Jump to navigationJump to search



I'm trying to study to get my CCNA (640-802) degree :D I'm using my wiki to note what I'm trying to learn ! Much of the stuff here are from SYBEX CCNA Study guide (6th edition). Hope it'll help other people.


I'm using GNS3 to emulate a Cisco environment. Get it from GNS3 Homepage

Internetworking Devices


Error creating thumbnail: File missing

They work at Layer 2

They are basically multiport bridges with more intelligence.

They break up "collision domains" only and create one big broadcast domain by default.

They use hardware addresses to filter the network.

The main purpose of a switch is to make a LAN work better - optimized speed, they don't forward packets to other networks (like routers do) they just switch frames from one port to another

Routers (Layer 3 switches)

Error creating thumbnail: File missing

They work at Layer 3

  • Use the logical address in a Network Layer header to determine the next hop router to forward the packet to.
  • Use logical addressing to filter the network
  • Can use access lists to control security on types of packets that are allowed to enter or exit an interface.
  • Can provide connections between virtual LANs
  • Can provide packet filtering by using ACLs
  • Can provide QoS ( Quality of Service ) for specific types of network traffic.
  • Can provide layer 2 bridging functions if needed and can simultaneously route through the same interface.
  • They don't care where a particular host is located. They're only concerned about where networks are located and the best way to reach them, including remote ones !


  • They break up "broadcast domains" by default ( 1 broadcast domain per interface ).
  • They break up "collision domains".
  • Can filter network based on Layer 3 ( Network Layer ) information ( e.g., IP Address )
  • They don't forward any broadcast or multicast packets.

Useful at:

  • Packet switching
  • Packet filtering
  • Internetwork communication
  • Path selection


Error creating thumbnail: File missing

They break up collision domains giving users more bandwidth.

They create one large broadcast domain.

They use hardware addresses to filter the network


Error creating thumbnail: File missing

Also called a multiport repeater.

They keep all hosts in the same collision domain. They don't segment a network. They connect network segments together.

They often cause traffic congestion if on a busy network.

All hosts in a hub are on the same broadcast domain as well as the same collision domain.

They are physical layer devices. They repeat the signal to all segments except the one from which it was received.

Traffic Congestion

Can be caused by:

  • Too many hosts in a broadcast domain
  • Broadcast storms
  • Multicasting
  • Low bandwidth
  • Hubs
  • ARP or IPX traffic ( a very chatty protocol made by NOVEL that is like IP )


Bob and Sally in a Hub.png

If Bob has Sally's IP address, in order for Bob to be able to connect to Sally it just needs to broadcast a request to find out her hardware address ( MAC ). If it doesn't have it's IP address it needs to find out from a DNS server or if they are on the same network it just needs to broadcast a request to find it. The same goes the other way around. This is IPv4 and basic networking in Windows ( no routers yet ! )

In the future you might want to break up a big network into smaller ones because as the network grows it'll get slower and slower. This is done by network segmentation using routers, switches and bridges.

It is very important to break up collision domains (using switches) and broadcast domains ( using routers ).

Colision Domain is an Ethernet term used to describe a network collection of devices in which on which a particular device sends a packet on a network segment forcing every other device on the same segment to pay attention to it.

Broadcast Domain a set of all devices on a network segment hear all broadcasts sent on that segment.

OSI Layered Reference Model

L1-L4 Define how data is transmitted end to end

L5-L7 Define how applications within the end stations will communicate with each other and with users. Also known as Upper Layers connecting a user interface to an application.

The main advantages of using the OSI Layered Model is that it can allow application developers to change aspects of a program in just one layer of the layer's model specs. Other advantages would be:

  • divisation of the network communication process into smaller (simpler) components providing easier component development, design and troubleshooting.
  • allows multiple-vendor component through standardization of the network components.
  • it encourages industry standardization by specifying what functions occur at each layer of the model
  • it allows communication between various types of network hardware or software
  • prevents changing from one layer from affecting the other layers

Physical Layer (L1)

Function: Physical topology

  • Moves bits between devices
  • Specifies voltage, wire speed and pin-out of cables
  • It just receives bits and sends bits. It is taking 1's and 0's and encoding them into a digital signal for transmission on the network segment.

It communicates directly with various types of actual communication media. Different types of media represent the bits in different ways (audio tons .. state transitions). Specific protocols are needed to describe the proper bit patterns to be used, how data is encoded in media signals and various qualities of the physical media's attachment interface.

It specifies electrical, mechanical, procedural and functional for activating, maintaining and deactivating a physical link between systems.

The connectors and topologies are defined OSI as standards.

Hubs at the Physical Layer

It only receives a digital signal and reamplifies or regenerates the signal and the forwards te signal out all the active ports without looking at any data.

Every device connected to a hub must listen if another device transmits.

Data Link Layer (L2)

Function: Framing

  • Combines packets into bytes and bytes into frames
  • Provides access to media using MAC address
  • Performs error detection not correction
  • Provides framing and placing the data on the network medium

It provides the physical transmission of the data and handles error notification, network topology and flow control.

It ensures that the messages are delivered to the proper device on a LAN using hardware addresses and will translate messages from the Network layer into bits for the Physical layer to transmit.

It formats the messages into pieces - data frames - and ads a customized header containing the hardware destination and source address.

It's responsible for the unique identification of each device that resides on a local network.

It uses hardware addressing for hosts to be able to send packets to other local hosts as well as between routers. When a packet is send between routers it's framed with control information by the Data Link Layer but the data is stripped off so only the original packet remains at the receiving router. This is done from router to router (on each hop) 'till it reaches the destination. The packet isn't altered in any way along the route it is only encapsulated with the type of control information required for it to be properly passed on to different media types.

Switches and Bridges work at this layer and use MAC addresses.


Media Access Control (MAC) 802.3 defines how packets are placed on the media. First come/First served is used and everybody shares the same bandwidth. It defines Physical Addressing (signal path through a physical topology) as well as Logical Topologies. This sublayer can use Line Discipline, error notification (not correction), ordered delivery frames and optional flow control.

Logical Link Control (LLC) 802.2 is responsible for identifying Network Layer protocols and encapsulate them. The LLC header tells the Data Link Layer what to do with a packet once a frame is received. Example: once a host receives a frame, it'll look at the LLC header to find out where the packet is destined, IP protocol at the Network Layer for example. It can also provide flow control and sequencing of control bits. This sub-layer uses service access points.

Switches and Bridges at the Data Link Layer

Switches use ASIC (application-specific-integrated circuit) which can run at gigabit speeds with very low latency rates.

Latency is the time measured from when a frame enters a port to the time it exits a port

Switches and Bridges read each frame as it passes the network, a layer 2 device adds the source hardware address to a filter table and keeps track of which port the frame was received on.

Layer 3 devices ( ex. routers ) are interested in locating networks, Layer 2 (switches and bridges) devices are interested in locating specific devices. Routing tables that "map" the internetwork are for routers as filter tables that "map" individual devices are for switches and bridges.

After a filter table is built on a Layer 2 device it will forward frames only on the segment where the destination address is located. If the destination is on the same segment as the frame the layer 2 device will block the frame from going on any other segment. If the destination is on another segment the frame can be transmited only to that segment.

When a switch interface receives a frame with a destination hardware address not in its filter table it will forward the frame on all connected segments. If the unknown device that received the frame replies to the forwarding action, the switch updates its filter table for that device location. If the destination of the frame is a broadcast address, the switch will forward all broadcasts to every connected segment by default.

All devices that the broadcast is forwarded to are considered to be in the same broadcast domain. The problem here is that layer 2 devices propagate layer 2 broadcast storms and that can choke performance and the only way to stop/interrupt this is a layer 3 device ( a router ).

Network Layer (L3)

Function: Routing

  • Provides logical addressing, which routers use for path determination (routing through an internetwork)

The Network Layer manages device addressing, tracks the location of the devices on the network and determines the best way to move data which means that the Network layer must transport traffic between devices that aren't locally attached.

It happens like this: When a packet is received on a router interface, the destination IP address is checked. If the packet isn't destined for that particular router, it will look up the destination network address in the routing table. Once the router chooses an exit interface, the packet will be sent to that interface to be framed and sent out on the local network. If the router can't find an entry for the packets destination network in the routing table the router drops the packet.

Two types of packets are used at the Network Layer: data and route updates.

Data packets Used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols. Examples of routed protocols are IP and IPv6.

Route update packets Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols that send route update packets are called routing protocols. Examples: RIP, RIPv2, EIGRP and OSPF. Route update packets are used to help build and maintain routing tables and each router.

Error creating thumbnail: File missing

Network addresses Protocol-specific network addresses. A router must maintain a routing table for individual routing protocols because each routing protocol keeps track of a network with a different addressing scheme (IP, IPv6, and IPX, for example).

Interface The exit interface a packet will take when destined for a specific network.

Metric The distance to the remote network. Different routing protocols use different ways of computing this distance. Know that some routing protocols (namely RIP) use something called a hop count (the number of routers a packet passes through en route to a remote network), while others use bandwidth, delay of the line, or even tick count (1/18 of a second).

Transport Layer (L4)

Function: End-to-end connection

  • Provides reliable or unreliable delivery
  • Performs error correction before retransmit
  • Provides segmentation, sequencing and virtual circuits

The Transport layer segments and reassembles data into a data stream.

UDP and TCP protocols work at this layer. UDP is a unreliable service. Reliable means that acknowledgments, sequencing and flow control will be used.

The Transport layer is responsible for providing mechanisms for multiplexing upper-layer applications, establishing sessions and tearing down virtual circuits.

It hides details of any network-dependent information from the higher layers by providing transparent data transfer.

Can be connectionless or connection-oriented.

Flow Control

Ensures Data integrity.

Prevents a sending host on one side of the connection from overflowing the buffers on the receiving host.

The purpose is to provides the means for the receiver to govern the amount of data sent by the sender.

Type of flow control:

  • Buffering
  • Windowing
  • Congestion avoidance

Connection-Oriented Communication

In reliable transport operation, a device that wants to transmit sets up a connection-oriented communication with a remote device by creating a session. This is the only concerned with the connection-oriented portion of the Transport layer (L4).

Connection Orientated services use acknowledgements and flow control to create a reliable session. More overhead is used than in a connectionless ( which don't use flow control or acknowledgements - unreliable ) network service.

Error creating thumbnail: File missing
  • The first "connection agreement" segment is a request for synchronization.
  • The second and third segments acknowledge the request and establish connection parameters—the rules—between hosts. These segments request that the receiver's sequencing is synchronized here as well so that a bidirectional connection is formed.
  • The final segment is also an acknowledgment. It notifies the destination host that the connection agreement has been accepted and that the actual connection has been established. Data transfer can now begin.
Error creating thumbnail: File missing

A service is considered connection-oriented if it has the following characteristics:

  • A virtual circuit is set up ( e.g., a three-way handshake )
  • It uses sequencing.
  • It uses acknowledgements.
  • It uses flow control.

The types of flow control are buffering, windowing and congestion avoidance.


The quantity of data segments ( measured in bytes) that the transmitting machine is allowed to send without receiving an acknowledgement for them is called a window

Windows are used to control the amount of outstanding, unacknowledged data segments.

If a receiving host fails to receive all the segments that it should acknowledge, the host can improve the communication session by decreasing the window size slowing down the transmitting host so it doesn't overflow the receiving hosts's buffers.

TCP uses windowing by default.

Error creating thumbnail: File missing


Positive acknowledgement with retransmission ensures the integrity of a stream of data, it ensures the data won't be duplicated or lost.

Error creating thumbnail: File missing

Session Layer (L5)

Function: Dialog control

  • Keeps different applications' data separate

The Session Layer is responsible for setting up, managing and then tearing down sessions between Presentation layer entities.

It also provides dialog control between nodes or devices.

It serves to organize the communication between systems in different modes: simplex, half duplex and full duplex

The Session Layer basically keeps different applications' data separate from other applications' data.

Presentation Layer (L6)

Function: Data encryption, compression and translation services

  • Presents data
  • Handles processing such as encryption

The Presentation layer presents data to the Application layer and is responsible for data translation and code formating.

This layer is essentially a translator providing coding and converting functions.

It's purpose is to ensure that data from the Application Layer (L7)on one system can be read by the Application Layer (L7) of another system.

Actions like compression/decompression and encryption/decryption are associated with this layer.

Application Layer (L7)

Function: File, print, message, database and application services

  • Provides a user interface

Applications residing in the Application Layer: FTP, TFTP

The Application layer is acting as an interface between the actual application programs

It only comes into play when an application needs to access network resources

It is responsible for for identifying and establishing the availability of the intended communication partner and determining if weather enough resources for the intended communication exist.

Converting Binary to Decimal and Hexadecimal

The digits are limited to 1-s and 0-s. Each digit is called a bit. Usually they are counted 4 bits ( nibble ) or 8 bits ( byte ) at a time. Each digit is placed in a value spot starting from the right and moving left with each spot having double the value of the one before. We only count the values that have 1 in the spot

Nibbles have a max value of 15. Bytes have a max value of 255.

Nibble values : 8 4 2 1
Bytes values: 128 64 32 16 8 4 2 1

Examples (see if you can calculate some more alone !):

1111 -> 8 + 4 + 2 + 1 = 15
1010 -> 8 + 0 + 2 + 0 = 10
1100 -> 8 + 4 = 12 (notice I didn't count the 0 values )
1001 -> 8 + 1 = 9

11111111 -> 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
10101010 -> 128 + 0 + 32 + 0 + 8 + 0 + 2 + 0 = 170
01010101 -> 64 + 16 + 4 + 1 = 85
11001100 -> 128 + 64 + 8 + 4 = 200
00110011 -> 32 + 16 + 2 + 1 = 51
10010110 -> 128 + 16 + 4 + 2 = 150
01101100 -> 64 + 32 + 8 + 4 = 108
11101000 -> 128 + 64 + 32 + 8 = 232
11001100 -> 128 + 64 + 8 + 4 = 204
10110101 -> 128 + 32 + 16 + 4 + 1 = 181

This is a table you should remember before continuing.

10000000 -> 128
11000000 -> 192
11100000 -> 224
11110000 -> 240
11111000 -> 248
11111100 -> 252
11111110 -> 254
11111111 -> 255

Converting to HEX is done by reading nibbles. Here's a table of hex->bin->dec values.

0 -> 0000 -> 0
1 -> 0001 -> 1
2 -> 0010 -> 2
3 -> 0011 -> 3
4 -> 0100 -> 4
5 -> 0101 -> 5
6 -> 0110 -> 6
7 -> 0111 -> 7
8 -> 1000 -> 8
9 -> 1001 -> 9
A -> 1010 -> 10
B -> 1011 -> 11
C -> 1100 -> 12
D -> 1101 -> 13
E -> 1110 -> 14
F -> 1111 -> 15

To convert from bin to hex just take a byte and split it into 2 nibbles. Examples:

01010101 -> 0101 0101 -> 5 5 -> 0x55 ( the 0x means it's a hex value ! It doesn't have any other meaning )
01101010 -> 0110 1010 -> 6 10(A) -> 0x6A
11001100 -> 1100 1100 -> 12(C) 12(C) -> 0xCC
10110101 -> 1011 0101 -> 11(B) 5-> 0xB5

Ethernet Networking

Ethernet is a contention access method that allows all hosts on a network to share the same bandwidth of a link.

Ethernet is very popular because it's readily scalable and easy to implement in the first place.

It uses both Data Link Layer (L2) and Physical Layer (L1) specifications.

It uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection), a protocol that helps devices share the bandwidth evenly without having two devices transmit at the same time on the media.

CSMA/CD was created to overcome the problem of those collisions that appear when packets are transmitted simultaneously from different nodes. In a CSMA/CD network when a node transmits, all other nodes on the network receive and examine the transmission. Only bridges and routers can prevent the transmission to propagate throughout the network.

Carrier sense multiple access with collision detection.png

CSMA/CD works like this: a host (when it wants to transmit) first checks the presence of a digital signal on the wire. If it's clear will proceed with its transmission. The transmitting host is constantly monitoring the wire to make sure no other hosts begin transmitting. If it detects another signal on the wire it sends out an extended JAM signal that causes all hosts on the segment to stop sending data. The other nodes respond to this signal by waiting a while before transmitting using backoff algorithms to determine when the colliding stations can retransmit (all hosts have the same priority to transmit after the timers have expired). If after 15 retries the collision still happens it'll time out.

When a CSMA/CD network sustains heavy collisions the effects are : delay, low throughput, congestion.

Half and Full Duplex Ethernet

Half Duplex is defined in the original 802.3 Ethernet. Cisco says it only uses one wire pair with a digital signal running on both directions of the wire but IEEE specifications discuss the process a little bit different, Cisco referring to the general sense of what's happening here with Ethernet.

It also uses CSMA/CD. If a hub is attached to a switch it must operate in Half Duplex mode in order to be able to detect collisions.

Cisco sees Half Duplex Ethernet - 10BaseT - as being only 30 - 40% effective because the network will only have 3 - 4 Mbps at most in a large environment. It also operates in a shared collision domain.

Full Duplex uses two pairs of wires. It is supposed to offer 100% efficiency. The data transfer is faster because one pair is used for transmitting and another one for receiving using a point-to-point connection between the transmitter of the transmitting device and the receiver of the receiving device. Because of this no collisions will occur.

It can be used in three situations:

  • switch to host
  • switch to switch
  • host to host ( cross over cable )

When a Full Duplex port is powered on it connects to the other end of the Fast Ethernet link and tries to negotiate ( using an auto-detect mechanism ) first deciding on the exchange capability ( 10 or 100 Mbps ) then it checks if it can run full duplex, if it can't it'll run half duplex.

Stuff to remember here would be:

  • Collisions in Full Duplex mode don't exist !
  • Each Full Duplex node requires a dedicated switch port.
  • Both switch port and host network card must be capable of operating in Full Duplex mode.

Ethernet at the Data Link Layer (L2)

Ethernet at the Data Link Layer is responsible for Ethernet addressing, known as MAC addressing also for framing packets received from the Network Layer (L3) and preparing them for transmission on the local network through the Ethernet contention media access method.

Ethernet Addressing

MAC (Media Access Control) addresses are burned into every Ethernet Network Card ( NIC ).

The MAC (or hardware) address is a 48 bit ( 6 byte ) address in hex.

Ethernet addressing using MAC addresses.png

The OUI (Organizational unique identifier), composed by 24 bits (3 bytes) is given by the IEEE to an organization. The organization uses the other 24 bits ( 3 bytes ) to uniquely ( supposedly ) to each adapter it manufactures.

The bit order is like this: I/G (Individual/Group). If this is 0 we can assume that this is a MAC address of a device and may appear in the source portion of a MAC header. If this is a 1 we can assume that it's a broadcast or a multicast address... G/L (Global/Local). If it's a 0 it represents a globally administered address ( by IEEE for example ), if it's a 1 it represents a locally administered address. The low order 24 bits represent a locally administered or manufacturer assigned code.

Ethernet Frames

The Data Link Layer is responsible for combining bits -> bytes and bytes -> frames.

Frames are used by the Data Link Layer to encapsulate packets handed down from the Network Layer for transmission on the media access.

This function of Ethernet Stations is pass data frames between them using group of bits known as a MAC frame format. This is providing error detection and cyclic redundancy check ( CRC ), this is only error detection not correction !

802.3 and Ethernet frame formats.png

Preamble is an alternating pattern of 1's and 0's providing a 5MHz clock at the start of each packet which allows devices to lock on the incoming bit stream. It has 7 octets.

Start Frame Delimiter/SFD - With preamble having 7 octets and the SFD having 1 octet to synch. SFD looks like 10101011, the last pair of 1's allows the receiver to come into the alternating 1's and 0's somewhere in the middle and still allow sync up and detect the begining of data.

Destination Address(DA) - 48 bit value ( least significant bit first ). It can be an individual address or a broadcast/multicast MAC address. Broadcasts are all 1's ( F's ) and are sent to all devices and multicasts are only sent to a similar subset of nodes on a network. It is used to determine if the incoming packet for an individual node.

Source Address(SA) - 48 bit value ( least significant bit first ) used to identify the transmitting station. This can't be a broadcast or multicast address.

Length or Type - 802.3 uses a Length field but Ethernet uses a Type field to identify the Network Layer Protocol. 802.3 can't identify the upper layer so it must be used with a proprietary LAN - IPX protocol for example.

Data - this packet can have from 64 to 1500 bytes. It is handed down from the Network Layer to the Data Link Layer.

Frame Check Sequence - is a field at the end of the frame that is used to store the CRC

Ethernet at the Physical Layer

It identifies the cable type and properties.

Firstly created and implemented by Digital,Intel and Xerox (DIX) was then used by IEEE to create IEEE802.3 Committee. This was a 10Mbps network ran coax and after a while twisted pair and fiber physical media.

The IEEE 802.3 Committee extended to 2 new committees known as 802.3u ( Fast Ethernet ) and 802.3ab ( Gigabit Ethernet on category 5 ) and then 802.3ae ( 10Gbps over fiber and coax ).

Ethernet physical layer specs.png

The EIA/TIA (Electronics Industries Association and the newer Telecommunications Industry Alliance) is the body which produces the standards for the Ethernet. They specify that Ethernet uses RJ(Registered Jack) connector with a 4 5 wiring sequence on unshielded twisted pair(UTP) cabling -> RJ45 but the industry is moving to calling this just an 8 pin modular connector.

Each Ethernet Cable type specified by EIA/TIA has inherent attenuation which is measured in decibels (dB) and is defined as the loss of signal strength as it travels the length of a cable. This makes cabling have categories ! Category 5 is better than 3 because it has more twists per meter (and therefor less crosstalk - unwanted signal interference from adjacent pairs in the cable) than category 3.

Here are the original IEEE 802.3 standards:

10Base2 - 10 stands for 10Mbps, Base stands for baseband technology (signaling method for communication on the network ) and 2 stands for almost 200 - up to 185 meters in length. Up to 30 workstations on a single segment. 10Base2 Ethernet cards use a BNC and T-Connector to connect to a network. Known as thinnet.

10Base5 - 10Mbps, baseband technology, up to 500 meters in length. It uses physical and logical bus Attachment Unit Interface (AUI) connectors. It can get up to 2500 meters with repeaters and 1024 users for all segments. Also known as thicknet

10BaseT - 10Mbps using cat 3 UTP wiring. Unlink the 10Base2 and 10Base5 each host has to be connected to a hub or a switch limiting the number of hosts per segment or wire to 1! Uses a RJ45 (8 pin modular) connector with a physical star topology and a logical bus.

Each 802.3 standards define a AUI which allow one-bit-at-a-time transfer to the Physical layer from the Data Link Layer media access method. This allows the Physical Layer to support any existing and new technologies with a constant MAC. The original AUI was a 15 pin connector which allowed a transceiver ( transmitter/receiver ) that provided a 15-pin-to-twisted-pair conversion.

Because of the high frequencies involved the AUI cannot support 100Mbps Ethernet. 100BaseT needed a new interface called Media Independent Interface (MII) was created by the 802.3u specifications and provides 100Mbps throughput. The MII sends a nibble ( 4 bits ) and Giga Media Independent Interface (GMII) sends a byte at a time.

802.3u known as Fast Ethernet is compatible with 802.3 Ethernet because they share the same physical characteristics: same maximum transmission unit (MTU), same MAC mechanisms and preserve the same frame format used by 10BaseT Ethernet. Fast Ethernet is just an extension of 802.3 Ethernet which provides a speed increase of 10 times.

Here are the expanded IEEE 802.3 Ethernet standards:

100BaseTX (IEEE 802.3u) - EIA/TIA cat 5,6,7 UTP two pair wiring. One user per segment up to 100 meters. Uses RJ45 connector with physical star topology and a logical bus.

100BaseFX (IEEE 802.3u) - fiber cabling 62.5/125-micron multimode fiber. Point to Point topology, up to 412 meters, uses SC or ST media interface connectors.

1000BaseCX (IEEE 802.3z) - copper twisted pair ( twinax - balanced coaxial pair ) running only up to 25 meters.

1000BaseT (IEEE 802.3ab) - Category 5, four pair UTP wiring up to 100 meters long.

1000BaseSX (IEEE 802.3z) - multi mode fiber (MMF) using 62.5 and 50 micron core, uses a 850 nano-meter laser and can go up to 220 meters with 62.5-micron, 500 meters with 50-micron.

1000BaseLX (IEEE 802.3z) - single mode (SM) fiber using 9 micron core and 1300 meter laser and can go from 3 up to 10 kilometers.

Fiber optic is a cable that is a more secure long-distance cable that is not susceptible to EMI (ElectroMagnetic Interference) at high speeds.

Ethernet Cabling

There are three types of ethernet cabling:

  • Straight-through cable
  • Crossover cable
  • Rolled cable

Straight-Through cable

Straight Through Ethernet cable.png

It is used to connect:

  • Host to switch or hub
  • Router to switch or hub

There are only 4 pins used ! 1,2,3,6. Connection is easy: 1->1, 2->2, 3->3, 6->6. This would be an ethernet only cable and wouldn't work on anything else ( voice,ISDN,Token Ring... )

Crossover cable

Crossover ethernet cable.png

It is used to connect:

  • Switch to switch
  • Hub to Hub
  • Host to Hub
  • Hub to Switch
  • Router direct to host

The same 4 pins as in straight-through are used only differenece being that they are connected differently: 1->3,2->6,3->1,6->2

Rolled cable

Rolled cable.png

It isn't used to connect Ethernet connections together. It can be used to connect a host to a router's serial console port (COM). 8 wires are used to connect to a serial port but not all are used to send information.

Data Encapsulation

Whenever data goes from one host to another device across the network it gets encapsulated, meaning that at each layer it is wrapped with protocol information. Each layer only communicates peer layer on the other device.

Each layer uses Protocol Data Units (PDUs) to communicate and exchange information. These hold control information attached to the layer of each layer of the model and are usually placed at to the header in front of the data but can be placed in the trailer or at the end of it.

Each layer attaches its own PDU to the encapsulating the data. This information is only read by the peer layer on the receiving device afterwhich it is stripped off and the data is handed to the next upper layer !

Data encapsulation.png

PDU and layer addressing.png

Port numbers at the transport layer.png

The data stream is handed down to the Transport Layer (L4) which sets up a virtual circuit to the receiving device by sending a synch packet after which the data stream is broken up into smaller pieces and a Transport Layer header (PDU) is created and added to the header of the data field, the new piece of data is called a segment. It also sequences the segments and uses acknowledgements and flow control ! In TCP a virtual circuit is defined by the source port number starting at 1024 ( ports under are reserved for well known applications ). The destination port number defines the upper-layer process ( application ) that the data stream is handed to when the data stream is reliably rebuild on the receiving host. The Transport Layer (L4) is also responsible for finding the destination hardware address that dictates where the packet should be sent on the local network ( that is done using ARP ).

Each segment is now handed down to the Network Layer for network addressing and routing through the internetwork. Logical addressing ( IP for example ) is used to get each segment to the correct network. The Network Layer (L3) adds a control header to the segment given from the Transport Layer (L4) and we now have a packet or datagram. The Network and Transport layer work together on the receiving end to rebuild the data stream but it's not a part of their work to place their PDUs on a local network segment - which is the only way to get the information to a router or a host. IP at the network Layer looks at the destination address and compares the address with its own source address and subnet mask if it's a local network request the hardware address of the local host is requested via ARP ) otherwise if it is destined to a remote host IP will look for the IP address of the default gateway ( router ). This packet ( including destination hardware address of the local host or default gateway ) is then given to the Data Link Layer (L2).

The Data Link Layer (L2) is responsible for taking the packets from the Network Layer(L3) and placing them on the network medium ( cable or wireless ). The Data Link Layer encapsulates each packet in a frame, the frame's header containing hardware address of the source and destination hosts ( it is called a frame because both a header and a trailer are added to the packet) . If the destination is on a remote network it is sent to a router to be routed through the internetwork, on the destination network a new frame will be used to get it to the destination host. The frame uses a Ether-Type field to describe which protocol the packet came from the Network Layer ( L3 ). A CRC is ran on the frame and the answer is placed in the Frame Check Sequence in the trailer of the frame. The frame is now ready to be given one-bit-at-a-time to the Physical Layer (L1).

The Physical Layer (L1) is responsible for taking the frames from the Data Link Layer (L2) which are just a bunch of 1's and 0's and encode (using bit timing rules) them into a digital signal to be read by devices on the same local network.

The receiving devices will synchronize on the digital signal and extract ( or decode ) from the 1's and 0's from it and determine. After this is done, the device will build the frames, run a CRC and check their answer against the FCS field in the frame. If it matches the packet is pulled from the frame ( de-encapsulation ) and it's handed to the Network Layer ( L3 ) which checks the address. If the address matches the segment is pulled from the packet and everything else is discarded. The segment is then processed by the Transport Layer ( L4 ) which rebuilds the data stream and acknowledges to the transmitting station that it received each piece. The data stream is then given to the upper-layer application.

Cisco's Three Layer Hierarchical Model

Cisco three layer hierarchical model.png

The following are the three layers and their typical functions:

  • The core layer: backbone
  • The distribution layer: routing
  • The access layer: switching

These 3 layers are logical and aren't necessarily physical devices.

The Core Layer

It's the actual core of the network. It is responsible for transporting large amounts realiably and quickly. It's only purpose is to switch traffic as fast as possible. If there's a failure in the core, ALL USERS can be affected so fault tolerance is an issue. Because of the large amounts of traffic transported at this layer speed and latency are the driving concerns.

There are a few things we want to do in the core and a few we don't. Here are some DON'TS:

  • DON'T do anything that could slow down traffic such as access lists, routing between VLANs, packet filtering.
  • DON'T allow Workgroup access
  • DON'T add routers. If performance is an issue it's better to upgrade than expand !

And here are some DO's:

  • DO think about reliability considering using FDDI, Fast Ethernet ( with redundant links ) thinking about speed and redundancy !
  • DO think about latency ! Design with speed in mind.
  • DO use routing protocols with lower convergence times.

The Distribution Layer

Also known as workgroup layer it provides a communication point between the access layer and the core ! Its primary functions are: providing routing, filtering, WAN access. Data processes user info forwarding requests to the core if needed. It has to determine the fastest way that network services are handled. Here is where we implement policies for the network providing flexibility in defining network operation. Here are some things that should be done at this layer:

  • Routing
  • Implement stuff like access lists, packet filtering and queuing.
  • Implement security and network policies including address translation and firewalls.
  • Redistributing between routing protocols, including static routing.
  • Routing between VLANs and other workgroup support functions
  • Define multicast and broadcast domains.

Everything else that should be done in other layers shouldn't be done here !

The Access Layer

Also known as desktop layer controls workgroup access to the internetwork resources. Most network resources users want will be available locally, the distribution layer handling any traffic for remote ones. Here are some stuff that should be done at this layer:

  • Access Control and policies
  • Segmentation separating collision domains.
  • Workgroup connectivity into the Distribution Layer.

DoD Model

DoD comes from "The Department of Defense". It was created to preserve data integrity and maintain communication in case of a catastrophic was.

It's just a condensed model of the OSI model. It is composed of 4 instead of 7 layers:

  • Process/Application layer -> Application / Presentation / Session Layers

It defines protocols for node-to-node application communication and controls user-interface specs

  • Host to Host layer -> Transfer layer

Defines protocols for setting up the level of transmission service for applications ( Reliable end-to-end communication, error-free delivery, packet sequencing and data integrity )

  • Internet Layer -> Network layer

It designates the protocols relating to the logical transmission of packets over the entire network. It's taking care of hosts addressing giving them IP ( Internet Protocol ) addresses and routing of packets among multiple networks. None of the upper-layers have any functions related to routing.

  • Network Access Layer -> Data Link / Physical Layer

It monitors data exchange between the host and the network. It oversees hardware addressing and defines protocols for the physical transmission of data.

Tcp ip protocol suite.png

Process/Application Layer Protocols

  • Telnet

It's the chameleon of protocols and in special terminal emulation. It allows a user to connect to a remote machine ( telnet client to telnet server. ) so the client machine appears as if it were a terminal directly attached to the remote machine.

  • FTP

File Transfer Protocol. It's not only a protocol it's also an application. It allows file transfers between any 2 machines using it. Usually the users have to login ( or can login as anonymous but the access will be limited ). The file transfer can be in any direction and allows directory listing. It can't execute files or programs on remote hosts.

  • TFTP

Trivial File Transfer Protocol. It's a very stripped down version of FTP. It doesn't need authentication. It doesn't provide directory listing either. It can only send and receive files if you know exactly where they are ! Because the lack of authentication it's very insecure.

  • NFS

It's a protocol specialized in file sharing. It allows 2 different file systems to inter-operate. It does that bu sharing a RAM partion on one system to be accessed by the other system just as it was its own.

  • SMTP

Simple Mail Transfer Protocol. It's what we use to send mail. It uses a spooled/queued method for delivery. When the message is sent to a server it is spooled on a device ( usually a disk ), when the server detects a new queued message and delivers it to its destination.

  • LPD

Line Printer Daemon. It's designed for printer sharing. LPD along with LPR ( Line Printer ) program allows print jobs to be spooled across the network to printers using TCP/IP

  • X Window

It defines a protocol for writing client/server applications based on a GUI. It allows a program to run on a client and have it display things through a window server on another computer.

  • SNMP

Simple Network Management Protocol. It collects and manipulates network information. It does this by polling the devices from the network from a management station ( at fixed or random intervals ) asking them to disclose certain information. It can be used as a watchdog ( called agents ) over the network ( quickly notifying management stations of sudden turn of events - called a trap).

  • DNS

Domain Name System. It's what makes our world easier. It resolves domain names ( like ) to an IP ( like ) and the other way around.

  • DHCP/BootP

Dynamic Host Configuration Protocol. It allows easier administration small/large network environments. It assigns IP addresses to hosts. BootP is different from DHCP in terms that it can also send an OS that a host can boot from ( thing that DHCP can't do ! ) It can also assign other things, the most common being: subnetmask, domain name, default gateway (router) , DNS, WINS information.

It does this by sending a DHCP Discover message at layer 2 ( Data Link ) and layer 3 ( Network ). It is using UDP ( Connection less ) at the Transport Layer.

Host-to-Host Layer Protocols

There are 2 protocols running at this layer:

  • Transmission Control Protocol ( TCP )
  • User Datagram Protocol ( UDP )

They just take the data stream with any instructions and sends it down to the Internet Layer. It protects the upper-layer applications from the complexities of the network.

Transmission Control Protocol (TCP)

  • Sequenced
  • Reliable
  • Connection-orientated
  • Virtual Circuit
  • Acknowledgements
  • Windowing flow control

TCP takes large blocks of information from an application and breaks them into segments. It applies sequences and numbers them so the destination TCP stack can put the information back in the order the application inteded. TCP waits for an acknowledgement from the receiving end so it can retransmit those that aren't acknowledged.

Before a host starts transmitting, TCP contacts the destination TCP layer creating a virtual-circuit ( that's why it's connection orientated ) and agree on the amount of information that will be sent.

TCP Segment Format

In the Host-To-Host layer TCP segments the data stream then the Internet layer takes it and routes them as packets through the internetwork and are given to the Host-To-Host Layer on the receiving host which rebuilds the datastream to give to the upper layers.

Tcp segment format.png

The TCP header is 20 bytes long ( or up to 24 with options ... alot of overhead ). Here's a description of each field in the TCP segment:

Source port - the port number (of the application sending the data) on the host sending the data

Destination port - the port number (of the application receiving the data) on the host receiving the data

Sequence number - a number used by TCP (sequencing) to put the data back in the correct order or retransmit missing or damaged data

Acknowledget number - the TCP octet that is expected next

Header length - the number of 32 bit words in the TCP header. It's an 32bit integral number (even one including options)

Reserved bits - always 0

Code bits - control functions to set up and terminate a session

Window - the window size the sender is willing to accept, in octets

Checksum - because TCP doesn't trust the lower layers a CRC is added. CRC checks header and data fields

Urgent - only valid if the Urgent pointer in the code bit is set. If it is set, this value indicates the offset from the current sequence number, in octets, where the first segment in non-urgent data begins.

Options - may be 0 or multiple of 32 bits ( if any ). 0 means no options have to be present but if they are and if they don't cause the option field to be a total multiple of 32 bits it'll be padded with 0s to make sure the data starts on the 32bit boundary.

Data - the data given to TCP at the Transport Layer including the upper-layer headers.

User Datagram Protocol (UDP)

  • Unreliable
  • Unsequenced
  • Connectionless
  • Low overhead
  • No acknowledgement
  • No windowing or flow control

UDP is a scaled down ( economy ) model of TCP. UDP is used when the application layer takes care of its own checks ( like NFS does ) or when we use a very chatty protocol ( like SNMP sending a steady flow of messages in a large network )

UDP doesn't create a virtual-circuit that is why it's considered a connection-less protocol ( it assumes the application uses its own reliability method). Because the segments are given in the order which are received ( seriously garbled data ) it's not a good choice for stuff like .. VoIP ! It just gives segments to the lower layer and forgets about them. It doesn't use windowing or acknowledgements either.

UDP Segment Format

Udp segment.png

Source port - the port number (of the application sending the data) on the host sending the data

Destination port - the port number (of the application receiving the data) on the host receiving the data

Length - Length of the UDP header including UDP data

CheckSum - for both UDP header and UDP data fields

Data - Data from the upper layer

Port Numbers

Port numbers.png

Both UDP and TCP use port numbers to differentiate the conversations across the network. Source ports are randomly assigned by the sending host and are over 1024 to set up sessions. Numbers lower than 1024 are reserved by IANA for well-known ports. The (source) port numbers are different to differentiate the sessions. TCP and the upper-layers don't use hardware or logical addressing to understand the sending host's address like the Data Link or Network layers do.

A syn packet is sent to the destination service telling the remote destination that the source station wants to create a session. The reply usually will be an accept message.

The Internet Layer Protocols

  • Internet Protocol (IP)
  • Internet Control Message Protocol ( ICMP )
  • Address Resolution Protocol ( ARP )
  • Reverse Address Resolution Protocol ( RARP )
  • Proxy ARP

Internet Protocol (IP)

All the other protocols exist because of IP. It is essentially the Internet Layer.

What it does it check each packet's address, then using a routing table decides where the packet should go next ( choosing the best path ) ( the lower layer - Network Access - doesn't know about these things, it only handles physical link ( local network)).

Identifying devices on networks require a logical ( or software ) address ( which simplifies a lot the routing ) and a hardware address.

IP gets the segments from the Host-to-Host layer fragmenting them into a data stream ( packets ) and then reassembles them back into segments on the receiving side. Each packet contains the IP address of the sender and receiver so each router ( layer 3 ) device makes routing decisions based on these info.

Ip header.png

Version - IP version number ( 4 is most used now )

Header Length - in 32-bit words

Priority and Type of Service - the first 3 bits are the priority bits, the rest tell how the datagram should be handled

Total Length - packet length including header and data

Identification - Unique IP-packet value

Flags - specifies if fragmentation should occur

Fragment offset - it allows fragmentation and reassembly if the packet is too large for a frame. Also allows different maximum transmission units(MTUs)

Time to Live - used to stop IP packets from continuously circle the network looking for a home. It is the number of "hops" a packet is allowed to pass to get to a home, if it doesn't 'till the TTL expires - it's gone

Protocol - port of the upper-layer protocol. TCP has port 0x06, UDP has 0x17, ICMP 0x01, IP in IP(tunneling) 0x04, IGRP 0x09, EIGRP 0x88, OSPF 0x89, IPv6 0x41, GRE 0x47, Layer 2 TUNNEL L2TP 0x115 ( Complete list at [ protocol numbers] ). It supports other Network Protocols like ARP/ICMP.

Header checksum - CRC for header only

Source IP address - 32-bit IP address of the sending station

Destination IP address - 32-bit IP address of the destination station

Options - used for network testing, debugging, security and more.

Data - the actual data given from the upper-layers

Internet Control Message Protocol (ICMP)

An ICMP packet has the following characteristics:

  • It can provide hosts with information about network problems
  • It is encapsulated with IP datagrams

The following are the most common events that an ICMP packet relates to:

Destination Unreachable - is sent back to the sender if a router can't sent a datagram any further.

Buffer Full - is sent while a router's buffer memory for receiving datagram is full

Hops - because each IP datagram is allowed only a certain number of routers to pass through ( called hops ), if it reaches this hop limit before arriving at its destination, the last router to receive the datagram deletes it then it informs the sender of the deletion of the datagram

2 of the most used programs that use this protocol are:

Ping - Packet Internet Groper - uses ICMP to check the connectivity of machines in a network ( both logical and physical )

Traceroute - using ICMP packets, discovers the path of a packet as it traverses a network to its destination

Address Resolution Protocol (ARP)

It's what gets the hardware address of a host when having the logical (IP) address. It does this like this: when the IP has something to send, the Network Access Layer needs to know the hardware address ( if it doesn't have it in cache already ). If it doesn't have it in cache it'll send a broadcast asking for the hardware address of the specified IP address.

Reverse Address Resolution Protocol (RARP)

It's the exact reverse of the ARP. It is used to find the IP address of a hardware address. Usually used by diskless machine who don't have an IP address first.

Proxy Address Resolution Protocol (Proxy ARP)

It isn't a protocol as it's more of a service run by routers on the behalf of other devices ( usually PC machines ). It causes a lot of traffic and cause larger ARP tables but the advantage is that in case the gateway ( router ) goes down a machine on a subnet can reach remote subnets without routing ( or even a gateway ).

IP Addressing

An IP address is a numeric identifier assigned to each machine on a network specifying its specific location in the network.

Unlink the hardware address (MAC) which is hardcoded into the network interface card ( NIC ), the IP address is a software address ( logical address ). It was designed to allow a host on one network to be able to communicate to a host in a different network regardless of the type of LANs the hosts are in.

IP Terminology

A few stuff you should know before continuing:

Bit - one digit .. either 1 or a 0

Byte - 7 or 8 bits ( depending if the parity is used )

Octet - 8 bits. Just an ordinary 8 bit binary number

Network Address - The actual IP address used in routing to send packets to a remote network, like: ; ;

Broadcast Address - Is an address used by applications and hosts to send information to all nodes on a network. Examples would be: -> all networks, all nodes ; -> all subnets on network ; -> all subnets on network

IP Addressing Scheme

An IP address consists of 32 bit of information divided into 4 sections ( octets ), each containing 1 byte - 8 bits. It is usually displayed as:

  • A Dotted decimal:
  • Binary : 10101100.00010000.00011110.00111000
  • Hexadecimal: AC.10.1E.38 - isn't used as often when IP addressing is discussed but is used by Windows in programs like Registry

An IP address is a hierarchical address. The hierarchical addressing structures is a two- or three-level structure, structured by network and host or by network, subnet and host.

Network Addressing

A network address uniquely identifies a netowork. Every machine on a network shares the same network number as a part of its IP address. In for example 172.16 is a network address and 30.56 is the node address ( uniquely identifying a machine on this network ).

Based on the network size there are some classes. Class A is for a small number of networks with large number of nodes. Class C is reserved for a big number of networks with a small number of nodes. Class B is just in between !

To ensure efficient routing the leading bits of an address are the important ones ( a router can speed up the routing by just reading the first bit ).

Classes of networks.png

Network Address Range: Class A

A class A of network addresses always has the first bit set to 0 ( like this: 0xxxxxxx ) -> values between 0 and 127.

00000000 = 0
01111111 = 127

Network Address Range: Class B

A class B network always starts with the first bit set to 1 and the second to 0 ( like : 10xxxxxx ) -> values between 128 and 191

10000000 = 128 10111111 = 191

Network Address Range: Class C

A class C network always starts with the first two bits set to one and the 3rd to 0 ( like 110xxxxx ) -> values between 192 and 223

11000000 = 192 11011111 = 223

Network Addresses Ranges: Class D and E

Classes between 224 and 255 are reserved for D ( 224-239 - multicast ) and E ( 239-255 - scientific purposes ) networks.

Network Addresses Ranges: Special Purpose

Network address of all 0s - this network or segment

Network address of all 1s - All networks

Network - loopback test. Local node can send itself a packet without generating network traffic.

Node Address of all 0s - network address - any host on the network

Node Address of all 1s - all nodes in a network

Entire IP of 0s ( - any network - default route

Entire IP of 1s ( - broadcast to all nodes on network


Is used when you want to break down your network in smaller segments which means less traffic !

Subnetting examples

How many subnets ? - 2^x ; x = the number of turned on bits !

How many hosts per subnet ? - 2^y - 2 ; y = the number of turned off bits ! ( the -2 means minus broadcast and subnet address which aren't valid hosts ! )

What are the valid subnets ? - 256 - subnet mask ; ( one of the 0, 128, 192, 224, 240, 248, 254, 255 mask )

What are the broadcast addresses for each subnet ? - The number right before each subnet !

What are the valid hosts ? - The numbers between the subnet address and broadcast address !

Clas C Subnetting - ( /25 )

128 = 1000000 -> 1 turned on bit !

How many subnets : 2^x = 2^1 = 2

How many hosts per subnet : 2^y - 2 = 2^7 - 2 = 128 - 2 = 126

What are the valid subnets : 256 - 128 = 128 so our subnets are 0 and 128

What are the broadcast addresses for each subnet: 127 and 255

What are the valid hosts : 1-126, 129-254 - ( /26 )

How many subnets : 2^x = 2^2 = 4

How many hosts per subnet : 2^y - 2 = 2^6 - 2 = 64 - 2 = 62

What are the valid subnets : 256 - 192 = 64 -> 0, 64, 128, 192

What are the broadcast addresses for each subnet : 63 , 127, 191 , 255

What are the valid hosts : 1-62 ; 65-126 ; 129-190 ; 193 - 254 - ( /27 )

How many subnets : 2^x = 2^3 = 8

How many hosts per subnet : 2^y - 2 = 2^5 - 2 = 30

What are the valid subnets : 256 - 224 = 32 -> 0, 32, 64, 96, 128, 160, 192, 224

What are the broadcast addresses for each subnet : 31, 63, 95, 127, 159, 191, 223, 255

What are the valid hosts : 1-30; 33-62; 65-94; 97-126; 129-158; 161-190; 193-222; 225-254 - ( /28 )

How many subnets : 2^x = 2^4 = 16

How many hosts per subnet : 2^y - 2 = 2^4 - 2 = 14

What are the valid subnets: 256 - 240 = 16 -> 0, 16, 32, 48 ... 192, 208, 224, 240

What are the broadcast addresses for each subnet : 15, 31, 47, 63 ... 207, 223, 239, 255

What are the valid hosts : 1-14 ; 17-30 ; 33-46 ; 49-62 ... 177-190 ; 193-206 ; 209-222; 241-254 - ' ( /29 )

How many subnets : 2^x = 2^5 = 32

How many hosts per subnet : 2^y - 2 = 2^3 - 2 = 6

What are the valid subnets : 256 - 248 = 8 -> 0, 8, 16, 24 ... 224, 232, 240, 248

What are the broadcast addresses for each subnet : 7, 15, 23, 31 ... 231, 239, 247, 255

What are the valid hosts : 1-6 ; 9-14 ; 17-22 ; 25-30 ... 225-230 ; 233-238 ; 241-246 ; 249-254 - ' ( /30 )

How many subnets : 2^x = 2^6 = 64

How many hosts per subnet : 2^y - 2 = 2^2 - 2 = 2

What are the valid subnets : 256 - 252 = 4 -> 0, 4, 8, 12 ... 240, 244, 248, 252

What are the broadcast addresses for each subnet : 3, 7, 11, 15 .. 243, 247, 251, 255

What are the valid hosts : 1-2 ; 5-6 ; 9-10 ; 13-14 ... 241-242 ; 245-246 ; 249-250 ; 253-254