Data Transmission on WAN PDF
CHAPTER - 4 DATA TRANSMISSION ON WAN

4.0 Introduction

In the earlier chapters, the essentials of data transmission over a physical medium and over a LAN were discussed. When a data communication network extends from within a building to anywhere across the world, a WAN (Wide Area Network) is needed. A WAN can be an Intranet or the Internet, otherwise called a Private Network or a Public Network. The majority of applications use the Transmission Control Protocol (TCP) and the Internet Protocol (IP) together. Therefore the TCP and IP protocols are discussed here both separately and combined as a suite.

A WAN is established with the help of routers, long-distance communication links and a suitable Network Layer protocol (e.g. IP); its data units are PACKETS. Packets are routed through networks with the help of IP routing, static and dynamic. The converged network technology MPLS (Multi Protocol Label Switching) is also discussed in detail.

4.1 TCP/IP protocol

"TCP/IP" is the acronym commonly used for the set of network protocols that compose the Internet Protocol suite. The term "Internet" is used to describe both the protocol suite and the global wide area network: "TCP/IP" refers specifically to the Internet protocol suite, while "Internet" refers to the wide area network and the bodies that govern it.

To interconnect our TCP/IP network with other networks, we must obtain a unique IP address for our network. If hosts on our network are to participate in the Internet Domain Name System (DNS), we must obtain and register a unique domain name. The InterNIC coordinates the registration of domain names through a group of worldwide registries.

4.1.1 Transmission Control Protocol (TCP)

The Transmission Control Protocol (TCP) is responsible for reliable end-to-end delivery of segments, as shown in fig 4.1. "Segment" is the term used to describe the data that is transmitted and received at the Transport layer of the OSI model, where TCP resides.
TCP also redirects the data to the appropriate well-known ports (upper level service).

Fig 4.1 End to end delivery of segments

IRISET 51 TA2 – Data Communication & Networking

The reliable end-to-end delivery of data is accomplished by:

4.1.2 Connection-oriented service

Segments are acknowledged to the source when received by the destination. A sliding window is used to allow unacknowledged segments on the "wire" in order to speed up transmission rates.

4.1.3 Sequencing of segments

Data is broken up into segments that are numbered (sequenced) when transmitted. The destination TCP layer keeps track of the received segments and places them in the proper order (re-sequences them).

4.1.4 Requesting retransmission of lost data

If a segment is lost in transmission (missing sequence number), the destination will time out and request that all segments starting at the lost segment be retransmitted.

4.1.5 Error checking

Segments are checked for data integrity when received using a 32 bit CRC check.

The redirection of data to the upper level service is accomplished by using Source and Destination Port numbers. Multiple connections to the same service are allowed. For example, we may have many users (clients) connected to a single web server (http is normally port 80). Each client will have a unique port number assigned (typically above 8000), but the web server will only use port 80.
4.1.6 TCP Header

The Transmission Control Protocol (TCP) header is shown in fig 4.2 and its fields are described in Table 4.1.

Fig 4.2 TCP Header (each row is 32 bits, bit 0 on the left):
  Source Port (16 bits)                         | Destination Port (16 bits)
  Sequence Number (32 bits)
  Acknowledgement Number (32 bits)
  Offset (1st 4 bits) | Not used (6 bits) | Flags (last 6 bits) | Window (16 bits)
  Checksum (16 bits)                            | Urgent Pointer (16 bits)
  Options + Padding
  Data

Source Port
  The Source Port is a 16 bit number that indicates the upper level service that the source is transmitting.

Destination Port
  The Destination Port is a 16 bit number that indicates the upper level service that the source wishes to communicate with at the destination.

Sequence Number
  The Sequence Number is a 32 bit number that indicates the first octet of information in the data field. It is used to number each TCP segment transmitted, in order to keep track of segments for sequencing and for error checking of lost segments. The source numbers the sequence of transmitted segments.

Acknowledgement Number
  The Acknowledgement Number is a 32 bit number that is used to acknowledge the receipt of segments by the destination. The acknowledgement is the next sequence number expected. If the sender does not receive an acknowledgement for a segment transmitted, the sender will time out and retransmit.

Offset (4 bits)
  The Offset field consists of the first 4 bits (xxxx0000) of the first byte. The last 4 bits are reserved for future use and are set to 0. The Offset measures the number of 32 bit (4 byte) words in the TCP header up to where the Data field starts. This is necessary because the TCP header has a variable length. The minimum length of the TCP header is 20 bytes, which gives an Offset value of 5.
Flags (last 6 bits)
  The Flags field consists of the last 6 bits (00xxxxxx) of the second byte; the first 2 bits are reserved for future use and are set to 0. The Flags field consists of the following flag bits:
  URG (Urgent Flag): When set, indicates that the Urgent Pointer field is being used.
  ACK (Acknowledge Flag): When set, indicates that the Acknowledgement Number is being used.
  PSH (Push Flag): An upper level protocol that requires immediate data delivery uses the Push (PSH) flag to immediately forward all of the queued data to the destination.
  RST (Reset Flag): When set, the connection is reset. This is typically used when the source has timed out waiting for an acknowledgement and is requesting retransmission starting at a sequence number.
  SYN (Synchronize Flag): When set, indicates that this segment is the first one in the sequence. The first sequence number assigned is called the Initial Sequence Number (ISN).
  FIN (Finish Flag): When set, indicates that this is the last data from the sender.

Window (16 bits)
  This contains the number of unacknowledged segments that are allowed on the network at any one time. This is negotiated by the Source and Destination TCP layers.

Checksum
  The Checksum field is 16 bits long and carries a checksum calculated over the complete TCP header and what is called the TCP Pseudo header. The TCP Pseudo header consists of the Source IP Address, Destination IP Address, Zero, IP Protocol field and TCP Length. The IP Protocol field value is 6 for TCP.

Urgent Pointer
  This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set.

Options
  Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length.
  The allowed options are:
  Kind 0 - End of option list.
  Kind 1 - No Operation.
  Kind 2 - Length 4, Maximum Segment Size. This is used to indicate the maximum segment size allowed.

Padding
  The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is composed of zeros.

Data
  Consists of data in pure form (a combination of bits) coming from the upper layers.

Table 4.1 Description of TCP header fields

4.2 User Datagram Protocol (UDP)

The User Datagram Protocol (UDP) is a connectionless host-to-host service that operates at the Transport layer of the OSI model. UDP relies on the upper layer protocol for error correction and reliable service. The protocol is transaction oriented; delivery and duplicate protection are not guaranteed. The major uses of this protocol are DNS and TFTP. UDP has a small header and, for all intents and purposes, adds port addressing to the IP header. The IP header routes datagrams to the correct host on the network and UDP routes the datagram to the correct application.

UDP Header

The User Datagram Protocol (UDP) header is shown in fig 4.3 and its fields are described in Table 4.2.

Fig 4.3 UDP Header (each row is 32 bits, bit 0 on the left):
  Source Port (16 bits)   | Destination Port (16 bits)
  Length (16 bits)        | Checksum (16 bits)
  Data

Source Port
  The Source Port is a 16 bit number that indicates the upper level service that the source is transmitting. Appendix I is a complete listing of well known ports. UDP allows port numbers to be in the range from 0 to 65,535. The Source Port is optional and if not used, a field of 0s is inserted. Clients will have a unique port number assigned to them by the server. Typically the number will be above 8,000.
Destination Port
  The Destination Port is a 16 bit number that indicates the upper level service that the source wishes to communicate with at the destination.

Length
  The Length field is 16 bits long and indicates the length of the UDP datagram; it has a maximum value of 65,535 bytes and a minimum value of 8 bytes.

Checksum
  The Checksum field is 16 bits long and carries a checksum calculated over the UDP header, the Data field and what is called the UDP Pseudo header. The UDP Pseudo header consists of the Source IP Address, Destination IP Address, Zero, IP Protocol field and UDP Length. The IP Protocol field value is 17 for UDP.

Data
  The data field contains the IP header and data. The Data field may be padded with zero octets at the end (if necessary) to make a multiple of two octets.

Table 4.2 Description of UDP header fields

4.3 IP COMMUNICATION

4.3.1 IP Datagram Structure

The term 'datagram' or 'packet' is used to describe a chunk of IP data. Each IP datagram contains a specific set of fields in a specific order so that the reader knows how to decode and read the stream of data received. The description of the IP datagram format in this tutorial is suitable for most purposes. An IP datagram is illustrated in fig 4.4 and its fields are described in table 4.3.

Fig 4.4 IP datagram (each row is 32 bits; bits 0-7, 8-15, 16-23, 24-31 from left to right):
  Version | IHL | TOS | Total Length
  Identification | Flags | Fragment Offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  Options | Padding
  Payload (TCP/UDP/ICMP etc.)

VERSION (4 bits)
  The version field is set to the value '4' in decimal or '0100' in binary. The value indicates the version of IP (4 or 6; there is no version 5).

IHL (4 bits)
  The Internet Header Length (IHL) describes how big the header is in 32-bit words. For instance, the minimum value is 5, as the minimum size of an IP header that contains all the correct fields is 160 bits, or 20 bytes.
  This allows the receiver to know exactly where the payload data begins.

TOS (8 bits)
  Type of service allows the intermediate receiving stations (the routers) to have some notion of the quality of service desired. This allows the network to make adaptations for delay, throughput, or reliability.

TOTAL LENGTH (16 bits)
  This informs the receiver of the datagram where the end of the data in this datagram is. This is the length of the entire datagram in octets, including the header. This is why an IP datagram can be up to 65,535 bytes long, as that is the maximum value of this 16-bit field.

IDENTIFICATION (16 bits)
  Sometimes, a device in the middle of the network path cannot handle the datagram at the size it was originally transmitted, and must break it into fragments. If an intermediate system needs to break up the datagram, it uses this field to aid in identifying the fragments.

FLAGS (3 bits)
  The flags field contains single-bit flags that indicate whether the datagram is a fragment, whether it is permitted to be fragmented, and whether the datagram is the last fragment or there are more fragments. The first bit in this field is always zero.

FRAGMENT OFFSET (13 bits)
  When a datagram is fragmented, it is necessary to reassemble the fragments in the correct order. The fragment offset numbers the fragments in such a way that they can be reassembled correctly.

TIME TO LIVE (8 bits)
  This field determines how long a datagram will exist. At each hop along a network path, the datagram is opened and its time to live field is decremented by one (or more than one in some cases). When the time to live field reaches zero, the datagram is said to have 'expired' and is discarded. This prevents the congestion on the network that is created when a datagram cannot be forwarded to its destination. Most applications set the time to live field to 30 or 32 by default.

PROTOCOL (8 bits)
  This indicates what type of protocol is encapsulated within the IP datagram.
  Some of the common values in decimal: ICMP is 1, IGMP is 2, TCP is 6 and UDP is 17.

HEADER CHECKSUM (16 bits)
  According to RFC 791, the header checksum formula is: "the 16-bit one's complement of the one's complement sum of all 16-bit words in the header." The checksum allows IP to detect datagrams with corrupted headers and discard them. Since the time to live field changes at each hop, the checksum must be re-calculated at each hop. In some cases, this is replaced with a cyclic redundancy check algorithm.

SOURCE ADDRESS (32 bits)
  This is the IP address of the sender of the IP datagram.

DESTINATION ADDRESS (32 bits)
  This is the IP address of the intended receiver(s) of the datagram. If the host portion of this address is set to all 1's, the datagram is an 'all hosts' broadcast.

OPTIONS & PADDING (variable)
  Various options can be included in the header by a particular vendor's implementation of IP. If options are included, the header must be padded with zeroes to fill in any unused octets so that the header is a multiple of 32 bits, and matches the count of bytes in the Internet Header Length (IHL) field.

Table 4.3 Description of IP datagram

4.3.1 Internet Protocol (IP)

Internet Protocol (IP) is a piece of software that operates at the NETWORK LAYER and provides the following:
  Unique Addresses
  Connectionless Communication
  Routing
  Data Transmission on IP

4.3.2 UNIQUE ADDRESSES

Everything connected to the Internet must have a unique numerical address. Just as a house has a unique address, so does each computer attached to the Internet. These addresses are not fixed, and can be changed when necessary. These addresses are represented in what is called 'dotted-decimal notation', which means that there are numbers with dots in between them that look like this: 204.25.183.4. Always remember that computers use these dotted-decimal 'IP Addresses' to communicate and never use letters or names.
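The two header layouts described above (Table 4.1 for TCP, Table 4.3 for IP) and their checksum rules, worked in Python as an added example that is not part of the IRISET text: a datagram is built from constructed sample addresses, ports, sequence numbers and payload, parsed field by field, and both checksums are verified. It also shows two points the tables state: a one-bit change in the payload is invisible to the IP header checksum but caught by the TCP checksum, and a router hop that decrements TTL must recompute the header checksum. The UDP checksum of Table 4.2 is the same calculation with protocol 17 and the UDP length in the pseudo header. All function names are my own.

```python
# Added example (not from the IRISET text). Layouts follow Fig 4.2 / Table 4.1 (TCP)
# and Fig 4.4 / Table 4.3 (IP). Sample addresses, ports and payload are constructed.
import socket
import struct

PROTO_TCP = 6
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # flag bits 0..5 of the flags field

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit words (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """Source IP, destination IP, zero, protocol, transport length (Table 4.1 / 4.2)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, proto, length)

def build_tcp_segment(src, dst, sport, dport, seq, ack, flags, window, payload: bytes) -> bytes:
    """TCP header with Offset 5 (20 bytes, no options); flags sit in the low 6 bits of byte 13."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src, dst, PROTO_TCP, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4_header(src, dst, proto, payload_len, ttl=64) -> bytes:
    """20-byte IPv4 header (IHL 5, no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the Table 4.3 fields; a header whose words (checksum included) sum to zero is intact."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "tos": tos, "total_length": total_len,
            "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "header_ok": ones_complement_sum(pkt[:hdr_len]) == 0, "payload": pkt[hdr_len:total_len]}

def parse_tcp(src: str, dst: str, seg: bytes) -> dict:
    """Decode the Table 4.1 fields and re-check the checksum over pseudo header + segment."""
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    offset, flags = off_flags >> 12, off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "offset": offset,
            "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags >> bit & 1],
            "window": window, "urgent_pointer": urg,
            "checksum_ok": ones_complement_sum(pseudo_header(src, dst, PROTO_TCP, len(seg)) + seg) == 0,
            "data": seg[offset * 4:]}

def forward_one_hop(pkt: bytes) -> bytes:
    """Router behaviour from Table 4.3: TTL - 1, then a fresh header checksum; TTL 0 is discarded."""
    hdr_len = (pkt[0] & 0x0F) * 4
    if pkt[8] <= 1:
        raise ValueError("TTL expired: datagram discarded")
    hdr = bytearray(pkt[:hdr_len])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"  # zero the old checksum before recomputing it
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    return bytes(hdr) + pkt[hdr_len:]

def demo() -> dict:
    src, dst = "192.0.2.10", "198.51.100.80"  # constructed sample addresses
    payload = b"GET / HTTP/1.0\r\n\r\n"
    seg = build_tcp_segment(src, dst, 8001, 80, seq=1001, ack=5001, flags=0x18, window=8192, payload=payload)  # PSH+ACK
    pkt = build_ipv4_header(src, dst, PROTO_TCP, len(seg), ttl=32) + seg
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["src"], ip["dst"], ip["payload"])
    # Flip one bit of the payload: the IP header checksum cannot see it, the TCP checksum can.
    bad_ip = parse_ipv4(pkt[:-1] + bytes([pkt[-1] ^ 0x01]))
    hop = parse_ipv4(forward_one_hop(pkt))
    return {"ip": ip, "tcp": tcp,
            "ip_header_ok_after_payload_corruption": bad_ip["header_ok"],
            "tcp_ok_after_payload_corruption": parse_tcp(src, dst, bad_ip["payload"])["checksum_ok"],
            "ttl_after_hop": hop["ttl"], "header_ok_after_hop": hop["header_ok"]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the decoded fields and the four checksum outcomes; the same `ones_complement_sum` verifies a received header because a correct header, checksum included, sums to zero.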
4.3.3 CONNECTIONLESS COMMUNICATION

IP communication is CONNECTIONLESS, and does not bother to set up dedicated end-to-end connections for communication. Upper layer protocols such as TCP are used for setting up connections and tearing them down, managing the recovery of lost data and other errors. These protocols function at the TRANSPORT LAYER of the OSI MODEL or higher.

4.3.4 ROUTING

IP is aware whether a computer's address is part of the local group of computers, or somewhere else. ROUTING is the part of IP that allows very intelligent and specialized routing devices (ROUTERS) to recognize that information is not part of the local group of machines, and needs to be forwarded to the destination. These devices are smart enough to 'figure out' how to get to destinations they aren't directly connected to. The process of forwarding the information is called ROUTING. ROUTING is covered in detail in ANOTHER SECTION.

4.3.5 DATA TRANSMISSION ON INTERNET PROTOCOL
  Unicast
  Broadcast
  Multicast

Unicast: Unicast packets are sent from host to host. The communication is from a single host to another single host. There is one device transmitting a message destined for one receiver.

Broadcast: Broadcast is when a single device is transmitting a message to all other devices in a given address range. This broadcast could reach all hosts on the subnet, all subnets, or all hosts on all subnets. Broadcast packets have the host (and/or subnet) portion of the address set to all ones. By design, most modern ROUTERS will block IP broadcast traffic and restrict it to the local subnet.

Multicast: Multicast is a special protocol for use with IP. MULTICAST enables a single device to communicate with a specific set of hosts, not defined by any standard IP address and mask combination. This allows for communication that resembles a conference call.
Anyone from anywhere can join the conference, and everyone at the conference hears what the speaker has to say. The speaker's message isn't broadcast everywhere, but only to those in the conference call itself. A special set of addresses is used for MULTICAST communication.

4.4 IP ADDRESSES (INTERNET PROTOCOL ADDRESSES)

When using the INTERNET, humans use names such as WWW.GOOGLE.COM or WWW.EBAY.COM. We call those "web addresses" or "URLs", but those are names. They aren't actually addresses; they are just words that can be easily remembered by humans. The INTERNET uses its own set of addresses because computers run the Internet and computers use numbers. COMPUTERS do their work over the INTERNET and across NETWORKS using numeric addresses. The end systems on either side are configured with IP addresses (the computer-server that is serving www.google.com, for instance). To communicate, a connection is opened from one COMPUTER to the other computer using the IP addresses as the source and destination addresses for that communication.

A COMPUTER gets an address in one of two ways: either the network administrator enters it into the COMPUTER manually, or it is learned by the COMPUTER dynamically using a protocol called DHCP. When the IP address is assigned by the NETWORK administrator manually, this is called a 'fixed' or 'static' IP address. If an IP address is learned by the COMPUTER automatically when the COMPUTER starts up (via DHCP), it's called a 'dynamic' IP. DHCP, of course, needs to be set up and running for our COMPUTER to learn an IP address.

IP addresses are of two types:
  IPv4 (IP version 4)
  IPv6 (IP version 6)

Till now only IPv4 addresses have been used over the network; due to exhaustion of the IPv4 address space, the world is moving towards IPv6. An introduction to IPv6 is given at the end of this chapter.
4.4.1 IPv4 Address

An IP address is a number used to identify the logical connection of a COMPUTER to a physical NETWORK. It is a 32-bit BINARY address, composed of four 8-bit numbers. An IP ADDRESS is represented as four decimal numbers between 0 and 255 separated by dots (e.g. 199.232.66.20). This is referred to as dotted-decimal notation. Anything attached to an IP NETWORK can be assigned an IP address. Addresses are always unique. Because IP addresses are software configured, it is easy to move hosts from one NETWORK to another simply by changing the IP ADDRESS or the network mask. This process is called RENUMBERING.

i. Network and Host Portion of an IP Address

When looking at an IP ADDRESS, the left-most portion of the address identifies which NETWORK the machine (host) belongs to. The right-most portion is used as the address of the host itself. A large number of addresses in use (but not all of them) look something like the address shown in table 4.4.

VALUE        NETWORK                        HOST
IN DECIMAL   199       232       66         20
IN BINARY    11000111  11101000  01000010   00010100
Table 4.4 Network and Host Portion of an IP Address

In the example shown in table 4.4 above, the network address is 199.232.66 and the host portion of the address is 20; the complete IP address is 199.232.66.20. All the computers on the same local NETWORK would have the same network number in their address. Thus, two computers on the same NETWORK might be 199.232.66.20 and 199.232.66.41.

When two hosts with IP addresses communicate, they send IP datagrams. IP DATAGRAMS contain the source and destination addresses of the hosts communicating. Only the addresses are recorded in the packet. There is no information stored in the packet to tell us which part of the address is network and which is host. If this is true, then how will we figure out which part of the address is the network portion, and which is the host portion?
First, we must remember that all hosts on the same NETWORK will have the same network address (the network portion will be the same for all hosts). Only the host portion will be different and unique for each host on the network. Different networks also have different network addresses: Network A would have a different address from Network B. From the perspective of determining the correct network, the individual host address is irrelevant. We will need it later to find the host itself ON the network, but we don't need to look at it yet, since we need to find the correct NETWORK first. To find a particular host, we first find the NETWORK that host is on and then ask that NETWORK to find the host.

There are two solutions to handling this NETWORK vs. host address problem, and they are similar but separate addressing types: CLASSFUL and CLASSLESS. CLASSFUL was the first addressing scheme developed. It helped manage the IP space and made organization of networks and hosts possible, but it could not support the growing complexity of the INTERNET and wasted a lot of address space, so a new scheme was developed called CLASSLESS.

i. Source Address: The IP ADDRESS of the HOST that sent the DATAGRAM (sender).
ii. Destination Address: The IP ADDRESS of the HOST the DATAGRAM is being sent to (receiver).
iii. MASK: The mask is a value that is stored in the configuration of a computer along with the IP address. The mask gives the computer a simple way to figure out whether the IP address of another computer is on the same local network, or on a different local network. Bear in mind that for this definition of a mask, a 'local network' is defined as a group of computers with IP addresses in a limited range.
iv. Subnet Mask: A piece of information stored on the local HOST that allows it to determine whether a remote HOST is part of the local NETWORK, or is part of a different outside NETWORK.
During the process of delivering (ROUTING) an IP DATAGRAM, only the destination IP ADDRESS is significant. In CLASSFUL ADDRESSING, information about the HOST'S location and the NETWORK it is located on is assumed to be encoded into the IP ADDRESS within the DATAGRAM. There aren't any fields provided in an IP DATAGRAM to inform the receiver where the network portion of the IP ADDRESS leaves off and where the HOST portion of the IP ADDRESS begins. (See the IPV4 ADDRESSING section for more information.)

4.4.2 Classes of IP Addresses

The entire IP ADDRESS space (0.0.0.0 to 255.255.255.255) is divided into 'classes', or special ranges of contiguous IP ADDRESSES (no addresses missing between the first and last address in the range). CLASSFUL ADDRESSING makes it possible to determine the NETWORK portion of the IP ADDRESS by looking at the first four bits of the first octet in the IP ADDRESS. The FIRST FOUR BITS are referred to as the 'most significant bits' of the first octet and are used to DETERMINE WHAT CLASS OF IP ADDRESS IS BEING USED. The value of the first four bits determines the range of actual numerical values of the first octet of the IP ADDRESSES in that class. From this information, a receiving HOST can determine which part of the IP ADDRESS is being used to identify the specific network on which the HOST resides, and which portion of the IP ADDRESS is used to identify the HOST.

The different classes of IP ADDRESSES (Class A, Class B, Class C, Class D and Class E) were created to allow for carving up the entire set of all IP ADDRESSES into chunks of different sizes that would 'fit' the number of HOSTS on the NETWORK for which the IP ADDRESS SPACE was being supplied. Table 4.5 below gives a breakdown of how the Classful system breaks up the IP ADDRESS space.

FIRST OCTET                         IP ADDRESS CHARACTERISTICS
MOST SIGNIFICANT   VALUE            ADDR.   NETWORK     # NETWORKS    # HOSTS
BITS               RANGES           CLASS   VS. HOST
0000               0-126            A       N.h.h.h     256           16,777,214
--                 127              -       -           SPECIAL - LOCAL LOOPBACK
1000               128-191          B       N.N.h.h     65,536        65,534
1100               192-223          C       N.N.N.h     16,777,216    254
1110               224-239          D       Special     N/A           N/A
1111               240+             E       Special     N/A           N/A
Table 4.5 Classful IP Addressing

It is possible to waste IP ADDRESSES by assigning blocks of IP ADDRESSES which fall along octet boundaries (the dots between the NUMBERS in the DECIMAL representation of the IP ADDRESS). Most often a class C address was supplied to anyone requesting space, as few NETWORKS had more than 256 hosts. But the networks grew to more than 256 HOSTS and needed more space, so Class B addresses were given out. But if a NETWORK has only 500 HOSTS, and a class B IP ADDRESS block is assigned to that network, 65,034 addresses will go unused. This is a terribly inefficient use of space, and as NETWORKS grew larger and the INTERNET grew, the need to use the IP ADDRESS space more and more efficiently became ever more critical.

One solution that was created to reduce utilization of IP ADDRESSES was NETWORK ADDRESS TRANSLATION. This involved the use of PRIVATE IP ADDRESSES and a device that translates PRIVATE IP ADDRESSES into PUBLIC IP ADDRESSES. As the list of available IP ADDRESSES was depleted, it became clear that a new solution was needed that provided more addresses, and efforts turned towards developing what is called IPv6.

i. Classful Addressing: COMPUTERS communicating using the INTERNET Protocol (IP) send DATAGRAMS. An IP DATAGRAM contains a SOURCE IP ADDRESS and a DESTINATION IP ADDRESS. However, an IP DATAGRAM does not contain any NETWORK subnet mask information, thus it is difficult to know which groups of COMPUTERS (HOSTS) form a NETWORK.

ii. Classless Addressing: All IP addresses have a network and host portion.
In classful addressing, the NETWORK portion ends on one of the separating dots in the address (on an octet boundary). Classless addressing uses a variable number of bits, as shown in table 4.6, for the NETWORK and host portions of the address.

Decimal   192        160        20         48
Binary    11000000   10100000   00010100   0011 0000
                                                ^^^^ 4 bits host
Table 4.6 Classless IP Addressing

Classful addressing divides an IP ADDRESS into the Network and Host portions along octet boundaries. Classless addressing treats the IP ADDRESS as a 32 bit stream of ones and zeroes, where the boundary between NETWORK and host portions can fall anywhere between bit 0 and bit 31. The network portion of an IP ADDRESS is determined by how many 1's are in the subnet mask. Again, this can be a variable number of bits, and although it can fall on an octet boundary, it does not necessarily need to. A subnet mask is used locally on each host connected to a network, and masks are never carried in IPv4 datagrams. All hosts on the same network are configured with the same mask, and share the same pattern of network bits. The host portion of each host's IP address will be unique.

4.4.3 SUBNETTING and SUPERNETTING

Originally the entire range of IP ADDRESSES WAS carved up into small, medium and large chunks of addresses. Networking equipment figured out which addresses were all part of a NETWORK by looking at the first four bits of the address. There were five classes of addresses used. Sub-netting is the process of borrowing bits from the host portion of an address to provide bits for identifying additional sub-networks. VLSM is most frequently referred to as sub-netting.

i. Variable Length Subnet Masking (VLSM): The INTERNET's explosive growth eventually required the more efficient use of the IP ADDRESS space available. Variable Length Subnet Masking is a technique used to allow more efficient assignment of IP ADDRESSES.
Originally INTERNET addresses were carved up into small, medium and large size blocks of contiguous addresses based on the values of the first four bits in the first octet of the IP ADDRESS. These were often referred to as CLASSFUL addresses. By carving CLASSFUL address blocks into smaller CLASSLESS blocks, we waste fewer addresses. The process of carving out smaller blocks from the larger blocks was called SUB-NETTING.

Many organizations' networks started very small and were assigned class C addresses. A class C address range contains 256 addresses. Soon, these organizations grew and so did their networks. Networks that needed to expand beyond their original class C range used a technique called SUPER-NETTING to allow them to turn two contiguous IP address blocks into one network.

ii. Super-netting: Super-netting is different. Super-netting merges several smaller blocks of IP addresses (networks) that are contiguous into one larger block of addresses. There can't be any 'holes' in the range. Super-netting is done by borrowing network bits to combine several smaller networks into one larger network.

For instance, a class 'C' block has 256 possible addresses in it. This block could be split into four classless blocks of 64 addresses each by borrowing two bits from the host portion of the class 'C' address.

Note: Even after borrowing 2 bits from the host portion towards the network portion, only two subnets can be created, as the all-bits-zero and all-bits-one conditions are not allowed in the subnets.

Standard Class 'C' network
                    Network    Network    Network    Host
CLASS 'C' ADDRESS   192        64         123        0
MASK (DECIMAL)      255        255        255        0
MASK (BINARY)       11111111   11111111   11111111   00000000
Table 4.7a

The mask and address shown in table 4.7a above combine to give a range of addresses from 192.64.123.1 through 192.64.123.254.
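The classful and classless rules of 4.4.2 and 4.4.3, and the two-bit split of the class 'C' block that Table 4.7a above and Tables 4.7b and 4.7c that follow work through, in Python, as an added example that is not part of the IRISET text. The function names are my own; the addresses are the text's own 199.232.66.20 and 192.64.123.0 plus constructed sample values. The class is taken from the most significant bits of the first octet (the value ranges of Table 4.5), the network and host portions from the mask bits wherever they end, and the subnet list keeps all four /26 blocks while flagging the first and last as the ones the note above excludes, rather than dropping them silently.

```python
# Added example (not from the IRISET text): classful class lookup, mask handling
# and sub-netting. Sample addresses are the text's own or constructed values.

def to_int(dotted: str) -> int:
    """Dotted-decimal to 32-bit integer, rejecting anything that is not four octets 0-255."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_class(dotted: str) -> str:
    """Classful rule (Table 4.5): leading bits 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = to_int(dotted) >> 24
    if first == 127:
        return "loopback"  # the special row of Table 4.5
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask: str) -> int:
    """Count the mask's 1 bits (4.4.2 ii); reject a mask whose ones are not contiguous."""
    value = to_int(mask)
    ones = bin(value).count("1")
    if value != prefix_to_mask(ones):
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return ones

def same_network(a: str, b: str, mask: str) -> bool:
    """The mask's purpose (4.4.1 iii): is host b on the same local network as host a?"""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)

def subnet_info(dotted: str, prefix: int) -> dict:
    """Network address (host bits 0), broadcast (host bits 1) and the usable range between them."""
    if prefix > 30:
        raise ValueError("this example handles prefixes up to /30 (at least two host bits)")
    mask = prefix_to_mask(prefix)
    network = to_int(dotted) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {"network": to_dotted(network), "mask": to_dotted(mask), "prefix": prefix,
            "first_host": to_dotted(network + 1), "last_host": to_dotted(broadcast - 1),
            "broadcast": to_dotted(broadcast), "usable_hosts": 2 ** (32 - prefix) - 2}

def split_subnets(dotted: str, prefix: int, borrow: int) -> list:
    """Sub-netting (4.4.3): borrow host bits and list every resulting subnet in order."""
    if borrow < 1:
        raise ValueError("borrow at least one host bit")
    new_prefix = prefix + borrow
    base = to_int(dotted) & prefix_to_mask(prefix)
    size = 2 ** (32 - new_prefix)
    subnets = []
    for i in range(2 ** borrow):
        info = subnet_info(to_dotted(base + i * size), new_prefix)
        info["subnet_bits"] = format(i, "0%db" % borrow)
        # the text's note: the all-zeros and all-ones subnets are not used
        info["excluded_by_zero_ones_rule"] = i in (0, 2 ** borrow - 1)
        subnets.append(info)
    return subnets

if __name__ == "__main__":
    print(address_class("199.232.66.20"), same_network("199.232.66.20", "199.232.66.41", "255.255.255.0"))
    for net in split_subnets("192.64.123.0", 24, 2):
        print(net["subnet_bits"], net["network"], net["first_host"], net["last_host"], net["broadcast"])
```

`split_subnets("192.64.123.0", 24, 2)` yields the four /26 blocks; the second and third carry the ranges 192.64.123.65-126 and 192.64.123.129-190 that the subnet tables list.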
Subnet #1
                    Network    Network    Network    Subnet   Host
CLASS 'C' ADDRESS   192        64         123        64
MASK (DECIMAL)      255        255        255        192
MASK (BINARY)       11111111   11111111   11111111   11       000000
Table 4.7b

For subnet 192.64.123.64/26, the mask and address shown in table 4.7b above combine to give a range of addresses from 192.64.123.65 through 192.64.123.126.

Subnet #2
                    Network    Network    Network    Subnet   Host
CLASS 'C' ADDRESS   192        64         123        128
MASK (DECIMAL)      255        255        255        192
MASK (BINARY)       11111111   11111111   11111111   11       000000
Table 4.7c

For subnet 192.64.123.128/26, the mask and address shown in table 4.7c above combine to give a range of addresses from 192.64.123.129 through 192.64.123.190.

4.4.4 SPECIAL IP ADDRESSES

There are several IP addresses that are special in one way or another. These addresses are for special purposes or are to be put to special use.

Addresses significant to every IP subnet
  ▪ Network Address
  ▪ Broadcast Address
Addresses significant to individual hosts
  ▪ Loopback Address
  ▪ Multicast Addresses
  ▪ Private Addresses
  ▪ Reserved Addresses

1. NETWORK ADDRESS: A network address is an address where all host bits in the IP address are set to zero (0). In every subnet there is a NETWORK address. This is the first and lowest numbered address in the range. The network address is defined as the address that contains all zeroes in the host portion of the address and is used to communicate with devices that maintain the network equipment.

2. BROADCAST ADDRESS: A broadcast address is an address where all host bits in the IP address are set to one (1). This address is the last address in the range of addresses, and is the address whose host portion is set to all ones. All hosts are to accept and respond to the broadcast address. This makes special services possible.

3. LOOPBACK ADDRESS (127.0.0.1): The 127.0.0.0 class 'A' subnet is used for only a single address: the loopback address 127.0.0.1.
This address is used to test the local NETWORK interface device's functionality. All NETWORK interface devices should respond to this address. If we ping 127.0.0.1, we can be assured that the network hardware is functioning and that the network software is also functioning.

4. PRIVATE ADDRESSES: RFC 1918 defines a number of IP blocks which were set aside by the American Registry for Internet Numbers (ARIN) for use as PRIVATE ADDRESSES on private networks that are not directly connected to the INTERNET. The private addresses are shown in table 4.8.

Class   Start          End
A       10.0.0.0       10.255.255.255
B       172.16.0.0     172.31.255.255
C       192.168.0.0    192.168.255.255

Table 4.8 Private IP Addresses

5. MULTICAST ADDRESSES: Multicast (class D) IP addresses, shown in table 4.9, are used in special areas like routing algorithms (e.g. OSPF uses a multicast address for route advertisement) and video conferences etc.; they cannot be used on the INTERNET.

Class   Start          End
D       224.0.0.0      239.255.255.255

Table 4.9 Multicast IP Addresses

6. RESERVED ADDRESSES: There are a number of addresses that are reserved and set aside for future purposes, like class E IP addresses. Some special addresses are shown in table 4.10.

Address Block   CIDR Mask   Used for                                                  Reference
0.0.0.0         /8          Used to communicate with "this" network                   RFC 1700, p. 4
10.0.0.0        /8          Private-use networks                                      RFC 1918
14.0.0.0        /8          Public-data network                                       RFC 1700, p. 181
24.0.0.0        /8          Cable TV networks                                         --
39.0.0.0        /8          Previously reserved; available for regional allocation    RFC 1797
127.0.0.0       /8          Loopback address                                          RFC 1700, p. 5
128.0.0.0       /16         Previously reserved; available for regional allocation    --
169.254.0.0     /16         Link local (e.g. Microsoft XP systems use Automatic Private IP Addressing (APIPA), which selects addresses in this range)

Table 4.10 Special IP Addresses

4.5 IP ROUTING:

Routing is the process of moving data from one NETWORK to another by forwarding PACKETS via GATEWAYS.
With IP based NETWORKS, the routing decision is based on the destination address in the IP PACKET'S header. Routing can be classified as shown in fig 4.5.

Fig 4.5 IP Routing

4.5.1 Static Routing:

Static routing is the term used to refer to the manual method used to set up routing. An administrator enters routes into the router using configuration commands. This method has the advantage of being predictable and simple to set up. It is easy to manage in small networks but does not scale well.

i. ADVANTAGES
▪ Simple to configure
▪ Easy to predict and understand in small networks

ii. DISADVANTAGES
▪ Requires extensive planning and has a high management overhead
▪ Does not dynamically adapt to network topology changes or equipment failures
▪ Does not scale well in large networks

iii. STATIC ROUTE CONFIGURATION (CISCO)
▪ Default Route
▪ Static Null Route
▪ Preferred Routes
▪ Backup Routes
▪ Static Load Balancing

a. Default Route: A default route is often called the 'route of last resort'. It is the last route tried when all other routes fail, because it has the fewest number of network bits matching and is therefore the least specific. A default route is configured on a CISCO router with the following command:

ip route 0.0.0.0 0.0.0.0 <next hop address> OR <exit interface type>

b. Static Null Route: A null route routes traffic to a non-existent interface, what is often called a 'bit bucket'. This traffic is effectively dropped as soon as it is received. A null route is useful for removing packets that cannot make it out of the network or to their destination, and decreases congestion caused by packets with no functional destination. During a denial of service attack, a null route can temporarily be used near the destination to drop all traffic generated by the attack.

CISCO 'NULL ROUTE' COMMAND:

ip route <network> <mask> null0

c.
Preferred Routes: The route which has the greatest number of network bits matching the destination address is the preferred route to a destination. This is referred to as 'longest prefix match'.

ip route 202.148.224.0 255.255.255.252 e0
ip route 202.148.224.128 255.255.255.128 e1

d. Backup Routes: In cases where redundancy is required, a second route can be placed on another physical path so that, if the first route fails, the second route over the less preferred path(s) will be used. By using a second pair of routes, this method can help compensate for NETWORK failures.

CISCO router commands:

SPECIFIC ROUTES (used unless down)
ip route 202.148.224.0 255.255.255.128 e0
ip route 202.148.224.128 255.255.255.128 e1

BACKUP ROUTES (used when one of the specific routes is down)
ip route 202.148.224.0 255.255.255.0 e0
ip route 202.148.224.0 255.255.255.0 e1

e. Static Load Balancing: We can create load balancing without using a dynamic routing protocol. Most routers will perform load balancing automatically if several equal cost paths to a destination exist on multiple interfaces. To configure this using static routing, we need only create multiple static routes for more than one interface. This creates more than one equal cost path, which will balance the load.

router commands:
ip route 202.148.224.0 255.255.255.0 e0
ip route 202.148.224.0 255.255.255.0 e1

4.5.2 Dynamic Routing

Interior (Intra domain)
▪ RIP - Routing Information Protocol
▪ OSPF - Open Shortest Path First
▪ IS-IS - Intermediate System to Intermediate System
▪ IGRP - Interior Gateway Routing Protocol
▪ EIGRP - Enhanced Interior Gateway Routing Protocol

Exterior (Inter domain)
▪ BGP - Border Gateway Protocol

i. RIP (Routing Information Protocol): The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP).
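Before going on to the dynamic protocols, the static routing behaviour of section 4.5.1 (longest prefix match, backup routes that take over when an interface is down, equal-cost load balancing, the null route and the default route) as an added Python example; this is illustrative code, not part of the original notes and not router software. The 202.148.224.0 routes and the interface names e0/e1 follow the text; the "s0" default-route interface, the "null0" bit-bucket interface and the 192.0.2.0/24 network that is null-routed are assumptions.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed routing table: (destination prefix, outgoing interface).
STATIC_ROUTES = [
    ("0.0.0.0/0", "s0"),            # default route: the 'route of last resort' (s0 assumed)
    ("202.148.224.0/25", "e0"),     # specific routes (used unless down)
    ("202.148.224.128/25", "e1"),
    ("202.148.224.0/24", "e0"),     # backup routes covering the whole /24
    ("202.148.224.0/24", "e1"),
    ("192.0.2.0/24", "null0"),      # static null route: this traffic is dropped (assumed)
]


class StaticRouter:
    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]
        self.down: Set[str] = set()   # interfaces that are down; their routes leave the table

    def interface_down(self, iface: str) -> None:
        self.down.add(iface)

    def interface_up(self, iface: str) -> None:
        self.down.discard(iface)

    def lookup(self, dst: str) -> Tuple[int, List[str]]:
        """Longest prefix match: of all routes containing dst, keep those with the most
        network bits. More than one survivor of the same length means equal-cost paths."""
        addr = ipaddress.ip_address(dst)
        best_len, best = -1, []
        for net, iface in self.routes:
            if iface in self.down or addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, [iface]
            elif net.prefixlen == best_len and iface not in best:
                best.append(iface)
        return best_len, best

    def forward(self, dst: str) -> str:
        prefixlen, ifaces = self.lookup(dst)
        if not ifaces:
            return "drop (no route)"
        if "null0" in ifaces:
            return "drop (null route)"
        if len(ifaces) > 1:
            return f"load-balance /{prefixlen} over {','.join(ifaces)}"
        return f"forward /{prefixlen} via {ifaces[0]}"


if __name__ == "__main__":
    r = StaticRouter(STATIC_ROUTES)
    for dst in ("202.148.224.5", "202.148.224.200", "192.0.2.7", "203.0.113.9"):
        print(dst, "->", r.forward(dst))
    r.interface_down("e0")
    print("e0 down:", "202.148.224.5 ->", r.forward("202.148.224.5"))   # backup /24 via e1 takes over
```

With e0 up, 202.148.224.5 leaves via the /25 on e0 even though two /24 routes and the default route also match; once e0 is down, the remaining /24 via e1 is the longest match left, which is exactly the backup behaviour the commands above configure.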
It uses the distance-vector routing algorithm, the Bellman-Ford algorithm. RIP is a distance-vector routing protocol which employs the hop count as its routing metric. The hold down time is 180 seconds. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and is used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process.

In most current networking environments, RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP and OSPF. It is easy to configure, because RIP does not require any parameters on a router, unlike other protocols. RIP Version 2 is in vogue; it includes the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with the earlier versions.

ii. OSPF (Open Shortest Path First): OSPF is an internal routing protocol (primarily used inside a single company; it can span multiple sites). It is an open standard protocol. Like other dynamic routing protocols, OSPF enables routers to disclose their available routes to other routers. OSPF is a link-state routing protocol that runs Dijkstra's algorithm to calculate the shortest path to other networks. Taking the bandwidth of the network links into account, it uses cost as its metric. OSPF works by developing adjacencies with its neighbors, periodically sending hello packets to neighbors, flooding changes to neighbors when a link's status changes, and sending "paranoia updates" of all recent link state changes to neighbors every 30 minutes.
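The two route-selection methods just described, side by side on one small constructed topology, as an added Python example (illustrative code, not part of the original notes): a RIP-style distance-vector exchange with the hop count as metric and 16 treated as infinity, and an OSPF-style Dijkstra computation with a bandwidth-derived cost. The topology, the bandwidths and the reference bandwidth of 100 Mbit/s used for the cost formula are assumptions. The straight-line chain() topology goes beyond the text's example to show the 15-hop limit in action.

```python
import heapq
from typing import Dict, Optional, Tuple

INFINITY = 16            # RIP: 16 hops means "unreachable"; 15 is the longest usable path
REF_BW = 100_000_000     # assumed OSPF reference bandwidth: cost = REF_BW / link bandwidth

# Constructed topology: link -> bandwidth in bit/s. A-B, B-D and B-C are 100 Mbit/s,
# A-D is a direct but slow 1.544 Mbit/s T1.
LINKS = {
    ("A", "B"): 100_000_000,
    ("B", "D"): 100_000_000,
    ("B", "C"): 100_000_000,
    ("A", "D"): 1_544_000,
}


def adjacency(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    adj: Dict[str, Dict[str, int]] = {}
    for (u, v), bw in links.items():
        adj.setdefault(u, {})[v] = bw
        adj.setdefault(v, {})[u] = bw
    return adj


def rip_converge(links, max_rounds: int = 50):
    """Distance-vector (Bellman-Ford): every router repeatedly learns its neighbours'
    tables and adds one hop. A route that would need 16 hops is never installed.
    Returns {router: {destination: (hops, next_hop)}}."""
    adj = adjacency(links)
    tables = {r: {r: (0, None)} for r in adj}
    for r in adj:
        for nb in adj[r]:
            tables[r][nb] = (1, nb)                 # directly connected: one hop
    for _ in range(max_rounds):
        changed = False
        for r in adj:
            for nb in adj[r]:
                for dest, (hops, _) in list(tables[nb].items()):
                    cand = hops + 1
                    if cand >= INFINITY:            # "infinite" distance: unreachable
                        continue
                    if cand < tables[r].get(dest, (INFINITY, None))[0]:
                        tables[r][dest] = (cand, nb)
                        changed = True
        if not changed:                             # converged
            break
    return tables


def hops_to(tables, src: str, dst: str) -> int:
    return tables[src].get(dst, (INFINITY, None))[0]


def ospf_cost(bandwidth: int) -> int:
    return max(1, REF_BW // bandwidth)


def ospf_spf(links, source: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Link-state (Dijkstra): the whole topology is known and the metric is the sum
    of link costs, so a two-hop fast path beats a one-hop slow one.
    Returns {destination: (cost, first_hop)}."""
    adj = adjacency(links)
    dist = {source: 0}
    first_hop: Dict[str, Optional[str]] = {source: None}
    heap = [(0, source, None)]
    while heap:
        d, u, fh = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, bw in adj[u].items():
            nd = d + ospf_cost(bw)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if fh is None else fh
                heapq.heappush(heap, (nd, v, first_hop[v]))
    return {v: (dist[v], first_hop[v]) for v in dist}


def chain(n: int, bandwidth: int = 100_000_000):
    """Constructed straight line of routers R0-R1-...-Rn, to show RIP's 15-hop limit."""
    return {(f"R{i}", f"R{i + 1}"): bandwidth for i in range(n)}


if __name__ == "__main__":
    print("RIP  A->D:", rip_converge(LINKS)["A"]["D"])      # (1, 'D'): fewest hops, slow T1
    print("OSPF A->D:", ospf_spf(LINKS, "A")["D"])          # (2, 'B'): lowest cost, via fast links
    print("R0->R17 on a 17-link chain:", hops_to(rip_converge(chain(17)), "R0", "R17"))
```

RIP sends A's traffic for D over the single-hop T1, while OSPF, whose cost for the T1 is 64 against 1 per Fast Ethernet link, prefers the two-hop path through B; this is the "recognizes the bandwidth of a link" strength listed below. On the 17-link chain the far end is simply missing from R0's table, which is how the 16-hop infinity limits network diameter.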
While OSPF is an excellent routing protocol for networks of all sizes, one of its weaknesses is that it can be quite complex to configure. On the other hand, it offers more features than simpler protocols such as RIP. Here are some of OSPF's strengths:

❖ It converges quickly, compared to a distance vector protocol
❖ Routing update packets are small, as it does not send the entire routing table
❖ It is not prone to routing loops
❖ It scales very well for large networks
❖ It recognizes the bandwidth of a link and takes it into account in link selection
❖ It supports VLSM and CIDR
❖ It supports a long list of optional features that many others don't

iii. BGP (Border Gateway Protocol): The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rule sets.

BGP was created to replace the Exterior Gateway Protocol (EGP) routing protocol to allow fully decentralized routing, in order to allow the removal of the NSFNet Internet backbone network. This allowed the Internet to become a truly decentralized system. Now version four of BGP is in use on the Internet. All previous versions are now obsolete. The major enhancement in version 4 was support of Classless Inter-Domain Routing and use of route aggregation to decrease the size of routing tables.

Most Internet users do not use BGP directly. However, since most Internet service providers must use BGP to establish routing between one another (especially if they are multi-homed), it is one of the most important protocols of the Internet. Very large private IP networks use BGP internally, however.
An example would be the joining of a number of large Open Shortest Path First (OSPF) networks where OSPF by itself would not scale to size. Another reason to use BGP is multi-homing a network for better redundancy, either to multiple access points of a single ISP or to multiple ISPs.

BGP neighbors, or peers, are established by manual configuration between routers to create a TCP session on port 179. A BGP speaker will periodically send 19-byte keep-alive messages to maintain the connection (every 60 seconds by default). Among routing protocols, BGP is unique in using TCP as its transport protocol.

When BGP is running inside an autonomous system (AS), it is referred to as Internal BGP (iBGP or Interior Border Gateway Protocol). When it runs between autonomous systems, it is called External BGP (eBGP or Exterior Border Gateway Protocol). Routers on the boundary of one AS, exchanging information with another AS, are called border or edge routers.

4.6 WAN DEVICES

4.6.1 ROUTER

A router is a specialized computer connected to more than one NETWORK that runs software that allows it to move data from one NETWORK to another based on routing tables, as shown in table 4.11; routing functions are described in fig 4.6.

Mask (/n)   Network Address   Next hop Address   Interface
/24         201.4.22.0        180.170.65.200     S1/0
/16         140.24.0.0        156.24.32.43       S2/0

Table 4.11 Typical Routing Table

Fig 4.6 Routing functions

Routers operate at the NETWORK LAYER (OSI LAYER 3). The primary function of a router is to connect networks together and keep certain kinds of BROADCAST traffic under control. There are several companies that make routers: CISCO, JUNIPER, NORTEL, REDBACK, LUCENT, 3COM, and HP, just to name a few. Routers operate in the physical, data link, and network layers of the OSI model. The hardware setup of a router is shown in fig 4.7 and the functionality of each device is described below.
Fig 4.7 Router hardware setup (blocks shown: Console interface, Boot ROM, Ethernet interface, Flash, Processor, Serial interface, NVRAM, DRAM, I/O bus, CPU bus)

PROCESSOR executes instructions coded in the operating system (IOS) to perform the basic operations necessary to accomplish the Router's functionality (e.g. all the routing functions, network module high level control and system initialization). Generally the processors used are MPC 860 or higher.

BOOT ROM is not erasable and is used for permanently storing startup diagnostic code (ROM Monitor). The main tasks of the Boot ROM are to perform hardware diagnostics during boot up of the router (Power On Self Test, POST) and to load the IOS software from the Flash to the memory.

DRAM is logically divided into Main Processor memory and Shared Input/Output (I/O) memory.

Main Processor Memory is used to store routing tables, fast switching cache, running configuration, and so on. It can take unused shared I/O memory, if needed.

Shared I/O Memory is used for temporary storage of packets in system buffers at the time of process switching, and in interface buffers during fast switching.

FLASH is the only way to permanently store and move a complete IOS software image, backup configurations, or any other files.

NVRAM is used for permanent storage of the startup configuration, and is writeable. It is also used for permanent storage of hardware revision and identification information, and also Media Access Control (MAC) addresses for LAN interfaces. It is a battery backed Static RAM (SRAM).

CONSOLE INTERFACE is used for initial configuration of the Router using terminal emulation software like HyperTerminal.

ETHERNET INTERFACE is used for connecting local area networks (LAN) of type Ethernet, Fast Ethernet, Gigabit Ethernet etc.

SERIAL INTERFACE is used for connecting wide area networks (WAN) of type synchronous serial, asynchronous serial, smart serial etc.
CPU Bus is used by the CPU for accessing the various components of the router and transferring instructions and data to or from specified memory addresses.

I/O Bus is the bridge interface between the CPU bus and the system bus (where the network modules and other interface boards are connected).

Fig 4.8 Routers connecting independent LANs and WANs

Routers relay packets among multiple interconnected networks like LANs and WANs, as shown in fig 4.8; they route packets from one network to any of a number of potential destination networks on an internet. A packet sent from a station on one network to a station on a neighboring network goes first to the jointly held router, which switches it over to the destination network. If no single router is connected to both the sending and receiving networks, the sending router transfers the packet across one of the connected networks to the next router in the direction of the ultimate destination. That router forwards the packet to the next router on the path, and so on until the destination is reached.

Routers act like stations on a network. But unlike most stations, which are members of only one network, routers have addresses on and link to two or more networks at the same time. In their simplest function they receive packets from one connected network and pass them to a second, connected, network. However, if a received packet is addressed to a node on a network of which the router is not a member, the router is capable of determining which of its connected networks is the best next relay point for the packet. Once a router has identified the best route for a packet to travel, it passes the packet along the appropriate network to another router.
That router checks the destination address, finds what it considers the best route for the packet and passes it to the destination network (if that network is a neighbor), or across a neighboring network to the next router on the chosen path.

Routers perform the following functions:
▪ Restrict NETWORK broadcasts to the local LAN
▪ Protocol bridging
▪ Act as the DEFAULT GATEWAY
▪ Learn and advertise loop free paths between sub-networks

i. Restrict Broadcasts to the Local LAN: NETWORKS use BROADCASTS (transmissions sent to all hosts on the NETWORK) to communicate certain kinds of information that the NETWORK uses to function properly (ARP, RARP, DHCP, IPX-SAP broadcasts etc.). As the number of hosts on the NETWORK increases, the amount of what is called "broadcast" traffic increases. If enough broadcast traffic is present on the network, then ordinary communication across the NETWORK becomes difficult. To reduce BROADCASTS, a NETWORK administrator can break up a NETWORK with a large number of hosts into two smaller networks. BROADCASTS are then restricted to each NETWORK, and the router performs as the DEFAULT GATEWAY to reach the hosts on the other NETWORKS.

ii. Protocol Bridging: A router can take in an Ethernet frame, strip the Ethernet data and then drop the IP data into a frame of another type such as Token Ring, DS1/T1, SONET or FDDI. A router also performs 'protocol conversion', provided it has the appropriate hardware and software to support such a function. When converting between protocols, the closest equivalent function in the new protocol is set to mirror the old protocol from which the data was received. The idea is to forward the data from the interface it receives data on to another interface that retransmits the received data onto another network using a different protocol.

iii. Act as the Default Gateway: Especially in today's networks, people are connecting to the INTERNET.
When a PC wants to talk to a PC on another network, it does so by sending the data to the DEFAULT GATEWAY (our router). The router receives the datagram, looks up the remote address of that far-off PC and then makes a routing decision. The router then forwards the data out of a different interface that is closer to that remote PC. There could be several routers between the originating PC and the remote PC, so several routers will take part in handing off the datagram, much like a fireman's bucket brigade.

This allows two networks managed by different organizations to exchange data. They create a NETWORK between them and exchange data between the routers on that network. Because a router can accept traffic from any kind of network it is attached to, and forward it to any other network, it can also allow networks that could not normally communicate with each other to exchange data. In technical terms, a TOKEN RING NETWORK and an ETHERNET NETWORK can communicate over a serial network. Routers make all this possible.

iv. Learn and advertise loop free paths between sub-networks: Over time, networks grew in size. The connections between them outgrew administrators' ability to keep up with them. To make life simpler, routing protocols (RIP, OSPF, IS-IS, IGRP, EIGRP, BGP) were invented so that very large NETWORK systems with lots of sub-networks can automatically learn where each NETWORK is located and advertise that information automatically to other routers. This makes it possible for the networks to automatically learn how they are constructed, find the best ways to get from place to place and move all the data along those best routes as efficiently as possible. This is how data makes it across the INTERNET.

4.6.2 GATEWAY

If two networks operate according to different network protocols, a gateway is used to connect them.
Gateways usually operate at OSI layer 4 or higher, and basically translate the protocols to allow terminals on two dissimilar networks to communicate. Some gateways also translate data codes, e.g. from ASCII to EBCDIC. This capability would be useful on a LAN when a communication server routes traffic from a PC based network using ASCII to an IBM mainframe that uses the EBCDIC code.

Gateways can be hardware, software, or a combination of both. They may be implemented on a specially designed circuit card or by using specialized software in a standard PC. An Internet service provider, which connects users in a home to the Internet, is a Gateway. The computer routing traffic in an organization from individual workstations to an outside network's Web server is a Gateway.

Gateways can suffer from slow performance because of protocol translations, so their performance must be considered and tested when a Gateway installation is contemplated. A dedicated computer acting as a gateway, if it is of reasonable speed, usually eliminates any performance problems. Gateways perform an important role in allowing an organization to interconnect different types of LANs so that the network appears as a single entity to the user.

The term Gateway is used in many contexts, but in general it refers to a software or hardware interface that enables two different types of networked systems or software to communicate. For example, you might use a gateway to:
▪ Convert commonly used protocols (e.g. TCP/IP) to specialized protocols
▪ Translate different addressing schemes
▪ Direct electronic mail to the right network destination
▪ Connect networks with different architectures

4.6.3 Network Address Translation (NAT)

NAT is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.

A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet.

When NAT is used in this way, all users inside the private network accessing the Internet have the same public IP address when they use the Internet. That means only one public address is needed for hundreds or even thousands of users.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet.
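The exchange just described, plus the server case that follows, as an added Python model (illustrative code, not part of the original notes and not any vendor's firewall implementation): one public address is shared by every inside host, the firewall keeps a translation table so that replies find their way back, an inbound packet that matches no session is dropped, and a server is exposed by a static mapping on the listed ports only. The public addresses 203.0.113.1 and 203.0.113.10, the inside addresses in 192.168.1.0/24 and the port numbers are all constructed.

```python
from typing import Dict, Optional, Tuple

Packet = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class NatFirewall:
    """Many inside hosts behind one public address, distinguished by the port the
    firewall allocates; static entries expose a server on chosen ports only."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Tuple[str, int], int] = {}        # (inside ip, port) -> public port
        self.inbound_map: Dict[int, Tuple[str, int]] = {}         # public port -> (inside ip, port)
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (public ip, port) -> (inside ip, port)
        self.static_reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def expose(self, public_ip: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static NAT for a server: only the listed (address, port) pairs are reachable."""
        self.static[(public_ip, public_port)] = (inside_ip, inside_port)
        self.static_reverse[(inside_ip, inside_port)] = (public_ip, public_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the private network: rewrite the source to a public address."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key in self.static_reverse:                    # a server replying to its client
            pub_ip, pub_port = self.static_reverse[key]
            return (pub_ip, pub_port, dst_ip, dst_port)
        if key not in self.outbound_map:                  # first packet of a session: allocate a port
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet. Returns the translated packet, or None
        when no session and no static rule matches and the firewall drops it."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if (dst_ip, dst_port) in self.static:
            in_ip, in_port = self.static[(dst_ip, dst_port)]
            return (src_ip, src_port, in_ip, in_port)
        if dst_ip == self.public_ip and dst_port in self.inbound_map:
            in_ip, in_port = self.inbound_map[dst_port]
            return (src_ip, src_port, in_ip, in_port)
        return None


if __name__ == "__main__":
    fw = NatFirewall("203.0.113.1")
    fw.expose("203.0.113.10", 80, "192.168.1.80", 80)        # web server on port 80 only
    out = fw.outbound(("192.168.1.20", 51000, "198.51.100.7", 443))
    print("request as seen on the Internet:", out)
    print("reply back to the workstation:  ", fw.inbound(("198.51.100.7", 443, out[0], out[1])))
    print("unsolicited packet:             ", fw.inbound(("198.51.100.7", 443, "203.0.113.1", 22)))
    print("to the exposed server, port 22: ", fw.inbound(("198.51.100.7", 40000, "203.0.113.10", 22)))
```

The two None results are the security half of the text's point: nothing reaches an inside host unless the firewall either created the session from the inside or was explicitly told to expose that port.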
These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.

Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.

4.6.4 Access Control List (ACL):

ACLs are basically a set of commands, grouped together by a number or name, that is used to filter traffic entering or leaving an interface. When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:
▪ Inbound (as the traffic comes into an interface)
▪ Outbound (before the traffic exits an interface)

Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests.
If the packet is permitted by the tests, it is processed for routing.

Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

Universal facts about Access Control Lists
▪ ACLs come in two varieties: numbered and named.
▪ Each of these references to ACLs supports two types of filtering: standard and extended. Standard IP ACLs can filter only on the source IP address inside a packet, whereas extended IP ACLs can filter on the source and destination IP addresses in the packet.
▪ There are two actions an ACL can take: permit or deny.
▪ Statements are processed top-down. Once a match is found, no further statements are processed; therefore, order is important.
▪ If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet.
▪ An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL.
▪ No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction. For example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but you cannot have two inbound IP ACLs on the same interface.

Standard ACLs: A standard IP ACL is simple; it filters based on source address only. You can filter a source network or a source host, but you cannot filter based on the destination of a packet, the particular protocol being used such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only source traffic.

Extended ACLs: An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source and destination packet addresses.
They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.

Named ACLs: One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not too descriptive of their use. With a named ACL, this is not the case, because you can give your ACL a descriptive name. An ACL named Deny Mike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. Another advantage of named ACLs is that they allow you to remove individual lines from an ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create the entire list.

Configuration Guidelines
▪ Order of statements is important: put the most restrictive statements at the top of the list and the least restrictive at the bottom.
▪ ACL statements are processed top-down until a match is found, and then no more statements in the list are processed.
▪ If no match is found in the ACL, the packet is dropped (implicit deny).
▪ Each ACL needs either a unique number or a unique name.
▪ The router cannot filter traffic that it, itself, originates.
▪ You can have only one IP ACL applied to an interface in each direction (inbound and outbound); you can't have two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL for each protocol, like IP and IPX, applied to an interface in each direction.)
▪ Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit deny statement, you need at least one actual permit or deny statement.
▪ Remember the numbers you can use for IP ACLs. Standard ACLs can use numbers ranging 1–99 and 1300–1999, and extended ACLs can use 100–199 and 2000–2699.
▪ A wildcard mask is not a subnet mask.
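The evaluation rules from the guidelines above (top-down first match, the implicit deny, the empty-ACL exception, the order of statements, and the difference between a standard and an extended entry) as an added Python example, together with the wildcard-mask comparison an entry is matched with. This is illustrative code, not part of the original notes and not router software; the addresses, the ACL entries and the packets are constructed, with 192.64.123.64/26 reused from the subnetting tables.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")    # what the router shows as the keyword 'any'


def host(ip: str) -> Tuple[str, str]:
    """The 'host' form: wildcard 0.0.0.0, every address bit must match."""
    return (ip, "0.0.0.0")


def wildcard_from_mask(subnet_mask: str) -> str:
    """A wildcard mask is not a subnet mask: subtract each byte of the subnet mask from 255."""
    return ".".join(str(255 - int(b)) for b in subnet_mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this bit of addr must equal base; wildcard bit 1 = don't care."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                        # 'permit' or 'deny'
    src: Tuple[str, str]               # (address, wildcard)
    dst: Tuple[str, str] = ANY         # a standard ACL can only test the source
    proto: Optional[str] = None        # extended ACLs: 'tcp', 'udp', ...
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny.
    An ACL with no statements at all permits everything (see the guidelines)."""
    if not acl:
        return "permit"
    for e in acl:
        if not wildcard_match(pkt.src, *e.src):
            continue
        if not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"                      # the implicit deny at the end of every ACL


if __name__ == "__main__":
    subnet = ("192.64.123.64", wildcard_from_mask("255.255.255.192"))   # the /26 of table 4.7b
    standard = [Entry("deny", host("192.64.123.100")), Entry("permit", subnet)]
    for src in ("192.64.123.100", "192.64.123.101", "192.64.123.130"):
        print("standard:", src, "->", evaluate(standard, Packet(src, "203.0.113.5")))
    # same two statements, reversed: the broader permit now shadows the host deny
    print("reversed:", evaluate(list(reversed(standard)), Packet("192.64.123.100", "203.0.113.5")))
    extended = [Entry("permit", subnet, host("203.0.113.5"), "tcp", 80)]
    print("extended tcp/80:", evaluate(extended, Packet("192.64.123.100", "203.0.113.5", "tcp", 80)))
    print("extended tcp/443:", evaluate(extended, Packet("192.64.123.100", "203.0.113.5", "tcp", 443)))
```

The reversed list is the case the guideline "put the most restrictive statements at the top" warns about: once the subnet permit precedes the host deny, the deny is never reached.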
Like an IP address or a subnet mask, a wildcard mask is composed of 32 bits. To convert a subnet mask to a wildcard mask, subtract each byte in the subnet mask from 255. There are two special wildcard masks: 0.0.0.0 and 255.255.255.255. The 0.0.0.0 wildcard mask is called a host mask. If you enter 255.255.255.255, the router will convert the address and mask to the keyword any.

Placement of ACLs: Standard ACLs should be placed as close to the destination devices as possible. Extended ACLs should be placed as close to the source devices as possible. Because a standard access list filters traffic based only on the source, all you need is the IP address of the host or subnet you want to permit or deny. ACLs are created in global configuration mode and then applied on an interface.

4.7 MPLS (Multi Protocol Label Switching):

MPLS is a mechanism in high-performance telecommunications networks which directs and carries data from one network node to the next with the help of labels. MPLS makes it easy to create "virtual links" between distant nodes. It can encapsulate packets of various network protocols. MPLS is a highly scalable, protocol independent, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular Data Link Layer technology, such as ATM, frame relay, SONET or Ethernet, and eliminate the need for multiple Layer 2 networks to satisfy different types of traffic. MPLS belongs to the family of packet-switched networks.

4.7.1 MPLS Label Stack

MPLS works by prepending packets with an MPLS header, containing one or more 'labels'. This is called a label stack, as shown in fig 4.9.
Fig 4.9 MPLS label stack (Layers 7-5 | Layer 4 | Layer 3 | TTL (8 bits) | S (1 bit) | EXP (3 bits) | Label (20 bits) | Layer 2)

Each label stack entry contains four fields:
▪ A 20-bit label value.
▪ A 3-bit field for QoS priority (experimental).
▪ A 1-bit bottom of stack flag. If this is set, it signifies the current label is the last in the stack.
▪ An 8-bit TTL (time to live) field.

These MPLS labeled packets are switched after a label lookup/switch instead of a lookup into the IP table. Label lookup and label switching may be faster than the usual RIB lookup because they can take place directly in the switching fabric and not the CPU. Routers that perform routing based only on label switching are called Label Switch Routers (LSR), and the routers that are at the exit points of an MPLS network are called Label Edge Routers (LER). Remember that a LER is not usually the one that pops the label; for more information see Penultimate Hop Popping below. Devices that function as ingress and/or egress routers are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers. The job of a P router is significantly easier than that of a PE router, so they can be less complex and may be more dependable because of this.

When an unlabeled packet enters the ingress router and needs to be passed on to an MPLS tunnel, the router first determines the forwarding equivalence class the packet should be in, and then inserts one or more labels in the packet's newly created MPLS header. The packet is then passed on to the next hop router for this tunnel. When a labeled packet is received by an MPLS router, the topmost label is examined. Based on the contents of the label, a swap, push (impose) or pop (dispose) operation can be performed on the packet's label stack.
Routers can have prebuilt lookup tables that tell them which kind of operation to do based on the topmost label of the incoming packet, so they can process the packet very quickly.

In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label.

In a push operation a new label is pushed on top of the existing label, effectively "encapsulating" the packet in another layer of MPLS. This allows the hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs.

In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called "decapsulation". If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel. This is usually done by the egress router.

During these operations, the contents of the packet below the MPLS label stack are not examined. Indeed, transit routers typically need only to examine the topmost label on the stack. The forwarding of the packet is done based on the contents of the labels, which allows "protocol independent packet forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop. Note that the label only separates forwarding paths; it neither encrypts nor authenticates the payload, so traffic that needs confidentiality across an MPLS VPN must be protected at a higher layer (for example IPsec).

At the egress router, when the last label has been popped, only the payload remains. This can be an IP packet, or any of a number of other kinds of payload packet. The egress router must therefore have routing information for the packet's payload, since it must forward it without the help of label lookup tables. An MPLS transit router has no such requirement.

In some special cases, the last label can also be popped off at the penultimate hop (the hop before the egress router). This is called Penultimate Hop Popping (PHP).
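The label stack entry format of 4.7.1 and the swap, push and pop operations (including PHP) described above, as an added Python example that is not part of the IRISET text. It encodes and decodes the 32-bit entry (Label 20 | EXP 3 | S 1 | TTL 8, as specified in RFC 3032), then drives a packet through a constructed two-router core in which P1 swaps the label and P2, as penultimate hop, pops it, with every decision taken from the top label alone. The router names, label values, ILM tables and payload bytes are assumptions made for illustration.

```python
"""MPLS shim-header encode/decode and a table-driven label switch.

Added worked example, not code from the IRISET text. Implements the 32-bit
label stack entry of RFC 3032 (Label 20 | EXP 3 | S 1 | TTL 8) and a toy
Label Switch Router whose forwarding is driven only by the top label.
Router names, label values and ILM tables are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LabelEntry:
    label: int  # 20-bit label value
    exp: int    # 3-bit experimental / traffic-class field
    s: bool     # bottom-of-stack flag
    ttl: int    # 8-bit time to live

    def encode(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.s) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def decode(cls, data: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)


def encode_stack(entries: List[LabelEntry]) -> bytes:
    """Serialise top entry first; S is set only on the last (bottom) entry."""
    last = len(entries) - 1
    return b"".join(LabelEntry(e.label, e.exp, i == last, e.ttl).encode()
                    for i, e in enumerate(entries))


def decode_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read entries until S=1 and return (stack, payload below the stack)."""
    stack: List[LabelEntry] = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        entry = LabelEntry.decode(data[offset:offset + 4])
        stack.append(entry)
        offset += 4
        if entry.s:
            return stack, data[offset:]


# Incoming Label Map: incoming top label -> (operation, outgoing label, next hop)
Ilm = Dict[int, Tuple[str, Optional[int], str]]


def switch(ilm: Ilm, packet: bytes) -> Tuple[str, bytes]:
    """One LSR forwarding step; returns (next_hop, packet as sent on).

    Only the top label is consulted; the payload is never parsed. The TTL is
    decremented and carried into the new top entry. A pop that removes the
    bottom entry returns the bare payload (the PHP / egress case), which the
    receiving router must then forward by an ordinary IP lookup.
    """
    stack, payload = decode_stack(packet)
    top, inner = stack[0], stack[1:]
    if top.ttl <= 1:
        raise ValueError("TTL expired: drop")
    if top.label not in ilm:
        raise ValueError(f"no ILM entry for label {top.label}: drop")
    op, out_label, next_hop = ilm[top.label]
    ttl = top.ttl - 1
    if op == "swap":
        new_stack = [LabelEntry(out_label, top.exp, False, ttl)] + inner
    elif op == "push":   # keep the existing label, encapsulate it under a new one
        new_stack = [LabelEntry(out_label, top.exp, False, ttl),
                     LabelEntry(top.label, top.exp, False, ttl)] + inner
    elif op == "pop":
        if not inner:
            return next_hop, payload   # last label removed: packet leaves the LSP
        new_stack = [LabelEntry(inner[0].label, inner[0].exp, False, ttl)] + inner[1:]
    else:
        raise ValueError(f"unknown label operation {op!r}")
    return next_hop, encode_stack(new_stack) + payload


# Constructed two-router core: P1 swaps 100 -> 200 towards P2; P2, the
# penultimate hop, pops the last label (PHP) and hands the payload to PE2.
P1_ILM: Ilm = {100: ("swap", 200, "P2")}
P2_ILM: Ilm = {200: ("pop", None, "PE2")}
CORE: Dict[str, Ilm] = {"P1": P1_ILM, "P2": P2_ILM}

# Constructed stand-in for an IPv4 packet; its bytes are never inspected in transit.
PAYLOAD = bytes.fromhex("45000014") + b"\x00" * 16


def run_lsp(tables: Dict[str, Ilm], first_hop: str, packet: bytes) -> Tuple[List[str], bytes]:
    """Walk the packet through every router that has an ILM until it exits the LSP."""
    hops, current = [first_hop], first_hop
    while current in tables:
        current, packet = switch(tables[current], packet)
        hops.append(current)
    return hops, packet


def demo() -> Tuple[List[str], bytes]:
    # Ingress PE1 has classified the packet into a FEC and imposes label 100, TTL 64.
    labelled = encode_stack([LabelEntry(100, 0, True, 64)]) + PAYLOAD
    return run_lsp(CORE, "P1", labelled)


if __name__ == "__main__":
    hops, out = demo()
    print(" -> ".join(hops), "| payload exposed:", out == PAYLOAD)
```

Two points the code makes concrete: the transit routers never touch the payload, so nothing they do depends on (or protects) its contents, and a label with no ILM entry or an exhausted TTL is dropped rather than forwarded, which is the behaviour a practitioner should expect to see when tracing a misprogrammed LSP.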
PHP is useful where the egress router has many packets leaving MPLS tunnels and would otherwise spend inordinate amounts of CPU time on the final pop. With PHP, the transit routers connected directly to this egress router offload it by popping the last label themselves.

MPLS can make use of existing ATM network infrastructure, as its labeled flows can be mapped to ATM virtual circuit identifiers, and vice versa.

There are two standardized protocols for managing MPLS paths: CR-LDP (Constraint-based Routing Label Distribution Protocol) and RSVP-TE, an extension of the RSVP protocol for traffic engineering. (The IETF has since stopped work on CR-LDP in favour of RSVP-TE; see RFC 3468.)

An MPLS header does not identify the type of data carried inside the MPLS path. If one wants to carry two different types of traffic between the same two routers, with different treatment from the core routers for each type, one has to establish a separate MPLS path for each type of traffic.

4.7.2 Comparison of MPLS versus IP

MPLS cannot be compared to IP as a separate entity because it works in conjunction with IP and IP's IGP routing protocols. MPLS gives IP networks simple traffic engineering, the ability to transport Layer 3 (IP) VPNs with overlapping address spaces, and support for Layer 2 pseudowires. Routers with programmable CPUs and without TCAM/CAM or another method for fast lookups may also see a limited increase in performance.

MPLS relies on IGP routing protocols to construct its label forwarding table, and the scope of any IGP is usually restricted to a single carrier for stability and policy reasons. As there is still no common standard for carrier-to-carrier MPLS, it is not possible to have the same MPLS service (Layer 2 or Layer 3 VPN) covering more than one operator.

4.7.3 MPLS local protection

In the event of a network element failure, when recovery mechanisms are employed at the IP layer, restoration may take several seconds, which is unacceptable for real-time applications (such as VoIP).
In contrast, MPLS local protection meets the requirements of real-time applications, with recovery times comparable to those of SONET rings (under 50 ms).

4.7.4 Comparison of MPLS versus ATM

While the underlying protocols and technologies are different, both MPLS and ATM provide a connection-oriented service for transporting data across computer networks. In both technologies connections are signaled between endpoints, connection state is maintained at each node in the path, and encapsulation techniques are used to carry data across the connection. Excluding differences in the signaling protocols (RSVP/LDP for MPLS and PNNI for ATM), there still remain significant differences in the behavior of the technologies.

The most significant difference is in the transport and encapsulation methods. MPLS is able to work with variable-length packets, while ATM transports fixed-length (53 byte) cells. Packets must be segmented, transported and re-assembled over an ATM network using an adaptation layer, which adds significant complexity and overhead to the data stream. MPLS, on the other hand, simply adds a label to the head of each packet and transmits it on the network.

Differences exist, as well, in the nature of the connections. An MPLS connection (LSP) is uni-directional, allowing data to flow in only one direction between two endpoints. Establishing two-way communication between endpoints requires a pair of LSPs to be established. Because two LSPs are required for connectivity, data flowing in the forward direction may use a different path from data flowing in the reverse direction. ATM point-to-point connections (Virtual Circuits), on the other hand, are bi-directional, allowing data to flow in both directions over the same path (only SVC ATM connections are bi-directional; PVC ATM connections are uni-directional). Both ATM and MPLS support tunneling of connections inside connections.
MPLS uses label stacking to accomplish this, while ATM uses Virtual Paths. MPLS can stack multiple labels to form tunnels within tunnels. The ATM Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) are both carried together in the cell header, limiting ATM to a single level of tunneling.

The biggest single advantage that MPLS has over ATM is that it was designed from the start to be complementary to IP. Modern routers are able to support both MPLS and IP natively across a common interface, allowing network operators great flexibility in network design and operation. ATM's incompatibilities with IP require complex adaptation, making it largely unsuitable in today's predominantly IP networks.

4.7.5 MPLS deployment

MPLS is currently in use in large "IP only" networks, and is standardized by the IETF in RFC 3031. In practice, MPLS is mainly used to forward IP datagrams and Ethernet traffic. Major applications of MPLS are telecommunications traffic engineering and MPLS VPN. RailTel MPLS network connectivity is shown in fig. 4.10.

Fig.4.10 RailTel MPLS Network deployment and connectivity