CompTIA Net+ Chapter 8
Configuration management
Identifying and documenting all the infrastructure and devices installed at a site
Configuration management is implemented using the following elements:
Service assets are things, processes, or people that contribute to the delivery of an IT service. Each asset must be identified by some sort of label.
A configuration item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. CIs are defined by their attributes.
A configuration management system (CMS) is the tools and databases that collect, store, manage, update, and present information about CIs. A small network might capture this information in spreadsheets and diagrams; there are dedicated applications for enterprise CMSs.
When discussing configuration management concepts, you need to distinguish between various configuration states:
A baseline documents the approved or authorized state of a CI. This allows auditing processes to detect unexpected or unauthorized change. A baseline can be a configuration baseline (the ACL applied to a firewall, for instance) or a performance baseline (such as the throughput achieved by the firewall). A baseline configuration is sometimes referred to as a golden configuration.
The production configuration is the state of a CI as used within a working network. This might deviate temporarily or persistently from the baseline. This deviation is often referred to as configuration drift.
A backup configuration is a copy of the production configuration made at a particular time. As the production configuration might have drifted, a given backup might also not match the golden configuration.
An appliance may also support two backup modes:
State/bare metal—A snapshot-type image of the whole system. This can be redeployed to any device of the same make and model as a system restore.
Configuration file—A copy of the configuration data in a structured format, such as Extensible Markup Language (XML). This file can be used in a two-stage restore where the OS or firmware image is applied first (or a new appliance provisioned) and then the configuration is restored by importing the backup file.
A documented change management process does what?
It minimizes the risk of configuration drift and unscheduled downtime by implementing changes in a planned and controlled way.
In a formal change management process, the need for change and the procedure for implementing the change are captured in what?
A Request for Change (RFC) document
In a fully documented environment, each task will be governed by what?
A standard operating procedure (SOP)
Standard Operating Procedure
A SOP sets out the principal goals and considerations, such as budget, security, or customer contact standards, for performing a task and identifies lines of responsibility and authorization for performing it.
A SOP may also contain detailed steps for completing a task in an approved way, or these steps may be presented as work instructions.
System life-cycle management
Refers to the managed acquisition, deployment, use, and decommissioning of assets
End of Life
The phase in which vendor support and the availability of spares and updates become more limited
End of Support
A product that is no longer supported by its developer or vendor
It no longer receives security updates and so represents a critical vulnerability
Data Remnant Removal
Refers to ensuring that no data is recoverable from hard disk drives (HDDs), flash devices or solid state drives (SSDs), tape media, and CD and DVD ROMs before they are disposed of or put to a different use.
Paper documents must also be disposed of securely.
Data remnants can be dealt with either by destroying the media or by sanitizing it (removing the confidential information but leaving the media intact for reuse).
Media Sanitization
Refers to erasing data from HDD, SSD, and tape media before they are disposed of or put to a different use.
Cable Map
Shows how wires are routed through conduit from telecommunications closets to work areas
Port location diagram
Identifies how wall ports located in work areas are connected back to ports in a distribution frame or patch panel and then from the patch panel ports to the switch ports.
Rack diagrams
Should also show how power outlets on the UPS connect to appliance power supply units
Wiring Diagram
Shows detailed information about the termination of twisted pairs in an RJ45 jack or IDC
Rack Diagram
Records the position of each appliance in the rack.
Schematic
Simplified or abstracted representation of a system
In terms of the physical network topology, a schematic diagram can show the general placement of equipment and telecommunications rooms, plus device and port IDs, without trying to capture the exact position or relative size of any one element.
Some of the information appropriate to show at each layer includes the following:
PHY (Physical layer)—Asset IDs, cable links, and wall/patch panel/switch port IDs. You can use color-coding or line styles to represent the cable type (make sure the diagram has an accompanying legend to explain your scheme).
Data Link (layer 2)—Shows interconnections between switches and routers, with asset IDs (or the management IP of the appliance), interface IDs, and link-layer protocol and bandwidth. You could use line thickness to represent bandwidth, but for clarity it is a good idea to use labels as well.
Logical (IP/layer 3)—IP addresses of router interfaces (plus any other static IP assignments) and firewalls, plus links showing the IP network ID and netmask, VLAN ID (if used), and DHCP scopes.
Application—Server instances and TCP/UDP ports in use. You might also include configuration information and performance baselines (CPU, memory, storage, and network utilization) at this level.
IP address management (IPAM)
Core function of IPAM is to scan DHCP and DNS servers and log IP address usage to a database
Service Level Agreement (SLA)
Contractual agreement setting out the detailed terms under which an ongoing service is provided
Nondisclosure agreement (NDA)
Legal basis for protecting information assets
Identifies what uses of sensitive data are permitted
What storage and distribution restrictions must be enforced
What penalties will be incurred by breaches of the agreement
Memorandum of Understanding (MOU)
Preliminary or exploratory agreement to express an intent to work together
Not a binding contract
Nmap Security Scanner
Widely used for IP scanning
Both as an auditing and as a penetration test tool
Port scanner
Tries to identify which TCP and UDP ports are listening
As examples, the following represent some of the main types of scanning that Nmap can perform:
TCP SYN (-sS)
TCP Connect (-sT)
UDP scans (-sU)
Port range (-p)
TCP SYN (-sS)
This is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
TCP Connect (-sT)
A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap must use the OS to attempt a full TCP connection. This type of scan is less stealthy.
UDP scans (-sU)
Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Port range (-p)
By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --top-ports n, where n is the number of commonly used ports to scan. The frequency statistics for determining how commonly a port is used are stored in the nmap-services configuration file.
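An added example (not from the Net+ material or from the Nmap project) of the two ideas above: how --top-ports ranks ports from the open-frequency column of nmap-services, and what an unprivileged TCP connect scan (-sT) actually does under the hood. The nmap-services excerpt is constructed with illustrative frequencies, and the scan targets a listener the script opens on 127.0.0.1 so that it runs offline; open/closed/filtered follow Nmap's meaning of those states.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed excerpt in the layout of Nmap's nmap-services file:
# "<service> <port>/<proto> <open-frequency> [# comment]".
# Frequencies are illustrative, not copied from a real file.
NMAP_SERVICES_SAMPLE = """\
# Fields: service name, port/protocol, open-frequency, optional comments
http 80/tcp 0.484143 # World Wide Web HTTP
telnet 23/tcp 0.221265
https 443/tcp 0.208669
ftp 21/tcp 0.197667
ssh 22/tcp 0.182286 # Secure Shell
smtp 25/tcp 0.131314
domain 53/udp 0.213496
"""


def top_ports(services_text, n, proto="tcp"):
    """Emulate --top-ports n: rank ports of one protocol by open-frequency."""
    ranked = []
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        _name, port_proto, freq = line.split()[:3]
        port, p = port_proto.split("/")
        if p == proto:
            ranked.append((float(freq), int(port)))
    ranked.sort(reverse=True)
    return [port for _freq, port in ranked[:n]]


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Unprivileged TCP connect scan (nmap -sT semantics).

    open     -> the full three-way handshake completed
    closed   -> the target answered with RST (connection refused)
    filtered -> no answer before the timeout (typically a firewall drop)
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port, "open"
            except ConnectionRefusedError:
                return port, "closed"
            except (socket.timeout, OSError):
                return port, "filtered"

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


def demo():
    """Scan one local listener and one port known to be closed.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # nothing listens here now

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    print("top 3 tcp ports:", top_ports(NMAP_SERVICES_SAMPLE, 3))
    results, o, c = demo()
    print(f"port {o}: {results[o]}, port {c}: {results[c]}")
```

Because every probe completes the handshake, a connect scan shows up in the target's application logs and in connection accounting, which is why it is the less stealthy choice compared with a half-open SYN scan; the SYN scan needs raw-socket privileges and is not reproduced here.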
Cisco Discovery Protocol (CDP)
Runs by default on all Cisco switch, router, and access point hardware
Uses Data Link layer multicast messaging to send status announcements over local interfaces every 60 seconds
Because those announcements include platform, software version, and address details, CDP should be disabled on interfaces that face untrusted hosts
When you are monitoring a network host or appliance, several performance metrics can tell you whether the host is operating normally:
Bandwidth
Utilization/throughput
CPU and memory
Storage
Bandwidth
This is the rated speed of all the interfaces available to the device, measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary, but the bandwidth of WAN and wireless links can change over time.
Utilization/Throughput
This is the actual amount of data transferred. Utilization expresses this as a percentage of the bandwidth, while throughput is the amount of data transferred per unit of time.
CPU and Memory
Devices such as switches and routers perform a lot of processing. If CPU and/or system memory utilization (measured as a percentage) is consistently very high, an upgrade might be required. High CPU utilization can also indicate a problem with network traffic.
Storage
Some network devices require persistent storage (typically, one or more flash drives) to keep configuration information and logs. Storage is measured in MB or GB. If the device runs out of storage space, it could cause serious errors. Servers also depend on fast input/output (I/O) to run applications efficiently.
Baseline Metrics
Establishes the level of resource utilization at a point in time, such as when the system was first installed. This provides a comparison to measure system responsiveness later.
Availability Monitor
Triggers an alert or alarm if a host or service experiences an outage or other unscheduled downtime
There can be any number of underlying causes, but consider some of the following:
The application or OS hosting the service has crashed (or there is a hardware or power problem).
The server hosting the service is overloaded (high CPU/memory/disk I/O utilization/disk space utilization). Try throttling client connections until the server resources can be upgraded.
There is congestion in the network, either at the client or server end (or both). Use ping or traceroute to check the latency experienced over the link and compare to a network performance baseline. Again, throttling connections or bandwidth may help to ease the congestion until higher bandwidth links can be provisioned.
A broadcast storm is causing loss of network bandwidth. Switching loops cause broadcast and unknown unicast frames to circulate the network perpetually, as each switch repeatedly floods each frame. A broadcast storm may quickly consume all link bandwidth and crash network appliances (check for excessive CPU utilization on switches and hosts). The Spanning Tree Protocol (STP) is supposed to prevent such loops, but this can fail if STP communications between switches do not work correctly, either because of a fault in cabling or a port/transceiver or because of a misconfiguration. Ports can also be configured with storm control. This will start to drop broadcasts and unknown unicasts if they reach a certain level.
Network congestion or high host CPU/memory utilization may also be a sign that the service is being subject to a denial of service (DoS) attack. Look for unusual access patterns (for example, use GeoIP to graph source IP addresses by country and compare to baseline access patterns).
Configuration Monitor
Generates logs, alerts, or alarms when there is a change to a device’s production configuration
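An added example (not from the Net+ material) that ties the configuration monitor above to the baseline, production configuration, and backup concepts from the configuration management section: a backup of the production configuration is normalized and compared to the golden configuration, so that drift is reported as a diff and not masked by cosmetic differences. The two configurations are constructed in Cisco IOS-like syntax purely for illustration; the "!" comment lines, including the save timestamp, are stripped before comparison because they change without affecting behaviour.

```python
import difflib
import hashlib

# Constructed golden (approved) configuration.
GOLDEN = """\
! Last configuration change at 09:12:01 UTC Mon Jan 1 2024
hostname edge-fw-1
!
ip access-list extended MGMT
 permit tcp host 10.0.0.10 any eq 22
 deny ip any any log
!
snmp-server group MONITOR v3 priv
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Constructed backup of the production configuration. Besides a new timestamp
# it has drifted in two security-relevant ways: SSH is now reachable from any
# source and a default SNMPv2c community string has been added.
BACKUP = """\
! Last configuration change at 14:47:33 UTC Thu Mar 7 2024
hostname edge-fw-1
!
ip access-list extended MGMT
 permit tcp host 10.0.0.10 any eq 22
 permit tcp any any eq 22
 deny ip any any log
!
snmp-server community public RO
snmp-server group MONITOR v3 priv
line vty 0 4
 access-class MGMT in
 transport input ssh
"""


def normalize(config):
    """Keep only behaviour-relevant statements: drop comment/separator lines
    (which begin with "!"), trailing whitespace and blank lines."""
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        out.append(line)
    return out


def fingerprint(config):
    """Stable hash of the normalized config. Storing this next to the golden
    configuration lets a monitor detect drift with one comparison per poll."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def detect_drift(golden, candidate):
    """Return (drifted, diff_lines). diff_lines is a unified diff of the
    normalized texts and is empty when the candidate matches the baseline."""
    g, c = normalize(golden), normalize(candidate)
    diff = list(difflib.unified_diff(g, c, "golden", "candidate", lineterm="", n=1))
    return g != c, diff


if __name__ == "__main__":
    drifted, diff = detect_drift(GOLDEN, BACKUP)
    print("drift detected:", drifted)
    print("\n".join(diff))
```

In a real deployment the candidate text would be the configuration pulled from the device (or its latest backup), and the alert would carry the diff lines so the reviewer can see at once whether the change has an approved RFC behind it.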
Management Information Base (MIB)
Holds variables relating to the activity of the device, such as the number of frames per second handled by a switch
SNMP Monitor
Management software that provides a location from which you can oversee network activity
The monitor can retrieve information from a device in two main ways:
Get—The software queries the agent for a single OID. This command is used by the monitor to perform regular polling (obtaining information from devices at defined intervals).
Trap—The agent informs the monitor of a notable event, such as port failure. The threshold for triggering traps can be set for each value.
Many networks run SNMP v2c. This protocol version has no support for robust authentication or encryption. When using SNMP v2c, apply the following guidelines:
SNMP v2c community strings are sent in plaintext and should not be transmitted over the network if there is any risk of interception.
Use difficult-to-guess community strings; never leave the community string blank or set it to the default.
Use access control lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).
SNMP v3
Supports encryption
Supports strong user-based authentication
Instead of community strings, the agent is configured with a list of usernames and access permissions.
When authentication is required, the SNMP message carries an HMAC computed with a key derived from the user's passphrase and localized to the agent's engine ID.
The agent recomputes the HMAC from its own copy of that key and rejects the message if the values differ.
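An added example (not from the Net+ material) of the SNMPv3 user-based authentication just described, implemented from RFC 3414: the passphrase is stretched to a key (Ku), localized to the agent's engine ID (Kul), and then used as the HMAC key whose first 12 bytes form the message's authentication parameters. The passphrase and engine ID below are the RFC's appendix test-vector values, used here only so that the derived keys can be checked; the message bytes are a constructed stand-in for a serialized PDU.

```python
import hashlib
import hmac

# Values from the RFC 3414 appendix test vectors (illustrative; a real engine ID
# is assigned by the agent and a real passphrase is, of course, secret).
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSPHRASE = b"maplesyrup"


def password_to_key(passphrase, engine_id, hash_name="sha1"):
    """RFC 3414 A.2 password-to-key algorithm plus key localization.

    Step 1: hash the passphrase repeated until 1,048,576 bytes have been
            consumed. This deliberate slowness is the only brute-force
            hardening the scheme has, so passphrase quality still matters.
    Step 2: localize Ku with the engine ID, so the same passphrase yields a
            different key on every agent (compromising one agent's key does
            not give away the others).
    """
    if not passphrase:
        raise ValueError("empty passphrase")
    mega = 1_048_576
    stream = (passphrase * (mega // len(passphrase) + 1))[:mega]
    ku = hashlib.new(hash_name, stream).digest()
    kul = hashlib.new(hash_name, ku + engine_id + ku).digest()
    return kul


def auth_params(kul, message, hash_name="sha1"):
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of the HMAC are carried
    in msgAuthenticationParameters. In the wire format the HMAC is computed
    over the whole serialized message with that field set to 12 zero bytes."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify(kul, message, tag, hash_name="sha1"):
    """Agent-side check. compare_digest is constant-time, so an attacker cannot
    learn how many bytes of a guessed tag were right."""
    return hmac.compare_digest(auth_params(kul, message, hash_name), tag)


if __name__ == "__main__":
    kul = password_to_key(PASSPHRASE, ENGINE_ID)
    msg = b"GetRequest sysUpTime.0"          # constructed stand-in for a PDU
    tag = auth_params(kul, msg)
    print("Kul:", kul.hex())
    print("tag:", tag.hex())
    print("genuine verifies:", verify(kul, msg, tag))
    print("tampered verifies:", verify(kul, b"GetRequest sysName.0", tag))
```

Contrast this with SNMP v2c, where the community string itself travels in the packet: here nothing secret is sent, and a captured message cannot be replayed against a different agent because the key is bound to that agent's engine ID. Authentication alone still leaves the payload readable; the priv level adds encryption on top.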
System Log
Records start-up events plus subsequent changes to the configuration at an OS level
Application Log
Records data for a single specific service
Audit Log
Records use of authentication and authorization privileges
Performance and Traffic Logs
Record metrics for compute, storage, and network resources over a defined period
Security Information and Event Management (SIEM)
Designed to integrate network and security monitoring through automated collection, aggregation, and analysis of log data
Packet Sniffer
Captures frames moving over the network medium
There are three main options for connecting a sniffer to the appropriate point in the network:
SPAN (switched port analyzer)/port mirroring
Passive test access point (TAP)
Active TAP
SPAN (switched port analyzer)/port mirroring
This means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).
This method is not completely reliable.
Frames with errors will not be mirrored, and frames may be dropped under heavy load.
Passive test access point (TAP)
This is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port.
There are types for copper and fiber optic cabling.
Unlike a SPAN, no logic decisions are made so the monitor port receives every frame—corrupt or malformed or not—and the copying is unaffected by load.
Active TAP
This is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances.
Gigabit signaling over copper wire is too complex for a passive tap to monitor, and some types of fiber links may be adversely affected by optical splitting.
Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss.
tcpdump
Command line packet capture utility for Linux, providing a user interface to the libpcap library
Basic syntax of tcpdump is
tcpdump -i eth0
tcpdump is often used with some sort of filter expression:
Type—Filter by host, net, port, or portrange.
Direction—Filter by source (src) or destination (dst) parameters (host, network, or port).
Protocol—Filter by a named protocol rather than port number (for example, arp, icmp, ip, ip6, tcp, udp, and so on).
Bandwidth
Amount of information that can be transmitted, measured in bits per second (bps), or some multiple thereof.
Bottleneck
Point of poor performance that reduces the productivity of the whole network.
Reasons packets are dropped can include the following:
A server, router, or switch is overloaded.
A power outage occurred.
A firewall is blocking packets from a known destination.
A malicious actor is interfering with network transmissions.
Faulty firmware is causing packet processing errors.
Jitter
Defined as being a variation in the delay
Utilization
Data transferred over a period
Can either be measured as the amount of data traffic both sent and received or calculated as a percentage of the available bandwidth.
Per-protocol utilization
Packet or byte counts for a specific protocol
Useful to monitor both packet counts and bandwidth consumption
High packet counts will incur processing load on the CPU and system memory resources of the appliance, even if the size of each packet is quite small
Error rate
Number of packets per second that cause errors
May occur as a result of interference or poor link quality causing data corruption in frames
Discards/drops
An interface may discard incoming and/or outgoing frames for several reasons. Each interface is likely to class the type of discard or drop separately to assist with troubleshooting the precise cause.
Retransmissions
Errors and discards/drops mean that frames of data are lost during transmission between two devices.
As a result, the communication will be incomplete, and the data will, therefore, have to be retransmitted to ensure application data integrity.
If you observe high levels of retransmissions (as a percentage of overall traffic), you must analyze and troubleshoot the specific cause of the underlying packet loss, which could involve multiple aspects of network configuration and connectivity.
Cisco's NetFlow
Gathers traffic flow data only (metadata about conversations, not packet contents) and reports it to a structured database.
Using NetFlow involves deploying three types of components:
A NetFlow exporter is configured on network appliances (switches, routers, and firewalls). Each flow is defined on an exporter. A traffic flow is defined by packets that share the same characteristics, such as Source IP address, Destination IP address, Source Port, Destination Port, and Protocol. These five bits of information are referred to as a 5-tuple. A 7-tuple flow adds the input interface and IP type of service data. Each exporter caches data for newly seen flows and sets a timer to determine flow expiration. When a flow expires or becomes inactive, the exporter transmits the data to a collector.
A NetFlow collector aggregates flows from multiple exporters. A large network can generate huge volumes of flow traffic and data records, so the collector needs a high-bandwidth network link and substantial storage capacity. The exporter and collector must support compatible versions of NetFlow and/or IPFIX. The most widely deployed versions of NetFlow are v5 and v9.
A NetFlow analyzer reports and interprets information by querying the collector and can be configured to generate alerts and notifications. In practical terms, the collector and analyzer components are often implemented as a single product.
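An added example (not from the Net+ material or from any NetFlow implementation) of the exporter and analyzer roles described above: packets are keyed by the 5-tuple, cached until the flow goes quiet (inactive timeout) or runs too long (active timeout), exported as records, and then an analyzer rule flags a source that touched many distinct destination ports. The packet list is constructed; addresses are from the TEST-NET documentation ranges and the timeouts are shortened so the inactive expiry is visible in a few seconds of traffic.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    size: int       # bytes on the wire
    # A 7-tuple key would also include input interface and IP ToS; the
    # cache below keys on the 5-tuple only.


class FlowExporter:
    """Minimal NetFlow-style exporter cache keyed by the 5-tuple."""

    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout      # cap on long-lived flows
        self.inactive_timeout = inactive_timeout  # flow ends when it goes quiet
        self.cache = {}                           # key -> accounting record
        self.exported = []                        # records sent to the collector

    def observe(self, pkt):
        self.expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        rec = self.cache.get(key)
        if rec is None:
            self.cache[key] = {"first": pkt.ts, "last": pkt.ts,
                               "packets": 1, "bytes": pkt.size}
        else:
            rec["last"] = pkt.ts
            rec["packets"] += 1
            rec["bytes"] += pkt.size

    def expire(self, now):
        """Export flows that have been idle or active for too long."""
        for key, rec in list(self.cache.items()):
            idle = now - rec["last"] >= self.inactive_timeout
            too_long = now - rec["first"] >= self.active_timeout
            if idle or too_long:
                self._export(key, rec)

    def flush(self):
        for key, rec in list(self.cache.items()):
            self._export(key, rec)

    def _export(self, key, rec):
        src, dst, sport, dport, proto = key
        self.exported.append({"src": src, "dst": dst, "sport": sport,
                              "dport": dport, "proto": proto, **rec})
        del self.cache[key]


def flag_port_scanners(records, min_distinct_targets=20):
    """Analyzer rule: one source that opened flows to many distinct
    (destination, port) pairs is behaving like a port scanner."""
    seen = {}
    for r in records:
        seen.setdefault(r["src"], set()).add((r["dst"], r["dport"]))
    return sorted(src for src, t in seen.items() if len(t) >= min_distinct_targets)


def sample_packets():
    """Constructed traffic: an HTTPS session, a DNS query, a 30-port probe
    from another host, then the HTTPS session resuming after a gap longer
    than the inactive timeout (so it becomes a second flow record)."""
    pkts = [
        Packet(0.0, "192.0.2.5", "203.0.113.10", 51000, 443, 6, 60),
        Packet(1.0, "192.0.2.5", "203.0.113.10", 51000, 443, 6, 1200),
        Packet(2.0, "192.0.2.5", "203.0.113.10", 51000, 443, 6, 400),
        Packet(3.0, "192.0.2.5", "192.0.2.2", 53123, 53, 17, 70),
    ]
    pkts += [Packet(5.0 + i * 0.01, "192.0.2.9", "192.0.2.20", 40000 + i, 20 + i, 6, 40)
             for i in range(30)]
    pkts.append(Packet(30.0, "192.0.2.5", "203.0.113.10", 51000, 443, 6, 60))
    return pkts


def run():
    exporter = FlowExporter()
    for p in sample_packets():
        exporter.observe(p)
    exporter.flush()
    return exporter.exported


if __name__ == "__main__":
    records = run()
    print(len(records), "flow records exported")
    print("suspected scanners:", flag_port_scanners(records))
```

The volume point from the text is visible here: 30 probe packets of 40 bytes each produce 30 separate flow records, which is why a collector's storage and link sizing is driven by flow count, not bytes carried.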
Online speed test services fall into two main classes:
Broadband speed checkers—These test how fast the local broadband link to the Internet is. They are mostly designed for SOHO use. The tool will test downlink and uplink speeds, will test latency using ping, and can usually compare the results with neighboring properties and other users of the same ISP.
Website performance checkers—These query a nominated website to work out how quickly pages load. One of the advantages of an online tool is that you can test your site's response times from the perspective of customers in different countries.
On a local network, delay is typically caused by congestion and contention:
Congestion is where the network infrastructure is not capable of meeting the demands of peak load and starts to queue or drop packets.
Contention is the ratio between demand for a service and its available capacity. For example, if 100 video conferencing hosts each requiring 10 Mbps share a 1 Gbps link, the contention ratio is 1:1 (100 * 10 Mbps = 1 Gbps). If there are 200 hosts, the ratio is 2:1. Contention is a planning issue. You might not expect all 200 hosts to be running conferences at the same time, and so you may accept the 2:1 ratio. You would use monitoring to determine if the ratio changes (if there are more hosts or they start to require more bandwidth).
Differentiated Services
Framework that classifies each packet passing through a device, using the DSCP value carried in the IP header, so that it can be queued and forwarded according to its class
In terms of QoS, network functions are commonly divided into three planes:
Control plane—Makes decisions about how traffic should be prioritized and where it should be switched.
Data plane—Handles the actual switching of traffic.
Management plane—Monitors traffic conditions.