
Data Networks and Protocols

CO-2
Network layer and Internetworking
• Internetworking Devices: Preamble to Network Layer,
Distinguishing of Networking Devices and
Internetworking Devices, Analysis of Router
Processing: Access, core and distribution. VLANs,
Ethernet
• Internetworking Technologies: Wired Router, Wireless
Router, Gateway, CSU/DSU; Addressing: IP addressing
(IPV4 & IPV6), subnetting; Types of Routing: static,
default and dynamic.
• Networking Protocols: RIP, OSPF, BGP; Access Control
list for IPV4, IPV6, Other Protocols: NAT, ARP, Port
Address Translation (PAT), IP Tunneling; DHCP
Preamble to Network Layer
• Transport and Network layers
– Responsible for moving messages from end to end in a
network
– Closely tied together
– TCP/IP: most commonly used protocol
• Used in the Internet
• Compatible with a variety of Application Layer protocols as well
as with many Data Link Layer protocols
• Responsible for addressing and routing of messages
– Selects the best path from computer to computer until the message
reaches its destination
• Performs encapsulation on the sending end
– Adds a network layer header to message segments
• Performs decapsulation on the receiving end
– Removes the network layer header and passes the segments
up to the transport layer
Internetworking Devices
Network devices
• Used to connect computers or other electronic devices so that they
can share files or resources like printers or fax machines.
• Devices used to set up a Local Area Network (LAN)
Internetwork
• A collection of individual networks, connected by
intermediate networking devices.
Connecting Devices
Hub
• A hub is used as a central point of connection among media
segments.
• Cables from network devices plug in to the ports on the
hub.
Types of hubs:
Passive hub – just a connector.
• It connects the wires coming from different branches.
• The signal passes through a passive hub without regeneration or
amplification.
• Connects several networking cables together.
Active hub (multiport repeater)
• It regenerates or amplifies the signal before it is retransmitted.
• Hubs operate at the physical layer of the OSI model.
• Hubs propagate signals through the network.
• They cannot filter network traffic.
• They cannot determine the best path.
Repeaters
• A repeater is a device that operates only at the PHYSICAL
layer.
• Used to increase the length of the network by eliminating
the effect of attenuation on the signal.
• It connects two segments of the same network.
• A repeater forwards every frame; it has no filtering
capability.
• A repeater is a regenerator, not an amplifier.
Bridges
• Operates in both the PHYSICAL and the data link layer.
• As a PHYSICAL layer device, it regenerates the signal it
receives.
• As a data link layer device, the bridge can check the
PHYSICAL / MAC addresses (source and destination)
contained in the frame.
• It can check the destination address of a frame and decide
if the frame should be forwarded or dropped.
• A bridge has a table that maps addresses to ports.
Characteristics of Bridges
Routing Tables
• Contain one entry per station of each network to which the bridge
is connected.
• Used to determine the network of the destination station of a
received packet.
Filtering
• Used by the bridge to allow through only those packets intended for
the remote network.
• Packets are filtered with respect to their destination and
multicast addresses.
Forwarding
• The process of passing a packet from one network to
another.
ROUTERS
• Route packets based on their logical addresses (host-to-
host addressing).
• A router normally connects LANs and WANs in the Internet
and has a routing table.
• The routing tables are normally dynamic and are updated
using routing protocols.
• Routers can increase network efficiency by filtering out
broadcast traffic between networks.
Types of Routers
• Static routers: These must have their routing tables
configured manually with all network addresses and paths
in the internetwork.
• Dynamic routers: These automatically create their routing
tables by listening to network traffic.
• Routing tables: Used to select the fastest or nearest path
to the next "hop" on the way to a data packet's final
destination.
• A hop is simply a router that the packet must travel through.
• Ticks measure the time it takes to traverse a link. Each tick
is 1/18 of a second. When the router selects a route based
on tick and hop metrics
Routers versus Bridges
Addressing
• Routers are explicitly addressed.
• Bridges are not addressed.
Availability
• Routers can handle failures in links, stations, and other routers.
• Bridges use only source and destination MAC address, which does not
guarantee delivery of frames.
Message Size
• Routers can perform fragmentation on packets and thus handle
different packet sizes.
• Bridges cannot do fragmentation and should not forward a frame
which is too big for the next LAN.
Forwarding
• Routers forward a message to a specific destination.
• Bridges forward a message to an outgoing network.
Gateways
• Able to convert the format of data in one computing
environment to a format that is usable in another
computing environment (for example, AppleTalk and
DECnet).
• The term gateway is sometimes used when referring to a
router.
• Gateways are devices that link different network types and
protocols.
• For example, gateways translate different electronic mail
protocols and convey email across the Internet.
VLAN
• VLAN Membership (Static & Dynamic) and VLAN Connections (Access
link & Trunk link).
• A VLAN is a logical grouping of networking devices.
• When we create a VLAN, we actually break a large broadcast domain into
smaller broadcast domains.
• Consider a VLAN as a subnet.
• Just as two different subnets cannot communicate with each other
without a router, different VLANs also require a router to communicate.
• VLAN membership can be assigned to a device by one of two methods
– Static
– Dynamic
• These methods decide how a switch will associate its ports with
VLANs.
Static
• In this method we manually assign VLAN to switch port.
• VLANs configured in this way are usually known as port-based VLANs.
Dynamic
• Dynamic membership VLANs are created through network
management software.
• Dynamic VLANs allow for membership based on the MAC address of
the device connected to the switch port.
• As a device enters the network, it queries a database within the switch
for a VLAN membership.
VLAN Connections
• A switch supports two types of VLAN connection
– Access link
– Trunk link
Access Link
• An access link connection is a connection where the switch port is
connected to a device that has a standard Ethernet NIC.
• An access link connection can only be assigned a single VLAN.
• That means all devices connected to this port will be in the same broadcast
domain.
Trunk link
• A trunk link connects a device that is capable of understanding multiple VLANs.
• Usually a trunk link connection is used to connect two switches or a switch
to a router.
• Trunking allows us to send or receive VLAN information across the
network.
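The bridge behaviour described under Characteristics of Bridges (learning a MAC-to-port table, filtering frames whose destination is on the same segment, forwarding the rest) and the access/trunk port model described above, combined in one worked example. This is an added illustration, not code from the slides; the port names, MAC addresses and VLAN numbers are constructed. The MAC table is kept per VLAN, so each VLAN behaves as its own broadcast domain and a frame never crosses VLANs inside the switch.

```python
# Added example (not from the slides): a learning switch with access and trunk
# ports. The MAC table is kept per VLAN, so each VLAN is its own broadcast
# domain; the port names, MAC addresses and VLAN numbers are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Port:
    def __init__(self, name, mode, vlans):
        self.name = name
        self.mode = mode            # "access" (one VLAN, untagged) or "trunk" (tagged)
        self.vlans = set(vlans)     # access: exactly one VLAN; trunk: VLANs allowed on it


class VlanSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.table = {}             # (vlan, mac) -> port the address was learned on

    def receive(self, in_port, src, dst, tag=None):
        """Handle one frame; return {out_port: tag} where tag is None for access ports."""
        port = self.ports[in_port]
        if port.mode == "access":
            if tag is not None:
                return {}           # tagged frame on an access port: dropped
            vlan = next(iter(port.vlans))
        else:
            if tag is None or tag not in port.vlans:
                return {}           # untagged or disallowed VLAN on a trunk: dropped
            vlan = tag
        # Learn: the source address lives behind the port the frame arrived on.
        self.table[(vlan, src)] = in_port
        known = self.table.get((vlan, dst))
        if dst == BROADCAST or known is None:
            # Flood (broadcast or unknown unicast) to every other port in this VLAN.
            targets = [p for p in self.ports.values()
                       if p.name != in_port and vlan in p.vlans]
        elif known == in_port:
            return {}               # Filter: destination is on the same segment.
        else:
            targets = [self.ports[known]]   # Forward to the learned port only.
        return {p.name: (vlan if p.mode == "trunk" else None) for p in targets}


def build_switch():
    """Two access ports in VLAN 10, one in VLAN 20, one trunk carrying both."""
    return VlanSwitch([
        Port("Fa0/1", "access", [10]),
        Port("Fa0/2", "access", [10]),
        Port("Fa0/3", "access", [20]),
        Port("Gi0/1", "trunk", [10, 20]),
    ])


def demo():
    """Constructed traffic: hosts a and a3 share a hub on Fa0/1, a2 is on Fa0/2,
    c is on Fa0/3 (VLAN 20) and b sits behind the trunk in VLAN 10."""
    sw = build_switch()
    a, a2, a3 = "00:00:00:00:00:0a", "00:00:00:00:00:a2", "00:00:00:00:00:a3"
    b, c = "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results = []
    results.append(sw.receive("Fa0/1", a, BROADCAST))      # flooded within VLAN 10 only
    results.append(sw.receive("Fa0/3", c, a))              # VLAN 20 traffic never reaches a
    results.append(sw.receive("Gi0/1", b, a, tag=10))      # a is known: forward to Fa0/1 only
    results.append(sw.receive("Fa0/2", a2, a))             # same VLAN, known: forward
    results.append(sw.receive("Fa0/1", a3, a))             # a and a3 share Fa0/1: filtered
    return results


if __name__ == "__main__":
    for frame_result in demo():
        print(frame_result)
```

The first frame shows the broadcast domain boundary: the broadcast from VLAN 10 reaches the other VLAN 10 access port and the trunk (tagged 10), but not the VLAN 20 port. The last frame is the classic bridge filtering case: both hosts hang off the same port, so the switch learns the destination is already on the arrival segment and sends nothing.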
IPv4
• Internet Protocol Version 4 (IPv4) is the fourth revision of the Internet Protocol.
• It is a connectionless protocol used on packet-switched link-layer
networks, such as Ethernet.
• It provides the logical connection between network devices by
providing identification for each device.
• There are many ways to configure IPv4, including manual and
automatic configuration.
• IPv4 uses 32-bit addresses for Ethernet communication in five
classes: A, B, C, D and E.
• IPv4 is used by the TCP/IP protocols at the network layer.
IPv4 Header Fields
• Version − Version number of the Internet Protocol used (e.g. IPv4).
• IHL − Internet Header Length; length of the entire IP header.
• DSCP − Differentiated Services Code Point; this is the Type of
Service.
– Mechanism for classifying and managing network traffic and providing
quality of service on modern IP networks.
• ECN − Explicit Congestion Notification;
– It carries information about the congestion seen on the route.
• Total Length − Length of the entire IP packet (including IP header
and IP payload).
• Identification − If an IP packet is fragmented during
transmission, all the fragments contain the same identification
number to identify the original IP packet they belong to.
• Flags − If an IP packet is too large to handle, these ‘flags’ tell whether
it can be fragmented or not. In this 3-bit field, the MSB is
always set to ‘0’.
• Fragment Offset − This offset tells the exact position of the
fragment in the original IP packet.
• Time to Live − To avoid looping in the network, every packet is
sent with some TTL value set, which tells the network how many
routers (hops) this packet can cross. At each hop, its value is
decremented by one and when the value reaches zero, the
packet is discarded.
• Protocol − Tells the network layer at the destination host to
which protocol this packet belongs, i.e. the next level protocol.
For example, the protocol number of ICMP is 1, TCP is 6 and UDP is
17.
ICMP (Internet Control Message Protocol)
• IP does not have an inbuilt mechanism for sending error and
control messages.
• ICMP is used for reporting errors and management queries.
• It is a supporting protocol used by network devices like
routers for sending error messages and operational
information.
Internet Protocol (IP)
• This protocol works at the network layer of the OSI model and at the
Internet layer of the TCP/IP model.
• Thus this protocol has the responsibility of identifying hosts based
upon their logical addresses and of routing data among them over
the underlying network.
• IP provides a mechanism to uniquely identify hosts by an IP addressing
scheme.
• IP uses best-effort delivery, i.e. it does not guarantee that packets will
be delivered to the destined host, but it will do its best to reach the
destination.
• Internet Protocol version 4 uses a 32-bit logical address.
User Datagram Protocol (UDP)
• User Datagram Protocol (UDP) is a Transport Layer protocol.
• Though Transmission Control Protocol (TCP) is the dominant transport
layer protocol used with most Internet services, and provides assured
delivery, reliability and much more, all these services cost us
additional overhead and latency.
• This is where UDP comes into the picture.
• Used to establish low-latency and loss-tolerating connections
between applications on the Internet.
• UDP speeds up transmission by enabling the transfer of data before an
agreement is provided by the receiving party.
• For real-time services like computer gaming, voice or video
communication and live conferences, we need UDP.
• UDP permits packets to be dropped instead of processing delayed
packets.
IPv4 Header Fields (continued)
• Header Checksum − This field is used to keep the checksum value
of the entire header, which is then used to check if the packet is
received error-free.
• Source Address − 32-bit address of the sender (or source) of
the packet.
• Destination Address − 32-bit address of the receiver (or
destination) of the packet.
• Options − This is an optional field, which is used if the value of IHL
is greater than 5. These options may contain values for options
such as Security, Record Route, Time Stamp, etc.
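The header fields listed above (Version, IHL, DSCP/ECN, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, addresses, Options) are easiest to understand by packing and unpacking a real 20-byte header. The following is an added example written for these notes, not code from the slides; the source and destination addresses and the payload length are constructed sample values, and `forward_hop` models the per-router TTL decrement and checksum update described under Time to Live.

```python
# Added example (not from the slides): build, parse and checksum a 20-byte IPv4
# header using the field layout described above. The addresses and payload
# length used in the demo are constructed sample values.
import ipaddress
import struct

HEADER_FMT = "!BBHHHBBH4s4s"                        # 20-byte fixed header, network byte order
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # protocol numbers quoted above


def header_checksum(header):
    """One's-complement sum of the header's 16-bit words, complemented (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1C46,
                 dont_fragment=True, more_fragments=False, frag_offset=0, dscp=0, ecn=0):
    ver_ihl = (4 << 4) | 5                           # version 4, IHL 5 words = 20 bytes, no options
    tos = (dscp << 2) | ecn                          # DSCP in the upper 6 bits, ECN in the lower 2
    flags = (int(dont_fragment) << 1) | int(more_fragments)   # 3-bit field, reserved MSB = 0
    flags_frag = (flags << 13) | frag_offset         # 3 flag bits + 13-bit fragment offset
    hdr = struct.pack(HEADER_FMT, ver_ihl, tos, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0,                 # checksum field is zero while computing it
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]


def parse_header(data):
    """Decode the fixed header fields; checksum_ok is True when the header is undamaged."""
    if len(data) < 20:
        raise ValueError("not a complete IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(HEADER_FMT, data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(data) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    header = data[:ihl * 4]
    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,
        "ecn": tos & 0b11,
        "total_length": total_length,
        "identification": ident,
        "flags": {"reserved": flags_frag >> 15, "DF": (flags_frag >> 14) & 1,
                  "MF": (flags_frag >> 13) & 1},
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:],                      # present only when IHL > 5
        "checksum_ok": header_checksum(header) == 0, # an intact header verifies to zero
    }


def forward_hop(packet):
    """One router hop: discard at TTL <= 1, otherwise decrement TTL and refresh the checksum."""
    ttl = packet[8]
    if ttl <= 1:
        return None                                  # TTL would reach zero: packet discarded
    out = bytearray(packet)
    out[8] = ttl - 1
    header_len = (out[0] & 0x0F) * 4
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", header_checksum(bytes(out[:header_len])))
    return bytes(out)


if __name__ == "__main__":
    pkt = build_header("192.0.2.10", "198.51.100.5", payload_len=8, proto=17) + b"\x00" * 8
    print(parse_header(pkt))
    print("after one hop, TTL =", parse_header(forward_hop(pkt))["ttl"])
```

Because the checksum only covers the header, a router can recompute it cheaply after changing the TTL, and any single-bit damage to the header makes `checksum_ok` false; the payload is not protected by this field at all, which is why the transport protocols carry their own checksums.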
IPv6
• IPv6 is the next generation of IP address.
• 128-bit hexadecimal address.
• Uses both numbers and letters.
TRANSITION FROM IPv4 TO IPv6
• Because of the huge number of systems on the Internet, the transition
from IPv4 to IPv6 cannot happen suddenly.
• IPv4 and IPv6 are not compatible with each other.
• As a solution to this problem, we use some transition technologies:
(i) Dual Stack
(ii) Tunneling
(iii) Header Translation

Dual Stack
• ISPs have chosen an IP address transition method called dual-stack.
• With the dual-stack solution, every networking device, server, switch,
router, and firewall in an ISP’s network will be configured with both
IPv4 and IPv6 connectivity capabilities.
• Most importantly, dual-stack technology allows ISPs to process IPv4
and IPv6 data traffic simultaneously.
• You can see whether you’re connecting with an IPv4 address, an IPv6 address,
or both. If you see only an IPv4 address on your laptop or desktop
computer, your Internet provider isn’t delivering dual-stack
connectivity yet.
Dual Stack (diagram on slide)
Tunneling (diagram on slide)
Header Translation
• An IPv6 computer sends a request to DNS for the IPv6 address of a
particular website.
• The DNS server in the IPv6 network can't find the IPv6 address, hence it transfers
the request to another IPv6 DNS server.
• It does not get the address because the requested website's IP is IPv4.
• The IPv6 network DNS server sends the request to the IPv4 network DNS server
and receives the IP of the requested address.
WHAT IS AN IP ADDRESS
• All the computers in the world on the Internet communicate
with each other using an address.
• A computer must have an address so that other computers can find and
locate it in order to deliver a particular file.
• In technical terms, that address is called an IP Address or Internet
Protocol Address.
• It is generally expressed as a set of numbers, for example 192.155.12.1.
• Here each number in the set is in the range 0 to 255. Or we can say that
a full IP address ranges from 0.0.0.0 to 255.255.255.255.
• IP addresses are assigned by IANA (Internet Assigned Numbers Authority).
Types of IP Address
• IPv4 and IPv6
• 1. IPv4: Internet Protocol version 4. It consists of 4 numbers separated
by dots. Each number can be from 0-255 in decimal.
• But computers do not understand decimal numbers; they instead
change them to binary numbers, which are only 0 and 1.
• In binary, this (0-255) range can be written as (00000000 –
11111111).
• Each number can thus be represented by a group of 8 binary
digits.
• So a whole IPv4 binary address can be represented by 32
binary digits.
• In IPv4, a unique sequence of bits is assigned to a computer, so a total
of 2^32 = 4,294,967,296 devices can be assigned an
IPv4 address.
Classes of IPv4 Address
• There are around 4.3 billion IPv4 addresses and managing all those
addresses without any scheme is next to impossible.
• For easier management and assignment, IP addresses are organized in
numeric order and divided into the following 5 classes (class table shown on slide):
• Classless Inter-Domain Routing (CIDR) is a range of IP addresses a
network uses. A CIDR address looks like a normal IP address, except
that it ends with a slash followed by a number.
Subnet Mask
• A subnet mask is used in networking to create multiple sub-networks in
a network.
• Used to divide an IP address into two parts. One part identifies the
host (computer), the other part identifies the network to which it
belongs.
• A subnet mask is made by setting the network bits to all "1"s and setting
the host bits to all "0"s.
• The binary "0"s in the subnet mask tell us about the host address: they
identify the host portion of the IP address that has been subnetted.
Subnet Mask (how to find the binary bits from the IP; worked on slide)
Subnet Mask (network and host part; worked on slide)
Subnetting
• Subnetting is done by changing the default subnet mask by borrowing
some of the bits from the host portion.
• A /24 in the CIDR notation of an IP address means the default subnet
mask is 255.255.255.0.
Subnetting (worked example on slide)
• The mask bits must be contiguous 1s, and in the example only an even number of 1s is taken.
Classless addressing
RESTRICTIONS
1. The addresses must be contiguous.
2. The number of addresses must be a power of 2 (16 = 2^4).
3. The first address must be divisible by 16. The first address, when
converted to a decimal number, is 3,440,387,360, which when divided by
16 results in 215,024,210.
• The first address in the block can be found by setting the
rightmost 32 − n bits to 0s.
• The last address in the block can be found by setting the
rightmost 32 − n bits to 1s.
Example-1
A block of addresses is granted to a small organization. We know that one of
the addresses is 205.16.37.39/28. What is the first address in the block?
Solution
The binary representation of the given address is
11001101 00010000 00100101 00100111
If we set the 32 − 28 rightmost bits to 0, we get
11001101 00010000 00100101 00100000
or 205.16.37.32.
This is actually the block shown in Figure 19.3.
Find the last address
Solution
The binary representation of the given address is
11001101 00010000 00100101 00100111
If we set the 32 − 28 rightmost bits to 1, we get
11001101 00010000 00100101 00101111
or 205.16.37.47
Find the number of addresses
The value of n is 28, which means that the number of addresses is 2^(32−28) or 16.
Example
Another way to find the first address, the last address, and the
number of addresses is to represent the mask as a 32-bit binary
(or 8-digit hexadecimal) number. This is particularly useful
when we are writing a program to find these pieces of
information. In Example 19.5 the /28 can be represented as
11111111 11111111 11111111 11110000
(twenty-eight 1s and four 0s).

Find
a. The first address
b. The last address
c. The number of addresses.
Example (continued)
Solution
a. The first address can be found by ANDing the given
address with the mask. ANDing here is done bit by bit.
The result of ANDing 2 bits is 1 if both bits are 1s; the
result is 0 otherwise.
b. The last address can be found by ORing the given
address with the complement of the mask. ORing here
is done bit by bit. The result of ORing 2 bits is 0 if both
bits are 0s; the result is 1 otherwise. The complement of
a number is found by changing each 1 to 0 and each 0 to
1.
c. The number of addresses can be found by
complementing the mask, interpreting it as a
decimal number, and adding 1 to it.
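The mask-based method just described (AND for the first address, OR with the complement for the last, complement plus 1 for the count), together with the classless-block restrictions and the subnetting idea of borrowing host bits, carried out in code. This is an added example for these notes, not code from the textbook slides; it reproduces the 205.16.37.39/28 block from the example, and the 192.168.1.0/24 block it subnets is a constructed sample value.

```python
# Added example (not from the textbook slides): the mask-based method above
# carried out in code, plus the classless-block restrictions and a subnetting
# helper that borrows host bits. Addresses other than 205.16.37.39/28 are
# constructed sample values.

def to_int(addr):
    """Dotted-decimal -> 32-bit integer (first octet is the most significant)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % addr)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr):
    """Four 8-bit groups, the notation used in the worked example."""
    return " ".join(format(int(o), "08b") for o in addr.split("."))


def mask_from_prefix(n):
    """/n as a 32-bit mask: n leading 1s followed by 32 - n 0s."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be 0..32")
    return (((1 << n) - 1) << (32 - n)) & 0xFFFFFFFF


def block_info(cidr):
    """First address (AND mask), last address (OR ~mask), count (~mask + 1)."""
    addr, n = cidr.split("/")
    mask = mask_from_prefix(int(n))
    not_mask = ~mask & 0xFFFFFFFF           # complement: host bits become 1s
    given = to_int(addr)
    first = given & mask                    # rightmost 32 - n bits set to 0
    last = given | not_mask                 # rightmost 32 - n bits set to 1
    return {
        "mask": to_dotted(mask),
        "first": to_dotted(first),
        "last": to_dotted(last),
        "count": not_mask + 1,
        "first_decimal": first,             # the "converted to a decimal number" value
    }


def satisfies_restrictions(first_decimal, count):
    """Classless block rules: size a power of 2 and first address divisible by the size."""
    return count > 0 and count & (count - 1) == 0 and first_decimal % count == 0


def subnets(cidr, new_prefix):
    """Subnetting: borrow host bits by lengthening the prefix, yielding 2^(new-old) blocks."""
    old_prefix = int(cidr.split("/")[1])
    if not old_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between the old prefix and 32")
    base = block_info(cidr)["first_decimal"]
    size = 1 << (32 - new_prefix)
    return ["%s/%d" % (to_dotted(base + i * size), new_prefix)
            for i in range(1 << (new_prefix - old_prefix))]


if __name__ == "__main__":
    info = block_info("205.16.37.39/28")
    print(to_binary("205.16.37.39"), info)
    print(subnets("192.168.1.0/26".replace("/26", "/24"), 26))
```

Running it for 205.16.37.39/28 gives mask 255.255.255.240, first address 205.16.37.32 (decimal 3,440,387,360, which is divisible by 16 as restriction 3 requires), last address 205.16.37.47 and 16 addresses, matching the hand computation above.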
Distance Vector Routing
• A distance-vector routing (DVR) protocol requires that a
router inform its neighbors of topology changes periodically.
• Historically known as the old ARPANET routing algorithm (or
known as Bellman-Ford algorithm).
• Bellman Ford Basics –
– Each router maintains a Distance Vector table containing the distance
between itself and ALL possible destination nodes.
– Distances, based on a chosen metric, are computed using information
from the neighbors’ distance vectors.
• The least-cost route between any two nodes is the route with
minimum distance.
• The table at each node also guides the packets to the desired
node
Working of Distance Vector Routing
Algorithm:
• Knowledge about the whole network:
– Each router shares its knowledge through the entire network.
– The Router sends its collected knowledge about the network to its
neighbors.
• Routing only to neighbors:
– The router sends its knowledge about the network to only those
routers which have direct links.
– The router sends whatever it has about the network through the ports.
– The information is received by the router and uses the information to
update its own routing table.
• Information sharing at regular intervals:
– Every 30 seconds, the router sends the information to the neighboring
routers.
Distance Vector Routing (worked example on slides)
• Initialization: At the beginning, each node knows only
the distance between itself and its immediate neighbors.
• Sharing: In distance vector routing, each node shares its
routing table (the first two columns) with its immediate
neighbors periodically and when there is a change.
• Updating: When a node receives a two-column table from a
neighbor, it needs to update its routing table.
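The three steps above (initialization, sharing, updating) simulated end to end on a small constructed topology. This is an added example, not code from the slides: each router keeps a (cost, next hop) entry per destination, relaxes it with the Bellman-Ford rule whenever a neighbour's two-column table arrives, and the simulation repeats sharing rounds until no table changes. Costs are capped at 16, the RIP convention for "unreachable", so an isolated router pair shows up as unreachable rather than absent.

```python
# Added example (not from the slides): the initialization / sharing / updating
# steps above simulated on a constructed six-router topology. Each router
# keeps (cost, next hop) per destination and relaxes it with Bellman-Ford
# when a neighbour's two-column table arrives. Costs are capped at 16, the
# RIP convention for "unreachable".

INFINITY = 16


def neighbours(node, links):
    """Directly attached routers and the link cost to each."""
    out = {}
    for a, b, cost in links:
        if a == node:
            out[b] = cost
        elif b == node:
            out[a] = cost
    return out


def initial_tables(links):
    """Initialization: each node knows only itself and its immediate neighbours."""
    nodes = {n for link in links for n in link[:2]}
    tables = {n: {n: (0, None)} for n in nodes}
    for node in nodes:
        for nb, cost in neighbours(node, links).items():
            tables[node][nb] = (cost, nb)
    return tables


def update_table(own, sender, sender_table, link_cost):
    """Updating: adopt neighbour's distance + link cost when it is cheaper, or when the
    neighbour is already our next hop for that destination (its view is authoritative)."""
    changed = False
    for dest, (adv_cost, _) in sender_table.items():
        new_cost = min(adv_cost + link_cost, INFINITY)
        old_cost, old_next = own.get(dest, (INFINITY, None))
        if new_cost < old_cost or (old_next == sender and new_cost != old_cost):
            own[dest] = (new_cost, sender)
            changed = True
    return changed


def run_distance_vector(links, max_rounds=50):
    """Sharing rounds: every node sends its table to its neighbours; stop when stable."""
    tables = initial_tables(links)
    for rnd in range(1, max_rounds + 1):
        advertised = {n: dict(t) for n, t in tables.items()}   # all send the same round's view
        changed = False
        for node in tables:
            for nb, cost in neighbours(node, links).items():
                changed |= update_table(tables[node], nb, advertised[nb], cost)
        if not changed:
            return tables, rnd
    return tables, max_rounds


def route(tables, src, dst):
    """(cost, next hop) for a destination; unreachable shows as (INFINITY, None)."""
    return tables[src].get(dst, (INFINITY, None))


# Constructed topology: A-B-C-D in a line with a slow A-D shortcut, E-F isolated.
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "D", 10), ("E", "F", 1)]

if __name__ == "__main__":
    tables, rounds = run_distance_vector(LINKS)
    print("converged after", rounds, "rounds")
    for node in sorted(tables):
        print(node, dict(sorted(tables[node].items())))
```

Note how A's route to D starts out as the direct 10-cost link and is replaced by the 3-hop path via B only after two sharing rounds: information travels one hop per round, which is the reason distance-vector protocols converge slowly on larger networks.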
Link State Routing
• Each router shares the knowledge of its neighborhood with every other
router.
The three keys to understanding the Link State Routing algorithm:
• Knowledge about the neighborhood:
– Instead of sending its routing table, a router sends information about its
neighborhood only.
– A router broadcasts its identity and the cost of its directly attached links to other
routers.
• Flooding:
– Each router sends the information to every other router on the internetwork
except its neighbors.
– This process is known as Flooding.
– Every router that receives the packet sends copies to all its neighbors.
Finally, each and every router receives a copy of the same information.
• Information sharing:
– A router sends the information to every other router only when a change
occurs in the information.
• Also known as shortest path first algorithms
• These protocols are built around Dijkstra’s SPF
How routers using Link State Routing Protocols reach
convergence
• Each router learns about its own directly connected networks
• Link state routers exchange hello packets to “meet” other directly connected routers
• Each router builds its own Link State Packet (LSP) which
includes information about neighbors such as neighbor ID, link
type, & bandwidth.
• After the LSP is created the router floods it to all neighbors who
then store the information and then forward it until all routers
have the same information
• Once all the routers have received all the LSPs, the routers then
construct a topological map of the network which is used to
determine the best routes to a destination.
Link State Routing: directly connected networks
• Link
– This is an interface on a router
• Link state
– This is the information about the state of the links:
– IP address
– Subnet mask
– Type of network
– Cost associated with link
– Neighboring routers on the link
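The convergence steps above (each router builds an LSP from its directly attached links, the LSPs are flooded until every router holds the same link-state database, and each router runs Dijkstra's SPF over that map) as an added example for these notes, not code from the slides. The four-router topology and its link costs are constructed; it is the same line-with-a-slow-shortcut network a distance-vector simulation would use, so the two approaches can be compared directly.

```python
# Added example (not from the slides): each router builds an LSP from its
# directly attached links, the LSPs are flooded into a shared link-state
# database, and every router runs Dijkstra's SPF over that map to fill its
# routing table. The topology is a constructed four-router network.
import heapq

# Constructed adjacency: router -> {neighbour: link cost}
TOPOLOGY = {
    "A": {"B": 1, "D": 10},
    "B": {"A": 1, "C": 1},
    "C": {"B": 1, "D": 1},
    "D": {"C": 1, "A": 10},
}


def build_lsp(router, adjacency):
    """Link State Packet: the router's ID plus (neighbour ID, cost) for each attached link."""
    return {"router": router, "links": dict(adjacency[router]), "seq": 1}


def flood(lsps):
    """After flooding, every router holds a copy of every LSP: the link-state database."""
    return {lsp["router"]: lsp["links"] for lsp in lsps}


def shortest_path_first(lsdb, source):
    """Dijkstra's algorithm over the LSDB; returns (distance, predecessor) maps."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry for an already settled node
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def routing_table(lsdb, source):
    """destination -> (next hop, cost), found by walking each SPF path back to the source."""
    dist, prev = shortest_path_first(lsdb, source)
    table = {}
    for dest in dist:
        if dest == source:
            continue
        hop = dest
        while prev[hop] != source:
            hop = prev[hop]
        table[dest] = (hop, dist[dest])
    return table


def converge(adjacency):
    """Every router: build LSP -> flood -> run SPF on the identical database."""
    lsdb = flood([build_lsp(r, adjacency) for r in adjacency])
    return {r: routing_table(lsdb, r) for r in adjacency}


if __name__ == "__main__":
    for router, table in converge(TOPOLOGY).items():
        print(router, table)
```

Every router computes from the same database, so there is no round-by-round propagation of distances as in distance-vector routing: once flooding is complete, a single SPF run per router produces the final tables, which is where the faster convergence (and the higher memory and CPU cost noted below) comes from.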
Advantages of a Link-State Routing Protocol (listed on slide)
Requirements for using a link state routing protocol
• Memory requirements
– Typically link state routing protocols use more memory
• Processing Requirements
– More CPU processing is required of link state routing protocols
• Bandwidth Requirements
– Initial startup of link state routing protocols can consume lots of
bandwidth
Two link state routing protocols used for routing IP
• Open Shortest Path First (OSPF)
• Intermediate System-Intermediate System (IS-IS)
Difference Between Distance Vector
and Link State
Distance Vector
• Distance Vector routing protocols are based on the Bellman-Ford
algorithm.
• Distance Vector routing protocols are less scalable; for example RIP
supports 16 hops and IGRP has a maximum of 100 hops.
• Distance Vector protocols are classful routing protocols, which means there
is no support for Variable Length Subnet Mask (VLSM) or Classless
Inter Domain Routing (CIDR).
• Distance Vector routing protocols use hop count or a composite
metric.
• Common distance vector routing protocols include: AppleTalk RTMP,
IPX RIP, IP RIP, IGRP
Link State
• Link State routing protocols are based on Dijkstra's algorithm.
• Link State routing protocols are very scalable and support an unlimited number of
hops.
• Link State routing protocols are classless, which means that they
support VLSM and CIDR.
• Cost is the metric of the Link State routing protocols.
• Link State routing protocols support contiguous subnets.
Open Shortest Path First (OSPF)
• Popular intra-domain routing protocol based on link state
routing
• To handle routing efficiently and in a timely manner, OSPF
divides an autonomous system into areas
• An area is a collection of networks, hosts, and routers all contained
within an AS
• An AS can also be divided into many different areas
• All networks inside an area must be connected.
• Routers inside an area flood the area with routing information
• At the border of an area are special routers called area border
routers.
• These routers summarize the area information and send it to
other areas.
• In an autonomous system, a special area connected to all area
border routers is called the backbone.
• The backbone serves as the primary area and the others are secondary
areas.
OSPF Metric
• OSPF allows the administrator to assign a cost, called the
metric, to each route
• The metric can be based on a type of service (minimum delay,
maximum throughput, and so on).
Types of Link
Point-to-Point Link
• Connects two routers without any other host or router in
between.
Transient Link
• A network with several routers attached to it
Stub Link
• A stub link is a network that is connected to only one router
• The data packets enter the network through this single router
and leave the network through this same router
Virtual Link
• When the link between two routers is broken, the admin may
create a virtual link, which probably goes through several routers.
Routing Information Protocol
• RIP is a standard for exchange of routing information among
gateways and hosts.
• It’s a distance vector routing protocol
• The maximum number of hops allowed for RIP is 15.
• This hop limit, however, also limits the size of networks that RIP
can support.
• Originally each RIP router transmitted full updates every 30
seconds.
• In the early deployments, routing tables were small enough that
the traffic was not significant.
• There are three versions of the Routing Information
Protocol:
– RIP version 1
– RIP version 2
– RIPng (RIP next generation)
RIP version 1
• It is compatible with all RIP-capable devices.
• It is an open standard protocol, meaning it works on routers from various
vendors.
• It is a classful routing protocol. Updates are broadcast.
• Its administrative distance value is 120, which means it is not considered very
reliable.
• The lower the administrative distance value, the more reliable the
route.
• Its metric is hop count and the max hop count is 15, so there can be a
total of 16 routers in the network.
• When there are the same number of hops to reach a destination, RIP
starts to perform load balancing.
• This reduces traffic and also balances the load. It is used in small
companies; in this protocol routing tables are updated every 30 sec.
Advantages of RIP-1
• Easy to configure
• Less overhead
• No complexity.
Disadvantages of RIP ver-1
• Bandwidth utilization is very high as it broadcasts every 30 seconds.
• It works only on hop count.
• It is not scalable as the hop count limit is only 15.
• Convergence is very slow; it wastes a lot of time in finding an alternate path.
RIP version 2
• Developed in 1993
• Last standardized in 1998
• It supports Classless Inter-Domain Routing (CIDR) and has the
ability to carry subnet information.
• The metric is also hop count, and the max hop count of 15 is the same as in RIP
version 1.
• In RIPv2, subnet masks are included in the routing update.
• RIPv2 multicasts the entire routing table to all adjacent routers.
Advantages of RIP ver2 –
• It’s a standardized protocol.
• Provides fast convergence.
• It sends triggered updates when the network changes.
Disadvantages of RIP ver2 –
• Max hop count of 15
• No concept of neighbours.
• Exchanges entire table with all neighbours every 30 seconds (except in
the case of a triggered update)
RIPng
• RIPng (RIP next generation) is an extension of RIPv2 for support of
IPv6.
• The routing algorithm selects a best route for each possible
destination using distance as the main selection criterion.
• Each piece of routing information
– consists of a destination, a gateway and the distance to the destination.
• A router exchanges routing information with
– only directly connected routers.
• The origin of a route cannot be identified.
• Route computation is distributed: the selection decision made at
one router depends on the route selection decisions made by
other routers.
• The algorithm can be vulnerable to topological changes and
can converge slowly.
Border Gateway Protocol (BGP)
• Used to exchange routing information for the Internet.
• Protocol used between ISPs, which are different ASes.
• It can connect together any internetwork of autonomous systems
using an arbitrary topology.
• The only requirement is that each AS have at least one router.
• Its main function is to exchange network reachability information
with other BGP systems.
Characteristics of Border Gateway Protocol (BGP):
• Inter-Autonomous System Configuration: The main role of
BGP is to provide communication between two autonomous
systems.
• Path Information: BGP advertisements also include path
information, along with the reachable destination and next
destination pair.
• Runs over TCP
• BGP supports CIDR
Functionality of Border Gateway Protocol (BGP):
BGP peers perform 3 functions, which are given below.
• The first function consists of initial peer acquisition and
authentication.
• Both peers establish a TCP connection and perform
message exchange.
• It guarantees both sides have agreed to communicate.
• The second function mainly focuses on sending negative or
positive reachability information.
• The third function verifies that the peers and the network
connection between them are functioning correctly.

BGP Route Information Management Functions:
• Route Storage:
Each BGP speaker stores information about how to reach other networks.
• Route Update:
In this task, special techniques are used to determine when and how to
use the information received from peers to properly update the routes.
• Route Selection:
Each BGP speaker uses the information in its route databases to select good
routes to each network on the internetwork.
• Route advertisement:
Each BGP speaker regularly tells its peers what it knows about various
networks and methods to reach them.
Access Control List
What are Access Control Lists?
• A list of statements to either permit or deny the movement of data from
the network layer and above.
• Used to filter traffic in our networks as required by the security policy.
• Any unwanted or malicious attempts to reach a network resource can
easily be blocked by ACLs.
• ACL configuration can be done with both IPv4 and IPv6 addressing
formats.
• IPv4 is a 32-bit IP addressing scheme that is widely in use and is about
to be exhausted.
• IPv6 is an alternative option to IPv4 which consists of a 128-bit IP
address.
Packet filtering
• Filtering of packets is a way to check the incoming packets and
outgoing packets.
• Accomplished by a router.
• Routers forward packets based on the layer 3 information.
• When we apply filters, the router examines each packet and decides:
if the packet passes the set criteria, it is forwarded; if not, it is dropped.
• The criteria used by the router to determine whether packets can traverse
the network are set by configuring ACLs.
• With access control lists, we can filter traffic based on:
– Destination and source layer 3 address
– Destination and source port number
– As well as the protocol in use

ACL concepts
• The ACL is usually a script that is executed in the router to check the
packets based on the specified criteria.
• ACLs inspect packets against the rules that the administrator has set.
• Guidelines to configuring ACLs (listed on slide).

ACL Configuration
• ACLs are configured on the routers that act as firewalls in your network.
• ACLs should be configured to control access to sensitive information in
a particular subnet.
– e.g. configured to allow authorized access to the finance department network
• ACLs are configured on the edge of your network,
– e.g. to separate traffic from the Headquarters to other branches.
• ACLs are configured to control traffic from the various protocols.
• Used to filter traffic that is entering or leaving the router.

The three rules of configuring ACLs
• These rules determine how traffic on a network will flow and therefore
they should not be ignored.
1 ACL per protocol –
• Control each of the protocols that you may have configured on your
router.
1 ACL per direction –
• There are two directions in this case:
• Inbound traffic is the traffic that is coming into the router.
• Outbound traffic is traffic that is leaving the router.
1 ACL per interface –
• To control traffic leaving the router through a specified interface.

What ACLs do
• The ACLs work by doing the following:
• Blocking specified traffic so as to enhance the performance of the
network
• Providing security by blocking packets destined to sensitive areas in your
network
• Determining the type of traffic to forward based on the protocols
• Denying certain users access to the Internet while allowing others.

How ACLs work

• There are two directions in which ACLs can be configured.

Inbound ACLs –
• Packets are checked before they are routed. This type of ACL is important since the router does not waste CPU
cycles by processing packets that would eventually be dropped.

Outbound ACLs –
• Packets are first routed and then passed to the outbound ACL for
filtering.
• For this ACL, the router first looks up the destination in its routing table.
• The router then inspects whether the outbound interface has an ACL.
• If the interface does not have an ACL for the packet, it is forwarded.
Cont..

Types of ACLs
• There are several types of ACLs
• We focus on two types; standard ACLs and Extended ACLs.
Standard ACLs
• Administrator can permit or deny packets based on their source IP
address ONLY.
• These ACLs do not check the packets for any other criteria
Extended ACLs
• With these ACLs, you have more control over the traffic that you want
to filter.
• Some of the criteria may include:
Cont..
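The following is an added worked example (not part of the slides) of how a router evaluates a standard ACL and an extended ACL: rules are tried in order, the first match decides, and a packet that matches nothing hits the implicit deny at the end of the list. The sample rules, addresses and the `wildcard_to_network` helper (which turns a Cisco-style address/wildcard pair into CIDR) are constructed for this illustration.

```python
"""Toy ACL evaluator (added example, not from the slides).  Shows standard
(source-address only) versus extended (source, destination, protocol, port)
rules, first-match evaluation and the implicit deny at the end of a list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR such as "10.1.1.0/24", or "any"
    dst: str = "any"             # checked only by extended ACLs
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every destination port


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """Turn a Cisco-style 'address wildcard' pair into CIDR notation.
    Wildcard bits set to 1 mean 'don't care'; only contiguous masks are handled."""
    w = int(ipaddress.ip_address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask")
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _matches(rule: Rule, pkt: Packet, extended: bool) -> bool:
    if not _in_net(pkt.src, rule.src):
        return False
    if not extended:
        return True              # a standard ACL never looks past the source
    if not _in_net(pkt.dst, rule.dst):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, extended: bool) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for index, rule in enumerate(acl):
        if _matches(rule, pkt, extended):
            return rule.action, index
    return "deny", None


# Constructed sample lists.  Rule order matters: the host-specific deny must
# precede the subnet-wide permit, otherwise it would never be reached.
STANDARD_ACL = [
    Rule("deny", wildcard_to_network("10.1.1.50", "0.0.0.0")),
    Rule("permit", wildcard_to_network("10.1.1.0", "0.0.0.255")),
]
EXTENDED_ACL = [
    Rule("permit", "10.1.1.0/24", "172.16.5.10/32", "tcp", 443),
    Rule("deny", "10.1.1.0/24", "172.16.5.0/24"),
    Rule("permit", "any"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.7", "172.16.5.10", "tcp", 443),
                Packet("10.1.1.7", "172.16.5.10", "tcp", 22),
                Packet("10.2.0.1", "8.8.8.8", "udp", 53)):
        print(pkt, "standard:", evaluate(STANDARD_ACL, pkt, False),
              "extended:", evaluate(EXTENDED_ACL, pkt, True))
```

Evaluating the extended rule set with `extended=False` shows why standard ACLs cannot express "HTTPS only to the finance server": with only the source address checked, the port 22 packet matches the first rule and is permitted.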

Access Control Lists for IPv4

• IPv4 ACLs improve network performance by restricting network usage
through policies such as:
Switch Management Access Policy
• This is used to allow or block in-band management functions,
– including preventing or limiting the use of protocols that run over IPv4,
– including TCP, IGMP, UDP, and ICMP.

Application Access Security Policy
• Eliminates unwanted traffic in a network by filtering IPv4 packets
as they enter or exit a switch on VLAN interfaces.
Cont..

Configuring IPv4 ACLs

• A switch is a layer 2 device that is used to connect multiple host
systems (computers) within a local area network.
• A switch has multiple ports (interfaces) to which hosts are connected
through wires.
• IPv4 filtering is configured on any interface on which you want the
traffic filtering to happen.
• There are two types of ACL configurations:
1. Static and
2. RADIUS-assigned.
Cont..

1. Static ACLs
• Routed IPv4 ACLs for traffic control and VLAN ACLs are configured
statically.

• VLAN ACL: a VACL or VLAN ACL is configured on VLANs for filtering
traffic that enters the switch through an interface on a VLAN and has
its destination on the same VLAN.

• Static Port Access Control List: this is configured on switch ports for
filtering traffic that enters that port on the switch.
Cont..

2. Dynamic or RADIUS-Assigned IPv4 ACLs

• These are configured on RADIUS servers, on the specific ports that are
used to authenticate their clients.

• The ACL configured on the server filters traffic from its authenticated
client.
Network Address Translation (NAT)
• NAT assigns a public address to a computer (or group of computers) inside
a private network.
• The purpose of NAT is to limit the number of public IP addresses needed, for both
economy and security purposes.
Cont..
• NAT is a process in which a local IP address is translated into one or more
global IP addresses and vice versa.

• It also translates port numbers,

• i.e. it masks the port number of the host with another port number in the
packet that will be routed to the destination.

• It then makes the corresponding entries of IP address and port number
in the NAT table.

• NAT generally operates on a router or firewall.


Cont..
Network Address Translation (NAT) Working

• Generally, the border router is configured for NAT.

• When a packet traverses outside the local (inside) network, NAT
converts that local (private) IP address to a global (public) IP address.

• When a packet enters the local network, the global (public) IP address
is converted to a local (private) IP address.

• If NAT runs out of addresses, i.e., no address is left in the configured pool,
then the packets will be dropped.

• An Internet Control Message Protocol (ICMP) host unreachable packet is
sent to the destination.
Cont..
NAT inside and outside addresses
Cont..
Inside local address –
• An IP address that is assigned to a host on the inside (local) network.
• The address is usually not an IP address assigned by the service provider,
i.e., these are private IP addresses.
• This is the inside host as seen from the inside network.
Outside local address –
• This is the IP address of the outside destination host as seen from the local
network, i.e., after translation.
Inside global address –
• An IP address that represents one or more inside local IP addresses to the
outside world.
• This is the inside host as seen from the outside network.
Outside global address –
• This is the outside host as seen from the outside network.
• It is the IP address of the outside destination host before translation.
Cont..
Network Address Translation (NAT) Types –
• There are 3 ways to configure NAT:
1. Static NAT
• A single unregistered (private) IP address is mapped to a legally
registered (public) IP address.
• This is generally used for web hosting.
• These are not used in organisations for general Internet access,
• because many devices need Internet access, and to provide
Internet access a public IP address is needed for each of them.
• Suppose there are 100 devices that need access to the Internet; the
organisation would have to buy 100 public addresses, which would be very costly.
Cont..
2. Dynamic NAT
• In this type of NAT, an unregistered IP address is translated into a registered
(public) IP address taken from a pool.
• If no IP address in the pool is free, then the packet will be dropped.
• Only a fixed number of private IP addresses can be translated to public
addresses.
• With a pool of 2 public IP addresses, only 2 private IP addresses can be
translated at a given time.
• This is also very costly as the organisation has to buy many global IP
addresses to make a pool.
Cont..
3. Port Address Translation (PAT)
• This is also known as NAT overload.
• In this, many local (private) IP addresses can be translated to a single
registered IP address.
• Port numbers are used to distinguish the traffic, i.e., which traffic belongs to
which IP address.
• It is cost-effective as thousands of users can be connected to the Internet by
using only one real global (public) IP address.
Port Number

What does Port Number mean?

• A port number is the logical address of each application or process that
uses a network or the Internet to communicate.
• Each application/program is allocated a 16-bit integer port
number.
• It is assigned automatically by the OS, manually by the user, or is set
as a default for some popular applications.
Cont..

• Port numbers allow the transmission of data between a network and an application.
• Port numbers work in collaboration with networking protocols
to achieve this.
• E.g., in an incoming message/packet, the IP address is used to
identify the destination computer/node,
• whereas the port number further specifies the destination
application/program in that computer.
• Similarly, all outgoing network packets contain application port
numbers in the packet header
• to enable the receiver to distinguish the specific application.
Cont..
Port Address Translation (PAT)
• Permits multiple devices on a local area network (LAN) to be mapped
to a single public IP address.
• The goal of PAT is to conserve IP addresses.
• Most home networks use PAT.
• The Internet Service Provider (ISP) assigns a single IP address to the home
network's router.
• When Computer “A” logs on to the Internet, the router assigns the client
a port number, which is appended to the internal IP address.
• If Computer “B” logs on to the Internet at the same time, the router
assigns it the same public IP address with a different port number.
• Although both computers are sharing the same public IP address and
accessing the Internet at the same time
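The following added example (not part of the slides) models the three NAT types from the slides above, static NAT, dynamic NAT with an address pool, and PAT, including the two behaviours the slides single out: a dynamic pool that runs out drops the packet, and PAT rewrites the source port so that replies for Computer “A” and Computer “B” can be told apart on a single public address. All addresses are constructed documentation-range values; a packet is represented as the tuple (src_ip, src_port, dst_ip, dst_port).

```python
"""Toy model of static NAT, dynamic NAT and PAT (NAT overload).  Added
example, not from the slides; addresses below are constructed values."""
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int, str, int]       # (src_ip, src_port, dst_ip, dst_port)


class StaticNAT:
    """One-to-one mapping fixed by the administrator (e.g. for a web server)."""

    def __init__(self, mapping: Dict[str, str]):
        self.to_global = dict(mapping)                  # inside local -> inside global
        self.to_local = {g: l for l, g in mapping.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if src not in self.to_global:
            return None
        return (self.to_global[src], sport, dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if dst not in self.to_local:
            return None
        return (src, sport, self.to_local[dst], dport)


class DynamicNAT:
    """Each inside host takes one address from the pool; with the pool empty
    the packet is dropped, which is the 'pool exhausted' case on the slides."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.table: Dict[str, str] = {}                 # inside local -> inside global

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if src not in self.table:
            if not self.free:
                return None                             # dropped: no address left
            self.table[src] = self.free.pop(0)
        return (self.table[src], sport, dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        reverse = {g: l for l, g in self.table.items()}
        if dst not in reverse:
            return None
        return (src, sport, reverse[dst], dport)


class PAT:
    """Many inside hosts share one public address; the source port is rewritten
    when needed so that the reply can be matched back to the right host."""

    def __init__(self, public_ip: str, first_free_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_free_port
        self.table: Dict[Tuple[str, int], int] = {}     # (inside ip, port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        src, sport, dst, dport = pkt
        key = (src, sport)
        if key not in self.table:
            # keep the original port if it is still unused on the public side
            public_port = sport if sport not in self.reverse else self._allocate()
            self.table[key] = public_port
            self.reverse[public_port] = key
        return (self.public_ip, self.table[key], dst, dport)

    def _allocate(self) -> int:
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, sport, dst, dport = pkt
        if dst != self.public_ip or dport not in self.reverse:
            return None                                 # no table entry: unsolicited, dropped
        local_ip, local_port = self.reverse[dport]
        return (src, sport, local_ip, local_port)
```

Note the side effect of the translation table in `PAT.inbound`: an inbound packet that matches no entry is discarded, which is why hosts behind PAT are not reachable from outside unless a mapping is created first.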
IP Tunneling
• Tunneling is an internetworking strategy.

• Source and destination networks of the same type are connected through a
network of a different type.

• That different kind of network is what interconnects them.

• It is widely used to connect an isolated host or network using another network.

• The network that results is called an overlay.
Cont..
DHCP
What is DHCP?
• DHCP dynamically assigns an IP address to any device,
• rather than requiring network administrators to manually assign IP
addresses to all network devices.
• It is implemented on small local networks, as well as large enterprise
networks.
• It assigns new IP addresses in each location when devices are moved
from place to place (a device moves to a new location on the network).
• Versions of DHCP are available for use in IP version 4 (IPv4) and IP
version 6 (IPv6).
• There are two ways to assign an IP address:
1. Static, 2. Dynamic
Cont..
Components of DHCP
• DHCP is made up of numerous components, such as the DHCP server,
client and relay.
• The DHCP server is typically either a server or a router:
– a networked device that runs the DHCP service. The DHCP server holds IP
addresses, as well as related configuration information.

• The DHCP client is a device such as a computer or phone
– that connects to a network and communicates with a DHCP server.

• The DHCP relay manages requests between DHCP clients and servers.
– Relays are used when an organization has to handle large or complex networks.

• Other components include the IP address pool, subnet, lease and DHCP
communications protocol.
DHCP Handshake

Discover – The DHCP client broadcasts this message to find a DHCP server.
Offer – The DHCP server broadcasts this message to lease an IP
configuration to the DHCP client.
Request – The DHCP client uses this message to notify the DHCP server
whether it accepts the proposed IP configuration or not.
Acknowledgment – The DHCP server uses this message to confirm to the DHCP client
that it can use the offered IP configuration.
Cont..

• If a device needs a specific IP address, the DHCP server can reserve that
address for the device.
• Such devices include:
– Servers
– Routers
– Printers
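The following added example (not from the slides) walks through the Discover, Offer, Request and Acknowledge exchange of the handshake above against a toy server that keeps an address pool, lease expiry times and per-MAC reservations, so that a reserved device such as a printer always receives the same address and a client arriving when the pool is empty receives no offer. The pool, lease time, MAC addresses and transaction ids are constructed values; message dictionaries stand in for the real DHCP packet fields.

```python
"""Toy DHCP server and client (added example, not from the slides): the
Discover / Offer / Request / Acknowledge exchange with an address pool,
lease expiry and per-MAC reservations.  All values are constructed."""
from typing import Dict, List, Optional, Tuple


class DHCPServer:
    def __init__(self, pool: List[str], lease_time: int = 3600,
                 reservations: Optional[Dict[str, str]] = None):
        self.free = list(pool)                          # addresses not currently leased
        self.lease_time = lease_time
        self.reservations = dict(reservations or {})    # mac -> fixed address
        self.leases: Dict[str, Tuple[str, int]] = {}    # ip -> (mac, expires_at)
        self.offers: Dict[int, str] = {}                # xid -> address offered so far

    def _pick(self, mac: str) -> Optional[str]:
        if mac in self.reservations:
            return self.reservations[mac]
        for ip in self.free:
            if ip not in self.offers.values() and ip not in self.reservations.values():
                return ip
        return None

    def expire(self, now: int) -> None:
        """Return expired leases to the pool (reserved addresses stay reserved)."""
        for ip, (mac, expires) in list(self.leases.items()):
            if expires <= now:
                del self.leases[ip]
                if ip not in self.reservations.values():
                    self.free.append(ip)

    def handle(self, msg: dict, now: int = 0) -> Optional[dict]:
        xid, mac = msg["xid"], msg["chaddr"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._pick(mac)
            if ip is None:
                return None                             # pool exhausted: server stays silent
            self.offers[xid] = ip
            return {"type": "DHCPOFFER", "xid": xid, "yiaddr": ip, "lease": self.lease_time}
        if msg["type"] == "DHCPREQUEST":
            ip = msg["requested"]
            if self.offers.pop(xid, None) != ip:
                return {"type": "DHCPNAK", "xid": xid}  # not what we offered this client
            if ip in self.free:
                self.free.remove(ip)
            self.leases[ip] = (mac, now + self.lease_time)
            return {"type": "DHCPACK", "xid": xid, "yiaddr": ip, "lease": self.lease_time}
        raise ValueError("unexpected message type " + msg["type"])


def dhcp_transaction(server: DHCPServer, mac: str, xid: int, now: int = 0) -> Optional[str]:
    """Client side of the handshake; returns the acknowledged address or None."""
    offer = server.handle({"type": "DHCPDISCOVER", "xid": xid, "chaddr": mac}, now)
    if offer is None:
        return None
    ack = server.handle({"type": "DHCPREQUEST", "xid": xid, "chaddr": mac,
                         "requested": offer["yiaddr"]}, now)
    return ack["yiaddr"] if ack["type"] == "DHCPACK" else None
```

Running several clients through `dhcp_transaction` in sequence shows the pool draining, the reserved MAC bypassing the pool, and addresses returning to the pool only after `expire` is called with a time past the lease end.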
Cont..
Advantages –
• centralized management of IP addresses
• ease of adding new clients to a network
• reuse of IP addresses reducing the total number of IP addresses that
are required
• simple reconfiguration of the IP address space on the DHCP server
without needing to reconfigure each client
Disadvantages –
• IP conflict can occur
Address Resolution Protocol (ARP)

• ARP is a procedure for mapping an IP address to a permanent physical
machine address in a local area network (LAN).
• ARP essentially translates 32-bit addresses to 48-bit addresses and
vice versa.
• ARP works between network layers 2 and 3.
• The MAC address exists on layer 2 of the OSI model, while the IP
address exists on layer 3.
• ARP can also be used for IP over other LAN technologies, such as token
ring, fiber distributed data interface (FDDI) and IP over ATM.
• In IPv6, which uses 128-bit addresses, ARP has been replaced by the
Neighbor Discovery protocol.
Cont..

• With the help of DHCP we can complete the IP configuration up to the network
router (gateway).
• To find the MAC address we then have to use ARP, starting with the gateway.
Cont..
How ARP works
• When a new computer joins a LAN, it is assigned a unique IP address to use
for identification and communication.
• The gateway asks the ARP program to find a MAC address that matches the IP
address.
• A table called the ARP cache maintains a record of each IP address and its
corresponding MAC address.
• All operating systems in an IPv4 Ethernet network keep an ARP cache.
• Every time a host needs a MAC address in order to send a packet to
another host in the LAN,
• it checks its ARP cache to see if the IP-to-MAC address translation already
exists.
• If it does, then a new ARP request is unnecessary.
Cont..
• If the translation does not already exist, then the request for the
address is sent and ARP is performed.
• The ARP cache size is limited and it is periodically cleansed of all entries.
• Addresses tend to stay in the cache for only a few minutes.
• In the cleaning process, unused entries are deleted.
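The following added example (not from the slides) puts the two preceding slides together: a host decides whether the destination is on its own subnet or must go via the gateway, then resolves that next hop through an ARP cache that only sends a request when no fresh entry exists and that ages entries out after a timeout. The LAN table, addresses and timeout are constructed values standing in for the real wire exchange.

```python
"""Toy ARP cache with ageing (added example, not from the slides).  Resolves
the next-hop IPv4 address to a MAC address, sending an ARP request only when
the cache has no fresh entry.  LAN contents and addresses are constructed."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed LAN: the reply each host would give to an ARP request for its IP.
LAN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:01",     # the gateway (router)
    "192.168.1.20": "00:11:22:33:44:20",
}


class ArpCache:
    def __init__(self, timeout: int = 120):
        self.timeout = timeout                          # seconds an entry stays valid
        self.entries: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, learned_at)
        self.requests_sent = 0                          # how often we went to the wire

    def purge(self, now: int) -> None:
        """The periodic cleaning step: drop entries older than the timeout."""
        for ip, (mac, learned_at) in list(self.entries.items()):
            if now - learned_at >= self.timeout:
                del self.entries[ip]

    def resolve(self, ip: str, now: int) -> Tuple[Optional[str], bool]:
        """Return (mac, served_from_cache).  mac is None when nobody answers."""
        self.purge(now)
        if ip in self.entries:
            return self.entries[ip][0], True
        self.requests_sent += 1                         # broadcast "who has <ip>?"
        mac = LAN_HOSTS.get(ip)
        if mac is None:
            return None, False
        self.entries[ip] = (mac, now)
        return mac, False


def next_hop(dst_ip: str, local_net: str, gateway_ip: str) -> str:
    """A destination on the local subnet is ARPed for directly; anything else
    is handed to the gateway, so it is the gateway's MAC that ARP must find."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(local_net):
        return dst_ip
    return gateway_ip
```

Sending to an Internet address and then to the same gateway a few seconds later costs one ARP request, not two; after the timeout the next packet triggers a fresh request, which is the behaviour the slides describe as entries staying in the cache for only a few minutes.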
Cont..
Spanning Tree Protocol
• The purpose of Spanning Tree Protocol (STP) is to ensure that you do not create loops
when you have redundant paths in your network.
• It makes a loop-free network by monitoring the network to track all the
links and shut down the redundant ones.
Cont..
• Bridge Protocol Data Unit (BPDU) – It contains the (root) Bridge ID,
the sender's Bridge ID, the cost to the root bridge, and the timer values of the root
bridge.
– All switches exchange BPDUs in order to elect the root bridge. The switch with the lowest
Bridge ID becomes the root bridge.
– Switches multicast BPDUs every 2 seconds; if a switch receives its own BPDU then there is a
loop in the network.
• Bridge ID – It is an 8-byte field that is a combination of the bridge priority
(2 bytes) and the base MAC address (6 bytes) of a device.
– If there is a tie on bridge priority then the base MAC address is considered.
• Bridge Priority – It is a priority which is assigned to every switch,
32768 by default.
• Root Bridge – The root bridge is the bridge with the lowest Bridge ID.
All the decisions, like which ports are the root ports, are made from the
perspective of the root bridge.
Cont..
• Path cost – A switch may encounter one or more switches in the path
to the root bridge. All the paths are analyzed and the path with the
lowest cost will be selected.
• Designated port – The port which sends the best BPDU, i.e., ports on
the root bridge, will be in a forwarding state.
• Root port – Used to reach the root bridge.
Criteria for selecting the root port:
– Lowest path cost to reach the root bridge
– Lowest sender bridge ID
– Lowest sender port ID (port priority + port number) – the port priority is 128 by default
and the port number is the switch interface number.
Cont..
Procedure:
• All the switches in the network declare themselves root bridges and
start exchanging their own BPDUs.
• The BPDU with the lowest bridge ID is considered superior. The
switch receiving the superior BPDU makes changes in its own BPDU
and carries it forward to its neighbours.
• This process goes on until all the switches agree on which
bridge has the lowest bridge ID.
• Hence that switch will be declared the root bridge.
• Now, according to the criteria, the root ports will be selected and the
remaining ports will be put in blocking mode.
Cont..
Root Bridge election
• Consider a scenario:
• As all the switches have the default priority, there is a tie on the
basis of priority.
• Now, the switch with the lowest MAC address will become the root bridge.
• Switch A will become the root bridge as it has the lowest MAC address.
Therefore, the ports of switch A will be in the forwarding state, i.e.,
designated ports.
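The following added example (not from the slides) carries the election procedure and the root-port criteria through in code for a constructed three-switch triangle like the scenario above: every switch has the default priority 32768, so the lowest base MAC address (switch A) wins; path costs are then computed from the root, each non-root switch picks its root port by lowest cost, then lowest sender Bridge ID, then lowest sender Port ID, and on the remaining link the side with the lower Bridge ID becomes designated while the other end is blocked. The switch names, MAC addresses, port numbers and link costs are constructed values.

```python
"""Toy Spanning Tree election (added example, not from the slides): root bridge
by lowest Bridge ID, root ports by lowest path cost with the slides' tie-breaks,
one designated port per link, everything else blocking.  Values constructed."""
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, int, str, int, int]      # (switch_a, port_a, switch_b, port_b, cost)


def bridge_id(priority: int, mac: str) -> Tuple[int, str]:
    """Bridge ID = priority (2 bytes) then base MAC (6 bytes); lower wins."""
    return (priority, mac.lower())


def port_id(port_number: int, port_priority: int = 128) -> Tuple[int, int]:
    """Port ID = port priority (128 by default) then interface number."""
    return (port_priority, port_number)


def elect_root(switches: Dict[str, Tuple[int, str]]) -> str:
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_path_costs(links: List[Link], root: str) -> Dict[str, int]:
    """Lowest cost from every switch to the root (Dijkstra over link costs)."""
    adjacent: Dict[str, List[Tuple[str, int]]] = {}
    for a, _, b, _, cost in links:
        adjacent.setdefault(a, []).append((b, cost))
        adjacent.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adjacent.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def run_stp(switches: Dict[str, Tuple[int, str]], links: List[Link]):
    """Return (root switch, cost table, {(switch, port): state})."""
    root = elect_root(switches)
    cost = root_path_costs(links, root)
    states: Dict[Tuple[str, int], str] = {}

    # Root port: one per non-root switch, chosen by the three criteria in order.
    for sw in switches:
        if sw == root:
            continue
        best = None
        for a, pa, b, pb, link_cost in links:
            for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
                if me != sw:
                    continue
                key = (cost[nb] + link_cost, bridge_id(*switches[nb]), port_id(nb_port))
                if best is None or key < best[0]:
                    best = (key, my_port)
        states[(sw, best[1])] = "root"

    # Designated port: one per link, on the end that advertises the better BPDU.
    for a, pa, b, pb, _ in links:
        key_a = (cost[a], bridge_id(*switches[a]), port_id(pa))
        key_b = (cost[b], bridge_id(*switches[b]), port_id(pb))
        designated, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        states.setdefault(designated, "designated")
        states.setdefault(other, "blocking")      # unless it is already a root port
    return root, cost, states


# Constructed triangle: all switches at default priority, A has the lowest MAC.
SWITCHES = {
    "A": (32768, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
}
LINKS: List[Link] = [("A", 1, "B", 1, 4), ("A", 2, "C", 1, 4), ("B", 2, "C", 2, 4)]

if __name__ == "__main__":
    root, cost, states = run_stp(SWITCHES, LINKS)
    print("root bridge:", root, "costs:", cost)
    for port in sorted(states):
        print(port, states[port])
```

Lowering one switch's priority (for example giving C priority 4096) changes the election outcome even though its MAC is the highest, which is how an administrator pins the root bridge rather than leaving it to the MAC tie-break.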
Cont..
Port Rules:
1. Root port (used to reach the root bridge)
2. Designated port (forwarding port, one per link)
3. Blocking/Non-designated port (blocks loops)
Cont..
• STP ensures that there is only one logical path between all destinations
on the network by intentionally blocking redundant paths that would cause a
loop.
• A port is considered blocked when user data is prevented from
entering or leaving that port. This does not include the BPDU frames that
are used by STP to prevent loops.
• The physical paths still exist to provide redundancy, but these paths are
disabled to prevent loops from occurring.
