
Introduction To Networking

NETWORKING

1.0.0 Introduction

A network is simply a group of two or more computers linked together. Many types of networks exist, but the most common types are Local-Area Networks (LANs) and Wide-Area Networks (WANs). In a LAN, computers are connected together within a "local" area (for example, an office or home). In a WAN, computers are further apart and are connected via telephone/communication lines, radio waves or other means of connection.

1.0.1 Networks Categorization

Networks are usually classified using three properties: topology, protocol and architecture.

Topology specifies the geometric arrangement of the network. Common topologies are the bus, ring and star; the three are illustrated in the figures of the Network Topologies section below.

Protocol specifies a common set of rules and signals that the computers on the network use to communicate. Most networks use Ethernet, but some networks may use IBM's Token Ring protocol. Ethernet is the normally recommended protocol for both home and office networking; see the Ethernet section for more information.

Architecture refers to one of the two major types of network architecture: peer-to-peer or client/server. In a peer-to-peer networking configuration there is no server, and computers simply connect with each other in a workgroup to share files, printers and Internet access. This is most commonly found in home configurations and is only practical for workgroups of a dozen or fewer computers. In a client/server network there is usually a Domain Controller (a Windows server, NT etc.) to which all of the computers log on. This server can provide various services, including centrally routed Internet access, mail (including e-mail), file sharing and printer access, as well as ensuring security across the network. This is most commonly found in corporate configurations, where network security is essential.

1.0.2 Network Topologies

1.0.3 Introduction


There are two types of topologies: physical and logical. The physical topology of a network refers to the layout of cables, computers and other peripherals. The physical topology can also be described as the layout of the network, just like a map shows the layout of various roads. Try to imagine yourself in a room with a small network: you can see network cables coming out of every computer that is part of the network, and those cables plug into a hub or switch. What you're looking at is the physical topology of that network!

Logical topology is the method used to pass the information between the computers: how the data is sent across the network or, on the map, how the cars are able to travel (the direction and speed) on every road. In other words, comparing a network to a room, if you were to try to see how the network works with all the computers talking (think of the computers generating traffic and packets of data going everywhere on the network) you would be looking at the logical part of the network. The way the computers talk to each other and the direction of the traffic is controlled by the various protocols (rules) such as Ethernet. If we used Token Ring, then the physical topology would have to change to meet the requirements of the way the Token Ring protocol works (logically).

Page 1 of 1765

The most common types of physical topologies, which we are going to analyse, are: Bus, Hub/Star, Ring and Mesh.

1.0.4 The Physical Bus Topology

Bus topology is fairly old news and you probably won't be seeing much of it around in any modern office or home. With the Bus topology, all workstations are connected directly to the main backbone that carries the data. Traffic generated by any computer will travel across the backbone and be received by all workstations. This works well in a small network of 2-5 computers, but as the number of computers increases so will the network traffic, and this can greatly decrease the performance and available bandwidth of the network.


Figure 1: Bus Topology

As you can see in the above example, all computers are attached to a continuous cable which connects them in a straight line. The arrows clearly indicate that the packet generated by Node 1 is transmitted to all computers on the network, regardless of the destination of this packet. Also, because of the way the electrical signals are transmitted over this cable, its ends must be terminated by special terminators that work as "shock absorbers", absorbing the signal so it won't reflect back to where it came from. The value of a terminator (50 Ohms) is selected based on the electrical characteristics of the cable used, the voltage of the signal which runs through the cables, the maximum and minimum length of the bus and a few more factors. If the bus (the long yellow cable) is damaged anywhere in its path, then it will most certainly cause the network to stop working or, at the very least, cause big communication problems between the workstations. Thinnet (10BASE2, also known as coax cable, black in colour) and Thicknet (10BASE5, yellow in colour) are used in this type of topology.

The Physical Hub or Star Topology


Figure 2: Star or Hub Topology

The Star or Hub topology is one of the most common network topologies found in most offices and home networks. It has become very popular in contrast to the bus type because of the cost and the ease of troubleshooting. The advantage of the star topology is that if one computer on the star fails, then only the failed computer is unable to send or receive data. The remainder of the network functions normally. The disadvantage of using this topology is that because each computer is connected to a central hub or switch, the entire network will fail if this switch fails. A classic example of this type of topology is UTP (10BASE-T).

1.0.5 The Physical Ring Topology

In the ring topology, computers are connected on a single circle of cable. Unlike the bus topology, there are no terminated ends. The signals travel around the loop in one direction and pass through each computer, which acts as a repeater to boost the signal and send it to the next computer. On a larger scale, multiple LANs can be connected to each other in a ring topology by using Thicknet coaxial or fiber-optic cable.


Figure 3: Ring Topology



The method by which the data is transmitted around the ring is called token passing. Any node or computer that needs to send data waits for an empty token, which circulates around the ring, and places the data into the empty token together with the address of the destination (the receiver). The token is then transmitted to the destination that has that address. On reaching the destination, the data is released to the node concerned and the token is left to roam the ring once again. Any node within the ring will have to wait until an empty token becomes available before it can also transmit a signal. A token is a special series of bits that contains control information. Possession of the token allows a network device to transmit data to the network. Each network has only one token.

Figure 3: Mesh Topology


In a mesh topology, each computer is connected to every other computer by a separate cable. This configuration provides redundant paths through the network, so if one computer fails, you don't lose the network. On a large scale, you can connect multiple LANs using mesh topology with leased telephone lines, Thicknet coaxial cable or fiber-optic cable. The big advantage of this topology is its backup capability: it provides multiple paths through the network.

1.0.6 The Physical Hybrid Topology

With the hybrid topology, two or more topologies are combined to form a complete network. For example, a hybrid topology could be the combination of a star and bus topology. These are also the most common in use.
Star-Bus

Figure 4: Hybrid-Star Bus Topology

In a star-bus topology, several star topology networks are linked to a bus connection. In this topology, if a computer fails, it will not affect the rest of the network. However, if the central component, or hub, that attaches all computers in a star, fails, then no other computer will be able to communicate.


Figure 5: Star-Ring Topology

In the Star-Ring topology, the computers are connected to a central component as in a star network. These components, however, are wired to form a ring network. Like the star-bus topology, if a single computer fails, it will not affect the rest of the network. By using token passing, each computer in a star-ring topology has an equal chance of communicating. This allows for greater network traffic between segments than in a star-bus topology.

1.0.7 Introduction To Data Transmission

1.0.8 Introduction

Routable protocols enable the transmission of data between computers in different segments of a network. However, high volumes of certain kinds of network traffic can affect network efficiency because they slow down transmission speed. The amount of network traffic generated varies with the three types of data transmission:

Broadcast
Multicast
Unicast


We are going to have a look at each one of these data transmissions because it's very important to know the type of traffic they generate, what they are used for and why they exist on the network.

Introduction To Protocols

Introduction

In the networking and communications area, a protocol is the formal specification that defines the procedures that must be followed when transmitting or receiving data. Protocols define the format, timing, sequence, and error checking used on the network. In plain English, the above means that if you have two or more devices, e.g. computers, which want to communicate, then they need a common "protocol", which is a set of rules that guide the computers on how and when to talk to each other. The way this "definition" happens in computer land is by the RFCs (Requests For Comments), where the IETF (a group of engineers with no life) make up the new standards and protocols, and then the major vendors (IBM, Cisco, Microsoft, Novell) follow these standards and implement them in their products to make more money and try to take over this world! There are hundreds of protocols out there and it is impossible to list them all here, but instead we have included some of the most popular protocols around so you can read up on them and learn more about them. The table below shows the most popular TCP/IP protocols alongside the OSI model, so you can see which layer each of these protocols works at. One thing which you should keep in mind is that as you move from the lower layers (Physical) to the upper layers (Application), more processing time is needed by the device that's dealing with the protocol. Please note: all routing protocols can be found under the Networking/Routing section.

Table: TCP/IP Protocol Stack and The OSI Model



Currently available protocols to read about are:

Internet Protocol (IP)
TCP
UDP
ICMP
DNS
FTP
TFTP
Ethernet
RIP
OSPF

Transmission Control Protocol (TCP)

Introduction

The Transmission Control Protocol, or TCP as we will refer to it from now on, is one of the most important and well-known protocols on networks today. Used in every type of network world-wide, it enables millions of data transmissions to reach their destination and works as a bridge, connecting hosts with one another and allowing them to use various programs in order to exchange data.

The Need For Reliable Delivery

TCP is defined by RFC 793 and was introduced to the world towards the end of 1981. The motivation behind creating such a protocol was the fact that back in the early 80s, computer communication systems were playing a very important role for the military, education and normal office environments. As such, there was the need to create a mechanism that would be robust and reliable and would complete data transmission over various media without great losses.


TCP was designed to be able to deliver all of the above, and so it was adopted promptly by the rest of the world.

TCP, A Transport Protocol

Introduction

Understanding how each protocol fits into the OSI Model is essential for any network engineer. This page analyses how TCP is classified as a 'transport protocol' and gives you an insight into what to expect from the protocol.

Placing TCP into the OSI Model

As most of you are well aware, every protocol has its place within the OSI Model. The OSI Model is an indication of the complexity and intelligence of the protocol. As a general rule, the higher you move up the OSI Model, the more intelligent protocols become. The positioning of the layer also reflects how CPU intensive they are, whereas the lower layers of the OSI Model are quite the opposite, that is, less CPU intensive and less intelligent.

TCP is placed at the 4th layer of the OSI Model, which is also known as the transport layer. If you have read through the OSI model pages, you will recall that the transport layer is responsible for establishing sessions, data transfer and tearing down virtual connections.

With this in mind, you would expect any protocol that's placed in the transport layer to implement certain features and characteristics that would allow it to support the functionality the layer provides.

So as we analyse TCP, you will surely agree that it fits right into the transport layer.


The diagram below shows you where the TCP header is located within a frame that's been generated by a computer and sent to the network. If you rotate it 90 degrees to your left, you would get something similar to the previous diagram. This of course is because each layer appends its own information, or header if you like:

The frame is made up of six 3D blocks so you can see which piece is added by every OSI layer. You can see that the TCP Header, containing all the options the protocol supports, is placed right after the IP Header (Layer 3), and before the data section that contains upper layer information (Layers 5, 6, 7).

Note: For those who are wondering about the presence of the FCS block at the end, it contains a special checksum that is placed by the datalink layer in order to allow the receiving host to detect if the current frame has been corrupted during transit.

Please refer to the Ethernet II Frame page for more information.

Where and why would we use TCP?

TCP is used in almost every type of network. As a protocol, it is not restricted to any type of network topology, whether it be a local area network (LAN) or wide area network (WAN). Being a transport protocol (we call it a transport protocol because it's located in the transport layer of the OSI model), its primary job is to get data from one location to another, regardless of the physical network and location.

As most of you already know, there are two types of transport protocols, TCP being one of them and UDP (User Datagram Protocol) being the other. The difference between these two transport protocols is that TCP offers an extremely reliable and robust method of transferring data, ensuring that the data being transferred does not become corrupt in any way. UDP, on the other hand, offers a non-reliable way of transferring data without being able to guarantee that the data has arrived at its destination, or its integrity when it does arrive.

The concept of a transport protocol

As we mentioned, TCP is a transport protocol and this means it is used to transfer data of other protocols. At first, this might sound weird or confusing but this is exactly why it was designed, adding substantial functionality to the protocols it carries.

The diagram below is the simplest way to show the concept of a 'transport' protocol:


In the pages to follow, we will have a closer look at how TCP manages to provide its reliable data transfer method and make sure packets get to their destination without errors. This whole process is the work of many 'subsystems' within TCP that work together to provide the reliability that TCP gives us.

Before we dive in deeper though, let's have a quick overall view of the protocol. If you're not interested in too much technical detail, then the next page is for you! For those looking for an in-depth analysis, you should read the quick-overview page to get an idea of what we will be analysing soon.


Quick Overview Of The Transmission Control Protocol - TCP

Introduction

To assist in making this process as painless and understandable as possible, we are going to provide a quick overview of the protocol and then start analysing each component-field in the pages to come, using examples and the cool 3D diagrams :)

As previously mentioned on a number of occasions, TCP is one of the two protocols that live at the Transport layer and is used to carry data from one host to another. What makes TCP so popular is the way it works when sending and receiving data. Unlike UDP, TCP will check for errors in every packet it receives in an endless struggle to avoid data corruption.

Some common protocols that use TCP are: FTP, Telnet, HTTP, HTTPS, DNS, SMTP and POP3. Let's have a closer look at the main characteristics of this wonderful protocol.

When people refer to "TCP/IP" remember that they are talking about a suite of protocols and not just one protocol, like most people think. TCP/IP is not one protocol. Please see the Protocols section for more information.

Main Features

These are the main features of TCP that we are going to analyse:

Reliable Transport
Connection-Oriented
Flow Control
Windowing
Acknowledgements
More overhead

Reliable Transport

TCP is a reliable transport because of the different techniques it uses to ensure that the data received is error free. TCP is a robust protocol used for file transfers where data error is not an option. When you decide to download a 50MB file from a website, you wouldn't want to find out after the download is complete that the file has an error! Even though, in reality, this does happen, it just goes to show that you can't always be perfect with certain things.

The picture shows the TCP header within an Ethernet II frame. Right below this you will find our second diagram that zooms in on the TCP header, displaying the fields the protocol contains:


The diagram on the left shows the individual breakdown of each field within the TCP header along with its length in bits. Remember that 8 bits equal 1 byte.

The most popular fields within the TCP header are the Source Port, Destination Port and Code bits. These Code bits are also known as 'flags'.

The rest of the fields help make sure all TCP segments make it to their destination and are reassembled in the correct order, while at the same time providing an error-free mechanism should a few segments go missing and never reach their destination. Keep in mind that in the pages to follow we will have a detailed look into each available field; for now we are providing an overview of them.
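As an added example (not part of the original text), the following Python decodes the fixed 20-byte TCP header described above, using the RFC 793 field widths: ports 16 bits each, sequence and acknowledgement numbers 32 bits, data offset 4 bits, reserved 6 bits, code bits (flags) 6 bits, then window, checksum and urgent pointer at 16 bits each. The sample segments are constructed by hand; the port numbers and sequence values in them are arbitrary.

```python
import struct

# Code bits, lowest bit first: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the TCP header at the start of `segment` into its fields.

    Raises ValueError when the segment is too short or the data offset
    (header length in 32-bit words) points outside the bytes we were given,
    which is the kind of inconsistency a decoder must refuse rather than trust.
    """
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (src_port, dst_port, seq, ack,
     offset_flags, window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4          # top 4 bits: length in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    code_bits = offset_flags & 0x3F                # low 6 bits: the flags
    flags = [name for i, name in enumerate(FLAG_NAMES) if code_bits & (1 << i)]
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "flags": flags,
        "window": window,
        "checksum": checksum,
        "urgent": urgent,
        "options": segment[20:header_len],         # empty for a 20-byte header
        "payload": segment[header_len:],           # upper-layer data (layers 5-7)
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, options=b"", payload=b""):
    """Build a segment with the given flag names; options must be a multiple of 4 bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    code_bits = 0
    for name in flags:
        code_bits |= 1 << FLAG_NAMES.index(name)
    words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        (words << 12) | code_bits, window, 0, 0)   # checksum/urgent left 0
    return fixed + options + payload


# Constructed samples: a SYN to port 80 with no options, the SYN-ACK reply,
# and a SYN carrying a 4-byte MSS option (kind 2, length 4, value 1460).
SAMPLE_SYN = build_tcp_header(40000, 80, 0x01020304, 0, ["SYN"])
SAMPLE_SYN_ACK = build_tcp_header(80, 40000, 0x0A0B0C0D, 0x01020305, ["SYN", "ACK"], window=29200)
SAMPLE_SYN_MSS = build_tcp_header(40000, 80, 0x01020304, 0, ["SYN"],
                                  options=b"\x02\x04\x05\xb4", payload=b"GET")

if __name__ == "__main__":
    for sample in (SAMPLE_SYN, SAMPLE_SYN_ACK, SAMPLE_SYN_MSS):
        print(parse_tcp_header(sample))
```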


Before we proceed, please note that understanding the OSI Model (required, especially Layers 2 and 3), Ethernet and the way a packet is structured is fundamental to understanding broadcast and multicast traffic. The Transmission Control Protocol / Internet Protocol (TCP/IP) is the main platform for a network involving the Internet and operates within the seven layers of the Open System Interconnection (OSI) reference model, namely the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. TCP provides a reliable flow of data between two nodes by maintaining a connection-oriented environment and also handles sequencing and error detection, ensuring that a reliable stream of data is received by the destination application. Unlike TCP, the User Datagram Protocol (UDP) provides an unreliable and connectionless datagram service, in which case it does not attempt to perform any sequencing or ensure data reliability. The movement of packets around a network is handled by the network layer, implementing efficient routing algorithms.

The physical layer is often tightly coupled with the data link layer and is responsible for transmitting raw bits across the network through network interface cards and cables or by wireless schemes. Within the protocol stack each layer provides services which are used by the upper layers, so support for mobility is likely to affect all the layers. For instance, the data link layer is required to make the necessary provisions to accommodate the distinguishing characteristics of wireless media, such as low bandwidth and the differences in power levels of end-to-end nodes.


The network layer, which routes data to a destination host based on its location, needs modification so as to handle routing procedures when the physical location of the host changes. Similarly, at the transport layer, it is necessary to provide a better end-to-end delivery service, especially when packets are dropped, as packets may be lost during mobility and need to be delivered to their new location.

1.0.8 Open System Interconnection Protocol (OSI)

The OSI is a standard reference model for communication between two end-users in a network. It is used in developing products and understanding networks. Figure 6 shows where commonly-used Internet products and services fit within the model.

Figure 6: Open System Interconnection model

The OSI reference model describes seven layers of related functions that are needed at each end when a message is sent from one party to another in a network. An existing network product or program can be described in part by where it fits into this layered structure. For example, Transmission Control Protocol/Internet Protocol (TCP/IP) is usually packaged with other Internet programs as a suite of products that support communication over the Internet. This suite includes the File Transfer Protocol (FTP), which is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet; Telnet (a user command and an underlying TCP/IP protocol for accessing remote computers); the Hypertext Transfer Protocol (HTTP); e-mail protocols; and others. Although TCP fits well into the Transport layer of OSI and IP into the network layer, the other programs fit rather loosely (not neatly within a layer) into the session, presentation and application layers.

1.0.9 TCP/IP

TCP/IP is a two-layer protocol. The higher layer, TCP, manages the assembling of a message or a file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. It also uses a set of rules to exchange messages with other Internet points at the information packet level. The lower layer, IP, handles the address part of each packet so that it gets to the right destination. IP is designed for use in interconnected systems for transmitting blocks of data called datagrams from source to destination, and also provides for fragmentation. There are many other Internet protocols, such as the Border Gateway Protocol (BGP), which is a protocol for exchanging routing information between gateway hosts in a network of autonomous systems: the addresses they can reach, and a cost metric associated with the path to each router. Dynamic Host Configuration Protocol (DHCP) is also a protocol which enables network administrators to centrally manage and automate the assignment of IP addresses in an organization's network, and it is also part of the Internet Protocol. Without DHCP a new IP address must be entered each time a computer moves to a new location on a network within the same LAN. DHCP uses the concept of a "lease", or amount of time that a given IP address will be valid for a computer.

1.1.0 The Internet Protocol Address


An IP address is a 32-bit number that identifies each sender or receiver of information sent in packets across the Internet. This 32-bit IP address has two parts: one part identifies the network (with the network number) and the other part identifies the specific machine or host within the network (with the host number). An organization can use some of the bits in the machine or host part of the address to identify a specific subnet. Effectively, the IP address then contains three parts: the network number, the subnet number, and the machine number. The 32-bit IP address is also written as a dot address (also called dotted quad notation) of decimal numbers separated by periods. For example: 130.5.5.25

Each of the decimal digits represents a string of four binary digits. Thus, the above IP address really is this string of 0s and 1s: 10000010.00000101.00000101.00011001

Some portion of the IP address represents the network number or address and some portion represents the local machine address (also known as the host number or address). IP addresses can be one of several classes, each determining how many bits represent the network number and how many represent the host number. The most common class used by large organizations (Class B) allows 16 bits for the network number and 16 bits for the host number. Using the above example, the IP address is divided as:

<--Network address--><--Host address-->
        130.5                5.25

Subnetting can be added to this address, in which case some portion (in this example, eight bits) of the host address is used for a subnet address. Thus:

<--Network address--><--Subnet address--><--Host address-->
        130.5                 5                  25
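As an added example (not part of the original text), the Python below carries out the conversion and the Class B split shown above for 130.5.5.25, and generalises it: `split_address` takes any network-number width and any number of borrowed subnet bits, and `address_class` is the classful lookup by first octet. The only assumption is the page's own layout of 16 network bits and 8 subnet bits.

```python
def dotted_to_binary(address: str) -> str:
    """Return the 32-bit binary form of a dotted-quad address, 8 bits per decimal number.

    Rejects anything that is not exactly four numbers in 0-255, so a stray
    "130.5.5" or "130.5.5.256" fails loudly instead of being mis-split.
    """
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has exactly four decimal numbers")
    groups = []
    for octet in octets:
        if not octet.isdigit():
            raise ValueError(f"{octet!r} is not a decimal number")
        value = int(octet)
        if value > 255:
            raise ValueError(f"{value} is outside 0-255")
        groups.append(format(value, "08b"))
    return ".".join(groups)


def address_class(address: str) -> str:
    """Classful lookup from the first octet: A (0-127), B (128-191), C (192-223), D, E."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def split_address(address: str, network_bits: int, subnet_bits: int = 0) -> dict:
    """Split a 32-bit address into network, subnet and host numbers.

    network_bits is the width of the network number (16 for Class B);
    subnet_bits is how many of the remaining host bits the organisation
    borrowed for a subnet number (8 in the page's example).
    """
    if network_bits < 0 or subnet_bits < 0 or network_bits + subnet_bits > 32:
        raise ValueError("network + subnet bits must fit in 32 bits")
    bits = dotted_to_binary(address).replace(".", "")
    host_bits = 32 - network_bits - subnet_bits
    network = bits[:network_bits]
    subnet = bits[network_bits:network_bits + subnet_bits]
    host = bits[network_bits + subnet_bits:]
    return {
        "network": int(network, 2) if network else 0,
        "subnet": int(subnet, 2) if subnet else None,
        "host": int(host, 2) if host else 0,
        "host_bits": host_bits,
        # all-zeros (network) and all-ones (broadcast) host numbers are not usable
        "usable_hosts": max((1 << host_bits) - 2, 0),
    }


if __name__ == "__main__":
    print(dotted_to_binary("130.5.5.25"))
    print(address_class("130.5.5.25"), split_address("130.5.5.25", 16, 8))
```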

There are other higher layer application protocols that use TCP/IP to get to the Internet. These include HTTP, FTP, Telnet, and the Simple Network Management Protocol (SNMP), which is the protocol governing network management and the monitoring of network devices and their functions. Personal computer users with an analogue phone modem connection to the Internet usually get to the Internet through the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). These protocols encapsulate the IP packets so that they can be sent over the dial-up phone connection to an access provider's modem. Other protocols are used by network host computers for exchanging routing information, and these include the Internet Control Message Protocol (ICMP), the Interior Gateway Protocol (IGP), the Exterior Gateway Protocol (EGP), and the Border Gateway Protocol (BGP).

An IGP is used for exchanging routing information between gateways (hosts with routers) within an autonomous network (for example, a system of corporate local area networks). The routing information can then be used by IP or other network protocols to specify how to route transmissions. There are two commonly used IGPs: the Routing Information Protocol (RIP), which is an older routing protocol that is installed in many of today's corporate networks, and the Open Shortest Path First (OSPF) protocol, which is used within larger autonomous system networks in preference to RIP. Unlike RIP, in which the entire routing table is sent, a host using OSPF sends only the part that has changed. With RIP, the routing table is sent to a neighbor host every 30 seconds. Rather than simply counting the number of hops, OSPF allows the user to assign cost metrics to a given host router so that some paths are given preference; it also supports a variable network subnet mask so that the network can be subdivided. RIP is supported within OSPF for router-to-end station communication.

The Exterior Gateway Protocol (EGP) is used for exchanging routing table information between two neighbor gateway hosts (each with its own router) in a network of autonomous systems. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. Each router polls its neighbor at intervals of 120 to 480 seconds and the neighbor responds by sending its complete routing table.
A given network can also be characterized by the type of data transmission technology in use on it (for example, a TCP/IP or Systems Network Architecture network); by whether it carries voice, data, or both kinds of signals; by who can use the network (public or private); by the usual nature of its connections (dial-up or switched, dedicated or non-switched, or virtual connections); and by the types of physical links (for example, optical fiber, coaxial cable, and Shielded/Unshielded Twisted Pair).

2.4 IP Header Fields


The IP header carries the IP address of the sending node and of the receiving node, and is followed by the actual data. For packets to be delivered correctly, IP executes two main steps: packet routing and packet forwarding. IP makes no guarantees concerning reliability, flow control, error detection or error correction. In common with IP, the User Datagram Protocol (UDP) is a connectionless protocol. It routes data to its correct destination port, but does not attempt to perform any sequencing, or to ensure data reliability or recover from packet loss.

Figure 7: Packet header

1.1.1 Media Access Control-MAC Address


1.1.2 Introduction

MAC addresses are physical addresses, unlike IP addresses, which are logical addresses. Logical addresses require you to load special drivers and protocols in order to be able to configure your network card/computer with an IP address, whereas a MAC address doesn't require any drivers whatsoever. The reason for this is that the MAC address is actually "burnt-in" to your network card's memory chipset.

1.1.3 The Reason for MAC

Each computer on a network needs to be identified in some way. If you're thinking of IP addresses, then you're correct to some extent, because an IP address does identify one unique machine on a network, but that is not enough. Check the diagram and explanation below to see why:

Figure 8: Position of MAC address in the Open System Interconnection model

You see, the IP address of a machine exists on the 3rd Layer of the OSI model and, when a packet reaches the computer, it will travel from Layer 1 upwards, so we need to be able to identify the computer before Layer 3.


This is where the MAC address - Layer 2 comes into the picture. All machines on a network will listen for packets that have their MAC address in the destination field of the packet (they also listen for broadcasts and other stuff, but that's analysed in other sections). The Physical Layer understands the electrical signals on the network and creates the frame which gets passed to the Datalink layer. If the packet is destined for the computer then the MAC address in the destination field of the packet will match, so it will accept it and pass it onto the Layer above (3) which, in turn, will check the network address of the packet (IP Address), to make sure it matches with the network address to which the computer has been configured. Let's now have a look at a MAC address and see what it looks like! In the example below:

Figure 9: Structure of MAC address

When looking at a MAC address, you will always see it in HEX format. It is very rare that a MAC address is represented in binary format because it is simply too long, as we will see further on. When a vendor, e.g. Intel, creates network cards, they don't just give them any MAC address they like; this would create big confusion in identifying who created this network card and could possibly result in clashing with another MAC address from another vendor, e.g. D-Link, who happened to choose the same MAC address for one of their network cards! To make sure problems like this are not experienced, the IEEE split the MAC address in half, and used the first half to identify the vendor, while the second half is for the vendor to allocate as serial numbers:

Figure 10: Specifications in MAC address


The Vendor code is specified by RFC 1700. You might find a particular vendor having more than just one code; this is because of the wide range of products they might have. It should be noted that even though the MAC address is "burnt-in" to the network card's memory, some vendors will allow you to download special programs to change the second half of the MAC address on the card. This is because the vendors actually re-use the same MAC addresses for their network cards, because they create so many that they run out of numbers. But at the same time, the chances of you buying two network cards which have the same MAC address are so small that it's almost impossible. A MAC address of any network card is always the same length, that is, 6 Bytes long or 48 Bits long. The figure below makes it a bit easier to understand:

Figure 11: Converting MAC address from HEX to Binary

1.1.3 Broadcast

1.1.4 Introduction

The term "Broadcast" is used very frequently in the networking world. You will see it in most networking books and articles, or see it happening on your hub/switch when all the LEDs start flashing at the same time.

If you have been into networking for a while you most probably have come across the terms "broadcast" and "subnet broadcast". When I first dived into the networking world, I was constantly confused between the two, because they both carried the "broadcast" term in them. We will analyse both of them here, to help you understand exactly what they are and how they are used!


A Broadcast means that the network delivers one copy of a packet to each destination. On bus technologies like Ethernet, broadcast delivery can be accomplished with a single packet transmission. On networks composed of switches with point-to-point connections, software must implement broadcasting by forwarding copies of the packet across individual connections until all switches have received a copy. We will be focusing only on Ethernet broadcasts. The picture below illustrates a router which has sent a broadcast to all devices on its network:

Figure 12: Broadcasting within a network

Normally, when the computers on the network receive a packet, they will first try to match the MAC address of the packet with their own and, if that is successful, they process the packet and hand it to the OSI layer above (Network Layer); if the MAC address is not matched, then the packet is discarded and not processed. However, when they see a MAC address of FF:FF:FF:FF:FF:FF, they will process this packet because they recognize it as a broadcast. But what does a "broadcast" look like? Check out the image below, which is taken from a packet sniffer:

Figure 13: Structure of a packet from a sniffer

The image above shows a broadcast packet. You can clearly see that the "MAC destination address" is set to FF:FF:FF:FF:FF:FF. The "Address IP destination" is set to 255.255.255.255; this is the IP broadcast address and ensures that no matter what IP address the receiving computer(s) have, they will not reject the data but process it.

Now you might ask yourself "Why would a workstation want to create a broadcast packet?" The answer to that lies within the various protocols used on our networks. Compared to Broadcasts and Multicasts, a Unicast is very simple and the transmission is directed to only one machine. Let's take for example Address Resolution Protocol (ARP). ARP is used to find out which MAC address (effectively, which network card or computer) has a particular IP address bound to it. You will find an example of the whole process in the IP Routing section.

Figure 14: The structure of a packet

For a device such as a router to ask "Who has IP address 192.168.0.100?", it must "shout" it out so it can grab everyone's attention, which is why it uses a broadcast to make sure everyone listens and processes the packet on the network.

In the image above, the particular machine was looking for a DHCP server (notice the "bootps" protocol under the UDP Header - Layer 4, which is DHCP).

1.1.5 Subnet Broadcast or Direct Broadcast

A Subnet or Direct broadcast is targeted not to all hosts on a network, but to all hosts on a subnet. Since a physical network can contain different subnets/networks, e.g. 192.168.0.0 and 200.200.200.0, the purpose of this special broadcast is to send a message to all the hosts in a particular subnet. In the example below, Router A sends a subnet broadcast onto the network. Hosts A, B, C and the Server are configured to be part of the 192.168.0.0 network so they will receive and process the data, but Host D is configured with a different IP Address, so it's part of a different network; it will accept the packet because of its broadcast MAC address, but will drop the packet when it reaches its Network Layer, where it will see that this packet was for a different IP network.

Figure 15: A Subnet Broadcast

It is very similar to the network broadcast we just talked about but varies slightly in the sense that its IP broadcast is not set to 255.255.255.255, but is set to the subnet broadcast address. For example, my home network is a Class C network: 192.168.0.0 with a subnet mask of 255.255.255.0 or, if you like to keep it simple, 192.168.0.0/24. This means that the available valid hosts for this network are from 192.168.0.1 to 192.168.0.254. In this Class C network, as in every other network, there are 2 addresses which I can't use. The first one is preserved to identify the network (192.168.0.0) and the second one for the subnet broadcast (192.168.0.255).

Figure 16: Structure of a packet from a sniffer

The above packet, captured from a packet sniffer, shows a workstation broadcasting to the subnet 192.168.0.0. From the broadcast address you can tell that a full Class C network range is being used, otherwise the Destination IP would not be 192.168.0.255.

The decoder on the right shows you the contents of each header from the above packet. Looking at the MAC header (Datalink Layer), the destination MAC address is set to FF:FF:FF:FF:FF:FF and the IP header (Network Layer) has the Destination IP set to 192.168.0.255 which is, as I said, the Subnet Broadcast address. Again, all computers on the network which are part of the 192.168.0.0 subnet will accept the packet; the rest will drop the packet once they see it's for a network to which they do not belong.

In this example, I double clicked on my "Network Places" and was searching for a computer; this forced my workstation to send out a Subnet Broadcast on the network asking if a particular computer existed on the network.

1.1.6 The Reason for Unicast

Well, it's pretty obvious why they came up with Unicasts: imagine trying to send data between 2 computers on a network using broadcasts! All you would get would be a very slow transfer and possibly a congested network with low bandwidth availability. Data transfers are, almost all of the time, unicasts. You have the sender, e.g. a webserver, and the receiver, e.g. a workstation. Data is transferred between these two hosts only, whereas a broadcast or a multicast is destined either to everyone or just a group of computers.

Figure 17: A simple unicast example

In the figure above, my workstation sends a request to the Windows 2000 Server. The request is a simple Unicast because it's directed to one machine (the server) and nothing else. You just need to keep in mind that because we are talking about an Ethernet network, the traffic, and hence the packets, are seen by all machines (in this case the Linux Server as well), but they will not process them once they see that the destination MAC address in the packets does not match their own and is also not set to FF:FF:FF:FF:FF:FF, which would indicate that the packet is a broadcast.

1.1.7 Multicast

1.1.8 Introduction

A multicast is similar to a broadcast in the sense that its target is a number of machines on a network, but not all. Where a broadcast is directed to all hosts on the network, a multicast is directed to a group of hosts. The hosts can choose whether they wish to participate in the multicast group (often done with the Internet Group Management Protocol), whereas in a broadcast, all hosts are part of the broadcast group whether they like it or not :).


Figure 18: A simple Multicast example

As you are aware, each host on an Ethernet network has a unique MAC address, so how do you talk to a group of hosts (our multicast group), where each host has a different MAC address, and at the same time ensure that the other hosts, which are not part of the multicast group, don't process the information? You will soon know exactly how all this works. To keep things in perspective and make it easy to understand, we are going to concentrate only on an Ethernet network using the IP protocol, which is what 80-90% of home networks and offices use. In order to explain Multicasting, the process has been broken down into three sections:

1) Hardware/Ethernet Multicasting
2) IP Multicasting
3) Mapping IP Multicast to Ethernet Multicast

A typical multicast on an Ethernet network, using the TCP/IP protocol, consists of two parts: Hardware/Ethernet multicast and IP Multicast. Later on I will talk about Mapping IP Multicast to Ethernet Multicast, which is really what happens with multicasting on our Ethernet network using the TCP/IP protocol. The brief diagram below shows you the relationship between the 3 and how they complete the multicasting model:


Figure 19: The Multicast model

1.1.9 Hardware/Ethernet Multicasting

When a computer joins a multicast group, it needs to be able to distinguish between normal unicasts (which are packets directed to one computer or one MAC address) and multicasts. With hardware multicasting, the network card is configured, via its drivers, to watch out for particular MAC addresses (in this case, multicast MAC addresses) apart from its own. When the network card picks up a packet which has a destination MAC that matches any of the multicast MAC addresses, it will pass it to the upper layers for further processing. And this is how it is done: Ethernet uses the low-order bit of the high-order octet to distinguish conventional unicast addresses from multicast addresses. A unicast would have this bit set to ZERO (0), whereas a multicast would have it set to ONE (1). To understand this, we need to analyse the destination MAC address of a unicast and a multicast packet, so you can see what we are talking about. When a normal (unicast) packet is put on the network by a computer, it contains the Source and Destination MAC address, found in the 2nd Layer of the OSI model. The following picture is an example of a workstation (192.168.0.6) sending a packet to its gateway (192.168.0.5):

Figure 20: Structure of a packet from a sniffer

Now let's analyse the destination MAC address:


Figure 21: Analyzing a unicast destination

So now you should be able to understand how computers can differentiate between a normal or unicast packet and a multicast packet. Again, the destination MAC address 01-00-5E-00-00-05 is not the MAC address of a particular host computer but the MAC address that can be recognized by computers that are part of the multicast group. It should also be noted that you will never find a source address that is a multicast MAC address; the source address will always be a real one, to identify which computer the packet came from. A special rule which is beyond the scope of this book is used by the Institute of Electrical and Electronics Engineers (IEEE) group to determine the various MAC addresses that will be considered for multicasting. Using this special rule it was determined that MAC address 01:00:5E:00:00:05 will be used for the Open Shortest Path First (OSPF) protocol, which happens to be a routing protocol, and this MAC address also maps to an IP address, which is analyzed in IP Multicast.

1.2.0 IP Multicast

The IP Multicast is the second part of multicasting which, combined with the hardware multicasting, gives us a multicasting model that works for our Ethernet network. If hardware multicasting fails to work, then the packet will never arrive at the network layer upon which IP multicasting is based, so the whole model fails. With IP multicasting the hardware multicasting MAC address is mapped to an IP Address. Once Layer 2 (Datalink) picks the multicast packet from the network (because it recognizes it, as the destination MAC address is a multicast) it will strip the MAC addresses off and send the rest to the layer above, which is the Network Layer. At that point, the Network Layer needs to be able to understand that it is dealing with a multicast, so the IP address is set in a way that allows the computer to see it as a multicast datagram. A host may send multicast datagrams to a multicast group without being a member.

Multicasts are used a lot between routers so that they can discover each other on an IP network. For example, an Open Shortest Path First (OSPF) router sends a "hello" packet to other OSPF routers on the network. The OSPF router must send this "hello" packet to an assigned multicast address, which is 224.0.0.5, and the other routers will respond. IP Multicast uses Class D IP Addresses:

Figure 22: Classes of IP address

All Class C IP Addresses have a 24 bit subnet mask (255.255.255.0). All Class B IP Addresses have a 16 bit subnet mask (255.255.0.0). All Class A IP Addresses have an 8 bit subnet mask (255.0.0.0). Let's have a look at an example so we can understand that a bit better. The picture below is a screenshot from a packet sniffer; it shows a multicast packet which was sent from a NetWare server. Notice the destination IP address:

Figure 22: A screen shot of a Packet

The screenshot above shows the packet which was captured; it's simply displaying a quick summary of what was caught. But when we look below, we see the above packet in much more detail.

You can clearly see the markings I have put at the bottom which show you that the destination IP for this packet is IP Address 224.0.0.5. This corresponds to a multicast IP and therefore is a multicast packet. The MAC header also shows a destination MAC address of 01-00-5E-00-00-05 which we analysed in the previous section to show you how this is identified as a multicast packet at Layer 2 (Datalink Layer). Remember that these IP Addresses have been assigned by the IEEE.

Figure 22: Packet Header


Some examples of IP multicast addresses:

224.0.0.0  Base Address (Reserved) [RFC1112,JBP]
224.0.0.1  All Systems on this Subnet [RFC1112,JBP]
224.0.0.2  All Routers on this Subnet [JBP]
224.0.0.3  Unassigned [JBP]
224.0.0.4  DVMRP Routers [RFC1075,JBP]
224.0.0.5  OSPFIGP OSPFIGP All Routers [RFC2328,JXM1]

1.2.1 Mapping IP Multicast to Ethernet Multicast

The last part of multicast which combines the Hardware Multicasting and IP Multicasting is the Mapping between them. There is a rule for the mapping, and this is it:

To map an IP Multicast address to the corresponding Hardware/Ethernet multicast address, place the low-order 23 bits of the IP multicast address into the low-order 23 bits of the special Ethernet multicast address. The rest of the high-order bits are defined by the IEEE (yellow colour in the example).

The above rule basically determines the Hardware MAC address. Let's have a look at a real example to understand this. We are going to use Multicast IP Address 224.0.0.5 - a multicast for the OSPF routing protocol. The picture below shows us the analysis of the IP address in binary so we can clearly see all the bits:

Figure 23: Mapping between IP addresses and MAC addresses

It might seem a bit confusing at first, but let's break it down: We have an IP Address of 224.0.0.5; this is then converted into binary so we can clearly see the mapping of the 23 bits to the MAC address of the computer. The MAC Address part which is in yellow has been defined by the IEEE group. So the yellow and pink lines make the one MAC Address as shown in binary mode, then we convert it from binary to hex and that's about it!
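As an added example, not from the book: the Layer 2 accept decision from the broadcast and hardware multicasting sections and the 23-bit mapping rule above, in Python. The frames and the MAC and IP addresses are constructed; the block also lists the 32 groups that collide on one MAC, which follows from the 5 bits the rule drops.

```python
"""Added example (not from the book): the Layer 2 accept decision and the 23-bit
IP-to-Ethernet multicast mapping. Frame contents and addresses are constructed."""
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# 01-00-5E-00-00-00: the fixed high-order bits of IP multicast MACs (the "yellow" part)
IANA_MCAST_PREFIX = 0x01005E000000


def parse_mac(mac: str) -> bytes:
    """Accept 01:00:5E:00:00:05 or 01-00-5E-00-00-05 and return the 6 raw octets."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"MAC address must be 6 octets: {mac!r}")
    return octets


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac: str) -> str:
    """'broadcast', 'multicast' or 'unicast': the low-order bit of the high-order
    octet is 0 for a unicast (individual) address and 1 for a group address."""
    octets = parse_mac(mac)
    if octets == b"\xff" * 6:
        return "broadcast"
    return "multicast" if octets[0] & 0x01 else "unicast"


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return int.from_bytes(bytes(parts), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def multicast_ip_to_mac(ip: str) -> str:
    """Place the low-order 23 bits of a Class D address into the low-order 23 bits
    of 01-00-5E-00-00-00; the 1110 class prefix and the next 5 bits are dropped."""
    n = ip_to_int(ip)
    if n >> 28 != 0b1110:
        raise ValueError(f"{ip} is not a Class D (multicast) address")
    return mac_to_str((IANA_MCAST_PREFIX | (n & 0x7FFFFF)).to_bytes(6, "big"))


def groups_sharing_mac(ip: str) -> list:
    """Because 5 bits are dropped, 32 different groups map to the same MAC, so the
    NIC can pass up frames for groups the host never joined; IP must filter again."""
    base = ip_to_int(ip) & 0xF07FFFFF          # clear the 5 ambiguous bits (23..27)
    return [int_to_ip(base | (k << 23)) for k in range(32)]


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Ethernet II header: destination MAC, source MAC, EtherType, then payload."""
    return parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + payload


def nic_accepts(frame: bytes, own_mac: str, joined_groups=()) -> bool:
    """Layer 2 decision: accept the host's own MAC, the broadcast MAC, or a multicast
    MAC derived from one of the groups the driver was told to listen for."""
    dst = mac_to_str(frame[0:6])
    kind = classify_mac(dst)
    if kind == "broadcast":
        return True
    if kind == "multicast":
        return dst in {multicast_ip_to_mac(g) for g in joined_groups}
    return dst == mac_to_str(parse_mac(own_mac))


# Constructed sample frames (all addresses hypothetical)
OSPF_HELLO = build_frame("01:00:5e:00:00:05", "00:11:22:33:44:55", 0x0800)  # to 224.0.0.5
ARP_REQUEST = build_frame(BROADCAST_MAC, "00:11:22:33:44:55", 0x0806)
UNICAST = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800)

if __name__ == "__main__":
    host = "00:aa:bb:cc:dd:ee"
    for name, frame in [("OSPF hello", OSPF_HELLO), ("ARP request", ARP_REQUEST), ("unicast", UNICAST)]:
        kind = classify_mac(mac_to_str(frame[:6]))
        print(f"{name:12} {kind:10} accepted={nic_accepts(frame, host, ['224.0.0.5'])}")
    print("224.0.0.5 ->", multicast_ip_to_mac("224.0.0.5"))  # 01:00:5e:00:00:05
```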

NOTE:

You should keep in mind that multicast routers should not forward any multicast datagram with a destination address in the range 224.0.0.0 to 224.0.0.255.
1.2.2 Introduction

This page contains all the Multicast IP Addresses and shows what protocol they are mapped to. Should you ever use a packet sniffer to try and see what's on the network and you capture a packet with a destination IP Address of 224.X.X.X, then simply look up this list and you will know what the purpose of that packet was:

1.2.3 Internet Multicast Addresses

Host Extensions for IP Multicasting [RFC1112] specifies the extensions required of a host implementation of the Internet Protocol (IP) to support multicasting. Current addresses are listed below. The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive, is reserved for the use of routing protocols and other low-level topology discovery or maintenance protocols, such as gateway discovery and group membership reporting. Multicast routers should not forward any multicast datagram with destination addresses in this range, regardless of its Time-To-Live (TTL). Note that when used on an Ethernet or IEEE 802 network, the 23 low-order bits of the IP Multicast address are placed in the low-order 23 bits of the Ethernet or IEEE 802 net multicast address 1.0.94.0.0.0 (01-00-5E-00-00-00 in hex).

REFERENCES

[RFC1045] Cheriton, D., "VMTP: Versatile Message Transaction Protocol Specification", RFC 1045, Stanford University, February 1988.
[RFC1075] Waitzman, D., C. Partridge, and S. Deering, "Distance Vector Multicast Routing Protocol", RFC 1075, BBN STC, Stanford University, November 1988.
[RFC1112] Deering, S., "Host Extensions for IP Multicasting", STD 5, RFC 1112, Stanford University, August 1989.
[RFC1119] Mills, D., "Network Time Protocol (Version 1), Specification and Implementation", STD 12, RFC 1119, University of Delaware, July 1988.
[RFC1190] Topolcic, C., Editor, "Experimental Internet Stream Protocol, Version 2 (ST-II)", RFC 1190, CIP Working Group, October 1990.
[RFC1583] Moy, J., "The OSPF Specification", RFC 1583, Proteon, March 1994.
[RFC1723] Malkin, G., "RIP Version 2: Carrying Additional Information", RFC 1723, Xylogics, November 1994.
[RFC1884] Hinden, R., and S. Deering, "IP Version 6 Addressing Architecture", RFC 1884, Ipsilon Networks, Xerox PARC, December 1995.


1.2.8 Controlling Broadcasts


1.2.9 Introduction


The first step in controlling broadcast and multicast traffic is to identify which devices are involved in a broadcast or multicast storm. The following protocols can send broadcast or multicast packets:

Address Resolution Protocol (ARP)
Open Shortest Path First (OSPF)
IP Routing Information Protocol Version 1 (RIP1)
Service Advertising Protocol (SAP)
Internet Protocol Exchange (IPX) Routing Information Protocol (RIP)
NetWare Link Services Protocol (NLSP)
AppleTalk Address Resolution Protocol (AARP)

After identifying the source of the broadcast or multicast storm, you must examine the packets to find out which protocol or application triggered the broadcast or multicast storm. For example, if a single device is responsible for a broadcast storm, you can examine the device's broadcast traffic to determine exactly what the device was doing. For example, you can find out what the device was looking for or what the device was announcing.
Broadcast or multicast storms are often caused by a fault that occurs during the device discovery process. For example, if an IPX-based printing environment has been misconfigured, a print driver client may continually send Service Advertising Protocol (SAP) packets to locate a specific print server. Unanswered broadcast or multicast requests usually indicate that a device is missing or has been misconfigured.

Practice Test

Examine the broadcast traffic on your company's network. Do you see numerous unanswered, repeat queries? Do you see protocols (such as IP RIP1, SAP, and IPX RIP) that just "blab" all day even when no other devices may be listening? Or, is the majority of the broadcast and multicast traffic on your company's network purposeful? That is, does the broadcast and multicast traffic have a request-reply communication pattern? For example, are broadcast lookups answered? Do broadcast packets contain meaningful information? For example, if a network has numerous routers, do broadcast packets contain routing update information? Is the broadcast rate acceptable? Does your company's network need RIP updates every 30 seconds, or can you increase the interval to one minute?
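An added example, not from the book, that runs the triage described above over a few constructed packet-sniffer summary lines (all addresses hypothetical): it counts broadcast and multicast frames per source, lists ARP lookups that never received a reply, breaks the traffic down by protocol, and checks the broadcast rate against a threshold.

```python
"""Added example (not from the book): broadcast/multicast storm triage over a
constructed capture. Line format is 'time src_mac dst_mac proto info'."""
from collections import Counter, defaultdict

# Constructed capture: one well-behaved ARP lookup, one host repeating an ARP
# request nobody answers (a likely misconfigured or missing device), one OSPF hello.
SAMPLE_CAPTURE = """\
0.00 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.100 tell 192.168.0.6
0.01 00:aa:bb:cc:dd:ee 00:11:22:33:44:55 ARP 192.168.0.100 is-at 00:aa:bb:cc:dd:ee
0.50 00:de:ad:be:ef:01 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.250 tell 192.168.0.9
1.00 00:de:ad:be:ef:01 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.250 tell 192.168.0.9
1.50 00:de:ad:be:ef:01 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.250 tell 192.168.0.9
2.00 00:de:ad:be:ef:01 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.250 tell 192.168.0.9
2.50 00:de:ad:be:ef:01 ff:ff:ff:ff:ff:ff ARP who-has 192.168.0.250 tell 192.168.0.9
3.00 00:0c:29:aa:bb:01 01:00:5e:00:00:05 OSPF hello
"""


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the low-order bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def parse_capture(text: str) -> list:
    """Turn the summary lines into dicts; 'info' keeps the rest of the line."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, proto, *info = line.split()
        records.append({"time": float(t), "src": src, "dst": dst,
                        "proto": proto, "info": " ".join(info)})
    return records


def triage(text: str, max_rate_per_sec: float = 10.0) -> dict:
    """Answer the practice-test questions: who is talking, is it answered, how fast."""
    recs = parse_capture(text)
    group_frames = [r for r in recs if is_group_address(r["dst"])]
    talkers = Counter(r["src"] for r in group_frames)
    by_protocol = Counter(r["proto"] for r in group_frames)

    # Request/reply pattern for ARP: a who-has for an IP is answered if an
    # is-at for that IP appears anywhere in the capture.
    asked = defaultdict(int)
    answered = set()
    for r in recs:
        if r["proto"] != "ARP":
            continue
        words = r["info"].split()
        if words and words[0] == "who-has":
            asked[words[1]] += 1
        elif len(words) >= 3 and words[1] == "is-at":
            answered.add(words[0])
    unanswered = {ip: n for ip, n in asked.items() if ip not in answered}

    duration = recs[-1]["time"] - recs[0]["time"] if len(recs) > 1 else 0.0
    rate = len(group_frames) / duration if duration > 0 else float(len(group_frames))
    return {
        "group_frames": len(group_frames),
        "top_talker": talkers.most_common(1)[0][0] if talkers else None,
        "talkers": dict(talkers),
        "by_protocol": dict(by_protocol),
        "unanswered": unanswered,          # ip -> number of repeated queries
        "rate_per_sec": rate,
        "rate_ok": rate <= max_rate_per_sec,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key:14} {value}")
```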
1.3.0 Broadcast/Multicast Domains


If your company's network is experiencing excessive broadcast or multicast traffic, you should also check the scope of the broadcast or multicast domain. (A broadcast or multicast domain is the range of devices that are affected by a broadcast or a multicast packet.) Understanding broadcast and multicast domains can help you determine how harmful a broadcast storm can be from any point on the network. The scope of a broadcast and multicast domain depends, to some degree, on the network design. For example, the picture below shows two networks, a switched network and a routed network:

Figure 28: A Switched Network

On a switched network, Device 1 sends a broadcast or multicast packet that is propagated to all ports of the switch. (A typical layer-2 switch does not filter either broadcast or multicast traffic.) On a routed network, however, a router does not forward broadcast traffic. If Device 1 sends a broadcast packet, only Device 2 and the router see the broadcast packet. If appropriate, the router processes the broadcast packet and sends a reply. Because the broadcast packet is not forwarded, it does not affect Devices 3 or 4.

1.3.1 Introduction to Sub-netting

1.3.2 Introduction

Section 1: Basic Sub-netting Concepts. This section is to help you understand what a subnet really is. Introduction to the Default Subnet masks is covered at first and then you get to see and learn how the network is affected by changing the subnet mask.

Section 2: Subnet Masks and Their Effect. Here we will look at the Default Subnet mask in a bit more detail and introduce a few new concepts. Classless and Classful IP Addresses are covered here and you get to learn how the subnet mask affects them.

Section 3: The Subnet Mask Bits. Detailed analysis of subnet mask bits. Learn to recognise the number of bits in a subnet mask, followed by an introduction to complex subnets.

Section 4: Routing and Communications between Subnets. Understand how routers deal with subnets, how computers which are in different subnets can communicate with each other, along with a few general notes on subnetting that you should know.

Section 5: Subnetting Guidelines. Some last information to help you plan your new networks and a few things to keep in mind so you can avoid future problems with subnets.

1.3.3 Basic Concepts of Subnetting

1.3.4 What is Sub-netting?

When we subnet a network, we basically split it into smaller networks, partitioning one network into smaller ones by using different subnet masks. For example, when a set of IP Addresses is given to a company, e.g. 254 addresses, they might want to "break" (the correct term is "partition") that one network into smaller ones, one for each department. This way, their Technical department and Management department can each have a small network of their own. By sub-netting the network we can partition it into as many smaller networks as we need, and this also helps reduce traffic and hides the complexity of the network. By default, all Classes (A, B and C) have a subnet mask, which we call the "Default Subnet mask". You need to have one because:

1) All computers need the subnet mask field filled when configuring IP
2) You need to set some logical boundaries in your network
3) You should at least enter the default subnet mask for the Class you're using

In the previous pages I spoke about IP Classes, Network IDs and Host IDs; the fact is that the Subnet mask is what determines the Network ID and Host ID portion of an IP Address. The table below shows clearly the subnet mask that applies for each network Class.

Figure 29: Default Subnet masks

When dealing with subnet masks in the real world, we are free in most cases to use any type of subnet mask in order to meet our needs. If for example we require one network which can contain up to 254 computers, then a Class C network with its default subnet mask will do fine, but if we need more, then we might consider a Class B network with its default subnet mask set by the IEEE committee.

1.3.5 Understanding the concept

Let's stop here for one moment and have a look at what I mean by partitioning one network into smaller ones by using different subnet masks. The picture below shows our example network (192.168.0.0). All computers here have been configured with the default Class C subnet mask (255.255.255.0):


Figure 30: A Class C Network with its default Subnet mask

Because of the subnet mask we used, all these computers are part of the one network marked in blue. This also means that any one of these hosts (computers, router and server) can communicate with each other. If we now wanted to partition this network into smaller segments, then we would need to change the subnet mask appropriately so that we can get the desired result. Let's say we needed to change the subnet mask from 255.255.255.0 to 255.255.255.224 on each configured host. The picture below shows us how the computers will see the network once the subnet mask has changed:

Figure 31: Changing the default subnet mask

In reality, we have just created 8 networks from the one large (blue) network we had, but I am keeping things simple for now and showing only 2 of these smaller networks, because I want you to understand the concept of subnetting and see how important the subnet mask is.

In the next pages which are to follow I will analyse in great depth the way subnetting works and how to calculate it. It is very important that you understand the concepts introduced in this section, so make sure you do, before continuing !

Subnet Masks & Their Effect

1.3.5 Subnet masks and their effect

1.3.6 Introduction

There are a few different ways to approach subnetting and it can get confusing because of the complexity of some subnets and the flexibility they offer. For this reason I created this little paragraph to let you know how we are going to approach and learn subnetting. We are going to analyze the common subnet masks for each Class, giving detailed examples for most of them and allowing you to "see" how everything is calculated and understand the different effects a subnet mask can have as you change it. Once you have mastered this, you can then go on and create your custom subnet masks using any type of Class.

1.3.7 Default Subnet masks of each Class

By now you should have some idea what the subnet mask does and how it's used to partition a network. What you need to keep in mind is that each Class has its DEFAULT subnet mask, which we can change to suit our needs. I have already mentioned this in the previous page, but we need to look into it in a bit more detail. The picture below shows our 3 Network Classes with their respective default subnet mask:

Figure 32: Network Classes with their default subnet masks

1.3.8 The Effect of a Subnet Mask on an IP Address

In the IP Classes page we analyzed and showed clearly how an IP Address consists of two parts, 1) The Network ID and 2) The Host ID. This rule applies for all IP Addresses that use the default subnet mask and we call them Classful IP Addresses. We can see this once again in the picture below, where the IP Address is analyzed in Binary, because this is the way you should work when dealing with subnet masks:

Figure 33: Class C Classful IP address

We are looking at an IP Address with its subnet mask for the first time. What we have done is take the decimal subnet mask and convert it to binary, along with the IP Address. It is essential to work in binary because it makes things clearer and we can avoid making mistakes. The ones (1) in the subnet mask "lock" or, if you like, define the Network ID portion. If we change any bit within the Network ID of the IP Address, then we immediately move to a different network. So in this example, we have a 24 bit subnet mask.

NOTE: All Class C Classful IP Addresses have a 24 bit subnet mask (255.255.255.0). All Class B Classful IP Addresses have a 16 bit subnet mask (255.255.0.0). All Class A Classful IP Addresses have an 8 bit subnet mask (255.0.0.0).


On the other hand, the use of an IP Address with a subnet mask other than the default results in the standard Host bits (the Bits used to identify the HOST ID) being divided into two parts: a Subnet ID and Host ID. These types of IP Addresses are called Classless IP Addresses. In order to understand what a "Classless IP Address" is without getting confused, we are going to take the same IP Address as above, and make it a Classless IP Address by changing the default subnet mask:

Figure 34: Class C Classless IP address

Looking at the picture above you will now notice that we have a Subnet ID, something that didn't exist before. As the picture explains, we have borrowed 3 bits from the Host ID and used them to create a Subnet ID. Effectively we partitioned our Class C network into smaller networks. If you're wondering how many smaller networks, you'll find the answer on the next page. I prefer that you understand everything here rather than blasting you with more Subnet IDs, bits and all the rest :)

1.3.9 Summary

In this page we saw the default subnet mask of each Class and also introduced the Classful and Classless IP Addresses, which are a result of using various subnet masks. When we use IP Addresses with their default subnet masks, e.g. 192.168.0.10 is a Class C IP Address so the default subnet mask would be 255.255.255.0, then these are "Classful IP Addresses". On the other hand, Classless IP Addresses have their subnet mask modified in a way so that there is a "Subnet ID". This Subnet ID is created by borrowing Bits from the Host ID portion.

The picture below shows us both examples:

Figure 32: Subnet Mask Hierarchy

I hope that you have understood the new concepts and material on this page. Next we are going to talk about subnet bits, learn how to calculate how many bits certain subnet masks are and see the different and most used subnet masks available. If you think you might have not understood a few sections throughout this page, I would suggest you read it once more :)
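To make the Classful/Classless split of Figures 33 and 34 concrete, here is an added Python example (my code, not from the page). It takes an IP Address and a subnet mask, writes both in binary, infers the class default mask from the first octet, and reports the Network ID, Subnet ID and Host ID bits. Any mask bits beyond the class default are counted as bits borrowed from the Host ID; a mask that is not a contiguous run of ones is rejected, since such a mask cannot "lock" a Network ID the way the page describes.

```python
"""Split an IPv4 address into Network ID, Subnet ID and Host ID bits.

Added example, not code from the page. The classful default mask is
inferred from the first octet (Class A < 128, Class B < 192, Class C < 224);
every mask bit beyond that default is a bit "borrowed" from the Host ID.
"""


def ip_to_int(dotted):
    """Convert dotted-decimal ('192.168.0.10') to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_binary(dotted):
    """Render an address or mask as four 8-bit groups, the way the page's figures do."""
    return ".".join("{:08b}".format(int(o)) for o in dotted.split("."))


def prefix_length(mask):
    """Number of leading ones in a contiguous mask; rejects masks like 255.255.0.255."""
    value = ip_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def default_prefix(ip):
    """Classful default mask length from the first octet: A=8, B=16, C=24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("%s is not a Class A, B or C address" % ip)


def analyse(ip, mask):
    """Return the bit strings of the three fields plus whether the address is classful."""
    bits = "{:032b}".format(ip_to_int(ip))
    net_len = default_prefix(ip)
    prefix = prefix_length(mask)
    if prefix < net_len:
        raise ValueError("mask is shorter than the class default (that is supernetting)")
    return {
        "ip_binary": to_binary(ip),
        "mask_binary": to_binary(mask),
        "classful": prefix == net_len,      # default mask => Classful IP Address
        "network_id": bits[:net_len],       # locked by the default mask
        "subnet_id": bits[net_len:prefix],  # borrowed bits; empty when classful
        "host_id": bits[prefix:],
        "borrowed_bits": prefix - net_len,
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224"):
        r = analyse("192.168.0.10", mask)
        print(mask, r["ip_binary"], "classful" if r["classful"] else "classless",
              "net=%s subnet=%s host=%s" % (r["network_id"], r["subnet_id"], r["host_id"]))
```

With the default mask the Subnet ID comes back empty; with 255.255.255.224 the three borrowed bits appear as the Subnet ID and the Host ID shrinks to five bits, which is exactly the change between the two figures.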

1.4.0 Sub-netting analysis

1.4.1 Introduction

So we have covered to some depth the subnetting topic, but there is still much to learn ! We are going to explain here the available subnet masks and analyse a Class C network, using a specific subnet mask. It's all pretty simple, as long as you understand the logic behind it.

1.4.2 Understanding the use, and analyzing different subnet masks

Okay, so we know what a subnet mask is, but we haven't spoken (yet) about the different values they take, and the guidelines we need when we use them. That's what we are going to do here ! The truth is that you cannot take any subnet mask you like and apply it to a computer or any other device, because depending on the random subnet mask you choose, it will either create a lot of routing and communication problems, or it won't be accepted at all by the device you're trying to configure.


For this reason we are going to have a look at the various subnet masks so you know exactly what you need to use, and how to use it. Most importantly, we are going to make sure we understand WHY you need to choose specific subnet masks, depending on your needs. Most people simply use a standard subnet mask without understanding what that does. Let's first have a look at the most common subnet masks and then I'll show you where these numbers come from :)

Common Subnet Masks

In order to keep this place tidy, we are going to see the common Subnet masks for each Class. Looking at each Class's subnet mask is possibly the best and easiest way to learn them.

Number of bits   Class A                     Class B                       Class C
0 (default)      255.0.0.0 (default mask)    255.255.0.0 (default mask)    255.255.255.0 (default mask)
1                255.128.0.0 (default+1)     255.255.128.0 (default+1)     255.255.255.128 (default+1)
2                255.192.0.0 (default+2)     255.255.192.0 (default+2)     255.255.255.192 (default+2)
3                255.224.0.0 (default+3)     255.255.224.0 (default+3)     255.255.255.224 (default+3)
4                255.240.0.0 (default+4)     255.255.240.0 (default+4)     255.255.255.240 (default+4)
5                255.248.0.0 (default+5)     255.255.248.0 (default+5)     255.255.255.248 (default+5)
6                255.252.0.0 (default+6)     255.255.252.0 (default+6)     255.255.255.252 (default+6)
7                255.254.0.0 (default+7)     255.255.254.0 (default+7)     255.255.255.254 (default+7) * Only 1 Host per subnet
8                255.255.0.0 (default+8)     255.255.255.0 (default+8)     255.255.255.255 (default+8) * Reserved for Broadcasts

The above table might seem confusing at first, but don't despair ! It's simple, really, you just need to look at it in a different way ! The trick to understanding the pattern of the above table is to think of it in the following way: Each Class has its default subnet mask, which I have noted using the black colour, and all we are doing is borrowing a Bit at a time (starting from 1, all the way to 8) from the Host ID portion of each class. I have used various colours to show you the decimal numbers that we get each time we borrow a bit from the Host ID portion. If you can't understand how these decimal numbers work out, then you should read up on the Binary & IP section.

Each time we borrow a bit from the Host ID, we split the network into a different number of networks. For example, when we borrowed 3 Bits in the Class C network, we ended up partitioning the network into 8 smaller networks. Let's take a look at a detailed example (which we will break into three parts) so we can fully understand all the above. We are going to do an analysis using the Class C network and 3 Bits which we took from the Host ID. The analysis will take place once we convert our decimal numbers to binary, something that's essential for this type of work. We will see how we get 8 networks from such a configuration and their ranges!

In this first part, we can see clearly where the 8 Networks come from. The rule applies to all types of Subnets, no matter what Class they are. Simply raise 2 to the power of the number of Subnet Bits and you get your number of Networks. Now, that was the easy part. The second part is slightly more complicated and I need you focused so you don't get mixed up! At first the diagram below seems quite complex, so try to follow me as we go through it:


The IP Address and Subnet mask are shown in Binary format. We focus on the last octet which contains all the information we are after. Now, the last octet has 2 parts, the Subnet ID and Host ID. When we want to calculate the Subnets and Hosts, we deal with them one at a time. Once that's done, we put the Subnet ID and Host ID portion together so we can get the last octet's decimal number. We know we have 8 networks (or subnets) and, by simply counting or incrementing our binary value by one each time, we get to see all the networks available. So we start off with 000 and finish at 111. On the right hand side I have also put the equivalent decimal number for each network. Next we take the Host ID portion, where the first available host is 0 0001 (1 in Decimal), because the 0 0000 (0 in Decimal) value is reserved as it is the Network Address (see IP Classes page), and the last value which is 1 1111 (31 in decimal) is used as a Broadcast Address for each Subnet (see Broadcast page).

Note: I've given a formula in the IP Classes page that allows you to calculate the available hosts; that's exactly what we are doing here for each subnet. This formula is: 2 to the power of X - 2, where X is the number of Bits we have in the Host ID field, which for our example is 5. When we apply this formula, we get 2 to the power of 5 - 2 = 30 Valid (usable) IP Addresses. If you're wondering why we subtract 2, it's because one is used for the Network Address of that subnet and the other for the Broadcast Address of that subnet. This shouldn't be new news to anyone :)

Summing up, these are the ranges for each subnet in our new network:
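The three-part analysis above (8 subnets from 3 Subnet Bits, 30 hosts from 2 to the power of 5 - 2, and the range of each subnet) can be reproduced by the following added Python example. It is my code, not the page's, and relies only on the standard library's ipaddress module; the network and mask are the page's own (192.168.0.0 with 255.255.255.224). The same function works for any Class and any borrowed-bit count, which is the generalisation the page promises for later pages.

```python
"""Enumerate the subnets created by borrowing host bits from a network.

Added example, not code from the page. It reproduces the page's analysis of
192.168.0.0 with mask 255.255.255.224: 2^3 = 8 subnets, 2^5 - 2 = 30 usable
hosts each, and the network, first/last host and broadcast address of every
subnet. Only the standard library (ipaddress) is used.
"""
import ipaddress


def subnet_count(subnet_bits):
    """Networks obtained from the borrowed bits: 2 to the power of the Subnet ID width."""
    return 2 ** subnet_bits


def usable_hosts(host_bits):
    """The page's formula 2^X - 2: the network and broadcast addresses are not assignable."""
    return 2 ** host_bits - 2 if host_bits > 1 else 0


def subnet_table(network, new_mask):
    """One row per subnet of `network` (e.g. '192.168.0.0/24') after applying `new_mask`."""
    base = ipaddress.IPv4Network(network)
    new_prefix = ipaddress.IPv4Network("0.0.0.0/" + new_mask).prefixlen
    if new_prefix <= base.prefixlen:
        raise ValueError("the new mask must borrow at least one host bit")
    subnet_bits = new_prefix - base.prefixlen
    host_bits = 32 - new_prefix
    rows = []
    for index, sub in enumerate(base.subnets(new_prefix=new_prefix)):
        # The Subnet ID counts 000, 001, ... 111; the Host ID runs 00001 .. 11110.
        first = last = None
        if host_bits > 1:
            first = str(sub.network_address + 1)
            last = str(sub.broadcast_address - 1)
        rows.append({
            "subnet_id_bits": format(index, "0%db" % subnet_bits),
            "network": str(sub.network_address),
            "first_host": first,
            "last_host": last,
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": usable_hosts(host_bits),
        })
    assert len(rows) == subnet_count(subnet_bits)
    return rows


if __name__ == "__main__":
    for row in subnet_table("192.168.0.0/24", "255.255.255.224"):
        print("{subnet_id_bits}  net {network:<14} hosts {first_host} - {last_host}  "
              "bcast {broadcast}  ({usable_hosts} usable)".format(**row))
```

Running it prints one line per subnet, from 192.168.0.0 (hosts .1 to .30, broadcast .31) up to 192.168.0.224 (hosts .225 to .254, broadcast .255), so you can check each range against the page's figure.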


I hope the example didn't confuse you too much; the above example is one of the simplest types, which is why I chose a Class C network, they are the easiest to work with. If you did find it somewhat difficult, try to read over it slowly. After a few times, you will get to understand it. These things do need time to sink in !

Subnet Routing & Communications


Introduction

So we understand all (almost !) about subnetting, but there are a few questions/topics which we haven't talked about as yet. Experience shows you can never know everything 100% ! Routing and Communication between subnets is the main topic here. We have analysed subnetting and understood how it works, but haven't yet dealt with the "communication" side of things. These, along with a few other things I would like to bring to your attention, are going to be analysed here ! It's an easy and very interesting page, so sit back and read through it comfortably.

Communication Between Subnets

So, after reading all the previous pages about subnetting, let me ask you the following: Do you think computers that are on the same physical network but configured to be on separate subnets are able to communicate ? The answer is "no". Why ? Simply because you must keep in mind that we are talking about the communication between 2 different networks ! Looking at our example of the Class C network on the previous page, the fact is that one computer is part of the network 192.168.0.0 and the other one part of network 192.168.0.32, and these are two different networks. In our example, from the moment we modified the default subnet mask from 255.255.255.0 to 255.255.255.224, we split that one network into 8 smaller ones. Let's try it ! And because we just have to prove it..... we are going to try it on the network in the figure below.


Well, that's the network we have to play with. I have put on the diagram the results of a few simple pings from each host and as you can see, they all came out nice: PASS. So in order to proceed to phase 2 of our experiment, I modified the Subnet mask of my workstation to 192.168.0.35 / 255.255.255.224 , my Slackware Linux Firewall to 192.168.0.1 / 255.255.255.224 (internal Network Interface Card) and my NetWare 6 Server to 192.168.0.10 / 255.255.255.224 as shown in the diagram below:


As you can see, the results for my workstation were devastating ... alone and totally unaware that the other two servers are still there ! When my workstation tries to actually ping the Linux Firewall, it will get no reply, because its Gateway is a host which belongs to another network, something that we knew would never work. So, we have concluded that there cannot be any sort of communication between the computers of Network 1 and Network 2. So how can two hosts in two different subnets talk to each other ? That's what we are going to have a look at right now !

Building The Bridge

There is a way to allow the communication between my workstation and my servers and the Internet. Actually there are a few ways to achieve this and I'm going to show you a few of them, even though some might seem silly or impractical. We are not interested in the best solution at the moment, we just want to know the ways in which we can establish communication between the two subnets. Considering that subnets are smaller networks, you would remember that we use routers to achieve communications between two networks. We need a router which will route packets from one network to the other. Let's have a look at the different ways we can solve this problem:

Method 1: Using a Server with 2 Network Cards


Our first option is to use one of the Servers, or a new Server which has at least 2 network cards installed. By connecting each network card to one of our networks and configuring the network cards so that each one belongs to one subnet/network we can route packets between them:

The above diagram shows pretty much everything that's needed. The 2nd network card has been installed and it's been assigned an IP Address that falls within our Network 1 range and therefore can communicate with my workstation. On the other hand the NetWare server now acts as a Gateway for Network 1, so my workstation is reconfigured to use it as its Gateway. Any packets from Network 1 to Network 2 or the Internet will pass through the NetWare server.

Method 2: Binding 2 IP Addresses to the same network card

This method is possibly the best and easiest way around our problem. We use the same network card on the NetWare server and bind another IP Address to it. This second IP Address will obviously fall within the Network 1 IP range so that my workstation can communicate with the server:


As noted on the diagram, the only problem we might encounter is the need for the operating system of the server to support this type of configuration, but most modern operating systems would comply. Once configured, the Server takes care of any routing between the two networks.

Method 3: Installing a router

The third method is to install a router in the network. This might seem a bit far-fetched but remember that we are looking at all possible ways to establish communications between our networks ! If this was a large network, then a router could possibly be the ideal solution, but given the size of my network, well... let's just say it would be a silly idea :)


My workstation in this setup would forward all packets to its Gateway, which is the router's interface connected to Network 1, and it will be able to see all other servers and access the Internet. It's a similar setup to Method 1 but instead of a Server we have a dedicated router. Oh, and by the way, if we would end up using such a configuration in real life.. the hub which both of the router's interfaces connect to would be replaced by some type of WAN link.
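The "same subnet or not" decision behind the ping experiment, and the reason Method 2 repairs it, comes down to one test a host performs before sending any packet: AND its own address and the destination with the subnet mask and compare the results. If they match, the destination is on-link and is reached directly; if not, the packet goes to the gateway, which itself must be on-link. The added Python example below (my code, not the page's) replays the three stages with the page's addresses: the original 255.255.255.0 mask, the 255.255.255.224 mask that strands the workstation, and Method 2. The page does not state the second address bound to the NetWare server's card, so 192.168.0.33 is an assumed value inside the workstation's 192.168.0.32 subnet.

```python
"""Decide whether a host reaches a destination directly or via its gateway.

Added example, not code from the page. It models the page's ping
experiment: after the mask changes to 255.255.255.224 the workstation
(192.168.0.35) sits in 192.168.0.32/27 while the Linux firewall (192.168.0.1)
and the NetWare server (192.168.0.10) sit in 192.168.0.0/27, so the
workstation cannot even reach its own gateway. The address that Method 2
binds to the server is not given on the page; 192.168.0.33 is an assumed
value inside the workstation's subnet.
"""
import ipaddress


def on_link(ip, mask, other):
    """True when `other` is in the same subnet as `ip`/`mask` (both AND the mask to the same network)."""
    network = ipaddress.IPv4Interface(ip + "/" + mask).network
    return ipaddress.IPv4Address(other) in network


def next_hop(ip, mask, gateway, dest):
    """'direct' for an on-link destination, the gateway if it is on-link, else 'unreachable'."""
    if on_link(ip, mask, dest):
        return "direct"
    if on_link(ip, mask, gateway):
        return gateway
    return "unreachable"   # the gateway itself lies in another subnet


def experiment():
    """Replay the three stages of the page's experiment for the workstation pinging the firewall."""
    workstation, firewall = "192.168.0.35", "192.168.0.1"
    return {
        # Default Class C mask: everything is one network, the ping goes direct.
        "before": next_hop(workstation, "255.255.255.0", firewall, firewall),
        # 255.255.255.224: the firewall is now the gateway of another subnet.
        "after": next_hop(workstation, "255.255.255.224", firewall, firewall),
        # Method 2: a second address (assumed 192.168.0.33) bound to the NetWare
        # server's card becomes the workstation's on-link gateway.
        "method2": next_hop(workstation, "255.255.255.224", "192.168.0.33", firewall),
    }


if __name__ == "__main__":
    for stage, result in experiment().items():
        print(stage, "->", result)
```

The "unreachable" result is what the page's diagram shows as the failed pings: the workstation never sends a frame at all, because there is no on-link next hop to send it to.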

Subnetting Guidelines
Introduction

There is always that day when you are called upon to provide a solution to a network problem. The number of problems that can occur in a network are numerous and believe it or not, most of them can be avoided if the initial design and installation of the network are done properly. When I say "done properly" I don't just mean connecting the correct wires into the wall sockets ! Looking at it from an Administrator's point of view, I'd say that a "properly done job" is one that has had a lot of thought put into it to avoid silly routing problems and solve today's and any future needs. This page contains all the information you need to know in order to design a network that won't suffer from any of the above problems. I've seen some network setups which suffered from all the above, and you would be amazed how frequently I see them at large companies.


Guidelines - Plan for Growth

When creating subnets for your network, answer the following questions:

How many subnets are needed today?
Calculate the maximum number of subnets required by rounding up the maximum number to the nearest power of two. For example, if an organization needs five subnets, 2 to the power of 2 = 4 will not provide enough subnet addressing space, so you must round up to 2 to the power of 3 = 8 subnets.

How many subnets are needed in the future?
You must plan for future growth. For example, if 9 subnets are required today, and you choose to provide for 2 to the power of 4 = 16 subnets, this might not be enough when the seventeenth subnet needs to be deployed. In this example, it might be wise to provide for more growth and select 2 to the power of 5 = 32 as the maximum number of subnets.

What is the maximum number of hosts on a given segment?
You must ensure that there are enough bits available to assign host addresses to the organization's largest subnet. If the largest subnet needs to support 40 host addresses today, 2 to the power of 5 = 32 will not provide enough host address space, so you would need to round up to 2 to the power of 6 = 64.

How many hosts will there be in the future?
Besides planning for additional subnets, you must also plan for more hosts to be added to each subnet in the future.

Make sure the organization's address allocation provides enough bits to deploy the required subnet addressing plan. When developing subnets, Class C addresses present the greatest challenge because fewer bits are available to divide between subnet addresses and host addresses. If you accommodate too many subnets, there may be no room for additional hosts and growth in the future.
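The four questions above reduce to a small calculation: round the subnet count up to a power of two, round the host count up so that 2 to the power of n - 2 still covers it, and check that both bit fields fit in the host bits your allocation gives you. The added Python example below (my code, not the page's) does that, with an optional growth multiplier for the "in the future" questions. It uses the page's own figures: 5 subnets of 40 hosts, which do not fit in a Class C (3 + 6 = 9 bits, but only 8 are available), and 9 subnets doubled for growth, which lands on 32 subnets as the page suggests.

```python
"""Size a subnetting plan from today's needs plus headroom for growth.

Added example, not code from the page. It rounds the subnet count and the
host count up to the next power of two as the guidelines describe, applies
an optional growth multiplier, and checks whether the bits fit inside the
block you were allocated (8 host bits for a Class C, 16 for a Class B).
"""


def bits_for(count):
    """Smallest n with 2**n >= count: 5 subnets -> 3 bits (8), 9 -> 4 bits (16)."""
    if count < 1:
        raise ValueError("count must be positive")
    return (count - 1).bit_length()


def host_bits_for(hosts):
    """Host bits so that 2**n - 2 >= hosts; the -2 is the network and broadcast address."""
    return max(bits_for(hosts + 2), 2)


def plan(subnets_needed, hosts_needed, block_prefix, growth=1):
    """Return the Subnet ID / Host ID split for a /block_prefix allocation, or fits=False."""
    subnet_bits = bits_for(subnets_needed * growth)
    host_bits = host_bits_for(hosts_needed * growth)
    available = 32 - block_prefix           # bits we can divide between the two fields
    fits = subnet_bits + host_bits <= available
    return {
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "host_bits": host_bits,
        "usable_hosts": 2 ** host_bits - 2,
        "fits": fits,
        "new_prefix": block_prefix + subnet_bits if fits else None,
        "spare_bits": available - subnet_bits - host_bits,   # negative when it does not fit
    }


if __name__ == "__main__":
    # The page's numbers: 5 subnets of up to 40 hosts do not fit in a Class C
    # (3 + 6 = 9 bits > 8); the same plan in a Class B leaves 7 bits spare.
    for prefix in (24, 16):
        print("/%d" % prefix, plan(5, 40, prefix))
    # Planning for growth: 9 subnets today, doubled, become 32 subnets.
    print(plan(9, 30, 16, growth=2))
```

The spare_bits value is the headroom you have left for either more subnets or more hosts per subnet; a plan with zero spare bits fits today but leaves no room for the "in the future" questions.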

Supernetting/CIDR Introduction
Introduction

Supernetting, also known as Classless InterDomain Routing (CIDR), is another awesome subject. It exists thanks to the wide adoption of the Internet, which led to the exhaustion of the available IP Addresses. More specifically, supernetting was invented in 1993 with the purpose of extending the 32 bit IP address lifetime until the adoption of IPv6 was complete.


Putting it as simply as possible, supernets are used to combine multiple Class C networks into groups, which the router, in turn, treats as one big network. It might not seem like a smart thing to do, but if you look at the picture on a larger scale you will notice some of the really awesome advantages this offers. The creation of Supernets is also known as Address Aggregation.

The Big Picture

Consider this realistic example: You work for a large ISP with a few hundred networks to which it provides services like Internet access, e-mail etc. These networks, which basically are your ISP's clients, consist of 254 host IPs each (One full Class C network for each client), and they each have a permanent connection to your headquarters via ISDN (represented by the yellow lines) and from there your ISP has a direct connection to the Internet Backbone.

This diagram shows the example network we're talking about. Our main focus is the two routers the ISP has, Router No.1 and Router No.2, because these will be affected when we supernet the networks. Routers No.1 & No.2 exchange information with each other and update their tables, which contain the networks they know about. Router 2 connects directly to 10 networks and needs to let Router 1 know about each one of them. Router 1 in turn will also advertise these networks to the Internet Backbone Router so it too will know about these networks. The above setup requires that Router No.1 and the Internet Backbone Router each have more than 13 separate entries in their routing tables to make sure that each network is accessible from them. This is not so bad for this example, but try to imagine the problems and the complexity of a similar setup where you have thousands of networks, where the routing tables would be enormous ! Also, you should keep in mind that the larger the routing table, the more work the router needs to do because it has a huge table of routes to maintain and look through all the time. By using Supernetting, we could supernet the whole network so it appears to the Internet as follows:

You can clearly see that all the clients' networks have been combined into one big network. Even though Router No.1 and the Internet Backbone router see only one big network, Router No.2 knows all about the smaller Class C networks since it is the one "hiding" them from the rest of the world and makes sure it sends the correct data to each network. We are going to look at a more detailed example later on so we can understand exactly how supernetting works.

NOTE: There are some limitations with Supernetting - this is why there is a rule which we must follow so we don't bump into big routing problems and upset the network. We will have a closer look at the rule on the next page.

The reason for evolution


Supernetting has become very popular and there are a lot of reasons why:

- Class B network address space has nearly been exhausted
- A small percentage of class C network addresses have been assigned to networks
- Routing tables in Internet routers have grown to a size beyond the ability of software and people to effectively manage
- The 32-bit IP address space will eventually be exhausted

How Supernets work

If you understand how Subnetting works, then you will surely understand Supernetting. Supernets are the opposite of Subnets in that they combine multiple Class C networks into blocks rather than dividing them into segments. When Subnetting, we borrow bits from the Host ID portion, which increases the number of bits used for the Network ID portion. With Supernetting we do exactly the opposite, meaning we take the bits from the Network ID portion and give them to the Host ID portion, as illustrated in the picture below:


The next page deals with a detailed example to give you an in-depth analysis of Supernetting. The main concept you need to understand is that Supernetting is all about combining multiple Class C networks into one or more groups, and it does this by taking bits from the Network ID portion and, by doing so, the bits assigned to the Host ID portion increase.

Supernetting/CIDR Analysis
Introduction

We have had a good introduction to Supernetting (CIDR) and we are about to have a look at an example to finally give answers to all those questions you have about the subject.

NOTE: This page requires you to have basic knowledge and understanding of Internet Protocol, Subnetting and Binary notation. These are covered in great detail on other pages and I recommend you have a quick look over these topics if you think you're not up to scratch.

Guideline - Rule to Supernetting / CIDR


Before we get into deep waters, we must talk about the main rule that applies to creating Supernets. For our example, this rule dictates that, in order to create Supernets from Class C IP Addresses, the network addresses must be consecutive and the third octet of the first IP Address must be divisible by two. If we had 8 networks we wanted to combine, then the third octet of the first IP address would need to be divisible by eight and not two. There is one more rule you should know and this rule has to do with the routers of the network, which will need to work with the new changes. This rule dictates that all routers on the network must be running static routing or using a classless routing protocol such as RIP2 or OSPF. Classless routing protocols include the subnet mask information and can also pass supernetting information. Routing protocols such as RIP1 do NOT include subnet mask information and would just create problems!

The Example

Here is an example involving two companies that want to use Supernetting to solve their network requirements. We are going to determine which company meets the criteria for a Supernet (we are assuming the routers are set up in a way that will support supernetting):


As you can see, Company No.1's network passes the test, therefore we can Supernet its two networks.

The Analysis of Company 1's Network & creation of its Supernet

Let's now take Company No.1's network, see how the Supernet will be created and determine various important parameters like the new network's broadcast address, the identification of the new supernets etc. To begin, we must take our two networks and look at them in binary format; this is the only way to "see" exactly what we're doing when supernetting. Let's take a look at the Network and Host ID portions:

If you have problems understanding why we have no Subnet ID, please read up on the IP and Subnetting sections on this site where everything is explained as simply as possible using cool 3D diagrams. Now we need to create the Supernet. This means that we are going to take one bit from the Network ID of these networks and give it to the Host ID portion. This 1 Bit is our Supernet ID. So our subnet mask will now be reduced from 24 bits to 23 bits. You might get confused or ask why we call this extra Bit we are giving to the Host ID a Supernet ID? The answer is simple, the one Bit that we are taking from the Network ID is given to the Host ID but, in order for us to clearly "see" where the supernet is created, we colour it Green and give it the "Supernet ID" label:


So there you have it, a new supernet created! Now I can point out something new; I waited to show you this because I didn't want to confuse you :) We have one Supernet made from two networks (203.31.218.0 and 203.31.219.0). In order to identify these two networks we name the first one (203.31.218.0) Supernet 0 and the second one (203.31.219.0) Supernet 1. This is to distinguish between the two networks and nothing more. It actually makes more sense if you look at the values the Supernet ID field takes:

It's very important to understand that Supernet 0 and 1 are part of the same new network ! This means that there is only one network address, one network broadcast address and not two as you might expect. Let's now have a look at some more important information regarding the new network:


ITEM                         VALUE
Supernet range               203.31.218.0 - 203.31.219.255
Subnet Mask                  255.255.254.0
Supernet Network Address     203.31.218.0
Supernet Broadcast Address   203.31.219.255
Supernet 0                   203.31.218.0
Supernet 1                   203.31.219.0
Valid IP Address range       203.31.218.1 - 203.31.219.254
Reserved IP Addresses        203.31.218.0, 203.31.219.255

The above table shows pretty much all the information someone would need about the new network. Let me also point out to you (in case you didn't ask yourself :> ) that IP Addresses 203.31.218.255 and 203.31.219.0, which would have been used as the broadcast address for our first old network and the network address of our old second network, are now usable addresses! Yes, you can actually assign them to hosts, because we have a Supernet. Now, even though you can use these addresses, I would probably not use them unless I really needed to. Not that it makes a difference, but I always tend to reserve these types of addresses, it's just a habit of mine :) Also, every host that will be part of this Supernet will need to be configured with the new Subnet mask, 255.255.254.0 as noted in the table above. Any host that isn't reconfigured will have big problems trying to communicate with the rest of the network. Well that completes the analysis of our Supernet example. As I pointed out in the beginning, you must have your IP, Subnetting and Binary Notation up to date otherwise you will have difficulties understanding a lot of the material so make sure you read up on those sections before giving this page another shot :)
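The rule from the previous page (consecutive networks, a power-of-two count, and a third octet divisible by that count) and the table above can both be produced by the following added Python example. It is my code, not the page's; Company No.1's networks (203.31.218.0 and 203.31.219.0) are the page's, while the rejected pair at the end is a constructed counter-example whose first third octet is odd. The rule check matters in practice: a supernet whose first network is not aligned to the new mask would describe a different address block than the one you own, and a router advertising it would attract traffic for addresses that belong to someone else.

```python
"""Check the supernetting rule and build the supernet from Class C networks.

Added example, not code from the page. For a list of Class C networks it
verifies that they are consecutive, that their count is a power of two, and
that the third octet of the first one is divisible by that count (the page's
"divisible by two / by eight" rule); it then returns the supernet mask,
network address, broadcast address, valid host range and Supernet IDs.
"""
import ipaddress


def class_c_supernet(networks):
    """Aggregate consecutive Class C networks into one supernet, or raise ValueError."""
    # A bare address such as '203.31.218.0' is taken as a full Class C (/24).
    nets = [ipaddress.IPv4Network(n if "/" in n else n + "/24") for n in networks]
    count = len(nets)
    if count < 2 or count & (count - 1):
        raise ValueError("need a power-of-two number of networks (2, 4, 8, ...)")
    if any(n.prefixlen != 24 for n in nets):
        raise ValueError("all networks must be Class C (/24) blocks")
    first = nets[0]
    # Consecutive: each network address is the previous one plus 256.
    for prev, cur in zip(nets, nets[1:]):
        if int(cur.network_address) != int(prev.network_address) + 256:
            raise ValueError("%s and %s are not consecutive" % (prev, cur))
    third_octet = int(str(first.network_address).split(".")[2])
    if third_octet % count:
        raise ValueError("third octet %d is not divisible by %d" % (third_octet, count))
    bits_given_back = count.bit_length() - 1      # 2 networks -> 1 bit, 8 -> 3 bits
    supernet = ipaddress.IPv4Network((first.network_address, 24 - bits_given_back))
    return {
        "supernet": str(supernet),
        "mask": str(supernet.netmask),
        "network_address": str(supernet.network_address),
        "broadcast_address": str(supernet.broadcast_address),
        "first_valid": str(supernet.network_address + 1),
        "last_valid": str(supernet.broadcast_address - 1),
        # Supernet 0, Supernet 1, ... as the page names the original networks
        "supernet_ids": {"Supernet %d" % i: str(n.network_address) for i, n in enumerate(nets)},
    }


if __name__ == "__main__":
    for item, value in class_c_supernet(["203.31.218.0", "203.31.219.0"]).items():
        print("%-18s %s" % (item, value))
    try:
        class_c_supernet(["203.31.219.0", "203.31.220.0"])   # constructed: 219 is odd
    except ValueError as err:
        print("rejected:", err)
```

The returned values match the table line for line: mask 255.255.254.0, network address 203.31.218.0, broadcast 203.31.219.255 and the valid range 203.31.218.1 to 203.31.219.254, which is why the old broadcast 203.31.218.255 and old network address 203.31.219.0 fall inside the usable range.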

The Supernetting/CIDR Chart


Introduction

Because subnet masks can get very confusing, the creators of this wonderful network technology also made available a few things to make life somewhat easier. The following chart is really a summary of what we've seen so far. It gives you a good idea of the networks we can combine and the result we'd see.

The Supernetting/CIDR chart

There are four columns available in our chart:


The CIDR Block, the Supernet Mask, Number of Class C Networks and the Number of Hosts column.

Class C CIDR Block   Supernet Mask      Number of Class C Networks   Number of Hosts
/14                  255.252.0.0        1024                         262144
/15                  255.254.0.0        512                          131072
/16                  255.255.0.0        256                          65536
/17                  255.255.128.0      128                          32768
/18                  255.255.192.0      64                           16384
/19                  255.255.224.0      32                           8192
/20                  255.255.240.0      16                           4096
/21                  255.255.248.0      8                            2048
/22                  255.255.252.0      4                            1024
/23                  255.255.254.0      2                            512
/24                  255.255.255.0      1                            254
/25                  255.255.255.128    1/2                          126
/26                  255.255.255.192    1/4                          62
/27                  255.255.255.224    1/8                          32
/28                  255.255.255.240    1/16                         16
/29                  255.255.255.248    1/32                         8
/30                  255.255.255.252    1/64                         4

I am going to explain the meaning of each column, although you probably already know most of them.

The CIDR Block

The CIDR Block simply represents the number of bits used for the subnet mask. For example, /14 means 14 bits assigned to the subnet mask; it is a lot easier telling someone you have a 14 bit subnet mask rather than a subnet mask of 255.252.0.0 :)

Note: In the above paragraph, I called the 14 bits a subnet mask, when in fact it's a supernet mask, but because when you configure any network device, the field you will need to enter the value in is usually named 'subnet mask', I decided to name it 'subnet mask' as well, in order to avoid confusion.


I'd like you to pay particular attention to the CIDR Block /24, and /25 to /30. These blocks are highlighted in yellow and blue because I want them to grab your attention :) When we use a CIDR Block of 24 (24 bit subnet mask) we are not Supernetting ! This is a default subnet mask for a Class C network. With CIDR Blocks /25 to /30 we are actually Subnetting and not Supernetting ! Now you might wonder why I have them in the chart. The fact is that those particular CIDR Blocks are valid, regardless of whether applying them to a network means we are Subnetting and not Supernetting. If you have dealt with any ISPs and IP Address assignments, chances are you would have been given your IP Addresses in CIDR format. A good example is if you wanted a permanent connection to your ISP and only required 2 IP Addresses, one for your router and one for your Firewall, you would be assigned one /30 CIDR Block. With such a subnet mask you will have 4 IP Addresses, from which 2 will be reserved (one for the Network address and one for the Broadcast address) and you're left with 2 that you can assign to your hosts (router and firewall). The Supernet Mask Basically, this is your Subnet mask. When you configure the devices that will be attached to the specified network, this is the value you will enter as a Subnet mask. It's also the decimal value the CIDR Block specifies. For example, a /24 CIDR block means a 24 bit Subnet mask, which in its turn translates to 255.255.255.0 :) Simple stuff ! Number of Class C Networks This number shows us how many Class C Networks are combined by using a specific Supernet mask or, if you like, CIDR Block. For example, the /24 CIDR Block, 255.255.255.0 Supernet mask is 1 Class C Network, whereas a /20 CIDR Block, 255.255.240.0 Supernet mask is 16 Class C networks. Number Of Hosts This value represents the number of hosts per Supernet. 
For example, when we use a /20 CIDR Block, which means a Subnet (or Supernet) mask of 255.255.240.0, we can have up to 4096 hosts. Pretty straightforward stuff. There is one thing you must be careful of though! The value 4096 does not represent the valid, usable IP Addresses. If you wanted to find out how many of these IP Addresses you can actually use, in other words assign to hosts, then you simply take 2 IP Addresses away from that number (the first and last IP Address), so you're left with 4094 IP Addresses to play with :) Why take 2 away? You shouldn't be asking questions like that if you have read the IP and Subnetting sections, but I'll tell you anyway :) One is reserved for the Network Address and one for the Broadcast Address of that network!
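The chart columns described above can be computed rather than looked up. The following is an added example (my code, not part of the original chart or article) that derives the supernet mask, the number of Class C networks, the host count and the usable host count from a CIDR block length, and splits an ISP-style assignment into network, broadcast and host addresses. The /30 sample uses 203.0.113.8/30, a constructed value from the 203.0.113.0/24 documentation range, standing in for the router-plus-firewall block mentioned in the text.

```python
import ipaddress
from fractions import Fraction


def cidr_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for a CIDR block length, e.g. 14 -> 255.252.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    # prefix_len one-bits followed by (32 - prefix_len) zero-bits.
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def describe_cidr_block(prefix_len: int) -> dict:
    """Compute one row of the supernetting/CIDR chart for a block length.

    hosts is the raw address count 2^(32 - n); usable_hosts removes the network
    and broadcast addresses; class_c_networks is how many /24s the block spans
    (a fraction below /24, where the block is subnetting, not supernetting).
    """
    mask = cidr_to_mask(prefix_len)  # also validates the length
    total = 2 ** (32 - prefix_len)
    return {
        "cidr": f"/{prefix_len}",
        "mask": mask,
        "class_c_networks": Fraction(total, 256),
        "hosts": total,
        "usable_hosts": max(total - 2, 0),
    }


def assignment_layout(cidr: str) -> dict:
    """Split an ISP-style assignment such as 203.0.113.8/30 into the network
    address, the broadcast address and the addresses left over for hosts."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable": [str(h) for h in net.hosts()],
    }


if __name__ == "__main__":
    for n in (14, 20, 24, 30):
        print(describe_cidr_block(n))
    # Constructed sample: a /30 from the 203.0.113.0/24 documentation range,
    # the kind of block an ISP hands out for a router + firewall pair.
    print(assignment_layout("203.0.113.8/30"))
```

Because `ip_network` is called with `strict=True`, an address that is not actually the first address of its block (for example 203.0.113.9/30) raises an error instead of silently being rounded down, which is the mistake that most often turns up when an assignment is typed into a router by hand.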


Summary

That completes the explanation of the Supernetting/CIDR chart. You will see that Supernetting and Subnetting have quite a few things in common, and this is simply because they work on the same principle.

Securing Your Home Network


Introduction

Most people who use computers these days have had to deal with a security issue of some kind, whether they are aware of it or not. Everyone has been infected by one of the many worms or viruses floating around the Internet, or has had someone use their password. Most home computer users are victims of attacks that they have no idea about. For example, certain programs called 'spyware' come packaged into seemingly friendly programs you download; this spyware can do any one of a number of things, though most often it sends your personal information (such as name and email address) and information about what sites you visit to certain companies. These in turn will sell your personal information to the spammers and email marketers, who will proceed to clog your inbox with junk that they think you might be interested in. To explain how this works: you download a program, say a video player, from the Internet and install it. In the background it installs some spyware. Now you start surfing to car sites, and soon you can expect your email inbox to be full of spam offering you great deals on used cars etc.

A lot of people work on the principle that their home computer contains nothing interesting enough for an attacker. What they don't realise is that while an attacker may not target your system specifically, it is very common for them to use programs that will scan vast ranges of the Internet looking for vulnerable systems; if yours happens to be one, it will be automatically taken over and placed at the attacker's command. From here he can do a variety of things, like using your computer to attack other sites on the Internet or capturing all your passwords. Worms and email viruses work the same way: they infect one machine, and then spread by trying to email themselves to everyone in your guest book, or turning your machine into a scanning system to find other targets.
They may even contain a malicious payload that can destroy your files, or even worse, email your private documents to everyone you know (this was the case with a worm a few years ago). Given the things we use the computer for these days, such as online shopping for books or music, electronic banking etc., these threats have more serious implications than most people realise. You may not have anything worthwhile on your computer, but what if an attacker is able to steal your credit card information when you are buying a book from Amazon.com, or steal the password to your online banking account? Luckily the steps you have to take to secure your own PC are fairly simple and can be accomplished by non-technical users given the right guidance. If you follow the guidelines we have given here, you will be safe from most forms of Internet based threats. So here are a few steps you can take.

Email Security

A lot of viruses these days, such as the recent MyDoom virus, spread by emailing themselves to people as an attachment. The email can appear to come from anywhere; most often it will appear to come from a friend, or from an address like admin@yahoo.com if you use a Yahoo account. The email will try and convince you to download and run the attachment, which may appear to be a harmless JPG image or SCR screensaver. In fact, the attachment is a malicious program (known as malware), and once opened, can do any of the nasty things we've listed above. Here are the rules you should follow when checking your email:

1. Has the email come from someone you know? If so, were you expecting the email and its attachment? If not, try and confirm with the person over the phone or some other medium.
2. Does the message make sense? If you receive an email from your computer illiterate parents saying 'download this new screensaver', you can be quite sure something is fishy.
3. Does the email appear to come from someone in authority? If the email comes from what appears to be the administrator of your email service, you should double check with them. No email service will ever ask you to reveal your password, or threaten to terminate your account unless you download the instructions in the attachment. If you are unsure, always contact their tech-support personnel before opening any attachment.

If you've followed the above steps, and you still think you need to download the attachment, make sure you scan it before downloading. Most popular email services like Hotmail and Yahoo offer you the facility of scanning the attachment; use this feature! Once you've downloaded it, it never hurts to scan it with your own antivirus software, which you should have installed (we will talk about this in the next tip).
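The "harmless JPG image or SCR screensaver" trick relies on what a filename looks like rather than what Windows will do with it. The following is an added example (my code, not part of the original article) of the check a mail filter or a careful user can apply to attachment names: only the final extension decides whether a file runs as a program, so a name such as holiday.jpg.exe, or one padded with spaces to push the real extension out of view, is flagged as a disguised executable. The extension lists and the sample attachment names are constructed for the example.

```python
# Extensions Windows treats as programs when a file is opened (constructed
# list for this example; a real filter would carry a longer one).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions that make a name look like a picture or document.
HARMLESS_LOOKING = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def classify_attachment(filename: str) -> str:
    """Classify an attachment name by what opening it would actually do.

    Returns 'data' for ordinary files, 'executable' for a plain program and
    'disguised-executable' for names like holiday.jpg.exe, where a harmless
    looking extension sits in front of the one that really counts (the last).
    """
    # Normalise case and strip the whitespace some worms put between a fake
    # extension and the real one so the real one scrolls out of view.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "data"  # no extension at all
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return "data"
    if len(parts) >= 3 and parts[-2] in HARMLESS_LOOKING:
        return "disguised-executable"
    return "executable"


def attachments_to_quarantine(names):
    """Return the attachment names a mail filter should hold back for scanning."""
    return [n for n in names if classify_attachment(n) != "data"]


# Constructed sample: names of the kind seen on mass-mailing worm messages.
SAMPLE_ATTACHMENTS = [
    "minutes.pdf",
    "holiday.jpg.exe",
    "funny.jpg                                   .scr",
    "setup.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r:55} -> {classify_attachment(name)}")
    print("quarantine:", attachments_to_quarantine(SAMPLE_ATTACHMENTS))
```

A name-based check like this is only a first filter: it catches the disguise, not the content, so anything it lets through should still go to the antivirus scanner the next tip describes.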
Only after you are completely certain this attachment is safe should you download it. If it is a program (ending in .exe, or something like .jpg.exe), then you should be extra careful. Remember that anti-virus scanners must be up to date to be able to catch new viruses, and even then, you may encounter a virus before the anti-virus companies have been able to analyse it.

Install Anti-virus Software

90% of the threats you will face as a home user will come not from hardcore cyber criminals, but from automatically spreading viruses known as worms. The best way to guard against virus threats is to download a good anti-virus scanner. Two of the best ones are Norton AntiVirus and McAfee. Remember that the anti-virus needs to have its scanning database (known as virus definitions) regularly updated. You should try and update the definitions once a week. The longer you put it off, the larger the new definitions package will be, and the more viruses your system will be vulnerable to. All the virus scanners offer some form of automatic update system so that you don't have to remember to keep updating the definitions yourself. Use this feature.

Disable Windows File Sharing

Most people know that Windows allows you to share files with other people on your network. This is called Windows File Sharing, and is what you make use of whenever you open Network Neighborhood. What most people don't know is that even if you don't specifically choose folders to share, Windows automatically shares your entire hard-disk with anyone who knows your system's Administrator account password. Not only will it share the hard-disk, it will allow the person full read and write access to the disk. To disable file sharing in Windows XP, go through the following steps:

1. Go to the Start menu and select the Control Panel.
2. In the Control Panel window, double-click on Network Connections.
3. Right-click on the icon for your network connection in the window that appears. You can do this for all your network connections (e.g. VSNL, LAN etc.).
4. From the menu which appears, choose Properties (use the left mouse button to make your selection).
5. Under "This connection uses the following items", highlight "File and Printer Sharing for Microsoft Networks".
6. Click Uninstall.
7. When you are asked if you are sure you want to uninstall File and Printer Sharing for Microsoft Networks, click Yes.
8. Click OK or Close to close the Local Area Connection Properties window.

It is also important to understand that most people just press Enter when prompted to choose an Administrator password during the install. This is a very bad idea, as it means that anyone can log into your system as an administrator (full access) without supplying a password. Thus you should try and choose a strong password for the administrator account and any other account that you may create on the system if you share it with other people. Read the tip on choosing strong passwords later on.

Update the Operating System

From time to time, people discover bugs or vulnerabilities in operating systems.
These vulnerabilities often allow an attacker to exploit something built into your operating system and take it over. To give you a simple example, a vulnerability may be found in MSN Messenger and an attacker can exploit it to gain control of your system. Whenever such a vulnerability is found, the operating system vendors release what are known as 'patches' which will fix the problem. If you make sure your system is up to date with the latest patches, an attacker will not be able to exploit one of these vulnerabilities. To update Windows, you have to run the 'Windows Update' service, either by clicking Start >> Programs >> Windows Update, or by going to http://windowsupdate.microsoft.com/. From there you can scan your system for missing patches and then download the ones you need. You should try and do this regularly so that the backlog of patches you need to download is not very large. If you miss out on a lot of patches, the download could be really huge. This is also the case when you reinstall the operating system.

Install A Personal Firewall

A personal firewall is a piece of software that runs on your machine and lets you decide exactly what data is allowed to enter or leave your machine over the network. For example, if an attacker is scanning your system for vulnerabilities, it will alert you. If an attacker is just looking through ranges of the Internet for targets, your system will not respond to their probes. In short, your system operates in a stealthy mode, invisible to an attacker. You also need to be careful about what data leaves your system via the network. Viruses and worms try and email themselves to other people or use your machine to scan for more victims, spyware tries to send data back to an advertiser, and trojan horse programs may try to connect to an attacker. The personal firewall helps by alerting you every time a program tries to access the network connection. This can be tricky for novice users because even when legitimate programs such as Internet Explorer try to access the internet, the firewall will pop up a warning box. However, if you are unsure whether an alert is malicious or not, most firewalls have a 'more info' button on the alert which will take you to their website and tell you whether the program is a legitimate one or a known offender. A personal firewall is no good if you just keep answering 'yes' to every program that wants to access your internet connection. Take the trouble to understand what programs on your machine need legitimate access and only allow those. For example, if you just downloaded a new screensaver program and the firewall says it wants to access the internet, you can be pretty sure it is trying to send some data back somewhere. It may be spyware or a trojan. Soon you will get used to weeding out the suspicious programs. If you have a permanently on connection like cable-modem or DSL, you should most definitely install a personal firewall. Some of the good ones you can get are:

ZoneAlarm: Very easy to install and use; there is a free version with a few less features than the professional version. Gives you very good information about the alerts it generates. Considered the market leader.
BlackICE: Another very highly rated personal firewall; it is not as user friendly as ZoneAlarm, but allows for some further configuration options.

Sygate Personal Firewall: Also less user friendly, but it allows you to make some very powerful configuration changes and it contains a rudimentary intrusion detection system to alert you about common attacks.

If you go to any search engine and search for 'personal firewall' you will find a whole lot of other options. If you use Windows XP, it is a good idea to turn on the built in Internet Connection Firewall by double clicking on your connection icon near the clock, then clicking Properties >> Advanced >> Protect my computer and network. This built in firewall is not meant to be a replacement for a full solution like the ones above. It only filters incoming traffic and will not alert you if a trojan or worm tries to use your machine for some malicious purpose.

Scan For Spyware

All through this article we have talked about spyware that lets companies customise their advertising by watching what you do on the net. While spyware may not be destructive, it is one of the biggest pests around and will result in a mailbox full of spam before you know it. However, there are a number of tools that will scan for well known spyware on your machine and will allow you to delete it safely. Note that AntiVirus packages do not usually alert you when you install spyware because it is not considered harmful to the computer itself. Two of the most popular programs for detecting and removing spyware are Ad-aware and Spybot Search & Destroy.

Choose Strong Passwords

Most of the time an attacker need not resort to a technical hack to break into a system, because he can simply guess poorly chosen passwords. Here are some general rules when selecting a password:

1. Do not use a word which can be found in a dictionary, or a birthdate / name; these are very easy to crack.
2. Adding numbers like 123 at the end does not make it more difficult to crack the password.
3. Choose at least a 6 character long password.
4. Use different capitalisation for the letters, e.g. suRViVor (don't use this one, it's in a dictionary; remember, it's just an example).
5. Add some random numbers at the end or in the middle.
6. If possible use a few special characters like !(;,$#& etc.
7. When choosing a password hint question, choose one that only you will be able to answer. "What is my birthdate?" is something anyone who knows you even remotely will be able to guess.

A very useful method for choosing an easy to remember random password is to take a line of a song that you remember and then take the first letter of each word in that line. Now you can randomise the capitalisation, add a couple of numbers and special characters, and have a very strong password that is easy to remember but still difficult to crack. Remember as far as possible to use a different password for different accounts (e.g. one password for your personal email, one for work email, one for internet banking). This may make things more difficult to remember, but in the event that one password gets compromised, the attacker will not have access to all the other accounts.
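The password rules above and the song-line method can be turned into a small checker and generator. The following is an added example (my code, not part of the original article): `check_password` reports which of the listed rules a candidate breaks, judging a word without its trailing digits so that suRViVor123 is still caught as a dictionary word, and `password_from_song_line` builds a password the way the text describes. The word list is a tiny constructed stand-in for the dictionaries password crackers actually use, and the `personal` argument is an assumption of the example: a caller supplies the name and birthdate strings that an acquaintance could guess.

```python
import re
import secrets

# Tiny constructed word list standing in for a cracker's dictionary.
DICTIONARY = {"survivor", "password", "letmein", "welcome", "dragon", "monkey"}
SPECIALS = set("!(;,$#&@%^*?")


def check_password(password: str, personal=()) -> list:
    """Return the rules from the list above that the password breaks.

    An empty list means the password passes every rule. `personal` holds
    strings an acquaintance could guess (a name, a birthdate as digits).
    """
    problems = []
    lowered = password.lower()
    # Rule 2: digits tacked on the end add nothing, so judge the word without them.
    stem = re.sub(r"\d+$", "", lowered)
    if lowered in DICTIONARY or stem in DICTIONARY:
        problems.append("dictionary word")
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains a name or birthdate")
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixed capitalisation")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    return problems


def password_from_song_line(line: str, suffix: str, rng=None) -> str:
    """Build a password the way the text suggests: the first letter of every
    word, capitalisation randomised, then digits/special characters appended.

    `rng` defaults to a cryptographically secure generator; a seeded
    random.Random can be passed only to make tests reproducible.
    """
    rng = rng or secrets.SystemRandom()
    letters = [w[0] for w in line.split() if w[0].isalpha()]
    if not letters:
        raise ValueError("the line must contain at least one word")
    mixed = [c.upper() if rng.random() < 0.5 else c.lower() for c in letters]
    # Guarantee both cases are present even if every coin flip agreed.
    if not any(c.isupper() for c in mixed):
        mixed[0] = mixed[0].upper()
    if not any(c.islower() for c in mixed):
        mixed[-1] = mixed[-1].lower()
    return "".join(mixed) + suffix


if __name__ == "__main__":
    for candidate in ("survivor", "suRViVor123", "abc12", "Tm4fbC!"):
        print(f"{candidate:14} -> {check_password(candidate) or 'passes all rules'}")
    print(password_from_song_line("we all live in a yellow submarine", "42!"))
```

The checker only enforces the rules the text lists; it says nothing about how a service stores the password, so a strong password should still be unique per account, as the last paragraph recommends.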

Network Cabling
Introduction

This section talks about the cabling used in today's networks. There are a lot of different types of cabling in today's networks and I am not going to cover all of them, but I will be talking about the most common cables, which include UTP CAT5 straight through and crossover, Coax and a few more. Cabling is very important if you want a network to work properly with minimum problems and bandwidth losses. There are certain rules which must never be broken when you're trying to design a network, otherwise you'll have problems when computers try to communicate. I have seen sites which suffer from enormous problems because the initial design of the network was not done properly!

In the near future, cabling will probably be something old and outdated since wireless communication seems to be gaining more ground, day by day. With that in mind, around 95% of companies still rely on cables, so don't worry about it too much :) Let's have a quick look at the history of cabling which will allow us to appreciate what we have today!

The Beginning

We tend to think of digital communication as a new idea, but in 1844 a man called Samuel Morse sent a message 37 miles from Washington D.C. to Baltimore, using his new invention, the Telegraph. This may seem a far cry from today's computer networks but the principles remain the same.

Morse code is a type of binary system which uses dots and dashes in different sequences to represent letters and numbers. Modern data networks use 1s and 0s to achieve the same result. The big difference is that while the telegraph operators of the mid 19th Century could perhaps transmit 4 or 5 dots and dashes per second, computers now communicate at speeds of up to 1 Gigabit, or to put it another way, 1,000,000,000 separate 1s and 0s every second. Although the telegraph and the teletypewriter were the forerunners of data communications, it has only been in the last 35 years that things have really started to speed up. This was borne out of the necessity for computers to communicate at ever increasing speeds and has driven the development of faster and faster networking equipment, and higher and higher specification cables and connecting hardware.

Development of new network technology

Ethernet was developed in the mid 1970's by the Xerox Corporation at its Palo Alto Research Centre (PARC) in California, and in 1979 DEC and Intel joined forces with Xerox to standardize the Ethernet system for everyone to use. The first specification by the three companies, called the 'Ethernet Blue Book', was released in 1980; it was also known as the 'DIX standard' after their initials.


It was a 10 Megabits per second system (10Mbps = 10 million 1s and 0s per second) and used a large coaxial backbone cable running throughout the building, with smaller coax cables tapped off at 2.5m intervals to connect to the workstations. The large coax, which was usually yellow, became known as 'Thick Ethernet' or 10Base5 - the '10' refers to the speed (10Mbps), the 'Base' because it is a baseband system (baseband uses all of its bandwidth for each transmission, as opposed to broadband which splits the bandwidth into separate channels to use concurrently) and the '5' is short for the system's maximum cable length, in this case 500m. The Institute of Electrical and Electronic Engineers (IEEE) released the official Ethernet standard in 1983, called IEEE 802.3 after the name of the working group responsible for its development, and in 1985 version 2 (IEEE 802.3a) was released. This second version is commonly known as 'Thin Ethernet' or 10Base2; in this case the maximum length is 185m even though the '2' suggests that it should be 200m. Since 1983, various standards have been introduced because of the increased bandwidth requirements; so far we are up to the Gigabit rate.

Unshielded Twisted Pair


Introduction

Unshielded Twisted Pair cable is most certainly by far the most popular cable around the world. UTP cable is used not only for networking but also for the traditional telephone (UTP-Cat 1). There are 6 different types of UTP categories and, depending on what you want to achieve, you would need the appropriate type of cable. UTP CAT5 is the most popular UTP cable; it came to replace the good old coaxial cable, which was not able to keep up with the constantly growing need for faster and more reliable networks.

Characteristics

The characteristics of UTP are very good and make it easy to work with, install, expand and troubleshoot. We are going to look at the different wiring schemes available for UTP, how to create a straight through UTP cable, rules for safe operation and a lot of other cool stuff! So let's have a quick look at each of the UTP categories available today:


Category 1/2/3/4/5/6 is a specification for the type of copper wire (most telephone and network wire is copper) and jacks. The number (1, 3, 5, etc.) refers to the revision of the specification and in practical terms refers to the number of twists inside the wire (or the quality of connection in a jack).

CAT1 is typically telephone wire. This type of wire is not capable of supporting computer network traffic and is not twisted. It is also used by phone companies who provide ISDN, where the wiring between the customer's site and the phone company's network uses CAT 1 cable.

CAT2, CAT3, CAT4, CAT5 and CAT6 are network wire specifications. This type of wire can support computer network and telephone traffic. CAT2 is used mostly for token ring networks, supporting speeds up to 4 Mbps. For higher network speeds (100Mbps plus) you must use CAT5 wire, but for 10Mbps CAT3 will suffice. CAT3, CAT4 and CAT5 cable are actually 4 pairs of twisted copper wires, and CAT5 has more twists per inch than CAT3, therefore it can run at higher speeds and greater lengths. The "twist" effect of each pair in the cables will cause any interference presented/picked up on one cable to be cancelled out by the cable's partner which twists around the initial cable. CAT3 and CAT4 are both used for Token Ring; the only difference is CAT3 can be as long as 100 meters while CAT4 can only be 200 meters.

CAT6 wire was originally designed to support gigabit Ethernet (although there are standards that will allow gigabit transmission over CAT5 wire, that's CAT 5e). It is similar to CAT5 wire, but contains a physical separator between the 4 pairs to further reduce electromagnetic interference.


Straight Thru UTP Cables


Introduction

We will be mainly focussing on the wiring of CAT5 cables here because they are the most popular cables on wiring the classic CAT1 phone cables as well. It is very important you know how exactly to wire UTP of a solid network and will help you avoid hours of frustration and troubleshooting if you do it right the f hand, if you are dealing with a poorly cabled network, then you will be able to find the problem and fix Wiring the UTP cables !

We are now going to look at how UTP cables are wired. There are 2 popular wiring schemes that most p and T-568B, that differ only in which color coded pairs are connected - pair 2 and 3 are reversed. Both you don't mix them! If you always use only one version, you're OK, but if you mix A and B in a cable ru

UTP cables are terminated with standard connectors, jack/plug is often referred to as an "RJ-45", but that for the "modular 8 pin connector" terminated with a telephones. The male connector on the end of a patc the receptacle on the wall outlet is a "jack."

As I've already mentioned, UTP has 4 twisted pairs o pairs to see what colour codes they have :

As you can see in the picture on the Pairs 2 & 3 are used for normal 10/1 Pairs 1 & 4 are reserved. In Gigabit used.

CAT5 cable is the most common type of UTP around the world ! It's flexible, easy to install and very reli


The left and center pictures show the end of a CAT5 cable with an RJ-45 connector; used by all cables t computer's network card. The picture to the right shows a stripped CAT5 cable, indicating the 4 twisted

And to be a bit fancy, don't think that UTP CAT5 cable only comes in one boring colour... those days are of choices today :


T-568A & T-568B 4-pair Wiring

Ethernet is generally carried in 8-conductor cables with 8-pin modular plugs and jacks. The connector st is just like a standard RJ-11 modular telephone connector, except it is a bit wider to carry more pins.

Note: Keep in mind that the wiring schemes we are going to talk about are all for straight through cable are examined on a separate page !

The eight-conductor data cable contains 4 pairs of wires. Each pair consists of a solid colored wire and a the same color. The pairs are twisted together. To maintain reliability on Ethernet, you should not untw necessary (like about 1 cm). The pairs designated for 10 and 100 Mbit Ethernet are Orange and Green. and Blue, can be used for a second Ethernet line or for phone connections.

There are two wiring standards for these cables, called "T568A" (also called "EIA") and "T568B" (also ca They differ only in connection sequence - that is, which color is on which pin, not in the definition of wh particular color.

T-568A is supposed to be the standard for new installations, while T-568B is an acceptable alternative. data equipment and cables seem to be wired to T568B. T568B is also the AT&T standard. In fact, I have T568A to wire their network. It's important not to mix systems, as both you and your equipment will be Pin Number Designations for T568B

Note that the odd pin numbers are always the white with stripe color (1,3,5,7). The wires connect to RJ shown below:

Color Codes for T568B

Pin  Color         Pair    Signal
1    white/orange  pair 2  TxData+
2    orange        pair 2  TxData-
3    white/green   pair 3  RecvData+
4    blue          pair 1
5    white/blue    pair 1
6    green         pair 3  RecvData-
7    white/brown   pair 4
8    brown         pair 4

The wall jack may be wired in a different sequence because the wires are often crossed inside the jack. with a wiring diagram or at least designate pin numbers. Note that the blue pair is on the centre pins; this pair translates to the red/green pair for ordinary telep the centre pair of an RJ-11. (green=wh/blu; red=blu)

Pin Number Designations for T568A

The T568A specification reverses the orange and green connections so that pairs 1 and 2 are on the cen more compatible with the telco voice connections. (Note that in the RJ-11 plug at the top, pairs 1 and 2 T568A goes:

Color Codes for T568A

Pin  Color         Pair    Signal
1    white/green   pair 3  RecvData+
2    green         pair 3  RecvData-
3    white/orange  pair 2  TxData+
4    blue          pair 1
5    white/blue    pair 1
6    orange        pair 2  TxData-
7    white/brown   pair 4
8    brown         pair 4

The diagram below shows the 568A and 568B in comparison:



Where are they used ?

The most common application for a straight through cable is a connection between a PC and a hub/swit connected directly to the hub/switch which will automatically cross over the cable internally, using specia CAT1 cable, which is usually found in telephone lines, only 2 wires are used, these do not require any sp phones connect directly to the phone socket.

The picture above shows us a standard CAT5 straight thru cable, used to connect a PC to a HUB. You m because you might expect the TX+ of one side to connect to the TX+ of the other side but this is not th PC to a HUB, the HUB it will automatically x-over the cable for you by using its internal circuits, this res is TX+) to connect to Pin 1 of the HUB (which connects to RX+).This happens for the rest of the pinouts

If the HUB didn't x-over the pinouts using its internal circuits (this happens when you use the Uplink po from the PC (which is TX+) would connect to Pin 1 of the HUB (which would be TX+ in this case). So yo we do with the HUB port (uplink or normal), the signals assigned to the 8 Pins on the PC side of things, same, the HUB's pinouts though will change depending whether the port is set to normal or uplink.

CAT5 UTP X-Over Cable


Introduction

The cross-over (x-over) CAT5 UTP cable has to be one of the most used cables after the classic straight allows us to connect two computers without needing a hub or switch. If you recall, the hub does the x-o you only need to use a straight thru cable from the PC to the hub. Since now we don't have a hub, we n over.


Why do we need an x-over ?

When sending or receiving data between two devices, e.g computers, one will be sending while the othe via the network cable and if you look at a network cable you will notice that it contains multiple cables. used to send data, while others are used to receive data and this is exactly what we take into account w cable. We basically connect the TX (transmit) of one end to the RX (receive) of the other ! The diagram below shows this in the simplest way possible:

CAT5 X-over

There is only one way to make a CAT5 x-over cable and it's pretty simple. Those who read the "wiring u cable is a 568A on one end and a 568B on the other. If you haven't read the wiring section, don't wor enough information to understand what we are talking about.

As mentioned previously, an x-over cable is as simple as connecting the TX from one end to the RX of t Let's now have a look at the pinouts of a typical x-over CAT5 cable:

As you can see, only 4 pins are needed for an x-over cable. When you buy an x-over cable, you might find these cables aren't any different from the above, it's just that there are cables running to the unused pin difference in performance, but is just a habit some people follow. Here are the pinouts for an x-over cable which has all 8 pins connected:


Where else can I use a x-over ?

X-over cables are not just used to connect computers, but a variety of other devices. Prime example are have two hubs and you need to connect them, you would usually use the special uplink port which, whe switch (in most cases), makes that particular port not cross the tx and rx, but leave them as if they whe happens though if you haven't got any uplink ports or they are already used ?

The X-over cable will allow you to connect them and solve your problem. The diagram below shows a fe simpler:

As you can see in the above diagram, thanks to the uplink port, there is no need for a x-over cable.

Let's now have have look at how to cope when we don't have an uplink to spare, in which case we must connect the two hubs:


All the above should explain a x-over cable, where we use it and why we need it. I thought it would be a last picture, the pinouts of a straight thru and a x-over cable so you can compare them side by side:
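The straight-through/hub explanation, the x-over section and the hub-to-hub uplink discussion all come down to one rule: each device's TX pins must land on the other device's RX pins of the same polarity. The following is an added example (my code, not part of the original article) that encodes the T568A and T568B colour tables from this page, classifies a cable by the scheme used on each plug, flags split pairs (the fault you get when A and B are mixed on one plug), and checks whether a given PC/hub combination will actually link. The pin meanings assumed are the ones the text gives for 10/100BASE-T: pins 1-2 transmit and 3-6 receive on a network card and on a hub's uplink port, while a hub's normal port is the other way round.

```python
# Wire colour -> plug pin for the two schemes, from the colour tables on this page.
T568A = {"white/green": 1, "green": 2, "white/orange": 3, "blue": 4,
         "white/blue": 5, "orange": 6, "white/brown": 7, "brown": 8}
T568B = {"white/orange": 1, "orange": 2, "white/green": 3, "blue": 4,
         "white/blue": 5, "green": 6, "white/brown": 7, "brown": 8}

# The four twisted pairs and the pin positions a pair must occupy (1-2, 3-6,
# 4-5, 7-8) so that the twist keeps cancelling interference.
PAIRS = (("white/orange", "orange"), ("white/green", "green"),
         ("white/blue", "blue"), ("white/brown", "brown"))
PAIR_PINS = ({1, 2}, {3, 6}, {4, 5}, {7, 8})

# What each pin means to the device behind it on 10/100BASE-T. A PC's network
# card (and a hub's uplink port) transmits on 1-2 and receives on 3-6; a hub's
# normal port is wired the other way round, which is the "internal x-over"
# the text describes.
NIC_PINS = {1: "TX+", 2: "TX-", 3: "RX+", 6: "RX-"}
HUB_NORMAL_PINS = {1: "RX+", 2: "RX-", 3: "TX+", 6: "TX-"}
HUB_UPLINK_PINS = NIC_PINS


def split_pairs(end):
    """Pairs whose two wires are not on a twisted-pair pin position."""
    return [(a, b) for a, b in PAIRS if {end[a], end[b]} not in PAIR_PINS]


def pin_map(end_a, end_b):
    """For each pin on plug A, the pin on plug B the same physical wire reaches."""
    return {pin: end_b[colour] for colour, pin in end_a.items()}


def classify_cable(end_a, end_b):
    """'straight-through', 'crossover', 'split-pair' or 'miswired'."""
    if split_pairs(end_a) or split_pairs(end_b):
        return "split-pair"
    m = pin_map(end_a, end_b)
    if all(src == dst for src, dst in m.items()):
        return "straight-through"
    swapped = {"TX+": "RX+", "TX-": "RX-", "RX+": "TX+", "RX-": "TX-"}
    if all(NIC_PINS.get(m[p]) == swapped[sig] for p, sig in NIC_PINS.items()):
        return "crossover"
    return "miswired"


def link_works(dev_a, end_a, end_b, dev_b):
    """True when every TX pin of each device lands on the RX pin of the same
    polarity on the device at the far end of the cable."""
    forward = pin_map(end_a, end_b)
    backward = {b: a for a, b in forward.items()}
    for pin, sig in dev_a.items():
        if sig.startswith("TX") and dev_b.get(forward[pin]) != "RX" + sig[2]:
            return False
    for pin, sig in dev_b.items():
        if sig.startswith("TX") and dev_a.get(backward[pin]) != "RX" + sig[2]:
            return False
    return True


if __name__ == "__main__":
    print("B/B cable:", classify_cable(T568B, T568B))
    print("A/B cable:", classify_cable(T568A, T568B))
    print("PC -> hub normal port, straight:", link_works(NIC_PINS, T568B, T568B, HUB_NORMAL_PINS))
    print("PC -> PC, straight:", link_works(NIC_PINS, T568B, T568B, NIC_PINS))
    print("PC -> PC, x-over:", link_works(NIC_PINS, T568A, T568B, NIC_PINS))
    print("hub -> hub uplink, straight:", link_works(HUB_NORMAL_PINS, T568B, T568B, HUB_UPLINK_PINS))
    print("hub -> hub normal, x-over:", link_works(HUB_NORMAL_PINS, T568A, T568B, HUB_NORMAL_PINS))
```

The model only covers the two data pairs, which is all 10/100 Ethernet uses; it says nothing about the blue and brown pairs beyond checking that they stay twisted together on the plug.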

100Base-(T) TX/T4/FX - Ethernet


Introduction

The 100Base-TX (sometimes referred to 100Base-T) cable is the most popular cable around since it has 10Base-T and 10Base-2 (Coaxial). The 100Base-TX cable provides fast speeds up to 100Mbits and is mo CAT5 cable (see the CAT 1/2/3/4/5 page).There is also 100Base-T4 and 100Base-FX available, which w So what does 100Base-TX/T4/FX mean ?

To make it simpler to distinguish cables they are categorised; that's how we got the CAT1, 2, 3 etc cabl for speed and type of network. But since one type of cable can support various speeds, depending on its cables are named using the "BaseT" to show exactly what type of networks the specific cable is made to


We are going to break the "100Base-T?" into 3 parts so we can make it easier to understand: 100

The number 100 represents the frequency in MHz (Mega Hertz) for which this cable is made. In this cas the MHz, the greater speeds the cable can handle. If you try to use this type of cable for greater freque speeds) it will either not work or become extremely unreliable. The 100 MHz speed translates to 100Mb theory means 12 MBytes per second. In practice though, you wouldn't get more than 4 MBytes per seco Base

The word "Base" refers to Baseband. Baseband is the type of communication used by Ethernet and it m is transmitting, it uses all the available bandwith, whereas Broadband (cable modems) shares the bandw reason cable modem users notice a slowdown in speed when they are connected on a busy node, or wh downloading all the time at maximum speed ! Of course with Ethernet you will notice a slowdown in spe comparison to broadband. TX/T4/FX

The "T" refers to "Twisted Pair" physical medium that carries the signal. This shows the structure of the pairs which are twisted. For example, UTP has twisted pairs and this is the cable used in such cases. Th sometimes to refer to the 100Base-TX cable specification. For more information, see the "UTP -Unshield you can find information on pinouts for the cables. All 100Mbit rated cables, except the 100Base-FX, us 100Base-TX

The TX (sometimes refered as "T" only) means it's a CAT5 UTP straight through cable using 2 of the 4 a speeds up to 100Mbits. Maximum length is 100 meters and minimum length between nodes is 2.5 mete 100Base-T4

The T4 means it's a CAT5 UTP straight through cable using all 4 available pairs and supports speeds up length is 100 meters and minimum length between nodes is 2.5 meters. 100Base-FX

The FX means it's a 2 strand fiber cable and supports speeds up to 100Mbits. Maximum length is usuall

10Base-T/2/5/F/35 - Ethernet
Introduction

The 10Base-T UTP Ethernet and 10Base-2 Coax Ethernet were very popular around the early to mid 199 cards and hubs/switches were very expensive. Today's prices have dropped so much that most vendors networks but the 100Base ones and, at the same time, support the 10 BaseT and 10Base-2 standard. W 10Base5/F and 35 shortly. So what does 10 BaseT/2/5/F/35 mean ?

To make it simpler to distinguish cables they are categorised; that's how we got the CAT1, 2, 3 etc cabl for speed and type of network. But since one type of cable can support various speeds, depending on it cables are named using the "BaseT" to show exactly what type of networks the specific cable is made to

We are going to break the "10 Base T (and the rest)" into 3 parts so we can make it easier to understa

10

The number 10 represents the frequency in MHz (Mega Hertz) for which this cable is made. In this case the MHz, the greater speeds the cable can handle. If you try to use this type of cable for greater freque speeds) then it either will not work or become extremely unreliable. The 10 MHz speed translates to 10M theory means 1.2 MBytes per second. In practice though, you wouldn't get more than 800 KBytes per s

Base

The word "Base" refers to Baseband. Baseband is the type of communication used by Ethernet and it m is transmitting, it uses all the available bandwidth, whereas Broadband (cable modems) shares the bandw reason cable modem users notice a slowdown in speed when they are connected on a busy node, or wh downloading all the time at maximum speed! Of course with Ethernet you will notice a slowdown in spe comparison to broadband.

T/2/5/F/35

The "T" refers to the "Twisted Pair" physical medium that carries the signal. This shows the structure of the pairs which are twisted. For example, UTP has twisted pairs and this is the cable used in such cases. For "UTP -Unshielded Twisted Pair" page where you can find information on pinouts for the cables.

10Base-T

A few years ago, the 10 BaseT cables used CAT3 cables, which are used for speeds up to 10Mbit, but to CAT5 cables, which are good for speeds up to 100 Mhz or 100Mbit, these cables are also used for 10Mb the UTP cable are used with the 10Base-T specification and the maximum length is 100 meters. Minimu 2.5 meters.

10Base-2

This specification uses Coaxial cable which is usually black, sometimes also called "Thinwire coax", "Thin Maximum length is 185 meters while the minimum length between nodes is 0.5 meters. 10Base-2 uses depending on the configuration, require special terminators. The 10Base-2 specification is analysed here contains pictures) if you wish to read more about it.

10Base-5

This specification uses what's called "Thickwire" coaxial cable, which is usually yellow. The maximum len minimum length between nodes is 2.5 meters. Also, special connectors are used to interface to the netw AUI (Attachment Unit Interface) connectors and are similar to the DB-15 pin connectors most soundcard port.

Most networks use UTP cable and RJ-45 connectors or Coaxial cable with BNC "T" connectors, for this re their way to the market that allow you to connect an AUI network card to these different cable networks


The picture below shows you a few of these devices:

10Base-F

This specification uses fibre optic cable. Fibre optic cable is considered to be more secure than UTP or an because it is nearly impossible to tap into. It is also resistant to electromagnetic interference and atten 10Base-F specification is for speeds up to 10Mbits per second, depending on the type of fibre and equip speeds of up to 2Gigabits per second!

10Base-35

The 10Base-35 specification uses broadband coaxial cable. It is able to carry multiple baseband channel 3,600 meters or 3.6 Kms.

Summary

To summarise, keep the following in mind:

10Base-T works for 10Mbit networks only and uses unshielded twisted pair cable with RJ-45 conn maximum length of 100 meters. They also only use 2 pairs of cables.

10Base-2 works for 10Mbit networks only and uses Coaxial cable. Maximum length is 185 meters are used to connect to the computers; there are special terminators at each of the coaxial cable.

10Base-5 works for 10Mbit networks only and uses Thick Coaxial cable. Maximum length is 500 connectors (DB-15) are used to interface with the network card.

10Base-F works for 10Mbit networks only and uses cool fibre optic cable :)

Summary (100Base-TX/T4/FX)

To summarise, keep the following in mind:

100Base-TX/T4 works for 100Mbit networks only and uses unshielded twisted pair cable with RJ-

All CAT5 UTP cables have 4 pairs of cables (8 wires).

100Base-TX (sometimes called 100Base-T) uses 2 of the 4 available pairs within the UTP cable, w uses all 4 pairs.

100Base-FX also works for speeds up to 100Mbits but uses fibre optic cable instead of UTP.
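The two sections above break a cable designation into the same three parts (the leading number, the word "Base", and the medium suffix). As an added example, not code from the original page, here is a small parser for that naming scheme. The names parse_designation, EthernetSpec and MEDIA are my own; the lengths, node spacings and pair counts are the figures stated in the text, and anything the text does not give is left as None. It also accepts the loose spellings the text itself uses ("10 BaseT", "10Base2").

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added helper for this page; parse_designation, EthernetSpec and MEDIA are my own names.
# Matches the three parts the text breaks a designation into: number, "Base", medium suffix.
DESIGNATION = re.compile(r"^(?P<rate>\d+)\s*Base[-\s]?(?P<medium>[A-Za-z0-9]+)$", re.IGNORECASE)


@dataclass(frozen=True)
class EthernetSpec:
    designation: str
    rate_mbit: int                  # leading number: MHz the cable is made for, and Mbit/s of the network
    signalling: str                 # "Base" = baseband: a transmitting station uses all the bandwidth
    medium: str                     # what the suffix stands for
    max_length_m: Optional[int]     # maximum cable length; None where the text gives no figure
    min_spacing_m: Optional[float]  # minimum length between nodes; None where not stated
    pairs_used: Optional[int]       # twisted pairs in use (a CAT5 UTP cable has 4 pairs / 8 wires)


# (description, max length in m, min node spacing in m, pairs used), all taken from the text above.
MEDIA = {
    (10, "T"):   ("unshielded twisted pair, RJ-45 connectors", 100, 2.5, 2),
    (10, "2"):   ("thin coaxial ('Thinwire'), BNC T connectors, special terminators", 185, 0.5, None),
    (10, "5"):   ("thick coaxial ('Thickwire'), AUI (DB-15) connectors", 500, 2.5, None),
    (10, "F"):   ("fibre optic", None, None, None),
    (10, "35"):  ("broadband coaxial, carries multiple baseband channels", 3600, None, None),
    (100, "TX"): ("CAT5 UTP straight-through, 2 of the 4 pairs", 100, 2.5, 2),
    (100, "T"):  ("CAT5 UTP straight-through, 2 of the 4 pairs (TX is sometimes written T)", 100, 2.5, 2),
    (100, "T4"): ("CAT5 UTP straight-through, all 4 pairs", 100, 2.5, 4),
    (100, "FX"): ("2-strand fibre optic", None, None, None),
}


def parse_designation(text: str) -> EthernetSpec:
    """Decode e.g. '100Base-TX', '10 BaseT' or '10Base2'; rate/medium pairs not described here are rejected."""
    m = DESIGNATION.match(text.strip())
    if not m:
        raise ValueError(f"not an Ethernet cable designation: {text!r}")
    rate = int(m.group("rate"))
    suffix = m.group("medium").upper()
    if (rate, suffix) not in MEDIA:
        raise ValueError(f"{rate}Base-{suffix} is not a combination described here")
    medium, max_len, min_spacing, pairs = MEDIA[(rate, suffix)]
    return EthernetSpec(f"{rate}Base-{suffix}", rate, "baseband", medium, max_len, min_spacing, pairs)


def theoretical_mbytes_per_second(spec: EthernetSpec) -> float:
    """Raw bit rate divided by 8. The text rounds this to 12 and 1.2 MB/s and notes that
    real throughput is lower still (about 4 MB/s and 800 KB/s respectively)."""
    return spec.rate_mbit / 8


if __name__ == "__main__":
    for name in ("100Base-TX", "100BaseT4", "10 BaseT", "10Base2", "10Base-5", "10Base-35", "100Base-FX"):
        spec = parse_designation(name)
        print(spec.designation, spec.medium, spec.max_length_m, spec.pairs_used)
```

Rejecting unknown rate/suffix combinations (such as a "10Base-T4") is deliberate: the suffix alone does not identify a cable, since "T" at 10 Mbit and "T" at 100 Mbit describe different cable categories.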

Fibre Optic Cable


Introduction

In the 1950's more research and development into the transmission of visible images through optical fib the medical world where it was being used in remote illumination and viewing instruments. In 1966 Cha Hockham proposed the transmission of information over glass fibre and realised that to make it a practi losses in the cables were essential.

This was the driving force behind the developments to improve the optical losses in fibre manufacturing significantly lower than the original target set by Charles Kao and George Hockham.

The advantages of using fibre optics

Because of the low-loss, high-bandwidth properties of fibre cables they can be used over greater distan data networks this can be as much as 2km without the use of repeaters. Their light weight and small siz applications where running copper cables would be impractical and, by using multiplexors, one fibre cou copper cables. This is pretty impressive for a tiny glass filament, but the real benefit in the data industr Magnetic Interference (EMI), and the fact that glass is not an electrical conductor.

Because fibre is non-conductive it can be used where electrical isolation is needed, for instance, betwee cables would require cross bonding to eliminate differences in earth potentials. Fibres also pose no threa environments such as chemical plants where a spark could trigger an explosion. Last but not least is the very difficult to tap into a fibre cable to read the data signals.


Fibre construction

There are many different types of fibre cable, but for the purposes of this explanation we will deal with types, 62.5/125 micron loose tube. The numbers represent the diameters of the fibre core and cladding microns which are millionths of a metre.

Loose tube fibre cable can be indoor or outdoor, or both, the outdoor cables usually have the tube filled moisture barrier to the ingress of water. The number of cores in one cable can be anywhere from 4 to 1

Over the years a variety of core sizes have been produced but these days there are three main sizes tha communications, these are 50/125, 62.5/125 and 8.3/125. The 50/125 and 62.5/125 micron multi-mod used in data networks, although recently the 62.5 has become the more popular choice. This is rather u 50/125 has been found to be the better option for Gigabit Ethernet applications.


The 8.3/125 micron is a single mode cable which until now hasn't been widely used in data networking mode hardware. Things are beginning to change because the length limits for Gigabit Ethernet over 62. reduced to around 220m and now using 8.3/125 may be the only choice for some campus size networks single mode may start to bring the costs down.

What's the difference between single-mode and multi-mode?

With copper cables larger size means less resistance and therefore more current, but with fibre the oppo we first need to understand how the light propagates within the fibre core.

Light propagation

Light travels along a fibre cable by a process called 'Total Internal Reflection' (TIR), this is made possibl glass which have different refractive indexes. The inner core has a high refractive index and the outer c is the same principle as the reflection you see when you look into a pond. The water in the pond has a h the air and if you look at it from a shallow angle you will see a reflection of the surrounding area, howev at the water you can see the bottom of the pond.

At some specific angle between these two view points the light stops reflecting off the surface of the wa air/water interface allowing you to see the bottom of the pond. In multi-mode fibres, as the name sugg modes of propagation for the rays of light. These range from low order modes, which take the most dire middle, to high order modes, which take the longest route as they bounce from one side to the other all

This has the effect of scattering the signal because the rays from one pulse of light arrive at the far end known as Intermodal Dispersion (sometimes referred to as Differential Mode Delay, DMD). To ease the were developed. Unlike the examples above which have a definite barrier between core and cladding, th index at the centre which gradually reduces to a low refractive index at the circumference. This slows do allowing the rays to arrive at the far end closer together, thereby reducing intermodal dispersion and im signal.

So what about the single-mode fibre?

Well, what's the best way to get rid of Intermodal Dispersion?, easy, only allow one mode of propagatio means higher bandwidth and greater distances. Simple as that ! :)


Direct Cable Connection


Introduction

From the early PC days, Direct Cable Connection (DCC) was the most popular way to transfer data from course, it might seem a bit of an "old fashioned" way to transfer data these days but remember that ba running DOS 6.22 or Windows for Workgroups 3.11 if you were lucky!

Today, most computers are equipped with a network card and have an x-over or hub which will allow yo faster than a serial or parallel cable. But still, there is always a time when you require a simple transfer that's what this page is about.

There is a variety of programs which allow you to use the above mentioned cables to successfully transf you should know that you can achieve your goal without them as well since Windows 95 and above sup connection method.

Installing Windows programs or components to transfer data is out of this section's scope, but I have in you should check before attempting the Direct Connection via cable, this info is included in the "Importa be learning how to create the cables required to meet our goals and comparing the speed of the two (Se

Because the page ended up being quite long, I decided to split it in order to make it easier to read. Sim like to read about:

Serial Direct Connection


Serial Direct Cable Connection


Introduction

The Serial Direct Connection is the one which utilizes the COM ports of your computers. E computer has at least 2 COM ports, COM1 and COM2. The "COM" stands for "Communica pinouts are a lot simpler when compared to the parallel port, but the speed is also a lot s

To give you an idea of how fast (or slow) a serial port is, at its best you will get around 1 per second. That's pretty slow when you're used to a network connection, but let me sho serial data is transferred so you can also understand why it's a lot slower:

The above picture gives you an idea on how serial data is transferred. Each coloured bloc numbered is sent from PC 1 to PC 2. PC 2 will receive the data in the same order it was s words it will receive data block 1 first and then 2, all the way to block 7. This is a pretty g representation of data flow in a serial cable. Serial ports transmit data sequentially over o wires (the rest of the wires are used to control the transfer).

Another way you can think of it is like a one lane road where the road is wide enough to car at a time (one data block at a time in our example above), so you would imagine that cannot process several cars at one time.

The Serial port

Most new computers have two COM ports with 9 pins each, these are DB-9 male connect computers would have one DB-9 male connector and one DB-25 male connector. The 25 connector is pretty much the same as the 9 pin, it's just bigger. Let's have a look at a serial port to see what we are talking about:


Different pinouts are used for the DB-9 and DB-25 connectors and we will have a look at moment. Let's just have another quick look at the COM ports of a new computer:

Notice the COM ports, they are both DB-9 connectors, there is no more DB-25 ! The conn the two blue COM ports is an LPT or Parallel port.

The serial port of a computer is able to run at different speeds, thus allowing us to conne devices which communicate at different speeds with the computer. The following table sh speeds at which most computers' serial ports are able to run and how many KB/sec they

Now we will have a look at the pin outs of both DB-9 and DB-25 connectors:


The Cable

All that's left now is the pinouts required to allow us to use the serial cable for direct conn is a special term for this type of a cable, it's called a "null modem" cable, which basically me to have TX and RX crossed over. Because you can have different configurations, e.g. DB-9 9 to DB-25, and DB-25 to DB-25, I have created different tables to show you the pinouts

1) DB-9 to DB-9. You use this configuration when you need a cable with a DB-9 connecto end:

2) DB-9 to DB-25. You use this configuration when you need a cable with one DB-9 and o connector on either end:


3) DB-25 to DB-25. You use this configuration when you need a cable with a DB-25 conn end:

Well, that pretty much covers everything about serial direct connection via a null modem

If you're using third party software to connect your computers, you probably won't stumb problems, but if you're using Windows software be sure you have unique names for each computers because Windows will treat the direct connection as a "network" connection. T you will be able to see the other computer via Network Neighborhood.


Parallel Direct Cable Connection

Parallel Direct Connection

The Parallel Direct Connection is the second solution to transfer data from one computer to another. The more complicated as it has more wires that need to be connected, but the speeds you will get from it w time and effort required to make the cable.

Most people would know the parallel Direct Cables as "Laplink" cables. You get one when you buy the La PCAnywhere, it's usually a yellow cable, but you'll be able to make your own by the time you finish read

Because of the variety of parallel (LPT) ports, 4 to be precise, but we use the same cable for everyone o look at them all to make sure we cover everything :)

Now, as far as speed's concerned, with a standard LPT port you're looking at around 40 to 60 KB per se LPT ports you should expect something around 1MB per second ! Whichever way you see it, it's a huge to the serial cable (Null modem cable).

Let's have a quick look at the way data is transferred over a parallel link, this will help us understand wh the serial method of transfer:

This diagram shows a parallel transfer. In serial transfer there is one block of data moved at a time, wh more specifically in our example, there are 4 data blocks moved at a time. Parallel ports transmit data s lines and are therefore faster than serial.

If you're having difficulties understanding the diagram just think of a 4 lane highway, which is our paral time are moving whereas the serial cable is like a one lane highway with one car at a time moving. Hop

What does the parallel port (LPT) look like ?

The picture below shows a parallel port, also known as LPT port, of a new computer.


With new computers, you will always find the LPT port right above the two COM ports and it's usually co matter what type of LPT port you have, they all look the same, it's the electronic characteristics which c different types of LPT ports and that's transparent to everyone. All LPT ports are female DB-25 connecto

So what are the different LPT ports ?

Before we get stuck into the pinouts of the LPT port, let's have a look at the different types of LPT ports on the LPT port, you would expect different speed rates:

Because it might seem a bit confusing at the beginning, I have included a bit more technical information o you understand more about them. To keep it simple, I have categorised and colour coded them to show above:

4 bit ports

The port can do 8 bit byte output and 4 bit nibble input. These ports are often called "unidirectional" an on desktop bus cards (also called IO expansion cards, serial/parallel cards, or even 2S+P cards) and old most common type of port, especially on desktop systems. 4 bit ports are capable of effective transfer r per second in typical devices but can be pushed upwards of 140 KBytes/sec with certain design tricks.

8 bit ports

These ports can do both 8 bit input and output and are sometimes called "bidirectional ports" but that t vendors to refer to 4 bit ports as well. Most newer laptops have 8 bit capability although it may need to vendor-specific CMOS setup function. This is discussed below. A relatively smaller percentage of LPT bu that sometimes must be enabled with a hardware jumper on the board itself. True 8 bit ports are prefer they are considerably faster when used with external devices that take advantage of the 8 bit capability speeds ranging from 80-300 KBytes per second, again depending on the speed of the attached device, t software and the port's electrical characteristics.

EPP ports

Can do both 8 bit input and output at ISA bus speeds. These ports are as fast as 8 bit bus cards and can upwards of 600 KByte per second. These ports are usually used by non-printer peripheral devices such drives, hard drives, network adaptors and more.

ECP ports

Can do both 8 bit input and output at bus speeds. The specification for this port type was jointly develop Hewlett-Packard. ECP ports are distinguished by having DMA capability, on-board FIFOs at least 16 byte compression capability and are generally featured more than other ports. These ports are as fast as 8 b transfer rates upwards of 1 Mbyte per second and faster on PCs whose buses will support it. The design rates in the future.

Laplink cable is used to link two PCs with MSDOS 6.0 or later very effectively by using INTERSVR.EXE (o (on GUEST) PCs. But it can also be used to transfer data at faster speed with the DCC feature of Win9x/Me

Let's now have a quick look at the pinouts of an LPT port:

The Cable

As explained, there are different LPT ports, but the cable used is the same for all types of LPT ports. De BIOS LPT settings you will be able to achieve different speed transfers as outlined in the table above. The picture below clearly shows the pinouts of the required cable:


One wire should be attached to the metal body of the Male pins on both sides, this is also shown as the diagram.

Now, because I understand how much trouble someone can fall into when trying to create a cable and g have included the DirectParallel Connection Monitor Utility, for all the DCC users to troubleshoot and tes on both computers. It provides detailed information about the connection, the cable being used for the (4-bit, 8-bit, ECP, EPP), the parallel port types, I/O address, and IRQ.


USB Direct Cable Connection


Introduction

Serial and Parallel Direct Cable Connections are considered to be a bit "old fashioned" these days. USB Direct Cable Connection (DCC), on the other hand, belongs in the "new fashioned" category :) USB DCC is a few years old, but because most people would use their network card to transfer data, the DCC hasn't been very well known for the USB port, but it does exist.... and the catch is that you can't make it, you must buy it! But don't be tempted to leave the page just yet, there is a lot of information on USB which is always good to know. Keep reading .... :) Let's have a closer look and see what it's all about!

About USB

USB stands for Universal Serial Bus. Most peripherals for computers these days come in a USB version. The USB port was designed to be very flexible and for this reason you are able to connect printers, external hard drives, CD-ROMs, joysticks, scanners, digital cameras, modems, hubs and a lot of other cool stuff to it. The Universal Serial Bus gives you a single, standardized, easy-to-use way to connect up to 127 devices to a computer. The 127 number is a theoretical number :) In practice it's a lot less! The devices you connect can even be powered through the USB port of your computer if they draw less than 500mA, which is half an Ampere (I). A good example is my little Canon scanner, it only has one cable which is used to power the scanner up and to transfer the data to the computer!

Currently there are 2 versions of the USB port, the initial version which is USB v1.1 and the newer version USB v2 which has hit the market since the end of 2001. Most people have computers and devices which use the first version, but all new computers will now come with USB v2. This new version of the USB port is backwards compatible with the older version and also a lot faster. The table below compares the two USB ports so you can see the speed difference:


Keep in mind that when you're using a USB DCC cable, you won't get such great speeds, but somewhere around the 500KBytes/sec. This also depends on the type of CPU, O/S, the quality of the cable and electronic components and protocols running on your system. Another thing which you should keep in mind is the Windows operating system that supports the USB port:

The USB Cable

The USB standard uses A and B connectors to avoid confusion. "A" connectors head "upstream" toward the computer, while "B" connectors head "downstream" and connect to individual devices. This might seem confusing to some, but it was designed to avoid confusion between consumers because it would be more complicated for most people to try and figure out which end goes where. And this is what the USB cable and connectors actually look like:


As mentioned earlier, the USB port can power certain devices and also transfer data at the same time. For this to happen, the USB port must have at least 4 cables of which 2 are for the power, and 2 for the data. The diagram is to help you understand what the cable contains:

The USB DCC (Finally :) )

As I mentioned in the introduction of this page, the USB DCC cable cannot be made, because it requires special electronic circuits built around the cable. Parallel Technologies manufacture USB DCC cables and they call it the "NET-LinQ":


The USB DCC cable can also be used to connect a computer to your network. The way it works is pretty simple. Assuming you have Computers A, B, C and D. Computers A, B and C are connected via an Ethernet LAN and Computer D hasn't got a network card to connect to the network. Using the NET-LinQ or other similar cables you can connect Computer D with any of the other 3 computers as long as they have a USB port, then by configuring the network protocols on Computer D, it will be able to see and connect to the rest of the network!

Important Direct Cable Connection Notes


Important Points for DCC

This page was designed to provide some notes on Direct Cable Connection (file transfer) of Win9x/ME/2000 with a LAPLINK (printer port) cable or Null-Modem (serial port) cable. I've successfully used a Laplink cable to link two PCs for FILE TRANSFER only (not playing games), with WIN95 and the Direct Cable Connection program using the NetBEUI protocol on each computer. You can quickly check to see if the protocol is installed by double-clicking on the "Network Section" in Control Panel of your Windows operating system. In addition to the above, you must have installed "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and optionally the TCP/IP protocol, which will require some configuration. Providing a simple IP address and subnet mask will be enough for our purposes, the rest of the fields can be ignored. If you would like to allow users to access your files and printer, then ensure both the options in "File and Print Sharing" are selected. Once you have completed the above steps, you should have the following listed in the "Network Selection" window:

Client for Microsoft Networks
TCP/IP
NetBEUI
File and Printer Sharing for Microsoft Networks

Once your changes are complete, Windows might prompt you to reboot the system, so make sure all work is saved before answering "yes"! You should also share the Disks on both computers by right-clicking on the selected disks installed in your system and select the "Sharing" option that will appear in the menu. You can access them via your "My Computer" icon on your desktop. After you complete these actions, you will see a blue hand "holding" your shared drives, indicating that the drive is shared with the rest of the network!


Connection Oriented

What this basically means is that a connection is established between the two hosts or rather, the two computers, before any data is transferred. When the term "connection is established" is used, this means that both computers know about each other and have agreed on the exchange of data. This is also where the famous 3-way handshake happens. You will find the SYN and ACK bits in the Code bits field which are used to perform the 3-way handshake. Thanks to the 3-way handshake, TCP is connection oriented. The following diagram explains the procedure of the 3-way handshake:

STEP 1: Host A sends the initial packet to Host B. This packet has the "SYN" bit enabled. Host B receives the packet and sees the "SYN" bit which has a value of "1" (in binary, this means ON) so it knows that Host A is trying to establish a connection with it.

STEP 2: Assuming Host B has enough resources, it sends a packet back to Host A with the "SYN and ACK" bits enabled (1). The SYN that Host B sends, at this step, means 'I want to synchronise with you' and the ACK means 'I acknowledge your previous SYN request'.

STEP 3: So... after all that, Host A sends another packet to Host B with the "ACK" bit set (1), effectively telling Host B 'Yes, I acknowledge your previous request'.

Once the 3-way handshake is complete, the connection is established (virtual circuit) and the data transfer begins.

Flow Control

Flow control is used to control the data flow between the connection. If for any reason one of the two hosts is unable to keep up with the data transfer, it is able to send special signals to the other end, asking it to either stop or slow down so it can keep up. For example, if Host B was a webserver from which people could download games, then obviously Host A is not going to be the only computer downloading from this webserver, so Host B must regulate the data flow to every computer downloading from it. This means it might turn to Host A and tell it to wait for a while until more resources are available because it has another 20 users trying to download at the same time. Below is a diagram that illustrates a simple flow control session between two hosts. At this point, we only need to understand the concept of flow control:


Generally speaking, when a machine receives a flood of data too quickly for it to process, it stores it in a memory section called a buffer. This buffering action solves the problem only if the data bursts are small and don't last long. However, if the data burst continues it will eventually exhaust the memory of the receiving end and that will result in the arriving data being discarded. So in this situation the receiving end will simply issue a "Not ready" or "Stop" indicator to the sender, or source of the flood. After the receiver processes the data it has in its memory, it sends out a "Ready" or "Go" transport indicator and the sending machine receives the "Go" indicator and resumes its transmission.

Windowing

Data throughput, or transfer efficiency, would be low if the transmitting machine had to wait for an acknowledgment after sending each packet of data (the correct term is segment as we will see on the next page). Because there is time available after the sender transmits the data segment and before it finishes processing acknowledgments from the receiving machine, the sender uses the break to transmit more data. If we wanted to briefly define Windowing we could do so by stating that it is the number of data segments the transmitting machine is allowed to send without receiving an acknowledgment for them. Windowing controls how much information is transferred from one end to the other. While some protocols quantify information by observing the number of packets, TCP/IP measures it by counting the number of bytes.

Let's explain what is happening in the above diagram. Host B is sending data to Host A, using a window size equal to one. This means that Host B is expecting an "ACK" for each data segment it sends to Host A. Once the first data segment is sent, Host A receives it and sends an "ACK 2" to Host B. You might be wondering why "ACK 2" and not just "ACK"? The "ACK 2" is translated by Host B to say: 'I acknowledge (ACK) the packet you just sent me and I am ready to receive the second (2) segment'. So Host B gets the second data segment ready and sends it off to Host A, expecting an "ACK 3" response from Host A so it can send the third data segment for which, as the picture shows, it receives the "ACK 3". However, if it received an "ACK 2" again, this would mean something went wrong with the previous transmission and Host B will retransmit the lost segment. We will see how this works in the Acknowledgments section later on.

Let's now try a different Window size to get a better understanding... let's say 3! Keep in mind the way the "ACK's" work, otherwise you might find the following example a bit confusing. If you can't understand it, read the previous example again where the Window size was equal to one.

In the above example, we have a window size equal to 3, which means that Host B can send 3 data segments to Host A before expecting an "ACK" back. Host B sends the first 3 segments (Send 1, Send 2 and Send 3), Host A receives them all in good condition and then sends the "ACK 4" to Host B. This means that Host A acknowledged the 3 data segments Host B sent and awaits the next data segments which, in this case, would be 4, 5 and 6.

Acknowledgments

Reliable data delivery ensures the integrity of a stream of data sent from one machine to the other through a fully functional data link. This guarantees the data won't be duplicated or lost. The method that achieves this is known as positive acknowledgment with retransmission. This technique requires a receiving machine to communicate with the transmitting source by sending an acknowledgment message back to the sender when it receives data. The sender documents each segment it sends and waits for this acknowledgment before sending the next segment. When it sends a segment, the transmitting machine starts a timer and retransmits if it expires before an acknowledgment is returned from the receiving end.

This figure shows how the Acknowledgments work. If you examine the diagram closely you will see the window size of this transfer, which is equal to 3. At first, Host B sends 3 data segments to Host A and they are received in perfect condition so, based on what we learned, Host A sends an "ACK 4" acknowledging the 3 data segments and requesting the next 3 data segments, which will be 4, 5 and 6. As a result, Host B sends data segments 4, 5 and 6, but 5 gets lost somewhere along the way and Host A doesn't receive it. Host A therefore answers with "ACK 5": it holds on to segment 6, but it can only acknowledge data it has received in order, and segment 5 is the first thing missing. (In a real TCP stack the receiver sends this duplicate "ACK 5" immediately when the out-of-order segment 6 arrives; the sender then retransmits either when its timer for segment 5 expires or, with fast retransmit, after seeing three duplicate ACKs.) Now you see why this method is called "positive acknowledgment with retransmission". At this point Host B resends data segment 5 and waits for Host A to send an "ACK" so it can continue sending the rest of the data. Host A receives the 5th data segment and, because it already has segment 6 waiting in its buffer, sends "ACK 7", which means 'I now have everything up to and including 6, please send me the next 3'. An ACK is cumulative: it covers everything before the number it carries. The next step is not shown on the diagram but it would be Host B sending data segments 7, 8 and 9.

More Overhead

As you can see, there is quite a neat mechanism under the TCP hood that enables data to be transferred error free. All the features the protocol supports come at a price, and this is the overhead associated with TCP. When we talk about overhead, we are referring to all the different fields contained within the TCP header and the error checking that takes place to ensure no portion of the data is corrupt. While for most this is a fair trade off, some applications simply can't spare the extra processing power, bandwidth and increased time the TCP transactions require, and for this reason we have the alternative UDP protocol, which you can read about in the UDP protocol section. At this point our quick overview of TCP has reached its conclusion. From the next page onwards, we start to dive in deeper, so take a deep breath and jump right into it!
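The window-of-3 transfer and the loss of segment 5 described above, carried through in code. This is an added example and not part of the original page: it models Host B as a sender with a fixed window, Host A as a receiver that buffers out-of-order data and answers every arrival with a cumulative ACK, and a network that loses chosen segments once. The segment size, the starting sequence number and the stream contents are constructed values. Unlike the diagrams, the acknowledgements are counted in bytes, the way real TCP does it, so "ACK 4" appears as the sequence number of the first byte of segment 4.

```python
"""Sliding window with cumulative ACKs and retransmission (added example)."""
from dataclasses import dataclass, field

SEG_SIZE = 100  # payload bytes per segment; a constructed value, not from the page


@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes


@dataclass
class Receiver:
    """Host A: delivers in-order data, buffers out-of-order segments and answers
    every arrival with a cumulative ACK, i.e. the next byte it wants."""
    next_expected: int
    buffered: dict = field(default_factory=dict)        # seq -> data held out of order
    delivered: bytearray = field(default_factory=bytearray)

    def receive(self, seg: Segment) -> int:
        if seg.seq == self.next_expected:
            self.delivered += seg.data
            self.next_expected += len(seg.data)
            # Buffered data that is now contiguous is delivered too, so one
            # retransmission can move the ACK past several segments ("ACK 7").
            while self.next_expected in self.buffered:
                data = self.buffered.pop(self.next_expected)
                self.delivered += data
                self.next_expected += len(data)
        elif seg.seq > self.next_expected:
            self.buffered[seg.seq] = seg.data           # gap: keep it, the ACK names the gap
        # A duplicate (seg.seq < next_expected) changes nothing; it is just re-ACKed.
        return self.next_expected


def transfer(payload: bytes, isn: int, window: int, drop_once: set) -> dict:
    """Host B sends `payload` to Host A, `window` segments per round.
    Segment ordinals in `drop_once` (1 = first segment) are lost the first time
    they are sent. Returns the event trace and the stream Host A rebuilt."""
    count = (len(payload) + SEG_SIZE - 1) // SEG_SIZE
    segments = [Segment(isn + i * SEG_SIZE, payload[i * SEG_SIZE:(i + 1) * SEG_SIZE])
                for i in range(count)]
    rx = Receiver(next_expected=isn)
    pending_loss = set(drop_once)
    trace = []                                           # (event, ordinal, ack or None)
    retransmissions = 0

    def ordinal(seg: Segment) -> int:
        return (seg.seq - isn) // SEG_SIZE + 1

    def first_unacked(ack: int) -> int:                  # index of the oldest unacked segment
        return (ack - isn + SEG_SIZE - 1) // SEG_SIZE

    send_base = 0
    while send_base < count:
        burst = segments[send_base:send_base + window]
        highest_ack = rx.next_expected
        for seg in burst:
            if ordinal(seg) in pending_loss:
                pending_loss.discard(ordinal(seg))
                trace.append(("lost", ordinal(seg), None))
                continue
            ack = rx.receive(seg)
            highest_ack = max(highest_ack, ack)
            trace.append(("ack", ordinal(seg), ack))
        send_base = first_unacked(highest_ack)
        burst_end = burst[-1].seq + len(burst[-1].data)
        if send_base < count and highest_ack < burst_end:
            # Window not fully acknowledged: the timer for the oldest unacked
            # segment fires and only that segment is resent.
            seg = segments[send_base]
            retransmissions += 1
            ack = rx.receive(seg)
            trace.append(("retransmit", ordinal(seg), ack))
            send_base = first_unacked(ack)
    return {"trace": trace, "delivered": bytes(rx.delivered),
            "retransmissions": retransmissions}


if __name__ == "__main__":
    sample = bytes(i % 256 for i in range(900))          # constructed 9-segment stream
    for event in transfer(sample, 1000, 3, {5})["trace"]:
        print(event)
```

Running it prints the trace for the page's scenario: ACKs for 1 to 3, an ACK for 4, the loss of 5, a duplicate ACK after 6 arrives, then a single retransmission of 5 answered by an ACK for 7 because 6 was already waiting in the buffer. Real stacks add fast retransmit (three duplicate ACKs) and SACK on top of this; the cumulative ACK and the timer are the part the page describes.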

The TCP Header/Segment


Introduction

This page will introduce several new concepts, nothing of great difficulty, but essential for you to understand. We will learn what a TCP segment is, analyse it and start to explore the guts of TCP :) So buckle up and get ready. It's all really simple, you just need to clear your mind and try to see things in the simplest form and you will discover how easy and friendly TCP really is. You can only feel comfortable with something once you get to know it.

TCP Header and TCP Segment

If we wanted to be more accurate with the terms we use, then perhaps we would title this page "Analysing A TCP Segment". Why? Well, that's what it's called in the networking world so we need to know it by the correct term. This of course leads us to another new definition, a TCP segment: The unit of transfer between the TCP software on two machines is called a TCP segment. If your expression has transformed itself to resemble a confused person, then don't worry, just keep reading... Understanding this term is easier than you thought 5 seconds ago, just take a good look at the diagram below:

Now you see that a TCP segment is basically the TCP header plus the data that's right behind it and, of course, the data belongs to the upper layers (5, 6, 7). The data contents could be part of a file transfer, or the response to an http request; the fact is that we really are not interested in the data's contents, but only in the fact that it's part of the TCP segment. The screen shot below was taken from my packet sniffer, and it shows the DATA portion belonging to the TCP Header:

If you tried to capture a similar packet with any packet sniffer, it is most likely to display the Data portion within the TCP header, just as the screen shot on the left does. So the question is whether a TCP header and a TCP segment are basically the same thing. Even though it might seem they are, in most cases, when referring to the TCP header, we are talking about the header without the data, whereas a TCP segment includes the data.

Getting Ready To Analyse The TCP Header

We are now ready to begin examining the structure of the TCP header. However, be sure to keep in mind that what the sniffer labels 'TCP Header' in these screen shots is really the whole TCP segment, meaning the TCP header information plus the Data, just as the diagrams above show; when we say 'header' on its own we mean the fields in front of the data. The last screen shot certainly gives out a fair bit of information, but there is still much that hasn't been revealed, not to mention nothing's really been analysed as yet :)

Analysing The TCP Header


Introduction

A fair amount of time was spent trying to figure out which way to analyse the TCP header. Most websites and other resources mention the protocol's main characteristics with a bit of information attached, leaving the reader with a lot of questions and making it difficult to comprehend how certain aspects of the protocol work. For this reason a different approach was selected. Our method certainly gets right into the protocol's guts and contains a lot of information which some of you might choose to skip, but it is guaranteed to satisfy you by giving a thorough understanding of what is going on.

Get Ready.... Here It Comes!

For those who skipped the first introduction page of the protocol, you will be happy to find out that the tcp quick-overview page contains a brief summary of the protocol's main characteristics to help refresh your memory. If you need to dive into the details at any point, simply return to this page! The diagram below shows the TCP header captured from a packet on my network. We'll be using it to help us through our step by step analysis of TCP.

As you can see, the TCP header has been completely expanded to show us all the fields the protocol contains. The numbers on the right are each field's length in bits. This is also shown in the quick TCP overview page. Since much time was spent to ensure our analysis was complete in all aspects, be sure that by the end of it you will understand each field's purpose and how it works. We should also point out that when the packet in our example arrives at its destination, only section 7 (the last one) is sent to the upper OSI layers, because it contains the data they are waiting for. The rest of the information (including the MAC header, IP header and TCP header) is overhead which serves the purpose of getting the packet to its destination and allowing the receiving end to figure out what to do with the packet, e.g. send the data to the correct local application. Now you're starting to understand the somewhat complex mechanism involved in determining how data gets from one point to another!

TCP Analysis - Section 1: Source & Destination port number


Introduction

This section covers one of the most well-known fields in the TCP header, the Source and Destination port numbers. These fields are used to specify the application or service offered on the local or remote host. You will come to understand how important ports are and how they can be used to gain information on remote systems that have been targeted for attacks. We will cover basic and advanced port communications using detailed examples and colourful diagrams, but for now, we will start with some basics to help break down the topic and allow us to smoothly progress into more advanced and complex information.

When a host needs to generate a request or send data, it requires some information:

1) The IP Address of the desired host to which it wants to send the data or request.

2) The port number to which the data or request should be sent on the remote host. In the case of a request, this allows the sender to specify the service it intends to use. We will analyse this soon.

1) The IP Address is used to uniquely identify the desired host we need to contact. This information is not shown in the above packet because it exists in the IP header section located right above the TCP header we are analysing. If we were to expand the IP header, we would find the source and destination IP Address fields in there.

2) The 2nd important aspect, the port number, allows us to identify the service or application our data or request must be sent to, as we have previously stated. When a host, whether it be a simple computer or a dedicated server, offers various services such as http, ftp and telnet, all clients connecting to it must use a port number to choose which particular service they would like to use. The best way to understand the concept is through examples and there are plenty of them below, so let's take a look at a few, starting from a simple one and then moving towards something slightly more complicated.

Time To Dive Deeper!

Let's consider your web browser for a moment. When you send an http request to download a webpage, it must be sent to the correct web server in order for it to receive it, process it and allow you to view the page you want. This is achieved by obtaining the correct IP address via DNS resolution and sending the request to the correct port number at the remote machine (web server). The port value, in the case of an http request, is usually 80. Once your request arrives at the web server, it will check that the packet is indeed for itself. This is done by observing the destination IP Address of the newly received packet. Keep in mind that this particular step is a function of the Network layer. Once it verifies that the packet is in fact for the local machine, it will process the packet and see that the destination port number is equal to 80. It then realises it should send the data (or request) to the http daemon that's waiting in the background to serve clients:

Using this neat method we are able to use the rest of the services offered by the server. So, to use the FTP service, our workstation generates a packet that is directed to the server's IP address, that is 200.0.0.1, but this time with a destination port of 21. The diagram that follows illustrates this process:

By now you should understand the purpose of the destination port and how it allows us to select the services we require from hosts that offer them. For those who noticed, our captured packet at the beginning of this page also shows the existence of another port, the source port, which we are going to take a look at below.

Understanding the Source Port

The source port serves analogously to the destination port, but is used by the sending host to help keep track of its own new connections and existing data streams. As most of you are well aware, in TCP/UDP data communications, a host will always provide a destination and a source port number. We have already analysed the destination port and how it allows the host to select the service it requires. The source port is normally an ephemeral port chosen by the client's operating system for that one connection, and it is provided to the remote machine, in the case of our example the Internet Server, so that it can reply to the correct session initiated by the other side. This is achieved by reversing the destination and source ports in the reply. When the host (in our example, Host A) receives this packet, it will identify the packet as a reply to the previous packet it sent:

As Host A receives the Internet Server's reply, the Transport layer will notice the reversed ports and recognise it as a response to the previous packet it sent (the one with the green arrow). More precisely, TCP identifies every connection by the combination of source IP address, source port, destination IP address and destination port, and keeps state for all new connections, established connections and connections that are in the process of being torn down, which explains how Host A remembers that it's expecting a reply from the Internet Server. Of course the captured packet that's displayed at the beginning of the page shows different port numbers than the ones in these diagrams. In that particular case, the workstation sends a request to its local http proxy server that runs on port 8080, using port 3025 as its source port. We should also note that TCP uses a few more mechanisms to accurately keep track of these connections. The pages to follow will analyse them as well, so don't worry about missing out on any information, just grab some brain food (hhmmm chocolate...), sit back, relax and continue reading!

TCP Analysis - Section 2: Sequence & Acknowledgement Numbers


Introduction

This page will closely examine the Sequence and Acknowledgement numbers. The very purpose of their existence is related directly to the fact that the Internet, and generally most networks, are packet switched (we will explain shortly) and because we nearly always send and receive data that is larger than the maximum transmission unit (a.k.a. MTU, analysed in sections 5 and 6), which is 1500 bytes on most networks. Let's take a look at the fields we are about to analyse:

As you can see, the Sequence number precedes the Acknowledgement number. We are going to explain how these numbers increment and what they mean, how various operating systems handle them differently and, lastly, in what way these numbers can become a security hazard for those who require a solid, secure network.

TCP - Connection Oriented Protocol

The Sequence and Acknowledgement fields are two of the many features that help us classify TCP as a connection oriented protocol. As such, when data is sent through a TCP connection, they help the remote hosts keep track of the connection and ensure that no packet has been lost on the way to its destination. TCP utilizes positive acknowledgments, timeouts and retransmissions to ensure error-free, sequenced delivery of user data. If the retransmission timer expires before an acknowledgment is received, data is retransmitted starting at the byte after the last acknowledged byte in the stream. A further point worth mentioning is the fact that Sequence numbers are generated differently on each operating system. Using special algorithms (and sometimes weak ones), an operating system will generate these numbers, which are used to track the bytes sent or received, and since both the Sequence and Acknowledgement fields are 32 bits wide, there are 2^32 = 4,294,967,296 possible values (after which the numbers wrap around to zero).

Initial Sequence Number (ISN)

When two hosts need to transfer data using the TCP transport protocol, a new connection is created. This involves the host that wishes to initiate the connection generating what is called an Initial Sequence Number (ISN), which is basically the first sequence number that's contained in the Sequence field we are looking at. The ISN has always been the subject of security issues, as it seems to be a favourite way for hackers to 'hijack' TCP connections. Believe it or not, against a host whose ISNs follow a predictable pattern, hijacking a new TCP connection is something an experienced hacker can achieve with alarmingly few attempts. The root of this security problem starts with the way the ISN is generated. Every operating system uses its own algorithm to generate an ISN for every new connection, so all a hacker needs to do is figure out, or rather predict, which algorithm is used by the specific operating system, generate the next predicted sequence number and place it inside a packet that is sent to the other end. If the attacker is successful, the receiving end is fooled and thinks the packet is a valid one coming from the host that initiated the connection. At the same time, the attacker will launch a flood attack against the host that initiated the TCP connection, keeping it busy so it won't send any packets to the remote host with which it tried to initiate the connection; in particular, that host must not get to answer the server's SYN/ACK, because it would reply with a RST and tear the spoofed connection down. Note that this only works where the ISN really is predictable: RFC 6528 (which standardised the defence Bellovin proposed in RFC 1948) builds each ISN from a clock plus a keyed hash of the connection's addresses and ports, so the ISNs an attacker observes on their own connections tell them nothing about the ISN the victim will use for someone else's. Current operating systems follow this approach, so the description that follows applies to the older, weaker generators that were common when it was written. Here is a brief illustration of the above-mentioned attack:

As described, the hacker must first find the ISN algorithm by sampling Initial Sequence Numbers. The number that needs predicting is the one the Internet Banking Server will place in the SYN/ACK it sends to Host A, since the attacker, sitting elsewhere on the network, never sees that reply; so the attacker opens a series of ordinary connections to the server, records the ISN in each reply and looks for the pattern. Once this is complete and the hacker knows the algorithm, they are ready to initiate their attack, which the next diagram illustrates.
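Before the attack itself, here is what the sampling step looks like in code, as an added example that is not from the page or from nmap. The first function scores a list of observed ISNs the way the page describes: constant steps mean the next value is known outright, nearly constant steps give a small window to aim at, anything else is treated as unpredictable. The thresholds are this example's own. Beside it is a generator in the shape RFC 6528 prescribes, to show why sampling no longer helps against current stacks: the per-connection offset comes from a keyed hash of the four-tuple, so ISNs seen on the attacker's own connections do not line up with the victim's. The sampled values, addresses, ports and secret are all constructed.

```python
"""Checking a host's ISNs for predictability, beside an RFC 6528 generator (added example)."""
import hashlib
from functools import reduce
from math import gcd
from statistics import mean, pstdev

SEQ_SPACE = 1 << 32


def isn_steps(samples):
    """Differences between consecutive ISNs, modulo 2^32 since the space wraps."""
    return [(b - a) % SEQ_SPACE for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Simplified take on what nmap's sequence test does: look at the spacing of
    sampled ISNs and decide whether the next one can be guessed. The thresholds
    are this example's own, not nmap's."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    steps = isn_steps(samples)
    step_gcd = reduce(gcd, steps)
    avg, spread = mean(steps), pstdev(steps)
    if all(s == steps[0] for s in steps):
        kind, guess = "constant increment", (samples[-1] + steps[0]) % SEQ_SPACE
    elif spread < 0.05 * avg:
        # nearly linear: the next ISN lies within a few `spread` of the guess,
        # a window small enough to cover with a handful of spoofed packets
        kind, guess = "nearly linear", (samples[-1] + round(avg)) % SEQ_SPACE
    else:
        kind, guess = "random", None
    return {"class": kind, "predicted_next": guess, "gcd": step_gcd, "spread": spread}


def rfc6528_isn(src_ip, src_port, dst_ip, dst_port, secret: bytes, clock_4us: int) -> int:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), as in RFC 6528:
    M is a clock ticking every 4 microseconds and F a keyed hash. RFC 6528 uses MD5
    for F; SHA-256 is used here purely to illustrate the construction (an assumption
    of this example, not a detail of any real stack)."""
    key_input = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + secret
    offset = int.from_bytes(hashlib.sha256(key_input).digest()[:4], "big")
    return (clock_4us + offset) % SEQ_SPACE


if __name__ == "__main__":
    # Constructed samples from an old-style generator adding roughly 64000 per connection...
    weak = [4096, 68108, 132103, 196110, 260141, 324133]
    print(classify_isn(weak))
    # ...versus six connections to a host using the hashed generator, each from a
    # different source port, all taken at the same clock value.
    strong = [rfc6528_isn("10.0.0.5", p, "200.0.0.1", 80, b"boot-time secret", 12345)
              for p in range(3025, 3031)]
    print(classify_isn(strong))
```

For the weak samples the classifier reports a nearly linear generator and a predicted next ISN with a spread of a few units, which is the window a spoofed packet has to land in. For the hashed generator the same clock value gives six unrelated offsets, and a new four-tuple (the victim's) gets an offset the attacker has never observed.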

Timing is critical for the hacker, so he sends his first fake packet to the Internet Banking Server while at the same time starting to flood Host A with garbage data in order to consume the host's bandwidth and resources. By doing so, Host A is unable to cope with the data it's receiving and will not send any packets to the Internet Banking Server. The fake packet sent to the Internet Banking Server will contain valid headers, meaning it will seem to have originated from Host A's IP Address (the attacker simply writes Host A's address into the source field of the IP header) and will be sent to the correct port the Internet Banking Server is listening on. There have been numerous reports published online that talk about the method each operating system uses to generate its ISN and how easy or difficult it is to predict. Do not be alarmed to discover that the Windows releases of the time were by far the easiest to predict; current Windows, Linux and BSD stacks all use randomised, RFC 6528 style generators. Programs such as 'nmap' will actually test how difficult it is to predict the ISNs used by a host: its OS detection (nmap -O) reports a "TCP Sequence Prediction" difficulty derived from the ISNs in a series of SYN/ACK replies. In most cases, hackers will first sample TCP ISNs from the victim host, looking for patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. Once a pattern is found it's only a matter of minutes for connections initiated by the host to be hijacked.

Example of Sequence and Acknowledgment Numbers

To help us understand how these newly introduced fields are used to track a connection's packets, an example is given below. Before we proceed, we should note that you will come across the terms "ACK flag" or "SYN flag"; these terms should not be confused with the Sequence and Acknowledgment numbers as they are different fields within the TCP header. The screen shot below is to help you understand:

You can see the Sequence number and Acknowledgement number fields, followed by the TCP Flags to which we're referring. The TCP Flags (light purple section) will be covered on the pages to come in much greater depth, but because we need to work with them now to help us examine how the Sequence and Acknowledgement numbers work, we are forced to analyse a small portion of them. To keep things simple, remember that when talking about Sequence and Acknowledgement numbers we are referring to the blue section, while SYN and ACK flags refer to the light purple section.

The next diagram shows the establishment of a new connection to a web server - the Gateway Server. The first three packets are part of the 3-way handshake performed by TCP before any data is transferred between the two hosts, while the small screen shot under the diagram is captured by our packet sniffer:

To make sure we understand what is happening here, we will analyse the example step by step.

Step 1

Host A wishes to download a webpage from the Gateway Server. This requires a new connection between the two to be established, so Host A sends a packet to the Gateway Server. This packet has the SYN flag set and also contains the ISN generated by Host A's operating system, that is 1293906975. Since Host A is initiating the connection and hasn't received a reply from the Gateway Server, the Acknowledgment number is set to zero (0); with the ACK flag clear, the receiver ignores this field anyway.

In short, Host A is telling the Gateway Server the following: "I'd like to initiate a new connection with you. My Sequence number is 1293906975". Step 2 The Gateway Server receives Host A's request and generates a reply containing its own generated ISN, that is 3455719727, and the next Sequence number it is expecting from Host A which is 1293906976. The Server also has the SYN & ACK flags set, acknowledging the previous packet it received and informing Host A of its own Sequence number.

In short, the Gateway Server is telling Host A the following: "I acknowledge your sequence number and am expecting your next packet with sequence number 1293906976. My sequence number is 3455719727".

Step 3

Host A receives the reply and now knows the Gateway's sequence number. It generates another packet to complete the connection. This packet has the ACK flag set and also contains the sequence number that it expects the Gateway Server to use next, that is 3455719728.

In short, Host A is telling the Gateway Server the following: "I acknowledge your last packet. This packet's sequence number is 1293906976, which is what you're expecting. I'll also be expecting the next packet you send me to have a sequence number of 3455719728". Now, someone might be expecting the next packet to be sent from the Gateway Server, but this is not the case. You might recall that Host A initiated the connection because it wanted to download a web page from the Gateway Server. Since the 3-way TCP handshake has been completed, a virtual connection between the two now exists and the Gateway Server is ready to listen to Host A's request. With this in mind, it's now time for Host A to ask for the webpage it wanted, which brings us to step number 4. Step 4 In this step, Host A generates a packet with some data and sends it to the Gateway Server. The data tells the Gateway Server which webpage it would like sent.

Note that the sequence number of the segment in line 4 is the same as in line 3 because a pure ACK does not occupy sequence number space. So keep in mind that any packets generated which are simply acknowledgments (in other words, have only the ACK flag set and contain no data) of previously received packets never increment the sequence number. The SYN and FIN flags, on the other hand, each consume one sequence number even though they carry no data, which is why the Gateway Server's first acknowledgement in Step 2 is 1293906976 and not 1293906975.

Last Notes

There are other important roles that the Sequence and Acknowledgement numbers have during the communication of two hosts. Because segments (or packets) travel in IP datagrams, they can be lost or delivered out of order, so the receiver uses the sequence numbers to reorder the segments. The receiver collects the data from arriving segments and reconstructs an exact copy of the stream being sent. If we have a closer look at the diagram above, we notice that the TCP Acknowledgement number specifies the sequence number of the next byte the receiver expects, not the number of the segment it last received. Simply scroll back to Step 2 and you will see what I mean.

Summary

This page has introduced the Sequence and Acknowledgement fields within the TCP header. We have seen how hackers hijack connections by discovering the algorithms used to produce the ISNs, and we examined step by step the way Sequence and Acknowledgement numbers increase.
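The same exchange as a small model, added here as an example and not code from the page. It uses the page's two ISNs and follows the rules the steps above illustrate: SYN and FIN each consume one sequence number, payload consumes its length, and a segment carrying only an ACK consumes nothing. The request and response bytes are constructed, and the close at the end goes beyond the page's four steps to show a FIN being counted as well.

```python
"""Sequence/ACK arithmetic through a handshake, a request and a close (added example)."""
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


@dataclass
class Endpoint:
    name: str
    snd_nxt: int        # next sequence number this side will put in a segment
    rcv_nxt: int = 0    # next sequence number expected from the peer = our ACK value


def seq_space_used(flags: set, data: bytes) -> int:
    """Sequence space a segment consumes: its payload, plus one for SYN and one
    for FIN. A segment with only ACK set and no data consumes nothing."""
    return len(data) + ("SYN" in flags) + ("FIN" in flags)


def send(sender: Endpoint, receiver: Endpoint, flags: set, data: bytes = b"") -> dict:
    """Build the segment `sender` emits, then apply it at `receiver` (no loss modelled)."""
    seg = {"from": sender.name, "flags": sorted(flags), "seq": sender.snd_nxt,
           "ack": sender.rcv_nxt if "ACK" in flags else 0, "len": len(data)}
    sender.snd_nxt = (sender.snd_nxt + seq_space_used(flags, data)) % SEQ_SPACE
    if "SYN" in flags:
        receiver.rcv_nxt = seg["seq"]           # the peer's ISN is learned from its SYN
    elif seg["seq"] != receiver.rcv_nxt:
        raise ValueError(f"{receiver.name} expected seq {receiver.rcv_nxt}, got {seg['seq']}")
    receiver.rcv_nxt = (receiver.rcv_nxt + seq_space_used(flags, data)) % SEQ_SPACE
    return seg


def exchange(client_isn: int, server_isn: int, request: bytes, response: bytes) -> list:
    """The page's handshake (steps 1-3), the request (step 4), the reply and a
    close started by Host A. Returns the segments in order."""
    a, g = Endpoint("Host A", client_isn), Endpoint("Gateway", server_isn)
    return [
        send(a, g, {"SYN"}),                     # 1: seq ISN_A, ack 0
        send(g, a, {"SYN", "ACK"}),              # 2: seq ISN_G, ack ISN_A + 1
        send(a, g, {"ACK"}),                     # 3: seq ISN_A + 1, ack ISN_G + 1
        send(a, g, {"ACK", "PSH"}, request),     # 4: same seq as 3 (the pure ACK used none)
        send(g, a, {"ACK", "PSH"}, response),    # 5: ack ISN_A + 1 + len(request)
        send(a, g, {"FIN", "ACK"}),              # 6: FIN takes one sequence number
        send(g, a, {"ACK"}),                     # 7: ack ISN_A + 1 + len(request) + 1
    ]


if __name__ == "__main__":
    # Constructed request and response; the ISNs are the ones from the page's capture.
    for seg in exchange(1293906975, 3455719727,
                        b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n"):
        print(seg)
```

Segments 3 and 4 print with the same sequence number, 1293906976, and the server's reply acknowledges 1293906976 plus the 18 request bytes. The check inside send is what a receiving TCP does with every in-order segment; a segment whose sequence number does not match what the peer expects is exactly the situation the hijacking discussion above is about.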

TCP Analysis - Section 3: Header Length


Introduction

The third field under close examination is the TCP Header length. There really isn't that much to say about the Header length other than to explain what it represents and how to interpret its values, but this alone is very important as you will soon see. Let's take a quick look at this field, noting its location within the TCP structure:

You might also have seen the Header length represented as "Data offset" in other packet sniffers or applications (and in RFC 793 itself); this is the same field as the Header length, only with a 'fancier' name.

Analysing the Header length

If you open any networking book that covers the TCP header, you will almost certainly find the following description for this particular field: "An integer that specifies the length of the segment header measured in 32-bit multiples" (Internetworking with TCP/IP, Douglas E. Comer, p. 204, 1995). This description sounds impressive, but when you look at the packet, you're most likely to scratch your head thinking: what exactly did that mean? Well, you can cease being confused because we are going to cover it step by step, giving answers to all possible questions you might have. If we don't cover your questions completely, well... there are always our forums to turn to!

Step 1 - What portion is the "Header length"?

Before we dive into analysing the meaning of the values used in this field, which by the way can change from packet to packet, we need to understand which portion of the packet is the "Header length".

Looking at the screen shot on the left, the light blue highlighted section shows us the section that's counted towards the Header length value. With this in mind, you can see that the total length of the light blue section (header length) is 28 bytes. The Header length field is required because of the TCP Options field, which contains various options that might or might not be used. Logically, if no options are used then the header is the minimum 20 bytes. If you take a look at our example, you will notice the 'TCP Options' is equal to 'yes', meaning there are options in this field that are used in this particular connection. We've expanded the section to show the TCP options used and these are 'Max Segment' (the Maximum Segment Size, MSS) and 'SACK OK' (SACK permitted). These will be analysed in the pages which follow; at the present time though we are only interested in whether the TCP options are used or not. As the packet in our screenshot reaches the receiving end, the receiver will read the header length field and know exactly where the data portion starts.

This data will be carried to the layers above, while the TCP header will be stripped and disregarded. In this example, we have no data, which is normal since the packet is initiating a 3-way handshake (Flags, SYN=1), but we will cover that in more depth on the next page. The main issue requiring our attention deals with the values used for the header length field and learning how to interpret them correctly.

Step 2 - Header Value Analysis

From the screen shot above, we can see our packet sniffer indicating that the field has a value of 7 and this is interpreted as 28 bytes. To calculate this, you take the value of 7, multiply it by 32 bits and divide the result by 8 to get bytes: 7 x 32 = 224 bits, and 224 / 8 = 28 bytes (or, more simply, multiply by 4, since each 32-bit word is 4 bytes). Do you recall the definition given at the beginning of this page? "An integer that specifies the length of the segment header measured in 32-bit multiples". This was the formal way of describing these calculations :) Because the field is 4 bits wide it can hold values from 0 to 15, so a TCP header is at most 60 bytes long, and since the fixed part of the header is 20 bytes, any value below 5 is invalid. A receiver (or a sniffer, or a firewall) must check the value against both limits, and against the actual length of the packet, before using it to locate the data; otherwise a crafted packet can make it read outside the segment. The calculation given is automatically performed by our packet sniffer, which is quite thoughtful, wouldn't you agree? This can be considered, if you like, as an additional 'feature' found on most serious packet sniffers. Below you will find another screen shot from our packet sniffer that shows a portion of the TCP header (left frame) containing the header length field. On the right frame, the packet sniffer shows the packet's contents in hex:

By selecting the Header length field on the left, the program automatically highlights the corresponding section and hex value on the right frame. According to the packet sniffer, the hex value '70' is the value for the header length field. If you recall, at the beginning of the page we mentioned the header length field being 4 bits long. This means that only one hex digit belongs to it, but the hex pane works in whole bytes, so it highlights the '7' and '0' together, giving the impression that the field is 8 bits long. Note: In hex, each character, e.g. '7', represents 4 bits. So of the byte '70' only the '7' (the high nibble) is the header length; the '0' (the low nibble) holds the reserved bits that sit between the header length and the flags. Furthermore, if we were to convert '7' hex to binary, the result would be '0111' (notice the total number of bits is equal to 4).

Summary

The 'Header length' field is very simple as it contains only a number that allows the receiving end to calculate the number of bytes in the TCP Header. At the same time, it is mandatory because without it there is no way the receiver will know where the data portion begins! Logically, wherever the TCP header ends, the data begins - this is clear in the screen shots provided on this page. So, if you find yourself analysing packets and trying to figure out where the data starts, all you need to do is find the TCP Header, read the "Header length" value and you can find exactly where the data portion starts! Next up are the TCP flags that most of us have come across when talking about the famous 3-way handshake and virtual connections TCP creates before exchanging data.

TCP Analysis - Section 3: Header Length


Introduction The third field under close examination is the TCP Header length. There really isn't that much to say about the Header length other than to explain what it represents and how to interpret its values, but this alone is very important as you will soon see.

Page 136 of 1765

Let's take a quick look at this field, noting its location within the TCP structure:

You might also have seen the Header length represented as "Data offset" in other packet sniffers or applications, this is virtually the same as the Header length, only with a 'fancier' name. Analysing the Header length If you open any networking book that covers the TCP header, you will almost certainly find the following description for this particular field: "An interger that specifies the length of the segment header measured in 32-bit multiples" (Internetworking with TCP/IP, Douglas E. Comer, p. 204, 1995). This description sounds impressive, but when you look at the packet, you're most likely to scratch your head thinking: what exactly did that mean? Well, you can cease being confused because we are going to cover it step by step, giving answers to all possible questions you might have. If we don't cover your questions completely, well... there are always our forums to turn to! Step 1 - What portion is the "Header length" ? Before we dive into analysing the meaning of the values used in this field, which by the way changes with every packet, we need to understand which portion on the packet is the "Header length".

Page 137 of 1765

Looking at the screen shot on the left, the light blue highlighted section shows us the section that's counted towards the Header length value. With this in mind, you can see that the total length of the light blue section (header length) is 28 bytes. The Header length field is required because of the TCP Options field, which contains various options that might or might not be used. Logically, if no options are used then the header length will be much smaller. If you take a look at our example, you will notice the 'TCP Options' is equal to 'yes', meaning there are options in this field that are used in this particular connection. We've expanded the section to show the TCP options used and these are 'Max Segment' and 'SACK OK'. These will be analysed in the pages which follow, at the present time though we are interested in whether the TCP options are used or not. As the packet in our screenshot reaches the receiving end, the receiver will read the header length field and know exactly where the data portion starts.

Page 138 of 1765

This data will be carried to the layers above, while the TCP header will be stripped and disregarded. In this example, we have no data, which is normal since the packet is initiating a 3-way handshake (Flags, SYN=1), but we will cover that in more depth on the next page. The main issue requiring our attention deals with the values used for the header length field and learning how to interpret them correctly. Step 2 - Header Value Analysis From the screen shot above, we can see our packet sniffer indicating that the field has a value of 7(hex) and this is interpreted as 28 bytes. To calculate this, you take the value of 7, multiply it by 32 and divide the result by 8: 7x32=224/8=28 bytes. Do you recall the definition given at the beginning of this page? "An interger that specifies the length of the segment header measured in 32-bit multiples". This was the formal way of describing these calculations :) The calculation given is automatically performed by our packet sniffer, which is quite thoughtful, wouldn't you agree? This can be considered, if you like, as an additional 'feature' found on most serious packet sniffers. Below you will find another screen shot from our packet sniffer that shows a portion of the TCP header (left frame) containing the header length field. On the right frame, the packet sniffer shows the packet's contents in hex:

By selecting the Header length field on the left, the program automatically highlights the corresponding section and hex value in the right frame. According to the packet sniffer, the hex value '70' is the value for the header length field. If you recall, at the beginning of the page we mentioned that the header length field is 4 bits long. This means that when viewing the value in hex, we should have only one digit or character highlighted, but this isn't the case here because the packet sniffer has incorrectly highlighted the '7' and '0' together, giving us the impression that the field is 8 bits long!

Note: In hex, each character, e.g. '7', represents 4 bits. This means that in the right frame only '7' should be highlighted, not '70'. Furthermore, if we were to convert '7' hex to binary, the result would be '0111' (notice that the total number of bits is equal to 4).

Summary

The 'Header length' field is very simple, as it contains only a number that allows the receiving end to calculate the number of bytes in the TCP header. At the same time, it is mandatory, because without it there is no way the receiver will know where the data portion begins! Logically, wherever the TCP header ends, the data begins - this is clear in the screen shots provided on this page. So, if you find yourself analysing packets and trying to figure out where the data starts, all you need to do is find the TCP header, read the "Header length" value and you can find exactly where the data portion starts! Next up are the TCP flags that most of us have come across when talking about the famous 3-way handshake and the virtual connections TCP creates before exchanging data.
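As an added Python example (not from the original page), here is the header-length decoding described above: read only the upper nibble of byte 12, multiply by 4, split the segment at that boundary, and refuse a segment whose offset points past the captured bytes. The two segments are constructed here, not captured.

```python
import struct


def tcp_header_length(segment: bytes) -> int:
    """Header length in bytes, decoded from the 4-bit data-offset field.

    The field counts 32-bit words, so the byte length is value * 4
    (the same as the page's value x 32 / 8).
    """
    if len(segment) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    offset_words = segment[12] >> 4          # upper nibble of byte 12 only
    if offset_words < 5:                     # 5 words = 20 bytes is the minimum
        raise ValueError(f"data offset {offset_words} is below the 20-byte minimum")
    return offset_words * 4


def offset_nibbles(segment: bytes) -> tuple:
    """Return (offset_hex, reserved_hex, offset_bits) for byte 12.

    Only one hex character belongs to the header-length field; the other
    nibble of the same byte holds reserved bits.
    """
    byte12 = segment[12]
    offset, reserved = byte12 >> 4, byte12 & 0x0F
    return f"{offset:x}", f"{reserved:x}", f"{offset:04b}"


def split_segment(segment: bytes) -> tuple:
    """Split a segment into (fixed header, options, payload) using the data offset."""
    hlen = tcp_header_length(segment)
    if hlen > len(segment):
        # A data offset pointing past the captured bytes is malformed input;
        # a parser that trusted it would read beyond the buffer.
        raise ValueError("data offset points past the end of the segment")
    return segment[:20], segment[20:hlen], segment[hlen:]


def build_segment(sport: int, dport: int, flags: int,
                  options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample segment (checksum left at zero; not a real capture)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                        offset_words << 4, flags, 64240, 0, 0)
    return fixed + options + payload


# Constructed SYN with MSS, NOP, NOP and SACK-permitted options: 28-byte header,
# so byte 12 reads 0x70 and the sniffer's '7' means 7 x 4 = 28 bytes.
SYN_SEGMENT = build_segment(3000, 80, 0x02, options=bytes.fromhex("020405b401010402"))
# Constructed PSH/ACK data segment with a bare 20-byte header and application data.
DATA_SEGMENT = build_segment(3000, 80, 0x18, payload=b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, seg in (("SYN", SYN_SEGMENT), ("DATA", DATA_SEGMENT)):
        header, options, payload = split_segment(seg)
        print(name, "header length:", tcp_header_length(seg),
              "nibbles:", offset_nibbles(seg), "payload:", payload)
```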


TCP Analysis - Section 4: TCP Flag Options


Introduction

As we have seen in the previous pages, some TCP segments carry data while others are simple acknowledgements for previously received data. The popular 3-way handshake utilises the SYN and ACK flags available in TCP to complete the connection before data is transferred. Our conclusion is that each TCP segment has a purpose, and this is determined with the help of the TCP flag options, allowing the sender or receiver to specify which flags should be used so the segment is handled correctly by the other end. Let's take a look at the TCP flags field to begin our analysis:

You can see the 2 flags that are used during the 3-way handshake (SYN, ACK) and data transfers. As with all flags, a value of '1' means that a particular flag is 'set' or, if you like, is 'on'. In this example, only the "SYN" flag is set, indicating that this is the first segment of a new TCP connection. In addition to this, each flag is one bit long, and since there are 6 flags, this makes the Flags section 6 bits in total.


You would have to agree that the most popular flags are "SYN", "ACK" and "FIN", used to establish connections, acknowledge successful segment transfers and, lastly, terminate connections. While the rest of the flags are not as well known, their role and purpose make them, in some cases, equally important. We will begin our analysis by examining all six flags, starting from the top, that is, the Urgent Pointer:

1st Flag - Urgent Pointer

The first flag is the Urgent Pointer flag, as shown in the previous screen shot. This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately. An Urgent Pointer could be used during a stream of data transfer where a host is sending data to an application running on a remote machine. If a problem appears, the host machine needs to abort the data transfer and stop the data processing on the other end. Under normal circumstances, the abort signal will be sent and queued at the remote machine until all previously sent data is processed; in this case, however, we need the abort signal to be processed immediately. By setting the Urgent Pointer flag of the abort signal's segment to '1', the remote machine will not wait until all queued data is processed before executing the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing. If you're finding it hard to understand, consider this real-life example: At your local post office, hundreds of trucks are unloading bags of letters from all over the world. Because so many trucks enter the post office building, they line up one behind the other, waiting for their turn to unload their bags. As a result, the queue ends up being quite long.
However, a truck with a big red flag suddenly joins the queue, and the security officer, whose job it is to make sure no truck skips the queue, sees the red flag and knows it's carrying very important letters that need to get to their destination urgently. Following the normal procedures, the security officer signals to the truck to skip the queue and go all the way to the front, giving it priority over the other trucks. In this example, the trucks represent the segments that arrive at their destination and are queued in the buffer waiting to be processed, while the truck with the red flag is the segment with the Urgent Pointer flag set. A further point to note is the existence of the Urgent Pointer field. This field is covered in section 5, but we can briefly mention that when the Urgent Pointer flag is set to '1' (that's the one we are analysing here), the Urgent Pointer field specifies the position in the segment where the urgent data ends.

2nd Flag - ACKnowledgement

The ACKnowledgement flag is used to acknowledge the successful receipt of packets. If you run a packet sniffer while transferring data using TCP, you will notice that, in most cases, for every packet you send or receive, an ACKnowledgement follows. So if you received a packet from a remote host, your workstation will most probably send one back with the ACK field set to "1". In some cases, where the sender requires one ACKnowledgement for every 3 packets sent, the receiving end will send the expected ACK once the 3rd sequential packet is received. This is also called Windowing and is covered extensively in the pages that follow.

3rd Flag - PUSH

The Push flag, like the Urgent flag, exists to ensure that the data is given the priority (that it deserves) and is processed at the sending or receiving end. This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends. When developers create new applications, they must make sure they follow the specific guidelines given by the RFCs to ensure that their applications work properly and manage the flow of data in and out of the application layer of the OSI model flawlessly. When used, the Push bit makes sure the data segment is handled correctly and given the appropriate priority at both ends of a virtual connection. When a host sends its data, it is temporarily queued in the TCP buffer, a special area in memory, until the segment has reached a certain size, and is then sent to the receiver. This design guarantees that the data transfer is as efficient as possible, without wasting time and bandwidth by creating multiple small segments, but combining them into one or more larger ones. When the segment arrives at the receiving end, it is placed in the TCP incoming buffer before it is passed on to the application layer. The data queued in the incoming buffer will remain there until the other segments arrive and, once this is complete, the data is passed to the application layer that's waiting for it. While this procedure works well in most cases, there are a lot of instances where this 'queueing' of data is undesirable, because any delay during queuing can cause problems for the waiting application. A simple example would be a TCP stream, e.g. RealPlayer, where data must be sent and processed (by the receiver) immediately to ensure a smooth stream without any cut-offs. A final point to mention here is that the Push flag is usually set on the last segment of a file to prevent buffer deadlocks.
It is also seen when used to send HTTP or other types of requests through a proxy - ensuring the request is handled appropriately and effectively.

4th Flag - Reset (RST) Flag

The reset flag is used when a segment arrives that is not intended for the current connection. In other words, if you were to send a packet to a host in order to establish a connection, and there was no such service waiting to answer at the remote host, then the host would automatically reject your request and send you a reply with the RST flag set. This indicates that the remote host has reset the connection. While this might seem very simple and logical, the truth is that in most cases this 'feature' is used by most hackers in order to scan hosts for 'open' ports. All modern port scanners are able to detect 'open' or 'listening' ports thanks to the 'reset' function. The method used to detect these ports is very simple: when attempting to scan a remote host, a valid TCP segment is constructed with the SYN flag set (1) and sent to the target host. If there is no service listening for incoming connections on the specific port, the remote host will reply with the ACK and RST flags set (1). If, on the other hand, there is a service listening on the port, the remote host will construct a TCP segment with the ACK flag set (1). This is, of course, part of the standard 3-way handshake we have covered. Once the host scanning for open ports receives this segment, it will complete the 3-way handshake and then terminate it using the FIN flag (see below), marking the specific port as "active".


5th Flag - SYNchronisation Flag

The fifth flag contained in the TCP Flag options is perhaps the most well-known flag used in TCP communications. As you might be aware, the SYN flag is initially sent when establishing the classic 3-way handshake between two hosts:

In the above diagram, Host A needs to download data from Host B using TCP as its transport protocol. The protocol requires the 3-way handshake to take place so a virtual connection can be established by both ends in order to exchange data. During the 3-way handshake we are able to count a total of 2 SYN flags transmitted, one by each host. As files are exchanged and new connections created, we will see more SYN flags being sent and received.

6th Flag - FIN Flag

The final flag available is the FIN flag, standing for the word FINished. This flag is used to tear down the virtual connections created using the previous flag (SYN), which is why the FIN flag always appears when the last packets are exchanged on a connection. It is important to note that when a host sends a FIN flag to close a connection, it may continue to receive data until the remote host has also closed the connection, although this occurs only under certain circumstances. Once the connection is torn down by both sides, the buffers set aside on each end for the connection are released. A normal teardown procedure is depicted below:

The above diagram represents an existing connection between Host A and Host B, where the two hosts are exchanging data. Once the data transfer is complete, Host A sends a packet with the FIN, ACK flags set (STEP 1). With this packet, Host A is ACKnowledging the previous stream while at the same time initiating the TCP close procedure to kill this connection. At this point, Host A's application will stop receiving any data and will close the connection from this side. In response to Host A's request to close the connection, Host B will send an ACKnowledgement (STEP 2) back, and also notify its application that the connection is no longer available. Once this is complete, the host (B) will send its own FIN, ACK flags (STEP 3) to close its part of the connection. If you're wondering why this procedure is required, then you may need to recall that TCP is a Full Duplex connection, meaning that there are two directions of data flow. In our example this is the connection flow from Host A to Host B and vice versa. In addition, it requires both hosts to close the connection from their side, hence the reason both hosts must send a FIN flag and the other host must ACKnowledge it. Lastly, at STEP 4, Host A will acknowledge the request Host B sent at STEP 3 and the closedown procedure for both sides is now complete!

Summary

This page dealt with the TCP Flag Options available to make life either more difficult or easier, depending on how you look at the picture :) Perhaps the most important information given on this page that is beneficial to remember is the TCP handshake procedure and the fact that TCP is a Full Duplex connection. The following section will examine the TCP Window size, Checksum and Urgent Pointer fields, all of which are relevant and very important. For this reason we strongly suggest you read through these topics, rather than skip over them.
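An added example, not from the original page: Python that decodes the six flag bits, walks a constructed exchange through the 3-way handshake and the four-step close described above, and, from the defender's side, counts SYNs answered with RST per source address. The direction labels, state names and sample records are assumptions made here.

```python
# Bit positions of the six flags in the TCP flags byte (its low-order six bits).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def decode_flags(flag_byte: int) -> frozenset:
    """Names of the flags that are 'set' (1) in the flags byte."""
    return frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit)


def encode_flags(names) -> int:
    """Inverse of decode_flags: build the flags byte from flag names."""
    return sum(FLAG_BITS[name] for name in names)


def flags_from_header(header: bytes) -> frozenset:
    """The flags byte is byte 13 of the fixed header; mask to the six flags."""
    return decode_flags(header[13] & 0x3F)


def track_connection(segments) -> list:
    """Walk (direction, flags byte) pairs through the open and close sequences
    on the page and return the state after each segment.

    Directions are 'A>B' (Host A to Host B) and 'B>A'. The model is deliberately
    minimal: the 3-way handshake, the 4-step close, and RST.
    """
    state, fins, fin_acked = "CLOSED", set(), set()
    trace = [state]
    for direction, flag_byte in segments:
        flags = decode_flags(flag_byte)
        other = "B>A" if direction == "A>B" else "A>B"
        if "RST" in flags:
            state = "RESET"                 # e.g. RST/ACK answering a SYN to a closed port
        elif state == "CLOSED" and direction == "A>B" and flags == {"SYN"}:
            state = "SYN_SENT"              # handshake step 1
        elif state == "SYN_SENT" and direction == "B>A" and flags == {"SYN", "ACK"}:
            state = "SYN_RECEIVED"          # handshake step 2
        elif state == "SYN_RECEIVED" and direction == "A>B" and "ACK" in flags:
            state = "ESTABLISHED"           # handshake step 3
        elif state in ("ESTABLISHED", "CLOSING"):
            if "ACK" in flags and other in fins:
                fin_acked.add(other)        # this ACK covers the other side's FIN
            if "FIN" in flags:
                fins.add(direction)         # STEP 1 or STEP 3 of the teardown
            if fins == {"A>B", "B>A"} and fin_acked == fins:
                state = "CLOSED"            # STEP 4: both FINs sent and acknowledged
            elif fins:
                state = "CLOSING"
        else:
            state = "UNEXPECTED"            # out-of-sequence segment for this model
        trace.append(state)
    return trace


def refused_per_source(attempts) -> dict:
    """Count SYN attempts answered with RST, per source address.

    A source collecting RST/ACK replies across many ports is the footprint of
    the scanning behaviour the page describes, seen from the defender's side.
    """
    counts = {}
    for src, _dport, reply_flag_byte in attempts:
        counts[src] = counts.get(src, 0) + int("RST" in decode_flags(reply_flag_byte))
    return counts


# Constructed exchange: handshake, one data segment each way, then the 4-step close.
HANDSHAKE_AND_CLOSE = [
    ("A>B", encode_flags(["SYN"])),
    ("B>A", encode_flags(["SYN", "ACK"])),
    ("A>B", encode_flags(["ACK"])),
    ("A>B", encode_flags(["PSH", "ACK"])),
    ("B>A", encode_flags(["ACK"])),
    ("A>B", encode_flags(["FIN", "ACK"])),   # STEP 1
    ("B>A", encode_flags(["ACK"])),          # STEP 2
    ("B>A", encode_flags(["FIN", "ACK"])),   # STEP 3
    ("A>B", encode_flags(["ACK"])),          # STEP 4
]
# Constructed SYN to a port with no listener: answered with RST/ACK.
REFUSED = [("A>B", encode_flags(["SYN"])), ("B>A", encode_flags(["RST", "ACK"]))]
# Constructed (source, destination port, reply flags byte) records from a sensor.
SYN_REPLIES = [
    ("10.0.0.5", 22, 0x12), ("10.0.0.5", 23, 0x14), ("10.0.0.5", 25, 0x14),
    ("10.0.0.9", 80, 0x12),
]

if __name__ == "__main__":
    print(track_connection(HANDSHAKE_AND_CLOSE))
    print(track_connection(REFUSED))
    print(refused_per_source(SYN_REPLIES))
```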


TCP Analysis - Section 5: Window Size, Checksum & Urgent Pointer


Introduction

Our fifth section contains some very interesting fields that are used by the TCP transport protocol. We see how TCP helps control how much data is transferred per segment, makes sure there are no errors in the segment and, lastly, flags our data as urgent, to ensure it gets the priority it requires when leaving the sender and arriving at the recipient. So let's not waste any time and get right into our analysis!

The fifth section we are analysing here occupies a total of 6 bytes in the TCP header. These values, like most of the fields in the protocol's header, remain constant in size, regardless of the amount of application data. This means that while the values they contain will change, the total amount of space the fields occupy will not.


The Window Flag

The Window size is considered to be one of the most important flags within the TCP header. This field is used by the receiver to indicate to the sender the amount of data that it is able to accept. Regardless of who the sender or receiver is, the field will always exist and be used. You will notice that the largest portion of this page is dedicated to the Window size field. The reason behind this is that this field is of great importance. The Window size field is the key to efficient data transfers and flow control. It truly is amazing, once you start to realise how important this flag is and how many functions it contains. The Window size field uses 'bytes' as its metric. So in our example above, the number 64,240 is equal to 64,240 bytes, or 62.7 kb (64,240/1024). The 62.7 kbytes reflects the amount of data the receiver is able to accept before transmitting a new Window value to the sender (the server). When the amount of data transmitted is equal to the current Window value, the sender will expect a new Window value from the receiver, along with an acknowledgement for the Window just received. The above process is required in order to maintain flawless data transmission and high efficiency. We should however note that the Window size selected is not in any case just a random value, but one calculated using special formulas like the one in our example below:

In this example, Host A is connected to a Web server via a 10 Mbit link. According to our formula, to calculate the best Window value we need the following information: Bandwidth and Delay. We are aware of the link's bandwidth: 10,000,000 bits (10 Mbits), and we can easily find out the delay by issuing a 'ping' from Host A to the Web server, which gives us an average Round Trip Time (RTT) of 10 milliseconds or 0.01 seconds. We are then able to use this information to calculate the most efficient Window size (WS): WS = 10,000,000 x 0.01 = 100,000 bits, or (100,000 / 8) / 1024 = 12.5 kbytes. For 10 Mbps bandwidth and a round-trip delay of 0.01 sec, this gives a window size of about 12 kb, or nine 1460-byte segments:


This should yield maximum throughput on a 10 Mbps LAN, even if the delay is as high as 10 ms, because most LANs have a round-trip delay of less than a few milliseconds. When bandwidth is lower, more delay can be tolerated for the same fixed window size, so a window size of 12 kb works well at lower speeds, too.

Windowing - A Form of Flow Control

Apart from the Windowing concept being a key factor for efficient data transmission, it is also a form of flow control, where a host (the receiver) is able to indicate to the other (the sender) how much data it can accept and then wait for further instructions. The fact is that in almost all cases, the default value of 62 kbytes is used as a Window size. In addition, even though a Window size of 62 kbytes might have been selected by the receiver, the link is constantly monitored for packet losses and delays during the data transfer by both hosts, resulting in small increases or decreases of the original Window size in order to optimise the bandwidth utilisation and data throughput. This automatic self-correcting mechanism ensures that the two hosts will try to make use of the pipe linking them in the best possible way, but do keep in mind that this is not a guarantee that they will always succeed. This is generally the reason why a user is able to manually modify the Window size until the best value is found and this, as we explained, depends greatly on the link between the hosts and its delay. In the case where the Window size falls to zero, the remote TCP can send no more data. It must wait until buffer space becomes available and it receives a packet announcing a non-zero Window size. Lastly, for those who deal with Cisco routers, you might be interested to know that you are able to configure the Window size on Cisco routers running Cisco IOS v9 and greater.
Routers with versions 12.2(8)T and above support Window Scaling, a feature that's automatically enabled for Window sizes above 65,535, with a maximum value of 1,073,741,823 bytes!


Window Scaling will be dealt with in greater depth on the following page.

On the Server Side: Larger Window Size = More Memory

Most network administrators who have worked with very busy web servers will recall the massive amounts of memory they require. Since we now understand the concept of a 'Window size', we are able to quickly analyse how it affects busy web servers that have thousands of clients connecting to them and requesting data. When a client connects to a web server, the server is required to set aside a small amount of memory (RAM) for the client's session. The amount of memory required is the same as the window size and, as we have seen, this value depends on the bandwidth and delay between the client and server. To give you an idea how the window size affects the server's memory requirements, let's take an example: If you had a web server that served 10,000 clients on a local area network (LAN) running at 100 Mbits with a 0.1 second round trip delay, and wanted maximum performance/efficiency for your file transfers, then according to our formula you would need to allocate a window of 1.25 MB for each client, or 12 Gigs of memory for all your clients! Assuming, of course, that all 10,000 clients are connected to your web server simultaneously. To support large file transfers in both directions (server to client and vice versa), your server would need: [(100,000,000 x 0.1) x 10,000 x 2] = over 24 Gigs of memory just for the socket buffers! So you can see how important it is for clients not to use oversized window values! In fact, the current TCP standard requires that the receiver must be capable of accepting a full window's worth of data at all times. If the receiver over-subscribes its buffer space, it may have to drop an incoming packet. The sender will discover this packet loss and invoke TCP congestion control mechanisms even though the network is not congested.
It is clear that receivers should not over-subscribe buffer space (window size) if they wish to maintain high performance and avoid packet loss.

Checksum Flag

The TCP Checksum field was created to ensure that the data contained in the TCP segment reaches the correct destination and is error-free. For those network gurus who are wondering how TCP would ensure the segment arrives at the correct destination (IP Address), you will be happy to know that there is a little more information used than just the TCP header to calculate the checksum and, naturally, it includes a portion of the IP header. This 'extra' piece of information is called the pseudo-header and we will shortly analyse its contents but, for now, let's view a visual representation of the sections used to calculate the TCP checksum:


The above diagram shows you the pseudo header, followed by the TCP header and the data this segment contains. However, once again, be sure to remember that the pseudo header is included in the Checksum calculation to ensure the segment has arrived at the correct receiver. Let's now take a look at how the receiver is able to verify that it is the right receiver for the segment it just received by analysing the pseudo header.

The Pseudo Header

The pseudo header is a combination of 5 different fields, used during the calculation of the TCP checksum. It is important to note (and remember!) that the pseudo header is not transmitted to the receiver, but is simply involved in the checksum calculation. Here are the 5 fields as they are defined by the TCP RFC:


When the segment arrives at its destination and is processed through the OSI layers, once the transport layer (Layer 4) is reached, the receiver will recreate the pseudo header in order to recalculate the TCP header checksum and compare the result with the value stored in the segment it has received. If we assume the segment somehow managed to find its way to the wrong machine, then when the pseudo header is recreated, the wrong IP Address will be inserted into the Destination IP Address field and the result will be an incorrectly calculated checksum. Therefore, the receiver that wasn't supposed to receive the segment will drop it, as it's obviously not meant to be there. Now you know how the checksum field guarantees that the correct host will receive the packet, and that it will get there without any errors! However, be sure to keep in mind that even though these mechanisms exist and work wonderfully in theory, when it comes to the practical part there is a possibility that packets with errors might make their way through to the application! It's quite amazing, once you sit down and think about it for a minute, that this process happens for every single packet that is sent and received between hosts that use TCP and UDP (UDP calculates its checksum the same way) as their transport protocol! Lastly, during the TCP header checksum calculation, the field is set to zero (0) as shown below. This is done only during the checksum calculation on either end, because the value is unknown at the time. Once the value is calculated, it is inserted into the field, replacing the initial zero (0) value. This is also illustrated in the screen shot below:

In summarising the procedure followed when calculating the checksum, the following process occurs, from the sender all the way to the receiver:

The sender prepares the segment that is to be sent to the receiving end.

The checksum is set to zero, in fact 4 zeros (hex) or 8 zeros (0000 0000) if you look at it in binary, because the checksum is an 8-bit field.


The checksum is then calculated using the pseudo header, the TCP header and, lastly, the data to be attached to the specific segment. The result is then stored in the checksum field and the segment is sent!

The segment arrives at the receiver and is processed. When it reaches the 4th OSI layer, where TCP lives, the checksum field is set once again to zero.

The receiver will then create its own pseudo header for the segment received by entering its own IP Address in the Destination IP Address field (as shown in the previous diagrams) and makes use of the TCP header and data to calculate the new checksum.

If all is successfully accomplished, the result should be identical to the one the segment's checksum field had when it arrived. When this occurs, the packet is further processed and the data is handed to the application awaiting it. If, however, the checksum is different, then the packet should be discarded (dropped) and a notification will be sent to the receiver depending on how the TCP stack is implemented on the receiver's operating system.

The Urgent Pointer

In section 4, we analysed the TCP Flag options and amongst them we found the Urgent Pointer flag. The Urgent Pointer flag in the TCP Flags field allows us to mark a segment of data as 'urgent', while the Urgent Pointer field specifies where exactly the urgent data ends. To help you understand this, take a look at the following diagram:

You may also be interested to know that the Urgent Pointer can also be used when attacking remote hosts. From the case studies we have analysed, we see that certain applications, which supposedly guard your system from attack attempts, do not properly log attacks when the URG flag is set. One particular application happens to be the famous BlackIce Server v2.9, so beware! To conclude this section, if you find yourself capturing thousands of packets in order to view one with the URG bit set, don't be disappointed if you are unable to catch any such packets! We found it nearly impossible to get our workstation to generate such packets using telnet, http, ftp and other protocols. The best option, and by far the easiest way, would be to look for packet crafting programs that allow you to create packets with different flags and options set.
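The checksum procedure summarised above (zero the field, sum the pseudo header, TCP header and data, recompute and compare on the receiving side), as an added Python example that is not part of the original page. Addresses and segments are constructed here; the arithmetic is the 16-bit ones' complement sum of RFC 793 and RFC 1071, and the 'wrong host' case shows the pseudo-header check the page describes.

```python
import socket
import struct

TCP_PROTOCOL = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum of data, carries folded back in (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with one zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """The five RFC 793 pseudo-header fields: summed, never transmitted."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, TCP_PROTOCOL, tcp_length)


def tcp_checksum(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes = b"") -> int:
    """Checksum over pseudo header + TCP header + data, with the checksum field
    (header bytes 16-17) zeroed for the calculation."""
    zeroed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    covered = pseudo_header(src_ip, dst_ip, len(zeroed) + len(payload)) + zeroed + payload
    return 0xFFFF ^ ones_complement_sum(covered)


def fill_checksum(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes = b"") -> bytes:
    """Sender side: compute the checksum and write it into the header."""
    csum = tcp_checksum(src_ip, dst_ip, tcp_header, payload)
    return tcp_header[:16] + struct.pack("!H", csum) + tcp_header[18:]


def verify_segment(my_ip: str, src_ip: str, tcp_header: bytes, payload: bytes = b"") -> bool:
    """Receiver side: rebuild the pseudo header with its own address as the
    destination, recompute, and compare with the value carried in the segment."""
    received = struct.unpack("!H", tcp_header[16:18])[0]
    return tcp_checksum(src_ip, my_ip, tcp_header, payload) == received


# Constructed addresses and segments (not a capture).
SRC, DST = "192.168.1.10", "192.168.1.20"
SYN_OPTIONS = bytes.fromhex("020405b401010402")     # MSS 1460, NOP, NOP, SACK-permitted
SYN_HEADER = fill_checksum(SRC, DST, struct.pack(
    "!HHIIBBHHH", 3000, 80, 0x1A2B3C4D, 0, 7 << 4, 0x02, 64240, 0, 0) + SYN_OPTIONS)
DATA_PAYLOAD = b"hello"                             # odd length exercises the padding
DATA_HEADER = fill_checksum(SRC, DST, struct.pack(
    "!HHIIBBHHH", 3000, 80, 0x1A2B3C4E, 0x10, 5 << 4, 0x18, 64240, 0, 0), DATA_PAYLOAD)

if __name__ == "__main__":
    print("SYN checksum 0x%04x" % struct.unpack("!H", SYN_HEADER[16:18]))
    print("right host :", verify_segment(DST, SRC, SYN_HEADER))
    print("wrong host :", verify_segment("192.168.1.21", SRC, SYN_HEADER))
    print("corrupted  :", verify_segment(DST, SRC, DATA_HEADER, b"hallo"))
```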


Summary

While this section was fairly extensive, we have covered some very important sections of the TCP protocol. You now know what a TCP Window is and how you can calculate it depending on your bandwidth and delay. We also examined the Checksum field, which is used by the receiver to verify that the segment it received is not corrupt and, at the same time, to make sure it didn't receive the segment accidentally! Lastly, we examined in great detail the usage of the URG flag and Urgent Pointer field, which are used to define an incoming segment that contains urgent data. After enjoying such a thorough analysis, we're sure you're ready for more! The next section deals with the TCP Options located at the end of the TCP header.


TCP Analysis - Section 6: TCP Options


Introduction

The TCP Options are located at the end of the TCP Header, which is also why they are covered last. Thanks to the TCP Options field we have been able to enhance the TCP protocol by introducing new features, or 'add-ons' as some people like to call them, defined by their respective RFCs. As data communication continues to become more complex and less tolerant of errors and latency, it was clear that these new features had to be incorporated into the TCP transport to help overcome the problems created by the new links and speeds available. To give you an example, Window Scaling, mentioned in the previous pages and elaborated on here, is possible using the TCP Options field because the original Window field is only 16 bits long, allowing a maximum decimal number of 65,535. Clearly this is far too small when we want to express 'Window size' values using numbers in the range of thousands to a million, e.g. 400,000 or 950,000. Before we delve into any details, let's take a look at the TCP Options field:

As you can see, the TCP Options field is the sixth section of the TCP Header analysis. Located at the end of the header and right before the Data section, it allows us to make use of the new enhancements recommended by the engineers who help design the protocols we use in data communications today.


TCP Options

Most of the TCP Options we will be analysing are required to appear only during the initial SYN and SYN/ACK phase of the 3-way handshake TCP performs to establish a virtual link before transferring any data. Other options, however, can be used at will during the TCP session. It is also important to note that the TCP Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. This means that if we use one TCP Option that is 4 bits in length, there must be another 4 bits of padding in order to comply with the TCP RFC. So the TCP Options length MUST be a multiple of 8 bits, that is 8, 16, 24, 32 etc. Here's a brief view of the TCP Options we are going to analyse:

Maximum Segment Size (MSS)
Window Scaling
Selective Acknowledgements (SACK)
Timestamps
NOP

Let's now take a look at the exciting options available and explain the purpose of each one.

Maximum Segment Size (MSS)

The Maximum Segment Size is used to define the maximum segment that will be used during a connection between two hosts. As such, you should only see this option used during the SYN and SYN/ACK phase of the 3-way handshake. The MSS TCP Option occupies 4 bytes (32 bits). If you have previously come across the term "MTU", which stands for Maximum Transfer Unit, you will be pleased to know that the MSS helps define the MTU used on the network. If you're scratching your head because the MSS and MTU fields don't make any sense to you, or it is not quite clear, don't worry, the following diagram will help you get the big picture:

You can see that the Maximum Segment Size consists of the TCP Header and Data, while the Maximum Transfer Unit includes the MSS plus the IP Header. It would also benefit us to recognise the correct terminology that corresponds to each level of the OSI Model: the TCP Header and Data is called a Segment (Layer 4), while the IP Header and the Segment is called an IP Datagram (Layer 3). Furthermore, regardless of the size the MTU will have, there is an additional 18 bytes of overhead placed by the Datalink layer. This overhead includes the Source and Destination MAC Address, the Protocol type, followed by the Frame Check Sequence placed at the end of the frame. This is also the reason why we can only have a maximum MTU of 1500 bytes. Since the maximum size of an Ethernet II frame is 1518 bytes, subtracting 18 bytes (Datalink overhead) leaves us with 1500 bytes to play with. TCP usually computes the Maximum Segment Size (MSS) that results in IP Datagrams that match the network MTU. In practice, this means the MSS will have such a value that if we add the IP Header as well, the IP Datagram (IP Header + TCP Header + DATA) would be equal to the network MTU. If the MSS option is omitted by one or both ends of the connection, then the value of 536 bytes will be used. The MSS value of 536 bytes is defined by RFC 1122 and is calculated by taking the default value of an IP Datagram, 576 bytes, minus the standard length of the IP and TCP Header (40 bytes), which gives us 536 bytes. In general, it is very important to use the best possible MSS value for your network, because your network performance could be extremely poor if this value is too large or too small. To help you understand why, let's look at a simple example: If you wanted to transfer 1 byte of data through the network, you would need to create a datagram with 40 bytes of overhead, 20 for the IP Header and 20 for the TCP Header. This means that you're using 1/41 of your available network bandwidth for data. The rest is nothing but overhead! On the other hand, if the MSS is very large, your IP Datagrams will also be very large, meaning that they will most probably fail to fit into one packet should the MTU be too small.
Therefore they will need to be fragmented, increasing the overhead by a factor of 2.

Window Scaling

We briefly mentioned Window Scaling in the previous section of the TCP analysis, though you will soon discover that this topic is quite broad and requires a great deal of attention. After gaining a sound understanding of what the Window size flag is used for, Window Scaling is, in essence, an extension to the Window size flag. Because the largest possible value in the Window size flag is only 65,535 bytes (64 kb), it was clear that a larger field was required in order to increase the value to a whopping 1 Gig! Thus, Window Scaling was born. The Window Scaling option can be a maximum of 30 bits in size, which includes the original 16-bit Window size field covered in the previous section. So that's 16 (original window field) + 14 (TCP Options 'Window Scaling') = 30 bits in total. If you're wondering where on earth someone would use such an extremely large Window size, think again. Window Scaling was created for high-latency, high-bandwidth WAN links where a limited Window size can cause severe performance problems. To consolidate all these technological terms and numbers, an example would prove beneficial:


The above example assumes we are using the maximum Window size of 64 kbs and, because the WAN link has very high latency, the packets take some time to arrive at their destination, that is, Host B. Due to the high latency, Host A has stopped transmitting data, since 64 kbs of data have been sent and not yet acknowledged. At Time = 4, Host B has received the data and sends the long-awaited acknowledgement to Host A so it can continue to send data, but the acknowledgement will not arrive until somewhere around Time = 6. So, from Time = 1 up until Time = 6, Host A is sitting and waiting. You can imagine how poor the performance of this transfer would be in this situation. If we were to transfer a 10 Mb file, it would take hours! Let's now consider the same example, using Window Scaling:

As you can see, with the use of Window Scaling, the window size has increased to 256 kb! Since the value is quite large, which translates to more data in transit, Host B has already received the first few packets while Host A is still sending the first 256 kb window. At Time = 2, Host B sends an Acknowledgement to Host A, which is still busy sending data. Host A will receive the Acknowledgement before it finishes the 256 kb window and will therefore continue sending data without pause, since it will soon receive another Acknowledgement from Host B. The difference a large window size makes is clearly evident, increasing the network performance and minimising the idle time of the sending host.


The Window Scale option is defined in RFC 1072, which lets a system advertise 30-bit (16 from the original window + 14 from the TCP Options) Window size values, with a maximum buffer size of 1 GB. This option has been clarified and redefined in RFC 1323, which is the specification that all implementations employ today. Lastly, for those who deal with Cisco routers, it may benefit you to know that you are also able to configure the Window size on Cisco routers running Cisco IOS v9 and greater. Also, routers with versions 12.2(8)T and above support Window Scaling, which is automatically enabled for Window sizes above 65,535 bytes (64 kb), with a maximum value of 1,073,741,823 bytes (1 GByte)!

Selective Acknowledgments (SACK)

TCP has been designed to be a fairly robust protocol though, despite this, it still has several disadvantages, one of which concerns Acknowledgements, which also happens to be the reason Selective Acknowledgements were introduced with RFC 1072. The problem with the good old plain Acknowledgements is that there is no mechanism for a receiver to state "I'm still waiting for bytes 20 through 25, but have received bytes 30 through 35". And if you're wondering whether this is possible, then the answer is 'yes' it is! If segments arrive out of order and there is a hole in the receiver's queue, then using the 'classical' Acknowledgements supported by TCP the receiver can only say "I've received everything up to byte 20". The sender then needs to recognise that something has gone wrong and continue sending from that point onwards (byte 20). As you may have concluded, the above situation is totally unacceptable, so a more robust service had to be created, hence Selective Acknowledgments! Firstly, when a virtual connection is established using the classic 3-way handshake, the hosts must send a "Selective Acknowledgments Permitted" option in the TCP Options to indicate that they are able to use SACKs.
From this point onwards, the SACK option is sent whenever a selective acknowledgment is required. For example, if we have a Windows 98 client that is waiting for byte 4,268, but the SACK option shows that the Windows 98 client has also received bytes 7,080 through 8,486, it is obvious that it is missing bytes 4,268 through 7,079, so the server should only resend the missing 2,810 bytes, rather than restarting the entire transfer at byte number 4,268. Lastly, we should note that the SACK field in the TCP Options uses two 16 bit fields, a total of 32 bits together. The reason there are two fields is that the receiver must be able to specify the range of bytes it has received, just like in the example we used. In the case where Window Scaling is also used, these 2 x 16 bit fields can be expanded to two 24 or 32 bit fields.

Timestamps

Another aspect of TCP's flow-control and reliability services is the round-trip delivery time that a virtual circuit is experiencing. The round-trip delivery time accurately determines how long TCP will wait before attempting to retransmit a segment that has not been acknowledged. Because every network has unique latency characteristics, TCP has to understand these characteristics in order to set accurate acknowledgment timer threshold values. LANs typically have very low latency, and as such TCP can use low values for the acknowledgment timers. If a segment is not acknowledged quickly, a sender can retransmit the questionable data quickly, thus minimizing any lost bandwidth and delay.


On the other hand, using a low threshold value on a WAN is sure to cause problems simply because the acknowledgment timers will expire before the data ever reaches the destination. Therefore, in order for TCP to accurately set the timer threshold value for a virtual circuit, it has to measure the round-trip delivery times for various segments. Finally, it has to monitor additional segments throughout the connection's lifetime to keep up with changes in the network. This is where the Timestamp option comes into the picture. Similarly to the majority of the other TCP Options covered here, the Timestamp option must be sent during the 3-way handshake in order to enable its use in any subsequent segments. The Timestamp option consists of a Timestamp Echo field and a Timestamp Reply field; the reply field is always set to zero by the sender and filled in by the receiver, after which it is sent back to the original sender. Both timestamp fields are 4 bytes long!

Nop

The nop TCP Option means "No Option" and is used to separate the different options used within the TCP Options field. The placement of the nop field depends on the operating system used. For example, if the MSS and SACK options are used, Windows XP will usually place two nops between them, as was indicated in the first picture on this page. Lastly, we should note that the nop option occupies 1 byte. In our example at the beginning of the page, it would occupy 2 bytes since it's used twice. You should also be aware that this field is usually checked by hackers when trying to determine the remote host's operating system.

Summary

This page covered all the available TCP Options that have been introduced to the TCP protocol in its efforts to extend its reliability and performance. While these options are critical in some cases, most users are totally unaware of their existence, especially network administrators.
The information provided here is essential to help administrators deal with odd local and WAN network problems that can't be solved by rebooting a server or router :) The final page of this topic is a summary covering the previous six pages on TCP, as there is little to analyse in the data section of the TCP Segment. It is highly suggested you read it as a recap to help you remember the material covered.
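To tie the options above together, here is an added example (not code from the original page) that parses a TCP Options byte string into MSS, Window Scale, SACK-permitted, SACK blocks, Timestamps and nop count, applies the negotiated shift to a 16 bit window value, and turns the SACK scenario above into the byte ranges a sender would still need to retransmit. The option bytes are constructed, and the SACK arithmetic uses the RFC 2018 convention that a block's right edge is the byte after the last one received.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Option kinds (RFC 793, 1072, 1323 and 2018).
EOL, NOP, MSS, WSCALE, SACK_OK, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
MAX_SHIFT = 14  # RFC 1323: a shift above 14 is treated as 14 (16 + 14 = 30 bits)


@dataclass
class TcpOptions:
    mss: Optional[int] = None
    window_shift: Optional[int] = None
    sack_permitted: bool = False
    sack_blocks: List[Tuple[int, int]] = field(default_factory=list)
    timestamp: Optional[Tuple[int, int]] = None  # (TSval, TSecr)
    nop_count: int = 0


def parse_tcp_options(data: bytes) -> TcpOptions:
    """Walk the option list until EOL or the end of the buffer.

    Every length byte is checked before use, so a truncated or malformed
    list raises ValueError instead of reading past the buffer or looping
    forever on a zero-length option.
    """
    opts = TcpOptions()
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == EOL:
            break
        if kind == NOP:  # one byte, used as padding between options
            opts.nop_count += 1
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = data[i + 2:i + length]
        if kind == MSS and length == 4:
            opts.mss = struct.unpack("!H", body)[0]
        elif kind == WSCALE and length == 3:
            opts.window_shift = min(body[0], MAX_SHIFT)
        elif kind == SACK_OK and length == 2:
            opts.sack_permitted = True
        elif kind == SACK and (length - 2) % 8 == 0:
            for off in range(0, length - 2, 8):
                opts.sack_blocks.append(struct.unpack("!II", body[off:off + 8]))
        elif kind == TIMESTAMP and length == 10:
            opts.timestamp = struct.unpack("!II", body)
        # Unknown kinds, or known kinds with the wrong length, are skipped.
        i += length
    return opts


def effective_window(window_field: int, shift: Optional[int]) -> int:
    """Window in bytes once the negotiated Window Scale shift is applied."""
    return window_field << (shift or 0)


def sack_holes(ack: int, blocks: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Byte ranges still missing at the receiver, from its cumulative ACK
    and SACK blocks.  RFC 2018 edges: left edge is the first byte received,
    right edge is the byte just after the last one, so each hole is
    [start, end) and its size is end - start.
    """
    holes = []
    cursor = ack
    for left, right in sorted(blocks):
        if left > cursor:
            holes.append((cursor, left))
        cursor = max(cursor, right)
    return holes


# Constructed sample bytes.  SYN_OPTIONS follows the MSS, NOP, WS, NOP, NOP,
# SACK-permitted layout mentioned above; DATA_OPTIONS carries a timestamp and
# one SACK block saying bytes 7080..8486 arrived (right edge 8487).
SYN_OPTIONS = bytes([MSS, 4, 0x05, 0xB4, NOP, WSCALE, 3, 7, NOP, NOP, SACK_OK, 2])
DATA_OPTIONS = (bytes([NOP, NOP, TIMESTAMP, 10]) + struct.pack("!II", 1000, 999)
                + bytes([NOP, NOP, SACK, 10]) + struct.pack("!II", 7080, 8487))

if __name__ == "__main__":
    syn = parse_tcp_options(SYN_OPTIONS)
    print("SYN options:", syn)
    print("65535 << %d = %d bytes" % (syn.window_shift, effective_window(65535, syn.window_shift)))
    seg = parse_tcp_options(DATA_OPTIONS)
    print("holes to retransmit:", sack_holes(4268, seg.sack_blocks))
```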


Analysing The TCP Header


Introduction

A fair amount of time was spent trying to figure out which way to analyse the TCP header. Most websites and other resources mention the protocol's main characteristics with a bit of information attached, leaving the reader with a lot of questions and making it difficult to comprehend how certain aspects of the protocol work. For this reason a different approach was selected. Our method certainly gets right into the protocol's guts and contains a lot of information which some of you might choose to skip, but it is guaranteed to satisfy you by giving a thorough understanding of what is going on.

Get Ready.... Here It Comes!

For those who skipped the first introduction page of the protocol, you will be happy to find out that the TCP quick overview page contains a brief summary of the protocol's main characteristics to help refresh your memory. If you need to dive into the details at any point, simply return to this page! The diagram below shows the TCP header captured from a packet that I was running on the network. We'll be using it to help us through our step by step analysis of TCP.


As you can see, the TCP header has been completely expanded to show us all the fields the protocol contains. The numbers on the right are each field's length in bits. This is also shown in the quick TCP overview page. Since much time was spent to ensure our analysis was complete in all aspects, be sure that by the end of it you will understand each field's purpose and how it works. We should also point out that when the packet in our example arrives at its destination, only section 7 (the last one) is sent to the upper OSI layers, because it contains the data they are waiting for. The rest of the information (including the MAC header, IP header and TCP header) is overhead which serves the purpose of getting the packet to its destination and allowing the receiving end to figure out what to do with the packet, e.g. send the data to the correct local application. Now you're starting to understand the somewhat complex mechanism involved in determining how data gets from one point to another!

Since you have made it this far, you can select the section you want to read about by simply clicking on the coloured area on the above packet, or by using the menu below. It is highly recommended that you start from the first section and slowly progress to the final one. This will avoid confusion and limit the case of you scratching your head halfway through any of the other sections:

Section 1: Source & Destination Port Number
Section 2: Sequence & Acknowledgement Numbers
Section 3: Header Length
Section 4: TCP Flag Options
Section 5: Window Size, Checksum & Urgent Pointer
Section 6: TCP Options
Section 7: Data



TCP Analysis - Section 7: Data & Quick Summary


Introduction

Finally, the last page of our incredible TCP Analysis. As most of you would expect, this section is dedicated to the DATA, which is also the reason all the previous pages exist!

The Data

The following diagram may have been tiresome, however, it will be displayed one final time to note the data portion of the packet:

Your knowledge regarding the procedure followed when the above packet arrives at its destination is assumed. However, a summary is given below to refresh our understanding in order to avoid confusion. When the above packet arrives at the receiver, a decapsulation process is required in order to remove each OSI layer's overhead and pass the Data portion to the application that's waiting for it. As such, when the packet is received in full by the network card, it is given to the 2nd OSI layer (Datalink) which, after performing a quick check on the packet for errors, will strip the overhead associated with that layer, meaning the yellow blocks will be removed. The remaining portion, that is, the IP header, TCP header and Data, now called an IP Datagram, will be passed to the 3rd OSI layer (Network) where another check will be performed and, if found to be error free, the IP header will be stripped and the rest (now called a Segment) is passed to the 4th OSI layer. The TCP protocol (4th OSI layer) will accept the segment and perform its own error check on the segment. Assuming it is found error free, the TCP header is stripped off and the remaining data is given to the upper layers, eventually arriving at the application waiting for it.

Summary

Our in-depth analysis of the TCP protocol has reached its conclusion. After reading all these pages, we are sure you have a much better understanding regarding the TCP protocol's purpose and process, and you are able to really appreciate its functions.


The TCP Header/Segment


Introduction

This page will introduce several new concepts, nothing of great difficulty, but essential for you to understand. We will learn what a TCP segment is, analyse it and start to explore the guts of TCP :) So buckle up and get ready. It's all really simple, you just need to clear your mind and try to see things in the simplest form and you will discover how easy and friendly TCP really is. You can only feel comfortable with something once you get to know it.

TCP Header and TCP Segment

If we wanted to be more accurate with the terms we use, then perhaps we would title this page "Analysing A TCP Segment". Why? Well, that's what it's called in the networking world so we need to know it by the correct term. This of course leads us to another new definition, a TCP segment: The unit of transfer between the TCP software on two machines is called a TCP segment. If your expression has transformed itself to resemble a confused person, then don't worry, just keep reading... Understanding this term is easier than you thought 5 seconds ago, just take a good look at the diagram below:

Now you see that a TCP segment is basically the TCP header plus the data that's right behind it and, of course, the data belongs to the upper layers (5, 6, 7). The data contents could be part of a file transfer, or the response to an HTTP request; the fact is that we really are not interested in the data's contents, but only in the fact that it's part of the TCP segment. The screen shot below was taken from my packet sniffer, and it shows the DATA portion belonging to the TCP Header:


If you tried to capture a similar packet from any packet sniffer, it is more likely to display the Data portion within the TCP header, just as the screen shot on the left. So the question is whether a TCP header and a TCP segment are basically the same thing. Even though it might seem they are, in most cases, when referring to the TCP header, we are talking about the header without the data, whereas a TCP segment includes the data.

Getting Ready To Analyse The TCP Header

We are now ready to begin examining the structure of the TCP header. However, be sure to keep in mind that the 'TCP Header' is the same thing as a 'TCP Segment', meaning it's the TCP header information plus the Data, just as the diagrams above show. The last screen shot certainly gives out a fair bit of information, but there is still much that hasn't been revealed, not to mention nothing's really been analysed as yet :)


User Datagram Protocol - UDP

Some common protocols which use UDP are: DNS, TFTP, ARP, RARP and SNMP. When people refer to "TCP/IP" remember that they are talking about a suite of protocols, and not just one (as most people think). TCP/IP is NOT one protocol. Please see the Protocols section for more information. The User Datagram Protocol (UDP) is defined by IETF RFC 768.


UDP - User Datagram Protocol

The second protocol used at the Transport layer is UDP. Application developers can use UDP in place of TCP. UDP is the scaled-down economy model and is considered a thin protocol. Like a thin person in a car, a thin protocol doesn't take up a lot of room - or in this case, much bandwidth on a network. UDP, as mentioned, doesn't offer all the bells and whistles of TCP, but it does a fabulous job of transporting information that doesn't require reliable delivery and it does so using far fewer network resources.

Unreliable Transport

UDP is considered to be an unreliable transport protocol. When UDP sends segments over a network, it just sends them and forgets about them. It doesn't follow through, check on them, or even allow for an acknowledgment of safe arrival, in other words .... complete abandonment! This does not mean that UDP is ineffective, only that it doesn't handle issues of reliability. The picture below shows us the UDP header within a data packet. This is to show you the different fields a UDP header contains:


Connection-less Oriented

For those who read about TCP, you would know it is a connection oriented protocol, but UDP isn't. This is because UDP doesn't create a virtual circuit (establish a connection before data transfer), nor does it contact the destination before delivering information to it. No 3-way handshake or anything like that here! Since UDP assumes that the application will use its own reliability method, it doesn't use any, which obviously makes things transfer faster.

Less Overhead

The very low overhead, compared to TCP, is a result of the lack of windowing or acknowledgments. This certainly speeds things up but you get an unreliable (in comparison to TCP) service. There really isn't much more to write about UDP so I'll finish here.


Domain Name System (DNS) Introduction


Introduction

DNS is a very well known protocol. It is used for resolving host names and domain names to IP addresses. The fact is that when you type www.firewall.cx it is translated into an IP address via special queries that take place from your PC, but I'll explain how that works later on. Because there is a fair bit of material to cover for the DNS protocol, and I don't want to confuse you with too much information on one page, I have broken it down into 5 sections, each covering a specific part of the protocol. People who want specific information on the DNS protocol can go straight to the section they need; the rest of us who just want to learn it all can start reading in the order presented:

Section 1: The DNS Protocol. How and why the DNS protocol was born. The page contains a bit of historical information and also compares DNS with the OSI Reference model, where you will see the layers on which DNS works. The Internet DNS hierarchy is also analysed here, giving you the chance to understand how domains on the Internet are structured.

Section 2: The DNS Resolution Process. What really happens when a host requests a DNS resolution. Full analysis of the whole resolution process using a real life example. Understand Name Servers and the role they play in the DNS system.

Section 3: The DNS Query Message Format. This section, along with the next one, gives you the DNS packet format in all its glory. Learn how DNS queries are generated and formatted. See, learn and understand the various fields within the packets as you're taken through a full detailed analysis of the packet structure using the cool 3D diagrams.

Section 4: The DNS Response Message Format. This is the continuation of the section above, dealing with the DNS response that's received. You will learn how the response packet is generated, formatted and sent to the resolver. Again, you're taken through a full detailed analysis of the packet structure using the cool 3D diagrams.

Section 5: The DNS Server (BIND). Based on BIND for Linux, this section is broken into a further 6 pages:

Section 5.1: Introduction to the DNS Server. Learn how a DNS server is set up on a Linux machine. Over 85% of DNS servers on the Internet run on Linux and Unix based systems, while Microsoft and Novell DNS servers follow the same structure. DNS Zones and Domains are also covered on this page; this is essential for understanding how DNS Servers work.


Section 5.2: The db.DOMAIN file. Complete analysis of the zone data file for a Primary DNS server. See what it contains and understand how it's structured.

Section 5.3: The db.ADDR file. Complete analysis of the zone data file for a Primary DNS server. See what it contains and understand how it's structured.

Section 5.4: Other common files. Analysing the rest of the files which are common to all DNS servers.

Section 5.5: Slave DNS Server. Instructions on setting up a secondary DNS server.

Section 5.6: DNS Caching. The key to an efficient DNS server. This is a must for any DNS Administrator. Learn how DNS caching helps improve performance and reduce traffic. Includes analysis of specific parameters within the DNS packet which help make DNS caching a reality, and find out how to avoid the problems that come with domain redelegation or website transfers.

As you can see, there's plenty of stuff to cover. But don't despair, because it's all cool stuff! Grab something to drink and let's dive into the DNS waters! You will be amazed at the stuff you'll find :)


The DNS Protocol


Introduction

If you ever wondered where DNS came from, this is your chance to find out! The quick summary of DNS's history will also help you understand why DNS servers are run mostly on Linux and Unix-type systems. We then get to see the layers of the OSI Model on which DNS works and, towards the end of the page, you will find out how the Domains (and DNS servers) are structured on the Internet to ensure uptime and effectiveness.

The History

DNS began in the early days when the Internet was only a small network created by the Department of Defence for research purposes. Host names (simple computer names) of computers were manually entered into a file (called HOSTS) which was located on a central server. Each site/computer that needed to resolve host names had to download this file. But as the number of hosts grew, so did the HOSTS file (Linux, Unix, Windows and NetWare still use such files) until it was far too large for computers to download and it was generating great amounts of traffic! So they thought ... Stuff this .. let's find a better solution ... and in 1984 the Domain Name System was introduced.

The Protocol

The Domain Name System is a 'hierarchically distributed database', which is a fancy way of saying that its layers are arranged in a definite order and that its data is distributed across a wide range of machines (just like the roots of a tree branch out from the main root). Most companies today have their own little DNS server to ensure the computers can find each other without problems. If you're using Windows 2000 and Active Directory, then you surely are using DNS for the name resolution of your computers.
Microsoft has created its own version of a "DNS" server, called a WINS server, which stands for Windows Internet Name Service, but this is old technology and uses protocols that are nowhere near as efficient as DNS, so it was natural for Microsoft to move away from WINS and towards DNS, after all, the whole Internet works on DNS :) The DNS protocol works when your computer sends out a DNS query to a name server to resolve a domain. For example, you type "www.firewall.cx" in your web browser, this triggers a DNS request, which your computer sends to a DNS server in order to get the website's IP Address ! There is a detailed example on the pages to follow so I won't get into too much detail for the moment.


The DNS protocol normally uses the UDP protocol as a means of transport because of its small overhead in comparison to TCP; the less overhead a protocol has, the faster it is ! In the case where there are constant errors and the computer trying to request a DNS resolution can't get an error free answer, or any answer at all, it will switch to TCP to ensure the data arrives without errors.


This process, though, depends on the operating system you're using. Some operating systems might not allow DNS to use the TCP protocol, thus limiting it to UDP only. It is rare that you will get so many errors that you can't resolve any hostname or domain name to an IP Address. The DNS protocol utilises Port 53 for its service. This means that a DNS server listens on Port 53 and expects any client wishing to use the service to use the same port. There are, however, cases where you might need to use a different port, something possible depending on the operating system and DNS server you are running. In the following pages we'll be looking at the actual DNS packet format, where you are able to see exactly the contents of a DNS query, so we won't analyse the packet structure here. Next we'll take a close look at how the Internet domains and DNS servers are structured to make sure the model works flawlessly and efficiently!

The Internet Domain Name Server Hierarchy

This interesting section will help you understand how domain names on the Internet are structured and where DNS servers fit into the picture. When you think about the millions of domain names registered today, you probably think that you have to be superhuman to manage such a structure of DNS servers! Well, that's not the case. The DNS structure has been designed in such a way that no DNS server needs to know about all possible domains, but only those immediately above and below it. The picture below shows part of the Internet DNS hierarchical structure:

Let's explain how it works: Internic controls the "root" domain, which includes all the top level domains. These are marked in a green oval for clarity. Within the green oval you have the ROOT DNS servers, which know all about the authoritative DNS servers for the domains immediately below them, e.g. firewall.cx, cisco.com, microsoft.com etc. These ROOT DNS servers can tell you which DNS server takes care of firewall.cx, cisco.com, microsoft.com and the rest. Each domain, including the ones we are talking about (cisco, firewall, microsoft), has what we call a "Primary DNS" and a "Secondary DNS". The Primary DNS is the one that holds all the information about its domain. The Secondary acts as a backup in case the Primary DNS fails. The process in which a Primary DNS server sends its copy to the Secondary DNS server is called Zone Transfer and is covered in the DNS Database section. Today there are hundreds of websites at which you are able to register your own domain and, once you've done that, you have the power to manage it yourself. In the example above, Cisco bought the "Cisco.com" domain and then created its resource records. Some examples of resource records for the Cisco domain in our example are: support, www and routers. These will be analysed in depth on the next pages. So here comes the million dollar question :) How do you create subdomains and www's (known as resource records)? The answer is pretty simple: you use a special DNS administration interface (usually web based - provided by the guys with whom you registered your domain) that allows you to create, change and delete the subdomains, www's or whatever resource record you can come up with. When you're making changes to the DNS settings of your domain, you're actually changing the contents of specific files that are located on that server. These changes then slowly propagate to the authoritative DNS servers, which are responsible for your domain area, and then the whole Internet will contact these DNS servers when they need to access any section of your domain. For example, if you need to resolve ftp.firewall.cx, your computer will locate and contact the DNS Server responsible for the .CX domains, which will let you know the DNS server that's in charge of the Firewall.cx domain.
The DNS server of Firewall.cx in turn will let your computer know the IP Address of ftp.firewall.cx because it holds all the information for the firewall.cx domain.


DNS Resolution Process


Introduction

This section will help you understand how DNS queries work on the Internet and your home network. There are two ways to use the domain name system in order to resolve a host or domain name to an IP Address and we're going to look at them here. There is also a detailed example later on this page to help you understand it better.

Queries and Resolution

As mentioned in the introduction section, there are two ways for a client to use the domain name system to get an answer. One of these involves the client contacting the name servers one at a time (this is also called a non-recursive query) until it finds the authoritative server that contains the information it requires, while the other way is to ask the name server system to perform the complete translation (this is also called a recursive query), in which case the client will send the query and get a response that contains the IP Address of the domain it's looking for. It's really exciting to see how DNS queries work. While analysing with you the packets that are sent and received from the DNS server, I'm going to show you how the client chooses the method by which it wants its query to be resolved, so you will truly understand how these cool features work! The DNS Query/Response Message Format pages contain all this packet analysis information, so let's continue and prepare for it!

Our Example DNS Resolution

We will now look at what happens when your workstation requests a domain to be resolved. The example that follows will show you the whole procedure step by step, so make sure you take your time to read it and understand it! When someone wants to visit the Cisco website (www.cisco.com), they go to their web browser and type "http://www.cisco.com" or just "www.cisco.com" and, after a few seconds, the website is displayed. But what happens in the background after they type the address and hit enter is pretty much unknown to most users. That's what we are going to find out now!
The picture below shows us what would happen in the above example: (for simplicity we are not illustrating both Primary and Secondary DNS servers, only the Primary)


Explanation:

1. You open your web browser and enter www.cisco.com in the address field. At that point, the computer doesn't know the IP address for www.cisco.com, so it sends a DNS query to your ISP's DNS server (it's querying the ISP's DNS because this has been set through the dial-up properties; if you're on a permanent connection then it's set through your network card's TCP/IP properties).
2. Your ISP's DNS server doesn't know the IP for www.cisco.com, so it will ask one of the ROOT DNS servers.
3. The ROOT DNS server checks its database and finds that the Primary DNS for Cisco.com is 198.133.219.25. It replies to your ISP's server with that answer.
4. Your ISP's DNS server now knows where to contact Cisco's DNS server and find out if www.cisco.com exists and its IP. Your ISP's DNS server sends a recursive query to Cisco.com's DNS server and asks for an IP address for www.cisco.com.
5. Cisco's DNS server checks its database and finds an entry for "www.cisco.com". This entry has an IP address of 198.133.219.25. In other words, the webserver is running on the same physical server as the DNS! If it wasn't running on the same server, then it would have a different IP. (Just a note, you can actually make it look like it's on the same physical server, but actually run the web server on a different box. This is achieved by using some neat tricks like port forwarding.)
6. Your ISP's DNS server now knows the IP address for www.cisco.com and sends the result to your computer.
7. Your computer now knows who it needs to contact to get to the website. So it sends an HTTP request directly to Cisco's webserver and downloads the webpage.

I hope you didn't find it too hard to follow. Remember that this query is the most common type. The other type of query (non-recursive) follows the same procedure; the difference is that the client does all the running around trying to find the authoritative DNS server for the desired domain. I like to think of it as "self service" :)
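The referral walk in steps 2 to 6 above, as an added example that is not part of the original page: a constructed set of name servers whose only real value is the page's 198.133.219.25 for www.cisco.com (every other address is a documentation-range placeholder), with a resolver that follows referrals from the root until it reaches the authoritative server. The same loop is what a recursive query hands off to the ISP's server and what the client runs itself in a non-recursive query.

```python
from typing import Dict, List, Optional, Tuple

# Constructed name-server table: address -> the records that server holds.
#   ("NS", zone) -> address of the server delegated for that zone
#   ("A", host)  -> IPv4 address of that host
# Only 198.133.219.25 (www.cisco.com) comes from the page; everything else
# uses TEST-NET-1 (192.0.2.0/24) placeholder addresses.  The page's diagram
# folds the top level servers into the root, and this table keeps that shape.
ROOT_SERVER = "192.0.2.1"
SERVERS: Dict[str, Dict[Tuple[str, str], str]] = {
    ROOT_SERVER: {
        ("NS", "cisco.com"): "198.133.219.25",
        ("NS", "firewall.cx"): "192.0.2.53",
    },
    "198.133.219.25": {  # Cisco's Primary DNS (steps 3 to 5)
        ("A", "www.cisco.com"): "198.133.219.25",
    },
    "192.0.2.53": {  # Firewall.cx's Primary DNS
        ("A", "www.firewall.cx"): "192.0.2.80",
        ("A", "ftp.firewall.cx"): "192.0.2.21",
    },
}


def ask(server: str, name: str) -> Tuple[str, str]:
    """One query/response exchange with a single name server.

    Returns ("answer", ip) when the server holds the record itself,
    ("referral", next_server) when it can only delegate further down the
    tree, or ("nxdomain", "") when it knows nothing about the name.
    """
    records = SERVERS[server]
    if ("A", name) in records:
        return "answer", records[("A", name)]
    best_zone, next_server = "", ""
    for (rtype, zone), addr in records.items():
        # Pick the most specific zone this server delegates for the name.
        if rtype == "NS" and (name == zone or name.endswith("." + zone)):
            if len(zone) > len(best_zone):
                best_zone, next_server = zone, addr
    if best_zone:
        return "referral", next_server
    return "nxdomain", ""


def resolve(name: str, start: str = ROOT_SERVER,
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """The ISP's server doing the running around (steps 2 to 6): follow
    referrals from the root until an authoritative answer arrives.  Returns
    (address or None, list of servers contacted) so the chain is visible.
    max_hops stops a misdelegated zone from sending the resolver round in
    circles forever.
    """
    name = name.lower().rstrip(".")
    trail: List[str] = []
    server = start
    for _ in range(max_hops):
        trail.append(server)
        kind, value = ask(server, name)
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value  # referral: ask the delegated server next
    return None, trail


if __name__ == "__main__":
    for host in ("www.cisco.com", "ftp.firewall.cx", "www.example.org"):
        print(host, "->", resolve(host))
```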


DNS Query Message Format


Introduction

This section will deal with the analysis of the DNS packets. This will allow us to see the way DNS messages are formatted and the options and variables they contain. To understand a protocol, you must understand the information the protocol carries from one host to another. Because the DNS message format can vary, depending on the query and the answer, I've broken this analysis into two parts. Part 1 analyses the DNS format of a query, in other words, it shows how the packet looks when we ask a DNS server to resolve a domain. Part 2 analyses the DNS format of an answer, where the DNS server is responding to our query. I find this method more informative and easier to understand than combining the analysis of queries and answers.

DNS Analysis - Host Query

As mentioned in the previous sections on the DNS Protocol, a DNS query is generated when the client needs to resolve a domain name into an IP Address. This could be the result of entering "www.firewall.cx" in the URL field of your web browser, or simply of launching a program that uses the Internet and therefore generates DNS queries in order to successfully communicate with the host or server it needs. Now, I've also included a live example (using my packet analyser), so you can compare theory with practice for a better understanding. After this we will have a look at the meaning of each field in the packet, so let's check out what a packet containing a DNS query would look like on our network:

This is the captured packet we are going to deal with. To generate this packet, I typed "ping www.firewall.cx" at my Linux prompt. The command generated this packet, which was put on my network with the destination being a name server in Australia. Notice the destination port, which is set to 53, the port on which DNS works, and the transport protocol used for the DNS query, which is UDP.


Ethernet II (Check Ethernet Frames for more info.) is the most common type of frame found on LANs, in fact it probably is the only type you will find on 85% of all networks if you're only running TCP/IP and Windows or Unix-like machines. This particular one contains a DNS section, which could be either a Query or Response. We are assuming a Query, so it can fit nicely in our example. We are going to take the DNS Section above and analyse its contents, which are already shown in the picture above (Right hand side, labeled "Capture") taken from my packet analyser. Here they are again in a cool 3D diagram:

From this whole packet, the DNS Query Section is the part we're interested in (analysed shortly), the rest is more or less overhead and information to let the server know a bit more information about our query. The analysis of each 3D block (field) is shown in the left picture below so you can understand the function of each field and the DNS Query Section captured by my wonderful packet sniffer on the right:


All fields in the DNS Query section except the DNS Name field (underlined in red in the picture above), have set lengths. The DNS Name field has no set length because it varies depending on the domain name length as we are going to see soon.


For example, a query for www.cisco.com will require a smaller DNS Name field than a query for support.novell.com, simply because the second domain is longer.

The DNS Name Field

To prove this I captured a few packets that show different lengths for the domain names I just mentioned. Because the DNS section in a packet provides no length field, we need to look one level above, at the UDP header, in order to calculate the DNS section length. By subtracting the UDP header length (always 8 bytes - check the UDP page for more information) from the value in the UDP Length field, we are left with the length of the DNS section:

The two examples clearly show that the Length field in the UDP header varies depending on the domain we are trying to resolve. The UDP header is 8 bytes in both examples and all fields in the DNS section, except for the DNS Name field, are always 2 bytes.

The Flags/Parameters Field

The Parameters field (labeled Flags) is one of the most important fields in DNS because it is responsible for letting the server or client know a lot of important information about the DNS packet. For example, it contains information as to whether the DNS packet is a query or a response and, in the case of a query, whether it should be recursive or non-recursive. This is most important because, as we've already seen, it determines how the query is handled by the server. Let's have a closer look at the flags and explain the meaning of each one. I've marked the bit numbers in black on the left hand side of each flag parameter so you can see which ones are used during a response. The picture on the right hand side explains the various bits. You won't see all 16 bits used in a query, as the rest are used during a response or are reserved:


As you can see, only bits 1, 2-5, 7, 8 and 12 are used in this query. The rest are a combination of reserved bits and bits that are used only in responses. When you read the DNS Response message format page, you will find a similar captured packet which is a response to the above query, and the rest of the bits used are analysed there. And that just about does it for the DNS Query message format page. Next up is the DNS Response message format page, which I'm sure you will find just as interesting!
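To tie the fields above to actual bytes, here is an added example (not code from the original page) that builds the DNS section of a standard query as the captured packet would carry it: the variable-length DNS Name field, the fixed 2-byte fields, the RD flag, and the UDP Length arithmetic used on this page. The transaction ID and the names queried are constructed values; the bit masks follow RFC 1035 and are numbered from the least significant bit.

```python
import struct

# Flag bits of the 16-bit Flags/Parameters word (RFC 1035 section 4.1.1),
# counted from the least significant bit.
QR_RESPONSE = 0x8000   # 0 = query, 1 = response
OPCODE_MASK = 0x7800   # 0 = standard query
RD_BIT = 0x0100        # recursion desired (set by the client)
RA_BIT = 0x0080        # recursion available (set by the server only)

QTYPE_A = 1            # "A" record: host address
QCLASS_IN = 1          # Internet class


def encode_name(name):
    """Encode a domain name as DNS labels: <len><label>...<len><label><0>.
    This is why the DNS Name field has no fixed size."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A, recursive=True):
    """Build the DNS section of a query (the bytes that follow the 8-byte UDP header)."""
    flags = RD_BIT if recursive else 0
    # ID, Flags, Questions, Answer RRs, Authority RRs, Additional RRs: six 2-byte fields
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def udp_length_for(dns_section):
    """Value the UDP Length field would show: 8-byte UDP header plus the DNS section."""
    return 8 + len(dns_section)


def describe_flags(flags):
    return {
        "response": bool(flags & QR_RESPONSE),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "recursion_desired": bool(flags & RD_BIT),
        "recursion_available": bool(flags & RA_BIT),
    }


def parse_query(dns_section):
    """Decode a query: fixed header, the variable-length name, then QTYPE/QCLASS."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns_section[:12])
    labels, pos = [], 12
    while dns_section[pos]:
        n = dns_section[pos]
        labels.append(dns_section[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    name_len = pos + 1 - 12                      # labels plus the terminating zero byte
    qtype, qclass = struct.unpack("!HH", dns_section[pos + 1:pos + 5])
    return {"id": txid, "flags": describe_flags(flags), "name": ".".join(labels),
            "name_field_len": name_len, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    for host in ("www.cisco.com", "support.novell.com"):   # constructed sample queries
        q = build_query(host, txid=0x1234)
        print("%-20s DNS section %d bytes, UDP Length %d" % (host, len(q), udp_length_for(q)))
```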

DNS Response Message Format


Introduction

The previous page dealt with the DNS Query message format. We analysed it in great detail and showed how various options are selected by the host using the Flags/Parameters field. On this page we will see and analyse the responses we get from the generated queries. These responses, in the case of a recursive query, come directly from the DNS server to which we sent the query and, in the case of a non-recursive query, come from the last DNS server the client contacts in order to get the required information. Lastly, keep in mind that this page is the continuation of the previous page, so it's important to understand the previous material! If you have any doubts, read the previous section again. Now that we have all that out of the way, let's grab a few DNS responses and get our hands dirty :)

DNS Analysis - Server Response

Here is the response (highlighted) to the previous DNS query sent to an Australian DNS server (139.130.4.4), where I asked for the resolution of www.firewall.cx:

Something worth paying attention to is the time this query took to come back to my Linux file server. The time taken, from the moment the packet was sent from the Linux file server until it received the answer, was only 0.991 seconds! During this short period the packet travelled from Greece to Australia, reached the DNS server, which sent its own queries to other DNS servers until it found the answer, and then generated a DNS response that was sent back to Greece where my home network is! There are a lot of factors that contribute to this fairly fast response: the transport protocol UDP, which does not require any 3-way handshake, the load of the DNS server to which I sent the query, the load of the DNS servers it then had to ask, the speed at which all these servers and myself are connected to the Internet, and the general load on the routers my packet had to travel through in order to get to its various destinations! As you can clearly see, there is a lot happening for just one DNS query and response. Try to consider what happens when you have 20,000,000 DNS queries happening at once on the Internet and you have a good idea of how well this protocol and the underlying technology have been designed! Following is the Ethernet II packet that runs on the local network. The structure is the same, and varies only in size, regardless of whether it's a DNS Query or Response:

Now, to make the analysis of the DNS section easier I have also included the DNS Query (left hand side) and DNS Response (right hand side). This allows you to compare what we sent and what we received:


By comparing the two packets, you can see that there are fields in the DNS Response packet (marked with green arrows) that didn't exist in the Query. Let's see again what each field means and analyse them as we did on the previous page. The DNS section in a response packet is considerably larger and more complex than that of a query. For this reason we are going to analyse it in parts rather than all together. The query had only one section that required in-depth analysis, whereas the response has three, since the first one is the original query sent. Here is the DNS section of a DNS response in 3D:

You can clearly see that everything after the light green 3D block labeled "DNS Query Section" is new. We are going to focus on these 3 new blocks, which are part of the DNS Response Section, as the rest has been covered on the previous page.

DNS Response Section

The analysis of this section won't be too difficult because the format followed in each 3D block of our DNS Response Section is identical. For this reason, I have not analysed all three 3D blocks, but only a few to help you get the idea. The diagram below shows you the contents of the three 3D blocks (sections) we are looking at: the Answers section, the Authoritative Name Servers section and the Additional Records section:

What we need to understand is that each one of these three sections has identical fields. Even though the information they contain might seem a bit different, the fields are exactly the same, and we will see this shortly. In the picture above, I have only expanded the first part of the Answers section, which is underlined in green, so you can compare the fields with the ones contained in the left hand picture. This next picture shows you the expanded version of the first part of the Answers and Authoritative sections. I have already marked and labeled the fields to prove to you that they are all identical and vary only in the information they contain:


If you look carefully you will notice that the Resource Data field is presented first, where according to the analysis of the sections in the picture above (left side), you would expect it last. The truth is that it is last, but it's presented first just because my packet sniffer likes to make the data more readable and less confusing. This is also the reason the first line of each part in each section is used to give you a quick summary of the information captured. For example, looking at line 1, part 1 in the Answers Section (underlined in green), you get a summary of what's to follow: www.firewall.cx, type INET, cname firewall. This proves that all fields in all of these 3 sections contained in the DNS Response Section are identical, but contain different values/data.

You also might wonder why there are 2 parts in each section. Could there be more or fewer parts, depending on the domain name, or are there always 2 parts in each section? The answer is simple and logical: there are as many parts as needed, depending on the domain setup. For example, if I had more than two name servers for the firewall.cx domain, you would see more than two parts in the Authoritative Name Servers section and in the other sections. Our example has only 2 parts per section, whereas the one we see below has a lot more. This DNS Response Section is based on a query generated for the IBM.COM domain:


As you can see, our query for IBM.COM gave us a response which has 4 parts per section! Again, each part in every section has identical fields, but different data/values. You might have noticed a pattern here as well: in every DNS response you will find the same number of parts per section. For example, the picture on the left shows us 4 parts for each of the Answers, Authoritative and Additional Records sections, and this is no coincidence. What links the 3 sections (Answers, Authoritative and Additional Records) is the Type field, and I will explain why.

The Type Field

The Type field determines the type or part of information we require about a domain. To give you the simplest example, when we have Type=A, we are given the IP address of the domain or host (look at the Answers section above), whereas Type=NS means we are given the Authoritative Name Servers that are responsible for the domain (look at the Authoritative Name Servers section above). Looking at the picture below, which is from our first example (query for firewall.cx), we can see exactly how the Type field is responsible for the data we receive about a domain:


As you can see, the Type field in the first part of the Authoritative Name Servers section is set to NS, which means this part contains information about the authoritative name servers of the queried domain. Going to the first part of the Additional Records, we can see that the Type field here is set to A, which means the data contained in this part is an IP address for a particular host. So where is the logic to all this? Well, if I told you which servers are authoritative for a domain (Authoritative Name Servers section), it would be useless if I answered you without giving you their IP addresses (Additional Records section). This is the reason in this example we have been told about the name servers for the firewall.cx domain (Authoritative Name Servers section), but also given their IP addresses (Additional Records section). The same rule and logic explains why there are 2 parts for all three sections of this example. Let's have a look at the different values the Type field can have; this will also give you an insight into the information we can request and receive about any domain:

Type    Meaning                  Contents
A       Host Address             32-bit IP address of host or domain
CNAME   Canonical Name (Alias)   Canonical domain name for an alias, e.g. www
HINFO   CPU & OS                 Name of CPU and operating system
MINFO   Mailbox                  Info about a mailbox or mail list
MX      Mail Exchange            16-bit preference and name of the host that acts as a mail exchange server for a domain, e.g. mail.firewall.cx
NS      Name Server              Authoritative name server for the domain
PTR     Pointer                  Symbolic link for a domain, e.g. net.firewall.cx points to www.firewall.cx
SOA     Start Of Authority       Multiple fields that specify which parts of the naming hierarchy a server implements
TXT     Arbitrary Text           Uninterpreted string of ASCII text

The above values the Type field can take are contained within the DNS database, which is covered next. Our discussion on the DNS Response message format
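As an added example (not code from the original page), the parser below walks a constructed DNS response for www.firewall.cx through the Answers, Authoritative Name Servers and Additional Records sections using the single resource-record layout they all share, and decodes the Type field with the values from the table above. The name-server names, TTLs and 192.0.2.x addresses are constructed sample data; the response also uses the name-compression pointers that real responses carry, which the query page did not need.

```python
import struct

# Type field values from the table above (RFC 1035 numbering)
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              13: "HINFO", 14: "MINFO", 15: "MX", 16: "TXT"}
NAME_TYPES = (2, 5, 12)            # RDATA is itself a domain name for NS, CNAME, PTR


def read_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer to an earlier name in the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2   # the field itself ends after the pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def read_rr(msg, offset):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (same in all 3 sections)."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in rdata)      # A: 32-bit address
    elif rtype in NAME_TYPES:
        data, _ = read_name(msg, offset)            # NS/CNAME/PTR: a (compressible) name
    else:
        data = rdata.hex()
    rr = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)), "ttl": ttl, "data": data}
    return rr, offset + rdlen


def parse_response(msg):
    """Split a DNS response into its question and the three answer-side sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    sections = {}
    for label, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            rrs.append(rr)
        sections[label] = rrs
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, **sections}


def _rr(name_bytes, rtype, ttl, rdata):
    return name_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed response: QR+RD+RA flags, 1 question, 1 answer, 2 authority, 2 additional.
# Offset 12 = "www.firewall.cx", offset 16 = "firewall.cx" (pointers 0xC00C / 0xC010).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 2, 2)
    + b"\x03www\x08firewall\x02cx\x00" + struct.pack("!HH", 1, 1)
    + _rr(b"\xc0\x0c", 5, 3600, b"\xc0\x10")                   # www.firewall.cx CNAME firewall.cx
    + _rr(b"\xc0\x10", 2, 3600, b"\x03ns1\xc0\x10")            # firewall.cx NS ns1.firewall.cx
    + _rr(b"\xc0\x10", 2, 3600, b"\x03ns2\xc0\x10")            # firewall.cx NS ns2.firewall.cx
    + _rr(b"\x03ns1\xc0\x10", 1, 3600, bytes([192, 0, 2, 1]))  # glue A records (constructed)
    + _rr(b"\x03ns2\xc0\x10", 1, 3600, bytes([192, 0, 2, 2]))
)

if __name__ == "__main__":
    for section, rrs in parse_response(SAMPLE_RESPONSE).items():
        print(section, rrs)
```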

File Transfer Protocol - FTP


Introduction

File transfer is among the most frequently used TCP/IP applications and it accounts for a lot of the network traffic on the Internet. Various standard file transfer protocols existed even before the Internet was available to everyone, and it was these early versions of file transfer software that helped create today's standard, known as the File Transfer Protocol (FTP). The most recent specification of the protocol is RFC 959.

The Protocol

FTP uses TCP as a transport protocol. This means that FTP inherits TCP's robustness and is very reliable for transferring files. Chances are, if you download files, you've used FTP a few hundred times without realising it! And if you have a huge warez collection, then make that a couple of thousand times :) The picture below shows where FTP stands in contrast to the OSI model. As I have noted in other sections, it's important to understand the concept of the OSI model, because it will greatly help you understand all this too :) Now, we mentioned that FTP uses TCP as a transport, but we didn't say which ports it uses! Port numbers 21 and 20 are used for FTP. Port 21 is used to establish the connection between the 2 computers (or hosts) and port 20 to transfer data (via the Data Channel). But there are some instances where port 21 is used for both establishing a connection and data transfer, and I will analyse them shortly.


The best thing you can do to "see" it yourself is to grab a packet sniffer, which you will conveniently find in our download section, and try to capture a few packets while you're ftp'ing to a site.

Both Ports - 20 and 21 - Active FTP Mode

I have included a screenshot from my workstation which clearly shows the 2 ports used. In the example, I have ftp'ed into ftp.cdrom.com. Please click here to view the full picture.

Only Port 21 - Passive FTP Mode

Now, in the next picture I ftp'ed into my NetWare server here at home and guess what .... only port 21 was used! Here is the screen shot:

Please click here to view the full picture. Let me explain why this is happening: FTP has two separate modes of operation, Active and Passive. You will use one or the other depending on whether your PC is behind a firewall.

Active Mode FTP

Active mode is usually used when there isn't any firewall between you and the FTP server; in such cases you have a direct connection to the Internet. When you (the client) try to establish a connection to an FTP server, your workstation includes a second port number (using the PORT command) that is used when data is to be exchanged; this is known as the Data Channel. The FTP server then starts the exchange of data from its own port 20 to whatever port was designated by your workstation (in the screen shot, my workstation used port 1086), and because the server initiated the communication, it's not controlled by the workstation client. This can also potentially allow uninvited data to arrive at your computer from anywhere, posing as a normal FTP transfer. This is one of the reasons Passive FTP is more secure.

Passive Mode FTP

Using normal or passive FTP, a client begins a session by sending a request to communicate through TCP port 21, the port that is conventionally assigned for this use at the FTP server. This communication is known as the Control Channel connection. At this point, a PASV command is sent instead of a PORT command. Instead of specifying a port that the server can send to, the PASV command asks the server to specify a port it wishes to use for the Data Channel connection. The server replies on the Control Channel with the port number, which the client then uses to initiate an exchange on the Data Channel. The server will thus always be responding to client-initiated requests on the Data Channel, and the firewall can correlate these. It's simple to configure your FTP client program to use either Active or Passive FTP. For example, in CuteFTP, you can set your program to use Passive FTP by going to FTP --> Settings --> Options and then selecting the "Firewall" tab:

If you remove the above options, then your workstation will be using (if possible) Active FTP mode, and I say "if possible" because if you're already behind a firewall, there is probably no way you will be using Active FTP, so the program will automatically change to Passive FTP mode. So let's have a look at the process of a computer establishing an FTP connection with a server:


The above assumes a direct connection to the FTP server. For simplicity, we are looking at the way the FTP connection is created and not worrying about whether it's a Passive or Active FTP connection. Since FTP is using TCP as a transport, you would expect to see the 3-way handshake. Once that is completed and there is a data connection established, the client will send its login name and then password. After the authentication sequence is finished and the user is authenticated to the server, it's allowed access and is ready to leech the site dry :) Finally, below are the most commonly used FTP commands:

ABOR: abort previous FTP command
LIST and NLST: list files and directories
DELE: delete a file
RMD: remove a directory
MKD: create a directory
PWD: print current working directory (shows you which directory you're in)
PASS: send password
PORT: request open port number on specific IP address/port number
QUIT: log off from server
RETR: retrieve file
STOR: send or put file
SYST: identify system type
TYPE: specify type (A for ASCII, I for binary)
USER: send username
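The PORT / PASV exchange described above, as an added example that is not part of the original page: both the client's PORT command and the server's 227 reply carry the address and port as six decimal numbers h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and data_connection() reports which side opens the Data Channel in each mode, which is exactly what a firewall has to be able to allow or correlate. The client port 1086 matches the screenshot; the server addresses are constructed, and the consistency check on the 227 reply is a common client-side safeguard, not something the page describes.

```python
import re

# h1,h2,h3,h4,p1,p2 as sent in "PORT ..." and returned in "227 Entering Passive Mode (...)"
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT command or a 227 reply; port = p1*256 + p2 (RFC 959)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("each of the six numbers must fit in one byte")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Build the six-number form a client puts in its PORT command."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need a dotted IPv4 address and a 16-bit port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def passive_reply_matches(server_ip, reply_227):
    """True when the address in the 227 reply is the control-channel peer we spoke to.
    Clients check this so the data channel only ever goes to the server itself."""
    host, _ = decode_hostport(reply_227)
    return host == server_ip


def data_connection(mode, client_ip, server_ip, control_msg):
    """Describe the Data Channel implied by a control-channel message.
    Returns (who_connects, (src_ip, src_port), (dst_ip, dst_port)); None = ephemeral port."""
    host, port = decode_hostport(control_msg)
    if mode == "active":
        # Client sent "PORT ..."; the SERVER connects inbound from its port 20.
        return ("server", (server_ip, 20), (host, port))
    if mode == "passive":
        # Server replied "227 ..."; the CLIENT connects outbound to the announced port.
        if not passive_reply_matches(server_ip, control_msg):
            raise ValueError("227 reply names %s but the control peer is %s" % (host, server_ip))
        return ("client", (client_ip, None), (host, port))
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # Constructed exchange: workstation 192.168.0.100, server 192.168.0.1 (as in the NetWare screenshot)
    print(data_connection("active", "192.168.0.100", "192.168.0.1", "PORT 192,168,0,100,4,62"))
    print(data_connection("passive", "192.168.0.100", "192.168.0.1",
                          "227 Entering Passive Mode (192,168,0,1,7,209)"))
```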


Trivial File Transport Protocol - TFTP


Introduction

TFTP is a file transport protocol and its name suggests it's something close to the FTP protocol (File Transfer Protocol), which is true .. to a degree. TFTP isn't very popular because it's not really used on the Internet, because of the limitations we'll explore next.

The Protocol

TFTP's main difference from FTP is the transport protocol it uses and the lack of any authentication mechanism. Where FTP uses the robust TCP protocol to establish connections and complete the file transfers, TFTP uses the UDP protocol, which is insecure and has no error checking built into it (unless some type of error checking has been implemented in the program you are using to transfer files). This also explains why you are more likely to find TFTP in a LAN, rather than a WAN (Wide Area Network) or on the Internet.


The major limitations with TFTP are authentication and directory visibility, meaning you don't get to see the files and directories available at the TFTP server. As mentioned, TFTP uses UDP as a transport, as opposed to TCP which FTP uses, and works on port 69, you can clearly see that in the cool 3D diagram on the left. Port 69 is the default port for TFTP, but if you like, you can modify the settings on your TFTP server so it runs on a different port.


You will find some very good TFTP servers and clients in the download section. Now, to make things a bit clearer I have included a screen shot of my workstation tftp'ing into a TFTP server which I have setup in my little network.

You can see my workstation (192.168.0.100) contacting the TFTP server (192.168.0.1) on port 69 (destination port). In this first packet, my workstation is contacting the server and requesting the file I entered before I connected to the server. Click here for the full picture. Because you don't get a listing of the files and directories, you must know which file you want to download! In the response I received (2nd packet) the server gets straight down to business and starts sending the file. No authentication whatsoever! Note: The workstation usually won't send back any acknowledgement (because UDP, which is the transport protocol, by nature never sends acknowledgements), but the software developers can incorporate such a feature by forcing the workstation to send a small packet which the TFTP server is able to pick up as an acknowledgement of the previous data packet it sent to the workstation. In the example I provide, you can see my workstation sending small packets to the server after it receives one packet from it. These small acknowledgements have been added by the software company who created the program I was using for this example. Below is a screen shot of the program I used to TFTP (TFTP Client) to the server:

Notice how I entered the file I wanted to download (server.exe), and selected the name the file will be saved as on my local computer (Local File). If I didn't provide the Remote File name, I would simply get an error popping up at the server side, complaining that no such file exists. You can also send files using TFTP, as it's not just for downloading :) So where is TFTP used? TFTP is used mostly for backing up router configuration files, like Cisco's, and their IOS images. It is also used for diskless-booting PCs where, after the workstation has booted from the network card's ROM, TFTP is used to download the program it needs to load and run from a central server. Below is a diagram which shows what takes place during a TFTP session:

In this diagram we are assuming that there is no error checking built into the software running at both ends (client and server). And that pretty much sums it all up for the TFTP protocol.


Introduction To The Internet Control Message Protocol


Introduction

The Internet Control Message Protocol, or ICMP as we will be calling it, is a very popular protocol and actually part of any Internet Protocol (IP) implementation. Because IP wasn't designed to be absolutely reliable, ICMP came onto the scene to provide feedback on problems in the communication environment. If I said the word 'ping', most people who work with networks would recognise that a 'ping' is part of ICMP, and in case you didn't know that, now you do :) ICMP is one of the most useful protocols for troubleshooting network problems like DNS resolution, routing, connectivity and a lot more. Personally, I use ICMP a lot, but you need to keep its limits in mind because you might end up spending half a day trying to figure out why you're not getting a 'ping reply' ('echo reply' is the correct term) from, for example, www.firewall.cx when, in fact, the site's web server is configured NOT to reply to 'pings' for security reasons!

Cool Note

A few years ago a program was released, which still circulates around the Internet, called Click (I got my hands on version 1.4). Click was designed to run on a Windows platform and work against mIRC users. The program would utilise the different messages available within the ICMP protocol to send special error messages to mIRC users, making the remote user's program think it had lost connectivity with the IRC server, thus disconnecting them from the server! The magic is not what the program can do, but how it does it! This is where a true networking guru will be able to identify and fix any network security weakness.

The Protocol

ICMP is defined in RFC (Request For Comments) 792. Looking at its position in the OSI model we can see that it sits in the Network layer (layer 3) alongside IP. There are no ports used with ICMP; this is because of where the protocol sits in the OSI model. Ports are only used for protocols which work at the Session layer and above:


The ICMP protocol uses different 'messages' to identify the purpose of an ICMP packet, for example, an 'echo' (ping) is one type of ICMP message. I am going to break down the different message descriptions as they have been defined by the RFC792. There is a lot of information to cover in ICMP so I have broken it down to multiple pages rather than sticking everything into one huge page that would bore you!


Also, I haven't included all the messages which ICMP supports, rather I selected a few of the more common ones that you're likely to come across. You can always refer to the RFC792 to get the details on all messages. We will start with a visual example of where the ICMP header and information are put in a packet, to help you understand better what we are dealing with :)

The structure is pretty simple, not a lot involved, but the contents of the ICMP header will change depending on the message it contains. For example, the header information for an 'echo' (ping) message (this is the correct term) is different to that of a 'destination unreachable' message, also a function of ICMP. NOTE: If you were to run a packet sniffer on your LAN and catch a "ping" packet to see what it looks like, you would get more than I am showing here. There will be an extra header, the datalink header, which is not shown here because that header will change (or more likely be removed) as the packet moves from your LAN to the Internet, but the 2 headers you see in this picture will certainly remain the same until they reach their destination. So, that now leaves us to analyse a few of the selected ICMP messages ! The table below shows all the ICMP messages the protocol supports. The messages that are in the green colour are the ones covered. Please click on the ICMP message you wish to read about:


ICMP - Echo / Echo Reply (Ping) Message


Introduction

As mentioned on the previous page, an Echo is simply what most people call a 'ping'. The Echo Reply is the 'ping reply'. ICMP Echos are used mostly for troubleshooting. When there are 2 hosts which have communication problems, a few simple ICMP Echo requests will show if the 2 hosts have their TCP/IP stacks configured correctly and if there are any problems with the routes packets are taking in order to get to the other side. The 'ping' command is very well known, but its results are very often misunderstood, and for that reason I have chosen to explain all those other parameters next to the ping reply, but we will have a look at that later on. Let's have a look at what an ICMP Echo or Echo Reply packet looks like:


If the above packet was an ICMP Echo (ping), then the Type field takes a value of 8. If it's an ICMP Echo Reply (ping reply) then it would take a value of 1. The picture below is a screen shot I took when doing a simple ping from my workstation:


Okay, now looking at the screen shot above, you can see I 'pinged' www.firewall.cx. The first thing my workstation did was to resolve that URL to an IP address. This was done using DNS. Once the DNS server returned the IP address of www.firewall.cx, the workstation generated an ICMP packet with the Type field set to 8. Here is the proof:


The picture above is a screenshot from my packet sniffer taken at the same time this experiment was taking place. The packet displayed is one of the 4 packets which were sent from my workstation to the web server of firewall.cx. Notice the ICMP type = 8 Echo field right under the ICMP Header section. This clearly shows that this packet is being sent from the workstation and not received. If it was received, it would have been an 'Echo Reply' and have a value of 1. The next weird thing, if anyone noticed, is the data field. Look at the screen shot from the command prompt above and notice the value there and the value the packet sniffer is showing on the left. One says 32 bytes, and the other 40 bytes! The reason for this is that the packet sniffer is taking into account the ICMP header fields (ICMP type, code, checksum, identifier and sequence number), and I'll prove it to you right now. Look at the top of this page where we analysed the ICMP headers (the 3D picture); you will notice that the lengths (in bits) of the various fields are as follows: 8, 8, 16, 16, 16. These add up to a total of 64 bits. Now 8 bits = 1 byte, therefore 64 bits = 8 bytes. Take the 32 bytes of data the workstation's command prompt is showing and add 8 bytes .... and you have 40 bytes in total.


ICMP - Destination Unreachable Message


Introduction

This ICMP message is quite interesting, because it doesn't actually contain one message, but six! This means that the ICMP Destination Unreachable message further breaks down into 6 different messages. We will be looking at them all and analysing a few of them to help you get the idea.

To make sure you don't get confused, keep one thing in mind: the ICMP Destination Unreachable is a generic ICMP message, and the different code values or messages which are part of it are there to clarify which type of "Destination unreachable" message was received. It goes something like this: ICMP Destination <Code value or message> unreachable. The ICMP - Destination net unreachable message is one which a user would usually get from the gateway when it doesn't know how to get to a particular network. The ICMP - Destination host unreachable message is one which a user would usually get from the remote gateway when the destination host is unreachable. If, in the destination host, the IP module cannot deliver the packet because the indicated protocol module or process port is not active, the destination host may send an ICMP destination protocol / port unreachable message to the source host. In another case, when a received packet must be fragmented to be forwarded by a gateway but the "Don't Fragment" flag (DF) is set, the gateway must discard the packet and send an ICMP destination fragmentation needed and DF set unreachable message to the source host. These ICMP messages are most useful when trying to troubleshoot a network. You can check to see if all routers and gateways are configured properly and have their routing tables updated and synchronised.


Let's look at the packet structure of an ICMP destination unreachable packet:

Please read on, as the following example will help you understand all the above.

The Analysis

When you open a DOS command prompt and type "ping 200.200.200.200", assuming that your workstation is NOT part of that network, it will forward the ICMP Echo request to the gateway that's configured in your TCP/IP properties. At that point, the gateway should be able to figure out where to forward the ICMP Echo request. The gateway usually has a "default route" entry; this entry is used when the gateway doesn't know where the network is. Now, if the gateway has no "default route", you would get an "ICMP Destination net unreachable" message when you try to get to a network which the gateway doesn't know about. When you're connected to the Internet via a modem, then your default gateway is the modem. In order to demonstrate this, I set up my network in a way that should make it easy for you to see how everything works. I have provided a lot of pictures hoping to make it as easy as possible to understand. I will analyse why and how you get an "ICMP - Destination net unreachable" message.

In the example above, I've set up my workstation to use the Linux server as a default gateway, which has an IP of 192.168.0.5. The Linux server also has a default gateway entry and this is IP 192.168.0.1 (the Windows 2000 Server). When my workstation attempts to ping (send an ICMP Echo request to) IP 200.200.200.200, it realises it's on a different network, so it sends it to the Linux server, which in turn forwards it to its default gateway (the Win2k server) so it can then be forwarded to the Internet, and eventually I should get a ping reply (ICMP Echo reply) if the host exists and has no firewall blocking ICMP echo requests. Here is the packet which I captured:

When looking at the decoded section (picture above) you can see in the ICMP header section that the ICMP Type is equal to 8, so this confirms that it's an ICMP Echo (ping). As mentioned earlier, we would expect to receive an ICMP echo reply. Check out though what happens when I remove the default gateway entry from the Linux server:

Now what I did was to remove the default gateway entry from the Linux server. So when it gets a packet from my workstation, it wouldn't know what to do with it. This is how you get the gateway to generate an "ICMP Destination net unreachable" message and send it back to the source host (my workstation).

Here is a screen shot from the command prompt:

As you can see, the Linux server has returned an "ICMP Destination net unreachable". This is one of the six possible 'ICMP Destination Unreachable' messages as listed at the beginning of this page. The Linux server doesn't know what to do with the packet since it has no way of getting to the 200.200.200.0 network, so it sends the "ICMP Destination net unreachable" message to my workstation, notifying it that it doesn't know how to get to that network. Let's now take a look at what the packet sniffer caught:

The decoder on the left shows that the Linux server (192.168.0.5) sent back to my workstation (192.168.0.100) an ICMP Destination unreachable message (look at the ICMP type field, right under the ICMP header) but if you also check out the ICMP Code (highlighted field), it's equal to 0, which means "net unreachable". Scrolling right at the top of this page, the first table clearly shows that when the code field has a value of 0, this is indeed a "net unreachable" message. It is also worth noticing the "Returned IP header" which exists within the ICMP header. This is the IP header of the packet my workstation sent to the Linux server when it attempted to ping 200.200.200.200, and following that is 64 bits (8 bytes) of the original data.

ICMP - Source Quench Message


Introduction

The ICMP - Source quench message is one that can be generated by either a gateway or a host. You won't see any such message pop up on your workstation screen unless you're working on a gateway which will output to the screen all ICMP messages it gets. In short, an ICMP - Source quench is generated by a gateway or the destination host and tells the sending end to ease up because it cannot keep up with the speed at which it's receiving the data.

Analysis

Now let's get a bit more technical: A gateway may discard internet datagrams (or packets) if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. If a gateway discards a datagram, it may send an ICMP - Source quench message to the internet source host of the datagram. Let's have a look at the packet structure of the ICMP - Source quench message:

A destination host may also send an ICMP - Source quench message if datagrams arrive too fast to be processed. The ICMP - Source quench message is a request to the host to cut back the rate at which it is sending traffic to the internet destination. The gateway may send an ICMP - Source quench for every message that it discards.

On receipt of an ICMP - Source quench message, the source host should cut back the rate at which it is sending traffic to the specified destination until it no longer receives ICMP - Source quench messages from the gateway. The source host can then gradually increase the rate at which it sends traffic to the destination until it again receives ICMP - Source quench messages. The gateway or host may also send the ICMP - Source quench message when it approaches its capacity limit rather than waiting until the capacity is exceeded. This means that the datagram which triggered the ICMP - Source quench message may still be delivered.

ICMP - Redirect Message


Introduction

The ICMP - Redirect message is always sent from a gateway to the host and the example below will illustrate when this is used. Putting it simply (before we have a look at the example), the ICMP - Redirect message occurs when a host sends a datagram (or packet) to its gateway (the destination of this datagram is a different network), which in turn forwards the same datagram to the next gateway (next hop), and this second gateway is on the same network as the host. The second gateway will generate this ICMP message and send it to the host from which the datagram originated. There are 4 different ICMP - Redirect message types and these are:

The format of this ICMP message is as follows: ICMP - Redirect (0, 1, 2, 3 or 4) message. Our example:

The gateway (Win2k Server) sends a redirect message (arrow No. 3) to the host in the following situation: Gateway 1 (the Linux server) receives an Internet datagram (arrow No. 1) from a host on the same network. The gateway checks its routing table, obtains the address of the next gateway (hop) on the route to the datagram's Internet destination network and sends the datagram to it (arrow No. 2). Now, gateway 2 receives the datagram and, if the host identified by the Internet source address of the datagram (in other words, it checks the source IP of the datagram, which will still be 192.168.0.100) is on the same network, a redirect message (arrow No. 3) is sent to the host. The redirect message advises the host to send its traffic for the Internet network directly to gateway 2, as this is a shorter path to the destination. The gateway then forwards the original datagram's data (arrow No. 1) to its Internet destination (arrow No. 4). For datagrams (or packets) with the IP source options and the gateway address in the destination address field, a redirect message is not sent even if there is a better route to the ultimate destination than the next address in the source route.

Analysis

Let's have a look at the structure of an ICMP - Redirect message:

ICMP - Time Exceeded Message


Introduction

The ICMP - Time exceeded message is one which is usually created by gateways or routers. In order to fully understand this ICMP message, you must be familiar with the IP header within a packet. If you like you can go to the Download - Documents section and grab a copy of the TCP/IP in an Ethernet II Frame file which breaks down the IP header nicely. When looking at an IP header, you will see the TTL and Fragment Flag fields which play a big part in how this ICMP message works. Please make sure you check them out before attempting to continue! The ICMP - Time exceeded message is generated when the gateway processing the datagram (or packet, depending on how you look at it) finds that the Time To Live field (this field is in the IP header of all packets) is equal to zero, in which case the datagram must be discarded. The same gateway may also notify the source host via the time exceeded message. The term 'fragment' means to 'cut to pieces'. When the data is too large to fit into one packet, it is cut into smaller pieces and sent to the destination. On the other end, the destination host will receive the fragmented pieces and put them back together to create the original large data packet which was fragmented at the source.

Analysis

Let's have a look at the structure of an ICMP - Time exceeded message:

If a host reassembling a fragmented datagram (or packet) cannot complete the reassembly within its time limit due to missing fragments, it discards the datagram and may send an ICMP - Time exceeded message. If fragment zero is not available, then no ICMP - Time exceeded message needs to be sent at all. Code 0 may be received from a gateway and Code 1 from a host. So, summing it up, an ICMP - Time exceeded message can be generated because the Time to live field in the IP header has reached a value of zero (0), or because a host reassembling a fragmented datagram cannot complete the reassembly within its time limit because there are missing fragments (fragment reassembly time exceeded the allocated time).

IPSec - Internet Protocol Security


Introduction

IPSec is one of the new buzz words these days in the networking security area. It's becoming very popular and also a standard in most operating systems. Windows 2000 fully supports IPSec and that's most probably where you are likely to find it. Routers these days also support IPSec to establish secure links and to ensure that no-one can view or read the data they are exchanging. When the original IP (Internet Protocol) specification was created, it didn't really include much of a security mechanism to protect it from potential hackers. There were 2 reasons they didn't give IP some kind of security. The first was because back then (we are talking around 30 years ago) most people thought that users and administrators would continue to behave fairly well and not make any serious attempts to compromise other people's traffic. The second reason was because the cryptographic technology needed to provide adequate security simply wasn't widely available and in most cases not even known about!

How IPSec works

The Internet Security Agreement/Key Management Protocol and Oakley (ISAKMP)

ISAKMP provides a way for two computers to agree on security settings and exchange a security key that they can use to communicate securely. A Security Association (SA) provides all the information needed for two computers to communicate securely. The SA contains a policy agreement that controls which algorithms and key lengths the two machines will use, plus the actual security keys used to securely exchange information. There are two steps in this process. First, the two computers must agree on the following three things:
1) The encryption algorithm to be used (DES, triple DES)
2) Which algorithm they'll use for verifying message integrity (MD5 or SHA-1)
3) How connections will be authenticated: using a public-key certificate, a shared secret key or Kerberos.
Once all that has been sorted out, they start another round of negotiations which covers the following:
1) Whether the Authentication Header (AH) protocol will be used
2) Whether the Encapsulating Security Payload (ESP) protocol will be used
3) Which encryption algorithm will be used for ESP
4) Which authentication protocol will be used for AH

IPSec has 2 mechanisms which work together to give you the end result, which is a secure way to send data over public networks. Keep in mind that you can use both of these mechanisms together or just one of them. These mechanisms are:
1) Authentication Header
2) Encapsulating Security Payload - ESP

The Authentication Header (AH) Mechanism

The Authentication Header information is added into the packet which is generated by the sender, right between the Network (Layer 3) and Transport (Layer 4) layers (see picture below). Authentication protects your network, and the data it carries, from tampering. Tampering might be a hacker sitting between the client and server, altering the contents of the packets sent between them, or someone trying to impersonate either the client or the server, thus fooling the other side and gaining access to sensitive data. To overcome this problem, IPSec uses an Authentication Header (AH) to digitally sign the entire contents of each packet. This signature provides 3 benefits:
1) Protection against replay attacks. If an attacker can capture packets, save them and modify them, and then send them to the destination, then they can impersonate a machine when that machine is not on the network. This is what we call a replay attack. IPSec will prevent this from happening by including the sender's signature on all packets.
2) Protection against tampering. The signatures added to each packet by IPSec mean that you can't alter any part of a packet undetected.
3) Protection against spoofing. Each end of a connection (e.g. client-server) verifies the other's identity with the authentication headers used by IPSec.
The AH is computed on the entire packet, including the payload (upper layers - 4, 5, 6, 7) and the headers of each layer. The following picture shows us a packet using AH:

On the left you are seeing the analysis of the Authentication Header.

AH Algorithms

For point-to-point communication (e.g. client to server), suitable authentication algorithms include keyed Message Authentication Codes (MACs) based on symmetric encryption algorithms (e.g. DES) or on one-way hash functions (e.g. MD5 or SHA-1). For multicast communication (e.g. between a group of routers), one-way hash algorithms combined with asymmetric signature algorithms are usually used, but they are also more CPU intensive.
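As an added example (not code from the tutorial or from any IPSec implementation), the following Python sketch shows what the keyed MAC in AH buys you: the sender computes an HMAC-SHA1-96 over the packet with the mutable IP header fields zeroed, as AH does, and the receiver verifies it with the shared key and rejects repeated sequence numbers. The IP header, key and SPI values are constructed for the example, and the anti-replay check is simplified to "strictly increasing" rather than the sliding window a real implementation keeps.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # IP protocol number placed in the IP header when an AH follows it
ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404): the first 96 bits of the HMAC-SHA1 output
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Fields that routers legitimately change in transit (TOS, flags/fragment
    offset, TTL, header checksum) count as zero when the MAC is computed, so the
    signature survives forwarding but still covers addresses and payload."""
    h = bytearray(ip_header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """Keyed MAC over the whole packet; AH's own ICV field is taken as zeros."""
    covered = zero_mutable_fields(ip_header) + ah_fields + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, ip_header: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Transport mode: IP header, then AH, then the original transport payload."""
    hdr = bytearray(ip_header)
    next_header = hdr[9]                  # original upper-layer protocol moves into AH
    hdr[9] = AH_PROTOCOL
    hdr[2:4] = struct.pack("!H", len(hdr) + AH_FIXED_LEN + ICV_LEN + len(payload))
    hdr = bytes(hdr)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_fields = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return hdr + ah_fields + ah_icv(key, hdr, ah_fields, payload) + payload


class AhReceiver:
    """Verifies the ICV with the shared key and rejects replayed sequence numbers.
    Simplification: only strictly increasing sequence numbers are accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, packet: bytes):
        ip_header = packet[:20]   # assumes an IP header without options
        if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or ip_header[9] != AH_PROTOCOL:
            return False, "no AH header"
        ah_fields = packet[20:20 + AH_FIXED_LEN]
        _next_header, _, _, _spi, seq = struct.unpack("!BBHII", ah_fields)
        icv = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
        payload = packet[20 + AH_FIXED_LEN + ICV_LEN:]
        if seq <= self.last_seq:
            return False, "replayed sequence number"
        if not hmac.compare_digest(icv, ah_icv(self.key, ip_header, ah_fields, payload)):
            return False, "integrity check failed"
        self.last_seq = seq        # only advance once the ICV has been verified
        return True, "ok"


def sample_ip_header(payload: bytes) -> bytes:
    """Constructed IPv4 header: 192.168.0.100 -> 192.168.0.1, protocol 6 (TCP), DF set."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x4242, 0x4000,
                       64, 6, 0, bytes([192, 168, 0, 100]), bytes([192, 168, 0, 1]))


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    data = b"transport data"
    packet = build_ah_packet(key, sample_ip_header(data), 0x100, 1, data)
    receiver = AhReceiver(key)
    print(receiver.receive(packet))          # accepted
    print(receiver.receive(packet))          # same sequence number again: replay
```

Decrementing the TTL in transit does not break the ICV because that field is zeroed on both sides, while flipping a single payload byte or using a different key does; that is the tampering and spoofing protection described in the three benefits above, with the sequence number supplying the replay protection.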

The Encapsulating Security Payload - ESP

The Authentication Header (AH) we spoke about will protect your data from tampering, but it will not stop people from seeing it. For that, IPSec uses encryption, which is provided by the Encapsulating Security Payload (ESP). ESP is used to encrypt the entire payload of an IPSec packet (the payload is the portion of the packet which contains the upper layer data). ESP is a bit more complex than AH because on its own it can provide authentication, replay-proofing and integrity checking. It accomplishes this by adding 3 separate components:
1) An ESP header
2) An ESP trailer and
3) An ESP authentication block.
Each of these components contains some of the data needed to provide the necessary authentication and integrity checking. To prevent tampering, an ESP client has to sign the ESP header, application data and ESP trailer as one unit; ESP of course also encrypts the application data and the ESP trailer to provide confidentiality. The combination of this overlapping signature and encryption operation provides good security. Let's have a look at a packet using IPSec - ESP:

Introduction To The Internet Protocol


Introduction

Perhaps one of the most important and well known protocols is the Internet Protocol or, if you like, IP. IP gives us the ability to uniquely identify each computer in a network or on the Internet. When a computer is connected to a network or the Internet, it is assigned a unique IP address. If you're connecting to the Internet, chances are you're given an IP automatically by your ISP; if you're connecting to your LAN then you're either given the IP automatically or you manually configure the workstation with an assigned IP. I can't over-emphasise the importance of fully understanding IP if you really want to understand how network communications work, especially when it comes to an IP network, like the Internet. DNS, FTP, SNMP, SMTP, HTTP and a lot of other protocols and services rely heavily on the IP protocol in order to function correctly, so you can immediately see that IP is more than just an IP Address on your workstation.

Now, because IP is a HUGE subject and it's impossible to cover in one or two pages, I decided to split it into a few different sections in order to make it easy to read and learn about. Here is a summary of what's covered:
Section 1: Binary and the Internet Protocol. Here we cover a few basic Binary concepts and get to see how Binary and IP fit together.
Section 2: Internet Protocol Header. Find out how the Internet Protocol fits in the OSI Model. Also includes a detailed 3D diagram of the IP Header which shows the fields that exist in the IP Header.
Section 3: Internet Protocol Classes. We get to see the 5 different IP Classes and analyse them in Binary. You also get to learn about the Network ID and Host ID in an IP Address.
Section 4: Subnetting. One of the most important things you should know. Detailed explanation of how subnetting works. Includes simple to complicated examples. You should be comfortable with the first 3 sections in order to understand this section. For more information, please see the Subnetting Introduction page.

So, what are you waiting for? Let's discover and learn all about one of the most important protocols in the networking world!

Binary & The Internet Protocol


Introduction

To understand the Internet Protocol, we need to learn and understand Binary. It is very important to know and understand Binary because part of the IP protocol is also the "Subnetting" section, which can only be explained and understood when an IP Address is converted to Binary! Those who are experienced in Binary can skim this section quickly, but do have a look through. A lot of people are not aware that computers do not understand words, pictures and sounds when we interact with them by playing a game, reading or drawing something on the screen. The truth is that all computers can understand is zeros (0) and ones (1)! What we see on the screen is just an interpretation of what the computer understands, so the information displayed is useful and meaningful to us.

Binary: Bits and Bytes

Everyone who uses the Internet would have, at one stage or another, come across the term "Byte" or "Bit", usually when you're downloading and you get the speed indication in bytes or KBytes per second. We are going to see exactly what a Bit, Byte and KByte is, so you understand the terms. To put it as simply as possible, a Bit is the smallest unit/value of Binary notation. The same way we say 1 cent is the smallest amount of money you can have, a Bit is the same thing, but not in cents or dollars: in Binary. A Bit can have only one value, either a one (1) or a zero (0). So if I gave you a value of zero: 0, then you would say that is one Bit. If I gave you two of them: 00, you would say that's two Bits. Now, if you had 8 zeros or ones together: 0110 1010 (I put a space in between to make it easier for the eyes) you would say that's 8 Bits or, one Byte! Yes that is correct, 8 Bits are equal to one Byte. The picture below gives you some examples:

It's like saying, if you have 100 cents, that is equal to one Dollar. In the same way, 8 Bits (it doesn't matter if they are all 1s or 0s or a mixture of the two) equal one Byte. And to sum this all up, 1024 Bytes equal 1 KByte (Kilobyte). Why 1024 and not 1000? Well, it's because of the way Binary works: 1024 is a power of two (2^10). If you did the maths, you would find the above correct. So what's Binary got to do with IP? Well, just as I explained in the introduction, computers display the zeros and ones in a way that makes the information useful to us. The Internet Protocol works a bit like this as well, where 98% of the time we see it in decimal notation, but the computer understands it in binary. The picture below gives you an example of how a computer understands an IP Address:

The above example shows an IP address in decimal notation, which we understand more easily. This IP Address - 192.168.0.1 - is then converted to Binary, which is what the computer understands, and you can see how big the number gets! It's easier for us to remember 4 different numbers than 32 zeros or ones! Now, keeping in mind what we said earlier about Bits and Bytes, have you ever heard or read people saying that an IP Address is a 32 Bit address? It is, and you can now see why:

So to sum up all the above, we now know what Binary notation is, what a Bit, Byte and KByte is and how Binary relates to an IP Address, which is usually represented in its Decimal notation.

Understanding the conversion between Decimal and Binary

Now we're going to look at how the conversion works between Decimal and Binary. This is an important step, because you'll probably find yourself in need of such a conversion when dealing with complex subnets. The conversion is not that hard once you grasp the concept. The picture below shows an IP Address that we are going to convert to Binary. Keep in mind that the method I'm going to show you is the same for all conversions. We are now going to convert the first octet in the IP Address 192.168.0.1 (Decimal) to Binary; in other words, we take the "192" and convert it to Binary, and we are not going to have to do any difficult calculations, just simple additions:

If you have read and understood the first section of this page, you should know that we need 8 bits to create one octet or, if you like, the number 192. Each bit takes a certain value which never changes; this value is shown in purple, right above the bit. We then select the bits we need in such a way that the sum of all selected bits gives us the decimal number we need. If you wanted to explain the conversion in mathematical terms, you would say that each bit is a power of 2 (2^n): for example, bit 8 is actually 2^7 = 128 in decimal, bit 7 is 2^6 = 64 in decimal, bit 6 is 2^5 = 32 in decimal, bit 5 is 2^4 = 16 in decimal, bit 4 is 2^3 = 8 in decimal, bit 3 is 2^2 = 4 in decimal, bit 2 is 2^1 = 2 in decimal, bit 1 is 2^0 = 1 in decimal. Note: When calculating the decimal value of an octet (192 in the example above), the bit numbers do NOT represent the power of two we must use in order to get the decimal value. This means that Bit 1 does NOT translate to 2^1; its value is 2^0 = 1 in decimal. In our example, we used 192. As you saw, we needed bits 8 and 7 and this gave us the Binary number 11000000, which is 192 in Decimal. You must remember that the values of each bit never change! For example, bit 8 always has a decimal value of 128, whereas bit 1 always takes the value of 1. Using this method, you will find it easy to convert Decimal to Binary without the need for complex mathematical calculations. So let's have a look at the next octet, which is the decimal number 168:

Here again you can see that we needed to choose bits 8, 6 and 4 (in other words, put a "1" in the bit's position) in order to get a decimal value of 168. So the Binary value 10101000 is equal to the decimal value 168. Let's now look at all 4 octets of our IP Address, in Binary:

No matter which way you convert, from Decimal to Binary or Binary to Decimal, the same method is used, so if you understood the above you should be able to convert any Binary or Decimal number either way. That just about does it for this section; you're now ready for the next section!
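The bit-selection method just described, as an added Python example (not code from the tutorial): each bit keeps its fixed value from 128 down to 1, a bit is selected when its value still fits into what remains of the number, and the reverse direction is just the sum of the selected values. The conversion table function reproduces the purple-values picture in text form.

```python
BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # bit 8 .. bit 1, i.e. 2^7 .. 2^0


def octet_to_binary(value: int) -> str:
    """Decimal to binary the way the text does it: walk from bit 8 (128) down to
    bit 1 (1) and 'select' a bit whenever its fixed value still fits into what is
    left of the number. Only subtractions are needed."""
    if not 0 <= value <= 255:
        raise ValueError("an octet must be between 0 and 255")
    bits = []
    remaining = value
    for weight in BIT_VALUES:
        if weight <= remaining:
            bits.append("1")
            remaining -= weight
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_octet(bits: str) -> int:
    """Binary to decimal: add up the fixed values of the selected bits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 8 binary digits")
    return sum(weight for weight, bit in zip(BIT_VALUES, bits) if bit == "1")


def selected_bits(value: int) -> list:
    """Bit numbers (8 down to 1) that are set, matching 'we needed bits 8 and 7'."""
    return [8 - i for i, bit in enumerate(octet_to_binary(value)) if bit == "1"]


def conversion_table(value: int) -> str:
    """Text version of the picture: bit number, its fixed value, and whether it
    was selected for this octet."""
    binary = octet_to_binary(value)
    lines = ["bit  value  selected"]
    for i, (weight, bit) in enumerate(zip(BIT_VALUES, binary)):
        lines.append("%3d  %5d  %s" % (8 - i, weight, bit))
    lines.append("sum of selected values = %d" % value)
    return "\n".join(lines)


def ip_to_binary(ip: str) -> str:
    """Dotted decimal to the 32-bit form the computer works with, octet by octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4:
        raise ValueError("an IP address has exactly 4 octets")
    return ".".join(octet_to_binary(o) for o in octets)


def binary_to_ip(bits: str) -> str:
    return ".".join(str(binary_to_octet(group)) for group in bits.split("."))


if __name__ == "__main__":
    print(conversion_table(192))
    print(conversion_table(168))
    print(ip_to_binary("192.168.0.1"))
```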

The Internet Protocol (IP) Header


Introduction

Just like every other protocol, the Internet Protocol has a place in the OSI Model. Because it's such an important protocol and other protocols depend upon it, it needs to be placed before them, which is why you will find it in Layer 3 of the OSI model:

When a computer receives a packet from the network, the computer will firstly check the destination MAC address of the packet at the Datalink layer (2) and, if it passes, it's then passed on to the Network layer. At the Network layer it will check the packet to see if the destination IP Address matches the computer's IP Address (if the packet is a broadcast, it will pass the network layer anyway). From there, the packet is processed as required by the upper layers.

On the other hand, if the computer is generating a packet to send to the network then, as the packet travels down the OSI model and reaches the Network layer, the destination and source IP Address of this packet are added in the IP Header.

The IP Header

Now we are going to analyse the Internet Protocol header, so you can see the fields it has and where they are placed. In here you will find the destination and source IP Address fields, which are essential to every packet using the protocol.

It's worth noting that the 9th field, which is the "Protocol" field, contains some important information that the computer uses to find out where it must pass the datagram once it strips off the IP header. If you remember, TCP and UDP exist on layer 4 of the OSI Model, which is the transport layer. When data arrives at a computer and the packet is processed by each layer, each layer needs to know which protocol above it to pass the data to. This Protocol field tells the computer to give the remaining data to either the TCP or the UDP protocol, which are directly above it. Also, the Destination IP Address is another important field, which contains the IP Address of the destination machine. The next section talks about the 5 different classes of IP Address.
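An added Python example (not from the tutorial) that decodes the IP header fields discussed here, verifies the Header Checksum and makes the Network-layer decision described above: accept the packet when it is addressed to us or is a broadcast, then hand the remaining data to the module named by the Protocol field. The sample packets are constructed inline; the addresses reuse the 192.168.0.x network from the earlier ICMP captures.

```python
import struct

# Values of the 9th field, Protocol: which module above IP receives the payload
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte header (plus options, if IHL says there are any)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum 20-byte IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 header (version %d)" % version)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length %d" % ihl)
    # The Header Checksum covers the header only; a correct header sums to zero.
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "src": dotted(src),
        "dst": dotted(dst),
        "options": packet[20:ihl],
        "payload": packet[ihl:total_len],
    }


def deliver_locally(packet: bytes, my_ip: str):
    """The Network-layer decision from the text: accept the packet if it is for us
    or for the broadcast address, then pass the remaining data to the module the
    Protocol field names. Returns None when the packet is not for this host."""
    hdr = parse_ipv4_header(packet)
    if hdr["dst"] not in (my_ip, "255.255.255.255"):
        return None
    return hdr["protocol_name"], hdr["payload"]


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes,
                      ttl: int = 64, dont_fragment: bool = True, ident: int = 1) -> bytes:
    """Constructed sample packet with a correct header checksum and no options."""
    flags_frag = 0x4000 if dont_fragment else 0
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = internet_checksum(hdr)      # fill in the Header Checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


if __name__ == "__main__":
    pkt = build_ipv4_packet("192.168.0.100", "192.168.0.1", 17, b"constructed UDP data")
    print(parse_ipv4_header(pkt))
    print(deliver_locally(pkt, "192.168.0.1"))
```

Note that a router which decrements the TTL must recompute the Header Checksum; a header forwarded with a stale checksum fails the check and is discarded, which is the case the last assertion exercises.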

Internet Protocol Classes - Network & Host ID


Introduction

Every protocol suite defines some type of addressing that identifies computers and networks. IP Addresses are no exception to this "rule". There are certain values that an IP Address can take and these have been defined by the IEEE committee (as most things). A simple IP Address is a lot more than just a number. It tells us the network that the workstation is part of and the node ID. If you don't understand what I am talking about, don't let it worry you too much because we are going to analyse everything here :)

IP Address Classes and Structure

When the IEEE committee sat down to sort out the range of numbers that were going to be used by all computers, they came out with 5 different ranges or, as we call them, "Classes" of IP Addresses, and when someone applies for IP Addresses they are given a certain range within a specific "Class" depending on the size of their network. To keep things as simple as possible, let's first have a look at the 5 different Classes:

In the above table, you can see the 5 Classes. Our first Class is A and our last is E. The first 3 classes (A, B and C) are used to identify workstations, routers, switches and other devices, whereas the last 2 Classes (D and E) are reserved for special use. As you would already know, an IP Address consists of 32 Bits, which means it's 4 bytes long. The first octet (first 8 Bits or first byte) of an IP Address is enough for us to determine the Class to which it belongs. And, depending on the Class to which the IP Address belongs, we can determine which portion of the IP Address is the Network ID and which is the Node ID. For example, if I told you that the first octet of an IP Address is "168" then, using the above table, you would notice that it falls within the 128-191 range, which makes it a Class B IP Address.

Understanding the Classes

We are now going to have a closer look at the 5 Classes. If you remember, earlier I mentioned that companies are assigned different IP ranges within these classes, depending on the size of their network. For instance, if a company required 1000 IP Addresses it would probably be assigned a range that falls within a Class B network rather than a Class A or C. The Class A IP Addresses were designed for large networks, Class B for medium size networks and Class C for smaller networks.

Introducing Network ID and Node ID concepts

We need to understand the Network ID and Node ID concept because it will help us to fully understand why Classes exist. Putting it as simply as possible, an IP Address gives us 2 pieces of valuable information:
1) It tells us which network the device is part of (Network ID).
2) It identifies that unique device within the network (Node ID).
Think of the Network ID as the suburb you live in and the Node ID as your street in that suburb. You can tell exactly where someone is if you have their suburb and street name. In the same way, the Network ID tells us which network a particular computer belongs to and the Node ID identifies that computer from all the rest that reside in the same network. The picture below gives you a small example to help you understand the concept:

Explanation: In the above picture, you can see a small network. We have assigned a Class C IP Range for this network. Remember that Class C IP Addresses are for small networks. Looking now at Host A, you will see that its IP Address is 192.168.0.2. The Network ID portion of this IP Address is in blue, while the Host ID is in orange. I suppose the next question someone would ask is: How do I figure out which portion of the IP Address is the Network ID and which is the Host ID? That's what we are going to answer next.

The Network and Node ID of each Class

The network Class helps us determine how the 4 byte, or 32 Bit, IP Address is divided between network and node portions. The table below shows you (in binary) how the Network ID and Node ID change depending on the Class:

Explanation: The table above might seem confusing at first but it's actually very simple. We will take Class A as an example and analyse it so you can understand exactly what is happening here: Any Class A network has a total of 7 bits for the Network ID (bit 8 is always set to 0) and 24 bits for the Host ID. Now all we need to do is calculate how much 7 bits is: 2 to the power of 7 = 128 Networks, and for the hosts: 2 to the power of 24 = 16,777,216 hosts in each Network, of which 2 cannot be used because one is the Network Address and the other is the Network Broadcast address (see the table towards the end of this page). This is why when we calculate the "valid" hosts in a network we always subtract "2". So if I asked you how many "valid" hosts you can have on a Class A Network, you should answer 16,777,214 and NOT 16,777,216. Below you can see all this in one picture:

The same story applies for the other 2 Classes we use, that's Class B and Class C; the only difference is that the number of networks and hosts changes because the bits assigned to them are different for each class. Class B networks have 14 bits for the Network ID (Bits 15, 16 are set and can't be changed) and 16 bits for the Host ID, which means you can have up to '2 to the power of 14' = 16,384 Networks and '2 to the power of 16' = 65,536 Hosts in each Network, of which 2 cannot be used because one is the Network Address and the other is the Network Broadcast address (see the table towards the end of this page). So if I asked you how many "valid" hosts you can have on a Class B Network, you should answer 65,534 and NOT 65,536.

Class C networks have 21 bits for the Network ID (Bits 22, 23, 24 are set and can't be changed) and 8 bits for the Host ID, which means you can have up to '2 to the power of 21' = 2,097,152 Networks and '2 to the power of 8' = 256 Hosts in each Network, of which 2 cannot be used because one is the Network Address and the other is the Network Broadcast address (see the table towards the end of this page). So if I asked you how many "valid" hosts you can have on a Class C Network, you should answer 254 and NOT 256. Now, even though we have 3 Classes of IP Addresses that we can use, there are some IP Addresses that have been reserved for special use. This doesn't mean you can't assign them to a workstation, but if you did, it would create serious problems within your network. For this reason it's best that you avoid using these IP Addresses. The following table shows the IP Addresses that you should avoid using:

IP Address: Network 0.0.0.0
Function: Refers to the default route. This route is to simplify routing tables used by IP.

IP Address: Network 127.0.0.0
Function: Reserved for Loopback. The Address 127.0.0.1 is often used to refer to the local host. Using this Address, applications can address a local host as if it were a remote host.

IP Address: IP Address with all host bits set to "0" (Network Address), e.g. 192.168.0.0
Function: Refers to the actual network itself. For example, network 192.168.0.0 can be used to identify network 192.168. This type of notation is often used within routing tables.

IP Address: IP Address with all node bits set to "1" (Subnet / Network Broadcast), e.g. 192.168.255.255
Function: IP Addresses with all node bits set to "1" are local network broadcast addresses and must NOT be used. Some examples: 125.255.255.255 (Class A), 190.30.255.255 (Class B), 203.31.218.255 (Class C). See "Multicasts" & "Broadcasts" for more info.

IP Address: IP Address with all bits set to "1" (Network Broadcast), e.g. 255.255.255.255
Function: The IP Address with all bits set to "1" is a broadcast address and must NOT be used. These are destined for all nodes on a network, no matter what IP Address they might have.

Now make sure you keep to the above guidelines because you're going to bump into a lot of problems if you don't!

IMPORTANT NOTE: It is imperative that every network, regardless of Class and size, has a Network Address (first IP Address, e.g. 192.168.0.0 for a Class C network) and a Broadcast Address (last IP Address, e.g. 192.168.0.255 for a Class C network), as mentioned in the table and explanation diagrams above, which cannot be used. So when calculating available IP Addresses in a network, always remember to subtract 2 from the number of IP Addresses within that network. That pretty much covers this section. Next is the Subnetting section, and before you proceed, make sure you're comfortable with the new concepts and material we have covered, otherwise subnetting will be very hard to understand.

Introduction To Subnetting
Introduction So you have made it this far hey ? Well you are in for an AWESOME ride. Subnetting is one of my favorite subjects. It can be as simple as 1,2,3 or as complex as trying to get free tech support from Microsoft :) Getting serious now.. Subnetting is a very interesting and important topic. I gather that most of you have heard about it or have some idea what it's all about. For those who haven't dealt with subnets before... hang in there because you're not alone ! Keep in mind we also have the website's forum where you can post questions or read up on other people's questions and answers. It's an excellent source of information and I recommend you use it ! For some reason a lot of people consider Subnetting to be a difficult subject, which is true to some extent, but I must say that I think that most of them see it that way because they do not have solid foundations on networking (essential !), and especially the IP protocol. But for you guys (and girls), the above doesn't apply, because we have covered IP in the best possible way and we DO have solid foundations. Right ?


Some Advice ! If you started reading the IP protocol on this site from the beginning and have understood everything, then you won't have any problem understanding subnetting... but (there is always a darn "but" !) on the other hand if you do not understand very well what we have been talking about in the previous pages, then you're going to find this somewhat difficult. Whichever the case, I'm going to try and explain subnetting as simply as possible and hope to answer all your questions. Now, because Subnetting is a big topic to talk about and analyse in one page (yeah right !) I've split it throughout a few sections to break it down into smaller pieces. Logically, as you move on to higher sections, the concepts and material difficulty will increase:

Section 1: Basic Subnetting Concepts. This section is to help you understand what a subnet really is. Introduction to the Default Subnet masks is covered at first and then you get to see and learn how the network is affected by changing the subnet mask. There are plenty of them cool diagrams (which you only find on this site !) to ensure that you get the picture right :)

Section 2: Subnet Masks and Their Effect. Here we will look at the Default Subnet mask in a bit more detail and introduce a few new concepts. Classless and Classful IP Addresses are covered here and you get to learn how the subnet mask affects them.

Section 3: The Subnet Mask Bits. Detailed analysis of subnet mask bits. Learn to recognise the number of bits in a subnet mask, followed by an introduction to complex subnets.

Section 4: Routing and Communications between Subnets. Understand how routers deal with subnets, how computers which are in different subnets can communicate with each other, along with a few general notes on subnetting that you should know.

Section 5: Subnetting Guidelines. Some last information to help you plan your new networks and a few things to keep in mind so you can avoid future problems with subnets.

IP Subnetting - The Basic Concepts


Introduction Introduction ? We already did that in the previous page :) Let's get stuck right into this cool topic ! What is Subnetting ?


When we Subnet a network, we basically split it into smaller networks. For example, when a set of IP Addresses is given to a company, e.g 254 addresses, they might want to "break" (the correct term is "partition") that one network into smaller ones, one for each department. This way, their Technical department and Management department can each have a small network of their own. By subnetting the network we can partition it into as many smaller networks as we need and this also helps reduce traffic and hides the complexity of the network. By default, all types of Classes (A, B and C) have a subnet mask, we call it the "Default Subnet mask". You need to have one because:

1) All computers need the subnet mask field filled when configuring IP
2) You need to set some logical boundaries in your network
3) You should at least enter the default subnet mask for the Class you're using

In the previous pages I spoke about IP Classes, Network IDs and Host IDs; the fact is that the Subnet mask is what determines the Network ID and Host ID portion of an IP Address. The table below shows clearly the subnet mask that applies for each network Class.

When dealing with subnet masks in the real world, we are free in most cases to use any type of subnet mask in order to meet our needs. If for example we require one network which can contain up to 254 computers, then a Class C network with its default subnet mask will do fine, but if we need more, then we might consider a Class B network with its default subnet mask. Note that the default subnet masks have been set by the IEEE committee, the same guys that set and approve the different standards and protocols. We will have a closer look at this later on and see how we can achieve a Class C network with more than 254 hosts. Understanding the concept Let's stop here for one moment and have a look at what I mean by partitioning one network into smaller ones by using different subnet masks. The picture below shows our example network (192.168.0.0). All computers here have been configured with the default Class C subnet mask (255.255.255.0):


Because of the subnet mask we used, all these computers are part of the one network marked in blue. This also means that any one of these hosts (computers, router and server) can communicate with each other. If we now wanted to partition this network into smaller segments, then we would need to change the subnet mask appropriately so we can get the desired result. Let's say we needed to change the subnet mask from 255.255.255.0 to 255.255.255.224 on each configured host. The picture below shows us how the computers will see the network once the subnet mask has changed:


In reality, we have just created 8 networks from the one large (blue) network we had, but I am keeping things simple for now and showing only 2 of these smaller networks because I want you to understand the concept of subnetting and see how important the subnet mask is. In the next pages which are to follow I will analyse in great depth the way subnetting works and how to calculate it. It is very important that you understand the concepts introduced in this section, so make sure you do, before continuing !

Subnet Masks & Their Effect


Introduction There are a few different ways to approach subnetting and it can get confusing because of the complexity of some subnets and the flexibility they offer. For this reason I created this little paragraph to let you know how we are going to approach and learn subnetting. So..... We are going to analyse the common subnet masks for each Class, giving detailed examples for most of them and allowing you to "see" how everything is calculated and understand the different effects a subnet mask can have as you change it. Once you have mastered this, you can then go on and create your custom subnet masks using any type of Class. Default Subnet masks of each Class


By now you should have some idea what the subnet mask does and how it's used to partition a network. What you need to keep in mind is that each Class has its DEFAULT subnet mask, which we can change to suit our needs. I have already mentioned this in the previous page, but we need to look into it in a bit more detail. The picture below shows our 3 Network Classes with their respective default subnet mask:

The Effect of a Subnet Mask on an IP Address In the IP Classes page we analysed and showed clearly how an IP Address consists of two parts, 1) The Network ID and 2) The Host ID. This rule applies for all IP Addresses that use the default subnet mask and we call them Classful IP Addresses. We can see this once again in the picture below, where the IP Address is analysed in Binary, because this is the way you should work when dealing with subnet masks:

We are looking at an IP Address with its subnet mask for the first time. What we have done is take the decimal subnet mask and convert it to binary, along with the IP Address. It is essential to work in binary because it makes things clearer and we can avoid making silly mistakes. The ones (1) in the subnet mask "lock" or, if you like, define the Network ID portion. If we change any bit within the Network ID of the IP Address, then we immediately move to a different network. So in this example, we have a 24 bit subnet mask.


NOTE: All Class C Classful IP Addresses have a 24 bit subnet mask (255.255.255.0). All Class B Classful IP Addresses have a 16 bit subnet mask (255.255.0.0). All Class A Classful IP Addresses have an 8 bit subnet mask (255.0.0.0). On the other hand, the use of an IP Address with a subnet mask other than the default results in the standard Host bits (the Bits used to identify the HOST ID) being divided into two parts: a Subnet ID and Host ID. These types of IP Addresses are called Classless IP Addresses. In order to understand what a "Classless IP Address" is without getting confused, we are going to take the same IP Address as above, and make it a Classless IP Address by changing the default subnet mask:

Looking at the picture above you will now notice that we have a Subnet ID, something that didn't exist before. As the picture explains, we have borrowed 3 bits from the Host ID and used them to create a Subnet ID. Effectively we partitioned our Class C network into smaller networks. If you're wondering how many smaller networks, you'll find the answer on the next page. I prefer that you understand everything here rather than blasting you with more Subnet IDs, bits and all the rest :) Summary In this page we saw the default subnet mask of each Class and also introduced the Classful and Classless IP Addresses, which are a result of using various subnet masks. When we use IP Addresses with their default subnet masks, e.g 192.168.0.10 is a Class C IP Address so the default subnet mask would be 255.255.255.0, then these are "Classful IP Addresses".


On the other hand, Classless IP Addresses have their subnet mask modified in a way so that there is a "Subnet ID". This Subnet ID is created by borrowing Bits from the Host ID portion. The picture below shows us both examples:

I hope that you have understood the new concepts and material on this page. Next we are going to talk about subnet bits, learn how to calculate how many bits certain subnet masks are and see the different and most used subnet masks available. If you think you might have not understood a few sections throughout this page, I would suggest you read it once more :)

Subnetting Analysis
Introduction So we have covered to some depth the subnetting topic, but there is still much to learn ! We are going to explain here the available subnet masks and analyse a Class C network, using a specific subnet mask. It's all pretty simple, as long as you understand the logic behind it. Understanding the use, and analysing different subnet masks Okay, so we know what a subnet mask is, but we haven't spoken (yet) about the different values they take, and the guidelines we need when we use them. That's what we are going to do here ! The truth is that you cannot take any subnet mask you like and apply it to a computer or any other device, because depending on the random subnet mask you choose, it will either create a lot of routing and communication problems, or it won't be accepted at all by the device you're trying to configure. For this reason we are going to have a look at the various subnet masks so you know exactly what you need to use, and how to use it. Most important, we are going to make sure we understand WHY you need to choose specific subnet masks, depending on your needs. Most people simply use a standard subnet mask without understanding what that does. This is not the case for the visitors to this site. Let's first have a look at the most common subnet masks and then I'll show you where these numbers come from :)

Common Subnet Masks In order to keep this place tidy, we are going to see the common Subnet masks for each Class. Looking at each Class's subnet mask is possibly the best and easiest way to learn them.

Number of bits     Class A                      Class B                        Class C
0 (default mask)   255.0.0.0 (default mask)     255.255.0.0 (default mask)     255.255.255.0 (default mask)
1                  255.128.0.0 (default+1)      255.255.128.0 (default+1)      255.255.255.128 (default+1)
2                  255.192.0.0 (default+2)      255.255.192.0 (default+2)      255.255.255.192 (default+2)
3                  255.224.0.0 (default+3)      255.255.224.0 (default+3)      255.255.255.224 (default+3)
4                  255.240.0.0 (default+4)      255.255.240.0 (default+4)      255.255.255.240 (default+4)
5                  255.248.0.0 (default+5)      255.255.248.0 (default+5)      255.255.255.248 (default+5)
6                  255.252.0.0 (default+6)      255.255.252.0 (default+6)      255.255.255.252 (default+6)
7                  255.254.0.0 (default+7)      255.255.254.0 (default+7)      255.255.255.254 (default+7) * Only 1 Host per subnet
8                  255.255.0.0 (default+8)      255.255.255.0 (default+8)      255.255.255.255 (default+8) * Reserved for Broadcasts

The above table might seem confusing at first, but don't despair ! It's simple, really, you just need to look at it in a different way ! The trick to understanding the pattern of the above table is to think of it in the following way: Each Class has its default subnet mask, which I have noted using the Green colour, and all we are doing is borrowing a Bit at a time (starting from 1, all the way to 8) from the Host ID portion of each class. I have used various colours to show you the decimal numbers that we get each time we borrow a bit from the Host ID portion. If you can't understand how these decimal numbers work out, then you should read up on the Binary & IP page.


Each time we borrow a bit from the Host ID, we split the network into a different number of networks. For example, when we borrowed 3 Bits in the Class C network, we ended up partitioning the network into 8 smaller networks. Let's take a look at a detailed example (which we will break into three parts) so we can fully understand all the above. We are going to do an analysis using the Class C network and 3 Bits which we took from the Host ID. The analysis will take place once we convert our decimal numbers to binary, something that's essential for this type of work. We will see how we get 8 networks from such a configuration and their ranges !

In this first part, we can see clearly where the 8 Networks come from. The rule applies to all types of Subnets, no matter what Class they are. Simply take the Subnet Bits and place them into the power of 2 and you get your Networks. Now, that was the easy part. The second part is slightly more complicated and I need you focused so you don't get mixed up! At first the diagram below seems quite complex, so try to follow me as we go through it:


The IP Address and Subnet mask are shown in Binary format. We focus on the last octet which contains all the information we are after. Now, the last octet has 2 parts, the Subnet ID and Host ID. When we want to calculate the Subnets and Hosts, we deal with them one at a time. Once that's done, we put the Subnet ID and Host ID portion together so we can get the last octet's decimal number. We know we have 8 networks (or subnets) and, by simply counting or incrementing our binary value by one each time, we get to see all the networks available. So we start off with 000 and finish at 111. On the right hand side I have also put the equivalent decimal number for each network. Next we take the Host ID portion, where the first available host is 0 0001 (1 in Decimal), because the 0 0000 (0 in Decimal) value is reserved as it is the Network Address (see IP Classes page), and the last value which is 1 1111 (31 in decimal) is used as a Broadcast Address for each Subnet (see Broadcast page). Note I've given a formula in the IP Classes page that allows you to calculate the available hosts, that's exactly what we are doing here for each subnet. This formula is: 2 to the power of X - 2, where X is the number of Bits we have in the Host ID field, which for our example is 5. When we apply this formula, we get 2 to the power of 5 - 2 = 30 Valid (usable) IP Addresses. If you're wondering why we subtract 2, it's because one is used for the Network Address of that subnet and the other for the Broadcast Address of that subnet. This shouldn't be new news to anyone :)


Summing up, these are the ranges for each subnet in our new network:

I hope the example didn't confuse you too much; the above example is one of the simplest type, which is why I chose a Class C network, they are the easiest to work with.
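The calculation walked through above, written out as an added Python example (this is not code from the original page). It partitions 192.168.0.0 with the mask 255.255.255.224, reports the 3 borrowed Subnet ID bits, the 8 subnets and the 30 usable hosts, and lists each subnet's Network, first host, last host and Broadcast address; it also classifies any address as Network, Broadcast or host (the two reserved values from the table earlier) and answers the "same subnet?" question the routing page asks next. It generalises to Class A and B masks; the function names are chosen here and ipaddress is Python's standard library.

```python
import ipaddress


def default_prefix(ip: str) -> int:
    """Classful default mask length from the first octet (A: /8, B: /16, C: /24)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a Class A, B or C address")


def mask_bits(mask: str) -> int:
    """Number of ones in a dotted-decimal mask, e.g. 255.255.255.224 -> 27."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def analyse(network: str, mask: str) -> dict:
    """Partition a classful network with a (possibly longer) subnet mask.

    Returns the Subnet ID bits borrowed from the Host ID, the number of
    subnets (2 ** subnet bits), the usable hosts per subnet (2 ** host bits - 2)
    and the address range of every subnet.
    """
    prefix = mask_bits(mask)
    default = default_prefix(network)
    if prefix < default:
        raise ValueError("mask is shorter than the Class default mask")
    subnet_bits = prefix - default
    host_bits = 32 - prefix
    if host_bits < 2:
        # Mirrors the asterisks in the mask table: /31 and /32 leave no usable hosts.
        raise ValueError("fewer than 2 host bits: no room for hosts")
    base = ipaddress.IPv4Network(f"{network}/{default}", strict=False)
    ranges = []
    for sn in base.subnets(new_prefix=prefix):
        net, bcast = int(sn.network_address), int(sn.broadcast_address)
        ranges.append({
            "network": str(sn.network_address),                 # host bits all 0
            "first_host": str(ipaddress.IPv4Address(net + 1)),
            "last_host": str(ipaddress.IPv4Address(bcast - 1)),
            "broadcast": str(sn.broadcast_address),             # host bits all 1
        })
    return {
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "host_bits": host_bits,
        "usable_hosts": 2 ** host_bits - 2,
        "ranges": ranges,
    }


def address_role(ip: str, mask: str) -> str:
    """'network', 'broadcast' or 'host'; the first two must never be assigned."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses share the Network ID and Subnet ID under this mask."""
    net_a = ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net_a


if __name__ == "__main__":
    result = analyse("192.168.0.0", "255.255.255.224")
    print(f"{result['subnets']} subnets, {result['usable_hosts']} usable hosts each")
    for r in result["ranges"]:
        print(f"{r['network']:<16} {r['first_host']:<16} {r['last_host']:<16} {r['broadcast']}")
```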


Subnet Routing & Communications


Introduction So we understand all (almost !) about subnetting, but there are a few questions/topics which we haven't talked about as yet. Experience shows you can never know everything 100% ! Routing and Communication between subnets is the main topic here. We have analysed subnetting and understood how it works, but haven't yet dealt with the "communication" side of things. These, along with a few other things I would like to bring to your attention, are going to be analysed here ! It's an easy and very interesting page, so sit back and read through it comfortably. Communication Between Subnets So, after reading all the previous pages about subnetting, let me ask you the following: Do you think computers that are on the same physical network but configured to be on separate subnets are able to communicate ? The answer is "no". Why ? Simply because you must keep in mind that we are talking about the communication between 2 different networks ! Looking at our example of the Class C network on the previous page, the fact is that one computer is part of the network 192.168.0.0 and the other one part of network 192.168.0.32, and these are two different networks. In our example, from the moment we modified the default subnet mask from 255.255.255.0 to 255.255.255.224, we split that one network into 8 smaller ones. Let's try it ! And because we just have to prove it..... we are going to try it on my home network ! In the worst case I'll have to spend all night trying to figure out what went wrong but it will be worth it ! :) Without complicating things, here is a diagram of my home network (I've excluded any computers we are not going to be using, in order to save space):


Well, that's the network we have to play with. I have put on the diagram the results of a few simple pings from each host and as you can see, they all came out nice: PASS. So in order to proceed to phase 2 of our experiment, I modified the Subnet mask of my workstation to 192.168.0.35 / 255.255.255.224 , my Slackware Linux Firewall to 192.168.0.1 / 255.255.255.224 (internal Network Interface Card) and my NetWare 6 Server to 192.168.0.10 / 255.255.255.224 as shown in the diagram below:


As you can see, the results for my workstation were devastating ... alone and totally unaware that the other two servers are still there ! When my workstation tries to actually ping the Linux Firewall, it will get no reply, because its Gateway is a host which belongs to another network, something that we knew would never work. So, we have concluded that there cannot be any sort of communication between the computers of Network 1 and Network 2. So how can two hosts in two different subnets talk to each other ? That's what we are going to have a look at right now ! Building The Bridge There is a way to allow the communication between my workstation and my servers and the Internet. Actually there are a few ways to achieve this and I'm going to show you a few ways, even though some might seem silly or impractical. We are not interested in the best solution at the moment, we just want to know the ways in which we can establish communication between the two subnets. Considering that subnets are smaller networks, you would remember that we use routers to achieve communications between two networks. This example of my home network is no exception to this rule. We need a router which will route packets from one network to the other. Let's have a look at the different ways we can solve this problem:


Method 1: Using a Server with 2 Network Cards Our first option is to use one of the Servers, or a new Server which has at least 2 network cards installed. By connecting each network card to one of our networks and configuring the network cards so that each one belongs to one subnet/network we can route packets between them:

The above diagram shows pretty much everything that's needed. The 2nd network card has been installed and it's been assigned an IP Address that falls within our Network 1 range and therefore can communicate with my workstation. On the other hand the NetWare server now acts as a Gateway for Network 1, so my workstation is reconfigured to use it as its Gateway. Any packets from Network 1 to Network 2 or the Internet will pass through the NetWare server. Method 2: Binding 2 IP Addresses to the same network card This method is possibly the best and easiest way around our problem. We use the same network card on the NetWare server and bind another IP Address to it. This second IP Address will obviously fall within the Network 1 IP range so that my workstation can communicate with the server:


As noted on the diagram, the only problem we might encounter is the need for the operating system of the server to support this type of configuration, but most modern operating systems would comply. Once configured, the Server takes care of any routing between the two networks. Method 3: Installing a router The third method is to install a router in the network. This might seem a bit far fetched but remember that we are looking at all possible ways to establish communications between our networks ! If this was a large network, then a router could possibly be the ideal solution, but given the size of my network, well... let's just say it would be a silly idea :)


My workstation in this setup would forward all packets to its Gateway, which is the router's interface connected to Network 1, and it will be able to see all other servers and access the Internet. It's a similar setup to Method 1 but instead of a Server we have a dedicated router. Oh, and by the way, if we would end up using such a configuration in real life.. the hub which both of the router's interfaces connect to would be replaced by some type of WAN link.

Subnetting Guidelines
Introduction There is always that day when you are called upon to provide a solution to a network problem. The number of problems that can occur in a network are numerous and believe it or not, most of them can be avoided if the initial design and installation of the network are done properly. When I say "done properly" I don't just mean connecting the correct wires into the wall sockets ! Looking at it from an Administrator's point of view, I'd say that a "properly done job" is one that has had a lot of thought put into it to avoid silly routing problems and solve today's and any future needs. This page contains all the information you need to know in order to design a network that won't suffer from any of the above problems. I've seen some network setups which suffered from all the above, and you would be amazed how frequently I see them at large companies.


Guidelines - Plan for Growth When creating subnets for your network, answer the following questions:

How many subnets are needed today? Calculate the maximum number of subnets required by rounding up the maximum number to the nearest power of two. For example, if an organization needs five subnets, 2 to the power of 2 or 4 will not provide enough subnet addressing space, so you must round up to 2 to the power of 3 = 8 subnets.

How many subnets are needed in the future? You must plan for future growth. For example, if 9 subnets are required today, and you choose to provide for 2 to the power of 4 = 16 subnets, this might not be enough when the seventeenth subnet needs to be deployed. In this example, it might be wise to provide for more growth and select 2 to the power of 5 = 32 as the maximum number of subnets.

What is the maximum number of hosts on a given segment? You must ensure that there are enough bits available to assign host addresses to the organization's largest subnet. If the largest subnet needs to support 40 host addresses today, 2 to the power of 5 = 32 will not provide enough host address space, so you would need to round up to 2 to the power of 6 = 64.

How many hosts will there be in the future? Besides planning for additional subnets, you must also plan for more hosts to be added to each subnet in the future. Make sure the organization's address allocation provides enough bits to deploy the required subnet addressing plan.

When developing subnets, class C addresses present the greatest challenge because fewer bits are available to divide between subnet addresses and host addresses. If you accommodate too many subnets, there may be no room for additional hosts and growth in the future. All the above points will help you succeed in creating a well designed network which will have the ability to cater for any additional future requirements.
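The four questions above turned into a sizing check, as an added Python example that is not part of the original page: it rounds the subnet count up to a power of two, rounds the host count up so that 2 to the power of X minus 2 covers it, and then tests whether both fit in the Host ID bits of the allocated Class (24 for Class A, 16 for Class B, 8 for Class C). With the page's own figures (32 subnets for growth, 40 hosts) it shows why a Class C allocation runs out of bits while a Class B does not; the function names and the class_host_bits parameter are this example's own.

```python
import ipaddress


def subnet_bits_for(subnets: int) -> int:
    """Smallest number of Subnet ID bits with 2 ** bits >= subnets (rounds up)."""
    bits = 0
    while 2 ** bits < subnets:
        bits += 1
    return bits


def host_bits_for(hosts: int) -> int:
    """Smallest number of Host ID bits with 2 ** bits - 2 >= hosts.

    The -2 removes the Network and Broadcast address of each subnet.
    """
    bits = 2  # with fewer than 2 host bits there is no usable address at all
    while 2 ** bits - 2 < hosts:
        bits += 1
    return bits


def plan(subnets_today: int, subnets_future: int,
         hosts_today: int, hosts_future: int, class_host_bits: int) -> dict:
    """Size a subnetting plan against the Host ID bits of the allocated Class.

    class_host_bits is 24 for a Class A, 16 for a Class B and 8 for a Class C
    allocation. The larger of the today/future figures drives the plan, so a
    forecast can never shrink what is needed today.
    """
    subnet_bits = subnet_bits_for(max(subnets_today, subnets_future))
    host_bits_required = host_bits_for(max(hosts_today, hosts_future))
    needed = subnet_bits + host_bits_required
    fits = needed <= class_host_bits
    result = {
        "subnet_bits": subnet_bits,
        "subnets_available": 2 ** subnet_bits,
        "host_bits_required": host_bits_required,
        "bits_needed": needed,
        "bits_available": class_host_bits,
        "fits": fits,
        "mask": None,
        "hosts_per_subnet": None,
    }
    if fits:
        # Borrow exactly subnet_bits; every bit left over stays with the Host ID,
        # which is the headroom for future hosts the guidelines ask for.
        prefix = 32 - class_host_bits + subnet_bits
        result["mask"] = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
        result["hosts_per_subnet"] = 2 ** (class_host_bits - subnet_bits) - 2
    return result


if __name__ == "__main__":
    for name, bits in (("Class C", 8), ("Class B", 16)):
        p = plan(subnets_today=9, subnets_future=32, hosts_today=40, hosts_future=40,
                 class_host_bits=bits)
        print(f"{name}: need {p['bits_needed']} of {p['bits_available']} host bits, "
              f"fits={p['fits']}, mask={p['mask']}, hosts/subnet={p['hosts_per_subnet']}")
```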


Introduction To The Open Systems Interconnect Model (OSI)


Introduction OSI is a standard description or "reference model" for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementors so that their products will consistently work with other products. The Model The OSI model was created by the IEEE committee so different vendors' products would work with each other. You see, the problem was that when HP decided to create a network product, it would be incompatible with similar products of a different vendor e.g IBM. So when you bought 40 network cards for your company, you would make sure that the rest of the equipment would be from the same vendor, to ensure compatibility. As you would understand, things were quite messy, until the OSI model came into the picture.

As most would know, the OSI model consists of 7 layers. Each layer has been designed to do a specific task. Starting from the top layer (7) we will see how the data which you type gets converted into segments, the segments into datagrams and the datagrams into packets, the packets into frames and then the frames are sent down the wire, usually twisted pair, to the receiving computer. Please select one of the 7 layers by clicking on it, or simply use the menu :)


The OSI flash below is provided to help you further understand the functionality of the OSI model:

The picture below is another quick summary of the OSI model:


OSI Layer 1 - Physical Layer


The first four layers define how data is transmitted end-to-end. There are no protocols which work at the Physical layer. As mentioned, Ethernet, Token Ring and other topologies are specified here.

Layer 1 - The Physical Layer The Physical layer has two responsibilities: it sends bits and receives bits. Bits come only in values of 1 or 0. The Physical layer communicates directly with the various types of actual communication media. Different kinds of media represent these bit values in different ways. Specific protocols are needed for each type of media to describe the proper bit patterns to be used, how data is encoded into media signals and the various qualities of the physical media's attachment interface. The Physical layer specifications define the electrical, mechanical and functional requirements for activating, maintaining and deactivating a physical link between end systems. At the physical layer, the interface between the Data Terminal Equipment (DTE) and the Data Circuit-Terminating Equipment (DCE) is identified. The Physical layer's connectors (RJ-45, BNC etc.) and different physical topologies (Bus, Star, Hybrid networks) are defined by the OSI as standards, allowing different systems to communicate.


OSI Layer 2 - Datalink Layer

The first four layers define how data is transmitted end-to-end. Some common protocols which work at the Datalink layer are: ARP, RARP, DCAP.

Layer 2 - The Datalink Layer The Datalink layer ensures that messages are delivered to the proper device and translates messages from the Network layer into bits for the Physical layer to transmit. It formats the message into data frames (notice how we are not using the term segments) and adds a customized header containing the hardware destination and source address. This added information forms a sort of capsule that surrounds the original message (or data); think of it like grabbing a letter which has information and putting it into an envelope. The envelope is only used to get the letter to its destination, right? So when it arrives at the addressee, the envelope is opened and discarded, but the letter isn't because it has the information the addressee needs. Data traveling through a network works in a similar manner. Once it gets to the destination, it will be opened and read (processed). This is illustrated in the Data Encapsulation - Decapsulation section. The Datalink layer is subdivided into two other sublayers, the Media Access Control (MAC) and the Logical Link Control (LLC). The figure below illustrates this:


Media Access Control (MAC) 802.3 This defines how packets are placed on the media (cable). Contention media (Ethernet) access is first come first served access where everyone shares the same bandwidth. Physical addressing is defined here. What's Physical addressing? It's simple. You will come across 2 addressing terms: 1) Logical addressing 2) Physical addressing. Logical addressing is basically the address which is given by software, e.g an IP address. When you get an IP address, this is considered a "logical address" which is provided to you after your TCP/IP stack is loaded. Physical addressing is an address which is given not by the software, but the hardware. Every network card has a "MAC" address which is burnt into the card's EPROM (a special memory chip) and this special address is used to uniquely identify your computer's network card from all the others on the network. There is a whole page dedicated to MAC Addressing if you would like to read more about it. Logical Link Control (LLC) 802.2 This sublayer is responsible for identifying Network layer protocols and then encapsulating them when they are about to be transmitted onto the network, or decapsulating them when it receives a packet from the network and passing it on to the layer above it, which is the Network layer. An LLC header tells the Datalink layer what to do with a packet once a frame is received. For example, a host (computer) will receive a frame and then look in the LLC header to understand that the packet is destined for the IP protocol at the Network layer. The LLC can also provide flow control and sequencing of control bits.


Data Encapsulation & Decapsulation in the OSI Model


Introduction Here we are going to explain in detail how data travels through the OSI model. You must keep in mind that the OSI model is a guideline. It tells the computer what it's supposed to do when data needs to be sent or when data is received.
In order to make it easier for most, there is a movie file available (1MB) which will show you exactly what we are about to analyse; follow the encap-decap movie link to obtain it. You will need Windows Media Player to view it.

Our Study Case We are going to analyse an example in order to try and understand how data encapsulation and decapsulation works. This should make it easier for most people. Try to see it this way: when a car is built in a factory, one person doesn't do all the jobs; rather it's put onto a production line and as the car moves through, each person adds different parts to it, so when it comes to the end of the production line it's complete and ready to be sent out to the dealer. The same story applies to any data which needs to be sent from one computer to another. The OSI model, which was created by the International Organization for Standardization (ISO), exists to ensure that everyone follows these guidelines (just like the production line above) and therefore each computer will be able to communicate with every other computer, regardless of whether one computer is a Macintosh and the other is a PC. One important piece of information to keep in mind is that data flows two ways in the OSI model: DOWN (data encapsulation) and UP (data decapsulation). The picture below is an example of a simple data transfer between two computers and shows how the data is encapsulated and decapsulated:


Explanation : The computer in the above picture needs to send some data to another computer. The Application layer is where the user interface exists; here the user interacts with the application he or she is using, then this data is passed to the Presentation layer and then to the Session layer. These three layers add some extra information to the original data that came from the user and then pass it to the Transport layer. Here the data is broken into smaller pieces (transmitted one piece at a time) and the TCP header is added. At this point, the data at the Transport layer is called a segment. Each segment is sequenced so the data stream can be put back together on the receiving side exactly as transmitted. Each segment is then handed to the Network layer for network addressing (logical addressing) and routing through the internetwork. At the Network layer, we call the data (which at this point includes the Transport header and the upper layer information) a packet. The Network layer adds its IP header and then sends it off to the Datalink layer. Here we call the data (which includes the Network layer header, Transport layer header and upper layer information) a frame. The Datalink layer is responsible for taking packets from the Network layer and placing them on the network medium (cable). The Datalink layer encapsulates each packet in a frame which contains the hardware address (MAC) of the source and destination computer (host) and the LLC information which identifies to which protocol in the previous layer (Network layer) the packet should be passed when it arrives at its destination. Also, at the end, you will notice the FCS field, which is the Frame Check Sequence. This is used for error checking and is also added at the end by the Datalink layer. If the destination computer is on a remote network, then the frame is addressed to the router or gateway, which forwards the packet towards its destination; the IP addresses inside the packet stay the same, but each router builds a fresh frame with the MAC addresses of the next hop. To put this frame on the network, it must be turned into a digital signal.
Since a frame is really a logical group of 1's and 0's, the Physical layer is responsible for encoding these digits into a digital signal which is read by devices on the same local network. There are also a few 1's and 0's put at the beginning of the frame (the preamble), only so the receiving end can synchronise with the digital signal it will be receiving. Below is a picture of what happens when the data is received at the destination computer.


Explanation : The receiving computer will first synchronise with the digital signal by reading the few extra 1's and 0's mentioned above. Once synchronisation is complete and the whole frame has been received, it is passed to the layer above, which is the Datalink layer. The Datalink layer will do a Cyclic Redundancy Check (CRC) on the frame. This is a computation which the computer does, and if the result matches the value in the FCS field, then it assumes that the frame has been received without any errors. (The CRC catches accidental corruption on the wire; it offers no protection against someone who modifies the frame and simply recomputes the FCS.) Once that's out of the way, the Datalink layer will strip off any information or header which was put on by the remote system's Datalink layer and pass the rest (now we are moving from the Datalink layer to the Network layer, so we call the data a packet) to the layer above, which is the Network layer. At the Network layer the IP address is checked and if it matches the machine's own IP address, then the Network layer header, or IP header if you like, is stripped off from the packet and the rest is passed to the layer above, which is the Transport layer. Here the rest of the data is now called a segment. The segment is processed at the Transport layer, which rebuilds the data stream (at this level on the sender's computer it was actually split into pieces so they could be transferred) and acknowledges to the transmitting computer that it received each piece. It is obvious that since we are sending an ACK back to the sender from this layer that we are using TCP and not UDP. Please refer to the Protocols section for more clarification. After all that, it then happily hands the data stream to the upper-layer application.
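The two walk-throughs above (sending side: segment, packet, frame; receiving side: FCS check, header stripping, reassembly) can be run end to end in a few dozen lines. This is an added example written for this page, not code from the original tutorial: it splits a byte stream into sequenced TCP-style segments, wraps each in an IPv4 header with a correct header checksum and then in an Ethernet II frame with a CRC-32 FCS, and on the receive side verifies the FCS and IP checksum, checks the destination address, strips each header in turn and reassembles the stream by sequence number even when frames arrive out of order. The MAC addresses, IP addresses, ports and the tiny segment size are constructed assumptions; the TCP checksum is left at zero because the point is the layering, not a complete TCP implementation.

```python
import struct
import zlib

# Constructed sample values (assumptions for this example, not from the original page)
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([192, 168, 0, 10])
DST_IP = bytes([192, 168, 0, 20])
ETHERTYPE_IPV4 = 0x0800   # EtherType that tells the receiver's Datalink layer "hand this to IP"
IPPROTO_TCP = 6
MSS = 8                   # deliberately tiny segment size so a short stream is split into several segments

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def transport_segment(stream: bytes, src_port: int, dst_port: int, isn: int) -> list:
    """Layer 4 (TCP): split the stream into segments, each with a header carrying its sequence number."""
    segments = []
    for off in range(0, len(stream), MSS):
        # ports, seq, ack, data offset (5 words) in the top 4 bits, window, checksum (left 0 here), urgent ptr
        hdr = struct.pack("!HHIIHHHH", src_port, dst_port, isn + off, 0, 5 << 12, 65535, 0, 0)
        segments.append(hdr + stream[off:off + MSS])
    return segments

def network_packet(segment: bytes) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header (logical addresses) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, IPPROTO_TCP, 0, SRC_IP, DST_IP)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + segment

def datalink_frame(packet: bytes) -> bytes:
    """Layer 2: Ethernet II header (hardware addresses + EtherType) in front, FCS (CRC-32) at the end."""
    body = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))   # the FCS is sent least-significant byte first

def encapsulate(stream: bytes, src_port: int = 40000, dst_port: int = 80, isn: int = 1000) -> list:
    """Top-down pass: data -> segments -> packets -> frames."""
    return [datalink_frame(network_packet(s)) for s in transport_segment(stream, src_port, dst_port, isn)]

def fcs_ok(frame: bytes) -> bool:
    """The receiving Datalink layer recomputes the CRC and compares it with the FCS field."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return zlib.crc32(body) == fcs

def decapsulate(frames: list, isn: int = 1000) -> bytes:
    """Bottom-up pass: check FCS, strip each header, then reassemble the stream by sequence number."""
    pieces = {}
    for frame in frames:
        if not fcs_ok(frame):
            raise ValueError("FCS mismatch: frame corrupted, discarding")
        body = frame[:-4]
        if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
            raise ValueError("EtherType is not IPv4; no handler at the Network layer")
        packet = body[14:]                       # Datalink header stripped: this is the packet
        if ip_checksum(packet[:20]) != 0:        # a valid header sums to zero including its checksum field
            raise ValueError("IPv4 header checksum failed")
        if packet[16:20] != DST_IP:
            raise ValueError("packet is not addressed to this host")
        total_len = struct.unpack("!H", packet[2:4])[0]
        segment = packet[20:total_len]           # Network header stripped: this is the segment
        seq = struct.unpack("!I", segment[4:8])[0]
        pieces[seq - isn] = segment[20:]         # Transport header stripped: application data
    return b"".join(pieces[k] for k in sorted(pieces))
```

Feeding `encapsulate(b"GET / HTTP/1.0\r\n\r\n")` through `decapsulate` returns the original 18 bytes, and reversing the frame order first gives the same result because reassembly is driven by the sequence numbers, not arrival order. Flip one byte of a frame and `fcs_ok` fails, which is exactly the check the text describes; it is also the limit of what these checks do, since an attacker who changes the payload can recompute both the CRC and the IP checksum.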


OSI Layer 3 - Network Layer

The first four layers define how data is transmitted end-to-end. Some common protocols which work at the Network layer are: IP, DHCP, ICMP, IGRP, EIGRP, RIP, RIP2, MARS.


Layer 3 - The Network Layer The Network layer is responsible for routing through an internetwork and for network addressing. This means that the Network layer is responsible for transporting traffic between devices that are not locally attached. Routers, or other layer-3 devices, are specified at the Network layer and provide routing services in an internetwork. In the Open Systems Interconnection (OSI) communications model, the Network layer knows the addresses of the neighbouring nodes in the network, packages output with the correct network address information, selects routes and quality of service, and recognises and forwards to the Transport layer incoming messages for local host domains. Among existing protocols that generally map to the OSI Network layer are the Internet Protocol (IP) part of TCP/IP and NetWare IPX/SPX. Both IP Version 4 and IP Version 6 (IPv6) map to the OSI Network layer. As mentioned above, the Internet Protocol works on this layer. This means that when you see an IP address, for example 192.168.0.1, this IP address maps to the Network layer in the OSI model; in other words only the Network layer deals with or cares about IP addresses in the OSI model. To keep things simple, IP is analysed under the "Protocols" section.

OSI Layer 4 - Transport Layer


The first four layers define how data is transmitted end-to-end. Some common protocols which work at the Transport layer are: TCP, UDP.

Layer 4 - The Transport Layer The Transport layer is responsible for providing mechanisms for multiplexing upper-layer applications (by port number), session establishment, data transfer and tear-down of virtual circuits. It also hides details of any network-dependent information from the higher layers by providing transparent data transfer. Services located in the Transport layer both segment and reassemble data from upper-layer applications and combine it into the same data stream. Some of you might already be familiar with TCP and UDP and know that TCP is a reliable service and UDP is not. Application developers have their choice of the two protocols when working with TCP/IP protocols. As mentioned above, the Transport layer provides different mechanisms for the transfer of data from one computer to another. Below is a brief diagram which tells you a bit about the protocols.

These protocols are also analysed in the Protocols area.

OSI Layer 5 - Session Layer

The top three layers of the OSI model are referred to as the "Upper" layers. These layers are responsible for applications communicating between hosts. None of the upper layers know anything about networking or network addresses. Some common protocols which work at the Session layer are: DNS, LDAP, NetBIOS.

Layer 5 - The Session Layer The Session layer is responsible for setting up, managing and then tearing down sessions between Presentation layer entities. The Session layer also provides dialog control between devices, or nodes. It coordinates communication between systems and serves to organise their communication by offering three different modes: simplex, half duplex and full duplex. The Session layer basically keeps one application's data separate from another application's data. Some examples of Session layer protocols are:
Network File System (NFS): Developed by Sun Microsystems and used with TCP/IP and Unix workstations to allow transparent access to remote resources.
Structured Query Language (SQL): Developed by IBM to provide users with a simpler way to define their information requirements on both local and remote systems.
Remote Procedure Call (RPC): A broad client/server redirection tool used for disparate service environments. Its procedures are created on clients and performed on servers.
X Window: Widely used by intelligent terminals for communicating with remote Unix computers, allowing them to operate as though they were locally attached monitors.

OSI Layer 6 - Presentation Layer

Like the other two upper layers, the Presentation layer knows nothing about networking or network addresses. There are no protocols which work specifically at the Presentation layer, but the protocols which work at the Application layer are said to work on all three upper layers.

Layer 6 - The Presentation Layer The Presentation layer gets its name from its purpose: it presents data to the Application layer. It's basically a translator and provides coding and conversion functions. A successful data transfer technique is to adapt the data into a standard format before transmission. Computers are configured to receive this generically formatted data and then convert the data back into its native format for reading. By providing translation services, the Presentation layer ensures that data transferred from the Application layer of one system can be read by the Application layer of another host. OSI has protocol standards that define how standard data should be formatted. Tasks like data compression, decompression, encryption and decryption are associated with this layer. (Keep in mind that this is the model's view; in the TCP/IP stack that real networks run, encryption is usually done by TLS, which sits between the Transport layer and the application rather than mapping neatly onto any single OSI layer.) Some Presentation layer standards are involved in multimedia operations. The following serve to direct graphic and visual image presentation:
JPEG: The Joint Photographic Experts Group brings these photo standards to us.
MIDI: The Musical Instrument Digital Interface is used for digitised music.
MPEG: The Moving Pictures Experts Group's standard for the compression and coding of motion video for CDs is very popular.

OSI Layer 7 - Application Layer

FTP, TFTP, Telnet, SMTP and other protocols work on the top three layers of the OSI model, which obviously includes the Application layer.

Layer 7 - The Application Layer The Application layer of the OSI model is where users communicate with the computer. The Application layer is responsible for identifying and establishing the availability of the intended communication partner and determining if sufficient resources for the intended communication exist. The user interfaces with the computer at the Application layer. Although computer applications sometimes require only desktop resources, applications may unite communicating components from more than one network application, for example file transfers, e-mail, remote access, network management activities and client/server processes.

There are various protocols which are used at this layer. The definition of a "protocol" is a set of rules by which two computers communicate. In plain English, you can say that a protocol is a language, for example English. For me to speak to you and make sense, I need to structure my sentence in a "standard" way which you will understand. Computer communication works pretty much the same way. This is why we have so many different protocols, each one for a specific task.


You will find that when analysing the way data travels from one computer to another, most people never analyse in detail any layers above the Transport layer. This is because the whole process of getting data from one computer to another usually involves layers 1 to 4 (Physical to Transport), or layer 5 (Session) at the most, depending on the type of data.


Introduction To Routing
Introduction Routing is one of the most important features in a network that needs to connect with other networks. In this page we try to explain the difference between routed and routing protocols and explain the different methods used to achieve the routing of protocols. The fact is that if routing of protocols was not possible, then we wouldn't be able to communicate using computers because there would be no way of getting the data across to the other end! Definition Routing is used for taking a packet (data) from one device and sending it through the network to another device on a different network. If your network has no routers then you are not routing. Routers route traffic to all the networks in your internetwork. To be able to route packets, a router must know the following:
Destination address
Neighbour routers from which it can learn about remote networks
Possible routes to all remote networks
The best route to each remote network
How to maintain and verify routing information

Before we go on, I would like to define four networking terms: Convergence: The process required for all routers in an internetwork to update their routing tables and create a consistent view of the network, using the best possible paths. Until convergence completes, routers may hold inconsistent tables and packets can be dropped or looped. Default Route: A "catch-all" entry in a routing table (0.0.0.0/0 for IPv4) that matches every destination. Because it is the least specific entry, it is only used when no more specific route matches the packet's destination; it is the last resort, not the first option. Static Route: A permanent route entered manually into a routing table. This route will remain in the table even if the link goes down. It can only be erased manually. Dynamic Route: A route entry which is dynamically (automatically) updated as changes to the network occur. Dynamic routes are basically the opposite of static routes.
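The definitions above (longest-match lookup, the default route as last resort, static entries that outlive a withdrawn dynamic one) are easiest to check with a small routing table. This is an added example written for this page, not code from the original tutorial or any router vendor: it implements longest-prefix matching with metric as tie-breaker over connected, static, dynamic and default routes, and a `forward()` step that decides which interface to use and which address must be resolved with ARP (the destination itself if it is directly connected, otherwise the next-hop router), which is the decision the IP Routing Process section starts to walk through. The interface names E0 and E1 and the 200.200.200.0/24 network come from that section; all other prefixes, next hops and metrics are constructed assumptions.

```python
import ipaddress

class Route:
    """One routing-table entry. next_hop=None means the prefix is directly connected on `interface`."""
    def __init__(self, prefix, next_hop, interface, kind, metric=0):
        self.prefix = ipaddress.ip_network(prefix)       # "0.0.0.0/0" is the default route
        self.next_hop = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.interface = interface
        self.kind = kind      # "connected", "static" or "dynamic": how the entry got into the table
        self.metric = metric

class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def withdraw_dynamic(self, prefix: str) -> None:
        """A routing protocol withdrew this prefix; only dynamic entries go away, static ones stay."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if not (r.kind == "dynamic" and r.prefix == net)]

    def lookup(self, dst: str):
        """Longest-prefix match; ties broken by lowest metric. The default route (/0) matches
        everything but has the shortest prefix, so it only wins when nothing more specific does."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def forward(self, dst: str):
        """Decide the outgoing interface and which IP address to resolve with ARP:
        the destination itself if it is on a directly connected network, otherwise the next hop."""
        r = self.lookup(dst)
        if r is None:
            return None                      # no route: the packet is dropped (ICMP unreachable in practice)
        arp_for = dst if r.next_hop is None else str(r.next_hop)
        return r.interface, arp_for, r.kind

def build_sample_table(with_default: bool = True) -> RoutingTable:
    """Constructed table for a router with two interfaces, E0 and E1 (addresses are assumptions)."""
    t = RoutingTable()
    t.add(Route("192.168.0.0/24", None, "E0", "connected"))
    t.add(Route("200.200.200.0/24", None, "E1", "connected"))
    t.add(Route("10.0.0.0/8", "192.168.0.254", "E0", "static"))
    t.add(Route("10.1.0.0/16", "192.168.0.253", "E0", "dynamic", metric=10))
    if with_default:
        t.add(Route("0.0.0.0/0", "192.168.0.1", "E0", "static"))
    return t
```

With this table, 200.200.200.5 is sent out of E1 and ARP is done for the host itself; 10.1.2.3 follows the /16 dynamic route until that route is withdrawn, after which the /8 static route takes over; 8.8.8.8 matches nothing but the default route, and with no default route configured the lookup returns nothing at all, which is the behaviour the definition of a default route describes.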

The IP Routing Process

Introduction

We are going to take a look at what happens when routing occurs on a network. When I was new to the networking area, I thought that all you needed was the IP address of the machine you wanted to contact, but little did I know. You actually need a bit more information than just the IP address!

The process we are going to explain is fairly simple and doesn't really change, no matter how big your network is.

The Example: In our example, we have 2 networks, Network A and Network B. Both networks are connected via a router (Router A) which has 2 interfaces: E0 and E1. These interfaces are just like the interface on your network card (RJ45), but built into the router.

Now, we are going to describe step by step what happens when Host A (Network A) wants to communicate with Host B (Network B), which is on a different network.

1) Host A opens a command prompt and enters >Ping 200.200.200.5.

2) IP works with the Address Resolution Protocol (ARP) to determine which network this packet is destined for by looking at the IP address and the subnet mask of Host A. Since this is a request for a remote host, which means it is not destined for a host on the local network, the packet must be sent to the router (the gateway for Network A) so that it can be routed to the correct remote network (which is Network B).

3) Now, for Host A to send the packet to the router, it needs to know the hardware address of the router's interface which is connected to its network (Network A). In case you didn't realise, we are talking about the MAC (Media Access Control) address of interface E0. To get the hardware address, Host A looks in its ARP cache, a memory location where these MAC addresses are stored for a few seconds.

4) If it doesn't find it in there, it means that either a long time has passed since it last contacted the router or it simply hasn't resolved the IP address of the router (192.168.0.1) to a hardware address (MAC). So it then sends an ARP broadcast. This broadcast contains the following: "What is the hardware (MAC) address for IP 192.168.0.1?". The router identifies that IP address as its own and must answer, so it sends back to Host A a reply, giving it the MAC address of its E0 interface. This is also one of the reasons why sometimes the first "ping" will time out: because it takes some time for an ARP to be sent and the requested machine to respond with its MAC address, by the time all that happens the TTL (Time To Live) of the first ping packet has expired, so it times out!

5) The router responds with the hardware address of its E0 interface, to which the 192.168.0.1 IP is bound. Host A now has everything it needs in order to transmit a packet out on the local network to the router. Now, the Network Layer hands down to the Datalink Layer the packet it generated with the ping (ICMP echo request), along with the hardware address of the router. This packet includes the source and destination IP address as well as the ICMP echo request which was specified in the Network Layer.

6) The Datalink Layer of Host A creates a frame, which encapsulates the packet with the information needed to transmit on the local network. This includes the source and destination hardware address (MAC) and the type field, which specifies the Network Layer protocol, e.g. IPv4 (that's the IP version we use) or ARP. At the end of the frame, in the FCS portion of the frame, the Datalink Layer will stick a Cyclic Redundancy Check (CRC) to make sure the receiving machine (the router) can figure out if the frame it received has been corrupted. To learn more on how the frame is created, visit the Data Encapsulation Decapsulation page.

7) The Datalink Layer of Host A hands the frame to the Physical Layer, which encodes the 1s and 0s into a digital signal and transmits this out on the local physical network.

8) The signal is picked up by the router's E0 interface, which reads the frame. It will first do a CRC check and compare it with the CRC value Host A added to this frame, to make sure the frame is not corrupt.

9) After that, the destination hardware address (MAC) of the received frame is checked. Since this will be a match, the type field in the frame will be checked to see what the router should do with the data packet. IP is in the type field, and the router hands the packet to the IP protocol running on the router. The frame is stripped and the original packet that was generated by Host A is now in the router's buffer.

10) IP looks at the packet's destination IP address to determine if the packet is for the router. Since the destination IP address is 200.200.200.5, the router determines from the routing table that 200.200.200.0 is a directly connected network on interface E1.

11) The router places the packet in the buffer of interface E1. The router needs to create a frame to send the packet to the destination host. First, the router looks in the ARP cache to determine whether the hardware address has already been resolved from a prior communication. If it is not in the ARP cache, the router sends an ARP broadcast out E1 to find the hardware address of 200.200.200.5.

12) Host B responds with the hardware address of its network interface card with an ARP reply. The router's E1 interface now has everything it needs to send the packet to the final destination.

13) The frame generated from the router's E1 interface has the source hardware address of the E1 interface and the hardware destination address of Host B's network interface card. However, the most important thing here is that even though the frame's source and destination hardware address changed at every interface of the router it was sent to and from, the IP source and destination addresses never changed. The packet was never modified at all, only the frame changed.

14) Host B receives the frame and runs a CRC. If that checks out, it discards the frame and hands the packet to IP. IP will then check the destination IP address. Since the IP destination address matches the IP configuration of Host B, it looks in the protocol field of the packet to determine the purpose of the packet.

15) Since the packet is an ICMP echo request, Host B generates a new ICMP echo reply packet with a source IP address of Host B and a destination IP address of Host A. The process starts all over again, except that it goes in the opposite direction. However, the hardware address of each device along the path is already known, so each device only needs to look in its ARP cache to determine the hardware (MAC) address of each interface.

And that just about covers our routing analysis. If you found it confusing, take a break and come back later on and give it another shot. It's really simple once you grasp the concept of routing.
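As an added example (not code from the page), the following Python model walks the ping through the steps above: the subnet-mask test on Host A, the ARP cache lookup with a broadcast on a miss, the router's lookup of its directly connected networks, and the re-framing on each hop while the packet is left untouched. Everything apart from the two IP addresses in the text is constructed: the hosts' addresses, the router's E1 address and every MAC address are made up.

```python
# Added example, not code from the page: a model of the Host A -> Router A -> Host B walk-through.
# Constructed addresses: Host A 192.168.0.10/24 (gateway 192.168.0.1 = Router A E0),
# Router A E1 200.200.200.1/24, Host B 200.200.200.5/24; every MAC address is made up.
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Packet:             # Layer 3: built once by the sender and never changed on the way
    src_ip: str
    dst_ip: str
    payload: str

@dataclass(frozen=True)
class Frame:              # Layer 2: rebuilt at every hop with that segment's MAC addresses
    src_mac: str
    dst_mac: str
    ethertype: str
    packet: Packet

@dataclass
class Interface:
    name: str
    ip: str
    mac: str
    network: ipaddress.IPv4Network

@dataclass
class Node:
    name: str
    interfaces: list
    default_gateway: str = ""
    arp_cache: dict = field(default_factory=dict)    # ip -> mac, filled in by ARP
    log: list = field(default_factory=list)

    def iface_for(self, ip):
        """Routing-table lookup limited to directly connected networks (step 10)."""
        for iface in self.interfaces:
            if ipaddress.ip_address(ip) in iface.network:
                return iface
        return None

def resolve_mac(node, iface, ip, segment):
    """Steps 3, 4 and 11: consult the ARP cache; broadcast on the segment on a miss."""
    if ip in node.arp_cache:
        node.log.append(f"{node.name}: ARP cache hit for {ip}")
        return node.arp_cache[ip]
    node.log.append(f"{node.name}: ARP broadcast on {iface.name}: who has {ip}?")
    for other in segment:
        for other_iface in other.interfaces:
            if other_iface.ip == ip:                  # the owner of the IP answers with its MAC
                node.arp_cache[ip] = other_iface.mac
                other.arp_cache[iface.ip] = iface.mac  # the replier learns the asker as well
                return other_iface.mac
    raise LookupError(f"no ARP reply for {ip}")

def host_send(host, pkt, segment):
    """Steps 2-6: subnet-mask test for local vs remote, choose next hop, resolve its MAC, frame it."""
    iface = host.interfaces[0]
    is_local = ipaddress.ip_address(pkt.dst_ip) in iface.network
    next_hop = pkt.dst_ip if is_local else host.default_gateway
    host.log.append(f"{host.name}: {pkt.dst_ip} is {'local' if is_local else 'remote'}, next hop {next_hop}")
    return Frame(iface.mac, resolve_mac(host, iface, next_hop, segment), "IPv4", pkt)

def router_forward(router, frame, segments):
    """Steps 8-13: accept only frames addressed to us, strip the frame, route, re-frame on the exit interface."""
    if frame.dst_mac not in {iface.mac for iface in router.interfaces}:
        raise ValueError("frame not addressed to this router")
    pkt = frame.packet                                 # the packet is handed on unmodified
    out = router.iface_for(pkt.dst_ip)
    if out is None:
        raise LookupError(f"no route to {pkt.dst_ip}")
    router.log.append(f"{router.name}: {pkt.dst_ip} is on directly connected {out.name}")
    return Frame(out.mac, resolve_mac(router, out, pkt.dst_ip, segments[out.name]), "IPv4", pkt)

def build_topology():
    net_a, net_b = ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("200.200.200.0/24")
    host_a = Node("Host A", [Interface("eth0", "192.168.0.10", "aa:aa:aa:00:00:0a", net_a)], "192.168.0.1")
    router = Node("Router A", [Interface("E0", "192.168.0.1", "cc:cc:cc:00:00:e0", net_a),
                               Interface("E1", "200.200.200.1", "cc:cc:cc:00:00:e1", net_b)])
    host_b = Node("Host B", [Interface("eth0", "200.200.200.5", "bb:bb:bb:00:00:05", net_b)], "200.200.200.1")
    segments = {"E0": [host_a, router], "E1": [router, host_b]}   # LAN segments keyed by router interface
    return host_a, router, host_b, segments

def simulate_ping():
    """Return the four frames of the echo request and reply, plus every node's log."""
    host_a, router, host_b, segments = build_topology()
    request = Packet("192.168.0.10", "200.200.200.5", "ICMP echo request")
    req_a = host_send(host_a, request, segments["E0"])        # Host A -> Router A E0 (ARP broadcast)
    req_b = router_forward(router, req_a, segments)           # Router A E1 -> Host B (ARP broadcast)
    # Step 15: the reply goes back the same way; every MAC is cached now, so only cache hits.
    reply = Packet(request.dst_ip, request.src_ip, "ICMP echo reply")
    rep_b = host_send(host_b, reply, segments["E1"])
    rep_a = router_forward(router, rep_b, segments)
    return [req_a, req_b, rep_b, rep_a], host_a.log + router.log + host_b.log

if __name__ == "__main__":
    frames, log = simulate_ping()
    for f in frames:
        print(f"{f.src_mac} -> {f.dst_mac}  carrying {f.packet.src_ip} -> {f.packet.dst_ip} ({f.packet.payload})")
    print("\n".join(log))
```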

Routed Protocols

Introduction

We all understand that TCP/IP and IPX/SPX are protocols which are used in a Local Area Network (LAN) so computers can communicate with each other and with other computers on the Internet.

Chances are that in your LAN you are most probably running TCP/IP. This protocol is what we call a "routed" protocol. The term "routed" refers to something which can be passed on from one place (network) to another. In the example of TCP/IP, this is when you construct a data packet and send it across to another computer on the Internet. This ability to use TCP/IP to send data across networks and the Internet is the main reason it's so popular and dominant. If you're thinking also of NetBeui and IPX/SPX, then note that NetBeui is not a routed protocol, but IPX/SPX is! The reason for this is actually in the information a packet holds when it uses one of the protocols.

Let me explain: If you looked at a TCP/IP or IPX/SPX packet, you will notice that they both contain a "network" layer. For TCP/IP, this translates to the IP layer (Layer 3); for IPX/SPX, it's the IPX layer (Layer 3). To make it easy to understand, I will use TCP/IP as an example. In the picture below, you can see a TCP/IP packet within an Ethernet II Frame (the frame is like an "envelope" which encapsulates the TCP/IP packet):

Looking closely, you will notice that Layer 3 (Network Layer) contains the IP header. It is within this section that the computer puts the Source and Destination IP number. Thanks to the existence of this IP header, we are able to put a destination IP which can be one that's not on our network, and the computer will figure it out after completing a simple calculation and know if it needs to send this data to the router for it to be sent to its destination. You can read more on Layer 3 by visiting the OSI page. IPX/SPX contains a similar field which gives it the same ability, which is to send packets over to different networks.

NetBeui on the other hand has no such information! This means that NetBeui has no information about the destination network to which it needs to send the data, as it was developed for LAN use only; or you could say that all hosts are considered to be on the same logical network and all resources are considered to be local. This classifies NetBeui as a "non routed" protocol.


Routing Protocols

Introduction

Routing protocols were created for routers. These protocols have been designed to allow the exchange of routing tables, or known networks, between routers. There are a lot of different routing protocols, each one designed for specific network sizes, so I am not going to be able to mention and analyse them all, but I will focus on the most popular.

The two main types of routing are static routing and dynamic routing.

The router learns about remote networks from neighbor routers or from an administrator. The router then builds a routing table, the creation of which I will explain in detail, that describes how to find the remote networks. If the network is directly connected, then the router already knows how to get to the network. If the networks are not attached, the router must learn how to get to the remote network with either static routing (the administrator manually enters the routes in the router's table) or dynamic routing (happens automatically using routing protocols).

The routers then update each other about all the networks they know. If a change occurs, e.g. a router goes down, the dynamic routing protocols automatically inform all routers about the change. If static routing is used, then the administrator has to update all changes into all routers, and therefore no routing protocol is used. Only dynamic routing uses routing protocols, which enable routers to:

- Dynamically discover and maintain routes
- Calculate routes
- Distribute routing updates to other routers
- Reach agreement with other routers about the network topology

Statically programmed routers are unable to discover routes or send routing information to other routers. They send data over routes defined by the network administrator. A stub network is so called because it is a dead end in the network. There is only one route in and one route out and, because of this, they can be reached using static routing, thus saving valuable bandwidth.

Dynamic Routing Protocols

There are 3 types of dynamic routing protocols; these differ mainly in the way that they discover and make calculations about routes (click to select):

1) Distance Vector
2) Link State
3) Hybrid

Distance Vector routers compute the best path from information passed to them from neighbors. Link State routers each have a copy of the entire network map. Link State routers compute best routes from this local map.

The table below (clickable) shows the main characteristics of a few different types of dynamic routing protocols:

You can also classify the routing protocols in terms of their location on a network. For example, routing protocols can exist in, or between, autonomous systems. Exterior Gateway Protocols (EGPs) are found between autonomous systems, whereas Interior Gateway Protocols (IGPs) are found within autonomous systems:

An example of an EGP is the Border Gateway Protocol (BGP), which is also used amongst the Internet routers, whereas examples of IGP protocols are RIP, IGRP and EIGRP.

Distance Vector Routing Protocols

Introduction Distance Vector routing protocols use frequent broadcasts (255.255.255.255 or FF:FF:FF:FF) of their entire routing table every 30 sec. on all their interfaces in order to communicate with their neighbours. The bigger the routing tables, the more broadcasts. This methodology limits significantly the size of network on which Distance Vector can be used. Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP) are two very popular Distance Vector routing protocols. You can find links to more information on these protocols at the bottom of the page. (That's if you haven't had enough by the time you get there !)


Distance Vector protocols view networks in terms of adjacent routers and hop counts, which also happens to be the metric used. The "hop" count (max of 15 for RIP, 16 is deemed unreachable, and 255 for IGRP) will increase by one every time the packet transits a router. So the router makes decisions about the way a packet will travel based on the number of hops it takes to reach the destination, and if it has 2 different ways to get there, it will simply send it via the shortest path, regardless of the connection speed. This is known as pinhole congestion. Below is a typical routing table of a router which uses Distance Vector routing protocols:

Let's explain what is happening here: In the above picture, you see 4 routers, each connected with its neighbour via some type of WAN link, e.g. ISDN. Now, when a router is powered on, it will immediately know about the networks to which each interface is directly connected. In this case Router B knows that interface E0 is connected to the 192.168.0.0 network and the S0 interface is connected to the 192.168.10.0 network. Looking again at the routing table for Router B, the numbers you see on the right hand side of the interfaces are the "hop counts" which, as mentioned, is the metric that distance vector protocols use to keep track of how far away a particular network is. Since these 2 networks are connected directly to the router's interfaces, they will have a value of zero (0) in the router's table entry. The same rule applies for every router in our example. Remember we have "just turned the routers on", so the network is now converging, and that means that there is no data being passed. When I say "no data" I mean data from any computer or server that might be on any of the networks. During this "convergence" time, the only type of data being passed between the routers is that which allows them to populate their routing tables, and after that's done, the routers will pass all other types of data between them. That's why a fast convergence time is a big advantage. One of the problems with RIP is that it has a slow convergence time.

Let's explain what we see: In the above picture, the network is said to have "converged"; in other words, all routers on the network have populated their routing table and are completely aware of the networks they can contact. Since the network is now converged, computers in any of the above networks can contact each other.

Again, looking at one of the routing tables, you will notice the network address with the exit interface on the right, and next to that is the hop count to that network. Remember that RIP will only count up to 15 hops, after which the packet is discarded (on hop 16). Each router will broadcast its entire routing table every 30 seconds. Routing based on Distance Vector can cause a lot of problems when links go up and down; this could result in infinite loops and can also de-synchronise the network. Routing loops can occur when every router is not updated at close to the same time. Let's have a look at the problem before we look at the various solutions:

Let's explain : In the above picture you can see 5 routers of which routers A and B are connected with Router C, and they all end up connecting via routers D and E to Network 5.

Now as the above picture shows, Network 5 fails.

All routers know about Network 5 from Router E. For example, Router A, in its tables, has a path to Network 5 through routers B, D and E. When Network 5 fails, Router E knows about it since it's directly connected to it and tells Router D about it on its next update (when it will broadcast its entire routing table). This will result in Router D stopping routing data to Network 5 through Router E. But as you can see in the above picture, routers A, B and C don't know about Network 5 yet, so they keep sending out update information. Router D will eventually send out its update and cause Router B to stop routing to Network 5, but routers A and C are still not updated. To them, it appears that Network 5 is still available through Router B with a metric of 3!

Now Router A sends its regular broadcast of its entire routing table, which includes reachability for Network 5. Routers C and B receive the wonderful news that Network 5 can be reached from Router A, so they send out the information that Network 5 is now available! From now on, any packet with a destination of Network 5 will go to Router A, then to Router B and from there back to Router A (remember that Router B got the good news that Network 5 is available via Router A). So this is where things get a bit messy and you have that wonderful loop, where data just gets passed around from one router to another. Seems like they are playing ping pong :)

To deal with these problems we use the following techniques:

Maximum Hop Count

The routing loop we just looked at is called "counting to infinity" and it is caused by gossip and wrong information being communicated between the routers. Without something to protect against this type of loop, the hop count will keep on increasing each time the packet goes through a router! One way of solving this problem is to define a maximum hop count. Distance Vector (RIP) permits a hop count of up to 15, so anything that needs 16 hops is unreachable. So if a loop occurred, it would go around the network until the packet reached a hop count of 15 and the next router would simply discard the packet.

Split Horizon

Works on the principle that it's never useful to send information about a route back to the neighbour from which that route was originally learned. So if for example I told you a joke, it's pointless you telling me that joke again! In our example it would have prevented Router A from sending the updated information it received from Router B back to Router B.

Route Poisoning

An alternative to split horizon: when a router receives information about a route from a particular network, the router advertises the route back to that network with a metric of 16, indicating that the destination is unreachable. In our example, this means that when Network 5 goes down, Router E initiates route poisoning by entering a table entry for Network 5 with a metric of 16, which basically means it's unreachable. This way, Router D is not susceptible to any incorrect updates about the route to Network 5. When Router D receives a route poisoning from Router E, it sends an update called a poison reverse back to Router E. This makes sure all routers on the segment have received the poisoned route information. Route poisoning, used with hold-downs (see the section below), will certainly speed up convergence time because the neighbouring routers don't have to wait 30 seconds before advertising the poisoned route.

Hold-Down Timers

Routers keep an entry for the network-down state, allowing time for other routers to recompute for this topology change; this gives the downed network time to come back, or the network time to stabilise somewhat, before the router changes to the next best route. When a router receives an update from a neighbor indicating that a previously accessible network is no longer working and is inaccessible, the hold-down timer starts. If a new update arrives from a neighbor with a better metric than the original network entry, the hold-down is removed and data is passed. But if an update is received from a neighbor router before the hold-down timer expires and it has the same or a worse metric than the previous route, the update is ignored and the hold-down timer keeps ticking. This allows more time for the network to converge. Hold-down timers use triggered updates, which reset the hold-down timer, to alert the neighbor routers of a change in the network. Unlike regular update messages from neighbor routers, triggered updates create a new routing table that is sent immediately to neighbor routers because a change was detected in the network. There are three instances when triggered updates will reset the hold-down timer:

1) The hold-down timer expires.

2) The router receives a processing task proportional to the number of links in the internetwork.

3) Another update is received indicating that the network status has changed.

In our example, any update received by Router B from Router A would not be accepted until the hold-down timer expires. This ensures that Router B will not receive a "false" update from any routers that are not aware that Network 5 is unreachable. Router B will then send an update and correct the other routers' tables.
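The counting-to-infinity loop, the maximum hop count of 16 and split horizon with poison reverse, run as a small Distance Vector simulation. This is an added example, not code from the page or from any router vendor; the chain A-B-C-D with Network 5 ("N5") behind Router D is constructed here and is not the page's five-router diagram.

```python
"""Distance Vector (RIP-style) simulation: counting to infinity versus
split horizon with poison reverse.  Constructed topology: A - B - C - D - N5."""
INFINITY = 16  # RIP: a metric of 16 means unreachable


class Router:
    def __init__(self, name, links, direct=()):
        self.name = name
        self.links = dict(links)                            # neighbour -> hop cost
        self.direct = {name: 0, **{n: 0 for n in direct}}   # directly connected = 0 hops
        self.last_adv = {nb: {} for nb in self.links}       # latest vector heard per neighbour
        self.table = {d: (c, None) for d, c in self.direct.items()}  # dest -> (metric, next hop)

    def advertisement(self, to, poison_reverse):
        """The distance vector this router sends to neighbour `to`."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            # Split horizon with poison reverse: a route learned from `to` is
            # sent back to `to` as unreachable instead of being repeated to it.
            adv[dest] = INFINITY if poison_reverse and next_hop == to else metric
        return adv

    def recompute(self):
        """Bellman-Ford: best metric per destination over all neighbours' vectors."""
        dests = set(self.direct)
        for adv in self.last_adv.values():
            dests.update(adv)
        new_table = {}
        for dest in sorted(dests):
            best = (self.direct.get(dest, INFINITY), None)
            for nb in sorted(self.links):
                via = self.links[nb] + self.last_adv[nb].get(dest, INFINITY)
                if via < best[0]:
                    best = (via, nb)
            new_table[dest] = (min(best[0], INFINITY), best[1])
        changed = new_table != self.table
        self.table = new_table
        return changed


def build_chain():
    return {
        "A": Router("A", {"B": 1}),
        "B": Router("B", {"A": 1, "C": 1}),
        "C": Router("C", {"B": 1, "D": 1}),
        "D": Router("D", {"C": 1}, direct=["N5"]),   # Network 5 hangs off Router D
    }


def exchange_round(routers, poison_reverse):
    """One 30-second update cycle: everyone sends, then everyone recomputes."""
    advs = [(r.name, nb, r.advertisement(nb, poison_reverse))
            for r in routers.values() for nb in r.links]
    for frm, to, adv in advs:
        routers[to].last_adv[frm] = adv
    changed = [r.recompute() for r in routers.values()]   # list, so no short-circuit
    return any(changed)


def converge(routers, poison_reverse, limit=100):
    """Run update cycles until one changes nothing; return the cycles used."""
    for cycles in range(1, limit + 1):
        if not exchange_round(routers, poison_reverse):
            return cycles
    raise RuntimeError("did not converge")


def simulate_failure(poison_reverse):
    """Converge, then take Network 5 down.  Returns (cycles to re-converge,
    the metric Router A held for N5 after each cycle, final N5 metrics)."""
    routers = build_chain()
    converge(routers, poison_reverse)
    if routers["A"].table["N5"] != (3, "B"):
        raise RuntimeError("unexpected initial state")
    routers["D"].direct["N5"] = INFINITY   # the link to Network 5 fails
    routers["D"].recompute()               # D notices at once: it is directly connected
    history = []
    for cycles in range(1, 101):
        changed = exchange_round(routers, poison_reverse)
        history.append(routers["A"].table["N5"][0])
        if not changed:
            break
    final = {name: r.table["N5"][0] for name, r in routers.items()}
    return cycles, history, final


if __name__ == "__main__":
    for flag in (False, True):
        cycles, history, final = simulate_failure(flag)
        print("poison reverse" if flag else "plain RIP", cycles, "cycles", history)
```

Without poison reverse Router A's metric climbs 3, 5, 7, ... until the 16-hop ceiling finally declares Network 5 unreachable; with it, the bad news stops bouncing between neighbours and the chain settles in four cycles.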

Link State Routing Protocols


Introduction

Link State protocols, unlike Distance Vector protocols which use broadcasts, use multicast. Multicast is a "broadcast" to a group of hosts, in this case routers (please see the multicast page for more information). So if I had 10 routers of which 4 were part of a "multicast group" then, when I send out a multicast packet to this group, only these 4 routers will receive the updates, while the rest of them will simply ignore the data. The multicast addresses are usually 224.0.0.5 & 224.0.0.6; these addresses are defined by the IGRP (Interior Gateway Routing Protocol). Link State routing protocols do not view networks in terms of adjacent routers and hop counts, but build a comprehensive view of the overall network which fully describes all possible routes along with their costs. Using the SPF (Shortest Path First) algorithm, the router creates a "topological database", which is a hierarchy reflecting the network routers it knows about. It then puts itself at the top of this hierarchy, and has a complete picture from its own perspective.


When a router using a Link State protocol, such as OSPF (Open Shortest Path First), knows about a change on the network, it will multicast this change instantly, thereby flooding the network with this information. The information routers require to build their databases is provided in the form of Link State Advertisement packets (LSAP). Routers do not advertise their entire routing tables; instead each router advertises only its information regarding immediately adjacent routers. Link State protocols, in comparison to Distance Vector protocols, have:

- Big memory requirements
- Shortest path computations require many CPU cycles
- If the network is stable, little bandwidth is used; they react quickly to topology changes
- Announcements cannot be filtered. All items in the database must be sent to neighbours
- All neighbours must be trusted
- Authentication mechanisms can be used to avoid undesired adjacencies
- No split horizon techniques are possible

Even though Link State protocols work more efficiently, problems can arise. Usually problems occur because of changes in the network topology (links go up and down), and not all routers get updated immediately because they might be on different line speeds; therefore, routers connected via a fast link will receive these changes faster than the others on a slower link. Different techniques have been developed to deal with these problems and these are:

1) Dampen update frequency

2) Target link-state updates to multicast

3) Use link-state area hierarchy for topology

4) Exchange route summaries at area borders

5) Use time-stamps, update numbering & counters

6) Manage partitions using an area hierarchy

Please select one of the following Link State routing protocols: Open Shortest Path First - OSPF


Hybrid Routing Protocols


Introduction

Hybrid routing protocols are something in between Distance Vector and Link State routing protocols. Please select the Hybrid protocol you want to read about: Enhanced Interior Gateway Routing Protocol - EIGRP

Routing Information Protocol - RIP


Introduction

Routing Information Protocol (RIP) is a true Distance Vector routing protocol. It sends the complete routing table out to all active interfaces every 30 seconds. RIP only uses hop count to determine the best way to a remote network, and it has a maximum allowable hop count of 15, meaning that 16 is deemed unreachable. RIP works well in small networks, but it is inefficient on large networks with slow WAN links or on networks with a large number of routers installed. RIP comes in two different versions. RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask. This is because RIP version 1 does not include the subnet mask when it sends updates. RIP v1 uses broadcasts (255.255.255.255). RIP version 2 does include the subnet mask, however, and this is what we call classless routing (check the Subnetting section for more details). RIP v2 uses multicasts (224.0.0.9) to update its routing tables. RIP works with the following timers:

Route Update Timer: Sets the interval, usually 30 seconds, between periodic routing updates, in which the router sends a complete copy of its routing table out to all neighbor routers.

Route Invalid Timer: Determines the length of time that must expire, usually 90 seconds, before the router determines that a route is invalid. It will come to this conclusion if it doesn't hear any updates about that route for that period. When the timer expires, the router will send out an update to its neighbors letting them know that the route is invalid.

Route Flush Timer: Sets the time between a route becoming invalid and its removal from the routing table (240 secs). Before it's removed, the router will notify its neighbors of that route's impending doom!

The value of the route invalid timer must be less than that of the route flush timer. This is to provide the router with enough time to tell its neighbors about the invalid route before the routing table is updated.

Open Shortest Path First (OSPF) Routing Protocol


Introduction

Open Shortest Path First (OSPF) is a routing protocol developed for Internet Protocol (IP) networks by the interior gateway protocol (IGP) working group of the Internet Engineering Task Force (IETF). The working group was formed in 1988 to design an IGP based on the shortest path first (SPF) algorithm for use in the Internet. Similar to the Interior Gateway Routing Protocol (IGRP), OSPF was created because in the mid-1980s the Routing Information Protocol (RIP) was increasingly unable to serve large, heterogeneous internetworks. OSPF is a classless routing protocol, which means that in its updates it includes the subnet of each route it knows about, thus enabling variable-length subnet masks. With variable-length subnet masks, an IP network can be broken into many subnets of various sizes. This provides network administrators with extra network configuration flexibility. These updates are multicast to specific addresses (224.0.0.5 and 224.0.0.6). The cool 3D diagram below shows us the information that each field of an OSPF packet contains:

Analysis Of "Type" Field

All OSPF packets begin with a 24-byte header, which is shown right above. There is however one field I would like to give a bit more attention to, and this is the "Type" field, which is 1 byte long. As illustrated in the diagram, the "Type" field identifies the OSPF packet type as one of the following:

Hello: Establishes and maintains neighbor relationships.

Database Description: Describes the contents of the topological database. These messages are exchanged when an adjacency is initialized.

Link-state Request: Requests pieces of the topological database from neighbor routers. These messages are exchanged after a router discovers (by examining database-description packets) that parts of its topological database are out of date.

Link-state Update: Responds to a link-state request packet. These messages are also used for the regular dispersal of Link-State Advertisements (LSAs). Several LSAs can be included within a single link-state update packet.

Link-state Acknowledgment: Acknowledges link-state update packets.
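A parser for the 24-byte OSPFv2 header and its "Type" field, as an added example that is not part of the page. The field layout and the type codes 1 to 5 are taken from RFC 2328 (the page names the five types but not their numeric codes); the sample Hello packet is constructed in the block, not captured from a network.

```python
"""Parse and verify the 24-byte OSPFv2 packet header; sample bytes are constructed."""
import struct
from ipaddress import IPv4Address

# RFC 2328 type codes, in the order the page lists the five packet types.
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link-state Request",
              4: "Link-state Update", 5: "Link-state Acknowledgment"}
# version | type | packet length | router ID | area ID | checksum | AuType | authentication
HEADER_FMT = "!BBHIIHH8s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
CHECKSUM_OFFSET = 12


def ones_complement_sum(data):
    """Standard Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(packet):
    """OSPF checksum: the whole packet except the 64-bit authentication field,
    with the checksum field itself taken as zero (AuType 0, null authentication)."""
    body = bytearray(packet[:16] + packet[24:])
    struct.pack_into("!H", body, CHECKSUM_OFFSET, 0)
    return ones_complement_sum(bytes(body))


def build_packet(ptype, router_id, area_id, body):
    """Build an OSPFv2 packet with a correct length and checksum."""
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, 2, ptype, length, int(IPv4Address(router_id)),
                         int(IPv4Address(area_id)), 0, 0, b"\x00" * 8)
    packet = bytearray(header + body)
    struct.pack_into("!H", packet, CHECKSUM_OFFSET, ospf_checksum(bytes(packet)))
    return bytes(packet)


def parse_header(packet):
    """Validate the header and return its fields; raises ValueError on a bad packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    version, ptype, length, rid, aid, csum, autype, _auth = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if version != 2:
        raise ValueError("unsupported OSPF version %d" % version)
    if ptype not in OSPF_TYPES:
        raise ValueError("unknown OSPF packet type %d" % ptype)
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field %d does not fit the packet" % length)
    if ospf_checksum(packet[:length]) != csum:
        raise ValueError("OSPF checksum mismatch")
    return {"version": version, "type": OSPF_TYPES[ptype], "type_code": ptype,
            "length": length, "router_id": str(IPv4Address(rid)),
            "area_id": str(IPv4Address(aid)),
            "autype": autype}          # 0 means the packet carries no authentication


# Constructed Hello body (RFC 2328 layout): network mask, hello interval,
# options, router priority, dead interval, DR, BDR; no neighbours listed.
HELLO_BODY = struct.pack("!IHBBIII", int(IPv4Address("255.255.255.0")), 10, 0x02, 1, 40, 0, 0)
SAMPLE_HELLO = build_packet(1, "192.168.0.1", "0.0.0.0", HELLO_BODY)

if __name__ == "__main__":
    print(parse_header(SAMPLE_HELLO))
```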

OSPF has two primary characteristics:


1) The protocol is open (non-proprietary), which means that its specification is in the public domain. The OSPF specification is published as Request For Comments (RFC) 1247.

2) The second principal characteristic is that OSPF is based on the SPF algorithm, which is sometimes referred to as the Dijkstra algorithm, named for the person credited with its creation.

OSPF is a Link State routing protocol that calls for the sending of link-state advertisements (LSAs) to all other routers within the same hierarchical area. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm to calculate the shortest path to each node. As a Link State routing protocol, OSPF contrasts with RIP and IGRP, which are Distance Vector routing protocols. Routers running the Distance Vector algorithm send all or a portion of their routing tables in routing-update messages to their neighbors. Additional OSPF features include equal-cost multipath routing, and routing based on upper-layer type-of-service (TOS) requests. TOS-based routing supports those upper-layer protocols that can specify particular types of service. An application, for example, might specify that certain data is urgent. If OSPF has high-priority links at its disposal, these can be used to transport the urgent datagram. OSPF supports one or more metrics. If only one metric is used, it is considered to be arbitrary, and TOS is not supported. If more than one metric is used, TOS is optionally supported through the use of a separate metric (and, therefore, a separate routing table) for each of the eight combinations created by the three IP TOS bits (the delay, throughput, and reliability bits). If, for example, the IP TOS bits specify low delay, low throughput, and high reliability, OSPF calculates routes to all destinations based on this TOS designation.
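The SPF (Dijkstra) computation over a link-state database, as described in the Link State section and in point 2 above: every router floods an LSA listing only its adjacent routers, and each router then puts itself at the top of the tree it builds from the shared database. This is an added example, not the page's or any OSPF implementation's code; the four-router database and its link costs are constructed.

```python
"""Shortest Path First over a constructed link-state database (LSDB)."""
import heapq
from itertools import count

# Each router's LSA lists only its directly adjacent routers and the link costs.
LSDB = {
    "A": {"B": 10, "C": 5},
    "B": {"A": 10, "C": 3, "D": 2},
    "C": {"A": 5, "B": 3, "D": 8},
    "D": {"B": 2, "C": 8},
}


def spf(lsdb, root):
    """Build the SPF tree with `root` on top; return dest -> (cost, first hop).

    A link is used only if both ends advertise it (the two-way check OSPF makes),
    so a stale one-sided LSA cannot pull traffic onto a link that is gone."""
    dist = {root: 0}
    first_hop = {}
    done = set()
    order = count()                                   # tie-breaker for the heap
    heap = [(0, next(order), root, None)]
    while heap:
        cost, _, node, hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if hop is not None:
            first_hop[node] = hop
        for nb, link_cost in lsdb.get(node, {}).items():
            if node not in lsdb.get(nb, {}):          # not advertised from both ends
                continue
            new_cost = cost + link_cost
            if new_cost < dist.get(nb, float("inf")):
                dist[nb] = new_cost
                # the first hop is the router the path leaves `root` through
                heapq.heappush(heap, (new_cost, next(order), nb, nb if hop is None else hop))
    return {d: (dist[d], first_hop[d]) for d in dist if d != root}


def routing_tables(lsdb):
    """Every router runs SPF on the same database, each from its own perspective."""
    return {router: spf(lsdb, router) for router in lsdb}


if __name__ == "__main__":
    for router, table in routing_tables(LSDB).items():
        print(router, table)
```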

Interior Gateway Protocol - IGRP

Introduction

Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary Distance Vector routing protocol. This means that all your routers must be Cisco routers in order to use IGRP in your network; keep in mind that Windows 2000 now supports it as well, because they have bought a licence from Cisco to use the protocol! Cisco created this routing protocol to overcome the problems associated with RIP. IGRP has a maximum hop count of 255 with a default of 100. This is helpful in larger networks and solves the problem of there being only 15 hops maximum possible in a RIP network. IGRP also uses a different metric from RIP. IGRP uses the bandwidth and delay of the line by default as a metric for determining the best route to an internetwork. This is called a composite metric. Reliability, load and Maximum Transmission Unit (MTU) can also be used, although they are not used by default. IGRP has a set of timers to enhance its performance and functionality:

Update Timer: These specify how frequently routing update messages should be sent. The default is 90 seconds.

Invalid Timers: These specify how long a router should wait before declaring a route invalid if it doesn't receive a specific update about it. The default is three times the update period.

Holddown Timers: These specify the holddown period. The default is three times the update timer period plus 10 seconds.

Route Flush Timer: These indicate how much time should pass before a route should be flushed from the routing table. The default is seven times the routing period.
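Route ageing with the update, invalid, hold-down and flush timers described in the RIP and IGRP sections, plus the hold-down rule from the Distance Vector section (a better metric lifts the hold-down, an equal or worse one is ignored). This is an added example, not the page's or Cisco's code. The RIP values 30/90/240 and the IGRP values derived from the 90-second update timer come from the page; the RIP hold-down of 180 seconds is an assumption, and the flush timer is measured here from the last update heard, which is what makes the page's "invalid must be less than flush" rule meaningful.

```python
"""Route entry ageing under RIP/IGRP-style timers (constructed scenario)."""
INFINITY = 16

RIP_TIMERS = {"update": 30, "invalid": 90, "holddown": 180, "flush": 240}   # holddown assumed
IGRP_TIMERS = {"update": 90, "invalid": 3 * 90, "holddown": 3 * 90 + 10, "flush": 7 * 90}


class Route:
    def __init__(self, metric, next_hop, now):
        self.metric, self.next_hop, self.last_heard = metric, next_hop, now
        self.last_good = metric        # metric the route had before it went down
        self.invalid_since = None
        self.holddown_until = None


class AgeingTable:
    def __init__(self, update, invalid, holddown, flush):
        if not invalid < flush:
            # The page's rule: the router needs time to tell its neighbours the
            # route is invalid before the entry disappears from the table.
            raise ValueError("invalid timer must be less than the flush timer")
        self.update, self.invalid, self.holddown, self.flush = update, invalid, holddown, flush
        self.routes = {}

    def next_update_at(self, last_sent):
        """When the next full-table update is due."""
        return last_sent + self.update

    def learn(self, dest, metric, next_hop, now):
        """Process one advertised route; returns what the router did with it."""
        metric = min(metric, INFINITY)
        r = self.routes.get(dest)
        if r is None:
            if metric >= INFINITY:
                return "ignored"
            self.routes[dest] = Route(metric, next_hop, now)
            return "learned"
        if r.holddown_until is not None and now < r.holddown_until:
            if metric < r.last_good:             # a better metric lifts the hold-down
                self.routes[dest] = Route(metric, next_hop, now)
                return "accepted"
            return "held"                        # same or worse: ignored, timer keeps ticking
        if metric >= INFINITY and next_hop == r.next_hop:
            self._go_down(r, now)                # our own next hop poisoned the route
            return "poisoned"
        if next_hop == r.next_hop or metric < r.metric:
            r.metric, r.next_hop, r.last_heard, r.last_good = metric, next_hop, now, metric
            r.invalid_since = None
            return "refreshed"
        return "ignored"

    def _go_down(self, r, now):
        r.metric = INFINITY                      # still advertised, but as unreachable
        r.invalid_since = now
        r.holddown_until = now + self.holddown

    def tick(self, now):
        """Run the timers; returns the events that happened at this instant."""
        events = []
        for dest, r in list(self.routes.items()):
            age = now - r.last_heard
            if r.invalid_since is None and age >= self.invalid:
                self._go_down(r, now)
                events.append("%s invalid" % dest)
            if age >= self.flush:                # flush measured from the last update heard
                del self.routes[dest]
                events.append("%s flushed" % dest)
        return events

    def advertise(self):
        """What goes out in the next update: invalid routes carry metric 16."""
        return {dest: r.metric for dest, r in self.routes.items()}
```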

Enhanced Interior Gateway Routing Protocol - EIGRP

Introduction

Enhanced Interior Gateway Routing Protocol (EIGRP) is another Cisco proprietary, hybrid (it has features of Distance Vector and Link State protocols), interior gateway protocol (IGP) used by routers to exchange routing information. EIGRP uses a composite metric composed of Bandwidth, Delay, Reliability and Loading to determine the best path between two locations. EIGRP can route IP, IPX and AppleTalk. Along with IS-IS, it is one of the few multiprotocol routing protocols. The Diffusing Update Algorithm (DUAL) is the heart of EIGRP. In essence, DUAL always keeps a backup route in mind, in case the primary route goes down. DUAL also limits how many routers are affected when a change occurs to the network. There is no maximum allowable number of hops. In an EIGRP network, each router multicasts "hello" packets to discover its adjacent neighbors. This adjacency database is shared with other routers to build a topology database. From the topology database the best route (Successor) and the second best route (Feasible Successor) are found. EIGRP is classless, meaning it does include the subnet mask in routing updates. However, by default 'auto summary' is enabled. You must disable it if you want subnet information from other major networks. The EIGRP metric can be a complex calculation, but by default it only uses bandwidth and delay to determine the best path.

Routed Protocols

Introduction

We all understand that TCP/IP and IPX/SPX are protocols which are used in a Local Area Network (LAN) so computers can communicate with each other and with other computers on the Internet.

Chances are that in your LAN you are most probably running TCP/IP. This protocol is what we call a "routed" protocol. The term "routed" refers to something which can be passed on from one place (network) to another. In the example of TCP/IP, this is when you construct a data packet and send it across to another computer on the Internet. This ability to use TCP/IP to send data across networks and the Internet is the main reason it's so popular and dominant. If you're also thinking of NetBeui and IPX/SPX, then note that NetBeui is not a routed protocol, but IPX/SPX is! The reason for this is actually in the information a packet holds when it uses one of these protocols.

Let me explain: if you looked at a TCP/IP or IPX/SPX packet, you would notice that they both contain a "network" layer. For TCP/IP, this translates to the IP layer (Layer 3); as for IPX/SPX, it's the IPX layer (Layer 3). To make it easy to understand, I will use TCP/IP as an example. In the picture below, you can see a TCP/IP packet within an Ethernet II frame (the frame is like an "envelope" which encapsulates the TCP/IP packet):

Looking closely, you will notice that Layer 3 (Network Layer) contains the IP header. It is within this section that the computer puts the Source and Destination IP number. Thanks to the existence of this IP header, we are able to put a destination IP which can be one that's not on our network, and the computer will figure it out after completing a simple calculation and know if it needs to send this data to the router for it to be sent to its destination. You can read more on Layer 3 by visiting the OSI page. IPX/SPX contains a similar field which gives it the same ability, which is to send packets over to different networks.

NetBeui on the other hand has no such information! This means that NetBeui has no information about the destination network to which it needs to send the data, as it was developed for LAN use only, or you could say that all hosts are considered to be on the same logical network and all resources are considered to be local. This classifies NetBeui as a "non-routed" protocol.

The IP Routing Process


Introduction

We are going to take a look at what happens when routing occurs on a network. When I was new to the networking area, I thought that all you needed was the IP Address of the machine you wanted to contact, but little did I know. You actually need a bit more information than just the IP Address! The process we are going to explain is fairly simple and doesn't really change, no matter how big your network is.


The Example: In our example, we have 2 networks, Network A and Network B. Both networks are connected via a router (Router A) which has 2 interfaces: E0 and E1. These interfaces are just like the interface on your network card (RJ-45), but built into the router. Now, we are going to describe step by step what happens when Host A (Network A) wants to communicate with Host B (Network B) which is on a different network.

1) Host A opens a command prompt and enters >Ping 200.200.200.5.

2) IP works with the Address Resolution Protocol (ARP) to determine which network this packet is destined for by looking at the IP address and the subnet mask of Host A. Since this is a request for a remote host, which means it is not destined for a host on the local network, the packet must be sent to the router (the gateway for Network A) so that it can be routed to the correct remote network (which is Network B).

3) Now, for Host A to send the packet to the router, it needs to know the hardware address of the router's interface which is connected to its network (Network A); in case you didn't realise, we are talking about the MAC (Media Access Control) address of interface E0. To get the hardware address, Host A looks in its ARP cache, a memory location where these MAC addresses are stored for a few seconds.

4) If it doesn't find it in there, it means that either a long time has passed since it last contacted the router or it simply hasn't resolved the IP address of the router (192.168.0.1) to a hardware address (MAC). So it then sends an ARP broadcast. This broadcast contains the following: "What is the hardware (MAC) address for IP 192.168.0.1?". The router identifies that IP address as its own and must answer, so it sends back to Host A a reply, giving it the MAC address of its E0 interface. This is also one of the reasons why sometimes the first "ping" will time out: because it takes some time for an ARP to be sent and the requested machine to respond with its MAC address, by the time all that happens, the TTL (Time To Live) of the first ping packet has expired, so it times out!

5) The router responds with the hardware address of its E0 interface, to which the 192.168.0.1 IP is bound. Host A now has everything it needs in order to transmit a packet out on the local network to the router. Now, the Network Layer hands down to the Datalink Layer the packet it generated with the ping (ICMP echo request), along with the hardware address of the router. This packet includes the source and destination IP address as well as the ICMP echo request which was specified in the Network Layer.

6) The Datalink Layer of Host A creates a frame, which encapsulates the packet with the information needed to transmit on the local network. This includes the source and destination hardware address (MAC) and the type field which specifies the Network Layer protocol, e.g. IPv4 (that's the IP version we use) or ARP. At the end of the frame, in the FCS portion of the frame, the Datalink Layer will stick a Cyclic Redundancy Check (CRC) so that the receiving machine (the router) can figure out whether the frame it received has been corrupted. To learn more on how the frame is created, visit the Data Encapsulation - Decapsulation section.

7) The Datalink Layer of Host A hands the frame to the Physical Layer, which encodes the 1s and 0s into a digital signal and transmits this out on the local physical network.

8) The signal is picked up by the router's E0 interface, which reads the frame. It will first do a CRC check and compare it with the CRC value Host A added to this frame, to make sure the frame is not corrupt.

9) After that, the destination hardware address (MAC) of the received frame is checked. Since this will be a match, the type field in the frame will be checked to see what the router should do with the data packet. IP is in the type field, and the router hands the packet to the IP protocol running on the router. The frame is stripped and the original packet that was generated by Host A is now in the router's buffer.

10) IP looks at the packet's destination IP address to determine if the packet is for the router. Since the destination IP address is 200.200.200.5, the router determines from the routing table that 200.200.200.0 is a directly connected network on interface E1.

11) The router places the packet in the buffer of interface E1. The router needs to create a frame to send the packet to the destination host. First, the router looks in the ARP cache to determine whether the hardware address has already been resolved from a prior communication. If it is not in the ARP cache, the router sends an ARP broadcast out E1 to find the hardware address of 200.200.200.5.


12) Host B responds with the hardware address of its network interface card with an ARP reply. The router's E1 interface now has everything it needs to send the packet to the final destination.

13) The frame generated from the router's E1 interface has the source hardware address of the E1 interface and the destination hardware address of Host B's network interface card. However, the most important thing here is that even though the frame's source and destination hardware addresses changed at every interface of the router it was sent to and from, the IP source and destination addresses never changed. The packet was never modified at all; only the frame changed.

14) Host B receives the frame and runs a CRC. If that checks out, it discards the frame and hands the packet to IP. IP will then check the destination IP address. Since the IP destination address matches the IP configuration of Host B, it looks in the protocol field of the packet to determine the purpose of the packet.

15) Since the packet is an ICMP echo request, Host B generates a new ICMP echo reply packet with a source IP address of Host B and a destination IP address of Host A. The process starts all over again, except that it goes in the opposite direction. However, the hardware address of each device along the path is already known, so each device only needs to look in its ARP cache to determine the hardware (MAC) address of each interface.
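The 15 steps above, and the "simple calculation" the Routed Protocols section mentions (comparing the destination with the host's own network through the subnet mask), as a small simulation. This is an added example, not the page's code: the IP addresses are the page's (Host A is assumed to be 192.168.0.2, Router A's E1 to be 200.200.200.1), the MAC addresses are constructed, and, as real ARP does, a device that answers an ARP request also caches the asker's address, which is why the reply path needs no new ARP.

```python
"""Host A -> Router A -> Host B: ARP, framing and forwarding, step by step."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Packet:            # Layer 3: source and destination IP never change on the way
    src_ip: str
    dst_ip: str
    payload: str


@dataclass(frozen=True)
class Frame:             # Layer 2: rewritten at every hop
    src_mac: str
    dst_mac: str
    ethertype: str
    packet: Packet


class Segment:
    """One local network (Network A or Network B); ARP requests are broadcast here."""
    def __init__(self):
        self.ports = []
        self.arp_requests = 0

    def arp(self, asker, target_ip):
        """'What is the hardware (MAC) address for IP target_ip?'"""
        self.arp_requests += 1
        for port in self.ports:
            if port.ip == target_ip:
                port.node.arp_cache[asker.ip] = asker.mac   # the target learns the asker too
                return port.mac
        return None


class Port:
    def __init__(self, node, cidr, mac, segment):
        self.node, self.iface, self.mac, self.segment = node, IPv4Interface(cidr), mac, segment
        self.ip = self.iface.ip
        segment.ports.append(self)


class Node:
    def __init__(self, name, gateway=None, forwards=False):
        self.name, self.forwards = name, forwards           # a router forwards, a host does not
        self.gateway = IPv4Address(gateway) if gateway else None
        self.ports, self.arp_cache, self.sent, self.received = [], {}, [], []

    def add_port(self, cidr, mac, segment):
        self.ports.append(Port(self, cidr, mac, segment))

    def route(self, dst_ip):
        """Steps 2 and 10: on a directly connected network?  Otherwise use the gateway."""
        dst = IPv4Address(dst_ip)
        for port in self.ports:
            if dst in port.iface.network:                   # (dst AND mask) == (our IP AND mask)
                return port, dst
        for port in self.ports:
            if self.gateway is not None and self.gateway in port.iface.network:
                return port, self.gateway
        raise ValueError("%s has no route to %s" % (self.name, dst_ip))

    def send(self, packet):
        port, next_hop = self.route(packet.dst_ip)
        mac = self.arp_cache.get(next_hop)                  # steps 3 and 11: ARP cache first
        if mac is None:                                     # steps 4 and 12: ARP broadcast
            mac = port.segment.arp(port, next_hop)
            self.arp_cache[next_hop] = mac
        frame = Frame(port.mac, mac, "IPv4", packet)        # step 6: new frame, same packet
        self.sent.append(frame)
        for other in port.segment.ports:                    # step 7: the whole segment sees it
            if other.mac == frame.dst_mac:                  # step 9: only the addressed NIC keeps it
                other.node.receive(frame)

    def receive(self, frame):
        self.received.append(frame)
        packet = frame.packet
        if any(p.ip == IPv4Address(packet.dst_ip) for p in self.ports):
            return                                          # step 14: for us, hand it to IP
        if self.forwards:
            self.send(packet)                               # steps 10 to 13: router forwards


def build_network():
    """Host A -- Network A -- Router A (E0, E1) -- Network B -- Host B (constructed MACs)."""
    net_a, net_b = Segment(), Segment()
    host_a = Node("Host A", gateway="192.168.0.1")
    host_a.add_port("192.168.0.2/24", "00:aa:00:00:00:0a", net_a)
    router = Node("Router A", forwards=True)
    router.add_port("192.168.0.1/24", "00:aa:00:00:00:e0", net_a)      # E0
    router.add_port("200.200.200.1/24", "00:aa:00:00:00:e1", net_b)    # E1
    host_b = Node("Host B", gateway="200.200.200.1")
    host_b.add_port("200.200.200.5/24", "00:aa:00:00:00:0b", net_b)
    return host_a, router,  host_b, net_a, net_b


if __name__ == "__main__":
    host_a, router, host_b, net_a, net_b = build_network()
    host_a.send(Packet("192.168.0.2", "200.200.200.5", "ICMP echo request"))
    for frame in host_a.sent + router.sent:
        print(frame)
```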

Hubs & Repeaters

Introduction

Here we will talk about hubs and explain how they work. In the next section we will move to switches and how they differ from hubs, how they work and the types of switching methods that are available; we will also compare them.

Before we start there are a few definitions which I need to speak about so you can understand the terminology we will be using.

Domain: Defined as a geographical area or logical area (in our imagination) where anything in it becomes part of the domain. In computer land, this means that when something happens in this domain (area) every computer that's part of it will see or hear everything that happens in it.

Collision Domain: Putting it simply, whenever a collision between two computers occurs, every other computer within the domain will hear and know about the collision. These computers are said to be in the same collision domain. As you're going to see later on, when computers connect together using a hub they become part of the same collision domain. This doesn't happen with switches.

Broadcast Domain: A domain where every broadcast (a broadcast is a frame or data which is sent to every computer) is seen by all computers within the domain. Hubs and switches do not break up broadcast domains. You need a router to achieve this.

There are different devices which can break up collision domains and broadcast domains and make the network a lot faster and more efficient. Switches create separate collision domains but not broadcast domains. Routers create separate broadcast and collision domains. Hubs are too simple to do either; they can't create separate collision or broadcast domains.

Hubs & Repeaters

Hubs and repeaters are basically the same, so we will be using the term "Hub" to keep things simple. Hubs are common today in every network. They are the cheapest way to connect two or more computers together. Hubs are also known as Repeaters and work on the first layer of the OSI model. They are said to work on the first layer because of the function they perform. They don't read the data frames at all (like switches and routers do); they only make sure the frame is repeated out on each port, and that's about it. The nodes that share an Ethernet or Fast Ethernet LAN using the CSMA/CD rules are said to be in the same collision domain. In plain English, this means that all nodes connected to a hub are part of the same collision domain. In a collision domain, when a collision occurs everyone in that domain/area will hear it and will be affected. The Ethernet section talks about CSMA/CD and collision domains since they are part of the rules under which Ethernet functions. The picture below shows a few hubs: an 8 port Netgear and a Dlink hub.

The computers (nodes) connect to the hub using Unshielded Twisted Pair cable (UTP). Only one node can be connected to each port of the hub. The pictured hub has a total of 8 ports, which means up to 8 computers can be networked.

When hubs were not that common and also expensive, most offices and home networks used to install coax cable. The way hubs work is quite simple and straightforward: when a computer on any one of the eight ports transmits data, this is replicated and sent out to the other seven ports. Check out the picture below, which shows it clearly.

EXPLANATION:

Node 1 is transmitting some data to Node 6, but all nodes are receiving the data as well. This data will be rejected by the rest of the nodes once they figure out it's not for them.

This is accomplished by the node's network card reading the destination MAC address of the frame (data) it receives; it examines it, sees that it doesn't match its own and therefore discards the frame. Please see the Datalink layer in the OSI section for more information on MAC addresses. Most hubs these days also have a special port which can function as a normal port or as an "uplink" port. An uplink port allows you to connect another hub to the existing one, increasing the number of ports available to you. This is a cheap solution when you need to get a few more computers networked, and it works quite well up to a point.

This is how 2 eight port hubs would look when connected via the uplink port, and how the data is replicated to all 16 ports:

In the above picture you can see that Node 1 is again transmitting data to Node 6 and that every other node connected to the hubs is receiving the information. As we said, this is a pretty good and cheap solution, but as the network gets busier, you can clearly understand that there is going to be a lot of unnecessary data flowing all over the network. All nodes here are in the same broadcast and collision domain, since they will hear every broadcast and collision that occurs.

This is the same situation you get when you use coax cable, where every node or computer is connected onto the same cable and the data that's put onto it travels along the cable and is received by every computer.

You probably also noticed the two orange boxes labelled "50 Ohm". These are called terminating resistors and are used on both ends of the coax cable so that when the signal gets to them it's absorbed, and that way you don't get the signal reflecting back. Think of them as shock absorbers, where the data signal is the shock wave which gets absorbed when it reaches the terminating resistors.

The coax cable can be up to 185 meters long and can contain no more than 30 nodes per segment. What you're looking at in the above picture is one segment 25 meters long with 4 nodes attached to it. Now coming back to the hubs, there are a few standard features most of them have; these include a link and activity LED for each port, a power LED and a collision LED. Some hubs have separate link lights and activity lights, others combine them into one, where the link light will flash when there is activity and otherwise remains constantly on. The Netgear hub which is displayed at the beginning of this page has two separate LEDs for activity and link, but the Compex hub below has only one.

This little hub also contains a special BNC connection so you can connect a coax cable to it.

When you do connect it, the BNC light comes on. Notice the label at the top where they have written "8 port Ethernet Repeater".

As we have already said, hubs are just simple repeaters.

The collision light on the hubs will only light up when a collision is detected. A collision is when 2 computers or nodes try to talk on the network at the same time. When this happens, their frames will collide and become corrupted. The hubs are smart enough to detect this and will light up the collision LED for a small amount of time (1/10 of a second for each collision). If you find yourself wondering why they couldn't make things work so that more than two computers can talk on the network at once, then I would ask you to visit the Ethernet section, where all this is explained in detail. Collisions, the fact that only one computer can talk on the network at any given time, and the cabling rules are all part of the Ethernet rules. Remember that any node connected to a hub becomes part of the same collision domain.
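To make the repeating and the per-node filtering concrete, here is a small Python model of a hub. It is an added example written for this section, not code from the original text, and the hub and node names, port numbers and MAC addresses in it are constructed. It shows a frame being copied out of every other port, the NICs keeping only the frame addressed to them, an uplinked second hub receiving the same copy, and two nodes transmitting in the same instant producing a collision that every node on both hubs hears.

```python
"""Toy model of a hub (repeater) and the NICs attached to it.

Added example, not from the original text: the hub/node names, port numbers
and MAC addresses below are constructed for illustration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Nic:
    """A node's network card. It reads the destination MAC of every frame the
    hub repeats to it, keeps the frame only if it is addressed to this node
    (or to broadcast) and silently discards the rest."""

    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.accepted, self.discarded, self.errors = [], 0, 0

    def receive(self, frame):
        if frame.get("corrupt"):
            self.errors += 1             # garbage from a collision; the CRC would fail
            return False
        if frame["dst"] in (self.mac, BROADCAST):
            self.accepted.append(frame)  # destination MAC matches: keep it
            return True
        self.discarded += 1              # not for this node: dropped
        return False


class Hub:
    """Layer 1 device: whatever enters one port is repeated out of every other
    port without being looked at, and on through the uplink if one is connected."""

    def __init__(self, name):
        self.name = name
        self.nics = {}           # port number -> Nic
        self.uplink = None       # another Hub joined through the uplink port
        self.collisions = 0      # how often the collision LED lit up

    def attach(self, port, nic):
        self.nics[port] = nic

    def connect_uplink(self, other):
        self.uplink, other.uplink = other, self

    def repeat(self, frame, exclude_port=None, came_from=None):
        """Return the names of the nodes that accepted the frame."""
        reached = []
        for port, nic in self.nics.items():
            if port != exclude_port and nic.receive(frame):
                reached.append(nic.name)
        if self.uplink is not None and self.uplink is not came_from:
            reached += self.uplink.repeat(frame, came_from=self)
        return reached


def time_slot(hub, transmissions):
    """Deliver the frames sent on `hub` in one instant ([(port, frame), ...]).
    Two or more at once is a collision: every node in the collision domain,
    uplinked hubs included, hears only corrupted data and nothing is delivered."""
    if len(transmissions) > 1:
        hub.collisions += 1
        for port, frame in transmissions:
            hub.repeat(dict(frame, corrupt=True), exclude_port=port)
        return []
    port, frame = transmissions[0]
    return hub.repeat(frame, exclude_port=port)


def make_hub(name, first_node):
    """An 8 port hub with a node on every port (constructed sample network)."""
    hub = Hub(name)
    for port in range(1, 9):
        n = first_node + port - 1
        hub.attach(port, Nic(f"node{n}", f"00:00:00:00:00:{n:02x}"))
    return hub


def heard_by(*hubs):
    """Number of NICs that received a frame, whether they kept it or not."""
    return sum(len(n.accepted) + n.discarded for h in hubs for n in h.nics.values())


def demo_single_hub():
    # Node 1 sends to Node 6: all seven other NICs see the frame, one keeps it.
    hub = make_hub("hub1", 1)
    frame = {"src": hub.nics[1].mac, "dst": hub.nics[6].mac, "data": b"hello"}
    return time_slot(hub, [(1, frame)]), heard_by(hub)


def demo_uplink():
    # Two 8 port hubs joined via the uplink: the frame is repeated to 15 NICs.
    hub1, hub2 = make_hub("hub1", 1), make_hub("hub2", 9)
    hub1.connect_uplink(hub2)
    frame = {"src": hub1.nics[1].mac, "dst": hub2.nics[6].mac, "data": b"hello"}
    return time_slot(hub1, [(1, frame)]), heard_by(hub1, hub2)


def demo_collision():
    # Node 1 and Node 3 transmit in the same instant on the uplinked hubs.
    hub1, hub2 = make_hub("hub1", 1), make_hub("hub2", 9)
    hub1.connect_uplink(hub2)
    f1 = {"src": hub1.nics[1].mac, "dst": hub1.nics[2].mac, "data": b"one"}
    f3 = {"src": hub1.nics[3].mac, "dst": hub1.nics[4].mac, "data": b"three"}
    delivered = time_slot(hub1, [(1, f1), (3, f3)])
    affected = sum(1 for h in (hub1, hub2) for n in h.nics.values() if n.errors)
    return delivered, hub1.collisions, affected


if __name__ == "__main__":
    print(demo_single_hub())   # (['node6'], 7)
    print(demo_uplink())       # (['node14'], 15)
    print(demo_collision())    # ([], 1, 16)
```

The three demos return (['node6'], 7), (['node14'], 15) and ([], 1, 16): one frame seen by 7 and then 15 network cards, and one collision that corrupts data for all 16 nodes in the domain. The discard counters are the practical point: on a hub the only thing keeping one node's frames away from another is the receiving card's own destination MAC check, so a hub gives no isolation between nodes and every added hub or uplink just widens the collision domain.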

Switches & Bridges

Introduction

By now you can see the limitations of a simple hub, and when you also read about Ethernet you start to understand that there are even more limitations. The companies who manufacture hubs saw the big picture quickly and came out with something more efficient, bridges, and then the switches came along! Bridges are analysed later on in this section.

Switching Technology

As we mentioned earlier, hubs work at the first layer of the OSI model and simply receive and transmit information without examining any of it.

Switches (Layer 2 Switching) are a lot smarter than hubs and operate on the second layer of the OSI model. What this means is that a switch won't simply receive data and transmit it throughout every port; it will read the data and find out the packet's destination by checking the MAC address. The destination MAC address is always located at the beginning of the packet, so once the switch reads it, the packet is forwarded to the appropriate port and no other node or computer connected to the switch will see it. Switches use Application Specific Integrated Circuits (ASICs) to build and maintain filter tables. Layer 2 switches are a lot faster than routers because they don't look at the Network Layer (that's Layer 3) header or, if you like, information. Instead, all they look at is the frame's hardware address (MAC address) to determine where the frame needs to be forwarded or if it needs to be dropped. If we had to point out a few features of switches we would say:

They provide hardware based bridging (MAC addresses)
They work at wire speed, therefore have low latency
They come in 3 different types: Store & Forward, Cut Through and Fragment Free (analysed later)

Below is a picture of two typical switches. Notice how they look similar to hubs, but they aren't. It's just that the difference is on the inside!

The Three Stages

All switches, regardless of the brand and the various enhancements they carry, have something in common: the three stages (sometimes 2 stages) they go through when powered up and during operation. These are as follows:

Address Learning
Forward/Filter decisions
Loop Avoidance (Optional)

Let's have a look at them to get a better understanding!

Address Learning

When a switch is powered on, the MAC filtering table is empty. When a device transmits and an interface receives a frame, the switch places the source address in the MAC filtering table, remembering the interface on which the device is located. The switch has no choice but to flood the network with this frame because it has no idea where the destination device is located.

If a device answers and sends a frame back, then the switch will take the source address from that frame and place the MAC address in the database, associating this address with the interface that received the frame.

Since the switch now has two MAC addresses in the filtering table, the devices can make a point to point connection and the frames will only be forwarded between the two devices. This makes layer 2 switches better than hubs. As we explained earlier on this page, in a hub network all frames are forwarded out to all ports every time. Most desktop switches these days can hold up to 8000 MAC addresses in their table, and once the table is filled, then starting with the very first MAC entry, the switch will start overwriting the entries. Even though the number of entries might sound big, it only takes a minute or two to fill it up, and if a workstation doesn't talk on the network for that amount of time, then chances are that its MAC address has been removed from the table and the switch will forward out all ports any packet which has this particular workstation as its destination.

And after the first frame has been successfully received by Node 2, Node 2 sends a reply to Node 1; check out what happens:

Notice how the frame is not transmitted to every node on the switch. The switch by now has already learned that Node 1 is on the first port, so it sends it straight there without delay. From now on, any communication between the two will be a point to point connection:

Forward/Filter Decision

When a frame arrives at the switch, the first step is to check the destination hardware address, which is compared to the forward/filter MAC database. If the destination hardware address is known, then the switch will transmit the frame out the correct port, but if the destination hardware address is not known, then it will broadcast the frame out of all ports except the one it received it from. If a device (computer) answers the broadcast, then the MAC address of that device is added to the MAC database of the switch.

Loop Avoidance (Optional)

It's always a good idea to have a redundant link between your switches, in case one decides to go on holiday. But when you set up redundant switches in your network to stop failures, you can create problems. Have a look at the picture below and I'll explain:

The above picture shows an example of two switches which have been placed in the network to provide redundancy in case one fails. Both switches have their first port connected to the upper section of the network, while their port 2 is connected to the lower section of the same network. This way, if Switch A fails, then Switch B takes over, or vice versa. Things will work fine until a broadcast comes along and causes a lot of trouble. For the simplicity of this example, I am not going to show any workstations, but only the server which is going to send a broadcast over the network. Keep in mind that this is what happens in real life if your switch does not support the Spanning Tree Protocol (STP); this is why I stuck the "Optional" next to "Loop Avoidance" at the start of this section:

It might look a bit messy and crazy at first glance, but let me explain what is going on here. The Server, for one reason or another, decides to do a broadcast. This First Round (check arrow) broadcast is sent down to the network cable and first reaches Port 1 on Switch A. As a result, since Switch A has Port 2 connected to the other side of the LAN, it sends the broadcast out to the lower section of the network; this is then sent down the wire and reaches Port 2 on Switch B, which will send it out Port 1 and back onto the upper part of the network. At this point, as the arrows indicate (orange colour), the Second Round of this broadcast starts. So again... the broadcast reaches Port 1 of Switch A and goes out Port 2 back down to the lower section of the network and back up via Port 2 of Switch B. After it comes out of Port 1 of Switch B, we get the Third Round, and then the Fourth Round, Fifth Round, and it keeps on going without stopping.....! This is what we call a Broadcast Storm. A Broadcast Storm will repeat constantly, chewing up the valuable bandwidth on the network. This is a major problem, so they had to solve it one way or another, and they did... with the Spanning Tree Protocol, or STP in short.
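The three stages described above, address learning, the forward/filter decision and loop avoidance, as a Python simulation added here (it is not code from the original text; the switch names, port numbers, segment names, MAC addresses and table sizes are constructed). A Switch learns source MACs per port, forwards a known destination out of one port and floods unknown or broadcast destinations; a Lan joins switch ports to shared segments. demo_storm() wires Switch A and Switch B between the upper and lower segments as in the picture, sends one broadcast from the server and counts transmissions, once with the loop left in place and once with the redundant port on Switch B shut down, which is what the next paragraph describes STP doing.

```python
"""Toy model of a learning switch: address learning, the forward/filter
decision, and the broadcast storm two redundantly connected switches produce
until loop avoidance shuts one redundant port down.

Added example, not from the original text: the switch names, port numbers,
segment names, MAC addresses and table sizes are constructed for illustration.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, name, ports, table_size=8000):
        self.name = name
        self.ports = list(ports)
        self.blocked = set()             # ports shut down by loop avoidance
        self.table_size = table_size     # entries the MAC filtering table can hold
        self.mac_table = OrderedDict()   # MAC -> port, oldest entry first

    def learn(self, src, in_port):
        """Address learning: remember the port a source MAC was seen on."""
        if src in self.mac_table:
            del self.mac_table[src]      # re-insert so the entry becomes the newest
        elif len(self.mac_table) >= self.table_size:
            self.mac_table.popitem(last=False)   # table full: overwrite the oldest entry
        self.mac_table[src] = in_port

    def forward(self, in_port, src, dst):
        """Forward/filter decision: return the ports the frame goes out of."""
        if in_port in self.blocked:
            return []                    # a blocked port neither receives nor sends
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            # Known destination: one port only, or filtered if it is already there
            return [] if out == in_port or out in self.blocked else [out]
        # Unknown destination or broadcast: flood every other open port
        return [p for p in self.ports if p != in_port and p not in self.blocked]


class Lan:
    """Shared segments (the upper and lower cable in the text). A frame placed
    on a segment is heard by every switch port attached to it."""

    def __init__(self):
        self.attached = {}               # (switch, port) -> segment name

    def connect(self, switch, port, segment):
        self.attached[(switch, port)] = segment

    def transmit(self, segment, src, dst, max_transmissions=50):
        """Put one frame on `segment` and count transmissions until the frame
        dies out; reaching the cap means it is looping (a broadcast storm)."""
        pending = [(segment, None)]      # (segment, switch that put the frame there)
        transmissions = 0
        while pending and transmissions < max_transmissions:
            seg, sender = pending.pop(0)
            transmissions += 1
            for (sw, port), attached in self.attached.items():
                if attached != seg or sw is sender:
                    continue             # a switch does not hear its own transmission
                for out_port in sw.forward(port, src, dst):
                    pending.append((self.attached[(sw, out_port)], sw))
        return transmissions


def demo_learning():
    """Node 1 (port 1) sends to Node 2 (port 2), then Node 2 replies."""
    sw = Switch("S1", ports=[1, 2, 3, 4])
    first = sw.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:02")  # unknown: flooded
    reply = sw.forward(2, "00:00:00:00:00:02", "00:00:00:00:00:01")  # known: one port
    return first, reply, dict(sw.mac_table)


def demo_table_overflow():
    """A two-entry table makes the overwrite visible: once a station's entry
    is gone, frames addressed to it are flooded to every port again."""
    sw = Switch("S2", ports=[1, 2, 3], table_size=2)
    for port in (1, 2, 3):
        sw.forward(port, f"00:00:00:00:00:0{port}", BROADCAST)   # third one evicts :01
    return sw.forward(2, "00:00:00:00:00:02", "00:00:00:00:00:01")


def demo_storm(with_stp):
    """Switch A and Switch B both join the upper and lower segments; the
    server on the upper segment sends one broadcast."""
    a, b = Switch("A", ports=[1, 2]), Switch("B", ports=[1, 2])
    if with_stp:
        b.blocked.add(2)                 # loop avoidance shuts the redundant link down
    lan = Lan()
    lan.connect(a, 1, "upper")
    lan.connect(a, 2, "lower")
    lan.connect(b, 1, "upper")
    lan.connect(b, 2, "lower")
    return lan.transmit("upper", "00:00:00:00:00:aa", BROADCAST)


if __name__ == "__main__":
    print(demo_learning())            # ([2, 3, 4], [1], {'00:00:00:00:00:01': 1, '00:00:00:00:00:02': 2})
    print(demo_table_overflow())      # [1, 3]
    print(demo_storm(with_stp=False)) # 50: still looping when the cap is hit
    print(demo_storm(with_stp=True))  # 2: the server's frame plus Switch A's one copy
```

Without the blocked port the broadcast never dies out and transmit() stops only at its cap of 50; with Port 2 of Switch B shut down the same broadcast is transmitted exactly twice, once by the server and once by Switch A onto the lower segment. demo_table_overflow() is the capacity point made in the text, scaled down from 8000 entries to two so it can be watched: a station whose entry has been overwritten gets its frames flooded to every port until it speaks again, which matters for performance and for the isolation a switch is normally expected to provide.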

Page 1078 of 1765

W h a t S T P d o e s , i s t o f i n d t h e r e d u n d a n t l i n k s , w h i c h

Page 1079 of 1765

t h i s c a s e w o u l d b e P o r t 2 o f S w i t c h B a n d s h u t i t d o w

Page 1080 of 1765

n , t h u s e l i m i n a t i n g t h e p o s i b i l i t y o f l o o p i n g t o o c c u

Page 1081 of 1765

r . L a n S w i t c h T y p e s A t t h e b e g i n i n g o f t h i s p a g e w e s

Page 1082 of 1765

a i d t h a t t h e s w i t c h e s a r e f a s t , t h e r e f o r h a v e l o w l a t

Page 1083 of 1765

e n c y . T h i s l a t e n c y d o e s v a r y a n d d e p e n d s o n w h a t t y p e

Page 1084 of 1765

o f s w i t c h i n g m o d e t h e s w i t c h i s o p e r a t i n g a t . Y o u m i

Page 1085 of 1765

g h t r e c a l l s e e i n g t h e s e t h r e e s w i t c h i n g m o d e s a t t h e

Page 1086 of 1765

b e g i n n i n g : S t o r e & F o r w a r d , C u t T h r o u g h a n d F r a g m e n t

Page 1087 of 1765

F r e e . T h e p i c t u r e b e l o w s h o w s h o w f a r t h e d i f f e r e n t s

Page 1088 of 1765

w i t c h i n g m o d e s c h e c k t h e f r a m e :

S o w h a t d o e s t h i

Page 1089 of 1765

s a l l m e a n ? S w i t c h i n g m o d e s ? I D o n ' t u n d e r s t a n d ! L

Page 1090 of 1765

e t ' s E x p l a i n !

T h e f a c t i s t h a t s w i t c h e s c a n o p e r a t e

Page 1091 of 1765

i n o n e o f t h e t h r e e m o d e s . S o m e a d v a n c e s w i t c h e s w i l l

Page 1092 of 1765

a l l o w y o u t o a c t u a l l y p i c k t h e m o d e y o u w o u l d l i k e i

Page 1093 of 1765

t t o o p e r a t e i n , w h i l e o t h e r s d o n ' t g i v e y o u a n y c h o i

Page 1094 of 1765

c e . L e t ' s h a v e a q u i c k l o o k a t e a c h m o d e : S t o r e & F o r

Page 1095 of 1765

w a r d m o d e T h i s i s o n e o f t h e m o s t p o p u l a r s w t i c h i n g m

Page 1096 of 1765

e t h o d s . I n t h i s m o d e , w h e n t h e s w i t c h r e c e i v e s a f r a m

Page 1097 of 1765

e f r o m o n e o f i t ' s p o r t s , i t w i l l s t o r e i t i n m e m o r y ,

Page 1098 of 1765

c h e c k i t f o r e r r o r s a n d c o r r u p t i o n , a n d i f i t p a s s e s

Page 1099 of 1765

t h e t e s t , i t w i l l f o r w a r d t h e f r a m e o u t t h e d e s i g n a t

Page 1100 of 1765

e d p o r t , o t h e r w i s e , i f i t d i s c o v e r s t h a t t h e f r a m e h a

Page 1101 of 1765

s e r r o r s o r i s c o r r u p t , i t w i l l d i s c a r d i t . T h i s m e t h

Page 1102 of 1765

o d i s t h e s a f e s t , b u t a l s o h a s t h e h i g h e s t l a t e n c y .

Page 1103 of 1765

Cut Through (Real Time)

Cut Through switching is the second most popular method. In this mode, the switch reads the frame only until it learns the destination MAC address of the frame it's receiving. Once it learns it, it will forward the frame straight out the designated port without delay. This is why we say it's Real Time: there is no delay and no error checking done to the frame.

Fragment Free

The Fragment Free switching method is mainly used to check for frames which have been subject to a collision. Only the frame's first 64 bytes are checked before forwarding the frame out the designated port. The reason for this is that almost all collisions will happen within the first 64 bytes of a frame. If there is corruption in the first 64 bytes, it's most likely that the frame was the victim of a collision.

Just keep one important detail in mind: when you go out to buy a switch, make sure you check the amount of memory it has. A lot of the cheap switches which support the Store & Forward mode have very small memory buffers (256KB to 512KB) per port. The result of this is that you get a major decrease in performance when you have more than 2 computers communicating via that switch, because there isn't enough memory to store all incoming packets (this also depends on the switching type your switch supports), and you eventually get packets being discarded.
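Added example, not from the original page: a small Python model of the three forwarding methods on constructed Ethernet frames. It shows that only Store & Forward verifies the frame check sequence, that Cut Through forwards a frame corrupted past the destination MAC, and that Fragment Free drops only runts; the frames and the corruption are constructed here.

```python
"""Model of switch forwarding modes on constructed Ethernet frames.

Added example, not code from the original page.
  store-and-forward: buffer the whole frame, verify the FCS, then forward
  cut-through:       forward as soon as the 6-byte destination MAC is read
  fragment-free:     forward once 64 bytes have arrived (collision fragments
                     are shorter than that); no FCS check
"""
import struct
import zlib

MIN_FRAME = 64   # minimum Ethernet frame length in bytes, FCS included
DST_MAC_LEN = 6  # a cut-through switch decides after these bytes


def crc32_fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything before the FCS, little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame with a correct FCS, padded to the minimum size."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + crc32_fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing FCS matches the frame contents."""
    return len(frame) >= 4 and frame[-4:] == crc32_fcs(frame[:-4])


def forward_decision(mode: str, frame: bytes) -> dict:
    """What a switch in `mode` does with `frame` and how much of it was read first."""
    if mode == "cut-through":
        # Decides after the destination MAC; a damaged payload is never seen.
        if len(frame) < DST_MAC_LEN:
            return {"forward": False, "read": len(frame), "reason": "no destination MAC"}
        return {"forward": True, "read": DST_MAC_LEN, "reason": "destination MAC read"}
    if mode == "fragment-free":
        # Waits for 64 bytes so collision fragments (runts) are not forwarded.
        if len(frame) < MIN_FRAME:
            return {"forward": False, "read": len(frame), "reason": "runt (collision fragment)"}
        return {"forward": True, "read": MIN_FRAME, "reason": "first 64 bytes received"}
    if mode == "store-and-forward":
        # Buffers everything and checks the FCS before forwarding.
        if len(frame) < MIN_FRAME:
            return {"forward": False, "read": len(frame), "reason": "runt"}
        if not fcs_ok(frame):
            return {"forward": False, "read": len(frame), "reason": "FCS mismatch"}
        return {"forward": True, "read": len(frame), "reason": "whole frame verified"}
    raise ValueError(f"unknown switching mode: {mode}")


def compare_modes(frame: bytes) -> dict:
    """Forwarding verdict of each mode for the same frame."""
    modes = ("cut-through", "fragment-free", "store-and-forward")
    return {m: forward_decision(m, frame)["forward"] for m in modes}


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD_FRAME = build_frame(DST, SRC, 0x0800, b"A" * 80)   # 98 bytes on the wire
_damaged = bytearray(GOOD_FRAME)
_damaged[70] ^= 0xFF                                      # bit errors past byte 64
CORRUPT_FRAME = bytes(_damaged)
RUNT_FRAME = GOOD_FRAME[:40]                              # cut short by a collision

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("corrupt", CORRUPT_FRAME), ("runt", RUNT_FRAME)):
        print(f"{name:8s} {compare_modes(frame)}")
```

The corrupted frame crosses a Cut Through or Fragment Free switch untouched and is only rejected by the receiving host's NIC, which is why interface error counters on end stations matter when such switches are in the path.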

The table below is a guide on what amounts of memory you should be looking at for switches of different configurations:

Bridges

Bridges are really just like switches, but there are a few differences which we will mention, but not expand upon. These are the following:

Bridges are software based, while switches are hardware based because they use an ASIC chip to help them make filtering decisions.
Bridges can only have one spanning tree instance per bridge, while switches can have many.
Bridges can only have up to 16 ports, while a switch can have hundreds!

Introduction To Routers

Introduction

Welcome to the Routers section. Here we will analyse routers in quite some depth: what they do and how they work. I point out to you that you should have some knowledge of the OSI model and understand how data is sent across the network medium. If you find the information a bit too confusing or don't quite understand it, I would suggest you go back to the networking section and do some reading on the OSI model and Protocols. You will find information on Cisco routers at the end of this page.

What are they and what do they do?

Routers are very common today in every network area; this is mainly because every network these days connects to some other network, whether it's the Internet or some other remote site. Routers get their name from what they do.... which is route data from one network to another.

For example, if you had a company which had an office in Sydney and another one in Melbourne, then to connect the two you would use a leased line to which you would connect a router at each end. Any traffic which needs to travel from one site to another will be routed via the routers, while all the other unnecessary traffic is filtered (blocked), thus saving you valuable bandwidth and money.

There are two types of routers: 1) Hardware routers 2) Software routers.

So what's the difference? When people talk about routers, they usually don't use the terms "hardware" or "software" router, but we are, for the purpose of distinguishing between the two. Hardware routers are small boxes which run special software created by their vendors to give them the routing capability, and the only thing they do is simply route data from one network to another. Most companies prefer hardware routers because they are faster and more reliable, even though their cost is considerably more when compared with a software router. So what does a hardware router look like? Check the picture below, it displays a Cisco 1600 and 2500 series router along with a Netgear RT338 router. They look like a small box and run special software as we said.

[Figure: Cisco 1600 Series Router, Cisco 2500 Series Router, Netgear RT338 Router]

Software routers do the same job as the above hardware routers (route data), but they don't come in small flashy boxes. A software router could be an NT server, NetWare server or Linux server. All network servers have built in routing capabilities.

Most people use them for Internet gateways and firewalls, but there is one big difference between the hardware and software routers. You cannot (in most cases) simply replace the hardware router with a software router. Why? Simply because the hardware router has the necessary hardware built in to allow it to connect to the special WAN link (frame relay, ISDN, ATM etc), whereas your software router (e.g. an NT server) would have a few network cards, one of which connects to the LAN and the other goes to the WAN via the hardware router. I have seen a few cards in the market which allow you to connect an ISDN line directly into them. With these special cards, which retail from $5000 to $15000 depending on their capacity, you don't need the hardware router. But as you can understand, it's a much cheaper solution to buy a hardware router. Plus, the hardware routers are far more advanced and faster than the software routers since they don't have to worry about anything else but routing data, and the special electronic components they have in them are developed with this in mind.

The Flash image below shows us what a router does when it receives packets from the LAN or the Internet. Depending on the source and destination, it will pass them to the other network or send them to the Internet. The router is splitting the below network into 2. Each network has a hub to which all computers on that network connect. Furthermore, the router has one interface connected to each network and one connected to the Internet; this allows it to pass the packets to the right destination:

[Flash animation]

The picture below illustrates a router's place in the Local Area Network (LAN):

[Picture]

In the example shown, the workstations see the router as their "gateway". This means that any machine on this LAN that wants to send a packet (data) to the Internet or anywhere outside its Local Area Network (LAN) will send the packet via the gateway. The router (gateway) will know where it needs to send it from there on so it can arrive at its destination.

This explains the reason you need to add an Internet Protocol (IP) number for a gateway, when you have a LAN at home or in the office, in your TCP/IP network properties on your Windows workstation. The above figure shows only one example of how routers connect so the LAN gets Internet access. Let's have a look at how 2 offices would use routers to connect them:

[Picture]

The routers in the above picture connect using a particular WAN protocol, e.g. ISDN.

In reality, there would be a cable (provided by your service provider) which connects to the "WAN" interface of the router, and from there the signal goes straight to your service provider's network and eventually ends up at the other router's WAN interface.

Depending on the type of router you get, it will support one of the most commonly used WAN protocols: ISDN, Frame Relay, ATM, HDLC, PPP. These protocols are discussed in the protocols section.

It's important to note down and remember a few of the main features of a router:

Routers are Layer 3 devices
Routers will not propagate broadcasts, unless they are programmed to
Most serious routers have their own operating system
Routers use special protocols between them to exchange information about each other (not data)

[Flash animation]

The above flash shows you how routers on the Internet work. In the example, your computer which is located on the left is requesting data from a web server, and the web server is responding to your computer by sending it the requested data. The path which is taken for all transactions will not remain the same, but will change, depending on the traffic and best routes available.

Now that you have a good idea of what a router looks like and what its purpose is, we are going to have a good look at one of the most popular router brands: Cisco. Please choose one of the following sections:

Basics of Cisco routers: Learn the basics for the popular Cisco routers
The Modes in a Cisco router: Learn how to configure Cisco routers
Routing Protocols: Common protocols routers use to communicate and exchange information

Basics Of Cisco Routers

Introduction

Cisco is well known for its routers and switches. I must admit they are very good quality products and once they are up and running, you can pretty much forget about them because they rarely fail.

We are going to focus on routers here since that's the reason you clicked on this page!

Cisco has a number of different routers, amongst them are the popular 1600 series, 2500 series and 2600 series. The ranges start from the 600 series and go up to the 12000 series (now we are talking about a lot of money). Below are a few of the routers mentioned:

[Figure: Cisco 7200 Series and other Cisco router series]

All the above equipment runs special software called the Cisco Internetwork Operating System or IOS. This is the kernel of Cisco routers and most switches. Cisco has created what they call Cisco Fusion, which is supposed to make all Cisco devices run the same operating system. We are going to begin with the basic components which make up a Cisco router (and switches) and I will be explaining what they are used for, so grab that tea or coffee and let's get going!

The basic components of any Cisco router are:
1) Interfaces
2) The Processor (CPU)
3) Internetwork Operating System (IOS)
4) RXBoot Image
5) RAM
6) NVRAM
7) ROM
8) Flash memory
9) Configuration Register

Now I just hope you haven't looked at the list and thought "Stuff this, it looks hard and complicated" because I assure you, it's less painful than you might think! In fact, once you read it a couple of times, you will find all of it easy to remember and understand.

Interfaces

These allow us to use the router! The interfaces are the various serial ports or Ethernet ports which we use to connect the router to our LAN. There are a number of different interfaces but we are going to hit the basic stuff only. Here are some of the names Cisco has given some of the interfaces: E0 (first Ethernet interface), E1 (second Ethernet interface), S0 (first Serial interface), S1 (second Serial interface), BRI 0 (first B channel for Basic ISDN) and BRI 1 (second B channel for Basic ISDN). In the picture below you can see the back view of a Cisco router; you can clearly see the various interfaces it has (we are only looking at ISDN routers):

[Picture]

You can see that it even has phone sockets! Yes, that's normal since you have to connect a digital phone to an ISDN line, and since this is an ISDN router, it has this option with the router. I should, however, explain that you don't normally get routers with ISDN S/T and ISDN U interfaces together. Any ISDN line requires a Network Terminator (NT) installed at the customer's premises and you connect your equipment after this terminator. An ISDN S/T interface doesn't have the NT device built in, so you need an NT device in order to use the router. On the other hand, an ISDN U interface has the NT device built in to the router. Check the picture below to see how to connect the router using the different ISDN interfaces:

[Picture]

Apart from the ISDN interfaces, we also have an Ethernet interface that connects to a device in your LAN, usually a hub or a computer. If connecting to a Hub uplink port, then you set the small switch to "Hub", but if connecting to a PC, you need to set it to "Node". This switch will simply convert the cable from a straight through (Hub) to a crossover (Node):

[Picture]

The Config or Console port is a female DB9 connector which you connect, using a special cable, to your computer's serial port, and it allows you to directly configure the router.

The Processor (CPU)

All Cisco routers have a main processor that takes care of the main functions of the router. The CPU generates interrupts (IRQ) in order to communicate with the other electronic components in the router. The Cisco routers utilise Motorola RISC processors. Usually the CPU utilisation on a normal router wouldn't exceed 20%.

The IOS

The IOS is the main operating system on which the router runs. The IOS is loaded upon the router's bootup. It usually is around 2 to 5MB in size, but can be a lot larger depending on the router series. The IOS is currently on version 12, and Cisco periodically releases minor versions every couple of months, e.g. 12.1, 12.3 etc., to fix small bugs and also add extra functionality. The IOS gives the router its various capabilities and can also be updated or downloaded from the router for backup purposes. On the 1600 series and above, you get the IOS on a PCMCIA Flash card. This Flash card then plugs into a slot located at the back of the router and the router loads the IOS "image" (as they call it). Usually this image of the operating system is compressed, so the router must decompress the image in its memory in order to use it. The IOS is one of the most critical parts of the router; without it the router is pretty much useless. Just keep in mind that it is not necessary to have a flash card (as described above with the 1600 series router) in order to load the IOS. You can actually configure most Cisco routers to load the image off a network tftp server or from another router which might hold multiple IOS images for different routers, in which case it will have a large capacity Flash card to store these images.

The RXBoot Image

The RXBoot image (also known as Bootloader) is nothing more than a "cut down" version of the IOS located in the router's ROM (Read Only Memory). If you had no Flash card to load the IOS from, you can configure the router to load the RXBoot image, which would give you the ability to perform minor maintenance operations and bring various interfaces up or down.

The RAM

The RAM, or Random Access Memory, is where the router loads the IOS and the configuration file. It works exactly the same way as your computer's memory, where the operating system loads along with all the various programs. The amount of RAM your router needs is subject to the size of the IOS image and configuration file you have. To give you an indication of the amounts of RAM we are talking about, in most cases smaller routers (up to the 1600 series) are happy with 12 to 16 MB, while the bigger routers with larger IOS images would need around 32 to 64 MB of memory. Routing tables are also stored in the system's RAM, so if you have large and complex routing tables, you will obviously need more RAM! When I tried to upgrade the RAM on a Cisco 1600 router, I unscrewed the case and opened it and was amazed to find a 72 pin SIMM slot where you needed to attach the extra RAM. For those who don't know what a 72 pin SIMM is, it's basically the type of RAM the older Pentium socket 7 CPUs took, back in '95. This type of memory was replaced by today's standard 168 pin DIMMs or SDRAM.

The NVRAM (Non-Volatile RAM)

The NVRAM is a special memory place where the router holds its configuration. When you configure a router and then save the configuration, it is stored in the NVRAM. This memory is not big at all when compared with the system's RAM. On a Cisco 1600 series, it is only 8 KB, while on bigger routers, like the 2600 series, it is 32 KB. Normally, when a router starts up, after it loads the IOS image it will look into the NVRAM and load the configuration file in order to configure the router. The NVRAM is not erased when the router is reloaded or even switched off.

ROM (Read Only Memory)

The ROM is used to start and maintain the router. It contains some code, like the Bootstrap and POST, which helps the router do some basic tests and boot up when it's powered on or reloaded. You cannot alter any of the code in this memory as it has been set from the factory and is Read Only.

Flash Memory

The Flash memory is that card I spoke about in the IOS section. All it is, is an EEPROM (Electrically Erasable Programmable Read Only Memory) card. It fits into a special slot normally located at the back of the router and contains nothing more than the IOS image(s). You can write to it or delete its contents from the router's console. Usually it comes in sizes of 4MB for the smaller routers (1600 series) and goes up from there depending on the router model.

Configuration Register

Keeping things simple, the Configuration Register determines if the router is going to boot the IOS image from its Flash, a tftp server, or just load the RXBoot image. This register is a 16 bit register, in other words it has 16 zeros or ones. A sample of it in hex would be the following: 0x2102, and in binary it is: 0010 0001 0000 0010.
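Added example, not from the original page: a small Python decoder for the 16-bit configuration register described above, run over the page's own sample value 0x2102. The boot-field behaviour (Flash, tftp via boot commands, or RXBoot) is what this page describes; the meaning of the other bits (ignore the NVRAM configuration, console Break disabled, ROM fallback) and the "Configuration register is ..." line of show version are taken from Cisco's documented layout, not from this page, and the audit at the end is the kind of check a reviewer would run on a saved show version output.

```python
"""Decode and audit a Cisco configuration register value.

Added example, not code from the original page. Bit layout assumed here
follows Cisco's documented register layout:
  bits 0-3  boot field: 0x0 ROM monitor, 0x1 RXBoot image from ROM,
            0x2-0xF boot the IOS image from Flash (or as 'boot system'
            commands direct it, e.g. a tftp server)
  bit 6     0x0040  ignore the startup configuration stored in NVRAM
  bit 8     0x0100  console Break key disabled after boot
  bit 13    0x2000  fall back to ROM software if a network boot fails
"""

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_FALLBACK = 0x2000


def to_binary_groups(value: int) -> str:
    """Render the 16-bit register as four nibbles: 0x2102 -> '0010 0001 0000 0010'."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    bits = format(value, "016b")
    return " ".join(bits[i:i + 4] for i in range(0, 16, 4))


def boot_source(boot_field: int) -> str:
    """Where the router looks for its operating system, from the low nibble."""
    if boot_field == 0x0:
        return "ROM monitor"
    if boot_field == 0x1:
        return "RXBoot image from ROM"
    return "IOS image from Flash (or per 'boot system' commands, e.g. tftp)"


def decode_register(value: int) -> dict:
    """Break the register into the fields the router acts on at boot."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "hex": f"0x{value:04X}",
        "binary": to_binary_groups(value),
        "boot_field": boot_field,
        "boot_source": boot_source(boot_field),
        "ignore_nvram_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback_on_netboot_fail": bool(value & ROM_FALLBACK),
    }


def audit_register(value: int) -> list:
    """Findings a reviewer would raise for a production router. An empty list
    means the router boots its full IOS image with the saved configuration."""
    reg = decode_register(value)
    findings = []
    if reg["ignore_nvram_config"]:
        findings.append("NVRAM startup-config is ignored at boot (0x0040 set): "
                        "the router comes up without its saved configuration")
    if reg["boot_field"] in (0x0, 0x1):
        findings.append(f"boot field {reg['boot_field']:#x}: router will not load the full IOS image")
    if not reg["break_disabled"]:
        findings.append("console Break is honoured after boot (bit 8 clear)")
    return findings


def parse_show_version_line(line: str) -> int:
    """Pull the register out of the 'Configuration register is 0x....' line that
    show version prints (line format assumed from that command's output)."""
    marker = "Configuration register is "
    if marker not in line:
        raise ValueError("no configuration register in line")
    token = line.split(marker, 1)[1].split()[0]
    return int(token, 16)


if __name__ == "__main__":
    # Constructed sample values: the page's 0x2102, a config-bypass value, an RXBoot value.
    for reg in (0x2102, 0x2142, 0x2101):
        print(decode_register(reg))
        print("  findings:", audit_register(reg) or "none")
```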

Cisco Router Modes

Introduction

From my personal experience, I have noticed that the lower end routers (600-1400) use different commands than the mid to upper range routers (1600 and above). The commands we are going to talk about here cover most aspects of the 1600, 1700, 2500, 2600, 3600 series. Most are the same, but there are always a few variations to these commands depending on the interfaces your router has, IOS version, and the type of WAN protocols they support. Because there is such a wide range of interfaces on a router and also a lot of different versions of the Cisco IOS, I decided to stick to an example where our router is running IOS version 12 and has one ISDN S/T (without NT terminator) interface and one Ethernet interface. That's a total of 2 interfaces. I understand that this is quite a specific example, but it would take an enormous amount of time and effort to cover all cases.

Now, when you power up a Cisco router, it will first run a POST test to ensure all hardware is ok, and then look into the Flash to load the IOS. Once the IOS is loaded, it will then check the NVRAM for any configuration file. Since this is a new router, it won't find any, so the router will go into "setup mode".

Setup Mode

The setup mode is a step-by-step process which helps you configure basic aspects of the router. When using this setup mode, you actually have 2 options:
1) Basic Management Setup, which configures only enough connectivity for management of the system.
2) Extended Setup, which allows you to configure some global parameters and interfaces.

It should be noted that when you are prompted to enter a value at the console prompt, whatever is between the square brackets [] is considered to be a default value. In other words, if you hit enter without entering anything, the value in those brackets will be set for the specific question. I'll try to keep this as simple and straightforward as possible.

Cisco routers have different configuration modes (depending on the router model), and by this I mean there are different modes in which different aspects of the router can be configured. These are:
1) User Exec Mode (>)
2) Privileged Mode (#), which has as a subset the Global Configuration mode

To be able to get into either User Exec or Privileged mode, you will most likely need a password. This password is set during the initial configuration of the router or later on. Once in Privileged Mode, you can then enter Global Configuration Mode (password not needed to enter this mode) to then further configure interfaces, routing protocols, access lists and more. The picture below shows you a quick view of the modes. Notice the red arrow: it's pointing towards the Global Configuration Mode and Privileged mode, meaning that some of the specific configuration modes can be entered from Global Configuration Mode and others from Privileged mode:

[Picture]

Cisco Basics: User Exec Mode

Introduction

Let's see what it looks like to be in each one of these modes. Here I have telneted into our lab router and I am in User Exec Mode:

[Screenshot]

The easiest way to keep track of the mode you're in is by looking at the prompt. The ">" means we are in User Exec Mode. From this mode, we are able to get information like the version of IOS, contents of the Flash memory and a few others. Now, let's check out the available commands in this mode. This is done by using the "?" command and hitting enter:

[Screenshot]

Wow, see all those commands available? And just to think that this is considered a small portion of the total commands available when in Privileged Mode! Keep in mind that when you're in the console and configuring your router, you can use some shortcuts to save you typing full command lines. Some of these are:

Tab: By typing the first few letters of a command and then hitting the TAB key, it will automatically complete the rest of the command. Where there is more than one command starting with the same characters, when you hit TAB all those commands will be displayed. In the picture above, if I were to type "lo" and hit TAB, I would get a listing of "lock, login and logout" because all 3 commands start with "lo".

?: The question mark symbol "?" forces the router to print a list of all available commands. A lot of the commands have various parameters or interfaces which you can combine. In this case, by typing the main command, e.g. "show", and then putting the "?", you will get a list of the subcommands. This picture shows this clearly:

[Screenshot]

Other shortcut keys are:
CTRL A: Positions the cursor at the beginning of the line.
CTRL E: Positions the cursor at the end of the line.
CTRL D: Deletes a character.
CTRL W: Deletes a whole word.
CTRL B: Moves the cursor back by one step.
CTRL F: Moves the cursor forward by one step.

One of the most used commands in this mode is the "Show" command. This will allow you to gather a lot of information about the router. Here I have executed the "Show version" command, which displays various information about the router:

[Screenshot]

The "Show Interface <interface>" command shows us information on a particular interface. This includes the IP address, encap

Page 1377 of 1765

s u l a t i o n t y p e , s p e e d , s t a t u s o f t h e p h y s i c a l a n d l o g i

Page 1378 of 1765

c a l a s p e c t o f t h e i n t e r f a c e a n d v a r i o u s s t a t i s t i c s . W

Page 1379 of 1765

h e n i s s u i n g t h e c o m m a n d , y o u n e e d t o r e p l a c e t h e < i n t

Page 1380 of 1765

e r f a c e > w i t h t h e a c t u a l i n t e r f a c e y o u w a n t t o l o o k a t

Page 1381 of 1765

. F o r e x a m p l e , e t h e r n e t 0 , w h i c h i n d i c a t e s t h e f i r s t

Page 1382 of 1765

e t h e r n e t i n t e r f a c e :

S o m e o t h e r g e n e r i c c o m m a n d s y o

Page 1383 of 1765

u c a n u s e a r e t h e s h o w " r u n n i n g c o n f i g " a n d s h o w " s t a

Page 1384 of 1765

r t u p c o n f i g " . T h e s e c o m m a n d s s h o w y o u t h e c o n f i g u r a t i

Page 1385 of 1765

o n o f y o u r r o u t e r . T h e r u n n i n g c o n f i g r e f e r s t o t h e r

Page 1386 of 1765

u n n i n g c o n f i g u r a t i o n , w h i c h i s b a s i c a l l y t h e c o n f i g u r

Page 1387 of 1765

a t i o n o f t h e r o u t e r l o a d e d i n t o i t s m e m o r y a t t h a t t i

Page 1388 of 1765

m e . S t a r t u p c o n f i g r e f e r s t o t h e c o n f i g u r a t i o n f i l e s

Page 1389 of 1765

t o r e d i n t h e N V R A M . T h i s , u p o n b o o t u p o f t h e r o u t e r ,

Page 1390 of 1765

g e t s l o a d e d i n t o t h e r o u t e r ' s R A M a n d t h e n b e c o m e s t h

Page 1391 of 1765

e r u n n i n g c o n f i g !

S o y o u c a n s e e t h a t U s e r E x e c M o d

Page 1392 of 1765

e i s u s e d m o s t l y t o v i e w i n f o r m a t i o n o n t h e r o u t e r , r

Page 1393 of 1765

a t h e r t h a n c o n f i g u r i n g a n y t h i n g . J u s t k e e p i n m i n d t h

Page 1394 of 1765

a t w e a r e t o u c h i n g t h e s u r f a c e h e r e a n d n o t g e t t i n g i

Page 1395 of 1765

n t o a n y d e t a i l s .

T h i s c o m p l e t e s t h e U s e r E x e c M o d e s

Page 1396 of 1765

e c t i o n . I f y o u l i k e , y o u c a n g o b a c k a n d c o n t i n u e t o

Page 1397 of 1765

t h e P r i v i l e g e d M o d e s e c t i o n .

Cisco Basics Privileged Mode

Introduction

To get into Privileged Mode we enter the "enable" command from User Exec Mode. If one is set, the router will prompt you for a password. (If no enable secret or enable password has been set, anyone sitting at the console who reaches the User Exec prompt can enter Privileged Mode, so set an "enable secret" before the router goes anywhere near a network.) Once in Privileged Mode, you will notice the prompt changes from ">" to "#" to indicate that we are now in Privileged Mode. Privileged Mode (and Global Configuration Mode) is used mainly to configure the router, enable interfaces, set up security, define dialup interfaces etc.

I have put a screenshot of the router to give you an idea of the commands available in Privileged Mode in comparison to User Exec Mode. Remember that these commands have sub-commands and can get quite complicated:

As you can see, there is a wider choice of commands in Privileged Mode. Now, when you want to configure certain services or parts of the router you will need to enter Global Configuration Mode from within Privileged Mode. If you're confused by now with the different modes available, try to see it this way:

User Exec Mode (distinguished by the ">" prompt) is your first mode, which is used to get statistics from the router, see which version of IOS you're running, check memory resources and a few more things.

Privileged Mode (distinguished by the "#" prompt) is the second mode. Here you can enable or disable interfaces on the router, get more detailed information on the router, for example view the running configuration of the router, copy the configuration, load a new configuration onto the router, back up or delete the configuration, back up or delete the IOS and a lot more. Because everything from reading the configuration to replacing the IOS image is possible from here, the enable credential is the one that matters most on the router.

Global Configuration Mode (distinguished by the "(config)#" prompt) is accessible via Privileged Mode. In this mode you're able to configure each interface individually, set up banners and passwords, enable secrets (passwords stored as a one-way hash rather than in cleartext), enable and configure routing protocols and a lot more. I dare say that 70% of the time you want to configure or change something on the router, you will need to be in this mode.

Getting into Global Configuration

The picture below shows you how to enter Global Configuration Mode:

As you can see, I have telneted into the router and it prompted me for a password. I entered the password, which is not shown; at this point I am in User Exec Mode. I then entered "enable" in order to get into Privileged Mode. From here, to get into Global Configuration Mode you need to enter the "configure <selection>" command. (Telnet carries both the login and the enable password across the network in cleartext; on any router that supports it, use SSH and restrict the vty lines with "transport input ssh".) Now you must be wondering what the various parameters shown in the picture are, under the "configure" command. These allow you to select where the configuration you are going to work with comes from:

Configure memory executes the commands of the startup config file stored in NVRAM against the running configuration (merging them in) and returns you to the Privileged Mode prompt, from where you continue with "configure terminal". When you're happy with the configuration, save it to NVRAM by entering "copy running-config startup-config".

Configure network loads a configuration file from a TFTP server into your local router's running configuration, after which you configure it as usual. Once you're finished, you can enter "copy running-config tftp", which forces the router to copy the configuration in memory onto a TFTP server. The router will prompt you for the IP address of the remote TFTP server.

Configure overwrite-network means that you overwrite the NVRAM's configuration with a configuration stored on a TFTP server. Issuing this command forces the router to prompt for the IP address of the remote TFTP server. Personally, I have never needed to use this command.

Configure terminal means you enter Global Configuration Mode and work with the configuration which is already loaded into the router's memory (Cisco calls this the running config). This is the most popular command, as in most cases you need to modify or reconfigure the router on the spot and then save your changes.

You will need to save this configuration, otherwise everything you configure will be lost upon power failure or reboot of the router!

Below are the commands you need to enter to save the configuration, depending on your network setup:

copy running-config startup-config: Copies the configuration which is running in the router's RAM into NVRAM and gives it the file name startup-config (the default). If one already exists in NVRAM, it will be overwritten by the new one.

copy running-config tftp: Copies the configuration which is running in the router's RAM to a TFTP server which might be running on your network. You will be asked for the IP address of the TFTP server and given the choice of a file name for the configuration. Some advanced routers can also act as TFTP servers. Keep in mind that TFTP has no authentication or encryption, and the copied file contains every password and secret in the configuration, so the server should sit on a trusted management network and the file be treated as sensitive.
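The difference between the running config and the startup config is also something you can check mechanically. The script below is an added example, not code from the original article: it normalises the text of "show running-config" and "show startup-config" (dropping the header lines IOS prints before the real configuration), then reports lines that exist in only one of the two. An empty result means there is nothing unsaved; a non-empty result on a router nobody is meant to be working on is worth a look, since a change made in RAM only survives until the next reload, which is exactly what someone who does not want to leave traces in NVRAM would do. Both configuration texts are constructed samples.

```python
"""Compare a Cisco IOS running-config with the startup-config to spot unsaved changes.

Added example, not part of the original article. The two configuration texts below are
constructed samples in the shape of "show running-config" / "show startup-config" output.
"""
import difflib

# Header lines IOS prints before the real configuration; they differ between the two
# outputs without meaning anything, so they are dropped before comparing.
_NOISE_PREFIXES = (
    "Building configuration",
    "Current configuration",
    "Using ",            # "Using 1234 out of 32768 bytes" on the startup-config
    "!",                 # comment / separator lines
    "ntp clock-period",  # rewritten by IOS itself as the clock drifts
)


def normalise(config_text: str) -> list[str]:
    """Return the meaningful configuration lines, with trailing whitespace removed."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(_NOISE_PREFIXES):
            continue
        lines.append(line)
    return lines


def unsaved_changes(running: str, startup: str) -> dict[str, list[str]]:
    """Lines present only in the running config ("added") or only in NVRAM ("removed").

    An empty result means "copy running-config startup-config" has nothing to save.
    """
    diff = difflib.unified_diff(normalise(startup), normalise(running), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # unified-diff headers, not configuration
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


# Constructed sample: someone changed the hostname and added a static route in RAM
# but has not yet saved to NVRAM.
SAMPLE_STARTUP = """\
Using 412 out of 32768 bytes
!
version 12.2
hostname swiftpond
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 139.130.34.43
!
end
"""

SAMPLE_RUNNING = """\
Building configuration...

Current configuration : 455 bytes
!
version 12.2
hostname swiftpond-core
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 139.130.34.43
ip route 10.20.0.0 255.255.255.0 10.0.0.1
!
end
"""

if __name__ == "__main__":
    for kind, lines in unsaved_changes(SAMPLE_RUNNING, SAMPLE_STARTUP).items():
        for line in lines:
            print(f"{kind:>7}: {line}")
```

Feed it the two outputs captured from the router (over SSH, not Telnet) and the "added" list is precisely what "copy running-config startup-config" would commit. The same comparison against a known-good copy kept off the router is the simplest configuration-integrity check there is.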

Generic Configuration

There are a few standard things which you always need to configure on the router. For example, a hostname. This is also used as the login name for the remote router to which your router needs to authenticate. Before we get stuck into the interface configuration we are going to run through a few of these commands. The following examples assume no passwords have been set as yet and that the router has the default hostname of "Router". We connect to the router via the console port using the serial cable and type the following:

Router> enable (gets us into Privileged Mode)

Router# configure terminal (this command gets us into the appropriate Global Configuration Mode as outlined above)

Router(config)# hostname swiftpond (this command sets the router's hostname to swiftpond. From this moment onwards, swiftpond will appear before the ">" or "#" depending on which mode we are in)

swiftpond(config)# username router2.isp password firewallcx (here we are telling the router that the remote router which we are connecting to has a username of "router2.isp" and that the password used to authenticate with router2.isp is "firewallcx")

This is the standard way of authentication between Cisco routers; it is what PPP CHAP and PAP on the WAN link use. Your router's hostname is your login name, and the password (in our case "firewallcx") is entered at the same time you define the remote router's hostname. Note that "username ... password" stores the password in the configuration in cleartext, or as a reversible type 7 string if "service password-encryption" is on. CHAP needs the cleartext shared secret on both ends, so this form is unavoidable for the link password and the configuration file must be protected accordingly; for local login accounts, however, use "username ... secret", which stores a hash instead.
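The practical consequence of the "password" versus "secret" distinction is that a configuration file leaks credentials. The script below is an added example, not code from the original article: it scans a configuration for "enable password", "username ... password" and line "password" entries, reports cleartext ones, reverses type 7 ones (the "service password-encryption" form, which is a fixed-key XOR that has been public knowledge since the 1990s), and also flags vty lines that still accept Telnet. The sample configuration is constructed; the two type 7 strings in it are well-known test vectors that decode to "cisco", not real credentials.

```python
"""Audit credential storage in a Cisco IOS configuration.

Added example, not part of the original article. Shows why "enable secret" and
"username ... secret" are preferred over "password": a plain "password" line is stored in
cleartext, and "service password-encryption" only turns it into a "type 7" string, which is
a fixed-key XOR that anyone holding the config can reverse. The sample config is constructed.
"""
import re

# The fixed key IOS uses for type 7 obfuscation (public since the 1990s).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the rest is hex."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]) for i, b in enumerate(data))


def encode_type7(plaintext: str, seed: int = 8) -> str:
    """Forward direction, included so the decoder can be checked by round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    out = [f"{seed:02d}"]
    for i, b in enumerate(plaintext.encode()):
        out.append(f"{b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


# "enable password ...", "username X [privilege N] password ..." and a line's "password ..."
# all share one shape: prefix, optional type digit (0 = cleartext, 7 = obfuscated), value.
# "enable secret" and "username ... secret" deliberately do not match.
_PASSWORD_LINE = re.compile(
    r"^\s*(?P<where>enable password|username \S+(?: privilege \d+)? password|password)"
    r"\s+(?:(?P<type>0|7)\s+)?(?P<value>\S+)\s*$"
)
_TRANSPORT_LINE = re.compile(r"^\s*transport input\s+(?P<protos>.+?)\s*$")


def audit_config(config_text: str) -> list[dict]:
    """Return one finding per weak credential line or cleartext management protocol."""
    findings = []
    for line in config_text.splitlines():
        m = _PASSWORD_LINE.match(line)
        if m:
            if m.group("type") == "7":
                findings.append({
                    "line": line.strip(),
                    "issue": "type 7 password is reversible; use 'secret' where the feature allows it",
                    "recovered": decode_type7(m.group("value")),
                })
            else:
                findings.append({
                    "line": line.strip(),
                    "issue": "password stored in cleartext",
                    "recovered": m.group("value"),
                })
            continue
        t = _TRANSPORT_LINE.match(line)
        if t and ({"telnet", "all"} & set(t.group("protos").split())):
            findings.append({
                "line": line.strip(),
                "issue": "telnet sends the login and enable passwords in cleartext; use 'transport input ssh'",
                "recovered": None,
            })
    return findings


# Constructed sample config. The type 7 strings are well-known test vectors, not real credentials,
# and the "secret 5" hash is a placeholder, not a real MD5-crypt value.
SAMPLE_CONFIG = """\
hostname swiftpond
enable password 7 0822455D0A16
username router2.isp password firewallcx
username admin privilege 15 secret 5 $1$constructed$notarealhashvalue
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        extra = f" (recovered {f['recovered']!r})" if f["recovered"] else ""
        print(f"{f['line']!r}: {f['issue']}{extra}")
```

The "username admin ... secret 5" line is correctly left alone: a hashed secret is what the audit wants to see. Run against a real backup, the recovered column is usually the quickest way to convince an owner that a configuration archive on an open TFTP or file share is a credential store.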

Next we create a static route so the router will pass all packets originating from our network to the remote router. This is usually the case when you connect to your ISP.

swiftpond(config)# ip route 0.0.0.0 0.0.0.0 139.130.34.43 (here we tell our router to create a default route: the first 0.0.0.0 is the destination network and the second 0.0.0.0 is the subnet mask, so every destination matches, and such packets are sent to 139.130.34.43, which would be the router we are connecting to. A more specific route, such as one of the router's own connected networks, always wins over the default)

In the case where you were not configuring the router to connect to the Internet but to join a small WAN which connects a few offices, then you would probably want to use a routing protocol:

swiftpond(config)# router rip (enables the RIP routing protocol. After this command you enter the routing protocol's configuration section, see below, where you can change timing parameters and other settings)

swiftpond(config-router)#

At this prompt you can fine tune RIP or just leave it at the default settings, which will work fine, though you still need at least one "network" statement here before RIP will send or listen for updates on an interface. The "exit" command takes you one step back:

swiftpond(config-router)# exit
swiftpond(config)#

Alternatively, you can use IGRP as a routing protocol, in which case you would have to enter the following:

swiftpond(config)# router igrp 1 (the "1" defines the Autonomous System number)

swiftpond(config-router)#

Again, the "exit" command will take you back one step:

swiftpond(config-router)# exit
swiftpond(config)#

Keep in mind that RIP version 1 and IGRP accept updates from anyone on the segment without any authentication, so a host on the LAN can inject routes; RIP version 2 at least supports per-interface MD5 authentication. IGRP is Cisco-proprietary and has been removed from current IOS releases.

After that, we need to create a dialer list which our WAN interface, BRI (ISDN), will use to make a call to our ISP.

swiftpond(config)# dialer-list 1 protocol ip permit (now we are telling the router to create a dialer list and bind it to group 1. The "protocol ip permit" tells the router to initiate a call for any IP packet)

I'll give you a quick example to make sure you understand the reason we put this command in: if you launched your web browser, it would send an HTTP request to the server you have set as a homepage, e.g. www.firewall.cx. This request which your computer is going to send is encapsulated in an IP packet that will cause your router to initiate a connection, as it is now configured to do so. Because "permit" matches every IP packet, any stray traffic routed towards the ISP (a scanning worm on an internal host, a misconfigured application polling an external address) will also bring the line up and cost you a call; "dialer-list 1 protocol ip list <access-list>" lets you narrow the interesting traffic to an access list instead.

The dialup interface for Cisco routers is broken into 2 parts: a dialer list and a dialer group. The dialer list defines the rules for placing a call. Later on, when you configure the WAN interface, you bind that dialer list to the interface by using the "dialer-group" command (shown later on).

Configuring Interfaces

In our example we said we have a router with one Ethernet and one basic ISDN interface (max of 128 Kbit). We are going to go through the process of configuring the interfaces. We will start with the Ethernet interface. In order to configure the interface, we need to be in Global Configuration Mode, so we need to type "enable" first in order to get into Privileged Mode and then "configure terminal" to get into the appropriate Global Configuration Mode (as explained above). Now we need to select the interface we want to configure, in this case the first Ethernet interface (E0), so we type "interface e0".

This picture shows clearly all the steps:

Any commands entered here will affect the first Ethernet interface only. So we start with the IP address. It's important to understand that this address is the router's address on the LAN side: it is reachable from both networks to which the router is connected unless you filter it, and if it were a public address then anyone on the Internet would be able to reach it. Furthermore, this IP address is also the default gateway for our firewall or for the machine which physically connects directly to the router. The following commands configure the Ethernet interface's IP address:

(config-if)# ip address 192.168.0.1 255.255.255.0

or, to add a second address to the same interface:

(config-if)# ip address 139.130.4.5 255.255.255.0 secondary

Now that we have given e0 its IP address, we need to give the ISDN interface its IP as well, so we need to move to the correct interface by typing the following:

(config-if)# exit (this exits from the e0 interface configuration)

(config)# interface bri0 (this command enters the configuration for the first ISDN interface)

(config-if)# ip address 10.0.0.2 255.255.255.224 (this command sets the IP address for BRI0, which is also known as the WAN IP address)

Now when it comes to configuring WAN interfaces, you need more than just an IP address (LAN interfaces such as E0 are a lot easier to configure). You need to set the encapsulation type, the authentication protocol the router will use to authenticate to the remote router, the phone number it will need to dial and a few more:

(config-if)# encapsulation ppp (this command sets the encapsulation to PPP, a standard protocol that interoperates between routers no matter what brand)

(config-if)# dialer string 0294883452 (this command tells the router which phone number it needs to dial in order to establish a connection with our remote router, e.g. your ISP)

(config-if)# dialer-group 1 (this command tells the router to use dialer list 1, configured previously, to decide when to initiate a connection)

(config-if)# dialer idle-timeout 2000000 (this command is optional and allows us to set an idle timeout, so if the line is idle for that many seconds the router will disconnect. A value of 2 million seconds, about 23 days, means the router will effectively never disconnect on its own)

(config-if)# isdn switch-type basic-net3 (this command tells the router the type of ISDN switch we are connecting to. Each country has its own type, so you need to consult your Cisco manual to figure out which type you need to put here)

(config-if)# dialer load-threshold 125 outbound (this command is optional and allows us to specify the load at which the router places another call. The value is from 1 to 255, so 125 means bring up the second B channel when the load reaches about 50%. With the "outbound" keyword only outbound load is measured; use "either" if you want inbound or outbound load to count)

That pretty much does it for our ISDN (WAN) interface. All you need to do now is SAVE the configuration!
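The default route from the Generic Configuration section and the interface addresses configured just above together form the router's forwarding table, and it helps to see how the two interact. The script below is an added example, not code from the original article: it parses "ip address" lines inside interface blocks (including "secondary") and "ip route" lines from a constructed configuration, then resolves destinations by longest prefix match, so the connected networks and the explicit 172.16.0.0/16 route win over the 0.0.0.0/0 default and everything else goes to 139.130.34.43. From a security standpoint this is exactly the table to inspect on a compromised router: any unexpected "ip route" line silently redirects the traffic that matches it.

```python
"""Parse interface addresses and static routes from an IOS config and resolve a destination.

Added example, not part of the original article. Shows what "ip route 0.0.0.0 0.0.0.0
<next-hop>" actually matches and how connected networks from the interface "ip address"
commands take precedence over it (longest prefix wins). The configuration is a constructed sample.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_IFACE = re.compile(r"^interface\s+(\S+)\s*$")
_ADDR = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)(\s+secondary)?\s*$")
_ROUTE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    via: str          # next-hop address, or the interface name for a connected network
    connected: bool


def parse_routes(config_text: str) -> list[Route]:
    """Collect connected networks (from interfaces) and static routes, in config order."""
    routes: list[Route] = []
    current_iface = None
    for line in config_text.splitlines():
        if (m := _IFACE.match(line)):
            current_iface = m.group(1)
            continue
        if (m := _ADDR.match(line)) and current_iface:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append(Route(net, current_iface, True))
            continue
        if (m := _ROUTE.match(line)):
            current_iface = None
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append(Route(net, m.group(3), False))
        elif not line.startswith(" "):
            current_iface = None  # any other top-level command ends the interface block
    return routes


def lookup(routes: list[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching network wins; 0.0.0.0/0 matches last."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


# Constructed sample in the shape of the configuration built up in this article.
SAMPLE_CONFIG = """\
hostname swiftpond
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip address 139.130.4.5 255.255.255.0 secondary
interface BRI0
 ip address 10.0.0.2 255.255.255.224
 encapsulation ppp
ip route 0.0.0.0 0.0.0.0 139.130.34.43
ip route 172.16.0.0 255.255.0.0 10.0.0.1
"""

if __name__ == "__main__":
    table = parse_routes(SAMPLE_CONFIG)
    for dst in ("192.168.0.50", "10.0.0.30", "172.16.5.9", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.network} via {r.via}")
```

Note that the 0.0.0.0 mask gives the default route a prefix length of 0, which is why it can only ever win when nothing else matches; a /24 connected network or a /16 static route always beats it.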

The Ethernet Datalink

Introduction

"Ethernet" is the term that is casually applied to a number of very different data link implementations. You will hear people refer to "Ethernet" and they might be referring to the original DEC, Intel and Xerox implementation of Version 1 or Version 2 Ethernet. This, in a sense, is the "true" definition of "Ethernet". When the IEEE built the 802.3 standards in 1984 the term "Ethernet" was broadly applied to them as well. Today we talk about "Fast Ethernet" and, although this technology bears many similarities to its predecessors, the engineering technology has changed dramatically. Whatever you call it, this is a Data Link technology responsible for delivering a frame of bits from one network interface to another, perhaps through a repeater, switch or bridge. The following sections cover:

Frame Formats: the four ways that frames may be structured (contains 3D diagrams and analysis of frames).

Media Access: taking turns accessing the cable using the rules of Carrier Sense Multiple Access with Collision Detection (CSMA/CD).

Collision: the results of simultaneous transmissions on the media: fragments, runts, CRC errors.

Propagation Delay: the relationship between maximum cable length and minimum frame size is based on the propagation delay of the signal.

Frame Corruption: troubleshooting coaxial Ethernet networks by examining the types of corruption patterns that result from specific events.

Interframe Gap: the 9.6 microsecond interframe gap (96 bit times at 10 Mbit/s) and an understanding of its purpose.

Signal Encoding: Manchester encoding for the electrical Ethernet signal.

Ethernet Frame Formats Introduction An understanding of the basics of the Ethernet Frame Format is crucial to any discussion of Ethernet technology.

In this section, we will discuss:

- The four different frame formats used in the Ethernet world
- The purpose of each of the fields in an Ethernet frame
- The reasons that there are so many different versions of the Ethernet Frame Format

Ethernet, Ethernet, Ethernet, or Ethernet?!

When somebody tells me that they are running Ethernet on their network, I inevitably have to ask: "Which Ethernet?". Currently, there are many versions of the Ethernet Frame Format in the commercial marketplace, all subtly different and not necessarily compatible with each other.

The explanation for the many types of Ethernet Frame Formats currently on the marketplace lies in Ethernet's history. In 1972, work on the original version of Ethernet, Ethernet Version 1, began at the Xerox Palo Alto Research Center. Version 1 Ethernet was released in 1980 by a consortium of companies comprising DEC, Intel, and Xerox. In the same year, the IEEE meetings on Ethernet began. In 1982, the DIX (DEC/Intel/Xerox) consortium released Version II Ethernet and since then it has almost completely replaced Version I in the marketplace. In 1983 Novell NetWare '86 was released, with a proprietary frame format based on a preliminary release of the 802.3 spec. Two years later, when the final version of the 802.3 spec was released, it had been modified to include the 802.2 LLC Header, making NetWare's proprietary format incompatible. Finally, the 802.3 SNAP format was created to address backwards compatibility issues between Version 2 and 802.3 Ethernet.

As you can see, the large number of players in the Ethernet world has created a number of different choices. The bottom line is this: either a particular driver supports a particular frame format, or it doesn't. Typically, Novell stations can support any of the frame formats, while TCP/IP stations will support only one, although there are no hard and fast rules in networking.

Ethernet Frame Formats

The following sections will outline the specific fields in the different types of Ethernet frames. Throughout the section, we will refer to fields by referencing their "offset" or number of bytes from the start of the frame beginning with zero. Therefore, when we say that the destination address field is from offset zero through five we are referring to the first six bytes of the frame.

The Preamble

Regardless of the frame type being used, the means of digital signal encoding on an Ethernet network is the same. While a discussion of Manchester Encoding is beyond the scope of this page, it is sufficient to say that on an idle Ethernet network, there is no signal. Because each station has its own oscillating clock, the communicating stations have to have some way to "synch up" their clocks and thereby agree on how long one bit time is. The preamble facilitates this. The preamble consists of 8 bytes of alternating ones and zeros, ending in 11.

A station on an Ethernet network detects the change in voltage that occurs when another station begins to transmit and uses the preamble to "lock on" to the sending station's clock signal. Because it takes some time for a station to "lock on", it doesn't know how many bits of the preamble have gone by. For this reason, we say that the preamble is "lost" in the "synching up" process. No part of the preamble ever enters the adapter's memory buffer. Once locked on, the receiving station waits for the 11 that signals that the Ethernet frame follows.

Most modern Ethernet adapters are guaranteed to achieve a signal lock within 14 bit-times.

The Different "Flavors" of Ethernet

While the preamble is common to every type of Ethernet, what follows it is certainly not. The major types of Ethernet Frame Format are:

FRAME TYPE                          Novell calls it...    Cisco calls it...
IEEE 802.3                          ETHERNET_802.2        LLC
Version II                          ETHERNET_II           ARPA
IEEE 802.3 SNAP                     ETHERNET_SNAP         SNAP
Novell Proprietary ("802.3 Raw")    ETHERNET_802.3        NOVELL

As you examine the table above please note that an IEEE 802.3 frame is referred to as an 802.2 frame by Novell. The frame that Novell refers to as "802.3 Raw" or "Ethernet_802.3" is their own proprietary frame format.

The IEEE 802.3 Frame Format

Introduction

The following is a description of the Ethernet Frame Format described in the IEEE 802.3 Specification. The 802.3 Specification defines a 14 byte Data Link Header followed by a Logical Link Control Header that is defined by the 802.2 Specification. The 3D diagram below analyses the Ethernet 802.3 frame:

THE DATA LINK HEADER

Offset 0-5: The Destination Address

The first six bytes of an Ethernet frame make up the Destination Address. The Destination Address specifies to which adapter the data frame is being sent. A Destination Address of all ones specifies a Broadcast Message that is read in by all receiving Ethernet adapters. The first three bytes of the Destination Address are assigned by the IEEE to the vendor of the adapter and are specific to the vendor. The Destination Address format is identical in all implementations of Ethernet.

Offset 6-11: The Source Address

The next six bytes of an Ethernet frame make up the Source Address. The Source Address specifies from which adapter the message originated. Like the Destination Address, the first three bytes specify the vendor of the card. The Source Address format is identical in all implementations of Ethernet.

Offset 12-13: Length

Bytes 13 and 14 of an Ethernet frame contain the length of the data in the frame, not including the preamble, 32 bit CRC, DLC addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length, and no longer than 1518 bytes total length.

THE 802.2 LOGICAL LINK CONTROL (LLC) HEADER

Following the Data Link Header is the Logical Link Control Header, which is described in the IEEE 802.2 Specification. The purpose of the LLC header is to provide a "hole in the ceiling" of the Data Link Layer. By specifying into which memory buffer the adapter places the data frame, the LLC header allows the upper layers to know where to find the data.

Offset 15: The DSAP

The DSAP, or Destination Service Access Point, is a 1 byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving NIC in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks, etc.

Offset 16: The SSAP

The SSAP, or Source Service Access Point, is analogous to the DSAP and specifies the Source of the sending process.

Offset 17: The Control Byte

Following the SAPs is a one byte control field that specifies the type of LLC frame that this is.

USER DATA AND THE FRAME CHECK SEQUENCE (FCS)

Data: 43-1497 Bytes

Following the 802.2 header are 43 to 1,497 bytes of data, generally consisting of upper layer headers such as TCP/IP or IPX and then the actual user data.

FCS: Last 4 Bytes

The last 4 bytes that the adapter reads in are the Frame Check Sequence or CRC. When the voltage on the wire returns to zero, the adapter checks the last 4 bytes it received against a checksum that it generates via a complex polynomial. If the calculated checksum does not match the checksum on the frame, the frame is discarded and never reaches the memory buffers in the station.

The Ethernet Version II Frame Format

Introduction

The following is a description of the frame format described by the original Ethernet Version II specification as released by DEC, Intel, and Xerox. Like the 802.3 spec, the Version II spec defines a Data Link Header consisting of 14 bytes (6+6+2) of information, but the Version II spec does not specify an LLC header. Let's now have a closer look at the frame format:

THE DATA LINK HEADER

Offset 0-5: The Destination Address

The first six bytes of an Ethernet frame make up the Destination Address. The Destination Address specifies to which adapter the data frame is being sent. A Destination Address of all ones specifies a Broadcast Message that is read in by all receiving Ethernet adapters. The first three bytes of the Destination Address are assigned by the IEEE to the vendor of the adapter and are specific to the vendor. See the MAC Address page for more information. The Destination Address format is identical in all implementations of Ethernet.

Offset 6-11: The Source Address

The next six bytes of an Ethernet frame make up the Source Address. The Source Address specifies from which adapter the message originated. Like the Destination Address, the first three bytes specify the vendor of the card. The Source Address format is identical in all implementations of Ethernet.

Offset 12-13: The Ethertype

Following the Source Address is a 2 byte field called the Ethertype. The Ethertype is analogous to the SAPs in the 802.3 frame in that it specifies the memory buffer in which to place this frame.

An interesting question arises when one considers the 802.3 and Version II frame formats: both formats specify a 2 byte field following the source address (an Ethertype in Version II, and a Length field in 802.3). How does a driver know which format it is seeing, if it is configured to support both? The answer is actually quite simple. All Ethertypes have a value greater than 05DC hex, or 1500 decimal. Since the maximum frame size in Ethernet is 1518 bytes, there is no need for Ethertypes and lengths to overlap. If the field that follows the Source Address is greater than 05DC hex, the frame is a Version II frame; otherwise it is something else (either 802.3, 802.3 SNAP or Novell Proprietary).

USER DATA AND FCS

Data: 46-1500 Bytes

Following the Ethertype are 46 to 1,500 bytes of data, generally consisting of upper layer headers such as TCP/IP or IPX and then the actual user data.

FCS: Last 4 Bytes

The last 4 bytes that the adapter reads in are the Frame Check Sequence or CRC. When the voltage on the wire returns to zero, the adapter checks the last 4 bytes it received against a checksum that it generates via a complex polynomial. If the calculated checksum does not match the checksum on the frame, the frame is discarded and never reaches the memory buffers in the station.

The IEEE 802.3 SNAP Frame Format

Introduction

While the original 802.3 specification worked well, the IEEE realized that some upper layer protocols required an Ethertype to work properly. For example, TCP/IP uses the Ethertype to differentiate between ARP packets and normal IP data frames. In order to provide this backwards compatibility with the Version II frame type, the 802.3 SNAP (SubNetwork Access Protocol) format was created. The SNAP Frame Format consists of a normal 802.3 Data Link Header followed by a normal 802.2 LLC Header and then a 5 byte SNAP field, followed by the normal user data and FCS. You can see the above mentioned headers in the 3D diagram of the frame below:

THE DATA LINK HEADER

Offset 0-5: The Destination Address

The first six bytes of an Ethernet frame make up the Destination Address. The Destination Address specifies to which adapter the data frame is being sent. A Destination Address of all ones specifies a Broadcast Message that is read in by all receiving Ethernet adapters. The first three bytes of the Destination Address are assigned by the IEEE to the vendor of the adapter and are specific to the vendor. The Destination Address format is identical in all implementations of Ethernet.

Offset 6-11: The Source Address

The next six bytes of an Ethernet frame make up the Source Address. The Source Address specifies from which adapter the message originated. Like the Destination Address, the first three bytes specify the vendor of the card. The Source Address format is identical in all implementations of Ethernet.

Offset 12-13: Length

Bytes 13 and 14 of an Ethernet frame contain the length of the data in the frame, not including the preamble, 32 bit CRC, DLC addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length and no longer than 1518 bytes total length.

THE 802.2 LOGICAL LINK CONTROL (LLC) HEADER

Following the Data Link Header is the Logical Link Control Header, which is described in the IEEE 802.2 Specification. The purpose of the LLC header is to provide a "hole in the ceiling" of the Data Link Layer. By specifying into which memory buffer the adapter places the data frame, the LLC header allows the upper layers to know where to find the data.

Offset 15: The DSAP

The DSAP, or Destination Service Access Point, is a 1 byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving NIC in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks, etc.

Offset 16: The SSAP

The SSAP, or Source Service Access Point, is analogous to the DSAP and specifies the Source of the sending process. In order to specify that this is a SNAP frame, the SSAP is set to AA hex.

Offset 17: The Control Byte

Following the SAPs is a one byte control field that specifies the type of LLC frame that this is.

THE SUB-NETWORK ACCESS PROTOCOL (SNAP) HEADER

Offset 18-20: The Vendor Code

The first 3 bytes of the SNAP header are the vendor code, generally the same as the first three bytes of the source address, although it is sometimes set to zero.

Offset 21-22: The Local Code

Following the Vendor Code is a 2 byte field that typically contains an Ethertype for the frame. This is where the backwards compatibility with Version II Ethernet is implemented.

USER DATA AND THE FRAME CHECK SEQUENCE (FCS)

Data: 38-1492 Bytes

Following the 802.2 header are 38 to 1,492 bytes of data, generally consisting of upper layer headers such as TCP/IP or IPX and then the actual user data.

FCS: Last 4 Bytes

The last 4 bytes that the adapter reads in are the Frame Check Sequence or CRC. When the voltage on the wire returns to zero, the adapter checks the last 4 bytes it received against a checksum that it generates via a complex polynomial. If the calculated checksum does not match the checksum on the frame, the frame is discarded and never reaches the memory buffers in the station.

The Novell Proprietary Frame Format

Introduction

Novell's Proprietary Frame Format was developed based on a preliminary release of the 802.3 specification. After Novell released its proprietary format, the LLC Header was added, making Novell's format incompatible. Below is a 3D diagram of the frame; let's have a look at it and try to analyse it:

THE DATA LINK HEADER

Offset 0-5: The Destination Address

The first six bytes of an Ethernet frame make up the Destination Address. The Destination Address specifies to which adapter the data frame is being sent. A Destination Address of all ones specifies a Broadcast Message that is read in by all receiving Ethernet adapters. The first three bytes of the Destination Address are assigned by the IEEE to the vendor of the adapter, and are specific to the vendor. The Destination Address format is identical in all implementations of Ethernet.

Offset 6-11: The Source Address

The next six bytes of an Ethernet frame make up the Source Address. The Source Address specifies from which adapter the message originated. Like the Destination Address, the first three bytes specify the vendor of the card. The Source Address format is identical in all implementations of Ethernet.

Offset 12-13: Length

Bytes 13 and 14 of an Ethernet frame contain the length of the data in the frame, not including the preamble, 32 bit CRC, DLC addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length, and no longer than 1518 bytes total length.

USER DATA AND THE FRAME CHECK SEQUENCE (FCS)

Data: 46-1500 Bytes

Following the Data Link header are 46 to 1500 bytes of data. In all Novell frames, the user data begins with an IPX (Novell's network layer protocol) header. The IPX header contains as its first two bytes an optional checksum, with the value FFFF signifying that the checksum is not used. By convention, the checksum is always turned off, and the FFFF that occurs 3 bytes after the end of the source address is how device drivers differentiate Novell frames from 802.3 frames, which look identical until the first byte following the length field.

FCS: Last 4 Bytes

The last 4 bytes that the adapter reads in are the Frame Check Sequence or CRC. When the voltage on the wire returns to zero, the adapter checks the last 4 bytes it received against a checksum that it generates via a complex polynomial. If the calculated checksum does not match the checksum on the frame, the frame is discarded and never reaches the memory buffers in the station.

A FINAL NOTE ON THE NOVELL ETHERNET FRAME FORMAT

"A Novell client can only use one frame format for NetWare"

This is a true statement that needs some clarification to be fully understood. It should be noted that Novell workstations are capable of using any of the four Ethernet frame types mentioned in the Ethernet Frame section, based on the LOAD and BIND settings in the NET.CFG file. A Novell client will use the list of frame formats in NET.CFG to attempt to locate a file server (or a NetWare Directory Server for the VLM shell). The client starts at the top of the list of frame types in NET.CFG and broadcasts a 'Find Nearest Server' message. If no file server answers (or Directory Services server in a VLM client) then the client tries the next frame format. When a server finally does answer then the client will use the successful frame format from then on, until the client is rebooted. As a result, you should remember that a Novell client will ultimately use only one of the four frame formats; it cannot actually use multiple formats for NetWare at the same time. The format it selects will be based on its initial attempt to locate a server. This behavior is restricted to the frame format used by NCP and SPX; if the client is also running a TCP/IP stack then the IP protocol can be configured to use any other frame format (typically Version II Ethernet).
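To tie the four formats together, here is an added example (not code from the original page) that applies the discrimination rules above in the order a driver would: the 05DC test on offset 12-13, then FFFF for Novell Raw, then AA/AA in the SAPs for SNAP, and otherwise 802.3 with an LLC header. The sample frames, addresses and payloads are constructed for the demo; the Ethertypes 0800 (IP) and 0806 (ARP) are well-known values rather than ones taken from the page, and the frames are assumed to arrive as the adapter hands them up, with preamble and FCS already removed. It also refuses an 802.3 Length field that claims more data than the frame carries, since a driver that trusted that field would read past its receive buffer.

```python
from dataclasses import dataclass
from typing import Optional

# 0x05DC (1500) is the largest value a Length field can hold (from the text), so a
# larger value at offset 12-13 must be a Version II Ethertype.
MAX_LENGTH_FIELD = 0x05DC
DLC_HEADER_LEN = 14             # 6 (destination) + 6 (source) + 2 (Length or Ethertype)
LLC_HEADER_LEN = 3              # DSAP, SSAP, Control
SNAP_HEADER_LEN = 5             # 3-byte vendor code + 2-byte local code (an Ethertype)
SNAP_SAP = 0xAA                 # DSAP/SSAP value that marks an 802.3 SNAP frame
IPX_NO_CHECKSUM = b"\xff\xff"   # first two data bytes of every Novell Raw frame


@dataclass
class ParsedFrame:
    fmt: str                  # "Ethernet_II", "802.3_LLC", "802.3_SNAP" or "Novell_Raw"
    dst: str
    src: str
    ethertype: Optional[int]  # Version II and SNAP carry one; LLC and Novell Raw do not
    dsap: Optional[int]
    ssap: Optional[int]
    payload: bytes            # what the upper-layer protocol would receive


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes) -> ParsedFrame:
    """Identify which of the four frame formats `frame` is and split out its fields.

    Malformed frames raise ValueError instead of being parsed at guessed offsets; in
    particular a Length field larger than the bytes present is rejected rather than
    used to index past the end of the buffer.
    """
    if len(frame) < DLC_HEADER_LEN:
        raise ValueError("frame shorter than the 14-byte Data Link header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    type_or_len = int.from_bytes(frame[12:14], "big")
    body = frame[DLC_HEADER_LEN:]

    if type_or_len > MAX_LENGTH_FIELD:
        # Version II: offset 12-13 is an Ethertype and user data starts at offset 14.
        return ParsedFrame("Ethernet_II", dst, src, type_or_len, None, None, body)

    # 802.3 family: offset 12-13 is a Length and must fit inside what we received.
    if type_or_len > len(body):
        raise ValueError(f"Length field {type_or_len} exceeds the {len(body)} bytes present")
    data = body[:type_or_len]   # anything beyond this is padding on a short frame

    if data[:2] == IPX_NO_CHECKSUM:
        # Novell Proprietary ("802.3 Raw"): no LLC header, IPX checksum FFFF comes first.
        return ParsedFrame("Novell_Raw", dst, src, None, None, None, data)

    if len(data) < LLC_HEADER_LEN:
        raise ValueError("802.3 frame too short to hold the 802.2 LLC header")
    dsap, ssap = data[0], data[1]
    after_llc = data[LLC_HEADER_LEN:]

    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        if len(after_llc) < SNAP_HEADER_LEN:
            raise ValueError("SNAP frame too short to hold the 5-byte SNAP header")
        ethertype = int.from_bytes(after_llc[3:5], "big")   # the 2-byte local code
        return ParsedFrame("802.3_SNAP", dst, src, ethertype, dsap, ssap,
                           after_llc[SNAP_HEADER_LEN:])

    return ParsedFrame("802.3_LLC", dst, src, None, dsap, ssap, after_llc)


def is_malformed(frame: bytes) -> bool:
    """True when classify_frame() refuses the frame."""
    try:
        classify_frame(frame)
    except ValueError:
        return True
    return False


def _frame_802_3(dst: bytes, src: bytes, data: bytes) -> bytes:
    """Build an 802.3-style frame: Length = len(data), data padded to the 46-byte minimum."""
    return dst + src + len(data).to_bytes(2, "big") + data.ljust(46, b"\x00")


# Constructed sample frames (addresses and payloads are made up for this demo).
BROADCAST = bytes.fromhex("ffffffffffff")            # all ones: broadcast
SRC_ADDR = bytes.fromhex("00aa11223344")             # constructed source address
ETHERNET_II_FRAME = BROADCAST + SRC_ADDR + (0x0800).to_bytes(2, "big") + b"IP packet..."
LLC_FRAME = _frame_802_3(BROADCAST, SRC_ADDR, b"\x42\x42\x03" + b"LLC payload")
SNAP_FRAME = _frame_802_3(BROADCAST, SRC_ADDR,
                          b"\xaa\xaa\x03" + b"\x00\x00\x00" + b"\x08\x06" + b"ARP request...")
NOVELL_FRAME = _frame_802_3(BROADCAST, SRC_ADDR, IPX_NO_CHECKSUM + b"\x00\x30" + b"IPX...")
# Length field 0x0100 (256) with only 3 data bytes behind it: must be refused, not indexed.
BAD_LENGTH_FRAME = BROADCAST + SRC_ADDR + (0x0100).to_bytes(2, "big") + b"\xaa\xaa\x03"

if __name__ == "__main__":
    for name, f in [("Version II", ETHERNET_II_FRAME), ("802.3 LLC", LLC_FRAME),
                    ("802.3 SNAP", SNAP_FRAME), ("Novell Raw", NOVELL_FRAME)]:
        p = classify_frame(f)
        print(f"{name:11} -> {p.fmt:11} ethertype={p.ethertype} dsap={p.dsap} "
              f"payload={p.payload[:12]!r}")
    print("bad length refused:", is_malformed(BAD_LENGTH_FRAME))
```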

What is CSMA/CD?

Introduction

CSMA/CD stands for Carrier Sense Multiple Access with Collision Detection. It refers to the means of media access, or deciding "who gets to talk" in an Ethernet network. A more elegant term for "who gets to talk" is the "media access method", which, in this case, is "CSMA/CD".

Carrier Sense means that before a station will "talk" onto an Ethernet wire, it will listen for the "carrier" that is present when another station is talking. If another station is talking, this station will wait until there is no carrier present.

Multiple Access refers to the fact that when a station is done transmitting it is allowed to immediately make another access to the medium (a 'multiple' access). This is as opposed to a Token-Ring network, where a station is required to perform other tasks in between accessing the medium (like releasing a token or sometimes releasing a management frame).

Collision Detection refers to the ability of an Ethernet adapter to detect the resulting "collision" of electrical signals and react appropriately. In a normally operating Ethernet network, it will sometimes occur that two stations simultaneously detect no carrier and begin to talk. In this case the two electrical signals will interfere with each other and result in a collision, an event which is detected by the Collision Detection circuitry in the transmitting network interface cards. The process of CSMA/CD is implemented slightly differently in a twisted pair (as opposed to a coaxial) Ethernet network.

Ethernet Collisions

Introduction

The word "Collision" shouldn't be any news to people who work with networks every day. If it is, though, don't worry: that's why you are here. A collision is an event that happens on an Ethernet network when two stations simultaneously "talk" on the wire. Collisions are a normal part of life in an Ethernet network and under most circumstances should not be considered a problem. Even though a lot of people know that collisions do happen on a network, what they don't know is that there are two different types of collisions! Yes, that's right, two different types of collisions: one is the Early Collision and the other the Late Collision. We will have a look at two collision examples (one of each) in the next couple of pages, and these examples have been carefully selected to help you understand the difference between the two types of collisions. Also, we are going to have a look at the events leading up to and immediately following a collision. So, grab that favorite mug of yours, fill it up with something to drink and let's start learning about collisions!

Early Collisions

Introduction

We are going to have a look at a step-by-step early collision example to help everyone (including myself!) understand what it's all about.

Early Collisions

In this example, we will refer to an imaginary Ethernet network consisting of Stations A and B and any number of other stations. The status of the network is such that the wire is idle (nobody is talking) and 9.6 microseconds have passed since anybody last talked on the wire. An early collision is any collision that occurs before 512 bits of the frame have been put onto the wire. The rationale behind this is discussed in the next essay. The following is an outline of a normal or "early" collision event:

Station A, detecting that the wire has been idle for 9.6 microseconds, begins to transmit its data frame, beginning with the 64 bit preamble. While Station A is transmitting, it is also listening for abnormal voltage on the wire, a signal that a collision has occurred. (Stage 1)

Some period of time later, but before the signal from Station A has had time to propagate down the wire to Station B, Station B also detects that the wire has been idle for 9.6 microseconds and begins to transmit its data frame beginning with the 64 bit preamble. Station B is also listening for a collision on the wire. (Stage 2)

At some point on the wire in between Station A and Station B the electrical signals overlap, creating a point of abnormal voltage. As the signals continue to propagate, this abnormal voltage travels down the wire towards both Station A and Station B. (Stage 3)

Whichever station is closest to the physical point on the wire where the two signals overlapped will detect the collision first. For the sake of this discussion, we will say that Station A detects the collision first. (Stage 4)

Station A, detecting the abnormal voltage on the wire and realizing that a collision has occurred, immediately stops transmitting data and transmits a 32 bit "jam" onto the wire. (Stage 5)

The 32 bit jam consists of any combination of values that is not a valid CRC for the frame that was just interrupted by the collision. Most Ethernet cards today just send 32 ones and know that there is only a 1/(2^32) chance that that will be the checksum -- pretty good odds. The purpose of the 32 bit jam is to fully propagate the wire with voltage, preventing anybody else from talking. Station A will then implement an algorithm known as the Truncated Binary Exponential Backoff Algorithm, which determines how long it will wait before it attempts to retransmit the frame that was just interrupted. The interrupted frame is referred to as a Runt. Next, Station B will detect the collision. Station B will also send a 32 bit jam and implement the Truncated Binary Exponential Backoff Algorithm. (Stage 6)

Early collisions occur regularly in a normally operating Ethernet network. There is no hardware malfunction or misbehaving station -- it just so happens that two NICs start to talk at the same time. Generally, after the talkers implement the backoff algorithm which is specially designed to not have both NICs attempt to talk at the same time again, both talkers will successfully put their frame onto the wire. It typically takes no longer than 2-3 milliseconds for a station to recover from a collision and successfully retransmit its frame.

Propagation delay & its relationship to max. cable length

Introduction

You may know that the minimum frame size in an Ethernet network is 64 bytes or 512 bits, including the 32 bit CRC. You may also know that the maximum length of an Ethernet cable segment is 500 meters for 10BASE5 thick cabling and 185 meters for 10BASE2 thin cabling. It is, however, a much less well known fact that these two specifications are directly related. In this essay, we will discuss the relationship between minimum frame size and maximum cable length.

Propagation Delay

Before we discuss frame size and cable length, an understanding of signal propagation in copper media is necessary. Electrical signals in a copper wire travel at approximately 2/3 the speed of light. This is referred to as the propagation speed of the signal. Since we know that Ethernet operates at 10Mbps or 10,000,000 bits per second, we can determine that the length of wire that one bit occupies is approximately equal to 20 metres or 60 feet via the following maths:

speed of light in a vacuum = 300,000,000 metres/second
speed of electricity in a copper cable = 200,000,000 metres/second
(200,000,000 m/s) / (10,000,000 bits/s) = 20 metres per bit

We can further determine that a minimum size Ethernet frame consisting of 64 bytes or 512 bits will occupy 10,240 metres of cable.

The Relationship

The only time that an Ethernet controller can detect collisions on the wire is when it is in transmit mode. When an Ethernet NIC has finished transmitting and switches to receive mode, the only thing it listens for is the 64 bit preamble that signals the start of a data frame. The minimum frame size in Ethernet is specified such that, based on the speed of propagation of electrical signals in copper media, an Ethernet card is guaranteed to remain in transmit mode, and therefore detecting collisions, long enough for a collision to propagate back to it from the farthest point on the wire.

Take, for example, a length of 10BASE5 thick Ethernet cabling exactly 500 meters long (the maximum that the spec allows) with two stations, Station A and Station B, attached to the farthest ends of it. If Station A begins to transmit, it will have transmitted 25 bits by the time the signal reaches Station B, 500 meters away. If Station B begins to transmit at the last possible instant before Station A's signal reaches it, the collision will reach Station A 25 bit-times later (a bit-time being the time it takes for the signal on the wire to travel one bit-length, 20 metres in copper cable). Station A will have transmitted only 50 bits when the collision reaches it, nowhere near the 512 bit boundary for an early collision.

Upon closer examination, however, a peculiarity arises. If a normal collision is one that happens before the 512 bit boundary, Station A would have to be over 5000 metres away from Station B before a late collision occurred. Examine the maths for yourself: 512 bits times 20 metres/bit = 10,240 metres. That's 256 bits or approximately 5000 metres for the signal to propagate from Station A to Station B and 5000 metres for the collision event to propagate back to and be detected by Station A.

It seems like a late collision would never occur with a maximum cable length of only 500 meters. What is the reason for the overhead? The reason is twofold. First of all, while the maximum possible cable segment length in Ethernet is 500 metres, it is possible to extend that length with up to 4 repeaters before the IEEE 802.3 spec is violated. This means that the signal may have to travel through as much as 2500 metres of cable to reach Station B, or 5000 metres of cable round trip. The second and final reason for the overhead lies solely in the carefulness of Ethernet's inventors. Generally the spec is twice as strict as it needs to be, allowing ample room for errors.

Herein lies one of the greatest strengths and weaknesses of Ethernet. It is a strength in that if you need to, you can probably get away with violating the specs: an extra length of cable here, an extra repeater there, and your network continues to run normally. It is a weakness in that while you can get away with violating the specs, there is a very fine line between a network that is violating the specs and running and a network that is violating the specs and is crippled by late collisions, and you never know which extra bit of wire or extra repeater is going to cross the line. Despite this dire warning, there are some general rules for violating specs:

- If your vendor tells you you can violate the spec and you're not mixing vendors, it's probably ok.
- If you mix vendors, obey the strictest vendor.
- If something is wrong with your network and you know that it violates the spec in places, those places should be the first ones you check. Try segmenting the network with a bridge and see which side of the bridge the problems are on.

Late Collisions

Introduction

Again, we are going to make use of a step-by-step example in order to fully understand how and why late collisions occur.

Late Collisions

Late collisions, on the other hand, are not normal and are usually the result of out-of-spec cabling or a malfunctioning adapter. A late collision is defined as any collision that occurs after 512 bits of the frame have been transmitted. The rationale behind this is discussed in the next essay. In this discussion we will refer to the same network described in the discussion of early collisions, but with one modification: in this network, the network administrator has violated the maximum cable length (500 meters for 10BASE5 thick Ethernet, 185 meters for 10BASE2 thin Ethernet) by either adding too many repeaters in between Stations A and B or by laying too much wire between them. The following is an outline of a late collision event caused by out-of-spec cabling:

Station A, detecting that the wire has been idle for 9.6 microseconds, begins to transmit its data frame, beginning with the 64 bit preamble. Station A transmits 256 bits of its frame. If the cabling were in spec and Station B began to transmit, causing a collision, then even if Stations A and B were on the farthest ends of the wire from each other, the collision would be detected by Station A before it could transmit its 512th bit. (Stage 1)

Station A continues to transmit bits, and meanwhile, down at the other end of the wire, just before the electrical signal reaches Station B, Station B detects idle wire for 9.6 microseconds and begins to transmit. (Stage 2)

A minute amount of time later, a collision occurs. (Stage 3) Station B, being extremely close to the collision, detects it first and begins transmitting a 32 bit jam signal.

The collision begins to propagate down the wire towards Station A (Stage 4), followed by the 32 Bit Jam signal generated from Station B.

But because the cabling was out of spec, by the time the collision gets to Station A, Station A has already finished transmitting and is no longer listening for collisions! (Stage 5) Station A is completely unaware that a collision has occurred!

The reason that late collisions are a problem is that once the NIC misses the fact that a collision has occurred, recovery and retransmission are left to the upper layers and recovery time goes up drastically. While a NIC will typically recover and retransmit a frame in 2-3 milliseconds, it typically takes anywhere from 10 to 100 times that long for upper layers. The other major cause of late collisions is a malfunctioning NIC. If a NIC malfunctions in such a manner that it is unable to detect that another station is talking, late (and early) collisions will occur.
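As an added worked example (not from the original essays), the following code puts the propagation figures and the early/late collision argument above into functions: 20 metres per bit, a round trip that must complete before the 512-bit minimum frame has left the NIC, and the consequence that a late collision is never seen by the transmitting card. It goes one step beyond the text by filling in the Truncated Binary Exponential Backoff rule the early-collision essay names (after the n-th collision wait r slots of 512 bit-times, r drawn from 0 to 2^min(n,10)-1, give up after 16 attempts); that rule is the IEEE 802.3 one and is an assumption relative to this page, as are the figures it produces.

```python
import random
from typing import Optional

# Figures from the text: 200,000,000 m/s over 10,000,000 bit/s gives 20 metres per bit,
# the minimum frame is 64 bytes = 512 bits, the jam is 32 bits, the gap is 9.6 us.
METRES_PER_BIT = 20
MIN_FRAME_BITS = 512
JAM_BITS = 32
BIT_TIME_US = 0.1               # one bit at 10 Mbps lasts 0.1 microsecond
INTERFRAME_GAP_BITS = 96        # 9.6 us / 0.1 us per bit

# Assumed (IEEE 802.3, not stated on the page): Truncated Binary Exponential Backoff.
SLOT_BITS = 512                 # one backoff slot is a minimum frame's worth of bit-times
BACKOFF_LIMIT = 10              # the exponent stops growing after the 10th collision
MAX_ATTEMPTS = 16               # the frame is dropped after 16 collisions


def one_way_bits(cable_m: float) -> float:
    """Bit-times for a signal to cross `cable_m` metres of copper (500 m -> 25 bits)."""
    return cable_m / METRES_PER_BIT


def worst_case_collision(cable_m: float, frame_bits: int = MIN_FRAME_BITS) -> dict:
    """Model the worst case from the text: A starts; B, at the far end, starts just
    before A's signal arrives; the collision then travels all the way back to A.
    Reports how many bits A has sent when the collision returns and whether A's NIC
    is still transmitting (and therefore still able to notice it)."""
    bits_sent = 2 * one_way_bits(cable_m)          # out to B and back to A
    still_transmitting = bits_sent < frame_bits
    return {
        "bits_sent_at_detection": bits_sent,
        "collision": "early" if still_transmitting else "late",
        # A late collision is invisible to A: it has already switched to receive mode.
        "nic_recovers": still_transmitting,
    }


def max_path_for_early_collision(frame_bits: int = MIN_FRAME_BITS) -> float:
    """Longest end-to-end path for which a `frame_bits` frame still covers the round trip
    (512 bits -> 5120 m, the 'approximately 5000 metres' of the text)."""
    return frame_bits * METRES_PER_BIT / 2


def can_retry(attempt: int) -> bool:
    """True while collision number `attempt` (1-based) is still within the 16 allowed."""
    return 1 <= attempt <= MAX_ATTEMPTS


def backoff_slots(attempt: int, rng: Optional[random.Random] = None) -> int:
    """Slots to wait after collision number `attempt`: uniform in 0 .. 2**min(n,10) - 1."""
    if not can_retry(attempt):
        raise ValueError("frame dropped: too many collisions")
    return (rng or random).randrange(2 ** min(attempt, BACKOFF_LIMIT))


def retransmit_after_collision(rng: Optional[random.Random], attempts: int = 1) -> float:
    """Microseconds a station spends before its frame goes out after `attempts`
    collisions: each time it jams, backs off, then waits the interframe gap."""
    total = 0.0
    for n in range(1, attempts + 1):
        total += (JAM_BITS + INTERFRAME_GAP_BITS) * BIT_TIME_US
        total += backoff_slots(n, rng) * SLOT_BITS * BIT_TIME_US
    return total


if __name__ == "__main__":
    for metres in (500, 2500, 5000, 6000):
        print(f"{metres} m end to end: {worst_case_collision(metres)}")
    print("longest path that still gives an early collision:",
          max_path_for_early_collision(), "m")
    rng = random.Random(1)      # fixed seed so the demo is reproducible
    print("time to retransmit after 1 collision: %.1f us" % retransmit_after_collision(rng))
```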

Introduction Of Fast Ethernet


Introduction

Full motion video for video conferencing requires, typically, at least 25 Mb/sec. That means that a legacy Ethernet, at 10 Mb/sec, can only deliver poor quality real-time video. With 100 Mb/sec, however, you can be watching a broadcast presentation in one window while you're in conference with three people in three other windows (for a total of 100 megabits of bandwidth). Consider a file server that requires 6 Mb/sec (6 million bits per second; 60% utilization on a 10 Mb/sec Ethernet). With a 100 Mb/sec Ethernet this server can now utilize interface hardware that can pump data down the pipe at a greatly increased rate. It seems clear that the evolution of the industry is moving away from 10 Mb/sec Ethernet and towards the 100 Mb/sec (or higher) rates of data transfer. This section of the compendium discusses 100 Mb/sec Ethernet technology.

Virtually everyone who uses Ethernet has wished from time to time that their network had a higher bandwidth. When Ethernet was being designed in the late 1970s, 10Mbps seemed immense. With today's bandwidth-intensive multimedia applications, or even with just the departmental server, that number sometimes is barely adequate. Yes, faster network technologies were available, but they were complicated and expensive. Then came Fast Ethernet. Anyone who understands classic Ethernet already understands much about Fast Ethernet. Fast Ethernet uses the same cabling and access method as 10Base-T. With certain exceptions, Fast Ethernet is simply regular Ethernet - just ten times faster! Whenever possible, the same numbers used in the design of 10Base-T were used in Fast Ethernet, just multiplied or divided by ten. Fast Ethernet is defined for three different physical implementations.

The Implementations of Fast Ethernet:

100BASE-TX: Category 5
100BASE-FX: Multimode fibre
100BASE-T4: Category 3

Probably the most popular form of Fast Ethernet is 100BASE-TX. 100BASE-TX runs on EIA/TIA 568 Category 5 unshielded twisted pair, sometimes called UTP-5. It uses the same pair and pin configurations as 10Base-T, and is topologically similar in running from a number of stations to a central hub. As an upgrade to 10Mbps Ethernet over multimode fibre (10Base-F), 100BASE-FX is Fast Ethernet over fibre. Single duplex runs are supported up to 400m and full duplex runs are supported for up to 2km. Fast Ethernet is possible on Category 3 UTP with 100BASE-T4. There is a popular misconception that Fast Ethernet will only run on Category 5 cable. That is true only for 100BASE-TX. If you have Category 3 cable with all four pairs (8 wires) connected between station and hub, you can still use it for Fast Ethernet by running 100BASE-T4. 100BASE-T4 sends 100Mbps over the relatively slow UTP-3 wire by fanning out the signal to three pairs of wire.

This "demultiplexing" slows down each byte enough that the signal won't overrun the cable. Category 3 cable has four pairs of wire, eight wires total, running from point to point. 10Base-T only uses four wires, two pairs. Some cables only have these two pairs connected in the RJ-45 plug. If the Category 3 cabling at your site has all four pairs between hub and workstation, you can use Fast Ethernet by running 100BASE-T4.

Differences Between Classic Ethernet And Fast Ethernet


Introduction

The two primary areas for concern when upgrading the network from 10Mbps to 100Mbps are cabling and hubs. As discussed on the Fast Ethernet Introduction page, in Fast Ethernet twisted pair cabling needs either to be Category 5 or to be Category 3 with proper twist on all four pairs. The problem with hubs is the number of hubs allowed in a single collision domain. Classic Ethernet allows hubs to be cascaded up to four deep between any two stations. In Fast Ethernet, the number of hubs allowed in a collision domain is drastically reduced - to a single hub. Sometimes it may be possible to have more than one hub in a collision domain, but it will probably be easier in the long term to design a Fast Ethernet network assuming that only one hub is allowed. What the IEEE 802.3 spec does not explicitly state is that this limitation only applies to shared 100BASE-T, not to switched 100BASE-T. Since switches act like bridges in defining a separate collision domain, installing Fast Ethernet switches will allow you to work around the single-hub problem. Even if it is not necessary to deliver dedicated switched Fast Ethernet to each desktop, Fast Ethernet hubs can be connected to switches. Connecting a number of repeaters to a switch will provide shared Fast Ethernet and allow you to maintain the size of your network.

Integration Of 100 Mb/sec Ethernet Into Existing 10 Mb/sec Networks

Integrating Fast Ethernet Into 10Mb Ethernet Networks

Introduction

Now that Fast Ethernet is here, the question becomes, "How do I start using it?" Integrating Fast Ethernet into existing networks need not be done all at once. Here are some aspects of 100Mbps implementation that should be considered:

Implementing Switching
Eliminating Bottlenecks
Expand The Topology Outwards and Downwards

Implementing Switching

Implement switching in high-traffic areas to concentrate the bottlenecks on the network. Since Fast Ethernet provides higher throughput of bits, it makes sense to figure out which network connections need the most relief. Which segments consistently attempt to pump the most bytes? Which segments consistently demonstrate the highest average percent bandwidth usage according to your protocol analyzer? Installing switches will help you figure out which network segments are moving the most information due to the effect switches have on your network. Installing switches is like moving from traffic lights to limited-access highways. The idea works extremely well in isolating cross-town traffic, e.g. peer-to-peer networking, but doesn't necessarily help when all of the traffic slows down at particular locations, e.g. an enterprise-wide server or the network Internet firewall. Because there are other ways of isolating network bottlenecks, implementing switches is primarily useful when installing 10/100 switches in preparation for 100Mbps Ethernet. Installing switches also gives the added benefit of segmenting collision domains. In classic Ethernet, there can be up to four hubs or repeaters between any two stations, but in Fast Ethernet that number is only one or two. Installing switches in place of repeaters spares you having to segment your network at a later point, allowing the cost of the transition to be spread over a longer period of time.

Eliminating Bottlenecks

Once bottlenecks have been identified, upgrade those network connections to 100 Mbps. The primary difficulty in this step is verifying that the existing cabling will be sufficient for Fast Ethernet. On UTP, the cable either needs to meet Category 5 specifications or have four pairs with proper twist maintained on Category 3. If you're planning on using 100BASE-TX, your wiring closet will also need to be certified for a higher speed. There are many devices available, such as wire pair scanners, which will make this job much easier. Installing the initial Fast Ethernet connections is much easier if the switches installed earlier are 10/100, capable of operating at either classic Ethernet speeds or Fast Ethernet speeds. If the switches installed were only 10Mbps switches, they could be used as "hand-me-downs," replacing hubs in segments where users require more bandwidth.

Expand The Topology Outwards and Downwards

Gradually work the Fast Ethernet out into the rest of the network, as far out and down as desired. Note that the price of 10/100 cards is not substantially higher than that of 10Mbps cards, so it may be a wise idea to plan ahead by installing 10/100 cards when installing new machines. If there comes a point in the future when 100Mbps Ethernet needs to be implemented on that machine, all that will need to be changed is the connection on the other end. On the other hand, upgrading a machine from a 10Mbps card to a 100Mbps card will require reconfiguring the user's machine, installing a new driver, etc. A short-term expenditure can greatly offset the cost in man-hours and down-time later on.

Migration from 10 Mb/sec to 100 Mb/sec

Upgrading And Migrating From Ethernet To Fast Ethernet


Introduction

Here we are going to analyse the following aspects of upgrading/migrating from 10Mbit Ethernet to 100Mbit Ethernet.

Cabling
Incompatible Implementations
Repeaters In Fast Ethernet
  o Replacement Of Illegal Byte Codes
  o Data Translation
  o Error Handling And Partitioning

Cabling

There are two methods of running Fast Ethernet over UTP and one method of running it over fibre.

IMPLEMENTATION    CABLE TYPE          NUMBER OF PAIRS
100BASE-TX        Category 5          2
100BASE-T4        Category 3 or 5     4
100BASE-FX        Fiber               (Not Applicable)

Category 3 cabling is not rated to carry the fast signaling of 100BASE-TX, so 100BASE-T4 must be used. 100BASE-T4 may also be used on Category 5 cabling, but 100BASE-TX is probably a better choice.

Incompatible Implementations

Fast Ethernet brings a new urgency to an old problem. Many network technologies use RJ-45 connectors. In the past, it was usually not difficult to figure out whether a jack was Ethernet or token ring: even at a site where both were in use they seldom were found in the same vicinity, so the network administrator could make an "educated guess". Today, with Fast and classic Ethernet interspersed and 10/100 cards common, some mechanism is needed to allow quick identification of the signal that is running across the wire.

Autonegotiation works by having each end of the connection send a series of pulses down the wire to the other end. These pulses are the same signals used in 10Base-T to test link integrity and cause the link indicator light to turn on. If a station receives a single pulse, referred to as a Normal Link Pulse (NLP), it recognizes that the other end is only capable of 10Base-T. If autonegotiation is being used, a station will transmit a series of these pulses spaced closely together, referred to as a Fast Link Pulse (FLP). An FLP consists of 17 "clocking" pulses interspersed with up to 16 "signal" pulses to form a 16-bit code word. If a signal pulse occurs between two clocking pulses, that bit is a one. Absence of a signal pulse is a zero. By comparing the 16-bit code words received in the FLP, a station and hub will agree on what implementation of Ethernet to use. The 16-bit code word describes what implementations of Ethernet are supported. Both station and hub will compare what they support to what the other end supports, then choose which implementation to use for that link according to the following priorities, defined by IEEE 802.3 clause 28B.3:

1. 100BASE-TX full duplex
2. 100BASE-T4
3. 100BASE-TX
4. 10BASE-T full duplex
5. 10BASE-T

If the station supports 100BASE-T4, 100BASE-TX, and 10BASE-T and the hub supports full duplex 100BASE-TX, single-duplex 100BASE-TX, and 10BASE-T, they will each discover that the Ethernet implementations they have in common are 100BASE-TX and 10BASE-T. Since 100BASE-TX is defined to have a higher priority than 10BASE-T, the station and hub will use 100BASE-TX. This decision takes place independently on each side of the link, but since each side uses the same decision-making process and priorities, the same decision is reached on each end.
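
The FLP decoding and priority resolution just described, as an added example (not code from the essay); it also covers the case, noted later in the troubleshooting section, where two ends that both support 100BASE-T4 and 100BASE-TX settle on 100BASE-T4. The placement of the ability bits inside the code word follows IEEE 802.3 Annex 28B; the 125 microsecond clock spacing and the pulse timings are constructed sample values.

```python
"""Auto-negotiation as described above: decode the pulses of one FLP burst
into a 16-bit link code word, then let each end pick the highest-priority
implementation both support.

Added example, not code from the original essay. The placement of the
technology ability bits inside the code word (selector field in D0-D4,
abilities in D5-D12) follows IEEE 802.3 Annex 28B; the nominal clock-pulse
spacing and the pulse timings used here are constructed sample values.
"""
from typing import List, Optional, Set

# Priority order quoted in the essay (IEEE 802.3 clause 28B.3), highest first.
PRIORITY = ["100BASE-TX full duplex", "100BASE-T4", "100BASE-TX",
            "10BASE-T full duplex", "10BASE-T"]

# Technology ability field: A0 is bit D5 ... A4 is bit D9 (Annex 28B layout).
ABILITY_BIT = {"10BASE-T": 5, "10BASE-T full duplex": 6, "100BASE-TX": 7,
               "100BASE-TX full duplex": 8, "100BASE-T4": 9}
SELECTOR_IEEE_802_3 = 0b00001     # D0-D4: "this is an IEEE 802.3 code word"

CLOCK_SPACING_US = 125.0          # nominal spacing of the 17 clocking pulses
CLOCK_COUNT = 17


def code_word(abilities: List[str]) -> int:
    """Build the 16-bit code word advertising the given implementations."""
    word = SELECTOR_IEEE_802_3
    for name in abilities:
        word |= 1 << ABILITY_BIT[name]
    return word


def flp_pulse_times(word: int) -> List[float]:
    """Timestamps (microseconds) of the pulses in one FLP burst for `word`:
    17 clocking pulses, plus a signal pulse midway after clock k for each
    bit k that is set."""
    times = [k * CLOCK_SPACING_US for k in range(CLOCK_COUNT)]
    for bit in range(16):
        if (word >> bit) & 1:
            times.append(bit * CLOCK_SPACING_US + CLOCK_SPACING_US / 2)
    return sorted(times)


def decode_flp(pulse_times: List[float]) -> Optional[int]:
    """Recover the code word from pulse timestamps. A single pulse is an NLP
    (the far end is 10BASE-T only, no negotiation): return None."""
    if len(pulse_times) <= 1:
        return None
    t0 = min(pulse_times)
    word, clocks = 0, 0
    for t in pulse_times:
        offset = (t - t0) % CLOCK_SPACING_US
        if offset < CLOCK_SPACING_US / 4 or offset > 3 * CLOCK_SPACING_US / 4:
            clocks += 1                     # on the clock grid: clocking pulse
        else:                               # between two clocks: signal pulse
            slot = int((t - t0) // CLOCK_SPACING_US)
            if slot < 16:
                word |= 1 << slot
    if clocks != CLOCK_COUNT:
        raise ValueError(f"expected {CLOCK_COUNT} clocking pulses, saw {clocks}")
    return word


def abilities_in(word: int) -> Set[str]:
    """Implementations advertised by a code word."""
    return {name for name, bit in ABILITY_BIT.items() if (word >> bit) & 1}


def resolve(local_word: int, remote_word: int) -> Optional[str]:
    """The decision each end makes on its own; because both ends use the
    same priority table, they reach the same answer."""
    common = abilities_in(local_word) & abilities_in(remote_word)
    for name in PRIORITY:
        if name in common:
            return name
    return None


if __name__ == "__main__":
    station = code_word(["100BASE-T4", "100BASE-TX", "10BASE-T"])
    hub = code_word(["100BASE-TX full duplex", "100BASE-TX", "10BASE-T"])
    heard_at_station = decode_flp(flp_pulse_times(hub))
    heard_at_hub = decode_flp(flp_pulse_times(station))
    print("station picks:", resolve(station, heard_at_station))   # 100BASE-TX
    print("hub picks:    ", resolve(hub, heard_at_hub))           # 100BASE-TX
```
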
Because each end of the connection agrees on what implementation of Ethernet is being used, the potential problem of incompatible signaling is averted.

Repeaters In Fast Ethernet

In Fast Ethernet the number of repeaters allowed per network segment is only 1 or 2. Whether one or two repeaters may be used is determined by what class of repeater will be used on the segment. Two classes of Fast Ethernet repeater are defined, Class I and Class II. Only one Class I repeater can be used in a single collision domain. Two Class II repeaters are allowed in a single collision domain, with up to a 5 metre inter-repeater link between them. The only technical difference between Class I and Class II repeaters is that Class II repeaters are faster than Class I repeaters. This allows Class I repeaters to provide other services besides simple repeating, such as translating between 100BASE-TX and 100BASE-T4. Class II repeaters are primarily used to link two hubs supporting only a single implementation of Fast Ethernet. However, with the trade-off in fewer repeaters comes greater intelligence in each repeater. In addition to implementing the functionality of 10Mbps repeaters, 100Mbps repeaters are responsible for the following:

Replacement Of Illegal Byte Codes

Unlike classic Ethernet, Fast Ethernet does not send a straightforward representation of the actual bits across the physical layer. A different representation of the information is sent instead. As a result, there are possible patterns on the wire which are not defined for use in Fast Ethernet. If a repeater detects an illegal pattern on the wire, it may replace that pattern (and every remaining pattern in the frame) with a special symbol identifying that the frame is corrupt.

Data Translation

For repeaters that implement more than one implementation of Ethernet, the repeater will change the data encoding to be appropriate to the outgoing ports. 100BASE-T4 and 100BASE-TX use very different representations when sending data across a network. A Class I repeater which implements both 100BASE-TX and 100BASE-T4 needs to ensure that the signal going across the wire is the appropriate representation for the Ethernet implementation.

Error Handling And Partitioning

A Fast Ethernet repeater will monitor the state of each port in order to protect the network from any faults that might interrupt the flow of information. If 60 consecutive collisions are detected from any particular port, the repeater will partition that port: it will stop forwarding information from that port to the rest of the network, but will still continue to repeat all frames from the network to the port. If the station on that port has broken so that it no longer is obeying the rules of CSMA/CD, then it needs to be separated from the network to allow traffic to flow. However, it is possible that there could be 60 consecutive collisions on an extremely busy segment, so the repeater still forwards information to that port. If the repeater detects between 450 and 560 bits of information from that port without a collision occurring, the repeater will re-activate that port. A legal frame is received from the partitioned port, so we know that the hardware is working. If between 40000 and 75000 consecutive bits are received from a port, the device at the other end of that cable is assumed to be "jabbering", sending an endless stream of bits, so the output from the port is cut off from the rest of the network. Such a "jabbering" device could prevent any traffic from flowing on a network, since there would never be a break for the other stations to transmit. If the station stops "jabbering", then the repeater will once again activate the port.
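
Partitioning and jabber control as a per-port state machine, added here as an example (not the essay's own code nor any vendor's implementation); the exact re-activation and jabber thresholds are constructed values chosen inside the windows the essay quotes.

```python
"""Per-port fault isolation of a Fast Ethernet repeater as described above:
partition after consecutive collisions, re-enable on a legal frame, and cut
off a jabbering station.

Added example, not code from the original essay or any vendor. The essay
gives windows for two of the thresholds (450-560 bits to re-enable,
40000-75000 bits for jabber); the exact values below are constructed
choices inside those windows.
"""
from enum import Enum
from typing import List


class PortState(Enum):
    ACTIVE = "active"
    PARTITIONED = "partitioned"   # port's traffic no longer reaches the network
    JABBER = "jabber"             # port's output cut off: endless bit stream


PARTITION_COLLISIONS = 60   # consecutive collisions before partitioning
REACTIVATE_BITS = 512       # constructed: inside the 450-560 bit window
JABBER_BITS = 50_000        # constructed: inside the 40000-75000 bit window


class RepeaterPort:
    def __init__(self, name: str) -> None:
        self.name = name
        self.state = PortState.ACTIVE
        self.consecutive_collisions = 0
        self.events: List[str] = []     # state-change log for the operator

    def _enter(self, new_state: PortState, why: str) -> None:
        if new_state is not self.state:
            self.events.append(f"{self.name}: {self.state.value} -> "
                               f"{new_state.value} ({why})")
            self.state = new_state

    def forwards_to_network(self) -> bool:
        """Does traffic from this port reach the rest of the network?"""
        return self.state is PortState.ACTIVE

    def forwards_to_port(self) -> bool:
        """Traffic from the network is always repeated towards the port, so
        a partitioned station keeps hearing the segment."""
        return True

    def receive(self, bits: int, collided: bool) -> bool:
        """Account for `bits` of activity from the station on this port and
        return whether the repeater forwards it to the network."""
        if bits >= JABBER_BITS:
            self._enter(PortState.JABBER, f"{bits} consecutive bits")
            return False
        if self.state is PortState.JABBER:
            # Anything shorter than the jabber limit means the stream ended.
            self._enter(PortState.ACTIVE, "station stopped jabbering")
        if collided:
            self.consecutive_collisions += 1
            if self.consecutive_collisions >= PARTITION_COLLISIONS:
                self._enter(PortState.PARTITIONED,
                            f"{self.consecutive_collisions} consecutive collisions")
            return self.forwards_to_network()
        self.consecutive_collisions = 0
        if self.state is PortState.PARTITIONED and bits >= REACTIVATE_BITS:
            # A legal frame got through without a collision: hardware works.
            self._enter(PortState.ACTIVE, f"{bits} collision-free bits")
        return self.forwards_to_network()

    def idle(self) -> None:
        """The station went quiet; a jabbering port is re-activated."""
        if self.state is PortState.JABBER:
            self._enter(PortState.ACTIVE, "station stopped jabbering")


if __name__ == "__main__":
    port = RepeaterPort("port 3")
    for _ in range(PARTITION_COLLISIONS):
        port.receive(96, collided=True)      # 60 short collision fragments
    port.receive(512, collided=False)        # a legal frame: back in service
    port.receive(60_000, collided=False)     # endless stream: jabber
    port.idle()
    print("\n".join(port.events))
```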

In 100BASE-TX and 100BASE-FX, a repeater will further monitor traffic to ensure that only frames with a valid preamble are passed. If two consecutive "false carrier events" occur, or a "false carrier event" lasts for 450-500 bits, the repeater will declare that link to be "unstable" and stop sending information to that port. As a result, faulty links are isolated from the rest of the network, resulting in improved overall network reliability. The link will be reactivated if between 24814 and 37586 bit-times have passed without any information having been received, or if a valid carrier is received after between 64 and 86 bit-times of idle have occurred.

Fast Ethernet Model

802.3 Fast Ethernet (100Mb/Sec) Model


Introduction

Here we see a logical drawing of the Fast Ethernet Data Link Layer sublayers. Data is passed down from the upper layers (such as TCP/IP or Novell Netware) to the LLC sublayer. From there it is passed to the MAC sublayer and then, depending on whether this is a 100BASE-T4 or 100BASE-TX environment, either down the right or left hand path to the wire.

We will intentionally avoid a detailed discussion of exactly what goes on at each of these layers here. Some of the layers' functions, such as 8B6T encoding, Fanout and NRZI signaling, are labeled and will be discussed in this essay. In 10Mbps Ethernet, the data is handed directly from the MAC layer to the PMA (Physical Medium Attachment) sublayer and onto the wire. The Reconciliation, PCS and PMD sublayers do not exist in 10Mbps Ethernet.

Troubleshooting

Troubleshooting techniques for Fast Ethernet


Introduction

This page will primarily discuss problems unique to Fast Ethernet.

The Collision Domain
Incompatible Ethernet Jabber
Auto-negotiation Priorities And Alternatives
Incompatible Cabling Specifications

The Collision Domain

The single biggest change in network design in Fast Ethernet is the smaller collision domain. Technically, the size of a collision domain in all flavors of Ethernet is exactly the same - 256 bits. On the wire, ten times as many 100Mbps bits can occupy the same space as an equal number of 10Mbps bits, so the collision domain in 100Mbps Ethernet can only be physically one tenth the size of a 10Mbps collision domain. Effectively this means that whereas up to four hubs can legally be cascaded in 10Base-T between any two stations, only one (or two) hubs can be used in a single segment in 100BASE-T without going through an interconnect device that provides link segmentation, such as a store-and-forward bridge, a switch, or a router. A separate section of the Compendium discusses INTERCONNECT DEVICES in detail. If you see signs of corruption on your network that correspond to propagation delay, check to make sure that you're not cascading too many hubs. You can make some generalizations regarding the structure of corrupted data frames (as discussed in the 10 Mbps Ethernet FRAME CORRUPTION section) but remember that these corruption patterns may be quite misleading, since you have a hub or switch in the network. Note that many hub vendors sell stackable hubs. Hubs in a single stack connected via a common backplane are usually considered to be a single hub in terms of propagation delay, but multiple stacks cascaded externally via 100BASE-TX, 100BASE-T4, or 100BASE-FX could definitely cause problems. These 100BASE standards are discussed in the INTRODUCTION to this Fast Ethernet section.

Incompatible Ethernet Jabber

Another potential problem in 100Mbps Ethernet is the use of RJ-45 jacks for more than one flavor of Ethernet. Since 100BASE-TX and 100BASE-T4 both use RJ-45 jacks, as do 10Base-T and many other network technologies, the IEEE 802.3 specified an auto-negotiation protocol to allow stations to figure out the networking technology to use. Unfortunately, they made its implementation optional. If you're using equipment that does not implement IEEE-spec auto-negotiation, the incompatible Ethernet signals could prevent one of your stations from connecting to your network, or even simulate "jabber" by constantly transmitting a TX idle stream and bringing down the network. The possibility for this jabber is uncertain, considering that the flavors of Ethernet use different signal formats in transmission. Even if data is not exchanged, it is still possible that incompatible Ethernet flavors could assume that they have a proper connection. Ethernets using RJ-45 connections to a hub use a Link Test Pulse to verify link integrity. This pulse is the same in all flavors of Ethernet if autonegotiation is not used. The auto-negotiation protocol itself uses a modified form of these pulses to negotiate a common Ethernet implementation.

If Ethernet incompatibility jabber were to occur between 100BASE-TX and another flavor of Ethernet, the results could be catastrophic, as 100BASE-TX transmits a continuous idle signal between frames. Although transparent to 100BASE-TX, this idle signal would completely busy out a 10Base-T or 100BASE-T4 segment. On the other hand, the 802.3 specifies that a Fast Ethernet repeater should implement jabber control, automatically partitioning off any port that is streaming information for more than 40000 to 75000 bits. If the repeater were to partition off the "jabbering" port, the symptom would be reduced to inability to connect the 100BASE-TX station to the network.

Auto-negotiation Priorities And Alternatives

If the station and repeater both support 100BASE-TX and 100BASE-T4 and 802.3 auto-negotiation, the link will autonegotiate to 100BASE-T4 instead of 100BASE-TX. Since 100BASE-TX requires Category 5 cabling but 100BASE-T4 requires only Category 3, 100BASE-T4 is assumed to be a better default. If the cabling is known to be UTP-5, then it is probably more efficient to turn off auto-negotiation and use 100BASE-TX wherever possible. 100BASE-T4 requires more overhead than TX because it multiplexes and demultiplexes the data stream over three wire pairs. There is also significantly less overhead in translating between 100BASE-TX and 100BASE-FX than between 100BASE-T4, as TX and FX both use 4B5B encoding instead of T4's 8B6T. 100BASE-TX and 100BASE-FX also leave open the possibility of Full Duplex communication, although full duplex is not yet part of the 802.3 spec. On the other hand, 100BASE-TX sends an idle signal whenever it is not transmitting data. The 802.3 spec implies that it may very well be preferable to use 100BASE-T4 for battery-powered operation, since the card would only be transmitting when there is actual information to be moved.

Incompatible Cabling Specifications

One final problem with the advent of Fast Ethernet is the different cabling specifications. In classic Ethernet it was difficult to mistake 10Base-2 for 10Base-5. With Fast Ethernet, special care must be taken to verify that the entire connection between station and concentrator either supports TX's 31.25MHz signal or maintains T4's four pairs with proper twist. There are a number of good cable testers and pair scanners available to assist you in determining this for your network.

Ethernet Troubleshooting - Physical Frame Corruption


Introduction

When troubleshooting your Ethernet network, the first thing to look for is physical frame corruption. In this essay, we will discuss the different causes of physical frame corruption and the characteristics of each one. It is important to remember that the frame corruption being discussed is SPECIFIC TO COAXIAL ETHERNET. Twisted-pair Ethernet implementations will NOT manifest these types of corruption patterns!

Let's find the problem! I am going to discuss troubleshooting with reference to the Network General Expert Sniffer Network Analyzer. While the tips here are universal, other analyzers' behavior might differ in such a way as to make these tips invalid or unusable. There are four possible causes of physical frame corruption in an Ethernet network, each one different in the way it corrupts the frame and therefore recognizable. The four causes are:

Collisions. Caused by out-of-spec cabling or faulty hardware.
Signal Reflections. Caused by un-terminated cables, impedance mismatch and exceeding the maximum allowable bend radius of the cable.
Electrical Noise. Caused by nearby power grids, fluorescent lighting, X-ray machines, etc.
Malfunctioning Hardware. Caused by gremlins, helpful users, natural disasters, etc.

At the end of the section there is a troubleshooting flowchart to help you identify the cause of frame corruption. It is important to remember that these corruption patterns will only be evident on a coaxial Ethernet (10BASE-2 Thin Ethernet, 10BASE-5 Thick Ethernet). Twisted-Pair Ethernet networks, where each station is connected to a hub or switch, do not manifest these exact corruption patterns.

Collisions

Collisions are the most easily recognizable of the four causes of physical frame corruption. Generally, when a collision occurs, several bytes of the preamble of the colliding frame will be read into your Sniffer's buffer before the signal is completely destroyed. You will see these bytes in the hexadecimal decode of the packet as either several bytes of AAs or several bytes of 55s at the very end of the frame (remember, AAh=1010b, 55h=0101b; depending on where the collision occurred, the preamble could be perceived as either of these). Because the preamble is only 8 bytes long, ending in 1011, if you see more than 8 bytes of AA or 55, then the corruption was not caused by a collision and more investigation is necessary.

Signal Reflections Signal reflections are caused by electrons literally "bouncing" back along the wire. One cause of signal reflection is an un-terminated cable. Electrons travel down the wire until they reach the cable's end where, with no resistor to absorb the voltage potential, they reflect back from the open end of the cable.

Another cause of signal reflections is mixing cables with different impedances. Impedance can be thought of as the "rate of flow" of the wire. When electrons from the higher impedance wire attempt to travel through the lower impedance wire, some of them can't make it and are reflected back, destroying the signal. The final cause of signal reflections is when the maximum allowable bend radius of the cable is exceeded - the copper media is deformed, causing reflections. The characteristic of signal reflection is very short frames (typically less than 16-32 bytes), with no preamble in the frame and with all frames cut short within one or two bytes of the same place in the frame. Once again, this can be determined by viewing the frames in the Hexadecimal Decode view of your analyzer. The Expert Sniffer will also probably detect a high number of short or runt frames, as well as a high rate of physical frame corruption.

Electrical Noise Physical frame corruption caused by electrical noise is similar in appearance to corruption caused by reflections in that there is no preamble in the frame -- the frame just seems to stop short, but it is different in that the frames are generally cut off at random lengths.

Hardware Malfunctions Frame corruption caused by hardware malfunctions is potentially the hardest to diagnose because of the large number of ways that hardware can malfunction. Generally, hardware malfunctions will occur either randomly or constantly, but not regularly. The type of frame corruption is impossible to predict, generally manifesting as random "garbage" in the frame, but some common signs are:

A stream of ones or zeros. A transceiver has malfunctioned and is "jabbering" on the wire. Most transceivers have jabber detection circuitry that prevents the adapter from transmitting for longer than a certain preset time.
Gigantic frames (greater than 1500 bytes). Same as above.

Troubleshooting Flowchart

REMEMBER: This applies to corruption patterns that would be visible when viewing frames on a COAXIAL Ethernet.

1. Is a preamble (less than 8 bytes of AA or 55) visible at the very end of the frame? If yes:

   1. Make sure you haven't exceeded the specifications of your cable (maximum cable length, maximum repeaters in between nodes, etc).
   2. Use a "divide and conquer" method to isolate the troublemakers. Separate the network into halves using a bridge and see which side of the bridge the problems occur on. Now separate that half into halves, etc.

   If no, go on.

2. Are the corrupt frames very short, and consistently the same length? If yes:

   1. Your problem is probably related to signal reflection. First check for unterminated cables. If the cable is terminated properly, your job becomes a lot harder. If new cable has been installed recently, impedance mismatch is probably the problem. Avoid this problem by buying all your cabling from the same lot (if possible) and buying cabling all at once and putting extra in storage rather than ordering as needed. Finally, check for cable deformation due to bending the cable or placing heavy objects on the cable.
   2. A Time Domain Reflectometer can really save you some work when diagnosing this type of problem. This device can tell you, probably to the foot, how far down the wire the signal reflection is occurring.

   If no, go on.

3. Are the frames random in length, all cut off cleanly with no signs of bit streaming or other hardware malfunction? If yes:

   1. Your problem is probably electrical noise. Use the "divide and conquer" method outlined in bullet number 1 to determine where the noise is occurring and then use your intuition. I've seen problems as bizarre as a dentist's X-ray machine being on the other side of the wall to the wiring closet and every time the dentist took an X-ray the network would go down!

   If no, go on.

4. If you've arrived at this point, your problem is probably hardware related. Use the "divide and conquer" method outlined in bullet 1.
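
The flowchart as code, run over constructed corrupt frames (added example, not part of the original essay; the frames are made up to show each pattern and are not real captures, and the thresholds are the ones the essay gives).

```python
"""The troubleshooting flowchart above, applied to hex dumps of corrupt
frames. Added example, not part of the original essay. The frames in the
SAMPLES table are constructed to exhibit each corruption pattern; they are
not real captures, and the patterns are only meaningful for coaxial
Ethernet, as the essay stresses.
"""
from typing import Dict, List

PREAMBLE_BYTES = {0xAA, 0x55}
MAX_PREAMBLE_BYTES = 8      # a longer AA/55 tail than this is not a collision
REFLECTION_MAX_LEN = 32     # reflections leave very short frames (16-32 bytes)
REFLECTION_LEN_SPREAD = 2   # cut short within one or two bytes of the same place
GIANT_FRAME = 1500          # the essay's threshold for "gigantic" frames
STREAM_TAIL = 16            # this many identical trailing bytes = bit streaming

# A plausible coax-Ethernet header (dst, src, type); constructed, not captured.
HEADER = bytes.fromhex("ffffffffffff 00104b112233 0800")
FILLER = bytes.fromhex("4500 0054 1c46 4000 4001 b1e6")   # looks like IP


def frame(n: int, tail: bytes = b"") -> bytes:
    """Constructed corrupt frame: header + filler cut at `n` bytes + tail."""
    body = (HEADER + FILLER * 200)[:n]
    return body + tail


def trailing_preamble_bytes(frame: bytes) -> int:
    """How many AA/55 bytes sit at the very end of the frame."""
    count = 0
    for byte in reversed(frame):
        if byte not in PREAMBLE_BYTES:
            break
        count += 1
    return count


def is_bit_stream(frame: bytes) -> bool:
    """Ends in a long run of all-ones or all-zeros bytes: a jabbering transceiver."""
    tail = frame[-STREAM_TAIL:]
    return len(tail) == STREAM_TAIL and len(set(tail)) == 1 and tail[0] in (0x00, 0xFF)


def diagnose(frames: List[bytes]) -> str:
    """Walk the flowchart over all corrupt frames from one capture."""
    if not frames:
        raise ValueError("need at least one corrupt frame")
    # Step 1: a preamble (up to 8 bytes of AA/55) at the very end of the frame.
    if all(1 <= trailing_preamble_bytes(f) <= MAX_PREAMBLE_BYTES for f in frames):
        return "collision"
    # Step 2: very short frames, all cut within a byte or two of the same place.
    lengths = [len(f) for f in frames]
    if (max(lengths) <= REFLECTION_MAX_LEN
            and max(lengths) - min(lengths) <= REFLECTION_LEN_SPREAD):
        return "signal reflection"
    # Step 3: random lengths, cleanly cut, no bit streaming or giant frames.
    hardware_signs = any(len(f) > GIANT_FRAME or is_bit_stream(f) for f in frames)
    if not hardware_signs and len(set(lengths)) > 1:
        return "electrical noise"
    # Step 4: whatever is left is probably hardware.
    return "hardware malfunction"


# Constructed captures, one per corruption pattern.
SAMPLES: Dict[str, List[bytes]] = {
    "collision": [frame(40, b"\xAA" * 5), frame(61, b"\x55" * 3), frame(52, b"\xAA" * 8)],
    "signal reflection": [frame(20), frame(21), frame(20)],
    "electrical noise": [frame(100), frame(37), frame(250)],
    "hardware malfunction": [frame(80, b"\xFF" * 32), frame(300)],
}

if __name__ == "__main__":
    for expected, capture in SAMPLES.items():
        print(f"{expected:22s} -> {diagnose(capture)}")
```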

The Truth About Interframe Spacing


Introduction

The IEEE 802.3 specification states that before a station can attempt to transmit on the wire, it must first wait until it has heard 9.6 microseconds of silence. Many popular myths have arisen surrounding the reasons for the 9.6 microsecond interframe gap. The purpose of this section is to clarify the true reason for the 9.6 microsecond interframe gap.

The Truth

The sole reason for the 9.6 microsecond interframe gap is to allow the station that last transmitted to cycle its circuitry from transmit mode to receive mode. Without the interframe gap, it is possible that a station would miss a frame that was destined for it because it had not yet cycled back into receive mode. There is, however, an interesting sidebar to this discussion, and that is that most Ethernet cards in today's market are capable of switching from transmit to receive in much less time than 9.6 microseconds. This is an example of what can happen when 1970s specifications are applied to 1990s technology. In fact, some adapter manufacturers are designing their cards with a smaller interframe spacing, thereby achieving higher data transfer rates than their competitors. The problem arises when cards with a smaller interframe spacing are mixed on a network with cards that meet the specifications. In this case, there is a potential for lost data. The moral of the story is that a network administrator needs to know what is going on in his or her network and be aware that not all vendors will stick to the specs. Contact your vendors and find out what they're doing differently -- it'll pay off!

Manchester Signal Encoding


Introduction

The device driver software receives a frame of IP, IPX, NetBIOS, or other higher-layer protocol data. From this data, the device driver constructs a frame, with the appropriate Ethernet header information at the front and the frame check sequence (FCS) at the end.

The circuitry on the adapter card then takes the frame and converts it into an electrical signal. The voltage transitions in the transmitted bit stream follow the format called Manchester Signal Encoding. Manchester encoding describes how a binary ONE and ZERO are to be represented electrically. Manchester encoding is used in all 10 Megabit per second Ethernets; for example, 10BASE2 Thin Ethernet, 10BASE5 Thick Ethernet and 10BASE-T Twisted-Pair Ethernet. The (not reproduced) diagram shows the signal transitions used to encode the hexadecimal value "0E", which is "00001110" in binary.

Notice that there is a consistent transition in the middle of each bit-time. Sometimes this transition is from low-to-high and sometimes it's from high-to-low. This is the clock transition. The receiving adapter circuitry 'locks on' to this constant signal transition and, thereby, identifies the timing to determine the beginning and end of each bit. To represent a binary ONE, the first half of the bit-time is a low voltage; the second half of a bit is always the opposite of the first half, which is how the clock transition is created. To represent a binary ZERO, the first half of the bit-time is a high voltage. Sometimes there is an additional transition at the beginning of a bit-time (not drawn in the diagram) where the signal is pulled either up or down in preparation for the next bit.

Consider what happens if an external electromagnetic field interferes with the Manchester bit encoding. This external field could be the result of an electric motor, radio transmission or other source of interference. If the Manchester signal is disrupted the bits will be destroyed, because the clock signal itself is disrupted.

It would not be reasonably possible for electrical interference to change a binary ONE into a binary ZERO. Since each bit is symmetrical (the second half is always the opposite of the first half), the result of electrical noise is the destruction of the bit, not a change in its value; the receiver sees a bit-time with no mid-bit transition, and the frame check sequence then fails for the frame as a whole.
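The two steps above, as an added example that is not code from the original page: build an Ethernet II frame with its CRC-32 frame check sequence the way a driver does, Manchester-encode the bit stream the way a 10 Mb/s adapter does, then hold the line at one level for a whole bit-time to simulate interference. The decoder reports the bit as destroyed rather than flipped, and the FCS check fails. The addresses, EtherType and payload are constructed for the demonstration.

```python
"""Added example (not from the original page): build an Ethernet II frame
with its frame check sequence, Manchester-encode it the way a 10 Mb/s
adapter would, then corrupt the line signal and show that the receiver
detects a destroyed bit instead of silently reading a flipped one.
Addresses, EtherType and payload below are constructed for the demo."""
import zlib

MIN_PAYLOAD = 46  # Ethernet pads short payloads so the frame is >= 64 bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Header + payload (padded) + FCS. The FCS is CRC-32 (the same
    polynomial and reflection zlib uses) over everything before it,
    transmitted least-significant byte first."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload.ljust(MIN_PAYLOAD, b"\x00")
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + fcs.to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """Receiver-side check: recompute CRC-32 over the frame minus its FCS."""
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == int.from_bytes(frame[-4:], "little")


def frame_bits(frame: bytes) -> list:
    """Ethernet transmits each octet least-significant bit first."""
    return [(byte >> i) & 1 for byte in frame for i in range(8)]


def manchester_encode(bits) -> list:
    """Each bit becomes two half-bit levels. A ONE is low-then-high, a ZERO
    is high-then-low, so every bit-time has a transition in the middle
    that the receiver uses as its clock."""
    return [level for bit in bits for level in ((0, 1) if bit else (1, 0))]


def manchester_decode(levels) -> list:
    """Returns one entry per bit-time: 0, 1, or None when the two halves
    are equal (no mid-bit transition), i.e. the bit was destroyed."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    out = []
    for first, second in zip(levels[0::2], levels[1::2]):
        if (first, second) == (0, 1):
            out.append(1)
        elif (first, second) == (1, 0):
            out.append(0)
        else:
            out.append(None)  # both halves equal: clock transition lost
    return out


def inject_noise(levels, bit_index: int) -> list:
    """Simulate interference that holds the line high for an entire
    bit-time; this models noise swamping the mid-bit transition."""
    noisy = list(levels)
    noisy[2 * bit_index] = noisy[2 * bit_index + 1] = 1
    return noisy


def receive(levels) -> dict:
    """Decode the line signal; report destroyed bits and whether the FCS
    passes on whatever the adapter reassembled."""
    decoded = manchester_decode(levels)
    bad = [i for i, b in enumerate(decoded) if b is None]
    if bad:
        return {"destroyed_bits": bad, "fcs_ok": False, "frame": None}
    octets = bytes(sum(bit << i for i, bit in enumerate(decoded[n:n + 8]))
                   for n in range(0, len(decoded), 8))
    return {"destroyed_bits": [], "fcs_ok": fcs_ok(octets), "frame": octets}


# Constructed sample: broadcast destination, a locally administered source
# address, the IPv4 EtherType and a short payload that the builder pads.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
FRAME = build_frame(DST, SRC, 0x0800, b"hello")
LINE = manchester_encode(frame_bits(FRAME))

if __name__ == "__main__":
    clean = receive(LINE)
    print("clean signal: fcs_ok =", clean["fcs_ok"], "frame intact =", clean["frame"] == FRAME)
    print("0x0E on the wire:", manchester_encode([0, 0, 0, 0, 1, 1, 1, 0]))
    noisy = receive(inject_noise(LINE, 100))
    print("after noise on bit 100:", noisy["destroyed_bits"], "fcs_ok =", noisy["fcs_ok"])
```

Note that a real adapter never hands the upper layers a "flipped" bit from this kind of damage: the symbol is invalid at the line level, and even if it were guessed at, the FCS mismatch would discard the frame. That is the property the section is describing.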

Introduction Of Fast Ethernet


Introduction

Full motion video for video conferencing typically requires at least 25 Mb/sec. That means that a legacy Ethernet, at 10 Mb/sec, can only deliver poor quality real-time video. With 100 Mb/sec, however, you can be watching a broadcast presentation in one window while you're in conference with three people in three other windows (for a total of 100 megabits of bandwidth). Consider a file server that requires 6 Mb/sec (6 million bits per second; 60% utilization on a 10 Mb/sec Ethernet). With a 100 Mb/sec Ethernet this server can use interface hardware that pumps data down the pipe at a greatly increased rate. It seems clear that the industry is moving away from 10 Mb/sec Ethernet and towards 100 Mb/sec (or higher) rates of data transfer. This section of the compendium discusses 100 Mb/sec Ethernet technology.

Virtually everyone who uses Ethernet has wished from time to time that their network had a higher bandwidth. When Ethernet was being designed in the late 1970s, 10Mbps seemed immense. With today's bandwidth-intensive multimedia applications, or even with just the departmental server, that number sometimes is barely adequate. Yes, faster network technologies were available, but they were complicated and expensive. Then came Fast Ethernet.


Anyone who understands classic Ethernet already understands much about Fast Ethernet. Fast Ethernet uses the same cabling and access method as 10Base-T. With certain exceptions, Fast Ethernet is simply regular Ethernet - just ten times faster! Whenever possible, the same numbers used in the design of 10Base-T were used in Fast Ethernet, just multiplied or divided by ten. Fast Ethernet is defined for three different physical implementations:

100BASE-TX: Category 5 UTP
100BASE-FX: Multimode fibre
100BASE-T4: Category 3 UTP (all four pairs)

Probably the most popular form of Fast Ethernet is 100BASE-TX. 100BASE-TX runs on EIA/TIA 568 Category 5 unshielded twisted pair, sometimes called UTP-5. It uses the same pair and pin configurations as 10Base-T, and is topologically similar in running from a number of stations to a central hub. As an upgrade to 10Mbps Ethernet over multimode fibre (10Base-F), 100BASE-FX is Fast Ethernet over fibre. Half-duplex runs are supported up to about 400m and full-duplex runs up to 2km.

Fast Ethernet is also possible on Category 3 UTP with 100BASE-T4. There is a popular misconception that Fast Ethernet will only run on Category 5 cable. That is true only for 100BASE-TX. If you have Category 3 cable with all four pairs (8 wires) connected between station and hub, you can still use it for Fast Ethernet by running 100BASE-T4. 100BASE-T4 sends 100Mbps over the relatively slow UTP-3 wire by fanning out the signal to three pairs of wire. This "demultiplexing" slows down the signalling rate on each pair enough that it won't overrun the cable. Category 3 cable has four pairs of wire, eight wires total, running from point to point; 10Base-T only uses two of those pairs (four wires), and some cables only have these two pairs connected in the RJ-45 plug. If the Category 3 cabling at your site has all four pairs between hub and workstation, you can use Fast Ethernet by running 100BASE-T4.

Differences Between Classic Ethernet And Fast Ethernet


Introduction

The two primary areas for concern when upgrading the network from 10Mbps to 100Mbps are cabling and hubs. As discussed on the Fast Ethernet Introduction page, in Fast Ethernet twisted pair cabling needs either to be Category 5 or to be Category 3 with proper twist maintained on all four pairs.

The problem with hubs is the number of hubs allowed in a single collision domain. Classic Ethernet allows hubs to be cascaded up to four deep between any two stations. In Fast Ethernet, the number of hubs allowed in a collision domain is drastically reduced - to a single hub. Sometimes it may be possible to have more than one hub in a collision domain, but it will probably be easier in the long term to design a Fast Ethernet network assuming that only one hub is allowed. What the IEEE 802.3 spec does not explicitly state is that this limitation only applies to shared 100BASE-T, not to switched 100BASE-T. Since switches act like bridges in defining a separate collision domain, installing Fast Ethernet switches will allow you to work around the single-hub problem. Even if it is not necessary to deliver dedicated switched Fast Ethernet to each desktop, Fast Ethernet hubs can be connected to switches. Connecting a number of repeaters to a switch will provide shared Fast Ethernet and allow you to maintain the size of your network.

Integrating Fast Ethernet into 10MB Ethernet Networks

Introduction

Now that Fast Ethernet is here, the question becomes, "How do I start using it?" Integrating Fast Ethernet into existing networks need not be done all at once.

Here are some aspects of 100Mbps implementation that should be considered:

Implementing Switching
Eliminating Bottlenecks
Expanding The Topology Outwards and Downwards

Implementing Switching

Implement switching in high-traffic areas first, so that the remaining bottlenecks on the network are isolated and easy to see. Since Fast Ethernet provides higher throughput, it makes sense to figure out which network connections need the most relief. Which segments consistently attempt to pump the most bytes? Which segments consistently demonstrate the highest average percent bandwidth usage according to your protocol analyzer?


Installing switches will help you figure out which network segments are moving the most information due to the effect switches have on your network. Installing switches is like moving from traffic lights to limited-access highways. The idea works extremely well in isolating cross-town traffic, e.g. peer-to-peer networking, but doesn't necessarily help when all of the traffic slows down at particular locations, e.g. an enterprise-wide server or the network Internet firewall. Because there are other ways of isolating network bottlenecks, implementing switches is primarily useful when installing 10/100 switches in preparation for 100Mbps Ethernet.

Installing switches also gives the added benefit of segmenting collision domains. In classic Ethernet, there can be up to four hubs or repeaters between any two stations, but in Fast Ethernet that number is only one (a Class I repeater) or two (Class II repeaters). Installing switches in place of repeaters spares you having to segment your network at a later point, allowing the cost of the transition to be spread over a longer period of time.

Eliminating Bottlenecks

Once bottlenecks have been identified, upgrade those network connections to 100 Mbps. The primary difficulty in this step is verifying that the existing cabling will be sufficient for Fast Ethernet. On UTP, the cable either needs to meet Category 5 specifications or have four pairs with proper twist maintained on Category 3. If you're planning on using 100BASE-TX, your wiring closet will also need to be certified for a higher speed. There are many devices available such as wire pair scanners, which will make this job much easier.

Installing the initial Fast Ethernet connections is much easier if the switches installed earlier are 10/100, capable of operating at either classic Ethernet speeds or Fast Ethernet speeds. If the switches installed were only 10Mbps switches, they could be used as "hand-me-downs," replacing hubs in segments where users require more bandwidth.

Expand The Topology Outwards and Downwards

Gradually work the Fast Ethernet out into the rest of the network, as far out and down as desired. Note that the price of 10/100 cards is not substantially higher than that of 10Mbps cards, so it may be a wise idea to plan ahead by installing 10/100 cards when installing new machines.


If there comes a point in the future when 100Mbps Ethernet needs to be implemented on that machine, all that will need to be changed is the connection on the other end. On the other hand, upgrading a machine from a 10Mbps card to a 100Mbps card will require reconfiguring the user's machine, installing a new driver, etc. A short-term expenditure can greatly offset the cost in man-hours and downtime later on.

Troubleshooting Techniques for Fast Ethernet

Introduction

This page will primarily discuss problems unique to Fast Ethernet:

The Collision Domain
Incompatible Ethernet Jabber
Auto-negotiation Priorities And Alternatives
Incompatible Cabling Specifications

The Collision Domain

The single biggest change in network design in Fast Ethernet is the smaller collision domain. Technically, the collision domain in all flavors of Ethernet is the same size measured in bits: the slot time is 512 bit times, so a transmission must be able to reach the far end of the domain and a collision signal return within that window, i.e. at most 256 bit times each way. On the wire, ten times as many 100Mbps bits occupy the same space as 10Mbps bits, so a 100Mbps collision domain can be only one tenth the physical size of a 10Mbps collision domain.

Effectively this means that whereas up to four hubs can legally be cascaded in 10Base-T between any two stations, only one (or two) hubs can be used in a single segment in 100BASE-T without going through an interconnect device that provides link segmentation, such as a store-and-forward bridge, a switch or a router. A separate section of the Compendium discusses INTERCONNECT DEVICES in detail. If you see signs of corruption on your network that correspond to propagation delay (late collisions, for example), check to make sure that you're not cascading too many hubs.


You can make some generalizations regarding the structure of corrupted data frames (as discussed in the 10 Mbps Ethernet FRAME CORRUPTION section) but remember that these corruption patterns may be quite misleading, since you have a hub or switch in the network.

Note that many hub vendors sell stackable hubs. Hubs in a single stack connected via a common backplane are usually considered to be a single hub in terms of propagation delay, but multiple stacks cascaded externally via 100BASE-TX, 100BASE-T4, or 100BASE-FX could definitely cause problems. These 100BASE standards are discussed in the INTRODUCTION to this Fast Ethernet section.

Incompatible Ethernet Jabber

Another potential problem in 100Mbps Ethernet is the use of RJ-45 jacks for more than one flavor of Ethernet. Since 100BASE-TX and 100BASE-T4 both use RJ-45 jacks, as do 10Base-T and many other network technologies, the IEEE 802.3 specified an auto-negotiation protocol to allow stations to figure out the networking technology to use.

Unfortunately, they made its implementation optional. If you're using equipment that does not implement IEEE-spec auto-negotiation, the incompatible Ethernet signals could prevent one of your stations from connecting to your network, or even simulate "jabber" by constantly transmitting a TX idle stream and bringing down the network.

Whether this jabber actually occurs is uncertain, considering that the flavors of Ethernet use different signal formats in transmission. Even if data is not exchanged, it is still possible that incompatible Ethernet flavors could assume that they have a proper connection. Ethernets using RJ-45 connections to a hub use a Link Test Pulse to verify link integrity. This pulse is the same in all flavors of Ethernet if auto-negotiation is not used. The auto-negotiation protocol itself uses a modified form of these pulses (Fast Link Pulse bursts) to negotiate a common Ethernet implementation.

If Ethernet incompatibility jabber were to occur between 100BASE-TX and another flavor of Ethernet, the results could be catastrophic, as 100BASE-TX transmits a continuous idle signal between frames. Although transparent to 100BASE-TX, this idle signal would completely busy out a 10Base-T or 100BASE-T4 segment. On the other hand, 802.3 specifies that a Fast Ethernet repeater should implement jabber control, automatically partitioning off any port that streams for more than 40000 to 75000 bit times. If the repeater partitions off the "jabbering" port, the symptom is reduced to an inability to connect the 100BASE-TX station to the network.

Auto-negotiation Priorities And Alternatives

If the station and repeater both support 100BASE-TX and 100BASE-T4 and 802.3 auto-negotiation, the link will auto-negotiate to 100BASE-T4 instead of 100BASE-TX. Since 100BASE-TX requires Category 5 cabling but 100BASE-T4 requires only Category 3, 100BASE-T4 is ranked higher in the spec's priority list and is assumed to be a better default. (Full-duplex 100BASE-TX, where both sides advertise it, ranks above either.)

If the cabling is known to be UTP-5, then it is probably more efficient to turn off auto-negotiation and use 100BASE-TX wherever possible. 100BASE-T4 requires more overhead than TX because it multiplexes and demultiplexes the data stream over three wire pairs. There is also significantly less overhead in translating between 100BASE-TX and 100BASE-FX than between either of them and 100BASE-T4, as TX and FX both use 4B5B encoding instead of T4's 8B6T. 100BASE-TX and 100BASE-FX also leave open the possibility of full-duplex communication, which at the time of writing was not yet part of the 802.3 spec. Be aware that if you hard-code one end of a link and leave the other auto-negotiating, the negotiating end can only fall back to parallel detection and will assume half duplex.

On the other hand, 100BASE-TX sends an idle signal whenever it is not transmitting data. The 802.3 spec implies that it may very well be preferable to use 100BASE-T4 for battery-powered operation, since the card would only be transmitting when there is actual information to be moved.
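The priority rule the two paragraphs above describe, as an added example that is not code from the original page. It models the Technology Ability Field of the auto-negotiation base link code word (bits A0 to A4 as defined in the 100BASE-T auto-negotiation annex) and the "highest common denominator" resolution, then shows the fallback when the partner is not negotiating at all. The station names, advertised ability sets and the link-signal labels used by the parallel-detection helper are constructed for the demonstration and are not the spec's own terms.

```python
"""Added example (not from the original page): how 802.3 auto-negotiation
picks a mode when two stations exchange their Technology Ability Fields.
Bit positions A0-A4 and the priority order follow the 100BASE-T
auto-negotiation annex; the stations, advertisements and signal labels
below are constructed for the demo."""

# Technology Ability Field bits of the base link code word (A0..A4).
A0_10BASE_T = 1 << 0
A1_10BASE_T_FD = 1 << 1
A2_100BASE_TX = 1 << 2
A3_100BASE_TX_FD = 1 << 3
A4_100BASE_T4 = 1 << 4

# Resolution priority, highest first. T4 outranks half-duplex TX because it
# only needs Category 3 cable, but full-duplex TX outranks both.
PRIORITY = [
    (A3_100BASE_TX_FD, "100BASE-TX full duplex"),
    (A4_100BASE_T4, "100BASE-T4"),
    (A2_100BASE_TX, "100BASE-TX"),
    (A1_10BASE_T_FD, "10BASE-T full duplex"),
    (A0_10BASE_T, "10BASE-T"),
]


def resolve(local: int, partner: int):
    """Return the name of the highest-priority mode both sides advertise,
    or None when there is no common technology (the link stays down)."""
    common = local & partner
    for bit, name in PRIORITY:
        if common & bit:
            return name
    return None


def parallel_detect(link_signal_seen: str):
    """A negotiating station that hears no FLP bursts, only a plain link
    signal, falls back to parallel detection: it selects the technology
    whose link signal it recognises and assumes half duplex. The signal
    names are demo labels (assumption), not the spec's state names."""
    fallback = {
        "10BASE-T NLP": "10BASE-T",
        "100BASE-TX idle": "100BASE-TX",
        "100BASE-T4 link": "100BASE-T4",
    }
    return fallback.get(link_signal_seen)


def describe(local: int, partner: int, partner_autoneg: bool = True,
             partner_signal: str = "") -> str:
    """The decision a NIC driver effectively makes for one link."""
    if partner_autoneg:
        mode = resolve(local, partner)
        return mode or "no common mode: link stays down"
    mode = parallel_detect(partner_signal)
    return (f"{mode} (half duplex, partner not negotiating)" if mode
            else "unrecognised signal: link stays down")


if __name__ == "__main__":
    # Constructed: a NIC that can do everything except full-duplex TX,
    # and a repeater that offers 10BASE-T, 100BASE-TX and 100BASE-T4.
    nic = A0_10BASE_T | A1_10BASE_T_FD | A2_100BASE_TX | A4_100BASE_T4
    hub = A0_10BASE_T | A2_100BASE_TX | A4_100BASE_T4
    print(describe(nic, hub))                    # T4 wins, as the text says
    print(describe(nic, hub & ~A4_100BASE_T4))   # T4 disabled: TX
    print(describe(nic, A0_10BASE_T))            # old hub: 10BASE-T
    print(describe(nic, 0, partner_autoneg=False, partner_signal="100BASE-TX idle"))
```

Disabling T4 on one side (as the text recommends on known Category 5 plant) is enough to make the link settle on TX, because the rule only ever picks a mode both sides advertise.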

Incompatible Cabling Specifications

One final problem with the advent of Fast Ethernet is the different cabling specifications. In classic Ethernet it was difficult to mistake 10Base-2 for 10Base-5. With Fast Ethernet, special care must be taken to verify that the entire connection between station and concentrator either supports TX's 31.25MHz signal or maintains T4's four pairs with proper twist. There are a number of good cable testers and pair scanners available to assist you in determining this for your network.

Virtual Local Area Networks (VLANs) - Introduction

Introduction

Virtual Local Area Networks, or VLANs, are one of the latest and coolest network technologies developed in the past few years, though they have only recently started to gain recognition. The non-stop growth of Local Area Networks (LANs) and the need to minimize the cost of this expensive equipment, without sacrificing network performance and security, created the necessary soil for the VLAN seed to surface and grow into most modern networks.

The truth is that VLANs are not as simple as most people perceive them to be. Instead they cover enough material to be a whole study in themselves, as they involve a mixture of protocols, rules and guidelines that a network administrator should be well aware of. Unfortunately, most documentation provided by vendors and other sites is inadequate or very shallow. They lightly touch upon the VLAN topic and fail to give the reader a good understanding of how VLANs really work and the wonderful things one can do when implementing them.

Like most topics covered on our site, VLANs have been broken down into a number of pages, each one focusing on specific areas to help the reader build up their knowledge as preparation for designing and building their own VLAN network.

Since VLANs are a topic that requires strong background knowledge of certain areas, as they contain a lot of information at the technical and protocol level, we believe that the reader should be familiar and comfortable with the following concepts:

Switches and hubs
Broadcast and collision domains
Internet Protocol (IP)
IP routing

As we cover all the theory behind VLANs and how they are implemented within various network topologies, we will finally demonstrate the configuration of a Cisco powered network utilising VLANs!

Protocols such as Spanning Tree Protocol (STP) are essential when implementing VLANs within a mid to large sized network, so we will briefly touch upon the topic, without thoroughly analysing it in great detail because STP will be covered as a separate topic.


So What's Covered ?

Before we begin our journey into the VLAN world, let's take a look at what we will be covering:

Section 1: The VLAN Concept. This page explains what a VLAN is and how it differs from a normal switched environment. Be sure to find our well known diagrams along with illustrations to help cover your questions. In short, it's a great introductory page for the topic.

Section 2: Designing VLANs.

Section 2.1: Designing VLANs - [Subsection 1] A Comparison With Old Networks. This subsection will give you an insight into the different VLAN implementations: Static and Dynamic VLANs. The subsection begins with an introduction page to help you 'see' the actual difference in the network infrastructure between the old boring networks and VLAN powered networks. This way, you will be able to appreciate the technology much better!

Section 2.2: Designing VLANs - [Subsection 2]: Static VLANs. Definitely the most widespread VLAN implementation. The popular Static VLANs are analysed here. We won't be covering any configuration commands here as this page serves as an introduction to this VLAN implementation. As always, cool 3D diagrams and examples are included to help you understand and process the information.

Section 2.3: Designing VLANs - [Subsection 3]: Dynamic VLANs. Dynamic VLANs are less common to most networks but offer substantial advantages over Static VLANs for certain requirements. Again, this page serves as an introduction to the specific VLAN implementation.

Section 3: VLAN Links: Access Links & Trunk Links. Access links are used to connect hosts, while Trunk links connect to the network backbone. Learn how Access & Trunk links operate, the logic which dictates the type of link and interface used and much more.


Section 4: VLAN Tagging - ISL, 802.1q, LANE and IEEE 802.10. To tag or not to tag! Understand the VLAN tagging process and find out the different tagging methods available, which are the most popular and how they differ from each other. Neat diagrams and examples are included to ensure no questions are left unanswered!

Section 5: Analysing Popular Tagging Protocols.

Section 5.1: InterSwitch Link Analysis (ISL): Analysis of Cisco's proprietary ISL protocol. We take a look at how it is implemented and all the fields it contains.

Section 5.2: IEEE 802.1q Analysis: IEEE's 802.1q protocol is the most widely spread trunking protocol. Again, we take a look at its implementation with an analysis of all its fields.

Section 6: InterVLAN Routing. A very popular topic, routing between VLANs is very important as it allows VLANs to communicate. We'll examine all possible InterVLAN routing methods and analyse each one's advantages and disadvantages. Needless to say, our cool diagrams also make their appearance here!

Section 7: VLAN Trunking Protocol (VTP)

Section 7.1: Introduction To The VTP Protocol. The introductory page deals with understanding the VTP concept. Why it's required and what are its advantages.

Section 7.2: In-Depth Analysis Of VTP. Diving deeper, this page will analyse the VTP protocol structure. It includes 3d diagrams explaining each VTP message usage and much more.

Section 7.3: VLAN Trunking Protocol Pruning (VTP Pruning). VTP Pruning is an essential service in any large network to avoid broadcast flooding over trunk links. This page will explain what VTP Pruning does and how it works by reading through our excellent examples. The diagrams used here have been given extra special attention!


Virtual Local Area Networks (VLANs) - The Concept


Introduction

We hear about them everywhere, vendors around the world are constantly trying to push them into every type of network and, as a result, the Local Area Network (LAN) we once knew starts to take a different shape. And yet, for some of us, the concept of what VLANs are and how they work might still be a bit blurry. To help start clearing things up we will define the VLAN concept not only through words, but through the use of our cool diagrams and, at the same time, compare VLANs to our standard flat switched network. We will start by taking a quick look at a normal switched network, pointing out its main characteristics, and then move on to VLANs. So, without any delay, let's get right into this cool stuff!

The Traditional Switched Network

Almost every network today has a switch interconnecting all network nodes, providing a fast and reliable way for the nodes to communicate. Switches today are what hubs were a while back - the most common and necessary equipment in our network, and there is certainly no doubt about that. While switches might be adequate for most types of network, they prove inadequate for mid to large sized networks where things are not as simple as plugging a switch into the power outlet and hanging a few PCs from it! For those of you who have already read our "switches and bridges" section, you will be well aware that switches are layer 2 devices which create a flat network:

The above network diagram illustrates a switch with 3 workstations connected. These workstations are able to communicate with each other and are part of the same broadcast domain, meaning that if one workstation were to send a broadcast, the rest will receive it. In a small network a few broadcasts might not be too much of a problem, but as the size of the network increases, so will the broadcasts, up to the point where they start to become a big problem, flooding the network with garbage (most of the time!) and consuming valuable bandwidth. To visually understand the problem, but also the idea of a large flat network, observe the diagram below:

The problem here starts to become evident as we populate the network with more switches and workstations. Since most workstations tend to be loaded with the Windows operating system, this will result in unavoidable broadcasts being sent occasionally on the network wire - something we certainly want to avoid. Another major concern is security. In the above network, all users are able to see all devices. In a much larger network containing critical file servers, databases and other confidential information, this would mean that everyone would have network access to these servers and naturally they would be more susceptible to attack. To effectively protect such systems you would need to restrict access at the network level by segmenting the existing network or simply placing a firewall in front of each critical system, but the cost and complexity will surely make most administrators think twice about it. Thankfully there is a solution ..... simply keep reading.

Designing VLANs - A Comparison With Old Networks


Introduction

Designing and building a network is not a simple job. VLANs are no exception to this rule; in fact they require a more sophisticated approach because of the variety of protocols used to maintain and administer them. Our aim here is not to tell you how to set up your VLANs and what you should or shouldn't do, this will be covered later on. For now, we would like to show you different physical VLAN layouts to help you recognise the benefits offered when introducing this technology into your network, regardless of its size. The technology is available and we simply need to figure out how to use it and implement it using the best possible methods, in order to achieve outstanding performance and reliability. We understand that every network is unique as far as its resources and requirements are concerned, which is another reason why we will take a look at a few different VLAN implementations. However, we will not mention the method used to set them up - this is up to you to decide once you've read the following pages!

Designing your first VLAN

Most common VLAN setups involve grouping departments together regardless of their physical placement throughout the network. This allows us to centralise the administration for these departments, while also limiting unwanted incidents of unauthorised access to resources of high importance. As always, we will be using neat examples and diagrams to help you get a visual on what we are talking about.


Let's consider the following company: Packet Industries

Packet Industries is a large scale company with over 40 workstations and 5 servers. The company deals with packet analysis and data recovery and has labs to recover data from different media that require special treatment due to their sensitivity. As with every other company, there are different departments that deal with different aspects of the business, and these are:

Management/HR Department
Accounting Department
Data Recovery & IT Department

These three departments are spread throughout 3 floors in the building where the company is situated. Because the IT department takes confidentiality of their own and customers' data seriously, they have decided to redesign their network and also take a look at the VLAN solutions available, to see if they are worth the investment. We are going to provide two different scenarios here: the first one will not include VLANs, while the second one will. Comparing the two different solutions will help you see the clear advantages of VLANs and also provide an insight into how you can apply this wonderful technology to other similar networks you might be working with.

Solution 1 - Without VLANs!

The IT department decided that the best way to deal with the security issue would be to divide the existing network by partitioning it. Each department would reside in one broadcast domain and access lists would be placed between each network's boundaries to ensure access to and from them is limited according to the access policies. Since there are three departments, three new networks had to be created to accommodate the new design. The budget, as in most cases, had to be controlled so it didn't exceed the amount granted by the Accounting Department. With all the above in mind, here's the proposal the IT department created:


As you can see, each department has been assigned a specific network. Each floor has a dedicated switch for every network present on it. As a result, this increases network security since we have separate physical networks, and this solution also seems to be the most logical one. These switches are then grouped together via the network backbone which, in its turn, connects to the network's main router. The router here undertakes the complex role of controlling access and routing between the networks and servers with the use of access lists as created by the IT Department. If needed, the router can also be configured to allow certain IPs to be routed between the three networks, should there be such a requirement. The above implementation is quite secure as there are physical and logical restrictions placed at every level. However, it is somewhat restrictive as far as expanding and administering the network, since there is no point of central control. Lastly, if you even consider adding full redundancy to the above, essentially doubling the amount of equipment required, the cost would clearly be unreasonable... So let's now take a look at the second way we could implement the above, without blowing the budget, without compromising our required security level and at the same time creating a flexible and easily expandable network backbone.


Solution 2 - With VLANs!

The solution we are about to present here is surely the most preferred and economical. The reasons should be fairly straightforward: we get the same result as the previous solution, at almost half the cost, and as a bonus we get the flexibility and expandability we need for the future growth of our network, which was very limited in our previous example. By putting the VLAN concept we covered on the previous page into action, you should be able to visualise the new setup:

As you can see, the results in this example are a lot neater and the most apparent change is the presence of a single switch per floor, connecting directly to the network backbone. These switches of course are VLAN capable, and have been configured to support the three separate logical networks over one physical switch. The router from the previous solution has been replaced by what we call a 'layer 3 switch'. These types of switches are very intelligent and understand layer 3 (IP layer) traffic. With such a switch, you are able to apply access lists to restrict access between the networks, just like you normally would on a router, but more importantly, route packets from one logical network to another! In simple terms, layer 3 switches are a combination of a powerful switch with a built-in router :) Note that the access lists still do the security work: the VLANs separate the broadcast domains, but without a filter at the layer 3 boundary every VLAN can still reach every other.

Summary

If the above example was interesting and provided an insight into the field of VLANs, we can assure you - you haven't seen anything yet. When unleashing the power of VLANs, there are amazing solutions for almost any problem or need that your network has. It's now time to start looking at the VLAN technology in a bit more detail, that is, how it's configured, the positive and negative areas for each type of VLAN configuration and much more. The next page analyses Static VLANs, which are perhaps the most popular implementation of VLANs around the world. Take a quick break for some fresh air if needed, otherwise, gear up and let's move!

Designing VLANs - Static VLANs


Introduction

VLANs are usually created by the network administrator, assigning each port of every switch to a VLAN. Depending on the network infrastructure and security policies, the assignment of VLANs can be implemented using two different methods: Static or Dynamic membership - these two methods are also known as VLAN memberships. Each of these methods has its advantages and disadvantages and we will be analysing them in great depth to help you decide which would best suit your network. Depending on the method used to assign the VLAN membership, the switch may require further configuration, but in most cases it's a pretty straightforward process. This page deals with Static VLANs while Dynamic VLANs are covered next.

Static VLANs

Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and the security it provides. With Static VLANs, the administrator assigns each port of the switch to one VLAN. Once this is complete, they can simply connect each device or workstation to the appropriate port. The picture below depicts an illustration of the above, where 4 ports have been configured for 4 different VLANs:

The picture shows a Cisco switch (well, half of it :>) where ports 1, 2, 7 and 10 have been configured and assigned to VLANs 1, 5, 2 and 3 respectively. At this point, we should remind you that these 4 VLANs are not able to communicate with each other without the use of a router, as they are treated as 4 separate physical networks, regardless of the network addressing scheme used on each of them. However, we won't provide further detail on VLAN routing since it's covered later on. Static VLANs are certainly more secure than traditional switches, while also being relatively easy to configure and monitor. As one would expect, all nodes belonging to a VLAN must also be part of the same logical network in order to communicate with one another. For example, on our switch above, if we assigned network 192.168.1.0/24 to VLAN 1, then all nodes connecting to ports assigned to VLAN 1 must use the same network address in order to communicate with each other, just as if this were an ordinary switch. In addition, Static VLANs have another strong point - you are able to control where your users move within a large network. By assigning specific ports on your switches throughout your network, you are able to control access and limit the network resources your users are able to use. A good example would be a large network with multiple departments, where any network administrator would want to control where the users can physically connect their workstation or laptop and which servers they are able to access. The following diagram shows a VLAN powered network where the switches have been configured with Static VLAN support.

The network diagram might look slightly complicated at first, but if you pay close attention to each switch, you will notice that it's quite simple - six switches with 6 VLANs configured, one VLAN per department, as shown. While each VLAN has one logical network assigned to it, the IT department has, in addition, placed one workstation in each of the following departments for support purposes: Management, R&D and HR. The network administrator has assigned Port 1 (P1) on each department switch to VLAN 5 for the workstation belonging to the IT department, while the rest of the ports are assigned to the appropriate VLAN as shown in the diagram. This setup allows the administrator to place any employee of the IT department anywhere on the network, without worrying about whether the user will be able to connect and access the IT department's resources. In addition, if a user in any of the above departments, e.g. the Management department, decided to get smart by attempting to gain access to the IT department's network and resources by plugging his workstation into Port 1 of his department's switch, he surely wouldn't get far, because his workstation would be configured for the 192.168.1.0 network (VLAN 1), while Port 1 requires him to use a 192.168.5.0 network address (VLAN 5). Logically, he would have to change his IP address to match the network he is trying to gain access to, and in this case this would be network 192.168.5.0.

Summary

To sum up, with Static VLANs, we assign each individual switch port to a VLAN. The network addresses are totally up to us to decide. In our example, the switches do not care what network address is used for each VLAN, as they totally ignore this information unless routing is performed (this is covered in the InterVLAN routing page). As far as the switches are concerned, if you have two ports assigned to the same VLAN, then these two ports are able to communicate with each other, just as would happen on any normal layer 2 switch.

Designing VLANs - Dynamic VLANs


Introduction

Dynamic VLANs were introduced to grant the flexibility and complexity(!) that Static VLANs did not provide. Dynamic VLANs are quite rare because of their requirements and initial administrative overhead. As such, most administrators and network engineers tend to prefer Static VLANs.

Dynamic VLANs

Dynamic VLANs, as opposed to Static VLANs, do not require the administrator to individually configure each port, but instead rely on a central server called the VMPS (VLAN Membership Policy Server). The VMPS is used to handle the on-the-spot port configuration of every switch participating in the VLAN network. The VMPS server contains a database of all workstation MAC addresses, along with the VLAN each MAC address belongs to. This way, we essentially have a VLAN-to-MAC address mapping:

The above diagram is intended to help us understand the mapping relationship that exists in the VMPS server. As shown, each MAC address, which translates to a host on the network, is mapped to a VLAN, allowing this host to move inside the network, connecting to any switch that is part of the VMPS network, and maintain its VLAN configuration. You can now start to imagine the initial workload involved when configuring a VMPS server for a network of over 300 workstations :) As one would expect, the above model works very well, but it also requires the switches to be in constant contact with the VMPS server, requesting configuration information every time a host connects to a switch participating in the VLAN network. Of course, there is a lot more information we can use to configure the VMPS database, but we won't be covering that just yet. Like all network services offered, Cisco has cleverly designed this model to be as flexible as our network might require. For example, you are able to connect more than one host to one dynamically configured port, as long as all hosts are part of the same VLAN:

The diagram on the left shows us a VLAN capable switch that has been configured to support Dynamic VLANs. On port No.5, we have connected a simple switch (not VLAN aware) to which another 4 workstations are connected. As mentioned previously, this type of configuration is valid and therefore supported, but it also has its restrictions and limitations. One of the restrictions, which by the way can also be considered a semi-security feature, is that all workstations connected to the same port must be configured in the VMPS server as part of the same VLAN, otherwise the port is most likely to shut down as a security precaution. As for the limitations of this configuration: if the switch detects more than 20 active hosts (20 MAC addresses) on the port, it will once again shut it down, leaving the workstations without any network connection. When this happens, the port that shuts down returns to an isolated state, not belonging to any VLAN. The fact is that Dynamic VLANs are really not suitable for every network, even though they allow a great deal of flexibility and security. If you consider the advantage one single feature of Dynamic VLANs can provide you with, then it might be all you need to implement them. Because each host connected to the switch is checked against the VMPS database for its VLAN membership before the port is activated and assigned to a VLAN, the network administrator has the ability to ensure no foreign host is able to walk up to a wall socket and simply plug in a workstation to access the network if its MAC address is not stored in the VMPS database. For a large scale network, this could be considered an ace up your sleeve.

Choosing Correct Switches

One important factor we haven't yet mentioned is that you cannot run the VMPS server on a Cisco Catalyst 2900 or 3500 series. The Catalyst 4500 and upwards are able to act as a VMPS, and at the time of writing, this switch has reached its end of retail life.
For those who have dealt with Cisco Catalyst switches in the past, you would know that a Catalyst 4500 is not the type of switch you would use in a 20 or 50 node network! The Catalyst 4500 and 6500 series are switches designed for enterprise networks; as such, they are built to be modular, easily expandable depending on your needs, and lastly, fully redundant, because you can't have your core backbone switch failing when all other switches and network equipment are directly connected to it. We've added a few pictures of the Catalyst 6500 series for you to admire :)

You can clearly see the slots available that allow the Catalyst switches to expand and grow with your network. In the likely event that you require more ports as your network expands, you simply buy a FastEthernet blade (some people call them 'slices') and insert it into an available slot!

Dynamic VLANs & FallBack VLANs

Another very interesting and smart feature Dynamic VLANs support is the fallback VLAN. This neat feature allows you to automatically configure a port to a VLAN specially created for workstations whose MAC address is not in the VMPS server. Consider company visitors or clients who require specific or restricted access to your network: they can freely connect to the network and have Internet access, along with limited rights on public directories. In the event the fallback VLAN has not been configured and the MAC address connected to the switch's port is unknown, the VMPS server will send an 'access-denied' response, blocking access to the network, but the port will remain active. If the VMPS server is running in 'secure-mode', it will proceed to shut down the port as an additional security measure.

The above diagram represents a portion of a large scale network using a Cisco 6500 Catalyst as the core switch. The switch has been configured to support Dynamic VLANs, therefore a VMPS server has been configured inside the switch, along with a DHCP server for each created VLAN. The administrator has already assigned the 3 workstations' MAC addresses to the VLANs shown and also created the fallback VLAN for any MAC address that does not exist in the database. Now consider this interesting scenario: One morning a visitor arrives in the office and requires an Internet connection so he can demonstrate a new product to the management. As an administrator, you've already configured a fallback VLAN with a DHCP server activated for the VLAN, pushing the necessary settings to the clients so they may obtain Internet access. The visitor finds a free RJ-45 socket on the wall, which connects to a Catalyst 3550 switch nearby, and plugs in his laptop. Before the user is allowed to access the network, the Cisco 3550 switch checks the laptop's MAC address and reads 4B:63:3F:A2:3E:F9. At this point, the port is blocked, not allowing the laptop computer to send or receive data. The Cisco 3550 switch sends the MAC address to the 6500 Catalyst switch, which is acting as the VMPS server; it checks for an entry that matches the specified MAC address but is unable to find one. Naturally, it determines that this is a visitor, so it creates an entry for that MAC address in the fallback VLAN and sends the information back to the Cisco 3550 switch. The switch will then enable access to the port our visitor is connected to by configuring the port to the fallback VLAN. If the visitor's computer is configured to obtain an IP Address automatically, it will do so once the operating system has booted. When this happens, the visitor's DHCP request will arrive at the 6500 Catalyst switch and its DHCP server will send the requested information, enabling the client (our visitor) to configure itself with all the parameters required to access the VLAN. This will also mean our visitor is now able to access the Internet! Finally, if the computer is not configured for DHCP, the client must be advised of the correct network settings or asked to enable automatic IP configuration in their network properties.

Summary

The past pages could be considered an 'eye-opener' for people who are new to the VLAN concept, and at the same time a 'quick-overview' for those who are well aware of their existence! We hope all your questions to this point have been answered; if not, they are most likely too advanced and will surely be answered in the pages that follow. As we complete our Dynamic & Static VLAN overview we are ready to dive in deeper. The next page begins by examining VLAN interfaces and their properties. There's no turning back now, so click on the lower right link to get started!
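The following Python models the VMPS decisions described in this section: a known MAC, the fallback VLAN, 'access-denied' with and without secure-mode, several hosts sharing one port, and the 20-host limit. It is an added example, not Cisco code; the database entries, VLAN numbers and MAC addresses are constructed, apart from the visitor's MAC quoted above.

```python
"""Dynamic VLAN assignment modelled on the VMPS rules described above.

Added example, not Cisco code. The MAC addresses, VLAN numbers and the
in-memory VLAN-to-MAC database are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_ACTIVE_HOSTS = 20   # per-port limit quoted in the text


@dataclass
class Vmps:
    """The VMPS database: MAC address -> VLAN, plus fallback and secure-mode settings."""
    mac_to_vlan: Dict[str, int]
    fallback_vlan: Optional[int] = None   # VLAN for MACs not in the database, if configured
    secure_mode: bool = False              # shut the port on an unknown MAC instead of only denying

    def lookup(self, mac: str):
        """Return (verdict, vlan): verdict is 'vlan', 'fallback' or 'deny'."""
        mac = mac.lower()
        if mac in self.mac_to_vlan:
            return "vlan", self.mac_to_vlan[mac]
        if self.fallback_vlan is not None:
            return "fallback", self.fallback_vlan
        return "deny", None


@dataclass
class DynamicPort:
    """One dynamically configured switch port and the hosts currently seen on it."""
    name: str
    vlan: Optional[int] = None            # None means isolated: not belonging to any VLAN
    active_macs: Set[str] = field(default_factory=set)
    shutdown: bool = False

    def isolate(self) -> None:
        """Shut the port down and drop it out of every VLAN."""
        self.shutdown = True
        self.vlan = None
        self.active_macs.clear()


def host_connects(vmps: Vmps, port: DynamicPort, mac: str) -> str:
    """Run the switch <-> VMPS exchange for one host plugging into `port`.

    The port stays blocked until the VMPS answers; the returned string is the
    outcome a log line would record."""
    mac = mac.lower()
    if port.shutdown:
        return "port is shut down; host blocked"

    verdict, vlan = vmps.lookup(mac)
    if verdict == "deny":
        # No fallback VLAN: the VMPS answers 'access-denied'. The port stays
        # active unless the VMPS runs in secure-mode, which shuts it down.
        if vmps.secure_mode:
            port.isolate()
            return "access-denied; port shut down (secure-mode)"
        return "access-denied; port stays active, host blocked"

    # Several hosts may share a port (e.g. behind a non-VLAN-aware switch),
    # but only if the VMPS maps all of them to the same VLAN.
    if port.active_macs and port.vlan != vlan:
        port.isolate()
        return "VLAN mismatch between hosts on one port; port shut down"

    port.active_macs.add(mac)
    if len(port.active_macs) > MAX_ACTIVE_HOSTS:
        port.isolate()
        return f"more than {MAX_ACTIVE_HOSTS} active hosts; port shut down and isolated"

    port.vlan = vlan
    note = " (fallback VLAN)" if verdict == "fallback" else ""
    return f"port assigned to VLAN {vlan}{note}"
```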

VLAN Links: Access & Trunk Links


Introduction

By now we should feel comfortable with terms such as 'VLAN' and 'Static & Dynamic VLANs', but this is just the beginning in this complex world. On this page, we will start to slowly expand on these terms by introducing new ones! To begin with, we will take a closer look at the port interfaces on these smart switches and then start moving towards the interfaces connecting to the network backbone, where things become slightly more complicated, though do not be alarmed, since our detailed and easy to read diagrams are here to ensure the learning process is as enjoyable as possible.

VLAN Links - Interfaces

Inside the world of VLANs there are two types of interfaces, or if you like, links. These links allow us to connect multiple switches together or just simple network devices, e.g. a PC, that will access the VLAN network. Depending on their configuration, they are called Access Links or Trunk Links.

Access Links

Access Links are the most common type of links on any VLAN switch. All network hosts connect to the switch's Access Links in order to gain access to the local network. These links are your ordinary ports found on every switch, but configured in a special way, so you are able to plug a computer into them and access your network.

Here's a picture of a Cisco Catalyst 3550 series switch, with its Access Links (ports) marked in the green circle:

We must note that the 'Access Link' term describes a configured port - this means that the ports above can also be configured as the second type of VLAN link - Trunk Links. What we are showing here is what's usually configured as an Access Link port in 95% of all switches. Depending on your needs, you might need to configure the first port (top left corner) as a Trunk Link, in which case it is obviously not called an Access Link port anymore, but a Trunk Link! When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port, that is, the VLAN our device will be allowed to access. If you recall the diagram below, which was also present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific port:

In this case, each of the 6 ports used has been configured for a specific VLAN. Ports 1, 2 and 3 have been assigned to VLAN 1, while ports 4, 5 and 6 have been assigned to VLAN 2. In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while ports 4, 5 and 6 will carry VLAN 2 traffic. As you will remember, these two VLANs do not exchange any traffic with each other unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the two VLANs.

It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed so the recipient has no information about them. The following diagram illustrates this to help you get the picture:

As shown, all packets entering or exiting the port are standard Ethernet II type packets, which are understood by the network device connected to the port. There is nothing special about these packets, other than the fact that they belong only to the VLAN the port is configured for. If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.

Trunk Links

What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. There is, however, one more type of port configuration, which we mentioned in the introductory section on this page - the Trunk Link. A Trunk Link, or 'Trunk', is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span multiple switches. The diagram below shows multiple switches connected throughout a network, and the Trunk Links are marked in purple colour to help you identify them:

As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be isolated from the rest of the network, allowing only ports on that switch, belonging to the same VLAN, to communicate with each other. So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual switch to identify a possible Trunk Link:

As we noted in the explanation of Access Link ports, the term 'Trunk Link' describes a configured port. In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network backbone at the speed of 1 Gigabit, while the Access Link ports connect at 100Mbits. In addition, we should note that for a port or link to operate as a Trunk Link, it is imperative that it runs at speeds of 100Mbit or greater. A port running at 10Mbit cannot operate as a Trunk Link, and this is logical because a Trunk Link is always used to connect to the network backbone, which must operate at speeds greater than most Access Links!

Summary

This page introduced the Access and Trunk links. We will be seeing a lot of both links from now on, so it's best you get comfortable with them! Configuration of these links is covered later on, because there is still quite a bit of theory to cover! Next up is the VLAN Tagging topic, where we will see what really runs through those Access and Trunk links!

VLAN Tagging
Introduction

We mentioned that Trunk Links are designed to pass frames (packets) from all VLANs, allowing us to connect multiple switches together and independently configure each port to a specific VLAN. However, we haven't explained how these packets run through the Trunk Links and network backbone, eventually finding their way to the destination port without getting mixed up or lost among the rest of the packets flowing through the Trunk Links. This process belongs to the world of VLAN Tagging!

VLAN Tagging

VLAN Tagging, also known as Frame Tagging, is a method developed by Cisco to help identify packets travelling through trunk links. When an Ethernet frame traverses a trunk link, a special VLAN tag is added to the frame and sent across the trunk link.

As it arrives at the end of the trunk link the tag is removed and the frame is sent to the correct access link port according to the switch's table, so that the receiving end is unaware of any VLAN information. The diagram below illustrates the process described above:

Here we see two 3500 series Catalyst switches and one Cisco 3745 router connected via the Trunk Links. The Trunk Links allow frames from all VLANs to travel throughout the network backbone and reach their destination regardless of the VLAN the frame belongs to. On the other side, the workstations are connected directly to Access Links (ports configured for one VLAN membership only), gaining access to the resources required by the VLAN's members. Again, when we call a port 'Access Link' or 'Trunk Link', we are describing it based on the way it has been configured. This is because a port can be configured as an Access Link or as a Trunk Link (in the case where it's 100Mbits or faster). This is stressed because a lot of people think that it's the other way around, meaning, a switch's uplink is always a Trunk Link and any normal port where you would usually connect a workstation is an Access Link port!

VLAN Tagging Protocol

We're now familiar with the term 'Trunk Link' and its purpose, that is, to allow frames from multiple VLANs to run across the network backbone, finding their way to their destination. What you might not have known, though, is that there is more than one method to 'tag' these frames as they run through the Trunk Links or ... the VLAN Highway, as we like to call it.

InterSwitch Link (ISL)

ISL is a Cisco proprietary protocol used for FastEthernet and Gigabit Ethernet links only. The protocol can be used on various equipment such as switch ports, router interfaces and server interface cards (to create a trunk to a server) and much more. You'll find more information on VLAN implementations on our last page of the VLAN topic. Being a proprietary protocol, ISL is naturally available and supported on Cisco products only :) You may also be interested to know that ISL is what we call an 'external tagging process'. This means that the protocol does not alter the Ethernet frame as shown in our previous diagram - placing the VLAN Tag inside the Ethernet frame - but instead encapsulates the Ethernet frame with a new 26 byte ISL header and adds an additional 4 byte frame check sequence (FCS) field at the end of the frame, as illustrated below:

Despite this extra overhead, ISL is capable of supporting up to 1000 VLANs and does not introduce any delays in data transfers between Trunk Links. In the above diagram we can see an ISL frame encapsulating an Ethernet II frame. This is the actual frame that runs through a trunk link between two Cisco devices when configured to use ISL as their trunk tagging protocol. The encapsulation method mentioned above also happens to be the reason why only ISL-aware devices are able to read it, and because of the addition of an ISL header and FCS field, the frame can end up being 1548 bytes long! For those who can't remember, Ethernet's maximum frame size is 1518 bytes, making an ISL frame of 1548 bytes, what we call a 'giant' or 'jumbo' frame! Lastly, ISL uses Per VLAN Spanning Tree (PVST) which runs one instance of the Spanning Tree Protocol (STP) per VLAN. This method allows us to optimise the root switch placement for each available VLAN while supporting neat features such as VLAN load balancing between multiple trunks.

Since the ISL header fields are covered on a separate page, we won't provide further details here.

IEEE 802.1q

The 802.1q standard was created by the IEEE group to address the problem of breaking large networks into smaller, more manageable ones through the use of VLANs. The 802.1q standard is of course an alternative to Cisco's ISL, and one that all vendors implement on their network equipment to ensure compatibility and seamless integration with the existing network infrastructure. As with all 'open standards', the IEEE 802.1q tagging method is by far the most popular and commonly used, even in Cisco oriented network installations, mainly for compatibility with other equipment and future upgrades that might tend towards different vendors. In addition to the compatibility issue, there are several more reasons for which most engineers prefer this method of tagging. These include:

Support of up to 4096 VLANs
Insertion of a 4-byte VLAN tag with no encapsulation
Smaller final frame sizes when compared with ISL

Amazingly enough, the 802.1q tagging method supports a whopping 4096 VLANs (as opposed to the 1000 VLANs ISL supports), a large amount indeed, which is nearly impossible to deplete in your local area network. The 4-byte tag we mentioned is inserted within the existing Ethernet frame, right after the Source MAC Address, as illustrated in the diagram below:

Because of the extra 4-byte tag, the minimum Ethernet II frame size increases from 64 bytes to 68 bytes, while the maximum Ethernet II frame size now becomes 1522 bytes. If you require more information on the tag's fields, visit our protocol page where further details are given. As you may have already concluded yourself, the maximum Ethernet frame is considerably smaller in size (by 26 bytes) when using the IEEE 802.1q tagging method rather than ISL. This difference in size might also be interpreted by many to mean that the IEEE 802.1q tagging method is much faster than ISL, but this is not true. In fact, Cisco recommends you use ISL tagging when in a Cisco native environment, but as outlined earlier, most network engineers and administrators believe that the IEEE 802.1q approach is much safer, ensuring maximum compatibility. And because not everything in this world is perfect, no matter how good the 802.1q tagging protocol might seem, it does come with its restrictions:

In a Cisco powered network, the switch maintains one instance of the Spanning Tree Protocol (STP) per VLAN. This means that if you have 10 VLANs in your network, there will also be 10 instances of STP running amongst the switches. In the case of non-Cisco switches, only 1 instance of STP is maintained for all VLANs, which is certainly not something a network administrator would want.

It is imperative that the VLAN for an IEEE 802.1q trunk is the same for both ends of the trunk link, otherwise network loops are likely to occur.

Cisco always advises that disabling an STP instance on one 802.1q VLAN trunk without disabling it on the rest of the available VLANs is not a good idea, because network loops might be created. It's best to either disable or enable STP on all VLANs.
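As an added example (not code from the original page), the following Python inserts and strips the 4-byte 802.1q tag described above and checks the 68- and 1522-byte frame limits. The TPID value 0x8100 and the tag's internal layout (3-bit priority, 1-bit CFI, 12-bit VLAN ID) come from the IEEE standard rather than from this page, and all frame contents are constructed.

```python
"""Inserting and removing an IEEE 802.1Q tag in an Ethernet II frame.

Added example, not from the original page. The TPID 0x8100 and the tag's
internal layout (3-bit priority, 1-bit CFI, 12-bit VLAN ID) are the
standard's, not given in the text above; frame contents are constructed."""
import struct

TPID_8021Q = 0x8100          # marks the 4-byte tag that follows the source MAC
ETH_MIN, ETH_MAX = 64, 1518  # Ethernet II frame sizes (FCS included) quoted above
TAG_LEN = 4


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 14-byte header, payload, 4-byte FCS placeholder (not computed)."""
    return dst + src + struct.pack("!H", ethertype) + payload + bytes(4)


def tag_frame(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert the 802.1Q tag right after the 12 address bytes, as a trunk port would."""
    if not 0 <= vid < 4096:
        raise ValueError("the 12-bit VLAN ID allows 4096 values (0-4095)")
    if not 0 <= priority < 8:
        raise ValueError("priority is a 3-bit value")
    tci = (priority << 13) | vid          # CFI bit (bit 12) left clear
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def untag_frame(frame: bytes):
    """Strip the tag before the frame leaves an access link; returns (vid, priority, frame).

    An untagged frame is passed through with vid and priority set to None."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, None, frame
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def tagged_size_limits() -> tuple:
    """Minimum and maximum frame size once the tag is present: 68 and 1522 bytes."""
    return ETH_MIN + TAG_LEN, ETH_MAX + TAG_LEN
```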

LAN Emulation (LANE)

LAN Emulation was introduced to address the need to create VLANs over WAN links, allowing network managers to define workgroups based on logical function rather than physical location. With this new technology (so to speak - it's actually been around since 1995!), we are now able to create VLANs between remote offices, regardless of their location and distance. LANE is not very common and you will most probably never see it implemented in small to mid-sized networks; however, this is no reason to ignore it. Just keep in mind that we won't be looking at it in much depth, but briefly covering it so we can grasp the concept. LANE has been supported by Cisco since 1995 and Cisco's IOS release 11.0. When implemented between two point-to-point links, the WAN network becomes totally transparent to the end users:

Every LAN or native ATM host, like the switch or router shown in the diagram, connects to the ATM network via a special software interface called the 'LAN Emulation Client'. The LANE Client works with the LAN Emulation Server (LES) to handle all messages and packets flowing through the network, ensuring that the end clients are not aware of the WAN network infrastructure and therefore making it transparent. The LANE specification defines a LAN Emulation Configuration Server (LECS), a service running inside an ATM switch or on a physical server connected to the ATM switch, that resides within the ATM network and allows network administrators to control which LANs are combined to form VLANs. The LAN Emulation Server, with the help of the LANE Client, maps MAC addresses to ATM addresses, emulating Layer 2 protocols (DataLink layer) and transporting higher layer protocols such as TCP/IP and IPX/SPX without modification.

802.10 (FDDI)

Tagging VLAN frames on Fiber Distributed Data Interface (FDDI) networks is quite common in large scale networks. This implementation is usually found on Cisco's high-end switch models such as the Catalyst 5000 series, where special modules are installed inside the switches, connecting them to an FDDI backbone. This backbone interconnects all major network switches, providing a fully redundant network. The various modules available for the Cisco Catalyst switches allow the integration of Ethernet into the FDDI network. When installing the appropriate switch modules, and with the use of the 802.10 SAID field, a mapping between the Ethernet VLAN and the 802.10 network is created, and as such, all Ethernet VLANs are able to run over the FDDI network.

The diagram above shows two Catalyst switches connected to an FDDI backbone. The links between the switches and the backbone can either be Access type links (meaning one VLAN passes through them) or Trunk links (all VLANs are able to pass through them). At both ends, the switches have an Ethernet port belonging to VLAN 6, and to 'connect' these ports we map each switch's Ethernet module to its FDDI module. Lastly, the special FDDI modules mentioned above support both single VLANs (non-trunk) and multiple VLANs (trunk). To provide further detail, the diagram below shows the IEEE 802.10 frame, along with the SAID field in which the VLAN ID is inserted, allowing the frame to transit trunk links as described:

It's okay if you're impressed or seem confused by the structure of the above frame, that's normal :) You'll be surprised to find out that the Cisco switch in the previous diagram must process the Ethernet II frame and convert it before placing it on the IEEE 802.10 backbone or trunk. During this stage, the original Ethernet II frame is converted to an Ethernet SNAP frame and then finally to an IEEE 802.10 frame. This conversion is required to maintain compatibility and reliability between the two different topologies. The most important bit to remember here is the SAID field and its purpose.

Summary

This page introduced four popular VLAN tagging methods, providing you with the frame structure and general details of each tagging method. Out of all, the IEEE 802.1q and ISL tagging methods are the most popular, so make sure you understand them quite well. The next page provides further detail by analysing the two popular tagging methods mentioned above. While some readers might find the details unnecessary and time wasting, we feel that they are required if you want to build a rock solid network library in your head:)

Analysing The InterSwitch Link Protocol


Introduction

Deciding whether to use ISL or IEEE 802.1q to power your trunk links can be quite confusing if you cannot identify the advantages and disadvantages of each protocol within your network. This page will cover the ISL protocol in great detail, providing an insight into its secrets and capabilities, which you were probably unaware of. In turn, this will also help you understand the existence of certain limitations the protocol has, but most importantly allow you to decide if ISL is the tagging process you require within your network.

InterSwitch Link (ISL)

ISL is Cisco's proprietary tagging method and is supported only on Cisco's equipment through Fast & Gigabit Ethernet links. The size of an ISL frame can be expected to start from 94 bytes and increase up to 1548 bytes due to the overhead (additional fields) the protocol places within the frame it is tagging. These fields and their lengths are also shown in the diagram below:

We will be focusing on the two purple coloured 3D blocks, the ISL header and ISL Frame Check Sequence (FCS) respectively. The rest of the Ethernet frame shown is a standard Ethernet II frame as we know it. If you need more information, visit our Ethernet II page.

The ISL Header

The ISL header is a 26-byte field containing all the VLAN information required (as one would expect) to allow a frame to traverse a Trunk Link and find its way to its destination. Here is a closer look at the header and all the fields it contains:

You can see that the ISL header is made up of quite a few fields, perhaps more than you expected, but this shouldn't alarm you as only a handful of them are important. As usual, we start from the leftmost field and work our way to the far right of the header. First up, the DA field.

Destination Address (DA) Field

The 'DA' field is a 40-bit destination address field that contains a multicast address, set to "0x01-00-0C-00-00" or "0x03-00-0C-00-00". This address signals to the receiver that the frame is in ISL format.

Type Field

The 'Type' field is 4 bits long and identifies the encapsulated original frame. Depending on the frame type, the ISL 'Type' field can take one of 4 defined values, as outlined in the table below:

Type Value   Encapsulated Frame
0000         Ethernet
0001         Token Ring
0010         FDDI
0011         ATM

The 4 bits assigned to the 'Type' field allow a maximum of 2^4 = 16 different values. Since not all combinations are used, there is plenty of room for future encapsulations.

User Defined Field

The 'User' field occupies 4 bits and serves as an extension to the 'Type' field. It is mostly used when the original encapsulated frame is an Ethernet II frame, in which case two of its bits (the low-order bits shown in the table below) act as a priority mechanism, allowing switches along the path to give these frames preferential treatment over normal traffic. Currently, 4 different priorities are available, as shown in the table below:

User Field Value   Frame Priority
XX00               Normal Priority
XX01               Priority 1
XX10               Priority 2
XX11               Highest Priority

We should also note that the use of priorities is optional and not required.

Source Address (SA) Field

The 'SA' field is the source MAC address of the switch port transmitting the frame. This field is, as expected, 48 bits long. The receiving device can choose to ignore it. It is worth noting that while the Destination Address field at the beginning of the header contains a multicast MAC address, the Source Address field contains the unicast MAC address of the sending device, usually a switch.

Length Field

The 'Length' field is 16 bits long and contains the whole ISL frame's length minus the DA, Type, User, SA, LEN and FCS fields. If you add up the excluded fields you get 18 bytes, so a quick way to find this field's value is to take the total frame size and subtract 18 bytes :) Length fields help the receiving end identify where specific portions of the frame begin and end within the frame received.

AAAA03 (SNAP) Field

The SNAP field is a 24-bit field with the constant value "0xAAAA03".


High bits Source Address (HSA) Field

The 'HSA' field is a 24-bit value. It represents the upper three bytes of the SA field (the manufacturer's OUI portion) and must contain the value "0x00-00-0C", Cisco's OUI. Since the SA field is 48 bits or 6 bytes long, its upper 3 bytes translate to 24 bits, hence the length of the HSA field.

VLAN - Destination Virtual LAN ID Field

The 'VLAN' field holds the Virtual LAN ID of the frame. This is perhaps the most important field of all as our frame moves between trunk links, because it is what allows every trunk link to identify the VLAN the frame belongs to. The VLAN ID field is 15 bits long and is often referred to as the "color" of the frame. Only the lower 10 bits are actually used, giving ISL a maximum of 1024 VLANs. Without this field there would be no way of identifying which VLAN a frame transiting a trunk link belongs to.

Bridge Protocol Data Unit (BPDU) & Cisco Discovery Protocol (CDP) Indicator

The 'BPDU' field is only 1 bit long but very important, as it is set for all BPDU packets encapsulated in the ISL frame. For those unaware, BPDUs are used by the Spanning Tree Protocol (STP) to block redundant links and avoid network loops. This bit is also set for encapsulated CDP and VLAN Trunking Protocol (VTP) frames.

Index Field

The 'Index' field is a 16-bit value indicating the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only and may be set to any value by other devices.

RES Field - Reserved for Token Ring and Fiber Distributed Data Interface (FDDI)

The 'RES' field is a 16-bit value used when Token Ring or FDDI packets are encapsulated in an ISL frame. In the case of Token Ring frames, the Access Control (AC) and Frame Control (FC) fields are placed here, whereas in the case of FDDI the FC field is placed in the Least Significant Byte (LSB) of this field (so an FC of "0x12" gives a RES field of "0x0012"). For Ethernet packets, the RES field should be set to all zeros.


Frame Check Sequence (ISL FCS)

Coming to the end of the ISL protocol analysis, we meet the 'FCS' field, which consists of four bytes. The FCS contains a 32-bit CRC value, created by the sending MAC (switch) and recalculated by the receiving MAC (switch) to detect corrupt frames. In an Ethernet II frame, the FCS is generated over the Destination MAC, Source MAC, EtherType and Data fields, whereas the ISL FCS is calculated over the entire ISL frame (header and encapsulated frame, including that frame's own FCS) and appended to the end of it.

Summary

This page analysed all fields of the ISL header and FCS. The next page deals with the popular IEEE 802.1q, an alternative to Cisco's ISL tagging protocol. If you require, have a quick break to freshen up and when you return, click on the link below to be transported to the wonderful IEEE 802.1q world!
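As an added example (not from the original page or from Cisco), the following Python builds an ISL-encapsulated Ethernet II frame from the field layout described above and parses it back, checking the SNAP and HSA constants, the rule that LEN equals the total frame size minus 18, and the trailing ISL FCS. The sample frame and the switch MAC address are constructed for illustration; the minimal frame it produces is 94 bytes, matching the lower bound given earlier.

```python
"""Build and parse Cisco ISL-encapsulated Ethernet II frames.

Added example: field offsets follow the ISL header layout described on this
page (26-byte header, 4-byte trailing FCS). The sample frame built in
__main__ is constructed, not captured.
"""
import struct
import zlib

# Either multicast DA marks the frame as ISL.
ISL_DA_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
# DA(5) TYPE/USER(1) SA(6) LEN(2) SNAP(3) HSA(3) VLAN/BPDU(2) INDEX(2) RES(2)
ISL_HEADER_LEN = 26
ISL_TYPE_NAMES = {0: "Ethernet", 1: "Token Ring", 2: "FDDI", 3: "ATM"}


def fcs32(data: bytes) -> bytes:
    """Ethernet CRC-32 as it appears on the wire (least significant byte first)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def ethernet_ii(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with its own FCS; payload padded to the 46-byte minimum."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + fcs32(body)


def encapsulate_isl(inner: bytes, vlan_id: int, sa: bytes,
                    priority: int = 0, bpdu: bool = False) -> bytes:
    """Wrap a complete Ethernet frame in an ISL header and trailing ISL FCS."""
    if not 0 <= vlan_id < 2 ** 15:
        raise ValueError("ISL VLAN ID must fit in 15 bits")
    if sa[:3] != b"\x00\x00\x0c":
        raise ValueError("ISL requires the Cisco OUI 00-00-0C in the SA/HSA")
    total = ISL_HEADER_LEN + len(inner) + 4
    header = (ISL_DA_PREFIXES[0]
              + bytes([(0 << 4) | (priority & 0x3)])   # TYPE=Ethernet, USER priority bits
              + sa
              + struct.pack("!H", total - 18)          # LEN excludes DA, TYPE/USER, SA, LEN, FCS
              + b"\xaa\xaa\x03"                        # SNAP
              + sa[:3]                                 # HSA = upper 3 bytes of SA
              + struct.pack("!H", (vlan_id << 1) | int(bpdu))
              + struct.pack("!H", 0)                   # INDEX: diagnostic only
              + struct.pack("!H", 0))                  # RES: zero for Ethernet
    body = header + inner
    return body + fcs32(body)                          # ISL FCS covers the whole ISL frame


def parse_isl(frame: bytes) -> dict:
    """Validate an ISL frame and return its header fields plus the encapsulated frame."""
    if len(frame) < ISL_HEADER_LEN + 4:
        raise ValueError("frame too short for an ISL header and FCS")
    if frame[0:5] not in ISL_DA_PREFIXES:
        raise ValueError("not an ISL frame: DA %s" % frame[0:5].hex())
    typ, user = frame[5] >> 4, frame[5] & 0x0F
    sa = frame[6:12]
    length, = struct.unpack("!H", frame[12:14])
    snap, hsa = frame[14:17], frame[17:20]
    vlan_bpdu, index, res = struct.unpack("!HHH", frame[20:26])
    if snap != b"\xaa\xaa\x03":
        raise ValueError("bad SNAP field %s" % snap.hex())
    if hsa != b"\x00\x00\x0c" or hsa != sa[:3]:
        raise ValueError("HSA %s must be 00-00-0C and match the SA" % hsa.hex())
    if length != len(frame) - 18:
        raise ValueError("LEN %d does not equal frame size %d minus 18" % (length, len(frame)))
    if fcs32(frame[:-4]) != frame[-4:]:
        raise ValueError("ISL FCS mismatch")
    return {
        "type": ISL_TYPE_NAMES.get(typ, "unknown(%d)" % typ),
        "priority": user & 0x3,
        "sa": sa.hex(":"),
        "vlan_id": vlan_bpdu >> 1,     # upper 15 bits of the word
        "bpdu": bool(vlan_bpdu & 1),   # lowest bit
        "index": index,
        "res": res,
        "inner_frame": frame[ISL_HEADER_LEN:-4],
    }


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP frame from a host, tagged onto VLAN 10 by a switch.
    inner = ethernet_ii(bytes.fromhex("ffffffffffff"), bytes.fromhex("00000c000001"), 0x0806, b"\x00\x01")
    frame = encapsulate_isl(inner, vlan_id=10, sa=bytes.fromhex("00000c123456"), priority=2)
    print(len(frame), parse_isl(frame)["vlan_id"])
```

The parser rejects a frame whose LEN or FCS does not line up, which is exactly the check a receiving switch performs before trusting the VLAN ID it reads from the header.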

Analysing The IEEE 802.1q Link Protocol


Introduction

Our VLAN Tagging page briefly covered the IEEE 802.1q protocol and we continue its analysis here. As mentioned previously, the IEEE 802.1q tagging method is the most popular as it allows the seamless integration of VLAN-capable devices from all vendors that support the standard. So, without any more delay, let's get right into the protocol.

IEEE 802.1q Analysis

The IEEE 802.1q tagging mechanism is quite simple and efficient thanks to its 4-byte overhead, squeezed between the Source Address and Type/Length fields of our Ethernet II frame:


Inserting the 802.1q tag into an Ethernet II frame invalidates the original Frame Check Sequence (FCS) field, since we are altering the frame, so a new FCS must be calculated over the frame that now contains the IEEE 802.1q field. This is performed automatically by the switch right before it sends the frame down a trunk link. Our focus here is the pink 3D block, labelled as the IEEE 802.1q header.

The IEEE 802.1q Header

As noted, the 802.1q header is only 4 bytes or 32 bits in length, yet within this space is all the information required to identify the frame's VLAN and ensure it arrives at the correct destination. The diagram below analyses all fields contained in an 802.1q header:

The structure is quite simple as there are only 4 fields, compared with the 11 ISL has. We continue by analysing each of these fields to discover what the protocol is all about.

TPID - Tag Protocol IDentifier

The TPID field is 16 bits long with a value of 0x8100. It sits where the EtherType would be in an untagged frame and identifies the frame as an IEEE 802.1q tagged frame; the original EtherType follows the tag.

Note: The next three fields, Priority, CFI and VLAN ID, are collectively known as the TCI (Tag Control Information) field and are often represented as one single 16-bit field.


Priority

The Priority field is only 3 bits long but is used to prioritise the data this frame is carrying. Data prioritisation is a whole study in itself and we won't be analysing it here since it's well beyond the scope of our topic. For those interested, data prioritisation allows us to give special treatment to latency-sensitive services, such as Voice over IP (VoIP), over normal data: switches place frames carrying a higher priority in preferred queues so they cross the link ahead of lower-priority traffic. The IEEE 802.1p standard defined these priority levels and the IEEE 802.1q tag is what carries them. With 3 bits, the Priority field allows 2^3 = 8 different priorities for each frame, that is, level zero (0) to seven (7) inclusive.

CFI - Canonical Format Indicator

The CFI field is only 1 bit long. If set to '1', the MAC address is in non-canonical format; '0' means canonical format. For Ethernet switches this field is always set to zero (0). The CFI field exists mainly for compatibility between Ethernet and Token Ring networks. If a frame arrives at an Ethernet port with the CFI flag set to one (1), that frame should not be forwarded as received to any untagged port (access link port).

VLAN ID - Virtual Local Area Network Identifier

The VLAN ID field is perhaps the most important field of all, because it identifies which VLAN the frame belongs to, allowing the receiving switch to decide which ports the frame is allowed to exit, depending on the switch configuration. For those who recall our VLAN Tagging page, we mentioned that the IEEE 802.1q tagging method supports up to 4096 different VLAN IDs. This number derives from the 12-bit VLAN ID field we are analysing right now: 2^12 = 4096, which translates to VLAN 0 to VLAN 4095 inclusive. Two of these values are reserved: VLAN ID 0 means the tag carries only priority information and the frame belongs to no particular VLAN, and VLAN ID 4095 (0xFFF) is reserved by the standard, leaving 4094 usable VLANs.

Summary


That completes our analysis of the IEEE 802.1q protocol. As a last note, remember that this protocol is the most widespread tagging method used around the world and supports up to 4096 VLAN IDs (4094 of them usable)! Next up is the popular InterVLAN Routing topic, which is often a misunderstood and confusing subject, but we have managed to make it simple and clear. It's now time for a break - go get some fresh air and we'll see you back in a few moments for the rest of our cool VLAN topic!
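The tag insertion and FCS recalculation described above, as an added Python example that is not part of the original page: it inserts a tag after the Source Address, recomputes the CRC-32, walks the tag stack back out and, going beyond the text, flags frames carrying more than one tag (the 802.1q double-tagging pattern used for VLAN hopping) as well as the reserved VLAN IDs 0 and 4095. The native VLAN parameter and all sample frames are assumptions made for the example.

```python
"""Insert, parse and audit IEEE 802.1Q tags on Ethernet II frames.

Added example: the TPID/TCI layout is the one described on this page. The
double-tag check goes beyond the text, and every frame here is constructed.
"""
import struct
import zlib

TPID_8021Q = 0x8100


def fcs32(data: bytes) -> bytes:
    """Ethernet CRC-32 as transmitted (least significant byte first)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def ethernet_ii(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame with FCS; payload padded to the 46-byte minimum."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + fcs32(body)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the SA and recompute the FCS, as a switch does."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN IDs 0 and 4095 are reserved")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    tci = (priority << 13) | ((cfi & 1) << 12) | vlan_id     # PCP(3) CFI(1) VID(12)
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs32(body)                                # the old FCS is now invalid


def parse_tags(frame: bytes) -> dict:
    """Walk the tag stack (outermost first) and return tags, final EtherType and payload."""
    if len(frame) < 18 or fcs32(frame[:-4]) != frame[-4:]:
        raise ValueError("bad length or FCS")
    tags, offset = [], 12
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci, = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF})
        offset += 4
    ethertype, = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:-4]}


def audit_frame(frame: bytes, native_vlan: int = 1) -> list:
    """Flag tag patterns a port should not accept from an end host.

    native_vlan is an assumed parameter: a trunk sends the native VLAN untagged,
    so a frame carrying two tags whose outer VID equals the native VLAN is the
    classic double-tagging (VLAN hopping) pattern.
    """
    info = parse_tags(frame)
    findings = []
    if len(info["tags"]) > 1:
        findings.append("stacked 802.1Q tags: %s" % [t["vlan_id"] for t in info["tags"]])
        if info["tags"][0]["vlan_id"] == native_vlan:
            findings.append("outer tag is the native VLAN %d: double-tagging pattern" % native_vlan)
    for t in info["tags"]:
        if t["vlan_id"] in (0, 4095):
            findings.append("reserved VLAN ID %d" % t["vlan_id"])
        if t["cfi"]:
            findings.append("CFI set: frame must not be forwarded to untagged Ethernet ports")
    return findings


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame tagged for VLAN 10 with priority 5.
    plain = ethernet_ii(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800, b"\x45\x00")
    tagged = tag_frame(plain, 10, priority=5)
    print(parse_tags(tagged)["tags"], audit_frame(tag_frame(tagged, 1)))
```

Because the TPID occupies the EtherType position, an unaware receiver sees EtherType 0x8100 and discards the frame, which is why a tagged frame must never be sent down an access link.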

InterVLAN Routing
Introduction

Surely most of you network gurus would agree that the invention of VLANs is as good for networks as, if not better than, the invention of the mouse for computers! Being able to create new network segments using the existing backbone and without rewiring is, for most administrators, a dream come true. Add the ability to move users or departments between these networks with just a few keystrokes and you're in paradise. VLANs have certainly become popular and are very welcome in every administrator's or engineer's network. However, they also raised several issues which troubled many of us. One major issue concerns routing between existing and newly created VLANs.

The Need For Routing

Each network has its own needs, though whether it's a large or small network, internal routing, in most cases, is essential, if not critical. Segmenting your network by creating VLANs, thus reducing broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as file servers, print servers, domain controllers etc., serving your users non-stop. The issue here is how users from one VLAN (broadcast domain) can use services offered by another VLAN. Thankfully there's an answer to every problem and in this case it's VLAN routing:


The above diagram is a very simple but effective example to help you get the idea. Two VLANs consist of two servers and two workstations, of which one workstation has been placed along with the servers in VLAN 1, while the second workstation is placed in VLAN 2. In this scenario, both workstations require access to the file and print servers, which is a very simple task for the workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2. As you might have already guessed, we need to somehow route packets between the two VLANs, and the good news is that there is more than one way to achieve this, which is what we'll be covering on this page.

VLAN Routing Solutions

While the two Catalyst 2924 switches are connected via a trunk link, they are unable to route packets from one VLAN to another. If we wanted a switch to support routing, it would have to be a layer 3 switch with routing capabilities, a service offered by the popular Catalyst 3550 series and above. Since there are quite a few ways to enable communication between VLANs (InterVLAN Routing being the most popular), we will look at all the possible solutions. This follows our standard method of presenting every option, giving you an in-depth view of how VLAN routing can be set up even if you do not have a layer 3 switch.

Note: The term 'InterVLAN Routing' refers to a specific routing method which we cover as the last scenario; however, it is advisable to read through all the solutions to ensure you have a solid understanding of the VLAN routing topic.

VLAN Routing Solution No.1: Using A Router With 2 Ethernet Interfaces

A few years ago, this was one of the preferred and fastest methods to route packets between VLANs. The setup is quite simple and involves a Cisco router, e.g. a 2500 series, with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP address assigned to each interface. IP routing is of course enabled on the router and we also have the option of applying access lists where we need to restrict network access between our VLANs.

In addition, each host (servers and workstations) must either use the router interface connected to its network as its default gateway, or a route entry must be created to ensure it uses the router as the gateway to the other VLAN/network. This scenario is, however, expensive to implement because we require a dedicated router to route packets between our VLANs, and it is also limited from an expandability perspective. Where there are more than two VLANs, additional Ethernet interfaces will be required; basically, you need one Ethernet interface on your router for each VLAN. To finish this scenario: as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate for future growth.

VLAN Routing Solution No.2: Using A Router With One Ethernet (Trunk) Interface

This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created using the same type of encapsulation the switches use (ISL or 802.1q) and IP routing is enabled on the router side.


The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and, depending on your needs and available equipment, it might be just what you're looking for! Closing this scenario, the router needs to be configured with two virtual interfaces (subinterfaces), one for each VLAN, with the appropriate IP address assigned to each one so routing can be performed.

VLAN Routing Solution No.3: Using A Server With Two Network Cards

We would call this option a "classic solution". What we basically do is configure one of the servers to perform the routing between the two VLANs, reducing the overall cost as no dedicated equipment is required.

In order for the server to perform the routing, it requires two network cards, one for each VLAN, with the appropriate IP addresses assigned; we have therefore configured one with the IP address 192.168.1.1 and the other with 192.168.2.1. Once this phase is complete, all we need to do is enable IP routing (forwarding) on the server and we're done. Lastly, each workstation must use the server as its gateway, or a route entry should be created so it knows how to reach the other network. As you can see, there's nothing special about this configuration: it's simple, cheap and it gets the job done. Bear in mind that the server now sits in the path between the two VLANs, so any filtering between them has to be done on the server itself.

VLAN Routing Solution No.4: InterVLAN Routing

And at last... InterVLAN routing! This is without a doubt the best VLAN routing solution of all of the above. InterVLAN routing makes use of the latest technology in switches, ensuring a super fast, reliable and reasonably priced routing solution.

The Cisco Catalyst 3550 series switches used here are layer 3 switches with built-in routing capabilities, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large-scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924s in this case) via fast Gigabit or Fast Ethernet fibre links, ensuring a fast and reliable network backbone. We should also note that InterVLAN routing on the Catalyst 3550 has certain software requirements regarding the IOS image loaded on the switch, as outlined in the table below:

Image Type & Version                                    InterVLAN Routing Capability
Enhanced Multilayer Image (EMI), all versions           YES
Standard Multilayer Image (SMI) prior to 12.1(11)EA1    NO
Standard Multilayer Image (SMI) 12.1(11)EA1 and later   YES

If you happen to have a Catalyst 3550 at hand, you can issue 'show version' to reveal the IOS image and version and find out whether it supports IP routing. Returning to our example, our Catalyst 3550 will be configured with two virtual interfaces (one VLAN interface, or SVI, per VLAN) with the appropriate IP address assigned to each, ensuring there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'ip routing' command to enable the InterVLAN routing service!

The diagram above was designed to help you 'visualise' how switches and their interfaces are assigned to specific VLANs, making the InterVLAN routing service possible. The switch above has been configured with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them to communicate directly with all other interfaces assigned to the same VLAN, and with the other VLAN when the internal routing process is present and enabled.

Access Lists & InterVLAN Routing

Another common addition to the InterVLAN routing service is the application of access lists (packet filtering) on the routing switch, to restrict access to services or hosts as required. In modern implementations, central file servers and services are usually placed in their own isolated VLAN, protecting them from possible network attacks while controlling access to them. When you take into consideration that most trojans and worms perform an initial scan of the network before attacking, an administrator can smartly filter ICMP echo requests and other protocols used to detect a live host, avoiding detection by an attacker located on a different VLAN. Keep in mind that this only hides the servers from ping sweeps: an attacker can still discover them by probing whatever TCP or UDP ports the access list permits, so the list should permit only the services each VLAN genuinely needs and deny everything else. Remember, too, that an access list on the routing switch filters only traffic that is routed between VLANs; hosts within the same VLAN talk to each other at layer 2 and never pass through it.

Summary


InterVLAN routing is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and this is our aim here: to help you get that idea and extend it further by giving you alternative methods. The key element of the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP address on the InterVLAN-capable switch, which also dictates the IP network for that VLAN. All hosts participating in that VLAN must use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP routing service on the switch and you have the InterVLAN service activated.
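To make the routing-plus-access-list behaviour concrete, here is an added Python model (not Cisco code and not from the original page) of a layer 3 switch with one SVI per VLAN, an inbound access list on the VLAN 2 interface, and IOS-style first-match, implicit-deny evaluation. The addresses, ports and ACL entries are assumed for the page's two-VLAN scenario. It also demonstrates two caveats from the text: same-VLAN traffic never reaches the access list, and nothing is routed until 'ip routing' is enabled.

```python
"""Layer 3 switch forwarding between VLANs with an inbound SVI access list.

Added example, not a Cisco implementation. It models the page's scenario with
SVIs Vlan1 192.168.1.1/24 (servers) and Vlan2 192.168.2.1/24 (workstation),
an ACL applied inbound on Vlan2, and first-match / implicit-deny semantics.
All host addresses, ports and ACL entries are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" (any), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None      # tcp/udp destination port, None = any

    def matches(self, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.IPv4Address(src) not in self.src or ipaddress.IPv4Address(dst) not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


class L3Switch:
    def __init__(self):
        self.svis: Dict[int, ipaddress.IPv4Interface] = {}
        self.acls: Dict[int, List[AclEntry]] = {}
        self.ip_routing = False          # 'ip routing' not yet issued

    def add_svi(self, vlan: int, address: str) -> None:
        """interface VlanN / ip address ...: one IP subnet per VLAN."""
        self.svis[vlan] = ipaddress.ip_interface(address)

    def apply_acl(self, vlan: int, entries: List[AclEntry]) -> None:
        """ip access-group ... in: filter traffic entering the router via this SVI."""
        self.acls[vlan] = entries

    def vlan_of(self, address: str) -> Optional[int]:
        ip = ipaddress.IPv4Address(address)
        return next((v for v, svi in self.svis.items() if ip in svi.network), None)

    def forward(self, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
        src_vlan, dst_vlan = self.vlan_of(src), self.vlan_of(dst)
        if src_vlan is None or dst_vlan is None:
            return "dropped: no connected route"
        if src_vlan == dst_vlan:
            # Same VLAN: switched at layer 2, the SVI and its ACL are never consulted.
            return "switched within Vlan%d" % src_vlan
        if not self.ip_routing:
            return "dropped: ip routing is disabled"
        for entry in self.acls.get(src_vlan, []):     # first match wins
            if entry.matches(proto, src, dst, dst_port):
                if entry.action == "deny":
                    return "denied by ACL on Vlan%d" % src_vlan
                break
        else:
            if self.acls.get(src_vlan):               # ACL present but nothing matched
                return "denied by implicit deny on Vlan%d" % src_vlan
        return "routed Vlan%d -> Vlan%d" % (src_vlan, dst_vlan)


def build_lab() -> L3Switch:
    """The page's scenario: servers in VLAN 1, a workstation in VLAN 2 (addresses assumed)."""
    sw = L3Switch()
    sw.add_svi(1, "192.168.1.1/24")
    sw.add_svi(2, "192.168.2.1/24")
    net = ipaddress.ip_network
    sw.apply_acl(2, [
        AclEntry("deny", "icmp", net("192.168.2.0/24"), net("192.168.1.0/24")),        # hide servers from ping sweeps
        AclEntry("permit", "tcp", net("192.168.2.0/24"), net("192.168.1.10/32"), 445),  # file server only
        AclEntry("permit", "tcp", net("192.168.2.0/24"), net("192.168.1.11/32"), 9100), # print server only
    ])
    sw.ip_routing = True
    return sw


if __name__ == "__main__":
    lab = build_lab()
    for args in (("tcp", "192.168.2.20", "192.168.1.10", 445), ("icmp", "192.168.2.20", "192.168.1.10", None),
                 ("tcp", "192.168.2.20", "192.168.1.10", 3389), ("tcp", "192.168.1.10", "192.168.1.11", 9100)):
        print(args, "->", lab.forward(*args))
```

Note that the list is applied inbound on Vlan2 only, so traffic from the servers towards VLAN 2 enters via Vlan1 and is not filtered here; a real deployment pairs this with a matching list on the server-side SVI.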

Introduction To The VLAN Trunking Protocol - VTP


Introduction

The invention of VLANs was very much welcomed by engineers and administrators, allowing them to extend, redesign and segment their existing network with minimal cost, while at the same time making it more secure, faster and more reliable! If you're responsible for a network of up to 4-6 switches that include a few VLANs, then you'll surely agree that it's usually a low overhead to administer them and periodically make changes; most engineers can live with that :) Ask an engineer who's in charge of a medium to large-scale network and you will definitely not receive the same answer, simply because these small changes can quickly become a nightmare, and if you add the possibility of human error, the result could be network outages and downtime.

Welcome To VTP

VTP was designed with the network engineer and administrator in mind, reducing the administration overhead and the possibility of error described above in any switched network environment. When a new VLAN is created and configured on a switch without VTP enabled, it must be manually replicated to all switches on the network so they are all aware of the newly created VLAN. This means that the administrator must configure each switch separately, a task that requires a lot of time and adds a considerable amount of overhead depending on the size of the network. The configuration of a VLAN includes the VLAN number, name and a few more parameters which will be analysed further on. This information is then stored in each switch's NVRAM, and any VLAN changes made to any switch must again be replicated manually on all switches. If the idea of manually updating all switches within your network doesn't scare you because your network is small, then imagine updating more than 15-20 switches a few times per week so your network can respond to your organisation's needs... have we got you thinking now? :)


With VTP configured and operating, you can forget about running around making sure you have updated all switches, as you only need to make the changes on the nominated VTP server switch(es) on your network. VTP then ensures these changes are propagated to all other switches, regardless of where they are.

Introducing The VTP Modes

VTP is a fairly complex protocol, but easy to understand and implement once you get to know it. Currently, 3 different versions of the protocol exist: version 1, version 2 (which adds support for Token Ring networks) and version 3, with the first version being used in most networks. Regardless of version, it operates in 3 different modes, Server, Client and Transparent, giving us maximum flexibility over how changes in the network affect the rest of our switches. To keep things simple and avoid confusion, we will work with the first version of the protocol, VTP v1, which covers more than 90% of networks. Below you'll find the 3 modes in which VTP can operate on any switch throughout the network:

VTP Server mode
VTP Client mode
VTP Transparent mode

Each mode has been designed to cover specific network setups and needs, as we are about to see, but for now, we need to understand the purpose of each mode and the following network diagram will help us do exactly that.


A typical setup involves at least one switch configured as a VTP Server and multiple switches configured as VTP Clients. The logic behind this setup is that all information regarding VLANs is maintained on the VTP Server switch, from which all clients are updated. Any change in the VLAN database triggers an update from the VTP Server towards all VTP Clients so they can update their databases. Lastly, be aware that these VTP updates only traverse trunk links. This means you must ensure that all switches connect to the network backbone via trunk links, otherwise no VTP updates will reach them. Let's now take a closer look at what each VTP mode does and where it can be used.

VTP Server Mode

By default, all switches are configured as VTP Servers when first powered on. All VLAN information, such as VLAN number and VLAN name, is stored locally in a separate NVRAM area from the one where the 'startup-config' is stored. This happens only when the switch is in VTP Server mode. For small networks with a limited number of switches and VLANs, storing all VLAN information on every switch is usually not a problem, but as the network expands and the VLANs increase in number, it becomes one, and a decision must be made to select a few powerful switches as the VTP Servers while configuring all other switches in VTP Client mode.


The diagram above shows a Cisco Catalyst 3550 selected to take the role of the network's VTP Server since it is the most powerful switch. All other Catalyst switches have been configured as VTP Clients, obtaining all VLAN information and updates from the 3550 VTP Server. The method and frequency of these updates are covered in detail on the pages that follow, so we won't go into any more detail at this point. However, for those who noticed, there is a new concept in the above diagram that we haven't spoken about: the VTP Domain.

The VTP Domain - VLAN Management Domain

The VTP Domain, also known as the VLAN Management Domain, is a VTP parameter configured on every switch connected to the network and used to define which switches participate in any changes or updates made within the specified VTP domain. Naturally, the core switch (VTP Server) and all other switches participate in the same domain, e.g. a domain named "firewall", so when the VTP Server advertises new VLAN information for the "firewall" domain, only clients (switches) configured with the same VTP Domain parameter will accept and process these changes; the rest will simply ignore them. Lastly, some people tend to relate the VTP Domain to the Internet domain name space; this is completely incorrect. Even though the acronym 'DNS' contains the word 'Domain', it is not related in any way to the VTP Domain. Here (in VTP land), the word 'Domain' simply describes a logical area in which certain hosts (switches) participate and are affected by any changes made within it.


We should also note that all Cisco switches default to VTP Server mode but will not transmit any VLAN information to the network until a VTP Domain is set on the switch. At this point we are only referencing the VTP Domain concept, as it is analysed in greater depth further on, so let's continue with the VTP modes!

VTP Client Mode

In Client mode, a switch accepts and stores in its RAM all VLAN information received from the VTP Server; this information is also saved in NVRAM, so if the switch is powered off it won't lose its VLAN information. A VTP Client behaves like a VTP Server, but you are unable to create, modify or delete VLANs on it. In most networks the clients connect directly to the VTP Server, as shown in our previous diagram. If, for any reason, two clients are cascaded together, then the information will propagate downwards via the available trunk links, ensuring it reaches all switches:

The diagram shows a Catalyst 3550 switch configured as a VTP Server and 4 Catalyst 2950 switches configured as VTP Clients and cascaded below our 3550. When the VTP Server sends a VTP update, it travels through all trunk links (ISL, 802.1q, 802.10 and ATM LANE), as shown in the diagram. The advertised information first reaches the two Catalyst 2950 switches directly connected to the 3550 and then travels over the trunk links to the cascaded switches below. If the link between the cascaded 2950s were not a trunk link but an access link, then the second set of switches would not receive any VTP updates:


As you can see, the VTP updates happily arrive at the first Catalyst switches but stop there, as there are no trunk links between them and the 2950s below them. It is very important to keep this in mind when designing a network or making changes to an existing one.

VTP Transparent Mode

The VTP Transparent mode is something between a VTP Server and a VTP Client, but does not participate in the VTP domain. In Transparent mode, you are able to create, modify and delete VLANs on the local switch without affecting any other switches, regardless of the mode they might be in. Most importantly, if a transparently configured switch receives an advertisement containing VLAN information, it ignores the contents but at the same time forwards it out of its trunk ports to any other switches it might be connected to.

NOTE: A Transparent VTP switch acts as a VTP relay (forwarding all VTP advertisements it receives out of its trunk ports) regardless of domain name only when VTP version 2 is used in the network. With VTP version 1, a transparent switch inspects the domain name and version of each received advertisement and forwards it only if they match its own; otherwise the advertisement is dropped.

Lastly, all switches configured to operate in Transparent mode save their configuration in NVRAM (just like the previous two modes) but do not advertise any VLAN information of their own, even though they will happily forward any VTP information received from the rest of the network. This functionality allows transparently configured switches to be placed anywhere within the network without implications for the rest of the network because, as mentioned, they act as a repeater for any VLAN information received:


Our Catalyst 3550 here is configured as a VTP Server for the domain called "Firewall". In addition, we have two switches configured in VTP Client mode, obtaining their VLAN information from the 3550 VTP Server, but between these two VTP Clients we have placed another switch configured to run in VTP Transparent mode. Our Transparent switch has been configured with the domain called "Lab", and as such the switch forwards all incoming VTP updates belonging to the "Firewall" domain out of its other trunk link without processing the information (this requires VTP version 2, as noted above). At the same time, it won't advertise its own VLAN information to its neighbouring switches. Closing, the VTP Transparent mode is not often used in live networks, but is well worth mentioning and learning about.

Summary

This page introduced a few new and very important concepts. VTP is considered the heart of VLANs in large-scale networks, as it makes administration easy and transparent for every switch on your network. We briefly spoke about the three different modes offered by VTP: Server, Client and Transparent. To provide a quick summary, the table below shows the main characteristics of each mode:
VTP Mode          Description

VTP Server        The default mode for all switches supporting VTP. You can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronise their VLAN configurations with other switches based on advertisements received over trunk links. VLAN configurations are saved in NVRAM.

VTP Client        Behaves like a VTP server, but you cannot create, change, or delete VLANs on a VTP client. VLAN configurations are saved in NVRAM.

VTP Transparent   Does not advertise its VLAN configuration and does not synchronise its VLAN configuration based on received advertisements. However, it forwards VTP advertisements as they are received from other switches. You can create, modify, and delete VLANs on a switch in VTP transparent mode. VLAN configurations are saved in NVRAM but are not advertised to other switches.

All switches are configured by default as VTP Servers without a domain. At this point we need to select the 'core' switch (usually the most powerful) and configure it as a VTP Server, while reconfiguring all the rest to Client mode. Also, VTP updates sent by the Server only propagate through trunk links configured for ISL, IEEE 802.1q, 802.10 or LANE encapsulation.

NOTE: You should be aware that all VTP messages are sent through what we call the "Management VLAN". This is usually the first VLAN in the network, VLAN 1, and it should be reserved for the switches themselves. Keep in mind that on a Cisco switch every port belongs to VLAN 1 by default, so user ports must be explicitly moved to their own VLANs; a management VLAN only protects the switches' own traffic if no user or untrusted device shares it. Having a dedicated management VLAN ensures all switches have their own network to communicate over without disruption.

The next page analyses the VTP protocol structure, messages and updates. This provides a deep understanding of how VTP works and what information its messages contain. For those keen on configuring a switch for VTP, it's covered towards the end of the VLAN topic, as shown on the VLAN Introduction page.

In-Depth Analysis Of VTP

Introduction

The previous page introduced the VTP protocol and we saw how it can be used within a network to help manage your VLANs and ease the administrative overhead, providing a stress-free VLAN environment by automatically updating all the network switches with the latest VLAN information. This page extends on the above by delving into the VTP protocol itself and analysing its structure and format in order to gain a better understanding and enhance those troubleshooting skills.

The VTP Protocol Structure

We've mentioned that the VTP protocol runs only over trunk links interconnecting switches in the network. Whether you're using ISL or IEEE 802.1q as your encapsulation protocol, it really doesn't matter as the VTP structure in both cases remains the same.


Following are the fields which make up the VTP protocol header:

- VTP Protocol Version (1 or 2)
- VTP Message Type (see below)
- Management Domain Length
- Management Domain Name

What we need to note here is that because there are a variety of "VTP Message Types", the VTP Header changes depending on these messages, but the fields we just mentioned above are always included. To be more specific, here are the different messages currently supported by the VTP protocol:

- Summary Advertisements
- Subset Advertisements
- Advertisement Requests
- VTP Join Messages

It is obvious that all switches use these different messages to request information or advertise the VLANs they are aware of. These messages are extremely important to understand as they are the foundations of the VTP protocol. We'll take each message and analyse them individually, explaining their purpose and usage, but before we proceed, let's take a quick visual look at the messages and their types to help make all the above clearer:

First up is the 'Summary Advertisements'.

VTP Protocol - Summary Advertisement Message

The 'Summary Advertisement' message is issued by all VTP Domain Servers in 5 minute intervals, or every 300 seconds. These advertisements inform nearby Catalyst switches with a variety of information, including the VTP Domain name, configuration revision number, timestamp, MD5 hash code, and the number of subset advertisements to follow.

The configuration revision number is a value each switch stores to help it identify new changes made in the VTP domain. For those experienced with DNS, it's pretty much the same as the DNS serial number. Each time a VTP Server's configuration is changed, the configuration revision number will automatically increment by one.

When a switch receives a summary advertisement message, it will first compare the VTP domain name (Mgmt Domain Name field) with its own. If the Domain Name is found to be different, it will discard the message and forward it out its trunk links. However, in the likely case that the domain name is found to be the same, it will then check the configuration revision number (Config Revision No.) and if found to be the same or lower than its own, it will ignore the advertisement. If, on the other hand, it is found to be greater, an advertisement request is sent out.

The Updater Identity field contains the IP Address of the switch that last incremented the Configuration Revision Number, while the Update Timestamp field gives the time the last update took place. The MD5 (Message Digest 5) field contains an MD5 digest computed using the VTP password, in the case where one is configured, and is used to validate the VTP Update. Lastly, summary advertisements are usually followed by Subset Advertisements; this is indicated by the Followers field and is the next message we'll be closely examining.

VTP Protocol - Subset Advertisement

As mentioned in the previous message, when VLAN changes are made on the Catalyst VTP Server, it will then issue a Summary Advertisement, followed by a Subset Advertisement. Depending on how many VLANs are configured in the domain, there might be more than one Subset Advertisement sent to ensure all VLAN information is updated on the VTP Clients.
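The decision sequence just described (domain name check, MD5 validation, revision comparison) is small enough to model directly. The following is an added example, not code from the original page or from Cisco; the `SummaryAdvertisement` and `VtpSwitch` names, the sample domain, IP address, timestamp and password are all constructed, and `vtp_digest` is a simplified stand-in for the MD5 field (the real digest covers more of the frame). Two points worth seeing in code: the password itself never travels on the trunk, only a digest a receiver can recompute if it holds the same password, and step 4 accepts any higher revision from the same domain that passes the digest check, which is why the VTP password discussed later on this page is the control that matters.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


# Constructed model of the Summary Advertisement fields described above.
@dataclass(frozen=True)
class SummaryAdvertisement:
    domain: str            # Mgmt Domain Name
    revision: int          # Config Revision No.
    updater_identity: str  # IP address of the switch that last bumped the revision
    update_timestamp: str  # time of the last update
    followers: int         # number of Subset Advertisements that follow
    md5: bytes             # 16-byte MD5 field


def vtp_digest(password: Optional[str], domain: str, revision: int) -> bytes:
    """Simplified stand-in for the MD5 field (assumption: the real digest covers
    more of the frame). The password never travels on the wire; only a digest
    that a receiver can recompute if, and only if, it knows the same password."""
    secret = (password or "").encode("ascii")
    return hashlib.md5(secret + domain.encode("ascii")
                       + revision.to_bytes(4, "big")).digest()


def make_summary(password: Optional[str], domain: str, revision: int,
                 updater: str = "10.0.0.1", followers: int = 1) -> SummaryAdvertisement:
    """Build an advertisement as a server holding `password` would send it
    (constructed sample values for the updater IP and timestamp)."""
    return SummaryAdvertisement(domain, revision, updater, "060119123456",
                                followers, vtp_digest(password, domain, revision))


@dataclass
class VtpSwitch:
    domain: str
    revision: int
    password: Optional[str] = None

    def handle_summary(self, adv: SummaryAdvertisement) -> str:
        """Return the action the page describes for a received Summary Advertisement."""
        # 1. Foreign domain: not processed, only forwarded out the other trunks.
        if adv.domain != self.domain:
            return "forward-only"
        # 2. MD5 validation: a digest made with a different (or no) password never matches.
        if adv.md5 != vtp_digest(self.password, adv.domain, adv.revision):
            return "reject-bad-md5"
        # 3. Same or lower revision carries nothing new.
        if adv.revision <= self.revision:
            return "ignore"
        # 4. Higher revision: ask for the Subset Advertisements and adopt them.
        return "send-advertisement-request"


if __name__ == "__main__":
    client = VtpSwitch(domain="CORP", revision=5, password="s3cret")
    for adv in (make_summary("s3cret", "CORP", 7),
                make_summary("s3cret", "CORP", 5),
                make_summary("wrong", "CORP", 9),
                make_summary("s3cret", "LAB", 9)):
        print(adv.domain, adv.revision, "->", client.handle_summary(adv))
```

Note that with no password configured on either side (`password=None`), the digests still match, so an unsecured domain adopts any higher revision it hears; the MD5 field validates an update, it does not hide the VLAN data, which is carried in clear text on the trunk.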


Comparing the fields of this message with the previous one, you'll notice most of them are identical, except for the Sequence No. and VLAN Info fields. The Code field for a Subset Advertisement of this type is set to 0x02 while the Sequence No. field contains the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1 and increments based on the number of packets in the stream. Apart from these fields, we also have the VLAN Info Field, which happens to be the most important as it contains all the VLAN information the switches are waiting for. The VLAN Info Field will be presented in segments. Its complexity and importance require us to break it up further and analyse the subfields it contains:

Each VLAN Info Field contains all the information required for one VLAN. This means that if our network is powered with 10 VLANs and a Subset Advertisement is triggered, the VTP Server will send a total of 10 Subset Advertisements since each VLAN Info Field contains data for one VLAN. The most important subfields in the VLAN Info Field are the VLAN Name Length, ISL VLAN ID, MTU Size and VLAN Name. These subfields contain critical information about the VLAN advertised in the particular Subset Advertisement frame. Some might be surprised to see settings such as MTUs being configurable in VLANs, and this confirms that each VLAN is treated as a separate network, where even different MTU sizes are possible amongst your network's VLANs.

Advertisement Requests

Turning a switch off will result in losing all its VTP information stored in its memory (RAM). When the switch is next turned on, all its database information is reset and therefore needs to be updated with the latest version available from the VTP Server(s). A switch will also send an Advertisement Request when it hears a VTP summary advertisement with a higher revision number than what it currently has. Another scenario where a request would be issued is when the VTP domain membership has changed, even though this is quite uncommon since the VTP domain name is rarely, if ever, changed after its initial configuration.

So what happens when an Advertisement Request hits the streets of your network? As you would already be aware from the message types we have just covered, the VTP Server will respond with a Summary Advertisement, followed by as many Subset Advertisements as required to inform the VTP Clients about the currently configured VLANs. The diagram below shows the structure of an Advertisement Request sent by a VTP Client switch:

Most fields, as you can see, are similar to the previous messages we've seen, except two: the Reserved and Starting Advertisement To Request fields. The Reserved field is exactly what it implies - reserved and not used in the Advertisement Request messages, while the Starting Advertisement To Request is the actual request sent by the VTP Client.

VTP Join Messages

VTP Join Messages are similar to the Advertisement Request messages but with a different Message Type field value and a few more parameters. As indicated by the message name, a VTP Join Message is sent when the VTP Client first joins a VTP domain, informing the VTP Server(s) about the new guy in 'town' :)

Other VTP Options - VTP Password

The VTP Password is a feature that all security conscious Administrators/Engineers will welcome. With the password feature, you are able to secure your VTP Domain since only switches configured with the correct password are able to properly validate the VTP messages advertised in the management VLAN. By default the VTP Password option is not turned on and therefore most management VLANs are set to use non-secure advertisements. Once enabled on the VTP Domain Server(s), all switches participating in the domain must be manually configured with the same password, otherwise they will fail to validate incoming VTP messages.

Summary

This page analysed the structure of each message the VTP protocol currently supports to maintain the network's switches in synchronisation with the VTP domain server(s):

- Summary Advertisements
- Subset Advertisements
- Advertisement Requests
- VTP Join Messages
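To tie the message structures above together, here is an added example (not code from the original page or from Cisco) that builds and dissects the three message types whose fields the page walks through: the Summary Advertisement (Followers, Config Revision No., Updater Identity, Update Timestamp, MD5), the Subset Advertisement (Sequence No. plus VLAN Info Fields with VLAN Name Length, ISL VLAN ID, MTU Size and VLAN Name) and the Advertisement Request (Reserved, Starting Advertisement To Request). The byte offsets follow the standard VTP v1/v2 encoding as commonly dissected, and the Status, VLAN Type and 802.10 index subfields of the VLAN Info Field are standard fields the page does not list; verify the layout against your own trunk capture before relying on it. The parser loops over however many VLAN Info Fields follow the header, so it also handles a frame that packs several VLANs. The domain name, VLAN names and other values are constructed samples.

```python
import struct
from typing import Any, Dict, List, Tuple

# Message Type codes carried in the Code field. 0x02 is quoted on the page for the
# Subset Advertisement; the other values are the standard VTP ones.
SUMMARY, SUBSET, REQUEST, JOIN = 0x01, 0x02, 0x03, 0x04

# Common 36-byte header: Version, Code, a message-specific byte (Followers,
# Sequence No. or Reserved), Mgmt Domain Length and the 32-byte Mgmt Domain Name.
HEADER = struct.Struct("!BBBB32s")
SUMMARY_BODY = struct.Struct("!I4s12s16s")   # revision, updater IP, timestamp, MD5
VLAN_INFO_FIXED = struct.Struct("!BBBBHHI")  # len, status, type, name len, ISL ID, MTU, 802.10 index


def build_header(code: int, third_byte: int, domain: str, version: int = 2) -> bytes:
    name = domain.encode("ascii")
    return HEADER.pack(version, code, third_byte, len(name), name.ljust(32, b"\0"))


def build_summary(domain: str, revision: int, updater_ip: str,
                  timestamp: str, followers: int, md5: bytes) -> bytes:
    ip = bytes(int(octet) for octet in updater_ip.split("."))
    return (build_header(SUMMARY, followers, domain)
            + SUMMARY_BODY.pack(revision, ip, timestamp.encode("ascii"), md5))


def build_vlan_info(vlan_id: int, name: str, mtu: int = 1500,
                    status: int = 0, vlan_type: int = 1) -> bytes:
    """One VLAN Info Field; the name is padded to a 4-byte boundary and the
    leading length byte covers the whole field so a parser can skip to the next."""
    raw = name.encode("ascii")
    padded = raw + b"\0" * (-len(raw) % 4)
    return VLAN_INFO_FIXED.pack(VLAN_INFO_FIXED.size + len(padded), status, vlan_type,
                                len(raw), vlan_id, mtu, 100000 + vlan_id) + padded


def build_subset(domain: str, revision: int, sequence: int, infos: List[bytes]) -> bytes:
    return build_header(SUBSET, sequence, domain) + struct.pack("!I", revision) + b"".join(infos)


def build_request(domain: str, start_value: int) -> bytes:
    return build_header(REQUEST, 0, domain) + struct.pack("!H", start_value)


def parse_vlan_info(buf: bytes, off: int) -> Tuple[Dict[str, Any], int]:
    length, status, vlan_type, name_len, vlan_id, mtu, said = VLAN_INFO_FIXED.unpack_from(buf, off)
    name_start = off + VLAN_INFO_FIXED.size
    name = buf[name_start:name_start + name_len].decode("ascii")
    return ({"vlan_id": vlan_id, "name": name, "name_len": name_len, "mtu": mtu,
             "status": status, "type": vlan_type, "said": said}, off + length)


def parse_vtp(frame: bytes) -> Dict[str, Any]:
    """Dissect a VTP message into its fields, keyed by the names used on this page."""
    version, code, third, dom_len, dom_raw = HEADER.unpack_from(frame, 0)
    msg: Dict[str, Any] = {"version": version, "code": code,
                           "domain": dom_raw[:dom_len].decode("ascii")}
    body = HEADER.size
    if code == SUMMARY:
        revision, ip, ts, md5 = SUMMARY_BODY.unpack_from(frame, body)
        msg.update(followers=third, revision=revision,
                   updater_identity=".".join(str(b) for b in ip),
                   update_timestamp=ts.decode("ascii"), md5=md5.hex())
    elif code == SUBSET:
        (revision,) = struct.unpack_from("!I", frame, body)
        vlans, off = [], body + 4
        while off < len(frame):               # one or more VLAN Info Fields
            info, off = parse_vlan_info(frame, off)
            vlans.append(info)
        msg.update(sequence=third, revision=revision, vlans=vlans)
    elif code == REQUEST:
        (start,) = struct.unpack_from("!H", frame, body)
        msg.update(reserved=third, start_value=start)
    else:
        raise ValueError(f"unhandled VTP message type {code:#04x}")
    return msg


if __name__ == "__main__":
    # Constructed sample exchange: a summary with two followers, then a subset frame.
    print(parse_vtp(build_summary("CORP", 7, "10.0.0.1", "060119123456", 2, bytes(16))))
    print(parse_vtp(build_subset("CORP", 7, 1, [build_vlan_info(2, "engineering"),
                                                 build_vlan_info(10, "voice", mtu=1400)])))
    print(parse_vtp(build_request("CORP", 1)))
```

The length byte at the front of each VLAN Info Field is what lets a receiver step from one VLAN to the next without knowing the name length in advance; a dissector that trusts it blindly will walk off the end of a truncated frame, which is why `parse_vlan_info` slices rather than indexes and the loop is bounded by `len(frame)`.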

We're sure you would agree that VLANs are in fact a whole study case alone, but surely at the same time it's quite exciting as new concepts and methods of ensuring stability, speed and reliability are revealed. This completes our in-depth discussion on the VTP Protocol messages. Next up is VTP Pruning, a nice service that ensures our network backbone is not constantly flooded with unnecessary traffic. We are sure you'll enjoy the page, along with the awesome diagrams we have prepared.

VTP Pruning
Introduction

As you would be aware, a switched network creates one broadcast domain, similar to that of a VLAN powered network where all nodes belonging to the same VLAN are part of the same broadcast domain, receiving all broadcasts sent on their network.

The Broadcast And Unicast Problem In VLAN Networks

What we are about to see is how these broadcasts can actually create problems by flooding the VLAN network with unnecessary traffic, and depending on your network setup, this can prove to be a huge problem. The reason for this is that the trunk links interconnecting your network switches will carry these broadcasts to every switch in the network, regardless of which VLAN the broadcast is intended for.


As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (first switch on the left) generates a network broadcast. Naturally, the switch will forward the broadcast out all ports assigned to the same VLAN it was received from, that is, VLAN 2. In addition, the Catalyst switch will forward the broadcast out its trunk link, so it may reach all ports in the network assigned to VLAN 2. The Root switch receives the broadcast through one of its trunks and immediately forwards it out the other two towards Switch 2 & 3. Switch 2 is delighted to receive the broadcast as it does in fact have one port assigned to VLAN 2. Switch 3 however, is a different case - it has no ports assigned to VLAN 2 and therefore will drop the broadcast packet it receives.

In this example, the bandwidth usage was inefficient because one broadcast packet was sent over all possible trunk links, and was then dropped by Switch 3. You might ask yourself 'So what's the big deal?'. The problem here is small and can easily be ignored... but consider a network of fifteen or more 12 port switches (this translates to at least 210 nodes) and you can start to appreciate how serious the problem can get. To make things worse (and more realistic), consider you're using 24 port switches, then you're all of a sudden talking about more than 300 nodes! To further help you understand how serious the problem gets, take a look at our example network below:


Here you see a medium sized network powered by Cisco Catalyst switches. The two main switches up the top are the VTP servers and also perform Layer 3 switching by routing packets between the VLANs we've created. Right below them you'll find our Catalyst 2950 switches, which are connected to the core switches via redundant fiber trunk links. Directly below our 2950s are our Catalyst 2948 switches that connect all workstations to the network. A workstation connected to a port assigned to VLAN 2 decided to send a network broadcast looking for a specific network resource. While the workstation is totally unaware of our network design and complexity, its broadcast is the reason all our trunks will flood with unwanted traffic, consuming valuable bandwidth! Take a look at what happens:


We don't think describing the above is actually required as the diagram shows all the information we need, and we're confident you will agree that we are dealing with a big problem :) So how do we fix this mess? Keep reading, as you're about to learn.

The Solution: Enabling VTP Pruning

VTP Pruning, as you might have already guessed, solves the above problem by reducing the unnecessary flooded traffic described previously. This is done by forwarding broadcasts and unknown unicast frames on a VLAN over trunk links only if the receiving end of the trunk has ports in that VLAN.


Looking at the above diagram you will notice that the Root Catalyst 3550 Switch receives a broadcast from Switch 1, but only forwards it out one of its trunks. The Root Switch knows that the broadcast belongs to VLAN 2 and furthermore it's aware no port is assigned to VLAN 2 on Switch 3, therefore it won't forward it out the trunk that leads to that switch.

Support For VTP Pruning

The VTP Pruning service is supported by both VTP 1 and VTP 2 versions of the VTP protocol. With VTP 1, VTP pruning is possible with the use of additional VTP message types. When a Cisco Catalyst switch has ports associated with a VLAN, it will send an advertisement to its neighboring switches informing them about the ports it has active on that VLAN. This information is then stored by the neighbors and used to decide if flooded traffic from a VLAN should be forwarded to the switch via the trunk port or not.

Note: VTP Pruning is disabled by default on all Cisco Catalyst switches and can be enabled by issuing the "set vtp pruning enable" command. If this command is issued on the VTP Server(s) of your network, then pruning is enabled for the entire management domain.

VTP Pruning configuration and commands are covered in section 11.4 as outlined in the VLAN Introduction page, however, we should inform you that you can actually enable pruning for specific VLANs in your network. When you enable VTP Pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs, but you must first clear all VLANs from the list using the "clear vtp prune-eligible vlan-range" command and then set the VLAN range you wish to add to the prune eligible list by issuing the following command: "set vtp prune-eligible vlan-range", where the 'vlan-range' is the actual inclusive range of VLANs e.g. '2-20'. By default, VLANs 2-1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as a management VLAN and is never eligible for pruning, while VLANs 1001-1005 are also never eligible for pruning. If the VLANs are configured as pruning-ineligible, the flooding continues as illustrated in our examples.

Summary

VTP Pruning can in fact be an administrator's best friend in any Cisco powered network, increasing available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. At this point, we have also come to the end of the first part of our VLAN presentation. As we are still working on the second and final part of the VLAN topic, we hope these pages will keep you going until it is complete.
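The pruning rule and the eligibility list described above can be checked against the page's own Root / Switch 1 / Switch 2 / Switch 3 example. The following is an added model, not code from the original page or from Cisco: the switch names, their VLAN port assignments and the trunk layout are constructed to match the diagrams (Switch 1 and Switch 2 have VLAN 2 ports, Switch 3 does not), `needed_vlans` stands in for the per-VLAN advertisements a neighbour sends, and `flood_trunks` returns the trunks a flooded frame is forwarded over with and without pruning. It goes slightly beyond the page's single scenario by propagating a neighbour's needs through intermediate switches and by taking a custom prune-eligible range, which is what `clear vtp prune-eligible` followed by `set vtp prune-eligible 2-20` produces; the topology is assumed loop-free.

```python
from typing import Dict, List, Optional, Set

# Constructed topology matching the page's pruning example: Switch 1 and Switch 2
# have access ports in VLAN 2, Switch 3 does not, and the Root switch only has trunks.
ACTIVE_VLANS: Dict[str, Set[int]] = {
    "Root": {1},
    "Switch1": {1, 2},
    "Switch2": {1, 2, 3},
    "Switch3": {1, 3},
}
TRUNKS: Dict[str, List[str]] = {
    "Root": ["Switch1", "Switch2", "Switch3"],
    "Switch1": ["Root"],
    "Switch2": ["Root"],
    "Switch3": ["Root"],
}

# Eligibility as stated on the page: 2-1000 by default; VLAN 1 and 1001-1005 never.
DEFAULT_PRUNE_ELIGIBLE: Set[int] = set(range(2, 1001))
NEVER_PRUNE_ELIGIBLE: Set[int] = {1} | set(range(1001, 1006))


def prune_eligible(vlan: int, eligible: Set[int] = DEFAULT_PRUNE_ELIGIBLE) -> bool:
    """A VLAN is pruned only if it is on the eligible list and not a reserved one."""
    return vlan in eligible and vlan not in NEVER_PRUNE_ELIGIBLE


def needed_vlans(switch: str, toward: str) -> Set[int]:
    """VLANs `switch` advertises to its neighbour `toward` as needed: its own
    active VLANs plus what its other neighbours need through it. Assumes the
    trunk topology is loop-free (spanning tree has done its job)."""
    needed = set(ACTIVE_VLANS[switch])
    for nbr in TRUNKS[switch]:
        if nbr != toward:
            needed |= needed_vlans(nbr, switch)
    return needed


def flood_trunks(switch: str, vlan: int, arrived_from: Optional[str] = None,
                 pruning: bool = False,
                 eligible: Set[int] = DEFAULT_PRUNE_ELIGIBLE) -> List[str]:
    """Trunk neighbours that receive a broadcast/unknown-unicast frame in `vlan`.
    Without pruning every trunk except the ingress one is used; with pruning a
    prune-eligible VLAN is only forwarded where the far end has asked for it."""
    out: List[str] = []
    for nbr in TRUNKS[switch]:
        if nbr == arrived_from:
            continue
        if pruning and prune_eligible(vlan, eligible) and vlan not in needed_vlans(nbr, switch):
            continue
        out.append(nbr)
    return out


if __name__ == "__main__":
    # Broadcast from the VLAN 2 host on Switch 1, as seen at the Root switch.
    for vlan in (2, 1, 1002):
        print(f"VLAN {vlan}: no pruning ->", flood_trunks("Root", vlan, "Switch1"),
              "| pruning ->", flood_trunks("Root", vlan, "Switch1", pruning=True))
```

The two reserved sets are the part to keep in mind operationally: VLAN 1 and 1001-1005 are flooded everywhere regardless of the pruning setting, so carrying management traffic on VLAN 1 means that traffic always reaches every trunk.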
