Downloadable Official CompTIA Network+ Instructor Guide
CompTIA
Network+
Instructor Guide
(Exam N10-009)
Course Edition: 1.0
Acknowledgments
Notices
Disclaimer
While The Computing Technology Industry Association (“CompTIA”) takes care to ensure the accuracy and quality of these
materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including,
but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The use of screenshots,
photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes
only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of such entity
with CompTIA. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the
“External Sites”). CompTIA is not responsible for the availability of, or the content located on or through, any External Site.
Please contact CompTIA if you have any concerns regarding such links or External Sites.
Trademark Notice
CompTIA®, Network+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the United States and other
countries. All other product and service names used may be common law or registered trademarks of their respective
proprietors.
Copyright Notice
Copyright © 2024 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit help.comptia.org.
LICENSED FOR USE ONLY BY: EXEDIN NOT PROVIDED · 17274861 · OCT 15 2024
Table of Contents
Glossary...........................................................................................................................G-1
Index................................................................................................................................. I-1
About This Course
CompTIA, a not-for-profit trade association, is here to help you get the tech
career you deserve with industry-leading certifications, courses, and expert
knowledge. Today’s job market demands individuals have demonstrable skills,
and the information and activities in this course can help you build your network
administration skill set so that you can confidently perform your duties in any
entry-level network support technician role.
With CompTIA Network+, you can unlock a diverse range of career paths, from
network administration and support to cybersecurity, creating opportunities
for advancement and specialization in the rapidly evolving IT industry. CompTIA
Network+ is a global IT certification validating candidates have the core skills
necessary to establish, maintain, troubleshoot, and secure networks in any
environment, regardless of technology and platform.
This course can prepare you for the CompTIA Network+ (Exam N10-009)
certification examination and a job role in network administration. It utilizes a
learning progression model to help you learn and build skills related to the course
objectives and job task requirements. This learning methodology uses a series of
steps to contextualize what you’re learning, elaborate on areas where additional
instruction is needed, and provide relevance through practice and personalized
feedback. You’ll then apply what you learned and demonstrate the skills you’ve
gained through a series of lab activities and quizzes.
On course completion, you will be able to do the following:
• Deploy and troubleshoot Ethernet networks.
Prerequisites
To ensure your success in this course, you should have basic IT skills comprising
nine to 12 months’ experience. CompTIA A+ certification, or the equivalent
knowledge, is strongly recommended.
The prerequisites for this course might differ significantly from the prerequisites for
the CompTIA certification exams. For the most up-to-date information about the exam
prerequisites, complete the form on this page:
www.comptia.org/training/resources/exam-objectives.
As You Learn
At the top level, this course is divided into modules, each representing an area of
competency within the target job roles. Each lesson is composed of a number of
topics. A lesson contains subjects that are related to a discrete job task, mapped to
objectives and content examples in the CompTIA exam objectives document. Rather
than follow the exam domains and objectives sequence, modules and lessons are
arranged in order of increasing proficiency. Each lesson is intended to be studied
within a short period (typically 30 minutes at most). Each lesson is concluded by one
or more activities, designed to help you to apply your understanding of the study
notes to practical scenarios and tasks.
In addition to the study content in the lessons, there is a glossary of the terms and
concepts used throughout the course. There is also an index to assist in locating
particular terminology, concepts, technologies, and tasks within the lesson and
topic content.
In many electronic versions of the book, you can click links on keywords in the topic
content to move to the associated glossary definition, and on page references in the
index to move to that term in the content. To return to the previous location in the
document after clicking a link, use the appropriate functionality in your eBook viewing
software.
As You Review
Any method of instruction is only as effective as the time and effort you, the
student, are willing to invest in it. In addition, some of the information that you
learn in class may not be important to you immediately, but it may become
important later. For this reason, we encourage you to spend some time reviewing
the content of the course after your time in the classroom.
Following the lesson content, you will find a table mapping the modules and lessons
to the exam domains, objectives, and content examples. You can use this as a
checklist as you prepare to take the exam and to review any content that you are
uncertain about.
As a Reference
The organization and layout of this book make it an easy-to-use resource for future
reference. Guidelines can be used during class and as after-class references when
you're back on the job and need to refresh your understanding. Taking advantage
of the glossary, index, and table of contents, you can use this book as a first source
of definitions, background information, and summaries.
Module 1
Explaining Network Topologies
Module Introduction
Computer networks are complex systems that incorporate multiple functions,
standards, and proprietary technologies. The Open Systems Interconnection
(OSI) model is used to try to simplify some of this complexity. It divides network
technologies among seven functional layers. This makes it easier to separate and
focus on individual concepts and technologies while retaining an understanding of
relationships between functions of technologies placed in other layers.
This module uses the OSI model to give you an overview of the technologies that
you will be studying in the rest of the course. You will compare the functions of
these layers in the OSI model and apply those concepts to the installation and
configuration of a small office/home office network.
You will also learn how to apply a methodology to structure troubleshooting
activity, so that you can diagnose and resolve problems efficiently.
Module Objectives
In this lesson, you will do the following:
• Explain network types and characteristics.
2 | The Official CompTIA Network+ Study Guide (Exam N10-009)
Lesson 1.1
Networking Overview
Network types and topologies determine the scale and flow of data through
a network. Identifying the different topologies is essential to designing or
troubleshooting a network. No matter what your specific role in network
implementation and management, you will need to understand the characteristics
of the network topology you are working with and identify how the topology affects
network design, performance, and troubleshooting.
As you study this lesson, answer the following questions:
• Why is it useful to categorize network types, appliances, applications, functions,
and topologies?
• What do diagrams of point to point, star, and mesh topologies look like?
Networking Concepts
A network is two or more computer systems that are linked by a transmission
medium and share one or more protocols that enable them to exchange data. You
can think of any network in terms of nodes and links. The nodes are devices that
send, receive, and forward data, and the links are the communications pathways
between them.
There are two general kinds of nodes: intermediate nodes and end systems.
Intermediate nodes perform a forwarding function, while end system nodes are
those that send and receive data traffic. End systems are often also referred to as
hosts.
A client-server network is one where some nodes, such as PCs, laptops, and
smartphones, act mostly as clients. The servers are more powerful computers.
Application services and resources are centrally provisioned, managed, and
secured.
A peer-to-peer network is one where each host acts as both client and server. This
is a decentralized model where provision, management, and security of services
and data are distributed around the network. A small peer-to-peer network can also
be referred to as a workgroup.
Business and enterprise networks are typically client-server, while residential
networks are more often peer-to-peer. However, note that in a client-server
network, often, hosts will function as both clients and servers at the same time. For
example, a computer hosting a web application acts as a server to browser clients
but is itself a client of database services running on other server computers. It is the
centrally administered nature of the network that really defines it as client-server.
Network Types
A network type refers primarily to its size and scope. The size of a network can be
measured as the number of nodes, while the scope refers to the area over which
nodes sharing the same network address are distributed.
• Datacenter—A network that hosts only servers and storage, not end user client
devices.
Network Topology
Where the type defines the network scope, the topology describes the physical or
logical structure of the network in terms of nodes and links.
A network’s physical topology describes the placement of nodes and how they are
connected by the transmission media. For example, in one network, nodes might be
directly connected via a single cable; in another network, each node might connect
to a switching appliance via separate cables. These two networks have different
physical topologies.
The logical topology describes the flow of data through the network. For example,
given the different physical network topologies described previously, if in each case
the nodes can send messages to one another, the logical topology is the same.
The different physical implementations—directly connected via a cable versus
connected to the same switch—achieve the same logical layout.
In the simplest type of topology, a single link is established between two nodes. This
is called a point to point link. Because only two devices share the connection, they
are guaranteed a level of bandwidth.
Physical point to point topologies using different media types for half-duplex and
duplex communications.
A point to point link can be a physical or logical topology. For example, on a WAN,
two router appliances might be physically linked via multiple intermediate networks
and physical devices but still share a logical point to point link, where each can
address only the other router. With either a physical or logical topology, it is the 1:1
relationship that defines a point to point link.
Star Topology
In a star topology, each endpoint node is connected to a central forwarding
appliance, such as a switch or router. The central node mediates communications
between the endpoints. The star topology is the most widely used physical
topology. For example, a typical SOHO network is based around a single Internet
router appliance that clients can connect to with a cable or wirelessly. The star
topology is easy to reconfigure and easy to troubleshoot because all data goes
through a central point, which can be used to monitor and manage the network.
Faults are automatically isolated to the media, node (network card), or the switch,
router, or wireless access point at the center of the star.
You may also encounter the hub-and-spoke topology, which has the same physical
layout as a star topology but is primarily used in a different context. While the star
topology is often seen in local area networks (LANs), the hub-and-spoke topology is
more commonly applied to wide area networks (WANs) with remote sites.
Mesh Topology
A mesh topology is commonly used in WANs, especially public networks such as
the Internet. A full mesh network requires that each device has a point to point
link with every other device on the network. This approach is normally impractical,
however. The number of links required by a full mesh is expressed as n(n–1)/2,
where n is the number of nodes. For example, a network of just four nodes would
require six links, while a network of 40 nodes would need 780 links! Consequently, a
hybrid approach is often used, with only the most important devices interconnected
in the mesh, perhaps with extra links for fault tolerance and redundancy. This type
of topology is referred to as a partial mesh.
Lesson 1.2
OSI Model Concepts
Networks are built on common standards and models that describe how devices
and protocols interconnect. In this lesson, you will identify how the implementation
and support of these systems refer to an important common reference model:
the Open Systems Interconnection (OSI) model. The OSI model breaks the data
communication process into discrete layers. Being able to identify the OSI layers
and compare the functions of devices and protocols working at each layer will help
you to implement and troubleshoot networks.
As you study this lesson, answer the following questions:
• Why are protocols important for networking?
Although not all network systems implement layers using this precise structure,
they all implement each task in some way. The OSI model is not a standard or a
specification; it serves as a functional guideline for designing network protocols,
software, and appliances and for troubleshooting networks.
A network will involve the use of many different protocols operating at different
layers of the OSI model. At each layer, for two nodes to communicate they must
be running the same protocol. The protocol running at each layer communicates
with its peer layer on the other node. This communication between nodes at
the same layer is described as a same layer interaction. To transmit or receive a
communication, on each node, each layer provides services for the layer above and
uses the services of the layer below. This is referred to as adjacent layer interaction.
When a message is sent from one node to another, it travels down the stack of
layers on the sending node, reaches the receiving node using the transmission
media, and then passes up the stack on that node. At each level (except the Physical
layer), the sending node adds a header to the data payload, forming a “chunk” of
data called a protocol data unit (PDU). This is the process of encapsulation.
For example, on the sending node, data is generated by an application, such as the
HyperText Transfer Protocol (HTTP), which will include its own application header.
At the Transport layer, a Transmission Control Protocol (TCP) header is added
to this application data. At the Network layer, the TCP segment is wrapped in an
Internet Protocol (IP) header. The IP packet is encapsulated in an Ethernet frame at
the Data Link layer, then the stream of bits making up the frame is transmitted over
the network at the Physical layer as a modulated electrical signal.
The receiving node performs the reverse process, referred to as decapsulation. It
receives the stream of bits arriving at the Physical layer and decodes an Ethernet
frame. It extracts the IP packet from this frame and resolves the information in
the IP header, then does the same for the TCP and Application headers, eventually
extracting the HTTP application data for processing by a software program, such as
a web browser or web server.
You might notice that this example seems to omit some OSI layers. This is because
“real-world” protocols do not conform exactly to the OSI model.
Layer 1 - Physical
The Physical layer (PHY) of the OSI model is defined as layer 1. The Physical layer
is responsible for the transmission and receipt of the signals that represent bits of
data. Transmission media can be classified as cabled or wireless:
• Cabled—A physical signal conductor is provided between two nodes. Examples
include copper or fiber optic cable types. Cabled media can also be described as
bounded media.
• Media converter—A device that converts one media signaling type to another.
The Data Link layer also performs an encapsulation function. It organizes the
stream of bits arriving from the Physical layer into structured units called frames.
Each frame contains a Network layer packet as its payload. The Data Link layer adds
control information to the payload in the form of header fields. These fields include
source and destination hardware addresses, plus a basic error check to test if the
frame was received intact.
Devices that operate at the Data Link layer include the following:
• Network adapter or network interface card (NIC)—A NIC joins an end system
host to network media (cabling or wireless) and enables it to communicate over
the network by assembling and disassembling frames.
• Switch—An advanced type of bridge with many ports. A switch creates links
between large numbers of nodes more efficiently.
• Wireless access point (AP)—An AP allows nodes with wireless network cards to
communicate and creates a bridge between wireless networks and wired ones.
Layer 3 - Network
Layer 3 is the Network layer. This layer is responsible for moving data around
a network of networks, known as an internetwork. While the Data Link layer is
capable of forwarding data by using hardware addresses within a single segment,
the Network layer moves information around an internetwork by using logical
network and host IDs. The networks are often heterogeneous; that is, they use a
variety of Physical layer media and Data Link protocols. The main appliance working
at layer 3 is the router.
The general convention is to describe PDUs packaged at the Network layer as packets
or datagrams and messages packaged at the Data Link layer as frames. Packet is often
used to describe PDUs at any layer, however.
Layer 4 - Transport
The first three layers of the OSI model are primarily concerned with moving frames
and datagrams between nodes and networks. At the Transport layer—also known
as the end-to-end or host-to-host layer—the content of the packets becomes
significant. Any given host on a network will be communicating with many other
hosts using many different types of networking data. One of the functions of the
Transport layer is to identify each type of network application by assigning it a
port number. For example, data requested from an HTTP web application can be
identified as port 80, while data sent to an email server can be identified as port 25.
At the Transport layer, on the sending host, data from the upper layers is packaged
as a series of layer 4 PDUs, referred to as segments. Each segment is tagged with
the application’s port number. The segment is then passed to the Network layer
for delivery. Many different hosts could be transmitting multiple HTTP and email
packets at the same time. These are multiplexed using the port numbers along with
the source and destination network addresses onto the same link.
At the Network and Data Link layers, the port number is ignored—it becomes part
of the data payload and is invisible to the routers and switches that implement
the addressing and forwarding functions of these layers. At the receiving host,
each segment is decapsulated, identified by its port number, and passed to the
relevant handler at the Application layer. Put another way, the traffic stream is
de-multiplexed.
The Transport layer can also implement reliable data delivery mechanisms, should
the application require it. Reliable delivery means that any lost or damaged packets
are resent.
Devices working at the Transport layer include multilayer switches—usually working
as load balancers—and many types of security appliances, such as more advanced
firewalls and intrusion detection systems (IDSs).
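The encapsulation walk-through in Lesson 1.2 (HTTP data wrapped in TCP, IP, and Ethernet headers, then unwrapped on the receiver) and the Transport layer discussion above (port numbers used to multiplex and de-multiplex application data, invisible to switches and routers) can both be seen concretely by building a frame and taking it apart again. The following Python script is an added example, not part of the CompTIA course material: the MAC addresses, the client address 192.168.1.10, the HTTP request text, and the zeroed checksums and sequence numbers are constructed sample values, and `addresses_visible_at` is an illustrative helper showing which header fields a device working at a given layer can act on.

```python
import struct

# Constructed sample values for this example (not taken from the course text):
# locally administered MAC addresses, a LAN client, the router's WAN address
# quoted in Lesson 1.3, and a short HTTP request as the Application data.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.168.1.10"
DST_IP = "203.0.113.1"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Well-known ports named in the text: 80 for HTTP, 25 for email.
PORT_HANDLERS = {80: "http", 25: "email"}


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def encapsulate(app_data, src_port, dst_port):
    """Sending side: Application data -> TCP segment -> IP packet -> Ethernet frame."""
    # Layer 4: 20-byte TCP header. Sequence/ack numbers and the checksum are
    # zeroed (assumption) because only the port fields matter here.
    tcp_header = struct.pack("!HHIIBBHHH",
                             src_port, dst_port, 0, 0,
                             5 << 4,        # data offset: 5 words = 20 bytes
                             0x18,          # flags PSH|ACK
                             65535, 0, 0)   # window, checksum, urgent pointer
    segment = tcp_header + app_data
    # Layer 3: 20-byte IPv4 header (version 4, IHL 5, TTL 64). The header
    # checksum is left at zero; a real stack computes it.
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + len(segment), 0, 0, 64, PROTO_TCP, 0,
                            ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    packet = ip_header + segment
    # Layer 2: Ethernet II header (destination MAC, source MAC, EtherType).
    # The frame check sequence trailer is omitted.
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame):
    """Receiving side: strip the headers one layer at a time, keeping each layer's fields."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP:
        raise ValueError("packet does not carry TCP")
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4            # TCP header length in bytes
    return {
        "data_link": {"dst_mac": mac_to_str(frame[:6]), "src_mac": mac_to_str(frame[6:12])},
        "network": {"src_ip": bytes_to_ip(packet[12:16]), "dst_ip": bytes_to_ip(packet[16:20])},
        "transport": {"src_port": src_port, "dst_port": dst_port},
        "application": segment[data_offset:],
    }


def demultiplex(frame):
    """Hand the decapsulated payload to the Application layer handler chosen by destination port."""
    fields = decapsulate(frame)
    handler = PORT_HANDLERS.get(fields["transport"]["dst_port"], "unknown")
    return handler, fields["application"]


def addresses_visible_at(frame, layer):
    """Illustrative helper: a switch (layer 2) acts on MAC addresses only, a router
    (layer 3) also on IP addresses, and only a layer 4 device such as a firewall
    or load balancer also sees the port numbers."""
    fields = decapsulate(frame)
    visible = dict(fields["data_link"])
    if layer >= 3:
        visible.update(fields["network"])
    if layer >= 4:
        visible.update(fields["transport"])
    return visible


if __name__ == "__main__":
    frame = encapsulate(HTTP_REQUEST, 49152, 80)
    print(len(frame), "bytes on the wire")
    print(demultiplex(frame))
    print("switch sees:", addresses_visible_at(frame, 2))
    print("firewall sees:", addresses_visible_at(frame, 4))
```

Running the script shows the 14 + 20 + 20 byte header stack in front of the HTTP request and that the same frame yields only MAC addresses at layer 2 but ports as well at layer 4, which is why a port-based firewall rule has to be enforced by a Transport layer device rather than by a switch.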
Upper Layers
The upper layers of the OSI model are less clearly associated with distinct real-world
protocols. These layers collect various functions that provide useful interfaces
between software applications and the Transport layer.
Layer 5—Session
Most application protocols require the exchange of multiple messages between
the client and server. This exchange of such a sequence of messages is called a
session or dialog. The Session layer (layer 5) represents functions that administer
the process of establishing a dialog, managing data transfer, and then ending (or
tearing down) the session.
Layer 6—Presentation
The Presentation layer (layer 6) transforms data between the format required
for the network and the format required for the application. For example, the
Presentation layer is used for character set conversion, such as between American
Standard Code for Information Interchange (ASCII) and Unicode.
Layer 7—Application
The Application layer (layer 7) is at the top of the OSI stack. An Application
layer protocol doesn’t encapsulate any other protocols or provide services to any
protocol. Application layer protocols provide an interface for software programs
on network hosts that have established a communications channel through the
lower-level protocols to exchange data.
More widely, upper-layer protocols provide most of the services that make a
network useful, rather than just functional, including web browsing, email and
communications, directory lookup, remote printing, and database services.
Lesson 1.3
SOHO Networks
The OSI model involves quite a lot of abstraction. As a practical example, it is worth
examining how a basic network is implemented. In this topic, you will describe
the connection and configuration options for components within a typical small
office/home office (SOHO) router. You will also explore some of the organizations
responsible for managing the Internet and the various numbering schemes used
for network address notation.
As you study this lesson, answer the following questions:
• What separate functions are packed into a typical SOHO router appliance?
SOHO Routers
Networks of different sizes are classified in different ways. A network in a
single location is often described as a local area network (LAN). This definition
encompasses many different sizes of networks with widely varying functions and
capabilities. It can include both residential networks with a couple of computers and
enterprise networks with hundreds of servers and thousands of workstations.
Small office/home office (SOHO) is a category of LAN with a small number of
computing hosts that typically rely on a single integrated appliance for local and
Internet connectivity.
Networks such as the Internet that are located in different geographic regions but
with shared links are called wide area networks (WANs). The intermediate system
powering SOHO networks is usually described as a SOHO router because one of
its primary functions is to forward traffic between the LAN and the WAN. However,
routing is actually just one of its functions. We can use the OSI model to analyze
each of these in turn.
At this layer, each host interface is identified by a media access control (MAC)
address. For example, each NIC port in the computers and each radio in the mobile
devices has a unique MAC address.
The router runs a Dynamic Host Configuration Protocol (DHCP) server to allocate a
unique address to each host that connects to it over either an Ethernet port or via
the wireless access point. The addresses assigned to clients use the same first three
octets as the router’s address: 192.168.1. The last octet can be any value from
1 to 254, excluding whichever value is used by the router.
The SOHO router’s WAN interface is allocated a public IP address, for example
203.0.113.1, by the Internet service provider. When a host on the local
network tries to access any valid IP address outside the 192.168.1.0/24
range, the router forwards that packet over its WAN interface and directs any
replies back to the host on the LAN.
Configuring the WAN (Internet) interface on a wireless router. These parameters are supplied by
the ISP. Many ISP services use DHCP to allocate a dynamic WAN address, but some offer static
addressing. (Screenshot courtesy of TP-Link Technologies Co., Ltd.)
The Internet
The WAN interface of the router connects the SOHO network to the Internet.
Internet Standards
Although no single organization owns the Internet or its technologies, several
organizations are responsible for the development of the Internet and for the
agreement of common standards and protocols.
• Internet Assigned Numbers Authority (IANA) (iana.org)—Manages allocation
of IP addresses and maintenance of the top-level domain space. IANA is
currently run by Internet Corporation for Assigned Names and Numbers
(ICANN). IANA allocates addresses to regional registries that then allocate them
to local registries or ISPs.
References to RFCs in this course are for your information should you want to read
more. You do not need to learn them for the certification exam.
The OSI model has a stricter definition of the Session, Presentation, and Application
layers than is typical of actual protocols used on networks. The Internet model
(tools.ietf.org/html/rfc1122) uses a simpler four-layer hierarchy, with a Link layer
representing OSI layers 1 and 2, layer 3 referred to as the Internet layer, a Transport
layer mapping approximately to layers 4 and 5, and an Application layer corresponding
to layers 6 and 7.
In decimal (base 10), the value 255 is the sum (2×10×10)+(5×10)+5.
Binary is base 2, so a digit in any given position can only have one of two values (0
or 1), and each place position is the next power of 2. The binary value 11111111 can
be converted to the decimal value 255 by the following sum:
(1×2×2×2×2×2×2×2)+(1×2×2×2×2×2×2)+(1×2×2×2×2×2)+(1×2×2×2×2)+(1×2×2×2)+(1×2×2)+(1×2)+1
As you can see, it takes eight binary digits to represent a decimal value up to 255.
An 8-bit value is called a byte or an octet. While computers process everything
in binary, the values make for very long strings if they have to be written out or
entered into configuration dialogs. An IPv4 address can be expressed as decimal
octets. The four decimal numbers in the SOHO router’s WAN IP address 203.0.113.1
are octets.
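The octet arithmetic above, together with the SOHO router behaviour described earlier in this lesson (DHCP leases with the same first three octets as the router and a last octet from 1 to 254, and forwarding over the WAN interface for any destination outside 192.168.1.0/24), can be worked through in a short script. The following Python code is an added example and is not part of the CompTIA course material. It uses the router addresses the text quotes (192.168.1.1 on the LAN, 203.0.113.1 on the WAN); the client address 192.168.1.10 and the helper names `next_hop` and `dhcp_pool` are constructed for the illustration. It goes slightly beyond the text in that `same_network` accepts any prefix length, not only /24.

```python
# Constructed sample values for this example. The router addresses match the
# ones quoted in the lesson; the client address is an assumed DHCP lease.
ROUTER_LAN_IP = "192.168.1.1"
ROUTER_WAN_IP = "203.0.113.1"
LAN_PREFIX_LEN = 24
CLIENT_IP = "192.168.1.10"

# Powers of 2 for the eight bit positions of an octet, highest place first.
PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_binary(value):
    """Write one decimal octet (0-255) as eight binary digits by taking each
    power of two out of the value from the highest place downward."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    digits = []
    for place in PLACE_VALUES:
        if value >= place:
            digits.append("1")
            value -= place
        else:
            digits.append("0")
    return "".join(digits)


def binary_to_octet(bits):
    """Convert eight binary digits to decimal with the positional sum the text
    uses for 11111111: each digit times its power of two, added together."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected eight binary digits, got {bits!r}")
    return sum(int(digit) * place for digit, place in zip(bits, PLACE_VALUES))


def parse_octets(addr):
    """Split a dotted-decimal IPv4 address into four validated integer octets."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {addr!r}")
    return [int(p) for p in parts]


def ip_to_binary(addr):
    """Dotted-decimal to dotted-binary, showing the 32 bits behind the four octets."""
    return ".".join(octet_to_binary(o) for o in parse_octets(addr))


def ip_to_int(addr):
    """Treat the four octets as one 32-bit number (each octet is a base-256 digit)."""
    value = 0
    for octet in parse_octets(addr):
        value = value * 256 + octet
    return value


def same_network(addr_a, addr_b, prefix_len):
    """True when both addresses share their first prefix_len bits (e.g. a /24)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ip_to_int(addr_a) & mask == ip_to_int(addr_b) & mask


def next_hop(dst_ip, host_ip=CLIENT_IP, router_ip=ROUTER_LAN_IP, prefix_len=LAN_PREFIX_LEN):
    """Where a LAN host sends a packet: directly to a neighbour on its own
    network, or to the router, which forwards it over the WAN interface."""
    if same_network(dst_ip, host_ip, prefix_len):
        return "direct"
    return router_ip


def dhcp_pool(router_ip=ROUTER_LAN_IP):
    """Leases the router's DHCP server can hand out on its /24: the same first
    three octets, last octet 1 to 254, excluding the router's own address."""
    network = ".".join(str(o) for o in parse_octets(router_ip)[:3])
    return [f"{network}.{host}" for host in range(1, 255)
            if f"{network}.{host}" != router_ip]


if __name__ == "__main__":
    print(ROUTER_WAN_IP, "=", ip_to_binary(ROUTER_WAN_IP))
    print("11111111 =", binary_to_octet("11111111"))
    print("to 192.168.1.20:", next_hop("192.168.1.20"))
    print("to", ROUTER_WAN_IP + ":", next_hop(ROUTER_WAN_IP))
    print(len(dhcp_pool()), "assignable leases")
```

The `same_network` check is the decision the text describes in words: the host (or router) masks both addresses down to the network bits and compares them, so 192.168.1.20 is delivered directly while 203.0.113.1 is handed to the router for forwarding.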
Lesson 1.4
Troubleshooting Methodology
Network problems can arise from a variety of sources outside your control. As
a network professional, your users, your managers, and your colleagues will all
look to you to identify and resolve those problems efficiently. To do that, you will
need a strong fundamental understanding of the tools and processes involved
in troubleshooting a network. Being able to resolve problems in these areas is a
crucial skill for keeping your network running smoothly.
Troubleshooting requires a best practice approach to both problem-solving and
customer/client communication. A troubleshooting model provides you with proven
processes on which to base your techniques and approach.
As you study this lesson, answer the following questions:
• What are the advantages of applying a structured methodology to
troubleshooting?
• Gather information.
• Question users.
• Identify symptoms.
4. Establish a plan of action to resolve the problem and identify potential effects.
Gather Information
To start troubleshooting a ticket, identify the location and scope of the problem.
Scope means the area or number of systems affected. This is helpful in two ways.
First, a problem that is small in scope might not be a priority in relation to other
incidents. Secondly, establishing the scope can help to identify the source of the
problem.
If the description in the ticket is unclear or incomplete, to assist with identifying the
precise nature of a problem, consider what indirect sources of information there
may be:
• Check the system documentation, such as installation or maintenance logs, for
useful information.
• Check recent job logs or consult any other technicians who might have worked
on the system recently or might be working on some related issue.
Question Users
You will often need to contact users to establish more facts about the problem. The
basis of getting troubleshooting information from users is asking good questions.
Questions are commonly divided into two types:
• Open questions invite someone to explain in their own words. Examples are:
“What is the problem?” or “What happens when you try to switch the computer
on?” Open questions are good to start with, as they help to avoid making your
own assumptions about what is wrong, and they encourage the user to give you
all the information they can.
• Duplicate the problem on the user’s system or a test system. You will need to
try to follow the same steps as the user. Issues that are transitory or difficult to
reproduce are often the hardest to troubleshoot.
• What has changed since it was last working? The change that caused the
problem may not be obvious. Maybe the window cleaners were in the building,
and one of them tripped over a cable and now the user can’t log in. Maybe
someone has moved the user’s workstation from one end of their desk to
another and plugged the cable into a different port. Check for documented
changes using the system inventory, but if this does not reveal anything, look for
undocumented changes in the local area of the incident.
3. Decide whether the problem is in the NIC adapter or connectors and cabling
(cabling).
4. Test your theory (replace the cable with a known good one).
When you have drilled down like this, the problem should become obvious. Of
course, you could have made the wrong choice at any point, so you must be
prepared to go back and follow a different path.
If you are really unlucky, two (or more) components may be faulty. Another difficulty lies
in assessing whether a component itself is faulty or if it is not working because a related
component is broken.
• The problem falls under a system warranty and would be better dealt with by
the supplier.
• The scope of the problem is very large and/or the solution requires some major
reconfiguration of the network.
When you escalate a problem, you should have established the basic facts, such as
the scope of the problem and its likely cause, and be able to communicate these
clearly to the person to whom you are referring the incident.
If you can prove the cause of the problem, you can start to determine the next
steps to resolve the problem.
A basic technique when you are troubleshooting a cable, connector, or device is to have
a known good duplicate on hand (that is, another copy of the same cable or device that
you know works) and to test by substitution.
• Accept—Not all problems are critical. If neither repair nor replace is
cost-effective, it may be best either to find a workaround or to document the issue
and move on.
When you consider solutions, you must assess the cost and time required. Another
consideration is potential effects on the rest of the system. A typical example
is applying a software patch, which might fix a given problem but cause other
programs not to work. Up-to-date configuration management documentation
and standard operating procedures should help you to understand how different
systems are interconnected and cause you to seek the proper authorization for
your plan.
Virtualization and the cloud provide the means to trial changes before updating the
production environment. They allow the rapid creation of sandbox environments that
simulate the production one.
To fully solve a problem, you should try to eliminate any factors that may cause the
problem to recur. For example, if a user plugs their laptop into the wrong network
jack, ensure that the jacks are clearly labeled to help users in the future. If a faulty
server induces hours of network downtime, consider implementing failover services
to minimize the impact of the next incident.
When you complete a problem log, remember that people other than you
may come to rely on it. Also, logs may be presented to customers as proof of
troubleshooting activity. Write clearly and concisely, checking for spelling and
grammar errors.
Module 1
Summary
You should be able to compare and contrast OSI model layers, encapsulation
concepts, and the CompTIA troubleshooting methodology and apply them
to analyzing and troubleshooting the function of networks and networking
components.
• Use the Data Link layer to plan logical segments to isolate groups of hosts for
performance or security reasons.
• At the Network layer, map Data Link segments to logical network IDs and work
out rules for how hosts in one network should be permitted or denied access to
other networks.
• Use the process of identify, theorize, test, plan, implement, verify, and document
to structure all troubleshooting activity.
Module 2
Supporting Cabling and Physical
Installations
Module Introduction
At the Physical layer, networks are made from different cabling types and their
connectors and transceivers. These establish direct links between nodes in a local
segment. At the Data Link layer, nodes in these segments are given a standard
means of exchanging data as frames.
As they are closely related, networking products often define standards for both the
Physical and Data Link layers. While plenty of products have been used in the past,
many cabled networks are now based on the Ethernet standards. Understanding
the options and specifications for Ethernet is essential to building and supporting
networks of all sizes.
In this module, you will summarize standards for deploying Ethernet over copper
and fiber optic media types and identify the tools and techniques required to
deploy and troubleshoot Ethernet cabling.
Module Objectives
In this module, you will do the following:
• Summarize Ethernet standards.
Lesson 2.1
Ethernet
In this lesson, you will identify the components used in an Ethernet network
implementation. A standard provides detailed specifications for Physical layer
media and interfaces. The Ethernet standard dominates the wired LAN product
market. Large and small networks use Ethernet technology to provide both
backbone and end user services. Due to the wide deployment of Ethernet today,
you will undoubtedly be required to manage and troubleshoot Ethernet networks.
As you study this lesson, answer the following questions:
• What cable topologies and appliances support the creation of an Ethernet
network?
• How can I identify what cable speed is specified by a given Ethernet standard?
Ethernet Standards
Over the years, many protocols, standards, and products have been developed to
implement the functions of the Physical and Data Link layers of the OSI model. A
standard must define cable and connector specifications and define schemes for
modulation and encoding.
The Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet
standards (ieee802.org/3) are very widely used on both LANs and WANs. Ethernet
standards provide assurance that network cabling will meet the bandwidth
requirements of applications. These Ethernet media specifications are named using
a three-part convention, which is often referred to as xBASE-y. This describes the
following:
• The speed or bit rate in megabits per second (Mbps) or gigabits per second
(Gbps).
• The signal mode (baseband or broadband). All mainstream types of Ethernet use
baseband transmissions, so you will only see specifications of the form xBASE-y.
To support compatibility with hosts still equipped with 10 Mbps Ethernet interfaces,
Fast Ethernet introduced an autonegotiation protocol to allow a host to choose the
highest supported connection parameters (10 or 100 Mbps and half- or full-duplex).
10BASE-T Ethernet specifies that a node should transmit regular electrical pulses
when it is not transmitting data to confirm the viability of the link. Fast Ethernet
codes a 16-bit data packet into this signal, advertising its service capabilities. This
is called a Fast Link Pulse. A node that does not support autonegotiation can be
detected by one that does and sent ordinary link integrity test signals, or Normal
Link Pulses.
Fast Ethernet would not be deployed on new networks, but you may need to
maintain it in legacy installations.
10/40 GbE Ethernet is not deployed in many access networks, as the cost of 10/40
GbE compatible network adapters and switch transceiver modules is high. It might
be used where a company’s business requires very high-bandwidth data transfers,
such as TV and film production. It is also widely used as backbone cabling, where
it supports high-bandwidth links between switches and routers, or between
appliances in a datacenter.
Specification   Optics     Cable               Maximum Distance          Connectors
100BASE-FX      1300 nm    MMF (OM1)           4 km (2.48 miles)         ST, SC, MT-RJ
100BASE-SX      850 nm     MMF (OM1)           300 meters (984 feet)     ST, SC, LC
                           MMF (OM2)
1000BASE-SX     850 nm     MMF (OM1)           275 meters (902 feet)     ST, SC, LC, MT-RJ
                           MMF (OM2)           550 meters (1804 feet)
                           MMF (OM3)
1000BASE-LX     1,300 nm   MMF (OM1/OM2/OM3)   550 meters (1,804 feet)   SC, LC
                1,310 nm   SMF (OS1/OS2)       5 km (3.1 miles)
10GBASE-SR      850 nm     MMF (OM1)           33 meters (108 feet)      SC, LC
                           MMF (OM2)           82 meters (269 feet)
                           MMF (OM3)           300 meters (984 feet)
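The xBASE-y naming convention and the fiber distance limits above, as an added example that is not part of the study guide: it splits a media name into bit rate, signal mode, and media designator, then checks a planned cable run against the maximum distance for that specification and fiber grade. The FIBER_LIMITS_M table is transcribed from the table above, with kilometer entries converted to meters.

```python
import re

# Added example, not from the CompTIA study guide. Maximum distances in
# meters, transcribed from the fiber Ethernet table above; the cable is
# the OM/OS fiber grade. Kilometer entries are converted to meters.
FIBER_LIMITS_M = {
    ("100BASE-FX", "OM1"): 4000,
    ("100BASE-SX", "OM1"): 300,
    ("100BASE-SX", "OM2"): 300,
    ("1000BASE-SX", "OM1"): 275,
    ("1000BASE-SX", "OM2"): 550,
    ("1000BASE-SX", "OM3"): 550,
    ("1000BASE-LX", "OM1"): 550,
    ("1000BASE-LX", "OM2"): 550,
    ("1000BASE-LX", "OM3"): 550,
    ("1000BASE-LX", "OS1"): 5000,
    ("1000BASE-LX", "OS2"): 5000,
    ("10GBASE-SR", "OM1"): 33,
    ("10GBASE-SR", "OM2"): 82,
    ("10GBASE-SR", "OM3"): 300,
}

# xBASE-y: x is the bit rate (Mbps, or Gbps when followed by G), BASE is
# the baseband signal mode, and y is the media designator after the hyphen.
SPEC_RE = re.compile(r"^(?P<rate>\d+)(?P<giga>G?)BASE-(?P<media>[A-Z0-9]+)$")


def parse_spec(name: str) -> dict:
    """Split an IEEE 802.3 media name into its three parts."""
    match = SPEC_RE.match(name.strip().upper())
    if match is None:
        raise ValueError(f"not an xBASE-y name: {name!r}")
    rate = int(match["rate"])
    return {
        "mbps": rate * 1000 if match["giga"] else rate,
        "signal": "baseband",
        "media": match["media"],
    }


def check_link(spec: str, cable: str, length_m: float) -> tuple:
    """Return (within_limit, limit_m) for a planned run of length_m."""
    parse_spec(spec)  # reject malformed names before the table lookup
    key = (spec.strip().upper(), cable.strip().upper())
    if key not in FIBER_LIMITS_M:
        raise ValueError(f"no table entry for {key[0]} over {key[1]}")
    limit = FIBER_LIMITS_M[key]
    return length_m <= limit, limit


if __name__ == "__main__":
    # Constructed planning cases: a 150 m OM2 run at 10 GbE is too long;
    # a 3 km single-mode run at 1 GbE is within its 5 km limit.
    for spec, cable, length in [("10GBASE-SR", "OM2", 150),
                                ("1000BASE-LX", "OS2", 3000)]:
        ok, limit = check_link(spec, cable, length)
        verdict = "OK" if ok else "too long"
        print(f"{spec} over {cable} at {length} m: {verdict} (max {limit} m)")
```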
Lesson 2.2
Copper Cables and Connectors
Copper wire twisted pair cabling is the most popular choice for access networks in
offices. You are likely to work with this network media daily as part of your duties as
a network professional. Understanding the characteristics of twisted pair will enable
you to properly install and service your networks.
As you study this lesson, answer the following questions:
• Why are wires twisted together in twisted pair cables?
• How can you tell the difference between RJ11 and RJ45 connectors?
Twisted pair cable—Each color-coded pair is twisted at a different rate to reduce interference.
(Image by Thuansak Srilao © 123RF.com.)
The pairs are twisted at different rates to reduce external interference and
crosstalk. Crosstalk is a phenomenon whereby one pair causes interference in
another as a result of their proximity.
Twisted pair can use either solid or stranded conductor wires. Solid cabling uses
a single thick wire per conductor and is used for cables that run behind walls or
through ducts. Stranded cabling uses thin filament wires wrapped around one
another and is used to make flexible patch cords for connecting computers to wall
ports and switch ports to patch panel ports. Copper wire thickness is measured
using American Wire Gauge (AWG). Increasing AWG numbers represent thinner
wire. Solid cable uses thicker 22 to 24 AWG, while the stranded cable used for patch
cords is often 26 AWG. The attenuation of stranded wire is higher than solid wire, so
it should not be used for cables over 5 m in length.
Most twisted pair cable used in office networks is unshielded twisted pair (UTP).
Modern buildings are often flood wired using UTP cabling. This involves cables
being laid to every location in the building that may need to support a telephone or
computer.
• Fully shielded cabling has a braided outer screen and foil-shielded pairs and is
referred to as shielded/foiled twisted pair (S/FTP). There are also variants with a
foil outer shield (F/FTP).
Legacy STP cable could be complex to install, as it required bonding each element
to ground manually, but modern F/UTP and S/FTP solutions with appropriate cable,
connectors, and patch panels reduce this complexity by incorporating bonding
within the design of each element.
RJ45 Connectors
RJ45 connectors are used with 4-pair copper cables. The connectors are also
referred to as 8P8C, standing for 8-position/8-contact. This means that all eight
“potential” wire positions are supplied with contacts, so that they can all carry
signals if needed. RJ45 is used for Ethernet twisted pair cabling.
RJ45 plugs have a plastic retaining clip. This is normally protected by a rubber boot. This
type of cable construction is also referred to as snagless.
There are also GG45 and TERA connectors, associated with ISO Class F and Class II
cabling. GG45 has a similar form factor to RJ45 but has four conductors in the corners.
TERA connectors have a completely different form factor.
RJ11 Connectors
The smaller RJ11 connector is used with 2-pair copper cable. An RJ11 connector
can support six positions, but only the center two contacts are wired (6P2C). In a
telephone system, this pair carries the dial tone and voice circuit. These are also
called the Tip and Ring wires after the way older phone plugs were wired. The other
pair is usually unused but can be deployed for a secondary circuit. RJ11 connectors
are used for telephone systems and to connect analog data modems to a phone
jack.
Other six-position connectors have the same physical form factor but are wired to use
more pairs. RJ14 is 6P4C, and RJ25 is 6P6C.
You can use plenum-rated cables in place of riser-rated cables, but never use riser-rated
cables in place of plenum-rated cables. Both of these typically include a rope or filament
that helps support their weight when they're installed vertically.
Coax cables are categorized using Radio Grade (RG) designations, which represent
the thickness of the core conductor and the cable’s characteristic impedance. RG6 is
18 AWG cable with 75 ohm impedance typically used as drop cable for Cable Access
TV (CATV) and broadband cable modems. Thinner, more flexible RG59 cable is used
for audio/video and closed-circuit television (CCTV). For these applications, coax can
be terminated using either a Bayonet Neill-Concelman (BNC) connector or an
F-type connector. BNC uses a twist-and-lock mechanism, while F-connectors are
secured by screwing them into place.
Twinaxial (or twinax) is similar to coax but contains two inner conductors. Twinax
is used for datacenter interconnects working at 10 GbE (unofficially referred to as
10GBASE-CR) and 40 GbE (40GBASE-CR4). The maximum distance is up to about
5 meters for passive cable types and 10 meters for active cable types. Twinax for
10/40 GbE is terminated using Direct Attach Copper (DAC) transceivers. These
transceivers can be installed as modules in switch, router, and server appliances.
Direct Attach Copper (DAC) twinax cabling with SFP+ termination. (Image created by Labsy and
reproduced under the Creative Commons Attribution ShareAlike 4.0 license.)
Lesson 2.3
Wiring Implementation
• When should you use stranded core twisted pair cable instead of solid core
twisted pair?
• When you use a punch down tool, which way should the blade be facing?
Smaller facilities might not require IDFs. If distance limitations are not exceeded, wall
ports can be terminated directly to a single main distribution frame.
In T568A, the green pairs are wired to pins 1 and 2, and the orange pairs are wired
to pins 3 and 6. In T568B, these pairs swap places, so orange is terminated to pins 1
and 2 and green to 3 and 6. Organizations should try to avoid using a mixture of the
two standards. T568A is mandated by the residential cabling standard (TIA 570), but
T568B is probably the more widely deployed of the two.
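The T568A/T568B pin assignments above, as an added example that is not part of the study guide: it checks a termination against both standards, lists the pins that are out of order, and classifies a cable from its two ends. Pins 1, 2, 3 and 6 follow the text; the blue pair on pins 4/5 and the brown pair on pins 7/8, identical in both standards, are assumed here because the text does not list them, and the classification of a mixed A/B cable as a crossover cable is a known property of the standards rather than something the text states.

```python
# Added example, not from the CompTIA study guide. Pins 1, 2, 3 and 6 follow
# the text; the blue pair on pins 4/5 and brown pair on 7/8 are the same in
# both standards and are assumed here, as the text does not list them.
T568A = ("white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown")
T568B = ("white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown")
STANDARDS = {"T568A": T568A, "T568B": T568B}


def mismatched_pins(wires, standard: str) -> list:
    """Pin numbers (1-8) where a termination departs from the named standard."""
    reference = STANDARDS[standard]
    if len(wires) != 8:
        raise ValueError("an 8P8C plug has exactly eight positions")
    norm = [w.strip().lower() for w in wires]
    return [pin for pin, (got, want) in enumerate(zip(norm, reference), start=1)
            if got != want]


def identify_end(wires):
    """'T568A', 'T568B', or None when the wiring matches neither standard."""
    for name in STANDARDS:
        if not mismatched_pins(wires, name):
            return name
    return None


def classify_cable(end1, end2) -> str:
    """Same standard at both ends is straight-through; one end of each
    standard is a crossover cable; anything else is miswired."""
    a, b = identify_end(end1), identify_end(end2)
    if a is None or b is None:
        return "miswired"
    if a == b:
        return f"straight-through ({a})"
    return "crossover (T568A/T568B mixed)"


if __name__ == "__main__":
    # Constructed sample: a T568B plug with the orange pair reversed.
    bad_end = list(T568B)
    bad_end[0], bad_end[1] = bad_end[1], bad_end[0]
    print("pins out of order:", mismatched_pins(bad_end, "T568B"))
    print(classify_cable(T568B, T568B))
    print(classify_cable(T568A, T568B))
    print(classify_cable(bad_end, T568B))
```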
Cat 7 and Cat 8 are so sensitive to noise that the secondary wire in each pair is solid
white with no stripe, as the coloring process reduces the effectiveness of the insulation.
Patch Panels
Cable management techniques and tools ensure that cabling is reliable and easy to
maintain. Structured copper wiring runs from a wall port in the user’s work area to
some type of distribution frame in the network closet. At both ends, it is terminated
at a punch down block with insulation-displacement connection (IDC) terminals.
An IDC contains contacts that cut the insulation from a wire and hold it in place.
This design allows large numbers of cables to be terminated within a small space.
In data networks, numerous moves, adds, and changes (MACs) would require
re-terminating the wiring. To simplify MACs, a distribution frame is normally
implemented as a patch panel. This has punch down blocks on one side and
pre-terminated RJ45 modular ports on the other. This allows incoming and outgoing
connections to be reconfigured by changing the patch cable connections, which is
much simpler than re-terminating punch down blocks.
The structured cabling running from the work area or forming a backbone is
terminated at the back of the patch panel on the IDCs, using either T568A or T568B
wiring order. An RJ45 patch cord is used to connect the port to another network
port, typically a switch port housed in the same rack. This greatly simplifies wiring
connections and is the most commonly installed type of wiring distribution where
connections need to be changed often.
Patch panel with pre-wired RJ45 ports. (Image by Svetlana Kurochkina © 123RF.com.)
Fixed cable is terminated using a punch down tool. This tool fixes conductors into
an IDC. There are different IDC formats (66, 110, BIX, and Krone), and these require
different blades. Many punch down tools have replaceable blades, though. Blades
are double sided; one side pushes the wire into the terminal while the other side
cuts the excess. Make sure the blade marked “cut” is oriented correctly to cut the
excess wire.
Alternatively, a block tool terminates a group of connectors in one action. For a 110
format panel, a four-position block is suitable for terminating 4-pair data cabling.
A patch cord is created using a cable crimper. This tool fixes a plug to a cable.
The tools are specific to the type of connector and cable, though some may have
modular dies to support a range of RJ-type plugs.
For shielded and screened cable, termination must be made to shielded IDCs or
modular plugs. On an IDC, a metal clip placed over the exposed foil or braided
shield bonds the cable to the housing. A shielded modular plug has a metal housing
and is not terminated using a standard crimper. There are several different designs,
but all follow the principle of connecting the cable shield to a bonding strip.
Lesson 2.4
Fiber Optic Cables and Connectors
Fiber optic media can support higher bandwidths over longer distances than
copper wire. These advantages make it a popular choice for long-distance
telecommunications networks and for reliable, high-speed networking within
datacenters. Understanding the characteristics of fiber optic media will help you to
support existing installations and upgrades.
As you study this lesson, answer the following questions:
• What advantages do fiber optic cables offer over copper cables?
• What are the different fiber connector types, and what are their typical uses?
• Cladding reflects signals back into the waveguide as efficiently as possible. The
core and cladding can be made from glass or plastic. The cladding is applied as a
thin layer surrounding the core. While made of the same material, the cladding
has a different refractive index than the core. The effect of this is to create a
boundary that causes the light to bounce back into the core, facilitating the
process of total internal reflection that guides the light signal through the core.
In basic operation modes, each fiber optic strand can only transfer light in a single
direction at a time. Therefore, multiple fibers are often bundled within a cable to
allow simultaneous transmission and reception of signals or to provide links for
multiple applications.
There are many different outer jacket designs and materials suited for different
installations (indoor/plenum, outdoor, underground, undersea, and so on). Kevlar
(Aramid) strands and sometimes fiberglass rods (strength members) are often used
to protect the fibers from excessive bending or kinking when “pulling” the cable to
install it. For exposed outdoor applications, a steel shield (armor) may be added to
deter rodents from gnawing the cable.
• Multimode Fiber (MMF) has a larger core (62.5 or 50 microns) and shorter
wavelength light (850 nm or 1,300 nm) transmitted in multiple waves of varying
length. MMF uses less expensive optics and consequently is less expensive to
deploy than SMF. However, it does not support such high signaling speeds or
long distances as single mode and so is more suitable for LANs than WANs.
Optical transceivers for SMF are now only slightly more expensive than ones for MMF.
Consequently, SMF is often used for short-range applications in datacenters, as well as
for long-distance links. SMF still comes at a slight price premium, but it provides better
support for 40 Gbps and 100 Gbps Ethernet standards.
Straight Tip
Straight Tip (ST) is an early bayonet-style connector that uses a push-and-twist
locking mechanism. ST was used mostly for multimode networks, but it is not widely
used for Ethernet installations anymore.
Subscriber Connector
The Subscriber Connector (SC) is a push/pull design, allowing for simple insertion
and removal. It can be used for single- or multimode. It is commonly used for
Gigabit Ethernet.
Local Connector
The Local Connector (LC) (also referred to as Lucent Connector) is a small-form-factor
connector with a tabbed push/pull design. LC is similar to SC, but the smaller
size allows for higher port density. LC is a widely adopted form factor for Gigabit
Ethernet and 10/40 GbE.
Patch cord with duplex SC format connectors (left) and LC connectors (right).
(Image by YANAWUT SUNTORNKIJ © 123RF.com.)
Most connectors are keyed to prevent incorrect insertion, but if in doubt, an optical
power meter can be used to determine whether an optical signal is being received
from a particular fiber.
Transmitted optical signals are visible as bright white spots when viewed through a
smartphone camera. This can be used to identify which adapter on an optical interface
is transmitting and which fiber patch cord is receiving a signal from the other end of the
cable.
Finishing Type
The core of a fiber optic connector is a ceramic or plastic ferrule that holds the glass
strand and ensures continuous reception of the light signals. The tip of the ferrule
can be finished in several formats. The two most popular are:
• Ultra Physical Contact (UPC)—The faces of the connector and fiber tip are
polished so that they curve slightly and fit together better.
• Angled Physical Contact (APC)—The faces are angled for an even tighter
connection. APC cannot be mixed with PC or UPC.
It is important to match the finishing type when you are selecting a connector type.
APC finishing is often not supported by the patch panels, transceivers, and switch
ports designed for Ethernet.
Also, by convention, cable jackets and connectors use the following color-coding:
Where there are multiple strands within a single cable, the strands are color-coded
(TIA/EIA 598) to differentiate them.
Lesson 2.5
Physical Installation Factors
Cabling is only one part of physical installation. There are also important
considerations around installing switches, routers, access points, and servers within
a site. Power, temperature, humidity, and fire risks can all adversely affect the
reliability of network services. There are also security and access control factors
to account for. While you might not be responsible for site design at this stage in
your career, you should be able to explain the importance of these factors when
performing maintenance and upgrades.
As you study this lesson, answer the following questions:
• How do rack systems ensure density and security?
• What are the risks from environmental factors, and how can they be controlled?
Rack Systems
Networking equipment should be installed within secure areas. Within a building,
these can be referred to as telecommunications closets, equipment rooms,
or server rooms. A whole facility dedicated to provisioning servers is called
a datacenter. All these spaces should be dedicated to appliance and server
installation and not used for other kinds of storage. They need physical access
controls so that only authorized persons are allowed entry.
Within a telecommunications closet, server room, or datacenter, equipment is
installed in racks. A rack is a specially configured steel shelving system designed
for standard-size equipment. Using a rack allows equipment to be stored more
securely and compactly than ordinary desks or shelving would allow for. The
concept of installing more computing appliances in a smaller space is referred to as
density.
Network appliances and server hardware designed for rack-mounting are EIA
standard 19" / 48.26 cm width. Each appliance can be screwed into the rack directly.
Nonstandard components, such as a tower server or monitor, can be installed on
shelves.
A server rack is a compact and secure installation option for servers and networking appliances.
Rack height is measured in “U” units of 1.75" / 4.45 cm. Racks are sold in heights
from 8U to 48U. Rack-compatible equipment is designed with a vertical height
quoted in U so you can plan exactly how much vertical space you require.
Most racks are designed to be freestanding, though smaller wall-mounted cabinet
units are also available. Freestanding racks can be bolted together in rows. There
should be about 3 feet (1 meter) of aisle clearance for service access and airflow.
Multiple rows should be placed back-to-back, not front-to-back, to maximize cooling.
This is referred to as a hot aisle/cold aisle layout.
Rack-mounted appliances are usually designed with intake fans on the front to draw
in cool air and exhaust fans on the back to expel warm air. Some switch models can
be configured between port-side exhaust, where hot air is expelled on the same
side as the port interfaces, and port-side intake. Port-side intake allows a switch to
be installed with ports facing the front of the rack, which might be better for some
cable management scenarios.
A hot aisle/cold aisle layout ensures that hot air expelled from exhaust vents does not
contaminate cool air drawn in through intake vents.
Side panels and blanking plates should cover unused rack slots to improve
airflow. Each rack can be installed with lockable doors (front and rear) to prevent
unauthorized access to the equipment.
CPUID’s HWMONITOR app can report temperatures from sensors installed on PC components.
(Screenshot used by permission of CPUID.)
Power Management
All types of network appliances require a stable power supply to operate.
Electrical events, such as voltage spikes or surges, can crash computers, switches,
and routers, while loss of power from under-voltage events or power failures
will cause equipment to fail. An under-voltage event is where the voltage drops
briefly, while a power failure is a complete loss of power lasting seconds or more.
Power management means deploying systems to ensure that equipment is
protected against these events and that network operations can either continue
uninterrupted or be recovered quickly.
If the circuits were 120 VAC, the amperage would be double. This is why equipment
room and datacenter facilities tend to use high-voltage circuits.
Fire Suppression
Health and safety legislation dictates what mechanisms an organization must put
in place to detect and suppress fires. Some basic elements of fire safety include the
following:
• Well-marked fire exits and an emergency evacuation procedure that is tested
and practiced regularly.
• Building design that does not allow fire to spread quickly, by separating different
areas with fire-resistant walls and doors.
Fire suppression systems work on the basis of the fire triangle. The fire triangle
works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn.
Removing any one of those elements provides fire suppression (and prevention).
In the United States (and most other countries), fires are divided by class under the
NFPA (National Fire Protection Association) system, according to the combustible
material that fuels the fire. Portable fire extinguishers come in several different
types, with each type being designed for fighting a particular class of fire. Notably,
Class C extinguishers use gas-based extinguishing and can be used where the risk
of electric shock makes other types unsuitable.
Premises may also be fitted with an overhead sprinkler system. Wet-pipe sprinklers
work automatically, are triggered by heat, and discharge water. Wet-pipe systems
constantly hold water at high pressure, so there is some risk of burst pipes and
accidental triggering, as well as the damage that would be caused in the event of
an actual fire. There are several alternatives to wet-pipe systems that can minimize
damage that may be caused by water flooding the room:
• Dry-pipe—These are used in areas where freezing is possible; water only enters
this part of the system if sprinklers elsewhere are triggered.
Lesson 2.6
Cable Troubleshooting
• Which tools can you use to diagnose issues with copper and fiber optic cable and
connectors?
• What is the difference between a regular cable tester and a cable certifier?
• Which tool would you use to find the end of a specific cable within a wiring
closet?
Throughput is typically measured at the Network or Transport layer. The term
“goodput” is often used for an averaged data transfer rate measured at the Application
layer, which takes account of the effect of packet loss. Throughput is also sometimes
measured in packets per second.
As well as bandwidth or throughput and packet loss, the speed at which packets
are delivered is also an important network performance characteristic. Speed is
measured as a unit of time—typically milliseconds (ms)—and is also referred to as
latency, or delay.
The term “speed” is also used to describe how well or badly a link is performing in terms
of throughput, but be aware of the distinction between bit rate and latency.
Cable Issues
When troubleshooting cable connectivity, you are focusing on issues at the Physical
layer. At layer 1, a typical Ethernet link for an office workstation includes the
following components:
• Network transceiver in the host (end system).
• Structured cable between the wall port and a patch panel (the permanent link).
• Patch cable between the patch panel port and a switch port.
The entire cable path (patch cords plus permanent link) is referred to as a channel
link.
Assuming you are investigating link failure (complete loss of connectivity), the first
step is to check that the patch cords are properly terminated and connected to the
network ports. If you suspect a fault, substitute the patch cord with a known good
cable.
If you cannot isolate the problem to the patch cords, test the transceivers. You can
use a loopback tool to test for a bad port.
If you don't have a loopback tool available, another approach is to substitute known
working hosts (connect a different computer to the link or swap ports at the switch). This
approach may have adverse impacts on the rest of the network, however, and issues
such as port security may make it an unreliable method.
If you can discount faulty patch cords and bad network ports/NICs, you will need
to use tools to test the structured cabling. The solution may involve installing a
new permanent link, but there could also be a termination or external interference
problem.
When evaluating whether a cable category is suitable for a given use in the network,
consider the following factors:
• Cat 5e supports Gigabit Ethernet and could still be an acceptable choice for
providing network links for workstations, but most new installations and
upgrades would now use Cat 6 or better.
Unlike Ethernet and Fast Ethernet, Gigabit Ethernet uses all four pairs for transmission
and is thus more sensitive to crosstalk between the wire pairs.
Cabling is not the only part of the wiring system that must be rated to the appropriate
category. For Gigabit Ethernet and better, the performance of connectors becomes
increasingly critical. For example, if you are installing Cat 6A wiring, you must also
install Cat 6A patch panels, wall plates, and connectors.
• Cat 8 is intended for use in datacenters only for short patch cable runs that
make top-of-rack connections between adjacent appliances. ISO defines two
variants: 8.1 (Class I) is equivalent to TIA/EIA Cat 8 and uses RJ45 connectors,
while 8.2 (Class II) must use outer shielding or screening and GG45 or TERA
connectors.
From a safety point of view, you must also ensure that the cable jacket type is
suitable for the installation location, such as using plenum-rated cable in plenum
spaces and plenum- or riser-rated cable in riser spaces.
Cable Testers
If the cable is not accessible, cable testing tools can also be used to diagnose
intermittent connectivity or poor performance issues. A cable tester reports
detailed information on the physical and electrical properties of the cable. For
example, it can test and report on cable conditions, crosstalk, attenuation, noise,
resistance, and other characteristics of a cable run. Devices classed as certifiers
can be used to test and certify cable installations to a performance category—for
example, that a network is TIA/EIA 568 Category 6A compliant. They use defined
transport performance specifications to ensure an installation exceeds the required
performance characteristics for parameters such as attenuation and crosstalk.
Cable testing tools can be used for troubleshooting and verification. It is best to verify
wiring installation and termination just after you have made all the connections. This
means you should still have access to the cable runs. Identifying and correcting errors at
this point will be much simpler than when you are trying to set up end user devices.
• Short—Two conductors are joined at some point, usually because the wire
insulation is damaged or a connector is poorly wired.
• Crossed pair (TX/RX transposed)—The conductors from one pair have been
connected to pins belonging to a different pair (for example, from pins 3 and
6 to pins 1 and 2). This may be done deliberately to create a crossover cable,
but such a cable would not be used to link a host to a switch.
Another potential cable wiring fault is a split pair. This is where both ends of a single
wire in one pair are wired to terminals belonging to a different pair. This type of
fault can only be detected by a cable tester that measures crosstalk.
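The following added example (not from the CompTIA guide) models a four-pair link so you can see why a basic wiremap catches opens, shorts, and crossed pairs but passes a split-pair cable; the pair labels A-D and the sample cables are constructed, with the pair label standing in for the twist information a crosstalk-measuring tester infers electrically.

```python
"""Wiremap versus split-pair testing on a four-pair copper link.

Added example, not from the CompTIA guide. Each conductor is modelled as
(twisted_pair, pin_at_end_A, pin_at_end_B) with pins 1-8; None marks an
unterminated conductor (an open). Pair labels A-D are constructed. The
T568 standards pair pins 1-2, 3-6, 4-5 and 7-8.
"""
from collections import Counter

PAIR_PINS = [(1, 2), (3, 6), (4, 5), (7, 8)]


def wiremap(conductors):
    """Continuity check as a basic cable tester reports it.

    Finds opens, shorts (two conductors landing on one pin) and pins that
    do not map straight through, which is how a crossed/transposed pair
    shows up. Returns a sorted list of fault descriptions.
    """
    faults = []
    for pair, pin_a, pin_b in conductors:
        if pin_a is None or pin_b is None:
            faults.append(f"open on pair {pair}")
        elif pin_a != pin_b:
            faults.append(f"pin {pin_a} at A wired to pin {pin_b} at B")
    for end, index in (("A", 1), ("B", 2)):
        counts = Counter(c[index] for c in conductors if c[index] is not None)
        for pin, n in counts.items():
            if n > 1:
                faults.append(f"short: {n} conductors on pin {pin} at end {end}")
    return sorted(faults)


def split_pairs(conductors):
    """Report pin pairs whose two conductors ride on different twisted pairs.

    A wiremap passes such a cable because every pin still maps straight
    through; only a tester that measures crosstalk (NEXT) can detect the
    lost twist balance. Here the pair label stands in for that measurement.
    """
    pair_of_pin = {pin_a: pair for pair, pin_a, pin_b in conductors
                   if pin_a is not None and pin_a == pin_b}
    return [(a, b) for a, b in PAIR_PINS
            if a in pair_of_pin and b in pair_of_pin
            and pair_of_pin[a] != pair_of_pin[b]]


# Constructed sample cables.
GOOD = [("A", 1, 1), ("A", 2, 2), ("B", 3, 3), ("B", 6, 6),
        ("C", 4, 4), ("C", 5, 5), ("D", 7, 7), ("D", 8, 8)]
# Pairs A and B land on each other's pins at end B: a crossed pair.
CROSSED = [("A", 1, 3), ("A", 2, 6), ("B", 3, 1), ("B", 6, 2),
           ("C", 4, 4), ("C", 5, 5), ("D", 7, 7), ("D", 8, 8)]
# Pin 2 and pin 3 punched down on each other's twisted pair at both ends.
SPLIT = [("A", 1, 1), ("A", 3, 3), ("B", 2, 2), ("B", 6, 6),
         ("C", 4, 4), ("C", 5, 5), ("D", 7, 7), ("D", 8, 8)]
# One conductor of pair A not terminated at end B.
OPEN = [("A", 1, 1), ("A", 2, None), ("B", 3, 3), ("B", 6, 6),
        ("C", 4, 4), ("C", 5, 5), ("D", 7, 7), ("D", 8, 8)]

if __name__ == "__main__":
    for name, cable in (("good", GOOD), ("crossed", CROSSED),
                        ("split", SPLIT), ("open", OPEN)):
        print(name, "wiremap:", wiremap(cable) or "pass",
              "| split pairs:", split_pairs(cable) or "none")
```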
A network tone generator (or toner) and probe are used to trace a cable from one
end to the other. This may be necessary when the cables are bundled and have
not been labeled properly. This device is also known as a Fox and Hound. The tone
generator is used to apply a signal on the cable to be traced so that you can use the
probe to identify the same cable within a bundle or duct.
The maximum value allowed for insertion loss depends on the link category. For
example, Cat 5e at 100 MHz allows up to 24 dB, while Cat 6 allows up to 21.7
dB at 250 MHz. When you are measuring insertion loss itself, smaller values are
better (20 dB insertion loss is better than 22 dB, for instance). A cable certifier is
likely to report the margin, which is the difference between the actual loss and
the maximum value allowed for the cable standard. Consequently, higher margin
values are better. For example, if the insertion loss measured over a Cat 5e cable
is 22 dB, the margin is 2 dB; if another cable measures 23 dB, the margin is only 1
dB, and you are that much closer to not meeting acceptable link standards. Higher
grade or shielded cable may alleviate the problem; otherwise, you will need to find
a shorter cable run or install a repeater or additional switch.
Careful cable placement is necessary during installation to ensure that the wiring is
not subject to interference from sources such as electrical power cables, fluorescent
lights, motors, electrical fans, radio transmitters, and so on. Electromagnetic
interference (EMI) is something that should be detected when the cable is installed,
so you should suspect either some new source that has been installed recently or
some source that was not taken into account during testing (machinery or power
circuits that weren’t activated when the installation testing took place, for instance).
Interference from nearby data cables is also referred to as alien crosstalk.
Radio frequency interference (RFI) is EMI that occurs in the frequencies used for radio
transmissions.
Crosstalk Issues
Crosstalk usually indicates a problem with bad wiring (poor quality or damaged or
the improper type for the application), a bad connector, or improper termination.
Check the cable for excessive untwisting at the ends and for kinks or crush points
along its run. Crosstalk is also measured in dB, but unlike insertion loss, higher
values represent less noise. Again, the expected measurements vary according to
the cable category and application. There are various types of crosstalk that can be
measured:
• Near End (NEXT)—This measures crosstalk on the receive pairs at the
transmitter end and is usually caused by excessive untwisting of pairs or faulty
bonding of shielded elements.
• Power Sum—Gigabit Ethernet and 10 GbE use all four pairs. Power sum
crosstalk calculations (PSNEXT, PSACRN, and PSACRF) confirm that a cable is
suitable for this type of application. They are measured by energizing three of
the four pairs in turn.
• Alien Crosstalk—This is signal traffic from cables in close proximity that causes
interference to a disturbed or victim cable. This is commonly caused by cinching
a cable bundle with ties too tightly and by poorly terminated cabling.
Complete loss of connectivity indicates a break in the cable (or a completely faulty
installation), while intermittent loss of connectivity is more likely to be caused by
attenuation, crosstalk, or noise.
The powerful light sources used by fiber optics are a hazard. Wear appropriate safety
goggles, and never look directly at an active transceiver port or the end of a fiber cable.
Point a cable at a flat surface to confirm whether visible light is being transmitted, or
use a smartphone camera to detect whether infrared light is being transmitted.
• Check the cable for any visible damage such as cuts, kinks, or severe bends.
• Ensure that the connectors are not damaged and are securely plugged into
the network device and the computer.
• Unplug the cable from both ends and then plug it back in. This can resolve
loose connection issues.
3. Verify Drivers
• If the problem persists, the issue could be the drivers or a physical problem
with the network adapter.
• Open Device Manager on your computer, find your network adapter in the
list, and check if it’s working properly.
• If it is not working correctly, you may need to update the drivers or replace
the network adapter.
Module 2
Summary
You should be able to summarize the properties of copper and fiber optic media
and connectors and match them to an appropriate Ethernet standard for a
particular solution. Additionally, you should be able to use appropriate tools to
diagnose symptoms and causes of common cable connectivity issues.
Module 3
Configuring Interfaces and Switches
Module Introduction
Cabling establishes the links between nodes on the network, but each node also
requires a network interface that both connects the cabling and performs the Data
Link layer addressing and framing functions necessary for communications.
Also, not many networks are established by directly connecting each end system
to every other local system. Cabling and support costs are reduced by using
intermediate systems to establish local networks. These intermediate systems are
deployed as network appliances such as hubs, bridges, and switches. Installing
and configuring these devices will be a regular task for you during your career in
network administration.
Module Objectives
In this lesson, you will do the following:
• Deploy networking devices.
Lesson 3.1
Network Interfaces
• What is Ethernet framing, and how are network interfaces uniquely addressed?
Network interface card (NIC) with two RJ45 ports. (Image © 123RF.com.)
Each Ethernet network interface port has a unique hardware address known as the
Media Access Control (MAC) address. This may also be referred to as the Ethernet
address (EA) or, in IEEE terminology, as the extended unique identifier (EUI). A
MAC address is also referred to as a local or physical address.
Modular Transceivers
A network might involve the use of multiple types of cabling. When this occurs,
server, switch, and router equipment must be able to terminate different cable
and connector types. Enterprise servers, switches, and routers are available with
modular, hot-swappable transceivers for different types of fiber optic and copper
connections.
SFP/SFP+
Small form-factor pluggable (SFP) transceivers use LC connectors and support
Gigabit Ethernet data rates. Enhanced SFP (SFP+) is an updated specification to
support 10 GbE but still uses the LC form factor. There are different modules to
support the various Ethernet standards and fiber mode type (10GBASE-SR versus
10GBASE-LR, for instance).
Switch with hot-pluggable SFP fiber transceivers. (Image by Zdenek Maly © 123RF.com.)
You will often see the term “MSA” in conjunction with modular transceivers. Multi-source
agreement (MSA) is intended to ensure that a transceiver from one vendor is compatible
with the switch/router module of another vendor.
There are also transceivers that support the Fibre Channel storage area network (SAN)
protocol. These are not compatible with Ethernet switches.
QSFP/QSFP+
Quad small form-factor pluggable (QSFP) is a transceiver form factor that
supports 4 x 1 Gbps links, typically aggregated to a single 4 Gbps channel. Enhanced
quad small form-factor pluggable (QSFP+) is designed to support 40 GbE by
provisioning 4 x 10 Gbps links. QSFP+ is typically used with parallel fiber and multi-
fiber push-on (MPO) termination. QSFP+ can also be used with Wavelength Division
Multiplexing (WDM) Ethernet standards.
There are also SFP+ and QSFP+ transceivers with Direct Attach Copper (DAC) ports.
WDM transceivers must be installed in matched pairs. The Tx wavelength used on one
side must match the Rx wavelength used on the other.
Typically, an estimated loss budget is calculated when planning the link. The link is
tested at deployment to derive an actual value. Differences between these values
may reveal an installation fault or some unexpected source of signal loss.
The loss budget must be less than the power budget. The power budget is
calculated from the transceiver transmit (Tx) power and receiver (Rx) sensitivity,
which are both typically measured in decibels relative to one milliwatt, or dBm. For example, if Tx is
-8 dBm and Rx is -15 dBm, then the power budget is 7 dB.
dBm measures signal strength against a reference value, where 0 dBm is 1 milliwatt. A
negative dBm value is typical of Ethernet transceivers, which output less than 1 mW.
If the loss budget is 5 dB, the margin between the power budget and loss budget
will be 2 dB. Margin is a safety factor to account for suboptimal installation
conditions (such as bends or stress), aging, repair of accidental damage
(additional splices), and performance under different thermal conditions (extreme
temperatures can cause loss).
If the margin between the transmitter power and link budget is low, the link is less
likely to achieve the expected bandwidth. There may be opportunities to improve
performance with better or fewer splices, or it may be necessary to use an amplifier
to boost the signal. Most outdoor plans would be designed with a margin of at least
5 dB. In a datacenter where conditions are less variable a lower margin might be
acceptable.
Preamble
The preamble and start frame delimiter (SFD) are used for clock synchronization
and as part of the CSMA/CD protocol to identify collisions. The preamble consists of
8 bytes of alternating 1s and 0s with the SFD being two consecutive 1s at the end.
This is not technically considered to be part of the frame.
EtherType
The 2-byte EtherType field is usually used to indicate the type of protocol in the
frame payload. For example, a frame carrying an IPv4 packet would have an
EtherType value of 0x0800; one carrying IPv6 data would be 0x86DD.
You might see the 2-byte field described as the EtherType/Length field. When Ethernet
was being developed, there were several alternative frame formats, one of which used
the 2-byte field to indicate the frame length. To maintain compatibility, EtherTypes
are values of 0x0600 (1536 in decimal) or greater. Anything less than that would be
interpreted as the payload length.
Error Checking
The error checking field contains a 32-bit (4-byte) checksum called a cyclic
redundancy check (CRC) or frame check sequence (FCS). The CRC is calculated
based on the contents of the frame; the receiving node performs the same
calculation and, if it matches, accepts the frame. There is no mechanism for
retransmission if damage is detected nor is the CRC completely accurate at
detecting damage; these are functions of error checking in protocols operating at
higher layers.
Burned-in Addresses
The IEEE gives each network adapter manufacturer a range of numbers, and the
manufacturer hard codes every interface produced with a unique number from
their range. This is called the burned-in address or the universal address. The first
six hex digits (3 bytes or octets), also known as the organizationally unique identifier
(OUI), identify the manufacturer of the adapter. The last six digits are a serial
number.
An organization can decide to use locally administered addresses in place of
the manufacturers’ universal coding systems. This can be used to make MACs
meaningful in terms of location on the network, but it adds a significant amount
of administrative overhead. A locally administered address is defined by changing
the universal/local (U/L) bit from 0 to 1. The rest of the address is configured
using the card driver or network management software. It becomes the network
administrator’s responsibility to ensure that all interfaces are configured with a
unique MAC.
Captured Ethernet frame showing the resolved OUI and IG and LG bits in the destination
(broadcast) and source addresses. Note that Wireshark uses local/global (L/G) terminology rather
than universal/local (U/L). (Screenshot courtesy of Wireshark.)
Broadcast Address
The I/G bit of a MAC address determines whether the frame is addressed to an
individual node (0) or a group (1). The latter is used for broadcast and multicast
transmissions. A MAC address consisting entirely of 1s is the broadcast address
(ff:ff:ff:ff:ff:ff).
A unicast transmission is one sent to an individual host. This is achieved by adding
the host’s unique MAC address as the destination address. When a frame uses the
broadcast address as the destination address, it should be processed by all nodes
that receive the frame. These nodes are said to be within the same broadcast
domain.
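The following added example (not from the CompTIA guide) assembles and parses an Ethernet II frame to show the fields described above: the I/G and U/L bits and OUI of each MAC address, the EtherType/Length rule at 0x0600, and the CRC-32 frame check sequence. It assumes Python's zlib CRC-32 is the IEEE 802.3 polynomial (it is) and that the FCS is carried least-significant byte first; the sample addresses and payload are constructed, not captured.

```python
"""Build and parse an Ethernet II frame, including an FCS check.

Added example, not from the CompTIA guide. The preamble/SFD precedes the
frame on the wire and is not part of it, so it is not modelled here. The
sample MAC addresses are constructed and imply no real vendor OUI.
"""
import struct
import zlib

BROADCAST = bytes([0xFF] * 6)  # ff:ff:ff:ff:ff:ff, all I/G bits set


def describe_mac(mac):
    """Return the properties of a 6-byte MAC address discussed above."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    first = mac[0]
    return {
        "text": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),            # first three octets
        "group": bool(first & 0x01),     # I/G bit: 1 = broadcast/multicast
        "local": bool(first & 0x02),     # U/L bit: 1 = locally administered
        "broadcast": mac == BROADCAST,
    }


def fcs(frame_body):
    """CRC-32 over destination..payload, packed least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst, src, type_or_length, payload):
    """Assemble a frame (no preamble), padding the payload to the 46-byte minimum."""
    payload = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", type_or_length) + payload
    return body + fcs(body)


def parse_frame(frame):
    """Split a frame into its fields and verify the FCS; raise on damage."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch: frame damaged")
    dst, src = body[:6], body[6:12]
    (type_len,) = struct.unpack("!H", body[12:14])
    # Values of 0x0600 (1536) or greater are EtherTypes; smaller values
    # are a payload length from the older frame format.
    if type_len >= 0x0600:
        kind, ethertype, length = "ethertype", type_len, None
    else:
        kind, ethertype, length = "length", None, type_len
    return {
        "dst": describe_mac(dst),
        "src": describe_mac(src),
        "field": kind,
        "ethertype": ethertype,
        "length": length,
        "payload": body[14:],
    }


def frame_is_intact(frame):
    """True when the frame parses and its FCS matches; False otherwise."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")            # constructed universal address
    frame = build_frame(BROADCAST, src, 0x0800, b"\x45\x00")  # IPv4 EtherType
    info = parse_frame(frame)
    print(info["dst"]["text"], "broadcast:", info["dst"]["broadcast"])
    print(info["src"]["text"], "oui:", info["src"]["oui"], "local:", info["src"]["local"])
    print("field:", info["field"], hex(info["ethertype"]))
    damaged = bytearray(frame)
    damaged[20] ^= 0xFF                            # corrupt one payload byte
    print("damaged frame accepted:", frame_is_intact(bytes(damaged)))
```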
Lesson 3.2
Ethernet Switches
Most networks use intermediate systems to reduce cabling costs and complexity.
In this topic, you will summarize the functions of hub, bridge, and switch appliances
working at the Physical and Data Link layers.
As you study this lesson, answer the following questions:
• A host on a network sends a frame to the hub. Which other devices on the
network will see this frame?
• What are the similarities and differences between a bridge and a switch?
Hubs
Most Ethernet networks are implemented so that each end system node is wired
to a central intermediate system. In early types of Ethernet, this function was
performed by a hub. While hubs are no longer widely deployed as standalone
appliances, it is important to understand the basic functions they perform.
A hub acts like a multiport repeater so that every port receives transmissions
sent from any other port. As a repeater, the hub works only at the Physical layer.
Electrically, the network segment looks like a single length of cable. Consequently,
every hub port is part of the same shared media access area and within the same
collision domain. All node interfaces are half-duplex, using the CSMA/CD protocol,
and the media bandwidth (10 Mbps or 100 Mbps) is shared between all nodes.
A broadcast transmission is sent to all hosts in the same logical network area. In
Ethernet, this is accomplished by using the broadcast MAC address ff:ff:ff:ff:ff:ff. A
unicast transmission is addressed to a single host only, using its MAC address. With
hubs, all interfaces receive all unicast and broadcast transmissions. Hosts are typically
configured to ignore unicast transmissions that are not addressed to them. However,
setting an interface to promiscuous mode allows a host to capture (or “sniff”) all unicast
transmissions sent via the hub. This is a major security weakness of hubs.
When Ethernet is wired with a hub there needs to be a means of distinguishing the
interface on an end system (a computing host) from the interface on an intermediate
system (the hub). The end system interface is referred to as medium dependent
interface (MDI); the interface on the hub is referred to as MDI crossover (MDIX). This
means that the transmit (Tx) wires on the host connect to receive (Rx) wires on the hub.
There are no configuration options for a hub. You just connect the device to a
power source and then connect the network cables for the hosts that are going to
be part of the network segment served by the hub.
Bridges
An Ethernet bridge works at the Data Link layer (layer 2) to establish separate
physical network segments while keeping all nodes in the same logical network.
This reduces the number of collisions caused by having too many nodes contending
for access.
The previous figure shows how a bridge creates separate collision domains.
Each hub is a shared access media area. The nodes connected to the hubs share
the available bandwidth—a 100 Mbps Ethernet for domain A and a 10 Mbps
Ethernet for domain B—because only one node within each collision domain can
communicate at any one time. The bridge isolates these segments from each other,
so nodes in domain B do not slow down or contend with nodes in domain A. The
bridge does allow nodes to communicate with the other collision domain. It does
this by forwarding only the appropriate traffic. This creates a single logical network,
referred to as a layer 2 broadcast domain.
An Ethernet bridge builds a forwarding database to track which addresses are
associated with which of its ports. When the bridge is initialized, the database’s
MAC address table is empty, but information is constantly added as the bridge
listens to the connected segments. Entries are flushed out of the table after a
period to ensure the information remains current.
If no record of the MAC address exists or the frame is a broadcast or multicast, then
the bridge floods the frame to all segments except for the source segment (acting
like a hub).
Switches
The problems created by contention can be more completely resolved by moving
from a shared Ethernet system to a switched Ethernet. Hubs and bridges are
replaced with switches. Gigabit Ethernet and faster can only be deployed using
switches.
An Ethernet switch performs the same sort of function as a bridge, but in a more
granular way and for many more ports than are supported by bridges. Each
switch port is a separate collision domain. In effect, the switch establishes a point
to point full-duplex link between any two network nodes. This is referred to as
microsegmentation.
Because each port is in a separate collision domain, collisions can occur only if
the port is operating in half-duplex mode. This would only be the case if a legacy
network card or a hub is attached to it. Even then, collisions affect only the
microsegment between the switch port and the connected interface; they do not
slow down the whole network. As with a bridge, traffic on all switch ports is in the
same broadcast domain unless the switch is configured to implement virtual LANs
(VLANs).
The market is dominated by Cisco’s Catalyst and Nexus platforms (over 55% of
sales), but other notable vendors include HP Enterprise, Huawei, Juniper, Arista,
Linksys, D-Link, NETGEAR, and NEC.
Ethernet switches can be distinguished using the following general categories:
• Unmanaged versus managed—On a SOHO network, switches are more likely
to be unmanaged, standalone units that can be added to the network and run
without any configuration. The switch functionality might also be built into an
Internet router/modem. On a corporate network, switches are most likely to be
managed. This means the switch settings can be configured. If a managed switch
is left unconfigured, it functions the same as an unmanaged switch does.
• Modular versus fixed—A fixed switch comes with a set number of ports that
cannot be changed or upgraded. A modular switch has slots for plug-in cards,
meaning it can be configured with different numbers and types of ports.
• Privileged EXEC mode—This allows the user to report the configuration, show
system status, reboot or shut down the appliance, and backup and restore the
system configuration. This mode is activated using the enable command from
user EXEC mode. It is denoted by a # prompt.
Most switch CLIs also support TAB and/or use of ? to list different ways to
complete a partial instruction.
Interfaces are identified by type, slot, and port number. For example,
GigabitEthernet 0/2 (or G0/2) is port #2 on the first 10/100/1000 slot (or only slot).
Stackable switches precede interface identifiers with a module ID. For example,
GigabitEthernet 3/0/2 is the second port on the first slot in the third module in the stack.
Note that this numbering does vary between manufacturers. Also, some start from zero
and some from one.
Switches normally support a range of Ethernet standards so that older and newer
network adapters can all be connected to the same network. In most cases, the port
on the switch is set to auto-negotiate speed (10/100/1000) and full- or half-duplex
operation. A static configuration can be applied manually if necessary.
If you don’t use autonegotiation, you need to manually configure the speed and duplex
to match both devices. For best performance, if one end of the connection is hard
coded, it’s advised to hard code the other end and not rely on autonegotiation.
To configure the first interface, from global config mode, run interface
GigabitEthernet0/1. This changes the prompt to (config-if)#. Some of the
main subcommands are the following:
• shutdown disables the interface; no shutdown enables the interface.
• speed and duplex are both normally set to auto (the default). Using
speed 100 and duplex half would apply a static configuration.
• switchport configures switching mode characteristics. Interfaces connected
to computer devices are usually set to switchport mode access.
switchport port-security allows configuration of various security
mechanisms.
Once done, run exit. To make changes persistent, run do copy running-config startup-config.
Cisco IOS switch interface configuration commands. (Image © and Courtesy of Cisco Systems, Inc.
Unauthorized use not permitted.)
copy is a privileged mode command. do copy allows you to run the command
from within config mode.
You can use the range command to configure a number of interfaces simultaneously.
For example, interface range GigabitEthernet0/1-24
enters configuration mode for all 24 interfaces in module 0.
Lesson 3.3
Switch Port Configuration
• Why would you consider configuring switches in your network to handle jumbo
frames?
• What are the options and benefits of integrating PoE devices in your network?
• What protocol can be used to prevent looping and broadcast storms in your
network, and how does it work?
From the host end, this can also be called NIC teaming; at the switch end, it can
be called port aggregation and is referred to by Cisco as an EtherChannel. The term
“bonding” is also widely substituted for “aggregation.”
A server node uses NIC teaming to create a 4 Gbps channel link from four 1 Gbps ports
to a workgroup switch, while the workgroup switch bonds its uplink transceivers to create a
20 Gbps channel to a router.
Link aggregation can also provide redundancy; if one link is broken, the connection
is still maintained by the other. It is also often cost-effective; a four-port Gigabit
Ethernet card might not match the bandwidth of a 10 GbE port but will cost less.
This configuration is fully redundant only if the business function does not depend on
the full speed of the bonded link. If one port fails, and the link drops to 1 Gbps, but that
bandwidth is insufficient, there is not full redundancy.
Optionally, both sides can be configured as active. However, if both sides are set to
passive, no bonded channel will be created. The channel ID on each side does not have
to match, but it is easier to manage the connection if it is the same on both switches.
The maximum size of the data payload is 1,500 bytes. This upper limit of the
payload is also referred to as the maximum transmission unit (MTU).
In circumstances where data payloads can be very high, a 1500-byte MTU means
using a lot of frames. A jumbo frame is one that supports a data payload of up to
9,216 bytes. This reduces the number of frames that need to be transmitted, which
can reduce the amount of processing that switches and routers need to do. It also
reduces the bandwidth requirement somewhat, as fewer frame headers are being
transmitted. The benefits of jumbo frames are somewhat disputed, however.
When implementing jumbo frames, it is critical that all hosts and appliances
(switches and routers) along the communications path be able and configured to
support them. It is also vital to ensure that each device supports the same MTU.
Also, it can be complex to calculate the MTU if any additional headers are used (for
IPSec, for instance).
Jumbo frame support can be configured using the command mtu 9018, where
9,018 is the required size. On some appliances, this must be configured for the
whole system; on others, it can be configured on a per-interface basis.
Each switch then determines the shortest path to the root bridge by exchanging
information with other switches. This STP information is packaged as bridge
protocol data unit (BPDU) multicast frames. Different port roles are assigned to
the interfaces participating in the spanning tree. A port that forwards “up” to the
root, possibly via intermediate switches, is identified as a root port. Ports that can
forward traffic “down” through the network with the least cost are identified as
designated ports. A port that would create a loop is identified as a blocking or non-designated
port. Subsequently, bridges exchange Topology Change Notifications if
devices are added or removed, enabling them to change the status of forwarding/
blocked ports appropriately.
Viewing spanning tree configuration on a Cisco switch. This switch has been designated the root.
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
The following table shows the different port states associated with spanning tree
operation.

State        Forwards Frames?   Learns MACs?   Notes
Blocking     No                 No             The port drops all frames other than BPDUs.
Listening    No                 No             The port is listening for BPDUs to detect loops.
Learning     No                 Yes            The port discovers the topology of the network and builds the MAC address table.
Forwarding   Yes                Yes            The port works as normal.
Disabled     No                 No             The port has been disabled by the administrator.
One of this switchʼs interfaces would make a loop, so it has been put in the blocking state.
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
When all ports on all switches are in forwarding or blocking states, the network
is converged. When the network is not converged, no communications can take
place. Under the original 802.1D standard, this made the network unavailable
for extended periods—tens of seconds—during configuration changes. STP is
now more likely to be implemented as 802.1D-2004/802.1w or Rapid STP (RSTP).
The rapid version creates outages of a few seconds or less. In RSTP, the blocking,
listening, and disabled states are aggregated into a discarding state.
PoE switches are referred to as endspan (or endpoint) power sourcing equipment
(PSE). On a Cisco switch, the command power inline auto max 15000
enables a port for PoE and sets a maximum output of 15,000 mW (or 15 W).
When a device is connected to a port on a PoE switch, the switch goes through a
detection phase to determine whether the device is PoE enabled. If not, it does not
supply power over the port and, therefore, does not damage non-PoE devices. If
so, it determines the deviceʼs power consumption and sets the supply voltage level
appropriately.
If a switch does not support PoE, a device called a power injector (or midspan) can
be used.
Lesson 3.4
Switch Troubleshooting
Ethernet switches and network adapters introduce the potential for issues at the
Data Link layer and can reveal subtle cabling problems and interference at the
Physical layer. Diagnosing and resolving problems gets more complex as you
work up through the network stack. You need to assimilate your knowledge of
both cabling types and Ethernet framing with awareness of status indicators and
commands for network equipment to resolve these issues.
As you study this lesson, answer the following questions:
• How can you use the physical and logical topology to isolate a problem to a
particular area of the network?
• What information can you obtain from network device status lights?
Power Issues
Like any computer system, networks require stable power to operate properly.
Power anomalies such as surges and spikes can damage devices; under-voltage
events (very brief power loss) can cause systems to lock up or reboot; and power
failures will down everything, including the lights. Enterprise sites have systems
to protect against these issues. Uninterruptible power supplies (UPSs) can keep
servers, switches, and routers running for a few minutes. This provides time to
either switch in a secondary power source (a generator) or shut down the system
gracefully, hopefully avoiding data loss. Most power problems will have to be
escalated to an electrician or the power company, depending on where the fault
lies.
Do be aware that restarting a switch, router, or server can be very disruptive to the
rest of the network. Identify how to mitigate potential impacts and seek authorization
for your plan before proceeding. Also, remember that a restart will apply the startup
configuration. Any unsaved changes in the running configuration will be discarded.
• Flickering green—The link is operating normally (with traffic). The blink rate
indicates the link speed.
• Solid amber—The port is blocked by the spanning tree algorithm, which works
to prevent loops within a switched network.
• show interface lists the state of all interfaces or the specified interface.
An interface has a line status (up if a host is connected via a good cable) and a
protocol status (up if an Ethernet link is established). show interface will
also report configuration details and traffic statistics if the link is up/up.
If an interface is not up/up, you need to diagnose the cause from the state:
• Down/down—There is no link. This is typically because no host is attached, but
it could also be caused by a speed mismatch.
An Ethernet frame that is slightly larger (up to 1600 bytes) is often referred to as a baby
giant.
• Verify the physical configuration of segments that use legacy equipment, such as
Ethernet hubs.
• Investigate networking devices in the user environment and verify that they are
not connected as part of a loop. Typical sources of problems include unmanaged
desktop switches and VoIP handsets.
Cabling Issues
Cabling for PoE+ must be Cat 5e or better, but standards typically recommend the
use of Cat 6A. Drawing power down the cable generates more heat. If this heat
is not dissipated, it can affect data rates. Thermal performance is improved by
using pure copper cabling with thicker conductors. A thin conductor will generate
more heat through resistance. Shielded cabling is capable of dispersing heat more
efficiently.
Incorrect Standard
A PD should be able to negotiate the correct mode and power output with the
switch. However, this process can fail with some devices that only support the first
PoE standard, especially if the switch interface is enabled for high power PoE++
Type 4 PDs. The switch and PD must negotiate a compatible mode:
• Alternative A delivers power with data over pairs 1/2 and 3/6. This is compatible
with 10/100 and 10/100/1000 links.
• Alternative B delivers power over the 10/100 spare pairs (4/5 and 7/8). This is not
compatible with Gigabit Ethernet.
• Four-pair delivers power over all pairs. This is required by PoE++ Type 3 and
Type 4 PDs. This is compatible with 10/100/1000 and also supports 10G.
Summary of PoE-enabled ports. The “switch” devices listed here are actually Voice over IP (VoIP)
handsets. (Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
Actual power consumption can fluctuate quite widely. For example, a camera with
pan-tilt-zoom controls will use more power when its motor is active.
Module 3
Summary
You should be able to identify the features of network devices operating at layers
1 and 2 and determine their appropriate placement on the network. You should
be able to deploy and troubleshoot Ethernet switches with appropriate port
configurations.
• Create a management plan for legacy hub and bridge appliances to ensure they
do not impact overall network performance.
• Enable spanning tree to prevent loops around redundant circuits and ensure the
selection of an appropriate root bridge.
• Use status indicators and networking device commands to verify system and
interface configurations.
Module 4
Configuring Network Addressing
Module Introduction
The Physical and Data Link layers covered in the previous course modules establish
local links between nodes. At the Network layer—layer 3—these individual networks
can be connected together into a network of networks, or internetwork.
In this module, you will identify the addressing and data delivery methods of the
Internet Protocol (IP). IP is at the heart of most modern networks and consequently
one of the most important topic areas for a network professional to understand
and apply.
IP is implemented on network hosts using a wide variety of configuration interfaces
and tools. You must be confident about selecting an appropriate tool to use to
complete a particular support or troubleshooting task.
This module also introduces IPv6 addressing concepts and highlights some key
differences between IPv6 and IPv4.
Module Objectives
In this module, you will do the following:
• Explain IPv4 addressing schemes.
Lesson 4.1
Internet Protocol Basics
There are two versions of IP; version 4 is more widely adopted and is the version
discussed in the following few lessons. IPv6 introduces a much larger address space and
different means of configuring clients and is discussed later in the module.
IPv4 header.
The Version field indicates the version of Internet Protocol in use (4), while the
Length fields indicate the size of the header and the total packet size (including the
payload). The maximum theoretical size is 65,535 bytes, but actual packets would
typically be much smaller to avoid fragmentation when transported as the payload
of Ethernet frames, which usually have 1,500-byte MTUs.
The Protocol field describes what type of data is encapsulated in the payload so
that the receiving host knows how to process it. For most packets, the IP protocol
type value in the Protocol field will indicate a Transmission Control Protocol (TCP/6)
segment or a User Datagram Protocol (UDP/17) datagram, which work at the
Transport layer. The values assigned to protocol types, such as 6 for TCP and 17 for
UDP, are managed by IANA.
Those are the values in decimal. You are also likely to see them in their hex forms
(0x06 and 0x11). Both formats ultimately represent 8-bit binary values (00000110 and
00010001).
Some Network layer protocols run directly on IP. These IP protocol types include the
following:
• Internet Control Message Protocol (ICMP/1) is used for status messaging and
connectivity testing.
• Enhanced Interior Gateway Routing Protocol (EIGRP/88) and Open Shortest Path
First (OSPF/89) are protocols used by routers to exchange information about
paths to remote networks.
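To make these header fields concrete, here is an added example (mine, not the study guide's) that decodes a constructed 20-byte IPv4 header with Python's struct module, checks the Version and length fields before trusting them, and labels the Protocol value in decimal, hex, and by its IANA name. The packet bytes are constructed in the block, using the 192.0.2.0/24 documentation range.

```python
"""Decode the IPv4 header fields described above (added example, not from the guide)."""
import struct

# IANA-assigned IP protocol numbers named in the text (decimal).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Return Version, header length, Total Length, Protocol and addresses.

    Raises ValueError when the bytes are not a plausible IPv4 header; a receiving
    stack or inspection tool must make these checks before it trusts the length
    fields to slice the payload.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    # Byte 0: high nibble = Version, low nibble = IHL (header length in 32-bit words).
    version_ihl, _dscp_ecn, total_length = struct.unpack("!BBH", packet[:4])
    version = version_ihl >> 4
    header_len = (version_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (Version field = {version})")
    if header_len < 20:
        raise ValueError("IHL is below the minimum of 5 words")
    if total_length < header_len or total_length > len(packet):
        raise ValueError("Total Length is inconsistent with the bytes received")
    protocol = packet[9]                       # byte 9 is the Protocol field
    return {
        "version": version,
        "header_length": header_len,
        "total_length": total_length,
        "payload_length": total_length - header_len,
        "protocol": protocol,
        "protocol_hex": f"0x{protocol:02x}",   # same value as the text's hex forms
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other"),
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
    }


def is_plausible_ipv4_header(packet: bytes) -> bool:
    """True if parse_ipv4_header accepts the bytes, False otherwise."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


def build_sample_packet(protocol: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum left at zero) for the demo."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                     # Version 4, IHL 5 words (20 bytes)
        0,                        # DSCP/ECN
        20 + len(payload),        # Total Length = header + payload
        0x1234,                   # Identification (constructed value)
        0x4000,                   # Flags: Don't Fragment, fragment offset 0
        64,                       # TTL
        protocol,
        0,                        # header checksum (not computed here)
        bytes([192, 0, 2, 10]),   # source address (documentation range)
        bytes([192, 0, 2, 20]),   # destination address
    )
    return header + payload


if __name__ == "__main__":
    print(parse_ipv4_header(build_sample_packet(17, b"hello")))
```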
Nodes within each subnet can address one another directly (they are in the same
broadcast domain), but they can only communicate with nodes in other subnets via
the router.
Within each subnet, nodes use Media Access Control (MAC) addresses to forward
frames to one another, using a mechanism to translate between layer 3 IP
addresses and layer 2 MAC addresses.
The Network layer can also accommodate forwarding between different types
of layer 1/layer 2 networks. The private zone is implemented using Ethernet, but
the link between the router’s public interface and the ISP might use a different
technology, such as digital subscriber line (DSL).
All hosts that share the same broadcast address receive the packet. They are said
to be in the same layer 3 broadcast domain. Broadcast domain boundaries are
established at the Network layer by routers. Routers do not forward broadcasts,
except in some specially configured circumstances.
As with unicast traffic, IP packets must be delivered to hosts using layer 2 MAC
addresses. At layer 2, broadcasts are delivered using the group MAC address
(ff:ff:ff:ff:ff:ff). This means that there is also a broadcast domain scope at layer 2.
With legacy devices such as hubs and bridges, every port on all physically connected
nodes is part of the same layer 2 broadcast domain. This is also the case with a
basic or unmanaged switch. By default, a switch floods broadcasts out of every port
except the source port.
Multicast Addressing
IP multicasting allows one host on the Internet (or private IP network) to send
content to other hosts that have identified themselves as interested in receiving
the originating host’s content. Multicast packets are sent to a destination IP address
from a special range configured for use with that multicast group. In IPv4, the range
224.0.0.0 through to 239.255.255.255 is reserved for multicast addressing.
The intent to receive multicasts from a particular host is signaled by joining a
multicast group. The Internet Group Management Protocol (IGMP) is typically
used to configure group memberships and IP addresses.
At layer 2, multicasts are delivered using a special MAC address, comprised of the
prefix 01-00-5E, with the remainder expressing the multicast group IP address in
hex notation. To deliver this frame only to members of the multicast group, the
switch must be capable of IGMP snooping. If the switch is not multicast capable,
it will treat the multicast MAC address like a broadcast and flood the multicast
transmissions out of all ports.
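An added example (not from the study guide) that derives the layer 2 multicast MAC from a group IP using the IANA prefix 01-00-5E. It goes one step beyond the text by keeping only the low 23 bits of the group address, which is what the mapping actually does, so it also shows why 32 group addresses share one MAC and an IGMP-snooping switch has to look at the IP header rather than the frame alone.

```python
"""IPv4 multicast group -> multicast MAC mapping (added example, not from the guide)."""

MULTICAST_FIRST, MULTICAST_LAST = 0xE0000000, 0xEFFFFFFF   # 224.0.0.0 .. 239.255.255.255


def ip_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_multicast(addr: str) -> bool:
    """True for addresses in the reserved range 224.0.0.0/4."""
    return MULTICAST_FIRST <= ip_to_int(addr) <= MULTICAST_LAST


def multicast_mac(group: str) -> str:
    """Return the 01:00:5e:xx:xx:xx MAC for an IPv4 multicast group address."""
    if not is_multicast(group):
        raise ValueError(f"{group} is not a multicast address")
    low23 = ip_to_int(group) & 0x7FFFFF         # only the low 23 bits fit in the MAC
    tail = low23.to_bytes(3, "big")
    return "01:00:5e:" + ":".join(f"{b:02x}" for b in tail)


def groups_sharing_mac(group: str) -> list:
    """All 32 group addresses that collide with `group` at layer 2.

    The 4-bit 1110 prefix is fixed, leaving 28 variable bits; 5 of them are
    discarded by the mapping, so 2^5 groups map onto each multicast MAC.
    """
    low23 = ip_to_int(group) & 0x7FFFFF
    return [int_to_ip(MULTICAST_FIRST | (high5 << 23) | low23) for high5 in range(32)]


if __name__ == "__main__":
    print(multicast_mac("224.0.0.251"))        # mDNS group
    print(groups_sharing_mac("224.1.1.1")[:3])
```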
Anycast Addressing
Anycast means that a group of hosts is configured with the same IP address. When
a router forwards a packet to an anycast group, it uses a prioritization algorithm
and metrics to select the host that is “closest” (that will receive the packet and be
able to process it the most quickly). This allows the service behind the IP address to
be provisioned more quickly and reliably. It allows for load balancing and failover
between the server hosts sharing the IP address.
There isn’t an anycast address range. Hosts participating in an anycast group are
configured with the same unicast address. Anycast forwarding is handled by routers,
typically using a dynamic routing protocol, such as Border Gateway Protocol (BGP).
Lesson 4.2
IP Version 4 Addressing
The core function of IP is to facilitate the creation of a group of logically distinct but
interconnected networks, referred to as an internetwork. This means that some
packets addressed to hosts on remote networks must be forwarded via one or
more of the intermediate systems that establish paths between networks.
In this topic, you will identify the basic principles by which IPv4 distinguishes local
and remote hosts and networks.
As you study this lesson, answer the following questions:
• What is the format of an IPv4 address?
• What is the purpose of a network mask, and what format can these masks take
in IPv4?
11000110001100110110010000000001
The 32 bits are subdivided into four groups of 8 bits (1 byte) known as octets. The
previous IP address could therefore be written as:
Binary/Decimal Conversion
The following examples demonstrate the process of converting between binary and
decimal notation.
In base 2 (binary), digits can take one of two different values (0 and 1). The place
values are powers of 2: 2¹=2, 2²=4, 2³=8, 2⁴=16, 2⁵=32, 2⁶=64, and 2⁷=128. You should
memorize these values to be able to perform binary/decimal conversions using
the columnar method. Consider the octet 11101101 represented in base 2. This
image shows the place value of each digit in the octet in the first two rows, with the
binary octet in the third row. Rows four and five show that where there is a 1 in the
octet, the decimal place value is added to the sum:
You can use the same columnar method to convert from decimal to binary. For
example, the number 51 can be converted as follows:
If all the bits in an octet are set to 1, the number obtained is 255 (the maximum
possible value). Similarly, if all the bits are set to 0, the number obtained is 0 (the
minimum possible value). Therefore, theoretically an IPv4 address may be any value
between 0.0.0.0 and 255.255.255.255. However, some addresses are not
permitted or are reserved for special use.
Network Masks
An IP address represents both a network ID and a host ID. In IPv4, a 32-bit network
mask (or netmask) is used to distinguish these two components within a single
IPv4 address. The mask conceals the host ID portion of the IP address and thereby
reveals the network ID portion.
The mask and the IPv4 address are the same number of bits. Wherever there is a
binary 1 in the mask, the corresponding binary digit in the IPv4 address is part of
the network ID. The 1s in the mask are always contiguous. For example, this mask is
valid:
Subnet Masks
The relative sizes of the network and host portions in an IPv4 address determine
how many networks and hosts per network an addressing scheme can support. The
conventional addressing technique has IPv4 addresses with two hierarchical levels,
namely the network ID and host ID. This scheme of using whole octet boundaries
for the netmask is inflexible, so a system of dividing networks into subnetworks or
subnets was devised.
Subnet addressing has three hierarchical levels: a network ID, subnet ID, and host
ID. To create logical subnets, bits from the host portion of the IP address must be
allocated as a subnetwork address, rather than part of the host ID.
This means the boundary between network and host IDs can fall within an octet
rather than on one. For example, a binary mask with 28 bits could use all the
octets, with the network prefix boundary lying within the fourth octet:
Subnet addressing.
Because the 1s in a mask are always contiguous, each octet in decimal in an IPv4
mask will always be one of the following.
Default Gateway
When two end system hosts attempt to communicate via IPv4, the protocol
compares the source and destination address in each packet against the netmask.
If the masked portions of the source and destination IP addresses match, then the
destination interface is assumed to be reachable via the local layer 2 network.
In the figure, the first 28 bits of the source and destination address are the same.
Therefore, IP concludes the destination IPv4 address is on the same IP network or
subnet and tries to deliver the packet locally.
If the masked portion does not match, as in the following figure, IP assumes the
packet must be routed to another IP network or subnet:
When the destination IPv4 address is on a different IP network or subnet, the host
forwards the packet to its default gateway, rather than trying to deliver it locally.
The default gateway is a router configured with a path to remote networks.
The router determines what to do with the packet by performing the same
comparison between the source and destination address and netmask. The router
then uses its routing table to determine which interface it should use to forward the
packet. If no suitable path is available, the router drops the packet and informs the
host that it could not be delivered.
If the message is destined for yet another network, the process is repeated to take
it to the next stage, and so on.
Paths to other IP networks can be manually configured in the routing table or
learned by a dynamic routing protocol. Dynamic routing protocols allow routers
to share information about known networks and possible paths to them. This
information allows them to choose the best routes to any given destination and
select alternate routes if one of these is unavailable.
A default gateway router's interface IP can be any usable host ID, but by convention it is
normally set to either the first or last usable host address.
Broadcast Addresses
A broadcast can be performed by sending a packet to the network or subnet’s
broadcast address. The broadcast address is the last address in any IP network, or
put another way, the address in any IP network where all the host bits are set to 1.
For example, if the subnet mask is 255.255.255.240, the last four bits of the
last octet in the IP address are the host ID portion. If these bits are set to all 1s, that
is the last possible address before the next subnet ID, and therefore the network
broadcast address:
Lesson 4.3
IP Version 4 Subnetting
Organizations with large networks need to divide those networks up into smaller
segments to improve performance and security. A network segment is represented
at the Network layer by a subnet. Additionally, IPv4 uses a system of public versus
private addressing that determines how hosts and networks can connect over the
Internet. Understanding the features of these addressing schemes will be essential
to your career in network support.
• What is the original classful IPv4 addressing scheme, and how is it relevant to
modern networks?
• Which address ranges are available for use on the public Internet, and which are
reserved for private networks or other purposes?
• How can classless addressing summarize network addresses and allow for
networks with different-sized subnets?
Classful Addressing
So far, we have considered IP network and subnet IDs that are defined by network
masks. This is referred to as classless addressing. A classful addressing scheme
was employed in the 1980s, before the use of netmasks to identify the network ID
portion of an address was developed. Classful addressing allocates a network ID
based on the first octet of the IP address.
IP ranges 0.0.0.0/8 and 127.0.0.0/8 are also part of Class A but are reserved for special
uses. 0.0.0.0/8 means “this” network, and 127.0.0.0/8 is used for loopback addressing.
While routers have performed classless addressing for years, the class terminology
is still used in some contexts. Even under classless addressing, the old classes are
often used as names for the netmasks that align to whole octet boundaries:
• Class A: 255.0.0.0 (/8)
Any organization can use private addresses on its networks without applying to a
registry or ISP, and multiple organizations can use these ranges simultaneously.
Internet access can be facilitated for hosts using a private addressing scheme in two
ways:
• Through a router configured with a single valid public IP address or a block of
valid public IP addresses; the router translates between the private and public
addresses using a process called Network Address Translation (NAT).
• Through a proxy server that fulfills requests for Internet resources on behalf of
clients. The proxy server itself must be configured with a public IP address on
the external-facing interface.
Loopback Addresses
While nominally part of Class A, the range 127.0.0.0 to 127.255.255.255 (or
127.0.0.0/8) is reserved. This range is used to configure a loopback address, which
is a special address typically used to check that TCP/IP is correctly installed on the
local host. The loopback interface does not require a physical interface to function.
A packet sent to a loopback interface is not processed by a network adapter
but is otherwise processed as normal by the host’s TCP/IP stack. Every IP host is
automatically configured with a default loopback address, typically 127.0.0.1. On
some hosts, such as routers, more than one loopback address might be configured.
Loopback interfaces can also be configured with an address from any suitable IP
range, as long as it is unique on the network. A host will process a packet addressed
to a loopback address regardless of the physical interface on which it is received.
Most hosts are also configured with a Domain Name System (DNS) host name.
The loopback address is associated with the name localhost. The name
localhost can be substituted for the numeric loopback address.
Other
A few other IPv4 address ranges are reserved for special use and are not publicly
routable:
• 0.0.0.0/8—Used when a specific address is unknown. This is typically used as a
source address by a client seeking a DHCP lease.
• The number of hosts per subnet that must be supported must be considered.
• The network ID must be from a valid public or a private range (not from the
loopback, link-local reserved range, multicast range, or reserved/experimental
range, for instance).
• The network and/or host IDs cannot be all 1s in binary—this is reserved for
broadcasts.
• The network and/or host ID cannot be all 0s in binary; 0 means “this network.”
• The network ID must be unique on the Internet (if you are using a public
addressing scheme) or on your internal system of internetworks (if you are using
a private addressing scheme).
When you are performing subnet calculations, try to think in terms of the number
of mask bits. It helps to remember that each power of 2 is double the previous one:
2^2    2^3    2^4    2^5    2^6    2^7    2^8
4      8      16     32     64     128    256
Also memorize the decimal values for the number of bits set to 1 in an octet within
a mask:
Bits set to 1:    1      2      3      4      5      6      7      8
Decimal value:    128    192    224    240    248    252    254    255
In the following example, the network designer is subnetting the network address
172.30.0.0/16. The process of designing the scheme is as follows:
1. Work out how many subnets are required (remembering to allow for future
growth), then round this number up to the nearest power of 2.
For example, if you need 12 subnets, the next nearest power of 2 is 16. The
exponent is the number of bits you will need to add to your default mask.
For example, 16 is 2^4 (2 to the power of 4), so you will need to add 4 bits to
the network prefix. In dotted decimal format, the subnet mask becomes
255.255.240.0.
2. Work out how many hosts each subnet must support and whether there is
enough space left in the scheme to accommodate them.
For example, the network address is in the /16 range, and you are using 4
bits for subnetting, so you have 32–20 = 12 bits for hosts in each subnet. The
number of hosts per subnet can be expressed using the formula 2^n − 2, where
n is the number of bits you have allocated for the host ID. 12 bits is enough
for 4,094 hosts in each subnet.
You subtract 2 because each subnet's network address and broadcast address cannot
be assigned to hosts.
Wherever a 1 appears in the binary mask, the corresponding digit in the IP address is
part of the network or subnet address. When you are planning what your mask will be,
remember this rule. Allocate more bits in the mask if you need more subnets. Allocate
fewer bits in the mask if you need more hosts per subnet.
Just for comparison, if you have a /24 (or Class C) network address and try
to allocate 16 subnets, there will be enough space left for only 14 hosts per
subnet (2^4 − 2).
3. Work out the subnets. The easiest way to find the next subnet ID is to deduct
the least significant octet in the mask (240 in this example) from 256. This
gives the next subnet ID, which, in full, is 172.30.16.0/20.
Each subsequent subnet ID is the one before it plus the same increment: 32, 48,
64, and so on.
4. Work out the host ranges for each subnet. Take the subnet address and add
1 to it for the first host. For the last host, take the next subnet ID and
subtract 2 from it. For the 172.30.16.0/20 subnet, this is 172.30.16.1 and
172.30.31.254, respectively. Repeat for all subnets.
For example, rather than allocate a Class B (or /16) network address to a company,
several contiguous Class C (or /24) addresses could be assigned. Four /24 network
addresses give 1,016 hosts. However, this would mean complicated routing
with many entries in the routing tables to represent four IP networks at the
same location. Using CIDR collapses these routing entries into one single entry.
If the network addresses assigned to a company were 198.51.100.0 through to
198.51.103.0 and you wanted to view this as one network, you need to allocate two
bits from the network address to summarize the four networks. This makes the
supernet prefix /22 or the subnet mask 255.255.252.0.
The ANDing process is still used to determine whether to route. If the ANDed
result reveals the same network ID as the destination address, then it is the same
network. In this next example, the first IP address belongs to the supernet, but the
second is on a different company’s network:
Comparing two addresses with /22 prefixes. ANDing reveals that they are separate networks.
Routers external to the network just use this /22 prefix, so the complexity of the
LAN subnets is hidden and doesn’t need to clog up their routing tables. The LAN’s
internal routers use the /24 prefix or even multiple prefixes to create subnets of
different sizes.
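As an added example that is not part of the study guide, the following Python carries the four-step subnetting procedure and the supernet/ANDing check above through with plain integer bit operations, using the guide's 172.30.0.0/16, /24 and 198.51.100.0 to 198.51.103.0 figures. The function names are my own.

```python
# Added example (not from the study guide): IPv4 subnetting and supernetting
# with integer arithmetic. Function names are the author's own.

def dotted_to_int(addr: str) -> int:
    """'172.30.16.0' -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return int.from_bytes(bytes(octets), "big")

def int_to_dotted(n: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/20 -> 0xFFFFF000: the top 'prefix' bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def usable_hosts(prefix: int) -> int:
    """2^n - 2: network and broadcast addresses cannot be assigned to hosts."""
    return (1 << (32 - prefix)) - 2

def subnet_plan(network: str, prefix: int, subnets_needed: int) -> dict:
    """Steps 1-4 of the procedure: round the subnet count up to a power of 2,
    lengthen the mask by that many bits, then list each subnet's ID, first and
    last usable host, and broadcast address."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    subnet_bits = (subnets_needed - 1).bit_length()   # 12 -> 4 bits (16 subnets)
    new_prefix = prefix + subnet_bits
    if 32 - new_prefix < 2:
        raise ValueError("not enough host bits left for usable addresses")
    base = dotted_to_int(network) & prefix_to_mask(prefix)
    step = 1 << (32 - new_prefix)                      # addresses per subnet
    subnets = []
    for i in range(1 << subnet_bits):
        sid = base + i * step                          # next ID = previous + step
        subnets.append({
            "id": f"{int_to_dotted(sid)}/{new_prefix}",
            "first_host": int_to_dotted(sid + 1),          # subnet ID + 1
            "last_host": int_to_dotted(sid + step - 2),    # next subnet ID - 2
            "broadcast": int_to_dotted(sid + step - 1),
        })
    return {
        "prefix": new_prefix,
        "mask": int_to_dotted(prefix_to_mask(new_prefix)),
        "hosts_per_subnet": usable_hosts(new_prefix),
        "subnets": subnets,
    }

def same_network(addr_a: str, addr_b: str, prefix: int) -> bool:
    """The ANDing test: two addresses are on the same network when AND-ing
    each with the mask yields the same network ID."""
    mask = prefix_to_mask(prefix)
    return (dotted_to_int(addr_a) & mask) == (dotted_to_int(addr_b) & mask)

def summarize(networks: list, prefix: int) -> str:
    """Collapse contiguous, aligned /prefix networks into the shortest single
    CIDR entry (supernet) whose ANDed network ID covers all of them."""
    host_part = (~prefix_to_mask(prefix)) & 0xFFFFFFFF
    lowest = min(dotted_to_int(n) for n in networks)
    highest = max(dotted_to_int(n) for n in networks) | host_part  # last broadcast
    new_prefix = prefix
    while new_prefix > 0 and not same_network(
            int_to_dotted(lowest), int_to_dotted(highest), new_prefix):
        new_prefix -= 1                                # shorten until both AND alike
    return f"{int_to_dotted(lowest & prefix_to_mask(new_prefix))}/{new_prefix}"

if __name__ == "__main__":
    plan = subnet_plan("172.30.0.0", 16, 12)
    print(plan["mask"], plan["hosts_per_subnet"], "hosts per subnet")
    for s in plan["subnets"][:3]:
        print(s["id"], s["first_host"], "-", s["last_host"])
    print(summarize(["198.51.100.0", "198.51.101.0",
                     "198.51.102.0", "198.51.103.0"], 24))
```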
VLSM design usually proceeds by identifying the subnets with the most hosts and
organizing the scheme in descending order. As with any subnet calculations, it helps
to remember that each power of 2 is double the previous one:
2^2    2^3    2^4    2^5    2^6    2^7    2^8
4      8      16     32     64     128    256
1. In the example, the largest requirement is for 80 hosts. 2^6 has a maximum
of 64 values, which is not enough, so the nearest match in the table is 2^7.
This tells us that we need 7 bits for host addressing. This actually allows for
126 host addresses once the network and broadcast addresses have been
accounted for (2^7 − 2). Using 7 bits makes the prefix /25 (32 minus 7).
2. The next requirement is technically met by a 5-bit host address space, but as
this allows for exactly 30 addresses, there would be no room for growth. Using
6 bits might be safer, but for this scenario, we will choose the closest match
and adopt the /27 prefix.
3. The next three requirements are for 8, 12, and 12 hosts. These all require
4 bits, which gives 14 usable addresses.
4. The routers use point-to-point links, so no more than two addresses will ever
be required. This can be met by selecting a /30 prefix.
Office/Subnet                 Required Number    Mask Bits    Actual Number      Prefix
                              of IP Addresses                 of IP Addresses
Main Office 1 (Router A)      80                 7            126                /25
Main Office 2 (Router A)      30                 5            30                 /27
Main Office 3 (Router A)      8                  4            14                 /28
Branch Office (Router B)      12                 4            14                 /28
Branch Office (Router C)      12                 4            14                 /28
Router A – Router B           2                  2            2                  /30
Router A – Router C           2                  2            2                  /30
Router B – Router C           2                  2            2                  /30
All subnets except for Main Office 2 have room for growth.
In fact, if you analyze the final design, you will find that there are 36 unused
addresses at the end of the range. Consequently, there would have been space to
use a /26 prefix for the group of 30 hosts.
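The following VLSM allocator is an added example, not code from the study guide: it applies the largest-first rule and the "closest match" choice of host bits described above to the 198.51.100.0/24 requirements table, and reports how many addresses are left over. Function names are my own.

```python
# Added example (not from the study guide): a VLSM allocator for the
# requirements table above. Function names are the author's own.

def dotted_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def host_bits_for(required: int) -> int:
    """Smallest n such that 2^n - 2 >= required (the 'closest match' rule the
    text applies to the 30-host office). A point-to-point link needs n = 2."""
    n = 2
    while (1 << n) - 2 < required:
        n += 1
    return n

def vlsm_allocate(base_network: str, base_prefix: int, requirements: list) -> tuple:
    """requirements: list of (label, hosts). Subnets are handed out largest
    first, so each block starts on a multiple of its own size and no alignment
    padding is needed. Returns (rows, unused_addresses_at_end)."""
    # sort by block size rather than raw host count so the three 16-address
    # blocks keep the order they were listed in (sorted() is stable)
    ordered = sorted(requirements, key=lambda r: host_bits_for(r[1]), reverse=True)
    base = dotted_to_int(base_network)
    block = 1 << (32 - base_prefix)
    if base & (block - 1):
        raise ValueError("base network is not aligned to its prefix")
    end = base + block
    cursor = base
    rows = []
    for label, hosts in ordered:
        bits = host_bits_for(hosts)
        size = 1 << bits
        if cursor + size > end:
            raise ValueError(f"{label}: address block exhausted")
        prefix = 32 - bits
        rows.append({
            "office": label,
            "required": hosts,
            "mask_bits": bits,
            "actual": size - 2,                       # usable = 2^n - 2
            "subnet": f"{int_to_dotted(cursor)}/{prefix}",
            "mask": int_to_dotted((0xFFFFFFFF << bits) & 0xFFFFFFFF),
            "usable": f"{int_to_dotted(cursor + 1)}-{int_to_dotted(cursor + size - 2)}",
            "broadcast": int_to_dotted(cursor + size - 1),
        })
        cursor += size
    return rows, end - cursor

REQUIREMENTS = [  # the requirements table from the text
    ("Main Office 1 (Router A)", 80),
    ("Main Office 2 (Router A)", 30),
    ("Main Office 3 (Router A)", 8),
    ("Branch Office (Router B)", 12),
    ("Branch Office (Router C)", 12),
    ("Router A - Router B", 2),
    ("Router A - Router C", 2),
    ("Router B - Router C", 2),
]

if __name__ == "__main__":
    rows, spare = vlsm_allocate("198.51.100.0", 24, REQUIREMENTS)
    for r in rows:
        print(f"{r['office']:26} {r['subnet']:20} {r['mask']:16} "
              f"{r['usable']:32} {r['broadcast']}")
    print(f"unused addresses at end of range: {spare}")
```

Running it reproduces the address-range table that follows and confirms the 36 spare addresses mentioned above.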
The actual IP address ranges generated by the VLSM design are shown in this table.
Office                      Subnet               Subnet Mask        Usable Host Address    Broadcast Address
                                                                    Range (last octet)     (last octet)
Main Office 1 (Router A)    198.51.100.0/25      255.255.255.128    1–126                  127
Main Office 2 (Router A)    198.51.100.128/27    255.255.255.224    129–158                159
Main Office 3 (Router A)    198.51.100.160/28    255.255.255.240    161–174                175
Branch Office (Router B)    198.51.100.176/28    255.255.255.240    177–190                191
Branch Office (Router C)    198.51.100.192/28    255.255.255.240    193–206                207
Router A – Router B         198.51.100.208/30    255.255.255.252    209–210                211
Router A – Router C         198.51.100.212/30    255.255.255.252    213–214                215
Router B – Router C         198.51.100.216/30    255.255.255.252    217–218                219
The VLSM network topology can be summarized by this diagram:
Lesson 4.4
IP Troubleshooting Tools
TCP/IP command-line utilities enable you to gather information about how your
systems are configured and how they communicate over an IP network. When used
for troubleshooting, these utilities can provide information about communication
issues and their causes.
As you study this lesson, answer the following questions:
• What command-line tools report a host’s IP configuration? Are there different
tools for use in Windows and Linux?
• Is there a tool to verify whether one host can contact another host?
• How can I report information about how a host maps an IP address to a MAC
address?
ipconfig Tool
On a Windows host, the ipconfig command is widely used for basic configuration
reporting and support tasks. ipconfig can be used as follows:
• ipconfig without any switches will display the IP address, subnet mask, and
default gateway (router) for all network interfaces to which TCP/IP is bound.
There are also /release6 and /renew6 switches for use with DHCPv6 (a DHCP
server supporting IPv6).
ifconfig output.
net-tools has been replaced by the iproute2 package. These tools can interface
properly with modern network configuration manager packages. As part of the
iproute2 package, the ip command has options for managing routes as well as
the local interface configuration. The basic reporting functionality of ifconfig
(show the current address configuration) is performed by running ip addr;
to report a single interface only, use ip addr show dev eth0. The ip
link command shows the status of interfaces, while ip -s link reports
interface statistics.
ip a command output.
arp Tool
The Address Resolution Protocol (ARP) is used by hosts to determine which MAC
address is associated with an IP address on the local network. ARP queries are sent
as broadcasts. ARP broadcasts can generate considerable traffic on a network,
which can reduce performance. To optimize this process, the results of an ARP
broadcast are cached in an ARP table. An entry is held in the cache for a few
minutes; if it is not used again within that timeout period, it is deleted.
The arp command can be used to perform functions related to the ARP table
cache. You would use this to diagnose a suspected problem with local addressing
and packet delivery.
• arp -a (or arp -g) shows the ARP cache contents. You can use this with
IPAddress to view the ARP cache for the specified interface only. The ARP
cache will not necessarily contain the MAC addresses of every host on the local
segment. There will be no cache entry if there has not been a recent exchange of
frames.
• arp -d * deletes all entries in the ARP cache; it can also be used with
IPAddress to delete a single entry.
Output from the arp command showing network (IP) addresses mapped to physical (MAC)
addresses. Host interfaces are learned (dynamic), while broadcast and multicast interfaces are
configured statically. (Screenshot used with permission from Microsoft.)
In Linux, the ip neigh command shows entries in the local ARP cache (replacing
the old arp command).
Don't confuse the ARP cache with a MAC address table. ARP cache is maintained by layer
3 hosts and routers to map IP addresses to MAC addresses. A switch's MAC address
table contains the MAC addresses that the switch has seen on each of its ports.
ping Tool
The Internet Control Message Protocol (ICMP) is used to report errors and send
messages about the delivery of a packet. ICMP messages are generated under
error conditions in most types of unicast traffic but not for broadcast or multicast
packets.
ICMP can also be used to test and troubleshoot connectivity issues on IP networks.
The ping command sends a configurable number and size of ICMP request packets
to a destination host. ping is implemented on both Windows and Linux hosts.
ping can be used to perform a basic connectivity test that is not dependent on the
target host running any higher-level applications or services.
The Time to Live (TTL) IP header field is reduced by one every time a packet is
forwarded by a router (referred to as a hop). The TTL output field in the ping
command shows the value of the counter when the packet arrived at its destination.
To work out the number of hops it took, you need to know the initial value. Different
operating systems and OS versions use different default values. For example, if you ping
a remote host from a Windows 10 host and the TTL value in the output is 52, then you
know the packet took 12 hops (64–52) to reach its destination.
ping Switches
ping can be used with several switches. You can use a host name or fully qualified
domain name rather than an IP address to test name resolution. When pinging
by name, use -4 or -6 to force the tool to query the IPv4 host record or IPv6
host record respectively. Also, -t continues to ping the host until interrupted (by
pressing Ctrl+C).
ping has different syntax when used under Linux. By default, the command
executes until manually halted, unless run with the number of packets set by the
-c switch.
Lesson 4.5
IP Version 6
The previous topics focused on IP version 4 (IPv4), which is still the mainstream
version of the protocol. In this topic, you will explain IP version 6 (IPv6) addressing.
As a network professional, you should be aware of the limitations of IPv4 and the
increasing adoption of IPv6. You need to understand the characteristics of IPv6, as
well as how it can interoperate with existing IPv4 implementations.
As you study this section, answer the following questions:
• Why is IPv6 needed?
An IPv6 packet consists of two or three elements: the main header, which is a fixed
length (unlike in IPv4), one or more optional extension headers, and the payload. As
with an IPv4 header, there are fields for the source and destination addresses and
the version (0110 or 0x06 for IPv6). Some of the other header fields are as follows:
Field Explanation
Traffic Class Describes the packet’s priority.
Flow Label Used for quality of service (QoS) management, such as for
real-time streams. This is set to 0 for packets not part of
any delivery sequence or structure.
Payload Length Indicates the length of the packet payload, up to a
maximum of 64 KB; if the payload is bigger than that, this
field is 0, and a special Jumbo Payload (4 GB) option is
established.
Next Header Used to describe what the next extension header (if any) is,
or where the actual payload begins.
Hop Limit Replaces the TTL field in IPv4 but performs the same
function.
Extension headers replace the Options field in IPv4. There are several predefined
extension headers to cover functions such as fragmentation and reassembly,
security (IPSec), source routing, and so on.
2001:0db8:0000:0000:0abc:0000:def0:1234
Using canonical notation, the hex notation can be compressed further. Where a
double byte contains leading 0s, they can be ignored. In addition, one contiguous
series of 0s can be replaced by a double colon place marker. Thus, the prior address
would become:
2001:db8::abc:0:def0:1234
You can only use double colon compression once in a given address. For example,
2001:db8::abc::def0:1234 is not valid as it is unclear which of the
following two addresses is represented:
2001:db8:0000:0abc:0000:0000:def0:1234
2001:db8:0000:0000:0abc:0000:def0:1234
Where IPv6 addresses are used as part of a URL (web address), because both
formats use colon delimiters to mean different things, the IPv6 address must be
contained within brackets. For example:
https://[2001:db8::abc:0:def0:1234]/index.htm.
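As an added example (not code from the study guide), the Python below implements the compression rules just described: leading zeros dropped per group, the longest run of zero groups replaced by a single ::, the "only one ::" rule enforced, and the bracketed URL form. The function names are my own; the ambiguous_expansions helper lists the candidate addresses an illegal second :: would leave open.

```python
# Added example (not from the study guide): IPv6 text-form expansion and
# canonical compression. Function names are the author's own.
import itertools

def expand(addr: str) -> str:
    """Expand any valid textual IPv6 address to eight 4-digit hex groups."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: '::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must stand for at least one zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"{addr!r}: expected 8 groups, found {len(groups)}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)  # int() rejects non-hex text

def compress(addr: str) -> str:
    """Drop leading zeros in every group, then replace the longest run of two or
    more all-zero groups (the first such run on a tie) with '::'."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + ["end"]):        # sentinel flushes the last run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        run_len = 0
    if best_len < 2:                                 # a lone zero group stays as '0'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def ambiguous_expansions(addr: str) -> list:
    """For a malformed address containing more than one '::', list every
    address it could stand for; this is why a second '::' is not allowed."""
    parts = [p.split(":") if p else [] for p in addr.split("::")]
    gaps = len(parts) - 1
    missing = 8 - sum(len(p) for p in parts)
    results = []
    for fill in itertools.product(range(1, missing + 1), repeat=gaps):
        if sum(fill) != missing:
            continue
        groups = list(parts[0])
        for n, part in zip(fill, parts[1:]):
            groups += ["0"] * n + part
        results.append(":".join(f"{int(g, 16):04x}" for g in groups))
    return results

def in_url(addr: str, path: str = "/") -> str:
    """Bracket the address so its colons are not read as a port separator."""
    return f"https://[{compress(addr)}]{path}"

if __name__ == "__main__":
    print(compress("2001:0db8:0000:0000:0abc:0000:def0:1234"))
    print(ambiguous_expansions("2001:db8::abc::def0:1234"))
    print(in_url("2001:db8::abc:0:def0:1234", "/index.htm"))
```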
Network addresses are written using classless notation, where /nn is the length of
the network prefix in bits. Within the 64-bit network ID, as with IPv4 netmasks, the
length of any given network prefix is used to determine whether two addresses
belong to the same IP network. For example, if the prefix is /48, then if the first
48 bits of an IPv6 address were the same as another address, the two would belong
to the same IP network. This means that a given organization’s network can be
represented by a global routing prefix 48 bits long, and they then have 16 bits left in
the network ID to subnet their network. For example,
2001:db8:3c4d::/48
would represent a network address, while:
2001:db8:3c4d:0001::/64
would represent a subnet within that network address.
Like IPv4, IPv6 can use unicast, multicast, and anycast addressing. Unlike IPv4, there
is no broadcast addressing.
• The next 45 bits are allocated in a hierarchical manner to regional registries and
from them to ISPs and end users.
Interface ID/EUI-64
The 64-bit interface ID can be determined by using two techniques.
One is by using the interface’s MAC address. This is known as a MAC-derived
address or interface identifier. As a MAC address is 48 bits, a translation mechanism
allows driver software to create a 64-bit interface ID from these 48 bits. Formally,
this is called an Extended Unique Identifier-64 (EUI-64).
Two changes occur to derive the EUI-64 interface ID from an interface’s MAC
address. First, the digits fffe are added in the middle of the MAC address.
Second, the first 8 bits, or 2 hex digits, are converted to binary, and the 7th
bit (or U/L bit) is flipped (from 0 to 1 or 1 to 0). For example, the MAC address
00608c123abc would become the EUI-64 address 02608cfffe123abc,
which (when expressed in double bytes) becomes 0260:8cff:fe12:3abc, or
(without the leading 0) 260:8cff:fe12:3abc.
In the second technique, referred to as privacy extensions, the client device uses a
pseudorandom number for the interface ID. This is known as a temporary interface
ID or token. There is some concern that using interface identifiers would allow a
host to be identified and closely monitored when connecting to the Internet, and
using a token mitigates this to some degree.
The equivalent in IPv4 is Automatic Private IP Addressing (APIPA) and its 169.254.0.0
addresses. However, unlike IPv4, an IPv6 host is always configured with link local
addresses (one for each link), even if it also has a globally unique address.
A link local address is also appended with a zone index (or scope id) of the form
%1 (Windows) or %eth0 (Linux). This is used to define the source of the address
and make it unique to a particular link. For example, a given host may have links
to a loopback address, Ethernet, and a VPN. Each of these links may use the same
link local address, so each is assigned a zone ID to make it unique. Zone indices
are generated by the host system, so where two hosts communicate, they may be
referring to the link using different zone IDs.
While it is relatively uncommon for an interface to have more than one IPv4 address, in
IPv6 it is typical for an interface to have multiple addresses.
• The next 4 bits are used to flag types of multicast if necessary; otherwise, they
are set to 0.
• The next 4 bits determine the scope; for example, 1 is node-local (to all
interfaces on the same node), and 2 is link local.
• The final 112 bits define multicast groups within that scope.
The Multicast Listener Discovery (MLD) protocol allows nodes to join a multicast
group and discover whether members of a group are present on a local subnet.
Broadcast addresses are not implemented in IPv6. Instead, hosts use an
appropriate multicast address for a given situation. The well-known multicast
addresses are ones reserved for these types of broadcast functionality. They allow
an interface to transmit to all interfaces or routers on the same node or local link.
In IPv4, IP address resolution to a specific hardware interface is performed using
ARP. ARP uses inefficient broadcasts and requires every node to process its
messages, whether they are relevant to the node or not. IPv6 replaces ARP with the
Neighbor Discovery (ND) Protocol.
Each unicast address for an interface is configured with a corresponding solicited-
node multicast address. It has the prefix ff02::1:ff plus the last 24 bits of
the unicast address. The solicited-node address is used by ND to perform address
resolution. It greatly reduces the number of hosts that are likely to receive ND
messages (down to one in most cases) and is therefore much more efficient than
the old ARP broadcast mechanism.
IPv6 can also use anycast addressing, though as with IPv4, this is implemented by a
routing protocol rather than having a special range of addresses. Anycast interfaces
are those configured with the same IPv6 global unicast address.
Dual Stack
Dual stack hosts and routers can run both IPv4 and IPv6 simultaneously and
communicate with devices configured with either type of address. Most modern
desktop and server operating systems implement dual stack IP. Most modern dual
stack systems will try to initiate communications using IPv6 by default.
Most services are addressed using names rather than IP addresses. This means that the
preference for IPv6 over IPv4 or the availability of either addressing method depends on
the Domain Name System (DNS) records for the network.
Tunneling
As an alternative to dual stack, tunneling can be used to deliver IPv6 packets across
an IPv4 network. Tunneling means that IPv6 packets are inserted into IPv4 packets
and routed over the IPv4 network to their destination. Routing decisions are
based on the IPv4 address until the packets approach their destinations, at which
point the IPv6 packets are stripped from their IPv4 carrier packets and forwarded
according to IPv6 routing rules. This carries a high protocol overhead and is not
nearly as efficient as operating dual stack hosts.
NAT64
A third approach to transitioning from IPv4 to IPv6 is to use Network Address
Translation (NAT). This is a well-known process for rewriting network addresses as
they pass routing boundaries. With NAT64, an IPv6 host addresses an IPv4 host
using the prefix 64:ff9b::/96 plus the 32-bit IPv4 destination address. When
the packet reaches the gateway router, it strips the prefix and forwards the packet
using IPv4 headers. Replies from the IPv4 host are directed to the IPv6 host by
tracking connections using Transport layer port numbers.
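The following is an added example, not code from the study guide, that builds the addresses described in this lesson from their parts: the EUI-64 interface ID from the MAC 00608c123abc used in the text, the fe80::/64 link-local address, the solicited-node multicast address used by Neighbor Discovery, and the NAT64 64:ff9b::/96 mapping in both directions. It uses the standard ipaddress module for display; the function names are my own.

```python
# Added example (not from the study guide): constructing IPv6 addresses from
# their components. Function names are the author's own.
import ipaddress
from typing import Optional

def eui64_from_mac(mac: str) -> int:
    """Insert fffe between the OUI and NIC halves of the 48-bit MAC, then flip
    the U/L bit (the 7th bit of the first byte) to get the 64-bit interface ID."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = int(digits[:6] + "fffe" + digits[6:], 16)
    return eui ^ (1 << 57)          # bit 0x02 of the most significant byte

def groups(iid: int) -> str:
    """Show a 64-bit interface ID as four hex groups without leading zeros."""
    return ":".join(f"{(iid >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0))

def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix combined with the EUI-64 interface ID."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | eui64_from_mac(mac))

def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 plus the last 24 bits of the unicast address: the
    group Neighbor Discovery queries instead of broadcasting as ARP does."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def nat64_synthesize(ipv4: str) -> ipaddress.IPv6Address:
    """The IPv6 address an IPv6 host uses to reach an IPv4 host through NAT64."""
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(ipv4)))

def nat64_extract(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """What the NAT64 gateway does on the way out: strip the prefix and keep
    the low 32 bits. Returns None for addresses outside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

if __name__ == "__main__":
    mac = "00608c123abc"                  # the MAC used in the text
    iid = eui64_from_mac(mac)
    print(f"EUI-64 for {mac}: {iid:016x} -> {groups(iid)}")
    ll = link_local(mac)
    print(f"link-local: {ll}  solicited-node: {solicited_node(str(ll))}")
    print(f"NAT64 address for 198.51.100.1: {nat64_synthesize('198.51.100.1')}")
```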
The 0000::/8 block (that is, IPv6 addresses where the first bits are 0000 0000) is
reserved for special functions. Within this block, there are two special addresses
defined:
• Unspecified address (0:0:0:0:0:0:0:0)—A host that has not obtained a valid
address. This is often expressed as ::.
Lesson 4.6
IP Troubleshooting
IP Configuration Issues
Troubleshooting IP configuration issues takes place at the Network layer. If you can
rule out a problem at the Physical and Data Link layers, the next thing to check is
basic addressing and protocol configuration.
If a host cannot perform neighbor discovery to contact any other nodes on the local
network, first use ipconfig (Windows) or ip or ifconfig (Linux) to verify the
host configuration.
Incorrect IP Address
Each end system host must have the same netmask as its neighbors and an IP
address that produces a valid, unique host address within that subnet. A neighbor
in this sense is another host in the same layer 2 broadcast domain. For example,
if the subnet is 192.168.1.0/24, consider the following host address
configurations:
• Host A: IP: 192.168.1.10, Mask: 255.255.255.0
Host A and Host B have valid configurations, but Host C has an address in a
different subnet (192.168.0.0 compared to 192.168.1.0). Hosts A and B
will try to use the default gateway to forward packets to Host C. Host C is unlikely to
be able to communicate on the network at all.
When you encounter non-default masks, it can be slightly more difficult to identify
valid host ranges. For example, if the subnet address is 198.51.100.16/28,
consider the following host address configurations:
• Host A: IP: 198.51.100.10, Mask: 255.255.255.240
The network prefix boundary lies within the last octet, so you cannot rely on the
first three octets alone. However, if you convert the addresses to binary, you will
find that Host C is in a different subnet.
Also, remember that neither the network address nor the broadcast address can be
used as a host address.
Because it is using a longer prefix than it should, Host C will think it needs to route
to a different subnet to communicate with Hosts A and B. This will cause packets to
go via the router, placing unnecessary load on it.
The other scenario for an incorrect mask is where the mask is shorter than it should
be:
• Host A: IP: 192.168.1.10, Mask: 255.255.255.0
In this case, the problem will not be obvious if Hosts A, B, and C are attached to
the same switch, as they will be able to use ARP messaging and receive replies.
However, Host C will not be able to contact Host D, as it thinks that Host D
is on the same local network, whereas in fact it needs to route messages for
192.168.0.0/24 via the default gateway.
In this scenario, the router might send ICMP redirect status messages to Host C.
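The check below is an added example, not code from the study guide: it tests a set of host configurations against the intended subnet and reports each of the faults described above (wrong subnet, mask too long, mask too short, network or broadcast address used as a host), and shows whether a host would send to a destination directly or via the gateway. Host A is the configuration from the text; the other hosts are constructed for the example and the function names are my own.

```python
# Added example (not from the study guide): validating host IP configurations
# against the intended subnet. Function names are the author's own.
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

def sends_directly(host_cfg: str, dest: str) -> bool:
    """Would this host ARP for dest on the local link (True) or hand the packet
    to its default gateway (False)? Decided purely by the host's own mask."""
    return IPv4Address(dest) in IPv4Interface(host_cfg).network

def diagnose(hosts: dict, intended_subnet: str) -> dict:
    """hosts: name -> 'ip/mask' (prefix length or dotted mask).
    Returns name -> list of findings; an empty list means the config is valid."""
    intended = IPv4Network(intended_subnet)
    findings = {}
    for name, cfg in hosts.items():
        iface = IPv4Interface(cfg)
        notes = []
        if iface.ip not in intended:
            notes.append(f"address {iface.ip} is not in {intended}; neighbours will "
                         "hand its traffic to the default gateway")
        elif iface.ip in (intended.network_address, intended.broadcast_address):
            notes.append(f"{iface.ip} is the network or broadcast address and "
                         "cannot be assigned to a host")
        own = iface.network.prefixlen
        if own > intended.prefixlen:
            notes.append(f"mask too long (/{own} instead of /{intended.prefixlen}); "
                         "local neighbours outside the smaller subnet will be sent via the router")
        elif own < intended.prefixlen:
            notes.append(f"mask too short (/{own} instead of /{intended.prefixlen}); "
                         "remote networks will be treated as local and not routed")
        findings[name] = notes
    return findings

# Constructed sample configurations for the 192.168.1.0/24 subnet in the text.
HOSTS = {
    "Host A": "192.168.1.10/255.255.255.0",    # from the text: valid
    "Host B": "192.168.1.20/255.255.255.0",    # constructed: valid
    "Host C": "192.168.0.30/255.255.255.0",    # constructed: address in the wrong subnet
    "Host X": "192.168.1.40/255.255.255.128",  # constructed: mask longer than it should be
    "Host Y": "192.168.1.50/255.255.0.0",      # constructed: mask shorter than it should be
}

if __name__ == "__main__":
    for host, notes in diagnose(HOSTS, "192.168.1.0/24").items():
        print(host, "OK" if not notes else "; ".join(notes))
    # Host Y wrongly believes a 192.168.0.0/24 host is on its own link
    print("Host Y sends directly to 192.168.0.40:",
          sends_directly(HOSTS["Host Y"], "192.168.0.40"))
```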
Issues with MAC addressing can be a sign that someone is attempting to perform a
spoofing attack. Spoofing attacks are discussed later in the course.
To diagnose MAC address issues, use the arp utility to verify the MAC addresses
recorded for each host and ipconfig or ip neigh to check the MAC address
assigned to the interface. Also check the MAC address and ARP tables on any
switches and routers involved in the communications path. You can use a protocol
analyzer to examine ARP traffic and identify which IP hosts are attempting to claim
the same MAC address.
IP Forwarding Issues
If the address configuration on the local host seems to be correct, you can complete
a series of connectivity tests using ping to determine the likely location and scope of
a fault.
2. Ping the IP address of the local host to verify it was added correctly and to
verify that the network adapter is functioning properly. If you cannot ping
the host’s own address, there might have been a configuration error, or the
network adapter or adapter driver could be faulty.
3. Ping the IP address of the default gateway to verify it is up and running and
that you can communicate with another host on the local network.
4. Ping the IP address of other hosts on the same subnet to test for local
configuration or link problems.
5. Ping the IP address of a remote host to verify you can communicate through
the router. If a remote IP address cannot be contacted, check the default
gateway parameter on the local host to rule out an incorrect default gateway
issue. If the gateway is configured correctly and you can ping the router, you
need to start investigating the routing infrastructure.
When performing tests using ping, always be aware that ICMP could be blocked by a
firewall or other security software, especially when pinging remote hosts.
This methodical approach is suitable when you cannot diagnose the cause of a problem,
or when you are verifying a new or changed IP configuration. In practice, you might
start with a simple ping test to a remote host to identify or reproduce the problem.
Module 4
Summary
• The use of 32-bit IPv4 addresses and netmasks or network prefixes to identify
networks and subnets within networks.
• The role of the Address Resolution Protocol (ARP) in mapping layer 3 IP
addresses to layer 2 MAC addresses.
• How features of classless addressing such as supernetting and VLSM allow for
better routing design and address space utilization.
• Allocate more bits to the netmask to create more subnets with fewer hosts per
subnet, or fewer bits to the netmask to create fewer subnets with more hosts
per subnet.
• Use the arp and ping utilities to troubleshoot issues with local addressing and
connectivity.
• Ping loopback, local, and then remote to determine connectivity and problem
scope.
• The use of 128-bit IPv6 addresses with network prefixes and 64-bit
interface identifiers.
• The use of local and global unicast plus multicast addressing schemes.
• Dual stack, tunneling, and NAT64 mechanisms to transition from IPv4 to IPv6
networks.
Module 5
Configuring Routing and Advanced
Switching
Module Introduction
Now that you are aware of the basic concepts of IP addressing and forwarding, you
can start identifying ways that paths between networks are implemented. Routers
work at layer 3 to aggregate information about neighboring networks and forward
packets along an appropriate path to their final destination.
While configuring routing infrastructure is often a senior job role, you should
understand basic concepts and be able to apply them to solve common issues.
Module Objectives
In this module, you will do the following:
• Compare and contrast routing concepts.
Lesson 5.1
Routing Technologies
Routers support internetworks of all sizes and types. It is critical for a network
professional to understand the process a router applies to make forwarding
decisions. In this lesson, you will examine routing tables and how they are used to
select a forwarding path. You will also learn to use command line tools to report
and test the routing configuration.
As you study this lesson, answer the following questions:
• What is the function of a routing table?
• What are the uses of route, show route, tracert, and traceroute tools?
• Gateway/next hop—The IP address of the next router along the path to the
destination.
Routing table for a Cisco router showing directly connected subnets (C) and routes learned from
the EIGRP dynamic protocol (D). There is also a static route identifying the gateway of last resort/
default gateway. (Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
An IPv4 host route has a /32 prefix, while an IPv6 host route has a /128 prefix. Directly
connected hosts are often defined by host routes. Anycast addressing also requires that
the anycast address be entered in routing tables as a host route.
• Remote routes—For subnets and IP networks that are not directly attached.
• Host routes—To a specific IP address. A host route has a /32 (IPv4) or /128 (IPv6)
prefix.
• Default route—To use when an exact match for a network or host route is not
found.
Static Routes
A static route is manually added to the routing table and only changes if edited
by the administrator. Configuring static routing entries can be useful in some
circumstances, but it can be problematic if the routing topology changes often, as
each route on each affected router needs to be updated manually.
Default Route
A default route is a special type of static route that identifies the next hop router
for a destination that cannot be matched by another routing table entry. The
destination address 0.0.0.0/0 (IPv4) or ::/0 (IPv6) is used to represent the default
route. The default route is also described as the gateway of last resort. Most end
systems are configured with a default route (pointing to the default gateway).
This may also be the simplest way for an edge router to forward traffic to an ISP’s
routers.
• The router has been configured with static routes to 10.0.3.0/24 and 10.0.4.0/24,
both of which are reachable via interface G1.
Router B has been configured in the same way, but here the networks 10.0.2.0/24
and 10.0.3.0/24 are directly connected, and the paths to 10.0.1.0/24 and 10.0.4.0/24
are configured as static entries.
Router C has been configured differently. It is directly connected to 10.0.3.0/24 and
10.0.4.0/24, but the only static route configured is for 0.0.0.0/0. This is a default
route. While the router has no specific knowledge of networks 10.0.1.0/24 and
10.0.2.0/24, it will forward packets for these destinations over its G0 interface.
Packet Forwarding
When a router receives a packet, it reads the destination address in the packet and
looks up a matching destination network IP address and prefix in its routing table.
If there is a match, the router will forward the packet out of one of its interfaces by
encapsulating the packet in a new frame:
• If the packet can be delivered to a directly connected network via an Ethernet
interface, the router uses ARP (IPv4) or Neighbor Discovery (ND in IPv6) to
determine the Data Link layer address of the destination interface.
• If the packet can be forwarded via a gateway over an Ethernet interface, it inserts
the next hop router’s MAC address as the destination address in a new frame
and uses the MAC address of the outgoing interface as the source address.
• If the packet can be forwarded via a gateway over another type of interface
(leased line or DSL, for instance), the router encapsulates the packet in an
appropriate frame type.
Hop Count
If the packet is forwarded via a gateway, this process is repeated at each router to
deliver the packet through the internetwork. Each router along the path counts as
one hop. For example, in the network shown in the figure, Host A takes one hop to
communicate with LOCAL_SRV via a directly connected interface on the LAN router.
Note that the switches do not count as hops. Host B takes multiple hops (nine) to
communicate with REMOTE_SRV, with traffic routed via two ISP networks. Also,
observe the alternative routes that could be taken. Do any have a lower hop count?
Time to Live
At each router, the Time to Live (TTL) header field is decreased by at least 1. This
could be greater if the router is congested. The TTL is nominally the number of
seconds a packet can stay on the network before being discarded. While TTL is
defined as a unit of time (seconds), in practice, it is interpreted as a maximum hop
count. When the TTL is 0, the packet is discarded. This prevents badly addressed
packets from permanently circulating the network.
In IPv6, the field is named Hop Limit to formalize the fact that it is a counter, not a timer.
Fragmentation
IP provides best-effort delivery of an unreliable and connectionless nature.
Delivery is not guaranteed, and a packet might be lost, delivered out of sequence,
duplicated, or delayed. It is possible that due to limitations in the underlying
network, IP may fragment the packet into more manageable pieces to fit within the
maximum transmission unit (MTU) of the Data Link protocol frame.
In IPv4, the ID, Flags, and Fragment Offset IP header fields are used to record the
sequence in which the packets were sent and to indicate whether the IP datagram
has been split between multiple frames for transport over the underlying Data Link
protocol. For example, the MTU of an Ethernet frame is usually 1,500 bytes. An IP
datagram larger than 1,500 bytes would have to be fragmented across more than
one Ethernet frame. A datagram passing over an internetwork might have to be
encapsulated in different Data Link frame types, each with different MTUs.
Most systems try to avoid IP fragmentation. IPv6 does not allow routers to perform
fragmentation. Instead, the host performs path MTU discovery to work out the MTU
supported by each hop and crafts IP datagrams that will fit the smallest MTU.
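The following is an added worked example, not code from the study guide. It shows how the Identification, More Fragments (MF) flag, and Fragment Offset fields described above are filled in when a datagram is split to fit a link MTU, how a router re-fragments a fragment for a downstream link with a smaller MTU, and how the receiver reassembles the pieces in any arrival order. The MTU values, payload size, and identification number are constructed for the example.

```python
"""IPv4 fragmentation and reassembly worked example.

Added illustration, not code from the study guide. It fills the
Identification, More Fragments (MF) flag and Fragment Offset fields the way
the text describes, and shows a router re-fragmenting a fragment for a link
with a smaller MTU. MTU values, payload size and the identification number
are constructed for the example.
"""
from dataclasses import dataclass

IPV4_HEADER_LEN = 20  # header without options; every fragment carries one


@dataclass
class Fragment:
    identification: int   # identical for every fragment of one datagram
    more_fragments: bool  # MF flag: set on every fragment except the last
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    payload: bytes

    @property
    def byte_offset(self) -> int:
        return self.offset_units * 8


def fragment(payload: bytes, mtu: int, identification: int) -> list:
    """Split a datagram payload so each fragment fits in `mtu` bytes.

    Every fragment but the last carries a multiple of 8 payload bytes,
    because Fragment Offset is expressed in 8-byte units.
    """
    if mtu < IPV4_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry a fragment")
    if len(payload) + IPV4_HEADER_LEN <= mtu:
        # Fits in a single frame: offset 0, MF clear, nothing to do.
        return [Fragment(identification, False, 0, payload)]
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    frags = []
    pos = 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_payload]
        is_last = pos + len(chunk) >= len(payload)
        frags.append(Fragment(identification, not is_last, pos // 8, chunk))
        pos += len(chunk)
    return frags


def refragment(frag: Fragment, mtu: int) -> list:
    """A router forwarding `frag` over a smaller-MTU link fragments it again.

    Offsets are relative to the original datagram, so the new offsets are
    added to the incoming fragment's offset, and only the final piece keeps
    the incoming fragment's MF flag.
    """
    pieces = fragment(frag.payload, mtu, frag.identification)
    out = []
    for i, piece in enumerate(pieces):
        is_last = i == len(pieces) - 1
        out.append(Fragment(frag.identification,
                            frag.more_fragments if is_last else True,
                            frag.offset_units + piece.offset_units,
                            piece.payload))
    return out


def reassemble(frags: list) -> bytes:
    """Reassemble fragments of one datagram, whatever order they arrived in."""
    if len({f.identification for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset_units)
    if ordered[-1].more_fragments:
        raise ValueError("final fragment missing (MF still set)")
    data = b""
    for f in ordered:
        if f.byte_offset != len(data):   # gap or overlap: datagram incomplete
            raise ValueError("unexpected fragment offset %d" % f.byte_offset)
        data += f.payload
    return data


if __name__ == "__main__":
    datagram = bytes(range(256)) * 12          # 3,072-byte payload, constructed
    frags = fragment(datagram, mtu=1500, identification=0x1234)
    for f in frags:
        print(f"id={f.identification:#06x} MF={int(f.more_fragments)} "
              f"offset={f.byte_offset:5d} len={len(f.payload)}")
    # The first fragment then crosses a 576-byte MTU link and is split again.
    again = refragment(frags[0], mtu=576) + frags[1:]
    print("reassembled OK:", reassemble(list(reversed(again))) == datagram)
```

Running the script shows why fragmentation is avoided where possible: a single 3,072-byte datagram becomes five frames after the second link, and losing any one of them makes reassembly fail, since the receiver cannot request just the missing piece.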
Router Configuration
Routers serve both to link physically remote networks and subdivide autonomous
IP networks into multiple subnets. Router placement is primarily driven by the IP
networks and subnets that have been created:
• Hosts with addresses in the same subnet or IP network must not be separated
by a router.
Configuring RIP on a VyOS-based software router. The host can be configured at a local terminal or
from a remote computer over Secure Shell (SSH).
Having placed the router at an appropriate point in the network, connected its
cabling, and established a management session, the principal configuration tasks
are as follows:
• Apply an IP configuration to each interface.
• Configure one or more routing protocols and/or static routes so that the router
can serve its function.
show route
The show ip route, show ipv6 route, or similar show route command
will output the active routing table. As well as destination, gateway, AD/metric, and
interface, the output will show the source of the route, identified as a letter code
(C = connected, S = static, R = RIP, B = BGP, D = EIGRP, O = OSPF, and so on).
show arp
As with any IP host, a router keeps a cache of IP addresses that have been resolved
to MAC addresses via the Address Resolution Protocol (ARP). Inspecting the ARP
cache table is useful for discovering duplicate IP addresses, IP misconfigurations,
and routing protocol misconfigurations. To view the cache, use show arp or
show ip arp.
Each of the router’s interfaces has a separate ARP cache. If an entry is listed as
incomplete, the router has sent an ARP request but has not received a reply. This
indicates that it expects a host with that IP to be present on that network but that
the host is not available.
IPv4 and IPv6 routing tables for a Windows host. For IPv4, the host uses 10.11.2.5 as its default
gateway. The IPv6 default gateway uses the router's link-local interface address.
(Screenshot used with permission from Microsoft.)
In Linux, the route command is part of the older, deprecated package of tools.
You can use ip route show and ip route add to achieve the same ends.
traceroute
traceroute is supported on Linux and router operating systems, such as Cisco
IOS. traceroute uses UDP probe messages by default. The command issues
a UDP probe for port 33434 with a TTL of 1. The first hop should reduce the TTL
to zero and respond with an ICMP Time Exceeded message. The command then
increments the port number and TTL by one and sends a second probe, which
should reach the second hop router. This process is repeated until the end node is
reached, which should reply with an ICMP Port Unreachable response.
The output shows the number of hops, the IP address of the ingress interface of the
router or host (that is, the interface from which the router receives the probe), and
the time taken to respond to each probe in milliseconds (ms). If no acknowledgment
is received within the timeout period, an asterisk is shown against the probe. Note
that while this could indicate that the router interface is not responding, it could
also be that the router is configured to drop packets with expired TTLs silently.
traceroute can be configured to send ICMP Echo Request probes rather than
UDP by using traceroute -I. The traceroute -6 or traceroute6
commands are used for IPv6 networks.
tracert
On a Windows system, the same function is performed using the tracert
command. tracert uses ICMP Echo Request probes by default. The command
issues an Echo Request probe with a TTL of 1. The first hop should reduce this to
zero and respond with a Time Exceeded response. tracert then increments the
TTL by one each time to discover the full path.
Using tracert in Windows to plot the path from a host in the UK to CompTIA's web server.
(Screenshot used with permission from Microsoft.)
tracert can be used with several switches, which must precede the target IP
address or host.
You can use the -d switch to suppress name resolution, -h to specify the
maximum number of hops (the default is 30), and -w to specify a timeout in ms
(the default is 4,000). If, after increasing the value, destinations are then reachable,
you probably have a bandwidth issue to resolve. When used with host names
(rather than IP addresses), tracert can be forced to use IPv6 instead of IPv4 by
adding the -6 switch.
tracert -6 www.microsoft.com
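The following is an added simulation, not code from the study guide, that models the probing mechanism described in the traceroute and tracert sections: each router decrements the TTL, the router that takes it to zero returns ICMP Time Exceeded (or nothing, if it drops expired packets silently, which appears as an asterisk), and the end node answers the final probe with Port Unreachable for UDP probes or Echo Reply for ICMP probes. The router addresses are constructed documentation-range values, and the path is a list rather than a real network.

```python
"""Simulated traceroute/tracert probing.

Added illustration, not code from the study guide. It models the mechanism
described above: each router decrements the TTL, the router that takes it to
zero replies with ICMP Time Exceeded, and the end node answers the final
probe with Port Unreachable (UDP probes) or Echo Reply (ICMP probes).
The router addresses are constructed documentation-range values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BASE_UDP_PORT = 33434    # first destination port used by Linux traceroute
DEFAULT_MAX_HOPS = 30    # tracert -h default


@dataclass
class Router:
    ingress_ip: str        # address of the interface that receives the probe
    silent: bool = False   # drops expired-TTL packets without sending ICMP


@dataclass
class Probe:
    ttl: int
    proto: str                      # "udp" (traceroute default) or "icmp" (tracert default)
    dst_port: Optional[int] = None  # UDP probes only


def send_probe(probe: Probe, path: List[Router], target_ip: str) -> Tuple[Optional[str], str]:
    """Forward one probe along `path`; return (responder_ip, reply_type)."""
    ttl = probe.ttl
    for router in path:
        ttl -= 1                      # each router decrements TTL by at least 1
        if ttl == 0:                  # expired here: discard and report back
            if router.silent:
                return None, "timeout"          # shown as "*" in the output
            return router.ingress_ip, "time-exceeded"
    # TTL survived every router, so the end node received the probe.
    if probe.proto == "udp":
        return target_ip, "port-unreachable"    # nothing listens on the high port
    return target_ip, "echo-reply"


def trace(path: List[Router], target_ip: str, proto: str = "udp",
          max_hops: int = DEFAULT_MAX_HOPS) -> List[Tuple[int, str, str]]:
    """Probe with TTL 1, 2, 3, ... until the target answers or max_hops is hit."""
    hops = []
    port = BASE_UDP_PORT
    for ttl in range(1, max_hops + 1):
        probe = Probe(ttl, proto, port if proto == "udp" else None)
        responder, reply = send_probe(probe, path, target_ip)
        hops.append((ttl, responder or "*", reply))
        if reply in ("port-unreachable", "echo-reply"):
            break                     # destination reached
        if proto == "udp":
            port += 1                 # traceroute bumps the port for each probe
    return hops


if __name__ == "__main__":
    # Constructed three-router path; the middle router drops expired packets silently.
    PATH = [Router("192.0.2.1"), Router("198.51.100.1", silent=True), Router("203.0.113.1")]
    for ttl, ip, reply in trace(PATH, "203.0.113.50", proto="udp"):
        print(f"{ttl:2d}  {ip:16s} {reply}")
```

The second line of the output is an asterisk even though the path is intact, which is the point made above: a timeout at one hop does not by itself mean that hop is down, only that it did not send ICMP back.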
Lesson 5.2
Dynamic Routing Technologies
• What are the most common routing protocols? Which protocol is best for each
situation?
Convergence
Convergence is the process whereby routers running dynamic routing algorithms
agree on the network topology. Routers must be capable of adapting to changes
such as newly added networks, router or router interface failures, link failures, and
so on. Routers must be able to communicate changes to other routers quickly to
avoid sinkholes and loops. A sinkhole means that a packet is discarded without
notification back to the source; a loop causes a packet to be forwarded around the
network until its TTL expires.
A network where all the routers share the same topology is described as steady
state. The time taken to reach steady state is a measure of a routing protocol’s
convergence performance.
A flapping interface is one that frequently changes from online to offline and offline to
online. Similarly, route flapping refers to a router changing the properties of a route it is
advertising quickly and often. Flapping can cause serious convergence problems.
Autonomous Systems
As well as the algorithm used to determine the network topology, routing protocols
can be classified according to the way they deal with administrative boundaries.
A network under the administrative control of a single owner is referred to as an
autonomous system (AS). An Interior Gateway Protocol (IGP) is one that identifies
routes within an AS. An Exterior Gateway Protocol (EGP) is one that can advertise
routes between autonomous systems. An EGP includes a field to communicate the
network’s autonomous system ID and allows network owners to determine whether
they can use paths through another organization’s network.
The following example illustrates a mesh topology where there are multiple paths
between networks. Router A has two possible paths to network 10.0.3.0/24, which
it learns from Router B and Router C. It can forward a packet out of its G1 interface
over network 10.0.2.0/24, which will take one hop to reach the destination. It could
also forward the packet out of G2 and reach the destination via Router C and then
Router B. This takes two hops and so is not used as the preferred route.
If Router A’s G1 link goes down, those entries will be removed from the routing
table, and the alternative routes via 10.0.4.0/24 will be selected:
To help prevent looping, the maximum hop count allowed is 15. Consequently, this
limits the maximum size of a RIP network, since networks that have a hop count of
16 or higher are unreachable.
• Delay—Applies a cost based on the time it takes for a packet to traverse the
link. This metric is most important if the route is used to carry time-sensitive
data, such as voice or video. Delay is calculated as the cumulative value for all
outgoing interfaces in the path.
Where RIP sends periodic updates of its entire routing information base, EIGRP
sends a full update when it first establishes contact with a neighbor and thereafter
only sends updates when there is a topology change. This is more efficient and less
disruptive to large networks, giving it the best convergence performance in many
scenarios. EIGRP does use regular hello messaging to confirm connectivity with
its neighbors. Unlike RIP, EIGRP maintains a topology table alongside its routing
information base. The topology table is used to prevent loops while also supporting
a greater number of maximum hops than RIP (nominally up to 255).
EIGRP is a default IP protocol, which means that it is encapsulated directly in IP
datagrams, rather than using TCP or UDP. It is tagged with the protocol number
88 in the Protocol field of the IP header. Updates are transmitted using multicast
addressing.
Messages are sent as multicasts using OSPF’s own datagram format. This is tagged
as protocol number 89 in the IP datagram’s Protocol field. There are various packet
types and mechanisms to ensure sequencing and reliable delivery and to check for
errors. OSPF also supports plaintext or cryptographic authentication.
Route Selection
If a router has multiple entries to similar networks in its routing table, it must
determine which route to prefer. The first determining factor is that longer prefixes
are preferred over shorter ones. This is referred to as longest prefix match. For
example, a routing table contains the following two entries:
198.51.100.0/24 g0
198.51.100.0/28 g1
If the router receives a packet for 198.51.100.1, the packet will be routed via
g1, as that has the longer and more specific prefix.
Each routing protocol supported by the router can add a single route for any given
destination prefix to the routing table. This means that there might be more than
one route with an identical length prefix in the routing table. Each routing protocol
uses its metric to determine the least-cost path for routes with identical prefix
lengths. However, as routing protocols use different methods to calculate the
metric, it cannot be used to compare routes from different protocols in the overall
IP routing table. Instead, an administrative distance (AD) value is used to express
the relative trustworthiness of the protocol supplying the route. Default AD values
are coded into the router but can be adjusted by the administrator if necessary.
Source AD
Local interface/Directly connected 0
Static route 1
BGP 20
EIGRP 90
OSPF 110
RIP 120
Unknown 255
This means, for example, that given identical prefix lengths, a static route will be
preferred to anything other than directly connected networks and that a route
discovered by EIGRP would be preferred to one reported by OSPF. The value of 255
for unknown routes means that they will not be used.
Conversely, a static route with a high AD could be defined to function as a backup
if a learned route update fails. In normal circumstances, the router will prefer the
learned route because it has a lower AD.
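The following is an added worked example, not code from the study guide, that applies the selection order described in this section: longest prefix match first, then administrative distance for routes of equal prefix length, then the protocol's own metric. The AD values are the defaults from the table above; the routes, interface names and metrics are constructed, and a static route with a raised AD is included to show the backup (floating static) behaviour the last paragraph describes.

```python
"""Route selection: longest prefix match, then administrative distance, then metric.

Added illustration, not code from the study guide. The AD values are the
defaults from the table above; the routes, interface names and metrics are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from the table above (lower = more trusted).
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
    "ospf": 110, "rip": 120, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: str                # destination network, e.g. "198.51.100.0/24"
    interface: str             # egress interface
    source: str                # key into ADMIN_DISTANCE
    metric: int = 0            # protocol-specific cost; comparable only within one protocol
    ad_override: Optional[int] = None   # administrator-adjusted AD (floating static)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.source] if self.ad_override is None else self.ad_override


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the routing table entry a router would use for `destination`."""
    dst = ipaddress.ip_address(destination)
    candidates = [
        r for r in table
        if r.network.version == dst.version
        and dst in r.network
        and r.admin_distance < 255          # AD 255: the route is never used
    ]
    if not candidates:
        return None                          # no match, not even a default route
    # Longest prefix first; among equal prefixes the lowest AD; then lowest metric.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, r.admin_distance, r.metric))


if __name__ == "__main__":
    TABLE = [
        Route("198.51.100.0/24", "g0", "static"),               # the text's two entries
        Route("198.51.100.0/28", "g1", "static"),
        Route("10.0.3.0/24", "g2", "eigrp", metric=3072),       # learned route
        Route("10.0.3.0/24", "g3", "ospf", metric=10),          # same prefix, less trusted source
        Route("10.0.3.0/24", "g4", "static", ad_override=200),  # floating static backup
        Route("0.0.0.0/0", "g0", "static"),                     # gateway of last resort
    ]
    for dst in ("198.51.100.1", "198.51.100.200", "10.0.3.7", "172.16.9.9"):
        best = select_route(TABLE, dst)
        print(f"{dst:16s} -> {best.prefix:18s} via {best.interface} "
              f"({best.source}, AD {best.admin_distance})")
    # Both dynamic routes withdrawn: the floating static now wins.
    without_dynamic = [r for r in TABLE if r.source not in ("eigrp", "ospf")]
    print("backup route:", select_route(without_dynamic, "10.0.3.7").interface)
```

Note that the OSPF route's metric of 10 never competes with the EIGRP metric of 3072; the comparison between the two protocols is made on AD alone, exactly as the text explains.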
Lesson 5.3
Network Address Translation
As well as understanding the different types of routing algorithms, you must be able
to install routing devices to an appropriate place in the network. This lesson will
help you to understand the role of routers placed at the network edge or perimeter.
On IPv4 networks, this role involves the use of Network Address Translation (NAT)
to manage communications between public and private address schemes.
As you study this lesson, answer the following questions:
• Why is there a requirement for network address translation?
Edge Routers
Edge routers, placed at the network perimeter, are typified by distinguishing
external (Internet-facing) and internal interfaces. These routers can perform
framing to repackage data from the private LAN frame format to the WAN Internet
access frame format. The customer’s router is referred to as the customer edge
(CE), while the service provider’s router is referred to as the provider edge (PE).
An integrated services router. This type of device combines DSL Internet access with Ethernet
switch, Wi-Fi, and VoIP for a “one box” solution for remote sites and branch offices.
(Image © 123RF.com.)
Routers designed to service medium to large networks are complex and expensive
appliances. They feature specialized processors to handle the routing and
forwarding processes, and memory to buffer data. Most routers of this class will
also support plug-in cards for WAN interfaces. Another important feature is support
for different methods of configuring site-to-site virtual private networks (VPNs).
An advanced services router. This type of device provides network edge connectivity
over Carrier Ethernet networks. (Image © 123RF.com.)
Where the NAT device performs forwarding over selected ports only, this can be referred
to as port forwarding.
A single static mapping is not very useful in most scenarios. Under dynamic NAT,
the NAT device exposes a pool of public IP addresses. To support inbound and
outbound connections between the private network and the Internet, the NAT
service builds a table of public to private address mappings. Each new session
creates a new public-private address binding in the table. When the session is
ended or times out, the binding is released for use by another host.
Defining a one-to-one NAT rule on an OPNsense router/firewall. This rule maps hosts using a
172.200.0.0/24 addressing scheme to 10.200.0.0/24 addresses.
(Screenshot used with permission from OPNsense.)
PAT works by allocating each new connection an ephemeral Transport layer port ID.
For example, say two hosts (10.0.0.101 and 10.0.0.102) initiate a web connection at
the same time. The PAT service creates two new port mappings for these requests
(10.0.0.101:61101 and 10.0.0.102:61102) in its state table. It then substitutes the
private IP for the public IP and forwards the requests to the public Internet. It
performs a reverse mapping on any traffic returned using those ports, inserting the
original IP address and port number, and forwarding the packets to the internal
hosts.
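The following is an added worked example, not code from the study guide, that models the PAT state table described above: each new outbound session is allocated an ephemeral port on the single public address, returning traffic is reverse-mapped to the original private address and port, and a binding is released when the session has been idle beyond a timeout. The private hosts and the first port number follow the text; the public address, the server address, and the idle timeout are constructed values.

```python
"""Port Address Translation state table.

Added illustration, not code from the study guide. The private hosts and the
starting port follow the text; the public address, server address and idle
timeout are constructed documentation values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PATTable:
    """State table keyed by (protocol, public port)."""

    def __init__(self, public_ip: str, first_port: int = 61101, idle_timeout: float = 300.0):
        self.public_ip = public_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout
        # (proto, public port) -> (original private flow, time last seen)
        self.bindings: Dict[Tuple[str, int], Tuple[Flow, float]] = {}

    def expire(self, now: float) -> None:
        """Release bindings whose session has been idle longer than the timeout."""
        stale = [k for k, (_, seen) in self.bindings.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.bindings[k]

    def _allocate_port(self, proto: str) -> int:
        while (proto, self.next_port) in self.bindings:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("ephemeral port range exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, flow: Flow, now: float) -> Flow:
        """Translate a packet leaving the private network; create a binding if new."""
        self.expire(now)
        for key, (bound, _) in self.bindings.items():
            if bound == flow:                       # existing session: refresh and reuse
                self.bindings[key] = (bound, now)
                return Flow(self.public_ip, key[1], flow.dst_ip, flow.dst_port, flow.proto)
        port = self._allocate_port(flow.proto)
        self.bindings[(flow.proto, port)] = (flow, now)
        # Private source IP and port are replaced by the public IP and allocated port.
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port, flow.proto)

    def inbound(self, flow: Flow, now: float) -> Optional[Flow]:
        """Reverse-map a packet arriving from the Internet; None means no binding (dropped)."""
        self.expire(now)
        if flow.dst_ip != self.public_ip:
            return None
        entry = self.bindings.get((flow.proto, flow.dst_port))
        if entry is None:
            return None                             # unsolicited inbound: no state for it
        original, _ = entry
        if (flow.src_ip, flow.src_port) != (original.dst_ip, original.dst_port):
            return None                             # reply must come from the host contacted
        self.bindings[(flow.proto, flow.dst_port)] = (original, now)
        return Flow(flow.src_ip, flow.src_port, original.src_ip, original.src_port, flow.proto)


if __name__ == "__main__":
    pat = PATTable("203.0.113.2")
    web = ("198.51.100.80", 443)
    for host, t in (("10.0.0.101", 0.0), ("10.0.0.102", 0.5)):
        out = pat.outbound(Flow(host, 50000, *web), now=t)
        print(f"{host}:50000 -> {out.src_ip}:{out.src_port}")
    back = pat.inbound(Flow(*web, "203.0.113.2", 61102), now=1.0)
    print("reply to 61102 delivered to", f"{back.dst_ip}:{back.dst_port}")
```

The side effect worth noticing is that an inbound packet for a public port with no binding is simply dropped; this is why an unsolicited connection from the Internet cannot reach a private host through PAT unless a static mapping (port forwarding) has been configured for it.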
Lesson 5.4
Firewalls
When a private network is connected to public ones, traffic between the private
and public zones needs to be subject to rules. This filtering role is performed by a
firewall. Firewalls apply access controls to ensure authorized use of the network.
They perform a filtering function to analyze the properties of connection requests
and then allow, deny, and/or log them as appropriate. While you may not be
installing and configuring these devices at this stage in your career, it is important
that you understand their use on the network edge.
As you study this lesson, answer the following questions:
• How is a packet filtering firewall different from a circuit-level gateway?
Port numbers are contained in TCP or UDP headers (layer 4) rather than the IP
datagram header, but packet filtering firewalls are still almost always described as
working at layer 3. They can inspect only port numbers and not any other layer 4
header information.
ACLs might be designed to control only inbound traffic or both inbound and
outbound traffic. This is also often referred to as “ingress” and “egress” traffic or
filtering. Controlling outbound traffic is useful because it can block applications
that have not been authorized to run on the network and defeat malware, such as
backdoors. Ingress and egress traffic is filtered using separate ACLs.
A packet filtering firewall is stateless. This means that it does not preserve
information about the connection between two hosts. Each packet is analyzed
independently with no record of previously processed packets. This type of filtering
requires the least processing effort, but it can be vulnerable to attacks that are
spread over a sequence of packets. A stateless firewall can also introduce problems
in traffic flow, especially when some sort of load balancing is being used or when
clients or servers need to make use of dynamically assigned ports.
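The following is an added worked example, not code from the study guide. It evaluates separate ingress and egress ACLs top-down, first match wins, with the implicit deny that ends every ACL, and inspects only addresses, protocol, and destination port, as a packet filter does. Because no connection state is kept, the only way to let replies reach a client's dynamically assigned port is a broad permit across the whole ephemeral range, which is the weakness the last paragraph describes. The networks, ports, and sample packets are constructed.

```python
"""Stateless packet filter with separate ingress and egress ACLs.

Added illustration, not code from the study guide. Networks, ports and the
sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                   # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Tuple[int, int] = (0, 65535)   # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if pkt.proto in ("tcp", "udp"):       # the port number is the only L4 field inspected
            lo, hi = self.dport
            return lo <= pkt.dport <= hi
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


LAN = "10.0.0.0/24"
ANY = "0.0.0.0/0"

# Ingress ACL: packets arriving from the Internet, destined for the LAN.
INGRESS = [
    Rule("permit", "tcp", ANY, "10.0.0.5/32", (443, 443)),   # published web server
    Rule("permit", "tcp", ANY, LAN, (1024, 65535)),          # replies to client sessions
    Rule("deny", "ip", ANY, ANY),                            # explicit catch-all
]

# Egress ACL: packets leaving the LAN for the Internet.
EGRESS = [
    Rule("permit", "tcp", LAN, ANY, (80, 80)),
    Rule("permit", "tcp", LAN, ANY, (443, 443)),
    Rule("permit", "udp", LAN, ANY, (53, 53)),
    # implicit deny: anything else (unauthorised applications, backdoors) is blocked
]


if __name__ == "__main__":
    samples = [
        ("ingress", INGRESS, Packet("198.51.100.7", "10.0.0.5", "tcp", 443)),
        ("ingress", INGRESS, Packet("198.51.100.7", "10.0.0.5", "tcp", 22)),
        ("ingress", INGRESS, Packet("198.51.100.7", "10.0.0.20", "tcp", 51000)),  # permitted blind
        ("egress", EGRESS, Packet("10.0.0.20", "198.51.100.7", "tcp", 443)),
        ("egress", EGRESS, Packet("10.0.0.20", "198.51.100.7", "tcp", 8080)),
    ]
    for direction, acl, pkt in samples:
        action, idx = evaluate(acl, pkt)
        print(f"{direction:7s} {pkt.src:14s}-> {pkt.dst}:{pkt.dport:<5} {pkt.proto}  {action} (rule {idx})")
```

The third sample packet is the cost of statelessness: the filter cannot tell a genuine reply from an unsolicited packet to the same high port, so both are permitted by rule 1. A stateful firewall replaces that rule with a lookup in its connection table.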
A router firewall is similar, except that the functionality is built into the router
firmware. Most SOHO Internet router/modems have this type of firewall
functionality, though they are typically limited to supporting a single subnet within
the home network. An enterprise-class router firewall would be able to support far
more sessions than a SOHO one.
Lesson 5.5
Enterprise Network Topologies
Ethernet, switching, and IP routing are the principal technologies used to implement
cabled local networks. There are many types and sizes of network, however, and
many different ways of designing cabling and forwarding to suit the requirements
of large and small organizations and budgets. While you might not be responsible
for network design at this stage of your career, it is important that you be able to
identify the components and advantages of the tiered network hierarchies used to
implement complex local networks.
As you study this lesson, answer the following questions:
Hybrid Topology
The network topology establishes how nodes are physically and logically connected.
Recall that the basic topologies are as follows:
• Point to point is a one-to-one link between two hosts only.
These basic topologies do not always support network requirements. Often, a more
complex hybrid topology is required. A hybrid topology is anything that uses a
mixture of point-to-point, star, and mesh physical and/or logical topologies. On
modern networks, hybrid topologies are often used to implement redundancy and
fault tolerance or to connect sites in WANs and in enterprise campus networks:
• Hierarchical star—Corporate networks are often designed in a hierarchy,
also known as a tree topology. This can be combined with a star topology to
implement each node in the overall tree. The links between nodes in the tree are
referred to as backbones or trunks because they aggregate and distribute traffic
from multiple different areas of the network.
Access/Edge Layer
The access or edge layer allows end user devices, such as computers, printers, and
smartphones to connect to the network. The access layer is implemented for each
site using structured cabling and wall ports for wired access and access points for
wireless access. Both are ultimately connected to workgroup switches. Switches
deployed to serve the access layer might also be referred to as LAN switches or
data switches. End systems connect to switches in the access/edge layer in a star
topology. There are no direct links between the access switches.
Distribution/Aggregation Layer
The distribution or aggregation layer provides fault-tolerant interconnections
between different access blocks and either the core or other distribution blocks.
Each access switch has full or partial mesh links to each router or layer 3 switch in
its distribution layer block. The distribution layer is often used to implement traffic
policies, such as routing boundaries, filtering, or quality of service (QoS).
The layer 3 switches used to implement the distribution/aggregation layer have
different capabilities from the layer 2 workgroup switches used in the access tier.
Rather than 1 Gbps access ports and 10 Gbps uplink ports, as would be typical of
a workgroup switch, basic interfaces on an aggregation switch would be 10 Gbps
and uplink/backbone ports would be 40 Gbps (or possibly 40 Gbps/100 Gbps).
Layer 3 switches work on the principle of “route once, switch many,” which means
that once a route is discovered, it is cached with the destination MAC address, and
subsequent communications are switched without invoking the routing lookup.
Layer 3 switches can be far faster, but they are not always as flexible. Layer 3
switches cannot usually perform WAN routing and work with interior routing
protocols only. Often layer 3 switches support Ethernet only.
Core Layer
The core layer provides a highly available network backbone. Devices such as
client and server computers should not be attached directly to the core. Its purpose
should be kept simple: provide redundant traffic paths for data to continue
to flow around the access and distribution layers of the network. Routers or
layer 3 switches in the core layer establish a full mesh topology with switches in
distribution layer blocks.
Collapsed Core
Medium-sized networks might not need separate core and distribution layers. In a
two-tier or collapsed core model, a monolithic core layer is implemented as a full
mesh. This is impractical if there are large numbers of core switches, making the
design less scalable.
Lesson 5.6
Virtual LANs
Most networks make use of virtual LANs (VLANs), both to improve network security
and network performance, so they are an important concept for you to understand.
In this topic, you will identify the benefits of network segmentation and the
characteristics and functions of VLANs.
As you study this lesson, answer the following questions:
• What is the purpose of configuring VLANs?
Apart from breaking up broadcast domains, VLANs and subnets can be used to
achieve other network design goals:
• Many organizations have more than one site with WAN links between them. The
WAN link normally forms a separate subnet.
• It is useful to divide a network into logically distinct zones for security and
administrative control. VLANs isolate a group of hosts, allowing incoming and
outgoing traffic for the group to easily be filtered at the router.
Cisco switch showing port 1 assigned to VLAN 111, ports 2–11 in VLAN 112, and so on.
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
VLANs 2–1001 are referred to as the normal range. VLANs 1002–1005 are reserved.
Extended VLAN IDs (1006–4094) are not available on older switch OS versions.
A VLAN database is the list of VLANs configured on a switch. A VLAN is created using
the following commands from global configuration mode:
vlan 16
name VLAN16
The show vlan command reports the VLAN IDs configured on the switch, plus
the ports assigned to them. You can use no vlan to delete a VLAN.
When frames designated for different VLANs are transported across a trunk, the
VLAN ID (VID) of each frame must be preserved for the receiving switch to forward
it correctly. VIDs are normally defined by the IEEE 802.1Q standard. Under 802.1Q,
per-VLAN traffic is identified by a tag inserted in the Ethernet frame between the
Source Address and EtherType fields. The tag contains information about the VID
(from 1 to 4,094) and priority (used for QoS functions). The EtherType value is set to
identify the frame as 802.1Q.
• If the frame needs to be transported over a trunk link, the switch adds the
relevant 802.1Q tag to identify the VLAN, and then forwards the frame over the
trunk port.
• If the switch receives an 802.1Q tagged frame on an access port, it strips the tag
before forwarding it to the host.
Conversely, a tagged port will normally be one that is operating as a trunk; that
is, capable of transporting traffic addressed to multiple VLANs using the 802.1Q
frame format. A trunk might be used to connect switches or to connect a switch
to a router. In some circumstances, a host attached to a port might need to be
configured to use multiple VLANs and would need to be attached to a trunk port,
rather than an access port. One example of this is a virtualization host with multiple
guest operating systems. The virtual servers might need to be configured to use
different VLANs.
Voice VLANs
Voice over IP (VoIP) transmits voice traffic as data packets, rather than over circuit-
based transmission lines. The bandwidth and latency requirements of voice traffic
mean that it is often necessary to prioritize it over other types of data packets. This
can be accomplished using a dedicated VLAN for voice traffic. However, in many
cases, VoIP has been implemented into network infrastructures that were originally
designed for just desktop and laptop computers, with limited numbers of physical
network wall ports.
To accommodate the lack of dedicated wall ports for handsets, most VoIP endpoints
incorporate an embedded switch with just two external ports. The handset is
connected via its uplink port to the wall port and via the structured cabling to an access
switch. The PC or laptop is connected to the handset via the other port. The handset
forwards data traffic from the PC to the access switch as untagged frames. The handset
sends voice traffic over the same physical link but uses 802.1Q tagged frames.
Normally, for a switch interface to process tagged frames, it would have to be
configured as a trunk port. This adds a lot of configuration complexity, so most
switches now support the concept of a voice or auxiliary VLAN to distinguish the
PC and VoIP traffic without having to configure a trunk. In the following example, the
interface configuration assigns traffic from the PC to VLAN 100 and the voice traffic to
VLAN 101:
interface GigabitEthernet0/0
switchport mode access
switchport access vlan 100
switchport voice vlan 101
Sharing a single physical wall port between a PC and VoIP handset. The handset and switch interface
configuration allow VoIP traffic to be assigned to a different VLAN than the PC’s data traffic.
(Images © 123RF.com.)
The switch will only accept tagged frames that match the configured voice VLAN ID.
To avoid having to configure this manually, the voice VLAN ID and other configuration
parameters can be communicated to the handset using a protocol such as Cisco
Discovery Protocol (CDP).
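The following Python script is an added worked example; it is not part of the study guide and not vendor code. It builds Ethernet frames with and without the 802.1Q tag, parses the tag back out, and models how a switch port classifies a frame on ingress and re-encapsulates it on egress, including the voice-VLAN case above, where an access port accepts a tagged frame only if it carries the configured voice VLAN ID. The MAC addresses, the VLAN numbers (100 for data and 101 for voice, matching the interface configuration above), and the omission of native-VLAN handling are assumptions made for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks a frame as 802.1Q tagged

# Constructed sample addresses for the demo (not from the study guide).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("ffffffffffff")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame. With vid set, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI) between the Source Address and EtherType fields."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | vid   # PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return a dict with dst, src, vid (None if untagged), pcp, ethertype, payload."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    info = {"dst": frame[:6], "src": frame[6:12], "vid": None, "pcp": 0}
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vid"], info["pcp"] = tci & 0x0FFF, tci >> 13
        body = frame[18:]
    else:
        body = frame[14:]
    info["ethertype"], info["payload"] = ethertype, body
    return info


def switch_forward(frame, ingress_mode, egress_mode, access_vid=None, voice_vid=None):
    """Model one switch's ingress classification and egress encapsulation.

    Ingress 'access': untagged frames get access_vid; a tagged frame is accepted
    only if it carries voice_vid (the voice-VLAN case), otherwise it is dropped.
    Ingress 'trunk': the VID comes from the tag; untagged frames are dropped here
    because native-VLAN handling is deliberately left out of this model.
    Egress 'access' strips the tag; egress 'trunk' keeps or adds it.
    Returns (vid, outgoing frame), or (None, None) if the frame is dropped."""
    f = parse_frame(frame)
    if ingress_mode == "access":
        if f["vid"] is None:
            vid = access_vid
        elif f["vid"] == voice_vid:
            vid = voice_vid
        else:
            return None, None               # tagged for a VLAN this port does not carry
    elif ingress_mode == "trunk":
        if f["vid"] is None:
            return None, None
        vid = f["vid"]
    else:
        raise ValueError(ingress_mode)
    if egress_mode == "access":
        out = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
    elif egress_mode == "trunk":
        out = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid=vid, pcp=f["pcp"])
    else:
        raise ValueError(egress_mode)
    return vid, out


if __name__ == "__main__":
    pc = build_frame(DST_MAC, SRC_MAC, 0x0800, b"pc data")                  # untagged from the PC
    phone = build_frame(DST_MAC, SRC_MAC, 0x0800, b"voice", vid=101, pcp=5)  # tagged by the handset
    print(switch_forward(pc, "access", "trunk", access_vid=100, voice_vid=101)[0])
    print(switch_forward(phone, "access", "trunk", access_vid=100, voice_vid=101)[0])
```

Running the script prints 100 for the PC's frame and 101 for the handset's frame: both arrive on the same access port, but the data frame is assigned the access VLAN while the tagged voice frame is placed in the voice VLAN, and both leave the trunk carrying their tags.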
VLAN Routing
Many networks are segmented using the VLAN feature of managed switches. Traffic
between VLANs must be routed. There are various ways of accomplishing this.
Subinterfaces
One method is to deploy a router with a single interface (a one-armed router or router
on a stick) connected to a trunk port on the switch. The trunk port carries all the VLAN-
to-VLAN traffic that must be routed. The router’s physical interface is configured with
multiple subinterfaces. Each subinterface is configured with a specific VLAN ID and IP
address. The subinterface acts as the default gateway for its VLAN/subnet. The router
forwards inter-VLAN traffic between the subinterfaces.
The following commands would configure a subinterface for VLAN16 on G0, using
the last available host address as the default gateway:
interface G0.16
encapsulation dot1Q 16
ip address 198.51.100.30 255.255.255.240
Remember that the choice of default gateway is by convention. Many organizations use
the first available host address. In these examples, we’re using the last available address
(just to focus attention on how many addresses are available in any given subnet). The
key is to apply the same convention consistently across the network.
Be aware that it’s not necessary for the router to have a single physical interface. This
is just a conventional example. It could have multiple physical interfaces each with
subinterfaces connected to different switches. It could also have a WAN interface.
With layer 3 switches, each VLAN can be assigned a Switch Virtual Interface (SVI)
to act as the default gateway. For example, if the topology shown in the previous
figure were implemented using a single layer 3 switch rather than a router plus
layer 2 switch, the SVI for VLAN 16 would be configured as follows:
interface VLAN16
ip address 198.51.100.30 255.255.255.240
The hosts in that VLAN would be configured with 198.51.100.30 as the default
gateway.
Do be aware that a layer 3 switch could also be configured with subinterfaces. Any
port on a layer 3 switch can be designated as routed rather than switched using the
no switchport command. To distinguish the concepts independently of device
types, remember that an SVI is bound to a VLAN and doesn’t require a physical interface
(it’s like configuring a virtual router for the virtual LAN); a subinterface is bound to a
physical interface and then allocated a VLAN ID.
Lesson 5.7
Routing and VLAN Troubleshooting
2. If there are paths with equal prefixes, the path with the lowest administrative
distance (AD) will be selected. Administrative distance is a measure of how
trustworthy the source of the route is. Directly connected and static routes
have lower AD values than routes learned from routing protocols.
3. If there are identical paths with equal AD, the path with the lowest metric
value is preferred.
Investigate any paths with overlapping ranges, such as the /24 and /28 example
quoted. These are likely to indicate an error, especially if they come from different
sources. For example, a misconfigured static route might be in conflict with a
learned route.
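As an added example (not from the study guide), the following Python code applies the three selection rules above to a small, made-up routing table and flags overlapping prefixes that come from different sources, the pattern the text says to investigate. The route entries, next hops, and metrics are constructed for the demonstration; the AD values follow the usual Cisco defaults (connected 0, static 1, OSPF 110, RIP 120).

```python
import ipaddress

# Constructed routing table for the demonstration: (prefix, source, AD, metric, next hop).
ROUTES = [
    ("0.0.0.0/0",    "static",      1,  0, "203.0.113.1"),
    ("10.1.0.0/16",  "ospf",      110, 20, "10.0.0.2"),
    ("10.1.5.0/24",  "connected",   0,  0, "GigabitEthernet0/1"),
    ("10.1.5.0/24",  "rip",       120,  3, "10.0.0.3"),
    ("10.1.5.64/28", "static",      1,  0, "10.0.0.9"),
    ("10.1.5.64/28", "ospf",      110, 40, "10.0.0.4"),
    ("192.0.2.0/24", "ospf",      110, 30, "10.0.0.2"),
    ("192.0.2.0/24", "ospf",      110, 20, "10.0.0.4"),
]


def select_route(destination, routes):
    """Pick the forwarding entry for one destination address:
    1. longest matching prefix, 2. lowest administrative distance, 3. lowest metric.
    Returns the route tuple, or None when nothing matches."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    # Sort key: most specific prefix first (negated length), then AD, then metric.
    return min(matches, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[2], r[3]))


def overlapping_routes(routes):
    """Pairs where a more specific prefix from one source sits inside a wider prefix
    from a different source. The default route overlaps everything by design, so it
    is not reported."""
    nets = [(ipaddress.ip_network(r[0]), r) for r in routes]
    findings = []
    for wide, r_wide in nets:
        if wide.prefixlen == 0:
            continue
        for narrow, r_narrow in nets:
            if narrow != wide and narrow.subnet_of(wide) and r_wide[1] != r_narrow[1]:
                findings.append((r_wide[0], r_wide[1], r_narrow[0], r_narrow[1]))
    return findings


if __name__ == "__main__":
    for dest in ("10.1.5.70", "10.1.5.10", "10.1.200.1", "192.0.2.5", "8.8.8.8"):
        print(dest, "->", select_route(dest, ROUTES))
    for pair in overlapping_routes(ROUTES):
        print("overlap:", pair)
```

For 10.1.5.70 the /28 entries win on prefix length, and the static /28 (AD 1) is then preferred over the OSPF /28 (AD 110) even though the OSPF route might be the better path. For 192.0.2.5 the two OSPF entries tie on prefix and AD, so the lower metric (20, via 10.0.0.4) decides.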
Routing protocols use various mechanisms to prevent loops. For example, distance
vector protocols use the following mechanisms:
• Maximum hop count—If the cost exceeds a certain value (16 in RIP), the
network is deemed unreachable. A poison route is one advertised with a hop
count of 16. This can provide an explicit failure notice to other routers.
• Split horizon—Prevents a routing update from being copied back to the source.
In the example above, this would prevent Router C from sending an update
about a route to Router A via Router B to Router B.
Link state protocols try to ensure that each node has a consistent view of the
network through continual, timely updates flooded to all nodes in the routing
domain. A loop in a link state routing domain typically indicates that updates are
not being propagated correctly.
You can use traceroute to diagnose a routing loop by looking for IP addresses
that appear multiple times in the output.
If you cannot diagnose the issue by looking at the configuration, use ping to test
connectivity. You can use exactly the same process as you would a physical LAN:
1. Ping the loopback address, then the host’s own IP address to verify that TCP/IP
is working and that the host’s IP is correctly configured.
2. Ping the default gateway to verify that it is contactable. Optionally, also ping
another host on the same VLAN/subnet to verify that local communications
can be established. If you cannot ping the default gateway, look for a problem
with either the host or switch/router configuration. If you can rule out these
and there is no connectivity with any local hosts, check that the patch cable for
the workstation’s wall port is connected to the correct switch port and for any
other physical cable issues.
Hosts in each VLAN must be able to reach Dynamic Host Configuration Protocol (DHCP)
servers and Domain Name System (DNS) servers. One option is to place these as hosts
within the VLAN, but that could mean provisioning many servers. More typically, they
will be in a server VLAN, and hosts in the client VLAN must use the default gateway to
contact them. In this setup, a DHCP relay must also be configured. Network service
configuration is discussed in more detail in the next module.
Module 5
Summary
• Provision redundant trunk links within the core and between the core and
distribution layer.
• Determine bandwidth requirements for the access layer (typically 1 Gbps) and
provision appropriate workgroup/LAN switches based on media type.
• Provision redundant trunk links between distribution layer switch blocks and
access layer switches.
• Connect client devices (PCs, VoIP endpoints, and printers) and non-datacenter
servers to access layer switches.
• Design IP subnets for each VLAN and create a VLAN numbering system.
• Map the logical topology to the physical switch topology and identify trunk
links. Configure the interfaces that will participate in trunk links with the
VLANs they are permitted to carry.
• Assess how static, default, and dynamic routing can best meet network design
requirements.
• How the destination prefix length and route source administrative distance
affect forwarding.
• Use the command line tools to investigate host and router routing tables.
Module 6
Implementing Network Services
Module Introduction
Layers 1 through 3 of the OSI model are concerned with addressing and packet
forwarding and delivery. This basic connectivity is established for the purpose of
transporting application data. In this module, you will describe how protocols at
layer 4 provision the transport services that network applications depend upon.
Also, this module identifies application protocols that perform low-level network
operations tasks, such as providing dynamic address or name resolution services.
Module Objectives
In this module, you will do the following:
• Compare and contrast transport protocols.
Lesson 6.1
Transport and Application Layer
Protocols
You have seen how IP provides addressing and delivery at layer 3 of the OSI model.
At layer 4, the TCP/IP protocol suite also defines how different applications on
separate hosts establish connections and track communications. Understanding
how application protocols use ports to establish connections is critical to being able
to configure and support network services.
As you study this section, answer the following questions:
• What is the function of a Transport layer port?
The remaining ports (up to 65,535) are designated for private or dynamic use. As
well as the server application needing a port, each client application must assign
its own port number to track its requests. Client ports are also referred to as
ephemeral ports or source ports.
The port number is used in conjunction with the source IP address to form a
socket. Each socket is bound to a software process. Only one process can operate
a socket at any one time. A connection is formed when a client socket requests
a service from the server socket. A connection is uniquely identified by the
combination of server port plus IP address and client port plus IP address. A server
socket can therefore support multiple connections from a number of client sockets.
Field: Explanation
Source port: TCP port of the sending host.
Destination port: TCP port of the destination host.
Sequence number: The sequence number of the first byte of data in this segment (a
SYN or FIN also consumes one sequence number). Because every byte in the stream
is numbered, the receiver can rebuild the message in the correct order and detect
missing or duplicated segments.
Acknowledgment number: The sequence number of the next byte the sender of this
segment expects to receive (that is, the last byte received in order + 1). It
acknowledges everything before that point. Segments can be delayed, lost
completely, or arrive in a damaged state; a damaged segment fails the checksum and
is discarded as if it had been lost. In each case the data is not acknowledged,
and the sender retransmits after a timeout or on receiving duplicate
acknowledgments. TCP has no negative acknowledgment (NAK) message; unacknowledged
data is simply resent.
Data offset: Length of the TCP header in 32-bit words (minimum 5, that is 20
bytes). This tells the receiver where the payload starts when options are present.
Flags: Control bits indicating the type of segment (SYN, ACK, FIN, RST, PSH, URG,
and so on).
Window: The amount of data, in bytes, beyond the acknowledged byte that the host is
currently willing to accept. This is TCP's flow-control mechanism: a host that is
getting overwhelmed with traffic advertises a smaller window to make the other side
slow its sending rate.
Checksum: Detects corruption of the segment. It is calculated over not only the
TCP header and payload but also a pseudo-header built from part of the IP header,
notably the source and destination addresses. Consequently, the pseudo-header, and
so the checksum calculation, is different for IPv6 (128-bit addresses) than for
IPv4 (32-bit addresses).
Urgent pointer: If the URG flag is set, this marks the end of the urgent data in
the segment.
Options: Allows further connection parameters to be negotiated. The most important
is the maximum segment size (MSS), which tells the peer how large the segments it
sends should be so that they fit in the MTU of the data link frames without
fragmentation.
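The checksum and sequence-number behavior described in the table can be checked against real bytes. The following Python code is an added example (not from the study guide): it builds a TCP segment with a correct checksum over the IPv4 or IPv6 pseudo-header, verifies a received segment, decodes the flags, and computes the acknowledgment number a receiver would return. The addresses, ports, and payloads in the demonstration are made up, and no TCP options are generated.

```python
import ipaddress
import struct

FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, tcp_length):
    """The part of the IP header that TCP folds into its checksum. IPv4 uses a
    12-byte pseudo-header, IPv6 a 40-byte one, which is why the two differ."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version == 4:
        return src.packed + dst.packed + struct.pack("!BBH", 0, 6, tcp_length)
    return src.packed + dst.packed + struct.pack("!IBBBB", tcp_length, 0, 0, 0, 6)


def tcp_checksum(src, dst, segment):
    """Checksum over pseudo-header + TCP header + payload (checksum field zeroed)."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, window, payload=b"", urgent=0):
    """Build a TCP segment with a 20-byte header (no options) and a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,               # data offset 5 words = 20 bytes; reserved bits 0
                         flags, window, 0, urgent)
    csum = tcp_checksum(src, dst, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_segment(src, dst, segment):
    """Decode the header and verify the checksum: a valid segment sums to 0xFFFF
    once the transmitted checksum is included in the calculation."""
    (sport, dport, seq, ack, offset_res, flags,
     window, csum, urgent) = struct.unpack_from("!HHIIBBHHH", segment)
    header_len = (offset_res >> 4) * 4
    total = ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
        "window": window, "urgent": urgent, "checksum": csum,
        "options": segment[20:header_len], "payload": segment[header_len:],
        "checksum_ok": total == 0xFFFF,
    }


def next_ack(seq, payload_len, syn=False, fin=False):
    """Acknowledgment number the receiver sends back: the sequence number of the
    next byte it expects. A SYN or FIN each occupies one sequence number."""
    return (seq + payload_len + int(syn) + int(fin)) & 0xFFFFFFFF


if __name__ == "__main__":
    syn = build_segment("192.0.2.10", "198.51.100.5", 40000, 443, 1000, 0, 0x02, 65535)
    print(parse_segment("192.0.2.10", "198.51.100.5", syn))
    print("server should ACK", next_ack(1000, 0, syn=True))
```

Flipping a single byte of the segment makes checksum_ok False, which is exactly the "damaged segment is discarded, then retransmitted" path described in the table; the same functions work unchanged for IPv6 addresses because pseudo_header selects the 40-byte layout.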
1. The client sends a segment with the TCP flag SYN set to the server with a
randomly generated sequence number. The client enters the SYN-SENT state.
3. The client responds with an ACK segment. The client assumes the connection
is ESTABLISHED.
4. The server opens a connection with the client and enters the ESTABLISHED
state.
The sending machine expects regular acknowledgments for segments it sends and,
if a period elapses without an acknowledgment, it assumes the information did not
arrive and automatically resends it. This overhead makes the system relatively slow.
Connection-oriented transmission is suitable when reliability and data integrity are
important.
2. The server responds with an ACK segment and enters the CLOSE-WAIT state.
3. The client receives the ACK segment and enters the FIN-WAIT2 state. The
server sends its own FIN segment to the client and goes to the LAST-ACK state.
4. The client responds with an ACK and enters the TIME-WAIT state. After a
defined period, the client closes its connection.
5. The server closes the connection when it receives the ACK from the client.
Some implementations may use one less step by combining the FIN and ACK
responses into a single segment operation.
Observing TCP connections with the netstat tool. (Screenshot used with permission from Microsoft.)
A host can also end a session abruptly using a reset (RST) segment. This would
not be typical behavior and might need to be investigated. A server or security
appliance might refuse connections using RST, a client or server application might
be faulty, or there could be some sort of suspicious scanning activity ongoing.
Field: Explanation
Source port: UDP port of the sending host.
Destination port: UDP port of the destination host.
Message length: Size of the UDP header plus payload, in bytes.
Checksum: Detects corruption of the datagram (optional under IPv4, mandatory under IPv6).
The header size is 8 bytes, compared to 20 bytes (or more) for TCP.
Netstat
The netstat command allows you to check the state of ports on the local host. You
can use netstat to check for service misconfigurations, such as a host running a
web or FTP server that a user installed without authorization. You may also be able
to identify suspicious remote connections to services on the local host or from the
host to remote IP addresses.
On Windows, used without switches, the command outputs active TCP connections,
showing the local and foreign addresses and ports. Using the -a switch displays
all open ports, including both active TCP and UDP connections and ports in the
listening state.
On Linux, running netstat without switches shows active connections of any
type. If you want to show different connection types, you can use the switches for
Internet connections for TCP (-t) and UDP (-u), raw connections (-w), and UNIX
sockets/local server ports (-x). Using the -a switch includes ports in the listening
state in the output. -l shows only ports in the listening state, omitting established
connections.
For example, the following command shows listening and established Internet
connections (TCP and UDP) only: netstat -tua.
Linux netstat output showing active and listening TCP and UDP connections.
On both Windows and Linux, -n displays ports and addresses in numerical format.
Skipping name resolution speeds up each query. On Linux, using -4 or -6 filters
sockets by IPv4 or IPv6 addresses respectively. In Windows, use the -p switch with
the protocol type (TCP, TCPv6, UDP, or UDPv6).
Another common task is to identify which software process is bound to a socket. On
Windows, -o shows the process ID (PID) number that has opened the port, while
-b shows the process name. In Linux, use -p to show the PID and process name.
netstat -s reports per protocol statistics, such as packets received, errors,
discards, unknown requests, port requests, failed connections, and so on. The tool
will report Ethernet statistics using -e (Windows) or -I (Linux). netstat -r
displays the routing table.
netstat can also be set to run continuously. In Windows, run netstat nn,
where nn is the refresh interval in seconds (press Ctrl+C to stop); in Linux, run
netstat -c.
The Linux netstat command is part of the deprecated net-tools package. The
preferred package, iproute2, contains a number of different commands that replace
netstat functionality. Listing sockets and listening ports is done by ss, protocol
statistics (the netstat -s counters) are reported by nstat, and interface statistics
by ip -s link.
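To make the unauthorized-service check concrete, here is an added Python example (not part of the study guide). It parses lines laid out like the output of netstat -tunap on Linux, reports listeners bound to non-loopback addresses that are not on a baseline allowlist, and lists established connections for review. The sample output, the process names, the addresses, and the ALLOWED baseline are all constructed for the demonstration; on a real host you would feed in the command's actual output and the baseline from your configuration management.

```python
# Constructed sample in the layout of `netstat -tunap` on Linux (not captured from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      950/cupsd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4410/python3
tcp        0      0 10.1.5.23:52344         203.0.113.7:4444        ESTABLISHED 4410/python3
tcp6       0      0 :::21                   :::*                    LISTEN      2331/vsftpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1190/snmpd
"""

# Hypothetical baseline of services approved to listen on this host.
ALLOWED = {("tcp", 22), ("udp", 68)}


def parse_netstat(text):
    """Turn netstat's socket lines into dicts. UDP lines carry no State column,
    so the PID/Program field is always read from the end of the line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue                                  # banner and column headers
        addr, _, port = parts[3].rpartition(":")      # works for 0.0.0.0:22 and :::21 alike
        pid, _, program = parts[-1].partition("/")
        rows.append({
            "proto": parts[0].rstrip("6"),            # tcp6/udp6 -> tcp/udp
            "addr": addr,
            "port": int(port) if port.isdigit() else None,
            "foreign": parts[4],
            "state": parts[5] if len(parts) == 7 else "",
            "pid": pid,
            "program": program,
        })
    return rows


def unexpected_listeners(rows, allowed):
    """Services reachable from the network that are not on the baseline.
    Loopback-only listeners are skipped; UDP sockets count as listeners."""
    found = []
    for r in rows:
        listening = r["state"] == "LISTEN" or r["proto"] == "udp"
        loopback = r["addr"] in ("127.0.0.1", "::1")
        if listening and not loopback and (r["proto"], r["port"]) not in allowed:
            found.append((r["proto"], r["port"], r["program"], r["pid"]))
    return found


def established(rows):
    """Active connections, worth reviewing for unexpected remote peers."""
    return [(r["program"], r["foreign"]) for r in rows if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for finding in unexpected_listeners(rows, ALLOWED):
        print("unexpected listener:", finding)
    for conn in established(rows):
        print("established:", conn)
```

In the sample the check flags the FTP server on port 21, the ad hoc web server on 8080, and SNMP on 161, while the CUPS listener is ignored because it is bound to 127.0.0.1 only; the established list also exposes the same python3 process holding an outbound connection to 203.0.113.7:4444, which is worth a closer look.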
Port  Transport  Service/Application  Description
20    TCP        ftp-data             File Transfer Protocol (data channel)
21    TCP        ftp                  File Transfer Protocol (control channel)
22    TCP        ssh/sftp             Secure Shell / FTP over SSH
23    TCP        telnet               Telnet
25    TCP        smtp                 Simple Mail Transfer Protocol
53    TCP/UDP    domain               Domain Name System
67    UDP        bootps               BOOTP/DHCP server
68    UDP        bootpc               BOOTP/DHCP client
69    UDP        tftp                 Trivial File Transfer Protocol
80    TCP        http                 HTTP
110   TCP        pop                  Post Office Protocol
123   UDP        ntp/sntp             Network Time Protocol / Simple NTP
143   TCP        imap                 Internet Message Access Protocol
161   UDP        snmp                 Simple Network Management Protocol
162   UDP        snmp-trap            Simple Network Management Protocol trap
389   TCP/UDP    ldap                 Lightweight Directory Access Protocol
443   TCP        https                HTTP-Secure (HTTP over SSL/TLS)
445   TCP        smb                  Server Message Block over TCP/IP
514   UDP        syslog               Syslog
546   UDP        dhcpv6-client        DHCPv6 client
547   UDP        dhcpv6-server        DHCPv6 server
587   TCP        smtps                SMTP-Secure (message submission with STARTTLS)
636   TCP        ldaps                LDAP-Secure
993   TCP        imaps                IMAP-Secure
995   TCP        pop3s                POP3-Secure
1433  TCP        sql-server           Microsoft SQL Server
1521  TCP        sqlnet               Oracle SQL*Net
3306  TCP        mysql                MySQL/MariaDB
3389  TCP        rdp                  Remote Desktop Protocol
5004  UDP        rtp                  Real-time Transport Protocol
5005  UDP        rtcp                 RTP Control Protocol
5060  TCP/UDP    sip                  Session Initiation Protocol
5061  TCP        sips                 SIP-Secure (SIP over TLS)
Lesson 6.2
Dynamic Host Configuration Protocol
• What are the advantages and disadvantages of static and reserved IP address
assignments?
DHCP Process
The Dynamic Host Configuration Protocol (DHCP) provides an automatic method
for allocating an IP address, subnet mask, and optional parameters, such as the
default gateway and DNS server addresses, when a host joins the network.
A host is configured to use DHCP by specifying in the TCP/IP configuration that it
should automatically obtain an IP address.
3. The client may choose to accept the offer using a DHCPREQUEST packet—also
broadcast onto the network.
4. Assuming the offer is still available, the server will respond with a DHCPACK
packet. The client broadcasts an ARP message to check that the address is
unused. If so, it will start to use the address and options; if not, it declines the
address and requests a new one.
The IP address is leased by the server for a limited period only. A client can attempt
to renew or rebind the lease before it expires. If the lease cannot be renewed, the
client must release the IP address and start the discovery process again.
Sometimes, the DHCP lease process is called the DORA process: Discover, Offer, Request,
and Ack(nowledge).
DHCP Options
Along with an address scope, you also need to define other parameters, such as
lease time and options.
A long lease time means the client does not have to renew the lease often, but the
DHCP server’s available pool of IP addresses is not replenished frequently. Where
IP addresses are in short supply, a short lease period enables the DHCP server
to allocate addresses previously assigned to hosts that are now not active on the
network.
DHCP Options
When the DHCP server offers a configuration to a client, at a minimum it must
supply an IP address and subnet mask. Typically, it will also supply other IP-related
settings, known as DHCP options. Each option is identified by a tag byte, a decimal
value between 0 and 255. Tags 0 and 255 are reserved as the pad and end markers of
the option list, so they cannot identify actual options.
Some widely used options include the following:
• The default gateway (IP address of the router).
• The IP address(es) of DNS servers that can act as resolvers for name queries.
• Other useful server options, such as time synchronization (NTP), file transfer
(TFTP), or VoIP proxy.
Lesson 6.3
APIPA and SLAAC
Not all networks have DHCP servers. Also, the DHCP process can sometimes fail to
work properly. There are various methods for hosts to perform autoconfiguration
when DHCP is not available. You should also understand how IPv6 networks
use autoconfiguration and appreciate differences in the way DHCPv6 functions,
compared to DHCPv4.
As you study this lesson, answer the following questions:
• What is the purpose of Automatic Private IP Addressing (APIPA)?
These addresses are from the range reserved for IPv4 link-local addressing
(169.254.0.0/16), which is never routed beyond the local segment. The first and last
/24 subnets (169.254.0.0/24 and 169.254.255.0/24) are reserved and are not used.
• The host listens for a router advertisement (RA) or transmits a router solicitation
(RS) using ND protocol messaging. The router can either provide a network
prefix, direct the host to a DHCPv6 server to perform stateful autoconfiguration,
or perform some combination of stateless and stateful configuration.
ICMPv6
IPv6 uses an updated version of ICMP. The key new features are the following:
• Error messaging—ICMPv6 supports the same sort of destination unreachable
and time exceeded messaging as ICMPv4. One change is the introduction of a
Packet Too Big class of error. Under IPv6, routers are no longer responsible for
packet fragmentation and reassembly, so the host must ensure that they fit in
the MTUs of the various links used.
By contrast, stateful mode means that a host can also obtain a routable IP address
from a DHCPv6 scope. In either mode, a DHCPv6 server can be used to supply
options information, such as DNS server addresses, DNS suffix/domain lists, time
servers, and so on.
Configuring the scope requires you to define the network prefix and then any IP
addresses that are to be excluded from being offered. All other addresses that
are not explicitly excluded can be offered. The host must still listen for a router
advertisement to obtain the network prefix and configure a default gateway. There
is no mechanism in DHCPv6 for setting the default route.
Lesson 6.4
DHCP Relay and Troubleshooting
Automatic addressing is a critical service for most types of networks. Where a SOHO
network might have a single DHCP server for a single subnet, enterprises must
support multiple subnets. This lesson will help you to implement and troubleshoot
DHCP services in complex network environments.
As you study this section, answer the following questions:
• What is the purpose of a DHCP relay agent?
• What is the purpose of an IP helper? How does it differ from a DHCP relay agent?
• What issues arise when using DHCP services, and how can they be resolved?
interface eth1
ip helper-address 10.1.0.200
interface eth2
ip helper-address 10.1.0.200
UDP forwarding is a more general application of the same principle. As well as
DHCP, it is used for the Network Time Protocol (NTP) and other broadcast-based
applications.
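The DORA exchange, the option encoding, and the role of the relay agent can be put together in one runnable model. The following Python code is an added example (it is not from the study guide and not from any DHCP implementation). It serializes and parses DHCP messages; a minimal server picks a scope from giaddr, which is 0.0.0.0 for a client on the server's own subnet and is set to the relay interface address when a helper forwards the broadcast, and answers DISCOVER and REQUEST; and a client function runs the four steps. The server address 10.1.0.200 is taken from the ip helper-address configuration above; the scopes, MAC addresses, and transaction ID are made up. Renewal, DHCPNAK, and DHCPDECLINE are deliberately left out.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # option 53 message types used here
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
OPT_PAD, OPT_END = 0, 255                        # reserved tags, never carry data


def pack_ip(ip):
    return ipaddress.IPv4Address(ip).packed


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Serialize a DHCP message: fixed BOOTP fields, magic cookie, then TLV options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, pack_ip(yiaddr), b"\0" * 4, pack_ip(giaddr),
                        chaddr, b"", b"")       # struct pads chaddr/sname/file with zeros
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in options)
    return fixed + MAGIC + body + bytes([OPT_END])


def parse(msg):
    """Decode the fields this demo needs, walking the option list until tag 255."""
    op, _, hlen, _, xid = struct.unpack_from("!BBBBI", msg)
    yiaddr = str(ipaddress.IPv4Address(msg[16:20]))
    giaddr = str(ipaddress.IPv4Address(msg[24:28]))
    chaddr = msg[28:28 + hlen]
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        tag, length = msg[i], msg[i + 1]
        options[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "giaddr": giaddr,
            "chaddr": chaddr, "options": options}


class Scope:
    """An address pool for one subnet plus the options handed out with it."""
    def __init__(self, network, router, dns, lease=86400, exclude=()):
        self.net = ipaddress.ip_network(network)
        self.router, self.dns, self.lease = router, list(dns), lease
        reserved = set(exclude) | {router}
        self.free = [str(h) for h in self.net.hosts() if str(h) not in reserved]
        self.leases = {}                         # client MAC -> leased address


class Server:
    def __init__(self, server_ip, scopes):
        self.ip, self.scopes = server_ip, scopes

    def scope_for(self, giaddr):
        """0.0.0.0 means the client is on the server's own subnet; a relay agent fills
        giaddr with its interface address, and that address selects the scope."""
        key = ipaddress.ip_address(self.ip if giaddr == "0.0.0.0" else giaddr)
        return next((s for s in self.scopes if key in s.net), None)

    def handle(self, msg):
        """Return the OFFER or ACK for a DISCOVER/REQUEST, or None to stay silent."""
        req = parse(msg)
        scope, mac = self.scope_for(req["giaddr"]), req["chaddr"]
        mtype = req["options"][OPT_MSG_TYPE][0]
        if scope is None:
            return None
        if mtype == DISCOVER:
            if mac not in scope.leases:
                if not scope.free:           # pool exhausted: growth, or a starvation attack
                    return None
                scope.leases[mac] = scope.free.pop(0)
            ip, reply = scope.leases[mac], OFFER
        elif mtype == REQUEST:
            if req["options"].get(OPT_SERVER_ID) != pack_ip(self.ip):
                return None                  # the client accepted another server's offer
            ip = str(ipaddress.IPv4Address(req["options"][OPT_REQ_IP]))
            if scope.leases.get(mac) != ip:
                return None
            reply = ACK
        else:
            return None
        opts = [(OPT_MSG_TYPE, bytes([reply])), (OPT_SERVER_ID, pack_ip(self.ip)),
                (OPT_LEASE, struct.pack("!I", scope.lease)), (OPT_SUBNET, scope.net.netmask.packed),
                (OPT_ROUTER, pack_ip(scope.router)), (OPT_DNS, b"".join(pack_ip(d) for d in scope.dns))]
        return build(BOOTREPLY, req["xid"], mac, opts, yiaddr=ip, giaddr=req["giaddr"])


def dora(server, mac, giaddr="0.0.0.0", xid=0x3903F326):
    """Run Discover, Offer, Request, Ack for one client; return its configuration or None."""
    offer = server.handle(build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))], giaddr=giaddr))
    if offer is None:
        return None
    o = parse(offer)
    request = [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQ_IP, pack_ip(o["yiaddr"])),
               (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])]
    ack = server.handle(build(BOOTREQUEST, xid, mac, request, giaddr=giaddr))
    if ack is None:
        return None
    a = parse(ack)
    opts = a["options"]
    return {"ip": a["yiaddr"],
            "mask": str(ipaddress.IPv4Address(opts[OPT_SUBNET])),
            "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER])),
            "dns": [str(ipaddress.IPv4Address(opts[OPT_DNS][i:i + 4])) for i in range(0, len(opts[OPT_DNS]), 4)],
            "lease": struct.unpack("!I", opts[OPT_LEASE])[0]}
```

With a server at 10.1.0.200 holding scopes for 10.1.0.0/24 and 10.1.1.0/24, a client on the server's subnet is offered an address from the first scope, while a client whose DISCOVER arrives through a relay with giaddr 10.1.1.1 gets an address and default gateway from the second. A scope whose free list is empty makes the server stay silent, which is the pool-exhaustion symptom the troubleshooting text mentions.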
DHCP Issues
A Windows host that is configured to use dynamic addressing but that fails to
obtain a lease will revert to an automatic IP address (APIPA) configuration and select
an address in the 169.254.0.0/16 range. Linux might use link local addressing, set
the address to unknown (0.0.0.0), or leave the interface unconfigured.
Possible reasons for a client to fail to obtain a lease include the following:
• The DHCP server is offline. If your DHCP servers go offline, users will continue
to connect to the network for a period and thereafter start to lose contact with
network services and servers as they come to try to renew a lease.
• The router between the client and DHCP server doesn’t support BOOTP
forwarding. Either install RFC 1542-compliant routers or add another type of
DHCP relay agent to each subnet or VLAN.
If you reconfigure your DHCP servers and their scopes, you will need to plan for the
fact that not all clients’ IP configurations will be updated when the server scopes are
edited and could be left with an expired IP, default gateway, or DNS server address.
You can mitigate this by lowering the lease duration in advance of changes, forcing
all clients to renew, or running parallel settings for a period.
Also be aware that address pool exhaustion might be a symptom of a malicious attack.
Lesson 6.5
Domain Name System
Each host that has an IP address assigned to it can also have a descriptive name.
This makes it easier for human users to identify and access it on the network and
for application services to be configured with an addressing scheme that allows
for changes in the underlying network. Almost all networks depend on this name
resolution functionality to operate smoothly and securely, so it is important to
understand how it works. In this topic, you will identify methods for host name
resolution for TCP/IP networks.
As you study this lesson, answer the following questions:
• How do Domain Name Service (DNS) queries resolve host names and domains
to IP addresses?
• What is the difference between a forward lookup zone and a reverse lookup
zone?
• What functions do different record types have, such as A records and PTR
records?
When you are configuring name records, an FQDN must include the trailing period to
represent the root, but this can be omitted in most other use cases.
A domain name must be registered with a registrar to ensure that it is unique within
a top-level domain. Once a domain name has been registered, it cannot be used by
another organization. The same domain name may be registered within different
top-level domains, however: widget.example. and widget.example.uk. are distinct
domains, for instance.
Numerous hosts may exist within a single domain. For example: nut, bolt, and
washer might all be hosts within the widget.example. domain. Given that,
FQDNs must follow certain rules:
• The host name must be unique within the domain.
• The total length of an FQDN cannot exceed 253 characters, with each label (part
of the name defined by a period) no more than 63 characters (excluding the
periods).
• A DNS label should use letter, digit, and hyphen characters only. A label should
not start or end with a hyphen. Punctuation characters such as the period (.),
which separates labels, or the forward slash (/) cannot be used within a label.
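The following Python code is an added example (not from the study guide) that checks a name against the rules above and converts it to and from the DNS wire format, which is where the 253-character limit comes from: on the wire each label is preceded by a length byte and the name ends with a zero byte, for a maximum of 255 bytes. The sample names use the widget.example domain from the text; compression pointers, which real DNS messages use to avoid repeating names, are out of scope here.

```python
import re

# A label: letters, digits and hyphens only, 1 to 63 characters, and it may not
# start or end with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_fqdn(name, require_root=False):
    """Return a list of rule violations for name (an empty list means it is valid).
    require_root=True enforces the trailing period, as when writing name records."""
    problems = []
    if require_root and not name.endswith("."):
        problems.append("missing trailing period for the root")
    bare = name[:-1] if name.endswith(".") else name
    if len(bare) > 253:
        problems.append("total length %d exceeds 253 characters" % len(bare))
    for label in bare.split("."):
        if not label:
            problems.append("empty label (leading or doubled period)")
        elif len(label) > 63:
            problems.append("label %r exceeds 63 characters" % (label[:12] + "..."))
        elif not LABEL_RE.match(label):
            problems.append("label %r is not letters/digits/hyphens or starts/ends with a hyphen" % label)
    return problems


def to_wire(name):
    """Encode an FQDN as DNS wire format: length-prefixed labels ending in a zero byte.
    Invalid names are rejected; a valid result is at most 255 bytes."""
    problems = check_fqdn(name)
    if problems:
        raise ValueError("invalid FQDN: " + "; ".join(problems))
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def from_wire(buf, offset=0):
    """Decode one uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


if __name__ == "__main__":
    for candidate in ("nut.widget.example.", "-bolt.widget.example.", "wash_er.widget.example."):
        print(candidate, check_fqdn(candidate) or "ok")
    print(to_wire("nut.widget.example."))
```

A name of three 63-character labels plus one 61-character label is exactly 253 characters in text and exactly 255 bytes on the wire, so both limits are met at the same point; one more character in any label pushes both over.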
DNS Hierarchy
The Domain Name System (DNS) is a global hierarchy of distributed name server
databases that contain information on domains and hosts within those domains.
At the top of the DNS hierarchy is the root, which is represented by the null label,
consisting of just a period (.). There are 13 root server identities (named A to M),
each of which is operated as many anycast instances around the world.
Immediately below the root lie the top-level domains (TLDs). There are several
types of top-level domains, but the most prevalent are generic (such as .com, .org,
.net, .info, .biz), sponsored (such as .gov, .edu), and country code (such as .uk, .ca,
.de). The root zone and the delegation of TLDs are coordinated by ICANN (icann.org),
which also oversees the generic TLDs.
Country codes are generally managed by an organization appointed by the relevant
government.
Information about a domain is found by tracing records from the root down
through the hierarchy. The root DNS servers have complete information about the
top-level domain servers. In turn, these servers have information relating to servers
for the second level domains. No name server has complete information about all
domains. Records within the DNS tell them where an authoritative name server for
the missing information is found.
LICENSED FOR USE ONLY BY: EXEDIN NOT PROVIDED · 17274861 · OCT 15 2024
220 | The Official CompTIA Network+ Study Guide (Exam N10-009)
An FQDN reflects this hierarchy, from most specific on the left (the host’s resource
record with its name:IP address mapping) to least specific on the right (the TLD
followed by the root). An example is pc.corp.515support.com.
Most queries between name servers are performed as iterative lookups. This
means that a name server responds to a query with either the requested record or
the address of a name server at a lower level in the hierarchy that is authoritative
for the namespace. It makes no effort to try to make additional queries to locate
information that it does not have. In the figure, at steps 4 and 5, the root server and
.net name server simply pass the querying server the address of an authoritative
name server. They do not take on the task of resolving the original query for
www.515web.net.
A recursive lookup means that if the queried server is not authoritative, it does
take on the task of querying other name servers until it finds the requested record
or times out. The name servers listed in a client’s TCP/IP configuration accept
recursive queries. This is the type of querying performed by the
corp.515support.com name server.
Name server (NS) records identify authoritative DNS name servers for the zone. As
well as the primary name server, most zones are configured with secondary name
servers for redundancy and load balancing. Secondary name servers hold read-only
copies of resource records but can still be authoritative for the zone.
Both types of host records (A and AAAA) plus a CNAME record in Windows Server DNS.
(Screenshot courtesy of Microsoft.)
DNS uses the UDP transport protocol over port 53 by default, and a DNS message
carried over UDP is limited to 512 bytes unless the larger size is negotiated. Due
to the larger address sizes of IPv6, responses containing AAAA records can exceed
this limit. This can result in UDP packets being fragmented into several smaller
packets, and those fragments can be blocked by firewalls that are not configured
to expect them. Network administrators should check that their DNS servers can
accept these transmissions and that intermediary components are not blocking
them.
A canonical name (CNAME) (or alias) record is used to configure an alias for an
existing address record (A or AAAA). For example, the IP address of a web server
with the host record lamp could also be resolved by the alias www. CNAME records
are also often used to make DNS administration easier. For example, an alias can be
redirected to a completely different host temporarily during system maintenance.
Multiple different-named resource records can refer to the same IP address (and
vice versa in the case of load balancing).
A name server can be configured to allow automatic creation, updating, and deletion
of host records using Dynamic DNS (DDNS). DDNS allows a client or DHCP server to
configure records, rather than requiring the DNS server administrator to create and
update them manually. In Windows, running ipconfig /registerdns causes
a client to attempt to use DDNS.
A TXT record is used to store any free-form text that may be needed to support
other network services. A single domain name may have many TXT records, but
most commonly they are used as part of Sender Policy Framework (SPF) and
DomainKeys Identified Mail (DKIM). An SPF record is used to list the IP addresses
or names of servers that are permitted to send email from a particular domain
and is used to combat the sending of spam. DKIM records are used to decide
whether you should allow received email from a given source, preventing spam and
mail spoofing. DKIM uses digital signatures, verified with the public key published
in the domain's TXT record, to prove that a message really originated from the
domain it claims.
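An SPF check as a receiving mail server would perform it, added here as an example that is not from the study guide; the record, domain names, and A-record table are constructed stand-ins for DNS lookups, and only the ip4, ip6, a, and all mechanisms are evaluated:

```python
"""Evaluate a sender IP address against an SPF TXT record.

Added example (not from the study guide). Handles the ip4, ip6, a and all
mechanisms with their qualifiers; include, mx, exists and redirect need
further DNS lookups and are reported as permerror here. DNS A/AAAA lookups
are replaced by a constructed table so the code runs offline.
"""
import ipaddress

# SPF qualifier in front of a matching mechanism -> evaluation result.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: a domain's SPF record and the address records
# a resolver would return for the names it refers to.
SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 a:mail.widget.example -all"
SAMPLE_A_RECORDS = {"mail.widget.example": ["203.0.113.25"]}


def parse_spf(txt: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term and term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")  # first colon only: ip6 args contain colons
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_spf(txt: str, domain: str, sender_ip: str, a_records: dict) -> str:
    """Return pass/fail/softfail/neutral/permerror for sender_ip under the record."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(txt):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An ip4 term never matches an IPv6 sender and vice versa.
            matched = net.version == ip.version and ip in net
        elif mech == "a":
            # "a" with no argument refers to the domain being checked.
            host = (arg or domain).lower()
            matched = any(ipaddress.ip_address(r) == ip for r in a_records.get(host, []))
        else:
            # include/mx/exists/redirect require more DNS queries (RFC 7208);
            # this minimal evaluator does not follow them.
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for sender in ("198.51.100.9", "203.0.113.25", "192.0.2.1"):
        result = check_spf(SAMPLE_SPF, "widget.example", sender, SAMPLE_A_RECORDS)
        print(f"{sender:16} -> {result}")
```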
Pointer Records
A DNS server may have two types of zones: forward lookup and reverse lookup.
Forward lookup zones contain the resource records listed previously. For example,
given a name record, a forward lookup returns an IP address; an MX record
returns a host record associated with the domain’s mail services. Conversely, a
reverse DNS query returns the host name associated with a given IP address. This
information is stored in a reverse lookup zone as a pointer (PTR) record.
Reverse DNS querying uses a special domain named by the first three octets of
IP addresses in the zone in reverse order and appended with in-addr.arpa.
The name server is configured with a reverse lookup zone. This zone contains PTR
records consisting of the final octet of each host record. For example, the reverse
lookup for a host record containing the IP address 198.51.100.1 is:
1.100.51.198.in-addr.arpa
IPv6 uses the ip6.arpa domain; each of the 32 hex characters in the IPv6 address is
expressed in reverse order as a subdomain. For example, the IPv6 address:
2001:0db8:0000:0000:0bcd:abcd:ef12:1234
is represented by the following pointer record:
4.3.2.1.2.1.f.e.d.c.b.a.d.c.b.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
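Both reverse-name constructions as code, an added example that is not from the study guide; it also splits an address into the reverse lookup zone name and the PTR owner name relative to that zone for any prefix that is a whole number of labels, generalizing the /24 case in the text. The addresses are the text's own examples plus constructed ones.

```python
"""Build in-addr.arpa / ip6.arpa names and split them into zone and record.

Added example (not from the study guide). The standard library exposes the
same owner name as ip_address(...).reverse_pointer; it is spelled out here to
show the octet and nibble reversal described in the text.
"""
import ipaddress


def reverse_pointer_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # Four octets in reverse order under in-addr.arpa.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # Expand to the full 32 hex characters, then one nibble per label, reversed.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def split_reverse_name(address: str, prefixlen: int) -> tuple[str, str]:
    """Return (reverse lookup zone, PTR owner name relative to that zone).

    prefixlen is the length of the network prefix the zone covers; it must be
    a multiple of 8 for IPv4 (one octet per label) or 4 for IPv6 (one nibble).
    """
    ip = ipaddress.ip_address(address)
    bits_per_label = 8 if ip.version == 4 else 4
    if not 0 < prefixlen <= ip.max_prefixlen or prefixlen % bits_per_label:
        raise ValueError("prefix length must cover a whole number of labels")
    labels = reverse_pointer_name(address).split(".")
    address_labels = ip.max_prefixlen // bits_per_label  # 4 for IPv4, 32 for IPv6
    fixed = prefixlen // bits_per_label  # labels contributed by the prefix
    host_part = labels[: address_labels - fixed]  # most specific labels first
    zone_part = labels[address_labels - fixed :]  # prefix labels plus the arpa suffix
    return ".".join(zone_part), ".".join(host_part)


if __name__ == "__main__":
    # The two addresses from the text, plus a constructed /16 example.
    for addr, plen in (("198.51.100.1", 24),
                       ("2001:0db8:0000:0000:0bcd:abcd:ef12:1234", 64),
                       ("10.20.30.40", 16)):
        zone, owner = split_reverse_name(addr, plen)
        print(f"{addr}/{plen}\n  PTR name: {reverse_pointer_name(addr)}"
              f"\n  zone: {zone}\n  record: {owner}")
```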
• Secondary means that the server holds a read-only copy of the zone. This is
maintained through a process of replication known as a zone transfer from a
primary name server. A secondary zone would typically be provided on two or
more separate servers to provide fault tolerance and load balancing. Again, the
serial number is a critical part of the zone transfer process.
A name server that holds complete records for a domain can be defined as
authoritative. This means that a record in the zone identifies the server as a
name server for that namespace. Both primary and secondary name servers are
authoritative.
Servers that don’t maintain a zone (primary or secondary) are referred to as
cache-only servers. A non-authoritative answer from a server is one that derives
from a cached record, rather than directly from the zone records.
DNS Caching
Each resource record can be configured with a default time to live (TTL) value,
measured in seconds. This value instructs resolvers how long a query result can
be kept in cache. Setting a low TTL allows records to be updated more quickly but
increases load on the server and latency on client connections to services. Some
common TTL values include 300 (five minutes), 3,600 (one hour), 86,400 (one day),
and 604,800 (one week).
DNS caching is performed by both servers and client computers. In fact, each
application on a client computer might be configured to manage its own DNS cache.
For example, separate web browser applications typically maintain their own caches
rather than relying on a shared OS cache.
If there is a change to a resource record, server and client caching means that the
updated record can be relatively slow to propagate around the Internet. These
changes need to be managed carefully to avoid causing outages. Planning for a
record change involves reducing the TTL in the period before the change, waiting
for this change to propagate before updating the record, and then reverting to the
original TTL value when the update has safely propagated.
Companies must also provide name resolution services to support their internal
clients contacting other domains. The function of a resolver is to perform recursive
queries in response to requests from client systems (stub resolvers). If a name
server is not authoritative for the requested domain, it can either perform a
recursive query to locate an authoritative name server, or it can forward the
request to another name server. A recursive resolver must be configured with a
root hints file so that it can query the whole DNS hierarchy from the root servers
down. DNS servers should allow recursive queries only from authorized internal
clients. It is also a good idea to separate the DNS servers used to host zone records
from ones used to service client requests for non-authoritative domains.
It is possible for the same DNS server instance to perform in both name server and
resolver roles, but more typically these functions are separated to different servers for
security reasons.
DNS Security
DNS is a critical service that should be configured to resist spoofing and poisoning
attacks. These attacks mean that a threat actor changes the record returned by
a DNS query to point to a different IP address, potentially redirecting the victim
machine to connect to a malicious host.
The Key Signing Key for a particular domain is validated by the parent domain
or host ISP. The top-level domain trusts are validated by the Regional Internet
Registries, and the DNS root servers are self-validated, using a type of M-of-N
control group key signing. This establishes a chain of trust from the root servers
down to any particular subdomain.
• DNS over hypertext transfer protocol secure (DoH)—This also validates the
resolver certificate and encrypts the DNS traffic but does so by encapsulating
it within HTTP Secure packets. This uses the HTTPS standard port TCP/443,
which completely disguises the fact that the client is making DNS queries. The
downside is that the additional HTTP headers add overhead to each query and
response.
As well as protecting against malicious attacks, DoH and DoT provide better privacy.
Plain text queries can be read by anyone operating a network appliance in the path
between the client and resolver. Encrypting the queries and responses prevents this type
of snooping. Conversely, administrators of a corporate network need to ensure that
clients use authorized resolvers and will often prefer to monitor DNS traffic.
Lesson 6.6
DNS Troubleshooting
The Domain Name System (DNS) is critical for locating services and hosts on the
Internet and on corporate networks. SOHO and enterprise Linux and Windows
systems usually rely on DNS server infrastructure for name resolution and service
discovery. In the absence of DNS servers, network client machines will be unable
to log on or connect to services or servers. DNS problems can also affect external
websites and services. As a network technician, you will often be called upon to
troubleshoot issues with name resolution.
As you study this lesson, answer the following questions:
• What are the symptoms of name resolution problems?
• What is the role of the HOSTS file in the name resolution process?
While we are focusing on name resolution via DNS here, note that a host can use
multiple methods, especially on Windows workgroup networks. Link Local Multicast
Name Resolution (LLMNR) and Multicast DNS (mDNS) are modified forms of DNS that
allow clients to perform name resolution on a local link without needing a server.
Hosts have a system DNS configuration, but apps such as browsers might use separately
configured name servers.
Any text preceded by the # symbol in a HOSTS file is a comment and will not be
processed. To verify a name resolution problem, edit the HOSTS file and place the
correct name and IP address record in the file for the test host. When you ping that
name, if that is successful, it suggests a name resolution service problem.
3. Verify DNS records using the nslookup or dig tools. There might be some
discrepancy between the records returned by the resolver compared to the
records configured on the authoritative DNS server that maintains the zone.
Use the nslookup or dig utilities to check what records are returned by the
resolver. If trying to connect to an Internet resource, compare these records to
those returned by public resolvers (such as Google’s servers at 8.8.8.8). Consider
whether clients have cached a record that has been changed recently.
Reconfiguration of DNS records should be planned and implemented carefully to
avoid caching problems.
nslookup
Name resolution troubleshooting typically involves testing multiple clients and
servers. The use of caching and the distributed nature of the system means that
configuration errors can occur in several different places.
You might start investigating a name resolution issue by verifying the name
configured on a host. In Windows, you can use the command ipconfig /all
to display the FQDN of the local host. In Linux, you can use the command
hostname --fqdn.
On a local network, each host is normally configured with a DNS suffix. For example,
PC1 might be configured as part of a Windows network with the suffix ad.example.local.
If this suffix is not set correctly, some name queries could fail.
You can troubleshoot DNS name resolution with the nslookup command:
Host can be either a host name, domain name, FQDN, or IP address. DNSServer
is the IP address of a server used to resolve the query; the default DNS server is
used if this argument is omitted. Option specifies an nslookup subcommand. For
example, the following command queries Google’s public DNS server (8.8.8.8) for
information about 515support.com’s mail records:
The first two nslookup commands identify comptia.org’s MX and primary name server records
using Google’s public DNS resolver (8.8.8.8). Note that the answers are non-authoritative. The
third command queries CompTIA’s name server for the MX record. This answer is authoritative.
(Screenshot courtesy of Microsoft.)
dig
Domain Information Groper (dig) is a command line tool for querying DNS servers
that ships with the BIND DNS server software published by the Internet Systems
Consortium (ISC) (isc.org/downloads/bind).
dig can be run pointing at a specific DNS server; otherwise, it will use the default
resolver. Without any specific settings, it queries the DNS root zone. A simple query
uses the syntax: dig host. This will search for the address record for the host,
domain, or FQDN or PTR record for an IP address.
The following command example directs the resolve request to the specific DNS
server identified after the @ symbol. This can be an FQDN or IP address.
You can use dig on Windows by downloading the BIND DNS server package and
installing it using the tools-only option.
Module 6
Summary
You should be able to compare and contrast appropriate uses of TCP and UDP and
select appropriate tools to support and troubleshoot Transport layer issues.
You should be able to explain the uses and purposes of the network services
protocols DHCP and DNS.
• Understand that applications may use UDP for unreliable unicast, multicast, or
broadcast transmissions to minimize protocol overheads.
• Configure secure DHCP and DNS servers and ensure that all network hosts can
contact them, using DHCP relay where appropriate.
• Ensure DHCP servers are configured with accurate IP, default gateway, and DNS
server parameters for the scopes/subnets that they serve.
• If the address pool is limited, use short lease times to prevent address
exhaustion.
• Set up primary and secondary name servers to host records for your LAN. These
name services should be accessible only by authorized clients.
• Configure the appropriate host, MX, and service records for the forward lookup
zone on the primary server.
• For external DNS, consider using a third-party provider, ideally with a cloud
service, to ensure high availability. Without public DNS, your customers will not
be able to browse your websites or send you email.
• Set up a process for checking that your external DNS records are accurate and
working correctly.
Module 7
Explaining Application Services
Module Introduction
Where DHCP and DNS support basic network operations, other Application layer
protocols provide platforms for user-level services, such as websites, databases,
file/printer sharing, email, and voice/video calling.
You must be able to identify the ports used by these services and their performance
and security requirements so that you can assist with product deployments and
upgrades and perform basic troubleshooting.
Module Objectives
In this module, you will do the following:
• Explain the importance of time synchronization and the role of NTP.
• Explain how high availability services are provisioned using redundancy and load
balancing.
Lesson 7.1
Application Security and Time Synchronization
Many TCP/IP application protocols have been developed to meet the different
purposes of transferring files, exchanging messages, and publishing pages.
However, when TCP/IP protocols were being developed, it was assumed that
access to the network was sufficient security, so there were no mechanisms to
authenticate services and protect data as it crossed the network. On modern
networks, we have to assume that no network channel is entirely safe, so robust
application security is critical. Along with security, most application protocols also
require hosts to be synchronized to the same time. This is particularly important for
authentication and auditing functions. This lesson will help you to explain features
of the protocols that fulfill these security and synchronization functions.
As you study this lesson, answer the following questions:
• How do clients identify and authenticate application services, and how do
servers protect data exchanged with clients from snooping?
• What methods are available to synchronize network hosts to the same time?
TLS can also be used with UDP, referred to as Datagram Transport Layer Security (DTLS),
most often in virtual private networking (VPN) solutions.
To implement TLS, the server is installed with a digital certificate issued by some
trusted certificate authority (CA). When a client connects to a secure service,
a TLS handshake is performed. During the handshake, the server provides its
certificate to the client. The cryptographic data in the certificate proves the identity
of the server, assuming that the client also trusts the CA. The certificate contains the
public key part of a public/private encryption key pair. The private key is kept a
secret known only to the server.
If authentication is successful, the server and client use the key pair in the digital
certificate and a chosen cryptographic cipher suite within the TLS protocol to set
up an encrypted tunnel. Even though someone else might know the public key and
be in a position to record traffic passing between the server and client, they cannot
decrypt the contents of the tunnel without obtaining the server’s private key. This
means that the communications cannot be read or changed by a third party.
The latest versions of TLS can use a mechanism called Perfect Forward Secrecy (PFS).
When this is configured, not even obtaining the server’s private key allows decryption of
captured packets.
TLS has been developed through a number of versions, with TLSv1.3 being current
at the time of writing. A server and client must be able to agree on a compatible
version. As older versions can contain serious weaknesses, many servers are
configured to allow only TLSv1.3 or TLSv1.2. Additionally, the client and server must
be able to agree on a mutually supported cipher suite.
TLS itself was developed from an older protocol called Secure Sockets Layer (SSL). SSL is
now completely obsolete.
Client hosts (application servers and workstations) usually obtain the time by using
a modified form of the protocol called Simple NTP (SNTP). SNTP works over the
same port as NTP. A host that supports only SNTP cannot act as a time source for
other hosts. In Windows, the Time Service can be configured by using the w32tm
command. In Linux, the ntp package can be configured via /etc/ntp.conf.
Time drift is when a system’s clock begins to deviate from the source clock. NTP can
use two methods to deal with time drift:
• Slew method—If the time is off by only a few seconds, NTP adjusts the time a
few milliseconds at a time to get it back on track. Slewing is a slower, methodical
method of correcting the time, but the risk of problems occurring is much less.
• Slam method—If the time is off by more than a few seconds and slewing will
take too long, NTP will hard reset the time. While this is a quick and immediate
fix, slamming can cause some programs to not function properly.
If a server or host is configured with the incorrect time, it may not be able to access
network services. Authentication and other security mechanisms will often fail if the
time is not synchronized on both communicating devices. In this situation, errors
are likely to be generic failure or invalid token type messages. Always try to rule out
time synchronization as an issue early in the troubleshooting process.
If a local stratum 1 server cannot be implemented on the local network, the time source
can be configured using one or more public NTP server pools, such as time.google.com,
time.windows.com, time.apple.com, time.nist.gov, or pool.ntp.org.
When two clocks are connected, one interface has a timeTransmitter role, and
the other has a timeReceiver role. The grandmaster clock’s interfaces are always
timeTransmitter. A boundary clock would have the timeReceiver role on its interface
with the grandmaster and the timeTransmitter role on other interfaces. Ordinary
clock interfaces are usually timeReceiver.
Additionally, transparent clocks can be deployed. These can measure path delay
and adjust P2P messages to compensate.
PTP can also be deployed as a layer 3 protocol over IP, but it will not work as accurately
as a layer 2 implementation with PTP-compatible hardware-timestamping adapters and
switches.
Lesson 7.2
Web, File/Print, and Database Services
So far, you have studied lower-layer services and application protocols that enable
basic connectivity between nodes. Above these are the services that provide
useful functions to users, such as web browsing, file/print sharing, and databases.
The services that form part of the TCP/IP protocol suite are mostly client-server
protocols and applications. Client-server applications are based around a
centralized server that stores information and waits for requests from clients.
You need a good understanding of how these protocols are used so that you can
support them on your networks.
As you study this lesson, answer the following questions:
• How are secure service protocols distinguished from insecure ones?
• What specific protocols support publishing, file transfer, file/printer sharing, and
database access?
Using Firefox’s web developer tools to inspect the HTTP requests and response headers involved
in serving a typical modern webpage. (Screenshot courtesy of Mozilla Foundation.)
HTTP also features a forms mechanism (POST) that enables a user to submit data
from the client to the server. HTTP is nominally a stateless protocol; this means that
the server is not required to preserve information about the client during a session.
However, the basic functionality of HTTP servers is also often extended by support
for scripting and programmable features (web applications). Servers can also
set text file cookies to preserve session information. These coding features, plus
integration with databases, increase flexibility and interactivity, but also increase
the attack surface and expose more vulnerabilities.
Many argue that HTTP is a stateful protocol. Version 2 of HTTP adds more
state-preserving features
(blog.zamicol.com/2017/05/is-http2-stateful-protocol-application.html).
Web Servers
Most organizations have an online presence, represented by a website. In order
to run a website, it must be hosted on an HTTP server connected to the Internet.
Larger organizations or SMEs with the relevant expertise may host websites
themselves, but more typically, an organization will lease a server or space on a
server from an ISP. The following types of hosting packages are common:
• Dedicated server—The ISP allocates your own private server computer. This
type of service is usually unmanaged (or management comes at additional cost).
• Virtual private server (VPS)—The ISP allocates you a virtual machine (VM) on a
physical server. This is isolated from other customer instances by the hypervisor.
The main web server platforms are Apache, Microsoft Internet Information Services
(IIS), and NGINX.
HTTP Secure
Plaintext HTTP is highly vulnerable. A modern browser will warn users before
initiating an unencrypted connection (or may refuse such connections altogether).
HTTP protected by Transport Layer Security (TLS) is referred to as HTTP Secure
(HTTPS). HTTPS encrypted traffic is sent over TCP port 443 (by default), rather than
the open and unencrypted port 80. A web browser will open a secure session
to a server providing this service by using a URL starting with https://, and it will
also show a padlock icon in the address bar to indicate that the connection is
secure. The padlock icon allows inspection of the site’s security data, including the
certificate authority (CA) that issued the certificate.
In passive mode, the client opens a data port (again, typically n+1) and sends the
PASV command to the server’s control port. The server then opens a random high
port number and sends it to the client using the PORT command. The client then
initiates the connection between the two ports.
Active FTP poses a configuration problem for some firewalls, as the server is
initiating the inbound connection, but there is no way of predicting which port
number will be utilized. However, not all FTP servers and clients can operate in
passive mode. If this is the case, check that firewalls installed between the client
and server can support active FTP (stateful inspection firewalls).
Another problem is that the control connection can remain idle when the data
connection is in use, meaning that the connection can be “timed out” by the firewall
(or other routing device).
Another means of securing FTP is to use the connection security protocol SSL/TLS.
There are two means of configuring FTP over TLS:
• Explicit TLS (FTPES)—Use the AUTH TLS command to upgrade an insecure
connection established over TCP port 21 to a secure one. This protects
authentication credentials. The data connection for the actual file transfers can
also be encrypted (using the PROT command).
FTPS is tricky to configure when there are firewalls between the client and server.
Consequently, FTPES is usually the preferred method.
SMB has gone through several updates, with SMB3 as the current version. SMB1 has
very serious security vulnerabilities and is now disabled by default on current Windows
versions (docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/
detect-enable-and-disable-smbv1-v2-v3).
Database Services
A database provisions information in a format that can be read and updated
through some type of query language. There are two main types of databases.
Relational databases store information in tables with rows (records) and columns
(fields). Relationships between data fields in different tables are created using key
fields that uniquely identify each record. Relational databases are operated using
Structured Query Language (SQL). SQL defines commands such as SELECT to
retrieve information or UPDATE to change it.
SQL has been implemented in relational database management system (RDBMS)
platforms by several different vendors. As well as providing an implementation
of SQL, an RDBMS provides management tools and often a GUI to use to operate
the database. A remote access protocol allows a client to connect to the database
server over the network and allows replication traffic to move between database
servers. Replication is a means of synchronizing the data held on each server. Each
RDBMS uses a different TCP port to distinguish it as an application service:
• Oracle’s remote data access protocol SQL*Net uses TCP/1521.
• The open source MySQL platform uses TCP/3306. The MariaDB platform forked
from MySQL uses the same port.
These are the principal ports. An RDBMS is likely to use other TCP or UDP ports for
additional functions.
By default, these ports are insecure. However, the RDBMS server can be installed
with a certificate and configured to enable TLS transport encryption. The connection
is still made over the same port. Either the server or the client can be configured
to require encryption and drop the connection if a valid security profile is not
available. Optionally, the client can also be installed with a certificate and the server
configured to refuse connections from clients without a valid certificate.
The other type of database is referred to as NoSQL or “not only SQL.” Rather than
highly structured relational tables, NoSQL data can use a variety of formats, such as
key-value pairs or wide columns (where rows do not have to have the same set of
fields). NoSQL databases are typically accessed using an application programming
interface (API) over HTTPS.
All the RDBMS platforms also provide support for NoSQL datastores. There are also
dedicated NoSQL platforms, such as MongoDB, Amazon DynamoDB, and CouchDB.
Lesson 7.3
Email and Voice Services
• What is the difference between a hard VoIP phone and a soft VoIP phone?
The Simple Mail Transfer Protocol (SMTP) specifies how email is delivered from
one system to another. The SMTP server of the sender discovers the IP address
of the recipient SMTP server by using the domain name part of the recipient’s
email address. The SMTP servers for the domain are registered in DNS using mail
exchange (MX) and host (A/AAAA) records.
SMTP does not queue messages indefinitely. If there is a communication problem,
the SMTP server retries at regular intervals before timing out and returning a non-
delivery report (NDR) to the sender. The NDR will contain an error code indicating
the reason the item could not be delivered. SMTP provides no mechanism for the
persistent storage of messages.
SMTP communications can be secured using TLS. This works much like HTTPS with
a certificate on the SMTP server and a negotiation between client and server about
which cipher suites to use. There are two ways for SMTP to use TLS:
• STARTTLS—This is a command that upgrades an existing insecure connection to
use TLS. This is also referred to as explicit TLS or opportunistic TLS. This method
is now deprecated but does remain in widespread use.
Typical SMTP configurations use the following ports and secure services:
• Port 25—Used for message relay between SMTP servers, or message transfer
agents (MTAs). If security is required and supported by both servers, the
STARTTLS command can be used to set up the secure connection.
• Port 465—Used for SMTP Submission with implicit TLS. SMTP Submission is a
subset of SMTP that allows the message submission agent (MSA) part of a mail
client to transfer messages for delivery by a server.
• Port 587—Used for SMTP Submission with explicit TLS. Servers configured
to support port 587 should use STARTTLS and require authentication before
message submission.
Mail clients can use port 25 to submit messages to the server for delivery, but this is not
best practice. Use of port 25 is typically reserved for relay between servers.
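The port and TLS rules above, as an added example (not code from the study guide): a client-side policy that treats port 465 as implicit TLS, port 587 as explicit TLS that must see STARTTLS advertised before any credentials are sent, and port 25 as relay only. The EHLO replies are constructed samples; `connect()` uses Python's standard `smtplib` and is the only part that touches the network.

```python
import smtplib
import ssl
from typing import Optional, Set

# Constructed sample EHLO replies (RFC 5321 multi-line 250 responses), not
# captured from any real server.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def parse_ehlo(response: str) -> Set[str]:
    """Return the capability keywords advertised in an EHLO reply.

    Every line is '250-KEYWORD ...' (more lines follow) or '250 KEYWORD ...'
    (final line). The first line is the server greeting, not a capability.
    """
    caps = set()
    lines = [ln for ln in response.split("\r\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted")
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            caps.add(keyword)
    return caps


def submission_mode(port: int) -> str:
    """Map a port to the TLS mode the text associates with it."""
    if port == 465:
        return "implicit"   # TLS handshake first, then SMTP inside it
    if port == 587:
        return "explicit"   # plaintext EHLO, then STARTTLS upgrades the link
    if port == 25:
        raise ValueError("port 25 is MTA-to-MTA relay, not client submission")
    raise ValueError("not an SMTP submission port: %d" % port)


def may_authenticate(port: int, ehlo_response: str) -> bool:
    """Decide whether the client may send AUTH credentials on this connection.

    On 465 the connection was encrypted before EHLO, so the answer is yes.
    On 587 the answer is yes only if STARTTLS is advertised; if it is not,
    the upgrade cannot happen and the client must drop the connection rather
    than authenticate in the clear.
    """
    if submission_mode(port) == "implicit":
        return True
    return "STARTTLS" in parse_ehlo(ehlo_response)


def connect(host: str, port: int, context: Optional[ssl.SSLContext] = None):
    """Open a submission connection in the right mode (this one uses the network).

    On 587 it enforces the policy above with smtplib's own capability table:
    no STARTTLS advertised means the connection is closed, not continued.
    """
    context = context or ssl.create_default_context()
    if submission_mode(port) == "implicit":
        return smtplib.SMTP_SSL(host, port, context=context)
    client = smtplib.SMTP(host, port)
    client.ehlo()
    if not client.has_extn("starttls"):
        client.close()
        raise RuntimeError("STARTTLS not offered on %s:%d; refusing plaintext" % (host, port))
    client.starttls(context=context)
    client.ehlo()  # capabilities are re-advertised after the upgrade
    return client
```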
Internet Message Access Protocol (IMAP) is the most widely used mail retrieval
protocol. IMAP supports permanent connections to a server and connecting
multiple clients to the same mailbox simultaneously. It also allows a client to
manage the mailbox on the server (to organize messages in folders and to control
when they are deleted, for instance) and to create multiple mailboxes.
A client connects to an IMAP server over TCP port 143, but this port is insecure.
Connection security can be established using TLS. The default port for IMAPS is
TCP/993.
VoIP-Enabled PBX
TDM-based PBXes are being replaced by hybrid and fully IP/VoIP PBXes. For internal
calls and conferences, a VoIP PBX establishes connections between local VoIP
endpoints with data transmitted over the local Ethernet network. A VoIP PBX can
also route incoming and outgoing calls from and to external networks. This might
involve calls between internal and external VoIP endpoints, or with voice telephone
network callers and receivers. A VoIP PBX will also support features such as music
on hold and voicemail.
A TDM PBX is supplied as vendor-specific hardware. A VoIP PBX can be
implemented as software running on a Windows or Linux server. Examples
of software-based solutions include 3CX (3cx.com) and Asterisk (asterisk.org).
There are also hardware solutions, where the VoIP PBX runs on a router, such
as Cisco Unified Communications Manager (cisco.com/c/en/us/products/unified-
communications/unified-communications-manager-callmanager/index.html).
A VoIP PBX would normally be placed at the network edge and be protected by a
firewall. Internal clients connect to the PBX over Ethernet data cabling and switching
infrastructure, using Internet Protocol (IP) at the Network layer for addressing. The
VoIP PBX uses the organization’s Internet link to connect to a VoIP service provider,
which facilitates inward and outward dialing to voice-based telephone networks.
A VoIP PBX facilitates internal IP calls and calls to and from external VoIP networks and
the landline and cellular telephone networks. (Images © 123RF.com.)
VoIP Protocols
Voice and video services can be challenging to support because they require
response times measured in milliseconds (ms). Delayed responses will result in
poor call or video quality. This type of data can be one-way, as is the case with
media streaming, or two-way, as is the case with VoIP and VTC.
The protocols designed to support real-time services cover one or more of the
following functions:
• Session control—Used to establish, manage, and disestablish communications
sessions. They handle tasks such as user discovery (locating a user on the
network), availability advertising (whether a user is prepared to receive calls),
negotiating session parameters (such as use of audio/video), and session
management and termination.
There is also a tel: URI scheme allowing SIP endpoints to dial a landline or cell phone.
A tel: URI can either use the global (E.164) format (such as tel:+1-866-8358020) or a
local format (for internal extensions).
SIP typically runs over UDP or TCP ports 5060 (unsecured) and 5061 (SIP-TLS). SIP
has its own reliability and retransmission mechanisms and can thus be seen to
benefit most from the lower overhead and reduced latency and jitter of UDP. Some
enterprise SIP products use TCP anyway.
VoIP Phones
A VoIP/SIP endpoint can be implemented as software running on a computer or
smartphone or as a dedicated hardware handset. VoIP phones use VLAN tagging
to ensure that the SIP control and RTP media protocols can be segregated from
normal data traffic. In a typical voice VLAN configuration, the LAN port on the
handset is connected to the wall port, while the PC is connected to the PC port
on the handset. The two devices share the same physical link, but data traffic is
distinguished from voice traffic by configuring separate VLAN IDs.
Handsets can use Power over Ethernet (PoE), if available, to avoid the need for
separate power cabling or batteries. There are also wireless handsets that work
over 802.11 Wi-Fi networks.
Connection security for VoIP works in a similar manner to HTTPS. To initiate the
call, the secure version of SIP (SIPS) uses digital certificates to authenticate the
endpoints and establish a TLS tunnel. The secure connection established by SIPS
can also be used to generate a master key to use with the secure versions of the
transport and control protocols.
When you are installing a new handset, you should also test that the connection
works and that the link provides sufficient call quality. Most service providers have
test numbers to verify basic connectivity and perform an echo test call, which
replays a message you record so that you can confirm voice quality.
Lesson 7.4
Disaster Recovery and High
Availability
The services offered over a network use physical media and processing assets
installed at a single site. The site premises might be an office or datacenter. When
deploying services, it is critical to anticipate and mitigate issues that might arise
from disasters that prevent a site from working normally. The plans used to
minimize the risk of site-wide problems are referred to as business continuity, while
the plans used to mitigate these issues if they do occur are called disaster recovery.
At this stage in your career, you must understand the concepts and technologies
underpinning these plans so that you can assist with disaster recovery and high
availability planning and provisioning.
As you study this lesson, answer the following questions:
• What are the relationships among business continuity, disaster recovery, high
availability, fault tolerance, load balancing, and redundancy?
• What are the roles of hot, warm, and cold sites within disaster recovery?
• Train staff in the disaster planning procedures and how to react well to adverse
events.
Testing system resilience and incident response effectiveness is crucial for
organizations to recover from disruptions and maintain business continuity.
By conducting various tests, organizations can identify potential vulnerabilities,
evaluate the efficiency of their recovery strategies, and improve their overall
preparedness for real-life incidents.
A system where there is almost no scheduled downtime and outages are extremely
rare is also referred to as continuous availability. This sort of availability is required
when there is not just a commercial imperative, but a danger of injury or loss
of life associated with systems failure. Examples include networks supporting
medical devices, air traffic control systems, communications satellites, networked
autonomous vehicles, and smart traffic signaling systems.
The MTD metric sets the upper limit on the amount of recovery time that system
and asset owners have to resume operations. Additional metrics can be used to
govern recovery operations:
• Recovery time objective (RTO). This is the period following a disaster that an
individual IT system may remain offline. This represents the maximum amount
of time allowed to identify that there is a problem and then perform recovery
(restore from backup or switch in an alternative system, for instance).
• Recovery point objective (RPO). This is the amount of data loss that a system can
sustain, measured in time units. That is, if a database is destroyed by a virus, an
RPO of 24 hours means that the data can be recovered from a backup copy to a
point not more than 24 hours before the database was infected.
Any data that has been lost between the RPO and the present needs to either be
accepted as a loss or reconstructed.
• A warm site could be similar but with the requirement that the latest dataset
will need to be loaded.
• A cold site takes longer to set up. A cold site may be an empty building with
a lease agreement in place to install whatever equipment is required when
necessary.
Clearly, providing redundancy on this scale can be very expensive. Sites are often
leased from service providers. However, in the event of a nationwide emergency,
demand for the services is likely to exceed supply! Another option is for businesses
to enter into reciprocal arrangements to provide mutual support. This is cost-
effective but complex to plan and set up.
For many companies, the most cost-effective solution is to move processing and
data storage to a cloud site. A cloud operator should be able to maintain hot site
redundancy so that a disaster in one geographic area will not disrupt service,
because the cloud will be supported by a datacenter in a different region.
• Mean time to repair (MTTR) is a measure of the time taken to correct a fault so
that the system is restored to full operation. This can also be described as mean
time to replace or recover. MTTR is calculated as the total number of hours
of unplanned maintenance divided by the number of failure incidents. This
average value can be used to estimate whether a recovery time objective (RTO) is
achievable.
• Network links—If there are multiple paths between switches and routers, these
devices can automatically failover to a working path if a cable or network port is
damaged.
• Cluster services—A means of ensuring that the total failure of a server does not
disrupt services generally.
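The RTO, RPO and MTTR definitions above, worked through as an added example (not code from the study guide): MTTR is computed exactly as the text defines it (unplanned maintenance hours divided by failure incidents) and compared with the RTO, and RPO compliance is checked as the age of the last backup at the moment of each failure. The backup schedule and incidents are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Sequence


class Incident(NamedTuple):
    failed_at: datetime    # when the system went offline
    restored_at: datetime  # when it was back in full operation


def mttr_hours(incidents: Sequence[Incident]) -> float:
    """MTTR as the text defines it: total hours of unplanned maintenance
    divided by the number of failure incidents."""
    if not incidents:
        raise ValueError("MTTR is undefined without failure incidents")
    total = sum((i.restored_at - i.failed_at).total_seconds() for i in incidents)
    return total / 3600.0 / len(incidents)


def rto_achievable(incidents: Sequence[Incident], rto: timedelta) -> bool:
    """Use the MTTR average, as the text suggests, to estimate whether the
    RTO can realistically be met."""
    return mttr_hours(incidents) <= rto.total_seconds() / 3600.0


def rto_breaches(incidents: Sequence[Incident], rto: timedelta) -> List[Incident]:
    """Incidents whose own recovery time exceeded the RTO. An average inside
    the RTO can hide individual outages that missed it, so check both."""
    return [i for i in incidents if i.restored_at - i.failed_at > rto]


def latest_backup_before(backups: Sequence[datetime], moment: datetime) -> Optional[datetime]:
    """Most recent backup that completed before the failure, or None."""
    earlier = [b for b in backups if b < moment]
    return max(earlier) if earlier else None


def rpo_met(incident: Incident, backups: Sequence[datetime], rpo: timedelta) -> bool:
    """RPO is data loss measured in time: the gap between the last usable
    backup and the failure must not exceed it. Data created in that gap is
    lost or must be reconstructed, as the text describes."""
    last = latest_backup_before(backups, incident.failed_at)
    if last is None:
        return False
    return incident.failed_at - last <= rpo


# Constructed sample data: a nightly backup completing at 02:00 on 1-7 March
# 2024 and three unplanned outages during that week.
BACKUPS = [datetime(2024, 3, day, 2, 0) for day in range(1, 8)]
INCIDENTS = [
    Incident(datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 11, 0)),   # 2 h
    Incident(datetime(2024, 3, 4, 14, 0), datetime(2024, 3, 4, 20, 0)),  # 6 h
    Incident(datetime(2024, 3, 6, 1, 0), datetime(2024, 3, 6, 2, 0)),    # 1 h
]
RTO = timedelta(hours=4)
RPO = timedelta(hours=24)
TIGHT_RPO = timedelta(hours=12)
# An outage that predates every backup in the set: nothing to restore from.
UNBACKED_INCIDENT = Incident(datetime(2024, 2, 1, 0, 0), datetime(2024, 2, 1, 1, 0))


def report() -> dict:
    """Summarise the week against the RTO and RPO targets."""
    return {
        "mttr_hours": mttr_hours(INCIDENTS),
        "rto_achievable": rto_achievable(INCIDENTS, RTO),
        "rto_breaches": len(rto_breaches(INCIDENTS, RTO)),
        "rpo_met": [rpo_met(i, BACKUPS, RPO) for i in INCIDENTS],
    }


if __name__ == "__main__":
    print(report())
```

With this data the MTTR of 3 hours sits inside the 4-hour RTO, yet one outage took 6 hours, which is why the per-incident check is reported alongside the average.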
Load Balancers
Where NIC teaming allows load balancing at the component level, a load balancer
can be deployed as a hardware appliance or software instance to distribute client
requests across server nodes in a farm or pool. You can use a load balancer in any
situation where you have multiple servers providing the same function. Examples
include web servers, front-end email servers, and web conferencing, video
conferencing, or streaming media servers. The load balancer is placed in front of
the server network and distributes requests from the client network or Internet
to the application servers. The service address is advertised to clients as a virtual
server. This is used to provision services that can scale from light to heavy loads,
provision fault tolerant services, and to provide mitigation against distributed denial
of service (DDoS) attacks.
We are used to associating switches with layer 2 (Ethernet), but appliances can perform
switch-like forwarding at layer 3, layer 4, and layer 7. These are collectively referred to
as multilayer switches.
Virtual IP
For example, you might want to provision two load balancer appliances so that if
one fails, the other can still handle client connections. Unlike load balancing with
a single appliance, the public IP used to access the service is shared between the
two instances in the cluster. This is referred to as a virtual IP or shared or floating
address. The instances are configured with a private connection, on which each is
identified by its “real” IP address. This connection runs some type of redundancy
protocol, such as Common Address Redundancy Protocol (CARP), that enables the
active node to “own” the virtual IP and respond to connections. The redundancy
protocol also implements a heartbeat mechanism to allow failover to the passive
node if the active one should suffer a fault.
The same sort of topology can be used to deploy routers and firewalls for high
availability and load sharing.
Cisco also has the Gateway Load Balancing Protocol (GLBP), which allows for an active/
active load-balanced configuration.
Module 7
Summary
You should be able to explain the characteristics of common application ports and
protocols, especially in terms of security/encryption requirements.
• Configure web servers with a valid certificate issued by a locally trusted or public
certificate authority (CA) to enable HTTPS over TCP/443.
• Enable secure FTP on web servers, file servers, and appliances as a means of
transferring files securely. FTP can be secured using SSH (SFTP) or TLS (FTPES or
FTPS).
• Ensure that unencrypted local file and printer sharing services such as SMB are
used only on trusted local networks. Block the SMB ports (TCP/UDP/137–139 and
TCP/445) at the network perimeter. Ensure that legacy versions of the protocol
are disabled.
• Deploy database services for access by application servers, rather than being
directly accessible to client workstations and devices. Use access control lists to
block access to RDBMS ports TCP/1521 (Oracle SQL*Net), TCP/1433 (MS SQL),
TCP/3306 (MySQL/MariaDB), or TCP/5432 (PostgreSQL).
• Deploy SMTP servers to the network edge to transfer email messages to and
from external recipients over TCP/25. Use TCP/587 and TLS to allow mail clients
to submit messages for delivery securely. IMAP mailbox servers should be
deployed as secure version (TCP/993).
• Deploy VoIP/hybrid PBX with voice gateways to local and perimeter networks to
support legacy and packetized telephony devices. Configure VoIP endpoints to
use secure SIP (TCP/5061) for session control and RTP/RTCP for data transfer.
• Develop disaster recovery and high availability plans and provision supporting
resources:
• Test DR plans using tabletop exercises and validation tests, using the latter to
develop key metrics, such as MTD, RPO, RTO, MTTR, and MTBF.
Module 8
Supporting Network Management
Module Introduction
So far in this course, you have learned about all the different network media
and topologies plus the application protocols that go toward building network
connectivity and services. In this module, you will demonstrate use of tools and
management methods that will help you document network assets, determine
baselines, and optimize your network’s performance.
Module Objectives
In this module, you will do the following:
• Explain the use of configuration and change management documentation.
Lesson 8.1
Organizational Policies and
Documentation
Configuration Management
Running an efficient network is not just about installing cabling and network
devices. The administration of the network in terms of configuration
documentation, change management, and monitoring is a critical task.
Configuration management means identifying and documenting all the
infrastructure and devices installed at a site. It is a systematic approach to ensuring
that the desired state of an IT system is maintained throughout its lifecycle.
Configuration management is implemented using the following elements:
• Service assets are things, processes, or people that contribute to the delivery of
an IT service. Each asset must be identified by some sort of label.
A network appliance may also hold state information that has not been written to
a log and that will not be captured by a backup of the configuration file only. State
information includes data such as the MAC tables in switches or the NAT table in a
firewall. Advanced firewalls may contain additional data such as malware/intrusion
detection signatures. Some devices might log state data to an internal database
that can be backed up periodically. In other cases, if this information needs to be
preserved, the appliance should be configured to log state data to a remote server,
using a protocol such as syslog.
Change Management
A documented change management process minimizes the risk of configuration
drift and unscheduled downtime by implementing changes in a planned and
controlled way. The need to change is often described either as reactive, where the
change is forced on the organization, or as proactive, where the need for change
is initiated internally. Changes can also be categorized according to their potential
impact and level of risk (major, significant, minor, or normal, for instance).
In a formal change management process, the need for change and the procedure
for implementing the change is captured in a Request for Change (RFC) document.
The RFC will then be considered at the appropriate level, and affected stakeholders
will be notified. Major or significant changes might be managed as a separate
project and require approval through a Change Advisory Board (CAB).
Configuration changes should be made only when there is a service request ticket
authorizing the change. This means that the activity of all network personnel,
whether it be installing new devices or troubleshooting, is recorded in job logs.
In a fully documented environment, each task will be governed by a standard
operating procedure (SOP). A SOP sets out the principal goals and considerations,
such as budget, security, or customer contact standards, for performing a task and
identifies lines of responsibility and authorization for performing it. A SOP may also
contain detailed steps for completing a task in an approved way, or these steps may
be presented as work instructions.
Managing changes using a ticket system facilitates request process tracking. The
ticket documents request and approval, identifies stakeholders plus change and
rollback plans, and monitors progress through implementation and testing of the
change.
Inventory Tools
There are many software suites and associated hardware solutions available to
assist with managing inventory. An asset management database can be configured
to store as much or as little information as is deemed necessary, though typical
data would be type, model, serial number, asset ID, location, user(s), value, and
service information.
A product such as Lansweeper assists inventory management by scanning network hosts and
compiling an asset information database automatically.
(Screenshot used with permission from Lansweeper.)
Lifecycle Management
One of the functions supported by change management and inventory
documentation is system lifecycle management. A system lifecycle refers to the
managed acquisition, deployment, use, and decommissioning of assets. Up-to-date
inventory documentation can identify assets that are no longer fully supported by
the vendor or that otherwise no longer meet performance or security requirements.
When a manufacturer discontinues sales of a product, it enters an end of life
(EOL) phase in which support and availability of spares and updates become more
limited. An end of support (EOS) system is one that is no longer supported by
its developer or vendor. EOS products no longer receive security updates and so
represent a critical vulnerability if any remain in active use.
The exact terminology can vary between vendors. EOL is sometimes referred to as End
of Sale (EOS). If that is the case, End of Support can be referred to as End of Service Life
(EOSL).
Each type of firmware, OS, and applications software has vulnerabilities that
present opportunities for would-be attackers. As soon as a vulnerability is identified
in a supported product, the vendor will (or should) try to correct it. At the same
time, threat actors will try to exploit it. There can never be a single comprehensive
list of vulnerabilities for each bit of firmware or software, so you must stay up to
date with the system security advisories posted on vendor websites and in other
security reference sources. Patch management refers to the procedures put in
place to manage the installation of updates for hardware (firmware) and software.
A patch is a publicly released collection of updates. These can include fixes and feature
changes/improvements. A hotfix is a code change that addresses a specific issue that
can be applied without incurring downtime; conversely, a coldfix is one that requires the
software or host to be restarted. The term bugfix is usually reserved for issues that are
caught during product development and testing.
Most software and firmware version changes and updates are upward, toward
newer versions. Downgrading (or rollback) refers to reverting to a previous version
of the software or firmware. This might be necessary to fix a problem caused
by a recently upgraded or updated device or software. In some circumstances,
downgrading might not be possible. For instance, a network appliance might not
support downgrading to an earlier firmware version, and an OS might have to be
reinstalled completely. When applying a patch or upgrade, it is common practice to
make a configuration backup, in case settings must be reapplied after the update.
When downgrading, a configuration backup might not work because it may involve
settings not included in the earlier version.
Decommissioning
Each system also has a decommissioning phase of its lifecycle. When a server or
appliance is disposed of by resale, gift, or recycling, there is a risk that software
licenses could be misused or that configuration information valuable to an attacker
could be leaked. These risks can be mitigated by ensuring that the built-in factory
reset routine is invoked to wipe any custom configuration settings or modifications
when decommissioning a server, switch, router, firewall, or printer.
A factory reset may leave data remnants, however. Data remnant removal is
critical because an organization’s confidential data or personal/sensitive data held
could be compromised.
Data remnant removal refers to ensuring that no data is recoverable from hard disk
drives (HDDs), flash devices or solid state drives (SSDs), tape media, and CD and
DVD ROMs before they are disposed of or put to a different use. Paper documents
must also be disposed of securely. Data remnants can be dealt with either by
destroying the media or by sanitizing it (removing the confidential information but
leaving the media intact for reuse).
Methods of destroying media include incineration, pulverization, and degaussing
(for magnetic media such as hard drives).
Media sanitization refers to erasing data from HDD, SSD, and tape media before
they are disposed of or put to a different use. The standard method of sanitizing an
HDD is called overwriting. This can be performed using the drive’s firmware tools or
a utility program. The basic type of overwriting is called zero filling, which just sets
each bit to zero. Single-pass zero filling can leave patterns that can be read with
specialist tools. A more secure method is to overwrite the content with one pass
of all zeros, then a pass of all ones, and then one or more additional passes in a
pseudorandom pattern.
Secure Erase
Since 2001, the SATA and Serial Attached SCSI (SAS) specifications have included
a Secure Erase (SE) command. This command can be invoked using a drive/
array utility or the hdparm Linux utility. On HDDs, this performs a single pass of
zero-filling.
For SSDs and hybrid drives and some USB thumb drives and flash memory cards,
overwriting methods are not reliable, because wear-leveling routines in the
drive controller, rather than the software process accessing the device, decide
which physical locations are written. On SSDs, the SE command marks
all blocks as empty. A block is the smallest unit on flash media that can be given an
erase command. The drive firmware’s automatic garbage collectors then perform
the actual erase of each block over time. If this process is not completed (and there
is no progress indicator), there is a risk of remnant recovery, though this requires
removing the chips from the device to analyze them in specialist hardware.
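The overwriting method described under Media sanitization, as an added example (not code from the study guide): a zeros pass, a ones pass and a pseudorandom pass applied to a single file, each flushed to the device before the next starts, with a verification step after fixed-pattern passes. Running only the zeros pass mirrors the single-pass zero fill the text attributes to Secure Erase on HDDs. The sample file contents are constructed; as the Secure Erase section explains, this technique is only meaningful on magnetic media, not on SSDs or flash.

```python
import os
import tempfile
from typing import Dict, Sequence

CHUNK = 64 * 1024
# Pass patterns from the text: all zeros, all ones, then pseudorandom data
# (an empty pattern means "fill this pass from os.urandom").
PATTERNS = {"zeros": b"\x00", "ones": b"\xff", "random": b""}
DEFAULT_PASSES = ("zeros", "ones", "random")


def _write_pass(fd: int, size: int, pattern: bytes) -> None:
    """Overwrite `size` bytes from offset 0 with the pattern (or random data)
    and force the result to the device before the next pass starts."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if not pattern else pattern * n
        written = 0
        while written < n:                 # os.write may write partially
            written += os.write(fd, buf[written:])
        remaining -= n
    os.fsync(fd)


def overwrite_file(path: str, passes: Sequence[str] = DEFAULT_PASSES) -> int:
    """Run the requested passes over the file's existing contents in place.
    Returns the number of bytes covered by each pass."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        for name in passes:
            _write_pass(fd, size, PATTERNS[name])
        return size
    finally:
        os.close(fd)


def all_bytes_are(path: str, value: int) -> bool:
    """Verification step: true when every byte of the file equals `value`.
    Useful after a fixed-pattern pass; a random pass cannot be checked this way."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(value) != len(chunk):
                return False


def wipe_demo(passes: Sequence[str] = DEFAULT_PASSES) -> Dict[str, bool]:
    """Constructed sample: a temporary file holding a recognisable plaintext
    record, overwritten and then inspected. Returns the checks as booleans."""
    secret = b"ACME payroll export 2024;" * 4000   # ~100 KB of sensitive text
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    try:
        covered = overwrite_file(path, passes)
        with open(path, "rb") as f:
            after = f.read()
        return {
            "size_kept": covered == len(secret) == len(after),
            "secret_gone": b"payroll" not in after,
            "all_zero": all_bytes_are(path, 0x00),
            "all_ones": all_bytes_are(path, 0xFF),
        }
    finally:
        os.unlink(path)
```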
Cable Maps
A cable map or floor plan shows how wires are routed through conduit from
telecommunications closets to work areas. For example, you might use floor plans
to document wall port locations and cable runs in an office. Physically accurate
floor plans are hard to design and are likely to require the help of an architect or
graphics professional.
A port location diagram identifies how wall ports located in work areas are
connected back to ports in a distribution frame or patch panel and then from the
patch panel ports to the switch ports. Rack diagrams should also show how power
outlets on the uninterruptible power supply (UPS) connect to appliance power
supply units (PSUs).
In order for a physical diagram of cabling and assets to make any sense, there must be
a system of labeling in place for identifying these assets. A typical type of port naming
convention is for alphanumeric identifiers for the campus (for multicampus networks),
building (for campus networks), telecommunications space, and port. For example,
CB01-01A-D01 could refer to a cable terminating at Main Campus Building (CB01),
telecommunications space A on floor 1 (01A), and data port 1 (D01). Structured cable and
patch cords should be labeled at both ends to fully identify the circuit.
In addition to having a diagram, it can be very useful to take a photo of the current
configuration by using a digital camera or smartphone. This provides an additional
visual reference for troubleshooting and identifying unauthorized changes.
Wiring Diagram
A wiring diagram (or pin-out) shows detailed information about the termination of
twisted pairs in an RJ45 jack or Insulation Displacement Connector (IDC). You might
also use a wiring diagram to document how fiber optic strands are terminated.
You should document the wiring diagrams used to terminate twisted pairs. Ethernet
is wired by T568A or T568B, and the same standard should be used consistently
throughout the network.
Rack Diagrams
A rack diagram records the position of each appliance in the rack. You can obtain
stencils that represent vendor equipment from their websites or a collection such
as visiocafe.com. You can record key configuration information for each item
using labels. As well as service tags and port IDs and links, you should identify
which power outlets on the uninterruptible power supply (UPS) connect to which
appliance power supply units (PSUs).
Designing rack layout in Microsoft Visio. (Screenshot used with permission from Microsoft.)
• Logical (IP/layer 3)—IP addresses of router interfaces (plus any other static IP
assignments) and firewalls, plus links showing the IP network ID and netmask,
VLAN ID (if used), and DHCP scopes.
• Application—Server instances and TCP/UDP ports in use. You might also include
configuration information and performance baselines (CPU, memory, storage,
and network utilization) at this level.
Schematics can either be drawn manually using a tool such as Microsoft Visio or
compiled automatically from network mapping software.
Schematics can use either representative icons or pictures or drawings of actual
product models. As far as icons go, the ones created by Cisco are recognized as
standards. These are freely available (without alteration) from Cisco’s website
(cisco.com/c/en/us/about/brand-center/network-topology-icons.html). Some of the
more commonly used devices are shown here:
Common Cisco network icons. (Images © and Courtesy of Cisco Systems, Inc.
Unauthorized use not permitted.)
IP Address Management
An enterprise will have to manage hundreds or even thousands of IPv4 and IPv6
networks and subnets across a wide range of physical infrastructure. Maintaining
visibility into IP address assignments and name resolution across physical,
virtualized, and cloud infrastructure and incorporating network appliances, servers
and clients, plus mobile devices and “internet of things” devices is a challenging
task. Historically, IT departments might have tracked IP usage in static files such
as spreadsheets. IP address management (IPAM) software provides better
automation and oversight than these manually compiled lists.
The core function of IPAM is to scan DHCP and DNS servers and log IP address
usage to a database. Most suites can scan IP address ranges to detect use of
statically assigned addresses. Some IPAM software may also be able to scan
the hardware associated with an IP address (device fingerprinting) and save the
information to an asset inventory. IPAM software can often be used to manage and
reconfigure DHCP and DNS servers remotely.
The software also provides analysis tools to allow administrators to identify
overloaded DHCP scopes or to make more valuable public IP addresses available.
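The scope analysis described above can be modeled offline. The following Python script is an added example, not part of the study guide or of any IPAM product: it takes constructed scope definitions and a constructed list of addresses observed through a lease-table export and a range scan, measures how much of each dynamic pool is in use, flags scopes over a utilization threshold, and separates in-subnet addresses that fall outside the pool (statically assigned hosts) from addresses that do not belong to the scope at all. The scope names, addresses, and the 90% threshold are all assumptions.

```python
"""Report DHCP scope utilization and detect static addresses, as an IPAM suite would."""
import ipaddress

# Constructed scope definitions: the subnet plus the dynamic pool inside it.
SCOPES = {
    "office-floor1": {"network": "10.1.0.0/24", "pool": ("10.1.0.100", "10.1.0.199")},
    "voice":         {"network": "10.2.0.0/26", "pool": ("10.2.0.10", "10.2.0.59")},
}

# Constructed observations: DHCP lease table merged with a ping/ARP sweep of each scope.
OBSERVED = {
    "office-floor1": [f"10.1.0.{i}" for i in range(100, 150)] + ["10.1.0.7"],
    "voice":         [f"10.2.0.{i}" for i in range(10, 58)] + ["10.2.0.3", "10.2.0.60"],
}


def scope_report(scopes, observed, warn_at=0.90):
    """For each scope return pool size, leased count, utilization, static hosts and a status.

    warn_at is the utilization (0..1) above which a scope is reported as overloaded.
    """
    report = {}
    for name, cfg in scopes.items():
        net = ipaddress.ip_network(cfg["network"])
        lo, hi = (ipaddress.ip_address(a) for a in cfg["pool"])
        if lo not in net or hi not in net or lo > hi:
            raise ValueError(f"{name}: pool {cfg['pool']} is not inside {net}")
        pool_size = int(hi) - int(lo) + 1
        leased, static, foreign = [], [], []
        for ip_str in observed.get(name, []):
            ip = ipaddress.ip_address(ip_str)
            if ip not in net:
                foreign.append(ip_str)      # answered on this scope but belongs elsewhere
            elif lo <= ip <= hi:
                leased.append(ip_str)       # inside the dynamic pool: a lease
            else:
                static.append(ip_str)       # in-subnet but outside the pool: static assignment
        utilization = len(leased) / pool_size
        report[name] = {
            "pool_size": pool_size,
            "leased": len(leased),
            "utilization": round(utilization, 3),
            "static": sorted(static, key=ipaddress.ip_address),
            "foreign": foreign,
            "status": "overloaded" if utilization >= warn_at else "ok",
        }
    return report


if __name__ == "__main__":
    for name, row in scope_report(SCOPES, OBSERVED).items():
        print(f"{name:14s} {row['leased']:>3}/{row['pool_size']:<3} "
              f"{row['utilization']:.0%} {row['status']:10s} static={row['static']}")
```

A real IPAM tool would obtain the lease table from the DHCP server and the sweep results from its own scanner; the decision logic (pool utilization and in-subnet-but-outside-pool detection) is the same.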
Module 8: Supporting Network Management | Lesson 8.1
Common Agreements
Agreements are used between a company and its employees and between
companies to enforce performance and security objectives.
Nondisclosure Agreement
A nondisclosure agreement (NDA) is the legal basis for protecting information
assets. It defines what uses of sensitive data are permitted, what storage and
distribution restrictions must be enforced, and what penalties will be incurred by
breaches of the agreement. A contract of employment is highly likely to contain
NDA clauses. NDAs are also used between companies and contractors and between
two companies.
Memorandum of Understanding
A memorandum of understanding (MOU) is a preliminary or exploratory
agreement to express an intent to work together. MOUs are usually intended to be
relatively informal and not to act as binding contracts. MOUs almost always have
clauses stating that the parties shall respect confidentiality, however.
Lesson 8.2
Host Discovery and Monitoring
There are many types of network monitoring solutions. Discovery solutions enable
administrators to identify which hosts are connected. Availability and performance
monitoring verifies service status. Configuration monitoring protects against
unauthorized changes. While the capabilities of individual monitoring suites vary
widely, you should be able to explain the basic principles underlying these solutions
so that you can support their use.
As you study this lesson, answer the following questions:
• What solutions and tools are available to perform different monitoring
requirements?
Network Discovery
One of the management tasks facing a network administrator is to verify exactly
what is connected to the network and what is being communicated over it. This
is usually described as network discovery or visibility. Visibility is necessary to
confirm that servers and clients are in the correct VLANs or subnets and to try to
identify rogue or unauthorized machines. An IP scanner is a tool that performs
host discovery and can establish the overall logical topology of the network in terms
of subnets and routers.
IP scanning can be performed using lightweight standalone open source or
commercial tools. Examples include Nmap, Angry IP, or PRTG. Enterprise network
management suites will also perform IP scanning and combine that with asset or
inventory information about each host. This functionality is often referred to as IP
address management (IPAM). Suites that integrate with DHCP and DNS servers can
be referred to as DHCP, DNS, and IPAM (DDI).
Angry IP Scanner.
Nmap
The Nmap Security Scanner (nmap.org) is widely used for IP scanning, both as an
auditing and as a penetration testing tool. The tool is open-source software with
packages for most versions of Windows, Linux, and macOS. It can be operated with
a command line or via a GUI (Zenmap).
The basic syntax of an Nmap command is to give the IP subnet (or IP address) to
scan. When used without switches like this, the default behavior of Nmap is to ping
and send a TCP ACK packet to ports 80 and 443 to determine whether a host is
present. On a local network segment, Nmap will also perform ARP and Neighbor
Discovery (ND) sweeps. If a host is detected, Nmap performs a port scan against
that host to determine which services it is running. This OS fingerprinting can be
time consuming on a large IP scope. If you want to perform only host discovery,
you can use Nmap with the -sn switch to suppress the port scan. The tool can also
work out hop counts by specifying the --traceroute switch.
A variety of options are available for custom scans to try to detect stealthy hosts
(nmap.org/book/host-discovery-techniques.html).
• TCP connect (-sT)—A half-open scan requires Nmap to have privileged access
to the network driver so that it can craft packets. If privileged access is not
available, Nmap must use the OS to attempt a full TCP connection. This type of
scan is less stealthy.
• UDP scans (-sU)—Scan UDP ports. As these do not use ACKs, Nmap needs to
wait for a response or timeout to determine the port state, so UDP scanning can
take a long time. A UDP scan can be combined with a TCP scan.
• Port range (-p)—By default, Nmap scans 1,000 commonly used ports. Use the
-p argument to specify a port range. You can also use --top-ports n,
where n is the number of commonly used ports to scan. The frequency statistics
for determining how commonly a port is used are stored in the nmap-services
configuration file.
Half-open scanning with Nmap. (Screenshot used with permission from Nmap.)
When services are discovered, you can use Nmap with the -sV or -A switch
to probe a host more intensively to discover the software or software version
operating each port. The process of identifying an OS or software application from
its responses to probes is called fingerprinting.
The responses to network probes can be used to identify the type and version of the
host operating system. (Screenshot used with permission from Nmap.)
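Host discovery becomes useful for spotting rogue machines only when the scan result is reconciled against an inventory. The Python script below is an added example, not from the study guide or from the Nmap project: it parses the XML that Nmap writes with -oX (a constructed sample is embedded, not a real scan), keeps the hosts reported as up, and compares them with a constructed IPAM-style inventory of expected IP-to-MAC mappings. Hosts that are up but unknown, hosts whose MAC does not match the inventory, and inventory entries that did not answer are reported separately. The addresses, MACs, and inventory contents are assumptions.

```python
"""Reconcile Nmap host-discovery results (-sn -oX) against an asset inventory."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output from a ping sweep; not a real capture.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 10.1.0.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.1.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="Cisco Systems"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.1.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:05" addrtype="mac"/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.1.0.6" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.1.0.7" addrtype="ipv4"/>
    <address addr="de:ad:be:ef:00:07" addrtype="mac"/>
  </host>
</nmaprun>
"""

# Constructed asset inventory (an IPAM export): IP -> MAC that should be at that address.
INVENTORY = {
    "10.1.0.1": "00:11:22:33:44:01",
    "10.1.0.5": "00:11:22:33:44:05",
    "10.1.0.6": "00:11:22:33:44:06",
}


def parse_live_hosts(xml_text):
    """Return {ip: mac_or_None} for every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()   # MAC only present on the local segment
        if ip:
            hosts[ip] = mac
    return hosts


def classify_hosts(live, inventory, subnet):
    """Split live hosts into known, unknown (rogue candidates) and MAC mismatches.

    Also lists inventory entries inside `subnet` that did not answer.
    """
    net = ipaddress.ip_network(subnet)
    report = {"known": [], "unknown": [], "mac_mismatch": [], "missing": []}
    for ip, mac in sorted(live.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            continue
        expected = inventory.get(ip)
        if expected is None:
            report["unknown"].append(ip)
        elif mac is not None and mac != expected.lower():
            report["mac_mismatch"].append(ip)
        else:
            report["known"].append(ip)
    report["missing"] = sorted(
        ip for ip in inventory
        if ip not in live and ipaddress.ip_address(ip) in net)
    return report


if __name__ == "__main__":
    live = parse_live_hosts(SAMPLE_NMAP_XML)
    for key, ips in classify_hosts(live, INVENTORY, "10.1.0.0/29").items():
        print(f"{key:13s}: {', '.join(ips) or '-'}")
```

An unknown host is a candidate for investigation, not proof of a rogue device: a freshly deployed machine missing from the inventory produces the same result, which is why the scan output and the inventory should be kept in step.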
Discovery Protocols
Nmap is a relatively complex app that needs a Windows or Linux computer to run it.
Switch, router, and access point appliances can run simpler discovery protocols to
identify other devices on the same local (Data Link) network.
Output from show cdp neighbors command listing router physical interface plus subinterfaces
and a number of switches (these are actually VoIP handsets with embedded voice VLAN switches).
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
Performance Monitoring
Network monitoring tools fulfill a wide range of functions beyond host and service
discovery. As input, they can capture and analyze traffic, monitor interface and
device metrics, and consolidate log data. As output, they can alert you to events,
help you define baselines, analyze traffic patterns and congestion, determine
upgrade and forecast needs, and generate reports for management.
Performance Metrics
When you are monitoring a network host or appliance, several performance
metrics can tell you whether the host is operating normally:
• Bandwidth—This is the rated speed of all the interfaces available to the device,
measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary,
but the bandwidth of WAN and wireless links can change over time.
Baseline Metrics
Baseline metrics establish the level of resource utilization at a point in time, such
as when the system was first installed. This provides a comparison to measure
system responsiveness later. For example, if a company is expanding a remote
office that is connected to the corporate office with an ISP’s basic tier package, the
baseline can help determine if there is enough reserve bandwidth to handle the
extra user load, or if the basic package needs to be upgraded to support higher
bandwidths.
Reviewing baselines is the process of evaluating whether a baseline is still fit for
purpose or whether a new baseline should be established. Changes to the system
usually require a new baseline to be taken.
Availability Monitoring
An availability monitor triggers an alert or alarm if a host or service experiences
an outage or other unscheduled downtime. These tools are also referred to as
heartbeat monitors or uptime monitors. Most work by sending a probe to the target
service and checking for a non-error response. For example, an HTTP service should
return a 200 status code when a resource is available. Some monitors may also be
configured to check the expiry date of digital certificates.
When you are troubleshooting unresponsive service issues, they will usually
manifest with multiple clients being unable to connect. There can be any number of
underlying causes, but consider some of the following:
• The application or OS hosting the service has crashed (or there is a hardware or
power problem).
• There is congestion in the network, either at the client or server end (or both).
Use ping or traceroute to check the latency experienced over the link and
compare to a network performance baseline. Again, throttling connections or
bandwidth may help to ease the congestion until higher bandwidth links can be
provisioned.
• Network congestion or high host CPU/memory utilization may also be a sign that
the service is being subject to a denial of service (DoS) attack. Look for unusual
access patterns (for example, use GeoIP to graph source IP addresses by country
and compare to baseline access patterns).
If users on a LAN cannot connect to an external service, such as a cloud application, use
a site such as isitdownrightnow.com to test whether the issue is local to your network or
a problem with the service provider site.
Be proactive in monitoring service availability so that you can resolve problems before
they affect large numbers of clients.
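As an added example of the heartbeat probe described above (not code from the study guide), the Python script below starts a small constructed HTTP service on the loopback interface with one path that answers 200 and one that answers 503, then probes it the way an uptime monitor would: only a 200 response counts as up, while an HTTP error status and a connection failure or timeout are both treated as down, with the reason kept so the alert is meaningful. The paths and the use of an ephemeral port are assumptions for the demonstration.

```python
"""Heartbeat monitor: probe HTTP services and report any that do not answer 200."""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request


class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed test service: /health answers 200, anything else answers 503."""

    def do_GET(self):
        code = 200 if self.path == "/health" else 503
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if code == 200 else b"unavailable")

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_test_service():
    """Start the constructed service on a free loopback port; return (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_http(url, timeout=2.0):
    """Return (status, detail): 'up' only for HTTP 200, otherwise 'down' with the reason."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("up", f"HTTP {resp.status}")
    except urllib.error.HTTPError as e:            # server answered, but with an error code
        return ("down", f"HTTP {e.code}")
    except (urllib.error.URLError, OSError) as e:  # refused, unreachable, or timed out
        return ("down", f"no response ({e.__class__.__name__})")


def heartbeat(urls, timeout=2.0):
    """Probe every target once; return {url: (status, detail)} and the list to alert on."""
    results = {url: probe_http(url, timeout) for url in urls}
    alerts = [url for url, (status, _) in results.items() if status != "up"]
    return results, alerts


if __name__ == "__main__":
    server, port = start_test_service()
    base = f"http://127.0.0.1:{port}"
    results, alerts = heartbeat([f"{base}/health", f"{base}/broken"])
    for url, (status, detail) in results.items():
        print(f"{status:4s} {url} ({detail})")
    print("alert on:", alerts)
    server.shutdown()
    server.server_close()
```

A production monitor would repeat the probe on a schedule and usually require two or three consecutive failures before notifying, so that a single lost probe does not page anyone.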
Configuration Monitoring
Configuration management processes ensure that all network appliances are in a
known state. Recall that there are various configuration states:
• The baseline or golden configuration is a template for the state that a given
device should be in.
• The production configuration is the state that the device is actually in. Also,
a device could have a running configuration that is different from its startup
configuration.
Lesson 8.3
Simple Network Management Protocol
• Why doesn’t the community string provide security for SNMP devices?
SNMP Agents
The agent is a process (software or firmware) running on a switch, router, server,
or other SNMP-compatible network device. A device running an SNMP agent
is referred to as a managed device. The agent maintains a data store called a
management information base (MIB) that holds variables relating to the activity
of the device, such as the number of frames per second handled by a switch. Each
parameter stored in a MIB is referred to by a numeric Object Identifier (OID). OIDs
are stored within a tree structure. Part of the tree is generic to SNMP, while part can
be defined by the device vendor.
An agent is configured with the community string or community name of the
computers allowed to manage the agent and the IP address or host name of
the server running the management system. The community string acts as a
rudimentary type of password. An agent can pass information only to management
systems configured with the same community string. There are usually two
community strings: one for read-only access and one for read-write access (or
privileged mode).
SNMP Monitor
An SNMP monitor is management software that provides a location from which
you can oversee network activity. The monitor polls agents at regular intervals for
information from their MIBs and displays the information for review. It also displays
any trap operations as alerts for the network administrator to assess and act upon
as necessary. The monitor can retrieve information from a device in two main ways:
• Get—The software queries the agent for a single OID. This command is used by
the monitor to perform regular polling (obtaining information from devices at
defined intervals).
• Trap—The agent informs the monitor of a notable event, such as port failure.
The threshold for triggering traps can be set for each value.
The monitor can be used to change certain variables using the Set command. It can
also walk an MIB subtree by using multiple Get and Get Next commands. This is
used to discover the complete layout of an MIB. Device queries take place over UDP
port 161; traps are communicated over UDP port 162.
SNMP collects information from network devices for diagnostic purposes. (Images © 123RF.com.)
SNMP Security
Many networks run SNMP v2c. This protocol version has no support for robust
authentication or encryption. When using SNMP v2c, apply the following guidelines:
• SNMP v2c community strings are sent in plaintext and should not be
transmitted over the network if there is any risk of interception.
• Use difficult-to-guess community strings; never leave the community string blank
or set it to the default.
• Use access control lists to restrict management operations to known hosts (that
is, restrict to one or two host IP addresses).
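The agent, monitor, and community-string guidelines from the three sections above can be modeled in a few dozen lines. The following Python script is an added example, not from the study guide or from any SNMP implementation: it holds a constructed MIB as a table of OID strings (a few standard MIB-2 objects with made-up values plus a hypothetical enterprise object under 1.3.6.1.4.1.99999), implements Get, GetNext, and Set, and walks a subtree with repeated GetNext calls the way an SNMP monitor discovers a MIB layout. Two details matter for a real monitor: OIDs must be ordered numerically per component (so ifInOctets.10 sorts after ifInOctets.2, which plain string ordering gets wrong), and the agent should refuse requests from managers outside its ACL or without the right community string, checked separately for read-only and read-write. The community strings and manager address are assumptions.

```python
"""Toy SNMP agent model: OID tree, Get/GetNext/Set, subtree walk, community string and host ACL."""
from ipaddress import ip_address

# Constructed MIB. The first six OIDs are standard MIB-2 objects (values made up);
# the last is a hypothetical enterprise-specific object.
MIB = {
    "1.3.6.1.2.1.1.1.0": "Example Switch OS 1.0",   # sysDescr
    "1.3.6.1.2.1.1.3.0": 512345,                    # sysUpTime (timeticks)
    "1.3.6.1.2.1.1.5.0": "sw-core-01",              # sysName
    "1.3.6.1.2.1.2.2.1.10.1": 184467,               # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 98212,                # ifInOctets.2
    "1.3.6.1.2.1.2.2.1.10.10": 4410,                # ifInOctets.10
    "1.3.6.1.4.1.99999.1.0": "vendor-specific",     # hypothetical enterprise OID
}


def oid_key(oid):
    """OIDs order numerically per component: .10 comes after .2, not before it."""
    return tuple(int(x) for x in oid.split("."))


class Agent:
    def __init__(self, mib, communities, allowed_managers):
        self.mib = dict(mib)
        self.communities = communities                  # community string -> "ro" | "rw"
        self.allowed = {ip_address(h) for h in allowed_managers}
        self.sorted_oids = sorted(self.mib, key=oid_key)

    def _authorize(self, src, community, need):
        """ACL first, then community string; a ro community never satisfies a rw request."""
        if ip_address(src) not in self.allowed:
            raise PermissionError(f"manager {src} not in ACL")
        level = self.communities.get(community)
        if level is None or (need == "rw" and level != "rw"):
            raise PermissionError("community string not accepted")

    def get(self, src, community, oid):
        self._authorize(src, community, "ro")
        if oid not in self.mib:
            raise KeyError(oid)           # noSuchObject
        return self.mib[oid]

    def get_next(self, src, community, oid):
        """Return (next_oid, value) for the first OID after `oid`, or None at endOfMibView."""
        self._authorize(src, community, "ro")
        key = oid_key(oid)
        for candidate in self.sorted_oids:
            if oid_key(candidate) > key:
                return candidate, self.mib[candidate]
        return None

    def set(self, src, community, oid, value):
        self._authorize(src, community, "rw")
        if oid not in self.mib:
            raise KeyError(oid)
        self.mib[oid] = value


def walk(agent, src, community, subtree):
    """Repeated GetNext until the returned OID leaves the requested subtree."""
    prefix = oid_key(subtree)
    results, cur = [], subtree
    while True:
        nxt = agent.get_next(src, community, cur)
        if nxt is None or oid_key(nxt[0])[:len(prefix)] != prefix:
            break
        results.append(nxt)
        cur = nxt[0]
    return results


def is_denied(fn, *args):
    """True if the agent refuses the operation (demonstrates the ACL and community checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    agent = Agent(MIB, {"r0-ex4mple": "ro", "rw-ex4mple": "rw"}, ["10.1.0.50"])
    for oid, value in walk(agent, "10.1.0.50", "r0-ex4mple", "1.3.6.1.2.1.2.2.1.10"):
        print(oid, value)
    print("unknown manager denied:", is_denied(agent.get, "10.1.0.99", "r0-ex4mple", "1.3.6.1.2.1.1.5.0"))
```

The ACL and community checks model what SNMP v2c can offer; they do not make the community string anything more than a shared secret sent in plaintext, which is why the guidelines above also restrict where it may travel.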
Lesson 8.4
Event Management
• What is the role of security information and event management (SIEM) products?
Audit Logs
An audit log records use of authentication and authorization privileges. It will
generally record success/fail type events. An audit log might also be described as an
access log or security log. Audit logging might be performed at an OS level and at a
per-application level.
Audit logs typically associate an action with a particular user. This is one of the reasons
that it is critical that users not share logon details. If a user account is compromised,
there is no means of tying events in the log to the actual attacker.
Performance/Traffic Logs
Performance and traffic logs record metrics for compute, storage, and network
resources over a defined period.
The logging level configured on each host determines the maximum level at which
events are recorded or forwarded. For example, if the logging level for remote
forwarding is set to 4, events that are level 5, 6, or 7 are not forwarded.
An automated event management system can be configured to generate some
sort of alert. An alert can indicate when certain event types of a given severity are
encountered. Alerts can also be generated by setting thresholds for performance
counters. Examples include packet loss, link bandwidth drops, number of sessions
established, delay/jitter in real-time applications, and so on. Finally, an alert can
reveal an anomaly, or patterns of behavior or usage that are not consistent with
normal activity. Most network monitors also support heartbeat tests so that you can
receive an alert if a device or server stops responding to probes.
Setting alerts is a matter of balance. On the one hand, you do not want
performance to deteriorate to the point that it affects user activity; on the other
hand, you do not want to be overwhelmed by alerts.
You can also make a distinction between alerts and notifications. An alert means
that the system has matched some sort of pattern or filter that should be recorded
and highlighted. A notification means that the system sends a message to advertise
the occurrence of the alert. A low priority alert may simply be displayed in the
system dashboard. A high priority alert might use some sort of active notification
messaging, such as emailing a system administrator, sending a text message (SMS)
to a phone, or triggering a physical alarm signal.
There should be some process for acknowledging and dismissing alerts as they are
generated. A serious alert may need to be processed as an incident and assigned a
job ticket for formal investigation. If an alert is a false positive, it can be dismissed.
If the management system or dashboard is allowed to become cluttered with old
alerts, it is much more difficult to identify new alerts and gauge the overall status of
the network.
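The logging level, threshold alert, and alert-versus-notification behaviors described above can be demonstrated on a handful of messages. The Python script below is an added example, not from the study guide or from any vendor: it parses constructed RFC 3164-style syslog lines (the host names and message mnemonics are made up), decodes facility and severity from the <PRI> prefix, applies a forwarding level so that only events at or below the configured severity are passed on, raises an alert when a repeated message from one host crosses a count threshold within a time window, and routes each alert either to an active notification or only to the dashboard according to severity. The severity cut-offs used for routing are assumptions.

```python
"""Parse syslog PRI values, emulate a logging level filter, and raise alerts from thresholds."""
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample lines in RFC 3164 style; hosts and mnemonics are made up.
SAMPLE_LOG = """\
<187>Oct 15 10:01:02 sw-core-01 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
<189>Oct 15 10:01:03 sw-core-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/24, changed state to down
<190>Oct 15 10:01:05 sw-core-01 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.0.50 started
<191>Oct 15 10:01:06 sw-core-01 %CDP-7-PACKET: CDP packet received on Gi1/0/1
<188>Oct 15 10:02:00 fw-edge-01 %SEC-4-LOGIN_FAIL: failed login for admin from 10.9.9.9
<188>Oct 15 10:02:01 fw-edge-01 %SEC-4-LOGIN_FAIL: failed login for admin from 10.9.9.9
<188>Oct 15 10:02:02 fw-edge-01 %SEC-4-LOGIN_FAIL: failed login for admin from 10.9.9.9
<185>Oct 15 10:03:00 fw-edge-01 %SYS-1-CPURISING: CPU utilization 97% sustained
"""

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(text):
    """Return one dict per parseable line with facility, severity, time, host and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # a real collector would count unparseable lines
        facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
        events.append({"facility": facility, "severity": severity,
                       "time": m.group(2), "host": m.group(3), "msg": m.group(4)})
    return events


def forwarded(events, logging_level):
    """Emulate a remote-logging level: only events at or below the numeric level are sent."""
    return [e for e in events if e["severity"] <= logging_level]


def _seconds(tstamp):
    hh, mm, ss = tstamp.split()[-1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def threshold_alerts(events, pattern, count, window_s=60):
    """Alert when `pattern` appears `count` times from one host within `window_s` seconds."""
    alerts, recent = [], {}
    for e in events:
        if pattern not in e["msg"]:
            continue
        times = recent.setdefault(e["host"], [])
        times.append(_seconds(e["time"]))
        times[:] = [t for t in times if times[-1] - t <= window_s]   # drop out-of-window hits
        if len(times) >= count:
            alerts.append({"severity": 2, "host": e["host"], "time": e["time"],
                           "msg": f"{pattern} seen {len(times)} times within {window_s}s"})
            times.clear()                  # one burst produces one alert
    return alerts


def route(items, notify_at=2, dashboard_at=4):
    """Alert vs. notification: severe items page someone, moderate ones only go on the dashboard."""
    routed = {"notify": [], "dashboard": []}
    for e in items:
        if e["severity"] <= notify_at:
            routed["notify"].append(e)
        elif e["severity"] <= dashboard_at:
            routed["dashboard"].append(e)
    return routed


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(f"{len(forwarded(events, 4))} of {len(events)} events forwarded at level 4 (warning)")
    alerts = threshold_alerts(events, "LOGIN_FAIL", count=3)
    for bucket, items in route(events + alerts).items():
        for e in items:
            print(f"{bucket:9s} {SEVERITY_NAMES[e['severity']]:13s} {e['host']} {e['msg']}")
```

The window logic uses only the time of day, so a burst spanning midnight would be split; a collector working on full timestamps would not have that limitation.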
Log Reviews
Monitoring involves viewing traffic, protocols, and events in real time. Network
and log reviewing, or analysis, involves later inspection and interpretation of
the captured data to determine what was happening on the network during the
capture. Only referring to the logs after a major incident misses the opportunity to
identify performance problems or security issues early and to respond proactively.
Not all performance incidents will be revealed by a single event. One of the features
of log analysis and reporting software should be to identify trends. Examining
each event in a log file makes it difficult to spot a trend. Plotting data as a graph
is particularly helpful as it makes it easier to spot trends, spikes, or troughs in a
visualization of events rather than the raw data. Most performance monitors, log
collectors, and SIEMs can plot metrics in a graph.
Lesson 8.5
Packet Capture and Analysis
One of the critical tasks for network administrators is to identify and analyze the
traffic passing over network links. This information is used to troubleshoot network
services and to verify the security of the network.
As you study this lesson, answer the following questions:
• What is the difference between a packet capture tool and a packet analyzer?
Packet Capture
A protocol analyzer is one of the most important tools used for network support.
A protocol analyzer allows inspection of traffic received by a host or passing over a
network link. A protocol analyzer depends on a packet sniffer. A sniffer captures
frames moving over the network medium.
Often the terms “sniffer” and “protocol analyzer” are used interchangeably, but be
aware that they might be implemented separately.
A basic software-based sniffer installed on a host interrogates the frames received
by the network adapter by installing a special driver. This allows the frames to be
read from the network stack and saved to a file on disk. Sniffers also support
filters to reduce the amount of data captured.
There are three main options for connecting a sniffer to the appropriate point in the
network:
• SPAN (switched port analyzer)/port mirroring—This means that the sensor
is attached to a specially configured port on the switch that receives copies
of frames addressed to nominated access ports (or all the other ports). This
method is not completely reliable. Frames with errors will not be mirrored, and
frames may be dropped under heavy load.
• Passive test access point (TAP)—This is a box with ports for incoming and
outgoing network cabling and an inductor or optical splitter that physically
copies the signal from the cabling to a monitor port. There are types for copper
and fiber optic cabling. Unlike a SPAN, no logic decisions are made so the
monitor port receives every frame—corrupt or malformed or not—and the
copying is unaffected by load.
A TAP will usually output two streams to monitor a full-duplex link (one channel
for upstream and one for downstream). Alternatively, there are aggregation TAPs,
which rebuild the streams into a single channel, but these can drop frames under
very heavy load.
tcpdump
tcpdump is a command line packet capture utility for Linux, providing a user
interface to the libpcap library. The basic syntax of the command is:
tcpdump -i eth0
...where eth0 is the interface to listen on (you can substitute with the keyword
any to listen on all interfaces of a multi-homed host). The utility will then display
captured packets until halted manually (by pressing Ctrl+C). The operation of the
basic command can be modified by switches. For example, the -w and -r switches
write output to a file and read the contents of a capture file respectively. The -v,
-vv, and -vvv switches can be used to increase the amount of detail shown about
each frame, while the -e switch shows the Ethernet header.
tcpdump is often used with some sort of filter expression:
• Type—Filter by host, net, port, or portrange.
Refer to tcpdump.org for the full help and usage examples. ngrep (github.com/jpr5/
ngrep) is another useful packet capture and analysis tool. As well as the standard filter
syntax, it supports use of regular expressions (regexr.com) to search and filter capture
output. You can also use the netcat tool (nmap.org/ncat) to copy network traffic from
one host to another for analysis.
Protocol Analyzers
A protocol analyzer works in conjunction with a packet capture or sniffer tool.
You can either analyze a live capture to analyze frames as they are read by a sniffer
or open a saved capture (.pcap) file. Most protocol analyzer tools bundle a sniffer
component with the analyzer in the same software package.
One function of a protocol analyzer is to parse each frame in a stream of traffic
to reveal its header fields and payload contents in a readable format. Analyzing
protocol data at the frame or packet level will help to identify protocol or service
misconfigurations. Wireshark (wireshark.org) is an open source graphical packet
capture and analysis utility, with installer packages for most operating systems.
Having chosen the interfaces to listen on, the output is displayed in a three-pane
view, with the top pane showing each frame, the middle pane showing the fields
from the currently selected frame, and the bottom pane showing the raw data from
the frame in hex and ASCII.
As a live stream or capture file can contain hundreds or thousands of frames, you
can use display filters to show only particular frames or sequences of frames.
Another useful option is to use the Follow TCP Stream context command to
reconstruct the packet contents for a TCP session.
Another function of a protocol analyzer is to perform traffic analysis. Rather than
reading each frame individually, you use the tool to monitor statistics related to
communications flows, such as bandwidth consumed by each protocol or each
host, identifying the most active network hosts, monitoring link utilization and
reliability, and so on. In Wireshark, you can use the Statistics menu to access traffic
analysis tools.
Using the Protocol Hierarchy tool in Wireshark to view the most active protocols on a network link.
This sort of report can be used to baseline network activity. (Screenshot courtesy of Wireshark.)
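Parsing each frame into its header fields, as a protocol analyzer does, and applying a tcpdump-style host/port filter can be shown on a capture file built in memory. The following Python script is an added example, not from the study guide, tcpdump, or Wireshark: it constructs a tiny classic pcap file of four Ethernet/IPv4 frames (addresses, ports, and payloads are made up, and checksums are left at zero), then reads the pcap container, decodes the Ethernet, IPv4, and TCP/UDP headers, and filters the records the way the expressions host and port do. It handles both pcap byte orders and rejects pcapng and non-Ethernet captures rather than misreading them.

```python
"""Minimal pcap reader: decode Ethernet/IPv4/TCP|UDP headers and apply a host/port filter."""
import socket
import struct


# --- constructed capture -----------------------------------------------------
def _eth_ipv4(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build one Ethernet + IPv4 + TCP/UDP frame (checksums zero: fine for a synthetic file)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:   # TCP: ports, seq, ack, data offset 5 words, flags ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x10, 65535, 0, 0)
    else:            # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in the classic pcap container (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _eth_ipv4("10.1.0.5", "10.1.0.50", 6, 51234, 443, b"\x16\x03\x01"),
    _eth_ipv4("10.1.0.50", "10.1.0.5", 6, 443, 51234, b"\x16\x03\x03"),
    _eth_ipv4("10.1.0.5", "10.1.0.53", 17, 40000, 53, b"\x12\x34\x01\x00"),
    _eth_ipv4("10.1.0.9", "10.1.0.50", 6, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
])


# --- reader / decoder --------------------------------------------------------
def read_pcap(data):
    """Yield (timestamp, frame_bytes) per record; handles both byte orders of the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated record")
        off += incl
        yield ts_sec + ts_usec / 1e6, frame


def decode(frame):
    """Decode Ethernet + IPv4 + TCP/UDP headers into a dict; non-IPv4 frames return None."""
    if len(frame) < 34:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    rec = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"),
           "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto))}
    l4 = ip[ihl:total_len]
    if proto in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8      # TCP data offset vs fixed UDP header
        rec["payload_len"] = len(l4) - hdr
    return rec


def matches(rec, host=None, port=None):
    """tcpdump-style 'host X and port N': either direction counts."""
    if host and host not in (rec["src"], rec["dst"]):
        return False
    if port and port not in (rec.get("sport"), rec.get("dport")):
        return False
    return True


def summarize(pcap_bytes, host=None, port=None):
    """Decoded records from the capture that pass the optional host/port filter."""
    return [rec for rec in (decode(f) for _, f in read_pcap(pcap_bytes))
            if rec and matches(rec, host, port)]


if __name__ == "__main__":
    for r in summarize(SAMPLE_PCAP, host="10.1.0.5"):
        print(f"{r['src']}:{r.get('sport')} > {r['dst']}:{r.get('dport')} "
              f"{r['proto']} len={r.get('payload_len')}")
```

The decoder stops at the transport header, which is exactly the metadata a flow exporter keeps; the payload bytes are what a full analyzer such as Wireshark would go on to dissect.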
Lesson 8.6
Traffic Monitoring
• How does traffic shaping ensure quality of service for real-time applications?
Bandwidth
Bandwidth is the amount of information that can be transmitted, measured in bits
per second (bps), or some multiple thereof. Bandwidth expresses the available
capacity of the link. When monitoring, you need to distinguish between the nominal
data link/Ethernet bit rate, the throughput of a link at layer 3, and the goodput
available to an application.
Bandwidth for audio depends on the sampling frequency (Hertz) and bit depth of
each sample. For example, early digital telecommunications links were based on
64 Kbps channels. This was derived through the following calculation:
• The voice frequency range is 4,000 Hz. This must be sampled at twice the rate to
ensure an accurate representation of the original analog waveform.
• The sample size is 1 byte (or 8 bits). Therefore, 8 kHz × 8 bits = 64 Kbps.
For VoIP, bandwidth requirements for voice calling can vary, but allowing 100 Kbps
per call upstream and downstream should be sufficient in most cases.
Bandwidth required for video is determined by image resolution (number of pixels),
color depth, and the frame rate, measured in frames per second (fps).
Bottlenecks
A bottleneck is a point of poor performance that reduces the productivity of the
whole network. A bottleneck may occur because a device is underpowered or faulty.
It may also occur because of user or application behavior. To identify the cause of a
bottleneck, you need to identify where and when on the network overutilization or
excessive errors occur. If the problem is continual, it is likely to be device related; if
the problem only occurs at certain times, it is more likely to be user or application
related.
Packet Loss
Packet loss is expected but only to a degree. The larger the network, the more
likely you are to lose packets during heavy traffic periods. If you run a packet
sniffer on the affected segment, high numbers of TCP retransmission and duplicate
acknowledgments are strong indicators of packet loss. Knowing where and when
the packet loss occurs can direct you to the device that is dropping the frames.
Reasons packets are dropped can include the following:
• A server, router, or switch is overloaded.
Also, if you run a packet capture, Wireshark gives each packet a timestamp relative
to the very first frame captured. This can be used to find the delays in a TCP
conversation during a session between two devices. You can plot a sequence graph
(using the Statistics tab on Wireshark’s menu) to visually
represent how this delay behaves. The line should have a gradual, steady increase
upward to the right. An optimal network should show small gaps between each
transmission. The longer the gap and more jagged the graph, the more latency is
being introduced.
Interface Statistics
To diagnose a performance issue due to congestion, bottlenecking, bandwidth,
or packet loss, you must collect data and configure alerts for interface statistics,
whether on a network adapter or switch or router port.
• Utilization—The data transferred over a period. This can either be measured
as the amount of data traffic both sent and received (measured in bits or bytes
per second or a multiple thereof) or calculated as a percentage of the available
bandwidth.
You also need to differentiate between average utilization and peak utilization. If
average utilization is around 80%, it may appear that there is sufficient bandwidth.
However, if peak utilization often spikes to 100%, then that will manifest as delay and
packet loss and may require that you upgrade the link. Monitoring the queue length can
help to determine whether the link is a bottleneck.
• Error rate—The number of packets per second that cause errors. Errors may
occur as a result of interference or poor link quality causing data corruption in
frames. In general terms, error rates should be under 1%; high error rates may
indicate a driver problem if a network media problem can be ruled out.
Some vendors may use the terms “discard” for frames that are rejected because of
errors or security policies and “drop” for frames that are lost due to high load, but often
the terms are used interchangeably.
Flow Data
As well as monitoring individual interface statistics, diagnosing performance issues
depends on detailed information about network traffic flows. A packet analyzer
can be used to measure network traffic statistics, but trying to record each frame
imposes a heavy processing overhead on the network tap or mirror port. Collecting
just the packet metadata, rather than the whole packet payload, reduces the
bandwidth required by the sniffer. Technologies such as Cisco’s NetFlow (cisco.
com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html) gather traffic flow
data only and report it to a structured database. These technologies can also use
sampling to further reduce processing demands. NetFlow has been redeveloped as
the IP Flow Information Export (IPFIX) IETF standard (tools.ietf.org/html/rfc7011).
Using NetFlow involves deploying three types of components:
• A NetFlow exporter is configured on network appliances (switches, routers, and
firewalls). Each flow is defined on an exporter. A traffic flow is defined by packets
that share the same characteristics, such as IP source, destination addresses,
and protocol type. These five bits of information are referred to as a 5-tuple. A
7-tuple flow adds the input interface and IP type of service data. Each exporter
caches data for newly seen flows and sets a timer to determine flow expiration.
When a flow expires or becomes inactive, the exporter transmits the data to a
collector.
This type of test can have a substantial impact on performance. Schedule this type of
testing when the network is otherwise unused.
Throughput Testers
One fairly simple way to measure network throughput is to transfer a large file
between two hosts. To determine your network throughput using this method,
simply divide the file size by the amount of time taken to copy the file. For example,
if you transfer a 1 GB file in half an hour, the throughput can be calculated as
follows:
• 1 gigabyte is 1,024x1,024x1,024 bytes (1,073,741,824 bytes or 8,589,934,592 bits).
• 8,589,934,592 bits in 1,800 seconds is 4,772,186 bits per second or 4.55 Mbps.
This method derives a value that is different from the nominal data rate. Because
two hosts are transferring the files between one another, it is the Application layers
that handle the file transfer. The intervening layers on both hosts add complexity
(headers) and introduce inaccuracy, such as corrupt frames that have to be
retransmitted.
Several software utilities, such as iperf (iperf.fr), Ttcp (linux.die.net/man/1/ttcp), and
BWPing (bwping.sourceforge.io), can be used to automate this testing process. An
instance of the tool is configured on two network hosts, and the tools measure the
throughput achieved between the sender and the listener.
iperf3 transfer report showing bitrate, jitter, and packet loss. (Screenshot courtesy of iperf.)
Top Talkers/Listeners
Top talkers are the interfaces generating the most outgoing traffic (in terms of
bandwidth), while top listeners are the interfaces receiving the most incoming
traffic. Identifying these hosts and the routes they are using is useful in identifying
and eliminating performance bottlenecks. Most network analyzer software comes
with filters or built-in reporting to identify top talkers or top listeners.
The Endpoints report in Wireshark can be used to identify top talkers and top listeners.
(Screenshot courtesy of Wireshark.)
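The flow cache and expiry timers described in the Flow Data section, together with the top talkers/listeners report that a collector builds from the exported records, as an added example that is not part of this guide or of NetFlow/IPFIX itself. The packet records, the 15-second inactive and 60-second active timeouts and the byte counts are constructed for the demo; real exporters also terminate TCP flows on FIN/RST and can sample packets rather than meter every one.

```python
"""Toy flow exporter in the NetFlow/IPFIX style, plus a top talkers/listeners
report. Added example: the packet records, timeouts and byte counts are
constructed, not taken from any vendor implementation."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet metadata only (no payload), as a tap or mirror port would
# feed to a metering process: (time_s, src_ip, dst_ip, proto, src_port, dst_port, bytes)
PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1500),
    (0.5, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1500),
    (1.0, "10.0.0.7", "10.0.0.53", 17, 40000, 53, 80),
    (1.2, "10.0.0.53", "10.0.0.7", 17, 53, 40000, 120),
    (2.0, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1500),
    (20.0, "10.0.0.9", "198.51.100.1", 6, 52000, 80, 600),
    (21.0, "10.0.0.9", "198.51.100.1", 6, 52000, 80, 600),
    (40.0, "10.0.0.9", "198.51.100.1", 6, 52000, 80, 600),
]


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowExporter:
    """Caches flows keyed by 5-tuple and exports a record when a flow expires.

    Two timers are used, as real exporters do (the values are assumptions):
    an inactive timeout (no packets seen for N seconds) and an active timeout
    that forces a record out of long-lived flows so the collector is not
    blind to them until they end."""

    def __init__(self, inactive_timeout=15.0, active_timeout=60.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache = {}        # 5-tuple -> Flow
        self.exported = []     # (5-tuple, Flow) records sent to the collector

    def observe(self, ts, src, dst, proto, sport, dport, size):
        self.expire(ts)
        key = (src, dst, proto, sport, dport)
        flow = self.cache.get(key)
        if flow is None:
            flow = self.cache[key] = Flow(first_seen=ts, last_seen=ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += size

    def expire(self, now):
        for key, flow in list(self.cache.items()):
            idle = now - flow.last_seen
            age = now - flow.first_seen
            if idle >= self.inactive_timeout or age >= self.active_timeout:
                self.exported.append((key, self.cache.pop(key)))

    def flush(self):
        """Export everything still cached (e.g. at shutdown); return all records."""
        for key in list(self.cache):
            self.exported.append((key, self.cache.pop(key)))
        return self.exported


def _rank(records, index, n):
    totals = defaultdict(int)
    for key, flow in records:
        totals[key[index]] += flow.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_talkers(records, n=3):
    """Hosts sending the most bytes (key index 0 is the source IP)."""
    return _rank(records, 0, n)


def top_listeners(records, n=3):
    """Hosts receiving the most bytes (key index 1 is the destination IP)."""
    return _rank(records, 1, n)


def run_demo():
    exporter = FlowExporter()
    for packet in PACKETS:
        exporter.observe(*packet)
    return exporter.flush()


if __name__ == "__main__":
    records = run_demo()
    for key, flow in records:
        print(key, flow.packets, "pkts", flow.octets, "bytes")
    print("top talkers:", top_talkers(records))
    print("top listeners:", top_listeners(records))
```

Note that the 10.0.0.9 web session appears twice in the export because its second packet gap exceeds the inactive timeout; a collector that wants per-conversation totals must re-aggregate records by 5-tuple, which is also why the top talkers report sums octets across records rather than counting them.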
Bandwidth Management
Latency and jitter on the Internet are difficult to control because of the number
of different parties that are involved (both caller networks plus any ISP transit
networks). On a local network, delay is typically caused by congestion and
contention:
• Congestion is where the network infrastructure is not capable of meeting the
demands of peak load and starts to queue or drop packets.
• Contention is the ratio between demand for a service and its available capacity.
For example, if 100 video conferencing hosts each requiring 10 Mbps share a
1 Gbps link, the contention ratio is 1:1 (100 * 10 Mbps = 1 Gbps). If there are
200 such hosts, the ratio is 2:1. Contention is a planning issue. You might not
expect all 200 hosts to be running conferences at the same time, and so you
may accept the 2:1 ratio. You would use monitoring to determine if the ratio
changes (if there are more hosts or they start to require more bandwidth).
Differentiated Services
The Differentiated Services (DiffServ) framework classifies each packet
passing through a device. Router policies can then be defined to use the packet
classification to prioritize the delivery. DiffServ is an IP (layer 3) service tagging
mechanism. It uses the Type of Service field in the IPv4 header (Traffic Class in IPv6).
The field is populated with a 6-byte DiffServ Code Point (DSCP) by either the sending
host or by the router. Packets with the same DSCP and destination are referred
to as behavior aggregates and allocated the same Per Hop Behavior (PHB) at each
DiffServ-compatible router.
DiffServ traffic classes are typically grouped into three types:
• Best Effort—The default class, for traffic with no particular priority requirement.
• Assured Forwarding (AF)—Classes that are guaranteed a minimum level of service, with
several drop-precedence levels within each class.
• Expedited Forwarding (EF)—The highest-priority class, for traffic such as voice that
needs low latency, jitter, and loss.
IEEE 802.1p
While DiffServ works at layer 3, IEEE 802.1p can be used at layer 2 (independently or
in conjunction with DiffServ) to classify and prioritize traffic passing over a switch or
wireless access point. 802.1p defines a tagging mechanism within the 802.1Q VLAN
field (it is also often referred to as 802.1Q/p). The 3-bit priority field is set to a value
between 0 and 7. Most vendors map DSCP values to corresponding 802.1p values.
For example, 7 and 6 can be reserved for network control (such as routing table
updates), 5 and 4 map to expedited forwarding levels for two-way communications,
3 and 2 map to assured forwarding for streaming multimedia, and 1 and 0 for
“ordinary” best-effort delivery.
As well as invoking the priority tag, VLAN infrastructure is often used for traffic
management on local networks. For example, voice traffic might be allocated to a
different VLAN than data traffic.
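An added example, not from this guide or from any vendor, covering both the DiffServ and the IEEE 802.1p sections above: where the DSCP sits in the IPv4 header (the DS field is the second header byte; the DSCP is its upper 6 bits and the 2-bit ECN sits below it), one common way of deriving the 3-bit 802.1p priority (PCP) from the DSCP, how that PCP is packed into the 802.1Q tag, and the trust boundary a switch should apply to host-set markings. The sample addresses, the VLAN ID and the DSCP-to-PCP table are constructed assumptions.

```python
"""Read the DSCP from an IPv4 header, map it to an IEEE 802.1p priority, and
build/parse the 802.1Q tag. Added example; the sample header and the
DSCP-to-PCP mapping are constructed (vendor default tables differ)."""
import ipaddress
import struct


def build_ipv4_header(dscp, ecn, src, dst, proto=17, payload_len=0):
    """Minimal 20-byte IPv4 header for the demo. The checksum is left at zero
    because the example only inspects the header; a real stack fills it in."""
    tos = (dscp << 2) | ecn            # DS field: 6-bit DSCP then 2-bit ECN
    return struct.pack("!BBHHHBBH4s4s",
                       0x45,            # version 4, IHL 5 (20 bytes)
                       tos,
                       20 + payload_len,
                       0, 0,            # identification, flags/fragment offset
                       64, proto, 0,    # TTL, protocol, checksum placeholder
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def dscp_from_ipv4(header):
    """DSCP is the upper 6 bits of the second header byte (ToS / DS field)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def dscp_to_pcp(dscp):
    """Common default mapping (an assumption here): the 3 class-selector bits
    of the DSCP become the 3-bit 802.1p PCP, so CS7 (56) -> 7, CS6 (48) -> 6,
    EF (46) -> 5, AF4x (34..38) -> 4, AF3x -> 3, AF2x -> 2, AF1x -> 1,
    Best Effort (0) -> 0, matching the grouping described in the text."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp >> 3


def apply_trust_boundary(dscp, trusted):
    """Only honour a host-set DSCP on trusted ports (e.g. IP phones). An
    untrusted host could otherwise mark all its traffic EF and crowd out
    real voice traffic, so untrusted ingress is re-marked to Best Effort."""
    return dscp if trusted else 0


def build_tci(pcp, vlan_id, dei=0):
    """802.1Q Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vlan_id <= 4095):
        raise ValueError("field out of range")
    return (pcp << 13) | (dei << 12) | vlan_id


def parse_tci(tci):
    """Split a 16-bit TCI back into (pcp, dei, vlan_id)."""
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


if __name__ == "__main__":
    hdr = build_ipv4_header(46, 0, "10.0.0.5", "10.0.0.1")   # EF-marked, e.g. voice
    dscp = dscp_from_ipv4(hdr)
    print("DSCP", dscp, "-> PCP", dscp_to_pcp(dscp))
    print("TCI, trusted port  :", hex(build_tci(dscp_to_pcp(dscp), 100)))
    remarked = apply_trust_boundary(dscp, trusted=False)
    print("TCI, untrusted port:", hex(build_tci(dscp_to_pcp(remarked), 100)))
```

The trust boundary is the security-relevant part: CoS tags are just bits that any sender can set, so switches normally trust markings only on ports where a phone or another switch is expected and re-mark everything else.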
Traffic Shaping
Quality of service (QoS) is distinct from class of service (CoS). CoS mechanisms,
such as DiffServ and 802.1p, categorize protocols into groups requiring different
service levels and provide a tagging mechanism to identify a frame or packet’s
class. QoS allows fine-grained control over traffic parameters. For example, if a
network link is congested, DiffServ and 802.1p cannot address it, but a protocol
such as Multiprotocol Label Switching (MPLS) with QoS functionality can reserve
required bandwidth and predetermine statistics such as acceptable packet loss and
maximum latency and jitter when setting up the link.
In terms of QoS, network functions are commonly divided into three planes:
• Control plane—Makes decisions about how traffic should be prioritized and
where it should be switched.
• Data plane—Handles the actual switching (forwarding) of traffic.
• Management plane—Monitors traffic conditions and network status.
Protocols, appliances, and software that can apply these three functions can be
described as traffic shapers or bandwidth shapers. Traffic shapers delay certain
packet types—based on their content—to ensure that other packets have a higher
priority. This can help to ensure that latency is reduced for critical applications.
Simpler devices performing traffic policing do not offer the enhanced traffic
management functions of a shaper. For example, typical traffic policing devices will
simply fail to deliver packets once the configured traffic threshold has been reached
(this is often referred to as tail drop). Consequently, there will be times when
packets are being lost, while other times when the network is relatively idle, and the
bandwidth is being underutilized. A traffic shaper will store packets until there is
free bandwidth available. Hopefully, this leads to consistent usage of the bandwidth
and few lost packets.
It is essential that the selected device is capable of handling high traffic volumes. As
these devices have a limited buffer, there will be situations when the buffer overflows.
Devices can either drop packets and in essence provide traffic policing, or else they
must implement a dropping algorithm. Random Early Detection (RED) is one of several
algorithms that can be implemented to help manage traffic overflow on the shaper.
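The contrast drawn above between policing (tail drop once the threshold is reached, with the link idle afterwards) and shaping (buffer the excess and release it at the link rate, with RED to manage buffer overflow), as an added simulation that is not part of this guide. The arrival pattern, link rate, buffer sizes and RED thresholds are constructed, and the RED variant works on the instantaneous queue length rather than the averaged length a real implementation uses.

```python
"""Simulate a tail-drop policer against a buffered shaper (with optional RED)
on the same bursty arrival pattern. Added example; the arrival pattern, link
rate, buffer size and RED thresholds are constructed."""
import random

# Constructed arrivals: packets offered per tick. Two bursts well above the
# link rate, each followed by idle ticks.
ARRIVALS = [8, 8, 0, 0, 8, 8, 0, 0, 0, 0]
RATE = 4   # packets the link (the configured threshold) can carry per tick


def police(arrivals, rate):
    """Policer: forward up to `rate` packets per tick and discard the rest at
    once (tail drop). Nothing is kept for the idle ticks that follow a burst."""
    sent = dropped = busy_ticks = 0
    for offered in arrivals:
        forwarded = min(offered, rate)
        sent += forwarded
        dropped += offered - forwarded
        busy_ticks += forwarded > 0
    return {"sent": sent, "dropped": dropped, "busy_ticks": busy_ticks}


def _red_drop(queue_len, red, rng):
    """Random Early Detection on the instantaneous queue length (real RED uses
    an averaged length). Below min_th never drop, at or above max_th always
    drop, in between drop with probability rising linearly to max_p."""
    min_th, max_th, max_p = red
    if queue_len < min_th:
        return False
    if queue_len >= max_th:
        return True
    return rng.random() < max_p * (queue_len - min_th) / (max_th - min_th)


def shape(arrivals, rate, buffer_size, red=None, seed=1):
    """Shaper: queue the excess and release `rate` packets per tick. Packets
    are lost only when the finite buffer is full, or early via RED if enabled."""
    rng = random.Random(seed)
    queue = sent = dropped = busy_ticks = 0
    for offered in arrivals:
        for _ in range(offered):
            if queue >= buffer_size or (red is not None and _red_drop(queue, red, rng)):
                dropped += 1
            else:
                queue += 1
        forwarded = min(queue, rate)
        queue -= forwarded
        sent += forwarded
        busy_ticks += forwarded > 0
    return {"sent": sent, "dropped": dropped, "busy_ticks": busy_ticks,
            "left_in_queue": queue}


if __name__ == "__main__":
    print("policer        :", police(ARRIVALS, RATE))
    print("shaper, buf 12 :", shape(ARRIVALS, RATE, buffer_size=12))
    print("shaper, buf 8  :", shape(ARRIVALS, RATE, buffer_size=8))
    print("shaper + RED   :", shape(ARRIVALS, RATE, buffer_size=12, red=(4, 12, 0.5)))
```

With a buffer of 12 the shaper delivers all 32 packets and keeps the link busy for 8 ticks where the policer delivers 16 and leaves it idle for 6; with a buffer of 8 the shaper still tail-drops, which is the overflow case RED is meant to soften by dropping a few packets early so TCP senders back off gradually instead of all at once. The price of shaping is delay, which is why latency-sensitive classes such as voice are normally given a priority queue rather than being shaped with everything else.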
Module 8
Summary
You should be able to explain the purpose of organizational processes and procedures
and use network monitoring technologies to troubleshoot performance issues.
• Create a network asset inventory and diagrams that show the physical and
logical configuration.
• Deploy IP and port scanners to gain visibility into hosts attached to the network
and protocol traffic passing over it.
• Deploy packet capture and protocol analyzer software to gain visibility into
individual packets and per-host or per-protocol statistics.
• Select a log collection system that will provide the best compatibility with the
endpoints used on your network, plus the reporting and management features
that you require.
• Set up filters to alert and notify administrators when key thresholds are
exceeded or when hosts fail heartbeat tests.
• Set up a process for responding to alerts, reviewing logs, and diagnosing trends.
Use this analysis to plan deployment of traffic marking (DiffServ/802.1p) and
traffic shaping/bandwidth management solutions.
Module 9
Explaining Network Security Concepts
Module Introduction
You have identified the basic components and concepts for deploying and
monitoring a network, but a network implementation is not complete without
security mechanisms. In this module, you will describe basic concepts related to
network security. As a networking professional, it is part of your responsibility to
understand these fundamental concepts so that you can support network security
controls.
Module Objectives
In this module, you will do the following:
• Explain common security concepts.
Lesson 9.1
Security Concepts
In this lesson, you will describe basic concepts related to security terminology and
network security audits and assessments. It’s important to have a solid foundation
and awareness of the industry terminology used when you are discussing network
security.
As you study this lesson, answer the following questions:
• How can you use the CIA triad to help create security policies and select security
controls?
• What are the types of security audits and assessments, and how are they
affected by regulatory compliance?
• Integrity means that the data is stored and transferred as intended and that any
modification is authorized.
Risk Management
Risk management is a process for identifying, assessing, and mitigating
vulnerabilities and threats to the essential functions that a business must perform
to serve its customers. Risk management is complex and treated very differently
in companies and institutions of different sizes, and with different regulatory
and compliance requirements. Most companies will institute enterprise risk
management (ERM) policies and procedures, based on published frameworks.
Risk assessment is a subset of risk management where the company’s systems and
procedures are audited for risk factors. Separate assessments can be devised to
perform an initial evaluation and ongoing monitoring of threats, vulnerabilities, and
security posture.
Posture Assessment
There are many different ways of thinking about how IT services should be
governed to fulfill overall business needs. Some organizations have developed
IT service frameworks to provide best practice guides to implementing IT and
cybersecurity. These frameworks can shape company policies and provide
checklists of procedures, activities, and technologies that should ideally be in place.
Collectively, these procedures, activities, and tools can be referred to as security
controls. A security control is something designed to give a system or data asset the
properties of confidentiality, integrity, availability, and non-repudiation.
In theory, security controls or countermeasures could be introduced to address
every risk factor. The difficulty is that security controls can be expensive, so you
must balance the cost of the control with the cost associated with the risk. It is not
possible to eliminate risk; rather, the aim is to mitigate risk factors to the point
where the organization is exposed only to a level of risk that it can afford. The
overall status of risk management is referred to as risk posture. Risk posture shows
which risk response options can be identified and prioritized. Posture assessment
is often performed with reference to an IT or security framework. The framework
can be used to assess the organization’s maturity level in its use of security policies
and controls.
Cybersecurity audits are comprehensive reviews designed to ensure an
organization’s security posture aligns with established standards and best practices.
There are various types of cybersecurity audits, including compliance audits, which
assess adherence to regulations; risk-based audits, which identify potential threats
and vulnerabilities in an organization’s systems and processes; and technical audits,
which delve into the specifics of the organization’s IT infrastructure, examining
areas such as network security, access controls, and data protection measures.
Process Assessment
Mitigating risk can involve a large amount of expenditure so it is important to
focus efforts. Effective risk management must focus on mission essential functions
that could cause the whole business to fail if they are not performed. Part of this
process involves identifying critical systems and assets that support these functions.
A mission essential function (MEF) is one that cannot be deferred. This means
that the organization must be able to perform the function as close to continually as
possible, and if there is any service disruption, the mission essential functions must
be restored first.
Business impact analysis (BIA) is the process of assessing what losses might
occur for a range of threat scenarios. For instance, if a denial of service (DoS)
attack suspends an e-commerce portal for five hours, the business impact analysis
will be able to quantify the losses from orders not made and customers moving
permanently to other suppliers based on historic data. The likelihood of a DoS
attack can be assessed on an annualized basis to determine annualized impact,
in terms of costs. You then have the information required to assess whether a
security control, such as load balancing or managed attack mitigation, is worth the
investment.
Regulatory Compliance
Internal security audits assess risk factors or ensure that an organization has
deployed sufficient controls to protect its systems and data assets. Regulatory
compliance imposes externally determined requirements on companies in certain
industries or when processing certain types of data. These regulations might dictate
the type of controls that must be deployed, and the type and frequency of audits.
An organization might be subject to a compliance audit run by external auditors to
verify that it is meeting the requirements of the regulations.
Data Locality
Some states and nations may respect privacy more or less than others; and
likewise, some nations may disapprove of the nature and content of certain data.
They may even be suspicious of security measures such as encryption. When your
data is stored or transmitted in other jurisdictions, or when you collect data from
citizens in other states or other countries, you may not “own” the data in the same
way as you’d expect or like to.
Data sovereignty refers to a jurisdiction preventing or restricting processing and
storage from taking place on systems that do not physically reside within that
jurisdiction. For example, GDPR protections are extended to any EU citizen while
they are within EU or EEA (European Economic Area) borders. Data subjects can
consent to allow a transfer, but there must be a meaningful option for them to
refuse consent. If the transfer destination jurisdiction does not provide adequate
privacy regulations (to a level comparable to GDPR), then contractual safeguards
must be given to extend GDPR rights to the data subject.
Data sovereignty may require you to implement data locality policies and tools.
Data locality establishes storage and processing boundaries based on national or
state borders. Most cloud storage and processing solutions offer data locality tools.
For example, if a healthcare database is hosted in the cloud, data locality could be
configured to prevent an administrator from replicating it to any datacenter outside
the United States.
Encryption
An access control system ensures that a computer system or network meets the
goals of the CIA triad. Access control governs how subjects may interact with
objects. Subjects are people, devices, software processes, or any other system
that can request and be granted access to a resource. Objects are the resources.
An object could be a network, server, database, app, or file. Subjects are assigned
rights or permissions on resources.
Many access control solutions depend on some type of encryption, or more
generally some type of cryptographic technology. Encryption is an example of a
logical security system. Logical security means that the system depends on software
components, rather than the physical security of locks and intruder alarms. There
are two main types of cryptographic cipher or algorithm:
• An encryption algorithm converts a human-readable plaintext into a ciphertext.
A ciphertext must be decrypted using a key linked to the initial encryption
process before it can be read. This makes data confidential, so long as the key is
only available to authorized persons.
• Data in transit (or data in motion)—The state in which data is transmitted over
a network.
• Data in use (or data in processing)—The state in which data is present in volatile
memory, such as system RAM or CPU registers and cache.
Different cryptographic solutions are used to protect data in these states. Data in
transit can be protected by Transport Layer Security (TLS) encryption, for example.
Data at rest can be protected by self-encrypting drives, file system encryption, or
database encryption.
The term “zero-day” is usually applied to the vulnerability itself but can also refer to an
attack or malware that exploits it.
Vulnerability Assessment
A vulnerability assessment is an evaluation of a system’s security and ability to
meet compliance requirements based on the configuration state of the system.
Essentially, the vulnerability assessment determines if the current configuration
matches the ideal configuration (the baseline). Vulnerability assessments might
involve manual inspection of security controls but are more often accomplished
through automated vulnerability scanners.
Deception Technologies
Deception and disruption technologies are powerful cybersecurity resilience tools
that significantly increase the attacker’s cognitive load and resource expenditure by
forcing them to constantly adapt their tactics, techniques, and procedures (TTPs). A
honeypot is a decoy computer system designed to attract attackers. By analyzing
their attack strategies and tools, honeypots provide early warning of attack
attempts and valuable insights into attacker behavior. A honeynet is an entire decoy
network. This may be set up as an actual network or simulated using an emulator.
A honeypot or honeynet is more likely to be located in a protected but untrusted
area between the Internet and the private network or on a closely monitored and
filtered segment within the private network itself. This provides early warning and
evidence of whether a threat actor has been able to penetrate to a given security
zone.
Lesson 9.2
Network Threats and Attacks
• What are attack types, and what threat actor objectives do they work toward?
• What are the types of denial of service (DoS) and distributed DoS (DDoS)?
• What are the main malware classifications, and how has the use of malware
evolved to give threat actors new capabilities?
Threat Research
Threat research is a counterintelligence gathering effort in which security
companies and researchers attempt to discover the tactics, techniques, and
procedures (TTPs) of threat actors.
The outputs from the primary research undertaken by security solutions providers
and academics can take three main forms:
• Behavioral threat research—Narrative commentary describing examples of
attacks and TTPs gathered through primary research sources.
Attack Types
A network can be attacked by many kinds of threat actors for many different
reasons, and different attacks can have various kinds of impact. The goals of most
types of adversaries will be to steal (exfiltrate) information from the network, to
misuse network services (for fraud, for instance), or to compromise the availability
of the network. Insider threat-type attacks may be launched with privileged
access to the network, while external threats must find some way of accessing the
network, perhaps by installing malware on a host system.
Spoofing Attacks
The term “spoofing” covers a wide range of different attacks. Spoofing can include
any type of attack where the threat actor disguises their identity, or in which the
source of network information is forged to appear legitimate. Social engineering
and techniques such as phishing and pharming, where the attacker sets up a false
website in imitation of a real one, are types of spoofing attacks. It is also possible to
abuse the way a protocol works or how network packets are constructed to inject
false or modified data onto a network. ARP and DNS services are often used as
vectors for this type of attack.
When we describe attacks, there’s a focus on purposefully malicious threat actors, but
do be aware of inadvertent, accidental, and non-malicious threats. For example, a user
might cause accidental DoS by connecting two wall ports and creating a switching loop.
Users can also create inadvertent vulnerabilities. For example, shadow IT (devices or
apps used in the workplace without authorization) could be vectors for exploits that
aren’t mitigated by security controls.
Botnets
A botnet is a group of compromised hosts that can be used to launch DDoS and
DRDoS attacks. A threat actor will first compromise one or two machines to use as
handlers or herders. The handlers are used to compromise hundreds, thousands,
or even millions of zombie hosts and install DDoS tools on them (the bots). To
compromise a host, the attacker must install malware that opens a backdoor
remote connection. The attacker can then use the malware to install bots and
trigger the zombies to launch the attack at the same time. The network established
between the handlers and the bots is called a command and control (C2 or C&C)
network.
Malware Attacks
Many of the intrusion attempts perpetrated against computer networks depend
on the use of malicious software, or malware. Malware can be defined simply
as software that does something bad, from the perspective of the system owner.
There are many types of malware, but they are not classified in a rigorous way,
so some definitions overlap or are blurred. Some malware classifications, such as
Trojan, virus, and worm, focus on the vector used by the malware. The vector is the
method by which the malware executes on a computer and potentially spreads to
other network hosts. Another complicating factor with malware classification is the
degree to which its installation is expected or tolerated by the user. The following
categories describe some types of malware according to vector:
• Viruses and worms—These represent some of the first types of malware and
spread without any authorization from the user by being concealed within the
executable code of another process. Viruses infect files, while worms can infect
processes running in system memory.
Other classifications are based on the payload delivered by the malware. The
payload is an action performed by the malware other than simply replicating or
persisting on a host. Examples of payload classifications include spyware, rootkit,
remote access Trojan (RAT) or backdoor, and ransomware.
As malware has continued to be developed for criminal intent and security software
became better able to detect and block known viruses, worms, and Trojans,
malware code and techniques have become more sophisticated. The term “fileless”
has gained prominence to refer to these modern types of malware. Fileless is not
a definitive classification, but it describes a collection of common behaviors and
techniques:
• Fileless malware does not write its code to disk. The malware uses memory-
resident techniques to run in its own process, within a host process or dynamic
link library (DLL), or within a scripting host. This does not mean that there is no
disk activity at all, however. The malware may change registry values to achieve
persistence (executing if the host computer is restarted). The initial execution
of the malware may also depend on the user running a downloaded script, file
attachment, or Trojan software package.
• Fileless malware may use “live off the land” techniques rather than compiled
executables to evade detection. This means that the malware code uses
legitimate system scripting tools, notably PowerShell and Windows Management
Instrumentation (WMI), to execute payload actions. If they can be executed with
sufficient permissions, these environments provide all the tools the attacker
needs to perform scanning, reconfigure settings, and exfiltrate data.
The terms “advanced persistent threat (APT)” and “advanced volatile threat
(AVT)” can be used to describe this general class of modern fileless/live off the land
malware. Another useful classification is low-observable characteristics (LOC) attack.
The exact classification is less important than the realization that adversaries can
use any variety of coding tricks to effect intrusions and that their tactics, techniques,
and procedures to evade detection are continually evolving.
Lesson 9.3
Spoofing Attacks
• What are some common attacks that use MAC and ARP spoofing or flooding?
• How can an attacker manipulate an ARP cache to redirect frames to capture all
outbound data?
• How can an attacker manipulate VLANs to gain access that wouldn’t normally be
permitted?
On-path Attacks
An on-path attack is a specific type of spoofing attack where a threat actor
compromises the connection between two hosts and transparently intercepts and
relays all communications between them. The threat actor might also have the
opportunity to modify the traffic before relaying it.
On-path attacks are also known by the term “Man-in-the-Middle (MitM).” Such terms
are non-inclusive and/or use inappropriate or vague metaphors and are deprecated
in the latest CompTIA exam objectives documents. The terms “Manipulator in the
Middle,” “Machine in the Middle,” and “Adversary in the Middle (AitM)” are also used as
replacements.
IP spoofing is also used in most denial of service (DoS) attacks to mask the origin of the
attack and make it harder for the target system to block packets from the attacking
system. In this type of spoofing, the threat actor does not care that they will not receive
replies, so it is different from an on-path attack.
The usual target will be the subnet’s default gateway. If the attack is successful, all
traffic destined for remote networks will be sent to the attacker. The threat actor
can then perform an on-path attack to monitor the communications and continue
to forward them to the router to avoid detection. The attacker could also modify the
packets before forwarding them. ARP poisoning could also perform a DoS attack by
not forwarding the packets.
ARP spoofing can be difficult to detect without closely monitoring network traffic.
However, attempts at ARP spoofing are likely to cause sporadic communications
difficulties, such as an unreachable default gateway. In such cases, performing
network captures and examining ARP packets may reveal the poison packets, as will
examining local ARP caches for multiple IP addresses mapping to the same MAC
address.
Technically, ARP spoofing is the broadcast of the unsolicited ARP replies, while ARP
poisoning is the injection of spoofed MAC:IP mappings into the victim cache. The terms
are often just used interchangeably, however. Be aware that ARP poisoning could
include other methods of injecting fake mappings, such as the local host being infected
with malware.
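The detection approach described above (examining captured ARP packets for poison replies and local ARP caches for several IP addresses mapping to the same MAC) as an added example; it is not part of this guide. The ARP frames, the `ip neigh show` output, the gateway address and every MAC address are constructed, and the 2-second window within which a reply is considered solicited is an assumption.

```python
"""Detect signs of ARP spoofing/poisoning from captured ARP frames and from a
host's neighbour cache. Added example; the frames, cache output, gateway
address and MAC addresses are all constructed."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"   # assumed subnet default gateway

# Constructed ARP frames: (time_s, op, sender_mac, sender_ip, target_mac, target_ip)
ARP_FRAMES = [
    (0.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    (0.1, "reply",   "aa:aa:aa:aa:aa:ff", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    # nobody asked, and the gateway IP now arrives with a different MAC
    (5.0, "reply",   "aa:aa:aa:aa:aa:66", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    # the same MAC also claims the client's IP (both sides of the path poisoned)
    (5.1, "reply",   "aa:aa:aa:aa:aa:66", "10.0.0.5", "aa:aa:aa:aa:aa:ff", "10.0.0.1"),
]

# Constructed `ip neigh show` output from a host on the same subnet
NEIGH_OUTPUT = """\
10.0.0.1 dev eth0 lladdr aa:aa:aa:aa:aa:66 REACHABLE
10.0.0.5 dev eth0 lladdr aa:aa:aa:aa:aa:66 STALE
10.0.0.53 dev eth0 lladdr aa:aa:aa:aa:aa:35 REACHABLE
"""


def analyze_arp(frames, gateway_ip, reply_window=2.0):
    """Walk ARP frames in time order; return (alerts, learned ip->mac map).

    Alerts: a reply with no recent matching request (unsolicited), a sender
    IP whose MAC changes (flagged separately for the gateway), and one MAC
    claiming several IPs."""
    pending = {}                    # target_ip -> time of the last who-has
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, op, smac, sip, _tmac, tip in frames:
        if op == "request":
            pending[tip] = ts
            continue
        asked = pending.pop(sip, None)
        if asked is None or ts - asked > reply_window:
            alerts.append(("unsolicited_reply", sip, smac))
        previous = ip_to_mac.get(sip)
        if previous is not None and previous != smac:
            kind = "gateway_mac_changed" if sip == gateway_ip else "mac_changed"
            alerts.append((kind, sip, previous, smac))
        ip_to_mac[sip] = smac
        mac_to_ips[smac].add(sip)
        if len(mac_to_ips[smac]) > 1:
            alerts.append(("mac_claims_multiple_ips", smac, sorted(mac_to_ips[smac])))
    return alerts, ip_to_mac


def parse_ip_neigh(text):
    """Parse `ip neigh show` lines into {ip: mac}; entries without an lladdr
    (e.g. FAILED) are skipped."""
    cache = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            cache[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return cache


def duplicate_macs(cache):
    """Return {mac: [ips]} for every MAC that appears against more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    alerts, learned = analyze_arp(ARP_FRAMES, GATEWAY_IP)
    for alert in alerts:
        print("ALERT", alert)
    print("cache audit:", duplicate_macs(parse_ip_neigh(NEIGH_OUTPUT)))
```

Each of these signals has benign causes that a tuned detector must allow for: gratuitous ARP after a failover or address change, a router that legitimately answers for several addresses (proxy ARP, VRRP/HSRP virtual MACs), and hosts that send replies early. In production the switch's Dynamic ARP Inspection binding table (built from DHCP snooping) is the authoritative check; this script shows the logic a capture-based review applies.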
While IPv6 does not use ARP, it is also vulnerable to layer 2 spoofing if the unencrypted
Neighbor Discovery (ND) Protocol is used. Abuse of this can be used for router
advertisement (RA) spoofing.
Lesson 9.4
Rogue System Attacks
Spoofing attacks can also be launched at the Application layer. Such attacks often
involve the use of a rogue system. A rogue system is hardware or software that
spoofs legitimate services, such as DNS or DHCP.
As you study this lesson, answer the following questions:
• What are impacts on the network that arise from rogue DHCP services?
• What spoofing and poisoning attack types can compromise DNS services?
Rogue DHCP
The Dynamic Host Configuration Protocol (DHCP) provides IP addressing
autoconfiguration to hosts. If a Windows client fails to obtain a DHCP lease, it
defaults to using an address in the Automatic Private IP Addressing (APIPA) range
of 169.254.0.0/16. It will be limited to communication with other APIPA hosts on the
same network segment (broadcast domain). Linux hosts will use the 169.254.0.0/16
range if they have Zeroconf support; otherwise, they leave the IP address set to
0.0.0.0 or disable IPv4 on the interface.
Clients have no means of preferring a DHCP server. If two DHCP servers are
running on the same subnet, clients could end up with an incorrect IP configuration
because they have obtained a lease from a rogue server. A rogue DHCP server may
be deployed accidentally (forgetting to disable a DHCP server in an access point
or router, for instance) or may be used by a malicious threat actor to subvert the
network. A threat actor would normally use a rogue server to change the default
gateway and/or DNS resolver addresses for the subnet and route communications
via their machine. This is a means of using DHCP to facilitate an on-path attack.
A DHCP starvation attack uses bogus requests to use up leases in a legitimate
DHCP server’s address pool. An exhausted DHCP scope means legitimate hosts
cannot obtain a lease. A DHCP starvation attack might be a denial of service (DoS)
mechanism or be used to force legitimate hosts to obtain a lease from a rogue
DHCP server.
DNS Attacks
The Domain Name System (DNS) resolves requests for named hosts and services to
IP addresses. Name resolution is a critical addressing method on the Internet and
on private networks. There are many potential attacks against DNS. On the public
Internet, attacks might use typosquatting techniques to cause victims to confuse
malicious sites with legitimate ones. DNS can be exploited in a DRDoS attack. Threat
actors can also directly target public DNS services as a means of performing DoS
against a website or cloud resource. Finally, a threat actor might be able to hijack a
public DNS server and insert poisoned records, directing victims to rogue websites.
On a private network, a DNS attack is likely to mean some sort of DNS spoofing or
DNS poisoning. These DNS attacks compromise the process by which clients query
name servers to locate the IP address for a domain name.
As with ARP spoofing/poisoning, DNS spoofing and poisoning attacks are often taken to
mean the same thing, but technically spoofing is using false DNS requests or replies or
running a rogue DNS service, while poisoning is manipulating cached records.
Lesson 9.5
Social Engineering
Phishing Attacks
Phishing is a combination of social engineering and spoofing. It persuades or tricks
the target into interacting with a malicious resource disguised as a trusted one,
traditionally using email as the vector. A phishing message might try to convince
the user to perform some action, such as installing disguised malware or allowing a
remote access connection by the attacker.
Other types of phishing campaigns use a spoof website set up to imitate a bank
or e‑commerce site or some other web resource that should be trusted by the
target. The attacker then emails users of the genuine website, telling them that
their account must be updated or sending a hoax alert or alarm. This message will
contain a disguised link that actually leads to the spoofed site. When the user
authenticates with the spoofed site, their login credentials are captured.
Example phishing email—on the right, you can see the message in its true form as the mail client
has stripped out the formatting (shown on the left) designed to disguise the nature of the links.
A threat actor might stage attacks over a long period. Initial attacks may only aim at
compromising low-level information and user accounts, but this low-level information
can be used to attack more sensitive and confidential data and better protected
management and administrative accounts.
Password Attacks
On-path and malware attacks can be difficult to perpetrate. Many network
intrusions occur because a threat actor is able to obtain credentials to access the
network. Also, when a threat actor gains some sort of access via an on-path or
malware attack, they are likely to attempt to escalate privileges to gain access to
other targets on the network by harvesting credentials for administrative accounts.
Passwords or password hashes can be captured by obtaining a password file or by
sniffing the network. If the protocol uses cleartext credentials, then the threat actor
can simply read the cleartext password from the captured frames.
A password might be sent in an encoded form, such as Base64, which is simply an ASCII
representation of binary data. This is not the same as encryption. The password value
can easily be derived from the Base64 string.
Password cracking software uses various methods to work out the plaintext
password string from a cryptographic hash:
• Dictionary—The software matches the hash to those produced by ordinary
words found in a dictionary. This could also include information such as user and
company names, pet names, or any other data that people might naively use as
passwords.
• Brute force—The software tries to match the hash against one of every possible
combination it could be. If the password is short (under eight characters) and
non-complex (using only letters, for instance), a password might be cracked in
minutes. Longer and more complex passwords increase the amount of time the
attack takes to run.
A threat actor might obtain password hashes from a protocol such as SMB with no
encryption configured. The risks posed by cracking software mean that it is more
secure to use end-to-end encryption, such as IPSec or Transport Layer Security
(TLS). This means that all payload data is encrypted, and a network sniffer cannot
even recover the password hashes.
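The following Python example is added here to make the points above concrete; it is not code from the study guide. It shows that a Base64 "encoded" credential is trivially reversed, how quickly the brute-force keyspace grows with length and character set, an audit check that tells you whether a stored unsalted hash is simply the hash of a common word, and the salted, iterated PBKDF2 storage that makes such matching impractical. The wordlist and the credential string are constructed samples; the iteration count is an assumption chosen for speed.

```python
import base64
import hashlib
import hmac
import os


def decode_base64_credential(encoded):
    """Base64 is an encoding, not encryption: anyone holding the string can reverse it."""
    return base64.b64decode(encoded).decode()


def keyspace_size(length, alphabet_size):
    """Number of candidates an exhaustive brute-force search has to consider."""
    return alphabet_size ** length


def hours_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every candidate at the given guessing rate."""
    return keyspace_size(length, alphabet_size) / guesses_per_second / 3600


def find_dictionary_match(stored_hash, wordlist, algorithm="sha256"):
    """Audit helper: return the dictionary word whose plain hash equals stored_hash, if any.
    Only unsalted hashes can be matched this way, which is exactly why they are risky."""
    for word in wordlist:
        if hashlib.new(algorithm, word.encode()).hexdigest() == stored_hash:
            return word
    return None


def store_password(password, iterations=100_000):
    """Salted, deliberately slow hash for storage. Returns (salt_hex, digest_hex).
    The iteration count is an assumption; production systems use a higher value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex, iterations=100_000):
    """Recompute the salted digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: "alice:Passw0rd!" as it might appear in an HTTP Basic header.
    print(decode_base64_credential("YWxpY2U6UGFzc3cwcmQh"))
    print(hours_to_exhaust(7, 26, 10**9), "hours for 7 lowercase letters at 1e9 guesses/s")
    print(hours_to_exhaust(12, 95, 10**9), "hours for 12 printable characters")
    common = ["letmein", "password", "widget2024"]
    print(find_dictionary_match(hashlib.sha256(b"password").hexdigest(), common))
```

The keyspace figures are the whole argument for length and complexity: seven lowercase letters fall in seconds at a billion guesses per second, while twelve characters drawn from the printable set are out of reach for the same rate, and salting plus iteration removes the one-hash-to-many-accounts shortcut entirely.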
Module 9
Summary
• Overall risk and posture assessment for mission essential functions (MEF)
to produce business impact analysis, business continuity plans, and security
policies, such as privileged access management and vendor assessment.
Module 10
Applying Network Security Features
Module Introduction
Authentication and authorization policies and systems enforce access control.
Access control ensures that an organization’s data is processed and stored securely.
During your career in network support, you will often have to configure accounts
and permissions and troubleshoot issues arising from access control.
Module Objectives
In this module, you will do the following:
• Explain identity and access management concepts.
• Apply security rules, such as ACLs and content filtering, to manage network
traffic.
Lesson 10.1
Authentication
Access Control
Access control governs how subjects/principals may interact with objects. When
implemented on a computer system or network, access control is a type of logical
security. Modern access control is typically implemented as an identity and access
management (IAM) system. IAM comprises four main processes:
• Identification—Creating an account or ID that uniquely represents the user,
device, or process on the network.
For example, if you are setting up an e-commerce site and want to enroll users, you
need to select the appropriate controls to perform each function:
• Identification—Ensure that customers are legitimate. For example, you might
need to ensure that billing and delivery addresses match and that they are not
trying to use fraudulent payment methods.
• Accounting—The system must record the actions a customer takes (to ensure
that they cannot deny placing an order, for instance).
Remember that these processes apply both to people and to systems. For example,
you need to ensure that your e-commerce server can authenticate its identity when
customers connect to it using a web browser.
Authentication Methods
An account defines a subject on the computer or network system. Assuming that
an account has been created securely (the identity of the account holder has been
verified), authentication verifies that only the account holder is able to use the
account and that the system may be used only by account holders. Authentication
is performed when the account holder submits credentials to the system to request
access. These are compared to the credentials stored on the system. If they match,
the account is authenticated.
• Location factor—Somewhere you are, such as only being able to log into an
account from a specific location, known as geofencing.
Local Authentication
One of the most important features of an operating system is the authentication
provider. The local authentication provider is the software architecture and code
that underpins the mechanism by which the user is authenticated before starting
a shell. This is usually described as a login (Linux) or a logon or sign-in (Microsoft).
Knowledge-based authentication, using a password or PIN, is the default
authentication provider for most operating systems.
Knowledge-based authentication relies on cryptographic hashes. A cryptographic
hash is a function that converts any string to a unique, fixed-length code. The function
should ensure that the code cannot be converted back into the plaintext string.
Windows Authentication
Windows authentication involves a complex architecture of components (docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication), but the following three scenarios are typical:
• Windows local sign-in—The Local Security Authority (LSA) compares the
submitted credential to a hash stored in the Security Accounts Manager (SAM)
database, which is part of the registry. This is also referred to as interactive
logon.
• Windows network sign-in—The LSA can pass the credentials for authentication
to a network service. The preferred system for network authentication is based
on Kerberos, but legacy network applications might use NT LAN Manager (NTLM)
authentication.
• Remote sign-in—If the user’s device is not connected to the local network,
authentication can take place over some type of virtual private network (VPN) or
web portal.
Linux Authentication
In Linux, local user account names are stored in /etc/passwd. When a user
logs in to a local interactive shell, the password is checked against a hash stored in
/etc/shadow. Interactive login over a network is typically accomplished using
Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic
keys instead of a password.
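As an added example (not from the study guide), the Python below parses records in the /etc/passwd and /etc/shadow layouts described above and audits the local authentication settings a support technician would check: an empty shadow field (login without any password), a hash produced by a weak crypt algorithm, and a second account with UID 0. All the records are constructed samples and the hash strings are placeholders, not real digests.

```python
import re

# Constructed sample records in the /etc/passwd and /etc/shadow layouts.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001::/var/backup:/usr/sbin/nologin
legacy:x:1002:1002::/home/legacy:/bin/sh
olduser:x:1003:1003::/home/olduser:/bin/bash
admin2:x:0:0::/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19600:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERYESCRYPTHASHxxxxxxxxxxxxxxxx:19600:0:99999:7:::
svc_backup:!:19600:0:99999:7:::
legacy::19600:0:99999:7:::
olduser:$1$saltsalt$PLACEHOLDERMD5HASHxxxx:19600:0:99999:7:::
admin2:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19600:0:99999:7:::
"""

# crypt(3) hash prefixes and whether the algorithm is considered weak today.
HASH_ALGORITHMS = {
    "$1$": ("md5", True),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256", False),
    "$6$": ("sha512", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def parse_passwd(text):
    """Map user name -> {uid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password field (second column) from shadow-format lines."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    return hashes


def classify_hash(field):
    """Return (algorithm, weak) for a shadow password field."""
    if field == "":
        return ("none", True)               # no password required at all
    if field.startswith(("!", "*")):
        return ("locked", False)            # password login disabled
    for prefix, (alg, weak) in HASH_ALGORITHMS.items():
        if field.startswith(prefix):
            return (alg, weak)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des", True)                # traditional 13-character DES crypt
    return ("unknown", True)


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for every risky local account setting."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append((name, "EXTRA_UID0"))
        if name not in hashes:
            findings.append((name, "NO_SHADOW_ENTRY"))
            continue
        alg, weak = classify_hash(hashes[name])
        if alg == "none":
            findings.append((name, "EMPTY_PASSWORD"))
        elif weak:
            findings.append((name, f"WEAK_HASH:{alg}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: {finding}")
```

Locked service accounts (a `!` or `*` field combined with a nologin shell) are reported as fine, which is the expected state for accounts that should never authenticate with a password.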
A pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart card login (tecmint.com/configure-pam-in-centos-ubuntu-linux). The PAM framework can also be used to implement authentication to network servers.
When authenticated, the KDC server presents the user with a Ticket Granting Ticket.
To access resources within the domain, the client requests a service ticket (a token
that grants access to a target application server) by supplying the Ticket Granting
Ticket to the Ticket Granting Service (TGS).
Because encryption using a public key is relatively slow, rather than encrypting the
whole message with a public key, the public key is more typically used to encrypt
a symmetric encryption key for use in a single session and to exchange it securely.
The symmetric session key is then used to encrypt the actual message. In a
symmetric cipher, the same key can perform both encryption and decryption.
• When you want to authenticate yourself to others, you create a signature using
your private key. You give others your public key to use to verify the signature.
As only you know the private key, everyone can be assured that only you could
have created the signature.
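The Python below is an added example, not code from the study guide, that walks through both uses of a key pair described above: wrapping a random session key with the recipient's public key so that a fast symmetric cipher carries the message, and signing with a private key so that anyone holding the public key can verify the signature. Everything in it is a constructed toy: the modulus is built from two small primes, there is no padding, and the "symmetric cipher" is a SHA-256 keystream, so it illustrates the flow and nothing more. Real deployments use 2048-bit or larger RSA (or elliptic curves) with OAEP/PSS padding and a standard cipher such as AES.

```python
import hashlib
import secrets

# Toy RSA key pair from two small primes (constructed for illustration only).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                    # public exponent
D = pow(E, -1, PHI)          # private exponent, the modular inverse of E
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply_public(m, public_key):
    e, n = public_key
    return pow(m, e, n)


def rsa_apply_private(c, private_key):
    d, n = private_key
    return pow(c, d, n)


def keystream_xor(session_key, data):
    """Toy symmetric cipher: XOR data with a SHA-256 counter-mode keystream.
    One function serves for both directions, as in any symmetric cipher."""
    key = session_key.to_bytes(4, "big")
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def hybrid_encrypt(message, recipient_public_key):
    """Sender side: fresh session key, wrapped with the recipient's public key."""
    session_key = secrets.randbelow(2**32)           # well below N, so RSA applies
    wrapped_key = rsa_apply_public(session_key, recipient_public_key)
    return wrapped_key, keystream_xor(session_key, message)


def hybrid_decrypt(wrapped_key, ciphertext, recipient_private_key):
    """Recipient side: unwrap the session key, then decrypt the bulk data."""
    session_key = rsa_apply_private(wrapped_key, recipient_private_key)
    return keystream_xor(session_key, ciphertext)


def message_digest(message):
    # The digest is reduced modulo N so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_key):
    """Only the private key holder can produce this value for the digest."""
    return rsa_apply_private(message_digest(message), private_key)


def verify(message, signature, public_key):
    """Anyone with the public key can check the signature against the digest."""
    return rsa_apply_public(signature, public_key) == message_digest(message)


if __name__ == "__main__":
    wrapped, ct = hybrid_encrypt(b"pay 100 to account 42", PUBLIC_KEY)
    print(hybrid_decrypt(wrapped, ct, PRIVATE_KEY))
    sig = sign(b"pay 100 to account 42", PRIVATE_KEY)
    print(verify(b"pay 100 to account 42", sig, PUBLIC_KEY), verify(b"pay 900 to account 42", sig, PUBLIC_KEY))
```

Note that signing and decrypting are the same private-key operation applied to different inputs (a digest versus a wrapped key), which is why the text can describe the private key as the thing that both unwraps session keys and produces signatures.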
The basic problem with public key cryptography lies in proving the identity of the
owner of a public key. The system is vulnerable to attacks where a threat actor is
able to substitute your public key for their own. Public key infrastructure (PKI)
aims to prove that the owners of public keys are who they say they are. Under
PKI, anyone distributing public keys should obtain a digital certificate. The validity
of the certificate is guaranteed by a certificate authority (CA). A digital certificate
is essentially a wrapper for a subject’s (or end entity’s) public key. As well as the
public key, it contains information about the subject and the certificate’s issuer or
guarantor. The certificate is digitally signed to prove that it was issued to the subject
by a particular CA.
Key Management
Key management refers to operational considerations for the various stages in the
lifecycle of an encryption key or key pair. A key’s lifecycle may involve the following
stages:
• Key Generation—Creates an asymmetric key pair or symmetric secret key of
the required strength, using the chosen cipher.
A decentralized key management model means that keys are generated and
managed directly on the computer or user account that will use the certificate. This
does not require any special setup and so is easy to deploy. It makes the detection
of key compromise more difficult, however.
Some organizations prefer to centralize key generation and storage using a tool
such as a key management system. In one type of cryptographic key management
system, a dedicated server or appliance is used to generate and store keys. When
a device or app needs to perform a cryptographic operation, it uses the Key
Management Interoperability Protocol (KMIP) to communicate with the server.
6. The principal presents the claim to the service provider. The SP can validate
that the IdP has signed the claim because of its trust relationship with the IdP.
The service provider can now connect the authenticated principal to its own
accounts database to determine its permissions and other attributes. It may be able
to query attributes of the user account profile held by the IdP if the principal has
authorized this type of access.
A federated network or cloud needs specific protocols and technologies to
implement user identity assertions and transmit claims between the principal, the
service provider, and the identity provider. Security Assertion Markup Language
(SAML) is one such solution. SAML assertions (claims) are written in eXtensible
Markup Language (XML). Communications are established using HTTP/HTTPS and
the Simple Object Access Protocol (SOAP). The secure tokens are signed using the
XML signature specification. The use of a digital signature allows the relying party to
trust the identity provider.
Most other federated identity frameworks, such as OAuth, use the service provider
terminology. In SAML, the service provider is referred to as a relying party (RP).
Remote Authentication
Local authentication takes place when a user tries to start an interactive session
directly on a computer. The authentication system might use Kerberos or another
SSO provider to allow the local host and user to access a network, but the session is
still started locally. Remote authentication means that a host runs a remote access
server or terminal server that accepts login requests initiated via another host over
a network. Remote authentication is typically used in two scenarios:
• Authenticating with a cloud provider or web host or joining a virtual private
network (VPN). With a VPN, the remote user connects to a remote access server
on the perimeter of the private network.
sudo (“superuser do”) in Linux and User Account Control (UAC) in Windows allow a
user to temporarily elevate permissions without having to fully sign out and in to use a
different account.
Lesson 10.2
Authorization and Account Management
RBAC can be partially implemented by mapping security groups onto roles, but they
are not identical schemes. Membership in security groups is largely discretionary
(assigned by administrators rather than determined by the system). Also, ideally, a
principal should only inherit the permissions of a role to complete a particular task
rather than retain them permanently. Administrators should be prevented from
escalating their own privileges by assigning roles to their own accounts arbitrarily or
boosting a role’s permissions.
The types of attributes, what information they contain, and the way object types are
defined through attributes (some of which may be required and some optional) are
described by the directory schema. For example, the distinguished name of a web
server operated by Widget in London might be:
LDAP Secure
Like many TCP/IP protocols, LDAP provides no security, and all transmissions are in
plaintext, making it vulnerable to sniffing and spoofing attacks. Also, a server that
allows anonymous access by unauthenticated clients is vulnerable to overloading
by denial of service attacks. Authentication, referred to as binding to the server, can
be implemented in the following ways:
• Simple bind—The client must supply its distinguished name (DN) and password,
but these are passed as plaintext.
Generally, two levels of access will need to be granted on the directory: read-only
access (query) and read/write access (update). This is implemented using an access
control policy, but the precise mechanism is vendor-specific and not specified by
the LDAP standards documentation.
Unless it is hosting a public service, the LDAP directory server should also only be
accessible from the private network. This means that LDAP ports (389 over TCP and
UDP) should be blocked by a firewall from access over the public interface.
LDAPS is sometimes referred to as LDAP over Secure Sockets Layer (SSL). SSL is an older,
deprecated version of TLS. LDAPS would now always be configured to use TLS, not SSL.
Lesson 10.3
Network Hardening
• What are the critical elements of device and service hardening policies?
Defense in Depth
Firewalls try to establish a secure barrier at the network perimeter. This barrier
is designed to subject any connections between the internal private network
and external public or third-party networks to access controls. For example, a
host on a public network would only be permitted to join the private network if it
authenticates over a virtual private network (VPN). This system of focusing on the
boundary between the public and private network and trusting everything that has
connected via internal switches is called the perimeter security model.
The proliferation of mobile devices with wireless or cellular data access and cloud
services, plus the better recognition of insider threat and vulnerabilities to malware,
has eroded confidence in a solely perimeter-based security model. Network
security design must address the concept of defense in depth. This refers to
placing security controls throughout the network, so that all access attempts are
authenticated, authorized, and audited.
Logical security controls governing access management, deception/honeypot
strategies, and identity and access management (IAM) are all important parts of
defense in depth. In addition to these, endpoint security is a set of procedures
and technologies designed to restrict both remote and local network access at
a device level and to ensure that each endpoint device is hardened to mitigate
vulnerabilities.
The network perimeter is the border between the private network and external, public
networks. This is often also referred to as the network edge. However, as the perimeter
security model has eroded, the concept of where the network edge lies has expanded to
include access switches and wireless access points. These would previously have been
considered as “internal” under a perimeter-based security model.
Lesson 10.4
Switch Security
• What are the differences between port security, 802.1X, and Extensible
Authentication Protocol?
• What are the roles of AAA servers, such as RADIUS and TACACS+, in network
access control?
• What switch port security and monitoring features protect against other kinds of
network attacks?
MAC Filtering
Configuring MAC filtering on a switch means defining which MAC addresses are
permitted to connect to a particular port. This can be done by creating a static
lock list of valid MAC addresses or by specifying a limit to the number of permitted
addresses. For example, if port security is enabled with a maximum of two MAC
addresses, the switch will record the first two MACs to connect to that port but
then drop any traffic from machines with different network adapter IDs that try to
connect. This dynamic method is often referred to as sticky MACs. Addresses are
dropped from the table if they go unused for a specified amount of time.
If a host attempts to connect with a MAC address that violates policy, the switch
port enters a violation state:
• Protect mode means the port drops frames from the invalid source address but
keeps the interface open otherwise. Protect mode can only be used with sticky
MACs.
• Restrict mode drops frames and logs and alerts violations but also keeps the
interface open.
• Shutdown mode disables the port and sends alerts. The port must be manually
re-enabled using the no shutdown command. This is the default mode.
Configuring port security with up to two learned MACs and violation policy set to restrict.
Note that violations have been reported, indicating that multiple additional hosts
have been connected to this port. (Image © and Courtesy of Cisco Systems, Inc.
Unauthorized use not permitted.)
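To make the three violation modes and sticky learning concrete, here is an added Python model of one port-security-enabled switch port; it is an illustration, not vendor code, and the port names, MAC addresses, and 300-second aging time are constructed assumptions. Each call to `receive` plays one inbound frame and returns the switch's forwarding decision.

```python
from collections import OrderedDict


class SecurePort:
    """Model of a switch port with port security (sticky MAC learning) enabled.

    mode is 'protect', 'restrict' or 'shutdown'; 'shutdown' is the default,
    matching the behaviour described for a Cisco switch."""

    def __init__(self, name, max_macs=2, mode="shutdown", aging_seconds=300):
        self.name = name
        self.max_macs = max_macs
        self.mode = mode
        self.aging = aging_seconds
        self.learned = OrderedDict()     # MAC -> time last seen
        self.shutdown = False            # err-disabled state
        self.violations = 0
        self.log = []

    def _age_out(self, now):
        """Drop learned addresses that have gone unused for longer than the aging time."""
        for mac in [m for m, seen in self.learned.items() if now - seen > self.aging]:
            del self.learned[mac]

    def receive(self, src_mac, now):
        """Return 'forward' or 'drop' for a frame with this source MAC at time now."""
        if self.shutdown:
            return "drop"                # port stays down until 'no shutdown'
        self._age_out(now)
        if src_mac in self.learned:
            self.learned[src_mac] = now
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned[src_mac] = now  # sticky: first N addresses are locked in
            return "forward"
        # A new address beyond the limit is a violation.
        self.violations += 1
        if self.mode == "protect":
            return "drop"                # silent drop, interface stays up
        if self.mode == "restrict":
            self.log.append(f"{self.name}: violation from {src_mac}")
            return "drop"                # drop plus log/alert, interface stays up
        self.shutdown = True
        self.log.append(f"{self.name}: err-disabled after violation from {src_mac}")
        return "drop"

    def no_shutdown(self):
        """Administrator re-enables the port (the 'no shutdown' command)."""
        self.shutdown = False
        self.violations = 0


if __name__ == "__main__":
    port = SecurePort("Gi0/1", max_macs=2, mode="restrict")
    for mac, t in [("aa:aa:aa:00:00:01", 0), ("aa:aa:aa:00:00:02", 1),
                   ("aa:aa:aa:00:00:03", 2), ("aa:aa:aa:00:00:01", 3)]:
        print(t, mac, port.receive(mac, t))
    print(port.log)
```

The restrict-mode counter and log entries are what produce the violation report shown in the screenshot; in shutdown mode the same third address would instead have taken the whole port down, including the two legitimate hosts behind it.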
• When the user is connecting to the network over a public network via a virtual
private network (VPN).
EAP allows many different authentication methods, but some of them use a
digital certificate on the server and/or client machines. These certificates allow the
machines to establish a trust relationship and create a secure tunnel to transmit the
user credential, or to perform smart card authentication without a user password.
Where EAP implements a particular authentication factor and mechanism, the
IEEE 802.1X Port-Based Network Access Control (NAC) standard provides the
means of using an EAP method when a device connects to an Ethernet switch port,
wireless access point, or VPN gateway. 802.1X uses authentication, authorization,
and accounting (AAA) architecture. If the AAA protocol is RADIUS, the switch is
configured as a RADIUS client by specifying the IP address or host name of the
RADIUS server and setting a shared secret. The RADIUS server is positioned in a
secure zone within the private network. The RADIUS server stores (or can obtain)
account details and can validate authentication credentials. The switch does not
have to store any authentication credentials. The switch forwards authentication
data between the RADIUS server and the supplicant device. The RADIUS server uses
the shared secret to validate RADIUS clients.
Basic NAC solutions can authenticate a client on the basis of machine certificates
and/or user passwords. More sophisticated solutions can enforce a health policy. A
health policy means that the client must submit an attestation report. This secure
report proves that the client is running an authorized OS and has up-to-date
patches and security scanner configurations.
Port Guards
There are various switch port security features to mitigate attacks on network
infrastructure:
• A malicious host may use a spoofed MAC address to try to perform ARP cache
poisoning against other hosts on the network and perpetrate an on-path attack.
A switch port security feature such as dynamic ARP inspection (DAI) prevents a
host attached to an untrusted port from flooding the segment with gratuitous
ARP replies. ARP inspection maintains a trusted database of IP:ARP mappings. It
also ensures that ARP packets are validly constructed and use valid IP addresses.
• Configuring DHCP snooping causes the switch to inspect DHCP traffic arriving
on access ports to ensure that a host is not trying to spoof its MAC address. It
can also be used to prevent rogue DHCP servers from operating on the network.
With DHCP snooping, only DHCP offers from ports configured as trusted are
allowed.
• When configuring VLANs, ensure that the default VLAN uses a different ID than
any other user accessible VLAN. This mitigates against double tagging attacks.
• Ensure that ports allowed to be used as trunks are predetermined in the switch
configuration and that access ports are not allowed to auto-configure as trunk
ports. This mitigates against VLAN hopping attacks.
• To mitigate risks from attacks on spanning tree and root bridge selection, make
sure that attackers can’t easily guess which bridge ID number is being used by
the legitimate root bridge. Set up Bridge Protocol Data Units Guard, or BPDU
Guard, to allow an interface to put itself into blocking state when it receives a
BPDU packet meant to change the root bridge switch. Enable root guard on the
ports not being used as trunk lines. This keeps ports in their assigned roles. If
one of these ports receives a BPDU frame, an error is logged and that port is
blocked, thwarting the attacker’s attempt to change the root bridge.
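The added Python example below (not code from the study guide) models the DHCP snooping and dynamic ARP inspection behaviour described in the first two bullets above, and also illustrates the rogue DHCP scenario from the earlier Rogue System Attacks lesson: server OFFER/ACK messages are accepted only from trusted ports, the ACKs build a binding table of which MAC holds which IP on which port, and ARP messages on untrusted ports are checked against that table and for obviously invalid sender addresses. All port names, MAC addresses, and IP addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpMessage:
    port: str           # switch port the frame arrived on
    kind: str           # DISCOVER/REQUEST from clients, OFFER/ACK from servers
    src_mac: str        # Ethernet source address of the frame
    client_mac: str     # chaddr field inside the DHCP payload
    server_ip: str = ""
    yiaddr: str = ""    # address assigned to the client (OFFER/ACK only)


@dataclass
class ArpMessage:
    port: str
    sender_mac: str
    sender_ip: str


class SnoopingSwitch:
    """DHCP snooping plus dynamic ARP inspection (DAI) on untrusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # client MAC -> port it sent DISCOVER/REQUEST from
        self.bindings = {}    # client MAC -> (IP address, port), learned from ACKs
        self.alerts = []

    def handle_dhcp(self, msg):
        if msg.kind in ("OFFER", "ACK"):
            # Server messages are only legitimate on trusted (uplink) ports.
            if msg.port not in self.trusted:
                self.alerts.append(f"rogue DHCP server {msg.server_ip} on {msg.port}")
                return "drop"
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                self.bindings[msg.client_mac] = (msg.yiaddr, self.pending[msg.client_mac])
            return "forward"
        # Client message: the chaddr must match the frame's real source MAC.
        if msg.port not in self.trusted and msg.src_mac != msg.client_mac:
            self.alerts.append(f"MAC spoof in DHCP {msg.kind} on {msg.port}")
            return "drop"
        self.pending[msg.client_mac] = msg.port
        return "forward"

    def handle_arp(self, msg):
        if msg.port in self.trusted:
            return "forward"
        addr = ipaddress.ip_address(msg.sender_ip)
        if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            self.alerts.append(f"DAI: invalid sender IP {msg.sender_ip} on {msg.port}")
            return "drop"
        bound = self.bindings.get(msg.sender_mac)
        if bound != (msg.sender_ip, msg.port):
            self.alerts.append(f"DAI: {msg.sender_mac} claims {msg.sender_ip} on {msg.port}")
            return "drop"
        return "forward"


def demo():
    """Replay a constructed sequence; returns (decisions, alerts, bindings)."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, server, rogue = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:01", "bb:bb:bb:00:00:09"
    decisions = [
        sw.handle_dhcp(DhcpMessage("Gi0/3", "DISCOVER", client, client)),
        sw.handle_dhcp(DhcpMessage("Gi0/24", "OFFER", server, client, "10.0.0.2", "10.0.0.50")),
        sw.handle_dhcp(DhcpMessage("Gi0/7", "OFFER", rogue, client, "10.0.0.99", "10.0.0.200")),
        sw.handle_dhcp(DhcpMessage("Gi0/24", "ACK", server, client, "10.0.0.2", "10.0.0.50")),
        sw.handle_dhcp(DhcpMessage("Gi0/7", "DISCOVER", rogue, "de:ad:be:ef:00:01")),
        sw.handle_arp(ArpMessage("Gi0/3", client, "10.0.0.50")),
        sw.handle_arp(ArpMessage("Gi0/7", rogue, "10.0.0.1")),
        sw.handle_arp(ArpMessage("Gi0/3", client, "0.0.0.0")),
    ]
    return decisions, sw.alerts, sw.bindings


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The ordering matters: DAI can only validate ARP against bindings that DHCP snooping has already recorded, so on a real switch the two features are enabled together and hosts with static addresses need explicit ARP access-list entries.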
Port Mirroring
If it is operating normally, a switch forwards unicast traffic only to the specific port
connected to the intended destination interface. This prevents sniffing of unicast
traffic by hosts attached to the same switch. There are circumstances in which
capturing and analyzing network traffic is a legitimate activity, however, and port
mirroring provides the facility to do this. Port mirroring copies all packets sent to
one or more source ports to a mirror (or destination) port. On a Cisco switch, this is
referred to as a switched port analyzer (SPAN).
Port mirroring demands a lot of processing and can lead to the switch hardware
becoming overloaded and consequently crashing. If possible, test any security solution
that requires port mirroring under typical loads before deploying it on a production
network.
Lesson 10.5
Network Security Rules
Appliances such as firewalls and proxy servers enforce security rules to ensure
authorized use of the network. They perform a filtering function to analyze the
properties of connection requests and then allow, deny, and/or log them as
appropriate. These rules require careful configuration. If they are too loose, your
network will be exposed to a wider range of threats. If they are too restrictive,
services and workflows could be disrupted. It is important you know the types of
rules that can be configured to apply defense techniques and solutions.
As you study this section, answer the following questions:
• What distinguishing features of firewalls and proxies make them candidates for
different types of network filtering?
• What distinguishes security rule types, such as access control lists (ACLs),
uniform resource locator (URL) filtering, and content filtering?
• What issues and impacts can arise from misconfigured security rules?
We’re focusing on firewalls that protect routed network traffic here. Do be aware that
firewalls can also be deployed in different ways. These include layer 2 inline or “bump in
the wire” appliances and host or personal firewalls. A firewall can also be deployed as a
virtual appliance, typically in cloud environments.
The security rules for what traffic is permitted and what should be blocked are
configured as access control lists (ACLs). Design of firewall ACLs is guided by the
principle of least access. This is similar to the principle of least privilege; only allow
the minimum amount of traffic required for the operation of network services that
should be permitted on the network segment and no more. The rules in a firewall’s
ACL are processed from top to bottom. If traffic matches a rule that allows the
packet, then it is allowed to pass. Conversely, if a match is made to a block rule, the
traffic is dropped. Once the firewall matches traffic to a rule, it stops processing
subsequent rules. Consequently, the most specific rules are placed at the top of
the ACL. If traffic does not match any rule, a firewall can be configured to block the
traffic by default. This is called an implicit deny. If the firewall is not configured for
default implicit deny, an explicit deny all rule can be added manually to the end of
the ACL.
Sample firewall ruleset configured on OPNsense. This ruleset allows any ICMP traffic,
HTTP/HTTPS traffic being forwarded to a local server (172.16.0.201), and
SMTP traffic sent to the firewall (it is operating an SMTP mail gateway).
(Screenshot used with permission from OPNsense.)
Each rule can specify whether to block or allow traffic based on parameters, often
referred to as a tuple. For example, in the screenshot, the firewall imposes a 5-tuple
rule, with matches against Protocol, Source address, Source port, Destination
address, and Destination port.
As well as allowing and blocking, rules can be configured to log matches. Log-only rules
are often used as a means of testing a new rule.
Most firewalls apply stateful rules. For example, a stateful firewall can differentiate
between new and established connections. If a rule allows a new connection to be
made by hosts on the public network to a server on the private network, a stateful
firewall could automatically allow server replies via the established connection, but
not allow the server to create new connections. To apply stateful rules, the firewall
must be capable of maintaining a state table of established connections. If the
firewall is stateless, an explicit rule would have to be configured for replies.
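The following is an added example, not part of the study guide or the OPNsense ruleset it describes. It models the points made above in working code: a 5-tuple rule set evaluated top to bottom with first-match semantics, a log-only rule used to trial a new rule without changing behaviour, an explicit host block placed above the general allow so that the more specific rule wins, implicit deny when nothing matches, and a state table that admits replies on an established connection while refusing new connections opened by the server. The 172.16.0.201 web server address is the one from the ruleset caption; the firewall WAN address and the client addresses are documentation (TEST-NET) addresses constructed for the example, and the treatment of a log rule as non-terminating is a modelling choice rather than any particular vendor's behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address for the firewall's WAN interface (TEST-NET-3 range).
FIREWALL_WAN = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for ICMP
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "block" or "log"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; a bare address means a single host
    sport: Optional[int] = None  # None matches any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        """Match on the 5-tuple: protocol, source/destination address and port."""
        return (
            self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and (self.sport is None or self.sport == p.sport)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


class StatefulFirewall:
    def __init__(self, acl: List[Rule], default: str = "block"):
        self.acl = acl
        self.default = default  # implicit deny when no rule matches
        self.state = set()      # 5-tuples of connections an allow rule admitted
        self.log = []           # (note, 5-tuple) entries written by log rules

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_of(p: Packet):
        # The connection this packet would be a reply to (endpoints swapped)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # Stateful shortcut: a reply on an established connection is allowed
        # without consulting the ACL. The server cannot use this path to open
        # a new connection, because a fresh 5-tuple has no state entry.
        if self._reply_of(p) in self.state:
            return "allow"
        # Top-to-bottom, first-match evaluation of the ACL
        for rule in self.acl:
            if not rule.matches(p):
                continue
            if rule.action == "log":
                # Modelled as non-terminating so a candidate rule can be
                # trialled without changing what is allowed or blocked
                self.log.append((rule.note, self._flow(p)))
                continue
            if rule.action == "allow":
                self.state.add(self._flow(p))
            return rule.action
        return self.default


def build_demo_firewall() -> StatefulFirewall:
    acl = [
        # Most specific rule first: one abusive host is blocked before the
        # general allow for the web server could admit it
        Rule("block", "tcp", src="198.51.100.99", dst="172.16.0.201", dport=443,
             note="blocked abusive client"),
        Rule("log", "tcp", dst="172.16.0.201", dport=443, note="candidate rule under test"),
        Rule("allow", "icmp"),
        Rule("allow", "tcp", dst="172.16.0.201", dport=80),
        Rule("allow", "tcp", dst="172.16.0.201", dport=443),
        Rule("allow", "tcp", dst=FIREWALL_WAN, dport=25),
    ]
    return StatefulFirewall(acl)  # anything else hits the implicit deny
```

Swap the first two rules in `build_demo_firewall()` and the abusive host is admitted by the general HTTPS allow, which is the ordering mistake the text warns about. The model tracks no TCP flags, so any packet that an allow rule admits creates state; a real stateful firewall only creates state for a valid connection opening.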
Proxy Servers
A typical network firewall filters traffic that is routed through its interfaces. By
contrast, a proxy server forwards requests and responses on behalf of its clients.
A proxy implies more of a break in the communications flow. Rather than inspecting
traffic as it passes through, the proxy deconstructs each packet, performs analysis,
and then rebuilds the packet and forwards it on, providing it conforms to the rules.
The proxy could also perform address translation to convert between private and
public addressing schemes.
Note that you should consider proxying as a function, rather than a class of device. It is
possible to configure proxy server software on general-purpose computer hardware, but
equally most firewall appliances will be capable of working as a proxy. Similarly, a proxy
can be configured as a virtual appliance.
Forward Proxies
A forwarding proxy server provides for protocol-specific outbound traffic. For
example, you might deploy a web proxy that enables hosts on a private network
to connect to websites and secure websites on the Internet. A proxy server must
understand the application it is servicing. A web proxy must be able to parse and
modify HTTP and HTTPS requests and replies (and potentially HTML too). Some
proxy servers are application-specific; others are multipurpose. A multipurpose
proxy is one configured with filters for multiple protocol types, such as HTTP, FTP,
and SMTP.
The main benefit of a proxy server is that clients connect to a specified point
within the perimeter network for web access. This provides for a degree of traffic
management and security. In addition, most web proxy servers provide caching
engines, whereby frequently requested webpages and image assets are retained on
the proxy, negating the need to refetch those files for subsequent requests.
Proxy servers can generally be classed as nontransparent or transparent. A
nontransparent proxy means that the client must be configured with the proxy
server address and port number to use it. The port on which the proxy server
accepts client connections is often configured as port 8080. A transparent (or
“forced” or “intercepting”) proxy intercepts client traffic without the client having to
be reconfigured.
Configuring transparent proxy settings for the proxy server running on the
OPNsense security appliance. (Screenshot used with permission from OPNsense.)
Reverse Proxies
A reverse proxy server provides for protocol-specific inbound traffic. Security and
performance factors might make it unwise to allow hosts on a public network to
connect directly to application servers. Instead, you can deploy a reverse proxy
and configure it to listen for client requests from a public network (the Internet)
and create the appropriate request to the application server. The proxy is said
to publish the application. Typical applications for reverse proxy servers include
publishing a web server, publishing messaging or conferencing applications, and
enabling POP/IMAP mail retrieval.
A reverse proxy might handle the encryption/decryption and authentication on
behalf of the application servers, reducing the overhead on those servers. It can
also perform caching to improve performance. Reverse proxies could also be
configured to perform load balancing across an application server pool.
Content Filtering
An ACL-type security rule applies basic Network or Transport layer filtering. By
contrast, content filtering is capable of applying Application layer filters based
on HTTP data. It could also apply more general business rules, such as time-of-day
restrictions. Most firewalls and proxies now support some level of content filtering.
Web filter content categories using the IPFire open source firewall.
(Screenshot used with permission from IPFire.)
Transport Layer Security (TLS) poses major issues for proxies and content filters. A proxy
cannot inspect or modify application data in encrypted traffic, and it cannot decrypt
the traffic without breaking the TLS handshake between the client and the website. To
perform TLS inspection, the proxy terminates the client's connection itself and generates
a certificate for each requested domain, signed by an enterprise CA. The client accepts
this certificate because the enterprise CA root has been deployed to its trust store and
the certificate's subject still matches the domain it requested. The proxy then establishes
its own TLS session with the website and forwards the client's requests (if they conform to
policy). Two practical consequences follow: any client without the enterprise root installed
will see certificate errors, and applications that pin a specific certificate or CA will
refuse to connect through the inspecting proxy.
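The following added example (not code from the study guide, OPNsense or IPFire) shows what a web proxy actually has to parse in order to apply the Application layer and business-rule filtering described under Content Filtering, and why TLS limits it. A nontransparent proxy receives an absolute URL in the request line for HTTP and a CONNECT request naming only host and port for HTTPS; a transparent proxy receives an ordinary origin-form request and must take the host from the Host header (or, for intercepted TLS, from the SNI extension, which is not modelled here). The category table, the policy with its time-of-day window, and the sample requests are all constructed for this example.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed category table; a real filter uses a vendor feed with millions of entries.
CATEGORIES = {
    "intranet.example": "business",
    "news.example": "news",
    "video.example": "streaming",
    "malware.example": "malware",
}

# Constructed policy: category -> (action, optional window during which it applies).
POLICY = {
    "malware": ("block", None),
    "streaming": ("block", (time(9, 0), time(17, 0))),  # blocked in business hours only
}

# Constructed sample requests, with CRLF line endings as on the wire.
EXPLICIT_NEWS = "GET http://news.example/today HTTP/1.1\r\nHost: news.example\r\n\r\n"
EXPLICIT_VIDEO = "GET http://video.example/watch?id=1 HTTP/1.1\r\nHost: video.example\r\n\r\n"
CONNECT_MALWARE = "CONNECT malware.example:443 HTTP/1.1\r\nHost: malware.example:443\r\n\r\n"
CONNECT_INTRANET = "CONNECT intranet.example:443 HTTP/1.1\r\nHost: intranet.example:443\r\n\r\n"
TRANSPARENT_INTRANET = "GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

BUSINESS_HOURS = time(10, 0)
EVENING = time(19, 0)


def parse_request(request: str) -> dict:
    """Extract host, port and path from the request head.

    Three forms reach a proxy:
      explicit proxy, HTTP:    GET http://host/path HTTP/1.1   (absolute-form)
      explicit proxy, HTTPS:   CONNECT host:443 HTTP/1.1       (tunnel; no path)
      transparent/intercepting: GET /path HTTP/1.1 + Host: header (origin-form)
    """
    head = request.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        # Only the endpoint is visible; the URL path and content stay inside TLS
        return {"method": method, "host": host, "port": int(port), "path": None, "tls": True}
    if target.startswith("http://"):
        url = urlsplit(target)
        return {"method": method, "host": url.hostname, "port": url.port or 80,
                "path": url.path or "/", "tls": False}
    host, _, port = headers.get("host", "").partition(":")
    return {"method": method, "host": host, "port": int(port) if port else 80,
            "path": target, "tls": False}


def decide(request: str, now: time):
    """Return (action, reason) for a request at wall-clock time `now`."""
    req = parse_request(request)
    category = CATEGORIES.get(req["host"], "uncategorised")
    action, window = POLICY.get(category, ("allow", None))
    if action == "block" and window is not None:
        start, end = window
        if not (start <= now < end):
            action = "allow"  # outside the restricted window
    if req["tls"] and action == "allow":
        # Without TLS inspection the decision can only be made per host;
        # nothing about the path or the response content is visible.
        return "allow", f"CONNECT tunnel to {req['host']} ({category}): host-level filtering only"
    return action, f"{req['host']} is {category}"
```

Note that `decide()` can still block a malware host behind CONNECT, because the hostname is in the clear; what it cannot do for that tunnel is anything the ACL-style 5-tuple rule also cannot do, such as distinguishing one URL on the site from another, which is exactly the gap TLS inspection exists to close.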
Module 10
Summary
You should be able to explain identity and access management concepts and apply
device hardening and network access control techniques and solutions.
• Use only secure channels for administration traffic or any other protocol where
credentials need to be submitted.
• Configure services according to the device’s baseline and disable any services
which are not required.
• Ensure that only the necessary IP ports (TCP and UDP ports) to run permitted
services are open and that access to a port is controlled by a firewall ACL if
appropriate.
• Use wall port and switch port security techniques to prevent attachment of
unauthorized devices.
Module 11
Supporting Network Security Design
Module Introduction
The idea of an office network with web, file, and messaging services is a familiar
one, but it is not the only use of networking. Networks are also used to support
industrial and fulfillment processes, for example. The types and variety of services
run over a network have a direct impact on its design, and on the security design
especially. To support these diverse networks, you must be able to explain
segmentation and security zone concepts. You should also be able to describe the
technologies used to ensure the physical security of a network site.
Module Objectives
In this module, you will do the following:
• Explain the importance of network segmentation and use of trusted and
untrusted zones.
Lesson 11.1
Zone-Based Security
A zone-based security model groups hosts with the same level of trust into separate
network segments. Traffic between segments is subject to policies and rules that
are enforced by security appliances such as firewalls, proxy servers, and intrusion
detection/prevention systems. These appliances perform a filtering function to
analyze the properties of connection requests and then allow, deny, and/or log
them as appropriate. Understanding the concept of zone-based security is vital for
the application of effective defense techniques and solutions, especially when it
comes to configuring perimeter networks.
As you study this lesson, answer the following questions:
• What technologies are used to implement zones and network segmentation
enforcement?
For example, an organization could identify the following general security zones to
use as a basis for writing security policies and rules:
• Private server administrative networks—Devices are subject to strict
hardening and configuration management policies. Hosts, user accounts, and
traffic with permission to operate in the zone are continually monitored to
ensure compliance with security policies.
Zones with different trust levels and security rules would typically be configured
to protect the integrity and confidentiality of different asset groups within the
organization. For example, servers storing financial records can be their own VLAN,
and marketing servers could be another VLAN. If something like a remote access
Trojan were introduced in one VLAN, it should not be able to spread to other VLANs
without also being able to pass through the firewall protecting each zone.
Perimeter Networks
One important distinction between different security zones is whether a host is
Internet facing. An Internet-facing host accepts or initiates connections from or to
hosts on the public Internet. Internet-facing hosts are placed in a perimeter network
zone. The basic principle of a perimeter network zone is that traffic cannot pass
through it directly. A perimeter network enables external clients to access data on
private systems, such as web servers, without compromising the security of the
internal network.
If communication is required between hosts on either side of the perimeter
network, a host within it can be configured to act as a proxy. For example, if a host
on the local network requests a connection with a web server on the Internet, a
proxy in the network perimeter takes the request and checks it. If the request is
valid, it retransmits it to the destination. To the external host, all communications
seem to be initiated by the proxy. The external host has no direct connectivity with
the LAN client device.
Servers that provide public access services should be placed in a perimeter
network. These would typically include web servers, mail and other communications
servers, proxy servers, and remote access servers. The hosts in the perimeter are
not fully trusted by the internal network because of the possibility that they could
be compromised from the Internet.
Screened Subnets
To configure a perimeter network, two different security configurations must be
enabled: one on the external interface and one on the internal interface. There
are several ways of implementing this as a topology of physical or virtual security
appliances.
A screened subnet uses two firewalls placed on either side of the perimeter
network zone. The screening firewall restricts traffic on the external/public interface
and allows permitted traffic to the hosts in the perimeter zone subnet. The internal
firewall filters communications between hosts in the perimeter and hosts on
the LAN. This firewall is often described as the choke firewall. A choke point is
a purposefully narrow gateway that facilitates better access control and easier
monitoring.
Screened subnet using multiple firewalls. The border firewall has a WAN interface but no direct
connection to the LAN. Instead, it routes filtered traffic to the choke firewall. The choke firewall
has a LAN interface, plus two interfaces in screened subnets implementing a guest network
and a public-facing app server network. (Images © 123RF.com.)
Screened subnet using a single firewall. This is directly connected to the LAN.
(Images © 123RF.com.)
Like a packet analyzer, an IDS must be configured with a sniffer to read frames
from a mirrored port or TAP. Placement of the sniffer must be carefully considered
to meet security goals. Typically, an IDS is positioned behind a firewall to monitor
traffic entering and exiting a security zone. The aim is to detect suspicious traffic
that the firewall has not blocked, providing defense in depth. This type of passive
sensor does not slow down traffic and is undetectable by the attacker (it does not
have an IP address on the monitored network segment).
Network IDS/IPS can be combined with host-based IDS/IPS. These run as agents on
end systems to monitor application processes, data files, and log files for suspicious
activity. Advanced IDS/IPS suites analyze information from multiple sensors to identify
suspicious traffic flows and host activity.
Lesson 11.2
Internet of Things
Many people and businesses are deploying internet of things (IoT) devices in their
homes and offices, and some businesses depend on the underlying embedded
systems technology for manufacturing and fulfillment. In this lesson, you will
examine how these technologies can be integrated securely with or alongside
corporate data networks.
As you study this lesson, answer the following questions:
• What are embedded and IoT systems and devices?
• What differences are there between consumer and industrial IoT devices and
networks?
• What impact does the use of IoT or IIoT have on network segmentation
enforcement?
IoT Devices
An embedded system is a complete computer system that is designed to perform a
specific, dedicated function. These systems can be as contained as a microcontroller
in an intravenous drip-rate meter or as large and complex as the network of
control devices managing a water treatment plant. Embedded systems can be
characterized as static environments. A PC is a dynamic environment. The user can
add or remove programs and data files, install new hardware components, and
upgrade the operating system. A static environment does not allow or require such
frequent changes.
In terms of security this can be ideal, because unchanging environments are
typically easier to protect and defend. Static computing environments pose their
own risks, however. A static environment is often an unknown environment to
security administrators. Unlike an OS environment such as Windows, there may be
little support for identifying and correcting security issues.
The term internet of things (IoT) is used to describe a global network of
embedded systems used as or in personal devices, home appliances, home
control systems, vehicles, and other items that have been equipped with sensors,
software, and network connectivity. These features allow these types of objects to
communicate and pass data between themselves and other traditional systems
like computer servers. This is often referred to as machine to machine (M2M)
communication.
IoT Networks
Each device in an IoT network is identified with some form of unique serial number
or code embedded within its own operating or control system and can interoperate
within Internet infrastructure, either directly or via an intermediary. As these
devices tend to be small and often either unpowered or dependent on battery
power, the standard Ethernet, cellular, and Wi-Fi networking products that connect
computers are not always suitable for use. Other networking standards and
products have been developed to facilitate IoT networks.
Cellular Networks
A cellular network for IoT enables long-distance communication over the same
system that supports mobile phones and smartphones. This is also called baseband
radio, after the baseband processor that performs the function of a cellular
modem. There are several baseband radio technologies:
• Narrowband-IoT (NB-IoT)—This refers to a low-power version of the Long
Term Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth
than regular cellular. This means that data rates are limited (20–100 kbps), but
most sensors need to send small packets with low latency, rather than making
large data transfers. Narrowband also has greater penetrating power, making
it more suitable for use in inaccessible locations, such as tunnels or deep within
buildings, where ordinary cellular connectivity would be impossible.
Smart Buildings
By contrast with consumer-grade components, there should be less scope for
compromise in the entry mechanisms and climate/lighting control components
of a properly designed smart building system. Management and monitoring of
the system should be performed over isolated network segments. Configuration
management and change control processes should ensure that no weak
configurations are introduced and that vendor advisories are tracked for any known
vulnerabilities or exploits so that these can be patched or mitigated.
ICS/SCADA
While an ICS or SCADA is typically implemented as a dedicated OT or wireless WAN
network, there may be points where these networks are linked to a corporate data
network. Historically, these vulnerable links and bridging hosts have been exploited
by threat actors. There are risks both to embedded systems from the data network
and to corporate data assets and systems from the embedded network. Where
possible, isolate management and monitoring traffic for embedded systems to
minimize access to and from the corporate data network. If OT and IT networks
cannot be completely isolated, links to them must be closely monitored and subject
to access controls.
Lesson 11.3
Physical Security
Locks
Prevention-type physical controls are ones that stop an intruder from gaining
unauthorized access, if they work effectively. Where an area is controlled by being
enclosed by walls or fencing, access is channeled through defined points of entry,
such as doors and gates. These entry points can be protected by types of electronic
lock.
Two types of electronic lock with biometric reader (left) and badge/card reader (right).
(Images © 123RF.com.)
Cameras
Detection-based controls provide an important additional layer of defense in the
event that prevention-based controls fail to work. For example, surveillance is
another layer of security designed to improve the resilience of perimeter gateways.
Effective surveillance mechanisms ensure that attempts to penetrate a barricade
are detected. Surveillance may be focused on perimeter areas or within security
zones themselves. Surveillance can be performed by security guards or via video.
Camera-based surveillance is a cheaper means of monitoring than maintaining
separate guards at each gateway or zone.
A security camera is either fixed or can be operated using pan-tilt-zoom (PTZ)
controls. Different cameras suit different purposes. If you want to record the image
of every person entering through an access control vestibule, a fixed, narrow focal
length camera positioned on the doorway will be perfectly adequate. If you want to
survey a large room and pick out individual faces, a camera with PTZ is required.
Geofencing
Geolocation is the use of network attributes to identify (or estimate) the physical
position of a device. The device uses location services to determine its current
position. Location services can make use of two systems:
• Global Positioning System (GPS)—This is a means of determining the device’s
latitude and longitude based on information received from satellites via a GPS
sensor.
Restricting device permissions such as camera and screen capture using Intune.
(Screenshot used with permission from Microsoft.)
Module 11
Summary
Module 12
Configuring Wireless Networks
Module Introduction
Wireless media technologies have distinct advantages for businesses over cabling.
They can be easier to install to existing premises, and they support the device
mobility that users require from laptop or smartphone-based access to networks.
Wireless technology implementations offer various advantages, but you need to
understand their limitations and security issues to support them properly in your
network environments.
Module Objectives
In this module, you will do the following:
• Summarize wireless standards.
Lesson 12.1
Wireless Concepts and Standards
• What are frequency bands and channels, and how do they affect wireless
performance?
Wi-Fi typically uses a logical star topology to establish a wireless local area network
(WLAN). A device called an access point (AP) implements the center of the star,
mediating connections between client device radios, which are referred to as
stations.
The original 802.11 Wi-Fi standard worked at just 1 Mbps, but like the 802.3
Ethernet standard, it has been revised many times, with each iteration specifying
different signaling and transmission mechanisms. Products conforming to the
various standards can be certified by the Wi-Fi Alliance (wi-fi.org).
The IEEE 802.11a standard specifies use of the 5 GHz frequency band and a
multiplexed carrier scheme called Orthogonal Frequency Division Multiplexing
(OFDM). 802.11a has a nominal data rate of 54 Mbps.
The 5 GHz band is subdivided into 25 non-overlapping channels, each of which is
20 MHz wide. However, some of the channels work in a frequency range also used
by radar. The 802.11h standard specifies a Dynamic Frequency Selection (DFS)
method to scan for radar signals and prevent an access point from using channels
that would cause interference. The exact use of channels can be subject to different
regulations in different countries. Regulatory impacts also include a strict limit on
power output, constraining the range of Wi-Fi devices.
Bonded channel options in the 5 GHz Unlicensed National Information Infrastructure (U-NII)
sub-bands. Channels within the DFS range may be disabled if the site is near a radar transmitter.
Some 802.11n client adapters may support only the 2.4 GHz band. An access point
(AP) or adapter that can support both is referred to as dual band. A dual band AP can
support both 2.4 GHz and 5 GHz bands simultaneously. This allows legacy clients to be
allocated to the 2.4 GHz band.
The data rate for 802.11n is 72 Mbps per stream. Assuming the maximum number
of four spatial streams and optimum conditions, the nominal data rate could
be as high as 600 Mbps for a 40 MHz bonded channel. 802.11n can work in high
throughput (HT)/greenfield mode for maximum performance or HT mixed mode for
compatibility with older standards (802.11a-ht, 802.11b-ht, and 802.11g-ht). Mixed
mode reduces overall WLAN performance, as it involves the transmission of legacy
identification and collision avoidance frames (HT protection) but not to the extent
that 802.11n devices are reduced to, for example, 802.11g data rates. Operating in
greenfield mode is likely to cause substantial interference if there are legacy WLANs
operating nearby on the same channel(s).
In recent years, Wi-Fi standards have been renamed with simpler digit numbers.
802.11n is now officially designated as Wi-Fi 4.
Wi-Fi 5 (802.11ac)
Wi-Fi 5 is designed to work only in the 5 GHz band. The 2.4 GHz band can be
used for legacy standards (802.11g/n) in mixed mode. The aim for Wi-Fi 5 is to
get throughput like that of Gigabit Ethernet or better. It supports more channel
bonding (up to 80 or 160 MHz channels), up to eight spatial streams, rather than
four, and denser modulation (at close ranges). The way Wi-Fi 5 uses the radio
spectrum is designated as very high throughput (VHT).
Wi-Fi 5 access points are marketed using AC values, such as AC5300. The 5300 value
represents 1,000 Mbps over a 40 MHz channel in the 2.4 GHz band and two 2,167
Mbps streams over 80 MHz channels in the 5 GHz band.
While there aren’t 802.11ac standards for 2.4 GHz, vendors use proprietary extensions
to claim higher maximum throughput than 802.11n’s 600 Mbps.
Wi-Fi 6 (802.11ax)
Wi-Fi 6 uses advanced modulation and signal encoding to improve the amount
of data sent per packet by about 40%. The way Wi-Fi 6 uses the radio spectrum is
designated as high efficiency (HE) to reflect these improvements. The aim for Wi-Fi 6
is to approximate 10G connection speeds (AX11000). Like Wi-Fi 5, Wi-Fi 6 products
are branded using the combined throughput. For example, AX6000 is nominally
1,148 Mbps on the 2.4 GHz radio and 4,804 over 5 GHz. Wi-Fi 6 also specifies use of
a new 6 GHz frequency band, which is required to achieve the highest data rates.
In Wi-Fi 6, the OFDM with multiple access (OFDMA) modulation scheme allows
sub-carriers or tones to be allocated in groups of different sizes, referred to as
resource units (RUs), each of which can communicate in parallel. Where small RUs
are used, this reduces throughput but provides more opportunities for a larger
number of devices to transmit. The effect is to reduce latency where numerous
small data packets are being transmitted. This technology provides better support
for IoT devices. Stations that require more bandwidth can be assigned larger RUs.
RUs can also be assigned based on class of service parameters, such as prioritizing
voice over IP (VoIP) traffic. It also allows an access point to support legacy Wi-Fi 4/5
stations efficiently.
Multiuser MIMO
Downlink MU-MIMO (DL MU-MIMO) allows the AP to use its multiple antennae
to process a spatial stream of signals in one direction separately from other
streams. This means that groups of stations on a different alignment can connect
simultaneously and also obtain more bandwidth. For example, if four stations are
positioned north, south, east, and west of a 4x4:4 AP, the AP should be able to
allow each of them to connect at close to the maximum speed. If another station is
added to the north, those two northern stations will share the available bandwidth
along that beam path. Both stations and AP must support MU-MIMO. Where Wi-Fi
5 supports up to four stations communicating in parallel over 5 GHz only, Wi-Fi
6 can support up to eight in 2.4 GHz, 5 GHz, and 6 GHz bands, giving it better
performance in congested areas.
With DL MU-MIMO, only the AP can initiate beamforming, so it is only available
on the downlink from AP to station (not station to AP). Wi-Fi 6 supports uplink
MU-MIMO (UL MU-MIMO), allowing stations to initiate beamforming with the access
point.
For both Wi-Fi 5 and Wi-Fi 6, improvements are released to market in waves. For
example, UL MU-MIMO was released in wave 2 Wi-Fi 6 products, which also added
support for the 6 GHz frequency band.
MU-MIMO and OFDMA are different but complementary technologies. MU-MIMO makes
use of spatial streams, where OFDMA makes flexible use of subcarriers within a channel.
Both can work together to increase parallelism (supporting communication with more
devices simultaneously).
Band Steering
Many Wi-Fi devices have dual-band (2.4 GHz and 5 GHz) or tri-band (2.4, 5, and
6 GHz) radios. In a site where multiple access points support dual-band or tri-band
networks, a client device will use a combination of beacon messages from the
access point and a measure of signal strength to determine which band to use. In
some circumstances, the network designer might want to exert more control over
this process. Band steering allows an access point to make it more likely that a
client will connect to the 5 GHz or 6 GHz band than the 2.4 GHz band. It does this by
reducing the number of beacons used to advertise the 2.4 GHz network. The goal is
to restrict the use of the 2.4 GHz band to devices with no 5/6 GHz capability.
Another approach is to use different network names for 2.4 GHz and 5/6 GHz networks.
Alternatively, a network designer may prefer to allow client devices to select the best
band. The AP does not use signal strength as a factor in band steering, so it can lead to
poor performance in some circumstances.
Cellular Technologies
Where Wi-Fi is typically operated as private infrastructure, cellular radio is
operated by telecommunications providers. A cellular radio establishes a
connection with the nearest available cell or base station. Each base station has an
effective range of up to 5 miles (8 km). The base station links the device to global
telecommunications networks.
Cellular digital communications standards are described as belonging to
a generation. 2G and 3G cellular networks were implemented by different
technologies in different parts of the world and suffered from low data rates.
Converged 4G and 5G standards are supported by telecommunications providers
worldwide. As well as faster mobile speeds, 4G and 5G can provide fixed-wireless
broadband solutions for homes and businesses, and support IoT networks. 4G and
5G devices must be installed with a Subscriber Identity Module (SIM) card or chip
issued by the network provider.
5G
Compared to earlier cellular technologies, 5G can use a broader radio spectrum,
from low (sub-1 GHz) to medium/high (6 GHz to 40 GHz). Low bands, such as
900 MHz or 1,900 MHz, have greater range and penetrating power. High bands,
also referred to as millimeter wave (mmWave), require close range (a few hundred
feet) and cannot penetrate walls or windows. Consequently, design and rollout
of 5G services is relatively complex. Rather than a single large antenna serving a
large wireless cell, 5G involves installing hundreds of smaller antennae to form
an array that can take advantage of multipath and beamforming to overcome the
propagation limitations of the spectrum. This is also referred to as massive MIMO.
In theory, 5G has a maximum peak rate of 20 Gbps. As with 4G, real-world speeds
are nowhere near the peak rate, ranging from about 50 Mbps to 300 Mbps at time
of writing.
Cellular data rates vary widely from country to country and from region to region. The
rates given here are only illustrative.
Satellite Technologies
Satellite systems use microwave dishes aligned to orbital satellites that can either
relay signals between sites directly or via another satellite. The widespread use of
satellite television receivers allows for domestic Internet connectivity services over
satellite connections. Satellite services for business are also expanding, especially in
rural areas where DSL or cable services are unlikely to be available.
RTT is the two-way latency, or the time taken for a probe to be sent and a response to
be received.
To create a satellite Internet connection, the ISP installs a very small aperture
terminal (VSAT) satellite dish antenna at the customer’s premises and aligns it
with the orbital satellite. Because the satellite does not move relative to the dish,
there should be no need for any realignment. The antenna is connected via coaxial
cabling to a digital video broadcast satellite (DVB-S) modem. The transfer rates
available vary between providers and access packages, but 2 or 6 Mbps up and
30 Mbps down would be typical.
Lesson 12.2
Enterprise Wireless Network Design
• How can an infrastructure network cover a wider area than the range of a single
access point?
• What are the uses of ad hoc, mesh, and point to point wireless network types?
Any given access point could operate multiple BSSs on its 2.4 GHz, 5 GHz, and 6 GHz
radios. These BSSs could be configured with separate network names (SSIDs), or the
same network name, depending on how many logical networks are required. Each
network can have different security properties. For example, you might configure
a guest network with no authentication, and a home network that requires a
passphrase to join.
If a client connects to an SSID underpinned by multiple BSSs, it tries to determine
which BSSID offers the best signal.
Access point hosting multiple networks. The CORPNET and GUEST networks are offered on both
2.4 GHz and 5 GHz bands. The IoT network is only offered on the 2.4 GHz band. Each BSS (a
network name on a particular band) is identified by a BSSID MAC address. (Image © 123RF.com.)
This infrastructure isn’t limited to running a single ESS. Each ESS could be mapped to a
VLAN to segment the traffic as it is carried around the switched network.
Depending on the vendor, RSSI might be measured directly in dBm or might be an index
value related to a scale of dBm measurements. RSSI indices can be measured as 0–60,
0–127, or as 0–255. On a client, this index is displayed as a number of bars of signal
strength on the adapter icon.
The comparative strength of the data signal to the background noise is called the
signal-to-noise ratio (SNR). Noise is also measured in dBm, but here values closer to
zero are less welcome as they represent higher noise levels. For example, if signal is
−65 dBm and noise is −90 dBm, the SNR is the difference between the two values,
expressed in dB (25 dB). If noise is −80 dBm, the SNR is 15 dB and the connection
will be much, much worse.
Alternatively, Power over Ethernet (PoE) allows a switch to supply power to the AP over
data cabling.
The next step is to create a new plan on which you will mark the basic service areas
and associated APs and booster antennae. The idea here is to place APs close
enough together to avoid “dead zones”—areas where connectivity is difficult or data
transfer rates are below an acceptable tolerance level—but far enough apart that
one AP does not interfere with another or that one AP is overutilized and a nearby
one underutilized.
Position an AP in the first planned location, then use a laptop with a wireless adapter
and a wireless survey tool to record signal strength and supported data rate at
various points in the intended BSA. Many tools can show the signal strength within
a particular channel obtained in different locations as a graphical heat map. The
heat map would show areas with a strong signal in greens and yellows with warning
oranges and reds where signal strength drops off. This step is then repeated for
each planned location. Neighboring APs should be configured with non-overlapping
channels to avoid interfering with one another. It may also be necessary to adjust
the transmit power of an AP to size its BSA appropriately. Transmit power is a setting
that configures the device to use less than its maximum output.
The network design might call for different power levels for different bands. For
example, you might lower power on the 2.4 GHz band to reduce its range and make
it more likely that clients will connect on the 5 GHz band. Alternatively, you might
configure band steering, or use different ESSIDs for 2.4 GHz and 5 GHz networks.
Wireless Roaming
Clients can roam within an extended service area (ESA). An ESA is created by installing
APs with the same ESSID and security configuration connected by a wired network, or
distribution system (DS). The access points are configured with different channels
so that where BSAs overlap, there is no interference. When the client detects that it
is no longer receiving a good signal, it checks for another signal with the same ESSID
on other channels or on a different frequency band, and if there is a stronger signal,
it disassociates from the current AP. The station can then reassociate with the new
AP. Depending on the roaming infrastructure and security type, the station may have
to reauthenticate, or if 802.11r fast roaming is supported, it may be able to use its
existing authentication status to generate security properties for the new association.
Roaming is supposed to be seamless, but in practice reestablishing the connection
can often cause time-out problems for applications. To improve mobility, there
needs to be a balance between determining what constitutes a “good” signal and
the rate at which a client tries to associate with different APs. Many adapters
support a roaming “aggressiveness” setting that can be configured to prevent
a Wi-Fi adapter “flapping” between two APs or (conversely) to prevent a client
from remaining associated with a more distant AP when it could achieve better
bandwidth through one closer to it.
Even if SSID broadcast is suppressed, it is fairly easy for a network sniffer to detect it as
clients still use it when connecting with the AP.
WDS support and implementation can vary between manufacturers. If you are
implementing WDS, it is usually best to use APs from the same vendor.
Wireless Controllers
An enterprise network might require the use of tens or hundreds of access
points (APs). If APs are individually managed, this can lead to configuration errors
on specific APs and can make it difficult to gain an overall view of the wireless
deployment, including which clients are connected to which APs and which clients
or APs are producing the most traffic.
Rather than configure each device individually, enterprise wireless solutions allow
for centralized management and monitoring of the APs on the network. This is
typically achieved through the use of a dedicated hardware device called a wireless
controller.
An AP whose firmware contains enough processing logic to be able to handle
clients without the use of a wireless controller is known as an autonomous AP,
while one that requires a wireless controller to function is a lightweight AP. Cisco
wireless controllers usually communicate with the APs using the Lightweight Access
Point Protocol (LWAPP). LWAPP allows an AP configured to work in lightweight
mode to download an appropriate SSID, standards mode, channel, and security
configuration. Alternatives to LWAPP include the derivative Control And Provisioning
of Wireless Access Points (CAPWAP) protocol or a proprietary protocol.
As well as autoconfiguring the appliances, a wireless controller can aggregate
client traffic and provide a central switching and routing point between the WLAN
and wired LAN. It can assign clients to separate VLANs. Automated VLAN pooling
ensures that the total number of stations per VLAN is kept within specified limits,
reducing excessive broadcast traffic.
Antenna Types
The antenna type determines the propagation pattern or shape of the radio waves
transmitted. Most wireless radios are fitted with omnidirectional vertical rod-type
antennae. An omnidirectional antenna receives and sends signals in all directions
more or less equally. Access points with omnidirectional antennae should ideally
be ceiling mounted for best coverage. The propagation pattern is shaped like a
torus (donut), rather than a sphere, and radiates more powerfully in the horizontal
plane than it does in the vertical plane. Locating the antenna above head height
will minimize interference from obstructing furniture by allowing line of sight to
most connecting devices, but positioning it too high (above around 25 ft) will reduce
signal strength, especially for stations directly below the antenna. You can obtain
APs with downtilt omnidirectional antennae for use on high ceilings.
To extend the signal to a particular area, you can use a unidirectional antenna
focused in a single direction. Both the sender and receiver must use directional
antennae, or one will be able to receive signals but not send responses.
Unidirectional antenna types include the Yagi (a bar with fins) and parabolic (dish
or grid) form factors. Unidirectional antennae are useful for point to point wireless
bridge connections.
The increase in signal strength obtained by focusing the signal is referred to as
the gain and is measured in dBi (decibel isotropic). The amount of directionality,
referred to as the beamwidth, is measured in degrees. A pair of 10-degree antennae
is highly directional and will require more exact alignment than a pair of 90-degree
antennae.
A variety of generic antenna types: from left to right, a vertical rod antenna,
a Yagi antenna, a parabolic/dish antenna, and a parabolic grid antenna.
Polarization refers to the orientation of the wave propagating from the antenna.
If you imagine a rod-type antenna, when the rod is pointed up relative to the floor,
the wave is horizontally polarized; if you orient the rod parallel to the floor, the
wave is vertically polarized. To maximize signal strength, the transmission and
reception antennae should normally use the same polarization. This is particularly
important when deploying unidirectional antennae for a point to point link.
Some antennae are dual-polarized, meaning that they can be installed in either
orientation. Dual-polarized antennae are also the best way to support mobile
devices, as these can be held by their user in a variety of orientations.
Ad Hoc Topology
In an ad hoc topology, the wireless adapter allows connections to and from other
devices. In 802.11 documentation, this is referred to as an Independent Basic
Service Set (IBSS). This topology does not require an access point. All the stations
within an ad hoc network must be within range of one another. An ad hoc network
might suit a small workgroup of devices, or connectivity to a single device, such as a
shared printer, but it is not scalable to large network implementations.
IBSS is not supported by the updated WDI driver model in the latest versions of Windows
(docs.microsoft.com/en-us/windows-hardware/drivers/network/wdi-features-not-carried-over-in-wdi).
Peer-to-peer connections are more likely to use Wi-Fi Direct. Wi-Fi Direct allows a device
such as a printer to operate a limited type of access point to allow clients to send print
jobs wirelessly.
Mesh Topology
The 802.11s standard defines a wireless mesh network (WMN). There are also
various proprietary mesh protocols and products. Unlike an ad hoc network,
nodes in a WMN are capable of discovering one another and peering, forming a
Mesh Basic Service Set (MBSS). The mesh stations can perform path discovery and
forwarding between peers using a routing protocol, such as the Hybrid Wireless
Mesh Protocol (HWMP).
These features make a mesh topology more scalable than an ad hoc topology
because the stations do not need to be within direct radio range of one another—a
transmission can be relayed by intermediate stations. Mesh topologies are
becoming increasingly popular and are the foundation of most internet of things
(IoT) networks.
Point to Point
A point to point link means a physical and logical connection between two devices.
A wireless point to point link is usually used as a means of bridging two locations
when it is not possible to connect them using cables. For example, two office
buildings could be connected by installing highly directional dish or Yagi antennae
on the roofs. The antennae would be carefully aligned to point directly at one
another. The antennae could be connected to access points configured in bridge
mode. Traffic that needs to be sent from one office to another would pass over the
wireless bridge.
Lesson 12.3
Wireless Security
Wireless networking is popular with users but also poses considerable risk to
the whole network unless it is secured with access controls. In this topic, you will
identify different wireless security methods and their configuration requirements.
As you study this lesson, answer the following questions:
• What is the strongest wireless encryption method, and what are the risks of
using weaker encryption standards?
• What are the differences between personal, enterprise, and open authentication
modes, and what is the impact on encryption?
• How can users’ personal devices and guest networks be supported securely?
Configuring a TP-LINK SOHO access point with wireless encryption and authentication settings.
In this example, the 2.4 GHz band allows legacy connections with WPA2-Personal security,
while the 5 GHz network is for 802.11ax (Wi-Fi 6) capable devices using WPA3-SAE authentication.
(Screenshot used with permission from TP-Link Technologies.)
Neither WEP nor the original WPA version is considered secure enough for
continued use. They can be exploited by various types of replay attack that aim to
recover the encryption key. WPA2 uses the Advanced Encryption Standard (AES)
cipher deployed within the Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP). AES replaces RC4, and CCMP replaces TKIP.
CCMP provides authenticated encryption, which is designed to make replay attacks
harder.
Weaknesses have also been found in WPA2, however, which has led to its
replacement by WPA3. The main features of WPA3 are as follows:
• Simultaneous Authentication of Equals (SAE)—WPA2 uses a four-way
handshake to allow a station to authenticate its credential, exchange a key to use
for data encryption, and establish an association with an access point. This four-
way handshake mechanism is vulnerable to manipulations that allow a threat
actor to recover the key. WPA3 replaces the four-way handshake with the more
secure SAE mechanism.
Personal Authentication
In order to secure a network, you need to be able to confirm that only valid users
are connecting to it. Wi-Fi authentication comes in three types: personal, open, and
enterprise. Within the personal authentication category, there are two methods:
pre-shared key authentication (PSK) and Simultaneous Authentication of Equals
(SAE).
The configuration interfaces for access points can use different labels for these
methods. You might see WPA2-Personal and WPA3-SAE rather than WPA2-PSK and
WPA3-Personal, for example. Additionally, an access point can be configured for WPA3
only or with support for legacy WPA2 (WPA3-Personal Transition mode).
Enterprise Authentication
The main problems with personal modes of authentication are that distribution
of the key or passphrase cannot be secured properly and that users may choose
insecure phrases. Personal authentication also fails to provide accounting, as all
users share the same credential.
As an alternative to personal authentication, WPA’s enterprise authentication
method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP)
mechanism to authenticate against a network directory. 802.1X defines the use of
EAP over Wireless (EAPoW) to allow an access point to forward authentication data
without allowing any other type of network access. It is configured by selecting
WPA2-Enterprise or WPA3-Enterprise as the security method on the access point.
Using Cisco’s Virtual Wireless LAN Controller to set security policies for a WLAN—This policy
enforces use of WPA2 and the use of 802.1X (Enterprise) authentication.
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
Captive portal issues can arise when the redirect does not work. The captive portal
should use HTTPS. Most modern browsers will block redirection to sites that do not
use TLS. This means that the captive portal also needs to be installed with a digital
certificate issued by a certification authority (CA) that is trusted by the client browser.
When using open wireless, users must ensure they send confidential web data only
over HTTPS connections and only use messaging and file transfer services with
TLS enabled. Another option is for the user to join a virtual private network (VPN).
The user would associate with the open hotspot, then start the VPN connection.
This creates an encrypted “tunnel” between the user’s computer and the VPN
server. This allows the user to browse the web or connect to email services without
anyone eavesdropping on the open Wi-Fi network being able to intercept those
communications. The VPN could be provided by the user’s company, or they
could use a third-party VPN service provider. Of course, if using a third party, the
user needs to be able to trust them implicitly. The VPN must use certificate-based
tunneling to set up the “inner” authentication method.
Some of the impact of these issues can be mitigated through the use of enterprise
mobility management (EMM) suites and corporate workspaces. EMM (or mobile
device management) is a type of network access control solution that registers
devices as they connect to the network. It can then enforce security policies while
the device is connected. These might restrict use of device functions or personal
apps. A corporate workspace is an app that is segmented from the rest of the
device and allows more centralized control over corporate data. Users must also
agree to acceptable use policies, which might prohibit installing non-store apps
and rooting/jailbreaking a device and require keeping the device up to date with
patches. Users might have to permit some level of inspection of the device to
protect corporate data.
Evil Twins
A rogue AP masquerading as a legitimate one is called an evil twin. An evil twin
might advertise a similar network name (SSID) to the legitimate one. For example,
an evil twin might be configured with the network name “compeny” where the
legitimate network name is “company.” Alternatively, the evil twin might spoof the
SSID and BSSID (MAC address) of an authorized access point, and then the attacker
might use some DoS technique to overcome the legitimate AP. After a successful
DoS attack, the users will be forced to disconnect from the network and then
manually attempt to reconnect. At that point, with many users busy and trying to
get back to work, some or all may associate with the evil twin AP and submit the
network passphrase or their credentials for authentication.
However it is configured, when a user connects to an evil twin, it might be able to
harvest authentication information and, if it is able to provide wider network or
Internet access, execute an on-path attack to snoop on connections established
with servers or websites.
Surveying Wi-Fi networks using Xirrus Wi-Fi Inspector (xirrus.com)—Note the presence of print
devices configured with open authentication (no security) and a smart TV appliance (requiring
authentication). (Screenshot used with permission from Xirrus.)
One solution to the risk of rogue access points is to use EAP-TLS security so that
the authentication server and clients perform mutual authentication. There are
also various scanners and monitoring systems that can detect rogue APs, referred
to as a wireless intrusion detection system (WIDS) or wireless intrusion prevention
system (WIPS).
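As an added example (not part of the study guide), the following Python shows the kind of check a WIDS performs on scan results: it flags the two evil-twin patterns described above, an authorized SSID advertised from an unrecognized BSSID and a look-alike name such as "compeny". The scan rows, the authorized BSSID list and the MAC addresses are all constructed placeholders.

```python
"""Flag candidate evil twins in a wireless scan.

Added example, not from the study guide. The scan rows and the
authorised BSSID inventory below are constructed for illustration;
real data would come from a WIDS/WIPS or the controller's neighbour list.
"""

# Constructed inventory: SSID (lower case) -> BSSIDs our own APs use.
AUTHORISED = {
    "company": {"02:00:00:00:00:01", "02:00:00:00:00:02"},
    "company-guest": {"02:00:00:00:00:01", "02:00:00:00:00:02"},
}

# Constructed scan results, as a survey tool or WIDS might export them.
SCAN = [
    {"ssid": "company", "bssid": "02:00:00:00:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "company", "bssid": "02:00:00:00:00:99", "security": "WPA2-Personal"},
    {"ssid": "compeny", "bssid": "02:00:00:00:00:77", "security": "Open"},
    {"ssid": "HP-Print-1A", "bssid": "02:00:00:00:00:55", "security": "Open"},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike network names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(row: dict, authorised: dict = AUTHORISED, max_distance: int = 2) -> str:
    """Label one scan row relative to the authorised inventory."""
    ssid, bssid = row["ssid"].lower(), row["bssid"].lower()
    if ssid in authorised:
        if bssid in authorised[ssid]:
            return "authorised"
        return "spoofed-ssid"  # our network name from an AP we do not own
    for name in authorised:
        if edit_distance(ssid, name) <= max_distance:
            return "look-alike-ssid"  # e.g. "compeny" next to "company"
    return "unknown"  # neighbouring network, not ours and not imitating ours


def find_rogues(scan: list, authorised: dict = AUTHORISED) -> list:
    """Return (ssid, bssid, label) for every row that warrants investigation."""
    rogues = []
    for row in scan:
        label = classify(row, authorised)
        if label not in ("authorised", "unknown"):
            rogues.append((row["ssid"], row["bssid"], label))
    return rogues


if __name__ == "__main__":
    for ssid, bssid, label in find_rogues(SCAN):
        print(f"{label:16} {ssid!r:14} {bssid}")
```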
Deauthentication Attacks
The use of an evil twin may be coupled with a deauthentication attack. This sends
a stream of spoofed management frames to cause a client to deauthenticate from
an AP. This might allow the attacker to interpose the evil twin, sniff information
about the authentication process, or perform a denial of service (DoS) attack
against the wireless infrastructure. The attacks can be mitigated if the wireless
infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP
and clients must be configured to support MFP.
Aireplay sniffs ARP packets to harvest IVs while Airodump saves them to a capture,
which Aircrack can analyze to identify the correct encryption key.
Lesson 12.4
Wireless Troubleshooting
• What are the steps for diagnosing signal degradation, coverage, channel overlap,
roaming, and disassociation issues?
• Throughput is the amount of data that can be transferred at the Network layer,
discarding overhead from layers 1 and 2. Often the term “goodput” is used to
describe data transfer achieved at the Application layer (accounting for overhead
from header fields and packet loss/retransmissions).
Radio frequency (RF) attenuation or free space path loss is the degradation
of a signal as the distance between a radio transmitter and receiver increases.
The strength of the signal decreases per the inverse-square rule. For example,
doubling the distance decreases the signal strength by a factor of four. Meanwhile,
interference sources collectively overlay a competing background signal, referred
to as noise. These factors impose distance limitations on how far a client can be
from an access point. Loss of power/signal strength is measured in dB units. For
example, if transmit power is 14 dBm (~25 mW), antenna gain is 3 dBi, and free
space loss over 30 meters is 70 dB, the received signal strength is approximately
0.000005 mW:
Surveying Wi-Fi networks using inSSIDer. The chart shows which channels are active and the signal
strength of different networks in each channel. (Screenshot used with permission from MetaGeek.)
Antenna Placement
Incorrect antenna placement could cause or exacerbate attenuation and
interference problems. Use a site survey and heat map to determine the optimum
position for APs and (if available) the direction in which to point adjustable
antennae. Also, using an incorrect antenna type may adversely affect the signal
strength at any given point. A unidirectional antenna is only suitable for point to
point connections, not for general client access. The internal antennae built into APs
may also be optimized to transmit and receive in some directions more than others.
For example, an AP designed for ceiling mounting may produce a stronger signal in
a cone directed downward from its central axis, whereas the signal from a desktop
AP is likely to radiate in a doughnut-like pattern. Consult the documentation for
your specific model of AP or use site survey software to produce a heat map.
Remember that some client devices might support a standard such as 802.11n, but only
have a single band 2.4 GHz radio. They will not be able to join a 5 GHz network.
If a device has removable antennae, check that these are screwed in firmly. A loose
or disconnected antenna may reduce the range of the device or prevent connectivity
altogether.
The EIRP for each radio is reported through the access point or controller
management software. EIRP must not exceed regulatory limits. Power limits are
different for the 2.4 GHz and 5 GHz bands and for point to multipoint versus point
to point operation modes.
Increasing transmit power is not usually an effective solution for improving wireless
coverage. While an AP might have an EIRP of around 23 dBm, smartphone devices
are more likely to be around 10 to 14 dBm. If the client detects a strong signal, it will
set a high data rate. However, because the EIRP of the client radio is much lower, it
fails to transmit a strong signal back to the AP. Because it is trying to use a high data
rate, this results in excessive packet errors.
As a general rule of thumb, AP power should be two-thirds of the weakest client
power. For example, if the weakest client can output 14 dBm, the AP should
transmit at 9 to 10 dBm.
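As an added worked example (not from the study guide), the following Python carries the decibel arithmetic of this lesson through in code: the signal-to-noise figures (−65/−90 dBm gives 25 dB), the link budget (14 dBm + 3 dBi − 70 dB ≈ 0.000005 mW), the inverse-square rule, and the two-thirds rule of thumb for AP power. The Friis free-space path loss formula and the 2437 MHz (channel 6) frequency used to reproduce the 70 dB figure are assumptions, not values printed in the guide.

```python
"""Link-budget arithmetic for the worked figures in this lesson.

Added example, not from the study guide. The free-space loss function
is the standard Friis formula (an assumption; the guide quotes only its
result), and 2437 MHz is assumed as the 2.4 GHz channel 6 centre.
"""
import math


def mw_to_dbm(milliwatts: float) -> float:
    """Absolute power in mW to dBm (0 dBm = 1 mW)."""
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """dBm back to mW; -53 dBm comes out at about 0.000005 mW."""
    return 10 ** (dbm / 10)


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Friis free-space loss: 20 log10(d_km) + 20 log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float,
                       path_loss_db: float, rx_gain_dbi: float = 0.0) -> float:
    """Link budget in logarithmic units: gains add, losses subtract."""
    return tx_dbm + tx_gain_dbi - path_loss_db + rx_gain_dbi


def snr_db(signal_dbm: float, noise_dbm: float) -> float:
    """SNR is the difference of two dBm readings, expressed in dB."""
    return signal_dbm - noise_dbm


def distance_loss_db(distance_ratio: float) -> float:
    """Extra loss from the inverse-square rule; doubling distance costs ~6 dB."""
    return 20 * math.log10(distance_ratio)


def recommended_ap_power_dbm(weakest_client_dbm: float) -> float:
    """Lesson rule of thumb: AP power about two-thirds of the weakest client."""
    return weakest_client_dbm * 2 / 3


def link_asymmetry_db(ap_eirp_dbm: float, client_eirp_dbm: float) -> float:
    """How much stronger the downlink is than the uplink over the same path."""
    return ap_eirp_dbm - client_eirp_dbm


if __name__ == "__main__":
    rx = received_power_dbm(14, 3, 70)  # the guide's example: 14 dBm, 3 dBi, 70 dB loss
    print(f"received {rx:.0f} dBm = {dbm_to_mw(rx):.6f} mW")
    print(f"FSPL over 30 m at 2437 MHz = {free_space_path_loss_db(30, 2437):.1f} dB")
    print(f"SNR -65/-90 = {snr_db(-65, -90)} dB; -65/-80 = {snr_db(-65, -80)} dB")
    print(f"weakest client 14 dBm -> AP {recommended_ap_power_dbm(14):.1f} dBm")
```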
One of the design goals for a multi-AP site is to create clean basic service areas so
that clients can select an AP with the strongest signal easily and the WLAN operates
with a minimum of co-channel interference. At least 25 MHz spacing should be
allowed to avoid channel overlap. In practice, therefore, no more than three nearby
APs using the 2.4 GHz band can have non-overlapping channels. This could be
implemented, for example, by selecting channel 1 for AP1, channel 6 for AP2, and
channel 11 for AP3. When you are using the 5 GHz band for 802.11a or Wi-Fi 4/5/6,
more non-overlapping channels are available.
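The 25 MHz spacing rule for the 2.4 GHz band, as an added example that is not from the study guide: the check below scores a channel plan for neighbouring APs and shows why only three mutually non-overlapping channels (1, 6 and 11) are available. The 2.4 GHz centre frequencies (channel n = 2407 + 5n MHz, channel 14 = 2484 MHz) are from the 802.11 channel plan; the AP names and neighbour pairs are constructed.

```python
"""2.4 GHz channel-overlap check for a multi-AP plan.

Added example, not from the study guide. Centre frequencies follow the
802.11 2.4 GHz plan; the 25 MHz minimum spacing is the lesson's figure.
"""

MIN_SPACING_MHZ = 25


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel number."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, min_spacing_mhz: int = MIN_SPACING_MHZ) -> bool:
    """Two channels overlap when their centres are closer than the minimum spacing."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < min_spacing_mhz


def check_plan(plan: dict, neighbours: list) -> list:
    """Return (ap1, ap2, ch1, ch2) for each neighbouring pair whose channels overlap."""
    conflicts = []
    for ap1, ap2 in neighbours:
        if channels_overlap(plan[ap1], plan[ap2]):
            conflicts.append((ap1, ap2, plan[ap1], plan[ap2]))
    return conflicts


def max_nonoverlapping(channels=range(1, 15), min_spacing_mhz: int = MIN_SPACING_MHZ) -> list:
    """Greedy lowest-first pick of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c, min_spacing_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    # Constructed site: three APs whose service areas all overlap one another.
    neighbours = [("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP3")]
    good = {"AP1": 1, "AP2": 6, "AP3": 11}
    bad = {"AP1": 1, "AP2": 4, "AP3": 11}
    print("good plan conflicts:", check_plan(good, neighbours))
    print("bad plan conflicts: ", check_plan(bad, neighbours))
    print("non-overlapping set:", max_nonoverlapping())
```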
In a complex environment, it may be necessary to adjust the power level used by an
AP on a given channel. Using the maximum available power on an AP can result in
it interfering with other “cells” and to situations where a client can “hear” the AP but
cannot “talk” to it because it lacks sufficient power.
Checking power levels on a wireless station using Intel's PROSet Wi-Fi configuration utility.
(Screenshot courtesy of Intel Corp.)
Interference Issues
If a device is within the supported range but the signal is weak or you cannot get
a connection, there is likely to be interference. Apart from CCI and ACI, there are
several other sources of interference to consider:
• Reflection/bounce (multipath interference)—Mirrors or shiny surfaces
cause signals to reflect, meaning that a variable delay is introduced. This causes
packets to be lost and consequently the data rate to drop.
The Wi-Fi 4/5/6 standards actually use bounce (multipath) as a means of optimizing
throughput and range via MIMO.
• Refraction—Glass or water can cause radio waves to bend and take a different
path to the receiver. This can also cause the data rate to drop.
• Absorption—This refers to the degree to which walls, windows, and people will
reduce signal strength (some of the radio wave’s energy is lost as heat when
passing through construction materials or human bodies). An internal wall might
“cost” 3 to 15 dB, depending on the material used (concrete being the most
effective absorber). The 2.4 GHz frequency has better penetration than the
5 GHz one, given the same power output. To minimize absorption from office
furniture (and people), use ceiling-mounted APs.
Also consider that signal problems could be a result of someone trying to attack the
network by jamming the legitimate AP and making clients connect to a rogue AP.
• Clients that do not support roaming standards (802.11k, 802.11r, and 802.11v)
and so experience service interruptions due to having to reauthenticate or
associate too slowly with the new AP. 802.11r assists with reauthentication,
support for 802.11k can mitigate sticky and flapping client issues, as it transmits
information about the wireless topology to the client, and 802.11v can “push” a
client toward a less congested access point.
• Inconsistent service areas for 2.4 GHz and 5 GHz. 2.4 GHz supports longer
ranges than 5 GHz, and this can cause it to “attract” more clients. Typically,
a 2.4 GHz BSS is configured with a lower transmit power than the equivalent
5 GHz BSS.
Issues with roaming can be identified by analyzing access point association times
for client devices. A WLAN controller will be able to track client mobility, showing
each access point and the time that the client associated with it.
Overcapacity Issues
Overcapacity (or device saturation) occurs when too many client devices connect
to the same AP. The maximum number of clients that an AP can support varies,
depending on the Wi-Fi standard used and the type of network traffic generated.
For example, web browsing will typically place a lighter load on the network than
local client-server traffic or is likely at least to move any bottleneck further upstream
to the WAN, rather than the wireless network. While individual circumstances must
be considered, a maximum of 30 clients per AP is generally accepted as a rule of
thumb. In designing the network, enough APs should be provided in appropriate
locations to support the expected client density at this ratio. APs can usually be
configured to enforce a maximum number of connections, so that additional clients
will connect to the next nearest AP.
Even with a relatively low number of clients, the wireless network can suffer
from bandwidth saturation. Since wireless is a broadcast medium, the available
bandwidth is shared between all clients. Thus, if one client is a bandwidth hog,
others may find it difficult to maintain a reliable connection. In an enterprise Wi-Fi
solution, a controller will normally provide reporting tools to diagnose bandwidth
issues and to report on which clients are consuming the most bandwidth. It could
also report on wireless channel utilization and configure APs and clients to reassign
channels dynamically to reduce overutilization. If a traffic shaper is deployed, it may
work automatically to throttle bandwidth to overactive nodes.
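The two diagnostic checks described above (client mobility between APs and client counts per AP) carried out over a constructed association log, as an added example that is not part of the study guide. The log format, the two-minute flapping window and the three-roam threshold are assumptions; the 30-clients-per-AP limit is the rule of thumb from the text.

```python
"""Analyze WLAN controller association records for flapping clients and
oversubscribed APs (added example; all records below are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed association log: "timestamp client_mac ap_name", one event per
# line, in the shape a controller's client-mobility report might export.
ASSOCIATION_LOG = """\
2024-10-15T09:00:00 aa:bb:cc:00:00:01 AP-Floor1-East
2024-10-15T09:00:20 aa:bb:cc:00:00:01 AP-Floor1-West
2024-10-15T09:00:45 aa:bb:cc:00:00:01 AP-Floor1-East
2024-10-15T09:01:10 aa:bb:cc:00:00:01 AP-Floor1-West
2024-10-15T09:00:05 aa:bb:cc:00:00:02 AP-Floor1-East
2024-10-15T10:30:00 aa:bb:cc:00:00:02 AP-Floor2-North
""" + "".join(  # 35 constructed clients all parked on one AP
    f"2024-10-15T09:05:00 aa:bb:cc:00:01:{i:02x} AP-Floor1-East\n"
    for i in range(35)
)

FLAP_WINDOW = timedelta(minutes=2)  # roams inside this window count together
FLAP_THRESHOLD = 3                  # this many roams in the window = flapping
MAX_CLIENTS_PER_AP = 30             # rule-of-thumb figure from the text


def parse_log(text):
    """Return (timestamp, client, ap) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, ap = line.split()
        events.append((datetime.fromisoformat(ts), client, ap))
    events.sort()
    return events


def find_flapping_clients(events, window=FLAP_WINDOW, threshold=FLAP_THRESHOLD):
    """Map client -> highest number of AP changes seen inside any `window`,
    for clients that reach `threshold` (a flapping/roaming problem)."""
    per_client = defaultdict(list)
    for ts, client, ap in events:
        per_client[client].append((ts, ap))
    flapping = {}
    for client, assocs in per_client.items():
        # A roam is an association to a different AP than the previous one.
        roams = [ts for (ts, ap), (_, prev) in zip(assocs[1:], assocs)
                 if ap != prev]
        worst, start = 0, 0
        for end in range(len(roams)):          # sliding window over roams
            while roams[end] - roams[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flapping[client] = worst
    return flapping


def clients_per_ap(events, at):
    """Count associated clients per AP at ISO time `at`, taking each client's
    most recent association on or before that instant as its current AP."""
    cutoff = datetime.fromisoformat(at)
    current = {}
    for ts, client, ap in events:
        if ts <= cutoff:
            current[client] = ap
    counts = defaultdict(int)
    for ap in current.values():
        counts[ap] += 1
    return dict(counts)


def oversubscribed_aps(events, at, limit=MAX_CLIENTS_PER_AP):
    """APs carrying more than `limit` clients at time `at`."""
    return {ap: n for ap, n in clients_per_ap(events, at).items() if n > limit}


if __name__ == "__main__":
    evts = parse_log(ASSOCIATION_LOG)
    print("flapping clients:", find_flapping_clients(evts))
    print("oversubscribed at 09:10:",
          oversubscribed_aps(evts, "2024-10-15T09:10:00"))
```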
Module 12
Summary
• Consider the devices you will need and any compatibility requirements they
have, in terms of Wi-Fi standards support, such as 802.11a, b, g or Wi-Fi 4 (n),
5 (ac), 6 (ax).
• Obtain a scale drawing of the building and a Wi-Fi analyzer to use to perform a
site survey and generate heat maps of signal strength and channel utilization.
• Determine the range of the AP for the wireless technology you have chosen.
This will help you to better determine how many APs you will need to ensure
adequate coverage for the space.
• Balance the number of users who will have access to the AP, and ensure that the
AP can cover all employees in the range of the AP. More employees in a given
area means more APs.
• Tour the area in the range of the AP, and check to see if there are any devices
that will interfere with the wireless network. This can include devices such as
microwave ovens, Bluetooth-enabled devices, or an existing wireless network—
whether from a community network, a neighboring building, or another floor of
your company’s building. These devices or networks can possibly interfere with
your new implementation.
• Ensure that there are no obstacles in the path of the AP, such as doors, closed
windows, walls, and furniture, that the wireless signal will need to pass through
on its way to a client. If there are too many obstacles in the path, adjust the
placement of your AP accordingly.
• Install the APs. The specific steps for installing the AP will vary by vendor, but the
common steps may include the following:
• Configuring frequency bands and channel layout within each frequency band.
• Adjusting transmit power to reduce channel overlap and using either transmit
power or band steering to optimize frequency usage by clients.
• Perform periodic site surveys to check RSSI at key locations and compare it to
the performance levels recorded in previous site surveys.
Module 13
Comparing Remote Access Methods
Module Introduction
Most local networks require some sort of external connection, whether to the
global Internet or within an enterprise WAN. These long-distance communications
are typically facilitated by service provider links. Supporting WAN and Internet
access effectively is an essential competency to learn.
User services and network management often require the creation of various types
of remote access, including virtual private networks (VPNs). While remote access
makes networks more usable and accessible, it also broadens the attack surface.
You must understand the implications of different remote access models and
protocols so that you can support their secure use.
Module Objectives
In this module, you will do the following:
• Summarize WAN provider and Internet access types.
Lesson 13.1
WAN and Internet Connectivity
Understanding the various WAN connectivity devices and methods will help you
support Internet connectivity and the configuration of enterprise WANs. You will
need to understand the capabilities and limitations of WAN provider links to choose
the one best suited for your network.
As you study this lesson, answer the following questions:
• How are private homes and offices connected to public telecommunications
networks?
• What connection speeds should you expect from various types of Internet access
methods?
T-Carrier
The T-carrier system enabled voice traffic to be digitized for transport around the
core of the telecommunications network. It also enabled other types of digital data
to be transported and could be provisioned directly to subscribers as a leased line.
T-carrier is based on time division multiplexing (TDM). The protocol assigns each
circuit (or channel) a time slot. Each 64 Kbps channel provides enough bandwidth
for a digitized voice call.
A single 64 Kbps channel is known as a DS0 or narrowband link. For leased line data
services, however, the foundation level of T-carrier is the DS1 or T1 digital signal
circuit. This service comprises 24 channels multiplexed into a single 1.544 Mbps
full-duplex digital connection that can be used for voice and data. The T1 lines
themselves can be multiplexed to provide even more bandwidth.
At the Data Link layer, T1 leased lines typically use either High-Level Data Link
Control (HDLC) or Point-to-Point Protocol (PPP).
• Symmetric versions of DSL offer the same uplink and downlink speeds. These
are of more use to businesses and for branch office links, where more data is
transferred upstream than with normal Internet use.
Cable Internet
A cable Internet connection is usually available along with Cable Access TV (CATV).
These networks are sometimes described as hybrid fiber coax (HFC) because they
combine a fiber optic core network with coax links to CPE, but are more simply just
described as cable broadband.
Installation of a cable modem follows the same general principles as for a DSL
modem. An Ethernet cable connects the cable modem to the customer’s router,
and a short segment of coax connects the WAN port to the provider network.
More coax then links all the premises in a street with a Cable Modem Termination
System (CMTS), which routes data traffic via the fiber backbone to the ISP’s point of
presence (PoP) and from there to the Internet. Cable based on the Data Over Cable
Service Interface Specification (DOCSIS) supports downlink speeds of up to 38 Mbps
(North America) or 50 Mbps (Europe) and uplinks of up to 27 Mbps. DOCSIS version
3 allows the use of multiplexed channels to achieve higher bandwidth.
The modem type must match the service. An ADSL-only modem cannot be used to
access a VDSL service, for instance.
Optical network terminal—the PON port terminates the external fiber cable, and the LAN ports
connect to local routers or computers over RJ45 patch cords. (Image by artush © 123RF.com.)
Lesson 13.2
Virtual Private Networks
• Restricting privileges on the local network (ideally, remote users would only be
permitted access to a clearly defined part of the network).
In addition to this, a management plan should ensure that RASs and other
hardware are kept up to date with the latest software or firmware updates.
Administrative access to the devices should also be secured, using strong
authentication.
Tunneling Protocols
Most modern remote network solutions use Internet access infrastructure to
implement a virtual private network (VPN). This requires a protocol that can
create a secure tunnel for private communications through the Internet. Tunneling
is where the hosts are on the same logical network but connected via different
physical networks. The tunnel encapsulates the packet for the local network within
a public network packet. Typically, the local network packet is encrypted. When
the packet is delivered, the remote access server strips the public packet headers,
extracts and decrypts the local packet, and forwards it over the local network.
Point-to-Point Protocol
The Point-to-Point Protocol (PPP) is an encapsulation protocol that works at the
Data Link layer (layer 2). PPP is used to encapsulate IP packets for transmission over
serial digital lines. PPP has no security mechanisms, so must be used with other
protocols to provision a secure tunnel.
IP Security
Internet Protocol Security (IPSec) also operates at the Network layer of the OSI
model to authenticate hosts and encrypt packets. IPSec is used with other protocols
to provide connection security, and it is increasingly used as a standalone VPN
protocol.
With ESP, algorithms for both confidentiality (symmetric cipher) and authentication/
integrity (hash function) are usually applied together. It is possible to use one or the
other, however.
The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats
are different. IPSec makes use of extension headers in IPv6 while in IPv4, ESP and AH are
allocated new IP protocol numbers (50 and 51), and either modify the original IP header
or encapsulate the original packet, depending on whether transport or tunnel mode is
used.
2. Phase II uses the secure channel created in Phase I to establish which ciphers
and key sizes will be used with AH and/or ESP in the IPSec session.
There are two versions of IKE. Version 1 was designed for site-to-site and host-to-
host topologies and requires a supporting protocol to implement remote access
VPNs. IKEv2 has some additional features that have made the protocol popular for
use as a stand-alone remote access client-to-site VPN solution. The main changes
are the following:
• Supports EAP authentication methods, allowing, for example, user
authentication against a RADIUS server.
Client-to-Site VPNs
A VPN can be implemented in several topologies. In a client-to-site or remote access
topology, the VPN client connects over the public network to a VPN gateway (a
VPN-enabled router) positioned on the edge of the local network (typically the VPN
access server will be in a screened subnet). Client-to-site is the “telecommuter”
model, allowing homeworkers and employees working in the field to connect to the
corporate network.
Client-to-site VPNs can be configured using a number of protocols. An SSL/TLS VPN
solution uses certificates to establish the secure tunnel. One example is Microsoft’s
Secure Socket Tunneling Protocol (SSTP). Cisco’s Layer 2 Tunneling Protocol (L2TP)
is also widely used, in conjunction with IPSec. All these solutions require client
software to operate. Most VPN solutions use EAP and AAA/RADIUS architecture to
authenticate client devices and users.
Microsoft’s Point-to-Point Tunneling Protocol (PPTP) was once very widely used but has
too many security flaws to be deployed safely.
When a client connected to a remote access VPN tries to access other sites on the
Internet, there are two ways to manage the connection:
• Split tunnel—The client accesses the Internet directly using its ISP-managed IP
configuration, routers, and DNS servers.
Full tunnel offers better security, but the network address translations and DNS
operations required may cause problems with some websites, especially cloud
services. It also means more data is channeled over the link, and the connection can
exhibit higher latency.
Clientless VPNs
Microsoft’s Remote Desktop Protocol (RDP) can be used to access a physical
machine on a one-to-one basis. Alternatively, the site can operate a remote desktop
gateway that facilitates access to virtual desktops or individual apps running on
the network servers (docs.microsoft.com/en-us/windows-server/remote/remote-
desktop-services/welcome-to-rds). Similar services are provided by Citrix’s products
(citrix.com/products).
Traditionally, remote desktop products and client-to-site VPNs require a client
app that implements the protocols and authentication methods supported by the
remote desktop/VPN gateway. The canvas element introduced in HTML5 allows a
browser to draw and update a desktop with relatively little lag. It can also handle
audio. This allows ordinary browser software to connect to a remote desktop or
to a VPN portal that publishes a number of web applications. This is referred to as
an HTML5 VPN or clientless VPN (guacamole.apache.org). This solution also uses
a protocol called WebSockets, which enables bidirectional messages to be sent
between the server and client without requiring the overhead of separate HTTP
requests.
Site-to-Site VPNs
A VPN can also be deployed in a site-to-site model to connect two or more private
networks. Where remote access VPN connections are typically initiated by the client,
a site-to-site VPN is configured to operate automatically. The gateways exchange
security information using whichever protocol the VPN is based on. This establishes
a trust relationship between the gateways and sets up a secure connection through
which to tunnel data. Hosts at each site do not need to be configured with any
information about the VPN. The routing infrastructure at each site determines
whether to deliver traffic locally or send it over the VPN tunnel. This is also referred
to as compulsory tunneling. Compulsory tunnels can be in place permanently
(static), or they can be put in place based on the data or client type (dynamic).
VPNs are not always established over the public Internet. A WAN service provider can
implement VPNs via its network. The provider can use VLAN-like technology to isolate a
customer’s data from other traffic. This is a common model for site-to-site VPNs.
While VPNs are being covered here as part of remote access, they can be just as usefully
deployed on local networks as a type of network segmentation. For example, the
department for product development might need to provide secure communications
with SCADA workstations in an industrial internet of things (IIoT) segment.
Lesson 13.3
Remote Management
A remote management tool allows you to configure servers and devices over the
network. Having to perform configuration and troubleshooting activity at a local
console would be incredibly time consuming. Efficient network administration
depends upon remote access tools. It is imperative to configure these tools
securely, however.
As you study this lesson, answer the following questions:
• What protocols support secure remote access?
• What is the role of APIs in remote management, and what security issues do they
raise?
Secure Shell
The name “terminal” comes from the early days of computing where configuration
was performed by a teletype (TTY) device. The TTY is the terminal or endpoint for
communication between the computer and the user. The TTY handles text input
and output between the user and the shell, or command environment. Where
the terminal accepts input and displays output, the shell performs the actual
processing.
A terminal emulator is any kind of software that replicates this TTY input/output
function. A given terminal emulator application might support connections to
multiple types of shell. A remote terminal emulator allows you to connect to the
shell of a different host over the network.
Secure Shell (SSH) is the principal means of obtaining secure remote access to
UNIX and Linux servers and to most types of network appliances (switches, routers,
and firewalls). As well as terminal emulation, SSH can be used as the secure file
transfer protocol (SFTP). There are numerous commercial and open source SSH
servers and terminal emulation clients available for all the major NOS platforms
(UNIX, Linux, Windows, and macOS). The most widely used is OpenSSH (openssh.com).
An SSH server listens on TCP port 22 by default.
Confirming the SSH server's host key using the SSH client. (Screenshot courtesy of Microsoft.)
The host key must be changed if any compromise of the host is suspected. If an attacker
has obtained the private key of a server or appliance, they can masquerade as that
server or appliance and perform a spoofing attack, usually with a view to obtaining
other network credentials. You might also change the key to use a longer bit strength.
Managing valid client public keys is a critical security task. Many recent attacks on web
servers have exploited poor key management. If a user's private key is compromised,
delete the public key from the appliance, then regenerate the key pair on the user's
(remediated) client device and copy the public key to the SSH server. Always delete
public keys if the user's access permissions have been revoked.
• ssh-keygen—Create a key pair to use to access servers. The private key must
be stored securely on your local computer. The public key must be copied to the
server. You can use the ssh-copy-id command to do this, or you can copy
the file manually.
• ssh Host—Use the SSH client to connect to the server running at Host. Host
can be an FQDN or IP address. You can also create a client configuration file.
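The key-revocation step described above, removing a compromised user's public key from the server's authorized_keys file, as an added example that is not part of the study guide. It identifies the key by its OpenSSH SHA256 fingerprint (the value `ssh-keygen -lf` prints) rather than by the free-text comment field; the key material is constructed, not a real key, and option-prefixed lines are assumed to contain no spaces inside quoted option values.

```python
"""Revoke a compromised user key from an authorized_keys file by OpenSSH
fingerprint (added example; the keys built here are constructed, not real)."""
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_public_key(seed, comment):
    """Build a syntactically valid ssh-ed25519 authorized_keys line.
    The 32-byte 'public key' is a constructed placeholder, not real key material."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(authorized_keys_line):
    """Return the SHA256 fingerprint as `ssh-keygen -lf` prints it:
    SHA256 over the decoded key blob, base64-encoded with '=' padding removed."""
    fields = authorized_keys_line.split()
    # A line may carry leading options such as restrict,from="10.0.0.0/8";
    # the key-type token marks where the key itself starts.
    for i, token in enumerate(fields):
        if token.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def revoke_key(authorized_keys, revoked_fingerprint):
    """Return (new_file_contents, lines_removed) with every key whose
    fingerprint matches `revoked_fingerprint` dropped; comments and blank
    lines are preserved so the rest of the file is untouched."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") \
                and fingerprint(line) == revoked_fingerprint:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


if __name__ == "__main__":
    alice = make_ed25519_public_key(1, "alice@laptop")
    bob = make_ed25519_public_key(2, "bob@desk")
    current = "# admin keys\n" + alice + "\n" + bob + "\n"
    # Bob's laptop is reported compromised: remove his key by fingerprint.
    new_contents, n = revoke_key(current, fingerprint(bob))
    print(f"removed {n} key(s); remaining file:\n{new_contents}")
```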
Telnet
Telnet is both a protocol and a terminal emulation software tool that transmits
shell commands and output between a client and the remote host. In order to
support Telnet access, the remote computer must run a service known as the Telnet
Daemon. The Telnet Daemon listens on TCP port 23 by default.
A Telnet interface can be password protected, but the password and other
communications are not encrypted and therefore could be vulnerable to packet
sniffing and replay. Historically, Telnet provided a simple means to configure switch
and router equipment, but only secure access methods should be used for these
tasks now. Ensure that the Telnet service is uninstalled or disabled, and block
access to port 23.
If use of Telnet to manage legacy systems is unavoidable, these legacy systems must be
deployed to a secure segment.
There are several popular alternatives to Remote Desktop. Most support remote
access to platforms other than Windows (macOS and iOS, Linux, Chrome OS,
and Android, for instance). Examples include TeamViewer (teamviewer.com/en)
and Virtual Network Computing (VNC), which is implemented by several different
providers (notably realvnc.com/en).
RDP is mainly used for the remote administration of a Windows server or client,
but another function is to publish software applications on a server, rather than
installing them locally on each client (application virtualization). A site can operate
a remote desktop gateway that facilitates access to virtual desktops or individual
apps running on the network servers (docs.microsoft.com/en-us/windows-server/
remote/remote-desktop-services/welcome-to-rds). Similar services are provided by
Citrix’s products (citrix.com/products).
USB and RJ45 type console ports plus AUX and other management interfaces on a router.
(Image © 123RF.com.)
Use a secure connection protocol (HTTPS rather than HTTP, or SSH rather than Telnet)
for the management interface. This applies to OOB too, but it is critical for in-band
management.
Jump Boxes
One of the challenges of managing hosts exposed to the Internet, such as in a
screened subnet or cloud network, is providing administrative access to the servers
and appliances located within it. On the one hand, a link is necessary; on the
other, the administrative interface could be compromised and exploited as a pivot
point into the rest of the network. Consequently, management of hosts permitted
to access administrative interfaces on hosts in the secure zone must be tightly
controlled. Configuring and auditing this type of control when there are many
different servers operating in the zone is complex.
One solution to this complexity is to add a single administration server, or jump
box/host/server, to the secure zone. The jump box only runs the necessary
administrative port and protocol, such as SSH or RDP. Administrators connect to
the jump box and then use the jump host to connect to the admin interface on the
application server. The application server’s admin interface has a single entry in its
ACL (the jump server) and denies connection attempts from any other hosts.
• Only use secure protocols, such as HTTPS, for API communications. Configure
mutual authentication and access controls so that API requests can only be
issued from authorized clients.
Module 13
Summary
You should be able to explain WAN provider links and compare and contrast
remote access methods and security implications.
• Develop a remote access policy to ensure only authorized users can connect
and ensure that the network is not compromised by remote clients with weak
security configurations.
Module 14
Summarizing Cloud Concepts
Module Introduction
As the Internet becomes more robust and capable of matching the performance of
local networks, many services are being moved from on-premises servers to cloud
providers. Even where services are kept on-site, the different requirements and
design principles of datacenters are essential competencies for network technicians
at all levels.
This module completes the Network+ course by summarizing the software-driven
virtualization, automation, and orchestration functionality that underpins cloud
services.
Module Objectives
In this module, you will do the following:
• Explain datacenter and storage network architecture.
• Summarize the use of software, coding, and zero trust in modern network
environments.
Lesson 14.1
Datacenter and Storage Networks
Datacenters and storage networks play critical parts in both on-premises and cloud
networks. Understanding the different topology and automation requirements of
these networks will be critical for pursuing a successful career in networking.
As you study this lesson, answer the following questions:
• What is the difference between north/south and east/west traffic patterns?
• What components and cabling are used to create a storage network, and how
are these different from Ethernet?
In datacenters that support cloud and other Internet services, most traffic is
actually between servers within the datacenter. This is referred to as east-west
traffic. Consider a client uploading a photograph as part of a social media post.
The image file might be checked by an analysis server for policy violations (indecent
or copyright images, for instance), a search/indexing service would be updated
with the image metadata, the image would be replicated to servers that provision
content delivery networks (CDNs), the image would be copied to backup servers,
and so on. A single request to the cloud tends to cascade into multiple requests and
transfers within the cloud. Consequently, datacenters need to use a topology that
optimizes secure server-to-server communications.
The preponderance of east-west traffic complicates security design. If each of these
cascading transactions were to pass through a firewall or other security appliance,
it would create a severe bottleneck. These requirements are driving the creation of
virtualized security appliances that can monitor traffic as it passes between servers
(blogs.cisco.com/security/trends-in-data-center-security-part-1-traffic-trends). At the
same time, security implementations are moving toward zero trust architectures.
Zero trust implies a highly segmented network where each request from one server
to another must be authenticated and authorized.
• The leaf layer contains access switches. Each access switch is connected to every
spine switch in a full mesh topology. The access switches never have direct
connections to one another.
• There are multiple redundant paths between a leaf switch and the backbone,
allowing for load balancing and failover.
• Servers are connected to multiple leaf switches for multipath redundancy, using
a first hop gateway protocol to determine the active path.
• Scalability is improved because adding spine and/or leaf nodes does not
change the topology. This means adding capacity for service needs that change
unpredictably, such as storage, is easy.
The leaf layer access switches are implemented as top-of-rack (ToR) switch models.
These are switch models designed to provide high-speed connectivity to a rack
of server appliances and support higher bandwidths than ordinary workgroup
switches. For example, where a workgroup switch might have 1 Gbps access ports
and a 10 Gbps uplink port, top-of-rack switches have 10 Gbps access ports and
40/100 Gbps uplink ports.
A ToR switch doesn’t have to be placed at the top of the server rack. This is a common
practice, however, as it ensures cleaner cable management and better accessibility.
A SAN can integrate different types of storage technology—RAID arrays and tape
libraries, for instance. It can contain a mixture of high-speed and low-cost devices,
allowing for tiered storage to support different types of file access requirements
without having to overprovision high-cost, fast drives.
Fibre Channel
A SAN fabric can be implemented using a variety of technologies.
Fibre Channel
Fibre Channel is defined in the T11 ANSI standard. The British spelling “fibre” is
deliberately chosen to distinguish the standard from fiber optic cabling, which
it often uses but on which it does not rely. A SAN based on a Fibre Channel (FC)
Switched Fabric (FC-SW) involves three main types of components:
• Initiator—This is a client device of the SAN, such as a file or database server
installed with a fibre channel host bus adapter (HBA).
• Target—This is the network port for a storage device. Typical devices include
single drives, RAID drive arrays, tape drives, and tape libraries. Space on the
storage devices is divided into logical volumes, each identified by a 64-bit logical
unit number (LUN). The initiator will use SCSI, Serial Attached SCSI (SAS), SATA, or
Nonvolatile Memory Express (NVMe) commands to operate the storage devices
in the network, depending on which interface they support. Most devices have
multiple ports for load balancing and fault tolerance.
The initiators and targets are identified by 64-bit WorldWide Names (WWN),
similar to network adapter MAC addresses. Collectively, initiators and targets
are referred to as nodes. Nodes can be allocated their own WWN, referred to as
a WWNN (WorldWide Node Name). Also, each port on a node can have its own
WorldWide Port Name (WWPN).
Fibre Channel can use rates from 1GFC (1 Gbps) up to 128GFC. Fibre Channel uses
dedicated SFP+ and QSFP optical and twinax modular transceivers. Fibre Channel
transceivers and Ethernet transceivers are not interchangeable.
As most SANs now depend on the use of fast, highly parallel SSDs, the NVMe
specification is typically preferred over the older SCSI interface. Using NVMe in a
networked environment is referred to as NVMe over Fabrics (NVMe-oF). NVMe over FC
can be referred to as either FC-NVMe or NVMe/FC.
Converged Ethernet
The reason for using Fibre Channel fabric over standard Ethernet is that a SAN
requires quality of service (QoS) mechanisms to ensure flow control and guaranteed
delivery. A new iteration of Ethernet, referred to as lossless Ethernet, Data Center
Ethernet, or Converged Enhanced Ethernet, has been developed as an alternative
SAN fabric.
Fibre Channel over Ethernet (FCoE) is a means of delivering Fibre Channel packets
over lossless Ethernet components. FCoE requires special 10/40/100G adapters that
combine the function of NIC and HBA, referred to as converged network adapters
(CNAs).
A more modern option is NVMe over Remote Direct Memory Access (RDMA) over
Converged Ethernet (RoCE). RDMA is a way of offloading storage transfers from the
CPU and OS to improve performance, compared to NVMe/FC.
TCP/IP
Internet Small Computer Systems Interface (iSCSI) is an IP tunneling protocol
that enables the transfer of SCSI data over an IP-based network. iSCSI works with
ordinary Ethernet network adapters and switches. iSCSI can be used to link SANs
but is also seen as an alternative to Fibre Channel or Converged Ethernet, as it
works with regular Ethernet adapters and switches.
Another option is NVMe over TCP (NVMe/TCP), which uses the reliability
mechanisms built into TCP to substitute for the lossless mechanisms of FC or CE.
While there is greater packet header overhead and latency compared to NVMe/FC or RoCE,
the use of standard Ethernet products can simplify procurement and support
procedures.
A SAN should not be implemented on the same cabling as a production data network,
even if technologies such as iSCSI and NVMe/TCP make that technically possible. The
performance of the SAN will be heavily impacted. As a best practice, implement a
dedicated network infrastructure (cabling, switches, and NICs) that is restricted to only
SAN traffic.
Lesson 14.2
Cloud Concepts
• What are the types of cloud deployment model, and how do they impact security
considerations?
• What is a cloud service model, and which are the main types?
Infrastructure as a Service
Infrastructure as a Service (IaaS) is a means of provisioning IT resources such
as servers, load balancers, and storage area network (SAN) components quickly.
Rather than purchase these components and the Internet links they require, you
rent them on an as-needed basis from the service provider’s datacenter. Examples
include Amazon Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft Azure
Virtual Machines (azure.microsoft.com/services/virtual-machines), and OpenStack
(openstack.org).
Software as a Service
Software as a Service (SaaS) is a different model of provisioning software
applications. Rather than purchasing software licenses for a given number of seats,
a business would access software hosted on a supplier’s servers on a pay-as-you-go
or lease arrangement (on-demand). Virtual infrastructure allows developers
to provision on-demand applications much more quickly than previously. The
applications can be developed and tested in the cloud without the need to test and
deploy on client computers. Examples include Microsoft Office 365 (support.office.com),
Salesforce (salesforce.com), and Google Workspace (workspace.google.com).
Platform as a Service
Platform as a Service (PaaS) provides resources somewhere between SaaS
and IaaS. A typical PaaS solution would deploy servers and storage network
infrastructure (as per IaaS) but also provide a multi-tier web application/database
platform on top. This platform could be based on Oracle or MS SQL or PHP and
MySQL. Examples include Oracle Database (cloud.oracle.com/paas), Microsoft Azure
SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine
(cloud.google.com/appengine).
As distinct from SaaS though, this platform would not be configured to actually
do anything. Your own developers would have to create the software (the CRM or
e‑commerce application) that runs using the platform. The service provider would
be responsible for the integrity and availability of the platform components, but
you would be responsible for the security of the application you created on the
platform.
Dashboard for Amazon Web Services Elastic Compute Cloud (EC2) IaaS/PaaS.
(Screenshot courtesy of Amazon.)
Content delivery network with datacenters around the world. (Images © 123RF.com.)
Lesson 14.3
Cloud Networking
• What is a virtual private cloud, and how does it support familiar subnetting and
routing concepts?
• What options are there for filtering traffic within the cloud and between the
cloud and external networks?
Cloud Instances
When using an IaaS or PaaS model, the customer will use the cloud to build a
solution, such as creating a popular video streaming platform. Each solution
will comprise one or more workloads. For example, each time an end-customer
requests a video, a workload is created to stream the video to them. Each workload
requires compute (CPU and memory), storage, and network resources. These are
allocated using some type of virtualization:
• A virtual machine (VM) is an instance of a computer or network appliance
running an OS and applications software. The VM can be allocated with a
number of CPUs, an amount of system RAM, local storage, and network links. A
VM can be managed just like a normal computer by connecting to it via RDP or
SSH.
To establish “local” networks within the cloud to deploy instances to, each tenant
can create one or more virtual private clouds (VPCs) attached to their account. By
default, a VPC is isolated from other CSP accounts and from other VPCs operating
in the same account. This means that tenant A cannot view traffic passing over
tenant B’s VPC. The instances assigned to each VPC are isolated from other VPCs.
Any communications between them must be created by configuring routing. Within
each VPC, the cloud consumer can assign an IPv4 CIDR block and configure one or
more subnets within that block. Optionally, an IPv6 CIDR block can be assigned also.
These notes focus on features of networking in AWS. Other vendors support similar
functionality, though sometimes with different terminology. For example, in Microsoft
Azure, VPCs are referred to as virtual networks.
Cloud Gateways
As with on-premises networking, a cloud gateway refers to the route that instances
within a VPC subnet use to establish communications with other subnets in the
same VPC, subnets in other VPCs, or over the Internet.
Each subnet within a VPC can either be private or public. To configure a public
subnet, first an Internet gateway (virtual router) must be attached to the VPC
configuration. Secondly, the Internet gateway must be configured as the default
route for each public subnet. If a default route is not configured, the subnet
remains private, even if an Internet gateway is attached to the VPC. Each instance
in the subnet must also be configured with a public IP in its cloud profile. The
Internet gateway performs 1:1 network address translation (NAT) to route Internet
communications to and from the instance.
The instance network interface is not configured with this public IP address. The
instance’s network interface is configured with an IP address for the subnet. The public
address is used by the virtualization management layer only. Public IP addresses can be
assigned from your own pool or from a CSP-managed service, such as Amazon’s Elastic
IP (docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html).
There are other ways to provision external connectivity for a subnet if it is not
appropriate to make it public:
• NAT gateway—This feature allows an instance to connect out to the Internet or
to other AWS services but does not allow connections initiated from the Internet.
Note that both an Internet gateway and a NAT gateway use NAT, but in different ways.
An Internet gateway is a two-way gateway and requires the VM instance to be associated
with a public IP address. A NAT gateway is a one-way (outbound only) gateway and
does not require the VM to be associated with a public IP.
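The following Python model is an added example (not from this guide and not the AWS API) of the rules just described: a subnet is public only when an Internet gateway is attached and is the subnet's default route, Internet-initiated connections additionally need a public IP on the instance, and a NAT gateway gives outbound-only access without one. The VPC, subnets, instances, and addresses are constructed for illustration.

```python
"""Public vs. private subnet reachability in a VPC (constructed model, not the AWS API)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Instance:
    name: str
    private_ip: str                  # the address actually configured on the interface
    public_ip: Optional[str] = None  # held by the virtualization layer for 1:1 NAT


@dataclass
class Subnet:
    cidr: str
    routes: Dict[str, str] = field(default_factory=dict)   # destination CIDR -> target
    instances: List[Instance] = field(default_factory=list)


@dataclass
class Vpc:
    cidr: str
    subnets: List[Subnet]
    internet_gateway_attached: bool = False
    nat_gateway_present: bool = False


def default_route_target(subnet: Subnet) -> Optional[str]:
    """Target of the subnet's 0.0.0.0/0 route: 'igw', 'nat', or None (no default route)."""
    return subnet.routes.get("0.0.0.0/0")


def is_public_subnet(vpc: Vpc, subnet: Subnet) -> bool:
    """Public requires BOTH an attached IGW and a default route that points at it.
    An IGW attached to the VPC but not used as the default route leaves the subnet private."""
    return vpc.internet_gateway_attached and default_route_target(subnet) == "igw"


def inbound_from_internet(vpc: Vpc, subnet: Subnet, inst: Instance) -> bool:
    """Internet-initiated connections reach the instance only via a public subnet
    and a public IP that the IGW can translate 1:1 to the private address."""
    return is_public_subnet(vpc, subnet) and inst.public_ip is not None


def outbound_to_internet(vpc: Vpc, subnet: Subnet, inst: Instance) -> bool:
    """Outbound works through the IGW (public IP needed) or through a NAT gateway
    (one-way, no public IP on the instance)."""
    target = default_route_target(subnet)
    if target == "igw":
        return inbound_from_internet(vpc, subnet, inst)   # same conditions, 1:1 NAT is symmetric
    if target == "nat":
        return vpc.nat_gateway_present
    return False


# --- Constructed sample VPC (RFC 1918 / documentation addresses, illustrative only) ---
WEB = Instance("web-01", "10.0.1.10", public_ip="203.0.113.25")   # has an Elastic-IP-style address
WEB_NO_PUBLIC = Instance("web-02", "10.0.1.11")                    # same subnet, no public IP
APP = Instance("app-01", "10.0.2.10")
DB = Instance("db-01", "10.0.3.10")

PUBLIC_SUBNET = Subnet("10.0.1.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}, [WEB, WEB_NO_PUBLIC])
PRIVATE_NAT_SUBNET = Subnet("10.0.2.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"}, [APP])
ISOLATED_SUBNET = Subnet("10.0.3.0/24", {"10.0.0.0/16": "local"}, [DB])   # IGW attached, but no default route

VPC = Vpc("10.0.0.0/16", [PUBLIC_SUBNET, PRIVATE_NAT_SUBNET, ISOLATED_SUBNET],
          internet_gateway_attached=True, nat_gateway_present=True)


def reachability_report(vpc: Vpc) -> Dict[str, Dict[str, bool]]:
    """Summarise, per instance, what the routing and addressing configuration allows."""
    report: Dict[str, Dict[str, bool]] = {}
    for subnet in vpc.subnets:
        for inst in subnet.instances:
            report[inst.name] = {
                "public_subnet": is_public_subnet(vpc, subnet),
                "inbound_from_internet": inbound_from_internet(vpc, subnet, inst),
                "outbound_to_internet": outbound_to_internet(vpc, subnet, inst),
            }
    return report


if __name__ == "__main__":
    for name, flags in reachability_report(VPC).items():
        print(name, flags)
```

Note that web-02 sits in the public subnet yet is unreachable in either direction: without a public IP there is nothing for the Internet gateway to translate.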
Direct Connect/Colocation
Colocation within a datacenter offers a higher bandwidth solution by providing
a direct connect or private link. The customer establishes infrastructure within a
datacenter supported by the cloud provider or provisions a direct connect link
from their enterprise network to the datacenter, possibly using private connections
configured within a service provider’s network. The datacenter installs a
cross-connect cable or VLAN between the customer and the cloud provider, establishing a
low-latency, high-bandwidth secure link. This solution is preferred for organizations
that have a more centralized operation, where the connection to the cloud can
be made from the main HQ and the company’s own enterprise network is used to give
branch locations access.
Transit Gateways
Connectivity can also be configured between VPCs in the same account or with VPCs
belonging to different accounts, and between VPCs and on-premises networks.
Configuring additional VPCs rather than subnets within a VPC allows for a greater
degree of segmentation between instances. A complex network might split
segments between different VPCs across different cloud accounts for performance
or compliance reasons.
Traditionally, VPCs can be interconnected using peering relationships and
connected with on-premises networks using VPN gateways. These one-to-one VPC
peering relationships can quickly become difficult to manage, especially if each VPC
must interconnect in a mesh-like structure. A transit gateway is a simpler means of
managing these interconnections. Essentially, a transit gateway is a virtual router
that handles routing between the subnets in each attached VPC and any attached
VPN gateways (aws.amazon.com/transit-gateway).
Amazon’s white paper sets out options for configuring multi-VPC infrastructure in more
detail (d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf).
Filtering decisions can be made based on packet headers and payload contents at
various layers, identified in terms of the OSI model:
• Network layer (layer 3)—The firewall accepts or denies connections on the
basis of IP addresses or address ranges and TCP/UDP port numbers (the latter
are actually contained in layer 4 headers, but this functionality is still always
described as basic layer 3 packet filtering).
• Transport layer (layer 4)—The firewall can store connection states and use
rules to allow established or related traffic. Because the firewall must maintain
a state table of existing connections, this requires more processing power (CPU
and memory).
• Application layer (layer 7)—The firewall can parse application protocol headers
and payloads (such as HTTP packets) and make filtering decisions based on their
contents. This requires even greater processing capacity (or load balancing), or
the firewall will become a bottleneck and increase network latency.
• As a service at the virtualization layer to filter traffic between VPC subnets and
instances. This equates to the concept of an on-premises network firewall.
Adding a custom security group when launching a new instance in AWS EC2.
This policy allows SSH access from a single IP address (redacted) and access to HTTPS
from any IP address. (Screenshot courtesy of Amazon.com.)
Most cloud providers support similar filtering functionality, though it may be
implemented differently. For example, in Azure, network security groups can be
applied to network interfaces or to subnets (docs.microsoft.com/en-us/azure/virtual-network/security-overview).
In Oracle Cloud Infrastructure (OCI), a security list is a set of rules that applies
to an entire subnet. An OCI security group is similar to the AWS concept, as it can
be applied to selected network interfaces (docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm#comparison).
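As an added example (not from this guide or any cloud provider), the Python below models the layer 3/4 filtering and state tracking described above, using the same policy as the security group in the screenshot: SSH from a single admin address and HTTPS from anywhere. The rule and packet formats, the admin address (203.0.113.10, standing in for the redacted one), and the sample packets are constructed.

```python
"""Stateful security-group style filtering at layer 3/4 (constructed model, not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str                       # "tcp" or "udp"
    port: int                        # destination port on the instance
    source: ipaddress.IPv4Network    # allowed source addresses (CIDR)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FlowKey = Tuple[str, str, int, str, int]


class SecurityGroup:
    """Inbound rules are matched on layer 3 (source address) and layer 4 (protocol,
    port). A state table makes the group stateful: once a flow is admitted, its
    later packets and the instance's replies need no further rule match."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[FlowKey] = set()   # tracked connections as (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _rule_match(self, p: Packet) -> bool:
        src = ipaddress.ip_address(p.src_ip)
        return any(r.proto == p.proto and r.port == p.dst_port and src in r.source
                   for r in self.rules)

    def check_inbound(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.flows:
            return "allow-established"
        if self._rule_match(p):
            self.flows.add(key)            # new connection admitted; start tracking it
            return "allow-new"
        return "deny"                      # no rule and no state: implicit deny

    def check_outbound(self, p: Packet) -> str:
        """Replies to tracked inbound flows pass on state alone. This model has no
        outbound rules, so anything else is denied (AWS's default is to allow all outbound)."""
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "allow-reply" if reverse in self.flows else "deny"


ADMIN_WORKSTATION = "203.0.113.10"     # constructed stand-in for the redacted admin address
INSTANCE_IP = "10.0.1.10"

RULES = [
    Rule("tcp", 22, ipaddress.ip_network(ADMIN_WORKSTATION + "/32")),   # SSH from one host only
    Rule("tcp", 443, ipaddress.ip_network("0.0.0.0/0")),                # HTTPS from anywhere
]


def run_sample() -> List[str]:
    """Feed constructed packets through the policy and return each decision in order."""
    sg = SecurityGroup(RULES)
    pkts = [
        Packet("tcp", ADMIN_WORKSTATION, 51000, INSTANCE_IP, 22),   # SSH from the admin host
        Packet("tcp", "198.51.100.7", 51001, INSTANCE_IP, 22),       # SSH from elsewhere
        Packet("tcp", "198.51.100.7", 51002, INSTANCE_IP, 443),      # HTTPS from anywhere
        Packet("tcp", "198.51.100.7", 51003, INSTANCE_IP, 80),       # plain HTTP: no rule
        Packet("udp", ADMIN_WORKSTATION, 51004, INSTANCE_IP, 22),    # right address and port, wrong protocol
    ]
    decisions = [sg.check_inbound(p) for p in pkts]
    # The instance's reply on the admitted HTTPS flow, then a further client packet on it.
    reply = Packet("tcp", INSTANCE_IP, 443, "198.51.100.7", 51002)
    decisions.append(sg.check_outbound(reply))
    decisions.append(sg.check_inbound(pkts[2]))
    return decisions


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```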
Lesson 14.4
Modern Network Environments
• What is the function of an overlay network, and what is the role of VXLAN in
implementing it?
• What is Secure Access Service Edge, and how does it relate to Security Service
Edge and zero trust architecture?
Infrastructure as Code
The use of cloud technologies encourages the use of scripted approaches to
provisioning, rather than installing operating systems and apps and making
configuration changes or installing patches manually. An approach to infrastructure
management where automation and orchestration fully replace manual
configuration is referred to as infrastructure as code (IaC).
One of the goals of IaC is to eliminate snowflake systems. A snowflake is a
configuration or build that is different from any other. The lack of consistency—or
drift—in the platform environment leads to security issues, such as patches that
have not been installed, and stability issues, such as scripts that fail to run because
of some small configuration difference.
IaC is often deployed to provision immutable architecture. Immutable architecture
means that instances are never updated in place. If a change or update is required, a
new instance is deployed to replace the old one. By rejecting manual configuration
and ad hoc patching, IaC ensures idempotence. Idempotence means that making
the same call with the same parameters will always produce the same result.
Note that IaC is not simply a matter of using scripts to perform repetitive tasks. Running
scripts that have been written ad hoc is just as likely to cause environment drift as
manual configuration. IaC means using carefully developed and tested scripts and
orchestration playbooks to generate consistent builds.
• Declarative tools take the desired configuration as input and leave the detail of
how that configuration should be achieved to the implementation platform.
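The following Python is an added example (not code from this guide or from any IaC product) of the declarative, idempotent behaviour described above: the desired state is the input, a plan is computed from the difference to the observed state, and applying the same declaration twice produces no further changes. It also shows why immutable replacement removes a snowflake more completely than in-place convergence. Host names and settings are constructed.

```python
"""Declarative, idempotent reconciliation of desired vs. actual state (constructed example)."""
import copy
from typing import Dict, List, Tuple

State = Dict[str, Dict[str, str]]        # instance name -> configuration settings
Step = Tuple[str, str, Dict[str, str]]   # (action, instance, settings involved)

# Declared configuration: the input a declarative tool takes. Both web hosts
# are meant to be identical builds.
DESIRED: State = {
    "web-01": {"os": "ubuntu-22.04", "patch_level": "2024-10", "sshd.PermitRootLogin": "no"},
    "web-02": {"os": "ubuntu-22.04", "patch_level": "2024-10", "sshd.PermitRootLogin": "no"},
}

# Observed state: web-02 is a snowflake. It missed a patch cycle, had root login
# re-enabled by hand, and carries a cron job nobody declared. web-old was never
# declared at all (sprawl).
ACTUAL: State = {
    "web-01": {"os": "ubuntu-22.04", "patch_level": "2024-10", "sshd.PermitRootLogin": "no"},
    "web-02": {"os": "ubuntu-22.04", "patch_level": "2024-08", "sshd.PermitRootLogin": "yes",
               "cron.legacy_report": "enabled"},
    "web-old": {"os": "ubuntu-18.04", "patch_level": "2022-01", "sshd.PermitRootLogin": "yes"},
}


def plan(desired: State, actual: State) -> List[Step]:
    """Work out what must change. Declared settings that already match produce
    no step, which is what makes repeated applies idempotent."""
    steps: List[Step] = []
    for name, spec in desired.items():
        if name not in actual:
            steps.append(("create", name, dict(spec)))
            continue
        drift = {k: v for k, v in spec.items() if actual[name].get(k) != v}
        if drift:
            steps.append(("converge", name, drift))
    for name in sorted(actual.keys() - desired.keys()):
        steps.append(("destroy", name, {}))
    return steps


def apply(desired: State, actual: State, immutable: bool) -> State:
    """Execute the plan. immutable=True replaces a drifted instance with a fresh
    build from the declaration instead of patching it in place."""
    new_state = copy.deepcopy(actual)
    for action, name, settings in plan(desired, new_state):
        if action == "create":
            new_state[name] = dict(settings)
        elif action == "converge":
            if immutable:
                new_state[name] = dict(desired[name])   # redeploy: undeclared leftovers vanish
            else:
                new_state[name].update(settings)        # in-place patch: leftovers survive
        elif action == "destroy":
            del new_state[name]
    return new_state


def undeclared_settings(desired: State, actual: State) -> Dict[str, List[str]]:
    """Drift that plan() cannot see: settings present on a host but absent from its
    declaration. Only a rebuild (or a separate audit) gets rid of these."""
    result: Dict[str, List[str]] = {}
    for name in desired:
        if name in actual:
            extra = sorted(set(actual[name]) - set(desired[name]))
            if extra:
                result[name] = extra
    return result


if __name__ == "__main__":
    for step in plan(DESIRED, ACTUAL):
        print(step)
    print("in-place leftovers:", undeclared_settings(DESIRED, apply(DESIRED, ACTUAL, immutable=False)))
    print("immutable leftovers:", undeclared_settings(DESIRED, apply(DESIRED, ACTUAL, immutable=True)))
```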
Orchestration
Where automation focuses on making a single, discrete task easily repeatable,
orchestration performs a sequence of automated tasks. For example, you might
orchestrate adding a new VM to a load-balanced cluster. This end-to-end process
might include provisioning the VM, configuring it with an app and network settings,
adding the new VM to the load-balanced cluster, and reconfiguring the load-balancing
weight distribution given the new cluster configuration. In doing this, the
orchestrated steps would have to run numerous automated scripts or API service
calls.
For orchestration to work properly, automated steps must occur in the right
sequence, taking dependencies into account; it must provide the right security
credentials at every step along the way; and it must have the rights and permissions
to perform the defined tasks. Orchestration can automate processes that are
complex, requiring dozens or hundreds of manual steps.
Automation and orchestration platforms connect to and provide administration,
management, and orchestration for many popular cloud platforms and services.
One of the advantages of using a third-party orchestration platform is protection
from vendor lock-in. If you wish to migrate from one cloud provider to another,
or wish to move to a multicloud environment, automated workflows can often be
adapted for use on new platforms. Industry leaders in this space include Chef (chef.io),
Puppet (puppet.com), Ansible (ansible.com), and Kubernetes (kubernetes.io).
Upgrades
An upgrade is a move from an old OS or software version to a newer one. While an
upgrade might have benefits for usability, performance, and security, the upgrade
process can be highly complex. The changes introduced by an upgrade can have
unforeseen impacts. An upgrade project must be treated as a major change
and should be supported by test and rollback plans. The project must identify
dependencies between systems and how they will be impacted by the upgrade.
Automation can assist with this by speeding up deployment of systems into a test
network, and performing scripted test suites to check for known or anticipated
compatibility issues. It can also be used to deploy the upgraded systems on the
production network.
Dynamic Inventories
Instances of VMs and containers launched into a cloud environment need to be
tracked as inventory just like switches, routers, and servers in an on-premises
network. Additional complexity comes from the fact that cloud instances are
ephemeral. Rather than fixed asset IDs, they need to be identified by tags. Tags
can be assigned in the cloud management system when the instance is launched.
It is imperative to devise and enforce a tagging system that properly identifies
ownership and roles for all instances.
As with on-premises virtualization, it is important to manage instances to
avoid sprawl. Sprawl is where undocumented instances are launched and left
unmanaged. As well as restricting rights to launch instances, you should configure
logging and monitoring to track usage. This process is supported by dynamic
inventory features of automation suites. A dynamic inventory queries the cloud API
to return a list of instances and their properties for storage in a database.
Reusable Tasks
In any coding environment, it is helpful to minimize the number of lines of code or
the number of scripts. The more code there is to manage, the more likely it is to
develop bugs and vulnerabilities. A reusable task or module is a block of code that
can perform a function in multiple different contexts. For example, given different
inputs, the same block of code could launch a Windows VM into subnet A and
a Linux VM into subnet B. Writing separate scripts for these tasks would be less
scalable and more likely to lead to inconsistencies. Rather than separate scripts, you
develop function libraries that can be reused for multiple tasks.
Source Control
Source control is the overall process of managing code for a software development
project. When using infrastructure as code, it is important to use the correct version
of a script to perform a task. Tasks performed by different versions can lead to
configuration drift and noncompliance. Also, software development is typically a
collaborative process, and there needs to be procedures and tools to allow multiple
developers to work on the same project.
Version Control
Within the overall process of source control, version control is an ID system for
each iteration of a software product or automation script. Most version control
numbers represent both the version, as made known to the customer or end user,
and internal build numbers for use in the development process. Version control
supports the change management process for software development projects.
Central Repository
Software development environments use a repository server to maintain source
code. One example is the Global Information Tracker, commonly known as Git
(git-scm.com). When a developer commits new or changed code to the repository,
the new source code is tagged with an updated version number and the old version
archived. This allows changes to be rolled back if a problem is discovered.
Branching
As scripts are developed and updated, there will be times when new features or
changed functionality needs to be created and tested. To facilitate this, changes
can be made in a branch copy of source code stored separately to the main or
production version. When the branch code is ready, the developer issues a pull
request, and it is tested and validated for merging back into the main branch.
Conflict Identification
Even with a branching strategy, there can still be instances where two (or more)
competing changes to code need to be integrated back into the main branch.
Conflict identification highlights these clashes and provides developers with tools to
resolve them.
Software-Defined Networking
Cloud services require the rapid provisioning and deprovisioning of server instances
and networks using automation and orchestration, plus the use of overlay networks
to establish logical point-to-point links quickly and reliably. This means that these
components must be fully accessible to scripting—representing the ideal of
infrastructure as code. Software-defined networking (SDN) is a model for how
these processes can be used to provision and deprovision networks. Some of the
properties of SDN are the following:
• Central policy management—There is a single “source of truth” for how the
network should operate. These business and security rules are automatically
converted into device configuration states. There is central policy management
but distributed policy enforcement. Also, status reporting ensures that “single
pane of glass” monitoring and oversight is available to administrators.
SDN Architecture
In the SDN model defined by IETF (datatracker.ietf.org/doc/html/rfc7426), network
functions are divided into three layers. The top and bottom layers are application
and infrastructure:
• Application layer—Applies the business logic to make decisions about how
traffic should be prioritized and secured and where it should be switched. This
layer defines policies such as segmentation, ACLs, and traffic prioritization.
The principal innovation of SDN is to insert a control layer between the Application
and Infrastructure layers. The functions of the control plane are implemented
by a virtual device called the SDN controller. Each layer exposes an application
programming interface (API) that can be automated by scripts that call functions
in the layer above or below. The interface between SDN applications and the SDN
controller is described as the service interface or as the “northbound” API, while
that between the SDN controller and infrastructure devices is the “southbound” API.
Management Plane
In IETF’s SDN model, there are separate forwarding (data) and operational planes
at the infrastructure level. The operational plane implements device state, such
as CPU and memory utilization. A management plane sits at the same level as the
control plane to interface with the operational plane. This is used to implement
monitoring of traffic conditions and network status.
Overlay Networks
An overlay network is used to implement logical links between nodes or networks.
The overlay network abstracts the complexity of the underlying physical topology.
A virtual private network (VPN) is an example of an overlay network. Other types
of overlay network use encapsulation protocols and software-defined networking
(SDN) to create a logical tunnel between nodes or networks that might be located in
different physical topologies. An overlay network also allows for the segmentation
of the same physical network. For example, a cloud provider can use an overlay
network to isolate each tenant’s traffic from other tenants.
When used inside the datacenter, overlay networks are typically implemented using
virtual extensible LANs (VXLANs).
VXLAN overlay network with VNI 101 allows the VMs with IP addresses 172..1 and ..2 to establish
layer 2 adjacency, even though they are located on different hypervisors in physically separate
racks. The hypervisors are configured with VTEP IDs and IP addresses. The VXLAN header allows
the encapsulated packet from .1 to .2 to be tunneled through the underlying IP network, which
uses a different 10. addressing scheme. (Image © 123RF.com.)
Traditional VLANs use a 12-bit field that allows for 4096 values, some of which are
reserved. The 24-bit VXLAN format allows for millions of IDs.
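As an added example (not from this guide), the Python below builds and parses the VXLAN header that carries the 24-bit VNI, wraps a constructed inner Ethernet frame the way a VTEP would before handing it to UDP port 4789, and contrasts the VXLAN and VLAN identifier spaces. The header layout follows RFC 7348; the MAC addresses and inner frame contents are constructed.

```python
"""VXLAN encapsulation header (RFC 7348) built and parsed by hand (constructed example)."""
import struct
import zlib
from typing import Tuple

VXLAN_UDP_PORT = 4789              # IANA-assigned destination port used between VTEPs
VXLAN_FLAG_VNI_VALID = 0x08        # the "I" flag: the VNI field is valid
VNI_BITS, VLAN_ID_BITS = 24, 12
VNI_MAX = (1 << VNI_BITS) - 1      # 16,777,215
VLAN_ID_MAX = (1 << VLAN_ID_BITS) - 1   # 4,095 (IDs 0 and 4095 are reserved)
ETH_HEADER_LEN = 14                # dst MAC (6) + src MAC (6) + EtherType (2)


def build_vxlan_header(vni: int) -> bytes:
    """8 bytes in network order: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} outside the 24-bit range 0..{VNI_MAX}")
    # The VNI occupies the upper 24 bits of the final 32-bit word, hence the shift.
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI; reject a truncated header or one whose I flag is clear."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, tail = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    return tail >> 8


def encapsulate(inner_frame: bytes, vni: int) -> Tuple[int, bytes]:
    """What the sending VTEP places inside the outer UDP datagram: VXLAN header
    plus the whole inner Ethernet frame. Returns (outer UDP source port, payload).
    The source port is derived from a hash of the inner headers so the underlay
    can spread tunnelled flows across equal-cost paths, as RFC 7348 recommends."""
    if len(inner_frame) < ETH_HEADER_LEN:
        raise ValueError("inner frame shorter than an Ethernet header")
    src_port = 49152 + (zlib.crc32(inner_frame[:ETH_HEADER_LEN]) % 16384)   # ephemeral range
    return src_port, build_vxlan_header(vni) + inner_frame


def decapsulate(udp_payload: bytes) -> Tuple[int, bytes]:
    """Receiving VTEP: strip the header and hand the inner frame to the VNI's segment."""
    return parse_vxlan_header(udp_payload), udp_payload[8:]


def id_space() -> Tuple[int, int]:
    """Number of identifier values each scheme can express: VLAN 4096, VXLAN 16,777,216."""
    return VLAN_ID_MAX + 1, VNI_MAX + 1


# Constructed inner frame: VM .1 -> VM .2 on VNI 101, as in the figure above.
VM1_MAC = bytes.fromhex("02aa00000001")   # locally administered, constructed
VM2_MAC = bytes.fromhex("02aa00000002")
INNER_FRAME = VM2_MAC + VM1_MAC + b"\x08\x00" + b"constructed-ipv4-payload"

if __name__ == "__main__":
    port, payload = encapsulate(INNER_FRAME, 101)
    print("outer UDP", port, "->", VXLAN_UDP_PORT, "header", payload[:8].hex())
    print("decapsulated VNI", decapsulate(payload)[0], "id spaces", id_space())
```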
Datacenter Interconnect
An overlay network could also span two geographically separate locations, such as
connecting instances or logical networks hosted in two different datacenters. Data
Center Interconnect (DCI) refers to ways of creating links between datacenters
and hosts/networks in different datacenters.
Datacenter services typically use cluster technologies and other applications that
depend upon layer 2 adjacency. This means that the clustered servers or VMs must
be part of the same broadcast domain and subnet, even if they are in different
datacenters. Simply “stretching” the layer 2 boundaries over physical fiber links
between datacenters with hosts in the different locations configured as part of
the same VLAN can generate complex broadcast and spanning tree issues. This
problem can be mitigated using VXLAN and Ethernet VPN (EVPN) to implement
datacenter interconnects. EVPN allows servers to discover adjacent MAC addresses
and forward data using an overlay network to tunnel traffic between them.
Software-Defined WAN
The hub and branch office design with on-premises datacenters has a number of
performance and reliability drawbacks. Shifting services to one or more dedicated
datacenters in the cloud mitigates some of these issues. Service availability and
integrity is separated from site accessibility considerations. In this model, access to
the datacenter from the corporate network, branch offices, and remote/teleworker
locations can be facilitated through a software-defined WAN (SD-WAN). SD-WAN
replaces hub-and-spoke-type designs with more efficient, but still secure,
connectivity to corporate clouds.
In a branch office topology, access to the datacenter or the cloud would be routed
and authorized via the hub office. An SD-WAN is a type of overlay network that
provisions a corporate WAN across multiple locations and can facilitate secure
access to the cloud directly from a branch office or other remote location. It uses
automation and orchestration to provision links dynamically based on application
requirements and network congestion, using IPSec to ensure that traffic is tunneled
through the underlying transport networks securely. An SD-WAN solution should
also apply microsegmentation and zero trust security policies to ensure that all
requests and responses are authenticated and authorized.
• Threat scope reduction and least privilege access means that access to
network resources is granted on a need-to-know basis, and access is limited
to only those resources required to complete a specific task. These concepts
reduce the network’s attack surface and limit the damage that a successful
attack can cause.
In a zero trust architecture, the control and data planes are implemented separately
and have different functions.
The control plane manages policies that dictate how users and devices are
authorized to access network resources. It is implemented through a centralized
policy decision point. The policy decision point is responsible for defining policies
that limit access to resources on a least privilege basis, monitoring network
activity for suspicious behavior, and updating policies to reflect changing network
conditions and security threats. The policy decision point comprises two
subsystems:
• The policy engine is configured with subject and host identities and credentials,
access control policies, up-to-date threat intelligence, behavioral analytics,
and other results of host and network security scanning and monitoring. This
comprehensive state data allows it to define an algorithm and metrics for
making dynamic authentication and authorization decisions on a per-request
basis.
Where systems in the control plane define policies and make decisions, systems
in the data plane establish sessions for secure information transfers. In the data
plane, a subject (user or service) uses a system (such as a client host PC, laptop,
or smartphone) to make requests for a given resource. A resource is typically an
enterprise app running on a server or cloud. Each request is mediated by a policy
enforcement point. The enforcement point might be implemented as a software
agent running on the client host that communicates with an app gateway. The
policy enforcement point interfaces with the policy administrator to set up a secure
data pathway if access is approved, or tear down a session if access is denied or
revoked.
The processes implementing the policy enforcement point are the only ones permitted to
interface with the policy administrator. It is critical to establish a root of trust for these
processes so that policy decisions cannot be tampered with.
The data pathway established between the policy enforcement point and the
resource is referred to as an implicit trust zone. For example, the outcome of a
successful access request might be an IPSec tunnel established between a digitally
signed agent process running on the client, a trusted web application gateway, and
the resource server. Because the data is protected by IPSec transport encryption,
no tampering by anyone with access to the underlying network infrastructure
(switches, access points, routers, and firewalls) is possible.
The goal of zero trust design is to make this implicit trust zone as small as
possible, and as transient as possible. Trusted sessions might only be established
for individual transactions. This granular or microsegmented approach is in
contrast with perimeter-based models, where trust is assumed once a user has
authenticated and joined the network. In zero trust, place in the network is not a
sufficient reason to trust a subject request. Similarly, even if a user is nominally
authenticated, behavioral analytics might cause a request to be blocked or a
session to be terminated.
• Reverse proxy—This is positioned at the cloud network edge and directs traffic
to cloud services if the contents of that traffic comply with policy. This does not
require configuration of the users’ devices. This approach is only possible if the
cloud application has proxy support.
Module 14
Summary
• Consider a spine and leaf topology with aggregation and top-of-rack switch
models to create a network fabric that best supports east-west traffic flows
and use of overlay networks.
• Identify virtualization and SAN products that can support the goals of
elasticity and scalability and benefit from SDN and network function
virtualization.
• When using a public cloud vendor, create a cloud responsibility matrix and
perform regular risk assessments and security audits.
• Develop a WAN access strategy that provisions secure and high-performing links
between corporate data networks, branch offices, remote teleworkers, and
on-/off-premises datacenters and clouds, making use of technologies such as SD-WAN.
Appendix A
Mapping Course Content to
CompTIA Certification
Glossary
802.11 standards: Specifications developed by IEEE for wireless networking over microwave radio transmission in the 2.4 GHz, 5 GHz, and 6 GHz frequency bands. The Wi-Fi standards brand has six main iterations: a, b, g, Wi-Fi 4 (n), Wi-Fi 5 (ac), and Wi-Fi 6 (ax). These specify different modulation techniques, supported distances, and data rates, plus special features, such as channel bonding, MIMO, and MU-MIMO.

802.11h: Amendment to Wi-Fi standards that defines a Dynamic Frequency Selection (DFS) mechanism to avoid interference with radar and cellular communications in the 5 GHz frequency band.

802.1p: IEEE standard defining a 3-bit (0 to 7) class of service priority field within the 802.1Q format.

802.1Q: Trunking protocols enable switches to exchange data about VLAN configurations. The 802.1Q protocol is often used to tag frames destined for different VLANs across trunk links.

802.1X: A standard for encapsulating EAP communications over a LAN (EAPoL) or WLAN (EAPoW) to implement port-based authentication.

access control list (ACL): The collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).

access point (AP): A device that provides a connection between wireless devices and can connect to wired networks, implementing an infrastructure mode WLAN.

access/edge layer: Lowest tier in a hierarchical network topology acting as the attachment point for end systems.

active-active: High availability cluster configuration where all nodes are utilized continually.

active-passive: High availability cluster configuration where one or more nodes are only utilized during failover.

ad hoc network: A type of wireless network where connected devices communicate directly with each other instead of over an established medium.

Address Resolution Protocol (ARP): Broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.

addressing (network): Unique identifier for a network node, such as a MAC address, IPv4 address, or IPv6 address.

adjacent channel interference (ACI): Troubleshooting issue where access points within range of one another are configured to use different but overlapping channels, causing increased noise.

administrative distance (AD): Metric determining the trustworthiness of routes derived from different routing protocols.

administratively down: Switch or router port that has been purposefully disabled via the management interface.

advanced persistent threat (APT): Threat actors with the ability to craft novel exploits and techniques to obtain, maintain, and diversify unauthorized access to network systems over a long period.

angled physical contact (APC): Fiber optic connector finishing type that uses an angled polish for the ferrule.

antenna type: Specially arranged metal wires that can send and receive radio signals, typically implemented as either an omnidirectional or a unidirectional type.

anycast: IP delivery mechanism whereby a packet is addressed to a single host from a group sharing the same address.
end of life (EOL): Product life cycle phase where mainstream vendor support is no longer available.

end of service life (EOSL): Product life cycle phase where support is no longer available from the vendor.

Enhanced Interior Gateway Routing Protocol (EIGRP): Advanced distance vector dynamic routing protocol using bandwidth and delay metrics to establish optimum forwarding paths.

enterprise authentication: A wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.

enumeration: An attack that aims to list resources on the network, host, or system as a whole to identify potential targets for further attack.

escalation: In the context of support procedures, incident response, and breach-reporting, escalation is the process of involving expert and senior staff to assist in problem management.

Ethernet: Standards developed as the IEEE 802.3 series describing media types, access methods, data rates, and distance limitations at OSI layers 1 and 2 using xBASE-y designations.

Ethernet header: Fields in a frame used to identify source and destination MAC addresses, protocol type, and error detection.

Ethernet virtual private network (EVPN): Using Border Gateway Protocol (BGP) to advertise virtual extensible LAN (VXLAN) networks as routes.

evil twin: A wireless access point that deceives users into believing that it is a legitimate network access point.

explicit deny: Firewall ACL rule configured manually to block any traffic not matched by previous rules.

exploit: A specific method by which malware code infects a target host, often via some vulnerability in a software process.

Extended Service Set ID (ESSID): Network name configured on multiple access points to form an extended service area.

extended unique identifier (EUI): IEEE’s preferred term for a network interface’s unique identifier. An EUI-48 corresponds to a MAC address while an EUI-64 is one that uses a 64-bit address space.

Extensible Authentication Protocol (EAP): Framework for negotiating authentication methods that enable systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication and to establish secure tunnels through which to submit credentials.

fiber distribution panel: Type of distribution frame with pre-wired connectors used with fiber optic cabling.

fiber optic cable: Network cable type that uses light signals as the basis for data transmission. Infrared light pulses are transmitted down the glass core of the fiber. The cladding that surrounds this core reflects light back to ensure transmission efficiency. At the receiving end of the cable, light-sensitive diodes re-convert the light pulse into an electrical signal. Fiber optic cable is immune to eavesdropping and EMI, has low attenuation, supports rates of 10 Gb/s+, and is light and compact.

Fibre Channel (FC): High-speed network communications protocol used to implement SANs.

File Transfer Protocol (FTP): Application protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES), and T(rivial)FTP. FTP utilizes ports 20 and 21.

firewall: Software or hardware device that protects a network segment or individual host by filtering packets to an access control list.

first hop redundancy protocol (FHRP): Provisioning failover routers to serve as the default gateway for a subnet.

fragmentation: Mechanism for splitting a layer 3 datagram between multiple frames to fit the maximum transmission unit (MTU) of the underlying Data Link network.
frame: Common term for the protocol data unit for layer 2.

frequency band: Portion of the microwave radio-frequency spectrum in which wireless products operate, such as the 2.4 GHz band or the 5 GHz band.

F-type connector: Screw down connector used with coaxial cable.

full tunnel: VPN configuration where all traffic is routed via the VPN gateway.

full-duplex: Network link that allows interfaces to send and receive simultaneously.

fully qualified domain name (FQDN): Unique label specified in a DNS hierarchy to identify a particular host within a subdomain within a top-level domain.

General Data Protection Regulation (GDPR): Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Shield requirements.

Generic Routing Encapsulation (GRE): Tunneling protocol allowing the transmission of encapsulated frames or packets from different types of network protocol over an IP network.

geofencing: Security control that can enforce a virtual boundary based on real-world geography.

giant: Ethernet frame that is larger than the receiving interface will accept.

Global Positioning System (GPS): A means of determining a receiver’s position on Earth based on information received from orbital satellites.

half-duplex: Network link where simultaneously sending and receiving is not possible.

hardening: A process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

hashing: A function that converts an arbitrary-length string input to a fixed-length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.

heat map: In a Wi-Fi site survey, a diagram showing signal strength and channel utilization at different locations.

heating, ventilation, air conditioning (HVAC): Control systems that maintain an optimum heating, cooling, and humidity level working environment for different parts of the building.

high availability (HA): A metric that defines how closely systems approach the goal of providing data availability 100% of the time while maintaining a high level of system performance.

honeypot: A host (honeypot), network (honeynet), file (honeyfile), or credential/token (honeytoken) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

hop: One link in the path from a host to a router or from router to router. Each time a packet passes through a router, its hop count (or TTL) is decreased by one.

host name: Label applied to a host computer that is unique on the local network.

hosts (file): List of static name to IP address mappings maintained on a host computer that will typically take precedence over name resolution queries.

hot site: A fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.

HTML5 VPN: Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

hub: Layer 1 (Physical) network device used to implement a star network topology on legacy Ethernet networks, working as a multiport repeater.
network interface card (NIC): Adapter card that provides one or more Ethernet ports for connecting hosts to a network so that they can exchange data over a link.

Network layer: OSI model layer responsible for logical network addressing and forwarding.

network loop: Troubleshooting issue where layer 2 frames are forwarded between switches or bridges in an endless loop.

network mask: Number of bits applied to an IP address to mask the network ID portion from the host/interface ID portion. This can be expressed as a bit prefix in slash notation or as a dotted decimal subnet mask.

network security group: Rules that filter communication between cloud networks and from cloud networks to the Internet.

network security list: In Oracle Cloud Infrastructure, traffic filtering rules that apply to a subnet, rather than just network interfaces.

network separation: Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls or VPNs or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.

Network Time Protocol (NTP): Application protocol allowing machines to synchronize to the same time clock that runs over UDP port 123.

Network Time Security (NTS): Method of securing NTP queries and responses using Transport Layer Security (TLS). NTS typically uses TCP port 3443.

NIC teaming: Two or more NICs aggregated into a single channel link for fault tolerance and increased throughput. Also known as NIC bonding.

Nmap: An IP and port scanner used for topology, host, service, and OS discovery and enumeration.

nondisclosure agreement (NDA): An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

north-south traffic: Network data flows that go into and out of an organization’s network or datacenter.

nslookup command: Cross-platform command tool for querying DNS resource records.

on-path attack: An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.

open authentication: Wireless network authentication mode where guest (unauthenticated) access is permitted.

Open Shortest Path First (OSPF): Dynamic routing protocol that uses a link state algorithm and a hierarchical topology.

Open Systems Interconnection reference model (OSI): Assigns network and hardware components and functions at seven discrete layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

operational technology (OT): A communications network designed to implement an industrial control system rather than data networking.

optical link budget: Assessment of allowable signal loss over a fiber optic link.

optical multimode (OM): Classification system for multimode fiber designating core size and modal bandwidth.

option (DHCP): DHCP configuration that assigns additional parameters, such as DNS server addresses. In DHCPv4, an option is used to identify the default gateway address.

orchestration: Automation of multiple coordinated steps in a deployment process.

out of band management (OOB): Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.
port scanner: Utility that can probe a host to enumerate the status of TCP and UDP ports.

port security: Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

port state: In Spanning Tree Protocol (STP), topology changes cause ports to transition through different states (blocking, listening, learning, forwarding, and disabled).

port tagging: On a switch with VLANs configured, a port with an end station host connected operates in untagged mode (access port). A tagged port will normally be part of a trunk link.

port-side exhaust/intake: Feature of switches that allows fans to switch between expelling hot air and drawing in cool air from the side with ports.

posture assessment: Audit process and tools for verifying compliance with a compliance framework or configuration baseline.

power budget: When configuring Power over Ethernet, the maximum amount of power available across all switchports.

power distribution unit (PDU): An advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.

Power over Ethernet (PoE): Specification allowing power to be supplied via switch ports and ordinary data cabling to devices such as VoIP handsets and wireless access points. Devices can draw up to about 13 W (or 25 W for PoE+).

Precision Time Protocol (PTP): Provides clock synchronization to network devices to a higher degree of accuracy than Network Time Protocol (NTP).

Presentation layer: OSI model layer that transforms data between the formats used by the network and applications.

pre-shared key (PSK): A wireless network authentication mode where a passphrase-based mechanism is used to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

private branch exchange (PBX): Routes incoming calls to direct dial numbers and provides facilities such as voice mail, Automatic Call Distribution (ACD), and interactive voice response (IVR). A PBX can also be implemented as software (virtual PBX). An IP-based PBX or hybrid PBX allows use of VoIP.

private cloud: A cloud that is deployed for use by a single entity.

private key: In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with whom the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

production configuration: Configuration settings used when an appliance, instance, or app is booted or started.

protocol analyzer: Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis.

protocol data unit (PDU): Network packet encapsulating a data payload from an upper layer protocol with header fields used at the current layer.

proxy server: A server that mediates the communications between a client and another server. It can filter and often modify communications as well as provide caching services to improve performance.

public cloud: A cloud that is deployed for shared use by multiple independent tenants.

public key: During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

public key infrastructure (PKI): A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
syslog: Application protocol and event-logging format enabling different appliances and software applications to transmit logs or event records to a central server. Syslog works over UDP port 514 by default.

T568A/T568B (T568A): Twisted-pair termination pinouts defined in the ANSI/TIA/EIA 568 Commercial Building Telecommunications Standards.

tabletop exercise: A discussion of simulated emergency situations and security incidents.

tailgating: Social engineering technique in which a person gains access to a building by following someone who is unaware of his or her presence.

TCP flag: Field in the header of a TCP segment designating the connection state, such as SYN, ACK, or FIN.

tcpdump command: A command line packet sniffing utility.

telnet: Application protocol supporting unsecure terminal emulation for remote host management. Telnet runs over TCP port 23.

Terminal Access Controller Access Control System Plus (TACACS+): AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

test access point (TAP): A hardware device inserted into a cable run to copy frames for analysis.

threat: A potential for an entity to exercise a vulnerability (that is, to breach security).

three-tier hierarchical model: Paradigm to simplify network design by separating switch and router functionality and placement into three tiers, each with a separate role, performance requirements, and physical topology.

throughput: Amount of data transfer supported by a link in typical conditions. This can be measured in various ways with different software applications. Goodput is typically used to refer to the actual “useful” data rate at the application layer (less overhead from headers and lost packets).

time to live (DNS) (TTL): Amount of time that the record returned by a DNS query should be cached before discarding it.

Time to Live (IP) (TTL): Counter field in the IP header recording the number of hops a packet can make before being dropped.

tone generator: Two-part tool used to identify one cable within a bundle by applying an audible signal.

top-of-rack switch (ToR): High-performance switch model designed to implement the leaf tier in a spine and leaf topology.

topology: Network specification that determines the network’s overall layout, signaling, and dataflow patterns.

traceroute/tracert command: Diagnostic utilities that trace the route taken by a packet as it “hops” to the destination host on a remote network. tracert is the Windows implementation, while traceroute runs on Linux.

traffic analysis: Processes and tools that facilitate reporting of network communication flows summarized by host or protocol type.

traffic shaper: Appliances and/or software that enable administrators to closely monitor network traffic and to manage that network traffic. The primary function of a traffic shaper is to optimize network media throughput to get the most from the available bandwidth.

transceiver: Component in a network interface that converts data to and from the media signalling type. Modular transceivers are designed to plug into switches and routers.

Transmission Control Protocol (TCP): Protocol in the TCP/IP suite operating at the Transport layer to provide connection-oriented, guaranteed delivery of packets.

Transport layer: OSI model layer responsible for ensuring reliable data delivery.

Transport Layer Security (TLS): Security protocol that uses certificates for authentication and encryption to protect web communications and other application protocols.
voice virtual local area network (VLAN): Feature of VoIP handsets and switches to segregate data and voice traffic while using a single network wall port to attach the handset and the computer.

VoIP phone: Handset or software client that implements a type of voice over Internet Protocol (VoIP) to allow a user to place and receive calls.

vulnerability: A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

vulnerability assessment: Evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.

warm site: An alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

wide area network (WAN): Network scope that spans a large geographical area, incorporating more than one site and often a mix of different media types and protocols plus the use of public telecommunications networks.

Wi-Fi analyzer: Device or software that can report characteristics of a WLAN, such as signal strength and channel utilization.

Wi-Fi Protected Access (WPA): Standards for authenticating and encrypting access to Wi-Fi networks.

wire map tester: Tool to verify termination/pinouts of cable.

wireless controller: Device that provides wireless LAN management for multiple APs.

wireless local area network (WLAN): Network scope and type that uses wireless radio communications based on some variant of the 802.11 (Wi-Fi) standard series.

wireless mesh network (WMN): Wireless network topology where all nodes, including client stations, are capable of providing forwarding and path discovery. This improves coverage and throughput compared to using just fixed access points and extenders.

Wireshark: A widely used protocol analyzer.

wiring diagram: Documentation of connector pinouts.

work recovery time (WRT): In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.

YAML Ain’t Markup Language (YAML): Language for configuration files and applications such as Netplan and Ansible.

zero trust architecture (ZTA): The security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

zero-day: A vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.

zone index: Parameter assigned by a host to distinguish ambiguous interface addresses within a link local scope.

zone transfer: Mechanism by which a secondary name server obtains a read-only copy of zone records from the primary server.
Index
Numbers
0000::/8 block, 146
2.4 GHz channel bandwidth, 381, 382–383
3CX, 251
4G cellular standard, 371
4G standard, 386
5 GHz channel bandwidth, 381–382
5G standard, 386
6to4 tunneling, 145
8-bit value, 22, 107, 140
8P8C connectors, 41
10BASE-T Ethernet, 35, 36–37
10-degree antenna, 394
10/forty Gigabit Ethernet (10 GbE), 37
10GBASE-CR, 44
10 Gigabit Ethernet (10 GbE), 37, 38
32-bit IPv4 addressing, 114
40GBASE-CR4, 44
/48s, 145
90-degree antenna, 394
100BASE-TX Fast Ethernet standards, 36–37
802.1D standard, 93
802.1p standard, G-1, 303
802.1Q, G-1
802.1Q standard, 186, 187, 188, 322
802.1Q VLAN, 303
802.1X standard, G-1, 352–353, 398
802.3af standard, 93
802.3at (PoE+) standard, 93, 101
802.3bt (PoE++) standard, 93, 101
802.3 standard, 35, 381
802.11 standards, G-1, 381
802.11a, 381–382, 383
802.11ac, 384
802.11ax, 384, 397
802.11b, 382–383
802.11g, 383
802.11h, G-1, 382
802.11k, 408
802.11n, 383–384
802.11r, 392, 408
802.11v, 408
802.11w, 402
1000BASE-T Ethernet, 37
1588 standard, 239

A
A/AAAA records, G-17, 223, 224, 249
AAA clients or authenticators, 341, 399
absorption, 407
AC5300, 384
access control, 332–333
    discretionary access control, 343
    identity and access management, 332–333
    Lightweight Directory Access Protocol, 345–346
    privileged access management, 344–345
    role-based access control, 343–344
access control list (ACL), G-1, 12, 173, 176–177
    authorization and role-based access control, 343
    configuration, security rules and, 355–357
    content filtering, 358–359
    firewalls, 173, 176–177, 356–357
    issues, 360
access denied issues, 360
access/edge layer, G-1, 181
access point (AP), G-1, 381, 388–389, 391–392, 393–394
access port, 187
accounting, IAM, 333
acknowledgment (ACK), 380
active-active clustering, G-1, 261
Active Directory, 339, 345
active FTP, 242–243
active-passive, G-1
active-passive clustering, 261
active TAP, 294
address autoconfiguration, IPv6, 212
addressing, defined, G-1, 8. see also IP addressing
address pool exhaustion, 217
address record (A or AAAA), 223, 224, 249
Address Resolution Protocol (ARP), G-1, G-19, 109
    tool, 135–136
address scheme design, IPv4, 126–127
ad hoc network, G-1, 395
adjacent channel interference (ACI), G-1, 406
adjacent layer interaction, 8
administrative distance (AD), G-1, 169–170
administratively down, G-1
Advanced Encryption Standard (AES), 397
advanced persistent threat (APT), G-1, 319
advanced volatile threat (AVT), 319
agents, SNMP, 283–284
agreements, 275
AIC triad. see confidentiality, integrity, and availability (CIA)
Aircrack, 402
Aireplay, 402
air-gapped network, G-14
Airodump, 402
alerting, 289–290
alerts versus notifications, 289
alien crosstalk, 69, 70
alternating current (AC) voltage, 62
Amazon DynamoDB, 247
Amazon Elastic Compute Cloud, 440, 441, 445
Amazon Web Services (AWS), 341, 444, 445, 447, 448
American National Standards Institute (ANSI), 40, 437
    speed tester, G-2, 302
base 10, 22
Base64, 328
baseband radio, 371
baseband signal (BASE), 35
baseline configuration, 30
baseline metrics, G-2, 281
basic service area (BSA), 391–392
Basic Service Set (BSS), 388
Basic Service Set Identifier (BSSID), G-2, 388–389, 393, 401
battery backups, 62
baud rate, 64
Bayonet Neill-Concelman (BNC) connector, G-2, 44
beacon frame, 393
beamwidth, 394
behavior aggregates, 303
behavioral authentication, 334
behavioral threat research, 316
bidirectional (BiDi) transceivers, 56
bidirectional wavelength division multiplexing (BWDM), G-2, 56
binary conversion, 114–115
binary value, 22, 107
    IPv4 addressing, 139, 145
    IPv6 addressing, 140
BIND DNS server, 22, 232
binding to the server, 346
biometric authentication, 334
biometric locks, 373–374
bit rate, G-2–G-3, 64
bits per second (bps), 34
block tool, 50
Bluetooth, 381, 390
Boolean operators, 294
Border Gateway Protocol (BGP), G-3, 112, 169, 455
botnet, G-3, 318
bottleneck, G-3, 298
boundary clock, 239
branching, 452
bridge, G-3, 11
bridge protocol data unit (BPDU), 91, 353
bridges, 82–83
    root bridge selection, 91–93
    Spanning Tree Protocol, 90–91
bring your own device (BYOD), G-3, 400
broadband cable modems, 44
broadband speed checkers, 302
broadcast, defined, G-3
broadcast, SSID, 393
broadcast addressing, 80, 81, 110, 121
broadcast domain, G-3, 80, 82, 83, 84
broadcast storm, G-3, 100–101, 282
brute force, password cracking, 329
brute force attack, G-3
bugfix, G-3, 270
building automation system (BAS), 370, 372
“bump in the wire” appliances, 355
burned-in addresses, 79–80
business continuity (BC), G-3
business continuity plan (BCP), 255
business impact analysis (BIA), G-3, 255, 310
BWPing, 301
byte, 22

C
Cable Access TV (CATV), 44, 415
cable attenuation, antenna, 405
cable category issues, 66–67
cable crimper, 50
cable-cutting blades, 49
cabled media, 10
cable Internet, 415–416
cable map, G-3, 272
Cable Modem Termination System (CMTS), 416
cable stripper, G-3, 49
cable tester, G-3, 67–68
cable troubleshooting, 64–71
    attenuation and interference issues, 69
    cable category issues, 66–67
    cable issues, 65–66
    cable testers, 67–68
    crosstalk issues, 70
    fiber optic cable testing tools, 70–71
    guidelines for, 72
    physical inspection, 71
    Power over Ethernet, 101
    reseat the cable, 71
    specification and limitations, 64–65
        attenuation, 65
        distance limitations, 65
        interference, 65
        speed versus throughput, 64–65
    strategies, 71
    tone generator, 69
    verify drivers, 71
    wire map testers, 68–69
cache-only servers, 226
caching, DNS, 226
cameras, 375
CAM table, G-12, 99. see also media access control (MAC) address table
canonical name (CNAME), G-17, 223, 224
canonical notation, G-3, 140
captive portal, G-3, 399–400
cardholder data environment (CDE), 312
card verification value (CVV), 312
carrier sense multiple access with collision avoidance (CSMA/CA), G-3, 380–381, 385, 406
carrier sense multiple access with collision detection (CSMA/CD), G-3–G-4, 35–36, 81
Category (“Cat”) standards, G-4, 66–67
    Cat 5e, 41, 66–67, 69
    Cat 6, 37, 41, 50, 67
    Cat 6A, 37, 41, 67
    Cat 7, 37, 41, 67
    Cat 8, 37, 41, 67
    Gigabit Ethernet standards, 37
    troubleshooting cable category issues, 66–67
    twisted pair cable, 35, 40–41
    untwisting, 50
Index
LICENSED FOR USE ONLY BY: EXEDIN NOT PROVIDED · 17274861 · OCT 15 2024
I-4 | Index
(config-if)# prompt, 87
configuration baseline, G-5, 266
configuration drift, G-5, 267
configuration file, 267
configuration item (CI), 266
configuration management, G-5, 266–267
configuration management system (CMS), 266
configuration monitoring, G-5, 282
conflict identification, 452
congestion, 282, 303
connectors, testing, 77
console connections, 429–430
console port, 159, 429
consumer-grade smart devices, 370, 372
content addressable memory (CAM), G-12, 99
content and reputation-based filtering, 359
content delivery network (CDN), G-5, 435, 442
content filtering, G-5, 358–359
contention, 303
continuity (open), 68
continuity of operations plan (COOP), 255
Control And Provisioning of Wireless Access Points (CAPWAP), 394
control plane, QoS, 304
Converged Enhanced Ethernet, 438
converged network adapters (CNAs), 438
convergence, G-5, 165
Coordinated Universal Time (UTC), 237
copper cable and connectors, 35, 39–44
   Cat cable standards, 35, 40–41
   coaxial and twinaxial cable and connectors, 35, 43–44
   plenum and riser-rated cable, 43
   shielded and screened twisted pair cable, 40
   twisted pair connector types, 41–42
   twisted pair copper cabling, 35
   unshielded twisted pair cable, 39–40
copy command, 87
core/distribution switch, 181
core layer, G-5, 182
CORPNET, 389
CouchDB, 247
Counter Mode, 397
course content, mapping. see exam objectives for Exam N10-009
CPUID’s HWMONITOR app, 61
crimper, G-5
crossed pair (TX/RX transposed), 68
crosstalk, G-5, 70
cryptographic hash, 335
cryptographic hash algorithm, 312
cryptographic protocols, updated, 397
cryptographic system, 312–313
Cumulus VX switch, 354
customer edge (CE), 171
   router, 414
customer premises equipment (CPE), 21, 415
cybersecurity audits, 310
cyclic redundancy check (CRC), G-5, 79, 99

D

dashboards, configurable, 291
data at rest, G-5, 312
database services, 246–247
datacenter, G-6, 4, 58
Data Center Ethernet, 438
data center interconnect (DCI), G-5, 455
datacenter network design, 434–435
datagrams, 12
datagram TLS (DTLS), 418
Datagram Transport Layer Security (DTLS), 236
data historian, 371
data in transit, G-5, 312
data in use, 312
Data Link layer (Layer 2), OSI, G-5, 10–11, 15, 17–18
   addressing and forwarding, 108
   cable troubleshooting, 64
   Cisco Discovery Protocol, 280
   Ethernet bridges, 82
   Ethernet frame format, 78
   functions, 17–18
   hardware failure issues, 95, 96
   infrastructure network type, 388
   interface error counters, 98
   IP forwarding issues, 150
   IPv4 address format, 113
   logical network diagrams, 273
   packet forwarding, 157
   Point-to-Point Protocol, 418
   SOHO routers, 17–18
   T-carrier system, 415
   wide area networks, 414
data locality, 311
Data Over Cable Service Interface Specification (DOCSIS), 416
data plane, QoS, 304
data remnant, G-5, 271
data service units (DSUs), 414
data sovereignty, G-5, 311
data switches, 181
data transport, VoIP, 252
deauthentication/disassociation attack, G-6, 402
decapsulation, 9
decentralized key management model, 339
deception technologies, 314
decibel loss (dB), G-6, 69, 78
decimal conversion, 114–115
decommissioning, G-6, 271–272
   data remnants, 271
   Instant Secure Erase, 272
   sanitization, 271
   Secure Erase, 271
dedicated server, 241
default gateway, G-6
   Address Resolution Protocol, 109
   IPv4 addressing, 119–122
Domain Name System Security Extensions (DNSSEC), G-7, 227–228
DORA process, 208
dotted decimal notation, G-7, 114
downgrading, 271
downlink MU-MIMO (DL MU-MIMO), 385
drift, 449
drop, 49, 98, 299
dry-pipe systems, 63
dual band adapter, 383
dual stack, G-7, 144
dumpster diving, G-7, 327–328
duplex fiber optic cable, 77
duplicate IP and MAC address issues, 149
DVD ROMs, 271
dynamic ARP inspection (DAI), 353
Dynamic Host Configuration Protocol (DHCP), G-7, 19, 121, 207–210
   DHCP snooping, 353
   exclusions, 210
   IP address management, 274
   ipconfig command, 133–134
   IP helper, 216
   lease time and available leases, 209–210
   network discovery, 276, 277
   options, 210
   process, 207–208
   relay, 215–216
   reservations, 210
   rogue DHCP attacks, 323–324
   server configuration, 208–209
   starvation attack, 324
   troubleshooting, 216–217
   Unique Identifier, 214
dynamic inventories, IaC, 451
dynamic link library (DLL), 319
Dynamic Rate Switching/Selection (DRS), 390
dynamic route, G-7
dynamic routing protocols, 164–170
   autonomous systems, 165
   Border Gateway Protocol, 169
   convergence, 165
   Enhanced IGRP, 167
   exam objectives for Exam N10-009, A-6
   Open Shortest Path First, 168–169
   route selection, 169–170
   Routing Information Protocol, 165–167
   topology and metrics, 164

E

EAP over Wireless (EAPoW), 398–399
east-west traffic, G-7, 435
eavesdropping, 236, 244, 400
edge layer, 181
edge routers, 171–172
effective isotropic radiated power (EIRP), G-7, 405–406
“egress” traffic, 177
Ekahau Site Survey, 392
elasticity, G-7, 439–440
electrical environment, monitoring, 61
electrician’s scissors (snips), 49
electromagnetic interference (EMI), G-7, 69, 407–408
Electronic Industries Alliance (EIA), 40, 58, 67
email services, 248–250
   Internet Message Access Protocol, 250
   Simple Mail Transfer Protocol, 248–249
Encapsulating Security Payload (ESP), G-7, 107, 419
encapsulation, G-7, 8–9
encryption, G-7, 312–313
   algorithm, 312
   end-to-end, 328
   wireless network attacks, 400–402
end of life (EOL), G-8, 270
End of Sale (EOS), 270
end of service life (EOSL), G-8, 270
end of support (EOS), 270
endpoint security, 347
end-to-end encryption, 328
end-to-end layer, 13, 15, 20
Enhanced IGRP, 167
Enhanced Interior Gateway Routing Protocol (EIGRP), G-8, 107
enhanced QSFP (QSFP+), 76
enhanced SFP (SFP+), 75–76
enterprise authentication, G-8, 398–399
enterprise LAN, 4
enterprise mobility management (EMM), 400
enterprise network management suites, 276
enterprise network topologies, 179–181
   hybrid topology, 179–180
   three-tiered hierarchy, 180–182
enterprise risk management (ERM), 309
enterprise wireless network design, 388–395
   ad hoc topology, 395
   antenna types, 394–395
   heat map, 392
   infrastructure network type, 388–390
   mesh topology, 395
   point to point link, 395
   range and signal strength, 390–391
   wireless controllers, 393–394
   wireless roaming, 392–393
   wireless survey, 391
entrance facilities, 47, 415
enumeration, G-8, 316
ephemeral ports, 199
Equal Cost Multipathing (ECMP), 436
equipment rooms, 58
error checking, 79
error messaging
   ICMPv6, 213
   ping, 137
error rate, 299
escalation, G-8, 29
Ethernet, G-8, 34–38
   100BASE-TX Fast Ethernet standards, 36–37
   fiber Ethernet standards, 38
Generic Security Services Application Program Interface (GSSAPI), 427
geofencing, G-9, 334, 376
Geostationary Orbital Satellite Internet Access, 387
Get command, 283
Get Next command, 283
GG45 connectors, 42, 67
giant, G-9
giant frame errors, 99
Gigabit Ethernet standards, 37, 67
gigabits per second (Gbps), 35
global addressing, 141–142
global configuration mode, 86
Global Information Tracker (GIT), 452
Global Positioning System (GPS), G-9, 237, 376, 387
golden configuration, 266
goodput, 65
Google
   firewall service, 431
   public DNS resolver, 231
Google App Engine, 441
Google Workspace, 339, 441
grandmaster clock, 239
graphical user interface (GUI), 122, 246, 277, 425, 428
gratuitous ARP replies, 321
group authentication, 398
guest network, 365, 389, 399–400
GUI Properties dialog, 121

H

hacking the human. see social engineering attacks
half-duplex, G-9, 81
half-open scanning, 278, 279
Halon, 63
handshake
   four-way, 398
   three-way, 201
   Transmission Control Protocol, 201
   Transport Layer Security, 359
hard disk drives (HDDs), 271
hardening, G-9, 309, 347–349
   defense in depth, 347–348
   defined, 348
   device and service, 348–349
hardware
   assets, 268
   failures, 95, 96
   server, 58
   VoIP PBX, 251
   Wi-Fi tester hardware devices, 404
hashing, G-9, 420
hdparm utility, 271
headers, HTTP, 240–241
heartbeat monitors, 281
heating, ventilation, air conditioning (HVAC), G-9, 43, 60, 370
heat map, G-9, 392
Hertz (Hz), 34
hexadecimal notation (hex), 23
hierarchical star, 179
hierarchical star-mesh, 179–180
high attenuation, 35
high availability (HA), G-9, 255
high availability clusters, 260–261
   active-active clustering, 261
   active-passive clustering, 261
   virtual IP, 260
high efficiency (HE), 384
High-Level Data Link Control (HDLC), 415
holddown timer, 193
home/residential network, 3
honeypot, G-9, 314
hop, G-9, 137, 157–158
horizontal cabling, 46
host address, DNS, 223
host bus adapter (HBA), 437, 438
host discovery and monitoring, 276–282
   availability monitoring, 281–282
   configuration monitoring, 282
   discovery protocols, 280
   exam objectives for Exam N10-009, A-9
   network discovery, 276–277
   Nmap port scanning, 278–279
   Nmap Security Scanner, 277–278
   performance monitoring, 280–281
Hosted Private cloud deployment model, 440
hosting packages, 241–242
host key, SSH, 426
host name, G-9, 218–219
host number (host ID)
   broadcast addresses, 121
   default gateway, 120
   host address ranges, 118–119
   IPv4 address format, 113
   IPv4 address scheme design, 126, 127
   IPv6 network prefixes, 141
   network masks, 115–116
   subnet masks, 117
host port, 187
host routes, 155
hosts (file), G-9, 2, 230
host-to-host layer, 13, 15, 20
hot aisle/cold aisle layout, 59, 60
hot site, G-9, 257
hotspot, 399
Hot Standby Router Protocol (HSRP), 261–262
HTML5 VPN, G-9, 423
HTTP Secure (HTTPS), G-10, 242, 357
hub, G-9, 10
hub-and-spoke, G-10, 6
hub/control system, 370
hubs, 81–82
human authentication, 334
human-machine interfaces (HMIs), 371
humidity, 60–61
hybrid cloud, G-10, 440
hybrid fiber coax (HFC), 415
hybrid topology, G-10, 179–180
   hierarchical star, 179
   hierarchical star-mesh, 179–180
   star of stars, 180
Hybrid Wireless Mesh Protocol (HWMP), 395
HyperTerminal, 429
HyperText Markup Language (HTML), 240
HyperText Transfer Protocol (HTTP), G-10, 9, 13, 20, 240–242
   content filtering, 242, 358
   DNS client security, 228
   headers and payload, 240–241
   HTTP Secure, 242, 357
   Internet Message Access Protocol, 250
   NoSQL databases, 247
   open wireless, 400
   padlock icon, 242
   proxy servers, 357
   Security Assertion Markup Language, 340
   Simple Mail Transfer Protocol, 249
   state-preserving features, 241
   web servers, 241–242

I

ICMP Echo Request, 162
ICMP Port Unreachable response, 162
ICMP Time Exceeded message, 162, 192
identification, IAM, 332, 333
identity and access management (IAM), G-10, 332–333, 347
   accounting, 333
   authentication, 332, 333
   authorization, 332, 333
   identification, 332, 333
Identity Association Identifier (IAID), 214
ifconfig command, G-10, 134–135
implicit deny, G-10, 356
implicit TLS, 244, 249
implicit trust zone, 458
in-band management, 430
incorrect IP address, 147–148
incorrect pin-out/incorrect termination/mismatched standards, 68
Independent Basic Service Set (IBSS), 395
Indoor Positioning System (IPS), 376
industrial control system (ICS), G-10, 370–371, 372
industrial embedded systems, 370–371
INERGEN, 63
informational messaging, 213
informed consent, 311
Infrastructure as a Service (IaaS), G-10, 440
Infrastructure as Code (IaC), G-10, 449–452
   automation, 450
   dynamic inventories, 451
   mastering instructions, 451
   orchestration, 450
   playbooks, 450
   reusable tasks, 452
   upgrades, 451
infrastructure layer, SDN, 453
infrastructure network type, 388–390
“ingress” traffic, 177
initiator, Fibre Channel, 437
insertion loss, 69, 70
instant secure erase (ISE), G-10, 272
Institute of Electrical and Electronics Engineers (IEEE), 35. see also 802.11 standards
   ad hoc topology, 395
   burned-in address, 79
   extended unique identifier, 75
   Port-Based Network Access Control (NAC), 352–353
   Power over Ethernet, 93–94
   VoIP phones, 253
insufficient wireless coverage issues, 405–406
insulation displacement connector (IDC), G-10, 47, 48, 50, 272
integrity, CIA triad, 308
Integrity Check Value (ICV), 419
Intel, 407
interactive logon, 335
interface configuration, 86–87
interface error counters, 98–99
   cyclic redundancy check errors, 99
   giant frame errors, 99
   increasing interface counters, 98
   runt frame errors, 99
interface identifier, 142
interface ID/EUI-64, 142
interface statistics, G-10, 299
interference, 65
interference issues, 69, 406, 407–408
Interior Gateway Protocol (IGP), 165
Interior Gateway Routing Protocol (IGRP), 167
intermediate distribution frame (IDF), G-10, 46
internal DNS zones, 226–227
internal threats, 315
International Organization for Standardization (ISO)
   cable standards, 40, 42, 67
   ID card standards, 373
   optical multimode categories, 52
   reference model, 7
Internet Assigned Numbers Authority (IANA), 22, 107, 124, 169, 198
Internet Control Message Protocol (ICMP), G-10, 107, 136, 150
Internet Corporation for Assigned Names and Numbers (ICANN), 22, 219
Internet Engineering Task Force (IETF), 22, 236, 300, 453, 454
Internet eXchange Points (IXPs), 21
Internet-facing zones, 367
Internet Group Management Protocol (IGMP), G-10, 107, 111
Internet Key Exchange (IKE), G-10, 420–421
   digital certificates, 421
   network address translation, 421
   pre-shared key (group authentication), 421
IPv6 interface autoconfiguration and testing, 212–213
   ICMPv6, 213
   Neighbor Discovery Protocol, 212
   router advertisement, 212
   stateless address autoconfiguration, 212
IPv6 Rapid Deployment (6RD), 145
isitdownrightnow.com, 282
IT contingency planning (ITCP), 255
iterative lookup, G-11, 221
IT service continuity planning (ITSCP), 255

J

JavaScript Object Notation (JSON), 288, 431
jitter, G-11, 298–299
jumbo frame, G-11, 90
   errors, 99
jump boxes, 430–431
jump server, G-11, 430–431

K

Kerberos, G-11, 336–337, 427
Key Distribution Center (KDC), 336–337
   Authentication Service, 336–337
   Ticket Granting Service, 337
key generation, 339
key management, 339
Key Management Interoperability Protocol (KMIP), 339
key recovery attacks, 397
Key Signing Key, 227–228
knowledge-based authentication, 334
known good duplicate, 30
Kubernetes, 450

L

LAN switches, 181
laser optimized MMF (LOMMF), 52
latency, G-11, 65, 298–299
Layer 1. see Physical layer (Layer 1), OSI
Layer 2. see Data Link layer (Layer 2), OSI
layer 2 broadcast domain, 83
Layer 2 Tunneling Protocol (L2TP), 422
Layer 3. see Network layer (Layer 3), OSI
layer 3 switch, G-11, 181
Layer 4. see Transport layer (Layer 4), OSI
layer 4 switch load balancer, 259
Layer 5. see Session layer (Layer 5), OSI
Layer 6. see Presentation layer (Layer 6), OSI
Layer 7. see Application layer (Layer 7), OSI
layer 7 switch (content switch) load balancer, 259
layers, Internet model, 22
layers, OSI model, 1, 7–8. see also individual layers
   encapsulation and decapsulation, 8–9
   Internet model layers versus, 22
   SOHO routers, 16–20
   troubleshooting, 28–29
      divide and conquer approach, 29
      top-to-bottom/bottom-to-top approach, 28
   upper layers, 14, 15
LDAP Secure (LDAPS), 346
lease time and available leases, DHCP, 209–210
least privilege, G-11, 344, 457
legacy networks, 245
legacy system, 313
licensing, 269
lifecycle management, 270–271
lifecycle roadmap, G-11
light source hazards of fiber optics, 71
Lightweight Access Point Protocol (LWAPP), 394
lightweight AP, G-11, 394
Lightweight Directory Access Protocol (LDAP), G-11, 345–346
link aggregation, G-11, 88–90
Link Aggregation Control Protocol (LACP), G-11, 89
link aggregation group (LAG), 89
Link Layer Discovery Protocol (LLDP), G-11, 280
link local addressing, G-11, 142–143, 211, 216
link state, G-11–G-12, 98, 164
Link State Advertisement (LSA), 168
link state database (LSDB), 168
Linux. see also UNIX/Linux
   authentication, 336
   client ports, 199
   DHCP issues, 216
   DNS service, 225
   hdparm utility, 271
   IP interface configuration, 122
   iproute2, 204
   login, 335
   netstat command, 203–204
   Nmap Security Scanner, 277
   rogue DHCP, 323
   sudo, 342
   Ttcp, 301
   VoIP PBX, 251
“live off the land” techniques, 319
load balancer, G-12, 259
local address resolution, IPv6, 212
local area network (LAN), G-12, 3–4
   datacenter, 4
   enterprise LAN, 4
   home/residential network, 3
   SME network, 4
   SOHO router, 4, 16, 17, 19, 20
local authentication, 335–336
local connector (LC), G-12, 53–54
local exchange carrier’s (LEC’s) network, 47
local/global (L/G) terminology, 80
local loop, 415
Local Security Authority (LSA), 335
local sign-in, 335
location-based authentication, 334
locks, 373–374
   badge reader, 373, 374
   biometric, 373–374
   rack system, 374
log aggregation, 290
log collectors, 288
logging level, G-12, 289
logical network diagrams, 273–274
   Application Layer, 274
   Data Link (layer 2), 273
   logical (IP/layer 3), 274
   Physical layer (Layer 1), 273
logical topology, 10
logical unit number (LUN), 437
log-only rules, 356
log reviews, 291–292
longest prefix match, 169
Long Term Evolution (LTE), G-12, 371, 386
loopback address, G-12, 125, 146
loopback interface, 159
loopback tool, 66
loop issues, 192–193
loss budget calculator, 78
lossless Ethernet, 438
loss of connectivity, 70
low Earth orbit (LEO), 387
low-observable characteristics (LOC) attack, 319
LTE Advanced (LTE-A), 386
LTE Machine Type Communication (LTE-M), 371
Lucent Connector, 53–54

M

MAC-derived address, 142
MAC filtering, G-12, 351
MAC flooding, G-12, 322
machine to machine (M2M) communication, 369
macOS
   Nmap Security Scanner, 277–278
   Secure Shell, 426
MAC spoofing, 320, 353
mail exchange (MX), G-17, 224, 249
main distribution frame (MDF), G-12, 47
malware, G-12
   attacks, 318–319
   code and techniques, 319
   defined, 318
managed device, 283
managed Ethernet switch, 85
management and orchestration (MANO), 444
Management Frame Protection (MFP), 402
management frames, 397
management information base (MIB), G-12, 283, 284
management plane, QoS, 304
management plane, SDN, 454
management port, 429
Man-in-the-Middle (MitM) attacks. see on-path attack
many-to-one NAT, 174
MariaDB platform, 246
massive MIMO, 386
master image, 451
mastering instructions, 451
master key (MK), 399
master router, 262
maximum hop count, 193
maximum tolerable downtime (MTD), G-12, 255–256
maximum transmission unit (MTU), G-12, 90
MDI crossover (MDIX), G-12, 81
mean time between failures (MTBF), G-12, 257, 258
mean time to failure (MTTF), G-12, 258
mean time to repair/replace/recover (MTTR), G-12, 258
media access control (MAC), G-12
   64-bit interface ID determined by, 142
   Address Resolution Protocol, 109, 135, 136
   broadcast addressing, 80, 81, 110
   burned-in addresses, 79–80
   collision domain, 35–36
   duplicate issues, 149
   format, 79–80
   interface ID/EUI-64, 142
   Layer 2 versus Layer 3 addressing and forwarding, 108
   multicasting addressing, 111
   network interface cards, 75
   patch panels, 48
   spoofing attacks, 149
media access control (MAC) address table, G-12, 99–100, 136
media bandwidth, 34
media converter, G-12, 10
medium dependent interface (MDI), G-12, 81
megabits per second (Mbps), 35
membership, VLANs, 184–185
memorandum of understanding (MoU), G-13, 275
memory, 281
Mesh Basic Service Set (MBSS), 395
mesh topology, G-13, 6, 395
Message Digest v5 (MD5), 328
message submission agent (MSA), 249
metrics, 164
Metro Ethernet, 38
microsegmentation, G-13, 84
Microsoft
   Active Directory LDAP schema, 345
   logon or sign-in, 335
   Point-to-Point Tunneling Protocol, 422
   Remote Desktop Protocol, 423, 428–429
   Secure Socket Tunneling Protocol, 422
   SQL Server, 246
Microsoft Azure
   network security groups, 448
   SQL Database, 441
   Virtual Machines, 440
Microsoft Office 365, 441
Microsoft Visio, 273, 274
midspan device, 94
network interface card (NIC), G-14, 11, 18, 55, 74–75, 438
network interfaces, configuring, 74–80
   frame format, 78–79
   Media Access Control address format, 79–80
   modular transceivers, 75–76
   network interface cards, 74–75
   transceiver mismatch issues, 77
   transceiver signal strength issues, 77–78
Network layer (Layer 3), OSI, G-14, 12, 15, 18–20
   addressing and forwarding, 108
   Address Resolution Protocol, 109
   Border Gateway Protocol, 169
   broadcast domain boundaries, 110
   cloud firewall security, 447
   content filtering, 358
   functions, 18–20
   Generic Routing Encapsulation, 145
   hardware failure issues, 95
   Internet Protocol Security, 419
   IP configuration issues, 147
   IPv4 address format, 113
   IPv4 datagram header, 106, 107
   SOHO routers, 18–20
   throughput, 65, 403
   tunneling protocols, 418
   virtual LANs and subnets, 183
   VoIP-enabled PBX, 251
   Wide area networks, 414
Network Layer Reachability Information (NLRI), 169
Network Level Authentication (NLA), 428
network links, 258
network loop, G-14, 100
network management
   event management, 286–292
   guidelines for, 305
   host discovery and monitoring, 276–282
   organizational policies and documentation, 266–275
   packet capture and analysis, 293–296
   Simple Network Management Protocol, 283–285
   traffic monitoring, 297–304
network mask, G-14, 115–116
network number (network ID)
   classful addressing, 123
   Classless Inter-Domain Routing, 128
   default gateway, 119–120
   IPv4 address format, 113
   IPv4 address scheme design, 126
   IPv6 network prefixes, 141
   network masks, 115–116
   subnet masks, 117
network protocol, 8–9
   addressing, 8
   decapsulation, 9
   encapsulation, 8–9
network schematics, 273–274. see also logical network diagrams
network security concepts, 308–314
   deception technologies, 314
   design
      guidelines for supporting, 377
      internet of things (IoT), 369–372
      physical security, 373–376
      zone-based security, 364–368
   encryption, 312–313
   exam objectives for Exam N10-009, A-12–A-14
   features
      authentication, 332–342
      authorization and role-based access control, 343–346
      guidelines for applying
         network access control solutions, 361
         hardening, 347–349
         network security rules, 355–360
         switch security, 350–354
   guidelines for supporting security planning and auditing, 330
   password attacks, 328–329
   regulatory compliance, 311–312
   rogue system attacks, 323–325
   rules, 355–360
      access control list configuration, 355–357
      access control list issues, 360
      content filtering, 358–359
      misconfigured firewalls, 360
      proxy servers, 357–358
   security audits and assessments, 309–310
   social engineering attacks, 326–328
   spoofing attacks, 320–322
   terminology, 308–309
   threats and attacks, 315–329
      rogue system attacks, 323–325
      social engineering, 326–329
      spoofing attacks, 320–322
      vulnerability and exploit types, 313
   zones, 364–365
network security group, G-14, 343–344, 447–448
network security list, G-14, 448
network segmentation enforcement, 364
network separation, G-14
network services. see also Domain Name System (DNS);
public cloud, G-16, 440
public IP address, 124–125
public key, G-16, 237
public key authentication (PKA), 427
public key cryptography, 337–338
public key infrastructure (PKI), G-16, 338
public network, 365
public server network, 365
public switched telephone network (PSTN), G-17, 21, 251
public versus private addressing, G-17, 124–125
pulling cable, 49
punchdown tool, G-17, 50
Puppet, 450
PuTTY, 429
PVC (polyvinyl chloride) jackets, 43

Q

quad small form factor pluggable/enhanced quad small form factor pluggable (QSFP/QSFP+), G-17, 76, 438
quality of service (QoS), G-17, 252, 253, 297, 304
   storage area network, 438

R

rack, G-17, 58
rack diagram, G-17, 273
rack-mounted Ethernet switch, 85
rack system locks, 374
rack systems, 58–60
radio frequency (RF) attenuation, G-17, 404
radio frequency interference (RFI), 69, 391
Radio Grade (RG) designations, 44
RAID arrays, 437
Random Early Detection (RED), 304
range and signal strength, 390–391
ransomware, 318
Rapid STP (RSTP), 93
RC4, 396, 397
RDP Restricted Admin (RDPRA) Mode, 429
read-only access (query), 346
read/write access (update), 346
Real-Time Transport Protocol (RTP), 253
Received Signal Strength Indicator (RSSI), G-17, 391
receive (Rx) wires, 81
recovery point objective (RPO), G-17, 256
recovery time objective (RTO), G-17, 256, 258
recursive lookup, G-17, 221
recursive resolvers, 221
redirection, IPv6, 212
redundancy, 257–258
Redundant Array of Independent Disks (RAID), 245, 258
redundant spares, 258
reflection/bounce (multipath interference), 407
refraction, 407
Regional Internet Registries, 228
registered-jack connector (RJ), G-17
   RJ11 connectors, 41–42
   RJ45 connectors, 41–42
regulatory compliance, 311–312
   data locality, 311
   General Data Protection Regulation, 311
   Payment Card Industry Data Security Standard, 312
   personally identifiable information, 311
relational database management system (RDBMS), 246–247
relative distinguished name, 345
relay, DHCP, 215–216
relying party (RP), 341
remote access methods
   guidelines for supporting, 432
   remote management, 425–431
   virtual private network, 417–424
   wide area network, 414–416
remote access server (RAS), 417
remote access Trojan (RAT), 318
remote authentication, 341–342
   AAA, 341
   RADIUS, 341–342
   TACACS+, 341, 342
Remote Authentication Dial-In User Service (RADIUS), G-17, 341–342, 399
remote configuration of network appliances, 425
Remote Credential Guard, 429
remote desktop connections, 425
remote desktop gateway, 425
Remote Desktop Protocol (RDP), G-17, 341, 423, 428–429
remote host access, 425
remote management, 425–431
   API connection methods, 431
   console connections, 429–430
   exam objectives for Exam N10-009, A-11
   jump boxes, 430–431
   out-of-band, 430
   Remote Desktop Protocol, 428–429
   remote host access, 425
   Secure Shell, 426–427
      SSH client authentication, 427
         Kerberos, 427
         public key authentication, 427
         username/password, 427
      SSH commands, 427
      SSH host key, 426
   Telnet, 428
remote network access, VPN, 417–418
remote routes, 155
remote sign-in, 336
renewal, key management, 339
repeater, G-17, 10
reputational threat intelligence, 316
Request for Change (RFC), 268
Requests for Comments (RFCs), 22, 124
reservation (DHCP), G-17, 210, 214
resets, 98
resetting, 30
residential cabling standard (TIA 570), 48
Resolve-DnsName, 231
resolvers, DNS
   caching, 226
   client issues, 229–230
   client security, 228
   DHCP options, 210
   dig command, 232
   function of, 227
   name resolution, 220–221
   name resolution methods, 230
   nslookup command, 231
resource record, G-17, 221–222, 227
resource units (RUs), 384
retransmissions, 299
reusable tasks, IaC, 452
reverse DNS, G-17, 224–225
reversed pair, 68
reverse proxies, 358, 459
revocation, key management, 339
RFC 1542, 215, 217
RFC 1918, G-17, 124
RFC 3927, 211
riser cabling, 43
risk, G-17, 309
risk assessment, 309
risk management, 309
risk posture, 310
RJ11 connectors, 17, 41–42
RJ45 connectors, 17, 41–42, 67, 272
RJ45 patch cord, 49
roaming, G-17, 392–393
roaming misconfiguration issues, 408
rogue access point, G-18, 400
rogue devices and services, 323
rogue system attacks, 323–325
   DNS attacks, 324–325
   rogue devices and services, 323
   rogue DHCP, 323–324
role-based access control (RBAC), G-18, 343–346
rollback, 271
root bridge selection, G-18, 91–93
root bridge switch, 353
rootkit, 318
round robin DNS, 223
round trip time (RTT), 136, 298, 387
route command, G-18, 161
route flapping, 165
router, G-18
router, SOHO, 16
router advertisement (RA), G-18, 212
Router Advertisement (RA) Guard, G-18, 353
router configuration, 159–160
router implementation, 419
router solicitation (RS), 212
route selection, 169–170, 191–192
routing. see also dynamic routing protocols
   convergence, 165
   Enhanced IGRP, 167
   fragmentation, 158
   Open Shortest Path First, 168, 169
   packet forwarding, 157–158
   Port Address Translation, 175
   route selection, 169
   Routing Information Protocol, 166
   routing loop, 192
   routing tables, 154, 157
   switch virtual interfaces, 189
   traceroute, 162
routing by rumor, 165
routing entry, parameters defining, 154
Routing Information Protocol (RIP), G-18, 165–167
routing loop, G-18, 192–193
routing table, G-18
   default routes, 155, 156
   directly connected routes, 155
   example, 156–157
   host routes, 155
   issues, troubleshooting, 191–192
   path selection, 154–155
   remote routes, 155
   routing entry, parameters defining, 154
   static routes, 156
routing table tools, 160–163
   ip route, 161
   route command, 161
   show arp, 160
   show route, 160
   traceroute, 162
   tracert, 162–163
routing technologies. see also routing table
   default routes, 156
   dynamic (see dynamic routing protocols)
   enterprise network topologies, 179–181
      hybrid topology, 179–180
      three-tiered hierarchy, 180–182
   firewalls, 176–178
      packet filtering, 176–177
      selection and placement, 178
      stateful inspection, 177
   fragmentation, 158
   guidelines for supporting routing and campus network design, 195–196
   network address translation, 171–175
      edge routers, 171–172
      Network Address Translation, 173–174
      Port Address Translation, 174–175
   packet forwarding, 157–158
   router configuration, 159–160
   troubleshooting, 191–194
      default route issues, 192
      loop issues, 192–193
      routing table issues, 191–192
      VLAN assignment issues, 193–194
   trunking and IEEE 802.1Q, 186
   VLANs, 183–194
      assignment issues, troubleshooting, 193–194
      default, 187
      IDs and membership, 184–185
      native, 187
      port tagging, 187
      routing, 188–190
      subnets, 183–184
      voice, 187–188
RTP Control Protocol (RTCP), 253
runt, G-18, 99

S

Salesforce, 441
Samba software suite, 245
sandbox environments, 30
sanitization, G-18, 271
satellite systems, 386–387
satellite, G-18
scalability, G-18, 439
schematics, 273–274. see also logical network diagrams
scope (DHCP), G-18, 209
scope exhaustion, DHCP, 216
scope of a network, 3
screened subnet, G-18, 366–367
screened twisted pair (ScTP), 40
scripting tools, 319
SDN controller, 453
secondary zone, 226
Secure Access Service Edge (SASE), G-18, 459
secure administrative workstation (SAW), 429, 434
secure erase (SE), G-18, 271
secure file transfer protocol (SFTP), 244, 426
Secure Hash Algorithm (SHA), 328
Secure Shell (SSH), G-18, 159, 244, 336, 341, 426–427
   remote host access, 425
   SSH client authentication, 427
      Kerberos, 427
      public key authentication, 427
      username/password, 427
   SSH commands, 427
   SSH host key, 426
   virtual terminal, 429
Secure Sockets Layer (SSL), 237, 346, 422
Secure Socket Tunneling Protocol (SSTP), 422
secure version of SIP (SIPS), 253
secure web gateway (SWG), 459
security, DNS, 227–228
security, SNMP, 285
Security Accounts Manager (SAM), 335
Security Assertion Markup Language (SAML), G-18, 340–341
security association (SA), 420
security audits and assessments, 309–310
security controls, 310
Security Information and Event Management (SIEM), G-18, 290–291
Security Service Edge (SSE), G-18, 459
security violation issues, 360
segments, 10, 13
self-encrypting drives (SEDs), 272
self-signed certificate, G-18, 338
Sender Policy Framework (SPF), 224
sensors, 61
separation of duties, G-18, 345
Serial Advanced Technology Attachment (SATA), 271, 437
Serial Attached SCSI (SAS), 271, 437
server, AAA, 341
server cache poisoning, DNS, 325
server configuration
   DHCPv6, 213–214
   Domain Name Service, 225–226
server configuration, DHCP, 208–209
server hardware, 58
Server Message Block (SMB), G-19, 20, 245
server rooms, 58
server types, DNS, 225–226
service assets, 266
service hardening, 348–349
service level agreement (SLA), G-19, 275
service (SRV) record, 224
services, rogue, 323
Service Set Identifier (SSID), G-19, 388–389, 393, 399, 401
   broadcast and beacon frame, 393
session, 14
session control, VoIP, 252
Session Initiation Protocol (SIP), G-19, 253
Session layer (Layer 5), OSI, G-19, 14, 15, 236, 418
shadow, G-19, 323
shared hosting, 242
shellcode, G-19, 319
shielded/foiled twisted pair (S/FTP), 40
shielded modular plug, 50
shielded twisted pair (STP), G-19, 40
short, 68
shortest path first (SPF), 168
shoulder surfing, G-19
shoulder surfing attacks, 327
show arp command, G-19, 160
show commands, G-19, 97–98
   administratively down/down, 97
   down/down, 97
   down/error disabled, 98
Spanning Tree Protocol (STP), G-20, 90–93
  broadcast storm, 282
  configuration, 91–93
  manipulation attack, 322
  port guards, 353
SPAN (switched port analyzer)/port mirroring, 293
spatial diversity, 383
spatial multiplexing, 383
spectrum analyzer, G-20, 408
speed versus throughput, 64–65
Spiceworks IT Support management tool, 31
spine and leaf topology, G-20, 435–436
splices, 77
split horizon, 193
split pair, 69
split tunnel, G-20, 422
spoofing, G-20, 316
spoofing attacks, 149, 316, 320–322
  ARP spoofing, 321–322
  IP spoofing, 320–321
  MAC flooding attacks, 322
  MAC spoofing, 320
  on-path attacks, 320–322
  VLAN hopping attacks, 322
spyware, 318
stackable Ethernet switch, 85, 86
standard operating procedure (SOP), G-20, 450
standby group, 261
standby power supplies, 258
star of stars, 180
start frame delimiter (SFD), 78
Start of Authority (SOA), 221–222
star topology, G-20, 5–6
STARTTLS, 249
starvation attack, DHCP, 324
state/bare metal, 267
stateful inspection firewalls, 177
stateless address autoconfiguration (SLAAC), G-20, 212–214
static address assignment, 210
static route, G-20, 156
stations, 381, 388
Statistics menu, Wireshark, 295
stealthy hosts, 278
sticky MACs, 351
storage
  key management, 339
  performance metrics, 281
storage area network (SAN), G-20, 38, 76, 436–438, 440
straight tip (ST) connector, G-20, 53
stranded-wire patch cords, 49
“strip” sockets, 62
structured cable installation, 49
structured cabling system, 45–47
  backbone cabling, 47
  entrance facilities/demarc, 47
  horizontal cabling, 46
  telecommunications room, 47
  work area, 45
Structured Query Language (SQL), G-20, 246
stub resolver, 220
subinterface, G-20, 188–189
subnet, 183–184
subnet addressing, G-20, 117, 127, 128, 142, 148
subnet mask, 117–118, 148
  incorrect, 148
  variable length, 130–132
subnetting, 123–132
  address ranges reserved for special use and not publicly routable, 126
  classful addressing, 123–124
  Classless Inter-Domain Routing, 128–129
  IPv4 address scheme design, 126–127, 151–152
  loopback address, 125
  public versus private addressing, 124–125
  purpose, 119
  variable length subnet masking, 130–132
subscriber connector (SC), G-20, 53, 54
substitute known working hosts, 66
sudo, 342
supervisory control and data acquisition (SCADA), G-20, 371, 372
supplicant, AAA, 341
supplicant device, 399
switch, G-20, 11
  Ethernet, 84–87
  guidelines for deploying, 103
  ping, 138
  port configuration, 88–94
switched port analyzer (SPAN), 353
switching, 108
switchport command, 87
switch port configuration, 88–94
  exam objectives for Exam N10-009, A-6–A-7
  link aggregation, 88–90
  maximum transmission unit, 90
  NIC teaming, 88–89
  Power over Ethernet, 93–94
  Spanning Tree Protocol, 90–93
switch security, 350–354
  Extensible Authentication Protocol, 352
  IEEE 802.1X Port-Based NAC, 352–353
  network access control, 350–351
  port guards, 353
  port mirroring, 353–354
switch troubleshooting, 95–102
  broadcast storms, 100–101
  hardware failures, 96
  interface error counters, 98–99
  MAC address tables, 99–100
  network loop issues, 100
  port status indicators, 96
  power issues, 95
  Power over Ethernet issues, 101–102
  restarting, 96
  switch show commands, 97–98
  Point-to-Point Protocol, 418
  Transport Layer Security, 418
tunnel mode, 419–420
tuple, 300, 356
twinaxial cable, G-22, 44
twisted pair cable, G-22, 35
twisted pair connector types, 41–42
  RJ11 connectors, 42
  RJ45 connectors, 41–42
two-factor authentication, 334
TX/RX transposed (crossed pair), 68
type, tcpdump, 294
typosquatting techniques, 324

U

Ultra Physical Contact (UPC), G-22, 54, 70
unauthorized modification, 236
unicast addressing, G-22, 110, 141–142
unicast transmissions, 80, 81
Unicode, 14
unidirectional antenna, 394
Uniform Resource Identifier (URI), 253
uniform resource locator (URL), 240
  filtering, 359
uninterruptible power supply (UPS), G-22, 62, 95, 258, 272, 273
universal address, 79
universal/local (U/L), 79, 80
UNIX/Linux. see also Linux
  DNS poisoning, 325
  Secure Shell, 426
  syslog, 288
  tunneling, 145
unmanaged Ethernet switch, 85
unpatched system, 313
unshielded twisted pair (UTP) cable, G-22, 39–40
unspecified address, 146
untagged ports, 187
updated cryptographic protocols, 397
upgrades, IaC, 451
uplink MU-MIMO (UL MU-MIMO), 385
uptime monitors, 281
URL filtering, G-22, 359
USB thumb drives, 271
User Account Control (UAC), 342
user agents, 253
User Datagram Protocol (UDP), G-22, 203
  Datagram Transport Layer Security, 236
  device queries, 284
  IP protocol types, 107
  load balancers, 259
  Network Time Protocol, 237
  Nmap port scanning, 278
  overlay networks, 454
  port numbers, 177
  ports, 205–206, 284, 288
  relational database management system, 246
  Session Initiation Protocol, 253
  structure of, 203
  Trivial File Transfer Protocol, 237
user EXEC mode, 86
username, 427
utilization, 281, 299

V

validation tests, 255
variable length subnet masking (VLSM), G-22, 130–132
version control, G-22, 452
vertical cabling, 47
vertical-cavity surface-emitting lasers (VCSEL), 52
vertical rod antenna, 394
very high-speed DSL (VDSL), 416
very high throughput (VHT), 384
very small aperture terminal (VSAT), 387
video, bandwidth requirements, 298
video teleconferencing (VTC), 251, 252
virtual appliances, G-22, 3
Virtual Extensible LAN (VXLAN), G-22, 454–455
virtual firewall, 431
virtual IP, G-22, 260
virtualization, 30
virtual LANs (VLANs), G-22, 84, 183–194
  assignment issues, 193–194
  automated VLAN pooling, 394
  default, 187
  firewalls, 355
  hopping attacks, 322
  IDs and membership, 184–185
  native, 187
  port guards, 353
  port tagging, 187
  routing, 188–190
    subinterfaces, 188–189
    Switch Virtual Interface, 189–190
  subnets, 183–184
  traffic management, 304
  trunking and IEEE 802.1Q, 186
  voice, 187–188
  VoIP phones, 253
virtual machine (VM), 443–444
Virtual Network Computing (VNC), 429
Virtual network function (VNF), 444
virtual private cloud (VPC), G-22, 444
virtual private network (VPN), G-22, 107, 400, 417–424
  clientless VPNs, 423
  client-to-site VPNs, 422–423
  cloud connectivity, 445–446
  exam objectives for Exam N10-009, A-11
  Internet Key Exchange, 420–421
  Internet Protocol Security, 419–420
  remote network access, 417–418
  site-to-site VPNs, 424
  tunneling protocols, 418
  virtual private clouds, 445
virtual private server (VPS), 241