Monday, December 13, 2010

IMPLEMENT AN IP ADDRESSING SCHEME AND IP SERVICES TO MEET NETWORK REQUIREMENTS FOR A SMALL BRANCH OFFICE CCIE Security Training Institute in Delhi NCR

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP) takes large blocks of information from an application and
breaks them into segments. It numbers and sequences each segment so that the destination’s TCP
stack can put the segments back into the order the application intended. After these segments are
sent, TCP (on the transmitting host) waits for an acknowledgment from the receiving end’s TCP
stack over the virtual circuit session, retransmitting any segments that aren’t acknowledged.
Before a transmitting host starts to send segments down the model, the sender’s TCP stack
contacts the destination’s TCP stack to establish a connection. What is created is known as a
virtual circuit. This type of communication is called connection-oriented. During this initial
handshake, the two TCP layers also agree on the amount of information that’s going to be sent
before the recipient’s TCP sends back an acknowledgment. With everything agreed upon in
advance, the path is paved for reliable communication to take place.
TCP is a full-duplex, connection-oriented, reliable, and accurate protocol, but establishing
all these terms and conditions, in addition to error checking, is no small task. TCP is very complicated
and, not surprisingly, costly in terms of network overhead. And since today’s networks
are much more reliable than those of yore, this added reliability is often unnecessary.
TCP Segment Format
Since the upper layers just send a data stream to the protocols in the Transport layers, I’ll demonstrate
how TCP segments a data stream and prepares it for the Internet layer. When the
Internet layer receives the data stream, it routes the segments as packets through an internetwork.
The segments are handed to the receiving host’s Host-to-Host layer protocol, which
rebuilds the data stream to hand to the upper-layer applications or protocols.
Figure 2.4 shows the TCP segment format. The figure shows the different fields within the
TCP header.
The TCP header is 20 bytes long, or up to 24 bytes with options. You need to understand
what each field in the TCP segment is:
Source port The port number of the application on the host sending the data. (Port numbers
will be explained a little later in this section.)
Destination port The port number of the application requested on the destination host.
Sequence number A number used by TCP to put the data back in the correct order or
retransmit missing or damaged data, a process called sequencing.
Acknowledgment number The TCP octet that is expected next.
Header length The number of 32-bit words in the TCP header. This indicates where the data
begins. The TCP header (even one including options) is always an integral number of 32-bit words in length.
TCP/IP and the DoD Model 79
FIGURE 2.4 TCP segment format
Reserved Always set to zero.
Code bits Control functions used to set up and terminate a session.
Window The window size the sender is willing to accept, in octets.
Checksum The cyclic redundancy check (CRC), because TCP doesn’t trust the lower layers
and checks everything. The CRC checks the header and data fields.
Urgent A valid field only if the Urgent pointer in the code bits is set. If so, this value indicates
the offset from the current sequence number, in octets, where the first segment of non-urgent
data begins.
Options May be 0 or a multiple of 32 bits, if needed. What this means is that no options have
to be present (option size of 0). However, if any options are used that do not cause the option
field to total a multiple of 32 bits, padding 0s must be used to make sure the data begins on
a 32-bit boundary.
Data Handed down to the TCP protocol at the Transport layer, which includes the upper-layer
headers.
[Figure 2.4 (TCP segment format) layout, bit 0 to bit 31 across each row: Source port (16) | Destination port (16); Sequence number (32); Acknowledgment number (32); Header length (4) | Reserved (6) | Code bits (6) | Window (16); Checksum (16) | Urgent (16); Options (0 or 32 if any); Data (varies). 24 bytes with options.]
Let’s take a look at a TCP segment copied from a network analyzer:
TCP - Transport Control Protocol
Source Port: 5973
Destination Port: 23
Sequence Number: 1456389907
Ack Number: 1242056456
Offset: 5
Reserved: 0000
Code: %011000
Ack is valid
Push Request
Window: 61320
Checksum: 0x61a6
Urgent Pointer: 0
No TCP Options
TCP Data Area:
vL.5.+.5.+.5.+.5 76 4c 19 35 11 2b 19 35 11 2b 19 35 11
2b 19 35 +. 11 2b 19
Frame Check Sequence: 0x0d00000f
Did you notice that everything I talked about earlier is in the segment? As you can see from
the number of fields in the header, TCP creates a lot of overhead. Application developers may
opt for efficiency over reliability to save overhead, so User Datagram Protocol was also defined
at the Transport layer as an alternative.
User Datagram Protocol (UDP)
If you were to compare User Datagram Protocol (UDP) with TCP, you’d find that the former
is basically the scaled-down economy model that’s sometimes referred to as a thin protocol.
Like a thin person on a park bench, a thin protocol doesn’t take up a lot of room—or in this
case, much bandwidth on a network.
UDP doesn’t offer all the bells and whistles of TCP either, but it does do a fabulous job of
transporting information that doesn’t require reliable delivery—and it does so using far fewer
network resources. (UDP is covered thoroughly in Request for Comments 768.)
The Requests for Comments (RFCs) form a series of notes, started in 1969,
about the Internet (originally the ARPAnet). The notes discuss many aspects
of computer communication; they focus on networking protocols, procedures,
programs, and concepts but also include meeting notes, opinion, and sometimes
humor.
There are some situations in which it would definitely be wise for developers to opt for UDP
rather than TCP. Remember the watchdog SNMP up there at the Process/Application layer?
SNMP monitors the network, sending intermittent messages and a fairly steady flow of status
updates and alerts, especially when running on a large network. The cost in overhead to establish,
maintain, and close a TCP connection for each one of those little messages would reduce
what would be an otherwise healthy, efficient network to a dammed-up bog in no time!
Another circumstance calling for UDP over TCP is when reliability is already handled at the
Process/Application layer. Network File System (NFS) handles its own reliability issues, making
the use of TCP both impractical and redundant. But ultimately, it’s up to the application developer
to decide whether to use UDP or TCP, not the user who wants to transfer data faster.
UDP does not sequence the segments and does not care in which order the segments arrive
at the destination. But after that, UDP sends the segments off and forgets about them. It
doesn’t follow through, check up on them, or even allow for an acknowledgment of safe
arrival—complete abandonment. Because of this, it’s referred to as an unreliable protocol.
This does not mean that UDP is ineffective, only that it doesn’t handle issues of reliability.
Further, UDP doesn’t create a virtual circuit, nor does it contact the destination before
delivering information to it. Because of this, it’s also considered a connectionless protocol.
Since UDP assumes that the application will use its own reliability method, it doesn’t use any.
This gives an application developer a choice when running the Internet Protocol stack: TCP
for reliability or UDP for faster transfers.
So if you’re using Voice over IP (VoIP), for example, you really don’t want to use UDP,
because if the segments arrive out of order (very common in IP networks), they’ll just be passed
up to the next OSI (DoD) layer in whatever order they’re received, resulting in some seriously
garbled data. On the other hand, TCP sequences the segments so they get put back together
in exactly the right order—something UDP just can’t do.
UDP Segment Format
Figure 2.5 clearly illustrates UDP’s markedly low overhead as compared to TCP’s hungry
usage. Look at the figure carefully—can you see that UDP doesn’t use windowing or provide
for acknowledgments in the UDP header?
FIGURE 2.5 UDP segment
It’s important for you to understand what each field in the UDP segment is:
Source port Port number of the application on the host sending the data
Destination port Port number of the application requested on the destination host
Length Length of UDP header and UDP data
Checksum Checksum of both the UDP header and UDP data fields
Data Upper-layer data
[Figure 2.5 (UDP segment) layout, bit 0 to bit 31 across each row: Source port (16) | Destination port (16); Length (16) | Checksum (16); Data (if any). 8 bytes.]
UDP, like TCP, doesn’t trust the lower layers and runs its own CRC. Remember that the
Frame Check Sequence (FCS) is the field that houses the CRC, which is why you can see the
FCS information.
The following shows a UDP segment caught on a network analyzer:
UDP - User Datagram Protocol
Source Port: 1085
Destination Port: 5136
Length: 41
Checksum: 0x7a3c
UDP Data Area:
..Z......00 01 5a 96 00 01 00 00 00 00 00 11 0000 00
...C..2._C._C 2e 03 00 43 02 1e 32 0a 00 0a 00 80 43 00 80
Frame Check Sequence: 0x00000000
Notice that low overhead! Try to find the sequence number, ack number, and window size
in the UDP segment. You can’t because they just aren’t there!
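As an added example that is not part of the original page, the following Python code builds and decodes the UDP header just described and verifies its checksum; the addresses and payload are constructed for the example, and the checksum computation follows RFC 768 (it covers the header, the data and an IP pseudo-header, which is why the IP addresses are needed to check it).

```python
# Added example: build and parse the 8-byte UDP header described on this page
# and compute its checksum. Unlike the IP header checksum, the UDP checksum
# also covers a pseudo-header (source IP, destination IP, protocol 17 and UDP
# length), so a datagram delivered to the wrong address fails verification.
# Addresses, ports and payload below are constructed for the example.
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """The IP fields the UDP checksum also covers: addresses, protocol 17, length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 17, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, udp_bytes: bytes) -> int:
    """Checksum over pseudo-header + header + data, with the checksum field
    already zeroed. A computed value of 0 is sent as 0xFFFF because 0 in the
    field means 'no checksum' in IPv4 UDP."""
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(udp_bytes)) + udp_bytes)
    return 0xFFFF if csum == 0 else csum


def build_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble a datagram: 8-byte header (length counts header + data) + payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram: bytes) -> dict:
    """Decode the four header fields and verify the checksum against the
    IP addresses the datagram actually arrived with."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length {length}")
    body = datagram[:length]
    # Summing over data that already contains a correct checksum yields 0.
    ok = csum == 0 or inet_checksum(pseudo_header(src_ip, dst_ip, length) + body) == 0
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": csum, "checksum_ok": ok, "data": body[8:]}


# Constructed sample: the port pair from the trace above, a made-up payload
# and made-up addresses.
SRC_IP, DST_IP = "10.7.1.30", "10.7.1.10"
DATAGRAM = build_udp(SRC_IP, DST_IP, 1085, 5136, b"constructed payload")

if __name__ == "__main__":
    print(parse_udp(SRC_IP, DST_IP, DATAGRAM))
```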
Key Concepts of Host-to-Host Protocols
Since you’ve seen both a connection-oriented (TCP) and connectionless (UDP) protocol in action,
it would be good to summarize the two here. Table 2.1 highlights some of the key concepts that
you should keep in mind regarding these two protocols. You should memorize this table.
TABLE 2.1 Key Features of TCP and UDP
TCP                      UDP
Sequenced                Unsequenced
Reliable                 Unreliable
Connection-oriented      Connectionless
Virtual circuit          Low overhead
Acknowledgments          No acknowledgment
Windowing flow control   No windowing or flow control
A telephone analogy can really help you understand how TCP works. Most of us know that
before you speak to someone on a phone, you must first establish a connection with that other
person—wherever they are. This is like a virtual circuit with the TCP protocol. If you were giving
someone important information during your conversation, you might say, “You know?” or ask,
“Did you get that?” Saying something like this is a lot like a TCP acknowledgment—it’s designed
to get you verification. From time to time (especially on cell phones), people also ask, “Are you still
there?” They end their conversations with a “Goodbye” of some kind, putting closure on the
phone call. TCP also performs these types of functions.
Alternately, using UDP is like sending a postcard. To do that, you don’t need to contact the
other party first. You simply write your message, address the postcard, and mail it. This is
analogous to UDP’s connectionless orientation. Since the message on the postcard is probably
not a matter of life or death, you don’t need an acknowledgment of its receipt. Similarly, UDP
does not involve acknowledgments.
Let’s discuss TCP, UDP, and the applications and processes associated with each protocol.
Port Numbers
TCP and UDP must use port numbers to communicate with the upper layers because they’re what
keep track of different conversations crossing the network simultaneously. Originating-source port
numbers are dynamically assigned by the source host and will equal some number starting at 1024.
Port numbers 1023 and below are defined in RFC 3232 (or just see www.iana.org), which discusses
what are called well-known port numbers.
Virtual circuits that don’t use an application with a well-known port number are assigned
port numbers randomly from a specific range instead. These port numbers identify the source
and destination application or process in the TCP segment.
Figure 2.6 illustrates how both TCP and UDP use port numbers.
FIGURE 2.6 Port numbers for TCP and UDP
[Figure 2.6 layout: Application layer services FTP 21, Telnet 23, Doom 666, DNS 53, TFTP 69, POP3 110 and News 119 sit above the Transport layer protocols TCP and UDP; the port numbers are what bind each service to its transport.]
The different port numbers that can be used are explained next:
Numbers below 1024 are considered well-known port numbers and are defined in RFC 3232.
Numbers 1024 and above are used by the upper layers to set up sessions with other hosts
and by TCP to use as source and destination addresses in the TCP segment.
In the following sections, we’ll take a look at an analyzer output showing a TCP session.
TCP Session: Source Port
The following listing shows a TCP session captured with OmniPeek analyzer software:
TCP - Transport Control Protocol
Source Port: 5973
Destination Port: 23
Sequence Number: 1456389907
Ack Number: 1242056456
Offset: 5
Reserved: 0000
Code: %011000
Ack is valid
Push Request
Window: 61320
Checksum: 0x61a6
Urgent Pointer: 0
No TCP Options
TCP Data Area:
vL.5.+.5.+.5.+.5 76 4c 19 35 11 2b 19 35 11 2b 19 35 11
2b 19 35 +. 11 2b 19
Frame Check Sequence: 0x0d00000f
Notice that the source host makes up the source port, which in this case is 5973. The destination
port is 23, which is used to tell the receiving host the purpose of the intended connection
(Telnet).
By looking at this session, you can see that the source host makes up the source port by
using numbers from 1024 to 65535. But why does the source make up a port number? To differentiate
between sessions with different hosts, my friend. How would a server know where
information is coming from if it didn’t have a different number from a sending host? TCP and
the upper layers don’t use hardware and logical addresses to understand the sending host’s
address as the Data Link and Network layer protocols do. Instead, they use port numbers. And
it’s easy to imagine the receiving host getting thoroughly confused if all the hosts used the same
source port number to get to FTP!
TCP Session: Destination Port
You’ll sometimes look at an analyzer and see that only the source port is above 1024 and the
destination port is a well-known port, as shown in the following trace:
TCP - Transport Control Protocol
Source Port: 1144
Destination Port: 80 World Wide Web HTTP
Sequence Number: 9356570
Ack Number: 0
Offset: 7
Reserved: 0000
Code: 0010
Synch Sequence
Window: 8192
Checksum: 0x57E7
Urgent Pointer: 0
TCP Options:
Option Type: 2 Maximum Segment Size
Length: 4
MSS: 536
Option Type: 1 No Operation
Option Type: 1 No Operation
Option Type: 4
Length: 2
Opt Value:
No More HTTP Data
Frame Check Sequence: 0x43697363
And sure enough, the source port is over 1024, but the destination port is 80, or HTTP service.
The server, or receiving host, will change the destination port if it needs to.
In the preceding trace, a “syn” packet is sent to the destination device. The syn sequence is
what’s telling the remote destination device that it wants to create a session.
TCP Session: Syn Packet Acknowledgment
The next trace shows an acknowledgment to the syn packet:
TCP - Transport Control Protocol
Source Port: 80 World Wide Web HTTP
Destination Port: 1144
Sequence Number: 2873580788
Ack Number: 9356571
Offset: 6
Reserved: 0000
Code: %010010
Ack is valid
Synch Sequence
Window: 8576
Checksum: 0x5F85
Urgent Pointer: 0
TCP Options:
Option Type: 2 Maximum Segment Size
Length: 4
MSS: 1460
No More HTTP Data
Frame Check Sequence: 0x6E203132
Notice the Ack is valid, which means that the source port was accepted and the device
agreed to create a virtual circuit with the originating host.
And here again, you can see that the response from the server shows that the source is
80 and the destination is the 1144 sent from the originating host—all’s well.
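As an added example that is not part of the original page, here is a Python decoder for the TCP header fields listed earlier in this section, applied to the SYN and SYN-ACK traces just shown; the header bytes are reconstructed from the trace values (ports, sequence and acknowledgment numbers, offset, code bits, window, options), and the checksums are copied from the traces rather than recomputed because the traces do not show the pseudo-header data they cover.

```python
# Added example: decode the TCP header described on this page and check the
# SYN / SYN-ACK exchange from the two traces (values copied from the traces,
# bytes reconstructed here; the checksum field is carried through unverified
# because the traces do not show the IP pseudo-header data it covers).
import struct

# Code bits, high bit to low bit, in the 6 low bits of byte 13 of the header.
FLAG_NAMES = ["URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def parse_options(raw: bytes) -> list:
    """TCP options are type-length-value items; kind 0 ends the list and
    kind 1 (No Operation) is a single byte with no length field."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation (padding)
            out.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed header plus options into a dict of fields."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4              # header length in 32-bit words
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError(f"bad header length: {data_offset} words")
    code_bits = [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << (5 - i))]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": hlen, "flags": code_bits, "window": win,
            "checksum": csum, "urgent": urg,
            "options": parse_options(segment[20:hlen]), "data": segment[hlen:]}


def build_tcp_header(src, dst, seq, ack, flags, window, options=b"",
                     checksum=0, urgent=0) -> bytes:
    """Assemble a header; options are zero-padded to a 32-bit boundary."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, data_offset << 4,
                       flags, window, checksum, urgent) + padded


def mss_option(segment: bytes):
    """Return the Maximum Segment Size option value, or None if absent."""
    for kind, value in parse_tcp_header(segment)["options"]:
        if kind == 2 and len(value) == 2:
            return int.from_bytes(value, "big")
    return None


def is_valid_synack(syn: bytes, reply: bytes) -> bool:
    """A SYN-ACK must swap the port pair, carry SYN+ACK, and acknowledge
    the client's initial sequence number plus one."""
    a, b = parse_tcp_header(syn), parse_tcp_header(reply)
    return (a["flags"] == ["SYN"] and b["flags"] == ["ACK", "SYN"]
            and b["src_port"] == a["dst_port"] and b["dst_port"] == a["src_port"]
            and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF)


# Reconstructed from the traces above: SYN from port 1144 to port 80 with
# options MSS 536, NOP, NOP, SACK-permitted (kind 4, length 2); SYN-ACK back
# with MSS 1460. Checksums are copied from the traces, not recomputed.
SYN = build_tcp_header(1144, 80, 9356570, 0, 0x02, 8192,
                       bytes([2, 4, 0x02, 0x18, 1, 1, 4, 2]), checksum=0x57E7)
SYNACK = build_tcp_header(80, 1144, 2873580788, 9356571, 0x12, 8576,
                          bytes([2, 4, 0x05, 0xB4]), checksum=0x5F85)

if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("SYN-ACK", SYNACK)):
        print(name, parse_tcp_header(seg))
    print("handshake reply valid:", is_valid_synack(SYN, SYNACK))
```

The decoded header lengths (28 and 24 bytes) match the "Offset: 7" and "Offset: 6" lines of the traces, since the offset counts 32-bit words.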
Table 2.2 gives you a list of the typical applications used in the TCP/IP suite, their well-known
port numbers, and the Transport layer protocols used by each application or process.
It’s important that you study and memorize this table.
TABLE 2.2 Key Protocols That Use TCP and UDP
TCP           UDP
Telnet 23     SNMP 161
SMTP 25       TFTP 69
HTTP 80       DNS 53
FTP 21
DNS 53
HTTPS 443
Notice that DNS uses both TCP and UDP. Whether it opts for one or the other depends on
what it’s trying to do. Even though it’s not the only application that can use both protocols,
it’s certainly one that you should remember in your studies.
What makes TCP reliable is sequencing, acknowledgments, and flow control
(windowing). UDP does not have reliability.
The Internet Layer Protocols
In the DoD model, there are two main reasons for the Internet layer’s existence: routing and
providing a single network interface to the upper layers.
None of the other upper- or lower-layer protocols have any functions relating to
routing—that complex and important task belongs entirely to the Internet layer. The
Internet layer’s second duty is to provide a single network interface to the upper-layer protocols.
Without this layer, application programmers would need to write “hooks” into
every one of their applications for each different Network Access protocol. This would not
only be a pain in the neck, but it would lead to different versions of each application—one
for Ethernet, another one for Token Ring, and so on. To prevent this, IP provides one
single network interface for the upper-layer protocols. That accomplished, it’s then the job
of IP and the various Network Access protocols to get along and work together.
All network roads don’t lead to Rome—they lead to IP. And all the other protocols at this
layer, as well as all those at the upper layers, use it. Never forget that. All paths through the
DoD model go through IP. The following sections describe the protocols at the Internet layer:
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)
Proxy ARP
Internet Protocol (IP)
Internet Protocol (IP) essentially is the Internet layer. The other protocols found here merely
exist to support it. IP holds the big picture and could be said to “see all,” in that it’s aware of
all the interconnected networks. It can do this because all the machines on the network have
a software, or logical, address called an IP address, which I’ll cover more thoroughly later in
this chapter.
IP looks at each packet’s address. Then, using a routing table, it decides where a packet is to
be sent next, choosing the best path. The protocols of the Network Access layer at the bottom
of the DoD model don’t possess IP’s enlightened scope of the entire network; they deal only with
physical links (local networks).
Identifying devices on networks requires answering these two questions: Which network is
it on? And what is its ID on that network? The first answer is the software address, or logical
address (the correct street). The second answer is the hardware address (the correct mailbox).
All hosts on a network have a logical ID called an IP address. This is the software, or logical,
address and contains valuable encoded information, greatly simplifying the complex task of
routing. (IP is discussed in RFC 791.)
IP receives segments from the Host-to-Host layer and fragments them into datagrams
(packets) if necessary. IP then reassembles datagrams back into segments on the receiving side.
Each datagram is assigned the IP address of the sender and of the recipient. Each router
(layer 3 device) that receives a datagram makes routing decisions based on the packet’s destination
IP address.
Figure 2.7 shows an IP header. This will give you an idea of what the IP protocol has to go
through every time user data is sent from the upper layers and is to be sent to a remote network.
The following fields make up the IP header:
Version IP version number.
Header length Header length (HLEN) in 32-bit words.
Priority and Type of Service Type of Service tells how the datagram should be handled. The
first 3 bits are the priority bits.
Total length Length of the packet including header and data.
Identification Unique IP-packet value.
Flags Specifies whether fragmentation should occur.
FIGURE 2.7 IP header
Fragment offset Provides fragmentation and reassembly if the packet is too large to put in a
frame. It also allows different maximum transmission units (MTUs) on the Internet.
Time to Live The time to live is set into a packet when it is originally generated. If the
packet doesn’t get to where it wants to go before the TTL expires, boom—it’s gone. This
stops IP packets from continuously circling the network looking for a home.
Protocol Port of upper-layer protocol (TCP is port 6; UDP is port 17 [hex]). Also supports
Network layer protocols, like ARP and ICMP. Can be called Type field in some analyzers.
We’ll talk about this field in more detail in a minute.
Header checksum Cyclic redundancy check (CRC) on header only.
Source IP address 32-bit IP address of sending station.
Destination IP address 32-bit IP address of the station this packet is destined for.
Options Used for network testing, debugging, security, and more.
Data After the IP option field will be the upper-layer data.
[Figure 2.7 (IP header) layout, bit 0 to bit 31 across each row: Version (4) | Header length (4) | Priority and Type of Service (8) | Total length (16); Identification (16) | Flags (3) | Fragment offset (13); Time to Live (8) | Protocol (8) | Header checksum (16); Source IP address (32); Destination IP address (32); Options (0 or 32 if any); Data (varies if any). 20 bytes without options.]
Here’s a snapshot of an IP packet caught on a network analyzer (notice that all the header
information discussed previously appears here):
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5
Precedence: 0
Type of Service: 0
Unused:
Total Length: 187
Identifier: 22486
Fragmentation Flags: %010 Do Not Fragment
Fragment Offset: 0
Time To Live: 60
IP Type: 0x06 TCP
Header Checksum: 0xd031
Source IP Address: 10.7.1.30
Dest. IP Address: 10.7.1.10
No Internet Datagram Options
The Type field—it’s typically a Protocol field, but this analyzer sees it as an IP Type field—
is important. If the header didn’t carry the protocol information for the next layer, IP wouldn’t
know what to do with the data carried in the packet. The preceding example tells IP to hand
the segment to TCP.
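As an added example, not from the original page, the Python code below decodes the IP header fields listed above and recomputes the header checksum; the two headers are rebuilt from the analyzer listing above and from the ICMP echo listing later on this page, so the recomputed checksums can be compared with the values the analyzer shows (0xd031 and 0x2df0).

```python
# Added example: decode the 20-byte IP header described on this page and
# recompute the header checksum. The two sample headers are rebuilt from the
# analyzer listings on this page (the TCP packet 10.7.1.30 -> 10.7.1.10 above
# and the ICMP echo 100.100.100.2 -> 100.100.100.1 in the ICMP section), so
# the recomputed checksums can be compared with what the analyzer printed.
import socket
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # subset of the IANA list


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_length, identification, dont_fragment, ttl,
                      protocol, src_ip, dst_ip, tos=0) -> bytes:
    """Options-free header (HLEN 5); checksum computed over the header only."""
    flags_frag = 0x4000 if dont_fragment else 0      # flags %010, offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, identification,
                      flags_frag, ttl, protocol, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = inet_checksum(hdr)                        # checksum field is zero here
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of Figure 2.7 and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("IP header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(packet) or total_len < hlen:
        raise ValueError(f"bad header length {ihl} words / total {total_len}")
    return {
        "version": version, "header_len": hlen,
        "precedence": tos >> 5,              # the 3 priority bits
        "total_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"protocol {proto}"),
        "checksum": csum,
        # Summing a header that contains its own correct checksum gives 0.
        "checksum_ok": inet_checksum(packet[:hlen]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": packet[20:hlen],
    }


# Rebuilt from the two listings on this page.
TCP_PACKET_HDR = build_ipv4_header(187, 22486, True, 60, 6,
                                   "10.7.1.30", "10.7.1.10")
ICMP_PACKET_HDR = build_ipv4_header(60, 56325, False, 32, 1,
                                    "100.100.100.2", "100.100.100.1")

if __name__ == "__main__":
    for hdr in (TCP_PACKET_HDR, ICMP_PACKET_HDR):
        print(parse_ipv4_header(hdr))
```

Because only the header is covered, every router that decrements the TTL must recompute this checksum; the test case with a decremented TTL shows why a stale checksum fails.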
Figure 2.8 demonstrates how the Network layer sees the protocols at the Transport layer
when it needs to hand a packet to the upper-layer protocols.
FIGURE 2.8 The Protocol field in an IP header
In this example, the Protocol field tells IP to send the data to either TCP port 6 or UDP
port 17 (both hex addresses). But it will only be UDP or TCP if the data is part of a data stream
headed for an upper-layer service or application. It could just as easily be destined for Internet
Control Message Protocol (ICMP), Address Resolution Protocol (ARP), or some other type of
Network layer protocol.
[Figure 2.8 (The Protocol field in an IP header) layout: at the Internet layer, IP uses the protocol numbers 6 (TCP) and 17 (UDP) to hand data up to the Transport layer.]
Table 2.3 is a list of some other popular protocols that can be specified in the Protocol field.
TABLE 2.3 Possible Protocols Found in the Protocol Field of an IP Header
Protocol                                     Protocol Number
Internet Control Message Protocol (ICMP)     1
IP in IP (tunneling)                         4
Interior Gateway Routing Protocol (IGRP)     9
Enhanced IGRP (EIGRP)                        88
Open Shortest Path First (OSPF)              89
Internet Protocol version 6 (IPv6)           41
Generic Routing Encapsulation (GRE)          47
Layer 2 Tunnel Protocol (L2TP)               115
You can find a complete list of protocol field numbers at www.iana.org/assignments/protocol-numbers.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP) works at the Network layer and is used by IP for
many different services. ICMP is a management protocol and messaging service provider for IP.
Its messages are carried as IP datagrams. RFC 1256 is an annex to ICMP that gives hosts an
extended capability for discovering routes to gateways.
ICMP packets have the following characteristics:
They can provide hosts with information about network problems.
They are encapsulated within IP datagrams.
The following are some common events and messages that ICMP relates to:
Destination Unreachable If a router can’t send an IP datagram any further, it uses ICMP
to send a message back to the sender, advising it of the situation. For example, take a look at
Figure 2.9, which shows that interface E0 of the Lab_B router is down.
When Host A sends a packet destined for Host B, the Lab_B router will send an ICMP destination
unreachable message back to the sending device (Host A in this example).
Buffer Full If a router’s memory buffer for receiving incoming datagrams is full, it will use
ICMP to send out this message until the congestion abates.
Hops Each IP datagram is allotted a certain number of routers, called hops, to pass through.
If it reaches its limit of hops before arriving at its destination, the last router to receive that
datagram deletes it. The executioner router then uses ICMP to send an obituary message,
informing the sending machine of the demise of its datagram.
FIGURE 2.9 ICMP error message is sent to the sending host from the remote router.
Ping Packet Internet Groper (Ping) uses ICMP echo request and reply messages to check the
physical and logical connectivity of machines on an internetwork. For example, a network
administrator will use Ping (ICMP) to check basic connectivity from a workstation to a server.
Traceroute Using ICMP time-outs, Traceroute is used to discover the path a packet takes as
it traverses an internetwork.
Both Ping and Traceroute (also just called Trace; Microsoft Windows uses
tracert) allow you to verify address configurations in your internetwork.
[Figure 2.9 layout: Host A – router Lab_A (E0) – router Lab_B (E0) – Host B. E0 on Lab_B is down. Host A is trying to communicate to Host B. What happens? Lab_B sends an ICMP message back to Host A.]
The following data is from a network analyzer catching an ICMP echo request:
Flags: 0x00
Status: 0x00
Packet Length: 78
Timestamp: 14:04:25.967000 12/20/03
Ethernet Header
Destination: 00:a0:24:6e:0f:a8
Source: 00:80:c7:a8:f0:3d
Ether-Type: 08-00 IP
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5
Precedence: 0
Type of Service: 0
Unused:
Total Length: 60
Identifier: 56325
Fragmentation Flags: 0
Fragment Offset: 0
Time To Live: 32
IP Type: 0x01 ICMP
Header Checksum: 0x2df0
Source IP Address: 100.100.100.2
Dest. IP Address: 100.100.100.1
No Internet Datagram Options
ICMP - Internet Control Messages Protocol
ICMP Type: 8 Echo Request
Code: 0
Checksum: 0x395c
Identifier: 0x0300
Sequence Number: 4352
ICMP Data Area:
abcdefghijklmnop 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d
qrstuvwabcdefghi 71 72 73 74 75 76 77 61 62 63 64 65 66
Frame Check Sequence: 0x00000000
Notice anything unusual? Did you catch the fact that even though ICMP works at the Internet
(Network) layer, it still uses IP to do the Ping request? The Type field in the IP header is
0x01, which specifies that the data we’re carrying is owned by the ICMP protocol. Remember,
just as all roads lead to Rome, all segments or data must go through IP!
The Ping program uses the alphabet in the data portion of the packet as just
a payload, 100 bytes by default, unless, of course, you are pinging from a
Windows device, which thinks the alphabet stops at the letter W and doesn’t
include X, Y, or Z and then starts at A again. Go figure!
If you remember reading about the Data Link layer and the different frame types in Chapter 1,
you should be able to look at the preceding trace and tell what type of Ethernet frame this is. The
only fields are destination hardware address, source hardware address, and Ether-Type. The only
frame that uses an Ether-Type field exclusively is an Ethernet_II frame.
But before we get into the ARP protocol, let’s take another look at ICMP in action. Figure 2.10
shows an internetwork (it has a router, so it’s an internetwork, right?). The router is configured
with the IP addresses 10.1.2.1, 10.1.3.1 and 10.1.4.1. The 10.1.5.0 subnet is connected but is not
configured on the router interface.
Server1 (10.1.2.2) telnets to 10.1.1.5 from a DOS prompt. What do you think Server1 will
receive as a response? Since Server1 will send the Telnet data to the default gateway, which is
the router, the router will drop the packet because there isn’t a network 10.1.1.0 in the routing
table. Because of this, Server1 will receive a destination unreachable back from ICMP.
FIGURE 2.10 ICMP in action
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) finds the hardware address of a host from a known IP
address. Here’s how it works: When IP has a datagram to send, it must inform a Network
Access protocol, such as Ethernet, of the destination’s hardware address on the local network.
(It has already been informed by upper-layer protocols of the destination’s IP address.) If
IP doesn’t find the destination host’s hardware address in the ARP cache, it uses ARP to find
this information.
As IP’s detective, ARP interrogates the local network by sending out a broadcast asking
the machine with the specified IP address to reply with its hardware address. So basically,
ARP translates the software (IP) address into a hardware address—for example, the
destination machine’s Ethernet board address—and from it, deduces its whereabouts
on the LAN by broadcasting for this address. Figure 2.11 shows how an ARP looks to a
local network.
ARP resolves IP addresses to Ethernet (MAC) addresses.
[Figure 2.10 (ICMP in action) layout: Server1 at 10.1.2.2/24; the other addresses shown are 10.1.3.2/24, 10.1.4.2/24, 10.1.5.2/24, 10.1.5.3/24, 10.1.5.4/24 and 10.1.5.5/24.]
FIGURE 2.11 Local ARP broadcast
The following trace shows an ARP broadcast—notice that the destination hardware
address is unknown, is all Fs in hex (all 1s in binary), and is a hardware address broadcast:
Flags: 0x00
Status: 0x00
Packet Length: 64
Timestamp: 09:17:29.574000 12/06/03
Ethernet Header
Destination: FF:FF:FF:FF:FF:FF Ethernet Broadcast
Source: 00:A0:24:48:60:A5
Protocol Type: 0x0806 IP ARP
ARP - Address Resolution Protocol
Hardware: 1 Ethernet (10Mb)
Protocol: 0x0800 IP
Hardware Address Length: 6
Protocol Address Length: 4
Operation: 1 ARP Request
Sender Hardware Address: 00:A0:24:48:60:A5
Sender Internet Address: 172.16.10.3
Target Hardware Address: 00:00:00:00:00:00 (ignored)
Target Internet Address: 172.16.10.10
Extra bytes (Padding):
................ 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A
0A 0A 0A 0A 0A
Frame Check Sequence: 0x00000000
[Figure 2.11 (Local ARP broadcast) layout: host 10.1.1.1 broadcasts “I need the Ethernet address of 10.1.1.2” (IP: 10.1.1.2 = ???); host 10.1.1.2 answers “I heard that broadcast. The message is for me. Here is my Ethernet address.” (IP: 10.1.1.2, Ethernet: 4523.7985.7734).]
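As an added example that is not part of the original page, here is Python code that builds and decodes the ARP request shown in the trace above and produces the reply the figure describes; the request values are taken from the trace, while the answering host’s MAC address (00:00:5E:00:53:01) is a constructed placeholder, since the trace shows only the request.

```python
# Added example: build and decode the 28-byte ARP packet shown in the trace
# above, and produce the reply that the figure describes. The request values
# come from the trace; the answering host's MAC (00:00:5E:00:53:01) is a
# constructed placeholder, since the trace shows only the request.
import socket
import struct

# htype, ptype, hlen, plen, operation, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet (hardware type 1) / IPv4 (protocol 0x0800) ARP packet."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(packet: bytes) -> dict:
    """Decode the fixed ARP fields; trailing Ethernet padding is ignored."""
    if len(packet) < 28:
        raise ValueError("ARP packet needs 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def answer_arp_request(packet: bytes, my_mac: str, my_ip: str):
    """Return the reply a host at my_ip would send, or None if the packet is
    not a request for our address (the target MAC of a request is ignored,
    exactly as the trace notes)."""
    req = parse_arp(packet)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


# Constructed from the trace above: 172.16.10.3 asks who has 172.16.10.10.
REQUEST = build_arp(ARP_REQUEST, "00:A0:24:48:60:A5", "172.16.10.3",
                    "00:00:00:00:00:00", "172.16.10.10")

if __name__ == "__main__":
    print(parse_arp(REQUEST))
    reply = answer_arp_request(REQUEST, "00:00:5E:00:53:01", "172.16.10.10")
    print(parse_arp(reply))
```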
Reverse Address Resolution Protocol (RARP)
When an IP machine happens to be a diskless machine, it has no way of initially knowing its
IP address. But it does know its MAC address. Reverse Address Resolution Protocol (RARP)
discovers the identity of the IP address for diskless machines by sending out a packet that
includes its MAC address and a request for the IP address assigned to that MAC address.
A designated machine, called a RARP server, responds with the answer and the identity crisis
is over. RARP uses the information it does know about the machine’s MAC address to learn
its IP address and complete the machine’s ID portrait.
Figure 2.12 shows a diskless workstation asking for its IP address with a RARP broadcast.
FIGURE 2.12 RARP broadcast example
RARP resolves Ethernet (MAC) addresses to IP addresses.
Proxy Address Resolution Protocol (Proxy ARP)
On a network, your hosts can’t have more than one default gateway configured. Think about
this…What if the default gateway (router) happens to go down? The host won’t just start
sending to another router automatically—you’ve got to reconfigure that host. But Proxy ARP
can actually help machines on a subnet reach remote subnets without configuring routing or
even a default gateway.
One advantage of using Proxy ARP is that it can be added to a single router on a network
without disturbing the routing tables of all the other routers that live there too. But there’s a
serious downside to using Proxy ARP. Using Proxy ARP will definitely increase the amount of
traffic on your network segment, and hosts will have a larger ARP table than usual in order
to handle all the IP-to-MAC-address mappings. And Proxy ARP is configured on all Cisco
routers by default—you should disable it if you don’t think you’re going to use it.
[Figure 2.12: RARP broadcast example. A diskless workstation with Ethernet address 4523.7985.7734 and no IP address (IP = ????) broadcasts “What’s my IP address?”. The RARP server answers “I heard that broadcast. Your IP address is 192.168.10.3”, and the workstation now has Ethernet 4523.7985.7734 and IP 192.168.10.3.]
96 Chapter 2 Internet Protocols
One last thought on Proxy ARP: Proxy ARP isn’t really a separate protocol. It is a service
run by routers on behalf of other devices (usually PCs) that are separated by a router from the
device they are querying, although they think they share a subnet with that remote device.
If you can afford it, use Cisco’s Hot Standby Router Protocol (HSRP) instead.
It means you have to buy two or more of your Cisco device(s), but it is well
worth it. Check out the Cisco website for more information on HSRP.
IP Addressing
One of the most important topics in any discussion of TCP/IP is IP addressing. An IP address
is a numeric identifier assigned to each machine on an IP network. It designates the specific
location of a device on the network.
An IP address is a software address, not a hardware address—the latter is hard-coded on
a network interface card (NIC) and used for finding hosts on a local network. IP addressing
was designed to allow hosts on one network to communicate with a host on a different network
regardless of the type of LANs the hosts are participating in.
Before we get into the more complicated aspects of IP addressing, you need to understand
some of the basics. First I’m going to explain some of the fundamentals of IP addressing and
its terminology. Then you’ll learn about the hierarchical IP addressing scheme and private
IP addresses.
IP Terminology
In the rest of this chapter you’ll learn several important terms vital to your understanding of
the Internet Protocol. Here are a few to get you started:
Bit A bit is one digit, either a 1 or a 0.
Byte A byte is 7 or 8 bits, depending on whether parity is used. For the rest of this chapter,
always assume a byte is 8 bits.
Octet An octet, made up of 8 bits, is just an ordinary 8-bit binary number. In this chapter,
the terms byte and octet are completely interchangeable.
Network address This is the designation used in routing to send packets to a remote network—
for example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.
Broadcast address The address used by applications and hosts to send information to all nodes
on a network is called the broadcast address. Examples include 255.255.255.255, which is all networks,
all nodes; 172.16.255.255, which is all subnets and hosts on network 172.16.0.0; and
10.255.255.255, which broadcasts to all subnets and hosts on network 10.0.0.0.
The Hierarchical IP Addressing Scheme
An IP address consists of 32 bits of information. These bits are divided into four sections,
referred to as octets or bytes, each containing 1 byte (8 bits). You can depict an IP address
using one of three methods:
Dotted-decimal, as in 172.16.30.56
Binary, as in 10101100.00010000.00011110.00111000
Hexadecimal, as in AC.10.1E.38
All these examples truly represent the same IP address. Hexadecimal isn’t used as often as
dotted-decimal or binary when IP addressing is discussed, but you still might find an IP address
stored in hexadecimal in some programs. The Windows Registry is a good example of a program
that stores a machine’s IP address in hex.
The 32-bit IP address is a structured or hierarchical address, as opposed to a flat or nonhierarchical
address. Although either type of addressing scheme could have been used, hierarchical
addressing was chosen for a good reason. The advantage of this scheme is that it can handle a
large number of addresses, namely 4.3 billion (a 32-bit address space with two possible values
for each position—either 0 or 1—gives you 2^32, or 4,294,967,296). The disadvantage of the flat
addressing scheme, and the reason it’s not used for IP addressing, relates to routing. If every
address were unique, all routers on the Internet would need to store the address of each and every
machine on the Internet. This would make efficient routing impossible, even if only a fraction of
the possible addresses were used.
The solution to this problem is to use a two- or three-level hierarchical addressing scheme
that is structured by network and host or by network, subnet, and host.
This two- or three-level scheme is comparable to a telephone number. The first section, the
area code, designates a very large area. The second section, the prefix, narrows the scope to
a local calling area. The final segment, the customer number, zooms in on the specific connection.
IP addresses use the same type of layered structure. Rather than all 32 bits being treated
as a unique identifier, as in flat addressing, a part of the address is designated as the network
address and the other part is designated as either the subnet and host or just the node address.
In the following sections, I’m going to discuss IP network addressing and the different
classes of address we can use to address our networks.
Network Addressing
The network address (which can also be called the network number) uniquely identifies each
network. Every machine on the same network shares that network address as part of its IP
address. In the IP address 172.16.30.56, for example, 172.16 is the network address.
The node address is assigned to, and uniquely identifies, each machine on a network. This
part of the address must be unique because it identifies a particular machine—an individual—
as opposed to a network, which is a group. This number can also be referred to as a host
address. In the sample IP address 172.16.30.56, the 30.56 is the node address.
The designers of the Internet decided to create classes of networks based on network size.
For the small number of networks possessing a very large number of nodes, they created the
rank Class A network. At the other extreme is the Class C network, which is reserved for the
numerous networks with a small number of nodes. The class distinction for networks between
very large and very small is predictably called the Class B network.
Subdividing an IP address into a network and node address is determined by the class
designation of one’s network. Figure 2.13 summarizes the three classes of networks we use
to address hosts with—a subject I’ll explain in much greater detail throughout the rest of
this chapter.
FIGURE 2.13 Summary of the three classes of networks
To ensure efficient routing, Internet designers defined a mandate for the leading-bits
section of the address for each different network class. For example, since a router knows
that a Class A network address always starts with a 0, the router might be able to speed a
packet on its way after reading only the first bit of its address. This is where the address
schemes define the difference between a Class A, a Class B, and a Class C address. In the next
sections, I’ll discuss the differences between these three classes, followed by a discussion of
the Class D and Class E addresses (Classes A, B, and C are the only ranges that are used to
address hosts in our networks).
Network Address Range: Class A
The designers of the IP address scheme said that the first bit of the first byte in a Class A network
address must always be off, or 0. This means a Class A address must be between 0 and
127 in the first byte, inclusive.
Consider the following network address:
0xxxxxxx
If we turn the other 7 bits all off and then turn them all on, we’ll find the Class A range of network
addresses:
00000000 = 0
01111111 = 127
Figure 2.13 layout (each field is 8 bits):
Class A: Network.Host.Host.Host
Class B: Network.Network.Host.Host
Class C: Network.Network.Network.Host
Class D: Multicast
Class E: Research
So, a Class A network is defined in the first octet between 0 and 127, and it can’t be less
or more. (Yes, I know 0 and 127 are not valid in a Class A network. I’ll talk about reserved
addresses in a minute.)
Network Address Range: Class B
In a Class B network, the RFCs state that the first bit of the first byte must always be turned
on but the second bit must always be turned off. If you turn the other 6 bits all off and then
all on, you will find the range for a Class B network:
10000000 = 128
10111111 = 191
As you can see, a Class B network is defined when the first byte is configured from 128 to 191.
Network Address Range: Class C
For Class C networks, the RFCs define the first 2 bits of the first octet as always turned on,
but the third bit can never be on. Following the same process we used with the previous classes,
convert from binary to decimal to find the range. Here’s the range for a Class C network:
11000000 = 192
11011111 = 223
So, if you see an IP address that starts at 192 and goes to 223, you’ll know it is a Class C
IP address.
Network Address Ranges: Classes D and E
The addresses between 224 and 255 are reserved for Class D and E networks. Class D (224–239)
is used for multicast addresses and Class E (240–255) for scientific purposes, but I’m not going
into these types of addresses in this book (and you don’t need to know them).
Network Addresses: Special Purpose
Some IP addresses are reserved for special purposes, so network administrators can’t ever
assign these addresses to nodes. Table 2.4 lists the members of this exclusive little club and the
reasons why they’re included in it.
TABLE 2.4 Reserved IP Addresses
Address Function
Network address of all 0s: Interpreted to mean “this network or segment.”
Network address of all 1s: Interpreted to mean “all networks.”
Network 127.0.0.1: Reserved for loopback tests. Designates the local node and allows that node to send a test packet to itself without generating network traffic.
Class A Addresses
In a Class A network address, the first byte is assigned to the network address and the three
remaining bytes are used for the node addresses. The Class A format is as follows:
network.node.node.node
For example, in the IP address 49.22.102.70, the 49 is the network address and 22.102.70 is
the node address. Every machine on this particular network would have the distinctive network
address of 49.
Class A network addresses are 1 byte long, with the first bit of that byte reserved and the
7 remaining bits available for manipulation (addressing). As a result, the maximum number
of Class A networks that can be created is 128. Why? Because each of the 7 bit positions can
be either a 0 or a 1, thus 2^7, or 128.
To complicate matters further, the network address of all 0s (0000 0000) is reserved to designate
the default route (see Table 2.4 in the previous section). Additionally, the address 127,
which is reserved for diagnostics, can’t be used either, which means that you can really only
use the numbers 1 to 126 to designate Class A network addresses. This means the actual number
of usable Class A network addresses is 128 minus 2, or 126.
The IP address 127.0.0.1 is used to test the IP stack on an individual node and
cannot be used as a valid host address.
Each Class A address has 3 bytes (24-bit positions) for the node address of a machine. This
means there are 2^24—or 16,777,216—unique combinations and, therefore, precisely that
many possible unique node addresses for each Class A network. Because node addresses with
the two patterns of all 0s and all 1s are reserved, the actual maximum usable number of nodes
for a Class A network is 2^24 minus 2, which equals 16,777,214. Either way, that’s a huge
amount of hosts on a network segment!
TABLE 2.4 Reserved IP Addresses (continued)
Address Function
Node address of all 0s: Interpreted to mean “network address” or any host on the specified network.
Node address of all 1s: Interpreted to mean “all nodes” on the specified network; for example, 128.2.255.255 means “all nodes” on network 128.2 (Class B address).
Entire IP address set to all 0s: Used by Cisco routers to designate the default route. Could also mean “any network.”
Entire IP address set to all 1s (same as 255.255.255.255): Broadcast to all nodes on the current network; sometimes called an “all 1s broadcast” or limited broadcast.
Class A Valid Host IDs
Here’s an example of how to figure out the valid host IDs in a Class A network address:
All host bits off is the network address: 10.0.0.0.
All host bits on is the broadcast address: 10.255.255.255.
The valid hosts are the numbers in between the network address and the broadcast address:
10.0.0.1 through 10.255.255.254. Notice that 0s and 255s can be valid host IDs. All you need
to remember when trying to find valid host addresses is that the host bits can’t all be turned
off or all be on at the same time.
Class B Addresses
In a Class B network address, the first 2 bytes are assigned to the network address and the
remaining 2 bytes are used for node addresses. The format is as follows:
network.network.node.node
For example, in the IP address 172.16.30.56, the network address is 172.16 and the node
address is 30.56.
With a network address being 2 bytes (8 bits each), there would be 2^16 unique combinations.
But the Internet designers decided that all Class B network addresses should start with
the binary digit 1, then 0. This leaves 14 bit positions to manipulate, therefore 16,384 (that is,
2^14) unique Class B network addresses.
A Class B address uses 2 bytes for node addresses. This is 2^16 minus the two reserved patterns
(all 0s and all 1s), for a total of 65,534 possible node addresses for each Class B network.
Class B Valid Host IDs
Here’s an example of how to find the valid hosts in a Class B network:
All host bits turned off is the network address: 172.16.0.0.
All host bits turned on is the broadcast address: 172.16.255.255.
The valid hosts would be the numbers in between the network address and the broadcast
address: 172.16.0.1 through 172.16.255.254.
Class C Addresses
The first 3 bytes of a Class C network address are dedicated to the network portion of the
address, with only 1 measly byte remaining for the node address. Here’s the format:
network.network.network.node
Using the example IP address 192.168.100.102, the network address is 192.168.100 and
the node address is 102.
In a Class C network address, the first three bit positions are always the binary 110. The
calculation is as follows: 3 bytes, or 24 bits, minus 3 reserved positions leaves 21 positions.
Hence, there are 2^21, or 2,097,152, possible Class C networks.
Each unique Class C network has 1 byte to use for node addresses. This leads to 2^8 or 256,
minus the two reserved patterns of all 0s and all 1s, for a total of 254 node addresses for each
Class C network.
Class C Valid Host IDs
Here’s an example of how to find a valid host ID in a Class C network:
All host bits turned off is the network ID: 192.168.100.0.
All host bits turned on is the broadcast address: 192.168.100.255.
The valid hosts would be the numbers in between the network address and the broadcast
address: 192.168.100.1 through 192.168.100.254.
Private IP Addresses
The people who created the IP addressing scheme also created what we call private IP addresses.
These addresses can be used on a private network, but they’re not routable through the Internet.
This is designed for the purpose of creating a measure of well-needed security, but it also conveniently
saves valuable IP address space.
If every host on every network had to have real routable IP addresses, we would have run
out of IP addresses to hand out years ago. But by using private IP addresses, ISPs, corporations,
and home users only need a relatively tiny group of bona fide IP addresses to connect
their networks to the Internet. This is economical because they can use private IP addresses
on their inside networks and get along just fine.
To accomplish this task, the ISP and the corporation—the end user, no matter who they
are—need to use something called Network Address Translation (NAT), which basically takes
a private IP address and converts it for use on the Internet. (Chapter 3 includes an introduction
to NAT.) Many people can use the same real IP address to transmit out onto the Internet.
Doing things this way saves megatons of address space—good for us all!
The reserved private addresses are listed in Table 2.5.
You must know your private address space!
TABLE 2.5 Reserved IP Address Space
Address Class Reserved Address Space
Class A 10.0.0.0 through 10.255.255.255
Class B 172.16.0.0 through 172.31.255.255
Class C 192.168.0.0 through 192.168.255.255
According to Cisco, private IP addresses are used for the following reasons:
To create addresses that cannot be routed through the public internet
To conserve public addresses
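An added example, not code from the original chapter, that applies the rules of the Class A, B and C sections, Table 2.4 and Table 2.5 to any address: it classifies by the leading bits of the first octet, derives the classful network, broadcast and valid host range, and flags the reserved and private cases. The function names are this example's own.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not code from the original chapter. Function names are this example's own;
# the rules come from the Class A/B/C ranges, Table 2.4 and Table 2.5 in the text.

# Table 2.5: reserved private address space, one block per class.
PRIVATE_RANGES = [
    IPv4Network("10.0.0.0/8"),       # Class A: 10.0.0.0 through 10.255.255.255
    IPv4Network("172.16.0.0/12"),    # Class B: 172.16.0.0 through 172.31.255.255
    IPv4Network("192.168.0.0/16"),   # Class C: 192.168.0.0 through 192.168.255.255
]


def address_class(first_octet):
    """Classify by the leading bits of the first octet, the way the text says a router can:
    0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D, 1111xxxx = E.
    Returns (class letter, number of network bits), with None bits for D and E."""
    if first_octet & 0b10000000 == 0:
        return "A", 8
    if first_octet & 0b11000000 == 0b10000000:
        return "B", 16
    if first_octet & 0b11100000 == 0b11000000:
        return "C", 24
    if first_octet & 0b11110000 == 0b11100000:
        return "D", None
    return "E", None


def classful_info(addr_str):
    """Describe an IPv4 address under classful rules and flag the reserved cases of Table 2.4."""
    addr = IPv4Address(addr_str)
    first = addr.packed[0]
    cls, net_bits = address_class(first)
    info = {
        "address": str(addr),
        "first_octet_binary": format(first, "08b"),
        "class": cls,
        "private": any(addr in block for block in PRIVATE_RANGES),
        "network": None, "broadcast": None,
        "first_host": None, "last_host": None,
        "usable_hosts": 0,
    }
    if net_bits is None:
        if str(addr) == "255.255.255.255":
            info["note"] = "all 1s: limited broadcast to all nodes on the current network"
        elif cls == "D":
            info["note"] = "Class D multicast group address, not a host address"
        else:
            info["note"] = "Class E reserved (research), not a host address"
        return info
    # Classful mask: /8, /16 or /24, decided by the class alone.
    net = IPv4Network((addr_str, net_bits), strict=False)
    host_bits = 32 - net_bits
    info.update({
        "network": str(net.network_address),          # host bits all 0
        "broadcast": str(net.broadcast_address),      # host bits all 1
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": 2 ** host_bits - 2,           # minus the two reserved patterns
    })
    if first == 0:
        info["note"] = "network 0: 'this network' or the default route, never assigned to a host"
    elif first == 127:
        info["note"] = "network 127: loopback, never assigned to a host"
    elif addr == net.network_address:
        info["note"] = "host bits all 0: this is the network address itself"
    elif addr == net.broadcast_address:
        info["note"] = "host bits all 1: directed broadcast to all nodes on the network"
    else:
        info["note"] = "valid host address"
    return info


if __name__ == "__main__":
    for sample in ("172.16.30.56", "10.255.255.255", "49.22.102.70", "127.0.0.1", "224.0.0.9"):
        print(classful_info(sample))
```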
Broadcast Addresses
Most people use the term broadcast as a generic term, and most of the time, we understand what
they mean. But not always. For example, you might say, “The host broadcasted through a router
to a DHCP server,” but, well, it’s pretty unlikely that this would ever really happen. What you
probably mean—using the correct technical jargon—is, “The host broadcasted for an IP address;
a router then forwarded this as a unicast packet to the DHCP server.” Oh, and remember that with
IPv4, broadcasts are pretty important, but with IPv6, there aren’t any broadcasts sent at all.
Okay, I’ve referred to broadcast addresses throughout this chapter and Chapter 1, and I
even showed you some examples. I really haven’t gone into the different terms and uses associated
with them yet, and it’s about time I did. So here are the four different broadcast (generic
term broadcast) types that I’d like to define for you:
Layer 2 broadcasts These are sent to all nodes on a LAN.
Broadcasts (layer 3) These are sent to all nodes on the network.
So, What Private IP Address Should I Use?
That’s a really great question: Should you use Class A, Class B, or even Class C private addressing
when setting up your network? Let’s take Acme Corporation in SF as an example. This company
is moving into a new building and needs a whole new network (what a treat this is!). It has
14 departments, with about 70 users in each. You could probably squeeze one or two Class C
addresses to use, or maybe you could use a Class B, or even a Class A just for fun.
The rule of thumb in the consulting world is, when you’re setting up a corporate network—
regardless of how small it is—you should use a Class A network address because it gives you
the most flexibility and growth options. For example, if you used the 10.0.0.0 network address
with a /24 mask, then you’d have 65,536 networks, each with 254 hosts. Lots of room for
growth with that network!
But if you’re setting up a home network, you’d opt for a Class C address because it is the easiest
for people to understand and configure. Using the default Class C mask gives you one network
with 254 hosts—plenty for a home network.
With the Acme Corporation, a nice 10.1.x.0 with a /24 mask (the x is the subnet for each
department) makes this easy to design, install, and troubleshoot.
Unicast These are sent to a single destination host.
Multicast These are packets sent from a single source and can be transmitted to many devices
on different networks.
First, understand that layer 2 broadcasts are also known as hardware broadcasts—they
only go out on a LAN, and they don’t go past the LAN boundary (router). The typical
hardware address is 6 bytes (48 bits) and looks something like 0c.43.a4.f3.12.c2. The broadcast
would be all 1s in binary, which would be all Fs in hexadecimal, as in FF.FF.FF.FF.FF.FF.
Then there’s the plain old broadcast addresses at layer 3. Broadcast messages are meant to
reach all hosts on a broadcast domain. These are the network broadcasts that have all host bits
on. Here’s an example that you’re already familiar with: The network address of 172.16.0.0
255.255.0.0 would have a broadcast address of 172.16.255.255—all host bits on. Broadcasts
can also be “all networks and all hosts,” as indicated by 255.255.255.255. A good example
of a broadcast message is an Address Resolution Protocol (ARP) request. When a host has a
packet, it knows the logical address (IP) of the destination. To get the packet to the destination,
the host needs to forward the packet to a default gateway if the destination resides on a
different IP network. If the destination is on the local network, the source will forward the
packet directly to the destination. Because the source doesn’t have the MAC address to which
it needs to forward the frame, it sends out a broadcast, something that every device in the local
broadcast domain will listen to. This broadcast says, in essence, “If you are the owner of IP
address 192.168.2.3, please forward your MAC address to me,” with the source giving the
appropriate information.
A unicast is different because it can be a broadcast packet that goes from 255.255.255.255
to an actual destination IP address—in other words, it’s directed to a specific host. A DHCP
client request is a good example of how a unicast can work. Here’s an example: Your host on
a LAN sends out an FF.FF.FF.FF.FF.FF layer 2 broadcast and 255.255.255.255 layer 3 destination
broadcast looking for a DHCP server on the LAN. The router will see that this is a
broadcast meant for the DHCP server because it has a destination port number of 67 (BootP
server) and will forward the request to the IP address of the DHCP server on another LAN.
So, basically, if your DHCP server IP address is 172.16.10.1, your host just sends out a
255.255.255.255 DHCP client broadcast request, and the router changes that broadcast to
the specific destination address of 172.16.10.1. (In order for the router to provide this service,
you need to configure the interfaces with the ip helper-address command—this is not a
default service.)
Multicast is a different beast entirely. At first glance, it appears to be a hybrid of unicast and
broadcast communication, but that isn’t quite the case. Multicast does allow point-to-multipoint
communication, which is similar to broadcasts, but it happens in a different manner. The crux
of multicast is that it enables multiple recipients to receive messages without flooding the messages
to all hosts on a broadcast domain.
Multicast works by sending messages or data to an IP multicast group address. Routers
then forward copies (unlike broadcasts, which are not forwarded) of the packet out every
interface that has hosts subscribed to that group address. This is where multicast differs
from broadcast messages—with multicast communication, copies of packets, in theory, are
sent only to subscribed hosts. When I say in theory, this means that the hosts will receive,
for example, a multicast packet destined for 224.0.0.9 (this is an EIGRP packet and only a
router running the EIGRP protocol will read these). All hosts on the broadcast LAN (Ethernet
is a broadcast multi-access LAN technology) will pick up the frame, read the destination
address, and immediately discard the frame, unless they are in the multicast group. This
saves PC processing, not LAN bandwidth. Multicasting can cause severe LAN congestion,
in some instances, if not implemented carefully.
There are several different groups that users or applications can subscribe to. The range of
multicast addresses starts with 224.0.0.0 and goes through 239.255.255.255. As you can see,
this range of addresses falls within IP Class D address space based on classful IP assignment.
