1. What is subnet and what are the benefits of subnetting?

Used in IP Networks to break up larger networks into smaller subnetworks.
Subnetting helps reduce network traffic and the size of the routing tables. It’s also a way to add security to network traffic by isolating it from the rest of the network.

  1. What can you tell me about the OSI Reference Model?

The OSI Reference Model provides a framework for discussing network design and operations. It groups communication functions into 7 logical layers, each one building on the next.

OSI Reference Model

  • Layer 7: The application layer This is the layer at which communication partners are identified (Is there someone to talk to?), network capacity is assessed (Will the network let me talk to them right now?), and that creates a data to send or opens the data received. (This layer is not the application itself, it is the set of services an application should be able to make use of directly, although some applications may perform application layer functions.)

  • Layer 6: The presentation layer. This layer is usually part of an operating system (OS) and converts incoming and outgoing data from one presentation format to another (for example, from clear text to encrypted text at one end and back to clear text at the other).

  • Layer 5: The session layer. This layer sets up, coordinates and terminates conversations. Services include authentication and reconnection after an interruption. On the Internet, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) provide these services for most applications.

  • Layer 4: The transport layer. This layer manages packetization of data, then the delivery of the packets, including checking for errors in the data once it arrives. On the Internet, TCP and UDP provide these services for most applications as well.

  • Layer 3: The network layer. This layer handles the addressing and routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). IP is the network layer for the Internet.

  • Layer 2: The data-link layer. This layer sets up links across the physical network, putting packets into network frames. This layer has two sub-layers, the Logical Link Control Layer and the Media Access Control Layer. Ethernet is the main data link layer in use.

  • Layer 1: The physical layer. This layer conveys the bit stream through the network at the electrical, optical or radio level. It provides the hardware means of sending and receiving data on a carrier network.

  1. What is a 3-way handshake?

A three-way-handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (acknowledgment) packets before actual data communication begins.

  • A client node sends a SYN data packet over an IP network to a server on the same or an external network. The objective of this packet is to ask/infer if the server is open for new connection.
  • The target server must have open ports that can accept and initiate new connections. When the server receives the SYN packet from the client node, it responds and returns a confirmation receipt - the ACK packet or SYN/ACK packet.
  • The client node receives the SYN/ACK from the server and responds with an ACK packet.

TCP 3 way handshake

  1. How does traceroute work?

Traceroute is a program that shows you route taken by packets through a network. Traceroute sends a UDP packet to the destination taking advantage of ICMP’s messages.

  • Traceroute creates a UDP packet from the source to destination with a TTL(Time-to-live) = 1
  • The UDP packet reaches the first router where the router decrements the value of TTL by 1, thus making our UDP packet’s TTL = 0 and hence the packet gets dropped.
  • Noticing that the packet got dropped, it sends an ICMP message (Time exceeded) back to the source.
  • Traceroute makes a note of the router’s address and the time taken for the round-trip.
  • It sends two more packets in the same way to get an average value of the round-trip time. Usually, the first round-trip takes longer than the other two due to the delay in ARP finding the physical address, the address stays in the ARP cache during the second and the third time and hence the process speeds up.
  • The steps that have occurred uptil now, occur again and again until the destination has been reached. The only change that happens is that the TTL is incremented by 1 when the UDP packet is to be sent to next router/host.
  • Once the destination is reached, Time exceeded ICMP message is NOT sent back this time because the destination has already been reached.
  • But, the UDP packet used by Traceroute specifies the destination port number to be one that is not usually used for UDP. Hence, when the destination computer verifies the headers of the UDP packet, the packet gets dropped due to improper port being used and an ICMP message (this time – Destination Unreachable) is sent back to the source.
  • When Traceroute encounters this message, it understands that the destination has been reached. Even the destination is reached 3 times to get the average of the round-trip time.
  1. How does DNS work? Have you ever had DNS go down? When should you have backup DNS – have you ever had to set this up for a website?

When you visit a domain such as xyz.com, your computer follows a series of steps to turn the human-readable web address into a machine-readable IP address. This happens every time you use a domain name, whether you are viewing websites, sending email or listening to Internet radio stations like Pandora.

  • Step 1: Request information
    The process begins when you ask your computer to resolve a hostname, such as visiting http://xyz.com. The first place your computer looks is its local DNS cache, which stores information that your computer has recently retrieved.
    If your computer doesn’t already know the answer, it needs to perform a DNS query to find out.

  • Step 2: Ask the recursive DNS servers
    If the information is not stored locally, your computer queries (contacts) your ISP’s recursive DNS servers. These specialized computers perform the legwork of a DNS query on your behalf. Recursive servers have their own caches, so the process usually ends here and the information is returned to the user.

    • Step 3: Ask the root nameservers
      If the recursive servers don’t have the answer, they query the root nameservers. A nameserver is a computer that answers questions about domain names, such as IP addresses. The thirteen root nameservers act as a kind of telephone switchboard for DNS. They don’t know the answer, but they can direct our query to someone that knows where to find it.

    • Step 4: Ask the TLD nameservers
      The root nameservers will look at the first part of our request, reading from right to left — www.xyz.com — and direct our query to the Top-Level Domain (TLD) nameservers for .com. Each TLD, such as .com, .org, and .us, have their own set of nameservers, which act like a receptionist for each TLD. These servers don’t have the information we need, but they can refer us directly to the servers that do have the information.

    • Step 5: Ask the authoritative DNS servers
      The TLD nameservers review the next part of our request — www.xyz.com — and direct our query to the nameservers responsible for this specific domain. These authoritative nameservers are responsible for knowing all the information about a specific domain, which are stored in DNS records. There are many types of records, which each contain a different kind of information. In this example, we want to know the IP address for www.xyz.com, so we ask the authoritative nameserver for the Address Record (A).

    • Step 6: Retrieve the record
      The recursive server retrieves the A record for xyz.com from the authoritative nameservers and stores the record in its local cache. If anyone else requests the host record for xyz.com, the recursive servers will already have the answer and will not need to go through the lookup process again. All records have a time-to-live value, which is like an expiration date. After a while, the recursive server will need to ask for a new copy of the record to make sure the information doesn’t become out-of-date.

    • Step 7: Receive the answer
      Armed with the answer, recursive server returns the A record back to your computer. Your computer stores the record in its cache, reads the IP address from the record, then passes this information to your browser. The browser then opens a connection to the webserver and receives the website.

This entire process, from start to finish, takes only milliseconds to complete.

The major point in having a secondary DNS server is as backup in the event the primary DNS server handling your domain goes down. In this case, your server would be still up, and so without having a backup, nobody could get to your server possibly costing you lots of lost customers.
A secondary DNS server is always up, and ready to serve. It can help balance the load on the network as there are now more than one authoritative place to get your information. Updates are generally performed automatically from the master DNS. Thus it is an exact clone of the master.

  1. What is a disaster recovery plan? Have you ever created one? In your opinion, how (and how often) should you test your plan?

Disaster recovery plan, DRP is a plan for business continuity in the event of a disaster that destroys part or all of a business's resources, including IT equipment, data records and the physical space of an organization.
DRP is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. Such a plan, ordinarily documented in written form, specifies procedures an organisation is to follow in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster." The disaster could be natural, environmental or man-made. Man-made disasters could be intentional or unintentional.
The frequency of your tests may vary depending on the particular piece of the plan you’re working with. Many industries have implemented regulations that require DR solution testing to occur at least once a year. And many times, these regulations specify even more regular testing.
Personally I would suggest to carry out DR testing atleast twice in a year.
7. what is the minimum set of things you should monitor? What is the optimum set? What has worked well in practice?

Monitoring refers to the practice of collecting regular data regarding your infrastructure in order to provide alerts of unplanned downtime, network intrusion, and resource saturation. Monitoring also makes operational practices auditable, which is useful in forensic investigations and for determining the root cause of errors. Monitoring provides the basis for the objective analysis of systems administration practices and IT in general.

Minimum things to be monitored in a infrastructure would be basic server health monitoring cpu, memory, i/o, disk space, network and application monitoring.

  1. What is Proxy Server?

Most large businesses, organizations, and universities these days use a proxy server. This is a server that all computers on the local network have to go through before accessing information on the Internet. By using a proxy server, an organization can improve the network performance and filter what users connected to the network can access.

  1. What is DHCP?

Dynamic Host Configuration Protocol is the default way for connecting up to a network. The implementation varies across Operating Systems, but the simple explanation is that there is a server on the network that hands out IP addresses when requested. Upon connecting to a network, a DHCP request will be sent out from a new member system. The DHCP server will respond and issue an address lease for a varying amount of time. If the system connects to another network, it will be issued a new address by that server but if it re-connects to the original network before the lease is up- it will be re-issued that same address that it had before.

DHCP lease-generation is 4 step process called DORA which expands as below:

  • D – Discover
    The client broadcasts messages on the network subnet using the destination address or the specific subnet broadcast address. A DHCP client may also request its last-known IP address. If the client remains connected to the same network, the server may grant the request. Otherwise, it depends whether the server is set up as authoritative or not. An authoritative server denies the request, causing the client to issue a new request. A non-authoritative server simply ignores the request, leading to an implementation-dependent timeout for the client to expire the request and ask for a new IP address.
  • O – Offer
    When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.
  • R – Request
    In response to the DHCP offer, the client replies with a DHCP request, broadcast to the server, requesting the offered address. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer. Based on required server identification option in the request and broadcast messaging, servers are informed whose offer the client has accepted.When other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses.
  • A – Acknowledgement
    When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is completed.
  1. What is a subnet mask?

Subnet mask is a mask used to determine what subnet an IP address belongs to.An IP address has two components, the network address and the host address. A subnet mask separates the IP address into the network and host addresses.
A Subnet mask is a 32-bit number that masks an IP address, and divides the IP address into network address and host address.

  1. What are sticky ports?

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.

  1. What’s your experience of configuration management?
Configuration Management is the practice of handling changes systematically so that a system maintains its integrity over time. Chef and Puppet are some of the tools used to manage configuration changes of infrastructure. 

Advantages of configuration management include:

  • Streamlining the processes of maintenance, repair, expansion and upgrading.
  • Minimizing configuration errors.
  • Minimizing downtime.
  • Optimizing network security.
  • Ensuring that changes made to a device or system do not adversely affect other devices or systems.
  • Rolling back changes to a previous configuration if results are unsatisfactory.
  • Archiving the details of all network configuration changes.
  1. What is network configuration management?
Network configuration management (NCM) is the process of organizing and maintaining information about all the components of a computer network. When a network needs repair, modification, expansion or upgrading, the administrator refers to the network configuration management database to determine the best course of action. This database contains the locations and network addresses of all hardware devices, as well as information about the programs, versions and updates installed in network computers. NCM can be as simple as having all the configuration documented in spreadsheets or using enterprise level 3rd party tools to manage and analyse network configuration changes.
  1. What are a runt, Giant, and collision?
  • runt is a packet in a network that is too small.
  • Giant is a packet, frame, cell or any other transmission unit which is too large.
  • In a half duplex Ethernet network, a collision is the result of two devices on the same Ethernet network attempting to transmit data at exactly the same time. The network detects the "collision" of the two transmitted packets and discards them both.
  1. How does ping work?

The Internet Ping program works much like a sonar echo-location, sending a small packet of information containing an ICMP ECHO_REQUEST to a specified computer, which then sends an ECHO_REPLY packet in return. The IP address is set by convention to always indicate your own computer. Therefore, a ping to that address will always ping yourself and the delay should be very short. This provides the most basic test of your local communications.

  1. What is broadcast storm?

Broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a broadcast storm. A broadcast storm can consume sufficient network resources so as to render the network unable to transport normal traffic.

  1. What is the purpose of VRRP?

Virtual Router Redundancy Protocol (VRRP) enables you to set up a group of routers as a default gateway router (VRRP Group) for backup or redundancy purposes. This way, the PC clients can actually point to the IP address of the VRRP virtual router as their default gateway. If one of the master routers in the group goes down, one of the other routers can take over.

  1. How do you distinguish a DNS problem from a network problem?

If you're truly experiencing a DNS issue, your system will not be able to resolve host names (google.com) into IP addresses ( which is what your computer really uses to communicate. A simple test to verify that this is the case is to go to your terminal and ping a host name and then try to ping an ip address (on the internet). If you're able to ping the IP address and not the FQDN then you've got yourself a DNS issue because your DNS provider is not translating that name to an IP.

You could also use NSLOOKUP command to resolve a FQDN to IP address. If the command does not resolve it to a IP address but you are able to ping the IP address directly, then there is a potential problem with the DNS.

  1. What is the difference between layer 2 and layer 3 devices?

A L2 switch does switching only. This means that it uses MAC addresses to switch the packets from a port to the destination port (and only the destination port). It therefore maintains a MAC address table so that it can remember which ports have which MAC address associated.

A L3 switch also does switching exactly like a L2 switch. The L3 means that it has an identity from the L3 layer. Practically this means that a L3 switch is capable of having IP addresses and doing routing. For intra-VLAN communication, it uses the MAC address table. For extra-VLAN communication, it uses the IP routing table.

  1. What is MTU?

A maximum transmission unit (MTU) is the largest size packet or frame, specified in octets (eight-bit bytes), that can be sent in a packet- or frame-based network such as the Internet. The Internet's Transmission Control Protocol (TCP) uses the MTU to determine the maximum size of each packet in any transmission. Too large an MTU size may mean retransmissions if the packet encounters a router that can't handle that large a packet. Too small an MTU size means relatively more header overhead and more acknowledgements that have to be sent and handled.