N10-009 Networking Concepts Study Guide for the CompTIA Network+

Page 4

Network Topologies, Architectures, and Types

A network is composed of two or more devices that share resources in some manner. Networks can be extremely simple or highly complex depending on the type of network employed and the topology or the manner in which they are connected. Network topologies can be either physical or logical. You will need to be able to identify and explain the characteristics of common network topologies and types.

Mesh

A mesh is a network topology in which every device in a network is connected to all other devices in the network. A mesh network is not typically used in larger networks due to the sheer number of connections needed to complete the mesh. A mesh network does, however, provide very high fault tolerance.

[Figure: Mesh Network]

Hybrid

A hybrid topology mixes different topologies into a single network. For example, a hybrid mesh creates connections between multiple devices to create redundancy and fault tolerance without connecting all of the devices.

Star/Hub-and-Spoke

A star topology, also referred to as a hub-and-spoke topology, is a network topology that has all devices connected to a central point, such as a hub, access point, or switch. Star topologies provide the ability to scale easily, and they allow for simpler troubleshooting and fault tolerance if one connection fails. However, star topologies do have a single point of failure in the central point.

[Figure: Star Network]

Spine-and-Leaf

A spine-and-leaf network architecture is a two-tier network, primarily used in data centers, that consists of two switching layers, the spine and the leaf. A spine-and-leaf architecture is commonly fabric-based, meaning it consists of a system of switches and their interconnections represented as a single entity. A spine-and-leaf network has advantages over a three-tier network (discussed below), including higher resiliency, lower latency, faster performance, easier scalability, and increased adaptability.

[Figure: Spine and Leaf Network]

Point-to-Point

A point-to-point network topology is one in which two devices are connected directly to one another. This is the simplest network topology.

[Figure: Point to Point Network]

Three-Tier Hierarchical Model

A three-tiered network architecture is used primarily in modern data centers and divides the computing responsibilities into three layers or tiers depending on their specific function within the data center or network.

[Figure: Three-Tier Model]

Core

The first tier is the core layer. The core layer is responsible for traffic distribution to the second tier. The core layer consists of highly redundant and high-speed devices, often chassis-based switches. The core layer does not provide security functions, since its function is to relay data as quickly as possible.

Distribution

The second tier is the distribution or aggregation layer. The distribution or aggregation layer is responsible for providing core layer connections, access layer redundancy, security and access controls, and routing of the third tier. The distribution layer consists of at least two high-speed switches that provide network redundancy by transferring the load to another switch if one switch fails.

Access

The third tier is the access or edge layer. This layer is where all other network devices and switches connect to the primary network.

Collapsed Core

A collapsed core topology reduces the three-tiered model to two tiers by combining the core and distribution layer into a single layer.

[Figure: Collapsed Core Model]

Traffic Flows

A traffic flow is the way traffic moves within a network, either from one tier to another or from one device to another within a network or data center.

North-South

North-south traffic is traffic that moves from one layer to another in a network. For example, in a three-tiered architecture, traffic flow from the access layer to the distribution layer to the core layer is north-south traffic.

East-West

East-west traffic is the traffic that flows from one device to another within the data center. For example, traffic flowing between spines and leaves is east-west traffic. In modern networks, east-west traffic far exceeds north-south traffic.

IPv4 Network Addressing

IPv4 is the most commonly used method of data transmission through the Internet Protocol. It is, however, limited in the number of available addresses it contains. IPv4 uses a structured hierarchical scheme to assign IP addresses to clients. This scheme consists of either two (network and host) or three (network, subnet, and host) levels. How IP addresses are assigned within IP depends on the addressing mode. All questions about this concept will involve a scenario.

Public vs. Private

IP addresses, due to the limited number of addresses available, can be either public or private depending on the assigned address. A public IP address is routable through the internet and accessible to devices outside of the network. A private IP address can only be used for internal networking and is not accessible from outside of the network, which allows for multiple entities to use the same set of private IP addresses within their own network. If every device on every network in the world had to have its own individual IP address, there would not be enough addresses to accommodate the demand. Public and private IP addresses are pre-established.

Automatic Private IP Addressing (APIPA)

APIPA is an addressing scheme that can automatically assign a private IP address to network-connected devices when a Dynamic Host Configuration Protocol (DHCP) server is unavailable. APIPA addresses cannot route outside the host network, meaning they cannot connect to external networks such as the internet. The IPv4 address allotment used by APIPA is 169.254.0.1 to 169.254.255.254 with a default Class B subnet mask of 255.255.0.0. APIPA is a Windows OS feature.

RFC 1918

RFC 1918, developed by the Internet Engineering Task Force (IETF), provides a standard for private IP addressing that is used by networking devices when assigning private IP addresses to devices. RFC 1918 defines three sets of IP address ranges that are reserved for private use and are not routable over the internet. The three sets are divided into address classes as follows:

  • Class A: 10.0.0.0 to 10.255.255.255 or 10/8 prefix
  • Class B: 172.16.0.0 to 172.31.255.255 or 172.16/12 prefix
  • Class C: 192.168.0.0 to 192.168.255.255 or 192.168/16 prefix

Loopback/Localhost

A link-local address is automatically generated to facilitate communications between devices in a LAN. Like APIPA addresses, link-local addresses are not accessible from outside of the network. In IPv4, link-local addresses are only assigned if all other methods of IP addressing fail. They have a range of 169.254.0.0 to 169.254.255.255.

A loopback address sends a packet back to the sender without transmitting to other portions of the network. While the loopback range for IPv4 is 127.0.0.0 to 127.255.255.255, the 127.0.0.1 IP address, also known as the localhost, is the most commonly used and provides an internal IP address that routes back to itself.

Subnetting

Subnetting is the process of taking one larger network and dividing it into smaller networks. With subnetting, the first portion of the IP address, known as the prefix, indicates the network address, while the final portion, or suffix, represents the host address. In IPv4, there are two methods of separating the prefix and the host: classless and classful addressing.

Variable Length Subnet Mask (VLSM)

Also called a classless subnet mask, a VLSM does not have a predefined prefix length. Instead, the prefix length of the subnet is indicated in the IP address itself using Classless Inter-Domain Routing (CIDR; pronounced “cider”) notation. Classless subnetting has replaced classful subnetting in most situations.

Classless Inter-Domain Routing (CIDR)

CIDR (pronounced “cider”) notation or, more commonly, slash notation, is used for VLSM. For example, a classless address written in CIDR notation could be 12.24.76.8/8. The 8 after the slash indicates the length of the prefix, which would be the first eight bits (or first byte) of the address, resulting in 12.0.0.0 being the network address. The remaining 24 bits would be the host address.

IPv4 Address Classes

Classful subnetting separates IP address subnets into classes. You need to be able to identify the class of an IP address based on the prefix.

Class A

Class A addresses assign the first byte of an IP address to the network with the remaining three bytes reserved for the host, resulting in a network.host.host.host format. Class A IP addresses range from 0.0.0.0 to 127.255.255.255.

Class B

Class B addresses assign the first two bytes (16 bits) of an IP address to the network, with the remaining two bytes reserved for the host, resulting in a network.network.host.host format. The Class B address range is 128.0.0.0 to 191.255.255.255.

Class C

Class C addresses assign the first three bytes (24 bits) to the network with the remaining byte reserved for the host, resulting in a network.network.network.host format. Class C addresses range from 192.0.0.0 to 223.255.255.255.

Class D

Class D addresses do not specify a prefix and suffix. Instead, Class D addresses are used for multicast addressing. Class D addresses range from 224.0.0.0 to 239.255.255.255.

Class E

Class E addresses do not specify a prefix and suffix. Class E addresses are used for scientific and research purposes. Class E addresses range from 240.0.0.0 to 255.255.255.255.
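The subnetting, CIDR, address class, RFC 1918, APIPA and loopback material above can be checked with a few lines of integer math. This is an added example, not part of the study guide; it uses only the ranges the guide states, and the sample addresses in the comments are constructed.

```python
# Added example (not from the study guide): IPv4 address math with plain
# integers, covering CIDR prefixes, classful ranges, RFC 1918, APIPA and loopback.
def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for part in octets:
        n = int(part)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def split_cidr(cidr: str):
    """'12.24.76.8/8' -> (address as int, prefix length)."""
    addr, prefix = cidr.split("/")
    length = int(prefix)
    if not 0 <= length <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    return ip_to_int(addr), length

def network_address(cidr: str) -> str:
    """Keep the prefix bits and zero the host bits: 12.24.76.8/8 -> 12.0.0.0."""
    addr, length = split_cidr(cidr)
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return int_to_ip(addr & mask)

def address_class(addr: str) -> str:
    """Classful lookup from the first octet (A: 0-127 ... E: 240-255)."""
    first = ip_to_int(addr) >> 24
    for limit, cls in ((127, "A"), (191, "B"), (223, "C"), (239, "D")):
        if first <= limit:
            return cls
    return "E"

# Ranges from the guide; the 172.16/12 block runs through 172.31.255.255.
SPECIAL_RANGES = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("APIPA/link-local", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]

def in_cidr(addr: str, cidr: str) -> bool:
    """True when addr shares the network bits of cidr."""
    _, length = split_cidr(cidr)
    return network_address(f"{addr}/{length}") == network_address(cidr)

def describe(addr: str) -> str:
    # Label an address as private/APIPA/loopback, else publicly routable.
    for label, cidr in SPECIAL_RANGES:
        if in_cidr(addr, cidr):
            return label
    return "public (routable)"
```

Note that 172.32.0.1 is classified as public: the /12 prefix ends at 172.31.255.255, a common exam trap.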

Evolving Use Cases

As network technology evolves, how networks are used and operated also evolve. You should be able to summarize and identify common use cases in the modern work environment.

Software-Defined network (SDN) and Software-Defined Wide Area Network (SD-WAN)

SDN is a networking architecture that brings all networking devices under a centralized controller. This allows changes to be implemented via the centralized controller rather than having to configure each network device individually. An SD-WAN uses software to create a virtual WAN. All connectivity, devices, and services are managed through the SD-WAN controller. SD-WANs are often used with WANs to separate the physical WAN from the controlling mechanism.

Application Aware

An SDN with built-in information pertaining to individual applications is referred to as application aware. Application awareness provides increased application efficiency as well as improved effectiveness of network maintenance and administration.

Zero-Touch Provisioning

Zero-touch provisioning is the ability to deploy multiple network resources without individual configuration and deployment of each resource, leading to faster deployment and decreased errors due to the human factor.

Transport Agnostic

An SDN has the ability to use various transport mechanisms, making SDNs transport agnostic. Transport agnostic networks are able to reduce reliance on legacy equipment, lower network costs, and provide increased network visibility, orchestration, and monitoring.

Central Policy Management

Central policy management through an SDN provides a single management point for all connected network environments, including the cloud and on-premises components. Central policy management is able to apply security policies and configuration changes uniformly without having to communicate with each component individually.

Virtual Extensible Local Area Network (VXLAN)

A VXLAN is a protocol used to tunnel data link layer (Ethernet) traffic over the network layer (IP). A VXLAN encapsulates a frame (wraps it in additional protocol headers) within an IP packet so that it can traverse a data center while retaining its VLAN information.

[Figure: Encapsulation]

Data Center Interconnect (DCI)

A DCI is a method of connecting data centers to one another, most commonly via a VPN, a leased line, or the internet. A VXLAN can be used as an overlay network on top of a physical network to facilitate the scalability and flexibility of interconnected data centers.

Layer 2 Encapsulation

A VXLAN uses Layer 2 encapsulation to increase network utilization by using the encapsulating Layer 3 header to route traffic using all available paths rather than depending on Layer 2 protocols, which may be blocked to prevent switching loops.

[Figure: Layer 2 Encapsulation]
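The encapsulation described above can be made concrete by building and parsing the VXLAN header itself. This is an added example, not from the study guide: the 8-byte header layout and UDP port 4789 come from RFC 7348 (not stated on this page), the Ethernet frame and MAC addresses are constructed sample values, and the outer IP/UDP headers are assumed to be added by the transport stack rather than built here.

```python
# Added example (not from the study guide): the 8-byte VXLAN header from RFC 7348
# wrapped around a constructed 802.1Q-tagged Ethernet frame. Outer IP/UDP
# headers (UDP port 4789) are left to the transport stack and not built here.
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
FLAG_VNI_VALID = 0x08   # "I" flag: the VNI field carries a valid segment ID


def ethernet_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                   ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame: dst(6) src(6) 802.1Q tag(4) type(2) payload."""
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def inner_vlan(frame: bytes):
    """VLAN ID carried in the inner frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def vxlan_encap(vni: int, frame: bytes) -> bytes:
    """Prepend the VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    return header + frame


def vxlan_decap(payload: bytes):
    """Return (vni, inner_frame), or None when the header is malformed."""
    if len(payload) < 8:
        return None
    flags, _, vni_field = struct.unpack("!B3sI", payload[:8])
    if not flags & FLAG_VNI_VALID or vni_field & 0xFF:
        return None   # VNI flag unset or reserved byte non-zero: drop
    return vni_field >> 8, payload[8:]
```

The inner frame comes back byte-for-byte intact, tag included, which is what lets the VLAN information survive the trip across the Layer 3 fabric.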

Zero Trust Architecture (ZTA)

ZTA is a security concept in which no device or user is trusted, even if they were previously trusted. A ZTA, also called perimeter-less network security, requires dynamic authentication of all requests prior to network resource access.

Policy-Based Authentication

Policy-based authentication, sometimes referred to as attribute-based access control (ABAC), uses predefined rule sets to allow or deny access to resources. Combining multiple attributes or requirements creates the policy that must be met prior to authentication.

Authorization

While authentication is the process of confirming the device or user making the request, authorization dictates what the authenticated entity is allowed to access once inside. Authorization can also be based on policy.

Least Privilege Access

Least privilege access, also referred to as the principle of least privilege, is the concept that an entity’s access or authorization for resource utilization should be reduced to the minimum required to perform a task. Using least privilege access supports ZTA.

Secure Access Service Edge (SASE)/Security Service Edge (SSE)

SASE is a cloud-based security framework that supports a ZTA by providing both network and security services. SASE secures networks by authenticating users and devices from any location and through any connection, providing cloud-based infrastructure security, and protecting physical, logical, or digital edges. SSE is a subset of SASE and provides cloud-based security for website access using tools such as a secure web gateway (SWG), a cloud access security broker (CASB), or a firewall as a service (FWaaS), among others.

Infrastructure as Code (IaC)

IaC is a cloud-based practice used to provision, deprovision, and manage cloud infrastructure. IaC takes the configuration settings of cloud network devices and translates them into machine-readable definition files, which can be applied to other devices in the cloud network, resulting in faster deployment, configuration consistency, and fewer errors.

Automation

Automation is the fulfillment of a single task without human intervention. The tasks completed by automation are then combined into a workflow in a process called orchestration. Using IaC in a cloud environment for automation and orchestration allows the client to create a complete and complex computing environment virtually.

Playbooks/Templates/Reusable Tasks

Automation uses playbooks, templates, or reusable tasks to guide actions. A playbook is a list of commands or tasks that will be executed when run. A template is a vendor-released reusable task. These predefined playbooks can be used as is or adjusted to meet the needs of the network to complete common tasks.

Configuration Drift/Compliance

During manual configuration, a gradual shifting away from new or updated policies can occur. This is known as drift, and it may prevent the entity from meeting compliance requirements. Automation is useful in identifying and correcting configuration drift or compliance lapses.

Upgrades

Upgrading systems, especially in a large networking environment, can be very time-consuming and may lead to misconfigurations or missed upgrades. Automation can be programmed to apply applicable upgrades throughout a network.

Dynamic Inventories

A dynamic inventory is an automation feature that extracts information from inventory data through the use of plugins, providing up-to-date inventories that may otherwise be difficult to maintain in large environments.

Source Control

Source control, also called version control, is the process of managing and tracking changes to code. Source control is an essential component of using and managing IaC code repositories.

Version Control

A version control system tracks changes to source code and allows for ease of access to previous versions of the original source code. When IaC is used for automation, using the latest version of the code is vital to maintaining security and proper functionality.

Central Repository

A central repository is a model for storing source code in a centralized location, providing visibility and consistency and facilitating collaboration.

Conflict Identification

Conflicts occur when there are inconsistencies or incompatibilities in developed code. Automation tools can be used to identify conflicts, which can then be addressed.

Branching

Branching is a code development technique that allows different developers to work on different portions of the code at the same time. The codebase, also called the trunk, baseline, mainline, or master, is used as a base from which the branches are spawned. The branches are contained in an isolated environment during development and testing.

IPv6 Addressing

IPv6 is the latest version of IP and increases the number of available addresses exponentially. IPv6 was developed to enhance the inherent capabilities and standards of the Internet Protocol while also mitigating address exhaustion. While IPv4 and IPv6 do have a number of concepts in common, IPv6 includes additional concepts that are unique and standard.

Mitigating Address Exhaustion

IPv4 addresses are finite, which leads to address exhaustion, or the use of all available addresses. IPv6 mitigates address exhaustion by increasing the number of available addresses from roughly 4.3 billion to around 340 undecillion.

Compatibility Requirements

While migrating to the use of IPv6 rather than IPv4 is the future goal, there are some compatibility issues to address, including the ability of networking devices and software to use IPv6 addressing. While migrating to IPv6 can be complex, costly, and work-intensive, various strategies can be employed to facilitate the process.

Tunneling

IPv6 tunneling encapsulates an IPv6 packet inside an IPv4 packet, creating a link between two IPv6 nodes across IPv4 infrastructure. IPv6 tunneling allows IPv6 packets to be sent and received between those nodes even when the intervening devices may not have IPv6 capabilities, over an established IPv4 connection.

Dual Stack

A dual stack is the ability of a device to run IPv4 and IPv6 at the same time, assigning addresses and sending and receiving traffic for both. Implementing a dual-stack network configuration allows for seamless communications between devices using IPv4 and IPv6 addressing, facilitating the transition to full usage of IPv6.

Network Address Translation 64 (NAT64)

NAT64 is used to allow communications between IPv6 and IPv4 connections by translating the different addresses through a gateway with both an IPv6 prefix (namely 64:ff9b::/96) and an IPv4 address to create a map between the different address types.
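The mapping a NAT64 gateway keeps between the two address families can be shown in code. This is an added example, not part of the study guide: the 64:ff9b::/96 prefix is the one named above, the embedding of the IPv4 address in the low 32 bits follows RFC 6052 (not stated on this page), and the pool address 192.0.2.1, the client 2001:db8::10 and the server 192.0.2.33 are constructed sample values.

```python
# Added example (not from the study guide): how a NAT64 gateway maps between
# address families using the well-known prefix 64:ff9b::/96. With a /96, the
# IPv4 address occupies the low 32 bits (RFC 6052). All hosts are constructed.
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of the /96 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(WKP.network_address) | v4))


def extract(ipv6: str):
    """Recover the IPv4 address, or None if the address is not NAT64-synthesized."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in WKP:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class Nat64Gateway:
    """Minimal stateful mapping: IPv6 (addr, port) <-> IPv4 pool (addr, port)."""

    def __init__(self, pool_v4: str):
        self.pool_v4 = pool_v4
        self.next_port = 40000
        self.by_v6 = {}     # (src6, port6) -> port4
        self.by_port4 = {}  # port4 -> (src6, port6)

    def outbound(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 client -> IPv4 server: rewrite both addresses and the source port."""
        dst4 = extract(dst6)
        if dst4 is None:
            raise ValueError("destination is native IPv6; no translation needed")
        key = (src6, sport)
        if key not in self.by_v6:
            port4 = self.next_port
            self.next_port += 1
            self.by_v6[key] = port4
            self.by_port4[port4] = key
        return (self.pool_v4, self.by_v6[key], dst4, dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int):
        """IPv4 server reply -> IPv6 client: reverse the mapping, drop unknowns."""
        if dst4 != self.pool_v4 or dport not in self.by_port4:
            return None  # unsolicited traffic with no state: dropped
        src6, port6 = self.by_port4[dport]
        return (synthesize(src4), sport, src6, port6)
```

An IPv4 packet arriving for a pool port with no matching state is dropped, which is the same property that keeps the gateway from becoming an open relay into the IPv6 side.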
