Cheatsheet
ARP vs MAC Table
ARP Table | MAC Table (or CAM Table) |
---|---|
Layer 3 address to Layer 2 address resolution | Layer 2 address to interface (port) binding |
Maps IP addresses to MAC addresses | Maps MAC addresses to switch ports |
Needed to forward packets at Layer 3 (to build the frame for the next hop) | Used to switch frames to the right output interface |
Kept by hosts and L3 devices | Kept only by L2 devices (switches, bridges) |
No entry for the destination IP: the host sends a broadcast ARP request | No entry for the destination MAC: the switch floods the frame out every port in the VLAN except the one it arrived on |
Default timeout is 4 hours (Cisco IOS) | Default timeout is 5 minutes (300 s) |
Filled by each ARP reply; most stacks accept unsolicited replies, which is what ARP spoofing exploits | Filled by the source MAC of each frame entering the switch, learned on the ingress port; there is no authentication, so a flood of random source MACs fills the table and forces the switch to flood unicast traffic (CAM overflow) |
Fragmentation
- Before fragmentation (MTU of the outgoing link is 1500 bytes)
Fragment | Identifier | Total Length | DF Flag | MF Flag | Fragment offset (8-byte units) |
---|---|---|---|---|---|
0 | 345 | 5140 | 0 | 0 | 0 |
- After fragmentation
Fragment | Identifier | Total Length | DF Flag | MF Flag | Fragment offset (8-byte units) |
---|---|---|---|---|---|
0-0 | 345 | 1500 | 0 | 1 | 0 |
0-1 | 345 | 1500 | 0 | 1 | 185 |
0-2 | 345 | 1500 | 0 | 1 | 370 |
0-3 | 345 | 700 | 0 | 0 | 555 |
Every fragment repeats the 20-byte IP header, so a 1500-byte fragment carries 1480 bytes of data (1480 / 8 = 185 offset units). The original 5120 bytes of data split into 3 x 1480 + 680; the last fragment is 680 + 20 = 700 bytes and clears MF. All fragments share the Identifier, and a fragment with DF set must be dropped instead (ICMP Fragmentation Needed).
Headers
- IPv4 Header (20 bytes without options)
Version | HLEN | DSCP | ECN | Total Length |
Identification | Flags (Reserved, DF, MF) | Fragment Offset |
Time To Live | Protocol | Header Checksum |
Source IP Address |
Destination IP Address |
Options (if HLEN > 5) |
- TCP Header (20 bytes without options)
Source port | Destination port |
Sequence number |
Acknowledgment number (if ACK set) |
Data offset | Reserved (0 0 0) | Flags: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN | Window Size |
Checksum | Urgent pointer (if URG set) |
Options (if data offset > 5; padded at the end with "0" bytes if necessary) |
- UDP Header (8 bytes)
Source port | Destination port |
Length | Checksum |
- ARP Header
Hardware type | Protocol type | Hardware address length | Protocol address length | Operation (1 = request, 2 = reply) | Source (sender) MAC | Source (sender) IP | Dest (target) MAC | Dest (target) IP |
- ICMP Header
Type | Code | Checksum | Rest of Header (meaning depends on Type and Code) |
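The IPv4 header layout and the fragmentation table above, worked through in code. This is an added example, not code from the original cheatsheet: it packs a real 20-byte IPv4 header with its checksum, fragments a 5140-byte datagram for a 1500-byte MTU, and parses the fragments back. The addresses, identifier 345 and the all-zero 5120-byte payload are constructed to reproduce the table; the datagram is UDP (protocol 17) only for the sake of a value.

```python
import socket
import struct

# Added example, not part of the original cheatsheet. Addresses, identifier 345 and
# the 5120-byte payload are constructed to reproduce the fragmentation table.

IPV4_HDR_LEN = 20   # HLEN = 5 words, no options
FLAG_DF = 0x2       # Don't Fragment  (bit 14 of the Flags/Fragment Offset word)
FLAG_MF = 0x1       # More Fragments  (bit 13)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Over a header whose checksum
    field is zero it yields the value to store; over an intact filled-in header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ident: int, flags: int = 0,
               frag_offset: int = 0, ttl: int = 64, proto: int = 17) -> bytes:
    """Pack a 20-byte IPv4 header (Version 4, HLEN 5, DSCP/ECN 0) in front of payload.
    frag_offset is in 8-byte units, exactly as on the wire."""
    total_length = IPV4_HDR_LEN + len(payload)
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header fields from the Headers table and verify the checksum."""
    (vhl, tos, total_length, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    hlen = (vhl & 0x0F) * 4
    return {
        "version": vhl >> 4, "hlen": hlen, "dscp": tos >> 2, "ecn": tos & 0x3,
        "total_length": total_length, "id": ident,
        "DF": (flags_frag >> 14) & 1, "MF": (flags_frag >> 13) & 1,
        "offset": flags_frag & 0x1FFF,                 # 8-byte units
        "ttl": ttl, "proto": proto,
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def fragment(datagram: bytes, mtu: int) -> list:
    """Split one IPv4 datagram (no options) into fragments of at most mtu bytes.
    Every fragment but the last carries a payload that is a multiple of 8 bytes,
    so the Fragment Offset field can describe where it belongs."""
    if len(datagram) <= mtu:
        return [datagram]
    f = parse_ipv4(datagram)
    if f["DF"]:
        raise ValueError("DF set: drop and send ICMP Fragmentation Needed instead")
    payload = datagram[IPV4_HDR_LEN:]
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8       # 1480 for an MTU of 1500
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        last = pos + chunk >= len(payload)
        # Re-fragmenting a fragment keeps MF set unless this is the last piece of a last fragment
        flags = FLAG_MF if (not last or f["MF"]) else 0
        frags.append(build_ipv4(f["src"], f["dst"], piece, f["id"], flags,
                                f["offset"] + pos // 8, f["ttl"], f["proto"]))
    return frags


def fragment_table(frags: list) -> list:
    """(Total Length, DF, MF, Fragment offset) per fragment, the columns of the table above."""
    return [(p["total_length"], p["DF"], p["MF"], p["offset"]) for p in map(parse_ipv4, frags)]


if __name__ == "__main__":
    original = build_ipv4("192.0.2.1", "192.0.2.2", bytes(5120), ident=345)   # total length 5140
    for row in fragment_table(fragment(original, 1500)):
        print(row)
```

The checksum covers only the header, so a fragment whose data was corrupted still parses with `checksum_ok` true; only the transport checksum (end to end, after reassembly) catches that.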
TCP Topics Hierarchy
- Congestion Control
- Slow Start: exponential increase (cwnd doubles every RTT) until cwnd reaches ssthresh
- Congestion Avoidance: additive increase (cwnd grows by one segment every RTT)
- Congestion Detection: multiplicative decrease (ssthresh = cwnd / 2); what happens to cwnd next depends on the variant
- Tahoe
- If an RTO occurs, TCP reacts strongly: cwnd is reduced back to 1 segment and the slow start phase begins again. Tahoe reacts the same way to 3 duplicate ACKs.
- Reno
- On an RTO, Reno reacts like Tahoe. If 3 duplicate ACKs are received, the reaction is weaker: the missing segment is retransmitted at once (fast retransmit) and cwnd is set to the new ssthresh, so sending continues in the congestion avoidance phase instead of restarting slow start (fast recovery).
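The Tahoe and Reno reactions side by side, as an added example that is not part of the original cheatsheet. It is a per-RTT model: cwnd and ssthresh are counted in segments, one `ack` event stands for a whole RTT of successful ACKs, and Reno's fast recovery is reduced to "resume at ssthresh" (real Reno also inflates cwnd for each further duplicate ACK). The event list is constructed, not a captured trace.

```python
# Added example, not from the original cheatsheet: per-RTT model of the congestion
# window for TCP Tahoe and TCP Reno. The event list is constructed.

def simulate_cwnd(variant: str, events: list, ssthresh: int = 16) -> list:
    """Return the cwnd trajectory (initial value included) for a sequence of events:
    'ack'     one RTT of successful ACKs (slow start doubles cwnd, congestion avoidance adds 1)
    'dupack3' three duplicate ACKs for the same segment
    'rto'     retransmission timeout"""
    if variant not in ("tahoe", "reno"):
        raise ValueError("variant must be 'tahoe' or 'reno'")
    cwnd = 1
    trace = [cwnd]
    for ev in events:
        if ev == "ack":
            if cwnd < ssthresh:
                cwnd = min(cwnd * 2, ssthresh)   # slow start: exponential increase, capped at ssthresh
            else:
                cwnd += 1                        # congestion avoidance: additive increase
        elif ev == "rto":
            ssthresh = max(cwnd // 2, 2)         # multiplicative decrease ...
            cwnd = 1                             # ... then back to slow start (both variants)
        elif ev == "dupack3":
            ssthresh = max(cwnd // 2, 2)         # multiplicative decrease
            if variant == "tahoe":
                cwnd = 1                         # Tahoe: as strong a reaction as to a timeout
            else:
                cwnd = ssthresh                  # Reno: fast retransmit + fast recovery,
                                                 # continue in congestion avoidance
        else:
            raise ValueError("unknown event %r" % ev)
        trace.append(cwnd)
    return trace


if __name__ == "__main__":
    events = ["ack"] * 6 + ["dupack3"] + ["ack"] * 2 + ["rto"] + ["ack"]
    for variant in ("tahoe", "reno"):
        print(variant, simulate_cwnd(variant, events))
```

The two trajectories diverge only at the `dupack3` event: Tahoe drops to 1 and climbs back through slow start, Reno continues from 9 (half of 18) in congestion avoidance. Both collapse to 1 at the `rto`.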
VPN Messages (IKEv1)
- Phase 1 - Main Mode (6 messages; identities and hashes travel encrypted in messages 5 and 6)
1. Initiator -> Responder: Cookie, Proposal List
2. Responder -> Initiator: Cookie, Accepted Proposal
3. Initiator -> Responder: DH Key, Nonce
4. Responder -> Initiator: DH Key, Nonce
5. Initiator -> Responder: ID, ID Hash (encrypted)
6. Responder -> Initiator: ID, ID Hash (encrypted)
- Phase 1 - Aggressive Mode (3 messages; the IDs and the responder's hash are sent in the clear)
1. Initiator -> Responder: ID, Proposal List, DH Key, Nonce
2. Responder -> Initiator: ID, Accepted Proposal, DH Key, Nonce, ID Hash
3. Initiator -> Responder: ID Hash
Caveat: with pre-shared keys, the hash in message 2 is derived from the PSK and values that are all visible on the wire, so anyone who captures the exchange (or simply sends message 1 to the gateway) can run an offline dictionary attack on the PSK. Prefer main mode or certificate authentication.
- Phase 2 - Quick Mode (3 messages, all protected by the Phase 1 SA)
1. Initiator -> Responder: Ph1 Hash, Message ID, Proposal List, Nonce, DH Key (only with PFS), Proxy-ID
2. Responder -> Initiator: Ph1 Hash, Message ID, Accepted Proposal, Nonce, DH Key (only with PFS), Proxy-ID
3. Initiator -> Responder: Ph1 Hash, Message ID, Nonce
VPN Monitor vs DPD vs IKE Heartbeat
VPN Monitor | DPD | IKE Heartbeat |
---|---|---|
Juniper proprietary | Standard (RFC 3706) | Juniper proprietary |
Works with non-Juniper peers (the peer only has to answer pings) | Works with non-Juniper peers | Cannot work with non-Juniper peers |
Uses ICMP echo requests sent to an address behind the peer | Uses IKE notify messages (R-U-THERE / R-U-THERE-ACK), not ICMP | Uses proprietary IKE heartbeat messages |
Goes inside the Phase 2 tunnel | Goes through the Phase 1 (IKE) SA | Goes through the Phase 1 SA |
Implies the VPN data path is up end to end | Implies the peer's IKE daemon is up and responding; says nothing about the Phase 2 data path | Enhancement to detect tunnel availability |
Works if supported by one peer only | Both peers must support it (negotiated through a vendor ID) | Both ends must support it |
Configured in Phase 2 | Configured in Phase 1 | Configured in Phase 1 |
SRX Architecture
- First Path (first packet of a flow; creates the session)
Screens -> Static NAT | Destination NAT -> Route (forwarding) lookup -> Zones -> Policy -> Reverse Static NAT | Source NAT -> Service ALG -> Session installed
- Fast Path (every later packet that matches an existing session)
Screens -> TCP checks -> NAT -> Service ALG
ScreenOS
- ScreenOS Flow order
Sanity Check -> Screening -> Session lookup -> Route lookup -> Policy lookup -> Session creation -> ARP lookup
- Route preference order
Policy Based Routing -> Source Interface Based Routing -> Source Routing -> Destination Routing
- NAT preference order
Mapped IP (MIP) -> Virtual IP (VIP) -> Policy Based NAT (NAT-Src & NAT-Dst) -> Interface Based NAT
SYN Flood Protection (ScreenOS)
- Attack Threshold: number of SYNs per second to a destination above which the firewall starts proxying connections (it answers the SYN-ACK itself and only contacts the server once the client's ACK arrives)
- With SYN cookies enabled, the firewall keeps no half-open state at all: the cookie encoded in its SYN-ACK sequence number is verified from the client's ACK, so no session is established between client and firewall or between firewall and server until the handshake is proven
- Alarm Threshold: number of proxied connections per second above which an alarm is logged
- Queue Size: number of proxied (half-open) connections held in the queue; beyond this the firewall starts rejecting new connection requests
- Timeout: maximum time a half-completed connection stays in the queue before it is dropped; range 0-50 s, default 20 s
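The SYN-cookie mode described above, as an added example that is not ScreenOS code. A SYN-proxying firewall that uses cookies keeps no queue entry per half-open connection; instead its SYN-ACK sequence number is a keyed hash over the connection 4-tuple, the client's ISN, a coarse time counter and the client's (rounded) MSS, and the client's final ACK is accepted only if the cookie it echoes recomputes. The 4-tuple, ISNs, counter values and secret below are constructed; the MSS table and 24/5/3 bit layout are assumptions for the example, not a vendor format.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not ScreenOS code. The MSS table and the 24-bit hash / 5-bit counter /
# 3-bit MSS-index layout are assumptions chosen for the example.

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values encodable in the 3 index bits
COUNTER_MASK = 0x1F                   # 5-bit coarse time counter (e.g. minutes)


def _cookie_hash(src, dst, sport, dport, client_isn, counter, mss_idx, secret) -> int:
    """24-bit keyed hash over everything the cookie must bind: the 4-tuple, the
    client's ISN, the time counter and the MSS index carried in the low bits."""
    msg = struct.pack("!4s4sHHIBB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, client_isn & 0xFFFFFFFF, counter, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, mss, counter, secret) -> int:
    """ISN to put in the SYN-ACK. Layout: [24-bit hash][5-bit counter][3-bit MSS index]."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table entry <= the client's MSS
        if m <= mss:
            idx = i
    counter &= COUNTER_MASK
    h = _cookie_hash(src, dst, sport, dport, client_isn, counter, idx, secret)
    return (h << 8) | (counter << 3) | idx


def check_syn_cookie(src, dst, sport, dport, seq, ack, now_counter, secret, max_age=1):
    """Validate the client's final ACK without any stored state. seq and ack are that
    segment's fields: seq = client_isn + 1, ack = our cookie + 1.
    Returns the MSS to use for the connection, or None if the cookie is invalid."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    idx, counter, h = cookie & 0x7, (cookie >> 3) & COUNTER_MASK, cookie >> 8
    if idx >= len(MSS_TABLE):
        return None                                   # malformed index
    if ((now_counter - counter) & COUNTER_MASK) > max_age:
        return None                                   # cookie expired (handles counter wrap)
    expected = _cookie_hash(src, dst, sport, dport, client_isn, counter, idx, secret)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                   # forged, replayed from another 4-tuple, or bit-flipped
    return MSS_TABLE[idx]


if __name__ == "__main__":
    secret = bytes(range(32))                         # constructed; rotate it in practice
    cookie = make_syn_cookie("203.0.113.7", "198.51.100.10", 51234, 443, 0x1000, 1460, 7, secret)
    print(hex(cookie), check_syn_cookie("203.0.113.7", "198.51.100.10", 51234, 443,
                                        0x1001, cookie + 1, 8, secret))
```

The price of statelessness is visible in the layout: TCP options other than MSS are lost (they were never stored), and the 24-bit hash means an attacker who blindly sends ACKs has a 2^-24 chance per packet of opening a connection, which is why the counter bounds a cookie's lifetime.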
HTTP Status Codes
Category | Type | Code |
---|---|---|
1XX | Informational | 100 = Continue |
2XX | Successful | 200 = OK; 201 = Created (new resource, its URL in the Location header); 202 = Accepted (request accepted but not acted upon yet); 203 = Non-Authoritative Information (headers come from a local or third-party copy, not the origin server); 204 = No Content (no body) |
3XX | Redirection | 301 = Moved Permanently; 302 = Found (temporary redirect); 304 = Not Modified; 305 = Use Proxy (resource must be accessed through the proxy named in the Location header; deprecated); 307 = Temporary Redirect (like 302, but the client must not change the request method) |
4XX | Client Error | 400 = Bad Request; 401 = Unauthorized (authentication required); 402 = Payment Required; 403 = Forbidden (access denied regardless of authentication); 404 = Not Found; 405 = Method Not Allowed |
5XX | Server Error | 500 = Internal Server Error; 501 = Not Implemented; 502 = Bad Gateway (invalid response from the upstream server or proxy); 503 = Service Unavailable; 504 = Gateway Timeout (upstream server or proxy did not answer in time); 505 = HTTP Version Not Supported |
SSL Handshake
- SSL has 4 protocols:
- 1. Handshake Protocol: negotiates the cipher suite and exchanges the information needed to build the cryptographic secrets. It has 4 phases:
- a) Phase 1: Establish security capabilities (ClientHello / ServerHello: version, random values, session ID, cipher suite, compression method)
- b) Phase 2: Server authentication and key exchange (Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone)
- c) Phase 3: Client authentication and key exchange (Certificate, ClientKeyExchange, CertificateVerify)
- d) Phase 4: Finalizing the handshake (ChangeCipherSpec and Finished from each side)
- 2. ChangeCipherSpec Protocol
- 3. Alert Protocol
- 4. Record Protocol
- Brief Steps:
- Client and server each send a 32-byte random value (ClientHello.random and ServerHello.random)
- The client contributes one pre-master secret (encrypted with the server's RSA public key, or derived via Diffie-Hellman)
- The 48-byte master secret is derived from the pre-master secret and both random values; SSLv3 nests MD5 over SHA-1 several times, TLS 1.0/1.1 use a PRF built from HMAC-MD5 XOR HMAC-SHA-1, and TLS 1.2 uses an HMAC-SHA-256 PRF
- The master secret is expanded into variable-length key material (the key block) whose length depends on the negotiated cipher suite
- Six secrets are cut from the key block: client and server write MAC keys, client and server write (encryption) keys, and client and server IVs
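The "Brief Steps" above carried through for TLS 1.0/1.1 (RFC 2246 section 5 and 6.3), as an added example that is not code from the original page. It implements P_hash and the MD5/SHA-1 PRF, derives the master secret from a pre-master secret and the two randoms, and cuts the six secrets out of the key block for an AES-128-CBC-SHA suite. The pre-master secret and the random values are constructed inputs; note the randoms are concatenated client-first for the master secret and server-first for key expansion.

```python
import hmac

# Added example, not from the original cheatsheet: TLS 1.0/1.1 key derivation per
# RFC 2246. The pre-master secret and randoms are constructed values.


def p_hash(digest: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 2246: A(i) = HMAC(secret, A(i-1)), A(0) = seed;
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed),
    where S1/S2 are the two halves of the secret (overlapping by one byte if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    a = p_hash("md5", s1, label + seed, length)
    b = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(a, b))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; the client random comes first in the seed."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret and cut out the six secrets. The seed here is
    server random + client random, the reverse of the master-secret step.
    For TLS 1.1 (explicit per-record IVs) pass iv_len=0."""
    need = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, need)
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = kb[pos:pos + size]
        pos += size
    return out


if __name__ == "__main__":
    pre_master = b"\x03\x01" + bytes(46)        # RSA pre-master: version, then 46 random bytes (constructed)
    client_random = bytes(range(32))            # constructed ClientHello.random
    server_random = bytes(range(32, 64))        # constructed ServerHello.random
    ms = master_secret(pre_master, client_random, server_random)
    keys = key_block(ms, client_random, server_random, mac_len=20, key_len=16, iv_len=16)
    print("master_secret", ms.hex())
    for name, value in keys.items():
        print(name, value.hex())
```

Because every secret is a deterministic function of the pre-master secret and the two randoms, anyone who recovers the pre-master secret (for example by decrypting the RSA ClientKeyExchange with a leaked server key) can recompute all six keys from a capture; that is the forward-secrecy gap that Diffie-Hellman key exchange closes.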
NetScaler
- LB Methods:
Method | Selects |
---|---|
Least Connection | Service with the fewest active connections |
Round Robin | Rotates through the list of services |
Least Response Time (LRTM) | Service with the fewest active connections and the lowest average response time, measured by monitors |
Least Bandwidth | Service currently serving the least traffic, measured in Mbps |
Least Packets | Service that has received the fewest packets |
Source IP Hash | Service chosen by a hash of the client's source IP |
Destination IP Hash | Service chosen by a hash of the destination IP |
- Persistence Methods:
Method | Same persistence session = |
---|---|
SOURCE IP | Connections from the same client source IP |
COOKIE Insert | Connections carrying the same HTTP cookie, which the NetScaler inserts into the server's response with a Set-Cookie header |
SSL Session | Connections with the same SSL session ID |
RULE | Connections matching a user-defined rule (expression) |
URL Passive | Requests carrying the same server ID (hexadecimal of the service's IP and port) in the URL, naming the service the request is to be forwarded to |
Dest IP | Connections to the same destination IP |
SRC IP DST IP | Connections with the same source IP and destination IP pair |
CALL ID | Connections with the same Call-ID in the SIP header |
OSPF
- Neighbor States (in order)
Down -> Attempt -> Init -> 2-Way -> ExStart -> Exchange -> Loading -> Full
- LSA Types
Type 1 - Router LSA
Type 2 - Network LSA
Type 3 - Network Summary LSA
Type 4 - ASBR Summary LSA
Type 5 - AS External LSA
Type 7 - NSSA External LSA
- Packet Types
Type 1 - Hello
Type 2 - Database Description (DBD)
Type 3 - Link-State Request (LSR)
Type 4 - Link-State Update (LSU)
Type 5 - Link-State Acknowledgment (LSAck)
BGP
- Route Selection Criteria (checked in this order; the first attribute that differs decides)
Attribute | Which is better |
---|---|
Next Hop reachable | A route cannot be used if its next hop is unreachable |
Weight (Cisco-specific, local to the router) | Bigger |
Local Preference | Bigger |
Locally Injected | Locally injected is better than iBGP/eBGP learned |
AS Path Length | Smaller |
Origin | Prefer IGP (i) over EGP (e), and EGP over Incomplete (?) |
MED | Smaller (by default only compared between paths from the same neighboring AS, unless always-compare-med is configured) |
Neighbor Type | Prefer eBGP over iBGP |
IGP Metric to Next Hop | Smaller |
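The decision process in the table above, run over constructed candidate paths for one prefix. This is an added example, not router code: each element of the sort key mirrors one table row in order, candidates with an unreachable next hop are discarded first, and a lowest-router-ID tie-break (a standard final step that the table does not list) is added as an assumption. MED is compared unconditionally here, which matches the table but is stricter than a router's default of comparing it only between paths from the same neighboring AS.

```python
from dataclasses import dataclass

# Added example, not router code: the BGP best-path decision in the order of the table.
# Candidate paths and next hops below are constructed. The lowest-router-ID tie-break
# is an assumption added for the example.

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP beats EGP beats Incomplete


@dataclass(frozen=True)
class Path:
    next_hop: str
    weight: int = 0                # Cisco-specific local attribute
    local_pref: int = 100
    locally_injected: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = True              # learned from an eBGP (True) or iBGP (False) peer
    igp_metric: int = 0            # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"     # advertising router's ID, used as the final tie-break


def _rank(p: Path) -> tuple:
    """Sort key; smaller is better. Each element mirrors one row of the table."""
    return (
        -p.weight,                                       # bigger weight wins
        -p.local_pref,                                   # bigger local preference wins
        not p.locally_injected,                          # locally injected beats learned
        len(p.as_path),                                  # shorter AS path wins
        ORIGIN_RANK[p.origin],                           # i < e < ?
        p.med,                                           # smaller MED wins
        not p.ebgp,                                      # eBGP beats iBGP
        p.igp_metric,                                    # smaller IGP metric to next hop wins
        tuple(int(o) for o in p.router_id.split(".")),   # lowest router ID (assumed tie-break)
    )


def rank_paths(paths: list, reachable_next_hops: set) -> list:
    """Drop candidates whose next hop is unreachable, then sort the rest best-first."""
    usable = [p for p in paths if p.next_hop in reachable_next_hops]
    return sorted(usable, key=_rank)


def best_path(paths: list, reachable_next_hops: set):
    ranked = rank_paths(paths, reachable_next_hops)
    return ranked[0] if ranked else None


# Constructed candidates for one prefix
CANDIDATES = [
    Path("10.0.0.9", weight=500, as_path=(65009,)),                          # best weight, but next hop unreachable
    Path("10.0.0.1", local_pref=100, as_path=(65001, 65002)),
    Path("10.0.0.2", local_pref=200, as_path=(65001, 65002, 65003)),
    Path("10.0.0.3", local_pref=200, as_path=(65001,), origin="e"),
    Path("10.0.0.4", local_pref=200, as_path=(65001,), origin="e", med=10),   # loses to 10.0.0.3 on MED
]
REACHABLE = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}

if __name__ == "__main__":
    for p in rank_paths(CANDIDATES, REACHABLE):
        print(p.next_hop, _rank(p))
```

Reading the ranking is the point: the 10.0.0.9 path with the largest weight never competes because its next hop fails the reachability check, and once it is excluded the local-preference rows decide before AS-path length does. Local preference is set by the receiving AS, so a peer that wants to steer your traffic has to shorten its AS path (or prepend to lengthen a competitor's), which is where AS-path validation and max-prefix limits on the session matter.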
- BGP States (in order)
Idle - not trying to connect; a start event moves the session to Connect
Connect - waiting for the TCP three-way handshake to complete
Active - the TCP connection failed; listening and retrying
OpenSent - TCP session established, OPEN message sent
OpenConfirm - OPEN received from the peer, KEEPALIVE sent, waiting for the peer's KEEPALIVE
Established - adjacency established, UPDATE messages exchanged
- BGP Messages
Open - negotiates session parameters (AS number, hold time, router ID)
Update - advertises and withdraws routes
Keepalive - sent every 60 seconds by default (one third of the 180 s hold time)
Notification - always indicates something is wrong; the session is closed after it is sent