CompTIA Network+™ Study Guide Network Plus
Page Count: 960
CompTIA Network+™ Study Guide
Third Edition
Todd Lammle

Senior Acquisitions Editor: Kenyon Brown
Development Editor: Kim Wimpsett
Technical Editors: Quentin Docter and Troy McMillan
Production Editor: Christine O’Connor
Copy Editor: Judy Flynn
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Media Supervising Producer: Richard Graves
Book Designers: Judy Fung and Bill Gibson
Proofreader: Jennifer Bennett, Word One New York
Indexer: Robert Swanson
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Wiley

Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-02124-7
ISBN: 978-1-119-02126-1 (ebk.)
ISBN: 978-1-119-02125-4 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2014958356

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA Network+ is a trademark of CompTIA Properties, LLC. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Acknowledgments

Kim Wimpsett was the development editor of this, the newest book in the Sybex CompTIA series. Thank you, Kim, for working so hard on this book with me. Kenyon Brown is my new acquisitions editor for this book. Thank you, Kenyon, for making this book a reality!

In addition, Christine O’Connor was an excellent production editor, and she worked really hard to get the book done as quickly as possible, without missing the small mistakes that are so easy to overlook. I am always very pleased when I hear that she will be working with me on a new project. Judy Flynn was my copy editor, and she was patient, helpful, and detailed yet worked extremely hard to get this book on the shelf as quickly as possible, and for that I thank her tremendously.

Quentin Docter reviewed each topic in this guide, scrutinizing the material until we both agreed it was verifiably solid. Thank you, Quentin! Troy McMillan literally hashed and rehashed each topic in this guide with me at all hours of the day and night. Thank you, Troy, yet again!

About the Author

Todd Lammle, CompTIA Network+, CCSI, CCNA/CCNP, is the authority on network certification and internetworking. He is a world-renowned author, speaker, trainer, and consultant. Todd has over 25 years of experience working with LANs, WANs, and large licensed and unlicensed wireless networks. He’s president and CEO of GlobalNet Training and Consulting, Inc., a network-integration and training firm based in Boulder, Colorado; Dallas, Texas; and San Francisco, California. You can reach Todd through his forum at www.lammle.com/networkplus.
Contents at a Glance

Introduction  xxix
Assessment Test  xli
Chapter 1  Introduction to Networks  1
Chapter 2  The Open Systems Interconnection Specifications  27
Chapter 3  Networking Topologies, Connectors, and Wiring Standards  55
Chapter 4  The Current Ethernet Specifications  91
Chapter 5  Networking Devices  127
Chapter 6  Introduction to the Internet Protocol  171
Chapter 7  IP Addressing  205
Chapter 8  IP Subnetting, Troubleshooting IP, and Introduction to NAT  233
Chapter 9  Introduction to IP Routing  277
Chapter 10  Routing Protocols  297
Chapter 11  Switching and Virtual LANs  333
Chapter 12  Wireless Networking  377
Chapter 13  Authentication and Access Control  429
Chapter 14  Network Threats and Mitigation  469
Chapter 15  Physical Security and Risk  525
Chapter 16  Wide Area Networks  573
Chapter 17  Troubleshooting Tools  615
Chapter 18  Software and Hardware Tools  671
Chapter 19  Network Troubleshooting  711
Chapter 20  Management, Monitoring, and Optimization  755
Appendix A  Answers to the Written Labs  813
Appendix B  Answers to Review Questions  827
Appendix C  Subnetting Class A  857
Index  865

Contents

Introduction  xxix
Assessment Test  xli

Chapter 1  Introduction to Networks  1
    First Things First: What’s a Network?  2
    The Local Area Network  3
    Common Network Components  5
    Wide Area Network  8
    Network Architecture: Peer-to-Peer or Client-Server?  10
    Physical Network Topologies  12
    Bus Topology  12
    Star Topology  13
    Ring Topology  14
    Mesh Topology  15
    Point-to-Point Topology  16
    Point-to-Multipoint Topology  17
    Hybrid Topology  18
    Topology Selection, Backbones, and Segments  19
    Selecting the Right Topology  19
    The Network Backbone  20
    Network Segments  20
    Summary  21
    Exam Essentials  22
    Written Labs  22
    Review Questions  23

Chapter 2  The Open Systems Interconnection Specifications  27
    Internetworking Models  28
    The Layered Approach  29
    Advantages of Reference Models  29
    The OSI Reference Model  30
    The Application Layer  32
    The Presentation Layer  33
    The Session Layer  33
    The Transport Layer  33
    The Network Layer  40
    The Data Link Layer  43
    The Physical Layer  45
    Introduction to Encapsulation  46
    Modulation Techniques  47
    Summary  47
    Exam Essentials  48
    Written Lab  49
    Review Questions  50

Chapter 3  Networking Topologies, Connectors, and Wiring Standards  55
    Physical Media  57
    Coaxial Cable  58
    Twisted-Pair Cable  60
    Fiber-Optic Cable  64
    Media Converters  69
    Serial Cables  71
    Cable Properties  73
    Transmission Speeds  74
    Distance  74
    Duplex  74
    Noise Immunity (Security, EMI)  74
    Frequency  75
    Wiring Standards  75
    568A vs 568B  76
    Straight-Through Cable  78
    Crossover Cable  78
    Rolled/Rollover Cable  80
    T1 Crossover Cable  81
    Installing Wiring Distributions  82
    Summary  85
    Exam Essentials  85
    Written Lab  86
    Review Questions  87

Chapter 4  The Current Ethernet Specifications  91
    Network Basics  93
    Ethernet Basics  95
    Collision Domain  95
    Broadcast Domain  96
    CSMA/CD  96
    Broadband/Baseband  98
    Bit Rates vs Baud Rate  98
    Wavelength  98
    Sampling Size  99
    Half- and Full-Duplex Ethernet  99
    Ethernet at the Data Link Layer  101
    Binary to Decimal and Hexadecimal Conversion  102
    Ethernet Addressing  105
    Ethernet Frames  106
    Ethernet at the Physical Layer  108
    Ethernet over Other Standards (IEEE 1905.1-2013)  114
    Ethernet over Power Line  114
    Ethernet over HDMI  116
    Summary  117
    Exam Essentials  117
    Written Lab  117
    Review Questions  123

Chapter 5  Networking Devices  127
    Common Network Connectivity Devices  129
    Network Interface Card  130
    Hub  131
    Bridge  132
    Switch  132
    Router  133
    Firewall  137
    IDS/IPS  138
    HIDS  138
    Access Point  138
    Dynamic Host Configuration Protocol Server  139
    Other Specialized Devices  144
    Multilayer Switch  144
    Load Balancer  145
    Domain Name Service Server  145
    Proxy Server  150
    Encryption Devices  151
    Analog Modem  152
    Packet Shaper  153
    VPN Concentrator  153
    Planning and Implementing a Basic SOHO Network Using Network Segmentation  154
    Determining Requirements  154
    Switches and Bridges at the Data Link Layer  161
    Hubs at the Physical Layer  162
    Environmental Considerations  163
    Summary  164
    Exam Essentials  164
    Written Lab  165
    Review Questions  166

Chapter 6  Introduction to the Internet Protocol  171
    Introducing TCP/IP  173
    A Brief History of TCP/IP  173
    TCP/IP and the DoD Model  174
    The Process/Application Layer Protocols  176
    The Host-to-Host Layer Protocols  184
    The Internet Layer Protocols  189
    Data Encapsulation  194
    Summary  198
    Exam Essentials  198
    Written Lab  198
    Review Questions  200

Chapter 7  IP Addressing  205
    IP Terminology  206
    The Hierarchical IP Addressing Scheme  207
    Network Addressing  208
    Private IP Addresses (RFC 1918)  212
    IPv4 Address Types  214
    Layer 2 Broadcasts  214
    Layer 3 Broadcasts  215
    Unicast Address  215
    Multicast Address (Class D)  215
    Internet Protocol Version 6 (IPv6)  216
    Why Do We Need IPv6?  216
    The Benefits of and Uses for IPv6  217
    IPv6 Addressing and Expressions  218
    Shortened Expression  219
    Address Types  219
    Special Addresses  220
    Stateless Autoconfiguration (EUI-64)  221
    DHCPv6 (Stateful)  223
    Migrating to IPv6  223
    Summary  225
    Exam Essentials  226
    Written Lab  227
    Written Lab 7.1  227
    Written Lab 7.2  227
    Written Lab 7.3  228
    Review Questions  229

Chapter 8  IP Subnetting, Troubleshooting IP, and Introduction to NAT  233
    Subnetting Basics  234
    How to Create Subnets  235
    Subnet Masks  236
    Classless Inter-Domain Routing (CIDR)  237
    Subnetting Class C Addresses  239
    Subnetting Class B Addresses  249
    Troubleshooting IP Addressing  256
    Determining IP Address Problems  259
    Introduction to Network Address Translation (NAT)  264
    Types of Network Address Translation  265
    NAT Names  266
    How NAT Works  267
    Summary  268
    Exam Essentials  269
    Written Labs  269
    Review Questions  271

Chapter 9  Introduction to IP Routing  277
    Routing Basics  278
    The IP Routing Process  281
    Testing Your IP Routing Understanding  287
    Static and Dynamic Routing  288
    Summary  291
    Exam Essentials  292
    Written Lab  292
    Review Questions  293

Chapter 10  Routing Protocols  297
    Routing Protocol Basics  299
    Administrative Distances  300
    Classes of Routing Protocols  302
    Distance Vector Routing Protocols  303
    Routing Information Protocol (RIP)  305
    RIP Version 2 (RIPv2)  305
    VLSM and Discontiguous Networks  306
    EIGRP  309
    Border Gateway Protocol (BGP)  311
    Link State Routing Protocols  313
    Open Shortest Path First (OSPF)  314
    Intermediate System-to-Intermediate System (IS-IS)  316
    High Availability  317
    Hot Standby Router Protocol (HSRP)  319
    Virtual Router Redundancy Protocol  324
    IPv6 Routing Protocols  324
    RIPng  325
    EIGRPv6  325
    OSPFv3  325
    Summary  326
    Exam Essentials  326
    Written Lab  327
    Review Questions  328

Chapter 11  Switching and Virtual LANs  333
    Networking Before Layer 2 Switching  335
    Switching Services  338
    Limitations of Layer 2 Switching  339
    Bridging vs LAN Switching  340
    Three Switch Functions at Layer 2  340
    Spanning Tree Protocol  346
    Spanning Tree Port States  347
    STP Convergence  347
    Rapid Spanning Tree Protocol 802.1w  348
    Virtual LANs  349
    VLAN Basics  350
    Quality of Service  353
    VLAN Memberships  354
    Static VLANs  354
    Dynamic VLANs  355
    Identifying VLANs  355
    VLAN Identification Methods  357
    VLAN Trunking Protocol  359
    VTP Modes of Operation  360
    Do We Really Need to Put an IP Address on a Switch?  361
    Port Security  363
    Port Bonding  364
    Two Additional Advanced Features of Switches  366
    Power over Ethernet (802.3af, 802.3at)  366
    Port Mirroring/Spanning (SPAN/RSPAN)  368
    Summary  370
    Exam Essentials  370
    Written Lab  371
    Review Questions  372

Chapter 12  Wireless Networking  377
    Introduction to Wireless Technology  380
    The 802.11 Standards  383
    2.4GHz (802.11b)  384
    2.4GHz (802.11g)  385
    5GHz (802.11a)  386
    5GHz (802.11h)  387
    2.4GHz/5GHz (802.11n)  388
    5GHz (802.11ac)  389
    Comparing 802.11 Standards  389
    Range Comparisons  390
    Wireless Network Components  391
    Wireless Access Points  391
    Wireless Network Interface Card  392
    Wireless Antennas  393
    Installing a Wireless Network  395
    Ad Hoc Mode: Independent Basic Service Set  395
    Infrastructure Mode: Basic Service Set  396
    Wireless Controllers  398
    Mobile Hot Spots  399
    Signal Degradation  400
    Other Network Infrastructure Implementations  401
    Installing and Configuring WLAN Hardware  402
    Site Survey  408
    Wireless Security  412
    Wireless Threats  412
    Open Access  416
    Service Set Identifiers, Wired Equivalent Privacy, and Media Access Control Address Authentication  416
    Remote Authentication Dial-In User Service (802.1x)  417
    Temporal Key Integrity Protocol  418
    Wi-Fi Protected Access or WPA2 Pre-Shared Key  419
    Summary  422
    Exam Essentials  423
    Written Lab  423
    Review Questions  425

Chapter 13  Authentication and Access Control  429
    Security Filtering  431
    Access Control Lists  432
    Tunneling  434
    Encryption  440
    Remote Access  445
    Managing User Account and Password Security  447
    Managing User Accounts  448
    Managing Passwords  450
    Single Sign-On  454
    Multifactor Authentication  455
    User-Authentication Methods  455
    Public Key Infrastructure (PKI)  455
    Kerberos  456
    Authentication, Authorization, and Accounting (AAA)  458
    Web Services  459
    Unified Voice Services  460
    Network Controllers  460
    Network Access Control (NAC)  460
    Challenge Handshake Authentication Protocol (CHAP)  460
    MS-CHAP  461
    Extensible Authentication Protocol (EAP)  462
    Hashes  462
    Network Access Control  462
    Summary  464
    Exam Essentials  464
    Written Lab  465
    Review Questions  466

Chapter 14  Network Threats and Mitigation  469
    Recognizing Security Threats  473
    Denial of Service  474
    Distributed DoS (DDoS)  475
    Authentication Issues  483
    Viruses  484
    Zero Day Attacks  487
    Insider Threat/Malicious Employee  487
    Vulnerabilities  488
    Unnecessary Running Services  488
    Open Ports  488
    Unpatched/Legacy Systems  488
    Unencrypted Channels  488
    Clear-Text Credentials  488
    TEMPEST/RF Emanation  489
    Malicious Users  489
    Buffer Overflow  490
    Wireless Threats  490
    Attackers and Their Tools  493
    Misconfiguration Issues  497
    Social Engineering (Phishing)  498
    Understanding Mitigation Techniques  499
    Active Detection  500
    Passive Detection  500
    Proactive Defense  500
    Basic Forensic Concepts  501
    Policies and Procedures  503
    Security Policies  504
    Security Training  509
    Patches and Upgrades  510
    Firmware Updates  512
    Driver Updates  512
    Upgrading vs Downgrading  513
    Anti-malware Software  514
    Host-based  514
    Cloud/Server-based  514
    Configuration Backups  515
    Updating Antivirus Components  515
    Fixing an Infected Computer  518
    Summary  518
    Exam Essentials  518
    Written Lab  519
    Review Questions  520

Chapter 15  Physical Security and Risk  525
    Using Hardware and Software Security Devices  527
    Defining Firewalls  529
    Network-Based Firewalls  530
    Host-Based Firewalls  530
    Firewall Technologies  530
    Access Control Lists  531
    Port Security  533
    Demilitarized Zone  534
    Protocol Switching  534
    Dynamic Packet Filtering  537
    Proxy Services  538
    Firewalls at the Application Layer vs the Network Layer  540
    Stateful vs Stateless Network Layer Firewalls  541
    Application Layer Firewalls  542
    Scanning Services and Other Firewall Features  542
    Content Filtering  544
    Signature Identification  544
    Context Awareness  544
    Virtual Wire vs Routed  545
    Zones  545
    Intrusion Detection and Prevention Systems  547
    Network-Based IDS  549
    Host-Based IDS  551
    Vulnerability Scanners  551
    VPN Concentrators  552
    Understanding Problems Affecting Device Security  553
    Physical Security  554
    Logical Security Configurations  558
    Risk-Related Concepts  560
    Summary  566
    Exam Essentials  566
    Written Lab  567
    Review Questions  569

Chapter 16  Wide Area Networks  573
    What’s a WAN?  577
    Defining WAN Terms  577
    The Public Switched Telephone Network  579
    WAN Connection Types  580
    Bandwidth or Speed  581
    T-Series Connections  582
    The T1 Connection  583
    The T3 Connection  584
    Transmission Media  584
    Wired Connections  585
    Wavelength Division Multiplexing  585
    Passive Optical Network  586
    Wireless Technologies  586
    Broadband Services  588
    DSL Technology and xDSL  589
    Cable Modem  591
    Wireless WAN Technologies  593
    Cellular WAN  593
    WAN Protocols  595
    Integrated Services Digital Network  595
    Frame Relay Technology  596
    Point-to-Point Protocol  599
    Asynchronous Transfer Mode  602
    MPLS  603
    WAN Troubleshooting  603
    Loss of Internet Connectivity  603
    Interface Errors/Monitoring  604
    Split Horizon  607
    DNS Issues  608
    Router Configurations  608
    Company Security Policy  609
    Summary  609
    Exam Essentials  609
    Written Lab  610
    Review Questions  611

Chapter 17  Troubleshooting Tools  615
    Protocol Analyzers  616
    Throughput Testers  618
    Connectivity Software  619
    Using Traceroute  620
    Using ipconfig and ifconfig  622
    Using the ipconfig Utility  622
    Using the ifconfig Utility  626
    Using the ping Utility  627
    Using the Address Resolution Protocol  630
    The Windows ARP Table  630
    Using the arp Utility  631
    Using the nslookup Utility  634
    Resolving Names with the Hosts Table  636
    Using the Mtr Command (pathping)  637
    Using the route Command  638
    Using the route Command Options  639
    Some Examples of the route Command  641
    Using the nbtstat Utility  641
    The –a Switch  642
    The –A Switch  644
    The –c Switch  644
    The –n Switch  645
    The –r Switch  645
    The –R Switch  646
    The –S Switch  646
    The –s Switch  647
    Using the netstat Utility  647
    The –a Switch  650
    The –e Switch  651
    The –r Switch  652
    The –s Switch  652
    The –p Switch  652
    The –n Switch  654
    Using the File Transfer Protocol  655
    Starting FTP and Logging In to an FTP Server  656
    Downloading Files  658
    Uploading Files  660
    Using the Telnet Utility  660
    How to Enable Telnet in Windows  661
    Don’t Use Telnet, Use Secure Shell  662
    Summary  662
    Exam Essentials  663
    Written Lab  663
    Review Questions  665

Chapter 18  Software and Hardware Tools  671
    Understanding Network Scanners  673
    Packet Sniffers/Network Monitors  673
    Intrusion Detection and Prevention Software  675
    Port Scanners  677
    Wi-Fi Analyzer  680
    Baseline  681
    Network Monitoring and Logging  683
    Network Monitoring  683
    SNMP  684
    Syslog  685
    SIEM  687
    Utilization  690
    Identifying Hardware Tools  691
    Cable Testers  692
    Protocol Analyzer  695
    Certifiers  696
    Time-Domain Reflectometer  696
    Optical Time-Domain Reflectometer  697
    Multimeter  698
    Toner Probe  698
    Butt Set  700
    Punch-Down Tool  701
    Cable Stripper/Snips  702
    Voltage Event Recorder (Power)  702
    Environmental Monitors  703
    Summary  704
    Exam Essentials  704
    Written Lab  705
    Review Questions  706

Chapter 19  Network Troubleshooting  711
    Narrowing Down the Problem  715
    Did You Check the Super Simple Stuff?  716
    Is Hardware or Software Causing the Problem?  720
    Is It a Workstation or a Server Problem?  721
    Which Segments of the Network Are Affected?  721
    Is It Bad Cabling?  722
    Troubleshooting Steps  729
    Step 1: Identify the Problem  729
    Step 2: Establish a Theory of Probable Cause  733
    Step 3: Test the Theory to Determine Cause  737
    Step 4: Establish a Plan of Action to Resolve the Problem and Identify Potential Effects  740
    Step 5: Implement the Solution or Escalate as Necessary  741
    Step 6: Verify Full System Functionality, and If Applicable, Implement Preventative Measures  744
    Step 7: Document Findings, Actions, and Outcomes  745
    Troubleshooting Tips  746
    Don’t Overlook the Small Stuff  746
    Prioritize Your Problems  746
    Check the Software Configuration  747
    Don’t Overlook Physical Conditions  747
    Don’t Overlook Cable Problems  748
    Check for Viruses  748
    Summary  749
    Exam Essentials  749
    Written Lab  750
    Review Questions  751

Chapter 20  Management, Monitoring, and Optimization  755
    Managing Network Documentation  761
    Using SNMP  761
    Schematics and Diagrams  762
    Network Monitoring  771
    Baselines  771
    On-Boarding and Off-Boarding of Mobile Devices  771
    NAC  772
    Policies, Procedures, and Regulations  772
    Safety Practices  775
    Implementing Network Segmentation  780
    Network Optimization  783
    Reasons to Optimize Your Network’s Performance  783
    How to Optimize Performance  786
    Unified Communications  788
    Traffic Shaping  788
    Load Balancing  789
    High Availability  789
    Caching Engines  789
    Fault Tolerance  790
    Archives/Backups  790
    Common Address Redundancy Protocol  791
    Virtual Networking  791
    Locating and Installing Equipment  797
    Change Management Procedures  803
    Summary  805
    Exam Essentials  806
    Written Lab  807
    Review Questions  808

Appendix A  Answers to the Written Labs  813
    Chapter 1  814
    Chapter 2  814
    Chapter 3  815
    Chapter 4  815
    Chapter 5  818
    Chapter 6  818
    Chapter 7  819
    Written Lab 7.1  819
    Written Lab 7.2  820
    Written Lab 7.3  820
    Chapter 8  820
    Chapter 9  821
    Chapter 10  821
    Chapter 11  822
    Chapter 12  822
    Chapter 13  823
    Chapter 14  823
    Chapter 15  824
    Chapter 16  824
    Chapter 17  825
    Chapter 18  825
    Chapter 19  825
    Chapter 20  826

Appendix B  Answers to Review Questions  827
    Chapter 1  828
    Chapter 2  829
    Chapter 3  830
    Chapter 4  832
    Chapter 5  833
    Chapter 6  834
    Chapter 7  835
    Chapter 8  837
    Chapter 9  839
    Chapter 10  840
    Chapter 11  842
    Chapter 12  843
    Chapter 13  845
    Chapter 14  846
    Chapter 15  848
    Chapter 16  849
    Chapter 17  851
    Chapter 18  852
    Chapter 19  853
    Chapter 20  855

Appendix C  Subnetting Class A  857
    Subnetting Practice Examples: Class A Addresses  858
    Practice Example #1A: 255.255.0.0 (/16)  859
    Practice Example #2A: 255.255.240.0 (/20)  859
    Practice Example #3A: 255.255.255.192 (/26)  860
    Subnetting in Your Head: Class A Addresses  861
    Written Lab 1  861
    Written Lab 2  862
    Answers to Written Lab 1  863
    Answers to Written Lab 2  864

Index  865

Becoming a CompTIA Certified IT Professional Is Easy

It’s also the best way to reach greater professional opportunities and rewards.

Why Get CompTIA Certified?

Growing Demand: Labor estimates predict some technology fields will experience growth of over 20% by the year 2020.* CompTIA certification qualifies the skills required to join this workforce.

Higher Salaries: IT professionals with certifications on their resume command better jobs, earn higher salaries and have more doors open to new multi-industry opportunities.

Verified Strengths: Of hiring managers, 91% indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers.**

Universal Skills: CompTIA certifications are vendor neutral—which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.

Learn more about what the exam covers by reviewing the following:
■ Exam objectives for key study points.
■ Sample questions for a general overview of what to expect on the exam and examples of question format.
■ Visit online forums, like LinkedIn, to see what other IT professionals say about CompTIA exams.

Purchase a voucher at a Pearson VUE testing center or at CompTIAstore.com.

Register for your exam at a Pearson VUE testing center:
■ Visit pearsonvue.com/CompTIA to find the closest testing center to you.
■ Schedule the exam online. You will be required to enter your voucher number or provide payment information at registration.
■ Take your certification exam.

Congratulations on your CompTIA certification!
■ Make sure to add your certification to your resume.
■ Check out the CompTIA Certification Roadmap to plan your next career move.

Learn More: Certification.CompTIA.org/networkplus

* Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security
** Source: CompTIA Employer Perceptions of IT Training and Certification
*** Source: 2013 IT Skills and Salary Report by CompTIA Authorized Partner

© 2014 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 01085-Sep2014

Introduction

If you’re like most of us in the networking community, you probably have one or more network certifications. If that’s you, you’re very wise in choosing a CompTIA Network+ (N10-006) certification to proudly add to your repertoire because that achievement will make you all the more valuable as an employee.
In these challenging economic times, keeping ahead of the competition—even standing out among your present colleagues—could make a big difference in whether you gain a promotion or possibly keep your job instead of being the one who gets laid off! Or maybe this is your fi rst attempt at certification because you’ve decided to venture into a new career in information technology (IT). You’ve realized that getting into the IT sector is a good way to go because as the information age marches on, the demand for knowledgeable professionals in this dynamic field will only intensify dramatically. Either way, certification is one of the best things you can do for your career if you are working in, or want to break into, the networking profession because it proves that you know what you’re talking about regarding the subjects in which you’re certified. It also powerfully endorses you as a professional in a way that’s very similar to a physician being board certified in a certain area of expertise. In this book, you’ll fi nd out what the Network+ exam is all about because each chapter covers a part of the exam. I’ve included some great review questions at the end of each chapter to help crystallize the information you learned and solidly prepare you to ace the exam. A really cool thing about working in IT is that it’s constantly evolving, so there are always new things to learn and fresh challenges to master. Once you obtain your Network+ certification and discover that you’re interested in taking it further by getting into more complex networking (and making more money), the Cisco CCNA certification is defi nitely your next step; you can get the skinny on that and even more in-depth certifications on my blog at www.lammle.com. For Network+ training with Todd Lammle, both instructor-led and online, please see www.lammle.com/networkplus. What Is the Network+ Certification? 
Network+ is a certification developed by the Computing Technology Industry Association (CompTIA) that exists to provide resources and education for the computer and technology community. This is the same body that developed the A+ exam for PC technicians. flast.indd 04/01/2015 Page xxix Introduction xxx Way back in 1995, members of the organization got together to develop a new certification that tests skills for IT. To ensure industry-wide support, it was sponsored by many past and present IT industry leaders like these: ■ Compaq Computers ■ Digital Equipment Corporation (a part of Compaq) ■ IBM ■ Lotus ■ Microsoft ■ Novell ■ TSS ■ U.S. Robotics ■ US West ■ Wave Technologies The Network+ exam was designed to test the skills of network technicians with 18 to 24 months of experience in the field. It tests areas of networking technologies such as the defi nition of a protocol, the Open Systems Interconnection (OSI) model and its layers, and the concepts of network design and implementation—the minimum knowledge required for working on a network and some integral prerequisites for network design and implementation. Why Become Network+ Certified? Because CompTIA is a well-respected developer of vendor-neutral industry certifications, becoming Network+ certified proves you’re competent in the specific areas covered by the Network+ objectives. Three major benefits are associated with becoming Network+ certified: Proof of Professional Achievement Networking professionals are pretty competitive when it comes to collecting more certifications than their peers. And because the Network+ certification broadly covers the entire field of networking, technicians want this certification a lot more than just Microsoft certifications—Network+ is a lot more prestigious and valuable. Because it’s rare to gain something that’s worth a lot with little effort, I’ll be honest— preparing for the Network+ exam isn’t exactly a lazy day at the beach. 
(However, beaches do happen to be really high on my personal list of great places to study!) And people in IT know that it isn’t all that easy to pass the Network+ exam, so they’ll defi nitely respect you more and know that you’ve achieved a certain level of expertise about vendor-independent, networking-related subjects. Opportunity for Advancement We all like to get ahead in our careers—advancement results in more responsibility and prestige, and it usually means a fatter paycheck, greater opportunities, and added options. In the IT sector, a great way to make sure all that good stuff happens is by earning a lot of technology certifications, including Network+. flast.indd 04/01/2015 Page xxx Introduction xxxi Fulfillment of Training Requirements Network+, because of its wide-reaching industry support, is recognized as a baseline of networking information. Some companies actually specify the possession of a Network+ certification as a job requirement before they’ll even consider hiring you, or it may be specified as a goal to be met before your next review. Customer Confidence As companies discover the CompTIA advantage, they will undoubtedly require qualified staff to achieve these certifications. Many companies outsource their work to consulting fi rms with experience working with security. Firms that have certified staff have a defi nite advantage over fi rms that don’t. How to Become Network+ Certified As this book goes to press, Pearson VUE is the sole Network+ exam providers. The following is the necessary contact information and exam-specific details for registering. Exam pricing might vary by country or by CompTIA membership. Vendor Website Phone Number Pearson VUE www.pearsonvue.com/comptia US and Canada: 877-551-PLUS (7587) When you schedule the exam, you’ll receive instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. 
In addition, you’ll receive a registration and payment confirmation letter. Exams can be scheduled up to six weeks out or as late as the next day (or, in some cases, even the same day). Exam prices and codes may vary based on the country in which the exam is administered. For detailed pricing and exam registration procedures, refer to CompTIA’s website at www.comptia.org.

After you’ve successfully passed your Network+ exam, CompTIA will award you a certification. Within four to six weeks of passing the exam, you’ll receive your official CompTIA Network+ certificate and ID card. (If you don’t receive these within eight weeks of taking the test, contact CompTIA directly using the information found in your registration packet.)

Tips for Taking the Network+ Exam

Here are some general tips for taking your exam successfully:
■ Bring two forms of ID with you. One must be a photo ID, such as a driver’s license. The other can be a major credit card or a passport. Both forms must include a signature.
■ Arrive early at the exam center so you can relax and review your study materials, particularly tables and lists of exam-related information. After you are ready to enter the testing room, you will need to leave everything outside; you won’t be able to bring any materials into the testing area.
■ Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what each question is asking.
■ Don’t leave any unanswered questions. Unanswered questions are scored against you.
■ There will be questions with multiple correct responses. When there is more than one correct answer, a message at the bottom of the screen will prompt you to either “choose two” or “choose all that apply.” Be sure to read the messages displayed to know how many correct answers you must choose.
■ When answering multiple-choice questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. Doing so will improve your odds if you need to make an educated guess.
■ On form-based tests (nonadaptive), because the hard questions will take the most time, save them for last. You can move forward and backward through the exam.

For the latest pricing on the exams and updates to the registration procedures, visit CompTIA’s website at www.comptia.org.

Who Should Read This Book?

You—if you want to pass the Network+ exam, and pass it confidently! This book is chock full of the exact information you need and directly maps to Network+ exam objectives, so if you use it to study for the exam, your odds of passing shoot way up. And in addition to including every bit of knowledge you need to learn to pass the exam, I’ve included some really great tips and solid wisdom to equip you even further to successfully work in the real IT world.

What Does This Book Cover?

This book covers everything you need to know to pass the CompTIA Network+ exam. But in addition to studying the book, it’s a good idea to practice on an actual network if you can. Here’s a list of the 20 chapters in this book:

Chapter 1, “Introduction to Networks” This chapter includes an introduction to what a network is and an overview of the most common physical network topologies you’ll find in today’s networks.

Chapter 2, “The Open Systems Interconnection Specifications” This chapter covers the OSI model, what it is, what happens at each of its layers, and how each layer works.

Chapter 3, “Networking Topologies, Connectors, and Wiring Standards” This chapter covers the various networking media and topologies, plus the cable types and properties used in today’s networks.
Chapter 4, “The Current Ethernet Specifications” This chapter covers how a basic Ethernet LAN works, and describes and categorizes the different Ethernet specifications.

Chapter 5, “Networking Devices” It’s important for you to understand all the various devices used in today’s networks, and this chapter will describe how hubs, routers, switches, and some other devices work within a network.

Chapter 6, “Introduction to the Internet Protocol” This is your introduction to the all-important IP protocol stack.

Chapter 7, “IP Addressing” This chapter will take up from where Chapter 6 left off and move into IP addressing. It also contains information about public versus private addressing and DHCP.

Chapter 8, “IP Subnetting, Troubleshooting IP, and Introduction to NAT” Beginning where Chapter 7 ends, we’ll be tackling IP subnetting in this one. But no worries here—I’ve worked hard to make this not-so-popular-yet-vital topic as painless as possible.

Chapter 9, “Introduction to IP Routing” This is an introduction to routing that basically covers what routers do and how they do it. This chapter, along with Chapter 10 and Chapter 11, covers routing and switching in much more detail than what is necessary to meet the CompTIA Network+ objectives, because this knowledge is so critical to grasp when working with today’s networks.

Chapter 10, “Routing Protocols” This chapter goes into detail describing the protocols that run on routers and that update routing tables to create a working map of the network.

Chapter 11, “Switching and Virtual LANs” This chapter covers Layer 2 switching, the Spanning Tree Protocol (STP), and virtual LANs. I went deeper than needed for the exam with the routing chapters, and I’ll cover switching and virtual LANs (which are also vital in today’s corporate networks) more thoroughly as well.
Chapter 12, “Wireless Networking” Because wireless is so important for both home and business networks today, this chapter is loaded with all the information you need to be successful at wireless networking at home and work.

Chapter 13, “Authentication and Access Control” This is the first of three security chapters. There are tons of exam objectives about network security that are so important that I took three chapters to cover all of them. In this chapter, I’ll introduce security, security filtering, tunneling, and user authentication.

Chapter 14, “Network Threats and Mitigation” This is probably the most fun of the three security chapters because I’ll tell you all about security threats and how to stop them. The only way to get good at network security is to implement it, and this chapter shows you how.

Chapter 15, “Physical Security and Risk” This chapter’s focus is on explaining basic firewalls, security devices, and device security.

Chapter 16, “Wide Area Networks” In this chapter, you get to learn all about things like Frame Relay, E1/T1, DSL, cable modems, and more. All of the CompTIA Network+ WAN objectives are covered in this chapter.

Chapter 17, “Troubleshooting Tools” This is also a fun chapter because, again, you can follow along and run all the commands yourself. And I repeat, it’s a really good idea to run through all the commands in this chapter!

Chapter 18, “Software and Hardware Tools” This chapter introduces you to the network tools you will use to help you run your networks. Both software and hardware tools will be discussed.

Chapter 19, “Network Troubleshooting” In almost every chapter, I discuss how to verify and fix problems, but this chapter will really get into the nuts and bolts of detailed network troubleshooting and documentation.
Chapter 20, “Management, Monitoring, and Optimization” This last chapter covers configuration-management documentation, wiring and logical diagrams, baselines, policies, and regulations.

What’s Included in the Book

I’ve included several study tools throughout the book:

Assessment Test At the end of this introduction is an assessment test that you can use to check your readiness for the exam. Take this test before you start reading the book; it will help you determine the areas you might need to brush up on. The answers to the assessment test questions appear on a separate page after the last question of the test. Each answer includes an explanation and a note telling you the chapter in which the material appears.

Objective Map and Opening List of Objectives On the inside front cover of this book is a detailed exam objective map showing you where each of the exam objectives is covered in this book. In addition, each chapter opens with a list of the exam objectives it covers. Use these to see exactly where each of the exam topics is covered.

Exam Essentials Each chapter, just after the summary, includes a number of exam essentials. These are the key topics you should take from the chapter in terms of areas to focus on when preparing for the exam.

Written Lab Each chapter includes a written lab. These are short exercises that map to the exam objectives. Answers to these can be found in Appendix A.

Chapter Review Questions To test your knowledge as you progress through the book, there are review questions at the end of each chapter. As you finish each chapter, answer the review questions and then check your answers—the correct answers and explanations are in Appendix B. You can go back to reread the section that deals with each question you got wrong to ensure that you answer correctly the next time you’re tested on the material.
Interactive Online Learning Environment and Test Bank

The interactive online learning environment that accompanies CompTIA Network+ Study Guide: Exam N10-006, Third Edition provides a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following tools:

Sample Tests All of the questions in this book are provided, including the assessment test, which you’ll find at the end of this introduction, and the chapter tests that include the review questions at the end of each chapter. In addition, there are two practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Other Study Tools A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

Go to http://sybextestbanks.wiley.com to register and gain access to this interactive online learning environment and test bank with study tools.

How to Use This Book

If you want a solid foundation for the serious effort of preparing for the Network+ exam, then look no further because I’ve spent countless hours putting together this book with the sole intention of helping you pass it! This book is loaded with valuable information, and you will get the most out of your study time if you understand how I put the book together. Here’s a list that describes how to approach studying:

1. Take the assessment test immediately following this introduction. (The answers are at the end of the test, but no peeking!) It’s okay if you don’t know any of the answers—that’s what this book is for.
Carefully read over the explanations for any question you get wrong, and make note of the chapters where that material is covered.
2. Study each chapter carefully, making sure you fully understand the information and the exam objectives listed at the beginning of each one. Again, pay extra-close attention to any chapter that includes material covered in questions you missed on the assessment test.
3. Complete the written lab at the end of each chapter. Do not skip these written exercises because they directly map to the CompTIA objectives and what you’ve got to have nailed down to meet them.
4. Answer all the review questions related to each chapter. Specifically note any questions that confuse you, and study the corresponding sections of the book again. And don’t just skim these questions—make sure you understand each answer completely.
5. Try your hand at the practice exams. In addition, check out www.lammle.com for more CompTIA Network+ exam prep questions. The questions found on my site will be updated at least monthly, maybe weekly, or even daily. Before you take your test, be sure to visit my website for questions, videos, audios, and other useful information.
6. Test yourself using all the electronic flashcards. This is a brand-new and updated flashcard program to help you prepare for the latest CompTIA Network+ exam, and it is a really great study tool.

I tell you no lies—learning every bit of the material in this book is going to require applying yourself with a good measure of discipline. So try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. If you work hard, you will be surprised at how quickly you learn this material. If you follow the steps listed here and study with the review questions, practice exams, electronic flashcards, and all the written labs, you would almost have to try to fail the CompTIA Network+ exam.
However, studying for the Network+ exam is like training for a marathon—if you don’t go for a good run every day, you’re not likely to finish very well.

This book covers everything about CompTIA Network+. For up-to-date information about Todd Lammle CompTIA boot camps, audio training, and training videos, please see www.lammle.com and/or www.lammle.com/networkplus.

Exam Objectives

Speaking of objectives, you’re probably pretty curious about those, right? CompTIA asked groups of IT professionals to fill out a survey rating the skills they felt were important in their jobs, and the results were grouped into objectives for the exam and divided into five domains. This table gives you the extent by percentage that each domain is represented on the actual examination.

Domain: % of Examination
1.0 Network Architecture: 22%
2.0 Network Operations: 20%
3.0 Network Security: 18%
4.0 Troubleshooting: 24%
5.0 Industry Standards, Practices, and Network Theory: 16%
Total: 100%

Exam objectives are subject to change at any time without prior notice and at CompTIA’s sole discretion. Please visit CompTIA’s website (www.comptia.org) for the most current listing of exam objectives.
N10-006 Exam Objectives

Each objective is listed with the chapter(s) in which it is covered.

1.0 Network architecture
1.1 Explain the functions and applications of various network devices (Chapters 5, 15)
1.2 Compare and contrast the use of networking services and applications (Chapter 13)
1.3 Install and configure the following networking services/applications (Chapters 5, 8)
1.4 Explain the characteristics and benefits of various WAN technologies (Chapter 16)
1.5 Install and properly terminate various cable types and connectors using appropriate tools (Chapters 3, 18)
1.6 Differentiate between common network topologies (Chapter 1)
1.7 Differentiate between network infrastructure implementations (Chapters 12, 16, 20)
1.8 Given a scenario, implement and configure the appropriate addressing schema (Chapters 4, 7, 8)
1.9 Explain the basics of routing concepts and protocols (Chapters 9, 10)
1.10 Identify the basic elements of unified communication technologies (Chapter 20)
1.11 Compare and contrast technologies that support cloud and virtualization (Chapter 20)
1.12 Given a set of requirements, implement a basic network (Chapter 5)

2.0 Network operations
2.1 Given a scenario, use appropriate monitoring tools (Chapter 18)
2.2 Given a scenario, analyze metrics and reports from monitoring and tracking performance tools (Chapters 16, 18)
2.3 Given a scenario, use appropriate resources to support configuration management (Chapter 20)
2.4 Explain the importance of implementing network segmentation (Chapters 15, 20)
2.5 Given a scenario, install and apply patches and updates (Chapter 14)
2.6 Given a scenario, configure a switch using proper features (Chapter 11)
2.7 Install and configure wireless LAN infrastructure and implement the appropriate technologies in support of wireless capable devices (Chapter 12)

3.0 Network security
3.1 Compare and contrast risk-related concepts (Chapter 15)
3.2 Compare and contrast common network vulnerabilities and threats (Chapters 6, 14)
3.3 Given a scenario, implement network hardening techniques (Chapters 6, 11, 12, 13, 14)
3.4 Compare and contrast physical security controls (Chapter 15)
3.5 Given a scenario, install and configure a basic firewall (Chapter 15)
3.6 Explain the purpose of various network access control models (Chapter 13)
3.7 Summarize basic forensic concepts (Chapter 14)

4.0 Troubleshooting
4.1 Given a scenario, implement the following network troubleshooting methodology (Chapter 19)
4.2 Given a scenario, analyze and interpret the output of troubleshooting tools (Chapters 17, 18)
4.3 Given a scenario, troubleshoot and resolve common wireless issues (Chapters 12, 19)
4.4 Given a scenario, troubleshoot and resolve common copper cable issues (Chapter 19)
4.5 Given a scenario, troubleshoot and resolve common fiber cable issues (Chapter 19)
4.6 Given a scenario, troubleshoot and resolve common network issues (Chapter 19)
4.7 Given a scenario, troubleshoot and resolve common security issues (Chapter 14)
4.8 Given a scenario, troubleshoot and resolve common WAN issues (Chapters 3, 16)

5.0 Industry standards, practices, and network theory
5.1 Analyze a scenario and determine the corresponding OSI layer (Chapter 2)
5.2 Explain the basics of network theory and concepts (Chapters 2, 4, 6)
5.3 Given a scenario, deploy the appropriate wireless standard (Chapter 12)
5.4 Given a scenario, deploy the appropriate wired connectivity standard (Chapters 3, 4)
5.5 Given a scenario, implement the appropriate policies or procedures (Chapter 20)
5.6 Summarize safety practices (Chapter 20)
5.7 Given a scenario, install and configure equipment in the appropriate location using best practices (Chapter 20)
5.8 Explain the basics of change management procedures (Chapter 20)
5.9 Compare and contrast the following ports and protocols (Chapter 6)
5.10 Given a scenario, configure and apply the appropriate ports and protocols (Chapters 6, 13)

Exam specifications and content are subject to change at any time without prior notice and at CompTIA’s sole discretion. Please visit CompTIA’s website (www.comptia.org) for the most current information on the exam content.

Assessment Test

1. What is the basic purpose of a local area network (LAN)?
A. To interconnect networks in several different buildings
B. To connect one or more computers together so they can share resources
C. To interconnect two to 10 routers
D. To make routers unnecessary

2. You need a topology that is easy to troubleshoot and scalable. Which would you use?
A. Bus
B. Star
C. Mesh
D. Ring

3. IP resides at which layer of the OSI model?
A. Application
B. Data Link
C. Network
D. Physical

4. Layer 2 of the OSI model is named ________.
A. Application layer
B. Network layer
C. Transport layer
D. Data Link layer

5. Which RG rating of coax is used for cable modems?
A. RG-59
B. RG-58
C. RG-6
D. RG-8

6. Which UTP wiring uses four twisted wire pairs (eight wires) and is rated for 250MHz?
A. Category 3 UTP
B. Category 5 STP
C. Category 5 UTP
D. Category 6 UTP

7. If you are running half-duplex Ethernet, which of the following is true? (Choose all that apply.)
A. Your digital signal cannot transmit and receive data at the same time.
B. Hosts use the CSMA/CD protocol to prevent collisions.
C. The physical connection consists of one wire pair.
D. None of the above.

8. You need to connect a hub to a switch. You don’t like this idea because you know that it will create congestion. What type of cable do you need to use to connect the hub to the switch?
A. EtherIP
B. Crossover
C. Straight-through
D. Cable Sense, Multiple Access

9. Your boss asks you why you just put in a requisition to buy a bunch of switches. He said he just bought you a bunch of hubs five years ago! Why did you buy the switches?
A. Because each switch port is its own collision domain.
B. The cable connecting devices to the hub wore out, and switches were cheaper than new cable.
C. There were too many broadcast domains, and a switch breaks up broadcast domains by default.
D. The hubs kept repeating signals but quit recognizing frames and data structures.

10. Which device would connect network segments together, creating separate collision domains for each segment but only a single broadcast domain?
A. Hub
B. Router
C. Switch
D. Modem

11. Most Application layer protocols use only UDP or TCP at the Transport layer. Which of the following could use both?
A. TCP
B. Microsoft Word
C. Telnet
D. DNS

12. HTTP, FTP, and Telnet work at which layer of the OSI model?
A. Application
B. Presentation
C. Session
D. Transport

13. IPv6 uses multiple types of addresses. Which of the following would describe an anycast address used by an IPv6 host?
A. Communications are routed to the most distant host that shares the same address.
B. Packets are delivered to all interfaces identified by the address. This is also called one-to-many addressing.
C. This address identifies multiple interfaces, and the anycast packet is only delivered to one address. This address can also be called one-to-one-of-many.
D. Anycast is a type of broadcast.

14. Which of the following IP addresses are not allowed on the Internet? (Choose all that apply.)
A. 11.255.255.1
B. 10.1.1.1
C. 172.33.255.0
D. 192.168.0.1

15. What is the subnetwork address for a host with the IP address 200.10.5.168/28?
A. 200.10.5.156
B. 200.10.5.132
C. 200.10.5.160
D. 200.10.5.0
E. 200.10.5.255

16. If you wanted to verify the local IP stack on your computer, what would you do?
A. Ping 127.0.0.0
B. Ping 127.0.0.1
C. Telnet 1.0.0.127
D. Ping 169.5.3.10
E. Telnet 255.255.255.255

17. The OSI model uses an encapsulation method to describe the data as it is encapsulated at each layer. What is the encapsulation named at the Data Link layer?
A. Bits
B. Packets
C. Frames
D. Data
E. Segments

18. Where does a Data Link layer frame have to carry a Network layer packet if the packet is destined for a remote network?
A. Router
B. Physical medium
C. Switch
D. Another host

19. Which of the following are not distance vector routing protocols? (Choose all that apply.)
A. OSPF
B. RIP
C. RIPv2
D. IS-IS

20. Which of the following uses both distance vector and link state properties?
A. IGRP
B. OSPF
C. RIPv1
D. EIGRP
E. IS-IS

21. You need to break up broadcast domains in a Layer 2 switched network. What strategy will you use?
A. Implement a loop-avoidance scheme.
B. Create a flatter network structure using switches.
C. Create a VLAN.
D. Disable the spanning tree on individual ports.

22. Why do most switches run the Spanning Tree Protocol by default?
A. It monitors how the network is functioning.
B. It stops data from forwarding until all devices are updated.
C. It prevents switching loops.
D. It manages the VLAN database.

23. Which of the following describes MIMO correctly?
A. A protocol that requires acknowledgment of each and every frame
B. A data-transmission technique in which several frames are sent by several antennae over several paths and are then recombined by another set of antennae
C. A modulation technique that allows more than one data rate
D. A technique that packs smaller packets into a single unit, which improves throughput

24. Which two practices help secure your wireless access points from unauthorized access? (Choose all that apply.)
A. Assigning a private IP address to the AP
B. Changing the default SSID value
C. Configuring a new administrator password
D. Changing the mixed-mode setting to single mode
E. Configuring traffic filtering

25. IPSec is defined at what layer of the OSI model?
A. Network
B. Physical
C. Layer 4
D. Layer 7

26. You want your users to log in and authenticate before they can get onto your network. Which of the following services would you use?
A. RADIUS
B. DNS
C. Virtual Network Computing
D. Remote Desktop Protocol

27. Someone calls you and asks for your bank account number because the bank is having problems with your account. You give them this information and later find out that you were scammed. What type of attack is this?
A. Phishing
B. Calling scam
C. Analog scam
D. Trust-exploration attack
E. Man-in-the-middle attack
F. Rogue access point

28. Which of the following are types of denial of service attacks? (Choose all that apply.)
A. Ping of Death
B. Stacheldraht
C. SYN flood
D. Virus FloodSyn

29. You want to stop a hacker in their tracks. Which of the following devices are proactive in providing this service?
A. Access control list (ACL)
B. Content filtering
C. Security zones
D. Intrusion prevention system (IPS)
E. Network Address Translation
F. Virtual LANs

30. You connected your company to the Internet, and security is a concern. What should you install?
A. Higher-quality cables
B. Firewall
C. DNS
D. Switches

31. Which of the following are WAN protocols or technologies? (Choose all that apply.)
A. ATM
B. ISDN
C. MPLS
D. RIP

32. The rate at which the Frame Relay switch agrees to transfer data is referred to as ________.
A. BE
B. FECN
C. CIR
D. BECN

33. Which two arp utility switches perform the same function?
A. -g
B. -Z
C. -d
D. -a
E. -h
F. -b

34. You need to purge and reload the remote NetBIOS name table cache. Which nbtstat utility switch will you use?
A. -r
B. -R
C. /r
D. /R
E. -a
F. -A

35. Which tool is used to attach ends to network cables?
A. Punch-down tool
B. Crimper
C. VLAN tool
D. Strippers
E. ARP tool

36. You are using a TDR. Which of the following actions can you do with this device? (Choose all that apply.)
A. Estimate cable lengths
B. Find splice and connector locations and their associated loss amounts
C. Display unused services
D. Define cable-impedance characteristics

37. Which of the following are considered cabling issues? (Choose all that apply.)
A. Crosstalk
B. Shorts
C. Open impedance mismatch
D. DNS configurations

38. You have just tested your theory of a problem to determine the cause. Based on the standard troubleshooting model, what is your next step?
A. Question the obvious.
B. Establish a theory of probable cause.
C. Establish a plan of action to resolve the problem and identify potential effects.
D. Verify full system functionality, and if applicable, implement preventative measures.

39. Which network performance optimization technique can delay packets that meet certain criteria to guarantee usable bandwidth for other applications?
A. Traffic shaping
B. Jitter control
C. Logical network mapping
D. Load balancing
E. Access lists

40. You need to optimize network traffic by spreading it across multiple connections. Which strategy should be used?
A. Load balancing
B. Traffic shaping
C. Adding VLANs
D. A 1Gbps connection
E. Following the regulations

Answers to Assessment Test

1. B. LANs generally have a geographic scope of a single building or smaller. They can be simple (two hosts) to complex (with thousands of hosts). See Chapter 1 for more information.

2. B. Star topologies are the easiest to troubleshoot and can easily scale to large sizes. See Chapter 1 for more information.

3. C. IP is a Network layer protocol. HTTP (the protocol a browser such as Internet Explorer speaks) is an example of an Application layer protocol, Ethernet is an example of a Data Link layer protocol, and T1 can be considered a Physical layer protocol. See Chapter 2 for more information.

4. D. Layer 2 of the OSI model is the Data Link layer, which provides the physical transmission of the data and handles error notification, network topology, and flow control. See Chapter 2 for more information.

5. C. Cable modems use RG-6 coax cables. See Chapter 3 for more information.

6. D. Category 6 UTP uses four twisted pairs and is rated to 250 MHz; Category 5 and 5e are rated to 100 MHz. To get high data-transfer speeds, like 1Gbps, you need to use a wire standard that is highly rated, such as Category 5e or Category 6. See Chapter 3 for more information.

7. A, B, C.
With half duplex, you are using one wire pair with a digital signal either transmitting or receiving (but not both at once). Carrier Sense Multiple Access with Collision Detection (CSMA/CD) lets hosts on the shared medium listen before transmitting, detect collisions when two hosts transmit at the same time, and back off for a random interval before retransmitting, so the colliding hosts end up sharing the bandwidth. See Chapter 4 for more information.

8. B. To connect two switches together or a hub to a switch, you need a crossover cable (unless the ports support automatic MDI/MDI-X crossover). See Chapter 4 for more information.

9. A. For the most part, switches are not cheap; however, one of the biggest benefits of using switches instead of hubs in your internetwork is that each switch port is actually its own collision domain. A hub creates one large collision domain. Switches still can’t break up broadcast domains by default (do you know which devices do?). Hubs do not recognize frames and data structures, but switches do. See Chapter 5 for more information.

10. C. A switch creates separate collision domains for each port but does not break up broadcast domains by default. See Chapter 5 for more information.

11. D. DNS uses TCP for zone transfers between servers and UDP when a client is trying to resolve a hostname to an IP address. See Chapter 6 for more information.

12. A. HTTP, FTP, and Telnet use TCP at the Transport layer; however, they are all Application layer protocols, so the Application layer is the best answer for this question. See Chapter 6 for more information.

13. C. IPv6 has no broadcast addresses. An anycast address identifies multiple interfaces, just as a multicast address does; the big difference is that an anycast packet is delivered to only one of them, the nearest one as measured by routing distance. This address can also be called one-to-one-of-many. See Chapter 7 for more information.

14. B, D.
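Answers 7, 11 and 12 above deal with Ethernet frames and with Application layer protocols handed to TCP or UDP. The Python below is an added example, not code from the study guide: it wraps a constructed application payload in a UDP segment, then an IPv4 packet (with the RFC 791 header checksum filled in), then an Ethernet II frame, and finally unwraps the frame again and verifies the checksum. It also shows the Layer 2 addressing decision a sending host makes: a destination on the local subnet is framed to that host's own MAC address, while a destination on a remote network is framed to the default gateway's MAC address even though the IP header still names the remote host. The host, gateway and destination addresses, the ARP cache and the payload are all made up for the example, and the function names are my own.

```python
"""Added example: encapsulating data down the stack and decapsulating it again."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

# Constructed addresses for the example: a host on 192.168.1.0/24, its default
# gateway, and a small ARP cache. None of these come from the study guide.
HOST_MAC = "02:00:00:00:00:0a"
HOST_IP = "192.168.1.10"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_MAC = "02:00:00:00:00:01"
ARP_TABLE = {"192.168.1.1": GATEWAY_MAC, "192.168.1.20": "02:00:00:00:00:14"}


def mac_bytes(mac):
    return bytes(int(o, 16) for o in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented.
    Over a header whose checksum field is zero this yields the checksum to insert;
    over a complete, correct header it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_port, dst_port, data):
    """Transport layer: UDP header (length covers header + data; a zero checksum
    is permitted for UDP over IPv4) in front of the application data."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def build_packet(src_ip, dst_ip, segment, ttl=64):
    """Network layer: IPv4 header in front of the segment, checksum filled in."""
    fields = [0x45, 0, 20 + len(segment), 0x1234, 0, ttl, PROTO_UDP, 0,
              ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + segment


def next_hop_mac(dst_ip):
    """Layer 2 addressing decision: a destination on the local subnet is framed to
    its own MAC (learned via ARP); anything off-subnet is framed to the router."""
    if ipaddress.ip_address(dst_ip) in LOCAL_NET:
        return ARP_TABLE[dst_ip]
    return GATEWAY_MAC


def build_frame(dst_mac, src_mac, packet):
    """Data Link layer: Ethernet II header (dst MAC, src MAC, EtherType) in front
    of the packet. The FCS trailer is added by the NIC and is omitted here."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def send(dst_ip, dst_port, data, src_port=40000):
    """Data -> segment -> packet -> frame, as the sending host does it."""
    segment = build_segment(src_port, dst_port, data)
    packet = build_packet(HOST_IP, dst_ip, segment)
    return build_frame(next_hop_mac(dst_ip), HOST_MAC, packet)


def decapsulate(frame):
    """Frame -> packet -> segment -> data, reporting each layer's addressing."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                       # header length in bytes
    header = packet[:ihl]
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, header[:20])
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "ethertype": ethertype,
        "src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "protocol": proto, "checksum_ok": ipv4_checksum(header) == 0,
        "src_port": src_port, "dst_port": dst_port, "data": segment[8:udp_len],
    }


if __name__ == "__main__":
    query = b"\x12\x34\x01\x00constructed-query"      # stand-in for a DNS query
    for target in ("192.168.1.20", "203.0.113.5"):    # one local host, one remote
        layers = decapsulate(send(target, 53, query))
        print(target, "framed to", layers["dst_mac"], "for IP", layers["dst_ip"],
              "checksum ok:", layers["checksum_ok"])
```

Running it prints one line per target: the local host is framed to its own MAC while the remote one is framed to the gateway's MAC, and both carry their real destination IP. Flipping any header byte (the TTL, say) makes checksum_ok come back False, which is the integrity check a receiving router performs before it looks at the rest of the header.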
The addresses in the ranges 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255 are all considered private, based on RFC 1918. These addresses are not routed on the Internet, so they can be used simultaneously in different administrative domains without concern for conflict. See Chapter 7 for more detail on IP addressing and information on private IP addresses.

15. C. This is a pretty simple question. A /28 is 255.255.255.240, which means that our block size is 16 in the fourth octet (256 - 240 = 16). The subnets therefore start at 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, and so on. The host octet .168 falls between 160 and 176, so the host is in the subnet 200.10.5.160. See Chapter 8 for more information.

16. B. To test the local stack on your host, ping the loopback address 127.0.0.1. See Chapter 8 for more information.

17. C. The Data Link layer is responsible for encapsulating IP packets into frames and for hardware (MAC) addressing; logical network addressing belongs to the Network layer. See Chapter 9 for more information.

18. A. Packets destined for a remote network have to be carried to a router in order to be routed through the internetwork: the frame’s destination hardware address is the router’s, while the packet’s destination IP address is still the remote host’s. See Chapter 9 for more information.

19. A, D. RIP and RIPv2 are distance vector routing protocols. OSPF and IS-IS are link state. See Chapter 10 for more information.

20. D. EIGRP is called a hybrid routing protocol because it uses the characteristics of both distance vector and link state routing protocols. However, EIGRP was developed by Cisco and is not vendor neutral. The new CompTIA objectives mention BGP as a hybrid routing protocol. See Chapter 10 for more information.

21. C. Virtual LANs break up broadcast domains in Layer 2 switched internetworks. See Chapter 11 for more information.

22. C. The Spanning Tree Protocol (STP) was designed to stop Layer 2 loops. All enterprise-model switches run STP by default. See Chapter 11 for more information.

23. B.
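Answers 14 and 15 above do the RFC 1918 lookup and the /28 block-size arithmetic by hand. The Python below is an added example, not code from the study guide, that implements both: is_private_rfc1918 tests an address against the three RFC 1918 blocks, and subnet_info carries out the exam-style calculation (mask from the prefix length, block size of 256 minus the "interesting" mask octet, subnet, broadcast and host range). It goes beyond the /28 case in the answer key and works for any prefix from /1 to /30, so it also handles a Class B style mask such as /20 where the interesting octet is the third one, and it cross-checks its hand arithmetic against Python's ipaddress module. The function names and the sample addresses other than those in the questions are my own choices.

```python
"""Added example: RFC 1918 check and exam-style subnet arithmetic."""
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16 (not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def dotted(octets):
    return ".".join(str(o) for o in octets)


def subnet_info(cidr):
    """Work a host/prefix pair the way the exam expects, for prefixes /1 through /30.

    1. Turn the prefix length into a dotted mask.
    2. Find the "interesting" octet: the first mask octet that is not 255.
    3. Block size = 256 - that mask octet; subnets start at every multiple of it.
    4. The subnet is the largest multiple <= the host's octet in that position;
       the broadcast is the next multiple minus one; valid hosts lie between them.
    The hand arithmetic is cross-checked against the standard library.
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 1 <= prefix <= 30:
        raise ValueError("host ranges are only meaningful for /1 through /30")
    octets = [int(o) for o in addr_str.split(".")]

    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    mask = [(mask_int >> shift) & 0xFF for shift in (24, 16, 8, 0)]

    idx = next(i for i, m in enumerate(mask) if m != 255)   # interesting octet
    block = 256 - mask[idx]

    subnet = octets[:idx] + [(octets[idx] // block) * block] + [0] * (3 - idx)
    broadcast = subnet[:idx] + [subnet[idx] + block - 1] + [255] * (3 - idx)
    first_host = subnet[:3] + [subnet[3] + 1]
    last_host = broadcast[:3] + [broadcast[3] - 1]

    net = ipaddress.ip_network(cidr, strict=False)
    assert str(net.network_address) == dotted(subnet)
    assert str(net.broadcast_address) == dotted(broadcast)

    return {
        "mask": dotted(mask),
        "interesting_octet": idx + 1,            # 1-based, as in "the fourth octet"
        "block_size": block,
        "subnet_boundaries": list(range(0, 256, block)),
        "subnet": dotted(subnet),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first_host),
        "last_host": dotted(last_host),
        "usable_hosts": 2 ** (32 - prefix) - 2,
    }


if __name__ == "__main__":
    for cidr in ("200.10.5.168/28", "172.16.20.5/20"):
        print(cidr, subnet_info(cidr))
    for addr in ("11.255.255.1", "10.1.1.1", "172.33.255.0", "192.168.0.1"):
        print(addr, "private" if is_private_rfc1918(addr) else "public")
```

For 200.10.5.168/28 the function reports mask 255.255.255.240, block size 16, subnet 200.10.5.160, broadcast 200.10.5.175 and hosts .161 through .174, matching answer 15; for the four addresses in question 14 it flags 10.1.1.1 and 192.168.0.1 as private and the other two as public. Note that 172.33.255.0 is public because the private block stops at 172.31.255.255, a boundary that is easy to get wrong by eye.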
Part of the 802.11n wireless standard, MIMO sends multiple frames by several antennae over several paths; they are then recombined by another set of antennae to optimize throughput and multipath resistance. This is called spatial multiplexing. See Chapter 12 for more information. 24. B, C. At a minimum, you need to change the default SSID value on each AP and configure new usernames and passwords on the AP. See Chapter 12 for more information. 25. A. IPSec works at the Network layer of the OSI model (Layer 3) and secures all applications that operate above it (Layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet. See Chapter 13 for more information. flast.indd 04/01/2015 Page xlix l Answers to Assessment Test 26. A. RADIUS combines user authentication and authorization into one profi le. See Chapter 13 for more information. 27. A. Social engineering, or phishing, refers to the act of attempting to illegally obtain sensitive information by pretending to be a credible source. Phishing usually takes one of two forms: an email or a phone call. See Chapter 14 for more information. 28. A, B, C A. denial of service (DoS) attack prevents users from accessing the system. All of the options are possible denial of service attacks except Virus FloodSyn. See Chapter 14 for more information. 29. D. Changing network configurations, terminating sessions, and deceiving the attacker are all actions that can be taken by an intrusion prevention system (IPS) device. These are all proactive approaches to security. See Chapter 15 for more information. 30. B. Firewalls help provide perimeter network security by allowing or denying connections and types of traffic in or out of the network. See Chapter 15 for more information. 31. A, B, C. 
Routing Information Protocol (RIP) is not a WAN protocol but a routing protocol used in local area connections. See Chapter 16 for more information. 32. C. The committed information rate (CIR) is the rate, in bits per second, at which the Frame Relay switch agrees to transfer data. See Chapter 16 for more information. 33. A, D. The arp utility’s –a and –g switches perform the same function. They both show the current ARP cache. See Chapter 17 for more information. 34. B. To purge and reload the remote NetBIOS name cache, you must use nbtstat –R. Remember that the R must be uppercase, and it will not work correctly without the hyphen before it. See Chapter 17 for more information. 35. B A. wire crimper or crimper is used to attach ends onto different types of network cables. See Chapter 18 for more information. 36. A, B, D. Due to sensitivity to any variation and impedance to cabling, options A, B, and D are all reasons you’d use a TDR. See Chapter 18 for more information. 37. A, B, C. Because most of today’s networks still consist of large amounts of copper cable, they can continue to suffer from the physical issues (the options are not a complete list) that have plagued all networks since the very beginning of networking. See Chapter 19 for more information. 38. C. You have just tested your theory of a problem to determine the cause. Based on the standard troubleshooting model, the next step would be to establish a plan of action to resolve the problem and identify potential effects. See Chapter 19 for more information. 39. A. Traffic shaping, also known as packet shaping, is another form of bandwidth optimization. See Chapter 20 for more information. 40. A. Load balancing refers to a technique used to spread work out to multiple computers, network links, or other devices. You can load-balance work on servers by clustering servers so that multiple machines all provide the same service. See Chapter 20 for more information. 
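As an added worked example (my code, not the book’s), here is the block-size method from answer 15 and the RFC 1918 check from answer 14 in Python. The sample host 192.168.10.170 is constructed (the book’s question text is not reproduced here), and the cross-check against the standard library’s ipaddress module is my addition.

```python
"""Added example for assessment answers 14 and 15: the RFC 1918 private
ranges and the "block size" way of finding which /28 subnet a host is in.
The host address 192.168.10.170 used below is constructed, not the book's."""

from ipaddress import IPv4Address, IPv4Network

# The three private blocks exactly as listed in answer 14.
RFC1918_RANGES = [
    IPv4Network("10.0.0.0/8"),      # 10.0.0.0 through 10.255.255.255
    IPv4Network("172.16.0.0/12"),   # 172.16.0.0 through 172.31.255.255
    IPv4Network("192.168.0.0/16"),  # 192.168.0.0 through 192.168.255.255
]


def is_rfc1918(address):
    """True when the address lies in one of the RFC 1918 ranges."""
    ip = IPv4Address(address)
    return any(ip in net for net in RFC1918_RANGES)


def mask_from_prefix(prefix):
    """Dotted-decimal subnet mask for a prefix length (28 -> 255.255.255.240)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(IPv4Address(mask))


def block_size(prefix):
    """Return (index of the interesting octet, block size in that octet).

    The interesting octet is the first one whose mask value is not 255;
    the block size is 256 minus that value. For /28 the mask is
    255.255.255.240, so the fourth octet is interesting and 256 - 240 = 16.
    """
    octets = [int(o) for o in mask_from_prefix(prefix).split(".")]
    for index, value in enumerate(octets):
        if value != 255:
            return index, 256 - value
    return 3, 1  # /32: a single host, block size 1


def subnet_boundaries(prefix):
    """Where each subnet starts in the interesting octet: 0, 16, 32, ... for /28."""
    _, size = block_size(prefix)
    return list(range(0, 256, size))


def subnet_of(address, prefix):
    """Network address of the subnet a host belongs to, the book's way:
    round the interesting octet down to the nearest block boundary and
    zero every octet to its right."""
    index, size = block_size(prefix)
    octets = [int(o) for o in address.split(".")]
    octets[index] -= octets[index] % size
    for later in range(index + 1, 4):
        octets[later] = 0
    return ".".join(str(o) for o in octets)


def broadcast_of(address, prefix):
    """Last address of the host's subnet: the next boundary minus one."""
    network = IPv4Address(subnet_of(address, prefix))
    return str(network + (2 ** (32 - prefix) - 1))


def cross_check(address, prefix):
    """Confirm the hand method against the standard library's own calculation."""
    net = IPv4Network(f"{address}/{prefix}", strict=False)
    return (str(net.network_address), str(net.broadcast_address)) == (
        subnet_of(address, prefix),
        broadcast_of(address, prefix),
    )


if __name__ == "__main__":
    host = "192.168.10.170"  # constructed sample host; it falls in the 160 block
    print(mask_from_prefix(28), block_size(28), subnet_boundaries(28))
    print(subnet_of(host, 28), broadcast_of(host, 28), cross_check(host, 28))
    print(is_rfc1918(host), is_rfc1918("8.8.8.8"))
```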
Chapter 1
Introduction to Networks

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
✓ 1.6 Differentiate between common network topologies
■ Mesh
  ■ Partial
  ■ Full
■ Bus
■ Ring
■ Star
■ Hybrid
■ Point-to-point
■ Point-to-multipoint
■ Client-server
■ Peer-to-peer

You’d have to work pretty hard these days to find someone who would argue when we say that our computers have become invaluable to us personally and professionally. Our society has become highly dependent on the resources they offer and on sharing them with each other. The ability to communicate with others—whether they’re in the same building or in some faraway land—completely hinges on our capacity to create and maintain solid, dependable networks. And those vitally important networks come in all shapes and sizes—ranging from small and simple to humongous and super complicated. But whatever their flavor, they all need to be maintained properly, and to do that well, you have to understand networking basics. The various types of devices and technologies that are used to create networks, as well as how they work together, is what this book is about, and I’ll go through this critical information one step at a time with you. Understanding all of this will not only equip you with a rock-solid base to build on as you gain IT knowledge and grow in your career, it will also arm you with what you’ll need to ace the Network+ certification exam!

To find up-to-the-minute updates for this chapter, please see www.lammle.com/forum or the book’s website at http://sybextestbanks.wiley.com/.

First Things First: What’s a Network?
The dictionary defines the word network as “a group or system of interconnected people or things.” Similarly, in the computer world, the term network means two or more connected computers that can share resources such as data and applications, office machines, an Internet connection, or some combination of these, as shown in Figure 1.1.

Figure 1.1 A basic network (two hosts, one with a printer attached)

Figure 1.1 shows a really basic network made up of only two host computers connected; they share resources such as files and even a printer hooked up to one of the hosts. These two hosts “talk” to each other using a computer language called binary code, which consists of lots of 1s and 0s in a specific order that describes exactly what they want to “say.”

Next, I’m going to tell you about local area networks, how they work, and even how we can connect LANs together. Then, later in this chapter, I’ll describe how to connect remote LANs together through something known as a wide area network.

The Local Area Network

Just as the name implies, a local area network (LAN) is usually restricted to spanning a particular geographic location such as an office building, a single department within a corporate office, or even a home office. Back in the day, you couldn’t put more than 30 workstations on a LAN, and you had to cope with strict limitations on how far those machines could actually be from each other. Because of technological advances, all that’s changed now, and we’re not nearly as restricted in regard to both a LAN’s size and the distance a LAN can span. Even so, it’s still best to split a big LAN into smaller logical zones known as workgroups to make administration easier.

The meaning of the term workgroup in this context is slightly different than when the term is used in contrast to domains.
In that context, a workgroup is a set of devices with no security association with one another (whereas in a domain they do have that association). In this context, we simply mean they physically are in the same network segment.

In a typical business environment, it’s a good idea to arrange your LAN’s workgroups along department divisions; for instance, you would create a workgroup for Accounting, another one for Sales, and maybe another for Marketing—you get the idea. Figure 1.2 shows two separate LANs, each as its own workgroup.

Figure 1.2 Two separate LANs (workgroups): Marketing and Sales, each with its own servers behind its own connectivity device (a hub or a switch); the Marketing LAN also has a printer

First, don’t stress about the devices labeled hub and switch—these are just connectivity devices that allow hosts to physically connect to resources on a LAN. Trust me; I’ll describe them to you in much more detail in Chapter 5, “Networking Devices.”

Anyway, back to the figure. Notice that there’s a Marketing workgroup and a Sales workgroup. These are LANs in their most basic form. Any device that connects to the Marketing LAN can access the resources of the Marketing LAN—in this case, the servers and printer. There are two problems with this:
■ You must be physically connected to a workgroup’s LAN to get the resources from it.
■ You can’t get from one LAN to the other LAN and use its server data and printing resources remotely.

This is a typical network issue that’s easily resolved by using a cool device called a router to connect the two LANs, as shown in Figure 1.3.

Figure 1.3 A router connects LANs (the Marketing and Sales LANs, each with its servers, joined through a router)

Nice—problem solved! Even though you can use routers for more than just connecting LANs, the router shown in Figure 1.3 is a great solution because the host computers from the Sales LAN can get to the resources (server data and printers) of the Marketing LAN, and vice versa.
Now, you might be thinking that we really don’t need the router—that we could just physically connect the two workgroups with a type of cable that would allow the Marketing and Sales workgroups to hook up somehow. Well, we could do that, but if we did, we would have only one big, cumbersome workgroup instead of separate workgroups for Marketing and Sales, and that kind of arrangement just isn’t practical for today’s networks. This is because with smaller, individual-yet-connected groups, the users on each LAN enjoy much faster response times when accessing resources, and administrative tasks are a lot easier, too. Larger workgroups run more slowly because there’s a legion of hosts within them that are all trying to get to the same resources simultaneously. So the router shown in Figure 1.3, which separates the workgroups while still allowing access between them, is a really great solution!

Don’t focus too much on the network connectivity devices like the hubs, routers, and switches I’ve mentioned so far in this chapter yet. We’ll thoroughly cover them all later, in Chapter 5. Right now, I really want you to prioritize your understanding of the concepts that I’m presenting here, so at this point, all you need to know is that hubs and switches are devices that connect other devices together and routers connect networks together.

So let me define the other terms I’ve used so far: workstations, servers, and hosts.

Common Network Components

There are a lot of different machines, devices, and media that make up our networks. Let’s talk about three of the most common:
■ Workstations
■ Servers
■ Hosts

Workstations

Workstations are often seriously powerful computers that run more than one central processing unit (CPU) and whose resources are available to other users on the network to access when needed.
With this much power, you might think I am describing a server—not quite, because there is an important difference between these devices that I’ll cover in the next section. Workstations are often employed as systems that end users use on a daily basis. Don’t confuse workstations with client machines, which can be workstations but not always. People often use the terms workstation and client interchangeably. In colloquial terms, this isn’t a big deal; we all do it. But technically speaking, they are different. A client machine is any device on the network that can ask for access to resources like a printer or other hosts from a server or powerful workstation.

The terms workstation, client, and host can sometimes be used interchangeably. Computers have become more and more powerful and the terms have become somewhat fuzzy because hosts can be clients, workstations, servers, and more! The term host is used to describe pretty much anything that takes an IP address.

Servers

Servers are also powerful computers. They get their name because they truly are “at the service” of the network and run specialized software known as the network operating system to maintain and control the network. In a good design that optimizes the network’s performance, servers are highly specialized and are there to handle one important labor-intensive job. This is not to say that a single server can’t do many jobs, but more often than not, you’ll get better performance if you dedicate a server to a single task.
Here’s a list of common dedicated servers:
File Server: Stores and dispenses files
Mail Server: The network’s post office; handles email functions
Print Server: Manages printers on the network
Web Server: Manages web-based activities by running Hypertext Transfer Protocol (HTTP) for storing web content and accessing web pages
Fax Server: The “memo maker” that sends and receives paperless faxes over the network
Application Server: Manages network applications
Telephony Server: Handles the call center and call routing and can be thought of as a sophisticated network answering machine
Proxy Server: Handles tasks in the place of other machines on the network, particularly an Internet connection

See how the name of each kind of server indicates what it actually does—how it serves the network? This is an excellent way to remember them.

As I said, servers are usually dedicated to doing one specific important thing within the network. Not always though—sometimes they have more than one job. But whether servers are designated for one job or are network multitaskers, they can maintain the network’s data integrity by backing up the network’s software and providing redundant hardware (for fault tolerance). And no matter what, they all serve a number of client machines.

Back in Figure 1.2, I showed you an example of two really simple LAN networks. I want to make sure you know that servers must have considerably superior CPUs, hard-drive space, and memory—a lot more than a simple client’s capacity—because they serve many client machines and provide any resources they require.

Because they’re so important, you should always put your servers in a very secure area. My company’s servers are in a locked server room because not only are they really pricey workhorses, they also store huge amounts of important and sensitive company data, so they need to be kept safe from any unauthorized access. In Figure 1.4, you can see a network populated with both workstations and servers.
Also notice that the hosts can access the servers across the network, which is pretty much the general idea of having a network in the first place!

Figure 1.4 A network populated with servers and workstations (the servers sit in a secure server room; the Sales and Marketing hosts reach them through a hub and a switch)

You probably picked up on the fact that there are more workstations here than servers, right? Think of why that is. If you answered that it’s because one server can provide resources to what can sometimes be a huge number of individual users at the same time but workstations don’t, you nailed it!

Hosts

This can be kind of confusing because when people refer to hosts, they really can be referring to almost any type of networking device—including workstations and servers. But if you dig a bit deeper, you’ll find that usually this term comes up when people are talking about resources and jobs that have to do with Transmission Control Protocol/Internet Protocol (TCP/IP). The scope of possible machines and devices is so broad because, in TCP/IP-speak, host means any network device with an IP address. Yes, you’ll hear IT professionals throw this term around pretty loosely; for the Network+ exam, stick to the definition being network devices, including workstations and servers, with IP addresses.

Here’s a bit of background: The name host harkens back to the Jurassic period of networking when those dinosaurs known as mainframes were the only intelligent devices able to roam the network. These were called hosts whether they had TCP/IP functionality or not. In that bygone age, everything else in the network-scape was referred to as dumb terminals because only mainframes—hosts—were given IP addresses. Another fossilized term from way back then is gateways, which was used to talk about any Layer 3 machines like routers.
We still use these terms today, but they’ve evolved a bit to refer to the many intelligent devices populating our present-day networks, each of which has an IP address. This is exactly the reason you hear host used so broadly.

Wide Area Network

There are legions of people who, if asked to define a wide area network (WAN), just couldn’t do it. Yet most of them use the big dog of all WANs—the Internet—every day! With that in mind, you can imagine that WAN networks are what we use to span large geographic areas and truly go the distance. Like the Internet, WANs usually employ both routers and public links, so that’s generally the criteria used to define them.

WANs are so important that I have dedicated an entire chapter to them: Chapter 16, “Wide Area Networks.”

Here’s a list of some of the important ways that WANs are different from LANs:
■ WANs usually need a router port or ports.
■ WANs span larger geographic areas and/or can link disparate locations.
■ WANs are usually slower.
■ We can choose when and how long we connect to a WAN. A LAN is all or nothing—our workstation is either connected permanently to it or not at all, although most of us have dedicated WAN links now.
■ WANs can utilize either private or public data transport media such as phone lines.

We get the word Internet from the term internetwork. An internetwork is a type of LAN and/or WAN that connects a bunch of networks, or intranets. In an internetwork, hosts still use hardware addresses to communicate with other hosts on the LAN. However, they use logical addresses (IP addresses) to communicate with hosts on a different LAN (other side of the router). And routers are the devices that make this possible. Each connection into a router is a different logical network. Figure 1.5 demonstrates how routers are employed to create an internetwork and how they enable our LANs to access WAN resources.
The Internet is a prime example of what’s known as a distributed WAN—an internetwork that’s made up of a lot of interconnected computers located in a lot of different places. There’s another kind of WAN, referred to as centralized, that’s composed of a main, centrally located computer or location that remote computers and devices can connect to. A good example is remote offices that connect to a main corporate office, as shown in Figure 1.5.

Figure 1.5 An internetwork (Branch1 and Branch2 reach the Corp site, where the servers are, across the Internet)

MPLS

Multiprotocol Label Switching (MPLS) will be defined clearly in Chapter 16, but for the objectives of the CompTIA Network+ exam, this chapter will define the actual layout of what is one of the most popular WAN protocols in use today. MPLS has become one of the most innovative and flexible networking technologies on the market, and has some key advantages over other WAN technologies:
■ Physical layout flexibility
■ Prioritizing of data
■ Redundancy in case of link failure
■ One-to-many connection

MPLS is a switching mechanism that imposes labels (numbers) on data and then uses those labels to forward data when it arrives at the MPLS network, as shown in Figure 1.6.

Figure 1.6 Multiprotocol Label Switching layout (branch offices and the corporate office attached to an MPLS network, with logical connections between sites)

Each router assigns labels to data when the data heads toward the MPLS cloud. The labels are assigned on the edge of the MPLS network, and forwarding inside the MPLS network (cloud) is done solely based on labels through virtual links instead of physical links. Prioritizing data is a huge advantage; for example, voice data could have priority over basic data based on the labels. And since there are multiple paths for the data to be forwarded through the MPLS cloud, there’s even some redundancy provided as well.
Network Architecture: Peer-to-Peer or Client-Server?

We’ve developed networking as a way to share resources and information, and how that’s achieved directly maps to the particular architecture of the network operating system software. There are two main network types you need to know about: peer-to-peer and client-server. And by the way, it’s really tough to tell the difference just by looking at a diagram or even by checking out live video of the network humming along. But the differences between peer-to-peer and client-server architectures are pretty major. They’re not just physical; they’re logical differences. You’ll see what I mean in a bit.

Peer-to-Peer Networks

Computers connected together in peer-to-peer networks do not have any central, or special, authority—they’re all peers, meaning that when it comes to authority, they’re all equals. The authority lies with the computer that has the desired resource being requested from it to perform a security check for proper access rights. It also means that the computers coexisting in a peer-to-peer network can be client machines that access resources and server machines that provide them to other computers.

This actually works pretty well as long as there isn’t a huge number of users on the network, if each user backs things up locally, and if your network doesn’t require much security. If your network is running Windows, Mac, or Unix in a local LAN workgroup, you have a peer-to-peer network. Figure 1.7 gives you a snapshot of a typical peer-to-peer network. Keep in mind that peer-to-peer networks definitely present security-oriented challenges; for instance, just backing up company data can get pretty sketchy!

Figure 1.7 A peer-to-peer network (four hosts, Millie, Mickey, Pluto, and Louie, connected to a hub; each host keeps its own table of users, passwords, and access rights, and the same user’s password differs from host to host)

Since it should be clear by now that peer-to-peer networks aren’t all sunshine, backing up all your critical data may be tough, but it’s vital! Haven’t all of us forgotten where we’ve put an important file? And then there’s that glaring security issue to tangle with. Because security is not centrally governed, each and every user has to remember and maintain a list of users and passwords on each and every machine. Worse, some of those all-important passwords for the same users change on different machines—even for accessing different resources. What a mess!

Client-Server Networks

Client-server networks are pretty much the polar opposite of peer-to-peer networks because in them, a single server uses a network operating system for managing the whole network. Here’s how it works: A client machine’s request for a resource goes to the main server, which responds by handling security and directing the client to the desired resource. This happens instead of the request going directly to the machine with the desired resource, which has some serious advantages.

First, because the network is much better organized and doesn’t depend on users remembering where needed resources are, it’s a whole lot easier to find the files you need because everything is stored in one spot—on that special server. Your security also gets a lot tighter because all usernames and passwords are on that specific server, which is never ever used as a workstation. You even gain scalability—client-server networks can have legions of workstations on them. And surprisingly, with all those demands, the network’s performance is actually optimized—nice!

Check out Figure 1.8, which shows a client-server network with a server that has a database of access rights, user accounts, and passwords.

Figure 1.8 A client-server network (the same four hosts on a hub, with a single server holding one table of users, passwords, and access rights)
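As an added example (my code, not the book’s), the per-host tables of Figure 1.7 and the server table of Figure 1.8, transcribed from the figures, make the “what a mess” point measurable: it counts the entries an administrator must keep in sync, finds the users whose password differs from host to host, and lists every machine that has to be touched to remove a user. The figure does not say which per-host table belongs to which host, so that assignment is an assumption.

```python
"""Added example for the peer-to-peer versus client-server comparison.
The account tables are transcribed from Figures 1.7 and 1.8; which of the
four per-host tables belongs to which host is not labelled in the figure,
so the host-to-table assignment below is an assumption."""

from collections import defaultdict

# Peer-to-peer (Figure 1.7): every host keeps its own table of users.
# Values are (password, access right). Host assignment is assumed.
PEER_TO_PEER = {
    "Millie": {"Mickey": ("!Tails?", "Full"),
               "Pluto": ("$NoKats", "Read"),
               "Louie": ("^Wet#!", "Read")},
    "Mickey": {"Millie": ("#Shorts?", "Read"),
               "Pluto": ("&LittleTail!", "Full"),
               "Louie": ("^Wet#!", "Full")},
    "Pluto": {"Millie": ("#Shorts?", "Read"),
              "Mickey": ("My!Ears?", "Read"),
              "Louie": ("^Wet#!", "Full")},
    "Louie": {"Millie": ("#Shorts?", "Read"),
              "Pluto": ("&LittleTail!", "Full"),
              "Mickey": ("&&Boss!@", "Full")},
}

# Client-server (Figure 1.8): one table, kept on the server, for everybody.
CLIENT_SERVER = {
    "Server": {"Millie": ("#Shorts?", "Read"),
               "Pluto": ("&LittleTail!", "Full"),
               "Louie": ("^Wet#!", "Full"),
               "Mickey": ("--Earls?", "Write")},
}


def credential_entries(tables):
    """How many (host, user) password entries an administrator must keep in sync."""
    return sum(len(table) for table in tables.values())


def inconsistent_passwords(tables):
    """Users whose password is not the same on every host that knows them."""
    passwords = defaultdict(set)
    for table in tables.values():
        for user, (password, _access) in table.items():
            passwords[user].add(password)
    return {user: sorted(pw) for user, pw in passwords.items() if len(pw) > 1}


def hosts_knowing(tables, user):
    """Every host whose table must be edited when `user` changes password or leaves."""
    return sorted(host for host, table in tables.items() if user in table)


def remove_user(tables, user):
    """Offboard a user: return the cleaned tables and the hosts that had to be touched.
    In the peer-to-peer layout that is several machines; in client-server it is one."""
    touched = hosts_knowing(tables, user)
    cleaned = {host: {u: entry for u, entry in table.items() if u != user}
               for host, table in tables.items()}
    return cleaned, touched


if __name__ == "__main__":
    for name, tables in (("peer-to-peer", PEER_TO_PEER), ("client-server", CLIENT_SERVER)):
        print(name, "entries to maintain:", credential_entries(tables))
        print(name, "users with differing passwords:", inconsistent_passwords(tables))
        print(name, "hosts touched to remove Mickey:", remove_user(tables, "Mickey")[1])
```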
Many of today’s networks are hopefully a healthy blend of peer-to-peer and client-server architectures, with carefully specified servers that permit the simultaneous sharing of resources from devices running workstation operating systems. Even though the supporting machines can’t handle as many inbound connections at a time, they still run the server service reasonably well. And if this type of mixed environment is designed well, most networks benefit greatly by having the capacity to take advantage of the positive aspects of both worlds.

Physical Network Topologies

Just as a topographical map is a type of map that shows the shape of the terrain, the physical topology of a network is also a type of map. It defines the specific characteristics of a network, such as where all the workstations and other devices are located and the precise arrangement of all the physical media such as cables. On the other hand, the logical topologies we covered earlier delineate exactly how data moves through the network. Now, even though these two topologies are usually a lot alike, a particular network can actually have physical and logical topologies that are very different. Basically, what you want to remember is that a network’s physical topology gives you the lay of the land and the logical topology shows how a digital signal or data navigates through that layout.

Here’s a list of the topologies you’re most likely to run into these days:
■ Bus
■ Star
■ Ring
■ Mesh
■ Point-to-point
■ Point-to-multipoint
■ Hybrid

Bus Topology

This type of topology is the most basic one of the bunch, and it really does sort of resemble a bus, but more like one that’s been in a wreck!
Anyway, the bus topology consists of two distinct and terminated ends, with each of its computers connecting to one unbroken cable running its entire length. Back in the day, we used to attach computers to that main cable with wire taps, but this didn’t work all that well so we began using drop cables in their place. If we were dealing with 10Base2 Ethernet, we would slip a “T” into the main cable anywhere we wanted to connect a device to it instead of using drop cables. Figure 1.9 depicts what a typical bus network’s physical topology looks like.

Figure 1.9 A typical bus network’s physical topology (a laser printer, a server labeled S1, and computers all attached to one terminated cable)

Even though all the computers on this kind of network see all the data flowing through the cable, only the one computer, which the data is specifically addressed to, actually gets the data. Some of the benefits of using a bus topology are that it’s easy to install and it’s not very expensive, partly because it doesn’t require as much cable as the other types of physical topologies. But it also has some drawbacks: For instance, it’s hard to troubleshoot, change, or move, and it really doesn’t offer much in the way of fault tolerance because everything is connected to that single cable. This means that any fault in the cable would basically bring the whole network down!

By the way, fault tolerance is the capability of a computer or a network system to respond to a condition automatically, often resolving it, which reduces the impact on the system. If fault-tolerance measures have been implemented correctly on a network, it’s highly unlikely that any of that network’s users will know that a problem ever existed at all.

Star Topology

A star topology’s computers are connected to a central point with their own individual cables or wireless connections. You’ll often find that central spot inhabited by a device like a hub, a switch, or an access point.
Star topology offers a lot of advantages over bus topology, making it more widely used even though it obviously requires more physical media. One of its best features is that because each computer or network segment is connected to the central device individually, if the cable fails, it only brings down the machine or network segment related to the point of failure. This makes the network much more fault tolerant as well as a lot easier to troubleshoot. Another great thing about a star topology is that it’s a lot more scalable—all you have to do if you want to add to it is run a new cable and connect to the machine at the core of the star. In Figure 1.10, you’ll find a great example of a typical star topology.

Figure 1.10 Typical star topology with a hub

Although it is called a star topology, it also looks a lot like a bike wheel with spokes connecting to the hub in the middle of the wheel and extending outward to connect to the rim. And just as with that bike wheel, it’s the hub device at the center of a star topology network that can give you the most grief if something goes wrong with it. If that central hub happens to fail, down comes the whole network, so it’s a very good thing hubs don’t fail often!

Just as it is with pretty much everything, a star topology has its pros and cons. But the good news far outweighs the bad, which is why people often opt for star topology. And here’s a list of benefits you gain by going with it:
■ New stations can be added easily and quickly.
■ A single cable failure won’t bring down the entire network.
■ It’s relatively easy to troubleshoot.

And here are the disadvantages to using a star topology:
■ The total installation cost can be higher because of the larger number of cables, even though prices are becoming more competitive.
■ It has a single point of failure—the hub or other central device.
There are two more sophisticated implementations of a star topology. The first is called a point-to-point link, where you have not only the device in the center of the spoke acting as a hub but also a device on the other end, which extends the network. This is still a star-wired topology, but as I’m sure you can imagine, it gives you a lot more scalability!

Another refined version is the wireless version, but to understand this variety well, you’ve got to have a solid grasp of all the capabilities and features of any devices populating the wireless star topology. No worries, though—I’ll be covering wireless access points later on in Chapter 12, “Wireless Networking.” For now, it’s good enough for you to know that access points are pretty much just wireless hubs or switches that behave like their wired counterparts. Basically, they create a point-by-point connection to endpoints and other wireless access points.

Ring Topology

In this type of topology, each computer is directly connected to other computers within the same network. Looking at Figure 1.11, you can see that the network’s data flows from computer to computer back to the source, with the network’s primary cable forming a ring. The problem is, the ring topology has a lot in common with the bus topology because if you want to add to the network, you have no choice but to break the cable ring, which is likely to bring down the entire network! This is one big reason that ring topology isn’t very popular—you just won’t run into it a lot as I did in the 1980s and early 1990s. It’s also pricey because you need several cables to connect each computer, it’s really hard to reconfigure, and as you’ve probably guessed, it’s not fault-tolerant.

Figure 1.11 A typical ring topology

But even with all that being said, if you work at an ISP, you may still find a physical ring topology in use for a technology called SONET or some other WAN technology.
However, you just won’t find any LANs in physical rings anymore.

Mesh Topology

In this type of topology, you’ll find that there’s a path from every machine to every other one in the network. That’s a lot of connections—in fact, the mesh topology wins the prize for “most physical connections per device”! You won’t find it used in LANs very often, if ever, these days, but you will find a modified version of it known as a hybrid mesh used in a restrained manner on WANs, including the Internet.

Often, hybrid mesh topology networks will have quite a few connections between certain places to create redundancy (backup). And other types of topologies can sometimes be found in the mix, too, which is another reason it’s dubbed hybrid. Just remember that it isn’t a full-on mesh topology if there isn’t a connection between all devices in the network. And understand that it’s fairly complicated. Figure 1.12 gives you a great picture of just how much only four hosts can complicate things!

Figure 1.12 A typical mesh topology

You can clearly see that everything gets more and more complex as both the wiring and the connections multiply. For each n locations or hosts, you end up with n(n–1)/2 connections. This means that in a network consisting of only four computers, you have 4(4–1)/2, or 6 connections. And if that little network grows to, say, a population of 10 computers, you’ll then have a whopping 45 connections to cope with! That’s a huge amount of overhead, so only small networks can really use this topology and manage it well. On the bright side, you get a really nice level of fault tolerance, but mesh still isn’t used in corporate LANs anymore because they were so complicated to manage. A full mesh physical topology is least likely to have a collision, which happens when the data from two hosts trying to communicate simultaneously “collides” and gets lost.
That fault tolerance is also the reason you'll usually find the hybrid version in today's WANs. In fact, the mesh topology is actually pretty rare now, but it's still used because of the robust fault tolerance it offers. Because you have a multitude of connections, if one goes on the blink, computers and other network devices can simply switch to one of the many redundant connections that are up and running. And clearly, all that cabling in the mesh topology makes it a very pricey implementation. Plus, you can make your network management much less insane than it is with mesh by using what's known as a partial mesh topology solution instead, so why not go that way? You may lose a little fault tolerance, but if you go the partial mesh route, you still get to use the same technology between all the network's devices. Just remember that with partial mesh, not all devices will be interconnected, so it's very important to choose the ones that will be very wisely.

Point-to-Point Topology

As its name implies, in a point-to-point topology you have a direct connection between two routers or switches, giving you one communication path. The routers in a point-to-point topology can be linked by a serial cable, making it a physical point-to-point network. If they're located far apart and connected only via a circuit within a Frame Relay or MPLS network, it's a logical point-to-point network instead. Figure 1.13 illustrates a typical T1, or WAN, point-to-point connection. What you see there is a lightning bolt and a couple of round things with a bunch of arrows projecting from them, right? Well, the two round things radiating arrows represent our network's two routers, and that lightning bolt represents a WAN link. These symbols are industry standard, and I'll be using them throughout this book, so it's a good idea to get used to them! Okay, so part two of the diagram shows two computers connected by a cable, a point-to-point link. By the way, this should remind you of something we just went over.
Remember peer-to-peer networks? Good! I hope you also remember that a big drawback to peer-to-peer network sharing is that it's not very scalable. With this in mind, you probably won't be all that surprised that even if both machines have a wireless point-to-point connection, this network still won't be very scalable.

Figure 1.13 Three point-to-point connections: a serial connection, like a T1, between routers; a direct Ethernet or wireless link between two computers; and a direct cable from a computer to a hub or switch

You'll usually find point-to-point links within many of today's WANs, and as you can see in part three of Figure 1.13, a link from a computer to a hub or switch is also a valid point-to-point connection. A common version of this setup consists of a direct wireless link between two wireless bridges that's used to connect computers in two different buildings together.

Point-to-Multipoint Topology

Again as the name suggests, a point-to-multipoint topology consists of a succession of connections between an interface on one router and multiple destination routers: one point of connection to multiple points of connection. Each of the routers and every one of their interfaces involved in the point-to-multipoint connection are part of the same network. Figure 1.14 shows a WAN and demonstrates a point-to-multipoint network. You can clearly see a single corporate router connecting to multiple branch offices.

Figure 1.14 A point-to-multipoint network, example 1: a corporate office connected to several branch offices

Figure 1.15 shows another prime example of a point-to-multipoint network: a college or corporate campus.

Figure 1.15 A point-to-multipoint network, example 2

Hybrid Topology

I know I just talked about hybrid network topology in the section about mesh topology, but I didn't give you a mental picture of it in the form of a figure.
I also want to point out that hybrid topology means just that: a combination of two or more types of physical or logical network topologies working together within the same network. Figure 1.16 depicts a simple hybrid network topology; it shows a LAN switch or hub in a star topology configuration that connects to its hosts via bus topology.

Figure 1.16 A simple hybrid network: a hub wired as a physical star, operating as a logical bus

Topology Selection, Backbones, and Segments

Now that you're familiar with many different types of network topologies, you're ready for some tips on selecting the right one for your particular network. You also need to know about backbones and segments, which I'll cover in the very last part of this chapter.

They're Just Cables, Right? Wrong!

Regardless of the type of network you build, you need to start thinking about quality at the bottom and work up. Think of it as if you were at an electronics store buying the cables for your home theater system. You've already spent a bunch of time and money getting the right components to meet your needs. Because you've probably parted with a hefty chunk of change, you might be tempted to cut corners, but why would you stop now and connect all your high-quality devices together with the cable equivalent of twine? No, you're smarter than that; you know that picking out the exact cables that will maximize the sound and picture quality of your specific components can also protect them! It's the same thing when you're faced with selecting the physical media for a specific network. You just don't want to cut corners here because this is the backbone of the network, and you definitely don't want to be faced with going through the costly pain of replacing this infrastructure once it's been installed. Doing that will cost you a lot more than taking the time to wisely choose the right cables and spending the money it takes to get them in the first place.
The network downtime alone can cost a company a bundle! Another reason for choosing the network's physical media well is that it's going to be there for a good five to 10 years. This means two things: It better be solid quality, and it better be scalable, because that network is going to grow and change over the years.

Selecting the Right Topology

As you now know, not only do you have a buffet of network topologies to choose from, but each one also has pros and cons to implementing it. But it really comes down to that well-known adage "Ask the right questions." First, how much cash do you have? How much fault tolerance and security do you really need? Also, is this network likely to grow like a weed; will you need to quickly and easily reconfigure it often? In other words, how scalable does your network need to be? For instance, if your challenge is to design a nice, cost-effective solution that involves only a few computers in a room, getting a wireless access point and some wireless network cards is definitely your best way to go because you won't need to part with the cash for a bunch of cabling and it's super easy to set up. Alternatively, if you're faced with coming up with a solid design for a growing company's already-large network, you're probably good to go with a wired star topology because it will nicely allow for future changes. Remember, a star topology really shines when it comes to making additions to the network, moving things around, and making any kind of changes happen quickly, efficiently, and cost effectively. If, say, you're hired to design a network for an ISP that needs to be up and running 99.9 percent of the time, with no more than about eight hours a year of allowed downtime, well, you need Godzilla-strength fault tolerance. Do you remember which topology gives that up the best? (Hint: Internet.) Your primo solution is to go with either a hybrid or a partial mesh topology.
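To make those trade-offs concrete, here is an added example (my own illustration, not part of the study guide) that models each topology from this chapter as a set of links and then scores it two ways: the number of cables you have to buy and maintain, and how many hosts are cut off from the largest surviving group after the worst single cable or device failure. The host count, the cross-links chosen for the partial mesh, and counting the hub as a device are assumptions made for the illustration.

```python
"""Added example, not from the study guide: score the chapter's topologies by
cable count and by how badly a single failure hurts connectivity.
Hosts are the integers 0..n-1; a star adds one central device named "hub".
The partial-mesh cross-links are an assumption chosen for illustration."""
from itertools import combinations


def full_mesh(n):
    # every host wired to every other host: n(n-1)/2 links
    return {frozenset(p) for p in combinations(range(n), 2)}


def ring(n):
    # each host wired to its two neighbours, last host back to the first
    return {frozenset((i, (i + 1) % n)) for i in range(n)}


def bus(n):
    # hosts daisy-chained in a line; the two end hosts have one neighbour each
    return {frozenset((i, i + 1)) for i in range(n - 1)}


def star(n):
    # every host has one cable to the central hub or switch
    return {frozenset((i, "hub")) for i in range(n)}


def partial_mesh(n, cross_links=2):
    # a ring plus a few extra cross-links (assumed layout): some redundancy
    # without paying for n(n-1)/2 cables
    links = ring(n)
    for i in range(cross_links):
        links.add(frozenset((i, (i + n // 2) % n)))
    return links


def components(nodes, links):
    """Group nodes into sets that can still reach each other over links."""
    adj = {v: set() for v in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    groups, seen = [], set()
    for v in nodes:
        if v in seen:
            continue
        group, stack = set(), [v]
        while stack:
            cur = stack.pop()
            if cur in group:
                continue
            group.add(cur)
            stack.extend(adj[cur] - group)
        seen |= group
        groups.append(group)
    return groups


def hosts_cut_off(hosts, links):
    """Number of hosts that cannot reach the largest surviving group of hosts."""
    hosts = set(hosts)
    nodes = hosts | set().union(*links)
    largest = max((len(g & hosts) for g in components(nodes, links)), default=0)
    return len(hosts) - largest


def worst_single_failure(hosts, links):
    """Hosts cut off by the worst single cable failure and by the worst
    single device failure (a host, or the hub in a star)."""
    hosts = set(hosts)
    worst_link = max(hosts_cut_off(hosts, links - {l}) for l in links)
    worst_device = max(
        hosts_cut_off(hosts - {d}, {l for l in links if d not in l})
        for d in set().union(*links))
    return worst_link, worst_device


def evaluate(n=10):
    """Return {topology: (cables, worst cable failure, worst device failure)}."""
    assert n >= 3, "the ring and bus builders need at least three hosts"
    hosts = range(n)
    builders = [("bus", bus), ("ring", ring), ("star", star),
                ("partial mesh", partial_mesh), ("full mesh", full_mesh)]
    report = {}
    for name, build in builders:
        links = build(n)
        report[name] = (len(links),) + worst_single_failure(hosts, links)
    return report


if __name__ == "__main__":
    for name, (cables, link_fail, dev_fail) in evaluate(10).items():
        print(f"{name:13s} cables={cables:3d}  worst cable failure cuts off "
              f"{link_fail} host(s), worst device failure cuts off {dev_fail}")
```

With ten hosts the star needs the same ten cables as the ring and loses only one host to a cut cable, but losing the hub strands every host, which is exactly the single point of failure the review questions ask about; the full mesh survives any single failure at the price of 45 cables, and the partial mesh gets the same single-failure survival for 12.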
Remember that partial mesh leaves you with a subset of n(n-1)/2 connections to maintain, a number that could very well blow a big hole in your maintenance budget! Here's a list of things to keep in mind when you're faced with coming up with the right topology for the right network:

■ Cost
■ Ease of installation
■ Ease of maintenance
■ Fault-tolerance requirement
■ Security requirement

The Network Backbone

Today's networks can get pretty complicated, so we need to have a standard way of communicating with each other intelligibly about exactly which part of the network we're referencing. This is the reason we divide networks into different parts called backbones and segments. Figure 1.17 illustrates a network and shows which part is the backbone and which parts are segments. You can see that the network backbone is actually kind of like our own. It's what all the network segments and servers connect to and what gives the network its structure. As you can imagine, being such an important nerve center, the backbone must use some kind of seriously fast, robust technology, often Gigabit Ethernet. And to optimize network performance, its speed and efficiency, it follows that you would want to connect all of the network's servers and segments directly to the network's backbone.

Network Segments

When we refer to a segment, we can mean any small section of the network that may be connected to, but isn't actually a piece of, the backbone. The network's workstations and servers organized into segments connect to the network backbone, which is the common connecting point for all segments; you can see this by taking another look at Figure 1.17, which displays four segments.

Figure 1.17 Backbone and segments on a network: servers attach to the backbone, and segments such as Sales and Marketing hang off it

Summary

This chapter created a solid foundation for you to build your networking knowledge on as you go through this book.
In it, you learned what, exactly, a network is, and you got an introduction to some of the components involved in building one (routers, switches, and hubs) as well as the jobs they do in a network. You also learned that having the components required to build a network isn't all you need. Understanding the various types of network connection methods, like peer-to-peer and client-server, is also vital. Further, you learned about the various types of logical and physical network topologies and the features and drawbacks of each. I wrapped up the chapter with a short discussion about network backbones and segments and equipped you with the right questions to ask yourself to ensure that you come up with the right network topology for your networking needs.

Exam Essentials

Know your network topologies. Know the names and descriptions of the topologies. Be aware of the difference between physical networks (what humans see) and logical networks (what the equipment "sees").

Know the advantages and disadvantages of the topologies. It is important to know what each topology brings to the table. Knowing the various characteristics of each topology comes in handy during troubleshooting.

Understand the terms LAN and WAN. You need to understand when you would use a LAN and when you would use a WAN. A LAN is used to connect a group of hosts together, and a WAN is used to connect various LANs together.

Written Labs

You can find the answers in Appendix A.

1. What are the three basic LAN topologies?
2. What common WAN topology often results in multiple connections to a single site (leading to a high degree of fault tolerance) and has one-to-many connections?
3. What is the term for a device that shares its resources with other network devices?
4. What network model draws a clear distinction between devices that share their resources and devices that do not?
5. Which network topology or connection type can be implemented with only two endpoints?
6. What device is generally implemented as a star topology?
7. What does MPLS stand for?
8. What does WAN stand for?
9. Will a computer that shares no resources most likely be connected to the backbone or to a segment?
10. Which LAN topology is characterized by all devices being daisy-chained together with the devices at each end being connected to only one other device?

Review Questions

You can find the answers to the review questions in Appendix B.

1. You need a network that provides centralized authentication for your users. Which of the following logical topologies should you use?
A. VLANs
B. Peer-to-peer
C. Client-server
D. Mesh

2. You need a topology that is scalable to use in your network. Which of the following will you install?
A. Bus
B. Ring
C. Star
D. Mesh

3. Which of the following physical topologies has the most connections and is the least popular for LANs?
A. Bus
B. Star
C. Ring
D. Mesh

4. In a physical star topology, what happens when a workstation loses its physical connection to another device?
A. The ring is broken, so no devices can communicate.
B. Only that workstation loses its ability to communicate.
C. That workstation and the device it's connected to lose communication with the rest of the network.
D. No devices can communicate because there are now two unterminated network segments.

5. Which type of WAN technology uses labels, which enables prioritization of voice through the network?
A. VPN
B. T1
C. MPLS
D. LAN
E. Bus

6. What is a logical grouping of network users and resources called?
A. WAN
B. LAN
C. MPLS
D. Host

7. Which of the following is a concern when using peer-to-peer networks?
A. Where to place the server
B. Whose computer is least busy and can act as the server
C. The security associated with such a network
D. Having enough peers to support creating such a network

8. Which of the following is an example of when a point-to-multipoint network is called for?
A. When a centralized office needs to communicate with many branch offices
B. When a full mesh of WAN links is in place
C. When multiple offices are daisy-chained to one another in a line
D. When there are only two nodes in the network to be connected

9. Which of the following is an example of a LAN?
A. Ten buildings interconnected by Ethernet connections over fiber-optic cabling
B. Ten routers interconnected by Frame Relay circuits
C. Two routers interconnected with a T1 circuit
D. A computer connected to another computer so they can share resources

10. Which of the following is a disadvantage of the star topology?
A. When a single port on the central concentrating device fails, the entire network loses connectivity.
B. When the central concentrating device experiences a complete failure, all attached devices lose connectivity to the rest of the network.
C. In a star topology, a more expensive type of host must be used compared to the host used when implementing a physical bus.
D. It is more difficult to add stations and troubleshoot than with other topologies.

11. What is a difference between a LAN and a WAN?
A. WANs require a router.
B. WANs cover larger geographical areas.
C. WANs can utilize either private or public data transport.
D. All of the above.

12. Which of the following provides the most physical layout flexibility in a very large, geographically dispersed enterprise network?
A. Bus topology
B. LAN switch
C. Star topology
D. MPLS cloud network

13. In what type of network are all computers considered equal and do not share any central authority?
A. Peer-to-peer
B. Client-server
C. Physical topology
D. None of the above

14. What advantage does the client-server architecture have over peer-to-peer?
A. Easier maintenance
B. Greater organization
C. Tighter security
D. All of the above

15. Which of the following is an example of a hybrid network?
A. Ethernet switch
B. Ring topology
C. Bus topology
D. Star topology

16. You have a network with multiple LANs and want to keep them separate but still connect them together so they can all get to the Internet. Which of the following is the best solution?
A. Use static IP addresses.
B. Add more hubs.
C. Implement more switches.
D. Install a router.

17. Which type of topology has the greatest number of physical connections?
A. Point-to-multipoint
B. Star
C. Point-to-point
D. Mesh

18. What type of topology gives you a direct connection between two routers so that there is one communication path?
A. Point-to-point
B. Star
C. Bus
D. Straight

19. Which network topology is a combination of two or more types of physical or two or more types of logical topologies?
A. Point-to-multipoint
B. Hybrid
C. Bus
D. Star

20. When designing a network and deciding which type of network topology to use, which item(s) should be considered? (Select all that apply.)
A. Cost
B. Ease of installation
C. Ease of maintenance
D. Fault-tolerance requirements

Chapter 2 The Open Systems Interconnection Specifications

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 5.0 Industry standards, practices, and network theory
✓ 5.1 Analyze a scenario and determine the corresponding OSI layer
■ Layer 1 – Physical
■ Layer 2 – Data link
■ Layer 3 – Network
■ Layer 4 – Transport
■ Layer 5 – Session
■ Layer 6 – Presentation
■ Layer 7 – Application
✓ 5.2 Explain the basics of network theory and concepts
■ Encapsulation/de-encapsulation
■ Modulation techniques
■ Multiplexing
■ De-multiplexing
■ Analog and digital techniques
■ TDM

In this chapter, we're going to analyze the Open Systems Interconnection (OSI) model.
I'll thoroughly describe each part to you in detail because it's imperative for you to grasp the OSI model's key concepts. Once solidly equipped with this vital foundation, you'll be set to move on and build your own, personal storehouse of networking knowledge. The OSI model has seven hierarchical layers that were developed to enable different networks to communicate reliably between disparate systems. Because this book is centering upon all things Network+, it's crucial for you to understand the OSI model as CompTIA sees it, so I'll present each of its seven layers in that light. I'll also provide you with an introduction to encapsulation, which is the process of wrapping data in successive headers as it goes down the OSI stack. I'll finish this chapter by covering important modulation techniques.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/forum or the book's website at http://sybextestbanks.wiley.com/

Internetworking Models

In the very first networks, the computers involved could communicate only with other computers made by the same manufacturer. For example, companies ran either a complete DECnet solution or an IBM solution, not both together. In the late 1970s, the Open Systems Interconnection (OSI) reference model was created by the International Organization for Standardization (ISO) to break through this barrier. The OSI model was meant to help vendors create interoperable network devices and software in the form of protocols, or standards, so that different vendors' networks could become compatible and work together. Like world peace, it'll probably never happen completely, but it's still a great goal. The OSI model is the primary architectural model for networks. It describes how data and network information are communicated from an application on one computer through the network media to an application on another computer. The OSI reference model breaks this approach into layers.
Let's move on and explore this layered approach as well as how you can utilize its key concepts to troubleshoot internetworks.

The Layered Approach

Basically, a reference model is a conceptual blueprint of how communications should take place. It addresses all the processes required for effective communication and divides these processes into logical groupings called layers. When a communication system is designed in this manner, it's known as layered architecture. Think of it like this: Say you and some friends want to start a company. One of the first things you'll do is sit down and think through what tasks must be done, who will do them, the order in which they will be done, and how they relate to each other. Ultimately, you might group these tasks into departments. Let's say you decide to have a customer service department, an inventory department, and a shipping department. Each of your departments has its own unique tasks, keeping its staff members busy and requiring them to focus only on their own duties. In this scenario, I'm using departments as a metaphor for the layers in a communication system. For things to run smoothly, the staff of each department has to trust and rely heavily on the others to do their jobs and competently handle their unique responsibilities. During your planning sessions, you'll probably take notes, recording the entire process to facilitate later discussions about standards of operation that will serve as your business blueprint or reference model. Once your business is launched, each department leader will need to develop practical methods to implement their assigned tasks using the specific part of the business model's blueprint that relates to their branch. These practical methods, or protocols, must be compiled into a standard operating procedures manual and followed closely.
The procedures in your manual will have been included for different reasons and have varying degrees of importance and implementation. If you form a partnership or acquire another company, it will be crucial for its business protocols to either match or be compatible with yours. Similarly, software developers can use a reference model to understand computer communication processes and see exactly what must be accomplished on any one layer and how. In other words, if I need to develop a protocol for a certain layer, I only need to focus on that specific layer's functions. I don't need to be concerned with those of any other layer because different protocols will be in place to meet the different layers' needs. The technical term for this idea is binding. The communication processes that are related to each other are bound, or grouped together, at a particular layer.

Advantages of Reference Models

The OSI model is hierarchical, and I'd like to point out that the same beneficial characteristics can actually apply to any layered model. Understand that the central purpose of the OSI, and all networking models, is to allow different vendors' networks to interoperate smoothly. This short list depicts some of the most important advantages we gain by using the OSI layered model:

■ The OSI model divides network communication processes into smaller and simpler components, thus aiding component development, design, and troubleshooting.
■ It allows multiple-vendor development through the standardization of network components.
■ It encourages industry standardization by defining the specific functions that occur at each layer of the model.
■ It allows various types of network hardware and software to communicate.
■ It prevents changes in one layer from affecting other layers, facilitating development and making application programming much easier.
The OSI Reference Model

One of the greatest functions of the OSI specifications is to assist in data transfer between disparate hosts, regardless of whether they're Unix-, Windows-, or Mac-based. But keep in mind that the OSI model isn't a physical model; it's a conceptual and comprehensive yet fluid set of guidelines, which application developers utilize to create and implement applications that run on a network. It also provides a framework for creating and implementing networking standards, devices, and internetworking schemes. The OSI model has seven layers:

■ Application (Layer 7)
■ Presentation (Layer 6)
■ Session (Layer 5)
■ Transport (Layer 4)
■ Network (Layer 3)
■ Data Link (Layer 2)
■ Physical (Layer 1)

Figure 2.1 summarizes the functions that occur at each layer of the OSI model. With this in mind, you're ready to delve into what takes place at each layer in detail.

Figure 2.1 Layer functions
■ Application: file, print, message, database, and application services
■ Presentation: data encryption, compression, and translation services
■ Session: dialog control
■ Transport: end-to-end connection
■ Network: routing
■ Data Link: framing
■ Physical: physical topology

Some people like to use the mnemonic Please Do Not Throw Sausage Pizza Away to remember the seven layers (starting at Layer 1 and moving up to Layer 7). I didn't make that up! The OSI's seven layers are divided into two groups. The top three layers define the rules of how the applications working within host machines communicate with each other as well as with end users. The bottom four layers define how the actual data is transmitted from end to end. Figure 2.2 shows the top three layers and their functions, and Figure 2.3 shows the four lower layers and their functions.
Figure 2.2 The upper layers
■ Application: provides a user interface
■ Presentation: presents data; handles processing such as encryption
■ Session: keeps different applications' data separate

Figure 2.3 The lower layers
■ Transport: provides reliable or unreliable delivery; performs error correction before retransmit
■ Network: provides logical addressing, which routers use for path determination
■ Data Link: combines packets into bytes and bytes into frames; provides access to media using MAC address; performs error detection, not correction
■ Physical: moves bits between devices; specifies voltage, wire speed, and pin-out of cables

Looking at Figure 2.2, it's clear that actual users interface with the computer at the Application layer. It's also apparent that the upper layers are responsible for applications communicating between hosts. Remember that none of the upper layers "know" anything about networking or network addresses. That's the responsibility of the four bottom layers. Figure 2.3 illustrates that the four bottom layers define how data is transferred through physical media, switches, and routers. These bottom layers also determine how to rebuild a data stream from a transmitting host to a destination host's application. Okay, so let's start at the Application layer and work our way down the stack.

The Application Layer

The Application layer of the OSI model marks the spot where users actually communicate or interact with the computer. Technically, users communicate with the network stack through application processes, interfaces, or APIs that connect the application in use to the operating system of the computer. The Application layer chooses and determines the availability of communicating partners along with the resources necessary to make their required connections.
It coordinates partnering applications and forms a consensus on procedures for controlling data integrity and error recovery. The Application layer comes into play only when it's apparent that access to the network will be needed soon. Take the case of Internet Explorer (IE). You could uninstall every trace of networking components from a system, such as TCP/IP, the network card, and so on, and you could still use IE to view a local HTML document without a problem. But things would definitely get messy if you tried to do something like view an HTML document that had to be retrieved using HTTP or nab a file with FTP or TFTP because IE responds to requests like those by attempting to access the Application layer. So what's happening is that the Application layer acts as an interface between the application program, which isn't part of the layered structure, and the next layer down by providing ways for the application to send information down through the protocol stack. In other words, IE doesn't reside within the Application layer; it interfaces with Application layer protocols when it needs to deal with remote resources. The Application layer is also responsible for identifying and establishing the availability of the intended communication partner and determining whether sufficient resources for the requested communication exist. These tasks are important because computer applications sometimes require more than just desktop resources. Often, they unite communicating components from more than one network application. Prime examples are file transfers and email as well as enabling remote access, network-management activities, and client-server processes like printing and information location. Many network applications provide services for communication over enterprise networks, but for present and future internetworking, the need is fast developing to reach beyond the limitations of current physical networking.
It's important to remember that the Application layer acts as an interface between application programs and the protocol stack. For instance, Microsoft Word doesn't reside at the Application layer; it interfaces with the Application layer protocols. Later in Chapter 6, "Introduction to the Internet Protocol," I'll tell you all about key programs or processes that actually do reside at the Application layer, like FTP and TFTP.

The Presentation Layer

The Presentation layer gets its name from its purpose: it presents data to the Application layer and is responsible for data translation and code formatting. A successful data-transfer technique is to adapt the data into a standard format before transmission. Computers are configured to receive this generically formatted data and then convert it back into its native format for reading, for example, from EBCDIC to ASCII. By providing translation services, the Presentation layer ensures that the data transferred from one system's Application layer can be read and understood by the Application layer on another's. The OSI has protocol standards that define how standard data should be formatted. Tasks like data compression, decompression, encryption, and decryption are all associated with this layer. Some Presentation layer standards are even involved in multimedia operations.

The Session Layer

The Session layer is responsible for setting up, managing, and then tearing down sessions between Presentation layer entities. This layer also provides dialog control between devices, or nodes. It coordinates communication between systems and serves to organize their communication by offering three different modes: simplex, half duplex, and full duplex. To sum up, the Session layer basically keeps applications' data separate from other applications' data.

The Transport Layer

The Transport layer segments and reassembles data into a data stream.
Services located in the Transport layer handle data from upper-layer applications and unite it onto the same data stream. They provide end-to-end data transport services and can establish a logical connection between the sending host and destination host on an internetwork. The Transport layer is responsible for providing the mechanisms for multiplexing upper-layer applications, establishing virtual connections, and tearing down virtual circuits. It also hides the many and sundry details of any network-dependent information from the higher layers, facilitating data transfer. We'll cover Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) thoroughly in Chapter 6, but if you're already familiar with them, you know that they both work at the Transport layer. You also know that TCP is a reliable service and UDP is not. These two protocols give application developers more options because they have a choice between them when they're working with TCP/IP protocols. The term reliable networking relates to the Transport layer and means that acknowledgments, sequencing, and flow control will be used. The Transport layer can be connectionless or connection-oriented, but it's especially important for you to really understand the connection-oriented portion of the Transport layer. So let's take some time to delve into the connection-oriented (reliable) protocol of the Transport layer now.

Connection-Oriented Communication

Before a transmitting host starts to send segments down the model, the sender's TCP process contacts the destination's TCP process to establish a connection. The resulting creation is known as a virtual circuit. This type of communication is called connection-oriented.
During this initial handshake, the two TCP processes also agree on the amount of information that will be sent in either direction before the respective recipient's TCP sends back an acknowledgment. With everything agreed on in advance, the path is paved for reliable communication to take place.

Figure 2.4 depicts a typical reliable session taking place between sending and receiving systems. Both of the hosts' application programs begin by notifying their individual operating systems that a connection is about to be initiated. The two operating systems communicate by sending messages over the network confirming that the transfer is approved and that both sides are ready for it to take place. After all of this required synchronization occurs, a connection is fully established and the data transfer begins. This virtual circuit setup is called overhead.

FIGURE 2.4 Establishing a connection-oriented session (Sender to Receiver: SYN; Receiver to Sender: SYN/ACK; Sender to Receiver: ACK; connection established; data transfer, sending bytes of segments)

While the information is being transferred between hosts, the two machines periodically check in with each other, communicating through their protocol software to ensure that all is going well and that data is being received properly.

Let me sum up the steps in the connection-oriented session—the three-way handshake—pictured in Figure 2.4:

1. The first "connection agreement" segment is a request for synchronization.
2. The next segments acknowledge the request and establish connection parameters—the rules—between hosts. These segments request that the receiver's sequencing is synchronized here as well so that a bidirectional connection is formed.
3. The final segment is also an acknowledgment. It notifies the destination host that the connection agreement has been accepted and that the connection has been established. Data transfer can now begin.
I know I went into a lot of detail about this connection setup, and I did that so you would have a really clear picture of how it works. You can refer to this entire process as "the three-way handshake" I already mentioned, known as SYN, SYN/ACK, ACK, or synchronize, synchronize-acknowledgment, acknowledgment.

That sounds pretty simple, but things don't always flow so well. Sometimes congestion can occur during a transfer because a high-speed computer is generating data traffic a lot faster than the network can handle transferring it. A bunch of computers simultaneously sending datagrams through a single gateway or to a destination can also clog things up. In the latter case, a gateway or destination can become congested even though no single source caused the problem. Either way, the problem is like a freeway bottleneck—too much traffic for too small a capacity. It's not usually one car that's the problem; it's that there are just too many cars on that particular route.

Flow Control

Data integrity is ensured at the Transport layer by maintaining flow control and by allowing users to request reliable data transport between systems. Flow control provides a means for the receiver to govern the amount of data sent by the sender. It prevents a sending host on one side of the connection from overflowing the buffers in the receiving host—an event that can result in lost data. Reliable data transport employs a connection-oriented communications session between systems, and the protocols involved ensure that the following will be achieved:

1. The segments delivered are acknowledged back to the sender upon their reception.
2. Any segments not acknowledged are retransmitted.
3. Segments are sequenced back into their proper order upon arrival at their destination.
4. A manageable data flow is maintained in order to avoid congestion, overloading, and data loss.
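As an added example (not from the book), here is a small Python model of the three-way handshake just described: each side synchronizes its sequence number and learns the other's window before any data moves, and a SYN/ACK that does not acknowledge the sender's own ISN + 1 is discarded instead of establishing a circuit. The Host and Segment classes, the initial sequence numbers, and the window sizes are constructed for this example; real TCP picks its ISNs unpredictably.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One TCP segment, reduced to the fields the handshake needs (constructed model)."""
    src: str
    dst: str
    seq: int                # sequence number carried by this segment
    ack: int = 0            # acknowledgment number; meaningful only when ack_flag is set
    syn: bool = False
    ack_flag: bool = False
    window: int = 0         # bytes the sender is prepared to receive before an ACK

    def flags(self):
        return "/".join(n for n, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on)


@dataclass
class Host:
    """A TCP endpoint with just enough state to run the handshake."""
    name: str
    isn: int                  # initial sequence number this host chooses (constructed, not random)
    rcv_window: int           # receive buffer it advertises to the peer
    state: str = "CLOSED"
    snd_nxt: int = 0          # next sequence number this host will send
    rcv_nxt: int = 0          # next sequence number it expects from the peer
    peer_window: int = 0      # window agreed during the handshake
    errors: list = field(default_factory=list)

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer):
        """Step 1: request synchronization (SYN). The SYN itself consumes one sequence number."""
        self.state = "SYN_SENT"
        self.snd_nxt = self.isn + 1
        return Segment(self.name, peer, seq=self.isn, syn=True, window=self.rcv_window)

    def receive(self, seg):
        """Process one segment; return the reply, or None when nothing needs to be sent."""
        if self.state == "LISTEN" and seg.syn and not seg.ack_flag:
            # Step 2: acknowledge the SYN and synchronize our own sequence number (SYN/ACK).
            self.rcv_nxt = seg.seq + 1
            self.peer_window = seg.window
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RCVD"
            return Segment(self.name, seg.src, seq=self.isn, ack=self.rcv_nxt,
                           syn=True, ack_flag=True, window=self.rcv_window)
        if self.state == "SYN_SENT" and seg.syn and seg.ack_flag:
            # Step 3: the SYN/ACK must acknowledge exactly our ISN + 1. Anything else is not a
            # reply to our SYN, so it is logged and dropped rather than establishing a circuit.
            if seg.ack != self.snd_nxt:
                self.errors.append(f"{self.name}: SYN/ACK acks {seg.ack}, expected {self.snd_nxt}")
                return None
            self.rcv_nxt = seg.seq + 1
            self.peer_window = seg.window
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, seq=self.snd_nxt, ack=self.rcv_nxt,
                           ack_flag=True, window=self.rcv_window)
        if self.state == "SYN_RCVD" and seg.ack_flag and not seg.syn:
            if seg.ack != self.snd_nxt:
                self.errors.append(f"{self.name}: ACK acks {seg.ack}, expected {self.snd_nxt}")
                return None
            self.state = "ESTABLISHED"       # connection agreement accepted on this side too
            return None
        self.errors.append(f"{self.name}: unexpected {seg.flags()} segment in state {self.state}")
        return None


def three_way_handshake(client, server):
    """Run SYN, SYN/ACK, ACK between the two hosts and return the segments seen on the wire."""
    server.listen()
    wire = []
    seg = client.connect(server.name)
    while seg is not None:
        wire.append(seg)
        receiver = server if seg.dst == server.name else client
        seg = receiver.receive(seg)
    return wire


if __name__ == "__main__":
    sender = Host("Sender", isn=1000, rcv_window=4096)       # constructed values
    receiver = Host("Receiver", isn=5000, rcv_window=8192)
    for s in three_way_handshake(sender, receiver):
        print(f"{s.src} -> {s.dst}: {s.flags():7} seq={s.seq} ack={s.ack} win={s.window}")
    print(sender.state, receiver.state, "peer windows:", sender.peer_window, receiver.peer_window)
```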
Okay, so what happens when a machine receives a flood of datagrams too quickly for it to process? It stores them in a memory section called a buffer. But this buffering tactic can only solve the problem if the datagrams are part of a small burst. If not, and the datagram deluge continues, a device's memory will eventually be exhausted, its flood capacity will be exceeded, and it will react by discarding any additional datagrams that arrive, like a dam spilling over!

This sounds pretty bad, and it would be if it weren't for the transport function network flood-control systems that actually work really well. But how? Well, instead of just dumping resources and allowing data to be lost, the transport can issue a "not ready" indicator to the sender, or source, of the flood, as shown in Figure 2.5. This mechanism works kind of like a stoplight, signaling the sending device to stop transmitting segment traffic to its overwhelmed peer. After the peer machine's receiver processes the segments abounding in its memory reservoir (its buffer), it sends out a "ready" transport indicator. When the machine waiting to transmit the rest of its datagrams receives this "go" indicator, it resumes its transmission.

FIGURE 2.5 Transmitting segments with flow control (Sender transmits; Receiver's buffer fills and it signals "Not ready – STOP!"; Receiver processes the buffered segments and signals "GO!"; Sender resumes transmitting)

During fundamental, reliable, connection-oriented data transfer, datagrams are delivered to the receiving host in exactly the same sequence they're transmitted. So if any data segments are lost, duplicated, or damaged along the way, a failure notice is transmitted. This error is corrected by making sure the receiving host acknowledges it has received each and every data segment, and in the correct order.
To summarize, a service is considered connection-oriented if it has the following characteristics:

■ A virtual circuit is set up (such as a three-way handshake).
■ It uses sequencing.
■ It uses acknowledgments.
■ It uses flow control.

Windowing

Ideally, data throughput happens quickly and efficiently. And as you can imagine, it would be slow if the transmitting machine had to wait for an acknowledgment after sending each segment. But because time is available after the sender transmits the data segment and before it finishes processing acknowledgments from the receiving machine, the sender uses the break as an opportunity to transmit more data. The quantity of data segments (measured in bytes) that the transmitting machine is allowed to send without receiving an acknowledgment is represented by something called a window.

Windows are used to control the amount of outstanding, unacknowledged data segments. It's important to understand that the size of the window controls how much information is transferred from one end to the other. Although some protocols quantify information by observing the number of packets, TCP/IP measures it by counting the number of bytes.

Figure 2.6 illustrates two window sizes—one set to 1 and one set to 3. In this simplified example, both the sending and receiving machines are workstations. When you've configured a window size of 1, the sending machine waits for an acknowledgment for each data segment it transmits before transmitting another. If you've configured a window size of 3, the sending machine is allowed to transmit three data segments before an acknowledgment is received. In reality, the window size actually delimits the number of bytes that can be sent at a time. If a receiving host fails to receive all the segments that it should acknowledge, the host can improve the communication session by decreasing the window size.
FIGURE 2.6 Windowing (Window size of 1: Send 1, Receive 1, ACK 1, Send 2, Receive 2, ACK 2. Window size of 3: Send 1, Send 2, Send 3, ACK 4, Send 4)

Acknowledgments

Reliable data delivery ensures the integrity of a data stream being sent from one machine to the other through a fully functional data link. It guarantees that the data won't be duplicated or lost. This is achieved through something called positive acknowledgment with retransmission—a technique that requires a receiving machine to communicate with the transmitting source by sending an acknowledgment message back to the sender when it receives data. The sender documents each segment it sends and waits for this acknowledgment before sending the next segment. When it sends a segment, the transmitting machine starts a timer and retransmits if it expires before an acknowledgment is returned from the receiving end.

In Figure 2.7, the sending machine transmits segments 1, 2, and 3. The receiving node acknowledges it has received them by requesting segment 4. When it receives the acknowledgment, the sender then transmits segments 4, 5, and 6. If segment 5 doesn't make it to the destination, the receiving node acknowledges that event with a request for the segment to be resent. The sending machine will then resend the lost segment and wait for an acknowledgment, which it must receive in order to move on to the transmission of segment 7.

The Transport layer doesn't need to use a connection-oriented service. That choice is up to the application developer. It's safe to say that if you're connection-oriented, meaning that you've created a virtual circuit, you're using TCP. If you aren't setting up a virtual circuit, then you're using UDP and are considered connectionless.
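The windowing and positive-acknowledgment-with-retransmission behaviour described in the last two sections, as an added Python simulation that is not part of the book: the sender keeps up to `window` segments outstanding, the receiver's ACK names the next segment it expects (as in Figure 2.7), an unacknowledged segment is resent when its timer expires, and a segment that is never acknowledged raises the "failure notice" instead of looping forever. The function and parameter names are this example's own; segment numbering and loss patterns are constructed.

```python
class TransferFailed(Exception):
    """Raised when a segment is never acknowledged: the 'failure notice' case."""


def reliable_transfer(num_segments, window, lost_once=(), lost_always=(), max_retries=3):
    """Simulate a windowed, acknowledged transfer of segments 1..num_segments.

    window      - how many segments may be outstanding (unacknowledged) at once
    lost_once   - segments dropped the first time they are sent, delivered on resend
    lost_always - segments dropped every time (to show the retry limit firing)
    Returns (trace, retransmissions), where trace lists every Send/Resend/ACK event.
    """
    if window < 1:
        raise ValueError("window must allow at least one outstanding segment")
    lost_once = set(lost_once)
    lost_always = set(lost_always)
    received = set()        # segments the receiver currently holds
    retries = {}            # segment -> number of retransmissions so far
    trace = []
    retransmissions = 0
    base = 1                # oldest segment the sender has not seen acknowledged
    next_seq = 1            # next new segment the sender may transmit

    def transmit(seq, resend=False):
        label = "Resend" if resend else "Send"
        if seq in lost_always or seq in lost_once:
            lost_once.discard(seq)
            trace.append(f"{label} {seq} (lost)")
        else:
            received.add(seq)
            trace.append(f"{label} {seq}")

    while base <= num_segments:
        sent_new = False
        # Fill the window: send new segments until `window` are outstanding or data runs out.
        while next_seq <= num_segments and next_seq < base + window:
            transmit(next_seq)
            next_seq += 1
            sent_new = True
        if not sent_new:
            # Window full (or all data sent) and the oldest segment still unacknowledged:
            # its retransmission timer expires and only that segment is sent again.
            retries[base] = retries.get(base, 0) + 1
            if retries[base] > max_retries:
                raise TransferFailed(f"segment {base} unacknowledged after {max_retries} retries")
            retransmissions += 1
            transmit(base, resend=True)
        # Receiver: the ACK names the first segment it has not yet received (cumulative ACK).
        ack = base
        while ack in received:
            ack += 1
        trace.append(f"ACK {ack}")
        base = ack
    return trace, retransmissions


if __name__ == "__main__":
    # Figure 2.6, window size 1 and window size 3 with nothing lost
    print(reliable_transfer(2, 1))
    print(reliable_transfer(4, 3))
    # Figure 2.7: six segments, window 3, segment 5 lost once
    for event in reliable_transfer(6, 3, lost_once={5})[0]:
        print(event)
```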
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are protocols that work at the Transport layer and will be covered in detail in Chapter 6.

FIGURE 2.7 Transport layer reliable delivery (Sender holds segments 1 through 6. Send 1, Send 2, Send 3; ACK 4. Send 4, Send 5 (connection lost!), Send 6; ACK 5. Send 5 again; ACK 7.)

Devices Used in an Internetwork

The following network devices operate at all seven layers of the OSI model:

■ Network management stations (NMSs)
■ Web and application servers
■ Gateways (not default gateways)
■ Network hosts

Several devices operate primarily at the Physical layer of the OSI model. These devices manipulate mainly the physical aspects of a network data stream—things like voltages, signal direction, and signal strength. The following four devices are the most popular and will be detailed in Chapter 5, "Networking Devices":

■ Network Interface Cards (NICs)
■ Transceivers
■ Repeaters
■ Hubs

The Network Layer

The Network layer manages logical device addressing, tracks the location of devices on the network, and determines the best way to move data. This means that the Network layer must transport traffic between devices that aren't locally attached. Routers are Layer 3 devices that are specified at the Network layer and provide the routing services within an internetwork.

It happens like this: First, when a packet is received on a router interface, the destination IP address is checked. If the packet isn't destined for that particular router, the router looks up the destination network address in the routing table. Once the router chooses an exit interface, the packet is sent to that interface to be framed and sent out on the local network. If the router can't find an entry for the packet's destination network in the routing table, the router drops the packet.
Two types of packets are used at the Network layer:

Data Packets These are used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols. Two examples of routed protocols are Internet Protocol (IP) and Internet Protocol version 6 (IPv6), which you'll learn all about coming up in Chapter 7, "IP Addressing."

Route-Update Packets These are used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols that send route-update packets are called routing protocols, and some common ones are Routing Information Protocol (RIP), RIPv2, Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF). Route-update packets are used to help build and maintain routing tables on each router.

Figure 2.8 pictures a routing table. The routing table used by a router includes the following information:

FIGURE 2.8 Routing table used in a router (two routers joined by their S0 interfaces over network 2.0, addresses 2.1 and 2.2; the left router's E0 attaches network 1.0 with hosts 1.1, 1.2, and 1.3; the right router's E0 attaches network 3.0 with hosts 3.1, 3.2, and 3.3)

Left router's routing table:
NET  INT  Metric
1    E0   0
2    S0   0
3    S0   1

Right router's routing table:
NET  INT  Metric
1    S0   1
2    S0   0
3    E0   0

Network Addresses These are protocol-specific network addresses. A router must maintain a routing table for individual routing protocols because each routing protocol keeps track of a network that includes different addressing schemes, like IP and IPv6. Think of it as a street sign in each of the different languages spoken by the residents who live on a particular street. If there were American, Spanish, and French folks on a street named Cat, the sign would read Cat/Gato/Chat.

Interface This is the exit interface a packet will take when destined for a specific network.

Metric This value equals the distance to the remote network. Different routing protocols use different ways of computing this distance.
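The forwarding decision described above (check the destination network, pick the exit interface, drop the packet when there is no entry), run over the two routing tables of Figure 2.8, as an added Python example that is not from the book. It also keeps the lower metric when two routes reach the same network and, going a little beyond the text, cuts off a routing loop with a hop limit the way the IP TTL does. The Route, Router, and trace_path names and the 'net.host' address style are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    net: int           # destination network number (the NET column in Figure 2.8)
    interface: str     # exit interface (the INT column)
    metric: int        # distance to that network (the Metric column)


class Router:
    """One router and its routing table, keyed by destination network."""

    def __init__(self, name):
        self.name = name
        self.table = {}        # net -> Route
        self.dropped = []      # destinations that had no route, kept for troubleshooting

    def learn(self, route):
        """Install a route; if the network is already known, keep the lower metric."""
        current = self.table.get(route.net)
        if current is None or route.metric < current.metric:
            self.table[route.net] = route

    def lookup(self, dest):
        """Exit interface for a 'net.host' address, or None when the table has no entry."""
        net = int(dest.split(".")[0])
        route = self.table.get(net)
        return None if route is None else route.interface


def build_figure_2_8():
    """The two routers and routing tables shown in Figure 2.8."""
    left, right = Router("Left"), Router("Right")
    for r in (Route(1, "E0", 0), Route(2, "S0", 0), Route(3, "S0", 1)):
        left.learn(r)
    for r in (Route(1, "S0", 1), Route(2, "S0", 0), Route(3, "E0", 0)):
        right.learn(r)
    return left, right


def trace_path(dest, start, links, max_hops=16):
    """Forward a packet router by router and return the decisions made along the way.

    `links` maps (router name, interface) to the router at the far end of that link; an
    interface with no entry is a LAN, so the packet is delivered there.  The hop limit
    plays the role of the IP TTL: a routing loop is cut off instead of circulating forever.
    """
    hops = []
    router = start
    for _ in range(max_hops):
        exit_if = router.lookup(dest)
        if exit_if is None:
            router.dropped.append(dest)
            hops.append(f"{router.name}: no route to {dest}, packet dropped")
            return hops
        hops.append(f"{router.name} -> {exit_if}")
        nxt = links.get((router.name, exit_if))
        if nxt is None:
            hops.append(f"delivered on {router.name} {exit_if} LAN")
            return hops
        router = nxt
    hops.append("hop limit exceeded, packet dropped")
    return hops


if __name__ == "__main__":
    left, right = build_figure_2_8()
    links = {("Left", "S0"): right, ("Right", "S0"): left}   # the serial link, network 2
    print(trace_path("3.3", left, links))     # host 1.2 sending to host 3.3
    print(trace_path("4.1", left, links))     # no entry for network 4: dropped
    print("dropped at Left:", left.dropped)
```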
I'll cover routing protocols in Chapter 9, "Introduction to IP Routing." For now, just know that some routing protocols, namely RIP, use something called a hop count—the number of routers a packet passes through en route to a remote network. Other routing protocols alternatively use bandwidth, delay of the line, and even something known as a tick count, which equals 1/18 of a second, to make routing decisions.

Routers break up broadcast domains, which means that by default, broadcasts aren't forwarded through a router. This is a good thing because it reduces traffic on the network. Routers also break up collision domains, but this can be accomplished using Layer 2 (Data Link layer) switches as well.

Broadcast and collision domains will be covered in detail in Chapter 5. For now, just remember that routers break up broadcast domains and switches break up collision domains.

Because each interface in a router represents a separate network, it must be assigned unique network identification numbers, and each host on the network connected to that router must use the same network number. Figure 2.9 demonstrates how a router works within an internetwork.

FIGURE 2.9 A router in an internetwork (a router with interfaces FastEthernet0/0, FastEthernet0/1, and Serial0; Serial0 connects to WAN services and the Internet. Each router interface is a broadcast domain. Routers break up broadcast domains by default and provide WAN services.)

Here are some key points about routers that you really should commit to memory:

■ Routers, by default, won't forward any broadcast or multicast packets.
■ Routers use the logical address in a Network layer header to determine the next-hop router to forward the packet to.
■ Routers can use access lists, created by an administrator, to control security on the types of packets that are allowed to enter or exit an interface.
■ Routers can provide Layer 2 bridging functions if needed and can simultaneously route through the same interface.
■ Layer 3 devices (routers, in this case) provide connections between virtual LANs (VLANs).
■ Routers can provide quality of service (QoS) for specific types of network traffic.

A router can also be referred to as a Layer 3 switch. These terms are interchangeable.

The Data Link Layer

The Data Link layer provides the physical transmission of the data and handles error notification, network topology, and flow control. This means the Data Link layer ensures that messages are delivered to the proper device on a LAN using hardware (MAC) addresses and translates messages from the Network layer into bits for the Physical layer to transmit.

The Data Link layer formats the message into pieces, each called a data frame, and adds a customized header containing the destination and source hardware address. This added information forms a sort of capsule that surrounds the original message in much the same way that engines, navigational devices, and other tools were attached to the lunar modules of the Apollo project. These various pieces of equipment were useful only during certain stages of flight and were stripped off the module and discarded when their designated stage was complete. This is a great analogy for data traveling through networks because it works very similarly.

It's important for you to understand that routers, which work at the Network layer, don't care about where a particular host is located. They're only concerned about where networks are located and the best way to reach them—including remote ones. Routers are totally obsessive when it comes to networks, and in this instance, obsession is a good thing! The Data Link layer is responsible for the unique identification of each device that resides on a local network.
For a host to send packets to individual hosts on a local network as well as transmit packets between routers, the Data Link layer uses hardware addressing. Each time a packet is sent between routers, it's framed with control information at the Data Link layer. However, that information is stripped off at the receiving router, and only the original packet is left completely intact. This framing of the packet continues for each hop until the packet is finally delivered to the correct receiving host. It's important to understand that the packet itself is never altered along the route; it's only encapsulated with the type of control information required for it to be properly passed on to the different media types.

Figure 2.10 shows the Data Link layer with the Ethernet and Institute of Electrical and Electronics Engineers (IEEE) specifications. When you check it out, notice that the IEEE 802.2 standard is not only used in conjunction with the other IEEE standards, it also adds functionality to those standards.

FIGURE 2.10 Data Link layer (Logical Link Control (LLC) sublayer: 802.2; Media Access Control (MAC) sublayer: 802.3, 802.5)

The IEEE Ethernet Data Link layer has two sublayers:

Media Access Control (MAC) Defines how packets are placed on the media. Contention media access is "first come, first served" access, where everyone shares the same bandwidth—hence the name. Physical addressing is defined here, as are logical topologies. What's a logical topology? It's the signal path through a physical topology. Line discipline, error notification (not correction), ordered delivery of frames, and optional flow control can also be used at this sublayer.

Logical Link Control (LLC) Responsible for identifying Network layer protocols and then encapsulating them, an LLC header tells the Data Link layer what to do with a packet once a frame is received.
It works like this: A host receives a frame and looks in the LLC header to find out where the packet is destined—say, the IP protocol at the Network layer. The LLC can also provide flow control and sequencing of control bits.

Project 802

One of the major components of the Data Link layer is the result of the IEEE's 802 subcommittees and their work on standards for local area and metropolitan area networks (LANs/MANs). The committee met in February 1980, so they used the 80 from 1980 and the 2 from the second month to create the name Project 802. The designation for an 802 standard always includes a dot (.) followed by either a single or a double digit. These numeric digits specify particular categories within the 802 standard. These standards are listed in the following table.

Standard  Topic
802.1     LAN/MAN Management (and Media Access Control Bridges)
802.2     Logical Link Control
802.3     CSMA/CD (Ethernet)
802.4     Token Passing Bus
802.5     Token Passing Ring
802.6     Distributed Queue Dual Bus (DQDB) Metropolitan Area Network (MAN)
802.7     Broadband Local Area Networks
802.8     Fiber-Optic LANs and MANs
802.9     Isochronous LANs
802.10    LAN/MAN Security
802.11    Wireless LAN
802.12    Demand Priority Access Method
802.15    Wireless Personal Area Network
802.16    Wireless Metropolitan Area Network (also called WiMAX)
802.17    Resilient Packet Ring
802.18    LAN/MAN Standards Committee

From this list in the sidebar, "Project 802," you just need to remember that 802.3 calls out anything having to do with Ethernet and 802.11 is anything wireless.

The Physical Layer

Finally, we're hitting bottom. Well, not in a bad way—we've now arrived at the Physical layer, which does two important things: it sends bits and receives bits. Bits come only in values of 1 or 0—a Morse code with numerical values. The Physical layer communicates directly with the various types of actual communication media.
Different kinds of media represent these bit values in different ways. Some use audio tones, and others employ state transitions—changes in voltage from high to low and low to high. Specific protocols are needed for each type of media to describe the proper bit patterns to be used, how data is encoded into media signals, and the various qualities of the physical media's attachment interface.

The Physical layer specifies the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating a physical link between end systems. This layer is also where you identify the interface between the data terminal equipment (DTE) and the data communication equipment (DCE). (Some older phone company employees still call DCE data circuit-terminating equipment.) The DCE is usually located at the customer whereas the DTE is the attached device. The services available to the DTE are most often accessed via the DCE device, which is a modem or channel service unit/data service unit (CSU/DSU).

The Physical layer's connectors and different physical topologies are defined by the standards, allowing disparate systems to communicate.

Finally, the Physical layer specifies the layout of the transmission media, otherwise known as its topology. A physical topology describes the way the cabling is physically laid out, as opposed to the logical topology that we just talked about in "The Data Link Layer" section. The various physical topologies include Bus, Star, Ring, and Mesh, and were described in Chapter 1, "Introduction to Networks."

Introduction to Encapsulation

When a host transmits data across a network to another device, the data goes through encapsulation: It's wrapped with protocol information at each layer of the OSI model. Each layer communicates only with its peer layer on the receiving device.
To communicate and exchange information, each layer uses Protocol Data Units (PDUs). These hold the control information attached to the data at each layer of the model. They're usually attached to the header in front of the data field but can also be in the trailer, or end, of it.

At a transmitting device, the data-encapsulation method works like this:

1. User information is converted to data for transmission on the network.
2. Data is converted to segments, and a reliable connection is set up between the transmitting and receiving hosts.
3. Segments are converted to packets or datagrams, and a logical address is placed in the header so each packet can be routed through an internetwork. A packet carries a segment of data.
4. Packets or datagrams are converted to frames for transmission on the local network. Hardware (Ethernet) addresses are used to uniquely identify hosts on a local network segment. Frames carry packets.
5. Frames are converted to bits, and a digital encoding and clocking scheme is used.

Figure 2.11 shows how user data is encapsulated at a transmitting host.

FIGURE 2.11 Data encapsulation

Layer                                 PDU      Contents
Application / Presentation / Session  (none)   Upper-Layer Data
Transport                             Segment  TCP Header | Upper-Layer Data
Network                               Packet   IP Header | Segment
Data Link                             Frame    LLC Header | Packet | FCS, then MAC Header | Packet | FCS
Physical                              Bits     0101110101001000010

After you learn more foundational material about networking in the next few chapters, I'll come back to the encapsulation method and discuss it in a lot more detail in Chapter 6.

Modulation Techniques

In networks, modulation is the process of varying one or more properties of a waveform, called the carrier signal, with a signal that typically contains information to be transmitted.
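Steps 2 through 5 of the encapsulation method, and the matching strip-off on the receiving side, as an added Python example (not from the book): each layer prepends its header to the PDU it was handed, the Data Link layer also appends an FCS trailer, and the receiver checks that trailer before unwrapping anything, so a frame damaged in transit is rejected. The header layouts here are simplified stand-ins chosen for this example, not the real TCP, IP, or Ethernet formats, and all addresses and ports are constructed sample values.

```python
import ipaddress
import struct
import zlib

# Simplified header layouts for this example (constructed; not the real TCP/IP/Ethernet formats)
TCP_HDR = "!HHI"      # source port, destination port, sequence number      (8 bytes)
IP_HDR = "!4s4s"      # source IPv4 address, destination IPv4 address        (8 bytes)
MAC_HDR = "!6s6sH"    # destination MAC, source MAC, EtherType               (14 bytes)
FCS = "!I"            # frame check sequence: CRC-32 over header + payload, in the trailer


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def encapsulate(data, src_port, dst_port, seq, src_ip, dst_ip, src_mac, dst_mac):
    """Transmit side, steps 2 to 5; returns every PDU so each layer's work is visible."""
    # Step 2: Transport layer adds the TCP header -> segment
    segment = struct.pack(TCP_HDR, src_port, dst_port, seq) + data
    # Step 3: Network layer adds logical addresses -> packet, routable through an internetwork
    packet = struct.pack(IP_HDR, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed) + segment
    # Step 4: Data Link layer adds hardware addresses in front and an FCS trailer behind -> frame
    body = struct.pack(MAC_HDR, mac_to_bytes(dst_mac), mac_to_bytes(src_mac), 0x0800) + packet
    frame = body + struct.pack(FCS, zlib.crc32(body))
    # Step 5: Physical layer sends the frame as a string of 1s and 0s -> bits
    bits = "".join(f"{byte:08b}" for byte in frame)
    return {"segment": segment, "packet": packet, "frame": frame, "bits": bits}


def decapsulate(bits):
    """Receive side: rebuild the frame from bits, verify the FCS, then strip one header per layer.

    Raises ValueError when the FCS does not match, which is how a damaged frame is caught
    before any of its contents are trusted.
    """
    if len(bits) % 8 != 0 or set(bits) - {"0", "1"}:
        raise ValueError("bit stream is not a whole number of bytes")
    frame = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    body, trailer = frame[:-4], frame[-4:]
    if struct.unpack(FCS, trailer)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst_mac, src_mac, ethertype = struct.unpack(MAC_HDR, body[:14])   # Data Link header off
    packet = body[14:]
    src_ip, dst_ip = struct.unpack(IP_HDR, packet[:8])                # Network header off
    segment = packet[8:]
    src_port, dst_port, seq = struct.unpack(TCP_HDR, segment[:8])     # Transport header off
    return {
        "dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac), "ethertype": ethertype,
        "src_ip": str(ipaddress.IPv4Address(src_ip)), "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "data": segment[8:],
    }


if __name__ == "__main__":
    pdus = encapsulate(b"hello", src_port=40000, dst_port=80, seq=1001,     # constructed values
                       src_ip="10.0.0.5", dst_ip="10.0.1.9",
                       src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb")
    for name in ("segment", "packet", "frame"):
        print(f"{name:8} {len(pdus[name]):3} bytes  {pdus[name].hex()}")
    print("bits    ", pdus["bits"][:32], "...")
    print(decapsulate(pdus["bits"]))
```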
Modulation of a waveform transforms a baseband (Ethernet or wireless) message signal into a passband signal (a passband [a band-pass filtered signal] is the range of frequencies or wavelengths that can pass through a filter without being attenuated). In current networks, modulation takes a digital or analog signal and puts it in another signal that can be physically transmitted. A modulator is a device that performs modulation of a signal and a demodulator is a device that performs demodulation, the inverse of modulation. We typically just call these modems (from modulator–demodulator), which can perform both operations.

The purpose of digital modulation is to transfer a digital bit stream over an analog bandpass channel. (A good example would be data transmitting over the public switched telephone network, where a bandpass filter limits the frequency range to 300–3400 Hz, or over a limited radio frequency band.) The purpose of an analog modulation is to transfer an analog baseband (or lowpass) signal (for example, an audio signal, wireless network, or TV signal) over an analog bandpass channel at a different frequency.

Analog and digital modulation use something called frequency-division multiplexing (FDM), where several low-pass information signals are transferred simultaneously over the same shared physical network, using separate passband channels (several different frequencies).

The digital baseband modulation methods found in our Ethernet networks, also known as line coding, are used to transfer a digital bit stream over a baseband channel. Baseband means that the signal being modulated uses the complete available bandwidth.

Time-division multiplexing (TDM) is a method of transmitting and receiving many independent signals over a common signal path by means of synchronized network devices at each end of the transmission line so that each signal appears on the line only a fraction of the time in an alternating pattern.
The receiving end demultiplexes the signal back to its original form.

Summary

You're now armed with a ton of fundamental information. You're set to build on it and are well on your way to certification. Let's take a minute to go over what you've learned in this chapter.

We started by discussing internetworking models and the advantages of having them. I then discussed the OSI model—the seven-layer model used to help application developers design applications that can run on any type of system or network. Each layer has its special jobs and select responsibilities within the model to ensure that solid, effective communications do, in fact, occur. I provided you with complete details of each layer and discussed how you need to view the specifications of the OSI model.

I also discussed the encapsulation method used in networking. Encapsulation is a highly important concept to understand, and I'll continue to discuss it throughout this book.

This chapter finished with a brief introduction to modulation of digital and analog signals.

Exam Essentials

Remember the OSI layers. You absolutely must remember and understand the seven layers of the OSI model as well as what function each layer provides. The Application, Presentation, and Session layers are upper layers and are responsible for communicating from a user interface to an application. The Transport layer provides segmentation, sequencing, and virtual circuits. The Network layer provides logical network addressing and routing through an internetwork. The Data Link layer provides framing and placing of data on the network medium. The Physical layer is responsible for taking 1s and 0s and encoding them into a digital signal for transmission on the network segment.

Know the sublayers of the Data Link layer.
In addition to the OSI layers, knowing the only layer that has sublayers and the functions of those sublayers is extremely important. The Data Link layer has two sublayers: LLC and MAC. The LLC sublayer is responsible primarily for the multiplexing of Network layer protocols. The MAC sublayer is responsible for physical addressing and determining the appropriate time to place data on the network.

Know the devices that operate at each layer of the OSI model. Hubs and repeaters see only bits, making them Layer 1 devices. Because all networking devices have physical connectivity to the network, they all operate at Layer 1, but hubs and repeaters operate only at this layer, whereas other devices work in higher layers. Nevertheless, we generally consider that a device operates at the highest layer it supports; that layer's functionality is the main reason we implement the device on the network. For example, switches and bridges are considered Layer 2 devices because they understand and make decisions based on Layer 2 addresses. Routers are Layer 3 devices for a similar reason; they deal with Layer 3 addresses. Networking devices, such as workstations that run applications, are said to operate at the Application layer (or you may hear that they operate at all layers) because they must include Application layer protocols that offer services to networked applications.

Written Lab

You can find the answers in Appendix A.

1. Which layer chooses and determines the availability of communicating partners along with the resources necessary to make the connection, coordinates partnering applications, and forms a consensus on procedures for controlling data integrity and error recovery?
2. Which layer is responsible for converting frames from the Data Link layer into electrical signals?
3. At which layer is routing implemented, enabling connections and path selection between two end systems?
4. Which layer defines how data is formatted, presented, encoded, and converted?
5. Which layer is responsible for creating, managing, and terminating sessions between applications?
6. Which layer manages the transmission of data across a physical link and is primarily concerned with physical addressing and the ordered delivery of frames?
7. Which layer is used for reliable communication between end nodes over the network and provides mechanisms for establishing, maintaining, and terminating virtual circuits as well as controlling the flow of information?
8. Which layer provides logical addressing that routers use for path determination?
9. Which layer specifies voltage, wire speed, and connector pin-outs and moves bits between devices?
10. Which layer combines bits into bytes and bytes into frames and uses MAC addressing?

Review Questions

You can find the answers in Appendix B.

1. Host 1 sent a SYN packet to Host 2. What will Host 2 send in response?
A. ACK
B. NAK
C. SYN/ACK
D. SYN/NAK
E. SYN

2. TCP and UDP reside at which layer of the OSI model?
A. 1
B. 2
C. 3
D. 4

3. Which layer of the OSI model provides a user interface in the form of an entry point for programs to access the network infrastructure?
A. Application
B. Transport
C. Network
D. Physical

4. You are connected to a server on the Internet and you click a link on the server and receive a time-out message. What layer could be the source of this message?
A. Application
B. Transport
C. Network
D. Physical

5. Which layer of the OSI model is responsible for code and character-set conversion as well as recognizing data formats?
A. Application
B. Presentation
C. Session
D. Network

6. At which layers of the OSI model do bridges, hubs, and routers primarily operate, respectively?
A. Physical, Physical, Data Link
B. Data Link, Data Link, Network
C. Data Link, Physical, Network
D. Physical, Data Link, Network

7. Which layer of the OSI model is responsible for converting data into signals appropriate for the transmission medium?
A. Application
B. Network
C. Data Link
D. Physical

8. A receiving host has failed to receive all the segments that it should acknowledge. What can the host do to improve the reliability of this communication session?
A. Send a different source port number.
B. Restart the virtual circuit.
C. Decrease the sequence number.
D. Decrease the window size.

9. Which Layer 1 devices can be used to enlarge the area covered by a single LAN segment? (Choose two.)
A. Firewall
B. NIC
C. Hub
D. Repeater
E. RJ-45 transceiver

10. Segmentation of a data stream happens at which layer of the OSI model?
A. Physical
B. Data Link
C. Network
D. Transport

11. When data is encapsulated, which is the correct order?
A. Data, frame, packet, segment, bits
B. Segment, data, packet, frame, bits
C. Data, segment, packet, frame, bits
D. Data, segment, frame, packet, bits

12. What are two purposes for segmentation with a bridge? (Choose two.)
A. To add more broadcast domains
B. To create more collision domains
C. To add more bandwidth for users
D. To allow more broadcasts for users

13. Acknowledgments, sequencing, and flow control are characteristic of which OSI layer?
A. Layer 2
B. Layer 3
C. Layer 4
D. Layer 7

14. Which of the following is true regarding sequencing and acknowledgments? (Choose all that apply.)
A. The segments delivered are acknowledged back to the sender upon their reception.
B. If a segment is not received, the virtual circuit must be restarted from the beginning at a slower transmit interval.
C. Any segments not acknowledged are retransmitted.
D. Segments are sequenced back into their proper order upon arrival at their destination.
E. All segments are retransmitted on time slot intervals.

15. What is the purpose of flow control?
A. To ensure that data is retransmitted if an acknowledgment is not received
B. To reassemble segments in the correct order at the destination device
C. To provide a means for the receiver to govern the amount of data sent by the sender
D. To regulate the size of each segment

16. At which layer of the OSI model would you find IP?
A. Transport
B. Network
C. Data Link
D. Physical

17. Of the following, which is the highest layer in the OSI model?
A. Transport
B. Session
C. Network
D. Presentation

18. Routers perform routing at which OSI layer?
A. Physical
B. Data Link
C. Network
D. Transport
E. Application

19. Which of the following mnemonic devices can you use to remember the first letter of the name of each layer of the OSI model in the proper order?
A. All People Seem To Need Processed Data.
B. Always Should People Never Threaten Dog Police.
C. Please Do Not Throw Sausage Pizza Away.
D. All Day People Should Try New Professions.

20. Which IEEE standard specifies the protocol for CSMA/CD?
A. 802.2
B. 802.3
C. 802.5
D.
802.11

Chapter 3
Networking Topologies, Connectors, and Wiring Standards

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
✓ 1.0 Network architecture
✓ 1.5 Install and properly terminate various cable types and connectors using appropriate tools
■ Copper connectors: RJ-11, RJ-45, RJ-48C, DB-9/RS-232, DB-25, UTP coupler, BNC coupler, BNC, F-connector, 110 block, 66 block
■ Copper cables: shielded vs unshielded; CAT3, CAT5, CAT5e, CAT6, CAT6a; PVC vs plenum; RG-59; RG-6; straight-through vs crossover vs rollover
■ Fiber connectors: ST, SC, LC, MTRJ, FC, fiber coupler
■ Fiber cables: single mode, multimode, APC vs UPC
■ Media converters: single mode fiber Ethernet, multimode fiber Ethernet, fiber coaxial, single mode multimode fiber
✓ 4.8 Given a scenario, troubleshoot and resolve common WAN issues
■ Customer premise equipment: smart jack/NIU, demarc, CSU/DSU
✓ 5.0 Industry standards, practices, and network theory
✓ 5.4 Given a scenario, deploy the appropriate wired connectivity standard
■ Wiring standards: EIA/TIA 568A/568B

c03.indd 04/06/2015 Page 55

The idea of connecting a bunch of computers together hasn't changed a whole lot since the mid-1980s, but how we go about doing that certainly has. Like everything else, the technologies and devices we create our networks with have evolved dramatically and will continue to do so in order to keep up with the ever-quickening pace of life and the way we do business. When you connect computers together to form a network, you want error-free, blazingly fast communication, right? Although "error-free" and reality don't exactly walk hand in hand, keeping lapses in communication to a minimum and making that communication happen really fast is definitely possible. But it isn't easy, and understanding the types of media and network topologies used in networking today will go far in equipping you to reach these goals.
So will being really knowledgeable about the array of components and devices used to control network traffic. All of these networking ingredients are the focus of this chapter. In it, I'll cover different types of networking media, discuss common topologies and devices, and compare the features they all bring to designing a solid network that's as problem free and turbocharged as possible.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book's website at http://sybextestbanks.wiley.com/.

Physical Media
A lot of us rely on wireless networking methods that work using technologies like radio frequency and infrared, but even wireless depends on a physical media backbone in place somewhere. And the majority of installed LANs today communicate via some kind of cabling, so let's take a look at the three types of popular cables used in modern networking designs:
■ Coaxial
■ Twisted-pair
■ Fiber optic

Coaxial Cable
Coaxial cable, referred to as coax, contains a center conductor made of copper that's surrounded by a plastic insulator (the dielectric) with a braided metal shield over it. An outer jacket of a plastic such as polyvinyl chloride (PVC) or fluorinated ethylene propylene (FEP, commonly known as Teflon) covers this metal shield. The Teflon-type jacket is frequently referred to as a plenum-rated coating, and it's definitely expensive but often mandated by local or municipal fire code when cable is hidden in walls and ceilings. Plenum rating applies to all types of cabling, and a plenum-rated cable is an approved substitute wherever a PVC-jacketed cable would otherwise be used. The difference between plenum and non-plenum cable comes down to how each is constructed and where you can use it.
Many large multistory buildings are designed to circulate air through the space between the ceiling of one story and the floor of the next; this space is called the plenum, and it happens to be a perfect spot to run all the cables that connect the legions of computers that live in the building. Unless there's a fire. If that happens, non-plenum cable becomes a serious hazard because its insulation gives off poisonous smoke that gets circulated throughout the whole building. Plus, non-plenum cables can actually become "wicks" for the fire, helping it spread quickly from room to room and floor to floor. Because preventing towering infernos is a great goal, the National Fire Protection Association (NFPA) demands that cables run within the plenum have been tested and certified as safe: they must be fire retardant and create little or no smoke and poisonous gas when burned. This means you absolutely can't use a non-plenum-type cable in the plenum, but it doesn't mean you can't use it in other places where it's safe. And because it's a lot cheaper, you definitely want to use it where you can.

Thin Ethernet, also referred to as thinnet or 10Base2, is a thin coaxial cable. It is basically the same as thick coaxial cable except that it's only about 5 mm (2/10 inch) in diameter. Thin Ethernet coaxial cable is RG-58 (the RG prefix comes from the old military "Radio Guide" cable specifications). Figure 3.1 shows an example of thinnet. The cable itself looks much like the coax used for cable TV, but cable-TV coax is terminated with a screw-on F connector rather than the BNC connector thinnet uses.

Figure 3.1: A stripped-back thinnet cable (plastic jacket, dielectric insulator, metallic shield, center core)

Oh, by the way, if you use thinnet cable, you've got to use BNC connectors to attach stations to the network, as shown in Figure 3.2, and you have to use 50 ohm terminating resistors at each end of the cable in order to achieve the proper performance.
Figure 3.2: Male and female BNC connectors

You don't have to know much about most coax cable types in networks anymore, especially the thinnet and thicknet types. Thicknet was known as RG-8, was about 1/2 inch in diameter, and also required 50 ohm terminating resistors on each end of the cable. Nowadays, 75 ohm coax is what we use for cable TV; using coax in the Ethernet LAN world is pretty much a thing of the past, although coax-based cabling still shows up for some high-bandwidth runs in data centers. RG-6, or CATV coax, is used in our broadband world.

You can attach a BNC connector to the cable with a crimper that looks like a weird pair of pliers and has a die to crimp the connector. A simple squeeze crimps the connector to the cable. You can also use a screw-on connector, but I avoid doing that because it's not very reliable. You can use a BNC coupler to connect two male connectors together or two female connectors together. Table 3.1 lists some specifications for the different types of coaxial cable, but understand that we use only RG-59 and RG-6 in today's world.
Table 3.1: Coaxial cable specifications

RG rating | Popular name | Ethernet implementation | Type of cable | Notes
RG-58 U | N/A | None | Solid copper |
RG-58 A/U | Thinnet | 10Base2 | Stranded copper |
RG-8 | Thicknet | 10Base5 | Solid copper |
RG-59 | Cable television | N/A | Solid copper | Low cost, short distance
RG-6 | Cable television, cable modems | N/A | Solid copper | Longer distances than RG-59; some power implementations
RG-62 | ARCnet (obsolete) | N/A | Solid/stranded |

An advantage of using coax cable is the braided shielding, which provides resistance to electronic pollution like electromagnetic interference (EMI), radio frequency interference (RFI), and other types of stray electronic signals that can make their way onto a network cable and cause communication problems.

Twisted-Pair Cable
Twisted-pair cable consists of multiple individually insulated wires that are twisted together in pairs. Sometimes a metallic shield is placed around them, hence the name shielded twisted-pair (STP). Cable without outer shielding is called unshielded twisted-pair (UTP), and it's used in twisted-pair Ethernet (10BaseT, 100BaseTX, 1000BaseT) networks.

Ethernet Cable Descriptions
Ethernet cable types are described using a code of the form N-Base-X. The N is the signaling rate in megabits per second, Base is the signaling type (baseband; the few broadband variants used Broad instead), and the X is a unique identifier for a specific Ethernet cabling scheme. Here's a common example: 100BaseTX. The 100 tells us that the transmission speed is 100 megabits per second. The X value can mean several different things; T is short for twisted-pair, and F for fiber. 100BaseTX is the standard for running 100-megabit Ethernet over two pairs (four wires) of Category 5, 5e, or 6 UTP.

So why are the wires in this cable type twisted?
Because when electromagnetic signals are conducted on copper wires in close proximity, like inside a cable, they cause interference called crosstalk. Twisting two wires together as a pair minimizes interference and even protects against interference from outside sources. This cable type is the most common today for the following reasons:
■ It's cheaper than other types of cabling.
■ It's easy to work with.
■ It allows transmission rates that were impossible 10 years ago.

UTP cable is rated in these categories:

Category 1 Two twisted wire pairs (four wires). It's the oldest type and is only voice grade; it isn't rated for data communication. People refer to it as plain old telephone service (POTS). Before 1983, this was the standard cable used throughout the North American telephone system. POTS cable still exists in parts of the Public Switched Telephone Network (PSTN) and supports signals limited to the 1MHz frequency range.

Category is often shortened to Cat. Today, any cable installed should be a minimum of Cat 5e. Some UTP is now certified to carry signals of 350MHz or beyond, which allows unshielded twisted-pair cables to exceed 1Gbps, fast enough to carry broadcast-quality video over a network.

Category 2 Four twisted wire pairs (eight wires). It handles up to 4Mbps, with a frequency limitation of 10MHz, and is now obsolete.

Category 3 Four twisted wire pairs (eight wires) with three twists per foot. This type can handle transmissions up to 16MHz. It was popular in the mid-1980s for up to 10Mbps Ethernet, but it's now limited to telecommunication equipment and, again, is obsolete for networks.

Category 4 Four twisted wire pairs (eight wires), rated for 20MHz; also obsolete.

Category 5 Four twisted wire pairs (eight wires), rated for 100MHz. But why use Cat 5 when you can use Cat 5e for the same price? I am not sure you can even buy plain Cat 5 anymore!
Category 5e (Enhanced) Four twisted wire pairs (eight wires), rated for 100MHz but with tighter limits on the crosstalk each pair sees when all four pairs transmit at the same time, which is what Gigabit Ethernet (1000BaseT) does. Any category below 5e shouldn't be used in today's network environments. Figure 3.3 shows a basic Cat 5e cable with the four wire pairs twisted to reduce crosstalk.

Figure 3.3: Cat 5e UTP cable

Category 6 Four twisted wire pairs (eight wires), rated for 250MHz. Cat 6 became a standard back in June 2002. You would usually use it as riser cable to connect floors together. If you're installing a new network in a new building, there's no reason to use anything but Category 6 UTP cabling, along with fiber runs between floors.

Category 6a (Augmented) Basic Category 6 cable has a reduced maximum length when used for 10GBaseT; Category 6a cable, or Augmented Category 6, is characterized to 500MHz and has improved crosstalk characteristics, which allows 10GBaseT to be run for up to 100 meters. The most important point is a performance difference between the Electronic Industries Alliance and Telecommunications Industry Association (EIA/TIA) component specification and the ISO/IEC one for the NEXT (near-end crosstalk) transmission parameter: at 500MHz, an ISO/IEC Cat 6a connector must suppress near-end crosstalk 3dB better than a connector that merely conforms to the EIA/TIA Cat 6A specification. Since 3dB is a factor of two in power, that is half as much crosstalk noise coupled between pairs. This is our future cable indeed!

Connecting UTP
BNC connectors won't fit very well on UTP cable, so you need to use a registered jack (RJ) connector, which you're familiar with because most telephones connect with them. The connector used with UTP cable is called RJ-11 for phones, which use four wires; RJ-45 has four pairs (eight wires), as shown in Figure 3.4.
Figure 3.4: RJ-11 and RJ-45 connectors

Figure 3.5 shows the pin-outs used in a typical RJ-45 connector. Looking at the plug from the contact side with the locking clip at the bottom, pin 1 is on the left.

Figure 3.5: The pin-outs in an RJ-45 connector, T568B standard
Pin 1: orange/white
Pin 2: orange
Pin 3: green/white
Pin 4: blue
Pin 5: blue/white
Pin 6: green
Pin 7: brown/white
Pin 8: brown

Most of the time, UTP uses RJ connectors, and you use a crimper to attach them to a cable, just as you would with BNC connectors. The only difference is that the die that holds the connector is a different shape. Higher-quality crimping tools have interchangeable dies for both types of cables.

We don't use RJ-11 for local area networks (LANs), but we do use them for our home Digital Subscriber Line (DSL) connections. RJ-11 uses two wire pairs, and RJ-45 uses four wire pairs. There's one other type of copper connector called the RJ-48c, which looks exactly like an RJ-45 connector. This plug is very similar to the RJ-45 in that it has four wire pairs, but they are wired differently and used for different circumstances. RJ-45 is mainly used in LANs over short distances (typically up to 100 meters), whereas the RJ-48c wiring type is used with a T1 connection, a long-distance wide area network (WAN) circuit. In addition, to protect the signal, an RJ-48c is typically terminated on shielded wiring, whereas the RJ-45 uses unshielded wiring.

Category 5e Cabling Tips
If you want data rates faster than 10Mbps over UTP, ensure that all components are rated to deliver this and be really careful when handling all components. If you yank on Cat 5e cable, it will stretch the twists inside the jacket, rendering the Cat 5e label on the outside of the cable invalid. Also, be certain to connect and test all four pairs of wire.
Although 10BaseT and 100BaseTX use only two pairs (four wires), the standard for Gigabit Ethernet over UTP requires that all four pairs (eight wires) be in good condition. Also be aware that a true Cat 5e cabling system uses rated components from end to end: patch cables from workstation to wall panel, cable from wall panel to patch panel, and patch cables from patch panel to hub or switch. So if any components are missing, or if the lengths don't match the Category 5e specification, you just don't have a Category 5e cabling installation. And certify that the entire installation is Category 5e compliant. I've got to warn you that doing this requires some pretty pricey test equipment to make the appropriate measurements!

Fiber-Optic Cable
Because fiber-optic cable transmits digital signals using light impulses rather than electricity, it's immune to EMI and RFI. Anyone who's seen a network's UTP cable run down an elevator shaft would definitely appreciate this fiber feature. Fiber cable allows light impulses to be carried on either a glass or a plastic core. Glass can carry the signal a greater distance, but plastic costs less. Whichever the type of core, it's surrounded by a glass or plastic cladding with a different refractive index that reflects the light back into the core. Around this is a layer of flexible plastic buffer that can be wrapped in an armor coating that's usually Kevlar, which is then sheathed in a PVC or plenum jacket. The cable itself comes in either single-mode fiber (SMF) or multimode fiber (MMF); the difference between them is in the number of light paths (modes) they can carry. Multimode fiber is most often used for shorter-distance applications and single-mode fiber for spanning longer distances. Although fiber-optic cable may sound like the solution to many problems, it has its pros and cons just like the other cable types.

Here are the pros:
■ It's completely immune to EMI and RFI.
■ It can transmit up to 40 kilometers (about 25 miles).
And here are the cons:
■ It's difficult to install.
■ It's more expensive than twisted-pair.
■ Troubleshooting equipment is more expensive than twisted-pair test equipment.
■ It's harder to troubleshoot.

Single-Mode Fiber
Single-mode fiber-optic cable (SMF) is a very high-speed, long-distance media that consists of a single strand, sometimes two strands, of glass fiber that carries the signals. Lasers are the light source used with SMF; the cheaper light-emitting diodes (LEDs) used on some multimode links can't launch a usable signal into its tiny core. The light source is transmitted from end to end and pulsed to create communication. This is the type of fiber cable employed to span really long distances because it can transmit data 50 times further than multimode fiber at a faster rate. Clearly, because the transmission media is glass, the installation of SMF can be a bit tricky. Yes, there are outer layers protecting the glass core, but the cable still shouldn't be crimped or pinched around any tight corners.

Multimode Fiber
Multimode fiber-optic cable (MMF) also uses light to communicate a signal, but with it, the light is dispersed on numerous paths as it travels through the core and is reflected back. A special material called cladding is used to line the core and focus the light back onto it. MMF provides high bandwidth at high speeds over medium distances (up to about 3,000 feet), but beyond that it can be really inconsistent. This is why MMF is most often used within a smaller area of one building; SMF can be used between buildings. MMF is available in glass or in a plastic version that makes installation a lot easier and increases the installation's flexibility.

APC vs UPC
The choice between angle-polished connectors (APCs) and ultra-polished connectors (UPCs) can make a pretty big difference in how your network will perform. The ultra-polished connector looks like what you'd expect to find on a fiber-optic end. The cut is perfectly straight, as shown in Figure 3.6.
Figure 3.6: UPC typical fiber connector end. Flat (UPC) polish; reflected light travels back down the core. Return loss = 55dB (adequate for most applications).

The angle-polished connector looks like Figure 3.7. Notice the angled cut, which seems odd, but there is a reason for this and it's a good one!

Figure 3.7: The superior APC fiber connector. 8° angled polish; reflected light is sent into the cladding. Return loss = 65dB (on the order of 0.0001 percent of the power or less reflected back; ideal for video and single-fiber applications).

Some light is always reflected where a connector face meets the fiber. With a UPC, that reflected light travels straight back down the core toward the transmitter. Return loss is the measure of how much weaker the reflection is than the launched signal; it is quoted in decibels, and a bigger number is better (55dB means roughly 3 parts in a million of the power comes back, 65dB roughly 3 parts in ten million; you'll also see the same figures written with a negative sign, as reflectance). The 8° APC face sends the reflection into the cladding, the thick glass around the core, rather than back down the core, so far less of it reaches the transmitter. Very cool design indeed!

Fiber-Optic Connectors
A whole bunch of different types of connectors are available to use with fiber-optic cables, but the two most popular are the straight tip (ST) and subscriber (or square) connector (SC). The ST fiber-optic connector (developed by AT&T) is one of the most widely used fiber-optic connectors; it uses a bayonet attachment mechanism similar to thinnet's BNC that makes connections and disconnections fairly frustration free. In fact, this is the feature that makes this connector so popular. Figure 3.8 shows an example of an ST connector. Notice the BNC-style attachment mechanism.

Figure 3.8: An example of an ST connector

The SC connector is another type of fiber-optic connector. As you can see in Figure 3.9, SC connectors are latched; a mechanism holds the connector in securely and prevents it from falling out.

Figure 3.9: A sample SC connector

SC connectors work with both single-mode and multimode optical fibers and will last for around 1,000 matings.
They're being used more now but still aren't nearly as popular as ST connectors for LAN connections.

Another type of connector I want to mention before moving on to the SFF connectors is the FC connector (ferrule connector), which isn't very popular. It's still used in telecommunications and measurement equipment with single-mode lasers, but the SC is a way more popular fiber end. The only reason I mention it here is that it is an exam objective; other than that you probably won't ever see it in production. FC connectors look much like ST connectors but screw on with a threaded coupling instead of twist-locking. You can also get a fiber coupler in order to connect an ST to an SC connector, for example, but every extra mating adds insertion loss (measured in dB), so don't do it where your power budget is tight.

Small Form Factor Fiber-Optic Connectors
Another cool fiber-optic connector is the small form factor (SFF) connector, which allows more fiber-optic terminations in the same amount of space than its standard-sized counterparts. The two most popular versions are the mechanical transfer registered jack (MT-RJ or MTRJ), designed by AMP, and the Local Connector (LC), designed by Lucent.

Should I Use Copper or Fiber?
If your data runs are measured in miles, fiber optic is your cable of choice because copper just can't give you more than about 1,500 feet without electronics regenerating the signal. The standards limit UTP to a pathetic 328 feet. Another good reason to opt for fiber is if you require high security, because it doesn't create a readable magnetic field. Although fiber-optic technology was initially super expensive and nasty to work with, it's now commonly used for Gigabit or 10-Gigabit Internet backbones.

Ethernet running at 10Mbps over fiber-optic cable to the desktop is designated 10BaseFL; the 100Mbps version of this implementation is 100BaseFX. The L in the 10Mbps version stands for link.
Other designations are B for backbone and P for passive.

The MT-RJ fiber-optic connector was the first small form factor fiber-optic connector to be widely used, and it's only one-third the size of the SC and ST connectors it most often replaces. It offers these benefits:
■ Small size
■ TX and RX strands in one connector
■ Keyed for single polarity
■ Pre-terminated ends that require no polishing or epoxy
■ Easy to use
Figure 3.10 shows an example of an MT-RJ fiber-optic connector.

Figure 3.10: A sample MT-RJ fiber-optic connector

LC is a newer style of SFF fiber-optic connector that's pulling ahead of the MT-RJ. It's especially popular for use with Fibre Channel adapters and is a standard used for fast storage area networks and Gigabit Ethernet adapters. Figure 3.11 depicts an example of the LC connector.

Figure 3.11: A sample LC fiber-optic connector

It has similar advantages to MT-RJ and other SFF-type connectors, but it's easier to terminate. It uses a ceramic ferrule just as standard-sized fiber-optic connectors do.

Media Converters
Sometimes you'll need to convert from one media type to another. Maybe you need to go from one mode of fiber to another mode, or, in an even more extreme case, from fiber to copper Ethernet. If you're faced with situations like these, you'll need to be familiar with some of the more common media converters:

Single-Mode Fiber to Ethernet These devices accept a fiber connector and an Ethernet connector and convert the signal between copper Ethernet and single-mode fiber (see Figure 3.12).

Figure 3.12: Single-mode fiber to Ethernet

Multimode Fiber to Ethernet These devices accept a fiber connector and an Ethernet connector and convert the signal between copper Ethernet and multimode fiber (see Figure 3.13).
Figure 3.13: Multimode fiber to Ethernet

Fiber to Coaxial These devices accept a fiber connector and a coaxial connector and convert digital signals between optical and coax (see Figure 3.14).

Figure 3.14: Fiber to coaxial (front and back)

Single-Mode to Multimode Fiber These devices accept a single-mode fiber connector and a multimode fiber connector and convert the signals between the two (see Figure 3.15).

Figure 3.15: Single-mode to multimode fiber

Serial Cables
Except for multimode fiber, all the cable varieties I've talked about so far are considered serial cable types. In network communications, serial means that one bit after another is sent out onto the wire or fiber and interpreted by a network card or other type of interface on the other end. Each 1 or 0 is read separately and then combined with others to form data. This is very different from parallel communication, where bits are sent in groups and have to be read together to make sense of the message they represent. A good example of a parallel cable is an old printer cable, which has been replaced by USB, as I'll get to in a minute.

RS-232
Recommended Standard 232 (RS-232) was a cable standard commonly used for serial data signals connecting the DTE and the DCE, such as a computer's serial port to an external modem. Figure 3.16 shows an example of one of the many types of RS-232 cables. These cables normally connect to a connector on the device called a DB-9 (strictly a DE-9 by the shell-size lettering described next, but everyone calls it DB-9).

Figure 3.16: An RS-232 cable end

Because laptops don't even come with these types of connectors anymore, they've pretty much been replaced by things like USB, Thunderbolt, and FireWire.

DB-25
Now here's a connector that has been around for a while!
The D series of connectors was invented by ITT Cannon in 1952. The D is followed by A, B, C, D, or E, which describes the shell size, and then by the number of pins or sockets. DB-25 tells us we have 25 pins in a "B" size shell. RS-232 devices usually used the DB-25 connector, but today we don't use RS-232 or DB-25, and we rarely use a DB-9, which used to be used for Cisco console cables but has mostly been replaced by USB.

Universal Serial Bus
Universal Serial Bus (USB) is now the built-in serial bus du jour of most motherboards. You usually get a maximum of 4 external USB interfaces, but add-on adapters can take that up to as many as 16 serial interfaces. USB can actually connect a maximum of 127 external devices, and it's a much more flexible peripheral bus than either serial or parallel.

We use USB to connect printers, scanners, and a host of other input devices like keyboards, joysticks, and mice. When connecting USB peripherals, you've got to connect them either directly to one of the USB ports on the PC or to a USB hub that is connected to one of those USB ports. You can get a picture of this in Figure 3.17.

Figure 3.17: A USB port

Hubs can be chained together to provide multiple USB connections, but even though you can connect up to 127 devices, it's really not practical to go there. Each device has a USB plug, as shown in Figure 3.18.

Figure 3.18: A USB plug

Cable Properties
The reason we use so many different types of cables in a network is that each type has its own set of properties that make it the best choice for a particular area or purpose. Different types vary in transmission speed, distance, duplex, noise immunity, and frequency, and I'll cover each of these next.
Transmission Speeds
Based on the type of cable or fiber you choose and the network that it's installed in, network administrators can control the speed of a network to meet the network's traffic demands. Admins usually permit, or would like to have, transmission speeds of up to 10Gbps or higher on the core areas of their networks that connect various network segments. In the distribution and access areas, where users connect to switches, it's typically 100Mbps per connection, but transmission speeds are creeping up because the traffic demand is getting higher.

Distance
Deciding factors used in choosing what cable type to use often come down to the topology of a network and the distance between its components. Some network technologies can run much farther than others without communication errors, but all network communication technologies are prone to attenuation, the degradation of a signal due to the medium itself and the distance signals have to travel. Some cable types suffer from attenuation more than others. For instance, any network using twisted-pair cable should have a maximum segment length of only 328 feet (100 meters).

Duplex
All communications are either half duplex or full duplex. The difference is whether the communicating devices can "talk" and "listen" at the same time. During half-duplex communication, a device can either send or receive, but not both at the same time. Think walkie-talkie: when you press the button on the walkie-talkie, you turn the speaker off and you can't hear anything the other side is saying. In full-duplex communication, both devices can send and receive at the same time. This means that the effective throughput is doubled and communication is much more efficient. Full duplex is typical in most of today's switched networks.
I’ll discuss both full and half duplex in more detail in Chapter 4, “The Current Ethernet Specifications.”

Noise Immunity (Security, EMI)

Any time electrons are pushed through two wires next to each other, a magnetic field is created, and that field can in turn induce a current in the wires. This is good because without magnetic flux we wouldn’t be using computers—the power that surges through them is a result of it. The bad news is that it also creates two communications issues. First, because the wire is creating a field based on the 1s and 0s coursing through it, with the right tools in hand, people can read the message in the wire without cutting it or even removing the insulation. You’ve heard of this—it’s called tapping the wire, and it’s clearly a valid security concern. In ancient history, high-security installations like the Pentagon actually encased communication wires in lead shielding to prevent them from being tapped. STP wires make tapping a little harder, but not hard enough. The best way to solve the magnetic-flux problem caused by electricity is to not use these wires at all. As I said, fiber-optic cables carry the signal as light on a glass or a really pure plastic strand, and light is not susceptible to magnetic flux, making fiber optics a whole lot harder to tap. It’s still not impossible—you can do it at the equipment level, but you have to actually cut and then repair the cable to do that, which isn’t likely to go unnoticed.

The second magnetic-flux issue comes from the outside in instead of from the inside out. Because wires can take on additional current if they’re near any source of magnetism, you’ve got to be really careful where you run your cables. You can avoid EMI by keeping copper cables away from all powerful magnetic sources like electric motors, speakers, amplifiers, fluorescent light ballasts, and so on. Just keep them away from anything that can generate a magnetic field!
Frequency

Each cable type has a specified maximum frequency that gives you the transmission bandwidth it can handle. Cat 5e cable is tested to 100MHz maximum frequency and can run 1Gbps signals for relatively short distances. That’s maxing it out, but it’s still good for connecting desktop hosts at high speeds. On the other hand, Cat 6 is a 250MHz cable that can handle 1Gbps data flow all day long with ease. Cat 6 has a lot more twists and thicker cables, so it’s best used when connecting floors of a building. Although a signal is measured as bandwidth, the capacity to carry the signal in a cable is measured as frequency.

Wiring Standards

Ethernet cabling is an important thing to understand, especially if you’re planning to work on any type of LAN. There are different types of wiring standards available:

■ 568A
■ 568B
■ Straight-through
■ Crossover
■ Rolled/rollover

We will look into each one of these, and then I’ll end this discussion with some examples for you.

568A vs 568B

If you look inside a network cable, you’ll find four pairs of wires twisted together to prevent crosstalk; they’re also twisted like this to help prevent EMI and tapping. The same pins have to be used on the same colors throughout a network to receive and transmit, but how do you decide which color wire goes with which pin? The good news is that you don’t have to decide—at least not completely. Two wiring standards have surfaced that have been agreed on by over 60 vendors, including AT&T, 3Com, and Cisco, although there isn’t 100 percent agreement. In other words, over the years, some network jacks have been pinned with the 568A standard and some have used the 568B standard, which can cause a bit of confusion if you don’t know what you’re looking at in your network.
568A

By looking at Figure 3.19, you can see that the green pair is used for pins 1 and 2 but the orange pair is split to pins 3 and 6, separated by the blue pair.

FIGURE 3.19 568A wired standard (RJ-45 plug viewed with the clip pointed away from you, pin 1 on the left)

T-568A pin colors: pin 1 white/green, pin 2 green, pin 3 white/orange, pin 4 blue, pin 5 white/blue, pin 6 orange, pin 7 white/brown, pin 8 brown.

568B

Now take a look at Figure 3.20. The orange pair is pins 1 and 2 and the green pair is pins 3 and 6, again separated by the blue pair.

FIGURE 3.20 568B wired standard (RJ-45 plug viewed with the clip pointed away from you, pin 1 on the left)

T-568B pin colors: pin 1 white/orange, pin 2 orange, pin 3 white/green, pin 4 blue, pin 5 white/blue, pin 6 green, pin 7 white/brown, pin 8 brown.

Note that the only difference between T568A and T568B is that pairs 2 and 3 (orange and green) are swapped. Also, you can use a UTP coupler in order to connect two RJ-45 connectors together to lengthen a cable or in order to make a straight-through cable into a crossover, and vice versa.

If you’re thinking, “What’s the difference, and why does it matter?” the answer is the position of four wires on one side of the cable—that’s it! There are eight wires in each UTP cable; pins 4, 5, 7, and 8 aren’t used in either standard. If you’re installing new cabling to each cubicle and/or office, you need to make sure to connect all eight pins—and use Cat 5e or Cat 6. Voice over IP (VoIP) uses all eight pins, and it’s really common to have voice and data on the same wire at the same time in today’s networks. This only leaves the wire pairs to connect to pins 1, 2, 3, and 6 for data. Remember, if we connect the green-white, green, orange-white, and orange wires to pins 1, 2, 3, and 6, respectively, on both sides of the cable, we’re using the 568A standard and creating the kind of straight-through cable that’s regularly implemented as a regular patch cable for most networks.
On the other hand, if we switch from pin 1 to pin 3 and from pin 2 to pin 6 on one side only, we’ve created a crossover cable for most networks. Let’s take a look.

Straight-Through Cable

The straight-through cable is used to connect a host to a switch or hub or a router to a switch or hub. No worries—I’ll tell you all about devices like switches, hubs, and routers in detail in Chapter 5, “Networking Devices.”

Four wires are used in straight-through cable to connect 10/100 Ethernet devices. It’s really pretty simple to do this; Figure 3.21 depicts the four wires used in a straight-through Ethernet cable.

FIGURE 3.21 Straight-through Ethernet cable (pins 1 through 8 on each end; 1 to 1, 2 to 2, 3 to 3, 6 to 6)

Notice that only pins 1, 2, 3, and 6 are used. Connect 1 to 1, 2 to 2, 3 to 3, and 6 to 6 and you’ll be up and networking in no time. Just remember that this would be a 10/100 Ethernet-only cable, so it wouldn’t work with 1000Mbps Ethernet, voice, Token Ring, ISDN, and so on.

Crossover Cable

The same four wires are used in this cable, and just as with the straight-through cable, you simply connect the different pins together. Crossover cables can be used to connect these devices:

■ Switch to switch
■ Hub to hub
■ Host to host
■ Hub to switch
■ Router direct to host

Take a look at Figure 3.22, which demonstrates how each of the four wires is used in a crossover Ethernet cable.

FIGURE 3.22 Crossover Ethernet cable (pins 1 through 8 on each end; 1 to 3, 2 to 6, 3 to 1, 6 to 2)

Okay—did you notice that instead of connecting 1 to 1, 2 to 2, and so on, we connected pins 1 to 3 and 2 to 6 on each side of the cable? A crossover cable is typically used to connect two switches together, but it can also be used to test communications between two workstations directly, bypassing the switch. A crossover cable is used only in Ethernet UTP installations.
You can connect two workstation NICs or a workstation and a server NIC directly with it.

If you are trying to match the straight-through and crossover cables with the 568A and 568B standard, here is how it would look:

568A+568A = straight-through
568B+568B = straight-through
568A+568B = crossover

You’re going to find out a lot more about how important it is to label basically everything. But for now, make sure to label a crossover cable as what it is so that no one tries to use it as a workstation patch cable. If they do that, the workstation won’t be able to communicate with the hub and the rest of the network!

It’s really cool that you can carry a crossover cable with you in your tool bag along with your laptop—then, if you want to ensure that a server’s NIC is functioning correctly, you can just connect your laptop directly to the server’s NIC using your handy crossover cable. You should be able to log in to the server if both NICs are configured correctly. Use a cable tester to make sure that what you’re dealing with is in fact a crossover cable. The tester can also tell you if there’s a problem with the cable. Figure 3.23 shows an inexpensive cable tester for UTP.

FIGURE 3.23 An inexpensive cable tester

This cost-effective little tool will tell you beyond a shadow of a doubt if you have a straight-through or crossover cable—or even if there’s a problem with the cable.

UTP Gigabit Wiring (1000BaseT)

In the previous examples of 10BaseT and 100BaseT UTP wiring, only two wire pairs were used, but that’s just not good enough for Gigabit UTP transmission. 1000BaseT UTP wiring (Figure 3.24) requires four wire pairs and uses more advanced electronics so that each and every pair in the cable can transmit simultaneously. Even so, gigabit wiring is almost identical to my earlier 10/100 example, except that we’ll use the other two pairs in the cable.
FIGURE 3.24 UTP gigabit crossover Ethernet cable (pins 1 through 8 on each end; 1 to 3, 2 to 6, 4 to 7, 5 to 8, and back)

For a straight-through cable it’s still 1 to 1, 2 to 2, and so on up to pin 8. And in creating the gigabit crossover cable, you’d still cross 1 to 3 and 2 to 6, but you would add 4 to 7 and 5 to 8—pretty straightforward!

Rolled/Rollover Cable

Although rolled cable isn’t used to connect any Ethernet connections together, you can use a rolled Ethernet cable to connect a host EIA-TIA 232 interface to a router console serial communication (COM) port. If you have a Cisco router or switch, you would use this cable to connect your PC, Mac, or a device like an iPad to the Cisco hardware. Eight wires are used in this cable to connect serial devices, although not all eight are used to send information, just as in Ethernet networking. Figure 3.25 shows the eight wires used in a rolled cable.

FIGURE 3.25 Rolled Ethernet cable (pins 1 through 8 on one end wired to pins 8 through 1 on the other)

These are probably the easiest cables to make because you just cut the end off on one side of a straight-through cable, turn it over, and put it back on—with a new connector, of course!

T1 Crossover Cable

In Chapter 15 you’ll be introduced to a device called the CSU/DSU. This device may be your connection to the Internet for the enterprise. The type of cable you use to connect to this device from your router depends on the interface types that are available on the router. The router may connect with several types of serial cables if a T1 connection is not built into it. If a T1 connection is built into the router, you will use an Ethernet cable. Figure 3.26 shows a T1 crossover cable connected to a T568B connection.

FIGURE 3.26 A T1 crossover cable (T1 crossover cable on the left, T568B RJ-45 plug on the right, pins 1 through 8 shown on both sides; pin 1 marked)

In rare instances you may have the need to run a cable between two CSU/DSUs. In that case you would need a T1 crossover cable.
A T1 cable uses T568B pairs 1 and 2, so to connect two T1 CSU/DSU devices back-to-back requires a crossover cable that swaps these pairs. Specifically, pins 1, 2, 4, and 5 are connected to 4, 5, 1, and 2, respectively.

Test Your Cable Understanding

You’ve taken a look at the various RJ-45 UTP cables. With that in mind, what cable is used between the switches in the following image?

(Image: two switches joined by a cable marked “?”)

For host A to ping host B, you need a crossover cable to connect the two switches together. But what types of cables are used in the network shown in the following image?

(Image: a router with a console connection, a switch, and attached hosts)

In the second example, there are a variety of cables in use. For the connection between the switches, we’d clearly use a crossover cable like the one you saw in the earlier example. The trouble is, here we have a console connection that uses a rolled cable. Plus, the connection from the router to the switch is a straight-through cable, which is also what’s running between the hosts and the switches.

Installing Wiring Distributions

By now, you’re probably getting the idea that there are a lot more components in the average computer network than meet the eye, right? If this isn’t exactly a news bulletin to you, then you either already are, or have been, involved in the initial installation of a network. If the latter describes you, you probably will be, or already are, involved in the purchase and installation of the components that will connect the computers throughout your organization’s building. And it may also be up to you to verify that all of the network components have been installed properly and tested. So, let’s go over each of these components and the process of verifying their proper installation.
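Before going on to the distribution hardware, here is an added worked example that pulls the cable pinouts from the preceding sections together. It is not code from the book or from any vendor: it models the T568A/T568B color assignments from Figures 3.19 and 3.20, derives the continuity a cable shows when its two ends are crimped to the same or different standards (the 568A+568A, 568B+568B, and 568A+568B cases above), and classifies a continuity map the way the inexpensive tester in Figure 3.23 does, covering the 10/100 straight-through and crossover (Figures 3.21 and 3.22), gigabit crossover (Figure 3.24), rollover (Figure 3.25), and T1 crossover (Figure 3.26) cases. The T1 crossover leaves pins 3, 6, 7, and 8 unconnected in this model; that is my assumption, since the chapter only specifies pins 1, 2, 4, and 5. The “broken patch cable” reading at the end is constructed for illustration.

```python
# Added example (not from the book): model the RJ-45 pinouts covered in this
# chapter and classify a cable from its pin-to-pin continuity, the way an
# inexpensive cable tester (Figure 3.23) does.

# Wire colour on each pin for the two TIA/EIA standards (Figures 3.19 and 3.20).
T568A = {1: "white/green", 2: "green", 3: "white/orange", 4: "blue",
         5: "white/blue", 6: "orange", 7: "white/brown", 8: "brown"}
T568B = {1: "white/orange", 2: "orange", 3: "white/green", 4: "blue",
         5: "white/blue", 6: "green", 7: "white/brown", 8: "brown"}

DATA_PINS = (1, 2, 3, 6)    # the four wires 10/100 Ethernet actually uses
SPARE_PINS = (4, 5, 7, 8)   # the other two pairs, needed for 1000BaseT and voice

# Reference pinouts from the chapter. Keys are end-A pins, values are the end-B
# pin the same wire lands on; pins that are not wired are simply absent.
ROLLOVER = {p: 9 - p for p in range(1, 9)}   # 1->8, 2->7, ... (Figure 3.25)
T1_CROSSOVER = {1: 4, 2: 5, 4: 1, 5: 2}       # Figure 3.26; pins 3, 6, 7, 8 are
                                               # left unconnected (my assumption)


def pin_map(end_a, end_b):
    """Continuity a cable shows when end A is crimped to one colour standard and
    end B to another: each wire lands on whichever pin carries its colour."""
    pin_for_colour = {colour: pin for pin, colour in end_b.items()}
    return {pin: pin_for_colour[colour] for pin, colour in end_a.items()}


def classify(continuity):
    """Name the cable type a continuity map corresponds to, or flag a miswire."""
    if continuity == ROLLOVER:
        return "rollover"
    if continuity == T1_CROSSOVER:
        return "T1 crossover"
    data = {p: continuity.get(p) for p in DATA_PINS}
    spare = {p: continuity.get(p) for p in SPARE_PINS}
    data_straight = all(data[p] == p for p in DATA_PINS)
    data_crossed = data == {1: 3, 2: 6, 3: 1, 6: 2}          # Figure 3.22
    spare_absent = all(v is None for v in spare.values())
    spare_straight = all(spare[p] == p for p in SPARE_PINS)
    spare_crossed = spare == {4: 7, 5: 8, 7: 4, 8: 5}        # Figure 3.24
    if data_straight and (spare_absent or spare_straight):
        return "straight-through"
    if data_crossed and (spare_absent or spare_straight):
        return "crossover (10/100)"
    if data_crossed and spare_crossed:
        return "gigabit crossover"
    return "miswire or unknown"


def open_pins(continuity, pins=range(1, 9)):
    """Pins with no continuity at all: what a tester shows as a dark LED."""
    return [p for p in pins if p not in continuity]


if __name__ == "__main__":
    for label, (a, b) in {"568A+568A": (T568A, T568A),
                          "568B+568B": (T568B, T568B),
                          "568A+568B": (T568A, T568B)}.items():
        print(f"{label}: {classify(pin_map(a, b))}")
    # A 10/100 patch cable with a broken wire on pin 6 (constructed reading).
    broken = {1: 1, 2: 2, 3: 3}
    print("broken patch:", classify(broken), "open pins:", open_pins(broken))
```

Note that the 568A+568B map comes out with pins 4, 5, 7, and 8 straight and only the data pins crossed, which is exactly why that combination is a 10/100 crossover and not a gigabit one; a gigabit crossover has to cross the spare pairs as well.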
MDF/IDF

The main distribution frame (MDF) is a wiring point that’s generally used as a reference point for telephone lines. It’s also considered the WAN termination point. It’s installed in the building as part of the prewiring, and the internal lines are connected to it. After that, all that’s left is to connect the external (telephone company) lines to the other side to complete the circuit.

Often, another wire frame called an intermediate distribution frame (IDF) is located in an equipment or telecommunications room. It’s connected to the MDF and is used to provide greater flexibility for the distribution of all the communications lines to the building. It’s typically a sturdy metal rack designed to hold the bulk of cables coming from all over the building!

25 Pair

A 25-pair cable consists of 25 individual pairs of wires all inside one common insulating jacket. It’s not generally used for data cabling, just for telephone cabling, and especially for backbone and cross-connect cables because it reduces the cable clutter significantly. This type of cable is often referred to as a feeder cable because it supplies signal to many connected pairs.

66 Block

If you know what a 66 block is, you’re either really old or work in an old building, since they came out in 1962 and can really only be used for old analog telephone connections. This uses the 25-pair cable I just mentioned and is a standard termination block containing 50 rows, which created an industry standard for easy termination of voice cabling.

110 Block

A newer type of wiring distribution point called a 110 block has replaced most telephone wire installations and is also used for computer networking. On one side, wires are punched down; the other side has RJ-11 (for phone) or RJ-45 (for network) connections. You’ll find 110 blocks in sizes from 25 to more than 500 wire pairs, and some are capable of carrying 1Gbps connections when used with Category 6 cables.
The hitch is that using Cat 6 with the 110 block is really difficult because of the size of the Cat 6 wiring. Figure 3.27 shows a 110 block and describes each section used in the 110 block.

FIGURE 3.27 A 110 block
■ Rugged, high-impact, flame-retardant polycarbonate.
■ Color laser-printable labels are available.
■ Termination strips on the base are notched and divided into 5-pair increments.
■ Connecting blocks are color-coded.
■ Ideal for use in cross-connect and consolidation point applications.

Demarc/Demarc Extension

The demarc (short for demarcation) is the last point of responsibility for the service provider. It’s often at the MDF in your building connection, especially if your building is large, but it’s usually just an RJ-45 jack that your channel service unit/data service unit (CSU/DSU) connects from your router to wide area network (WAN) connections. I’ll thoroughly cover CSU/DSUs in Chapter 16, “Wide Area Networks.” When troubleshooting, network admins often test for connectivity on both sides of the demarc to determine if the problem is internal or external. The length of copper or fiber that begins after the demarc but still doesn’t reach all the way up to your office is referred to as a demarc extension.

Smart Jack

A smart jack, also called a network interface device (NID) or network interface unit (NIU), is owned by the PSTN and is a special network interface that’s often used between the service provider’s network and the internal network. You can’t physically test to an actual demarc because it’s just an RJ-45 jack, but the service provider may install an NID that has power and can be looped for testing purposes. The smart-jack device may also provide for code and protocol conversion, making the signal from the service provider usable by the devices on the internal network like the CSU/DSU.
Above and Beyond the Network+!

If you have a Cisco router that is having a problem—such as a serial WAN connection issue—and you’re using a serial port on your router to connect to a port on a CSU/DSU, type this at the enabled Cisco router console or Telnet port:

config t
int s0/0
loopback

At this point, your interface will come up and look like it is working. That is, of course, if your connection from the router to the CSU/DSU is working properly. If not, you have a local problem.

Summary

I know getting through this chapter probably wasn’t the most fun you’ve had recently. But understanding all those types of wires and cabling, along with their unique capacities, their associated standards, and the right connectors to use with them plus where to place them, is integral to having a solid, foundational understanding of the things that make a great network run quickly and reliably.

It’s critical for you to grasp the basics of networking. Having the facts about how a good network is designed and implemented and what goes into that process will make you an effective and efficient technician—and maybe, some day, a highly paid system administrator.

Exam Essentials

Understand the various types of cables used in today’s networks. Coaxial (other than for cable modems) is rarely used, but twisted-pair and fiber-optic cable are very common in today’s networks.

Understand the various types of ends that are used on each type of cable. Coax uses BNC; twisted-pair uses RJ-11 for voice and RJ-45 for data; and fiber uses various ends, depending on its use.

Describe the various types of media converters that are available. These include single-mode fiber to Ethernet, multimode fiber to Ethernet, fiber to coaxial, and single-mode to multimode fiber.

Understand what a 568A to 568A cable is.
A 568A to 568A cable is also known as an Ethernet straight-through cable and is used to connect hosts to switches, for example.

Understand what a 568A to 568B cable is. A 568A to 568B cable is also known as an Ethernet crossover cable and is used to connect switches to switches, for example.

Define the function of a T1 crossover cable. In rare instances, you may have the need to run a cable between two CSU/DSUs. In that case, you will need a T1 crossover cable. A T1 cable uses T568B pairs 1 and 2, so to connect two T1 CSU/DSU devices back-to-back requires a crossover cable that swaps these pairs. Specifically, pins 1, 2, 4, and 5 are connected to 4, 5, 1, and 2, respectively.

Written Lab

You can find the answers in Appendix A.

1. Which UTP wiring uses four twisted wire pairs (eight wires) and is rated for 250MHz?
2. The point at which the operational control or ownership changes from your company to a service provider is referred to as __________.
3. Which type of cable will you use to connect two switches to each other?
4. Which RG rating of coax is used for cable modems?
5. Which UTP uses four twisted wire pairs (eight wires), is rated for 100MHz, and is capable of handling the disturbance on each pair caused by transmitting on all four pairs at the same time?
6. You want to connect a host to a switch port. What type of Ethernet cable will you use?
7. In what instance would you use a T1 crossover cable?
8. 568A uses which pins to make a connection?
9. A crossover uses which pins to make a connection?
10. What are two advantages of fiber-optic cabling?

Review Questions

You can find the answers to the review questions in Appendix B.

1. Why would a network administrator use plenum-rated cable during an installation? (Choose two.)
A. Low combustion temperature
B. High combustion temperature
C. Reduces toxic gas released during a fire
D. Is not susceptible to any interference

2. Which of the following Ethernet unshielded twisted-pair cabling types are commonly used?
A. 10BaseT
B. 100BaseTX
C. 1000BaseTX
D. All of the above

3. In which of the following categories is UTP cable not rated?
A. Category 2
B. Category 3
C. Category 5e
D. Category 8

4. What type of connector does UTP cable typically use?
A. BNC
B. ST
C. RJ-45
D. SC

5. Which of the following provides the longest cable run distance?
A. Single-mode fiber
B. Multimode fiber
C. Category 3 UTP
D. Coax

6. You need to crimp on a connector using an RJ-45 connector. Which pin-out configuration would you use to connect a host into a switch?
A. UTP
B. Straight-through
C. Crossover
D. Rolled

7. Fiber-optic cable is immune to electromagnetic interference (EMI) and radio frequency interference (RFI) because it __________.
A. Transmits analog signals using electricity
B. Transmits analog signals using light impulses
C. Transmits digital signals using light impulses
D. Transmits digital signals using electricity

8. What type of cable transmits light from end to end?
A. Coax
B. Fiber-optic
C. UTP
D. Category 2

9. What is the main difference between single-mode fiber (SMF) and multimode fiber (MMF)?
A. Electrical signals
B. Number of light rays
C. Number of digital signals
D. Single-mode can be run a shorter distance

10. What type of cable should be used if you need to make a cable run longer than 100 meters?
A. Category 5e
B. Category 6
C. Fiber-optic
D. Coaxial

11. Which of the following are fiber-optic connectors? (Select three.)
A. BNC
B. ST
C. RJ-11
D. SC
E. LC
F. RJ-45

12. You need to connect two devices on a network and they need to send voice traffic. Which of the following cables will you use?
A. Cat 3
B. Cat 5
C. Cat 8
D. Rolled

13. How many hosts on a half-duplex segment can talk at one time?
A. 0
B. 1
C. 2
D. Unlimited

14. On which type of cable does EMI have the least effect?
A. Coax
B. Fiber-optic
C. UTP
D. STP

15. How many devices can be connected to a full-duplex segment?
A. 0
B. 1
C. 2
D. 4

16. How many wires are used in a 100Mbps UTP transmission?
A. 2
B. 4
C. 6
D. 8

17. A crossover cable is used to connect all of the following except __________.
A. Switch to switch
B. Host to host
C. Hub to switch
D. Host to switch

18. How is a T1 crossover cable wired?
A. Pins 1, 2, 4, and 5 are connected to 4, 5, 1, and 2.
B. Pins 2, 3, 4, and 5 are connected to 4, 5, 1, and 2.
C. Pins 1, 2, 4, and 5 are connected to 3, 4, 5, and 6.
D. Pins 4, 5, 6, and 7 are connected to 4, 5, 1, and 2.

19. The purpose of the demarcation point is to separate the customer from whom?
A. The branch office
B. Headquarters
C. The data center
D. The service provider

20. You need to make a 568B cable for a Fast Ethernet link. How many pairs will you use?
A. 1
B. 2
C. 3
D. 4

Chapter 4
The Current Ethernet Specifications

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.0 Network architecture
✓ 1.8 Given a scenario, implement and configure the appropriate addressing schema
■ MAC addressing
✓ 5.0 Industry standards, practices, and network theory
✓ 5.2 Explain the basics of network theory and concepts
■ Numbering systems
■ Binary
■ Hexadecimal
■ Octal
■ Broadband/baseband
■ Bit rates vs baud rate
■ Sampling size
■ CSMA/CD and CSMA/CA
■ Carrier detect/sense
■ Wavelength
■ Collision

c04.indd 04/02/2015 Page 91

✓ 5.4 Given a scenario, deploy the appropriate wired connectivity standard
■ Ethernet standards
■ 10BaseT
■ 100BaseT
■ 1000BaseT
■ 1000BaseTX
■ 10GBaseT
■ 100BaseFX
■ 10Base2
■ 10GBaseSR
■ 10GBaseER
■ 10GBaseSW
■ IEEE 1901-2013
■ Ethernet over HDMI
■ Ethernet over power line

Before we dive into the complex worlds of networking devices, the TCP/IP and DoD models, IP addressing, subnetting, and routing in the upcoming chapters, you have to understand the big picture of LANs and learn the answer to these key questions: How is Ethernet used in today’s networks? What are Media Access Control (MAC) addresses, and how are these identifiers utilized in networking? This chapter will answer those questions and more. I’ll not only discuss the basics of Ethernet and the way MAC addresses are used on an Ethernet LAN, I’ll also cover the protocols used with Ethernet at the Data Link layer. You’ll also learn about the various Ethernet specifications. So now, let’s get started with the fundamentals of connecting two hosts together.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Network Basics

Networks and networking have grown exponentially over the last 20 years—understandably so.
They’ve had to evolve at light speed just to keep up with huge increases in basic mission-critical user needs ranging from sharing data and printers to more advanced demands like videoconferencing. Unless everyone who needs to share network resources is located in the same office area (an increasingly uncommon situation), the challenge is to connect the sometimes large number of relevant networks together so all users can share the networks’ wealth.

Let’s take a look at how communication happens on a basic local area network (LAN), which I started to discuss in Chapter 1, “Introduction to Networks.” Starting with Figure 4.1, you get a picture of a basic LAN network that’s connected together using an Ethernet connection to a hub. This network is actually one collision domain and one broadcast domain, but don’t stress if you have no idea what this means—I’m going to talk about both collision and broadcast domains in depth in Chapter 5, “Networking Devices.”

FIGURE 4.1 The basic network (the PCs Bob and Sally connected to a hub)

Okay, about Figure 4.1; how would you say the PC named Bob communicates with the PC named Sally? Well, they’re both on the same LAN connected with a multiport repeater (a hub). So does Bob just send out a data message, “Hey Sally, you there?” or does Bob use Sally’s IP address and put things more like, “Hey 192.168.0.3, are you there?”

I hope you picked the IP address option, but even if you did, the news is still bad—both answers are wrong! Why? Because Bob is actually going to use Sally’s MAC address (known as a hardware address), which is burned right into the network card of Sally’s PC, to get a hold of her. This is all good, but how does Bob get Sally’s MAC address when Bob knows only Sally’s name and doesn’t even have her IP address?
Bob is going to start by using name resolution (hostname-to-IP-address resolution), something that’s usually accomplished using Domain Name Service (DNS). And note that if these two hosts are on the same LAN, Bob can just broadcast to Sally asking her for the information (no DNS needed)—welcome to Microsoft Windows! Here’s the output from a network analyzer depicting a simple name-resolution process from Bob to Sally:

Time       Source       Destination    Protocol  Info
53.892794  192.168.0.2  192.168.0.255  NBNS      Name query NB SALLY<00>

As I already mentioned, because the two hosts are on a local LAN, Windows (Bob) will broadcast to resolve the name Sally (the destination 192.168.0.255 is a broadcast address). Let’s take a look at the rest of the information:

EthernetII,Src:192.168.0.2(00:14:22:be:18:3b),Dst:Broadcast(ff:ff:ff:ff:ff:ff)

This output shows that Bob knows his own MAC address and source IP address, but not Sally’s IP address or MAC address. So, Bob sends a broadcast address of all Fs for the MAC address (a Data Link layer broadcast) and an IP LAN broadcast of 192.168.0.255. Again, no worries—you’re going to learn all about broadcasts in Chapter 6, “Introduction to the Internet Protocol.”

Before the name is resolved, the first thing Bob has to do is broadcast on the LAN to get Sally’s MAC address so he can communicate to her PC and resolve her name to an IP address:

Time      Source       Destination  Protocol  Info
5.153054  192.168.0.2  Broadcast    ARP       Who has 192.168.0.3? Tell 192.168.0.2

Next, check out Sally’s response:

Time      Source       Destination  Protocol  Info
5.153403  192.168.0.3  192.168.0.2  ARP       192.168.0.3 is at 00:0b:db:99:d3:5e
53.89317  192.168.0.3  192.168.0.2  NBNS      Name query response NB 192.168.0.3

Okay, sweet—Bob now has both Sally’s IP address and her MAC address (00:0b:db:99:d3:5e). These are both listed as the source address at this point because this information was sent from Sally back to Bob.
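To make the exchange above concrete, here is an added example (my code, not the book’s and not output from any analyzer) that parses rows like the ones shown, replays them in time order, and reconstructs what Bob ends up knowing: the NetBIOS name-to-IP binding from the NBNS query and response, and the IP-to-MAC binding from the ARP reply. The capture text is constructed from the addresses and timestamps printed above, reassembled as tab-separated rows; the second NBNS timestamp only matters for ordering. The conflict check at the end, which notices two different MACs answering for one IP, is a defender’s sanity check I added and is not something the chapter discusses.

```python
# Added example (not from the book): parse analyzer rows like the ones shown
# for Bob and Sally and reconstruct what Bob learns from the exchange.
import re
from collections import namedtuple

Packet = namedtuple("Packet", "time src dst proto info")

# The chapter's capture, reassembled here as tab-separated rows (constructed
# from the addresses printed in the text; timestamps only matter for ordering).
CAPTURE = (
    "53.892794\t192.168.0.2\t192.168.0.255\tNBNS\tName query NB SALLY<00>\n"
    "5.153054\t192.168.0.2\tBroadcast\tARP\tWho has 192.168.0.3? Tell 192.168.0.2\n"
    "5.153403\t192.168.0.3\t192.168.0.2\tARP\t192.168.0.3 is at 00:0b:db:99:d3:5e\n"
    "53.89317\t192.168.0.3\t192.168.0.2\tNBNS\tName query response NB 192.168.0.3\n"
)

NB_QUERY = re.compile(r"Name query NB (\S+?)<[0-9A-Fa-f]{2}>")
NB_RESPONSE = re.compile(r"Name query response NB (\d{1,3}(?:\.\d{1,3}){3})")
ARP_REPLY = re.compile(r"(\S+) is at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_capture(text):
    """Turn the analyzer rows into Packet records sorted by capture time."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, proto, info = line.split("\t", 4)
        packets.append(Packet(float(time), src, dst, proto, info))
    return sorted(packets, key=lambda p: p.time)


def is_broadcast(dst):
    """Layer 2 'Broadcast' or the LAN's directed broadcast such as 192.168.0.255."""
    return dst == "Broadcast" or dst.endswith(".255")


def resolve(packets):
    """Replay the exchange. Returns (name->IP, IP->MAC, broadcast count, conflicts)."""
    names, arp, pending = {}, {}, {}   # pending: querier IP -> NetBIOS name asked for
    broadcasts, conflicts = 0, []
    for p in packets:
        if is_broadcast(p.dst):
            broadcasts += 1
        if p.proto == "NBNS":
            q = NB_QUERY.search(p.info)
            if q:
                pending[p.src] = q.group(1)
                continue
            r = NB_RESPONSE.search(p.info)
            if r and p.dst in pending:          # the answer is unicast back to the querier
                names[pending.pop(p.dst)] = r.group(1)
        elif p.proto == "ARP":
            r = ARP_REPLY.search(p.info)
            if r:
                ip, mac = r.groups()
                # Two different MACs claiming one IP deserve a second look
                # (a check I added; the chapter does not discuss it).
                if ip in arp and arp[ip] != mac:
                    conflicts.append((ip, arp[ip], mac))
                arp[ip] = mac
    return names, arp, broadcasts, conflicts


def lookup(name, text=CAPTURE):
    """What Bob ends up knowing about a host: its IP and the MAC he will frame to."""
    names, arp, _, _ = resolve(parse_capture(text))
    ip = names.get(name)
    return ip, arp.get(ip)


if __name__ == "__main__":
    names, arp, n_bcast, conflicts = resolve(parse_capture(CAPTURE))
    print("names:", names, "arp:", arp, "broadcasts:", n_bcast, "conflicts:", conflicts)
    print("SALLY ->", lookup("SALLY"))
```

Running it shows the two broadcasts the chapter points out (the NBNS query to 192.168.0.255 and the ARP request to the all-Fs hardware address) and the two unicast replies that give Bob the name-to-IP and IP-to-MAC bindings he needs before he can frame a single packet to Sally.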
So, finally, Bob has all the goods he needs to communicate with Sally. And just so you know, I’m also going to tell you all about Address Resolution Protocol (ARP) and show you exactly how Sally’s IP address was resolved to a MAC address a little later, in Chapter 6. Importantly, I want you to understand that Sally still had to go through the same resolution processes to communicate back to Bob—sounds crazy, huh? Consider this welcome to IPv4 and basic networking with Windows—and we haven’t even added a router yet!

Ethernet Basics

Ethernet is a contention media-access method that allows all hosts on a network to share the same bandwidth of a link. Ethernet is popular because it’s readily scalable, meaning that it’s comparatively easy to integrate new technologies, such as Fast Ethernet and Gigabit Ethernet, into an existing network infrastructure. It’s also relatively simple to implement in the first place, and with it, troubleshooting is reasonably straightforward. Ethernet uses both Data Link and Physical layer specifications, and this part of the chapter will give you both the Data Link layer and Physical layer information you need to effectively implement, troubleshoot, and maintain an Ethernet network.

In the following sections, I’ll also cover some basic terms used in networking with Ethernet technologies. Let’s start with collision domains.

Collision Domain

The term collision domain is an Ethernet term that refers to a particular network scenario wherein one device sends a packet out on a network segment and thereby forces every other device on that same physical network segment to pay attention to it. This is bad because if two devices on one physical segment transmit at the same time, a collision event—a situation where each device’s digital signals interfere with another on the wire—occurs and forces the devices to retransmit later.
Collisions have a dramatically negative effect on network performance, so they’re definitely something we want to avoid!

The situation I just described is typically found in a hub environment where each host segment connects to a hub that represents only one collision domain and one broadcast domain. This begs the question, What’s a broadcast domain?

Broadcast Domain

Here’s that answer: A broadcast domain refers to the set of all devices on a network segment that hear all the broadcasts sent on that segment.

Even though a broadcast domain is typically a boundary delimited by physical media like switches and repeaters, it can also reference a logical division of a network segment where all hosts can reach each other via a Data Link layer (hardware address) broadcast.

That’s the basic story, but rest assured, I’ll be delving deeper into the skinny on collision and broadcast domains a bit later, in Chapter 5.

CSMA/CD

Ethernet networking uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD), a media access control method that helps devices share the bandwidth evenly without having two devices transmit at the same time on the network medium. CSMA/CD was created to overcome the problem of those collisions that occur when packets are transmitted simultaneously from different hosts. And trust me—good collision management is crucial because when a host transmits in a CSMA/CD network, all the other hosts on the network receive and examine that transmission. Only bridges, switches, and routers, but not hubs, can effectively prevent a transmission from propagating throughout the entire network.

So, how does the CSMA/CD protocol work? Let’s start by taking a look at Figure 4.2, where a collision has occurred in the network. When a host wants to transmit over the network, it first checks for the presence of a digital signal on the wire. If all is clear, meaning that no other host is transmitting, the host will then proceed with its transmission.
But it doesn’t stop there. The transmitting host constantly monitors the wire to make sure no other hosts begin transmitting. If the host detects another signal on the wire, it sends out an extended jam signal that causes all hosts on the segment to stop sending data (think busy signal). The hosts respond to that jam signal by waiting a while before attempting to transmit again. Backoff algorithms, represented by the clocks counting down on either side of the jammed devices, determine when the colliding stations can retransmit. If collisions keep occurring after 15 tries, the hosts attempting to transmit will then time out. Pretty clean!

FIGURE 4.2 CSMA/CD (Carrier Sense Multiple Access with Collision Detection): a collision on the segment, followed by jam signals reaching every host

When a collision occurs on an Ethernet LAN, the following things happen:
■ A jam signal informs all devices that a collision occurred.
■ The collision invokes a random backoff algorithm.
■ Each device on the Ethernet segment stops transmitting for a short time until the timers expire.
■ All hosts have equal priority to transmit after the timers have expired.

And following are the effects of having a CSMA/CD network that has sustained heavy collisions:
■ Delay
■ Low throughput
■ Congestion

Backoff on an 802.3 network is the retransmission delay that’s enforced when a collision occurs. When a collision occurs, a host will resume transmission after the forced time delay has expired. After this backoff delay period has expired, all stations have equal priority to transmit data.

Broadband/Baseband

We have two ways to send analog and digital signals down a wire: broadband and baseband. We hear the term broadband a lot these days because that is pretty much what everyone uses at home.
It allows us to have both our analog voice and digital data carried on the same network cable or physical medium. Broadband allows us to send multiple frequencies of different signals down the same wire at the same time (called frequency-division multiplexing), and to send both analog and digital signals.

Baseband is what all LANs use. This is where all the bandwidth of the physical media is used by only one signal. For example, Ethernet uses only one digital signal at a time, and requires all the available bandwidth. If multiple signals are sent from different hosts at the same time, we get collisions; the same is true with wireless, except that it uses only analog signaling.

Bit Rates vs Baud Rate

Bit rate is a measure of the number of data bits (0s and 1s) transmitted in one second in either a digital or analog signal. A figure of 56,000 bits per second (bps) means 56,000 0s or 1s can be transmitted in one second, which we simply refer to as bps.

In the 1970s and 1980s, we used the term baud rate a lot, but that was replaced by bps because it was more accurate. Baud was a term of measurement named after a French engineer, Jean-Maurice-Emile Baudot, because he used it to measure the speed of telegraph transmissions. One baud is one electronic state change per second—for example, from 0.2 volts to 3 volts or from binary 0 to 1. However, since a single state change can involve more than a single bit of data, the bps unit of measurement has replaced it as a more accurate definition of how much data you’re transmitting or receiving.

Wavelength

Has anyone ever told you that they were on the same wavelength as you? That means they thought you were basically thinking the same way they were. The same is true of the inverse—if they say, “you’re not on the same wavelength.” Electromagnetic radiation, whether radio waves, light waves, or even infrared (heat) waves, makes characteristic patterns as it travels through space.
Some patterns can be the same, and some can be different, as shown in Figure 4.3. Each wave pattern has a certain shape and length. The distance between peaks (high points) is called wavelength. If two wavelengths are different, we would say they’re not on the same wavelength, and that is the way we tell different kinds of electromagnetic energy apart. We can use this to our advantage in electronics by sending traffic on different wavelengths at the same time.

In the following sections, I’m going to cover Ethernet in detail at both the Data Link layer (Layer 2) and the Physical layer (Layer 1).

FIGURE 4.3 Shorter and longer wavelengths

Sampling Size

At their core, computers work one step at a time by turning a succession of switches on or off at very high speed. In order for a computer to convert analog audio signals to digital signals in a discrete step, the analog waveform is mathematically described as a succession of discrete amplitude values. When converting from analog, the computer captures a series of samples in specified sizes, which we’ll call the sampling size. Each data stream sample contains items like dynamic range, frequency content, and more. The measured amplitude level in each sample is quantized by being given a value of the nearest measured increment. A computer will reproduce these values and play them back in the same order and at the same rate at which they were captured, producing a copy of the original waveform. This is called the sample rate or sample size. The number of bits transmitted per second is called the bit rate.

Half- and Full-Duplex Ethernet

Just so you know, half-duplex Ethernet is defined in the original 802.3 Ethernet specification. Basically, when you run half duplex, you’re using only one wire pair with a digital signal either transmitting or receiving.
This really isn’t all that different from full duplex because you can both transmit and receive—you just don’t get to do that at the same time running half duplex as you can if you’re running full duplex.

Here’s how it works: If a host hears a digital signal, it uses the CSMA/CD protocol to help prevent collisions and to permit retransmitting if a collision does occur. Half-duplex Ethernet—typically 10BaseT—is only about 30 to 40 percent efficient because a large 10BaseT network will usually provide only 3Mbps to 4Mbps at most. Although it’s true that 100Mbps Ethernet can and sometimes does run half duplex, it’s just not very common to find that happening anymore.

In contrast, full-duplex Ethernet uses two pairs of wires at the same time instead of one measly wire pair like half duplex employs. Plus, full duplex uses a point-to-point connection between the transmitter of the sending device and the receiver of the receiving device (in most cases the switch). This means that with full-duplex data transfer, you not only get faster data-transfer speeds, but you also get collision prevention too—sweet! You don’t need to worry about collisions because now it’s like a freeway with multiple lanes instead of the single-lane road provided by half duplex. Full-duplex Ethernet is supposed to offer 100 percent efficiency in both directions—for example, you can get 20Mbps with a 10Mbps Ethernet running full duplex or 200Mbps for Fast Ethernet. But this rate is something known as an aggregate rate, which translates as “you’re supposed to get” 100 percent efficiency. No guarantees, in networking as in life.

Full-duplex Ethernet can be used in many situations; here are some examples:
■ With a connection from a switch to a host
■ With a connection from a switch to a switch
■ With a connection from a host to a host using a crossover cable

You can run full duplex with just about any device except a hub.
You may be wondering: If it’s capable of all that speed, why wouldn’t it deliver? Well, when a full-duplex Ethernet port is powered on, it first connects to the remote end and then negotiates with the other end of the Fast Ethernet link. This is called an auto-detect mechanism. This mechanism first decides on the exchange capability, which means it checks to see if it can run at 10, 100, or even 1000Mbps. It then checks to see if it can run full duplex, and if it can’t, it will run half duplex instead.

Hosts usually auto-detect both the Mbps and the duplex type available (the default setting), but you can manually set both the speed and duplex type on the Network Interface Card (NIC), as shown in the following screen shot.

Today, it’s pretty rare to go into a NIC configuration on a host and change these settings, but this example demonstrates that you can do that if you want. Remember that half-duplex Ethernet shares a collision domain and provides a lower effective throughput than full-duplex Ethernet, which typically has a private collision domain and a higher effective throughput.

Lastly, remember these important points:
■ There are no collisions in full-duplex mode.
■ A dedicated switch port is required for each full-duplex host.
■ The host network card and the switch port must be capable of operating in full-duplex mode.

Now let’s take a look at how Ethernet works at the Data Link layer.

Ethernet at the Data Link Layer

Ethernet at the Data Link layer is responsible for Ethernet addressing, commonly referred to as hardware addressing or MAC addressing. Ethernet is also responsible for framing packets received from the Network layer and preparing them for transmission on the local network through the Ethernet contention media-access method known as CSMA/CD.
Ethernet MAC addresses are made up of hexadecimal addresses. So before I discuss MAC addresses, let’s start by talking about binary, decimal, and hexadecimal addresses and how to convert one to another.

Binary to Decimal and Hexadecimal Conversion

Understanding the differences between binary, decimal, and hexadecimal numbers and how to convert one format into the other is very important before we move on to discussing the TCP/IP protocol stack and IP addressing in Chapters 6 and 7.

So let’s get started with binary numbering. It’s pretty simple, really. Each digit used is limited to being either a 1 (one) or a 0 (zero), and each digit is called 1 bit (short for binary digit). Typically, you count either 4 or 8 bits together, with these being referred to as a nibble and a byte, respectively.

What’s interesting about binary numbering is the value represented in a decimal format—the typical decimal format being the base-10 number scheme that we’ve all used since kindergarten. The binary numbers are placed in a value spot, starting at the right and moving left, with each spot having double the value of the previous spot. Table 4.1 shows the decimal values of each bit location in a nibble and a byte. Remember, a nibble is four bits and a byte is eight bits.

In network addressing, we often refer to a byte as an octet or octal addressing. Mathematically, octal addressing actually refers to base 8, which is completely different from the base 10 we are familiar with. So, technically speaking we are using the term incorrectly, but it’s the common usage anyway. When we get to the subnetting chapter, you’ll see that I’ll use byte and octet interchangeably when discussing IP addressing.

TABLE 4.1 Binary values
Nibble values: 8 4 2 1
Byte values: 128 64 32 16 8 4 2 1

What all this means is that if a one digit (1) is placed in a value spot, then the nibble or byte takes on that decimal value and adds it to any other value spots that have a 1.
And if a zero (0) is placed in a bit spot, you don’t count that value.

Let me clarify things for you—if we have a 1 placed in each spot of our nibble, we then add up 8 + 4 + 2 + 1 to give us a maximum value of 15. Another example for our nibble values is 1010, which means that the 8 bit and the 2 bit are turned on and equal a decimal value of 10. If we have a nibble binary value of 0110, then our decimal value is 6 because the 4 and 2 bits are turned on.

But the byte values can add up to a value that’s significantly higher than 15. This is how—if we count every bit as a one (1), then the byte binary value looks like this (remember, 8 bits equal a byte):

11111111

We then count up every bit spot because each is turned on. It looks like this, which demonstrates the maximum value of a byte:

128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255

A binary number can equal plenty of other decimal values. Let’s work through a few examples:

10010110 Which bits are on? The 128, 16, 4, and 2 bits are on, so we’ll just add them up: 128 + 16 + 4 + 2 = 150.

01101100 Which bits are on? The 64, 32, 8, and 4 bits are on, so we add them up: 64 + 32 + 8 + 4 = 108.

11101000 Which bits are on? The 128, 64, 32, and 8 bits are on, so we add the values: 128 + 64 + 32 + 8 = 232.

You should memorize Table 4.2 before braving the IP sections in Chapter 6 and Chapter 7 since this lists all available subnet masks.

TABLE 4.2 Binary-to-decimal memorization chart
Binary value | Decimal value
10000000 | 128
11000000 | 192
11100000 | 224
11110000 | 240
11111000 | 248
11111100 | 252
11111110 | 254
11111111 | 255

Hexadecimal addressing is completely different than binary or decimal—it’s converted by reading nibbles, not bytes. By using a nibble, we can convert these bits to hex pretty simply. First, understand that the hexadecimal addressing scheme uses only the numbers 0 through 9.
And because the numbers 10, 11, 12, and so on can’t be used (because they are two-digit numbers), the letters A, B, C, D, E, and F are used to represent 10, 11, 12, 13, 14, and 15, respectively. Table 4.3 shows both the binary value and the decimal value for each hexadecimal digit.

TABLE 4.3 Hex-to-binary-to-decimal chart
Hexadecimal value | Binary value | Decimal value
0 | 0000 | 0
1 | 0001 | 1
2 | 0010 | 2
3 | 0011 | 3
4 | 0100 | 4
5 | 0101 | 5
6 | 0110 | 6
7 | 0111 | 7
8 | 1000 | 8
9 | 1001 | 9
A | 1010 | 10
B | 1011 | 11
C | 1100 | 12
D | 1101 | 13
E | 1110 | 14
F | 1111 | 15

Did you notice that the first 10 hexadecimal digits (0–9) are the same values as the decimal values? If not, look again. This handy fact makes those values super easy to convert.

So suppose you have something like this: 0x6A. (Some manufacturers put 0x in front of characters so you know that they’re a hex value, while others just give you an h. It doesn’t have any other special meaning.) What are the binary and decimal values? To correctly answer that question, all you have to remember is that each hex character is one nibble and two hex characters together make a byte. To figure out the binary value, first put the hex characters into two nibbles and then put them together into a byte. 6 = 0110 and A (which is 10 in hex) = 1010, so the complete byte is 01101010.

To convert from binary to hex, just take the byte and break it into nibbles. Here’s how you do that: Say you have the binary number 01010101. First, break it into nibbles—0101 and 0101—with the value of each nibble being 5 because the 1 and 4 bits are on. This makes the hex answer 0x55. And in decimal format, the binary number is 01010101, which converts to 64 + 16 + 4 + 1 = 85.

Okay, now try another binary number:

11001100

Our answer is 1100 = 12 and 1100 = 12 (therefore, it’s converted to CC in hex). The decimal conversion answer is 128 + 64 + 8 + 4 = 204.
One more example, and then we need to get working on the Physical layer. Suppose we’re given the following binary number:

10110101

The hex answer is 0xB5 because 1011 converts to B and 0101 converts to 5 in hex value. The decimal equivalent is 128 + 32 + 16 + 4 + 1 = 181.

See the written lab at the end of this chapter for more practice with binary/hex/decimal conversion.

Ethernet Addressing

Now that you’ve got binary-to-decimal and hexadecimal address conversion down, we can get into how Ethernet addressing works. It uses the Media Access Control (MAC) address burned into each and every Ethernet NIC. The MAC, or hardware, address is a 48-bit (6-byte) address written in a hexadecimal format.

Figure 4.4 shows the 48-bit MAC addresses and how the bits are divided. The organizationally unique identifier (OUI) is assigned by the Institute of Electrical and Electronics Engineers (IEEE) to an organization. It’s composed of 24 bits, or 3 bytes. The organization, in turn, assigns a globally administered address (24 bits, or 3 bytes) that is unique to each and every adapter it manufactures. Look closely at the figure. The Individual/Group (I/G) address bit is used to signify if the destination MAC address is a unicast or a multicast/broadcast Layer 2 address. If the bit is set to 0, then it is an Individual MAC address and is a unicast address. If the bit is set to 1, it is a Group address and is a multicast/broadcast address.

FIGURE 4.4 Ethernet addressing using MAC addresses: bits 47 and 46 are the I/G and L/G bits; the high 24 bits are the Organizationally Unique Identifier (OUI), assigned by the IEEE; the low 24 bits are vendor assigned

The next bit is the Local/Global bit (L/G). This bit is used to tell if the MAC address is the burned-in-address (BIA) or a MAC address that has been changed locally. You’ll see this happen when we get to IPv6 addressing.
The low-order 24 bits of an Ethernet address represent a locally administered or manufacturer-assigned code. This portion commonly starts with 24 0s for the first card made and continues in order until there are 24 1s for the last (16,777,216th) card made. You’ll find that many manufacturers use these same six hex digits as the last six characters of their serial number on the same card.

Ethernet Frames

The Data Link layer is responsible for combining bits into bytes and bytes into frames. Frames are used at the Data Link layer to encapsulate packets handed down from the Network layer for transmission on a type of physical media access.

The function of Ethernet stations is to pass data frames between each other using a group of bits known as a MAC frame format. This provides error detection from a cyclic redundancy check (CRC). But remember—this is error detection, not error correction. The 802.3 frames and Ethernet frame are shown in Figure 4.5.

FIGURE 4.5 802.3 and Ethernet frame formats (field lengths in bytes)
Ethernet_II: Preamble 7 | SOF 1 | Destination 6 | Source 6 | Type 2 | Data and Pad 46–1500 | FCS 4
802.3_Ethernet: Preamble 7 | SOF 1 | Destination 6 | Source 6 | Length 2 | Data and Pad 46–1500 | FCS 4

Encapsulating a frame within a different type of frame is called tunneling.

The following information regarding frame headings and the various types of Ethernet frames is beyond the scope of the CompTIA Network+ objectives. Throughout the rest of this book, I’ll show you screen shots from a network analyzer. It’s always good to understand what you are looking at, so I put this information in to help you understand a frame structure.

Following are the details of the different fields in the 802.3 and Ethernet frame types:

Preamble An alternating 1,0 pattern provides a 5MHz clock at the start of each packet, which allows the receiving devices to lock the incoming bit stream.
Start of Frame Delimiter (SOF)/Synch The preamble is seven octets, and the start of a frame (SOF) is one octet (synch). The SOF is 10101011, where the last pair of 1s allows the receiver to come into the alternating 1,0 pattern somewhere in the middle and still synch up and detect the beginning of the data.

Destination Address (DA) This transmits a 48-bit value using the least significant bit (LSB) first. The DA is used by receiving stations to determine whether an incoming packet is addressed to a particular host and can be an individual address or a broadcast or multicast MAC address. Remember that a broadcast is all 1s (or Fs in hex) and is sent to all devices, but a multicast is sent only to a similar subset of hosts on a network.

Source Address (SA) The SA is a 48-bit MAC address used to identify the transmitting device, and it uses the LSB first. Broadcast and multicast address formats are illegal within the SA field.

Length or Type 802.3 uses a Length field, but the Ethernet frame uses a Type field to identify the Network layer protocol. 802.3 by itself cannot identify the upper-layer routed protocol and must be used with a proprietary LAN protocol—Internetwork Packet Exchange (IPX), for example.

Data This is a packet sent down to the Data Link layer from the Network layer. The size can vary from 64 to 1500 bytes.

Frame Check Sequence (FCS) FCS is a field that is at the end of the frame and is used to store the CRC.

Okay—let’s take a minute to look at some frames caught on our trusty network analyzer. You can see that the following frame has only three fields: Destination, Source, and Type, displayed as Protocol Type on this analyzer:

Destination: 00:60:f5:00:1f:27
Source: 00:60:f5:00:1f:2c
Protocol Type: 08-00 IP

This is an Ethernet_II frame. Notice that the Type field is IP, or 08-00 (mostly just referred to as 0x800) in hexadecimal.
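The nibble-by-nibble hex conversion from the previous section and the Destination, Source, and Type/Length fields just described, as an added example that is not code from the study guide. The frames are constructed here from the addresses shown in the analyzer captures in this section; the 0x0600 Type-versus-Length boundary and the 0x0806 ARP Type value are assumptions the page does not state.

```python
"""Decode MAC addresses and Ethernet_II / 802.3 headers as the text describes.

Added example, not from the study guide. Sample frames are constructed below
from the addresses shown in the analyzer captures.
"""
from dataclasses import dataclass

# Well-known Type values. Assumption (IEEE 802.3 rule, not stated on the page):
# a value of 0x0600 (1536) or more is a Type, 1500 or less is an 802.3 Length.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}
TYPE_LENGTH_BOUNDARY = 0x0600
BROADCAST = "ff:ff:ff:ff:ff:ff"   # all 1s in binary, all Fs in hex


def hex_to_binary(hexstr: str) -> str:
    """Convert hex to binary one nibble (4 bits) at a time: 0x6A -> 01101010."""
    return "".join(format(int(ch, 16), "04b") for ch in hexstr.replace("0x", ""))


def binary_to_decimal(bits: str) -> int:
    """Add up the place value (128, 64, ..., 2, 1) of every bit that is on."""
    total = 0
    for position, bit in enumerate(reversed(bits)):
        if bit == "1":
            total += 2 ** position
    return total


@dataclass
class MacInfo:
    oui: str            # high-order 24 bits, assigned by the IEEE
    vendor_part: str    # low-order 24 bits, assigned by the manufacturer
    is_group: bool      # I/G bit set: multicast/broadcast (0 = unicast)
    is_local: bool      # L/G bit set: locally administered (0 = burned-in)
    is_broadcast: bool  # all 48 bits are 1s


def decode_mac(mac: str) -> MacInfo:
    """Split a colon-separated MAC into OUI/vendor parts and read the I/G and L/G bits."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    first = int(octets[0], 16)
    # Each octet goes on the wire least significant bit first, so the I/G bit
    # is bit 0 of the first octet and the L/G bit is bit 1 of that octet.
    return MacInfo(
        oui=":".join(octets[:3]),
        vendor_part=":".join(octets[3:]),
        is_group=bool(first & 0x01),
        is_local=bool(first & 0x02),
        is_broadcast=":".join(octets) == BROADCAST,
    )


def parse_frame_header(frame: bytes) -> dict:
    """Parse Destination, Source and Type/Length from the bytes after the SOF.

    A frame whose Source Address is a group (multicast/broadcast) address is
    rejected, because that address format is illegal in the SA field.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for a 14-byte header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    type_or_len = int.from_bytes(frame[12:14], "big")
    if decode_mac(src).is_group:
        raise ValueError(f"illegal group address in Source field: {src}")
    if type_or_len >= TYPE_LENGTH_BOUNDARY:
        kind = "Ethernet_II"
        protocol = ETHERTYPES.get(type_or_len, f"0x{type_or_len:04x}")
    else:
        kind = "802.3"
        protocol = None   # a Length field cannot identify the upper-layer protocol
    return {
        "kind": kind,
        "destination": dst,
        "source": src,
        "type_or_length": type_or_len,
        "protocol": protocol,
        "broadcast": decode_mac(dst).is_broadcast,
        "data": frame[14:],
    }


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    """Build Destination | Source | Type-or-Length | Data, padding Data to 46 bytes."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return header + type_or_len.to_bytes(2, "big") + payload.ljust(46, b"\x00")


# Constructed frames using the addresses from the analyzer captures in the text.
IP_FRAME = build_frame("00:60:f5:00:1f:27", "00:60:f5:00:1f:2c", 0x0800, b"\x45")
BCAST_FRAME = build_frame(BROADCAST, "02:07:01:22:de:a4", 0x0800, b"\x45")
IPV6_FRAME = build_frame("33:33:00:01:00:03", "00:01:80:3e:7f:dd", 0x86DD, b"\x60")
RAW_8023 = build_frame("00:60:f5:00:1f:27", "00:60:f5:00:1f:2c", 46, b"\xe0")

if __name__ == "__main__":
    for name, frame in [("IP", IP_FRAME), ("broadcast", BCAST_FRAME),
                        ("IPv6", IPV6_FRAME), ("802.3", RAW_8023)]:
        hdr = parse_frame_header(frame)
        print(name, hdr["kind"], hdr["destination"], "->", hdr["protocol"])
```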
The next frame has the same fields, so it must be an Ethernet_II frame, too:

Destination: ff:ff:ff:ff:ff:ff Ethernet Broadcast
Source: 02:07:01:22:de:a4
Protocol Type: 08-00 IP

Did you notice that this frame was a broadcast? You can tell because the destination hardware address is all 1s in binary, or all Fs in hexadecimal.

Let’s take a look at one more Ethernet_II frame. You can see that the Ethernet frame is the same Ethernet_II frame we use with the IPv4 routed protocol. The difference is that the Type field has 0x86dd when we are carrying IPv6 data, and when we have IPv4 data, we use 0x0800 in the Protocol field:

Destination: IPv6-Neighbor-Discovery_00:01:00:03 (33:33:00:01:00:03)
Source: Aopen_3e:7f:dd (00:01:80:3e:7f:dd)
Type: IPv6 (0x86dd)

This is the beauty of the Ethernet_II frame. Because of the Protocol field, we can run any Network layer routed protocol and it will carry the data because it can identify that particular Network layer protocol!

Ethernet at the Physical Layer

Ethernet was first implemented by a group called DIX (Digital, Intel, and Xerox). They created and implemented the first Ethernet LAN specification, which the IEEE used to create the IEEE 802.3 Committee. This was a 10Mbps network that ran on coax, then on twisted-pair, and finally on fiber physical media. The IEEE extended the 802.3 Committee to two new committees known as 802.3u (Fast Ethernet), 802.3ab (Gigabit Ethernet on Category 5+), and then finally to 802.3ae (10Gbps over fiber and coax). Figure 4.6 shows the IEEE 802.3 and original Ethernet Physical layer specifications.

FIGURE 4.6 Ethernet Physical layer specifications (Data Link (MAC) layer: Ethernet and 802.3; Physical layer: 10Base2, 10Base5, 10BaseT, 10BaseF, 100BaseTX, 100BaseFX, 100BaseT4)

When designing your LAN, it’s really important to understand the different types of Ethernet media available to you.
Sure, it would be great to run Gigabit Ethernet to each desktop and 10Gbps between switches, as well as to servers. Although this is just starting to happen, justifying the cost of that network today for most companies would be a pretty hard sell. But if you mix and match the different types of Ethernet media methods currently available instead, you can come up with a cost-effective network solution that works great!

The Electronic Industries Association and the newer Telecommunications Industry Alliance (EIA/TIA) together form the standards body that creates the Physical layer specifications for Ethernet. The EIA/TIA specifies that Ethernet use a registered jack (RJ) connector on unshielded twisted-pair (UTP) cabling (RJ-45). However, the industry is calling this just an 8-pin modular connector.

Each Ethernet cable type that is specified by the EIA/TIA has something known as inherent attenuation, which is defined as the loss of signal strength as it travels the length of a cable and is measured in decibels (dB). The cabling used in corporate and home markets is measured in categories. A higher-quality cable will have a higher-rated category and lower attenuation. For example, Category 5 is better than Category 3 because Category 5 cables have more wire twists per foot and therefore less crosstalk. Crosstalk is the unwanted signal interference from adjacent pairs in the cable.

Here are the original IEEE 802.3 standards:

10Base2 This is also known as thinnet and can support up to 30 workstations on a single segment. It uses 10Mbps of baseband technology, coax up to 185 meters in length, and a physical and logical bus with Attachment Unit Interface (AUI) connectors. The 10 means 10Mbps, and Base means baseband technology—a signaling method for communication on the network—and the 2 means almost 200 meters.
10Base2 Ethernet cards use BNC (British Naval Connector, Bayonet Neill-Concelman, or Bayonet Nut Connector) and T-connectors to connect to a network.

10Base5 Also known as thicknet, 10Base5 uses a physical and logical bus with AUI connectors, 10Mbps baseband technology, and coax up to 500 meters in length. You can go up to 2,500 meters with repeaters and 1,024 users for all segments.

10BaseT This is 10Mbps using Category 3 UTP wiring. Unlike on 10Base2 and 10Base5 networks, each device must connect into a hub or switch, and you can have only one host per segment or wire. It uses an RJ-45 connector (8-pin modular connector) with a physical star topology and a logical bus.

Each of the 802.3 standards defines an AUI, which allows a one-bit-at-a-time transfer to the Physical layer from the Data Link media-access method. This allows the MAC address to remain constant but means the Physical layer can support both existing and new technologies. The original AUI interface was a 15-pin connector, which allowed a transceiver (transmitter/receiver) that provided a 15-pin-to-twisted-pair conversion.

There’s an issue, though—the AUI interface can’t support 100Mbps Ethernet because of the high frequencies involved. So basically, 100BaseT needed a new interface, and the 802.3u specifications created one called the Media Independent Interface (MII) that provides 100Mbps throughput. The MII uses a nibble, which you of course remember is defined as 4 bits. Gigabit Ethernet uses a Gigabit Media Independent Interface (GMII) and transmits 8 bits at a time.

802.3u (Fast Ethernet) is compatible with 802.3 Ethernet because they share the same physical characteristics. Fast Ethernet and Ethernet use the same maximum transmission unit (MTU) and the same MAC mechanisms, and they both preserve the frame format that is used by 10BaseT Ethernet.
Basically, Fast Ethernet is just based on an extension to the IEEE 802.3 specification, and because of that, it offers us a speed increase of 10 times 10BaseT.

Here are the expanded IEEE Ethernet 802.3 standards, starting with Fast Ethernet:

100BaseTX (IEEE 802.3u) 100BaseTX, most commonly known as Fast Ethernet, uses EIA/TIA Category 5 or 5e or 6 and UTP two-pair wiring. It allows for one user per segment up to 100 meters long (328 feet), and uses an RJ-45 connector with a physical star topology and a logical bus.

100BaseT and 100BaseTX: What’s the difference? 100BaseT is the name of a group of standards for Fast Ethernet that include 100BaseTX. Also included are 100BaseT4 and 100BaseT2. The same can be said about 1000BaseT and 1000BaseX.

100BaseFX (IEEE 802.3u) Uses 62.5/125-micron multimode fiber cabling up to 412 meters long and point-to-point topology. It uses ST and SC connectors, which are media-interface connectors. Ethernet’s implementation over fiber can sometimes be referred to as 100BaseTF even though this isn’t an actual standard. It just means that Ethernet technologies are being run over fiber cable.

1000BaseCX (IEEE 802.3z) Copper twisted-pair called twinax (a balanced coaxial pair) that can run only up to 25 meters and uses a special 9-pin connector known as the High-Speed Serial Data Connector (HSSDC).

1000BaseT (IEEE 802.3ab) Category 5, four-pair UTP wiring, and up to 100 meters long (328 feet).

1000BaseTX Category 5, two-pair UTP wiring up to 100 meters long (328 feet). Not used, and has been replaced by Category 6 cabling.

1000BaseSX (IEEE 802.3z) The implementation of Gigabit Ethernet runs over multimode fiber-optic cable instead of copper twisted-pair cable and uses short wavelength laser. Multimode fiber (MMF), using 62.5- and 50-micron core, utilizes an 850 nanometer (nm) laser and can go up to 220 meters with 62.5-micron; 550 meters with 50-micron.
1000BaseLX (IEEE 802.3z) Single-mode fiber that uses a 9-micron core, 1,300 nm laser, and can go from 3 km up to 10 km.

10GBaseT 10GBaseT is a standard created by the IEEE 802.3an committee to provide 10Gbps connections over conventional UTP cables (Category 5e, 6, or 7 cables). 10GBaseT allows the conventional RJ-45 used for Ethernet LANs. It can support signal transmission at the full 100-meter distance specified for LAN wiring. If you need to implement a 10Gbps link, this is the most economical way to go!

10GBaseSR An implementation of 10 Gigabit Ethernet that uses short-wavelength lasers at 850 nm over multimode fiber. It has a maximum transmission distance of between 2 and 300 meters (990 feet), depending on the size and quality of the fiber.

10GBaseLR An implementation of 10 Gigabit Ethernet that uses long-wavelength lasers at 1,310 nm over single-mode fiber. It also has a maximum transmission distance between 2 meters and 10 km, or 6 miles, depending on the size and quality of the fiber.

10GBaseER An implementation of 10 Gigabit Ethernet running over single-mode fiber that uses extra-long-wavelength lasers at 1,550 nm. It has the longest transmission distances possible of all the 10 Gigabit technologies: anywhere from 2 meters up to 40 km, again depending on the size and quality of the fiber used.

10GBaseSW 10GBaseSW, as defined by IEEE 802.3ae, is a mode of 10GBaseS for MMF with an 850 nm laser transceiver and a bandwidth of 10Gbps. It can support up to 300 meters of cable length. This media type is designed to connect to SONET equipment.

10GBaseLW 10GBaseLW is a mode of 10GBaseL supporting a link length of 10 km on standard single-mode fiber (SMF) (G.652). This media type is also designed to connect to SONET equipment.

10GBaseEW 10GBaseEW is a mode of 10GBaseE supporting a link length of up to 40 km on SMF based on G.652 using optical-wavelength 1,550 nm.
This is another media type designed to connect to SONET equipment.

If you want to implement a network medium that is not susceptible to electromagnetic interference (EMI), fiber-optic cable provides a more secure, long-distance cable that is not susceptible to EMI at high speeds like UTP is. Table 4.4 summarizes the cable types.

TABLE 4.4 Common Ethernet cable types
Ethernet name | Cable type | Maximum speed | Maximum transmission distance | Notes
10Base5 | Coax | 10Mbps | 500 meters per segment | Also called thicknet, this cable type uses vampire taps to connect devices to cable.
10Base2 | Coax | 10Mbps | 185 meters per segment | Also called thinnet, a very popular implementation of Ethernet over coax.
10BaseT | UTP | 10Mbps | 100 meters per segment | One of the most popular network cabling schemes.
100BaseTX | UTP, STP | 100Mbps | 100 meters per segment | Two pairs of Category 5 UTP.
10BaseFL | Fiber | 10Mbps | Varies (ranges from 500 meters to 2,000 meters) | Ethernet over fiber optics to the desktop.
100BaseFX | MMF | 100Mbps | 2,000 meters | 100Mbps Ethernet over fiber optics.
1000BaseT | UTP | 1000Mbps | 100 meters | Four pairs of Category 5e or higher.
1000BaseTX | UTP | 1000Mbps | 100 meters | Two pairs of Category 5e or higher.
1000BaseSX | MMF | 1000Mbps | 550 meters | Uses SC fiber connectors. Max length depends on fiber size.
1000BaseCX | Balanced, shielded copper | 1000Mbps | 25 meters | Uses a special connector, the HSSDC.
1000BaseLX | MMF and SMF | 1000Mbps | 550 meters multimode/2,000 meters single mode | Uses longer wavelength laser than 1000BaseSX. Uses SC and LC connectors.
10GBaseT | UTP | 10Gbps | 100 meters | Connects to the network like a Fast Ethernet link using UTP.
10GBaseSR | MMF | 10Gbps | 300 meters | 850 nm laser. Max length depends on fiber size and quality.
10GBaseLR | SMF | 10Gbps | 10 kilometers | 1,310 nm laser. Max length depends on fiber size and quality.
10GBaseER | SMF | 10Gbps | 40 kilometers | 1,550 nm laser. Max length depends on fiber size and quality.
10GBaseSW | MMF | 10Gbps | 300 meters | 850 nm laser transceiver.
10GBaseLW | SMF | 10Gbps | 10 kilometers | Typically used with SONET.
10GBaseEW | SMF | 10Gbps | 40 kilometers | 1,550 nm optical wavelength.

An advantage of 100BaseFX over 100BaseTX is longer cable runs, but 100BaseTX is easier to install.

I know there’s a lot of information to remember about the various Ethernet and fiber types used in today’s networks, but for the CompTIA Network+ exam, you really need to know them. Trust me, I haven’t inundated you with unnecessary information!

Deploy the Appropriate Wired Connectivity Standard

You have been tasked with installing wiring to handle the new networking technologies of 1000Mbps to the desktop and Voice over IP (VoIP), with 10Gbps between the access switches and the core switches. What cabling do you consider installing in order to accomplish this in a cost-effective manner?

First, you need to verify your distances. Since this will not include any wireless stations, you need to double-check the distances to each station and make sure the phone is within 100 meters (or closer) for connectivity to your access switches. Once you have your distances verified at 100 meters or less, you can use UTP wiring to the stations and phones and possibly even connect the stations into the back of the phones. Most phones have switches included, so this means you only need to run one Category 5e or better 1000BaseT four-pair cable to each cubicle or office.

For your connections from your access switches to your core switches, you can use 10GBaseT if your runs are 100 meters or less, or you can use 10GBaseSR, which allows runs up to 300 meters using multimode fiber.
Ethernet over Other Standards (IEEE 1905.1-2013)

IEEE 1905.1-2013 is an IEEE standard that defines a convergent digital home network for both wireless and wireline technologies. Some of the technologies include IEEE 802.11 (WiFi), IEEE 1901 (HomePlug, HD-PLC) powerline networking, IEEE 802.3 Ethernet, and Multimedia over Coax (MoCA). IEEE 1905.1-2013 was published in April 2013. The IEEE 1905.1 Standard Working Group is sponsored by the IEEE Power Line Communication Standards Committee (PLCSC).

The idea behind the 1905.1 technology standards is simple setup, configuration, and operation of home networking devices using both wired and wireless technologies. This takes advantage of the performance, coverage, and mobility benefits of multiple interfaces (Ethernet, Wi-Fi, Powerline, and MoCA), which enables better coverage and throughput in every room for both wireless and fixed devices. The two standards covered here are:

■ Ethernet over Power Line
■ Ethernet over HDMI

Ethernet over Power Line

In February 2011, the IEEE finally published a standard for Broadband over Power Line (BPL) called IEEE 1901, also referred to as Power Line Communication (PLC), or even Power Line Digital Subscriber Line (PDSL). Although this technology has been available for decades in theory, without an IEEE standard it was just not adopted as an alternative to other high-speed media. However, it is highly likely that this technology will really start to see some traction, especially from the power companies, who will be able to gather data from every device in your house and specifically tell you how much power is being used by your refrigerator, washers and dryers, and especially your computer and televisions, among all the other devices plugged into a wall power outlet. In the future, BPL will allow you to just plug a computer into a wall power socket and have more than 500Mbps for up to 1,500 meters.
Near my home in Boulder, Colorado, Xcel Energy is using BPL in combination with radio links for its SmartGridCity pilot project, which will send data from power meters, hot water heaters, thermostats, and more. An example of an adaptor is shown in Figure 4.7.

This technology can be used to deliver Internet access to the home as well. For a computer (or any other device), you would simply need to plug a BPL modem into any outlet in an equipped building to have high-speed Internet access. The basic BPL installation is shown in Figure 4.8.

FIGURE 4.7 Powerline adapter sets

FIGURE 4.8 Basic BPL installation (diagram labels: Broadband Service, ISP Router, Internet, BPL Gateway, Coaxial Cable, BPL Coupler, Meter Bank, Existing Electrical Wiring, BPL Modem)

After the gateway is connected through the coupler to the meter bank for the building, any electrical outlet can be used with the BPL modem to receive the ISP connection to the Internet. Challenges that still exist include:

■ The fact that power lines are typically noisy.
■ The frequency at which the information is transmitted is used by shortwave, and the unshielded power lines can act as antennas, thereby interfering with shortwave communications.

Ethernet over HDMI

HDMI Ethernet Channel technology consolidates video, audio, and data streams into a single HDMI cable, combining the signal quality of HDMI connectivity with the power and flexibility of home entertainment networking. Figure 4.9 shows how a possible home entertainment network will look before and after Ethernet over HDMI is implemented.
FIGURE 4.9 Ethernet over HDMI (two panels: Before HDMI Ethernet Channel and With HDMI Ethernet Channel; diagram labels: Internet, HDMI)

It incorporates a dedicated data channel into the HDMI link, enabling high-speed, bi-directional networking at up to 100Mbps.

Armed with the basics covered in the chapter, you’re equipped to go to the next level and put Ethernet to work using various network devices. But to ensure that you’re really ready, read the summary, go over the exam essentials, and do the written lab and review questions for this chapter!

Summary

In this chapter, you learned the fundamentals of Ethernet networking, how hosts communicate on a network, and how CSMA/CD works in an Ethernet half-duplex network. I also showed you the differences between half- and full-duplex modes. I finished the chapter with a description of the common Ethernet cable types used in today’s networks. And by the way, you’d be wise to study that section really well!

Exam Essentials

Understand basic Ethernet communication. Know how hosts use hardware addresses to communicate on an Ethernet LAN.

Understand Ethernet addressing. Know the hexadecimal addressing scheme used to create an Ethernet address.

Understand binary, decimal, and hexadecimal addressing. Know the different addressing types, and also use the written lab to practice your conversions.

Written Lab

In this section, you will write in the answers to the following conversion tables. You can find the answers in Appendix A.

1. Convert from decimal IP address to binary format.

Complete the following table to express 192.168.10.15 in binary format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

Complete the following table to express 172.16.20.55 in binary format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

Complete the following table to express 10.11.12.99 in binary format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

2. Convert the following from binary format to decimal IP address.

Complete the following table to express 11001100.00110011.10101010.01010101 in decimal IP address format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

Complete the following table to express 11000110.11010011.00111001.11010001 in decimal IP address format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

Complete the following table to express 10000100.11010010.10111000.10100110 in decimal IP address format.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Binary

3. Convert the following from binary format to hexadecimal.

Complete the following table to express 11011000.00011011.00111101.01110110 in hexadecimal.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Hexadecimal

Complete the following table to express 11001010.11110101.10000011.11101011 in hexadecimal.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Hexadecimal

Complete the following table to express 10000100.11010010.01000011.10110011 in hexadecimal.

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Hexadecimal

Review Questions

You can find the answers to the review questions in Appendix B.

1. On an Ethernet switched network, what address does one host computer use to communicate with another?
A. IP address
B. MAC address
C. Street address
D. HUB address

2. Which of the following can run full duplex and achieve 200Mbps with Cat 5e cable?
A. 100BaseF
B. 100BaseTX
C. 1000BaseF
D. 1000BaseT

3. How many devices in a collision domain have to listen when a single host talks?
A. 2
B. 3
C. 1
D. All

4. If you are using a cable medium called 10Base2, what does this mean?
A. That you are running Ethernet over HDMI
B. That you are running Ethernet over fiber
C. That you are running Ethernet over thicknet
D. That you are bundling multiple connections
E. That you are really old and using thinnet coax for your LAN medium

5. What network access control method helps devices share the bandwidth evenly without having two devices transmit at the same time on the network medium?
A. TCP/IP
B. CSMA/CD
C. HTTPS
D. TFTP

6. What is the maximum distance of 10GBaseSR?
A. 100 meters (328 feet)
B. 302 meters (990 feet)
C. 305 meters (1000 feet)
D. 1,593 km (6 miles)

7. How many wire pairs are used with half duplex?
A. 2
B. 1
C. 4
D. None of the above

8. How many wire pairs are used with 100BaseT full duplex?
A. 2
B. 1
C. 4
D. A or C

9. What is the maximum distance of 10GBaseLR?
A. 1 mile
B. 3 miles
C. 6 miles
D. 25 miles

10. What is the effective total throughput increase with a full-duplex connection?
A. None
B. Twice as much
C. Four times as much
D. Ten times as much

11. What device can you not use full-duplex communication with?
A. Host
B. Hub
C. Switch
D. Router

12. What is the decimal equivalent of this binary number: 11000000.10101000.00110000.11110000?
A. 192.168.48.192
B. 192.168.48.240
C. 192.168.64.224
D. 192.168.32.248

13. Which IEEE standard is used for Ethernet over Power Lines?
A. 802.3p
B. 1901
C. 802.16
D. 1918

14. How is the decimal value 10 represented in binary?
A. 1000
B. 1001
C. 1010
D. 1011

15. What is the decimal value for the binary number 11101000?
A. 128
B. 194
C. 224
D. 232

16. What is the decimal number 10 in hexadecimal?
A. 9
B. A
C. C
D. B

17. How many bits is a MAC address?
A. 16
B. 32
C. 48
D. 64

18. What is the maximum distance of 1000BaseT?
A. 100 meters (328 feet)
B. 128 meters (420 feet)
C. 1000 meters (3280 feet)
D. 1,024 meters (3360 feet)

19. What is the purpose of the Frame Check Sequence (FCS) in an Ethernet frame?
A. Error correction
B. Error detection
C. Error recovery
D. Creating errors

20. What does the Base mean in 100BaseTX?
A. Broadband
B. 100Mbps
C. Baseband
D. Twisted-pair at 100Mbps

Chapter 5 Networking Devices

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.1 Explain the functions and applications of various network devices
■ Router
■ Switch
■ Multilayer switch
■ Firewall
■ HIDS
■ IDS/IPS
■ Access point (wireless/wired)
■ Content filter
■ Load balancer
■ Hub
■ Analog modem
■ Packet shaper
■ VPN concentrator

✓ 1.3 Install and configure the following networking services/applications
■ DHCP
  ■ Static vs dynamic IP addressing
  ■ Reservations
  ■ Scopes
  ■ Leases
  ■ Options (DNS servers, suffixes)
  ■ IP helper/DHCP relay
■ DNS
  ■ DNS servers
  ■ DNS records (A, MX, AAAA, CNAME, PTR)
  ■ Dynamic DNS
■ Proxy/reverse proxy

✓ 1.12 Given a set of requirements, implement a basic network
■ List of requirements
■ Device types/requirements
■ Environment limitations
■ Equipment limitations
■ Compatibility requirements
■ Wired/wireless considerations
■ Security considerations

In this chapter, I’ll tell you all about the networking devices I’ve introduced so far. I’ll go into much greater detail about each device, and yes—I’m going to present even more of them to you! Because all the components that you’ll learn about shortly are typically found in today’s networks and internetworks, it’s very important that you be familiar with them. We’ll start by covering the more common network devices that you would be most likely to come across and then move on to discuss some of the more specialized devices that you may or may not always find running in a network. I’ll finish the chapter by using examples to discuss how routers, hubs, and switches work within internetworks today.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.
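Before moving on to the devices of Chapter 5, here is the conversion method behind the Chapter 4 written lab and the binary/hexadecimal review questions, written out in code. This is an added example, not part of the study guide: it walks the 128-64-32-16-8-4-2-1 place-value table exactly as the lab tables ask you to, instead of calling a library shortcut, so every step of decimal to binary, binary to decimal and binary to hexadecimal is visible. The function names are this example's own.

```python
"""Decimal / binary / hexadecimal conversion for dotted IPv4 addresses.

Added example for the Chapter 4 written lab; it is not part of the study
guide. The conversions walk the place-value table by hand so that the
intermediate steps match the tables you fill in on paper.
"""

# Place values of the eight bits in one octet, highest bit first.
WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(value: int) -> str:
    """One decimal octet (0-255) -> 8-character binary string.

    Walk the weights left to right: if the weight fits into what is left of
    the value, write a 1 and subtract it; otherwise write a 0.
    """
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = []
    remaining = value
    for weight in WEIGHTS:
        if remaining >= weight:
            bits.append("1")
            remaining -= weight
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits: str) -> int:
    """8-character binary string -> decimal, by adding the weights under each 1."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit binary string: {bits!r}")
    return sum(weight for weight, bit in zip(WEIGHTS, bits) if bit == "1")


def bits_to_hex(bits: str) -> str:
    """8-character binary string -> two hex digits.

    Each nibble (4 bits) becomes one hex digit; the same weighting applies,
    scaled down to 8-4-2-1.
    """
    digits = "0123456789ABCDEF"

    def nibble(n: str) -> int:
        return sum(w for w, b in zip((8, 4, 2, 1), n) if b == "1")

    return digits[nibble(bits[:4])] + digits[nibble(bits[4:])]


def decimal_ip_to_binary(ip: str) -> str:
    """Lab part 1: 192.168.10.15 -> 11000000.10101000.00001010.00001111"""
    return ".".join(octet_to_bits(int(o)) for o in ip.split("."))


def binary_ip_to_decimal(binary: str) -> str:
    """Lab part 2: 11001100.00110011.10101010.01010101 -> 204.51.170.85"""
    return ".".join(str(bits_to_octet(o)) for o in binary.split("."))


def binary_ip_to_hex(binary: str) -> str:
    """Lab part 3: 11011000.00011011.00111101.01110110 -> D8.1B.3D.76"""
    return ".".join(bits_to_hex(o) for o in binary.split("."))


def place_value_table(value: int) -> str:
    """Render one octet in the lab's fill-in layout, e.g. for 192:
    128 64 32 16 8 4 2 1
      1  1  0  0 0 0 0 0
    """
    bits = octet_to_bits(value)
    header = " ".join(str(w) for w in WEIGHTS)
    row = " ".join(b.rjust(len(str(w))) for w, b in zip(WEIGHTS, bits))
    return header + "\n" + row


if __name__ == "__main__":
    for ip in ("192.168.10.15", "172.16.20.55", "10.11.12.99"):
        print(ip, "->", decimal_ip_to_binary(ip))
    print(place_value_table(192))
```

The range and format checks in octet_to_bits and bits_to_octet are there because an octet above 255 or a binary string with a stray character is the most common slip when these conversions are done by hand, and a converter that silently accepts them would teach the wrong table.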
Common Network Connectivity Devices

By now, you should be fairly savvy regarding the various types of network media and connections, so it’s time to learn about some of the devices they hook up to that are commonly found on today’s networks. First, I’ll define the basic terms; then, later in this chapter, I’ll show you how these devices actually work within a network. At that time, I’ll give you more detailed descriptions of these devices and the terminology associated with them. Because these devices connect network entities, they’re known as connectivity devices. Here’s a list of the devices I’ll be covering in this chapter:

■ Network interface card (NIC)
■ Hub
■ Bridge
■ Basic switch
■ Basic router
■ Basic firewall
■ IDS/IPS/HIDS
■ Access point
■ Dynamic Host Configuration Protocol (DHCP) server
■ Other specialized devices

Network Interface Card

Those of you who aren’t familiar with NICs probably want to be, at this point, so here goes: a network interface card (NIC) is installed in your computer to connect, or interface, your computer to the network. It provides the physical, electrical, and electronic connections to the network media. A NIC either is an expansion card or is built right into the computer’s motherboard. Today, almost all NICs are built into the computer motherboard providing 10, 100, and 1000 Mbits/sec, but there was a time when all NICs were expansion cards that plugged into motherboard expansion slots. In some notebook computers, NIC adapters can be connected to the USB port or through a PC card slot. Figure 5.1 shows a typical 100Mbps Ethernet NIC.

FIGURE 5.1 Network interface card

Nowadays, most PCs and laptops of all types come with an Ethernet and wireless connector built into the motherboard, so you usually don’t need a separate card.
It’s rare to find a laptop today without a built-in wireless network card, but you can buy external wireless cards for desktops and laptops if you’ve got legacy equipment that needs them.

NICs today usually have one, two, or more LEDs. One, usually green, is called a link light; it indicates that an Ethernet connection has been established with the device on the other end of the cable and flickers when traffic is being passed back and forth. The other, or others, usually indicate the speed of the connection: 10, 100, or 1000 Mbit/sec. There’s no universal standard for NIC LEDs, so check the manual to familiarize yourself with what the ones you are working with indicate. But it’s not always that cut and dried: that blinking LED can mean the NIC is receiving a proper signal from the hub or switch, but it can also indicate connectivity to and detection of a carrier on a segment. Another possibility is that it’s found connectivity with a router or other end device using a crossover cable.

The other LED is the aptly named Activity LED, and it tends to flicker constantly. That activity indicates the intermittent transmission and reception of frames arriving at the network or leaving it. The first LED you should verify is the Link LED because if it’s not illuminated, the Activity LED simply cannot illuminate.

Hub

As you learned earlier, a hub is the device that connects all the segments of the network together in a star topology Ethernet network. Each device in the network connects directly to the hub through a single cable, and the hub is used to connect multiple devices without segmenting a network. Any transmission received on one port will be sent out all the other ports in the hub, including the receiving pair for the transmitting device, so that Carrier Sense Multiple Access with Collision Detection (CSMA/CD) on the transmitter can monitor for collisions.
So, basically, this means that if one station sends a broadcast, all the others will receive it; yet based on the addressing found in the frame, only the intended recipient will actually listen and process it. This arrangement simulates the physical bus that the CSMA/CD standard was based on, and it’s why we call the use of a hub in an Ethernet environment a physical star/logical bus topology.

Figure 5.2 depicts a typical hub as you might find it employed within a small network. Since there are only two users, there isn’t a problem in using a hub here; however, if there were 20 users, everyone would see Bob’s request to send a packet to Mary. Most of the time, hubs really aren’t recommended for corporate networks because of their limitations.

FIGURE 5.2 A typical hub (diagram labels: Hub, Bob, Sally, "HEY SALLY?")

It’s important to note that hubs are nothing more than glorified repeaters that are incapable of recognizing frames and data structures—the reason they act with such a lack of intelligence. A broadcast sent out by any device on the hub will be propagated to all devices connected to it. And just as in a physical bus topology configuration, any two or more of those connected devices have the potential of causing a collision with each other, which means that this hardware device will create a LAN with the most network traffic collisions. Hubs are not suggested for use in today’s corporate network for this reason.

Bridge

A bridge—specifically, a transparent bridge—is a network device that connects two similar network segments together. Its primary function is to keep traffic separated on either side of the bridge, breaking up collision domains, as pictured in Figure 5.3.

FIGURE 5.3 Bridges break up collision domains (diagram labels: Collision Domains, Bridge, One Broadcast Domain)

What we can see here is that traffic is allowed to pass through the bridge only if the transmission is intended for a station on the opposite side.
The main reasons you would place a bridge in your network would be to connect two segments together or to divide a busy network into two segments. Bridges are software based; so, interestingly, you can think of a switch as a hardware-based, multiport bridge. In fact, the terms bridge and switch are often used interchangeably because the two devices used basically the same bridging technologies. The past tense is there for a reason—you’d be hard-pressed to buy a bridge today.

Switch

Switches connect multiple segments of a network together much like hubs do, but with three significant differences—a switch recognizes frames and pays attention to the source and destination MAC address of the incoming frame as well as the port on which it was received. A switch makes each of its ports a unique, singular collision domain. Hubs don’t do those things. They simply send anything they receive on one port out to all the others.

So, if a switch determines that a frame’s final destination happens to be on a segment that’s connected via a different port than the one on which the frame was received, the switch will only forward the frame out from the specific port on which its destination is located. If the switch can’t figure out the location of the frame’s destination, it will flood the frame out every port except the one on which the frame was received.

Figure 5.4 shows a typical low-cost Ethernet switch. It looks a lot like a hub. However, switches can come in very large, expensive sizes. Switches that can perform the basic switching process and do not allow you to configure more advanced features—like adding an IP address for telnetting to the device or adding VLANs—are called unmanaged switches. Others, like Cisco switches that do allow an IP address to be configured for management with such applications as SNMP and do allow special ports to be configured (as in VoIP), are called managed switches.
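The forwarding logic just described, as an added example that is not code from the study guide: a hub that repeats every frame out all other ports, beside a switch that learns source MAC to port, forwards a known unicast destination out one port, and floods only unknown destinations and broadcasts. Port numbers and MAC addresses are constructed for illustration; the class and function names are this example's own.

```python
"""Hub versus learning switch: frame-forwarding simulation.

Added example, not part of the study guide. Models the difference the text
draws: a hub is a repeater, a switch keeps a MAC address table learned from
the source address of every frame it sees and forwards on the destination.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


@dataclass
class Hub:
    ports: int

    def handle(self, in_port: int, frame: Frame) -> list:
        """A hub never looks at the frame: every other port gets a copy."""
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    ports: int
    mac_table: dict = field(default_factory=dict)   # MAC -> port, learned from sources

    def handle(self, in_port: int, frame: Frame) -> list:
        """Return the list of ports the frame is sent out of."""
        # Learn: the source MAC was just seen arriving on in_port.
        self.mac_table[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flood every port but the ingress port.
            return [p for p in range(self.ports) if p != in_port]
        out_port = self.mac_table[frame.dst]
        if out_port == in_port:
            # Destination sits on the segment the frame came from; nothing to do.
            return []
        return [out_port]          # known destination: one port only


def demo() -> dict:
    """Run the same frames through a 4-port hub and a 4-port switch and
    return the output ports for each step so the two can be compared."""
    hub, sw = Hub(4), Switch(4)
    # Constructed MAC addresses for three stations on ports 0, 1 and 2.
    bob, mary, jim = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    frames = [
        (0, Frame(src=bob, dst=mary)),       # Mary not yet learned: switch floods
        (1, Frame(src=mary, dst=bob)),       # Bob learned on port 0: one port
        (0, Frame(src=bob, dst=mary)),       # Mary now learned on port 1: one port
        (2, Frame(src=jim, dst=BROADCAST)),  # broadcast: always flooded
    ]
    return {
        "hub": [hub.handle(p, f) for p, f in frames],
        "switch": [sw.handle(p, f) for p, f in frames],
        "mac_table": dict(sw.mac_table),
    }


if __name__ == "__main__":
    for name, steps in demo().items():
        print(name, steps)
```

Running demo() shows the hub emitting every frame on three ports each time while the switch emits the second and third frames on a single port; the first frame is flooded only because Mary's address has not been learned yet, which is exactly the "flood when the destination is unknown" rule in the text.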
FIGURE 5.4 Typical Ethernet switch

That’s as far as we’re going with switches right now. I’ll bring them up later on in this chapter and cover them in much greater detail in Chapter 11, “Switching and Virtual LANs.” For now, you can think of a switch as a faster, smarter bridge that has more ports. Switches are Layer 2 devices, which means they segment the network with MAC addresses. If you see the term Layer 3 switch, that means you are talking about a router, not a Layer 2 switch. The terms router and Layer 3 switch are interchangeable.

Router

A router is a network device used to connect many, sometimes disparate, network segments together, combining them into what we call an internetwork. A well-configured router can make intelligent decisions about the best way to get network data to its destination. It gathers the information it needs to make these decisions based on a network’s particular performance data. Figure 5.5 shows a small office, home office (SOHO) router that provides wired and wireless access for hosts and connects them to the Internet without any necessary configuration. But know that I certainly don’t recommend leaving a router with the default configuration! No worries, though—I’ll go over the configuration process with you in Chapter 10, “Routing Protocols.”

FIGURE 5.5 Router connected to the Internet, providing access for hosts (diagram labels: Internet, DSL/Cable Modem, Wireless Router, Computer Equipped with Wireless Adaptor, Computer Equipped with Network Adaptor, Notebook Equipped with Wireless Adaptor)

Routers can be multifaceted devices that behave like computers unto themselves with their own complex operating systems—for example, Cisco’s IOS. You can even think of them as CPUs that are totally dedicated to the process of routing packets.
And due to their complexity and flexibility, you can configure them to actually perform the functions of other types of network devices (like firewalls, for example) by simply implementing a specific feature within the router’s software.

Routers can have many different names: Layer 3 switch and multilayer switch are the most common, besides the name router, of course. Remember, if you hear just the word switch, that means a Layer 2 device. Routers, Layer 3 switches, and multilayer switches are all Layer 3 devices.

Interface Configurations

When configuring interfaces on a router or switch, unless you’re doing complex configurations such as connecting up a Voice over IP (VoIP) network, the interface configurations are pretty straightforward. There is a major difference between a router interface and a switch interface configuration, however. On a switch, you do not add an IP address, since switches only read up to Layer 2, and most of the time you never even need to configure a switch interface. First, they are enabled by default, and second, they are very good at auto-detecting the speed, duplex, and, in newer switches, even the Ethernet cable type (crossover or straight-through). A router is much different: an IP address is expected on each interface, interfaces are not enabled by default, and a good Layer 3 network design must be considered before installing a router.

Let’s start by taking a look at a basic Cisco switch configuration. First, notice by the output shown that there is no configuration on the interfaces, yet you can plug this switch into your network and it would work. This is because all ports are enabled and there are some very basic configurations that allow the switch to run without any configuration—they can be considered plug-and-play in a small or home network:

  Switch#sh running-config
  [output cut]
  !
  interface FastEthernet0/1
  !
  interface FastEthernet0/2
  !
  interface FastEthernet0/3
  !
  interface FastEthernet0/4
  !
  interface FastEthernet0/5
  !
  interface FastEthernet0/6
  !
  interface FastEthernet0/7
  !
  interface FastEthernet0/8
  !

Let’s take a look at a configuration of a simple switch interface. First, we’ll notice the duplex options:

  Switch(config-if)#duplex ?
    auto  Enable AUTO duplex configuration
    full  Force full duplex operation
    half  Force half-duplex operation

All switch ports are set to duplex auto by default, and usually you can just leave this configuration alone. However, be aware that if your network interface card is set to half duplex and the switch port is configured for full duplex, the port will receive errors and you’ll eventually get a call from the user. This is why it is advised to just leave the defaults on your hosts and switch ports, but it is a troubleshooting spot to check when a problem is reported from a single user.

The next configuration and/or troubleshooting spot you may need to consider is the speed of the port:

  Switch(config-if)#speed ?
    10    Force 10 Mbps operation
    100   Force 100 Mbps operation
    auto  Enable AUTO speed configuration

Again, this is set to auto, but you may want to force the port to be 100 and full duplex. Typically, the NIC will run this without a problem and you’ll be sure you’re getting the most bang for your buck on your switch port.

Let’s take a look at a router interface. We’re pretty much going to configure (or not configure) the same parameters. However, you should be very aware that a router interface and a switch interface perform different functions. A router interface will break up collision domains just as a switch interface does, but the purpose of a router interface is to create and maintain broadcast domains and connectivity of WAN services. Basic Layer 2 switches cannot provide these services.
As I mentioned, you must have a Layer 3 design before you can implement a router, meaning you must have your subnet design laid out on your network diagram and your IP addressing scheme must be completely understood. You cannot start configuring router interfaces randomly; there must be a design and it needs to be correct. Unlike switches, router interfaces do not just work when you plug them into the network—they must be configured and enabled. All ports are shut down by default, and why shouldn’t they be? Unless you have a network design and understand IP addressing, what good is a router to your network? Let’s take a look:

  Router(config-if)#duplex ?
    auto  Enable AUTO duplex configuration
    full  Force full duplex operation
    half  Force half-duplex operation
  Router(config-if)#speed ?
    10    Force 10 Mbps operation
    100   Force 100 Mbps operation
    auto  Enable AUTO speed configuration
  Router(config-if)#ip address ?
    A.B.C.D  IP address
    dhcp     IP Address negotiated via DHCP
    pool     IP Address autoconfigured from a local DHCP pool

First, we can see that the basics are there, duplex and speed, but also, to make a router interface useful at all we must add an IP address. Notice that the options allow you to configure a specific IP address or allow the interface to receive the address from a DHCP server. You would only use this option if you had an IP address reservation for the router interface on your DHCP server, since having your router get a random IP address from a DHCP server would be hard to manage.
Let’s finish the basics:

  Router(config-if)#ip address 1.1.1.1 255.0.0.0
  Router(config-if)#no shutdown
  Router(config-if)#
  *Oct 5 17:26:46.522: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
  *Oct 5 17:26:47.522: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

The interface can now be connected to a Layer 2 switch, and the hosts connected to the same broadcast domain must set their default gateway address to 1.1.1.1, and voilà, they can now send packets to the router.

Firewall

So what, exactly, is a firewall? Basically, firewalls are your network’s security guards, and to be real, they’re probably the most important thing to implement on your network. That’s because today’s networks are almost always connected to the Internet—a situation that makes security crucial! A firewall protects your LAN resources from invaders that prowl the Internet for unprotected networks while simultaneously preventing all or some of your LAN’s computers from accessing certain services on the Internet. You can employ them to filter packets based on rules that you or the network administrator create and configure to strictly delimit the type of information allowed to flow in and out of the network’s Internet connection.

A firewall can be either a stand-alone “black box” or a software implementation placed on a server or router. Either way, the firewall will have at least two network connections: one to the Internet (known as the public side) and one to the network (known as the private side). Sometimes, there is a second firewall, as shown in Figure 5.6. This firewall is used to connect servers and equipment that can be considered both public and private (like web and email servers). This intermediary network is known as a demilitarized zone (DMZ).
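The two ideas in the firewall description, administrator-written rules that decide what may flow in and out, and a DMZ that holds the web and email servers the public side may reach, as an added example that is not code from the study guide or any firewall product. It is a minimal stateless packet filter: the rules are evaluated first match wins with a default deny, which is this example's own convention; the address ranges, rules and packets are constructed for illustration.

```python
"""Minimal stateless packet filter with a public side, a private side and a DMZ.

Added example, not part of the study guide. Rules are checked in order and
the first match decides; anything no rule permits is dropped (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR block; "0.0.0.0/0" means any source
    dst: str                    # CIDR block; "0.0.0.0/0" means any destination
    proto: str = "any"
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Constructed address plan: private side, DMZ and "anywhere".
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
ANY = "0.0.0.0/0"

# Rule order matters: the first rule that matches a packet decides its fate.
RULES = [
    Rule("allow", ANY, DMZ, "tcp", 443),       # public side may reach the DMZ web server
    Rule("allow", ANY, DMZ, "tcp", 25),        # ...and hand mail to the DMZ mail server
    Rule("allow", INTERNAL, ANY, "tcp", 443),  # private side may browse out over HTTPS
    Rule("allow", INTERNAL, DMZ),              # private side may manage DMZ hosts on any port
    Rule("deny", DMZ, INTERNAL),               # DMZ hosts never initiate into the private side
]


def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for pkt under first-match semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"    # default deny: nothing explicitly permitted passes


def explain(pkt: Packet, rules=RULES) -> str:
    """Name the rule that decided a packet, which is what you want in a log."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return f"{rule.action} by rule {index}"
    return "deny by default policy"


if __name__ == "__main__":
    # Constructed sample traffic, one packet per case.
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
        Packet("203.0.113.5", "10.1.1.20", "tcp", 443),    # Internet -> private host
        Packet("10.1.1.20", "203.0.113.5", "tcp", 22),     # private -> Internet SSH
        Packet("192.0.2.10", "10.1.1.20", "tcp", 445),     # DMZ -> private host
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, ":", explain(pkt))
```

The last rule is redundant with the default deny, but writing it out records the design intent in the rule set itself, which is the difference between a rule base someone can audit and one where the most important decision is implicit.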
FIGURE 5.6 Example of firewalls with a DMZ (diagram labels: Internet, Firewall, DMZ, Firewall, Internal Network)

Firewalls are the first line of defense for an Internet-connected network. Without them in place, any network that’s connected to the Internet is essentially wide open to anyone with a little technical savvy who seeks to exploit LAN resources and/or access your network’s sensitive information.

IDS/IPS

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are very important in today’s networks. They are network security appliances that monitor networks and packets for malicious activity. An IDS operates in monitor mode: it just records and tells you about problems, whereas an IPS can work in real time to stop threats as they occur. The main difference between them is that an IPS works inline to actively prevent and block intrusions that are detected based on the rules you set up. IPSs can send an alarm, create correlation rules and remediation, drop malicious packets, provide malware protection, and reset the connection of offending source hosts.

HIDS

In a host-based IDS (HIDS), software runs on one computer to detect abnormalities on that system alone by monitoring applications, system logs, and event logs—not by directly monitoring network traffic. Systems like these are typically implemented on servers because they’re a bear to manage if spread across several client computers on a network. Plus, if the IDS database is on the local computer and its data becomes compromised by an attack, the IDS data could be corrupted, too. Other types of IDSs are protocol based (PIDS), which monitor traffic for one protocol on one server, and application protocol based (APIDS), which monitor traffic for a group of servers running the same application (such as SQL).

Access Point

I’ll be covering access points (APs) in depth in Chapter 12, but I’ll introduce them here.
Understand that an AP behaves much like a hub that accepts wireless clients via a radio signal. It's no secret that wireless is the key to all networks in the world today, and it will be even more prevalent in the future when all our home appliances have IP addresses and communicate wirelessly to our networks, for example. The ease of communicating on a network using an AP instead of having to use an Ethernet cable has changed our world forever. Figure 5.7 shows how an AP would look in a small network, such as a home.

FIGURE 5.7 Example of an AP in a network (Internet, DSL/cable modem, wireless router)

The wireless client modulates a digital signal onto an analog radio signal, which the AP receives and demodulates back to a digital signal. The AP creates one collision domain and can only run half duplex, which is why you can describe an AP as being like a hub. And because the radio is a shared medium, anyone within range can receive every frame, so wireless encryption is what stands in for the physical security a cable gives you. However, even though there are some standards that provide some full-duplex-type connectivity, a wireless host will never achieve the same type of throughput, security, and consistency that a wired Ethernet network would, but does that matter? Like rock 'n' roll, wireless is here to stay.

Dynamic Host Configuration Protocol Server

Even though I'm going to get into the finer points of DHCP soon, in Chapter 6, "Introduction to the Internet Protocol," I want to give you some basic insight into this server service here. In essence, DHCP servers assign IP addresses to hosts. This protocol gives us a much easier way to administer addressing, by automatically providing IP information, than the alternative and tedious method known as static IP addressing, where we have to address each host manually. It works well in any network environment, from tiny to huge, and allows all types of hardware to be employed as a DHCP server, including routers.
It works like this: A DHCP server receives a request for IP information from a DHCP client using a broadcast (as Chapter 6 will show you in detail). The only hitch is that if the DHCP server isn't on the same segment as the DHCP client, the broadcast won't be received by the server, because by default routers won't forward broadcasts, as shown in Figure 5.8.

FIGURE 5.8 DHCP client sends broadcasts looking for a DHCP server (single-server example: Router A forwards the broadcast received on E0 to the server as a unicast; multiple-server example: Router A forwards it to the servers' subnet as a directed broadcast)

In Figure 5.8, Router A is configured with the ip helper-address command on its E0 interface. Whenever interface E0 receives a DHCP broadcast, Router A forwards the request as a unicast, meaning that instead of a broadcast, the packet now carries the destination IP address of the DHCP server. So, as shown in the figure, you can configure Router A to forward these requests and even use multiple DHCP servers for redundancy if needed. This works because the router has been configured to forward the request either to a single server using a unicast or to multiple servers via a directed broadcast (the helper address is then the broadcast address of the servers' subnet). Personally, most of the time I use a Windows server to act as the DHCP server for my entire internetwork and have my routers forward client requests. It is possible to have a DHCP server on every network segment, but that is not necessary because of the routers' forwarding ability.

Figure 5.9 shows a picture of a Windows server with something called scope options. Scope Options provide IP configuration for hosts on a specific subnet. Below the Scope Options, you'll find Server Options, which provide IP information for all scopes configured on the server.
If I had just one Domain Name Service (DNS) server for the entire network, I'd configure the Server Options with my DNS server information; that DNS server information would then show up automatically in all scopes configured on my server.

So, what exactly does a DHCP client ask for, and what does a DHCP server provide? Is it just an IP address, a mask, and a default gateway? No, it is much more than that. Let's take a look at a DHCP client request on an analyzer. Figure 5.10 shows the options that the client is requesting from the DHCP server.

FIGURE 5.9 A Windows DHCP server's Scope Options

FIGURE 5.10 DHCP client request to a DHCP server

First, you can see that DHCP uses the BOOTP message format and the BOOTP ports: the client sends from UDP port 68 (bootpc) to the server's UDP port 67 (bootps). The client IP address is 0.0.0.0, and the client doesn't know the DHCP server address either, which is why this is a broadcast to 255.255.255.255 (the Data Link layer destination is FF:FF:FF:FF:FF:FF). Basically, all the DHCP client knows for sure is its own MAC address. The client is "requesting" a certain IP address (option 50) because this is the IP address it received from the server the last time it asked.

The DHCP client Parameter Request List option (option 55) shown at the end of Figure 5.10 has been expanded and is shown in Figure 5.11. Notice all the parameter information that can be sent to a DHCP client from the server.

FIGURE 5.11 DHCP client parameter request list

That is quite a request list! The DHCP server will respond with only those options that it has configured and available to provide to a DHCP client; anything the client asked for that the server has not been configured with is simply left out. Let's take a look and see what the server responds with. Figure 5.12 shows the DHCP server response.
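Here is the same exchange built byte for byte, as an added example written for this page rather than code from the book: the client's DISCOVER with its requested address (option 50) and parameter request list (option 55), the two fields a relaying router changes before it unicasts the request onward, and a server OFFER that answers only the requested options it is configured to supply. The server configuration (address pool, mask, router, DNS servers, domain name, 23-hour lease), the relay interface address and the client MAC are assumptions; no packets are put on the wire.

```python
"""DHCP on the wire: a client DISCOVER, what a relay agent changes, and the server's OFFER.

Added example, not the book's code. The server configuration (pool, mask, router, DNS,
domain, 23-hour lease) and the client MAC are assumptions chosen to match the text.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                 # cookie that starts the DHCP options area
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # fixed 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2                      # option 53 message types used here
# option codes: subnet mask, router, DNS, domain name, requested IP, lease, type, server ID, parameter list
O_MASK, O_ROUTER, O_DNS, O_DOMAIN, O_REQ_IP, O_LEASE, O_TYPE, O_SERVER, O_PARAMS = 1, 3, 6, 15, 50, 51, 53, 54, 55
NETBIOS = (44, 46, 47)                      # NetBIOS name server, node type, scope


def ip(dotted):
    return socket.inet_aton(dotted)


def encode_options(options):
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return body + b"\xff"                   # 255 = end of options


def build_message(op, xid, mac, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    # flags 0x8000 = "broadcast the reply"; ciaddr and siaddr stay 0.0.0.0 in this exchange
    hdr = struct.pack(HEADER, op, 1, 6, hops, xid, 0, 0x8000, ip("0.0.0.0"), ip(yiaddr),
                      ip("0.0.0.0"), ip(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + encode_options(options)


def parse_message(data):
    f = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                    # pad byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]].hex(":"), "options": opts}


def build_discover(xid, mac, last_ip):
    """Client side: sent from UDP 68 to 255.255.255.255:67; all it knows is its own MAC."""
    params = bytes([O_MASK, O_ROUTER, O_DNS, O_DOMAIN, *NETBIOS])     # option 55
    return build_message(BOOTREQUEST, xid, mac, [(O_TYPE, bytes([DISCOVER])),
                                                 (O_REQ_IP, ip(last_ip)),   # option 50
                                                 (O_PARAMS, params)])


def relay(data, relay_iface_ip):
    """What a router with ip helper-address does: stamp giaddr with the interface that heard
    the broadcast, count a hop, and unicast the result to the server's port 67."""
    out = bytearray(data)
    if out[24:28] == ip("0.0.0.0"):        # giaddr lives at offset 24 of the BOOTP header
        out[24:28] = ip(relay_iface_ip)
    out[3] += 1                             # hops
    return bytes(out)


# Assumed server configuration.
SERVER_IP, LEASE_SECONDS = "10.10.10.254", 23 * 3600
POOL = {"10.100.36.38", "10.100.36.39"}
SUPPLIED = {O_MASK: ip("255.255.255.224"), O_ROUTER: ip("10.100.36.33"),
            O_DNS: ip("10.10.10.10") + ip("10.10.10.11"), O_DOMAIN: b"lammle.com"}


def build_offer(discover):
    """Server side: honour option 50 if the address is free in the pool, and answer only the
    requested parameters the server is actually configured with."""
    req = parse_message(discover)
    wanted = req["options"].get(O_REQ_IP)
    wanted = socket.inet_ntoa(wanted) if wanted else None
    yiaddr = wanted if wanted in POOL else min(POOL)
    options = [(O_TYPE, bytes([OFFER])), (O_SERVER, ip(SERVER_IP)),
               (O_LEASE, struct.pack("!I", LEASE_SECONDS))]
    options += [(code, SUPPLIED[code]) for code in req["options"].get(O_PARAMS, b"") if code in SUPPLIED]
    # A relayed request is answered by unicast to giaddr; the relay delivers it on the client LAN.
    return build_message(BOOTREPLY, req["xid"], bytes.fromhex(req["chaddr"].replace(":", "")),
                         options, yiaddr=yiaddr, giaddr=req["giaddr"], hops=req["hops"])


def summarize_offer(offer):
    """What the client ends up with, in the terms the analyzer shows."""
    m = parse_message(offer)
    o = m["options"]
    dns = o.get(O_DNS, b"")
    return {"your_ip": m["yiaddr"], "mask": socket.inet_ntoa(o[O_MASK]),
            "lease_hours": struct.unpack("!I", o[O_LEASE])[0] / 3600,
            "router": socket.inet_ntoa(o[O_ROUTER]), "server": socket.inet_ntoa(o[O_SERVER]),
            "dns": [socket.inet_ntoa(dns[i:i + 4]) for i in range(0, len(dns), 4)],
            "domain": o[O_DOMAIN].decode(), "netbios_supplied": any(c in o for c in NETBIOS)}


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                      # assumed client MAC
    disc = build_discover(0x3903F326, mac, "10.100.36.38")
    print(summarize_offer(build_offer(relay(disc, "192.168.10.1"))))
```

The client asks for NetBIOS options 44, 46 and 47 as well, but the assumed server has none configured, so the offer comes back without them; that is the "responds with the options it has configured" behaviour in code. The offer is built with the relay's giaddr and hop count copied from the request, which is how the server knows to unicast its reply back to the relay rather than broadcasting on its own segment.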
FIGURE 5.12 DHCP server response

The client is going to get the IP address that it asked for (10.100.36.38), a subnet mask of 255.255.255.224, a lease time of 23 hours (the amount of time before the IP address and other DHCP information expires on the client), the IP address of the DHCP server, the default gateway (router), the DNS server IP addresses (it gets two), the domain name used by DNS, and some NetBIOS information (used by Windows for name resolution). Notice that nothing in this exchange authenticates the server: a client accepts the first offer it hears, so a rogue DHCP server on the same segment can hand out its own gateway and DNS addresses and quietly put itself in the path of every client that boots.

The lease time is important and can even be used to tell you if you have a DHCP problem or, more specifically, that the DHCP server is no longer handing out IP addresses to hosts. If hosts start failing to get onto the network one at a time as their leases expire and they try to get a new IP address, you need to check your server settings. Here is another example of a possible DHCP problem: You arrive at work after a weekend and find that some hosts were left on and some were shut down. The hosts that were left running are still working because their leases have not yet expired, but the hosts that were shut down and restarted on Monday morning do not get a new IP address. This is a good indication that you need to head over to your DHCP server and take a look at what is going on.

A DHCP server can also be configured with a reservation list so that a host always receives the same IP address. You would use this reservation list for routers or servers if they were not statically assigned. However, you can use reservation lists for any host on your network as well.

DHCP Relay

If you need to provide addresses from a DHCP server to hosts that aren't on the same LAN as the DHCP server, you can configure your router interface to relay or forward the DHCP client requests, as shown in Figure 5.13.
If we don't provide this service, our router would receive the DHCP client broadcast, promptly discard it, and the remote host would never receive an address, unless we added a DHCP server on every broadcast domain! Let's take a look at how we would typically configure DHCP service in today's networks.

FIGURE 5.13 Configuring a DHCP relay (a client on the Sales LAN broadcasts its request; the router's F0/0 interface, 192.168.10.1, hears the port 67 request and forwards it as a unicast to the DHCP server at 10.10.10.254)

So we know that because the hosts off the router don't have access to a DHCP server, the router will simply drop their client request broadcast messages by default. To solve this problem, we can configure the F0/0 interface of the router to accept the DHCP client requests and forward them to the DHCP server like this:

    Router#config t
    Router(config)#interface fa0/0
    Router(config-if)#ip helper-address 10.10.10.254

Now I know that was a pretty simple example, and there are definitely other ways to configure the relay, but rest assured that I've covered the objectives for you. Also, I want you to know that ip helper-address forwards more than just DHCP client requests: by default it also relays broadcasts for several other UDP services (TFTP, DNS, time, TACACS, and the NetBIOS name and datagram ports, among others) to the same address. So research this command before you implement it, and use no ip forward-protocol udp to switch off the services you don't want relayed!

Other Specialized Devices

In addition to the network connectivity devices I've discussed with you, there are several devices that, while they may not be directly connected to a network, do actively participate in moving network data. Here's a list of them:

■ Multilayer switch
■ Load balancer
■ DNS server
■ Proxy server
■ Encryption devices
■ Content filter
■ Analog modem
■ Packet shaper
■ VPN concentrator

Multilayer Switch

A multilayer switch (MLS) is a computer networking device that switches on Open Systems Interconnection (OSI) Layer 2 like an ordinary network switch but also provides routing. A 24-port MLS gives you the best of both worlds.
It operates at Layer 3 (routing) while still providing 24 collision domains, which a router could not do. The major difference between the packet-switching operation of a router and that of a Layer 3 or multilayer switch lies in the physical implementation. In routers, packet switching takes place in software on a general-purpose microprocessor, whereas a Layer 3 switch handles it in application-specific integrated circuit (ASIC) hardware. I'd show you a picture of a Layer 3 switch, but they look just like regular Layer 2 switches and you already know what those look like. The differences are the hardware inside and the operating system.

Load Balancer

Your average router just sends incoming packets to their specified, correlative IP address on the network, but a load balancer can actually send incoming packets to multiple machines hidden behind one IP address; cool, right? Today's load-balancing routers follow various rules to determine specifically how they will route network traffic. Depending on your needs, you can set rules based on the least load, fault tolerance, the fastest response times, or just dividing up (balancing) outbound requests for smooth network operations. In fact, the fault tolerance, or redundancy, as well as the scalability so vital to large networking environments and e-commerce are some of the great benefits we gain using load balancers.

Think about this scenario: Say you have a website where people are placing orders for the stuff you've got for sale. Obviously, the orders placed vary in size and the rate at which they come in varies; you definitely wouldn't want your servers becoming so overloaded that they hose up and crash your site, causing you to lose lots of money, now would you? That's where balancing the load of traffic between a group of servers comes to the rescue, because even if one of them freezes, your customers will still be able to access your site and place orders.
Domain Name Service Server

A Domain Name Service (DNS) server is one of the most important servers in your network and on the Internet as well. Why? Because without a DNS server, you would have to type http://206.123.114.186 instead of simply entering www.lammle.com. So it follows that you can pretty much think of the DNS system as the phone book of the Internet.

A hostname is typically the name of a device that has a specific IP address; on the Internet, it is part of what is known as a fully qualified domain name (FQDN). An FQDN consists of a hostname and a domain name.

The process of finding the IP address for any given hostname is known as name resolution, and it can be performed in several ways: a HOSTS file (meaning you statically type in all names and IP addresses on each and every host), a request broadcast on the local network (Microsoft's favorite; why ask a server when you can just broadcast, right?), DNS, and Microsoft's Windows Internet Naming Service (WINS). DNS is the most popular today and is the resolution method you really need to know. Note that the order matters: a resolver consults its HOSTS file before it asks DNS, so an entry there overrides whatever the DNS server says, which is why that file is a favorite target for anyone who wants to quietly redirect a name.

On the Internet, domains are arranged in a hierarchical tree structure. The following list includes some of the top-level domains currently in use:

■ .com A commercial organization. Most companies end up as part of this domain.
■ .edu An educational establishment, such as a university.
■ .gov A branch of the US government.
■ .int An international organization, such as NATO or the United Nations.
■ .mil A branch of the US military.
■ .net A network organization.
■ .org A nonprofit organization.

Your local ISP is probably a member of the .net domain, and your company is probably part of the .com domain. The .gov and .mil domains are reserved strictly for use by the government and the military within the United States.
In other parts of the world, the final part of a domain name represents the country in which the server is located (.ca for Canada, .jp for Japan, .uk for the United Kingdom, and .ru for Russia, for example). Well over 130 countries are represented on the Internet. The .com domain is by far the largest, followed by the .edu domain. Because of the growing number of domain-name requests, other top-level domains have been added over the years, such as .info for informational services, .biz, .cc, .travel, and .post, and still more, such as .firm for businesses and companies, .store for businesses selling goods rather than services, and .arts for cultural and entertainment organizations, have been proposed. Figure 5.14 shows how, when you type in a domain name, the DNS server resolves it, allowing the host to send the HTTP packets to the server.

FIGURE 5.14 DNS resolution example

This command-prompt screen shows how the DNS server resolves the human-readable name to the IP address of the Lammle.com server when I ping the server by name instead of by IP address.

It should be easy to imagine how hard life would be without DNS translating human names to IP addresses so that your packets can be routed through the Internet or internetwork to your servers. Figure 5.15 gives you an example of a Windows server configured as a DNS server.

To complete unqualified DNS names that will be used to search and submit DNS queries at the client for resolution, you must have a list of DNS suffixes that can be appended to these names. For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing a single DNS suffix for the client to append and use in searches. For example, if you just wanted to ping todd instead of ping todd.lammle.com, you can configure DHCP option 15 on the server to provide the suffix for you.
FIGURE 5.15 A Windows DNS server

Now the hosts can receive the IP address of this DNS server, and this server will resolve hostnames to the correct IP addresses. This is a mission-critical service in today's networks, don't you think? As shown in Figure 5.15, if I ping conlanpc1 from a host, the host will send the name-resolution request to the DNS server, which translates this name to IP address 192.168.255.8.

A host address record is called an A record and is what gives you the IP address of a domain or host. In IPv6, the equivalent is a quad-A or AAAA record. In Figure 5.15, you can see that each name has an A record, which is associated with an IP address. So, A records resolve hostnames to IP addresses, but what happens if you know the IP address and want to know the hostname? There is a record for this, too! It's called the pointer record (PTR).

Other typical records found on DNS servers are mail exchanger (MX) records, which identify the mail servers for a domain. The MX record points to the mail exchanger for a particular host. DNS is structured so that you can actually specify several mail exchangers for one host. This feature provides a higher probability that email will arrive at its intended destination. The mail exchangers are listed in the record with a preference value that indicates the order in which they should be tried by other mail-delivery systems: the lowest value is tried first. If the first-priority mail exchanger doesn't respond in a given amount of time, the mail-delivery system tries the second one, and so on. Here are some sample mail-exchange records:

    hostname.company.com.   IN   MX   10 mail.company.com.
    hostname.company.com.   IN   MX   20 mail2.company.com.
    hostname.company.com.   IN   MX   30 mail3.company.com.

In this example, if the first mail exchanger, mail.company.com, does not respond, the second one, mail2.company.com, is tried, and so on. Another important record type on a DNS server is the canonical name (CNAME) record.
This is also commonly known as the alias record and allows hosts to have more than one name. For example, suppose your web server has the hostname www and you want that machine to also have the name ftp so that users can use FTP to access a different portion of the file system as an FTP root. You can accomplish this with a CNAME record. Given that you already have an address record established for the hostname www, a CNAME record that adds ftp as a hostname would look something like this:

    www.company.com.   IN   A       204.176.47.2
    ftp.company.com.   IN   CNAME   www.company.com.

When you put all these record types together in a zone file, or DNS table, it might look like this:

    mail.company.com.       IN   A       204.176.47.9
    mail2.company.com.      IN   A       204.176.47.21
    mail3.company.com.      IN   A       204.176.47.89
    yourhost.company.com.   IN   MX      10 mail.company.com.
    yourhost.company.com.   IN   MX      20 mail2.company.com.
    yourhost.company.com.   IN   MX      30 mail3.company.com.
    www.company.com.        IN   A       204.176.47.2
    ftp.company.com.        IN   CNAME   www.company.com.

Finally, two other record types you should know about are AAAA records, which hold a host's IPv6 address (the IPv6 counterpart of the A record), and PTR, or pointer, records. PTR records are an IP-address-to-name mapping rather than a name-to-IP-address mapping. They reside in what is called a reverse lookup zone (or table) on the server and are used when an IP address is known but not a name.

Let's take a look a tad deeper for a minute into how resolution takes place between a host and a DNS server. Figure 5.16 shows a DNS query from my host to www.lammle.com from a browser.

FIGURE 5.16 A DNS query to www.lammle.com

This figure shows that DNS uses User Datagram Protocol (UDP) at the Transport layer for ordinary queries (it uses Transmission Control Protocol [TCP] when servers copy the phone book pages between themselves, which we call zone transfers, and for any answer too large to fit in one UDP datagram), and this query is asking destination port 53 (the DNS service) on host 192.168.133.2 who the heck www.lammle.com is. The query also carries a 16-bit transaction ID that the answer must echo back; along with the UDP source port, it is what the resolver uses to tell a genuine answer from a forged one.
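The query above, and the CNAME-plus-A answer the server returns for it, are easy to see if you build the messages yourself. The following is an added example written for this page, not code from the book: it encodes the query for www.lammle.com exactly as it goes to UDP port 53, decodes a reply constructed here (no network access), follows the CNAME chain the way a stub resolver does, and, tying back to the MX records discussed earlier, orders mail exchangers by preference. The alias target web.lammle.com and the company.com mail hosts are assumptions; the 184.172.53.52 address is the one the text reports.

```python
"""DNS on the wire: the query for www.lammle.com and the CNAME + A answer it gets back.

Added example; not from the book. The server reply is constructed here (no network
access); the CNAME target web.lammle.com and the company.com MX hosts are assumptions.
"""
import random
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """www.lammle.com -> b'\\x03www\\x06lammle\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=None):
    """What the client sends to UDP port 53: header, one question, RD (recursion desired) set."""
    if txid is None:
        txid = random.getrandbits(16)       # unpredictable ID helps reject spoofed answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(data, offset):
    """Read a name, following 0xC0 compression pointers; returns (name, offset after it)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                   # a malicious reply could loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, _ = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype in (5, 12):
            value, _ = decode_name(data, off)
        elif rtype == 15:                   # MX: 16-bit preference, then the host name
            value = (struct.unpack("!H", data[off:off + 2])[0], decode_name(data, off + 2)[0])
        else:
            value = data[off:off + rdlen]
        answers.append({"name": name, "type": TYPE_NAME.get(rtype, rtype), "ttl": ttl, "value": value})
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_response(query, records):
    """Constructed server reply. An owner name equal to the question name is written as the
    pointer 0xC00C to the copy at offset 12, as real servers do to save space."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    out = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0) + query[12:qend + 4]
    for owner, rtype, ttl, value in records:
        out += b"\xc0\x0c" if owner == qname else encode_name(owner)
        if rtype == "A":
            rdata = bytes(int(x) for x in value.split("."))
        elif rtype == "MX":
            rdata = struct.pack("!H", value[0]) + encode_name(value[1])
        else:
            rdata = encode_name(value)
        out += struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata
    return out


def resolve_chain(answers, name, max_hops=8):
    """Follow CNAMEs from name to its A addresses, the way a stub resolver reads the answer."""
    seen = set()
    for _ in range(max_hops):
        addrs = [a["value"] for a in answers if a["type"] == "A" and a["name"] == name]
        if addrs or name in seen:
            return addrs
        seen.add(name)
        aliases = [a["value"] for a in answers if a["type"] == "CNAME" and a["name"] == name]
        if not aliases:
            return []
        name = aliases[0]
    return []


def mail_exchangers(answers):
    """MX hosts ordered by preference: the lowest number is tried first."""
    return [host for _, host in sorted(a["value"] for a in answers if a["type"] == "MX")]


if __name__ == "__main__":
    q = build_query("www.lammle.com", txid=0x1234)
    reply = build_response(q, [("www.lammle.com", "CNAME", 300, "web.lammle.com"),
                               ("web.lammle.com", "A", 300, "184.172.53.52")])
    print(resolve_chain(parse_response(reply)["answers"], "www.lammle.com"))
```

Two details matter for anyone writing a parser like this for real traffic: the pointer-hop limit, because a crafted reply can point a name at itself, and the fact that the decoder trusts nothing past the declared rdlen, so a record whose rdata claims to be a name is read only within the message.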
Let's take a look at the server's response. Figure 5.17 shows the DNS answer to our query for www.lammle.com.

FIGURE 5.17 The DNS answer to our query

Port 53 answered from server 192.168.133.147 with a CNAME and an A record carrying the IP address 184.172.53.52. My host can now go to that server requesting HTTP pages using the IP address.

Dynamic DNS

At one time all DNS records had to be manually entered into the DNS server and edited manually when changes occurred. Today DNS is dynamic and works in concert with the DHCP function. Hosts register their names with the DNS server as they receive their IP address configuration from the DHCP server. Some older operating systems are not capable of self-registration (such as Windows NT), but the DHCP server can even be configured to perform registration on behalf of these clients with the DNS server. Because a client that can write its own record could just as easily overwrite someone else's, dynamic updates should be accepted only from authenticated clients (Windows calls this secure dynamic update). This doesn't mean that manual records cannot be created if desired. In fact, some of the record types we have discussed can only be created manually. These include MX and CNAME records.

Proxy Server

A proxy server is basically a type of server that handles its client machines' requests by forwarding them on to other servers while allowing granular control over the traffic between the local LAN and the Internet. When it receives a request, the proxy connects to the specific server that can fulfill the request on behalf of the client that wants it. Sometimes the proxy modifies the client's request or a server's response to it, or even handles the client's request itself. It will actually cache, or "remember," the response that the server returned for the request in case it's needed another time. This behavior really speeds up the network's function, thereby optimizing its performance.
However, proxy servers can also limit the types of sites that users on a LAN have access to, which is a benefit for an administrator of the network if users are constantly connected to non-work sites and using all the WAN bandwidth. Figure 5.18 shows where a proxy server would typically be found in a small-to-medium-size network.

FIGURE 5.18 A proxy server (LAN hosts and a printer on a switch, the proxy server, then the router and the Internet; one PC on a wireless connection)

There are two main types of proxy servers you'll typically find working in present-day networks:

Caching Proxy Server A caching proxy server speeds up the network's service requests by recovering information from a client's or clients' earlier requests. Caching proxies keep local copies of the resources requested often, which really helps minimize the upstream use of bandwidth. These servers can greatly enhance network performance.

Web Proxy Server A web proxy server is usually used to create a web cache of HTTP content, so a site somebody on the LAN has visited before loads faster for the next user who asks for it. Because every web request from the LAN passes through it, a web proxy also sees every URL requested, which is what makes it a natural place to filter and log web access. (A site that "remembers" you and fills in your username or shipping details is doing that with cookies and browser autofill, not through the proxy.)

I want to mention one more thing before we move on from proxies, and this is reverse proxies. Unlike a forward proxy, a reverse proxy takes requests from the Internet and forwards them to servers in an internal network, whereas the forward proxy we discussed in this section takes client requests and sends them to the Internet.

Encryption Devices

Although a number of the devices we have discussed earlier can perform encryption services, there are dedicated appliances that can perform encryption as well. The advantage of using these devices is that they normally provide more choice of encryption methods and stronger encryption options.
They also offload the process from other devices like routers and servers, which is a good thing since the encryption/decryption process is very processor intensive and interferes with other functions that those routers and servers might be performing. Sometimes these devices are called encryption gateways. They can either sit inline with a server or a local network, encrypting and decrypting all traffic, or function as an application server, encrypting any file sent to them within a network. Examples of encryption appliances are shown in Figure 5.19.

FIGURE 5.19 Encryption appliance

Content Filter

While an encryption appliance is dedicated to encryption, a content filtering appliance scans the content of what goes through it and filters out specific content or content types. Dedicating a device to this process offloads the work from servers or routers that could do this but at the cost of greatly slowing those devices. Also, there is usually more functionality and granular control available with a dedicated appliance. Email is a good example of what you might run through one of these devices before it is delivered, to filter out spam and objectionable content. Another example of the use of a content filter might be to block websites based on the content of the web pages rather than on the basis of the URL or IP address. An example of a dedicated content/URL filtering appliance from SecPoint is shown in Figure 5.20.

FIGURE 5.20 Content filtering appliance

Analog Modem

A modem (modulator-demodulator) is a device that modulates an analog carrier signal to encode digital information and demodulates the signal to decode the transmitted information. I gave you an example of this when I explained APs earlier in the chapter because an AP modulates and demodulates a signal just like a modem. Figure 5.21 shows a current analog modem that can be used in today's networks, albeit with slow throughput.
FIGURE 5.21 Analog modem

The goal is to produce a signal that can be transmitted easily and decoded to reproduce the original digital data. These signals are transmitted over telephone lines and demodulated by another modem at the receiving side in order to read the digital data.

Packet Shaper

Packet shaping (also known as traffic shaping; it's a form of rate limiting) is an internetworking traffic management technique that delays some or all packets to bring them into compliance with your or your company's traffic profile. Figure 5.22 shows a dedicated packet shaper appliance from Blue Coat.

FIGURE 5.22 Packet shaper

This profile is used to optimize or guarantee performance, improve latency, and/or increase usable bandwidth for some kinds of packets by delaying other kinds, as decided by you.

VPN Concentrator

A VPN concentrator is a device that accepts multiple VPN connections from remote locations. Although this function can be performed by a router or server, as with the encryption gateways and content filtering devices discussed earlier, the same performance benefits can be derived from dedicating a device to this. Moreover, additional functionality usually comes with these devices, one of which is shown in Figure 5.23.

FIGURE 5.23 VPN concentrator

Planning and Implementing a Basic SOHO Network Using Network Segmentation

It's likely that at some point you'll have to break up one large network into a bunch of smaller ones because user response will have dwindled to a slow crawl as the network grew and grew. With all that growth, your LAN's traffic congestion will have reached epic proportions.

Determining Requirements

When implementing a SOHO network, the first thing to be done is to identify the requirements of the network and the constraints around which you must operate. This should drive your design and device choices.
An example set of requirements and constraints might be as follows:

■ A small number of computers are needed.
■ There is a high need for Internet access.
■ Resources need to be shared.
■ Wired hosts and wireless hosts will need to communicate with each other.
■ Security is very important.

With these constraints in mind, you might find that you'll need more than just a switch and some Cat 5e cabling for this project. There is a need for a router, an AP, and a firewall in this case. In addition, you need to think about compatibility between equipment and the types and brands of equipment to buy as well as environmental issues or limitations. Wireless and security constraints are covered in Chapter 12 and Chapter 15, respectively. Chapter 12 is "Wireless Networking" and Chapter 15 is "Physical and Hardware Security."

One of the most important considerations you must take very seriously when building a basic network is LAN traffic congestion, which can be lessened with network segmentation and is directly related to device types and compatibility requirements as well as equipment limitations. Let's look at how to use the segmentation devices I have defined so far in this chapter. Here's a list of some of the nasty things that commonly cause LAN traffic congestion:

■ Too many hosts in a broadcast domain
■ Broadcast storms
■ Multicasting
■ Low bandwidth
■ Adding hubs for connectivity to the network

The answer to fixing a huge but slow network is to break it up into a number of smaller networks, something called network segmentation. You do this by using devices like routers and switches, which are sometimes still referred to as bridges because switches still use bridging technologies. Figure 5.24 displays a network that's been segmented with a switch so each network segment connected to the switch is now a separate collision domain.
But make note of the fact that this network is actually still one broadcast domain: the set of all devices on a network segment that hear all the broadcasts sent on that segment.

FIGURE 5.24 A switch can replace the hub, breaking up collision domains.

And keep in mind that the hub used in Figure 5.24 just extended the one collision domain from the switch port. Routers are used to connect networks together and route packets of data from one network to another. (Cisco has become the de facto standard for routers because of its high-quality router products, great selection, and fantastic service.) Routers, by default, break up a broadcast domain. Figure 5.25 shows a router in our little network that creates an internetwork and breaks up broadcast domains.

The network in Figure 5.25 is pretty cool. Each host is connected to its own collision domain, and the router has created two broadcast domains. And don't forget that the router provides connections to WAN services as well. The router uses something called a serial interface for WAN connections: specifically, a V.35 physical interface.

FIGURE 5.25 Routers create an internetwork. (Two switches, each with its own hosts, on separate router interfaces; Serial 0 goes to the WAN.)

Breaking up a broadcast domain is important because when a host or server sends a network broadcast, every device on the network must read and process that broadcast, unless you've got a router. When the router's interface receives this broadcast, it can respond by basically saying, "Thanks, but no thanks," and discard the broadcast without forwarding it on to other networks. Even though routers are known for breaking up broadcast domains by default, it's important to remember that they break up collision domains as well.

There are two advantages of using routers in your network:

■ They don't forward broadcasts by default.
■ They can filter the network based on Layer 3 (Network layer) information (such as an IP address).
Four router functions in your network can be listed as follows:

■ Packet switching
■ Packet filtering
■ Internetwork communication
■ Path selection

Remember that routers are really switches; they're actually what we call Layer 3 switches. Unlike Layer 2 switches, which forward or filter frames, routers (Layer 3 switches) use logical addressing and provide what is called packet switching. Routers can also provide packet filtering by using access lists, and when routers connect two or more networks together and use logical addressing (IP or IPv6), this is called an internetwork. Last, routers use a routing table (a map of the internetwork) to make path selections and to forward packets to remote networks.

Conversely, switches aren't used to create internetworks (they do not break up broadcast domains by default); they're employed to add functionality to a network LAN. The main purpose of a switch is to make a LAN work better, to optimize its performance, providing more bandwidth for the LAN's users. And switches don't forward packets to other networks as routers do. Instead, they only "switch" frames from one port to another within the switched network. Okay, you may be thinking, "Wait a minute, what are frames and packets?" I'll tell you all about them later in this chapter, I promise.

By default, switches break up collision domains, as mentioned in Chapter 4, "The Current Ethernet Specifications." Collision domain is an Ethernet term used to describe a network scenario wherein one particular device sends a frame on a network segment, forcing every other device on that same segment to pay attention to it. If at the same time a different device tries to transmit, the result is a collision, after which both devices must retransmit, one at a time. Not very efficient!
This situation is typically found in a hub environment where each host segment connects to a hub that represents only one collision domain and only one broadcast domain. By contrast, each and every port on a switch represents its own collision domain. Switches create separate collision domains but a single broadcast domain. Routers provide a separate broadcast domain for each interface.

The term bridging was introduced before routers and hubs were implemented, so it’s pretty common to hear people referring to bridges as switches. That’s because bridges and switches basically do the same thing—break up collision domains on a LAN. (In reality, you cannot buy a physical bridge these days, only LAN switches, but these switches use bridging technologies.)

So this means a switch is basically just a multiple-port bridge with more brainpower, right? Well, pretty much, but there are differences. Switches do provide this function, but they do so with greatly enhanced management ability and features. Plus, most of the time, bridges only had two or four ports. Yes, you could get your hands on a bridge with up to 16 ports, but that’s nothing compared to the hundreds available on some switches.

You would use a bridge in a network to reduce collisions within broadcast domains and to increase the number of collision domains in your network. Doing this provides more bandwidth for users. And keep in mind that using hubs in your network can contribute to congestion on your Ethernet network. As always, plan your network design carefully!

Figure 5.26 shows how a network would look with all these internetwork devices in place. Remember that the router will not only break up broadcast domains for every LAN interface but also break up collision domains.
FIGURE 5.26 Internetworking devices (Figure labels: Bridge, Switch, Router)

When you look at Figure 5.26, do you see the router at center stage and see how it connects each physical network together? We have to use this layout because of the older technologies involved—bridges and hubs.

On the top internetwork in Figure 5.26, you’ll notice that a bridge is used to connect the hubs to a router. The bridge breaks up collision domains, but all the hosts connected to both hubs are still crammed into the same broadcast domain. Also, the bridge creates only two collision domains, so each device connected to a hub is in the same collision domain as every other device connected to that same hub. This is actually pretty lame, but it’s still better than having one collision domain for all hosts.

Notice something else: The three hubs at the bottom that are connected also connect to the router, creating one collision domain and one broadcast domain. This makes the bridged network look much better indeed. Although bridges/switches are used to segment networks, they will not isolate broadcast or multicast packets.

The best network connected to the router is the LAN switch network on the left. Why? Because each port on that switch breaks up collision domains. But it’s not all good—all devices are still in the same broadcast domain. Do you remember why this can be a really bad thing? Because all devices must listen to all broadcasts transmitted, that’s why. And if your broadcast domains are too large, the users have less bandwidth and are required to process more broadcasts, and network response time will slow to a level that could cause office riots.

Once we have only switches in our network, things change a lot. Figure 5.27 shows the network that is typically found today.
FIGURE 5.27 Switched networks creating an internetwork (Figure label: Router)

Here I’ve placed the LAN switches at the center of the network world so the router is connecting only logical networks together. If I implement this kind of setup, I’ve created virtual LANs (VLANs), something I’m going to tell you about in Chapter 11. So don’t stress. But it is really important to understand that even though you have a switched network, you still need a router to provide your inter-VLAN communication, or internetworking. Don’t forget that.

Obviously, the best network is one that’s correctly configured to meet the business requirements of the company it serves. LAN switches with routers, correctly placed in the network, are the best network design. This book will help you understand the basics of routers and switches so you can make tight, informed decisions on a case-by-case basis.

Let’s go back to Figure 5.26 again. Looking at the figure, how many collision domains and broadcast domains are in this internetwork? I hope you answered nine collision domains and three broadcast domains. The broadcast domains are definitely the easiest to see because only routers break up broadcast domains by default. And because there are three connections, that gives you three broadcast domains. But do you see the nine collision domains? Just in case that’s a no, I’ll explain. The all-hub network is one collision domain; the bridge network equals three collision domains. Add in the switch network of five collision domains—one for each switch port—and you’ve got a total of nine.

Now, in Figure 5.27, each port on the switch is a separate collision domain and each VLAN is a separate broadcast domain. But you still need a router for routing between VLANs. How many collision domains do you see here? I’m counting 10—remember that connections between the switches are considered a collision domain.

Should I Replace All My Hubs with Switches?
You’re a network administrator at a large company in San Jose. The boss comes to you and says that he got your requisition to buy a switch and is not sure about approving the expense; do you really need it?

Well, if you can, sure—why not? Switches really add a lot of functionality to a network that hubs just don’t have. But most of us don’t have an unlimited budget. Hubs still can create a nice network—that is, of course, if you design and implement the network correctly.

Let’s say that you have 40 users plugged into four hubs, 10 users each. At this point, the hubs are all connected together so that you have one large collision domain and one large broadcast domain. If you can afford to buy just one switch and plug each hub into a switch port, as well as plug the servers into the switch, then you now have four collision domains and one broadcast domain. Not great; but for the price of one switch, your network is a much better thing. So, go ahead! Put that requisition in to buy all new switches. What do you have to lose?

So now that you’ve gotten an introduction to internetworking and the various devices that live in an internetwork, it’s time to head into internetworking models. As I mentioned earlier, routers break up broadcast domains, which means that by default, broadcasts aren’t forwarded through a router. Do you remember why this is a good thing? Routers break up collision domains, but you can also do that using Layer 2 (Data Link layer) switches. Because each interface in a router represents a separate network, it must be assigned unique network identification numbers, and each host on the network connected to that router must use the same network number. Figure 5.28 shows how a router works in an internetwork.

FIGURE 5.28 A router in an internetwork (Figure labels: Serial0, Internet, WAN Services, FastEthernet0/0, FastEthernet0/1)

Here are some points about routers that you should commit to memory:
■ Routers, by default, will not forward any broadcast or multicast packets.
■ Routers use the logical address in a Network layer header to determine the next hop router to forward the packet to.
■ Routers can use access lists, created by an administrator, to control security on the types of packets that are allowed to enter or exit an interface.
■ Routers can provide Layer 2 bridging functions if needed and can simultaneously route through the same interface.
■ Layer 3 devices (routers, in this case) provide connections between virtual LANs (VLANs).
■ Routers can provide quality of service (QoS) for specific types of network traffic.

Switching and VLANs are covered in Chapter 11.

Switches and Bridges at the Data Link Layer

Layer 2 switching is considered hardware-based bridging because it uses specialized hardware called an application-specific integrated circuit (ASIC). ASICs can run up to gigabit speeds with very low latency rates. Latency is the time measured from when a frame enters a port to when it exits.

Bridges and switches read each frame as it passes through the network. The Layer 2 device then puts the source hardware address in a filter table and keeps track of which port the frame was received on. This information (logged in the bridge’s or switch’s filter table) is what helps the machine determine the location of the specific sending device. Figure 5.29 shows a switch in an internetwork.

FIGURE 5.29 A switch in an internetwork (Figure labels: ports 1, 2, 3, 4. Each segment has its own collision domain. All segments are in the same broadcast domain.)

The real-estate business is all about location, location, location, and it’s the same way for both Layer 2 and Layer 3 devices. Although both need to be able to negotiate the network, it’s crucial to remember that they’re concerned with very different parts of it.
Primarily, Layer 3 machines (such as routers) need to locate specific networks, whereas Layer 2 machines (switches and bridges) need to eventually locate specific devices. So, networks are to routers as individual devices are to switches and bridges. And routing tables that “map” the internetwork are for routers as filter tables that “map” individual devices are for switches and bridges.

After a filter table is built on the Layer 2 device, it will forward frames only to the segment where the destination hardware address is located. If the destination device is on the same segment as the frame, the Layer 2 device will block the frame from going to any other segments. If the destination is on a different segment, the frame can be transmitted only to that segment. This is called transparent bridging.

When a switch interface receives a frame with a destination hardware address that isn’t found in the device’s filter table, it will forward the frame to all connected segments. If the unknown device that was sent the “mystery frame” replies to this forwarding action, the switch updates its filter table regarding that device’s location. But in the event that the destination address of the transmitting frame is a broadcast address, the switch will forward all broadcasts to every connected segment by default.

All devices that the broadcast is forwarded to are considered to be in the same broadcast domain. This can be a problem; Layer 2 devices propagate Layer 2 broadcast storms that choke performance, and the only way to stop a broadcast storm from propagating through an internetwork is with a Layer 3 device—a router.

The biggest benefit of using switches instead of hubs in your internetwork is that each switch port is actually its own collision domain. (Conversely, a hub creates one large collision domain.) But even armed with a switch, you still can’t break up broadcast domains. Neither switches nor bridges will do that.
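The transparent bridging behaviour just described (learn the source address into the filter table, forward only to the destination's segment, block a frame whose destination shares the sender's segment, flood unknown destinations, flood broadcasts) as an added example that is not from the book; the port numbers, host names, and MAC addresses are constructed for the demonstration.

```python
"""
Added example (not from the book): a simulation of the transparent bridging
behaviour the chapter describes for Layer 2 switches and bridges. The device
learns each frame's source hardware address into its filter table together with
the receiving port, forwards a known unicast frame only to the segment holding
the destination, filters a frame whose destination sits on the receiving
segment, floods a frame for an unknown destination, and floods broadcasts out
every other port. The port numbers and MAC addresses below are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "00:00:5e:00:53:0a"   # constructed addresses (documentation range)
MAC_B = "00:00:5e:00:53:0b"
MAC_C = "00:00:5e:00:53:0c"


class LearningSwitch:
    """A Layer 2 device with a filter table mapping hardware address -> port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.filter_table = {}

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return (action, egress ports)."""
        if in_port not in self.ports:
            raise ValueError(f"no such port: {in_port}")
        # Learning: the source address tells the switch which port leads to src.
        self.filter_table[src] = in_port
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            # Broadcasts go to every connected segment: the switch does not
            # break up the broadcast domain.
            return "flood-broadcast", others
        port = self.filter_table.get(dst)
        if port is None:
            # Unknown destination: forward to all other segments and wait for
            # the reply to teach the switch where that device lives.
            return "flood-unknown", others
        if port == in_port:
            # Destination is on the same segment as the sender (for example
            # both hang off a hub on that port), so the frame is not forwarded.
            return "filter", []
        # Known destination on another segment: forward only there.
        return "forward", [port]


def run_scenario():
    """Replay the chapter's 'mystery frame' exchange.

    Port 1 carries a hub with hosts A and C; host B sits alone on port 3;
    ports 2 and 4 have no known hosts. Returns the trace and the final table."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    trace = [
        sw.receive(1, MAC_A, MAC_B),      # B unknown: flooded to 2, 3, 4
        sw.receive(3, MAC_B, MAC_A),      # reply: A already known on port 1
        sw.receive(1, MAC_A, MAC_B),      # B now known: port 3 only
        sw.receive(1, MAC_C, MAC_A),      # A shares C's segment: filtered
        sw.receive(3, MAC_B, BROADCAST),  # broadcast: every port but 3
    ]
    return trace, dict(sw.filter_table)


if __name__ == "__main__":
    for step, (action, ports) in enumerate(run_scenario()[0], 1):
        print(f"frame {step}: {action:15s} -> ports {ports}")
```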
They’ll typically simply forward all broadcasts instead. Another benefit of LAN switching over hub-centered implementations is that each device on every segment plugged into a switch can transmit simultaneously—at least they can as long as there is only one host on each port and a hub isn’t plugged into a switch port. As you might have guessed, hubs allow only one device per network segment to communicate at a time.

Hubs at the Physical Layer

As you know, a hub is really a multiple-port repeater. A repeater receives a digital signal, reamplifies or regenerates that signal, and then forwards the digital signal out all active ports without looking at any data. An active hub does the same thing. Any digital signal received from a segment on a hub port is regenerated or reamplified and transmitted out all ports on the hub. This means all devices plugged into a hub are in the same collision domain as well as in the same broadcast domain. Figure 5.30 shows a hub in a network.

FIGURE 5.30 A hub in a network (Figure notes: All devices are in the same collision domain. All devices are in the same broadcast domain. Devices share the same bandwidth.)

Hubs, like repeaters, don’t examine any of the traffic as it enters and is then transmitted out to the other parts of the physical media. Every device connected to the hub, or hubs, must listen if a device transmits. A physical star network—where the hub is a central device and cables extend in all directions out from it—is the type of topology a hub creates. Visually, the design really does resemble a star, whereas Ethernet networks run a logical bus topology, meaning that the signal has to run through the network from end to end.

Hubs and repeaters can be used to enlarge the area covered by a single LAN segment, although I do not recommend this. LAN switches and/or wireless APs are affordable for almost every situation.
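Pulling together the collision-domain and broadcast-domain rules from this section (a hub joins its segments into one collision domain, a bridge or switch ends collision domains per port but passes broadcasts, a router ends both per interface), here is an added example, not from the book, that counts domains for a described topology. The Figure 5.26 model assumes two hosts on each of the top hubs, one on each of the bottom hubs, and four hosts on the switch, which matches the chapter's count of nine collision domains and three broadcast domains; device names are constructed.

```python
"""
Added example (not from the book): counting collision and broadcast domains
with union-find over cable segments, using the rules stated in the chapter:
  - a hub (repeater) joins every segment on its ports into one collision
    domain and does nothing about broadcasts;
  - a bridge or switch ends the collision domain on every port but still
    forwards broadcasts, so its ports share one broadcast domain;
  - a router ends both the collision domain and the broadcast domain on every
    interface.
Device names and host counts below are constructed for the example.
"""
from collections import defaultdict

# Device kinds that merge the segments on their ports into one domain.
MERGES_COLLISION = {"hub"}
MERGES_BROADCAST = {"hub", "bridge", "switch"}


class DisjointSet:
    """Minimal union-find over hashable items."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def count_domains(devices, links):
    """devices: {name: kind}; links: list of (name, name) cables.

    Returns (collision_domains, broadcast_domains)."""
    by_device = defaultdict(list)
    for link in links:
        for end in link:
            if end not in devices:
                raise ValueError(f"unknown device {end!r}")
            by_device[end].append(link)

    def count(merging_kinds):
        ds = DisjointSet()
        for link in links:
            ds.find(link)                  # register every segment
        for name, segs in by_device.items():
            if devices[name] in merging_kinds:
                for seg in segs[1:]:
                    ds.union(segs[0], seg)
        return len({ds.find(link) for link in links})

    return count(MERGES_COLLISION), count(MERGES_BROADCAST)


def figure_5_26():
    """Topology as the chapter describes Figure 5.26: a router whose three
    interfaces lead to (1) a bridge joining two hubs, (2) three chained hubs,
    and (3) a LAN switch with hosts on its remaining ports."""
    devices = {"R": "router", "B": "bridge", "S": "switch",
               "H1": "hub", "H2": "hub", "H3": "hub", "H4": "hub", "H5": "hub"}
    links = [("R", "B"), ("R", "H3"), ("R", "S"),
             ("B", "H1"), ("B", "H2"),            # top: bridge with two hubs
             ("H3", "H4"), ("H4", "H5")]          # bottom: daisy-chained hubs
    hosts = {"H1": 2, "H2": 2, "H3": 1, "H4": 1, "H5": 1, "S": 4}  # assumed
    for attach, n in hosts.items():
        for i in range(n):
            pc = f"pc_{attach}_{i}"
            devices[pc] = "host"
            links.append((attach, pc))
    return count_domains(devices, links)


def four_hubs(with_switch):
    """The sidebar scenario: four hubs of ten users each, either chained
    together or each plugged into its own switch port (servers left out)."""
    devices = {f"H{i}": "hub" for i in range(4)}
    links = []
    for i in range(4):
        for u in range(10):
            devices[f"u{i}_{u}"] = "host"
            links.append((f"H{i}", f"u{i}_{u}"))
    if with_switch:
        devices["S"] = "switch"
        links += [("S", f"H{i}") for i in range(4)]
    else:
        links += [(f"H{i}", f"H{i + 1}") for i in range(3)]
    return count_domains(devices, links)


if __name__ == "__main__":
    print("Figure 5.26 (collision, broadcast):", figure_5_26())   # (9, 3)
    print("four hubs chained:", four_hubs(False))                 # (1, 1)
    print("hubs into one switch:", four_hubs(True))               # (4, 1)
```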
Environmental Considerations

All of the equipment discussed in this chapter—switches, routers, hubs, and so on—require proper environmental conditions to operate correctly. These devices have the same needs as any computing device. These environmental concerns can be categorized thusly:

Temperature
Like any device with a CPU, infrastructure devices such as routers, switches, and specialty appliances must have a cool area to operate. When temperatures rise, servers start rebooting and appliance CPUs start overworking as well. The room(s) where these devices are located should be provided with heavy-duty HVAC systems and ample ventilation. It may even be advisable to dedicate a suite for this purpose and put the entire system on a UPS with a backup generator in the case of a loss of power.

Humidity
The air around these systems can be neither too damp nor too dry; it must be “just right.” If it is too dry, static electricity will build up in the air, making the situation ripe for damaging a system. It takes very little static electricity to fry some electrical components. If it is too damp, connections start corroding and shorts begin to occur. A humidifying system should be used to maintain the level above 50 percent. The air conditioning should keep it within acceptable levels on the upper end.

Summary

Whew, this chapter covered quite a bit of information. You learned the difference between a router, a switch (bridge), and a hub and when to use each one. I also covered some devices that you might find in a network today, but not as often, such as VPN concentrators and content filters. The information I discussed about DNS and DHCP is critical to your success on the Network+ objectives, and I highly suggest that you reread those sections. I covered how both the DNS and DHCP services work on a network.
In addition to the most common devices, I discussed the specialized network devices mentioned in the Network+ objectives. I finished the chapter by discussing collision and broadcast domains in detail as well as how you would use a router, switch, and hub in your networks today. All of the information in this chapter is fundamental, and you must understand it before moving on to the other chapters in this book.

Exam Essentials

Understand how DHCP works and its purpose. Dynamic Host Configuration Protocol (DHCP) provides IP configuration information to hosts. It is important to know how a DHCP client requests information from a server, how a server receives this information, and also how the server responds to the client and with what type of information.

Understand how DNS works and its purpose. Domain Name Service (DNS) is used to resolve human names to IP addresses. Understanding how DNS resolves these names is critical, as is understanding how a DNS query is sent and how a DNS server responds.

Understand the difference between a hub, a switch (bridge), and a router. A hub just connects network segments together. A switch/bridge segments the network using MAC addresses, and a router segments the network using logical addressing (IP and IPv6). Switches break up collision domains, and routers break up broadcast domains by default.

Remember the different names for a router. A router is a Layer 3 hardware device, but it can also be called a Layer 3 switch or a multilayer switch.

Remember the various devices used on networks today and when you would use each one and how. Understand the differences and how each device works: routers, switches, hubs, DNS servers, and DHCP servers.

Identify the purpose, benefits, and characteristics of using a proxy service. A proxy server keeps a LAN somewhat separated from the Internet. Doing so increases security and filtering control, and has the tendency to speed up Internet access through caching of recently used web pages.
Describe the proper use of network segmentation when planning and implementing a basic SOHO network. Understand and apply the concepts of proper network segmentation when planning the use of various devices in the design of a SOHO network.

Describe the benefits of using dedicated appliances for certain services. Using appliances to offload functions such as encryption, content filtering, and VPN concentration can decrease the workload of other systems and add functionality that may be present in these dedicated devices.

Identify the environmental requirements of infrastructure devices. A cool temperature, ample ventilation, and the proper humidity level are all key to maintaining the operation of devices like routers, switches, and appliances.

Written Lab

Complete the table by filling in the appropriate layer of the OSI or hub, switch, or router device. You can find the answers in Appendix A.

Description | Device or OSI layer
This device sends and receives information about the Network layer. | ______
This layer creates a virtual circuit before transmitting between two end stations. | ______
A Layer 3 switch or multilayer switch. | ______
This device uses hardware addresses to filter a network. | ______
Ethernet is defined at these layers. | ______
This layer supports flow control and sequencing. | ______
This device can measure the distance to a remote network. | ______
Logical addressing is used at this layer. | ______
Hardware addresses are defined at this layer. | ______
This device creates one big collision domain and one large broadcast domain. | ______
This device creates many smaller collision domains, but the network is still one large broadcast domain. | ______
This device can never run full duplex. | ______
This device breaks up collision domains and broadcast domains. | ______

Review Questions

You can find the answers in Appendix B.

1. Which of the following is not a term used when making SOHO Internet connections?
A. Hub
B. Repeater
C. NIC
D. Switch

2. What advantage does a switch have over a hub?
A. It discards frames.
B. Transmissions received on one port will be sent out all the other ports.
C. It recognizes frame boundaries and destination MAC addresses of incoming frames.
D. Any two or more devices the switch connects are capable of causing a collision with each other.

3. Which device is used to segment a network?
A. Hub
B. Switch
C. Repeater
D. All of the above

4. What is the primary function of a bridge?
A. Breaks up collision domains
B. Allows a NIC or other networking device to connect to a different type of media than it was designed for
C. Allows mobile users to connect to a wired network wirelessly
D. None of the above

5. A network device that is used to connect multiple devices together without segmenting a network is a ______.
A. Hub
B. Wireless access point
C. Switch
D. Router

6. Which of the following is among the benefits of a switch?
A. Protects LAN resources from attackers on the Internet
B. Provides extra bandwidth
C. Reduces throughput
D. Allows access to all computers on a LAN

7. Which of the following devices can work at both Layers 2 and 3 of the OSI model?
A. Hub
B. Switch
C. Multilayer switch
D. Bridge

8. What is an advantage of using DHCP in a network environment?
A. More difficult administration of the network
B. Static IP addressing
C. Can send an operating system for the PC to boot from
D. Assigns IP address to hosts

9. What is a benefit of a multilayer switch (MLS) over a Layer 2 switch?
A. Less bandwidth
B. Routing functions
C. Fewer features
D. Fewer ports

10. Which device should be used if you need to send incoming packets to one or more machines that are hidden behind a single IP address?
A. Switch
B. Load balancer
C. Hub
D. Repeater

11. What role does the A record in a Domain Name Service (DNS) server have in your network?
A. Translates human name to IP address
B. Translates IP address to human name
C. Enables printing, copying, and faxing from one device
D. Controls network packets to optimize performance

12. Which device does not aid in network segmentation?
A. Router
B. Switch
C. Hub
D. Bridge

13. What is the most common use for a web proxy?
A. Web cache
B. Increases throughput
C. DHCP services
D. Supports user authentication

14. Which is not an advantage of network segmentation?
A. Reduced congestion
B. Improved security
C. Containing network problems
D. Preventing broadcast storms

15. Users arrive at the office after a weekend and the hosts that were shut down over the weekend are restarted but cannot access the LAN or Internet. Hosts that were not shut down are working fine. Where can the problem be?
A. The DNS server
B. The DHCP server
C. The proxy server
D. The firewall

16. You need a device that can prevent your users from accessing certain websites. Which device should you install?
A. Firewall
B. IDS
C. IPS
D. Proxy server

17. Which device creates separate collision domains and a single broadcast domain?
A. Hub
B. Router
C. Switch
D. Modem

18. Which of the following is not an advantage of using appliances to offload services like encryption and content filtering?
A. Less expensive
B. Takes load off other devices
C. Additional functionality
D. Better performance

19. Which type of server in your network uses pointer and A records?
A. NAT translation server
B. IPS/IDS server
C. DNS server
D. Proxy server

20. Users on your network are saturating your bandwidth because they are using too many non-work-related sites. What device would limit the availability of the types of sites that users on a LAN have access to while providing granular control over the traffic between the local LAN and the Internet?
A. Switch
B. DHCP server
C. DNS server
D. Proxy server

Chapter 6
Introduction to the Internet Protocol

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 5.2 Explain the basics of network theory and concepts
■ TCP/IP suite
■ ICMP
■ UDP
■ TCP

✓ 5.9 Compare and contrast the following ports and protocols
■ 80 HTTP
■ 443 HTTPS
■ 137-139 Netbios
■ 110 POP
■ 143 IMAP
■ 25 SMTP
■ 5060/5061 SIP
■ 2427/2727 MGCP
■ 5004/5005 RTP
■ 1720 H.323
■ TCP
■ Connection-oriented
■ UDP
■ Connectionless

c06.indd 04/02/2015 Page 171

✓ 5.10 Given a scenario, configure and apply the appropriate ports and protocols
■ 20,21 FTP
■ 161 SNMP
■ 22 SSH
■ 23 Telnet
■ 53 DNS
■ 67,68 DHCP
■ 69 TFTP
■ 445 SMB
■ 3389 RDP

✓ 3.0 Network security

✓ 3.2 Compare and contrast common network vulnerabilities and threats
■ Vulnerabilities
■ Unsecure protocols
■ TELNET
■ HTTP
■ SLIP
■ FTP
■ TFTP
■ SNMPv1 and SNMPv2

✓ 3.3 Given a scenario, implement network hardening techniques
■ Use secure protocols
■ SSH
■ SNMPv3
■ TLS/SSL
■ SFTP
■ HTTPS

The Transmission Control Protocol/Internet Protocol (TCP/IP) suite was created by the Department of Defense (DoD) to ensure and preserve data integrity as well as to maintain communications in the event of catastrophic war. So it follows that if designed and implemented correctly, a TCP/IP network can truly be a solid, dependable, and resilient network solution.

In this chapter, I’ll cover the protocols of TCP/IP. I’ll begin by covering the DoD’s version of TCP/IP and then compare this version and its protocols with the OSI reference model discussed in Chapter 2, “The Open Systems Interconnection Specifications.” After going over the various protocols found at each layer of the DoD model, I’ll finish the chapter by adding more detail to the explanation of data encapsulation that I started in Chapter 2.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Introducing TCP/IP

Because TCP/IP is so central to working with the Internet and intranets, it’s essential for you to understand it in detail. I’ll begin by giving you some background on TCP/IP and how it came about, and then move on to describe the important technical goals defined by the original designers. After that, you’ll find out how TCP/IP compares to a theoretical model—the Open Systems Interconnection (OSI) model.

A Brief History of TCP/IP

The very first Request for Comments (RFC) was published in April 1969, which paved the way for today’s Internet and its protocols. Each of these protocols is specified in the multitude of RFCs, which are observed, maintained, sanctioned, filed, and stored by the Internet Engineering Task Force (IETF).

TCP first came on the scene in 1974. In 1978, it was divided into two distinct protocols, TCP and IP, and finally documented into an RFC in 1980. Then, in 1983, TCP/IP replaced the Network Control Protocol (NCP) and was authorized as the official means of data transport for anything connecting to ARPAnet. ARPAnet was the Internet’s ancestor, created by ARPA, the DoD’s Advanced Research Projects Agency, again, way back in 1969 in reaction to the Soviet’s launching of Sputnik. ARPA was soon redubbed DARPA, and it was divided into ARPAnet and MILNET (also in 1983); both were finally dissolved in 1990.

But contrary to what you might think, most of the development work on TCP/IP happened at UC Berkeley in Northern California, where a group of scientists were simultaneously working on the Berkeley version of Unix, which soon became known as the BSD, or the Berkeley Software Distribution series of Unix versions.
Of course, because TCP/IP worked so well, it was packaged into subsequent releases of BSD Unix and offered to other universities and institutions if they bought the distribution tape. Basically, BSD Unix bundled with TCP/IP began as shareware in the world of academia and, as a result, became the basis of the huge success and exponential growth of today’s Internet as well as smaller, private, and corporate intranets.

As usual, what may have started as a small group of TCP/IP aficionados evolved, and as it did, the US government created a program to test any new published standards and make sure they passed certain criteria. This was to protect TCP/IP’s integrity and to ensure that no developer changed anything too dramatically or added any proprietary features. It’s this very quality—this open-systems approach to the TCP/IP family of protocols—that pretty much sealed its popularity because it guarantees a solid connection between myriad hardware and software platforms with no strings attached.

TCP/IP and the DoD Model

The DoD model is basically a condensed version of the OSI model; it’s composed of four, instead of seven, layers:
■ Process/Application layer
■ Host-to-Host layer
■ Internet layer
■ Network Access layer

Figure 6.1 shows a comparison of the DoD model and the OSI reference model. As you can see, the two are similar in concept, but each has a different number of layers with different names. When the different protocols in the IP stack are discussed, two layers of the OSI and DoD models are interchangeable. In other words, the Internet layer and the Network layer describe the same thing, as do the Host-to-Host layer and the Transport layer. The other two layers of the DoD model, Process/Application and Network Access, are composed of multiple layers of the OSI model.
A vast array of protocols operate at the DoD model’s Process/Application layer to integrate the various activities and duties spanning the focus of the OSI’s corresponding top three layers (Application, Presentation, and Session). We’ll be looking closely at those protocols in the next part of this chapter. The Process/Application layer defines protocols for node-to-node application communication and also controls user-interface specifications.

FIGURE 6.1 The DoD and OSI models
DoD Model | OSI Model
Process/Application | Application, Presentation, Session
Host-to-Host | Transport
Internet | Network
Network Access | Data Link, Physical

The Host-to-Host layer parallels the functions of the OSI’s Transport layer, defining protocols for setting up the level of transmission service for applications. It tackles issues such as creating reliable end-to-end communication and ensuring the error-free delivery of data. It handles packet sequencing and maintains data integrity.

The Internet layer corresponds to the OSI’s Network layer, designating the protocols relating to the logical transmission of packets over the entire network. It takes care of the logical addressing of hosts by giving them an IP address, and it handles the routing of packets among multiple networks.

At the bottom of the DoD model, the Network Access layer monitors the data exchange between the host and the network. The equivalent of the Data Link and Physical layers of the OSI model, the Network Access layer oversees hardware addressing and defines protocols for the physical transmission of data.

The DoD and OSI models are alike in design and concept, and have similar functions in similar layers. Figure 6.2 shows the TCP/IP protocol suite and how its protocols relate to the DoD model layers.
FIGURE 6.2 The TCP/IP protocol suite
Process/Application: Telnet, FTP, LPD, SNMP, TFTP, SMTP, NFS, X Window
Host-to-Host: TCP, UDP
Internet: ICMP, ARP, RARP, IP
Network Access: Ethernet, Fast Ethernet, Gigabit Ethernet, Wireless/802.11

We’ll now look at the different protocols in more detail, starting with the Process/Application layer protocols.

The Process/Application Layer Protocols

In the following sections, I’ll describe the different applications and services typically used in IP networks and list their associated port numbers as well, which are discussed in detail in this chapter.

Telnet (23)

Telnet is the chameleon of protocols—its specialty is terminal emulation. It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server. Telnet achieves this by pulling a fast one on the Telnet server and making the client machine appear as though it were a terminal directly attached to the local network. This projection is actually a software shell—a virtual terminal that can interact with the chosen remote host. These emulated terminals are of the text-mode type and can execute refined procedures such as displaying menus that give users the opportunity to choose options and access the applications on the duped server. Users begin a Telnet session by running the Telnet client software and then logging into the Telnet server. Telnet offers no security or encryption and is replaced by Secure Shell (SSH) when security across the remote-configuration session is needed or desired.

File Transfer Protocol (20, 21)

File Transfer Protocol (FTP) is the protocol that actually lets you transfer files across an IP network, and it can accomplish this between any two machines that are using it. But FTP isn’t just a protocol; it’s also a program. Operating as a protocol, FTP is used by applications.
As a program, it's employed by users to perform file tasks by hand. FTP also allows for access to both directories and files and can accomplish certain types of directory operations, such as relocating files into different directories. Accessing a host through FTP is only the first step, though. Users must then authenticate, normally with a username and password that the system administrator has set up to restrict access. You can get around this somewhat by adopting the username anonymous, although what you'll gain access to will be limited. Even when employed by users manually as a program, FTP's functions are limited to listing and manipulating directories, typing file contents, and copying files between hosts. It can't execute remote files as programs. Port 21 carries the control connection, where commands and credentials travel; port 20 is the server's data port in active mode. The problem with FTP is that everything, the username and password included, is sent in cleartext, just as with Telnet. If you need to make sure your FTP transfers are secure, you'll use SFTP.

Secure File Transfer Protocol (22)

Secure File Transfer Protocol (SFTP), more precisely the SSH File Transfer Protocol, is used when you need to transfer files over an encrypted connection. It runs inside an SSH session (more on SSH later), which encrypts and authenticates the connection; SSH uses port 22, hence port 22 for SFTP. Apart from the secure part, it's used just as FTP is: for transferring files between computers on an IP network, such as the Internet. Note that SFTP is not FTP wrapped in encryption; it's a different protocol that happens to do the same job.

Trivial File Transfer Protocol (69)

Trivial File Transfer Protocol (TFTP) is the stripped-down, stock version of FTP, but it's the protocol of choice if you know exactly what you want and where to find it. Plus it's easy to use, and it's fast, too! It doesn't give you the abundance of functions that FTP does, though. TFTP has no directory-browsing abilities; it can do nothing but send and receive files.
This compact little protocol also skimps in the data department, sending much smaller blocks of data than FTP, and it has no authentication at all, not even FTP's username and password, so it's insecure: anyone who can reach the port can read, and often overwrite, whatever the server serves. Few sites support it because of the inherent security risks.

When Should You Use FTP?

The folks at your San Francisco office need a 50MB file emailed to them right away. What do you do? Most email servers would reject the email because they have size limits, and most ISPs won't accept attachments larger than 10MB. Even if there's no size limit on the server, it would still take a while to send a file this big. FTP to the rescue! If you need to give someone a large file or you need to get a large file from someone, FTP is a nice choice. Smaller files (less than 10MB) can be sent via email if you have the bandwidth (who doesn't these days?), even if they're compressed. To use FTP, you'll need to set up an FTP server on the Internet so that the files can be shared. FTP is also faster than email for moving large files, and because it uses TCP and is connection-oriented, if the session dies, FTP can sometimes pick up where it left off. Try that with your email client! Remember, though, what the previous section said: plain FTP sends credentials and file contents in cleartext, so for anything sensitive that server should be speaking SFTP.

Simple Mail Transfer Protocol (25)

Simple Mail Transfer Protocol (SMTP), answering our ubiquitous call to email, uses a spooled, or queued, method of mail delivery. Once a message has been sent to a destination, the message is spooled to a device, usually a disk. The server software at the destination posts a vigil, regularly checking the queue for messages. When it detects them, it proceeds to deliver them to their destination. SMTP is used to send mail; POP3 is used to receive mail.

Post Office Protocol (110)

Post Office Protocol (POP) gives us a storage facility for incoming mail, and the latest version is called POP3 (sound familiar?).
Basically, how this protocol works is that when a client device connects to a POP3 server, messages addressed to that client are released for downloading. It doesn't allow messages to be downloaded selectively, but once they are, the client-server interaction ends and you can delete and tweak your messages locally at will. A newer standard, IMAP, is being used more and more in place of POP3. Why?

Internet Message Access Protocol, Version 4 (143)

Because Internet Message Access Protocol (IMAP) gives you control over how you download your mail, and with it you also gain some much-needed security. It lets you peek at the message header or download just a part of a message, so you can nibble at the bait instead of swallowing it whole and then choking on the hook hidden inside! With it, you can choose to store messages on the email server hierarchically and link to documents and user groups, too. IMAP even gives you search commands to hunt for messages based on their subject, header, or content. As you can imagine, it has some serious authentication features; among other mechanisms, it supports the Kerberos authentication scheme that MIT developed. And yes, IMAP4 is the current version. Like POP3 and SMTP, though, IMAP on its own sends passwords in cleartext unless the session is wrapped in TLS (see the TLS/SSL section below).

Remote Desktop Protocol (3389)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft. It allows you to connect to another computer and run programs. RDP operates somewhat like Telnet, except instead of getting a command-line prompt as you do with Telnet, you get the actual graphical user interface (GUI) of the remote computer. Clients exist for most versions of Windows, and Microsoft publishes an RDP client for macOS as well. Microsoft currently calls its official RDP server software Remote Desktop Services; it was called Terminal Services for a while. Because a successful logon hands over the entire desktop, RDP is a favorite target for password guessing and should not be reachable directly from the Internet.
Microsoft's official client software is currently referred to as Remote Desktop Connection, which was called Terminal Services Client in the past. RDP is an excellent tool for remote clients, allowing them to connect to their work computer from home, for example, and get their email or perform work in other applications without running or installing any of the software on their home computer.

Transport Layer Security/Secure Sockets Layer (995/465)

Both Transport Layer Security (TLS) and its forerunner, Secure Sockets Layer (SSL), are cryptographic protocols that come in really handy for enabling secure online data-transfer activities like browsing the Web, instant messaging, Internet faxing, and so on. They're so similar in design that it's not within the scope of this book to detail the differences between them, but one difference matters in practice: every version of SSL is deprecated and should be disabled, and TLS is what you run today, even though people still say "SSL" out of habit. They both use X.509 certificates and asymmetric cryptography to authenticate the host they are communicating with and to exchange a key. This key is then used to encrypt data flowing between the hosts. This allows for data/message confidentiality, message integrity, and message authentication. Even though I listed TLS/SSL as using ports 995 and 465, those are really the ports for POP3 over TLS (POP3S) and SMTP over TLS (SMTPS), which is how Gmail exposes them (IMAP over TLS uses 993). TLS/SSL isn't tied down to any particular port and protects many different ones; 443 for HTTPS is the best known.

SIP (VoIP) (5060/5061)

Session Initiation Protocol (SIP) is a hugely popular signaling protocol used to construct and deconstruct multimedia communication sessions for many things like voice and video calls, videoconferencing, streaming multimedia distribution, instant messaging, presence information, and online games over the Internet. Port 5060 is the cleartext port; 5061 is SIP over TLS.

RTP (VoIP) (5004/5005)

Real-time Transport Protocol (RTP) describes a packet-formatting standard for delivering audio and video over the Internet. Although initially designed as a multicast protocol, it's now used for unicast applications, too.
It's commonly employed for streaming media, videoconferencing, and push-to-talk systems, all things that make it a de facto standard in Voice over IP (VoIP) industries.

MGCP (Multimedia) (2427/2727)

Media Gateway Control Protocol (MGCP) is a standard protocol for handling the signaling and session management needed during a multimedia conference. The protocol defines a means of communication between a media gateway, which converts data from the format required for a circuit-switched network to that required for a packet-switched network, and the media gateway controller. MGCP can be used to set up, maintain, and terminate calls between multiple endpoints.

H.323 (Video) (1720)

H.323 is a protocol that provides a standard for video on an IP network that defines how real-time audio, video, and data information is transmitted. This standard provides signaling, multimedia, and bandwidth control mechanisms. H.323 uses the RTP standard for communication.

Simple Network Management Protocol (161)

Simple Network Management Protocol (SNMP) collects and manipulates valuable network information. It gathers data by polling the devices on the network from a management station at fixed or random intervals, requiring them to disclose certain information. When all is well, SNMP receives something called a baseline, a report delimiting the operational traits of a healthy network. This protocol can also stand as a watchdog over the network, quickly notifying managers of any sudden turn of events. The network watchdogs are called agents, and when aberrations occur, agents send an alert called a trap to the management station (agents listen on UDP port 161; traps are sent to the manager on UDP port 162). In addition, SNMP can help simplify the process of setting up a network as well as the administration of your entire internetwork.

SNMP Versions 1, 2, and 3

SNMP versions 1 and 2 are pretty much obsolete. This doesn't mean you won't see them in a network at some time, but v1 is super old and, well, outdated. SNMPv2 provided improvements, especially in performance.
But one of the best additions was GETBULK, which allowed a host to retrieve a large amount of data at once. However, v2 never really caught on in the networking world. SNMPv3 is now the standard and uses both TCP and UDP, unlike v1, which used only UDP. Version 3 added message integrity, authentication, and encryption. So, be careful when running SNMPv1 and v2: their only "authentication" is a community string that travels in cleartext, so anyone with a packet sniffer on the path can read the management data and, if they capture the read-write community string, reconfigure the device.

Secure Shell (22)

Secure Shell (SSH) protocol sets up a secure Telnet-style session over a standard TCP/IP connection and is employed for doing things like logging into other systems, running programs on remote systems, and moving files from one system to another. And it does all of this while maintaining a nice, strong, encrypted connection. You can think of it as the new-generation protocol that's now used in place of rsh and rlogin, and even Telnet.

Hypertext Transfer Protocol (80)

All those snappy websites comprising a mélange of graphics, text, links, and so on: the Hypertext Transfer Protocol (HTTP) is making it all possible. It's used to manage communications between web browsers and web servers, and opens the right resource when you click a link, wherever that resource may actually reside.

Hypertext Transfer Protocol Secure (443)

Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over TLS, which arms you with a whole bunch of security tools for keeping transactions between a web browser and a server secure. It's what your browser needs to fill out forms, sign in, authenticate, and encrypt an HTTP message when you make a reservation or buy something online. Both SSH (port 22) and HTTPS (port 443) are used to encrypt traffic over your intranet and the Internet.
Network Time Protocol (123)

Kudos to Professor David Mills of the University of Delaware for coming up with this handy protocol that's used to synchronize the clocks on our computers to one standard time source (typically, an atomic clock). Network Time Protocol (NTP) works in conjunction with other synchronization utilities to ensure that all computers on a given network agree on the time. This may sound pretty simple, but it's very important because so many of the transactions done today are time- and date-stamped. Think about your precious databases, for one. It can mess up a server pretty badly if it's out of sync with the machines connected to it, even by mere seconds (think crash!). You can't have a transaction entered by a machine at, say, 1:50 a.m. when the server records that transaction as having occurred at 1:45 a.m. The same goes for correlating log entries across systems during an incident; if the clocks disagree, so do the timelines. So basically, NTP works to prevent "back to the future sans DeLorean" from bringing down the network. Very important indeed!

Lightweight Directory Access Protocol (389)

If you're the system administrator of any decent-sized network, odds are you have a type of directory in place that keeps track of all your network resources, such as devices and users. But how do you access those directories? Through the Lightweight Directory Access Protocol (LDAP), that's how. This protocol standardizes how you access directories, and its first and second inceptions are described in RFCs 1487 and 1777, respectively. There were a few glitches in those two earlier versions, so a third version, the one most commonly used today, was created to address those issues and is described in RFC 3377. Like the other cleartext protocols in this chapter, plain LDAP on port 389 sends simple binds (username and password) unencrypted, so production directories wrap it in TLS.

Internet Group Management Protocol

Internet Group Management Protocol (IGMP) is the TCP/IP protocol used for managing IP multicast sessions. It accomplishes this by sending out unique IGMP messages over the network to reveal the multicast-group landscape and to find out which hosts belong to which multicast group.
The host machines in an IP network also use IGMP messages to join a group and to leave it, too. IGMP messages come in seriously handy for tracking group memberships as well as active multicast streams. IGMP works at the Network layer and doesn't use port numbers, the same as our next one: SLIP.

Serial Line IP

Serial Line IP (SLIP) is a protocol created alongside the IP protocol stack and designed to work over serial ports and modem connections. It's also completely outdated, so I'm not sure why it's listed on the exam objectives. From the 1980s through the early 1990s, we used SLIP with our modem configurations. It was not compatible with DHCP, so everything was statically configured and assigned. SLIP has been completely replaced by the Point-to-Point Protocol (PPP), which is better engineered, has more features, and does not require a static IP address configuration.

NetBIOS (137–139)

Network Basic Input/Output System (NetBIOS) works only in the upper layers of the OSI model and provides an interface that lets applications on separate computers communicate over a network. It was first created in the early 1980s to work on an IBM LAN and was proprietary. Microsoft and Novell both created NetBIOS implementations to allow their hosts to communicate with their servers, but Microsoft's version became the de facto standard. NetBIOS over TCP/IP uses UDP port 137 (name service), UDP port 138 (datagram service), and TCP port 139 (session service).

Server Message Block (445)

Server Message Block (SMB) is used for sharing access to files and printers and other communications between hosts on a Microsoft Windows network. Modern SMB runs directly over TCP port 445; older implementations ran SMB on top of NetBIOS, using UDP ports 137 and 138 and TCP port 139.

Domain Name Service (53)

Domain Name Service (DNS) resolves hostnames, specifically Internet names such as www.lammle.com, to their corresponding IP addresses. You don't have to use DNS; you can just type in the IP address of any device you want to communicate with. An IP address identifies hosts on a network and the Internet as well. However, DNS was designed to make our lives easier.
Think about this: What would happen if you wanted to move your web page to a different service provider? The IP address would change, and no one would know what the new one was. DNS allows you to use a domain name to specify an IP address. You can change the IP address as often as you want and no one will know the difference.

DNS is used to resolve a fully qualified domain name (FQDN), for example, www.lammle.com or todd.lammle.com, to an IP address. An FQDN, or DNS namespace, is a hierarchy that can logically locate a system based on its domain identifier. If you want to resolve the name todd, you must either type in the FQDN of todd.lammle.com or have a device, such as a PC or router, add the suffix for you. For example, on a Cisco router, you can use the command ip domain-name lammle.com to append the lammle.com domain to each request. If you don't do that, you'll have to type in the FQDN to get DNS to resolve the name.

An important thing to remember about DNS is that if you can ping a device by IP address but can't reach it by its FQDN, you probably have some type of DNS configuration failure.

Dynamic Host Configuration Protocol/Bootstrap Protocol (67/68)

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts with information provided by a server. It allows easier administration and works well in small to even very large network environments. Many types of hardware can be used as a DHCP server, including routers. DHCP differs from Bootstrap Protocol (BootP) in that BootP assigns an IP address to a host, but the host's hardware address must be entered manually in a BootP table. You can think of DHCP as a dynamic BootP. But remember that BootP can also point a diskless host at an operating system image to boot from over the network (the image itself is fetched with TFTP), a capability DHCP retained through its boot-file options.
Please also read the section on DHCP and DNS in Chapter 5, "Networking Devices," if you have not done so; both figure largely in the exam objectives.

There is a lot of information a DHCP server can provide to a host when the host is requesting an IP address from the DHCP server. Here's a partial list of the information a DHCP server can provide:
■ IP address
■ Subnet mask
■ Domain name
■ Default gateway (routers)
■ DNS server addresses
■ Windows Internet Naming Service (WINS) information

A DHCP server can give even more information than this, but the items in the list are the most common.

A client that sends out a DHCP Discover message in order to receive an IP address sends out a broadcast at both Layer 2 and Layer 3. The Layer 2 broadcast is all Fs in hex, which looks like this: FF:FF:FF:FF:FF:FF. The Layer 3 broadcast is 255.255.255.255, the limited broadcast address that means "every host on this network." DHCP is connectionless, which means it uses User Datagram Protocol (UDP) at the Transport layer, also known as the Host-to-Host layer, which we'll talk about next. In case you don't believe me, here's an example of output from my trusty analyzer:

Ethernet II, Src: 192.168.0.3 (00:0b:db:99:d3:5e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)

The Data Link and Network layers are both sending out "all hands" broadcasts saying, "Help, I don't know my IP address!" Figure 6.3 shows the process of a client-server relationship using a DHCP connection.

FIGURE 6.3 DHCP client four-step process

Client  ---- broadcast DHCP Discover ------------>  Server
Client  <--- unicast DHCP Offer -----------------   Server
Client  ---- broadcast DHCP Request ------------->  Server
Client  <--- unicast DHCP Acknowledgment --------   Server

The following is the four-step process a client takes to receive an IP address from a DHCP server:
1. The DHCP client broadcasts a DHCP Discover message looking for a DHCP server (sent to UDP port 67 on the server; the client listens on UDP port 68).
2. The DHCP server that received the DHCP Discover message sends a unicast DHCP Offer message back to the host.
3. The client then broadcasts a DHCP Request message asking for the offered IP address and possibly other information.
4. The server finalizes the exchange with a unicast DHCP Acknowledgment message.

Notice that nothing in this exchange authenticates the server. Any host on the segment that answers a Discover before the real server can hand the client a bogus default gateway or DNS server (a rogue DHCP server), which is why managed switches offer features such as DHCP snooping to restrict which ports may send Offers.

What happens if you have a few hosts connected together with a switch or hub and you don't have a DHCP server? You can add IP information by hand (this is called static IP addressing), or Windows provides what is called Automatic Private IP Addressing (APIPA), a feature of later Windows operating systems. With APIPA, clients can automatically self-configure an IP address and subnet mask (basic IP information that hosts use to communicate, which is covered in detail in Chapter 7, "IP Addressing," and Chapter 8, "IP Subnetting, Troubleshooting IP, and Introduction to NAT") when a DHCP server isn't available. The IP address range for APIPA is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default Class B subnet mask of 255.255.0.0, and no default gateway, so an APIPA host can talk only to other hosts on its own segment. If you have a DHCP server and your host is using an address in this range, it means the DHCP client on your host is not working, or the server is down, or the server can't be reached because of a network issue.

Now, let's take a look at the Transport layer, or what the DoD calls the Host-to-Host layer.

The Host-to-Host Layer Protocols

The main purpose of the Host-to-Host layer is to shield the upper-layer applications from the complexities of the network.
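To make the four-step exchange concrete, here is an added example (not code from the book) that builds and decodes the DHCP messages with the RFC 2131 fixed header and RFC 2132 options, walks Discover, Offer, Request, and Acknowledgment, and finishes with the APIPA check from the paragraph above. The client MAC, transaction ID, and the lease parameters the "server" hands out are constructed for the demonstration, not captured from a network; the client-side check that an Offer matches its own transaction ID and hardware address is the minimal sanity test a real client performs before trusting an answer.

```python
"""Build and decode the messages of the DHCP four-step exchange (RFC 2131/2132).

Added example for the DHCP section; not code from the book. The client MAC,
transaction ID, and the lease the "server" hands out are constructed for
the demonstration, not captured from a real network.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # 236 bytes before the cookie
APIPA = IPv4Network("169.254.0.0/16")


def build_dhcp(msg_type, xid, mac, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Return the raw bytes of one DHCP message."""
    op = BOOTREQUEST if msg_type in (DISCOVER, REQUEST) else BOOTREPLY
    fixed = struct.pack(
        FIXED_HEADER, op, 1, 6, 0,          # htype 1 = Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,                     # secs 0, flags: broadcast bit set
        b"\0" * 4,                          # ciaddr: client has no address yet
        IPv4Address(yiaddr).packed,         # "your" address, filled in by the server
        IPv4Address(siaddr).packed,         # server address
        b"\0" * 4,                          # giaddr: no relay agent
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(raw):
    """Decode the fixed header and the options a client actually uses."""
    f = struct.unpack(FIXED_HEADER, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad magic cookie)")
    msg = {"op": f[0], "xid": f[4], "ciaddr": str(IPv4Address(f[7])),
           "yiaddr": str(IPv4Address(f[8])), "siaddr": str(IPv4Address(f[9])),
           "chaddr": f[11][:f[2]].hex(":")}
    i = 240
    while i < len(raw) and raw[i] != 0xFF:
        code = raw[i]
        if code == 0:                        # pad byte
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            msg["type"] = value[0]
        elif code == 1:
            msg["subnet_mask"] = str(IPv4Address(value))
        elif code in (3, 6):                 # routers / DNS servers: address lists
            key = "routers" if code == 3 else "dns"
            msg[key] = [str(IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]
        elif code == 15:
            msg["domain_name"] = value.decode()
        elif code == 51:
            msg["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code == 54:
            msg["server_id"] = str(IPv4Address(value))
    return msg


def is_apipa(addr):
    """True if a host fell back to 169.254.x.x because no DHCP server answered."""
    return IPv4Address(addr) in APIPA


def run_exchange():
    """Walk the four steps; each side works only from the bytes it received."""
    mac, xid = bytes.fromhex("000bdb99d35e"), 0x3903F326     # constructed values
    lease = [(1, IPv4Address("255.255.255.0").packed),
             (3, IPv4Address("192.168.0.1").packed),
             (6, IPv4Address("192.168.0.1").packed + IPv4Address("192.168.0.53").packed),
             (15, b"lammle.com"), (51, struct.pack("!I", 86400)),
             (54, IPv4Address("192.168.0.1").packed)]
    # 1. Client 0.0.0.0:68 -> 255.255.255.255:67 (Ethernet dst ff:ff:ff:ff:ff:ff)
    discover = build_dhcp(DISCOVER, xid, mac)
    # 2. Server answers the Discover it saw, echoing the client's xid
    seen = parse_dhcp(discover)
    offer = build_dhcp(OFFER, seen["xid"], mac, yiaddr="192.168.0.10",
                       siaddr="192.168.0.1", options=lease)
    # 3. Client checks the Offer is for *its* transaction, then requests it
    got = parse_dhcp(offer)
    if got["xid"] != xid or got["chaddr"] != mac.hex(":"):
        raise ValueError("offer does not match our Discover; ignore it")
    request = build_dhcp(REQUEST, xid, mac, options=[
        (50, IPv4Address(got["yiaddr"]).packed), (54, IPv4Address(got["server_id"]).packed)])
    # 4. Server commits the lease with an Acknowledgment
    ack = build_dhcp(ACK, xid, mac, yiaddr=got["yiaddr"], siaddr=got["siaddr"], options=lease)
    return [parse_dhcp(m) for m in (discover, offer, request, ack)]


if __name__ == "__main__":
    for m in run_exchange():
        print(m["type"], m["op"], m["yiaddr"], m.get("lease_seconds"))
```

Running it prints the four message types (1, 2, 3, 5) with the Discover and Request carrying 0.0.0.0 as "your" address and the Offer and Acknowledgment carrying the leased 192.168.0.10. Feed the parser a packet whose transaction ID or hardware address doesn't match and the client-side check rejects it, which is exactly the check a rogue server on the segment is hoping you skip.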
This layer says to the upper layer, "Just give me your data stream, with any instructions, and I'll begin the process of getting your information ready to send." The following sections describe the two protocols at this layer:
■ Transmission Control Protocol (TCP)
■ User Datagram Protocol (UDP)

In addition, we'll look at some of the key host-to-host protocol concepts as well as the port numbers.

Transmission Control Protocol

Transmission Control Protocol (TCP) takes large blocks of information from an application and breaks them into segments. It numbers and sequences each segment so that the destination's TCP process can put the segments back into the order the application intended. After these segments are sent, TCP (on the transmitting host) waits for an acknowledgment from the receiving end's TCP process, retransmitting those segments that aren't acknowledged.

Remember that in a reliable transport operation, a device that wants to transmit sets up a connection-oriented communication with a remote device by creating a session. The transmitting device first establishes a connection-oriented session with its peer system; that session setup is called a call setup or a three-way handshake. Data is then transferred, and when the transfer is complete, a call termination takes place to tear down the virtual circuit.

TCP is a full-duplex, connection-oriented, reliable, and accurate protocol, but establishing all these terms and conditions, in addition to error checking, is no small task. TCP is very complicated and, not surprisingly, costly in terms of network overhead. And because today's networks are much more reliable than those of yore, this added reliability is often unnecessary.

Because the upper layers just send a data stream to the protocols in the Transport layer, I'll demonstrate how TCP segments a data stream and prepares it for the Internet layer.
When the Internet layer receives the data stream, it routes the segments as packets through an internetwork. The segments are handed to the receiving host's Host-to-Host layer protocol, which rebuilds the data stream to hand to the upper-layer protocols. Figure 6.4 shows the TCP segment format. The figure shows the different fields within the TCP header.

FIGURE 6.4 TCP segment format (bits 0-15 | bits 16-31)

Source Port (16)                                  | Destination Port (16)
Sequence Number (32)
Acknowledgment Number (32)
Header Length (4) | Reserved (6) | Code Bits (6)  | Window (16)
Checksum (16)                                     | Urgent (16)
Options (0 or 32 if any)
Data (varies)

The TCP header is 20 bytes long without options. The Header Length field (also called the data offset) counts 32-bit words, so a header can grow to 60 bytes with options; the figure shows a single 4-byte option word, for 24 bytes. For more detailed information regarding the TCP header, which is beyond the scope of the CompTIA Network+ exam objectives, please see my book CCNA: Cisco Certified Network Associate Study Guide (Sybex, 2013).

User Datagram Protocol

If you were to compare User Datagram Protocol (UDP) with TCP, the former is basically the scaled-down economy model that's sometimes referred to as a thin protocol. Like a thin person on a park bench, a thin protocol doesn't take up a lot of room, or in this case much bandwidth on a network. UDP doesn't offer all the bells and whistles of TCP either, but it does do a fabulous job of transporting information that doesn't require reliable delivery, and it does so using far fewer network resources.

There are some situations in which it would definitely be wise for developers to opt for UDP rather than TCP. Remember the watchdog SNMP up there at the Process/Application layer? SNMP monitors the network, sending intermittent messages and a fairly steady flow of status updates and alerts, especially when running on a large network.
The cost in overhead to establish, maintain, and close a TCP connection for each one of those little messages would reduce what would be an otherwise healthy, efficient network to a dammed-up bog in no time! Another circumstance calling for UDP over TCP is when reliability is already handled at the Process/Application layer. DNS handles its own reliability issues, making the use of TCP both impractical and redundant for ordinary queries. But ultimately, it's up to the application developer to decide whether to use UDP or TCP, not the user who wants to transfer data faster.

UDP does not sequence its datagrams (UDP's name for what TCP calls segments) and doesn't care in which order they arrive at the destination. UDP sends the datagrams off and forgets about them. It doesn't follow through, check up on them, or even allow for an acknowledgment of safe arrival; complete abandonment. Because of this, it's referred to as an unreliable protocol. This doesn't mean that UDP is ineffective, only that it doesn't handle issues of reliability. Because UDP assumes that the application will use its own reliability method, it doesn't use any. This gives an application developer a choice when running the IP stack: TCP for reliability or UDP for faster transfers.

Further, UDP doesn't create a virtual circuit, nor does it contact the destination before delivering information to it. Because of this, it's also considered a connectionless protocol. That same property is what makes UDP services easy to abuse: since no handshake proves the sender owns its source address, a UDP packet can claim any source it likes, which is how reflection attacks against DNS, NTP, and SNMP servers work.

Figure 6.5 clearly illustrates UDP's markedly low overhead as compared to TCP's hungry usage. Look at the figure carefully: can you see that UDP doesn't use windowing or provide for acknowledgments in the UDP header?

FIGURE 6.5 UDP segment (8 bytes; bits 0-15 | bits 16-31)

Source Port (16)      | Destination Port (16)
Length (16)           | Checksum (16)
Data

For more detailed information regarding the UDP header, which is beyond the scope of the CompTIA Network+ exam objectives, please see my book CCNA: Cisco Certified Network Associate Study Guide (Sybex, 2013).
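The two header layouts in Figures 6.4 and 6.5 are easiest to learn by decoding them. Here is an added example (not code from the book) that parses a TCP segment and a UDP datagram from raw bytes, decodes the code bits into flag names, walks the kind/length/value TCP options, and refuses a UDP datagram whose Length field disagrees with the bytes actually received (a truncated or crafted packet that a careless parser would read past). The two sample headers are constructed with struct for the demonstration; they are not captures.

```python
"""Decode TCP and UDP headers from raw bytes (RFC 793 and RFC 768).

Added example for Figures 6.4 and 6.5; not code from the book. The two
sample headers are constructed with struct for the demonstration.
"""
import struct

# The six "code bits" of Figure 6.4, lowest bit first (RFC 793 order).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_tcp(segment):
    """Split a TCP segment into header fields, options, and payload.

    The data offset (Header Length in the figure) counts 32-bit words, so
    20 bytes is the minimum and 60 the maximum; anything else is malformed."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src, dst, seq, ack, offset_reserved, flags, window,
     checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset_reserved >> 4) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError("data offset %d words is invalid" % (offset_reserved >> 4))
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": header_len,
            "flags": {name for bit, name in enumerate(TCP_FLAGS)
                      if flags & (1 << bit)},
            "window": window, "checksum": checksum, "urgent": urgent,
            "options": parse_tcp_options(segment[20:header_len]),
            "payload": segment[header_len:]}


def parse_tcp_options(raw):
    """Options are kind/length/value, except kind 0 (end) and kind 1 (NOP)."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("truncated TCP option kind %d" % kind)
        length = raw[i + 1]
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def parse_udp(datagram):
    """Split a UDP datagram. Length covers the 8-byte header plus payload, so a
    value that disagrees with what's on the wire means a truncated or crafted
    packet; it is rejected rather than read past the buffer."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("UDP length field %d disagrees with %d bytes received"
                         % (length, len(datagram)))
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def sample_syn():
    """Constructed: first packet of a handshake to port 80 carrying an MSS
    option, so the header is 24 bytes (data offset 6 words)."""
    mss = struct.pack("!BBH", 2, 4, 1460)
    return struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 6 << 4, 0x02,
                       65535, 0, 0) + mss


def sample_udp():
    """Constructed: a datagram to port 53 with a 12-byte placeholder payload."""
    payload = b"dns-question"
    return struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    print(parse_tcp(sample_syn()))
    print(parse_udp(sample_udp()))
```

The SYN decodes with flags {"SYN"}, a 24-byte header, and one option (kind 2, MSS 1460); the UDP datagram decodes to ports 53000 to 53 with a Length of 20. Cut the datagram short and parse_udp raises instead of returning a payload shorter than the header promised.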
Key Concepts of Host-to-Host Protocols

Now that you've seen both a connection-oriented (TCP) and a connectionless (UDP) protocol in action, it would be good to summarize the two here. Table 6.1 highlights some of the key concepts that you should keep in mind regarding these two protocols. You should memorize this table.

TABLE 6.1 Key features of TCP and UDP

TCP                       UDP
Sequenced                 Unsequenced
Reliable                  Unreliable
Connection-oriented       Connectionless
Virtual circuit           No virtual circuit
High overhead             Low overhead
Acknowledgments           No acknowledgment
Windowing flow control    No windowing or flow control

A telephone analogy could really help you understand how TCP works. Most of us know that before you speak to someone on a phone, you must first establish a connection with that person, wherever they are. This is like a virtual circuit with TCP. If you were giving someone important information during your conversation, you might say, "You know?" or ask, "Did you get that?" Saying something like this is a lot like a TCP acknowledgment; it's designed to get your verification. From time to time (especially on cell phones), people also ask, "Are you still there?" They end their conversations with a "Goodbye" of some kind, putting closure on the phone call. TCP also performs these types of functions.

Alternatively, using UDP is like sending a postcard. To do that, you don't need to contact the other party first. You simply write your message, address the postcard, and mail it. This is analogous to UDP's connectionless orientation. Because the message on the postcard is probably not a matter of life or death, you don't need an acknowledgment of its receipt. Similarly, UDP doesn't involve acknowledgments.

Port Numbers

TCP and UDP must use port numbers to communicate with the upper layers because they're what keep track of different simultaneous conversations originated by or accepted by the local host.
Originating source port numbers are dynamically assigned by the source host and will usually have a value of 1024 or higher. Ports 0 through 1023 are the well-known port numbers; RFC 3232 explains that the authoritative list is the registry that IANA maintains online. Connections to an application that doesn't use a well-known port number are assigned port numbers randomly from a specific range instead. These port numbers identify the source and destination application or process in the TCP segment. Figure 6.6 illustrates how both TCP and UDP use port numbers.

FIGURE 6.6 Port numbers for TCP and UDP

Application layer    FTP   Telnet   Doom   DNS   TFTP   POP3   News
Port numbers         21    23       666    53    69     110    119
Transport layer      TCP and UDP

You just need to remember that numbers below 1024 are considered well-known port numbers and are registered with IANA (RFC 3232). Numbers 1024 and above are used by the upper layers to set up sessions with other hosts and by TCP as source and destination identifiers in the TCP segment.

Table 6.2 gives you a list of the typical applications used in the TCP/IP suite, their well-known port numbers, and the Transport layer protocols used by each application or process. It's important that you study and memorize this table for the CompTIA Network+ exam.

TABLE 6.2 Key protocols that use TCP and UDP

TCP                  UDP
Telnet 23            SNMPv1/2 161
SMTP 25              TFTP 69
HTTP 80              DNS 53
FTP 20, 21           BOOTPS/DHCP 67, 68
SFTP 22              NTP 123
DNS 53               SNMPv3 161
HTTPS 443
SSH 22
SMB 445
POP3 110
IMAP4 143
RDP 3389

Notice that DNS uses both TCP and UDP. Whether it opts for one or the other depends on what it's trying to do: ordinary queries go over UDP, while zone transfers and responses too large for a single datagram use TCP. Even though it's not the only application that can use both protocols, it's certainly one that you should remember in your studies. Keep in mind, too, that a port number is only a convention: nothing stops an administrator (or an attacker) from running a service on a different port, so "port 443" doesn't guarantee "HTTPS" when you look at a capture.
The Internet Layer Protocols

In the DoD model, there are two main reasons for the Internet layer's existence: routing and providing a single network interface to the upper layers.

None of the other upper- or lower-layer protocols have any functions relating to routing; that complex and important task belongs entirely to the Internet layer. The Internet layer's second duty is to provide a single network interface to the upper-layer protocols. Without this layer, application programmers would need to write what are called hooks into every one of their applications for each different Network Access protocol. This would not only be a pain in the neck, it would also lead to different versions of each application: one for Ethernet, another one for Token Ring, and so on. To prevent this, IP provides one single network interface for the upper-layer protocols. That accomplished, it's then the job of IP and the various Network Access protocols to get along and work together.

All network roads don't lead to Rome; they lead to IP. And all the other protocols at this layer, as well as all those at the upper layers, use it. Never forget that. All paths through the DoD model go through IP. The following sections describe the protocols at the Internet layer:
■ Internet Protocol (IP)
■ Internet Control Message Protocol (ICMP)
■ Address Resolution Protocol (ARP)
■ Reverse Address Resolution Protocol (RARP)

Internet Protocol

Internet Protocol (IP) is essentially the Internet layer. The other protocols found here merely exist to support it. IP holds the big picture and could be said to "see all" in that it's aware of all the interconnected networks. It can do this because all the machines on the network have a software, or logical, address called an IP address, which I'll cover more thoroughly in the next chapter.

IP looks at each packet's destination address. Then, using a routing table, it decides where a packet is to be sent next, choosing the best path.
The protocols of the Network Access layer at the bottom of the DoD model don’t possess IP’s enlightened scope of the entire network; they deal only with physical links (local networks). Identifying devices on networks requires answering these two questions: Which network is it on? And what is its ID on that network? The answer to the first question is the software address, or logical address (the correct street). The answer to the second question is the hardware address (the correct mailbox). All hosts on a network have a logical ID called an IP address. This is the software, or logical, address and contains valuable encoded information, greatly simplifying the complex task of routing. (IP is discussed in RFC 791.)

IP receives segments from the Host-to-Host layer and fragments them into packets if necessary. IP then reassembles packets back into segments on the receiving side. Each packet is assigned the IP address of the sender and of the recipient. Each router (Layer 3 device) that receives a packet makes routing decisions based on the packet’s destination IP address. Figure 6.7 shows an IP header. This will give you an idea of what IP has to go through every time user data is sent from the upper layers to a remote network.

FIGURE 6.7 IP header
[Figure: the 20-byte IP header drawn as 32-bit rows (Bit 0 to Bit 31): Version (4), Header Length (4), Priority and Type of Service (8), Total Length (16); Identification (16), Flags (3), Fragmented Offset (13); Time to Live (8), Protocol (8), Header Checksum (16); Source IP Address (32); Destination IP Address (32); Options (0 or 32 if any); Data (varies if any).]

For more detailed information regarding the IP header, which is beyond the scope of the CompTIA Network+ exam objectives, please see my book CCNA: Cisco Certified Network Associate Study Guide (Sybex, 2013).
Internet Control Message Protocol

Internet Control Message Protocol (ICMP) works at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP. Its messages are carried as IP packets. ICMP packets have the following characteristics:
■ They can provide hosts with information about network problems.
■ They are encapsulated within IP datagrams.

The following are some common events and messages that ICMP relates to, and the two most popular programs that use ICMP:

Destination Unreachable If a router can’t send an IP datagram any further, it uses ICMP to send a message back to the sender, advising it of the situation. For example, take a look at Figure 6.8, which shows that the Ethernet interface of the Lab B router is down.

FIGURE 6.8 ICMP error message is sent to the sending host from the remote router
[Figure: Host A is connected to router Lab A, which connects to router Lab B, which connects through its e0 interface to Host B. Interface e0 on Lab B is down. Host A is trying to communicate to Host B. What happens? Lab B sends an ICMP message back toward Host A.]

When Host A sends a packet destined for Host B, the Lab B router will send an ICMP Destination Unreachable message back to the sending device (directly to Host A, in this example).

Buffer Full If a router’s memory buffer for receiving incoming datagrams is full, it will use ICMP to send out this message until the congestion abates.

Hops Each IP datagram is allotted a certain number of routers, called hops, to pass through. If a datagram reaches its limit of hops before arriving at its destination, the last router to receive it deletes it. The executioner router then uses ICMP to send an obituary message, informing the sending machine of the demise of its datagram.

Ping Ping uses ICMP echo request and reply messages to check the physical and logical connectivity of machines on an internetwork.

Traceroute Traceroute uses IP packet Time-to-Live time-outs to discover the path a packet takes as it traverses an internetwork.
Both Ping and Traceroute (also just called Trace, and Microsoft Windows uses tracert) allow you to verify address configurations in your internetwork.

Address Resolution Protocol

Address Resolution Protocol (ARP) finds the hardware address of a host from a known IP address. Here’s how it works: When IP has a datagram to send, it must inform a Network Access protocol, such as Ethernet or Token Ring, of the destination’s hardware address on the local network. (It has already been informed by upper-layer protocols of the destination’s IP address.) If IP doesn’t find the destination host’s hardware address in the ARP cache, it uses ARP to find this information. As IP’s detective, ARP interrogates the local network by sending out a broadcast asking the machine with the specified IP address to reply with its hardware address. So basically, ARP translates the software (IP) address into a hardware address—for example, the destination machine’s Ethernet address. Figure 6.9 shows how an ARP broadcast looks to a local network.

FIGURE 6.9 Local ARP broadcast
[Figure: host 10.1.1.1 broadcasts “I need the Ethernet address of 10.1.1.2” (IP: 10.1.1.2 = ???); host 10.1.1.2 answers “I heard that broadcast. The message is for me. Here is my Ethernet address.” (IP: 10.1.1.2, Ethernet: 45:23:79:85:77:34).]

ARP resolves IP addresses to Ethernet (MAC) addresses. The following trace shows an ARP broadcast—notice that the destination hardware address is unknown and is all 0s in the ARP header.
In the Ethernet header, a destination of all Fs in hex (all 1s in binary), a hardware-address broadcast, is used to make sure all devices on the local link receive the ARP request:

Flags:                     0x00
Status:                    0x00
Packet Length:             64
Timestamp:                 09:17:29.574000 12/06/03
Ethernet Header
  Destination:             FF:FF:FF:FF:FF:FF  Ethernet Broadcast
  Source:                  00:A0:24:48:60:A5
  Protocol Type:           0x0806  IP ARP
ARP - Address Resolution Protocol
  Hardware:                1  Ethernet (10Mb)
  Protocol:                0x0800  IP
  Hardware Address Length: 6
  Protocol Address Length: 4
  Operation:               1  ARP Request
  Sender Hardware Address: 00:A0:24:48:60:A5
  Sender Internet Address: 172.16.10.3
  Target Hardware Address: 00:00:00:00:00:00  (ignored)
  Target Internet Address: 172.16.10.10
Extra bytes (Padding):
  ................         0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A
Frame Check Sequence:      0x00000000

Reverse Address Resolution Protocol

When an IP machine happens to be a diskless machine, it has no way of initially knowing its IP address. But it does know its MAC address. Reverse Address Resolution Protocol (RARP) discovers the identity of the IP address for diskless machines by sending out a packet that includes its MAC address and a request for the IP address assigned to that MAC address. A designated machine, called a RARP server, responds with the answer, and the identity crisis is over. RARP uses the information it does know about the machine’s MAC address to learn its IP address and complete the machine’s ID portrait. Figure 6.10 shows a diskless workstation asking for its IP address with a RARP broadcast.

FIGURE 6.10 RARP broadcast example
[Figure: a diskless workstation with Ethernet address 45:23:79:85:77:34 and no IP address yet (IP = ??) broadcasts “What’s my IP address?”; the RARP server answers “I heard that broadcast. Your IP address is 192.168.10.3.”]
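To see how the fields of the ARP trace above sit on the wire, here is an added Python example (written for this page, not code from the book) that builds a frame from the trace’s own addresses and decodes it, flagging a sender hardware address that disagrees with the Ethernet source, which is the kind of inconsistency a defender watching ARP traffic cares about. The 60-byte minimum frame length is an assumption taken from the trace (42 bytes of headers plus 18 padding bytes, plus the 4-byte FCS, gives its 64-byte packet length).

```python
import struct
from dataclasses import dataclass, field

# Added example, not from the book: Ethernet header (14 bytes) followed by the
# 28-byte ARP body laid out exactly as the trace lists the fields.
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ARP_FORMAT = "!HHBBH6s4s6s4s"  # hardware type, protocol type, hlen, plen, operation,
                               # sender MAC, sender IP, target MAC, target IP
MIN_FRAME_BYTES = 60           # assumed Ethernet minimum before the FCS; 42 bytes of
                               # header + ARP leaves the 18 padding bytes seen in the trace


@dataclass
class ArpInfo:
    eth_dst: str
    eth_src: str
    operation: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    warnings: list = field(default_factory=list)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_request(src_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Ethernet-broadcast ARP request: who has target_ip? Tell sender_ip."""
    eth_header = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # Target hardware address is all 0s in a request: it is the unknown being asked for.
    arp_body = struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, ARP_REQUEST,
                           src_mac, sender_ip, bytes(6), target_ip)
    frame = eth_header + arp_body
    return frame + bytes(max(0, MIN_FRAME_BYTES - len(frame)))


def decode_arp(frame: bytes) -> ArpInfo:
    """Decode an ARP frame and note inconsistencies worth a defender's attention."""
    if len(frame) < 14 + struct.calcsize(ARP_FORMAT):
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, frame[14:42])
    info = ArpInfo(mac_str(dst), mac_str(src), op, mac_str(sha), ip_str(spa),
                   mac_str(tha), ip_str(tpa))
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        info.warnings.append("not Ethernet/IPv4 ARP: unexpected types or address lengths")
    if op not in (ARP_REQUEST, ARP_REPLY):
        info.warnings.append(f"unknown ARP operation {op}")
    # In a normal request or reply the sender hardware address inside ARP is the
    # NIC that actually sent the frame; a mismatch means the ARP body was not
    # produced by the host it claims to be and deserves a closer look.
    if sha != src:
        info.warnings.append("ARP sender MAC differs from Ethernet source MAC")
    return info
```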
Data Encapsulation

I started to discuss data encapsulation in Chapter 2, but I could only provide an overview at that point in the book because you needed to have a firm understanding of how ports work in a virtual circuit. With the last five chapters of foundational material under your belt, you’re ready to get more into the details of encapsulation. When a host transmits data across a network to another device, the data goes through encapsulation: It’s wrapped with protocol information at each layer of the OSI model. Each layer communicates only with its peer layer on the receiving device. To communicate and exchange information, each layer uses Protocol Data Units (PDUs). These hold the control information attached to the data at each layer of the model. They’re usually attached to the header in front of the data field but can also be in the trailer, or end, of it. Each PDU attaches to the data by encapsulating it at each layer of the OSI model, and each has a specific name depending on the information provided in each header. This PDU information is read only by the peer layer on the receiving device. After it’s read, it’s stripped off, and the data is then handed to the next layer up. Figure 6.11 shows the PDUs and how they attach control information to each layer. This figure demonstrates how the upper-layer user data is converted for transmission on the network. The data stream is then handed down to the Transport layer, which sets up a virtual circuit to the receiving device by sending over a synch packet. Next, the data stream is broken up into smaller pieces, and a Transport layer header (a PDU) is created and attached to the header of the data field; now the piece of data is called a segment. Each segment is sequenced so the data stream can be put back together on the receiving side exactly as it was transmitted.
FIGURE 6.11 Data encapsulation
[Figure: the PDU at each layer. Application, Presentation, Session: Upper-Layer Data. Transport: TCP Header + Upper-Layer Data = Segment. Network: IP Header + Segment = Packet. Data Link: LLC Header, MAC Header + Packet + FCS = Frame. Physical: 0101110101001000010 = Bits.]

Each segment is then handed to the Network layer for network addressing and routing through the internetwork. Logical addressing (for example, IP) is used to get each segment to the correct network. The Network layer protocol adds a control header to the segment handed down from the Transport layer, and what we have now is called a packet or datagram. Remember that the Transport and Network layers work together to rebuild a data stream on a receiving host, but it’s not part of their work to place their PDUs on a local network segment—which is the only way to get the information to a router or host. It’s the Data Link layer that’s responsible for taking packets from the Network layer and placing them on the network medium (cable or wireless). The Data Link layer encapsulates each packet in a frame, and the frame’s header carries the hardware address of the source and destination hosts. If the destination device is on a remote network, then the frame is sent to a router to be routed through an internetwork. Once it gets to the destination network, a new frame is used to get the packet to the destination host. To put this frame on the network, it must first be put into a digital signal. Because a frame is really a logical group of 1s and 0s, the Physical layer is responsible for encoding these digits into a digital signal, which is read by devices on the same local network. The receiving devices will synchronize on the digital signal and extract (decode) the 1s and 0s from the digital signal.
At this point, the devices build the frames, run a cyclic redundancy check (CRC), and then check their answer against the answer in the frame’s Frame Check Sequence (FCS) field. If it matches, the packet is pulled from the frame and what’s left of the frame is discarded. This process is called de-encapsulation. The packet is handed to the Network layer, where the address is checked. If the address matches, the segment is pulled from the packet and what’s left of the packet is discarded. The segment is processed at the Transport layer, which rebuilds the data stream and acknowledges to the transmitting station that it received each piece. It then happily hands the data stream to the upper-layer application. In summary, at a transmitting device, the data-encapsulation method works like this:
1. User information is converted to data for transmission on the network.
2. Data is converted to segments, and a reliable connection is set up between the transmitting and receiving hosts.
3. Segments are converted to packets or datagrams, and a logical address is placed in the header so each packet can be routed through an internetwork.
4. Packets or datagrams are converted to frames for transmission on the local network. Hardware (Ethernet) addresses are used to uniquely identify hosts on a local network segment.
5. Frames are converted to bits, and a digital encoding and clocking scheme is used.

To explain this in more detail using the layer addressing, I’ll use Figure 6.12.

FIGURE 6.12 PDU and layer addressing
[Figure: Segment = Source Port, Destination Port, …, Data. Packet = Source IP, Destination IP, Protocol, …, Segment. Frame = Destination MAC, Source MAC, Ether-Field, Packet, FCS. Bits = 1011011100011110000.]

Remember that a data stream is handed down from the upper layer to the Transport layer. As technicians, we really don’t care who the data stream comes from because that’s a programmer’s problem.
Our job is to rebuild the data stream reliably and hand it to the upper layers on the receiving device. Before we go further in our discussion of Figure 6.12, let’s review port numbers and make sure you understand them. The Transport layer uses port numbers to define both the virtual circuit and the upper-layer process, as you can see from Figure 6.13.

FIGURE 6.13 Port numbers at the Transport layer
[Figure: Host A sends to Host Z with Source Port (SP) 1028 and Destination Port (DP) 23. The source port defines the virtual circuit; the destination port defines the upper-layer process or application.]

The Transport layer takes the data stream, makes segments out of it, and establishes a reliable session by creating a virtual circuit. It then sequences (numbers) each segment and uses acknowledgments and flow control. If you’re using TCP, the virtual circuit is defined by the source port number. Remember, the host just makes this up starting at port number 1024 (0 through 1023 are reserved for well-known port numbers). The destination port number defines the upper-layer process (application) that the data stream is handed to when the data stream is reliably rebuilt on the receiving host. Now that you understand port numbers and how they’re used at the Transport layer, let’s go back to Figure 6.12. Once the Transport layer header information is added to the piece of data, it becomes a segment and is handed down to the Network layer along with the destination IP address. (The destination IP address was handed down from the upper layers to the Transport layer with the data stream, and it was discovered through a name resolution method at the upper layers—probably DNS.) The Network layer adds a header, and adds the logical addressing (IP addresses), to the front of each segment. Once the header is added to the segment, the PDU is called a packet.
The packet has a protocol field that describes where the segment came from (either UDP or TCP) so it can hand the segment to the correct protocol at the Transport layer when it reaches the receiving host. The Network layer is responsible for finding the destination hardware address that dictates where the packet should be sent on the local network. It does this by using ARP. IP at the Network layer looks at the destination IP address and compares that address to its own source IP address and subnet mask. If it turns out to be a local network request, the hardware address of the local host is requested via an ARP request. If the packet is destined for a remote host, IP will get the IP address of the default gateway from its configuration information, then ARP for the hardware address of the default gateway (router) instead. The packet, along with the destination hardware address of either the local host or default gateway, is then handed down to the Data Link layer. The Data Link layer will add a header to the front of the packet, and the piece of data then becomes a frame. (We call it a frame because both a header and a trailer are added to the packet, which makes the data resemble bookends or a frame, if you will.) This is shown in Figure 6.12. The frame uses an Ether-Type field to describe which protocol the packet came from at the Network layer. Now a CRC is run on the frame, and the answer to the CRC is placed in the FCS field found in the trailer of the frame. The frame is now ready to be handed down, one bit at a time, to the Physical layer, which will use bit-timing rules to encode the data into a digital signal. Every device on the network segment will synchronize with the clock, extract the 1s and 0s from the digital signal, and build a frame. After the frame is rebuilt, a CRC is run to make sure the frame is okay. If everything turns out to be good, the hosts will check the destination address to see if the frame is for them.
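The whole trip down and back up the stack, covering both the IP header of Figure 6.7 and the encapsulation walk-through of Figures 6.12 and 6.13, as an added Python example written for this page (not code from the book): it builds a segment, wraps it in a 20-byte IP header with the RFC 791 header checksum, frames it with MAC addresses, an Ether-Type and a CRC-32 FCS, turns it into bits, and then de-encapsulates it with the checks the text describes at each layer. The Transport header is a cut-down TCP-style header (ports and a sequence number), and the MAC and IP addresses reuse values from the chapter’s own figures and trace; all of it is constructed, not captured.

```python
import struct
import zlib

# Added example, not from the book. All addresses, ports and data are constructed.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17
IP_HEADER_FORMAT = "!BBHHHBBH4s4s"  # Figure 6.7 fields, no options (20 bytes)


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words, complemented.
    Run over a header that already carries a correct checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_segment(src_port: int, dst_port: int, seq: int, data: bytes) -> bytes:
    """Transport layer: ports define the virtual circuit and the upper-layer process."""
    return struct.pack("!HHI", src_port, dst_port, seq) + data


def build_packet(src_ip: str, dst_ip: str, protocol: int, segment: bytes,
                 ttl: int = 64) -> bytes:
    """Network layer: IP header in front of the segment. The protocol field records
    which Transport protocol (TCP or UDP) the segment must be handed back to."""
    header = struct.pack(IP_HEADER_FORMAT, 0x45, 0, 20 + len(segment), 0x1C46,
                         0x4000, ttl, protocol, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = struct.pack("!H", ip_checksum(header))   # computed with the field zeroed
    return header[:10] + checksum + header[12:] + segment


def build_frame(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    """Data Link layer: MAC header in front, CRC answer in the FCS trailer."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))   # FCS, low byte first as on the wire


def to_bits(frame: bytes) -> str:
    """Physical layer: the frame as the string of 1s and 0s that gets encoded."""
    return "".join(f"{b:08b}" for b in frame)


def fcs_ok(frame: bytes) -> bool:
    """Re-run the CRC on the rebuilt frame and compare it with the FCS field."""
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def de_encapsulate(bits: str, my_mac: bytes, my_ip: str) -> dict:
    """Receiving side: rebuild the frame, then peel one layer at a time, checking
    FCS, destination MAC, IP header checksum and destination IP as the text describes."""
    frame = int(bits, 2).to_bytes(len(bits) // 8, "big")
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame discarded")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst_mac != my_mac:
        raise ValueError("frame is not addressed to this host: discarded")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unhandled EtherType 0x{ethertype:04x}")
    packet = frame[14:-4]                     # strip MAC header and FCS
    ihl = (packet[0] & 0x0F) * 4              # header length covers options, if any
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IP header checksum failed: packet discarded")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, protocol = packet[8], packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    if dst_ip != my_ip:
        raise ValueError("packet is not addressed to this host: discarded")
    segment = packet[ihl:total_len]           # total length trims any Ethernet padding
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    return {"src_mac": src_mac, "ttl": ttl, "protocol": protocol, "src_ip": src_ip,
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "data": segment[8:]}
```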
If all this is making your eyes cross and your brain freeze, don’t freak—things will become much clearer as we go through the book—really! Soon, I’ll be going over exactly how data is encapsulated and routed through an internetwork in even more detail, in an easy-to-understand, step-by-step manner, in Chapter 9, “Introduction to IP Routing.”

Summary

Protocols, protocols everywhere—so many different reasons for them, and so many jobs they do for us! And sometimes they even work in conjunction with each other. This can seem like way too much information, but no worries—as you become familiar with the various layers and their functions, I promise it will soon become clear that this hierarchical structure is a seriously tight, robust networking foundation. Similarly, as you understand the TCP/IP big picture, the reason why all those protocols exist and are necessary will also become much easier to understand. They’re really like a team that works jointly, from layer to layer, to make our TCP/IP networks the wonderful, great tools they are.

Exam Essentials

Remember the Process/Application layer protocols. Telnet is a terminal-emulation program that allows you to log into a remote host and run programs. File Transfer Protocol (FTP) is a connection-oriented service that allows you to transfer files. Trivial FTP (TFTP) is a connectionless file transfer program. Simple Mail Transfer Protocol (SMTP) is a sendmail program.

Remember the Host-to-Host layer protocols. Transmission Control Protocol (TCP) is a connection-oriented protocol that provides reliable network service by using acknowledgments and flow control. User Datagram Protocol (UDP) is a connectionless protocol that provides low overhead and is considered unreliable.

Remember the Internet layer protocols. Internet Protocol (IP) is a connectionless protocol that provides logical network addressing and routing through an internetwork.
Address Resolution Protocol (ARP) finds a hardware address from a known IP address. Internet Control Message Protocol (ICMP) provides diagnostics and Destination Unreachable messages.

Remember the difference between connection-oriented and connectionless network services. Connection-oriented services use acknowledgments and flow control to create a reliable session. More overhead is used than in a connectionless network service. Connectionless services are used to send data with no acknowledgments or flow control. This is considered unreliable.

Written Lab

Provide the answers to the following questions. You can find the answers in Appendix A.
1. What would an ARP destination MAC address appear as?
2. Name the protocol that uses both TCP ports 20 and 21.
3. What Transport layer protocol does a DNS server use?
4. Which protocol dynamically reports errors to source hosts by using IP directly to build packets?
5. What could cause a server that you can ping not to provide the particular TCP/IP service, such as FTP, HTTP, and so on, that you expect it to offer?
6. What is the well-known port number for RPC?
7. Which ports does the protocol MGCP use?
8. What protocol is at the heart of the ping and tracert commands in a Windows operating system?
9. Which destination Transport layer protocol and port number does a TFTP client use to transfer files over the network?
10. What well-known port numbers do SMTP, POP3, RDP, and IMAP4 servers use?

Review Questions

You can find the answers to the review questions in Appendix B.

1. The OSI model has seven layers and the DoD has four. At which layer does SMTP work in both models?
A. Network
B. Transport
C. Session
D. Application
E. Internet

2. You need to have secure communications using HTTPS. What port number is used by default?
A. 69
B. 23
C. 21
D. 443

3. You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP

4. What protocol is used to find the hardware address of a local device?
A. RARP
B. ARP
C. IP
D. ICMP
E. BootP

5. You need to log in to a Unix server across a network that is not secure. Which of the following protocols will allow you to remotely administrate this server securely?
A. Telnet
B. SSH
C. SFTP
D. HTTP

6. If you can ping by IP address but not by hostname, or FQDN, which of the following port numbers is related to the server process that is involved?
A. 21
B. 23
C. 53
D. 69
E. 80

7. Which of the following describe the DHCP Discover message? (Choose two.)
A. It uses FF:FF:FF:FF:FF:FF as a Layer 2 broadcast.
B. It uses UDP as the Transport layer protocol.
C. It uses TCP as the Transport layer protocol.
D. It does not use a Layer 2 destination address.

8. What Layer 4 protocol is used for a Telnet connection, and what is the default port number?
A. IP, 6
B. TCP, 21
C. UDP, 23
D. ICMP, 21
E. TCP, 23

9. Which statements are true regarding ICMP packets? (Choose two.)
A. They acknowledge receipt of a TCP segment.
B. They guarantee datagram delivery.
C. They can provide hosts with information about network problems.
D. They are encapsulated within IP datagrams.
E. They are encapsulated within UDP datagrams.

10. Which of the following services use TCP? (Choose three.)
A. DHCP
B. SMTP
C. SNMP
D. FTP
E. HTTP
F. TFTP

11. Which of the following services use UDP? (Choose three.)
A. DHCP
B. SMTP
C. SNMP
D. FTP
E. HTTP
F. TFTP

12. Which of the following TCP/IP protocols are used at the Application layer of the OSI model? (Choose three.)
A. IP
B. TCP
C. Telnet
D. FTP
E. TFTP

13. Which of the following protocols is used by email servers to exchange messages with one another?
A. POP3
B. IMAP
C. SMTP
D. HTTP

14. You need to have a connection to run applications that are installed on only your desktop computer at your office. Which protocol will provide a GUI interface to your work computer?
A. Telnet
B. FTP
C. RDP
D. IMAP
E. SMTP

15. Which of the following protocols can use TCP and UDP, permits authentication and secure polling of network devices, and allows for automated alerts and reports on network devices?
A. DNS
B. SNMP
C. SMTP
D. TCP

16. You need to transfer files between two hosts. Which two protocols can you use? (Choose two.)
A. SNMP
B. SCP
C. RIP
D. NTP
E. FTP

17. What layer in the IP stack is equivalent to the Transport layer of the OSI model?
A. Application
B. Host-to-Host
C. Internet
D. Network Access

18. You need to make sure that the time is consistent across all your network devices. What protocol do you need to run on your network?
A. FTP
B. SCP
C. NTP
E. RTP

19. Which of the following allows a server to distinguish among different simultaneous requests from the same host?
A. They use different port numbers.
B. A NAT server changes the IP address for subsequent requests.
C. A server is unable to accept multiple simultaneous sessions from the same host. One session must end before another can begin.
D. The MAC address for each one is unique.

20. Which of the following uses both TCP and UDP?
A. FTP
B. SMTP
C. Telnet
D.
DNS

Chapter 7 IP Addressing

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
✓ 1.8 Given a scenario, implement and configure the appropriate addressing schema
■ IPv6
  ■ Auto-configuration
  ■ EUI 64
  ■ DHCP6
  ■ Link local
  ■ Address structure
  ■ Address compression
  ■ Tunneling 6to4, 4to6
  ■ Teredo, miredo
■ IPv4
  ■ Address structure
  ■ Subnetting
  ■ APIPA
  ■ Classful A, B, C, D
  ■ Classless
  ■ Private vs public
  ■ NAT/PAT
■ MAC addressing
■ Multicast
■ Unicast
■ Broadcast
■ Broadcast domains vs collision domains

c07.indd 04/02/2015 Page 205

One of the most important topics in any discussion of TCP/IP is IP addressing. An IP address is a numeric identifier assigned to each machine on an IP network. It designates the specific location of a device on the network. An IP address is a logical address, not a hardware address—the latter is hard-coded on a network interface card (NIC) and used for finding hosts on a local network. IP addressing was designed to allow hosts on one network to communicate with a host on a different network regardless of the type of LANs the hosts are participating in. Before we get into the more complicated aspects of IP addressing, you need to understand some of the basics. First I’m going to explain some of the fundamentals of IP addressing and its terminology. Then you’ll learn about the hierarchical IP addressing scheme and private IP addresses. I’ll define unicast, multicast, and broadcast addresses and then finish the chapter with a discussion on IPv6. And I promise to make it all as painless as possible. The reason that we would even discuss IPv6 (besides to cover the objectives, of course) is because of the lack of IPv4 addresses available for use in future networks, which we need to keep our corporate and private networks and even the Internet running. Basically, we’re running out of addresses for all our new hosts! IPv6 will fix this for us.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

IP Terminology

Throughout this chapter, you’ll learn several important terms vital to your understanding of the Internet Protocol. Here are a few to get you started:

Bit A bit is one binary digit, either a 1 or a 0.

Byte A byte is 7 or 8 bits, depending on whether parity is used. For the rest of this chapter, always assume a byte is 8 bits.

Octet An octet, made up of 8 bits, is just an ordinary 8-bit binary number. In this chapter, the terms byte and octet are completely interchangeable, and they are typically displayed in decimal up to 255.

Network Address This is the designation used in routing to send packets to a remote network—for example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.

IP Address A logical address used to define a single host; however, IP addresses can be used to reference many or all hosts as well. If you see something written as just IP, it is referring to IPv4. IPv6 will always be written as IPv6.

Broadcast Address The broadcast address is used by applications and hosts to send information to all hosts on a network. Examples include 255.255.255.255, which designates all networks and all hosts; 172.16.255.255, which specifies all subnets and hosts on network 172.16.0.0; and 10.255.255.255, which broadcasts to all subnets and hosts on network 10.0.0.0.

You will find the terms subnet mask and slash notation (for example, /24) used a few times in this chapter. These terms will be fully defined and used in Chapter 8, “IP Subnetting, Troubleshooting IP, and Introduction to NAT.”

The Hierarchical IP Addressing Scheme

An IP address consists of 32 bits of information. These bits are divided into four sections, referred to as octets or bytes, and four octets sum up to 32 bits (8 × 4 = 32).
You can depict an IP address using one of three methods:
■ Dotted-decimal, as in 172.16.30.56
■ Binary, as in 10101100.00010000.00011110.00111000
■ Hexadecimal, as in AC.10.1E.38

Each of these examples validly represents the same IP address. Hexadecimal is used with IPv6, and IP addressing uses dotted-decimal or binary, but you still might find an IP address stored in hexadecimal in some programs. The Windows XP Registry is a good example of a program that stores a machine’s IP address in hex. The 32-bit IP address is known as a structured, or hierarchical, address as opposed to a flat, or nonhierarchical, address. Although either type of addressing scheme can be used, hierarchical addressing has been chosen for a very important reason. The major advantage of this scheme is that it can handle a large number of addresses, namely, 4.3 billion (a 32-bit address space with two possible values for each position—either 0 or 1—gives you 2^32, or 4,294,967,296). The disadvantage of the flat-addressing scheme, and the reason it’s not used for IP addressing, relates to routing. If every address were unique, all routers on the Internet would need to store the address of each and every machine on the Internet. This would make efficient routing impossible, even if only a fraction of all possible addresses were used. The solution to this problem is to use a two- or three-level hierarchical addressing scheme that is structured by network and host or by network, subnet, and host. This two- or three-level scheme is comparable to a telephone number. The first section, the area code, designates a very large area. The second section, the prefix, narrows the scope to a local calling area. The final segment, the customer number, zooms in on the specific connection. IP addresses use the same type of layered structure.
Rather than all 32 bits being treated as a unique identifier, as in flat addressing, a part of the address is designated as the network address and the other part is designated as either the subnet and host or just the host address. Next, I’m going to cover IP network addressing and the different classes of addresses used for our networks.

Network Addressing

The network address—also called the network number—uniquely identifies each network. Every machine on the same network shares that network address as part of its IP address. In the IP address 172.16.30.56, for example, 172.16 is the network address (and in just a minute I’ll show you how this is true). The host address is assigned to, and uniquely identifies, each machine on a network. This part of the address must be unique because it identifies a particular machine—an individual—as opposed to a network, which is a group. So in the sample IP address 172.16.30.56, the 30.56 is the host address. The designers of the Internet decided to create classes of networks based on network size. For the small number of networks possessing a very large number of hosts, they created the rank Class A network. At the other extreme is the Class C network, which is reserved for the numerous networks with a small number of hosts. The class distinction for networks between very large and very small is predictably the Class B network. Subdividing an IP address into a network and host address is determined by the class designation of your network. Figure 7.1 summarizes the classes of networks—a subject I’ll explain in much greater detail throughout this chapter.
FIGURE 7.1 Summary of the three classes of networks
[Figure: each address is four 8-bit sections. Class A: Network, Host, Host, Host. Class B: Network, Network, Host, Host. Class C: Network, Network, Network, Host. Class D: Multicast. Class E: Research.]

To ensure efficient routing, Internet designers defined a mandate for the leading-bits section of the address for each different network class. For example, since a router knows that a Class A network address always starts with a 0, the router might be able to speed a packet on its way after reading only the first bit of its address. This is where the address schemes define the difference between a Class A, a Class B, and a Class C address. Coming up, I’ll discuss the differences between these three classes followed by a discussion of the Class D and Class E addresses. For now, know that Classes A, B, and C are the only ranges that are used to address hosts in our networks.

Class A Addresses

In a Class A network address, the first byte is assigned to the network address, and the three remaining bytes are used for the host addresses. The Class A format is as follows:
network.host.host.host
For example, in the IP address 49.22.102.70, the 49 is the network address and 22.102.70 is the host address. Every machine on this particular network would begin with the distinctive network address of 49. Class A network addresses are 1 byte long, with the first bit of that byte reserved and the 7 remaining bits available for manipulation, or addressing. As a result, the theoretical maximum number of Class A networks that can be created is 128. Why? Well, each of the 7 bit positions can be either a 0 or a 1 and 2^7 gives you 128. The designers of the IP address scheme said that the first bit of the first byte in a Class A network address must always be off, or 0. This means a Class A address must be between 0 and 127 in the first byte, inclusive.
Consider the following network address:

0xxxxxxx

If we turn the other 7 bits all off and then turn them all on, we'll find the Class A range of network addresses:

00000000 = 0
01111111 = 127

So, a Class A network is defined in the first octet between 0 and 127, and it can't be less or more. To complicate matters further, the network address of all 0s (0000 0000) is reserved to designate the default route (see Table 7.1). Additionally, the address 127, which is reserved for diagnostics, can't be used either, which means that you can really only use the numbers 1 to 126 to designate Class A network addresses. This means the actual number of usable Class A network addresses is 128 minus 2, or 126.

TABLE 7.1 Reserved IP addresses

Address                                  Function
Network address of all 0s                Interpreted to mean "this network or segment."
Network address of all 1s                Interpreted to mean "all networks."
Network 127.0.0.1                        Reserved for loopback tests. Designates the local host and allows that host to send a test packet to itself without generating network traffic. (The entire 127.0.0.0/8 block is reserved for loopback, not just 127.0.0.1.)
Host address of all 0s                   Interpreted to mean "network address," or any host on the specified network.
Host address of all 1s                   Interpreted to mean "all hosts" on the specified network; for example, 126.255.255.255 means "all hosts" on network 126 (Class A address).
Entire IP address set to all 0s          Used by Cisco routers to designate the default route. Could also mean "any network."
Entire IP address set to all 1s          Broadcast to all hosts on the current network; sometimes called an "all 1s broadcast" or limited broadcast.
(same as 255.255.255.255)

Each Class A address has 3 bytes (24 bit positions) for the host address of a machine. This means there are 2^24, or 16,777,216, unique combinations and, therefore, precisely that many potential unique host addresses for each Class A network.
Because host addresses with the two patterns of all 0s and all 1s are reserved, the actual maximum usable number of hosts for a Class A network is 2^24 minus 2, which equals 16,777,214. Either way, you can see that's a seriously huge number of hosts to have on a network segment!

Here's an example of how to figure out the valid host IDs in a Class A network address:

■ All host bits off is the network address: 10.0.0.0.
■ All host bits on is the broadcast address: 10.255.255.255.

The valid hosts are the numbers in between the network address and the broadcast address: 10.0.0.1 through 10.255.255.254. Notice that 0s and 255s can be valid host IDs (10.0.1.0 and 10.0.0.255 are both ordinary hosts here). All you need to remember when trying to find valid host addresses is that the host bits can't ever be all turned off or all turned on at the same time.

Class B Addresses

In a Class B network address, the first 2 bytes are assigned to the network address and the remaining 2 bytes are used for host addresses. The format is as follows:

network.network.host.host

For example, in the IP address 172.16.30.56, the network address is 172.16 and the host address is 30.56.

With a network address being 2 bytes (8 bits each), we're left with 2^16 unique combinations. But the Internet designers decided that all Class B network addresses should start with the binary digits 1, then 0. This leaves 14 bit positions available to manipulate, so in reality, we get 16,384 (that is, 2^14) unique Class B network addresses.

In a Class B network, the RFCs state that the first bit of the first byte must always be turned on but the second bit must always be turned off. If we turn the other 6 bits all off and then all on, we will find the range for a Class B network:

10000000 = 128
10111111 = 191

As you can see, a Class B network is defined when the first byte is configured from 128 to 191.

A Class B address uses 2 bytes for host addresses.
This is 2^16 minus the two reserved patterns (all 0s and all 1s), for a total of 65,534 possible host addresses for each Class B network.

Here's an example of how to find the valid hosts in a Class B network:

■ All host bits turned off is the network address: 172.16.0.0.
■ All host bits turned on is the broadcast address: 172.16.255.255.

The valid hosts would be the numbers in between the network address and the broadcast address: 172.16.0.1 through 172.16.255.254.

Class C Addresses

The first 3 bytes of a Class C network address are dedicated to the network portion of the address, with only 1 measly byte remaining for the host address. Here's the format:

network.network.network.host

Using the example IP address 192.168.100.102, the network address is 192.168.100 and the host address is 102.

In a Class C network address, the first three bit positions are always the binary 110. The calculation is as follows: 3 bytes, or 24 bits, minus 3 reserved positions leaves 21 positions. Hence, there are 2^21, or 2,097,152, possible Class C networks.

For Class C networks, the RFCs define the first 2 bits of the first octet as always turned on, but the third bit can never be on. Following the same process as for the previous classes, convert from binary to decimal to find the range. Here's the range for a Class C network:

11000000 = 192
11011111 = 223

So, if you see an IP address with a first octet from 192 up to 223, you'll know it's a Class C IP address.

Each unique Class C network has 1 byte to use for host addresses. This gets us to 2^8, or 256, minus the two reserved patterns of all 0s and all 1s, for a total of 254 available host addresses for each Class C network.

Here's an example of how to find a valid host ID in a Class C network:

■ All host bits turned off is the network ID: 192.168.100.0.
■ All host bits turned on is the broadcast address: 192.168.100.255.
The valid hosts would be the numbers in between the network address and the broadcast address: 192.168.100.1 through 192.168.100.254.

Class D and E Addresses

Addresses with a first octet of 224 to 255 are reserved for Class D and E networks. Class D (224–239) is used for multicast addresses, and Class E (240–255) is reserved for experimental use; neither class is assigned to hosts. They're really beyond the scope of this book, so I'm not going to go into detail about them here. But you do need to know that the multicast range is from 224.0.0.0 through 239.255.255.255.

Special Purposes of Network Addresses

Some IP addresses are reserved for special purposes, so network administrators can't ever assign them to hosts. Table 7.1 listed the members of this exclusive little club and the reasons why they're included in it.

Private IP Addresses (RFC 1918)

The people who created the IP addressing scheme also created what we call private IP addresses. These addresses can be used on a private network, but they're not routable through the Internet. This was designed for the purpose of creating a measure of much-needed security, but it also conveniently saves valuable IP address space. If every host on every network had to have real routable IP addresses, we would have run out of available IP addresses to hand out years ago. But by using private IP addresses, ISPs, corporations, and home users need only a relatively tiny group of bona fide IP addresses to connect their networks to the Internet. This is economical because they can use private IP addresses on their inside networks and get along just fine.

To accomplish this task, the ISP and the corporation—the end users, no matter who they are—need to use something called Network Address Translation (NAT), which basically takes a private IP address and converts it for use on the Internet. NAT provides a measure of security in that these IP addresses cannot be seen by external users. Don't mistake that for an access control, though: NAT hides addresses, it does not filter traffic, and an inbound port forward or a compromised internal host exposes the private network just the same, so a firewall policy is still required.
External users will only be able to see the public IP address to which the private IP address has been mapped. Moreover, multiple devices in the same private network can use the same, real IP address to transmit out onto the Internet. Doing things this way saves megatons of address space—a very good thing for us all!

Table 7.2 lists the reserved private addresses.

TABLE 7.2 Reserved IP address space

Address class   Reserved address space                  CIDR notation
Class A         10.0.0.0 through 10.255.255.255         10.0.0.0/8
Class B         172.16.0.0 through 172.31.255.255       172.16.0.0/12
Class C         192.168.0.0 through 192.168.255.255     192.168.0.0/16

So, What Private IP Address Should I Use?

That's a really great question: Should you use Class A, Class B, or even Class C private addressing when setting up your network? Let's take Acme Corporation in San Francisco as an example. This company is moving into a new building and needs a whole new network (what a treat this is!). It has 14 departments, with about 70 users in each. You could probably squeeze three or four Class C addresses to use, or maybe you could use a Class B, or even a Class A just for fun.

The rule of thumb in the consulting world is, when you're setting up a corporate network—regardless of how small it is—you should use a Class A network address because it gives you the most flexibility and growth options. For example, if you used the 10.0.0.0 network address with a /24 mask, then you'd have 65,536 networks, each with 254 hosts. Lots of room for growth with that network! You would then subnet this network address space using Classless Inter-Domain Routing (CIDR), which provides only the needed amount of hosts to each department or building without wasting IP addresses. (A /24 tells you that a subnet mask has 24 bits out of 32 bits turned on for subnetting a network. This will be covered, as well as CIDR, in more detail in Chapter 8.)
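The class ranges, the network/broadcast/usable-host arithmetic, the private ranges in Table 7.2 and the "65,536 /24 networks inside 10.0.0.0" count above can all be checked with the Python standard library. The following is an added example written for this edition, not code from the study guide: it classifies an address from its leading bits exactly as the class rules state, rejects the reserved first octets 0 and 127 and the Class D/E space, and uses constructed sample addresses.

```python
"""Classful IPv4 bookkeeping with the standard library ipaddress module."""
import ipaddress

# RFC 1918 private space (Table 7.2), written as CIDR blocks
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # classes that carry hosts


def address_class(addr):
    """Return 'A'..'E' from the leading bits of the first octet."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first >> 7 == 0b0:       # 0xxxxxxx -> 0-127
        return "A"
    if first >> 6 == 0b10:      # 10xxxxxx -> 128-191
        return "B"
    if first >> 5 == 0b110:     # 110xxxxx -> 192-223
        return "C"
    if first >> 4 == 0b1110:    # 1110xxxx -> 224-239, multicast
        return "D"
    return "E"                  # 1111xxxx -> 240-255, experimental


def classful_network(addr):
    """Network, broadcast and usable-host range implied by the address class."""
    cls = address_class(addr)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError(f"{addr} is class {cls}; it carries no host addresses")
    first = int(ipaddress.ip_address(addr)) >> 24
    if cls == "A" and first in (0, 127):
        raise ValueError(f"{addr}: first octet {first} is reserved (Table 7.1)")
    net = ipaddress.ip_network(f"{addr}/{CLASSFUL_PREFIX[cls]}", strict=False)
    return {
        "class": cls,
        "network": str(net.network_address),          # all host bits off
        "broadcast": str(net.broadcast_address),      # all host bits on
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,        # minus the two reserved patterns
    }


def is_private(addr):
    """True if the address falls in one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def subnet_count(block, new_prefix):
    """How many subnets of the new prefix length fit in the block, and the
    usable hosts in each; e.g. 10.0.0.0/8 cut into /24s."""
    net = ipaddress.ip_network(block)
    if new_prefix < net.prefixlen or new_prefix > 30:
        raise ValueError("new prefix must be longer than the block and leave host bits")
    subnets = 2 ** (new_prefix - net.prefixlen)
    hosts = 2 ** (32 - new_prefix) - 2
    return subnets, hosts


if __name__ == "__main__":
    # constructed sample addresses, one per class
    for sample in ("49.22.102.70", "172.16.30.56", "192.168.100.102"):
        info = classful_network(sample)
        print(sample, info, "private" if is_private(sample) else "public")
    print("10.0.0.0/8 as /24s:", subnet_count("10.0.0.0/8", 24))
```

`classful_network` uses `strict=False` so that a host address (not just a network number) can be handed in and the host bits are masked off by the class prefix, which is exactly what the "all host bits off / all host bits on" exercises above do by hand.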
But if you're setting up a home network, you'd opt for a Class C address because it is the easiest for people to understand and configure. Using the default Class C mask gives you one network with 254 hosts—plenty for a home network.

With the Acme Corporation, a nice 10.1.x.0 with a /24 mask (the x is the subnet for each department) makes this easy to design, install, and troubleshoot.

APIPA

I discussed this in Chapter 6, "Introduction to the Internet Protocol," but it is worth repeating here. What happens if you have a few hosts connected together with a switch or hub and you don't have a DHCP server? You can add static IP information to a host, or you can let Windows provide what is called Automatic Private IP Addressing (APIPA). I don't recommend this, but APIPA is a "feature," so you do need to remember it, hence mentioning it two chapters in a row!

With APIPA, clients can automatically self-configure an IP address and subnet mask, which is the minimum information needed for hosts to communicate when a DHCP server isn't available. In this way, it could be thought of as a DHCP failover scheme. If all of the hosts set themselves with an APIPA address, they could communicate with one another but unfortunately not with any addresses that were statically configured, such as default gateways!

The IP address range for APIPA is 169.254.0.1 through 169.254.255.254 (the 169.254.0.0/16 block). The client also configures itself with a default Class B subnet mask of 255.255.0.0. However, when you're in your corporate network and you're running a DHCP server, and your host displays that it is using this IP address range, this means that either your DHCP client on the host is not working or the DHCP server is down or can't be reached because of a network issue. For example, if you plug a DHCP client into a port that is disabled, the host will receive an APIPA address.
I don't know anyone who has seen a host in the APIPA address range and been happy about it!

IPv4 Address Types

Most people use broadcast as a generic term, and most of the time, we understand what they mean. But not always. For example, you might say, "The host broadcasted through a router to a DHCP server," but, well, it's pretty unlikely that this would ever really happen. What you probably mean—using the correct technical jargon—is, "The DHCP client broadcasted for an IP address; a router then forwarded this as a unicast packet to the DHCP server." Oh, and remember that with IPv4, broadcasts are pretty important, but with IPv6, there aren't any broadcasts sent at all—as you'll see in a bit!

Okay, I've referred to broadcast addresses throughout earlier chapters, and even showed you some examples of various IP addresses. But I really haven't gone into the different terms and uses associated with them yet, and it's about time I did. So here are the four IPv4 address types that I'd like to define for you:

Layer 2 Broadcasts  These are sent to all nodes on a LAN.

Broadcasts (Layer 3)  These are sent to all nodes on the network.

Unicast  This is an address for a single interface, and these are used to send packets to a single destination host.

Multicast  These are packets sent from a single source and transmitted to many devices on different networks. Referred to as one-to-many.

Layer 2 Broadcasts

First, understand that Layer 2 broadcasts are also known as hardware broadcasts—they only go out on a LAN, and they don't go past the LAN boundary (router). The typical hardware address is 6 bytes (48 bits) and looks something like 0c.43.a4.f3.12.c2. The broadcast would be all 1s in binary, which would be all Fs in hexadecimal, as in FF.FF.FF.FF.FF.FF.

Layer 3 Broadcasts

Then there are the plain old broadcast addresses at Layer 3. Broadcast messages are meant to reach all hosts on a broadcast domain.
These are the network broadcasts that have all host bits on. Here's an example that you're already familiar with: The network address of 172.16.0.0 would have a broadcast address of 172.16.255.255—all host bits on. Broadcasts can also be "any network and all hosts," as indicated by 255.255.255.255.

A good example of a broadcast message is an Address Resolution Protocol (ARP) request. When a host has a packet, it knows the logical address (IP) of the destination. To get the packet to the destination, the host needs to forward the packet to a default gateway if the destination resides on a different IP network. If the destination is on the local network, the source will forward the packet directly to the destination. Because the source doesn't have the MAC address to which it needs to forward the frame, it sends out a broadcast, something that every device in the local broadcast domain will listen to. This broadcast says, in essence, "If you are the owner of IP address 192.168.2.3, please forward your MAC address to me," with the source giving the appropriate information. Keep in mind that nothing in ARP authenticates the answer: any host on the segment can claim an address, which is what ARP spoofing relies on and why managed switches offer features such as Dynamic ARP Inspection.

Unicast Address

A unicast address is assigned to a single interface, and this term is used in both IPv4 and IPv6 to describe your host interface IP address.

Multicast Address (Class D)

Multicast is a different beast entirely. At first glance, it appears to be a hybrid of unicast and broadcast communication, but that isn't quite the case. Multicast does allow point-to-multipoint communication, which is similar to broadcasts, but it happens in a different manner. The crux of multicast is that it enables multiple recipients to receive messages without flooding the messages to all hosts on a broadcast domain. However, this is not the default behavior—it's what we can do with multicasting if it's configured correctly! Multicast works by sending messages or data to IP multicast group addresses.
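The sending host's "local or via the gateway?" decision and the ARP exchange it triggers, as an added example that is not code from the study guide. It builds the broadcast ARP request frame (destination MAC of all 1s, EtherType 0x0806, RFC 826 layout), parses it back, and has the constructed owner of the target IP answer with a unicast reply, which is the part an attacker forges when spoofing. All MAC and IP addresses are made-up sample values, and `arp_table` is a stand-in for the hosts listening on the segment.

```python
"""Ethernet broadcast, ARP request/reply and the next-hop decision."""
import ipaddress
import struct

ETH_BROADCAST = bytes.fromhex("ffffffffffff")   # all 1s: Layer 2 broadcast
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"                       # 28-byte ARP body for Ethernet/IPv4


def mac_bytes(mac):
    """'02:00:00:00:00:10' or '0c.43.a4.f3.12.c2' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def arp_target(src_ip, prefixlen, gateway, dst_ip):
    """Which IP the host must resolve: the destination itself if it is on the
    local network, otherwise the default gateway."""
    local = ipaddress.ip_network(f"{src_ip}/{prefixlen}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local else gateway


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet. A request goes to the
    broadcast MAC with the target MAC zeroed; a reply is unicast."""
    dst = ETH_BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(
        ARP_FMT,
        1,                       # hardware type: Ethernet
        0x0800,                  # protocol type: IPv4
        6, 4,                    # hardware / protocol address lengths
        op,
        mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
        mac_bytes(target_mac) if op == ARP_REPLY else b"\x00" * 6,
        ipaddress.ip_address(target_ip).packed,
    )
    return eth + arp


def parse_arp(frame):
    """Decode a frame; returns None if it is not ARP."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    return {
        "broadcast": dst == ETH_BROADCAST,
        "op": "request" if op == ARP_REQUEST else "reply",
        "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.ip_address(sip)),
        "target_mac": mac_str(tmac), "target_ip": str(ipaddress.ip_address(tip)),
    }


def resolve(host_ip, prefixlen, gateway, host_mac, dst_ip, arp_table):
    """One exchange: the host broadcasts a request for the right target, and
    the owner of that IP (looked up in the constructed arp_table, which plays
    the other hosts on the segment) answers by unicast. Returns the parsed
    reply, or None if nobody on the segment owns the address."""
    want = arp_target(host_ip, prefixlen, gateway, dst_ip)
    request = build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", want)
    req = parse_arp(request)
    owner_mac = arp_table.get(req["target_ip"])
    if owner_mac is None:
        return None
    reply = build_arp(ARP_REPLY, owner_mac, want, req["sender_mac"], req["sender_ip"])
    return parse_arp(reply)


if __name__ == "__main__":
    # constructed segment: 192.168.2.0/24 with a gateway and one other host
    segment = {"192.168.2.3": "00:11:22:33:44:55", "192.168.2.1": "aa:bb:cc:dd:ee:01"}
    print(resolve("192.168.2.10", 24, "192.168.2.1", "02:00:00:00:00:10", "192.168.2.3", segment))
    print(resolve("192.168.2.10", 24, "192.168.2.1", "02:00:00:00:00:10", "8.8.8.8", segment))
```

The second call in the `__main__` block shows the gateway case: the host never ARPs for 8.8.8.8, it ARPs for 192.168.2.1 and hands the packet to that MAC.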
Routers then forward copies (unlike broadcasts, which are not forwarded) of the packet out every interface that has hosts subscribed to a particular group address. This is where multicast differs from broadcast messages—with multicast communication, copies of packets, in theory, are sent only to subscribed hosts. When I say in theory, this means that the hosts will receive, for example, a multicast packet destined for 224.0.0.10 (this is an EIGRP packet, and only a router running the EIGRP protocol will read these). All hosts on the broadcast LAN (Ethernet is a broadcast multi-access LAN technology) will pick up the frame, read the destination address, and immediately discard the frame unless they are in the multicast group. This saves PC processing, not LAN bandwidth. (In practice a NIC drops unwanted multicast MAC addresses in hardware, and a switch running IGMP snooping forwards a group's frames only to ports where a member has joined; without snooping, the switch floods multicast to every port just like broadcast.) Multicasting can cause severe LAN congestion, in some instances, if not implemented carefully.

There are several different groups that users or applications can subscribe to. The range of multicast addresses starts with 224.0.0.0 and goes through 239.255.255.255. As you can see, this range of addresses falls within IP Class D address space based on classful IP assignment.

Internet Protocol Version 6 (IPv6)

People refer to IPv6 as "the next-generation Internet protocol," and it was originally created as the answer to IPv4's inevitable, looming address-exhaustion crisis. Though you've probably heard a thing or two about IPv6 already, it has been improved even further in the quest to bring us the flexibility, efficiency, capability, and optimized functionality that can truly meet our ever-increasing needs. The capacity of its predecessor, IPv4, pales in comparison—and that's the reason it will eventually fade into history completely.

The IPv6 header and address structure has been completely overhauled, and many of the features that were basically just afterthoughts and addendums in IPv4 are now included as full-blown standards in IPv6.
It's well equipped, poised, and ready to manage the mind-blowing demands of the Internet to come.

Why Do We Need IPv6?

Well, the short answer is because we need to communicate and our current system isn't really cutting it anymore—kind of like how the Pony Express couldn't compete with airmail. Just look at how much time and effort we've invested in coming up with slick new ways to conserve bandwidth and IP addresses. It's a reality that the number of people and devices that connect to networks increases each and every day. That's not a bad thing at all—we're finding new and exciting ways to communicate with more people all the time, something that's become integral to our culture today. In fact, it's now pretty much a basic human need.

But the forecast isn't exactly blue skies and sunshine because, as I alluded to in this chapter's introduction, IPv4, upon which our ability to communicate is presently dependent, is going to run out of addresses for us to use. IPv4 has only about 4.3 billion addresses available—in theory—and we know that we don't even get to use all of those. There really are only about 250 million addresses that can be assigned to devices. Sure, the use of Classless Inter-Domain Routing (CIDR) and NAT has helped to postpone the inevitable dearth of addresses, but the truth is we will run out of them, and it's going to happen within a few years. (At the top of the hierarchy it already has: IANA handed its last unreserved /8 blocks to the regional registries in February 2011.) China is barely online, and we know a huge population of people and corporations there surely want to be. There are a lot of reports that give us all kinds of numbers, but all you really need to think about to convince yourself that I'm not just being an alarmist is the fact that there are about 7.2 billion people in the world today, and it's estimated that just over 10 percent of that population is connected to the Internet—wow! IPv6 to the rescue!
That statistic is basically screaming at us the ugly truth that, based on IPv4's capacity, every person can't have a single computer with an IP address—let alone all the other devices we use with them. I have more than one computer, and it's pretty likely you do, too. And I'm not even including in the mix phones, laptops, game consoles, fax machines, routers, switches, and a mother lode of other devices we use every day! So I think I've made it pretty clear that we've got to do something before we run out of addresses and lose the ability to connect with each other as we know it. And that "something" just happens to be implementing IPv6.

The Benefits of and Uses for IPv6

What's so fabulous about IPv6? Is it really the answer to our coming dilemma? Is it really worth it to upgrade from IPv4? All good questions—you may even think of a few more. Of course, there's going to be that group of people with the time-tested and well-known "resistance-to-change syndrome," but don't listen to them. If we had done that years ago, we'd still be waiting weeks, even months for our mail to arrive via horseback. Instead, just know that the answer is a resounding YES! Not only does IPv6 give us lots of addresses (3.4 × 10^38 = definitely enough), but there are many other features built into this version that make it well worth the cost, time, and effort required to migrate to it.

Today's networks, as well as the Internet, have a ton of unforeseen requirements that simply were not considerations when IPv4 was created. We've tried to compensate with a collection of add-ons that can actually make implementing them more difficult than mandating them by a standard. By default, IPv6 has improved upon and included many of those features as standard and mandatory.
One of these sweet new standards is IPsec, a feature that provides end-to-end security and that I'll cover in Chapter 13, "Authentication and Access Control." (A caveat worth knowing: IPsec support was mandatory in the original IPv6 node requirements, but RFC 6434 relaxed that to a SHOULD, and even where it is implemented nothing is protected until a policy is configured. IPv6 traffic is not encrypted "by default.") Another little beauty is known as mobility, and as its name suggests, it allows a device to roam from one network to another without dropping connections. But it's the efficiency features that are really going to rock the house! For starters, the header in an IPv6 packet has half the fields, and they are aligned to 64 bits, which makes it considerably cheaper for a router to parse than an IPv4 header. Most of the information that used to be bound into the IPv4 header was taken out, and now you can choose to put it, or parts of it, back into the header in the form of optional extension headers that follow the basic header fields.

And of course there's that whole new universe of addresses (3.4 × 10^38) we talked about already. But where did we get them? Did that Criss Angel Mindfreak dude just show up and, blammo, they all materialized? The obvious answer is no, but that huge proliferation of addresses had to come from somewhere, right? Well, it just so happens that IPv6 gives us a substantially larger address space, meaning the address is a whole lot bigger—four times bigger, as a matter of fact! An IPv6 address is actually 128 bits in length, and no worries—I'm going to break down the address piece by piece and show you exactly what it looks like coming up in the next section, "IPv6 Addressing and Expressions." For now, let me just say that all that additional room permits more levels of hierarchy inside the address space and a more flexible address architecture. It also makes routing much more efficient and scalable because the addresses can be aggregated a lot more effectively. And IPv6 also allows multiple addresses for hosts and networks.
Plus, the new version of IP now includes an expanded use of multicast communication (one device sending to many hosts or to a select group), which will also join in to boost efficiency on networks because communications will be more specific.

IPv4 uses broadcasts very prolifically, causing a bunch of problems, the worst of which is of course the dreaded broadcast storm—an uncontrolled deluge of forwarded broadcast traffic that can bring an entire network to its knees and devour every last bit of bandwidth. Another nasty thing about broadcast traffic is that it interrupts each and every device on the network. When a broadcast is sent out, every machine has to stop what it's doing and analyze the traffic, whether the broadcast is meant for it or not.

But smile, everyone: There is no such thing as a broadcast in IPv6 because it uses multicast traffic instead. And there are two other types of communication as well: unicast, which is the same as it is in IPv4, and a new type called anycast. Anycast communication allows the same address to be placed on more than one device so that when traffic is sent to one device addressed in this way, it is routed to the nearest host that shares the same address. This is just the beginning—we'll get more into the various types of communication later in this chapter in the section "Address Types."

IPv6 Addressing and Expressions

Just as understanding how IP addresses are structured and used is critical with IPv4 addressing, it's also vital when it comes to IPv6. You've already read about the fact that at 128 bits, an IPv6 address is much larger than an IPv4 address. Because of this, as well as because of the new ways the addresses can be used, you've probably guessed that IPv6 will be more complicated to manage. But no worries! As I said, I'll break it down into the basics and show you what the address looks like, how you can write it, and what many of its common uses are.
It's going to be a little weird at first, but before you know it, you'll have it nailed. So let's take a look at Figure 7.2, which has a sample IPv6 address broken down into sections.

FIGURE 7.2 IPv6 address example

2001:0db8:3c4d:0012:0000:0000:1234:56ab
2001:0db8:3c4d = global prefix (48 bits); 0012 = subnet (16 bits); 0000:0000:1234:56ab = interface ID (64 bits)

As you can now see, the address is truly much larger—but what else is different? Well, first, notice that it has eight groups of numbers instead of four, and also that those groups are separated by colons instead of periods. And hey, wait a second…there are letters in that address! Yep, the address is expressed in hexadecimal just like a MAC address is, so you could say this address has eight 16-bit hexadecimal colon-delimited blocks. That's already quite a mouthful, and you probably haven't even tried to say the address out loud yet.

One other thing I want to point out is for when you set up your test network to play with IPv6, because I know you're going to want to do that. When you use a web browser to make an HTTP connection to an IPv6 device, you have to type the address into the browser with brackets around the literal address. Why? Well, a colon is already being used by the browser for specifying a port number. So basically, if you don't enclose the address in brackets, the browser will have no way to identify the information. Here's an example of how this looks:

http://[2001:0db8:3c4d:0012:0000:0000:1234:56ab]/default.html

Now obviously, if you could, you would rather use names to specify a destination (like www.lammle.com); but even though it's definitely going to be a pain in the rear, you just have to accept the fact that sometimes you have to bite the bullet and type in the address number. It should be pretty clear that DNS is going to become extremely important when implementing IPv6.
Shortened Expression

The good news is, there are a few tricks to help rescue you when you're writing these monster addresses. For one thing, you can actually leave out parts of the address to abbreviate it, but to get away with doing that you have to follow a couple of rules. First, you can drop any leading zeros in each of the individual blocks. After you do that, the sample address from earlier would then look like this:

2001:db8:3c4d:12:0:0:1234:56ab

That's a definite improvement—at least you don't have to write all of those extra zeros! But what about whole blocks that don't have anything in them except zeros? Well, you can kind of lose those, too—at least some of them. Again referring to our sample address, you can remove the two blocks of zeros by replacing them with double colons, like this:

2001:db8:3c4d:12::1234:56ab

Cool—you replaced the blocks of all zeros with double colons. The rule you have to follow to get away with this is that you can only replace one contiguous run of zero blocks in an address. So if my address has four blocks of zeros and each of them is separated, I don't get to replace them all. Check out this example:

2001:0000:0000:0012:0000:0000:1234:56ab

And just know that you can't do this:

2001::12::1234:56ab

Instead, this is the best that you can do:

2001::12:0:0:1234:56ab

The reason why this example is your best shot is that if you remove two sets of zeros, the device looking at the address will have no way of knowing where the zeros go back in. Basically, the router would look at the incorrect address and say, "Well, do I place two blocks into the first set of double colons and two into the second set, or do I place three blocks into the first set and one block into the second set?" And on and on it would go because the information the router needs just isn't there. (RFC 5952 pins down a single canonical text form: the :: replaces the longest run of zero blocks, the first run wins a tie, a lone zero block is never shortened to ::, and hex digits are lowercase. Normalize to that form before comparing or logging addresses; otherwise the same address written two different ways will slip past a string match or an allow list.)

Address Types

We're all familiar with IPv4's unicast, broadcast, and multicast addresses, which basically define who or at least how many other devices we're talking to.
But as I mentioned, IPv6 adds to that trio and introduces the anycast address type. Broadcasts, as we know them, have been eliminated in IPv6 because of their cumbersome inefficiency.

Since a single interface can have multiple types of IPv6 addresses assigned for various purposes, let's find out what each of these types of IPv6 addresses are and the communication methods of each:

Unicast  Packets addressed to a unicast address are delivered to a single interface, same as in IPv4. For load balancing, multiple interfaces can use the same address.

Global Unicast Addresses  These are your typical publicly routable addresses, and they're used the same way globally unique addresses are in IPv4.

Link-Local Addresses  These are like the APIPA addresses in IPv4 in that they're not meant to be routed and are unique for each link (LAN). Think of them as a handy tool that gives you the ability to throw a temporary LAN together for meetings or for creating a small LAN that's not going to be routed but still needs to share and access files and services locally. However, link-local is used on every LAN that connects to a router interface as well.

Unique Local Addresses  These addresses are also not meant to be routed on the Internet, but they are nearly globally unique, so it's unlikely you'll ever have one of them overlap with any other address. Unique local addresses were designed to replace site-local addresses, so they basically do almost exactly what IPv4 private addresses do—allow communication throughout a site while being routable to multiple local networks. The difference between link-local and unique local is that unique local can be routed within your organization or company.

Multicast  Again, as in IPv4, packets addressed to a multicast address are delivered to all interfaces identified by the multicast address. Sometimes people call them one-to-many addresses.
It's really easy to spot multicast addresses in IPv6 because they always start with FF.

Anycast  Like multicast addresses, an anycast address identifies multiple interfaces, but there's a big difference: The anycast packet is delivered to only one address—actually, to the nearest of the interfaces carrying that address, as measured by routing distance. And again, this address is special because you can apply a single address to more than one interface. You could call them one-to-one-of-many addresses, but just saying anycast is a lot easier. This is also referred to as one-to-nearest addressing.

You're probably wondering if there are any special, reserved addresses in IPv6 because you know they're there in IPv4. Well, there are—plenty of them! Let's go over them now.

Special Addresses

I'm going to list some of the addresses and address ranges that you should definitely make a point to remember because you'll eventually use them. They're all special or reserved for specific use, but unlike IPv4, IPv6 gives us a galaxy of addresses, so reserving a few here and there doesn't hurt a thing.

TABLE 7.3 Special IPv6 addresses

Address                          Meaning
0:0:0:0:0:0:0:0                  Equals ::. This is the equivalent of IPv4's 0.0.0.0 and is typically the source address of a host before the host receives an IP address when you're using DHCP-driven stateful configuration.
0:0:0:0:0:0:0:1                  Equals ::1. The equivalent of 127.0.0.1 in IPv4.
0:0:0:0:0:0:192.168.100.1        This is how an IPv4 address would be written in a mixed IPv6/IPv4 network environment. (This "IPv4-compatible" form is deprecated by RFC 4291; what you will actually see on dual-stack hosts is the IPv4-mapped form ::ffff:192.168.100.1.)
2000::/3                         The global unicast address range allocated for Internet access.
FC00::/7                         The unique local unicast range.
FE80::/10                        The link-local unicast range.
FF00::/8                         The multicast range.
3FFF:FFFF::/32                   Reserved for examples and documentation.
2001:0DB8::/32                   Also reserved for examples and documentation (RFC 3849).
2002::/16                        Used with 6to4 tunneling, which is an IPv4-to-IPv6 transition system.
The structure allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels.

Stateless Autoconfiguration (EUI-64)
Autoconfiguration is an especially useful solution because it allows devices on a network to address themselves with a link-local unicast address as well as with a global unicast address. This process happens through first learning the prefix information from the router and then appending the device's own interface address as the interface ID. But where does it get that interface ID? Well, you know every device on an Ethernet network has a physical MAC address, which is exactly what's used for the interface ID. But since the interface ID in an IPv6 address is 64 bits in length and a MAC address is only 48 bits, where do the extra 16 bits come from? The MAC address is padded in the middle with the extra bits—it's padded with FFFE. For example, let's say I have a device with a MAC address that looks like this: 0060:d673:1987. After it's been padded, it would look like this: 0260:d6FF:FE73:1987. Figure 7.3 illustrates what an EUI-64 address looks like.

Figure 7.3  EUI-64 interface ID assignment (figure: the OUI and unique-address halves of the MAC with the 16 bits FF FE inserted between them to form the 64-bit interface ID; the first byte is drawn as 000000X0, where X is the 7th bit, the U/L bit, labelled 10 = universally unique, 00 = locally unique)

So where did that 2 in the beginning of the address come from? Another good question. You see, part of the process of padding, called modified EUI-64 format, changes the Universal/Local (U/L) bit to specify if the address is locally unique or globally unique. And the bit that gets changed is the 7th bit in the address. The reason for modifying the U/L bit is that, when using manually assigned addresses on an interface, it means you can simply assign the address 2001:db8:1:9::1/64 instead of the much longer 2001:db8:1:9:0200::1/64.
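Here is the same pad-with-FFFE-and-flip-the-7th-bit procedure in code, as an added Python example rather than anything from the book; it assumes the MAC can arrive in dotted, colon or the book's four-hex-digit notation, uses the chapter's 2001:db8:0:1::/64 prefix, and the round trip back from an address to the MAC is my addition (it is also why an EUI-64 address reveals the hardware behind it).

```python
import ipaddress
import re


def mac_to_eui64_interface_id(mac: str) -> str:
    """Build the modified EUI-64 interface ID from a 48-bit MAC address.

    Accepts 0090.2716.fd0f, 00:90:27:16:fd:0f or the book's 0090:2716:fd0f.
    Steps: split the MAC in the middle, insert FFFE, then invert the 7th bit
    of the first byte (the Universal/Local bit, value 0x02).
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                    # flip the U/L bit (7th bit from the left)
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    # Four zero-padded 16-bit groups, e.g. 0290:27ff:fe16:fd0f
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix such as '2001:db8:0:1::/64' with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int(mac_to_eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_to_mac(address: str):
    """Reverse the process: recover the MAC from an EUI-64-derived address.

    Returns None when the interface ID does not carry the FFFE marker, i.e. the
    address was assigned some other way (manually, DHCPv6, privacy extensions).
    """
    low64 = ipaddress.IPv6Address(address).packed[8:]
    if low64[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(low64[:3] + low64[5:])
    octets[0] ^= 0x02                    # undo the U/L inversion
    return ":".join(f"{b:02x}" for b in octets)


def same_address(a: str, b: str) -> bool:
    """Compare two textual IPv6 addresses regardless of zero padding or :: compression."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    # The MAC addresses below are the ones the chapter works by hand.
    for mac in ("0060:d673:1987", "0090:2716:fd0f", "aa12:bcbc:1234",
                "0c0c:dede:1234", "0b34:ba12:1234"):
        print(mac, "->", mac_to_eui64_interface_id(mac),
              "->", eui64_address("2001:db8:0:1::/64", mac))
```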
Also, if you are going to manually assign link-local addresses, you can assign the short address fe80::1 instead of the long fe80::0200:0:0:1 or fe80:0:0:0:0200::1. So, even though at first glance it seems the IETF made this harder for you to simply understand IPv6 addressing by flipping the 7th bit, in reality this made addressing much simpler. Also, since most people don't typically override the burned-in address, the U/L bit is by default a 0, which means that you'll see this inverted to a 1 most of the time. But because you're studying the exam objectives, you'll need to look at inverting it both ways. Here are a few examples:

■ MAC address 0090:2716:fd0f
■ IPv6 EUI-64 address: 2001:0db8:0:1:0290:27ff:fe16:fd0f

That one was easy! Too easy for the exam objectives, so let's do another:

■ MAC address aa12:bcbc:1234
■ IPv6 EUI-64 address: 2001:0db8:0:1:a812:bcff:febc:1234

10101010 represents the first 8 bits of the MAC address (aa), which when inverting the 7th bit becomes 10101000. The answer becomes a8. I can't tell you how important this is for you to understand, so bear with me and work through a couple more!

■ MAC address 0c0c:dede:1234
■ IPv6 EUI-64 address: 2001:0db8:0:1:0e0c:deff:fede:1234

0c is 00001100 in the first 8 bits of the MAC address, which then becomes 00001110 when flipping the 7th bit. The answer is then 0e. Let's practice one more:

■ MAC address 0b34:ba12:1234
■ IPv6 EUI-64 address: 2001:0db8:0:1:0934:baff:fe12:1234

0b in binary is 00001011, the first 8 bits of the MAC address, which then becomes 00001001. The answer is 09. Pay extra-special attention to this EUI-64 address assignment and be able to convert the 7th bit based on the EUI-64 rules! Written Lab 14.3 will help you practice this.

DHCPv6 (Stateful)
DHCPv6 works pretty much the same way DHCP does in v4, with the obvious difference that it supports IPv6's new addressing scheme.
And it might come as a surprise, but there are a couple of other options that DHCP still provides for us that autoconfiguration doesn't. And no, I'm not kidding—in autoconfiguration, there's absolutely no mention of DNS servers, domain names, or many of the other options that DHCP has always generously provided for us via IPv4. This is a big reason that the odds favor DHCP's continued use in IPv6 into the future at least partially—maybe even most of the time! This means that you're definitely going to need another server around to supply and dispense all the additional, required information—maybe to even manage the address assignment, if needed!

Migrating to IPv6
We certainly have talked a lot about how IPv6 works and how we can configure it to work on our networks, but what is doing that going to cost us? And how much work is it really going to take? Good questions for sure, but the answers to them won't be the same for everyone. This is because how much you are going to end up having to pony up is highly dependent upon what you've got going on already in terms of your infrastructure. Obviously, if you've been making your really old routers and switches "last" and therefore have to upgrade every one of them so that they're IPv6 compliant, that could very well turn out to be a good-sized chunk of change! Oh, and that sum doesn't even include server and computer operating systems (OSs) and the blood, sweat, and maybe even tears spent on making all your applications compliant. So, my friend, it could cost you quite a bit! The good news is that unless you've really let things go, many OSs and network devices have been IPv6 compliant for a few years—we just haven't been using all their features until now.

Then there's that other question about the amount of work and time. Straight up—this one could still be pretty intense.
No matter what, it's going to take you some time to get all of your systems moved over and make sure that things are working correctly. And if you're talking about a huge network with tons of devices, well, it could take a really long time! But don't panic—that's why migration strategies have been created, to allow for a gradual integration. I'm going to show you three of the primary transition strategies available to us. The first is called dual stacking, which allows a device to have both the IPv4 and IPv6 protocol stacks running so it's capable of continuing on with its existing communications and simultaneously running newer IPv6 communications as they're implemented. The next strategy is the 6to4 tunneling approach; this is your choice if you have an all-IPv6 network that must communicate over an IPv4 network to reach another IPv6 network. I'll surprise you with the third one just for fun!

Dual Stacking
This is the most common type of migration strategy because, well, it's the easiest on us—it allows our devices to communicate using either IPv4 or IPv6. Dual stacking lets you upgrade your devices and applications on the network one at a time. As more and more hosts and devices on the network are upgraded, more of your communication will happen over IPv6, and after you've arrived—everything's running on IPv6 and you get to remove all the old IPv4 protocol stacks you no longer need.

6to4 Tunneling
6to4 tunneling is really useful for carrying IPv6 packets over a network that's still running IPv4. It's quite possible that you'll have IPv6 subnets or other portions of your network that are all IPv6, and those networks will have to communicate with each other. Not so complicated, but when you consider that you might find this happening over a WAN or some other network that you don't control, well, that could be a bit ugly. So what do we do about this if we don't control the whole tamale?
Create a tunnel that will carry the IPv6 traffic for us across the IPv4 network, that's what. The whole idea of tunneling isn't a difficult concept, and creating tunnels really isn't as hard as you might think. All it really comes down to is snatching the IPv6 packet that's happily traveling across the network and sticking an IPv4 header onto the front of it. Kind of like catch and release fishing, except for the fish doesn't get something plastered on its face before being thrown back into the stream. To get a picture of this, take a look at Figure 7.4.

Nice—but to make this happen, we're going to need a couple of dual-stacked routers, which I just demonstrated for you, so you should be good to go. Now we have to add a little configuration to place a tunnel between those routers. Tunnels are pretty simple—we just have to tell each router where the tunnel begins and where we want it to end up. The opposite of this would be a 4to6 tunnel, which is rare to find because this means your whole business network is IPv4 (okay, this sounds normal so far) but you're traversing an IPv6-only Internet to get to another IPv4 network. Not so common at the time of this writing.

One important note here—if the IPv4 network that you're traversing in this 6to4 situation has a NAT translation point, it would absolutely break the tunnel encapsulation we've just created! Over the years, NAT has been upgraded a lot so that it can handle specific protocols and dynamic connections, and without one of these upgrades, NAT likes to demolish most connections. And since this transition strategy isn't present in most NAT implementations, that means trouble.
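As an added example, not the book's own code, here is the encapsulation just described in Python: the IPv6 packet gets an IPv4 header with protocol number 41 stuck on the front, and the far router strips it off again. The IPv4 endpoints are the ones in Figure 7.4; the inner 6to4 addresses (2002:c0a8:2801::1 and 2002:c0a8:1e01::1, derived from those endpoints), the payload and the 203.0.113.7 NAT address are constructed, and the source-consistency check is an assumed receiver sanity check, included to show concretely what breaks when a NAT rewrites the outer source.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # IP protocol number for IPv6 carried inside IPv4 (6to4, 6in4)


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sixto4_prefix(ipv4: str) -> str:
    """The /48 a 6to4 router derives from its IPv4 address: 2002:<32 bits of IPv4>::/48.

    Real 6to4 needs a globally routable IPv4 address; the figure's private
    192.168.x addresses are used here only to stay consistent with the chapter.
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 packet: version 6, payload length, next header (59 = none), hop limit 64."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Put a 20-byte IPv4 header (protocol 41, no options) in front of the IPv6 packet."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64,
                         PROTO_IPV6_IN_IPV4, 0,
                         ipaddress.IPv4Address(outer_src).packed,
                         ipaddress.IPv4Address(outer_dst).packed)
    checksum = ipv4_header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + ipv6_packet


def decapsulate(frame: bytes):
    """Validate the outer IPv4 header and return (outer src, outer dst, inner IPv6 packet)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_header_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != PROTO_IPV6_IN_IPV4:
        raise ValueError(f"outer protocol {frame[9]} is not 41; no IPv6 tunnel inside")
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return (str(ipaddress.IPv4Address(frame[12:16])),
            str(ipaddress.IPv4Address(frame[16:20])), inner)


def sixto4_source_consistent(frame: bytes) -> bool:
    """Does the outer IPv4 source match the IPv4 address embedded in the inner 6to4 source?

    Assumed receiver sanity check (not from the chapter). A NAT on the path rewrites
    the outer source, so the embedded address no longer matches and the check fails;
    protocol 41 also carries no ports for a NAT to map replies back with.
    """
    outer_src, _, inner = decapsulate(frame)
    inner_src = inner[8:24]
    if inner_src[:2] != b"\x20\x02":          # not a 2002::/16 address
        return False
    return inner_src[2:6] == ipaddress.IPv4Address(outer_src).packed


if __name__ == "__main__":
    # IPv4 endpoints from Figure 7.4; inner addresses and payload are constructed.
    pkt = build_ipv6_packet("2002:c0a8:2801::1", "2002:c0a8:1e01::1", b"constructed payload")
    frame = encapsulate("192.168.40.1", "192.168.30.1", pkt)
    print("6to4 prefix of 192.168.40.1:", sixto4_prefix("192.168.40.1"))
    print("outer protocol:", frame[9], "consistent:", sixto4_source_consistent(frame))
    natted = encapsulate("203.0.113.7", "192.168.30.1", pkt)   # outer source rewritten by a NAT
    print("after NAT, consistent:", sixto4_source_consistent(natted))
```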
Figure 7.4  A 6to4 tunnel (figure: two dual-stack routers, Router1 and Router2, each fronting an IPv6 host and network, connected across an IPv4 network; the router addresses shown are IPv4 192.168.40.1 with IPv6 2001:db8:2:2::1 and IPv4 192.168.30.1 with IPv6 2001:db8:1:1::1; the IPv6 packet travels encapsulated in an IPv4 packet)

But there is a way around this little problem, and it's called Teredo, which allows all your tunnel traffic to be placed in UDP packets. NAT doesn't blast away at UDP packets, so they won't get broken as other protocol packets do. So with Teredo in place and your packets disguised under their UDP cloak, the packets will easily slip by NAT alive and well!

Miredo is a tunneling technique used on native IPv6 Linux and BSD Unix machines to communicate on the IPv4 Internet directly without a dual-stack router or 6to4 tunnel. This is rarely used.

Summary
In this chapter, I covered the very basics of both IPv4 and IPv6 and how they work in an internetwork (remember that if the word IP is used alone, it is referring to just IPv4). As you now know by reading this chapter, even when discussing and configuring the basics, there is a lot to understand—and we just scratched the surface. But trust me when I say this—you now know more than you'll need to meet the Network+ objectives.

I discussed in detail the difference between each class of address and how to find a network address, broadcast address, and valid host range. I explained why we need IPv6 and the benefits associated with it. I followed that up by covering addressing with IPv6 as well as how to use the shortened expressions. And during the discussion on addressing with IPv6, I showed you the different address types, plus the special addresses reserved in IPv6.

The next chapter is very important, but it's one that some people find rather challenging, so take a break and get ready for a really fun but long chapter on IP subnetting. I promise not to torture you too much!
Exam Essentials

Remember the Class A range. The IP range for a Class A network is 1 through 126. This provides 8 bits of network addressing and 24 bits of host addressing by default.

Remember the Class B range. The IP range for a Class B network is 128 through 191. Class B addressing provides 16 bits of network addressing and 16 bits of host addressing by default.

Remember the Class C range. The IP range for a Class C network is 192 through 223. Class C addressing provides 24 bits of network addressing and 8 bits of host addressing by default.

Remember the Private IP ranges. The Class A private address range is 10.0.0.0 through 10.255.255.255. The Class B private address range is 172.16.0.0 through 172.31.255.255. The Class C private address range is 192.168.0.0 through 192.168.255.255.

Remember the APIPA range. The IP address range for APIPA is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default Class B subnet mask of 255.255.0.0.

Understand why we need IPv6. Without IPv6, the world would soon be depleted of IP addresses.

Understand link-local. Link-local addresses are like an IPv4 APIPA IP address, but they can't be routed at all, not even in your organization.

Understand unique local. This, like link-local, is like a private IP address in IPv4 and cannot be routed to the Internet. However, the difference between link-local and unique local is that unique local can be routed within your organization or company.

Remember IPv6 addressing. IPv6 addressing is not like IPv4 addressing. IPv6 addressing has much more address space and the address is 128 bits long, represented in hexadecimal, unlike an IPv4 address, which is only 32 bits long and represented in decimal.

Understand and be able to read an EUI-64 address with the 7th bit inverted. Hosts can use autoconfiguration to obtain an IPv6 address, and one of the ways is through what is called EUI-64.
This takes the unique MAC address of a host and inserts FF:FE in the middle of the address to change a 48-bit MAC address to a 64-bit interface ID. In addition to inserting the 16 bits into the interface ID, the 7th bit of the first byte is inverted, typically from a 0 to a 1. Practice this with Written Lab 7.3.

Written Lab
You can find the answers in Appendix A.

Written Lab 7.1
Provide the answers to the following questions:
1. What is the valid range used for a Class C private IP address?
2. Name some of the benefits of IPv6 over IPv4.
3. What is the term for the autoconfiguration technology responsible for addresses that start with 169.254?
4. What defines a unicast address?
5. What defines a multicast address?
6. What is the name for a 48-bit (6-byte) numerical address physically assigned to a network interface, such as a NIC?
7. What gives IPv6 the ability to reference more addresses than IPv4?
8. What is the private address range for Class B networks?
9. What is the Class C range of values for the first octet in decimal and in binary?
10. What is the 127.0.0.1 address used for?

Written Lab 7.2
In this lab, write the answers to the following IPv6 questions:
1. Which type of packet is addressed and delivered to only a single interface?
2. Which type of address is used just like a regular public routable address in IPv4?
3. Which type of address is not meant to be routed?
4. Which type of address is not meant to be routed to the Internet but is still globally unique?
5. Which type of address is meant to be delivered to multiple interfaces?
6. Which type of address identifies multiple interfaces, but packets are delivered only to the first address it finds?
7. Which addressing type is also referred to as one-to-nearest?
8. IPv4 had a loopback address of 127.0.0.1. What is the IPv6 loopback address?
9. What does a link-local address always start with?
10.
What does a unique local unicast range start with?

Written Lab 7.3
In this lab, you will practice inverting the 7th bit of an EUI-64 address. Use the prefix 2001:db8:1:1/64 for each address.
1. Convert the following MAC address into an EUI-64 address: 0b0c:abcd:1234
2. Convert the following MAC address into an EUI-64 address: 060c:32f1:a4d2
3. Convert the following MAC address into an EUI-64 address: 10bc:abcd:1234
4. Convert the following MAC address into an EUI-64 address: 0d01:3a2f:1234
5. Convert the following MAC address into an EUI-64 address: 0a0c.abac.caba

Review Questions
You can find the answers to the review questions in Appendix B.

1. Which of the following addresses is not allowed on the Internet?
A. 191.192.168.1
B. 191.168.169.254
C. 172.32.255.0
D. 172.31.12.251

2. A host automatically configured with an address from which of the following ranges indicates an inability to contact a DHCP server?
A. 169.254.0.x with a mask of 255.255.255.0
B. 169.254.x.x with a mask of 255.255.0.0
C. 169.254.x.x with a mask of 255.255.255.0
D. 169.255.x.x with a mask of 255.255.0.0

3. Which statement regarding private IP addresses is most accurate?
A. Private addresses cannot be used in intranets that require routing.
B. Private addresses must be assigned by a registrar or ISP.
C. A remote host across the Internet cannot ping your host if it has a private address.
D. Private addresses can only be used by a single administrative domain.

4. Which of the following is a valid Class A address?
A. 191.10.0.1
B. 127.10.0.1
C. 128.10.0.1
D. 126.10.0.1

5. Which of the following is a valid Class B address?
A. 10.1.1.1
B. 126.1.1.1
C. 129.1.1.1
D. 192.168.1.1

6. Which of the following describes a broadcast address?
A. All network bits are on (1s).
B. All host bits are on (1s).
C. All network bits are off (0s).
D. All host bits are off (0s).

7.
Which of the following is a Layer 2 broadcast?
A. FF.FF.FF.EE.EE.EE
B. FF.FF.FF.FF.FF.FF
C. 255.255.255.255
D. 255.0.0.0

8. In a Class C IP address, how long is the network address?
A. 8 bits
B. 16 bits
C. 24 bits
D. 32 bits

9. Which of the following is true when describing a unicast address?
A. Packets addressed to a unicast address are delivered to a single interface.
B. These are your typical publicly routable addresses, just like regular publicly routable addresses in IPv4.
C. These are like private addresses in IPv4 in that they are not meant to be routed.
D. These addresses are meant for nonrouting purposes, but they are almost globally unique so it is unlikely they will have an address overlap.

10. A host is rebooted and you view the IP address that it was assigned. The address is 169.123.13.34. Which of the following happened?
A. The host received an APIPA address.
B. The host received a multicast address.
C. The host received a public address.
D. The host received a private address.

11. An IPv4 address uses 32 bits. How many bits is an IPv6 address?
A. 64
B. 128
C. 192
D. 255

12. Which of the following is true when describing a multicast address?
A. Packets addressed to a unicast address from a multicast address are delivered to a single interface.
B. Packets are delivered to all interfaces identified by the address. This is also called a one-to-many address.
C. It identifies multiple interfaces and is delivered to only one address. This address can also be called one-to-one-of-many.
D. These addresses are meant for nonrouting purposes, but they are almost globally unique so it is unlikely they will have an address overlap.

13. Which of the following is true when describing an anycast address?
A. Packets addressed to a unicast address from an anycast address are delivered to a single interface.
B. Packets are delivered to all interfaces identified by the address.
This is also called a one-to-many address.
C. This address identifies multiple interfaces, and the anycast packet is delivered to only one address: the closest one. This address can also be called one-to-nearest.
D. These addresses are meant for nonrouting purposes, but they are almost globally unique so it is unlikely they will have an address overlap.

14. You want to ping the loopback address of your local host. Which two addresses could you type? (Choose two.)
A. ping 127.0.0.1
B. ping 0.0.0.0
C. ping ::1
D. trace 0.0.::1

15. What two statements about IPv6 addresses are true?
A. Leading zeros are required.
B. Two colons (::) are used to represent successive hexadecimal fields of zeros.
C. Two colons (::) are used to separate fields.
D. A single interface will have multiple IPv6 addresses of different types.

16. What two statements about IPv4 and IPv6 addresses are true? (Choose two.)
A. An IPv6 address is 32 bits long, represented in hexadecimal.
B. An IPv6 address is 128 bits long, represented in decimal.
C. An IPv4 address is 32 bits long, represented in decimal.
D. An IPv6 address is 128 bits long, represented in hexadecimal.

17. Which of the following is a Class C network address?
A. 10.10.10.0
B. 127.0.0.1
C. 128.0.0.0
D. 192.255.254.0

18. Which of the following are private IP addresses? (Choose two.)
A. 12.0.0.1
B. 168.172.19.39
C. 172.20.14.36
D. 172.33.194.30
E. 192.168.24.43

19. IPv6 unicast routing is running on the Corp router. Which of the following addresses would be used as the EUI-64 address?

Corp#sh int f0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 000d.bd3b.0d80 (bia 000d.bd3b.0d80)
[output cut]

A. FF02::3c3d:0d:bdff:fe3b:0d80
B. FE80::3c3d:2d:bdff:fe3b:0d80
C. FE80::3c3d:0d:bdff:fe3b:0d80
D. FE80::3c3d:2d:ffbd:3bfe:0d80

20. Which of the following is an invalid IP address for a host?
A. 10.0.0.1
B. 128.0.0.1
C. 224.0.0.1
D.
172.0.0.1

Chapter 8
IP Subnetting, Troubleshooting IP, and Introduction to NAT

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.3 Install and configure the following networking services/applications
  ■ NAT
    ■ PAT
    ■ SNAT
    ■ DNAT
  ■ Port forwarding
✓ 1.8 Given a scenario, implement and configure the appropriate addressing schema
  ■ IPv4
    ■ Subnetting
  ■ NAT/PAT

This chapter's focus will really zoom in on IP addressing to ensure that you have it nailed down tight. This is an integral aspect of networking, and it's important to your success on the exams and as a professional, too! We'll start with subnetting an IP network. You're going to have to really apply yourself because it takes time and practice in order to do subnetting correctly and quickly. So be patient and do whatever it takes to get this stuff dialed in. This chapter truly is important—possibly the most important chapter in this book for you to understand. Make it part of you!

I'll thoroughly cover IP subnetting from the very beginning. I know this might sound weird to you, but I think you'll be much better off if you can try to forget everything you've learned about subnetting before reading this chapter—especially if you've been to a Microsoft class!

I'll also take you through IP address troubleshooting and walk you through each of the steps recommended when you're faced with troubleshooting an IP network. Finally, I'll finish up with an introduction to Network Address Translation (NAT)—there are various types of NAT, and you need to know when you would use each one.

So get psyched—you're about to go for quite a ride! This chapter will truly help you understand IP addressing and networking, so don't get discouraged or give up. If you stick with it, I promise that one day you'll look back on this and be really glad you decided to stay the course.
It's one of those things that after you understand it, you'll laugh at that time, way back when, when you thought this was hard. So, are you ready now? Let's go!

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book's website at www.sybextestbanks.wiley.com.

Subnetting Basics
In Chapter 7, "IP Addressing," you learned how to define and find the valid host ranges used in a Class A, Class B, or Class C network address by turning the host bits all off and then all on. This is very good, but here's the catch: You were defining only one network. What would happen if you wanted to take one network address and create six networks from it? You would have to do something called subnetting, because that's what allows you to take one larger network and break it into a bunch of smaller networks.

There are loads of reasons in favor of subnetting, including the following benefits:

Reduced Network Traffic
We all appreciate less traffic of any kind. With networks, it's no different. Without trusty routers, packet traffic could grind the entire network down to a near standstill. With routers, most traffic will stay on the local network; only packets destined for other networks will pass through the router. Routers create broadcast domains. The more broadcast domains you create, the smaller the broadcast domains and the less network traffic on each network segment.

Optimized Network Performance
This is the very cool reward you get when you reduce network traffic!

Simplified Management
It's easier to identify and isolate network problems in a group of smaller connected networks than within one gigantic network.

Facilitated Spanning of Large Geographical Distances
Because WAN links are considerably slower and more expensive than LAN links, a single large network that spans long distances can create problems in every area previously listed.
Connecting multiple smaller networks makes the system more efficient.

Next, we're going to move on to subnetting a network address. This is the good part—ready?

How to Create Subnets
To create subnetworks, you take bits from the host portion of the IP address and reserve them to define the subnet address. This means fewer bits for hosts, so the more subnets, the fewer bits are left available for defining hosts.

Soon, I'll show you how to create subnets, starting with Class C addresses. But before you actually implement subnetting, you really need to determine your current requirements as well as plan for future conditions. Follow these steps—they're your recipe for solid design:

1. Determine the number of required network IDs:
   ■ One for each subnet
   ■ One for each wide area network (WAN) connection
2. Determine the number of required host IDs per subnet:
   ■ One for each TCP/IP host
   ■ One for each router interface
3. Based on the previous requirements, create the following:
   ■ One subnet mask for your entire network
   ■ A unique subnet ID for each physical segment
   ■ A range of host IDs for each subnet

Understanding the Powers of 2
By the way, powers of 2 are really important to memorize for use with IP subnetting. To review powers of 2, remember that when you see a number with another number to its upper right (an exponent), this means you should multiply the number by itself as many times as the upper number specifies. For example, 2^3 is 2 × 2 × 2, which equals 8. Here's a list of powers of 2 that you should commit to memory:

2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
2^9 = 512
2^10 = 1,024
2^11 = 2,048
2^12 = 4,096
2^13 = 8,192
2^14 = 16,384

If you hate math, don't get stressed out about knowing all these exponents—it's helpful to know them, but it's not absolutely necessary.
Here's a little trick, because you're working with 2s: Each successive power of 2 is double the previous one. For example, all you have to do to remember the value of 2^9 is to first know that 2^8 = 256. Why? Because when you double 2 to the eighth power (256), you get 2^9 (or 512). To determine the value of 2^10, simply start at 2^8 = 256, and then double it twice. You can go the other way as well. If you needed to know what 2^6 is, for example, you just cut 256 in half two times: once to reach 2^7 and then one more time to reach 2^6. Not bad, right?

Subnet Masks
For the subnet address scheme to work, every machine on the network must know which part of the host address will be used as the subnet address. This is accomplished by assigning a subnet mask to each machine. A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion of the IP address from the host ID portion of the IP address.

The network administrator creates a 32-bit subnet mask composed of 1s and 0s. The 1s in the subnet mask represent the positions that refer to the network, or subnet, addresses.

Not all networks need subnets, meaning they use the default subnet mask. This is basically the same as saying that a network doesn't have a subnet address. Table 8.1 shows the default subnet masks for Classes A, B, and C. These default masks cannot and do not change. In other words, you can't make a Class B subnet mask read 255.0.0.0. If you try, the host will read that address as invalid and usually won't even let you type it in. For a Class A network, you can't change the first byte in a subnet mask; it must read 255.0.0.0 at a minimum. Similarly, you cannot assign 255.255.255.255, because this is all 1s—a broadcast address. A Class B address must start with 255.255.0.0, and a Class C has to start with 255.255.255.0. Check out Table 8.1.
Table 8.1  Default subnet mask

Class  Format                        Default subnet mask
A      network.host.host.host        255.0.0.0
B      network.network.host.host     255.255.0.0
C      network.network.network.host  255.255.255.0

Classless Inter-Domain Routing (CIDR)
Another term you need to know is Classless Inter-Domain Routing (CIDR). It's basically the method that Internet service providers (ISPs) use to allocate a number of addresses to a company or a home connection. They provide addresses in a certain block size; I'll be going into that in greater detail later in this chapter.

When you receive a block of addresses from an ISP, what you get will look something like this: 192.168.10.32/28. This is telling you what your subnet mask is. The slash notation (/) means how many bits are turned on (1s). Obviously, the maximum could only be /32 because a byte is 8 bits and there are 4 bytes in an IP address: 4 × 8 = 32. But keep in mind that the largest subnet mask available (regardless of the class of address) can only be a /30 because you have to keep at least 2 bits for host bits.

Take, for example, a Class A default subnet mask, which is 255.0.0.0. This means that the first byte of the subnet mask is all ones (1s), or 11111111. When referring to a slash notation, you need to count all the 1s bits to figure out your mask. The 255.0.0.0 is considered a /8 because it has 8 bits that are 1s—that is, 8 bits that are turned on.

A Class B default mask would be 255.255.0.0, which is a /16 because 16 bits are 1s: 11111111.11111111.00000000.00000000.

Table 8.2 offers a listing of every available subnet mask and its equivalent CIDR slash notation.
Table 8.2  CIDR values

Subnet Mask      CIDR Value
255.0.0.0        /8
255.128.0.0      /9
255.192.0.0      /10
255.224.0.0      /11
255.240.0.0      /12
255.248.0.0      /13
255.252.0.0      /14
255.254.0.0      /15
255.255.0.0      /16
255.255.128.0    /17
255.255.192.0    /18
255.255.224.0    /19
255.255.240.0    /20
255.255.248.0    /21
255.255.252.0    /22
255.255.254.0    /23
255.255.255.0    /24
255.255.255.128  /25
255.255.255.192  /26
255.255.255.224  /27
255.255.255.240  /28
255.255.255.248  /29
255.255.255.252  /30

Make a note to self that the /8 through /15 can be used only with Class A network addresses; /16 through /23 can be used by Class A and B network addresses; /24 through /30 can be used by Class A, B, and C network addresses. This is a big reason why most companies use Class A network addresses. By being allowed the use of all subnet masks, they gain the valuable benefit of maximum flexibility for their network design.

Subnetting Class C Addresses
There are many different ways to subnet a network. The right way is the way that works best for you. In a Class C address, only 8 bits are available for defining the hosts. Remember that subnet bits start at the left and go to the right, without skipping bits. This means that the only Class C subnet masks can be those listed here:

Binary    Decimal  CIDR
00000000  0        /24
10000000  128      /25
11000000  192      /26
11100000  224      /27
11110000  240      /28
11111000  248      /29
11111100  252      /30

We can't use a /31 or /32 because, remember, we have to leave at least 2 host bits for assigning IP addresses to hosts.

Get ready for something special. I'm going to teach you an alternate method of subnetting that makes it a whole lot easier to subnet larger numbers in no time. And trust me, you really do need to be able to subnet fast!

Subnetting a Class C Address: The Fast Way!
When you've chosen a possible subnet mask for your network and need to determine the number of subnets, valid hosts, and broadcast addresses of a subnet that the mask provides, all you need to do is answer five simple questions:

■ How many subnets does the chosen subnet mask produce?
■ How many valid hosts per subnet are available?
■ What are the valid subnets?
■ What's the broadcast address of each subnet?
■ What are the valid hosts in each subnet?

At this point, it's important that you both understand and have memorized your powers of 2. Please refer to the sidebar "Understanding the Powers of 2" earlier in this chapter if you need some help. Here's how you get the answers to those five big questions:

■ How many subnets? 2^x = number of subnets. x is the number of masked bits, or the 1s. For example, in 11000000, the number of 1s gives us 2^2 subnets. In this example, there are 4 subnets.
■ How many hosts per subnet? 2^y - 2 = number of hosts per subnet. y is the number of unmasked bits, or the 0s. For example, in 11000000, the number of 0s gives us 2^6 - 2 hosts. In this example, there are 62 hosts per subnet. You need to subtract 2 for the subnet address and the broadcast address, which are not valid hosts.
■ What are the valid subnets? 256 - subnet mask = block size, or increment number. An example would be 256 - 192 = 64. The block size of a 192 mask is always 64. Start counting at zero in blocks of 64 until you reach the subnet mask value, and these are your subnets: 0, 64, 128, 192. Easy, huh?
■ What's the broadcast address for each subnet? Now here's the really easy part. Because we counted our subnets in the last section as 0, 64, 128, and 192, the broadcast address is always the number right before the next subnet. For example, the 0 subnet has a broadcast address of 63 because the next subnet is 64. The 64 subnet has a broadcast address of 127 because the next subnet is 128. And so on. And remember, the broadcast of the last subnet is always 255.
■ What are the valid hosts? Valid hosts are the numbers between the subnets, omitting all the 0s and all the 1s. For example, if 64 is the subnet number and 127 is the broadcast address, then 65-126 is the valid host range; it's always the numbers between the subnet address and the broadcast address.

I know this can truly seem confusing. But it really isn't as hard as it seems to be at first, so just hang in there! Why not try a few and see for yourself?

Subnetting Practice Examples: Class C Addresses

Here's your opportunity to practice subnetting Class C addresses using the method I just described. Exciting, isn't it? We're going to start with the first Class C subnet mask and work through every subnet that we can using a Class C address. When we're done, I'll show you how easy this is with Class A and B networks too!

Practice Example #1C: 255.255.255.128 (/25)

Because 128 is 10000000 in binary, there is only 1 bit for subnetting, and there are 7 bits for hosts. We're going to subnet the Class C network address 192.168.10.0.

192.168.10.0 = Network address
255.255.255.128 = Subnet mask

Now, let's answer the big five:

■ How many subnets? Because 128 is 1 bit on (10000000), the answer is 2^1 = 2.
■ How many hosts per subnet? We have 7 host bits off (10000000), so the equation is 2^7 - 2 = 126 hosts.
■ What are the valid subnets? 256 - 128 = 128. Remember, we'll start at zero and count in our block size, so our subnets are 0, 128.
■ What's the broadcast address for each subnet? The number right before the value of the next subnet is all host bits turned on and equals the broadcast address. For the 0 subnet, the next subnet is 128, so the broadcast of the 0 subnet is 127.
■ What are the valid hosts? These are the numbers between the subnet and broadcast address. The easiest way to find the hosts is to write out the subnet address and the broadcast address. This way, the valid hosts are obvious.

The following table shows the 0 and 128 subnets, the valid host ranges of each, and the broadcast address of both subnets:

Subnet       0     128
First host   1     129
Last host    126   254
Broadcast    127   255

Before moving on to the next example, take a look at Figure 8.1. Okay, looking at a Class C /25, it's pretty clear there are two subnets. But so what? Why is this significant? Well actually, it's not, but that's not the right question. What you really want to know is what you would do with this information!

FIGURE 8.1 Implementing a Class C /25 logical network
[Figure: two LAN segments joined by one router. Addresses .1 through .4 sit on the 192.168.10.0 segment (Ethernet 0); addresses .129 through .132 sit on the 192.168.10.128 segment (Ethernet 1).]

Router#show ip route
[output cut]
C 192.168.10.0 is directly connected to Ethernet 0.
C 192.168.10.128 is directly connected to Ethernet 1.

The key to understanding subnetting is to understand the very reason you need to do it. And I'm going to demonstrate this by going through the process of building a physical network, and let's add a router. (We now have an internetwork, as I truly hope you already know!) Because we added that router, in order for the hosts on our internetwork to communicate, they must now have a logical network addressing scheme. We could use IPv6, but IPv4 is still the most popular, and it also just happens to be what we're studying at the moment, so that's what we're going with.

Now take a look back at Figure 8.1. By the way, the output you see below the diagram is the routing table of the router, which was displayed by executing the show ip route command on the router. There are two physical networks, so we're going to implement a logical addressing scheme that allows for two logical networks.
As always, it's a really good idea to look ahead and consider any likely growth scenarios, both short and long term, but for this example, a /25 will do the trick.

Practice Example #2C: 255.255.255.192 (/26)

In this second example, we're going to subnet the network address 192.168.10.0 using the subnet mask 255.255.255.192.

192.168.10.0 = Network address
255.255.255.192 = Subnet mask

It's time to answer the big five:

■ How many subnets? Because 192 is 2 bits on (11000000), the answer is 2^2 = 4 subnets.
■ How many hosts per subnet? We have 6 host bits off (11000000), so the equation is 2^6 - 2 = 62 hosts.
■ What are the valid subnets? 256 - 192 = 64. Remember, we start at zero and count in our block size, so our subnets are 0, 64, 128, and 192.
■ What's the broadcast address for each subnet? The number right before the value of the next subnet is all host bits turned on and equals the broadcast address. For the 0 subnet, the next subnet is 64, so the broadcast address for the 0 subnet is 63.
■ What are the valid hosts? These are the numbers between the subnet and broadcast address. The easiest way to find the hosts is to write out the subnet address and the broadcast address. This way, the valid hosts are obvious.

The following table shows the 0, 64, 128, and 192 subnets, the valid host ranges of each, and the broadcast address of each subnet:

The subnets (do this first)                      0    64    128   192
Our first host (perform host addressing last)    1    65    129   193
Our last host                                    62   126   190   254
The broadcast address (do this second)           63   127   191   255

Again, before getting into the next example, you can see that we can now subnet a /26. And what are you going to do with this fascinating information? Implement it! We'll use Figure 8.2 to practice a /26 network implementation.
FIGURE 8.2 Implementing a Class C /26 logical network
[Figure: three LAN segments on one router. Addresses .1 through .5 sit on 192.168.10.0 (Ethernet 0), .65 through .68 on 192.168.10.64 (Ethernet 1), and .129 through .132 on 192.168.10.128 (Ethernet 2).]

Router#show ip route
[output cut]
C 192.168.10.0 is directly connected to Ethernet 0
C 192.168.10.64 is directly connected to Ethernet 1
C 192.168.10.128 is directly connected to Ethernet 2

The /26 mask provides four subnetworks, and we need a subnet for each router interface. With this mask, in this example, we actually have room to add another router interface.

Practice Example #3C: 255.255.255.224 (/27)

This time, we'll subnet the network address 192.168.10.0 and subnet mask 255.255.255.224.

192.168.10.0 = Network address
255.255.255.224 = Subnet mask

■ How many subnets? 224 is 11100000, so our equation is 2^3 = 8.
■ How many hosts? 2^5 - 2 = 30.
■ What are the valid subnets? 256 - 224 = 32. We just start at zero and count to the subnet mask value in blocks (increments) of 32: 0, 32, 64, 96, 128, 160, 192, and 224.
■ What's the broadcast address for each subnet (always the number right before the next subnet)?
■ What are the valid hosts (the numbers between the subnet number and the broadcast address)?

To answer the last two questions, first just write out the subnets, and then write out the broadcast addresses, the number right before the next subnet. Last, fill in the host addresses. The following table gives you all the subnets for the 255.255.255.224 Class C subnet mask:

The subnet address      0    32   64   96    128   160   192   224
The first valid host    1    33   65   97    129   161   193   225
The last valid host     30   62   94   126   158   190   222   254
The broadcast address   31   63   95   127   159   191   223   255

Practice Example #4C: 255.255.255.240 (/28)

Let's practice on another one:

192.168.10.0 = Network address
255.255.255.240 = Subnet mask

■ Subnets? 240 is 11110000 in binary. 2^4 = 16.
■ Hosts? 4 host bits, or 2^4 - 2 = 14.
■ Valid subnets? 256 - 240 = 16. 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240.
■ Broadcast address for each subnet?
■ Valid hosts?

To answer the last two questions, check out the following table. It gives you the subnets, valid hosts, and broadcast addresses for each subnet. First, find the address of each subnet using the block size (increment). Second, find the broadcast address of each subnet increment (it's always the number right before the next valid subnet); then, just fill in the host addresses. The following table shows the available subnets, hosts, and broadcast addresses provided by a Class C network 255.255.255.240 mask:

Subnet       0    16   32   48   64   80   96    112   128   144   160   176   192   208   224   240
First host   1    17   33   49   65   81   97    113   129   145   161   177   193   209   225   241
Last host    14   30   46   62   78   94   110   126   142   158   174   190   206   222   238   254
Broadcast    15   31   47   63   79   95   111   127   143   159   175   191   207   223   239   255

Practice Example #5C: 255.255.255.248 (/29)

Let's keep practicing:

192.168.10.0 = Network address
255.255.255.248 = Subnet mask

■ Subnets? 248 in binary = 11111000. 2^5 = 32.
■ Hosts? 2^3 - 2 = 6.
■ Valid subnets? 256 - 248 = 8, start at zero: 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, and 248.
■ Broadcast address for each subnet?
■ Valid hosts?

Take a look at the following table. It shows some of the subnets (first four and last four only), valid hosts, and broadcast addresses for the Class C 255.255.255.248 mask:

Subnet       0   8    16   24   ...   224   232   240   248
First host   1   9    17   25   ...   225   233   241   249
Last host    6   14   22   30   ...   230   238   246   254
Broadcast    7   15   23   31   ...   231   239   247   255

Practice Example #6C: 255.255.255.252 (/30)

I know, I know, but just one more:

192.168.10.0 = Network address
255.255.255.252 = Subnet mask

■ Subnets? 252 is 11111100, so 2^6 = 64.
■ Hosts? 2^2 - 2 = 2.
■ Valid subnets? 256 - 252 = 4. 0, 4, 8, 12, and so on, all the way to 252.
■ Broadcast address for each subnet (always the number right before the next subnet)?
■ Valid hosts (the numbers between the subnet number and the broadcast address)?

The following table shows you the subnet, valid host, and broadcast address of the first four and last four subnets in the 255.255.255.252 Class C subnet:

Subnet       0   4   8    12   ...   240   244   248   252
First host   1   5   9    13   ...   241   245   249   253
Last host    2   6   10   14   ...   242   246   250   254
Broadcast    3   7   11   15   ...   243   247   251   255

Should We Really Use This Mask That Provides Only Two Hosts?

Imagine you are the network administrator for Acme Corporation in San Francisco, with dozens of WAN links connecting to your corporate office. Right now your network is a classful network, which means that the same subnet mask is on each host and router interface. You've read about classless routing where you can have different size masks, but you don't know what to use on your point-to-point WAN links. Is 255.255.255.252 (/30) a helpful mask in this situation?

Yes, this is a very helpful mask in wide area networks. If you use the 255.255.255.0 mask, then each network will have 254 hosts, but you only use two addresses with a WAN link! That is a waste of 252 hosts per subnet. If you use the 255.255.255.252 mask, then each subnet has only 2 hosts, and you don't waste precious addresses.

Subnetting in Your Head: Class C Addresses

It really is possible to subnet in your head by looking at a valid IP address and subnet mask. This is extremely important for IP addressing and troubleshooting. Even if you don't believe me that you can subnet in your head, I'll show you how. And it's not all that hard either. Take the following example:

What is the subnet, broadcast address, and valid host range that this host IP address is a part of?

192.168.10.33 = Host address
255.255.255.224 = Subnet mask

First, determine the subnet and broadcast address of this IP address. You can do this by answering question 3 of the big five questions: 256 - 224 = 32. Start at zero: 0, 32, 64. The address of 33 falls between the two subnets of 32 and 64 and must be part of the 192.168.10.32 subnet. The next subnet is 64, so the broadcast address of the 32 subnet is 63. (Remember that the broadcast address of a subnet is always the number right before the next subnet.) The valid host range is 33-62 (the numbers between the subnet and broadcast address). I told you this is easy!

Okay, let's try another one. What is the subnet, broadcast address, and valid host range that this host IP address is a part of?

192.168.10.33 = Host address
255.255.255.240 = Subnet mask

256 - 240 = 16. Start at zero and count till you pass the valid host in the problem: 0, 16, 32, 48. Bingo: the host address is between the 32 and 48 subnets. The subnet is 192.168.10.32, and the broadcast address is 47 (the next subnet is 48). The valid host range is 33-46 (the numbers between the subnet number and the broadcast address).

We need to do more, just to make sure you have this down. You have a host address of 192.168.10.174 with a mask of 255.255.255.240. What is the subnet, broadcast address, and valid host range that this host IP address is a part of?

The mask is 240, so we need our block size: 256 - 240 = 16. Just keep adding 16 until we pass the host address of 174, starting at zero, of course: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176. The host address of 174 is between 160 and 176, so the subnet is 160. The broadcast address is 175; the valid host range is 161-174. That was a tough one.

Let's do one more just for fun. This is the easiest one of all Class C subnetting:

192.168.10.17 = Host address
255.255.255.252 = Subnet mask

What subnet and broadcast address is this IP address a part of? 256 - 252 = 4. Start at zero (always start at zero unless told otherwise): 0, 4, 8, 12, 16, 20, and so on. You've got it! The host address is between the 16 and 20 subnets. The subnet is 192.168.10.16, and the broadcast address is 19. The valid host range is 17-18.

Now that you're all over Class C subnetting, let's move on to Class B subnetting. But before we do, let's do a quick review.

So What Do You Know Now?

Here's where you can really apply what you've learned so far and begin committing it all to memory. This is a very cool section that I've been using in my classes for years. It will really help you nail down subnetting! When you see a subnet mask or slash notation (CIDR), you should know the following when working with Class C networks.

/25 What do you know about a /25?
■ 128 mask
■ 1 bit on and 7 bits off (10000000)
■ Block size of 128
■ 2 subnets, each with 126 hosts

/26 And what do you know about a /26?
■ 192 mask
■ 2 bits on and 6 bits off (11000000)
■ Block size of 64
■ 4 subnets, each with 62 hosts

/27 What about a /27?
■ 224 mask
■ 3 bits on and 5 bits off (11100000)
■ Block size of 32
■ 8 subnets, each with 30 hosts

/28 And what about a /28?
■ 240 mask
■ 4 bits on and 4 bits off (11110000)
■ Block size of 16
■ 16 subnets, each with 14 hosts

/29 What do you know about a /29?
■ 248 mask
■ 5 bits on and 3 bits off (11111000)
■ Block size of 8
■ 32 subnets, each with 6 hosts

/30 And last, what about a /30?
■ 252 mask
■ 6 bits on and 2 bits off (11111100)
■ Block size of 4
■ 64 subnets, each with 2 hosts

Regardless of whether you have a Class A, Class B, or Class C address, the /30 mask will provide you with only two hosts, ever. This mask is suited almost exclusively for use on point-to-point links.

If you can memorize this "So What Do You Know Now?" section, you'll be much better off in your day-to-day job and in your studies.
Try saying it out loud, which helps you memorize things. Yes, your significant other and/or coworkers will think you've lost it, but they probably already do if you're in the networking field. And if you're not yet in the networking field but are studying all this to break into it, you might as well have people start thinking you're a little "different" now because they will eventually anyway. It's also helpful to write these on some type of flashcards and have people test your skill. You'd be amazed at how fast you can get subnetting down if you memorize block sizes as well as this "So What Do You Know Now?" section.

Subnetting Class B Addresses

Before we dive into this, let's look at all the possible Class B subnet masks. Notice that we have a lot more possible subnet masks than we do with a Class C network address:

255.255.0.0 (/16)
255.255.128.0 (/17)
255.255.192.0 (/18)
255.255.224.0 (/19)
255.255.240.0 (/20)
255.255.248.0 (/21)
255.255.252.0 (/22)
255.255.254.0 (/23)
255.255.255.0 (/24)
255.255.255.128 (/25)
255.255.255.192 (/26)
255.255.255.224 (/27)
255.255.255.240 (/28)
255.255.255.248 (/29)
255.255.255.252 (/30)

We know the Class B network address has 16 bits available for host addressing. This means we can use up to 14 bits for subnetting (because we have to leave at least 2 bits for host addressing). Using a /16 means you are not subnetting with Class B, but it is a mask you can use.

By the way, do you notice anything interesting about that list of subnet values? A pattern, maybe? Ah-ha! That's exactly why I had you memorize the binary-to-decimal numbers at the beginning of this section. Because subnet mask bits start on the left and move to the right and bits can't be skipped, the numbers are always the same regardless of the class of address. Memorize this pattern.
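The "fast way" and the "in your head" method above are the same piece of arithmetic applied to whichever octet the mask stops being 255 in, and the Class B list you just saw is the reason it carries over unchanged. The script below is an added worked example, not code from the book: it implements the chapter's method (block size = 256 - mask octet, count in blocks from zero, broadcast is the number before the next subnet), cross-checks it against Python's standard ipaddress module, and answers the big five for any classful network from /8 to /30. Everything in it (function names, the zero subnet being usable, the check against ipaddress) is this example's own choice.

```python
"""Subnet arithmetic for the chapter's "big five" questions.

Added worked example; this is not code from the book. It implements the
fast method the chapter teaches (block size = 256 - mask octet, count in
blocks from zero, broadcast = the number before the next subnet) on the
"interesting" octet and cross-checks that arithmetic against the standard
library. Because it works on all four octets, the same functions answer
Class C questions (192.168.10.0 with a /26) and the Class B questions that
follow (172.16.0.0 with a /20, or which subnet 172.16.45.14/30 is in).
Assumption: the zero subnet is usable (ip subnet-zero), as in the chapter.
"""
import ipaddress

# /8 through /30 in dotted decimal, the same list as Table 8.2
PREFIX_TO_MASK = {
    p: str(ipaddress.IPv4Network(f"0.0.0.0/{p}").netmask) for p in range(8, 31)
}


def classful_prefix(network):
    """Default mask length from the first octet: Class A /8, B /16, C /24."""
    first = int(network.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def interesting_octet(prefix):
    """Index (0-3) of the octet in which the mask stops being 255."""
    return (prefix - 1) // 8


def fast_way(host_octet, mask_octet):
    """The chapter's mental arithmetic on one octet.

    Block size is 256 - mask octet; the subnet is the last multiple of the
    block size at or below the host octet; the broadcast is the number
    right before the next subnet.
    """
    block = 256 - mask_octet
    subnet = host_octet - host_octet % block
    return subnet, subnet + block - 1


def _dotted(octets):
    return ".".join(str(o) for o in octets)


def big_five(network, prefix):
    """Answer the five questions for a classful network and a chosen mask.

    Returns (number of subnets, hosts per subnet, block size, rows); each
    row is (subnet, first host, last host, broadcast) as dotted strings.
    """
    if prefix not in PREFIX_TO_MASK:
        raise ValueError(f"/{prefix}: only /8 through /30 are usable masks")
    base = classful_prefix(network)
    subnet_bits, host_bits = prefix - base, 32 - prefix
    if subnet_bits < 0 or host_bits < 2:  # at least 2 host bits must remain
        raise ValueError(f"/{prefix} is not a usable mask for {network}")
    mask_octet = int(PREFIX_TO_MASK[prefix].split(".")[interesting_octet(prefix)])
    classful = ipaddress.IPv4Network(f"{network}/{base}")
    rows = [
        (str(sn.network_address), str(sn.network_address + 1),
         str(sn.broadcast_address - 1), str(sn.broadcast_address))
        for sn in classful.subnets(new_prefix=prefix)
    ]
    return 2 ** subnet_bits, 2 ** host_bits - 2, 256 - mask_octet, rows


def locate(host, prefix):
    """Find the subnet a host address belongs to, the way the chapter does it.

    Returns (subnet, broadcast, first host, last host, role), role being
    "network", "broadcast" or "host". A packet to the broadcast address is
    what the router in Class B question 7 refuses to forward.
    """
    if prefix not in PREFIX_TO_MASK:
        raise ValueError(f"/{prefix}: only /8 through /30 are usable masks")
    octets = [int(o) for o in host.split(".")]
    idx = interesting_octet(prefix)
    mask_octet = int(PREFIX_TO_MASK[prefix].split(".")[idx])
    sub, bc = fast_way(octets[idx], mask_octet)
    # octets left of the interesting one are copied unchanged; octets to its
    # right are all 0s in the subnet address and all 255s in the broadcast
    subnet = octets[:idx] + [sub] + [0] * (3 - idx)
    broadcast = octets[:idx] + [bc] + [255] * (3 - idx)
    # cross-check the mental method against the standard library
    net = ipaddress.IPv4Interface(f"{host}/{prefix}").network
    if (_dotted(subnet), _dotted(broadcast)) != (str(net.network_address), str(net.broadcast_address)):
        raise RuntimeError("fast-way result disagrees with ipaddress")
    role = "network" if octets == subnet else "broadcast" if octets == broadcast else "host"
    first = subnet[:3] + [subnet[3] + 1]
    last = broadcast[:3] + [broadcast[3] - 1]
    return _dotted(subnet), _dotted(broadcast), _dotted(first), _dotted(last), role


if __name__ == "__main__":
    count, hosts, block, rows = big_five("192.168.10.0", 26)
    print(f"Class C with a /26: {count} subnets, {hosts} hosts each, block size {block}")
    for row in rows:
        print("  subnet %-15s first %-15s last %-15s broadcast %s" % row)
    print(locate("172.16.46.191", 26))  # role is 'broadcast'
```

Run it as a script to print the /26 table from Practice Example #2C; call big_five("172.16.0.0", 20) for the Class B /20 table, or locate("192.168.10.174", 28) to get the 160 subnet, 175 broadcast and 161-174 host range worked out in your head above. The cross-check against ipaddress is there so that, when you are doing this by hand for a change request, you can confirm the arithmetic rather than trust it.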
The process of subnetting a Class B network is pretty much the same as it is for a Class C, except that you have more host bits and you start in the third octet. Use the same subnet numbers for the third octet with Class B that you used for the fourth octet with Class C, but add a 0 to the network portion and a 255 to the broadcast section in the fourth octet. The following table shows you an example host range of two subnets used in a Class B 240 (/20) subnet mask:

             First subnet   Second subnet
Subnet       16.0           32.0
Broadcast    31.255         47.255

Notice that these are the same numbers we used in the fourth octet with a /28 mask, but we moved them to the third octet and added a .0 and .255 at the end. Just add the valid hosts between the numbers, and you're set!

Subnetting Practice Examples: Class B Addresses

This section will give you an opportunity to practice subnetting Class B addresses. Again, I have to mention that this is the same as subnetting with Class C, except we start in the third octet, with the exact same numbers!

Practice Example #1B: 255.255.128.0 (/17)

Let's take a look at our first example:

172.16.0.0 = Network address
255.255.128.0 = Subnet mask

■ Subnets? 2^1 = 2 (same as Class C).
■ Hosts? 2^15 - 2 = 32,766 (7 bits in the third octet, and 8 in the fourth).
■ Valid subnets? 256 - 128 = 128. 0, 128. Remember that subnetting in Class B starts in the third octet, so the subnet numbers are really 0.0 and 128.0, as shown in the next table. These are the exact numbers we used with Class C; we use them in the third octet and add a 0 in the fourth octet for the network address.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the two subnets available, the valid host range, and the broadcast address of each:

Subnet       0.0       128.0
First host   0.1       128.1
Last host    127.254   255.254
Broadcast    127.255   255.255

Notice that we just added the fourth octet's lowest and highest values and came up with the answers. And again, it's done exactly the same way as for a Class C subnet. We just use the same numbers in the third octet and add 0 and 255 in the fourth octet. Pretty simple, huh? I really can't say this enough: It's not hard. The numbers never change. We just use them in different octets!

Practice Example #2B: 255.255.192.0 (/18)

Let's take a look at a second example with Class B.

172.16.0.0 = Network address
255.255.192.0 = Subnet mask

■ Subnets? 2^2 = 4.
■ Hosts? 2^14 - 2 = 16,382 (6 bits in the third octet, and 8 in the fourth).
■ Valid subnets? 256 - 192 = 64. 0, 64, 128, 192. Remember that we're in the third octet, so the subnet numbers are really 0.0, 64.0, 128.0, and 192.0, as shown in the next table.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the four subnets available, the valid host range, and the broadcast address of each:

Subnet       0.0      64.0      128.0     192.0
First host   0.1      64.1      128.1     192.1
Last host    63.254   127.254   191.254   255.254
Broadcast    63.255   127.255   191.255   255.255

Again, it's pretty much the same as it is for a Class C subnet; we just added 0 and 255 in the fourth octet for each subnet in the third octet.

Practice Example #3B: 255.255.240.0 (/20)

Let's take a look:

172.16.0.0 = Network address
255.255.240.0 = Subnet mask

■ Subnets? 2^4 = 16.
■ Hosts? 2^12 - 2 = 4094.
■ Valid subnets? 256 - 240 = 16. 0, 16, 32, 48, and so on, up to 240. Notice that these are the same numbers as a Class C 240 mask; we just put them in the third octet and add a 0 and 255 in the fourth octet.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first four subnets, valid hosts, and broadcast addresses in a Class B 255.255.240.0 mask:

Subnet       0.0      16.0     32.0     48.0
First host   0.1      16.1     32.1     48.1
Last host    15.254   31.254   47.254   63.254
Broadcast    15.255   31.255   47.255   63.255

Practice Example #4B: 255.255.254.0 (/23)

Let's take a look:

172.16.0.0 = Network address
255.255.254.0 = Subnet mask

■ Subnets? 2^7 = 128.
■ Hosts? 2^9 - 2 = 510.
■ Valid subnets? 256 - 254 = 2. 0, 2, 4, 6, 8, and so on, up to 254.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first five subnets, valid hosts, and broadcast addresses in a Class B 255.255.254.0 mask:

Subnet       0.0     2.0     4.0     6.0     8.0
First host   0.1     2.1     4.1     6.1     8.1
Last host    1.254   3.254   5.254   7.254   9.254
Broadcast    1.255   3.255   5.255   7.255   9.255

Practice Example #5B: 255.255.255.0 (/24)

Contrary to popular belief, 255.255.255.0 used with a Class B network address is not called a Class B network with a Class C subnet mask. It's amazing how many people see this mask used in a Class B network and think it's a Class C subnet mask. This is a Class B subnet mask with 8 bits of subnetting; it's considerably different from a Class C mask. Subnetting this address is fairly simple:

172.16.0.0 = Network address
255.255.255.0 = Subnet mask

■ Subnets? 2^8 = 256.
■ Hosts? 2^8 - 2 = 254.
■ Valid subnets? 256 - 255 = 1. 0, 1, 2, 3, and so on, all the way to 255.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first four and last two subnets, the valid hosts, and the broadcast addresses in a Class B 255.255.255.0 mask:

Subnet       0.0     1.0     2.0     3.0     ...   254.0     255.0
First host   0.1     1.1     2.1     3.1     ...   254.1     255.1
Last host    0.254   1.254   2.254   3.254   ...   254.254   255.254
Broadcast    0.255   1.255   2.255   3.255   ...   254.255   255.255

Practice Example #6B: 255.255.255.128 (/25)

This is one of the hardest subnet masks you can play with. And worse, it actually is a really good subnet to use in production because it creates over 500 subnets with a whopping 126 hosts for each subnet, a nice mixture. So, don't skip over it!

172.16.0.0 = Network address
255.255.255.128 = Subnet mask

■ Subnets? 2^9 = 512.
■ Hosts? 2^7 - 2 = 126.
■ Valid subnets? Now for the tricky part. 256 - 255 = 1. 0, 1, 2, 3, and so on for the third octet. But you can't forget the one subnet bit used in the fourth octet. Remember when I showed you how to figure one subnet bit with a Class C mask? You figure this out the same way. (Now you know why I showed you the 1-bit subnet mask in the Class C section: to make this part easier.) You actually get two subnets for each third octet value, hence the 512 subnets. For example, if the third octet is showing subnet 3, the two subnets would actually be 3.0 and 3.128.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows how you can create subnets, valid hosts, and broadcast addresses using the Class B 255.255.255.128 subnet mask (the first eight subnets are shown, and then the last two subnets):

Subnet       0.0     0.128   1.0     1.128   2.0     2.128   3.0     3.128   ...   255.0     255.128
First host   0.1     0.129   1.1     1.129   2.1     2.129   3.1     3.129   ...   255.1     255.129
Last host    0.126   0.254   1.126   1.254   2.126   2.254   3.126   3.254   ...   255.126   255.254
Broadcast    0.127   0.255   1.127   1.255   2.127   2.255   3.127   3.255   ...   255.127   255.255

Practice Example #7B: 255.255.255.192 (/26)

Now, this is where Class B subnetting gets easy. Because the third octet has a 255 in the mask section, whatever number is listed in the third octet is a subnet number. However, now that we have a subnet number in the fourth octet, we can subnet this octet just as we did with Class C subnetting.
Let's try it:

172.16.0.0 = Network address
255.255.255.192 = Subnet mask

■ Subnets? 2^10 = 1024.
■ Hosts? 2^6 - 2 = 62.
■ Valid subnets? 256 - 192 = 64. The subnets are shown in the following table. Do these numbers look familiar?
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first eight subnet ranges, valid hosts, and broadcast addresses:

Subnet       0.0    0.64    0.128   0.192   1.0    1.64    1.128   1.192
First host   0.1    0.65    0.129   0.193   1.1    1.65    1.129   1.193
Last host    0.62   0.126   0.190   0.254   1.62   1.126   1.190   1.254
Broadcast    0.63   0.127   0.191   0.255   1.63   1.127   1.191   1.255

Notice that for each subnet value in the third octet, you get subnets 0, 64, 128, and 192 in the fourth octet.

Practice Example #8B: 255.255.255.224 (/27)

This is done the same way as the preceding subnet mask, except that we have more subnets and fewer hosts per subnet available.

172.16.0.0 = Network address
255.255.255.224 = Subnet mask

■ Subnets? 2^11 = 2048.
■ Hosts? 2^5 - 2 = 30.
■ Valid subnets? 256 - 224 = 32. 0, 32, 64, 96, 128, 160, 192, 224.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first eight subnets:

Subnet       0.0    0.32   0.64   0.96    0.128   0.160   0.192   0.224
First host   0.1    0.33   0.65   0.97    0.129   0.161   0.193   0.225
Last host    0.30   0.62   0.94   0.126   0.158   0.190   0.222   0.254
Broadcast    0.31   0.63   0.95   0.127   0.159   0.191   0.223   0.255

This next table shows the last eight subnets:

Subnet       255.0    255.32   255.64   255.96    255.128   255.160   255.192   255.224
First host   255.1    255.33   255.65   255.97    255.129   255.161   255.193   255.225
Last host    255.30   255.62   255.94   255.126   255.158   255.190   255.222   255.254
Broadcast    255.31   255.63   255.95   255.127   255.159   255.191   255.223   255.255

Subnetting in Your Head: Class B Addresses

Are you nuts? Subnet Class B addresses in our heads? It's actually easier than writing it out, I'm not kidding! Let me show you the steps:

1. What subnet and broadcast address is the IP address 172.16.10.33 255.255.255.224 (/27) a member of?

   The interesting octet is the fourth octet. 256 - 224 = 32. 32 + 32 = 64. Bingo: 33 is between 32 and 64. However, remember that the third octet is considered part of the subnet, so the answer is the 10.32 subnet. The broadcast is 10.63 because 10.64 is the next subnet. That was a pretty easy one.

2. What subnet and broadcast address is the IP address 172.16.66.10 255.255.192.0 (/18) a member of?

   The interesting octet is the third octet instead of the fourth octet. 256 - 192 = 64. 0, 64, 128. The subnet is 172.16.64.0. The broadcast must be 172.16.127.255 because 128.0 is the next subnet.

   Notice in the last example I started counting at zero. This is called ip subnet-zero. It is a command that, if executed on a router, allows us to use the zero subnet as our first subnet. This may or may not be enabled on your router. If it is not enabled, then you cannot start counting subnets at zero. Most routers, if not all routers these days, support ip subnet-zero (on Cisco IOS it has been on by default since release 12.0).

3. What subnet and broadcast address is the IP address 172.16.50.10 255.255.224.0 (/19) a member of?

   256 - 224 = 32. 0, 32, 64 (remember, we always start counting at zero). The subnet is 172.16.32.0, and the broadcast must be 172.16.63.255 because 64.0 is the next subnet.

4. What subnet and broadcast address is the IP address 172.16.46.255 255.255.240.0 (/20) a member of?

   256 - 240 = 16. The third octet is interesting to us. 0, 16, 32, 48. This address must be in the 172.16.32.0 subnet, and the broadcast must be 172.16.47.255 because 48.0 is the next subnet. So, yes, 172.16.46.255 is a valid host.

5. What subnet and broadcast address is the IP address 172.16.45.14 255.255.255.252 (/30) a member of?

   Where is the interesting octet? The fourth. 256 - 252 = 4. 0, 4, 8, 12, 16 (in the fourth octet). The subnet is 172.16.45.12, with a broadcast of 172.16.45.15 because the next subnet is 172.16.45.16.

6. What is the subnet and broadcast address of the host 172.16.88.255/20?

   What is a /20? If you can't answer this, you can't answer this question, can you? A /20 is 255.255.240.0, which gives us a block size of 16 in the third octet, and because no subnet bits are on in the fourth octet, the answer is always 0 and 255 in the fourth octet. 0, 16, 32, 48, 64, 80, 96. Bingo: 88 is between 80 and 96, so the subnet is 80.0 and the broadcast address is 95.255.

7. A router receives a packet on an interface with a destination address of 172.16.46.191/26. What will the router do with this packet?

   Discard it. Do you know why? 172.16.46.191/26 is a 255.255.255.192 mask, which gives us a block size of 64. Our subnets are then 0, 64, 128, 192. 191 is the broadcast address of the 128 subnet, and a router, by default, will not forward a directed broadcast. (On Cisco IOS, ip directed-broadcast has been off by default since release 12.0; leaving it on lets an outside host make every machine in the subnet answer at once, the classic smurf amplification attack.)

Troubleshooting IP Addressing

Troubleshooting IP addressing is obviously an important skill because running into trouble somewhere along the way is pretty much a sure thing, and it's going to happen to you. No, I'm not a pessimist; I'm just keeping it real. Because of this nasty fact, it will be great when you can save the day because you can both figure out (diagnose) the problem and fix it on an IP network whether you're at work or at home!

Let's use Figure 8.3 as an example of your basic IP trouble: poor Sally can't log in to the Windows server. Do you deal with this by calling the Microsoft team to tell them their server is a pile of junk and causing all your problems? Tempting, but probably not such a great idea; let's first double-check our network instead. Check out Figure 8.3.

FIGURE 8.3 Basic IP troubleshooting
[Figure: Sally's host, 172.16.10.2, sits on the LAN attached to the router's E0 interface, 172.16.10.1. The server, 172.16.20.2, is on a different network on the far side of the router.]

Let's get started by going over the basic troubleshooting steps.
They’re pretty simple, but important nonetheless. Pretend you’re at Sally’s host and she’s complaining that she can’t communicate to a server that just happens to be on a remote network:

1. Open a command prompt window on Sally’s host, and ping 127.0.0.1.

    C:\>ping 127.0.0.1
    Pinging 127.0.0.1 with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Ping statistics for 127.0.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

This is the diagnostic, or loopback, address, and if you get a successful ping, your IP stack is considered to be initialized. If it fails, then you have an IP stack failure and need to reinstall TCP/IP on the host.

If you ping the loopback address and receive an “unable to contact IP driver, error code 2” message, you need to reinstall the TCP/IP protocol suite on the host.

2. Now, from the same command prompt window, ping the IP address of the local host.

    C:\>ping 172.16.10.2
    Pinging 172.16.10.2 with 32 bytes of data:
    Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
    Ping statistics for 172.16.10.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

If that’s successful, your Network Interface Card (NIC) is functioning. If it fails, there is a problem with the NIC. Success here doesn’t mean that a cable is plugged into the NIC, only that the IP protocol stack on the host can communicate to the NIC (via the LAN driver).

3. From the command prompt window, ping the default gateway (router).

    C:\>ping 172.16.10.1
    Pinging 172.16.10.1 with 32 bytes of data:
    Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
    Ping statistics for 172.16.10.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

If the ping works, it means that the NIC is plugged into the network and can communicate on the local network. If it fails, you have a local physical network problem that could be anywhere from the NIC to the router.

4. If steps 1 through 3 were successful, try to ping the remote server.

    C:\>ping 172.16.20.2
    Pinging 172.16.20.2 with 32 bytes of data:
    Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
    Ping statistics for 172.16.20.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

If that works, then you know that you have IP communication between the local host and the remote server. You also know that the remote physical network is working. If the user still can’t communicate with the server after steps 1 through 4 are successful, you probably have some type of name resolution problem and need to check your Domain Name System (DNS) settings. But if the ping to the remote server fails, then you know you have some type of remote physical network problem and need to go to the server and work through steps 1 through 3 until you find the snag.

One caveat before you blame the wire: a host firewall or an access list that drops ICMP echo requests makes a perfectly reachable server look dead to ping. Confirm with a connection to the actual service port (for example, telnet to the server’s listening port) before declaring a physical problem.
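The four steps above, as a script. This is an added example, not code from the book: it walks the ladder in order, stops at the first target that does not answer, and reports the chapter’s verdict for that step. The addresses are the ones from Figure 8.3; ping_once shells out to the operating system’s ping command, and make_fake_pinger is a constructed stand-in so the logic can be exercised without a network.

```python
"""Sally's four-step ping ladder (Figure 8.3) as a script with a pluggable pinger."""
import platform
import subprocess
from typing import Callable, Dict, List, Set, Tuple

LOOPBACK = "127.0.0.1"

# Step name, what a success proves, and what a failure at that step points to.
STEPS: List[Tuple[str, str, str]] = [
    ("loopback", "IP stack is initialized",
     "IP stack failure: repair or reinstall TCP/IP on the host"),
    ("local NIC", "IP stack can reach the NIC through the LAN driver",
     "NIC or driver problem (this step says nothing about the cable)"),
    ("default gateway", "NIC is on the wire and the local segment works",
     "local problem between the NIC and the router: cable, switch port, wrong mask or gateway"),
    ("remote host", "end-to-end IP reachability to the remote network",
     "remote-side problem: repeat steps 1 to 3 from the server, and rule out ICMP filtering"),
]


def ping_once(target: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request with the OS ping command; True when a reply came back."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), target]  # -w is in milliseconds
    else:
        cmd = ["ping", "-c", "1", target]
    try:
        done = subprocess.run(cmd, capture_output=True, timeout=timeout_s + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def make_fake_pinger(reachable: Set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for ping_once so the ladder can be exercised offline."""
    return lambda target: target in reachable


def diagnose(host_ip: str, gateway_ip: str, remote_ip: str,
             pinger: Callable[[str], bool] = ping_once) -> Dict[str, object]:
    """Walk the ladder in order and stop at the first failure.

    Returns the step that failed (None if all passed), the target that did not answer,
    the steps that passed, and the verdict the chapter gives for that outcome.
    """
    targets = [LOOPBACK, host_ip, gateway_ip, remote_ip]
    passed: List[str] = []
    for (name, _proves, on_failure), target in zip(STEPS, targets):
        if not pinger(target):
            return {"stopped_at": name, "target": target,
                    "passed": list(passed), "verdict": on_failure}
        passed.append(name)
    return {"stopped_at": None, "target": None, "passed": passed,
            "verdict": "IP reachability is fine; if the user still cannot reach the server, "
                       "check name resolution (DNS) and the service itself"}


if __name__ == "__main__":
    # Constructed scenario from Figure 8.3: Sally 172.16.10.2, gateway 172.16.10.1, server 172.16.20.2.
    # Pretend the cable between Sally's NIC and the switch is unplugged: only steps 1 and 2 answer.
    fake = make_fake_pinger({LOOPBACK, "172.16.10.2"})
    result = diagnose("172.16.10.2", "172.16.10.1", "172.16.20.2", pinger=fake)
    print(f"stopped at: {result['stopped_at']} ({result['target']})")
    print(f"verdict:    {result['verdict']}")
    # Drop pinger=fake to run the ladder for real from your own host with ping_once.
```

Injecting the pinger is what makes the ladder testable: the same diagnose() runs against the real ping command on a workstation and against a canned set of answers in a test.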
Before we move on to determining IP address problems and how to fix them, I just want to mention some basic yet handy command-line (DOS) commands that you can use to help troubleshoot your network from both a PC and a Cisco router (the commands might do the same thing, but they are implemented differently):

Packet InterNet Groper (ping) Uses Internet Control Message Protocol (ICMP) echo requests and replies to test whether a host’s IP stack is initialized and alive on the network.

traceroute Displays the list of routers on a path to a network destination by using Time-to-Live (TTL) time-outs and ICMP error messages. This command will work on a router, Mac, or Linux box but not from a Windows command prompt.

tracert Same command as traceroute, but it’s a Microsoft Windows command and will not work on other devices, like a Cisco router or Unix box.

arp -a Displays IP-to-MAC-address mappings on a Windows PC. It is also the first place to look when you suspect ARP spoofing: a gateway IP whose MAC address has suddenly changed, or many IP addresses mapped to one MAC.

ipconfig /all Used only from a Windows command prompt. Shows you the PC’s network configuration, including its IP address, mask, default gateway, and DNS servers.

Once you’ve gone through all these steps and used the appropriate commands, if necessary, what do you do if you find a problem? How do you go about fixing an IP address configuration error? That’s exactly what you’re going to learn about next—how to determine specific IP address problems and what you can do to fix them.

Determining IP Address Problems

It’s common for a host, router, or other network device to be configured with the wrong IP address, subnet mask, or default gateway. Because this happens way too often, I’m going to teach you how to both determine and fix IP address configuration errors. Once you’ve worked through the four basic steps of troubleshooting and determined there’s a problem, you obviously then need to find and fix it.

It really helps to draw out the network and IP addressing scheme. If it’s already done, consider yourself lucky and go buy a lottery ticket because although it should be done, it rarely is. And if it is, it’s usually outdated or inaccurate anyway.
Typically it is not done, and you’ll probably just have to bite the bullet and start from scratch. Once you have your network accurately drawn out, including the IP addressing scheme, you need to verify each host’s IP address, mask, and default gateway address to determine the problem. (I’m assuming that you don’t have a physical problem or that if you did, you’ve already fixed it.)

Let’s check out the example illustrated in Figure 8.4. A user in the sales department calls and tells you that she can’t get to ServerA in the marketing department. You ask her if she can get to ServerB in the marketing department, but she doesn’t know because she doesn’t have rights to log on to that server. What do you do?

FIGURE 8.4 IP address problem 1
    Sales host: 192.168.1.33, default gateway 192.168.1.62
    Lab_A F0/0: 192.168.1.62; Lab_A S0/0: 192.168.1.97/27
    Lab_B S0/0 (DCE): 192.168.1.100/27; Lab_B F0/0: 192.168.1.95
    Marketing ServerA: 192.168.1.66, default gateway 192.168.1.95
    Marketing ServerB: 192.168.1.65, default gateway 192.168.1.95

You ask the client to go through the four troubleshooting steps that you learned about in the preceding section. Steps 1 through 3 work, but step 4 fails. By looking at the figure, can you determine the problem? Look for clues in the network drawing. First, the WAN link between the Lab_A router and the Lab_B router shows the mask as a /27. You should already know that this mask is 255.255.255.224 and then determine that all networks are using this mask. The network address is 192.168.1.0. What are our valid subnets and hosts? 256 – 224 = 32, so this makes our subnets 0, 32, 64, 96, 128, and so on. So, by looking at the figure, you can see that subnet 32 is being used by the sales department, the WAN link is using subnet 96, and the marketing department is using subnet 64. Now you have to determine what the valid host ranges are for each subnet.
From what you learned at the beginning of this chapter, you should now be able to easily determine the subnet address, broadcast addresses, and valid host ranges. The valid hosts for the Sales LAN are 33 through 62—the broadcast address is 63 because the next subnet is 64, right? For the Marketing LAN, the valid hosts are 65 through 94 (broadcast 95), and for the WAN link, 97 through 126 (broadcast 127). By looking at the figure, you can determine that the address on the Lab_B router’s F0/0 interface, and therefore the default gateway configured on the marketing hosts, is incorrect: 192.168.1.95 is the broadcast address of the 64 subnet, so there’s no way it could be a valid host.

Did you get all that? Maybe we should try another one, just to make sure. Figure 8.5 shows a network problem. A user in the Sales LAN can’t get to ServerB. You have the user run through the four basic troubleshooting steps and find that the host can communicate to the local network but not to the remote network. Find and define the IP addressing problem.

FIGURE 8.5 IP address problem 2
    Sales host: 192.168.1.25, default gateway 192.168.1.30
    Lab_A F0/0: 192.168.1.30; Lab_A S0/0: 192.168.1.41/29
    Lab_B S0/0 (DCE): 192.168.1.46/29; Lab_B F0/0: 192.168.1.81
    Marketing ServerA: 192.168.1.86, default gateway 192.168.1.81
    Marketing ServerB: 192.168.1.87, default gateway 192.168.1.81

If you use the same steps used to solve the last problem, you can see first that the WAN link again provides the subnet mask to use—/29, or 255.255.255.248. You need to determine what the valid subnets, broadcast addresses, and valid host ranges are to solve this problem. The 248 mask is a block size of 8 (256 – 248 = 8), so the subnets both start and increment in multiples of 8. By looking at the figure, you see that the Sales LAN is in the 24 subnet, the WAN is in the 40 subnet, and the Marketing LAN is in the 80 subnet. Can you see the problem yet? The valid host range for the Sales LAN is 25–30, and the configuration appears correct.
The valid host range for the WAN link is 41–46, and this also appears correct. The valid host range for the 80 subnet is 81–86, with a broadcast address of 87 because the next subnet is 88. ServerB has been configured with the broadcast address of the subnet.

Now that you can figure out misconfigured IP addresses on hosts, what do you do if a host doesn’t have an IP address and you need to assign one? What you need to do is look at other hosts on the LAN and figure out the network, mask, and default gateway. Let’s take a look at a couple of examples of how to find and apply valid IP addresses to hosts.

You need to assign a server and router IP addresses on a LAN. The subnet assigned on that segment is 192.168.20.24/29, and the router needs to be assigned the first usable address and the server the last valid host ID. What are the IP address, mask, and default gateway assigned to the server? To answer this, you must know that a /29 is a 255.255.255.248 mask, which provides a block size of 8. The subnet is known as 24, the next subnet in a block of 8 is 32, so the broadcast address of the 24 subnet is 31, which makes the valid host range 25–30:

    Server IP address: 192.168.20.30
    Server mask: 255.255.255.248
    Default gateway: 192.168.20.25 (router’s IP address)

As another example, let’s take a look at Figure 8.6 and solve this problem.

FIGURE 8.6 Find the valid host (RouterA E0: 192.168.10.33/27; HostA on the same LAN)

Look at the router’s IP address on Ethernet0. What IP address, subnet mask, and valid host range could be assigned to the host? The IP address of the router’s Ethernet0 is 192.168.10.33/27. As you already know, a /27 is a 224 mask with a block size of 32. The router’s interface is in the 32 subnet.
The next subnet is 64, so that makes the broadcast address of the 32 subnet 63 and the valid host range 33–62:

    Host IP address: 192.168.10.34–62 (any address in the range except for 33, which is assigned to the router)
    Mask: 255.255.255.224
    Default gateway: 192.168.10.33

Figure 8.7 shows two routers with Ethernet configurations already assigned. What are the host addresses and subnet masks of hosts A and B?

FIGURE 8.7 Find the valid host #2 (RouterA E0: 192.168.10.65/26 with HostA; RouterB E0: 192.168.10.33/28 with HostB)

RouterA has an IP address of 192.168.10.65/26 and RouterB has an IP address of 192.168.10.33/28. What are the host configurations? RouterA Ethernet0 is in the 192.168.10.64 subnet, and RouterB Ethernet0 is in the 192.168.10.32 network:

    HostA IP address: 192.168.10.66–126
    HostA mask: 255.255.255.192
    HostA default gateway: 192.168.10.65
    HostB IP address: 192.168.10.34–46
    HostB mask: 255.255.255.240
    HostB default gateway: 192.168.10.33

Just a couple more examples, and then this section is history. Hang in there! Figure 8.8 shows two routers; you need to configure the S0/0 interface on RouterA. The network assigned to the serial link is 172.16.16.0/22. What IP address can be assigned?

FIGURE 8.8 Find the valid host address #3 (172.16.16.0/22 between RouterA S0/0 and RouterB S0/0)

First, you must know that a /22 CIDR is 255.255.252.0, which makes a block size of 4 in the third octet. Because 16 is listed, the available range is 16.1 through 19.254; so, for example, the IP address of S0/0 could be 172.16.18.255 because that’s within the range (with a /22, only 172.16.19.255 is the broadcast).

Okay, last one! You have one Class C network ID, and you need to provide one usable subnet per city while allowing enough usable host addresses for each city specified in Figure 8.9. What is your mask?
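The subnet math and the configuration checks from this section in code, as an added example that is not from the book. subnet_info applies the chapter’s 256-minus-mask-octet shortcut and cross-checks it against Python’s ipaddress module; check_host_config flags the two mistakes found in Figures 8.4 and 8.5 (a host or gateway set to a subnet or broadcast address, and a gateway that is not on the host’s subnet); choose_mask answers the kind of question Figure 8.9 asks. The addresses in the __main__ block are those of the figures; everything else is constructed for illustration.

```python
"""Subnet math the chapter's way (256 minus the interesting mask octet), cross-checked
against the standard library, plus the host-configuration checks used in Figures 8.4 and 8.5."""
import ipaddress
from typing import Dict, List, Optional


def block_size(mask_octet: int) -> int:
    """Block size in the interesting octet: 256 - mask octet (224 -> 32, 248 -> 8, 252 -> 4)."""
    if not 0 <= mask_octet <= 255:
        raise ValueError("mask octet must be 0..255")
    return 256 - mask_octet


def subnet_info(host: str, prefix: int) -> Dict[str, str]:
    """Subnet, mask, broadcast and valid host range for host/prefix (prefix 1..30).

    Finds the interesting octet, counts up in block-size multiples to the block that
    contains the host, fills the remaining octets with 0 (subnet) or 255 (broadcast),
    and then asserts that ipaddress agrees with the shortcut.
    """
    if not 1 <= prefix <= 30:
        raise ValueError("this helper covers /1 through /30 (two or more host bits)")
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
    mask_octets = list(mask.packed)
    host_octets = list(ipaddress.IPv4Address(host).packed)

    idx = (prefix - 1) // 8                     # the octet where the mask stops being 255
    size = block_size(mask_octets[idx])         # a 255 octet gives block size 1 (/8, /16, /24)
    start = (host_octets[idx] // size) * size   # largest multiple of size not above the host octet

    network = ipaddress.IPv4Address(bytes(host_octets[:idx] + [start] + [0] * (3 - idx)))
    broadcast = ipaddress.IPv4Address(bytes(host_octets[:idx] + [start + size - 1] + [255] * (3 - idx)))

    check = ipaddress.IPv4Network(f"{host}/{prefix}", strict=False)
    assert check.network_address == network and check.broadcast_address == broadcast

    return {"network": str(network), "mask": str(mask), "broadcast": str(broadcast),
            "first_host": str(network + 1), "last_host": str(broadcast - 1)}


def check_host_config(ip: str, prefix: int, gateway: str) -> List[str]:
    """Return the problems with a host's address/mask/gateway; an empty list means it looks valid."""
    info = subnet_info(ip, prefix)
    net = ipaddress.IPv4Network(f"{info['network']}/{prefix}")
    problems: List[str] = []
    if ip == info["network"]:
        problems.append(f"{ip} is the subnet address of {net}, not a host address")
    if ip == info["broadcast"]:
        problems.append(f"{ip} is the broadcast address of {net}, not a host address")
    if ipaddress.IPv4Address(gateway) not in net:
        problems.append(f"default gateway {gateway} is not on {net}, so the host can never ARP for it")
    elif gateway in (info["network"], info["broadcast"]):
        problems.append(f"default gateway {gateway} is the subnet or broadcast address of {net}")
    elif gateway == ip:
        problems.append("default gateway is the host's own address")
    return problems


def choose_mask(subnets_needed: int, hosts_in_largest_subnet: int, class_prefix: int = 24) -> Optional[int]:
    """Prefix length that yields at least subnets_needed subnets (zero subnet counted, as with
    ip subnet-zero) while leaving the largest subnet enough usable hosts (2**h - 2).
    Returns None when the network cannot be cut that way."""
    for prefix in range(class_prefix + 1, 31):   # at least one subnet bit and two host bits
        subnets = 2 ** (prefix - class_prefix)
        usable_hosts = 2 ** (32 - prefix) - 2
        if subnets >= subnets_needed and usable_hosts >= hosts_in_largest_subnet:
            return prefix
    return None


if __name__ == "__main__":
    for host, prefix in [("172.16.10.33", 27), ("172.16.66.10", 18), ("172.16.88.255", 20), ("172.16.45.14", 30)]:
        print(f"{host}/{prefix}: {subnet_info(host, prefix)}")
    print(check_host_config("192.168.1.66", 27, "192.168.1.95"))   # Figure 8.4: gateway is a broadcast address
    print(check_host_config("192.168.1.87", 29, "192.168.1.81"))   # Figure 8.5: ServerB is a broadcast address
    print(choose_mask(5, 15))                                        # Figure 8.9: 27, i.e. 255.255.255.224
```

The assert inside subnet_info is deliberate: the shortcut and the library must agree for every input, so any disagreement is a bug in the shortcut rather than something to paper over.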
FIGURE 8.9 Find the valid subnet mask (Corporate 7 users; LA 15 users; SF 13 users; NY 7 users; Chicago 15 users)

Actually, this is probably the easiest thing you’ve done all day! I count 5 subnets needed, and the largest offices, LA and Chicago, each need 15 users (always look for the network that needs the most hosts). What block size is needed for 15 hosts? 32. (Remember, you cannot use a block size of 16 because you always have to subtract 2 for the subnet and broadcast addresses, which leaves only 14 usable hosts!) What mask provides you with a block size of 32? 224. Bingo! This provides 8 subnets, each with 30 hosts.

Introduction to Network Address Translation (NAT)

Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses. Since then, it’s been discovered that NAT is also a useful tool for network migrations and mergers, server load sharing, and creating “virtual servers.” So in this section, I’m going to describe the basics of NAT functionality and the terminology common to NAT.

At times, NAT really decreases the overwhelming amount of public IP addresses required in your networking environment. And NAT comes in very handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization changes its ISP and the networking manager doesn’t want the hassle of changing the internal address scheme. Here’s a list of situations when it’s best to have NAT on your side:

■ You need to connect to the Internet and your hosts don’t have globally unique IP addresses.
■ You change to a new ISP that requires you to renumber your network.
■ You need to merge two intranets with duplicate addresses.

You typically use NAT on a border router.
For an illustration of this, see Figure 8.10, where NAT would be configured on the Corporate router.

Now you may be thinking, “NAT’s totally cool. It’s the grooviest, greatest network gadget, and I just gotta have it.” Well, hang on a minute. There are truly some serious snags related to NAT use. Oh, don’t get me wrong: It really can save you sometimes, but there’s a dark side you need to know about too. For a visual of the pros and cons linked to using NAT, check out Table 8.3.

TABLE 8.3 Advantages and disadvantages of implementing NAT

    Advantages                                               Disadvantages
    Conserves legally registered addresses.                  Translation introduces switching path delays.
    Reduces address overlap occurrences.                     Loss of end-to-end IP traceability.
    Increases flexibility when connecting to the Internet.   Certain applications will not function with NAT enabled.
    Eliminates address renumbering as the network changes.

The applications that break are the ones that carry IP addresses or port numbers inside their payload (active-mode FTP, SIP, and IPsec AH are the classic cases), because the translator rewrites only the packet headers.

FIGURE 8.10 Where to configure NAT (the Corporate router sits between the Internet and the Engineering and Sales networks)

Types of Network Address Translation

In this section, I’m going to go over the three types of NAT with you:

Static NAT (SNAT) This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.

Dynamic NAT (DNAT) This version gives you the ability to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside address to an outside address as you would using static NAT, but you do have to have enough real, bona fide IP addresses for everyone who’s going to be sending packets to and receiving them from the Internet. (Don’t confuse these exam abbreviations with the Linux netfilter SNAT and DNAT targets, which mean source NAT and destination NAT.)

Overloading This is the most popular type of NAT configuration.
Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address—many-to-one—by using different ports. Now, why is this so special? Well, because it’s also known as Port Address Translation (PAT). And by using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address—pretty slick, yeah? Seriously, NAT Overload is the real reason we haven’t run out of valid IP addresses on the Internet. Really—I’m not joking.

One consequence for security operations: with PAT, every outbound connection from the site appears to come from the same address, so an abuse report or an external log entry points only at the translating device. Keep the translation table logged, with timestamps and ports, if you ever need to trace traffic back to an inside host.

NAT Names

The names we use to describe the addresses used with NAT are pretty simple. Addresses used after NAT translations are called global addresses. These are usually the public addresses used on the Internet, but remember, you don’t need public addresses if you aren’t going on the Internet. Local addresses are the ones we use before NAT translation. So, the inside local address is actually the private address of the sending host that’s trying to get to the Internet, while the outside local address is the address of the destination host. The latter is usually a public address (web address, mail server, and so on) and is how the packet begins its journey. After translation, the inside local address is then called the inside global address, and the outside global address then becomes the name of the destination host. Check out Table 8.4, which lists all this terminology, for a clear picture of the various names used with NAT.

TABLE 8.4 NAT terms

    Name              Meaning
    Inside local      Name of the inside source address before translation
    Outside local     Name of the destination host before translation
    Inside global     Name of the inside host after translation
    Outside global    Name of the outside destination host after translation

How NAT Works

Now it’s time to look at how this whole NAT thing works.
I’m going to start by using Figure 8.11 to describe the basic translation of NAT. In the example shown in Figure 8.11, host 10.1.1.1 sends an outbound packet to the border router configured with NAT. The router identifies the IP address as an inside local IP address destined for an outside network, translates the address, and documents the translation in the NAT table. The packet is sent to the outside interface with the new translated source address. The external host returns the packet to the destination host, and the NAT router translates the inside global IP address back to the inside local IP address using the NAT table. This is as simple as it gets.

FIGURE 8.11 Basic NAT translation
    Inside hosts 10.1.1.1, 10.1.1.2, 10.1.1.3; outside Host B 63.41.7.3
    Outbound packet: SA 10.1.1.1 on the inside becomes SA 170.168.2.2 toward the Internet
    Return packet: DA 170.168.2.2 from the Internet becomes DA 10.1.1.1 on the inside

    NAT Table
    Inside Local IP Address    Inside Global IP Address
    10.1.1.3                   170.168.2.4
    10.1.1.2                   170.168.2.3
    10.1.1.1                   170.168.2.2

Let’s take a look at a more complex configuration using overloading, or what is also referred to as PAT. I’ll use Figure 8.12 to demonstrate how PAT works. With overloading, all inside hosts get translated to one single IP address, hence the term overloading. Again, the reason we have not run out of available IP addresses on the Internet is because of overloading (PAT). Take a look at the NAT table in Figure 8.12. In addition to the inside local IP address and outside global IP address, we now have port numbers. These port numbers help the router identify which host should receive the return traffic.
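A small model of the PAT table just described, added here as an example; it is not taken from the book or from any vendor’s implementation. It shows the three things the prose says the port numbers do: keep a host’s own source port when it is free, pick a different one when two inside hosts collide on the same port, and steer return traffic back to the right inside local address while dropping anything with no entry. It also includes the static port-forwarding entry this section closes with. The addresses are those of Figure 8.12; the flows, the 1024 to 65535 port pool, and the port-forward to 10.1.1.10:80 are constructed assumptions.

```python
"""NAT overload (PAT) translation table: many inside local addresses share one inside global
address, told apart by port, plus the static port-forwarding entry described at the end of the section."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Simplified PAT (constructed example, not a vendor implementation).

    Each (proto, inside local IP, inside local port) gets its own port on the single
    inside global address. Real routers also key entries on the outside address so one
    global port can be reused toward different destinations; this model keeps it simpler.
    """

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        # (proto, inside local ip, inside local port) -> inside global port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, inside global port) -> (inside local ip, inside local port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self, proto: str, preferred: int) -> int:
        """Keep the host's own source port when it is free (as in Figure 8.12);
        otherwise hand out the lowest free port in the pool."""
        if (proto, preferred) not in self.inbound:
            return preferred
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted for " + proto)

    def add_port_forward(self, proto: str, global_port: int, local_ip: str, local_port: int) -> None:
        """Static entry: unsolicited traffic to inside_global:global_port reaches local_ip:local_port."""
        if (proto, global_port) in self.inbound:
            raise ValueError(f"{proto}/{global_port} is already mapped")
        self.inbound[(proto, global_port)] = (local_ip, local_port)
        self.outbound[(proto, local_ip, local_port)] = global_port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to inside_global:allocated_port and record the entry."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.inside_global, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: look up the destination port. None means no entry, so the router
        drops the packet; this is why unsolicited inbound traffic never reaches an inside host."""
        if pkt.dst_ip != self.inside_global:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, local_ip, local_port)


if __name__ == "__main__":
    # Constructed flows using the addresses of Figure 8.12.
    pat = PatTable("170.168.2.2")
    out = pat.translate_outbound(Packet("tcp", "10.1.1.3", 1492, "63.41.7.3", 23))
    print("outbound:", out)                                             # 170.168.2.2:1492 -> 63.41.7.3:23
    clash = pat.translate_outbound(Packet("tcp", "10.1.1.2", 1492, "63.41.7.3", 23))
    print("second host, same source port, gets:", clash.src_port)      # 1024, the lowest free port
    back = pat.translate_inbound(Packet("tcp", "63.41.7.3", 23, "170.168.2.2", clash.src_port))
    print("return traffic delivered to:", back.dst_ip, back.dst_port)  # 10.1.1.2 1492
    print("unsolicited probe:", pat.translate_inbound(Packet("tcp", "198.51.100.9", 40000, "170.168.2.2", 3389)))
    pat.add_port_forward("tcp", 8080, "10.1.1.10", 80)
    print("forwarded:", pat.translate_inbound(Packet("tcp", "198.51.100.9", 50000, "170.168.2.2", 8080)))
```

The unsolicited-probe case returning None is the whole of the “protection” people attribute to NAT: there is no entry, so there is nowhere to deliver the packet. The port-forward line shows how quickly that protection disappears once you punch a hole for a service.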
FIGURE 8.12 NAT overloading example (PAT)
    Inside hosts 10.1.1.1, 10.1.1.2, 10.1.1.3; outside Host B 63.41.7.3 and Host C 63.40.7.3
    Outbound packet: SA 10.1.1.1 becomes SA 170.168.2.2; return packet: DA 170.168.2.2 becomes DA 10.1.1.1

    NAT Table
    Protocol   Inside Local IP Address:Port   Inside Global IP Address:Port   Outside Global IP Address:Port
    TCP        10.1.1.3:1492                  170.168.2.2:1492                63.41.7.3:23
    TCP        10.1.1.2:1723                  170.168.2.2:1723                63.41.7.3:23
    TCP        10.1.1.1:1024                  170.168.2.2:1024                63.40.7.3:23

Port numbers are used at the Transport layer to identify the local host in this example. If we had to use IP addresses to identify the source hosts, that would be called static NAT, and we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts, which in turn allows (theoretically) up to about 64,000 concurrent translations per transport protocol behind one real IP address. Since every host normally holds several sessions at once, that works out to thousands of hosts, not 65,000.

One last thing: we’ve been discussing translating IP addresses using some type of network address translation. However, using a router or firewall, you can also perform port forwarding, which is translating the port number of a packet to a new destination. The destination may be a predetermined network port (using any IP protocol, but typically TCP or UDP ports) on a host within a private network behind a NAT router. Based on the received port number, a remote host can communicate with servers behind the NAT gateway to the local network. A forwarded port is, of course, a hole through the NAT boundary: the inside service becomes reachable from the whole Internet, so it needs the same patching and access control you would give a host with a public address.

You’re done, the diva has sung, the chicken has crossed the road…whew! Take a good break, and then come back and go through the written labs and review questions.

Summary

Did you read Chapter 7 and this chapter and understand everything on the first pass? If so, that is fantastic—congratulations! The thing is, you probably got lost a couple of times—and as I told you, that’s what usually happens, so don’t stress.
Don’t feel bad if you have to read each chapter more than once, or even 10 times, before you’re truly good to go.

This chapter provided you with an important understanding of IP subnetting. After reading this chapter, you should be able to subnet IP addresses in your head. You should also understand the basic troubleshooting methods. You must remember the four steps you take when trying to narrow down exactly where a network/IP addressing problem is and then know how to proceed systematically in order to fix it. In addition, you should be able to find valid IP addresses and subnet masks by looking at a network diagram.

I finished this chapter with an introduction to Network Address Translation. I discussed the difference between static and dynamic NAT and NAT overloading.

Exam Essentials

Remember the steps to subnet in your head. Understand how IP addressing and subnetting work. First, determine your block size by using the 256-subnet mask math. Then, count your subnets and determine the broadcast address of each subnet—it is always the number right before the next subnet. Your valid hosts are the numbers between the subnet address and the broadcast address.

Understand the various block sizes. This is an important part of understanding IP addressing and subnetting. The valid block sizes are always 4, 8, 16, 32, 64, 128, and so on. You can determine your block size by using the 256-subnet mask math.

Remember the four diagnostic steps. The four simple steps for troubleshooting are ping the loopback address, ping the NIC, ping the default gateway, and ping the remote device.

You must be able to find and fix an IP addressing problem. Once you go through the four troubleshooting steps, you should be able to determine the IP addressing problem by drawing out the network and finding the valid and invalid hosts addressed in your network.

Understand basic NAT terminology.
You want to know the difference between inside local and inside global. Inside local is before translation, and inside global is after translation. Inside global is defined as a registered address that represents an inside host to an outside network. You should also understand PAT and how it works by using different port numbers to map multiple private IP addresses to a single registered IP address.

Written Labs

You can find the answers to the written labs in Appendix A.

Write the subnet, broadcast address, and valid host range for question 1 through question 6:

1. 192.168.100.25/30
2. 192.168.100.37/28
3. 192.168.100.66/27
4. 192.168.100.17/29
5. 192.168.100.99/26
6. 192.168.100.99/25
7. You have a Class B network and need 29 subnets. What is your mask?
8. What is the broadcast address of 192.168.192.10/29?
9. How many hosts are available with a Class C /29 mask?
10. What is the subnet for host ID 172.16.3.65/23?

Review Questions

You can find the answers to the review questions in Appendix B.

1. What is the maximum number of IP addresses that can be assigned to hosts on a local subnet that uses the 255.255.255.224 subnet mask?
    A. 14
    B. 15
    C. 16
    D. 30
    E. 31
    F. 62

2. You have a Class A host of 10.0.0.110/25. It needs to communicate to a host with an IP address of 10.0.0.210/25. Which of the following devices do you need to use in order for these hosts to communicate?
    A. A Layer 2 switch
    B. Router
    C. DNS server
    D. Hub

3. What is the subnetwork address for a host with the IP address 200.10.5.68/28?
    A. 200.10.5.56
    B. 200.10.5.32
    C. 200.10.5.64
    D. 200.10.5.0

4. The network address of 172.16.0.0/19 provides how many subnets and hosts?
    A. 7 subnets, 30 hosts each
    B. 7 subnets, 2,046 hosts each
    C. 7 subnets, 8,190 hosts each
    D. 8 subnets, 30 hosts each
    E. 8 subnets, 2,046 hosts each
    F. 8 subnets, 8,190 hosts each

5. You receive a call from a user who is complaining that they cannot get on the Internet. You have them verify their IP address, mask, and default gateway. The IP address is 10.0.37.144, with a subnet mask of 255.255.254.0. The default gateway is 10.0.38.1. What is the problem?
    A. Incorrect DNS server address
    B. Invalid subnet mask
    C. Incorrect gateway IP
    D. IP address and mask not compatible

6. If a host on a network has the address 172.16.45.14/30, what is the subnetwork this host belongs to?
    A. 172.16.45.0
    B. 172.16.45.4
    C. 172.16.45.8
    D. 172.16.45.12
    E. 172.16.45.16

7. On a network, which mask should you use on point-to-point WAN links in order to reduce the waste of IP addresses?
    A. /27
    B. /28
    C. /29
    D. /30
    E. /31

8. On which of the following devices are you most likely to be able to implement NAT?
    A. Hub
    B. Ethernet switch
    C. Router
    D. Bridge

9. You have an interface on a router with the IP address of 192.168.192.10/29. Including the router interface, how many hosts can have IP addresses on the LAN attached to the router interface?
    A. 6
    B. 8
    C. 30
    D. 62
    E. 126

10. When configuring the IP settings on a computer on one subnet to ensure that it can communicate with a computer on another subnet, which of the following is desirable?
    A. Configure the computer with the same default gateway as the other computer.
    B. Configure the computer with the same subnet mask as the other computer.
    C. Configure the computer with a default gateway that matches the IP address of the interface of the router that is attached to the same subnet as the computer.
    D. Configure the computer with a subnet mask that matches the IP address of the router’s interface that is attached to the same subnet as the computer.

11. You have an interface on a router with the IP address of 192.168.192.10/29. What is the broadcast address the hosts will use on this LAN?
    A. 192.168.192.15
    B. 192.168.192.31
    C. 192.168.192.63
    D. 192.168.192.127
    E. 192.168.192.255

12. What is the highest usable address on the 172.16.1.0/24 network?
    A. 172.16.1.255
    B. 172.16.1.254
    C. 172.16.1.253
    D. 172.16.1.23

13. A network administrator is connecting two hosts directly through their Ethernet interfaces, as shown in the illustration. Ping attempts between the hosts are unsuccessful. What can be done to provide connectivity between the hosts? (Choose two.)

    Illustration: two hosts joined by a straight-through cable.
    Left host:  IP Address: 192.168.1.20   Mask: 255.255.255.240
    Right host: IP Address: 192.168.1.201  Mask: 255.255.255.240

    A. A crossover cable should be used in place of the straight-through cable.
    B. A rollover cable should be used in place of the straight-through cable.
    C. The subnet masks should be set to 255.255.255.192.
    D. A default gateway needs to be set on each host.
    E. The subnet masks should be set to 255.255.255.0.

14. If an Ethernet port on a router was assigned an IP address of 172.16.112.1/25, what would be the subnet address of this host?
    A. 172.16.112.0
    B. 172.16.0.0
    C. 172.16.96.0
    D. 172.16.255.0
    E. 172.16.128.0

15. Using the following illustration, what would be the IP address of E0 if you were using the eighth subnet? The network ID is 192.168.10.0/28, and you need to use the last available IP address in the range. The 0 subnet should not be considered valid for this question.

    Illustration: a router with interfaces S0 and E0.

    A. 192.168.10.142
    B. 192.168.10.66
    C. 192.168.100.254
    D. 192.168.10.143
    E. 192.168.10.126

16. Using the illustration in question 15, what would be the IP address of E0 if you were using the first subnet? The network ID is 192.168.10.0/28, and you need to use the last available IP address in the range. Again, the zero subnet should not be considered valid for this question.
    A. 192.168.10.24
    B. 192.168.10.62
    C. 192.168.10.30
    D. 192.168.10.127

17. If you are forced to replace a router that has failed to the point that you are unable to access its current configuration to aid in setting up interface addresses on the new router, which of the following can you reference for assistance?
    A. The default-gateway settings on computers from each subnet that the old router interconnected.
    B. The router’s configuration that was periodically cached on the DHCP server.
    C. The router’s configuration that was periodically cached on the DNS server.
    D. The new router will auto-configure itself with the correct settings.

18. You have a network with a subnet of 172.16.17.0/22. Which of the following is a valid host address?
    A. 172.16.17.1 255.255.255.252
    B. 172.16.0.1 255.255.240.0
    C. 172.16.20.1 255.255.254.0
    D. 172.16.16.1 255.255.255.240
    E. 172.16.18.255 255.255.252.0
    F. 172.16.0.1 255.255.255.0

19. Your router has the following IP address on Ethernet0: 172.16.2.1/23. Which of the following can be valid host IDs on the LAN interface attached to the router? (Choose two.)
    A. 172.16.0.5
    B. 172.16.1.100
    C. 172.16.1.198
    D. 172.16.2.255
    E. 172.16.3.0
    F. 172.16.3.255

20. You have one IP address provided from your ISP with a /30 mask. However, you have 300 users that need to access the Internet. What technology will you use to implement a solution?
    A. PAT
    B. VPN
    C. DNS
    D. LANs

Chapter 9 Introduction to IP Routing

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.9 Explain the basics of routing concepts and protocols
    ■ Loopback interface
    ■ Routing loops
    ■ Routing tables
    ■ Static vs dynamic routes
    ■ Default route
    ■ Distance vector routing protocols
        ■ RIP v2
    ■ Hybrid routing protocols
        ■ BGP
    ■ Link state routing protocols
        ■ OSPF
        ■ IS-IS

IP routing is the process of moving packets from one network to another network using routers.
The IP routing process is a super-important subject to understand because it pertains to all routers and configurations that use IP. Before you read this chapter, you need to understand the difference between a routing protocol and a routed protocol.

A routing protocol is a tool used by routers to dynamically find all the networks in the internetwork as well as to ensure that all routers end up with a consistent picture of those networks in their routing tables. Basically, a routing protocol determines the path of a packet through an internetwork. Examples of routing protocols are Routing Information Protocol (RIP), Routing Information Protocol version 2 (RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF).

Once all routers know about all networks, a routed protocol can be used to send user data (packets) through the established internetwork. Routed protocols are assigned to an interface and determine the method of packet delivery. Examples of routed protocols are Internet Protocol (IP) and Internet Protocol version 6 (IPv6).

In this chapter, I’m going to describe IP routing with routers. I will explain, in a step-by-step fashion, the IP routing process. I will also explain static and dynamic routing on a conceptual level, with more details about dynamic routing in Chapter 10, “Routing Protocols.”

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Routing Basics

Once you create an internetwork by connecting your wide area networks (WANs) and local area networks (LANs) to a router, you need to configure logical network addresses, such as IP addresses, for all hosts on the internetwork so that they can communicate via routers across that internetwork. In IT, routing essentially refers to the process of taking a packet from one device and sending it through the network to another device on a different network.
Routers don’t really care about hosts—they care only about networks and the best path to each network. The logical network address of the destination host is used to get packets to a network through a routed network, and then the hardware address of the host is used to deliver the packet from a router to the correct destination host. If your network has no routers, then it should be apparent that, well, you are not routing. But if you do have them, they’re there to route traffic to all the networks in your internetwork.

To be capable of routing packets, a router must know at least the following information:
■ Destination network address
■ Neighbor routers from which it can learn about remote networks
■ Possible routes to all remote networks
■ The best route to each remote network
■ How to maintain and verify routing information

The router learns about remote networks from neighbor routers or from an administrator. The router then builds a routing table (a map of the internetwork) that describes how to find the remote networks. If a network is directly connected, then the router already knows how to get to it. If a network isn’t directly connected to the router, the router must use one of two ways to learn how to get to it. One way is called static routing, which can be a ton of work because it requires someone to hand-type all network locations into the routing table. The other way is dynamic routing.

In dynamic routing, a protocol on one router communicates with the same protocol running on neighbor routers. The routers then update each other about all the networks they know about and place this information into the routing table. If a change occurs in the network, the dynamic routing protocols automatically inform all routers about the event. If static routing is used, the administrator is responsible for updating all changes by hand into all routers.
Understandably, in a large network, it’s common to find that a combination of both dynamic and static routing is being used.

Before we jump into the IP routing process, let’s take a look at a simple example that demonstrates how a router uses the routing table to route packets out of an interface. We’ll be going into a more detailed study of this process in a minute. Figure 9.1 shows a simple two-router network. Lab_A has one serial interface and three LAN interfaces.

FIGURE 9.1 A simple routing example
[Figure: router Lab_A with interfaces Fa0/0 10.10.10.1/24, Fa0/1 10.10.20.1/24, Fa0/2 10.10.30.1/24, and S0/0 10.10.40.1/24]

Looking at Figure 9.1, can you figure out which interface Lab_A will use to forward an IP datagram to a host with an IP address of 10.10.10.10? By using the Cisco IOS command show ip route, we can see the routing table (map of the internetwork) that router Lab_A will use to make all forwarding decisions:

    Router_A#show ip route
    [output cut]
    Gateway of last resort is not set
    C    10.10.10.0/24 is directly connected, FastEthernet0/0
    C    10.10.20.0/24 is directly connected, FastEthernet0/1
    C    10.10.30.0/24 is directly connected, FastEthernet0/2
    C    10.10.40.0/24 is directly connected, Serial0/0

The C in the routing table output means that the networks listed are “directly connected,” and until we add a routing protocol—something like RIP, EIGRP, and so on—to the routers in our internetwork, or use static routes, we’ll have only directly connected networks in our routing table.

So, let’s get back to the original question: By looking at the figure and the output of the routing table, can you tell what Lab_A will do with a received packet that has a destination IP address of 10.10.10.10? If you answered, “The router will packet-switch the packet to interface FastEthernet 0/0, and this interface will then frame the packet and send it out on the network segment,” you’re right.
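The forwarding lookup behind that answer, written out as an added example (it is not code from the book or from Cisco IOS): the script parses the show ip route output above and the subnetted one that follows it, then resolves a destination the way a router does, choosing the most specific matching prefix. The static default route (the S* line, with an assumed next hop of 10.10.10.2) is constructed here to show that a gateway of last resort matches everything but loses to any more specific prefix.

```python
"""Longest-prefix routing-table lookup (added example; not code from the book
or from Cisco IOS).  Parses connected and static lines in the format IOS
prints and resolves a destination the way a router's forwarding lookup does."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the two routing tables shown in this section.
LAB_A_FLAT = """\
Gateway of last resort is not set
C    10.10.10.0/24 is directly connected, FastEthernet0/0
C    10.10.20.0/24 is directly connected, FastEthernet0/1
C    10.10.30.0/24 is directly connected, FastEthernet0/2
C    10.10.40.0/24 is directly connected, Serial0/0
"""

LAB_A_SUBNETTED = """\
Gateway of last resort is not set
C    10.10.10.16/28 is directly connected, FastEthernet0/0
C    10.10.10.8/29 is directly connected, FastEthernet0/1
C    10.10.10.4/30 is directly connected, FastEthernet0/2
C    10.10.10.0/30 is directly connected, Serial0/0
"""

# Assumed for the demonstration: a static default route pointing at the
# neighbor on the Serial0/0 /30 (the tables on this page have none).
DEFAULT_VIA_SERIAL = "S*   0.0.0.0/0 [1/0] via 10.10.10.2\n"


@dataclass(frozen=True)
class Route:
    code: str                          # IOS code column: C, S, S*, R, O, ...
    network: ipaddress.IPv4Network
    exit_interface: Optional[str]      # set for connected routes
    next_hop: Optional[str]            # set for routes that point at a neighbor


ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9*]*)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:is directly connected, (?P<iface>\S+)"
    r"|\[\d+/\d+\] via (?P<nh>\d+(?:\.\d+){3}))"
)


def parse_routes(show_ip_route: str) -> List[Route]:
    """Keep only lines that name a prefix and how to reach it."""
    routes = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], ipaddress.IPv4Network(m["prefix"]),
                                m["iface"], m["nh"]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Forwarding decision: of all prefixes containing the destination, the
    longest mask wins.  0.0.0.0/0 (gateway of last resort) contains every
    address and so only wins when nothing more specific matches.  None means
    the packet is dropped (and ICMP Destination Unreachable is sent back)."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def exit_for(routes: List[Route], destination: str) -> Optional[str]:
    """Exit interface for connected routes, 'via <next hop>' otherwise."""
    route = lookup(routes, destination)
    if route is None:
        return None
    return route.exit_interface or f"via {route.next_hop}"


if __name__ == "__main__":
    flat = parse_routes(LAB_A_FLAT)
    sub = parse_routes(LAB_A_SUBNETTED)
    with_default = parse_routes(LAB_A_SUBNETTED + DEFAULT_VIA_SERIAL)
    print("10.10.10.10 ->", exit_for(flat, "10.10.10.10"))          # FastEthernet0/0
    print("10.10.10.14 ->", exit_for(sub, "10.10.10.14"))           # FastEthernet0/1
    print("10.10.10.40 ->", exit_for(sub, "10.10.10.40"))           # None: dropped
    print("10.10.10.40 ->", exit_for(with_default, "10.10.10.40"))  # via 10.10.10.2
```

The longest-prefix rule is worth remembering beyond the exam: because a more specific prefix always beats a less specific one, a routing update that injects a /25 for someone else's /24 diverts that traffic, which is why routing-protocol neighbors should be authenticated and why BGP operators filter what they accept.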
Just because we can, let’s look at a different example. Based on the output of the next routing table, which interface will a packet with a destination address of 10.10.10.14 be forwarded from?

    Router_A#sh ip route
    [output cut]
    Gateway of last resort is not set
    C    10.10.10.16/28 is directly connected, FastEthernet0/0
    C    10.10.10.8/29 is directly connected, FastEthernet0/1
    C    10.10.10.4/30 is directly connected, FastEthernet0/2
    C    10.10.10.0/30 is directly connected, Serial0/0

First, you can see that the network is subnetted and that each interface has a different mask. And I have to tell you, you positively can’t answer this question if you can’t subnet—no way! Here’s the answer: 10.10.10.14 would be a host in the 10.10.10.8/29 subnet (valid hosts 10.10.10.9 through 10.10.10.14, broadcast 10.10.10.15) connected to the FastEthernet 0/1 interface. Don’t freak if this one left you staring vacantly. Instead, if you’re struggling, go back and reread Chapter 8, “IP Subnetting, Troubleshooting IP, and Introduction to NAT,” until you get it. This should then make perfect sense to you.

When the routing tables of all routers in the network are complete (because they include information about all the networks in the internetwork), they are considered converged, or in a steady state. This is covered in more detail in Chapter 10.

Now, let’s get into this process in more detail.

The IP Routing Process

The IP routing process is actually pretty simple, and it doesn’t change, regardless of the size of your network. I’m going to use Figure 9.2 to give you a picture of this step-by-step process. The question I’m asking is this: What happens when Host_A wants to communicate with Host_B on a different network? I’ll go through how to answer that question by breaking down the process with headings to make it easier to understand. First, check out Figure 9.2.
FIGURE 9.2 IP routing example using two hosts and one router
[Figure: Host_A 172.16.10.2 is attached to Lab_A interface E0 172.16.10.1; Lab_A interface E1 172.16.20.1 is attached to Host_B 172.16.20.2]

Here you can see that a user on Host_A pings Host_B’s IP address. Routing doesn’t get any simpler than this, but it still involves a lot of steps. Let’s work through them.

A packet is created on the host:

1. Internet Control Message Protocol (ICMP) creates an echo request payload (which is just the alphabet in the data field).

2. ICMP hands that payload to IP, which then creates a packet. At a minimum, this packet contains an IP source address, an IP destination address, and a Protocol field with 01h. (Remember that Cisco likes to use 0x in front of hex characters, so this could look like 0x01.) All of that tells the receiving host whom it should hand the payload to when the destination is reached. In this example, it’s ICMP.

The packet is forwarded:

3. After the packet is created, IP determines whether the destination IP address is on the local network or a remote one by applying its own subnet mask to the destination and comparing the result with its own network address.

4. Because IP has discovered that this is a remote request, the packet needs to be sent to the default gateway so the packet can be routed to the correct remote network. The Registry in Windows is parsed to find the configured default gateway.

5. The default gateway of host 172.16.10.2 (Host_A) is configured to 172.16.10.1. For this packet to be sent to the default gateway, the hardware address of the router’s interface Ethernet 0 (configured with the IP address of 172.16.10.1) must be known. Why? So the packet can be handed down to the Data Link layer, framed, and sent to the router’s interface that’s connected to the 172.16.10.0 network. Because hosts only communicate via hardware addresses on the local LAN, it’s important to recognize that for Host_A to communicate to Host_B, it has to send packets to the Media Access Control (MAC) address of the default gateway on the local network.
MAC addresses are always local on the LAN and never go through and past a router.

6. The Address Resolution Protocol (ARP) cache of the host is checked to see whether the IP address of the default gateway has already been resolved to a hardware address. If it has, the packet is then free to be handed to the Data Link layer for framing. (The hardware-destination address is also handed down with that packet.) To view the ARP cache on your host, use the following command:

    C:\>arp -a
    Interface: 172.16.10.2 --- 0x3
      Internet Address      Physical Address      Type
      172.16.10.1           00-15-05-06-31-b0     dynamic

If the hardware address isn’t already in the ARP cache of the host, an ARP broadcast is sent out onto the local network to search for the hardware address of 172.16.10.1. The router responds to that request and provides the hardware address of Ethernet 0, and the host caches this address. Note that ARP has no authentication at all: the host believes whoever answers, so any device on the same segment can claim the gateway’s address and insert itself into this path (ARP spoofing). That is why switch features that validate ARP against DHCP leases exist, and why a dynamic entry with an unexpected MAC in arp -a is worth a second look.

7. After the packet and destination hardware address have been handed to the Data Link layer, the LAN driver is used to provide media access via the type of LAN being used (in this example, it’s Ethernet). A frame is then generated, encapsulating the packet with control information. Within that frame are the hardware-destination and source addresses plus, in this case, an Ether-Type field that describes the Network layer protocol that handed the packet to the Data Link layer—in this instance, IP. At the end of the frame is something called a Frame Check Sequence (FCS) field that houses the result of the cyclic redundancy check (CRC). The frame would look something like what I’ve detailed in Figure 9.3. It contains Host_A’s hardware (MAC) address and the hardware-destination address of the default gateway. It does not include the remote host’s MAC address—remember that because it’s important!
FIGURE 9.3 Frame used from Host_A to the Lab_A router when Host_B is pinged
[Figure: Destination MAC (router’s E0 MAC address) | Source MAC (Host_A MAC address) | Ether-Type field | Packet | FCS (CRC)]

8. When the frame is completed, it’s handed down to the Physical layer to be placed onto the physical medium one bit at a time. In this example, the physical medium is twisted-pair wire.

The router receives the packet:

9. Every device within the collision domain receives these bits and builds the frame. (On a switched LAN the switch forwards the frame only out the port where it has learned the destination MAC address, so normally only the router sees it; a hub, or a switch flooding an unknown address, sends it everywhere.) They each run a CRC and check the answer in the FCS field. If the answers don’t match, the frame is discarded. But if the CRC matches, then the hardware-destination address is checked to see if it matches, too (in this example, it’s the router’s interface, Ethernet 0). If it’s a match, then the Ether-Type field is checked to find the protocol used at the Network layer.

10. The packet is pulled from the frame, and what is left of the frame is discarded. The packet is then handed to the protocol listed in the Ether-Type field—it’s given to IP.

The router routes the packet:

11. IP receives the packet and checks the IP destination address. Because the packet’s destination address doesn’t match any of the addresses configured on the receiving router’s interfaces, the router will look up the destination IP network address in its routing table.

12. The routing table must have an entry for the network 172.16.20.0 (or a default route) or the packet will be discarded immediately and an ICMP message will be sent back to the originating device with a Destination Unreachable message.

13. If the router does find an entry for the destination network in its table, the packet is switched to the exit interface—in this example, interface Ethernet 1. The following output displays the Lab_A router’s routing table.
The C means “directly connected.” No routing protocols are needed in this network because all networks (all two of them) are directly connected:

    Lab_A>sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP,
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area,
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP,
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
           * - candidate default, U - per-user static route, o - ODR,
           P - periodic downloaded static route

    Gateway of last resort is not set

         172.16.0.0/24 is subnetted, 2 subnets
    C       172.16.10.0 is directly connected, Ethernet0
    C       172.16.20.0 is directly connected, Ethernet1

14. The router packet-switches the packet to the Ethernet 1 buffer. As every router does on every hop, it also decrements the packet’s TTL by one and recomputes the IP header checksum before sending it on.

15. Now that the packet is in the Ethernet 1 buffer, IP needs to know the hardware address of the destination host and first checks the ARP cache. If the hardware address of Host_B has already been resolved and is in the router’s ARP cache, then the packet and the hardware address are handed down to the Data Link layer to be framed. Let’s take a look at the ARP cache on the Lab_A router by using the show ip arp command:

    Lab_A#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  172.16.20.1             -   00d0.58ad.05f4  ARPA   Ethernet1
    Internet  172.16.20.2             3   0030.9492.a5dd  ARPA   Ethernet1
    Internet  172.16.10.1             -   0015.0506.31b0  ARPA   Ethernet0
    Internet  172.16.10.2            12   0030.9492.a4ac  ARPA   Ethernet0

The dash (-) in the Age column means that this is the physical interface on the router. From this output, we can see that the router knows the 172.16.10.2 (Host_A) and 172.16.20.2 (Host_B) hardware addresses. By default, Cisco routers will keep an entry in the ARP table for 4 hours. But if the hardware address hasn’t already been resolved, the router then sends an ARP request out E1 looking for the hardware address of 172.16.20.2.
Host_B responds with its hardware address, and the packet and hardware-destination address are both sent to the Data Link layer for framing.

16. The Data Link layer creates a frame with the destination and source hardware address, Ether-Type field, and FCS field at the end. The frame is handed to the Physical layer to be sent out on the physical medium one bit at a time.

Finally, the remote host receives the packet:

17. Host_B receives the frame and immediately runs a CRC. If the result matches what’s in the FCS field, the hardware-destination address is then checked. If the host finds a match, the Ether-Type field is then checked to determine the protocol that the packet should be handed to at the Network layer—IP, in this example.

18. At the Network layer, IP receives the packet and checks the IP destination address. Because there’s finally a match made, the Protocol field is checked to find out whom the payload should be given to.

19. The payload is handed to ICMP, which understands that this is an echo request. ICMP responds to this by immediately discarding the packet and generating a new payload as an echo reply.

The destination host becomes a source host:

20. A packet is created, including the source and destination IP addresses, Protocol field, and payload. The destination device is now Host_A.

21. IP checks to see whether the destination IP address is a device on the local LAN or on a remote network. Because the destination device is on a remote network, the packet needs to be sent to the default gateway.

22. The default gateway IP address is found in the Registry of the Windows device, and the ARP cache is checked to see whether the hardware address has already been resolved from an IP address.

23. After the hardware address of the default gateway is found, the packet and destination hardware addresses are handed down to the Data Link layer for framing.

24. The Data Link layer frames the packet of information and includes the following:
■ The destination and source hardware addresses
■ The Ether-Type field with 0x0800 (IP) in it
■ The FCS field with the CRC result in tow (strictly a trailer after the packet, not part of the header)

25. The frame is now handed down to the Physical layer to be sent out over the network medium one bit at a time.

Time for the router to route another packet:

26. The router’s Ethernet 1 interface receives the bits and builds a frame. The CRC is run, and the FCS field is checked to make sure the answers match.

27. When the CRC is found to be okay, the hardware-destination address is checked. Because the router’s interface is a match, the packet is pulled from the frame, and the Ether-Type field is checked to see which protocol at the Network layer the packet should be delivered to.

28. The protocol is determined to be IP, so it gets the packet. IP verifies the IP header checksum first and then checks the destination IP address. IP does not protect the whole packet the way the Data Link layer’s CRC does—the header checksum covers only the 20-byte header, and the payload is left to the upper-layer protocol’s own checksum. Because the IP destination address doesn’t match any of the router’s interfaces, the routing table is checked to see whether it has a route to 172.16.10.0. If it doesn’t have a route over to the destination network, the packet will be discarded immediately. (This is the source point of confusion for a lot of administrators—when a ping fails, most people think the packet never reached the destination host. But as we see here, that’s not always the case. All it takes is just one of the remote routers to be lacking a route back to the originating host’s network and—poof!—the packet is dropped on the return trip, not on its way to the host.)

Just a quick note to mention that when (if) the packet is lost on the way back to the originating host, you will typically see a Request Timed Out message, because nothing came back to say what went wrong. If the error occurs because of a known issue, such as a route that is not in the routing table on the way to the destination device, you will see a Destination Unreachable message, sent by the router that dropped the packet. This should help you determine if the problem occurred on the way to the destination or on the way back. The rule is not absolute, though: a router with no route back to the source cannot deliver its Destination Unreachable either, and many networks filter ICMP, so a timeout only ever tells you that no reply arrived.

29. In this case, the router does know how to get to network 172.16.10.0—the exit interface is Ethernet 0—so the packet is switched to interface Ethernet 0 (with, again, the TTL decremented and the header checksum recomputed).

30. The router checks the ARP cache to determine whether the hardware address for 172.16.10.2 has already been resolved.

31. Because the hardware address to 172.16.10.2 is already cached from the originating trip to Host_B, the hardware address and packet are handed to the Data Link layer.

32. The Data Link layer builds a frame with the destination and source hardware addresses and then puts IP in the Ether-Type field. A CRC is run on the frame, and the result is placed in the FCS field.

33. The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

The original source host, now the destination host, receives the reply packet:

34. The destination host receives the frame, runs a CRC, checks the hardware destination address, and looks in the Ether-Type field to find out whom to hand the packet to.

35. IP is the designated receiver, and after the packet is handed to IP at the Network layer, IP checks the Protocol field for further direction. IP finds instructions to give the payload to ICMP, and ICMP determines the packet to be an ICMP echo reply.

36. ICMP reports the reply to the user interface (a Cisco router’s ping prints an exclamation point, !, for each reply; a Windows host prints a Reply from line). ICMP then sends the remaining echo requests to the destination host (a Cisco router sends five by default, so four more; Windows sends four in total).

You’ve just been introduced to “Todd’s 36 easy steps to understanding IP routing.” The key point to understand here is that if you had a much larger network, the process would be the same.
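The frame and packet handling in those steps, as an added example (not code from the book): it builds Host_A’s echo request and the Figure 9.3 frame around it, then does what Lab_A does with it in steps 9 through 16, including the two things a router does change on every hop, the TTL and the IP header checksum (RFC 1071). The MAC and IP addresses come from Figure 9.2 and the ARP outputs in this section; the Ethernet FCS is left out because the NIC computes it.

```python
"""Frame and packet handling for one hop (added example; not code from the
book).  Builds Host_A's echo request, the Figure 9.3 frame carrying it, and
what Lab_A does with it: accept, verify the IPv4 header checksum, decrement
TTL, recompute the checksum and re-frame the packet for Host_B."""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 0x01
ICMP_ECHO_REQUEST = 8

# Addresses taken from Figure 9.2 and the ARP outputs in this section.
HOST_A = ("172.16.10.2", "00-30-94-92-a4-ac")
HOST_B = ("172.16.20.2", "00-30-94-92-a5-dd")
LAB_A_E0 = ("172.16.10.1", "00-15-05-06-31-b0")
LAB_A_E1 = ("172.16.20.1", "00-d0-58-ad-05-f4")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words.
    IPv4 applies it to the header only; ICMP to header plus data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + data)) + hdr[4:] + data


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 128) -> bytes:
    """Minimal 20-byte header: version 4, IHL 5, protocol 01h, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, PROTO_ICMP, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def ipv4_header_ok(packet: bytes) -> bool:
    """Summing the header with its checksum field in place yields 0 when intact."""
    return len(packet) >= 20 and inet_checksum(packet[:20]) == 0


def build_frame(dst_mac: str, src_mac: str, packet: bytes) -> bytes:
    """Ethernet II header plus packet; the FCS is added by the NIC, not here."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def router_forward(frame: bytes, in_mac: str, out_mac: str, next_hop_mac: str) -> Optional[bytes]:
    """Steps 9-16 for one hop.  Returns the frame sent out the exit interface,
    or None where the router discards (wrong MAC, not IP, bad header, TTL expired)."""
    if frame[:6] != mac_bytes(in_mac):
        return None                          # frame was not for this interface
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                          # not IP: nothing to hand to IP
    packet = frame[14:]
    if not ipv4_header_ok(packet):
        return None                          # damaged header: dropped silently
    ttl = packet[8]
    if ttl <= 1:
        return None                          # would answer with ICMP Time Exceeded
    hdr = bytearray(packet[:20])
    hdr[8] = ttl - 1                         # the one field every hop rewrites
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return build_frame(next_hop_mac, out_mac, bytes(hdr) + packet[20:])


if __name__ == "__main__":
    echo = build_icmp_echo(1, 1, b"abcdefghijklmnopqrstuvwabcdefghi")   # Windows ping data
    packet = build_ipv4(HOST_A[0], HOST_B[0], echo)
    frame_in = build_frame(LAB_A_E0[1], HOST_A[1], packet)              # Figure 9.3
    frame_out = router_forward(frame_in, LAB_A_E0[1], LAB_A_E1[1], HOST_B[1])
    print("in : dst MAC", frame_in[:6].hex("-"), "TTL", frame_in[14 + 8])
    print("out: dst MAC", frame_out[:6].hex("-"), "TTL", frame_out[14 + 8])
```

Two things to take from running it: the MAC pair is rewritten at every hop while the IP addresses and payload are carried through untouched, and the header checksum is pure error detection. A router recomputes it as a matter of course, so anything else in the path can rewrite a header and fix the checksum just as easily; integrity against tampering needs something like IPsec or TLS above this layer.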
In a really big internetwork, the packet just goes through more hops before it finds the destination host.

It’s super important to remember that when Host_A sends a packet to Host_B, the destination hardware address used is the default gateway’s Ethernet interface. Why? Because frames can’t be placed on remote networks—only local networks. So packets destined for remote networks must go through the default gateway. Let’s take a look at Host_A’s ARP cache now by using the arp -a command from the DOS prompt:

    C:\>arp -a
    Interface: 172.16.10.2 --- 0x3
      Internet Address      Physical Address      Type
      172.16.10.1           00-15-05-06-31-b0     dynamic
      172.16.20.1           00-15-05-06-31-b0     dynamic

Did you notice that the hardware (MAC) address that Host_A uses to get to Host_B is the Lab_A E0 interface? Hardware addresses are always local, and they never pass a router’s interface. Understanding this process is as important to internetworking as breathing air is to you, so carve this into your memory!

Testing Your IP Routing Understanding

I want to make sure you understand IP routing because it’s really that important. So, I’m going to use this section to test your understanding of the IP routing process by having you look at a couple of figures and answer some very basic IP routing questions.

Figure 9.4 shows a LAN connected to RouterA, which is, in turn, connected via a WAN link to RouterB. RouterB has a LAN connected with an HTTP server attached. Take a look.

FIGURE 9.4 IP routing example 1
[Figure: HostA on a LAN attached to RouterA Fa0/0; RouterA S0/0 connected over a WAN link to RouterB S0/0; an HTTP server on the LAN attached to RouterB Fa0/0]

The critical information you need to glean from this figure is exactly how IP routing will occur in this example. Okay—we’ll cheat a bit. I’ll give you the answer, but then you should go back over the figure and see if you can answer example 2 without looking at my answers:

1. The destination address of a frame, from HostA, will be the MAC address of the Fa0/0 interface of the RouterA router.
2. The destination address of a packet will be the IP address of the network interface card (NIC) of the HTTP server.
3. The destination port number in the segment header will have a value of 80.

That example was a pretty simple one, and it was also very to the point. One thing to remember is that the server tells connections apart at the Transport layer by the combination of source IP address and source port number: a host that opens several HTTP connections to the server must use a different source port for each of them, while two different hosts may happen to use the same source port without any conflict.

Let’s mix it up a little and add another internetworking device into the network and then see if you can find the answers. Figure 9.5 shows a network with only one router but two switches.

FIGURE 9.5 IP routing example 2
[Figure: HostA connected through a switch to RouterA Fa0/0; an HTTPS server connected through a second switch to RouterA Fa0/1]

What you want to understand about the IP routing process here is what happens when HostA sends data to the HTTPS server:

1. The destination address of a frame from HostA will be the MAC address of the Fa0/0 interface of the RouterA router.
2. The destination address of a packet will be the IP address of the NIC of the HTTPS server.
3. The destination port number in the segment header will have a value of 443.

Notice that neither switch was used as either a default gateway or another destination. That’s because switches have nothing to do with routing. I wonder how many of you chose the switch as the default gateway (destination) MAC address for HostA. If you did, don’t feel bad—just take another look with that fact in mind. It’s very important to remember that the destination MAC address will always be the router’s interface if your packets are destined for outside the LAN, as they were in these last two examples.
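The host-side half of these answers, as an added example (not code from the book): the class below implements steps 3 through 6 for a host, deciding whether a destination is local, which address the frame has to go to (the destination itself or the default gateway), and what ARP produces for it. The LAN is modelled as the set of IP/MAC pairs present on the segment, i.e. the devices that could answer an ARP broadcast; the MACs for the Chapter 8 question 13 hosts are constructed. It also works through that question: under the /28 masks the two directly cabled hosts each decide the other is remote and have no gateway to send to, and a /26 mask does not help, whereas /24 puts them in one subnet.

```python
"""Host-side forwarding decision (added example; not code from the book).
Steps 3-6 for a host: is the destination local or remote, which address does
the frame go to (destination or default gateway), and what MAC does ARP give
for it.  A LAN is a dict of the IP/MAC pairs present on the segment."""
import ipaddress
from typing import Dict, Optional


class Host:
    def __init__(self, ip: str, mask: str, gateway: Optional[str] = None):
        self.iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        self.gateway = ipaddress.IPv4Address(gateway) if gateway else None
        self.arp_cache: Dict[str, str] = {}       # what 'arp -a' would list

    def is_local(self, destination: str) -> bool:
        """Step 3: AND the destination with our mask and compare network bits."""
        return ipaddress.IPv4Address(destination) in self.iface.network

    def next_hop(self, destination: str) -> Optional[ipaddress.IPv4Address]:
        """Step 4: local -> the destination itself; remote -> the gateway.
        None means remote with no gateway configured: the packet cannot leave."""
        if self.is_local(destination):
            return ipaddress.IPv4Address(destination)
        return self.gateway

    def resolve(self, hop: ipaddress.IPv4Address, lan: Dict[str, str]) -> Optional[str]:
        """Step 6: ARP cache first, then a broadcast that only the owner of the
        address on this segment answers.  Nothing beyond a router can answer,
        so an address that is not on the cable never resolves."""
        key = str(hop)
        if key not in self.arp_cache and key in lan:
            self.arp_cache[key] = lan[key]
        return self.arp_cache.get(key)

    def frame_destination_mac(self, destination: str, lan: Dict[str, str]) -> Optional[str]:
        """The destination MAC the Data Link layer puts in the frame, or None
        if the host has nowhere to send it."""
        hop = self.next_hop(destination)
        return None if hop is None else self.resolve(hop, lan)


# Figure 9.2 segment as seen from Host_A; MACs from the ARP outputs above.
LAN_A = {"172.16.10.1": "00-15-05-06-31-b0", "172.16.10.2": "00-30-94-92-a4-ac"}
# Chapter 8, question 13: two hosts on one cable; these MACs are constructed.
LAN_Q13 = {"192.168.1.20": "02-00-00-00-00-14", "192.168.1.201": "02-00-00-00-00-c9"}


def q13_outcomes() -> Dict[str, Optional[str]]:
    """What 192.168.1.20 does when it pings 192.168.1.201 under each mask
    offered in the question, with no default gateway configured."""
    out = {}
    for mask in ("255.255.255.240", "255.255.255.192", "255.255.255.0"):
        host = Host("192.168.1.20", mask)
        out[mask] = host.frame_destination_mac("192.168.1.201", LAN_Q13)
    return out


if __name__ == "__main__":
    host_a = Host("172.16.10.2", "255.255.255.0", "172.16.10.1")
    print("Host_A -> Host_B frame dst MAC:", host_a.frame_destination_mac("172.16.20.2", LAN_A))
    for mask, mac in q13_outcomes().items():
        print(f"mask {mask}: " + (f"frame to {mac}" if mac else "no next hop, ping fails"))
```

The other half of question 13, the cable, is outside anything the IP stack can fix: two host NICs joined directly need a crossover (or auto-MDIX on at least one side) before a single ARP frame can be heard.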
Static and Dynamic Routing

How does a router send packets to remote networks when the only way it can send them is by looking at the routing table to find out how to get to the remote networks? And what happens when a router receives a packet for a network that isn’t listed in the routing table? It doesn’t send a broadcast looking for the remote network—the router just discards the packet.

There are several ways to configure the routing tables to include all the networks so that packets will be forwarded. Understand that what’s best for one network isn’t necessarily what’s best for another. Knowing about and being able to recognize the different types of routing will really help you come up with the best solution for your specific environment and business requirements.

Looking at Figure 9.6, we can see that we can configure a router either with static or dynamic routing. If we choose static routing, then we have to go to each router and type in each network and the path that IP will use to send packets. Static routing does not scale well in large networks, but dynamic routing does because network routes are automatically added to the routing table via the routing protocol.

FIGURE 9.6 Routing options
[Figure: Routing splits into Static Routing and Dynamic Routing]

Dynamic routing protocols break up into many different categories or types of protocols, as shown in Figure 9.7. The first split in the dynamic protocol branch is the division of interior gateway protocols (IGPs) and exterior gateway protocols (EGPs). We are going to talk about each protocol and category in the next few sections, but for now the difference between IGP and EGP is interior or exterior routing of an autonomous system (AS).

FIGURE 9.7 Dynamic routing options
[Figure: Dynamic Routing splits into IGPs and EGPs; EGP protocol: BGP]

An autonomous system is a collection of networks or subnets that are in the same administrative domain. This is another way of saying an administrative domain is within your company’s network, and you control or administer all the subnets that are within it. You control and set the policy for what happens in the network or autonomous system. I hope you can now see that an IGP operates and routes within an AS, and an EGP works outside or between more than one AS.

The most popular protocol for an EGP is Border Gateway Protocol (BGP), which is typically used by ISPs or really large corporations. As an administrator of a small to medium-size network, you’ll probably never use BGP. (BGP will be discussed in Chapter 10.)

Now that we have that out of the way, let’s talk about all the great things that dynamic routing protocols do for us. The thing that comes to mind first is the amount of time and energy we save configuring routers. We won’t have to go to every single router and define for it, with a static route, what and where every destination network is. If that was the only way to configure routing, there would probably be a lot fewer of us interested in doing this for a living. Thankfully, we have routing protocols that do much of the work for us. We still have to know what the routing protocols are going to do and how they will do it, but the protocols will take care of most of the updating and sending information to each other. The flip side is that a router believes what its neighbors tell it, so anything on a segment that can speak the protocol can inject routes; the protocols covered in Chapter 10 all support neighbor authentication, and it should be turned on.

That is the end of the EGP branch of the tree, but the IGP branch continues to split out as we go down further. Looking at Figure 9.8, with the IGP split, you can see that there are two primary categories: distance vector (DV) and link state (LS) routing protocols.

FIGURE 9.8 DV and LS routing protocols
[Figure: IGP splits into Distance Vector (protocols: RIPv1 and RIPv2, IGRP) and Link State (protocols: OSPF, IS-IS)]

No worries—I’m going to discuss all of these types of protocols in the next chapters. But in the distance vector category, for example, we have RIP and Interior Gateway Routing Protocol (IGRP). Under the link state category are the nonproprietary OSPF and Intermediate System-to-Intermediate System (IS-IS) that were designed to work in larger internetworks.

Now, in Figure 9.9, you can see from the diagram that there is a third category: the hybrid protocol category.

FIGURE 9.9 Hybrid routing
[Figure: Distance Vector (protocols: RIPv1 and RIPv2, IGRP), Link State (protocols: OSPF, IS-IS), and Hybrid (EIGRP and BGP)]

The only protocol under this category is EIGRP. It is Cisco proprietary and uses the features of both DV and LS. The Network+ objectives list BGP as a hybrid routing protocol as well because it can work on internal networks as well as external, but it’s really an EGP; just keep this in mind.

Now that we have a handle on IP routing, let’s move on to Chapter 10 and discuss the IGP routing protocols introduced in this chapter.

Summary

This chapter covered the IP routing process in detail. It’s extremely important that you really understand the basics we covered in this chapter because everything that’s done on a router typically will have some type of IP routing configured and running. You learned in this chapter how IP routing uses frames to transport packets between routers and to the destination host. Understanding the process of how packets and frames traverse a network is critical to your fundamental understanding of IP routing. After I covered the basics of IP routing, I went through some examples to test your understanding and to emphasize the importance of the IP routing fundamentals that you need.
I finished the chapter with an introduction to static and dynamic routing, and explained IGP and EGP as well as the difference between distance vector and link state routing protocols. In the next chapter, we’ll continue with dynamic routing by discussing the various dynamic routing protocols.

Exam Essentials

Understand the basic IP routing process. You need to remember that the frame changes at each hop but that the packet is never changed or manipulated in any way until it reaches the destination device.

Understand that MAC addresses are always local. A MAC (hardware) address will only be used on a local LAN. It will never pass a router’s interface.

Understand that a frame carries a packet to only two places. A frame uses MAC (hardware) addresses to send a packet on a LAN. The frame will take the packet to either a host on the LAN or a router’s interface if the packet is destined for a remote network.

Remember the difference between static and dynamic routing. Static routing is where you, as the administrator, by hand, add every route into every routing table on every router on the network. This is as much work as it sounds like, which is why we use dynamic routing protocols that do the work for us. Of course, we’ll discuss dynamic routing protocols more in the next chapter, but the main job of a routing protocol is to update routing tables.

Written Lab

You can find the answers in Appendix A. Write the answers to the following questions:

1. True/False: RIPv2 is a hybrid routing protocol.
2. True/False: RIPv1 is a link state routing protocol.
3. True/False: EIGRP is a nonproprietary routing protocol.
4. An __________ is a collection of networks or subnets that are in the same administrative domain.
5. You need a routing protocol that can be run in a very large network with routers from multiple vendors. What routing protocol would be your best choice?
6. Which type of routing are you performing if you have to go to each router and type in each network and the path that IP will use to send packets?
7. You are trying to reach a server on another subnet. What will be the destination hardware address of a frame sent from your host?
8. You are trying to reach a server on another subnet. What will be the destination IP address of a packet sent from your host?
9. A server has received a frame from your remote host. What will be the source hardware address of the frame?
10. A server has received a packet from your remote host. What will be the destination IP address of the packet?

Review Questions

You can find the answers to the review questions in Appendix B.

1. Which is not a routing protocol?
A. RIP
B. RIPv2
C. RIPv3
D. EIGRP

2. Which of these best describes dynamic routing?
A. All network addresses must be hand-typed into the routing table.
B. Only a portion of the network address must be hand-typed into the routing table.
C. Routing tables are updated automatically when changes occur in the network.
D. A and B.

3. Which is true regarding dynamic routing?
A. Static routes are best in large networks and thus better to use than dynamic routing protocols.
B. Static routes are automatically added to the routing table but dynamic routes must be added by hand.
C. You must use a DNS and WINS server when configuring dynamic routing.
D. Dynamic routes are automatically added to the routing table.

4. Which of the following is true for MAC addresses?
A. MAC addresses are never local on the LAN and always pass through a router.
B. MAC addresses are always local on the LAN and never go through or past a router.
C. MAC addresses will always be the IP address of Fa0/0 interface.
D. None of the above.

5. What is it called when protocols update their forwarding tables after changes have occurred?
A. Name resolution
B. Routing
C. Convergence
D. ARP resolution

6. What command would be used to view the ARP cache on your host?
A. C:\>show ip route
B. C:\>show ip arp
C. C:\>show protocols
D. C:\>arp -a

7. What happens when a router receives a packet for a network that isn’t listed in the routing table?
A. It forwards the packet to the next available router.
B. It holds the packet until the address is updated in the routing table.
C. The router will use RIP to inform the host that it can’t send the packet.
D. None of the above.

8. Which of the following is not a distance vector protocol?
A. RIPv1
B. RIPv2
C. OSPF
D. IGRP

9. Which two of the following are link state protocols?
A. RIPv1
B. RIPv2
C. OSPF
D. IS-IS
E. IGRP

10. Which of the following is a hybrid routing protocol?
A. RIPv2
B. EIGRP
C. IS-IS
D. IGRP

11. What does the acronym IGRP stand for?
A. Interior Gateway Routing Protocol
B. Inside Gateway Redundancy Protocol
C. Interior Group Reliability Protocol
D. Interior Gateway Redundancy Protocol

12. What EGP protocol is used on the Internet?
A. GGP
B. EGP
C. BGP
D. IGP

13. What are the two categories of IGP protocols?
A. Link state
B. Static
C. Distance vector
D. EGP

14. What two pieces of information does a router require to make a routing decision? (Choose two.)
A. Destination network (address)
B. Destination MAC address
C. Application layer protocol
D. Neighbor router

15. Where does a frame have to carry a packet if it is destined for a remote network?
A. Default gateway
B. Neighbor host
C. Switch
D. Hub

16. Where along the IP routing process does a packet get changed?
A. Router
B. Host A
C. Destination device
D. Host B

17. When all routers in a network agree about the path from one point to another, the network is said to be what?
A. Dynamic
B. Static
C. Secure
D. Converged

18. What type of request must a client send if it does not know the destination MAC address?
A. ARP broadcast
B. Multicast
C. ICMP redirect
D. Reverse ARP

19. You need to perform maintenance on a router in your corporate office. It is important that the network does not go down. What can you do to accomplish your goal?
A. Configure BGP on the router.
B. Implement NAT on the router.
C. Configure on the router a static route that temporarily reroutes traffic through another office.
D. Implement convergence on the router.

20. When are you most likely to see a Request Timed Out message?
A. When an unknown error has occurred
B. When you have used the arp -a command incorrectly
C. When a known error has occurred
D. When you are using a hybrid routing protocol

Chapter 10
Routing Protocols

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.9 Explain the basics of routing concepts and protocols
■ Loopback interface
■ Routing loops
■ Routing tables
■ Static vs dynamic routes
■ Default route
■ Distance vector routing protocols
  ■ RIPv2
■ Hybrid routing protocols
  ■ BGP
■ Link state routing protocols
  ■ OSPF
  ■ IS-IS
■ Interior vs exterior gateway routing protocols
■ Autonomous system numbers
■ Route redistribution
■ High availability
  ■ VRRP
  ■ Virtual IP
  ■ HSRP
■ Route aggregation
■ Routing metrics
  ■ Hop counts
  ■ MTU, bandwidth
  ■ Costs
  ■ Latency
  ■ Administrative distance
  ■ SPB

Routing protocols are critical to a network’s design. This chapter focuses on dynamic routing protocols. Dynamic routing protocols run only on routers that use them in order to discover networks and update their routing tables.
Using dynamic routing is easier on you, the system administrator, than using the labor-intensive, manually achieved, static routing method, but it’ll cost you in terms of router CPU processes and bandwidth on the network links. The source of the increased bandwidth usage and CPU cycles is the operation of the dynamic routing protocol itself. A router running a dynamic routing protocol shares routing information with its neighboring routers, and it requires additional CPU cycles and additional bandwidth to accomplish that.

In this chapter, I’ll give you all the basic information you need to know about routing protocols so you can choose the correct one for each network you work on or design.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Routing Protocol Basics

Because getting a solid visual can really help people learn, I’ll get you started by combining the last few figures used in Chapter 9, “Introduction to IP Routing.” This way, you can get the big picture and really understand how routing works. Figure 10.1 shows the complete routing tree that I broke up piece by piece at the end of Chapter 9.

As I touched on in Chapter 9, two types of routing protocols are used in internetworks: interior gateway protocols (IGPs) and exterior gateway protocols (EGPs). IGPs are used to exchange routing information with routers in the same autonomous system (AS). An AS is a collection of networks under a common administrative domain, which simply means that all routers sharing the same routing table information are in the same AS. EGPs are used to communicate between multiple ASs. A nice example of an EGP would be Border Gateway Protocol (BGP).

There are a few key points about routing protocols that I think it would be a good idea to talk over before getting deeper into the specifics of each one. First on the list is something known as an administrative distance.
FIGURE 10.1 Routing flow tree
[Figure: Routing splits into Static Routing and Dynamic Routing. Dynamic Routing splits into IGP and EGP (protocols: BGP). IGP splits into Distance Vector (protocols: RIPv1 & 2, IGRP), Link State (protocols: OSPF, IS-IS), and Hybrid (protocols: EIGRP/BGP).]

Administrative Distances

The administrative distance (AD) is used to rate the trustworthiness of routing information received on one router from its neighboring router. An AD is an integer from 0 to 255, where 0 equals the most trusted route and 255 the least. A value of 255 essentially means, “No traffic is allowed to be passed via this route.”

If a router receives two updates listing the same remote network, the first thing the router checks is the AD. If one of the advertised routes has a lower AD than the other, the route with the lower AD is the one that will get placed in the routing table.

If both advertised routes to the same network have the same AD, then routing protocol metrics like hop count or the amount of bandwidth on the lines will be used to find the best path to the remote network. And as it was with the AD, the advertised route with the lowest metric will be placed in the routing table. But if both advertised routes have the same AD as well as the same metrics, then the routing protocol will load-balance to the remote network. To perform load balancing, a router will send packets down each link to test for the best one.

Why Not Just Turn On All Routing Protocols?

Many customers have hired me because all their employees were complaining about the slow, intermittent network that had a lot of latency. Many times, I have found that the administrators did not truly understand routing protocols and just enabled them all on every router. This may sound laughable, but it is true.
When an administrator tried to disable a routing protocol, such as the Routing Information Protocol (RIP), they would receive a call that part of the network was not working. First, understand that because of default ADs, although every routing protocol was enabled, only the Enhanced Interior Gateway Routing Protocol (EIGRP) would show up in most of the routing tables. This meant that Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and RIP would be running in the background but just using up bandwidth and CPU processes, slowing the routers almost to a crawl.

Disabling all the routing protocols except EIGRP (this would only work on an all-Cisco router network) improved the network at least 30 percent. In addition, finding the routers that were configured only for RIP and enabling EIGRP solved the calls from users complaining that the network was down when RIP was disabled on the network. Last, I replaced the core routers with better routers with more memory, enabling faster, more efficient routing and raising the network response time to a total of 50 percent.

Table 10.1 shows the default ADs that a router uses to decide which route to take to a remote network.

TABLE 10.1 Default administrative distances

Route source          Default AD
Connected interface   0
Static route          1
External BGP          20
Internal EIGRP        90
IGRP                  100
OSPF                  110
IS-IS                 115
RIP                   120
External EIGRP        170
Internal BGP          200
Unknown               255 (this route will never be used)

Understand that if a network is directly connected, the router will always use the interface connected to that network. Also good to know is that if you configure a static route, the router will believe that route to be the preferred one over any other routes it learns about dynamically. You can change the ADs of static routes, but by default, they have an AD of 1.
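The selection order just described (lowest AD first, then lowest metric, then load balancing across equal routes, with 255 never installed), as an added Python example that is not from the book. The AD values are those of Table 10.1; the candidate routes and next-hop addresses are constructed, and the raised-AD static route at the end (a "floating" static that only wins once the EIGRP route is gone) is an assumption that goes one step beyond the text.

```python
"""Route selection by administrative distance, then metric, then load balancing.

Added example, not code from the book: a small model of how a router picks
between several advertisements for the same prefix.
"""
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from Table 10.1 (lower = more trusted).
DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "ebgp": 20,
    "eigrp": 90,
    "igrp": 100,
    "ospf": 110,
    "isis": 115,
    "rip": 120,
    "eigrp-external": 170,
    "ibgp": 200,
    "unknown": 255,
}


@dataclass(frozen=True)
class Candidate:
    """One advertisement for a prefix as seen by the local router."""
    prefix: str              # e.g. "172.16.30.0/24"
    source: str              # route source, a key of DEFAULT_AD
    metric: int              # protocol metric (hop count for RIP, and so on)
    next_hop: str            # neighbour the advertisement came from
    ad: Optional[int] = None  # explicit AD override (e.g. a floating static)

    def effective_ad(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def select_routes(candidates):
    """Return {prefix: [installed routes]} following the text's order:

    1. lowest administrative distance wins;
    2. among equal ADs, the lowest metric wins;
    3. equal AD and equal metric: all such routes are installed (load balancing).
    An AD of 255 means the route is never installed.
    """
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append(c)

    table = {}
    for prefix, routes in by_prefix.items():
        usable = [r for r in routes if r.effective_ad() < 255]
        if not usable:
            continue
        best_ad = min(r.effective_ad() for r in usable)
        same_ad = [r for r in usable if r.effective_ad() == best_ad]
        # Metrics are only comparable between routes from the same source/AD.
        best_metric = min(r.metric for r in same_ad)
        winners = [r for r in same_ad if r.metric == best_metric]
        table[prefix] = sorted(winners, key=lambda r: r.next_hop)
    return table


# Constructed sample: one network learned three ways, one RIP ECMP case,
# one unusable route, and a floating static (AD raised above EIGRP's 90).
SAMPLE = [
    Candidate("172.16.30.0/24", "static", metric=0, next_hop="10.1.1.2"),
    Candidate("172.16.30.0/24", "rip", metric=3, next_hop="10.1.1.3"),
    Candidate("172.16.30.0/24", "eigrp", metric=2816, next_hop="10.1.1.4"),
    Candidate("172.16.50.0/24", "rip", metric=2, next_hop="10.1.1.3"),
    Candidate("172.16.50.0/24", "rip", metric=2, next_hop="10.1.1.5"),
    Candidate("172.16.50.0/24", "rip", metric=4, next_hop="10.1.1.6"),
    Candidate("10.99.0.0/16", "unknown", metric=1, next_hop="10.1.1.9"),
    Candidate("172.16.40.0/24", "static", metric=0, next_hop="10.1.1.2", ad=95),
    Candidate("172.16.40.0/24", "eigrp", metric=3072, next_hop="10.1.1.4"),
]

if __name__ == "__main__":
    for prefix, routes in select_routes(SAMPLE).items():
        print(prefix, [(r.source, r.next_hop) for r in routes])
```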
That’s only one place above zero, so you can see why a static route’s default AD will always be considered the best by the router. This means that if you have a static route, a RIP-advertised route, and an EIGRP-advertised route listing the same network, then by default, the router will always use the static route unless you change the AD of the static route.

Classes of Routing Protocols

The three classes of routing protocols introduced in Chapter 9, and shown in Figure 10.1, are as follows:

Distance Vector The distance vector protocols find the best path to a remote network by judging—you guessed it—distance. Each time a packet goes through a router, it equals something we call a hop, and the route with the fewest hops to the destination network will be chosen as the best path to it. The vector indicates the direction to the remote network. RIP, RIPv2, and Interior Gateway Routing Protocol (IGRP) are distance vector routing protocols. These protocols send the entire routing table to all directly connected neighbors.

Link State Using link state protocols, also called shortest path first protocols, the routers each create three separate tables. One of these tables keeps track of directly attached neighbors, one determines the topology of the entire internetwork, and one is used as the actual routing table. Link state routers know more about the internetwork than any distance vector routing protocol. OSPF and IS-IS are IP routing protocols that are completely link state. Link state protocols send updates containing the state of their own links to all other routers on the network.

Hybrid A hybrid protocol uses aspects of both distance vector and link state, and formerly, EIGRP was the only one you needed to understand to meet the Network+ objectives. But now, BGP is also listed as a hybrid routing protocol because of its capability to work as an EGP and be used in supersized internetworks internally.
When deployed in this way, it’s called internal BGP, or iBGP, but understand that it’s still most commonly utilized as an EGP.

I also want you to understand that there’s no one set way of configuring routing protocols for use in every situation because this really needs to be done on a case-by-case basis. Even though all of this might seem a little intimidating, if you understand how each of the different routing protocols works, I promise you’ll be capable of making good, solid decisions that will truly meet the individual needs of any business!

Distance Vector Routing Protocols

Okay, the distance vector routing algorithm passes its complete routing table contents to neighboring routers, which then combine the received routing table entries with their own routing tables to complete and update their individual routing tables. This is called routing by rumor because a router receiving an update from a neighbor router believes the information about remote networks without verifying for itself if the news is actually correct.

It’s possible to have a network that has multiple links to the same remote network, and if that’s the case, the AD of each received update is checked first. As I said, if the AD is the same, the protocol will then have to use other metrics to determine the best path to use to get to that remote network. Distance vector uses only hop count to determine the best path to a network. If a router finds more than one link with the same hop count to the same remote network, it will automatically perform what’s known as round-robin load balancing.

It’s important to understand what a distance vector routing protocol does when it starts up. In Figure 10.2, the four routers start off with only their directly connected networks in their routing table. After a distance vector routing protocol is started on each router, the routing tables are then updated with all route information gathered from neighbor routers.
FIGURE 10.2 The internetwork with distance vector routing
[Figure: four routers in a row. 2621A (F0/0) and 2501A (E0) share 172.16.10.0; 2501A (S0) and 2501B (S0) share 172.16.20.0; 2501B has LAN 172.16.30.0 on E0; 2501B (S1) and 2501C (S0) share 172.16.40.0; 2501C has LAN 172.16.50.0 on E0. Starting routing tables (network, exit interface, hop count):]
2621A: 172.16.10.0 F0/0 0
2501A: 172.16.10.0 E0 0; 172.16.20.0 S0 0
2501B: 172.16.20.0 S0 0; 172.16.30.0 E0 0; 172.16.40.0 S1 0
2501C: 172.16.40.0 S0 0; 172.16.50.0 E0 0

As you can see in Figure 10.2, each router only has the directly connected networks in its routing table. Also notice that their hop count is zero in every case. Each router sends its complete routing table, which includes the network number, exit interface, and hop count to the network, out to each active interface.

Now, in Figure 10.3, the routing tables are complete because they include information about all the networks in the internetwork. They are considered converged. The hop count for every directly connected network remains zero, but notice that the hop count is incremented by one each time the path completely passes through a router. So, for router 2621A, the path to the 172.16.10.0 network still has a hop count of zero, but the hop count for the path to network 172.16.20.0 is one. The hop count to networks 172.16.30.0 and 172.16.40.0 increases to two, and so on. Usually, data transmission will cease while routers are converging—a good reason in favor of fast convergence time! In fact, one of the main problems with RIP is its slow convergence time.

FIGURE 10.3 Converged routing tables
[Figure: the same internetwork; converged routing tables (network, exit interface, hop count):]
2621A: 172.16.10.0 F0/0 0; 172.16.20.0 F0/0 1; 172.16.30.0 F0/0 2; 172.16.40.0 F0/0 2; 172.16.50.0 F0/0 3
2501A: 172.16.10.0 E0 0; 172.16.20.0 S0 0; 172.16.30.0 S0 1; 172.16.40.0 S0 1; 172.16.50.0 S0 2
2501B: 172.16.20.0 S0 0; 172.16.30.0 E0 0; 172.16.40.0 S1 0; 172.16.10.0 S0 1; 172.16.50.0 S1 1
2501C: 172.16.40.0 S0 0; 172.16.50.0 E0 0; 172.16.10.0 S0 2; 172.16.20.0 S0 1; 172.16.30.0 S0 1

As you can see in Figure 10.3, once all the routers have converged, the routing table in each router keeps information about three important things:
■ The remote network number
■ The interface that the router will use to send packets to reach that particular network
■ The hop count, or metric, to the network

Remember! Routing convergence time is the time required by protocols to update their forwarding tables after changes have occurred.

Let’s start discussing dynamic routing protocols with one of the oldest routing protocols that is still in existence today.

Routing Information Protocol (RIP)

RIP is a true distance vector routing protocol. It sends the complete routing table out to all active interfaces every 30 seconds. RIP uses only one thing to determine the best way to a remote network—the hop count. And because it has a maximum allowable hop count of 15 by default, a hop count of 16 would be deemed unreachable. This means that although RIP works fairly well in small networks, it’s pretty inefficient on large networks with slow WAN links or on networks populated with a large number of routers.

Worse, this dinosaur of a protocol has a bad history of creating routing loops, which were somewhat kept in check by using things like maximum hop count. This is the reason why RIP only permits going through 15 routers before it will judge that route to be invalid.
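The convergence of Figures 10.2 and 10.3 and the 16-hop cutoff, as an added Python simulation that is not part of the book: each router starts with only its directly connected networks and repeatedly receives its neighbours' whole tables, adding one hop per router crossed. The topology and interface names are taken from the figures; the 17-router chain used to show the hop limit is constructed.

```python
"""Distance vector convergence for the internetwork of Figures 10.2 and 10.3.

Added example, not the book's code.  Periodic full-table updates are
simulated round by round until no table changes; a learned route whose
hop count would reach 16 is treated as unreachable, as RIP does.
"""
INFINITY = 16  # RIP: a hop count of 16 means unreachable

# Figure 10.2 topology: router -> {interface: directly connected network}.
ROUTERS = {
    "2621A": {"F0/0": "172.16.10.0"},
    "2501A": {"E0": "172.16.10.0", "S0": "172.16.20.0"},
    "2501B": {"S0": "172.16.20.0", "E0": "172.16.30.0", "S1": "172.16.40.0"},
    "2501C": {"S0": "172.16.40.0", "E0": "172.16.50.0"},
}


def initial_tables(routers):
    """Figure 10.2: only directly connected networks, all with hop count 0."""
    return {name: {net: (iface, 0) for iface, net in ifaces.items()}
            for name, ifaces in routers.items()}


def neighbours(routers):
    """(receiver, receiving interface, sender) for every shared network."""
    links = []
    for a, a_ifaces in routers.items():
        for iface, net in a_ifaces.items():
            for b, b_ifaces in routers.items():
                if b != a and net in b_ifaces.values():
                    links.append((a, iface, b))
    return links


def converge(routers, max_rounds=20):
    """Exchange complete tables until nothing changes.

    Returns (tables, rounds_with_changes) where
    tables[router][network] == (exit interface, hop count).
    """
    tables = initial_tables(routers)
    links = neighbours(routers)
    for rnd in range(1, max_rounds + 1):
        changed = False
        # Every router advertises the table it held at the start of the round.
        snapshot = {r: dict(t) for r, t in tables.items()}
        for receiver, iface, sender in links:
            for net, (_, hops) in snapshot[sender].items():
                new_hops = hops + 1          # one more router to cross
                if new_hops >= INFINITY:
                    continue                 # unreachable: never installed
                current = tables[receiver].get(net)
                if current is None or new_hops < current[1]:
                    tables[receiver][net] = (iface, new_hops)
                    changed = True
        if not changed:
            return tables, rnd - 1
    raise RuntimeError("tables did not converge within max_rounds")


def hop_limit_demo():
    """A constructed chain of 17 routers: R0 is 16 routers from net17.

    Returns (net17 missing from R0's table, R0's hop count to net16).
    """
    chain = {f"R{i}": {"a": f"net{i}", "b": f"net{i + 1}"} for i in range(17)}
    tables, _ = converge(chain, max_rounds=40)
    return "net17" not in tables["R0"], tables["R0"]["net16"][1]


if __name__ == "__main__":
    tables, rounds = converge(ROUTERS)
    for router in ROUTERS:
        print(router, sorted(tables[router].items()))
    print("update rounds needed:", rounds)
    print("16 hops unreachable / 15 hops reachable:", hop_limit_demo())
```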
If all that isn’t nasty enough for you, RIP also happens to be glacially slow at converging, which can easily cause latency in your network!

RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask for each specific address class. This is because RIP version 1 doesn’t send updates with subnet mask information in tow. RIP version 2 provides something called prefix routing and does send subnet mask information with the route updates. Doing this is called classless routing.

RIP Version 2 (RIPv2)

Let’s spend a couple of minutes discussing RIPv2 before we move into the advanced distance vector (also referred to as hybrid), Cisco-proprietary routing protocol EIGRP. RIP version 2 is mostly the same as RIP version 1. Both RIPv1 and RIPv2 are distance vector protocols, which means that each router running RIP sends its complete routing tables out to all active interfaces at periodic time intervals. Also, the timers and loop-avoidance schemes are the same in both RIP versions. Both RIPv1 and RIPv2 are configured with classful addressing (but RIPv2 is considered classless because subnet information is sent with each route update), and both have the same AD (120). But there are some important differences that make RIPv2 more scalable than RIPv1.

And I’ve got to add a word of advice here before we move on: I’m definitely not advocating using RIP of either version in your network. But because RIP is an open standard, you can use RIP with any brand of router. You can also use OSPF because OSPF is an open standard as well.

Table 10.2 discusses the differences between RIPv1 and RIPv2.

TABLE 10.2 RIPv1 vs RIPv2

RIPv1                                   RIPv2
Distance vector                         Distance vector
Maximum hop count of 15                 Maximum hop count of 15
Classful                                Classless
Broadcast based                         Uses multicast 224.0.0.9
No support for VLSM                     Supports VLSM networks
No authentication                       Allows for MD5 authentication
No support for discontiguous networks   Supports discontiguous networks (covered in the next section)

RIPv2, unlike RIPv1, is a classless routing protocol (even though it is configured as classful, like RIPv1), which means that it sends subnet mask information along with the route updates. By sending the subnet mask information with the updates, RIPv2 can support Variable Length Subnet Masks (VLSMs), which are described in the next section; in addition, network boundaries are summarized.

VLSM and Discontiguous Networks

VLSMs allow classless routing, meaning that the routing protocol sends subnet-mask information with the route updates. The reason it’s good to do this is to save address space. If we didn’t use a routing protocol that supports VLSMs, then every router interface, every node (PC, printer, server, and so on), would have to use the same subnet mask.

As the name suggests, with VLSMs we can have different subnet masks for different router interfaces. Check out Figure 10.4 to see an example of why classful network designs are inefficient.

FIGURE 10.4 Typical classful network
[Figure: two routers joined by a WAN serial link on 192.168.10.48/28 (.49 and .50; only 2 hosts needed). LANs, all with a /28 mask: 192.168.10.0/28 (router .1, 25 hosts), 192.168.10.16/28 (router .17, 12 hosts), 192.168.10.32/28 (router .33, 6 hosts), and 192.168.10.64/28 (router .65, 10 hosts).]

Looking at this figure, you’ll notice that we have two routers, each with two LANs and connected together with a WAN serial link. In a typical classful network design example (RIP or RIPv2 routing protocol), you could subnet a network like this:

192.168.10.0 = Network
255.255.255.240 (/28) = Mask

Our subnets would be (you know this part, right?) 0, 16, 32, 48, 64, 80, and so on. This allows us to assign 16 subnets to our internetwork. But how many hosts would be available on each network? Well, as you probably know by now, each subnet provides only 14 hosts. This means that with a /28 mask, each LAN can support 14 valid hosts—one LAN requires 25 addresses, so a /28 mask doesn’t provide enough addresses for the hosts in that LAN! Moreover, the point-to-point WAN link also would consume 14 addresses when only 2 are required. It’s too bad we can’t just nick some valid hosts from that WAN link and give them to our LANs. All hosts and router interfaces have the same subnet mask—again, this is called classful routing. And if we want this network to be more efficient, we definitely need to add different masks to each router interface.

But there’s still another problem—the link between the two routers will never use more than two valid hosts! This wastes valuable IP address space, and it’s the big reason I’m talking to you about VLSM networking.

Now let’s take Figure 10.4 and use a classless design, which will become the new network shown in Figure 10.5. In the previous example, we wasted address space—one LAN didn’t have enough addresses because every router interface and host used the same subnet mask. Not so good.

FIGURE 10.5 Classless network design
[Figure: the same two routers. WAN link 192.168.10.72/30 (.73 and .74). LANs: 192.168.10.0/27 (router .1, 25 hosts), 192.168.10.32/28 (router .33, 12 hosts), 192.168.10.48/28 (router .49, 10 hosts), and 192.168.10.64/29 (router .65, 6 hosts).]

What would be good is to provide only the needed number of hosts on each router interface, meaning VLSMs. Remember that if a “classful routed network” requires that all subnet masks be the same length, then it follows that a “classless routed network” would allow us to use Variable Length Subnet Masks (VLSMs).
So, if we use a /30 on our WAN links and a /27, /28, and /29 on our LANs, we’ll get 2 hosts per WAN interface and 30, 14, and 6 hosts per LAN interface—nice! This makes a huge difference—not only can we get just the right number of hosts on each LAN, we still have room to add more WANs and LANs using this same network.

Remember, in order to implement a VLSM design on your network, you need to have a routing protocol that sends subnet-mask information with the route updates. This would be RIPv2, EIGRP, or OSPF. RIPv1 and IGRP will not work in classless networks and are considered classful routing protocols.

By using a VLSM design, you do not necessarily make your network run better, but you can save a lot of IP addresses.

Now, what’s a discontiguous network? It’s one that has two or more subnetworks of a classful network connected together by different classful networks. Figure 10.6 displays a typical discontiguous network.

FIGURE 10.6 A discontiguous network
[Figure: Host_A (172.16.10.2/24) sits on 172.16.10.0/24 behind Lab_A (E0 172.16.10.1/24, S0/0 10.3.1.1/24); the 10.3.1.0/24 link joins Lab_A to Lab_B (S0/0 10.3.1.2/24, E0 172.16.20.1/24); Host_B (172.16.20.2/24) sits on 172.16.20.0/24.]

The subnets 172.16.10.0 and 172.16.20.0 are connected together with a 10.3.1.0 network. By default, each router thinks it has the only 172.16.0.0 classful network. It’s important to understand that discontiguous networks just won’t work with RIPv1 at all. They don’t work by default on RIPv2 or EIGRP either, but discontiguous networks do work on OSPF networks by default because OSPF does not auto-summarize like RIPv2 and EIGRP.

Route aggregation is essentially combining multiple subnets into one larger subnet, and it’s also known as supernetting. You would implement this type of route summarization if you required more efficient routing tables in large networks.
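The VLSM plan of Figure 10.5, produced by an added Python allocator that is not the book's code. It gives each segment the smallest subnet that holds its hosts, serving the largest requirement first and choosing best-fit among the free blocks (a policy chosen here; the host counts come from Figure 10.4), and a second function reports which segments a single fixed /28 cannot serve.

```python
"""VLSM allocation for the network of Figures 10.4 and 10.5.

Added example, not from the book.  Uses only the standard library.
"""
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^n - 2) covers `hosts`."""
    for host_bits in range(1, 31):
        if (1 << host_bits) - 2 >= hosts:
            return 32 - host_bits
    raise ValueError("too many hosts for one IPv4 subnet")


def allocate_vlsm(block, requirements):
    """Assign subnets of `block` to named segments; returns {name: IPv4Network}.

    requirements: {name: hosts needed}.  Largest requirement first; for each
    one, the smallest free block that fits is split down to the needed size
    (best fit), which keeps every subnet aligned on its own boundary.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        free.sort(key=lambda n: (-n.prefixlen, n.network_address))
        for cand in list(free):
            if cand.prefixlen > plen:
                continue                      # block too small for this segment
            free.remove(cand)
            while cand.prefixlen < plen:      # halve until it is exactly /plen
                first, second = cand.subnets()
                free.append(second)           # upper half stays available
                cand = first
            plan[name] = cand
            break
        else:
            raise ValueError(f"no room left for {name} ({hosts} hosts)")
    return plan


def fixed_mask_shortfalls(requirements, prefixlen):
    """Figure 10.4 check: segments a single fixed mask cannot accommodate."""
    per_subnet = (1 << (32 - prefixlen)) - 2
    return {name: hosts for name, hosts in requirements.items() if hosts > per_subnet}


# Constructed from Figure 10.4: hosts needed per segment of 192.168.10.0/24.
REQUIREMENTS = {"lan_25": 25, "lan_12": 12, "lan_10": 10, "lan_6": 6, "wan": 2}

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.10.0/24", REQUIREMENTS)
    for name, net in plan.items():
        print(f"{name:7} {net:20} {net.num_addresses - 2:3} usable hosts")
    print("a fixed /28 cannot serve:", fixed_mask_shortfalls(REQUIREMENTS, 28))
```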
EIGRP

EIGRP is a classless, enhanced distance vector protocol that possesses a real edge over another older Cisco proprietary protocol, IGRP. That’s basically why it’s called Enhanced IGRP. EIGRP uses the concept of an autonomous system to describe the set of contiguous routers that run the same routing protocol and share routing information. But unlike IGRP, EIGRP includes the subnet mask in its route updates. And as you now know, the advertisement of subnet information allows us to use VLSMs when designing our networks.

EIGRP is referred to as a hybrid routing protocol because it has characteristics of both distance vector and link state protocols. For example, EIGRP doesn’t send link state packets as OSPF does; instead, it sends traditional distance vector updates containing information about networks, plus the cost of reaching them from the perspective of the advertising router. But EIGRP has link state characteristics as well—it synchronizes routing tables between neighbors at startup and then sends specific updates only when topology changes occur. This makes EIGRP suitable for very large networks.

There are a number of powerful features that make EIGRP a real standout from RIP, RIPv2, and other protocols. The main ones are listed here:
■ Support for IP and IPv6 (and some other useless routed protocols) via protocol-dependent modules
■ Considered classless (same as RIPv2 and OSPF)
■ Support for VLSM/Classless Inter-Domain Routing (CIDR)
■ Support for summaries and discontiguous networks
■ Efficient neighbor discovery
■ Communication via Reliable Transport Protocol (RTP)
■ Best path selection via Diffusing Update Algorithm (DUAL)

Another great feature of EIGRP is that it’s simple to configure and turn on like a distance vector protocol, but it keeps track of more information than a distance vector does.
It creates and maintains additional tables instead of just one table as distance vector routing protocols do. These tables are called the neighbor table, topology table, and routing table, as shown in Figure 10.7. To determine the best path to each network, EIGRP can use the bandwidth and delay of the line as well as the reliability, load, and MTU information between routers, but it uses only bandwidth and delay by default.

FIGURE 10.7 EIGRP tables
[Figure: Neighbor Table (IP next-hop router, interface); Topology Table (per destination: successor and feasible successor); Routing Table (per destination: successor).]

Neighbor Table Each router keeps state information about adjacent neighbors. When a newly discovered neighbor is learned on a router interface, the address and interface of that neighbor are recorded, and the information is held in the neighbor table and stored in RAM. Sequence numbers are used to match acknowledgments with update packets. The last sequence number received from the neighbor is recorded so that out-of-order packets can be detected.

Topology Table The topology table is populated by the neighbor table, and the best path to each remote network is found by running Diffusing Update Algorithm (DUAL). The topology table contains all destinations advertised by neighboring routers, holding each destination address and a list of neighbors that have advertised the destination. For each neighbor, the advertised metric, which comes only from the neighbor’s routing table, is recorded. If the neighbor is advertising this destination, it must be using the route to forward packets.

Feasible Successor (Backup Routes) A feasible successor is a path whose reported distance is less than the feasible (best) distance, and it is considered a backup route. EIGRP will keep up to six feasible successors in the topology table.
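The successor and feasible successor selection just described, as an added Python example that is not from the book: for one destination it ranks the neighbours' advertisements, picks the successor, keeps the backups that satisfy the feasibility condition (reported distance below the feasible distance), and shows what happens when the successor's neighbour is lost. Metrics are plain integers rather than EIGRP's composite metric, and the neighbour names, reported distances and per-link costs are constructed assumptions.

```python
"""EIGRP topology table: successor, feasible successors, and failover.

Added example, not the book's code.  For each destination the topology
table holds every neighbour's reported distance (the metric the neighbour
itself uses) plus our cost to reach that neighbour.
"""
from dataclasses import dataclass

MAX_FEASIBLE_SUCCESSORS = 6  # the text: EIGRP keeps up to six backup routes


@dataclass(frozen=True)
class Advertisement:
    neighbor: str    # neighbour router that advertised the destination
    reported: int    # reported distance: the neighbour's own metric to it
    link_cost: int   # our cost to reach that neighbour (assumed integer)


def total(adv):
    """Our metric through this neighbour."""
    return adv.reported + adv.link_cost


def evaluate(adverts):
    """Return (successor, feasible_successors, feasible_distance).

    Successor: lowest total metric.  Feasible successor: any other neighbour
    whose reported distance is strictly below the feasible distance, which
    guarantees its path does not loop back through this router.
    """
    if not adverts:
        return None, [], None
    ranked = sorted(adverts, key=lambda a: (total(a), a.neighbor))
    successor = ranked[0]
    fd = total(successor)
    backups = [a for a in ranked[1:] if a.reported < fd][:MAX_FEASIBLE_SUCCESSORS]
    return successor, backups, fd


def failover(adverts, failed_neighbor):
    """What the routing table does when `failed_neighbor` goes away.

    Returns (new successor's neighbour or None, explanation).
    """
    successor, backups, _ = evaluate(adverts)
    if successor is None or successor.neighbor != failed_neighbor:
        return (successor.neighbor if successor else None), "successor unaffected"
    if backups:
        # Promotion straight from the topology table: no query, instant convergence.
        return backups[0].neighbor, "feasible successor promoted"
    remaining = [a for a in adverts if a.neighbor != failed_neighbor]
    new_succ, _, _ = evaluate(remaining)
    return (new_succ.neighbor if new_succ else None), "no feasible successor: DUAL recomputes"


# Constructed topology-table entries for one destination.
TOPOLOGY = {
    "172.16.50.0/24": [
        Advertisement("R2", reported=20, link_cost=10),  # total 30 -> successor
        Advertisement("R3", reported=25, link_cost=15),  # total 40, 25 < 30 -> FS
        Advertisement("R4", reported=35, link_cost=5),   # total 40, 35 >= 30 -> not FS
    ]
}

if __name__ == "__main__":
    for dest, adverts in TOPOLOGY.items():
        s, fs, fd = evaluate(adverts)
        print(dest, "successor:", s.neighbor, "FD:", fd,
              "feasible successors:", [a.neighbor for a in fs])
        print("  if R2 fails:", failover(adverts, "R2"))
        print("  if R4 fails:", failover(adverts, "R4"))
```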
Only the one with the best metric (the successor) is copied and placed in the routing table.

Successor (Routes in a Routing Table) A successor route (think successful!) is the best route to a remote network. A successor route is used by EIGRP to forward traffic to a destination and is stored in the routing table. It is backed up by a feasible successor route that is stored in the topology table—if one is available.

By using the feasible distance and having feasible successors in the topology table as backup links, EIGRP allows the network to converge instantly and updates to any neighbor only consist of traffic sent from EIGRP. All of these things make for a very fast, scalable, fault-tolerant routing protocol.

Route redistribution is the term used for translating from one routing protocol into another. An example would be where you have an old router running RIP but you have an EIGRP network. You can run route redistribution on one router to translate the RIP routes into EIGRP.

Border Gateway Protocol (BGP)

In a way, you can think of Border Gateway Protocol (BGP) as the heavyweight of routing protocols. This is an external routing protocol (used between autonomous systems, unlike RIP or OSPF, which are internal routing protocols) that uses a sophisticated algorithm to determine the best route. In fact, it just happens to be the core routing protocol of the Internet. And it’s not exactly breaking news that the Internet has become a vital resource in so many organizations, is it? No—but this growing dependence has resulted in redundant connections to many different ISPs.

Even though BGP is an EGP by default, it can be used within an AS, which is one of the reasons the objectives are calling this a hybrid routing protocol. Another reason they call it a hybrid is because it’s often known as a path vector protocol instead of a distance vector like RIP.

This is where BGP comes in.
The sheer onslaught of multiple connections would totally overwhelm other routing protocols like OSPF, which I am going to talk about in the next section. BGP is essentially an alternative to using default routes for controlling path selections. Default routes are configured on routers to control packets that have a destination IP address that is not found in the routing table.

> Please see CCNA: Cisco Certified Network Associate Study Guide (Sybex, 2011) for more information on static and default routing.

Because the Internet’s growth rate shows no signs of slowing, ISPs use BGP for its ability to make classless routing and summarization possible. These capabilities help to keep routing tables smaller and more efficient at the ISP core. BGP is used to connect ASs that each run their own IGP in larger networks, if needed, as shown in Figure 10.8.

Figure 10.8: Border Gateway Protocol (BGP). (Autonomous System 1 and Autonomous System 2 each run an IGP such as RIP, IGRP, EIGRP, or OSPF internally; the EGP, BGP, connects the two.)

An autonomous system is a collection of networks under a common administrative domain. IGPs operate within an autonomous system, and EGPs connect different autonomous systems together. So yes, very large private IP networks can make use of BGP. Let’s say you wanted to join a number of large OSPF networks together. Because OSPF just couldn’t scale up enough to handle such a huge load, you would go with BGP instead to connect the ASs together. Another situation in which BGP would come in really handy would be if you wanted to multi-home a network for better redundancy, either to multiple access points of a single ISP or to multiple ISPs.

Internal routing protocols are employed to advertise all available networks, including the metric necessary to get to each of them.
BGP is a personal favorite of mine because its routers exchange path vectors that give you detailed information on the BGP AS numbers, hop by hop (called an AS path), required to reach a specific destination network. Also good to know is that BGP doesn’t broadcast its entire routing table like RIP does; it updates a lot more like OSPF, which is a huge advantage. Also, the routing table with BGP is called a Routing Information Base (RIB). And BGP also tells you about any/all networks reachable at the end of the path.

These factors are the biggest differences you need to remember about BGP. Unlike IGPs that simply tell you how to get to a specific network, BGP gives you the big picture on exactly what’s involved in getting to an AS, including the networks located in that AS itself. And there’s more to that “BGP big picture”—this protocol carries information like the network prefixes found in the AS and includes the IP address needed to get to the next AS (the next-hop attribute). It even gives you the history on how the networks at the end of the path were introduced into BGP in the first place, known as the origin code attribute. All of these traits are what makes BGP so useful for constructing a graph of loop-free autonomous systems, for identifying routing policies, and for enabling us to create and enforce restrictions on routing behavior based upon the AS path—sweet!

## Link State Routing Protocols

Link state protocols also fall into the classless category of routing protocols, and they work within packet-switched networks. OSPF and IS-IS are two examples of link state routing protocols. Remember, for a protocol to be a classless routing protocol, the subnet-mask information must be carried with the routing update.
This enables every router to identify the best route to each and every network, even those that don’t use class-defined default subnet masks (i.e., 8, 16, or 24 bits), such as VLSM networks. All neighbor routers know the cost of the network route that’s being advertised.

One of the biggest differences between link state and distance vector protocols is that link state protocols learn and maintain much more information about the internetwork than distance vector routing protocols do. Distance vector routing protocols only maintain routing tables with the destination routes and vector costs (like hop counts) in them. Link state routing protocols maintain two additional tables with more detailed information, with the first of these being the neighbor table.

The neighbor table is maintained through the use of hello packets that are exchanged by all routers to determine which other routers are available to exchange routing data with. All routers that can share routing data are stored in the neighbor table.

The second table maintained is the topology table, which is built and sustained through the use of link state advertisements or packets (LSAs or LSPs). In the topology table, you’ll find a listing for every destination network plus every neighbor (route) through which it can be reached. Essentially, it’s a map of the entire internetwork. Once all of that raw data is shared and each one of the routers has the data in its topology table, the routing protocol runs the Shortest Path First (SPF) algorithm to compare it all and determine the best paths to each of the destination networks.

### Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is an open-standard routing protocol that’s been implemented by a wide variety of network vendors, including Cisco. OSPF works by using the Dijkstra algorithm.
First, a shortest-path tree is constructed, and then the routing table is populated with the resulting best paths. OSPF converges quickly (although not as fast as EIGRP), and it supports multiple, equal-cost routes to the same destination. Like EIGRP, it supports both IP and IPv6 routed protocols, but OSPF must maintain a separate database and routing table for each, meaning you’re basically running two routing protocols if you are using IP and IPv6 with OSPF.

OSPF provides the following features:

- Consists of areas and autonomous systems
- Minimizes routing update traffic
- Allows scalability
- Supports VLSM/CIDR
- Has unlimited hop count
- Allows multivendor deployment (open standard)
- Uses a loopback (logical) interface to keep the network stable

OSPF is the first link state routing protocol that most people are introduced to, so it’s good to see how it compares to more traditional distance vector protocols like RIPv2 and RIPv1. Table 10.3 gives you a comparison of these three protocols.

Table 10.3: OSPF and RIP comparison

| Characteristic | OSPF | RIPv2 | RIPv1 |
|---|---|---|---|
| Type of protocol | Link state | Distance vector | Distance vector |
| Classless support | Yes | Yes | No |
| VLSM support | Yes | Yes | No |
| Auto-summarization | No | Yes | Yes |
| Manual summarization | Yes | No | No |
| Discontiguous support | Yes | Yes | No |
| Route propagation | Multicast on change | Periodic multicast | Periodic broadcast |
| Path metric | Bandwidth | Hops | Hops |
| Hop-count limit | None | 15 | 15 |
| Convergence | Fast | Slow | Slow |
| Peer authentication | Yes | Yes | No |
| Hierarchical network | Yes (using areas) | No (flat only) | No (flat only) |
| Updates | Event triggered | Route table updates at time intervals | Route table updates at time intervals |
| Route computation | Dijkstra | Bellman-Ford | Bellman-Ford |

OSPF has many features beyond the few I’ve listed in Table 10.3, and all of them contribute to a fast, scalable, and robust protocol that can be actively deployed in thousands of production networks.
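The shortest-path-tree step described above (Dijkstra over the topology table, then populating the routing table while keeping equal-cost routes), as an added Python example that is not part of the study guide. The link-state database, router names, integer costs, and networks are all constructed.

```python
"""Link-state SPF: build the shortest-path tree from a topology table and
populate a routing table, keeping equal-cost paths.

Added example, not from the study guide. The link-state database below is
constructed; the integer costs stand in for OSPF's bandwidth-derived interface
cost, and the computation is the Dijkstra algorithm the text describes.
"""
import heapq
from collections import defaultdict

# Constructed LSDB: for every router, the routers it is linked to and the cost
# of its own outgoing interface toward each of them.
LSDB = {
    "R1": {"R2": 10, "R3": 10},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 10, "R4": 10},
    "R4": {"R2": 10, "R3": 10, "R5": 1},
    "R5": {"R4": 1},
}
# Constructed stub networks each router advertises as directly attached.
STUB_NETWORKS = {"R2": ["198.51.100.0/24"], "R5": ["192.0.2.0/24"]}


def spf(lsdb, root):
    """Dijkstra from `root`. Returns (cost_to_router, predecessors).

    predecessors[x] is the set of every router one hop before x on *some*
    least-cost path, so equal-cost paths are preserved instead of discarded.
    """
    cost = {root: 0}
    preds = defaultdict(set)
    done = set()
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue                     # stale heap entry
        done.add(u)
        for v, link_cost in lsdb.get(u, {}).items():
            nd = d + link_cost
            if v not in cost or nd < cost[v]:
                cost[v] = nd
                preds[v] = {u}           # strictly better: replace predecessors
                heapq.heappush(heap, (nd, v))
            elif nd == cost[v] and v not in done:
                preds[v].add(u)          # equal cost: keep both paths
    return cost, preds


def next_hops(preds, root, router):
    """Walk the predecessor sets back toward `root`; the routers adjacent to
    root on those walks are the next hops (one per equal-cost path)."""
    hops, stack, seen = set(), [router], set()
    while stack:
        n = stack.pop()
        for p in preds[n]:
            if p == root:
                hops.add(n)
            elif p not in seen:
                seen.add(p)
                stack.append(p)
    return hops


def routing_table(lsdb, stubs, root):
    """Routing table for `root`: network -> total cost and next hop(s)."""
    cost, preds = spf(lsdb, root)
    table = {}
    for router, nets in stubs.items():
        if router == root or router not in cost:
            continue                     # connected or unreachable: not via SPF
        for net in nets:
            table[net] = {"cost": cost[router],
                          "next_hops": sorted(next_hops(preds, root, router))}
    return table


if __name__ == "__main__":
    for net, entry in sorted(routing_table(LSDB, STUB_NETWORKS, "R1").items()):
        print(net, entry)
```

From R1 the network behind R5 is reachable at equal cost through R2 and through R3, so both appear as next hops, which is the equal-cost multipath behavior the text attributes to OSPF.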
One of OSPF’s most noteworthy features is that after a network change, such as when a link changes to up or down, OSPF converges with serious speed! In fact, it’s the fastest of any of the interior routing protocols we’ll be covering. Just to make sure you’re clear, convergence refers to when all routers have been successfully updated with the change.

OSPF is supposed to be designed in a hierarchical fashion, which basically means that you can separate the larger internetwork into smaller internetworks called areas. This is definitely the best design for OSPF. The following are reasons you really want to create OSPF in a hierarchical design:

- To decrease routing overhead
- To speed up convergence
- To confine network instability to single areas of the network

Pretty sweet benefits! But you have to earn them—OSPF is more elaborate and difficult to configure in this manner.

Figure 10.9 shows a typical OSPF simple design. Notice how each router connects to the backbone—called area 0, or the backbone area. OSPF must have an area 0, and all other areas should connect to this area. Routers that connect other areas to the backbone area within an AS are called area border routers (ABRs).

> Still, at least one interface of the ABR must be in area 0.

Figure 10.9: OSPF design example. (Labels in the figure: Area 0, backbone router, area border router (ABR), autonomous system border router (ASBR), Area 1, Area 2, autonomous system.)

OSPF runs inside an autonomous system, but it can also connect multiple autonomous systems together. The router that connects these ASs is called an autonomous system border router (ASBR). Typically, in today’s networks, BGP is used to connect between ASs, not OSPF.

Ideally, you would create other areas of networks to help keep route updates to a minimum and to keep problems from propagating throughout the network. But that’s beyond the scope of this chapter.
Just make note of it for your future networking studies.

### Intermediate System-to-Intermediate System (IS-IS)

IS-IS is an IGP, meaning that it’s intended for use within an administrative domain or network, not for routing between ASs. That would be a job that an EGP (such as BGP, which we just covered) would handle instead.

IS-IS is a link state routing protocol, meaning it operates by reliably flooding topology information throughout a network of routers. Each router then independently builds a picture of the network’s topology, just as they do with OSPF. Packets or datagrams are forwarded based on the best topological path through the network to the destination. Figure 10.10 shows an IS-IS network and the terminology used with IS-IS.

Here are the definitions for the terms used in the IS-IS network shown in Figure 10.10:

- L1: Level 1 intermediate systems route within an area. When the destination is outside an area, they route toward a Level 2 system.
- L2: Level 2 intermediate systems route between areas and toward other ASs.

The similarity between IS-IS and OSPF is that both employ the Dijkstra algorithm to discover the shortest path through the network to a destination network. The difference between IS-IS and OSPF is that IS-IS uses Connectionless Network Service (CLNS) to provide connectionless delivery of data packets between routers, and it also doesn’t require an area 0 like OSPF does. OSPF uses IP to communicate between routers instead.

Figure 10.10: IS-IS network terminology. (AS 1200 containing Areas 10, 11, 12, and 13; L1 routers inside the areas, L1/L2 routers at the area edges, and an L2 router in Area 13.)

An advantage to having CLNS around is that it can easily send information about multiple routed protocols (IP and IPv6), and as I already mentioned, OSPF must maintain a completely different routing database for IP and IPv6, respectively, for it to be able to send updates for both protocols.
IS-IS supports the most important characteristics of OSPF and EIGRP because it supports VLSM and also because it converges quickly. Each of these three protocols has advantages and disadvantages, but it’s these two shared features that make any of them scalable and appropriate for supporting the large-scale networks of today.

One last thing—even though it’s not as common, IS-IS, although comparable to OSPF, is actually preferred by ISPs because of its ability to run IP and IPv6 without creating a separate database for each protocol as OSPF does. That single feature makes it more efficient in very large networks.

## High Availability

First hop redundancy protocols (FHRPs) work by giving you a way to configure more than one physical router to appear as if they were only a single logical one. This makes client configuration and communication easier because you can simply configure a single default gateway and the host machine can use its standard protocols to communicate. First hop is a reference to the default router being the first router, or first router hop, through which a packet must pass.

So how does a redundancy protocol accomplish this? The protocols I’m going to describe to you do this basically by presenting a virtual router to all of the clients. The virtual router has its own IP and MAC addresses. The virtual IP address is the address that’s configured on each of the host machines as the default gateway. The virtual MAC address is the address that will be returned when an ARP request is sent by a host. The hosts don’t know or care which physical router is actually forwarding the traffic, as you can see in Figure 10.11.

Figure 10.11: FHRPs use a virtual router with a virtual IP address and virtual MAC address. (Two routers, Fa0/0 10.0.0.1 and Fa0/0 10.0.0.2, present the virtual router 10.0.0.10; the host at 10.0.0.100 uses 10.0.0.10 as its gateway.)

It’s the responsibility of the redundancy protocol to decide which physical router will actively forward traffic and which one will be placed in standby in case the active router fails. Even if the active router fails, the transition to the standby router will be transparent to the hosts because the virtual router, identified by the virtual IP and MAC addresses, is now used by the standby router. The hosts never change default gateway information, so traffic keeps flowing.

Fault-tolerant solutions provide continued operation in the event of a device failure, and load-balancing solutions distribute the workload over multiple devices. Next we’ll explore these two important redundancy protocols:

**Hot Standby Router Protocol (HSRP)** This is by far Cisco’s favorite protocol ever! Don’t buy just one router; buy up to eight routers to provide the same service, and keep seven as backup in case of failure! HSRP is a Cisco proprietary protocol that provides a redundant gateway for hosts on a local subnet, but this isn’t a load-balanced solution. HSRP allows you to configure two or more routers into a standby group that shares an IP address and MAC address and provides a default gateway. When the IP and MAC addresses are independent from the routers’ physical addresses (on a virtual interface, not tied to a specific interface), they can swap control of an address if the current forwarding and active router fails. But there is actually a way you can sort of achieve load balancing with HSRP—by using multiple VLANs and designating a specific router as active for one VLAN, then an alternate router as active for another VLAN, via trunking.

**Virtual Router Redundancy Protocol (VRRP)** This also provides a redundant—but again, not load-balanced—gateway for hosts on a local subnet.
It’s an open standard protocol that functions almost identically to HSRP. I’ll comb through the fine differences that exist between these protocols.

### Hot Standby Router Protocol (HSRP)

Again, HSRP is a Cisco proprietary protocol that can be run on most, but not all, of Cisco’s router and multilayer switch models. It defines a standby group, and each standby group that you define includes the following routers:

- Active router
- Standby router
- Virtual router
- Any other routers that may be attached to the subnet

The problem with HSRP is that with it, only one router is active and two or more routers just sit there in standby mode and won’t be used unless a failure occurs—not very cost effective or efficient! Figure 10.12 shows how only one router is used at a time in an HSRP group.

Figure 10.12: HSRP active and standby routers. (The router at Fa0/0 10.0.0.1 is Active and the router at Fa0/0 10.0.0.2 is Standby; both present the virtual router 10.0.0.10, which the host 10.0.0.100 uses as its gateway.)

The standby group will always have at least two routers participating in it. The primary players in the group are the one active router and one standby router that communicate to each other using multicast Hello messages. The Hello messages provide all of the required communication for the routers. The Hellos contain the information required to accomplish the election that determines the active and standby router positions. They also hold the key to the failover process. If the standby router stops receiving hello packets from the active router, it then takes over the active router role, as shown in Figure 10.13. As soon as the active router stops responding to hellos, the standby router automatically becomes the active router and starts responding to host requests.

#### Virtual MAC Address

A virtual router in an HSRP group has a virtual IP address and a virtual MAC address. So where does that virtual MAC come from?
The virtual IP address isn’t that hard to figure out; it just has to be a unique IP address on the same subnet as the hosts defined in the configuration. But MAC addresses are a little different, right? Or are they? The answer is yes—sort of. With HSRP, you create a totally new, made-up MAC address in addition to the IP address.

Figure 10.13: Example of HSRP active and standby routers swapping roles. (The router at Fa0/0 10.0.0.1 is now Standby and the router at Fa0/0 10.0.0.2 is Active; the virtual router 10.0.0.10 and the host’s gateway setting are unchanged.)

The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number. Let me clarify all this with an example of what an HSRP MAC address would look like:

`0000.0c07.ac0a`

- The first 24 bits (0000.0c) are the vendor ID of the address; in the case of HSRP being a Cisco protocol, the ID is assigned to Cisco.
- The next 16 bits (07.ac) are the well-known HSRP ID. This part of the address was assigned by Cisco in the protocol, so it’s always easy to recognize that this address is for use with HSRP.
- The last 8 bits (0a) are the only variable bits and represent the HSRP group number that you assign. In this case, the group number is 10 and converted to hexadecimal when placed in the MAC address, where it becomes the 0a that you see.

You can see this MAC address added to the ARP cache of every router in the HSRP group. There will be the translation from the IP address to the MAC address as well as the interface on which it’s located.
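An added Python example (not from the study guide) that turns the HSRP address layout above into code: it builds the virtual MAC for a group number, recognizes one in any common MAC notation, and checks a `show ip arp`-style table to confirm that the default gateway address resolves to the virtual MAC of the expected standby group, a quick way to catch a mistyped group number or a gateway entry that does not belong to the standby group at all. The ARP lines and the physical routers’ MAC addresses are constructed.

```python
"""HSRP (version 1) virtual MAC addresses: build one from a group number,
recognize one, and check that a default gateway's ARP entry carries the
virtual MAC of the expected standby group.

Added example, not from the study guide. The ARP lines below are constructed
in the style of Cisco `show ip arp` output; the address layout (Cisco OUI,
well-known HSRP ID 07.ac, group number in the last octet) is as the text gives it.
"""

HSRP_V1_PREFIX_HEX = "00000c07ac"   # 0000.0c (Cisco OUI) + 07.ac (well-known HSRP ID)


def normalize_mac(mac):
    """Return 12 lowercase hex digits from 0000.0c07.ac0a, 00:00:0c:07:ac:0a
    or 00-00-0C-07-AC-0A; reject anything that is not a 48-bit address."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def hsrp_virtual_mac(group):
    """HSRPv1 virtual MAC for `group` in Cisco dotted form (10 -> 0000.0c07.ac0a)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 carries the group number in 8 bits (0-255)")
    digits = HSRP_V1_PREFIX_HEX + f"{group:02x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def hsrp_group_of(mac):
    """Group number if `mac` is an HSRPv1 virtual MAC, else None.
    (HSRP version 2 uses a different well-known range and is not covered here.)"""
    digits = normalize_mac(mac)
    if not digits.startswith(HSRP_V1_PREFIX_HEX):
        return None
    return int(digits[10:], 16)


def parse_show_ip_arp(text):
    """Map IP address -> hardware address from `show ip arp`-style lines.
    Columns: Protocol  Address  Age (min)  Hardware Addr  Type  Interface."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "Internet":
            table[parts[1]] = parts[3]
    return table


def check_gateway(arp_text, gateway_ip, expected_group):
    """Verdict on the default-gateway ARP entry.

    'ok'                 gateway resolves to the virtual MAC of expected_group
    'missing'            no ARP entry for the gateway address
    'not-hsrp'           gateway resolves to something other than an HSRP virtual MAC
    'group-mismatch:<n>' it is an HSRP virtual MAC, but for group n
    """
    mac = parse_show_ip_arp(arp_text).get(gateway_ip)
    if mac is None:
        return "missing"
    group = hsrp_group_of(mac)
    if group is None:
        return "not-hsrp"
    if group != expected_group:
        return f"group-mismatch:{group}"
    return "ok"


# Constructed ARP table for the segment of Figure 10.12: physical routers at
# 10.0.0.1 and 10.0.0.2 (made-up hardware addresses), virtual router 10.0.0.10
# in HSRP group 10.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                5   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.0.0.2                5   0011.2233.6677  ARPA   FastEthernet0/0
Internet  10.0.0.10               -   0000.0c07.ac0a  ARPA   FastEthernet0/0
"""

if __name__ == "__main__":
    print(hsrp_virtual_mac(10))                          # 0000.0c07.ac0a
    print(check_gateway(SAMPLE_ARP, "10.0.0.10", 10))    # ok
    print(check_gateway(SAMPLE_ARP, "10.0.0.10", 11))    # group-mismatch:10
    print(check_gateway(SAMPLE_ARP, "10.0.0.1", 10))     # not-hsrp
```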
#### HSRP Timers

Before we get deeper into the roles that each of the routers can have in an HSRP group, I want to define the HSRP timers. The timers are very important to HSRP function because they ensure communication between the routers, and if something goes wrong, they allow the standby router to take over. The HSRP timers include hello, hold, active, and standby.

**Hello Timer** The hello timer is the defined interval during which each of the routers sends out Hello messages. Their default interval is 3 seconds, and they identify the state that each router is in. This is important because the particular state determines the specific role of each router and, as a result, the actions each will take within the group. Figure 10.14 shows the Hello messages being sent; the router uses the hello timer to keep network traffic flowing in case of a failure.

Figure 10.14: HSRP Hellos. (The Active router at Fa0/0 10.0.0.1 and the Standby router at Fa0/0 10.0.0.2 exchange Hello messages for the virtual router 10.0.0.10; the host 10.0.0.100 uses 10.0.0.10 as its gateway.)

This timer can be changed, and people used to avoid doing so because it was thought that lowering the hello value would place an unnecessary load on the routers. That isn’t true with most of the routers today; in fact, you can configure the timers in milliseconds, meaning the failover time can be in milliseconds! Still, keep in mind that increasing the value will make the standby router wait longer before taking over for the active router when it fails or can’t communicate.

**Hold Timer** The hold timer specifies the interval the standby router uses to determine whether the active router is offline or out of communication. By default, the hold timer is 10 seconds, roughly three times the default for the hello timer. If one timer is changed for some reason, I recommend using this multiplier to adjust the other timers too.
By setting the hold timer at three times the hello timer, you ensure that the standby router doesn’t take over the active role every time there’s a short break in communication.

**Active Timer** The active timer monitors the state of the active router. The timer resets each time a router in the standby group receives a Hello packet from the active router. This timer expires based on the hold time value that’s set in the corresponding field of the HSRP hello message.

**Standby Timer** The standby timer is used to monitor the state of the standby router. The timer resets anytime a router in the standby group receives a hello packet from the standby router and expires based on the hold time value that’s set in the respective hello packet.

> **Large Enterprise Network Outages with FHRPs**
>
> Years ago when HSRP was all the rage, and before VRRP and GLBP, enterprises used hundreds of HSRP groups. With the hello timer set to 3 seconds and a hold time of 10 seconds, these timers worked just fine and we had great redundancy with our core routers. However, as we’ve seen in the last few years, and will certainly see in the future, 10 seconds is now a lifetime! Some of my customers have been complaining about the failover time and loss of connectivity to their virtual server farms. So lately I’ve been changing the timers to well below the defaults. Cisco had changed the timers so you could use sub-second times for failover. Because these are multicast packets, the overhead that is seen on a current high-speed network is almost nothing. The hello timer is typically set to 200 msec and the hold time is 700 msec. The command is as follows:
>
> `(config-if)#standby 1 timers msec 200 msec 700`
>
> This almost ensures that not even a single packet is lost when there is an outage.

### Virtual Router Redundancy Protocol

Like HSRP, Virtual Router Redundancy Protocol (VRRP) allows a group of routers to form a single virtual router.
In an HSRP or VRRP group, one router is elected to handle all requests sent to the virtual IP address. With HSRP, this is the active router. An HSRP group has only one active router, at least one standby router, and many listening routers. A VRRP group has one master router and one or more backup routers, and is the open standard implementation of HSRP.

### Comparing VRRP and HSRP

The LAN workstations are configured with the address of the virtual router as their default gateway, just as they are with HSRP, but VRRP differs from HSRP in these important ways:

- VRRP is an IEEE standard (RFC 2338) for router redundancy; HSRP is a Cisco proprietary protocol.
- The virtual router that represents a group of routers is known as a VRRP group.
- The active router is referred to as the master virtual router.
- The master virtual router may have the same IP address as the virtual router group.
- Multiple routers can function as backup routers.
- VRRP is supported on Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces as well as on Multiprotocol Label Switching (MPLS), virtual private networks (VPNs), and VLANs.

### VRRP Redundancy Characteristics

VRRP has some unique features:

- VRRP provides redundancy for the real IP address of a router or for a virtual IP address shared among the VRRP group members.
- If a real IP address is used, the router with that address becomes the master.
- If a virtual IP address is used, the master is the router with the highest priority.
- A VRRP group has one master router and one or more backup routers.
- The master router uses VRRP messages to inform group members of its status.
- VRRP allows load sharing across more than one virtual router.

Now let’s take a look at some IPv6 routing protocols.

## IPv6 Routing Protocols

Most of the routing protocols we’ve already discussed have been upgraded for use in IPv6 networks. Also, many of the functions and configurations that we’ve already learned will be used in almost the same way as they’re used now.
Knowing that broadcasts have been eliminated in IPv6, it follows that any protocols that use entirely broadcast traffic will go the way of the dodo—but unlike the dodo, it’ll be good to say goodbye to these bandwidth-hogging, performance-annihilating little gremlins!

The routing protocols that we’ll still use in version 6 got a new name and a facelift. Let’s talk about a few of them now. First on the list is RIPng (next generation). Those of you who have been in IT for a while know that RIP has worked very well for us on smaller networks, which happens to be the reason it didn’t get whacked and will still be around in IPv6. And we still have EIGRPv6 because it already had protocol-dependent modules and all we had to do was add a new one to it for the IPv6 protocol. Rounding out our group of protocol survivors is OSPFv3—that’s not a typo; it really is version 3. OSPF for IPv4 was actually version 2, so when it got its upgrade to IPv6, it became OSPFv3.

### RIPng

To be honest, the primary features of RIPng are the same as they were with RIPv2. It is still a distance vector protocol, has a max hop count of 15, and still has the same loop avoidance mechanisms as well as using UDP port 521. And it still uses multicast to send its updates, too, but in IPv6, it uses FF02::9 for the transport address. This is actually kind of cool because in RIPv2, the multicast address was 224.0.0.9, so the address still has a 9 at the end in the new IPv6 multicast range. In fact, most routing protocols got to keep a little bit of their IPv4 identities like that.

But of course there are differences in the new version or it wouldn’t be a new version, would it? We know that routers keep the next-hop addresses of their neighbor routers for every destination network in their routing table. The difference is that with RIPng, the router keeps track of this next-hop address using the link-local address, not a global address.
So just remember that RIPng will pretty much work the same way as with IPv4.

### EIGRPv6

As with RIPng, EIGRPv6 works much the same as its IPv4 predecessor does—most of the features that EIGRP provided before EIGRPv6 will still be available. EIGRPv6 is still an advanced distance vector protocol that has some link state features. The neighbor-discovery process using hellos still happens, and it still provides reliable communication with a reliable transport protocol that gives us loop-free fast convergence using DUAL. Hello packets and updates are sent using multicast transmission, and as with RIPng, EIGRPv6’s multicast address stayed almost the same. In IPv4 it was 224.0.0.10; in IPv6, it’s FF02::A (A = 10 in hexadecimal notation).

Last to check out in our group is what OSPF looks like in the IPv6 routing protocol.

### OSPFv3

The new version of OSPF continues the trend of the routing protocols having many similarities with their IPv4 versions. The foundation of OSPF remains the same—it is still a link state routing protocol that divides an entire internetwork or autonomous system into areas, making a hierarchy. Adjacencies (neighbor routers running OSPF) and next-hop attributes now use link-local addresses, and OSPFv3 still uses multicast traffic to send its updates and acknowledgments, with the addresses FF02::5 for OSPF routers and FF02::6 for OSPF-designated routers, which provide topological updates (route information) to other routers. These new addresses are the replacements for 224.0.0.5 and 224.0.0.6, respectively, which were used in OSPFv2.

With all this routing information behind you, it’s time to go through some review questions and then move on to learning all about switching in the next chapter.
> Shortest Path Bridging (SPB), specified in the IEEE 802.1aq standard, is a computer networking technology intended to simplify the creation and configuration of networks and replace the older 802.1d/802.1w protocols, while enabling multipath routing.

## Summary

This chapter covered the basic routing protocols that you may find on a network today. Probably the most common routing protocols you’ll run into are RIP, OSPF, and EIGRP. I covered RIP, RIPv2, the differences between the two RIP protocols, EIGRP, and BGP in the section on distance vector protocols. I finished by discussing OSPF and IS-IS and when you would possibly see each one in a network.

## Exam Essentials

**Remember the differences between RIPv1 and RIPv2.** RIPv1 sends broadcasts every 30 seconds and has an AD of 120. RIPv2 sends multicasts (224.0.0.9) every 30 seconds and also has an AD of 120. RIPv2 sends subnet mask information with the route updates, which allows it to support classless networks and discontiguous networks. RIPv2 also supports authentication between routers, and RIPv1 does not.

**Compare OSPF and RIPv1.** OSPF is a link state protocol that supports VLSM and classless routing; RIPv1 is a distance vector protocol that does not support VLSM and supports only classful routing.

## Written Lab

You can find the answers in Appendix A.

1. The default administrative distance of RIP is ____.
2. The default administrative distance of EIGRP is ____.
3. The default administrative distance of RIPv2 is ____.
4. What is the default administrative distance of a static route?
5. What is the version or name of RIP that is used with IPv6?
6. What is the version or name of OSPF that is used with IPv6?
7. What is the version or name of EIGRP that is used with IPv6?
8. When would you use BGP?
9. When could you use EIGRP?
10. Is BGP considered link state or DV?
Review Questions

You can find the answers to the review questions in Appendix B.

1. Which of the following protocols support VLSM, summarization, and discontiguous networking? (Choose three.)
A. RIPv1
B. IGRP
C. EIGRP
D. OSPF
E. BGP
F. RIPv2

2. Which of the following are considered distance vector routing protocols? (Choose two.)
A. OSPF
B. RIP
C. RIPv2
D. IS-IS

3. Which of the following are considered link state routing protocols? (Choose two.)
A. OSPF
B. RIP
C. RIPv2
D. IS-IS

4. Which of the following is considered a hybrid routing protocol? (Choose two.)
A. OSPF
B. BGP
C. RIPv2
D. IS-IS
E. EIGRP

5. Why would you want to use a dynamic routing protocol instead of using static routes?
A. There is less overhead on the router.
B. Dynamic routing is more secure.
C. Dynamic routing scales to larger networks.
D. The network runs faster.

6. Which of the following is a vendor-specific FHRP protocol?
A. STP
B. OSPF
C. RIPv1
D. EIGRP
E. IS-IS
F. HSRP

7. RIP has a long convergence time and users have been complaining of response time when a router goes down and RIP has to reconverge. Which can you implement to improve convergence time on the network?
A. Replace RIP with static routes.
B. Update RIP to RIPv2.
C. Update RIP to OSPF using link state.
D. Replace RIP with BGP as an exterior gateway protocol.

8. What is the administrative distance of OSPF?
A. 90
B. 100
C. 110
D. 120

9. Which of the following protocols will advertise routed IPv6 networks?
A. RIP
B. RIPng
C. OSPFv2
D. EIGRPv3

10. What is the difference between static and dynamic routing?
A. You use static routing in large, scalable networks.
B. Dynamic routing is used by a DNS server.
C. Dynamic routes are added automatically.
D. Static routes are added automatically.

11. Which routing protocol has a maximum hop count of 15?
A. RIPv1
B. IGRP
C. EIGRP
D. OSPF

12. Which of the following describes routing convergence time?
A. The time it takes for your VPN to connect
B. The time required by protocols to update their forwarding tables after changes have occurred
C. The time required for IDS to detect an attack
D. The time required by switches to update their link status and go into forwarding state

13. What routing protocol is typically used to connect ASs on the Internet?
A. IGRP
B. RIPv2
C. BGP
D. OSPF

14. RIPv2 sends out its routing table every 30 seconds just like RIPv1, but it does so more efficiently. What type of transmission does RIPv2 use to accomplish this task?
A. Broadcasts
B. Multicasts
C. Telecast
D. None of the above

15. Which routing protocols have an administrative distance of 120? (Choose two.)
A. RIPv1
B. RIPv2
C. EIGRP
D. OSPF

16. Which of the following routing protocols uses AS-Path as one of the methods to build the routing tables?
A. OSPF
B. IS-IS
C. BGP
D. RIP
E. EIGRP

17. Which IPv6 routing protocol uses UDP port 521?
A. RIPng
B. EIGRPv6
C. OSPFv3
D. IS-IS

18. What EIGRP information is held in RAM and maintained through the usage of hello and update packets? (Select all that apply.)
A. DUAL table
B. Neighbor table
C. Topology table
D. Successor route

19. Which is true regarding EIGRP successor routes?
A. Successor routes are saved in the neighbor table.
B. Successor routes are stored in the DUAL table.
C. Successor routes are used only if the primary route fails.
D. A successor route is used by EIGRP to forward traffic to a destination.

20. Which of the following uses only hop count as a metric to find the best path to a remote network?
A. RIP
B. EIGRP
C. OSPF
D. BGP

Chapter 11
Switching and Virtual LANs

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 2.6 Given a scenario, configure a switch using proper features
■ VLAN
  ■ Native VLAN/Default VLAN
  ■ VTP
■ Spanning tree (802.1d)/rapid spanning tree (802.1w)
  ■ Flooding
  ■ Forwarding/blocking
  ■ Filtering
■ Interface configuration
  ■ Trunking/802.1q
  ■ Tag vs untag VLANs
  ■ Port bonding (LACP)
  ■ Port mirroring (local vs remote)
  ■ Speed and duplexing
  ■ IP address assignment
  ■ VLAN assignment
  ■ Default gateway
  ■ PoE and PoE+ (802.3af, 802.3at)
■ Switch management
  ■ User/passwords
  ■ AAA configuration
  ■ Console
  ■ Virtual terminals
  ■ In-band/Out-of-band management
■ Managed vs unmanaged

✓ 3.3 Given a scenario, implement network hardening techniques
■ Network-based
  ■ Switch port security
  ■ MAC address filtering
  ■ DHCP snooping
  ■ ARP inspection
  ■ VLAN assignments
  ■ Network segmentation

Layer 2 switching is the process of using the hardware addresses of devices on a LAN to segment a network. Because you’ve got the basic ideas down, I’m now going to focus on the more in-depth particulars of Layer 2 switching and how it works. You already know that switching breaks up large collision domains into smaller ones and that a collision domain is a network segment with two or more devices sharing the same bandwidth. A hub network is a typical example of this type of technology. But because each port on a switch is actually its own collision domain, you can create a much better Ethernet LAN network by simply replacing your hubs with switches!

Switches truly have changed the way networks are designed and implemented. If a pure switched design is properly implemented, it will result in a clean, cost-effective, and resilient internetwork. In this chapter, we’ll survey and compare how networks were designed before and after switching technologies were introduced.
Routing protocols like RIP, which you learned about in Chapter 10, employ processes for preventing network loops from occurring at the Network layer. This is all good, but if you have redundant physical links between your switches, routing protocols won’t do a thing to stop loops from occurring at the Data Link layer. That’s exactly the reason Spanning Tree Protocol was developed—to put a stop to loops taking place within a Layer 2 switched network. The essentials of this vital protocol, as well as how it works within a switched network, are some of the important subjects that we’ll cover thoroughly in this chapter. And to finish up this chapter, you’re going to learn exactly what a VLAN is and how VLAN memberships are used in a switched network as well as how trunking is used to send information from all VLANs across a single link. Good stuff!

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Networking Before Layer 2 Switching

Because knowing the history of something really helps with understanding why things are the way they are today, I’m going to go back in time a bit and talk about the condition of networks before switches and the part switches have played in the evolution of corporate LANs by helping to segment them. For a visual of how a typical network design looked before LAN switching, check out the network in Figure 11.1.

Figure 11.1 A network before switching

The design in Figure 11.1 was called a collapsed backbone because all the hosts involved had to go to the corporate backbone in order to reach any network services—both LAN and mainframe. Going back even further, before networks like the one shown in Figure 11.1 had physical segmentation devices such as routers and hubs, there was the mainframe network.
This type of network comprised mainframe controllers made by IBM, Honeywell, Sperry, DEC, and so on, and dumb terminals that connected into the controller(s). Any remote sites were connected to the mainframe with bridges. And then the PC began its rise to stardom, and the mainframe was connected to an Ethernet or Token Ring LAN where the servers were installed. These servers were usually OS/2 or LAN Manager because this was “pre-NT.” Each floor of a building ran either coax or twisted-pair wiring to the corporate backbone, which was then connected to a router. PCs ran an emulating software program that allowed them to connect to mainframe services, giving those PCs the ability to access services from the mainframe and LAN simultaneously. Eventually, the PC became robust enough to allow application developers to port applications more effectively than they ever could before—an advance that markedly reduced networking prices and enabled businesses to grow at a much faster rate.

Moving forward to when Novell rose to popularity in the late 1980s and early 1990s, OS/2 and LAN Manager servers were by and large replaced with NetWare servers. This made the Ethernet network even more popular because that’s what Novell 3.x servers used to communicate with client-server software. So basically, that’s the story about how the network in Figure 11.1 came into being. But soon a big problem arose with this configuration. As the corporate backbone grew and grew, network services became slower and slower. A big reason for this was that at the same time this huge burst in growth was taking place, LAN services began to require even faster response times. This resulted in networks becoming totally saturated and overwhelmed. Everyone was dumping the dumb terminals used to access mainframe services in favor of those slick new PCs so they could more easily connect to the corporate backbone and network services.
And all this was taking place before the Internet’s momentous popularity, so everyone in the company needed to access the corporate network’s own, internal services. Without the Internet, all network services were internal, meaning that they were exclusive to the company network. As you can imagine, this situation created a screaming need to segment that single, humongous, and now plodding corporate network, which was connected together with sluggish old routers. How was this issue addressed? Well, at first, Cisco responded by simply creating faster routers (no doubt about that), but still more segmentation was needed, especially on the Ethernet LANs. The invention of Fast Ethernet was a very good and helpful thing, yet it too fell short of solving that network segmentation need. But devices called bridges did provide relief, and they were first used in the networking environment to break up collision domains. Sounds good, but only so much—bridges were sorely limited by the number of ports and other network services they could provide, and that’s when Layer 2 switches came to the rescue. These switches saved the day by breaking up collision domains on each and every port—like a bridge—but switches could provide hundreds of ports! This early, switched LAN looked like the network pictured in Figure 11.2.

Figure 11.2 The first switched LAN

As you can see here, each hub was placed into a switch port—an innovation that vastly improved the network. So now, instead of each building being crammed into the same collision domain, each hub became its own separate collision domain. Yet still, as is too often the case, there was a catch—switch ports were still very new and, therefore, super expensive.
Because switches were so cost prohibitive, simply adding a switch into each floor of the building just wasn’t going to happen—at least, not yet. But thanks to whomever you choose to thank for these things, the switch price tag has dropped dramatically; now, having every one of your users plugged into a switch port is a really good solution, and cost effective, too! So there it is—if you’re going to create a network design and implement it, including switching services is a must. A typical, contemporary, and complete switched network design/implementation would look something like Figure 11.3.

Figure 11.3 The typical switched network design

“But wait—there’s still a router in there!” you say. Yes, it’s not a mirage—there is a router in there. But its job has changed quite a bit. Instead of performing physical segmentation, it now creates and handles logical segmentation. Those logical segments are called VLANs, and no worries, I promise to explain them thoroughly throughout the rest of this chapter.

Switching Services

Bridges use software to create and manage a filter table, but switches use application-specific integrated circuits (ASICs) to accomplish this. Even so, it’s still okay to think of a Layer 2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to forward, flood, or drop the frame.

Switches create private, dedicated collision domains and provide independent bandwidth on each port, unlike hubs. Figure 11.4 shows five hosts connected to a switch—all running 100Mbps full duplex to the server. Unlike with a hub, each host has full-duplex, 100Mbps of dedicated communication to the server.

Figure 11.4 Switches create private domains.
Layer 2 switching provides the following benefits:
■ Hardware-based bridging (ASIC)
■ Wire speed
■ Low latency
■ Low cost

What makes Layer 2 switching so efficient is that no modification to the data packet takes place. The device reads only the frame encapsulating the packet, which makes the switching process considerably faster and less error prone than routing processes. And if you use Layer 2 switching for both workgroup connectivity and network segmentation (breaking up collision domains), you can create a flatter network design with more network segments than you can with traditional routed networks. Plus, Layer 2 switching increases bandwidth for each user because, again, each connection (interface) into the switch is its own collision domain. This feature makes it possible for you to connect multiple devices to each interface—very cool. Coming up, we’ll dive deeper into the Layer 2 switching technology.

Limitations of Layer 2 Switching

Because people usually toss Layer 2 switching into the same category as bridged networks, we also tend to think it has the same hang-ups and issues that bridged networks do. Keep in mind that bridges are good and helpful things if we design the network correctly, keeping our devices’ features as well as their limitations in mind. To end up with a solid design that includes bridges, there are two really important things to consider:
■ You absolutely have to break up the collision domains properly.
■ A well-oiled, functional bridged network is one whose users spend 80 percent of their time on the local segment.

So, bridged networks break up collision domains, but remember, that network is really still just one big broadcast domain. Neither Layer 2 switches nor bridges break up broadcast domains by default—something that not only limits your network’s size and growth potential but can also reduce its overall performance!
Broadcasts and multicasts, along with the slow convergence time of spanning trees, can give you some major grief as your network grows. These are the big reasons Layer 2 switches and bridges just can’t completely replace routers (Layer 3 devices) in the internetwork.

Bridging vs LAN Switching

It’s true—Layer 2 switches really are pretty much just bridges that give us a lot more ports. But the comparison doesn’t end there. Here’s a list of some significant differences and similarities between bridges and switches that you need to keep in mind:
■ Bridges are software based, whereas switches are hardware based because they use ASIC chips to help make filtering decisions.
■ A switch can be viewed as a multiport bridge.
■ There can be only one spanning-tree instance per bridge, whereas switches can have many. (I’m going to tell you all about spanning trees in a bit.)
■ Switches have a higher number of ports than most bridges.
■ Both bridges and switches forward Layer 2 broadcasts.
■ Bridges and switches learn MAC addresses by examining the source address of each frame received.
■ Both bridges and switches make forwarding decisions based on Layer 2 addresses.

Three Switch Functions at Layer 2

There are three distinct functions of Layer 2 switching—you need to know these! They are as follows:
■ Address learning
■ Forward/filter decisions
■ Loop avoidance

The next three sections cover these functions in detail.

Address Learning

Layer 2 switches and bridges are capable of address learning; that is, they remember the source hardware address of each frame received on an interface and enter this information into a MAC database known as a forward/filter table. But first things first—when a switch is initially powered on, the MAC forward/filter table is empty, as shown in Figure 11.5.

Figure 11.5 Empty forward/filter table on a switch (E0/0 through E0/3 have no entries; Hosts A through D are attached)

When a device transmits and an interface receives a frame, the switch places the frame’s source address in the MAC forward/filter table, which allows it to remember the interface on which the sending device is located. The switch then has no choice but to flood the network with this frame out of every port except the source port because it has no idea where the destination device is actually located. If a device answers this flooded frame and sends a frame back, then the switch will take the source address from that frame and place that MAC address in its database as well, thereby associating the newly discovered address with the interface that received the frame. Because the switch now has both of the relevant MAC addresses in its filtering table, the two devices can make a point-to-point connection. The switch doesn’t need to flood the frame as it did the first time because now the frames can and will be forwarded only between the two devices recorded in the table. This is exactly the thing that makes Layer 2 switches better than hubs, because in a hub network, all frames are forwarded out all ports every time—no matter what. This is because hubs just aren’t equipped to collect, store, and draw upon data in a table as a switch is. Figure 11.6 shows the processes involved in building a MAC database.

Figure 11.6 How switches learn hosts’ locations (MAC forward/filter table: E0/0: 0000.8c01.000A, learned in step 2; E0/1: 0000.8c01.000B, learned in step 4; E0/2 and E0/3 empty)

In this figure, you can see four hosts attached to a switch. When the switch is powered on, it has nothing in its MAC address forward/filter table (just as in Figure 11.5).
But when the hosts start communicating, the switch places the source hardware address of each frame in the table along with the port that the frame’s address corresponds to. Let me give you a step-by-step example of how a forward/filter table becomes populated:
1. Host A sends a frame to Host B. Host A’s MAC address is 0000.8c01.000A, and Host B’s MAC address is 0000.8c01.000B.
2. The switch receives the frame on the E0/0 interface and places the source address in the MAC address table, associating it with the port it came in on.
3. Because the destination address is not in the MAC database, the frame is forwarded (flooded) out all interfaces—except the source port.
4. Host B receives the frame and responds to Host A. The switch receives this frame on interface E0/1 and places the source hardware address in the MAC database, associating it with the port it came in on.
5. Host A and Host B can now make a point-to-point connection, and only the two devices will receive the frames. Hosts C and D will not see the frames, nor are their MAC addresses found in the database because they haven’t yet sent a frame to the switch.

Oh, by the way, it’s important to know that if Host A and Host B don’t communicate to the switch again within a certain amount of time, the switch will flush their entries from the database to keep it as current as possible.

Forward/Filter Decisions

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database and the switch makes a forward/filter decision. In other words, if the destination hardware address is known (listed in the database), the frame is only sent out the specified exit interface. The switch will not transmit the frame out any interface except the destination interface. Not transmitting the frame preserves bandwidth on the other network segments and is called frame filtering.
But as I mentioned earlier, if the destination hardware address isn’t listed in the MAC database, then the frame is flooded out all active interfaces except the interface on which the frame was received. If a device answers the flooded frame, the MAC database is updated with the device’s location—its particular interface. So by default, if a host or server sends a broadcast on the LAN, the switch will flood the frame out all active ports except the source port. Remember, the switch creates smaller collision domains, but it’s still one large broadcast domain by default. In Figure 11.7, you can see Host A sending a data frame to Host D. What will the switch do when it receives the frame from Host A?

Figure 11.7 Forward/filter table (partial show mac address-table output: VLAN 1 entries for 0005.dccb.d74b, 000a.f467.9e80, and 000a.f467.9e8b on ports Fa0/3, Fa0/4, and Fa0/5)

If you answered that because Host A’s MAC address is not in the forward/filter table, the switch will add the source address and port to the MAC address table and then forward the frame to Host D, you’re halfway there. If you also came back with, “If Host D’s MAC address was not in the forward/filter table, the switch would have flooded the frame out all ports except for port Fa0/3,” then congratulations—you nailed it!
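The learning, flooding, forwarding, and filtering decisions just described, as an added example that is not code from the book: a small Python model of a switch’s forward/filter table. It is seeded with the same entries as the show mac address-table output the chapter discusses next (embedded here as constructed data), keys the table on the VLAN column so that floods stay inside one VLAN, and treats the port layout, the aging time, and any other MAC addresses as assumptions.

```python
from dataclasses import dataclass, field

# Constructed seed data, matching the show mac address-table output in the chapter.
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0005.dccb.d74b    DYNAMIC     Fa0/1
   1    000a.f467.9e80    DYNAMIC     Fa0/3
   1    000a.f467.9e8b    DYNAMIC     Fa0/4
   1    000a.f467.9e8c    DYNAMIC     Fa0/3
   1    0010.7b7f.c2b0    DYNAMIC     Fa0/3
   1    0030.80dc.460b    DYNAMIC     Fa0/3
   1    0030.9492.a5dd    DYNAMIC     Fa0/1
   1    00d0.58ad.05f4    DYNAMIC     Fa0/1
"""


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Layer2Switch:
    """Forward/filter table keyed per VLAN: (vlan, mac) -> (port, time learned)."""
    ports: dict                     # port name -> access VLAN (constructed layout)
    aging_seconds: float = 300.0    # assumed aging time for idle entries
    table: dict = field(default_factory=dict)

    def load_show_mac_table(self, text: str, now: float = 0.0) -> None:
        """Seed the table from 'show mac address-table' style output."""
        for line in text.splitlines():
            parts = line.split()
            if len(parts) == 4 and parts[0].isdigit():
                vlan, mac, _type, port = parts
                self.table[(int(vlan), mac.lower())] = (port, now)

    def age_out(self, now: float) -> None:
        """Flush entries whose owners have been silent longer than the aging time."""
        stale = [k for k, (_p, t) in self.table.items() if now - t > self.aging_seconds]
        for k in stale:
            del self.table[k]

    def flood(self, vlan: int, in_port: str) -> list:
        """Every port in the same VLAN except the one the frame arrived on."""
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)

    def receive(self, in_port: str, src: str, dst: str, now: float = 0.0) -> list:
        """Return the egress port list for a frame; [] means it was filtered."""
        vlan = self.ports[in_port]
        self.age_out(now)
        # Address learning: remember which port the source lives on.
        self.table[(vlan, src.lower())] = (in_port, now)
        # Broadcasts, multicasts and unknown unicasts are flooded within the VLAN.
        if is_group_address(dst):
            return self.flood(vlan, in_port)
        entry = self.table.get((vlan, dst.lower()))
        if entry is None:
            return self.flood(vlan, in_port)
        out_port, _ = entry
        # Known unicast: forward out exactly one port, or filter it when the
        # destination sits on the same segment the frame came from.
        return [] if out_port == in_port else [out_port]


def build_example_switch() -> Layer2Switch:
    """Six access ports in VLAN 1 plus two in VLAN 2 (constructed layout)."""
    ports = {f"Fa0/{n}": 1 for n in range(1, 7)}
    ports.update({"Fa0/7": 2, "Fa0/8": 2})
    sw = Layer2Switch(ports)
    sw.load_show_mac_table(SHOW_MAC_TABLE)
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    # Known destination from the chapter's question: forwarded out Fa0/3 only.
    print(sw.receive("Fa0/1", "0005.dccb.d74b", "000a.f467.9e8c"))
    # Unknown destination: flooded out every VLAN 1 port except Fa0/1.
    print(sw.receive("Fa0/1", "0005.dccb.d74b", "0000.8c01.000b"))
    # A broadcast in VLAN 2 never leaves VLAN 2.
    print(sw.receive("Fa0/7", "0000.8c01.000a", "ffff.ffff.ffff"))
```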
Let’s take a look at the output of a show mac address-table command as seen from a Cisco Catalyst switch (the MAC address table works pretty much exactly the same on all brands of switches):

Switch#sh mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0005.dccb.d74b    DYNAMIC     Fa0/1
   1    000a.f467.9e80    DYNAMIC     Fa0/3
   1    000a.f467.9e8b    DYNAMIC     Fa0/4
   1    000a.f467.9e8c    DYNAMIC     Fa0/3
   1    0010.7b7f.c2b0    DYNAMIC     Fa0/3
   1    0030.80dc.460b    DYNAMIC     Fa0/3
   1    0030.9492.a5dd    DYNAMIC     Fa0/1
   1    00d0.58ad.05f4    DYNAMIC     Fa0/1

Now suppose the preceding switch received a frame with the following MAC addresses:
Source MAC: 0005.dccb.d74b
Destination MAC: 000a.f467.9e8c

How will the switch handle this frame? The right answer is that the destination MAC address will be found in the MAC address table and the frame will be forwarded out Fa0/3 only. Remember that if the destination MAC address is not found in the forward/filter table, it will forward the frame out all ports of the switch looking for the destination device. Now that you can see the MAC address table and how switches add hosts’ addresses to the forward/filter table, how do you stop switching loops if you have multiple links between switches? Let’s talk about this possible problem in more detail.

Loop Avoidance

Redundant links between switches can be a wise thing to implement because they help prevent complete network failures in the event that one link stops working. But it seems like there’s always a downside—even though redundant links can be extremely helpful, they often cause more problems than they solve. This is because frames can be flooded down all redundant links simultaneously, creating network loops as well as other evils. Here are a few of the problems you can be faced with:
■ If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork.
This is sometimes referred to as a broadcast storm. (In real life, it’s often referred to in less-polite ways that we’re not permitted to repeat in print!) Figure 11.8 illustrates how a broadcast can be propagated throughout the network. Pay special attention to how a frame is continually being flooded through the internetwork’s physical network media. One way to test the loop avoidance operations of your switch network is to plug one end of a cable into one port and the other end of the same cable into another port. If loop avoidance is not operational, this should cause a big broadcast storm! What you see in Figure 11.8 is that a device can receive multiple copies of the same frame because that frame can arrive from different segments at the same time. Figure 11.9 demonstrates how a whole bunch of frames can arrive from multiple segments simultaneously. The server in the figure sends a unicast frame to another device connected to Segment 1. Because it’s a unicast frame, Switch A receives and forwards the frame, and Switch B provides the same service—it forwards the unicast. This is bad because it means that the destination device on Segment 1 receives that unicast frame twice, causing additional overhead on the network.

Figure 11.8 Broadcast storm (Switch A and Switch B both connected to Segment 1 and Segment 2)

Figure 11.9 Multiple frame copies (Router C’s unicast reaches Segment 1 through both Switch A and Switch B)

■ You may have thought of this one: The MAC address filter table could be totally confused about the device’s location because the switch can receive the frame from more than one link. Worse, the bewildered switch could get so caught up in constantly updating the MAC filter table with source hardware address locations that it might fail to forward a frame! This is called thrashing the MAC table.
■ One of the nastiest things that can happen is having multiple loops propagating throughout a network.
This means you end up with loops occurring within other loops, and if a broadcast storm happened at the same time, the network wouldn’t be able to perform frame switching at all—it’s toast!

All of these problems spell disaster (or something like it) and are decidedly ugly situations that just must be avoided or at least fixed somehow. That’s where the Spanning Tree Protocol comes into the game. It was developed to solve each and every one of the problems I just told you about.

Spanning Tree Protocol

Once upon a time, a company called Digital Equipment Corporation (DEC) was purchased and renamed Compaq. But before that happened, DEC created the original version of Spanning Tree Protocol (STP). The IEEE later created its own version of STP called 802.1D. Yet again, it’s not all clear skies—by default, most switches run the IEEE 802.1D version of STP, which isn’t compatible with the DEC version. The good news is that there is a new industry standard called 802.1w, which is faster but not enabled by default on any switches.

To begin with, STP’s main task is to stop network loops from occurring on your Layer 2 network (bridges or switches). It achieves this feat by vigilantly monitoring the network to find all links and making sure that no loops occur by shutting down any redundant ones. STP uses the spanning-tree algorithm (STA) to first create a topology database and then search out and destroy redundant links. With STP running, frames will be forwarded only on the premium, STP-picked links. Switches transmit Bridge Protocol Data Units (BPDUs) out all ports so that all links between switches can be found. STP is a Layer 2 protocol that is used to maintain a loop-free switched network. STP is necessary in networks such as the one shown in Figure 11.10.
Figure 11.10 A switched network with switching loops

In Figure 11.10, you see a switched network with a redundant topology (switching loops). Without some type of Layer 2 mechanism to stop network loops, we would fall victim to the problems I discussed previously: broadcast storms and multiple frame copies. Understand that the network in Figure 11.10 would actually sort of work, albeit extremely slowly. This clearly demonstrates the danger of switching loops. And to make matters worse, it can be super hard to find this problem once it starts!

Spanning Tree Port States

The ports on a bridge or switch running STP can transition through five different states:

Blocking  A blocked port won’t forward frames; it just listens to BPDUs and will drop all other frames. The purpose of the blocking state is to prevent the use of looped paths. All ports are in a blocking state by default when the switch is powered up.

Listening  The port listens to BPDUs to make sure no loops occur on the network before passing data frames. A port in listening state prepares to forward data frames without populating the MAC address table.

Learning  The switch port listens to BPDUs and learns all the paths in the switched network. A port in learning state populates the MAC address table but doesn’t forward data frames. Forward delay is the time it takes to transition a port from listening to learning mode. It’s set to 15 seconds by default.

Forwarding  The port sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the learning state, it enters the forwarding state.

Disabled  A port in the disabled state (administratively) does not participate in the frame forwarding or STP. A port in the disabled state is virtually nonoperational.

Switches populate the MAC address table in learning and forwarding modes only. Switch ports are usually in either the blocking or forwarding state.
A forwarding port is one that has been determined to have the lowest (best) cost to the root bridge. But when and if the network experiences a topology change because of a failed link or when someone adds a new switch into the mix, you’ll find the ports on a switch in the listening and learning states. As I mentioned, blocking ports is a strategy for preventing network loops. Once a switch determines the best path to the root bridge, all other redundant ports will be in blocking mode. Blocked ports can still receive BPDUs—they just don’t send out any frames. If a switch determines that a blocked port should now be the designated, or root, port, say because of a topology change, the port will respond by going into listening mode and check all the BPDUs it receives to ensure that it won’t create a loop once the port goes back into forwarding mode.

STP Convergence

Convergence is what happens when all the ports on bridges and switches have transitioned to either forwarding or blocking modes. During this phase, no data will be forwarded until the convergence event is complete. Plus, before data can begin being forwarded again, all devices must be updated. Yes—you read that right: When STP is converging, all host data stops transmitting! So if you want to remain on speaking terms with your network’s users (or remain employed for any length of time), you positively must make sure that your switched network is physically designed really well so that STP can converge quickly and painlessly. Figure 11.11 demonstrates a really great way to design and implement your switched network so that STP converges efficiently.
Figure 11.11 An optimal hierarchical switch design (a 6500 core switch as the STP root bridge with priority 4096, 3560 distribution switches with bridge priority 8192, and 2960 access switches below them; create the core switch as STP root for fastest STP convergence)

Convergence is truly important because it ensures that all devices are in either the forwarding mode or the blocking mode. But as I’ve drilled into you, it does cost you some time. It usually takes 50 seconds to go from blocking to forwarding mode, and I don’t recommend changing the default STP timers. (You can adjust those timers if you really have to.) By creating your physical switch design in a hierarchical manner, as shown in Figure 11.11, you can make your core switch the STP root. This makes everyone happy because it makes STP convergence happen fast.

Because the typical spanning-tree topology’s time to convergence from blocking to forwarding on a switch port is 50 seconds, it can create time-out problems on your servers or hosts—like when you reboot them. To address this hitch, you can disable spanning tree on individual ports.

Rapid Spanning Tree Protocol 802.1w

How would you like to have a good STP configuration running on your switched network (regardless of the brand of switches) but instead of taking 50 seconds to converge, the switched network can converge in about 5 seconds, or maybe even less. How does that sound? Absolutely—yes, we want this! Well then, welcome to the world of Rapid Spanning Tree Protocol (RSTP). RSTP was not designed to be a “brand-new” protocol but more of an evolution of the 802.1d standard, with faster convergence time when a topology change occurs. Backward compatibility was a must when 802.1w was created.
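To show how STP decides which redundant port ends up blocking and why the Figure 11.11 advice about root priority matters, here is an added example in Python that is not code from the book: a simplified spanning-tree algorithm over a constructed core/distribution triangle. It elects the root by lowest bridge ID, picks each switch’s root port by root path cost, chooses one designated port per link, blocks the rest, and then repeats the computation with the core’s priority lowered to 4096. Switch names, MAC addresses, port names, and path costs are all constructed for the example.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID compares priority first, then MAC address; the lowest wins."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    cost: int  # STP path cost of the link (constructed: 4 per link here)


def elect_root(bridges: dict) -> str:
    """The switch with the lowest bridge ID becomes the root bridge."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges: dict, links: list, root: str) -> dict:
    """Dijkstra over link costs: cheapest path from every switch to the root."""
    adj = {name: [] for name in bridges}
    for l in links:
        adj[l.a].append((l.b, l.cost))
        adj[l.b].append((l.a, l.cost))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost.get(node, float("inf")):
            continue
        for nbr, w in adj[node]:
            if c + w < cost.get(nbr, float("inf")):
                cost[nbr] = c + w
                heapq.heappush(heap, (c + w, nbr))
    return cost


def port_roles(bridges: dict, links: list) -> dict:
    """Return {(switch, port): role}; role is 'Root', 'Desg' or 'Altn' (blocked)."""
    root = elect_root(bridges)
    rpc = root_path_costs(bridges, links, root)
    # Root port: the link with the lowest (root path cost, neighbour bridge ID,
    # neighbour port), the same tie-break order STP applies when costs are equal.
    root_port = {}
    for name in bridges:
        if name == root:
            continue
        best = None
        for l in links:
            for me, my_port, nbr, nbr_port in ((l.a, l.a_port, l.b, l.b_port),
                                                (l.b, l.b_port, l.a, l.a_port)):
                if me != name:
                    continue
                key = (l.cost + rpc[nbr], bridges[nbr], nbr_port)
                if best is None or key < best[0]:
                    best = (key, my_port)
        root_port[name] = best[1]
    roles = {}
    for l in links:
        if root_port.get(l.a) == l.a_port:
            roles[(l.a, l.a_port)], roles[(l.b, l.b_port)] = "Root", "Desg"
        elif root_port.get(l.b) == l.b_port:
            roles[(l.b, l.b_port)], roles[(l.a, l.a_port)] = "Root", "Desg"
        else:
            # Neither end reaches the root over this link: the end with the lower
            # (root path cost, bridge ID) is designated and the other end blocks.
            a_wins = (rpc[l.a], bridges[l.a]) < (rpc[l.b], bridges[l.b])
            roles[(l.a, l.a_port)] = "Desg" if a_wins else "Altn"
            roles[(l.b, l.b_port)] = "Altn" if a_wins else "Desg"
    return roles


# Constructed topology: one core switch and two distribution switches in a triangle.
LINKS = [
    Link("Core", "Gi0/1", "Dist1", "Gi0/1", 4),
    Link("Core", "Gi0/2", "Dist2", "Gi0/1", 4),
    Link("Dist1", "Gi0/2", "Dist2", "Gi0/2", 4),
]
DEFAULT_BRIDGES = {  # everyone at the default priority, so the lowest MAC wins
    "Core": BridgeId(32768, "0000.0c11.0003"),
    "Dist1": BridgeId(32768, "0000.0c11.0002"),
    "Dist2": BridgeId(32768, "0000.0c11.0001"),
}
# The Figure 11.11 fix: give the core a priority of 4096 so it becomes the root.
TUNED_BRIDGES = dict(DEFAULT_BRIDGES, Core=BridgeId(4096, "0000.0c11.0003"))


def blocked_ports(bridges: dict) -> list:
    """Ports STP leaves in blocking for this set of bridge IDs."""
    return sorted(k for k, r in port_roles(bridges, LINKS).items() if r == "Altn")


if __name__ == "__main__":
    print("default root:", elect_root(DEFAULT_BRIDGES), blocked_ports(DEFAULT_BRIDGES))
    print("tuned root:  ", elect_root(TUNED_BRIDGES), blocked_ports(TUNED_BRIDGES))
```

With default priorities the distribution switch with the lowest MAC becomes root and the core has to block one uplink; with the core at priority 4096 the blocked port moves to the redundant distribution-to-distribution link, which is the topology Figure 11.11 is after.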
802.1w is defined in these different port states (compared to 802.1d):
■ Disabled = Discarding
■ Blocking = Discarding
■ Listening = Discarding
■ Learning = Learning
■ Forwarding = Forwarding

To verify the spanning-tree type running on your Cisco switch, use the following command:

S1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.29bd.4b80
             Cost        3012
             Port        56 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     001b.2b55.7500
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------
Fa0/3               Desg FWD 3100      128.3    Edge Shr
Fa0/4               Desg FWD 3019      128.4    Edge P2p
Fa0/8               Desg FWD 3019      128.8    P2p
Po1                 Root FWD 3012      128.56   P2p

Since the type output shows Spanning tree enabled protocol ieee, we know we are running the 802.1d protocol. If the output shows RSTP, then you know your switch is running the 802.1w protocol.

Virtual LANs

I know I keep telling you this, but I’ve got to be sure you never forget it, so here I go one last time: By default, switches break up collision domains and routers break up broadcast domains. Okay, I feel better! Now we can move on.

In contrast to the networks of yesterday, which were based on collapsed backbones, today’s network design is characterized by a flatter architecture—thanks to switches. So now what? How do we break up broadcast domains in a pure switched internetwork? By creating a virtual local area network (VLAN), that’s how! A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.
When you create VLANs, you gain the ability to create smaller broadcast domains within a Layer 2 switched internetwork by assigning the various ports on the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcasted onto the network are only switched between the ports logically grouped within the same VLAN.

So, does this mean we no longer need routers? Maybe yes, maybe no—it really depends on what your specific goals and needs are. By default, hosts in a specific VLAN can’t communicate with hosts that are members of another VLAN, so if you want inter-VLAN communication, the answer is yes, you still need a router.

VLAN Basics

Figure 11.12 shows how Layer 2 switched networks are typically designed—as flat networks. With this configuration, every broadcast packet transmitted is seen by every device on the network regardless of whether the device needs to receive that data or not.

FIGURE 11.12 Flat network structure (Host A and Host D connected through switches)

By default, routers allow broadcasts to occur only within the originating network, whereas switches forward broadcasts to all segments. Oh, and by the way, the reason it’s called a flat network is because it’s one broadcast domain, not because the actual design is physically flat. In Figure 11.12, you can see Host A sending out a broadcast and all ports on all switches forwarding it—all except the port that originally received it.

Now check out Figure 11.13. It pictures a switched network and shows Host A sending a frame with Host D as its destination. What’s important to get out of this figure is that the frame is forwarded only out of the port where Host D is located. This is a huge improvement over the old hub networks, unless having one collision domain by default is what you really want. (I’m guessing not!)
FIGURE 11.13 The benefit of a switched network (Host A sends a frame that is forwarded only to Host D)

Okay, you already know that the coolest benefit you gain by having a Layer 2 switched network is that it creates an individual collision domain segment for each device plugged into each port on the switch. But as is often the case, new advances bring new challenges with them. One of the biggest is that the greater the number of users and devices, the more broadcasts and packets each switch must handle. And of course, the all-important issue of security and its demands also must be considered—while simultaneously becoming more complicated!

VLANs present a security challenge because by default, within the typical Layer 2 switched internetwork, all users can see all devices. And you can’t stop devices from broadcasting, plus you can’t stop users from trying to respond to broadcasts. This means your security options are dismally limited to placing passwords on your servers and other devices.

To understand how a VLAN looks to a switch, it’s helpful to begin by first looking at a traditional network. Figure 11.14 shows how a network used to be created using hubs to connect physical LANs to a router.

FIGURE 11.14 Physical LANs connected to a router (hubs for Engineering, Sales, Shipping, Marketing, Finance, and Management, each attached to its own router port)

Here you can see that each network is attached with a hub port to the router (each segment also has its own logical network number, even though this isn’t obvious looking at the figure). Each host attached to a particular physical network has to match that network’s logical network number in order to be able to communicate on the internetwork. Notice that each department has its own LAN, so if we needed to add new users to, let’s say, Sales, we would just plug them into the Sales LAN and they would automatically be part of the Sales collision and broadcast domain.
This design actually did work well for many years. But there was one major flaw: What happens if the hub for Sales is full and we need to add another user to the Sales LAN? Or, what do we do if there’s no more physical space for a new employee where the Sales team is located? Hmmm, well, let’s say there just happens to be plenty of room over in the Finance section of the building. That new Sales team member will just have to sit on the same side of the building as the Finance people, and we’ll just plug the poor soul into the hub for Finance. Simple, right? So wrong! Doing this obviously makes the new user part of the Finance LAN, which is very bad for many reasons. First and foremost, we now have a major security issue. Because the new Sales employee is a member of the Finance broadcast domain, the newbie can see all the same servers and access all network services that the Finance folks can. Second, for this user to access the Sales network services they need to get their job done, they would have to go through the router to log in to the Sales server—not exactly efficient. Now, let’s look at what a switch accomplishes for us. Figure 11.15 demonstrates how switches come to the rescue by removing the physical boundary to solve our problem. It also shows how six VLANs (numbered 2 through 7) are used to create a broadcast domain for each department. Each switch port is then administratively assigned a VLAN membership, depending on the host and which broadcast domain it’s placed in. 
FIGURE 11.15 Switches removing the physical boundary: six VLANs spread across the switches, each with its own subnet (VLAN 2 Marketing 172.16.20.0/24, VLAN 3 Shipping 172.16.30.0/24, VLAN 4 Engineering 172.16.40.0/24, VLAN 5 Finance 172.16.50.0/24, VLAN 6 Management 172.16.60.0/24, VLAN 7 Sales 172.16.70.0/24), with a router that provides inter-VLAN communication and WAN services.

So now if we needed to add another user to the Sales VLAN (VLAN 7), we could just assign the port to VLAN 7 regardless of where the new Sales team member is physically located—nice! This illustrates one of the sweetest advantages to designing your network with VLANs over the old collapsed backbone design. Now, cleanly and simply, each host that needs to be in the Sales VLAN is merely assigned to VLAN 7.

Notice that I started assigning VLANs with VLAN number 2. The number is irrelevant, but you might be wondering what happened to VLAN 1. Well, that VLAN is an administrative VLAN, and even though it can be used for a workgroup, Cisco recommends that you use it for administrative purposes only. You can’t delete or change the name of VLAN 1, and by default, all ports on a switch are members of VLAN 1 until you actually do change them.

Now, because each VLAN is considered a broadcast domain, it’s got to also have its own subnet number (refer again to Figure 11.15). And if you’re also using IPv6, then each VLAN must also be assigned its own IPv6 network number. So you don’t get confused, just keep thinking of VLANs as separate subnets or networks.

Let’s get back to that “because of switches, we don’t need routers anymore” misconception. When looking at Figure 11.15, you can see that there are seven VLANs, or broadcast domains, counting VLAN 1 (not shown in the figure).
The hosts within each VLAN can communicate with each other but not with anything in a different VLAN because the hosts in any given VLAN “think” that they’re actually in a collapsed backbone, illustrated in Figure 11.14. So what handy little device do you think we need to enable the hosts in Figure 11.15 to communicate to a host or hosts on a different VLAN? You guessed it—a router! Those hosts absolutely need to go through a router, or some other Layer 3 device, just as they do when they’re configured for internetwork communication (as shown in Figure 11.14). It works the same way it would if we were trying to connect different physical networks. Communication between VLANs must go through a Layer 3 device. So don’t expect mass router extinction anytime soon!

Quality of Service

Before we dive in further into VLANs, I want to make sure that you have a fundamental understanding of QoS and why it is important. Chapter 20, “Management, Monitoring, and Optimization,” will provide more detail on QoS.

Quality of service (QoS) refers to the way the resources are controlled so that the quality of services is maintained. It’s basically the ability to provide a different priority for one or more types of traffic over other levels; priority is applied to different applications, data flows, or users so that they can be guaranteed a certain performance level. QoS methods focus on one of five problems that can affect data as it traverses network cable:
■ Delay
■ Dropped packets
■ Error
■ Jitter
■ Out-of-order delivery

QoS can ensure that applications with a required bit rate receive the necessary bandwidth to work properly. Clearly, on networks with excess bandwidth, this is not a factor, but the more limited your bandwidth is, the more important a concept like this becomes.

To provide inter-VLAN communication (communication between VLANs), you need to use a router or a Layer 3 switch.
VLAN Memberships

Most of the time, VLANs are created by a system administrator who proceeds to assign switch ports to each one. VLANs of this type are known as static VLANs. If you don’t mind doing a little more work when you begin this process, assign all the host devices’ hardware addresses into a database so your switches can be configured to assign VLANs dynamically anytime you plug a host into a switch. I hate saying things like “obviously,” but obviously, this type of VLAN is known as a dynamic VLAN. I’ll be covering both static and dynamic VLANs next.

Static VLANs

Creating static VLANs is the most common way to create a VLAN, and one of the reasons for that is because static VLANs are the most secure. This security stems from the fact that any switch port you’ve assigned a VLAN association to will always maintain it unless you change the port assignment manually.

Static VLAN configuration is pretty easy to set up and supervise, and it works really well in a networking environment where any user movement within the network needs to be controlled. It can be helpful to use network management software to configure the ports, but you don’t have to use it if you don’t want to. In Figure 11.15, each switch port was configured manually with a VLAN membership based on which VLAN the host needed to be a member of—remember, the device’s actual physical location doesn’t matter one bit as long as the VLAN assignments are correctly configured. Which broadcast domain your hosts become members of is purely up to you. And again, remember that each host also has to have the correct IP address information. For instance, you must configure each host in VLAN 2 into the 172.16.20.0/24 network for them to become members of that VLAN. It’s also a good idea to keep in mind that if you plug a host into a switch, you have to verify the VLAN membership of that port.
If the membership is different than what’s needed for that host, the host won’t be able to gain access to the network services that it needs, such as a workgroup server.

Static access ports are either manually assigned to a VLAN or assigned through a RADIUS server for use with IEEE 802.1x.

Dynamic VLANs

On the other hand, a dynamic VLAN determines a host’s VLAN assignment automatically. Using intelligent management software, you can base VLAN assignments on hardware (MAC) addresses, protocols, or even applications that work to create dynamic VLANs. For example, let’s say MAC addresses have been entered into a centralized VLAN management application and you hook up a new host. If you attach it to an unassigned switch port, the VLAN management database can look up the hardware address and both assign and configure the switch port into the correct VLAN. Needless to say, this makes management and configuration much easier because if a user moves, the switch will simply assign them to the correct VLAN automatically. But here again, there’s a catch—initially, you’ve got to do a lot more work setting up the database. It can be very worthwhile though!

And here’s some more good news: You can use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses to be used for the dynamic addressing of your VLANs. The VMPS database automatically maps MAC addresses to VLANs.

Identifying VLANs

Know that switch ports are Layer 2–only interfaces that are associated with a physical port. A switch port can belong to only one VLAN if it is an access port or all VLANs if it is a trunk port, as I’ll explain in a minute. You can manually configure a port as an access or trunk port, or you can let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switch port mode. DTP does this by negotiating with the port on the other end of the link.

Switches are definitely pretty busy devices.
As frames are switched throughout the network, they’ve got to be able to keep track of all the different port types plus understand what to do with them depending on the hardware address. And remember—frames are handled differently according to the type of link they’re traversing. There are two different types of links in a switched environment: access ports and trunk ports.

Access Ports

An access port belongs to and carries the traffic of only one VLAN. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Any device attached to an access link is unaware of a VLAN membership—the device just assumes it’s part of the same broadcast domain, but it doesn’t have the big picture, so it doesn’t understand the physical network topology at all.

Another good thing to know is that switches remove any VLAN information from the frame before it’s forwarded out to an access-link device. Remember that access-link devices can’t communicate with devices outside their VLAN unless the packet is routed. And you can only create a switch port to be either an access port or a trunk port—not both. So you’ve got to choose one or the other, and know that if you make it an access port, that port can be assigned to one VLAN only.

Voice Access Ports

Not to confuse you, but all that I just said about the fact that an access port can be assigned to only one VLAN is really only sort of true. Nowadays, most switches will allow you to add a second VLAN to an access port on a switch port for your voice traffic; it’s called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic through the same port. Even though this is technically considered to be a different type of link, it’s still just an access port that can be configured for both data and voice VLANs.
This allows you to connect both a phone and a PC device to one switch port but still have each device in a separate VLAN. If you are configuring voice VLANs, you’ll want to configure Quality of Service (QoS) on the switch ports to provide a higher precedence to voice traffic over data traffic to improve sound quality.

Suppose you plug a host into a switch port and users are unable to access any server resources. The two typical reasons this happens are that the port is configured with the wrong VLAN membership or that STP has shut down the port because STP thought there was possibly a loop.

Trunk Ports

Believe it or not, the term trunk port was inspired by the telephone system trunks that carry multiple telephone conversations at a time. So it follows that trunk ports can similarly carry multiple VLANs at a time. A trunk link is a 100Mbps or 1000Mbps point-to-point link between two switches, between a switch and router, or even between a switch and server, and it carries the traffic of multiple VLANs—from 1 to 4,094 VLANs at a time.

Trunking can be a real advantage because with it, you get to make a single port part of a whole bunch of different VLANs at the same time. This is a great feature because you can actually set ports up to have a server in two separate broadcast domains simultaneously so your users won’t have to cross a Layer 3 device (router) to log in and access it. Another benefit of trunking comes into play when you’re connecting switches. Information from multiple VLANs can be carried across trunk links, but by default, if the links between your switches aren’t trunked, only information from the configured VLAN will be switched across that link.

Check out Figure 11.16. It shows how the different links are used in a switched network. All hosts connected to the switches can communicate to all ports in their VLAN because of the trunk link between them.
Remember, if we used an access link between the switches, this would allow only one VLAN to communicate between switches. As you can see, these hosts are using access links to connect to the switch, so they’re communicating in one VLAN only. That means that without a router, no host can communicate outside its own VLAN, but the hosts can send data over trunked links to hosts on another switch configured in their same VLAN.

FIGURE 11.16 Access and trunk links in a switched network: two switches joined by a trunk link, each with hosts on access links in the Red, Blue, and Green VLANs. VLANs can span across multiple switches by using trunk links, which carry traffic for multiple VLANs.

It’s finally time to tell you about the VLAN identification methods.

VLAN Identification Methods

VLAN identification is what switches use to keep track of all those frames as they’re traversing a switch fabric. All of our hosts connect together via a switch fabric in our switched network topology. It’s how switches identify which frames belong to which VLANs, and there’s more than one trunking method: ISL and 802.1q.

Inter-Switch Link (ISL)

Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method (ISL), which allows the switch to identify the VLAN membership of a frame over the trunked link.

By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. ISL functions at Layer 2 by encapsulating a data frame with a new header and cyclic redundancy check (CRC). Of note is that this is proprietary to Cisco switches, and it’s used for Fast Ethernet and Gigabit Ethernet links only. ISL routing is pretty versatile and can be used on a switch port, on router interfaces, and on server interface cards to trunk a server.
IEEE 802.1q

Created by the IEEE as a standard method of frame tagging, IEEE 802.1q works by inserting a field into the frame to identify the VLAN. This is one of the aspects of 802.1q that makes it your only option if you want to trunk between a Cisco switched link and another brand of switch. In a mixed environment, you’ve just got to use 802.1q for the trunk to work!

Unlike ISL, which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information, as shown in Figure 11.17.

FIGURE 11.17 IEEE 802.1q encapsulation with and without the 802.1q tag

Without the tag: Preamble (7 bytes) | Start Frame Delimiter (1 byte) | Destination MAC Address (6 bytes) | Source MAC Address (6 bytes) | Type/Length (2 bytes) | Packet (0–n bytes) | Pad (0–p bytes) | Frame Check Sequence (4 bytes)

With the tag: Preamble (7 bytes) | Start Frame Delimiter (1 byte) | Destination MAC Address (6 bytes) | Source MAC Address (6 bytes) | Type = 802.1Q Tag Type (2 bytes) | Tag Control Information (2 bytes) | Length/Type (2 bytes) | Packet (0–n bytes) | Pad (0–p bytes) | Frame Check Sequence (4 bytes)

The 802.1q field is inserted after the source MAC address, and the CRC must be recalculated. Tag Control Information: 3 bits = User Priority field, 1 bit = Canonical Format Identifier (CFI), 12 bits = VLAN Identifier (VLAN ID).

To meet the exam objectives, it’s really the 12-bit VLAN ID that matters, so keep your focus on it. This field identifies the VLAN and can be 2^12 minus 2 for the 0 and 4,095 reserved VLANs, which means an 802.1q tagged frame can carry information for 4,094 VLANs.

It works like this: You first designate each port that’s going to be a trunk with 802.1q encapsulation. The other ports must be assigned a specific VLAN ID in order for them to communicate. VLAN 1 is the default native VLAN, and when using 802.1q, all traffic for a native VLAN is untagged.
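To make the tag layout of Figure 11.17 concrete, here is an added example (my own code, not from the book or any switch vendor) that inserts and parses the 4-byte 802.1q field, strips it the way a switch does before forwarding out an access port, classifies an arriving frame into a VLAN using the access-port and native-VLAN rules just described, and shows that the frame check sequence changes once the tag is inserted. The frames and MAC addresses are constructed sample data; the FCS is computed as an Ethernet CRC-32 over the frame bytes.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # Type value that announces "an 802.1q tag follows"
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, cfi=0):
    """Build an Ethernet frame (without preamble/SFD/FCS); insert an 802.1q tag
    after the source MAC when vlan_id is given."""
    if not (0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("user priority is 3 bits, CFI is 1 bit")
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:   # 0 = priority-only tag, 4095 is reserved
            raise ValueError("VLAN ID must be 0..4094")
        tci = (pcp << 13) | (cfi << 12) | vlan_id   # 3 + 1 + 12 bits = 2 bytes
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tag, ethertype, payload); tag is None or a dict(pcp, cfi, vid)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return dst, src, tag, ethertype, frame[offset:]


def strip_tag(frame):
    """What a switch does before forwarding out an access link: remove the 4-byte tag."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]


def classify_ingress(frame, port_mode, port_vlan=None, native_vlan=1):
    """Which VLAN an arriving frame belongs to: an access port assigns its own VLAN
    regardless of any tag; a trunk uses the tag's VID, or the native VLAN when the
    frame is untagged (or carries a priority-only tag with VID 0)."""
    tag = parse_frame(frame)[2]
    if port_mode == "access":
        return port_vlan
    if port_mode == "trunk":
        if tag is None or tag["vid"] == 0:
            return native_vlan
        return tag["vid"]
    raise ValueError("port_mode must be 'access' or 'trunk'")


def fcs(frame):
    """Ethernet frame check sequence: CRC-32 of the frame, transmitted least byte first."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


# Constructed sample frames: an IPv4 payload from a Sales host, untagged and tagged VLAN 7.
PAYLOAD = b"\x45" + bytes(19)
UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, PAYLOAD)
TAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, PAYLOAD,
                     vlan_id=7, pcp=5)
```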
The ports that populate the same trunk create a group with this native VLAN, and each port gets tagged with an identification number reflecting that membership. Again the default is VLAN 1. The native VLAN allows the trunks to accept information that was received without any VLAN identification or frame tag.

The basic purpose of ISL and 802.1q frame-tagging methods is to provide inter-switch VLAN communication. Remember that any ISL or 802.1q frame tagging is removed if a frame is forwarded out an access link—tagging is used internally and across trunk links only!

VLAN Trunking Protocol

The basic goals of VLAN Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network. VTP allows you to add, delete, and rename VLANs—and information about those actions is then propagated to all other switches in the VTP domain.

Here’s a list of some of the cool features VTP has to offer:
■ Consistent VLAN configuration across all switches in the network
■ Accurate tracking and monitoring of VLANs
■ Dynamic reporting of added VLANs to all switches in the VTP domain
■ Adding VLANs using plug-and-play

Very nice, but before you can get VTP to manage your VLANs across the network, you have to create a VTP server (really, you don’t need to even do that since all switches default to VTP server mode, but just make sure you have a server). All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. So basically, this means that a switch can share VTP domain information with other switches only if they’re configured into the same VTP domain. You can use a VTP domain if you have more than one switch connected in a network, but if you’ve got all your switches in only one VLAN, you just don’t need to use VTP.
Do keep in mind that VTP information is sent between switches only via a trunk port. Switches advertise VTP management domain information as well as a configuration revision number and all known VLANs with any specific parameters. But there’s also something called VTP transparent mode. In it, you can configure switches to forward VTP information through trunk ports but not to accept information updates or update their VTP databases.

If you’ve got sneaky users adding switches to your VTP domain behind your back, you can include passwords, but don’t forget—every switch must be set up with the same password. And as you can imagine, this little snag can be a real hassle administratively!

Switches detect any added VLANs within a VTP advertisement and then prepare to send information on their trunk ports with the newly defined VLAN in tow. Updates are sent out as revision numbers that consist of summary advertisements. Anytime a switch sees a higher revision number, it knows the information it’s getting is more current, so it will overwrite the existing VLAN database with the latest information.

You should know these requirements for VTP to communicate VLAN information between switches:
■ The VTP management domain name of both switches must be set the same.
■ One of the switches has to be configured as a VTP server.
■ Set a VTP password if used.
■ No router is necessary and a router is not a requirement.

Now that you’ve got that down, we’re going to delve deeper into the world of VTP with VTP modes.

VTP Modes of Operation

Figure 11.18 shows you all three different modes of operation within a VTP domain:

FIGURE 11.18 VTP modes: Server (configuration saved in NVRAM), Client (configuration not saved in NVRAM), and Transparent (configuration saved in NVRAM).

Server

This is the default mode for all Catalyst switches.
You need at least one server in your VTP domain to propagate VLAN information throughout that domain. Also important is that the switch must be in server mode for you to be able to create, add, and delete VLANs in a VTP domain. VLAN information has to be changed in server mode, and any change made to VLANs on a switch in server mode will be advertised to the entire VTP domain. In VTP server mode, VLAN configurations are saved in NVRAM on the switch.

Client

In client mode, switches receive information from VTP servers, but they also receive and forward updates, so in this way they behave like VTP servers. The difference is that they can’t create, change, or delete VLANs. Plus, none of the ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch of the new VLAN and the VLAN exists in the client’s VLAN database. Also good to know is that VLAN information sent from a VTP server isn’t stored in NVRAM, which is important because it means that if the switch is reset or reloaded, the VLAN information will be deleted. Here’s a hint: If you want a switch to become a server, first make it a client so it receives all the correct VLAN information, then change it to a server—so much easier!

Transparent

Switches in transparent mode don’t participate in the VTP domain or share its VLAN database, but they’ll still forward VTP advertisements through any configured trunk links. An admin on a transparent switch can create, modify, and delete VLANs because they keep their own database—one they keep secret from the other switches. Despite being kept in NVRAM memory, the VLAN database in transparent mode is actually only locally significant. The whole purpose of transparent mode is to allow remote switches to receive the VLAN database from a VTP-server-configured switch through a switch that is not participating in the same VLAN assignments.
Do We Really Need to Put an IP Address on a Switch?

The answer is absolutely not! Switches have all ports enabled and ready to rock. Take the switch out of the box, plug it in, and the switch starts learning MAC addresses in the CAM. But since the switches are providing Layer 2 services, why do we need an IP address? Because you still need an IP address for in-band management, which is used with your virtual terminals, that’s why. Telnet, SSH, SNMP, and so on all require IP addresses to communicate with the switch, in-band, through the network. And remember, since all ports are enabled by default, you need to shut down unused ports or assign them to an unused VLAN.

Configuring a switch out-of-band means you’re not going through the network to configure the device; you’re actually using a port, such as a console port, to configure the switch instead. Most of the time, you’ll use the console port upon starting up the switch. After that, all the management will be completed in-band.

So now you know that the switch needs a management IP address for in-band management purposes, but exactly where do you want to place it? Conveniently, there’s something predictably called the management VLAN interface, and that’s clearly your target. It’s a routed interface found on every switch, and it’s referred to as interface VLAN 1. Good to know that this management interface can be changed, and all manufacturers recommend changing it to a different management interface for security purposes.

Yes, you can buy switches that are unmanaged, but you would never ever want to do that for an enterprise network! The only environment in which doing that would make sense is in a home network, but that’s about it. Anything you get for an office or larger network absolutely must be a managed switch!

With all that in mind, let’s get down to configuring a switch now. We’ll begin our configuration by connecting into the switch via the console and setting the administrative functions.
At this point, we’ll also assign an IP address to each switch, but as I said, doing that isn’t really necessary to make our network function. The only reason we’re going to do that is so we can manage/administer it remotely—in-band—via a protocol like telnet. Let’s use a simple IP scheme like 192.168.10.16/28. And by the way, this mask should be familiar to you. Let’s check out the following output:

Switch>enable
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd
S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#speed 1000
S1(config-if)#duplex full
S1(config-if)#line console 0
S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login
S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#ip default-gateway 192.168.10.30
S1(config)#banner motd #this is my S1 switch#
S1(config)#exit
S1#copy run start
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
S1#

In this output, the first thing to notice is that there aren’t any IP addresses configured on the switch’s physical interfaces. Since all ports on a switch are enabled by default, there’s not really a whole lot to configure. But look again—I configured the speed and duplex of port 16 to gigabit, full duplex. Most of the time you would just leave these as autodetect, and I actually recommend doing that.

My next step is to set the console password for out-of-band management and then the VTY (Telnet) password for in-band management. The next task is to set the default gateway of the switch and banner.
So you don’t get confused, I want to clarify that the default gateway is used to send management (in-band) traffic to a remote network so you can manage the switch remotely. Understand this is not the default gateway for the hosts—the default gateway would be the router interface address assigned to each VLAN.

The IP address is configured under a logical interface, called a management domain or VLAN. You can use default VLAN 1 to manage a switched network just as we’re doing here, or you can be smart and opt to use a different VLAN for management.

The preceding configuration demonstrates how to configure the switch for local management, meaning that the passwords to log in to the switch are right there in the switch’s configuration. You can also configure switches and routers to store their usernames and passwords remotely for ease of configuration using an AAA server. Doing this allows you to change the passwords at one device without having to telnet into each device separately to change passwords. To get this done, use the following command:

S1(config)#aaa authentication login default

This tells the switch to use AAA when Telnet or SSH is used for in-band management. This next command tells the switch to use the AAA server if someone is trying to access the console of the switch:

S1(config)#aaa authentication login console

So remember, no IP addresses on physical switch interfaces, no routing protocols there either, and so on. We’re performing Layer 2 switching at this point, not routing!

Port Security

Clearly, it’s a bad idea to have your switches available for anyone to just plug into and play around with. Security is a big deal—even more of a concern regarding wireless security, so why wouldn’t we demand switch security as much, if not more?
But just how do we actually prevent someone from simply plugging a host into one of our switch ports—or worse, adding a hub, switch, or access point into the Ethernet jack in their office? By default, MAC addresses dynamically appear in your MAC forward/filter database, but the good news is that you can stop bad guys in their tracks by using port security! Figure 11.19 pictures two hosts connected to the single switch port Fa0/3 via either a hub or access point (AP).

Figure 11.19: Port security on a switch port restricts port access by MAC address (Host A is refused on Fa0/3, Host B is allowed)

Port Fa0/3 is configured to observe and allow only certain MAC addresses to associate with the specific port, so in this example, Host A is denied access, but Host B is allowed to associate with the port. By using port security, you can limit the number of MAC addresses that can be assigned dynamically to a port, set static MAC addresses, and—here’s my favorite part—set penalties for users who abuse your policy! Personally, I like to have the port shut down when the security policy is violated. Making abusers bring me a memo from their boss explaining why they violated the security policy brings with it a certain poetic justice, which is nice. And I’ll also require something like that before I’ll enable their port again. Things like this really seem to help people remember to behave!

DHCP Snooping

A rogue DHCP server (one not under your control that is giving out incompatible IP addresses) can be an annoyance that causes users to be unable to connect to network resources, or it may play a part in several types of attacks. In either case, DHCP snooping is a switch feature that can help to prevent your devices from communicating with illegitimate DHCP servers. When enabled, DHCP snooping allows responses to client requests from only DHCP servers located on trusted switch ports (which you define).
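To make the port security behaviour described above concrete, here is an added example (my own code, not the book’s and not Cisco’s) that models a secured switch port in Python: a configurable maximum number of MAC addresses, dynamic learning up to that maximum, and the three violation actions Cisco switches offer (protect, restrict, shutdown). The SecurePort class, the port names, and the MAC addresses are all constructed for this example; run_scenario replays the Figure 11.19 situation with Hosts A and B sharing Fa0/3.

```python
"""Port-security model (added example; not the book's or Cisco's code).

A SecurePort learns source MAC addresses dynamically until a configured
maximum is reached.  A frame from an unknown MAC beyond that maximum is a
violation, handled in one of three ways, named after the Cisco IOS modes:
  protect  - drop the frame silently
  restrict - drop the frame and count the violation
  shutdown - put the port into err-disabled state (the author's favourite)
All port names and MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # how many MACs may use this port
    violation: str = "shutdown"         # "protect", "restrict" or "shutdown"
    static_macs: set = field(default_factory=set)   # administratively configured
    learned_macs: set = field(default_factory=set)  # learned from traffic
    violations: int = 0
    err_disabled: bool = False

    def allowed(self) -> set:
        """MACs currently permitted on the port (static plus learned)."""
        return self.static_macs | self.learned_macs

    def receive(self, src_mac: str) -> str:
        """Handle one inbound frame; return what the port did with it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"               # stays down until an admin re-enables it
        if src_mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.maximum:
            self.learned_macs.add(src_mac)   # dynamic learning, like "sticky"
            return "forward"
        # The maximum is already reached: this frame is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "shutdown"
        return "drop"                   # protect and restrict both discard it

    def clear(self) -> None:
        """Admin action: bring an err-disabled port back up."""
        self.err_disabled = False


def run_scenario():
    """Replays Figure 11.19: Hosts A and B reach Fa0/3 through a hub."""
    host_a = "00:0a:00:00:00:0a"        # constructed addresses
    host_b = "00:0b:00:00:00:0b"
    fa0_3 = SecurePort("Fa0/3", maximum=1, violation="shutdown")
    fa0_4 = SecurePort("Fa0/4", maximum=1, violation="restrict")
    log = [
        ("Fa0/3", host_b, fa0_3.receive(host_b)),   # first MAC is learned
        ("Fa0/3", host_a, fa0_3.receive(host_a)),   # second MAC: violation, port shut
        ("Fa0/3", host_b, fa0_3.receive(host_b)),   # even Host B is cut off now
        ("Fa0/4", host_b, fa0_4.receive(host_b)),
        ("Fa0/4", host_a, fa0_4.receive(host_a)),   # dropped and counted
        ("Fa0/4", host_b, fa0_4.receive(host_b)),   # Host B keeps working
    ]
    return log, fa0_3, fa0_4


if __name__ == "__main__":
    for port, mac, action in run_scenario()[0]:
        print(f"{port} {mac} -> {action}")
```

The contrast between Fa0/3 and Fa0/4 is the practical trade-off: shutdown is the strongest deterrent but takes the legitimate host down with the offender until someone clears the port, whereas restrict keeps the legitimate host working and leaves a violation counter you can alert on.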
When only the ports where company DHCP servers are located are configured as trusted, rogue DHCP servers will be unable to respond to client requests. The protection doesn’t stop there, however. The switch will also, over time, develop an IP address to MAC address table called the bindings table, derived from “snooping” on DHCP traffic to and from the legitimate DHCP server. The bindings table will alert the switch to any packets that have mappings that do not match the table. These frames will be dropped. The bindings table is also used with ARP inspection, which makes the configuration of DHCP snooping a prerequisite of ARP inspection.

ARP Inspection

Many man-in-the-middle attacks are made possible by the attacker polluting the ARP cache of the two victims such that their cache maps each other’s IP addresses to the MAC address of the attacker, thus allowing the attacker to receive all traffic in the conversation. Dynamic ARP inspection (DAI) is a feature that, when configured, uses the DHCP snooping database of IP address to MAC address mappings to verify the MAC address mappings of each frame going through the switch. In this way, any frames with incorrect or altered mappings are dropped by the switch, thus breaking any attacks depending on these bogus mappings. Because it uses the DHCP snooping database, the configuration of DHCP snooping is a prerequisite to enabling DAI.

Port Bonding

Know that almost all Ethernet networks today will typically have multiple links between switches because this kind of design provides redundancy and resiliency. On a physical design that includes multiple links between switches, STP will do its job and put a port or ports into blocking mode. In addition to that, routing protocols like OSPF and EIGRP could see all these redundant links as individual ones, depending on the configuration, which can mean an increase in routing overhead. We can gain the benefits from multiple links between switches by using port channeling.
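Because DAI depends on the bindings table that DHCP snooping builds, the two features described above are easiest to understand together. The following added example (my own code, not the book’s and not Cisco’s) models both in Python: server-side DHCP messages are accepted only from trusted ports, ACKs from the trusted server populate a bindings table, and ARP packets from untrusted ports are checked against that table. The SnoopingSwitch and Frame classes, port names, MAC addresses and IP addresses are all constructed for the example.

```python
"""DHCP snooping and dynamic ARP inspection model (added example; not the
book's or Cisco's code).

The switch trusts only the ports you name.  DHCP server messages (OFFER,
ACK) arriving on an untrusted port are dropped, which silences a rogue
server.  ACKs from the trusted server populate the bindings table
(IP -> MAC, client port).  DAI then checks the sender IP/MAC pair inside
every ARP packet from an untrusted port against that table and drops
mismatches, which is what defeats ARP cache poisoning.
All ports, MACs and IPs below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    port: str                 # ingress switch port
    src_mac: str              # Ethernet source address
    kind: str                 # dhcp_discover/request/offer/ack, arp_request/reply
    ip: str = ""              # DHCP ACK: leased address; ARP: sender IP
    client_mac: str = ""      # DHCP ACK: client hardware address (chaddr)


class SnoopingSwitch:
    SERVER_MESSAGES = {"dhcp_offer", "dhcp_ack"}
    CLIENT_MESSAGES = {"dhcp_discover", "dhcp_request"}
    ARP = {"arp_request", "arp_reply"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}       # client MAC -> port it asked from
        self.bindings = {}      # IP -> (MAC, port): the DHCP snooping bindings table
        self.dropped = []       # (reason, frame), what you would see in the logs

    def inspect(self, frame: Frame) -> str:
        """Return "forward" or "drop" for one frame, updating switch state."""
        if frame.kind in self.CLIENT_MESSAGES:
            self.pending[frame.src_mac] = frame.port
            return "forward"
        if frame.kind in self.SERVER_MESSAGES:
            if frame.port not in self.trusted:
                self.dropped.append(("rogue-dhcp-server", frame))
                return "drop"
            if frame.kind == "dhcp_ack":
                client_port = self.pending.get(frame.client_mac, "unknown")
                self.bindings[frame.ip] = (frame.client_mac, client_port)
            return "forward"
        if frame.kind in self.ARP:
            if frame.port in self.trusted:
                return "forward"            # DAI skips trusted ports
            binding = self.bindings.get(frame.ip)
            if binding is None or binding[0] != frame.src_mac:
                self.dropped.append(("arp-binding-mismatch", frame))
                return "drop"
            return "forward"
        return "forward"                    # everything else passes untouched


def run_scenario():
    """A legitimate lease, a rogue DHCP offer, then a bogus ARP reply."""
    server, client, rogue = "00:50:00:00:00:01", "00:c1:00:00:00:02", "00:bb:00:00:00:03"
    sw = SnoopingSwitch(trusted_ports=["Gi0/1"])     # the real DHCP server is on Gi0/1
    frames = [
        Frame("Fa0/2", client, "dhcp_discover"),
        Frame("Fa0/5", rogue, "dhcp_offer", ip="10.0.0.50", client_mac=client),   # rogue server
        Frame("Gi0/1", server, "dhcp_offer", ip="192.168.10.20", client_mac=client),
        Frame("Gi0/1", server, "dhcp_ack", ip="192.168.10.20", client_mac=client),
        Frame("Fa0/2", client, "arp_reply", ip="192.168.10.20"),   # client's own, truthful ARP
        Frame("Fa0/5", rogue, "arp_reply", ip="192.168.10.20"),    # someone else claims that IP
        Frame("Gi0/1", server, "arp_reply", ip="192.168.10.1"),    # trusted port, not inspected
    ]
    results = [sw.inspect(f) for f in frames]
    return results, sw
```

Two details worth noticing in the model mirror real deployments: the DHCP server’s port must be trusted before any lease can be recorded, and hosts that never obtained a lease (static addresses) have no binding, so their ARP traffic would be dropped on an untrusted port unless the port is trusted or a static entry is added.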
EtherChannel is a port channel technology that was originally developed by Cisco as a switch-to-switch technique for grouping several Fast Ethernet or Gigabit Ethernet ports into one logical channel. Also important to note is that once your port channel is up and working, Layer 2 STP and Layer 3 routing protocols will treat those bundled links as a single one, which would stop STP from performing blocking. An additional nice result is that because the routing protocols now only see this as a single link, a single adjacency across the link can be formed—elegant! Figure 11.20 shows how a network would look if we had four connections between switches, before and after configuring port channels.

Figure 11.20: Before and after port channels

Now as usual, there’s the Cisco version and the IEEE version of port channel negotiation protocols to choose from, and you can take your pick. Cisco’s version is called Port Aggregation Protocol (PAgP), and the IEEE 802.3ad standard is called Link Aggregation Control Protocol (LACP). Both versions work equally well, but the way you configure each is slightly different. Keep in mind that both PAgP and LACP are negotiation protocols and that EtherChannel can actually be statically configured without PAgP or LACP. Still, it’s better to use one of these protocols to help with compatibility issues as well as to manage link additions and failures between two switches. Cisco EtherChannel allows us to bundle up to eight active ports between switches. The links must have the same speed, duplex setting, and VLAN configuration—in other words you can’t mix interface types and configurations into the same bundle. Here are a few things to remember:

Port Channeling/Bonding: Refers to combining two to eight Fast Ethernet or Gigabit Ethernet ports together between two switches into one aggregated logical link to achieve more bandwidth and resiliency.
EtherChannel: Cisco’s proprietary term for port channeling.

PAgP: This is a Cisco proprietary port channel negotiation protocol that aids in the automatic creation of EtherChannel links. All links in the bundle must match the same parameters (speed, duplex, VLAN info), and when PAgP identifies matched links, it groups the links into an EtherChannel. This is then added to STP as a single bridge port. At this point, PAgP’s job is to send packets every 30 seconds to manage the link for consistency, any link additions and modifications, and failures.

LACP (802.3ad): This has the exact same purpose as PAgP, but it’s nonproprietary, so it can work between multi-vendor networks.

Two Additional Advanced Features of Switches

Switches really expand our flexibility when we’re designing our networks. The features that we need to cover for the CompTIA Network+ objectives are as follows:
■ Power over Ethernet (PoE)
■ Port mirroring/spanning (local vs remote)

Power over Ethernet (802.3af, 802.3at)

Power over Ethernet (PoE and PoE+) technology describes a system for transmitting electrical power, along with data, to remote devices over standard twisted-pair cable in an Ethernet network. This technology is useful for powering IP telephones (Voice over IP, or VoIP), wireless LAN access points, network cameras, remote network switches, embedded computers, and other appliances—situations where it would be inconvenient, expensive, and possibly not even feasible to supply power separately. One reason for this is that the main wiring usually must be done by qualified and/or licensed electricians for legal and/or insurance mandates. The IEEE has created a standard for PoE called 802.3af, and for PoE+ it’s referred to as 802.3at. This standard describes precisely how a powered device is detected and also defines two methods of delivering Power over Ethernet to a given powered device.
Keep in mind that the PoE+ standard, 802.3at, delivers more power than 802.3af; it is compatible with Gigabit Ethernet over four wire pairs at 30 W. Power delivery happens one of two ways: either by receiving the power from an Ethernet port on a switch (or other capable device) or via a power injector. You can’t use both approaches at once to get the job done, and trying to can lead to serious trouble, so be sure before connecting!

PoE

It would be rare for me not to design a network around PoE. Most of my consulting work is wireless networking, including large outdoor wireless networks. When I design the network, I order equipment based on the amount of power needed to run it, knowing I’ll have only a few electrical outlets, or even no outlets if all my equipment is outside. This means that all my switches must run PoE to my access points and wireless bridges and must do this for long distances. For me to accomplish this, I need to order the more expensive, large-scale enterprise switches. If you have devices that need PoE but do not have long-distance connections, you can use lower-end switches, but you must verify that they provide the right amount of power. There was a customer who called me because their network access points were going up and down. The bottom line is that they had purchased less-expensive switches and there was not enough power to run the equipment. They ended up buying all new switches. So, before you buy a PoE switch, verify that the switch provides the right power for your environment.

Figure 11.21 shows an example of a switch that provides PoE to any PoE-capable device.

Figure 11.21: Switched Ethernet ports can provide power to devices.

As I just said, if you don’t have a switch with PoE, then you can use a power injector. Figure 11.22 shows a picture of a typical power injector physically installed in a network. Use caution when using an external power injector!
Take the time to make sure the power injector provides the voltage level for which your device was manufactured.

Figure 11.22: An external power injector used for PoE (labels: Network Resource, Power Injector, Power Cord, Universal Power Supply, Access Port or Bridge)

Because most higher-end switches provide PoE, we don’t need to worry about injectors, but if you are adding a wireless bridge into an existing network that has switches without PoE, you need to add a power injector. Figure 11.23 shows a power injector used for a wireless bridge.

Figure 11.23: Wireless bridge power injector

Now, let’s discuss how we would troubleshoot a network that has a switch in the LAN instead of a hub.

Port Mirroring/Spanning (SPAN/RSPAN)

Port mirroring, also called Switch Port Analyzer (SPAN) and Remote SPAN, allows you to sniff traffic on a network when using a switch. In Figure 11.24, you can see how a typical switch will read the forward/filter table and only send traffic out the destination port (this is the whole idea of using a switch, so this is good!).

Figure 11.24: Switches send frames out the destination port only (labels: Sniffer, Switch)

All good, but a problem with this arises when you need to sniff traffic on the network. Figure 11.24 illustrates this issue; the sniffer isn’t seeing data coming from Host A to Host B. To solve this little snag, you can temporarily place a hub between Host A and Host B, as demonstrated in Figure 11.25.

Figure 11.25: Place a hub between two hosts to troubleshoot (labels: Sniffer, Hub)

This method will allow you to see the frames sent from Host A to Host B. The bad news, however, is that by doing this, you’ll bring down the network temporarily.
The port-mirroring option allows you to place a port in SPAN mode so that every frame from Host A is captured by both Host B and the sniffer, as shown in Figure 11.26. This would also be a helpful option to take advantage of if you were connecting an IDS or IPS to the switch as well.

Figure 11.26: Port spanning/mirroring (labels: Sniffer, Switch)

Be careful when using port mirroring because it can cause a lot of overhead on the switch and possibly crash your network. Because of this, it’s a really good idea to use this feature at strategic times, and only for short periods if possible.

The last thing I want you to bear in mind is that RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN, which is dedicated for a specific RSPAN session in all participating switches.

Summary

In this chapter, I talked about the differences between switches and bridges and how they both work at Layer 2 and create a MAC address forward/filter table in order to make decisions about whether to forward or flood a frame. I also discussed problems that can occur if you have multiple links between bridges (switches) and how to solve these problems by using the Spanning Tree Protocol (STP). This chapter also introduced you to the world of virtual LANs and described how switches can use them. We talked about how VLANs break up broadcast domains in a switched internetwork—a very important, necessary thing because Layer 2 switches only break up collision domains and, by default, all switches make up one large broadcast domain. I also described access links and went over how trunked VLANs work across a Fast Ethernet link. Trunking is a crucial technology to understand well when you’re dealing with a network populated by multiple switches that are running several VLANs.
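The port mirroring section and the summary both turn on the same switch behaviour: a frame goes out the one port the forward/filter table names, so a sniffer on a third port sees nothing unless a SPAN session copies traffic to it. The following added example (my own code, not the book’s and not Cisco’s) models a three-port switch in Python with address learning, flooding of unknown destinations, filtering, and a local SPAN session; the MirroringSwitch class, port names and MAC addresses are constructed for the example, and run_scenario walks through Figures 11.24 and 11.26.

```python
"""Forward/filter decisions with a SPAN session (added example; not the
book's or Cisco's code).

The MirroringSwitch keeps the MAC forward/filter table the chapter
describes: it learns the source MAC of every frame, floods frames whose
destination is unknown (or broadcast) out every port except the ingress
port, and sends known-destination frames out one port only.  A monitor
session copies frames entering or leaving the monitored source ports to
the SPAN destination port, which otherwise carries no normal traffic.
Port names and MACs are constructed sample values.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class MirroringSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port (address learning)
        self.sessions = {}           # SPAN destination port -> set of source ports

    def monitor_session(self, sources, destination):
        """Equivalent of configuring a local SPAN session."""
        self.sessions[destination] = set(sources)

    def switch_frame(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        self.mac_table[src_mac] = in_port            # learn the source
        span_dests = set(self.sessions)
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            # unknown destination: flood, but never onto a SPAN destination port
            out = {p for p in self.ports if p != in_port and p not in span_dests}
        else:
            out_port = self.mac_table[dst_mac]
            out = set() if out_port == in_port else {out_port}   # filter
        # copy to the sniffer if the frame entered or leaves a monitored port
        for dest, sources in self.sessions.items():
            if in_port in sources or out & sources:
                out.add(dest)
        return sorted(out)


def run_scenario():
    """Figures 11.24 and 11.26: Host A on Fa0/1, Host B on Fa0/2, sniffer on Fa0/3."""
    host_a, host_b = "00:0a:00:00:00:0a", "00:0b:00:00:00:0b"
    sw = MirroringSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    steps = []
    steps.append(sw.switch_frame("Fa0/1", host_a, host_b))  # B unknown: flooded
    steps.append(sw.switch_frame("Fa0/2", host_b, host_a))  # A known: Fa0/1 only
    steps.append(sw.switch_frame("Fa0/1", host_a, host_b))  # B known: sniffer sees nothing
    sw.monitor_session(sources=["Fa0/1"], destination="Fa0/3")
    steps.append(sw.switch_frame("Fa0/1", host_a, host_b))  # mirrored to Fa0/3 too
    steps.append(sw.switch_frame("Fa0/2", host_b, host_a))  # leaving Fa0/1, also mirrored
    return steps, sw
```

The first two steps are the answers to Written Lab questions 6 and 8 in action (unknown destination is flooded, unknown source is learned); the third shows why the sniffer in Figure 11.24 is blind, and the last two show the SPAN copy in both directions, which is also where the extra switch load the text warns about comes from.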
Exam Essentials

Remember the three switch functions. Address learning, forward/filter decisions, and loop avoidance are the functions of a switch.

Understand the main purpose of the Spanning Tree Protocol in a switched LAN. The main purpose of STP is to prevent switching loops in a network with redundant switched paths.

Remember the states of STP. The purpose of the blocking state is to prevent the use of looped paths. A port in the listening state prepares to forward data frames without populating the MAC address table. A port in the learning state populates the MAC address table but doesn’t forward data frames. A port in the forwarding state sends and receives all data frames on the bridged port. Last, a port in the disabled state is virtually nonoperational.

Remember to check a switch port’s VLAN assignment when plugging in a new host. If you plug a new host into a switch, then you must verify the VLAN membership of that port. If the membership is different than what is needed for that host, the host will not be able to reach the needed network services, such as a workgroup server.

Understand what PoE provides. Power over Ethernet was created to provide power to devices that are connected to a switch port but that are not in a place that has a power outlet—for example, an access point in a ceiling.

Written Lab

You can find the answers in Appendix A. Write the answers to the following questions:

1. VLANs break up ________ domains in a Layer 2 switched network.
2. Switches, by default, only break up ________ domains.
3. What does trunking provide?
4. You need to power a device such as an access point or IP phone. What protocol can provide power to these devices over an Ethernet cable?
5. You plug a host into a switch port and the host receives an IP address but the user can’t get to the services it needs. What is probably the problem?
6. If a destination MAC address is not in the forward/filter table, what will the switch do with the frame?
7. What are the three switch functions at Layer 2?
8. If a frame is received on a switch port and the source MAC address is not in the forward/filter table, what will the switch do?
9. What is used at Layer 2 to prevent switching loops?
10. You need to implement a separate network for contractors and guests working at your office. Which technology should you implement?

Review Questions

You can find the answers in Appendix B.

1. You want to improve network performance by increasing the bandwidth available to hosts and limiting the size of the broadcast domains. Which of the following options will achieve this goal?
A. Managed hubs
B. Bridges
C. Switches
D. Switches configured with VLANs

2. The types of ports that can be found on a switch are ___________________ and ___________________. (Choose two.)
A. VLAN Trunk Protocol
B. Access
C. 802.1Q
D. Trunk

3. Which switching technology reduces the size of a broadcast domain?
A. ISL
B. 802.1Q
C. VLANs
D. STP

4. Which of the following are IEEE versions of STP? (Choose two.)
A. 802.1x
B. VLANs
C. 802.1d
D. 802.11
E. 802.1w

5. You connect a host to a switch port, but the new host cannot log into the server that is plugged into the same switch. What could the problem be? (Choose two.)
A. The router is not configured for the new host.
B. The STP configuration on the switch is not updated for the new host.
C. The host has an invalid MAC address.
D. The switch port the host is connected to is not configured to the correct VLAN membership.
E. STP shut down the port.

6. Which of the following are benefits of VLANs? (Choose three.)
A. They increase the size of collision domains.
B. They allow logical grouping of users by function.
C. They can enhance network security.
D. They increase the size of broadcast domains while decreasing the number of collision domains.
E. They simplify switch administration.
F. They increase the number of broadcast domains while decreasing the size of the broadcast domains.

7. Which of the following is a Layer 2 protocol used to maintain a loop-free network?
A. VTP
B. STP
C. RIP
D. CDP

8. What is the result of segmenting a network with a bridge (switch)? (Choose two.)
A. It increases the number of collision domains.
B. It decreases the number of collision domains.
C. It increases the number of broadcast domains.
D. It decreases the number of broadcast domains.
E. It makes smaller collision domains.
F. It makes larger collision domains.

9. You connect your host to a switch that is running network analysis software. However, you are not seeing any packets from the server. What do you need to implement on the switch to see all the packet information?
A. VLANs
B. STP
C. Port mirroring
D. Authentication

10. Which of the following features of a switch will allow two switches to pass VLAN network information?
A. PoE
B. VLANs
C. Trunking
D. STP

11. What are the distinct functions of Layer 2 switching that increase available bandwidth on the network? (Choose three.)
A. Address learning
B. Routing
C. Forwarding and filtering
D. Creating network loops
E. Loop avoidance
F. IP addressing

12. Which of the following statements is true?
A. A switch creates a single collision domain and a single broadcast domain. A router creates a single collision domain.
B. A switch creates separate collision domains but one broadcast domain. A router provides a separate broadcast domain.
C. A switch creates a single collision domain and separate broadcast domains. A router provides a separate broadcast domain as well.
D. A switch creates separate collision domains and separate broadcast domains. A router provides separate collision domains.

13. What does a switch do when a frame is received on an interface and the destination hardware address is unknown or not in the filter table?
A. Forwards the switch to the first available link
B. Drops the frame
C. With the exception of the source port, floods the network with the frame looking for the device
D. Sends back a message to the originating station asking for a name resolution

14. If a switch receives a frame and the source MAC address is not in the MAC address table but the destination address is, what will the switch do with the frame?
A. Discard it and send an error message back to the originating host
B. Flood the network with the frame
C. Add the source address and port to the MAC address table and forward the frame out the destination port
D. Add the destination to the MAC address table and then forward the frame

15. When would you configure VTP on a switch?
A. When you have hubs connected in your network
B. When you have redundant links between switches
C. When you have multiple hosts in multiple VLANs and you want to share all the data between hosts without a router
D. When you have multiple switches with multiple VLANs and you want to share the VLAN database from one switch to all the others

16. When is STP said to be converged on the root bridge? (Choose two.)
A. When all ports are in the forwarding state
B. When all ports are in the blocking state
C. When all ports are in the listening state
D. When all ports are in the learning state

17. In which two states is the MAC address table populated with addresses? (Choose two.)
A. Blocking
B. Listening
C. Learning
D. Forwarding

18. You have multiple departments all connected to switches, with crossover cables connecting the switches together. However, response time on the network is still very slow even though you have upgraded from hubs to switches. What technology should you implement to improve response time on the networks?
A. STP
B. VLANs
C. Convergence
D. OSPF

19. If you are configuring voice VLANs, which of the following should you configure on the switch ports to provide a higher precedence to voice traffic over data traffic to improve sound quality?
A. Access VLANs
B. VTP
C. QoS
D. STP

20. What is a disadvantage of using port spanning?
A. It breaks up broadcast domains on all ports.
B. It can create overhead on the switch.
C. It makes the switch one large collision domain.
D. It makes the switch fast between only two ports instead of all ports.

Chapter 12 Wireless Networking

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 1.7 Differentiate between network infrastructure implementations
■ WLAN
  ■ Hotspot
■ PAN
  ■ Bluetooth
  ■ IR
  ■ NFC (near field communication)

✓ 2.7 Install and configure wireless LAN infrastructure and implement the appropriate technologies in support of wireless capable devices
■ Small office/home office wireless router
■ Wireless access points
■ Device density
■ Roaming
■ Wireless controllers
■ VLAN pooling
■ LWAPP
■ Wireless bridge
■ Site surveys
■ Heat maps
■ Frequencies
■ 2.4 GHz
■ 5.0 GHz
■ Channels
■ Goodput
■ Connection types
  ■ 802.11a-ht
  ■ 802.11g-ht
■ Antenna placement
■ Antenna types
■ Omnidirectional
■ Unidirectional
■ MIMO/MUMIMO
■ Signal strength
■ Coverage
■ Differences between device antennas
■ SSID broadcast
■ Topologies
■ Adhoc
■ Mesh
■ Infrastructure
■ Mobile devices
■ Cell phones
■ Laptops
■ Tablets
■ Gaming devices
■ Media devices

✓ 3.3 Given a scenario, implement network hardening techniques
■ Wireless security
■ WEP
■ WPA/WPA2
■ Enterprise
■ Personal
■ TKIP/AES
■ 802.1x
■ TLS/TTLS
■ MAC filtering

✓ 4.3 Given a scenario, troubleshoot and resolve common wireless issues
■ Open networks
■ Rogue access point
■ MIMO
■ AP placement
■ AP configurations
■ LWAPP
■ Thin vs thick

✓ 5.3 Given a scenario, deploy the appropriate wireless standard
■ 802.11a
■ 802.11b
■ 802.11g
■ 802.11n
■ 802.11ac

While you’re sipping coffee at a café or hanging out in an airport until they finally fix the plane you’re waiting to board, you are no longer limited to just reading actual papers and magazines. Now, you have the option to connect to the local wireless network and catch up on your emails, blog, do a little gaming—maybe even get some work done! It’s come to the point that many of us wouldn’t even think of checking into a hotel that doesn’t offer this important little amenity. So clearly, those of us already in or wishing to enter the IT field better have our chops down regarding wireless network components and their associated installation factors, right? (Answer: a resounding YES!) With that established, here’s a great starting point. If you want to understand the basic wireless LANs (WLANs) most commonly used today, just think 10BaseT Ethernet with hubs. What this means is that our WLANs typically run half-duplex communication—everyone is sharing the same bandwidth, and only one user is communicating at a time. This isn’t necessarily bad; it’s just not good enough. Because most people rely upon wireless networks today, it’s critical that they evolve faster than greased lightning to keep up with our rapidly escalating needs. The good news is that this is actually happening—and it even works securely! The goal in this chapter is to introduce you to wireless networks and the technologies in use today. I’ll also cover the various components used, the IEEE 802.11 standards, wireless installation, and of course, wireless security. To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.
Introduction to Wireless Technology

Transmitting a signal using the typical 802.11 specifications works a lot like it does with a basic Ethernet hub: They’re both two-way forms of communication, and they both use the same frequency to both transmit and receive, often referred to as half duplex as mentioned in the chapter introduction. Wireless LANs (WLANs) use radio frequencies (RFs) that are radiated into the air from an antenna that creates radio waves. These waves can be absorbed, refracted, or reflected by walls, water, and metal surfaces, resulting in low signal strength. So because of this innate vulnerability to surrounding environmental factors, it’s pretty apparent that wireless will never offer us the same robustness as a wired network can, but that still doesn’t mean we’re not going to run wireless. Believe me, we definitely will! We can increase the transmitting power to gain a greater transmitting distance, but doing so can create some nasty distortion, so it has to be done carefully. By using higher frequencies, we can attain higher data rates, but this is, unfortunately, at the cost of decreased transmitting distances. And if we use lower frequencies, we get to transmit greater distances but at lower data rates. This should make it pretty clear to you that understanding all the various types of WLANs you can implement is imperative to creating the LAN solution that best meets the specific requirements of the unique situation you’re dealing with. Also important to note is the fact that the 802.11 specifications were developed so that there would be no licensing required in most countries—to ensure the user the freedom to install and operate without any licensing or operating fees. This means that any manufacturer can create wireless networking products and sell them at a local computer store or wherever.
It also means that all our computers should be able to communicate wirelessly without configuring much, if anything at all. Various agencies have been around for a very long time to help govern the use of wireless devices, frequencies, standards, and how the frequency spectrums are used. Table 12.1 shows the current agencies that help create, maintain, and even enforce wireless standards worldwide.

Table 12.1 Wireless agencies and standards

Agency: Purpose (Website)
Institute of Electrical and Electronics Engineers (IEEE): Creates and maintains operational standards (www.ieee.org)
Federal Communications Commission (FCC): Regulates the use of wireless devices in the US (www.fcc.gov)
European Telecommunications Standards Institute (ETSI): Chartered to produce common standards in Europe (www.etsi.org)
Wi-Fi Alliance: Promotes and tests for WLAN interoperability (www.wi-fi.com)
WLAN Association (WLANA): Educates and raises consumer awareness regarding WLANs (www.wlana.org)

Because WLANs transmit over radio frequencies, they’re regulated by the same types of laws used to govern things like AM/FM radios. In the United States, it’s the Federal Communications Commission (FCC) that regulates the use of wireless LAN devices, and the Institute of Electrical and Electronics Engineers (IEEE) takes it from there and creates standards based on what frequencies the FCC releases for public use. The FCC has released three unlicensed bands for public use: 900MHz, 2.4GHz, and 5GHz. The 900MHz and 2.4GHz bands are referred to as the Industrial, Scientific, and Medical (ISM) bands, and the 5GHz band is known as the Unlicensed National Information Infrastructure (UNII) band. Figure 12.1 shows where the unlicensed bands sit within the RF spectrum. So it follows that if you opt to deploy wireless in a range outside of the three public bands shown in Figure 12.1, you need to get a specific license from the FCC to do so.
Once the FCC opened the three frequency ranges for public use, many manufacturers were able to start offering myriad products that flooded the market, with 802.11b/g/n being the most widely used wireless network found today. Figure 12.2 shows the WLAN history that is important to us. Although wireless transmissions date back many, many years, the type we really care about is wireless as related to WLANs starting in the 1990s. Use of the ISM band started in early 1990, and it’s deployed today in multiple environments, including outdoor links, mesh networks, office buildings, healthcare facilities, warehouses, and homes.

Figure 12.1: Unlicensed frequencies. The RF spectrum from sonar (extremely low) through AM broadcasts, FM broadcasts, cellular (840 MHz), the wireless LAN bands (900 MHz band, 2.4 GHz band, 5 GHz band), infrared, visible light, and X-rays.

Figure 12.2: Wireless LAN history. Speeds climb from 860 Kbps (proprietary 900 MHz network radio) through 1 and 2 Mbps, 11 Mbps, and 54 Mbps (standards-based, 2.4 GHz and 5 GHz); IEEE 802.11 drafting begins 1992; 802.11 ratified 1997; 802.11a and 802.11b ratified 1999; 802.11g ratified 2003; 802.11n Draft 2.0 2007.

802.11ac was released in December 2013, and although it isn’t shown in Figure 12.2, it will be the newest, hottest 802.11 standard in the next few years. I’ll discuss 802.11ac in detail throughout this chapter. The Wi-Fi Alliance grants certification for interoperability among 802.11 products offered by various vendors. This certification provides a sort of comfort zone for the users purchasing the many types of products, although in my personal experience, it’s just a whole lot easier if you buy all your access points from the same manufacturer. In the current US WLAN market, there are several accepted operational standards and drafts created and maintained by the IEEE. We’ll now take a look at these standards and then talk about how the most commonly used standards work.
The 802.11 Standards

Taking off from what you learned in Chapter 1, “Introduction to Networks,” wireless networking has its own 802 standards group—remember, Ethernet’s committee is 802.3. Wireless starts with 802.11, and there are various other up-and-coming standard groups as well, like 802.11ac. And even cellular networks are becoming huge players in our wireless experience. But for now, we’re going to concentrate on the 802.11 standards committee and subcommittees. IEEE 802.11 was the first, original standardized WLAN at 1Mbps and 2Mbps. It runs in the 2.4GHz radio frequency. It was ratified in 1997, although we didn’t see many products pop up until around 1999 when 802.11b was introduced. All the committees listed in Table 12.2 made amendments to the original 802.11 standard except for 802.11f and 802.11t, which produced stand-alone documents.

Table 12.2 802.11 committees and subcommittees

Committee: Purpose
IEEE 802.11a: 54Mbps, 5GHz standard
IEEE 802.11ac: 1Gbps, 5GHz standard
IEEE 802.11b: Enhancements to 802.11 to support 5.5Mbps and 11Mbps
IEEE 802.11c: Bridge operation procedures; included in the IEEE 802.1d standard
IEEE 802.11d: International roaming extensions
IEEE 802.11e: Quality of service
IEEE 802.11f: Inter-Access Point Protocol
IEEE 802.11g: 54Mbps, 2.4GHz standard (backward compatible with 802.11b)
IEEE 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) at 5GHz
IEEE 802.11i: Enhanced security
IEEE 802.11j: Extensions for Japan and US public safety
IEEE 802.11k: Radio resource measurement enhancements
IEEE 802.11m: Maintenance of the standard; odds and ends
IEEE 802.11n: Higher throughput improvements using multiple-input, multiple-output (MIMO) antennas
IEEE 802.11p: Wireless Access for the Vehicular Environment (WAVE)
IEEE 802.11r: Fast roaming
IEEE 802.11s: Extended Service Set (ESS) mesh networking
IEEE 802.11t: Wireless Performance Prediction (WPP)
IEEE 802.11u: Internetworking with non-802 networks (cellular, for example)
IEEE 802.11v: Wireless network management
IEEE 802.11w: Protected management frames
IEEE 802.11y: 3650–3700 MHz operation in the US

One type of wireless networking that doesn’t get a whole lot of attention is infrared wireless. Infrared wireless uses the same basic transmission method as many television remote controls—that’s right, infrared technology. Infrared is used primarily for short-distance, point-to-point communications, like those between a peripheral and a PC, with the most widely used standard for peripherals being IrDA. Now let’s discuss some important specifics of the most popular 802.11 WLANs.

2.4GHz (802.11b)

First on the menu is the 802.11b standard. It was the most widely deployed wireless standard, and it operates in the 2.4GHz unlicensed radio band that delivers a maximum data rate of 11Mbps. The 802.11b standard has been widely adopted by both vendors and customers who found that its 11Mbps data rate worked pretty well for most applications. But now that 802.11b has a big brother (802.11g), no one goes out and just buys an 802.11b card or access point anymore—why would you buy a 10Mbps Ethernet card when you can score a 10/100 Ethernet card for the same price? An interesting thing about all 802.11 WLAN products is that they have the ability to data-rate-shift while moving. This allows the person operating at 11Mbps to shift to 5.5Mbps, then 2Mbps, and finally still communicate farthest from the access point at 1Mbps.
And furthermore, this rate shifting happens without losing the connection and with no interaction from the user. Rate shifting also occurs on a transmission-by-transmission basis. This is important because it means that the access point can support multiple clients at varying speeds depending upon the location of each client.

The problem with all 802.11b communication lies in how the Data Link layer is dealt with. In order to solve problems in the RF spectrum, a variation of Ethernet’s collision handling was created called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). CSMA/CA also has an optional implementation called Request to Send, Clear to Send (RTS/CTS) because of the way that hosts must communicate with the access point (AP). For every packet sent, an RTS/CTS and acknowledgment must be received, and because of this rather cumbersome process, it’s kind of hard to believe it all actually works when you use this! To get a clear picture of this, check out Figure 12.3.

Figure 12.3: 802.11b CSMA/CA (the exchange between source and destination: RTS, CTS, Data, Ack)

2.4GHz (802.11g)

The 802.11g standard was ratified in June 2003 and is backward compatible to 802.11b. The 802.11g standard delivers the same 54Mbps maximum data rate as you’ll find in the 802.11a range but runs in the 2.4GHz range—the same as 802.11b. Because 802.11b/g operates in the same 2.4GHz unlicensed band, migrating to 802.11g is an affordable choice for organizations with existing 802.11b wireless infrastructures. Just keep in mind that 802.11b products can’t be “software upgraded” to 802.11g. This limitation is because 802.11g radios use a different chipset in order to deliver the higher data rate. But still, much like Ethernet and Fast Ethernet, 802.11g products can be commingled with 802.11b products in the same network.
Yet, for example, and completely unlike Ethernet, if you have four users running 802.11g cards and one user starts using an 802.11b card, everyone connected to the same access point is then forced to run the 802.11b CSMA/CA method—an ugly fact that really makes throughput suffer badly. So to optimize performance, it’s recommended that you disable the 802.11b-only modes on all your access points.

To explain this further, 802.11b uses a modulation technique called Direct Sequence Spread Spectrum (DSSS) that’s just not as robust as the Orthogonal Frequency Division Multiplexing (OFDM) modulation used by both 802.11g and 802.11a. 802.11g clients using OFDM enjoy much better performance at the same ranges as 802.11b clients do, but—and remember this—when 802.11g clients are operating at the 802.11b rates (11Mbps, 5.5Mbps, 2Mbps, and 1Mbps), they’re actually using the same modulation 802.11b uses.

So, regarding the throughput of different WLAN standards, you know that 802.11b has a top throughput of 11Mbps, and 802.11g has a top throughput of 54Mbps. But with that said, do you really think we’re actually getting that type of throughput? The answer is absolutely not! This is because in reality, about 70% or more of the RF bandwidth is used for management of the wireless network itself! The actual bandwidth the user experiences using an application is called goodput, even though you won’t hear this term used a lot. Just remember that goodput refers to the actual data throughput, not the theoretical number that the standards describe.

Figure 12.4 shows the 14 different channels (each 22MHz wide) that the FCC released in the 2.4GHz range.

Figure 12.4: ISM 2.4GHz channels (channels 1 through 14, each 22MHz wide, spanning 2.402GHz to 2.483GHz)

In the United States, only 11 channels are configurable, with channels 1, 6, and 11 being non-overlapping. This allows you to have three access points in the same area without experiencing interference. You must be aware of the channels when installing APs in a large environment so you do not overlap channels. Make sure that neighboring APs are not set to the same or overlapping channel numbers! If you configure one AP with channel 1, then the next AP would be configured in channel 11, the channel farthest from that configured on the first AP.

5GHz (802.11a)

The IEEE ratified the 802.11a standard in 1999, but the first 802.11a products didn’t begin appearing on the market until late 2001—and boy, were they pricey! The 802.11a standard delivers a maximum data rate of 54Mbps with 12 non-overlapping frequency channels. Figure 12.5 shows the UNII bands.

Figure 12.5: UNII 5GHz band has 12 non-overlapping channels (US)
Lower Band 5.15–5.25GHz, indoor: channels 36, 40, 44, 48 (center frequencies 5.180, 5.200, 5.220, 5.240GHz)
Middle Band 5.25–5.35GHz, indoor and outdoor: channels 52, 56, 60, 64 (center frequencies 5.260, 5.280, 5.300, 5.320GHz)
Upper Band 5.725–5.825GHz, outdoor: channels 149, 153, 157, 161 (center frequencies 5.745, 5.765, 5.785, 5.805GHz)

Operating in the 5GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4GHz band, like microwave ovens, cordless phones, and Bluetooth devices. 802.11a isn’t backward compatible with 802.11b because they are different frequencies, so you don’t get to just “upgrade” part of your network and expect everything to work together in perfect harmony. But no worries—there are plenty of dual-radio devices that will work in both types of networks. A definite plus for 802.11a is that it can work in the same physical environment without interference from 802.11b users.

Similar to the 802.11b radios, all 802.11a products also have the ability to data-rate-shift while moving. The 802.11a products allow the person operating at 54Mbps to shift to 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, and 9Mbps, and finally, still communicate farthest from the AP at 6Mbps. There’s also an extension to the 802.11a specification called 802.11h, which is described next.

5GHz (802.11h)

The FCC added 11 new channels in February 2004, and in 2008, we were finally able to begin using these channels based on manufacturers’ releases of more 802.11a 5GHz products. This means that we gained access to up to 23 non-overlapping channels! And there are even two new features to the 5GHz radio that are part of the 802.11h specification: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC).

Dynamic Frequency Selection (DFS)
This cool feature continuously monitors a device’s operating range for any radar signals that are allowed to operate in portions of the 5GHz band as well as 802.11a before transmitting. If DFS discovers any radar signals, it’ll either abandon the occupied channel or mark it as unavailable to prevent interference from occurring on the WLAN.

Transmit Power Control (TPC)
Even though it’s been employed by the mobile phone industry for a long time, this technology has some handy new uses. You can set the client machine’s adapter and the access point’s transmit power to cover various size ranges—a feature that’s useful for many reasons. For one, setting the access point’s transmit power to 5mW reduces cell range, which works great if you’ve got a compact area with high-density usage. Further advantages include the fact that TPC enables the client and the access point to communicate with less power. This means the client machine can fine-tune its transmit power dynamically so it uses just enough energy to preserve its connection to the access point and conserve its battery power plus reduce interference on the neighboring WLAN cells—sweet!
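Putting the channel layouts of Figures 12.4 and 12.5 to work, here is an added example (not the book’s code, and not a vendor tool) that checks whether two channels overlap and hands non-overlapping channels to a set of APs whose cells overlap; it goes a little beyond the text by handling the 5GHz UNII channels as well as the 2.4GHz ISM ones. The channel center frequencies are the standard 802.11 values; the AP names and office floor plan are constructed.

```python
"""Channel overlap checks and a simple AP channel planner for the 2.4GHz ISM
and 5GHz UNII layouts described in this chapter.  Added example; it is not the
book's code or any vendor's tool.  Center frequencies are the standard 802.11
values; the office floor plan at the bottom is constructed for illustration."""

# 2.4GHz ISM (Figure 12.4): channels 1-13 sit 5MHz apart starting at 2412MHz,
# channel 14 sits at 2484MHz, and every channel is 22MHz wide.
ISM_WIDTH_MHZ = 22
US_ISM_CHANNELS = tuple(range(1, 12))      # only 1-11 are configurable in the US

# 5GHz UNII, US (Figure 12.5): twelve 20MHz channels that do not overlap.
UNII_WIDTH_MHZ = 20
US_UNII_CHANNELS = (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161)


def center_mhz(band: str, channel: int) -> int:
    """Center frequency in MHz of a channel in band "2.4" or "5"."""
    if band == "2.4":
        if not 1 <= channel <= 14:
            raise ValueError(f"no 2.4GHz channel {channel}")
        return 2484 if channel == 14 else 2412 + 5 * (channel - 1)
    if band == "5":
        if channel not in US_UNII_CHANNELS:
            raise ValueError(f"channel {channel} is not a US UNII channel")
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def overlaps(band: str, a: int, b: int) -> bool:
    """True when the two channels' 22MHz (ISM) or 20MHz (UNII) footprints overlap."""
    width = ISM_WIDTH_MHZ if band == "2.4" else UNII_WIDTH_MHZ
    return abs(center_mhz(band, a) - center_mhz(band, b)) < width


def non_overlapping_channels(band: str) -> list:
    """Walk the usable channels low to high, keeping each one that is clear of
    every channel already kept.  For 2.4GHz this yields the familiar 1, 6, 11."""
    pool = US_ISM_CHANNELS if band == "2.4" else US_UNII_CHANNELS
    chosen = []
    for ch in pool:
        if all(not overlaps(band, ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


def plan_channels(neighbors: dict, band: str) -> dict:
    """Assign each AP a channel so that no two APs whose cells overlap share a
    channel.  `neighbors` maps an AP name to the set of AP names it can hear.
    Returns {} when the band does not have enough clean channels for the plan,
    which in 2.4GHz happens as soon as four APs can all hear each other."""
    pool = non_overlapping_channels(band)
    plan = {}
    # Place the most constrained AP (the one with the most neighbors) first.
    for ap in sorted(neighbors, key=lambda name: -len(neighbors[name])):
        taken = {plan[n] for n in neighbors[ap] if n in plan}
        free = [ch for ch in pool if ch not in taken]
        if not free:
            return {}
        plan[ap] = free[0]
    return plan


def plan_is_clean(plan: dict, neighbors: dict, band: str) -> bool:
    """Verify that no AP shares an overlapping channel with any neighbor."""
    return all(not overlaps(band, plan[ap], plan[n])
               for ap in plan for n in neighbors[ap])


# Constructed floor plan: AP-A, AP-B and AP-C form a triangle where every cell
# overlaps the other two; AP-D is down a corridor and only hears AP-C.
OFFICE = {
    "AP-A": {"AP-B", "AP-C"},
    "AP-B": {"AP-A", "AP-C"},
    "AP-C": {"AP-A", "AP-B", "AP-D"},
    "AP-D": {"AP-C"},
}

if __name__ == "__main__":
    print("2.4GHz non-overlapping:", non_overlapping_channels("2.4"))
    plan = plan_channels(OFFICE, "2.4")
    print("2.4GHz plan:", plan, "clean:", plan_is_clean(plan, OFFICE, "2.4"))
```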
2.4GHz/5GHz (802.11n)

802.11n builds on previous 802.11 standards by adding multiple-input, multiple-output (MIMO), which employs multiple transmitter and receiver antennas to increase data throughput. 802.11n can have up to eight antennas, but most of today’s access points use four. These are sometimes referred to as smart antennas, and if you did have four of them, two would be used for transmitting simultaneously with the other two receiving simultaneously. This setup would allow for much higher data rates than 802.11a/b/g. In fact, the marketing people claim it will provide about 250Mbps, but personally, I’ve never really seen that level of throughput. Even if what they’re saying is true, exactly how would that help if all you’ve got is a 1Mbps or even 20Mbps cable or DSL connection to the Internet?

802.11n allows for communication at both the 2.4GHz and 5GHz frequencies by using channel bonding. Unlike 802.11a and 802.11g, which are locked into using the 5.0GHz and 2.4GHz spectrums, respectively, with 802.11n you can control which of the spectrums (or both) you want to allow in your WLAN!

Listed next are some additional components of 802.11n that give people reason to say 802.11n has greater reliability and predictability:

40MHz Channels
802.11g and 802.11a use 20MHz channels, and tones on the sides of each channel are not used to protect the main carrier, which means that 11Mbps are unused or wasted. 802.11n aggregates two carriers to double the speed from 54Mbps to 108Mbps. Add the 11Mbps that we gain from not wasting the side tones and we have 119Mbps.

MAC Efficiency
802.11 protocols require acknowledgment of each and every frame. 802.11n can pass many packets before an acknowledgment is required, which saves you on overhead. This is called block acknowledgment.

Multiple-Input, Multiple-Output (MIMO)
Several frames are sent by several antennae over several paths and are then recombined by another set of antennae to optimize throughput and multipath resistance. This is called spatial multiplexing.

So What Is Wi-Fi?
You may have seen products that are 802.11 compliant with a small sticker on them that says “Wi-Fi.” You might be able to guess that this rather odd phrase stands for Wireless Fidelity, but you may not know what its implications are. Simply put, that sticker indicates that the product in question has passed certification testing for 802.11 interoperability by the Wi-Fi Alliance. This nonprofit group was formed to ensure that all 802.11a/b/g/n wireless devices would communicate seamlessly. So, Wi-Fi is a good thing.

5GHz (802.11ac)

802.11ac is a Wi-Fi standard that works in the 5GHz range and delivers up to 1Gigabit throughput; it was approved by the 802.11 standards committee in January 2014. Still, just as it is with 802.11n, you won’t find that the speeds described in the standard actually line up with the marketing material. For example, for a single link, which is basically one host to AP, the best throughput you can hope to get would be 500Mbps, which is fantastic if it actually happens! But unless you have a Gigabit Internet connection, 802.11ac won’t really help so much. To be fair, in a small network, or if you’re transferring files in your internal WLAN or to your internal network, this new specification could actually be useful.

At this point, you’re probably wondering how these people can claim to achieve these theoretical rates, right? That’s an excellent question! They get these values by increasing the RF band usage from 20MHz wide channels with 802.11a/b/g to 40MHz with 802.11n and up to 160MHz wide channels with 802.11ac. But again, for typical commercial 802.11ac products, 80MHz would be a lot more realistic. The problem with this scenario centers on the fact that if any interference is found in the 80MHz wide channel, it drops down to 40MHz wide channels. Worse, if interference is still found at that level, it will drop even further down to 20MHz wide channels.

In addition to the wider channels, we can also get more MIMO spatial streams than we can with 802.11n—up to eight where 802.11n only supported four. Furthermore, and optionally, a downlink of multi-user MIMO (MU-MIMO) supports up to four clients and, most important, a modulation of QAM-256 compared to QAM-64 with 802.11a/g. The last thing I want to point out is the fact that 802.11n had added fields in the wireless frame to identify 802.11a and 802.11g as high throughput (HT), whereas 802.11ac adds four fields to identify the frames as very high throughput (VHT).

Comparing 802.11 Standards

Before I move on to wireless installations, take a look at Figure 12.6, which lists, for each of the IEEE standards in use today, the year of ratification as well as the frequency, number of non-overlapping channels, physical layer transmission technique, and data rates. I mentioned earlier that 802.11b runs DSSS, whereas 802.11g and 802.11a both run the OFDM modulation technique (802.11ac runs up to OFDM 256-QAM).

Figure 12.6: Standards for spectrums and speeds

Standard   Ratified  Frequency Band  No. of Channels  Transmission      Data Rates (Mbps)
802.11     1997      2.4GHz          3                IR, FHSS, DSSS    1, 2
802.11b    1999      2.4GHz          3                DSSS              1, 2, 5.5, 11
802.11a    1999      5GHz            Up to 23         OFDM              6, 9, 12, 18, 24, 36, 48, 54
802.11g    2003      2.4GHz          3                DSSS, OFDM        1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54
802.11n    2010      2.4GHz–5GHz     Varies           DSSS, CCK, OFDM   100+
802.11ac   2013      5GHz            Varies           OFDM              1000+

Range Comparisons

Now let’s take a look at Figure 12.7, which delimits the range comparisons of each 802.11 standard and shows these different ranges using an indoor open-office environment as a factor.
(We’ll be using default power settings.)

Figure 12.7: Range comparisons of 802.11 standards (indoor open office at default power: the 802.11b rates of 11, 5.5, 2, and 1Mbps and the 802.11g and 802.11a rates of 54, 48, 36, 24, 18, 12, 9, and 6Mbps plotted against distance from 50 ft. out to 350 ft.)

You can see that to get the full 54Mbps benefit of both 802.11a and 802.11g, you need to be between 50 feet and 100 feet (maximum) away, which will likely be even less if there happens to be any obstructions between the client and the access point. 802.11n gives more distance than all three standards shown in the figure (up to twice the distance), and understand that 802.11ac just won’t give you more distance than 802.11n.

Wireless Network Components

Though it might not seem this way to you right now, wireless networks are less complex than their wired cousins because they require fewer components. To make a wireless network work properly, all you really need are two main devices: a wireless access point and a wireless NIC, the latter of which is typically built into your laptop. This also makes it a lot easier to install a wireless network because, basically, you just need an understanding of these two components in order to do so.

Wireless Access Points

You’ll find a central component—like a hub or switch—in the vast majority of wired networks that serves to connect hosts together and allow them to communicate with each other. It’s the same idea with wireless networks. They also have a component that connects all wireless devices together, only that device is known as a wireless access point (WAP), or just AP. Wireless access points have at least one antenna (typically two for better reception—a solution called diversity, and up to eight to support 802.11ac) and an Ethernet port to connect them to a wired network. Figure 12.8 shows an example of a typical wireless access point.

Figure 12.8: A wireless access point

You can even think of an AP as a bridge between the wireless clients and the wired network. In fact, an AP can be used as a wireless bridge (depending on the settings) to bridge two wired network segments together.

In addition to the stand-alone AP, there is another type of AP that includes a built-in router, which you can use to connect both wired and wireless clients to the Internet (the most popular home brand being Linksys, a division of Cisco). In summation, an AP can operate as a repeater, bridge (switch), or router, depending on its hardware and its implementation. These devices are usually known as (surprise) wireless routers. They’re usually employed as Network Address Translation (NAT) servers by using the one ISP-provided global IP address to multiplex numerous local IP addresses that are generally doled out to inside clients by the wireless router from a pool within the 192.168.x.x range.

Wireless Network Interface Card

Every host that wants to connect to a wireless network needs a wireless Network Interface Card (NIC) to do so. Basically, a wireless NIC does the same job as a traditional NIC, but instead of having a socket to plug some cable into, the wireless NIC has a radio antenna. In addition to the different types of wireless networking (I’ll talk about those in a minute), wireless NICs (like other NICs) can differ in the type of connection they use to connect to the host computer. Figure 12.9 shows an example of a wireless NIC.

Figure 12.9: A wireless NIC

The wireless card shown in Figure 12.9 is used in a desktop PC. There are various options for laptops as well. All new laptops have wireless cards built into the motherboard. These days, it’s pretty rare to use an external wireless client card because all laptops come with them built in, and desktops can be ordered with them too. But it’s good to know that you can still buy the client card shown in Figure 12.9. Typically, you would use cards like the one shown in the figure for areas of poor reception because they can have a better range, depending on the antenna you use, or because you want to upgrade the built-in card to 802.11n/ac.

Wireless Antennas

Wireless antennas act as both transmitters and receivers. There are two broad classes of antennas on the market today: Omni directional (or point-to-multipoint) and directional, or Yagi (point-to-point). Yagi antennas usually provide greater range than Omni antennas of equivalent gain. Why? Because Yagis focus all their power in a single direction, whereas Omnis must disperse the same amount of power in all directions at the same time. A downside to using a directional antenna is that you’ve got to be much more precise when aligning communication points. This is why a Yagi is really only a good choice for point-to-point bridging of access points. It’s also why most APs use Omnis, because often, clients and other APs could be located in any direction at any given moment.

To get a picture of this, think of the antenna on your car. Yes, it’s a non-networking example, but it’s still a good one because it clarifies the fact that your car’s particular orientation doesn’t affect the signal reception of whatever radio station you happen to be listening to. Well, most of the time, anyway. If you’re in the boonies, you’re out of range—something that also applies to the networking version of Omnis. The television aerials that some of us are old enough to remember rotating into a specific direction for a certain channel are examples of Yagi antennas. (How many of you labeled your set-top antenna dial for the actual TV stations you could receive?) Believe it or not, they still look the same to this day!

Both Omnis and Yagis are rated according to their signal gain with respect to an actual or theoretical laboratory reference antenna.
These ratings are relative indicators of the corresponding production antenna’s range. Range is also affected by the bit rate of the underlying technology, with higher bit rates extending shorter distances. Remember, a Yagi will always have a longer range than an equivalently rated Omni, but as I said, the straight-line Yagi will be very limited in its coverage area.

Both antennas are also rated in units of decibel isotropic (dBi) or decibel dipole (dBd), based on the type of reference antenna (isotropic or dipole) of equivalent frequency that was initially used to rate the production antenna. A positive value for either unit of measure represents a gain in signal strength with respect to the reference antenna. Merriam-Webster defines isotropic as “exhibiting properties (as velocity of light transmission) with the same values when measured along axes in all directions.” Isotropic antennas are not able to be produced in reality, but their properties can be engineered from antenna theory for reference purposes.

As a practical example, I’m going to use the Cisco Systems series of Aironet access point (indoor) and bridge (outdoor) antennas. Table 12.3 describes the effect that gain ratings and attempted bit rates have on range limitations.

Table 12.3: Wireless antenna types and ranges

Model            Gain    Indoor range at 1Mbps  Indoor range at 11Mbps  Outdoor range at 2Mbps  Outdoor range at 11Mbps
AIR-ANT2410Y-R   10dBi   800ft                  230ft                   Not specified           Not specified
AIR-ANT1728      5.2dBi  497ft                  142ft                   Not specified           Not specified
AIR-ANT4941      2.2dBi  350ft                  130ft                   Not specified           Not specified
AIR-ANT2506      5.2dBi  Not specified          Not specified           5,000ft                 1,580ft
AIR-ANT24120     12dBi   Not specified          Not specified           24,288ft                7,392ft

It’s pretty much a given that antennas operating with frequencies below 1GHz are measured in dBd while those operating above 1GHz are measured in dBi. But because this rule doesn’t always work definitively, sometimes we have to compare the strength of one antenna measured in dBd with another measured in numerically equivalent dBi in order to determine which one is stronger. This is exactly why it’s important to know that a particular numerical magnitude of dBd is more powerful than the same numerical magnitude of dBi. I know this sounds pretty complicated, but because the relationship between these two values is linear, it really makes the conversion a lot easier than you might think. Here’s how it works: At the same operating frequency, a dipole antenna has about 2.2dB gain over a 0dBi theoretical isotropic antenna, which means you can easily convert from dBd to dBi by adding 2.2 to the dBd rating. Conversely, subtract 2.2 from the dBi rating and you get the equivalent dBd rating.

Armed with what you’ve learned about the difference between Omni and Yagi antennas and the difference between dBd and dBi gain ratings, you should be able to compare the relative range of transmission of one antenna with respect to another based on a combination of these characteristics. For example, the following four antenna ratings are given in relative order from greatest to least range:

■ 7dBd Yagi (equivalent to a 9.2dBi Yagi)
■ 7dBi Yagi (longer range than 7dBi Omni)
■ 4.8dBd Omni (equivalent to a 7dBi Omni)
■ 4.8dBi Omni (equivalent to a 2.6dBd Omni)

If you’re having an intermittent problem with hosts connecting to the wireless network and varying signal strengths at different locations, check your antenna locations in the office or warehouse to make sure you’re getting the best coverage possible.

So now that you understand the basic components involved in a wireless network, it’s time to use what you learned about the standards we use in our everyday home and corporate wireless networks and the different ways that they’re actually installed.
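As an added example (not the book’s or Cisco’s code), here is the dBd/dBi conversion above and the Yagi-beats-Omni rule applied to the chapter’s own four-antenna list, so a mixed-unit pair can be compared the way the text describes. The Antenna class and the function names are this example’s own, not a standard API.

```python
"""Antenna gain conversion and relative-range ranking, following the rules of
thumb given in this chapter: dBi = dBd + 2.2, and a Yagi outranges an Omni of
the same gain.  Added example, not from the book or from Cisco.  The four
antennas at the bottom are the chapter's own comparison list; the Antenna
class and function names are this example's, not a standard API."""
from dataclasses import dataclass

# A dipole has about 2.2dB gain over the theoretical isotropic reference, so a
# given dBd figure is a stronger antenna than the same number quoted in dBi.
DIPOLE_GAIN_OVER_ISOTROPIC_DB = 2.2


def dbd_to_dbi(dbd: float) -> float:
    """Convert a dipole-referenced gain to an isotropic-referenced gain."""
    return round(dbd + DIPOLE_GAIN_OVER_ISOTROPIC_DB, 1)


def dbi_to_dbd(dbi: float) -> float:
    """Convert an isotropic-referenced gain to a dipole-referenced gain."""
    return round(dbi - DIPOLE_GAIN_OVER_ISOTROPIC_DB, 1)


def power_ratio(db: float) -> float:
    """Linear power multiplier, relative to the reference antenna, for a dB gain."""
    return 10 ** (db / 10)


@dataclass(frozen=True)
class Antenna:
    label: str
    gain: float
    unit: str            # "dBi" or "dBd", as printed on the spec sheet
    directional: bool    # True for a Yagi (point-to-point), False for an Omni

    def gain_dbi(self) -> float:
        """Normalise the rating to dBi so mixed-unit antennas can be compared."""
        if self.unit == "dBi":
            return round(self.gain, 1)
        if self.unit == "dBd":
            return dbd_to_dbi(self.gain)
        raise ValueError(f"unknown gain unit {self.unit!r}")

    def gain_dbd(self) -> float:
        return dbi_to_dbd(self.gain_dbi())


def rank_by_range(antennas) -> list:
    """Order antennas from greatest to least expected range.

    Higher normalised gain wins; at equal gain the Yagi wins because it focuses
    its power in one direction instead of dispersing it all around.  The
    chapter's rule only covers an *equivalently rated* Omni, so a higher-gain
    Omni still outranks a lower-gain Yagi here."""
    return sorted(antennas, key=lambda a: (a.gain_dbi(), a.directional), reverse=True)


def stronger(a: Antenna, b: Antenna) -> Antenna:
    """Return whichever of two antennas has more gain, whatever units they quote."""
    return rank_by_range([a, b])[0]


# The chapter's own four-antenna comparison, in the order the text lists them.
CHAPTER_ANTENNAS = [
    Antenna("7dBd Yagi", 7.0, "dBd", True),
    Antenna("7dBi Yagi", 7.0, "dBi", True),
    Antenna("4.8dBd Omni", 4.8, "dBd", False),
    Antenna("4.8dBi Omni", 4.8, "dBi", False),
]

if __name__ == "__main__":
    for ant in rank_by_range(CHAPTER_ANTENNAS):
        print(f"{ant.label:12s} = {ant.gain_dbi():4.1f}dBi = {ant.gain_dbd():4.1f}dBd "
              f"({power_ratio(ant.gain_dbi()):.1f}x the isotropic reference)")
```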
Installing a Wireless Network

Let’s say you just bought a wireless AP for your laptop to use to connect to the Internet. What’s next? Well, that all depends on the type of installation you want to create with your new toys. First, it’s important you understand where to place the AP. For example, you don’t want to place the AP on or near a metal filing cabinet or other obstructions. Once you decide on the AP’s placement, you can configure your wireless network.

There are two main installation types, ad hoc and infrastructure mode, and each 802.11 wireless network device can be installed in one of these two modes, also called service sets.

Ad Hoc Mode: Independent Basic Service Set

This is the easiest way to install wireless 802.11 devices. In this mode, the wireless NICs (or other devices) can communicate directly without the need for an AP. A good example of this is two laptops with wireless NICs installed. If both cards were set up to operate in ad hoc mode, they could connect and transfer files as long as the other network settings, like protocols, were set up to enable this as well. We’ll also call this an independent basic service set (IBSS), which is created as soon as two wireless devices communicate.

To set up a basic ad hoc wireless network, all you need are two wireless NICs and two computers. First (assuming they aren’t built in), install the cards into the computers according to the manufacturer’s directions. During the software installation, you’ll be asked if you want to set up the NIC in ad hoc mode or infrastructure mode. For an ad hoc network, you would obviously go with the ad hoc mode setting. Once that’s done, all you’ve got to do is bring the computers within range (90m–100m) of each other, and voilà—they’ll “see” each other and be able to connect to each other. Figure 12.10 shows an example of an ad hoc wireless network. (Note the absence of an access point.)

Figure 12.10: A wireless network in ad hoc mode

An ad hoc network would not scale well and really is not recommended due to collision and organization issues. With the low costs of APs, this type of network is just not needed today.

Infrastructure Mode: Basic Service Set

The most common use of wireless networking equipment is to give us the wireless equivalent of a wired network. To do this, all 802.11 wireless equipment has the ability to operate in what’s known as infrastructure mode, also referred to as a basic service set (BSS), which is provided by an AP. The term basic service area (BSA) is also used at times to define the area managed by the AP, but BSS is the most common term used to define the cell area.

In infrastructure mode, NICs communicate only with an access point instead of directly with each other as they do when they’re in ad hoc mode. All communication between hosts, plus with any wired portion of the network, must go through the access point. A really important fact to remember is that in this mode, wireless clients actually appear to the rest of the network as though they were standard, wired hosts.

Figure 12.11 shows a typical infrastructure mode wireless network. Pay special attention to the access point and the fact that it’s also connected to the wired network. This connection from the access point to the wired network is called the distribution system (DS) and is referred to as wireless bridging.

When you configure a client to operate in wireless infrastructure mode, you need to understand a couple of basic wireless concepts—namely, SSID and security. The service set identifier (SSID) refers to the unique 32-character identifier that represents a particular wireless network and defines the basic service set. Oh, and by the way, a lot of people use the terms SSID and BSS interchangeably, so don’t let that confuse you!
All devices involved in a particular wireless network must be configured with the same SSID. Good to know is that if you set all your access points to the same SSID, mobile wireless clients can roam around freely within the same network. Doing this creates an extended service set (ESS) and provides more coverage than a single access point. Figure 12.12 shows two APs configured with the same SSID in an office, thereby creating the ESS network.

Figure 12.11: A wireless network in infrastructure mode (wireless clients connect to an access point, which connects through the distribution system, DS, to the Internet)

Figure 12.12: Extended service set (ESS) (two wireless cells, one on channel 1 and one on channel 6, both with SSID Sales, overlapping by 20% and joined by the LAN backbone)

For users to be able to roam throughout the wireless network—from AP to AP without losing their connection to the network—all APs must overlap by 10 percent of their signal or more. To make this happen, be sure the channels on each AP are set differently. And remember, in an 802.11b/g network, there are only three non-overlapping channels (1, 6, 11), so careful design is super important here!

Wireless Controllers

You’d be hard pressed to find an enterprise WLAN that doesn’t use wireless controllers. In fact, every wireless enterprise manufacturer has a controller to manage the APs in the network. By looking at Figure 12.13, you can see the difference between what we call stand-alone APs and the controller solution. In a stand-alone solution, all the APs have a full operating system loaded and running, and each must be managed separately.

Figure 12.13: Stand-alone and controller-based wireless networks (in the stand-alone solution the administrator configures each AP; in the controller-based solution the administrator configures the WLAN controller)

In the controller-based system, the APs are what we refer to as lightweight, meaning they do not have a full operating system running on them. The controller and AP split duties—a solution known as split MAC. APs running with a controller are referred to as lightweight, but you’ll also hear the term thin AP, whereas you’ll hear the term thick when referring to APs that run a full OS.

Take another look at Figure 12.13. You can also see that the administrator isn’t managing each AP independently when using the WLAN controller solution. Instead, the administrator configures the controller, which in turn pushes out the configuration needed for each AP. Controllers allow us to design and implement larger enterprise wireless networks with less time and tedium, which is very important in today’s world!

One feature that also gives controllers the ability to provide a great solution when you’re dealing with a location that’s overloaded with clients is VLAN pooling, or virtual LAN pooling. This is very cool because it allows you to partition a single large wireless broadcast domain into multiple VLANs and then either statically or randomly assign clients into a pool of VLANs. So, all clients get to keep the same SSID and stay connected to the wireless network, even when they roam. They’re just in different broadcast domains.

In order for split MAC to work in a wireless controller network, the APs and controller run a protocol to enable them to communicate. The proprietary protocol that Cisco used was called Lightweight Access Point Protocol (LWAPP), and it’s pictured in Figure 12.14.
FIGURE 12.14 LWAPP (labels: WLAN Controller, LWAPP, AP)

Keep in mind that LWAPP isn't used much these days. A newer, more secure protocol called Control and Provisioning of Wireless Access Points (CAPWAP), which also happens to be nonproprietary, has replaced it and become the standard that most controller manufacturers use today.

Mobile Hot Spots

Let's say you're in a location that doesn't have an AP installed, or they want to charge you for access, and you want to connect your laptop or tablet, or even play a game. What can you do? You've got a couple of options, but they all use the cellular network as the infrastructure. Not to be an ad for AT&T, but Figure 12.15 shows a mobile hot spot device that connects your laptop, tablet, media devices, or even a gaming device to the Internet at decent speeds. Pretty much all cellular vendors sell a version of these hot spots now.

But let's say you don't want to carry yet another device around with you and you just want to use your phone instead. Figure 12.16 shows how I turned my iPhone into an AP for my laptop. First I went to Settings and then chose Personal Hotspot. If that option doesn't show up for you, just give a quick shout to your carrier and have it enabled.

FIGURE 12.15 Mobile hot spot

FIGURE 12.16 iPhone hot spot

I pay very little to AT&T for my AP capability, but I still have to pay for my usage, so I use it only when I'm someplace like an airport and I want security without paying for access to their wireless Internet. Airport wireless hot spots are notoriously slow anyway, and you'd be dead in the water if you intended to use this type of wireless networking for something like gaming, which requires a ton of bandwidth!

Signal Degradation

Something that's really important to consider when installing a wireless network is signal degradation.
Because the 802.11 wireless protocols use radio frequencies, the signal strength varies according to many factors. The weaker the signal, the less reliable the network connection will be, and so the less usable as well. (Think dropped calls!) There are several key factors that affect signal strength:

Distance
This one is definitely on the obvious side—the farther away from the WAP you get, the weaker the signal you get. Most APs have a very limited maximum range that equals less than 100 meters for most systems. You can extend this range to some degree using amplifiers or repeaters, or even by using different antennas.

Walls and Other Barriers
Also easy to imagine is the fact that the more walls and other office barriers a wireless signal has to pass through, the more attenuated (reduced) the signal becomes. Also, the thicker the wall, the more it interrupts the signal. So in an indoor office area with lots of walls, the range of your wireless network could be as low as 25 feet! You really have to be careful where you place your APs!

Protocols Used
This one isn't so apparent, but it certainly is a factor that affects, and can even determine, the range of a wireless LAN. The various wireless 802.11 protocols have different maximum ranges. As discussed earlier, and illustrated in Figure 12.7, the maximum effective range varies quite a bit depending on the 802.11 protocol used. For example, if you have a client running the 802.11g protocol but it connects to an AP running only the 802.11b protocol, you'll only get a throughput of 11Mbps to the client.

Interference
The final factor that affects wireless performance is outside interference. Because 802.11 wireless protocols operate in the 900MHz, 2.4GHz, and 5GHz ranges, interference can come from many sources.
These include wireless devices like Bluetooth, cordless telephones, cell phones, other wireless LANs, and any other device that transmits a radio frequency (RF) near the frequency bands that 802.11 protocols use. Even microwave ovens—a huge adversary of 802.11b and 802.11g—can be serious culprits!

Other Network Infrastructure Implementations

We've discussed hot spots and the wireless LANs (WLANs) created by installing APs, but there are other technologies, like personal area networks (PANs), that create wireless infrastructures, too. By far the best known is the ever-popular Bluetooth, but there are other wireless technologies we can use as well, and we'll take some time to explore these soon. For now, it's back to Bluetooth, which happens to have a fantastic history behind it!

The technology was actually named after a fabled 10th century Viking king, Harald I (Harald "Blatand" Gormsson), who was faced with the challenge of dealing with many disparate tribes; he needed to communicate with them all, and they needed to get along with each other. Blatand, who it's said got his unique nickname due to sporting an unfortunately prominent blue tooth, was having a really tough time getting this to happen. The Viking king was a famously great diplomat possessing a wonderful way with words, and he effectively and nonviolently united ancient Norway and Denmark into a single territory via his powerful communication skills. Incidentally, Blatand just happens to translate into Bluetooth in English.

Fast forward to modern times and a Scandinavian company called Ericsson and a highly gifted technological innovator, Jim Kardach. As one of the founders of Bluetooth, Kardach's challenge was a decent modern-day analogy of the ancient Viking king's—he was faced with making disparate phones, computers, and other devices communicate and cooperate effectively. To answer the challenge, Kardach came up with an elegant technological wireless solution to make all these disparate devices communicate and play well with each other. To come up with an equally cool name for the brilliant innovation, he did some research, discovered the legend of the ancient Viking king, and codenamed the new technology Bluetooth. It stuck! Now all that was left was to create a super slick logo for it. Today's Bluetooth icon is actually the legendary king's initials in ancient Viking runes merged together—how cool is that?

Bluetooth operates in the 2.4GHz range, so while it can cause some interference with 802.11b/g, it's really low power. Plus, the electronics in our WLANs are much better today than they were in the past, so it really isn't much of an issue anymore, and so at last, modern wireless communication works nicely for us today, making our technological lives so much easier!

To delve a little deeper into wireless technologies, the idea of PANs is to allow personal items such as keyboards, mice, and phones to communicate with our PC/laptop/display/TV wirelessly instead of having to use any wires at all—over short distances of up to 30 feet, of course. This idea of the wireless office hasn't quite come to fruition completely yet, but you have to admit that Bluetooth really has helped us out tremendously in our offices and especially in our cars!

There are two other network infrastructure implementations in the PAN area: infrared (IR) and near-field communication (NFC). Like Bluetooth, IR has some history behind it, but the technology's idea only goes back to about 1800, because that's when it was first said that the energy from the sun radiates to Earth in infrared. We can use IR to communicate short range with our devices, like Bluetooth-enabled ones, but it isn't really as popular as Bluetooth to use within network infrastructures.
Unlike Wi-Fi and Bluetooth, infrared wireless signals cannot penetrate walls and only work line-of-sight. Last, the rates are super slow: most transfers are only 115kbps—up to 4Mbps on a really good day!

The last implementation I want to cover is called near-field communication (NFC). For NFC to work, the actual antenna must be smaller than the wavelength on both the transmitter and the receiver. For instance, if you look at a 2.4GHz or 5GHz antenna, they are the exact length of one wavelength for that specific frequency. With NFC, the antenna is about one-quarter the size of the wavelength, which means that the antenna can create either an electric field or a magnetic field but not an electromagnetic field. NFC can be used for wireless communication between devices like smartphones and/or tablets, but you need to be near the device transmitting the RF to pick up the signal—really close. A solid example would be when you're swiping your phone over a QR code.

Installing and Configuring WLAN Hardware

As I said earlier, installing 802.11 equipment is actually fairly simple—remember that there are really only two main types of components in 802.11 networks: APs and NICs. Wireless NIC installation is just like installing any other network card, but nowadays most, if not all, laptops have wireless cards preinstalled, and that's as easy as it gets! And just as with connecting an Ethernet card to a LAN switch, you need the wireless network card to connect to an access point.

The AP installation can be fairly simple as well. Take it out of the box, connect the antenna(e) if necessary, connect the power, and then place the AP where it can reach the highest number of clients. This last part is probably the trickiest, but it really just involves a little common sense and maybe a bit of trial and error. Knowing that walls obstruct the signal means that putting the AP out in the open—even indoors—works better.
And you also know it should be placed away from sources of RF interference, so putting it next to the microwave or phone system is probably a really bad idea, too. Near a metal filing cabinet is also not so good. So just experiment and move your AP around to find the spot that gives you the best signal strength for all the clients that need to use it.

Now that you have the hardware installed, it's time to configure it, right? Let's get started. No worries—configuring your AP and NIC to work together isn't as tricky as it sounds. Most wireless equipment is designed to work almost without configuration, so by default, you can pretty much turn things on and start working. The only things you need to configure are customization settings (name, network address, and so on) and security settings, and even these aren't required. But because I do highly recommend configuring them, I'll take you through that now.

NIC Configuration

Windows XP, Windows Vista, Windows 7/8, and Windows Server 2003/2008/2012 include software to automatically configure a wireless connection, and they do so automatically when you install a wireless NIC—assuming that somehow you have a Windows machine without a wireless NIC installed on the motherboard. And if you have one without a NIC installed, your Windows machine is really old!

Configuring a Windows 7 client is pretty simple, but what do you do if you can't get it to actually work afterward? If this happens to you, searching for the solution could eat up a serious amount of your time! Following these steps could save you from that frustrating quest:

1. To find a wireless network, open Control Panel and choose Network And Internet, Network And Sharing Center, and finally, Connect To A Network. If all is well, you'll get a screen similar to this one.

What I just described was actually the long way to get to that goal.
There's a shortcut: just go to the lower-right corner of your screen and click the signal strength bars with the yellow caution sign that I circled in the screen shot to get the same results!

2. Double-click the network you want to join, and click Connect Anyway, even if it's an unsecured network. You'll then see a screen showing that it's trying to connect.

3. If you're using security, the AP will ask you for your credentials.

4. Check your TCP/IP settings to find out whether you're really connected to the Internet and troubleshoot from there.

AP Configuration

Once you've successfully configured your workstation(s), it's time to move on and configure the AP. There are literally hundreds of different APs out there, and of course, each uses a different method to configure its internal software. The good news is that for the most part, they all follow the same general patterns:

1. First of all, out of the box, the AP should come configured with an IP address that's usually something similar to 192.168.1.1. But check the documentation that comes with the AP to be sure. You can just take the AP out of its box, plug it into a power outlet, and connect it to your network, but in order to manage the AP, you've got to configure its IP address scheme to match your network's.

2. You should receive a DHCP address from the AP when you connect, but if you don't get one, start by configuring a workstation on the wired network with an IP address (192.168.1.2 or similar) and subnet mask on the same subnet as the AP's. You should then be able to connect to the AP to begin the configuration process. Usually, you do this via a web browser or with a manufacturer-supplied configuration program.

3. Once you have successfully connected to the AP, you then get to configure its parameters. Following are the minimum parameters common to APs that you should configure for your AP to work properly. (Remember, typically, an AP works right out of the box, but it is unsecure too!)
SSID
As I talked about earlier, this is the name of the wireless network that your AP will advertise. If this new AP is to be part of an existing wireless network, it needs to be configured with the same SSID as the existing network. In a network with only one AP, you can think of the SSID as the "name" of the AP.

AP IP Addresses
Remember, even though most APs come preconfigured with an IP address, it may not be one that matches the wired network's IP addressing scheme. So it follows that you should configure the AP's IP addresses (including the address, subnet mask, and default gateway addresses) to match the wired network you want it connected to. An AP does not need an IP address to work in your network. The IP address of the AP is used only to manage the AP.

Operating Mode (Access Point or Bridging)
Access points can operate in one of two main modes: Access Point mode or Bridging mode. Access Point mode allows the AP to operate as a traditional access point, giving a wireless client transparent access to a wired network. Alternatively, two APs set to Bridging mode provide a wireless bridge between two wired network segments.

Password
Every access point has some kind of default password that's used to access the AP's configuration. For security reasons, it's a good idea to change this as soon as you can connect to and configure the AP.

Wireless Channel
802.11 wireless networks can operate on different channels to avoid interference. Most wireless APs come set to work on a particular channel from the factory, and you can change it if other networks in the area are using that channel, but be aware that no particular channel is any more secure than another. Wireless stations do not use a channel number as a criterion when seeking a connection. They only pay attention to SSIDs!
WEP/WPA
Although it isn't a requirement per se, I definitely recommend enabling security right from the start, as soon as you turn on the AP. Commercial APs typically come configured as an open network so that it's easy to log in, whereas enterprise APs come unconfigured and don't work until they are configured. WEP and Wi-Fi Protected Access (WPA) allow data to be encrypted before it's sent over the wireless connection, and all configuring entails is enabling it and picking a key to be used for the connections. Simple, easy-to-configure security is certainly worth your time!

So here's what you do: First, you'll be asked to enter one or more human-readable passphrases called shared keys—secret passwords that won't ever be sent over the wire. After entering each one, you'll generally click a button to initiate a one-way hash to produce a WEP key of a size related to the number of bits of WEP encryption you want. Entering the same passphrase on a wireless client causes the hash (not the passphrase) to be sent from the wireless client to the AP during a connection attempt. Most configuration utilities allow you to create multiple keys in case you want to grant someone temporary access to the network but you still want to keep the primary passphrase a secret. You can just delete the key you enabled to permit temporary access once you don't need it anymore, without affecting access by any primary LAN participants.

Here's an example of connecting to a Linksys access point (not a Linksys wireless router, which is a different device):

1. The first screen shows that I've connected using HTTP to configure the device. The IP address of the Linksys AP is 192.168.1.245. If it were a Linksys wireless router instead—the typical home DSL/cable modem wireless connection device around today—then the address would be 192.168.1.1.

2. As you can see, there's no username required, and the password is just admin.
Again, be sure not to leave this login configuration as the default! Once I click OK, I get taken to a screen where I can change my IP address:

3. It isn't vital for an AP to have an IP address, but it comes in handy for management purposes. You can change the IP address as well as the device name from this screen if you want to. I clicked the Wireless tab on top and this screen appeared:

4. From here, you can set the device to run b/g, only g, or even Mixed mode, which happens to be the default. You can also change the SSID from Linksys to another name, and I highly recommend doing this. The AP channel can also be changed, and you can turn off the AP beacons as well, which is also recommended, but understand that if you do this, you'll have to set the new SSID name in each of your clients! Last thing—you can see that by default, there's no encryption. Click the Wireless Security tab, and you'll get this screen:

5. From the pull-down menu, it's clear that security is set to Disabled by default, but no worries, you get to choose from various wireless security options if you want to.

I'll talk more about security after I hammer on about site surveys for a bit—they really are that important!

Site Survey

I want to be sure you're completely clear about where I stand regarding site surveys. They are absolutely and vitally imperative to bringing a premium-quality—or even just a reasonably viable—WLAN into this world! You should carry out a predeployment survey and a postdeployment survey, but keep in mind that your predeployment survey isn't actually your first step in this key process. So, because you positively must know how to formulate and implement a solid site survey, I'm going to walk you through executing the three major steps to doing that effectively.
And just to be really thorough, I'm also going to cover some issues commonly encountered as we progress through these steps.

Information Gathering

This is actually your first step, and during this stage, you must determine three key factors:

■ The scope of the network, including all applications that will be used, data types that will be present, and how sensitive these data types are to delay.
■ The areas that must be covered and the expected capacity at each location.
■ The types of wireless devices that will need to be supported, such as, for example, laptops, iPads/iPhones, IP phones, and barcode readers.

During this phase, a key goal of mine would be to create a coverage model that maps to all areas that need coverage, along with those that don't, and have my client sign off in agreement to this document before I do anything else. You definitely want to do this, too—just trust me!

Predeployment Site Survey

In this phase, I use live APs to verify the optimal distances between their prospective locations. I base this placement on the expected speed at the edge of the cell, the anticipated number of devices, and other information gathered in step 1. Usually, after I get one AP positioned, I'll place the next one based on the distance from the first, with special consideration given to any sources of interference I've found.

Postdeployment Site Survey

I utilize the postdeployment survey phase to confirm and verify that the original design and placements are happily humming along, problem free, when all stations are using the network. This pretty much never happens, so at this point, it's likely changes will need to be made—sometimes, significant ones—in order to optimize the performance of a WLAN operating under full capacity.

Providing Capacity

Now here's a big issue that frequently rears its ugly head: providing enough capacity in areas where many wireless stations will be competing for the airwaves.
Remember that stations share access to the RF environment with all other stations in the BSS, as well as with the AP, so really, the only way to increase capacity is by increasing the number of APs in an area requiring serious density. This can get complicated, but basically, it comes down to placing APs on non-overlapping channels while still sharing the same SSID. Take a look at Figure 12.17 for an example of this scenario.

FIGURE 12.17 Basic coverage

In Figure 12.17, nine APs have been configured in the same area using the three non-overlapping channels in the 2.4GHz frequency (1, 6, and 11). Each shade represents a different channel. Even though the APs on the same channel have been positioned far enough away from one another so that they don't overlap much and/or cause interference, surprisingly, it's actually better if there is some overlap. But bear in mind that the channels should be used in a way that no APs on the same channel overlap in a detrimental way.

Another thing I want to point out that's not so ideal about this arrangement is that all the APs would have to run at full power. This isn't a good way to go because it doesn't give you much fault tolerance at all! So, we've got two problems with our design: lack of overlap and lack of fault tolerance. To address both issues, you need more APs using 802.11a, b, and g, which would get you more channels and provide better throughput, as shown in Figure 12.18. A key benefit to this design is that it would also gain the critical ability to run the APs at less than full power. This allows the controller to strategically boost the power of specific APs in the event of an AP outage in a given area.

When you know exactly the type of applications and activity a WLAN will need to support, you can then determine the data rate that must be attained in a particular area.
Since received signal strength indicator (RSSI), signal-to-noise ratio (SNR), and data rate are correlated, the required data rate will tell you what the required RSSI or SNR should be as seen at the AP from the stations. Keep in mind that stations located at the edge of the cell will automatically drop the data rate and that the data rate will increase as a station moves toward the AP.

FIGURE 12.18 Enterprise design

Multiple Floors

Another special challenge is a multistory building where WLANs are located on all floors. In these conditions, you've got to think about channel usage in a three-dimensional way, and you'll have to play nicely with the other WLANs' administrators to make this work! Facing this scenario, your channel spacing should be deployed as shown in Figure 12.19. To prevent bleed from one floor to another, use semi-directional or patch antennas to control radiation patterns.

Location-Based WLAN

When using a location device such as the Cisco 2710, your restrictions get even tighter. The additional requirements for the location device to operate properly are as follows:

■ APs should be placed at the edge even when they're not needed there for normal coverage purposes so that devices at the edge can be located.
■ The density of APs must be higher. Each AP should be 50 to 70 feet apart—much closer than is normally required.
■ Some APs will need to be set in monitor or scanner mode so that they won't transmit and interfere with other APs.

All of this means that the final placement will be denser and a bit more symmetrical than usual.

Site Survey Tools

As I touched upon at the beginning of our site survey section, there are some highly specialized, very cool site survey tools that can majorly help you achieve your goals.
The AirMagnet Survey and Ekahau Site Survey tools make it possible to do a client walkthrough with the unit running, clicking each location on the map as you go. These tools will gather RSSI and SNR from each AP in range, and at the end of your tour, a global heat map of coverage will be magically displayed, as shown in Figure 12.20.

FIGURE 12.19 A multifloor installation (labels: 2nd Floor and 1st Floor, with APs on Channels 1, 6, and 11 staggered across the two floors)

FIGURE 12.20 A heat map of a building

Wireless Security

So, wireless security is basically nonexistent on access points and clients. The original 802.11 committee just didn't imagine that wireless hosts would one day outnumber bounded media hosts, but that's actually where we're headed now. Also, unfortunately, just as with the IPv4 routed protocol, engineers and scientists didn't include security standards that are robust enough to work in a corporate environment. So we're left with proprietary solution add-ons to aid us in our quest to create a secure wireless network. And no—I'm not sitting here bashing the standards committees, because the security problems we're experiencing were also created by the US government because of export issues with its own security standards. Our world is a complicated place, so it follows that our security solutions would have to be as well.

Wireless Threats

Protection of data and the authentication processes are certainly key threats, but there are other wireless security perils lurking out there as well. We'll dive deeper into the processes and procedures designed to mitigate these dangers in Chapter 14, but I want to briefly discuss them here.

Rogue APs

First, there's the evil we call rogue APs. These are APs that have been connected to your wired infrastructure without your knowledge.
The rogue may have been placed there by a determined hacker who snuck into your facility and put it in an out-of-the-way location or, more innocently, by an employee who just wants wireless access and doesn't get just how dangerous doing this is. Either way, it's just like placing an open Ethernet port out in the parking lot with a sign that says "Corporate LAN access here—no password required!"

Clearly, the worst type of rogue AP is the one some hacker has cleverly slipped into your network. It's particularly nasty because the bad guy probably didn't do it simply to gain access to your network. Nope—the hacker likely did it to entice your wireless clients to disastrously associate with their rogue AP instead! This ugly trick is achieved by placing their AP on a different channel from your legitimate APs and then setting its SSID to match your SSID. Wireless clients identify the network by the SSID, not the MAC address of the AP or the IP address of the AP, so jamming the channel that your AP is on will cause your stations to roam to the bad guy's AP instead. With the proper DHCP software installed on the AP, the hacker can issue the client an address, and once that's been done, the bad guy has basically "kidnapped" your client over to their network and can freely perform a peer-to-peer attack. Believe it or not, this can all be achieved from a laptop while Mr. Hacker simply sits in your parking lot, because there are many types of AP software that will run on a laptop—yikes!

Mitigation

But you're not helpless—one way to keep rogue APs out of the wireless network is to employ a wireless LAN controller (WLC) to manage your APs. This is a nice mitigation technique because APs and controllers communicate using Lightweight Access Point Protocol (LWAPP) or the newer CAPWAP, and it just so happens that one of the message types they share is called Radio Resource Management (RRM).
Basically, your APs monitor all channels by momentarily switching from their configured channel and collecting packets to check for rogue activity. If an AP is detected that isn't managed by the controller, it's classified as a rogue, and if a wireless control system is in use, that rogue can be plotted on a floor plan and located. Another great benefit of this mitigation approach is that it enables your APs to prevent workstations from associating with the newly exposed rogue.

Ad Hoc Networks

As you already know, ad hoc networks are created peer to peer, or directly between stations and not through an AP. This can be a dangerous configuration because there's no corporate security in place, and since these networks are often created by unsophisticated users, you end up with the scenario I just described that's primed for, and wide open to, a peer-to-peer attack. Even uglier, if the laptop happens to connect to the corporate LAN through an Ethernet connection at the same time the ad hoc network is created, the two connections could be bridged by a hacker to gain access straight up into the wired LAN itself!

Mitigation

When you've got a Cisco Unified Wireless Network (CUWN) in operation, ad hoc networks can be identified over the air by the kind of frames they send, which are different from those belonging to an infrastructure network. When these frames are identified, the CUWN can prevent harmful intrusions by sending out what are known as deauthentication frames to keep your stations from associating via ad hoc mode.

Denial of Service

Not all attacks are aimed at the goal of stealing information. Sometimes the hacker just wants to cause some major network grief, like jamming the frequency where your WLAN lives to cause a complete interruption of service until you manage to ferret out the jamming signal and disable it. This type of assault is known as a denial of service (DoS) attack.

Mitigation

And this is how we deal with them.
First, if someone is jamming the frequency, there isn't much, if anything, you can do. However, many DoS, man-in-the-middle, and penetration attacks operate by deauthenticating, or disassociating, stations from their networks. Some DoS attacks take the form of simply flooding the wireless network with probe requests or association frames, which effectively makes the overwhelmed network unavailable for normal transmissions. These types of management frames are sent unauthenticated and unencrypted. Since deauthentication and disassociation frames are classified as management frames, the Management Frame Protection (MFP) mechanism can be used to prevent the deluge. There are two types of MFP you can use, referred to as infrastructure and client. Let's take a look at each of them now.

Infrastructure Mode

This sweet strategy doesn't require configuration on the station—only the AP. Controllers generate a specific signature for each WLAN, which is added to each management frame it sends, and any attempt to alter this is detected by the MIC in the frame. Therefore, when an AP receives a management frame from an unknown SSID, it reports the event to the controller and an alarm is generated. When an AP receives an MFP-protected frame from an unknown SSID, it queries the controller for the key. If the BSSID isn't recognized by the controller, it will return an "unknown BSSID" message, which causes the AP to drop the frame.

Client Mode

Often rogue APs attempt to impersonate the company AP. With client MFP, all management frames between the AP and the station are protected because clients can detect and drop spoofed or invalid management frames.

Passive Attacks

So far, the attacks I've talked about are in a category referred to as active attacks because in deploying them, the hacker is interacting with stations, the AP, and the network in real time. But beware—there are other ways into the fort!
Passive attacks are most often used to gather information to be used in an active attack a hacker is planning to execute later, and they usually involve wireless sniffing. During a passive attack, the hacker captures large amounts of raw frames to analyze online with sniffing software used to discover a key and decrypt it “on the fly.” Or the data will be analyzed offline, which simply means the bad guy will take the data away and analyze it later.

Mitigation

In addition to the tools already described, you can use an intrusion detection system (IDS) or an intrusion prevention system (IPS) to guard against passive attacks:

IDS  An intrusion detection system (IDS) is used to detect several types of malicious behaviors that can compromise the security and trust of your system. These malicious behaviors include network attacks against vulnerable services; data-driven attacks on applications; host-based attacks like privilege escalation; unauthorized logins; access to sensitive files; and malware like viruses, Trojan horses, and worms.

IPS  An intrusion prevention system (IPS) is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. For example, a network-based IPS will operate inline to monitor all network traffic for malicious code or attacks. When either is detected, it can drop the offending packets while still allowing all other traffic to pass.

Which approach you’ll opt to go with depends on the size of your wireless network and how tight your security needs to be.
The goal of a security mechanism is to provide three features:

■ Confidentiality of the data
■ Data integrity
■ An assured identification process

And when faced with decisions about security, you need to consider these three things:

■ The safety of the authentication process
■ The strength of the encryption mechanism
■ Its ability to protect the integrity of the data

War Driving

It’s a fact—wireless networks are pretty much everywhere these days. You can get your hands on a wireless access point for less than $100.00, and they’re flying off the shelves. You can find APs in public places like shopping malls, coffee shops, airports, and hotels, and in some cities, you can just hang out in a downtown area and zero in on a veritable menu of APs operating in almost every nearby business. Predictably, this proliferation of APs has led to a new hobby for those with enough skill: It’s called war driving. Not for the technologically challenged, war driving involves driving around in a car with a laptop, a wireless NIC, and a high-gain antenna, trying to locate open APs. If one with high-speed Internet access is found, it’s like hitting the jackpot. People do this aided by various software programs and Global Positioning Systems (GPSs) to make their game even easier. But it’s not always innocent—war drivers can be a serious security threat because they can potentially access anything on your wireless LAN as well as anything it’s attached to! Even though they’re not a sinister threat most of the time, realize that in the very least, they’re consuming precious resources from your network. So, if you happen to notice unusually slow-moving vehicles outside your home or business—especially those with computer equipment inside—know that you’re the potential target of a war driver.
A good place to start discussing Wi-Fi security is by talking about the basic security that was incorporated into the original 802.11 standards and why those standards are still way too flimsy and incomplete to help us create a secure wireless network relevant to today’s challenges.

Open Access

All Wi-Fi Certified small-office, home-office (SOHO) wireless LAN products are shipped in “open-access” mode, with their security features turned off. Although open access or no security may be appropriate and acceptable for public hot spots such as coffee shops, college campuses, and maybe airports, it’s definitely not an option for an enterprise organization, and it’s probably not even adequate for your private home network. With what I’ve told you so far, I’m sure you agree that security needs to be enabled on wireless devices during their installation in enterprise environments. Yet surprisingly, many companies actually don’t enable any WLAN security features. Obviously, the companies that do this are exposing their networks to tremendous risk. The reason that the products are shipped with open access is so that any person who knows absolutely nothing about computers can just buy an access point, plug it into their cable or DSL modem, and voilà—they’re up and running. It’s marketing, plain and simple, and simplicity sells.

Service Set Identifiers, Wired Equivalent Privacy, and Media Access Control Address Authentication

What the original designers of 802.11 did to create basic security was to include the use of SSIDs, open or shared-key authentication, static WEP, and optional Media Access Control (MAC) authentication/MAC filtering. Sounds like a lot, but none of these really offer any type of serious security solution—all they may be close to adequate for is use on a common home network. But we’ll go over them anyway.
An SSID is a common network name for the devices in a WLAN system that create the wireless LAN. An SSID prevents access by any client device that doesn’t have the SSID. The thing is, by default, an access point broadcasts its SSID in its beacon many times a second. And even if SSID broadcasting is turned off, a bad guy can discover the SSID by monitoring the network and just waiting for a client response to the access point. Why? Because, believe it or not, that information, as regulated in the original 802.11 specifications, must be sent in the clear—how secure!

If you cannot see an AP when trying to perform a site survey, verify that the AP has SSID beaconing enabled.

Two types of authentication were specified by the IEEE 802.11 committee: open and shared-key authentication. Open authentication involves little more than supplying the correct SSID—but it’s the most common method in use today. With shared-key authentication, the access point sends the client device a challenge-text packet that the client must then encrypt with the correct WEP key and return to the access point. Without the correct key, authentication will fail and the client won’t be allowed to associate with the access point. But shared-key authentication is still not considered secure because all an intruder has to do to get around this is detect both the clear-text challenge and the same challenge encrypted with a WEP key and then decipher the WEP key. Surprise—shared key isn’t used in today’s WLANs because of the clear-text challenge.

With open authentication, even if a client can complete authentication and associate with an access point, the use of WEP prevents the client from sending and receiving data from the access point unless the client has the correct WEP key.
A WEP key is composed of either 40 or 128 bits, and in its basic form, it’s usually statically defined by the network administrator on the access point and all clients that communicate with that access point. When static WEP keys are used, a network administrator must perform the time-consuming task of entering the same keys on every device in the WLAN. Obviously, we now have fixes for this because tackling this would be administratively impossible in today’s huge corporate wireless networks!

Last, client MAC addresses can be statically typed into each access point, allowing MAC filtering, and any frames that show up to the AP without a known MAC address in the filter table will be denied access. Sounds good, but of course all MAC layer information must be sent in the clear—anyone equipped with a free wireless sniffer can just read the client packets sent to the access point and spoof their MAC address. If you have a small number of wireless clients and you don’t want to deploy an encryption-based access method, MAC address filters may be sufficient.

If you cannot connect to an AP and you’ve verified that your DHCP configuration and WEP key are correct, check the MAC address filtering on the AP.

WEP can actually work if administered correctly. But basic static WEP keys are no longer a viable option in today’s corporate networks without some of the proprietary fixes that run on top of WEP. So, what should you use today? The answer lies in the size of your wireless network and how tight your security needs to be. Let’s discuss this further now.

Remote Authentication Dial-In User Service (802.1x)

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that offers us several security benefits: authorization, centralized access, and accounting supervision regarding the users and/or computers that connect to and access our networks’ services.
Once RADIUS has authenticated the user, it allows us to specify the type of rights a user or workstation has, plus control what it, or they, can do within the network. It also creates a record of all access attempts and actions. The provision of authentication, authorization, and accounting is called AAA, which is pronounced just like the automobile insurance company, “triple A,” and it’s part of the IEEE 802.1x security standard. RADIUS has risen to stardom because of its AAA features and is often employed by ISPs, web servers, wireless networks, and APs, as well as network ports—basically, by anybody who wants or needs a AAA server. And these servers are only becoming more critically important in large corporate environments, and that’s because they offer security for wireless networks.

From the Linksys security screen shown earlier, you can see that RADIUS is an available option. If you choose it, you’ll be asked for the IP address of the RADIUS server so the AP can send authentication packets. Figure 12.21 shows how the AP becomes an authenticator when you choose the RADIUS authentication method.

Figure 12.21: RADIUS authentication server. The supplicant operates on the client in the 802.11 network, the access point at the enterprise edge acts as authenticator, and the EAP plug-in goes in the RADIUS authentication server on the enterprise network; only 802.1x traffic is allowed through until authentication completes.

Now, packets must pass through the AP until the user and/or host gets authenticated by the RADIUS server.

Temporal Key Integrity Protocol

Put up a fence, and it’s only a matter of time until bad guys find a way over, around, and through it. And true to form, they indeed found ways to get through WEP’s defenses, leaving our Wi-Fi networks vulnerable—stripped of their Data Link layer security! So someone had to come to the rescue. In this case, it happened to be the IEEE 802.11i task group and the Wi-Fi Alliance, joining forces for the cause.
They came up with a solution called Temporal Key Integrity Protocol (TKIP). The Wi-Fi Alliance unveiled it back in late 2002 and introduced it as Wi-Fi Protected Access (WPA). This little beauty even saved us lots of money because TKIP—say this like “tee kip”—didn’t make us upgrade all our legacy hardware equipment in order to use it. Then, in the summer of 2004, the IEEE put its seal of approval on the final version and added even more defensive muscle with goodies like 802.1x and AES-CCMP (AES-Counter Mode CBC-MAC Protocol) upon publishing IEEE 802.11i-2004. The Wi-Fi Alliance responded positively by embracing the now-complete specification and dubbing it WPA2 for marketing purposes.

A big reason that TKIP doesn’t require buying new hardware to run is because it really just kind of wraps around the preexisting WEP encryption key (which was way too short), and upgrades it a whole lot to much more impenetrable 128-bit encryption. Another reason for TKIP’s innate compatibility is that both its encryption mechanism and the RC4 algorithm used to power and define WEP, respectively, remained the same. But there are still significant differences that help make it the seriously tough shield it is, one of them being that it actually changes each packet’s key. Let me explain: Packet keys are made up of three things: a base key, the transmitting device’s MAC address, and the packet’s serial number. It’s an elegant design because, although it doesn’t place a ton of stress on workstations and APs, it serves up some truly formidable cryptographic force. Here’s how it works: Remember the packet serial number part of the transmission key? Well, it’s not just your average serial number; it’s special—very special.
TKIP-governed transmission ensures that each packet gets its very own 48-bit serial number, which is augmented with a sequence number whenever a new packet gets sent out, and not only serves as part of the key but also acts as the initialization vector. And the good news doesn’t end there—because each packet is now uniquely identified, the collision attacks that used to happen using WEP are also history. Plus, the fact that part of the packet’s serial number is also the initialization vector prevents something called replay attacks. It takes an ice age for a 48-bit value to repeat, so replaying packets from some past wireless connection is just not going to happen; those “recycled” packets won’t be in sequence, but they will be identified, thus preventing the attack.

Now for what may be the truly coolest thing about TKIP keys: the base key. Because each base key that TKIP creates is unique, no one can recycle a commonly known key over and over again to gain access to a formerly vulnerable WEP wireless LAN. This is because TKIP throws the base key into the mix when it assembles each packet’s unique key, meaning that even if a device has connected to a particular access point a bunch of times, it won’t be permitted access again unless it has a completely new key granting it permission. Even the base key itself is a fusion of something called nonces—an assortment of random numbers gleaned from the workstation, the access point, and each of these devices’ MAC addresses, so this should also be referred to as a session secret.

So basically, if you’ve got IEEE 802.1x authentication working for you, rest assured that a session secret absolutely will be transmitted securely to each machine every time it initiates a connection to the wireless LAN by the authentication server—unless you’re using pre-shared keys, that is, because if you happen to be using them, that important session secret always remains the same.
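The two TKIP properties just described, a per-packet key built from the base key, the transmitter’s MAC address and the 48-bit serial number (the TSC), and replay rejection of frames whose serial number does not advance, shown as an added Python example (not code from the book or from any 802.11 implementation). The SHA-256 digest standing in for TKIP’s real S-box key-mixing function, the station MAC and the frame sequence are all constructed for illustration.

```python
"""Added example: TKIP-style per-packet keys and 48-bit sequence-counter replay
detection. Illustrative Python, not the 802.11 TKIP key-mixing function."""
import hashlib

TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1   # it takes an "ice age" for this counter to wrap


def per_packet_key(base_key: bytes, transmitter_mac: bytes, tsc: int) -> bytes:
    """Combine the three inputs the chapter names (base key, transmitter MAC,
    packet serial number) into a 128-bit per-packet key.

    Real TKIP uses a two-phase S-box mixing function; a SHA-256 digest is used
    here as an assumed stand-in to show the property that matters: changing the
    TSC, the MAC, or the base key yields a different per-packet key.
    """
    if len(base_key) != 16 or len(transmitter_mac) != 6:
        raise ValueError("expected a 128-bit base key and a 48-bit MAC address")
    if not 0 <= tsc <= TSC_MAX:
        raise ValueError("TSC must be a 48-bit value")
    material = base_key + transmitter_mac + tsc.to_bytes(6, "big")
    return hashlib.sha256(material).digest()[:16]


class TkipReceiver:
    """Tracks the highest TSC accepted from each transmitter and rejects any
    frame that does not advance it; that is how replayed frames are caught."""

    def __init__(self):
        self.last_tsc = {}   # transmitter MAC -> last accepted TSC

    def accept(self, transmitter_mac: bytes, tsc: int) -> bool:
        if not 0 <= tsc <= TSC_MAX:
            raise ValueError("TSC must be a 48-bit value")
        if tsc <= self.last_tsc.get(transmitter_mac, -1):
            return False          # replayed or duplicated frame: discard it
        self.last_tsc[transmitter_mac] = tsc
        return True


def process_frames(frames):
    """Run a list of (transmitter MAC, TSC) frames through one receiver and
    return one 'accepted' or 'replay' verdict per frame, in order."""
    rx = TkipReceiver()
    return ["accepted" if rx.accept(mac, tsc) else "replay" for mac, tsc in frames]


# Constructed sample traffic: a station sends TSC 1, 2, 3; someone then replays
# the frames with TSC 2 and TSC 1; a later frame with TSC 7 is still fine,
# because lost frames only leave gaps in the sequence, never reversals.
STATION_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    (STATION_MAC, 1), (STATION_MAC, 2), (STATION_MAC, 3),
    (STATION_MAC, 2), (STATION_MAC, 1), (STATION_MAC, 7),
]

if __name__ == "__main__":
    base = bytes(range(16))   # constructed 128-bit base key (session secret)
    for mac, tsc in SAMPLE_FRAMES[:3]:
        print("TSC", tsc, "->", per_packet_key(base, mac, tsc).hex())
    print(process_frames(SAMPLE_FRAMES))
```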
Using TKIP with pre-shared keys is kind of like closing an automatically locking security door but not enabling its security settings and alarm—anyone who knows where the secret latch is can get right in!

Wi-Fi Protected Access or WPA2 Pre-Shared Key

These are both essentially another form of basic security that’s really just an add-on to the specifications. Even though you can totally lock the vault, as I mentioned in the previous section, WPA/WPA2 Pre-Shared Key (PSK) is a better form of wireless security than any other basic wireless security method I’ve talked about so far. And note that I did say basic! But if you are using only MAC address filters and/or WEP, and you find that interlopers are still using your network and dragging down the performance, adding this layer of security should help tremendously since it’s a better form of access control than either of those measures.

Wi-Fi Protected Access (WPA) is a standard developed by the Wi-Fi Alliance, formerly known as the Wireless Ethernet Compatibility Alliance (WECA). WPA provides a standard for authentication and encryption of WLANs that’s intended to solve known security problems. The standard takes into account the well-publicized AirSnort and man-in-the-middle WLAN attacks. So of course we use WPA2 to help us with today’s security issues.

The PSK verifies users via a password or identifying code (also called a passphrase) on both the client machine and the access point. A client gains access to the network only if its password matches the access point’s password. The PSK also provides keying material that TKIP or Advanced Encryption Standard (AES) uses to generate an encryption key for each packet of transmitted data.
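How the passphrase entered on the client and the AP turns into the PSK keying material, as an added Python example (not code from the book). The derivation itself is the one IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output; the 64-character alternative is a hexadecimal raw PSK. The passphrase checker and the sample network name are constructed for illustration.

```python
"""Added example: deriving the WPA/WPA2 pre-shared key from passphrase and SSID,
plus a check of the passphrase ingredients the chapter recommends."""
import hashlib
import string


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for a network.

    Every station that knows the same passphrase and SSID computes exactly the
    same value, which is why the PSK "session secret" never changes on its own.
    A 64-character hexadecimal key (the other form a SOHO AP accepts) is the
    raw 256-bit PSK itself and skips the derivation.
    """
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)
    if not 8 <= len(secret) <= 63 or not secret.isascii() or not secret.isprintable():
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_issues(passphrase: str) -> list:
    """Report which recommended ingredients are missing: the 8-character WPA
    minimum plus a mixture of letters, numbers, and nonalphanumeric characters.
    The wording of the issue strings is this example's own convention."""
    issues = []
    if len(passphrase) < 8:
        issues.append("shorter than the 8-character WPA minimum")
    if not any(c.isalpha() for c in passphrase):
        issues.append("no letters")
    if not any(c.isdigit() for c in passphrase):
        issues.append("no digits")
    if not any(not c.isalnum() for c in passphrase):
        issues.append("no nonalphanumeric characters")
    return issues


if __name__ == "__main__":
    ssid = "ExampleNet"                      # constructed network name
    for candidate in ("password", "CorrectHorse-7!"):
        print(candidate, passphrase_issues(candidate) or "ok",
              wpa_psk(candidate, ssid).hex())
```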
Although more secure than static WEP, PSK still has a lot in common with static WEP in that the PSK is stored on the client station and can be compromised if the client station is lost or stolen (even though finding this key isn’t all that easy to do). It’s a definite recommendation to use a strong PSK passphrase that includes a mixture of letters, numbers, and nonalphanumeric characters.

With WPA, it’s still actually possible to specify the use of dynamic encryption keys that change each time a client establishes a connection. The benefit of WPA over a static WEP key is that WPA can change dynamically while the system is used. WPA is a step toward the IEEE 802.11i standard and uses many of the same components, with the exception of encryption—802.11i (WPA2) uses AES-CCMP encryption. The IEEE 802.11i standard replaced WEP with a specific mode of AES known as the CCMP, as mentioned earlier. This allows AES-CCMP to provide both data confidentiality (encryption) and data integrity. The highest level of wireless encryption you can run is WPA2-AES.

The following screen shows that if you choose WPA2 Personal on the Linksys AP, you can then enter your passphrase—it’s really called WPA2 Pre-Shared Key, but whatever. You have a choice of TKIP or AES as the encryption, and by the way, you can choose up to a 64-character key—pretty tight!

WPA’s mechanisms are designed to be implementable by current hardware vendors, meaning that users should be able to implement WPA on their systems with only a firmware/software modification. The IEEE 802.11i standard has been sanctioned by WPA and is called WPA version 2.

Certificates and PKI

WPA2 can use the Extensible Authentication Protocol (EAP) method for authentication. EAP isn’t a single method but a framework that enhances the existing 802.1x framework.
The EAP framework describes a basic set of actions that will take place, and each EAP type differs in the specifics of how it operates within the framework. These variables include things like whether they use passwords or certificates as well as the ultimate level of security provided. Some of the EAP methods require that certificates be used as the credential during authentication. This means that to implement those methods, you must have a Public Key Infrastructure (PKI) in your network. A PKI requires a certificate server that issues certificates to your users and/or devices. These certificates, which consist of a public/private key pair, must be securely installed on the devices and renewed at regular intervals.

In symmetric encryption, the two encryption keys are the same, just as they are with WEP keys, but in asymmetric encryption, the key used to encrypt is different from the key used to decrypt. In PKI, asymmetric keys are used, and the keys are called a public/private key pair. Certificates bind a public/private key pair generated by a certificate server to a user or computer. As long as two parties trust the same certificate source, called the trusted certificate authority (CA), they can trust the certificate they’re presented with for authentication. These keys can also be used for encryption and as digital signatures. Despite the other uses of public/private keys, our focus here is the use of the certificates as a form of authentication. And as a means of identifying the device or the user, this is considered the highest form of authentication when compared to names and passwords. What all this means is that as long as the AP or controller and the station or user trust the CA that issued the certificates, the certificate is trusted as a means of identification as well.
EAP-TLS

EAP Transport Layer Security (EAP-TLS) is the most secure method, but it’s also the most difficult to configure and maintain. To use EAP-TLS, you must install a certificate on both the authentication server and the client. An authentication server pair of keys and a client pair of keys need to be generated first, signed using a PKI, and installed on the devices. On the station side, the keys can be issued for the machine itself and/or for the user. In the authentication stage, the station, along with the authentication server (RADIUS, etc.), exchange certificates and identify each other. Mutual authentication is a solid, beneficial feature because it ensures that the station is communicating with the proper authentication server. After this process is completed, random session keys are created for encryption.

Tunneled Transport Layer Security (TTLS) provides authentication as strong as EAP-TLS, but it doesn’t require each user to be issued a certificate. Instead, only the servers are issued certificates.

Summary

Like rock ’n’ roll, wireless technologies are here to stay. And for those of us who have come to depend on wireless technologies, it’s actually pretty hard to imagine a world without wireless networks—what did we do before cell phones? So we began this chapter by exploring the essentials and fundamentals of how wireless networks function. Springing off that foundation, I then introduced you to the basics of wireless radio frequencies (RFs) and the IEEE standards. We discussed 802.11 from its inception through its evolution to current and near-future standards, and talked about the subcommittees who create these standards.

All of this led into a discussion of wireless security—or rather, nonsecurity for the most part—which we went over in detail. We finished the chapter by bringing you up to speed on TKIP and WPA/WPA2 security solutions—important tools used to protect the wireless LANs of today.
Exam Essentials

Understand the IEEE 802.11a specification. 802.11a runs in the 5GHz spectrum, and if you use the 802.11h extensions, you have 23 non-overlapping channels. 802.11a can run up to 54Mbps, but only if you are less than 50 feet from an access point.

Understand the IEEE 802.11b specification. IEEE 802.11b runs in the 2.4GHz range and has three non-overlapping channels. It can handle long distances but with a maximum data rate of up to 11Mbps.

Understand the IEEE 802.11g specification. IEEE 802.11g is 802.11b’s big brother and runs in the same 2.4GHz range, but it has a higher data rate of 54Mbps if you are less than 100 feet from an access point.

Remember the wireless LAN modulation techniques. Direct Sequence Spread Spectrum (DSSS) is the most widely used modulation technique, but it has speeds only to 11Mbps. Frequency Hopping Spread Spectrum (FHSS), although it is used in wireless devices like Bluetooth, isn’t the technique of choice for either vendors or the 802.11 working group. To get the higher speeds needed in today’s WLANs, we use Orthogonal Frequency Division Multiplexing (OFDM) in 802.11g/a/n and ac networks.

Understand how WPA works in a WLAN. Wi-Fi Protected Access (WPA) is the security of choice in today’s home and corporate networks. It provides both authentication and encryption (either TKIP or AES); the latest version is WPA2.

Written Lab

You can find the answers in Appendix A. Write the answers to the following questions about wireless networking:

1. What is the maximum data rate of IEEE 802.11b?
2. What is the maximum data rate of IEEE 802.11g?
3. What is the maximum data rate of IEEE 802.11a?
4. What is the frequency range of IEEE 802.11b?
5. What is the frequency range of IEEE 802.11g?
6. What is the frequency range of IEEE 802.11a?
7. What is the possible bandwidth of 802.11ac?
8. Why would we use WPA instead of basic WEP?
9. Which IEEE committee has been sanctioned by WPA and is called WPA2?
10. The IEEE 802.11b/g basic standard has how many non-overlapping channels?

Review Questions

You can find the answers to the review questions in Appendix B.

1. You need to install wireless Internet access in an open warehouse environment. After installing the equipment, the technician notices varying signal strengths throughout the warehouse. How do you make sure there is full coverage?
A. Turn on broadcast key rotation.
B. Change the encryption method used on all the APs.
C. Change the antenna placement.
D. Use channel bonding.
E. Use channel shaping.

2. Which of the following uses a certificate on both the server and client to provide the best wireless security with 802.1x (but is hardest to implement)?
A. AES
B. TTLS
C. TLS
D. TKIP

3. What is the frequency range of the IEEE 802.11g standard?
A. 2.4Gbps
B. 5Gbps
C. 2.4GHz
D. 5GHz

4. Which devices can interfere with the operation of a wireless network because they operate on similar frequencies? (Choose two.)
A. Copier
B. Microwave oven
C. Toaster
D. Cordless phone
E. IP phone
F. AM radio

5. Which wireless standard allows you to channel-bond to increase bandwidth and uses both the 2.4GHz and 5GHz frequencies?
A. 802.11b
B. 802.11g
C. 802.11a
D. 802.11n
E. 802.11ac

6. Which of the following is considered a PAN?
A. AES
B. BSS
C. SSID
D. Bluetooth

7. How many non-overlapping channels are available with 802.11a?
A. 3
B. 12
C. 23
D. 40

8. What is the maximum data rate for the 802.11a standard?
A. 6Mbps
B. 11Mbps
C. 22Mbps
D. 54Mbps

9. You need to install wireless on multiple floors of a large building and maintenance area. What is your first concern before installing the APs?
A. Authentication
B. Encryption
C. Channel overlap
D. AP configuration

10. What is the maximum data rate for the 802.11b standard?
A. 6Mbps
B. 11Mbps
C. 22Mbps
D. 54Mbps

11. You connect a new host to your company’s wireless network. The host is set to receive a DHCP address and the WPA2 key is entered correctly. However, the host cannot connect to the network. What can the problem be?
A. DNS is not configured on the host.
B. MAC filtering is enabled on the AP.
C. The network has run out of wireless connections.
D. The host is enabled to run 802.11b and 802.11g.

12. Which is the highest encryption that WPA2 can use?
A. AES-CCMP
B. PPK via IV
C. PSK
D. TKIP/MIC

13. Which additional configuration step is necessary in order to connect to an access point that has SSID broadcasting disabled?
A. Set the SSID value in the client software to public.
B. Configure open authentication on the AP and the client.
C. Set the SSID value on the client to the SSID configured on the AP.
D. Configure MAC address filtering to permit the client to connect to the AP.

14. Which spread-spectrum technology does the 802.11b standard define for operation?
A. IR
B. DSSS
C. FHSS
D. DSSS and FHSS
E. IR, FHSS, and DSSS

15. Which wireless LAN design ensures that a mobile wireless client will not lose connectivity when moving from one access point to another?
A. Using adapters and access points manufactured by the same company
B. Overlapping the wireless cell coverage by at least 10 percent
C. Configuring all access points to use the same channel
D. Utilizing MAC address filtering to allow the client MAC address to authenticate with the surrounding APs

16. You have installed a point-to-point connection using wireless bridges and Omni directional antennas between two buildings. The throughput is low. What can you do to improve the link?
A. Replace the bridges with APs.
B. Replace the Omni directional antennas with Yagis.
C. Configure 802.11a on the links.
D. Install amps to boost the signal.

17. What does extended service set (ESS) ID mean?
A. That you have more than one access point, and they are in the same SSID connected by a distribution system
B. That you have more than one access point, and they are in separate SSIDs connected by a distribution system
C. That you have multiple access points, but they are placed physically in different buildings
D. That you have multiple access points, but one is a repeater access point

18. What is one reason that WPA encryption is preferred over WEP?
A. A WPA key is longer and requires more special characters than the WEP key.
B. The access point and the client are manually configured with different WPA key values.
C. WPA key values remain the same until the client configuration is changed.
D. The values of WPA keys can change dynamically while the system is used.

19. How wide are the channels used in 802.11n in order to gain the large bandwidth that the specification provides?
A. 22MHz
B. 20MHz
C. 40MHz
D. 100MHz

20. 802.11n uses MIMO. How does this optimize throughput to gain the high-speed advantage that 802.11n provides?
A. By specifying an acknowledgment of each and every frame, 802.11n provides better overhead.
B. Several frames are sent by several antennae over several paths and are then recombined by another set of antennae.
C. One frame at a time is sent, but faster than in 802.11g because multiple antennas are used (multiple-in, multiple-out).
D. MIMO packs smaller packets into a single unit, which improves throughput.
Chapter 13
Authentication and Access Control

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 3.3 Given a scenario, implement network hardening techniques
  ■ Switch port security
    ■ MAC address filtering
  ■ Use secure protocols
    ■ TLS/SSL
  ■ Access lists
    ■ IP filtering
    ■ Port filtering
  ■ User authentication
    ■ CHAP/MSCHAP
    ■ EAP
    ■ Kerberos
    ■ Multifactor authentication
    ■ Two-factor authentication
    ■ Single sign-on
✓ 5.10 Given a scenario, configure and apply the appropriate ports and protocols
  ■ 3389 RDP
  ■ 22 SSH
✓ 1.2 Compare and contrast the use of networking services and applications
  ■ VPN
    ■ Site to site/host to site/host to host
    ■ Protocols
      ■ IPsec
      ■ GRE
      ■ SSL VPN
      ■ PTP/PPTP
  ■ TACACS/RADIUS
  ■ RAS
  ■ Web services
  ■ Unified voice services
  ■ Network controllers
✓ 3.6 Explain the purpose of various network access control models
  ■ 802.1x
  ■ Posture assessment
  ■ Guest network
  ■ Persistent vs non-persistent agents
  ■ Quarantine network
  ■ Edge vs access control

So far, you’ve learned a lot about networking standards and related technologies and even how to make computers and devices communicate so you can get a network up and running. But there’s more—because network security is absolutely critical, I’m going to equip you with the knowledge you need to keep your network safe from intruders. Yes, communication and accessing the information you need is all good, but knowing exactly who it is at the other end of the connection is vital. This means you need ways to confirm that the person or computer at the other end of the connection is really supposed to be accessing the resource it’s trying to, and even whether the resources or entities that you’re contacting are really who and what they appear to be.
Seriously, if you don’t have network security firmly in place, you’re flying dangerously blind—you could be inadvertently exposing critical data to people who have no right to see that information and may even intend to exploit it in a big way! So, in this chapter, we’ll focus on some very important pieces of the security puzzle; two of the first things on our list are security filtering and user authentication.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Security Filtering

How do we know who’s really at the other end of our connections? The answer to that may seem simple enough because the computer or person on the other end has to identify him/her/itself, right? Wrong! That’s just not good enough because people—especially hackers—lie, so it’s totally naïve to assume that the person or computer on the other end of the line is who they’re claiming to be. Sad but true: Hackers use the many tools out there today with the precise goal of convincing us they’re someone else, and way too many of us have been, or know of someone who has been, a victim of identity theft thanks to bad guys with the right spoofing software in hand. This means it’s imperative to control who or what can get into our network by identifying the specific computers and individuals who have the right to gain access to it and its resources. But how do we do this? Well, for starters, I’m going to cover some basic ways to safely allow the computers you want to have access into your network plus ways to keep out the ones you don’t.

The first line of defense is something called security filtering, which broadly refers to ways to let people securely access your resources.
This process is twofold and includes ensuring that only authorized computers get to enter your network and making sure data you’re sending back and forth between networks is secured so it can’t be intercepted and translated by bad guys.

Access Control Lists

It’s rare to find a network around these days that isn’t connected to the Internet. The Internet is clearly a public internetwork that anyone can connect to, but your company’s or personal network is, and should definitely be, a private one. The catch here is that every time you connect to the Internet (where everyone is welcome) from a private network, you’re instantly vulnerable to security break-ins. This is where something we call a firewall comes into play.

Firewalls are basically tools that you can implement to prevent any unauthorized users roaming around on public networks from gaining access to your private network. I’ll be covering the different types of firewalls, plus give you the skinny on exactly how they work, in Chapter 15, “Physical Security and Risk.” For now, understand that firewalls can be either stand-alone devices or combined with another hardware device like a server or a router. And although firewalls can use a lot of various technologies to restrict information flow, their primary weapon is known as an access control list (ACL).

Access control lists (ACLs) typically reside on routers to determine which packets are allowed to route through them based on the requesting device’s source or destination Internet Protocol (IP) address. Oh, and just so you know, ACLs have been around for decades and have other uses apart from firewalls. Figure 13.1 demonstrates how ACLs prevent users on Network B from accessing Network A.

FIGURE 13.1 Two networks with an ACL-enabled router
[Figure: A can access B. B can access A only if a secure authenticated connection is detected.]
[Figure labels: Network B “Public” Network, Router, Network A “Private” Network]

Okay, what we see here is that users in Network A can pass through the router into Network B. This means that an IP spoofing attack, when someone pretends to have a network address on the inside of a firewall to gain network access, can still happen if a user in Network B pretends to be located in Network A. We’ll go over things like IP spoofing more thoroughly in Chapter 14, “Network Threats and Mitigation,” but for now, let’s get back to ACLs.

You can create a wide array of ACLs, from the very simple to the highly complex, depending on exactly what you want to have them do for you. One example is placing separate inbound and outbound ACLs on a router to ensure that the data that’s leaving your network comes from a different source than the data that’s coming into it. When configuring ACLs between the Internet and your private network to mitigate security problems, it’s a good idea to include these four conditions:

■ Deny any addresses from your internal networks.
■ Deny any local host addresses (127.0.0.0/8).
■ Deny any reserved private addresses.
■ Deny any addresses in the IP multicast address range (224.0.0.0/4).

None of these addresses should ever be allowed to enter your internetwork. Interestingly enough, because of the way in which public IP addresses are issued, with some research you can create a filter that blocks a country, state, or even locale based on IP addresses!

Most of the time, it’s wise to configure ACLs so that they’ll allow or deny access based on the IP address of the source or destination device. If your network is running a protocol other than Transmission Control Protocol/Internet Protocol (TCP/IP), you can filter traffic based on a Media Access Control (MAC), or hardware, address instead of an IP address.
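Here is an added example (my own code, not the book’s) of how a router evaluates an inbound ACL built from those four conditions. Entries are checked in order and the first match wins; a packet that matches no entry falls through to the implicit deny that the Port Filtering discussion describes, so the only things that get in are the ports we explicitly open (HTTPS and SSH are assumed for this site). The internal network 10.0.0.0/8, the documentation-range addresses and the sample packets are all constructed:

```python
"""Ingress ACL with implicit deny: an added example, not the book's own code.

Models a router-style access list applied inbound on the Internet-facing
interface. Entries are checked in order and the first match wins; a packet
that matches nothing hits the implicit deny. The four deny conditions from
the list above come first, then only the ports we explicitly open (assumed
for this example: HTTPS and SSH). The internal network 10.0.0.0/8, the
addresses and the sample packets are all constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    source: IPv4Network         # matched against the packet's source address
    dst_port: Optional[int]     # None matches any destination port
    note: str                   # why the entry exists; returned with the verdict


def build_ingress_acl(internal_networks: List[IPv4Network]) -> List[AclEntry]:
    """Ordered inbound ACL for the interface that faces the Internet."""
    acl = [AclEntry("deny", net, None, "source claims to be internal (spoofing)")
           for net in internal_networks]
    acl += [
        AclEntry("deny", ip_network("127.0.0.0/8"), None, "loopback source"),
        AclEntry("deny", ip_network("10.0.0.0/8"), None, "reserved private source"),
        AclEntry("deny", ip_network("172.16.0.0/12"), None, "reserved private source"),
        AclEntry("deny", ip_network("192.168.0.0/16"), None, "reserved private source"),
        AclEntry("deny", ip_network("224.0.0.0/4"), None, "multicast source"),
        # Port filtering: open only the services this site publishes (assumed).
        AclEntry("permit", ANY, 443, "HTTPS to the public web server"),
        AclEntry("permit", ANY, 22, "SSH to the bastion host"),
        # No catch-all permit: anything not listed is dropped by the implicit deny.
    ]
    return acl


def evaluate(acl: List[AclEntry], src: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for one packet; the first matching entry wins."""
    addr = ip_address(src)
    for entry in acl:
        if addr in entry.source and entry.dst_port in (None, dst_port):
            return entry.action, entry.note
    return "deny", "implicit deny"


def filter_packets(acl: List[AclEntry], packets) -> List[str]:
    """Apply the ACL to (src, dst_port) tuples; return one verdict line each."""
    lines = []
    for src, port in packets:
        action, why = evaluate(acl, src, port)
        lines.append(f"{src}:{port} -> {action} ({why})")
    return lines


if __name__ == "__main__":
    acl = build_ingress_acl([ip_network("10.0.0.0/8")])
    sample = [("10.1.2.3", 443), ("127.0.0.1", 22), ("192.168.1.5", 443),
              ("239.1.1.1", 443), ("203.0.113.9", 443), ("203.0.113.9", 23)]
    print("\n".join(filter_packets(acl, sample)))
```

Note the ordering: the spoofing entries for your own internal ranges come before everything else, so a packet arriving from the Internet with a 10.x source address is logged for the right reason, and the absence of a final permit-any is what makes the implicit deny do the rest.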
You can still use a MAC address–based ACL if you’re running TCP/IP, but keep in mind that it’s a lot easier to deal with IP addresses than MAC addresses. Another point to remember is that even though most firewalls and routers will allow you to create both IP-based and MAC-based ACLs, doing so can create an exceptionally ugly situation where access is denied when it really shouldn’t be.

Port Filtering

ACLs can also be used to filter based on port numbers as well as IP addresses. In fact, most firewalls default to allowing only the open ports that you specify. This is another version of the implicit deny (anything not allowed specifically is denied). When managing a firewall, it’s important to know the port numbers of all traffic that needs to be allowed through it. This means that for some of your applications, you will need to read and learn the port numbers being used. This also explains why it’s a big deal to know the port numbers of security protocols like SSL and IPSec. Successful firewall management involves being aware of, and allowing only, the ports needed to keep things running.

Tunneling

Just thinking about the huge amount of sensitive data bouncing all over the Internet 24/7 makes me want to scream the word security! It’s seriously clear that we need it almost as much as air. Worse, most of that data is sent out over the Internet without any encryption or security, but at least not the really sensitive stuff, which should be sent via one of several different security protocols available today—phew. These vital protocols are really sets of conditions or rules that define how a secure connection is maintained when we send sensitive data through an unsecure medium like the Internet or a wireless connection. Before talking about the security protocols that the Network+ exam is likely to quiz you on, I’d like to define a few terms.
The first is a concept called tunneling, which basically means encapsulating one protocol within another to ensure that a transmission is secure. Here’s an example: The lion’s share of us use IP, known as a payload protocol, which can be encapsulated within a delivery protocol like Internet Protocol Security (IPSec). If you took a look at these packets individually, you would see that they’re encrypted. If you look at the process as a whole, it appears that a point-to-point tunnel is created on the Internet, as Figure 13.2 illustrates. (Make a note to yourself that usually the tunneled protocol is running at a higher layer in the OSI model than the payload protocol, but not always.)

FIGURE 13.2 A tunnel through the Internet
[Figure: a single private path, or tunnel, through the Internet]

The Network+ exam will test your understanding of the following tunneling protocols:

■ Virtual Private Network (VPN)
■ Secure Sockets Layer (SSL)
■ Secure Sockets Layer Virtual Private Network (SSL VPN)
■ Layer 2 Tunneling Protocol (L2TP)
■ Point-to-Point Tunneling Protocol (PPTP)
■ Generic Routing Encapsulation (GRE)
■ Internet Protocol Security (IPSec)
■ ISAKMP

Let’s dig in and take a detailed look at each one now.

Virtual Private Network

No worries—VPNs aren’t really that hard to understand. A VPN fits somewhere between a LAN and WAN, and many times may seem just like a WAN link because your computer, on one LAN, connects to a different, remote LAN and uses its resources remotely. The key difference with VPNs is a big one—security! So the definition of connecting a LAN (or VLAN) to a WAN may sound the same, but a VPN is much more.

Here’s the difference: A typical WAN connects two or more remote LANs together using someone else’s network—like, say, your Internet service provider’s (ISP’s)—and a router. Your local host and router see these networks as remote networks and not as local networks or local resources.
This would be a WAN in its most general definition. A VPN actually makes your local host part of the remote network by using the WAN link that connects you to the remote LAN. The VPN will make your host appear as though it’s actually local on the remote network! This means that we now have access to the remote LAN’s resources and that access is very secure.

This may sound a lot like the VLAN definition I just used in Chapter 11, “Switching and Virtual LANs,” and really, the concept is the same: “Take my host and make it appear local to the remote resources.” Just remember that for networks that are physically local, using VLANs is a good solution, but for networks that are physically remote—those that span a WAN—we’d opt for using VPNs instead.

For a simple VPN example, let’s use my home office in Boulder, Colorado. Here, I have my personal host, but I want it to appear as if it’s on a LAN in my corporate office in Dallas, Texas, so I can get to my remote servers. VPN is the solution I use for this because I need the security it provides. Figure 13.3 shows this example of my host using a VPN connection from Boulder to Dallas, which allows me to access the remote network services and servers as if my host is right there on the same VLAN as my servers.

FIGURE 13.3 Example of using a VPN network
[Figure: My Host in Colorado connects across the Internet over a VPN to the Secure VLAN at the Dallas Corporate Office, whose servers sit in a Secure Server Room. Now my host appears local to the servers.]

Why is this so important? If you answered, “Because my servers in Dallas are secure, and only the hosts on the same VLAN are allowed to connect to them and use their resources,” you nailed it! A VPN allows me to connect to these resources by locally attaching to the VLAN through a VPN across the WAN. The other option is to open up my network and servers to everyone on the Internet or another WAN service, in which case my security goes poof!
So you can see that it’s a very good thing I have a VPN.

Types of VPNs are named based on the kind of role they play in a real-world business situation. There are three different categories of VPNs:

Host-to-Site (Remote-Access) VPNs  Remote-access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to. It is typical that users can connect to the Internet but not to the office via their VPN client because they don’t have the correct VPN address and password. This is the most common problem and one you should always check first.

Host-to-Host VPN  A host-to-host VPN is somewhat like a site-to-site in concept except that the endpoints of the tunnel are two individual hosts. In this case all traffic is protected from the time it leaves the NIC on one host until it reaches the NIC of the other host.

Site-to-Site VPNs  Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay. This is probably the best solution for connecting a remote office to a main company office.

Extranet VPNs  Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

SSL and SSL VPN

Next on the list is Secure Sockets Layer (SSL). This security protocol was developed by Netscape to work with its browser. It’s based on Rivest, Shamir, and Adleman (RSA) public-key encryption and used to enable secure Session layer connections over the Internet between a web browser and a web server. SSL is service independent, meaning a lot of different network applications can be secured with it—a famous one being the ubiquitous HTTP Secure (HTTPS) protocol.
As time marched on, SSL was merged with other Transport layer security protocols to form a new protocol called Transport Layer Security (TLS). The latest version of Transport Layer Security (TLS 2.0) provides a number of enhancements over earlier versions. The following are the most noteworthy:

■ Several improvements in the operation of a central component, the MD5-SHA-1 hashing function. Hashing functions are used to ensure that the data is not changed or altered (also known as maintaining data integrity).
■ More flexibility in the choice of hashing and encryption algorithms on the part of the client and the server.
■ Enhanced support for the Advanced Encryption Standard (AES).

Figure 13.4 shows the SSL connection process.

FIGURE 13.4 The SSL connection process
[Figure: PC to Server: Connection Request. Server to PC: Secure Connection Needed. PC to Server: Security Capabilities. Server to PC: SSL Session Established.]

SSL VPN is really the process of using SSL to create a virtual private network (VPN). A VPN is a secured connection between two systems that would otherwise have to connect to each other through a non-secured network. Here’s what I mean: Even though I’d never really let this happen, let’s just say I could connect to the servers in my corporate office through the Internet like, snap! You know by now that this would be a very bad thing because the Internet is far from secure, right? But if I connected to those servers using a VPN with a tunneling protocol instead, anything I send from my PC to my corporate office would be locked up nice and securely.

Plus, VPNs also come in handy for data that’s being sent within a private network that you probably wouldn’t want everyone on that network to be able to see. Maybe you want a few specific computers on the intranet to be able to communicate with each other securely—like, say, the computers used by your top finance people.
You wouldn’t necessarily want that data just sent off in the clear to be viewed by the office gossip, now would you? No way. So, you can put those finance folks on a VPN that’s just like having them on their own little private, secure subnetwork. Plus, what’s even cooler about this setup is that the members of your intranet’s VPN can still communicate with everyone else whenever they want; they just won’t be doing that securely—nice solution!

L2TP

Next, we have the Layer 2 Tunneling Protocol (L2TP), which was created by the Internet Engineering Task Force (IETF). It comes in handy for supporting non-TCP/IP protocols in VPNs over the Internet. L2TP is actually a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies. A nice L2TP feature is that, because it works way down there at the Data Link layer (Layer 2) of the OSI model, it can support tons of protocols beyond just TCP/IP—a couple of biggies being Internetwork Packet Exchange (IPX) and AppleTalk. It’s a really great tool to implement if you happen to have two non-TCP/IP networks that need to be connected via the Internet.

PPTP

I just mentioned Point-to-Point Tunneling Protocol (PPTP), and even though I said it was Microsoft’s PPTP, this security protocol was really developed jointly by Microsoft, Lucent Technologies, 3COM, and a few other companies. Oh, and it’s not actually sanctioned by the IETF, but that doesn’t mean it doesn’t work. PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol. Because PPTP uses two different protocols, it actually opens up two different network sessions: so be warned, PPTP can give you some grief when passing through a router. This is a big reason you won’t find it around much nowadays.
Another reason it’s going the way of the dinosaurs is that it originally gained popularity because it was the first VPN protocol to be supported by Microsoft’s dial-up networking services, and not too many of us depend on dial-up to get to the Internet anymore. As if these aren’t reasons enough for PPTP’s impending extinction, it’s also not that secure. In fact, as you’d probably expect from a first-generation security protocol, it’s now really vulnerable to spoofing attacks, which is why it’s pretty much been replaced by L2TP and IPSec.

PPTP is a VPN protocol that runs over port 1723 and allows encryption to be done at the Application (data) level. It is important to remember for the CompTIA Network+ objectives that PPTP is a protocol that allows secure access to a VPN.

GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate many protocols inside IP tunnels. Some examples would be routing protocols such as EIGRP and OSPF and the routed protocol IPv6. Figure 13.5 shows GRE.

FIGURE 13.5 GRE encapsulation
[Figure: a GRE Tunnel (Carrier Protocol) across an IP Network (Transportation Protocol) between two IP VPN Sites (Passenger Protocol). The tunneled packet is laid out as Transport IP Header | GRE Header | Passenger (IP) Packet.]

A GRE tunnel interface supports a header for each of the following:

■ A passenger protocol or encapsulated protocols like IP or IPv6, which is the protocol being encapsulated by GRE
■ GRE protocol
■ A Transport delivery protocol, typically IP

GRE tunnels have the following characteristics:

■ GRE uses a protocol-type field in the GRE header so any Layer 3 protocol can be used through the tunnel.
■ GRE is stateless and has no flow control.
■ GRE offers no security.
■ GRE creates additional overhead for tunneled packets—at least 24 bytes.

IPSec

On the other hand, IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet.
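Before going further into IPSec, here is an added example (my own code, not the book’s) that builds the three GRE layers from Figure 13.5 byte for byte: the transport IP header, the GRE header with its protocol-type field, and the passenger packet. It also shows where the “at least 24 bytes” of overhead comes from (a 20-byte IPv4 transport header plus the 4-byte basic GRE header of RFC 2784) and why GRE “offers no security”: the passenger packet is copied into the tunnel unchanged. The addresses are documentation ranges and the passenger packet is constructed:

```python
"""GRE encapsulation: an added example, not the book's own code.

Builds the three layers the section lists (transport IP header, GRE header,
passenger packet) with struct, so the protocol-type field and the minimum
overhead (20-byte IPv4 transport header + 4-byte basic GRE header = 24 bytes)
can be seen byte for byte. The basic GRE header here is the RFC 2784 form
with no optional checksum, key or sequence number. Addresses are from
documentation ranges and the passenger packet is constructed for the example.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47        # protocol number carried in the transport IP header
PTYPE_IPV4 = 0x0800     # GRE protocol-type values reuse EtherType numbers
PTYPE_IPV6 = 0x86DD


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int) -> bytes:
    """Basic GRE header: 16 bits of flags/version (all zero) + 16-bit protocol type."""
    return struct.pack("!HH", 0, protocol_type)


def gre_encapsulate(passenger: bytes, protocol_type: int,
                    tunnel_src: str, tunnel_dst: str) -> bytes:
    """Transport IP header + GRE header + passenger packet, in that order."""
    gre = gre_header(protocol_type)
    transport = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(passenger))
    return transport + gre + passenger


def gre_decapsulate(packet: bytes):
    """Strip the transport IP and GRE headers; return (protocol_type, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("transport header does not carry GRE")
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:          # C, K or S bit set: optional fields not modelled here
        raise ValueError("optional GRE fields are not supported in this example")
    return protocol_type, packet[ihl + 4:]


def gre_overhead(packet: bytes, passenger: bytes) -> int:
    """Bytes added by tunneling: 24 for the basic header over IPv4 transport."""
    return len(packet) - len(passenger)


if __name__ == "__main__":
    # Constructed passenger: a UDP/IP packet between two private sites.
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, 8) + b"payload!"
    tunneled = gre_encapsulate(inner, PTYPE_IPV4, "198.51.100.1", "203.0.113.1")
    print("overhead:", gre_overhead(tunneled, inner), "bytes")
    print("passenger intact:", gre_decapsulate(tunneled)[1] == inner)
```

The decapsulation step is deliberately strict about the flag bits: a real GRE endpoint parses the optional checksum, key and sequence fields, and with this example you can see exactly which four bytes those options are added after.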
It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it. Because it’s sanctioned by the IETF and designed to work with IPv4 and IPv6, it’s got a huge amount of industry support, so it’s the standard for VPNs on the Internet today.

The two major protocols you’ll find working in IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH serves up authentication services only—no encryption—but ESP provides both authentication and encryption abilities. Both of these protocols can be used with either mode discussed in the following paragraphs.

The AH protocol within IPSec isn’t compatible with networks running Network Address Translation (NAT).

IPSec works in two modes: transport mode and tunneling mode. Transport mode creates a secure tunnel between two devices end to end. This means that regardless of how many foreign networks (including the Internet) the packet traverses, it is protected. The data is protected by authentication and/or encryption. Figure 13.6 illustrates a TCP/IP packet and a TCP/IP packet in transport mode using AH. ESP can also be used with transport mode.

FIGURE 13.6 TCP/IP packet in IPSec transport mode with AH
[Figure: Standard TCP/IP Packet, in data-flow order: IP Header (Source IP Address, Destination IP Address) | TCP Header | TCP/IP Payload. TCP/IP Packet with AH in Transport Mode: IP Header (Source IP Address, Destination IP Address) | AH Header | TCP Header | TCP/IP Payload, the whole packet authenticated by AH.]

On the other hand, in tunnel mode, the tunnel is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel. It is commonly used between two offices to protect all traffic going between the offices regardless of the source and destination. Figure 13.7 first shows a TCP/IP packet and then depicts one using ESP in tunnel mode.
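To make the transport-mode AH layout of Figure 13.6 concrete, and to show why the section says AH won’t work through NAT, here is an added example (my own code, not the book’s). It is a simplified model: the AH integrity check value is an HMAC computed over the IP header fields that never change in transit (version, protocol, source and destination address), the fixed AH header and the payload. Real AH uses HMAC-SHA1-96 or HMAC-SHA2 and zeroes the mutable fields such as TTL; HMAC-SHA256 over a reduced header is used here to keep it short. Because the source address is covered, a NAT gateway rewriting it breaks verification, and because AH never encrypts, the TCP data stays readable. Keys, addresses and payload are constructed:

```python
"""IPSec AH in transport mode and why NAT breaks it: an added example, not the
book's own code.

Simplified model of the Authentication Header: the integrity check value (ICV)
is an HMAC over the immutable IP header fields (version, protocol, source and
destination address), the fixed AH header and the payload. Real AH uses
HMAC-SHA1-96 or HMAC-SHA2 and zeroes mutable fields such as TTL; HMAC-SHA256
over a reduced header is used here to keep the example short. Nothing is
encrypted: the TCP header and data stay readable, as the transport-mode
figure shows. Keys, addresses and payload are constructed.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import NamedTuple

IPPROTO_AH = 51


class AhPacket(NamedTuple):
    src: str        # outer IP header fields the receiver sees
    dst: str
    ah: bytes       # fixed AH header (12 bytes) followed by the ICV
    payload: bytes  # next-header data, e.g. a TCP segment, in the clear


def _covered_ip_fields(src: str, dst: str) -> bytes:
    """Immutable IP header fields covered by the ICV (TTL, checksum etc. are not)."""
    return struct.pack("!BB4s4s", 4, IPPROTO_AH,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_transport_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                        next_header: int, payload: bytes) -> AhPacket:
    """Sender side: insert AH between the IP header and the transport data."""
    # Fixed AH part: next header, payload length (32-bit words minus 2: a
    # 12 + 32 = 44 byte AH is 11 words, so 9), reserved, SPI, sequence number.
    ah_fixed = struct.pack("!BBHII", next_header, 9, 0, spi, seq)
    icv = hmac.new(key, _covered_ip_fields(src, dst) + ah_fixed + payload,
                   hashlib.sha256).digest()
    return AhPacket(src, dst, ah_fixed + icv, payload)


def ah_verify(key: bytes, pkt: AhPacket) -> bool:
    """Receiver side: recompute the ICV over what actually arrived."""
    ah_fixed, icv = pkt.ah[:12], pkt.ah[12:]
    expected = hmac.new(key, _covered_ip_fields(pkt.src, pkt.dst) + ah_fixed + pkt.payload,
                        hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def nat_rewrite_source(pkt: AhPacket, public_src: str) -> AhPacket:
    """What a NAT gateway does on the way out: rewrite only the source address."""
    return pkt._replace(src=public_src)


def tamper_payload(pkt: AhPacket, new_payload: bytes) -> AhPacket:
    """An on-path change to the data, which AH is meant to catch."""
    return pkt._replace(payload=new_payload)


if __name__ == "__main__":
    key = b"constructed-example-key"
    pkt = ah_transport_packet(key, "10.1.1.5", "203.0.113.7", 0x1000, 1, 6,
                              b"GET / HTTP/1.0\r\n")
    print("as sent:      ", ah_verify(key, pkt))
    print("through NAT:  ", ah_verify(key, nat_rewrite_source(pkt, "198.51.100.1")))
    print("payload visible to anyone on the path:", pkt.payload)
```

ESP behaves differently on this point: its ICV starts at the ESP header and does not cover the outer IP addresses, which is why ESP (with UDP encapsulation) is the IPSec protocol you actually find crossing NAT devices.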
AH can also be used with tunnel mode.

FIGURE 13.7 TCP/IP packet in IPSec tunnel mode with ESP
[Figure: Standard TCP/IP Packet, in data-flow order: IP Header (Source IP Address, Destination IP Address) | TCP Header | TCP/IP Payload. TCP/IP Packet with ESP in Tunneling Mode: IP Header (Source IP Address, Destination IP Address) | ESP Header | TCP Header (Encrypted) | TCP/IP Payload (Encrypted); the figure labels the protected portion “Authenticated by AH.”]

You can see here that when data is tunneled in this way, hackers can’t even see what transport protocol you’re using, let alone decipher the data you’re transmitting.

ISAKMP

Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete security associations (SAs). SAs contain information required to execute security services, such as header authentication and payload encapsulation. ISAKMP’s real value is its ability to provide a framework for safely transferring key and authentication data independent of the key generation technique, encryption algorithm, and authentication mechanism. ISAKMP is integrated into another security mechanism we have already discussed, IPSec.

Encryption

Sometimes, like it or not, sending out corporate financial and other types of sensitive data over the Internet just can’t be avoided. This is why being able to hide or encode that data with encryption technologies is so vital for shielding it from the prying eyes of a company’s competitors, identity thieves—anyone who wants to take a look. Without encryption, our sensitive files and information are essentially being paraded on full display as the data courses over the Internet.
Encryption works by running the data (which when encoded is represented as numbers) through a special encryption formula called a key that the designated sending and receiving devices both “know.” When encrypted data arrives at its specified destination, the receiving device uses that key to decode the data back into its original form.

Back in 1979, the National Security Agency (NSA) classified encryption tools and their associated formulas as munitions, and the NSA has overseen their regulation ever since. The dangerous possibility that hostile nations, terrorists, and criminals may use encrypted communications to plan crimes and go undetected is the compelling reason for doing so. It’s also the reason that we’re only allowed to export weak encryption methods.

This brings up an important question: Exactly how do we measure an encryption algorithm’s strength? One way to do that is to measure its bit strength. Until 1998, only software with 40-bit strength or less could be exported, but today, the bar has been raised to 64-bit strength. And by the way, exporting any software with a key length greater than 64 bits is subject to review by the Export Administration Regulations (EAR) required by the US Department of Commerce’s Bureau of Industry and Security. This doesn’t include exporting to every country because some—like most of those in Western Europe plus Canada, Australia, and Japan—are countries we trust with the technology. But if you happen to be curious or just want to be really careful, check out the current regulations at www.bis.doc.gov/index.php/regulations#ear. Remember, these regulations aren’t there to make life a hassle; they’re in place to protect us.

The greater the number of bits that are encrypted, the tougher it is to crack the code. Clearly, the security of monetary transfers is extremely important.
The NSA does allow US banks to use more secure encryption methods for this reason and to ensure that they communicate very securely with their overseas branches, customers, and affiliates.

Encrypting passwords being sent from a workstation to a server at login is the most basic need for internal networks, and it’s done automatically by most network operating systems today. But legacy utilities like File Transfer Protocol (FTP) and Telnet don’t have the ability to encrypt passwords. Most email systems also give users the option to encrypt individual (or all) email messages, and third-party software packages like Pretty Good Privacy (PGP) are used by email systems that don’t come with encryption abilities of their own. And you already know how critical encryption is for data transmission over VPNs. Last but not least, encryption capability is clearly very important for e-commerce transactions, online banking, and investing.

I mentioned this earlier, but I didn’t tell you exactly what it is: An encryption key is essentially a random string of characters that is used in conjunction with the encryption algorithm. The algorithm is the same for all transactions, but the key is unique to each transaction. Encryption keys come in two flavors: public and private. I’m going to tell you how each one is used next.

Symmetrical Encryption Keys

Using symmetrical key encryption, both the sender and receiver have the same key and use it to encrypt and decrypt all messages. The downside of this technique is that it becomes hard to maintain the security of the key. When the keys at each end are different, it is called asymmetrical or public key. We’ll talk about that right after we discuss some encryption standards.

The Data Encryption Standard (DES)

Kudos go to IBM for coming up with one of the most widely used standards: Data Encryption Standard (DES).
It was made a standard back in 1977 by the US government. If you want, you can look it up in the Federal Information Processing Standards Publication 46-2 (FIPS 46-2). Basically, DES uses lookup and table functions, and it actually works much faster than more complex systems. It uses 56-bit keys. RSA Data Systems once issued a challenge to see if anyone could break the key. A group of Internet users worked together to attempt the task, with each member dealing with a portion of the 72 quadrillion possible combinations. They succeeded and cracked the key in June 1997, after searching only 18 quadrillion keys. Their prize? Knowing they had succeeded when they read a plain-text message that said, “Strong cryptography makes the world a safer place.”

Back in the day, DES was a great security standard, but its 56-bit key length has proved to be too short. As I said, the key was first cracked in June 1997. A year later, one was cracked in just 56 hours, and in January 1999, a DES key was broken in a blazing 22 hours and 15 minutes! Not exactly secure, right? We definitely needed something stronger.

Triple Data Encryption Standard (3DES)

That’s when Triple Data Encryption Standard (3DES, also referred to as TDES) came into its glory. Originally developed in the late 1970s, it became the recommended method of implementing DES encryption in 1999. As its name implies, 3DES is essentially three DES encryption methods combined into one. So 3DES encrypts three times, and it allows us to use one, two, or three separate keys. Clearly, going with only one key is the most unsecure, and opting to use all three keys gives you the highest level of security. Three-key TDES has a key length of 168 bits (56 times 3), but due to a complex type of attack known as meet-in-the-middle, it really provides only 112 bits of security. It gets worse farther down the food chain—even though the two-key version has a key size of 112 bits, it actually arms you with only 80 bits of effective security.
Another problem with 3DES is that it’s slow. No one likes that, so the National Institute of Standards and Technology (NIST) believes that 3DES will be an effective encryption standard only until sometime around 2030. Even now, it’s being phased out in favor of faster methods like AES.

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES, also known as Rijndael) has been the “official” encryption standard in the United States since 2002. It specifies key lengths of 128, 192, or 256 bits. The United States government has determined that 128-bit security is adequate for things like secure transactions and all materials deemed Secret, but all Top Secret information must be encoded using 192- or 256-bit keys.

The good news is that the AES standard has proven amazingly difficult to crack. Those who try use a popular method involving something known as a side channel attack. This means that instead of going after the cipher directly, they attempt to gather the information they want from the physical implementation of a security system. Hackers attempt to use power consumption, electromagnetic leaks, or timing information (like the number of processor cycles taken to complete the encryption process) to give them critical clues about how to break the AES system. Although it’s true that attacks like these are possible to pull off, they’re not really practical to clinch over the Internet.

Public Key Encryption

Public key encryption uses the Diffie-Hellman algorithm, which employs a public key and a private key to encrypt and decrypt data. It works like this: The sending machine’s public key is used to encrypt a message that is decrypted by the receiving machine with its private key. It’s a one-way communication, but if the receiver wants to send a return message, it does so via the same process.
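Since the section names Diffie-Hellman, here is an added example (my own code, not the book’s) of the exchange between User X and User Y carried through with it. Diffie-Hellman does not encrypt the message directly under the other side’s public key; each side combines its own private value with the other side’s public value, both arrive at the same shared secret, and that secret keys the message encryption. The modulus is a small prime chosen so the numbers stay readable and is not a real DH group (those are 2048 bits or larger, per RFC 3526), and the keystream cipher is a toy built from SHA-256 so the round trip can be shown with the standard library alone; all values are constructed:

```python
"""Key agreement between User X and User Y: an added example, not the book's own code.

Diffie-Hellman does not encrypt a message with the other side's public key
directly; each side combines its own private value with the peer's public
value and both arrive at the same shared secret, which then keys the message
encryption. The modulus is a small prime chosen so the numbers are readable;
it is NOT a real DH group (those are 2048 bits or larger, RFC 3526). The
keystream cipher is a toy built from SHA-256, used only so the round trip can
be shown without third-party libraries. All values are constructed.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); not a group for real use
G = 2


def make_keypair():
    """Private value x (kept secret) and public value G^x mod P (published)."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_secret(my_private: int, peer_public: int) -> int:
    """(G^peer)^mine mod P: identical on both sides, never sent over the wire."""
    return pow(peer_public, my_private, P)


def derive_key(secret: int) -> bytes:
    """Hash the shared secret so the message key has no arithmetic structure."""
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream: SHA-256(key || block counter) XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def send_message(my_private: int, peer_public: int, message: bytes) -> bytes:
    """User X: derive the key from Y's public value and X's private value."""
    return xor_stream(derive_key(shared_secret(my_private, peer_public)), message)


def receive_message(my_private: int, peer_public: int, ciphertext: bytes) -> bytes:
    """User Y: the same key falls out of X's public value and Y's private value."""
    return xor_stream(derive_key(shared_secret(my_private, peer_public)), ciphertext)


if __name__ == "__main__":
    x_priv, x_pub = make_keypair()
    y_priv, y_pub = make_keypair()
    ct = send_message(x_priv, y_pub, b"milk bread eggs cat food")
    print("on the wire:", ct.hex())
    print("User Y reads:", receive_message(y_priv, x_pub, ct))
```

Only the two public values and the ciphertext ever cross the network; an observer who sees both public values still has to solve the discrete logarithm to recover the secret, which is the whole point of the scheme and the reason real deployments pick a modulus far larger than the toy one here.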
If the original sender doesn’t have a public key, the message can still be sent with a digital certificate that’s often called a digital ID, which verifies the sender of the message. Figure 13.8 shows public-key-encrypted communication between User X and User Y.

FIGURE 13.8 Public-key encryption
[Figure: User X’s original message (“milk bread eggs cat food Don’t forget the chocolate!”) is encrypted using User Y’s public key into ciphertext (Y&Z!8:” >)(hb& gf%^dc yH98Y) and decrypted using User Y’s private key back into the original message.]

sh controllers s0/0
Interface Serial0/0
Hardware is PowerQUICC MPC860
DTE V.35 TX and RX clocks detected.

c16.indd 04/02/2015 Page 606 WAN Troubleshooting 607

Okay, we’ve verified we’re receiving clocking, so let’s move on to look at what the interface is telling us:

Router#sh int s0/0
Serial0/0 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Description: Connection to CR1
  Internet address is 192.168.11.1/24
  MTU 1500 bytes, BW 1000 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:02:58
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1565789 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
BR1#

See that? We can see a problem with this interface right there in the first line of output.
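As an added example (my own code, not the book’s), here is a small parser that pulls out of that output the same things the next paragraph teaches you to read by eye: the interface/line-protocol status on the first line, the LCP state, and the input-error counter. The sample output is constructed after the listing above and shortened; the error threshold is an assumption for the example:

```python
"""Reading 'show interfaces' for WAN faults: an added example, not the book's own code.

Pulls the status line and the error counters out of the command output and
reports the conditions the chapter teaches you to look for: the interface up
with line protocol down (local CSU/DSU fine, remote side or carrier not
answering) and a large input-error count (a noisy line). The sample output is
constructed after the chapter's listing and shortened.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Serial0/0 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Description: Connection to CR1
  Internet address is 192.168.11.1/24
  MTU 1500 bytes, BW 1000 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
     0 packets input, 0 bytes, 0 no buffer
     1565789 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
"""

STATUS_RE = re.compile(r"^(?P<name>\S+) is (?P<admin>up|down|administratively down), "
                       r"line protocol is (?P<proto>up|down)", re.M)
INPUT_RE = re.compile(r"(?P<errors>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame")
RESETS_RE = re.compile(r"(?P<resets>\d+) interface resets")
ENCAP_RE = re.compile(r"Encapsulation (?P<encap>\w+)(?:, LCP (?P<lcp>\w+))?")


def parse_interface(output: str) -> Dict[str, object]:
    """Return the fields we care about; counters become ints."""
    m = STATUS_RE.search(output)
    if not m:
        raise ValueError("no interface status line found")
    info: Dict[str, object] = dict(m.groupdict())
    for rx in (INPUT_RE, RESETS_RE, ENCAP_RE):
        hit = rx.search(output)
        if hit:
            info.update({k: (int(v) if v.isdigit() else v)
                         for k, v in hit.groupdict().items() if v is not None})
    return info


def diagnose(info: Dict[str, object], error_threshold: int = 100) -> List[str]:
    """Turn the parsed fields into the findings a WAN engineer acts on."""
    name = info["name"]
    findings = []
    if info["admin"] == "administratively down":
        findings.append(f"{name}: shut down in the config, needs 'no shutdown'")
    elif info["admin"] == "down":
        findings.append(f"{name}: physical layer down, check cable, CSU/DSU and clocking")
    elif info["proto"] == "down":
        findings.append(f"{name}: up/down, local side fine but the remote router or ISP circuit is not answering")
    if info.get("encap") == "PPP" and info.get("lcp") == "Closed":
        findings.append(f"{name}: PPP LCP is Closed, negotiation with the far end never completed")
    if int(info.get("errors", 0)) > error_threshold:
        findings.append(f"{name}: {info['errors']} input errors, likely line noise to report to the carrier")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_interface(SAMPLE_OUTPUT)):
        print(line)
```

Run it over the output of every WAN interface after a change window and you get the up/down and input-error checks as a list instead of a stare at a screen full of counters.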
The Serial0/0 is up, but the line protocol is down, which tells us that our local router interface connecting to the CSU/DSU is working, but we’re still not seeing the remote router. Once in a while this indicates a remote router problem, but it’s usually an ISP issue. So again, it means you’ve got to call into the ISP if you’re getting this error. And look at all those input errors! This is screaming that you’ve got a troubled line—probably some type of interference, which needs to be reported.

Split Horizon

Split horizon issues usually happen when using Frame Relay in an environment where you have multiple PVCs coming into a single serial WAN interface. This configuration makes the routing protocol think that it’s receiving routes on the same interface that they were being sent out of, which in this case would result in the routes being dropped. A great way to solve this problem is to create subinterfaces (logical interfaces) on the serial interface to make the routing protocol believe there are multiple interfaces—one for each subnet—so the routing advertisement will be received. The configuration would go from looking like this:

interface Serial0/0
 ip address 10.1.12.1 255.255.255.0
 no ip directed-broadcast
 encapsulation frame-relay

to looking like this:

interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
!
interface Serial0/0.102 point-to-point
 ip address 10.1.12.1 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 102
!
interface Serial0/0.103 point-to-point
 ip address 10.1.13.1 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 103
!

Notice there is no IP address on the physical interface!

DNS Issues

Another issue that could make it appear as if the Internet connectivity has gone down completely involves DNS. If users cannot resolve names, it seems like everything is broken to them.
The first step to solving a DNS issue is to understand exactly how your DNS is set up on your specific network. Do you have a local DNS server or are you using the ISP’s DNS server? If you can ping a site, such as 74.125.228.50, but can’t ping www.google.com from an internal host, you know you’re dealing with a DNS resolution issue. Start by verifying the local DNS server, if you use one, and if that checks out, call the ISP.

Router Configurations

Router configurations can also be the culprit when WAN services just aren’t working right. All you need is an admin that enters some routing protocol information incorrectly and your access to the Internet goes poof! So your first step is always to verify your default route to the ISP when troubleshooting the routers that connect you to the Internet. By using the command show ip route on a router, we can see the routing table—a map of the internetwork that the router uses to make its forwarding decisions:

    Router#sh ip route
    Codes: L - local, C - connected, S - static,
    [output cut]
          10.0.0.0/8 is variably subnetted, 6 subnets, 4 masks
    C        10.0.0.0/8 is directly connected, FastEthernet0/3
    L        10.0.0.1/32 is directly connected, FastEthernet0/3
    C        10.10.0.0/16 is directly connected, FastEthernet0/2
    L        10.10.0.1/32 is directly connected, FastEthernet0/2
    C        10.10.10.0/24 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
    S*    0.0.0.0/0 is directly connected, FastEthernet0/0

Verify the default route, which is the one that starts with an S*. If this route points to the wrong next hop or wrong exit interface, you’re going to have some serious problems!

Company Security Policy

Another common culprit that can often cause WAN-related problems is the company security policy.
For example, if there’s a firewall blocking ports, say, on applications that need to get to the Internet, it mimics a WAN issue when the root of the problem is actually bad configuration on your firewall(s)! Another common source of trouble tickets has to do with slow response time, which again can make it look as though it’s the WAN link that’s having issues. But again, it’s possible that it’s the security policy that’s throttling bandwidth on certain applications. I can’t tell you how typical this is these days! Many company policies block certain sites, demanding that you provide URL filtering to them, especially social media or streaming news feeds. People often refer to these security-oriented limitations as fair access policies or utilization limits, which are forced upon certain activities for several reasons but most often to preserve bandwidth.

Summary

In this chapter, you learned about the important issues involved in providing WAN connectivity between geographically separated network locations as well as about the different kinds of WAN connections, including point-to-point connections, circuit-switched service provider networks, and packet-switched service provider networks. You also became aware of the impacts different transmission media and different distance parameters have on WAN connections. In addition, you learned about the choices for leased-line connections along with broadband technologies like xDSL and cable modems. You studied the different WAN protocols and technologies used in connecting today’s high-speed WANs, including ISDN, Frame Relay, ATM, and MPLS, and were equipped with helpful strategies to troubleshoot and solve common WAN connection issues.

Exam Essentials

Be able to differentiate the kinds of WAN technologies. You must be able to identify the speeds and capacities of the different remote-access and WAN technologies as well as the media over which they are implemented.
Identify the basic characteristics of various Internet access technologies. These include DSL, broadband cable, POTS, and fiber to the premises (PON). It is important to know the differentiating features of these access technologies. Know their advantages and disadvantages so you can identify the best use of each.

Be knowledgeable about the differences between circuit-switched and packet-switched technologies, and know which protocols use either. Frame Relay is a packet-switched technology, and ISDN is a circuit-switched digital solution. ATM is considered to be a cell-switched technology because it incorporates a 53-byte cell. Both MPLS and ATM are considered connection-oriented technologies because the connection is set up first.

Be clear about the differences involving speed and distance between different media and between different WAN protocols. The use of both wireless and fiber is growing, and their standards are facilitating faster speeds and coverage of greater distances.

Be able to differentiate cellular WAN technologies like HSPA+, WiMAX, and LTE. HSPA+ is considered 3.5G, while LTE and WiMAX are considered true 4G.

Be able to differentiate between the different WAN protocols and technologies, their relative costs and speeds, and the types of implementations for which each would serve as a best solution. ISDN is rarely used nowadays in its BRI configuration except for small home or office solutions. Frame Relay is relatively inexpensive, but service providers have overbooked their Frame Relay clouds, resulting in poor performance. ATM is fast but inefficient, and MPLS is fast and more efficient but complicated to administer.

Written Lab

You can find the answers in Appendix A.

1. What is the greatest advantage of PSTN (POTS)?
2. Which technology uses the term HFC?
3. You have one serial port on your router but need to connect many remote sites.
What WAN protocol could you consider as an option?
4. What is the maximum speed for T1?
5. What does the acronym DSL stand for?
6. Which WAN technologies are considered packet-switching networks?
7. Which cellular technologies are considered 4G?
8. Which WAN technology is considered a cell-switching network?
9. What are the different flavors of xDSL?
10. What is another name for PON?

Review Questions

You can find the answers to the review questions in Appendix B.

1. Which of the following is not a WAN protocol or technology?
   A. ATM
   B. ISDN
   C. MPLS
   D. RIP

2. What OSI model layers do WAN protocols operate in?
   A. Layer 6, Layer 4, Layer 2
   B. Transport, Data Link, Network
   C. Physical, Data Link, Network
   D. Application, Data Link, Network

3. If you have a device in a telecommunications closet owned and installed by the telecommunications company (telco) and it’s your responsibility to cable from this box to the CPE, which term should you use to refer to the device?
   A. Customer premises equipment
   B. Demarcation point
   C. Toll network
   D. Central office

4. You have an E1. How many DS0s are used in this point-to-point connection?
   A. 24
   B. 25
   C. 30
   D. 32

5. Where does the local exchange carrier responsibility end and your responsibility begin on a WAN link?
   A. POP
   B. Central office
   C. Demarc
   D. Smart jack

6. You have a small office/home office environment. What WAN technology would most likely be used?
   A. T1
   B. T3
   C. Frame Relay
   D. Cable modem

7. Which type of communication has a line speed of 1.544Mbps (millions of bits per second)?
   A. T3
   B. T1C
   C. T1
   D. T4

8. Which cellular WAN technology has the best data rate?
   A. HSPA
   B. HSPA+
   C. LTE
   D. WiMAX

9. Which is not a common optical carrier level (OC-x)?
   A. OC-1
   B. OC-4
   C. OC-12
   D. OC-192

10. Which wireless protocol utilizes a short-range communications technology facilitating data transmission from fixed and/or mobile devices, creating wireless personal area networks (PANs)?
   A. Bluetooth
   B. Microwave radio relay
   C. Comsat
   D. Point-to-multipoint

11. What does the x in xDSL represent?
   A. Wire type
   B. Transmission speed
   C. DSL type
   D. Download speed

12. Which is not a type of xDSL?
   A. ADSL
   B. HDSL
   C. SONET
   D. SDSL

13. What does the acronym DOCSIS stand for?
   A. Data over cable service interface spectrum
   B. Data over cable systems Internet specification
   C. Data over cable service Internet specification
   D. Data over cable service interface specification

14. What is the bandwidth for OC-12?
   A. 1.544Mbps
   B. 45Mbps
   C. 622Mbps
   D. 1000Mbps

15. Which WAN protocol utilizes cell-switching technology?
   A. Frame Relay
   B. ISDN
   C. ATM
   D. RIP

16. Which WAN protocol utilizes packet-switched technology?
   A. Frame Relay
   B. ISDN
   C. ATM
   D. RIP

17. What is the CIR in Frame Relay?
   A. Virtual circuit that is established when data needs to be transmitted
   B. Maximum speed at which the Frame Relay interface can transmit
   C. Rate at which the Frame Relay switch guarantees to transfer data
   D. Rate at which the Frame Relay switch agrees to receive data

18. You are having DSL Internet connection issues and time-outs. You check the interface on your router and notice a lot of input errors. What could the problem be?
   A. CSU/DSU
   B. Demarc
   C. Duplex configuration
   D. Clocking is down

19. Which WAN has a transfer rate of 44.7Mbps?
   A. T1
   B. T3
   C. E1
   D. E3

20. How does DWDM put multiple transmissions on a single strand?
   A. Different frequencies
   B. Different polarizations
   C. Different wavelengths
   D. Different time slots

Chapter 17
Troubleshooting Tools

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 4.2 Given a scenario, analyze and interpret the output of troubleshooting tools
  ■ Command line tools
    ■ ipconfig
    ■ netstat
    ■ ifconfig
    ■ ping/ping6/ping -6
    ■ tracert/tracert -6/traceroute6/traceroute -6
    ■ nbtstat
    ■ nslookup
    ■ arp
    ■ mac address lookup table
    ■ pathping

Most of us are running Transmission Control Protocol/Internet Protocol (TCP/IP) version 4 on our networks these days, so we absolutely need a way to test IP connectivity. But we also need to be able to test and verify IPv6 networks. The reason for this is that even though Microsoft makes the majority of client platforms, a lot of the commands used to test IP connectivity are really platform independent, and most of the platforms can now use both IPv4 and IPv6. Even so, keep in mind that the Network+ exam focuses on the basic concepts of the function and use of the TCP/IP utilities that come with Windows.

You can use several utilities, both command line and GUI, to verify TCP/IP function on Windows workstations, and most of them are listed in the chapter objectives. But there are a few others that I’m going to discuss with you because they’re really important for anyone working in the networking field to know about. Here’s a list of them:

■ Traceroute (tracert in Microsoft)
■ ipconfig/winipcfg (ifconfig in Unix)
■ ping
■ arp
■ nslookup (dig in Unix)
■ Mtr (pathping)
■ route
■ nbtstat
■ netstat
■ ftp
■ telnet

And by the way, it’s very important that you don’t just blow through the output that I’ve supplied for each command. Instead, pay serious attention to it because to meet the Network+ objectives, you’ll be required to correctly identify each command’s output. So, let’s cut right to the chase and take a look at some of these commands and their output. Oh, and do try and have fun with it!
To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Protocol Analyzers

Protocol analyzers, also called sniffers or network monitors, are used to capture packets in their raw format as they cross the network. Windows desktop operating systems before Windows Vista came with a built-in protocol analyzer called Network Monitor, but that is no longer the case, although you can download one for free that will work with the newer operating systems. The Network Monitor tool that comes with these operating systems will capture only packets that are sourced from or destined to the computer on which the tool is running. Commercial sniffers like Wireshark and OmniPeek can capture any packets because they set the NIC to operate in promiscuous mode, which means the NIC processes all packets that it sees.

Protocol analyzers can be used to determine the type of traffic that you have in your network, and depending on the product and the bells and whistles contained therein, you may be able to sort the results based on port numbers, protocols, and so on. Another use of a sniffer is to examine the traffic that should be occurring on the network when something is not working to aid in troubleshooting. These devices can capture and display all packets involved in the connection setup, including, for example, request and response headers to a web server. For example, earlier in the book we discussed the operation of DHCP, and you learned that there are a series of four packet types that must occur for a DHCP client to receive an IP configuration from the server.
As a review, those packets are as follows:

■ DHCP Discover
■ DHCP Offer
■ DHCP Request
■ DHCP ACK

If you turned on the analyzer and then executed the ipconfig /release and ipconfig /renew commands on the client (more on those commands later in this chapter), you should see these four packets in the analyzer’s capture file. The packets would be interspersed with the hundreds and perhaps thousands of other packet types that would be captured, but by using the display filtering options in the software, you can easily segregate out the DHCP traffic. An example of the DHCP process, as seen in a capture, is shown in Figure 17.1.

[Figure 17.1: DHCP capture]

If all you saw in the capture were the DHCPDISCOVER packets with no DHCPOFFER packets, you could reasonably assert that the DHCP server is not receiving the DHCPDISCOVER packets (perhaps it is located in another broadcast domain or perhaps it is not on). Additionally, you could examine fields in the DHCPOFFER packets that may tell you that the DHCP server is out of addresses. The point is that the tool can be used to troubleshoot the issue.

Throughput Testers

Users of a network often complain about the speed of the network. Network “speed” is in some ways a personal perception because some people have more patience than others. To determine when a network slowdown is real as opposed to perceived, you need to actually measure the throughput. That’s what throughput testers are used for. These devices, typically software based, work much like a protocol analyzer in that they measure the traffic seen on the network and can also classify the types of traffic that are eating up your bandwidth (which is probably what you really need to know). Figure 17.2 shows one version of this software by TamoSoft.

[Figure 17.2: Throughput]

This software is installed on a server and also on a client.
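The DHCP check described above, as an added example that is not from the book: a small Python parser (function names and sample packets are assumed and constructed here) that pulls the transaction id and message type out of raw DHCP payloads, ignores the unrelated frames a capture would also contain, and reports per transaction whether the four-step exchange completed or stalled at the Discover stage.

```python
import struct
from collections import defaultdict

# DHCP option 53 (message type) values from RFC 2132.
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field


def build_dhcp(msg_type, xid, yiaddr="0.0.0.0", chaddr=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed sample DHCP payload (UDP data only); the MAC address is made up."""
    op = 1 if msg_type in (1, 3, 4, 7) else 2          # 1 = BOOTREQUEST, 2 = BOOTREPLY
    yi = bytes(int(octet) for octet in yiaddr.split("."))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,     # htype=Ethernet, broadcast flag set
                         b"\0" * 4, yi, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type]) + b"\xff"        # option 53, then the END marker
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Return xid, offered/assigned address and message type of one DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])   # 'your' address field
    msg_type = None
    opts, i = payload[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 0:                                   # PAD option has no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(opts):           # END marker or truncated option
            break
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return {"xid": xid, "yiaddr": yiaddr, "type": MSG_TYPES.get(msg_type, "UNKNOWN")}


def diagnose(packets):
    """Group DHCP payloads by transaction id and say where each exchange stalled."""
    by_xid = defaultdict(list)
    for payload in packets:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue            # the non-DHCP noise an analyzer's display filter would hide
        by_xid[msg["xid"]].append(msg)
    report = {}
    for xid, msgs in by_xid.items():
        seen = {m["type"] for m in msgs}
        address = next((m["yiaddr"] for m in msgs if m["type"] == "ACK"), None)
        if "ACK" in seen:
            verdict = "COMPLETE"       # lease acknowledged by the server
        elif "NAK" in seen:
            verdict = "NAK"            # server refused the requested address
        elif "REQUEST" in seen:
            verdict = "NO_ACK"         # offer accepted but never acknowledged
        elif "OFFER" in seen:
            verdict = "NO_REQUEST"     # client never answered the offer
        else:
            verdict = "NO_OFFER"       # server never saw the Discover, is down, or has no addresses
        report[xid] = {"verdict": verdict, "address": address}
    return report


# Constructed capture: one healthy exchange, one client that only ever sends Discover,
# plus an unrelated frame the analyzer would also have recorded.
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x1234),
    b"\x45\x00\x00\x54not-dhcp-traffic",
    build_dhcp(2, 0x1234, "192.168.0.6"),
    build_dhcp(3, 0x1234),
    build_dhcp(5, 0x1234, "192.168.0.6"),
    build_dhcp(1, 0x5678),
    build_dhcp(1, 0x5678),             # retry: still no OFFER coming back
]

if __name__ == "__main__":
    for xid, result in diagnose(SAMPLE_CAPTURE).items():
        print(f"xid 0x{xid:08x}: {result['verdict']} {result['address'] or ''}")
```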
In the figure the software is measuring traffic between the client and a server. It shows the throughput for traffic in real time and in this shot is breaking that traffic up by unicast (TCP) and broadcast (UDP) types and by direction.

Earlier in this book, I discussed the importance of baselines, and this is another area where they are important. Network throughput figures mean little without a baseline with which comparisons can be made. How do you know what is abnormal when you don’t know what normal is? Baselines should be taken when the network is operating well, but they should also be taken when the traffic load is normal.

Connectivity Software

There are times when you need to make a remote connection to a machine to perform troubleshooting but you are miles away. Connectivity software is designed to allow you to make a connection to the machine, see the desktop, and perform any action you could perform if you were sitting in front of it. Microsoft has made what it calls Remote Desktop software available for free with Windows products since Windows NT. When this software is installed (installed by default in later versions) on both source and destination computers, a remote desktop connection can be made.

Commercial tools are also available that (of course) claim to have more functionality, and they probably do have a few extra bells and whistles. These include LogMeIn.com, GoToMyPC, and others. Figure 17.3 shows the session window for a LogMeIn.com session.

[Figure 17.3: LogMeIn]

The advantages of these connectivity tools are obvious. With these tools, you can do anything you need to on the machine as long as you can connect. They also allow you to see what a user is actually doing when they encounter a problem rather than having to rely on what they tell you they are doing. You can even show a user what they are doing wrong.
Most of these tools allow for chat sessions and for either end of the connection to take control of the machine. You can also transfer files to them if required (maybe a DLL got deleted, for example).

Using Traceroute

For starters, let’s pose these questions: Where do all those packets really go when we send them over the Internet? And, how do all the packets actually get to their destinations? Well, we can use the TCP/IP traceroute (tracert with Windows) command-line utility to help us answer both questions because its output will show us every router interface a TCP/IP packet passes through on the way to its destination.

Traceroute (trace for short) displays the path a packet takes to get to a remote device in all its glory by using something we call IP packet Time-to-Live (TTL) time-outs, and Internet Control Message Protocol (ICMP) error messages. And it’s also a handy tool for troubleshooting an internetwork because we can use it to figure out which router along a path through that internetwork happens to be causing a network failure when a certain destination machine or network is, or suddenly becomes, unreachable.

To use tracert, at a Windows command prompt, type tracert, a space, and the Domain Name Service (DNS) name or IP address of the host machine to which you want to find the route. The tracert utility will respond with a list of all the DNS names and IP addresses of the routers that the packet is passing through on its way. Plus, tracert uses TTL to indicate the time it takes for each attempt.
Following is the tracert output from my workstation in Boulder, Colorado, to my Lammle.com server in Dallas, Texas:

    C:\Users\tlammle>tracert www.lammle.com

    Tracing route to lammle.com [206.123.114.186]
    over a maximum of 30 hops:

      1     1 ms    <1 ms    <1 ms  dslmodem.domain.actdsltmp [192.168.0.1]
      2    53 ms    52 ms    52 ms  hlrn-dsl-gw36-228.hlrn.qwest.net [207.225.112.228]
      3    52 ms    53 ms    52 ms  hlrn-agw1.inet.qwest.net [71.217.189.25]
      4    75 ms    75 ms    74 ms  dal-core-01.inet.qwest.net [67.14.2.53]
      5    76 ms    76 ms    76 ms  dap-brdr-01.inet.qwest.net [205.171.225.49]
      6    76 ms    76 ms    76 ms  205.171.1.110
      7    75 ms    76 ms   106 ms  xe-0-0-0.er2.dfw2.us.above.net [64.125.26.206]
      8    76 ms    76 ms    76 ms  209.249.122.74.available.above.net [209.249.122.74]
      9    76 ms    76 ms    76 ms  65.99.248.250
     10    76 ms    76 ms    76 ms  pageuppro.pageuppro.com [206.123.114.186]

    Trace complete.

Were you able to see that the packet bounces through several routers before arriving at its destination? Good! This utility is useful if you are having problems reaching a web server on the Internet and you want to know if a wide area network (WAN) link is down or if the server just isn’t responding. What this means to you is that, basically, wherever the trace stops is a great place to start troubleshooting. No worries here, though—the previous output shows that every router is up and responding.

Last, notice in the output the ms. This is the latency of each hop, meaning the delay. Tracert (or traceroute) is a great troubleshooting tool you can use to find out where your network bottlenecks are.

If you use traceroute or tracert and receive an asterisk, this indicates that the attempt to reach that router took longer than the default time-out value. This is very good to know because it can mean that either the router is extremely busy or that a particular link is slow.
Another reason for getting an asterisk could be that the administrator has disabled ICMP on the router that the packet is trying to hop through. Why would someone want to do that? For security reasons, that’s why. It happens to be a typical strategic move done on the routers that interface to the ISP to conceal their actual location so bad guys can’t hack into them and therefore into your internetwork. It’s a good idea, and I highly recommend doing it.

If you are running traceroute and see repeating addresses and TTL time-outs, you probably have a routing loop.

In addition to traceroute and tracert, you can use pathping, which is a lot like traceroute:

    C:\Users\Todd Lammle>pathping lammle.com

    Tracing route to lammle.com [184.172.53.52]
    over a maximum of 30 hops:
      0  WIN-Q14VTD8DH0G.localdomain [192.168.133.147]
      1  192.168.133.2
      2     *        *        *

    Computing statistics for 25 seconds...
                Source to Here   This Node/Link
    Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
      0                                           WIN-Q14VTD8DH0G.localdomain [192.168.133.147]
                                    0/ 100 =  0%   |
      1    0ms     0/ 100 =  0%     0/ 100 =  0%  192.168.133.2

    Trace complete.

    C:\Users\Todd Lammle>

This provides nice feedback at the end of the output.

In addition to traceroute and tracert, which show the path of an IPv4 packet, you can use tracert -6 for a Windows trace, traceroute6 for Mac and Unix, and traceroute -6 for Cisco routers to trace an IPv6 packet through an internetwork.

Using ipconfig and ifconfig

The utilities known as ipconfig (in Windows) and ifconfig (in Unix/Linux/Mac) will display the current configuration of TCP/IP on a given workstation—including the current IP address, DNS configuration, Windows Internet Naming Service (WINS) configuration, and default gateway. In the following sections, I will show you how to use both.
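The reading rules from the traceroute discussion (where the trace stops, asterisks for time-outs, a latency jump marking a bottleneck, repeating addresses meaning a routing loop), as an added Python example that is not part of the book: it parses Windows tracert hop lines in the format shown above and applies those rules; function names and the sample traces are constructed here, using private and documentation-only addresses.

```python
import re
from statistics import median

# Matches the bracketed address tracert appends to a resolved name, e.g. "name [10.0.0.1]".
BRACKETED = re.compile(r"\[([^\]]+)\]\s*$")


def parse_hop(line):
    """Parse one tracert hop line into hop number, per-probe RTTs (None = '*') and address."""
    tokens = line.split()
    if not tokens or not tokens[0].isdigit():
        return None                       # header, blank or 'Trace complete.' lines
    hop, i, rtts = int(tokens[0]), 1, []
    for _ in range(3):                    # tracert sends three probes per TTL value
        if tokens[i] == "*":
            rtts.append(None)
            i += 1
        else:                             # "<1 ms" or "53 ms": value then unit
            rtts.append(float(tokens[i].lstrip("<")))
            i += 2
    rest = " ".join(tokens[i:])
    match = BRACKETED.search(rest)
    if match:
        address = match.group(1)
    elif rest.startswith("Request timed out"):
        address = None
    else:
        address = rest                    # bare IP address with no reverse DNS name
    return {"hop": hop, "rtts": rtts, "address": address}


def analyze_trace(output):
    """Apply the troubleshooting rules from the text to a whole tracert output."""
    hops = [h for h in (parse_hop(line) for line in output.splitlines()) if h]
    silent = [h["hop"] for h in hops if any(r is None for r in h["rtts"])]
    answered = [h for h in hops if h["address"] is not None]
    last_responder = answered[-1]["address"] if answered else None

    # An address that comes back again further down the path points to a routing loop.
    seen, loop = {}, None
    for h in answered:
        if h["address"] in seen and loop is None:
            loop = (seen[h["address"]], h["hop"])
        seen.setdefault(h["address"], h["hop"])

    # Bottleneck: the hop whose median latency jumps most over the previous responding hop.
    bottleneck, prev, biggest_jump = None, 0.0, 0.0
    for h in hops:
        values = [r for r in h["rtts"] if r is not None]
        if not values:
            continue                      # a silent hop tells us nothing about its own delay
        med = median(values)
        if med - prev > biggest_jump:
            biggest_jump, bottleneck = med - prev, h["hop"]
        prev = med
    return {"hops": len(hops), "timeouts_at": silent, "last_responder": last_responder,
            "loop": loop, "bottleneck_hop": bottleneck}


# Constructed tracert output: hop 3 sits behind a router that drops ICMP, and hop 5's
# third probe is slow.
HEALTHY_TRACE = """
Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  gateway.lab.test [192.168.0.1]
  2    53 ms    52 ms    52 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4    75 ms    75 ms    74 ms  core.isp.test [198.51.100.9]
  5    76 ms    76 ms   106 ms  203.0.113.10

Trace complete.
"""

# Constructed trace in which two routers keep handing the packet back to each other.
LOOPING_TRACE = """
  1     1 ms     1 ms     1 ms  10.0.0.1
  2     2 ms     2 ms     2 ms  10.0.0.2
  3     3 ms     3 ms     3 ms  10.0.0.1
  4     4 ms     4 ms     4 ms  10.0.0.2
"""

if __name__ == "__main__":
    print(analyze_trace(HEALTHY_TRACE))
    print(analyze_trace(LOOPING_TRACE))
```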
Using the ipconfig Utility

With the new Mac, Windows Vista, Windows 7 and 8, and Windows Server 2008/2012 operating systems you can now see the IPv6 configuration because IPv6 is enabled by default. The output of the ipconfig command provides the basic routed protocol information on your machine. From a DOS prompt, type ipconfig, and you’ll see something like this:

    C:\Users\tlammle>ipconfig

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : domain.actdsltmp
       Link-local IPv6 Address . . . . . : fe80::2836:c43e:274b:f08c%11
       IPv4 Address. . . . . . . . . . . : 192.168.0.6
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.1

    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . : qwest.net
       Link-local IPv6 Address . . . . . : fe80::20e7:7fb8:8a00:832b%10
       IPv4 Address. . . . . . . . . . . : 10.0.1.198
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::21b:63ff:fef3:3694%10
                                           10.0.1.1

    Tunnel adapter Local Area Connection* 6:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter Local Area Connection* 7:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    [output cut for brevity]

Wow, there sure are a lot of options in this output compared to the output for earlier versions of Windows! First, what’s up with all these interfaces showing? I only have two—one Ethernet and one wireless. You can see that my Ethernet adapter shows up first, and it has an IP address, a mask, and a default gateway plus an IPv6 address and a DNS suffix. The next configured interface is the wireless local area network (LAN) adapter, which has an IP address, a mask, a default gateway, an IPv6 address, and the IPv6 default gateway as well.
This IPv6 default gateway address is simply my router advertising that it runs IPv6 and saying, “I am the way out of the local LAN!” The next adapters are disconnected because they are logical interfaces and I’m not using them—my machine actually shows eight, but I cut the output because it provides no new information. They’re automatically inserted because IPv6 is installed and running on my machine, and these adapters allow me to run IPv6 over an IPv4-only network.

But just in case the ipconfig command doesn’t provide enough information for you, try the ipconfig /all command—talk about details. Here’s the beginning of that output:

    C:\Users\tlammle>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : globalnet-todd
       Primary Dns Suffix  . . . . . . . : globalnet.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : globalnet.local
                                           domain.actdsltmp
                                           qwest.net

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : domain.actdsltmp
       Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-1E-37-D0-E9-35
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::2836:c43e:274b:f08c%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.0.6(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 9:08:36 AM
       Lease Expires . . . . . . . . . . : Tuesday, October 21, 2008 9:08:39 AM
       Default Gateway . . . . . . . . . : 192.168.0.1
       DHCP Server . . . . . . . . . . . : 192.168.0.1
       DNS Servers . . . . . . . . . . . : 192.168.0.1
                                           205.171.3.65
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Wireless LAN adapter Wireless Network Connection:

       Connection-specific DNS Suffix  . : qwest.net
       Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
       Physical Address. . . . . . . . . : 00-1F-3B-3F-4A-D9
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::20e7:7fb8:8a00:832b%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.1.198(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 10:43:53 AM
       Lease Expires . . . . . . . . . . : Monday, October 20, 2008 2:43:53 PM
       Default Gateway . . . . . . . . . : fe80::21b:63ff:fef3:3694%10
                                           10.0.1.1
       DHCP Server . . . . . . . . . . . : 10.0.1.1
       DNS Servers . . . . . . . . . . . : 10.0.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.globalnet.local
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{9572A79F-3A58-4E9B-9BD0-8F6FF2F058FC}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    [output cut]

As you can see, it’s more of the same—a whole lot more. The most important thing I want you to notice is that I’ve received the hardware information about each interface, including the Media Access Control (MAC) address. Also significant is that I can see the Dynamic Host Configuration Protocol (DHCP) lease times and DNS addresses now.

But why stop here? There are two more valuable options you need to use with the ipconfig command. They are /release and /renew.
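As an added example (not from the book), here is a Python reader for the ipconfig /all layout shown above: it keeps the continuation lines that hold a second gateway or DNS server, computes the lease length from the two timestamps, and checks that every IPv4 default gateway actually lies inside the adapter’s own subnet, which is the misconfiguration that most often makes a host look cut off. Function names and the sample output are constructed here, using private and documentation-only addresses.

```python
import ipaddress
import re
from datetime import datetime

DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"   # the lease timestamp format shown in the output above


def parse_ipconfig(text):
    """Turn 'ipconfig /all' text into {adapter: {key: [values]}}."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):               # adapter heading, e.g. "Ethernet adapter X:"
            current = line.strip().rstrip(":")
            adapters[current] = {}
            continue
        if current is None:
            continue
        match = re.match(r"^\s{3}(\S.*?)[ .]*:\s?(.*)$", line)
        if match:                                  # "   Key . . . : value"
            key, value = match.group(1), match.group(2)
            adapters[current][key] = [value] if value else []
        elif key is not None:                      # value continued on a deeper-indented line
            adapters[current][key].append(line.strip())
    return adapters


def clean(value):
    """Drop annotations such as '(Preferred)'."""
    return re.sub(r"\(.*?\)", "", value).strip()


def audit_adapter(fields):
    """Sanity-check one adapter: gateway on-subnet, lease length, servers learned."""
    ipv4 = [clean(v) for v in fields.get("IPv4 Address", [])]
    masks = [clean(v) for v in fields.get("Subnet Mask", [])]
    if not ipv4 or not masks:
        return None                                # disconnected or IPv6-only adapter
    iface = ipaddress.ip_interface(f"{ipv4[0]}/{masks[0]}")
    gateways = [clean(g) for g in fields.get("Default Gateway", [])]
    v4_gateways = [g for g in gateways if g and ":" not in g]   # skip the fe80:: entry
    gateway_ok = all(ipaddress.ip_address(g) in iface.network for g in v4_gateways)
    lease_hours = None
    try:
        obtained = datetime.strptime(fields["Lease Obtained"][0], DATE_FMT)
        expires = datetime.strptime(fields["Lease Expires"][0], DATE_FMT)
        lease_hours = (expires - obtained).total_seconds() / 3600
    except (KeyError, IndexError, ValueError):
        pass                                       # static address, or no lease lines at all
    return {"network": str(iface.network), "gateway_ok": gateway_ok,
            "lease_hours": lease_hours,
            "dns": [clean(v) for v in fields.get("DNS Servers", [])],
            "mac": fields.get("Physical Address", [None])[0]}


def audit(text):
    """Audit every adapter that carries an IPv4 address."""
    results = {}
    for name, fields in parse_ipconfig(text).items():
        finding = audit_adapter(fields)
        if finding is not None:
            results[name] = finding
    return results


# Constructed sample in the ipconfig /all layout: the first adapter is healthy, the second
# has been handed a default gateway outside its own /24.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : lab-host
   Primary Dns Suffix  . . . . . . . : lab.test

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lab.test
   Physical Address. . . . . . . . . : 02-00-00-00-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 9:08:36 AM
   Lease Expires . . . . . . . . . . : Tuesday, October 21, 2008 9:08:39 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       198.51.100.53

Ethernet adapter Lab Adapter 2:

   Physical Address. . . . . . . . . : 02-00-00-00-00-02
   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       10.10.20.1

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    for adapter, finding in audit(SAMPLE).items():
        print(adapter, finding)
```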
When you change networks, you need to get the IP address of that subnet and/or virtual LAN (VLAN). Windows 7 and 8 work most of the time without doing anything, but sometimes I do have to renew the IP configuration when changing networks. But that’s easy—just type ipconfig /renew from a command prompt, and if you’re connected to a DHCP server that’s available, you’ll then magically receive an IP address.

Now, if it still doesn’t work, you’ll need to release and renew your TCP/IP settings. To release your current DHCP TCP/IP information, you must elevate your command prompt or you’ll get this warning:

    C:\Users\tlammle>ipconfig /release
    The requested operation requires elevation.

    C:\Users\tlammle>

Should this happen to you, choose Start ➪ All Programs ➪ Accessories ➪ Command Prompt, right-click, and choose Run As Administrator. (Of course, you’ll have to enter your name and password to do this if you are using Windows 7 or 8. But we love Windows 7 and 8, right? Okay, maybe not always.) Figure 17.4 shows how I did this.

[Figure 17.4: Elevating your command prompt]

Once your command prompt has been duly elevated, you can use the ipconfig /release command and then the ipconfig /renew command to get new TCP/IP information for your host.

Using the ifconfig Utility

There is a utility in Linux/Unix/Mac that will give you information similar to what ipconfig shows. It’s called ifconfig (short for interface configuration). Although ipconfig and ifconfig show similar information, there are major differences between these two utilities. The ipconfig utility is mainly used to view the TCP/IP configuration for a computer. You can use ifconfig to do the same thing, but ifconfig can also be used to configure a protocol or a particular network interface.
The general syntax of the ifconfig command is as follows:

    ifconfig interface [address [parameters]]

The interface parameter equals the Unix name of the interface, such as eth0. If the optional address parameter is specified, the ifconfig command sets the IP address for the interface to the address you’ve specified. When the ifconfig command is used by itself with no parameters, all configured interfaces will be reported on. But if only the interface name is specified, you’ll get output that looks like this:

    # ifconfig eth0
    eth0   Link encap 10Mbps Ethernet HWaddr 00:00:C0:90:B3:42
           inetaddr 172.16.0.2 Bcast 172.16.0.255 Mask 255.255.255.0
           UP BROADCAST RUNNING MTU 1500 Metric 0
           RX packets 3136 errors 217 dropped 7 overrun 26
           TX packets 1752 errors 25 dropped 0 overrun 0

Looking at this, we can see that the eth0 interface is a 10Mbps Ethernet interface. The interface’s MAC and IP address information is displayed in this output as well. And, although not shown in the output, the ifconfig tool can show you the DNS information configured on the host.

Using the ping Utility

ping is the most basic TCP/IP utility, and it’s included with most TCP/IP stacks for most platforms. Windows, again, is no exception. In most cases, ping is a command-line utility, although there are many GUI implementations available. You use the ping utility for two primary purposes:

■ To find out if a host is responding
■ To find out if you can reach a host

Here’s the syntax:

    ping hostname or IP address

If you ping any station that has an IP address, the ICMP that’s part of that particular host’s TCP/IP stack will respond to the request.
The ICMP test and response looks something like this:

    ping 204.153.163.2

    Pinging 204.153.163.2 with 32 bytes of data:

    Reply from 204.153.163.2: bytes=32 time<10ms TTL=128
    Reply from 204.153.163.2: bytes=32 time=1ms TTL=128
    Reply from 204.153.163.2: bytes=32 time<10ms TTL=128
    Reply from 204.153.163.2: bytes=32 time<10ms TTL=128

Because I’ve received a reply from the destination station (204.153.163.2, in this case), I know that I can reach the host and that it’s responding to basic IP requests. Don’t forget that you can use name resolution and ping to a name, such as ping www.sybex.com, and as long as that name can be resolved, you’re golden.

Most versions of ping work the same way, but there are some switches you can use to specify certain information, like the number of packets to send, how big a packet to send, and so on. And if you’re running the Windows command-line version of ping, just use the /? or –? switch to display a list of the available options like this:

    C:\Users\tlammle>ping /?

    Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
                [-r count] [-s count] [[-j host-list] | [-k host-list]]
                [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

The command will also output a table showing what each of the options does, presented here in Table 17.1.

Table 17.1  Options for ping switches

    Option        Description
    -t            Pings the specified host until stopped. To see statistics and continue, press Ctrl+Break; to stop, press Ctrl+C.
    -a            Resolves addresses to hostnames.
    -n count      Specifies the number of echo requests to send.
    -l size       Sends the buffer size.
    -f            Sets the Don’t Fragment flag in the packet (IPv4 only).
    -i TTL        Specifies the time to live of the packet.
    -v TOS        Specifies the type of service (IPv4 only).
    -r count      Records the route for count hops (IPv4 only).
    -s count      Specifies the time stamp for count hops (IPv4 only).
    -j host-list  Uses a loose source route along the host-list (IPv4 only).
    -k host-list  Uses a strict source route along host-list (IPv4 only).
    -w timeout    Specifies the time-out to wait for each reply in milliseconds.
    -R            Uses the routing header to test the reverse route also (IPv6 only).
    -S srcaddr    Specifies the source address to use.
    -4            Forces using IPv4.
    -6            Forces using IPv6.

You can ping your local TCP/IP interface by typing ping 127.0.0.1 or ping localhost. Understand that both addresses represent the local interface. Really, you can use any address in the 127.0.0.0 network range to provide a loopback test.

As you can see, there’s a plethora of options you can use with the ping command from a Windows DOS prompt. But I really want you to focus on a few from the previous output. (I’m going to go over only a few of them, but you can get on your host machine and play with all the options.) The -a switch is very cool because if you have name resolution (such as a DNS server), you can see the name of the destination host even if you only know its IP address. The -n switch sets the number of echo requests to send, where four is the default, and the -w switch allows you to adjust the timeout in milliseconds. The default ping timeout is 1 second (1000ms). The -6 is also nice if you want to ping an IPv6 host. By the way, unless you really love typing 128-bit addresses, this is a wonderful example of how important name resolution is. And then there’s -t, which keeps the ping running.
Here’s an example of a ping to an IPv6 address:

    C:\Users\tlammle>ping -6 fe80::1063:16af:3f57:fff9

    Pinging fe80::1063:16af:3f57:fff9 from fe80::1063:16af:3f57:fff9%25 with 32 bytes of data:
    Reply from fe80::1063:16af:3f57:fff9: time<1ms
    Reply from fe80::1063:16af:3f57:fff9: time<1ms
    Reply from fe80::1063:16af:3f57:fff9: time<1ms
    Reply from fe80::1063:16af:3f57:fff9: time<1ms

    Ping statistics for fe80::1063:16af:3f57:fff9:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\Users\tlammle>

From a Mac you can use the ping6 command. Here are the options:

    $ ping6
    usage: ping6 [-DdfHmnNoqrRtvwW] [-a addrtype] [-b bufsiz] [-B boundif]
                 [-c count] [-g gateway] [-h hoplimit] [-I interface] [-i wait]
                 [-l preload] [-p pattern] [-S sourceaddr] [-s packetsize]
                 [-z tclass] [hops ...] host

And if I want to have a continuous ping, I just use that -t option like this:

    C:\Users\tlammle>ping -t 192.168.0.1

    Pinging 192.168.0.1 with 32 bytes of data:
    Reply from 192.168.0.1: bytes=32 time=7ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255

    Ping statistics for 192.168.0.1:
        Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 7ms, Average = 2ms
    Control-C
    ^C
    C:\Users\tlammle>

This ping will just keep going and going like the Energizer Bunny until you press Ctrl+C. And by the way, it’s an awesome tool for troubleshooting links.

Using the Address Resolution Protocol

The Address Resolution Protocol (ARP) is part of the TCP/IP protocol stack. It’s used to translate TCP/IP addresses to MAC addresses using broadcasts.
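The statistics block that ping prints at the end of each of the runs above (Sent, Received, Lost, Minimum, Maximum, Average) is easy to recompute from the reply lines, which is handy when you are collecting ping output from many hosts into a log. The following is an added example written for this guide, not code from the book: a small Python parser that reads the Windows reply forms shown above (time=7ms, the sub-millisecond time<1ms form, and Request timed out.) and rebuilds the statistics. The transcript it works on is constructed for the example.

```python
"""Parse Windows ping output and recompute the statistics ping prints.

Added example, not code from the book. It handles the reply forms shown
in the text ('time=7ms' and the sub-millisecond 'time<1ms' form, with or
without 'bytes=' and 'TTL=') plus 'Request timed out.' lines, and reports
the same Sent/Received/Lost and Minimum/Maximum/Average figures.
"""
import re

REPLY_RE = re.compile(
    r"^Reply from (\S+): (?:bytes=\d+ )?time([<=])(\d+)ms(?: TTL=\d+)?$"
)
TIMEOUT_RE = re.compile(r"^Request timed out\.$")

# Constructed sample: one probe of five lost, one sub-millisecond reply.
SAMPLE_PING = """\
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=7ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Request timed out.
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
"""


def parse_ping(output):
    """Return sent/received/lost/loss_pct and, if any reply, min/max/avg ms.

    A 'time<Nms' reply means the round trip took less than N ms; like
    ping's own statistics block this example counts it as 0 ms. The
    average uses integer division, matching the whole-millisecond
    figures ping prints.
    """
    times = []
    sent = 0
    for line in output.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            sent += 1
            op, ms = m.group(2), int(m.group(3))
            times.append(0 if op == "<" else ms)
        elif TIMEOUT_RE.match(line):
            sent += 1
    received = len(times)
    lost = sent - received
    stats = {
        "sent": sent,
        "received": received,
        "lost": lost,
        "loss_pct": (100 * lost // sent) if sent else 0,
    }
    if times:
        stats["min_ms"] = min(times)
        stats["max_ms"] = max(times)
        stats["avg_ms"] = sum(times) // len(times)
    return stats


def format_stats(target, stats):
    """Render the statistics in the layout Windows ping uses."""
    lines = [
        f"Ping statistics for {target}:",
        f"    Packets: Sent = {stats['sent']}, Received = {stats['received']}, "
        f"Lost = {stats['lost']} ({stats['loss_pct']}% loss),",
    ]
    if "avg_ms" in stats:
        lines += [
            "Approximate round trip times in milli-seconds:",
            f"    Minimum = {stats['min_ms']}ms, Maximum = {stats['max_ms']}ms, "
            f"Average = {stats['avg_ms']}ms",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_stats("192.168.0.1", parse_ping(SAMPLE_PING)))
```

Run it against the saved output of a ping -n 20 or a ping -t session and the loss percentage and round-trip spread tell you at a glance whether a link is flapping, which is the usual reason for leaving a continuous ping running in the first place.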
When a machine running TCP/IP wants to know which machine on an Ethernet network is using a certain IP address, it will send an ARP broadcast that says, in effect, “Hey…exactly who is IP address xxx.xxx.xxx.xxx?” The machine that owns the specific address will respond with its own MAC address, supplying the answer. The machine that made the inquiry will respond by adding the newly gained information to its own ARP table.

In addition to the normal usage, the ARP designation refers to a utility in Windows that you can use to manipulate and view the local workstation’s ARP table.

The Windows ARP Table

The ARP table in Windows includes a list of TCP/IP addresses and their associated physical (MAC) addresses. This table is cached in memory so that Windows doesn’t have to perform ARP lookups for frequently accessed TCP/IP addresses like those of servers and default gateways. Each entry contains an IP address and a MAC address plus a value for TTL that determines how long each entry will remain in the ARP table.

Remember that the ARP table contains two kinds of entries:

■ Dynamic
■ Static

Dynamic ARP table entries are created whenever the Windows TCP/IP stack performs an ARP lookup but the MAC address isn’t found in the ARP table. When the MAC address of the requested IP address is finally found, or resolved, that information is then added into the ARP table as a dynamic entry. Whenever a request to send a packet to the host is sent to the Data Link layer, the ARP cache is checked first before an ARP broadcast is sent out. Remember, the ARP request is broadcast on the local segment—it does not go through a router. The ARP table is cleared of dynamic entries whose TTL has expired to ensure that the entries are current.

Static ARP table entries serve the same function as dynamic entries but are made manually using the arp utility.
Using the arp Utility

You now know that ARP is a protocol included in the TCP/IP suite. You also understand that ARP is used by IP to determine the MAC address of a device that exists on the same subnet as the requesting device. When a TCP/IP device needs to forward a packet to a device on the local subnet, it first looks in its own table, called an ARP cache or MAC address lookup table, for an association between the known IP address of the destination device on the local subnet and that same device’s MAC address. The cache is called that because the contents are periodically weeded out. If no association that includes the destination IP address can be found, the device will then send out an ARP broadcast that includes its own MAC and IP information as well as the IP address of the target device and a blank MAC address field. Filling in that blank is the object of the whole operation—it’s the unknown value that the source device is requesting to be returned to it in the form of an ARP reply.

Windows includes a utility called arp that allows us to check out the operating system’s ARP cache. To view this, from a Windows DOS prompt, use the arp command like this:

    C:\Users\tlammle>arp

    Displays and modifies the IP-to-Physical address translation tables used by
    address resolution protocol (ARP).

    ARP -s inet_addr eth_addr [if_addr]
    ARP -d inet_addr [if_addr]
    ARP -a [inet_addr] [-N if_addr] [-v]

Table 17.2 describes the various options that you can use with the arp command.

TABLE 17.2 arp options

    Option      Description
    -a          Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
    -g          Same as -a.
    -v          Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface will be shown.
    inet_addr   Specifies an Internet address.
    -N          Displays the ARP entries for the network interface specified by if_addr.
    -d          Deletes the host specified by inet_addr. inet_addr may be wildcarded with * to delete all hosts.
    -s          Adds the host, and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as six hexadecimal bytes separated by hyphens. The entry is permanent.
    eth_addr    Specifies a physical address.
    if_addr     If present, specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.

Sheesh. Looking at that output really makes me wish we were all just running IPv6 because, as you already should know, IPv6 doesn’t need ARP as well as many other annoying features and protocols required when running IPv4.

Of note, the Windows arp utility is primarily useful for resolving duplicate IP addresses. For example, let’s say your workstation receives its IP address from a DHCP server but it accidentally receives the same address that some other workstation gets. And so, when you try to ping it, you get no response. Your workstation is basically confused—it’s trying to determine the MAC address, and it can’t because two machines are reporting that they have the same IP address. To solve this little snag, you can use the arp utility to view your local ARP table and see which TCP/IP address is resolved to which MAC address.
To display the entire current ARP table, use the arp command with the -a switch like so to show you the MAC address lookup table:

    C:\Users\tlammle>arp -a

    Interface: 192.168.0.6 --- 0xb
      Internet Address      Physical Address      Type
      192.168.0.1           00-15-05-06-31-b0     dynamic
      192.168.0.255         ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static
      255.255.255.255       ff-ff-ff-ff-ff-ff     static

    Interface: 10.100.10.54 --- 0x10
      Internet Address      Physical Address      Type
      10.100.10.1           00-15-05-06-31-b0     dynamic
      10.100.10.255         ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static

By the way, the -g switch will produce the same result.

Now, from this output, you can tell which MAC address is assigned to which IP address. Then, for static assignments, you can tell which workstation has a specific IP address and if it’s indeed supposed to have that address by examining your network documentation—you do have that record, right? For DHCP-assigned addresses, you can begin to uncover problems stemming from multiple DHCP scopes or servers doling out identical addresses and other common configuration issues. And remember that under normal circumstances, you shouldn’t see IP addresses in the ARP table for a given interface that aren’t members of the same IP subnet as the interface. If the machine has more than one network card (as may happen in Windows servers and on laptops with both Ethernet and wireless cards), each interface will be listed separately.

It’s good to know that in addition to displaying the ARP table, you can use the arp utility to manipulate the table itself. To add static entries to the ARP table, you use the arp command with the -s switch. These static entries will stay in the ARP table until the machine is rebooted.
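Two of the checks just described are mechanical enough to script: whether an interface’s table holds unicast addresses from outside its own subnet, and which IP addresses have changed MAC between two views of the table, which is what the duplicate-address situation looks like from the ARP cache (a single snapshot can only hold one MAC per IP, so it is the change over time that gives the conflict away). The following is an added example for this guide, not code from the book: a Python parser for the arp -a layout shown above plus the two checks. arp -a does not print the subnet mask, so the prefix length per interface is supplied by the caller; both snapshots are constructed for the example.

```python
"""Parse 'arp -a' output and compare snapshots of it.

Added example, not code from the book. parse_arp() reads the per-interface
tables in the layout the text shows. off_subnet() applies the rule that an
interface's table should not normally hold unicast addresses from another
subnet (the prefix length per interface is passed in, since arp -a does
not print it). changed_macs() compares two snapshots taken at different
times and reports IP addresses whose MAC changed, the trace a duplicate
IP address leaves in the ARP table. Both snapshots are constructed.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---\s+0x[0-9a-fA-F]+$")
ENTRY_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)$"
)

# Constructed snapshot: one unicast entry (10.0.0.9) is outside 192.168.0.0/24.
SNAPSHOT_A = """\
Interface: 192.168.0.6 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-15-05-06-31-b0     dynamic
  192.168.0.20          00-11-22-33-44-55     dynamic
  10.0.0.9              00-aa-bb-cc-dd-ee     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same host a little later; 192.168.0.20 now answers from a different MAC.
SNAPSHOT_B = SNAPSHOT_A.replace("00-11-22-33-44-55", "00-11-22-33-44-66")


def parse_arp(output):
    """Return {interface_ip: {ip: (mac, type)}} from arp -a text."""
    tables = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = (m.group(2).lower(), m.group(3))
    return tables


def is_unicast_mac(mac):
    """Broadcast (ff-...) and multicast (01-00-5e-... for IPv4) MACs carry the
    group bit, the low bit of the first octet; unicast MACs do not."""
    return int(mac.split("-")[0], 16) & 1 == 0


def off_subnet(output, prefix_lengths):
    """prefix_lengths: {interface_ip: prefix_len}. Returns
    {interface_ip: [ip, ...]} listing unicast entries outside that subnet."""
    findings = {}
    for iface, entries in parse_arp(output).items():
        if iface not in prefix_lengths:
            continue  # no mask known for this interface; nothing to check
        net = ipaddress.ip_network(f"{iface}/{prefix_lengths[iface]}", strict=False)
        odd = [ip for ip, (mac, _) in entries.items()
               if is_unicast_mac(mac) and ipaddress.ip_address(ip) not in net]
        if odd:
            findings[iface] = odd
    return findings


def changed_macs(before, after):
    """Return {(interface_ip, ip): (old_mac, new_mac)} for entries present in
    both snapshots whose MAC address differs."""
    old, new = parse_arp(before), parse_arp(after)
    changes = {}
    for iface, entries in new.items():
        for ip, (mac, _) in entries.items():
            prev = old.get(iface, {}).get(ip)
            if prev and prev[0] != mac:
                changes[(iface, ip)] = (prev[0], mac)
    return changes


if __name__ == "__main__":
    print(off_subnet(SNAPSHOT_A, {"192.168.0.6": 24}))
    print(changed_macs(SNAPSHOT_A, SNAPSHOT_B))
```

An IP address whose MAC flips between two snapshots is exactly the case to take to your network documentation (or the DHCP server’s lease list) to find out which of the two machines should own that address.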
A static entry essentially hardwires a specific IP address to a specific MAC address so that when a packet needs to be sent to that IP address, it will automatically be sent to that MAC address. Here’s the syntax:

    arp -s [IP Address] [MAC Address]

Simply replace the [IP Address] and [MAC Address] sections with the appropriate entries, like so:

    arp -s 204.153.163.5 00-a0-c0-ab-c3-11

Now, take a look at your new ARP table by using the arp -a command. You should see something like this:

    Internet Address      Physical Address      Type
    204.153.163.5         00-a0-c0-ab-c3-11     static

Finally, if you want to delete entries from the ARP table, you can either wait until the dynamic entries time out or use the -d switch with the IP address of the static entry you’d like to delete, like this:

    arp -d 204.153.163.5

Doing so effectively deletes the entry from the ARP table in memory. The arp utility doesn’t confirm successful additions or deletions (use arp -a or arp -g for that), but it will give you an error message if you use incorrect syntax.

Using the nslookup Utility

Whenever you’re configuring a server or a workstation to connect to the Internet, you’ve got to start by configuring DNS if you want name resolution to happen (that is, if you want to be able to type www.sybex.com instead of an IP address). When configuring DNS, it’s a very good thing to be able to test what IP address DNS is returning to ensure that it’s working properly. The nslookup utility allows you to query a name server and quickly find out which name resolves to which IP address.

The Unix dig (short for domain information groper) utility does the exact same thing as nslookup. It’s primarily a command-line utility that allows you to perform a single DNS lookup for a specific entity, but it can also be employed in batch mode for a series of lookups.
Detailed information on this command is beyond the scope of this study guide, but you can find more information on the Web by searching for “unix dig.”

The nslookup utility comes with Windows NT and later as well as most versions of Unix and Linux, but not with Windows 95/98. You can run it from a Windows command prompt. At the command prompt, you can start the nslookup utility by typing nslookup and pressing Enter. When you’re inside this utility, the command prompt will change from something similar to a C:\> sign to a shorter > sign. It will also display the name and IP address of the default DNS server you will be querying (you can change it, if necessary). Then you can start using nslookup. The following output gives you a sample of the display after the nslookup command has been entered at the C:\> prompt.

    C:\Users\tlammle>nslookup
    Default Server: gnt-corpdc1.globalnet.local
    Address: 10.100.36.12

    >

The primary job of nslookup is to tell you the many different features of a particular domain name, the names of the servers that serve it, and how they’re configured. To get that, just type in a domain name at the > prompt, and the nslookup utility will then return this information:

    > lammle.com
    Server: dslmodem.domain.actdsltmp
    Address: 192.168.0.1

    Non-authoritative answer:
    Name: lammle.com
    Address: 206.123.114.186

What this tells you is that the server that returned the information is not responsible (authoritative) for the zone information of the domain for which you requested an address and that the name server for the domain lammle.com is located at the IP address 206.123.114.186.

You can also ask nslookup for other information by setting a different option within nslookup. Just type set option at the > prompt and replace option with the actual option you want to use—for example, use set type=mx at the > prompt to determine the IP address of your email server.
If you can’t decide which one you want, use the question mark (?) at the greater than sign (>) to see all available options. If you type in nslookup and receive the reply

    NS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 206.123.114.186: Timed out
    Default Server: UnKnown
    Address: fec0:0:0:ffff::1

then you know your DNS servers are not answering. You need to get over to the DNS server, stat!

Resolving Names with the Hosts Table

The Hosts table is really a lot like DNS, except its entries are static for each and every host and server. Within the Hosts table, you’ll find a collection of hostnames that devices reference for name-resolution purposes. And even though it works in both IPv4 and IPv6 environments, it’s unlikely you will use it these days because the Hosts table is a way-ancient relic left over from old Unix machines. But just because it’s museum quality doesn’t mean you won’t run into it now and then, which is the main reason I’m showing it to you.

You can find the Hosts table in C:\Windows\System32\drivers\etc. Just double-click the file, and then choose to open the file in Notepad or another text editor. Here’s the default information—it’s really nothing more than an explanation of how to use it and the local hosts for both IP and IPv6:

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost
    ::1             localhost

Any information entered to the right of a pound sign (#) in a Hosts file is ignored, so you can use this space for comments.

Because it’s a plain ASCII text file, you add the IP address under the local hosts and then the name to which you want to resolve the IP address. It’s a pretty simple configuration, and again, one I don’t recommend using because you have to type in the names of every host on every machine in your network. DNS is definitely the name resolution of choice for networks today.

Do not get the Hosts table confused with the hostname command. The hostname command doesn’t do much but display the name of your host, as shown here:

    C:\Users\tlammle>hostname /?
    Prints the name of the current host.

    hostname

    C:\Users\tlammle>hostname
    globalnet-todd

Using the Mtr Command (pathping)

Mtr, or My traceroute, is a computer program that combines the functions of the traceroute and ping utilities in a single network diagnostic tool. It also adds round-trip time and packet loss to the output—very cool. Mtr probes routers on the route path by limiting the number of hops individual packets are allowed to traverse and listening to news of their termination. It will regularly repeat this process (usually once per second) and keep track of the response times of the hops along the path.

Mtr is great if you have Linux or Unix, but by default, it’s not installed on Windows devices. Third-party applications of Mtr are available to install on Windows, but Microsoft did respond with its own version of Mtr—it’s called pathping and it provides the same functions as Mtr.
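The Hosts file format just shown (address in the first column, one or more names after it, anything from # to the end of the line ignored) is simple enough to parse in a few lines, and doing so is the quickest way to audit a table that has been maintained by hand on many machines. Here is an added example for this guide, not code from the book: a Python parser with a lookup that returns the first matching entry for the requested address family, and a duplicates check that lists names mapped to more than one address in the same family. The file content is constructed for the example (the localhost lines follow the default file above; the other entries are invented).

```python
"""Parse a hosts file and resolve names from it.

Added example, not code from the book. The format is the one shown in
the text: one mapping per line, the IP address in the first column, one
or more host names after it, and everything from '#' to end of line
ignored. lookup() returns the first matching entry for the address
family asked for; duplicates() lists names that are mapped more than
once in the same family. The file content below is constructed.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
10.100.36.12    gnt-corpdc1.globalnet.local   gnt-corpdc1   # constructed entry
192.168.0.50    printer
192.168.0.51    printer   # stale duplicate (constructed)
"""


def parse_hosts(text):
    """Return a list of (ip_address, [names]) in file order.

    Comment text, blank lines, lines without a host name and lines whose
    first column is not a valid address are skipped rather than treated
    as errors, which is how a resolver handles them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((addr, [name.lower() for name in fields[1:]]))
    return entries


def lookup(text, name, family=4):
    """Resolve name from the hosts file (case-insensitive); first match wins.
    Returns the address as a string, or None if the name is not listed."""
    name = name.lower()
    for addr, names in parse_hosts(text):
        if addr.version == family and name in names:
            return str(addr)
    return None


def duplicates(text):
    """Return {name: [addresses]} for names mapped more than once within one
    address family (the same name on an IPv4 and an IPv6 line is normal)."""
    seen = {}
    for addr, names in parse_hosts(text):
        for name in names:
            seen.setdefault((name, addr.version), []).append(str(addr))
    return {name: addrs for (name, _), addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    print(lookup(SAMPLE_HOSTS, "GNT-CORPDC1"))
    print(duplicates(SAMPLE_HOSTS))
```

Because the resolver consults the Hosts file before it asks DNS, a stale or unexpected line here overrides whatever your name server returns, so running the duplicates check (and eyeballing any entry for a name you did not add) is a reasonable first step when a single machine resolves a name differently from the rest of the network.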
Here’s a look at the output and the options:

    C:\Users\tlammle>pathping

    Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]
                    [-p period] [-q num_queries] [-w timeout]
                    [-4] [-6] target_name

Table 17.3 lists the options of the Windows pathping command.

TABLE 17.3 pathping options

    Option            Description
    -g host-list      Uses a loose source route along the host-list.
    -h maximum_hops   Specifies the maximum number of hops to search for the target.
    -i address        Uses the specified source address.
    -n                Does not resolve addresses to hostnames.
    -p period         Waits period milliseconds between pings.
    -q num_queries    Specifies the number of queries per hop.
    -w timeout        Waits timeout milliseconds for each reply.
    -4                Forces using IPv4.
    -6                Forces using IPv6.

The Mtr utility is basically the same as traceroute and ping, but it does give you some additional output that can help you troubleshoot your network.

Using the route Command

I went over static routing in Chapter 9, “Introduction to IP Routing,” so you know that Windows devices like routers perform routing. Most of the time, it’s a good idea to leave Windows alone, but it’s still good to know how to add and delete routes on your Windows machines.

Probably the biggest reason for manipulating the routing table on a Windows server is to create a firewall. For instance, let’s say we’re running an Application layer firewall on a Windows server located between the demilitarized zone (DMZ) and the internal network. This scenario would mean the routing that’s happening on the server or hosts located in the DMZ wouldn’t be able to reach the internal network’s hosts and vice versa. To circumvent this problem, we would need to employ both static and default routing because Windows Vista, Windows 7/8, and Server 2008/2012 don’t support routing protocols—running routing protocols on hosts and servers wouldn’t be a good solution for today’s networks, and Microsoft knows that.
To view the routing table on a Windows device, use the route print command, as shown in Figure 17.5.

FIGURE 17.5 route print output

In this output, you can see that each of the routes were added automatically when the system booted up. (This is all based on the configuration of your IP stack.) To see all the options available with the route command, type the route command and then press Enter.

To add a route to your routing table, use the following syntax:

    route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

Using the route Command Options

Let’s start with the switches you can use:

-f  Using this command with any of the options like add, change, or delete will clear the routing table of all entries that aren’t host routes (routes with the subnet mask 255.255.255.255), the loopback network route(s) (routes with a destination of 127.0.0.0 and the subnet mask 255.0.0.0), and any multicast routes (those with a destination of 224.0.0.0 and the subnet mask 240.0.0.0).

-p  If you use this with the add command, the individual route will be added to the Registry and then used to initialize the IP routing table whenever TCP/IP is started. Important to remember is that by default, the routes you’ve statically added won’t remain in the routing table the next time TCP/IP boots. And if you use -p with the print command, you’ll get shown a list of the persistent routes that are stored in the Registry location of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes.

Now, let’s take a look at how and when you would use the route command. Table 17.4 shows the command options available and what they do when you are using the route command with them.

TABLE 17.4 route command options

    Command   Purpose
    add       Adds a route
    change    Modifies an existing route
    delete    Deletes a route(s)
    print     Prints a route(s)

Here’s a description of some other tasks you can accomplish via the rest of the command’s options:

destination  This will give you the network destination of a given route. If the host bits of the network address are set to 0, it will be depicted with the destination’s IP network address, an IP address for a specific host route, or the default route of 0.0.0.0.

mask netmask  This will provide you with the netmask—often referred to as the subnet mask—that’s associated with the destination network. The default destination subnet mask is 0.0.0.0, and typically you’ll see 255.255.255.255 representing a host route. It’s really important to remember that the destination address can’t be more specific than its corresponding subnet mask. What I’m saying is that there absolutely can’t be a bit set to 1 in the destination address if the equivalent bit in the subnet mask is a 0.

gateway  The gateway also depends on the network address and subnet mask, but it’s even more specific and delimits what’s called the next-hop IP address. For routes located on a local subnet, the gateway address maps directly to a particular interface. If the destination is on a remote network, the gateway IP address will direct packets to the neighboring router.

metric metric  Metric refers to the cost of a given route from the sending to the receiving device, and it’s a value between 1 and 9999. Devices use this value to choose the best, or most efficient, routes among those in its routing table—the route with the lowest value wins. This decision can also include factors like the number of hops and the speed, reliability, and available bandwidth of the path being considered plus the various administrative aspects associated with it.
if interface  This tool depends on information from the gateway address and determines the interface index for the specific interface that needs to receive the data. You can get a list of interfaces along with their relevant interface indexes by typing the route print command.

/?  Using this will allow you to view help at the command prompt.

Some Examples of the route Command

Even though the finer points of the route command demand that you use caution when deploying some of the options, I’ll still list the basics of the route command because it can be really useful. I highly recommend that you spend some time practicing them on a nonproduction server, though—especially at first.

■ To display the entire IP routing table, type route print.
■ To add a default route with the default gateway address 192.168.10.1, type route add 0.0.0.0 mask 0.0.0.0 192.168.10.1.
■ To add a route to the destination 10.1.1.0 with the subnet mask 255.255.255.0 and the next-hop address 10.2.2.2, type route add 10.1.1.0 mask 255.255.255.0 10.2.2.2.
■ If you want to, let’s say, add a persistent route to the destination 10.100.0.0 with the subnet mask 255.255.0.0 and the next-hop address 10.2.0.1, type route -p add 10.100.0.0 mask 255.255.0.0 10.2.0.1.
■ If you want to delete the route to the destination 10.100.0.0 with the subnet mask 255.255.0.0, enter route delete 10.100.0.0 mask 255.255.0.0.
■ And finally, if you want to change the next-hop address of a route with the destination 10.100.0.0 and the subnet mask 255.255.0.0 from 10.2.0.1 to 10.7.0.5, type route change 10.100.0.0 mask 255.255.0.0 10.7.0.5.

Let’s move on to some other important Windows utilities.

Using the nbtstat Utility

Microsoft Windows uses an interface called Network Basic Input/Output System (NetBIOS), which relates names with workstations and is an upper-layer interface that requires a transport protocol—usually TCP/IP. But IPv6 can be used as well.
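Before leaving the route command: two of the rules stated in its option descriptions are worth seeing applied, namely that a destination may not have a 1 bit where its mask has a 0 bit, and that among matching routes the lowest metric wins. The following is an added example for this guide, not code from the book. It builds a small table from the route add examples listed above (the metrics are constructed), refuses to emit a route add line for an inconsistent destination/mask pair, and picks the route a packet would take using the usual longest-prefix match first and the metric as the tie-breaker, so a /24 route still beats the 0.0.0.0 default whatever the metrics say.

```python
"""Check a Windows-style IP routing table and pick routes from it.

Added example, not code from the book. valid_route() enforces the rule
from the text that no destination bit may be 1 where the netmask bit is
0; route_command() builds the 'route add' line for a route and refuses
an inconsistent one; select_route() applies longest-prefix match and
then the lowest metric. The table is built from the route add examples
in the text with constructed metrics.
"""
import ipaddress

# (destination, netmask, gateway, metric); metrics are constructed
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.10.1", 10),
    ("10.1.1.0", "255.255.255.0", "10.2.2.2", 20),
    ("10.100.0.0", "255.255.0.0", "10.2.0.1", 20),
    ("10.100.0.0", "255.255.0.0", "10.7.0.5", 5),
]


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def valid_route(destination, netmask):
    """True only if no host bit is set outside the netmask."""
    return (_as_int(destination) & ~_as_int(netmask)) == 0


def route_command(destination, netmask, gateway, metric=None, persistent=False):
    """Build the 'route add' line for a route, refusing an inconsistent one.
    Metrics must lie in 1..9999, the range the text gives."""
    if not valid_route(destination, netmask):
        raise ValueError(f"{destination} has host bits outside mask {netmask}")
    if metric is not None and not 1 <= metric <= 9999:
        raise ValueError("metric must be between 1 and 9999")
    parts = ["route"]
    if persistent:
        parts.append("-p")
    parts += ["add", destination, "mask", netmask, gateway]
    if metric is not None:
        parts += ["metric", str(metric)]
    return " ".join(parts)


def select_route(routes, target):
    """Return the (destination, netmask, gateway, metric) tuple a packet to
    target would use, or None if nothing matches.

    A route matches when target AND netmask equals its destination. The
    longest netmask wins; among equal masks the lowest metric wins.
    """
    t = _as_int(target)
    best_key, best = None, None
    for dest, mask, gateway, metric in routes:
        if not valid_route(dest, mask):
            raise ValueError(f"invalid route {dest} mask {mask}")
        m = _as_int(mask)
        if t & m != _as_int(dest):
            continue
        key = (bin(m).count("1"), -metric)  # more prefix bits, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, (dest, mask, gateway, metric)
    return best


if __name__ == "__main__":
    for target in ("10.1.1.77", "10.100.3.3", "8.8.8.8"):
        print(target, "->", select_route(ROUTES, target))
```

Checking a route with valid_route() before typing it in is cheap insurance on a production box: route itself will reject the inconsistent pair, but only after you have already made the change to the live table in your head.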
Deploying the nbtstat utility will achieve these three important things:

■ Track NetBIOS over TCP/IP statistics
■ Show the details of incoming and outgoing NetBIOS over TCP/IP connections
■ Resolve NetBIOS names

Understand that because NetBIOS name resolution is primarily a Windows network utility, the nbtstat command is available only in Windows-based operating systems.

To display a basic description of nbtstat and its associated options, type nbtstat at the command line. Then, use these options to get a display of information about NetBIOS over TCP/IP hosts. Here are some of the tools, or switches, you can use:

    -a  -A  -c  -n  -r  -R  -S  -s

All nbtstat switches are case sensitive. Generally speaking, lowercase switches deal with NetBIOS names of hosts, and the uppercase ones deal with the TCP/IP addresses of hosts.

The -a Switch

Making use of the -a switch will get you a remote machine’s NetBIOS name table consisting of a list of every NetBIOS name the machine from which you’ve deployed the switch knows of. The -a switch produced the output from server S1 shown in Figure 17.6.

FIGURE 17.6 Sample output of the nbtstat -a command

So, using this switch arranges the NetBIOS name-table information in table form with output in four columns. The Name column displays the NetBIOS name entry for the remote host machine. The next column gives you a unique two-digit hexadecimal identifier for the NetBIOS name. This identifier represents the last byte of the NetBIOS name depicted in the Name column, and it’s important because the same name could actually be used several times for the same machine. Plus, it identifies the specific service on the particular host that the name is referencing. Table 17.5 and Table 17.6 list the hexadecimal identifiers for unique and group hostnames.

TABLE 17.5 Last-byte identifiers for unique names

    Hex ID   Description
    00       General name for the computer.
    03       Messenger service ID used to send messages between a WINS server and a workstation. This is the ID registered with a WINS server.
    06       Remote Access Server (RAS) server service ID.
    20       File-serving service ID.
    21       RAS client.
    53       DNS.
    123      Network Time Protocol (NTP).
    1B       Domain master browser ID. A NetBIOS name with this ID indicates the domain master browser.
    1F       Network Dynamic Data Exchange (NetDDE) service ID.
    BE       Network monitor agent ID.
    BF       Network monitor utility ID.

The Type column refers to (surprise) the type of NetBIOS name being referenced. Unique NetBIOS names refer to individual hosts, and group names refer to logical groupings of workstations—either domains or workgroups. The Status column gives you information about the status of a host’s NetBIOS even if it hasn’t been registered with the rest of the network.

TABLE 17.6 Last-byte identifiers for group names

    Hex ID   Description
    01       Master browser for a domain to other master browsers.
    20       Internet group name ID. This ID is registered with the WINS server to indicate which computers are used for administrative purposes.
    1C       Domain group name ID.
    1D       Master browser name.
    1E       Normal group name.

The -A Switch

The -A switch works just like the -a switch and will give you the same output, but the syntax of the command is different. Obviously, you use an uppercase A instead of a lowercase one, and you also have to include the host’s IP address instead of its NetBIOS name. To use it, type nbtstat followed by -A and finally the IP address of the specific host whose NetBIOS table you want to check out:

    nbtstat -A 199.153.163.2

The -c Switch

Use the -c switch to display the local NetBIOS name cache on the workstation it’s running on. Figure 17.7 shows sample output of the nbtstat -c command.

FIGURE 17.7 Sample output of the nbtstat -c command

Each entry in this display shows the NetBIOS name, the hex ID for the service that was accessed, the type of NetBIOS name (unique or group), the IP address that the name resolves to, and its life. The Life value shows how many seconds each entry will live in the cache. When this time expires, the entry will be deleted.

Sometimes, deploying nbtstat to display the cache will get you the response “No names in the cache” because all entries in the cache have expired. This is what happens if you don’t regularly access machines or services with NetBIOS names.

The -n Switch

The -n switch will give you the local NetBIOS name table on a Windows device. Figure 17.8 shows output that’s similar to the output of the -a switch except for one important thing: What you’re seeing is the NetBIOS name table for the machine you’re running the command on instead of that of another host. Check it out.

FIGURE 17.8 Sample output of the nbtstat -n command

The -r Switch

This switch is probably the one you’ll use most often when you want to get a hold of NetBIOS over TCP/IP (NBT) statistics because it tells you exactly how many NetBIOS names have been resolved to TCP/IP addresses. Figure 17.9 shows sample output of the nbtstat -r command.

What you can see here is that the statistics are divided into two categories. First, there are the NetBIOS names resolution and registration statistics. This is how many names have been resolved or registered either by broadcasts on the local segment or via lookup from a WINS name server. Next you have the NetBIOS unique and group names and their associated hex IDs that were resolved or registered. In Figure 17.9, you can see that there’s a distinct lack of information regarding names resolved by a name server.
What this means is that the output is telling you that there’s no WINS server operating—instead, all NetBIOS names were resolved by broadcast only.

FIGURE 17.9 Sample output of the nbtstat -r command

The -r switch comes in handy when you want to determine how a workstation is resolving NetBIOS names and whether WINS is configured correctly. If WINS isn’t configured correctly or it’s simply not being used, the numbers in the Resolved By Name Server and Registered By Name Server categories will always be zero.

The -R Switch

Unlike the -a and -A switches, -r and -R use the same letter but do not have anything in common. Here’s an example. Let’s say you have a bad name in the NetBIOS name cache but the right name is in the LMHOSTS file instead. (The LMHOSTS file contains NetBIOS names of stations and their associated IP addresses.) Because the cache is consulted before the LMHOSTS file is, that bad address will remain in the cache until it expires. This command is used when you want to purge the NetBIOS name table cache and reload the LMHOSTS file into memory. You do that using the nbtstat command with the -R switch, like so:

    nbtstat -R

You can practice this nbtstat -R command on your host to purge the NBT remote cache table.

The -S Switch

Using the -S switch will display the NetBIOS sessions table that lists all NetBIOS sessions to and from the host from which you issued the command. The -S switch displays both workstation and server sessions but lists remote addresses by IP address only. Figure 17.10 shows sample output of the nbtstat -S command.

FIGURE 17.10 Sample output of the nbtstat -S command

Here you can see the NetBIOS name being displayed along with its hex ID and the status of each session.
An entry in the In/Out column determines whether the connection has been initiated from the computer on which you’re running nbtstat (outbound) or whether another computer has initiated the connection (inbound). The numbers in the Input and Output columns indicate in bytes the amount of data transferred between the stations.

The –s Switch

As with the –A and –a switches, the lowercase –s switch is similar to its uppercase sibling. The nbtstat –s command produces the same output as nbtstat –S except that it will also attempt to resolve remote-host IP addresses into hostnames. Figure 17.11 shows sample output from the nbtstat –s command.

FIGURE 17.11 Sample output of the nbtstat –s command

Note the similarities between Figure 17.10 and Figure 17.11. As with the netstat command, with the nbtstat command you can place a number for an interval at the end to direct it to run once every so many seconds until you press Ctrl+C.

Using the netstat Utility

Using netstat is a great way to check out the inbound and outbound TCP/IP connections on your machine. You can also use it to view packet statistics like how many packets have been sent and received, the number of errors, and so on.

When used without any options, netstat produces output similar to the following, which shows all the outbound TCP/IP connections. This utility is a great tool to use to determine the status of outbound web connections.
Take a look:

C:\Users\tlammle>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:49545     gnt-exchange:epmap     TIME_WAIT
  TCP    10.100.10.54:49548     gnt-exchange:epmap     TIME_WAIT
  TCP    10.100.10.54:49551     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:49557     gnt-exchange:1026      ESTABLISHED
  TCP    10.100.10.54:49590     gnt-exchange:epmap     TIME_WAIT
  TCP    127.0.0.1:49174        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:49174   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:49170      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:49171      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:49473      205.128.92.124:http    CLOSE_WAIT
  TCP    192.168.0.6:49625      64-190-251-21:ftp      ESTABLISHED
  TCP    192.168.0.6:49628      210-11:http            ESTABLISHED
  TCP    192.168.0.6:49629      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49630      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49631      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49632      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49635      199.93.62.125:http     ESTABLISHED
  TCP    192.168.0.6:49636      m1:http                ESTABLISHED
  TCP    192.168.0.6:49638      spe:http               ESTABLISHED

The Proto column lists the protocol being used. You can see that I’m connected to my Exchange server and an FTP server and that I have some HTTP sessions open; by the way, all of them use TCP at the Transport layer. The Local Address column lists the source address and the source port (source socket). The Foreign Address column lists the address of the destination machine (the hostname if it’s been resolved). If the destination port is known, it will show up as the well-known port. In the previous output, you see http instead of port 80 and ftp instead of port 21. The State column indicates the status of each connection. This column shows statistics only for TCP connections because User Datagram Protocol (UDP) establishes no virtual circuit to the remote device.
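A short way to read a listing like the one above is to parse it and count the State column, which is also how the pattern described later under “Uses for netstat” (many outbound connections stuck in SYN_SENT, plus a connection to a port you never expected) shows up. This is an added Python example, not code from the book; the sample listing is constructed (a few rows copied from above, the rest made up), and the expected-port set and SYN_SENT limit are assumptions to tune for your own host.

```python
"""Summarize a Windows netstat 'Active Connections' listing.

Added example, not from the book. The sample text is constructed: some rows
are taken from the listing above, the rest are made up to show the pattern
described later under "Uses for netstat".
"""
from collections import Counter

# Service names netstat substitutes for well-known ports (http for 80, ftp for
# 21); netstat -n would print the numbers instead. epmap, nbname and
# nbdatagram are the other names this chapter mentions.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "smtp": 25,
                 "epmap": 135, "nbname": 137, "nbdatagram": 138}

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:49551     gnt-exchange:1151      ESTABLISHED
  TCP    192.168.0.6:49473      205.128.92.124:http    CLOSE_WAIT
  TCP    192.168.0.6:49625      64-190-251-21:ftp      ESTABLISHED
  TCP    192.168.0.6:49629      varp1:http             ESTABLISHED
  TCP    192.168.0.6:51001      203.0.113.9:6667       ESTABLISHED
  TCP    192.168.0.6:51002      198.51.100.20:445      SYN_SENT
  TCP    192.168.0.6:51003      198.51.100.21:445      SYN_SENT
  TCP    192.168.0.6:51004      198.51.100.22:445      SYN_SENT
  UDP    192.168.0.6:nbname     *:*
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port). Port becomes an int; a service name is
    looked up in SERVICE_PORTS; the UDP wildcard '*:*' yields None."""
    host, _, port = endpoint.rpartition(":")
    if port == "*":
        return host, None
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port))


def parse_netstat(text):
    """Return one dict per connection row. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank and header lines
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else None})
    return rows


def summarize(rows, expected_ports=frozenset({21, 25, 80, 135, 443, 1026, 1151}),
              syn_sent_limit=3):
    """Count TCP states and flag what the chapter says to look for: many
    half-open outbound connections, and remote ports you do not recognise.
    expected_ports and syn_sent_limit are assumptions, not netstat settings."""
    states = Counter(r["state"] for r in rows if r["proto"] == "TCP")
    findings = []
    # Many SYN_SENT rows at once mean the host is trying to reach lots of
    # peers that are not answering, which is what the worm story describes.
    if states["SYN_SENT"] >= syn_sent_limit:
        findings.append(f"{states['SYN_SENT']} outbound connections in SYN_SENT")
    for r in rows:
        if r["proto"] == "TCP" and r["fport"] not in expected_ports:
            findings.append(f"unexpected remote port {r['fport']} on {r['fhost']}")
    return {"states": dict(states), "findings": findings}


if __name__ == "__main__":
    for finding in summarize(parse_netstat(SAMPLE))["findings"]:
        print(finding)
```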
Usually, this column indicates ESTABLISHED when a TCP connection between your computer and the destination computer has been established. All sessions eventually time out and then close, and you can see that I have all of these listed in my netstat output.

If the address of either your computer or the destination computer can be found in the HOSTS file on your computer, the destination computer’s name, rather than the IP address, will show up in either the Local Address or Foreign Address column.

The output of the netstat utility depends on the switch. By using the netstat /? command, we can see the options available to us.

C:\Users\tlammle>netstat /?

All of the netstat switch options are listed in Table 17.7.

TABLE 17.7 netstat options

Option      Description

-a          Displays all connections and listening ports.

-b          Displays the executable involved in creating each connection or listening port. In some cases, well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case, the executable name is in [ ] at the bottom; on top is the component it called, and so forth, until TCP/IP was reached. Note that this option can be time consuming and will fail unless you have sufficient permissions.

-e          Displays Ethernet statistics. This may be combined with the -s option.

-f          Displays fully qualified domain names (FQDNs) for foreign addresses.

-n          Displays addresses and port numbers in numerical form.

-o          Displays the owning process ID associated with each connection.

-p proto    Shows connections for the protocol specified by proto; proto may be TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-r          Displays the routing table.

-s          Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

-t          Displays the current connection offload state.

interval    Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics. If -t is omitted, netstat will print the current configuration information once.

Simply type netstat followed by a space and then the particular switch you want to use. Some switches have options, but no matter what, the syntax is basically the same. Note that with Unix-type switches, the hyphen absolutely must be included. This is common in Microsoft operating systems for TCP/IP utilities that originate from Unix systems. I’m not going to exhaustively go over each and every switch, but make sure you practice all of these on your own Windows machine.

The –a Switch

When you use the –a switch, the netstat utility displays all TCP/IP connections and all UDP connections. Figure 17.12 shows sample output produced by the netstat –a command.

FIGURE 17.12 Sample output of the netstat –a command

The last two entries in Figure 17.12 show that the protocol is UDP and give the source-port nicknames nbname and nbdatagram. These are the well-known port numbers of 137 and 138, respectively. These port numbers are commonly seen on networks that broadcast the NetBIOS name of a workstation on the TCP/IP network. You can tell that this is a broadcast because the destination address is listed as *:* (meaning “any address, any port”). The State column in Figure 17.12 has no entry for the UDP rows because UDP is not a connection-oriented protocol and, therefore, has no connection state.

The most common use for the –a switch is to check the status of a TCP/IP connection that appears to be hung. You can determine if the connection is simply busy or is actually hung and no longer responding.
The –e Switch

The –e switch displays a summary of all the packets that have been sent over the Network Interface Card (NIC) as of that instant. The Received and Sent columns show packets coming in as well as being sent:

C:\Users\tlammle>netstat -e
Interface Statistics

                           Received            Sent

Bytes                       7426841         7226953
Unicast packets               25784           35006
Non-unicast packets            1115           12548
Discards                          0               0
Errors                            0              71
Unknown protocols                 0

You can use the –e switch to display the following categories of statistics:

Bytes  The number of bytes transmitted or received since the computer was turned on. This statistic is useful for finding out if data is actually being transmitted and received or if the network interface isn’t doing anything at all.

Unicast Packets  The number of packets sent from or received at this computer. To register in one of these columns, the packet must be addressed directly from one computer to another and the computer’s address must be in either the source or destination address section of the packet.

Non-unicast Packets  The number of packets that weren’t directly sent from one workstation to another. For example, a broadcast packet is a non-unicast packet. The number of non-unicast packets should be smaller than the number of unicast packets. If the number of non-unicast packets is as high or higher than that of unicast packets, too many broadcast packets are being sent over your network. Definitely find the source of these packets and make any necessary adjustments to optimize performance.

Discards  The number of packets that were discarded by the NIC during either transmission or reception because they weren’t assembled correctly.

Errors  The number of errors that occurred during transmission or reception. (These numbers may indicate problems with the network card.)

Unknown Protocols  The number of received packets that the Windows networking stack couldn’t interpret.
This statistic only shows up in the Received column because if the computer sent them, they wouldn’t be unknown, right?

Unfortunately, statistics don’t mean much unless they can be colored with time information. For example, if the Errors column shows 71 errors, is that a problem? It might be if the computer has been on for only a few minutes. But 71 errors could be par for the course if the computer has been operating for several days. Unfortunately, the netstat utility doesn’t have a way of indicating how much time has elapsed for these statistics.

The –r Switch

You use the –r switch to display the current route table for a workstation so that you can see exactly how TCP/IP information is being routed. This will give you the same output as the route print command that we covered earlier in this chapter.

The –s Switch

Using the –s switch displays a variety of TCP, UDP, IP, and ICMP protocol statistics. But be warned—the output you’ll get is really long, which may or may not be okay for you. For this book, it’s way too long for me to insert. With that in mind, we can add another modifier called the –p switch.

The –p Switch

Like the –n switch, the –p switch is a modifier that’s usually used with the –s switch to specify which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the –p switch like so:

netstat –s –p ICMP

The netstat utility then displays the ICMP statistics instead of the entire gamut of TCP/IP statistics that the –s switch will typically flood you with.
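The usual answer to the missing-time problem with netstat –e is to take two snapshots a known number of minutes apart and work with the differences, which turns the lifetime error total into a rate and lets you apply the non-unicast-versus-unicast check from the list above. This is an added Python example, not code from the book; both snapshots are constructed (the first copies the listing above, the second is what the same host might show ten minutes later) and the thresholds are assumptions.

```python
"""Compare two netstat -e snapshots so the counters carry time information.

Added example, not from the book. Both snapshots are constructed: the first
copies the listing above, the second is what the same host might show ten
minutes later.
"""
import re

SNAPSHOT_1 = """\
Interface Statistics

                           Received            Sent

Bytes                       7426841         7226953
Unicast packets               25784           35006
Non-unicast packets            1115           12548
Discards                          0               0
Errors                            0              71
Unknown protocols                 0
"""

SNAPSHOT_2 = """\
Interface Statistics

                           Received            Sent

Bytes                       9426841         9226953
Unicast packets               30784           40006
Non-unicast packets           42115           12648
Discards                          3               0
Errors                            0             371
Unknown protocols                 0
"""

# A counter row: name at column 0, then one or two integers. Unknown protocols
# has no Sent value, which is why the second number is optional.
_ROW = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*?)\s{2,}(?P<recv>\d+)(?:\s+(?P<sent>\d+))?\s*$")


def parse_netstat_e(text):
    """Return {counter name: (received, sent)}, with sent=None when absent."""
    stats = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # title, blank and header lines do not match
            sent = None if m["sent"] is None else int(m["sent"])
            stats[m["name"].strip()] = (int(m["recv"]), sent)
    return stats


def delta(before, after):
    """Growth of every counter between the two snapshots."""
    out = {}
    for name, (r1, s1) in before.items():
        r2, s2 = after[name]
        out[name] = (r2 - r1, None if s1 is None else s2 - s1)
    return out


def assess(before, after, minutes):
    """Turn the raw counters into rates over the interval and apply the checks
    the text describes. The thresholds are assumptions to tune."""
    d = delta(before, after)
    findings = []
    err_recv, err_sent = d["Errors"]
    error_rate = (err_recv + err_sent) / minutes
    if error_rate > 1.0:
        findings.append(f"errors growing at {error_rate:.1f}/min: suspect the NIC or cabling")
    uni_recv, _ = d["Unicast packets"]
    non_uni_recv, _ = d["Non-unicast packets"]
    if non_uni_recv >= uni_recv:
        findings.append(f"non-unicast ({non_uni_recv}) >= unicast ({uni_recv}) received: too many broadcasts")
    if any(d["Discards"]):
        findings.append("NIC discarded packets during the interval")
    return {"error_rate_per_min": error_rate, "findings": findings}


if __name__ == "__main__":
    report = assess(parse_netstat_e(SNAPSHOT_1), parse_netstat_e(SNAPSHOT_2), minutes=10)
    print(report)
```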
For a different example, let’s use the –s and –p switches to retrieve some IPv6 information:

C:\Users\tlammle>netstat -s -p IPV6

IPv6 Statistics

  Packets Received                   = 1400
  Received Header Errors             = 0
  Received Address Errors            = 6
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 451
  Received Packets Delivered         = 10441
  Output Requests                    = 24349
  Routing Discards                   = 0
  Discarded Output Packets           = 3575
  Output Packet No Route             = 41
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

C:\Users\tlammle>

Nice! Gets right to the point. Now, let’s see the TCP connections my host has:

C:\Users\tlammle>netstat -s -p tcp

TCP Statistics for IPv4

  Active Opens                        = 7832
  Passive Opens                       = 833
  Failed Connection Attempts          = 1807
  Reset Connections                   = 2428
  Current Connections                 = 11
  Segments Received                   = 1391678
  Segments Sent                       = 1340994
  Segments Retransmitted              = 6246

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    10.100.10.54:55218     gnt-exchange:epmap     TIME_WAIT
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT

C:\Users\tlammle>

This kind of efficiency is exactly why it’s good for you to use the –p modifier with the –s switch.
Because the Network+ exam doesn’t cover them, we won’t go into detail about what all these statistics mean for most of these commands. You can probably figure out most of them—for instance, Packets Received. For more details, go to Microsoft’s support website at www.support.microsoft.com.

The –n Switch

The –n switch is a modifier for the other switches. When used with them, it reverses the natural tendency of netstat to use names instead of network addresses. In other words, when you use the –n switch, the output always displays network addresses instead of their associated network names. Following is output from the plain netstat command, followed by output from the netstat -n command. It’s showing the same information but with IP addresses instead of names:

C:\Users\tlammle>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT

C:\Users\tlammle>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     10.100.36.13:1151      ESTABLISHED
  TCP    10.100.10.54:54955     10.100.36.13:1026      ESTABLISHED
  TCP    127.0.0.1:2492         127.0.0.1:54840        ESTABLISHED
  TCP    127.0.0.1:54516        127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:54840        127.0.0.1:2492         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:54516        ESTABLISHED
  TCP    192.168.0.6:2492       65.55.239.100:2492     ESTABLISHED
  TCP    192.168.0.6:2492       65.55.248.110:2492     ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      205.188.248.163:5190   ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:80      CLOSE_WAIT

C:\Users\tlammle>

Uses for netstat

You might be saying to yourself, “Fine…I can use lots of cool switches with netstat, but really, what for?” I’m always finding uses for netstat. For instance, once I found a particularly nasty worm on my PC using netstat. I just happened to run netstat for giggles one day and noticed a very large number of outbound connections to various places on the Internet. My PC was sending out SYN packets to a large number of hosts (an indication that my computer was involved—unknowingly—in a large-scale denial of service attack). Upon further examination, I noticed that this activity would start shortly after bootup. I tried running netstat after bootup and noticed that the first outbound connection was to TCP port 6667, some Internet Relay Chat (IRC) server I’d never heard of—I didn’t even have an IRC client on my machine at the time. The worm was particularly nasty to try to get rid of while active, so I turned off port 6667 on my firewall. That prevented the initial connection to the IRC server and, as I found out later, nicely prevented the worm from getting its instructions from the IRC server. I was then able to simply remove it. I would’ve never found out that this worm was working without netstat. Even my antivirus program missed it.

Using the File Transfer Protocol

You already know that File Transfer Protocol (FTP) is a subset of TCP/IP and that FTP is used for the transfer of files. In recent years, FTP has become a truly cross-platform protocol for transferring files. Because Internet (and thus TCP/IP) use has skyrocketed, almost every client and server platform has implemented FTP. Windows is no exception. Its TCP/IP stack comes with a command-line ftp utility.
To start the ftp utility, enter ftp at a command prompt. The result is an ftp command prompt:

C:\Users\tlammle>ftp
ftp>

From this prompt, you can open a connection to an FTP server and upload and download files as well as change the way FTP operates. To display a list of all the commands you can use at the ftp command prompt, type help or ? and press Enter. To get help on a specific command, type help, a space, and then the name of the command. Here is some output from the help command:

ftp> help
Commands may be abbreviated.  Commands are:

!               delete          literal         prompt          send
?               debug           ls              put             status
append          dir             mdelete         pwd             trace
ascii           disconnect      mdir            quit            type
bell            get             mget            quote           user
binary          glob            mkdir           recv            verbose
bye             hash            mls             remotehelp
cd              help            mput            rename
close           lcd             open            rmdir
ftp>

In the following sections, I’ll give you an introduction to uploading and downloading files because every network technician and administrator positively needs to know how to do this. As they come up, I’ll go over the specific commands necessary to perform those two operations as well as any commands that relate to those processes. But first, let’s look at how to begin the process.

Third-party applications are available that provide a GUI interface for FTP, which is easier to use than a command line.

Starting FTP and Logging In to an FTP Server

Of the two FTP file operations (download and upload), the ability to download files is definitely the more crucial for you to have down as a network technician or sys admin. The reason it’s so important for you to master is that network and client operating system drivers and patches are located on FTP servers all over the Internet.

The first steps in starting an FTP download session are to determine the address of the FTP site and start the ftp utility.
The FTP site typically has the same name as the website except that the first three characters are ftp instead of www. For example, Microsoft’s website is www.microsoft.com. Its FTP site, on the other hand, is ftp.microsoft.com.

We’ll use my personal FTP site as an example for the rest of this section because it works, so I can actually log in to it. First, start the ftp utility as demonstrated earlier, and then follow these steps:

1. At the ftp command prompt, type open, a space, and the name of the FTP server, like this:

C:\Users\tlammle>ftp
ftp> open ftp.lammle.com
Connected to ftp.lammle.com.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:45. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (ftp.lammle.com:(none)): enter
230 Anonymous user logged in
ftp>

As shown here, if the FTP server is available and running, you’ll receive a response welcoming you to the server and asking you for a username. Right now, I just have Anonymous as the username (enabled by default on the FTP server), which means that anyone can log in to it. (By the way, don’t bother trying this on my server because I disabled it for obvious reasons as soon as I finished writing this section.)

You can also start an FTP session by typing ftp, a space, and the address of the FTP server (for example, ftp ftp.globalnettraining.com). This allows you to start the ftp utility and open a connection in one step. Here’s an example:

C:\Users\tlammle>ftp ftp.globalnettraining.com
Connected to ftp.globalnettraining.com.
220 Microsoft FTP Service
User (ftp.globalnettraining.com:(none)): todd
331 Password required for todd.
Password: not shown when typed
230 User todd logged in.
ftp> quit

2. Enter a valid username, and press Enter.

3. Enter your password, and press Enter. (The password won’t show up when you type it.)
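Everything the ftp client prints during login is the server’s numbered replies: a multi-line 220 greeting like the Pure-FTPd banner, then 331 (send the password), 230 (logged in) or 530 (login failed, start over). The following Python example, added here and not taken from the book, reads those replies the way the client does; the banner lines are copied from the session above, and the other reply sequences are constructed from the codes shown in this section.

```python
"""Read FTP control-channel replies the way the ftp client does.

Added example, not from the book. The banner lines are copied from the
ftp.lammle.com session above; the other reply sequences are constructed from
the codes shown in this section (220, 331, 230, 530).
"""

BANNER = [
    "220---------- Welcome to Pure-FTPd [TLS] ----------",
    "220-You are user number 1 of 50 allowed.",
    "220-Local time is now 11:45. Server port: 21.",
    "220-IPv6 connections are also welcome on this server.",
    "220 You will be disconnected after 15 minutes of inactivity.",
]

# Constructed: the replies a server sends after the client's USER and PASS lines.
ANONYMOUS_SESSION = BANNER + ["230 Anonymous user logged in"]
TODD_SESSION = ["220 Microsoft FTP Service",
                "331 Password required for todd.",
                "230 User todd logged in."]
BAD_PASSWORD_SESSION = ["220 Microsoft FTP Service",
                        "331 Password required for todd.",
                        "530 Login Incorrect"]


def read_reply(lines, pos=0):
    """Consume one reply starting at lines[pos]; return (code, text, next_pos).

    A reply is either a single 'NNN text' line or a multi-line reply that
    opens with 'NNN-text' and ends at the next line starting with 'NNN '
    (same code followed by a space), exactly like the five-line banner."""
    first = lines[pos]
    code = first[:3]
    if not (code.isdigit() and len(first) >= 4 and first[3] in "- "):
        raise ValueError(f"malformed reply: {first!r}")
    text = [first[4:]]
    pos += 1
    if first[3] == "-":
        while True:
            line = lines[pos]
            pos += 1
            if line.startswith(code + " "):  # terminating line
                text.append(line[4:])
                break
            text.append(line[4:] if line.startswith(code + "-") else line)
    return int(code), text, pos


def outcome(code):
    """The first digit tells the client what to do next (RFC 959 reply classes);
    150/226 on a get or put are read with the same read_reply()."""
    return {1: "preliminary", 2: "success", 3: "need more input",
            4: "transient failure", 5: "permanent failure"}[code // 100]


def login_outcome(replies):
    """Walk the greeting, the USER reply and (if asked for) the PASS reply.
    331 means send the password; 230 means logged in; anything else is a
    failed login that has to be started over."""
    code, text, pos = read_reply(replies)
    if code // 100 != 2:
        return "not connected: " + text[-1]
    code, text, pos = read_reply(replies, pos)  # reply to USER
    if code == 230:
        return "logged in without a password"
    if code != 331:
        return "login failed: " + text[-1]
    code, text, pos = read_reply(replies, pos)  # reply to PASS
    return "logged in" if code == 230 else "login failed: " + text[-1]


if __name__ == "__main__":
    for session in (ANONYMOUS_SESSION, TODD_SESSION, BAD_PASSWORD_SESSION):
        print(login_outcome(session))
```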
Most Internet web servers that allow just about anyone to download files also allow the username anonymous, as I demonstrated. In addition to anonymous, you can use the username ftp to gain access to a public FTP server. They are both anonymous usernames. Remember that FTP (and Unix) usernames are case sensitive. All good, but if you want to access a private FTP server, as I’ll demonstrate in a minute, you’ll need to use the username and password given to you by the site’s administrator.

Oh, and sometimes you can use your email address as a password when accessing a public FTP server with a username like anonymous. You don’t have to enter your entire email address to log in with the anonymous username. Most of the time, FTP server software doesn’t actually verify the actual email address, only that it is, in fact, an email address. To do this, it checks for an @ sign and two words separated by a period. You just need to enter a very short email address to bypass the password (like u@me.com). This is especially helpful if you have a long email address, and it’s a really good idea if you don’t want to get a ton of junk email.

If you enter the wrong username and/or password, the server will tell you so by displaying the following and leaving you at the ftp command prompt:

530 Login Incorrect
Login failed.

This means you’ve got to try again and must start the login process over. If you’re successful, the FTP server will welcome you and drop you back at the ftp command prompt. You’re now ready to start uploading or downloading files.

Downloading Files

After you log in to the FTP server, you’ll navigate to the directory that contains the files you want. Thankfully, the FTP command-line interface is similar to the DOS command-line interface. This is no surprise because DOS is based on Unix and FTP is a Unix utility. Table 17.8 lists and describes the common navigation commands for FTP.
(Remember that these are also case sensitive.) After you navigate to the directory and find the file you want to download, it’s time to set the parameters for the type of file. Files come in two types:

■ ASCII, which contains text
■ Binary, which is all other files

If you set ftp to the wrong type, the file you download will contain gibberish. So if you’re in doubt, set ftp to download files as binary files. Check out Table 17.8.

TABLE 17.8 Common FTP navigation commands

Command   Description

ls        Short for list. Displays a directory listing. Very similar to the DIR command in MS-DOS.

cd        Short for change directory. Works almost identically to the MS-DOS CD command. Use it to change to a different directory and navigate the server’s directory structure.

pwd       Short for print working directory. Displays the current directory on the server. Useful if you forget where you are when changing to several locations on the server.

lcd       Short for local change directory. Displays and changes the current directory on the local machine. Useful when you are downloading a file and aren’t in the directory where you want to put the file.

To set the file type to ASCII, type ascii at the ftp command prompt. ftp will respond by telling you that the file type has been set to A (ASCII):

ftp> ascii
Type set to A

To set the file type to binary, type binary at the ftp command prompt. ftp will respond by telling you that the file type has been set to I (binary):

ftp> binary
Type set to I

To download the file, just use the get command like this:

ftp> get lammlepress.exe
200 PORT command successful.
150 Opening BINARY mode data connection for 'scrsav.exe' (567018 bytes).

The file will start downloading to your hard drive. Unfortunately, with its default settings, the ftp utility doesn’t give you any indication of the progress of the transfer.
When the file has downloaded, the ftp utility will display the following message and return you to the ftp command prompt:

226 Transfer complete.
567018 bytes received in 116.27 seconds (4.88 Kbytes/sec)

You can download multiple files by using the mget command. Simply type mget, a space, and then something known as a wildcard that specifies the files you want to get. For example, to download all the text files in a directory, type mget *.txt.

Uploading Files

To upload a file to an FTP server, you’ve got to have rights on that specific server. These rights are assigned on a directory-by-directory basis. To upload a file, log in and then follow these steps:

1. At the ftp command prompt, type lcd to navigate to the directory on the local machine where the file resides.
2. Type cd to navigate to the destination directory.
3. Set the file type to ASCII or binary.
4. Use the put command to upload the file.

The syntax of the put command looks like this:

ftp> put local-file destination-file

Let’s say you want to upload a file called 1.txt on the local server but you want it to be called my.txt on the destination server. To accomplish that, use the following command:

ftp> put 1.txt my.txt

You’ll get the following response:

200 PORT command successful.
150 Opening BINARY mode data connection for collwin.zip
226 Transfer complete.
743622 bytes sent in 0.55 seconds (1352.04 Kbytes/sec)

You can upload multiple files using the mput command. Simply type mput, a space, and then a wildcard that specifies the files. For example, to upload all the text files in a directory, type mput *.txt.

When you’re finished with the ftp utility, just type quit to return to the command prompt.

Using the Telnet Utility

Part of the TCP/IP protocol suite, Telnet is a virtual terminal protocol utility that allows you to make connections to remote devices, gather information, and run programs.
Telnet was originally developed to open terminal sessions from remote Unix workstations to Unix servers. Although it’s still used for that purpose, we now use it as a troubleshooting tool as well. Figure 17.13 shows the basic Telnet interface as it’s being used to start a terminal session on a remote Unix host.

FIGURE 17.13 The Telnet utility

In today’s Windows environments, Telnet is a basic command-line tool for testing TCP connections. You can telnet to any TCP port to see if it’s responding—something that’s especially useful when checking Simple Mail Transfer Protocol (SMTP) and HTTP (web) ports. As you learned back in Chapter 6, “Introduction to the Internet Protocol,” each upper-layer service in a TCP stack has a number for its address. And by default, each network service that uses a particular address will respond to a TCP request on that specific port.

How to Enable Telnet in Windows

Because most people have Windows 7 or 8 operating systems running on their PCs these days, it’s good to know that, by default, these operating systems install without Telnet available. But there’s a way around that one—if you really must have a Telnet client enabled in these operating systems, here’s how to do it:

1. Open Control Panel.
2. Select Programs And Features.
3. In the left column, select Turn Windows Features On Or Off (get ready for the annoying User Account Control [UAC] prompt, and then enter your name and password).
4. Select the Telnet check box (and any other obscure services you may want enabled), and wait while Windows thinks for a while and then reboots.

Nice—now you can go to Start and then type telnet in the Start search box to get a Telnet window to open for you. You can also open a DOS prompt and just type telnet from there. Here are the options that Windows provides with Telnet:

Microsoft Telnet> ?

Commands may be abbreviated. Supported commands are:

c    - close                    close current connection
d    - display                  display operating parameters
o    - open hostname [port]     connect to hostname (default port 23).
q    - quit                     exit telnet
set  - set                      set options (type 'set ?' for a list)
sen  - send                     send strings to server
st   - status                   print status information
u    - unset                    unset options (type 'unset ?' for a list)
?/h  - help                     print help information

Now that we’ve finished talking about Telnet, my personal recommendation is that you never use it again. What? Yes, you read that right, and here’s why.

Don’t Use Telnet, Use Secure Shell

What? I just told you how to use Telnet, and now I am telling you not to use it. That’s right, don’t use Telnet! Telnet is totally insecure because it sends all data in crystal-clear text—including your name and password. And I’m pretty sure you know that’s a really bad thing these days. If Microsoft doesn’t even enable it on its latest OSs, then you know it really must be insecure.

So if you shouldn’t use Telnet, what should you use instead? Secure Shell (SSH) is your answer. It provides the same options as Telnet, plus a lot more; but most important, it doesn’t send any data in clear text. The thing is, your servers, routers, and other devices need to be enabled with SSH, and it’s not configured by default on most devices. Some configuration is usually necessary if you want things to work as they really should, and yes, sometimes it’s a little painful to get everything running smoothly, but it’s all worth it in the long run.

Personally, I disable Telnet on all my routers and use SSH exclusively. No lie—I never use Telnet anymore if I can help it. Even so, you should still understand Telnet and get in some practice with it in case you do ever need it. In my Sybex book Cisco CCNA Study Guide, I get into the skinny on how to configure SSH on all Cisco devices and use an SSH client.
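The one job Telnet still does in the section above, checking whether a TCP port such as SMTP answers, needs no Telnet client at all: a plain TCP connect with a timeout, reading whatever banner the service sends, gives the same answer. The following Python example is added here and is not from the book; it runs against a constructed stand-in for an SMTP server on 127.0.0.1, and the greeting text and timeout value are assumptions.

```python
"""Test whether a TCP port answers, which is what the chapter uses telnet for.

Added example, not from the book. It connects with a timeout and reads the
first line the service sends; the fake SMTP listener is constructed so the
check can run against 127.0.0.1 without a real server.
"""
import socket
import threading


def check_tcp_port(host, port, timeout=3.0):
    """Return (reachable, greeting).

    reachable is False for a refused or timed-out connect. greeting is the
    banner a chatty service such as SMTP sends on connect; HTTP servers say
    nothing until the client talks, so an empty greeting is still a success."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", "replace").strip()
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return False, ""


def start_fake_smtp(greeting=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for an SMTP server: accepts one connection on a
    port chosen by the OS, sends the greeting, closes. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a port nothing is listening on, to show the refused case."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp()
    print(check_tcp_port("127.0.0.1", port))          # (True, '220 mail.example.test ESMTP ready')
    print(check_tcp_port("127.0.0.1", unused_port()))  # (False, '')
```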
Summary

In this chapter, you learned about many of the utilities for using and troubleshooting TCP/IP. These utilities include GUI tools like protocol analyzers, throughput testers, and connectivity software like Remote Desktop, and they include command-line utilities like tracert, ping, arp, netstat, nbtstat, ipconfig, ifconfig, and nslookup. You also learned how these utilities are used, including their various options and switches and how they all affect the use of the utilities. Finally, you learned about how these utilities work within the TCP/IP suite.

Exam Essentials

Describe some of the GUI tools available to assist in testing and troubleshooting. These include protocol analyzers, throughput testers, and connectivity software. Understand each product’s purpose and how to use it.

Know how to describe and use the troubleshooting information and statistics that arp, nbtstat, and netstat provide for you. The arp utility shows whether an IP address is being resolved to your MAC address (or someone else’s, in case of conflicts). The netstat utility produces TCP/IP statistics, and nbtstat produces NetBIOS over TCP/IP statistics.

Know how to diagnose a network by using TCP/IP’s troubleshooting commands. The ping command echoes back if a machine is alive and active on a network. The tracert command shows the path that the ping packets take from source to target. And telnet enables a user to participate in a remote text-based session.

Know what the tracert utility does. The tracert utility finds the route from your computer to any computer on a network.

Know what the ping utility does. ping determines whether a particular IP host is responding.

Know what the ftp utility does. The ftp utility allows you to reliably download and upload files from and to an FTP server across the Internet.

Know what the ipconfig and ifconfig utilities do.
The ipconfig utility displays TCP/ IP configuration information for Windows NT and later operating systems. The ifconfig utility performs a similar function in Unix environments, in addition to performing certain interface-configuration tasks. Know what the nslookup and dig utilities do. look up DNS resolution information. The nslookup and dig utilities allow you to Written Lab You can fi nd the answers in Appendix A. Write the answers to the following questions about command-line tools: 1. What command can you type from a command prompt to see the hops a packet takes to get to a destination host? 2. What tool would you use to verify a complaint about a slow network? 3. You need your IP address, subnet mask, default gateway, and DNS information. What command will you type from a Windows command prompt? 4. You need to log in as a dumb terminal to a server or Unix host and run programs. What application will you use? c17.indd 04/03/2015 Page 663 664 Chapter 17 ■ Troubleshooting Tools 5. You need to add a route to your Windows server’s routing table. What command will you use? 6. You want to log in to a server and transfer files. What application will you use? 7. You need to check your name-resolution information on your host. What command will you type from the command prompt? 8. You want to use netstat, but you want to see only the IP address, not the names of the hosts. Which modifier will you use? 9. You want the IP configuration on a Unix host. What command will you type at the command prompt? 10. Which Windows command will show you the routing table of your host or server? c17.indd 04/03/2015 Page 664 Review Questions 665 Review Questions You will fi nd the answers to the review questions in Appendix B. 1. Which TCP/IP utility is most often used to test whether an IP host is up and functional? A. ftp 2. B. telnet C. ping D. netstat Which TCP/IP utility will produce the following result? 
Interface: 199.102.30.152 Internet Address Physical Address 199.102.30.152 A0–ee–00–5b–0e–ac Type dynamic A. arp 3. B. netstat C. tracert D. nbtstat Which Windows utility can you use to connect to a machine 50 miles away to troubleshoot? A. Remote Desktop 4. B. netstat C. arp D. Wireshark Which TCP/IP utility might produce the following output? Reply Reply Reply Reply from from from from 204.153.163.2: 204.153.163.2: 204.153.163.2: 204.153.163.2: bytes=32 bytes=32 bytes=32 bytes=32 time=1ms TTL=128 time=1ms TTL=128 time=1ms TTL=128 time<10ms TTL=128 A. tracert 5. B. ping C. WINS D. ipconfig Which utility can you use to find the MAC and TCP/IP addresses of your Windows workstation? A. ping B. ipconfig C. ipconfig /all c17.indd 04/03/2015 Page 665 Chapter 17 666 6. D. tracert E. telnet ■ Troubleshooting Tools Which ping commands will verify that your local TCP/IP interface is working? (Choose all that apply.) A. ping 204.153.163.2 7. B. ping 127.0.0.1 C. ping localif D. ping localhost E. ping iphost Which switch for the Windows nbtstat utility will display all NetBIOS name-resolution statistics? A. –r 8. B. /r C. –R D. /R You need to find a NIC’s specific MAC address and IP address. Which command-line tool can you use to find this information without physically going to the computer? A. ping 9. B. nbtstat C. arp D. netstat E. ftp Which nbtstat utility switch will purge and reload the remote NetBIOS name table cache? A. –r B. –R C. /r D. /R 10. Wireshark is an example of a ________________? A. Throughput tester B. Protocol analyzer C. Remote connection tool 11. Which utility produces output similar to the following? 
1 110 ms 96 ms 107 ms fgo1.corpcomm.net [209.74.93.10] 2 96 ms 126 ms 95 ms someone.corpcomm.net [209.74.93.1] 3 113 ms 119 ms 112 ms Serial5–1–1.GW2.MSP1.alter.net [157.130.100.185] c17.indd 04/03/2015 Page 666 Review Questions 4 133 ms 123 ms 126 [146.188.209.126] 5 176 ms 133 ms 129 6 196 ms 184 ms 218 7 182 ms 187 ms 187 8 204 ms 176 ms 186 [146.188.144.133] 9 202 ms 198 ms 212 [206.57.16.17] 10 209 ms 202 ms 195 [206.132.150.98] 11 190 ms * 191 ms [206.251.5.93] 12 195 ms 188 ms 188 [206.132.150.206] 13 198 ms 202 ms 197 667 ms 152.ATM3–0.XR2.CHI6.ALTER.NET ms ms ms ms 290.ATM2–0.TR2.CHI4.ALTER.NET [146.188.209.10] 106.ATM7–0.TR2.SCL1.ALTER.NET [146.188.136.162] 298.ATM7–0.XR2.SJC1.ALTER.NET [146.188.146.61] 192.ATM3–0–0.SAN–JOSE9– GW.ALTER.NET ms atm3–0–622M.cr1.sjc.globalcenter.net ms pos3–1–155M.br4.SJC.globalcenter.net pos0–0–0–155M.hr3.SNV.globalcenter.net ms pos4–1–0– 155M.hr2.SNV.globalcenter.net ms www10.yahoo.com [204.71.200.75] A. arp B. tracert C. nbtstat D. netstat 12. You are the network administrator. A user calls you, complaining that the performance of the intranet web server is sluggish. When you try to ping the server, it takes several seconds for the server to respond. You suspect that the problem is related to a router that is seriously overloaded. Which workstation utility could you use to find out which router is causing this problem? A. netstat B. nbtstat C. tracert D. ping E. arp 13. Which ipconfig switch will display the most complete listing of IP configuration information for a station? A. /all B. /renew C. /release D. /? 14. Which utility will display a list of all the routers that a packet passes through on the way to an IP destination? A. netstat B. nbtstat c17.indd 04/03/2015 Page 667 Chapter 17 668 C. tracert D. ping E. arp ■ Troubleshooting Tools 15. Which Windows TCP/IP utility could you use to find out whether a server is responding on TCP port 21? A. tcp B. port C. ping D. nbtstat E. telnet 16. 
Which arp command can you use to display the currently cached ARP entries? A. arp B. arp –all C. arp /a D. ipconfig /arp E. arp /ipconfig 17. Which command-line tool would best be used to verify DNS functionality? A. netstat B. nbtstat C. dig D. icmp E. arp 18. Which of the following arp utility switches perform the same function? (Choose all that apply.) A. –g B. –A C. –d D. –a 19. Which command would you use at a workstation prompt to see the DNS servers that are configured to use? (Choose three.) A. arp B. nslookup C. netstat D. nbtstat E. ipconfig/all F. ifconfig c17.indd 04/03/2015 Page 668 Review Questions 669 20. Which nbtstat switch displays a list of all the NetBIOS sessions currently active on the local workstation? A. –a B. –r C. –s D. –I c17.indd 04/03/2015 Page 669 Chapter 18 Software and Hardware Tools THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER: ✓ 1.5 Install and properly terminate various cable types and connectors using appropriate tools ■ Tools ■ Cable crimpers ■ Punch down tool ■ Wire strippers ■ Snips ■ OTDR ■ Cable certifier ✓ 2.1 Given a scenario, use appropriate monitoring tools ■ Packet/network analyzer ■ Interface monitoring tools ■ Port scanner ■ Top talkers/listeners ■ SNMP management software ■ ■ ■ Trap ■ Get ■ Walk ■ MIBS Alerts ■ Email ■ SMS Packet flow monitoring c18.indd 04/01/2015 Page 671 ■ SYSLOG ■ SIEM ■ Environmental monitoring tools ■ Temperature ■ Humidity ■ Power monitoring tools ■ Wireless survey tools ■ Wireless analyzers ✓ 2.2 Given a scenario, analyze metrics and reports from monitoring and tracking performance tools ■ Baseline ■ Bottleneck ■ Log management ■ Graphing ■ Utilization ■ Bandwidth ■ Storage ■ Network device CPU ■ Network device memory ■ Wireless channel utilization ✓ 4.2 Given a scenario, analyze and interpret the output of troubleshooting tools ■ Line testers ■ Certifiers ■ Multimeter ■ Cable tester ■ Light meter ■ Toner probe ■ Speed test sites ■ Looking glass sites ■ WiFi 
analyzer ■ Protocol analyzer c18.indd 04/01/2015 Page 672 Specialized tasks require specialized tools, and installing network components is no exception. We use some of these tools, like network scanners, on an everyday basis, but most of the hardware tools I’ll be covering in this chapter are used mainly in the telecommunications industry. Still, in order to meet the CompTIA Network+ objectives, and also because you’re likely to run across them in today’s networking environments, it’s very important that you’re familiar with them. For up-to-the-minute updates for this chapter, please see www.lammle.com/ networkplus or www.sybextestbanks.wiley.com. Understanding Network Scanners Network scanner has become a broad term often referring to a family of tools used to analyze our networks, but the CompTIA Network+ objectives are much less vague. So with regard to those critical objectives, know that network scanners refer to these three tools: ■ Packet sniffers ■ Intrusion detection system/intrusion prevention system (IDS/IPS) software ■ Port scanners Packet Sniffers/Network Monitors Unlike port scanners, packet sniffers actually look inside every packet on a network segment. Packet sniffers come in many fl avors, and some of them, like Microsoft’s Network Monitor (NetMon), are even free today. Even though NetMon comes in more complex versions that are, well, not exactly free, the version that comes bundled with Windows Server does allow you to analyze network communications traffic. The full version will give you statistics on network utilization and packet traffic data as well as capture individual frames for analysis. These abilities really mean that NetMon is both a packet sniffer and a network analyzer, and it’s common for these to be combined and referred to as one and the same. c18.indd 04/01/2015 Page 673 674 Chapter 18 ■ Software and Hardware Tools All good, but personally, I use Wireshark instead. 
It’s also free, and you can easily download it from www.wireshark.org. A nice feature of Wireshark is that it runs on Windows, OS X, Linux, and Unix platforms. It easily captures data on all my interfaces, including my wireless and virtual private network (VPN) connections, and looks at all traffic on the network segment.

There are tons of packet sniffers available, and to get your hands on most of them, you’ll have to pony up some cash. Sometimes they’re worth it, though, because these higher-end products can even provide solutions to problems you find on your network—nice. Anyway, free or not, the basic purpose of packet sniffers (or network analyzers) is to collect and analyze each individual packet that is captured on a specific network segment to determine if problems like bottlenecks, retransmissions, and security breaches are happening.

Packet sniffers are a must-have for every network administrator to troubleshoot and find problems or security holes in a network. For example, you may discover that users are using an application on the network with usernames and passwords being sent unencrypted over the network. You can also use packet sniffers to see if there is too much traffic on a segment, to see router or switch interfaces (referred to as interface monitoring), or even to see if a broadcast storm has been created by a bad Network Interface Card (NIC). And remember—I do mean on a network segment—you can’t use them to catch packets passing through routers. These network analyzers can also show you top talkers and listeners on your network, and provide packet flow monitoring.

Yes, they can help you find a hacker stalking around in there, but you’d really have to be looking closely and constantly to discover this. For that level of monitoring, you’d be better off using a tool known as an IDS/IPS. It can really help you track and even defeat hackers. (We’ll talk about IDS/IPS software in the next section.)
The more expensive network sniffers can help find anomalies in your network, like a hack, and even alert you to these problems. Figure 18.1 shows output from a packet sniffer. Notice that you can identify both the IP addresses and the MAC addresses associated with any of the packets captured as well as identify the protocol in use.

You can definitely see that a packet sniffer can provide you with huge amounts of information. This means you really need something to narrow things down and help you to more readily find the needle in the haystack that you’re looking for, right? In this case, help comes in the form of some handy built-in filters that can be used to gather information from just one specific host or server; without them, you’d have to go through possibly thousands of packets to find the problem. For the packet I’ve highlighted, you can see that there’s a probable User Datagram Protocol (UDP) checksum error. And by the way, because UDP is connectionless, this is a pretty common error.

You should download and start working with a network sniffer right away. As I mentioned, you can download Wireshark at www.wireshark.org for free, so what are you waiting for? Go for it!

Figure 18.1 Output from a packet sniffer

Now comes the fun stuff—let’s take a look at ways we can find and stop hackers dead in their tracks.

Intrusion Detection and Prevention Software

An IDS detects unwanted attempts to manipulate network systems and/or environments, and an IPS is a computer-security device that monitors network and/or system activities for any strange or malicious behavior. It can react in real time to prevent and even block nasty activities. An IDS identifies, detects, and reports attempts of unauthorized access to the network as well as any suspicious activity, and it’s the best software type for identifying an attack.
However, if you want to stop the attack in its tracks, you need to add an IPS device. So, unlike IDSs, which can identify an attack and report it, an IPS can stop the attack by shutting down ports or dropping certain types of packets.

A bunch of different IDS/IPS software packages are available on the market, and a lot of them are free. Again, predictably, the best ones aren’t, and they can be a bit pricey. These high-powered versions run on Linux or other proprietary hardware. But there are still many IDS/IPS software applications available for Windows.

Snort is one of the most popular IDS/IPS software products around. It runs on both Linux and Windows, and it’s a free, open-source platform, which happens to be a big reason for its popularity. But that’s not the only reason—just because it is free doesn’t mean it doesn’t offer up some pretty cool features.

On the other hand, if you’re dealing with a large, corporate environment, you need some serious weaponry, and Cisco offers an Adaptive Security Appliance (ASA) as an enterprise solution that’s powerful but definitely far from free. It’s worth it, though. Figure 18.2 shows a picture of a Cisco ASA box I use in my security classes.

Figure 18.2 A Cisco ASA (labeled parts: Compact Flash; Security Service Module (SSM); Monitoring Port; 10/100 Out-of-Band Management Port; Console Port; Four 10/100/1000 Copper Gigabit Ports; AUX Ports; Two USB 2.0 Ports)

Personally, I think the Cisco box is the best IDS/IPS box on the market today. Still, Snort isn’t bad (check out Cisco’s new acquisition, SourceFire), so if cost is an issue, rest assured you can use it, as well as several other tools, and be much better equipped than you would be without them working on your network to help you keep it secure. Figure 18.3 shows where you’d find a typical IDS/IPS in an internetwork.

Figure 18.3 IDS/IPS placement in an internetwork (labeled elements: DMZ, Web Server, Internal Network, Firewall, SQL Server, IDS/IPS)

To be honest, because of the device’s complexity and the many different physical configurations possible, this is a relatively simplistic view of an IDS/IPS working within a network. The important thing I want you to pay attention to is the fact that you would typically find the IDS/IPS software positioned between your internal router and the firewall to the outside network (Internet). If you’re using Snort, just add the software to a Linux box, and connect this box between the firewall and the router. This area would typically be your demilitarized zone (DMZ).

The Basic Analysis and Security Engine (BASE) displays and reports intrusions and attacks logged in the Snort database in a web browser for convenient analysis.

Port Scanners

A port scanner is a software tool designed to search a host for open ports. Those of us administering our networks use port scanners to ensure their security, but bad guys use them to find a network’s vulnerabilities and compromise them. To port scan means to scan for TCP and UDP open ports on a single target host either to legitimately connect to and use its services for business and/or personal reasons or to find and connect to those ports and subsequently attack the host and steal or manipulate it for nefarious reasons.

In contrast, port sweeping means scanning multiple hosts on a network for a specific listening TCP or UDP port, like SQL. (SQL injection attacks are super common today.) This just happens to be a favorite approach used by hackers when trying to invade your network. They port sweep in a broad manner, and then, if they find something—in this case, SQL—they can port scan the particular host they’ve discovered with the desired service available to exploit and get what they’re after.
This is why it’s a really good idea to turn off any unused services on your servers and routers and to run only the minimum services required on every host machine in your network. Do yourself a big favor and make sure this is in your security policy.

Remember that three-way handshake I discussed in Chapter 6, “Introduction to the Internet Protocol”? Well, it just so happens that a SYN scan is the most popular form of TCP scanning. Rather than use the operating system’s network functions, the port scanner actually generates raw IP packets itself and monitors for responses. This scan type is also known as half-open scanning because it never really opens a full TCP connection. The port scanner generates a SYN packet, and if the targeted port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST (reset) packet, closing the connection before the handshake is completed.

Never use the tools I’m telling you about on computers belonging to any businesses or government agencies without their permission. It’s against the law in a big way, and they do monitor and prosecute! Know that I am not exaggerating here, so please do yourself a favor and use the following tools only to test your own network for vulnerabilities.

Although a free program named Network Mapper (Nmap) can be used as a port scanner, you can use it to do so much more. I give it two thumbs up and recommend that you download Nmap (http://nmap.org) and play with this cool program. Nmap, like Snort, is open source. But Nmap runs on all platforms and can provide port-scanning ability, check all the open services running on each host, find firewalls, and even help tremendously with network management. Figure 18.4 shows Nmap running on a Windows Vista platform, performing a Domain Name Service (DNS) resolution, and then a port scan to the host being monitored (Zenmap is the name of the GUI interface it uses).
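Looking back at the half-open (SYN) scan just described from the defender's side: the thing an IDS looks for is one source whose SYNs get a SYN-ACK or RST-ACK back and are never followed by the ACK that finishes the handshake, across many ports in a short window. The following is an added example, not code from the book, from Nmap or from any scanner; the packet records are constructed to look like what a sensor in front of a server would log, and the threshold values are assumptions.

```python
"""Flag half-open (SYN) scan behaviour in a stream of TCP control packets.

Added example for the SYN-scan description above; not code from the book, from
Nmap or from any other scanner. The packet stream is constructed here in the
shape a sensor in front of a server would record it. Flags use tcpdump-style
letters: S = SYN, SA = SYN-ACK, A = ACK, R = RST, RA = RST-ACK.
"""
from collections import defaultdict

SERVER = "192.0.2.10"

# (time_s, src, dst, sport, dport, flags), constructed sample traffic.
SAMPLE_PACKETS = [
    # A normal client completes the handshake on port 80: SYN, SYN-ACK, ACK.
    (0.0, "10.0.0.9", SERVER, 51000, 80, "S"),
    (0.1, SERVER, "10.0.0.9", 80, 51000, "SA"),
    (0.2, "10.0.0.9", SERVER, 51000, 80, "A"),
    # A scanner touches six ports in under two seconds. Open ports answer
    # SYN-ACK and are torn down with RST before the handshake completes;
    # closed ports answer RST-ACK. Not one handshake is completed.
    (5.0, "203.0.113.7", SERVER, 40000, 22, "S"),
    (5.1, SERVER, "203.0.113.7", 22, 40000, "SA"),
    (5.2, "203.0.113.7", SERVER, 40000, 22, "R"),
    (5.3, "203.0.113.7", SERVER, 40001, 23, "S"),
    (5.4, SERVER, "203.0.113.7", 23, 40001, "RA"),
    (5.5, "203.0.113.7", SERVER, 40002, 80, "S"),
    (5.6, SERVER, "203.0.113.7", 80, 40002, "SA"),
    (5.7, "203.0.113.7", SERVER, 40002, 80, "R"),
    (5.8, "203.0.113.7", SERVER, 40003, 443, "S"),
    (5.9, SERVER, "203.0.113.7", 443, 40003, "SA"),
    (6.0, "203.0.113.7", SERVER, 40003, 443, "R"),
    (6.1, "203.0.113.7", SERVER, 40004, 1433, "S"),
    (6.2, SERVER, "203.0.113.7", 1433, 40004, "RA"),
    (6.3, "203.0.113.7", SERVER, 40005, 3389, "S"),
    (6.4, SERVER, "203.0.113.7", 3389, 40005, "RA"),
]

# Flow outcomes that never reached an established connection.
SUSPICIOUS = ("half_open", "closed_port", "synack_unanswered")


def classify_flows(packets):
    """Replay the packets and return {(client, server, port): outcome}.

    Outcomes: 'established' (SYN, SYN-ACK, ACK), 'half_open' (SYN, SYN-ACK,
    then the client's RST instead of an ACK: the half-open scan signature),
    'closed_port' (SYN answered by RST-ACK), 'synack_unanswered' (SYN-ACK
    sent but the client never replied) or 'syn_only' (no reply seen at all).
    """
    state = {}
    for _t, src, dst, sport, dport, flags in packets:
        if flags == "S":
            state[(src, dst, dport)] = "syn_only"
            continue
        client_key = (src, dst, dport)   # packet sent by the initiator
        server_key = (dst, src, sport)   # packet sent back by the server
        if server_key in state and state[server_key] == "syn_only":
            if flags == "SA":
                state[server_key] = "synack_sent"
            elif flags == "RA":
                state[server_key] = "closed_port"
        elif client_key in state and state[client_key] == "synack_sent":
            if flags == "A":
                state[client_key] = "established"
            elif flags == "R":
                state[client_key] = "half_open"
    return {k: ("synack_unanswered" if v == "synack_sent" else v)
            for k, v in state.items()}


def find_syn_scanners(packets, min_ports=5, window_s=10.0):
    """Return {source_ip: sorted probed ports} for every source that, within
    window_s seconds, probed at least min_ports distinct ports without ever
    completing a handshake. Closed ports count too: a scanner hits them as
    often as open ones, and a legitimate client has no reason to.
    (min_ports and window_s are assumed tuning values, not from the book.)
    """
    outcomes = classify_flows(packets)
    first_syn = {}
    for t, src, dst, _sport, dport, flags in packets:
        if flags == "S":
            first_syn.setdefault((src, dst, dport), t)
    probes = defaultdict(list)           # client -> [(syn_time, port)]
    for key, outcome in outcomes.items():
        if outcome in SUSPICIOUS:
            probes[key[0]].append((first_syn[key], key[2]))
    scanners = {}
    for src, hits in probes.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):      # sliding window over probe times
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            if len({port for _, port in hits[lo:hi + 1]}) >= min_ports:
                scanners[src] = sorted({port for _, port in hits})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_syn_scanners(SAMPLE_PACKETS).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```

The normal client on port 80 never appears in the result because its flow reached 'established'; only the source with a run of unfinished handshakes is reported.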
Pretty chill, right?

Figure 18.4 Nmap in action

Nmap is very flexible, and again, I really encourage you to check it out. One of the other nice features of Nmap is its documentation capacity. It comes with a complete set of instructions and equips you with documentation to help you troubleshoot and map your network.

Even though Nmap is pretty simple, there are even simpler tools out there—a whole lot of them. Angry IP is a program I also use that provides both IP-scanning and port-scanning abilities. It’s definitely not as complex as Nmap, but because it’s extremely easy to use, you might want to try out this free, open-source program as well. Figure 18.5 illustrates port scanning with Angry IP.

Figure 18.5 Angry IP port scanning

You can see right away that this is a much simpler program than some of the other sniffing and port mapping tools we’ve discussed, but simple doesn’t mean it isn’t powerful. Angry IP slowed the PC I was scanning way down when I performed a full port scan on the host using this program. Check it out at http://angryip.org.

Hacked and Blamed!

I’ve already mentioned that you shouldn’t port scan on hosts that are not yours, but you need to be careful that someone else does not use your hosts or servers to port scan someone else’s servers as well. A few years ago, I had a server at an ISP, and some crackers had hacked into my server and were using it to port scan the Department of Defense (DoD) servers. I received a letter from the DoD informing me of this issue. They were very professional and even mentioned that it probably wasn’t me doing the port scanning, but they said that if it happened again, they would prosecute me. They told me that I was responsible for my server and that if I did not stop the attackers, I would be liable.

I was terribly embarrassed, and I was a little freaked out, too! After looking at the server logs, I realized that the crackers were from France and that they had been in my server for three months. Instead of just locking down the ports and getting rid of the hackers, I formatted the server. Why? Because crackers/hackers are notorious for creating many backdoors once they are in a system, in case they get caught, so just locking them out would not have solved the problem. If this happens to you, a reformat is typically what you need to do. I also upgraded to the latest server operating system, which helped with some of the security issues.

After you’ve downloaded all the software tools I just went over with you and practiced honing your skills with them (only on your own network, right?), you’ll be ready to move on and explore the hardware tools that you need to be familiar with to meet the CompTIA Network+ objectives.

Wi-Fi Analyzer

A Wi-Fi analyzer, or wireless analyzer, is similar to the network analyzers that I’ve already discussed but is used for sniffing wireless networks. Wi-Fi analyzers can find the channels in use, the number of clients and bandwidth used, top talkers, and more. On wireless LANs, one can capture traffic on a particular channel or on several channels when using multiple adapters. Wi-Fi analyzers identify networks by passively collecting packets and detecting standard named networks, detecting (given time) hidden networks, and inferring the presence of nonbeaconing networks via data traffic. Figure 18.6 shows an output of a wireless analyzer.

In addition to using a wireless analyzer, to create a good wireless network, you need to do a wireless survey of the floor or building where you are installing your network. To do this, you need a wireless survey tool.
Wireless survey tools help you design and deploy the most accurate indoor and outdoor wireless LAN networks (802.11n/a/b/g/ac) correctly the first time and prevent costly rework and IT complaints. You can collect real-world data by performing unique true end-user experience measurements (wireless LAN throughput, data rates, retries, losses). You can also minimize the (expensive) impact of RF interference sources on wireless 802.11n/a/b/g/ac LAN performance by performing simultaneous wireless spectrum analysis in a single walk-through. In addition, you can certify the wireless network for any design/application requirements using customer-ready pass/fail assessment reports. Figure 18.7 shows an output of a wireless survey tool.

Figure 18.6 Wireless analyzer

Baseline

High-quality documentation should include a baseline for network performance because you and your client need to know what “normal” looks like in order to detect problems before they develop into disasters. Don’t forget to verify that the network conforms to all internal and external regulations and that you’ve developed and itemized solid management procedures and security policies for future network administrators to refer to and follow.

Figure 18.7 Wireless survey tool

In networking, baseline can refer to the standard level of performance of a certain device or to the normal operating capacity for your whole network. For instance, a specific server’s baseline describes norms for factors like how busy its processors are, how much of the memory it uses, and how much data usually goes through the NIC at a given time. A network baseline delimits the amount of bandwidth available and when.
For networks and networked devices, baselines include information about four key components:

■ Processor
■ Memory
■ Hard-disk (or other storage) subsystem
■ Wired/wireless utilization

After everything is up and running, it’s a good idea to establish performance baselines on all vital devices and your network in general. To do this, measure things like network usage at three different strategic times to get an accurate assessment. For instance, peak usage usually happens around 8:00 a.m. Monday through Friday, or whenever most people log in to the network in the morning. After hours or on weekends is often when usage is the lowest. Knowing these values can help you troubleshoot bottlenecks or determine why certain system resources are more limited than they should be. Knowing what your baseline is can even tell you if someone’s complaints about the network running like a slug are really valid—nice!

It’s good to know that you can use network-monitoring software to establish baselines. Even some server operating systems come with software to help with network monitoring, which can help find baselines, perform log management, and even do network graphing as well so you can compare the logs and graphs at a later period of time on your network.

In my experience, it’s wise to re-baseline network performance at least once a year. And always pinpoint new performance baselines after any major upgrade to your network’s infrastructure.

Network Monitoring and Logging

There are a lot of ways to find out what’s really going on within your network. Most administrators opt to directly keep tabs on network performance by looking at important factors like data rates and available bandwidth, using the many tools on the market designed to help with that. Another good strategy for assessing a network’s health and well-being is via the more indirect route of monitoring the logs that your server operating systems keep.
These can help you spot problems on your physical network as well as services or applications that aren’t running properly and could eventually bring the network or its resources down and make your users really unhappy.

Network Monitoring

Some key network-monitoring tools and diagnostic utilities around today are software additions that run on an existing server operating system like Windows Server or Unix. Others are stand-alone hardware devices that you plug into your network, but both are basically the packet sniffers we talked about back in Chapter 14. Although it’s true that hackers can and do use sniffers to capture network traffic and gather data for an attack, we make good use of them too. And strange but true, being a bit of a hacker yourself can make you a much better sys admin—knowing your enemies and their methods can help you find the same holes they would use for evil, and you can use that knowledge to plug security holes and even optimize your network’s performance.

Packet sniffers allow you to examine network traffic down to details of individual packets. You can put the packet’s header under the microscope: It contains vital information about the protocol being used to encapsulate it, plus the source and destination IP addresses. This is super-valuable information—if I’m seeing the speed of traffic on a specific segment grind to a crawl, one of the first things I’ll look for is one IP address that’s spewing tons of data. If that’s the case, it could mean that I’ve got a failing network adapter because a common symptom of a dying NIC is to become extremely “chatty” by sending out broadcast packets and clogging things to the point that legitimate traffic can’t get through. It’s like getting a deluge of junk mail and being forced to read every last bit of it; a broadcast packet is technically addressed to everyone, meaning that all the other NICs on the segment have to stop and read what’s in it—not so good.
Good news—routers are, by default, configured to prevent broadcasts from going from one segment to another. Most switches sold today are also able to prevent broadcasts from spreading to multiple network segments, but not by default.

When you hear people refer to things like load testing, connectivity testing, and throughput testing, they’re really talking about network monitoring. You’ll also hear network monitors referred to as protocol analyzers.

Microsoft has a graphical utility called Network Monitor that can be used to capture network traffic. The current version is 3.4, and it’s supported by Windows Vista, Windows 7/8, Server 2003/2008/2012. You can download it from Microsoft’s website, but for it to work, your network adapter must be able to work in promiscuous mode (yes, you read that right!). Several third parties specialize in producing network monitors, such as Fluke Networks, which makes some cool tools like the OptiView Network Analyzer.

SNMP

Although Simple Network Management Protocol (SNMP) certainly isn’t the oldest protocol ever, it’s still pretty old, considering it was created way back in 1988 (RFC 1065)! SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs)—for example, Cisco Prime or HP Openview. These agents send messages to the NMS station, which then either reads or writes information in the database, stored on the NMS, that’s called a Management Information Base (MIB).

The NMS periodically queries or polls the SNMP agent on a device to gather and analyze statistics via GET messages. These messages can be sent to a console or alert you via email or SMS. The command snmpwalk uses the SNMP GETNEXT request to query a network for a tree of information. End devices running SNMP agents would send an SNMP trap to the NMS if a problem occurs.
This is demonstrated in Figure 18.8.

Figure 18.8 SNMP GET and TRAP messages (the NMS polls the router: “Check interface status!” as a GET, answered with a Reply; when the router’s interface Gi0/1 fails, it sends a TRAP to the NMS: “My interface Gi0/1 went down! It’s the end of the world! HELP!”)

Admins can also use SNMP to provide some configuration to agents as well, called SET messages. In addition to polling to obtain statistics, SNMP can be used for analyzing information and compiling the results in a report or even a graph. Thresholds can be used to trigger a notification process when exceeded. Graphing tools are used to monitor the CPU statistics of devices like a core router. The CPU should be monitored continuously, and the NMS can graph the statistics. Notification will be sent when any threshold you’ve set has been exceeded.

SNMP has three versions, with version 1 being rarely, if ever, implemented today. Here’s a summary of these three versions:

SNMPv1  Supports plaintext authentication with community strings and uses only UDP.

SNMPv2c  Supports plaintext authentication with MD5 or SHA with no encryption but provides GET BULK, which is a way to gather many types of information at once and minimize the number of GET requests. It offers a more detailed error message reporting method, but it’s not more secure than v1. It uses UDP even though it can be configured to use TCP.

SNMPv3  Supports strong authentication with MD5 or SHA, providing confidentiality (encryption) and data integrity of messages via DES or DES-256 encryption between agents and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP.

Syslog

Reading system messages from a switch’s or router’s internal buffer is the most popular and efficient method of seeing what’s going on with your network at a particular time.
But the best way is to log messages to a syslog server, which stores messages from all of your devices, can time-stamp and sequence them for you, and is easy to set up and configure! Figure 18.9 shows a syslog server and client in action.

Figure 18.9 Syslog server and client
(The SF router forwards its console messages to the syslog server; the admin says, "I want to look at the console messages of the SF router from last night.")

Syslog lets you display, sort, and even search messages, which makes it a really great troubleshooting tool. The search feature is especially powerful because you can use keywords and even severity levels. Plus, the server can email admins based on the severity level of a message.

Network devices can be configured to generate syslog messages and forward them to various destinations. These four are the popular ways to gather messages from Cisco devices:

■ Logging buffer (on by default)
■ Console line (on by default)
■ Terminal lines (using the terminal monitor command)
■ Syslog server

By default, every system message and piece of debug output the IOS generates goes to the console line and into the logging buffer in RAM. And routers aren't exactly shy about sending messages! To see them on a VTY (Telnet/SSH) session too, use the terminal monitor command. So, by default, we'd see something like this on the console line:

*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed state to administratively down
*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/0, changed state to down

The router sends the same message to the syslog server in this general format:

seq no:timestamp: %facility-severity-MNEMONIC:description

The system message format breaks down this way:

seq no Stamps each message with a sequence number, but not by default. If you want this output, you've got to configure it (service sequence-numbers).
timestamp Date and time of the message or event.

facility The facility (the IOS subsystem, such as LINK or SYS) to which the message refers.

severity A single-digit code from 0 to 7 that indicates the severity of the message.

MNEMONIC Text string that uniquely identifies the message type.

description Text string containing detailed information about the event being reported.

The severity levels, from most to least severe, are explained in Table 18.1. On Cisco devices, the console and buffer destinations default to debugging (7), so every message lands there, while messages forwarded to a syslog server (logging trap) default to informational (6).

Table 18.1 Severity levels

Severity        Level  Explanation
Emergency       0      System is unusable.
Alert           1      Immediate action is needed.
Critical        2      Critical condition.
Error           3      Error condition.
Warning         4      Warning condition.
Notification    5      Normal but significant condition.
Informational   6      Normal informational message.
Debugging       7      Debugging message.

If you are studying for your CompTIA Network+ exam, you need to memorize Table 18.1. Understand that a configured level is a ceiling: configure severity level 0 and only emergency messages are logged; configure level 4 and levels 0 through 4 are logged, giving you emergency, alert, critical, error, and warning messages. Level 7 is the highest logging level and captures everything, but be warned that running at debugging on a busy device can seriously hurt its performance. So always use debugging commands carefully, with an eye on the messages you really need to meet your specific business requirements!

SIEM

Security information and event management (SIEM) is a term for software products and services that combine security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
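The message format and the severity ceiling described above are easy to get wrong when you write your own log tooling, so here is an added Python example (written for this edit, not taken from the book or from Cisco) that parses IOS-style messages into their seq no, timestamp, facility, severity, MNEMONIC, and description fields and then applies a `logging trap`-style ceiling. The sample messages are constructed: the facility and mnemonic names are real IOS ones, but the interface names, addresses, and memory figures are made up. The PRI helper encodes the RFC 3164 priority byte that the device puts on the wire; the local7 facility code (23) is the IOS default.

```python
"""Parse Cisco IOS syslog messages and apply a severity ceiling (added example)."""
import re

# Constructed IOS-style messages (not captured from a real device); the
# facility/mnemonic names are real IOS ones, the details are made up.
SAMPLE_MESSAGES = [
    "000123: *Oct 21 17:33:50.565: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down",
    "000124: *Oct 21 17:33:51.565: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "000125: *Oct 21 17:34:02.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "000126: *Oct 21 17:35:10.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "000127: *Oct 21 17:36:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60B1D2F0, alignment 0",
    "000128: *Oct 21 17:36:01.000: %IP-7-DEBUG: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.50",
    "garbage line that is not a syslog message",
]

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# seq no (optional): timestamp: %FACILITY-SEVERITY-MNEMONIC: description
IOS_MESSAGE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                                                # service sequence-numbers
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?):\s*"    # service timestamps log datetime msec
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


def parse_ios_message(line):
    """Return the message's fields as a dict, or None if the line is not IOS syslog."""
    m = IOS_MESSAGE.match(line.strip())
    if not m:
        return None
    sev = int(m["severity"])
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "description": m["description"],
    }


def parse_all(lines):
    """Parse a batch of lines, dropping anything that is not a well-formed message."""
    return [msg for msg in (parse_ios_message(line) for line in lines) if msg is not None]


def filter_by_level(messages, level):
    """Model `logging trap <level>`: keep everything at or below the ceiling (0 = most severe)."""
    if not 0 <= level <= 7:
        raise ValueError("syslog level must be 0-7")
    return [msg for msg in messages if msg["severity"] <= level]


def syslog_pri(facility_code, severity):
    """RFC 3164 PRI value sent as <PRI> on the wire: facility*8 + severity.
    IOS uses the local7 facility (code 23) unless `logging facility` changes it."""
    return facility_code * 8 + severity


def decode_pri(pri):
    """Inverse of syslog_pri: (facility_code, severity)."""
    return divmod(pri, 8)


if __name__ == "__main__":
    msgs = parse_all(SAMPLE_MESSAGES)
    for msg in filter_by_level(msgs, 4):  # what a server set to `logging trap warnings` would store
        print(msg["severity_name"], msg["facility"], msg["mnemonic"], msg["description"])
```

Run as is, it keeps only the LOGIN_FAILED (4) and MALLOCFAIL (2) messages at level 4, exactly the "0 through 4" behaviour described above; raise the ceiling to 7 and the debugging message comes through as well.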
You can get it as a software solution or a hardware appliance, and some businesses sell it as a managed service. Whichever form it takes, a SIEM collects and stores security log data from across the network and can generate reports for compliance purposes. The acronyms SEM, SIM, and SIEM are often used interchangeably; strictly, SEM describes the real-time side (monitoring and correlation of events, notifications, and console views), while SIM describes long-term storage, analysis, and reporting of log data. More recently, vSIEM (voice security information and event management) was introduced to provide visibility into voice traffic. A SIEM typically provides the following capabilities:

■ Data aggregation (collecting logs from many sources into one place)
■ Correlation (linking related events, such as a burst of failed logons followed by a success)
■ Alerting
■ Dashboards
■ Compliance reporting
■ Retention
■ Forensic analysis (searching historical events)

Speed Test Sites

Speed test sites are especially helpful for testing the bandwidth of your Internet connection. I typically use Speakeasy's Speed Test, but just search for speed tests, or DSL speed tests, and you'll get a whole host of speed test sites. Figure 18.10 shows the speed test site that I use.

Figure 18.10 Speakeasy Speed Test

Looking Glass Sites

You can access a Looking Glass (LG) server remotely to view routing information. These are servers on the Internet, run by ISPs and other network operators, that make Looking Glass software available to the public. The servers are essentially read-only portals to the operator's routers: you pick a router and a command, typically a BGP route lookup, a ping, or a traceroute, and the LG runs it from that remote location and shows you the output. Figure 18.11 shows an output from a Looking Glass server.
Figure 18.11 Looking Glass site output

Server Logs

Windows Server 2003 and 2008 (and most other Windows operating systems) come with a tool called Event Viewer that provides several logs containing vital information about events happening on the computer. Other server operating systems have similar logs, and many connectivity devices like routers and switches also keep their own logs and statistics on what's happening to them. These logs go by various names, like history logs, general logs, or server logs. Figure 18.12 shows an Event Viewer system log display from a Windows Server 2003 machine.

On Windows servers, a minimum of three separate logs hold different types of information:

Application Contains events written by applications or programs, as decided by their programmers. Examples include LiveUpdate, the Microsoft Office suite, and SQL and Exchange servers.

Security Contains security events such as valid or invalid logon attempts (audit success and audit failure records) and other potential security problems.

System Contains events generated by Windows system components, including drivers and services that started or failed to start.

The basic "Big Three" give us lots of juicy information about who's logging on, who's accessing the computer, and which services are running properly (or not). If you want to find out whether your Dynamic Host Configuration Protocol (DHCP) server started its DHCP service properly, just check its System log. Because the computer depicted in Figure 18.12 is configured as a domain controller, its Event Viewer serves up three more logs: Directory Service, DNS Server, and File Replication Service, for a total of six.

Figure 18.12 Windows Event Viewer system log

Windows 2000 Server and Windows Server 2003 came with System Monitor, another graphical tool used to create network baselines, provide performance logs, and identify bottlenecks.
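The Security log's logon events are the raw material a SIEM's correlation engine (described earlier in this section) works on. As an added example, written for this edit and not taken from the book or from any SIEM product, here is a Python correlation rule run over constructed, already-normalized Security log events: five failed logons for one account from one source address within two minutes raise a medium alert, and a successful logon for that same pair while the failures are still in the window raises a high one. The event IDs are the real Windows ones (529/528/540 on Server 2003, 4625/4624 on Server 2008 and later); the account names, addresses, and times are made up.

```python
"""SIEM-style correlation of Windows Security log logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Windows Security log event IDs for logons: Server 2003 uses 528/540 (success) and 529
# (failure); Server 2008 and later use 4624 (success) and 4625 (failure).
SUCCESS_LOGON_IDS = {528, 540, 4624}
FAILED_LOGON_IDS = {529, 4625}

# Constructed, normalized events as a SIEM collector would ship them from the Security
# log: (timestamp, event_id, account, source_ip).  Not from a real server.
SAMPLE_EVENTS = [
    ("2014-10-21T17:35:01", 4625, "admin", "203.0.113.9"),
    ("2014-10-21T17:35:08", 4625, "admin", "203.0.113.9"),
    ("2014-10-21T17:35:15", 4625, "admin", "203.0.113.9"),
    ("2014-10-21T17:35:21", 4625, "admin", "203.0.113.9"),
    ("2014-10-21T17:35:30", 4625, "admin", "203.0.113.9"),
    ("2014-10-21T17:35:44", 4624, "admin", "203.0.113.9"),  # the guessing finally worked
    ("2014-10-21T17:40:00", 4625, "jsmith", "10.1.1.50"),   # a single typo, benign
    ("2014-10-21T17:40:09", 4624, "jsmith", "10.1.1.50"),
]


def correlate_logons(events, threshold=5, window_seconds=120):
    """Return alerts for (account, source) pairs with `threshold` failures inside the window,
    and a higher-severity alert when such a burst is followed by a successful logon."""
    alerts = []
    recent_failures = defaultdict(deque)  # (account, source) -> failure timestamps in window
    for ts, event_id, account, source in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (account, source)
        q = recent_failures[key]
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if event_id in FAILED_LOGON_IDS:
            q.append(t)
            if len(q) == threshold:  # fire once, when the burst crosses the line
                alerts.append({"rule": "brute_force_attempt", "severity": "medium",
                               "account": account, "source": source,
                               "failures": len(q), "time": ts})
        elif event_id in SUCCESS_LOGON_IDS:
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "account": account, "source": source,
                               "failures": len(q), "time": ts})
            q.clear()  # a success closes the episode either way
    return alerts


def highest_severity(alerts):
    """Worst severity among the alerts, for a dashboard roll-up; None if there are none."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((a["severity"] for a in alerts), key=order.get, default=None)


if __name__ == "__main__":
    for alert in correlate_logons(SAMPLE_EVENTS):
        print(alert)
```

The sort on the timestamp string matters: collectors deliver events out of order, and a sliding window only works on a time-ordered stream. Keying on (account, source) rather than on the account alone keeps a distributed guess from many addresses from being merged with a legitimate user's own typos; a production rule would add a second, source-only key to catch password spraying.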
For Windows Server 2008 R2 and later, Microsoft's separately licensed System Center Operations Manager takes over that monitoring and optimization role.

Utilization

Wired and wireless analyzers can show you the bandwidth used on your network segments or wireless area. There are also tools that report storage, network device CPU, and device memory statistics for your servers and hosts. For example, if you have a Mac, you can use the built-in Activity Monitor, which shows CPU usage, memory statistics, energy used by each application, disk usage, and network bytes sent and received, as shown in Figure 18.13. In addition to utilization information for your hosts, servers, and networks, you need information about the wireless channel utilization on your network. To get it, you need a wireless analyzer, which I've already discussed. The wireless analyzer in Figure 18.14 is showing channel utilization. Notice that three channels (1, 6, and 11) are in use.

Figure 18.13 Mac's Activity Monitor

Identifying Hardware Tools

A great example of when the hardware tools and testers I'm about to cover come in handy is a failed fiber link between buildings. As a system administrator running a network with a server, routers, and switches, it's entirely possible you'll never find yourself in a situation that calls for these tools. But if you're in network design or a field that requires installing cabling, these hardware tools are going to be really valuable to you. Unlike the software tools we just talked about, none of these goodies are free, but they come in a variety of flavors that run the gamut from real bargains to "You're joking, how much?" Some of them can indeed free you of thousands of dollars!

Cable testers are the most widely used hardware tool in today's LANs, so let's start with them.
Figure 18.14 Wireless channel utilization

Cable Testers

The best way to deal with a faulty cable installation is to avoid the problem in the first place by purchasing high-quality components and installing them carefully. Still, this isn't a perfect world; no matter how careful you are, problems are bound to arise anyway. The tools I'm going to cover can be used to test cables at the time of installation and afterward, if and when you need to troubleshoot cabling problems. Cable-testing tools range from simple, inexpensive mechanical devices to elaborate electronic testers that automatically supply a litany of test results in an easy-to-read pass/fail format.

Figure 18.15 shows an example of an inexpensive cable tester for twisted-pair wiring. This little box can verify the connection through the cable and tell you whether the cable is straight-through or crossover. It can also identify problems such as grounding issues. Sometimes the problem is not a complete lack of connectivity but slow performance, which can also be a cabling issue that a cable tester can identify. This tool is as cheap as they come.

Figure 18.15 An inexpensive cable tester

Let's focus on the types of tools available for both copper and fiber-optic cable testing. This is not to say that you need all of the tools listed here; in fact, I'll try to steer you away from certain types. Sometimes you'll get lucky and have the luxury of choosing between high-tech and low-tech devices that perform roughly the same function. You can choose according to the requirements of your network, your operational budget, even your temperament and time constraints.
Some of the tools are extremely complicated and require extensive training to use effectively, whereas others can be used by pretty much anybody equipped with a functioning brain. Other important considerations when selecting tools are the cable tests described earlier in this chapter, the test results required by the standards you're using to certify your network, and the capabilities of the people who will be doing the actual work. And don't forget the potentially painful cost of some of them.

Loopback Plug

A loopback test is a diagnostic procedure in which a signal is transmitted and returned to the sending device after passing through all or a portion of a network or circuit. The returned signal is compared with the transmitted signal to evaluate the integrity of the equipment or transmission path. To loop a port back on itself, you insert a loopback plug, which wires the port's transmit pins to its own receive pins. Loopback plugs are made for both Ethernet and fiber applications. Figure 18.16 shows an Ethernet loopback plug and Figure 18.17 shows a plug for fiber applications.

Figure 18.16 Ethernet loopback plug

Figure 18.17 Fiber loopback plug

Wire-Map Testers

A wire-map tester transmits a signal through each wire in a copper twisted-pair cable to determine whether it's connected to the correct pin at the other end. Wire mapping is the most basic test for twisted-pair cables because the eight separate wire connections in each cable run are a common source of installation errors. Wire-map testers detect transposed wires, opens (broken or unconnected wires), and shorts (wires or pins improperly connected to each other). Any of these faults can render a cable run completely inoperable.
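To make the fault classes concrete, here is an added Python model of what a wire-map tester sees: each near-end pin and the far-end pin its conductor lands on. It is example code written for this edit, not from the book or from any tester vendor; the cable runs are constructed. The model classifies a run as straight-through, crossover, or failed with its opens, shorts, and transposed pins, and it also shows the one fault this section goes on to discuss, the split pair, passing the map test because the pin-to-pin map is the identity even though the conductors are twisted with the wrong partners.

```python
"""Wire-map faults on an 8-conductor twisted-pair run, and why a split pair passes (added example)."""
from collections import Counter

# T568A and T568B both pair pins 1-2, 3-6, 4-5 and 7-8; they differ only in colour order.
STANDARD_PAIRS = {frozenset({1, 2}), frozenset({3, 6}), frozenset({4, 5}), frozenset({7, 8})}
# A 10/100 crossover swaps pair 1-2 with 3-6; a gigabit crossover also swaps 4-5 with 7-8.
CROSSOVER_10_100 = {1: 3, 2: 6, 3: 1, 4: 4, 5: 5, 6: 2, 7: 7, 8: 8}
CROSSOVER_GIGABIT = {1: 3, 2: 6, 3: 1, 4: 7, 5: 8, 6: 2, 7: 4, 8: 5}


def wire_map(near_to_far):
    """near_to_far: near-end pin -> far-end pin its conductor lands on, None for an open.
    Returns the verdict a wire-map tester would display plus the faulted pins."""
    pins = range(1, 9)
    opens = [p for p in pins if near_to_far.get(p) is None]
    landings = Counter(f for f in near_to_far.values() if f is not None)
    shorts = sorted(f for f, n in landings.items() if n > 1)  # two conductors on one far pin
    if opens or shorts:
        return {"verdict": "FAIL", "opens": opens, "shorts": shorts, "transposed": []}
    if all(near_to_far[p] == p for p in pins):
        return {"verdict": "straight-through", "opens": [], "shorts": [], "transposed": []}
    if near_to_far in (CROSSOVER_10_100, CROSSOVER_GIGABIT):
        return {"verdict": "crossover", "opens": [], "shorts": [], "transposed": []}
    transposed = sorted(p for p in pins if near_to_far[p] != p)  # miswire, not a valid crossover
    return {"verdict": "FAIL", "opens": [], "shorts": [], "transposed": transposed}


def split_pairs(physical_pairs):
    """physical_pairs: the four sets of pins whose conductors are actually twisted together.
    A wire-map test cannot see this; only a NEXT measurement can.  Returns the offenders."""
    return sorted(tuple(sorted(pair)) for pair in physical_pairs
                  if frozenset(pair) not in STANDARD_PAIRS)


# Constructed cable runs
GOOD = {p: p for p in range(1, 9)}
OPEN_PIN_7 = {**GOOD, 7: None}
SHORT_1_2 = {**GOOD, 2: 1}            # pins 1 and 2 both land on far pin 1
MISWIRE_3_4 = {**GOOD, 3: 4, 4: 3}    # conductors 3 and 4 swapped at one end
# Split pair: the pin-to-pin map is the identity, but 3-4 and 5-6 were twisted together
SPLIT_MAP = dict(GOOD)
SPLIT_PHYSICAL = [{1, 2}, {3, 4}, {5, 6}, {7, 8}]

if __name__ == "__main__":
    for name, run in [("good", GOOD), ("crossover", CROSSOVER_10_100), ("open", OPEN_PIN_7),
                      ("short", SHORT_1_2), ("miswire", MISWIRE_3_4), ("split pair", SPLIT_MAP)]:
        print(name, wire_map(run))
    print("split pairs the wire map missed:", split_pairs(SPLIT_PHYSICAL))
```

The point of the last two lines of output is the one to remember: the split-pair run reports "straight-through" with no faults, and only the pairing check (standing in for the crosstalk measurement a real tester performs) flags pins 3-4 and 5-6 as wrongly twisted.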
Wire-map testing is nearly always included in multifunction cable testers, but sometimes it's just not worth spending serious cash on a comprehensive device. Dedicated wire-map testers run about two to three hundred dollars and let you test your installation for the most common faults that occur during and after installation. If, say, you're installing voice-grade cable, a simple wire-mapping test is probably all that's needed.

A wire-map tester essentially consists of a remote unit that you attach to the far end of a connection and a battery-operated, handheld main unit that displays the results. Typically, the tester displays codes that indicate the specific type of fault it finds. You can also buy a tester with multiple numbered remote units so that one person can test several connections without constantly walking back and forth to move the remote.

The one wiring fault a dedicated wire-map tester cannot detect is the split pair. In a split pair, every pin still connects to the same-numbered pin at the far end, so the cable maps straight through and passes, but the two conductors of a signal pair are not twisted together: each is twisted with a conductor from a different pair. Because the signals no longer ride on balanced twisted pairs, the cable suffers severe near-end crosstalk (NEXT). To detect split pairs, you need a device that measures NEXT.

Continuity Testers

A continuity tester, or line tester, is an even simpler and less expensive device than a wire-map tester; it checks a copper cable connection for basic installation problems like opens, shorts, and crossed pairs. It costs only a few dollars, but it usually can't detect the more complicated twisted-pair wiring faults. It's still a nice option for basic cable testing, especially for coaxial cables, which have only two conductors and so don't easily confuse whoever is installing them.
Like a wire-map tester, a continuity tester consists of two separate units that you connect to the two ends of the cable you want to test. Most of the time, the two units snap together for storage and for easy testing of patch cables. But remember, a continuity tester simply tests continuity, equivalent to data at one bit per minute (or slower), and cannot tell you whether a cable will reliably pass Ethernet data at network speeds. For that, you need a real cable tester rated for Gigabit speeds or higher.

Protocol Analyzer

A protocol analyzer is often confused with a packet sniffer because some products really are both. Remember: a packet sniffer captures all the traffic on a network segment. A protocol analyzer (surprise!) decodes and analyzes the protocols in that traffic. These tools come in both software and hardware versions, but compared to the products I listed earlier in this chapter, a network protocol analyzer is likely to give you more information and help than a plain sniffer will. A bona fide protocol analyzer can actually help you troubleshoot problems, whereas most sniffers just hand you raw frames to have a ball deciphering. A network protocol analyzer can perform the following functions:

■ Help troubleshoot hard-to-solve problems
■ Help you detect and identify malicious software (malware)
■ Help gather information such as baseline traffic patterns and network-utilization metrics
■ Help you identify unused protocols so that you can remove them from the network
■ Provide a traffic generator for penetration testing
■ Possibly even work with an IDS

And last, and perhaps most important for you, they can really help you learn about networking in general.
This means if you just want to find out why a network device is behaving a certain way, you can use a protocol analyzer to sniff (there's that word again) the traffic and expose the data and protocols that pass along the wire.

Free Network Analyzers

I've found a whole bunch of network analyzers you can use for free at the following location:

www.snapfiles.com/freeware/network/fwpacketsniffer.html

But understand that there's no way I can verify the validity of this link after this book is published. Again, the terms sniffer and analyzer are used to describe the same products found at this link. Both Microsoft's NetMon and Wireshark are called sniffers and analyzers, and they are both, at least to some degree.

Certifiers

Certification testers, or certifiers, are used to determine whether your cabling meets a specific International Organization for Standardization (ISO) or Telecommunications Industry Association (TIA) performance standard (Cat 5e, Cat 6, or Cat 7). If you need to prove that, they are your only option. Also, if your network is wired with both copper and fiber, you really must use a certification tester. Basically, a certifier is a combination cable tester and network analyzer, only better because it comes with more options. This is wonderful because it makes your job easier and makes you seem smarter to everyone around you; you're only as good as your tools, right? A good certifier will test the performance and response times of network resources like web, file, email, and even DNS and Dynamic Host Configuration Protocol (DHCP) servers. And, at the same time, it will certify your full Category 6 cable installation. After it finishes all this, you can provide your boss with a detailed network test report complete with dazzling, colorful graphics to make it simple to explain and understand. Voilà! You're instantly the genius of the day. To get these smarts, all you need is a lot of money.
These products are not for the small office, home office (SOHO) market because they cost literally thousands of dollars, starting at about $5,000.

Time-Domain Reflectometer

A time-domain reflectometer (TDR) is a tool that finds and describes faults in metallic cables like twisted-pair and coaxial cables. The equivalent device for optical fiber is an optical time-domain reflectometer (OTDR), which I'll talk about in a minute.

A TDR works in the same basic way that radar does. It transmits a short rise-time pulse along the conductor. If the cable is of uniform impedance and properly terminated, the entire pulse is absorbed in the far-end termination and nothing is reflected back to the TDR. Any impedance discontinuity sends some of the incident signal back toward the source, letting you know all is not well. An increase in impedance (an open, a break, a bad connector) produces a reflection with the same polarity as the original pulse; a decrease in impedance (a short, or crushed insulation) produces an inverted reflection. The reflected pulse measured at the TDR's port is displayed or plotted against time, and because the speed of signal propagation is essentially constant for a given cable type (its nominal velocity of propagation, NVP), the round-trip time also gives you the distance to the fault or to the end of the cable.

Because of this sensitivity to any variation in impedance, you can use a TDR to verify these things:

■ Speed and condition of the cable
■ How long it takes to send a signal down a cable and how long it takes to come back
■ Cable impedance characteristics
■ Splice and connector locations and their associated loss amounts
■ Estimated cable lengths

Now, let's take a look at a device that tests fiber-optic cables.
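Here is an added Python example, written for this edit and not from the book or from any TDR vendor, that does the two things the text describes: it picks reflections out of a trace, classifies each by polarity (same polarity as the pulse means an impedance increase such as an open, inverted means a decrease such as a short), and converts the round-trip time to a distance using the cable's NVP. The traces are constructed with a small generator so the example runs offline; the NVP of 0.69 is a typical Cat 5e figure and is an assumption, since the real value comes from the cable datasheet.

```python
"""Locate and classify a TDR reflection on a constructed trace (added example)."""
C_M_PER_NS = 0.299792458  # speed of light in vacuum, metres per nanosecond

# Typical nominal velocity of propagation (NVP) as a fraction of c; the real figure is
# printed on the cable's datasheet and must be entered into the TDR for accurate distances.
NVP_CAT5E = 0.69


def fault_distance_m(round_trip_ns, nvp):
    """Reflection time is a round trip, so distance is half of velocity x time."""
    return round_trip_ns * nvp * C_M_PER_NS / 2


def classify_reflection(amplitude):
    """Same polarity as the incident pulse => impedance rose (open, break, bad connector);
    inverted => impedance fell (short, crushed cable)."""
    return "open (impedance increase)" if amplitude > 0 else "short (impedance decrease)"


def make_trace(reflections, step_ns=5, length_ns=600):
    """Constructed trace: incident pulse of +1.0 for the first 10 ns, baseline 0 after,
    plus each (time_ns, amplitude) reflection smeared over three samples."""
    samples = []
    for t in range(0, length_ns + step_ns, step_ns):
        amp = 1.0 if t <= 10 else 0.0
        for rt, a in reflections:
            if t == rt:
                amp += a
            elif abs(t - rt) == step_ns:
                amp += a / 2
        samples.append((t, amp))
    return samples


def analyze_trace(samples, nvp, threshold=0.1, blank_ns=20):
    """Find excursions above `threshold` after the incident pulse has died away and report
    each as a fault with a polarity-based type and a distance in metres."""
    events = []
    i, n = 0, len(samples)
    while i < n:
        t, a = samples[i]
        if t > blank_ns and abs(a) >= threshold:
            peak = samples[i]
            j = i
            while j < n and abs(samples[j][1]) >= threshold:  # walk the whole excursion
                if abs(samples[j][1]) > abs(peak[1]):
                    peak = samples[j]
                j += 1
            events.append({"time_ns": peak[0], "amplitude": peak[1],
                           "kind": classify_reflection(peak[1]),
                           "distance_m": round(fault_distance_m(peak[0], nvp), 1)})
            i = j
        else:
            i += 1
    return events


# Constructed traces: an open 45 m out, with a tiny connector blip at about 10 m that
# stays below the threshold, and a short 22 m out.
OPEN_TRACE = make_trace([(95, 0.04), (435, 0.42)])
SHORT_TRACE = make_trace([(215, -0.55)])

if __name__ == "__main__":
    print(analyze_trace(OPEN_TRACE, NVP_CAT5E))
    print(analyze_trace(SHORT_TRACE, NVP_CAT5E))
```

Lowering the threshold would expose the small connector reflection as a separate event with its own distance, which is how a TDR lists splice and connector locations along a run; entering the wrong NVP scales every distance by the same error, so always set it from the cable's datasheet before trusting a length reading.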
Optical Time-Domain Reflectometer

An optical time-domain reflectometer (OTDR) is an optoelectronic instrument that gives you the skinny on an optical fiber. Don't confuse it with a simple optical power meter (a "light meter"), which only measures the light arriving at the far end. An OTDR sends a series of optical pulses into the fiber under test and, from the same end, collects and measures the light that is scattered (Rayleigh backscatter) and reflected back from points along the fiber's length. It then records how the returned power changes along the fiber. This is a lot like the way an electronic TDR measures reflections caused by impedance changes in a copper cable. The strength of the returned light is plotted against time, which also conveniently gives you the fiber's length. We use OTDRs to get the following information:

■ The fiber's estimated length
■ Its overall attenuation, including splice and mated-connector losses
■ The location of faults, such as breaks

Figure 18.18 shows the output from an OTDR testing a fiber connection. The spike marks a connector and the step after it marks a splice, each of which degrades the signal. This is a very typical trace. As the signal attenuates along the fiber, you see a gradual drop in decibels (dB). Any connector shows up as a reflection, the spike in the OTDR output, followed by a step of additional loss; a fusion splice normally shows only the step. The more splices and connectors, the shorter the distance you can run on a fiber.

Figure 18.18 Sample OTDR output
(Trace events labeled: Connector Reflection, Attenuation, Splice Loss)

Multimeter

A multimeter, or multitester (also called a volt/ohm meter [VOM]), is a multitasking electronic measuring instrument. Your average multimeter measures voltage, current, and resistance.
Multimeters come in analog and digital versions and range from basic handheld devices useful for simple fault-finding and field-service work to complex bench instruments that measure with a very high degree of accuracy. They can be used to troubleshoot electrical problems in a wide array of devices like batteries, motor controls, appliances, power supplies, and wiring systems. Figure 18.19 shows the multimeter that I use to help troubleshoot my networks. Multimeters come in lots of flavors with different ranges of features and prices. Cheap ones cost less than $10, but top-of-the-line models can set you back up to $5,000.

Toner Probe

A toner probe, also called a tone generator, is a simple copper cable tester that is easy to use and can trace a wire inside a wall. It is a two-piece unit, a tone generator and a probe, sometimes called a "fox and hound" wire tracer. One part connects to a cable through a standard jack, or to an individual wire with alligator clips, and transmits a tone over the cable or wire; the other part is a penlike probe that emits an audible tone when it touches the other end of the cable, the wire, or even its insulating sheath.

Figure 18.19 A multimeter

Most often, you will use a toner probe to locate a specific connection in a punch-down block because (annoyingly) some installers run all the cables for a network to the central punch-down block without labeling them. They (or you, if you're unlucky enough) then have to use a tone generator to identify which block is connected to which wall plate and label the punch-down block accordingly.
This tool can identify a particular cable at any point between its two ends, and because the probe detects the tone through the cable's sheath, it can help you pick one specific cable out of a massive cable-spaghetti bundle in a ceiling conduit or other raceway. Just connect the tone generator to one end and touch the probe to each cable in the bundle until you hear the tone. Figure 18.20 shows my toner and the probe I use to find the tone on the other end of the cable.

Also, by testing the continuity of individual wires using alligator clips, you can use a tone generator and probe to find opens, shorts, and miswires. An open wire won't produce a tone at the other end, a short will produce a tone on two or more wires at the other end, and an improperly connected wire will produce a tone on the wrong pin at the other end. Sound like fun? Not so much: it takes a really long time and is super tedious. Worse, the whole process is almost as error-prone as the cable installation itself. You have to either continually travel from one end of the cable to the other to move the tone generator or use a partner to test each connection, keeping in close contact by radio or some other means to avoid confusion. So, considering the time and effort involved, investing in a wire-map tester is a much more practical solution unless you're numbingly bored or really easily amused.

Figure 18.20 A toner probe

Butt Set

A butt set is essentially a portable telephone that lets you test and monitor analog lines, whether wet (carrying central-office battery voltage) or dry (no voltage). The most common type, shown in Figure 18.21, can both monitor and transmit.

Figure 18.21 A butt set

You see these all the time with telco technicians up on telephone poles.
They use their butt sets to connect to telephone lines, test them, and even make phone calls. Another handy tool that can take the place of a butt set is a hound. This noncanine device is nothing more than an inductively coupled amplifier with a small speaker in a handheld tool. It's used to monitor the audio on a given line to verify that you have the right pair before connecting to it, and it's typically used with a toner probe. It will also monitor for noise.

Punch-Down Tool

Most networks today are built using twisted-pair cable of some sort. This cable is usually terminated in wiring closets using a punch-down tool. It's called that because that's exactly what the tool does: it punches the wire down into some kind of insulation displacement connector (IDC). There are different types of punch-down tools. The most common has replaceable blades for the different types of connectors (66 or 110 blocks). Figure 18.22 shows an example of this type of punch-down tool.

Figure 18.22 An example of a punch-down tool

IDCs make contact by cutting through, or displacing, the insulation around a single conductor inside a twisted-pair cable. As shown in Figure 18.23, the punch-down tool pushes a conductor between the sides of a V inside an IDC, in this example a keystone connector, allowing the small metal blade inside the connector to make contact with the conductor deep inside the wire's insulation.

Figure 18.23 Using a punch-down tool on a small keystone connector

Now let's take a look at how to put a cable end together.

Cable Stripper/Snips

A wire crimper, often simply called a crimper, is a handy tool found in most network technicians' tool bags. Crimpers are primarily used for attaching ends onto different types of network cables via a process known as, that's right, crimping.
Crimping involves squeezing the tool by hand to press a connector's metal contacts into the inner conductors of a cable. Before you can crimp a connector onto the end, you've got to strip the cable's outer jacket with a cable stripper (or snips) and then seat the wires in the connector in the correct order. Figure 18.24 shows what a cable stripper and snips look like (this particular tool also includes a crimper).

Figure 18.24 A combination cable stripper, crimper, and snips

Often, network technicians make patch cables with a crimper. They take a short length of Category 5e unshielded twisted-pair (UTP), strip the jacket, and crimp an RJ-45 plug onto each end. The result is the type of cable needed to connect a host to a wall jack, for example. There are strippers and crimpers for the other types of cable as well, even specialized crimpers for fiber-optic ends.

Voltage Event Recorder (Power)

Alternating current (AC) is basically the food that PCs and other network devices require in specific amounts to function properly. In the United States, it's nominally 120 volts (commonly still called 110) and changes polarity 60 cycles a second (60 hertz). These values are referred to as line voltage. Any deviation from them can create major problems for your PC or other electronics, like death. While we're on the subject, you should also know that when a telephone rings, the phone company central office puts roughly 90 volts AC (peaking well above 100 V) on the line to ring the bell; telephone lines are not always the "low-voltage" circuits we think they are. Do all phone systems do this, even PBX systems within buildings? Are you willing to bet your life that they don't? Didn't think so.

This is why we have surge protectors.
These little saviors use a special electronic circuit that monitors the incoming voltage and clamps or trips a breaker when the voltage exceeds a set limit, known as the overvoltage threshold. Even though having a surge protector is definitely better than nothing, they too can fall victim to overvoltage events. I'm reminded of a friend whose home was struck by lightning during a thunderstorm; he found his surge protectors literally melted into the carpet! But they're still cool because, even though they're only somewhat protective, they are multiple-outlet strips that give us a lot more places to plug in our stuff.

By contrast, a quality voltage event recorder can troubleshoot and even support preventive maintenance on your entire electrical system, whether it's a home or a huge factory. Although they do big things, they're typically small devices that just plug into a wall and record, over time, the power quality of a given circuit. You would typically use a voltage event recorder for the following applications:

Recording voltage The recorder monitors and logs the supply voltage and checks whether the socket outlet is providing voltage within specification.

Measuring distortion The device measures frequency and harmonics and checks whether your uninterruptible power supply (UPS) is functioning correctly.

Measuring flicker It checks the switching loads on lighting systems.

Capturing voltage transients It can help you find intermittent, momentary events that may be affecting your equipment; the full waveform is captured with date, time stamp, and duration.

But you still have to do more to ensure the vitality of your electronic devices, because they're very sensitive to temperature as well. This means you also need a way to monitor the temperature of the place(s) where your equipment is housed.
Environmental Monitors

Environmental monitors are designed to monitor the temperature, humidity, power, and air flow in an area or in a device. Temperature and humidity are both critical factors in the health of computing equipment. High temperatures lead to CPU overheating, and shortly thereafter, systems start rebooting. High humidity cannot be tolerated because it leads to corrosion of electrical parts followed by shorts and other failures. Low humidity sounds good on paper, but with it comes static electricity buildup in the air, which can fry computer parts if it reaches them. Both of these conditions should be monitored. A temperature and humidity monitor can save you and your precious devices from a total meltdown.

By their very nature, networks often include lots of machines placed close together in one or several location(s)—like server rooms. Clearly, these devices, all humming along at once, generate quite a bit of heat. Just like us, electronics need to “breathe,” and they’re also pretty sensitive to becoming overheated, which is why you’ll often need a jacket in a chilly server room. It’s also why we need to set up and use temperature-monitoring devices.

Twenty years ago or so, these devices didn’t send alerts or give off any kind of alarms; they were just little plastic boxes that had pieces of round graph paper to graph temperature. The paper was good for a month, and for that duration, it would just spin around in a circle. As the temperature moved up or down, the pen attached to the temperature coil moved in or out, leaving a circle line around the paper. All of this allowed you to manually monitor the temperature modulation in the server room over time. Although intended to “alert” you when and if there were climate changes, it usually did so after the fact, and therefore, too late.
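The alerting logic a modern temperature/humidity monitor performs is simple enough to show in a few lines. The following is an added example written for this section, not code from the book or from any monitoring product: it checks a series of sensor readings against a safe range for temperature and humidity (both the high and the low side, since low humidity means static risk), and it also flags the pattern this chapter treats as an environmental red flag, a reading that goes out of range at the same hour on successive days. The limits, the sensor name, and the readings are all constructed sample values.

```python
"""Environmental-monitor alerting: flag out-of-range temperature/humidity
readings and spot the 'same time every day' pattern.
Added illustration; thresholds and sample readings are constructed and not
taken from the book."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Limits:
    # Hypothetical safe ranges for a server room; tune them to your own policy.
    temp_c: tuple = (18.0, 27.0)
    humidity_pct: tuple = (40.0, 60.0)


def out_of_range(value, low_high):
    """Return 'low', 'high', or None for a value against an inclusive range."""
    low, high = low_high
    if value < low:
        return "low"
    if value > high:
        return "high"
    return None


def check_readings(readings, limits=Limits()):
    """readings: iterable of (iso_timestamp, sensor_id, temp_c, humidity_pct).
    Returns one alert dict per violated limit."""
    alerts = []
    for ts, sensor, temp, hum in readings:
        when = datetime.fromisoformat(ts)
        for metric, value, bounds in (("temp_c", temp, limits.temp_c),
                                      ("humidity_pct", hum, limits.humidity_pct)):
            side = out_of_range(value, bounds)
            if side:
                alerts.append({"time": when, "sensor": sensor, "metric": metric,
                               "value": value, "side": side})
    return alerts


def recurring_hour(alerts, min_days=2):
    """Return the hour of day at which alerts recur on at least min_days
    distinct days (the most frequent one), or None if nothing recurs."""
    days_per_hour = {}
    for a in alerts:
        days_per_hour.setdefault(a["time"].hour, set()).add(a["time"].date())
    hits = [(hour, len(days)) for hour, days in days_per_hour.items()
            if len(days) >= min_days]
    if not hits:
        return None
    return max(hits, key=lambda hd: hd[1])[0]


# Constructed sample: three days of readings from one rack sensor.
SAMPLE = [
    ("2015-04-01T09:00", "rack1", 21.5, 45.0),
    ("2015-04-01T14:00", "rack1", 28.9, 44.0),   # afternoon sun warms the room
    ("2015-04-01T20:00", "rack1", 22.0, 46.0),
    ("2015-04-02T09:00", "rack1", 21.8, 47.0),
    ("2015-04-02T14:00", "rack1", 29.4, 43.0),
    ("2015-04-02T20:00", "rack1", 22.3, 35.0),   # dry air: static-buildup risk
    ("2015-04-03T09:00", "rack1", 21.2, 48.0),
    ("2015-04-03T14:00", "rack1", 28.1, 45.0),
]

if __name__ == "__main__":
    found = check_readings(SAMPLE)
    for a in found:
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['sensor']} "
              f"{a['metric']}={a['value']} ({a['side']})")
    print("recurring alert hour:", recurring_hour(found))
```

Run against the sample, the check raises four alerts (three high-temperature readings and one low-humidity reading) and reports 14:00 as the recurring hour, which is exactly the cue to look at what happens in that room every afternoon rather than at the servers themselves.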
Today, these temperature/humidity systems can provide multiple sensors feeding data to a single control point—nice. Now we can much more accurately track the temperature in our server rooms dynamically in real time. The central control point is usually equipped with HTTP software that can send alerts and provide alarms via a browser should your server room experience a warming event.

Temperature/humidity monitors also come in a variety of flavors. They vary in size and cost and come in hardware and/or software varieties. The kind you need varies and is based on the size of the room and the number of devices in it. You can even get one that will just monitor your PC’s internal heat.

What else will indicate you have a temperature problem in your server room? When you install new servers in a rack and you have network instability and other issues across all the servers in the rack but the power resources and bandwidth have been tested, this would be a good time to check your temperature monitor and verify that the servers are staying cool enough. Another red flag when it comes to environmental issues is a problem that occurs every day at the same time. This could be the time of day when the room temperature reaches the problematic stage.

Summary

You need network tools, and you need to know how to use them. And as I said, you can get your hands on many of them for free; so download them and use them as soon as possible to get the experience you’ll need to pass the CompTIA Network+ exam.

This chapter covered network scanners, including packet sniffers, IDS and IPS software, and port scanners. I also covered hardware tools, which are rarely free. The good news is that you don’t need many of them yourself, but the company that owns all the equipment definitely does. Even though I’ve used all of the tools I talked about in this chapter, I don’t own most of them personally—only the ones that are free or relatively inexpensive.
In the hardware tools section, I covered cable testers, analyzers, certifiers, TDR/OTDRs, and other critical tools that help you test the cables and devices in your network, monitor them, and keep them up and running smoothly.

Exam Essentials

Understand what network scanners are and how to use each one. Network scanners are described as packet sniffers, IDS/IPS software, and port scanners. These devices can help you both troubleshoot and fix your network as well as find and stop hackers in their tracks.

Remember the basic purpose of a packet sniffer. The basic purpose of packet sniffers or network analyzers is to collect and analyze each individual packet that is captured on a specific network segment to determine if problems are happening.

Remember the main purpose of IDS/IPS software. The IDS detects unwanted attempts to manipulate network systems and/or environment, and the IPS is a computer security device that monitors network and/or system activities for malicious behavior and can react in real time to stop attacks.

Understand what an OTDR is used for. An optical time-domain reflectometer (OTDR) is an optoelectronic instrument used to test fiber-optic cabling. You can learn the cable’s estimated length and attenuation (loss in dB) and the location of faults.

Understand the difference between cable testers and certifiers. Cable testers simply tell you if the cable will function. Cable certifiers run much more sophisticated tests that determine if the cable performs according to specifications called for in the standard.

Understand the value of temperature and humidity monitors. These devices can monitor environmental conditions and alert you if either the temperature or the humidity in a server room or area falls below or rises above the prescribed range of safe values.

Written Lab

You can find the answers in Appendix A. Answer the following questions about software and hardware tools:

1. True/False: An IDS box can find and fix a problem as the attack occurs.
2. True/False: A TDR is used to test fiber connections.
3. True/False: An IDS box will report an attack but not fix it.
4. True/False: An OTDR is used to test fiber connections.
5. True/False: A network analyzer will see every packet on every segment of your network at the same time.
6. What type of device determines if a cable meets standards specifications?
7. True/False: It is okay to scan the DoD network servers with a port scanner.
8. You need to monitor the temperature of your server room. What device should you use?
9. You want to monitor your UPS systems and make sure they are functioning correctly. What device should you use?
10. What type of device is used to put an RJ-45 end on a Cat 5e cable?

Review Questions

You can find the answers to the review questions in Appendix B.

1. Which is a tool in the network scanner category? (Choose all that apply.)
   A. Packet sniffers
   B. IDS/IPS software
   C. Port scanners
   D. None of the above

2. What is the purpose of packet sniffers?
   A. Discarding frames
   B. Sending transmissions from one port to another port
   C. Looking inside every packet on a network segment
   D. Stopping malicious behavior on the network

3. You need to trace cables in multiple-pair wiring. What tool will you use?
   A. Toner probe
   B. IDS
   C. Cable tester
   D. Butt set

4. What tool would you use to both find a break in a fiber-optic connection and test the fiber connectivity on the network?
   A. Multimeter
   B. OTDR
   C. Butt set
   D. Toner probe

5. You need to create a cable that will connect your host to a wall jack connection. Which of the following will you use?
   A. IDS/IPS
   B. Snips
   C. Coax cable strippers
   D. Multimeter

6. Where is the IDS/IPS software typically placed within a network?
   A. Between the internal router and the firewall connected to the ISP
   B. Between the printer and the router connected to the ISP
   C. Between the computer and the switch configured with VLANs
   D. Between the firewall and the router connected to the email server

7. What is the purpose of a port scanner?
   A. Scan UDP for closed ports
   B. Sweep TCP for closed ports
   C. Search the network host for open ports
   D. None of the above

8. What is the purpose of wire-map testers?
   A. Check copper cable for crossed pairs only
   B. Analyze protocols in software
   C. Help find unused protocols and remove them from the network
   D. Detect transposed wires, opens, and shorts in twisted-pair cables

9. Which of the following can check the speed and condition of the signal on a cable, measure the time it takes to send a signal down the wire and back, and find the exact location of a break?
   A. Multimeter
   B. TDR
   C. Tone generator
   D. Event recorder

10. Which device should be used if you need to determine whether your network meets ISO or TIA standards?
   A. Angry IP
   B. Certifiers
   C. Nmap
   D. Routing table

11. Which software tool is used to view network traffic at the frame level?
   A. TDR
   B. Multimeter
   C. Port scanner
   D. Packet sniffer

12. Which of the following options is not a function of a TDR?
   A. Estimate cable lengths
   B. Find splice and connector locations and their associated loss amounts
   C. Display unused services
   D. Determine cable-impedance characteristics
   E. Send a signal down a cable and measure how long it takes to come back

13. Which device would be used to measure voltage?
   A. Multimeter
   B. OTDR
   C. Butt set
   D. Toner probe

14. Which device would most likely be used to locate a specific connection in an unlabeled punch-down block?
   A. VOM
   B. Certifier
   C. TDR
   D. Toner probe

15. Which tool would be used to connect wire between two punch-down block blades?
   A. Punch-down tool
   B. Crimper
   C. Snips
   D. Strippers

16. Which tool is used to attach an RJ-45 connector to a Cat 5 cable?
   A. Punch-down tool
   B. Crimper
   C. Snips
   D. Strippers

17. On which of the following would a technician use a punch-down tool?
   A. RJ-45 connector
   B. CSU/DSU
   C. 110 block
   D. Fiber ST connector

18. Which device monitors incoming voltage levels and overvoltage thresholds?
   A. Repeater
   B. Toner probe
   C. VOM
   D. Surge protector

19. Which of the following tools can test a port on a device?
   A. Cable certifier
   B. Loopback plug
   C. Butt set
   D. Toner probe

20. You install new switches in your server room and are now experiencing network instability and other issues across all servers in the rack. Which device would be used to alert you of a system overheating?
   A. Voltage event recorder
   B. Temperature monitor
   C. Surge protector
   D. Probe

Chapter 19
Network Troubleshooting

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 4.1 Given a scenario, implement the following network troubleshooting methodology
  ■ Identify the problem
    ■ Gather information
    ■ Duplicate the problem, if possible
    ■ Question users
    ■ Identify symptoms
    ■ Determine if anything has changed
    ■ Approach multiple problems individually
  ■ Establish a theory of probable cause
    ■ Question the obvious
    ■ Consider multiple approaches
    ■ Top-to-bottom/bottom-to-top OSI model
    ■ Divide and conquer
  ■ Test the theory to determine cause
    ■ Once theory is confirmed, determine next steps to resolve problem
    ■ If theory is not confirmed, re-establish new theory or escalate
  ■ Establish a plan of action to resolve the problem and identify potential effects
  ■ Implement the solution or escalate as necessary
  ■ Verify full system functionality and if applicable implement preventative measures
  ■ Document findings, actions, and outcomes

✓ 4.3 Given a scenario, troubleshoot and resolve common wireless issues
  ■ Signal loss
  ■ Interference
  ■ Overlapping channels
  ■ Mismatched channels
  ■ Signal-to-noise ratio
  ■ Device saturation
  ■ Bandwidth saturation
  ■ Untested updates
  ■ Wrong SSID
  ■ Power levels
  ■ Wrong antenna type
  ■ Incompatibilities
  ■ Wrong encryption
  ■ Bounce
  ■ Environmental factors
    ■ Concrete walls
    ■ Window film
    ■ Metal studs
  ■ Wireless standard related issues
    ■ Throughput
    ■ Frequency
    ■ Distance
    ■ Channels

✓ 4.4 Given a scenario, troubleshoot and resolve common copper cable issues
  ■ Shorts
  ■ Opens
  ■ Incorrect termination (mismatched standards)
    ■ Straight-through
    ■ Crossover
  ■ Cross-talk
    ■ Near end
    ■ Far end
  ■ EMI/RFI
  ■ Distance limitations
  ■ Attenuation/Db loss
  ■ Bad connector
  ■ Bad wiring
  ■ Split pairs
  ■ Tx/Rx reverse
  ■ Cable placement
  ■ Bad SFP/GBIC - cable or transceiver

✓ 4.5 Given a scenario, troubleshoot and resolve common fiber cable issues
  ■ Attenuation/Db loss
  ■ SFP/GBIC - cable mismatch
  ■ Bad SFP/GBIC - cable or transceiver
  ■ Wavelength mismatch
  ■ Fiber type mismatch
  ■ Dirty connectors
  ■ Connector mismatch
  ■ Bend radius limitations
  ■ Distance limitations

✓ 4.6 Given a scenario, troubleshoot and resolve common network issues
  ■ Incorrect IP configuration/default gateway
  ■ Broadcast storms/switching loop
  ■ Duplicate IP
  ■ Speed and duplex mismatch
  ■ End-to-end connectivity
  ■ Incorrect VLAN assignment
  ■ Hardware failure
  ■ Misconfigured DHCP
  ■ Misconfigured DNS
  ■ Incorrect interface/interface misconfiguration
  ■ Cable placement
  ■ Interface errors
  ■ Simultaneous wired/wireless connections
  ■ Discovering neighboring devices/nodes
  ■ Power failure/power anomalies
  ■ MTU/MTU black hole
  ■ Missing IP routes
  ■ NIC teaming misconfiguration
    ■ Active-active vs active-passive
    ■ Multicast vs broadcast

There is no way around it. Troubleshooting computers and networks is a combination of art and science, and the only way to get really good at it is by doing it—a lot!
So it’s practice, practice, and practice with the basic yet vitally important skills you’ll attain in this chapter. Of course, I’m going to cover all the troubleshooting topics you’ll need to sail through the Network+ exam, but I’m also going to add some juicy bits of knowledge that will really help you to tackle the task of troubleshooting successfully in the real world.

First, you’ll learn to check quickly for problems in the “super simple stuff” category, and then we’ll move into a hearty discussion about a common troubleshooting model that you can use like a checklist to go through and solve a surprising number of network problems. We’ll finish the chapter with a good briefing about some common troubleshooting resources, tools, tips, and tricks to keep up your sleeve and equip you even further.

I won’t be covering any new networking information in this chapter because you’ve gotten all the foundational background material you need for troubleshooting in the previous chapters. But no worries. I’ll go through each of the issues described in this chapter’s objectives, one at a time, in detail, so that even if you’ve still got a bit of that previous material to nail down yet, you’ll be good to get going and fix some networks anyway.

To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book’s website at www.sybextestbanks.wiley.com.

Narrowing Down the Problem

When initially faced with a network problem in its entirety, it’s easy to get totally overwhelmed. That’s why it’s a great strategy to start by narrowing things down to the source of the problem. To help you achieve that goal, it’s always wise to ask the right questions. You can begin doing just that with this list of questions to ask yourself:

■ Did you check the super simple stuff (SSS)?
■ Is hardware or software causing the problem?
■ Is it a workstation or server problem?
■ Which segments of the network are affected?
■ Can you test the network from end to end to confirm connectivity?
■ Are there any cabling issues?

Did You Check the Super Simple Stuff?

Yes—it sounds like a snake’s hiss (appropriate for a problem, right?), but exactly what’s on the SSS list that you should be checking first, and why? Well, as the saying goes, “All things being equal, the simplest explanation is probably the correct one,” so you probably won’t be stunned and amazed when I tell you that I’ve had people call me in and act like the sky is falling when all they needed to do was check to make sure their workstation was plugged in or powered on. (I didn’t say “super simple stuff” for nothing!) Your SSS list really does include things that are this obvious—sometimes so obvious no one thinks to check for them. Even though anyone experienced in networking has their own favorite “DUH” events to tell about, almost everyone can agree on a few things that should definitely be on the SSS list:

■ Check to ensure login procedures and rights.
■ Look for link lights and collision lights.
■ Check all power switches, cords, and adapters.
■ Look for user errors.

The Correct Login Procedure and Rights

You know by now that if you’ve set up everything correctly, your network’s users absolutely have to follow the proper login procedure to the letter (or number, or symbol) in order to successfully gain access to the network resources they’re after. If they don’t do that, they will be denied access, and considering that there are truly tons of opportunities to blow it, it’s a miracle, or at least very special, that anyone manages to log in to the network correctly at all.

Think about it. First, a user must enter their username and password flawlessly. Sounds easy, but as they say, “in a perfect world. . .” In this one, people mess up, don’t realize it, and freak out at you about the “broken network” or the imaginary IT demon that changed their password on them while they went to lunch and now they can’t log in. (The latter could be true—you may have done exactly that. If you did, just gently remind them about that memo you sent about the upcoming password-change date and time that they must have spaced about due to the tremendous demands on them.)

Anyway, it’s true. By far, the most common problem is bad typing—people accidentally enter the wrong username or password, and they do that a lot. With some operating systems, a slight brush of the Caps Lock key is all it takes: The user’s username and password are case sensitive, and suddenly, they’re trying to log in with what’s now all in uppercase instead—oops.

Plus, if you happen to be running one of the shiny new operating systems around today, you can also restrict the times and conditions under which users can log in, right? So, if your user spent an unusual amount of time in the bathroom upon returning from lunch, or if they got distracted and tried to log in from their BFF’s workstation instead of their own, the network’s operating system would’ve rejected their login request even though they still can type impressively well after two martinis.

And remember—you can also restrict how many times a user can log in to the network simultaneously. If you’ve set that up, and your user tries to establish more connections than you’ve allowed, access will again be denied. Just know that most of the time, if a user is denied access to the network and/or its resources, they’re probably going to interpret that as a network problem even though the network operating system is doing what it should.

Can the Problem Be Reproduced?
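The login restrictions just described (case-sensitive credentials, the Caps Lock slip, permitted login hours, a permitted workstation, a concurrent-session limit, and lockout after repeated failures) are easiest to reason about when the denial comes back with a reason. The following is an added example written for this section, not code from the book or from any network operating system: a small policy check that stores only a salted PBKDF2 hash of the password and returns why a login was refused, which is the information a help desk needs before it starts blaming the network. The user name, password, workstation name, hours and lockout values are constructed sample values.

```python
"""Model of the login restrictions the chapter lists: case-sensitive
credentials (with a Caps Lock hint), allowed hours, permitted workstations,
a concurrent-session limit, and lockout after repeated failures.
Added illustration; the policy values and the user record are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is random unless given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


@dataclass
class UserRecord:
    username: str
    salt: bytes
    digest: bytes
    allowed_hours: tuple = (8, 18)                  # may log in 08:00 up to 18:00
    allowed_workstations: frozenset = frozenset()   # empty = any workstation
    max_sessions: int = 1
    active_sessions: int = 0
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Policy:
    lockout_threshold: int = 3                      # failures before lockout
    lockout_period: timedelta = timedelta(minutes=15)


def verify_password(user, password):
    """Constant-time comparison of the stored digest against a candidate."""
    _, digest = hash_password(password, user.salt)
    return hmac.compare_digest(digest, user.digest)


def attempt_login(user, password, workstation, now, policy=Policy()):
    """Return 'ok' or the reason the login was refused. The order mirrors the
    help-desk checklist: lockout, credentials, hours, workstation, sessions."""
    if user.locked_until and now < user.locked_until:
        return "locked_out"
    if not verify_password(user, password):
        user.failed_attempts += 1
        if user.failed_attempts >= policy.lockout_threshold:
            user.locked_until = now + policy.lockout_period
            user.failed_attempts = 0
            return "locked_out"
        # Caps Lock is the classic culprit: if the case-swapped password would
        # have matched, tell the help desk so without revealing anything else.
        if verify_password(user, password.swapcase()):
            return "bad_credentials_caps_lock?"
        return "bad_credentials"
    start, end = user.allowed_hours
    if not (start <= now.hour < end):
        return "outside_allowed_hours"
    if user.allowed_workstations and workstation not in user.allowed_workstations:
        return "wrong_workstation"
    if user.active_sessions >= user.max_sessions:
        return "too_many_sessions"
    user.failed_attempts = 0
    user.active_sessions += 1
    return "ok"


def make_demo_user():
    """Constructed user record; the password and restrictions are samples."""
    salt, digest = hash_password("Tr0ub4dor&3")
    return UserRecord("todd", salt, digest,
                      allowed_workstations=frozenset({"WS-17"}), max_sessions=1)


if __name__ == "__main__":
    user = make_demo_user()
    noon = datetime(2015, 4, 1, 12, 0)
    print(attempt_login(user, "tR0UB4DOR&3", "WS-17", noon))   # Caps Lock hint
    print(attempt_login(user, "Tr0ub4dor&3", "WS-99", noon))   # wrong desk
    print(attempt_login(user, "Tr0ub4dor&3", "WS-17", noon))   # ok
    print(attempt_login(user, "Tr0ub4dor&3", "WS-17", noon))   # second session
```

Note that a successful password is checked before the time, workstation and session limits, so a user who types perfectly but logs in from a friend's desk still gets a specific refusal rather than a generic one; the lockout counter, by contrast, only resets on a fully successful login.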
The first question to ask anyone who reports a network or computer problem is, “Can you show me what ‘not working’ looks like?” This is because if you can reproduce the problem, you can identify when it happens, which may give you all the information you need to determine the source of the problem and maybe even solve it in a snap. The hardest problems to solve are those of the random variety that occur intermittently and can’t be easily reproduced.

Let’s pause for a minute to outline the steps to take during any user-oriented network problem-solving process:

1. Make sure the username and password is being entered correctly.
2. Check that Caps Lock key.
3. Try to log in yourself from another workstation, assuming that doing this doesn’t violate the security policy. If it works, go back to the user-oriented login problems, and go through them again.
4. If none of this solves the problem, check the network documentation to find out whether any of the aforementioned kinds of restrictions are in place; if so, find out whether the user has violated any of them.

Remember, if intruder detection is enabled on your network, a user will get locked out of their account after a specific number of unsuccessful login attempts. If this happens, either they’ll have to wait until a predetermined time period has elapsed before their account will unlock and give them another chance or you’ll have to go in and manually unlock it for them.

The Link and Collision Lights

The link light is that little light-emitting diode (LED) found on both the Network Interface Card (NIC) and the switch. It’s typically green and labeled Link or some abbreviation of that. If you’re running 100BaseT, a link light indicates that the NIC and switch are making a logical (Data Link layer) connection.
If the link lights are lit up on both the workstation’s NIC and the switch port to which the workstation is connected, it’s usually safe to assume that the workstation and switch are communicating just fine.

The link lights on some NICs don’t activate until the driver is loaded. So, if the link light isn’t on when the system is first turned on, you’ll just have to wait until the operating system loads the NIC driver. But don’t wait forever!

The collision light is also a small LED, but it’s typically amber in color, and it can usually be found on both Ethernet NICs and hubs. When lit, it indicates that an Ethernet collision has occurred. If you’ve got a busy Ethernet network on which collisions are somewhat common, understand that this light is likely to blink occasionally; if it stays on continuously, though, it could mean that there are way too many collisions happening for legitimate network traffic to get through. Don’t assume this is really what’s happening without first checking that the NIC, or other network device, is working properly because one or both could simply be malfunctioning.

Don’t confuse the collision light with the network-activity or network-traffic light (which is usually green) because the latter just indicates that a device is transmitting. This particular light should be blinking on and off continually as the device transmits and receives data on the network.

The Power Switch

Clearly, to function properly, all computer and network components must be turned on and powered up first. Obvious, yes, but if I had a buck for each time I’ve heard, “My computer is on, but my monitor is all dark,” I’d be rolling in money by now. When this kind of thing happens, just keep your cool and politely ask, “Is the monitor turned on?” After a little pause, the person calling for help will usually say, “Ohhh. . .ummmm. . .thanks,” and then hang up ASAP.
The reason I said to be nice is that, embarrassing as it is, this, or something like it, will probably happen to you, too, eventually.

Most systems include a power indicator (a Power or PWR light). The power switch typically has an On indicator, but the system or device could still be powerless if all the relevant power cables aren’t actually plugged in—including the power strip. Remember that every cable has two ends, and both must be plugged into something. If you’re thinking something like, “Sheesh—a four-year-old knows that,” you’re probably right. But again, I can’t count the times this has turned out to be the root cause of a “major system failure.”

The best way to go about troubleshooting power problems is to start with the most obvious device and work your way back to the power-service panel. There could be a number of power issues between the device and the service panel, including a bad power cable, bad outlet, bad electrical wire, tripped circuit breaker, or blown fuse, and any of these things could be the actual cause of the problem that appears to be device-death instead.

Operator Error

Or, the problem may be that you’ve got a user who simply doesn’t know how to be one. Maybe you’re dealing with someone who doesn’t have the tiniest clue about the equipment they’re using or about how to perform a certain task correctly—in other words, the problem may be due to something known as operator error (OE). Here’s a short list of the most common types of OEs and their associated acronyms:

■ Equipment exceeds operator capability (EEOC)
■ Problem exists between chair and keyboard (PEBCAK)
■ ID Ten T error (an ID10T)

A word of caution here, though—assuming that all your problems are user related can quickly make an ID10T error out of you. Although it can be really tempting to take the easy way out and blow things off, remember that the network’s well-being and security are ultimately your responsibility.
So, before you jump to the operator-error conclusion, ask the user in question to reproduce the problem in your presence, and pay close attention to what they do. Understand that doing this can require a great deal of patience, but it’s worth your time and effort if you can prevent someone who doesn’t know what they’re doing from causing serious harm to pricey devices or leaving a gaping hole in your security. You might even save the help desk crew’s sanity from the relentless calls of a user with the bad habit of flipping off the power switch without following proper shutdown procedures. You just wouldn’t know they always do that if you didn’t see it for yourself, right? And what about finding out that that pesky user was, in fact, trained really badly by someone and that they aren’t the only one? This is exactly the kind of thing that can turn the best security policy to dust and leave your network and its resources as vulnerable to attack as that goat in Jurassic Park.

The moral here is, always check out the problem thoroughly. If the problem and its solution aren’t immediately clear to you, try the procedure yourself, or ask someone else at another workstation to do so. Don’t just leave the issue unsettled or make the assumption that it is user error or a chance abnormality because that’s exactly what the bad guys out there are hoping you’ll do.

This is only a partial list of super simple stuff. No worries. Rest assured you’ll come up with your own expanded version over time.

Is Hardware or Software Causing the Problem?

A hardware problem often rears its ugly head when some device in your computer skips a beat and/or dies. This one’s pretty easy to discern because when you try to do something requiring that particular piece of hardware, you can’t do it and instead get an error telling you that you can’t do it.
Even if your hard disk fails, you’ll probably get warning signs before it actually kicks, like a Disk I/O error or something similar. Other problems drop out of the sky and hit you like something from the wrong end of a seagull. No warning at all—just splat! Components that were humming along fine a second ago can and do suddenly fail, usually at the worst possible time, leaving you with a mess of lost data, files, everything—you get the idea.

Solutions to hardware problems usually involve one of three things:

■ Changing hardware settings
■ Updating device drivers
■ Replacing dead hardware

If your hardware has truly failed, it’s time to get out your tools and start replacing components. If this isn’t one of your skills, you can either send the device out for repair or replace it. Your mantra here is “backup, backup, backup,” because in either case, a system could be down for a while—anywhere from an hour to several days—so it’s always good to keep backup hardware around. And I know everyone and your momma has told you this, but here it is one more time: Back up all data, files, hard drive, everything, and do so on a regular basis.

Software problems are muddier waters. Sometimes you’ll get General Protection Fault messages, which indicate a Windows or Windows program (or other platform) error of some type, and other times the program you’re working in will suddenly stop responding and hang. At their worst, they’ll cause your machine to randomly lock up on you. When this type of thing happens, I’d recommend visiting the manufacturer’s support website to get software updates and patches or searching for the answer in a knowledge base. Sometimes you get lucky and the ailing software will tell the truth by giving you a precise message about the source of the problem.
Messages saying the software is missing a file or a file has become corrupt are great because you can usually get your problem fixed fast by providing that missing file or by reinstalling the software. Neither solution takes very long, but the downside is that whatever you were doing before the program hosed will probably be at least partially lost; so again, back up your stuff, and save your data often.

Please reread Chapter 17, “Troubleshooting Tools,” and Chapter 18, “Software and Hardware Tools,” and use the software and hardware tools discussed in those two chapters to help you troubleshoot network problems.

It’s time for you to learn how to troubleshoot your workstations and servers.

Is It a Workstation or a Server Problem?

The first thing you’ve got to determine when troubleshooting this kind of problem is whether it’s only one person or a whole group that’s been affected. If the answer is only one person (think, a single workstation), solving the issue will be pretty straightforward. More than that, and your problem probably involves a chunk of the network, like a segment. A clue that the source of your grief is the latter case is if there’s a whole bunch of users complaining that they can’t discover neighboring devices/nodes.

So either way, what do you do about it? Well, if it’s the single-user situation, your first line of defense is to try to log in from another workstation within the same group of users. If you can do that, the problem is definitely the user’s workstation, so look for things like cabling faults, a bad NIC, power issues, and OSs. But if a whole department can’t access a specific server, take a good, hard look at that particular server, and start by checking all user connections to it. If everyone is logged in correctly, the problem may have something to do with individual rights or permissions.
If no one can log in to that server, including you, the server probably has a communication problem with the rest of the network. And if the server has totally crashed, either you’ll see messages telling you all about it on the server’s monitor or you’ll find its screen completely blank—screaming indicators that the server is no longer running. And keep in mind that these symptoms do vary among network operating systems.

Which Segments of the Network Are Affected?

Figuring this one out can be a little tough. If multiple segments are affected, you may be dealing with a network-address conflict. If you’re running Transmission Control Protocol/Internet Protocol (TCP/IP), remember that IP addresses must be unique across an entire network. So, if two of your segments have the same static IP subnet addresses assigned, you’ll end up with duplicate IP errors—an ugly situation that can be a real bear to troubleshoot and can make it tough to find the source of the problem.

If all of your network’s users are experiencing the problem, it could be a server everyone accesses. Thank the powers that be if you nail it down to that because if not, other network devices like your main router or hub may be down, making network transmissions impossible and usually meaning a lot more work on your part to fix.

Adding wide area network (WAN) connections to the mix can complicate matters exponentially, and you don’t want to go there if you can avoid it, so start by finding out if stations on both sides of a WAN link can communicate. If so, get the champagne—your problem isn’t related to the WAN—woo hoo! But if those stations can’t communicate, it’s not a happy thing: You’ve got to check everything between the sending station and the receiving one, including the WAN hardware, to find the culprit.
The good news is that most of the time, WAN devices have built-in diagnostics that tell you whether a WAN link is working, which really helps you determine whether the failure is in the WAN link itself or in the hardware attached to it.

Is It Bad Cabling?

Back to hooking up correctly. Once you've figured out whether your plight is related to one workstation, a network segment, or the whole tamale (the entire network), you must examine the relevant cabling. Are the cables connected to the correct ports? More than once, I've seen a Digital Subscriber Line (DSL) modem cabled to the wall jack all wrong. It's an easy mistake to make and an easy one to fix. And you know that nothing lasts forever, so check the patch cables running between a workstation and a wall jack. Just because they don't come with expiration dates written on them doesn't mean they don't expire. They do go bad, especially if they get moved, trampled, or tripped over a lot. (I did tell you that it's a bad idea to run cabling across the office floor, didn't I?) Connection problems are the tell here: if you check the NIC and there's no link light, a bad patch cable is a prime suspect.

It gets murkier if the cable in the walls or ceiling is toast or wasn't installed correctly. Maybe you've got a user or two telling you the place is haunted because they only have problems with their workstations after dark, when the lights go on. Haunted? No. Some genius probably ran a network cable over a fluorescent light, which happens to produce lots of electromagnetic interference (EMI), and that can really mess up communications in that cable.

Next on your list is to check the medium dependent interface/medium dependent interface-crossover (MDI/MDI-X) port setting on small workgroup hubs and switches. This potential source of trouble is often overlooked, but it's important because this port is the one used to uplink to a switch on the network's backbone. The normal ports on a hub or switch are MDI-X, and the ports on a PC, server, or router are MDI; a straight-through cable connects an MDI port to an MDI-X port, and a crossover cable connects two ports of the same type. So for a hub-to-hub or switch-to-switch uplink, the port setting has to match the cable: if you're using a crossover cable like the ones I described back in Chapter 3, "Networking Topologies, Connectors, and Wiring Standards," leave the uplink port in its normal MDI-X setting, and if you're using a standard straight-through patch cable, set the uplink port to MDI. (Most newer switches detect this automatically, but the little workgroup boxes often don't.) You can usually adjust the setting via a regular switch or a dual inline package (DIP) switch, but to be sure, if you're still using hubs, check the hub's documentation. (You did keep that, right?)

Other Important Cable Issues You Need to Know About

They may be basic, but they're still vital: an understanding of the physical issues that can happen when a user is connected via cable (usually Ethernet) is critical information to have in your troubleshooting repertoire. Because many of today's networks still consist of large amounts of copper cable, they suffer from the same physical issues that have plagued networking since the very beginning. Newer technologies and protocols have helped to a degree, but they haven't made these issues a thing of the past yet. Some physical issues that still affect networks are listed and defined next.

Incorrect Termination/Bad Wiring/Bad Connector The first things to check when working on cabling are the connectors, to make sure they haven't gone bad. After that, make sure the wiring is correct on both ends by physically checking the cable pinouts. Remember that if you're connecting two switches (without auto-MDI-X), you need a crossover cable, which crosses pins 1 and 2 with pins 3 and 6. On the other hand, if you have a PC going into a switch, you need a straight-through cable, where pins 1 and 2 on one end connect to pins 1 and 2 on the other, and likewise pins 3 and 6. Finally, make sure the termination on both ends is the correct type for the kind of cable you're using.

Crosstalk Looking back to Chapter 3 again, remember that crosstalk is what happens when signal bleeds between two adjacent wires that are carrying current. Network designers minimize crosstalk inside network cables by twisting each wire pair together (and twisting each pair at a slightly different rate so the pairs don't couple to each other). The tighter the wires are twisted, the less crosstalk you have, and newer cables like Cat 6 really make a difference. But as I said, it's not eliminated; crosstalk still exists and affects communications, especially in high-speed networks.

Near-End/Far-End Crosstalk Near-end crosstalk (NEXT) is a specific crosstalk measurement: the EMI bled from a wire into adjoining wires, measured at the end where the transmitted signal originates. That end has the strongest potential to create crosstalk issues because the interfering signal is strongest there and the crosstalk degrades as it travels down the wire. If you have a problem with it, it's probably going to show up in the first part of the wire, where it connects to a switch or a NIC. Far-end crosstalk (FEXT) is the interference between two pairs of a cable measured at the far end of the cable with respect to the interfering transmitter.

Attenuation/dB Loss/Distance Limitation As a signal moves through any medium, the medium itself degrades the signal, a phenomenon known as attenuation that's common to all kinds of networks. True, signals traversing fiber-optic cable don't attenuate as fast as those on copper, but they still do eventually. You know that all copper twisted-pair cables have a maximum segment distance of 100 meters before the signal must be regenerated (repeated) by a hub or switch, but single-mode fiber-optic cable can carry a signal for miles before attenuation becomes a problem. If you need to go big, use fiber, not copper. Fiber has attenuation and dB loss too, but it can go much farther than copper before the loss matters.

Collisions A network collision happens when two devices try to transmit on the same physical segment at the same time. Collisions were a big problem in early Ethernet networks, and a mechanism known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD) was used to detect and recover from them. Nowadays we use switches in place of hubs because they separate the network into multiple collision domains, learn the Media Access Control (MAC) addresses of the devices attached to them, forward each frame only to the port where its destination lives, and, on full-duplex links, do away with collisions entirely.

Shorts Basically, a short circuit, or short, happens when current flows through a different path within a circuit than it's supposed to; in networks, shorts are usually caused by some type of physical fault in the cable. You can find shorts with circuit-testing equipment, but because sooner is better when it comes to getting a network back up and running, replacing the ailing cable until it can be fixed (if it can be) is your best option.

Open Impedance Mismatch (Echo) An open or impedance-mismatch reading on cable-testing equipment tells you that the cable or wires connect into another cable or connector with a different impedance. When that happens, some of the signal bounces back in the direction it came from, degrading the signal and ultimately causing the link to fail.
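To make the pinout rules above concrete (and the Split Pairs and Tx/Rx Reverse items that follow), here is an added example, not from the book, that classifies a patch cable from the wire order seen at each RJ-45 end and then decides whether that cable will bring up a link between two given devices. The T568A/T568B color orders and the MDI/MDI-X pin roles are standard facts; the device-type table, the two sample fault ends, and the two-letter color shorthand are assumptions made for the example.

```python
# TIA/EIA-568 wire order at the RJ-45, pins 1..8. Two-letter codes are this example's
# shorthand: wg=white/green, g=green, wo=white/orange, o=orange, bl=blue, wbl=white/blue,
# wbr=white/brown, br=brown.
T568A = ("wg", "g", "wo", "bl", "wbl", "o", "wbr", "br")
T568B = ("wo", "o", "wg", "bl", "wbl", "g", "wbr", "br")
PAIRS = ({"wg", "g"}, {"wo", "o"}, {"wbl", "bl"}, {"wbr", "br"})   # the four twisted pairs
PAIR_PINS = ((1, 2), (3, 6), (4, 5), (7, 8))   # pin positions that must share one twisted pair

# Constructed fault: pins 1/2 and 3/6 each carry wires from two different pairs (split pairs).
SPLIT_END = ("wg", "wo", "g", "bl", "wbl", "o", "wbr", "br")
# Constructed far end that crosses all four pairs relative to T568A (gigabit crossover).
GIG_XOVER_END = ("wo", "o", "wg", "wbr", "br", "g", "bl", "wbl")


def end_faults(end):
    """List the wiring faults visible at one connector (empty list means it is clean)."""
    if sorted(end) != sorted(T568A):
        return ["wrong or missing wires"]
    return [f"split pair on pins {a}/{b}"
            for a, b in PAIR_PINS if {end[a - 1], end[b - 1]} not in PAIRS]


def cable_type(end_a, end_b):
    """Classify a cable from the wire order seen at its two ends."""
    faults = end_faults(end_a) + end_faults(end_b)
    if faults:
        return "miswired: " + "; ".join(faults)
    pin_at_b = {wire: pin for pin, wire in enumerate(end_b, start=1)}
    mapping = {pin: pin_at_b[wire] for pin, wire in enumerate(end_a, start=1)}
    if all(a == b for a, b in mapping.items()):
        return "straight-through"
    xover = {1: 3, 2: 6, 3: 1, 6: 2}                       # 10/100: swap pairs 1/2 and 3/6
    if all(mapping[p] == xover.get(p, p) for p in mapping):
        return "crossover"
    gig = {1: 3, 2: 6, 3: 1, 6: 2, 4: 7, 5: 8, 7: 4, 8: 5}  # gigabit: swap all four pairs
    if all(mapping[p] == gig[p] for p in mapping):
        return "crossover (gigabit, all four pairs)"
    return "miswired: pins " + ", ".join(f"{a}->{b}" for a, b in mapping.items() if a != b)


# Assumed device classes for the example. MDI devices transmit on 1/2 and receive on 3/6;
# MDI-X devices (hub/switch ports) do the reverse, which is why PC-to-switch is straight-through.
MDI_DEVICES = {"pc", "server", "router"}
MDIX_DEVICES = {"switch", "hub"}


def required_cable(dev_a, dev_b):
    """Cable needed between two devices without auto-MDI-X: like-to-like needs a crossover."""
    known = MDI_DEVICES | MDIX_DEVICES
    if dev_a not in known or dev_b not in known:
        raise ValueError("unknown device type")
    return "straight-through" if (dev_a in MDI_DEVICES) != (dev_b in MDI_DEVICES) else "crossover"


def link_will_work(cable, dev_a, dev_b, auto_mdix=False):
    """True if the classified cable brings up a link between the two device types."""
    if cable.startswith("miswired"):
        return False                       # split pairs or bad pinouts fail regardless of MDI/MDI-X
    if auto_mdix:
        return True                        # either port auto-swaps Tx/Rx as needed
    return cable.startswith(required_cable(dev_a, dev_b))


if __name__ == "__main__":
    for a, b, da, db in ((T568B, T568B, "pc", "switch"), (T568A, T568B, "switch", "switch"),
                         (T568B, T568B, "switch", "switch"), (SPLIT_END, T568A, "pc", "switch")):
        kind = cable_type(a, b)
        print(f"{kind:45} {da}->{db}: {'link' if link_will_work(kind, da, db) else 'no link'}")
```

Note that a split-pair cable passes the simple "pin 1 goes to pin 1" check, which is why `end_faults` looks at which wires share a pin pair rather than only at the end-to-end mapping; that is exactly the fault a cheap continuity tester misses.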
Interference/Cable Placement EMI and radio frequency interference (RFI) occur when outside signals interfere with the normal operation of electronic circuits. Computers are really sensitive to sources of this, such as TV and radio transmitters, which produce a specific radio frequency as part of their transmission process. Two other common culprits are two-way radios and cellular phones, along with the fluorescent lights, motors, and power cables already mentioned. Your first fix is the cheap one in this item's name: reroute the cable away from the source. If you can't, use shielded network cables like shielded twisted-pair (STP) or coaxial cable (rare today), or run EMI/RFI-immune but pricey fiber-optic cable throughout your entire network.

Split Pairs A split pair is a wiring error where two connections that are supposed to be connected using the two wires of a twisted pair are instead connected using two wires from different pairs. The cable passes a simple continuity test, because every pin still connects to the right pin on the other end, but the signal is no longer riding on a twisted pair, so it causes errors on high-rate data lines. If you buy your cables precut and tested, you won't have this problem.

Tx/Rx Reverse When connecting a PC-type device to a switch, the PC uses pins 1 and 2 to transmit and pins 3 and 6 to receive the digital signal. That means the pins must be reversed on the switch, which uses pins 1 and 2 to receive and pins 3 and 6 to transmit. If your connection isn't working, check the cable-end pinouts.

Fiber Cable Issues

Fiber is definitely the best kind of wiring for long-distance runs because it has the least attenuation at long distances compared to copper. The bad news is that it's also the hardest to troubleshoot. Here are some common fiber issues to be aware of.

SFP/GBIC (Cable Mismatch) The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used in networking and other types of equipment. It interfaces the motherboard of a switch, router, media converter, or similar device to a fiber-optic or copper networking cable. Because of its smaller size, the SFP has made the formerly ubiquitous gigabit interface converter (GBIC) obsolete, so an SFP is sometimes called a mini-GBIC. Always make sure you have the right cable for each type of connector and transceiver and that they aren't mismatched.

Bad SFP/GBIC (Cable or Transceiver) If your link is down, verify that your cable or transceiver hasn't gone bad. I covered the pricey equipment you need to get this done in Chapter 18; it can pinpoint exactly where along the run the problem originates. (A cheaper first step is to swap in a known-good transceiver of the same type, and to check the interface error counters and, if the switch reports them, the transceiver's light levels.)

Wavelength Mismatch One of the more confusing terms used regarding fiber networks is wavelength. It sounds very complicated and scientific, but it's just the term for what we'd think of as the color of the light (for fiber, usually invisible infrared, commonly 850, 1310, or 1550 nm). A wavelength mismatch occurs when the two transmitters at each end of the cable use different wavelengths, one longer and one shorter. So you've got to make sure your transceivers match on both ends of the cable.

Fiber Type Mismatch A fiber type mismatch at either transceiver (single-mode versus multimode, or the wrong multimode grade) can cause wavelength issues, massive attenuation, and dB loss.

Dirty Connectors It's important to inspect your connectors to make sure no dirt or dust has contaminated the cable end. Clean the ends with a lint-free wipe or a proper fiber cleaning tool, but do not look into the cable if the other end may be transmitting; it could damage your eyes!

Connector Mismatch Just because it fits doesn't mean it works. Make sure you have precisely the right connector for each type of cable end or transceiver.

Bend Radius Limitations Fiber, whether it's made of glass or plastic, can break. You need to understand the bend radius limitations of each type of fiber you buy, and make sure you don't exceed them when installing fiber in your rack.

Distance Limitations The pros of fiber are that it's completely immune to EMI and RFI and that it can carry a signal up to 40 kilometers, about 25 miles, on a single run. Add some repeater stations and you can go between continents. But all fiber types aren't created equal. For example, single-mode fiber can run much greater distances than multimode can. And again, make sure you have the right cable (and the matching transceiver) for the distance you need to run.

Unbounded Media Issues (Wireless)

Now let's say your problem-ridden user tells you they only use a wireless connection. Well, you can definitely take crosstalk and shorts off the list of suspects, but don't get excited, because with wireless you've got a whole new bunch of possible Physical layer problems to sort through. Wireless networks are really convenient for users but not so much for administrators. They can require a lot more configuration, and understand that with wireless you don't get to substitute one set of challenges for another; you pretty much add all those fresh new issues on top of the wired challenges already on your plate. The following list includes some of those new wireless challenges.

Interference Because wireless networks rely on radio waves to transmit signals, they're more subject to interference, even from other wireless devices like Bluetooth keyboards, mice, or cell phones that operate in nearby frequency ranges. Any of these, even microwave ovens, can cause signal bleed that slows down or prevents wireless communications. Factors like the distance between a client and a wireless access point (WAP) and the stuff between the two also affect signal strength and can even intensify the interference from other signals. So careful placement of that WAP is a must.

Device Saturation/Bandwidth Saturation Clearly it's important to design and implement your wireless network correctly. Be sure to understand the number of hosts that will be connecting to each AP you install. Too many devices on one AP (device saturation) means low available bandwidth for each of them. Just think about how slow hotel wireless is; that's directly due to device/bandwidth saturation on each AP. And more APs don't always solve the problem; you need to design correctly!

Simultaneous Wired/Wireless Connections It's not unusual today to find a laptop with both a wired and a wireless connection active at the same time. Typically this doesn't create a problem, but don't think you get more bandwidth or better results because of it. It's possible for the two configurations to conflict, although that's rare today. For instance, if each connection hands the laptop a different DNS server address, that can cause name-resolution problems, or default gateway problems if each supplies a different gateway. Most of the time the result is just that the laptop has two routes and two resolver lists and has to pick between them by interface metric, which may not be the one you expect; in the worst case it gives up and stops communicating altogether. A dual-connected laptop is also a potential bridge between the wireless network and the wired one, which is a security problem as well as a connectivity one. For both reasons, remind users to turn off their wireless when they bring the laptop into the office and connect it to the dock.

Configurations Mistakes in the configuration of the wireless access point or wireless router, or inconsistencies between the settings on the AP and the stations, can also be the source of problems. The following list describes some of the main sources of configuration problems.

Incorrect Encryption You know that wireless networks can use encryption to secure their communications and that different flavors are used, like Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES). To ensure the tightest security, configure your wireless networks with the strongest encryption protocol that both the WAP and the clients support; WEP has been broken for years and should be treated as no security at all. Oh, and make sure the AP and its clients are configured with the same type of encryption. Because a mismatch looks just like any other connection failure, the usual troubleshooting trick is to temporarily disable security: if the client can connect with security off, you know you're dealing with a security configuration error. Do that on a test AP or a separate test SSID, though, not on the production SSID, because while security is off every device in range can join and all traffic is in the clear, and don't forget to turn it back on when you're done.

Incorrect, Overlapping, or Mismatched Channels Wireless networks use many different frequencies within the 2.4GHz or 5GHz band, and I'll bet you didn't know that these frequencies are sometimes combined to provide greater bandwidth for the user. Actually, you do know about this; has anyone heard of something called a channel? That's exactly what a channel is, and it's also the reason some radio stations come in better than others: they have more bandwidth because their channel combines more frequencies. You also know what happens when the AP and the client don't quite match up. Ever hit the scan button on your car's radio and gotten only a static-ridden version of a station's broadcast? That's because the AP (the radio station) and the client (your car radio) aren't quite on the same channel. Most of the time, wireless networks use channel 1, 6, or 11, and because clients auto-configure themselves to whatever channel the AP is broadcasting on, this isn't usually a configuration issue unless someone has forced a client onto an incorrect channel. Also, be sure not to use the same channel on APs within the same area. Overlapping channels cause your signal-to-noise ratio to drop because you get a ton of interference and signal loss!

Incorrect Frequency/Incompatibilities So, setting the channel sets the frequency or frequencies that wireless devices will use. But some devices, such as an AP running 802.11g/n, let you tweak those settings and choose a specific band such as 2.4GHz or 5GHz. As with any relationship, it works best if things are mutual. So if you do this on one device, you've got to configure the same setting on all the devices you want it to communicate with, or they won't; they'll argue, and you don't want that. Incorrect channel and frequency settings on a client are rare, but if you have multiple APs in close proximity, you need to make sure they're on different channels/frequencies to avoid interference problems.

ESSID Mismatch When a wireless device comes up, it scans for Service Set Identifiers (SSIDs) in its immediate area. These can be Basic Service Set Identifiers (BSSIDs), which identify an individual access point, or Extended Service Set Identifiers (ESSIDs), which identify a set of APs. In your own wireless LAN, you clearly want the devices to find the ESSID you're broadcasting, which isn't usually a problem: your broadcast is closer than the neighbor's, so it should be stronger. Unless, that is, you're in an office building or apartment complex with lots of different APs assigned to lots of different ESSIDs belonging to lots of different tenants. This can definitely give you some grief, because it's possible that your neighbor's ESSID broadcast is stronger than yours, depending on where the clients are in the building. So if a user reports that they're connected to an AP but still can't reach the resources they need or authenticate to the network, verify that they are in fact connected to your ESSID and not the neighbor's. This is very typical on an open (unsecured) wireless network. You can generally find this out just by looking at the tool tip on the wireless software's icon. Today you can easily prevent the problem by making the office SSID the preferred network in the client software. Remember that the client matches on the name alone, though, and an SSID can be impersonated; requiring WPA2 authentication on the office SSID is what keeps a client from auto-joining a look-alike network.
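The channel rules in the last few items (don't put nearby APs on the same or overlapping channels; in 2.4GHz that leaves 1, 6, and 11) come from simple arithmetic on channel center frequencies and channel widths. Here is an added example, not from the book, that does that arithmetic so it also covers 5GHz channels and bonded 40 MHz channels, which the 1/6/11 rule of thumb doesn't. The center-frequency formulas are the 802.11 ones; the 22 MHz default width (the 802.11b channel mask) and the two sample AP tables are assumptions constructed for the example.

```python
# Constructed AP tables for the example: (AP name, channel, channel width in MHz). Assumed values.
APS_2G = [("AP-lobby", 1, 22), ("AP-east", 6, 22), ("AP-west", 11, 22), ("AP-breakroom", 3, 22)]
APS_5G = [("AP-conf", 36, 20), ("AP-conf-bonded", 38, 40)]   # 38 = channels 36+40 bonded to 40 MHz


def center_mhz(channel):
    """Center frequency of an 802.11 channel number (2.4 GHz and 5 GHz numbering)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel          # 2.4 GHz: 5 MHz steps, channel 1 = 2412 MHz
    if channel == 14:
        return 2484                        # Japan-only 802.11b channel, off the 5 MHz grid
    if 36 <= channel <= 177:
        return 5000 + 5 * channel          # 5 GHz: channel 36 = 5180 MHz, 149 = 5745 MHz
    raise ValueError(f"unknown channel {channel}")


def overlap(ch_a, width_a, ch_b, width_b):
    """True if the two channels' occupied spectrum overlaps (centers closer than the half-widths)."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < (width_a + width_b) / 2


def conflicts(aps):
    """Pairs of AP names whose channels overlap; each such pair shares airtime and noise."""
    return [(a, b) for i, (a, ca, wa) in enumerate(aps)
            for (b, cb, wb) in aps[i + 1:] if overlap(ca, wa, cb, wb)]


def non_overlapping_plan(channels, width):
    """Greedy lowest-first choice of mutually non-overlapping channels of one width."""
    chosen = []
    for ch in channels:
        if all(not overlap(ch, width, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("2.4 GHz conflicts:", conflicts(APS_2G))
    print("5 GHz conflicts:", conflicts(APS_5G))
    print("2.4 GHz plan (22 MHz):", non_overlapping_plan(range(1, 12), 22))
    print("5 GHz UNII-1 plan (20 MHz):", non_overlapping_plan([36, 40, 44, 48], 20))
```

With the 22 MHz width the greedy plan over channels 1 through 11 returns exactly 1, 6, and 11, and the constructed break-room AP on channel 3 shows up as conflicting with both of its neighbors. In the 5GHz table the AP that bonded to a 40 MHz channel collides with the plain 20 MHz channel 36 next to it, which is the bonded-channel version of the same mistake.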
Wireless Standard Mismatch As you found out in Chapter 12, "Wireless Networking," wireless networks have many standards that have evolved over time, like 802.11a, 802.11b, 802.11g, and 802.11n, and standards continue to develop that make wireless networks faster and more powerful. The catch is that some of these standards are backward compatible and others aren't. For instance, most devices you buy today can be set to 802.11a/b/g/n, which means they can communicate with devices of all four standards. So make sure the standards on the AP match the standards on the client, or at least that they're backward compatible. It's either that or tell all your users to buy new cards for their machines. Be sure to understand the throughput, frequency, distance capabilities, and available channels for each standard you use.

Untested Updates It's really important to push updates to the APs in your wireless network, but not before you test them. Just as you stage an update from Microsoft or Apple before rolling it out, bring the OS or patch update for your AP onto the bench first and test it thoroughly before pushing it to your live network. Testing shouldn't mean sitting on a fix for months, though: if the update closes a security hole, get it through the bench and onto the APs promptly.

Distance/Signal Strength/Power Levels Location, location, location. You've got only two worries with this one: your clients are either too close to the AP for the coverage you intended or too far from it. If your AP doesn't seem to have enough power to provide a connection point for your clients, you can move it closer to them, increase the distance the AP can transmit by changing the type of antenna it uses, or use multiple APs connected to the same switch or set of switches. If the power level or signal is too strong and reaches out into the parking area or farther, into other buildings and businesses, turn the transmit power down and place the AP as close as possible to the center of the area it serves. And don't forget to verify that you've got the latest security features in place to keep bad guys from authenticating to and using your network.

Latency When wireless users complain that the network is slow (latency) or that they lose their connection to applications during a session, it's usually a capacity or distance issue. Remember, 802.11 is a shared medium, and as more users connect, everyone's throughput goes down. If this becomes a constant problem, as opposed to the occasional issue where 20 people with laptops gather in the conference room for a meeting every six months, it may be time to place a second AP in the area. When you do, put the second AP on a different, non-overlapping channel from the first, and make sure it uses the same SSID as the first. In the 2.4GHz band (802.11b and 802.11g), the three non-overlapping channels are 1, 6, and 11. Now the traffic can be divided between them and users get better performance. It's also worth noting that as clients move away from the AP, the data rate drops until at some point it's insufficient to maintain the connection.

Bounce For a wireless network spanning a large geographical area, you can install repeaters and reflectors to bounce a signal and boost it to cover about a mile. This can be a good thing, but if you don't tightly control signal bounce, you could end up with a much bigger network than you wanted. To determine exactly how far and wide the signal will bounce, conduct a thorough wireless site survey. Bounce can also refer to multipath issues, where the signal reflects off objects and arrives at the client degraded because the reflections arrive out of phase. The solution is pretty simple: APs use two antennas that both sample the signal, and the AP uses the stronger one and ignores the out-of-phase copy. 802.11n goes further and takes advantage of multipath, combining the signals to increase the distance hosts can be from the AP.

Incorrect Antenna or Switch Placement Most of the time, the best place to put an AP and/or its antenna is as close to the center of your wireless network as possible. But you can position some antennas at a distance from the AP and connect them to it with a cable, a method used for a lot of outdoor installations today. If you want to use multiple APs, you've also got to be a little more sophisticated about deciding where to put them all; you can use third-party tools such as the packet analyzer Wireshark and the site-survey tool AirMagnet on a laptop to survey the site and establish how far your APs are actually reaching. You can also hire a consultant to do this for you; many companies specialize in helping organizations with their wireless networks and the placement of antennas and APs. This matters because poor placement can lead to interference and poor performance, or even no performance at all.

Environmental Factors It's vital to understand your environmental factors when designing and deploying your wireless network. Do you have concrete walls, window film, or metal studs in the walls? All of these degrade the signal (measured as dB or power level) and result in connectivity issues. Again: plan your wireless network carefully!

Now that you know all about the physical network horrors that can befall you on a typical network, it's a good time to memorize the troubleshooting steps you've got to know to ace the CompTIA Network+ exam.
c19.indd 04/01/2015 Page 728 Troubleshooting Steps 729 Troubleshooting Steps In the Network+ troubleshooting model, there are seven steps you’ve got to have dialed in: 1. Identify the problem. 2. Establish a theory of probable cause. 3. Test the theory to determine cause. 4. Establish a plan of action to resolve the problem and identify potential effects. 5. Implement the solution or escalate as necessary. 6. Verify full system functionality, and if applicable, implement preventative measures. 7. Document findings, actions, and outcomes. To get things off to a running start, let’s assume that the user has called you yet again, but now they’re almost in tears because they can’t connect to the server on the intranet and they also can’t get to the Internet. (By the way, this happens a lot, so pay attention—it’s only a matter of time before it happens to you!) Absolutely, positively make sure you memorize this seven-step troubleshooting process in the right order when studying for the Network+ exam! Step 1: Identify the Problem Before you can solve the problem, you’ve got to figure out what it is, right? Again, asking the right questions can get you far along this path and really help clarify the situation. Identifying the problem involves steps that together constitute information gathering. Gather Information by Questioning Users A good way to start is by asking the user the following questions: ■ Exactly which part of the Internet can’t you access? A particular website? A certain address? A type of website? None of it at all? ■ Can you use your web browser? ■ Is it possible to duplicate the problem? ■ ■ ■ If the hitch has to do with an internal server to the company, ask the user if they can ping the server and talk them through doing that. Ask the user to try to telnet or FTP to an internal server to verify local network connectivity; if they don’t know how, talk them through it. 
If there are multiple complaints of problems occurring, look for the big stuff first, then isolate and approach each problem individually. c19.indd 04/01/2015 Page 729 730 Chapter 19 ■ Network Troubleshooting Here’s another really common trouble ticket that just happens to build on the last scenario: Now let’s say you’ve got a user who’s called you at the help desk. By asking the previous questions, you found out that this user can’t access the corporate intranet or get out to any sites on the Internet. You also established that the user can use their web browser to access the corporate FTP site, but only by IP address, not by the FTP server name. This information tells you two important things: that you can rule out the host and the web browser (application) as the source of the problem and that the physical network is working. Determine If Anything Has Changed Moving right along, if you can reproduce the problem, your next step is to verify what has changed and how. Drawing on your knowledge of networking, you ask yourself and your user questions like these: Were you ever able to do this? If not, then maybe it just isn’t something the hardware or software is designed to do. You should then tell the user exactly that, as well as advise them that they may need additional hardware or software to pull off what they’re trying do. If so, when did you become unable to do it? If, once upon a time, the computer was able to do the job and then suddenly could not, whatever conditions surrounded and were involved in this turn of events become extremely important. You have a really good shot at unearthing the root of the problem if you know what happened right before things changed. Just know that there’s a high level of probability that the cause of the problem is directly related to the conditions surrounding the change when it occurred. Has anything changed since the last time you could do this? This question can lead you right to the problem’s cause. 
Seriously—the thing that changed right before the problem began happening is almost always what caused it. It’s so important that if you ask it and your user tells you, “Nothing changed…it just happened,” you should rephrase the question and say something like, “Did anyone add anything to your computer?” or “Are you doing anything differently from the way you usually do it?” Were any error messages displayed? These are basically arrows that point directly at the problem’s origin; error messages are designed by programmers for the purpose of pointing them to exactly what it is that isn’t working properly in computer systems. Sometimes error messages are crystal clear, like Disk Full, or they can be cryptically annoying little puzzles in and of themselves. If you pulled the short straw and got the latter variety, it’s probably best to hit the software or hardware vendor’s support site, where you can usually score a translation from the “programmerese” in which the error message is written into plain English so you can get back to solving your riddle. Are other people experiencing this problem? You’ve got to ask this one because the answer will defi nitely help you target the cause of the problem. First, try to duplicate the problem from your own workstation because if you can’t, it’s likely that the issue is related c19.indd 04/01/2015 Page 730 Troubleshooting Steps 731 to only one user or group of users—possibly their workstations. (A solid hint that this is the case is if you’re being inundated with calls from a bunch of people from the same workgroup.) Is the problem always the same? It’s good to know that when problems crop up, they’re almost always the same each time they occur. But their symptoms can change slightly as the conditions surrounding them change. 
A related question would be, “If you do x, does the problem get better or worse?” For example, ask a user, “If you use a different fi le, does the problem get better or worse?” If the symptoms lighten up, it’s an indication that the problem is related to the original file that’s being used. It’s important to try to duplicate the problem to fi nd the source of the issue as soon as possible! Understand that these are just a few of the questions you can use to get to the source of a problem. Okay, so let’s get back to our sample scenario. So far, you’ve determined that the problem is unique to one user, which tells you that the problem is specific to this one host. Confi rming that is the fact that you haven’t received any other calls from other users on the network. And when watching the user attempt to reproduce the problem, you note that they’re typing the address correctly. Plus, you’ve got an error message that leads you to believe that the problem has something to with Domain Name Service (DNS) lookups on the user’s host. Time to go deeper… Identify Symptoms I probably don’t need to tell you that computers and networks can be really fickle—they can hum along fi ne for months, suddenly crash, and then continue to work fi ne again without ever seizing in that way again. That’s why it’s so important to be able to reproduce the problem and identify the affected area to narrow things down so you can cut to the chase and fi x the issue fast. This really helps—when something isn’t working, try it again, and write down exactly what is and is not happening. Most users’ knee-jerk reaction is to straight up call the help desk the minute they have a problem. This is not only annoying but also inefficient, because you’re going to ask them exactly what they were doing when the problem occurred and most users have no idea what they were doing with the computer at the time because they were focused on doing their jobs instead. 
This is why if you train users to reproduce the problem and jot down some notes about it before calling you, they'll be much better prepared to give you the information you need to start troubleshooting it and help them.

So with that, here we go. The problem you've identified shows up as an error message in the user's browser when they try to access the corporate intranet. And when this user tries to ping the server using the server's fully qualified domain name, it fails, too. You're going to respond by checking to see whether the server is up by pinging the server by its IP address.

Nice, that worked, so the server is up. But you could still have a server problem: just because you can ping a host, it doesn't mean that host is 100 percent up and running. In this case, though, it's a good start. And you're in luck because you've been able to re-create this problem from this user's host machine. By doing that, you now know that the URL's hostname is not being resolved from Internet Explorer, and you can't ping it by name either. But you can ping the server's IP address from your limping host, and when you try this same connection to the internal.lammle.com server from another host nearby, it works fine, meaning the server is working fine. So you've succeeded in isolating the problem to this specific host. Yes!

It is a huge advantage if you can watch the user try to reproduce the problem themselves, because then you know for sure whether the user is performing the operation correctly. It's a really bad idea to assume the user is typing in what they say they are. Great, now you've nailed down the problem. This leads us to step 2.

Step 2: Establish a Theory of Probable Cause

After you observe the problem and identify the symptoms, next on the list is to establish its most probable cause.
(If you're stressing about this now, don't. You may feel overwhelmed by all of it, but it truly does get a lot easier with time and experience.) You must come up with at least one possible cause, even though it may not be completely on the money. And you don't always have to come up with it yourself. Someone else in the group may have the answer. Also, don't forget to check online sources and vendor documentation.

Again, let's get back to our scenario, in which you've determined the cause is probably an improperly configured DNS setting on the workstation. The next thing to do is to verify the configuration and probably reconfigure DNS on the workstation; we'll get to this solution later, in step 4. Understand that there are legions of problems that can occur on a network, and I'm sorry to tell you this, but they're typically not as simple as the example we've been using. They can be, but I just don't want you to expect them to be. Always consider the physical aspects of a network, but look beyond them into the realm of logical factors like the DNS lookup issue we've been using.

Question the Obvious

The probable causes that you've got to thoroughly understand to meet the Network+ objectives are as follows:

■ Port speed
■ Port duplex mismatch
■ Mismatched MTU
■ Incorrect virtual local area network (VLAN)
■ Incorrect IP address/duplicate IP address
■ Wrong gateway
■ Wrong DNS
■ Wrong subnet mask
■ Incorrect interface/interface misconfiguration

Let's talk about these logical issues, which can cause an abundance of network problems. Most of these happen because a device has been improperly configured.

Port Speed

Because networks have been evolving for many years, there are various levels of speed and sophistication mixed into them, often within the same network. Most of the newest NICs can be used at 10Mbps, 100Mbps, and 1000Mbps.
Most switches can support at least 10Mbps and 100Mbps, and an increasing number of switches can also support 1,000Mbps. Plus, many switches can also autosense the speed of the NIC that's connected and use different speeds on various ports. As long as the switches are allowed to autosense the port speed, it's rare to have a problem develop that results in a complete lack of communication. But if you decide to set the port speed manually, make positively sure to set the same speed on both sides of a link.

Port Duplex Mismatch

There are generally three duplex settings on each port of a network switch: full, half, and auto. In order for two devices to connect effectively, the duplex setting has to match on both sides of the connection. If one side of a connection is set to full and the other is set to half, they're mismatched. More elusively, if one side is hard-set to full duplex and the other side is left on auto, you also end up with a mismatch: the auto side gets no autonegotiation reply from the hard-set port, can only detect the speed, and falls back to half duplex as the standard requires. (Buggy or very old autonegotiation implementations can produce the same result even with both sides on auto.)

Duplex mismatches can cause lots of network and interface errors, and even the lack of a network connection. This is partially because setting the interfaces to full duplex disables the CSMA/CD protocol. This is definitely not a problem in a network that has no hubs (and therefore no shared segments in which there could be collisions), but it can make things really ugly in a network where hubs are still being used. This means the settings you choose are based on the type of devices you have populating your network. If you have all switches and no hubs, feel free to set all interfaces to full duplex, but if you've got hubs in the mix, you have shared networks, so you're forced to keep the settings at half duplex. With all new switches produced today, leaving the speed and duplex setting to auto (the default on both switches and hosts) is the recommended way to go. The telltale symptom of a mismatch is a port that stays up but racks up errors: the half-duplex side logs collisions and late collisions, while the full-duplex side logs CRC and input errors.
Mismatched MTU

Ethernet LANs enforce what is called a maximum transmission unit (MTU). This is the largest packet that is allowed across a segment. In most cases, this is 1,500 bytes. Left alone this is usually not a problem, but it is possible to set the MTU on a router interface, which means it is possible for a mismatch to be present between two router interfaces. This can cause problems with communications between the routers, resulting in the link failing to pass traffic (typically, small packets such as routing-protocol hellos get through while larger ones are dropped as giants, so the link looks up but real traffic fails). To check the MTU on an interface, execute the command show interfaces.

Incorrect VLAN

Switches can each have multiple VLANs, and they can be connected to other switches using trunk links. As you now know, VLANs are often used to represent departments or the occupations of a group of users. This makes the configuration of security policies and network access lists much easier to manage and control. On the other hand, if a port is accidentally assigned to the wrong VLAN in a switch, it's as if that client was magically transported to another place in the network. If that happens, the security policies that should apply to the client won't anymore, and other policies will be applied to the client that never should have been. The correct VLAN port assignment of a client is as important as air; when I'm troubleshooting a single-host problem, this is the first place I look. It's pretty easy to tell if you have a port configured with a wrong VLAN assignment. If this is the case, it won't be long before you'll get a call from some user screaming something at you that makes the building shake, like, "I can get to the Internet but I can't get to the Sales server, and I'm about to lose a huge sale. DO SOMETHING!" When you check the switch, you will invariably see that this user's port has a membership in another VLAN like Marketing, which has no access to the Sales server.
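The port speed, duplex, and MTU items above all come down to the same move: read both ends of the link with show interfaces and compare. Here is an added example (not code from the book) in Python that parses constructed show interfaces excerpts for two ends of a link, reports any speed, duplex, or MTU disagreement, and also reads the error counters the way you would by eye, since late collisions on a half-duplex port and CRC errors on a full-duplex port give a duplex mismatch away before you even compare the settings. The interface names, MAC addresses, and counter values are made up for the example.

```python
import re

# Constructed `show interfaces` excerpts for the two ends of one link (and a third port
# with jumbo frames enabled). Hypothetical captures written for this example.
SWITCH_SIDE = """\
GigabitEthernet1/0/7 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     48211 packets input, 6123880 bytes, 0 no buffer
     217 input errors, 217 CRC, 0 frame, 0 overrun, 0 ignored
     39870 packets output, 5012340 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
"""

ROUTER_SIDE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001a.2b3c.4d5e (bia 001a.2b3c.4d5e)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Encapsulation ARPA, loopback not set
  Half-duplex, 100Mb/s, 100BaseTX/FX
     39870 packets input, 5012340 bytes
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     48211 packets output, 6123880 bytes, 0 underruns
     0 output errors, 143 collisions, 0 interface resets
     143 late collision, 0 deferred
"""

JUMBO_SIDE = """\
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0011.2233.9999 (bia 0011.2233.9999)
  MTU 9000 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is RJ45
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 late collision, 0 deferred
"""

# Counters worth pulling out; "late collision" is printed in the singular by IOS.
_COUNTERS = {
    "mtu": r"MTU (\d+) bytes",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interface(text):
    """Extract name/status, duplex, speed, MTU and error counters from one
    `show interfaces` block. Fields that are not present are simply absent."""
    fields = {}
    m = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", text, re.M)
    if m:
        fields["name"], fields["status"], fields["protocol"] = m.groups()
    m = re.search(r"(Full|Half|Auto)-duplex, ([^,\n]+)", text)
    if m:
        fields["duplex"] = m.group(1).lower()
        fields["speed"] = m.group(2).strip()
    for key, pattern in _COUNTERS.items():
        m = re.search(pattern, text)
        if m:
            fields[key] = int(m.group(1))
    return fields


def compare_link(a, b):
    """Compare the two ends of a link; returns a list of findings (empty = consistent)."""
    findings = []
    for field, label in (("speed", "speed"), ("duplex", "duplex"), ("mtu", "MTU")):
        if a.get(field) != b.get(field):
            findings.append(f"{label} mismatch: {a.get('name')}={a.get(field)} vs {b.get('name')}={b.get(field)}")
    # Counter signature of a duplex mismatch: the half-duplex side sees late collisions,
    # the full-duplex side sees CRC errors from frames cut short by the other end.
    for side in (a, b):
        name = side.get("name", "?")
        if side.get("duplex") == "half" and side.get("late_collisions", 0) > 0:
            findings.append(f"{name}: {side['late_collisions']} late collisions on a half-duplex port (duplex-mismatch symptom)")
        if side.get("duplex") == "full" and side.get("crc", 0) > 0:
            findings.append(f"{name}: {side['crc']} CRC errors on a full-duplex port (check the far end's duplex)")
    return findings


if __name__ == "__main__":
    sw, rt, jb = (parse_show_interface(t) for t in (SWITCH_SIDE, ROUTER_SIDE, JUMBO_SIDE))
    for finding in compare_link(sw, rt) + compare_link(sw, jb):
        print(finding)
```

Paste real output into the two strings and the same comparison applies; the thing to remember is that a mismatch rarely takes the link down, so it is the counters climbing on an "up/up" port that tell you to look.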
Incorrect IP Address/Duplicate IP Address

The most common addressing protocol in use today is IPv4, which requires a unique IP address for each host on a network. Client computers usually get their addresses from Dynamic Host Configuration Protocol (DHCP) servers. But sometimes, especially in smaller networks, IP addresses for servers and router interfaces are statically assigned by the network's administrator. An incorrect or duplicate IP address on a client will keep that client from being able to communicate and may even cause a conflict with another client on the network, and a bad address on a server or router interface can be disastrous and affect a multitude of users. This is exactly why you need to be super careful to set up DHCP servers correctly (including excluding the statically assigned addresses from the scope) and also when configuring the static IP addresses assigned to servers and router interfaces.

Wrong Gateway

A gateway, sometimes called a default gateway or an IP default gateway, is a router interface's address that's configured on a host to receive traffic with a destination IP address that's not in the same subnet as the device itself. Let me clarify that one for you: if a device compares where a packet wants to go with the network it's currently on and finds that the packet needs to go to a remote network, the device will send that packet to the gateway to be forwarded to the remote network. Because every device needs a valid gateway to communicate outside of its own network, the gateway configuration of devices in your network requires some careful planning. The gateway must be an address on the host's own subnet; a host ARPs for its gateway, and it can't ARP for an address that lives on another network. If you're configuring a static IP address and default gateway, you need to verify the router's address. Not doing so is a really common "wrong gateway" problem that I see all the time.
Wrong DNS

DNS servers are used by networks and their clients to resolve a computer's hostname to its IP addresses and to enable clients to find the server they need to provide the resources they require, like a domain controller during the login and authentication process. Most of the time, DNS addresses are automatically configured by a DHCP server, but sometimes these addresses are statically configured instead. Because lots of applications rely on hostname resolution, a botched DNS configuration usually causes a computer's network applications to fail just like the user's applications in our example scenario. If you can ping a host using its IP address but not its name, you probably have some type of name-resolution issue. It's probably lurking somewhere within a DNS configuration.

Wrong Subnet Mask

When network devices look at an IP address configuration, they see a combination of the IP address and the subnet mask. The device uses the subnet mask to establish which part of the address represents the network address and which part represents the host address. So clearly, a subnet mask that is configured wrong has the same nasty effect on communications as a wrong IP address configuration does: the host decides that some local addresses are remote (and sends them to the gateway) or that some remote addresses are local (and ARPs for them and never gets an answer). Again, a subnet mask is generally configured by the DHCP server; if you're going to enter it manually, make sure the subnet mask is right or you'll end up tangling with the fallout caused by the entire address's misconfiguration.

Incorrect Interface/Interface Misconfiguration

If a host is plugged into a misconfigured switch port, or if it's plugged into the wrong switch port that's configured for the wrong VLAN, the host won't function correctly. Make sure the speed and duplex settings are right and the correct Ethernet cable is used. Get any of that wrong and you'll either get interface errors on the host and switch port or, worse, things just won't work at all! With all that in mind, let's move on with our troubleshooting steps.
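Before moving on, here is an added example (not code from the book) that turns the IP address, gateway, and subnet mask items above into a check you can run before typing a static configuration into a host. It uses Python's standard ipaddress module to catch a non-contiguous mask, a wildcard mask entered by mistake, a host address that is really the network or broadcast address, a gateway that is not on the host's own subnet, and a duplicate of an address already recorded in your inventory. The inventory names and addresses are made up for the example.

```python
import ipaddress

# Constructed inventory of addresses already in use on the 192.168.10.0/24 segment
# (hypothetical names and addresses, not from the book).
SAMPLE_INVENTORY = {
    "router-lan": "192.168.10.1",
    "fileserver01": "192.168.10.20",
    "printer-3f": "192.168.10.21",
}


def check_static_config(ip, mask, gateway, inventory=None, hostname=None):
    """Sanity-check a static IPv4 address/mask/gateway before it goes onto a host.

    Returns a list of human-readable problems; an empty list means the three values
    are at least consistent with each other and with the known inventory.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ipaddress.NetmaskValueError:
        return [f"subnet mask {mask} is not a valid contiguous mask"]
    except ValueError:
        return [f"{ip} is not a valid IPv4 address"]

    # ipaddress silently accepts a wildcard (host) mask such as 0.0.0.255 and converts
    # it to the matching netmask; a human typing that into a host meant something else.
    if "." in mask and str(iface.netmask) != mask:
        problems.append(f"{mask} is a wildcard mask, not a subnet mask (did you mean {iface.netmask}?)")

    net, host = iface.network, iface.ip
    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}, not a usable host address")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"{gateway} is not a valid gateway address")
    else:
        if gw == host:
            problems.append("gateway is the host's own address")
        elif gw not in net:
            # The host ARPs for its gateway, so the gateway must sit on the local subnet.
            problems.append(f"gateway {gw} is not on the local subnet {net}; the host can never reach it")
        elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    # Duplicate-address check against whatever inventory you keep (see step 7).
    for other, addr in (inventory or {}).items():
        if other != hostname and ipaddress.IPv4Address(addr) == host:
            problems.append(f"{host} is already assigned to {other} (duplicate IP)")
    return problems


if __name__ == "__main__":
    for args in (("192.168.10.50", "255.255.255.0", "192.168.10.1"),
                 ("192.168.10.50", "255.255.255.0", "192.168.20.1"),   # gateway on another subnet
                 ("192.168.10.50", "255.255.0.255", "192.168.10.1"),   # non-contiguous mask
                 ("192.168.10.20", "255.255.255.0", "192.168.10.1")):  # already used by fileserver01
        print(args, "->", check_static_config(*args, SAMPLE_INVENTORY, "newpc") or "OK")
```

The check cannot see a duplicate that nobody wrote down, which is the usual kind; on the wire that one shows up as an ARP reply from two different MAC addresses for the same IP, and Windows will log an "IP address conflict" for it.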
Consider Multiple Approaches

There are two standard approaches that you can use to establish a theory of probable cause. Let's take a look at them next.

Top-to-Bottom/Bottom-to-Top OSI Model

As its name implies, when you apply a top-down approach to troubleshooting a networking problem, you start with the user application and work your way down the layers of the OSI model. If a layer is not in good working condition, you inspect the layer below it. When you know that the current layer is not in working condition and you discover that a lower layer works, you can conclude that the problem is within the layer just above the lowest working layer. Once you've determined which layer is the lowest layer with problems, you can begin identifying the cause from within that layer.

The bottom-up approach to troubleshooting a networking problem starts with the physical components of the network and works its way up the layers of the OSI model. If you conclude that all the elements associated with a particular layer are in good working order, move on to inspect the elements associated with the next layer up until the cause(s) of the problem is/are identified. The downside to the bottom-up approach is that it requires you to check every device, interface, and so on. In other words, regardless of the nature of the problem, the bottom-up approach starts with an exhaustive check of all the elements of each layer, starting with the physical layer and working its way up from there.

Divide and Conquer

Unlike the top-down and bottom-up troubleshooting strategies, the divide-and-conquer approach to network troubleshooting doesn't always begin the investigation at a particular OSI layer. When using the divide-and-conquer approach, you select a layer, test its health, and based on the results, you move up or down through the model from the layer you began scrutinizing. In our scenario, the ping by IP address is exactly this kind of test: it proves layers 1 through 3 between the two hosts, so everything below name resolution can be set aside and the search moves up.
Step 3: Test the Theory to Determine Cause

Once you've gathered information and established a plausible theory, you've got to determine the next steps to resolve your problem. If you can't confirm your theory during this step, you must formulate a new theory or escalate the problem.

Let's look into the matter by first checking the IP configuration of the host, which happens to include DNS information. You use the ipconfig /all command to show the IP configuration. The /all switch will give you the DNS information you need.

Check out the DNS entries: 1.1.1.1 and 2.2.2.2. Is this right? What are they supposed to be? You can find this out by checking the addresses on a working host, but let's check the settings on your troubled host's adapter first. Click Start, then Control Panel, then Network And Sharing Center, and then Manage Network Connections on the left side of the screen, which takes you to the list of network connections. Now, right-click the interface in question and click Properties. From here, you highlight Internet Protocol Version 4 and click Properties (or just double-click). From the next screen, do you see what may be causing the problem? As I said, you're using DHCP, right? But DNS is statically configured on this host. Interestingly enough, when you set a static DNS entry on an interface, it will override the DHCP-provided DNS entry. Note that ipconfig /all alone doesn't tell you that: it shows DHCP Enabled as Yes and lists whatever DNS servers are in effect, static or not, so you have to compare the listed servers with what DHCP hands out, or look at the adapter properties as we just did.

Step 4: Establish a Plan of Action to Resolve the Problem and Identify Potential Effects

Now that you've identified some possible changes, you've got to follow through and test your solution to see if you really solved the problem. In this case, you ask the user to try to access the intranet server (because that's what they called about).
Basically, you just ask the user to try doing whatever it was they couldn't do when they called you in the first place. If it works, sweet, problem solved. If not, try the operation yourself. So now you can test the proposed solution on the computer of the user who is still waiting for a fix. To do that, you need to check the DNS configuration on that host. But first, let me point out something about this user's network. All hosts are using DHCP, so it's really weird that a single user is having a DNS resolution issue. So, to fix the problem and get your user back in the game, just click Obtain DNS Server Address Automatically, and then click OK. Voilà! Let's take a look at the output of ipconfig /all and see if you received new DNS server addresses. All good; you did. And you can test the host by trying to use HTTP to connect to a web page on the intranet server and even pinging by hostname. Congratulations on solving your first trouble ticket!

If things hadn't worked out so well, you would go back to step 2, select a new possible cause, and redo step 3. If this happens, keep track of what worked and what didn't so you don't make the same mistakes twice.

It's pretty much common sense that you should change settings like this only when you fully understand the effect your changes will have, or when you're asked to by someone who does. The incorrect configuration of these settings will disable the normal operation of your workstation, and, well, it seems that someone (the user, maybe?) did something they shouldn't have or you wouldn't have had the pleasure of solving this problem. Static DNS entries that nobody owns up to also deserve a second look from a security angle: pointing a host at resolvers you don't control is exactly how malware or an attacker redirects its traffic, so find out who made the change rather than just reverting it. You have to be super careful when changing settings, and always check out a troubled host's network settings. Don't just assume that because a host uses DHCP, nobody has screwed up a static configuration on it.
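Here is an added Python example (not code from the book) that does the step 3 comparison mechanically: it parses a constructed ipconfig /all capture for the troubled host and flags any DHCP-enabled adapter whose DNS servers don't match the ones the DHCP scope hands out, which is the clue in the scenario that a static override is in place. The host name, adapter details, and the "known-good" DNS addresses 10.10.10.5 and 10.10.10.6 are assumptions made for the example.

```python
import re

# Constructed `ipconfig /all` output for the scenario's troubled host (not a capture from
# the book). The LAN adapter is a DHCP client, yet its DNS servers are 1.1.1.1 and 2.2.2.2.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-SALES-07
   Primary Dns Suffix  . . . . . . . : lammle.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lammle.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-3A-5B-7C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d4a8:6435:d2d8:d9f3%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, April 1, 2015 8:02:11 AM
   Default Gateway . . . . . . . . . : 10.10.10.1
   DHCP Server . . . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       2.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.lammle.com:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   DHCP Enabled. . . . . . . . . . . : No
"""

# A property line is "Key . . . . : value". Requiring at least one space or dot before the
# colon keeps IPv6 continuation values such as "fec0:0:0:ffff::1%1" from parsing as a key.
_PROP = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)[ .]+: ?(.*)$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` output into {section: {key: [values, ...]}}.

    Adapter headers are unindented; properties are indented. Multi-valued properties
    (DNS Servers) continue on key-less lines, which are appended to the previous key.
    Suffixes such as "(Preferred)" are stripped from address values.
    """
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):           # section / adapter header
            current = raw.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        line = raw.strip()
        m = _PROP.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
        elif last_key is not None:            # continuation of a multi-valued key
            value = line
        else:
            continue
        value = re.sub(r"\([A-Za-z]+\)$", "", value)
        if value:
            sections[current].setdefault(last_key, []).append(value)
    return sections


def dhcp_clients_with_foreign_dns(sections, dhcp_dns):
    """Return [(adapter, dns_list)] for DHCP-enabled adapters whose IPv4 DNS servers
    differ from the set the DHCP scope hands out (`dhcp_dns`, taken from a working host).

    ipconfig cannot say whether the entries were typed in by hand; what it can show is
    that they disagree with what every other DHCP client on the scope received.
    """
    expected, findings = set(dhcp_dns), []
    for adapter, props in sections.items():
        if props.get("DHCP Enabled", ["No"])[0] != "Yes":
            continue
        ipv4_dns = [v for v in props.get("DNS Servers", []) if ":" not in v]
        if ipv4_dns and set(ipv4_dns) != expected:
            findings.append((adapter, ipv4_dns))
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for adapter, dns in dhcp_clients_with_foreign_dns(cfg, ["10.10.10.5", "10.10.10.6"]):
        print(f"{adapter}: DHCP client, but DNS servers are {dns}; check the adapter's IPv4 properties")
```

Run the same parser over a few hosts' captures and the odd one out falls straight out of the comparison, which is the scripted version of "check the addresses on a working host."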
Step 5: Implement the Solution or Escalate as Necessary

Although it's true that CompTIA doesn't expect you to fix every single network problem that could possibly happen in the universe, they actually do expect you to get pretty close to determining exactly what the problem is. And if you can't fix it, you'll be expected to know how to escalate it and to whom. You are only as good as your resources, be they your own skill set, a book like this one, other more reference-oriented technical books, the Internet, or even a guru at a call center.

I know it seems like I talked to death the physical and logical issues that cause problems in a network, but trust me, with what I've taught you, you're just getting started. There's a galaxy of networking evils that we have not even touched on because they're far beyond the objectives for Network+ certification and, therefore, the scope of this book. But out there in the real world, you'll get calls about them anyway, and because you're not yet equipped to handle them yourself, you need to escalate these nasties to a senior network engineer who has the additional experience and knowledge required to resolve the problems. Some of the calamities that you should escalate are as follows:

■ Switching loops
■ Missing routes
■ Routing loops
■ Routing problems
■ MTU black hole
■ Bad modules
■ Proxy Address Resolution Protocol (ARP)
■ Broadcast storms
■ NIC Teaming misconfiguration
■ Power failures/power anomalies

If you can't implement a solution and instead have to escalate the problem, there is no need for you to go on with steps 6 and 7 of the seven-step troubleshooting model. You now need to meet with the emergency response team to determine the next step. And just as with other problems, you have to be able to identify these events, because if you can't do that, how else will you know that you need to escalate them?
Switching Loops

Today's networks often connect switches with redundant links to provide for fault tolerance and load balancing. Protocols such as Spanning Tree Protocol (STP) prevent switching loops and simultaneously maintain fault tolerance. If STP fails, it takes some expertise to reconfigure and repair the network, so you just need to be concerned with being able to identify the problem so you can escalate it. Remember, when you hear users complaining that the network works fine for a while, then unexpectedly goes down for about a minute, and then goes back to being fine, it's very likely an STP convergence issue, which is pretty tough to find and fix. Escalate this problem ASAP!

Missing Routes

Routers must have routes either configured or learned to function. There are a number of issues that can prevent a router from learning the routes that it needs. To determine if a router has the route to the network in question, execute the show ip route command and view the routing table. This can save a lot of additional troubleshooting if you can narrow the problem to a missing route. Remember that a route is needed in both directions: the far-end router must also know how to get back to the source network, or the replies will never return.

Routing Loops

Routing protocols are often used on networks to control traffic efficiently while preventing routing loops, which happen when a routing protocol hasn't been configured properly or network changes didn't get the attention they deserved. Routing loops can also happen if you or the network admin blew the static configuration and created conflicting routes through the network. This evil event affects the traffic flow for all users, and because it's pretty complicated to fix, again, it's up, up, and away with this one. You can expect transient routing loops during convergence if your network is running old distance-vector routing protocols like Routing Information Protocol (RIP) and RIPv2; a traceroute that shows the same pair of routers repeating until the TTL runs out is the giveaway.
Just upgrading your routing protocol to Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), or Intermediate System-to-Intermediate System (IS-IS) will usually take care of the problem. Anyway, escalate this problem to the router group, which hopefully is soon to be you.

Routing Problems

Routing packets through the many subnets of a large enterprise while still maintaining security can be a tremendous challenge. A router's configuration can include all kinds of stuff like access lists, Network Address Translation (NAT), Port Address Translation (PAT), and even authentication protocols like Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+). Particularly diabolical, errant configuration changes can trigger a domino effect that can derail traffic down the wrong path or even cause it to come to a grinding halt and stop traversing the network completely. To identify routing problems, check to see if someone has simply set a wrong default route on a router. This can easily create routing loops (two routers whose default routes point at each other will bounce any packet for an unknown destination back and forth until its TTL expires). I see it all the time. These configurations can be highly complex and specific to a particular device, so they need to be escalated to the top dogs: get the problem to the best admin in the router group.

MTU Black Hole

On a WAN connection, communication may fail if an intermediate network segment has an MTU that is smaller than the maximum packet size of the communicating hosts, and the router does not send an appropriate Internet Control Message Protocol (ICMP) response to this condition. If ICMP traffic is allowed, the routers take care of this through Path MTU Discovery: a packet that is too big and has the Don't Fragment bit set is dropped, and the router returns an ICMP Fragmentation Needed message (type 3, code 4) telling the sender to use a smaller size. However, as ICMP traffic is increasingly being blocked by firewalls, that message never arrives, the sender keeps retransmitting the same oversized packets, and you get what is called a black hole: small packets (pings, TCP handshakes) get through, but bulk transfers hang. This will probably be an issue you will escalate.

Bad Modules

Some multilayer switches and routers have slots available to add new features.
The hardware that fits in these slots is called modules. These modules can host fiber connections, wireless connections, and other types as well. A common example is the Cisco Gigabit Interface Converter (GBIC) and its smaller successor, the Small Form-Factor Pluggable (SFP) transceiver. This is an input-output device that plugs into an existing Gigabit Ethernet slot, providing a variety of additional capabilities to the device hosting the slot or port. Conversions can happen between all types of media, from copper Ethernet to fiber, for example. Like any piece of hardware made by humans, the modules can fail. It is always worth checking this if there is no other reason a link is not functioning; swapping a suspect transceiver for a known-good one of the same type is a quick, low-risk test.

Proxy ARP

Address Resolution Protocol (ARP) is a service that resolves IP addresses to MAC addresses. Proxy ARP is just wrong to use in today's networks, but many routers (Cisco routers among them) still have it on by default. The idea of Proxy ARP was to solve the problem of a host being able to have only one configured default gateway. To allow redundancy, Proxy ARP running on a router will respond to an ARP broadcast from a host that's sending a packet to a remote network but doesn't have a default gateway set. The router answers with its own MAC address, acting as the proxy for the remote host, which in turn makes the local host think the remote host is really local; as a result, the local host sends the packets to the router, which then forwards the packets to the remote host. Most of the time, in today's networks, this does not work well, if at all, and it also means a router is answering ARP for addresses that aren't its own, which clutters ARP tables and makes legitimate traffic harder to tell apart from ARP spoofing. Disable Proxy ARP on your routers, and make sure you have default gateways set on all your hosts. If you need router redundancy, there are much better solutions available than Proxy ARP! This is another job for the routing group.

Broadcast Storms

When a switch receives a broadcast, it will normally flood the broadcast out all the ports except for the one the broadcast came in on.
If STP fails between switches or is disabled by an administrator, it's possible that the traffic could continue to be flooded repeatedly throughout the switch topology. When this happens, the network can get so busy that normal traffic can't traverse it, an event referred to as a broadcast storm. As you can imagine, this is a particularly gruesome thing to have to troubleshoot and fix, because you need to find the one bad link that is causing the mess while the network is probably still up and running, but at a heavily congested crawl. Escalate ASAP to experts!

NIC Teaming Misconfiguration

NIC Teaming, also known as load balancing/failover (LBFO), allows multiple network interfaces to be placed into a team for the purposes of bandwidth aggregation and/or traffic failover to prevent connectivity loss in the event of a network component failure. The cards can be set to an active-active state, where both cards are load balancing, or active-passive, where one card is on standby in case the primary card fails. The team is presented to the network as one logical adapter with its own MAC and IP address; in switch-dependent modes (static teaming or LACP), the switch ports on the other end must be configured as a matching port channel. If these are not configured correctly, either the team will operate at a severely diminished capacity or, worse, neither card will work at all!

Power Failure/Power Anomalies

When you have power issues, whether it's a full-blown power outage or intermittent power surges, it can cause some serious issues with your network devices. Your servers and core network devices require a fully functional UPS system.

Step 6: Verify Full System Functionality, and If Applicable, Implement Preventative Measures

A trap that any network technician can fall into is solving one problem and thinking it's all fixed without stopping to consider the possible consequences of their solution. The cure can be worse than the disease, and it's possible that your solution falls into this category.
So before you fully implement the solution to a problem, make sure you totally understand the ramifications of doing so. Clearly, if it causes more problems than it fixes, you should toss it and find a different solution that does no harm.

Many people update a router's operating system or firmware just because a new version of code is released from the manufacturer. Do not do this on your production routers; just say no! Always test any new code before upgrading your production routers. Like a bad solution, sometimes the new code provides new features but creates more problems, and the cons outweigh the pros. (The flip side is that you can't ignore updates forever: when a release fixes a security vulnerability, schedule it through the same test-then-deploy process rather than skipping it.)

Step 7: Document Findings, Actions, and Outcomes

I can't stress enough how vital network documentation is. Always document problems and solutions so that you have the information at hand when a similar problem arises in the future. With documented solutions to documented problems, you can assemble your own database of information that you can use to troubleshoot other problems. Be sure to include information like the following:

■ A description of the conditions surrounding the problem
■ The OS version, the software version, the type of computer, and the type of NIC
■ Whether you were able to reproduce the problem
■ The solutions you tried
■ The ultimate solution

Network Documentation

I don't know how many times I've gone into a place and asked where their documentation was only to be met with a blank stare. I was recently at a small business that was experiencing network problems. The first question I asked was, "Do you have any kind of network documentation?" I got the blank stare. So, we proceeded to search through lots of receipts and other paperwork, anything we could find to help us understand the network layout and figure out exactly what was on the network.
It turned out they had recently bought a WAP, and it was having trouble connecting, something that would've taken me five minutes to fix instead of searching through a mess for a couple of hours! Documentation doesn't have to look like a sleek owner's manual or anything; it can consist of a simple three-ring binder with an up-to-date network map; receipts for network equipment; a pocket for owner's manuals; and a stack of loose-leaf paper to record services, changes, network-addressing assignments, access lists, and so on. Just this little bit of documentation can save lots of time and money and prevent grief, especially in the critical first few months of a new network install.

Troubleshooting Tips

Now that you've got the basics of network troubleshooting down pat, I'm going to go over a few really handy troubleshooting tips for you to arm yourself with even further in the quest to conquer the world's networking evils.

Don't Overlook the Small Stuff

The super simple stuff (SSS) I referred to at the beginning of this chapter should never be overlooked, ever! Here's a quick review: just remember that problems are often caused by little things like a bad power switch; a power switch in the wrong position; a card or port that's not working, indicated by a link light that's not lit; or simply operator error (OE). Even the most experienced system administrator has forgotten to turn on the power, left a cable unplugged, or mistyped a username and password. Not me, of course, but others... And make sure that users get solid training for the systems they use. An ounce of prevention is worth a pound of cure, and you'll experience dramatically fewer ID10T errors this way.

Prioritize Your Problems

Being a network administrator or technician of even a fairly small network can keep you hopping, and it's pretty rare that you'll get calls for help one at a time and never be interrupted by more coming in.
Closer to reality is receiving yet another call when you already have three people waiting for service. So, you've got to prioritize. You start this process by again asking some basic questions to determine the severity of the problem being reported. Clearly, if the new call is about something little and you already have a huge issue to deal with, you should put the new call on hold or get their info and get back to them later. If you establish a good set of priorities, you'll make much better use of your time. Here's an example of the rank you probably want to give to networking problems, from highest priority to lowest:

■ Total network failure (affects everyone)
■ Partial network failure (affects small groups of users)
■ Small network failure (affects a small, single group of users)
■ Total workstation failure (single user can't work at all)
■ Partial workstation failure (single user can't do most tasks)
■ Minor issue (single user has problems that crop up now and then)

Mitigating circumstances can, of course, change the order of this list. For example, if the president of the company can't retrieve email, you'd take the express elevator to their office as soon as you got the call, right? And even a minor issue can move up the ladder if it's persistent enough. Don't fall prey to thinking that simple problems are easier to deal with, because even though you may be able to bring up a crashed server in minutes, a user who doesn't know how to make columns line up in Microsoft Word could take a chunk out of your day. You'd want to put the latter problem toward the bottom of the list because of the time involved; it's a lot more efficient to solve problems for a big group of people than to fix this one user's problem immediately. Some network administrators list all network-service requests on a chalkboard or a whiteboard. They then prioritize them based on the previously discussed criteria.
Some larger companies have written support-call tracking software whose only function is to track and prioritize all network and computer problems. Use whatever method makes you comfortable, but prioritize your calls.

Check the Software Configuration

Often, network problems can be traced to software configuration, like our DNS configuration scenario, so when you're checking for software problems, don't forget to check these types of configuration:

■ DNS configuration/misconfiguration
■ DHCP configuration/misconfiguration
■ WINS configuration
■ HOSTS file
■ The Registry

Software-configuration settings love to hide in places like these and can be notoriously hard to find (especially in the Registry). Also, look for lines that have been commented out either intentionally or accidentally in text-configuration files—another place for clues. A command such as REM or REMARK, or asterisk or semicolon characters, indicates comment lines in a file. In the HOSTS file, a pound sign (#) is used to indicate a comment line. Keep in mind that an active (uncommented) HOSTS entry is consulted before DNS on Windows, Linux, and macOS by default, so a stale or malicious entry there silently overrides whatever DNS says; that is exactly the kind of thing that makes one workstation misbehave while everyone else is fine.

Don't Overlook Physical Conditions

You want to make sure that from a network-design standpoint, the physical environment for a server is optimized for placement, temperature, and humidity. When troubleshooting an obscure network problem, don't forget to check the physical conditions under which the network device is operating. Check for problems like these:

■ Excessive heat
■ Excessive humidity (condensation)
■ Low humidity (leads to electrostatic discharge [ESD] problems)
■ EMI/RFI problems
■ ESD problems
■ Power problems
■ Unplugged cables

Don't Overlook Cable Problems

Cables, generally speaking, work fine once they are installed properly. If the patch cable isn't the problem, use a cable tester (not a tone generator and locator) to find the source of the problem.
One of the easiest mistakes to make, especially if cables are not labeled, is to use a crossover cable where a straight-through cable should be used, or vice versa. In either case, doing this causes TX/RX reversal. What's that? It's when one device's transmit pair ends up connected to the other device's transmit pair, and receive to receive. That sounds tidy, but for a link to work, transmit on one end has to land on receive at the other. (Interfaces that support Auto-MDI/MDI-X detect and correct this for you, which is why the mistake hurts most with older gear.) See more about straight-through and crossover cables in Chapter 3, "Networking Topologies, Connectors, and Wiring Standards." Wires that are moved can be prone to breaking or shorting, and a short happens when the wire conductor comes in contact with another conductive surface, changing the path of the electrical signal. The signal goes someplace else instead of to the intended recipient. You can use cable testers to test for many types of problems:

■ Broken cables
■ Incorrect connections
■ Interference levels
■ Total cable length (for length restrictions)
■ Cable shorts
■ Connector problems
■ Testing the cable at all possible data rates

As a matter of fact, cable testers are so sophisticated that they can even indicate the exact location of a cable break (by time-domain reflectometry, timing the reflection that bounces back from the fault), accurate to within 6 inches or better.

Check for Viruses

People overlook scanning for viruses because they assume that the network's virus-checking software has already picked them off. But to be effective, the software must be kept up to date, and updates are made available pretty much daily. You've got to run the virus-definition update utility to keep the virus-definition file current. If you are having strange, unusual, irreproducible problems with a workstation, try scanning it with an up-to-date virus-scan utility. You'd be surprised how many times people have spent hours and hours troubleshooting a strange problem only to run a virus-scan utility, find and clean out one or more viruses, and have the problem disappear like magic.
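Here is the Check the Software Configuration tip from earlier in this section as something you can actually run. This is an added example, not code from the study guide: it parses a HOSTS file into active and commented-out mappings, flags names that have more than one active address (the first one listed is the one the resolver uses) and names whose HOSTS entry overrides the documented DNS address, and it recognizes comment lines in the other styles the chapter mentions (REM/REMARK, semicolon, asterisk). The sample file, the host names, the addresses, and the "expected" table are all constructed for the demo.

```python
"""Find active and commented-out entries in text configuration files.

Added example, not from the study guide: a HOSTS-file parser plus a comment-line
check for the other comment styles the chapter lists (REM/REMARK, asterisk,
semicolon). The sample file, the expected-address table and every host name and
address below are constructed for this demo.
"""
import ipaddress

# Comment markers by file style, as the chapter describes them.
COMMENT_MARKERS = {
    "hosts": ("#",),
    "ini": (";",),
    "batch": ("REM", "REMARK"),
    "asterisk": ("*",),
}


def is_comment(line: str, style: str) -> bool:
    """True if the line is a comment line in the given file style."""
    stripped = line.strip()
    first_word = stripped.split(None, 1)[0].upper() if stripped else ""
    for marker in COMMENT_MARKERS[style]:
        if marker.isalpha():            # REM / REMARK are keywords: whole first word, any case
            if first_word == marker:
                return True
        elif stripped.startswith(marker):
            return True
    return False


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text: str):
    """Return (active, commented): name -> [(ip, line_number), ...] in file order.

    Active entries are what the resolver uses; commented-out ones are history
    that often explains how the active ones got there.
    """
    active, commented = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented_out = line.startswith("#")
        body = line.lstrip("#").split("#", 1)[0]   # drop the marker and any trailing comment
        parts = body.split()
        if len(parts) < 2 or not _is_ip(parts[0]):
            continue                               # an ordinary comment, not a disabled mapping
        target = commented if commented_out else active
        for name in parts[1:]:
            target.setdefault(name.lower(), []).append((parts[0], lineno))
    return active, commented


def conflicts(active: dict) -> dict:
    """Names with more than one active address; resolvers use the first one listed."""
    return {name: [ip for ip, _ in hits] for name, hits in active.items() if len(hits) > 1}


def overrides(active: dict, expected: dict) -> dict:
    """Names whose winning HOSTS entry differs from the documented (DNS) address."""
    return {name: (active[name][0][0], want)
            for name, want in expected.items()
            if name in active and active[name][0][0] != want}


# Constructed sample HOSTS file, the kind of mess a troubleshooter finds on a workstation.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# 10.1.1.20     intranet.example.local    # old entry, commented out when the server moved
10.1.1.99       intranet.example.local    # added during testing and never removed
10.1.1.20       intranet.example.local
192.0.2.10      updates.example.com
"""
# Where the documentation and DNS say these names should point (constructed).
EXPECTED = {"intranet.example.local": "10.1.1.20", "updates.example.com": "198.51.100.10"}

if __name__ == "__main__":
    active, commented = parse_hosts(SAMPLE_HOSTS)
    for name, ips in conflicts(active).items():
        print(f"conflict: {name} -> {ips} (first one wins)")
    for name, (got, want) in overrides(active, EXPECTED).items():
        print(f"override: {name} resolves to {got} via HOSTS, DNS/documentation says {want}")
    for name, hits in commented.items():
        print(f"history : {name} had commented-out entries {hits}")
```

On a real workstation, feed parse_hosts() the contents of C:\Windows\System32\drivers\etc\hosts or /etc/hosts, and build EXPECTED from your logical network diagram or a DNS lookup from a known-good host. An entry for an update server or the intranet pointing somewhere unexpected is worth treating as a security finding, not just a typo, until you know who put it there.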
Summary

In this chapter, you learned about all things troubleshooting, and you now know how to sleuth out and solve a lot of network problems. You learned to first check all the SSS and how to approach problem resolution by eliminating what the problem is not. You learned how to narrow the problem down to its basics and define it. Next, you learned a systematic approach using a seven-step troubleshooting model to troubleshoot most of the problems you'll run into in networking. You also learned about some resources you can use to help you during the troubleshooting process. In addition, you learned how important documentation is to the health of your network. Finally, I gave you a bunch of cool tips to further equip you: tips about prioritizing issues, checking for configuration issues, considering environmental factors—even hunting down viruses. As you venture out into the real world, keep these tips in mind; along with your own personal experience, they'll really help make you an expert troubleshooter.

Exam Essentials

Know the seven troubleshooting steps, in order. The steps, in order, are as follows:

1. Identify the problem.
2. Establish a theory of probable cause.
3. Test the theory to determine cause.
4. Establish a plan of action to resolve the problem and identify potential effects.
5. Implement the solution or escalate as necessary.
6. Verify full system functionality, and if applicable, implement preventative measures.
7. Document findings, actions, and outcomes.

Be able to identify a link light. A link light is the small, usually green LED on the back of a network card. This LED is typically found next to the media connector on a NIC and is usually labeled Link.

Understand how proper network use procedures can affect the operation of a network. If a user is not following a network use procedure properly (for example, not logging in correctly), that user may report a problem where none exists.
A good network troubleshooter should know how to differentiate between a network hardware/software problem and a "lack of user training" problem.

Know how to narrow down a problem to one specific area or cause. Most problems can be traced to one specific area or cause. You must be able to determine if a problem is specific to one user or a bunch of users, specific to one computer or a bunch of computers, and related to hardware or software. The answers to these questions will give you a very specific problem focus.

Know how to detect cabling-related problems. Generally speaking, most cabling-related problems can be traced by plugging the suspect workstation into a known, working network port. If the problem disappears (or at the very least changes significantly), it is related to the cabling for that workstation.

Written Lab

In this section, write the answers to the following questions. You can find the answers in Appendix A.

1. What is step 3 of the seven-step troubleshooting model?
2. What is step 7 of the seven-step troubleshooting model?
3. How is crosstalk minimized in twisted-pair cabling?
4. If you plug a host into a switch port and the user cannot get to the server or other services they need to access despite a working link light, what could the problem be?
5. What is it called when a cable has two wires of a twisted pair connected to two wires from a different pair?
6. When a signal moves through any medium, the medium itself will degrade the signal. What is this called?
7. What is step 4 of the seven-step troubleshooting model?
8. What is step 5 of the seven-step troubleshooting model?
9. What are some of the problems that, if determined, should be escalated?
10. What cable issues should you know and understand for network troubleshooting?

Review Questions

You can find the answers to the review questions in Appendix B.

1. Which of the following are not steps in the Network+ troubleshooting model? (Choose all that apply.)
A. Reboot the servers.
B. Identify the problem.
C. Test the theory to determine the cause.
D. Implement the solution or escalate as necessary.
E. Document findings, actions, and outcomes.
F. Reboot all the routers.

2. You have a user who cannot connect to the network. What is the first thing you could check to determine the source of the problem?
A. Workstation configuration
B. Connectivity
C. Patch cable
D. Server configuration

3. When wireless users complain that they are losing their connection to applications during a session, what is the source of the problem?
A. Incorrect SSID
B. Latency
C. Incorrect encryption
D. MAC address filter

4. Several users can't log in to the server. Which action would help you to narrow the problem down to the workstations, network, or server?
A. Run tracert from a workstation.
B. Check the server console for user connections.
C. Run netstat on all workstations.
D. Check the network diagnostics.

5. A user can't log in to the network. She can't even connect to the Internet over the LAN. Other users in the same area aren't experiencing any problems. You attempt to log in as this user from your workstation with her username and password and don't experience any problems. However, you cannot log in with either her username or yours from her workstation. What is a likely cause of the problem?
A. Insufficient rights to access the server
B. A bad patch cable
C. Server down
D. Wrong username and password

6. A user is experiencing problems logging in to a Unix server. He can connect to the Internet over the LAN. Other users in the same area aren't experiencing any problems. You attempt logging in as this user from your workstation with his username and password and don't experience any problems. However, you cannot log in with either his username or yours from his workstation. What is a likely cause of the problem?
A. The Caps Lock key is pressed.
B. The network hub is malfunctioning.
C. You have a downed server.
D. You have a jabbering NIC.

7. You receive a call from a user who is having issues connecting to a new VPN. Which is the first step you should take?
A. Find out what has changed.
B. Reboot the workstation.
C. Document the solution.
D. Identify the symptoms and potential causes.

8. A workstation presents an error message to a user. The message states that a duplicate IP address has been detected on the network. After establishing what has changed in the network, what should be the next step using the standard troubleshooting model?
A. Test the result.
B. Select the most probable cause.
C. Create an action plan.
D. Identify the results and effects of the solution.

9. You have gathered information on a network issue and determined the affected areas of the network. What is your next step in resolving this issue?
A. You should implement the best solution for the issue.
B. You should test the best solution for the issue.
C. You should check to see if there have been any recent changes to this affected part of the network.
D. You should consider any negative impact to the network that might be caused by a solution.

10. A user calls you, reporting a problem logging in to the corporate intranet. You can access the website without problems using the user's username and password. At your request, the user has tried logging in from other workstations but has been unsuccessful. What is the most likely cause of the problem?
A. The user is logging in incorrectly.
B. The network is down.
C. The intranet server is locked up.
D. The server is not routing packets correctly to that user's workstation.

11. You have just implemented a solution and you want to celebrate your success. But what should you do next before you start your celebration?
A. Gather more information about the issue.
B. Document the issue and the solution that was implemented.
C. Test the solution and identify other effects it may have.
D. Escalate the issue.

12. You can ping the local router and web server that a local user is trying to reach, but you cannot reach the web page that resides on that server. From step 2 of the troubleshooting model, what is a possible problem that would lead to this situation?
A. Your network cable is unplugged.
B. There is a problem with your browser.
C. Your NIC has failed.
D. The web server is unplugged.

13. When troubleshooting an obscure network problem, what physical conditions should be reviewed to make sure the network device is operating correctly? (Choose all that apply.)
A. Excessive heat
B. Low/excessive humidity
C. ESD problems
D. None of the above

14. Which of the following is not a basic physical issue that can occur on a network when a user is connected via cable?
A. Crosstalk
B. Shorts
C. Open impedance mismatch
D. DNS configurations

15. You are troubleshooting a LAN switch and have identified the symptoms. What is the next step you should take?
A. Escalate the issue.
B. Create an action plan.
C. Implement the solution.
D. Determine the scope of the problem.

16. A user calls you, complaining that he can't access the corporate intranet web server. You try the same address, and you receive a Host Not Found error. Several minutes later, another user reports the same problem. You can still send email and transfer files to another server. What is the most likely cause of the problem?
A. The hub is unplugged.
B. The server is not routing protocols to your workstation.
C. The user's workstation is not connected to the network.
D. The web server is down.

17. You have implemented and tested a solution and identified any other effects the solution may have. What is your next step?
A. Create an action plan.
B. Close the case and head home for the day.
C. Reboot the Windows server.
D. Document the solution.

18. Users are reporting that they can access the Internet but not the internal company website. Which of the following is the most likely problem?
A. The DNS entry for the server is non-authoritative.
B. The intranet server is down.
C. The DNS address handed out by DHCP is incorrect.
D. The default gateway is incorrect.

19. Several users have complained about the server's poor performance as of late. You know that the memory installed in the server is sufficient. What could you check to determine the source of the problem?
A. Server's NIC link light
B. Protocol analyzer
C. Performance-monitoring tools
D. Server's system log file

20. You lose power to your computer room and the switches in your network do not come back up when everything is brought online. After you have identified the affected areas, established the cause, and escalated this problem, what do you do next?
A. Start to implement a solution to get those users back online ASAP.
B. Create an action plan and solution.
C. Meet with the emergency response team to determine the next step.
D. Copy all the working routers' configurations to the nonworking switches.
Chapter 20

Management, Monitoring, and Optimization

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 2.3 Given a scenario, use appropriate resources to support configuration management
■ Archives/backups
■ Baselines
■ On-boarding and off-boarding of mobile devices
■ NAC
■ Documentation
  ■ Network diagrams (logical/physical)
  ■ Asset management
  ■ IP address utilization
  ■ Vendor documentation
  ■ Internal operating procedures/policies/standards

✓ 1.10 Identify the basic elements of unified communication technologies
■ VoIP
■ Video
■ Real-time services
  ■ Presence
  ■ Multicast vs unicast
■ QoS
  ■ DSCP
  ■ COS
■ Devices
  ■ UC servers
  ■ UC devices
  ■ UC gateways

✓ 1.11 Compare and contrast technologies that support cloud and virtualization
■ Virtualization
  ■ Virtual switches
  ■ Virtual routers
  ■ Virtual firewall
  ■ Virtual vs physical NICs
  ■ Software defined networking
■ Storage area network
  ■ iSCSI
  ■ Jumbo frame
  ■ Fibre Channel
  ■ Network attached storage
■ Cloud concepts
  ■ Public IaaS, SaaS, PaaS
  ■ Private IaaS, SaaS, PaaS
  ■ Hybrid IaaS, SaaS, PaaS
  ■ Community IaaS, SaaS, PaaS

✓ 1.7 Differentiate between network infrastructure implementations
■ SCADA/ICS
  ■ ICS server
  ■ DCS/closed network
  ■ Remote terminal unit
  ■ Programmable logic controller
■ Medianets
  ■ VTC
    ■ ISDN
    ■ IP/SIP

✓ 2.4 Explain the importance of implementing network segmentation
■ SCADA systems/Industrial control systems
■ Legacy systems
■ Separate private/public networks
■ Honeypot/honeynet
■ Testing lab
■ Load balancing
■ Performance optimization
■ Security
■ Compliance

✓ 5.5 Given a scenario, implement the appropriate policies or procedures
■ Security policies
  ■ Consent to monitoring
■ Network policies
■ Acceptable use policy
■ Standard business documents
  ■ SLA
  ■ MOU
  ■ MLA
  ■ SOW

✓ 5.6 Summarize safety practices
■ Electrical safety
  ■ Grounding
■ ESD
  ■ Static
■ Installation safety
  ■ Lifting equipment
  ■ Rack installation
  ■ Placement
  ■ Tool safety
■ MSDS
■ Emergency procedures
  ■ Building layout
  ■ Fire escape plan
  ■ Safety/emergency exits
  ■ Fail open/fail close
  ■ Emergency alert system
■ Fire suppression systems
■ HVAC

✓ 5.7 Given a scenario, install and configure equipment in the appropriate location using best practices
■ Intermediate distribution frame
■ Main distribution frame
■ Cable management
  ■ Patch panels
■ Power management
  ■ Power converters
  ■ Circuits
  ■ UPS
  ■ Inverters
  ■ Power redundancy
■ Device placement
■ Air flow
■ Cable trays
■ Rack systems
  ■ Server rail racks
  ■ Two-post racks
  ■ Four-post racks
  ■ Free-standing racks
■ Labeling
  ■ Port labeling
  ■ System labeling
  ■ Circuit labeling
  ■ Naming conventions
  ■ Patch panel labeling
■ Rack monitoring
■ Rack security

✓ 5.8 Explain the basics of change management procedures
■ Document reason for a change
■ Change request
  ■ Configuration procedures
  ■ Rollback process
  ■ Potential impact
  ■ Notification
■ Approval process
■ Maintenance window
  ■ Authorized downtime
■ Notification of change
■ Documentation
  ■ Network configurations
  ■ Additions to network
  ■ Physical location changes

If you didn't just skip to the end of this book, you've trekked through enough material to know that without a doubt, the task of designing, implementing, and maintaining a state-of-the-art network doesn't happen magically. Ending up with a great network requires some really solid planning before you buy even one device for it. And planning includes thoroughly analyzing your design for potential flaws and optimizing configurations everywhere you can to maximize the network's future throughput and performance. If you blow it in this phase, trust me—you'll pay dearly later in bottom-line costs and countless hours consumed troubleshooting and putting out the fires of faulty design.
Start planning by creating an outline that precisely delimits all goals and business requirements for the network, and refer back to it often to ensure that you don't deliver a network that falls short of your client's present needs or fails to offer the scalability to grow with those needs. Drawing out your design and jotting down all the relevant information really helps in spotting weaknesses and faults. If you have a team, make sure everyone on it gets to examine the design and evaluate it, and keep that network plan posted throughout the installation phase. Hang on to it after implementation has been completed as well, because having it is like having the keys to the kingdom—it will enable you to efficiently troubleshoot any issues that could arise after everything is in place and up and running.

High-quality documentation should include a baseline for network performance because you and your client need to know what "normal" looks like in order to detect problems before they develop into disasters. Don't forget to verify that the network conforms to all internal and external regulations and that you've developed and itemized solid management procedures and security policies for future network administrators to refer to and follow.

I'll begin this chapter by going over the fundamentals of things like plans, diagrams, baselines, rules, and regulations, and then move on to cover critical hardware and software utilities you should have in your problem resolution arsenal, like packet sniffers, throughput testers, connectivity packages, and even different types of event logs on your servers. And because even the best designs usually need a little boost after they've been up and running for a while, I'll wrap things up by telling you about some cool ways you can tweak things to really jack up a network's performance, optimize its data throughput, and, well, keep it all humming along as efficiently and smoothly as possible.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/networkplus or the book's website at www.sybextestbanks.wiley.com.

Managing Network Documentation

I'll admit it—creating network documentation is one of my least favorite tasks in network administration. It just isn't as exciting to me as learning about the coolest new technology or tackling and solving a challenging problem. Part of it may be that I figure I know my networks well enough—after all, I installed and configured them, so if something comes up, it should be easy to figure it out and fix it, right? And most of the time I can do that, but as networks get bigger and more complex, it gets harder and harder to remember it all. Plus, it's an integral part of the service I provide for my clients to have seriously solid documentation in hand to refer to after I've left the scene and turned their network over to them. So while I'll admit that creating documentation isn't something I get excited about, I know from experience that having it around is critical when problems come up—for myself and for my clients' technicians and administrators, who may not have been part of the installation process and simply aren't familiar with the system.

Using SNMP

In Chapter 6, "Introduction to the Internet Protocol," I introduced you to Simple Network Management Protocol (SNMP), which is used to gather information from and send settings to devices that are SNMP compatible. Make sure to thoroughly review the differences between versions 1, 2, and 3 that we discussed there! Remember, I told you SNMP gathers data by polling the devices on the network from a management station at fixed or random intervals, requiring them to disclose certain information. This is a big factor that really helps to simplify the process of gathering information about your entire internetwork.
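Here is what one of those polls looks like on the wire. This is an added example, not code from the study guide: a minimal encoder and decoder for an SNMPv1 GetRequest and its GetResponse, written by hand in BER so you can see every field (version, community string, PDU type, request ID, and the variable binding for sysDescr.0). It builds the datagram bytes offline rather than sending them; to poll a real agent you would hand the bytes to socket.sendto() on UDP port 161. The community string "public" and the sysDescr value are constructed for the demo.

```python
"""SNMPv1 GetRequest/GetResponse on the wire, encoded and decoded by hand.

Added example, not from the study guide: a minimal BER encoder/decoder for the
SNMP message described in the chapter. It runs offline on bytes it builds
itself. The community string and the sysDescr value are constructed.
"""
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # MIB-2 system.sysDescr.0


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | count, then the bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def enc_int(v: int) -> bytes:
    if v < 0:
        raise ValueError("only non-negative integers are used here")
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def enc_oid(dotted: str) -> bytes:
    """First two arcs share one byte (40*a + b); later arcs are base-128 with a 'more' bit."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def dec_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse(buf: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, value, next_pos); constructed types become child lists."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    raw, end = buf[pos:pos + ln], pos + ln
    if tag & 0x20:                                  # constructed (SEQUENCE and the PDUs)
        kids, p = [], 0
        while p < len(raw):
            t, v, p = parse(raw, p)
            kids.append((t, v))
        return tag, kids, end
    if tag == INTEGER:
        return tag, int.from_bytes(raw, "big", signed=True), end
    if tag == OCTET_STRING:
        return tag, raw.decode("latin-1"), end
    if tag == OID:
        return tag, dec_oid(raw), end
    if tag == NULL:
        return tag, None, end
    return tag, raw, end


def _message(community: str, pdu_tag: int, varbinds: bytes, request_id: int) -> bytes:
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds)  # id, error-status, error-index
    header = enc_int(0) + tlv(OCTET_STRING, community.encode())   # version 0 = SNMPv1; community in cleartext
    return tlv(SEQUENCE, header + tlv(pdu_tag, pdu))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return _message(community, GET_REQUEST, tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b"")), request_id)


def build_get_response(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    vb = tlv(SEQUENCE, enc_oid(oid) + tlv(OCTET_STRING, value.encode()))
    return _message(community, GET_RESPONSE, vb, request_id)


def decode_message(datagram: bytes) -> dict:
    """Pull out the fields a packet sniffer would show for a raw SNMP datagram."""
    tag, fields, _ = parse(datagram)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = fields
    (_, req_id), (_, err_status), (_, err_index), (_, varbinds) = pdu
    return {"version": version, "community": community, "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": req_id, "error_status": err_status,
            "varbinds": [(vb[0][1], vb[1][1]) for _, vb in varbinds]}


if __name__ == "__main__":
    wire = build_get_request("public", SYS_DESCR)                  # constructed community string
    print("GetRequest :", wire.hex())
    print("decoded    :", decode_message(wire))
    reply = build_get_response("public", SYS_DESCR, "Example switch, firmware 1.2.3")  # constructed value
    print("GetResponse:", decode_message(reply))
    print("community readable in the datagram:", b"public" in wire)
```

Notice that decode_message() recovers the community string from the raw bytes with no key at all: in SNMPv1 and SNMPv2c that string is the only thing authorizing a Get or Set, and it crosses the network in the clear. That is the practical reason to run SNMPv3 with authentication and privacy, to keep read-write communities off the network entirely, and to restrict UDP 161 to your management station.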
SNMP uses UDP to transfer messages back and forth between the management system and the agents running on the managed devices (agents listen on UDP port 161; traps go to the management station on UDP port 162). Inside the UDP packets (called datagrams) are commands from the management system to the agent. These commands can be used either to get information from the device about its state (SNMP GetRequest) or to make a change in the device's configuration (SetRequest). If a GetRequest command has been sent, the device will respond with a GetResponse. If there's a piece of information that's particularly interesting to an administrator about the device, the administrator can set something called a trap on the device, and the agent will then send a notification to the management station when that event occurs rather than waiting to be polled. One caveat matters for security: in SNMPv1 and SNMPv2c, the community string that authorizes those Get and Set operations travels in the datagram in cleartext, so anyone who can capture the traffic can read it, and with a read-write community, reconfigure the device. That's why SNMPv3, with authentication and privacy, is the version to deploy, and why read-write communities should be avoided or tightly restricted.

So, no whining! Like it or not, we're going to create some solid documentation. But because I'm guessing that you really don't want to redo it, it's a very good idea to keep it safe in at least three forms:

■ An electronic copy that you can easily modify after configuration changes
■ A hard copy in a binder of some sort, stored in an easily accessible location
■ A copy on an external drive to keep in a really safe place (even off site) in case something happens to the other two or the building or part of it burns to the ground

So why the hard copy? Well, what if the computer storing the electronic copy totally crashes and burns at exactly the same time a major crisis develops? Good thing you have that paper documentation on hand for reference! Plus, sometimes you'll be troubleshooting on the run—maybe literally, as in running down the hall to the disaster's origin. Having that binder containing key configuration information on board could save you a lot of time and trouble, and it's also handy for making notes to yourself as you troubleshoot. Also, depending on the size of the intranet and the number of people staffing the IT department, it might be smart to have several hard copies.
Just always make sure they're only checked out by staff who are cleared to have them and that they're all returned to a secure location at the end of each shift. You definitely don't want that information in the wrong hands! Now that I've hopefully convinced you that you absolutely must have tight documentation, let's take a look into the different types you need on hand so you can learn how to assemble them. I'll cover schematics and diagrams next, and discuss baselines and policies, procedures, and regulations later when I cover network monitoring.

Schematics and Diagrams

Now reading network documentation doesn't exactly compete with racing your friends on jet skis, but it's really not that bad. It's better than eating canned spinach, and sometimes it's actually interesting to check out schematics and diagrams—especially when they describe innovative, elegant designs or when you're hunting down clues needed to solve an intricate problem with an elusive solution. I can't tell you how many times, if something isn't working between point A and point B, a solid diagram of the network that precisely describes exactly what exists between point A and point B has totally saved the day. Other times these tools come in handy is when you need to extend your network and you want a clear picture of how the expanded version will look and work. Will the new addition cause one part of the network to become bogged down while another remains underutilized? You get the idea. Diagrams can be simple sketches created while brainstorming or troubleshooting on the fly. They can also be highly detailed, refined illustrations created with some of the snappy software packages around today, like Microsoft Visio, SmartDraw, and a host of computer-aided design (CAD) programs. Some of the more complex varieties, especially CAD programs, are super pricey.
But whatever tool you use to draw pictures of your networks, the documents basically fall into these groups:

■ Wiring diagrams/schematics
■ Physical network diagrams
■ Logical network diagrams
■ Schematics and diagrams
■ Asset management
■ IP address utilization
■ Vendor documentation

Wiring Schematics

Wireless is definitely the wave of the future, but for now even the most extensive wireless networks have a wired backbone they rely on to connect them to the rest of humanity. That skeleton is made up of cabled physical media like coax, fiber, and twisted pair. Surprisingly, it is the latter—specifically, unshielded twisted pair (UTP)—that screams to be pictured in a diagram. You'll see why in a minute. To help you follow me, let's review what we learned in Chapter 3, "Networking Topologies, Connectors, and Wiring Standards." We'll start by checking out Figure 20.1 (a diagram!), which shows that UTP cables use an RJ-45 connector (RJ stands for registered jack).

Figure 20.1 RJ-45 connector (pins 1 through 8, numbered left to right as seen from the front of the connector and from the top of the cable)

What we see here is that pin 1 is on the left and pin 8 is on the right, so clearly, within your UTP cable, you need to make sure the right wires get to the right pins. No worries if you got your cables premade from the store, but making them yourself not only saves you a bunch of money, it allows you to customize cable lengths, which is really important! Table 20.1 matches the colors of the wire associated with each pin, based on the Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA) 568B wiring standard. Standard drop cables or patch cables have the pins in the same order on both connectors. If you're connecting a computer to another computer directly, you should already know that you need a crossover cable that has one connector with flipped wires.
Specifically, pins 1 and 3 and pins 2 and 6 get switched to ensure that the send pair from one computer's network interface card (NIC) gets attached to the receive pair on the other computer's NIC. Crossover cables were also used to connect like devices (switch to switch, hub to hub, router to router) when no uplink port was available; an uplink port is crossed over internally, which is what lets a straight-through cable do that job instead. Figure 20.2 shows you what this looks like.

Table 20.1 Standard EIA/TIA 568B wiring

Pin   Color
1     White/Orange
2     Orange
3     White/Green
4     Blue
5     White/Blue
6     Green
7     White/Brown
8     Brown

Figure 20.2 Two ends of a crossover cable

End 1 (568B)         End 2 (568A)
1. Orange/White      1. Green/White
2. Orange            2. Green
3. Green/White       3. Orange/White
4. Blue              4. Blue
5. Blue/White        5. Blue/White
6. Green             6. Orange
7. Brown/White       7. Brown/White
8. Brown             8. Brown

(Pin 1 on one end connects to pin 3 on the other, and pin 2 to pin 6; pins 4, 5, 7, and 8 run straight through.)

The crossover cable shown in Figure 20.2 is for connections up to 100BaseTX. 1000BaseT uses all four pairs, so a gigabit crossover crosses all four pairs at the opposite end, meaning pins 4 and 7 and pins 5 and 8 get crossed as well. Automatic MDI/MDI-X configuration (Auto-MDI-X), an optional feature of the 1000BaseT standard that gigabit interfaces almost universally implement, makes the need for crossover cables between gigabit-capable interfaces a thing of the past. This is where having a diagram is golden. Let's say you're troubleshooting a network and discover connectivity problems between two hosts. Because you've got the map, you know the cable running between them is brand new and custom made. This should tell you to go directly to that new cable because it's likely it was poorly made and is therefore causing the snag. Another reason it's so important to diagram all things wiring is that all wires have to plug into something somewhere, and it's really good to know what and where that is.
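Before moving on from wiring, here is the pinout logic from Table 20.1 and Figure 20.2, and the TX/RX reversal from Chapter 19's cable tips, as something you can run against a suspect cable's color sequence. This is an added example, not code from the study guide: given the wire colors at each end of a cable, it reports straight-through, 10/100 crossover, gigabit crossover, split pair, or miswire, and says which cable two devices need when neither end does Auto-MDI/MDI-X. The color strings and the device classes (MDI for stations and routers, MDI-X for switches and hubs) are this example's own conventions.

```python
"""Classify a UTP patch cable from the wire colors at its two ends.

Added example, not from the study guide: a software version of the pinout part
of a cable tester's job, using the T568A/T568B color order from Table 20.1.
The color strings and device classes are this example's own.
"""
T568A = ["white/green", "green", "white/orange", "blue", "white/blue", "orange", "white/brown", "brown"]
T568B = ["white/orange", "orange", "white/green", "blue", "white/blue", "green", "white/brown", "brown"]
PAIRS = ((1, 2), (3, 6), (4, 5), (7, 8))                  # the four twisted pairs on an RJ-45
STRAIGHT = {p: p for p in range(1, 9)}
CROSS_10_100 = {**STRAIGHT, 1: 3, 2: 6, 3: 1, 6: 2}       # 10/100 only uses pairs 1-2 and 3-6
CROSS_GIGABIT = {1: 3, 2: 6, 3: 1, 6: 2, 4: 7, 5: 8, 7: 4, 8: 5}  # 1000BaseT uses all four pairs


def _base(color: str) -> str:
    return color.split("/")[-1]                           # "white/green" and "green" form one pair


def split_pairs(end: list) -> list:
    """Pin pairs that do not carry the striped and solid wire of one twisted pair."""
    bad = []
    for p, q in PAIRS:
        a, b = end[p - 1], end[q - 1]
        if a == b or _base(a) != _base(b):
            bad.append((p, q))
    return bad


def pin_map(end_a: list, end_b: list) -> dict:
    """Which pin on end B each pin on end A reaches, following the wire color."""
    return {i + 1: end_b.index(color) + 1 for i, color in enumerate(end_a)}


def classify(end_a: list, end_b: list) -> str:
    for name, end in (("A", end_a), ("B", end_b)):
        if sorted(end) != sorted(T568B):                  # both standards use the same eight colors
            return f"end {name}: wrong or missing wire colors (open or bad crimp)"
        bad = split_pairs(end)
        if bad:
            return f"end {name}: split pair on pins {bad}"
    m = pin_map(end_a, end_b)
    if m == STRAIGHT:
        std = "T568A" if end_a == T568A else "T568B" if end_a == T568B else "non-standard pair assignment"
        return f"straight-through ({std})"
    if m == CROSS_10_100:
        return "crossover (10/100: pairs 1-2 and 3-6 swapped)"
    if m == CROSS_GIGABIT:
        return "crossover (gigabit: all four pairs swapped)"
    return f"miswired: pin map {m}"


# Pre-Auto-MDI/MDI-X rule: stations and routers transmit on pins 1-2 (MDI), switches and
# hubs on pins 3-6 (MDI-X). Like devices need a crossover, unlike devices a straight-through.
MDI = {"pc", "server", "router"}
MDIX = {"switch", "hub"}


def needed_cable(dev1: str, dev2: str) -> str:
    for dev in (dev1, dev2):
        if dev not in MDI | MDIX:
            raise ValueError(f"unknown device type {dev!r}")
    return "crossover" if (dev1 in MDI) == (dev2 in MDI) else "straight-through"


def tx_rx_ok(dev1: str, dev2: str, cable: str) -> bool:
    """False is the TX/RX reversal from Chapter 19: transmit landed on transmit."""
    return cable.startswith(needed_cable(dev1, dev2))


if __name__ == "__main__":
    gig_end = ["white/green", "green", "white/orange", "white/brown", "brown", "orange", "blue", "white/blue"]
    samples = {"store-bought patch": (T568B, T568B), "homemade": (T568B, T568A), "gigabit crossover": (T568B, gig_end)}
    for label, (a, b) in samples.items():
        kind = classify(a, b)
        print(f"{label:18s} {kind:48s} PC<->switch OK: {tx_rx_ok('pc', 'switch', kind)}")
```

Reading the colors off both RJ-45s with the clip facing away from you (pin 1 on the left, as in Figure 20.1) and feeding them to classify() is exactly the step that would have caught the "brand new and custom made" cable in the scenario above before anyone started swapping switches.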
Whether it’s into a hub, a switch, a router, a workstation, or the wall, you positively need to know the who, what, where, when, and how of the way the wiring is attached. After adding a new cable segment on your network, you need to update the wiring schematics. For medium to large networks, devices like switches and routers are rack-mounted and would look something like the switch in Figure 20.3. FIGURE 20.3 Rack-mounted switches c20.indd 04/02/2015 Page 765 766 Chapter 20 ■ Management, Monitoring, and Optimization Knowing someone’s or something’s name is important because it helps us differentiate between people and things—especially when communicating with each other. If you want to be specific, you can’t just say, “You know that router in the rack?” This is why coming up with a good naming system for all the devices living in your racks will be invaluable for ensuring that your wires don’t get crossed. Okay, I know it probably seems like we’re edging over into OCD territory, but stay with me here; in addition to labeling, well, everything so far, you should actually label both ends of your cables, too. If something happens (earthquake, tsunami, temper tantrum, even repairs) and more than one cable gets unplugged at the same time, it can get really messy scrambling to reconnect them from memory—fast! Physical Network Diagrams A physical network diagram contains all the physical devices and connectivity paths on your network and should accurately picture how your network physically fits together in glorious detail. Again, I know it seems like overkill, but ideally, your network diagram should list and map everything you would need to completely rebuild your network from scratch if you had to. This is actually what this type of diagram is designed for. But there’s still another physical network diagram variety that includes the fi rmware revision on all the switches and access points in your network. 
Remember, besides having your physical network accurately detailed, you must also clearly understand the connections, types of hardware, and their firmware revisions. I’m going to say it again—you will be so happy you have this documentation when troubleshooting! It will prevent much suffering and enable you to fix whatever the problem is so much faster!

Avoiding Confusion

Naming your network devices is no big deal, but for some reason, coming up with systems for naming devices and numbering connections can really stress people out. Let me ease the pain. Let’s say your network has two racks of switches, creatively named Block A and Block B. (I know this sounds like a prison, but it’s just to keep things simple for this example. In the real world, you can come up with whatever naming system works for you.) Anyway, I’m going to use the letters FETH for Fast Ethernet, and because each rack has six switches, I’m going to number them 1 through 6. Because we read from left to right in the West, it’s intuitive to number the ports on each switch that way, too, but again, do what works best for you. Having a solid naming system makes things so much more efficient—even if it’s a bit of a hassle to create. For instance, if you were the system administrator in this example and suddenly all the computers connected to FETHB-3 couldn’t access any network resources, you would have a pretty good idea of where to look first, right?

If you can’t diagram everything for some reason, at least make sure all network devices are listed. As I said, physical network diagrams can run from simple, hand-drawn models to insanely complex monsters created by software packages like SmartDraw, Visio, and AutoCAD. Figure 20.4 shows a simple diagram that most of us could draw by hand.
FIGURE 20.4 Simple network physical diagram (figure not reproduced; it shows the Internet connected to a router, Switch 1 and Switch 2, Server 1 (Login), Server 2 (Files), Server 3 (Mail), 2 printers, and 19 workstations)

For the artistically impaired, or if you just want a flashier version, Figure 20.5 exhibits a more complex physical diagram. This is an actual sample of what SmartDraw can do for you, and you can get it at www.smartdraw.com. Microsoft Visio provides many of these same functions, and possibly more. My last example, also courtesy of SmartDraw, includes diagrams of hardware racks, as revealed in Figure 20.6.

Don’t throw anything at me, but I need to bring up one last thing: Never forget to mirror any changes you make to your actual network in the network’s diagram. Think of it like an updated snapshot. If you give the authorities your college buddy’s baby picture after he goes missing, will that really help people recognize him as well as one taken just before he disappeared? Because they don’t make age progression software for networks, it’s smart to just keep things up to date.

Logical Network Diagrams

Physical diagrams depict how data physically flows from one area of your network to the next, but a logical network diagram includes things like protocols, configurations, addressing schemes, access lists, firewalls, types of applications, and so on—all things that apply logically to your network. Figure 20.7 shows what a typical logical network diagram looks like.

FIGURE 20.5 Network diagram with firewalls from SmartDraw (figure not reproduced; it shows the Internet, firewalls, and a group of IP clients)

Just as you mirror any physical changes you make to the physical network, like adding devices or even just a cable, on your physical diagram, you map logical changes, such as creating a new subnet, VLAN, or security zone, on your logical network diagram. And it’s equally vital that you keep this oh-so-important document up to date!
FIGURE 20.6 Hardware-rack diagram from SmartDraw (figure not reproduced; the rack diagram shows a Cisco 2960 XL switch, two Cisco 2900 XL switches, a router, an 8U rack-mount monitor, two UPS units, PC-1 through PC-9, and a NetWare 5.1 server and a RedHat 7.1 server on VLAN1)

Asset Management

Asset management involves tracking all network assets like computers, routers, switches, and hubs through their entire life cycles. Most organizations find it beneficial to utilize asset identification numbers to facilitate this process. The ISO has established standards regarding asset management. The ISO 19770 family consists of four major parts:

■ 19770-1 is a process-related standard that outlines best practices for IT asset management in an organization.
■ 19770-2 is a standard for machine encapsulation (in the form of an XML file known as a SWID tag) of inventory data—allowing users to easily identify what software is deployed on a given device.
■ 19770-3 is a standard that provides a schema for machine encapsulation of entitlements and rights associated with software licenses. The records (known as ENTs) will describe all entitlements and rights attendant to a piece of software and the method for measurement of license/entitlement consumption. This is still a draft.
■ 19770-4 allows for standardized reporting of utilization of resources. This is crucial when considering complex datacenter license types and for the management of cloud-based software and hardware (software as a service, or SaaS, and infrastructure as a service, or IaaS). This is also still a draft.
FIGURE 20.7 Logical network diagram (figure not reproduced). It shows the Internet behind an external router, a firewall, and an internal router, with these subnets: the R&D subnet 192.168.5.0/24 (file server 192.168.5.10, printers 192.168.5.20 through 192.168.5.39, workstations 192.168.5.50 through 192.168.5.99); the web server www.example.com at 192.168.3.10/24 and the mail server mail.example.com at 192.168.3.15/24; the server subnet 192.168.4.0/24 (servers 192.168.4.10 through 192.168.4.13); and the admin subnet 192.168.6.0/24 (file server 192.168.6.10, printers 192.168.6.20 through 192.168.6.39, workstations 192.168.6.50 through 192.168.6.99).

IP Address Utilization

Documenting the current IP addressing scheme can also be highly beneficial, especially when changes are required. Not only is this really helpful to new technicians, it’s very useful when identifying IP addressing issues that can lead to future problems. In many cases IP addresses are configured over a long period of time with no real thought or planning on the macro level. Current and correct documentation can help administrators identify discontiguous networks (where subnets of a major network are separated by another major network) that can cause routing protocol issues. Proper IP address design can also facilitate summarization, which makes routing tables smaller, speeding the routing process. None of these wise design choices can be made without proper IP address documentation.

Vendor Documentation

Vendor agreements often have beneficial clauses that were negotiated during the purchase process. Many also contain critical details concerning SLAs and deadlines for warranties. These documents need to be organized and stored safely for future reference. Creating a spreadsheet or some other form of tracking documentation that alerts you to upcoming dates of interest can be a huge advantage!
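Here is an added example, not from the book, of the two checks the IP Address Utilization section above says good documentation makes possible: spotting a classful major network whose subnets are split across sites (discontiguous), and working out whether each site's address block can be advertised as one summary route. The inventory of sites and prefixes is constructed for the example; the 10.1.8.0/24 entry at the branch stands in for the kind of subnet that gets carved out "over a long period of time with no real thought."

```python
import ipaddress
from collections import defaultdict

# Constructed sample IP-address documentation: (site, subnet). The sites and
# prefixes are assumptions for this example, not taken from the study guide.
INVENTORY = [
    ("HQ", "10.1.0.0/24"),
    ("HQ", "10.1.1.0/24"),
    ("HQ", "10.1.2.0/24"),
    ("HQ", "10.1.3.0/24"),
    ("Branch", "10.2.0.0/24"),
    ("Branch", "10.1.8.0/24"),   # carved out of the HQ range with no planning
    ("WAN", "172.16.0.0/30"),    # the link between the two sites
]


def classful_major(network):
    """Return the classful major network (A: /8, B: /16, C: /24) that contains
    `network`; classful routing protocols summarize at this boundary."""
    first_octet = int(network.network_address) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{network.network_address}/{prefix}", strict=False)


def discontiguous_majors(inventory):
    """Majors whose subnets live at more than one site, i.e. pieces of the same
    major network separated by a different major network (here the 172.16 WAN)."""
    sites_by_major = defaultdict(set)
    for site, cidr in inventory:
        sites_by_major[classful_major(ipaddress.ip_network(cidr))].add(site)
    return {str(major): sorted(sites)
            for major, sites in sites_by_major.items() if len(sites) > 1}


def site_summary(inventory, site):
    """Smallest single prefix covering every subnet documented at `site`: the one
    route the site's router could advertise instead of one route per subnet."""
    nets = [ipaddress.ip_network(cidr) for s, cidr in inventory if s == site]
    summary = nets[0]
    while not all(summary.supernet_of(net) for net in nets):
        summary = summary.supernet()
    return str(summary)


def summary_conflicts(inventory):
    """Cases where a site's summary would also swallow another site's subnet;
    advertising that summary would pull the other site's traffic the wrong way."""
    conflicts = []
    for site in sorted({s for s, _ in inventory}):
        summary = ipaddress.ip_network(site_summary(inventory, site))
        for other_site, cidr in inventory:
            if other_site != site and summary.overlaps(ipaddress.ip_network(cidr)):
                conflicts.append((site, str(summary), other_site, cidr))
    return conflicts


if __name__ == "__main__":
    print("discontiguous majors:", discontiguous_majors(INVENTORY))
    for site in ("HQ", "Branch", "WAN"):
        print(site, "summarizes to", site_summary(INVENTORY, site))
    for conflict in summary_conflicts(INVENTORY):
        print("summary conflict:", conflict)
```

With this inventory the HQ block collapses cleanly to 10.1.0.0/22, but the branch's stray 10.1.8.0/24 forces its summary out to 10.0.0.0/14, which overlaps every HQ subnet; that is exactly the design problem the documentation is meant to surface before anyone configures summarization.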
Network Monitoring

Identifying performance issues within the network is only one of the reasons to perform structured monitoring. Security issues also require constant monitoring. In the following sections, we’ll look into both types of monitoring and cover some of the best practices and guidelines for success.

Baselines

In networking, baseline often refers to the standard level of performance of a certain device, or to the normal operating capacity for your whole network. For instance, a specific server’s baseline describes norms for factors like how busy its processors are, how much memory it uses, and how much data usually goes through the NIC at a given time. A network baseline delimits the amount of bandwidth available and when. For networks and networked devices, baselines include information about four key components:

■ Processor
■ Memory
■ Hard-disk (or other storage) subsystem
■ Network adapter or subsystem

After everything is up and running, it’s a good idea to establish performance baselines on all vital devices and for your network in general. To do this, measure things like network usage at three different strategic times to get an accurate assessment. For instance, peak usage usually happens around 8:00 a.m. Monday through Friday, or whenever most people log in to the network in the morning. After hours or on weekends is often when usage is the lowest. Knowing these values can help you troubleshoot bottlenecks or determine why certain system resources are more limited than they should be. Knowing what your baseline is can even tell you if someone’s complaints about the network running like a slug are really valid—nice! It’s good to know that you can use network-monitoring software to establish baselines. Even some server operating systems come with software to help with network monitoring, which can help find baselines as well.
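The following is an added example (mine, not the book's) of what "establish a baseline at three strategic times" looks like in practice: one baseline per time window, and a new reading judged against the window it falls in rather than against an all-day average. The throughput samples are constructed for the example; the window names and the 3-sigma tolerance are my assumptions.

```python
import statistics

# Constructed sample: NIC throughput (Mbps) on a file server, sampled on five
# weekdays at the three strategic times the text recommends. Assumed values,
# not measurements from the study guide.
SAMPLES = {
    "08:00": [82, 85, 80, 88, 84],   # morning logon peak
    "13:00": [45, 50, 47, 49, 44],   # midday
    "22:00": [5, 4, 6, 5, 4],        # after hours
}


def build_baseline(samples):
    """Per time window, the mean and sample standard deviation of the readings.
    One baseline per window matters: 60 Mbps is ordinary at 08:00 and alarming
    at 22:00, and a single all-day average would hide both facts."""
    return {window: (statistics.mean(values), statistics.stdev(values))
            for window, values in samples.items()}


def compare_to_baseline(baseline, window, reading, k=3.0, min_tolerance=2.0):
    """Classify a new reading against its window's baseline. The tolerance is
    k standard deviations, but never below `min_tolerance`, so a metric that
    happens to be perfectly steady does not flag every tiny fluctuation."""
    mean, stdev = baseline[window]
    tolerance = max(k * stdev, min_tolerance)
    if reading > mean + tolerance:
        return "above baseline"
    if reading < mean - tolerance:
        return "below baseline"
    return "within baseline"


if __name__ == "__main__":
    baseline = build_baseline(SAMPLES)
    for window, (mean, stdev) in baseline.items():
        print(f"{window}: mean {mean:.1f} Mbps, stdev {stdev:.2f}")
    # A user complaint of "the network is slow" at 22:00 with the NIC at 60 Mbps
    # is worth a look; the same reading at 08:00 is simply Monday morning.
    print("22:00 at 60 Mbps:", compare_to_baseline(baseline, "22:00", 60))
    print("08:00 at 60 Mbps:", compare_to_baseline(baseline, "08:00", 60))
```

Re-baselining after a major upgrade is just rebuilding the dictionary from fresh samples; the comparison logic does not change.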
In my experience, it’s wise to re-baseline network performance at least once a year. And always pinpoint new performance baselines after any major upgrade to your network’s infrastructure.

On-Boarding and Off-Boarding of Mobile Devices

Increasingly, users are doing work on their mobile devices that they once performed on laptops and desktop computers. Moreover, they are demanding that they be able to use their personal devices to work on the company network. This presents a huge security issue for the IT department because they have to secure these devices while simultaneously exercising much less control over them. The security team must have a way to prevent these personal devices from introducing malware and other security issues to the network. Bring Your Own Device (BYOD) initiatives can be successful if implemented correctly. The key is to implement control over these personal devices that leave the safety of your network and return later after potentially being exposed to environments that are out of your control. One of the methods that has been employed successfully to accomplish this goal is network access control (NAC), covered in the next section.

NAC

Today’s network access control goes beyond simply authenticating users and devices before they are allowed into the network. With the challenges presented by today’s mobile workforce, it must go further. These services are called Network Admission Control in the Cisco world and Network Access Protection in the Microsoft world, but the goals of these features are the same: to examine all devices requesting network access for malware, missing security updates, and any other security issues any device could potentially introduce to the network. In some cases network access control goes beyond simply denying access to systems that fail inspection.
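To make the NAC inspection concrete, here is an added example, not the book's and not any vendor's product logic, of a posture check that maps a device's state to the three outcomes this section and the next describe: admit, send to a remediation server, or deny. The policy values, device attributes, and the rule for which failures count as fixable are all my assumptions.

```python
from dataclasses import dataclass, field

# Minimum posture the admission policy demands. Constructed values for the
# example; a real NAC product has its own policy format.
POLICY = {
    "min_patch_level": 20150301,            # assumed: date-style patch bundle id, higher is newer
    "required_agents": {"antivirus", "firewall"},
    "allowed_os": {"windows", "macos", "ios", "android"},
}


@dataclass
class Device:
    """What the NAC agent or scan reports about a device asking for access."""
    name: str
    os: str
    patch_level: int
    running_agents: set = field(default_factory=set)
    malware_detected: bool = False


def inspect(device, policy):
    """Return the list of posture failures found on the device (empty means healthy)."""
    failures = []
    if device.os not in policy["allowed_os"]:
        failures.append(f"unsupported OS {device.os}")
    if device.patch_level < policy["min_patch_level"]:
        failures.append("missing security updates")
    for agent in sorted(policy["required_agents"] - device.running_agents):
        failures.append(f"{agent} agent not running")
    if device.malware_detected:
        failures.append("malware detected")
    return failures


def admission_decision(device, policy):
    """Map the inspection results to admit, remediate, or deny."""
    failures = inspect(device, policy)
    if not failures:
        return ("admit", failures)
    # Problems a remediation server can fix by pushing patches or starting agents.
    fixable = {"missing security updates"} | {
        f"{agent} agent not running" for agent in policy["required_agents"]}
    if all(failure in fixable for failure in failures):
        return ("remediate", failures)
    # An active infection or an OS nobody can patch gets no network at all.
    return ("deny", failures)


if __name__ == "__main__":
    # Constructed devices: a managed laptop, a BYOD phone that missed updates,
    # and a tablet that came back from the road with something on it.
    for device in (
        Device("hq-laptop-01", "windows", 20150401, {"antivirus", "firewall"}),
        Device("byod-phone-07", "android", 20141201, {"antivirus"}),
        Device("byod-tablet-03", "ios", 20150401, {"antivirus", "firewall"}, True),
    ):
        print(device.name, "->", admission_decision(device, POLICY))
```

The split between "remediate" and "deny" is the design point: a device that only lacks updates is worth repairing on an isolated segment, while a device reporting malware should not touch the production network until it has been cleaned.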
NAC can even redirect the failed system to a remediation server, which will then apply patches and updates before allowing the device access to the network. These systems can be especially helpful in supporting a BYOD initiative while still maintaining the security of the network.

Policies, Procedures, and Regulations

It’s up to us, individually and corporately, to nail down exactly what solid guidelines there should be for policies and procedures for network installation and operation. Some organizations are bound by regulations that also affect how they conduct their business, and that kind of thing clearly needs to be involved in their choices. But let me take a minute to make sure you understand the difference between policies and procedures.

Policies govern how the network is configured and operated as well as how people are expected to behave on it. They’re in place to direct things like how users access resources and which employees and groups get various types of network access and/or privileges. Basically, policies give people guidelines as to what they are expected to do.

Procedures are precise descriptions of the appropriate steps to follow in a given situation, such as what to do when an employee is terminated or what to do in the event of a natural disaster. They often dictate precisely how to execute policies as well.

Of note, one of the most important aspects of any policy or procedure is that it’s given high-level management support. This is because neither will be very effective if there aren’t any consequences for not following the rules!

Policies

I talked extensively about security policies in Chapter 14, “Network Threats and Mitigation,” so if you’re drawing a blank, you can go back there for details.
Here’s a summary list of factors that most policies cover:

Security Policies These are policies applied to users to help maintain security in the network:

■ Clean-desk policies: These policies are designed to prevent users from leaving sensitive documents on unattended desks.
■ Network access (who, what, and how): These policies control which users can access which portions of the network. They should be designed around job responsibilities.
■ Acceptable-use policies: These policies should be as comprehensive as possible and should outline every action that is allowed in addition to those that are not allowed. They should also specify which devices are allowed, which websites are allowed, and the proper use of company equipment.
■ Consent to monitoring: These policies are designed to constantly remind users that their activities are subject to monitoring as they are using company equipment and as such they should have no expectation of privacy.
Change Management These policies ensure a consistent approach to managing changes to network configurations:

■ Disposal of network equipment
■ Use of recording equipment
■ How passwords are managed (length and complexity required, and how often they need to be changed)
■ Types of security hardware in place
■ How often to do backups and take other fault-tolerant measures
■ What to do with user accounts after an employee leaves the company

Procedures These are the actions to be taken in specific situations:

■ Disciplinary action to be taken if a policy is broken
■ What to do during an audit
■ How issues are reported to management
■ What to do when someone has locked themselves out of their account
■ How to properly install or remove software on servers
■ What to do if files on the servers suddenly appear to be “missing” or altered
■ How to respond when a network computer has a virus
■ Actions to take if it appears that a hacker has broken into the network
■ Actions to take if there is a physical emergency like a fire or flood

So you get the idea, right? For every policy on your network, there should be a credible related procedure that clearly dictates the steps to take in order to fulfill it. And you know that policies and procedures are as unique as the wide array of companies and organizations that create and employ them. But all this doesn’t mean you can’t borrow good ideas and plans from others and tweak them a bit to meet your requirements.

An example of a network access policy is a time-of-day restriction on logging into the network.

Standard Business Documents

In the course of supporting mergers and acquisitions, and in providing support to departments within the organization, it’s always important to keep the details of agreements in writing to reduce the risk of misunderstandings. In this section, I’ll discuss standard documents that are used in these situations.
You should be familiar with the purpose of the following documents:

Statement of Work (SOW) This document spells out all details concerning what work is to be performed, the deliverables, and the timeline a vendor must follow in performing the specified work.

Memorandum of Understanding (MOU) This is an agreement between two or more organizations that details a common line of action. It is often used in cases where parties do not have a legal commitment or in situations where the parties cannot create a legally enforceable agreement. In some cases, it is referred to as a letter of intent.

Master License Agreement (MLA) This is an agreement whereby one party is agreeing to pay another party for the use of a piece of software for a period of time. These agreements, as you would expect, are pretty common in the IT world.

Service-Level Agreement (SLA) This is an agreement that defines the allowable time in which one party must respond to issues on behalf of the other party. Most service contracts are accompanied by an SLA, which often includes security priorities, responsibilities, guarantees, and warranties.

Regulations

In contrast, regulations are rules imposed on your organization by an outside agency, like a certifying board or a government entity, and they’re usually totally rigid and immutable. The list of possible regulations that your company could be subjected to is so exhaustively long, there’s no way I can include them all in this book. Different regulations exist for different types of organizations, depending on whether they’re corporate, nonprofit, scientific, educational, legal, governmental, and so on, and they also vary by where the organization is located. For instance, US governmental regulations vary by county and state, federal regulations are piled on top of those, and many other countries have multiple regulatory bodies as well.
The Sarbanes-Oxley Act of 2002 (Sar-Ox) is an example of a regulation system imposed on all publicly traded companies in the United States. Its main goal was to ensure corporate responsibility and sound accounting practices, and although that may not sound like it would have much of an effect on your IT department, it does, because a lot of the provisions in this act target the retention and protection of data. Believe me, something as innocent sounding as deleting old emails could get you in trouble—if any of them could’ve remotely had a material impact on the company’s financial disclosures, deleting them could actually be breaking the law. All good to know, so be aware, and be careful!

I’m not going to give you a laundry list of regulations to memorize here, but I will tell you that IT regulations center around something known as the CIA triad:

■ Confidentiality: Only authorized users have access to the data.
■ Integrity: The data is accurate and complete.
■ Availability: Authorized users have access to the data when access is needed.

One of the most commonly applied regulations is the ISO/IEC 27002 standard for information security, previously known as ISO 17799, renamed in 2007 and updated in 2013. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and it is based on British Standard (BS) 7799-1:1999. The official title of ISO/IEC 27002 is Information technology - Security techniques - Code of practice for information security controls.
Although it’s beyond our scope to get into the details of this standard, know that the following items are among the topics it covers:

■ Risk assessment
■ Security policy
■ Organization of information security
■ Asset management
■ Human-resources security
■ Physical and environmental security
■ Communications and operations management
■ Access control
■ Information systems acquisition, development, and maintenance
■ Information security incident management
■ Business-continuity management
■ Compliance

So, what do you take with you from this? Your mission is clear. Know the regulations your company is expected to comply with, and make sure your IT policies and procedures are totally in line with any regulations so it’s easy for you to comply with them. No sense getting hauled off to jail because you didn’t archive an email, right?

Safety Practices

In the course of doing business, it’s the responsibility of the company to protect the safety of its workers, customers, vendors, and business partners. In the following sections, some of the issues that affect safety are considered, along with best practices and guidelines for preventing injuries and damage to equipment.

Electrical Safety

IT personnel spend a great deal of time dealing with electrical devices. Therefore, electrical safety should be stressed in all procedures. In this section, we’ll look at key issues involved with electrical safety, relevant to preventing injuries and for preventing damage to computer equipment.

Grounding

Grounding is the electrical term for providing a path for an electrical charge to follow to return to earth. To prevent injury to yourself when you are working with equipment, you should ensure that you are grounded. To avoid damaging the equipment with which you are working, it should also be grounded.
You can provide grounding to yourself or the equipment with either a grounding strap or a grounding mat. Either of these should be plugged into the ground of an electrical outlet. The way in which these devices are connected to ground is pictured in Figure 20.8.

FIGURE 20.8 Grounding methods (figure not reproduced; it shows a personnel wrist strap, ESD-protective foam and trays, an ESD-protective table mat, and an ESD-protective floor or mat, each tied to the building floor ground through a 1 MΩ resistor)

ESD

Electrostatic discharge (ESD) is the technical term for what happens whenever two objects of dissimilar charge come in contact. ESD can be generated easily by walking across a carpeted floor. While the amount of ESD generated doing that may shock you if you touch a doorknob, it’s really not enough to harm you. However, even that small amount is enough to seriously damage sensitive parts of computers. This is exactly why we ground both ourselves and the equipment—to prevent ESD damage. Always use mats and straps to prevent damage when working with computing equipment.

Static

When ESD is created, it’s a form of static energy. Extremely dry conditions in the area where computers are utilized make the problem of static electricity worse. This is why the humidity of the area must be controlled so that it’s not too humid, which causes corrosion of electrical connections, and not too dry, which causes static buildup and potential for damage.

Installation Safety

While protecting yourself from electrical injury is very important, it’s not the only safety issue you’ve got to take into consideration. Other types of injuries can also occur, ranging from a simple pulled muscle to a more serious incident requiring a trip to the hospital. The following issues related to installing equipment should also be taken into consideration.

Lifting Equipment

Oftentimes when a piece of equipment is being installed, the time pressures involved and the rush to “get ’er done” can lead to improper lifting.
Always keep in mind these safe lifting techniques:

■ Be careful to not twist when lifting. Keep the weight at the center of your body.
■ Keep objects as close to your body as possible and at waist level.
■ Lift with your legs, not your back. When you have to pick up something, bend at the knees, not at the waist. You want to maintain the natural curve of the back and spine when lifting.
■ Whenever possible, push instead of pull.

Rack Installation

Even for a small business, it’s bad business to operate computing equipment in a poor environment such as on a shelf. There is a reason so many devices come “rack ready.” Racks not only make for a neat and clean server room or closet, but when combined with proper cable management and environmental control, they provide an environment that allows the devices to breathe and stay cool. When installing racks, always follow the manufacturer’s directions and always use the correct tools! Countless screws have been ruined using the wrong tool.

Server racks are measured in terms of rack units, usually written as RU or simply U. One rack unit equals 1.75 inches (44.45mm) in height, with compliant equipment measured in multiples of U. Network switches are generally 1U to 2U, servers can range from 1U to 4U, and blade servers can be anywhere from 5U to 10U or more. I’ll cover the types of racks you’re likely to encounter in more detail later in this chapter.

Placement

The most important issue when placing devices is to ensure proper cooling and protection from moisture. It’s a good idea to align the racks and install your equipment in hot and cold aisles. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing air flow. Hot aisle/cold aisle design involves lining up racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other. The rows composed of rack fronts are called cold aisles. Typically, cold aisles face air conditioner output ducts.
The rows the heated exhausts pour into are called hot aisles and face air conditioner return ducts. Moreover, all of the racks and the equipment they hold should never be on the floor. There should be a raised floor to provide protection against water. Figure 20.9 pictures a solid arrangement:

FIGURE 20.9 Hot and cold aisles (figure not reproduced; it shows the hot aisle/cold aisle approach with precision air conditioning units, alternating hot and cold aisles, perforated tiles, cable management, and a raised floor)

Tool Safety

It’s worth mentioning again that the first step in safely using tools is to make sure you’re properly grounded. Besides practicing tool safety for your own welfare, you should do so to protect the equipment. Here are some specific guidelines to follow:

■ Avoid using pencils inside a computer. They can become a conductor and cause damage.
■ Be sure that the tools you are using have not been magnetized. Magnetic fields can be harmful to data stored on magnetic media.
■ When using compressed air to clean inside the computer, blow the air around the components with a minimum distance of 4 inches (10 centimeters) from the nozzle.
■ Clean the contacts on components with isopropyl alcohol. Do not use rubbing alcohol.
■ Never use a standard vacuum cleaner inside a computer case. The plastic parts of the vacuum cleaner can build up static electricity and discharge to the components. Use only vacuums that are approved for electronic components.

MSDS

In the course of installing, servicing, and repairing equipment, you’ll come in contact with many different types of materials. Some are safer than others. You can get all the information you need regarding the safe handling of materials by reviewing the Materials Safety Data Sheet (MSDS).
Any type of chemical, equipment, or supply that has the potential to harm the environment or people has to have an MSDS associated with it. These are traditionally created by the manufacturer and describe the boiling point, melting point, flash point, and potential health risks. You can obtain them from the manufacturer or from the Environmental Protection Agency.

Emergency Procedures

Every organization should be prepared for emergencies of all types. If possible this planning should start with the design of the facility and its layout. In this section, I’ll go over some of the components of a well-planned emergency system along with some guidelines for maintaining safety on a day-to-day basis.

Building Layout

Planning for emergencies can start with the layout of the facility. Here are some key considerations:

■ All walls should have a two-hour minimum fire rating.
■ Doors must resist forcible entry.
■ The location and type of fire suppression systems should be known.
■ Flooring in server rooms and wiring closets should be raised to help mitigate flooding damage.
■ Separate AC units must be dedicated to the information processing facilities.
■ Backup and alternate power sources should exist.

Fire Escape Plan

You should develop a plan that identifies the escape route in the event of a fire. You should create a facility map showing the escape route for each section of the building, keeping in mind that it’s better to use multiple exits to move people out quickly. These diagrams should be placed in all areas.

Safety/Emergency Exits

All escape routes on the map should have the following characteristics:

■ Clearly marked and well lit
■ Wide enough to accommodate the expected number of people
■ Clear of obstructions

Fail Open/Fail Close

Door systems that have electronic locks may lose power during a fire. When they do, they may lock automatically (fail close) or unlock automatically (fail open).
While a fail close setting may enhance security during an electrical outage, you should consider the effect it will have during an evacuation and take steps to ensure that everyone can get out of the building when the time comes.

Emergency Alert System

All facilities should be equipped with a system to alert all employees when a fire or any other type of emergency occurs. It might be advisable to connect the facility to the Emergency Alert System (EAS), which is a national warning system in the United States. One of the functions of this system is to alert the public of local weather emergencies such as tornadoes and flash floods. EAS messages are transmitted via AM and FM radio, broadcast television, cable television, and the Land Mobile Radio Service as well as VHF, UHF, and FiOS (wireline video providers).

Fire-Suppression Systems

While fire extinguishers are important and should be placed throughout a facility, when large numbers of computing devices are present, it is worth the money to protect them with a fire-suppression system. The following types of systems exist:

■ Wet pipe systems use water contained in pipes to extinguish the fire.
■ Dry pipe systems hold the water in a holding tank instead of in the pipes.
■ Preaction systems operate like a dry pipe system except that the sprinkler head holds a thermal-fusible link that must melt before the water is released.
■ Deluge systems allow large amounts of water to be released into the room, which obviously makes this not a good choice where computing equipment will be located.
■ Today, most companies use a fire-suppressant like Halon, which is known as a “Clean Agent, an electrically non-conducting, volatile, or gaseous fire extinguisher that does not leave a residue upon evaporation.” Leaving no residue means not rendering inoperative expensive networking equipment like water can do if released in a data center.
It’s remarkably safe for human exposure, meaning that it won’t poison living things, and will allow you to leave the area safely, returning only after the fire department gives the all-clear.

HVAC

The heating and air-conditioning systems must support the massive amounts of computing equipment deployed by most enterprises. Computing equipment and infrastructure devices like routers and switches do not like the following conditions:

■ Heat. Excessive heat causes reboots and crashes.
■ High humidity. It causes corrosion problems with connections.
■ Low humidity. Dry conditions encourage static electricity, which can damage equipment.

Here are some important facts to know about temperature:

■ At 100 degrees, damage starts occurring to magnetic media. In fact, floppy disks are the most susceptible.
■ At 175 degrees, damage starts occurring to computers and peripherals.
■ At 350 degrees, damage starts occurring to paper products.

Implementing Network Segmentation

Maintaining security in the network can be made easier by segmenting the network and controlling access from one segment to another. Segmentation can be done at several layers of the OSI model. The most extreme segmentation would be at Layer 1 if the networks are actually physically separated from one another. In other cases, it may be sufficient to segment a network at Layer 2 or Layer 3. Coming up next, we’ll look at some systems that require segmentation from other networks at one layer or another.

SCADA Systems/Industrial Control Systems

Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production. The most widespread is Supervisory Control and Data Acquisition (SCADA). SCADA is a system operating with coded signals over communication channels to provide control of remote equipment.
It includes the following components:

■ Sensors, which typically have digital or analog I/O; these signals are not in a form that can be easily communicated over long distances
■ Remote terminal units (RTUs), which connect to the sensors and convert sensor data to digital data (includes telemetry hardware)
■ Programmable logic controllers (PLCs), which connect to the sensors and convert sensor data to digital data (does not include telemetry hardware)
■ Telemetry systems, which connect RTUs and PLCs to control centers and the enterprise
■ Human interface, which presents data to the operator
■ ICS server, also called a data acquisition server, which uses coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions

The distributed control system (DCS) network should be a closed network, meaning it should be securely segregated from other networks. The Stuxnet virus hit the SCADA used for the control and monitoring of industrial processes.

Medianets

Medianets are networks primarily devoted to VoIP and video data that often require segmentation from the rest of the network at some layer. We implement segmentation for two reasons: first, to ensure the security of the data, and second, to ensure that the network delivers the high performance and low latency required by these applications. One such high-demand application is video teleconferencing (VTC), which I’ll cover next.

Video Teleconferencing (VTC)

IP video has ushered in a new age of remote collaboration. This has saved a great deal of money on travel expenses and enabled more efficient use of time. When you’re implementing IP video systems, consider and plan for the following issues:

■ Expect a large increase in the need for bandwidth.
■ QoS will need to be configured to ensure performance.
■ Storage will need to be provisioned for the camera recordings.
■ Initial cost may be high.

There are two types of VTC systems. Let’s look at both:

ISDN  The first VTC systems were ISDN based. These systems were based on a standard called H.320. While the bandwidth in each ISDN line is quite low by today’s standard (128Kb per line), multiple lines could be combined or bonded.

IP/SIP  VTC systems based on IP use a standard called H.323. Since these work on a packet-switched network, you don’t need a direct ISDN link between the sites. Session Initiation Protocol can also be used, and it operates over IP but lacks many of the structured call control functions that H.323 provides.

Legacy Systems

Legacy systems are those that are older and incompatible with more modern systems and equipment. They may also be less secure and no longer supported by the vendor. In some cases, these legacy systems, especially with respect to industrial control systems, use proprietary protocols that prevent them from communicating on the IP-based network. It’s a good idea to segment these systems to protect them from security issues they aren’t equipped to handle or even just to allow them to function correctly.

Separate Private/Public Networks

Public IP addressing isn’t typically used in a modern network. Instead, private IP addresses are used and Network Address Translation services are employed to convert traffic to a public IP address when the traffic enters the Internet. While this is one of the strategies used to conserve the public IP address space, it also serves to segment the private network from the public network (Internet). Hiding the actual (private) IP address of the hosts inside the network makes it very difficult to make an unsolicited connection to a system on the inside of the network from the outside.

Honeypot/Honeynet

Another segmentation tactic is to create honeypots and honeynets.
Honeypots are systems strategically configured to be attractive to hackers and to lure them into spending enough time attacking them while information is gathered about the attack. In some cases, entire networks called honeynets are attractively configured for this purpose. You need to make sure that neither of these types of systems provides direct connections to any important systems. Their ultimate purpose is to divert attention from valuable resources and to gather as much information about an attack as possible. A tarpit is a type of honeypot designed to provide a very slow connection to the hacker so that the attack takes enough time to be properly analyzed.

Testing Lab

Testing labs are used for many purposes. Sometimes they’re created as an environment for developers to test applications. They may also be used to test operating system patches and antivirus updates. These environments may even be virtual environments. Virtualization works well for testing labs because it makes it easier to ensure that the virtual networks have no physical connection to the rest of the network, providing the necessary segmentation.

Security

One of the biggest reasons for implementing segmentation is for security purposes. At Layer 1, this means complete physical separation. However, if you don’t want to go with complete segmentation, you can also segment at Layer 2 on switches by implementing VLANs and port security. This can prevent connections between systems that are connected to the same switch. VLANs can also be used to organize users into common networks regardless of their physical location. If segmentation at Layer 3 is required, it’s achieved using access control lists on routers to control access from one subnet to another or from one VLAN to another. Firewalls can implement these types of access lists as well.

Compliance

Finally, network segmentation may be required to comply with an industry regulation.
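The Layer 3 segmentation described above (an access control list on a router or firewall deciding which subnet or VLAN may talk to which) can be illustrated with a small first-match evaluator. This is an added example, not code from the study guide; the rule format, the subnets (a user VLAN, a server subnet and a management subnet) and the sample packets are constructed. Besides evaluating packets it flags rules that an earlier, wider rule shadows, the usual way a later deny silently stops working.

```python
"""Added example (not from the book): a first-match access control list of the
kind used for Layer 3 segmentation between subnets or VLANs. The rule format,
the subnets and the sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source prefix in CIDR notation, or "any"
    dst: str                      # destination prefix in CIDR notation, or "any"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port; None matches every port


def _prefix_matches(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Walk the list top-down and return the first matching rule's action.
    As on a router, an implicit deny sits at the end of the list."""
    for rule in acl:
        if (_prefix_matches(rule.src, src) and _prefix_matches(rule.dst, dst)
                and rule.proto in ("any", proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def _prefix_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(outer, strict=False).supernet_of(ip_network(inner, strict=False))


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet that would match b has already matched a."""
    return (_prefix_covers(a.src, b.src) and _prefix_covers(a.dst, b.dst)
            and a.proto in ("any", b.proto)
            and (a.dport is None or a.dport == b.dport))


def find_shadowed(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed segments
USER_VLAN = "10.10.0.0/24"     # user workstations
SERVER_NET = "10.20.0.0/24"    # servers holding sensitive data
MGMT_NET = "10.99.0.0/24"      # administrators

# Hypothetical policy applied inbound on the user VLAN: management may reach
# anything; users may reach the servers' HTTPS front end only; every other
# user-to-server flow is denied before the broad permit that lets users out.
SEGMENTATION_ACL = [
    Rule("permit", MGMT_NET, "any"),
    Rule("permit", USER_VLAN, SERVER_NET, "tcp", 443),
    Rule("deny", USER_VLAN, SERVER_NET),
    Rule("permit", USER_VLAN, "any"),
]

# The same rules with the broad permit moved up: the specific permit and the
# deny are now shadowed, so any server port is reachable from the user VLAN.
MISORDERED_ACL = [SEGMENTATION_ACL[0], SEGMENTATION_ACL[3],
                  SEGMENTATION_ACL[1], SEGMENTATION_ACL[2]]
```

Order is the whole point of a first-match list: `find_shadowed(MISORDERED_ACL)` reports the two unreachable rules, and `evaluate` shows the database port (5432 in the test) permitted from the user VLAN under the misordered list and denied under the intended one.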
For example, while it’s not strictly required, the Payment Card Industry Data Security Standard (PCI DSS) strongly recommends that the credit card network be segmented from the regular network. If you choose not to do this, your entire network must be compliant with all sections of the standard.

Network Optimization

Regardless of how well a network is functioning, you should never stop trying to optimize its performance. This is especially true when latency-sensitive applications such as VoIP, streaming video, and web conferencing are implemented. In the next several sections, I’ll discuss some techniques you can use to ensure that these applications and services deliver on their promise of increased functionality.

Reasons to Optimize Your Network’s Performance

So why do we have networks, anyway? I don’t mean this in a historical sense; I mean pragmatically. The reason they’ve become such precious resources is that as our world has become smaller and more connected, we need a way to keep in touch like never before. Networks make accessing resources easy for people who can’t be in the same location as the resources they need—including other people. In essence, networks of all types are really complex tools we use to facilitate communication from afar and to allow lots of us to access the resources we need to keep up with the demands imposed on us in today’s lightning-paced world. And use them we do—a lot! And when we have many, many people trying to access one resource like a valuable file server or a shared database, our systems can get as bogged down and clogged as a freeway at rush hour. Just as road rage can result from driving on one of those not-so-expressways, frustrated people can direct some serious hostility at you if the same thing happens when they’re trying to get somewhere using a network that’s crawling along at snail speed.
This is why optimizing performance is in everyone’s best interest—it keeps you and your network’s users happily humming along. Optimization includes things like splitting up network segments, stopping unnecessary services on servers, offloading one server’s work onto another, and upgrading outmoded hardware devices to newer, faster models. I’ll get to exactly how to make all this happen coming up soon, but first, I’m going to talk about the theories behind performance optimization and even more about the reasons for making sure performance is at its best.

In a perfect world, there would be unlimited bandwidth, but in reality, you’re more likely to find Bigfoot. So, it’s helpful to have some great strategies up your sleeve. If you look at what computers are used for today, there’s a huge difference between the files we transfer now versus those transferred even three to five years ago. Now we do things like watch movies online without them stalling, and we can send huge email attachments. Video teleconferencing is almost more common than Starbucks locations. The point is that the files we transfer today are really large compared to what we sent back and forth just a few years ago. And although bandwidth has increased to allow us to do what we do, there are still limitations that cause network performance to suffer miserably. Let’s start with a few reasons why you need to carefully manage whatever amount of precious bandwidth you’ve got.

Latency Sensitivity

Most of us have clicked to open an application or clicked a web link only to have the computer just sit there staring back at us, helplessly hanging. That sort of lag comes when the resources needed to open the program or take us to the next page are not fully available. That kind of lag on a network is called latency—the time between when data is requested and the moment it actually gets delivered.
The more latency, the longer the delay and the longer you have to stare blankly back at your computer screen, hoping something happens soon. Latency affects some programs more than others. If you are sending an email, it may be annoying to have to wait a few seconds for the email server to respond, but that type of delay isn’t likely to cause physical harm to you or a loved one. Applications that are adversely affected by latency are said to have high latency sensitivity. A common example of this is online gaming. Although it may not mean actual life or death, playing certain online games with significant delays can mean the untimely demise of your character—and you won’t even know it. Worse, it can affect the entire experience for those playing with you, which can get you booted from some game servers. On a much more serious level, applications like remote surgery also have high latency sensitivity.

High-Bandwidth Applications

Many of the applications we now use over the network would have been totally unserviceable in the past because of the high amount of bandwidth they consume. And even though technology is constantly improving to give us more bandwidth, developers are in hot pursuit, developing new applications that gobble up that bandwidth as soon as it becomes—even in advance of it becoming—available. A couple of good examples of high-bandwidth applications are VoIP and video streaming:

VoIP  Voice over Internet Protocol (VoIP) describes several technologies that work to deliver voice communications over the Internet or other data networks. In many cases, VoIP includes not only voice but video transmissions as well. VoIP allows us to send voice, video, and data all over the same connection to another location. Its most common application is video teleconferencing. Many companies are investing in VoIP systems to reduce travel costs.
Ponying up for pricey plane tickets, lodging, and rental cars adds up fast, so investing in a good VoIP system that allows the company to have virtual conferences with people in another state or country pays for itself in no time. But sadly, VoIP installations can be stressed heavily by things like really low bandwidth, latency issues, packet loss, jitter, security flaws, and reliability concerns. And in some cases, routing VoIP through firewalls and routers using address translation can prove pretty problematic as well.

Video Applications  Watching real-time video on the Internet today is great if you have a decent high-speed connection. You can watch the news, sports, movies, and pretty much anything else that you watch on television. Although viewing digital media online is so common that anyone born after the year 2000 won’t be able to remember a time when we had to watch videos on anything other than a computer, again, this requires lots of bandwidth. And excessive use can cause traffic problems even on the most robust networks!

Other Real-Time Services

While VoIP and video traffic certainly require the most attention with respect to performance and latency, other real-time services are probably in use in your network. We’re going to briefly look at presence, another example of real-time services you may not give a lot of thought to, and then I’ll compare the use of unicast and multicast in real-time services.

Presence

Presence is a function provided by many collaboration solutions that indicates the availability of a user. It signals to other users whether a user is online, busy, in a meeting, and so forth. If enabled across multiple communication tools, such as IM, phone, email, and videoconferencing, it also can help determine the communication channel on which the user is currently active and therefore which channel provides the best possibility of an immediate response.
Multicast vs Unicast

Unicast transmissions represent a one-to-one conversation, that is, data sent from a single device to another single device. On the other hand, multicast is a technology that sends information from a single source to multiple recipients and is far superior to using unicast transmission when it comes to video streaming and conferencing. While unicast transmission creates a data connection and stream for each recipient, multicast uses the same stream for all recipients. This single stream is replicated as needed by multicast routers and switches in the network. The stream is limited to branches of the network topology that actually have subscribers to the stream. This greatly reduces the use of bandwidth in the network.

Uptime

Uptime is the amount of time the system is up and accessible to your end users, so the more uptime you have the better. And depending on how critical the nature of your business is, you may need to provide four-nine or five-nine uptime on your network—that’s a lot. Why is this a lot? Because you write out four-nine as 99.99%, or better, you write out five-nine as 99.999%! Now that is some serious uptime!

How to Optimize Performance

You now know that bandwidth is to networking as water is to life, and you’re one of the lucky few if your network actually has an excess of it. Cursed is the downtrodden administrator who can’t seem to find enough, and more fall into this category than the former. At times, your very sanity may hinge upon ensuring that your users have enough available bandwidth to get their jobs done on your network, and even if you’ve got a 1Gbps connection, it doesn’t mean all your users have that much bandwidth at their fingertips. What it really means is that they get a piece of it, and they share the rest with other users and network processes.
Because it’s your job to make sure as much of that 1Gbps as possible is there to use when needed, I’m going to discuss some really cool ways to make that happen for you.

Quality of Service

Quality of service (QoS) refers to the way the resources are controlled so that the quality of services is maintained. It’s basically the ability to provide a different priority to one or more types of traffic over other levels for different applications, data flows, or users so that they can be guaranteed a certain performance level. QoS methods focus on one of five problems that can affect data as it traverses network cable:

Delay  Data can run into congested lines or take a less-than-ideal route to the destination, and delays like these can make some applications, such as VoIP, fail. This is the best reason to implement QoS when real-time applications are in use in the network—to prioritize delay-sensitive traffic.

Dropped Packets  Some routers will drop packets if they receive a packet while their buffers are full. If the receiving application is waiting for the packets but doesn’t get them, it will usually request that the packets be retransmitted—another common cause of service delays.

Error  Packets can be corrupted in transit and arrive at the destination in an unacceptable format, again requiring retransmission and resulting in delays.

Jitter  Not every packet takes the same route to the destination, so some will be more delayed than others if they travel through a slower or busier network connection. The variation in packet delay is called jitter, and this can have a nastily negative impact on programs that communicate in real time.

Out-of-Order Delivery  Out-of-order delivery is also a result of packets taking different paths through the network to their destinations.
The application at the receiving end needs to put them back together in the right order for the message to be completed, so if there are significant delays or the packets are reassembled out of order, users will probably notice degradation of an application’s quality.

QoS can ensure that applications with a required bit rate receive the necessary bandwidth to work properly. Clearly, on networks with excess bandwidth, this is not a factor, but the more limited your bandwidth is, the more important a concept like this becomes.

DSCP

One of the methods that can be used for classifying and managing network traffic and providing quality of service (QoS) on modern IP networks is Differentiated Services Code Point (DSCP), or DiffServ. DiffServ uses a 6-bit differentiated services code point (DSCP) in the 8-bit Differentiated Services field (DS field) in the IP header for packet classification. This allows for the creation of traffic classes that can be used to assign priorities to various traffic classes. In theory, a network could have up to 64 different traffic classes using different DSCPs, but most networks use the following traffic classifications:

■ Default, which is typically best-effort traffic
■ Expedited Forwarding (EF), which is dedicated to low-loss, low-latency traffic
■ Assured Forwarding (AF), which gives assurance of delivery under prescribed conditions
■ Class Selector, which maintains backward compatibility with the IP Precedence field (a field formerly used by the Type of Service, or TOS, function)

Class of Service (COS)

The second method of providing traffic classification and thus the ability to treat the classes differently is a 3-bit field called the Priority Code Point (PCP) within an Ethernet frame header when VLAN-tagged frames as defined by IEEE 802.1Q are used. This method is defined in the IEEE 802.1p standard.
It describes eight different classes of service as expressed through the 3-bit PCP field in an IEEE 802.1Q header added to the frame. These classes are shown in Table 20.2.

TABLE 20.2  Eight levels of QoS

Level  Description
0      Best effort
1      Background
2      Standard (spare)
3      Excellent load (business-critical applications)
4      Controlled load (streaming media)
5      Voice and video (interactive voice and video, less than 100ms latency and jitter)
6      Layer 3 Network Control Reserved Traffic (less than 10ms latency and jitter)
7      Layer 2 Network Control Reserved Traffic (lowest latency and jitter)

QoS levels are established per call, per session, or in advance of the session by an agreement known as a service-level agreement (SLA).

Unified Communications

Increasingly, workers and the organizations for which they work are relying on new methods of communicating and working together. Unified communications (UC) is the integration of real-time communication services such as instant messaging with non-real-time communication services such as unified messaging (integrated voicemail, email, SMS, and fax). UC allows an individual to send a message on one medium and receive the same communication on another medium. UC systems are made of several components that make sending a message on one medium and receiving the same communication on another medium possible. The following may be part of a UC system:

UC Servers  The UC server is the heart of the system. It provides call control, mobility services, and administrative functions. It may be a standalone device or in some cases a module that is added to a router.

UC Devices  UC devices are the endpoints that may participate in unified communications. This includes computers, laptops, tablets, and smartphones.

UC Gateways  UC gateways are used to tie together geographically dispersed locations that may want to make use of UC facilities.
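The two marking fields from the DSCP and Class of Service sections above are easy to confuse because both ride in the same frame at different layers. The following added example (not code from the study guide) decodes and sets both: the 6-bit DSCP in the IPv4 DS byte (with the header checksum recomputed after re-marking, as a classifier at the network edge must) and the 3-bit PCP in an IEEE 802.1Q tag. The sample frame, addresses and VLAN number are constructed; the PCP names come from Table 20.2, and the DSCP encodings (CSx = x<<3, AFxy = (x<<3)|(y<<1), EF = 46) are the standard DiffServ values.

```python
"""Added example (not from the book): decoding and setting the two QoS markings
described above, the 6-bit DSCP in the IPv4 DS byte and the 3-bit PCP in an
IEEE 802.1Q tag. The headers and frames below are constructed for illustration."""
import struct
from ipaddress import ip_address

EF = 46                                 # Expedited Forwarding


def cs(x: int) -> int:
    """Class Selector x, backward compatible with IP Precedence x."""
    return x << 3


def af(x: int, y: int) -> int:
    """Assured Forwarding class x (1-4), drop precedence y (1-3)."""
    return (x << 3) | (y << 1)


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP to the class it belongs to."""
    if dscp == 0:
        return "Default"
    if dscp == EF:
        return "EF"
    x, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{x}"
    if 1 <= x <= 4 and low in (2, 4, 6):
        return f"AF{x}{low // 2}"
    return "unassigned"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(ipv4_header: bytes) -> bool:
    return struct.unpack("!H", ipv4_header[10:12])[0] == ipv4_checksum(ipv4_header)


def make_ipv4_header(src: str, dst: str, proto: int = 17, dscp: int = 0, length: int = 200) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no options)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, length, 0, 0, 64, proto, 0,
                                ip_address(src).packed, ip_address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def parse_ds_byte(ipv4_header: bytes):
    """Return (dscp, ecn): the DS field is the old ToS byte, upper 6 bits DSCP, lower 2 bits ECN."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = ipv4_header[1]
    return ds >> 2, ds & 0b11


def set_dscp(ipv4_header: bytes, dscp: int) -> bytes:
    """Re-mark the DSCP, preserving the ECN bits and recomputing the header checksum
    so that the next hop does not discard the packet."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    hdr = bytearray(ipv4_header)
    hdr[1] = (dscp << 2) | (hdr[1] & 0b11)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


# PCP names as listed in Table 20.2
PCP_NAMES = {0: "Best effort", 1: "Background", 2: "Standard (spare)",
             3: "Excellent load", 4: "Controlled load", 5: "Voice and video",
             6: "Layer 3 network control", 7: "Layer 2 network control"}


def build_dot1q_frame(dst_mac: bytes, src_mac: bytes, vid: int, pcp: int,
                      ethertype: int, payload: bytes) -> bytes:
    """Insert an 802.1Q tag: TPID 0x8100, then TCI = PCP(3) | DEI(1) | VID(12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, tci, ethertype) + payload


def parse_dot1q(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, or None when the frame carries no tag."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def classify(frame: bytes) -> dict:
    """Summarise both markings of a tagged IPv4 frame, as a QoS policy would read them."""
    tag = parse_dot1q(frame)
    ip_start = 18 if tag else 14
    dscp, ecn = parse_ds_byte(frame[ip_start:ip_start + 20])
    return {"pcp": tag[0] if tag else None, "cos": PCP_NAMES.get(tag[0]) if tag else None,
            "dscp": dscp, "phb": dscp_name(dscp), "ecn": ecn}


# Constructed sample: a VoIP packet marked EF inside a VLAN 100 frame tagged PCP 5
SAMPLE_FRAME = build_dot1q_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                                 vid=100, pcp=5, ethertype=0x0800,
                                 payload=make_ipv4_header("10.1.1.10", "10.2.2.20", dscp=EF)
                                 + b"\x00" * 180)
```

`classify(SAMPLE_FRAME)` reports PCP 5 ("Voice and video") at Layer 2 and DSCP 46 (EF) at Layer 3 for the same packet; the PCP is lost when the tag is stripped at a trunk boundary, which is why the DSCP is the marking that survives across routed hops.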
They are used to connect the IP-based network with the Public Switched Telephone Network (PSTN).

Traffic Shaping

Traffic shaping, or packet shaping, is another form of bandwidth optimization. It works by delaying packets that meet certain criteria to guarantee usable bandwidth for other applications. Traffic shaping is basically traffic triage—you’re really just delaying attention to some traffic so other traffic gets A-listed through. Traffic shaping uses bandwidth throttling to ensure that certain data streams don’t send too much data in a specified period of time as well as rate limiting to control the rate at which traffic is sent. Most often, traffic shaping is applied to devices at the edge of the network to control the traffic entering the network, but it can also be deployed on devices within an internal network. The devices that control it have what’s called a traffic contract that determines which packets are allowed on the network and when. You can think of this kind of like the stoplights on busy freeway on-ramps, where only so much traffic is allowed onto the road at one time, based on predefined rules. Even so, some traffic (like carpools and emergency vehicles) is allowed on the road immediately. Delayed packets are stored in the managing device’s first-in, first-out (FIFO) buffer until they’re allowed to proceed per the conditions in the contract. If you’re the first car at the light, this could happen immediately. If not, you get to go after waiting briefly until the traffic in front of you is released.

Load Balancing

Load balancing refers to a technique used to spread work out to multiple computers, network links, or other devices. Using load balancing, you can provide an active/passive server cluster in which only one server is active and handling requests.
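The traffic contract, FIFO buffer and "emergency vehicle" lane described in the Traffic Shaping section above can be modelled with a token bucket. The following is an added example, not code from the study guide: the contract is a sustained rate plus a burst allowance, non-conforming packets wait in a FIFO until enough tokens accumulate, and a bypass class (here "voice", an assumption) is forwarded immediately. Times are integer milliseconds and the packet arrivals are constructed.

```python
"""Added example (not from the book): a token-bucket shaper with a FIFO delay
queue and a bypass class, modelling the 'traffic contract' and on-ramp metering
described in the Traffic Shaping section. Times are integer milliseconds, rates
are bytes per millisecond, and the packet arrivals are constructed."""
from collections import deque


class TokenBucketShaper:
    """Contract: 'rate' bytes/ms sustained, at most 'burst' bytes at once.
    Non-conforming packets wait in a FIFO until enough tokens accumulate;
    packets of a class in 'bypass' are forwarded at once, like emergency
    vehicles waved past the on-ramp meter."""

    def __init__(self, rate: int, burst: int, bypass=()):
        self.rate, self.burst = rate, burst
        self.tokens = burst          # bucket starts full
        self.last = 0                # time of the last refill
        self.queue = deque()         # (packet_id, size, arrival_time)
        self.bypass = set(bypass)

    def _refill(self, now: int) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def release_until(self, limit=None):
        """Release queued packets, in order, whose tokens are available by 'limit'
        (all of them when limit is None). Returns (id, arrived, sent) events."""
        sent = []
        while self.queue:
            pkt_id, size, arrived = self.queue[0]
            shortfall = max(0, size - self.tokens)
            ready_at = self.last + -(-shortfall // self.rate)   # ceiling division
            if limit is not None and ready_at > limit:
                break                                          # head-of-line blocking: FIFO
            self._refill(ready_at)
            self.tokens -= size
            self.queue.popleft()
            sent.append((pkt_id, arrived, ready_at))
        if limit is not None:
            self._refill(limit)
        return sent

    def arrive(self, now: int, pkt_id: str, size: int, cls: str = "data"):
        """Handle a packet arriving at 'now'; returns the events released at this instant."""
        sent = self.release_until(now)   # first let earlier traffic through
        if cls in self.bypass:           # bypass traffic is not metered against the contract
            sent.append((pkt_id, now, now))
        elif not self.queue and size <= self.tokens:
            self.tokens -= size          # conforming packet: send immediately
            sent.append((pkt_id, now, now))
        else:                            # non-conforming, or others already waiting: queue
            self.queue.append((pkt_id, size, now))
        return sent


def run_shaper(shaper: TokenBucketShaper, arrivals):
    """arrivals: iterable of (time_ms, id, size_bytes, class). Returns {id: sent_ms}."""
    events = []
    for t, pkt_id, size, cls in sorted(arrivals):
        events.extend(shaper.arrive(t, pkt_id, size, cls))
    events.extend(shaper.release_until())     # flush whatever is still queued
    return {pkt_id: sent for pkt_id, _arrived, sent in events}


# Constructed arrivals: three 1000-byte data packets land at once, then a
# 200-byte voice packet 100 ms later. Contract: 1 byte/ms (1000 B/s), 1500-byte burst.
ARRIVALS = [(0, "d1", 1000, "data"), (0, "d2", 1000, "data"),
            (0, "d3", 1000, "data"), (100, "v1", 200, "voice")]


def with_voice_bypass():
    return run_shaper(TokenBucketShaper(rate=1, burst=1500, bypass={"voice"}), ARRIVALS)


def without_bypass():
    return run_shaper(TokenBucketShaper(rate=1, burst=1500), ARRIVALS)
```

With the bypass the voice packet leaves at 100 ms while the data packets drain at the contracted rate (0, 500 and 1500 ms); without it the voice packet sits behind the data in the FIFO and leaves at 1700 ms, which is the delay and jitter problem the QoS section warns about.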
For example, your favorite Internet site might actually consist of 1 of 20 servers that all appear to be the same exact site because that site’s owner wants to ensure that its users always experience quick access. You can accomplish this on a network by installing multiple, redundant links to ensure that network traffic is spread across several paths and to maximize the bandwidth on each link. Think of this as like having two or more different freeways that will both get you to your destination equally well—if one is really busy, just take the other one.

High Availability

High availability is a system-design protocol that guarantees a certain amount of operational uptime during a given period. The design attempts to minimize unplanned downtime—the time users are unable to access resources. In almost all cases, high availability is provided through the implementation of duplicate equipment (multiple servers, multiple NICs, etc.). Organizations that serve critical functions obviously need this; after all, you really don’t want to blaze your way to a hospital ER only to find that they can’t treat you because their network is down!

There’s a difference between planned downtime and unplanned downtime. Planned downtime is good—it’s occasionally scheduled for system maintenance and routine upgrades. Unplanned downtime is bad: It’s a lack of access due to system failure, which is exactly the issue high availability resolves.

One of the highest standards in uptime is the ability to provide the five-nine availability I mentioned earlier. This actually means the network is accessible 99.999% of the time—way impressive! Think about this. In one non-leap year, there are 31,536,000 seconds. If you are available 99.999% of the time, it means you can be down only 0.001% of the time, or a total of 315.36 seconds, or 5 minutes and 15.36 seconds per year—wow!

There’s a difference between uptime and availability.
Your servers may be up but not accessible if a cable gets cut or something, and that outage would definitely count against your availability time.

Caching Engines

A cache is a collection of data that duplicates key pieces of original data. Computers use caches all the time to temporarily store information for faster access, and processors have both internal and external caches available to them, which speeds up their response times. A caching engine is basically a database on a server that stores information people need to access fast. The most popular implementation of this is with web servers and proxy servers, but caching engines are also used on internal networks to speed up access to things like database services.

Fault Tolerance

Fault tolerance means that even if one component fails, you won’t lose access to the resource it provides. To implement fault tolerance, you need to employ multiple devices or connections that all provide a way to access the same resource(s). A familiar form of fault tolerance is configuring an additional hard drive to be a mirror image of another so that if either one fails, there’s still a copy of the data available to you. In networking, fault tolerance means that you have multiple paths from one point to another. What’s really cool is that fault-tolerant connections can be configured to be available either on a standby basis only or all the time if you intend to use them as part of a load-balancing system.

Archives/Backups

While providing redundancy to hardware components is important, the data that resides on the components must also be archived in case a device where the data is stored has to be replaced. It could be a matter of replacing a hard drive on which the data cannot be saved and restoring the data from tape backup.
Or suppose RAID has been enabled in a system; in that case, the loss of a single hard drive will not present an immediate loss of access to the data (although a replacement of the bad drive will be required to recover from another drive failure). RAID systems are covered in more detail in Chapter 15, “Physical Security and Risk.”

With regard to the data backups, they must be created on a schedule and tested regularly to ensure that a data restoration is successful. The three main data backup types are full backups, differential backups, and incremental backups. But to understand them, you must grasp the concept of archive bits. When a file is created or updated, the archive bit for the file is enabled. If the archive bit is cleared, the file will not be archived during the next backup. If the archive bit is enabled, the file will be archived during the next backup. The end result is that each type of backup differs in the amount of time taken, the amount of data backed up, whether unchanged data is backed up repeatedly, and the number of tapes required to restore the data. Keep these key facts in mind:

■ If you use a full backup once a week and differential backups the other days of the week, to restore you will only need the last full backup tape and the last differential tape. This is the fastest restore.
■ If you use a full backup once a week and incremental backups the other days of the week, to restore you will need the last full backup tape and all of the incremental tapes. This is the slowest restore.

A comparison of the three main backup types is shown in Figure 20.10.
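The archive-bit mechanics and the two restore rules just stated can be checked by simulating a week of backups. This is an added example, not code from the study guide: a full backup copies everything and clears every archive bit, an incremental copies only files with the bit set and clears them, and a differential copies the same files but leaves the bits set, so it grows until the next full. The file names and the daily change schedule are constructed; deleted files are not modelled.

```python
"""Added example (not from the book): full, differential and incremental backups
driven by per-file archive bits, and the tape set each schedule needs for a
restore, as described in the Archives/Backups section. File names and the
change schedule are constructed."""


class FileSystem:
    """Each file carries an archive bit that is set whenever it is created or updated."""

    def __init__(self):
        self.files = {}   # name -> {"content": str, "archive": bool}

    def write(self, name: str, content: str) -> None:
        self.files[name] = {"content": content, "archive": True}

    def snapshot(self) -> dict:
        return {name: f["content"] for name, f in self.files.items()}


class Tape:
    def __init__(self, kind: str, day: int, data: dict):
        self.kind, self.day, self.data = kind, day, data   # data: name -> content


def backup(fs: FileSystem, kind: str, day: int) -> Tape:
    """Run one backup job of the given kind: 'full', 'differential' or 'incremental'."""
    if kind == "full":
        selected = fs.snapshot()                      # everything, bit or no bit
    elif kind in ("differential", "incremental"):
        selected = {n: f["content"] for n, f in fs.files.items() if f["archive"]}
    else:
        raise ValueError(kind)
    # Full and incremental jobs clear the bit; a differential leaves it set, so
    # each differential keeps copying everything changed since the last full.
    if kind in ("full", "incremental"):
        for f in fs.files.values():
            f["archive"] = False
    return Tape(kind, day, selected)


def tapes_needed(tapes):
    """Tapes required to rebuild the latest state, in the order to apply them: the
    last full, every incremental after it, and only the last differential after it."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "full")
    later = range(last_full + 1, len(tapes))
    keep = [i for i in later if tapes[i].kind == "incremental"]
    diffs = [i for i in later if tapes[i].kind == "differential"]
    if diffs:
        keep.append(diffs[-1])
    return [tapes[i] for i in sorted([last_full] + keep)]


def restore(tapes) -> dict:
    state = {}
    for tape in tapes_needed(tapes):   # later tapes overwrite older copies
        state.update(tape.data)
    return state


def run_week(strategy: str):
    """Constructed schedule: full on day 0, then 'strategy' jobs on days 1 to 3."""
    fs = FileSystem()
    for name in ("payroll.xlsx", "notes.txt", "config.ini"):
        fs.write(name, "v1")
    tapes = [backup(fs, "full", 0)]
    changes = {1: [("payroll.xlsx", "v2")], 2: [("notes.txt", "v2")], 3: [("payroll.xlsx", "v3")]}
    for day in (1, 2, 3):
        for name, content in changes[day]:
            fs.write(name, content)
        tapes.append(backup(fs, strategy, day))
    return fs, tapes


def compare() -> dict:
    """For each schedule: files copied per job, tapes a restore needs, and whether
    the restore reproduces the live file system (the 'test your backups' check)."""
    out = {}
    for strategy in ("differential", "incremental"):
        fs, tapes = run_week(strategy)
        out[strategy] = {"files_per_tape": [len(t.data) for t in tapes],
                         "tapes_to_restore": len(tapes_needed(tapes)),
                         "restore_matches": restore(tapes) == fs.snapshot()}
    return out
```

`compare()` shows the trade-off from Figure 20.10 in numbers: the differential tapes copy 1, 2 and 2 files and a restore needs 2 tapes, while the incremental tapes copy 1, 1 and 1 files and a restore needs all 4.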
FIGURE 20.10  Backup types

Backup Type          Data Backed Up                   Backup Time  Restore Time  Storage Space
Full backup          All data                         Slowest      Fast          High
Incremental backup   Only new/modified files/folders  Fast         Moderate      Lowest
Differential backup  All data since last full         Moderate     Fast          Moderate

Common Address Redundancy Protocol

Common Address Redundancy Protocol (CARP) provides IP-based redundancy, allowing a group of hosts on the same network segment (referred to as a redundancy group) to share an IP address. One host is designated the master and the rest are backups. The master host responds to any traffic or ARP requests directed toward it. Each host may belong to more than one redundancy group at a time. One of its most common uses is to provide redundancy for devices such as firewalls or routers. The virtual IP address (this is another name for the shared group IP address) will be shared by a group of routers or firewalls. The client machines use the virtual IP address as their default gateway. In the event that the master router suffers a failure or is taken offline, the IP will move to one of the backup routers and service will continue. Other protocols that use similar principles are Virtual Router Redundancy Protocol and the Hot Standby Router Protocol.

Virtual Networking

Over the last few years, one of the most significant developments helping to increase the efficient use of computing resources—leading to an increase in network performance without an increase in spending on hardware—has been the widespread adoption of virtualization technology. You can’t read an industry publication without coming across the term cloud computing within 45 seconds! The concept of virtualization is quite simple. Instead of dedicating a physical piece of hardware to every server, run multiple instances of the server operating system, each in its own “virtual environment” on the same physical piece of equipment.
This saves power, maximizes the use of memory and CPU resources, and can even help to “hide” the physical location of each virtual server. Virtual computing solutions come from a number of vendors. The following are some of the more popular currently:

■ VMware vSphere
■ Microsoft Hyper-V
■ Citrix XenServer

All of these solutions work on the same basic concept but each has its own unique features, and of course all claim to be the best solution. In the following sections, I will discuss the building blocks of virtualization rather than the specific implementation from any single vendor.

Onsite vs Offsite

Often you hear the terms public cloud and private cloud. Clouds can be thought of as virtual computing environments where virtual servers and desktops live and can be accessed by users. A private cloud is one in which this environment is provided to the enterprise by a third party for a fee. This is a good solution for a company that has neither the expertise nor the resources to manage their own cloud yet would like to take advantage of the benefits that cloud computing offers:

■ Increased performance
■ Increased fault tolerance
■ Constant availability
■ Access from anywhere

These types of clouds might be considered offsite or public. On the other hand, for the organization that has the expertise and resources, a private or onsite solution might be better and might be more secure. This approach will enjoy the same benefits as a public cloud and may offer more precise control and more options to the organization.

Virtual Networking Components

Virtualization can be deployed in several different ways to deliver cost-effective solutions to different problems. Each of the following components can have its place in the solution:

Virtual Servers  Virtual servers can perform all the same functions as physical servers but can enjoy some significant advantages.
By clustering a virtual server with other virtual servers located on different hosts, you can achieve fault tolerance in the case of a host failure. Increased performance can also be derived from this approach. The virtualization software can allow you to allocate CPU and memory resources to the virtual machines (VMs) dynamically as needed, to ensure that the maximum amount of computing power is available to any single VM at any moment while not wasting any of that power on an idle VM. In fact, where VMs have been clustered, they may even be suspended or powered down in times of low demand in the cluster.

Virtual Switches
Virtual switches are software versions of a Layer 2 switch that can be used to create virtual networks. They can be used for the same purposes as physical switches: VLANs can be created, virtual servers can be connected to the switches, and the virtual network can be managed, all while residing on the same physical box. These switches can also span multiple hosts (the physical machines that house multiple virtual servers, desktops, and switches are called hosts). Distributed virtual switches are switches that span multiple hosts; they are what link together the VMs that are located on different hosts yet are members of the same cluster. Because the virtual switch is where a VM's traffic first enters the network, it is also the first place to enforce Layer 2 policy: which VLAN a VM may use, and whether it may send frames from a MAC address other than the one assigned to its vNIC.

Virtual vs Physical NICs
Figure 20.11 shows the relationship between a physical server and the virtual servers and virtual switches that it hosts. The virtual servers, called virtual machines (VMs), have virtual network cards (vNICs) that connect to the virtual switch. Keep in mind that all three of these components are software running on the same physical server. The virtual switch then makes a software connection to the physical NIC on the physical host, which makes a physical connection to the physical switch in the network.
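The virtual switch and vNIC relationship just described, as an added example that is not part of the book and is not any hypervisor vendor's code: a minimal software Layer 2 switch with access ports for the VMs and a trunk "uplink" standing in for the host's physical NIC. The port names, VLAN numbers and the locally administered MAC addresses (02:…) are constructed for the example.

```python
"""A minimal software Layer 2 switch (illustrative; not a vendor's vSwitch).

Access ports belong to exactly one VLAN. The uplink port models the virtual
switch's connection to the host's physical NIC: it is a trunk that carries
every VLAN and expects an 802.1Q tag on frames it receives. The switch learns
source MACs per VLAN, forwards known destinations to a single port, floods
unknown and broadcast destinations within the VLAN only, and never lets a
frame cross from one VLAN to another.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VirtualSwitch:
    def __init__(self, uplink="uplink"):
        self.uplink = uplink
        self.access = {}                    # access port -> VLAN id
        self.mac_table = defaultdict(dict)  # vlan -> {mac: port}
        self.uplink_sources = set()         # source MACs the physical NIC has sent

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def _vlan_of(self, in_port, tag):
        if in_port in self.access:          # untagged frame: use the port's VLAN
            return self.access[in_port]
        if in_port == self.uplink and tag is not None:
            return tag                      # trunk frame: VLAN comes from the tag
        return None                         # untagged trunk frame or unknown port

    def _members(self, vlan):
        return [p for p, v in self.access.items() if v == vlan] + [self.uplink]

    def forward(self, in_port, src, dst, tag=None):
        """Return the egress ports for one frame; an empty list means dropped."""
        vlan = self._vlan_of(in_port, tag)
        if vlan is None:
            return []
        self.mac_table[vlan][src] = in_port            # learn where src lives
        if dst != BROADCAST and dst in self.mac_table[vlan]:
            out = self.mac_table[vlan][dst]
            egress = [] if out == in_port else [out]   # known destination
        else:
            egress = [p for p in self._members(vlan) if p != in_port]  # flood in VLAN
        if self.uplink in egress:
            self.uplink_sources.add(src)
        return egress


def demo():
    """Three VMs on one host: vm1 and vm2 in VLAN 10, vm3 in VLAN 20."""
    sw = VirtualSwitch()
    sw.add_access_port("vm1", 10)
    sw.add_access_port("vm2", 10)
    sw.add_access_port("vm3", 20)
    vm1, vm2, vm3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    ext = "02:00:00:00:00:99"               # a host beyond the physical switch
    r = {}
    r["unknown_dst_floods"] = sw.forward("vm1", vm1, vm2)          # vm2 not learned yet
    r["learned_dst_unicast"] = sw.forward("vm2", vm2, vm1)         # vm1 learned above
    r["cross_vlan_blocked"] = sw.forward("vm3", vm3, vm1)          # VLAN 20 never sees vm1
    r["tagged_from_uplink"] = sw.forward("uplink", ext, vm1, tag=10)
    r["untagged_from_uplink"] = sw.forward("uplink", ext, vm1)     # no tag on trunk: drop
    r["macs_seen_on_uplink"] = sorted(sw.uplink_sources)           # several MACs, one NIC
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth taking from the run: the frame from vm3 in VLAN 20 addressed to vm1's MAC is flooded only to the VLAN 20 members (here just the uplink) and never reaches vm1, and the uplink ends up carrying frames from more than one source MAC, which is exactly what the physical switch port facing the host will see. This toy switch does not check that a VM's source MAC matches its vNIC; production virtual switches expose that as a security policy, and the physical switch port must allow as many MAC addresses as there are VMs behind it.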
Figure 20.11 Virtualization: a physical server hosts three virtual machines, each with a virtual NIC (vNIC); the vNICs connect to a software virtual switch, which connects to the host's physical network interface card (NIC), which in turn connects to the physical (hardware) switch.

It is interesting to note, and important to be aware of, that the physical NIC in Figure 20.11 will actually transmit frames from multiple MAC addresses, since each of the virtual servers has its own unique virtual MAC address. The physical switch therefore sees several source MACs on that one port; port-security features that limit the number of MAC addresses per port must be sized for the VMs behind it, or their traffic will be dropped.

Virtual Routers
In virtualized environments, virtual routers are typically implemented as specialized software. They consist of individual routing and forwarding tables, each of which could be considered a virtual router.

Virtual Firewall
Virtual firewalls are also implemented as software in the virtualized environment. Like their physical counterparts, they can be used to restrict traffic between virtual subnets created by virtual routers.

Software-Defined Networking
Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services.

Virtual Desktops
Using operating system images for desktop computers is not a new concept. Delivering these desktop images to users from a virtual environment when they start their computer is. This allows the user desktop to require less computing power, especially if the applications are also delivered virtually and are running in a VM in the cloud rather than on the local desktop, eating up local resources.
Another benefit of using virtual desktops is the ability to maintain a consistent user environment (same desktop, applications, etc.), which can enhance user support. Thin computing takes this a step further. In this case, all of the computing takes place on the server. A thin client simply displays the output from the operating system running in the cloud, and the keyboard is used to interact with that operating system in the cloud. Does this sound like dumb terminals with a GUI to anyone yet? Back to the future indeed! The thin client needs very little processing power for this job.

Virtual PBX
A virtual PBX is an example of what is called software as a service (SaaS). A hosting company manages the entire phone system for the company, freeing the organization from the need to purchase and manage the physical equipment that would otherwise be required to provide the same level of service. To the outside world, the company appears to have a professional phone system, while everything is actually being routed through the hosting company's system.

Network as a Service (NaaS)
Now that you know what SaaS is, you can probably guess what NaaS is. You guessed it: a network hosted and managed by a third party on behalf of the company. For many enterprises, it makes more sense to outsource the management of the network to a third party when it is not cost effective to maintain a networking staff. An example of a platform used to build such offerings is OpenStack, an open-source cloud operating system (packaged by Cisco among other vendors) that provides compute, storage, and networking services.

Storage Area Network
Storage area networks (SANs) comprise high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using a storage-specific switch. This storage information architecture addresses the collection of data, management of data, and use of data.
In this section, we'll take a look at the protocols that can be used to access the data and the client systems that can use those various protocols. We'll also look at an alternative to a SAN, network-attached storage (NAS).

iSCSI
Internet Small Computer System Interface (iSCSI) is an IP-based storage networking standard that encapsulates SCSI commands (the block-level commands used with storage area networks) in TCP/IP packets. This allows the same network to be used for storage as for the rest of the traffic. Because it rides on ordinary IP, the storage traffic also inherits ordinary IP risks: iSCSI is not encrypted by default, so in practice it is kept on a dedicated, non-routed storage VLAN and initiators are authenticated to targets with CHAP. A comparison of a regular SAN that uses the Fibre Channel protocol and one using iSCSI is shown in Figure 20.12. I'll talk more about Fibre Channel in the next section.

Figure 20.12 Classic SAN vs iSCSI: in the classic SAN, database, file, and HTTP clients reach the web, file, and database servers over the IP network, and those servers reach their storage over a separate Fibre Channel network; in the iSCSI design, one IP network carries both the client traffic and the servers' storage traffic.

Fibre Channel
Fibre Channel, or FC, is a high-speed network technology (commonly running at 2-, 4-, 8-, and 16-gigabit-per-second rates) primarily used to connect computer data storage. It operates on its own, typically optical, network that is not compatible with the regular IP-based data network. As you can see in Figure 20.12, this protocol runs on a private network that connects the servers to the storage. Fibre Channel over Ethernet (FCoE), on the other hand, encapsulates Fibre Channel traffic within Ethernet frames, much as iSCSI encapsulates SCSI commands in IP packets. However, unlike iSCSI, it does not use IP at all, so it cannot be routed; it lets FC traffic share the Ethernet switches with the IP traffic, but only within a single Layer 2 domain.

Jumbo Frames
Jumbo frames are Ethernet frames with more than 1,500 bytes of payload; the common configuration is a 9,000-byte payload. Carrying the same data in fewer, larger frames reduces per-frame header overhead and the CPU cycles spent processing frames.
In high-speed networks such as those typically used in a SAN, it may be advisable to enable jumbo frames to improve performance. The caveat is that every interface and switch port in the path must be configured for the same MTU; a device still set to 1,500 bytes will drop the oversized frames, which shows up as storage that works for small transfers and stalls on large ones.

Network-Attached Storage
Network-attached storage (NAS) serves the same function as a SAN, but clients access the storage in a different way. In a NAS configuration, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use file-level protocols such as NFS, CIFS, and HTTP to connect to the NAS and share files. In a SAN configuration, only devices that can attach to the Fibre Channel (or iSCSI) network can access the data at the block level, so access is typically provided through a server with this capability. A comparison of the two systems is shown in Figure 20.13.

Figure 20.13 NAS and SAN: network-attached storage is a custom file server with a RAID disk array attached to the IP-based Ethernet LAN, reached by the application servers over the application network; a storage area network connects the application and database servers to the RAID disk array over a separate Fibre Channel SAN.

Cloud Concepts

Cloud storage locates the data on a central server, but unlike an internal data center in the LAN, the data is accessible from anywhere and in many cases from a variety of device types. Moreover, cloud solutions typically provide fault tolerance and dynamic computer resource (CPU, memory, network) provisioning. Cloud deployments can differ in two ways:
■ The entity that manages the solution
■ The percentage of the total solution provided by the vendor

First, let's look at the options relative to the entity that manages the solution:
■ Private cloud: This is a solution owned and managed by one company solely for that company's use.
■ Public cloud: This is a solution provided by a third party. It offloads the details to the third party but gives up some control and can introduce security issues, since the company's data and workloads share the provider's infrastructure with other customers.
■ Hybrid cloud: This is some combination of private and public.
For example, perhaps you only use the facilities of the provider but still manage the data yourself.
■ Community cloud: This is a solution owned and managed by a group of organizations that create the cloud for a common purpose.

There are several levels of service that can be made available through a cloud deployment:
■ Infrastructure as a service (IaaS): The vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.
■ Platform as a service (PaaS): The vendor provides the hardware platform or data center and the platform software running on it (operating system, runtime, middleware); the company deploys and manages its own applications and data.
■ Software as a service (SaaS): The vendor provides the entire solution. This includes the operating system, infrastructure software, and the application.

Locating and Installing Equipment

When infrastructure equipment is purchased and deployed, the ultimate success of the deployment can depend on selecting the proper equipment, determining its proper location in the facility, and installing it correctly. Let's look at some common data center or server room equipment and a few best practices for managing these facilities.

Main Distribution Frame
The main distribution frame (MDF) connects equipment (inside plant) to cables and subscriber carrier equipment (outside plant). It also terminates cables that run to intermediate distribution frames distributed throughout the facility.

Intermediate Distribution Frame
An intermediate distribution frame (IDF) serves as a distribution point for cables from the main distribution frame (MDF) to individual cables connected to equipment in areas remote from these frames. The relationship between the IDFs and the MDF is shown in Figure 20.14.
Figure 20.14 MDF and IDFs: a main distribution frame (MDF) feeds intermediate distribution frames (IDFs) over fiber-optic cable, and each IDF feeds the end equipment over Cat 5 UTP.

Cable Management

While some parts of our network may be wireless, the lion's share of the network will be connected with cables. The cables come together in large numbers at distribution points, where managing them becomes important both to protect the integrity of the cables and to prevent overheating of the infrastructure devices caused by masses of unruly cabling. The points of congestion typically occur at the patch panels.

Patch panels terminate cables from wall or data outlets. These masses of wires that emerge from the wall in a room will probably feed to the patch panel in a cable tray, which I'll talk more about soon. The critical maintenance issues at the patch panel are to ensure that cabling from the patch panel to the switch is neat, that the patch cables are as short as possible without causing stress on the cables, and that the positioning of the cabling does not impede air flow to the devices, which can cause overheating.

Power Management

Computing equipment of all types needs clean and constant power. Power fluctuations of any sort, especially complete outages and powerful surges, are a serious matter. In this section, we'll look at power issues and devices that can be implemented to avoid or mitigate them.

Power Converters
Power conversion is the process of converting electric energy from one form to another. This conversion could take several forms:
■ AC to DC
■ From one voltage level to another
■ From one frequency to another

Power converters are devices that make these conversions, and they are typically placed inline, where the energy flowing into one end is converted to another form when it exits the converter.
Circuits
In situations where high availability is required, it may be advisable to provision multiple power circuits to the facility. This is sometimes called A+B or A/B power. To provision for A+B power, you should use a pair of identically sized circuits (e.g., 2 × 20 amperes). In the final analysis, even these systems can fail you in some natural disasters, so you should also have power generators as a final backup.

UPS
All infrastructure systems and servers should be connected to an uninterruptible power supply (UPS). As described in Chapter 15, a UPS can immediately supply power from a battery backup when a loss of power is detected. It provides power long enough for you to either shut the system down gracefully or start a power generator.

Inverters
A power inverter is a type of power converter that specifically converts DC to AC. It produces no power and must be connected to a DC source.

Power Redundancy
While the facility itself needs redundant power circuits and backup generators, a system can still fail if the power supply in the device fails. Mission-critical devices should be equipped with redundant power supplies, which can mitigate this issue; where A/B circuits are available, connect one supply to each circuit, or the redundancy stops at the device.

Device Placement

When locating equipment in a data center, server room, or wiring closet, the placement of the equipment should take several issues into consideration.

Air Flow
Air flow around the equipment is crucially important to keep devices running. When hot air is not removed from the area and replaced with cooler air, the devices overheat and start doing things like rebooting unexpectedly. Even if the situation doesn't reach that point, the high heat will shorten the life of costly equipment. One of the approaches that has been really successful is called hot/cold aisles.
As explained earlier in this chapter, hot aisle/cold aisle design involves lining up racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other. The rows composed of rack fronts are called cold aisles. Typically, cold aisles face air conditioner output ducts. The rows the heated exhausts pour into are called hot aisles. They face air conditioner return ducts. Moreover, the racks and the equipment they hold should never sit directly on the floor. There should be a raised floor to provide some protection against water.

Cable Trays
Masses of unruly cables can block air flow and act as a heat blanket on the equipment if the situation is bad enough. Cable trays are metal trays used to organize the cabling neatly and keep it away from the areas where it can cause heat buildup. In Figure 20.15, some examples of cable tray components are shown. These are used to organize the cables and route them as needed.

Figure 20.15 Cable trays: straight sections, a reducer, and a cable tray drop.

Rack Systems
Rack systems are used to hold and arrange the servers, routers, switches, firewalls, and other rack-ready equipment. Rack devices are advertised in terms of Us. U is the standard unit of measure for designating the vertical usable space, or height, of racks. 1U is equal to 1.75 inches. For example, a rack designated as 20U has 20 rack spaces for equipment and has 35 (20 × 1.75) inches of vertical usable space. You should be familiar with the following types of rack systems and components:

Server Rail Racks
Server rail racks are used to hold servers in one of the types of racks described next. They are designed to hold the server while allowing the server to be slid out from the rack for maintenance.

Two-Post Racks
A two-post rack is one in which only two posts run from the floor. These posts may reach to the ceiling or they may not (freestanding). Several sizes of two-post racks are shown in Figure 20.16.
Figure 20.16 Two-post racks

Four-Post Racks
As you would expect, these racks have four rails and can be either floor to ceiling or freestanding. One is shown in Figure 20.17.

Figure 20.17 Four-post rack

Freestanding Racks
A freestanding rack is one that does not reach the ceiling and stands on its own. A four-post freestanding rack is shown in Figure 20.18.

Figure 20.18 Freestanding rack

Applying Your Knowledge

You have been assigned the job of positioning the following pieces of equipment in the network for maximum performance and security:
Firewall
Patch server
Main distribution frame (MDF)
Intermediate distribution frame (IDF)
Public web server

Match each of the five pieces of equipment to the correct position from the following list (the positions are given in scrambled order). The answer follows.
In the DMZ
Just after the Internet router
In the server room or closet on each floor
Inside the LAN
In the server room or closet that is connected to the service provider

Answer

Device               Position
Firewall             Just after the Internet router
Patch server         Inside the LAN
MDF                  In the server room or closet that is connected to the service provider
IDF                  In the server room or closet on each floor
Public web server    In the DMZ

Labeling

In a data center, server room, or wiring closet, correct and updated labeling of ports, systems, circuits, and patch panels can prevent a lot of confusion and mistakes when configuration changes are made. Working with incorrect or incomplete (in some cases nonexistent) labeling is somewhat like trying to locate a place with an incorrect or incomplete map. In this section, we'll touch on some of the items that should be correctly labeled.
Port Labeling
Ports on switches, patch panels, and other systems should be properly labeled, and the wall outlets to which they lead should match! You should arrive at an agreement as to the naming convention to use so that all technicians are operating from the same point of reference. Labels also should be updated whenever changes are made that dictate an update.

System Labeling
Other systems that are installed in racks, such as servers, firewall appliances, and redundant power supplies, should also be labeled with the IP addresses and DNS names that the devices possess.

Circuit Labeling
Circuits entering the facility should also be labeled. Label electrical receptacles, circuit breaker panels, and power distribution units. Include circuit information, voltage and amperage, the type of electrical receptacle, and where in the data center the conduit terminates.

Naming Conventions
A naming system or convention guides and organizes labeling and ensures consistency. No matter what name or numbering system you use, be consistent.

Patch Panel Labeling
The key issue when labeling patch panels is to ensure that the labels are correct. Also, you need to make sure that the wall outlet each port is connected to carries the same label. The American National Standards Institute/Telecommunications Industry Association (ANSI/TIA) 606-B Administration Standard for Telecommunications Infrastructure, approved in April 2012, provides clear specifications for identification, labeling, and administration best practices across all electrical and network systems premise classes, including large data centers.

Rack Monitoring
Racks should contain monitoring devices that can be operated remotely. These devices can be used to monitor the following issues:
■ Temperature
■ Humidity
■ Physical security (open doors)
■ Smoke
■ Water leaks
■ Vibration

Rack Security
Rack devices should be secured from theft.
There are several locking systems that can be used to facilitate this. These locks are typically implemented in the doors on the front of a rack cabinet:
■ Swing handle/wing knob locks with common key
■ Swing handle/wing knob locks with unique key
■ Swing handle with number and key lock
■ Electronic locks
■ Radio-frequency identification (RFID) card locks

Change Management Procedures

Throughout this chapter I've stressed that network operations need to occur in a controlled and managed fashion. For this to occur, an organization must have a formal change management process in place. The purpose of this process is to ensure that all changes are approved by the proper personnel and are implemented in a safe and logical manner. Let's look at some of the key items that should be included in these procedures.

Document Reason for a Change
Clearly, every change should be made for a reason, and before the change is even discussed, that reason should be documented. During all stages of the approval process (discussed later), this information should be clearly communicated and attached to the change under consideration.

Change Request
A change should start its life as a change request. This request will move through various stages of the approval process and should include certain pieces of information that will guide those tasked with approving or denying it.

Configuration Procedures
The exact steps required to implement the change and the exact devices involved should be clearly detailed. Complete documentation should be produced and submitted with a formal report to the change management board.

Rollback Process
Changes always carry a risk. Before any changes are implemented, plans for reversing the changes and recovering from any adverse effects of the change should be identified.
Those making the changes should be completely briefed on these rollback procedures, and they should exhibit a clear understanding of them prior to implementing the changes.

Potential Impact
While unexpected adverse effects of a change can't always be anticipated, a good-faith effort should be made to identify all systems that could be impacted by the change. One of the benefits of performing this exercise is that it can identify systems that may need to be more closely monitored for their reaction to the change as it is being implemented.

Notification
When all systems and departments that may be impacted by the change are identified, system owners and department heads should be notified of all changes that could potentially affect them. One of the associated benefits of this is that it creates additional monitors for problems during the change process.

Approval Process
Requests for changes should be fully vetted by a cross section of users, IT personnel, management, and security experts. In many cases, it's wise to form a change control board to complete the following tasks:
■ Assure that changes made are approved, tested, documented, and implemented correctly.
■ Meet periodically to discuss change status accounting reports.
■ Maintain responsibility for assuring that changes made do not jeopardize the soundness of the verification system.

Maintenance Window
A maintenance window is the amount of time a system will be down or unavailable during the implementation of changes. Before this window of time is specified, all affected systems should be examined with respect to their criticality in supporting mission-critical operations. It may be that the time required to make the change exceeds the allowable downtime a system can suffer during normal business hours, and the change may need to be implemented during a weekend or in the evening.
Authorized Downtime
Once the time required to make the change has been compared to the maximum allowable downtime a system can suffer and the optimum time for the change is identified, the authorized downtime can be specified. This amounts to a final decision on when the change will be made.

Notification of Change
When the change has been successfully completed and a sufficient amount of time has elapsed for issues to manifest themselves, all stakeholders should be notified that the change is complete. At that time, these stakeholders (those possibly affected by the change) can continue to monitor the situation for any residual problems.

Documentation
The job isn't complete until the paperwork is complete. In this case, the following should be updated to reflect the changed state of the network:
■ Network configurations
■ Additions to the network
■ Physical location changes

Summary

In this chapter, I talked a lot about the documentation aspects of network administration. I started off discussing physical diagrams and schematics and moved on to the logical form as well as configuration-management documentation. You learned about the importance of these diagrams as well as the simple-to-complex forms they can take and the tools used to create them, from pencil and paper to high-tech AutoCAD schematics. You also found out a great deal about creating performance baselines.

After that, I delved deep into a discussion of network policies and procedures, and how regulations can affect how you manage your network. Next, you learned about network monitoring and optimization, and how monitoring your network can help you find issues before they develop into major problems. You learned that server operating systems and intelligent network devices have built-in graphical monitoring tools to help you troubleshoot your network.
We got into performance optimization and the many theories and strategies you can apply to optimize performance on your network. All of them deal with controlling the traffic in some way and include methods like QoS, traffic shaping, load balancing, high availability, and the use of caching servers. We discussed how Common Address Redundancy Protocol (CARP) can be used to increase the availability of gateways and firewalls. You also learned how important it is to ensure that you have plenty of bandwidth available for any applications that vitally need it, like critical service operations, VoIP, and real-time multimedia streaming.

Finally, we discussed cloud computing and the virtualization that underlies it. We looked at its benefits, including increased performance and fault tolerance, increased availability, and the ability to access cloud services from anywhere. You also learned about some of its major components, such as virtual servers, virtual switches, and virtual desktops, and about an example of software as a service (SaaS), the virtual PBX.

Exam Essentials

Understand the difference between a physical network diagram and a logical network diagram. A physical diagram shows all of the physical connections and devices, and in many cases the cables or connections between the devices. It's a very detail-oriented view of the hardware on your network. A logical network diagram takes a higher-level view, such as your subnets and which protocols those subnets use to communicate with each other.

Identify the elements of unified communications technology. This includes the proper treatment of traffic types such as VoIP and video. You should also understand what UC servers, devices, and gateways are. Finally, describe the methods used to provide QoS to latency-sensitive traffic.

Understand the difference between policies, procedures, and regulations. A policy is created to give users guidance as to what is acceptable behavior on the network.
Policies also help resolve problems before they begin by specifying who has access to what resources and how configurations should be managed. Procedures are steps to be taken when an event occurs on the network, such as what to do when a user is fired or how to respond to a natural disaster. Regulations are imposed on your organization; you are required to follow them, and if you don't, you may be subject to punitive actions.

Know how your servers and network devices can help you monitor your network. Most servers and network devices have monitoring tools built in that are capable of tracking data and events on your network. These include graphical tools as well as log files.

Compare and contrast cloud technologies. Understand the differences between public IaaS, SaaS, and PaaS; private IaaS, SaaS, and PaaS; hybrid IaaS, SaaS, and PaaS; and community IaaS, SaaS, and PaaS. Also know the difference between a NAS and a SAN.

Understand several theories of performance optimization. There are several ways to manage traffic on your network to speed up access and in some cases guarantee available bandwidth to applications. These include QoS, traffic shaping, load balancing, high availability, and using caching servers.

Know some examples of bandwidth-intensive applications. Two examples of high-bandwidth applications are Voice over IP (VoIP) and real-time video streaming.

Describe the major building blocks of virtualization. Understand how virtual servers, virtual switches, and virtual desktops are used to supply the infrastructure to deliver cloud services. Differentiate onsite or private clouds from offsite or public cloud services. Identify services that can be provided, such as network as a service (NaaS) and software as a service (SaaS).

Summarize safety and environmental issues in the data center. Understand electrical safety as it relates to both devices and humans. Understand the use of fire suppression systems.
Describe proper emergency procedures.

Written Lab

You can find the answers in Appendix A. In this section, write the answers to the following management questions:

1. ________ are systems that are configured to be attractive to hackers and to lure them into spending time attacking them while information is gathered about the attack.
2. Which network-performance optimization technique uses a contract to determine which data can get on to the network?
3. The lowest level of QoS is called ________.
4. ________ is a type of power converter that specifically converts DC to AC.
5. Spreading network traffic across multiple connections is called ________.
6. A standard of normal network performance is called ________.
7. If you need to connect two PCs directly together using their network adapters, what type of cable do you need?
8. What is another name for using virtualization to provide services?
9. List at least three major components of virtualization.
10. The steps you should take when, for example, a network user is fired are called ________.

Review Questions

You can find the answers to the review questions in Appendix B.

1. UTP cables use which type of connector?
A. RJ-11
B. RJ-25
C. RJ-45
D. BCN

2. Which type of cable will have the pins in the same order on both connectors?
A. Crossover cable
B. Straight-through cable
C. Console cable
D. Telephone cable

3. Which pins are switched in a crossover cable?
A. 1 and 2, 3 and 4
B. 1 and 3, 2 and 6
C. 2 and 4, 5 and 7
D. 1 and 4, 5 and 8

4. UTP cable has specific colors for the wire associated with each pin. Based on the TIA/EIA 568B wiring standard, what is the correct color order, starting with pin 1?
A. White/Orange, Orange, Blue, White/Green, White/Blue, Green, White/Brown, Brown
B. Orange, White/Orange, White/Green, Blue, White/Blue, White/Brown, Brown, Green
C. White/Orange, Orange, White/Green, Blue, White/Blue, Green, White/Brown, Brown
D. White/Green, Green, White/Orange, Blue, White/Blue, Orange, White/Brown, Brown

5. What is the technical term for what happens when two objects of dissimilar charge come in contact?
A. RFI
B. EMI
C. ESD
D. Crosstalk

6. Which of the following govern how the network is configured and operated as well as how people are expected to behave on the network?
A. Baselines
B. Laws
C. Policies
D. Procedures

7. You have upgraded the firmware on your switches and access points. What documentation do you need to update?
A. Baselines and configuration documentation
B. Physical network diagram
C. Logical network diagram
D. Wiring schematics

8. In an ICS, which of the following uses coded signals over communication channels to acquire information about the status of the remote equipment?
A. ICS server
B. Telemetry system
C. Human interface
D. PLC

9. Load testing, connectivity testing, and throughput testing are all examples of what?
A. Load balancing
B. Network monitoring
C. Packet sniffing
D. Traffic shaping

10. What can provide different priority levels to different applications, data flows, or users to help guarantee performance levels?
A. 1Gbps connection
B. Bandwidth
C. Uptime
D. Quality of service

11. Which of the following identifies steps to recover from adverse effects caused by a change?
A. Rollback process
B. Approvable process
C. Notification process
D. Impact assessment

12. After a change has been made, which of the following is not a document that needs to be updated?
A. Network configurations
B. Additions to the network
C. Physical location changes
D. All of the above

13. Which of the following provides increased availability to firewalls and gateways?
A. DHCP
B. CARP
C. SaaS
D. NaaS

14. You have added a new cable segment to your network. You need to make sure you document this for troubleshooting purposes. What should you update?
A. The disaster recovery plan
B. The wiring schematics
C. The router connections document
D. The baseline document

15. What is the basic purpose of QoS? (Choose two.)
A. Block access to certain websites
B. Make your entire network run faster
C. Provide priority to one or more types of traffic over others
D. Block access to web resources for just certain users or groups
E. Prioritize delay-sensitive traffic

16. Which network-performance optimization technique can delay packets that meet certain criteria to guarantee usable bandwidth for other applications?
A. Traffic shaping
B. Jitter
C. Logical
D. Load balancing

17. Which of the following is neither a virtualization component nor a service made available through virtualization?
A. Virtual servers
B. SaaS
C. CARP
D. Virtual switches

18. Which of the following are reasons to optimize network performance? (Choose all that apply.)
A. Maximizing uptime
B. Minimizing latency
C. Using VoIP
D. Using video applications
E. None of the above

19. What term describes technologies that can deliver voice communications over the Internet?
A. Jitter
B. Uptime
C. Voice over Internet Protocol
D. None of the above

20. To optimize performance on your network, which of the following control traffic in some way? (Choose all that apply.)
A. QoS
B. Traffic shaping
C. Load balancing
D. Caching services
E. None of the above

Appendix A
Answers to the Written Labs

Chapter 1
1. Bus, ring, and star
2. Multiprotocol Label Switching (MPLS)
3. Server
4. Client-server
5. Point-to-point
6. Hub or switch
7. Multiprotocol Label Switching
8. Wide area network
9. A segment
10. Bus

Chapter 2
1. Application layer is responsible for finding the network resources broadcast from a server and adding flow control and error control (if the application developer chooses).
2.
The Physical layer takes frames from the Data Link layer and encodes the 1s and 0s into a digital signal for transmission on the network medium.
3. The Network layer provides routing through an internetwork and logical addressing.
4. The Presentation layer makes sure that data is in a readable format for the Application layer.
5. The Session layer sets up, maintains, and terminates sessions between applications.
6. Protocol Data Units (PDUs) at the Data Link layer are called frames. As soon as you see the word frame in a question, you know the answer.
7. The Transport layer uses virtual circuits to create a reliable connection between two hosts.
8. The Network layer provides logical addressing, typically IP addressing, and routing.
9. The Physical layer is responsible for the electrical and mechanical connections between devices.
10. The Data Link layer is responsible for the framing of data packets.

Chapter 3
1. Category 6
2. Demarcation point, or demarc
3. Crossover
4. RG-6
5. Category 5e
6. Straight-through
7. To connect two CSU/DSUs
8. 1, 2, 3, and 6
9. 1 to 3 and 2 to 6
10. It is completely immune to EMI and RFI and can transmit up to 40 kilometers (about 25 miles).
Chapter 4

Decimal to binary:

Decimal   128  64  32  16   8   4   2   1   Binary
192         1   1   0   0   0   0   0   0   11000000
168         1   0   1   0   1   0   0   0   10101000
10          0   0   0   0   1   0   1   0   00001010
15          0   0   0   0   1   1   1   1   00001111

Decimal   128  64  32  16   8   4   2   1   Binary
172         1   0   1   0   1   1   0   0   10101100
16          0   0   0   1   0   0   0   0   00010000
20          0   0   0   1   0   1   0   0   00010100
55          0   0   1   1   0   1   1   1   00110111

Decimal   128  64  32  16   8   4   2   1   Binary
10          0   0   0   0   1   0   1   0   00001010
11          0   0   0   0   1   0   1   1   00001011
12          0   0   0   0   1   1   0   0   00001100
99          0   1   1   0   0   0   1   1   01100011

Binary to decimal:

Binary     128  64  32  16   8   4   2   1   Decimal
11001100     1   1   0   0   1   1   0   0   204
00110011     0   0   1   1   0   0   1   1   51
10101010     1   0   1   0   1   0   1   0   170
01010101     0   1   0   1   0   1   0   1   85

Binary     128  64  32  16   8   4   2   1   Decimal
11000110     1   1   0   0   0   1   1   0   198
11010011     1   1   0   1   0   0   1   1   211
00111001     0   0   1   1   1   0   0   1   57
11010001     1   1   0   1   0   0   0   1   209

Binary     128  64  32  16   8   4   2   1   Decimal
10000100     1   0   0   0   0   1   0   0   132
11010010     1   1   0   1   0   0   1   0   210
10111000     1   0   1   1   1   0   0   0   184
10100110     1   0   1   0   0   1   1   0   166

Binary to hexadecimal:

Binary     128  64  32  16   8   4   2   1   Hexadecimal
11011000     1   1   0   1   1   0   0   0   D8
00011011     0   0   0   1   1   0   1   1   1B
00111101     0   0   1   1   1   1   0   1   3D
01110110     0   1   1   1   0   1   1   0   76

Binary     128  64  32  16   8   4   2   1   Hexadecimal
11001010     1   1   0   0   1   0   1   0   CA
11110101     1   1   1   1   0   1   0   1   F5
10000011     1   0   0   0   0   0   1   1   83
11101011     1   1   1   0   1   0   1   1   EB

Binary     128  64  32  16   8   4   2   1   Hexadecimal
10000100     1   0   0   0   0   1   0   0   84
11010010     1   1   0   1   0   0   1   0   D2
01000011     0   1   0   0   0   0   1   1   43
10110011     1   0   1   1   0   0   1   1   B3

Chapter 5

Description | Device or OSI layer
This device sends and receives information about the Network layer. | Router
This layer creates a virtual circuit before transmitting between two end stations. | Transport
A Layer 3 switch or multilayer switch. | Router
This device uses hardware addresses to filter a network. | Bridge or switch
Ethernet is defined at these layers. | Data Link and Physical
This layer supports flow control and sequencing. | Transport
This device can measure the distance to a remote network. | Router
Logical addressing is used at this layer. | Network
Hardware addresses are defined at this layer. | Data Link (MAC sublayer)
This device creates one big collision domain and one large broadcast domain. | Hub
This device creates many smaller collision domains, but the network is still one large broadcast domain. | Switch or bridge
This device can never run full duplex. | Hub
This device breaks up collision domains and broadcast domains. | Router

Chapter 6
1. This would be a Layer 2 broadcast, or FF:FF:FF:FF:FF:FF.
2. FTP uses both TCP ports 20 and 21 for the data channel and the control channel, respectively.
3. Both TCP and UDP! A DNS server uses TCP port 53 for zone transfers and UDP port 53 for name resolutions. Notice that DNS uses both TCP and UDP. Whether it opts for one or the other depends on what it’s trying to do.
4. ICMP uses IP directly to build error-reporting packets that are transmitted back to the originating source host when issues arise during the delivery of data packets. ICMP is also used during Ping and some Traceroute operations.
5. Quite simply, the service might not be running currently on that server. Another possibility might be that a firewall between the client and the server has blocked the protocol in question from passing.
6. RDP uses port 3389.
7. MGCP uses ports 2427 and 2727.
8. ICMP is the protocol that the ping and tracert commands rely on. If you’re having trouble getting pings and traceroutes through a router, you might need to check if ICMP is being allowed through.
9. TFTP servers respond to UDP messages sent to port 69.
10. SMTP uses TCP port 25, POP3 uses TCP port 110, RDP uses TCP port 3389, and IMAP4 uses TCP port 143.

Chapter 7

Written Lab 7.1
1. The class C private range is 192.168.0.0 through 192.168.255.255.
2.
IPv6 has the following characteristics, among others, that make it preferable to IPv4: more available addresses, simpler header, options for authentication, and other security.
3. Automatic Private IP Addressing (APIPA) is the technology that results in hosts automatically configuring themselves with addresses that begin with 169.254.
4. An IP address assigned to an interface
5. One-to-many address
6. A MAC address, sometimes called a hardware address or even a burned-in address
7. The fact that it has 128-bit (16-octet) addresses, compared to IPv4’s 32-bit (4-octet) addresses
8. 172.16.0.0 through 172.31.255.255
9. 192–223, 110xxxxx
10. Loopback or diagnostics

Written Lab 7.2
1. Unicast
2. Global unicast
3. Link-local
4. Unique local (used to be called site-local)
5. Multicast
6. Anycast
7. Anycast
8. ::1
9. FE80::/10
10. FC00::/7

Written Lab 7.3
1. 2001:db8:1:1:090c:abff:fecd:1234
2. 2001:db8:1:1:040c:32ff:fef1:a4d2
3. 2001:db8:1:1:12:abff:fecd:1234
4. 2001:db8:1:1:0f01:3aff:fe2f:1234
5. 2001:db8:1:1:080c:abff:feac:caba

Chapter 8
1. 192.168.100.25/30. A /30 is 255.255.255.252. The valid subnet is 192.168.100.24, broadcast is 192.168.100.27, and valid hosts are 192.168.100.25 and 26.
2. 192.168.100.37/28. A /28 is 255.255.255.240. The fourth octet is a block size of 16. Just count by 16s until you pass 37. 0, 16, 32, 48. The host is in the 32 subnet, with a broadcast address of 47. Valid hosts are 33–46.
3. 192.168.100.66/27. A /27 is 255.255.255.224. The fourth octet is a block size of 32. Count by 32s until you pass the host address of 66. 0, 32, 64. The host is in the 64 subnet, broadcast address of 95. The valid host range is 65–94.
4. 192.168.100.17/29. A /29 is 255.255.255.248. The fourth octet is a block size of 8. 0, 8, 16, 24. The host is in the 16 subnet, broadcast of 23. Valid hosts are 17–22.
5. 192.168.100.99/26. A /26 is 255.255.255.192. The fourth octet has a block size of 64. 0, 64, 128. The host is in the 64 subnet, broadcast of 127. Valid hosts are 65–126.
6. 192.168.100.99/25. A /25 is 255.255.255.128. The fourth octet is a block size of 128. 0, 128. The host is in the 0 subnet, broadcast of 127. Valid hosts are 1–126.
7. A default Class B is 255.255.0.0. A Class B 255.255.255.0 mask is 256 subnets, each with 254 hosts. We need fewer subnets. If we use 255.255.240.0, this provides 16 subnets. Let’s add one more subnet bit. 255.255.248.0. This is 5 bits of subnetting, which provides 32 subnets. This is our best answer, a /21.
8. A /29 is 255.255.255.248. This is a block size of 8 in the fourth octet. 0, 8, 16. The host is in the 8 subnet, and broadcast is 15.
9. A /29 is 255.255.255.248, which is 5 subnet bits and 3 host bits. This is only 6 hosts per subnet.
10. A /23 is 255.255.254.0. The third octet is a block size of 2. 0, 2, 4. The host is in the 16.2.0 subnet; the broadcast address is 16.3.255.

Chapter 9
1. False. RIP and RIPv2 are both distance vector protocols.
2. False. RIP and RIPv2 are both distance vector protocols.
3. False. EIGRP is a Cisco-proprietary routing protocol.
4. Autonomous system
5. RIP does not work well in large networks, so OSPF would be the best answer, and both RIP and OSPF are nonproprietary.
6. Static routing
7. The MAC address of your default gateway (router)
8. The IP address of the server
9. The MAC address of the router sending the frame to the server
10. The IP address of the server

Chapter 10
1. 120
2. 90
3. 120
4. 1
5. RIPng (Next Generation). I wonder how many of you answered RIPv3.
6. OSPFv3
7. EIGRPv6
8. When you need to connect two autonomous systems (ASs) together
9. When all your routers are Cisco routers
10. Distance vector

Chapter 11
1. Broadcast
2. Collision
3.
Trunking allows you to send information about many or all VLANs through the same link. Access ports allow information about only one VLAN to be transmitted.
4. Power over Ethernet (PoE)
5. The VLAN port membership is set wrong.
6. Flood the frame out all ports except the port on which it was received.
7. Address learning, filtering, and loop avoidance
8. It will add the source MAC address to the forward/filter table.
9. Spanning Tree Protocol (STP)
10. Create a VLAN for contractors and another VLAN for guests.

Chapter 12
1. 11Mbps
2. 54Mbps
3. 54Mbps
4. 2.4GHz
5. 2.4GHz
6. 5GHz
7. 1Gbps
8. The values of WPA keys can change dynamically while the system is being used.
9. The IEEE 802.11i standard has been sanctioned by WPA and is called WPA version 2.
10. Three

Chapter 13
1. Anti-malware updates, operating system updates, or Windows Registry settings
2. Persistent
3. SSL VPN
4. PKI
5. Only the owner of the key
6. Kerberos
7. Authentication, Authorization, and Accounting
8. 802.1x
9. MS-CHAP
10. TACACS+

Chapter 14
1. Botnet
2. Once per week
3. Buffer overflow
4. Amplified or reflective
5. Packet sniffer
6. A macro virus
7. Man-in-the-middle attack
8. A rogue access point
9. Windows Update
10. On-demand and on-access virus scans

Chapter 15
1. Virtual wire firewall interfaces
2. Stateful
3. Content filtering
4. Single point of failure
5. A VPN concentrator
6. Security zones
7. Mantrap
8. Deny
9. Honeynet
10. Passive reactions from an IDS

Chapter 16
1. It is readily available.
2. Cable. In a modern network, hybrid fiber coaxial (HFC) is a telecommunications industry term for a network that incorporates both optical fiber and coaxial cable to create a broadband network.
3. Frame Relay. Although Frame Relay is not available in many markets today, it is a possible solution for the problem presented.
4. 1.544Mbps
5. Digital Subscriber Line
6. Frame Relay and X.25
7. LTE and WiMAX
8. ATM
9. HDSL, SDSL, VDSL, ADSL
10. Fiber to the premises

Chapter 17
1. traceroute or tracert
2. Throughput tester
3. ipconfig /all
4. Telnet
5. route
6. FTP
7. nslookup
8. -n
9. ifconfig
10. route print

Chapter 18
1. False
2. False
3. True
4. True
5. False. A typical network analyzer can see only one segment at a time.
6. Cable certifier
7. False. Unless you don’t mind prison.
8. A temperature monitor
9. A voltage event recorder
10. A cable stripper/crimper

Chapter 19
1. Test the theory to determine cause.
2. Document findings, actions, and outcomes.
3. Network designers minimize crosstalk inside network cables by twisting the wire pairs together, putting them at a 90 degree angle to each other.
4. The port has the wrong VLAN assignment.
5. Split pairs
6. Attenuation
7. Establish a plan of action to resolve the problem and identify potential effects.
8. Implement the solution or escalate as necessary.
9. Switching loops, routing loops, routing problems, Proxy ARP, broadcast storms
10. Crosstalk, attenuation, collisions, shorts, open impedance mismatch, interference

Chapter 20
1. Honeypot
2. Traffic shaping
3. Best effort
4. Inverter
5. Load balancing
6. A baseline
7. Crossover
8. Cloud computing
9. Virtual servers, virtual switches, virtual desktops, software as a service (SaaS), and network as a service (NaaS)
10. Procedures

Appendix B
Answers to Review Questions

Chapter 1
1. C. A client-server logical topology allows you to have a centralized database of users so that authentication is provided in one place.
2. C. To install a physical topology that provides ease of scalability, use a star network. This is a hub or switch device, and this is the most common LAN network today.
3. D.
Only a mesh physical topology has point-to-point connections to every device, so it has more connections and is not a popular LAN technology.
4. B. In a star topology, each workstation connects to a hub, switch, or similar central device but not to other workstations. The benefit is that when connectivity to the central device is lost, the rest of the network lives on.
5. C. Multiprotocol Label Switching has as many advantages as a LAN protocol. When labels are used, voice can have priority over basic data, for example.
6. B. A logical grouping of hosts is called a LAN, and you typically group them by connecting them to a hub or switch.
7. C. It is easy to relax about security in a peer-to-peer environment. Because of the trouble it takes to standardize authentication, a piecemeal approach involving users’ personal preferences develops. There are no dedicated servers in a peer-to-peer network, and such a network can be created with as few as two computers.
8. A. When a central office, such as headquarters, needs to communicate directly with its branch offices but the branches do not require direct communication with one another, the point-to-multipoint model is applicable. The other scenarios tend to indicate the use of a point-to-point link between sites.
9. D. LANs generally have a geographic scope of a single building or smaller. They can range from simple (two hosts) to complex (with thousands of hosts).
10. B. The only disadvantage mentioned is the fact that there is a single point of failure in the network. However, this topology makes troubleshooting easier; if the entire network fails, you know where to look first. The central device also ensures that the loss of a single port and the addition of a new device to an available port do not disrupt the network for other stations attached to such a device.
11. D. A typical WAN connects two or more remote LANs together using someone else’s network (your ISP’s) and a router. Your local host and router see these networks as remote networks and not as local networks or local resources. Routers use proprietary serial connections for WANs.
12. D. Multiprotocol Label Switching provides logical links between sites, so branch offices can be easily and quickly added.
13. A. In a peer-to-peer network, all computers are considered equal. It is up to the computer that has the resource being requested to perform a security check for access rights to its resources.
14. D. In client-server networks, requests for resources go to a main server that responds by handling security and directing the client to the resource it wants instead of the request going directly to the machine with the desired resource (as in peer-to-peer).
15. A. The best answer to this question is an Ethernet switch, which uses a star physical topology with a logical bus technology.
16. D. Routers are used to connect different networks together.
17. D. In the mesh topology, there is a path from every connection to every other one in the network. A mesh topology is used mainly because of the robust fault tolerance it offers—if one connection goes on the blink, computers and other network devices can simply switch to one of the many redundant connections that are up and running.
18. A. As its name implies, in a point-to-point topology you have a direct connection between two routers, giving you one communication path. The routers in a point-to-point topology can either be linked by a serial cable, making it a physical network, or be far away and only connected by a circuit within a Frame Relay network, making it a logical network.
19. B. A hybrid topology is a combination of two or more types of physical or logical network topologies working together within the same network.
20. A, B, C, D.
Each topology has its own set of pros and cons regarding implementation, so it’s important to ask the right questions and consider cost, ease of installation, maintenance, and fault tolerance.

Chapter 2
1. C. A connection-oriented session is set up using what is called a three-way handshake. The transmitting host sends a SYN packet, the receiving host sends a SYN/ACK, and the transmitting host replies with the last ACK packet. The session is now set up.
2. D. TCP and UDP are Transport layer protocols. The Transport layer is Layer 4 of the OSI model.
3. A. The top layer of the OSI model gives applications access to the services that allow network access.
4. A. If the remote server is busy or does not respond to your web browser request, this is an Application layer problem.
5. B. The Presentation layer makes data “presentable” for the Application layer.
6. C. Bridges, like switches, are Data Link layer devices. Hubs, like repeaters, are Physical layer devices. Routers are Network layer devices.
7. D. The Physical layer’s job is to convert data into impulses that are designed for the wired or wireless medium being used on the attached segment.
8. D. A receiving host can control the transmitter by using flow control (TCP uses windowing by default). By decreasing the window size, the receiving host can slow down the transmitting host so the receiving host does not overflow its buffers.
9. C, D. Not that you really want to enlarge a single collision domain, but a hub (multiport repeater) will provide this functionality for you.
10. D. The Transport layer receives large data streams from the upper layers and breaks these up into smaller pieces called segments.
11. C. The encapsulation order is data, segment, packet, frame, bits.
12. B, C. Bridges and switches break up collision domains, which allows more bandwidth for users.
13. C. A reliable Transport layer connection uses acknowledgments to make sure all data is received reliably. A reliable connection is defined by the use of acknowledgments, sequencing, and flow control, which is characteristic of the Transport layer (Layer 4).
14. A, C, D. When sequencing and acknowledgments are used, the segments delivered are acknowledged back to the sender upon their reception. At this point, any segments not acknowledged are retransmitted, and segments are sequenced back into their proper order upon arrival at their destination.
15. C. Flow control allows the receiving device to control the pace of the transmitting device so the receiving device’s buffer does not overflow.
16. B. IP is a Network layer protocol. TCP is an example of a Transport layer protocol, Ethernet is an example of a Data Link layer protocol, and T1 can be considered a Physical layer protocol.
17. D. The Presentation layer is the sixth layer of the model. Only the Application layer is higher, but it is not listed. Session is Layer 5, Transport is Layer 4, and Network is Layer 3.
18. C. A router is specified at the Network layer and a router routes packets. Routers can also be called Layer 3 switches.
19. C. The phrase “Please Do Not Throw Sausage Pizza Away” contains the first letters of the layers in order, from Layer 1 through Layer 7. “All People Seem To Need Data Processing” works from the top down. The other options have all the right letters, just not in the right order.
20. B. The 802.3 standard, commonly associated with Ethernet, specifies the media-access method used by Ethernet, which is known as Carrier Sense Multiple Access with Collision Detection (CSMA/CD).

Chapter 3
1. B, C.
Plenum-rated means that the cable’s coating doesn’t begin burning until a much higher temperature of heat, doesn’t release as many toxic fumes as PVC when it does burn, and is rated for use in air plenums that carry breathable air, usually as nonenclosed fresh-air return pathways that share space with cabling.
2. D. UTP is commonly used in twisted-pair Ethernet like 10BaseT, 100BaseTX, 1000BaseTX, and so on.
3. D. Unshielded twisted-pair has standards from Category 2 through 6 for use on Ethernet networks. There is no Category 8 defined.
4. C. UTP usually connects with RJ-45. You use a crimper to attach an RJ connector to a cable.
5. A. Single-mode fiber allows for the maximum cable run distances.
6. B. You would use a straight-through cable to connect a host to a switch, and the typical pin-out is called 568A.
7. C. Fiber-optic cable transmits digital signals using light impulses rather than electricity; therefore, it is immune to EMI and RFI.
8. B. Remember that fiber-optic cable transmits a digital signal using light impulses. Light is carried on either a glass or a plastic core.
9. B. The difference between single-mode fibers and multimode fibers is in the number of light rays (and thus the number of signals) they can carry. Generally speaking, multimode fiber is used for shorter-distance applications and single-mode fiber for longer distances.
10. C. Standards limit UTP to a mere 100 meters. Different fiber-optic types have different maximum lengths, but fiber-optic is the only cable type that can extend well beyond 100 meters.
11. B, D, E. There are many different types of fiber-optic connectors. SC, ST, LC, and MT-RJ are some of the more typical connectors in use today.
12. B. To connect two devices for voice on a vertical connect, the minimum cable you can use is Category 5E.
13. B. In half-duplex communication, a device can either send communication or receive communication, but it cannot do both at the same time.
14. B. Fiber-optic cable transmits only light (not electricity like UTP), so EMI has zero effect on it.
15. C. Full-duplex communication requires a point-to-point configuration because the collision-avoidance circuit is disabled.
16. B. Both wiring standards for UTP (568A and 568B) utilize only pins 1, 2, 3, and 6.
17. D. All devices that are pinned the same for transmit and receive require a crossover cable to communicate directly.
18. A. A T1 cable uses T568B pairs 1 and 2, so to connect two T1 CSU/DSU devices back to back requires a crossover cable that swaps these pairs. Specifically, pins 1, 2, 4, and 5 are connected to 4, 5, 1, and 2, respectively.
19. D. The demarcation point, or demarc, is the point at which the operational control or ownership changes from your company to a service provider. This is often at the MDF in relation to telephone connections and the CSU/DSU in regard to WAN connections.
20. B. A 568B is an RJ-45 wiring standard and this type of cable uses two pairs of wires.

Chapter 4
1. B. On an Ethernet network, the MAC address (hardware address) is used for one host to communicate with another.
2. B. 100BaseTX uses CAT 5e and can run 200Mbps when using full duplex.
3. D. When one device sends a packet out on a network segment, all other devices on the same physical network segment must wait and let it be transmitted.
4. E. 10Base2 was one of the very first Ethernet network physical mediums and is a thinnet coax.
5. B. Carrier Sense Multiple Access with Collision Detection (CSMA/CD) helps packets that are transmitted simultaneously from different hosts share bandwidth evenly.
6. B. A 10GBaseSR cable can have a maximum distance of 990 feet (302 meters).
7. B.
With half duplex, you are using only one wire pair at a time, with a digital signal either transmitting or receiving.
8. A. Full-duplex Ethernet uses two pairs of wires at the same time.
9. C. A 10GBaseLR implementation can go a distance of up to 6 miles.
10. B. Double up! You can get 20Mbps with a 10Mbps Ethernet running full duplex or 200Mbps for Fast Ethernet.
11. B. Full-duplex communication cannot be used with a hub because a hub is a half-duplex single communication device. A host, switch, and router have the ability to process traffic (frames), whereas a hub is a multiport repeater.
12. B. 11000000 is 192, 10101000 is 168, 00110000 is 48, and 11110000 is 240.
13. B. In February 2011, the IEEE finally published a standard for Broadband over Power Line (BPL) called IEEE 1901; this is also referred to as Power Line Communication (PLC) or even Power Line Digital Subscriber Line (PDSL).
14. C. Nibble values are 8 + 4 + 2 + 1, giving us a maximum value of 15. If we have a decimal value of 10, that means the 8 bit and the 2 bit are turned on.
15. D. The 128, 64, 32, and 8 bits are on, so just add the values: 128 + 64 + 32 + 8 = 232.
16. B. The first 10 hexadecimal digits (0–9) are the same values as the decimal values. We already know the binary value for the number 10 is 1010—in hex, the number 10 needs to be displayed as a single character. To display double-digit numbers as a single character, we substitute letters. In our example, 10 is A.
17. C. A MAC, or hardware, address is a 48-bit (6-byte) address written in hexadecimal format.
18. A. 100BaseT and 1000BaseT both have a maximum distance of 100 meters, or 328 feet.
19. B. The FCS can detect frames in the sequence by calculating the cyclic redundancy check (CRC), which verifies that all the bits in the frame are unchanged.
20. C. The 100 means 100Mbps. The Base means baseband, which refers to baseband technology—a signaling method for communication on the network.

Chapter 5
1. C. NICs are the physical network connections for a computer but are not one of the devices or mediums used to provide Internet access in a SOHO setting.
2. C. Like a hub, a switch connects multiple segments of a network together, with one important difference. Whereas a hub sends out anything it receives on one port to all the others, a switch recognizes frame boundaries and pays attention to the destination MAC address of the incoming frame as well as the port on which it was received.
3. B. When we say segment, we mean to create multiple collision or broadcast domains. Hubs don’t segment a network; they just connect network segments together. Repeaters don’t segment the network; they repeat a signal and allow the distance covered to be increased. So the only correct option is B, a switch.
4. A. The primary function of a bridge is to keep traffic separated on both sides of it, breaking up collision domains.
5. A. Hubs create one collision domain and one broadcast domain.
6. B. By allowing full-duplex operation on each port, a switch provides extra bandwidth to each port.
7. B. A switch is typically just a Layer 2 device segmenting the network by using MAC addresses. However, some higher-end switches can provide Layer 3 services.
8. D. Remember that DHCP servers assign IP addresses to hosts. Thus, DHCP allows easier administration than providing IP information to each host by hand (called static IP addressing).
9. B. Multilayer switches (also called Layer 3 switches) don’t have any fewer features, less bandwidth, or fewer ports than a normal switch; they just allow routing functions between subnets.
10. B. A load balancer uses a little trickery and sends incoming packets to one or more machines that are hidden behind a single IP address.
Modern load-balancing routers can use different rules to make decisions about where to route traffic, which can be based on least load, fastest response times, or simply balancing requests. 11. A. DNS translates human names to IP addresses for routing your packet through the Internet. Hosts can receive the IP address of this DNS server and then resolve hostnames to IP addresses. 12. C. Routers, switches, and bridges are all devices that help break up big networks into a number of smaller ones—also known as network segmentation. Hubs don’t segment networks—they just connect network segments together. bapp02.indd 04/01/2015 Page 833 834 Appendix B ■ Answers to Review Questions 13. A. Web cache, of course! Most proxy programs provide a means to deny access to certain URLs in a blacklist, thus providing content filtering, usually in corporate environments. 14. D. Options A, B, and C all aid in boosting network performance, so the only option left is broadcast storms. Increased traffic will increase LAN congestion. 15. B. If the DHCP server has stopped functioning, it will not hand out IP addresses to hosts that are restarted. However, the hosts that were not shut down still have an IP addresses because the lease time has not expired. 16. D. A proxy server can be used to prevent external traffic from reaching your internal network directly and can also be used to filter the sites to which your users are allowed to connect. 17. C. Switches create separate collision domains but a single broadcast domain. Remember that routers provide a separate broadcast domain for each interface. 18. A. Using appliances to offload functions such as encryption, content filtering, and VPN concentration can decrease the workload of other systems and add functionality that may be present in these dedicated devices. 19. C. A DNS server uses many types of records. An A record is a hostname to IP address record, and a pointer record is an IP address to hostname record. 20. D. 
A proxy server can provide many functions. A proxy server can use a caching engine so repeated access requests for web information would accelerate repeated access for users, and they can also limit the availability of websites. Chapter 6 1. D. SMTP resides at the Application layer of the OSI and DoD models. 2. D. HTTPS, or Secure HTTP, uses port 443 by default. 3. C. Dynamic Host Configuration Protocol (DHCP) is used to provide IP information to hosts on your network. DHCP can provide a lot of information, but the most common is IP address, subnet mask, default gateway, and DNS information. 4. B. Address Resolution Protocol (ARP) is used to find the hardware address from a known IP address. 5. B. Secure Shell (SSH) allows you to remotely administer router, switches, and even servers securely. 6. C. The problem is with DNS, which uses both TCP and UDP port 53. 7. A, B. A client that sends out a DHCP Discover message in order to receive an IP address sends out a broadcast at both Layer 2 and Layer 3. The Layer 2 broadcast is all Fs in hex, or FF:FF:FF:FF:FF:FF. The Layer 3 broadcast is 255.255.255.255, which means all networks and all hosts. DHCP is connectionless, which means it uses User Datagram Protocol (UDP) at the Transport layer, also called the Host-to-Host layer. bapp02.indd 04/01/2015 Page 834 Chapter 7 835 8. E. Telnet uses TCP at the Transport layer with a default port number of 23. 9. C, D. Internet Control Message Protocol (ICMP) is used to send error messages through the network, but ICMP does not work alone. Every segment or ICMP payload must be encapsulated within an IP datagram (or packet). 10. B, D, E. 11. A, C, F. DHCP, SNMP, and TFTP use UDP. SMTP, FTP, and HTTP use TCP. 12. C, D, E. Telnet, File Transfer Protocol (FTP), and Trivial FTP (TFTP) are all Application layer protocols. IP is a Network layer protocol. Transmission Control Protocol (TCP) is a Transport layer protocol. 13. C. 
SMTP is used by a client to send mail to its server and by that server to send mail to another server. POP3 and IMAP are used by clients to retrieve their mail from the server that stores it until it is retrieved. HTTP is only used with web-based mail services. 14. C. Remote Desktop Protocol (RDP) allows you to connect to a remote computer and run programs, as Telnet does. However, the large advantage that RDP has over Telnet is that RDP allows you to have a GUI interface connection. 15. B. Simple Network Management Protocol is typically implemented using version 3, which allows for a connection-oriented service, authentication and secure polling of network devices, and alerts and reports on network devices. 16. B, E. Secure Copy Protocol (SCP) and File Transfer Protocol (FTP) can be used to transfer files between two systems. 17. B. The four layers of the IP stack (also called the DoD model) are Application/Process, Host-to-Host, Internet, and Network Access. The Host-to-Host layer is equivalent to the Transport layer of the OSI model. 18. C. Network Time Protocol will ensure a consistent time across network devices on the network. 19. A. Through the use of port numbers, TCP and UDP can establish multiple sessions between the same two hosts without creating any confusion. The sessions can be between the same or different applications, such as multiple web-browsing sessions or a web-browsing session and an FTP session. 20. D. DNS uses TCP for zone exchanges between servers and UDP when a client is trying to resolve a hostname to an IP address. Chapter 7 1. D. The addresses in the range 172.16.0.0 through 172.31.255.255 are all considered private, based on RFC 1918. Use of these addresses on the Internet is prohibited so that they can be used simultaneously in different administrative domains without concern for conflict. Some experts in the industry believe these addresses are not routable, which is not true. 
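As an added example that is not part of the book, the private, link-local, loopback, and multicast ranges the Chapter 7 answers cite, the inbound deny list from Chapter 13, answer 4, and a longest-prefix lookup showing that a private destination still routes normally inside an intranet. The organization prefix 203.0.113.0/24, the routing table, and the function names are this example's own constructions.

```python
"""Added example (not from the book): the IPv4 address categories named in the
Chapter 7 answers and the inbound deny list from Chapter 13, answer 4, turned
into runnable checks. Standard library only; all sample data is constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Ranges the answer key cites: RFC 1918 private blocks (Chapter 7, answer 1),
# APIPA link-local space (Chapter 7, answer 2), the loopback block 127.0.0.0/8
# and the multicast block 224.0.0.0/4 (Chapter 13, answer 4).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def classify(addr: str) -> str:
    """Return which cited category an IPv4 address falls into, or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in MULTICAST:
        return "multicast"
    return "public"


def edge_drop_reason(src: str, internal_prefixes: Iterable[IPv4Net]) -> Optional[str]:
    """Apply the deny list from Chapter 13, answer 4, to the source address of a
    packet arriving on the Internet-facing interface.

    Returns the reason the packet is dropped, or None when it may continue to
    the rest of the firewall policy. APIPA sources are not on that list, so
    they are deliberately left for later rules to judge."""
    ip = ipaddress.ip_address(src)
    # Our own prefixes can never legitimately be the source of a packet that
    # comes in from the Internet; such a packet is spoofed.
    if any(ip in net for net in internal_prefixes):
        return "spoofed internal source"
    kind = classify(src)
    if kind in ("loopback", "rfc1918", "multicast"):
        return kind + " source"
    return None


def next_hop(dst: str, routes: List[Tuple[IPv4Net, str]]) -> Optional[str]:
    """Longest-prefix-match lookup in an internal routing table.

    This is the point Chapter 7, answers 1 and 3, make: inside an intranet a
    private destination is routed like any other; only the Internet edge
    refuses private addresses."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in routes if ip in net]
    if not matches:
        return None
    # The most specific (longest) prefix wins.
    return max(matches, key=lambda m: m[0])[1]


# Constructed sample data for a hypothetical organization (not from the book).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # our public /24
INTERNAL_ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "10.0.0.1"),
    (ipaddress.ip_network("10.0.36.0/23"), "10.0.36.1"),        # more specific
    (ipaddress.ip_network("172.16.0.0/12"), "172.16.0.1"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),          # default route
]

if __name__ == "__main__":
    for src in ("10.1.2.3", "127.0.0.1", "224.0.0.9", "203.0.113.7", "198.51.100.4"):
        print(f"{src:>14}  {classify(src):<9}  drop: {edge_drop_reason(src, INTERNAL_PREFIXES)}")
    for dst in ("10.0.37.144", "172.20.5.5", "198.51.100.4"):
        print(f"{dst:>14}  next hop: {next_hop(dst, INTERNAL_ROUTES)}")
```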
bapp02.indd 04/01/2015 Page 835 836 Appendix B ■ Answers to Review Questions 2. B. APIPA uses the link-local private address range of 169.254.0.0 through 169.254.255.255 and a subnet mask of 255.255.0.0 (see RFC 3330). APIPA addresses are used by DHCP clients that cannot contact a DHCP server and have no static alternate configuration. These addresses are not Internet routable and cannot, by default, be used across routers on an internetwork. 3. C. Private IP addresses are not routable over the Internet, as either source or destination addresses. Because of that fact, any entity that wishes to use such addresses internally can do so without causing conflicts with other entities and without asking permission of any registrar or service provider. Despite not being allowed on the Internet, private IP addresses are fully routable on private intranets. 4. D. The Class A range is 1 through 126 in the first octet/byte so only option D is a valid Class A address. 5. C. The Class B range is 128 through 191 in the first octet/byte. Only option C is a valid Class B address. 6. B. If you turned on all host bits (all of the host bits are 1s), this would be a broadcast address for that network. 7. B. A Layer 2 broadcast is also referred to as a MAC address broadcast, which is in hexadecimal and is FF.FF.FF.FF.FF.FF. 8. C. A default Class C subnet mask is 255.255.255.0, which means that the first three octets, or first 24 bits, are the network number. 9. A. Packets addressed to a unicast address are delivered to a single interface. For load balancing, multiple interfaces can use the same address. 10. C. I wonder how many of you picked APIPA address as your answer? An APIPA address is 169.254.x.x. The host address in this question is a public address. Somewhat of a tricky question if you did not read carefully. 11. B. An IPv6 address is 128 bits in size. 12. B. 
Packets addressed to a multicast address are delivered to all interfaces identified by the multicast address, the same as in IPv4. A multicast address is also called a one-to-many address. You can tell multicast addresses in IPv6 because they always start with FF. 13. C. Anycast addresses identify multiple interfaces, which is the same as multicast; however, the big difference is that the anycast packet is delivered to only one address: the first one it finds defined in terms of routing distance. This address can also be called one-to-one-of-many or one-to-nearest. 14. A, C. The loopback address with IPv4 is 127.0.0.1. With IPv6, that address is ::1. 15. B, D. In order to shorten the written length of an IPv6 address, successive fields of zeros may be replaced by double colons. In trying to shorten the address further, leading zeros may also be removed. Just as with IPv4, a single device’s interface can have more than one address; with IPv6 there are more types of addresses and the same rule applies. There can be link-local, global unicast, and multicast addresses all assigned to the same interface. bapp02.indd 04/01/2015 Page 836 Chapter 8 837 16. C, D. IPv4 addresses are 32 bits long and are represented in decimal format. IPv6 addresses are 128 bits long and represented in hexadecimal format. 17. D. Only option D is in the Class C range of 192 through 224. It might look wrong because there is a 255 in the address, but this is not wrong—you can have a 255 in a network address, just not in the first octet. 18. C, E. The Class A private address range is 10.0.0.0 through 10.255.255.255. The Class B private address range is 172.16.0.0 through 172.31.255.255, and the Class C private address range is 192.168.0.0 through 192.168.255.255. 19. B. This can be a hard question if you don’t remember to invert the 7th bit! Always look for the 7th bit when studying for the exam. 
The EUI-64 autoconfiguration inserts an FF:FE in the middle of the 48-bit MAC address to create a unique IPv6 address. 20. C. Option C is a multicast address and cannot be used to address hosts. Chapter 8 1. D. A /27 (255.255.255.224) is 3 bits on and 5 bits off. This provides 8 subnets, each with 30 hosts. Does it matter if this mask is used with a Class A, B, or C network address? Not at all. The number of host bits would never change. 2. B. Don’t freak because this is a Class A. What is your subnet mask? 255.255.255.128. Regardless of the class of address, this is a block size of 128 in the fourth octet. The subnets are 0 and 128. The 0 subnet host range is 1–126, with a broadcast address of 127. The 128 subnet host range is 129–254, with a broadcast address of 255. You need a router for these two hosts to communicate because they are in different subnets. 3. C. This is a pretty simple question. A /28 is 255.255.255.240, which means that our block size is 16 in the fourth octet (0, 16, 32, 48, 64, 80, and so on). The host is in the 64 subnet. 4. F. A CIDR address of /19 is 255.255.224.0. This is a Class B address, so that is only 3 subnet bits, but it provides 13 host bits, or 8 subnets, each with 8,190 hosts. 5. C. The host ID of 10.0.37.144 with a 255.255.254.0 mask is in the 10.0.36.0 subnet (yes, you need to be able to subnet in this exam!). Do not stress that this is a Class A; what we care about is that the third octet has a block size of 2, so the next subnet is 10.0.38.0, which makes the broadcast address 10.0.37.255. The default gateway address of 10.0.38.1 is not in the same subnet as the host. Even though this is a Class A address, you still should easily be able to subnet this because you look more at the subnet mask and find your interesting octet, which is the third octet in this question. 256 – 254 = 2. Your block size is 2. 6. D. A /30, regardless of the class of address, has a 252 in the fourth octet. 
This means we have a block size of 4 and our subnets are 0, 4, 8, 12, 16, and so on. Address 14 is obviously in the 12 subnet. bapp02.indd 04/01/2015 Page 837 838 Appendix B ■ Answers to Review Questions 7. D. A point-to-point link uses only two hosts. A /30, or 255.255.255.252, mask provides two hosts per subnet. 8. C. Devices with Layer 3 awareness, such as routers and firewalls, are the only ones that can manipulate the IP header in support of NAT. 9. A. A /29 (255.255.255.248), regardless of the class of address, has only 3 host bits. Six hosts is the maximum number of hosts on this LAN, including the router interface. 10. C. A computer should be configured with an IP address that is unique throughout the reachable internetwork. It should be configured with a subnet mask that matches those of all other devices on its local subnet, but not necessarily one that matches the mask used on any other subnet. It should also be configured with a default gateway that matches its local router’s interface IP address. 11. A. A /29 (255.255.255.248) has a block size of 8 in the fourth octet. This means the subnets are 0, 8, 16, 24, and so on. 10 is in the 8 subnet. The next subnet is 16, so 15 is the broadcast address. 12. B. A 24-bit mask, or prefix length, indicates that the entire fourth octet is used for host identification. In a special case, such as this, it is simpler to visualize the all-zeros value (172.16.1.0) and the all-ones value (172.16.1.255). The highest usable address, the last one before the all-ones value, is 172.16.1.254. 13. A, E. First, if you have two hosts directly connected, as shown in the graphic, then you need a crossover cable. A straight-through cable won’t work. Second, the hosts have different masks, which puts them in different subnets. The easy solution is just to set both masks to 255.255.255.0 (/24). 14. A. A /25 mask is 255.255.255.128. 
Used with a Class B network, the third and fourth octets are used for subnetting with a total of 9 subnet bits: 8 bits in the third octet and 1 bit in the fourth octet. Because there is only 1 bit in the fourth octet, the bit is either off or on—which is a value of 0 or 128. The host in the question is in the 0 subnet, which has a broadcast address of 127 because 128 is the next subnet. 15. A. A /28 is a 255.255.255.240 mask. Let’s count to the ninth subnet (we need to find the broadcast address of the eighth subnet, so we need to count to the ninth subnet). We start at 16 (remember, the question stated that we will not use subnet 0, so we start at 16, not 0): 16, 32, 48, 64, 80, 96, 112, 128, 144. The eighth subnet is 128, and the next subnet is 144, so our broadcast address of the 128 subnet is 143. This makes the host range 129–142. 142 is the last valid host. 16. C. A /28 is a 255.255.255.240 mask. The first subnet is 16 (remember that the question stated not to use subnet 0), and the next subnet is 32, so our broadcast address is 31. This makes our host range 17–30. 30 is the last valid host. 17. A. The best method here is to check the configuration of devices that were using the old router as a gateway to the rest of the internetwork. Routers do not periodically cache their configurations to servers of any sort. You might have copied the old router’s configuration to a TFTP server or the like, but failing that, you will have to rebuild the configuration from scratch, which might well be much more than interface addresses. bapp02.indd 04/01/2015 Page 838 Chapter 9 839 Therefore, keeping a copy of the router’s current configuration somewhere other than on the router is a wise choice. Routers don’t auto-configure themselves; we wouldn’t want them to. 18. E. A Class B network ID with a /22 mask is 255.255.252.0, with a block size of 4 in the third octet. The network address in the question is in subnet 172.16.16.0 with a broadcast address of 172.16.19.255. 
Only option E has the correct subnet mask listed, and 172.16.18.255 is a valid host. 19. D, E. The router’s IP address on the E0 interface is 172.16.2.1/23, which is a 255.255.254.0. This makes the third octet a block size of 2. The router’s interface is in the 2.0 subnet, and the broadcast address is 3.255 because the next subnet is 4.0. The valid host range is 2.1 through 3.254. The router is using the first valid host address in the range. 20. A. Network Address Translation can allow up to 65,000 hosts to get onto the Internet with one IP address by using Port Address Translation (PAT). Chapter 9 1. C. Yep, you got it. RIP, RIPv2, and EIGRP are all examples of routing protocols. 2. C. In dynamic routing, routers update each other about all the networks they know about and place this information into the routing table. This is possible because a protocol on one router communicates with the same protocol running on neighbor routers. If changes occur in the network, a dynamic routing protocol automatically informs all routers about the event. 3. D. Dynamic routing scales well in large networks and routes are automatically added into the routing table. Static routing is done by hand, one route at a time into each router. 4. B. Media Access Control (MAC) addresses are always local on the LAN and never go through and past a router. 5. C. Routing convergence is the time required by the routing protocols to update the routing tables (forwarding tables) on all routers in the network. 6. D. The arp -a command will show the ARP cache on your host. 7. D. Hope you answered D! A router will not send a broadcast looking for the remote network—the router will discard the packet. 8. C. RIPv1 and 2 and IGRP are all distance vector (DV) protocols. Routers using a DV protocol send all or parts of their routing table in a routing-update message at a regular interval to each of their neighbor routers. 9. C, D. 
Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) are link state (LS) routing protocols. bapp02.indd 04/01/2015 Page 839 840 Appendix B ■ Answers to Review Questions 10. B. The only protocol you could select is Enhanced Interior Gateway Routing Protocol (EIGRP). The Network+ objectives list BGP as a hybrid routing protocol; just keep that in mind. 11. A. Interior Gateway Routing Protocol is a distance vector (DV) interior gateway protocol. 12. C. Border Gateway Protocol (BGP) is the most popular choice for ISPs or really large corporations. 13. A, C. Distance vector (DV) and link state (LS) are the two routing protocols to remember. 14. A, D. A frame uses MAC addresses to send a packet on the LAN. The frame will take the packet to either a host on the LAN or a router’s interface if the packet is destined for a remote network. 15. A. I hope you said A! Packets specifically have to be carried to a router in order to be routed through a network. 16. C. Remember that the frame changes at each hop but that the packet is never changed in any way until it reaches the destination device. 17. D. When the routing tables are complete because they include information about all networks in the internetwork, they are considered converged. 18. A. This is step 6 in the IP routing process. If the hardware address isn’t in the ARP cache of the host, an ARP broadcast is sent out onto the local network to search for the hardware address. 19. C. The best answer would be to reroute traffic using a temporary static route until the maintenance is complete on the router. 20. A. You are most likely to see a Request Timed Out message when (if) a packet is lost on the way back to the originating host for an unknown error. Remember, if the error occurs because of a known issue, you are likely to see a Destination Unreachable message. Chapter 10 1. C, D, F. 
RIPv1 and IGRP are true distance vector routing protocols and can’t do much, really—except build and maintain routing tables and use a lot of bandwidth! RIPv2, EIGRP, and OSPF build and maintain routing tables, but they also provide classless routing, which allows for VLSM, summarization, and discontiguous networking. 2. B, C. RIP and RIPv2 are distance vector routing protocols. OSPF and IS-IS are link state. 3. A, D. RIP and RIPv2 are distance vector routing protocols. OSPF and IS-IS are link state. bapp02.indd 04/01/2015 Page 840 Chapter 10 841 4. B, E. RIP and RIPv2 are distance vector routing protocols. OSPF and IS-IS are link state. EIGRP uses qualities from both distance vector and link state to create a hybrid routing protocol. BGP can be used as an EGP and IGP, and the objectives consider BGP a hybrid routing protocol. 5. C. Dynamic routing is typically used in today’s networks because it scales to larger networks and takes less administrative work. 6. F. Hot Standby Router Protocol (HSRP) is Cisco’s FHRP. Cisco also created GLBP. 7. C. Static routes may be a good solution, but remember that they are not dynamic and if a piece of equipment goes down, new routes to remote networks will not automatically update, so OSPF is the best answer. It dynamically will update the routing tables with faster convergence than RIP. 8. C. The administrative distance (AD) is a very important parameter in a routing protocol. The lower the AD, the more trusted the route. If you have IGRP and OSPF running, by default IGRP routes would be placed in the routing table because IGRP has a lower AD of 100. OSPF has an AD of 110. RIPv1 and RIPv2 both have an AD of 120, and EIGRP is the lowest at 90. 9. B. The routing protocols that have been upgraded to advertise IPv6 routes are RIPng, OSPFv3, and EIGRPv6. IS-IS can advertise IPv6 routes as well, but no upgrade was needed for IS-IS. 10. C. 
Dynamic routing protocols, like RIP, EIGRP and OSPF, automatically add route updates to the routing table. Static routes must be added by hand. 11. A. The distance vector protocols RIPv1 and RIPv2 both have a maximum hop count of 15 (remember, 16 is unreachable). IGRP and EIGRP have a hop count of 255, and OSPF doesn’t have a maximum hop count. 12. B. Routing convergence time happens in many protocols, for many devices, but routing convergence time is the time for all routers to update their routing tables (forwarding tables). 13. C. BGP is used to connect autonomous systems together on the Internet because of its ability to make classless routing and summarization possible. This helps to keep routing tables smaller and more efficient at the ISP core. 14. B. RIPv1 sends broadcasts every 30 seconds and has an AD of 120. RIPv2 sends multicasts (224.0.0.9) every 30 seconds and also has an AD of 120. RIPv2 sends subnet-mask information with the route updates, which allows it to support classless networks and non-contiguous networks. RIPv2 also supports authentication between routers; RIPv1 does not. 15. A, B. Both RIPv1 and RIPv2 have an AD of 120. EIGRP has an AD of 90 and OSPF is 110. 16. C. Border Gateway Protocol (BGP) attributes include the IP address to get to the next AS (the next-hop attribute) as well as an indication of how the networks at the end of the path were introduced into BGP (the origin code attribute). The AS path information bapp02.indd 04/01/2015 Page 841 842 Appendix B ■ Answers to Review Questions is useful to construct a graph of loop-free autonomous systems and is used to identify routing policies so that restrictions on routing behavior can be enforced based on the AS path. 17. A. RIPng has many of the same features as RIPv2: It’s a distance vector protocol; it has a max hop count of 15; and it uses split horizon, poison reverse, and other loop-avoidance mechanisms. 
And it still uses multicast to send its updates, too, but in IPv6, it uses FF02::9 for the transport address. For RIPv2, the multicast address was 224.0.0.9, so the address still has a 9 at the end in the new IPv6 multicast range. 18. B, C. EIGRP holds three tables in RAM: neighbor, topology, and routing. The neighbor and topology tables are built and also maintained with the use of hello packets. 19. D. A successor route (think “successful” rather than standby or backup) is used by EIGRP to forward traffic to a destination and is stored in the routing table. It is backed up by a feasible successor route that is stored in the topology table—if one is available. Remember that all routes are in the topology table. 20. A. RIP and RIPv2 use only hop count as a metric, with a maximum of 15 hops, to find the best path to a remote network. Chapter 11 1. D. By creating and implementing VLANs in your switched network, you can break up broadcast domains at Layer 2. For hosts on different VLANs to communicate, you must have a router or Layer 3 switch. 2. B, D. Hosts are connected to a switch and are members of one VLAN. This is called an access port. Trunk links connect between switches and pass information about all VLANs. 3. C. Virtual LANs break up broadcast domains in Layer 2 switched internetworks. 4. C, E. Both 802.1d and 802.1w are IEEE STP versions, with 802.1w being the latest and greatest version. 5. D, E. The best answers are that the VLAN membership for the port is configured incorrectly and that STP shut down the port. 6. B, C, F. VLANs break up broadcast domains in a switched Layer 2 network, which means smaller broadcast domains. They allow configuration by logical function instead of physical location and can create some security if configured correctly. 7. B. The Spanning Tree Protocol is used to stop switching loops in a switched network with redundant paths. 8. A, E. 
Bridges break up collision domains, which would increase the number of collision domains in a network and also make smaller collision domains. bapp02.indd 04/01/2015 Page 842 Chapter 12 9. 843 C. In order to see all frames that pass through the switch and read the packets with a network analyzer, you need to enable port mirroring on the port your diagnostic host is plugged into. 10. C. Trunking allows switches to pass information about many or all VLANs configured on the switches. 11. A, C, E. Layer 2 features include address learning, forwarding and filtering of the network, and loop avoidance. 12. B. Switches break up collision domains, and routers break 13. C. With the exception of the source port, switches flood all frames that have an unknown destination address. If a device answers the frame, the switch will update the MAC address table to reflect the location of the device. 14. C. Because the source MAC address is not in the MAC address table, the switch will add the source address and the port it is connected to into the MAC address table and then forward the frame to the outgoing port. 15. D. Virtual Trunk Protocol (VTP) is a Cisco proprietary method of having a single VLAN database advertised to all other switches in your network. This allows for ease of VLAN management in a larger network. Option C is not a possible configuration, by the way; I made that up. 16. A, B. The sequence of steps for STP convergence is, by default, disabled, blocking, listening, learning, and forwarding. When all ports are in either the blocking or forwarding state, STP is converged. 17. C, D. In the blocking and listening states, the MAC address table is not learning. Only in the learning and forwarding states is the MAC address table learning MAC addresses and populating the MAC address table. 18. B. Switches break up collision domains by default, but the network is still one large broadcast domain. 
In order to break up broadcast domains in a Layer 2 switched network, you need to create virtual LANs. 19. C. If you are configuring voice VLANs, you’ll want to configure Quality of Service (QoS) on the switch ports to provide a higher precedence to voice traffic over data traffic to improve quality of the line. 20. B. Be careful when using port mirroring/spanning on a switch because it can cause a lot of overhead on the switch and possibly crash your network. It’s therefore a good idea to use this feature at strategic times and only for short periods, if possible. Chapter 12 1. C. It is imperative that a good site survey is completed before you install your wireless network. Trying various types of antennas and their placements is the key to covering the whole wireless area. bapp02.indd 04/01/2015 Page 843 844 Appendix B ■ Answers to Review Questions 2. C. TLS provides really good wireless security, but it’s hard to implement because you need to install a certificate on your server and also on all your clients. TTLS only uses a server-side certificate. 3. C. The IEEE 802.11b and IEEE 802.11g both run in the 2.4GHz RF range. 4. B, D. If you are running 802.11b/g frequency, which most networks are, then you can receive interference from microwave ovens and cordless phones. 5. D. 802.11n uses channel bonding of both the 2.4GHz range and the 5GHz range to get increased bandwidth of over 100Mbps. 6. D. Bluetooth works wirelessly to connect our phones, keyboards, and so on in small areas, also known a personal area networks (PANs). 7. B. The IEEE 802.11a standard provides up to 12 non-overlapping channels, or up to 23 if you add the 802.11h standard. 8. D. The IEEE 802.11a standard provides a maximum data rate of up to 54Mbps. 9. C. If you have a large area to cover with wireless, you need to be concerned with channel overlap. 10. B. The IEEE 802.11b standard provides a maximum data rate of up to 11Mbps. 11. B. 
If everything is correctly configured on the host, then MAC filtering would stop the host from connecting to the AP. If you try to connect and can’t, check the AP’s settings. 12. A. The IEEE 802.11i standard replaced Wired Equivalent Privacy (WEP) with a specific mode of the Advanced Encryption Standard (AES) known as the Counter Mode Cipher Block Chaining-Message Authentication Code (CBC-MAC) protocol. This allows AES-Counter Mode CBC-MAC Protocol (AES-CCMP) to provide both data confidentiality (encryption) and data integrity. 13. C. If you disable SSID broadcasting, which you should, then you must configure the SSID name on the clients that need to connect to the AP. 14. B. The IEEE 802.11b standard uses Direct Sequence Spread Spectrum (DSSS). If you are running 802.11g, it uses Orthogonal Frequency Division Multiplexing (OFDM). 15. B. If you are running an extended service set (meaning more than one AP with the same SSID), you need to overlap the cell coverage by 10 percent or more so clients will not drop out while roaming. 16. B. You need to use directional antennas, like a Yagi, to get the best signal between antennas. 17. A. Extended service set ID means that you have more than one access point, they all are set to the same SSID, and they are all connected together in the same VLAN or distribution system so users can roam. 18. D. WPA is cool because it is easy to configure and works great. Type in a passphrase (assuming you’re using pre-shared key) and you’re done. Plus, you have great security because the keys change dynamically. bapp02.indd 04/01/2015 Page 844 Chapter 13 845 19. C. 802.11n uses two 20MHz wide channels to create a 40MHz wide channel, which provides over 100Mbps wireless. 20. B. 802.11n MIMO sends multiple frames by several antennae over several paths. The frames are then recombined by another set of antennae to optimize throughput and multipath resistance. This is called spatial multiplexing. Chapter 13 1. A. 
A non-persistent agent is one that is used to assess the device only during the one-time check-in at login. It can be used to support the assessment of endpoints not owned by the organization and as such can help to make a Bring Your Own Device (BYOD) policy possible. 2. C. On a private network, only authorized users have access to the data, whereas in a public network, everyone connected has access to the data. 3. B. After determining that the user has local network access, your next step would be to verify the VPN address and password. 4. D. To have good security on your network, deny any addresses from your internal networks, deny any local host addresses (127.0.0.0/8), deny any reserved private addresses, and deny any addresses in the IP multicast address range (224.0.0.0/4). 5. D. Tunneling is encapsulating one protocol within another protocol to complete a secure transmission. Options A, B, and C are all tunneling protocols you should be aware of, as well as Secure Sockets Layer Virtual Private Network (SSL VPN) and Point-to-Point Tunneling Protocol (PPTP). 6. A. SSL is based on RSA public-key encryption and is used to provide secure Session layer connections over the Internet between a web browser and a web server. 7. C. The minimum length should be eight characters, and the maximum length should be 15 characters. A strong password is a combination of alphanumeric and special characters that is easy for you to remember but difficult for someone else to guess. 8. B. IPSec works at the Network layer of the OSI model (Layer 3) and secures all applications that operate above it (Layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet. 9. D. IPSec works in both transport mode and tunneling mode. In transport mode, a secure IP connection between two hosts is created. 
Data is protected by authentication or encryption (or both). Tunnel mode is used between network endpoints to protect all data going through the tunnel.
10. B. Companies that want to ensure that their data is secure during transit should encrypt their data before transmission. Encryption is the process that encodes and decodes data.
bapp02.indd 04/01/2015 Page 845 846 Appendix B ■ Answers to Review Questions
11. A, C. Some older network utilities such as FTP and Telnet don’t have the ability to encrypt passwords.
12. C. To encode a message and decode an encrypted message, you need the proper encryption key or keys. The encryption key is the table or formula that defines which character in the data translates to which encoded character.
13. C. TLS was available for use with VPNs in earlier versions prior to 2.0.
14. D. The Data Encryption Standard (DES) is not a type of public-key encryption.
15. D. PPTP is a VPN protocol that was created by Microsoft and uses port 1723 to encrypt data at the Application level.
16. B. PPPoE has only two stages: discovery and session. In the discovery phase, the MAC addresses of each of the endpoints of the connection are given to each other so that a secure PPP connection can be made.
17. C. A fingerprint is an example of something you are. Other examples are retina scans and facial recognition.
18. A. RADIUS servers provide both authentication and encryption services and can combine these into one service. RADIUS can be used for allowing or denying both wired and wireless access at the domain level.
19. A. RADIUS combines user authentication and authorization into one centralized database and maintains user profiles.
20. D. Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients. ICA is a remote-access method.

Chapter 14
1. D. A denial of service (DoS) attack prevents users from accessing the system.
All of the options are possible denial of service attacks.
2. A. Session fixation is an attack in which the attacker sets the session ID ahead of time by sending a link to the victim with the ID preset. Then when the user connects, the attacker waits for the authentication to complete and takes over the session by disconnecting the user and using the ID to reconnect.
3. A. Options B, C, and D are all DoS attacks, so the only real answer is a file virus. A file virus attacks executable application and system program files.
4. A. In war driving, the attacker simply drives around with a high-powered antenna connected to a wireless laptop scanning for networks.
5. D. These are all examples of boot-sector viruses that get into the master boot record. A boot-sector virus will overwrite the boot sector, thereby making it look as if there is no pointer to your operating system. When you power up the computer, you will see a Missing Operating System or Hard Disk Not Found error message.
6. A. A multipartite virus is one that affects both the boot sector and files on your computer.
7. C. A worm can actively replicate itself without user intervention, whereas a virus can be activated and spread only if a user opens an application.
8. B. A brute force attack is a software-related attack that employs a program that is running on a targeted network to log in to some type of shared network resource like a server.
9. A. Social engineering, or phishing, refers to the act of attempting to illegally obtain sensitive information by pretending to be a credible source. Phishing usually takes one of two forms: an email or a phone call.
10. B. A clean-desk policy means that all important documents, such as books, schematics, confidential letters, and the like, are removed from the desk (and locked away) when employees leave their workstations.
11. D.
It is important to train all employees by informing them that people may try to call and email them to gather information to attack the company. This is called phishing or social engineering.
12. B. When you set the AP to not broadcast the SSID, it will remove the SSID from packets called beacons (these are the packets that populate the display when you scan for networks) but it will still be present in many other packet types.
13. A. A security procedure defines the appropriate response to a security event on your network.
14. A. Soon after WEP’s adoption as a security measure, it was discovered that due to a weakness in the way the algorithm was employed, programs that became widely available on the Internet could be used to crack the WEP key.
15. B. Windows Update is a utility that is typically automatically installed when you install Windows. The update engine will periodically scan your system for the version of Windows components you have installed and compare them to the most current versions available from Microsoft. If your software is out-of-date, a Windows Update dialog box will appear, asking if you want to install the software updates.
16. C. With so much code written for applications and operating systems, developers go back after the initial release to fix any problems that are uncovered. These fixes are released as hotfixes or patches.
17. A. The first responder is responsible for securing the crime scene and protecting the evidence from corruption.
18. D. Heuristic scanning allows for this type of scanning. The engine looks for suspicious activity that might indicate a virus.
19. A. Every week, you need to update your list of known viruses—called the virus definition files. You can do this manually or automatically through the manufacturer’s website. You can use a staging server within your company to download and then distribute the updates, or you can set up each computer to download updates.
20. D. An antivirus program examines the computer suspected of being infected and eradicates any viruses it finds using any of these methods.

Chapter 15
1. C. Firewalls work by allowing only packets that pass security restrictions to be forwarded through the firewall. A firewall can also permit, deny, encrypt, decrypt, and proxy all computer traffic that flows through it; this can be between a public and private network or between different security domains (or zones) on a private network. You, as the administrator, set up the rules by which a firewall decides to forward or reject packets of data.
2. B. Proximity readers are door controls that read a card from a short distance and are used to control access to sensitive rooms.
3. B. A network-based firewall is what companies use to protect their private network from public networks. The defining characteristic of this type of firewall is that it’s designed to protect an entire network of computers as opposed to just one system. This is usually a combination of hardware and software. A host-based firewall is implemented on one machine and is designed to protect that machine only. Most often, this is implemented as software; no additional hardware is required in your personal computer to run a host-based firewall.
4. C. A properly designed disaster recovery plan (DRP) minimizes the effect of a disaster and includes the steps necessary to resume normal operation. The DRP is implemented when the emergency occurs and includes the steps to restore functions and systems.
5. B. Nessus cannot identify incorrect IP addresses.
6. C. One of the benefits of using a firewall is that it helps protect LAN resources from unwanted attacks.
7. B. An intrusion detection system (IDS) monitors network traffic, looking for signs of an intrusion. Intrusions are detected by an attack signature.
8. A.
RAID-0, also called disk striping, writes the data across multiple drives. While it improves performance, it does not provide fault tolerance.
9. C. Standard, extended, and outbound are all types of ACL. Referred is not.
10. B. You can sometimes just ignore the attack because it’s possible it won’t affect your network. This is called shunning.
11. C. A DMZ can be set up many different ways, but the best explanation is that the DMZ is used to separate and secure your inside network from the Internet while still allowing hosts on the Internet to access your servers.
12. E. Most firewalls provide content filtering, signature identification, and the ability to segregate network segments into separate security zones. Most firewalls are also capable of performing scanning services, which means that they scan different types of incoming traffic in an effort to detect problems.
13. A. In a blind test, the testing team is provided with limited knowledge of the network systems and devices using publicly available information. The organization’s security team knows that an attack is coming. This type of test requires more effort by the testing team.
14. B. Nessus is a proprietary vulnerability scanning program that requires a license for commercial use, yet is the single most popular scanning program in use.
15. C. Nessus does not collect passwords.
16. D. Changing network configurations, terminating sessions, and deceiving the attacker are all actions that can be taken by an IPS device.
17. D. Proxies act on behalf of the whole network to completely separate packets from internal hosts and external hosts.
18. B. Nessus operates by performing a port scan and then follows up with more specific tests, but it cannot identify IP address conflicts.
19. C. A stateful firewall keeps track of the established connections passing through it.
When another packet is received that’s part of an existing connection (part of a current state), the packet is passed without checking the ACLs.
20. C. An intrusion prevention system (IPS) is like an IDS but with two key differences. First, it learns what is “normal” on the network and can react to abnormalities even if they’re not part of the signature database. Second, it can issue an active response such as shutting down a port, resetting connections, or attempting to lull an attacker into a trap.

Chapter 16
1. D. Routing Information Protocol (RIP) is not a WAN protocol but a routing protocol used in internetworks.
2. C. These different protocols and technologies all occupy the lower three layers of the OSI model: the Physical layer, the Data Link layer, and sometimes the Network layer. Most WAN protocols work only at the Physical layer and Data Link layer.
3. B. The demarcation point is the precise spot where the service provider’s responsibility ends and the CPE begins.
4. D. The European version of the T1 is the E1, which operates at 2.048Mbps and uses 30 64Kbps channels (30 DS0s), and two channels are used for D channels, which makes 32 total DS0s.
5. C. The demarc is the precise spot where the service provider’s (local exchange carrier’s) responsibility ends and the CPE begins. It’s generally a device in a telecommunications closet owned and installed by the telecommunications company (telco).
6. D. Cable is a great cost-effective connection for a small office or home office (SOHO).
7. C. A T1 has a line speed of 1.544Mbps. This 1.544Mbps connection uses Digital Signal 1 (DS1) and aggregates 24 discrete 64Kbps channels that use Digital Signal 0 (DS0). Other T-series connections have greater maximum connection speeds.
8. C. LTE is true 4G and has the best data rates.
9. B. OC-1, OC-3, OC-12, OC-48, and OC-192 are the normal service offerings.
OC-1 has the lowest data rate at 51.84Mbps, and OC-192 is the highest at 9.953Gbps.
10. A. Bluetooth uses a radio technology called Frequency Hopping Spread Spectrum. It chops up the data being sent and transmits chunks of it through the air on up to 75 different frequencies.
11. C. The x in xDSL represents the different letters that refer to the DSL flavors. xDSLs use high-frequency signals, whereas regular phone calls use low-frequency signals over the same lines.
12. C. ADSL, HDSL, SDSL, VDSL or VHDSL, and VDSL2 are all common xDSL types. Synchronous Optical Network (SONET) is the standard for synchronous data transmission on optical fiber.
13. D. DOCSIS stands for Data Over Cable Service Interface Specifications. All cable modems and like devices have to measure up to this standard.
14. C. Optical carrier 12 has speeds up to 622Mbps.
15. C. ATM uses a high-speed cell-switching technology that can handle data as well as real-time voice and video. The ATM protocol breaks up transmitted data into 53-byte cells.
16. A. Frame Relay is the frame WAN technology in which variable-length packets are transmitted by switching.
17. C. The committed information rate (CIR) is the rate, in bits per second, at which the Frame Relay switch guarantees to transfer data.
18. C. We’re thinking in terms of a DSL, so a CSU/DSU is not used, nor is a demarc. If clocking was down, your Internet would be completely down. Input errors could be indicative of a duplex issue.
19. B. A T3 line works similarly to a T1 connection but carries a whopping 44.736Mbps. This is equivalent to 28 T1 circuits (or a total of 672 DS0 channels), and it uses a signal known as Digital Signal 3 (DS3).
20. C. Wavelength Division Multiplexing (WDM) is a technology that multiplexes multiple optical carriers on a single optical fiber by using different wavelengths.

Chapter 17
1. C.
The program Packet Internet Groper (ping) is used to find out if a host has the IP stack initialized.
2. A. The arp utility is used to display the contents of the ARP cache, which tracks the resolution of IP addresses to physical (MAC) addresses and will produce the displayed output.
3. A. Microsoft has made what it calls Remote Desktop software available for free with Windows products since Windows NT. When this software is installed (installed by default in later versions) on both source and destination computers, a remote desktop connection can be made.
4. B. The purpose of the ping utility is to test the communications channel between two IP hosts as well as how long it takes the packets to get from one host to another.
5. C. The ipconfig /all utility will display the current configuration of TCP/IP on a given workstation—including the current IP address, DNS configuration, WINS configuration, and default gateway.
6. B, D. The address 127.0.0.1 is the special IP address designated for the local TCP/IP interface. The hostname localhost is the hostname given to the local interface. Therefore, pinging either the IP address or the hostname for the local interface will tell you whether the local interface is working.
7. A. The command nbtstat -r displays all the name resolutions performed by the local client as well as their associated IP addresses. The -R switch will reload the cache.
8. C. The arp utility will show you the resolved MAC to IP address of all hosts on your network segment. Remember, this will work for only local hosts, not remote hosts.
9. B. To purge and reload the remote NetBIOS name cache, you must use nbtstat -R. Remember that the R must be uppercase and that it will not work correctly without the hyphen before it.
10. B. Commercial sniffers like Wireshark and OmniPeek can capture any packets because they set the NIC to operate in promiscuous mode, which means the NIC processes all packets that it sees.
11. B.
The tracert utility will give you that output. The tracert command (or trace for short) traces the route from the source IP host to the destination host.
12. C. The tracert utility will tell you which router is having the performance problem and how long it takes to move between each host. tracert can be used to locate problem areas in a network.
13. A. The ipconfig /all switch will display the most complete listing of TCP/IP configuration information, also displaying the MAC address, DHCP lease times, and the DNS addresses.
14. C. The tracert utility returns the names and addresses of all routers through which a packet passes on its way to a destination host.
15. E. The telnet utility can be used to test if a particular IP host is responding on a particular TCP port.
16. C. The arp /a command will display the current contents of the ARP cache on the local workstation.
17. C. dig is an old Unix command that will show you DNS server information.
18. A, D. The arp utility’s -a and -g switches perform the same function. They both show the current ARP cache.
19. B, E, F. The nslookup, ipconfig, and ifconfig commands will show you the DNS servers that a computer is configured to use.
20. C. The command nbtstat -s will display pre-protocol statistics for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6.

Chapter 18
1. A, B, C. Yup, all of the above. The CompTIA Network+ objectives cover all three in regard to tools used to analyze today’s networks.
2. C. The basic purpose of packet sniffers or network analyzers is to collect and analyze each individual packet that is captured on a specific network segment to determine whether problems are happening. You can also use them to see if there is too much traffic on a segment.
3. A. A toner probe sends a signal down a pair of wires so that the wires can be traced.
Typically, a butt set is used to find this signal, but toner probe is the best answer to this question.
4. B. An optical time-domain reflectometer (OTDR) is an optoelectronic instrument used to give you the skinny on optical fibers. It works by putting out a series of optical pulses into the specific fiber you want to test and can tell you if a break in the fiber has occurred and where.
5. B. To create a patch cable (568A) to connect your host to a jack in the wall, you need to use a snip.
6. A. Remember that firewalls are the first line of defense for an Internet-connected network. If a network was directly connected to the Internet without a firewall, an attacker could theoretically gain direct access to the computers and servers on that network with little effort. The IDS/IPS software is usually positioned between your internal router and the firewall to the outside network (Internet).
7. C. Hope you answered C! A port scanner is just a piece of software designed to search a network for open hosts. Administrators of networks use port scanners to ensure security and bad guys use them to compromise it.
8. D. Wire-map testing is the most basic type of testing for twisted-pair cables. It detects transposed wires, opens (broken or unconnected wires), and shorts (wires or pins improperly connected to each other).
9. B. A time-domain reflectometer (TDR) is a tool that finds and describes faults in metallic cables like twisted wire pairs and coaxial cables. The equivalent device for optical fiber is an optical time-domain reflectometer (OTDR). A TDR can also check the speed and condition of the signal on the cable.
10. B. A certifier is a combination cable tester and network analyzer, only better. It can test the performance and response times of network resources and certify your full Category 6 cable installation at the same time.
11. D.
Unlike port scanners, packet sniffers actually look inside every packet on a network segment at the frame level.
12. C. Due to sensitivity to any variation and impedance, options A, B, D, and E are all reasons you’d use a TDR.
13. A. A multimeter, or a volt/ohm meter (VOM), is used to measure voltage, current, and resistance.
14. D. Otherwise known as a “fox and hound” wire tracer, a toner probe would be useful in this situation. A toner probe will emit an audible tone when it touches the other end of the cable.
15. A. I hope you said A! A punch-down tool would be used if you needed to connect wire to a punch-down block. Most networks today have wiring closets, and to terminate the cables, you’re certain to need a punch-down tool.
16. B. A wire crimper, or crimper, is used for attaching ends onto different types of network cables.
17. C. A punch-down tool is used to punch down an RJ-45 cable to an insulation displacement connector, typically a 110 block.
18. D. An everyday surge protector monitors the incoming voltage level and trips a circuit breaker when the voltage reaches a certain level, known as the overvoltage threshold.
19. B. A loopback test is a diagnostic procedure in which a signal is transmitted and returned to the sending device after passing through all or a portion of a network or circuit. A loopback plug makes this test possible.
20. B. Electronic devices are prone to overheating, which is why you should use a temperature monitor.

Chapter 19
1. A, F. Rebooting servers and routers are not part of the troubleshooting model.
2. B. You need to check basic connectivity. The link light indicates that the network card is making a basic-level connection to the rest of the network. It is a very easy item to check, and if the link light is not lit, it is usually a very simple fix (like plugging in an unplugged cable).
3. B.
When wireless users complain that the network is slow (latency) or that they are losing their connection to applications during a session, it is usually latency arising from a capacity issue.
4. B. Although all of these are good tests for network connectivity, checking the server console for user connections will tell you whether other users are able to log into the server. If they can, the problem is most likely related to one of those users’ workstations. If they can’t, the problem is either the server or network connection. This helps narrow down the problem.
5. B. Because of all the tests given and their results, you can narrow the problem down to the network connectivity of that workstation. And because no other users in her area are having the same problem, it can’t be the hub or server. You can log in as the user from your workstation, so you know it isn’t a rights issue or username/password issue. The only possible answer listed is a bad patch cable.
6. A. Because other users in the same area aren’t having a problem, it can’t be a downed server, network hub, or jabbering NIC. And because both you and the user can’t log in, more than likely it’s a problem specific to that workstation. The only one that would affect your ability to log in from that station is the Caps Lock key being pressed. That will cause the password to be in all uppercase (which most server operating systems treat as a different password), and thus it will probably be rejected.
7. D. Since this is a new connection, you need to start by troubleshooting and identify the symptoms and potential causes.
8. B. According to the Network+ troubleshooting model, the next step would be step 2, establishing the most probable cause.
9. C. After determining the affected area, you need to find out if any changes have taken place.
10. A. Because the user can’t log in correctly from any machine, more than likely he is using the wrong procedure for logging in.
Because no one else is having that problem (including yourself), the problem must be related to that user.
11. C. After you have implemented a solution, you need to test if the solution works and identify other effects it may have.
12. B. Because you cannot reach the web page that resides on the server, the problem is most likely related to your browser.
13. A, B, C. From a design standpoint, the physical environment for a server should be optimized for items such as placement, temperature, and humidity. When troubleshooting, don’t forget to check the physical conditions under which the network device is operating. Check for problems such as those mentioned here as well as EMI/RFI problems, power problems, and unplugged cables.
14. D. Because most of today’s networks still consist of large amounts of copper cable, networks can suffer from the physical issues that have plagued all networks since the very beginning of networking (and the answers here are not a complete list). Newer technologies and protocols have lessened these issues but have not resolved them completely.
15. A. Once you have determined that the switch or the configuration of the switch is the problem, you need to escalate the issue.
16. D. Because other people are experiencing the problem, most likely it is either network or server related. Because you can transfer files to and from another server, it can’t be the network. Thus, the problem is related to the web server.
17. D. After investigating the problem thoroughly and successfully testing and resolving an issue, you need to document the solution.
18. B. Since users can get to the Internet, this means the DNS server is working and they have the correct default gateway. The intranet server is probably down.
19. C. Performance-monitoring tools can give you an idea of how busy the server and the rest of the network are. These tools use graphs to indicate how much traffic is going through the server.
20. C. Once you escalate the problem, you are done with the seven-step model. Meet with the escalation team to determine the next step.

Chapter 20
1. C. UTP cables use an RJ-45 connector. RJ-11 and RJ-25 are often used for terminating telephone lines.
2. B. Straight-through cables, known as drop cables or patch cables, will have the pins in the same order on both connectors.
3. B. On a crossover cable, one connector has flipped the wires. Specifically, pins 1 and 3 get switched, and pins 2 and 6 get switched.
4. C. If you are going to make your own UTP cables (drop/patch cables) to customize length, you need to make sure that the right wires get to the right pins.
5. C. Electrostatic discharge (ESD) is the technical term for what happens when two objects of dissimilar charge come in contact.
6. C. Policies govern how the network is configured and operated as well as how people are expected to behave on the network, such as how users are able to access resources and which types of employees get network access.
7. A. A physical network diagram contains all the physical devices and connectivity paths on your network and should accurately picture how your network physically fits together in detail. This document will also have the firmware revision on all the switches and access points in your network.
8. A. An ICS server, also called a data acquisition server, uses coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions.
9. B. Network monitoring can have several names, including load testing, connectivity testing, and throughput testing. You will also hear network monitors referred to as protocol analyzers.
10. D. QoS provides different priority levels to different applications, data flows, or users so that they can be guaranteed a certain performance level.
11. A.
Those making the changes should be completely briefed in rollback procedures, and they should exhibit a clear understanding of them prior to implementing the changes.
12. D. The job isn’t complete until the paperwork is complete. In this case, network configurations, additions to the network, and physical location changes should be updated to reflect the changed state of the network.
13. B. Common Address Redundancy Protocol (CARP) can be used to increase availability of gateways and firewalls.
14. B. If you add a new cable segment to the network, you need to update the wiring schematics document.
15. C, E. Quality of service (QoS) is basically the ability to provide different priority to one or more types of traffic over other levels for different applications, data flows, or users so that they can be guaranteed a certain performance level.
16. A. Traffic shaping, also known as packet shaping, is a form of bandwidth optimization. It delays packets that meet a certain criteria to guarantee usable bandwidth for other applications. Essentially, with traffic shaping, you’re delaying some traffic so other traffic can get through. Traffic shaping uses bandwidth throttling to ensure that certain data streams don’t send too much data in a specified period of time.
17. C. Common Address Redundancy Protocol (CARP) can be used to increase availability of gateways and firewalls. It is not related to virtualization.
18. A, B, C, D. There are many bandwidth-intensive programs, like VoIP and video streaming. These are just a few of the reasons it’s necessary to try to optimize network performance.
19. C. Voice over Internet Protocol (VoIP) is a general term that describes several technologies that are able to deliver voice communications over the Internet or other data networks.
20. A, B, C, D. There are many theories and strategies you can apply to optimize performance on your network. All of them deal with controlling the traffic in some way.
Strategies include QoS, traffic shaping, load balancing, high availability, and the use of caching servers. You want to ensure that you have plenty of bandwidth available for those applications that need it, such as critical service operations, VoIP, and real-time multimedia streaming.

Appendix C
Subnetting Class A
bapp03.indd 04/02/2015 Page 857

Class A subnetting is not performed any differently than subnetting with Classes B and C, but there are 24 bits to play with instead of the 16 in a Class B address and the 8 in a Class C address. Let’s start by listing all the Class A masks:
255.0.0.0 (/8)
255.128.0.0 (/9)
255.192.0.0 (/10)
255.224.0.0 (/11)
255.240.0.0 (/12)
255.248.0.0 (/13)
255.252.0.0 (/14)
255.254.0.0 (/15)
255.255.0.0 (/16)
255.255.128.0 (/17)
255.255.192.0 (/18)
255.255.224.0 (/19)
255.255.240.0 (/20)
255.255.248.0 (/21)
255.255.252.0 (/22)
255.255.254.0 (/23)
255.255.255.0 (/24)
255.255.255.128 (/25)
255.255.255.192 (/26)
255.255.255.224 (/27)
255.255.255.240 (/28)
255.255.255.248 (/29)
255.255.255.252 (/30)

That’s it. You must leave at least 2 bits for defining hosts. And I hope you can see the pattern by now. Remember, we’re going to do this the same way as a Class B or C subnet. It’s just that, again, we simply have more host bits, and we use the same subnet numbers we used with Class B and Class C, but we start using these numbers in the second octet.

Subnetting Practice Examples: Class A Addresses
When you look at an IP address and a subnet mask, you must be able to distinguish the bits used for subnets from the bits used for determining hosts. This is imperative. If you’re still struggling with this concept, please reread Chapter 6, “Introduction to the Internet Protocol.” It shows you how to determine the difference between the subnet and host bits and should help clear things up.
Practice Example #1A: 255.255.0.0 (/16)
Class A addresses use a default mask of 255.0.0.0, which leaves 22 bits for subnetting since you must leave 2 bits for host addressing. The 255.255.0.0 mask with a Class A address is using 8 subnet bits.
■ Subnets? 2^8 = 256.
■ Hosts? 2^16 – 2 = 65,534.
■ Valid subnets? What is the interesting octet? 256 – 255 = 1. 0, 1, 2, 3, etc. (all in the second octet). The subnets would be 10.0.0.0, 10.1.0.0, 10.2.0.0, 10.3.0.0, etc., up to 10.255.0.0.
■ Broadcast address for each subnet?
■ Valid hosts?
The following table shows the first two and last two subnets, valid host range, and broadcast addresses for the private Class A 10.0.0.0 network:

Subnet       10.0.0.0       10.1.0.0       …   10.254.0.0       10.255.0.0
First host   10.0.0.1       10.1.0.1       …   10.254.0.1       10.255.0.1
Last host    10.0.255.254   10.1.255.254   …   10.254.255.254   10.255.255.254
Broadcast    10.0.255.255   10.1.255.255   …   10.254.255.255   10.255.255.255

Practice Example #2A: 255.255.240.0 (/20)
255.255.240.0 gives us 12 bits of subnetting and leaves us 12 bits for host addressing.
■ Subnets? 2^12 = 4096.
■ Hosts? 2^12 – 2 = 4094.
■ Valid subnets? What is your interesting octet? 256 – 240 = 16. The subnets in the second octet are a block size of 1 and the subnets in the third octet are 0, 16, 32, etc.
■ Broadcast address for each subnet?
■ Valid hosts?
The following table shows some examples of the host ranges—the first three and the last subnets:

Subnet       10.0.0.0      10.0.16.0     10.0.32.0     …   10.255.240.0
First host   10.0.0.1      10.0.16.1     10.0.32.1     …   10.255.240.1
Last host    10.0.15.254   10.0.31.254   10.0.47.254   …   10.255.255.254
Broadcast    10.0.15.255   10.0.31.255   10.0.47.255   …   10.255.255.255

Practice Example #3A: 255.255.255.192 (/26)
Let’s do one more example using the second, third, and fourth octets for subnetting.
■ Subnets? 2^18 = 262,144.
■ Hosts? 2^6 – 2 = 62.
■ Valid subnets? In the second and third octet, the block size is 1, and in the fourth octet, the block size is 64.
■ Broadcast address for each subnet?
■ Valid hosts?

The following table shows the first four subnets and their valid hosts and broadcast addresses in the Class A 255.255.255.192 mask:

Subnet       10.0.0.0    10.0.0.64    10.0.0.128   10.0.0.192
First host   10.0.0.1    10.0.0.65    10.0.0.129   10.0.0.193
Last host    10.0.0.62   10.0.0.126   10.0.0.190   10.0.0.254
Broadcast    10.0.0.63   10.0.0.127   10.0.0.191   10.0.0.255

The following table shows the last four subnets and their valid hosts and broadcast addresses:

Subnet       10.255.255.0    10.255.255.64    10.255.255.128   10.255.255.192
First host   10.255.255.1    10.255.255.65    10.255.255.129   10.255.255.193
Last host    10.255.255.62   10.255.255.126   10.255.255.190   10.255.255.254
Broadcast    10.255.255.63   10.255.255.127   10.255.255.191   10.255.255.255

Subnetting in Your Head: Class A Addresses

This sounds hard, but as with Class C and Class B, the numbers are the same; we just start in the second octet. What makes this easy? You only need to worry about the octet that has the largest block size (typically called the interesting octet; one that is something other than 0 or 255)—for example, 255.255.240.0 (/20) with a Class A network. The second octet has a block size of 1, so any number listed in that octet is a subnet. The third octet is a 240 mask, which means we have a block size of 16 in the third octet.

If your host ID is 10.20.80.30, what is your subnet, broadcast address, and valid host range? The subnet in the second octet is 20 with a block size of 1, but the third octet is in block sizes of 16, so we'll just count them out: 0, 16, 32, 48, 64, 80, 96 . . . voilà! (By the way, you can count by 16s by now, right?) This makes our subnet 10.20.80.0, with a broadcast of 10.20.95.255 because the next subnet is 10.20.96.0. The valid host range is 10.20.80.1 through 10.20.95.254.
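The block-size method used in the practice examples and the in-your-head example above, and the arithmetic behind the written labs later in this appendix, as a runnable helper. This is an added example, not code from the study guide: the function names are my own, and the only dependency is Python's standard ipaddress module, used here purely to cross-check the hand arithmetic (the hand method itself never consults it).

```python
import ipaddress

# Added example (not from the study guide): the appendix's hand method as code.
# Every number is derived from the prefix length and the first octet.

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}  # classful default masks


def prefix_to_mask(prefix):
    """/prefix -> dotted-decimal mask, e.g. 20 -> '255.255.240.0'."""
    if not 8 <= prefix <= 30:
        raise ValueError("use /8 .. /30; at least 2 host bits must remain")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(ip):
    """Classful class from the first octet (A < 128, B < 192, C < 224, D < 240)."""
    first = int(ip.split(".")[0])
    for cls, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return cls
    return "E"


def hosts_per_subnet(prefix):
    """Written Lab 1 column: 2^(host bits) - 2 (network and broadcast removed)."""
    return 2 ** (32 - prefix) - 2


def subnet_info(cidr):
    """Everything the practice examples and Written Lab 2 ask for one host address."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    cls = address_class(ip)
    if cls not in DEFAULT_PREFIX:
        raise ValueError("class %s addresses are not subnetted" % cls)
    mask = prefix_to_mask(prefix)
    subnet_bits = prefix - DEFAULT_PREFIX[cls]
    host_bits = 32 - prefix
    net, bcast = [], []
    for ip_o, m_o in zip(map(int, ip.split(".")), map(int, mask.split("."))):
        if m_o == 255:              # fully masked octet: copied as-is
            net.append(ip_o)
            bcast.append(ip_o)
        elif m_o == 0:              # pure host octet: 0 in subnet, 255 in broadcast
            net.append(0)
            bcast.append(255)
        else:                       # the "interesting" octet: count in block sizes
            block = 256 - m_o
            start = (ip_o // block) * block
            net.append(start)
            bcast.append(start + block - 1)
    dotted = lambda octets: ".".join(str(o) for o in octets)
    return {
        "class": cls, "mask": mask,
        "subnet_bits": subnet_bits, "host_bits": host_bits,
        "subnets": 2 ** subnet_bits, "hosts": 2 ** host_bits - 2,
        "subnet": dotted(net),
        "first_host": dotted(net[:3] + [net[3] + 1]),
        "last_host": dotted(bcast[:3] + [bcast[3] - 1]),
        "broadcast": dotted(bcast),
    }


def nth_subnet(classful_net, prefix, k):
    """k-th subnet (0-based; negative counts from the end) when classful_net is
    carved into /prefix blocks. Reproduces the 'first two / last two' tables."""
    base = ipaddress.ip_network(classful_net)
    total = 2 ** (prefix - base.prefixlen)
    if k < 0:
        k += total
    if not 0 <= k < total:
        raise IndexError("only %d subnets of /%d in %s" % (total, prefix, classful_net))
    size = 2 ** (32 - prefix)
    start = int(base.network_address) + k * size
    addr = lambda n: str(ipaddress.ip_address(n))
    return {"subnet": addr(start), "first_host": addr(start + 1),
            "last_host": addr(start + size - 2), "broadcast": addr(start + size - 1)}


def cross_check(cidr):
    """True when the hand method agrees with the standard library for cidr."""
    info = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (info["subnet"], info["first_host"], info["last_host"], info["broadcast"]) == (
        str(net.network_address), str(net[1]), str(net[-2]), str(net.broadcast_address))


if __name__ == "__main__":
    for cidr in ("10.20.80.30/20", "10.1.3.65/23", "10.25.66.154/23", "208.100.54.209/30"):
        print(cidr, subnet_info(cidr), "ok" if cross_check(cidr) else "MISMATCH")
    for k in (0, 1, -2, -1):
        print(nth_subnet("10.0.0.0/8", 26, k))
```

The interesting-octet loop is the whole trick: octets under a 255 are copied, octets under a 0 become 0/255, and the single octet in between is rounded down to a multiple of its block size. Because the hand method and ipaddress are independent, a mismatch from cross_check is a reliable sign that a mask was mistyped.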
And yes, no lie! You really can do this in your head if you just get your block sizes nailed! Okay, let's practice on one more, just for fun!

Host IP: 10.1.3.65/23

First, you can't answer this question if you don't know what a /23 is. It's 255.255.254.0. The interesting octet here is the third one: 256 – 254 = 2. Our subnets in the third octet are 0, 2, 4, 6, etc. The host in this question is in subnet 10.1.2.0, and the next subnet is 10.1.4.0, so that makes the broadcast address 10.1.3.255. And any address between 10.1.2.1 and 10.1.3.254 is considered a valid host.

Written Lab 1

Given a Class A network and the net bits identified (CIDR), complete the following table to identify the subnet mask and the number of host addresses possible for each mask.

Classful Address   Subnet Mask   Number of Hosts per Subnet (2^x – 2)
/16
/17
/18
/19
/20
/21
/22
/23
/24
/25
/26
/27
/28
/29
/30

Written Lab 2

Given the decimal IP address, write in the address class, number of subnet and host bits, number of subnets, and number of hosts for each IP address.
Decimal IP Address   Address Class   Number of Subnet and Host Bits   Number of Subnets (2^x)   Number of Hosts (2^x – 2)
10.25.66.154/23
172.31.254.12/24
192.168.20.123/28
63.24.89.21/18
128.1.1.254/20
208.100.54.209/30

Answers to Written Lab 1

Classful Address   Subnet Mask       Number of Hosts per Subnet (2^x – 2)
/16                255.255.0.0       65,534
/17                255.255.128.0     32,766
/18                255.255.192.0     16,382
/19                255.255.224.0     8,190
/20                255.255.240.0     4,094
/21                255.255.248.0     2,046
/22                255.255.252.0     1,022
/23                255.255.254.0     510
/24                255.255.255.0     254
/25                255.255.255.128   126
/26                255.255.255.192   62
/27                255.255.255.224   30
/28                255.255.255.240   14
/29                255.255.255.248   6
/30                255.255.255.252   2

Answers to Written Lab 2

Decimal IP Address   Address Class   Subnet/Host Bits   Number of Subnets (2^x)   Number of Hosts (2^x – 2)
10.25.66.154/23      A               15/9               32,768                    510
172.31.254.12/24     B               8/8                256                       254
192.168.20.123/28    C               4/4                16                        14
63.24.89.21/18       A               10/14              1,024                     16,382
128.1.1.254/20       B               4/12               16                        4,094
208.100.54.209/30    C               6/2                64                        2

Index

Note to the reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

A

A records, 147, 149, 834 -a switch nbtstat utility, 642–644 netstat utility, 650 -A switch, nbtstat utility, 644 AAA (authentication, authorization, accounting), 458–459 AAA records, 148 AAAA (authentication, authorization, accounting, audits), 458 AAAA records, 147 ABB Tech Inc., 513, 536 access control lists (ACLs) described, 432–433, 531–533 misconfigured, 497 access controls, 463–464. See also security filtering access points (APs).
See also wireless access points evil twin, 492–493 introduction, 138–139, 139 rogue, 412–413, 492 access ports, VLANs, 355–356 accounting, AAA, 458–459 accounts. See user account management ACK, SYN, SYN/ACK, 34, 34–35 acknowledgments, 38, 39 ACLs. See access control lists Acme Corporation, 213, 246, 508 action plan, 740–741. See also network troubleshooting active detection, 500 active timer, 323 ActiveX attacks, 494 Activity LED, 131 ad hoc mode: IBSS, 395–396, 396 ad hoc networks, 413 address learning, 341–342 Address Resolution Protocol. See ARP administrator training, 510 ADs (administrative distances) default, 301–302 described, 300–302 ADSL. See asymmetric digital subscriber line Advanced Encryption Standard. See AES Advanced Research Projects Agency. See ARPA AES (Advanced Encryption Standard), 442–443 AES-CCMP (AES-Counter Mode CBC-MAC Protocol), 418, 420, 844 agents nonpersistent, 463 persistent, 463 SNMP, 179 aggregate rate, 100 aggregation, route, 309 AirMagnet Survey, 411, 728 Aironet access point, 394, 394 alias record, 148. See also CNAME records amplified/reflected attacks, 478–479, 480 analog modems. See modems angle-polished connectors. See APCs anonymous accounts, 176, 449, 658 antennas, wireless, 393–395, 394 Anthrax virus, 486–487 anti-malware software, 514–518 antivirus components, 515–518 anycast addresses, 218, 220, 836 APCs (angle-polished connectors), 65–66, 66 APIDS. 
See application protocol based IDS APIPA (Automatic Private IP Addressing) described, 184, 213–214, 819 DHCP failover scheme, 213 IP address range, 184, 214, 226 link-local addresses, 220, 226, 836 Application layer described, 32–33 firewalls, 540–542 functions, 30, 31 Process/Application layer, 174–175, 175 application protocol based IDS (APIDS), 138 application servers, 6 Application-layer attacks, 494 application-specific integrated circuits (ASICs), 144, 161, 338, 340 APs. See access points archives, 790 ARP (Address Resolution Protocol). See also RARP broadcast local ARP broadcast, 192 traceroute, 192–193 DAI, 364 described, 191–193 show ip arp, 284 using, 630–634 Windows ARP table, 630–631 arp -a, 259, 282, 286, 293, 634, 839 ARP cache poisoning, 480 arp utility, 631–634 ARPA (Advanced Research Projects Agency), 174 ARPAnet, 173–174 ASBR. See autonomous system border router ASICs. See application-specific integrated circuits ASs. See autonomous systems asset management, 768–769 asymmetric cryptography, 178, 456 asymmetric digital subscriber line (ADSL), 591 Asynchronous Transfer Mode (ATM), 602–603 attacks. See network threats and mitigation; specific attacks attenuation defined, 74 inherent, 108 audits AAAA, 458 security, 451–452, 503 authentication (user authentication), 447–464.
See also security filtering CHAP, 460–461, 461 EAP, 421–422, 462 EAP-TLS, 422, 462 exam essentials, 464–465 issues, 483–487 Kerberos, 178, 456–457, 457 methods, 455–464 MS-CHAP, 461 multifactor, 455 NAC, 460, 462 network controllers, 460 password management automatic account lockouts, 453 characters, 452–453 default passwords/ settings, 483–484 described, 450–455 expiration of passwords, 454 minimum length, 451–452 overview, 447–448 password histories, 454 strong passwords, 452–453 PKI, 421–422, 455–456 posture assessment, 462–463 RADIUS, 148, 417–418, 418, 458 review questions, 466–468, 845–846 single sign-on, 454–455 summary, 464 TACACS+, 148, 458–459, 459 two-factor, 455 unified voice services, 460 user account management, 447–450 anonymous accounts, 176, 449, 658 disabling accounts, 447 limiting connections, 449–450 maintenance account, renaming, 450 web services, 459 written lab, 465 authentication, authorization, accounting (AAA), 458–459 authentication, authorization, accounting, audits (AAAA), 458 authorization, AAA, 458–459 autoconfiguration. See EUI-64 auto-detect mechanism, 100 automatic account lockouts, 453 Automatic Private IP Addressing. 
See APIPA autonomous system border router (ASBR), 316, 316 autonomous systems (ASs) BGP, 311, 312, 313, 841 defined, 29, 299, 312 EGPs, 312 EIGRP, 309 IGPs, 312 OSPF, 314, 316, 316 autorooters, 494 Availability, CIA triad, 775 B backbones collapsed, 336, 336, 349, 353 defined, 20, 21 backdoor access/improper access, 496 backdoors, 494–495 background checks, 506 backups configuration backups, 515 types, 790, 791 UPS/battery backups, 561 badges, 506 bandwidth high bandwidth DSL, 588 MMF, 65 WANs, 581–582 bandwidth (high-bandwidth) applications described, 784–785 examples of, 784, 807 HDTV, 587, 591 Real-time Transport Protocol described, 179 EIGRP, 310 port 5004/5005, 179 Session Initiation Protocol described, 178–179 port 5060/5061, 178 VTC systems, 781 video streaming, 460, 784, 785, 807, 856 VoIP (Voice over Internet Protocol) delay problems, 786 described, 784–785 managed switches, 133 RTP, 179, 310 SIP, 178–179, 781 wired connectivity standard, Real World Scenario, 113 banner grabbing, 496 barriers, signal degradation and, 401 baseband, 98 baselines, 681–683, 771 basic service area. See BSA basic service set. See BSS battery backups/UPS, 561 baud rates, 98 Baudot, Jean-Maurice-Emile, 98 Berkeley Software Distribution. See BSD BGP (Border Gateway Protocol) AD, default, 301, 302 autonomous systems, 311, 312, 313, 841 described, 311–313, 312 hybrid routing protocol, 312, 840, 841 Routing Information Base, 313 binary binary code, 3 binary values, 102, 102 binary-to-decimal memorization chart, 103, 103 hexadecimal-to-binary-to-decimal chart, 104, 104–105 binding, 29 biometric systems, 558 bit rates, 98 bits, 206 Blatand, 401 blind test, 565 blocking, STP port state, 347 Bluejacking, 493 Bluesnarfing, 493 Bluetooth, 401–402, 493, 586–587 BNC connectors, 59, 59 bonding, port, 364–365 boot-sector viruses, 486 Border Gateway Protocol. See BGP botnet, 475, 476 BPDUs (Bridge Protocol Data Units), 346, 347 BPL.
See Broadband over Power Line breaking policy, 508 bridge (outdoor) antennas, 394, 394 Bridge Protocol Data Units. See BPDUs bridges Data Link layer, 161, 161–162 defined, 132, 132, 157, 337 switches versus, 340 transparent, 132, 162 Bring Your Own Device (BYOD), 463, 772, 845 broadband, 98 Broadband over Power Line (BPL), 114–115, 115 broadband services, 588–593. See also WANs broadcast address defined, 207 Layer 2 broadcasts, 214 Layer 3 broadcasts, 215 broadcast domain, 96 broadcast storms, 345, 744, 834 brute force attack, 482 BSA (basic service area), 396 BSD (Berkeley Software Distribution) Unix, 174, 225, 485 BSS (basic service set), 396–398, 397. See also SSIDs Buffer Full, 36, 191 buffer overflow, 490 buffers, flow control and, 36 bus topology, 12, 12–13 business continuity, 561 business documents, network monitoring, 774 butt set, 700, 700–701 BYOD. See Bring Your Own Device bytes (octets) defined, 102, 206 octal addressing, 102 C -c switch, nbtstat utility, 644 cable management, 797–798 cable modem, 591–592, 592 cable strippers/snips, 702, 702 cable testers, 79, 79, 692–693, 693 cables.
See also connectors; Ethernet cables; wiring standards bad, 722 coaxial, 58–60 EMI/RFI resistance, 60 specifications, 59–60 thinnet cable, 58, 58, 109, 111 feeder, 83 fiber-optic cable, 64–69 APCs, 65–66, 66 connectors, 66–69 cons, 65 copper cable versus, 68 FC connector, 67–68 LC connector, 68, 69, 69 MMF, 64, 65 MT-RJ connector, 68–69, 69 pros, 65 SC connectors, 66, 67, 67 SFF connectors, 68–69, 69 SMF, 64, 65 UPCs, 65–66, 66 issues, 722–724 properties, 73–75 distance, 74 duplex communication, 74 frequency, 75 noise immunity, 74–75 transmission speeds, 74 Real World Scenario, 19 review questions, 87–90, 830–831 serial, 71–73 shielded twisted-pair, 60 test for understanding, 81, 82 25-pair, 83 twisted-pair, 60–64 types, 57 UTP categories, 61–62 RJ connectors, 62–64 cache poisoning, ARP, 480 caching engines, 789–790 caching proxy server, 151 call setup. See three-way handshake cameras, 506 capacity provision, site surveys, 408–409 CARP. See Common Address Redundancy Protocol Carrier Sense Multiple Access with Collision Detection. See CSMA/CD categories, UTP cable, 61–62 Category 2, 61 Category 3, 61 Category 4, 61 Category 5, 61 Category 5e (enhanced), 61, 62, 64 Category 6, 62 Category 6a (augmented), 62 CCNA: Cisco Certified Network Associate Study Guide (Sybex, 2013), 185, 186, 190, 312, 662 cellular WAN, 593–594 central office (CO), 579 centralized WANs, 8, 9 certificates PKI and, 421–422 X.509 certificates, 178 certifiers, 696 chain of custody, 502 Challenge Handshake Authentication Protocol. See CHAP change management procedures, 803–805 channel service unit/data service units. See CSU/DSUs CHAP (Challenge Handshake Authentication Protocol), 460–461, 461 characters, strong passwords, 452–453 CIA triad (Confidentiality, Integrity, Availability), 775 CIDR (Classless Inter-Domain Routing). See also subnetting described, 237–239 NAT compared to, 264 CIR.
See Committed Information Rate circuit labeling, 803 circuit switching, 580, 581 circuits, virtual, 34, 598–599. See also connection-oriented communication; Frame Relay Class A network addresses described, 208, 209–210 reserved IP addresses, 209–210 when to use, 213 Class B network addresses described, 208, 210–211 when to use, 213 Class C network addresses described, 208, 211 when to use, 213 Class D network addresses (multicast addresses), 208, 212, 215–216, 220 Class E network addresses, 208, 212 Class of Service (COS), 787, 787–788 classful routing, 305, 307–308, 326 Classless Inter-Domain Routing. See CIDR classless networks, 308, 326, 841 classless routing, 246, 305, 306, 308, 312, 313, 326, 840, 841 clean-desk policy, 504–505 clear-text credentials, 488–489 client mode VTP, 360, 360–361 wireless security, 414 clients, 5 client-server networks, 11, 11–12 CLNS. See Connectionless Network Service clock synchronization, NTP, 180 closed ports, 498 cloud storage, 796–797 cloud/server-based antimalware, 514–515 CNAME records, 148, 149, 150 CO. See central office coaxial cables, 58–60 EMI/RFI resistance, 60 specifications, 59–60 thinnet cable, 58, 58, 109, 111 Code Red worm, 490 collapsed backbones, 336, 336, 349, 353 collision and link lights, 717–718 collision domain, 95–96 collision event, 96 .com (top-level domain), 145 Committed Information Rate (CIR), 598 Common Address Redundancy Protocol (CARP), 791 communications satellite, 587, 588 community cloud, 796 compliance, network segmentation, 783 Confidentiality, CIA triad, 775 configuration backups, 515 connection types, WAN, 580, 580–581 connectionless IP, 198 services, 198 TFTP, 198 Transport layer, 34 UDP, 38, 186, 187, 198, 541 Connectionless Network Service (CLNS), 316–317 connection-oriented communication, 34, 34–35 connections, limiting, 449–450. See also user account management connectivity devices.
See network devices connectivity software, 619–620 connectors APCs, 65–66, 66 BNC, 59, 59 DB-9, 72 DB-25, 72 F, 58 FC, 67–68 fiber-optic cables, 66–69 LC, 68, 69, 69 MT-RJ, 68–69, 69 110 block, 83–84, 84 review questions, 87–90, 830–831 RJ connectors, 62–64 RJ-11, 62–63, 63 RJ-45, 62–64, 63 RJ-48c, 63–64 RS-232, 72, 72 SC, 66, 67, 67 SFF, 68–69, 69 66 block, 83 UPCs, 65–66, 66 content filtering, 544 content filtering appliance, 152, 152 context awareness, firewalls, 544–545 continuity testers, 695 controllers, wireless, 398, 398–399, 399 convergence, STP, 347–348, 348 conversions. See numbers coordinated attack, 476–477 copper cable, fiber-optic versus, 68. See also fiber-optic cable copper line drivers/repeaters, 578 COS. See Class of Service coaxial cable, fiber to coaxial (media converter), 70–71, 71 CPE. See customer premises equipment crimper, 702, 702 critical assets, 562–563 critical nodes, 562 crossover cables described, 78, 78–79 T1, 81, 81 cross-site scripting, 482 crosstalk defined, 61 near-end, 62, 695, 723 cryptography asymmetric, 178, 456 encryption AES, 442–443 AES-CCMP, 418, 420, 844 content filtering appliance, 152, 152 Data Encryption Standard, 442 described, 440–445 devices, 151, 151–152 HTTPS, 180 PGP, 444, 444–445 public key encryption, 443, 443–445, 444 RSA, 444 SSH, 180 symmetrical encryption keys, 442–443 Triple Data Encryption Standard, 442 unencrypted channels, 488 hashes, 462 “New Directions in Cryptography,” 444 SSL, 178 TKIP packet keys, 418–419 TLS, 178 CSMA/CD (Carrier Sense Multiple Access with Collision Detection) described, 96–97, 97 802.3 standard, 44, 45 CSU/DSUs (channel service unit/data service units), 577–578, 578 customer premises equipment (CPE), 577 cypher locks/keypads, 558 D DA. See Destination Address DAI.
See dynamic ARP inspection DARPA, 174 data breach, 561 data collection/evidence, 502 data communication equipment (DCE), 45 data encapsulation. See encapsulation Data Encryption Standard (DES), 442 data frames, 43 Data Link Connection Identifiers (DLCIs), 599 Data Link layer bridges, 161, 161–162 described, 43, 43–45 Ethernet, 101–108 binary-to-decimal memorization chart, 103, 103 frames, 106, 106–108 hexadecimal-to-binary-to-decimal chart, 104, 104–105 functions, 30, 31 Network Access layer, 175, 175 switches, 161, 161–162 data packets. See packets data terminal equipment (DTE), 45 data transport, 503 DB-9, 72 DB-25, 72 DCE. See data communication equipment DDoS (distributed DoS), 475–479 decimals binary-to-decimal memorization chart, 103, 103 hexadecimal-to-binary-to-decimal chart, 104, 104–105 dedicated (leased) lines, 580, 580–581 de-encapsulation, 195, 481. See also encapsulation default passwords/settings, 483–484 default routes, 312, 743 delivery protocol, 434 Demand Priority Access Method, 45 demarc, 84 demarc extension, 84 demarcation point, 578 demilitarized zone. See DMZ demodulator, 47, 152. See also modems denial of service (DoS) attack, 413–414, 474–479 Dense Wavelength Division Multiplexing (DWDM), 585–586 Department of Defense. See DoD DES.
See Data Encryption Standard Destination Address (DA), 107 Destination Unreachable, 191, 198, 283, 285, 840 detection, active/passive, 500 device placement, 798–802 DHCP (Dynamic Host Configuration Protocol) basic insights, 139–144 Bootstrap Protocol versus, 182 described, 182–184 DHCP client four-step process, 183, 183–184 DHCP client parameter request list, 142, 142 DHCP client request to DHCP server, 140–141, 141 DHCP client sends broadcasts looking for DHCP server, 140, 140 DHCP relay, 143, 143–144 DHCP server response, 142, 142–143 DHCPv6, 223 failover scheme, APIPA and, 213 information provision, list of, 182–183 port 67/68, 182–184 scope options, Windows DHCP server, 140, 141 SLIP, 181 snooping, 364 diagrams and schematics. See network documentation Differentiated Services Code Points. See DSCPs Diffie, Whitfield, 444 Diffie-Hellman algorithm, 443–444 Diffusing Update Algorithm (DUAL), 310, 311, 325 Digital, Intel, Xerox. See DIX Dijkstra algorithm, 314, 315, 316 Direct Sequence Spread Spectrum. See DSSS directed attacks, 493 directional antennas, 393–395, 394 disabled port, STP, 347 disabling accounts, 448 disaster recovery, 560–561 discontiguous networks, 306–309. See also VLSMs distance cable property, 74 signal degradation and, 401 distance vector (DV) routing protocols converged routing tables, 304, 304–305 defined, 302 described, 303–313 round-robin load balancing, 303 routing flow tree, 299, 300 distributed DoS. See DDoS Distributed Queue Dual Bus (DQDB), 44 distributed WAN, 8 distribution system, 396, 397 DIX (Digital, Intel, Xerox), 108 DLCIs. See Data Link Connection Identifiers DMSETUP.EXE, 487 DMZ (demilitarized zone), 137, 137, 506–507, 507, 534 DNAT. See dynamic NAT DNS (Domain Name Service) described, 145–150, 181–182 DNS answer to query, 149, 149 DNS query to www.
lammle.com, 148–149, 149 dynamic, 150 FQDNs, 145, 182, 649 issues, WANs, 608 name resolution, 145, 146, 146–149 port 53, 181 records A records, 147 AAA records, 148 A records, 149, 834 AAAA records, 147 CNAME records, 148, 149, 150 MX records, 148 PTR records, 147, 148, 834 top-level domains, 145–146 Windows DNS server, 147, 147–148 DNS amplification attacks, 479, 480 DoD (Department of Defense) ARPA, 174 security standards, 503 TCP/IP, 173 DoD model Host-to-Host layer described, 175, 175 main purpose, 184 TCP, 173, 179, 184–185, 185, 186–187, 187 TCP/IP protocol suite, 175, 175 UDP, 179, 185–187, 187 Internet layer described, 175, 175 TCP/IP protocol suite, 175, 175 IP stack, 835 Network Access layer described, 175, 175 TCP/IP protocol suite, 175, 175 OSI model versus, 174–175, 175 Process/Application layer described, 174–175, 175 TCP/IP protocol suite, 175, 175 TCP/IP protocol suite compared to, 175, 175 Domain Name Service. See DNS domain/local group configurations, 497 domains, top-level, 145–146 door access controls, 556–558 door locks/swipe mechanisms, 506 DoS. See denial of service double-blind test, 565 downgrading, 513 DQDB. See Distributed Queue Dual Bus driver updates, 512–513 DSCPs (Differentiated Services Code Points), 787 DSL technology, 589–591 DSSS (Direct Sequence Spread Spectrum), 386, 390, 423, 844 DTE. See data terminal equipment DUAL. See Diffusing Update Algorithm dual stacking, 224 dumb terminals, 7 duplex cable property, 74 full-duplex communication, 33, 74 full-duplex Ethernet, 99–101 half-duplex communication, 33, 74 half-duplex Ethernet, 99–101 DV. See distance vector DWDM. See Dense Wavelength Division Multiplexing dynamic ARP inspection (DAI), 364 dynamic DNS, 150 Dynamic Host Configuration Protocol.
See DHCP dynamic NAT (DNAT), 266 dynamic packet filtering, 537–538, 538 dynamic routing defined, 279 described, 288–291, 289, 290, 291 routing flow tree, 299, 300 static versus, 292 dynamic VLANs, 355 E -e switch, netstat utility, 651–652 EAP (Extensible Authentication Protocol), 421–422, 462 EAP-TLS (EAP Transport Layer Security), 422, 462 edge control, 463–464 eDiscovery, 502 .edu (top-level domain), 145 EGPs (exterior gateway protocols) autonomous systems, 312 IGPs versus, 289 routing flow tree, 299, 300 EIA/TIA (Electronic Industries Alliance and Telecommunication Industry Association), 108–109 568A wired standard, 76, 76–77 568B wired standard, 76–77, 77 NEXT (near-end crosstalk) transmission parameter, 62 Physical layer specifications, 108–109 8-pin modular connector, 109 802.1q, 358, 358, 787 802.3 frame format, 106, 106–108 802.3 standards described, 44, 45, 109 expanded, 109–111, 111–113 802.11 standards, 383–391 committees and subcommittees, 383–384 comparing, 389–391, 390 802.11a, 383, 423 802.11ac, 382, 383, 389 802.11b (2.4GHz), 383, 383, 384–385, 423 802.11c, 383 802.11d, 383 802.11e, 383 802.11f, 383, 383 802.11g, 423 802.11g (2.4GHz), 383, 383, 385–386, 386, 423 802.11h (5GHz), 383, 387–388, 423, 844 802.11i, 383, 418, 420, 421, 492, 823, 844 802.11j, 383 802.11k, 383 802.11m, 383 802.11n (2.4GHz/5GHz), 384, 388–389, 428, 728, 844, 845 802.11p, 384 802.11r, 384 802.11s, 384 802.11t, 383, 384 802.11u, 384 802.11v, 384 802.11w, 384 802.11y, 384 range comparisons, 390 spectrums and speeds, 390 802.16, 45 802 standards, 44–45 EIGRP (Enhanced Interior Gateway Routing Protocol) AD, default, 301, 302 autonomous systems, 309 described, 309–311 DUAL, 310, 311, 325 feasible successor, 311, 842 features, 310 hybrid routing protocol, 309, 840, 841 IS-IS, 317 route-update packets, 40 RTP, 310 successor route, 311, 842 VLSM support, 308, 309, 840 EIGRPv6, 325, 841 Ekahau Site Survey, 411 electrical safety, 776–777 electromagnetic
interference. See EMI Electronic Industries Alliance and Telecommunication Industry Association. See EIA/TIA emergency procedures, 779–780 EMI (electromagnetic interference) coaxial cable, 60 fiber-optic cable, 64 noise immunity, cables, 74–75 emulated terminals, 176, 198 encapsulation (data encapsulation) de-encapsulation, 195, 481 described, 194, 194–197 introduction, 46, 46–47 PDUs and, 46, 194, 194, 196 encryption AES, 442–443 AES-CCMP, 418, 420, 844 content filtering appliance, 152, 152 Data Encryption Standard, 442 described, 440–445 devices, 151, 151–152 HTTPS, 180 PGP, 444, 444–445 public key encryption, 443, 443–445, 444 RSA, 444 SSH, 180 symmetrical encryption keys, 442–443 Triple Data Encryption Standard, 442 unencrypted channels, 488 end-user training, 510, 561–562 Enhanced Interior Gateway Routing Protocol. See EIGRP environmental considerations, networks, 163 environmental monitors, 703–704 equipment access, security policy, 505 equipment location and installation. See network optimization Ericsson company, 401 error messages ICMP, 191, 259, 620 network troubleshooting, 730 ESS (extended service set), 396–397, 397 ESSIDs (Extended Service Set Identifiers), 727 EtherChannel, 364, 365 Ethernet, 91–125 basics, 95–101 baud rates, 98 bit rates, 98 broadcast domain, 96 collision domain, 95–96 CSMA/CD described, 96–97, 97 802.3 standard, 44, 45 Data Link layer, 101–108 binary-to-decimal memorization chart, 103, 103 frames, 106, 106–108 hexadecimal-to-binary-to-decimal chart, 104, 104–105 defined, 95 DIX group, 108 exam essentials, 117 Fibre-Channel over Ethernet, 795 full-duplex Ethernet, 99–101 half-duplex Ethernet, 99–101 IEEE 1905.1-2013, 114–117 Broadband over Power Line, 114–115, 115 HDMI Ethernet Channel technology, 116, 116–117 media converters multimode fiber to Ethernet, 70, 70 single-mode fiber to Ethernet, 70, 70 metropolitan-area, 592–593 network basics, 93–95 Physical layer,
108–113 802.3 standards, 44, 45, 109 802.3 standards, expanded, 109–111, 111–113 specifications, 109 PoE (Power over Ethernet) described, 366–368 Real World Scenario, 366–367 wireless bridge power injector, 368, 368 PPPoE, 446–447 review questions, 123–125, 832–833 sampling size, 99 switch, 133 wavelengths, 98–99, 99 Ethernet addressing. See MAC addresses Ethernet cables, 60–62 10Base2 (thinnet), 58, 58, 109, 111 10Base5 (thicknet), 109, 111 10BaseFL, 68, 112 10BaseT, 109, 111 10GBaseER, 111, 112 10GBaseEW, 111, 113 10GBaseLR, 110, 112 10GBase-LW, 111, 113 10GBaseSR, 110, 112 10GBaseSW, 111, 113 10GBaseT, 110, 112 100BaseFX (IEEE 802.3u), 110, 112, 113 100BaseTX (IEEE 802.3u), 110, 111, 113 1000BaseCX (IEEE 802.3z), 110, 112 1000BaseLX (IEEE 802.3z), 110, 112 1000BaseSX (IEEE 802.3z), 110, 112 1000BaseT (IEEE 802.3ab), 80, 80, 110, 112 1000BaseTX, 110 Ethernet frames. See frames Ethernet_II frame, 106, 106–108 ETSi. See European Telecommunications Standards Institute EUI-64 (stateless autoconfiguration) described, 221–223 interface ID assignment, 221–222, 222 European Telecommunications Standards Institute (ETSi), 381, 593 evidence/data collection, 502 evil twin, 492–493 Evolved High Speed Packet Access (HSPA+), 594 exam essentials authentication, 464–465 cables, connectors, 85–86 Ethernet, 117 hardware and software tools, 704–705 IP addressing, 226–227 NAT, 269 network devices, 164–165 network monitoring, 806–807 network optimization, 806–807 network threats and mitigation, 518–519 network troubleshooting, 749–750 networks, introduction, 22 OSI model, 48 physical security and risk, 566–567 protocols, 198 routing (IP routing), 292 routing protocols, 326 security filtering, 464–465 subnetting, 269 switches, 370–371 troubleshooting IP addressing, 269 troubleshooting tools, 663 WANs, 609–610 wireless networks, 423 wiring standards, 85–86 exit interview, 509 expiration, password, 454 expressions, IPv6,
219 extended ACLs, 533 extended service set. See ESS Extended Service Set Identifiers. See ESSIDs Extensible Authentication Protocol. See EAP exterior gateway protocols. See EGPs extranet VPNs, 436 F F connector, 58 fault tolerance, 13, 790 fax servers, 6 FC (field assembly) connector, 67–68 FCC (Federal Communications Commission), 381, 381–382, 386, 387, 587 FCS. See Frame Check Sequence feasible successor, 311, 842 Federal Communications Commission. See FCC feeder cable, 83 FEP. See fluoroethylenepropylene ferrule connector, 67–68 FHRPs. See first hop redundancy protocols FHSS (Frequency Hopping Spread Spectrum), 423, 586, 850 fiber cable issues, 724–725 Fiber Channel, 795 fiber to coaxial, 70–71, 71 fiber-optic cable APCs, 65–66, 66 connectors, 66–69 cons, 65 copper cable versus, 68 described, 64–69 FC connector, 67–68 LC connector, 68, 69, 69 media converters, 69–71 fiber to coaxial, 70–71, 71 multimode fiber to Ethernet, 70, 70 single-mode fiber to Ethernet, 70, 70 single-mode to multimode fiber, 71, 71 MMF, 64, 65 MT-RJ connector, 68–69, 69 pros, 65 SC connectors, 66, 67, 67 SFF connectors, 68–69, 69 SMF, 64, 65 UPCs, 65–66, 66 Fibre-Channel over Ethernet, 795 field assembly connector. See FC connector file servers, 6 File Transfer Protocol. See FTP file viruses, 485 filtering. See security filtering firewalls, 529–547.
See also physical security and risk access control lists described, 432–433, 531–533 misconfigured, 497 Application layer, 540–542 content filtering, 544 context awareness, 544–545 defining, 137, 529 described, 137–138 DMZ, 137, 137, 506–507, 507, 534 dynamic packet filtering, 537–538, 538 host-based, 530 misconfigured, 497 Network layer, 540–542 network-based, 530 port security, 533–534 private side, 137 protocol switching, 534–536, 537 proxy services, 538–540 public side, 137 Real World Scenario, 494, 536, 542 routed wire, 545 scanning services, 542–543, 543 signature identification, 544 technologies, 530–540 virtual, 793 virtual wire, 545, 545 zones, 545–547, 546, 547 firmware updates, 512 firmware/operating systems, unpatched, 498 first hop redundancy protocols (FHRPs), 317–318, 318, 323, 841. See also HSRP first responder, 501, 561 5GHz (802.11h), 383, 387–388, 423, 844 5GHz/2.4GHz (802.11n), 384, 388–389, 428, 728, 844, 845 568A wired standard, 76, 76–77 568B wired standard, 76–77, 77 flat network structure, VLANs, 350, 350 flat-addressing scheme, 207 flow control, 35–37, 36 fluoroethylenepropylene (FEP), 58 forensic concepts, 501–503 forensics report, 503 forward proxy, 151. See also proxy servers forward/filter decisions, 342–344 forward/filter table, 341, 341, 343 forwarding, STP port state, 347 4to6 tunneling, 224 FQDNs (fully qualified domain names), 145, 182, 649 Frame Check Sequence (FCS), 107, 195, 282, 490 Frame Relay, 596–599, 597 frames.
See also tunneling described, 106–108, 195 Destination Address, 107 802.3 frame format, 106, 106–108 Ethernet_II frame, 106, 106–108 IP routing process and, 281–287 Length field, 107 on network analyzer, 107–108 packets, 107 to host on LAN, 292 to router’s interface (remote network), 292 preamble, 107 SOF/Synch, 107 Source Address, 107 tunneling, 106 Type field, 107 frequency, cable property, 75 friendly DoS, 477 FTP (File Transfer Protocol) described, 176 port 20, 21, 176 SFTP, 176 TFTP, 177 troubleshooting with, 655–660 when to use, Real World Scenario, 177 FTP bounce attack, 495 FTP proxies, 540 full-duplex communication, 33, 74 full-duplex Ethernet, 99–101 fully qualified domain names. See FQDNs G gateways, older meaning, 7 Generic Routing Encapsulation. See GRE GETBULK, 179 global unicast addresses, 220, 221, 836 Gmail, 178 Gormsson, Harald “Blatand,” 401 .gov (top-level domain), 146 GRE (Generic Routing Encapsulation), 438, 438–439 guards, security, 507, 558 guest network, 462–463 H H.323 Application layer firewalls, 542 described, 179 port 1720, 179 RTP standard, 179 VTC systems, 781 half-duplex communication, 33, 74 half-duplex Ethernet, 99–101 handshake, 34. See also three-way handshake Harald I (Harald “Blatand” Gormsson), 401 hardware addressing. See MAC addresses hardware and software security devices. See physical security and risk hardware tools, 691–704.
See also software tools butt set, 700, 700–701 cable strippers/snips, 702, 702 cable testers, 79, 79, 692–693, 693 certifiers, 696 continuity testers, 695 hashes – Host-to-Host layer environmental monitors, 703–704 exam essentials, 704–705 loopback plugs, 693, 694 multimeter, 698, 699 optical time-domain reflectometer, 697, 698 protocol analyzers, 616–618, 695–696 punch-down tool, 701, 701 review questions, 706–709, 852–853 time-domain reflectometer, 696–697 toner probe, 698–699, 700 voltage event recorder (power), 702–703 wire-map testers, 694–695 written lab, 705 hashes, 462 HDMI Ethernet Channel technology, 116, 116–117 HDSL. See High Bit-Rate Digital Subscriber Line HDTV, 587, 591 header IP, 190, 190 TCP, 185, 185 UDP, 186 Hellman, Martin, 444. See also Diffie-Hellman algorithm hello timer, 322, 322–323 hexadecimal-to-binary-to decimal chart, 104, 104–105 HIDS. See host-based IDS hierarchical design, OSPF, 315–316, 316 hierarchical IP addressing scheme, 207–214 high availability described, 317–324, 789 first hop redundancy protocols, 317–318, 318, 323, 841 HSRP active and standby routers, 319–320, 320 defined, 319 timers, 322, 322–323 virtual MAC address, 320–322 VRRP versus, 324 VRRP defined, 319 described, 324 HSRP versus, 324 high bandwidth DSL, 588 MMF, 65 High Bit-Rate Digital Subscriber Line (HDSL), 590 high-bandwidth applications described, 784–785 examples of, 784, 807 HDTV, 587, 591 network optimization, 784–785 Real-time Transport Protocol described, 179 EIGRP, 310 port 5004/5005, 179 Session Initiation Protocol described, 178–179 port 5060/5061, 178 VTC systems, 781 video streaming, 460, 784, 785, 807, 856 VoIP (Voice over Internet Protocol) delay problems, 786 877 described, 784–785 managed switches, 133 RTP, 179, 310 SIP, 178–179, 781 wired connectivity standard, Real World Scenario, 113 histories, password, 454 hold timer, 323 honeynets, 550, 782 honeypots, 550, 550, 782 hopping, VLAN, 482, 483 hops first hop redundancy protocols (FHRPs), 317–318, 
318, 323, 841 hop counts AD, 300 RIP and, 41 ICMP, 191 host-based anti-malware, 514 host-based firewalls, 530 host-based IDS (HIDS), 138, 551 hosts, 7–8 HOSTS file, 145, 636, 649, 747 Hosts table, 636–637 Host-to-Host layer described, 175, 175 main purpose, 184 TCP described, 184–185 header, 185, 185 IP and, 173 key concepts, 186–187, 187 segment format, 185, 185 SNMP, 179 TCP/IP protocol suite, 175, 175 UDP bindex.indd 04/01/2015 Page 877 878 host-to-host VPNs – IGPs (interior gateway protocols) described, 185–186 key concepts, 186–187, 187 SNMP, 179 host-to-host VPNs, 436 host-to-site VPNs, 436 hot spots, mobile, 399–400, 400 Hot Standby Router Protocol. See HSRP hotfixes, 512, 847 HSPA+. See Evolved High Speed Packet Access HSRP (Hot Standby Router Protocol) active and standby routers, 319–320, 320 defined, 319 timers, 322, 322–323 virtual MAC address, 320–322 VRRP versus, 324 HTTP (Hypertext Transfer Protocol) described, 180 port 80, 180 HTTP proxies, 539–540 HTTPS (Hypertext Transfer Protocol Secure) described, 180 encryption, 180 port 443, 180 web services, 459 hubs described, 131–132 as multiple-port repeaters, 162–163 Physical layer, 162–163, 163 switches compared to, 160 typical, 131 humidity, network planning and, 163 HVAC, 780 bindex.indd 04/01/2015 Page 878 hybrid cloud, 796 hybrid network topology, 15, 18, 18 hybrid routing protocols BGP, 312, 840, 841 defined, 291, 291, 303 EIGRP, 309, 840, 841 routing flow tree, 299, 300 Hypertext Transfer Protocol. See HTTP Hypertext Transfer Protocol Secure. See HTTPS I IaaS. See Infrastructure as a service IBSS (independent basic service set), 395–396, 396 ICA (Independent Computing Architecture), 447 ICMP (Internet Control Message Protocol) Buffer Full, 191 described, 190–191 Destination Unreachable, 191, 198, 283, 285, 840 error messages, 191, 259, 620 hops, 191 IP routing process and, 281–287 ping, 191, 259 traceroute, 191, 259 ICS. 
See industrial control systems IDF (intermediate distribution frame), 83, 797, 797 IDSs. See intrusion detection systems IEEE (Institute of Electrical and Electronics Engineers). See also 802.11 standards; Ethernet cables DIX group, 108 802.1q, 358, 358, 787 802.3 standards described, 44, 45, 109 expanded, 109–111, 111–113 802.16, 45 802 standards, 44–45 Ethernet over other standards (IEEE 1905.1-2013), 114–117 Broadband over Power Line, 114–115, 115 HDMI Ethernet Channel technology, 116, 116–117 OUI, 105, 106 purpose, 381 IETF (Internet Engineering Task Force) IPSec, 439, 845 L2TP, 437 PPTP, 438 RFCs, 173 ifconfig, 626–627 IGMP (Internet Group Management Protocol) described, 181 Network layer, 181 port numbers, 181 IGPs (interior gateway protocols) autonomous systems, 312 EGPs versus, 289 routing flow tree, 299, 300 IGRP (Interior Gateway Routing Protocol) – IP addresses IGRP (Interior Gateway Routing Protocol), 290, 301 IMAP (Internet Message Access Protocol) described, 178 Kerberos authentication, 178 POP3, 178 port 143, 178 improper access/backdoor access, 496 inbound ACLs, 533 incident response, 500–501 independent basic service set. See IBSS Independent Computing Architecture. See ICA industrial control systems (ICS), 780–781 information gathering, site surveys, 408 infrared (IR), 384, 402 Infrastructure as a service (IaaS), 796 infrastructure mode: BSS, 396–398, 397 infrastructure mode strategy (wireless security), 414 inherent attenuation, 108 inside global address, 266, 266, 267, 267, 268, 269 inside local address, 266, 266, 267, 268, 269 insider threat/malicious employee, 487 installation safety, 777–778 Institute of Electrical and Electronics Engineers. 
See IEEE .int (top-level domain), 146 Integrated Services Digital Network (ISDN), 595–596 Integrity, CIA triad, 775 Intel, DIX, 108 interface, Network layer and, 41 interface configurations, routers/switches, 134–137 interface errors/monitoring, WANs, 604–607 interference, signal degradation and, 401 interior gateway protocols. See IGPs Interior Gateway Routing Protocol. See IGRP intermediate distribution frame. See IDF Intermediate System-toIntermediate System. See IS-IS Internet ARPAnet, 173–174 distributed WAN, 8 Internet Control Message Protocol. See ICMP Internet Engineering Task Force. See IETF Internet Group Management Protocol. See IGMP Internet layer described, 175, 175 protocols in, 189–193 purpose, 189 TCP/IP protocol suite, 175, 175 Internet Message Access Protocol. See IMAP Internet Protocol. See IP Internet Protocol version 4. See IPv4 Internet Protocol version 6. See IPv6 879 Internet Security Association and Key Management Protocol. See ISAKMP Internet Small Computer System Interface. See iSCSI internetwork, 8, 9, 133 internetworking devices, 157–158, 158 internetworking models, 28–30. See also OSI model Inter-Switch Link. See ISL intrusion detection, 506 intrusion detection systems (IDSs) described, 138, 414, 547–548, 548 host-based IDS (HIDS), 138, 551 network-based, 549, 549–550, 550 software, 675–677 intrusion prevention systems (IPSs) described, 138, 414–415, 547–548 software, 675–677 IP (Internet Protocol). See also protocols; TCP/IP connectionless, 198 described, 189–190 header, 190, 190 RFC 791, 189 as routed protocol, 40, 278 TCP and, 173 IP address range, APIPA, 184, 214, 226 IP addresses. See also IP addressing; private IP addresses defined, 207 reserved bindex.indd 04/01/2015 Page 879 880 IP addressing – Kerberos IPv6 addresses, 220, 221 network addresses, 209–210, 212 private IP addresses, 212 on switches, 361–363 IP addressing, 205–232. 
See also subnetting defined, 206 documentation, 770 exam essentials, 226–227 hierarchical IP addressing scheme, 207–214 overview, 206 review questions, 229–232, 835–837 summary, 225–226 written labs, 227–228 IP addressing, troubleshooting, 256–264 basic steps, 257–259 exam essentials, 269 example, 257 problem solving, 259–264 find valid host, 262, 262 find valid host #2, 262, 262–263 find valid host #3, 263, 263 find valid subnet mask, 263, 264 IP address problem 1, 260, 260 IP address problem 2, 260–261, 261 IP proxy, 539 IP routing. See routing IP Security. See IPSec IP stack, 835. See also DoD model IP subnetting. See subnetting IP terminology, 206–207 ipconfig, 622–626 bindex.indd 04/01/2015 Page 880 ipconfig /all, 259, 623, 737, 740, 851 iPhone hot spot, 399, 400 IPSec (IP Security) described, 439, 439–440, 440 IETF, 439, 845 IPSs. See intrusion prevention systems IPv4 (Internet Protocol version 4) address types described, 214–216 Layer 2 broadcasts, 214 Layer 3 broadcasts, 215 multicast addresses (Class D network addresses), 208, 212, 215–216 unicast address, 215 dual stacking, 224 4to6 tunneling, 224 migrating to IPv6, 223–226 IPv6 (Internet Protocol version 6) addresses, 218–221 special, 220, 221 types, 219–220 anycast addresses, 218, 220, 836 benefits, 217–218 described, 216–225 dual stacking, 224 global unicast addresses, 220, 221, 836 link-local addresses, 220, 226, 836 migrating to, 223–226 multicast addresses, 220 overview, 216 reasons for using, 216–217 as routed protocol, 40, 278 routing protocols, 324–326 shortened expressions, 219 6to4 tunneling, 224–225, 225 unicast addresses, 220 unique local addresses, 220 uses, 217–218 IR. See infrared ISAKMP (Internet Security Association and Key Management Protocol), 440 iSCSI (Internet Small Computer System Interface), 794, 795 ISDN. 
See Integrated Services Digital Network IS-IS (Intermediate Systemto-Intermediate System) AD, default, 302 CLNS, 316–317 described, 316–317 Dijkstra algorithm, 316 link state protocol, 303 network terminology, 316–317, 317 OSPF versus, 316–317 VLSM support, 317 ISL (Inter-Switch Link), 357 isochronous LANs, 44 J jamming, 497 jumbo frames, 795 K Kardach, Jim, 401–402 Kerberos, 178, 456–457, 457 key fob/proximity readers – logical security configurations key fob/proximity readers, 557–558 keypad/cypher locks, 558 L L2TP (Layer 2 Tunneling Protocol), 437 labeling, 802–803 LACP (Link Aggregation Control Protocol), 365 LANs (local area networks). See also Ethernet; switches; VLANs baseband, 98 described, 3, 3–5, 4 isochronous, 44 LAN/MAN Standards Committee, 45 before Layer 2 switching, 335–338 Project 802, 44–45 routers compared to, 351 Token Ring, 78, 189, 192, 336, 336, 337 traffic congestion, 154–155 VTP client mode, 360, 360–361 described, 359–365 features, 359 goals of, 359 modes of operation, 360, 360–361 requirements, 359–360 server mode, 360, 360–361 transparent mode, 360, 360–361 WANs compared to, 8, 22 latency sensitivity, 784 Layer 2 broadcasts, 214 Layer 2 switching. See switches Layer 2 Tunneling Protocol. See L2TP Layer 3 broadcasts, 215 Layer 3 switches (routers), 42, 134 layered architecture, 29 layers. See also OSI model defined, 29 functions, 30 lower, 31, 31–32 mnemonic, 31 upper, 31, 31–32 LC (local connector) fiberoptic connector, 68, 69, 69 LCP. See Link Control Protocol LDAP (Lightweight Directory Access Protocol) described, 180–181 port 389, 180 learning, STP port state, 347 leased lines. See dedicated lines LEDs, NIC, 130–131 legacy/unpatched systems, 488, 782 legal hold, 503 length, passwords, 451–452 Length field, Ethernet frames, 107 Lightweight Access Point Protocol. See LWAPP Lightweight Directory Access Protocol. See LDAP limiting connections, 449–450. See also user account management Link Aggregation Control Protocol. 
See LACP link and collision lights, 717–718 881 Link Control Protocol (LCP), 600–601 Link LED, 131 link state (LS) routing protocols defined, 302–303 described, 313 routing flow tree, 299, 300 shortest path first protocols, 302 VLSM support, 313 link-local addresses, 220, 226, 836 listening, STP port state, 347 LLC (Logical Link Control), 44 load balancing described, 145, 789, 833 round-robin, 303 local area networks. See LANs local connector. See LC local group/domain configurations, 497 local loop, 579 Local/Global bit, 106 location-based WLANs, 410 lockouts, automatic account, 453 logging and networkmonitoring tools. See software tools Logical Link Control. See LLC logical network diagrams, 767–768, 768 logical network topologies, 12. See also network topologies logical security configurations. See physical security and risk bindex.indd 04/01/2015 Page 881 882 Long Term Evolution (LTE) – mobile devices Long Term Evolution (LTE), 594 looking glass sites, 688, 689 loop avoidance, 344–345, 345 loopback interface, 85 loopback plugs, 693, 694 LOVE-LETTER-FOR-YOU.TXT. VBS, 487 lower layers, 31, 31–32 LS. See link state LTE. See Long Term Evolution LWAPP (Lightweight Access Point Protocol), 399, 399, 413 M MAC (Media Access Control), 44 MAC addresses (Ethernet addressing; hardware addressing) ARP, 192 described, 105–106, 106 EUI-64, 221–223 HSRP, 320–322 local, 292 RARP, 193 MAC authentication, 416–417 macro viruses, 486 mail exchanger (MX) records, 148 mail relay, 507 mail servers, 6, 506 main distribution frame. See MDF mainframes, 7 maintenance account, renaming, 450 bindex.indd 04/01/2015 Page 882 malicious employee/insider threat, 487 malicious users, 489 malware anti-malware software, 514–518 defined, 485 managed switches, 133 management. See network documentation man-in-the-middle attacks, 364, 420, 496, 496 MANs (metropolitan area networks). 
See also WiMAX DQDB, 44 LAN/MAN Standards Committee, 45 metropolitan-area Ethernet, 592–593 Project 802, 44–45 mantraps, 556, 557 masks. See subnet masks Master License Agreement (MLA), 774 MD5, 462 MDF (main distribution frame), 83, 797, 797 mechanical transfer registered jack. See MT-RJ Media Access Control. See MAC media converters described, 69–71 fiber to coaxial, 70–71, 71 multimode fiber to Ethernet, 70, 70 single-mode fiber to Ethernet, 70, 70 single-mode to multimode fiber, 71, 71 media gateway, 179 Media Gateway Control Protocol. See MGCP media gateway controller, 179 media issues, unbounded, 725–728 medianets, 781 memberships, VLAN, 354 Memorandum of Understanding (MOU), 774 mesh topology, 15, 15–16 metric, Network layer and, 41 metropolitan area networks. See MANs metropolitan-area Ethernet, 592–593 MGCP (Media Gateway Control Protocol) described, 179 port 2427/2727, 179 Michelangelo, 484, 486, 520 Microsoft MS-CHAP, 461 RDP, 178 microwave radio relay, 587 .mil (top-level domain), 146 Mills, David, 180. See also NTP MILNET, 174 minimum length, passwords, 451–452 misconfiguration issues, 497–498. See also network threats and mitigation mitigation techniques. See network threats and mitigation MLA. See Master License Agreement MLS. See multilayer switches MMF. See multimode fiber mnemonic, for layers, 31 mobile devices, on-boarding and off-boarding, 771–772 mobile hot spots – NAT (Network Address Translation) mobile hot spots, 399–400, 400 MoCA. See Multimedia over Coax modems cable, 591–592, 592 described, 152, 152 modulator–demodulator, 47, 152 modulation techniques, 47 WLANs DSSS, 386, 390, 423, 844 FHSS, 423, 586, 850 OFDM, 386, 389, 390, 423, 844 modulator–demodulator, 47, 152 monitor viewing, 506 monitoring. See network monitoring monitors, environmental, 703–704 Monkey B, 486, 520 MOU. 
See Memorandum of Understanding MPLS (Multiprotocol Label Switching), 8–10, 9, 603 MS-CHAP, 461 MT-RJ (mechanical transfer registered jack) fiber-optic connector, 68–69, 69 multicast, unicast versus, 785 multicast addresses (Class D network addresses), 208, 212, 215–216, 220 multifactor authentication, 455 multilayer switches (MLS), 134, 144–145. See also routers multimedia H.323 Application layer firewalls, 542 described, 179 port 1720, 179 VTC systems, 781 MGCP described, 179 port 2427/2727, 179 Presentation layer standards, 33 real-time multimedia streaming, 806, 856 SIP described, 178–179 port 5060/5061, 178 VTC systems, 781 Multimedia over Coax (MoCA), 114 multimeter, 698, 699 multimode fiber to Ethernet, 70, 70 multimode fiber-optic cable (MMF), 64, 65 multipartite viruses, 486, 486–487 multiple barrier system, 555, 555 multiple floors, site surveys, 410 multiple-port repeaters, 162–163. See also hubs Multiprotocol Label Switching. See MPLS MX records. See mail exchanger records My traceroute, 637–638 N -n switch nbtstat utility, 645 netstat utility, 652–653 883 NaaS (Network as a Service), 794 NAC (Network Access Control), 460, 462, 772 name resolution, DNS, 145, 146, 146–149. See also DNS names maintenance account, renaming, 450 NAT, 266, 266 routers, 134 naming conventions, 803 NAS. 
See network-attached storage NAT (Network Address Translation) advantages, 265 CIDR compared to, 264 described, 264–268 disadvantages, 265 DNAT, 266 exam essentials, 269 how it works, 267, 267–268, 268 inside global address, 266, 266, 267, 267, 268, 269 inside local address, 266, 266, 267, 268, 269 names, 266, 266 outside global address, 266, 266, 267, 268 outside local address, 266, 266 PAT (Port Address Translation; NAT overload) defined, 266 example, 267–269, 268 NAT allowance: 65,000 hosts, 839 routing problems, 743 private IP addresses, 212 bindex.indd 04/01/2015 Page 883 884 nbtstat utility – network documentation SNAT, 265, 268 types, 265–266 when to use, 264 where to configure, 265 nbtstat utility, 641–647 NCP (Network Control Protocol) PPP and, 599, 600, 600, 601–602 TCP/IP and, 173 near-end crosstalk, 62, 695, 723 neighbor table, 310, 310–311, 313, 842 Nessus, 551 .net (top-level domain), 146 NetBIOS (Network Basic Input/Output System) described, 181 ports 137-139, 181 netstat utility, 647–655 Network Access Control. See NAC Network Access layer described, 175, 175 TCP/IP protocol suite, 175, 175 Network Address Translation. See NAT network addresses (network number) Class A network addresses described, 208, 209–210 reserved IP addresses, 209–210 when to use, 213 Class B network addresses described, 208, 210–211 when to use, 213 Class C network addresses described, 208, 211 when to use, 213 bindex.indd 04/01/2015 Page 884 defined, 206 described, 208–212 Network layer and, 41 reserved IP addresses, 209–210, 212 special purposes of, 209–210, 212 network analyzers Ethernet frames, 107–108 purpose of, 674 Network as a Service. See NaaS Network Basic Input/Output System. See NetBIOS network closets, 556 Network Control Protocol. See NCP network controllers, 460 network devices, 127–169. 
See also DHCP; DNS; firewalls; routers; switches; specific network devices bridges Data Link layer, 161, 161–162 defined, 132, 132, 157 transparent, 132, 162 connectivity devices, 129–144 encryption devices, 151–152 content filtering appliance, 152, 152 example, 151 exam essentials, 164–165 host-based IDS, 138 hubs described, 131–132 as multiple-port repeaters, 162–163 Physical layer, 162–163, 163 switches compared to, 160 typical, 131 list of, 39–40, 129–130, 144 load balancers, 145, 833 MLS, 144–145 modems described, 152, 152 modulator–demodulator, 47, 152 networks, planning and implementing, 154–163 NICs described, 130, 130–131 LEDs, 130–131 wireless, 392, 392–393, 403–404 in OSI model layers, 39–40 proxy servers defined, 6, 150 described, 150–151 review questions, 166–169, 833–834 traffic shaping (packet shaper), 78, 153, 153, 856 types of, 39–40, 129–130, 144 VPN concentrators, 153, 153, 552–553, 553, 834 written lab, 165 network documentation, 761–770 asset management, 768–769 exam essentials, 806–807 IP address utilization, 770 logical network diagrams, 767–768, 768 network interface cards – network segmentation physical network diagrams, 766–767, 767 Real World Scenario, 745 review questions, 808–811, 855–856 SNMP, 761–762 summary, 805–806 as troubleshooting step, 745 vendor documentation, 770 wiring schematics, 763–766 network interface cards. See NICs network interface devices. See smart jacks network interface units. See smart jacks Network layer data packets, 40 described, 40–42 firewalls, 540–542 functions, 30, 31 IGMP, 181 interface, 41 Internet layer, 175, 175 metric, 41 network addresses, 41 routers, 40–42 route-update packets, 40 Network Mapper. 
See NMAP network monitoring, 771–783 baselines, 681–683, 771 emergency procedures, 779–780 exam essentials, 806–807 honeynets, 550, 782 honeypots, 550, 550, 782 HVAC, 780 industrial control systems, 780–781 legacy/unpatched systems, 782 medianets, 781 mobile devices, on-boarding and offboarding, 771–772 NAC, 460, 462, 772 network segmentation, 780–783 network-monitoring tools and logging, 683–691 packet sniffers/network monitors, 179, 490, 495, 673–675 policies, 772–773 procedures, 773 regulations, 774–775 review questions, 808– 811, 855–856 safety practices, 775–780 standard business documents, 774 summary, 805–806 Supervisory Control and Data Acquisition, 780–781 testing labs, 782 video teleconferencing, 781 network optimization, 783–805. See also high availability archives, 790 backups configuration backups, 515 types, 790, 791 UPS/battery backups, 561 caching engines, 789–790 change management procedures, 803–805 Class of Service, 787, 787–788 885 device placement, 798–802 DSCPs, 787 equipment location and installation, 797–803 exam essentials, 806–807 fault tolerance, 13, 790 high-bandwidth applications, 784–785 labeling, 802–803 latency sensitivity, 784 load balancing described, 145, 789, 833 round-robin, 303 multicast versus unicast, 785 presence, 785 QoS, 786–788 reasons for, 783–784 review questions, 808–811, 855–856 SANs, 794–795, 795, 796 summary, 805–806 traffic shaping (packet shaper), 78, 153, 153, 788, 856 unified communications, 460, 788 virtual networking, 791–797 network reconnaissance, 495 network scanners IDS/IPS software, 675–677 network analyzers, 107–108, 674 packet sniffers/network monitors, 179, 490, 495, 673–675 port scanners, 495, 677–680 network segmentation. See segmentation bindex.indd 04/01/2015 Page 885 886 network threats and mitigation – networks network threats and mitigation, 469–523. 
See also physical security and risk; wireless security ActiveX attacks, 494 anti-malware software, 514–518 Application-layer attacks, 494 ARP cache poisoning, 480 attacks, 493–498 authentication issues, 483–487 autorooters, 494 backdoors, 494–495 brute force attack, 482 DDoS (distributed DoS), 475–479 denial of service (DoS) attack, 413–414, 474–479 exam essentials, 518–519 exit interview, 509 forensic concepts, 501–503 insider threat/malicious employee, 487 misconfiguration issues, 497–498 mitigation techniques, 499–503 packet/protocol abuse, 480–481, 481 patches, 488, 498, 507, 510–512 phishing, 498–499 recognizing threats, 473–487 review questions, 520–523, 846–848 security policies, 504–509 security procedures, 509 security training, 509–510 session hijacking, 482 spoofing, 481 bindex.indd 04/01/2015 Page 886 summary, 518 upgrades, 510–512 viruses, 484, 484–487 VLAN hopping, 482, 483 vulnerabilities, 488–499 wireless threats, 490–493 written lab, 519 network topologies logical network topologies, 12 physical network topologies bus, 12, 12–13 hybrid, 15, 18, 18 mesh, 15, 15–16 partial mesh, 16 point-to-multipoint, 17, 17–18, 18 point-to-point, 16–17, 17 ring, 14–15, 15 star, 13, 13–14 selection of, 19–20 network troubleshooting, 711–754 exam essentials, 749–750 narrowing down problems (list of questions), 715–728 bad cables, 722 cable issues, 722–724 fiber cable issues, 724–725 network segments, 721 software or hardware problems, 721 super simple stuff, 716–720 workstation or server problems, 721 review questions, 751–754, 853–855 steps, 729–745 action plan, 740–741 network documentation, 745 probable cause theory, 733–737 problem identification, 729–733 solution implementation, 741–744 test theory to determine cause, 737–739 verify full system functionality; implement preventative measures, 744–745 summary, 749 tips, 746–749 written lab, 750 network-attached storage (NAS), 795, 796 network-based firewalls, 530 network-based IDS, 549, 549–550, 550 networks ad 
hoc, 413 backbones, 20, 21 basics, Ethernet and, 93–95 classless, 308, 326, 841 client-server, 11, 11–12 collapsed backbones, 336, 336, 349, 353 defined, 2, 2–3 internetwork, 8, 9, 133 introduction, 1–26, 828–829 peer-to-peer described, 10, 10–11 segments, 20–21, 21 networks, planning and implementing, 154–163 “New Directions in Cryptography” – OSI model bridges at Data Link layer, 161, 161–162 environmental considerations, 163 hubs at Physical layer, 162–163 humidity, 163 internetworking devices, 157–158, 158 LAN traffic congestion, 154–155 requirements, 154–161 segmentation, 154–155 switches at Data Link layer, 161, 161–162 temperature, 163 “New Directions in Cryptography” (Diffie and Hellman), 444 NEXT (near-end crosstalk) transmission parameter, 62 NFC (near field communication), 402 nibble, 102, 102 NICs (network interface cards) described, 130–131, 131 LEDs, 130–131 virtual, 793 wireless, 392, 392–393, 403–404 NIDs. See smart jacks NIUs. See smart jacks NMAP (Network Mapper), 552 node-to-node application communication, 175 nonpersistent agents, 463 notification, security policy, 505 nslookup, 634–635 NTP (Network Time Protocol) described, 180 port 123, 180 NTP reflection attacks, 479 numbers binary values, 102, 102 binary-to-decimal memorization chart, 103, 103 hexadecimal-to-binary-to decimal chart, 104, 104–105 octal addressing, 102 written lab: binary, decimal, hexdecimal conversions, 117–122 O octal addressing, 102 octets. 
See bytes OFDM (Orthogonal Frequency Division Multiplexing), 386, 389, 390, 423, 844 off-boarding, mobile devices, 771–772 omni directional antennas (point-to-multipoint), 393–395, 394 on-boarding, mobile devices, 771–772 100BaseFX (IEEE 802.3u), 110, 112, 113 100BaseTX (IEEE 802.3u), 110, 111, 113 110 block, 83–84, 84 1000BaseCX (IEEE 802.3z), 110, 112 1000BaseLX (IEEE 802.3z), 110, 112 1000BaseSX (IEEE 802.3z), 110, 112 1000BaseT (IEEE 802.3ab), 80, 80, 110, 112 887 1000BaseTX, 110 open access, wireless security, 416 open ports, 488, 498 Open Shortest Path First. See OSPF Open Systems Interconnection reference model. See OSI model operating systems/firmware, unpatched, 498 operator error, 719 optical carrier levels, 585, 585 optical time-domain reflectometer (OTDR), 697, 698 optimization. See network optimization .org (top-level domain), 146 organizationally unique identifier. See OUI OSI model (Open Systems Interconnection reference model), 27–53. See also Application layer; Data Link layer; Network layer; Physical layer; Presentation layer; Session layer; Transport layer advantages, 29–30 DoD model versus, 174–175, 175 exam essentials, 48 layered architecture, 29 layers defined, 29 functions, 30 lower, 31, 31–32 mnemonic, 31 upper, 31, 31–32 network devices operating in layers, 39–40 bindex.indd 04/01/2015 Page 887 888 OSPF (Open Shortest Path First) – Physical layer reference models, 29–30 review questions, 50–53, 829–830 written lab, 49 OSPF (Open Shortest Path First) autonomous systems, 314, 316, 316 default AD, 302 described, 314–316 Dijkstra algorithm, 314, 315, 316 features, 314–315 hierarchical design, 315–316, 316 IS-IS versus, 316–317 link state protocol, 303 RIP (v1/v2) versus, 314–315, 314–315 route-update packets, 40 VLSM support, 308, 314, 314, 326, 840 OSPFv3, 325–326, 841 OTDR. 
See optical timedomain reflectometer OUI (organizationally unique identifier), 105, 106, 321, 496 outbound ACLs, 533 outside global address, 266, 266, 267, 268 outside local address, 266, 266 overhead, 34 overloading. See PAT P -p switch, netstat utility, 652–653 PaaS. See Platform as a service packet filtering, dynamic, 537–538, 538 bindex.indd 04/01/2015 Page 888 Packet Internet Groper. See ping packet keys, TKIP, 418–419 packet shaper (traffic shaping), 78, 153, 153, 788, 856 packet sniffers/network monitors, 179, 490, 495, 673–675 packet switching, 580, 581 packet/protocol abuse, 480– 481, 481 packets. See also frames defined, 40 IP routing process and, 281–287 Request Timed Out, 284, 840 sizes, 107 PAgP (Port Aggregation Protocol), 365 PANs (personal area networks) Bluetooth, 401–402, 493, 586–587 defined, 45 infrared (IR) wireless, 384, 402 NFC, 402 partial mesh topology, 16 Partition Magic diskette, 554–555 passive attacks, wireless security, 414–415 passive detection, 500 Passive Optical Network (PON), 586 password management automatic account lockouts, 453 characters, 452–453 default passwords/settings, 483–484 described, 450–455 expiration of passwords, 454 minimum length, 451–452 overview, 447–448 password histories, 454 strong passwords, 452–453 PAT (Port Address Translation; NAT overload) defined, 266 example, 267–269, 268 NAT allowance: 65,000 hosts, 839 routing problems, 743 patch panel labeling, 803 patches, 488, 498, 507, 510–512 payload protocol, 434 PBX, virtual, 794 PDUs (Protocol Data Units) encapsulation, 46, 194, 194, 196 peer-to-peer networks, 10, 10–11 penetration testing, 565 performance optimization. See network optimization permanent DoS, 477 persistent agents, 463 personal area networks. 
See PANs PGP (Pretty Good Privacy), 444, 444–445 phishing (social engineering), 498–499 physical attacks, 477 Physical layer described, 45 EIA/TIA standards body, 108–109 Ethernet, 108–113 802.3 standards, 44, 45, 109 physical media – port numbers 802.3 standards, expanded, 109–111, 111–113 specifications, 109 functions, 30, 31 hubs, 162–163, 163 Network Access layer, 175, 175 network devices at, 40 physical media. See cables; connectors; media converters physical network diagrams, 766–767, 767 physical network topologies, 12–18. See also network topologies bus, 12, 12–13 hybrid, 15, 18, 18 mesh, 15, 15–16 partial mesh, 16 point-to-multipoint, 17, 17–18, 18 point-to-point, 16–17, 17 ring, 14–15, 15 star, 13, 13–14 physical security and risk, 525–572. See also firewalls; network threats and mitigation administrator training, 510 end-user training, 510, 561–562 exam essentials, 566–567 intrusion detection systems described, 138, 414, 547–548, 548 host-based IDS (HIDS), 138, 551 network-based, 549, 549–550, 550 intrusion prevention systems, 138, 414– 415, 547–548 logical security configurations, 558– 560, 559, 560 physical barriers, 555, 555 physical security, 554–558 review questions, 569– 572, 848–849 risk-related concepts, 560–565 security devices, hardware and software, 527–528 security zones, 556 summary, 566 VPN concentrators, 153, 153, 552–553, 553, 834 vulnerability scanners, 551–552, 565 written lab, 567–568 PIDS. See protocol-based IDS ping (Packet Internet Groper) defined, 259 ICMP, 191, 259 troubleshooting IP addressing, 257–259 using, 627–630 Ping of Death attack, 474 PKI (Public Key Infrastructure), 421– 422, 455–456, 456 Platform as a service (PaaS), 796 PLC. See Power Line Communication plenum, 58 plenum-rated coating, 58 PoE (Power over Ethernet) described, 366–368 Real World Scenario, 366–367 889 wireless bridge power injector, 368, 368 pointer records (PTR), 147, 148, 834 point-to-multipoint. 
See omni directional antennas point-to-multipoint topology, 17, 17–18, 18 point-to-point. See Yagi antennas Point-to-Point Protocol. See PPP point-to-point topology, 16–17, 17 Point-to-Point Tunneling Protocol. See PPTP policies and procedures. See network monitoring; network threats and mitigation polyvinyl chloride (PVC), 58 PON. See Passive Optical Network POP3 (Post Office Protocol) described, 177–178 IMAP, 178 port 110, 177 Port Aggregation Protocol. See PAgP port bonding, 364–365 port filtering, 433 port labeling, 802 port mirroring/spanning, 368–370 port numbers described, 187–189 DHCP, port 67/68, 182–184 DNS, port 53, 181 FTP, port 20, 21, 176 H.323, port 1720, 179 HTTP, port 80, 180 HTTPS, port 443, 180 IGMP and, 181 bindex.indd 04/01/2015 Page 889 890 port scanners – protocols (TCP/IP protocols) IMAP, port 143, 178 LDAP, port 389, 180 MGCP, port 2427/2727, 179 NetBIOS, ports 137-139, 181 NTP, port 123, 180 POP3, port 110, 177 RDP, port 3389, 178 RTP, port 5004/5005, 179 SFTP, port 22, 176–177 SIP, port 5060/5061, 178 SLIP, 181 SMB, port 445, 181 SMTP, port 25, 177 SNMP, port 161, 179 SSH, port 22, 180 TCP, 187–188, 188 Telnet, port 23, 176 TFTP, port 69, 177 TLS, port 995/465, 178 at Transport layer, 196, 196–197 UDP, 187–188, 188 port scanners, 495, 677–680 port security firewalls, 533–534 switches, 361–363 port states, STP, 347 port-redirection attacks, 495 ports access ports, 355–356 closed, 498 open, 488, 498 trunk ports, 356, 357 voice access ports, 356 positive acknowledgment with retransmission, 38 Post Office Protocol. See POP3 postdeployment site surveys, 408 posture assessment, 462–463 bindex.indd 04/01/2015 Page 890 POTS (plain old telephone service), 61, 576, 579, 609 Power Line Communication (PLC), 114–115, 115 power management, 798 Power over Ethernet. 
See PoE power switch, proper functioning, 718–719 powers of 2, 236 PPP (Point-to-Point Protocol) authentication modes, 602 described, 446 LCP configuration options, 600–601 NCP and, 599, 600, 600, 601–602 session establishment, 601, 601–602 SLIP, 181 WANs, 599–602 PPPoE (PPP over Ethernet), 446–447 PPTP (Point-to-Point Tunneling Protocol), 437–438 preamble, Ethernet frames, 107 predeployment site surveys, 408 prefix routing, 305 presence, network optimization, 785 Presentation layer described, 33 functions, 30, 31 Process/Application layer, 174–175, 175 Pre-Shared Key (PSK), 420 Pretty Good Privacy. See PGP preventative measures. See network troubleshooting print servers, 6 private cloud, 796 private IP addresses APIPA described, 184, 213–214, 819 DHCP failover scheme, 213 IP address range, 184, 214, 226 link-local addresses, 220, 226, 836 described, 212–213 NAT, 212 reserved IP addresses, 212 RFC 1918, 212, 835 selecting, Real World Scenario, 213 private side, firewalls, 137 proactive defense, 500–501 probable cause theory, 733–737 problem identification, 729–733 procedures and policies. See network monitoring; network threats and mitigation Process/Application layer described, 174–175, 175 protocols in, 176–189 TCP/IP protocol suite, 175, 175 Project 802, 44–45 protocol analyzers, 616–618, 695–696 Protocol field, 108 protocol switching, 534–536, 537 protocol-based IDS (PIDS), 138 protocol/packet abuse, 480–481, 481 protocols (TCP/IP protocols), 171–203. See also routing protocols; WAN protocols; specific protocols proximity readers/key fob – Real World Scenario exam essentials, 198 in Internet layer, 189–193 list, 175, 175 in Process/Application layer, 176–189 review questions, 200–203, 834–835 usage in TCP, 188, 188–189 in UDP, 188, 188–189 written lab, 198–199 proximity readers/key fob, 557–558 proxy servers defined, 6, 150 described, 150–151 proxy services, 538–540, 539. See also firewalls PSK. See Pre-Shared Key PSTN. 
See Public Switched Telephone Network PTR. See pointer records public cloud, 796 public key encryption, 443, 443–445, 444 Public Key Infrastructure. See PKI public side, firewalls, 137 Public Switched Telephone Network (PSTN), 576, 577, 579–580, 788 punch-down tool, 701, 701 PVC. See polyvinyl chloride Q QoS (quality of service) network optimization, 786–788 VLANs, 353–354 quad-A records, 147 quality of service. See QoS quarantine network, 463 R -r switch nbtstat utility, 645–646 netstat utility, 652 -R switch, nbtstat utility, 646 rack monitoring, 803 rack security, 803 radio frequency interference. See RFI RADIUS (Remote Authentication Dial In User Service), 148, 417–418, 418, 458 RADIUS/TACACS misconfiguration, 483 RAID (Redundant Array of Independent Disks), 563, 563–564, 564 Rapid Spanning Tree Protocol. See RSTP RARP (Reverse Address Resolution Protocol) broadcast example, 193, 193 described, 193 RAS. See Remote Access Services RDC. See Remote Desktop Connection RDP (Remote Desktop Protocol) described, 178, 446 port 3389, 178 Remote Desktop Connection, 178, 446 Remote Desktop Services, 178, 446 891 Telnet compared to, 178 Terminal Services Client, 178, 446 Real World Scenario Acme Corporation, 213, 246, 508 cables, 19 copper cable versus fiber-optic, 68 device placement for maximum performance, 801–802 firewalls, 494, 536, 542 FTP usage, 177 hubs versus switches, 160 loopback interface, 85 netstat utility, uses, 655 network documentation, 745 network outages, hello timer, 323 physical security, Partition Magic diskette, 554–555 PoE, 366–367 port scanning, 679–680 private IP address selection, 213 routing protocols, disabling, 301 security audits, 451–452 security policies/procedures, implementing, 508–509 software and firmware updates, 513–514 subnet mask, 246 switches versus hubs, 160 T1 connection, 583–584 war driving, 415 wired connectivity standard, deployment, 113 bindex.indd 04/01/2015 Page 891 892 real-time multimedia streaming – review questions 
real-time multimedia streaming, 806, 856 Real-time Transport Protocol. See RTP real-time video streaming, 460, 784, 785, 807, 856. See also VoIP recording equipment, security, 505 records, DNS A records, 147 AAA records, 148 A records, 149, 834 AAAA records, 147 CNAME records, 148, 149, 150 MX records, 148 PTR records, 147, 148, 834 redistribution, route, 310 redundancy, 563, 563–564, 564 redundancy protocols FHRPs, 317–318, 318, 323, 841 HSRP active and standby routers, 319–320, 320 defined, 319 timers, 322, 322–323 virtual MAC address, 320–322 VRRP versus, 324 VRRP defined, 319 described, 324 HSRP versus, 324 Redundant Array of Independent Disks. See RAID reference models, 29–30. See also OSI model reflected/amplified attacks, 478–479, 480 bindex.indd 04/01/2015 Page 892 regulations. See network monitoring relay, DHCP, 143, 143–144. See also DHCP reliable delivery, 39 reliable networking, 34 remote access, 445–447 Remote Access Services (RAS), 445, 445–446 Remote Authentication Dial In User Service. See RADIUS Remote Desktop Connection (RDC), 178, 446 Remote Desktop Protocol. See RDP Remote Desktop Services, 178, 446 remote Switch Port Analyzer. See RSPAN remote-access VPNs, 436 repeaters, 162–163, 578. See also hubs Request for Comments. See RFCs Request Timed Out, 284, 840 reserved IP addresses IPv6 addresses, 220, 221 network addresses, 209–210, 212 private IP addresses, 212 Resilient Packet Ring, 45 resolution, DNS, 145, 146, 146–149. See also DNS Reverse Address Resolution Protocol. See RARP reverse lookup zone, 148 reverse proxies, 151. 
See also proxy servers review questions answers, 827–856 authentication, 466–468, 845–846 cables, connectors, 87–90, 830–831 documentation, network, 808–811, 855–856 Ethernet, 123–125, 832– 833 hardware tools, 706–709, 852–853 IP addressing, 229–232, 835–837 monitoring, network, 808–811, 855–856 network devices, 166–169, 833–834 network threats and mitigation, 520–523, 846–848 network troubleshooting, 751–754, 853–855 networks, introduction, 23–26, 828–829 optimization, network, 808–811, 855–856 OSI model, 50–53, 829– 830 physical security and risk, 569–572, 848–849 protocols, 200–203, 834–835 routing (IP routing), 293–296, 839–840 routing protocols, 328–331, 840–842 security filtering (access control), 466–468, 845–846 software tools, 706–709, 852–853 subnetting, 271–275, 837–839 switches, 372–375, 842–843 troubleshooting tools, 665–669, 851–852 RF Emanation/TEMPEST – Routing Information Base (RIB) VLANs, 372–375, 842–843 WANs, 611–614, 849–850 wireless networks, 425–428, 843–845 wiring standards, 87–90, 830–831 RF Emanation/TEMPEST, 489 RFC 791, 189 RFC 1065, 684 RFC 1487, 181 RFC 1777, 181 RFC 1918, 212, 835. See also private IP addresses RFC 2338, 324 RFC 3232, 187–188 RFC 3330, 836 RFC 3377, 181 RFCs (Request for Comments) Class B network, 211 Class C network, 211 history, 173 RFI (radio frequency interference) coaxial cable, 60 fiber-optic cable, 64 RG-6, 59, 60 RG-8, 60 RG-58, 58 RG-58 A/U, 59, 59 RG-58 U, 59 RG-59, 59, 60 RG-62, 60 RIB. See Routing Information Base Rijndael, 442. 
See also AES ring Resilient Packet Ring, 45 Token Passing Ring, 44 Token Ring, 78, 189, 192, 336, 336, 337 ring topology, 14–15, 15 RIPng, 325, 822, 841, 842 RIPv1 (Routing Information Protocol) AD, default, 302 described, 305 hop count, 41 OSPF versus, 314–315, 314–315 RIPv2 versus, 305–306, 306, 326 route-update packets, 40 RIPv2 (Routing Information Protocol) described, 305–306 OSPF versus, 314–315, 314–315 RIPv1 versus, 305–306, 306, 326 route-update packets, 40 VLSM support, 308, 840 risk. See physical security and risk Rivest, Shamir, and Adleman. See RSA RJ connectors, 62–64 RJ-11, 62–63, 63 RJ-45, 62–64, 63, 109 RJ-48c, 63–64 rlogin, 180. See also SSH rogue APs, 412–413, 492 rolled/rollover cable, 80, 80–81 round-robin load balancing, 303 route aggregation, 309 route command, 638–641 route redistribution, 310 routed protocols, 40, 278. See also IP; IPv6; routing protocols routed wire, firewalls, 545 routers advantages, 156 ASBR, 316, 316 893 described, 133–134 functions, 156 important points, 160–161 interface configurations, 134–137 key points, 42 LANs compared to, 351 Layer 3 switches, 42, 134 multilayer switches (MLS), 134, 144–145 names for, 134 Network layer, 40–42 switches compared to, 156–157 typical setup, 134 virtual, 793 WAN troubleshooting, 608–609 routes, default, 312, 743 route-update packets, 40 routing (IP routing), 277–296 basics, 278–280 classful, 305, 307–308, 326 classless, 246, 305, 306, 308, 312, 313, 326, 840, 841 defined, 278 exam essentials, 292 prefix, 305 review questions, 293–296, 839–840 show ip route, 242, 243, 280, 283, 608, 742 simple example, 279, 279–280 steps (36 steps), 281–287 summary, 291 testing understanding, 287, 287–288, 288 written lab, 292 Routing Information Base (RIB), 313 bindex.indd 04/01/2015 Page 893 894 Routing Information Protocol – routing protocols Routing Information Protocol. 
See RIPv1; RIPv2 routing protocols, 297–331 basics, 299–303 BGP AD, default, 301, 302 autonomous systems, 311, 312, 313, 841 described, 311–313, 312 hybrid routing protocol, 312, 840, 841 Routing Information Base, 313 classes of, 302–303 classful, 305, 307–308, 326 classless, 246, 305, 306, 308, 312, 313, 326, 840, 841 defined, 278 disabling, Real World Scenario, 301 distance vector (DV) defined, 302 routing flow tree, 299, 300 EGPs autonomous systems, 312 IGPs versus, 289 routing flow tree, 299, 300 EIGRP AD, default, 301, 302 autonomous systems, 309 described, 309–311 DUAL, 310, 311, 325 feasible successor, 311, 842 features, 310 hybrid routing protocol, 309, 840, 841 bindex.indd 04/01/2015 Page 894 IS-IS, 317 route-update packets, 40 RTP, 310 successor route, 311, 842 VLSM support, 308, 309, 840 EIGRPv6, 325, 841 exam essentials, 326 first hop redundancy protocols (FHRPs), 317–318, 318, 323, 841 HSRP active and standby routers, 319–320, 320 defined, 319 timers, 322, 322–323 virtual MAC address, 320–322 VRRP versus, 324 hybrid BGP, 312, 840, 841 defined, 291, 291, 303 EIGRP, 309, 840, 841 routing flow tree, 299, 300 IGPs autonomous systems, 312 EGPs versus, 289 routing flow tree, 299, 300 IPv6, 324–326 IS-IS AD, default, 302 CLNS, 316–317 described, 316–317 Dijkstra algorithm, 316 link state protocol, 303 network terminology, 316–317, 317 OSPF versus, 316–317 VLSM support, 317 link state (LS) defined, 302–303 routing flow tree, 299, 300 OSPF autonomous systems, 314, 316, 316 default AD, 302 described, 314–316 Dijkstra algorithm, 314, 315, 316 features, 314–315 hierarchical design, 315–316, 316 IS-IS versus, 316–317 link state protocol, 303 RIP (v1/v2) versus, 314–315, 314–315 route-update packets, 40 VLSM support, 308, 314, 314, 326, 840 OSPFv3, 325–326, 841 overview, 299 review questions, 328–331, 840–842 RIPng, 325, 822, 841, 842 RIPv1 AD, default, 302 described, 305 hop count, 41 OSPF versus, 314–315, 314–315 RIPv2 versus, 305–306, 306, 326 route-update 
packets, 40 RIPv2 described, 305–306 OSPF versus, 314–315, 314–315 routing tables – security training RIPv1 versus, 305–306, 306, 326 route-update packets, 40 VLSM support, 308, 840 routing flow tree, 299, 300 summary, 326 VRRP defined, 319 described, 324 HSRP versus, 324 written lab, 327 routing tables converged, DV protocols, 304, 304–305 defined, 279 described, 40, 41, 310, 310 route-update packets, 40 RS-232 (Recommended Standard 232), 72, 72 RSA (Rivest, Shamir, and Adleman), 444 rsh, 180. See also SSH RSPAN (remote Switch Port Analyzer), 368–370 RSTP (Rapid Spanning Tree Protocol), 348–349 RTP (Real-time Transport Protocol) described, 179 EIGRP, 310 H.323, 179 port 5004/5005, 179 running services, unnecessary, 488 S -s switch nbtstat utility, 647 netstat utility, 652 -S switch, nbtstat utility, 646–647 SA. See Source Address SaaS. See Software as a service safety practices, 775–780 sampling size, 99 SANs (storage area networks), 794–795, 795, 796 satellite, communications, 587, 588 SC connectors, 66, 67, 67 SCADA. See Supervisory Control and Data Acquisition scanners, vulnerability, 551–552, 565 scanning services, 542–543, 543 schematics and diagrams. See network documentation scope options, Windows DHCP server, 140, 141 SDN. See software-defined networking SDSL. See Symmetric Digital Subscriber Line secure area, 501 Secure File Transfer Protocol. See SFTP Secure Hash Algorithm. See SHA Secure Shell. See SSH Secure Sockets Layer. See SSL Secure-HTTPS, 459 security. See also network threats and mitigation; physical security and risk; security filtering; wireless security audits, 451–452, 503 895 noise immunity, cables, 74–75 recording equipment, 505 security devices, hardware and software. See physical security and risk security filtering (access control), 431–447. 
See also authentication; encryption; tunneling access control lists, 432–433 defined, 432 exam essentials, 464–465 port filtering, 433 PPPoE, 446–447 RAS, 445, 445–446 RDP described, 178, 446 port 3389, 178 Remote Desktop Connection, 178, 446 Remote Desktop Services, 178, 446 Telnet compared to, 178 Terminal Services Client, 178, 446 remote access, 445–447 review questions, 466–468, 845–846 summary, 464 written lab, 465 security guards, 507, 558 security information and event management. See SIEM security policies. See network threats and mitigation security threats. See network threats and mitigation security training. See network threats and mitigation bindex.indd 04/01/2015 Page 895 896 security zones – SNMP (Simple Network Management Protocol) security zones, 556 segmentation, network. See also networks, planning and implementing defined, 155 implementing, 780–783 LAN traffic congestion, 154–155 segments described, 20–21, 21 TCP, 185, 185 UDP, 186, 186 serial, 71–72 serial cables, 71–73 server logs, 689–690, 690 Server Message Block. See SMB server mode, VTP, 360, 360–361 server problems, 721 server/cloud-based antimalware, 514–515 servers described, 6–7 virtual, 792 service set identifiers. See SSIDs Service-Level Agreement (SLA), 774 session establishment, PPP, 601, 601–602 session fixation, 482 session hijacking, 482 Session Initiation Protocol. See SIP Session layer described, 33 functions, 30, 31 Process/Application layer, 174–175, 175 session sidejacking, 482 SFF (small form factor) connectors, 68–69, 69 bindex.indd 04/01/2015 Page 896 SFTP (Secure File Transfer Protocol) described, 176–177 port 22, 176–177 SSH, 176–177 SHA (Secure Hash Algorithm), 462 shielded twisted-pair cable, 60 shortened expressions, IPv6, 219 shortest path first protocols. 
See link state routing protocols show ip arp, 284 show ip route, 242, 243, 280, 283, 608, 742 SIEM (security information and event management), 687–688 signal degradation, 400–401 signature identification, 544 Simple Mail Transfer Protocol. See SMTP Simple Network Management Protocol. See SNMP simplex mode, 33 single point of failure, 562 single sign-on, 454–455 single-mode fiber to Ethernet, 70, 70 single-mode fiber-optic fiber (SMF), 64, 65 single-mode to multimode fiber, 71, 71 SIP (Session Initiation Protocol) described, 178–179 port 5060/5061, 178 VTC systems, 781 site surveys AirMagnet Survey, 411, 728 described, 408–411 Ekahau Site Survey, 411 heatmap of building, 411 information gathering, 408 multifloor installation, 411 multiple floors, 410 postdeployment, 408 predeployment, 408 providing capacity, 408–409 tools, 410–411, 411 site-to-site VPNs, 436 6to4 tunneling, 224–225, 225 66 block, 83 SLA. See Service-Level Agreement SLIP (Serial Line IP) described, 181 DHCP, 181 PPP, 181 small form factor connectors. See SFF connectors smart jacks (network interface devices (NIDs); network interface units (NIUs)), 84, 578 SMB (Server Message Block) described, 181 port 445, 181 SMF. See single-mode fiber SMTP (Simple Mail Transfer Protocol) described, 177 port 25, 177 SMTP proxies, 540 smurf attacks, 477, 478 SNAT. See static NAT SNMP (Simple Network Management Protocol) agents, 179 described, 179 GETBULK, 179 snooping – storage area networks network documentation, 761–762 packet sniffers, 179 port 161, 179 software tool, 684–685 TCP, 179 UDP, 179 versions, 179 snooping, DHCP, 364 social engineering. See phishing SOF. See Start of Frame Delimiter software and hardware security devices. See physical security and risk Software as a service (SaaS), 797 software tools, 673–691. 
See also hardware tools baseline, 681–683, 771 exam essentials, 704–705 looking glass sites, 688, 689 network scanners IDS/IPS software, 675–677 network analyzers, 107–108, 674 packet sniffers/network monitors, 179, 490, 495, 673–675 port scanners, 495, 677–680 network-monitoring tools and logging, 683–691 review questions, 706– 709, 852–853 SIEM, 687–688 SNMP, 684–685 speed test sites, 688, 688 Syslog, 685, 685–687, 686–687 Wi-Fi analyzer, 680, 681 wireless survey tools, 680, 682 written lab, 705 software-defined networking (SDN), 793–794 software/hardware problems. See network troubleshooting SOHO networks. See networks, planning and implementing solution implementation. See network troubleshooting SONET (Synchronous Optical Network), 585, 850 Source Address (SA), 107 Soviet Union, Sputnik, 174 SOW. See Statement of Work SPAN (Switch Port Analyzer), 368–370 spanning, port mirroring, 368–370 Spanning Tree Protocol. See STP spanning-tree algorithm (STA), 346 special IPv6 addresses, 220, 221 speed, WANs, 581–582 speed test sites, 688, 688 split horizon issues, 607–608 spoofing, 481 Sputnik, 174 square connectors. See SC connectors SSH (Secure Shell) described, 180, 447 encryption, 180 port 22, 180 rlogin, 180 rsh, 180 SFTP, 176–177 Telnet, 176, 180, 662 897 SSIDs (Service Set Identifiers) defined, 396 ESSIDs, 727 infrastructure mode: BSS, 396–398, 397 wireless security, 416–417 SSL (Secure Sockets Layer), 436–437 SSL VPN, 437 ST (straight tip) connectors, 66–67, 67 STA. See spanning-tree algorithm Stacheldraht, 478 standard ACLs, 532 standard business documents, 774 standby timer, 323 star topology, 13, 13–14 Start of Frame Delimiter (SOF)/Synch, 107 state transitions, 45 stateful, DHCPv6, 223 stateful Network layer firewalls, 541 stateless autoconfiguration. 
See EUI-64 stateless Network layer firewalls, 541 Statement of Work (SOW), 774 static NAT (SNAT), 265, 268 static routing defined, 279 described, 288–291, 289, 290, 291 dynamic versus, 292 routing flow tree, 299, 300 static VLANs, 354 Stealth Boot, 486, 520 Stoned, 486, 520 storage area networks. See SANs bindex.indd 04/01/2015 Page 897 898 STP (Spanning Tree Protocol) – switches (Layer 2 switching) STP (Spanning Tree Protocol) convergence, 347–348, 348 described, 346–349 port states, 347 RSTP, 348–349 straight tip. See ST connectors straight-through cables, 78, 78 strong passwords, 452–453 subnet masks CIDR values and, 237, 238, 239 Class B addresses, 249 Class C addresses, 239 default, Classes A, B, C, 237, 237 defined, 236 described, 236–237 example: find valid subnet mask, 263, 264 Real World Scenario, 246 VLSMs described, 306–309 discontiguous networks, 306–309 EIGRPs, 308, 309, 840 IS-IS, 317 link state routing protocols, 313 OSPF, 308, 314, 314, 326, 840 RIPv2, 308, 840 subnetting (IP subnetting) basics, 234–256 benefits, 235 defined, 235 exam essentials, 269 powers of 2, 236 review questions, 271–275, 837–839 bindex.indd 04/01/2015 Page 898 route aggregation, 309 subnets, how to create, 235 summary, 268–269 written labs, 269–270 subnetting Class B addresses, 249–256 overview, 249–250 practice examples 255.255.128.0 (/17), 250, 250–251 255.255.192.0 (/18), 251, 251 255.255.240.0 (/20), 251–252, 252 255.255.254.0 (/23), 252, 252 255.255.255.0 (/24), 252–253, 253 255.255.255.128 (/25), 253, 254 255.255.255.192 (/26), 254, 254 255.255.255.224 (/27), 254–255, 255 subnet masks, 249 subnetting in your head, 255–256 subnetting Class C addresses, 239–248 fast way, 239–240 practice examples 255.255.255.128 (/25), 240–242, 241, 242 255.255.255.192 (/26), 242–243, 243 255.255.255.224 (/27), 243, 244 255.255.255.240 (/28), 244, 244 255.255.255.248 (/29), 244–245, 245 255.255.255.252 (/30), 245, 245 “So what do you know now?” section, 247–248 subnet masks, 239 subnetting 
in your head, 246–247 subscriber connectors. See SC connectors successor route, 311, 842 super simple stuff. See network troubleshooting Supervisory Control and Data Acquisition (SCADA), 780–781 swipe mechanisms, 506 Switch Port Analyzer. See SPAN switches (for troubleshooting tools). See troubleshooting tools switches (Layer 2 switching), 335–349 address learning, 341–342 application-specific integrated circuits, 144, 161, 338, 340 benefits, 339 bridges versus, 340 Data Link layer, 161, 161–162 defined, 335 described, 132–133 Ethernet, 133 exam essentials, 370–371 forward/filter decisions, 342–344 functions of, 340 hubs compared to, 160 interface configurations, 134–137 Symmetric Digital Subscriber Line (SDSL) – 10BaseFL IP addresses on, 361–363 Layer 3 (routers), 42, 134 limitations, 339–334 loop avoidance, 344–345, 345 managed, 133 multilayer switches (MLS), 134, 144–145 networking before, 335–338 overview, 335 PoE (Power over Ethernet) described, 366–368 Real World Scenario, 366–367 wireless bridge power injector, 368, 368 port mirroring/spanning, 368–370 port security, 361–363 purpose, 157 review questions, 372–375, 842–843 routers compared to, 156–157 RSPAN (remote Switch Port Analyzer), 368–370 SPAN (Switch Port Analyzer), 368–370 summary, 370 virtual, 792 written lab, 371 Symmetric Digital Subscriber Line (SDSL), 590 symmetrical encryption keys, 442–443 SYN, SYN/ACK, ACK, 34, 34–35 SYN flood, 478, 479 Synchronous Optical Network. 
See SONET Syslog, 685, 685–687, 686–687 system labeling, 802 T T1 connection, 583 T1 crossover cables, 81, 81 T3 connection, 584 tables neighbor table, 310, 310–311, 313, 842 routing tables converged, DV protocols, 304, 304–305 defined, 279 described, 40, 41, 310, 310 route-update packets, 40 topology table, 310, 310–311, 313, 842 TACACS+ (Terminal Access Controller AccessControl System Plus), 148, 458–459, 459 TACACS/RADIUS misconfiguration, 483 tapping, 75, 76 target test, 565 TCP (Transmission Control Protocol) described, 184–185 header, 185, 185 IP and, 173 key concepts, 186–187, 187 port numbers, 187–188, 188 protocols that use TCP, 188, 188–189 899 segment format, 185, 185 SNMP, 179 UDP versus, 186–187, 187 TCP/IP (Transmission Control Protocol/ Internet Protocol). See also protocols ARPAnet, 173–174 brief history, 173–174 BSD Unix, 174 DoD and, 173 open-systems approach, 174 University of California, Berkeley, 174 TDM. See time-division multiplexing TDR. See time-domain reflectometer Teflon-type covering, 58 Telecommunication Industry Association. See EIA/TIA telephony servers, 6 Telnet described, 176 port 23, 176 RDP compared to, 178 SSH and, 176, 180, 662 terminal emulation, 176, 198 troubleshooting with, 660–662 temperature, network planning and, 163 TEMPEST/RF Emanation, 489 Temporal Key Integrity Protocol. See TKIP 10Base2 (thinnet), 58, 58, 109, 111 10Base5 (thicknet), 109, 111 10BaseFL, 68, 112 bindex.indd 04/01/2015 Page 899 900 10BaseT – Trojan horses 10BaseT, 109, 111 10GBaseER, 111, 112 10GBaseEW, 111, 113 10GBaseLR, 110, 112 10GBase-LW, 111, 113 10GBaseSR, 110, 112 10GBaseSW, 111, 113 10GBaseT, 110, 112 Tequila virus, 486–487 Terminal Access Controller Access-Control System Plus. See TACACS+ terminal emulation, 176, 198 Terminal Services Client (TSC), 178, 446 test theory to determine cause, 737–739 testers. 
See hardware tools testing labs, 782 penetration, 565 TFTP (Trivial File Transfer Protocol) connectionless, 198 described, 177 FTP, 177 port 69, 177 thicknet (10Base5), 109, 111 thinnet (10Base2), 58, 58, 109, 111 thrashing, 345 threats. See network threats and mitigation 3DES. See Triple Data Encryption Standard three-way handshake call setup, 184 described, 34, 34–35 throughput testers, 618–619 TIA/EIA. See EIA/TIA time-division multiplexing (TDM), 47 time-domain reflectometer (TDR), 696–697 timers, HSRP, 322, 322–323 TKIP (Temporal Key Integrity Protocol), 418–419 TLS (Transport Layer Security) described, 178 port 995/465, 178 SSL, 178 Token Passing Bus, 44 Token Passing Ring, 44 Token Ring, 78, 189, 192, 336, 336, 337 toll network, 579 toner probe, 698–699, 700 top-level domains, 145–146 topologies. See network topologies topology table, 310, 310–311, 313, 842 traceroute ARP broadcast, 192–193 defined, 259 ICMP, 191, 259 using, 620–622 tracert, 191, 259 tracking, 506 traffic congestion, LAN, 154–155 traffic shaping (packet shaper), 78, 153, 153, 788, 856 traffic spike, 476 training administrator training, 510 end-user training, 510, 561–562 security training, 509–510 Transmission Control Protocol. See TCP bindex.indd 04/01/2015 Page 900 Transmission Control Protocol/ Internet Protocol. See TCP/IP transmission media, WANs, 584–588 transmission speeds, cable property, 74 transparent bridging, 132, 162 transparent mode, VTP, 360, 360–361 Transport layer. See also Host-to-Host layer acknowledgments, 38, 39 connectionless, 34 connection-oriented communication, 34, 34–35 described, 33–40 flow control, 35–37, 36 functions, 30, 31 Host-to-Host layer, 175, 175 port numbers at, 196, 196–197 reliable delivery, 39 reliable networking, 34 TLS described, 178 port 995/465, 178 SSL, 178 Tunneled Transport Layer Security (TTLS), 420, 462, 844 windowing, 37, 38 Transport Layer Security. See TLS Triple Data Encryption Standard (3DES), 442 Trivial File Transfer Protocol. 
See TFTP Trojan horses, 414, 487, 494, 496 troubleshooting – unlicensed frequencies troubleshooting. See IP addressing, troubleshooting; network troubleshooting; WAN troubleshooting troubleshooting tools, 615–669. See also ARP arp utility, 631–634 connectivity software, 619–620 exam essentials, 663 FTP, 655–660 Hosts table, 636–637 ifconfig, 626–627 ipconfig, 622–626 list, 616 My traceroute, 637–638 nbtstat utility, 641–647 netstat utility, 647–655 nslookup, 634–635 ping (Packet Internet Groper) defined, 259 ICMP, 191, 259 troubleshooting IP addressing, 257–259 using, 627–630 protocol analyzers, 616–618 review questions, 665– 669, 851–852 route command, 638–641 summary, 662 Telnet utility, 660–662 traceroute ARP broadcast, 192–193 defined, 259 ICMP, 191, 259 using, 620–622 written lab, 663–664 trunk ports, 356, 357 trusted network, 528 trusted users, 489 trust-exploitation attacks, 495 TSC. See Terminal Services Client T-series connections, 582–584 TTLS. See Tunneled Transport Layer Security Tunneled Transport Layer Security (TTLS), 420, 462, 844 tunneling defined, 106 described, 433–440 4to6 tunneling, 224 GRE, 438, 438–439 IPSec described, 439, 439–440, 440 IETF, 439, 845 ISAKMP, 440 L2TP, 437 PPTP, 437–438 6to4 tunneling, 224–225, 225 SSL VPN, 437 VPNs, 435, 435–437 25-pair cable, 83 twisted-pair cable, 60–64. See also UTP cable 2.4GHz (802.11b), 383, 383, 384–385, 423 2.4GHz (802.11g), 383, 383, 385–386, 386, 423 2.4GHz/5GHz (802.11n), 384, 388–389, 428, 728, 844, 845 two-factor authentication, 455 Type field, Ethernet frames, 107 901 U UDP (User Datagram Protocol) connectionless, 38, 186, 187, 198, 541 described, 185–186 header, 186 key concepts, 186–187, 187 port numbers, 187–188, 188 protocols that use UDP, 188, 188–189 segment, 186, 186 SNMP, 179 TCP versus, 186–187, 187 unreliable, 186, 187, 198 ultra-polished connectors. 
See UPCs unbounded media issues (wireless), 725–728 unencrypted channels, 488 unicast, multicast versus, 785 unicast addresses defined, 215, 220 global, 220, 221, 836 unified communications, 460, 788 unified threat management (UTM), 552 unified voice services, 460 unintentional DoS, 477 unique local addresses, 220 Universal Serial Bus. See USB University of California, Berkeley, 174. See also BSD Unix, BSD, 174, 225, 485 unlicensed frequencies, wireless technologies, 381, 382 bindex.indd 04/01/2015 Page 901 902 unnecessary running services – VLANs (virtual LANs) unnecessary running services, 488 unpatched firmware/ operating systems, 498 unpatched/legacy systems, 488, 782 unreachable gateway, 474–475, 475 unreliable connectionless services, 198 UDP, 186, 187, 198 unshielded twisted-pair. See UTP untrusted network, 528 untrusted users, 489 UPCs (ultra-polished connectors), 65–66, 66 upgrades, 510–512 upper layers, 31, 31–32 UPS/battery backups, 561 uptime, 785 USB (Universal Serial Bus), 72–73, 73 user account management, 447–450 anonymous accounts, 176, 449, 658 disabling accounts, 447 limiting connections, 449–450 maintenance account, renaming, 450 user authentication. See authentication User Datagram Protocol. See UDP username, anonymous, 176, 449, 658 UTM. See unified threat management UTP (unshielded twisted-pair) cable bindex.indd 04/01/2015 Page 902 categories, 61–62 Category 2, 61 Category 3, 61 Category 4, 61 Category 5, 61 Category 5e (enhanced), 61, 62, 64 Category 6, 62 Category 6a (augmented), 62 RJ connectors, 62–64 RJ-11, 62–63, 63 RJ-45, 62–64, 63 RJ-48c, 63–64 UTP Gigabit wiring (1000BaseT), 80, 80 V Variable Length Subnet Masks. See VLSMs vendor documentation, 770 verify full system functionality, 744–745 Very High Bit-Rate Digital Subscriber Line (VHDSL), 590–591 video monitoring, 556 video streaming, 460, 784, 785, 807, 856. See also VoIP video teleconferencing (VTC), 781 virtual circuits, 34, 598–599. 
See also connectionoriented communication; Frame Relay virtual desktops, 794 virtual firewalls, 793 virtual LANs. See VLANs virtual networking, 791–797 virtual NICs, 793 virtual PBX, 794 virtual private networks. See VPNs Virtual Router Redundancy Protocol. See VRRP virtual routers, 793 virtual servers, 792 virtual switches, 792 virtual wire, firewalls, 545, 545 virtualization, 793, 793 viruses antivirus components, 515–518 described, 484, 484–487 VLAN hopping, 482, 483 VLAN Trunking Protocol (VTP) client mode, 360, 360–361 described, 359–365 features, 359 goals of, 359 modes of operation, 360, 360–361 requirements, 359–360 server mode, 360, 360–361 transparent mode, 360, 360–361 VLANs (virtual LANs), 349–365 access ports, 355–356 basics, 350–353 dynamic, 355 flat network structure, 350, 350 identification methods, 357–358 identifying, 355 ISL, 357 memberships, 354 QoS, 353–354 VLSMs (Variable Length Subnet Masks) – WANs (wide area networks) review questions, 372–375, 842–843 static, 354 trunk ports, 356, 357 voice access ports, 356 VLSMs (Variable Length Subnet Masks) described, 306–309 discontiguous networks, 306–309 EIGRPs, 308, 309, 840 IS-IS, 317 link state routing protocols, 313 OSPF, 308, 314, 314, 326, 840 RIPv2, 308, 840 voice access ports, 356 VoIP (Voice over Internet Protocol) delay problems, 786 described, 784–785 managed switches, 133 Real-time Transport Protocol described, 179 EIGRP, 310 port 5004/5005, 179 Session Initiation Protocol described, 178–179 port 5060/5061, 178 VTC systems, 781 wired connectivity standard, Real World Scenario, 113 voltage event recorder (power), 702–703 VPN concentrators, 153, 153, 552–553, 553, 834 VPNs (virtual private networks), 435, 435–437 VRRP (Virtual Router Redundancy Protocol) defined, 319 described, 324 HSRP versus, 324 VTC. See video teleconferencing VTP. See VLAN Trunking Protocol vulnerabilities. 
See network threats and mitigation vulnerability scanners, 551–552, 565 W walls, signal degradation and, 401 WAN protocols Asynchronous Transfer Mode (ATM), 602–603 Frame Relay, 596–599, 597 ISDN, 595–596 MPLS, 8–10, 9, 603 PPP, 599–602 WAN troubleshooting described, 603–609 DNS issues, 608 interface errors/ monitoring, 604–607 loss of Internet connectivity, 603–604 router configurations, 608–609 split horizon issues, 607–608 WANs (wide area networks), 573–614. See also MPLS; WAN protocols bandwidth, 581–582 Bluetooth, 401–402, 493, 586–587 903 broadband services, 588–593 cable modem, 591–592, 592 cellular, 593–594 centralized, 8, 9 communications satellite, 587, 588 connection types, 580, 580–581 defined, 577 Dense Wavelength Division Multiplexing, 585–586 distributed, 8 DSL technology, 589–591 exam essentials, 609–610 LANs compared to, 8, 22 microwave radio relay, 587 overview, 576 POTS, 61, 576, 579, 609 Public Switched Telephone Network, 576, 577, 579–580, 788 review questions, 611–614, 849–850 speed, 581–582 summary, 609 terms, definitions for, 577–579 transmission media, 584–588 T-series connections, 582–584 Wavelength Division Multiplexing, 585–586 WiMAX, 45, 594 wireless WAN technologies, 593–594 written labs, 610 xDSL, 590–591, 850 bindex.indd 04/01/2015 Page 903 904 WAPs – wireless security WAPs. See wireless access points war chalking, 491 war driving, 415, 491, 846 Wavelength Division Multiplexing (WDM), 585–586 wavelengths, 98–99, 99 WDM. See Wavelength Division Multiplexing web proxies, 151, 539–540 web servers, 6 web services, 459 WEP (Wired Equivalent Privacy), 416–417 WEP cracking, 491 wide area networks. See WANs Wi-Fi, 388. See also 802.11 standards Wi-Fi Alliance, 381, 382, 388, 418, 420, 492 Wi-Fi analyzer, 680, 681 Wi-Fi Protected Access. See WPA WiMAX (World Wide Interoperability for Microwave Access; Wireless Metropolitan Area Network), 45, 594 windowing, 37, 38 Windows ARP table, 630–631 Windows DHCP server, scope options, 140, 141. 
See also DHCP
Windows DNS server, 147, 147–148. See also DNS
Windows Event Viewer system log, 690
Windows Update, 511, 511–512
WINS (Windows Internet Naming Service), 145
wire crimper, 702, 702
Wired Equivalent Privacy. See WEP
wireless access points (WAPs)
  configuration, 404–407
  described, 391, 391–392
wireless antennas, 393–395, 394
wireless bridge power injector, 368, 368
wireless channel utilization, 692
wireless controllers, 398, 398–399, 399
wireless issues, unbounded media issues, 725–728
Wireless Metropolitan Area Network. See WiMAX
wireless networks, 377–428. See also 802.11 standards; WLANs
  agencies, 381
  antennas, wireless, 393–395, 394
  components, 391–395
  controllers, wireless, 398, 398–399, 399
  exam essentials, 423
  installing, 395–408
    ad hoc mode: IBSS, 395–396, 396
    infrastructure mode: BSS, 396–398, 397
  introduction, 380–382
  mobile hot spots, 399–400, 400
  NICs, wireless, 392, 392–393, 403–404
  overview, 380
  PANs
    Bluetooth, 401–402, 493
    defined, 45
    infrared (IR) wireless, 384, 402
    NFC, 402
  review questions, 425–428, 843–845
  signal degradation, 400–401
  summary, 422–423
  unlicensed frequencies, 381, 382
  WAPs, 391, 391–392
  written lab, 423–424
wireless NICs, 392, 392–393, 403–404
wireless security, 412–422
  ad hoc networks, 413
  certificates, 421–422
  client mode, 414
  DoS, 413–414
  EAP, 421–422
  EAP-TLS, 422, 462
  infrastructure mode strategy, 414
  intrusion detection systems, 138, 414
  intrusion prevention systems, 138, 414–415
  MAC authentication, 416–417
  open access, 416
  passive attacks, 414–415
  PKI, 421–422
  RADIUS, 148, 417–418, 418, 458
  rogue APs, 412–413
  SSIDs, 416–417
  threats, 490–493
  TKIP, 418–419
  war driving, 415, 491, 846
  WEP, 416–417
  WPA
    described, 419–422
    802.11i standard, 383, 418, 420, 421, 492, 823, 844
    Pre-Shared Key (PSK), 420
    WPA2, 419–421
    WPA2-AES, 420
    WPA/WPA2 cracking, 492
wireless survey tools, 680, 682
wireless technologies, WANs, 586–587
wireless WAN technologies.
See WANs
wire-map testers, 694–695
Wireshark, 490, 617, 674, 696, 728, 851
wiring, security policy, 505–506
wiring distributions, installing, 82–84
wiring schematics, 763–766
wiring standards, 75–82. See also cables
  crossover cables, 78, 78–79
  exam essentials, 85–86
  568A, 76, 76–77
  568B, 76–77, 77
  Real World Scenario, 113
  review questions, 87–90, 830–831
  rolled/rollover cable, 80, 80–81
  straight-through cables, 78, 78
  T1 crossover cables, 81, 81
  UTP Gigabit wiring (1000BaseT), 80, 80, 110, 112
  written lab, 86
WLAN Association (WLANA), 381
WLANs (wireless LANs). See also wireless networks
  APs configuration, 404–407
  hardware, installing and configuring, 402–403
  history, 382, 382
  location-based, 410
  modulation techniques
    DSSS, 386, 390, 423, 844
    FHSS, 423, 586, 850
    OFDM, 386, 389, 390, 423, 844
  NIC configuration, 403–404
  site surveys
    AirMagnet Survey, 411, 728
    described, 408–411
    Ekahau Site Survey, 411
    heatmap of building, 411
    information gathering, 408
    multifloor installation, 411
    multiple floors, 410
    postdeployment, 408
    predeployment, 408
    providing capacity, 408–409
    tools, 410–411, 411
workgroups, 3
workstation problems, 721
workstations, 5
World Wide Interoperability for Microwave Access.
See WiMAX
worms, 485, 490, 655, 847
WPA (Wi-Fi Protected Access)
  described, 419–422
  802.11i standard, 383, 418, 420, 421, 492, 823, 844
  Pre-Shared Key (PSK), 420
  WPA2, 419–421
  WPA2-AES, 420
  WPA/WPA2 cracking, 492
  WPS attacks, 492
written labs
  answers, 813–826
  authentication, 465
  binary, decimal, hexadecimal conversions, 117–122
  cables, connectors, 86–87
  hardware and software tools, 705
  IP addressing, 227–228
  network devices, 165
  network documentation, 807
  network monitoring, 807
  network optimization, 807
  network threats and mitigation, 519
  network troubleshooting, 750
  networks, introduction, 22
  OSI model, 49
  physical security and risk, 567–568
  protocols, 198–199
  routing (IP routing), 292
  routing protocols, 327
  subnetting, 269–270
  switches, 371
  troubleshooting tools, 663–664
  WANs, 610
  wireless networks, 423–424
  wiring standards, 86

X Y Z

X.509 certificates, 178
xDSL, 590–591, 850
Xerox, DIX, 108
Yagi antennas (point-to-point), 393–395, 394
zero day attacks, 487, 515
Zimmerman, Phil, 444–445
zones, 545–547, 546, 547

Free Online Learning Environment

Register on Sybex.com to gain access to the free online interactive learning environment and test bank to help you study for your CompTIA certification. The online test bank includes:
• Assessment Test to help you focus your study to specific objectives
• Chapter Tests to reinforce what you learned
• Practice Exams to test your knowledge of the material
• Electronic Flashcards to reinforce your learning and provide last-minute test prep before the exam
• Searchable Glossary gives you instant access to the key terms you'll need to know for the exam

Go to http://sybextestbanks.wiley.com to register and gain access to this comprehensive study tool package.

WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley's ebook EULA.