Chapter 3

Addressing, Routing, and Switching

This chapter covers the following official Network+ objectives:

  • Given a scenario, configure a subnet and use appropriate IP addressing schemes.

  • Compare and contrast routing technologies and bandwidth management concepts.

  • Given a scenario, configure and deploy common Ethernet switching features.

This chapter covers CompTIA Network+ objectives 1.4, 2.2, and 2.3. For more information on the official Network+ exam topics, see the “About the Network+ Exam” section in the Introduction.

Without question, TCP/IP is the most widely implemented protocol suite on networks today. As such, it is an important topic on the Network+ exam. To pass the exam, you definitely need to understand the material presented in this chapter.

This chapter deals with the concepts that govern routing and switching. It starts, however, by discussing one of the more complex facets of TCP/IP: addressing.

IP Addressing

  • Given a scenario, configure a subnet and use appropriate IP addressing schemes.

IP addressing is one of the most challenging aspects of TCP/IP. It can leave even the most seasoned network administrators scratching their heads. Fortunately, the Network+ exam requires only a fundamental knowledge of IP addressing. The following sections look at how IP addressing works for both IPv4 and the newest version of IP: IPv6.

To communicate on a network using TCP/IP, each system must be assigned a unique address. The address defines both the number of the network to which the device is attached and the number of the node on that network. In other words, the IP address provides two pieces of information. It’s a bit like a street name and house number in a person’s home address.

ExamAlert

A node or host is any device connected to the network. A node might be a client computer, a server computer, a printer, a router, or a gateway.

Each device on a logical network segment must have the same network address as all the other devices on the segment. All the devices on that network segment must then have different node (host) addresses.

In IP addressing, another set of numbers, called a subnet mask, defines which portion of the IP address refers to the network address and which refers to the node (host) address.

IP addressing is different in IPv4 and IPv6. The discussion begins by looking at IPv4.

IPv4

An IPv4 address is composed of four sets of 8 binary bits, which are called octets. The result is that IP addresses contain 32 bits. Each bit in each octet is assigned a decimal value. The far-left bit has a value of 128, followed by 64, 32, 16, 8, 4, 2, and 1, left to right.

Each bit in the octet can be either a 1 or a 0. If the value is 1, it is counted as its decimal value, and if it is 0, it is ignored. If all the bits are 0, the value of the octet is 0. If all the bits in the octet are 1, the value is 255, which is 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1.

By using the set of 8 bits and manipulating the 1s and 0s, you can obtain any value between 0 and 255 for each octet.

Table 3.1 shows some examples of decimal-to-binary value conversions.

TABLE 3.1 Decimal-to-Binary Value Conversions

Decimal Value   Binary Value   Decimal Calculation
10              00001010       8 + 2 = 10
192             11000000       128 + 64 = 192
205             11001101       128 + 64 + 8 + 4 + 1 = 205
223             11011111       128 + 64 + 16 + 8 + 4 + 2 + 1 = 223

IP Address Classes

IP addresses are grouped into logical divisions called classes. The IPv4 address space has five address classes (A through E); however, only three (A, B, and C) assign addresses to clients. Class D is reserved for multicast addressing, and Class E is reserved for future development and research.

Of the three classes available for address assignments, each uses a fixed-length subnet mask to define the separation between the network and the node (host) address. A Class A address uses only the first octet to represent the network portion; a Class B address uses two octets; and a Class C address uses the first three octets. The upshot of this system is that Class A has a small number of network addresses, but each Class A address has a large number of possible host addresses. Class B has a larger number of networks, but each Class B address has a smaller number of hosts. Class C has an even larger number of networks, but each Class C address has an even smaller number of hosts. The exact numbers are provided in Table 3.2.

Be prepared for questions asking you to identify IP class ranges, such as the IP range for a Class A network.

TABLE 3.2 IPv4 Address Classes and the Number of Available Network/Host Addresses

Address Class   Range        Number of Networks   Number of Hosts Per Network   Binary Value of First Octet
A               1 to 126     126                  16,777,214                    0xxxxxxx
B               128 to 191   16,384               65,534                        10xxxxxx
C               192 to 223   2,097,152            254                           110xxxxx
D               224 to 239   N/A                  N/A                           1110xxxx
E               240 to 255   N/A                  N/A                           1111xxxx

Note

Notice in Table 3.2 that the network number 127 is not included in any of the ranges. The 127.0.0.1 network ID is reserved for the IPv4 local loopback. The local loopback is a function of the protocol suite that is used in troubleshooting.

ExamAlert

For the Network+ exam, be prepared to identify into which class a given address falls. Also be prepared to identify the IPv4 loopback address. The loopback address is 127.0.0.1.

Subnet Mask Assignment

Like an IP address, a subnet mask is most commonly expressed in 32-bit dotted-decimal format. Unlike an IP address, though, a subnet mask performs just one function: it defines which part of the IP address refers to the network address and which part refers to the node (host) address. Each class of IP address used for address assignment has a default subnet mask associated with it. Table 3.3 lists the default subnet masks.

TABLE 3.3 Default Subnet Masks Associated with IP Address Classes

Address Class   Default Subnet Mask
A               255.0.0.0
B               255.255.0.0
C               255.255.255.0
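The arithmetic behind Tables 3.1, 3.2, and 3.3 can be checked with a few lines of code. The following Python is an added example and not part of the book: it converts an octet to and from its eight place values, classifies an address by the leading bits of its first octet, and derives the default mask, network count, and host count for each class. The addresses passed to it in the comments are constructed for illustration.

```python
# Added example, not from the book: classful IPv4 arithmetic done by hand,
# reproducing the relationships in Tables 3.1 through 3.3.

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # left-to-right bit weights


def octet_to_binary(value):
    """Render one octet (0..255) as its 8 bits, most significant first."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds values 0 through 255")
    return "".join("1" if value & weight else "0" for weight in PLACE_VALUES)


def binary_to_octet(bits):
    """Add up the place values of the bits that are set (Table 3.1)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 8 binary digits")
    return sum(weight for weight, bit in zip(PLACE_VALUES, bits) if bit == "1")


def address_class(address):
    """Classify by the leading bits of the first octet (Table 3.2)."""
    first = int(address.split(".")[0])
    if first == 127:
        return "loopback"      # 127.x.x.x is reserved and belongs to no class range
    if first < 128:
        return "A"             # 0xxxxxxx
    if first < 192:
        return "B"             # 10xxxxxx
    if first < 224:
        return "C"             # 110xxxxx
    if first < 240:
        return "D"             # 1110xxxx
    return "E"                 # 1111xxxx


# Default masks (Table 3.3) and the number of fixed leading bits per class
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
CLASS_PREFIX_BITS = {"A": 1, "B": 2, "C": 3}


def classful_summary(address):
    """Default mask plus network and host counts, all derived from the mask."""
    cls = address_class(address)
    if cls not in DEFAULT_MASKS:
        return {"class": cls, "default_mask": None,
                "networks": None, "hosts_per_network": None}
    mask = DEFAULT_MASKS[cls]
    network_bits = sum(octet_to_binary(int(o)).count("1") for o in mask.split("."))
    host_bits = 32 - network_bits
    networks = 2 ** (network_bits - CLASS_PREFIX_BITS[cls])
    if cls == "A":
        networks -= 2          # network 0 and network 127 are not assignable
    return {"class": cls, "default_mask": mask, "networks": networks,
            "hosts_per_network": 2 ** host_bits - 2}  # minus network and broadcast


if __name__ == "__main__":
    for addr in ("10.1.2.3", "150.150.0.0", "192.168.2.1", "224.0.0.9"):
        print(addr, classful_summary(addr))
```

Running the block prints the row of Table 3.2 that each constructed address falls into; the "minus 2" on the host count is the network address and the directed broadcast address, which is why a Class C network has 254 usable hosts rather than 256.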

ExamAlert

You will likely see questions about address classes and the corresponding default subnet mask. Review Table 3.3 before taking the exam.

Subnetting

Now that you have looked at how IPv4 addresses are used, you can learn the process of subnetting. Subnetting is a process in which bits from the node (host) portion of an IP address are used to create more networks than you would have if you used the default subnet mask.

To illustrate subnetting, for example, suppose that you have been assigned the Class B address 150.150.0.0. Using this address and the default subnet mask, you could have a single network (150.150) and use the rest of the address as node (host) addresses. This would give you a large number of possible node addresses, which in reality is probably not useful. With subnetting, you use bits from the node portion of the address to create more network addresses. Doing so reduces the number of nodes per network, but you probably will still have more than enough.

Following are two main reasons for subnetting:

  • It enables you to more effectively use IP address ranges.

  • It makes IP networking more secure and manageable by providing a mechanism to create multiple networks rather than having just one. Using multiple networks confines traffic to the network that it needs to be on, which reduces overall network traffic levels. Multiple subnets also create more broadcast domains, which in turn reduces network-wide broadcast traffic. A difference exists between broadcast domains and collision domains: the latter is all the connected nodes, whereas the former is all the logical nodes that can reach each other. As such, collision domains are typically subsets of broadcast domains.

ExamAlert

Subnetting does not increase the number of IP addresses available. It increases the number of network IDs and, as a result, decreases the number of node IDs per network. It also creates more broadcast domains. Broadcasts are not forwarded by routers, so they are limited to the network on which they originate.

With Variable Length Subnet Masking (VLSM), it is possible to use a different subnet mask for the same network number on different subnets. This way, a network administrator can use a long mask on subnets with few hosts and a short mask on subnets with many hosts, so that each subnet in a routed system is sized correctly for the number of hosts it must hold. The routing protocol used (EIGRP, OSPF, RIPv2, IS-IS, or BGP) must be able to advertise the mask for each subnet in the routing update, which means that it must be classless. Classless interdomain routing is discussed shortly.

Identifying the Differences Between IPv4 Public and Private Networks

IP addressing involves many considerations, not the least of which are public and private networks:

  • A public network is a network to which anyone can connect. The best (and perhaps only pure) example of such a network is the Internet.

  • A private network is any network to which access is restricted. A corporate network and a network in a school are examples.

Note

The Internet Assigned Numbers Authority (IANA) is responsible for assigning IP addresses to public networks. However, because of the workload involved in maintaining the systems and processes to do this, IANA has delegated the assignment process to a number of regional authorities. For more information, visit www.iana.org/numbers.

The main difference between public and private networks, other than access—a private network is tightly controlled and access to a public network is not—is that the addressing of devices on a public network must be carefully considered. Addressing on a private network has a little more latitude.

As already discussed, for hosts on a network to communicate by using TCP/IP, they must have unique addresses. This number defines the logical network that each host belongs to and the host’s address on that network. On a private network with, for instance, three logical networks and 100 nodes on each network, addressing is not a difficult task. On a network on the scale of the Internet, however, addressing is complex.

If you connect a system to the Internet, you need to get a valid registered IP address. Most commonly, you obtain this address from your Internet service provider (ISP). Alternatively, if you want a large number of addresses, for example, you could contact the organization responsible for address assignment in your area. You can determine who the regional numbers authority for your area is by visiting the IANA website.

Because of the nature of their business, ISPs have large blocks of IP addresses that they can assign to their clients. If you need a registered IP address, getting one from an ISP is almost certainly a simpler process than going through a regional numbers authority. Some ISP plans include blocks of registered IP addresses, working on the principle that businesses want some kind of permanent presence on the Internet. However, if you discontinue your service with the ISP, you can no longer use the provided IP address.

Private Address Ranges

To provide flexibility in addressing, and to prevent an incorrectly configured network from polluting the Internet, certain address ranges are set aside for private use. These address ranges are called private ranges because they are designated for use only on private networks. These addresses are special because Internet routers are configured to ignore any packets they see that use these addresses. This means that if a private network “leaks” onto the Internet, it won’t get any farther than the first router it encounters. So a private address cannot be on the Internet because it cannot be routed to public networks.

Three ranges are defined in RFC 1918: one each from Classes A, B, and C. You can use whichever range you want; however, the Class A and B address ranges offer more addressing options than Class C. Table 3.4 defines the private address ranges for Class A, B, and C addresses.

TABLE 3.4 Private Address Ranges

Class   Address Range                    Default Subnet Mask
A       10.0.0.0 to 10.255.255.255       255.0.0.0
B       172.16.0.0 to 172.31.255.255     255.255.0.0
C       192.168.0.0 to 192.168.255.255   255.255.255.0

ExamAlert

You can expect questions on RFC 1918, private IP address ranges, and their corresponding default subnet masks.

Classless Interdomain Routing

Classless interdomain routing (CIDR) is an IPv4 method of assigning addresses outside the standard Class A, B, and C structure. Specifying the number of bits in the subnet mask offers more flexibility than the three standard class definitions.

Using CIDR, addresses are assigned using a value known as the slash. The actual value of the slash depends on how many bits of the subnet mask are used to express the network portion of the address. For example, a subnet mask that uses all 8 bits from the first octet and 4 from the second would be described as /12, or “slash 12.” A subnet mask that uses all the bits from the first three octets would be called /24. Why the slash? In addressing terms, the CIDR value is expressed after the address, using a slash. So, the address 192.168.2.1/24 means that the node’s IP address is 192.168.2.1, and the subnet mask is 255.255.255.0.
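The subnetting and VLSM process described earlier, and the CIDR notation just introduced, are easiest to see with a subnet calculator you can read. The Python below is an added example and not part of the book; it uses the standard-library ipaddress module to convert between prefix lengths and dotted-decimal masks, to describe what 192.168.2.1/24 means, to split the book's 150.150.0.0 block into fixed-size subnets, and to size subnets with VLSM. The site names and host counts in the VLSM demand table are constructed for illustration.

```python
# Added example, not from the book: CIDR notation, fixed-length subnetting and
# VLSM with Python's standard ipaddress module. 150.150.0.0 is the block used in
# the text; the sites and host counts below are constructed.
import ipaddress


def prefix_to_mask(prefix):
    """CIDR prefix length -> dotted-decimal mask, e.g. 12 -> 255.240.0.0."""
    return str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)


def mask_to_prefix(mask):
    """Dotted-decimal mask -> CIDR prefix length, e.g. 255.255.255.0 -> 24."""
    return ipaddress.IPv4Network("0.0.0.0/" + mask).prefixlen


def describe(cidr):
    """What host/prefix notation such as 192.168.2.1/24 tells you."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    return {"address": str(iface.ip), "mask": str(net.netmask),
            "network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": max(net.num_addresses - 2, 0)}


def fixed_subnets(block, new_prefix):
    """Classic subnetting: borrow host bits to split one block into equal pieces."""
    net = ipaddress.IPv4Network(block)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def vlsm_allocate(block, demands):
    """Variable Length Subnet Masking: give each site the smallest subnet that
    holds its hosts, largest demand first so small subnets do not fragment
    the block. demands maps a site name to the number of hosts it needs."""
    free = [ipaddress.IPv4Network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        # hosts + network + broadcast addresses must fit: ceil(log2(hosts + 2)) host bits
        prefix = 32 - (hosts + 1).bit_length()
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError("no room left for %s (%d hosts)" % (name, hosts))
        chosen = max(candidates, key=lambda n: n.prefixlen)   # tightest fit
        free.remove(chosen)
        subnet = next(chosen.subnets(new_prefix=prefix))
        free.extend(chosen.address_exclude(subnet))          # return the remainder
        plan[name] = str(subnet)
    return plan


if __name__ == "__main__":
    print(prefix_to_mask(12), mask_to_prefix("255.255.255.0"))
    print(describe("192.168.2.1/24"))
    print(fixed_subnets("150.150.0.0/16", 24)[:4], "...")
    # Constructed demand table for a VLSM plan inside the book's Class B block
    print(vlsm_allocate("150.150.0.0/16", {"hq": 500, "branch": 100, "wan_link": 2}))
```

Sorting the demands from largest to smallest is what makes VLSM work in practice: a /30 carved first from the start of the block would leave no aligned /23 for the larger site, whereas taking the large subnet first leaves neatly aligned remainders for the small ones.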

Note

You can find a great CIDR calculator that can compute values from ranges at www.subnet-calculator.com/.

ExamAlert

You will likely see IP addresses in their CIDR format on the exam. Be sure that you understand CIDR addressing and IPv4 notation for the exam.

Default Gateways

Default gateways are the means by which a device can access hosts on other networks for which it does not have a specifically configured route. Most workstation configurations default to using default gateways rather than having any static routes configured. This enables workstations to communicate with other network segments or with other networks, such as the Internet.

ExamAlert

You will be expected to identify the purpose and function of a default gateway. You may also be asked to place the IP address of the default gateway (or other specified system) in the correct location within a performance-based question.

When a system wants to communicate with another device, it first determines whether the host is on the local network or a remote network. If the host is on a remote network, the system looks in the routing table to determine whether it has an entry for the network on which the remote host resides. If it does, it uses that route. If it does not, the data is sent to the default gateway.

Note

Although it might seem obvious, it’s worth mentioning that the default gateway must be on the same network as the nodes that use it.

In essence, the default gateway is simply the path out of the network for a given device. Figure 3.1 shows how a default gateway fits into a network infrastructure.

FIGURE 3.1 The role of a default gateway

On the network, a default gateway could be a router or a computer with network interfaces (multihomed) for all segments to which it is connected. These interfaces have local IP addresses for the respective segments. If a system is not configured with any static routes or a default gateway, it is limited to operating on its own network segment.
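The decision a host makes before sending a packet (local network, specific route, or default gateway) is short enough to write out. The Python below is an added example and not part of the book; the host address, static routes, and gateway addresses in it are constructed for illustration. It applies the host's own mask to decide whether the destination is on-link, does a longest-prefix match over any static routes, and falls back to the default gateway, refusing a gateway that is not on the host's own network and reporting the "limited to its own segment" case when no gateway is configured.

```python
# Added example, not from the book: the forwarding decision a host makes for
# each destination. All addresses used here are constructed for illustration.
import ipaddress


def next_hop(host_cidr, routes, default_gateway, destination):
    """
    host_cidr       : the host's own address and mask, e.g. "192.168.1.10/24"
    routes          : list of (network_cidr, gateway) static routes
    default_gateway : gateway address, or None if none is configured
    destination     : the address the host wants to reach
    Returns "direct" for an on-link destination, otherwise the gateway to use.
    Raises LookupError when the host has no way off its own segment.
    """
    me = ipaddress.IPv4Interface(host_cidr)
    dst = ipaddress.IPv4Address(destination)

    # Step 1: same network number after applying the subnet mask -> deliver directly
    if dst in me.network:
        return "direct"

    # Step 2: longest-prefix match over the static routing table
    best = None
    for net_str, gateway in routes:
        net = ipaddress.IPv4Network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is not None:
        return best[1]

    # Step 3: no specific route -> default gateway, which must be on our own network
    if default_gateway is None:
        raise LookupError("no route to %s: host has no default gateway" % destination)
    gw = ipaddress.IPv4Address(default_gateway)
    if gw not in me.network:
        raise ValueError("default gateway %s is not on the host's network %s"
                         % (gw, me.network))
    return str(gw)


if __name__ == "__main__":
    # Constructed routing table: a summary route and a more specific one
    static_routes = [("10.0.0.0/8", "192.168.1.254"), ("10.5.0.0/16", "192.168.1.253")]
    for target in ("192.168.1.77", "10.5.3.2", "10.9.9.9", "8.8.8.8"):
        print(target, "->", next_hop("192.168.1.10/24", static_routes, "192.168.1.1", target))
```

The longest-prefix rule in step 2 is why 10.5.3.2 goes to the /16 route's gateway rather than the /8 summary's: a more specific route always wins over a less specific one, and the default gateway (0.0.0.0/0, the least specific of all) is used only when nothing else matches.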

ExamAlert

For the exam, know that any system that does not have a default gateway or any static routes configured is limited to operating on its own network segment.

Virtual IP

A virtual IP address (VIP) is an IP address assigned to multiple applications and is often used in high availability implementations. Incoming packets are sent to the virtual address, and the system then routes them to the correct network interface. This allows different applications and virtual appliances to be hosted on servers that expose only one (logical) IP address.

IPv4 Address Types

IPv4 has three primary address types: unicast, broadcast, and multicast. You need to distinguish among these three types of IPv4 addresses.

Unicast Address

With a unicast address, a single address is specified. Data sent with unicast addressing is delivered to a specific node identified by the address. It is a point-to-point, one-to-one, address link.

Broadcast Address

A broadcast address is at the opposite end of the spectrum from a unicast address. A broadcast address is an IP address that you can use to target all systems on a subnet or network instead of single hosts. In other words, a broadcast message goes to everyone (one-to-all) on the network.

Multicast

Multicasting is a mechanism by which groups of network devices can send and receive data between the members of the group at one time (one-to-many), instead of separately sending messages to each device in the group.

The multicast grouping is established by configuring each device with the same multicast IP address.

ExamAlert

Know the differences between unicast (one-to-one), broadcast (one-to-all), and multicast (one-to-many).

IPv6 Addressing

Internet Protocol version 4 (IPv4) has served as the Internet’s protocol for decades. When IPv4 was in development all those years ago, it would have been impossible for its creators to imagine or predict the future demand for IP devices and therefore IP addresses.

Note

There was an IPv5 after IPv4 and before IPv6, but it was an experimental protocol that never went anywhere.

Where Have All the IPv4 Addresses Gone?

IPv4 uses a 32-bit addressing scheme. This gives IPv4 a total of 4,294,967,296 possible unique addresses that can be assigned to IP devices. More than 4 billion addresses might sound like a lot, and it is. However, the number of IP-enabled devices increases daily at a staggering rate. Not all these addresses can be used by public networks. Many of these addresses are reserved and are unavailable for public use. Reserving these addresses reduces the number of addresses that can be allocated as public Internet addresses.

The IPv6 project started in the mid-1990s, well before the threat of IPv4 limitations. Now network hardware and software are equipped for and ready to deploy IPv6 addressing. IPv6 offers a number of improvements. The most notable is its capability to handle growth in public networks. IPv6 uses a 128-bit addressing scheme, enabling a huge number of possible addresses:

340,282,366,920,938,463,463,374,607,431,768,211,456

Identifying IPv6 Addresses

As previously discussed, IPv4 uses a dotted-decimal format: 8 bits converted to its decimal equivalent and separated by periods. An example of an IPv4 address is 192.168.2.1.

Because of the 128-bit structure of the IPv6 addressing scheme, it looks quite a bit different. An IPv6 address is divided along 16-bit boundaries, and each 16-bit block is converted into a four-digit hexadecimal number and separated by colons. The resulting representation is called colon hexadecimal. Now look at how it works. Figure 3.2 shows the IPv6 address 2001:0:4137:9e50:2811:34ff:3f57:febc from a Windows system.

FIGURE 3.2 An IPv6 address in a Windows dialog screen

An IPv6 address can be simplified by removing the leading 0s within each 16-bit block. Not all the 0s can be removed, however, because each address block must have at least a single digit. With that 0 suppression undone (the leading 0s restored), the address is written as

2001:0000:4137:9e50:2811:34ff:3f57:febc

Some of the IPv6 addresses you will work with have sequences of 0s. When this occurs, the number is often abbreviated to make it easier to read. In the preceding example you saw that a single 0 represented a number set in hexadecimal form. To further simplify the representation of IPv6 addresses, a contiguous sequence of 16-bit blocks set to 0 in colon hexadecimal format can be compressed to ::, known as the double colon.

For example, the IPv6 address of

2001:0000:0000:0000:3cde:37d1:3f57:fe93

can be compressed to

2001::3cde:37d1:3f57:fe93

However, there are limits on how the IPv6 0s can be reduced. Within the IPv6 address, 0s cannot be eliminated when they are not first in the number sequence. For instance, 2001:4000:0000:0000:0000:0000:0000:0003 cannot be compressed as 2001:4::3. This would actually appear as 2001:4000::3.

When you look at an IPv6 address that uses a double colon, how do you know exactly what numbers are represented? The formula is to subtract the number of blocks from 8 and then multiply that number by 16. For example, the address 2001:4000::3 uses three blocks: 2001, 4000, and 3. So the formula is as follows:

(8 – 3) × 16 = 80

Therefore, the total number of bits represented by the double colon in this example is 80.

Note

You can remove 0s only once in an IPv6 address. Using a double colon more than once would make it impossible to determine the number of 0 bits represented by each instance of ::.
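The three rules just described (strip leading 0s from each block, replace one run of all-zero blocks with a double colon, and use :: only once) can be implemented directly, along with the (8 - blocks) x 16 calculation. The Python below is an added example and not part of the book; it expands any compressed address back to eight 4-digit blocks, compresses in the other direction, and rejects a second ::. The addresses it is run on are the ones from the text above.

```python
# Added example, not from the book: IPv6 zero suppression and the double colon
# done by hand, so each rule from the text is visible as a line of code.


def double_colon_bits(address):
    """How many zero bits a single '::' stands for: (8 - written blocks) * 16."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" not in address:
        return 0
    written = [b for b in address.split(":") if b]   # drop the empties around ::
    return (8 - len(written)) * 16


def expand(address):
    """Restore all eight 4-digit blocks (undo both '::' and leading-0 suppression)."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in address:
        left, right = address.split("::")
        left_blocks = [b for b in left.split(":") if b]
        right_blocks = [b for b in right.split(":") if b]
        missing = 8 - len(left_blocks) - len(right_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one block")
        blocks = left_blocks + ["0"] * missing + right_blocks
    else:
        blocks = address.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit blocks")
    for b in blocks:
        if not 1 <= len(b) <= 4 or set(b.lower()) - set("0123456789abcdef"):
            raise ValueError("bad block %r" % b)
    return ":".join(b.lower().zfill(4) for b in blocks)


def compress(address):
    """Drop leading 0s in every block, then replace the longest run of two or
    more zero blocks with '::' exactly once (the RFC 5952 recommendation)."""
    blocks = [b.lstrip("0") or "0" for b in expand(address).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == "0":
            j = i
            while j < 8 and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(blocks)   # a lone zero block stays as a single 0
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return "%s::%s" % (left, right)


if __name__ == "__main__":
    print(expand("2001:0:4137:9e50:2811:34ff:3f57:febc"))
    print(compress("2001:0000:0000:0000:3cde:37d1:3f57:fe93"))
    print(compress("2001:4000:0000:0000:0000:0000:0000:0003"))   # 2001:4000::3
    print(double_colon_bits("2001:4000::3"))                     # 80
```

The compress function reproduces the limit described above: 2001:4000:0:0:0:0:0:3 becomes 2001:4000::3, never 2001:4::3, because only leading 0s within a block are dropped and only whole zero blocks are folded into the double colon.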

IPv6 Address Types

Another difference between IPv4 and IPv6 is in the address types. IPv4 addressing was discussed in detail earlier. IPv6 addressing offers several types of addresses, as detailed in this section.

Unicast IPv6 Addresses

As you might deduce from the name, a unicast address specifies a single interface. Data packets sent to a unicast destination travel from the sending host to the destination host. It is a direct line of communication. A few types of addresses fall under the unicast banner, as discussed next.

Global Unicast Addresses

Global unicast addresses are the equivalent of IPv4 public addresses. These addresses are routable and travel throughout the network.

Link-Local Addresses

Link-local addresses are designated for use on a single local network. Link-local addresses are automatically configured on all interfaces. This automatic configuration is comparable to the 169.254.0.0/16 APIPA automatically assigned IPv4 addressing scheme (discussed shortly). The prefix used for a link-local address is fe80::/64. On a single-link IPv6 network with no router, link-local addresses are used to communicate between devices on the link.

Site-Local Addresses

Site-local addresses are equivalent to the IPv4 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). As with IPv4, in which private address ranges are used in private networks, IPv6 uses site-local addresses that do not interfere with global unicast addresses. In addition, routers do not forward site-local traffic outside the site. Unlike link-local addresses, site-local addresses are not automatically configured and must be assigned through either stateless or stateful address configuration processes. The prefix used for the site-local address is feC0::/10.

Multicast Addresses

As with IPv4 addresses, multicasting sends and receives data between groups of nodes. It sends IP messages to a group rather than to every node on the LAN (broadcast) or just one other node (unicast).

Anycast Addresses

Anycast addresses represent the middle ground between unicast addresses and multicast addresses. Anycast delivers messages to any one node in the multicast group.

Note

You might encounter the terms stateful and stateless configuration. Stateless refers to IP autoconfiguration, in which administrators need not manually input configuration information. In a stateful configuration network, devices obtain address information from a server.

ExamAlert

Similar to stateful/stateless, classful and classless are address adjectives that are often used. Classful means that the address falls into one of the five IPv4 classes (A, B, C, D, or E), whereas classless uses the CIDR notation previously discussed.

ExamAlert

Earlier you read that IPv4 reserves 127.0.0.1 as the loopback address. IPv6 has the same reservation. IPv6 addresses 0:0:0:0:0:0:0:0 and 0:0:0:0:0:0:0:1 are reserved as the loopback addresses. 0:0:0:0:0:0:0:1 shortened is ::1. In CIDR format, the loopback address for IPv4 is 127.0.0.1/8; for IPv6, it is ::1/128.

Remember that fe80:: is a private link-local address.

Neighbor Discovery

IPv6 supports the Neighbor Discovery Protocol (NDP). Operating at the network layer, it is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the addresses of other nodes, duplicate address detection, finding available routers and DNS servers, address prefix discovery, and maintaining reachability information of other active neighbor nodes.

Comparing IPv4 and IPv6 Addressing

Table 3.5 compares IPv4 and IPv6 addressing.

Note

Automatic Private IP Addressing (APIPA) appears in the table and is discussed in detail in the section “Automatic Private IP Addressing” later in this chapter.

TABLE 3.5 Comparing IPv4 and IPv6 Addressing

Address Feature             IPv4 Address                                         IPv6 Address
Loopback address            127.0.0.1                                            0:0:0:0:0:0:0:1 (::1)
Network-wide addresses      IPv4 public address ranges                           Global unicast IPv6 addresses
Private network addresses   10.0.0.0, 172.16.0.0, 192.168.0.0                    Site-local address ranges (feC0::)
Autoconfigured addresses    IPv4 automatic private IP addressing (169.254.0.0)   Link-local addresses of the fe80:: prefix

ExamAlert

Make sure that you know the information provided in Table 3.5.

Note

IPv6 supports dual stack: this means that both IPv4 and IPv6 can run on the same network. This capability is extremely useful when transitioning from one to the other during the adoption and deployment phases. It also enables the network to continue to support legacy devices that may not be able to transition.

Assigning IP Addresses

Now that you understand the need for each system on a TCP/IP-based network to have a unique address, the following sections examine how those systems receive their addresses.

Static Addressing

Static addressing refers to the manual assignment of IP addresses to a system. This approach has two main problems:

  • Statically configuring one system with the correct address is simple, but in the course of configuring, for instance, a few hundred systems, mistakes are likely. If the IP addresses are entered incorrectly, the system probably cannot connect to other systems on the network.

  • If the IP addressing scheme for the organization changes, each system must again be manually reconfigured. In a large organization with hundreds or thousands of systems, such a reconfiguration could take a considerable amount of time. These drawbacks of static addressing are so significant that nearly all networks use dynamic IP addressing.

Dynamic Addressing

Dynamic addressing refers to the automatic assignment of IP addresses. On modern networks, the mechanism used to do this is Dynamic Host Configuration Protocol (DHCP). DHCP, part of the TCP/IP suite, enables a central system to provide client systems with IP addresses. Automatically assigning addresses with DHCP alleviates the burden of address configuration and reconfiguration that occurs with static IP addressing.

The basic function of the DHCP service is to automatically assign IP addresses to client systems. To do this, ranges of IP addresses, known as scopes, are defined on a system running a DHCP server application. When another system configured as a DHCP client is initialized, it asks the server for an address.

If all things are as they should be, the server assigns an address to the client for a predetermined amount of time, known as the lease, from the scope.

ExamAlert

As you study DHCP for the exam, make sure you know reservations, scopes, leases, options, and IP helper/DHCP relay. These topics were discussed in Chapter 2, “Models, Ports, Protocols, and Network Services.”

A DHCP server typically can be configured to assign more than just IP addresses. It often is used to assign the subnet mask, the default gateway, and Domain Name Service (DNS) information.

Using DHCP means that administrators do not need to manually configure each client system with a TCP/IP address. This removes the common problems associated with statically assigned addresses, such as human error. The potential problem of assigning duplicate IP addresses is also eliminated. DHCP also removes the need to reconfigure systems if they move from one subnet to another, or if you decide to make a wholesale change in the IP addressing structure.

ExamAlert

Even when a network is configured to use DHCP, several mission-critical network systems continue to use static addressing: DHCP server, DNS server, web server, network printers, and more. They do not use dynamic IP addressing because their IP addresses must not change. If they do change, client systems may be unable to access the resources on that server.

Configuring a client for TCP/IP can be relatively complex, or it can be simple. Any complexity involved is related to the possible need to manually configure TCP/IP. The simplicity is because TCP/IP configuration can occur automatically via DHCP or through APIPA. At the least, a system needs an IP address and subnet mask to log on to a network. The default gateway and DNS server IP information is optional, but network functionality is limited without them. The following list briefly explains the IP-related settings used to connect to a TCP/IP network, many of which are shown in Figure 3.3:

  • IP address: This value is the unique address that each system must be assigned so that it can communicate on the network.

  • Subnet mask: This value enables the system to determine what portion of the IP address represents the network address and what portion represents the node address.

  • Default gateway: This value identifies the node on the network that enables the system to communicate on a remote network, without the need for explicit routes to be defined.

  • DNS server addresses: This value identifies the server that is enabling dynamic hostname resolution to be performed. It is common practice to have two DNS server addresses defined so that if one server becomes unavailable, the other can be used.

FIGURE 3.3 Configuration options in Windows for TCP/IP

ExamAlert

At the very minimum, an IP address and subnet mask are required to connect to a TCP/IP network. With this minimum configuration, connectivity is limited to the local segment, and DNS resolution is not possible.

DHCP6 (or, more correctly, DHCPv6) is the IPv6 counterpart to DHCP. It issues the necessary configuration information for clients on IPv6-based networks. When it comes to assigning the addresses, the preferred method of assigning IP addresses in an IPv6 network is to use Stateless Address Auto Configuration (SLAAC). With SLAAC, devices send the router a request for the network prefix, and the device then uses the prefix along with its own MAC address to create an IP address.
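The text says a SLAAC host builds its address from the advertised prefix and its own MAC address. The Python below is an added example and not part of the book: it shows the modified EUI-64 method from RFC 4291 (split the MAC, insert ff:fe, flip the universal/local bit) and joins the result to a /64 prefix, including the fe80::/64 link-local address every interface gives itself. The MAC address and the 2001:db8: prefix are constructed values for illustration. Note that many current operating systems use random or privacy interface identifiers (RFC 4941 and RFC 7217) instead of EUI-64, so an address seen in the wild may not reveal the MAC this way.

```python
# Added example, not from the book: the modified EUI-64 interface identifier a
# SLAAC host derives from its MAC address (RFC 4291, Appendix A). The MAC and
# prefix used below are constructed for illustration.
import ipaddress


def mac_to_eui64(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (as bytes)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 6 bytes")
    # Split the OUI (first 3 bytes) from the device part (last 3), insert 0xFFFE
    # in the middle, and invert the universal/local bit (bit 1 of the first byte).
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix_cidr, mac):
    """Combine a /64 prefix learned from a router advertisement with the EUI-64."""
    prefix = ipaddress.IPv6Network(prefix_cidr)
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    interface_id = int.from_bytes(mac_to_eui64(mac), "big")
    # The low 64 bits of a /64 network address are zero, so OR in the identifier
    return str(ipaddress.IPv6Address(int(prefix.network_address) | interface_id))


def link_local_address(mac):
    """The fe80::/64 address an interface configures for itself with no router."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    constructed_mac = "00:1a:2b:3c:4d:5e"
    print(mac_to_eui64(constructed_mac).hex())                  # 021a2bfffe3c4d5e
    print(link_local_address(constructed_mac))                  # fe80::21a:2bff:fe3c:4d5e
    print(slaac_address("2001:db8:1:2::/64", constructed_mac))  # 2001:db8:1:2:21a:2bff:fe3c:4d5e
```

The flipped bit is what turns the 00 at the front of the MAC into 02 in the address, which is the quickest way to recognise an EUI-64-derived address (together with the ff:fe in the middle of the identifier) when reading a neighbour table.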

BOOT Protocol (BOOTP)

BOOTP was originally created so that diskless workstations could obtain information needed to connect to the network, such as the TCP/IP address, subnet mask, and default gateway. Such a system was necessary because diskless workstations had no way to store the information.

When a system configured to use BOOTP is powered up, it broadcasts for a BOOTP server on the network. If such a server exists, it compares the MAC address of the system issuing the BOOTP request with a database of entries. From this database, it supplies the system with the appropriate information. It can also tell the workstation which boot file it must load.

In the unlikely event that you use BOOTP, you should be aware that, like DHCP, it is a broadcast-based system. Therefore, routers must be configured to forward BOOTP broadcasts.

Automatic Private IP Addressing

Automatic Private IP Addressing (APIPA) was introduced with Windows 98 and has been included in all subsequent Windows versions. The function of APIPA is that a system can give itself an IP address if it is incapable of receiving an address dynamically from a DHCP server. In that case, APIPA assigns the system an address from the 169.254.0.0 address range and configures an appropriate subnet mask (255.255.0.0). However, it doesn’t configure the system with a default gateway address. As a result, communication is limited to the local network. So, if you can connect to other devices on a local network but can’t reach the Internet, for example, it is likely that your DHCP server is down and you are currently using an APIPA address.

ExamAlert

If a system that does not support APIPA cannot get an address from a DHCP server, it typically assigns itself an IP address of 0.0.0.0. Keep this in mind when troubleshooting IP addressing problems on non-APIPA platforms.

The idea behind APIPA is that systems on a segment can communicate with each other if DHCP server failure occurs. In reality, the limited usability of APIPA makes it little more than a last resort. For example, imagine that a system is powered on while the DHCP server is operational and receives an IP address of 192.168.100.2. Then the DHCP server fails. Now, if the other systems on the segment are powered on and cannot get an address from the DHCP server because it is down, they would self-assign addresses in the 169.254.0.0 address range via APIPA. The systems with APIPA addresses would talk to each other, but they couldn’t talk to a system that received an address from the DHCP server. Likewise, any system that receives an IP address via DHCP cannot talk to systems with APIPA-assigned addresses. This, and the absence of a default gateway, is why APIPA is of limited use in real-world environments.

ExamAlert

Be prepared to answer APIPA questions. Know what it is and how you can tell whether you have been assigned an APIPA address and why.

Identifying MAC Addresses

Many times this book refers to MAC addresses and how certain devices use them. However, it has not yet discussed why MAC addresses exist, how they are assigned, and what they consist of.

Note

A MAC address is sometimes called a physical address because it is physically embedded in the interface (network interface card).

A MAC address is a 6-byte (48-bit) hexadecimal address that enables a NIC to be uniquely identified on the network. The MAC address forms the basis of network communication, regardless of the protocol used to achieve network connection. Because the MAC address is so fundamental to network communication, mechanisms are in place to ensure that duplicate addresses cannot be used.

To combat the possibility of duplicate MAC addresses being assigned, the Institute of Electrical and Electronics Engineers (IEEE) took over the assignment of MAC addresses. But rather than be burdened with assigning individual addresses, the IEEE decided to assign each manufacturer an ID and then let the manufacturer further allocate IDs. The result is that in a MAC address, the first 3 bytes define the manufacturer, and the last 3 are assigned by the manufacturer.

For example, consider the MAC address of the computer on which this book is being written: 00:D0:59:09:07:51. The first 3 bytes (00:D0:59) identify the manufacturer of the card. Because only this manufacturer can use this address, it is known as the organizational unique identifier (OUI). The last 3 bytes (09:07:51) are called the universal LAN MAC address: they make this interface unique. You can find a complete listing of organizational MAC address assignments at http://standards-oui.ieee.org/oui.txt.

Because MAC addresses are expressed in hexadecimal, only the numbers 0 through 9 and the letters A through F can be used in them. If you get an exam question about identifying a MAC address and some of the answers contain letters and numbers other than 0 through 9 and the letters A through F, you can immediately discount those answers.

You can discover the NIC’s MAC address in various ways, depending on what system or platform you work on (several of the ways can be found at https://carleton.ca/its/help-centre/how-to-find-your-mac-address/). Table 3.6 defines various platforms and methods you can use to view an interface’s MAC address.

TABLE 3.6 Methods of Viewing the MAC Addresses of NICs

Platform           Method
Windows            Enter ipconfig /all at a command prompt.
Linux/some UNIX    Enter the ifconfig -a command.
Cisco router       Enter the sh int interface name command.

ExamAlert

Be sure that you know the commands used to identify the MAC address in various operating system formats.

Just as there was fear that there would not be enough IPv4 addresses for all the devices that need to access the Internet, there has also been considerable fear that there are not enough MAC addresses to assign. To deal with this, 64-bit addresses are now available. The IEEE refers to 48-bit addresses as EUI-48 (for extended unique identifier) and longer addresses as EUI-64. It is projected that there are enough 48-bit addresses to last for quite some time, but the IEEE is encouraging the adoption of 64-bit addressing as soon as possible. EUI-64 is also used to automatically configure IPv6 host addresses: the MAC address of the interface is used to generate a 64-bit interface ID. The MAC address is split in two, and “FFFE” is inserted in the middle. Then the 7th bit of the interface ID is inverted. EUI-64 uses hyphens between number sets instead of colons. A good explanation/overview can be found at https://community.cisco.com/t5/networking-documents/understanding-ipv6-eui-64-bit-address/ta-p/3116953.
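The following Python script is an added example (it is not from the book) that works through the MAC address rules above with the book's own sample address, 00:D0:59:09:07:51: it checks that a MAC is six hexadecimal bytes (so anything containing characters outside 0-9 and A-F is rejected, as the exam tip says), splits off the OUI, builds the modified EUI-64 identifier by inserting FFFE and inverting the 7th bit, and finally combines that interface ID with a router-advertised prefix the way SLAAC does. The IPv6 prefix 2001:db8:1:2::/64 is a documentation prefix assumed for the SLAAC step.

```python
"""MAC address checks and the modified EUI-64 interface ID used by SLAAC.

Added example, not from the book. Uses only the standard library.
"""
import ipaddress
import re

# Six hex pairs separated consistently by ":" or "-" (Windows prints hyphens).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(text):
    """Only 0-9 and A-F may appear; anything else (G, O, spaces) is not a MAC."""
    return _MAC_RE.match(text) is not None


def mac_bytes(text):
    if not is_valid_mac(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", text))


def split_oui(text):
    """(OUI assigned by the IEEE, 3 bytes assigned by the manufacturer)."""
    raw = mac_bytes(text)
    return raw[:3].hex(":").upper(), raw[3:].hex(":").upper()


def eui64_from_mac(text):
    """Modified EUI-64: OUI + FF:FE + vendor bytes, universal/local bit inverted."""
    raw = mac_bytes(text)
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # The 7th bit from the left of the first byte (value 0x02) is the
    # universal/local bit; inverting it is the "modified" part of EUI-64.
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_string(text):
    """EUI-64 written the IEEE way, with hyphens instead of colons."""
    return eui64_from_mac(text).hex("-").upper()


def ipv6_interface_id(text):
    """The same 64 bits written as four IPv6 groups with leading zeros dropped."""
    eui = eui64_from_mac(text)
    groups = [eui[i:i + 2].hex().lstrip("0") or "0" for i in range(0, 8, 2)]
    return ":".join(groups)


def slaac_address(prefix, mac):
    """Combine a router-advertised /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    mac = "00:D0:59:09:07:51"                   # the book's sample MAC address
    print("valid:", is_valid_mac(mac), is_valid_mac("00:D0:59:09:07:5G"))
    print("OUI / vendor part:", split_oui(mac))
    print("EUI-64:", eui64_string(mac))
    print("interface ID:", ipv6_interface_id(mac))
    print("SLAAC address:", slaac_address("2001:db8:1:2::/64", mac))  # assumed prefix
```

Because the interface ID is derived from the MAC address, the same host produces the same SLAAC suffix on every network it joins, which is why privacy extensions that randomize the interface ID are common on client operating systems.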

ExamAlert

Be sure that you know what EUI-64 is for the exam.

NAT and PAT

This chapter has defined many acronyms and continues to do so with NAT and PAT. Since the technologies are related, and commonly used, SNAT and DNAT are also touched on.

NAT

The basic principle of Network Address Translation (NAT) is that many computers can “hide” behind a single IP address. The main reason you need to do this (as pointed out earlier in the section “IP Addressing”) is that there aren’t enough IPv4 addresses to go around. Using NAT means that only one registered IP address is needed on the system’s external interface, acting as the gateway between the internal and external networks. Figure 3.4 shows an example of enabling NAT on a SOHO router.

FIGURE 3.4 NAT configuration on a SOHO router

Note

Don’t confuse NAT with proxy servers. The proxy service is different from NAT, but many proxy server applications do include NAT functionality.

NAT enables you to use whatever addressing scheme you like on your internal networks; however, it is common practice to use the private address ranges, which were discussed earlier.

When a system is performing NAT, it funnels the requests given to it to the Internet. To the remote host, the request looks like it is originating from a single address. The system performing the NAT function keeps track of who asked for what and makes sure that when the data is returned, it is directed to the correct system. Servers that provide NAT functionality do so in different ways. For example, you can statically map a specific internal IP address to a specific external one (known as the one-to-one NAT method) so that outgoing requests are always tagged with the same IP address. Alternatively, if you have a group of public IP addresses, you can have the NAT system assign addresses to devices on a first-come, first-served basis. Either way, the basic function of NAT is the same.

Tunneling can be used for transmitting packets of one type (such as IPv6) over another network (such as IPv4). 6to4 is one such tunneling technology, allowing IPv6 packets to be transmitted over an IPv4 network without having to create a complex tunnel. It is often used during the transition period when a network is being updated and is not intended to be a permanent solution. Its counterpart is 4to6.

For a more long-term solution, there is a transition technology known as Teredo that gives full IPv6 connectivity for IPv6-capable hosts, which are on the IPv4 Internet but lack direct native connection to an IPv6 network. The distinguishing feature of Teredo is that it can do this from behind NAT devices (such as home routers). One of the most popular Teredo implementations is Miredo; it is a client designed to allow full IPv6 connectivity to systems that are strictly IPv4-based.

PAT

NAT enables administrators to conserve public IP addresses and, at the same time, secure the internal network. Port Address Translation (PAT) is a variation on NAT. With PAT, all systems on the LAN are translated to the same IP address, but each is assigned a different port number. PAT is used when multiple clients need to access the Internet but there are not enough available public IP addresses, so the inside clients must be mapped to a single public IP address. When packets come back into the private network, they are routed to their destination using a table within PAT that tracks the public and private port numbers.

When PAT is used, there is typically only a single IP address exposed to the public network, and multiple network devices access the Internet through this exposed IP address. The sending device’s IP address and port number are not exposed. For example, an internal computer with the IP address 192.168.2.2 wants to access a remote web server at address 204.23.85.49. The request goes to the PAT router, where the sender’s private IP address and port number are modified, and a mapping is added to the PAT table. The remote web server sees the request coming from the IP address of the PAT router and not from the computer actually making the request. The web server sends the reply to the address and port number of the router. When the reply is received, the router checks its table to find the packet’s actual destination and forwards it.

ExamAlert

PAT enables nodes on a LAN to communicate with the Internet without revealing their IP address. All outbound IP communications are translated to the router’s external IP address. Replies come back to the router, which then translates them back into the private IP address of the original host for final delivery.

SNAT

Static Network Address Translation (SNAT) is a simple form of NAT. SNAT directly maps a private IP address to a static unchanging public IP address. This enables an internal system, such as a mail server, to have an unregistered (private) IP address and still be reachable over the Internet. For example, if a network uses a private address of 192.168.2.1 for a mail server, it can be statically linked to a public IP address such as 213.23.213.85.

DNAT

To get more granular, Destination Network Address Translation (DNAT) can be implemented on any router to change the destination IP address on a packet (and do the inverse operation on replies). It is typically used between services located on a private network and IP addresses that are publicly accessible. It is more commonly referred to as port forwarding.
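To make the four translation behaviours concrete, here is an added Python simulation of a NAT router's translation table; it is an example written for this section, not code from the book. It uses the book's addresses (inside host 192.168.2.2, web server 204.23.85.49, and the static mapping of the mail server 192.168.2.1 to 213.23.213.85) and assumes 203.0.113.1 as the router's public address and 198.51.100.7 as a remote host; both are documentation addresses. One-to-one (static) NAT keeps the port and rewrites only the address, PAT rewrites both and records the session, DNAT forwards a chosen public port inward, and anything inbound with no table entry is dropped.

```python
"""NAT, PAT, static one-to-one NAT (SNAT) and DNAT on one simulated router.

Added example, not from the book.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, first_pat_port=1024):
        self.public_ip = public_ip
        self.static = {}          # private ip -> public ip   (one-to-one / SNAT)
        self.static_rev = {}      # public ip  -> private ip
        self.port_forwards = {}   # public port -> (private ip, private port)   (DNAT)
        self.pat_table = {}       # public port -> (private ip, private port)   (PAT)
        self.pat_rev = {}         # (private ip, private port) -> public port
        self.next_port = first_pat_port

    def add_static(self, private_ip, public_ip):
        self.static[private_ip] = public_ip
        self.static_rev[public_ip] = private_ip

    def add_port_forward(self, public_port, private_ip, private_port):
        self.port_forwards[public_port] = (private_ip, private_port)

    def _allocate_port(self):
        # Skip ports already taken by forwards or live sessions; refuse past 65535.
        while self.next_port in self.port_forwards or self.next_port in self.pat_table:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if pkt.src_ip in self.static:                     # one-to-one NAT keeps the port
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.pat_rev:                        # PAT: new session, new public port
            port = self._allocate_port()
            self.pat_table[port] = key
            self.pat_rev[key] = port
        return Packet(self.public_ip, self.pat_rev[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when no mapping exists: unsolicited inbound traffic is
        dropped, which is the "hiding" effect the text describes.
        """
        if pkt.dst_ip in self.static_rev:                  # traffic for a static mapping
            return Packet(pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.port_forwards.get(pkt.dst_port)      # DNAT / port forward
        if target is None:
            target = self.pat_table.get(pkt.dst_port)      # reply to a PAT session
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


if __name__ == "__main__":
    r = NatRouter("203.0.113.1")                          # assumed public address
    r.add_static("192.168.2.1", "213.23.213.85")          # SNAT for the mail server
    r.add_port_forward(8080, "192.168.2.10", 80)          # DNAT to an internal web server
    out = r.outbound(Packet("192.168.2.2", 51000, "204.23.85.49", 80))
    print("web server sees:", out)
    reply = Packet("204.23.85.49", 80, out.src_ip, out.src_port)
    print("reply delivered to:", r.inbound(reply))
    print("unsolicited probe:", r.inbound(Packet("198.51.100.7", 40000, "203.0.113.1", 9999)))
```

Note that the PAT table is the only thing that lets the reply find its way back: if the router lost that entry (a timeout, a reboot), the reply would be dropped like any other unsolicited packet, which is why long-lived connections through PAT often rely on keepalives.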

Cram Quiz

1. What is the IPv6 equivalent of 127.0.0.1? (Choose two.)

A. 0:0:0:0:0:0:0:1

B. 0:0:0:0:0:0:0:24

C. ::1

D. ::24

2. Which of the following is a Class B address?

A. 129.16.12.200

B. 126.15.16.122

C. 211.244.212.5

D. 193.17.101.27

3. You are the administrator for a network with two Windows Server systems and 65 Windows desktop systems. At 10 a.m., three users call to report that they are experiencing network connectivity problems. Upon investigation, you determine that the DHCP server has failed. How can you tell that the DHCP server failure is the cause of the connectivity problems experienced by the three users?

A. When you check their systems, they have an IP address of 0.0.0.0.

B. When you check their systems, they have an IP address in the 192.168.x.x address range.

C. When you check their systems, they have a default gateway value of 255.255.255.255.

D. When you check their systems, they have an IP address from the 169.254.x.x range.

4. Which of the following address types are associated with IPv6? (Choose three.)

A. Broadcast

B. Multicast

C. Unicast

D. Anycast

5. Which of the following IP addresses is not from a private address range?

A. 192.168.200.117

B. 172.16.3.204

C. 127.45.112.16

D. 10.27.100.143

6. You have been assigned to set up a new network with TCP/IP. For the external interfaces, you decide to obtain registered IP addresses from your ISP, but for the internal network, you choose to configure systems by using one of the private address ranges. Of the following address ranges, which one would you not consider?

A. 192.168.0.0 to 192.168.255.255

B. 131.16.0.0 to 131.16.255.255

C. 10.0.0.0 to 10.255.255.255

D. 172.16.0.0 to 172.31.255.255

7. You ask your ISP to assign a public IP address for the external interface of your Windows server, which is running a proxy server application. In the email message that contains the information, the ISP tells you that you have been assigned the IP address 203.15.226.12/24. When you fill out the subnet mask field on the IP configuration dialog box on your system, what subnet mask should you use?

A. 255.255.255.255

B. 255.255.255.0

C. 255.255.240.0

D. 255.255.255.240

8. Examine the diagram shown here. What is the most likely reason that user Spencer cannot communicate with user Evan?

A. The default gateways should have different values.

B. Spencer’s IP address is not a loopback address.

C. The subnet values should be the same.

D. There is no problem identifiable by the values given.

Cram Quiz Answers

1. A and C. The IPv4 address 127.0.0.1 is reserved as the loopback address, and IPv6 has the same reservation. IPv6 addresses 0:0:0:0:0:0:0:0 and 0:0:0:0:0:0:0:1 are reserved as the loopback addresses. The address 0:0:0:0:0:0:0:1 can be shown using the :: notation with the 0s removed, resulting in ::1.

2. A. Class B addresses fall into the range 128 to 191. Answer A is the only address listed that falls into that range. Answer B is a Class A address, and answers C and D are Class C IP addresses.

3. D. When a Windows desktop system that is configured to obtain an IP address via DHCP fails to obtain an address, it uses APIPA to assign itself an address from the 169.254.x.x address range. An address of 0.0.0.0 normally results from a system that does not support APIPA. APIPA does not use the 192.168.x.x address range. The IP address 255.255.255.255 is the broadcast address. A DHCP failure would not lead to a system assigning itself this address.

4. B, C, and D. A key difference between IPv4 and IPv6 is in the address types. IPv6 addressing has three main types of addresses: unicast, multicast, and anycast. IPv4 uses broadcast addressing, but IPv6 doesn’t.

5. C. The 127.x.x.x network range is reserved for the loopback function. It is not one of the recognized private address ranges. The private address ranges as defined in RFC 1918 are 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

6. B. The 131.16 range is from the Class B range and is not one of the recognized private IP address ranges. All the other address ranges are valid private IP address ranges.

7. B. In CIDR terminology, the number of bits to be included in the subnet mask is expressed as a slash value. If the slash value is 24, the first three octets form the subnet mask, so the value is 255.255.255.0.

8. C. The most likely problem, given the IP values for each user’s workstation, is that the subnet value is not correct on Spencer’s machine and should be 255.255.255.0.
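The address rules behind the APIPA section and quiz questions 2, 3, 5, 6 and 7 can be checked mechanically. The script below is an added example, not part of the book, that uses Python's standard ipaddress module to classify an address (unspecified, loopback, APIPA, private, public), name its classful range from the first octet, and turn a CIDR suffix such as /24 into a dotted-decimal mask. The sample addresses are the ones that appear in the quiz.

```python
"""Classify IPv4 addresses the way the APIPA section and the Cram Quiz expect.

Added example, not from the book. Standard library only, so it runs offline.
"""
import ipaddress


def classify(text):
    """Return one of: unspecified, loopback, apipa, private, public."""
    addr = ipaddress.IPv4Address(text)
    # Order matters: 127.0.0.0/8 and 169.254.0.0/16 also report is_private,
    # so the more specific checks come first.
    if addr.is_unspecified:          # 0.0.0.0: a non-APIPA host that got no DHCP lease
        return "unspecified"
    if addr.is_loopback:             # 127.0.0.0/8
        return "loopback"
    if addr.is_link_local:           # 169.254.0.0/16: APIPA self-assigned
        return "apipa"
    if addr.is_private:              # RFC 1918: 10/8, 172.16/12, 192.168/16
        return "private"
    return "public"


def address_class(text):
    """Classful range from the first octet: A (1-127), B (128-191), C (192-223), D, E."""
    first = int(text.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def mask_for(cidr):
    """Dotted-decimal subnet mask for a CIDR address such as 203.15.226.12/24."""
    return str(ipaddress.ip_interface(cidr).netmask)


def diagnose_dhcp(text):
    """What the address tells you while troubleshooting a suspected DHCP failure."""
    kind = classify(text)
    if kind == "apipa":
        return "DHCP failed; APIPA address, local segment only (no default gateway)"
    if kind == "unspecified":
        return "DHCP failed; platform without APIPA left the address at 0.0.0.0"
    return "address was configured statically or leased by DHCP"


if __name__ == "__main__":
    for sample in ["169.254.10.5", "0.0.0.0", "127.45.112.16",
                   "192.168.200.117", "131.16.5.5", "203.15.226.12"]:
        print(f"{sample:16} class {address_class(sample)}  {classify(sample):11}  {diagnose_dhcp(sample)}")
    print("mask for 203.15.226.12/24:", mask_for("203.15.226.12/24"))
```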

Managing Routing and Switching

  • Compare and contrast routing technologies and bandwidth management concepts.

  • Given a scenario, configure and deploy common Ethernet switching features.

Because today’s networks branch out between interconnected offices all over the world, networks may have any number of separate physical network segments connected using routers. Routers are devices that direct data between networks. Essentially, when a router receives data, it must determine the destination for the data and send it there. To accomplish this, the network router uses two key pieces of information: the gateway address and the routing tables.

The Default Gateway

A default gateway is the router’s IP address, which is the pathway to any and all remote networks. To get a packet of information from one network to another, the packet is sent to the default gateway, which helps forward the packet to its destination network. Computers that live on the other side of routers are said to be on remote networks. Without default gateways, Internet communication is not possible because your computer does not have a way to send a packet destined for any other network. On the workstation, it is common for the default gateway option to be configured automatically through DHCP configuration.

Routing Tables

Before a data packet is forwarded, a chart is reviewed to determine the best possible path for the data to reach its destination. This chart is the computer’s routing table. Maintaining an accurate routing table is essential for effective data delivery. Every computer on a TCP/IP network has a routing table stored locally. Figure 3.5 shows the routing table on a Windows system.

Note

You can use the route print command to view the routing table on a client system.

FIGURE 3.5 The routing table on a Windows system

As shown in Figure 3.5, the information in the routing table includes the following:

  • Network Destination: The host IP address.

  • Netmask: The subnet mask value for the destination parameter.

  • Gateway: Where the IP address is sent. This may be a gateway server, a router, or another system acting as a gateway.

  • Interface: The address of the interface that’s used to send the packet to the destination.

  • Metric: A measurement of the directness of a route. The lower the metric, the faster the route. If multiple routes exist for data to travel, the one with the lowest metric is chosen.

Routing tables play an important role in the network routing process. They are the means by which the data is directed through the network. For this reason, a routing table needs to be two things. It must be up to date and complete. The router can get the information for the routing table in two ways: through static routing or dynamic routing.

Static Routing

In environments that use static routing, routes and route information are manually entered into the routing tables. Not only can this be a time-consuming task, but also errors are more common. In addition, when a change occurs to the network’s layout, or topology, statically configured routers must be manually updated with the changes. Again, this is a time-consuming and potentially error-laden task. For these reasons, static routing is suited to only the smallest environments, with perhaps just one or two routers. A far more practical solution, particularly in larger environments, is to use dynamic routing.

You can add a static route to a routing table using the route add command. To do this, specify the destination network, its network mask, and the IP address of the gateway interface that your system will use to get the packet to that destination network.

The syntax for the route add command is as follows:

route add 192.168.2.1 mask 255.255.255.0 192.168.2.4

Adding a static route this way is not permanent; in other words, it will most likely be gone when the system reboots. To make it persistent (so that the route is still in the routing table after a boot), use the -p switch with the command.

ExamAlert

The route add command adds a static route to the routing table. The route add command with the -p switch makes the static route persistent. You might want to try this on your own before taking the Network+ exam.

Distributed switching is typically associated with telephone networks and is nothing more than an architecture in which multiple processor-controlled switching units are distributed. In this environment, there is usually a hierarchy of switches, with a centralized host switch working with remote switches located close to concentrations of users.

Default Route

In environments that use dynamic routing, there is usually one static route defined that is known as the default route. The default route, sometimes called the route (or gateway) of last resort, specifies the path to be used if no other route is known (no next-hop host is available from the routing table or other routing mechanisms). All packets with unknown destination addresses are sent to the default route.
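The way the routing table fields, the route add command and the default route fit together can be seen in a small host routing table. The Python below is an added example, not code from the book: the table is constructed for a host at 192.168.1.50/24 whose default gateway is 192.168.1.1, with two static routes of the kind route add creates. A lookup picks the entry whose Network Destination and Netmask cover the address, prefers the longest netmask, breaks ties on the lowest Metric, and falls back to the 0.0.0.0/0 default route; without that default route, an address on a remote network has no match at all.

```python
"""A host routing table with longest-prefix match, metrics and a default route.

Added example, not from the book; all addresses are constructed.
"""
import ipaddress

ON_LINK = "On-link"   # what Windows shows as the Gateway of a directly connected network


class RoutingTable:
    def __init__(self):
        self.routes = []   # (network, gateway, interface, metric)

    def add(self, destination, mask, gateway, interface, metric):
        """Same information as `route add DEST mask MASK GATEWAY`, plus interface and metric."""
        net = ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, gateway, interface, metric))

    def lookup(self, dest):
        """Choose the entry whose Network Destination/Netmask covers `dest`.

        The most specific (longest) netmask wins; among equal netmasks the
        lowest metric wins. Returns (network, gateway, interface) or None.
        """
        addr = ipaddress.IPv4Address(dest)
        best = None
        for net, gateway, interface, metric in self.routes:
            if addr not in net:
                continue
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, str(net), gateway, interface)
        return None if best is None else best[1:]

    def next_hop(self, dest):
        """Where the packet is actually sent: the gateway, or the host itself if on-link."""
        route = self.lookup(dest)
        if route is None:
            return None          # no matching route and no route of last resort
        _, gateway, _ = route
        return dest if gateway == ON_LINK else gateway

    def dump(self):
        print(f"{'Network Destination':20} {'Netmask':16} {'Gateway':16} {'Interface':14} Metric")
        for net, gateway, interface, metric in self.routes:
            print(f"{str(net.network_address):20} {str(net.netmask):16} {gateway:16} {interface:14} {metric}")


def sample_table(with_default=True):
    """Constructed table for a host at 192.168.1.50/24 (not a real capture)."""
    t = RoutingTable()
    if with_default:
        t.add("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.50", 25)          # default route
    t.add("127.0.0.0", "255.0.0.0", ON_LINK, "127.0.0.1", 331)
    t.add("192.168.1.0", "255.255.255.0", ON_LINK, "192.168.1.50", 281)         # local segment
    t.add("10.20.0.0", "255.255.0.0", "192.168.1.254", "192.168.1.50", 10)      # static route
    t.add("10.20.30.0", "255.255.255.0", "192.168.1.253", "192.168.1.50", 5)    # more specific
    t.add("10.20.30.0", "255.255.255.0", "192.168.1.254", "192.168.1.50", 20)   # same prefix, worse metric
    return t


if __name__ == "__main__":
    table = sample_table()
    table.dump()
    for dest in ["10.20.30.7", "10.20.99.1", "192.168.1.77", "8.8.8.8"]:
        print(dest, "->", table.lookup(dest), "next hop", table.next_hop(dest))
```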

Switching Methods

For systems to communicate on a network, the data needs a communication path or multiple paths on which to travel. To allow entities to communicate, these paths move the information from one location to another and back. This is the function of switching, which provides communication pathways between two endpoints and manages how data flows between them. Following are two of the more common switching methods used today:

  • Packet switching

  • Circuit switching

ExamAlert

You will be expected to identify the different switching features.

Packet Switching

In packet switching, messages are broken into smaller pieces called packets. Each packet is assigned source, destination, and intermediate node addresses. Packets are required to have this information because they do not always use the same path or route to get to their intended destination. Referred to as independent routing, this is one of the advantages of packet switching. Independent routing enables better use of available bandwidth by letting packets travel different routes to avoid high-traffic areas. Independent routing also enables packets to take an alternative route if a particular route is unavailable for some reason.

Note

Packet switching is the most popular switching method for networks and is used on most WANs.

In a packet-switching system, when packets are sent onto the network, the sending device is responsible for choosing the best path for the packet. This path might change in transit, and the receiving device can receive the packets in a random or nonsequential order. When this happens, the receiving device waits until all the data packets are received, and then it reconstructs them according to their built-in sequence numbers.
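The reassembly step described above is easy to see in code. The following Python is an added example, not from the book: it splits a constructed message into packets that each carry source, destination and a sequence number, delivers them in a scrambled order (with one duplicate) to imitate independent routing, and shows the receiver holding the pieces until every sequence number has arrived before it rebuilds the message.

```python
"""Packetizing a message and reassembling it after out-of-order delivery.

Added example, not from the book. Message, addresses and arrival order are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int          # position in the message; the receiver reorders by this
    total: int        # how many packets make up the whole message
    payload: bytes


def packetize(src, dst, message, size):
    """Split `message` into packets of at most `size` bytes, each with addresses and a sequence number."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [Packet(src, dst, seq, len(chunks), chunk) for seq, chunk in enumerate(chunks)]


class Reassembler:
    """Holds the packets of one message until every sequence number has arrived."""

    def __init__(self):
        self.buffer = {}
        self.total = None

    def receive(self, pkt):
        if self.total is None:
            self.total = pkt.total
        self.buffer.setdefault(pkt.seq, pkt.payload)   # a duplicate keeps the first copy
        return self.complete()

    def missing(self):
        return [s for s in range(self.total or 0) if s not in self.buffer]

    def complete(self):
        return self.total is not None and not self.missing()

    def message(self):
        """The original message, or None while packets are still outstanding."""
        if not self.complete():
            return None
        return b"".join(self.buffer[s] for s in range(self.total))


def deliver(packets, order):
    """Simulate independent routing: packets arrive in `order` (indexes may repeat)."""
    r = Reassembler()
    for i in order:
        r.receive(packets[i])
    return r


if __name__ == "__main__":
    pkts = packetize("192.168.1.5", "203.0.113.9", b"Packets may take different routes.", 8)
    r = deliver(pkts, [2, 0, 4, 2, 1])      # seq 3 has not arrived yet, seq 2 arrived twice
    print("missing:", r.missing(), "message:", r.message())
    r.receive(pkts[3])
    print("missing:", r.missing(), "message:", r.message())
```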

Two types of packet-switching methods are used on networks:

  • Virtual-circuit packet switching: A logical connection is established between the source and the destination device. This logical connection is established when the sending device initiates a conversation with the receiving device. The logical communication path between the two devices can remain active for as long as the two devices are available or can be used to send packets once. After the sending process has completed, the line can be closed.

  • Datagram packet switching: Unlike virtual-circuit packet switching, datagram packet switching does not establish a logical connection between the sending and receiving devices. The packets in datagram packet switching are independently sent, meaning that they can take different paths through the network to reach their intended destination. To do this, each packet must be individually addressed to determine its source and destination. This method ensures that packets take the easiest possible routes to their destination and avoid high-traffic areas. Datagram packet switching is mainly used on the Internet.

Circuit Switching

In contrast to the packet-switching method, circuit switching requires a dedicated physical connection between the sending and receiving devices. The most commonly used analogy to represent circuit switching is a telephone conversation in which the parties involved have a dedicated link between them for the duration of the conversation. When either party disconnects, the circuit is broken, and the data path is lost. This is an accurate representation of how circuit switching works with network and data transmissions. The sending system establishes a physical connection, and the data is transmitted between the two. When the transmission is complete, the channel is closed.

Some clear advantages to the circuit-switching technology make it well suited for certain applications, such as public switched telephone network (PSTN) and Integrated Services Digital Network (ISDN). The primary advantage is that after a connection is established, a consistent and reliable connection exists between the sending and receiving devices. This allows for transmissions at a guaranteed rate of transfer.

Like all technologies, circuit switching has its downsides. As you might imagine, a dedicated communication line can be inefficient. After the physical connection is established, it is unavailable to any other sessions until the transmission completes. Again, using the phone call analogy, this would be like a caller trying to reach another caller and getting a busy signal. Circuit switching therefore can be fraught with long connection delays.

Comparing Switching Methods

Table 3.7 provides an overview of the various switching technologies.

TABLE 3.7 Comparison of Switching Methods

Packet switching
  Pros: Packets can be routed around network congestion. Packet switching makes efficient use of network bandwidth.
  Cons: Packets can become lost while taking alternative routes to the destination.
  Key Features: Messages are divided into packets that contain source and destination information. The two types of packet switching are datagram and virtual circuit. Datagram packets are independently sent and can take different paths throughout the network. Virtual circuit uses a logical connection between the source and destination devices.

Circuit switching
  Pros: Circuit switching offers a dedicated transmission channel that is reserved until it is disconnected.
  Cons: Dedicated channels can cause delays because a channel is unavailable until one side disconnects.
  Key Features: Circuit switching uses a dedicated physical link between the sending and receiving devices. Circuit switching offers the capability of storing messages temporarily to reduce network congestion.

Dynamic Routing

In a dynamic routing environment, routers use special routing protocols to communicate. The purpose of these protocols is simple: they enable routers to pass on information about themselves to other routers so that other routers can build routing tables. Two types of routing protocols are used: the older distance-vector protocols and the newer link-state protocols. A third type, hybrid, combines features of these two.

Note

The use of any routing protocol to advertise routes that have been learned (through another protocol, through static configuration, and so on) is known as route redistribution.

Distance-Vector Routing

With distance-vector router communications, each router on the network communicates all the routes it knows about to the routers to which it is directly attached. In this way, routers communicate only with their router neighbors and are unaware of other routers that may be on the network.

The communication between distance-vector routers is known as hops. On the network, each router represents one hop, so a network using six routers has five hops between the first and last router.

The tracert command is used in a Windows environment to see how many hops a packet takes to reach a destination (the same functionality exists in macOS and Linux with the traceroute command). To try this at the command prompt, enter tracert comptia.org. Figure 3.6 shows an example of the output on a Windows workstation.

FIGURE 3.6 The results of running tracert on a Windows system

In addition to the tracert command in IPv4, you can get similar functionality in IPv6 with tracert -6, traceroute6, and traceroute -6.

Several distance-vector protocols are in use today, including Routing Information Protocol (RIP and RIPv2), and Enhanced Interior Gateway Routing Protocol (EIGRP):

  • RIP: As mentioned earlier, RIP is a distance-vector routing protocol. RIP is limited to a maximum of 15 hops. One of the downsides of the protocol is that the original specification required router updates to be transmitted every 30 seconds. On smaller networks this is acceptable; however, this can result in a huge traffic load on larger networks. The original RIP specification also did not support router authentication, leaving it vulnerable to attacks.

  • RIPv2: The second version of RIP dealt with the shortcomings of the original design. Authentication was included to enable secure transmissions; also, it changed from a network-wide broadcast discovery method to a multicast method to reduce overall network traffic. However, to maintain compatibility with RIP, RIPv2 still supports a limit of 15 hops.

  • EIGRP: This protocol enables routers to exchange information more efficiently than earlier network protocols. EIGRP uses its neighbors to help determine routing information. Routers configured to use EIGRP keep copies of their neighbors’ routing information and query these tables to help find the best possible route for transmissions to follow. EIGRP uses Diffusing Update Algorithm (DUAL) to determine the best route to a destination.

ExamAlert

Be sure that you can identify the differences between the distance-vector protocols discussed here.

Note

Just as with DNS (discussed in Chapter 2), a TTL (time to live) value applies to routing. In this case, the TTL value is the maximum time or, in practice, the maximum number of hops that a packet may travel before a router discards it.

Distance-vector routing protocols operate by having each router send updates about all the other routers it knows about to the routers directly connected to it. The routers use these updates to compile their routing tables. The updates are sent automatically every 30 or 60 seconds. The interval depends on the routing protocol used. Apart from the periodic updates, routers can also be configured to send a triggered update if a change in the network topology is detected. The process by which routers learn of a change in the network topology is called convergence.

Routing loops can occur on networks with slow convergence. Routing loops occur when the routing tables on the routers are slow to update and a redundant communication cycle is created between routers. Two strategies can combat potential routing loops:

  • Split horizon: Works by preventing the router from advertising a route back to the other router from which it was learned. This prevents two nodes from bouncing packets back and forth between them, creating a loop.

  • Poison reverse (also called split horizon with poison reverse): Dictates that the route is advertised back on the interface from which it was learned, but it has a hop count of infinity, which tells the node that the route is unreachable.
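The effect of split horizon and poison reverse on convergence shows up clearly in a simulation. The Python below is an added example, not from the book: three routers in a line (A, B, C), each with one directly connected network, exchange distance-vector updates in synchronous rounds, with 16 standing for "unreachable" as in RIP. When C disappears, plain updates let A advertise its stale route to netC back to B, and the two routers count the metric up toward 16 one round at a time (a routing loop while it lasts); with split horizon the stale route is never sent back, and with poison reverse it is sent back as unreachable, so in both cases the tables settle in two rounds.

```python
"""Distance-vector updates with and without split horizon / poison reverse.

Added example, not from the book. Topology A - B - C is constructed.
"""
INFINITY = 16          # RIP's "unreachable" hop count


class Router:
    def __init__(self, name, connected_net):
        self.name = name
        self.neighbors = []
        # destination -> (metric, next hop); a connected network has no next hop
        self.table = {connected_net: (0, None)}

    def advertisement(self, to_neighbor, mode):
        """The routes this router sends to one neighbor.

        "plain":          every route, including those learned from that neighbor
        "split_horizon":  leave out routes learned from that neighbor
        "poison_reverse": send them, but with metric INFINITY
        """
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == to_neighbor.name:
                if mode == "split_horizon":
                    continue
                if mode == "poison_reverse":
                    metric = INFINITY
            adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford update. Returns True if the table changed."""
        changed = False
        for dest, adv_metric in adv.items():
            metric = min(adv_metric + 1, INFINITY)           # one hop across the link
            cur_metric, cur_next = self.table.get(dest, (INFINITY, None))
            # A route that already goes via this sender is refreshed even if it
            # got worse; any other route is replaced only by a better one.
            if cur_next == sender.name or metric < cur_metric:
                if (metric, sender.name) != (cur_metric, cur_next):
                    self.table[dest] = (metric, sender.name)
                    changed = True
        return changed


def exchange_round(routers, mode):
    """Every router advertises to each neighbor; all updates are applied afterwards."""
    advs = [(r, n, r.advertisement(n, mode)) for r in routers for n in r.neighbors]
    changed = False
    for sender, receiver, adv in advs:
        if receiver.receive(sender, adv):
            changed = True
    return changed


def rounds_until_stable(routers, mode, limit=50):
    """Number of the first round in which no table changes (convergence)."""
    for i in range(1, limit + 1):
        if not exchange_round(routers, mode):
            return i
    return limit


def simulate(mode):
    """Converge A - B - C, then remove C and report (rounds, netC metric at A, at B)."""
    a, b, c = Router("A", "netA"), Router("B", "netB"), Router("C", "netC")
    a.neighbors, b.neighbors, c.neighbors = [b], [a, c], [b]
    rounds_until_stable([a, b, c], mode)          # normal convergence
    assert a.table["netC"] == (2, "B")
    # C goes away: B marks netC unreachable and hears nothing more from C.
    b.neighbors = [a]
    b.table["netC"] = (INFINITY, "C")
    rounds = rounds_until_stable([a, b], mode)
    return rounds, a.table["netC"][0], b.table["netC"][0]


if __name__ == "__main__":
    for mode in ("plain", "split_horizon", "poison_reverse"):
        rounds, at_a, at_b = simulate(mode)
        print(f"{mode:15} stable after round {rounds:2}  netC metric at A={at_a}, B={at_b}")
```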

ExamAlert

If a change in the routing is made, it takes some time for the routers to detect and accommodate this change. This is known as convergence.

Although distance-vector protocols can maintain routing tables, they have three problems:

  • The periodic update system can make the update process slow.

  • The periodic updates can create large amounts of network traffic—much of the time unnecessarily, because the network’s topology should rarely change.

  • Perhaps the most significant problem is that because the routers know about only the next hop in the journey, incorrect information can be propagated between routers, creating routing loops.

ExamAlert

Know that “next hop” in routing is the next closest router that a packet can go through.

Link-State Routing

A router that uses a link-state protocol differs from a router that uses a distance-vector protocol because it builds a map of the entire network and then holds that map in memory. On a network that uses a link-state protocol, routers send link-state advertisements (LSAs) that contain information about the networks to which they connect. The LSAs are sent to every router on the network, thus enabling the routers to build their network maps.

When the network maps on each router are complete, the routers update each other at a given time, just like with a distance-vector protocol; however, the updates occur much less frequently with link-state protocols than with distance-vector protocols. The only other circumstance under which updates are sent is if a change in the topology is detected, at which point the routers use LSAs to announce the change and update their routing tables. This mechanism, combined with the fact that routers hold maps of the entire network, makes convergence on a link-state-based network occur quickly.

Although it might seem like link-state protocols are an obvious choice over distance-vector protocols, routers on a link-state-based network require more powerful hardware and more RAM than those on a distance-vector-based network. Not only do the routing tables need to be calculated, but they must also be stored. A router that uses distance-vector protocols need only maintain a small database of the routes accessible by the routers to which it is directly connected. A router that uses link-state protocols must maintain a database of all the routers in the entire network.

Link-state protocols include the following:

  • Open Shortest Path First (OSPF): A link-state routing protocol based on the shortest path first (SPF) algorithm to find the least-cost path to any destination in the network. In operation, each router using OSPF sends a list of its neighbors to other routers on the network. From this information, routers can determine the network design and the shortest path for data to travel.

  • Intermediate System-to-Intermediate System (IS-IS): A link-state protocol that discovers the shortest path for data to travel using the SPF algorithm. IS-IS routers distribute topology information to other routers, enabling them to make the best path decisions.

So, what’s the difference between the two? OSPF (a network layer protocol) is more often used in medium to large enterprise networks because of its special tunneling features. IS-IS is more often used in large ISP networks because of its stability features and because it can support more routers.
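To make the SPF step concrete, here is an added Python example (it is not from this book or from any router vendor’s code) that runs the shortest path first algorithm over a small, constructed link-state database and then recomputes after a link goes down. The router names, link costs, and the dictionary layout of the LSDB are assumptions made for the example; a real OSPF router holds the same information as a database of LSAs.

```python
import heapq

# Constructed link-state database (LSDB): every router's LSA lists its
# neighbours and the cost of each link. Hypothetical topology, not from
# the chapter; costs are symmetric to keep the example small.
LSDB = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R3": 1, "R4": 5},
    "R3": {"R1": 1, "R2": 1, "R4": 20},
    "R4": {"R2": 5, "R3": 20},
}


def spf(lsdb, source):
    """Run the shortest path first (Dijkstra) algorithm from `source`.

    Returns {router: (total_cost, next_hop)}; next_hop is the directly
    connected neighbour the packet is handed to, which is what the routing
    table actually needs.
    """
    dist = {source: 0}
    next_hop = {}
    heap = [(0, source, None)]     # (cost so far, router, first hop on path)
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue               # a cheaper path was already settled
        done.add(node)
        next_hop[node] = first_hop
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                # neighbours of the source are their own first hop
                heapq.heappush(heap, (new_cost, nbr, nbr if node == source else first_hop))
    return {r: (dist[r], next_hop[r]) for r in done}


def withdraw_link(lsdb, a, b):
    """Return a new LSDB with the a<->b link removed, as after a link-down LSA."""
    new = {r: dict(nbrs) for r, nbrs in lsdb.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


if __name__ == "__main__":
    print(spf(LSDB, "R1"))
    print(spf(withdraw_link(LSDB, "R2", "R3"), "R1"))
```

Note that R1 reaches R2 through R3 (cost 2) rather than over the direct link (cost 10): a link-state router trusts its map, not the adjacency. After the R2–R3 link is withdrawn the recomputation happens locally from the updated map, which is why convergence is fast.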

Hybrid Routing Protocols

When you want the best of both worlds, distance vector and link state, you can turn to a hybrid protocol. The one hybrid protocol to know for this exam is the Border Gateway Protocol (BGP). BGP can be used between gateway hosts on the Internet. BGP examines the routing table, which contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. BGP communicates between the routers using TCP. BGP supports the use of autonomous system numbers (ASNs), which are globally unique numbers used by connected groups of IP networks that share the same routing policy.

ExamAlert

Be prepared to identify the link-state and distance-vector routing protocols used on TCP/IP networks, as well as the BGP hybrid.

Network Traffic

Network access methods govern how systems access the network media and send data. Access methods are necessary to ensure that systems on the network can communicate with each other. Without an access method, two systems could communicate at the exclusion of every other system. Access methods ensure that everyone gets an opportunity to use the network.

Several access methods are used in networks; the most popular are CSMA/CD and CSMA/CA. Look at CSMA/CD first and then CSMA/CA.

Carrier Sense Multiple Access/Collision Detection (CSMA/CD), which is defined in the IEEE 802.3 standard, is the most common media access method because it is associated with 802.3 Ethernet networking, which is by far the most popular networking standard. CSMA/CD is a Media Access Control (MAC) protocol.

On a network that uses CSMA/CD, when a system wants to send data to another system, it first checks to see whether the network medium is free. It must do this because each piece of network medium used in a LAN can carry only one signal at a time. If the sending node detects that the medium is free, it transmits, and the data is sent to the destination. It seems simple.

Now, if it always worked like this, you wouldn’t need the CD part of CSMA/CD. Unfortunately, in networking, as in life, things do not always go as planned. The problem arises when two systems attempt to transmit at the same time. It might seem unlikely that two systems would pick the same moment to send data, but you are dealing with communications that occur many times in a single second—and most networks have more than two machines. Imagine that 200 people are in a room. The room is silent, but then two people decide to say something at the same time. Before they start to speak, they check (listen) to see whether someone else is speaking; because no one else is speaking, they begin to talk. The result is two people speaking at the same time, which is similar to a network collision.

Collision detection works by detecting fragments of the transmission on the network media that result when two systems try to talk at the same time. The two systems wait for a randomly calculated amount of time before attempting to transmit again. This amount of time—a matter of milliseconds—is known as the backoff period or jam signal.

ExamAlert

Know that collisions do occur with CSMA. You can detect them (CD) or attempt to avoid them (CA).

When the backoff period has elapsed, the system attempts to transmit again. If the system does not succeed on the second attempt, it keeps retrying until it gives up and reports an error.

ExamAlert

CSMA/CD is known as a contention media access method because systems contend for access to the media.

The upside of CSMA/CD is that it has relatively low overhead, meaning that not much is involved in the workings of the system. The downside is that as more systems are added to the network, more collisions occur, and the network becomes slower. The performance of a network that uses CSMA/CD degrades exponentially as more systems are added. Its low overhead means that CSMA/CD systems theoretically can achieve greater speeds than high-overhead systems. However, because collisions take place, the chance of all that speed translating into usable bandwidth is relatively low.

ExamAlert

On a network that uses CSMA/CD, every node has equal access to the network media.

Despite its problems, CSMA/CD is an efficient system. As a result, rather than replace it with some other technology, workarounds have been created that reduce the likelihood of collisions. One such strategy is the use of network switches that create multiple collision domains and therefore reduce the impact of collisions on performance.

Instead of collision detection, as with CSMA/CD, the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) access method uses signal avoidance rather than detection. In a networked environment, CSMA/CA is the access mechanism used with the 802.11 wireless standards.

On CSMA/CA networks, each computer signals its intent to transmit data before any data is actually sent. When a networked system detects a potential collision, it waits before sending the transmission, allowing systems to avoid transmission collisions. The CSMA/CA access method uses a random backoff time that determines how long to wait before trying to send data on the network. When the backoff time expires, the system again “listens” to verify a clear channel on which to transmit. If the medium is still busy, another backoff interval is initiated that is less than the first. The process continues until the wait time reaches zero, and the medium is clear.

CSMA/CA uses a broadcast method to signal its intention to transmit data. Network broadcasts create a considerable amount of network traffic and can cause network congestion, which could slow down the entire network. Because CSMA/CD and CSMA/CA differ only in terms of detection and avoidance, they have similar advantages and disadvantages.

ExamAlert

CSMA/CA is the access mechanism used with the 802.11 wireless standards. Know that CSMA/CA uses broadcasts.

Note

The CSMA/CA access method uses a “listen before talking” strategy. Any system wanting to transmit data must first verify that the channel is clear before transmitting, thereby avoiding potential collisions.

Routing Metrics

Following are several metrics related to routing that you should know for the exam:

  • Hop counts are the number of hops necessary to reach a node. A hop count of infinity means the route is unreachable.

  • The maximum transmission unit (MTU) defines the largest data unit that can be passed without fragmentation.

  • Bandwidth specifies the maximum packet size permitted for Internet transmission.

  • Costs are the numbers associated with traveling from point A to point B (often hops). The lower the total costs (the fewer links in the route), the more that route should be favored.

  • Administrative distance is a numerical value assigned to a route based on its perceived quality. The number may be manually assigned, or assigned based on an algorithm employed by a routing protocol. The lower the number, the better the route is believed to be: 0 is the best and 255 is the worst.

  • Latency is the amount of time it takes for a packet to travel from one location to another.

In the following section, we look at Spanning Tree Protocols, but before we do, it is important to point out here that they are being replaced by shortest path bridging (SPB), based on IEEE 802.1aq. The big advantage of SPB is that it allows for multiple equal cost paths, leading to faster convergence times and improving the use of mesh topologies for increased bandwidth.
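The metrics above decide which of several candidate routes for the same prefix a router installs. The following added Python example (not from this book) shows the order of that decision: administrative distance first, then the metric, with a distance-vector route at a hop count of infinity treated as unreachable. The administrative distance values are the usual Cisco defaults and the candidate routes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Administrative distances as commonly defaulted on Cisco routers; lower wins.
# (Assumed defaults for the example; check your own platform's table.)
DEFAULT_AD = {"connected": 0, "static": 1, "eBGP": 20, "OSPF": 110, "RIP": 120}

RIP_INFINITY = 16   # RIP's "hop count of infinity": the route is unreachable


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str       # where the route was learned: "OSPF", "RIP", "static", ...
    metric: int       # protocol-specific: hops for RIP, cost for OSPF
    next_hop: str


def is_reachable(c: Candidate) -> bool:
    """A distance-vector route advertised at infinity is a poisoned route."""
    return not (c.source == "RIP" and c.metric >= RIP_INFINITY)


def select_route(candidates, ad_table=DEFAULT_AD) -> Optional[Candidate]:
    """Choose the route to install for one prefix.

    Administrative distance is compared first because metrics from different
    protocols are not comparable (a RIP hop count means nothing next to an
    OSPF cost); the metric only breaks ties between routes from the same source.
    """
    usable = [c for c in candidates if is_reachable(c)]
    if not usable:
        return None
    return min(usable, key=lambda c: (ad_table[c.source], c.metric))


if __name__ == "__main__":
    # Constructed candidates for one prefix; 192.0.2.0/24 is documentation space.
    routes = [
        Candidate("10.0.0.0/8", "RIP", 2, "192.0.2.1"),
        Candidate("10.0.0.0/8", "OSPF", 50, "192.0.2.2"),
        Candidate("10.0.0.0/8", "RIP", 16, "192.0.2.3"),
    ]
    print(select_route(routes))
```

The RIP route with only 2 hops loses to the OSPF route with a cost of 50: a lower metric never overrides a worse administrative distance.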

Virtual Local-Area Networks

The word virtual is used a lot in the computing world—perhaps too often. For virtual local-area networks (VLANs), the word virtual does little to help explain the technology. Perhaps a more descriptive name for the VLAN concept might have been segmented. For now at least, use virtual.

Tip

802.1Q is the Institute of Electrical and Electronics Engineers (IEEE) specification developed to ensure interoperability of VLAN technologies from the various vendors.

VLANs are used for network segmentation, a strategy that significantly increases the network’s performance capability, removes potential performance bottlenecks, and can even increase network security. A VLAN is a group of connected computers that act as if they are on their own network segment, even though they might not be. For instance, suppose that you work in a three-story building in which the advertising employees are spread over all three floors. A VLAN can enable all the advertising personnel to be combined and access network resources as if they were connected on the same physical segment. This virtual segment can be isolated from other network segments. In effect, it would appear to the advertising group that they were on a network by themselves.

ExamAlert

VLANs enable you to create multiple broadcast domains on a single switch. In essence, this is the same as creating separate networks for each VLAN.

VLANs offer some clear advantages. Logically segmenting a network gives administrators flexibility beyond the restrictions of the physical network design and cable infrastructure. VLANs enable easier administration because the network can be divided into well-organized sections. Furthermore, you can increase security by isolating certain network segments from others. For example, you can segment the marketing personnel from finance or the administrators from the students. VLANs can ease the burden on overworked routers and reduce broadcast storms. Table 3.8 summarizes the benefits of VLANs.

TABLE 3.8 Benefits of VLANs

Advantage                | Description
-------------------------|------------------------------------------------------------------------------------------------------------------------------------------
Increased security       | With the creation of logical (virtual) boundaries, network segments can be isolated.
Increased performance    | By reducing broadcast traffic throughout the network, VLANs free up bandwidth.
Organization             | Network users and resources that are linked and that communicate frequently can be grouped in a VLAN.
Simplified administration | With a VLAN the network administrator’s job is easier when moving users between LAN segments, recabling, addressing new stations, and reconfiguring switches and routers.

VLAN Trunking Protocol (VTP), a Cisco proprietary protocol, is used to reduce administration in the switched network. You can, for example, put all switches in the same VTP domain and reduce the need to configure the same VLAN everywhere.

Trunking falls under 802.1Q and a trunk port is one that is assigned to carry traffic for a specific switch (as opposed to an access port). The trunk port is usually fiber optic and used to interconnect switches to make a network, to interconnect LANs to make a WAN, and so on.

ExamAlert

IEEE 802.1Q also focuses on tagging and untagging in VLANs. Tagging means that the port will send out a packet with a header that has a tag number that matches its VLAN tag number. On any given port you can have just one untagged VLAN, and that will be the default port traffic will go to unless it is tagged to go elsewhere.

Port binding determines whether and how a port is bound. This can be done in one of three ways: static, dynamic, or ephemeral. Conversely, port aggregation is the combining of multiple ports on a switch, and it can be done in one of three ways: auto, desirable, or on.

The Link Aggregation Control Protocol (LACP) is a common aggregation protocol that enables multiple physical ports to be bound together. Most devices allow you to bind up to four, but some go up to eight.

VLAN Membership

You can use several methods to determine VLAN membership or how devices are assigned to a specific VLAN. The following sections describe the common methods to determine how VLAN membership is assigned:

  • Protocol-based VLANs: With protocol-based VLAN membership, computers are assigned to VLANs using the protocol in use and the Layer 3 address. For example, this method enables a particular IP subnet to have its own VLAN.

    The term Layer 3 address refers to one of the most important networking concepts, the Open Systems Interconnection (OSI) reference model. This conceptual model, created by the International Organization for Standardization (ISO) in 1978 and revised in 1984, describes a network architecture that enables data to be passed between computer systems. There are seven layers in total, which are discussed in detail in Chapter 2. In brief, Layer 3, known as the network layer, identifies the mechanisms by which data can be moved between two networks or systems, such as transport protocols, which in the case of TCP/IP is IP.

    Although VLAN membership may be based on Layer 3 information, this has nothing to do with routing or routing functions. The IP numbers are used only to determine the membership in a particular VLAN, not to determine routing.

  • Port-based VLANs: Port-based VLANs require that specific ports on a network switch be assigned to a VLAN. For example, ports 1 through 4 may be assigned to marketing, ports 5 through 7 may be assigned to sales, and so on. Using this method, a switch determines VLAN membership by taking note of the port used by a particular packet. Figure 3.7 shows how the ports on a server could be used for port-based VLAN membership.

FIGURE 3.7 Port-based VLAN membership

  • MAC address-based VLANs: The Media Access Control (MAC) address is a unique 12-digit hexadecimal number that is stamped into every network interface card. Every device used on a network has this unique address built in to it. It cannot be modified in any way. As you may have guessed, the MAC address type of a VLAN assigns membership according to the workstation’s MAC address. To do this, the switch must keep track of the MAC addresses that belong to each VLAN. The advantage of this method is that a workstation computer can be moved anywhere in an office without needing to be reconfigured. Because the MAC address does not change, the workstation remains a member of a particular VLAN. Table 3.9 provides examples of the membership of MAC address-based VLANs.

TABLE 3.9 MAC Address-Based VLANs

MAC Address        | VLAN | Description
-------------------|------|---------------
44-45-53-54-00-00  | 1    | Sales
44-45-53-54-13-12  | 2    | Marketing
44-45-53-54-D3-01  | 3    | Administration
44-45-53-54-F5-17  | 1    | Sales
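The membership decision a switch makes on ingress, and the 802.1Q tag it uses to carry that decision across a trunk, can be shown in a few lines. Here is an added Python example (it is not from this book or from any switch vendor) that parses an Ethernet frame with an optional 802.1Q tag and assigns a VLAN using the MAC addresses from Table 3.9. The membership policy it applies (tagged frames keep their tag, untagged frames are looked up by source MAC, and anything else goes to the native VLAN) is a simplified assumption for the example, as are the frames it constructs.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC-to-VLAN membership table built from Table 3.9.
MAC_VLANS = {
    "44:45:53:54:00:00": 1,   # Sales
    "44:45:53:54:13:12": 2,   # Marketing
    "44:45:53:54:d3:01": 3,   # Administration
    "44:45:53:54:f5:17": 1,   # Sales
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header with an optional 802.1Q tag.

    The tag sits between the source MAC and the EtherType: 0x8100 followed by
    a 16-bit TCI whose top 3 bits are the priority (CoS) and low 12 bits the
    VLAN ID. `vlan` is None for an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan, pcp, offset = None, None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "pcp": pcp, "ethertype": etype, "payload": frame[offset:]}


def assign_vlan(frame: bytes, table=MAC_VLANS, native_vlan=1) -> int:
    """Decide which VLAN an ingress frame belongs to (simplified policy,
    an assumption for this example):
      - a tagged frame (trunk traffic) keeps the VLAN in its tag;
      - an untagged frame from a MAC in the membership table goes to that VLAN;
      - any other untagged frame lands in the native (untagged) VLAN.
    """
    hdr = parse_frame(frame)
    if hdr["vlan"] is not None:
        return hdr["vlan"]
    return table.get(hdr["src"], native_vlan)


def build_frame(dst: str, src: str, payload: bytes, vlan=None, pcp=0) -> bytes:
    """Construct a test frame, tagged when `vlan` is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "44:45:53:54:13:12", b"hello")
    print(parse_frame(f), "->", assign_vlan(f))
```

Two details matter for security: the VLAN ID is only 12 bits (1 through 4094 are usable), and a frame that arrives already tagged is trusted as trunk traffic by this policy, which is why access ports on real switches are configured not to honor tags from end stations.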

VLAN Segmentation

The capability to logically segment a LAN provides a level of administrative flexibility, organization, and security. Whether the LAN is segmented using the protocol, MAC address, or port, the result is the same: the network is segmented. The segmentation is used for several reasons, including security, organization, and performance. To give you a better idea of how this works, Figure 3.8 shows a network that doesn’t use a VLAN.

FIGURE 3.8 Network configuration without using a VLAN

In Figure 3.8, all systems on the network can see each other. That is, the students can see the finance and administrator computers. Figure 3.9 shows how this network may look using a VLAN.

FIGURE 3.9 Network configuration using a VLAN

ExamAlert

Remember that one of the primary purposes of segmentation is to protect sensitive information from other hosts or the rest of the network in general.

The Spanning Tree Protocol

An Ethernet network can have only a single active path between devices on a network. When multiple active paths are available, switching loops can occur. Switching loops are the result of having more than one path between two switches in a network. Spanning Tree Protocol (STP) is designed to prevent these loops from occurring.

STP is used with network bridges and switches. With the help of Spanning Tree Algorithm (STA), STP avoids or eliminates loops on a Layer 2 bridge.

Note

Keep in mind that STP operates at Layer 2 of the OSI model. Both bridges and most switches work at Layer 2; routers work at Layer 3, as do Layer 3 switches.

STA enables a bridge or switch to dynamically work around loops in a network’s topology. Both STA and STP were developed to prevent loops in the network and provide a way to route around any failed network bridge or ports. If the network topology changes, or if a switch port or bridge fails, STA creates a new spanning tree, notifies the other bridges of the problem, and routes around it. STP is the protocol, and STA is the algorithm STP uses to correct loops.

If a particular port has a problem, STP can perform a number of actions, including blocking the port, disabling the port, or forwarding data destined for that port to another port. It does this to ensure that no redundant links or paths are found in the spanning tree and that only a single active path exists between any two network nodes.

STP uses bridge protocol data units (BPDUs) to identify the status of ports and bridges across the network. BPDUs are simple data messages exchanged between switches. BPDUs contain information on ports and provide the status of those ports to other switches. If a BPDU message finds a loop in the network, it is managed by shutting down a particular port or bridge interface.

Redundant paths and potential loops can be avoided within ports in several ways:

  • Blocking: A blocked port accepts BPDU messages but does not forward them.

  • Disabled: The port is offline and does not accept BPDU messages.

  • Forwarding: The port is part of the active spanning tree topology and forwards BPDU messages to other switches.

  • Learning: In a learning state, the port is not part of the active spanning tree topology but can take over if another port fails. Learning ports receive BPDUs and identify changes to the topology when made.

  • Listening: A listening port receives BPDU messages and monitors for changes to the network topology.

Most of the time, ports are in either a forwarding or blocked state. When a disruption to the topology occurs or a bridge or switch fails for some reason, listening and learning states are used.

ExamAlert

STP actively monitors the network, searching for redundant links. When it finds some, it shuts them down to prevent switching loops. STP uses STA to create a topology database to find and then remove the redundant links. With STP operating from the switch, data is forwarded on approved paths, which limits the potential for loops.
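The root election and the blocking decision can be followed step by step with a small model. The Python below is an added example (not from this book or any switch vendor’s implementation) that simulates BPDU exchange between three switches in a triangle: each switch keeps the best BPDU it has heard, the lowest bridge ID becomes root, and on each segment the side with the worse (root, cost, bridge ID) either uses the port as its root port or blocks it. Bridge priorities, MAC addresses, port names, and path costs are assumptions for the example, and the synchronous exchange is a simplification of the real timer-driven protocol.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str

    @property
    def bid(self):
        # bridge ID = (priority, MAC); the lowest value wins the root election
        return (self.priority, self.mac)


@dataclass(frozen=True)
class Link:
    a: str      # bridge name on one end
    pa: str     # its port
    b: str      # bridge name on the other end
    pb: str     # its port
    cost: int   # path cost of the segment


def converge(bridges, links):
    """Exchange BPDUs until nothing changes (a simplified, synchronous model).

    Every bridge starts by claiming to be root and keeps the best BPDU it has
    heard, compared as (root ID, root path cost, sender ID, receiving port),
    lower being better. Returns {name: (root_id, root_path_cost, root_port)}.
    """
    by_name = {br.name: br for br in bridges}
    best = {n: (br.bid, 0, br.bid, None) for n, br in by_name.items()}
    changed = True
    while changed:
        changed = False
        for l in links:
            for src, dst, dst_port in ((l.a, l.b, l.pb), (l.b, l.a, l.pa)):
                root, cost, _, _ = best[src]
                offer = (root, cost + l.cost, by_name[src].bid, dst_port)
                if offer < best[dst]:
                    best[dst] = offer
                    changed = True
    return {n: (v[0], v[1], v[3]) for n, v in best.items()}


def port_roles(bridges, links):
    """Assign each port a role: on every segment the side with the better
    (root, cost, bridge ID) is designated; the other side's port is the root
    port if it leads toward the root, otherwise it is blocked to break the loop."""
    by_name = {br.name: br for br in bridges}
    state = converge(bridges, links)
    roles = {}
    for l in links:
        key = lambda n: (state[n][0], state[n][1], by_name[n].bid)
        if key(l.a) <= key(l.b):
            des, des_port, oth, oth_port = l.a, l.pa, l.b, l.pb
        else:
            des, des_port, oth, oth_port = l.b, l.pb, l.a, l.pa
        roles[(des, des_port)] = "designated"
        roles[(oth, oth_port)] = "root" if state[oth][2] == oth_port else "blocking"
    return roles


def root_bridge(bridges, links):
    """The root is the one bridge whose root path cost stays at zero."""
    state = converge(bridges, links)
    return next(n for n, (_, cost, _) in state.items() if cost == 0)


# Constructed topology: SW1 is given the lowest priority so it wins the election.
BRIDGES = [Bridge("SW1", 4096, "00:00:00:00:00:01"),
           Bridge("SW2", 32768, "00:00:00:00:00:02"),
           Bridge("SW3", 32768, "00:00:00:00:00:03")]
LINKS = [Link("SW1", "g0/1", "SW2", "g0/1", 4),
         Link("SW1", "g0/2", "SW3", "g0/1", 4),
         Link("SW2", "g0/2", "SW3", "g0/2", 4)]

if __name__ == "__main__":
    print("root:", root_bridge(BRIDGES, LINKS))
    for port, role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(port, role)
```

SW2 and SW3 both reach the root at cost 4, so the SW2–SW3 segment is the redundant link; SW2 wins the designated role by its lower bridge ID and SW3 blocks g0/2. Removing the SW1–SW3 link from `LINKS` shows the recovery: SW3’s blocked port becomes its root port. The model also shows why an unexpected low-priority bridge matters: whoever advertises the lowest bridge ID becomes root, which is the reason switch features that guard the root role on edge ports exist.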

Interface Configuration and Switch Management

Aside from VLAN trunking (802.1Q), binding, and a number of other possibilities previously discussed in this chapter, when you configure a switch interface, there are often other options that you can choose or tweak. They include the following:

  • Tag versus untag VLANs: Tagging should be used if you are trunking. Because trunking combines VLANs, you need a way to identify which packet belongs to which VLAN; this is easily accomplished by placing a VLAN header (a tag) in the data packet. The only VLAN that is not tagged in a trunk is the native VLAN, and frames are transmitted to it unchanged.

  • Default VLAN: The default VLAN is mandatory (cannot be deleted) and is used for communication between switches (such as configuring STP). In the Cisco world, the default VLAN is VLAN 1.

  • Flow control: Ethernet provides a means of temporarily stopping the transmission of data to ensure zero packet loss in the presence of network congestion. This is accomplished using flow control and the pause frame. First appearing as a part of the IEEE 802.3x standard, it was further expanded upon in the IEEE 802.1Qbb standard.

  • Port mirroring: Also known as port spanning, port mirroring is covered in more detail later in this chapter.

  • Port security: Port security works at Layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. This essentially differentiates so-called dumb switches from managed (or intelligent) switches. Three main areas of port security are (1) MAC limiting and filtering (limit access to the network to MAC addresses that are known, and filter out those that are not); (2) 802.1X (adding port authentication to MAC filtering takes security for the network down to the switch port level and increases your security exponentially); and (3) blocking unused ports (all ports not in use should be disabled).

  • Authentication, accounting, and authorization (AAA): AAA overrides can also be configured for network security parameters as needed. AAA is the primary method for access control and often uses RADIUS, TACACS+, or Kerberos to accomplish integrated security.

  • Usernames/passwords: It is possible to configure, without AAA, local username authentication using a configured username and password. This does not provide the same level of access control as AAA does and is not recommended.

  • Virtual consoles and terminals: The console port (often called the virtual console or VC) is often a serial or parallel port, and it is possible for virtual ports to connect to physical ports. The virtual terminal (vt or vty) is a remote port connected to through Telnet or a similar utility and, as an administrator, you will want to configure an access list to limit who can use it.

ExamAlert

Know that the simplest way to protect a virtual terminal interface is to configure a username and password for it and prevent unauthorized logins.

  • Jumbo Frames: One of the biggest issues with networking is that data of various sizes is crammed into packets and sent across the medium. Each time this is done, headers are created (more data to process), along with any filler needed, creating additional overhead. To get around this, the concept of jumbo frames is used to allow for very large Ethernet frames; by sending a lot of data at once, the number of packets is reduced, and the data sent is less processor intensive.

  • Other: Other common configuration parameters include the speed, whether duplexing will be used or not, IP addressing, and the default gateway. Duplexing determines the direction in which data can flow through the network media and is discussed in Chapter 5, “Cabling Solutions and Issues.”

MDI-X

One technology that simplifies crossovers is the auto-medium-dependent interface crossover (MDI-X to friends). This technology expands on MDI (medium dependent interface) and enables ports on newer network interfaces to detect if the connection would require a crossover: if it would, then it automatically chooses the configuration (MDI or MDI-X) needed to match the other end of the link.

Trunking

In computer networking, the term trunking refers to the use of multiple network cables or ports in parallel to increase the link speed beyond the limits of any one cable or port. Sound confusing? If you have network experience, you might have heard the term link aggregation, which is essentially the same thing. It is using multiple cables to increase the throughput. The higher-capacity trunking link is used to connect switches to form larger networks.

Note

Aggregation is a popular term any time multiples are combined. The term route aggregation applies when specific routes are combined into one route, and this is accomplished in BGP with the aggregate-address command.

VLAN trunking is the application of trunking to the virtual LAN—now common with routers, firewalls, VMware hosts, and wireless access points. VLAN trunking provides a simple and cheap way to offer a nearly unlimited number of virtual network connections. The requirements are only that the switch, the network adapter, and the OS drivers all support VLANs. The VLAN Trunking Protocol (VTP) is a proprietary protocol from Cisco for just such a purpose.

Port Mirroring

You need some way to monitor network traffic and monitor how well a switch works. This is the function of port mirroring, also known as port spanning. Port mirroring copies the traffic from all ports to a single port and disallows bidirectional traffic on that port. There are a number of reasons why port mirroring can be used (duplicating the data for one port and sending it to another). One of the most common is to monitor the traffic. This can be done locally or remotely—the latter using a remote protocol such as Remote Switched Port Analyzer (RSPAN) instead of Switched Port Analyzer (SPAN). To use port mirroring, administrators configure a copy of all inbound and outbound traffic to go to a certain port. A protocol analyzer examines the data sent to the port and therefore does not interrupt the flow of regular traffic.

ExamAlert

Port mirroring enables administrators to monitor the traffic outbound and inbound to the switch.

Port Authentication

Port authentication is what it sounds like—authenticating users on a port-by-port basis. One standard that specifies port authentication is the 802.1X standard, often associated with wireless security. Systems that attempt to connect to a LAN port must be authenticated. Those who are authenticated can access the LAN; those who are not authenticated get no further.

Power over Ethernet (PoE and PoE+)

The purpose of Power over Ethernet (PoE) is pretty much described in its name. Essentially, PoE is a technology defined by 802.3af that enables electrical power to transmit over twisted-pair Ethernet cable. This was enhanced/extended in 2009 by 802.3at, also known as Power over Ethernet plus (PoE+), to be able to provide more power (increasing from 12.95W to 25.5W) and raising the maximum current (from 350mA to 600mA).

The electrical current sent, along with data, can provide power to remote devices. These devices may include remote switches, wireless access points, voice over IP (VoIP) equipment, and more.

One of the key advantages of PoE is the centralized management of power. For instance, without PoE, all remote devices need to be independently powered. In the case of a power outage, each of these devices requires an uninterruptible power supply (UPS) to continue operating. A UPS is a battery pack that enables devices to operate for a period of time. With PoE supplying power, a UPS is required only in the main facility. In addition, centralized power management enables administrators to power remote equipment up or down.

ExamAlert

Know that PoE and PoE+ enable electrical power to transmit over twisted-pair Ethernet cable.

MAC Address Table

It was mentioned earlier that the MAC (Media Access Control) address is a unique 12-digit hexadecimal number that is stamped into every network interface card. This value can be used by a switch to “switch” frames between LAN ports efficiently. When the switch receives a frame, it associates the MAC address of the sending network device with the LAN port on which it was received and dynamically builds a MAC address table by using the source address of the frames received. Then, when the switch receives a frame for a MAC destination address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame.

When a destination station replies, the switch adds the MAC source address and port ID to this address table. Now that it knows the value, the switch can then forward all subsequent frames to a single LAN port without flooding all LAN ports.

ExamAlert

For the exam, know that all Ethernet switching ports maintain MAC address tables.

If there were a situation in which DHCP were not enabled on the management port of a switch and it was necessary to connect to it, then the IP address of that device would need to be known and used to establish a connection.
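The learning, flooding, and forwarding behavior just described is also where port security (the MAC limiting described under “Interface Configuration and Switch Management”) hooks in: the limit is checked at the moment a new source address would be learned on a port. The following added Python example (not from this book or from any switch vendor) models a learning switch whose ports allow one MAC address each and go into err-disabled state on a violation. All ports are assumed to be access ports in a single VLAN, entries never age out, and the MAC addresses and port names are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """A learning switch with per-port MAC limiting (port security).

    Simplifications assumed for the example: all ports are access ports in
    one VLAN, entries never age out, and a violation uses the 'shutdown'
    action, i.e. the port is placed in err-disabled state.
    """

    def __init__(self, ports, max_macs_per_port=1):
        self.ports = list(ports)
        self.max_macs = max_macs_per_port
        self.mac_table = {}          # learned MAC -> port
        self.err_disabled = set()    # ports shut down after a violation
        self.violations = []         # (port, offending MAC), for the operator's log

    def _macs_on(self, port):
        return {m for m, p in self.mac_table.items() if p == port}

    def receive(self, in_port, src, dst):
        """Process one frame; returns the list of ports it is forwarded out of."""
        if in_port in self.err_disabled:
            return []                                   # port is shut; frame dropped
        if self.mac_table.get(src) != in_port:
            # a new address on this port (or one that moved here):
            # enforce the limit before learning it
            if len(self._macs_on(in_port)) >= self.max_macs:
                self.violations.append((in_port, src))
                self.err_disabled.add(in_port)
                return []
            self.mac_table[src] = in_port               # learn source -> port
        # forwarding: known unicast goes out one port, everything else floods
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port or out in self.err_disabled else [out]
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


if __name__ == "__main__":
    sw = Switch(["fa0/1", "fa0/2", "fa0/3", "fa0/4"])
    host_a, host_b, rogue = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    print(sw.receive("fa0/1", host_a, BROADCAST))   # unknown: flooded
    print(sw.receive("fa0/2", host_b, host_a))      # reply: forwarded to fa0/1 only
    print(sw.receive("fa0/1", rogue, host_b))       # second MAC on fa0/1: violation
    print(sw.mac_table, sw.err_disabled, sw.violations)
```

The flood step is the reason unknown-destination frames reach every port in the VLAN, and the learning step is what port security constrains: the third frame, a second source address on fa0/1, is never learned and the port is shut, so even frames addressed to host A are dropped afterward until an administrator re-enables the port.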

Switch Management

Devices can be managed several ways: using Simple Network Management Protocol (SNMP), Windows Management Instrumentation (WMI), or Intelligent Platform Management Interface (IPMI). If the monitoring of devices is done remotely, this is known as out-of-band management; otherwise, it is known as in-band management.

ExamAlert

For the exam, associate in-band management with local management (the most common method) and out-of-band management with remote.

Managed and Unmanaged

If the switch has any configuration interface or options, it is said to be managed. If it does not have any configuration interface or options, it is said to be unmanaged. Although not always the case, it is generally such that unmanaged devices are less-expensive plug-and-play devices intended for a home or small office.

Quality of Service

Quality of service (QoS) describes the strategies used to manage and increase the flow of network traffic. QoS features enable administrators to predict bandwidth use, monitor that use, and control it to ensure that bandwidth is available to the applications that need it. These applications generally can be broken into two categories:

  • Latency sensitive: These applications need bandwidth for quick delivery where network lag time impacts their effectiveness. This includes voice and video transfer. For example, voice over IP (VoIP) would be difficult to use if there were a significant lag time in the conversation.

  • Latency insensitive: Controlling bandwidth also involves managing latency-insensitive applications. This includes bulk data transfers such as huge backup procedures and File Transfer Protocol Secure (FTPS) transfers.

With bandwidth limited, and networks becoming increasingly congested, it becomes more difficult to deliver latency-sensitive traffic. If network traffic continues to increase and you cannot always increase bandwidth, the choice is to prioritize traffic to ensure timely delivery. This is where QoS comes into play. QoS ensures the delivery of applications, such as videoconferencing (and related video applications), VoIP telephony, and unified communications without adversely affecting network throughput. QoS achieves more efficient use of network resources by differentiating between latency-insensitive traffic such as fax data and latency-sensitive streaming media.

Two important components of QoS are DSCP and CoS. Differentiated services code point (also known as Diffserv) is an architecture that specifies a simple and coarse-grained mechanism for classifying and managing network traffic and providing QoS on modern networks. Class of service (CoS) is a parameter that is used in data and voice to differentiate the types of payloads being transmitted.

One important strategy for QoS is priority queuing. Essentially, traffic is placed in order based on its importance of delivery time. All data is given access, but the more important and latency-sensitive data is given higher priority.

ExamAlert

Be sure that you understand QoS and the methods used to ensure QoS on networks. Know that it is used with high-bandwidth applications such as VoIP, video applications, and unified communications.

Traffic Shaping

The demand for bandwidth on networks has never been higher. Internet and intranet applications demand a large amount of bandwidth. Administrators must ensure that despite all these demands, adequate bandwidth is available for mission-critical applications while few resources are dedicated to spam or peer-to-peer downloads. To do this, you need to monitor network traffic to ensure that data flows as you need it to.

The term traffic shaping describes the mechanisms used to control bandwidth usage on the network. With this, administrators can control who uses network bandwidth, for what purpose, and what time of day bandwidth can be used. Traffic shaping establishes priorities for data traveling to and from the Internet and within the network.

A packet shaper essentially performs two key functions: monitoring and shaping. Monitoring includes identifying where usage is high and the time of day. After that information is obtained, administrators can customize or shape bandwidth usage for the best needs of the network.
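As an added example, not from this book, the following Python token bucket shows the shaping half of a packet shaper: a flow is held to a configured rate while still being allowed a limited burst. The rate, burst size, and sample packet flow are constructed for the illustration.

```python
class TokenBucket:
    """Tokens accrue at `rate` bytes/second up to `burst` bytes. A packet leaves
    only when the bucket holds at least its size in tokens; otherwise it is
    held (queued) until enough tokens have accrued, which caps the flow's rate."""
    def __init__(self, rate_bps: float, burst_bytes: int, now: float = 0.0):
        self.rate = float(rate_bps)
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)  # start full: an idle flow may burst
        self.last = now                   # time of the last token update

    def _refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def send_time(self, size: int, arrival: float) -> float:
        """Earliest time a packet of `size` bytes arriving at `arrival` may leave.
        Packets are FIFO, so nothing leaves before the previous packet did."""
        now = max(arrival, self.last)
        self._refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return now
        wait = (size - self.tokens) / self.rate   # time until tokens == size
        self.tokens = 0.0
        self.last = now + wait
        return self.last

def shape(packets, rate_bps: float, burst_bytes: int) -> list:
    """packets: iterable of (arrival_time, size_bytes); returns departure times."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [bucket.send_time(size, t) for t, size in packets]

# Constructed sample flow: a 1000 B/s policy with a 1500 B burst allowance.
# Three 1000 B packets arrive almost at once; the shaper spreads them out.
SAMPLE_FLOW = [(0.0, 1000), (0.0, 1000), (0.1, 1000), (3.0, 500)]

def shape_demo() -> list:
    return shape(SAMPLE_FLOW, rate_bps=1000, burst_bytes=1500)
```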

Access Control Lists

When it comes to computing, many things serve a similar function and go by the name of an access control list (ACL). When it comes to websites, determining which ones users can or cannot access is usually done through a list of allowed or nonallowed websites. When it comes to routing and switching, an ACL provides rules that are applied to port numbers or IP addresses that are available on a host or other Layer 3 device, each with a list of hosts and/or networks permitted to use the service.

Although these two uses of ACL may seem disparate, in both cases the ACL is the list of what the entity attempting access is permitted to reach. An alternative approach that can serve the same purpose is to reverse the situation and deny access to all entities (pages or ports, depending on the case) except those that appear in an “allowed” list. This approach has high administrative overhead and can greatly limit the productivity benefits available.
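An added example, not from this book, of how a routing or switching ACL is evaluated: rules are tried top to bottom and the first match decides, with a default-deny list shown beside a default-permit list. The networks and ports are constructed (RFC 5737 documentation ranges plus the 192.168.1.0/24 LAN used elsewhere in this chapter).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # source network in CIDR form; 0.0.0.0/0 is "any"
    dst_port: Optional[int]   # destination port; None matches any port

    def matches(self, src_ip: str, port: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.src, strict=False)
        return in_net and (self.dst_port is None or self.dst_port == port)

def evaluate(acl, src_ip: str, port: int, default: str = "deny") -> str:
    """Rules are checked top to bottom and the first match decides. Router ACLs
    end with an implicit deny, which the `default` argument models."""
    for rule in acl:
        if rule.matches(src_ip, port):
            return rule.action
    return default

# Constructed lists. Default-deny style: only the listed services from the
# listed sources get in; everything else falls through to the implicit deny.
ALLOW_LIST = [
    Rule("permit", "192.168.1.0/24", 22),    # SSH only from the management LAN
    Rule("permit", "0.0.0.0/0", 443),        # HTTPS from anywhere
]
# Default-permit style: everything passes except the explicitly denied items.
BLOCK_LIST = [
    Rule("deny", "203.0.113.0/24", None),    # a range treated as untrusted
    Rule("deny", "0.0.0.0/0", 23),           # no telnet from anywhere
    Rule("permit", "0.0.0.0/0", None),       # explicit permit-any at the end
]

def acl_demo():
    """Same requests judged by both lists; returns (allow_results, block_results)."""
    requests = [("192.168.1.10", 22), ("198.51.100.4", 22),
                ("198.51.100.4", 443), ("203.0.113.7", 443), ("198.51.100.4", 23)]
    return ([evaluate(ALLOW_LIST, ip, p) for ip, p in requests],
            [evaluate(BLOCK_LIST, ip, p) for ip, p in requests])
```

Rule order matters with first-match evaluation: moving the permit-any entry to the top of BLOCK_LIST would shadow both deny rules.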

ExamAlert

Remember that the ACL is a list of allowed or nonallowed services, ports, websites, and the like.

ARP and RARP

Address Resolution Protocol (ARP), which is defined in RFC 826, is responsible for resolving IP addresses to Media Access Control (MAC) addresses. When a system attempts to contact another host, IP first determines whether the other host is on the same network it is on by looking at the IP address. If IP determines that the destination is on the local network, it consults the ARP cache to see whether it has a corresponding entry. The ARP cache is a table on the local system that stores mappings between data link layer addresses (the MAC address or physical address) and network layer addresses (IP addresses). Following is a sample of the ARP cache:

Interface: 192.168.1.66 --- 0x8
Internet Address    Physical Address    Type
192.168.1.65        00-1c-c0-17-41-c8   dynamic
192.168.1.67        00-22-68-cb-e2-f9   dynamic
192.168.1.254       00-18-d1-95-f6-02   dynamic
224.0.0.2           01-00-5e-00-00-02   static
239.255.255.250     01-00-5e-7f-ff-fa   static

If the ARP cache does not have an entry for the host, a broadcast on the local network asks the host with the target IP address to send back its MAC address. The communication is sent as a broadcast because without the target system’s MAC address, the source system cannot communicate directly with the target system.

Because the communication is a broadcast, every system on the network picks it up. However, only the target system replies because it is the only device whose IP address matches the request. The target system, recognizing that the ARP request is targeted at it, replies directly to the source system. It can do this because the ARP request contains the MAC address of the system that sent it. If the destination host is determined to be on a different subnet than the sending host, the ARP process is performed against the default gateway and then repeated for each step of the journey between the sending and receiving host. Table 3.10 lists the common switches used with the arp command.
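The lookup sequence described above, as an added example that is not from this book: it parses the ARP cache listing shown earlier, decides whether a destination is on the local subnet or must go through the default gateway, and reports whether the needed MAC address is already cached or an ARP request broadcast is required. The /24 mask and the choice of 192.168.1.254 as the gateway are assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_interface

# The cache listing shown above (Windows arp -a format), embedded as sample input.
ARP_OUTPUT = """\
Interface: 192.168.1.66 --- 0x8
Internet Address    Physical Address    Type
192.168.1.65        00-1c-c0-17-41-c8   dynamic
192.168.1.67        00-22-68-cb-e2-f9   dynamic
192.168.1.254       00-18-d1-95-f6-02   dynamic
224.0.0.2           01-00-5e-00-00-02   static
239.255.255.250     01-00-5e-7f-ff-fa   static
"""
ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)$", re.I)

def parse_arp_cache(text: str) -> dict:
    """Map IP -> (MAC, entry type) for every entry line; header lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            cache[m.group(1)] = (m.group(2).lower(), m.group(3))
    return cache

def next_hop(dst_ip: str, local_iface: str, gateway: str) -> str:
    """IP first asks whether the destination is on the local subnet. If not,
    the frame must go to the default gateway, so that is what ARP resolves."""
    on_link = ip_address(dst_ip) in ip_interface(local_iface).network
    return dst_ip if on_link else gateway

# Assumed for this example: the interface has a /24 mask and .254 is the
# gateway (the listing above states neither).
LOCAL_IFACE = "192.168.1.66/24"
GATEWAY = "192.168.1.254"

def resolve(dst_ip: str, cache: dict):
    """Return (address ARP resolves, MAC). MAC is None when the cache has no
    entry, meaning an ARP request broadcast on the local segment is needed."""
    target = next_hop(dst_ip, LOCAL_IFACE, GATEWAY)
    entry = cache.get(target)
    return target, (entry[0] if entry else None)
```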

ExamAlert

ARP links IP addressing to Ethernet addressing (MAC addressing).

TABLE 3.10 Commonly Used ARP Command Switches

Switch    Description
-a        Displays the entries in the ARP cache
-s        Manually adds a permanent entry to the ARP cache
-d        Deletes an entry from the ARP cache

When you work with the ARP cache, you can dynamically or statically make entries. With dynamic entries, the ARP cache is automatically updated. The ARP cache is maintained with no intervention from the user. Dynamic entries are the ones most used. Static entries are configured manually using the arp -s command. The static entry becomes a permanent addition to the ARP cache until it is removed using the arp -d command.

Reverse Address Resolution Protocol (RARP) performs the same function as ARP, but in reverse. In other words, it resolves MAC addresses to IP addresses. RARP makes it possible for applications or systems to learn their own IP address from a router or Domain Name Service (DNS) server. Such a resolution is useful for tasks such as performing reverse lookups in DNS. RARP is defined in RFC 903.

Tip

The function of ARP is to resolve a system’s IP address to the interface’s MAC address on that system. Do not confuse ARP with DNS or WINS, which also perform resolution functions, but for different things.

Cram Quiz

1. Which of the following best describes the function of the default gateway?

A. It provides the route for destinations outside the local network.

B. It enables a single Internet connection to be used by several users.

C. It identifies the local subnet and formulates a routing table.

D. It is used to communicate in a multiple-platform environment.

2. What is the term used for the number of hops necessary to reach a node?

A. Jump list

B. Link stops

C. Connections

D. Hop count

3. Which of the following enables administrators to monitor the traffic outbound and inbound to the switch?

A. Spanning Tree Algorithm

B. Trunking

C. HSRP

D. Port mirroring

4. Which of the following is the IEEE specification developed to ensure interoperability of VLAN technologies from the various vendors?

A. 802.1z

B. 802.1s

C. 802.1Q

D. 802.1X

5. Which of the following is a proprietary protocol from Cisco used to reduce administration in the switched network?

A. VTP

B. VNMP

C. VCPN

D. VNMC

6. In an Ethernet network, what technology is being implemented when a system wants to send data to another system and first checks to see whether the network medium is free?

A. QoS

B. MDI-X

C. Jumbo frames

D. CSMA/CD

7. Which of the following is PoE+ also known as?

A. 802.3aa

B. 802.3ac

C. 802.3af

D. 802.3at

8. What is the function of ARP?

A. It resolves MAC addresses to IP addresses.

B. It resolves NetBIOS names to IP addresses.

C. It resolves IP addresses to MAC addresses.

D. It resolves hostnames to IP addresses.

Cram Quiz Answers

1. A. The default gateway enables systems on one local subnet to access those on another. Answer B does not accurately describe the role of the default gateway. Answers C and D do not describe the main function of a default gateway, which is to provide the route for destinations outside the local network.

2. D. The hop count is the number of hops necessary to reach a node.

3. D. Port mirroring enables administrators to monitor the traffic outbound and inbound to the switch.

4. C. 802.1Q is the IEEE specification developed to ensure interoperability of VLAN technologies from the various vendors.

5. A. VLAN Trunking Protocol (VTP) is used to reduce administration in the switched network.

6. D. On a network that uses CSMA/CD, when a system wants to send data to another system, it first checks to see whether the network medium is free. It must do this because each piece of network medium used in a LAN can carry only one signal at a time. QoS features enable administrators to predict bandwidth use, monitor that use, and control it to ensure that bandwidth is available to the applications that need it. MDI-X expands on MDI and allows ports on newer network interfaces to detect if the connection would require a crossover. Jumbo frames are used to allow for very large Ethernet frames; by sending a lot of data at once, the number of packets is reduced, and the data sent is less processor intensive.

7. D. IEEE 802.3at is more commonly known as PoE+.

8. C. ARP resolves IP addresses to MAC addresses. Answer A describes the function of RARP, answer B describes an unrelated process, and answer D describes the process of DNS resolution.

What’s Next?

Chapter 4, “Network Implementations,” introduces you to commonly used networking architecture and devices. All but the most basic of networks require devices to provide connectivity and functionality. Understanding how these networking devices operate and identifying the functions they perform are essential skills for any network administrator and are requirements for a Network+ candidate.
