7/31/2019 Ccna VPN Raid Qans
1/117
CCNA Questions
Ques 1:- What is the Difference between Hub and Switch?
Ans :-
HUB
1. Hub is a Layer 1 device.
2. Hub is not an intelligent device.
3. Hub does not read the frame.
4. Hub always broadcasts: every frame it receives is repeated out all other ports.
5. We cannot configure a hub.
6. In a hub the rate of data transmission is slow.
7. Hub is a half-duplex device.
8. In a hub the bandwidth is shared (divided) among all connected hosts.
9. Hub does not provide any frame filtering in the network.
10. Hub is a single broadcast domain.
11. Hub is a single collision domain.
12. Hub does not create any table.
SWITCH
1. Generally a switch is a Layer 2 (or Layer 2/Layer 3) device.
2. Switch is a more intelligent device.
3. Switch reads the frame (source and destination MAC address).
4. Switch provides conditional broadcasting in the network: a frame is forwarded only out the port where the destination MAC address was learned; only broadcasts, multicasts and unknown-unicast frames are flooded.
5. We can configure a (manageable) switch.
Manageable Switch: we can configure a manageable switch, which means we can create VLANs on it. With the help of such a switch we can create separate broadcast domains in the network.
Ques 3:- How many types of Switch?
Ans :- There are two types of switch:
1. Normal (unmanaged) Switch
2. Manageable (managed) Switch
Ques 4:- What is the Difference between Switch and Bridge?
Ans :- Generally a switch and a bridge have the same functionality in the network (both learn MAC addresses and forward frames per port), but there are a few differences:
Bridge: few ports (typically a maximum of 16), forwarding done in software.
Switch: many ports (100 or more across a chassis or stack), forwarding done in hardware (ASICs), and it supports features such as VLANs and full duplex on every port.
Ques 5:- What is the Function of Router?
Ans :- A router is a device that provides connectivity between two or more different network IDs (IP networks). A router is a Layer 3 device of the OSI model.
Ques 6:- What is the function of Layer 2 Switch?
Ans :- A Layer 2 device provides connectivity within a single network ID. For example:
1. Switch
2. Bridge
Ques 9:- What is the function of Layer 3 Device?
Ans :- A Layer 3 device provides connectivity between two or more different network IDs. For example:
1. Router
2. Layer 3 Switch
Ques 10:-How many Types of Router are Available in the Network?
Ans :- There are two types of router in the network:
1. Fixed Router, i.e. the 2500 series
2. Modular Router, i.e. the 1600, 1700, 2600, 3600, 4500 and above series
Ques 11:-What are the Differences between Fixed Router and Modular Router?
Ans :- Fixed Router: we cannot add additional serial ports (or other interface modules) to a fixed router, as well as
5. Auxiliary Port: remote configuration of the router (through a modem attached to the AUX port).
Ques 13:-What is Broadcast Domain?
Ans :- Whenever one computer sends a broadcast message in the network and another computer receives that broadcast message, we can say both computers belong to a single broadcast domain.
1. Hub is a single broadcast domain.
2. Switch is a single broadcast domain by default (each VLAN is its own broadcast domain).
3. Router: every router interface is a separate broadcast domain; broadcasts are not forwarded between them.
4. Bridge is a single broadcast domain by default.
Ques 14:-What is Collision Domain?
Ans :- Whenever two computers send a message at the same time on the same shared medium, a collision happens; in that case we can say both computers belong to a single collision domain.
1. Hub is a single collision domain.
2. Switch: every switch port is a separate collision domain.
3. Bridge: every bridge port is a separate collision domain.
4. Router: every router interface is a separate collision domain.
Ques 15:-What is VLAN?
Ques 18:-What is the function of BPDU {Bridge Protocol Data Unit}?
Ans :- BPDU stands for Bridge Protocol Data Unit. BPDUs are the frames switches exchange in spanning tree operation: they carry the sender's bridge ID, the root bridge ID and the path cost to the root, and from them STP elects the root bridge and detects (and blocks) loops in the network.
Ques 19:-What is Trunk?
Ans :- A trunk carries the traffic of multiple VLANs over one link between two switches (or a switch and a router). Frames on the trunk are tagged with their VLAN ID (802.1Q; the older Cisco ISL encapsulation is also possible). A trunk can be configured on any switch port, not only a Fast Ethernet port.
Ques 20:-What is Uplink Port?
Ans :- An uplink port provides the connectivity between two or more network devices (for example from an access switch up to a distribution switch or router).
Ques 21:-What is Native VLAN?
Ans :- By default VLAN 1 exists on every switch and all ports are members of it; this is the default VLAN. The native VLAN is a property of an 802.1Q trunk: it is the one VLAN whose frames are sent across the trunk untagged, and by default it is also VLAN 1. We cannot modify or delete VLAN 1, but we can change the membership of any port in the switch and we can change the native VLAN of a trunk. The native VLAN must match on both ends of a trunk, and it should be an unused VLAN rather than one carrying user traffic, because a mismatch or a double-tagged frame lets an attacker hop between VLANs.
Ques 22:-How many types of VLAN?
VLAN in the switch. For dynamic VLANs we use a VMPS server; VMPS stands for VLAN Management Policy Server (it assigns a port's VLAN from the MAC address of the attached host).
Ques 24:-What is Routing?
Ans :- Routing moves a packet from one network ID to another network ID. Routes are created on the router, and a Layer 3 device (a router or a Layer 3 switch) provides the routing in the network.
Ques 25:-What is Routing Table?
Ans :- The routing table is stored on the router and contains all of the routes the router knows (directly connected networks, static routes and routes learned from routing protocols). Whenever the router receives a packet from one network, it looks up the destination address in the routing table, picking the most specific (longest) matching prefix, and then sends the packet to the next-hop router for that route, or directly out the interface if the destination network is connected.
Ques 26:-How many methods to create a Route on the Router?
Ans :- There are two methods to create a route on the router:
1. Static routing: in static routing the administrator manually creates each route on the router; it is basically used for smaller networks.
Default static routing: if only one exit point is available on the router, we create a default static route (destination 0.0.0.0 0.0.0.0) on the router, which matches any destination not found in the routing table.
Ques 28:-What is IOS {Internetwork Operating System}?
Ans :- IOS stands for Internetwork Operating System. It is the operating system of Cisco routers and switches; it sits between the hardware and the user interface (the command-line interface), turning the commands we enter into the configuration of the device.
Ques 29:-What is Protocol?
Ans :- A protocol is a set of rules and regulations that provides the communication between two or more different devices in the network.
Ques 30:-How many types of Protocol in the Network?
Ans :- There are two types of protocol in the network:
1. Routing Protocol, i.e. RIP, IGRP, EIGRP, OSPF
2. Routed Protocol, i.e. TCP/IP, IPX/SPX, AppleTalk
Ques 31:-What is the Difference between Routing Protocol and RoutedProtocol?
Ans :- Except Cisco, other companies' routers support only the industry-standard routing protocols, RIP and OSPF. Cisco developed its own routing protocols, called Cisco-standard (proprietary) routing protocols: IGRP and EIGRP. Cisco's claim is that its routing protocols are more intelligent than RIP and OSPF, and that a Cisco router supports all of the routing protocols in the network: RIP, IGRP, EIGRP and OSPF.
Ques 33:-What is AD {Administrative Distance}?
Ans :- AD stands for Administrative Distance. Administrative distance expresses how trustworthy a route source is (a directly connected network is 0, a static route 1, EIGRP 90, OSPF 110, RIP 120). The lower the AD, the more preferred the source. It is used whenever two or more route sources (dynamic routing protocols or static routes) offer a route to the same destination: the router installs the one from the source with the lowest AD, regardless of the protocols' metrics, which cannot be compared with each other.
Ques 34:-What is BGP {Border Gateway Protocol}?
Ans :- BGP stands for Border Gateway Protocol. It provides routing between two or more different autonomous systems (separately administered environments, such as ISPs) in
Ans :- The root bridge is the master switch in the network. Every switch has an ID number called the bridge ID. The switch with the lowest bridge ID becomes the root bridge and the rest of the switches are non-root bridges in the network; root or non-root depends only on the bridge ID. The bridge ID is a combination of priority + MAC address. This term is used in spanning tree operation in the network.
Ques 37:-What is Non-Root Bridge?
Ans :- A non-root bridge is any switch other than the root bridge (the master switch) in the network; each non-root bridge selects one root port towards the root bridge. This term is used in STP operation in the network.
Ques 38:-What is Root Port?
Ans :- The root port is the port on a non-root bridge with the lowest path cost to the root bridge (ties are broken by the lowest sender bridge ID and then the lowest sender port ID). This port is always in the forwarding state. It is not the same as a designated port: the designated port is the port on each segment that forwards traffic toward the root bridge, and every port on the root bridge is a designated port.
Ques 39:-What is Forwarding Stage?
Ans :- Every port is in one of two states:
1. Forwarding state: in the forwarding state the port can send and receive frames as
Ques 41:-What are the Differences between RIP, IGRP, EIGRP and OSPF Routing Protocols?
Ans :-
1. RIP-:
RIP stands for Routing Information Protocol. It is an industry-standard dynamic routing protocol. It is not a very intelligent routing protocol and is basically used in smaller organizations. It supports a maximum of 15 hops (routers) in a path; a hop count of 16 means the network is unreachable.
RIP routes are denoted by R in the routing table. Its administrative distance is 120. RIP cannot create separate administrative boundaries (areas) in the network.
It calculates the metric in terms of hop count from the source network to the destination network; the lower the hop count, the better the route for that network.
It works on the Bellman-Ford (distance vector) algorithm. RIPv1 does not support VLSM; RIPv2 supports VLSM.
2. IGRP-: IGRP Stands For Interior Gateway Routing protocol
3. EIGRP-: EIGRP stands for Enhanced Interior Gateway Routing Protocol.
It is a Cisco-standard (proprietary) routing protocol, more capable than RIP and IGRP, and is basically used in medium to large organizations. Its maximum hop count is 255 (the default limit is 100). Its administrative distance is 90. It calculates the metric from bandwidth and delay by default (load and reliability can be included through the K values). EIGRP works on the DUAL (Diffusing Update Algorithm) algorithm.
EIGRP routes are denoted by D in the routing table. EIGRP supports VLSM. EIGRP creates three tables in the router:
1. Neighbor Table
2. Topology Table
3. Routing Table
4. OSPF-:
OSPF stands For Open shortest path First
OSPF creates three tables in the router:
1. Neighbor Table
2. Database Table (the link-state database, LSDB)
3. Routing Table
Ques 42:-What is CIDR {Classless Inter Domain Routing}?
Ans :- CIDR stands for Classless Inter-Domain Routing. It replaces the fixed Class A/B/C boundaries with a prefix length written after the address (e.g. 192.168.0.0/22), so that networks can be allocated and summarized (supernetted) at any bit boundary.
Ques 43:-What is VLSM {Variable Length Subnet Mask}?
Ans :- VLSM stands for Variable Length Subnet Mask. Whenever we use different subnet masks for different subnets within the same organization (for example /30 for point-to-point links and /24 for user LANs), that architecture is called VLSM.
Ques 44:-What is CLSM {Constant Length Subnet Mask}?
Ans :- CLSM stands for Constant Length Subnet Mask (also called FLSM, Fixed Length Subnet Mask). Whenever we use the same subnet mask for every subnet in the entire organization, that architecture is called CLSM.
Ques 45:-What is the function of Console Cable?
Ans :- With the help of the console cable we connect a terminal directly to the console port of a router, switch or PIX firewall, for initial configuration, password recovery and troubleshooting when the network itself is unavailable (out-of-band access).
Ans :- A Layer 1 device provides communication within a single network ID. For example: hub, repeater, cable, NIC.
Ques 49:-What is VTP {VLAN Trunking Protocol}?
Ans :- VTP stands for VLAN Trunking Protocol. It is basically used in a VLAN environment: VTP sends and receives VLAN information (the creation, deletion and renaming of VLANs) over trunk links between switches in the same VTP domain, so that VLANs need only be defined once.
Ques 50:-How many types of VTP Operation Mode?
Ans :- There are three types of VTP operation mode in the network:
1. VTP Server mode
2. VTP Client mode
3. VTP Transparent mode
By default all switches are in VTP server mode. (Because a switch in server mode with a higher configuration revision number overwrites the VLAN database of every other switch in the domain, a switch that is being added to a network should be put in transparent mode or have its revision number reset first.)
Ques 51:-What is the difference between VTP Server Mode, Client Mode and Transparent Mode?
Ans :-
apply VLAN information received from other switches, and this switch does not send its own VLAN information to other switches in the network (it only passes VTP advertisements through). That means we can say this switch does not participate in the VLAN configuration of the domain.
Ques 52:-What is Switching Method in the Network?
Ans :- The switching method defines how data is sent and received from one switch to another in the network. There are three types of switching method:
1. Store-and-Forward
2. Cut-Through
3. Fragment-Free
Ques 53:-What is difference between Store-and-Forward, Cut-Through and Fragment-Free Method?
Ans :-
1. Store-and-Forward: the switch receives the whole frame, checks the CRC, and only then forwards it; highest latency, but corrupted frames are dropped.
2. Cut-Through: the switch starts forwarding as soon as it has read the destination MAC address; lowest latency, but errored frames are forwarded too.
3. Fragment-Free: the switch waits for the first 64 bytes (the minimum frame size, within which collisions show up) before forwarding; a compromise between the other two.
Ques 56:-What is the booting Sequence of Router?
Ans :- There are three steps for booting a router:
1. POST {Power On Self Test}, followed by the bootstrap program from ROM
2. Load the IOS {Internetwork Operating System} from flash
3. Load the startup configuration from NVRAM (if none is found, the router enters setup mode)
Ques 57:-What is the difference between RIPv1 and RIPv2?
Ans :- There is one major difference between RIPv1 and RIPv2: RIPv1 is classful and does not support VLSM, while RIPv2 is classless and supports VLSM (it carries the subnet mask in its updates). RIPv2 also multicasts its updates to 224.0.0.9 instead of broadcasting them, and supports authentication of updates (plaintext or MD5), which RIPv1 does not.
Ques 58:-What is the difference Classful Routing and Classless Routing?
Ans :- Whenever we talk about classful routing, the routing protocol does not send the subnet mask with the route, so every subnet of a major network must use the same mask (CLSM, Constant Length Subnet Mask).
Whenever we talk about classless routing, the routing protocol sends the subnet mask with each route, so we can use VLSM (Variable Length Subnet Mask) in the network.
Ques 59:-What is ASN {Autonomous System Number}?
Ques 61:-How many types of Industry Standard Routing Protocol in the Network?
Ans :- There are two industry-standard routing protocols in the CCNA syllabus (IS-IS and BGP are open standards as well):
1. RIP {Routing Information Protocol}
2. OSPF {Open Shortest Path First}
Ques 62:-What is the function of Area Number in OSPF Routing Protocol?
Ans :- The area number defines an administrative boundary in the network. Within the same area all of the routers exchange complete link-state information with their neighbors and hold an identical database. Area 0 is called the backbone area and all of the routers in it are called backbone routers. Whenever any area wants to communicate with another area, that traffic must be forwarded through area 0. Every area must be connected to area 0, either directly or through a virtual link.
Ques 63:-What is the function of Loopback Interface in OSPF Routing Protocol?
Ans :- Loopback interfaces are basically used in an OSPF environment. The loopback interface IP address defines the RID (router ID) of the router: if no router-id command is configured, OSPF takes the highest IP address among the loopback interfaces, and only if there is no loopback the highest IP address of an active physical interface. A loopback is preferred because it never goes down, so the RID stays stable. The RID is the tie-breaker in DR and BDR selection in the network (after the interface priority).
Ans :- This timer specifies how long a router should wait before declaring a route invalid if it does not receive a specific update about it.
Ques 67:-What is Flush Timer?
Ans :- After the flush timer expires, the router deletes that particular route from the routing table.
Ques 68:-What are the Timers of RIP, IGRP, EIGRP and OSPF Routing Protocol?
Ans :-
1. RIP Timers
   1. Update Timer: 30 seconds
   2. Hold-down Timer: 180 seconds
   3. Invalid Timer: 180 seconds
   4. Flush Timer: 240 seconds
2. IGRP Timers
   1. Update Timer: 90 seconds
   2. Hold-down Timer: 280 seconds
   3. Invalid Timer: 270 seconds
   4. Flush Timer: 630 seconds
1. Route Summarization
2.
Ques 71:-What is the difference between Static NAT, Dynamic NAT and Overloading NAT?
Ans :- There are three types of NAT in the network.
1. Static NAT: a fixed one-to-one mapping between one inside (private) address and one public address, defined manually by the administrator. It is used when a particular computer, such as a server, must always be reachable from the Internet at the same public address.
2. Dynamic NAT: we define a pool of public addresses; an inside host is mapped to a free address from the pool when it starts a session, so only as many computers as there are addresses in the pool can be connected to the Internet at the same time.
3. Overloading NAT (PAT): overloading NAT is also called PAT (Port Address Translation). With the help of PAT all of the internal users connect to the Internet through a single public IP address; the router tells their sessions apart by the translated source port number, which is why it is called PAT.
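The following is an added example and not part of the original question bank: a small model of the translation table a PAT router keeps. It shows the two behaviours the answer above describes, many inside hosts sharing one public address and being distinguished by port, and it also shows why PAT gives some protection, since inbound packets that do not match an existing entry have nowhere to go. The class name, the public address 203.0.113.10 and the inside hosts are assumptions made for the example.

```python
class PatTable:
    """Port Address Translation (NAT overload): every inside host shares one public
    address and is told apart by the translated source port. (Illustrative model,
    not router code.)"""

    def __init__(self, public_ip, port_floor=1024, port_ceiling=65535):
        self.public_ip = public_ip
        self.port_floor, self.port_ceiling = port_floor, port_ceiling
        self.outbound_map = {}    # (inside_ip, inside_port, proto) -> public_port
        self.inbound_map = {}     # (public_port, proto) -> (inside_ip, inside_port)

    def _allocate_port(self, wanted, proto):
        # Keep the original source port when it is free (what Cisco IOS does);
        # otherwise pick the next unused port. Collisions are what make PAT stateful.
        if (wanted, proto) not in self.inbound_map:
            return wanted
        for port in range(self.port_floor, self.port_ceiling + 1):
            if (port, proto) not in self.inbound_map:
                return port
        raise RuntimeError("PAT pool exhausted for %s" % proto)

    def translate_outbound(self, inside_ip, inside_port, proto="tcp"):
        """Inside -> outside: return the (public_ip, public_port) the packet leaves with."""
        key = (inside_ip, inside_port, proto)
        if key not in self.outbound_map:
            port = self._allocate_port(inside_port, proto)
            self.outbound_map[key] = port
            self.inbound_map[(port, proto)] = (inside_ip, inside_port)
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, public_port, proto="tcp"):
        """Outside -> inside: only traffic matching an existing entry is forwarded;
        anything else has no translation and is dropped (None)."""
        return self.inbound_map.get((public_port, proto))


if __name__ == "__main__":
    # Constructed sample: two inside hosts happen to pick the same source port.
    pat = PatTable("203.0.113.10")
    print(pat.translate_outbound("192.168.1.10", 50000))   # keeps port 50000
    print(pat.translate_outbound("192.168.1.11", 50000))   # collision: gets 1024
    print(pat.translate_inbound(1024))                      # reply goes to 192.168.1.11
    print(pat.translate_inbound(4444))                      # unsolicited: None, dropped
```

Translations are kept per protocol, so a TCP and a UDP flow may use the same public port; in a real router the entries would also age out after an idle timeout, which this model omits.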
Ques 72:-What is PAT {Port Address Translation}?
Ques 75:-What is the function of the Telnet Command?
Ans :- The Telnet command provides remote configuration of any device in the network, such as a router, switch or PIX firewall. Telnet sends everything, including the login and enable passwords, in cleartext, so on a real network SSH should be used instead (configure a hostname and ip domain-name, generate RSA keys with crypto key generate rsa, and set transport input ssh on the vty lines).
Ques 76:-How many types of Access List in the Network?
Ans :- There are two types of access list in the network:
1. Numbered Access List
2. Named Access List
Numbered and named access lists are each again divided into two parts:
1. Standard Access List (filters on source address only)
2. Extended Access List (filters on source and destination address, protocol and port)
Ques 77:-What is the difference between Number Access List and Name Access List?
Ans :- Numbered access list: traditionally we cannot edit an existing numbered access list; a new entry is appended at the end, and to change anything the whole list has to be removed and re-entered.
Named access list: in this access list we can edit the existing list entry by entry, according to the company's requirements.
(On current IOS releases both kinds carry sequence numbers, and a numbered list can also be edited per entry by entering ip access-list standard <number> or ip access-list extended <number>.)
Ques 78:-What is difference between Standard Access List and ExtendedAccess List?
Ans :- A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit means "this bit of the address must match", a 1 bit means "ignore this bit". Wildcard masks are generally used in access lists and in the OSPF network statement. For example, 0.0.0.255 matches any address in a /24, 0.0.0.0 matches exactly one host (the host keyword), and 255.255.255.255 matches everything (the any keyword). Unlike a subnet mask, a wildcard mask need not be contiguous.
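As an added example (not part of the original question bank), the following code derives a wildcard mask from a prefix length and then performs the match a router does for each entry of a standard access list, top to bottom, ending in the implicit deny. The sample ACL, the addresses and the function names are constructed for the example; one entry uses a non-contiguous wildcard (0.0.254.255) to show that such masks are legal and match every other /24.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def subnet_mask(prefix_len):
    """Contiguous subnet mask for a /prefix_len network, as a 32-bit int."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def wildcard_mask(prefix_len):
    """Wildcard mask = bitwise inverse of the subnet mask.
    A 0 bit means 'this address bit must match', a 1 bit means 'ignore this bit'."""
    return subnet_mask(prefix_len) ^ ALL_ONES


def dotted(value):
    """Render a 32-bit int as dotted decimal (e.g. 255 -> '0.0.0.255')."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(address, base, wildcard):
    """The comparison a router performs for an ACL entry or an OSPF network
    statement: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (a & care) == (b & care)


def acl_decision(acl, address):
    """Walk a standard ACL (list of (action, base, wildcard) tuples) top to bottom.
    The first matching entry decides; an unmatched address hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action
    return "deny"


# Constructed sample ACL, equivalent to:
#   access-list 10 permit 10.1.1.64 0.0.0.63
#   access-list 10 deny   10.1.1.0  0.0.0.255
#   access-list 10 deny   10.0.1.0  0.0.254.255   (odd third octet in 10.0.x.x; non-contiguous)
#   access-list 10 permit any
SAMPLE_ACL = [
    ("permit", "10.1.1.64", "0.0.0.63"),
    ("deny", "10.1.1.0", "0.0.0.255"),
    ("deny", "10.0.1.0", "0.0.254.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print("/26 wildcard:", dotted(wildcard_mask(26)))
    for host in ("10.1.1.70", "10.1.1.10", "10.0.5.9", "10.0.4.9", "192.168.5.5"):
        print(host, acl_decision(SAMPLE_ACL, host))
```

Entry order matters: 10.1.1.70 is permitted by the first line even though the second line would deny the whole 10.1.1.0/24, and an empty list denies everything.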
Ques 80:-How many types of ISDN Technologies are available in the Network?
Ans :- There are two types of ISDN technology available in the network:
1. BRI {Basic Rate Interface}
2. PRI {Primary Rate Interface}
Whenever we talk about BRI technology, two B channels and one D channel are available.
Whenever we talk about PRI technology, PRI is again divided into two technologies:
1. T1 technology (North America and Japan)
2. E1 technology (Europe and most of the rest of the world)
Ques 81:-What is the difference between BRI and PRI Technologies?
Ans :- BRI stands for Basic Rate Interface. In BRI a maximum of 2 B channels and 1 D channel are available. Each B channel runs at 64 Kbps and the D channel at 16 Kbps.
PRI stands for Primary Rate Interface. Whenever we talk
Ques 83:-What is the Function of D Channel in ISDN Technologies?
Ans :- The D channel carries the signaling in the network: call setup and teardown between the source and destination computers depend on the D channel, while the B channels carry the user data.
Ques 84:-What is HDLC {High level Data Link Control Protocol}?
Ans :- HDLC stands for High-Level Data Link Control protocol. This protocol is basically used on leased lines. By default HDLC is the encapsulation enabled on the serial interfaces of a Cisco router. Note that Cisco's HDLC is a proprietary variant (it adds a protocol type field), so when the other end of the leased line is not a Cisco device, PPP is used instead.
Ques 85:-What is PPP?
Ans :- PPP stands for Point-to-Point Protocol. It is an industry-standard Layer 2 protocol for serial and dial-up links and is basically used for connecting to the Internet. Unlike HDLC it offers authentication (PAP, which sends the password in cleartext, and CHAP, which uses a challenge-response and should be preferred), compression and multilink.
Ques 86:-What is the Difference between ISDN and Frame Relay Technologies?
Ans :- ISDN stands for Integrated Services Digital Network. Generally ISDN works on SVCs (Switched Virtual Circuits): a circuit is set up when a call is placed and torn down afterwards. In ISDN we use PPP (Point-to-Point Protocol) in the network.
Ans :- Metric (cost) is generally used in the routing environment. If more than one route to a particular network is available from the same routing protocol, the router uses the metric value; the lower the metric, the better the route for that network. If the metric values are the same, the router installs all of those routes and does (equal-cost) load balancing across them.
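As an added example, not part of the original question bank, the following code puts together the three rules from the answers on the routing table (Ques 25), administrative distance (Ques 33) and metric above: longest prefix match first, then lowest administrative distance, then lowest metric, with equal metrics all installed for load balancing. The sample routing table, the next-hop addresses and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances (the values the material above gives, plus connected/static).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str     # destination network, e.g. "10.1.0.0/16"
    source: str     # how the route was learned: a key of ADMIN_DISTANCE
    metric: int     # protocol-specific cost; only comparable within one protocol
    next_hop: str


def select_routes(table, destination):
    """Return the route(s) a router would forward `destination` with.

    1. Longest prefix match: the most specific network containing the address.
    2. Administrative distance: among equally specific prefixes, trust the
       source with the lowest AD (metrics of different protocols are not comparable).
    3. Metric: among routes from that source, lowest metric wins; ties are all
       installed, which is equal-cost load balancing.
    An empty list means no route (the packet would be dropped).
    """
    dst = ipaddress.IPv4Address(destination)
    matching = [r for r in table if dst in ipaddress.IPv4Network(r.prefix)]
    if not matching:
        return []
    longest = max(ipaddress.IPv4Network(r.prefix).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.IPv4Network(r.prefix).prefixlen == longest]
    best_ad = min(ADMIN_DISTANCE[r.source] for r in matching)
    matching = [r for r in matching if ADMIN_DISTANCE[r.source] == best_ad]
    best_metric = min(r.metric for r in matching)
    return [r for r in matching if r.metric == best_metric]


def next_hops(table, destination):
    """The set of next-hop addresses traffic to `destination` would be spread over."""
    return {r.next_hop for r in select_routes(table, destination)}


# Constructed sample routing table.
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "static", 0, "203.0.113.1"),          # default route
    Route("10.0.0.0/8", "rip", 3, "10.255.0.2"),
    Route("10.1.0.0/16", "ospf", 20, "10.255.0.3"),
    Route("10.1.0.0/16", "rip", 2, "10.255.0.2"),            # lower metric but higher AD: loses to OSPF
    Route("10.1.2.0/24", "eigrp", 30720, "10.255.0.4"),
    Route("10.1.2.0/24", "eigrp", 30720, "10.255.0.5"),      # equal metric: both installed
    Route("10.1.2.0/24", "eigrp", 40960, "10.255.0.6"),      # worse metric: not installed
]

if __name__ == "__main__":
    for dest in ("10.1.2.7", "10.1.9.9", "10.200.1.1", "8.8.8.8"):
        print(dest, sorted(next_hops(SAMPLE_TABLE, dest)))
```

The order of the rules is also the security lesson: a route source that wins on AD (an injected static route, or a rogue neighbor speaking a protocol with a low AD such as EIGRP) takes the traffic regardless of what the legitimate protocol's metric says, which is why routing protocol authentication and passive interfaces matter.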
Ques 89:-How many types of Subnet Mask?
Ans :- There are two types of subnet mask in the network:
1. Default subnet mask
2. Customized subnet mask
Ques 90:-What is the difference between Default Subnet Mask and Customize Subnet Mask?
Ans :- Default subnet mask: it is generally used with classful IP addresses (255.0.0.0 for Class A, 255.255.0.0 for Class B, 255.255.255.0 for Class C).
Customized subnet mask: it is generally used with classless IP addresses. Whenever we talk about subnetting and supernetting, we use a customized subnet mask in the network.
Ans :- BDR stands for Backup Designated Router. It is basically used in the OSPF routing protocol. The BDR listens to the same link-state updates as the DR, so it holds a complete backup copy of the network topology. When the DR goes down, the BDR becomes the DR in the network and a new BDR is elected.
Ques 94:-What is Process ID in OSPF Routing Protocol?
Ans :- The process ID simply identifies the OSPF routing process on that router (router ospf <process-id>). It is locally significant: it can be the same or different on all of the routers in the network without affecting whether they form neighbor relationships.
Ques 95:-What is Bridge ID?
Ans :- Every switch has an ID number called the bridge ID. The bridge ID is a combination of priority + MAC address. The switch with the lowest bridge ID becomes the root bridge in the network; in layman's terms we can say the root bridge is the master switch in the network. Every switch has a default priority of 32768. We can change the switch priority (in steps of 4096, because the low 12 bits of the priority field hold the VLAN ID as the extended system ID).
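As an added example, not part of the original question bank, the following code models the root bridge election described in the two bridge ID answers above (the root bridge answer and Ques 95): a bridge ID is priority followed by MAC address, compared as one number. The switch names, MAC addresses and helper names are constructed for the example. It also shows the case a practitioner cares about: with every switch at the default 32768 the oldest (lowest MAC) switch wins by accident, and a device that sends a BPDU with priority 0 takes the root role from everyone, which is what BPDU guard and root guard exist to stop.

```python
import re


def bridge_id(priority, mac):
    """Bridge ID as a 64-bit int: 16-bit priority in the high bits, 48-bit MAC below.
    Lower value wins the root bridge election; priority is compared first and the
    MAC address only breaks ties."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    hexdigits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return (priority << 48) | int(hexdigits, 16)


def format_bridge_id(priority, mac):
    """Render it the way 'show spanning-tree' does: priority.mac in Cisco dotted form."""
    hexdigits = re.sub(r"[.:-]", "", mac).lower()
    return f"{priority}.{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def elect_root(switches):
    """switches: {name: (priority, mac)}. Returns the name of the root bridge,
    i.e. the switch with the numerically lowest bridge ID."""
    if not switches:
        raise ValueError("no switches")
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def with_priority(switches, name, priority):
    """Copy of the topology with one switch's priority changed
    (the effect of 'spanning-tree vlan 1 priority <n>' on that switch)."""
    updated = dict(switches)
    updated[name] = (priority, switches[name][1])
    return updated


# Constructed topology: three switches left at the default priority of 32768.
DEFAULT_PRIORITY = 32768
LAN = {
    "Core": (DEFAULT_PRIORITY, "0011.2233.4455"),
    "Access1": (DEFAULT_PRIORITY, "0011.2233.0001"),   # lowest MAC: wins by accident
    "Access2": (DEFAULT_PRIORITY, "00:aa:bb:cc:dd:ee"),
}

if __name__ == "__main__":
    print("all defaults:        ", elect_root(LAN))
    planned = with_priority(LAN, "Core", 4096)
    print("core set to 4096:    ", elect_root(planned))
    rogue = dict(planned)
    rogue["Rogue"] = (0, "de:ad:be:ef:00:01")          # attacker's BPDU with priority 0
    print("rogue device present:", elect_root(rogue))
    print("rogue bridge ID:     ", format_bridge_id(*rogue["Rogue"]))
```

Because priority sits in the high bits, any priority difference outranks any MAC address difference; that is why the MAC only ever decides ties.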
Ques 96:-What is DLCI {Data Link Connection Identification Number}?
Ans :- DLCI stands for Data Link Connection Identifier. It is basically used in Frame Relay technology. With the help of the DLCI number we identify a PVC (Permanent Virtual Circuit)
(Permanent Virtual Circuit). In a PVC all of the data is sent from the source computer to the destination computer through that fixed route in the network.
Ques 99:-What is SVC {Switched Virtual Circuit}?
Ans :- Whenever a permanent route is not established between the source and destination computers, that is called an SVC (Switched Virtual Circuit). The circuit is set up on demand and released afterwards, so in an SVC the data may be sent from the source computer to the destination computer by a different path each time.
Ques 100:- What is DE {Discard Eligibility}?
Ans :- DE stands for Discard Eligibility. This term is basically used in Frame Relay technology. The DE bit marks frames (typically those sent above the committed information rate) that the provider may discard first when congestion occurs, which helps stop congestion in the Frame Relay network.
Ques 101:- What is FECN {Forward Explicit Congestion Notification}?
Ans :- FECN stands for Forward Explicit Congestion Notification. This term is basically used in Frame Relay technology. The FECN bit is set in frames travelling in the direction of the congestion, telling the receiving device that the path is congested, so that congestion can be stopped.
Ques 102:- What is BECN {Backward Explicit Congestion Notification}?
Ans :-
The User-Space VPN and OpenVPN
Understanding the User-Space VPN
History, Conceptual Foundations, and Practical Usage
By James Yonan
Copyright James Yonan 2003
What is a VPN and how is it different from other security software?
Fundamentally, a VPN is a set of tools which allow networks at different locations to be securely connected, using a public network as the transport layer.
VPNs use cryptography to provide protection against eavesdropping and active attacks.
VPNs are most commonly used today for telecommuting and linking branch offices via secure WANs.
The wide area network before VPNs
Firms would spend thousands of dollars per month for private, dedicated circuits to link branch offices.
The rise of the internet created cheap but insecure bandwidth.
The VPN concept was to produce the virtual dedicated circuit, pump it over the internet, and use cryptography to make it secure.
A brief history of VPNs
IPSec was the first major effort to develop a standard for secure networking.
First version in 1995.
IPSec, like other early crypto developments, was hamstrung by export controls and insufficient processor power in the routers where it was to be implemented.
Some components of IPSec, e.g. IKE, are still in development today. Long development time!
IPSec problems
Slow progress resulted in a splintering of efforts during the mid-90s.
SSL was one such offshoot, developed to provide application-level security rather than network-level security.
Traditional IPSec implementations required a great deal of kernel code, complicating cross-platform porting efforts.
IPSec is a complex production with a relatively steep learning curve for new users.
The rise of SSL and user-space VPNs
IPSec's slow progress and complexity caused many to turn to other solutions.
By contrast, SSL matured quickly, due to heavy usage on the web.
SSL runs in user space, simplifying implementation and administration.
The so-called SSL VPN is really just a web application that tries to give users the services they need without a full VPN implementation.
Linux and virtual network interfaces
The maturing of the Linux OS by the late 90s provided an excellent test bed for experimental networking concepts.
One such innovation is the tun or tap interface.
The first tun driver for Linux was written by Maxim Krasnyansky.
What is a tun interface?
A tun interface is a virtual network adapter that looks like point-to-point network hardware to the OS, such as a T1 line.
But instead of pushing bits out a wire, the tun driver pushes them to user space.
A user space program can open the tun device just like a file and read and write IP packets from and to it.
A tap interface is a similar production, only it emulates ethernet rather than point-to-point.
How is a tun interface used to build a VPN?
Suppose I have a tun interface on machine A, and another on machine B.
I write a simple network application with two threads:
Copy bits from tun device -> network socket.
Copy bits from network socket -> tun device.
If I run this app on machine A and B I will have constructed a very simple VPN minus the security component.
How is a tun interface used to build a VPN (continued)?
From A I can ping the tun device on B, and from B I can ping the tun device on A.
That ping will actually travel over the socket connection, i.e. the ping packet will be encapsulated within a UDP or TCP packet and sent between A and B.
The problem with this very simple VPN is that it is missing the security; it is what is known as a cleartext tunnel.
Adding security to the VPN
The simple VPN we have constructed tunnels a virtual network interface over a TCP or UDP connection.
By forwarding such a TCP connection over a secure port forwarding tool such as SSH, we can build a real VPN.
Problems with using SSH to build a VPN
The previous example has a problem, however. IP is what is known as an unreliable protocol. This is not a value judgment.
Rather, it means that IP assumes that packets sent over a physical or virtual network might be lost or corrupted.
Protocols in the IP family such as TCP try very hard to work under this assumption.
Reliable and unreliable protocols
TCP is a reliable transport protocol that runs over an unreliable network layer (IP).
This means that your web browser (HTTP runs over TCP) expects TCP to handle the glitches in the connection between your client and a possibly distant web server.
TCP does this by retransmitting packets which are lost due to network congestion.
TCP is a reliability bridge between the application and the physical network layers.
Encapsulating protocols
One of the cool things about networking is that you can take one protocol and encapsulate it into another.
Getting back to our simple VPN example, we are encapsulating IP into a TCP port, then using SSH to secure that TCP connection with another remote host.
As far as encapsulation is concerned, we are encapsulating IP (which includes the TCP and UDP protocols) into TCP.
Encapsulating TCP in TCP: the problem
There is a fundamental problem, however, in this encapsulation graph.
TCP is designed to flow over unreliable networks. Pushing TCP into TCP means that we are nesting one reliability layer into another, essentially producing a whole level of redundancy.
This redundancy translates into less efficiency and less robustness during congested network conditions: the inner and outer connections each retransmit and back off on their own timers, so a single lost packet can stall the whole tunnel while both layers wait on each other.
Fixing the problem
A better solution is to encapsulate TCP in UDP.
UDP is the unreliable cousin of TCP. It strips out the whole reliability layer of TCP, giving the application the responsibility to sort out problems of dropped packets, or packets arriving in a different order from how they were sent.
Why is UDP better for encapsulating IP?
The fundamental reason is that IP was designed to flow over wires, fiber, or wireless links, which are all unreliable physical media that can suffer from glitches or congestion.
Because UDP is itself an unreliable protocol, it gives IP a transmission medium which is as close as possible to its native environment.
Encapsulating IP in UDP is the ideal choice.
VPNs and UDP
The modern, portable, easy-to-configure, user-space VPN has several basic properties.
IP packets from tun or tap virtual network adapters are encrypted, authenticated and encapsulated onto a UDP connection, and sent to a remote host over the internet.
The remote host authenticates, decrypts, and de-encapsulates the IP packets (the authentication check comes first, so that forged or corrupted packets are discarded before anything is decrypted), pumping them into a tun or tap virtual adapter at the other end.
The VPN is invisible to applications tunneling over it
This user-space VPN model essentially links a local tun virtual adapter with a remote tun virtual adapter.
One can apply routes or firewall rules to tun or tap interfaces in the same way that you can apply them to ethernet interfaces.
Applications using a VPN would find them indistinguishable from a wide area network implemented with dedicated circuits.
Enter OpenVPN
There are several Open Source VPNs today that follow the user-space tun/tap model.
OpenVPN, VTun, Tinc, CIPE, and many more are being actively developed today.
They stand in contrast to IPSec solutions such as FreeS/WAN which attack the problem in a very different way.
User-space tun/tap vs. IPSec
There is some controversy about which approach is better.
User space is more portable and easier to configure.
IPSec is more complex, and offers multi-vendor and dedicated router support.
IPSec's complexity sometimes makes it difficult for vendor A's implementation to talk to vendor B's.
IPSec in a nutshell
IPSec is a complex modification to the IP stack itself.
IPSec examines packets coming out of an IP interface, determines if a security association exists with the destination, and then tries to automatically encrypt packets at one end and decrypt them at the other.
The dream of IPSec is that it just works and you never need to know it's there (this concept is often referred to as opportunistic encryption).
IPSec limitations
As IPSec evolved, the internet evolved along with it.
The IPv4 address shortage created a profusion of private networks that use NAT to access the internet through a single IP address.
The IP address shortage also caused an increase in the use of dynamic IP addresses.
IPSec proved somewhat inflexible to these new developments.
IPSec limitations (continued)
Because IPSec considered the source and destination addresses to be part of the secured payload, it broke interoperability with NAT.
Since then, the IPSec standard has tried to evolve around these limitations.
IPSec has also been both lauded and criticized for its security.
Sometimes such praise/blame emanates from the same individuals! (see next slide)
The Two Minds of IPSec -- N. Ferguson and B. Schneier
"We are of two minds about IPsec. On the one hand, IPsec is far better than any IP security protocol that has come before: Microsoft PPTP, L2TP, etc. On the other hand, we do not believe that it will ever result in a secure operational system. It is far too complex, and the complexity has led to a large number of ambiguities, contradictions, inefficiencies, and weaknesses. [...] We strongly discourage the use of IPsec in its current form for protection of any kind of valuable information, and hope that future iterations of the design will be improved. However, we even more strongly discourage any current alternatives, and recommend IPsec when the alternative is an insecure network. Such are the realities of the world."
How does a VPN achieve security?
A VPN must protect against passive and active attacks.
A passive attacker is an eavesdropper who has no ability to interrupt or modify the data channel between two parties.
Encryption is effective at defeating passive attacks.
Active attacks
An active attacker has the ability to insert himself into the communication channel and add, modify, or delete data packets between both parties to the channel.
For this reason, such attacks are commonly referred to as man-in-the-middle attacks.
Active attacks are thwarted through the use of authentication
While many believe that VPN security is all about encryption, the larger and more difficult problem to solve is the problem of authentication.
Authentication in the VPN context involves signing every packet with a keyed hash (a message authentication code), so that the recipient can verify that it originated from a legitimate source and was not modified in transit.
Both OpenVPN and IPSec use the HMAC construction to authenticate packets.
HMAC isn't a 100% solution against active attacks.
Even after applying HMAC, we are still vulnerable to two types of active attacks:
Replay attacks.
Known plaintext attacks.
Replay Attacks
Suppose an attacker was able to tap into his bank's T1 line at 3am when traffic is low.
While observing the encrypted bits flowing across the line with a tool such as Snort, he logs onto his bank's web site and does a number of small wire transfers, observing the encrypted packets flowing over the bank's T1 line.
He is able, by timing analysis, to gain access to a sample of encrypted packets that represent his money transfers.
Replay attacks, continued
What if he then spams the T1 with a large number of those sampled packets?
He doesn't need to know the encryption algorithm, he only needs to reproduce the packets.
If the bank is only using encryption without replay protection, they may find an unexplained deluge of questionable transfers the following morning.
Replay attacks, continued.
The solution to the problem is to embed a unique, monotonically increasing ID (a sequence number) or a timestamp in every packet before it is authenticated, so that the HMAC covers it and the attacker cannot change it.
The receiver needs to keep track of this ID, and make sure that it never accepts a packet with the same ID twice.
Both OpenVPN and IPSec implement replay protection using the Sliding Window Algorithm: the receiver remembers the highest sequence number accepted and a bitmap of the recently accepted numbers below it, so packets may arrive slightly out of order but are never accepted twice, and anything older than the window is dropped.
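The two slides above (HMAC per packet, then a sequence number protected by the HMAC and checked against a sliding window) are shown together below as an added Python example. It is not code from the talk or from OpenVPN; the 64-entry bitmap window follows the shape of the IPsec ESP anti-replay check, the key is a constructed demo value, and the "bank transfer" packets are constructed sample input.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real VPN derives per-session keys from the key exchange.
KEY = b"constructed-demo-key-do-not-reuse"
WINDOW = 64  # accept packets up to 64 sequence numbers behind the highest seen


def make_packet(seq: int, payload: bytes) -> bytes:
    """Prepend a 32-bit sequence number, append HMAC-SHA256 over seq || payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Sliding-window anti-replay check: highest accepted sequence number plus a
    bitmap of which of the WINDOW numbers below it have already been accepted."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                   # 0 is never valid
        if seq > self.highest:                             # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                                   # too old: outside window
        if self.bitmap & (1 << diff):
            return False                                   # duplicate: replayed
        self.bitmap |= 1 << diff                           # late but new: accept once
        return True


def receive(window: ReplayWindow, packet: bytes):
    """Verify the HMAC first, then the sequence number; return payload or None."""
    header, body, tag = packet[:4], packet[4:-32], packet[-32:]
    expected = hmac.new(KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                        # forged or corrupted
    (seq,) = struct.unpack(">I", header)
    if not window.check_and_update(seq):
        return None                                        # replayed or too old
    return body


def demo():
    """Send five transfers, then re-inject the captured packets out of order, 3 times.
    Returns (packets accepted originally, packets accepted during the replay)."""
    window = ReplayWindow()
    transfers = [make_packet(s, b"transfer $%d" % (s * 10)) for s in range(1, 6)]
    accepted_first = sum(receive(window, p) is not None for p in transfers)
    replayed = sum(receive(window, p) is not None for p in transfers[::-1] * 3)
    return accepted_first, replayed
```

The HMAC is checked before the sequence number is even parsed, so an attacker who cannot produce a valid tag cannot use the replay check to probe the receiver's state; the window only has to defend against replays of genuine packets.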
Known plaintext attacks.
Getting back to our bank cracker, suppose that he makes 5 transfers of differing amounts of money.
By analyzing the ciphertext stream over the T1 as his transfers are taking place, he is able to discern the byte offsets in the packets that represent the dollar amount of the transfer, even though the amounts themselves are encrypted gibberish.
Known plaintext attacks (continued).
Suppose the $ amount is a 32 bit integer.
He inserts some bogus packets onto the link with the dollar amount altered.
He doesn't know what the final dollar amount will be when it is decrypted, but he knows if he tries enough values, some of them will turn out to be large and disruptive.
(Strictly, this is a ciphertext malleability or bit-flipping attack rather than a classic known-plaintext attack: with a stream cipher or a block cipher in counter mode, flipping a ciphertext bit flips exactly the same plaintext bit, so the attacker needs only the offset, not the key.)
This would be impossible (I hope) in 2003.
This scenario could not, of course, happen today.
The importance of this kind of thought experiment is to show that encryption, even if it is unbreakable, is not enough to secure against an active attacker.
Encryption must be combined with authentication (HMAC), randomized IVs, and replay protection, to protect against the previously discussed attacks.
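The bank-transfer thought experiment, carried through as an added Python example (not code from the talk or from OpenVPN). SHA-256 in counter mode stands in for a real block cipher such as AES-CTR, the keys are constructed demo values, and the transfer record layout (8-byte account id followed by a 32-bit amount) is an assumption made for the example. It shows all three points of the slide: the attacker XORs a mask into the ciphertext at the amount's offset without knowing the key; encrypt-then-HMAC makes the edited packet fail verification; and a fresh random nonce per packet stops identical transfers from producing identical ciphertext.

```python
import hashlib
import hmac
import os
import struct

ENC_KEY = b"constructed-demo-encryption-key"   # constructed demo keys, not real secrets
MAC_KEY = b"constructed-demo-mac-key"


def keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream; SHA-256 stands in for the block cipher (e.g. AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, nonce: bytes) -> bytes:
    """Unauthenticated stream encryption: nonce || (plaintext XOR keystream)."""
    ks = keystream(nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = keystream(nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# Assumed transfer record layout: 8-byte account id, then the 32-bit big-endian amount.
AMOUNT_OFFSET = 8


def make_transfer(account: bytes, amount: int) -> bytes:
    return account.ljust(8, b"\0") + struct.pack(">I", amount)


def amount_of(record: bytes) -> int:
    return struct.unpack(">I", record[AMOUNT_OFFSET:AMOUNT_OFFSET + 4])[0]


def flip_amount(ciphertext: bytes, mask: int) -> bytes:
    """The attacker's edit: XOR a mask into the ciphertext bytes covering the amount.
    Under a stream cipher, XOR on ciphertext is XOR on plaintext; no key is needed."""
    start = 16 + AMOUNT_OFFSET                     # skip the 16-byte nonce
    edited = bytearray(ciphertext)
    for i, m in enumerate(struct.pack(">I", mask)):
        edited[start + i] ^= m
    return bytes(edited)


def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce, the construction OpenVPN and ESP use."""
    ct = encrypt(plaintext, os.urandom(16))
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def open_sealed(packet: bytes):
    """Check the HMAC before touching the ciphertext; None means 'drop it'."""
    ct, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return decrypt(ct)


def demo():
    """Returns (amount after the attacker's edit of an encryption-only packet,
    whether the same edit is dropped under encrypt-then-MAC,
    whether two seals of the same record produce different ciphertext)."""
    record = make_transfer(b"ACCT0001", 25)
    ct = encrypt(record, b"\x01" * 16)                       # encryption only
    tampered_amount = amount_of(decrypt(flip_amount(ct, 0x10000)))
    sealed = seal(record)                                    # encrypt-then-MAC
    tampered_sealed = flip_amount(sealed[:-32], 0x10000) + sealed[-32:]
    dropped = open_sealed(tampered_sealed) is None
    distinct = seal(record)[16:] != sealed[16:]              # compare beyond the nonce
    return tampered_amount, dropped, distinct
```

A $25 transfer becomes $65,561 after a four-byte XOR the attacker can apply blind; with the tag checked first, the edited packet never reaches the decryption code at all.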
OpenVPN and Cryptography
Cryptography is an advanced and specialized field.
OpenVPN takes a modular approach to cryptography. Most crypto functions are offloaded to the OpenSSL library.
OpenVPN has protection against both passive attacks and known types of active attacks.
OpenVPN and keying
OpenVPN tries to supply the best of both worlds when it comes to keying.
Static, pre-shared keys are provided for ease of configuration (with no forward secrecy: whoever obtains the key can decrypt all past traffic captured under it).
Full RSA PKI, through the OpenSSL library, is provided for full certificate and private key operation.
SSL/TLS can be used for initial authentication and symmetric key exchange.
Authentication only leads into a bigger problem: key management.
The HMAC construction is a strong and elegant contribution from the cryptography community, but it still needs a shared secret key to exist at both ends of the secure connection.
How do two parties bootstrap their key exchange process in a way that protects against the exchange being hijacked by an attacker?
Enter public key cryptography.
In the August 1977 issue of Scientific American (Martin Gardner's column), Ronald L. Rivest, Adi Shamir and Leonard M. Adleman introduced to the world their RSA cipher, applicable to public key cryptography and digital signatures. The authors offered to send their full report to anyone who sent them self-addressed stamped envelopes, and the ensuing international response was so overwhelming the NSA balked at the idea of such widespread distribution of cryptography source code. When no response was made by the NSA as to the legal basis of their request, distribution recommenced, and the algorithm was published in the Communications of the ACM the following year.
Public Key cryptography is really about the problem of authentication
Since long before the age of computers, cryptography was practiced between individuals who possessed a shared key.
The innovation of Public Key cryptography was to show how individuals could communicate securely without needing a pre-existing secure medium over which to share their keys.
Public Key technology solves the key sharing problem.
Public key cryptography solves the problem of providing the secure medium over which the initial shared secret key can be exchanged.
The real encryption still occurs with a shared, symmetrical key. The public key process only gives us a means of sharing this key electronically over an insecure medium.
Public key cryptography.
Public key cryptography allows you to generate a public and private key pair.
The private key never leaves your machine (ideally it never leaves a hardware token or HSM).
The public key is published far and wide. To communicate with someone, you only need their public key.
But once content has been encrypted with a public key, only the matching private key can decrypt it.
Public key cryptography and authentication.
Public key cryptography as described thus far still has a missing link.
How do you know that the person on the other end of the communication channel is who they say they are?
They can present their public key, but that proves nothing about their identity.
Enter the Certificate.
Public key cryptography and RSA pioneered the concept of secure signatures.
I can sign a file with my private key. I can publish my public key. Anyone who receives the file can use my public key to verify that it was signed with my private key.
The mathematics of the algorithm behind digital signatures ensures that it would be infeasible to forge a signature without having the correct private key.
The Certificate Authority.
The certificate authority (CA) is the final result in a long linkage of developments in applied cryptography that attempt to solve the problem of authentication.
The CA has a super-secret key that they keep under armed guard (in practice an offline root key in an HSM, with online intermediate CAs doing the day-to-day signing).
They have a team of investigators who verify the identity of clients.
They then sign the keys of clients with their super secret key.
CAs Continued
The CA's public key becomes a public commodity, embedded in applications and operating systems.
The CA's root certificate forms the root of a chain of public keys which can be used to verify the identity of any of the CA's clients.
The CA solves the problem of authentication by trusted referral.
CAs are the basis of authentication on the secure web.
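The signature and certificate slides above, as an added Python example rather than code from the talk or from OpenSSL. The "certificate" is a minimal (subject, public key, CA signature) triple; the RSA keys are built from Mersenne primes so that the example runs without a library, and are toy parameters only (real RSA uses random primes of at least 1024 bits each plus a padding scheme such as PSS). The subject names are made up for the example.

```python
import hashlib

# Toy RSA parameters (Mersenne primes) so the example runs on the standard library.
# NOT safe: real keys use random 1024-bit-plus primes and padded signatures.
P, Q = 2**127 - 1, 2**89 - 1
E = 65537


def keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # private exponent
    return (n, e), (n, d)


def digest(data: bytes, n: int) -> int:
    """Hash the message, reduced so the integer is smaller than the toy modulus."""
    h = hashlib.sha256(data).digest()
    return int.from_bytes(h[:24], "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data, n), d, n)         # only the private exponent can do this


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def encode_pubkey(public_key) -> bytes:
    n, e = public_key
    return b"%d:%d" % (n, e)


def issue_certificate(ca_private, subject: bytes, subject_public):
    """The CA's referral: its signature over (subject name, subject public key)."""
    to_be_signed = subject + b"|" + encode_pubkey(subject_public)
    return (subject, subject_public, sign(ca_private, to_be_signed))


def verify_chain(ca_public, cert, data: bytes, signature: int) -> bool:
    """Trust by referral: first check the CA's signature on the certificate, then
    the subject's signature on the data, using the key the certificate vouches for."""
    subject, subject_public, ca_sig = cert
    if not verify(ca_public, subject + b"|" + encode_pubkey(subject_public), ca_sig):
        return False                          # not issued by a CA we trust
    return verify(subject_public, data, signature)


def demo():
    """Returns (genuine client verifies, self-issued fake cert verifies,
    stolen real cert used with the wrong private key verifies)."""
    ca_public, ca_private = keypair(P, Q)
    client_public, client_private = keypair(2**107 - 1, 2**61 - 1)
    attacker_public, attacker_private = keypair(2**107 - 1, 2**89 - 1)

    cert = issue_certificate(ca_private, b"client.example", client_public)
    msg = b"TLS handshake transcript"
    good = verify_chain(ca_public, cert, msg, sign(client_private, msg))

    # Attacker presents their own public key under the client's name, self-signed.
    fake_cert = issue_certificate(attacker_private, b"client.example", attacker_public)
    impersonation = verify_chain(ca_public, fake_cert, msg, sign(attacker_private, msg))

    # Attacker copies the real certificate but lacks the client's private key.
    stolen = verify_chain(ca_public, cert, msg, sign(attacker_private, msg))
    return good, impersonation, stolen
```

Only the first case succeeds: a certificate proves nothing unless the party presenting it can also produce a signature under the key it names, which is exactly what the TLS handshake demands of a peer.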
Cryptography conclusion
While OpenVPN draws heavily on the cryptography-related developments of IPSec, there are details about any encrypted communication session which cannot be hidden.
Traffic Analysis is one type of attack that no internet-based, modern cryptosystem can fully protect against: packet sizes, timing and volume leak even when every byte of content is encrypted, and padding or cover traffic only reduce the leak.
But when considering the needs of most VPN users, the modern crypto technology proves more than sufficient.
OpenVPN Features
OpenVPN tries to take advantage of all the capabilities which are possible to a user space VPN.
Portability. Familiar daemon-style usage.
No kernel modifications required.
State-of-the-art cryptography layer provided by the OpenSSL library.
OpenVPN Features, continued.
Very comfortable with dynamic addresses or NAT.
Supports most operating systems in the known computing universe, including Linux, Windows, Mac OS X, the three BSDs, and Solaris.
OpenVPN's 3 tier security model
One of the maxims of computer security is that complexity is the enemy of security.
One way of reducing the impact of software complexity on overall software security is to force incoming network traffic to pass through a kind of security gateway that is a much simpler piece of code than the applications behind it. A prime example of this is the firewall.
OpenVPN's 3 tier security model (continued)
The key is to reduce the number of lines of code which can be touched by unauthenticated packets. These fewer lines of code can then be more rigorously scrutinized for vulnerabilities.
OpenVPN expands on the concept of a firewall, using the tls-auth option to subject incoming packets to a preliminary HMAC check (a keyed hash under a pre-shared key, not a public key signature) before they are passed on to the actual SSL/TLS code.
OpenVPN's 3 tier security model (continued)
Tier 1: Use the HMAC-based tls-auth option to prevent an attacker from injecting packets into the SSL/TLS subsystem.
Tier 2: Use SSL/TLS for bidirectional client/server authentication.
Tier 3: Downgrade the OpenVPN daemon's privilege level using --user/--group to help contain a successful code injection exploit.
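The three tiers expressed as a server configuration, added here as an example (it is not from the talk, and the talk predates most of these options; it assumes a current OpenVPN 2.x release). File names, addresses and the unprivileged account are placeholders.

```conf
# Added example: OpenVPN 2.x server configuration applying the three tiers.
port 1194
proto udp
dev tun

# Tier 1: HMAC gate in front of the TLS code. Any control-channel packet that
# does not carry a valid HMAC under ta.key is dropped before TLS ever parses it.
# Key generated with: openvpn --genkey secret ta.key
# (older releases: openvpn --genkey --secret ta.key). Server uses direction 0.
tls-auth ta.key 0

# Tier 2: mutual certificate authentication over TLS.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Refuse a client that presents a server certificate (stops cert-swap MITM).
remote-cert-tls client
tls-version-min 1.2

# Tier 3: drop root after the tun device and key files have been opened.
# persist-key / persist-tun keep the daemon working across restarts, since
# the unprivileged process can no longer re-read key files or reopen tun.
user  nobody
group nogroup
persist-key
persist-tun

server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
```

Releases from 2.4 onward also offer tls-crypt, which keeps the same "HMAC before TLS" gate but additionally encrypts the control channel; either option, combined with user/group, means an unauthenticated attacker on the internet can only ever reach the HMAC check, and a bug beyond it runs as nobody.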
VPNs and Networking
As much (or more) can be written about the topic of VPNs and networking as can be written about VPNs and cryptography.
95% of the tech support problems that people have with VPNs are with the networking and firewall layers, not the cryptography layer.
The two major techniques for VPN networking are routing and bridging.
Bridging vs. Routing in the VPN context
Bridging is a technique for creating a virtual, wide-area ethernet LAN, running on a single subnet.
Routing solves the problem of a wide area VPN by using separate subnets and setting up routes between them.
Bridging Advantages
Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
No route statements to configure.
Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
Relatively easy-to-configure solution for road warriors.
Bridging Disadvantages
Less efficient than routing, and does not scale well: every broadcast and multicast frame on the LAN is carried to every remote client.
A single flat layer 2 domain across the VPN also extends the LAN's attack surface (ARP spoofing, rogue DHCP) to every remote client.
Routing Advantages
Efficiency and scalability.
Allows better tuning of MTU for efficiency.
Routing Disadvantages
On Windows, clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
Routes must be set up linking each subnet.
Software that depends on broadcasts will not "see" machines on the other side of the VPN.
Works only with IPv4 in general, and IPv6 in some special cases (a limitation of OpenVPN 1.x in 2003; current releases route IPv6 over tun as well).
The nuts and bolts of bridging (1)
Suppose you want to create a secure ethernet bridge that serves multiple mobile clients, using Linux as the server.
First generate a bunch of persistent tap virtual ethernet interfaces on your server, using openvpn --mktun.
Then use the brctl tool to bridge them together with your real ethernet adapter (on current kernels, ip link add br0 type bridge and ip link set tap0 master br0 replace the deprecated brctl).
The nuts and bolts of bridging (2)
When clients connect to the server, the tap virtual ethernet interface at their end can be assigned an IP address from the actual subnet of the physical ethernet LAN connected to the server.
So I could have a subnet 10.4.7.0 netmask 255.255.255.0 which is a bridged ethernet. 10.4.7.5 could be a machine in Moscow, Idaho. 10.4.7.6 could be a machine in Moscow, Russia.
VPNs and firewalling
The modern user-space VPN presents virtual tun and tap interfaces as VPN endpoints.
Suppose you have a VPN network device called tun0. You can apply the same kinds of firewall rules to tun0 as you could to eth0 or any other networking device.
VPNs and firewalling (continued).
One of the more troublesome security issues of VPNs is the way that they create trusted relationships between different networks.
This can be bad, as in the case where a worm or virus infects someone's home machine, then jumps across the VPN to corporate headquarters.
Firewall rules applied to the VPN itself can create a trust relationship between two networks that is more than untrusted but less than fully trusted.
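An added example of such "less than fully trusted" rules, written for nftables rather than the 2003-era ipchains/iptables the talk would have used; it is not from the talk. It assumes tun0 carries clients from 10.8.0.0/24, eth0 is the headquarters LAN and 192.0.2.10 is a file server; all of these are placeholders.

```nft
# Added example: nftables ruleset treating tun0 as partially trusted.
# The weak alternative is a single "iif tun0 accept", which lets an infected
# client reach every host and port at headquarters.
table inet vpn {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iif eth0 accept
        udp dport 1194 accept
        # VPN clients may talk to the gateway itself only for DNS and SSH.
        iif tun0 ip saddr 10.8.0.0/24 udp dport 53 accept
        iif tun0 ip saddr 10.8.0.0/24 tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Clients may open connections to the file server's SMB port and nothing
        # else; a worm on a home machine cannot scan or reach other hosts.
        iif tun0 oif eth0 ip saddr 10.8.0.0/24 ip daddr 192.0.2.10 tcp dport 445 accept
        # Nothing is forwarded from headquarters toward the clients unsolicited.
    }
}
```

Because the rules key on the interface, they hold regardless of which cipher or key the tunnel uses: the VPN authenticates who is on the other end, and the firewall decides what that identity is allowed to reach.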
Future directions -- OpenVPN 2.0
In OpenVPN 1.x, a single openvpn daemon can support a single tunnel over a single tun/tap interface, using a single UDP or TCP port for daemon-to-daemon communication.
This model offers maximum flexibility, as the configuration for each tunnel can be customized.
The weakness in this model is that it is hard to set up an OpenVPN configuration that handles connections from a large number of dynamic clients.
Future directions -- OpenVPN 2.0 (continued)
OpenVPN 2.0 (currently in beta) solves this problem by allowing an arbitrarily large number of UDP clients to connect to a single openvpn daemon, which itself uses one tun/tap interface and one UDP port number.
Conclusion
VPNs tie together concepts from cryptography, networking, and firewalls.
VPNs can be used as building blocks to construct anything from a small secure telecommuting solution, to a large-scale secure WAN.
The user-space VPN is an elegant solution to the VPN problem in a modular package.
VPNs still have a long way to evolve before they are as easy-to-configure as other networking subsystems, such as IP.
CPEG323 1
OVERVIEW
What is RAID?
Benefits of RAID
Concepts of RAID
RAID Levels
RAID AND ITS BENEFITS
What is RAID?
RAID (redundant array of independent disks; originally redundant array of inexpensive disks) is a way of combining several physical disks into one logical volume, spreading data across them for performance and, in most levels, storing it redundantly (mirrored or parity-protected) so that the failure of a disk does not lose data.
Benefits OF RAID
Improved Performance
High Availability
Fault Tolerance
RAID CONCEPTS
STRIPING
MIRRORING
PARITY
RAID Concepts (Striping)
(Figure only in the original: data is divided into blocks that are written to the disks in turn, so consecutive blocks land on different disks and can be read or written in parallel.)
RAID Concepts (Mirroring)
All data in the system is written simultaneously to two hard disks instead of one; thus the "mirror" concept.
100% data redundancy, which provides full protection against the failure of either of the disks containing the duplicated data.
RAID Concepts (Parity)
Parity is redundancy information calculated from the actual data values.
Take "N" pieces of data, and from them, compute an extra piece of data. Take the "N+1" pieces of data and store them on "N+1" drives. If you lose any one of the "N+1" pieces of data, you can recreate it from the "N" that remain, regardless of which piece is lost.
The parity calculation is typically performed using a logical operation called "exclusive OR" or "XOR".
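The N+1 parity scheme above, as an added Python example (not from the slides). It computes the parity piece with XOR, then loses each of the N+1 pieces in turn, including the parity itself, and rebuilds it from the survivors; the stripe contents are constructed random blocks. It also shows the limit the slide implies: with a single parity piece, two losses cannot be recovered.

```python
import os


def xor_blocks(blocks):
    """XOR an iterable of equal-length byte strings together."""
    blocks = list(blocks)
    out = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def compute_parity(data_blocks):
    """P = D0 XOR D1 XOR ... XOR D(N-1): the extra (N+1)th piece."""
    return xor_blocks(data_blocks)


def reconstruct(pieces, lost_index):
    """pieces: the N+1 entries (N data blocks followed by the parity block) with
    the lost one set to None. Because XOR is its own inverse, XORing the N
    survivors yields the missing piece, whether it was data or the parity."""
    survivors = [p for i, p in enumerate(pieces) if i != lost_index]
    if any(p is None for p in survivors):
        raise ValueError("single parity can recover only one missing piece")
    return xor_blocks(survivors)


def demo(block_size: int = 16, n_data: int = 4) -> bool:
    """Lose every piece in turn (each data disk and the parity disk) and recover it."""
    data = [os.urandom(block_size) for _ in range(n_data)]   # constructed sample stripe
    stripe = data + [compute_parity(data)]
    for lost in range(len(stripe)):
        degraded = stripe[:lost] + [None] + stripe[lost + 1:]
        if reconstruct(degraded, lost) != stripe[lost]:
            return False
    return True
```

The same XOR is what a RAID 3/4/5 controller runs for every read in degraded mode, which is why a rebuild has to read every surviving disk in full.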
RAID LEVELS
RAID: Level 0 (No Redundancy; Striping)
Multiple smaller disks as opposed to one big disk.
Spreading the blocks over multiple disks (striping) means that multiple blocks can be accessed in parallel, increasing the performance.
A 3 disk system gives up to 3 times the throughput of a 1 disk system (the ideal case, for large sequential transfers).
No redundancy, so what if one disk fails?
Failure of one or more disks results in data loss.
RECOMMENDED APPLICATIONS
Video Production and Editing
Image Editing
Any application requiring high bandwidth
RAID: Level 1 (Redundancy via Mirroring)
Uses twice as many disks as RAID 0 (e.g., 8 smaller disks with a second set of 4 duplicating the first set) so there are always two copies of the data.
# redundant disks = # of data disks, so twice the cost of one big disk.
What if one disk fails?
If a disk fails, the system just goes to the mirror for the data
Recommended Application
Accounting
Payroll
Financial
Any application requiring very high availability
RAID: Level 2 (Redundancy via ECC)
ECC disks contain the parity of data on a set of distinct overlapping disks.
# redundant disks = log (total # of data disks), so almost twice the cost of one big disk (4 data disks need 3 ECC disks).
- writes require computing parity to write to the ECC disks
- reads require reading the ECC disks and confirming parity
Can tolerate limited disk failure, since the data can be reconstructed.
(Diagram in the original: bits b0..b3 of block 1 on data disks 3, 5, 6, 7 and three ECC disks 1, 2, 4, laid out as a Hamming code. ECC disk 4 checks disks 4,5,6,7; ECC disk 2 checks 2,3,6,7; ECC disk 1 checks 1,3,5,7. Worked example from the slide: ECC disks 4 and 2 point to either data disk 6 or 7, but ECC disk 1 says disk 7 is okay, so disk 6 must be in error.)
RAID: Level 3 (Bit-Interleaved Parity)
On RAID 3 systems, data blocks are subdivided (striped) and written in parallel on two or more drives. An additional drive stores parity information. You need at least 3 disks for a RAID 3 array.
Writes require writing the new data to the data disk as well as computing the parity, meaning reading the other disks, so that the parity disk can be updated.
Can tolerate limited disk failure, since the data can be reconstructed.
Reads after a failure require reading all the operational data disks as well as the parity disk to calculate the missing data that was stored on the failed disk.
(Diagram in the original: bits b0..b3 of block 1, values 1 0 0 1, on four data disks, with the bit parity disk holding their parity bit; odd parity is shown.)
(Second diagram in the original: the same stripe with one data disk failed. The missing bit is the XOR of the three surviving data bits and the parity bit; the slide shows the recovered value 1.)
RAID: Level 3 (Bit Interleaved Parity)
Recommended Applications
Video Production and live streaming
Image Editing
Video Editing
Any application requiring high throughput
RAID: Level 4 (Block Interleaved Parity)
RAID 4 improves performance by striping data across many disks in blocks, and provides fault tolerance through a dedicated parity disk.
RAID: Level 4 (Block Interleaved Parity)
It is like RAID 3 except that it uses blocks instead of bytes for striping.
Supports small reads and small writes (reads and writes that go to just one (or a few) data disks).
By watching which bits change when writing new information, need only to change the corresponding bits on the parity disk.
The parity disk must be updated on every write, so it is a bottleneck for back-to-back writes.
Can tolerate limited disk failure, since the data can be reconstructed.
Small Writes
(Diagram in the original, comparing a small write of new D1 data to a stripe D1 D2 D3 D4 P.)
RAID 3 small writes: 3 reads and 2 writes involving all the disks (read D2, D3, D4; write new D1 and the recomputed P).
RAID 4 small writes: 2 reads and 2 writes involving just two disks (read old D1 and old P; write new D1 and new P).
RAID: Level 5 (Distributed Block-Interleaved Parity)
Parity is distributed across the disks.
Supports small reads and small writes (reads and writes that go to just one (or a few) data disks).
Allows multiple simultaneous writes as long as the accompanying parity blocks are not located on the same disk.
Can tolerate limited disk failure, since the data can be reconstructed.
RAID: Level 5 (Distributed Block-Interleaved Parity)
Recommended Applications
File and Application servers
Database servers
Web, E-mail, and News servers
Intranet servers
Most versatile RAID level
Distributing Parity Blocks
By distributing parity blocks to all disks, some small writes can be performed in parallel.

RAID 4 (dedicated parity disk):
 1  2  3  4 P0
 5  6  7  8 P1
 9 10 11 12 P2
13 14 15 16 P3

RAID 5 (parity rotates across the disks):
 1  2  3  4 P0
 5  6  7 P1  8
 9 10 P2 11 12
13 P3 14 15 16
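The two layouts above, generated and compared in an added Python example (not from the slides). Block numbers, disks and stripes follow the tables; the RAID 5 placement is the left-symmetric rotation the table shows. The example answers the question the slide raises: which pairs of single-block writes can run in parallel, given that each write touches its data disk and its stripe's parity disk.

```python
def raid4_layout(n_disks: int, n_stripes: int):
    """Dedicated parity disk (the last one). Returns
    ({logical block: (disk, stripe)}, {stripe: parity disk})."""
    data_disks = n_disks - 1
    placement, parity = {}, {}
    for stripe in range(n_stripes):
        parity[stripe] = n_disks - 1
        for i in range(data_disks):
            placement[stripe * data_disks + i + 1] = (i, stripe)
    return placement, parity


def raid5_layout(n_disks: int, n_stripes: int):
    """Left-symmetric RAID 5: the parity disk moves one position to the left
    each stripe, and the data blocks fill the remaining slots left to right."""
    data_disks = n_disks - 1
    placement, parity = {}, {}
    for stripe in range(n_stripes):
        pdisk = (n_disks - 1 - stripe) % n_disks
        parity[stripe] = pdisk
        slots = [d for d in range(n_disks) if d != pdisk]
        for i, disk in enumerate(slots):
            placement[stripe * data_disks + i + 1] = (disk, stripe)
    return placement, parity


def disks_touched(layout, block):
    """A small write of one block touches its data disk and its stripe's parity disk."""
    placement, parity = layout
    disk, stripe = placement[block]
    return {disk, parity[stripe]}


def can_write_in_parallel(layout, block_a, block_b) -> bool:
    return disks_touched(layout, block_a).isdisjoint(disks_touched(layout, block_b))


def parallel_pairs(layout, n_blocks: int) -> int:
    """Number of block pairs whose small writes use disjoint sets of disks."""
    return sum(1 for a in range(1, n_blocks + 1) for b in range(a + 1, n_blocks + 1)
               if can_write_in_parallel(layout, a, b))


def render(layout, n_disks: int, n_stripes: int) -> str:
    """Reproduce the slide's table: one row per stripe, 'Pn' where the parity lives."""
    placement, parity = layout
    rows = []
    for stripe in range(n_stripes):
        row = ["P%d" % stripe] * n_disks
        for block, (disk, s) in placement.items():
            if s == stripe:
                row[disk] = str(block)
        rows.append(" ".join("%3s" % cell for cell in row))
    return "\n".join(rows)


if __name__ == "__main__":
    for name, layout in (("RAID 4", raid4_layout(5, 4)), ("RAID 5", raid5_layout(5, 4))):
        print(name, "- parallel write pairs:", parallel_pairs(layout, 16))
        print(render(layout, 5, 4))
```

With five disks and 16 blocks, RAID 4 has no pair of writes that avoids the parity disk, while RAID 5 has 36 such pairs out of 120; the parity disk bottleneck of the RAID 4 slide becomes visible as a count rather than a rule of thumb.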
RAID: Level 6
RAID level 6 is an evolution of RAID 5. RAID 6 uses double parity for additional fault tolerance.
Like in RAID 5, data is striped at a block level across the disk set while parity information is generated and written across the array. The second parity block (Q) is computed differently from the first (P), typically as a Reed-Solomon code over a Galois field, so that any two drives can fail simultaneously and the RAID will still operate.
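An added Python example of the P+Q scheme (not from the slides): P is the plain XOR of the RAID 5 slides, Q is a weighted sum over GF(2^8) with the polynomial used by the Linux md driver, and the two together are solved to rebuild any two lost data disks, or a data disk lost together with P. The stripe contents are constructed random blocks.

```python
import os

# GF(2^8) with the polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11d), as used by the
# Linux md RAID 6 code. EXP[i] = 2^i in the field; LOG is its inverse table.
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11d
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_inv(a: int) -> int:
    return EXP[255 - LOG[a]]


def compute_pq(data):
    """P = XOR of all data blocks (the RAID 5 parity); Q = XOR of g^i * D_i with
    g = 2 and i the data disk index. P and Q are two independent equations."""
    size = len(data[0])
    p, q = bytearray(size), bytearray(size)
    for i, block in enumerate(data):
        for j, byte in enumerate(block):
            p[j] ^= byte
            q[j] ^= gf_mul(EXP[i], byte)
    return bytes(p), bytes(q)


def _syndromes(data, p, q, j, lost):
    """P' and Q' at byte position j: P and Q with all surviving data removed."""
    p_, q_ = p[j], q[j]
    for i, block in enumerate(data):
        if i not in lost:
            p_ ^= block[j]
            q_ ^= gf_mul(EXP[i], block[j])
    return p_, q_


def recover_two(data, p, q, x, y):
    """Data disks x and y lost (their entries in data are None). From
    D_x XOR D_y = P' and g^x D_x XOR g^y D_y = Q' it follows that
    D_x = (Q' XOR g^y P') / (g^x XOR g^y) and D_y = P' XOR D_x."""
    gx, gy = EXP[x], EXP[y]
    inv = gf_inv(gx ^ gy)
    dx, dy = bytearray(len(p)), bytearray(len(p))
    for j in range(len(p)):
        p_, q_ = _syndromes(data, p, q, j, (x, y))
        dx[j] = gf_mul(q_ ^ gf_mul(gy, p_), inv)
        dy[j] = p_ ^ dx[j]
    return bytes(dx), bytes(dy)


def recover_with_q(data, q, x):
    """Data disk x lost together with the P disk: D_x = Q' / g^x."""
    inv = gf_inv(EXP[x])
    dx = bytearray(len(q))
    for j in range(len(q)):
        _, q_ = _syndromes(data, bytes(len(q)), q, j, (x,))
        dx[j] = gf_mul(q_, inv)
    return bytes(dx)


def demo(n_data: int = 6, size: int = 32) -> bool:
    """Lose every pair of data disks, and every data disk together with P,
    and check that the stripe is rebuilt exactly."""
    data = [os.urandom(size) for _ in range(n_data)]       # constructed stripe
    p, q = compute_pq(data)
    for x in range(n_data):
        degraded = [None if i == x else b for i, b in enumerate(data)]
        if recover_with_q(degraded, q, x) != data[x]:
            return False
        for y in range(x + 1, n_data):
            degraded = [None if i in (x, y) else b for i, b in enumerate(data)]
            if recover_two(degraded, p, q, x, y) != (data[x], data[y]):
                return False
    return True
```

Q has to be something other than a second XOR: two identical equations cannot be solved for two unknowns, which is why RAID 6 needs the field multiplication and pays for it with a higher write cost than RAID 5.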
Advantages
Well suited to mission critical applications, as it can sustain two simultaneous drive failures (or a second failure during the rebuild that follows the first).
Disadvantages
Uses 2 drives for parity, and every small write must update two parity blocks, so the write penalty is higher than RAID 5.
Recommended Applications
Database server
Mail server
Web server
Intranet server
Transaction processing
RAID: Level 0+1 (Striping with Mirroring)
Combines the best of RAID 0 and RAID 1: data is striped across four disks and mirrored to four disks.
Four times the read throughput (due to striping), in the ideal case.
# redundant disks = # of data disks, so twice the cost of one big disk.
Writes have to be made to both sets of disks, so writes would be only 1/2 the performance of RAID 0.
(Diagram in the original: blk1 blk2 blk3 blk4 striped over the first four disks, and the same blk1 blk2 blk3 blk4 stored as redundant (check) data on the second four.)
RAID: Level 0+1 (Striping with Mirroring)
What if one disk fails?
If a disk fails, the system just goes to the mirror for the data
Recommended Applications
Imaging applications
General fileserver
RAID: Level 1+0 (Mirroring with Striping)
RAID Level 10 provides very high performance and redundancy.
Data is simultaneously mirrored and striped: disks are first paired into mirrors, then the mirror pairs are striped together.
Can under some circumstances support multiple drive failures: the array survives any number of failures as long as no mirror pair loses both members, which makes it more robust to a second failure than RAID 0+1, where one failure in each stripe set takes down the whole array.
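The "under some circumstances" of RAID 0+1 versus RAID 1+0 made concrete in an added Python example (not from the slides): it enumerates every combination of k simultaneous disk failures for an n-disk array and counts how many each layout survives. The disk numbering (RAID 0+1: disks 0..n/2-1 form one stripe set, the rest the other; RAID 1+0: disks (0,1), (2,3), ... are mirror pairs) is an assumption of the example.

```python
from itertools import combinations


def raid01_survives(failed, n_disks: int = 4) -> bool:
    """RAID 0+1: two striped sets, mirrored. Assumed numbering: disks 0..n/2-1
    are stripe set A, the rest stripe set B. The array survives only while at
    least one whole stripe set is intact."""
    half = n_disks // 2
    set_a = set(range(half))
    set_b = set(range(half, n_disks))
    return not (set_a & failed) or not (set_b & failed)


def raid10_survives(failed, n_disks: int = 4) -> bool:
    """RAID 1+0: mirror pairs (0,1), (2,3), ... striped together. The array
    survives while no mirror pair has lost both of its members."""
    pairs = [{i, i + 1} for i in range(0, n_disks, 2)]
    return all(not pair <= failed for pair in pairs)


def survival_table(n_disks: int = 4, max_failures: int = 2):
    """For k = 1..max_failures simultaneous failures, count how many of the
    C(n_disks, k) failure combinations each layout survives."""
    table = {}
    for k in range(1, max_failures + 1):
        combos = [set(c) for c in combinations(range(n_disks), k)]
        table[k] = {
            "combinations": len(combos),
            "raid01": sum(raid01_survives(f, n_disks) for f in combos),
            "raid10": sum(raid10_survives(f, n_disks) for f in combos),
        }
    return table


if __name__ == "__main__":
    for n in (4, 8):
        for k, row in survival_table(n, 3).items():
            print("%d disks, %d failures: %s" % (n, k, row))
```

For four disks both layouts survive any single failure, but of the six possible two-disk failures RAID 1+0 survives four and RAID 0+1 only two; with eight disks the gap widens (24 of 28 versus 12 of 28), because a RAID 0+1 array is dead as soon as each stripe set has lost one member.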
THANK YOU
Queries?