Instructor: Paul Simmons - Carahsoft · 2020. 1. 2.
TRANSCRIPT
Instructor: Paul Simmons
• Company: F5 Networks
• Job Title: Sales Engineer, US Navy and USMC
• Industry Experience: 22 years
• Network Experience: 12 years
• F5 Product Exposure: 7 years
• F5 Certified Administrator & more…
• https://www.linkedin.com/in/paul-simmons-1547456/
• @F4plusplus
Instructor: Jimmy Jennings
• Company: F5 Networks
• Job Title: Systems Engineer, US Navy and USMC
• Industry Experience: 21 years
• Network Experience: 21 years
• F5 Product Exposure: 14 years
• F5 Certified Administrator & more…
Day 1
11:00 - 11:20 Introductions
11:20 - 11:30 Test Registration
11:30 - 12:00 OSI Layers 1-4
12:00 - 1:00 Lunch
1:00 - 3:00 OSI Layers Cont.
3:00 - 3:15 Break
3:15 - 4:30 F5 Solutions and Technology Overview
Day 2
8:30 - 9:30 Load Balancing Essentials
9:30 - 10:30 Security
10:30 - 10:45 Break
10:45 - 11:15 Application Delivery Platforms
11:15 - 11:45 What is Next – 200 Level Exam
• Certification.f5.com
• Click “Register for an Account >>”
• Agree to the terms
• Fill out the form information
• Receive email with F5 ID
• Receive email with Pearson Vue ID
• Follow email instructions
• Register for exam
• TMOS 12.1
• Multiple Choice
• Not Adaptive
• 70 questions in 90 mins
• No command line engines
• View the whole exhibit before you close it
• Manage Your Time
• The pass rates for 2014 (average): Overall - 69.7%, 101 - 74.2%,
• http://www.f5.com/pdf/certification/exams/Certification_Study_Guide_101.pdf
• https://www.f5.com/pdf/certification/exams/Certification_Study_Guide_201_v2.pdf
• https://university.f5.com
• https://portal-v5.examstudio.com/default.aspx?ReturnUrl=%2f%3fid%3d20882&id=20882
• https://devcentral.f5.com
• https://ihealth.f5.com
• https://www.linkedin.com/groups/85832
• https://www.linkedin.com/groups/6711359/profile
• https://www.linkedin.com/groups/6709915/profile
*http://certmag.com/salary-survey-2018-new-salary-survey-75/
Objective 1.01
• Describe the function of each OSI layer
• Differentiate between the OSI layers
• Describe the purpose of the various address types at different OSI layers
Explain, compare, and contrast the OSI layers
• Explain the purpose and functionality of MAC addresses
Explain protocols and technologies specific to the data link layer
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	ether 28:cf:e9:1b:ae:91
	inet6 fe80::2acf:e9ff:fe1b:ae91%en0 prefixlen 64 scopeid 0x4
	inet 192.168.69.109 netmask 0xffffff00 broadcast 192.168.69.255
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
28:cf:e9:1b:ae:91 28cf.e91b.ae91
28-cf-e9-1b-ae-91
• Explain the purpose of a switch’s forwarding database
Explain protocols and technologies specific to the data link layer
• Explain the purpose and functionality of ARP
Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks.
Explain protocols and technologies specific to the data link layer
arp who-has 10.128.10.6 tell 10.128.10.68
arp reply 10.128.10.6 is-at 02:07:01:00:01:c4
FF:FF:FF:FF:FF:FF = Broadcast
Local Cached ARP Table
Windows: arp -a    Mac: Siri, show me my ARP table
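The who-has / is-at exchange above is what populates the local ARP cache. As an added example (not part of the boot camp deck), the Python below builds that cache from tcpdump-style ARP lines and flags an IP whose MAC changes between replies, which is the kind of entry a defender reviews. The capture lines are constructed; only the request/reply format follows the slide.

```python
"""Build a local ARP cache from tcpdump-style ARP lines and flag IP/MAC conflicts.

Added example, not from the boot camp deck. The sample lines are constructed;
only the who-has / is-at format follows the slide.
"""
import re

ARP_REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"arp reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)

SAMPLE_LINES = [  # constructed capture excerpt
    "arp who-has 10.128.10.6 tell 10.128.10.68",
    "arp reply 10.128.10.6 is-at 02:07:01:00:01:c4",
    "arp who-has 10.128.10.1 tell 10.128.10.68",
    "arp reply 10.128.10.1 is-at 02:07:01:00:00:01",
    "arp reply 10.128.10.1 is-at DE:AD:BE:EF:00:01",   # same IP, different MAC
    "arp who-has 10.128.10.99 tell 10.128.10.68",      # never answered
]


def build_arp_cache(lines):
    """Return (cache, conflicts).

    cache maps IP -> most recent MAC seen in a reply, like the local ARP table
    the slide mentions. conflicts lists (ip, previous_mac, new_mac) whenever a
    reply changes the MAC for an IP already cached; that is worth reviewing
    (a reassigned address, a replaced NIC and a forged reply all look alike here).
    """
    cache, conflicts = {}, []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in cache and cache[ip] != mac:
            conflicts.append((ip, cache[ip], mac))
        cache[ip] = mac
    return cache, conflicts


def unanswered_requests(lines):
    """IPs that were asked for (who-has) but got no reply in the capture."""
    asked = {m.group(1) for m in map(ARP_REQUEST.search, lines) if m}
    answered = {m.group(1) for m in map(ARP_REPLY.search, lines) if m}
    return sorted(asked - answered)


def format_cache(cache):
    """Render the cache one 'ip  mac' line per entry, the way 'arp -a' lists it."""
    return "\n".join(f"{ip:<16} {mac}" for ip, mac in sorted(cache.items()))


if __name__ == "__main__":
    table, clashes = build_arp_cache(SAMPLE_LINES)
    print(format_cache(table))
    print("conflicts:", clashes)
    print("unanswered:", unanswered_requests(SAMPLE_LINES))
```

A MAC change is only a signal, not a verdict: correlate it with DHCP lease logs or switch port tables before treating it as spoofing.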
• Explain the purpose and functionality of a broadcast domain
Explain protocols and technologies specific to the data link layer
• Explain the purpose and functionality of IP addressing and subnetting
• Given an IP address and net mask, determine the network IP and the broadcast IP
Explain protocols and apply technologies specific to the network layer
Type  Network      Subnet           Broadcast    Hosts  IPs
/24   10.1.1.0     255.255.255.0    10.1.1.255   254    256
/25   10.1.1.0     255.255.255.128  10.1.1.127   126    128
/25   10.1.1.128   255.255.255.128  10.1.1.255   126    128
/26   10.1.1.0     255.255.255.192  10.1.1.63    62     64
/26   10.1.1.64    255.255.255.192  10.1.1.127   62     64
/26   10.1.1.128   255.255.255.192  10.1.1.191   62     64
/26   10.1.1.192   255.255.255.192  10.1.1.255   62     64
• Given a routing table and a destination IP address, identify which routing table entry the destination IP address will match
Explain protocols and apply technologies specific to the network layer
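Both objectives above (network/broadcast from an address and mask, and matching a destination against a routing table) can be worked with Python's standard ipaddress module. This is an added example, not material from the deck; the routing table in ROUTES is constructed, and the subnet rows it produces are the same ones shown in the table earlier.

```python
"""Subnet facts and longest-prefix route lookup with the standard library.

Added example, not from the deck. The routing table in ROUTES is constructed.
"""
import ipaddress

ROUTES = [  # constructed routing table: (prefix, next hop)
    ("0.0.0.0/0", "10.1.1.1"),
    ("10.0.0.0/8", "10.1.1.2"),
    ("10.1.1.0/24", "10.1.1.3"),
]


def subnet_facts(ip_with_mask):
    """Given 'addr/prefix' or 'addr/dotted-mask', return the row the slide's table shows."""
    net = ipaddress.ip_interface(ip_with_mask).network
    total = net.num_addresses
    # /31 and /32 reserve no network/broadcast address (RFC 3021); everything else loses two
    usable = total if net.prefixlen >= 31 else total - 2
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "hosts": usable,
        "ips": total,
    }


def split_table(base, new_prefix):
    """Every /new_prefix subnet inside base, one row each (the /25 and /26 rows on the slide)."""
    return [subnet_facts(str(sub))
            for sub in ipaddress.ip_network(base).subnets(new_prefix=new_prefix)]


def best_route(routes, destination):
    """Longest-prefix match: the most specific entry containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    print(subnet_facts("10.1.1.77/26"))
    for row in split_table("10.1.1.0/24", 26):
        print(row)
    print(best_route(ROUTES, "10.1.1.200"))
```

The default route (0.0.0.0/0) contains every address, which is why the lookup must compare prefix lengths instead of returning the first match.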
• Explain the purpose and functionality of Routing protocols
• Dynamic Protocols:
  • RIP (Routing Information Protocol)
  • IGRP (Interior Gateway Routing Protocol)
  • EIGRP (Enhanced Interior Gateway Routing Protocol)
  • OSPF (Open Shortest Path First)
  • IS-IS (Intermediate System-to-Intermediate System)
  • BGP (Border Gateway Protocol)
Explain protocols and apply technologies specific to the network layer
• Explain the purpose of fragmentation
• Given a fragment, identify what information is needed for reassembly
• Explain the purpose of TTL functionality
• Given a packet traversing a topology, document the source/destination IP address/MAC address changes at each hop
Explain protocols and apply technologies specific to the network layer
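For the fragmentation objectives above, the following added example (not from the deck) fragments a datagram to fit an MTU and reassembles it from the header fields a receiver actually needs: source, destination, protocol, identification, fragment offset and the More Fragments flag. The fragments are plain dicts and the payload is constructed.

```python
"""IPv4 fragmentation and reassembly on constructed fragments.

Added example, not from the deck. Fragments are plain dicts carrying only the
header fields reassembly needs: source, destination, protocol, identification,
fragment offset (in 8-byte units) and the More Fragments (MF) flag.
"""

IP_HEADER = 20  # bytes, no options


def fragment(payload, mtu, ident, src="10.0.0.1", dst="10.0.0.2", proto=17):
    """Split payload into fragments whose header plus data fits mtu."""
    max_data = (mtu - IP_HEADER) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        more = pos + len(chunk) < len(payload)
        frags.append({"src": src, "dst": dst, "proto": proto, "id": ident,
                      "offset": pos // 8, "mf": more, "data": chunk})
        pos += len(chunk)
    return frags


def reassemble(frags):
    """Return {(src, dst, id, proto): payload} for every datagram whose fragments all arrived.

    Fragments are grouped by (src, dst, id, proto), ordered by offset, and accepted
    only if they form a gap-free sequence ending in a fragment with MF clear.
    Datagrams with a missing fragment are left out (a real stack times them out).
    """
    groups = {}
    for f in frags:
        groups.setdefault((f["src"], f["dst"], f["id"], f["proto"]), []).append(f)
    complete = {}
    for key, parts in groups.items():
        parts = sorted(parts, key=lambda f: f["offset"])
        buf, expected = bytearray(), 0
        for f in parts:
            if f["offset"] * 8 != expected:
                break            # hole before this fragment
            buf += f["data"]
            expected += len(f["data"])
            if not f["mf"]:
                complete[key] = bytes(buf)
                break
    return complete


PAYLOAD = bytes(range(256)) * 10  # constructed 2560-byte datagram payload

if __name__ == "__main__":
    parts = fragment(PAYLOAD, 576, 0x1234)
    print([(p["offset"], len(p["data"]), p["mf"]) for p in parts])
    print(reassemble(parts).keys())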
• Given a packet traversing a topology, document the source/destination IP address/MAC address changes at each hop
Explain protocols and apply technologies specific to the network layer
Hop 1: Src MAC = Host A, Dest MAC = DGW Router A, Src IP = Host A, Dest IP = Host B
Hop 2: Src MAC = Router A, Dest MAC = Router B, Src IP = Host A, Dest IP = Host B
Hop 3: Src MAC = Router B, Dest MAC = Router C, Src IP = Host A, Dest IP = Host B
Hop 4: Src MAC = Router C, Dest MAC = Host B, Src IP = Host A, Dest IP = Host B
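The four hops above, together with the TTL objective, as an added example that is not part of the deck: it produces the per-link header view (MACs rewritten every hop, IPs unchanged) and decrements TTL at each router, dropping the packet when TTL runs out. Device names follow the diagram; the MAC addresses and IPs are constructed placeholders, with one MAC per device for simplicity.

```python
"""Per-hop header view of a packet crossing three routers, with TTL.

Added example, not from the deck. Device names follow the slide's diagram;
MAC addresses and IPs are constructed placeholders. One MAC per device is a
simplification: a real router has one per interface.
"""

PATH = [  # (device, MAC) - constructed
    ("Host A",   "02:00:00:00:00:0a"),
    ("Router A", "02:00:00:00:00:01"),   # Host A's default gateway
    ("Router B", "02:00:00:00:00:02"),
    ("Router C", "02:00:00:00:00:03"),
    ("Host B",   "02:00:00:00:00:0b"),
]


def traverse(path, src_ip, dst_ip, ttl):
    """Return (frames, delivered).

    One frame per link. Layer 2 addresses are rewritten at every hop while the
    layer 3 addresses never change; each router decrements TTL before forwarding
    and discards the packet when TTL reaches 0.
    """
    frames = []
    for i in range(len(path) - 1):
        sender, receiver = path[i], path[i + 1]
        if i > 0:                       # sender is a router, not the originating host
            ttl -= 1
            if ttl <= 0:
                return frames, False    # dropped here; the router would send ICMP Time Exceeded to src_ip
        frames.append({
            "link": f"{sender[0]} -> {receiver[0]}",
            "src_mac": sender[1], "dst_mac": receiver[1],
            "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
        })
    return frames, True


if __name__ == "__main__":
    for frame in traverse(PATH, "10.1.1.10", "10.4.4.10", 64)[0]:
        print(frame)
```

Running it with a small starting TTL shows the traceroute principle: the packet dies at the router whose decrement reaches zero, and only the links before it appear.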
• Compare/Contrast purpose and functionality of MTU and MSS
• Explain the purpose and functionality of TCP
• Explain the purpose and functionality of UDP
• Explain the purpose and functionality of ports in general
• Explain how retransmissions occur
• Explain the purpose and process of a reset
Explain the features and functionality of protocols and technologies specific to the transport layer
A maximum transmission unit (MTU) is the largest size packet or frame, specified in octets (eight-bit bytes), that can be sent in a packet- or frame-based network
The maximum segment size (MSS) is a parameter of the TCP protocol that specifies the largest amount of data, specified in octets, that a computer or communications device can receive in a single TCP segment.
"Hi, I'd like to hear a TCP joke."
"Hello, would you like to hear a TCP joke?"
"Yes, I'd like to hear a TCP joke."
"OK, I'll tell you a TCP joke."
"Ok, I will hear a TCP joke."
"Are you ready to hear a TCP joke?"
"Yes, I am ready to hear a TCP joke."
"Ok, I am about to send the TCP joke. It will last 10 seconds, it has two characters, it does not have a setting, it ends with a punchline."
"Ok, I am ready to get your TCP joke that will last 10 seconds, has two characters, does not have an explicit setting, and ends with a punchline."
"I'm sorry, your connection has timed out. Hello, would you like to hear a TCP joke?"
• Describe various TCP options (e.g. MSS, SACK permitted, Timestamps, etc.)
• Describe a TCP checksum error (i.e. 96-bit TCP pseudo header)
• Describe how TCP addresses error correction – (Sequence numbers, error detection and retransmits)
• Describe how the flow control process occurs
Explain the features and functionality of protocols and technologies specific to the transport layer
TCP uses an end-to-end flow control protocol to avoid having the sender send data too fast for the TCP receiver to receive and process it reliably. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies in the receive window field the amount of additionally received data (in bytes) that it is willing to buffer for the connection. The sending host can send only up to that amount of data before it must wait for an acknowledgment and window update from the receiving host.
• Explain the purpose and functionality of HTTP
• Differentiate between HTTP versions
• Interpret HTTP status codes
• Determine an HTTP request method for a given use case
Explain the features and functionality of protocols and technologies specific to the application layer
HTTP functions as a request-response protocol in the client-server computing model. In HTTP/1.0 a separate connection to the same server is made for every resource request. HTTP/1.1 can reuse a connection multiple times to download images, scripts, stylesheets et cetera after the page has been delivered.
1xx Informational
2xx Success
3xx Redirection
4xx Client Error
5xx Server Error
• Explain the purpose and functionality of HTTP keepalives, HTTP headers, DNS, SIP, FTP
• Differentiate between passive and active FTP
• Explain the purpose and functionality of SMTP
• Explain the purpose and functionality of a cookie
• Given a situation in which a client connects to a remote host, explain how the name resolution process occurs
Explain the features and functionality of protocols and technologies specific to the application layer
Active mode FTP
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
• Explain the purpose and functionality of HTTP keepalives, HTTP headers, DNS, SIP, FTP
• Differentiate between passive and active FTP
• Explain the purpose and functionality of SMTP
• Explain the purpose and functionality of a cookie
• Given a situation in which a client connects to a remote host, explain how the name resolution process occurs
• Explain the purpose and functionality of a URL
Explain the features and functionality of protocols and technologies specific to the application layer
http://www.host.com/path/to/content/content.html
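The URL above, the status-code classes and the HTTP/1.0 versus HTTP/1.1 connection behaviour from the earlier slides, worked as an added example that is not part of the deck. The URL is the one on the slide; the status lines and headers fed to the other two functions are constructed.

```python
"""URL decomposition, HTTP status-line classification and connection persistence rules.

Added example, not from the deck. Only the URL on the slide is used as input;
the status lines and headers are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def split_url(url):
    """Scheme, host, port, path and query: the pieces a proxy matches on."""
    p = urlsplit(url)
    return {"scheme": p.scheme, "host": p.hostname,
            "port": p.port or DEFAULT_PORTS.get(p.scheme),
            "path": p.path or "/", "query": p.query}


def parse_status_line(line):
    """'HTTP/1.1 404 Not Found' -> version, numeric code, class name, reason phrase."""
    parts = line.split(" ", 2)
    version, code = parts[0], int(parts[1])
    return {"version": version, "code": code,
            "class": STATUS_CLASSES.get(code // 100, "Unknown"),
            "reason": parts[2] if len(parts) > 2 else ""}


def connection_persists(version, headers):
    """Will the TCP connection be reused after this exchange (keepalive)?

    HTTP/1.1 is persistent by default and closes only on 'Connection: close';
    HTTP/1.0 closes by default and stays open only on 'Connection: keep-alive'.
    """
    conn = {k.lower(): v.lower() for k, v in headers.items()}.get("connection", "")
    if version == "HTTP/1.1":
        return "close" not in conn
    return "keep-alive" in conn


if __name__ == "__main__":
    print(split_url("http://www.host.com/path/to/content/content.html"))
    print(parse_status_line("HTTP/1.1 404 Not Found"))
    print(connection_persists("HTTP/1.0", {}), connection_persists("HTTP/1.1", {}))
```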
Diagram: BIG-IP full-proxy architecture. The client side and the server side each show Physical, Network, Session, Application and Web application layers; between them BIG-IP provides:
• L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS and application security
• Application health monitoring and performance anomaly detection
Diagram: F5 TMOS platform between the Internet and the Enterprise.
Programmability: iApps, iControl, iRules, iCall
Modules on F5 TMOS: Local Traffic Manager (LTM), Advanced Firewall Manager (AFM), Application Security Manager (ASM), Access Policy Manager (APM), Secure Web Gateway (SWG), Anti-fraud (WebSafe), BIG-IP DNS a.k.a. GTM, Advanced WAF, DDoS Hybrid Defender (DHD), SSL Orchestrator (SSLO)
Articulate the role of F5 products
Additional Learning: AFM, BIG-IQ, SWG, WebSafe, Silverline, *Enterprise Manager, *AAM
BIG-IP LTM: Physical, Virtual, Public or private cloud
Fast
• TCP Optimization
• Server Offload
• SSL Encryption
• Compression
• RAM Cache
• OneConnect
• Bandwidth Allocation
Available
• Load balancing
• Health monitoring
• Server persistence
Secure
• DDoS Protection
• TCP Proxy
• Application Proxy
• SSL Encryption
• Resource Cloaking
Articulate the role of Local Traffic Manager (LTM)
Diagram: Client resolves through an L-DNS to BIG-IP GTM; Data Center 1 and Data Center 2 each contain a Router, BIG-IP GTM, BIG-IP LTM and App Servers.
Articulate the role of Global Traffic Manager (GTM)
Protect against DNS Denial of Service
• High-speed response and DDoS protection with in-memory DNS
• Authoritative DNS serving out of RAM
• Respond to 125K QPS per CPU core
Diagram: DNS Express in TMOS. A DNS Server (OS, NIC, Admin/Auth Roles, Dynamic DNS, DHCP) manages the DNS records; DNS Express in TMOS answers the DNS queries.
Articulate the role of Global Traffic Manager (GTM)
• Features
AFM Virtual Edition
BIG-IP Advanced Firewall Manager / BIG-IP Local Traffic Manager
*Objective 2.01* Advanced Firewall Manager
Articulate the role of BIG-IP Advanced Firewall Manager (AFM)
• Protection from DoS/DDoS attacks and web application security risks
• Enforce positive and/or negative security policies, protocol compliance
• DataGuard data-scrubbing/DLP/compliance
• Vulnerability assessment service integration
• IP Intelligence malicious client classification and blocking
• Application logging and reporting
Diagram: request made → BIG-IP ASM security policy checked → vulnerable application; server response → BIG-IP ASM applies security policy (content scrubbing, application cloaking) → secure response delivered.
Articulate the role of Application Security Manager (ASM)
• Centralized access policy enforcement
• Single Sign-On (SSO) user authentication
• L3-7 access controls
• Robust client device support
• Advanced client endpoint security
• Visual Policy Editor
Articulate the role of Access Policy Manager (APM)
Articulate the role of Access Policy Manager (APM)
• Webtop unites internal and external application resources across your Enterprise
• Provides seamless presentation and access to Windows, Web, SaaS, Mobile Applications and data
• WebTop helps organizations with RDP, VMware and Citrix consolidate on a single platform
Articulate the role of Access Policy Manager (APM)
*Objective 2.01* F5 WebSafe
Diagram: WebSafe on BIG-IP is hosted in the organization's DMZ (on-premise) in front of the web application; online users connect over the Internet; alerts go to the F5 SOC in the cloud (no data visible to F5.com).
• Only 100% transparent solution combining detection and protection capabilities
• Secures your site without application modifications or changes to the user experience.
• Detects and safeguards against sophisticated online fraud: web injection, credential & form grabbers, MITM, MITB, etc.
• Identifies phishing attacks before they are launched
• Monitors the latest and most sophisticated attacks that may potentially impact your business.
Articulate the role of F5 WebSafe - Anti-fraud, Anti-malware and Anti-phishing
• Only web gateway to secure against inbound and outbound threats
• First one-stop shop for all access policy, inbound and outbound – context-aware
• Ensures regulatory and organizational compliance
• Superior scale and performance
• Lowest TCO and quickest ROI
• Subscription service on top of APM
*Objective 2.01* Secure Web Gateway
Articulate the role of BIG-IP Secure Web Gateway Services (SWG) for APM
*Objective 2.01* BIG-IQ
Diagram: BIG-IQ managing BIG-IP devices in the Data Center, Public Cloud and Hybrid Cloud.
Articulate the role of BIG-IQ
*Objective 2.01* F5 Silverline DDoS Protection
Keep your business online during volumetric DDoS attacks
• 24/7 access to Security Operations Center DDoS experts
• Protect against the largest of DDoS attacks
• Multi-layered, comprehensive L3-L7 protection
• Gain real-time attack mitigation insights
Diagram: Cloud-Scrubbing Service. Traffic from legitimate users and DDoS attackers passes through F5 Silverline DDoS Protection before reaching the customer; it covers volumetric attacks and floods, operations center experts, and L3-7 known signature attacks. Attack mitigation bandwidth capacity over 2.0 Tbps, scrubbing capacity over 1.0 Tbps.
Articulate the role of F5 Silverline DDoS Protection
Explain the purpose, use, and advantages of iRules
when LB_SELECTED {
    # If the selected pool member shares the client's /24, source-NAT so the
    # return traffic comes back through the BIG-IP instead of going direct
    if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        snat automap
    } else {
        snat none
    }
}
Explain the purpose, use, and advantages of iApps
https://tinyurl.com/F5Files
*Objective 2.03*
Explain the purpose, use, and advantages of iControl
iControl is F5's API that allows for programmatic configuration of the BIG-IP. This API is based on SOAP/XML.
iControl REST is F5's API that allows for programmatic configuration of the BIG-IP. This API is based on REST.
*Objective 2.03*
Explain the purpose, use, and advantages of iCall
iCall is a Tcl-based scripting framework that lets you use Traffic Management Shell (tmsh) commands to manage the configuration of a running F5 device.
Three components to iCall: Events, Handlers, Scripts
*Objective 2.03*
Explain the purpose, use, and advantages of iHealth
https://iHealth.f5.com
Explain the purpose of and use cases for full proxy and packet forwarding/packet based architectures
Diagram: full proxy. The client-side TCP handshake (Syn, Syn-Ack, Ack) and client data terminate on BIG-IP; BIG-IP opens a separate server-side handshake (Syn, Syn-Ack, Ack) and relays the server response. Separate client and server connections.
Diagram: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:80 (shown as 172.20.10.3:8080 on the later slides), 172.20.10.3:443, 172.20.10.4:443; virtual servers 10.2.2.100:80, 10.2.2.100:443 and 10.2.2.225:8080.
NOTE: BIG-IP LTM is a default deny device; the virtual server is the most common way to allow client requests to pass through
Explain the advantages and configurations of high availability (HA)
Diagram: Device Service Cluster between Internet clients and servers; Traffic-Group-1 is Active on one device and Standby on the other.
Explain the advantages and configurations of high availability (HA)
Diagram: Device Service Cluster with two traffic groups; each device is Active for one of Traffic-Group-1 and Traffic-Group-2 and Standby for the other.
Explain the advantages and configurations of high availability (HA)
Diagram: Device Service Cluster between Internet clients and servers; Traffic-Group-1 Active on one device, Standby on the other.
*Objective 2.01* - Application Acceleration Manager
Diagram: BIG-IP Platform between Users and the data center: Application Optimization + Transport Optimization + Data Center Optimization.
Articulate the role of BIG-IP Application Acceleration Manager (AAM)
• Explain the purpose of distribution of load across multiple servers
Discuss the purpose of, use cases for, and key considerations related to load balancing
Diagram: clients on the Internet reach Virtual Server 216.34.94.17:80, which maps to the Pool Members.
• Given an environment, determine the appropriate load balancing algorithm that achieves a desired result
Discuss the purpose of, use cases for, and key considerations related to load balancing
Static: Round Robin, Ratio
Dynamic: Least Connections, Fastest, Least Sessions, Weighted Least Connections, Observed, Predictive, Dynamic Ratio
• Given an environment, determine the appropriate load balancing algorithm that achieves a desired result
• Explain the concept of persistence
Discuss the purpose of, use cases for, and key considerations related to load balancing
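As an added example (not from the deck, and not F5's implementation) of the algorithm and persistence objectives above, the class below implements Round Robin, Ratio and Least Connections selection plus source-address persistence, so you can see how the same pool hands out members differently under each method. Member addresses and ratios are constructed.

```python
"""Pool member selection by algorithm, with source-address persistence.

Added example, not from the deck and not how BIG-IP implements these
internally. Member addresses and ratios are constructed.
"""
import itertools


class Pool:
    """Pool members with per-member ratio; each method picks a member per algorithm."""

    def __init__(self, members):
        # members: list of (address, ratio). Ratio is only used by ratio().
        self.members = [addr for addr, _ in members]
        self._rr = itertools.cycle(self.members)
        self._ratio = itertools.cycle([addr for addr, ratio in members for _ in range(ratio)])
        self.connections = {addr: 0 for addr in self.members}
        self.persistence = {}          # source address -> member

    def round_robin(self):
        """Static: every member in turn, regardless of load."""
        return next(self._rr)

    def ratio(self):
        """Static: members in turn, each repeated according to its ratio."""
        return next(self._ratio)

    def least_connections(self):
        """Dynamic: the member with the fewest open connections; ties go to configuration order."""
        return min(self.members, key=lambda m: (self.connections[m], self.members.index(m)))

    def select(self, method, client_ip=None):
        """Pick a member, honouring an existing persistence record first, then open a connection."""
        member = self.persistence.get(client_ip)
        if member is None:
            member = getattr(self, method)()
            if client_ip is not None:
                self.persistence[client_ip] = member   # later requests from this client stick here
        self.connections[member] += 1
        return member

    def close(self, member):
        """A connection to member ended."""
        self.connections[member] -= 1


if __name__ == "__main__":
    pool = Pool([("10.1.1.1", 3), ("10.1.1.2", 1)])
    print([pool.ratio() for _ in range(8)])
    print(pool.select("round_robin", "192.0.2.10"), pool.select("round_robin", "192.0.2.10"))
```

Persistence overrides the algorithm: once a client has a record, the selection method is never consulted for it, which is why persistence can skew load toward one member when a few clients generate most of the traffic.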
• Given a scenario, identify the client/server
• Explain the role of a client
• Explain the role of a server
Differentiate between a client and server
Diagram: Clients on the Internet, BIG-IP LTMs in the middle, Servers behind them.
• Describe the concept of a positive security model
• Describe the concept of a negative security model
• Given a list of scenarios, identify which is a positive security model
• Given a list of scenarios, identify which is a negative security model
• Describe the benefits of a positive security model
• Describe the benefits of a negative security model
Compare and contrast positive and negative security models
A "positive" security model (also known as "whitelist") is one that defines what is allowed and rejects everything else. A "negative" (or "blacklist") security model defines what is disallowed, while implicitly allowing everything else.
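The two models side by side on one input field, as an added example that is not part of the deck. The positive validator defines the only acceptable shape of a username; the negative validator lists fragments it refuses. The same constructed inputs show the trade-off each objective above asks about: the blocklist lets through anything it never anticipated, while the allowlist also refuses legitimate values that fall outside its definition.

```python
"""Positive (allowlist) versus negative (blocklist) validation of one field.

Added example, not from the deck. The username rule and the blocked fragments
are constructed to illustrate the two models, not taken from any product.
"""
import re

# Positive model: define exactly what a valid username looks like; reject everything else.
ALLOWED_USERNAME = re.compile(r"^[a-z][a-z0-9_]{2,15}$")

# Negative model: define what is known-bad; everything else passes.
BLOCKED_FRAGMENTS = ("'", "<", ">", "--", ";")


def positive_model(value):
    """Accept only values matching the explicit definition of a valid username."""
    return ALLOWED_USERNAME.fullmatch(value) is not None


def negative_model(value):
    """Reject values containing a known-bad fragment; anything not listed is accepted."""
    return not any(frag in value for frag in BLOCKED_FRAGMENTS)


def compare(values):
    """Map each input to (positive_verdict, negative_verdict)."""
    return {v: (positive_model(v), negative_model(v)) for v in values}


SAMPLES = [  # constructed inputs
    "alice",           # plainly valid
    "bob_99",          # valid
    "Alice",           # legitimate but outside the positive definition (uppercase)
    "b\u0430b",        # Cyrillic 'a' homoglyph: nothing on the blocklist, not a Latin letter
    "carol\x00",       # embedded NUL: nothing on the blocklist
    "d'oh",            # contains a blocked fragment
]


def blocklist_blind_spots(values):
    """Inputs the negative model passes that the positive model rejects."""
    return [v for v, (pos, neg) in compare(values).items() if neg and not pos]


if __name__ == "__main__":
    for value, verdict in compare(SAMPLES).items():
        print(repr(value), verdict)
```

The benefit of each model follows from the blind spots: the positive model needs maintenance whenever legitimate input changes shape ("Alice" here), the negative model needs maintenance whenever a new bad pattern appears, and only the positive model fails closed when something unforeseen arrives.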
• Describe the purpose of signing
• Describe the purpose of encryption
• Describe the purpose of certificates and the certificate chains
• Distinguish between private/public keys
• Compare and contrast symmetric/asymmetric encryption – one key vs. two keys
Explain the purpose of cryptographic services
• Explain the purpose of authentication
• Explain the advantages of single sign on
• Explain the concepts of multifactor authentication
• Describe the role authentication plays in AAA
Describe the purpose and advantages of authentication
• Explain the purpose, advantages, and challenges associated with IPsec
• Explain the purpose, advantages, and challenges associated with SSL VPN
• Given a list of environments/situations, determine which is appropriate for an IPsec solution
• Given a list of environments/situations, determine which is appropriate for an SSL VPN solution
Describe the purpose, advantages, and use cases of IPsec and SSL VPN
• Explain when a hardware based application delivery platform solution is appropriate
• Explain when a virtual machine solution is appropriate
• Explain the purpose, advantages, and challenges associated with hardware based application delivery platform solutions
• Explain the purpose, advantages, and challenges associated with virtual machines
• Given a list of environments/situations, determine which is appropriate for a hardware based application delivery platform solution
• Given a list of environments/situations, determine which is appropriate for a virtual machine solution
• Explain the advantages of dedicated hardware (SSL card, compression card)
Describe the purpose, advantages, use cases, and challenges associated with hardware based application delivery platforms and virtual machines
• Describe the purpose of TCP optimization
• Describe the purpose of HTTP keepalives, caching, compression, and pipelining
Describe the purpose of the various types of advanced acceleration U/A techniques
• Log onto certification.f5.com
• Look in your menu for History
• If you are qualified for the 200 level exam you can register for them on Pearson Vue
• Download the 201 Study Guide and vLab
• Attend the 201 Boot Camp or watch the new CBT
• Download the 201 Study Guide
• Study the guide and work in the vLab environment
• Attend the 201 Boot Camp or watch the 201 CBT
• Register for the 201 to set a deadline for yourself
If I can be of further assistance please contact me: [email protected] | 1-813-404-1628