Supporting Network Management Flashcards

(99 cards)

1
Q

What is configuration management?

A

Identifying and documenting all the infrastructure and devices installed at a site.
A systematic approach to ensuring that the desired state of an IT system is maintained throughout its lifecycle.

2
Q

What elements help implement configuration management?

A

A CMS (Configuration management system)- The tools and databases that collect, store, manage, update, and present information about CIs.

A CI (Configuration item)- An asset that requires specific management procedures for it to be used to deliver the service.

Service assets- Are things, processes, or people that contribute to the delivery of an IT service. Each asset must be identified by some sort of label.

3
Q

What are the various configuration states?

A

Configuration Baseline: Documents the approved or authorized state of a CI, allows auditing processes to detect unexpected or unauthorized change. Sometimes referred to as the golden configuration.

Production configuration: The state of a CI as used within a working network. The configuration settings used when an appliance, instance, or app is booted up or started.

Backup configuration: A copy of the production configuration made at a particular time, may not match the golden config as production config changes.

4
Q

What are backup policies in network management more focused on?

A

Swiftly restoring faulty switches, routers, firewalls, and load balancers.

5
Q

What are 2 backup modes an appliance may support?

A

State/ bare metal: This is a snapshot type image of the whole system.
Can be redeployed to any device of the same make and model as a system restore.

Configuration File: This is a copy of the configuration data in a structured format, such as Extensible Markup Language (XML)
This file can be used in a two-stage restore where the OS or firmware image is applied first, and then the configuration is restored by importing the backup file.

6
Q

What does the change management process do?

A

Minimizes the risk of configuration drift and unscheduled downtime by implementing changes in a planned and controlled way.

7
Q

How do major changes get approved?

A

They require approval through a Change Advisory Board (CAB)

8
Q

How is the need for change implemented in a formal change management protocol?

A

The need for the change and the procedure are captured in an RFC (request for change) document.
The RFC will be considered at the appropriate level, and affected stakeholders will be notified.

9
Q

What is typical asset management information?

A

Type, model, serial number, asset ID, location, user(s), value, and service information.

10
Q

Name an application that assists in inventory management.

A

Lansweeper

11
Q

What is the starting point for troubleshooting license issues?

A

The log.
This should show whether an evaluation/trial period has just expired or when a seat/instance count has been exceeded.

12
Q

What is the difference between EOS and EOL?

A

End of Life
When a manufacturer discontinues sales of a product.
Support and availability of spares and updates become more limited.

End of support.
These products no longer receive security updates and represent a critical vulnerability if any remain in active use.

The exact terminology can vary between vendors.

13
Q

What is a hotfix and a coldfix and what is the difference?

A

hotfix: A code change that addresses a specific issue that can be applied without incurring downtime

coldfix: A code change that requires the software or host to be restarted.

14
Q

What is patch management?

A

Refers to the procedures put in place to manage the installation of updates for hardware (firmware) and software.

15
Q

What is flashing the chip?

A

Updating firmware.

Make sure you make a backup of the system before updating the firmware (esp. for firewall)

16
Q

Name some methods of destroying media.

A

Incineration, pulverization, and degaussing.

17
Q

What is the standard method for media sanitizing?

A

Overwriting.
The basic type of overwriting is called zero filling; it does one pass of 0’s, then all 1’s, then one or more additional passes in a random pattern.

18
Q

What is Secure erase? (SE)

A

Method of sanitizing a drive using the ATA command set.

This command can be invoked using a drive/array utility or the hdparm Linux utility. On HDDs, this performs a single pass of zero-filling.

19
Q

What is a SED?

A

Self Encrypting Device

20
Q

What is Instant Secure Erase? (ISE)

A

Used on HDDs and SSDs that are self-encrypting.
All data on the drive is encrypted using a MEK (media encryption key).
When the erase command is issued the MEK is erased, rendering the data unrecoverable.

21
Q

What are commonly used physical network diagrams?

A

Cable Maps: aka floor plan, show how wires are routed through conduit from telecommunications closets to work areas. Also documents wall port locations and cable runs in an office.

Port location diagram: Identifies how wall ports located in work areas are connected back to ports in a distribution frame or patch panel and then from the patch panel ports to the switch ports.

Wiring Diagram: aka pin out, shows detailed information about the termination of twisted pairs in an RJ45 jack or Insulation Displacement Connector (IDC) and how fiber strands are documented.

Rack Diagrams: records the position of each appliance in the rack. Also records service tags, port IDs, and links, identifying which power outlets on the uninterruptible power supply (UPS) connect to which appliance power supply units (PSU)s.

22
Q

How should you make a logical network diagram?

A

With a schematic.
When making a schematic don’t try to represent too much information in a single diagram.
ex. create separate diagrams for the PHY, Data Link, and Logical (IP) layers

Physical layer-Asset IDs, cable links, and wall/patch panel/switch port IDs. You can use color-coding or line styles to represent the cable type

Data Link-Shows interconnections between switches and routers, with asset IDs (or the management IP of the appliance), interface IDs, and link-layer protocol and bandwidth.

Logical IP-IP addresses of router interfaces (plus any other static IP assignments) and firewalls, plus links showing the IP network ID and netmask, VLAN ID (if used), and DHCP scopes.

Application- Server instances and TCP/UDP ports in use, configuration info and performance baseline

Schematics can either be drawn manually using a tool such as Microsoft Visio

23
Q

What is IPAM?

A

IP address management.

Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.
IPAM software can often be used to manage and reconfigure DHCP and DNS servers remotely.

24
Q

What are common agreements?

A

SLA (Service Level Agreements): a contractual agreement setting out the detailed terms under which an ongoing service is provided. Defines aspects of the service, such as scope, performance characteristics, and responsibilities that are agreed upon between the service provider and the customer.

NDA (Nondisclosure Agreement): The legal basis for protecting information assets. Defines what uses of sensitive data are permitted, what storage and distribution restrictions must be enforced, and what penalties will be incurred by breaches of the agreement.

MOU (Memorandum of Understanding): A preliminary or exploratory agreement to express an intent to work together. Intended to be relatively informal and not to act as binding contracts. However, MOUs almost always have clauses stating that the parties shall respect confidentiality.

25
What historical method might IT departments have used for tracking IP usage?
Static Files.
26
What is network discovery?
Verifying exactly what is connected to the network and what is being communicated over it. Processes and tools that facilitate identification of hosts present on a network or subnet. Windows firewall configurations make a host visible to network browsers.
27
What does an IP scanner do?
Utility that can probe a network to detect which IP addresses are in use by hosts. Performs host discovery and can establish the overall logical topology of the network in terms of subnets and routers.
28
What is host discovery?
A basic type of IP scanning that only attempts to determine if an IP address is "up"
29
How can Nmap be used?
Widely used for IP scanning, both as an auditing and as a penetration testing tool. Is open-source software with packages for most versions of Windows, Linux, and macOS. It can be operated with a command line or via a GUI (Zenmap). Basic syntax of an Nmap command is to give the IP subnet (or IP address) to scan.
30
What are some examples of IP scanning tools?
Nmap, Angry IP, or PRTG.
31
How do you perform only host discovery with Nmap?
-sn: This switch suppresses the port scan.
32
How do you make Nmap show the hop counts?
By specifying the --traceroute switch.
33
What does a port scanner do?
Tries to identify which TCP and UDP ports are listening.
34
What are the main types of scanning Nmap can perform?
TCP SYN (-sS): This is a fast technique also referred to as half-open scanning. The scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state. Stealthy.
TCP connect (-sT): A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. Less stealthy.
UDP scans (-sU): Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Port range (-p): By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --top-ports n, where n is the number of commonly used ports to scan.
35
What does the Nmap -sV or -A switch do?
They probe a host more intensively to discover the software or software version operating each port.
36
What is CDP?
Cisco Discovery Protocol. A proprietary protocol used by Cisco network appliances to discover layer 2 adjacent devices or neighbors. Sends announcements every 60 seconds. Each device keeps a cache table of the data compiled from announcements it has received.
37
What is CDP multicast address?
01:00:0c:cc:cc:cc
38
What is LLDP?
Link Layer Discovery Protocol. A standards-based protocol used by network appliances to discover layer 2 adjacent devices or neighbors. Sends announcements every 30 seconds by default.
39
What is LLDP multicast address?
01:80:c2:00:00:0e
40
What is the point of discovery protocols?
They enable network devices to automatically detect, identify, and map directly connected neighbors, simplifying network management.
41
How do you get reports from the CDP cache?
With the command: show cdp neighbors
42
What is a performance metric and what are indicators of performance?
Performance metrics are measurements of a value affecting system performance. Indicators include:
-Bandwidth: The rated speed of all the interfaces available to the device.
-Utilization/Throughput: The actual amount of data transferred.
-CPU and memory: If CPU and/or system memory utilization (measured as a percentage) is consistently very high, an upgrade might be required. High CPU utilization can also indicate a problem with network traffic.
-Storage: If the device runs out of storage space, it could cause serious errors.
43
What is the point of baseline metrics?
To establish the level of resource utilization at a point in time. Typically when the system is first installed. Changes to the system usually require a new baseline to be taken.
44
What are availability monitors and their purpose?
AKA heartbeat monitors, or uptime monitors. Processes and tools that trigger an alert or an alarm if a host or service experiences an outage or other unscheduled downtime. Most work by sending a probe to the target service and checking for a non-error response.
45
What are some underlying causes of unresponsive service issues?
-The application or OS hosting the service has crashed.
-Hardware or power issues.
-The server hosting the service is overloaded (high CPU/memory/disk I/O utilization/disk space utilization).
-Network congestion can be at the client or server end or both.
-A broadcast storm can cause loss of network bandwidth.
-DoS attack, which can be signified by network congestion or high host CPU/memory utilization.
46
What are the various configuration states?
-The baseline or golden configuration is a template for the state that a given device should be in.
-The production configuration is the state that the device is actually in. Also, a device could have a running configuration that is different from its startup configuration.
-A backup configuration is a point-in-time copy of a running or startup configuration.
47
What does a configuration monitor do?
Processes and tools that facilitate reporting and alerting when a host or app's configuration deviates from a baseline or golden configuration.
48
What does Nmap use to determine whether a host is present when used without switches?
Its default behavior is to ping and send a TCP ACK packet to ports 80 and 443.
49
What is NOT information that CDP can report?
MAC address table sizes
50
What is SNMP?
A widely used framework for remote management and monitoring of servers and network appliances. Consists of agents and a monitoring system.
51
What is an SNMP agent?
A process (software or firmware) that runs on a switch, router, server, or other SNMP-compatible network device. A device running an SNMP agent is referred to as a managed device. The agent contains a data store called a MIB (management information base). Each parameter in a MIB is referred to by an OID.
52
What is a MIB?
Management information base. Database that stores Simple Network Management Protocol (SNMP) properties and values of a network device and its components. Each parameter stored in a MIB is referred to by a numeric OID (object identifier)
53
What is an OID?
Object Identifier. Each parameter stored in a MIB is referred to by a numeric OID. OIDs are stored within a tree structure. Part of the tree is generic to SNMP and the other part can be defined by the device vendor.
54
How are SNMP agents configured?
With the community string or community name of the computers allowed to manage the agent and the IP address or host name of the server running the management system. The community string acts as a rudimentary type of password. An agent can pass information only to management systems configured with the same community string. There are usually two community strings; one for read-only access and one for read-write access (or privileged mode).
55
What is an SNMP monitor?
Management software that provides a location from which you can oversee network activity. The monitor polls agents at regular intervals for information from their MIBs and displays the information for review. The monitor can retrieve information from a device in one of 2 ways:
-Get: The software queries the agent for a single OID. This command is used by the monitor to perform regular polling.
-Trap: The agent informs the monitor of a notable event, such as port failure. The threshold for triggering traps can be set for each value.
The monitor can change certain variables using the set command.
56
What are community strings?
In SNMP, a password-like value that permits a management system to access an agent.
57
What is the difference between SNMP v2c and SNMP v3?
SNMP v2c: Many networks run on this. Has no support for robust authentication or encryption. SNMP v2c community strings are sent in plaintext and should not be transmitted over the network if there is any risk of interception.
SNMP v3: Supports encryption and strong user-based authentication. Instead of community strings, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with a hash of the user's passphrase. If authNoPriv mode is used, packets are not encrypted. authPriv enables encryption using the credential as a key.
58
How does the authPriv stuff work?
auth = authentication, Priv = encryption, so authNoPriv would mean authentication and no encryption. NOTE: auth comes first.
59
What do system logs record?
They record startup events and OS events. This includes kernel processes and drivers and can also include core services.
60
What do application logs record?
Records data for a single specific service. ex. DNS, HTTP, a database, etc.
61
What do audit logs do?
Can also be described as an access log or security log. Records the use of authentication and authorization privileges. Generally records success/fail type events.
62
What do performance/ Traffic logs do?
Records metrics for compute, storage, and network resources over a defined period.
63
What does a log collector do?
It receives logs from numerous devices and puts them in a single storage location.
64
What does syslog do?
A protocol that facilitates log collection from diverse network devices. Can forward messages to a remote log collector. Provides an open format for event data. Works over UDP 514.
65
What is a syslog message comprised of?
A PRI code, a header (that contains a timestamp and host name), and a message part which contains a tag showing the source process plus content.
66
What are the syslog severity levels/logging levels?
A system for prioritizing logs that require immediate response.
Code 0 = Emergency: The system is unusable (kernel panic).
Code 1 = Alert: A fault requiring immediate remediation has occurred.
Code 2 = Critical: A fault that WILL require immediate remediation is likely to develop.
Code 3 = Error: A nonurgent fault has developed.
Code 4 = Warning: A nonurgent fault is likely to develop.
Code 5 = Notice: A state that could potentially lead to an error condition has developed.
Code 6 = Informational: A normal but reportable event has occurred.
Code 7 = Debug: Verbose status conditions used during development and testing.
67
How do alerts and notifications work together?
An alert means that the system has matched some sort of pattern or filter that should be recorded and highlighted. A notification means that the system sends a message to advertise the occurrence of the alert. ex. A low priority alert may simply be displayed in the system dashboard. A high priority alert might use some sort of active notification messaging, such as emailing a system administrator, sending a text message, triggering a physical alarm etc.
68
What is SIEM and what does it do?
Security Information and Event Management. It is designed to integrate network and security monitoring through automated collection, aggregation, and analysis of log data. Its core function is to aggregate logs from multiple sources.
69
What is the purpose of a PRI code in a syslog message?
To indicate the message's priority based on facility and severity level. This code helps in categorizing and prioritizing the messages for better management and analysis.
70
What is an automated event management system configured to generate?
Their primary configuration is to generate some kind of alert.
71
What is a protocol analyzer?
A very important tool used for network support. It allows the inspection of traffic received by a host or passing over a network link. Can interpret each frame in a stream of traffic to reveal its header fields and payload contents in a readable format. Also performs traffic analysis. Protocol analyzers depend on packet sniffers.
72
What does a packet sniffer do?
A monitor that records (or "sniffs") data from frames as they pass over network media, using methods such as a mirror port or TAP device.
73
What are the 3 main options for connecting a sniffer to the appropriate point in the network?
SPAN (switched port analyzer)/port mirroring: The sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). Not a completely reliable method. Frame errors will not be mirrored, and frames may be dropped under heavy load.
Passive TAP: A box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. No logic decisions are made, so the monitor port receives every frame, corrupt or not. Copying is unaffected by load.
Active TAP: A powered device that performs signal regeneration, which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor, and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss.
TAP = Test Access Point.
74
What is tcpdump?
A command line packet capture utility for Linux, it provides a user interface to the libpcap library. The basic syntax of the command is: tcpdump -i eth0
75
What are some switches for tcpdump?
The -w switch writes output to a file and the -r switch reads the contents of a capture file. The -v, -vv, and -vvv switches can be used to increase the amount of detail shown about each frame. The -e switch shows the Ethernet header. The -i switch specifies the network interface to listen on.
76
How is Wireshark's output displayed?
In a 3 pane view. Top Pane shows each frame. Second Pane shows the fields from the currently selected frame. Last Pane shows the raw data from the frame in hex and ASCII.
77
What is ASCII?
American Standard Code.
78
What is an aggregation TAP and what does it do?
An aggregation TAP combines the upstream and downstream traffic into a single channel for monitoring. Under heavy load, the capacity of this single channel may be exceeded, leading to dropped frames as it cannot keep up with the volume of data.
79
What is bandwidth?
The amount of information that can be transmitted theoretically. Expresses the available capacity of the link. Measured in bps for data and Hz for audio.
80
What is a bottleneck?
A point of poor performance that reduces the productivity for the whole network. May occur because a device is underpowered or faulty or because of a user or application behavior. To identify the bottleneck you must identify where and when on the network overutilization or excessive errors occur.
81
What are some reasons packets are dropped/ packet loss occurs?
A server, router, or switch is overloaded. A power outage occurred. A firewall is blocking packets from a known destination. A malicious actor is interfering with network transmissions. Faulty firmware is causing packet processing errors. Knowing where and when the packet loss occurs can direct you to the device that is dropping the frames.
82
What is the difference between latency and jitter?
Latency: The time it takes for a transmission to reach the recipient, measured in milliseconds (ms). (Speed)
Jitter: Defined as being a variation in the delay. Manifests itself as an inconsistent rate of packet delivery. Also measured in ms.
83
How can you test the latency and jitter of a link?
Latency: ping, pathping, mtr
Jitter: mtr
84
What are interface statistics?
Metrics recorded by a host or switch that enable monitoring of link state, resets, speed, duplex setting, utilization, and error rates. This helps to diagnose performance issues due to congestion, bottlenecking, bandwidth, or packet loss.
85
What are some stats measured by interface statistics?
Utilization: The data transferred over a period. This can either be measured as the amount of data traffic both sent and received, or calculated as a percentage of the available bandwidth.
Per-protocol utilization: The packet or byte counts for a specific protocol. It is often useful to monitor both packet counts and bandwidth consumption.
Error rate: The number of packets per second that cause errors. Errors may occur as a result of interference or poor link quality causing data corruption in frames. Error rates should be under 1%; high error rates may indicate a driver problem if a network media problem can be ruled out.
Retransmissions: If you observe high levels of retransmissions, you must analyze and troubleshoot the specific cause of the underlying packet loss, which could involve multiple aspects of network configuration and connectivity.
86
What are traffic flows?
Processes and tools that facilitate reporting of network communication flows summarized by host or protocol type. Diagnosing performance issues depends on detailed information about network traffic flows.
87
What does Cisco's NetFlow do?
Gathers traffic flow data only and reports it to a structured database. Allows for a better understanding of IP traffic flows as used by different network applications and hosts. Has been redeveloped as the IP Flow Information Export (IPFIX) IETF standard.
88
What are the 3 components NetFlow deploys?
Exporter: It defines traffic/cache flows. A traffic flow is defined by packets that share the same characteristics, such as Source IP Address, Destination IP Address, Source Port, Destination Port, and Protocol. These five bits of information are referred to as a 5-tuple. A 7-tuple flow adds the input interface and IP type of service data. When a flow expires or becomes inactive, the exporter transmits the data to a collector.
Collector: Aggregates flows from multiple exporters. Needs a high-bandwidth network link and substantial storage capacity. The exporter and collector must support compatible versions of NetFlow and/or IPFIX. The most widely deployed versions of NetFlow are v5 and v9.
Analyzer: Reports and interprets information by querying the collector and can be configured to generate alerts and notifications. The collector and analyzer components are often implemented as a single product.
89
How can you measure throughput?
Transfer a large file between two hosts. To determine your network throughput, divide the file size by the amount of time taken to copy the file. Several software utilities can be used to automate this process, such as iperf, Ttcp, and BWPing.
90
What is the difference between top talkers and listeners?
Top talkers are the interfaces generating the most outgoing traffic. Top listeners are the interfaces receiving the most incoming traffic. Useful in identifying and eliminating performance bottlenecks.
91
What are bandwidth speed testers?
A hosted utility used to measure actual speed obtained by an Internet link to a representative server or to measure the response times of websites from different locations on the Internet.
92
What are the 2 main classes of internet tools for checking performance?
Broadband speed checkers: These test how fast the local broadband link to the Internet is. Mostly designed for SOHO use. Tests downlink and uplink speeds, will test latency using ping, and can usually compare the results with neighboring properties and other users of the same ISP. Website performance checkers: These query a nominated website to work out how quickly pages load. Since it is an online tool you can test your site's response times from the perspective of customers in different countries.
93
On a local network, what is delay typically caused by?
Congestion and Contention
94
What is congestion and contention?
Congestion: Where the network infrastructure is not capable of meeting the demands of peak load and starts to queue or drop packets.
Contention: The ratio between demand for a service and its available capacity.
95
What does Differentiated Services (DiffServ) do?
A header field used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling. Is a layer 3 service tagging mechanism. DiffServ traffic classes are typically grouped into three types:
-Best Effort.
-Assured Forwarding (which is broken down into sub-levels).
-Expedited Forwarding (has the highest priority).
A CoS (Class of Service) mechanism.
96
What does IEEE 802.1p do?
Can be used at layer 2 independently or in conjunction with DiffServ. Classifies and prioritizes traffic passing over a switch or wireless access point. Defines a tagging mechanism within the 802.1Q VLAN field. A CoS (Class of Service) mechanism.
97
What does QoS do?
Allows fine-grained control over traffic parameters. ex. if a network link is congested, DiffServ and 802.1p cannot address it, but a protocol such as Multiprotocol Label Switching (MPLS) with QoS functionality can reserve required bandwidth and predetermine statistics such as acceptable packet loss and maximum latency and jitter when setting up the link.
98
What are the 3 planes the network functions of QoS are normally divided into?
Control plane: Makes decisions about how traffic should be prioritized and where it should be switched.
Data plane: Handles the actual switching of traffic.
Management plane: Monitors traffic conditions.
NOTE: Protocols, appliances, and software that can apply these three functions can be described as traffic shapers or bandwidth shapers.
99
What do traffic shapers do?
Delay certain packet types, based on their content to ensure that other packets have a higher priority. This can help to ensure that latency is reduced for critical applications. Will also store packets until there is free bandwidth available. Helps make the traffic smoother.