TCP/IP Model(4 Layers)
- Application Layer: HTTP, FTP, SSH
- Transport Layer: TCP, UDP, QUIC
- Internet Layer: IP, ICMP
- Link Layer: MAC, device driver
OSI Model(7 Layers)
- Layer 7: Application Layer (HTTP, FTP, BGP, SNMP)
- Layer 6: Presentation Layer
- Layer 5: Session Layer, controls the dialogues (connections) between computers. (SOCKS)
- Layer 4: Transport Layer (TCP, UDP)
- Layer 3: Network Layer (IP, ICMP) (Layer 3 Wwitch)
- Layer 2: Data Link Layer. (Switch, Bridge)
- Media Access Control (MAC) layer
- Logical Link Control (LLC) layer
- Point-to-Point Protocol (PPP)
- Layer 1: Physical Layer (Hub)
OSI vs TCP/IP
- In TCP/IP model, Internet Layer is a subset of OSI model's network layer. It describes only one type of network architecture: the internet.
- OSI's top 3 layers (application, presentation and session) are not distinguished separately in TCP/IP model.
Layer 1 data is just bits sent across a wire.
Devices: without logic. E.g. cables, hubs (a hub simply broadcasts traffic to all ports).
Layer 2 is primarily involved in transmitting data from one specific node to another. 2 sub-layers: Medium Access Control (MAC) and Logical Link Control (LLC).
- MAC: provides a unique address for each endpoint on the Layer 2 topology.
- LLC: a helper layer to assist between Layer 2's MAC and Layer 3
frame is a protocol data unit, the smallest unit of bits on a Layer 2 network. (for multiplexing Layer 3 Protocols, i.e. helps facilitate the ability for multiple Layer 3 protocols to be used simultaneously over the same medium).
Unilke bits, frames have a defined structure and can be used for error detection, control plane activities and so forth.
Layer 2 Devices: switches, bridges, network interface cards. They use the headers of the packet to determine where it goes.
- unicast: sending frames from one node to a single other node.
- multicast: sending traffic from one node to multiple nodes.
- broadcasting: the transmission of frames to all nodes in a network. A broadcast domain is a logical division of a network in which all nodes of that network can be reached at Layer 2 by a broadcast.
Segments of a LAN can be linked at the frame level using bridges. Bridging creates separate broadcast domains on the LAN, creating VLANs, which are independent logical networks that group together related devices into separate network segments.
Forwarding is the relaying of packets from one network segment to another by nodes in the network.
Data: a packet. A stateless grouping of data. No validation (which may be done by layer 4, e.g. TCP yes, UDP no).
Devices: routers (routes/forwards data packets based on their IP addresses), Layer 3 switches. Firewalls.
Layer 4 identifies which application protocols (HTTP, SNTP, FTP, etc.) are included with each packet and uses this information to hand off the packet to the appropriate higher-layer software. Layer 4 switches make packet forwarding decisions based not only on the MAC address and IP address, but also on the application a packet belongs to.
Devices: Layer 4 switches, gateways (a protocol converter which will translate one protocol into the other), firewalls.
Things related to Networking
- Routing: BGP (IPv4 and IPv6), OSPF (v2 and v3), RIP and RIPng, policy-based routing.
- VPN: IPsec, VTI, VXLAN, L2TPv3, L2TP/IPsec and PPTP servers, tunnel interfaces (GRE, IPIP, SIT), OpenVPN in client, server, or site-to-site modes, WireGuard.
- Firewall and NAT: Stateful firewall, zone-based firewall, all types of source and destination NAT (one to one, one to many, many to many).
- Network services: DHCP and DHCPv6 server and relay, IPv6 RA, DNS forwarding, TFTP server, web proxy, PPPoE access concentrator, NetFlow/sFlow sensor, QoS.
- Layer 3.
- IP is connectionless, i.e. a data packet can travel from a sender to a recipient without the recipient having to send an acknowledgement.
IPv4 Private address: (NOT publicly routable):
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
- Layer 3. No associated TCP or UDP port number.
- a supporting protocol.
- sends success/failure and error messages (e.g. a requested service is not available or that a host or router could not be reached.) when communicating with another IP address.
- not typically used to exchange data between systems
- for diagnostic or control purposes, e.g. used by diagnostic tools like
- ICMPv6 is for IPv6.
Simple Network Management Protocol (SNMP)
- Layer 7 (Application).
- Purpose: network monitoring.
- Used in modems, routers, switches, servers, workstations, printers, etc.
Dynamic Host Configuration Protocol
- automatically assigning IP addresses and other communication parameters to devices, eliminates the need for individually configuring network devices manually.
- a client–server architecture: a centrally installed network DHCP server and client instances of the protocol stack on each computer or device.
Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host.
TFTP can be easily implemented by code with a small memory footprint.
- the protocol of choice for the initial stages of any network booting strategy like BOOTP, PXE, BSDP, etc.
- to transfer firmware images and configuration files to network appliances like routers, firewalls, IP phones, etc.
- virtually unused for Internet transfers; only used on local area networks (LAN).
UDP port 69.
What does "lock-step" mean:
There is only ever one packet outstanding at any time, and every packet received by either party caused one packet to be sent in reply (until the termination of the transfer). The TFTP specification said that any time any packet was received, the receiver was required to send the appropriate reply packet. Thus, the receipt of a block of data triggered the sending of an 'acknowledgement', and the receipt of an acknowledgement triggered the sending of the next data block.
TFTP includes timeouts. After sending a packet, it expects a reply, so it starts a timer. If the timer expires with no reply received, it takes some action; typically re-sending the original packet.
Anycast addressing uses a one-to-nearest association; datagrams are routed to a single member of a group of potential receivers that are all identified by the same destination address.
what happens: type
example.com in browser, use Anycast to find the nameserver (google/godaddy), nameserver lookup your ip in their records, the request is redirected to that ip, your server receives the request, parse the http request, retrieve static html or data from databse, return response, user’s browser receive response, render HTML
Multiprotocol Label Switching (MPLS)
Directs data from one node to the next based on labels rather than network addresses.
Multiple analog or digital signals are combined into one signal over a shared medium. The aim is to share a scarce resource.
Domain Names / DNS
FQDN: Fully Qualified Domain Name: sometimes also referred as an absolute domain name is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).
TLD: Top Level Domains.
Google DNS is a public DNS service that is provided by Google.
18.104.22.168: the primary DNS server for Google DNS.
22.214.171.124: the secondary DNS server.
iSCSI stands for Internet Small Computer Systems Interface.
An Internet Protocol (IP)-based storage networking standard for linking data storage facilities. The protocol allows admins to better utilize shared storage by allowing hosts to store data to remote networked storage, and virtualizes remote storage for applications that require direct attached storage.
Open-iSCSI: implements the SCSI protocol.
To check sessions (it will show one entry for each SAN LIF):
iscsiadm -m session iscsiadm -m session -P 3
The iSCSI protocol encapsulates SCSI commands and assembles the data in packets for the TCP/IP layer. TCP/IP is a universal and non-proprietary technology.
iSCSI initiator vs target
iSCSI storage works by transporting block-level data between iSCSI initiator on a server and iSCSI target on a storage device through the TCP/IP network.
- iSCSI initiator: a piece of software or hardware that is installed in a server to send requests to and receive responses from an iSCSI target.
- iSCSI target: on storage devices providing the storage, which listens and responds to commands from iSCSI initiators.
iSCSI SAN vs Fibre Channel SAN
iSCSI SAN storage is a cost-effective alternative to traditional Fibre Channel (FC) SAN.
- FC SAN requires dedicated hardware (FC HBA, FC switch, etc.).
- iSCSI SAN storage can be built on existing network infrastructure (fiber switch, router, etc.), rather than requiring us to buy additional hardware.
- iSCSI SAN is less performant than FC SAN.
iSCSI vs NAS
- iSCSI is a data transport protocol.
- NAS is a common way of connecting storage into a shared user network.
iSCSI vs NFS
- for data sharing among multiple client machines.
- shares data on the file level.
- supports a single client for each volume on the server.
- shares data on the block level
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems, allowing a user on a client computer to access files over a computer network much like local storage is accessed. Similar protocols include SMB (Server Message Block) and AFP (Apple Filing Protocol).
Standard: DOCSIS (Data Over Cable Service Interface Specification)
|Version||Since||Max Downstream||Max Upstream|
|1.0||1997||40 Mbit/s||10 Mbit/s|
|1.1||2001||40 Mbit/s||10 Mbit/s|
|2.0||2002||40 Mbit/s||30 Mbit/s|
|3.0||2006||1 Gbit/s||200 Mbit/s|
|3.1||2013||10 Gbit/s||1-2 Gbit/s|
|4.0||2017||10 Gbit/s||6 Gbit/s|
Bluetooth 5 is the latest version.
One feature is Dual Audio: you can play audio on two connected devices at the same time, or stream two different audio sources to two different audio devices at the same time.
- 5.0: 2016
- 5.1: Jan 2019
- 5.2: Dec 2019
- 5.3: 2021
About the name and the logo:
- The king Harald "Bluetooth" is most famous for uniting Norway and DenmarkGormsson (bluetooth is to unite the PC and cellular industries with a short-range wireless link)
- Logo: a combination of the Nordic runes for the letters H (ᚼ) and B (ᛒ) for 'Harald Bluetooth'
Near-field communication: a set of communication protocols for communication between two electronic devices. Used for contactless payment.
The network is distributed over land areas called "cells", each served by at least one fixed-location transceiver.
- mmWave: higher speeds, however with a limited range.
- sub-6GHz: speeds in the 100-150 Mbps (in the United States), easier to deploy but far less powerful than mmWave 5G.
Border Gateway Protocol (BGP)
The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks.
It is the language spoken by routers. When someone submits data via the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route.
BGP is the protocol that makes the Internet work by enabling data routing.
- iBGP: internal BGP.
- eBGP: external BGP.
BGP vs IGP:
- Interior Gateway Protocols (IGP):
- used for Transport, Underlay purposes.
- used usually just for IPv4 and IPv6 Unicast purposes.
- Border Gateway Protocols (BGP):
- used for Service Layer, the Overlay mechanism.
- 20 different purposes, IPv4 unicast, IPv4 multicast, IPv4 unicast, IPv6 multicast, EVPN, L2VPN, Security, Quality of Service, Multicast, and many other purposes.
Berkeley Packet Filter (BPF) and eBPF
BPF: Provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.
eBPF: origins in the Linux kernel, using a JIT mechanism.
eBPF = Kernel Runtime (including verifier, JIT, etc) + SDKs (Go, C++, Rust, etc) + Projects (Cilium, Falco, etc).
Use cases: networking, observability / monitoring, tracing / profiling, and security.
eBPF is clearly superior to iptables.
There is no such thing as a pre-defined eBPF datapath. eBPF is a programming language and runtime engine that allows to build datapath features among many other things. The Cilium and Calico eBPF datapaths differ quite significantly.
Network bonding: a process of combing or joining two or more network interfaces together into a single interface.
Why? For performance improvements and redundancy: If one interface is down or unplugged the other one will work.
In Linux, a special kernel module named
bonding is used to connect multiple network interfaces into a single interface.
The bond interface (e.g.
bond0) share the load among many interfaces, which gives fault tolerance and increases throughput.
Check the status of a bond:
$ cat /proc/net/bonding/bondN
GENEVE (Generic Network Virtualization Encapsulation), A new network virtualization standard, promises to address the perceived limitations of the earlier specifications and support all of the capabilities of VXLAN, NVGRE and STT.
Defines an encapsulation data format only. It does not include any information or specification for the control plane.
Virtual routing and forwarding (VRF)
IP technology that enables the virtual creation of multiple routes instate on one physical device, layer 3. It allows multiple instances of a routing table to co-exist within the same router at the same time.
VRFs are used for network isolation/virtualization at Layer 3 of the OSI model as VLANs serve similarly at Layer 2. (VRFs are the TCP/IP layer 3 equivalent of a VLAN.)
- Full VRF focuses on labeling Layer 3 traffic via MPLS — a similar idea to Layer 2 VLANS.
- VRF lite, actually a subset of VRF, is normally VRF without MPLS and MP BGP. Used in the office LAN or data center environment to virtualize various security zones and network elements.
Example: Within each VRF, set at least two VXLAN based subnets: an external subnet and an internal subnet. The CIDR blocks of the external subnets will be advertised to the data center network, thus accessible from a outside client.
The Cost of Encryption: Wireguard vs IPsec
Wireguard outperforms IPsec.
A SOCKS5 proxy is an alternative to a VPN (faster than VPN). It routes packets between a server and a client using a proxy server. This means that your real IP address is hidden and you access the internet with an address provided to you by a proxy provider.
SOCKS is a de facto standard for circuit-level gateways (level 5 gateways). A circuit-level gateway is a type of firewall.
- Telnet => SSH: because of serious security concerns when using Telnet over an open network such as the Internet, its use for this purpose has waned significantly in favor of SSH.
- Internet Group Management Protocol (IGMP): used on IPv4 networks. Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which is a part of ICMPv6 in contrast to IGMP's bare IP encapsulation.
- SSL => TLS; TLS 1.0 and 1.1 were deprecated in 2021.
- Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a mechanism ethernet uses to help deal with collisions on half duplex networks. Today, with Gigabit Ethernet and higher, there is virtually no half duplex and therefore no need to do this.
Small Form-factor Pluggable (SFP):
- fiber-optic cable
- The SFP replaced the larger gigabit interface converter (GBIC) in most applications, and has been referred to as a Mini-GBIC by some vendors.
- At introduction, typical speeds were 1 Gbit/s for Ethernet SFPs and up to 4 Gbit/s for Fibre Channel SFP modules
- SFP+ (2006): up to 10 Gbit/s
- SFP28: up to 25 Gbit/s.
- A slightly larger sibling is the four-lane Quad Small Form-factor Pluggable (QSFP)
- QSFP28 (2014): up to 100 Gbit/s
- QSFP56 (2019): up to 200 Gbit/s
- SFP-DD: allows for 100 Gbit/s over two lanes
- QSFP-DD: allows for 400 Gbit/s over eight lanes
- OSFP (Octal Small Format Pluggable) (2022): up to 800 Gbit/s
Network interface cards (NICs)
Brands: Mellanox and Granite.
Serial consoles allow admins to manage critical infrastructure without needing to log in to each separate device individually. A serial console also provides out-of-band (OOB) management, creating a completely separate network that’s dedicated to infrastructure management and troubleshooting. OOB management allows you to remotely troubleshoot, monitor, and administer your infrastructure, and more.
A LIF (logical interface) is an IP address associated with a physical or logical port.
The Arp-scan network discovery command is designed to map physical (MAC) addresses to logical (IP) addresses. The Address Resolution Protocol (ARP) uses a simple message format containing one address resolution request or response.
nmcli (nm for NetworkManager)
$ nmcli device show
dnsmasq: a lightweight DNS server.
dnsmasq accepts DNS queries and either answers them from a small, local cache or forwards them to a real, recursive DNS server.
The dnsmasq plugin: instead of using the DNS nameserver assigned by DHCP,
NetworkManager will configure a local copy of
dnsmasq that can be customized.
CIDR: Classless Inter-Domain Routing
CIDR is a method for allocating IP addresses and for IP routing.
CIDR blocks: share an initial sequence of bits in the binary representation of their IP addresses. E.g. a
/20 block is a CIDR block with an unspecified 20-bit prefix.
Usecase example: ONTAP does not support https/TLS to encrypt iSCSI connections; instead use IPSec tunnel (strongSwan).
All data sent over the Internet is broken down into smaller chunks that are called packets.
Data packets have two main parts: the header and the payload. packets on the Internet have multiple headers attached by different networking protocols.
In networking, maximum transmission unit (MTU) is a measurement representing the largest data packet that a network-connected device will accept.
packets that exceed the MTU of a network cannot pass through that network. data packets that exceed MTU are broken up into smaller pieces so that they can fit through. This process is called fragmentation. Fragmented packets are reassembled once they reach their destination.
MTU almost always is used in reference to layer 3 packets, or packets that use the Internet Protocol (IP). MTU measures the packet as a whole, including all headers and the payload.