Networking Notes
You've got this!
Understanding the OSI Model
The Open Systems Interconnection reference model is a guide to help you understand how data traverses systems. It is not the same as the OSI protocol suite.
| Layer | Description | Mnemonic | PDU |
| --- | --- | --- | --- |
| 1 - Physical | This layer concerns physical connections such as cables and connectors, as well as the signals themselves. Troubleshooting physical-layer problems may include fixing cabling or punch-down blocks, running loopback tests, or swapping adapter cards. | Please | Bit |
| 2 - Data Link | Also known as the MAC address layer because MAC addresses are relevant to this layer. Network switches operate at this layer because they forward based on MAC addresses. It's also associated with frames and EUI-48/64. | Do | Frame |
| 3 - Network | Also known as the routing layer. This layer concerns IP addresses, routers, and packets. At this layer, frames can be fragmented to fit through the network. | Not | Packet |
| 4 - Transport | The "post office" layer. TCP and UDP operate at this layer. Packets are sent at this layer. | Throw | Segment (TCP) or Datagram (UDP) |
| 5 - Session | This layer is all about communication management between devices: starting, stopping, and restarting communication. It concerns control and tunneling protocols. | Sausage | Data |
| 6 - Presentation | This layer prepares data for human perception. This includes character encoding and application encryption. It is often combined with the Application layer. | Pizza | Data |
| 7 - Application | The application layer is the layer users see. Some protocols that operate at this layer are HTTP(S), FTP, DNS, and POP3. | Away | Data |
Network Security Groups and Lists
Network security groups (NSGs) and network security lists (NSLs) function like a firewall for cloud-based services: they let you control inbound and outbound traffic. You can create rules based on protocols or port numbers, as well as rules based on IP addresses, where ranges can be given in CIDR notation or specified directly.
Network Security Lists
Network security lists assign security rules at the subnet level: the rule applies to every device in the subnet. These are great if all the devices grouped in a subnet need the same security rules, but sometimes more granularity is needed, and in that case NSGs may be better suited for the job.
Network Security Groups
Network security groups assign security rules to specific virtual NICs. This is more granular than an NSL because, rather than applying rules to an entire subnet, you can add individual VNICs from any subnet to an NSG and apply rules that way. However, if you do just need to apply rules broadly to an entire subnet, an NSL may be the better solution.
TCP/IP Basics
Binary/Decimal Conversions
To convert binary to decimal, remember the number 128. Make a row of numbers starting with 128, then half of that, then half of that, until you have 1. Then you can make a row below that with your binary number. Each column of that row should be a 1 or 0. Now, for every column with 1, add the corresponding number in the first row.
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | Decimal |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | = 176 |
| 0 | 0 | 1 | 1 | 1 | 0 | 1 | 1 | = 59 |
Converting decimal numbers to binary is quite similar. Start with the same row of numbers as in the previous technique. Then take your decimal number and go through each column, determining whether the column's number is less than or equal to your decimal number. If it is, subtract that number from the decimal number and mark a 1 in the row below. If not, mark a 0 and go to the next number. Remember that for each subsequent number in the first row, you compare against the decimal number as it stands after the subtractions so far, not the original.
| Decimal | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 185 = | 1 | 0 | 1 | 1 | 1 | 0 | 0 | 1 |
Subnetting
Let's say you're an ISP and you want to lease IP addresses to a company or home that doesn't need 254 IP addresses (this is the number of usable IP addresses you get with a subnet mask of 255.255.255.0, or /24). To get a mask with fewer IP addresses than that, you use a process called subnetting. This process is easier to understand if you think of the subnet mask in binary form, so 255.255.255.0 becomes 11111111 11111111 11111111 00000000. If you change the subnet mask to 11111111 11111111 11111111 10000000, or 255.255.255.128 (see the binary/decimal conversion section if that part confuses you), you will now have only 126 available IP addresses and a CIDR block of /25. As you can see, subnetting is basically just adding extra ones to your subnet mask in order to get a smaller number of IP addresses.
To calculate the number of IP addresses in a subnet, use the formula 2^z = a, where z is the number of zeros in the subnet mask and a is the number of IP addresses. To calculate the number of usable IP addresses, subtract two from this number: the lowest address is the subnet ID and the highest address is the broadcast address.
Instead of calculating this information manually each time, you should try to memorize CIDR blocks and their corresponding available IP addresses in order to be quick. This is also helpful for the CompTIA Network+ exam, where you may not have access to a calculator.
| Decimal Subnet Mask | CIDR Block | Available IPs |
| --- | --- | --- |
| 255.255.255.0 | /24 | 254 |
| 255.255.255.128 | /25 | 126 |
| 255.255.255.192 | /26 | 62 |
| 255.255.255.224 | /27 | 30 |
| 255.255.255.240 | /28 | 14 |
| 255.255.255.248 | /29 | 6 |
| 255.255.255.252 | /30 | 2 |
My Take on Quick Subnetting
This method is a mix of seven-second subnetting and magic-number subnetting. It can be used to find the subnet ID, the broadcast address, the first available IP, and the last available IP, and to convert a CIDR block to a subnet mask or vice versa. You'll start by making the following chart. The Masks section is created by starting with /1, then counting up to /8, making a new column, and continuing to count until you get to /32. The next column must be memorized: 128, 192, 224, 240, 248, 252, 254, 255. The final column is made by starting with 128 and dividing it by two, then continuing to divide each number by two.
| Masks (octet 1) | Masks (octet 2) | Masks (octet 3) | Masks (octet 4) | Mask Dec. | Addresses |
| --- | --- | --- | --- | --- | --- |
| /1 | /9 | /17 | /25 | 128 | 128 |
| /2 | /10 | /18 | /26 | 192 | 64 |
| /3 | /11 | /19 | /27 | 224 | 32 |
| /4 | /12 | /20 | /28 | 240 | 16 |
| /5 | /13 | /21 | /29 | 248 | 8 |
| /6 | /14 | /22 | /30 | 252 | 4 |
| /7 | /15 | /23 | /31 | 254 | 2 |
| /8 | /16 | /24 | /32 | 255 | 1 |
Now let's find a bunch of information about a specific IP address in a subnet. We'll use the example 10.17.255.255/13. Our first goal is to turn that CIDR block into a subnet mask. Doing so is simple: first find the CIDR block (/13) on the chart. Notice that it's in the second column. Next, look on the same row as the CIDR block in the Mask Dec. column. Here we find the number 248. Since /13 is in the second column, we'll put 248 in the second octet. The octet before it will be 255 and the octets after it will be 0.
IP: 10.17.255.255/13
Mask: 255.248.0.0
Now that we have the subnet mask, we can find the subnet ID. Refer to the subnet mask. For every octet with 255, copy down the octet from the original IP address. For every 0 in the subnet mask, write 0. For any other number, AKA the interesting octet, refer to the chart. The number to the right of your interesting octet is called the magic number and represents how many IP addresses each subnet has, including the subnet ID and the broadcast address. Divide the octet in the IP address directly above the interesting octet by the magic number, disregarding any decimals (do not round up). In our case, 17/8 = 2.125. We ignore the decimals and get 2. Next, multiply that number by the magic number: 8 * 2 = 16. Write that number down.
IP: 10.17.255.255/13
Mask: 255.248.0.0
ID: 10.16.0.0
Next, let's find the broadcast address. Start by referring to the subnet mask. For each 255, copy the subnet ID. For each 0, write 255. For the interesting octet, add the subnet ID and the magic number together, then subtract 1. In this case, 16 + 8 - 1 = 23. Write that number down.
IP: 10.17.255.255/13
Mask: 255.248.0.0
ID: 10.16.0.0
Broadcast: 10.23.255.255
Lastly, the easy parts. To find the first available IP address, which is usually used for a router, simply add one to the subnet ID. To find the last available IP address, subtract 1 from the broadcast address.
IP: 10.17.255.255/13
Mask: 255.248.0.0
ID: 10.16.0.0
Broadcast: 10.23.255.255
First IP: 10.16.0.1
Last IP: 10.23.255.254
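The whole procedure above (the chart, CIDR-to-mask and back, subnet ID, broadcast, first and last usable address, plus the 2^z address count from the Subnetting section) as a Python script. This is an added example, not part of the original notes; MASK_DEC and ADDRESSES are just the two memorized chart columns, and it generalizes the method to any prefix, including the /31 and /32 rows where the "subtract two" rule does not apply.

```python
# Added example, not from the original notes: the quick-subnetting chart and
# magic-number steps, implemented for any IPv4 address and prefix length.
MASK_DEC = [128, 192, 224, 240, 248, 252, 254, 255]  # the memorized column
ADDRESSES = [128, 64, 32, 16, 8, 4, 2, 1]             # 128, halved each row


def prefix_to_mask(prefix):
    """CIDR prefix -> mask octets, e.g. 13 -> [255, 248, 0, 0].

    Chart row = (prefix - 1) % 8, chart column = (prefix - 1) // 8;
    the column tells you which octet is the interesting one.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    if prefix == 0:
        return [0, 0, 0, 0]
    col, row = divmod(prefix - 1, 8)
    return [255] * col + [MASK_DEC[row]] + [0] * (3 - col)


def mask_to_prefix(mask):
    """Mask octets -> CIDR prefix, e.g. [255, 248, 0, 0] -> 13."""
    prefix = 0
    for i, octet in enumerate(mask):
        if octet == 255:
            prefix += 8
            continue
        if octet:
            if octet not in MASK_DEC:
                raise ValueError(f"{octet} is not a valid mask octet")
            prefix += MASK_DEC.index(octet) + 1
        if any(mask[i + 1:]):   # everything after the interesting octet must be 0
            raise ValueError("mask bits are not contiguous")
        break
    return prefix


def dotted(octets):
    return ".".join(str(o) for o in octets)


def subnet_info(cidr):
    """Mask, subnet ID, broadcast, first/last usable host and address counts."""
    ip_str, prefix_str = cidr.split("/")
    ip = [int(o) for o in ip_str.split(".")]
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    net, bcast = [], []
    for ip_octet, mask_octet in zip(ip, mask):
        if mask_octet == 255:         # 255: copy the octet straight down
            net.append(ip_octet)
            bcast.append(ip_octet)
        elif mask_octet == 0:         # 0: subnet ID gets 0, broadcast gets 255
            net.append(0)
            bcast.append(255)
        else:                         # interesting octet: use the magic number
            magic = ADDRESSES[MASK_DEC.index(mask_octet)]
            start = (ip_octet // magic) * magic   # floor division, never round up
            net.append(start)
            bcast.append(start + magic - 1)
    total = 2 ** (32 - prefix)        # the 2^z = a formula
    # The "subtract two" rule assumes a subnet ID and a broadcast address exist;
    # it does not apply to /31 and /32, which are reported as 0 usable here.
    usable = total - 2 if prefix <= 30 else 0
    first = net[:3] + [net[3] + 1] if usable else net
    last = bcast[:3] + [bcast[3] - 1] if usable else bcast
    return {
        "mask": dotted(mask), "prefix": prefix, "id": dotted(net),
        "broadcast": dotted(bcast), "first": dotted(first), "last": dotted(last),
        "total": total, "usable": usable,
    }


if __name__ == "__main__":
    for key, value in subnet_info("10.17.255.255/13").items():
        print(f"{key:>9}: {value}")
```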
Networking Devices
| Name | Description | OSI Layer |
| --- | --- | --- |
| Router | Routers are used to route traffic between two different LANs or IP subnets. Routers built into switches are sometimes called "layer 3 switches." | 3 - Network |
| Switch | Used to bridge network segments. | 2 - Data Link (or 3 if it includes routing capabilities) |
| Firewall | Filters traffic by factors such as port number or application. Can also encrypt traffic. | Layers 3, 4, and/or 7 |
| IDS/IPS | Both of these devices watch network traffic. They detect exploits against the OS or applications, vulnerabilities such as XSS, and more. The difference is that an Intrusion Detection System (IDS) only produces an alert when it detects these issues, while an Intrusion Prevention System (IPS) prevents them from reaching the network. | Many options, depends on the device |
| Load Balancer | This device manages multiple servers that provide the same functions. This is helpful for managing traffic, redundancy, and sometimes performance. | 4 or 7 |
| Proxy Server | This device sits between users and the external network. It receives user requests and performs them on their behalf. It's useful for caching, access authorization, and URL and packet filtering. | |
| Access point | This device allows users to connect to an 802.11 network. Not to be mistaken for a wireless router, which is a router and access point combined into one device. | 2 - Data Link |
| Wireless LAN Controller | This device allows you to manage access points from one place. You can deploy new access points, monitor performance and security, and configure and deploy any changes you need to make. These systems are often proprietary. | 1 and 2 |
NAS vs. SAN
A Network Attached Storage (NAS) device is a storage device that's shared across the network. It provides file-level access, requiring you to copy the entire file just to make changes to it.
A Storage Area Network, on the other hand, looks and feels like a local storage device. It provides block-level access, making it very efficient for reading and writing alike.
Both NAS and SAN need a lot of bandwidth, so you may want to use an isolated network and high-speed network technologies such as fiber optics.
Link Aggregation
Link aggregation is when you take multiple interfaces connecting the same two devices and allow them to work together as a single logical interface. It's similar to how when you use twisted-pair cables, all of the individual wires and pairs work together to make one cable. In fact, the devices connected by interfaces using link aggregation will actually see them as one logical interface.
Link aggregation is currently defined by IEEE as 802.1AX-2020, originally 802.1AX-2008. It is known by many names, including but not limited to "EtherChannel," "Eth-Trunk," and "Ethernet bonding."
These aggregated interfaces are coordinated by LACP (Link Aggregation Control Protocol). LACP uses LACPDUs (Link Aggregation Control Protocol Data Units) to exchange information between the devices the links are connected to, so that the links can work together.
With LACP, the two connected devices are each given roles. One is determined as the Actor, and this device is responsible for dictating which interfaces are active. The other is made a Partner, which just follows the Actor's instructions.
A group of interfaces working together is called a Link Aggregation Group, or LAG. You should only have a maximum of 8 interfaces per LAG.
Wireless Security
Wireless Encryption
Without wireless encryption, anyone can join a wireless network and snoop on potentially sensitive information. The purpose of wireless encryption is to authenticate users before granting them access to the network and encrypt messages so that anyone who intercepts them is unable to read them. It also provides a message integrity check (or MIC), meaning that incoming messages will be checked to ensure they weren't tampered with.
| Name | Cipher mode | Description |
| --- | --- | --- |
| Wi-Fi Protected Access II (WPA2) | CCMP | WPA2 uses CCMP. CCMP provides data confidentiality with AES encryption and a MIC with CBC-MAC. WPA2 uses a pre-shared key (PSK) to authenticate users, meaning there is one password that everyone uses to connect to the network. This is a security vulnerability because the PSK's hash is sent over the network, and if an attacker manages to get hold of that hash, they can use it for a brute-force attack and gain access to the network. |
| Wi-Fi Protected Access III (WPA3) | GCMP | WPA3 uses a more powerful form of encryption called GCMP. GCMP provides data confidentiality with AES and a MIC with GMAC. WPA3 is more secure, especially in work environments, because it has a different PSK authentication process. It uses a method called Simultaneous Authentication of Equals, or SAE, which does not require a hash to be sent over the network, therefore preventing brute-force attacks. With SAE, everyone gets their own session key (which is not sent across the network) despite using the same PSK. |
These encryption methods also have Enterprise variants, identifiable by a suffix of "Enterprise" or "802.1X" rather than "Personal" or "PSK." These variants have users authenticate individually via a server (such as RADIUS) rather than using a PSK.
SSO with Kerberos
Kerberos provides SSO functionality, meaning the user only needs to sign in once, and will then be automatically authenticated into a variety of services. When a user signs into a Windows domain, there is a certain process detailed below.
- The user logs into the domain. The client computer sends an authentication request to the Kerberos server's authentication service (AS). This request contains the user's username and a timestamp which is encrypted with the user's password.
- The AS confirms that the user is listed in its database, then uses the user's password stored in its database to decrypt the timestamp. If this succeeds, the AS generates a session key and encrypts it with the user's password, as well as a ticket-granting ticket (TGT), which is encrypted with a KDC key and will expire after a specified time (such as 10 hours). The AS sends the TGT to the client.
- The client decrypts the session key using the user's password, and if successful, sends the TGT to the ticket-granting service (TGS) along with the user's name and a time stamp, both of which are encrypted using the session key.
- The TGS validates the request's contents and creates a ticket which will allow the user to access a network service. This ticket includes the name of the service, a time stamp, and the service's session key, all encrypted with the client's session key. It also includes information intended only for the service, including the client's session key, and this content is encrypted with a key that only the service has access to.
- The client decrypts the information it needs from the service ticket using the session key, then creates a service request containing the information that the TGS encrypted with the service's secret key, which is still encrypted, as well as the username and a time stamp encrypted with the client's session key.
- Finally, the service decrypts both parts of the message, verifies the user by contacting the KDC, and allows access to the user.
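The six steps above as a toy Python simulation, added here and not part of the original notes or of any real Kerberos implementation. It assumes a made-up user and service database, a simplified password-to-key step, and a toy authenticated cipher in place of Kerberos' real encryption types; the service's final check-in with the KDC from step 6 is left out. Its point is to show which key opens which message, and that a wrong password fails at the AS before any ticket exists.

```python
# Added toy walk-through of the AS -> TGS -> service exchange; not real Kerberos.
import hashlib, hmac, json, os, time


def key_from_password(password):
    """Stand-in for Kerberos' password-to-key derivation (an assumption)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    blocks = length // 32 + 1
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(blocks))


def encrypt(key, obj):
    """Toy authenticated encryption (keystream XOR + HMAC tag), for this demo only."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the message was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed KDC state: user keys, service keys, and the KDC key that seals TGTs.
USERS = {"alice": key_from_password("correct horse battery")}
SERVICES = {"fileserver": key_from_password("fileserver-long-term-secret")}
KDC_KEY = os.urandom(32)
TGT_LIFETIME = 10 * 3600   # the "such as 10 hours" from the notes


def authentication_service(username, enc_timestamp):
    """Step 2: the user must exist and the timestamp must open with the user's key."""
    user_key = USERS[username]                       # KeyError for an unknown user
    decrypt(user_key, enc_timestamp)                 # ValueError for a wrong password
    skey = os.urandom(32).hex()
    tgt = encrypt(KDC_KEY, {"user": username, "skey": skey, "exp": time.time() + TGT_LIFETIME})
    return encrypt(user_key, {"skey": skey}), tgt    # session key for the client, plus the TGT


def ticket_granting_service(tgt, authenticator, service):
    """Step 4: open the TGT with the KDC key and the authenticator with the session key."""
    body = decrypt(KDC_KEY, tgt)
    if body["exp"] < time.time():
        raise ValueError("TGT expired")
    skey = bytes.fromhex(body["skey"])
    if decrypt(skey, authenticator)["user"] != body["user"]:
        raise ValueError("authenticator does not match the TGT")
    svc_skey = os.urandom(32).hex()
    for_client = encrypt(skey, {"service": service, "svc_skey": svc_skey, "time": time.time()})
    for_service = encrypt(SERVICES[service], {"user": body["user"], "svc_skey": svc_skey})
    return for_client, for_service


def service_accepts(service, ticket, authenticator):
    """Step 6: only the service's own key opens the ticket; its key opens the authenticator."""
    body = decrypt(SERVICES[service], ticket)
    auth = decrypt(bytes.fromhex(body["svc_skey"]), authenticator)
    return auth["user"] == body["user"]


def client_login(username, password, service):
    """The client side of steps 1, 3 and 5; True when the service grants access."""
    ukey = key_from_password(password)
    enc_skey, tgt = authentication_service(username, encrypt(ukey, {"time": time.time()}))
    skey = bytes.fromhex(decrypt(ukey, enc_skey)["skey"])           # step 3
    authenticator = encrypt(skey, {"user": username, "time": time.time()})
    for_client, for_service = ticket_granting_service(tgt, authenticator, service)
    svc_skey = bytes.fromhex(decrypt(skey, for_client)["svc_skey"])  # step 5
    return service_accepts(service, for_service,
                           encrypt(svc_skey, {"user": username, "time": time.time()}))
```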
Authentication Methods
| Name | Description |
| --- | --- |
| RADIUS (Remote Authentication Dial-In User Service) | RADIUS is a pretty common AAA protocol. It's widely supported on various platforms and devices, partly due to its age. |
| TACACS | A remote authentication protocol. Its most recent version, TACACS+, is an open standard that supports more authentication requests and response codes. Despite being an open standard, it is especially common on Cisco devices. |
| Kerberos | This network authentication protocol supports single sign-on (SSO). It uses mutual authentication: the client and server authenticate each other, which prevents on-path and replay attacks. It gained a boost in popularity when Microsoft first introduced it in Windows 2000. Now, Kerberos is the method used to authenticate users signing into a Windows domain. |
IPSec
Transport Mode
By default, IPSec operates in transport mode. It is used to encrypt packets before sending them over the internet (or other networks). First, Encapsulating Security Payload (ESP) encrypts the packet's payload. Then an Authentication Header (AH) is added and used to validate the integrity of the header.
Tunnel Mode
This mode is used for VPN connections. First, IPSec runs through transport mode and takes the entire packet, using it as a payload. This payload is encrypted, and both a new Authentication Header and a new IP header are added to the new packet. An interesting thing about tunnel mode is that the IP header inside the payload can contain private IP addresses, while the outer packet's IP header can contain public IP addresses, which is helpful for NAT networks. It also provides additional security because there are two layers of encryption: both the outer packet's payload and the original packet's payload are encrypted.
DNS Records
| Name | Description | Example |
| --- | --- | --- |
| A | A record for assigning a FQDN to an IPv4 address. | www.professermesser.com IN A 162.159.246.164 |
| AAAA | A record for assigning a FQDN to an IPv6 address. | www.professermesser.com IN AAAA 1b:2121:18cd |
| MX | A record that defines a server as a mail exchanger via its FQDN. To work properly, there must also be an A or AAAA record for the mail server. | IN MX mail.professermesser.com |
| SPF | A TXT record that lists all servers authorized to send email for the domain. A server that receives an email supposedly from a certain domain queries that domain's SPF record to confirm whether the sender is authorized to send email for it. | professermesser.com 300 IN TXT "v=spf1 include:mailgun.org ~all" |
| DKIM | A TXT record containing the public key used to verify the digital signature on a domain's outgoing mail. | 5456686746.professermesser._domainkey.professermesser.com. 300 IN TXT "v=DKIM1;t=s;p=HKJGFHSDGYITFYG&E^5675865" |
| DMARC | A TXT record which defines what happens when an email cannot be verified with SPF or DKIM. For example, the email could be accepted, rejected, or sent to spam. | professermesser.com IN TXT "v=DMARC1;p=none; sp=quarantine; pct=100; rua=mailto:dmarcreports@example.com;" |
Internet Connection Types
| Name | Description | Pros | Cons |
| --- | --- | --- | --- |
| Satellite | Communication goes through a satellite in low orbit in order to reach the internet. | Comes in handy in areas where other types of connections are impossible | High cost relative to terrestrial networking; slow speeds (around 5 Mbps download, 3 Mbps upload); remote sites are difficult to service; high latency; susceptible to rain fade |
| Fiber | Connection over fiber optic cables. | High speed; can be used over long distances | More expensive to install; more expensive to repair |
| Cable broadband | Communication over the same coaxial cables that are used for cable TV. | Can transmit various traffic types; high speed is possible | |
| DSL | Uses existing telephone lines. | Faster speeds may be possible if closer to the CO | With ADSL, the most common form of DSL, upstream is much slower than downstream; ~10,000 foot limitation from the CO |
| Cellular | Uses the same cellular networks that phones use for calls. | Phones can often be used as hotspots | Tethering and hotspots may be limited by the phone carrier |
| WISP | An ISP sends data to customers wirelessly using ground stations. | Accessible in rural areas | |
Optical Fiber
SMF vs. MMF
| Single-mode Fiber | Multimode Fiber |
| --- | --- |
| Suitable for long-range communication (up to 100 km without processing) | Best for short-range communication (up to 2 km) |
| Expensive light source (such as lasers) | Relatively inexpensive light source (such as LEDs) |
Connector Types
| Local Connector | Straight-tip Connector | Subscriber Connector |
| --- | --- | --- |
| Typically the connectors come in a pair: one transmits and one receives. | Usually a single connector on its own. | Also commonly comes in pairs. |
| Has a long latch. | Named after its long ferrule that sticks out. | Often referred to as a "square connector" due to its square shape. |
Fiber Ethernet Standards
| Name | Max Throughput | Max distance per segment | Physical media | Description |
| --- | --- | --- | --- | --- |
| 100BASE-SX | 100 Mbps | Up to 300 meters | Multimode fiber | A low-cost solution for Fast Ethernet which uses a short 850-nanometer wavelength light signal. It's named SX because the wavelength is about equal to the width of six carbon atoms in a row. |
| 100BASE-FX | 100 Mbps | Up to 2 kilometers | Multimode fiber | The F stands for Fast Ethernet. It uses a longer wavelength of 1300 nanometers. |
| 1000BASE-SX | 1 Gbps | Up to 550 meters | Multimode fiber | As the S in the name suggests, it uses a short wavelength of 850 nanometers and is best suited for short runs, such as connecting a data center and a data closet within the same building. |
| 1000BASE-LX | 1 Gbps | 550 m for MMF, 5000 m for SMF | Multimode or single-mode fiber | A common fiber version of Gigabit Ethernet. It uses a long wavelength, hence the L in its name, of 1300 nanometers. It's useful for long backbone connections, such as connecting an ISP with its telecommunications carrier. |
| 10GBASE-SR | 10 Gbps | Up to 300 meters | Multimode fiber | The SR stands for "short range." It uses a wavelength of 850 nanometers. |
| 10GBASE-LR | 10 Gbps | 10 kilometers | Single-mode fiber | The LR stands for "long range." It uses a wavelength of 1310 nanometers. |
Twisted-pair Cabling
Twisted-pair cabling standards
| Name | Speed | Range | Notes |
| --- | --- | --- | --- |
| Category 3 (CAT3) | 16 Mbps | 100 meters | Not used for modern computer connections; should now only be used for telephone connections. |
| Category 5 (CAT5) | 100 Mbps | 100 meters | Minimum required standard for Fast Ethernet. |
| Enhanced category 5 (CAT5e) | 1000 Mbps | 100 meters | A higher-quality version of CAT5, boasting higher-quality copper, a higher twist ratio, and more advanced methods for reducing crosstalk. |
| Category 6 (CAT6) | 1 Gbps, or 10 Gbps at short distances | 100 meters, or significantly less for 10 Gbps | Has a plastic core to reduce crosstalk. |
| Augmented category 6 (CAT6a) | 10 Gbps | 100 meters | Further reduces crosstalk and attenuation. |
| Category 7 (CAT7) | 10 Gbps, or 100 Gbps at short distances | 100 meters | Able to function at higher frequencies thanks to STP as well as additional shielding inside the sheath. Requires either GG45, a connector compatible with RJ-45, or TERA to utilize its full potential. Rarely used. |
| Augmented category 7 (CAT7a) | 40-100 Gbps at very short distances | 100 meters, or much less for the maximum speed | Has the same requirements as CAT7 but is capable of higher speeds. |
| Category 8 (CAT8) | 25 Gbps, or 40 Gbps at longer distances compared to CAT7 | 30 meters for 40 Gbps, otherwise 100 meters | Quite new technology. It relies on extensive shielding and is best for short-distance and/or backbone connections. |
Networking cable termination types
| Name | Purpose | Description |
| --- | --- | --- |
| Straight-through/Patch cable | Used for the majority of network connection types, such as connecting a workstation to a switch or a switch to a router. | Created by terminating both ends of the Ethernet cable using the exact same TIA 568 standard. |
| Crossover cable | Used for older devices that do not support Gigabit Ethernet, and only when connecting two like devices, such as two switches. | Created by using the TIA 568A standard on one end and the TIA 568B standard on the other end. |
| Console/Rollover cable | Used to connect a computer to the console port of a router. | Created by mirroring the order of the pins that the wires are connected to on one end when terminating the cable. |
Ethernet standards
| Name | Maximum throughput | Maximum distance per segment | Physical media | Pairs of wires used |
| --- | --- | --- | --- | --- |
| Power over Ethernet (PoE) | Depends on the physical media used | Depends on the physical media | Category 5 or better copper cable | 4 pairs |
| 10BASE-T | 10 Mbps | 100 meters | Cat 3 or better UTP | 2 pairs |
| 100BASE-T | 100 Mbps | 100 meters | Cat 5 or better | 2 pairs |
| 100BASE-TX | 100 Mbps | 100 meters | Cat 6 or better | 2 pairs |
| 1000BASE-T | 1 Gbps | 100 meters | Cat 5 or better | 4 pairs |
| 10GBASE-T | 10 Gbps | 100 meters | Cat 6a or Cat 7 | 4 pairs |
| 40GBASE-T | 40 Gbps | 30 meters | Cat 8 | 4 pairs |
Basic Network Device Commands
| Generic Command | Description | Cisco command |
| --- | --- | --- |
| show mac-address-table | A command for switches that shows the switch's MAC address table. This table is a list of devices that are connected to the switch. | show mac-address-table |
| show route | A command for routers which displays the routing table. | show ip route |
| show interface | Shows the status of a particular networking interface. Can be used to find configuration info and errors such as CRC errors. | show interfaces [interface type] [port number of interface] |
| show config | Shows the device's configuration settings. | show running-config |
| show arp | Shows a device's ARP table, that is, the table that maps a MAC address to its IP address. | show arp |
| show vlan | A command for switches, showing the VLANs associated with that switch and its interfaces. | show vlan |
| show power | Displays various power-related information, such as power supply status, PoE usage, and available, used, and remaining power. It also shows you the device's remaining wattage, allowing you to plan for future devices. | show power inline |