I sure miss turning on my space ship / physical lab from my CCNP R/S studies 🙂
This will be a review of some fairly basic networking information, so basic and forgettable that I should probably review it, though I am very tempted to just skip right over this portion of this week's “Network Fundamentals” material from the DEVASC blueprint.
I breezed over the module and saw just enough information that I have already half forgotten it, so I wanted to jot it down here quickly, so that I have the important details on a single page for exam prep rather than searching out topics from previous studies.
Reviewing the basics, and introducing some new information on Networking
Stateless VS Stateful Connection / Packet Monitoring and Filtering
For the purpose of DevNet studies from the DEVASC forward, this goes beyond Firewalls and the discussion in those terms: “Stateless” means connections are allowed by a set of static configuration; if the traffic flow matches, the connection is allowed to proceed, and the actual connection state is not tracked unless configured to do so.
Stateful means the state of a connection is monitored: if something changes during the connection, such as the port number, MTU, or fragmentation, the connection will be dropped. It essentially remembers the state of all packets that have already passed through, so it knows what to expect, and if it does not get that expected packet it will drop the connection.
For example, if I connect to a device or application while connected to a VPN, and I can disconnect the VPN (thus changing the source IP) and maintain the session, the connection is considered “Stateless”, whereas if it detects that change and drops the connection it is Stateful. This applies to building security into the development of APIs and applications, which is why it goes here beyond network devices, in the general sense of whether the connection / session is actively monitored for any changes (Stateful) or whether a change in the connection will not impact the session (Stateless).
If the session is monitored packet by packet to maintain it, it is a Stateful connection / device; if it is not monitored packet by packet, it is Stateless.
This can be demonstrated on an ASA via “sh xlate” for the NAT translation table maintained while the session is active, or “sh conn” to show all open connections / port numbers of active connections, meaning ASA Firewalls are Stateful devices.
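As an added illustration (my own example, not from the original post), here is a small Python model of the VPN-disconnect case above: a stateful tracker keys each session on its 5-tuple and drops a packet whose source IP no longer matches the remembered state, while a stateless filter only checks the static rule. The addresses, ports and flow are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # TCP flags, e.g. "SYN" or "ACK"

Key = Tuple[str, int, str, int]

@dataclass
class StatefulTracker:
    """Remembers every accepted connection by its 5-tuple; a packet gets through only
    if it matches remembered state or legitimately opens a new connection with a SYN."""
    table: Dict[Key, str] = field(default_factory=dict)

    def accept(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            return True
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table[key] = "NEW"  # simplified: a bare SYN creates the state entry
            return True
        return False  # mid-stream packet with no matching entry: dropped

class StatelessFilter:
    """Static rule only: permit anything to the allowed port, with no memory of sessions."""
    def __init__(self, allowed_dst_port: int):
        self.allowed = allowed_dst_port

    def accept(self, pkt: Packet) -> bool:
        return pkt.dst_port == self.allowed

def vpn_drop_scenario(filter_obj) -> list:
    """Constructed flow: session opened over the VPN address, then the VPN drops and the
    third packet arrives from the client's public address with the same ports."""
    flow = [
        Packet("10.8.0.5", 51000, "192.0.2.10", 443, "SYN"),
        Packet("10.8.0.5", 51000, "192.0.2.10", 443, "ACK"),
        Packet("203.0.113.7", 51000, "192.0.2.10", 443, "ACK"),  # source IP changed
    ]
    return [filter_obj.accept(p) for p in flow]
```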
Layer 7 / UTM (Unified Threat Management) Packet / Connection filtering
These are devices, or filtering, operating at higher levels of the OSI Model, typically known as Layer 7 (Layers 5-7) Application Layer filtering, which provides the most comprehensive connection filtering criteria and may be overkill for your needs unless you need to filter above Layer 4, which is the Transport / Port # layer of the OSI model.
With Load Balancers the name is the recipe, much like GLBP as an FHRP in CCNP R/S terminology in how it “load balances” client connection requests on the LAN across multiple “Forwarders” in the GLBP group, based on which device can fulfill the client request most quickly, while spreading out the connections to keep the resource usage of the servers or devices even across all of them.
Load Balancers can either be configured to load balance solely based on the availability of the servers, or configured so that a specific client is always connected to a specific server regardless of the availability of the server; this is called Server “Stickiness”, as some session information may be required for subsequent connections from the same client. For example, if you are checking out via PayPal while shopping on eBay, the eBay server needs to maintain session information while you are paying via PayPal to complete the session request.
Load Balancers are also used to handle SSL connections / sessions, as they are hardware intensive, so the Load Balancer itself maintains the actual SSL connection with the client while forwarding the session information on to the server without encryption; the data is then returned and secured back to the client at the balancer.
This makes it a sort of VPN or security endpoint for the servers, like a Firewall, only of course with the ability to provide Redundancy / Resilience / High Availability to the servers.
Network Protocols – Telnet / SSH / DHCP / DNS / SNMP / NTP / NAT
Though Telnet is largely seen as the non-secure and therefore unusable protocol, it may have its uses on a secured LAN, as it uses less overhead / bandwidth because it transmits data in plain text rather than using encryption, though most connections should generally use SSHv2 when possible, even on a secured LAN (though it is not required).
Well known and newer port #’s to know for DevNet studies:
- SSH – 22
- Telnet – 23 or 992 (Telnet over TLS or SSL)
- DNS – 53
- HTTP – 80
- HTTPS – 443 (HTTP over TLS or SSL)
- NETCONF – 830
- RESTCONF – Commonly in 8000’s like 8008, 8080, 8888 (No standard port value)
A few IPv6 well-known addresses that I easily forget, since I never really work with it:
One critical IPv6 skill is knowing how to properly convert Hex to Dotted Decimal to create an IPv6 address that is IPv4 compatible, which can be found here, where I demonstrate how to make 192.168.10.234 into the ::XXXX:XXXX/32 format.
- IPv4 Address in IPv6 – ::XXXX:XXXX/96 – This signifies that the address is all zeros until the last 32 bits of the 128-bit IPv6 address; click the link right above this for my article on Hex to Dotted Decimal conversion
- IPv6 Link Local / Unicast Address – 2001::/10; the interface ID is created from the EUI-64 format, which uses Neighbor Discovery Protocol (ND) and Stateless Autoconfiguration
- IPv6 Multicast Address – FF0#:: defines the different types of Multicast, as IPv6 DOES NOT USE BROADCASTS AT ALL(!!!), so the final digit indicates which protocol is being used (which I will not cover here in depth)
- IPv6 Loopback Address – ::1/128
- IPv6 Default Route – ::/0
- Anycast Address – This is configured so that devices can discover each other that are physically the closest and use the matching Anycast addressing format to communicate; there is no real standard address format outside of the node's IPv6 interface address, making this a fairly unique address configuration
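The Hex to Dotted Decimal conversion behind the ::XXXX:XXXX form, worked in Python as an added example (mine, not from the linked article): each octet becomes two hex digits and the octets pair up into two hextets; the reverse direction and a check against the standard library's own parsing are included. The IPv4-mapped ::ffff: form is added as a comparison beyond what the post lists.

```python
import ipaddress
from typing import Tuple

def ipv4_to_hextets(dotted: str) -> Tuple[str, str]:
    """Convert dotted decimal to the two 16-bit hextets that hold it inside an IPv6 address:
    each octet becomes two hex digits, and octets pair up (a.b -> aabb, c.d -> ccdd)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    high = (octets[0] << 8) | octets[1]
    low = (octets[2] << 8) | octets[3]
    return f"{high:04x}", f"{low:04x}"

def ipv4_compatible(dotted: str) -> str:
    """The ::XXXX:XXXX/96 form from the post: 96 zero bits, then the 32-bit IPv4 address."""
    high, low = ipv4_to_hextets(dotted)
    return f"::{high}:{low}"

def ipv4_mapped(dotted: str) -> str:
    """The ::ffff:XXXX:XXXX form (RFC 4291 IPv4-mapped), which is what dual-stack sockets show."""
    high, low = ipv4_to_hextets(dotted)
    return f"::ffff:{high}:{low}"

def embedded_ipv4(v6: str) -> str:
    """Reverse direction: recover the dotted-decimal address from the low 32 bits."""
    low32 = int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low32))

def same_address(v6_text: str, dotted: str) -> bool:
    """Check that a hand-built form equals what the standard library parses for ::a.b.c.d."""
    return ipaddress.IPv6Address(v6_text) == ipaddress.IPv6Address("::" + dotted)
```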
Regarding IPv6 – I do not expect much if any IPv6 addressing on the DEVASC exam.
I think it's enough to know the basic addresses and IPv6 concepts, and that a /128 defines a host address and a /0 defines ANY address (meaning a default route in IPv4 speak); if you are not familiar, I'd use the search function here to go over some of my IPv6 review articles. The ones more recently in my TSHOOT portion are probably the best.
The two “modern” switching methods mentioned specifically in course material:
- Cut-Through mode – The faster of the two “modern” switching methods; it begins forwarding the frame as soon as the destination address in the header is read
- Store-and-Forward mode – This performs the CRC error check; it waits until it receives the entire frame to inspect it for errors before it begins forwarding
I thought this worth noting, as when I think of switch forwarding I think of IP CEF packet / hardware switching as the “modern” and really only type anymore, but in the absence of that option these are apparently the “modern methods” taught for the exam.
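To make the difference between the two modes concrete, here is an added Python example (not from the course material) that builds a minimal Ethernet-style frame with a CRC-32 FCS, then shows that cut-through picks an egress port from the destination MAC alone and forwards a corrupted frame, while store-and-forward verifies the FCS and drops it. The frame layout and MAC table are constructed.

```python
import zlib
from typing import Dict, Optional

MAC_LEN = 6          # destination MAC is the first 6 bytes of the frame
HEADER_LEN = 14      # dst MAC + src MAC + EtherType
FCS_LEN = 4          # frame check sequence (CRC-32) at the end

def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """Constructed minimal Ethernet-style frame: dst | src | type | payload | FCS."""
    body = dst_mac + src_mac + b"\x08\x00" + payload
    return body + zlib.crc32(body).to_bytes(4, "little")  # FCS covers everything before it

def fcs_ok(frame: bytes) -> bool:
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs

def cut_through(frame: bytes, mac_table: Dict[bytes, str]) -> Optional[str]:
    """Pick the egress port as soon as the destination MAC has arrived; the FCS is
    never examined, so a damaged frame is forwarded anyway."""
    if len(frame) < MAC_LEN:
        return None
    return mac_table.get(frame[:MAC_LEN], "flood")

def store_and_forward(frame: bytes, mac_table: Dict[bytes, str]) -> Optional[str]:
    """Buffer the whole frame and verify the FCS before looking up the egress port;
    runts and frames with a bad CRC are dropped here instead of propagated."""
    if len(frame) < HEADER_LEN + FCS_LEN or not fcs_ok(frame):
        return None
    return mac_table.get(frame[:MAC_LEN], "flood")

def flip_bit(frame: bytes, offset: int) -> bytes:
    """Mimic a line error by flipping one bit at the given offset."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)
```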
DHCP Order of Operations:
- Client – DHCP Discover (broadcast)
- Server – DHCP Offer (unicast)
- Client – DHCP Request (broadcast)
- Server – DHCP ACK (unicast)
Client = Broadcast to UDP port 67 (the server port), Server = Unicast to UDP port 68 (the client port)
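The four-step exchange above, modelled in Python as an added example (mine, not from the course): a client state machine that broadcasts DISCOVER and REQUEST to port 67 and only accepts replies on port 68 carrying its own transaction id, and a server that answers with unicast OFFER and ACK. The transaction id and addresses are constructed; a real client would of course use a raw/UDP socket rather than passing objects around.

```python
from dataclasses import dataclass

BROADCAST = "255.255.255.255"
SERVER_PORT, CLIENT_PORT = 67, 68  # client sends to UDP 67, server replies to UDP 68

@dataclass(frozen=True)
class Dhcp:
    msg_type: str  # DISCOVER / OFFER / REQUEST / ACK
    xid: int       # transaction id that ties the four messages together
    dst_ip: str    # broadcast address, or the offered address for unicast replies
    dst_port: int
    yiaddr: str = "0.0.0.0"  # "your" address being offered / confirmed

class DoraClient:
    # DISCOVER (broadcast) -> wait for OFFER -> REQUEST (broadcast) -> wait for ACK
    def __init__(self, xid: int):
        self.xid, self.state, self.lease = xid, "INIT", None
    def discover(self) -> Dhcp:
        self.state = "SELECTING"
        return Dhcp("DISCOVER", self.xid, BROADCAST, SERVER_PORT)
    def handle(self, msg: Dhcp):
        if msg.xid != self.xid or msg.dst_port != CLIENT_PORT:
            return None  # wrong transaction or wrong port: not ours, ignore it
        if self.state == "SELECTING" and msg.msg_type == "OFFER":
            self.state = "REQUESTING"  # REQUEST stays broadcast so every server sees the choice
            return Dhcp("REQUEST", self.xid, BROADCAST, SERVER_PORT, msg.yiaddr)
        if self.state == "REQUESTING" and msg.msg_type == "ACK":
            self.state, self.lease = "BOUND", msg.yiaddr
        return None

def server_handle(msg: Dhcp, offered: str):
    """Server side: answers DISCOVER with a unicast OFFER and a matching REQUEST with a unicast ACK."""
    if msg.dst_port != SERVER_PORT:
        return None
    if msg.msg_type == "DISCOVER":  # unicast to the offered address, delivered via the client MAC
        return Dhcp("OFFER", msg.xid, offered, CLIENT_PORT, offered)
    if msg.msg_type == "REQUEST" and msg.yiaddr == offered:
        return Dhcp("ACK", msg.xid, offered, CLIENT_PORT, offered)
    return None

def run_dora(client: DoraClient, offered: str) -> list:
    """Drive one exchange and return the message types in the order they were sent."""
    trace, msg = [], client.discover()
    while msg is not None:
        trace.append(msg.msg_type)
        msg = server_handle(msg, offered)  # server's turn
        if msg is not None:
            trace.append(msg.msg_type)
            msg = client.handle(msg)       # client's turn
    return trace
```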
DNS (Domain Name System) Server information
DNS Servers contain the following info:
- NS or Name Server records
- Cache to speed up resolution
- Name Resolvers run on clients to use DNS
- Authoritative Name Servers (Authority or Root Resource like in URI)
DNS Servers only provide name resolution within their zone of authority; non-authoritative DNS servers provide resolution from cached information. These requests are held until an appropriate response can be sent back, making them a prime target for DDoS attacks, as they can become overwhelmed with queries if they are attacked / overloaded.
The DNS database stores SOA (Start of Authority) records, IP addresses, SMTP addresses (MX records), PTR or Pointer records for reverse lookup, and CNAME alias records (and is capable of much more, like DHCP and its configuration of ‘options’ for certain phones or other criteria that need to be manually configured and handed out).
NTP uses UDP port 123. NTP clients never synchronize with a device that is not itself synchronized, or that has a higher stratum (lower reliability of correct time) than the client.
There are 3 different NTP Client / Server / Peering models:
- Client / Server – The client depends on the server to provide it time, via occasional polling for time updates made with asynchronous RPCs
- Symmetric Active / Passive – This is a grouping of low-stratum “Peers” that rely on each other to synchronize the whole group's time, with some able to be an “Active” peer that “Passive” peers rely on for time while still holding their own backup time sources in case the Active source fails
- Broadcast / Multicast – This mode is used when it is not mission critical for NTP to be absolutely correct at all times; since routers do not propagate broadcast traffic, this would be a switch per subnet / broadcast domain configured to broadcast or multicast time to all other devices that require it, with no NTP configuration on those devices (other than configuring them to receive NTP traffic)
Authentication should always be used with NTP, as there are numerous rogue client attacks that can impersonate peers / servers / broadcast devices in all of these models.
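The stratum rule and the authentication note above, combined in an added Python example (mine, not from the course): candidate replies are kept only if their classic NTP symmetric-key digest (MD5 over key plus packet, as in RFC 5905) verifies against a known key id, they are synchronized, and their stratum is lower than ours; the lowest stratum among those wins. The key table, packet bytes and server names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

UNSYNCHRONIZED = 16  # a stratum of 16 (0 on the wire) means the source has no valid time

@dataclass(frozen=True)
class NtpReply:
    server: str
    stratum: int
    packet: bytes        # the NTP header bytes (constructed here; real ones are 48 bytes)
    key_id: int = 0
    digest: bytes = b""  # MD5(key || packet), the classic NTP symmetric-key authenticator

def ntp_digest(key: bytes, packet: bytes) -> bytes:
    """Classic NTP symmetric-key authenticator: MD5 over the key followed by the packet."""
    return hashlib.md5(key + packet).digest()

def authenticated(reply: NtpReply, keys: Dict[int, bytes]) -> bool:
    """A reply counts only if it carries a known key id and its digest verifies."""
    key = keys.get(reply.key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_digest(key, reply.packet), reply.digest)

def eligible_sources(my_stratum: int, replies: List[NtpReply], keys: Dict[int, bytes]) -> List[str]:
    """Never follow an unauthenticated or unsynchronized source, nor one whose stratum is not
    lower than ours (a client ends up one stratum below whatever it follows)."""
    return [
        r.server for r in replies
        if authenticated(r, keys)
        and r.stratum not in (0, UNSYNCHRONIZED)
        and r.stratum < my_stratum
    ]

def best_source(my_stratum: int, replies: List[NtpReply], keys: Dict[int, bytes]) -> Optional[str]:
    """Of the eligible sources, prefer the lowest stratum (closest to a reference clock)."""
    ok = set(eligible_sources(my_stratum, replies, keys))
    candidates = [r for r in replies if r.server in ok]
    return min(candidates, key=lambda r: r.stratum).server if candidates else None
```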
One good mnemonic for the DHCP exchange – DORA (Discover / Offer / Request / Ack)
Not sure if that would rear its ugly head on exam day, but I figured I would throw it on here just to have that mnemonic noted in this section.
That touches on the network concepts I saw to brush up on from this week's Network Concepts module for the DEVASC.