Network Fundamentals

The Importance of a Network Analyzer – Packet Sniffer. Must-Have Features for Demanding Engineers & Administrators

2015-04-21T03:58:21+10:00

Network Analyzers, also known as Packet Sniffers, are amongst the most popular network tools found inside any Network Engineer’s toolkit. A Network Analyzer allows users to capture network packets as they flow within the enterprise network or Internet.

Engineers usually make use of Network Analyzers to help uncover, diagnose and fix network problems, but they are also used by hackers to obtain access to sensitive information and user data.

Features Offered In High-Quality Network Analyzers

When dealing with network problems, engineers usually follow standard tests to try to identify the source of the problem and make any necessary corrections. These tests usually involve checking the source (Client or Network device) IP address, Gateway, DNS server, Nslookup and performing a few ICMP Echo Requests (aka Ping) to verify connectivity with the local network and destination IP.

These methods are usually enough to diagnose simple problems, but are clearly inadequate when dealing with complex network problems. This is where a high-quality network analyzer comes into play.

Any typical network analyzer will capture and display packets, providing basic packet information such as time of capture, source & destination MAC address, source & destination IP address, Layer 4 protocol information (TCP/UDP flags, ports, sequence/acknowledgement numbers) and the data payload. While this information is extremely useful information, it often means that additional time is required by the engineer to locate the data stream/conversation of interest and track down all associated packets.

Further analysis of the captured data usually increases the difficulty and expertise level required to make sense of the information captured.

Let’s take a look at the most important features high-end network analyzers have, that helps simplify complex troubleshooting in our everyday routine.

Extensive How-To articles can be found in our Network Protocol Analyzers section.

Real-Time Network Card Utilization

Real-time network card utilization is a very handy ‘visual tool’ as it shows the bandwidth utilization of the network card used to capture packets.

When configuring SPAN on Cisco Catalyst switches to monitor a switchport that connects to a router or server, the real-time visual representation of network traffic has proven to be extremely useful as it’s much easier spot packet bursts and other traffic patterns.

Real-time network utilization

Configurable Buffer Size

All traffic captured by the network analyzer is stored in a special buffer. This buffer usually resides in the workstation’s RAM and can be saved on the hard disk, so that additional analysis can be performed later. While most packet analyzers allow the buffer size to changed, its size is usually restricted to a few MB.

The ability to use an extremely large capture buffer e.g 1024MB or 1 Gigabyte, is necessary when performing analysis of heavy traffic where a couple of hundreds of MBs are typically required.

IP Conversation Tracking & Transaction Sequence Diagrams

A high-quality network analyzer smartly presents all captured information in an easy-to-understand manner, making it easy and fast to locate any IP Conversation between hosts:

A high-quality packet analyzer displays IP Conversations between our workstation and Firewall.cx

Having the ability to drill-down into each IP Conversation is equally important. An Enterprise-class packet analyzer provides this important feature by simply double-clicking on any of the displayed conversations:

Enterprise-class packet analyzer allows us to drill-into each IP Conversation

The Transaction Sequence Diagram section on the left side displays the flow of packets of the displayed IP Conversation. Tracking TCP sequence numbers and TCP acknowledgements is often a very time-consuming process so using the right network analyzer will allow engineers to focus on the more important information.

Automatic Diagnostic Tools

Network engineers often need to deal with network problems that occur either from user configuration errors (e.g invalid Domain, incorrect URL etc) or other problems that are often difficult to identify.

Considering the fact your network analyzer captures all traffic, it should be able to automatically identify network/session problems and errors. This helpful feature helps dramatically when dealing with various network issues as it provides an overall view of problems that have been identified.

In many cases, these errors can lead to uncovering suspicious user activity or hacking attempts:

Automatically identift network problems that would otherwise be missed

As shown in the screenshot above, our network analyzer has identified 36 events that can be examined by double-clicking on the specific event in the left window and then selecting the associated addresses from the right window. Packets are then displayed at the bottom area. Double-clicking on these packets will open them for further examination.

Top Network Talkers

During times of excessive traffic, it is usually required to identify the network’s top talkers and take action. When supported by the network analyzer, it makes life very easy. When not supported, a sample of network traffic must be taken and sorted by the IP address with the greatest amount of data transferred.

Monitoring the network’s top talkers and their traffic

Enterprise-class network analyzers provide 4 reports of Top Talkers: Top100 IPv4 Nodes (shown above), Top100 IPv4 Conversations (IP Based), Top100 Physical Nodes (MAC Based) and Top100 Physical Conversations (MAC Based).

Top IP’s can also be obtained via a Dashboard (shown below) which provides Global Utilization (% of total interface bandwidth) and Traffic (bytes) within a specific timeframe, Top IPs based on bytes transferred, and Top Application Protocols based on the protocol used:

Network Analyzer dashboard providing a healthy amount of real-time information and traffic captured

Advanced Filtering

Filtering is a core feature that allows network engineers to select specific type of traffic based on its characteristics. Common filtering found on most network analyzers includes: Source/Destination MAC or IP address, Protocol and Port numbers.

Advanced filtering is a feature most engineers require in their network analyzer, but often don’t have. Advanced filtering allows special complex filters to be created based on additional characteristics such as Time, Packet size, Data Payload values in conjunction with AND/OR/NOT logical operations:

Advanced Filtering options are a must!

Summary

A high-quality network analyzer bundled with useful advanced features as the above will help any engineer or administrator diagnose and deal with network problems quickly and efficiently, but also capture suspicious network traffic patterns often associated with hacking attempts. When selecting your network tools, ensure they are of the highest quality and provide features that will help make your job easier. Our Network Protocol Analyzer section contains valuable articles to help you get started with Wireshark Network Protocol Analyzer.

Measuring Network Performance: Test Network Throughput, Delay-Latency, Jitter, Transfer Speeds, Packet loss & Reliability. Packet Generation Using Iperf / Jperf

2013-08-06T08:45:00+10:00

Measuring network performance has always been a difficult and unclear task, mainly because most engineers and administrators are unsure which approach is best suited for their LAN or WAN network.

A common (and very simple) method of testing network performance is by initiating a simple file transfer from one end (usually workstation) to another (usually server), however, this method is frequently debated amongst engineers and there is good reason for that: When performing file transfers, we are not only measuring the transfer speed but also hard disk delays on both ends of the stream. It is very likely that the destination target is capable of accepting greater transmission rates than the source is able to send, or the other way around. These bottlenecks, caused by hard disk drives, operating system queuing mechanism or other hardware components, introduce unwanted delays, ultimately providing incorrect results.

The best way to measure the maximum throughput and other aspects of a network is to minimise the delay introduced by the machines participating in the test. High/Mid-end machines (servers, workstations or laptops) can be used to perform these tests, as long as they are not dealing with other tasks during the test operations.

While large companies have the financial resources to overcome all the above and purchase expensive equipment dedicated to testing network environments, the rest of us can rely on other methods and tools, most of which are freely available from the open source community.

Related articles:

Introducing Iperf

Iperf is a simple and very powerful network tool that was developed for measuring TCP and UDP bandwidth performance. By tuning various parameters and characteristics of the TCP/UDP protocol, the engineer is able to perform a number of tests that will provide an insight into the network’s bandwidth availability, delay, jitter and data loss.

Main features of Iperf include:

TCP and UDP Bandwidth Measurement
Reporting of Maximum Segment Size / Maximum Transmission Unit
Support for TCP Window size
Multi-threaded for multiple simultaneous connections
Creation of specific UDP bandwidth streams
Measurement of packet loss
Measurement of delay jitter
Ability to run as a service or daemon
Option to set and interval to automate performance tests
Save results and errors to a file (useful for reviewing results later)
Runs under Windows, Linux OSX or Solaris

Unlike other fancy tools, Iperf is a command line program that accepts a number of different options, making it very easy and flexible to use. Users who prefer GUI based tools can download Kperf or Jperf, which are enhancement projects aimed to provide a friendly GUI interface for Iperf.

Another great thing about Iperf is that both ends do not require to be on the same type of operating system. This means that one end can be running on a Windows PC/Server while the other end is a Linux based system.

Currently supported operating systems are as follows:

Windows 2000, XP, 2003, Vista, 7, 8 & Windows 2008
Linux 32bit (i386)
Linux 64bit (AMD64)
MacOS X (Intel & PowerPC)
Oracle Solaris (8, 9 and 10)

Downloading Iperf/Jperf for Windows & Linux - Compiling & Installing on Linux

Iperf is available as a free download from our Administrator Utilities download section. The downloadable zip file contains the Windows and Linux version of Iperf, along with the Java-based graphical interfaces (Jperf). Full installation instructions are available within the .zip file.

The Linux version is easily installed using the procedure outlined below. First step is to untar and unzip the file containing the Iperf application:

[root@Nightsky ~]# tar -zxvf iperf-2.0.5.tar.gz

Next, enter the Iperf directory, configure, compile and install the application:

[root@Nightsky ~]# cd iperf-2.0.5
[root@Nightsky iperf-2.0.5]# ./configure
[root@Nightsky iperf-2.0.5]# make
<output omitted>
[root@Nightsky iperf-2.0.5]# make install
<output omitted>

Finally, clean the directory containing our compiled leftover files:

[root@Nightsky iperf-2.0.5]# make clean

Iperf can be conveniently found in the /usr/local/bin/ directory on the Linux server or workstation.

Below is a screenshot from the Windows GUI - Jperf application. Its friendly interface makes it easy to select bandwidth speed, protocol specific parameters, and much more, with just a few clicks. At the top of the GUI, Jperf will also display the CLI command used for the options selected - a neat feature:

Ideas On Unleashing Iperf – Detailed Examples On How To Use Iperf

Having a great tool like Iperf to measure network performance, packet loss, jitter and other characteristics of a network, opens a number of brilliant possibilities that can help an engineer not only identify possible pitfalls in their network (LAN or WAN), but also test different vendor equipment and technologies to discover real performance differences between them.

Here are a few ideas the Firewall.cx team came up with during our brainstorming session on Iperf:

Measuring the network (LAN) backbone throughput.
Measuring Jitter and packet loss across links. The jitter value is particularly important on network links supporting voice over IP (VoIP) because a high jitter can break a VoIP call.
Test WAN link speeds and CIR – Is the Telco provider delivering the speeds we are paying for?
Test router or firewall VPN throughput between links. By tuning IPSec encryption algorithms we can increase our throughput significantly.
Test Access Point performance between clients. Wireless clients connect at 150Mbps or 300Mbps to an access point, but what are the maximum speeds that can be achieved between them?
Test Client – Server bottlenecks. If there’s a server performance issue and we are not quite sure if its network related, Iperf can help shed light on the source of the problem, leaving out of the equation possible bottlenecks such as hard disk drives.
Creating parallel data transfer streams to increase load on the network to test router or switch utilisation. By running Iperf on multiple workstations with multiple threads, we can create a significant amount of load on our network and perform various stress-tests.

At first sight, it is evident that Iperf is a tool that can be used to test any part of your network, whether it be Copper (UTP) links, fiber optic links, Wi-Fi, leased lines, VoIP infrastructure and much more.

Because every network has different needs and problems we thought it would be better to take a different approach to Iperf and, instead of presenting test results of our setups (LAB Environment), show how it can be used to test and diagnose different problems engineers are forced to deal with.

By having a firm understanding how to use the options supported by Iperf, engineers can tweak the commands to help them identify their own network problems and test their network performance.

For this reason, we have split this Iperf presentation by covering its various parameters. Note the parameters are case sensitive:

Default Iperf Settings for Server and Client
Communications Ports (-p), Interval (-i) and timing (-t)
Data format report (Kbps, Mbps, Kbytes, Mbytes) (-f)
Buffer lengths to read or write (-l)
UDP Protocol Tests (-u) & UDP bandwidth settings (-b)
Multiple parallel threads (-P)
Bi-directional bandwidth measurement (-r)
Simultaneous bi-directional bandwidth measurement (-d)
TCP Window size (-w)
TCP Maximum Segment Size (MSS) (-M)
Iperf Help (-h)

Default Iperf Settings for Server and Client

Server Side

By default, Iperf server listens on TCP port 5001 with a TCP window size of 85Kbytes. When running Iperf in server mode under Windows, the TCP window size is set to 64Kbytes. The Iperf server is run using the following command:

[root@Nightsky bin]# iperf -s

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

The Iperf client connects to the Iperf server at TCP port 5001. When running in client mode we must specify the Iperf server’s IP address. Iperf will run immediately and present its results:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 52339 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.0 sec 105 MBytes 87.6 Mbits/sec

The average bandwidth test was 87.6Mbps

Server Side Results

The server also provides the test results, allowing both ends to verify the results. In some cases there might be a minor difference in the bandwidth because of how it's calculated from each end:

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

[ 4] local 192.168.5.5 port 5001 connected with 192.168.5.237 port 52339

[ ID] Interval Transfer Bandwidth

[ 4] 0.0-10.0 sec 105 MBytes 87.5 Mbits/sec

Communications Ports (-p), Interval (-i) and Timing (-t)

The port under which Iperf runs can be changed using the –p parameter. The same value must be configured on both server and client side. The interval -i is a Server/Client parameter used to set the interval between periodic bandwidth reports, in seconds, and is very useful to see how bandwidth reports change during the testing period.

The timing parameter –t is client specific and specifies the duration of the test in seconds. The default is 10 seconds.

Server Side

[root@Nightsky bin]# iperf -s -p 32000

------------------------------------------------------------

Server listening on TCP port 32000

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -p 32000 -i 2 -t 5

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 32000

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 52602 connected with 192.168.5.5 port 32000

[ ID] Interval Transfer Bandwidth

[ 3] 0.0- 2.0 sec 20.4 MBytes 85.5 Mbits/sec

[ 3] 2.0- 4.0 sec 20.8 MBytes 87.0 Mbits/sec

[ 3] 0.0- 5.0 sec 51.8 MBytes 86.5 Mbits/sec

Server Side Results

------------------------------------------------------------

Server listening on TCP port 32000

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

[ 4] local 192.168.5.5 port 32000 connected with 192.168.5.237 port 52678

[ ID] Interval Transfer Bandwidth

[ 4] 0.0- 5.0 sec 51.6 MBytes 86.2 Mbits/sec

Data Format Report (Kbytes & Kbps, Mbytes & Mbps) (-f) – Server/Client Parameter

Iperf can display the bandwidth results in different format, making it easy to read. Bandwidth measurements and data transfers will be displayed in the format selected.

Server side

[root@Nightsky bin]# iperf -s

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

Here a test is performed on a 10Mbps link using default parameters. Notice the Transfer and Bandwidth report at the end:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 53006 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.2 sec 11.4 MBytes 9.39 Mbits/sec

Same test was executed with the –f k parameter so that Iperf would display the results in Kilobytes and Kbps format:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -f k

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 53038 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.2 sec 11648 KBytes 9373 Kbits/sec

Buffer Lengths To Read Or Write (-l) – Server/Client Parameter

The buffer lengths are rarely used, however, they are useful when dealing with large capacity links such as local networks (LAN). The –l parameter specifies the length of buffer read/write for each side and is a client/server parameter. Values specified can be in K (Kbytes) or M (Mbytes). It’s best to always ensure both sides have the same buffer value set. The default length of read/write buffer is 8K.

Server Side

[root@Nightsky bin]# iperf -s -l 256K

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side with default read/write buffer of 8K.

Note that for test, the Server side was not set, making it the default value of 8K.

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.241

------------------------------------------------------------

Client connecting to 192.168.5.241, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 53331 connected with 192.168.5.241 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.0 sec 735 MBytes 616 Mbits/sec

Client Side with read/write buffer of 256K.

Note that, for this test, the Server side was set to the same buffer length value of 256K.

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.241 -l 256K

------------------------------------------------------------

Client connecting to 192.168.5.241, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 53330 connected with 192.168.5.241 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.0 sec 796 MBytes 667 Mbits/sec

Client Side with read/write buffer of 20MB.

Note that, for this test, the Server side was set to the same buffer length value of 20MB. Notice the dramatic increase of Transfer and Bandwidth with a 20MB read/write buffer:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.241 -l 20M

------------------------------------------------------------

Client connecting to 192.168.5.241, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 53860 connected with 192.168.5.241 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.2 sec 980 MBytes 803 Mbits/sec

When running tests with large read/write buffers it is equally interesting to monitor the client’s or server’s CPU, memory and bandwidth usage.

Since the 20MB buffer is swapped to memory during the test there will be a noticeable increase of memory usage. Those curious can also try a much larger buffer such as 100MB to see how the system will respond. At the same time, CPU usage will also increase as it is handing the packets being generated and received. Our Dual-Core CPU handled the test without a problem, however, it doesn't take much to bring the system to its knees. For this reason it is highly advisable not run other heavy applications during the tests:

On the other hand, monitoring the network utilisation through the Windows Task Manager also helps provide a visual result of the network throughput test:

UDP Protocol Tests (-u) & UDP Bandwidth Settings (-b) – Important For VoIP Networks

The –u parameter is a Server/Client specific parameter.

VoIP networks are great candidates for this type of test and extremely important. UDP tests can provide us with valuable information on jitter and packet loss. Jitter is the latency variation and does not depend on the latency itself. We can have high response times and low jitter values without introducing VoIP communications problems. High jitter can cause serious problems to VoIP calls and even break them.

The UDP test also measures the packet loss of your network. A good quality link must have a packet loss less than 1%.

The –b parameter is client specific and allows us to specify the bandwidth to send in bits/sec. The useful combination of –u and –b allows us to control the rate at which data is sent across the link being tested. The default value is 1Mbps.

Server Side

[root@Nightsky bin]# iperf -s -u

------------------------------------------------------------

Server listening on UDP port 5001

Receiving 1470 byte datagrams

UDP buffer size: 224 KByte (default)

------------------------------------------------------------

Client Side

The following command instructs our client to send UDP data at the rate of 10Mbps:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -u -b10m

------------------------------------------------------------

Client connecting to 192.168.5.5, UDP port 5001

Sending 1470 byte datagrams

UDP buffer size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 64214 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.0 sec 11.8 MBytes 9.89 Mbits/sec

[ 3] Sent 8418 datagrams

[ 3] Server Report:

[ 3] 0.0-10.0 sec 5.23 MBytes 4.39 Mbits/sec 0.218 ms 4683/ 8417 (56%)

[ 3] 0.0-10.0 sec 1 datagrams received out-of-order

It is important to note that the Iperf client presents its local and remote Iperf server statistics. While the client reports that it was able to send data at the rate of 9.89Mbps, the server reported it was receiving data at the rate of 4.39Mbps, clearly indicating a problem in our link.

Next in the server’s bandwidth report (4.39Mbps) are the jitter and packet loss statistics. The jitter was measured at 0.218msec – an acceptable delay, however, the 56% packet loss is totally unacceptable and explains why the server received slightly less than half (4.39Mbps) of the transmitted rate of 9.89Mbps.

When tests reveal possible network problems it is always best to re-run the test to determine if packet loss is constant or happens at specific times during the total transfer. This information can be revealed by repeating the Iperf command but including the –i 2 parameter, which instructs our client to send UDP data at the rate of 10Mbps and sets interval between periodic bandwidth reports to 2 seconds:

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -u -b10m -i 2

------------------------------------------------------------

Client connecting to 192.168.5.5, UDP port 5001

Sending 1470 byte datagrams

UDP buffer size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 64609 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0- 2.0 sec 2.32 MBytes 9.74 Mbits/sec

[ 3] 2.0- 4.0 sec 2.40 MBytes 10.1 Mbits/sec

[ 3] 4.0- 6.0 sec 2.34 MBytes 9.80 Mbits/sec

[ 3] 6.0- 8.0 sec 2.07 MBytes 8.68 Mbits/sec

[ 3] 8.0-10.0 sec 2.06 MBytes 8.64 Mbits/sec

[ 3] 0.0-10.3 sec 11.2 MBytes 9.10 Mbits/sec

[ 3] Sent 7983 datagrams

[ 3] Server Report:

[ 3] 0.0-50.4 sec 4.76 MBytes 793 Kbits/sec 0.270 ms 4584/ 7982 (57%)

[ 3] 0.0-50.4 sec 1 datagrams received out-of-order

The results with 2 second interval reporting show that there was a significant drop in transmission speed a bit later than half way through the test, between 6 and 10 seconds. If this was a leased line or Frame Relay link, it would most likely indicate that we are hitting our CIR (Committed Information Rate) and the service provider is slowing down our transmission rates.

Of course, further testing is needed, but any engineer can appreciate the valuable information provided with this simple test.

Multiple Parallel Threads (-P) - Client Specific Parameter

The multiple parallel thread parameter –P is client specific and allows the client side to run multiple threads at the same time. Obviously, using this parameter would divide the bandwidth to the amount of threads running and it's considered a valuable parameter when testing QoS functionality. We combined it with the –l 4M parameter to increase the read/write buffer to 4MB, increasing the performance on both ends.

Server Side

[root@Nightsky bin]# iperf -s -l 4M

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -l 4M -P 3

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 5] local 192.168.5.237 port 54222 connected with 192.168.5.5 port 5001

[ 3] local 192.168.5.237 port 54220 connected with 192.168.5.5 port 5001

[ 4] local 192.168.5.237 port 54221 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 5] 0.0-11.5 sec 44.0 MBytes 32.1 Mbits/sec

[ 4] 0.0-11.7 sec 44.0 MBytes 31.5 Mbits/sec

[ 3] 0.0-11.8 sec 44.0 MBytes 31.4 Mbits/sec

[SUM] 0.0-11.8 sec 132 MBytes 94.1 Mbits/sec

Individual Bi-directional Bandwidth Measurement (-r) - Client Specific Parameter

The bi-directional parameter –r forces an individual bi-directional test, forcing the client to become the server after its initial test is complete. This option is considered very useful when it is necessary to test the performance in both directions and saves us manually switching the roles between the client and server.

Server Side

[root@Nightsky bin]# iperf -s

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -r

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 4] local 192.168.5.237 port 54538 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 4] 0.0-10.0 sec 103 MBytes 86.3 Mbits/sec

[ 4] local 192.168.5.237 port 5001 connected with 192.168.5.5 port 39426

[ 4] 0.0-10.0 sec 110 MBytes 92.5 Mbits/sec

Notice the two connections created, one for each direction. A similar report is generated on the server’s side.

Simultaneous Bi-directional Bandwidth Measurement (-d) – Client Specific

The simultaneous bi-directional bandwidth measurement parameter –d is client specific and forces a simultaneous two way data transfer test. Think about is as a full-duplex test between the server and client. This test is great for leased line WAN links which offer synchronous download/upload speeds.

We tested it between our Linux server and Windows 7 client using the –l 5M parameter, to increase the send/receive buffer and test out speeds through a 100Mbit link.

Server Side

[root@Nightsky bin]# iperf -s -l 5M

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -d -l 5M

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 4] local 192.168.5.237 port 52671 connected with 192.168.5.5 port 5001

[ 5] local 192.168.5.237 port 5001 connected with 192.168.5.5 port 39430

[ ID] Interval Transfer Bandwidth

[ 5] 0.0-10.3 sec 90.0 MBytes 73.2 Mbits/sec

[ 4] 0.0-10.7 sec 115 MBytes 90.0 Mbits/sec

We can see the two sessions [4 & 5] created between our two endpoints along with their results – an average of 81,6Mbps ( (73.2+90) / 2), falling slightly short of our expectations of our 100Mbps test link.

TCP Window Size (-w) – Server/Client Parameter

The TCP Window size can be set using the –w parameter. The TCP Window size represents the amount of data that can be sent from the server without the receiver being required to acknowledge it. Typical values are between 2 and 65,535bytes. The default value is 64KB.

Firewall.cx has covered the TCP Window size concept in great depth. Readers can refer to our TCP Windows Size article to understand its importance and how it can help increase throughput on links with increased latency e.g Satellite links.

Server Side

On Linux, when specifying a TCP Window size, the kernel allocated double that requested. Ironically, the Windows operating system allowed a 1MB and even 5MB window size without any problem.

[root@Nightsky bin]# iperf -s -l 5M -w 4000

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 7.81 KByte (WARNING: requested 3.91 KByte)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -l 5M -w 4000

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 3.91 KByte

------------------------------------------------------------

[ 3] local 192.168.5.237 port 54172 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-11.5 sec 55.0 MBytes 40.1 Mbits/sec

Using a 4KB TCP Window size gave us only 40.1Mbps - half of our potential 100Mbps link. When we increased this to 64KB, we managed to squeeze out 93.9Mbps throughput!

TCP Maximum Segment Size (MSS) (-M) - Server/Client Parameter

The Maximum Segment Size (mss) is the largest amount of data, in bytes, that a computer can support in a single unfragmented TCP segment. Readers interested in understanding the importance of mss and how it works can refer to our TCP header analysis article.

If the MSS is set too low or high it can greatly affect network performance, especially over WAN links.

Below are some default values for various networks:

Ethernet – Lan: 1500 Bytes

PPPoE ADSL: 1492 Bytes

Dialup: 576 Bytes

Server Side

[root@Nightsky bin]# iperf -s

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 85.3 KByte (default)

------------------------------------------------------------

Client Side

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -c 192.168.5.5 -M 1350

WARNING: attempt to set TCP maximum segment size to 1350, but got 1281

------------------------------------------------------------

Client connecting to 192.168.5.5, TCP port 5001

TCP window size: 64.0 KByte (default)

------------------------------------------------------------

[ 3] local 192.168.5.237 port 54877 connected with 192.168.5.5 port 5001

[ ID] Interval Transfer Bandwidth

[ 3] 0.0-10.0 sec 105 MBytes 88.2 Mbits/sec

Iperf Help –(h)

While we’ve covered most of the Iperf supported parameters, there are still more readers can discover and work with. Using the iperf –h command will reveal all available options:

C:\Users\Chris\Desktop\iperf-2.0.5-2-win32> iperf -h

Usage: iperf [-s|-c host] [options]

iperf [-h|--help] [-v|--version]

Client/Server:

-f, --format [kmKM] format to report: Kbits, Mbits, KBytes, MBytes

-i, --interval # seconds between periodic bandwidth reports

-l, --len #[KM] length of buffer to read or write (default 8 KB)

-m, --print_mss print TCP maximum segment size (MTU - TCP/IP header)

-o, --output output the report or error message to this specified file

-p, --port # server port to listen on/connect to

-u, --udp use UDP rather than TCP

-w, --window #[KM] TCP window size (socket buffer size)

-B, --bind bind to, an interface or multicast address

-C, --compatibility for use with older versions does not sent extra msgs

-M, --mss # set TCP maximum segment size (MTU - 40 bytes)

-N, --nodelay set TCP no delay, disabling Nagle's Algorithm

-V, --IPv6Version Set the domain to IPv6

Server specific:

-s, --server run in server mode

-U, --single_udp run in single threaded UDP mode

-D, --daemon run the server as a daemon

Client specific:

-b, --bandwidth #[KM] for UDP, bandwidth to send at in bits/sec

(default 1 Mbit/sec, implies -u)

-c, --client run in client mode, connecting to

-d, --dualtest Do a bidirectional test simultaneously

-n, --num #[KM] number of bytes to transmit (instead of -t)

-r, --tradeoff Do a bidirectional test individually

-t, --time # time in seconds to transmit for (default 10 secs)

-F, --fileinput input the data to be transmitted from a file

-I, --stdin input the data to be transmitted from stdin

-L, --listenport # port to receive bidirectional tests back on

-P, --parallel # number of parallel client threads to run

-T, --ttl # time-to-live, for multicast (default 1)

-Z, --linux-congestion set TCP congestion control algorithm (Linux only)

In this article we showed how IT Administrators, IT Managers and Network Engineers can use IPerf to correctly test their network throughput, network delay, packet loss and link reliability.

Introduction to Content Switching - Application & Virtual Server Load Balancing via Deep Packet Inspection

2013-06-10T07:00:00+10:00

Content switches (also sometimes called application switches) is a class of network device that is becoming increasingly common in medium to large sized data centres and web-facing infrastructures.

The devices we traditionally call switches work at Layer 2 of the OSI model and simply direct incoming frames to the appropriate exit port based on their destination MAC address. Content switches, however, also inspect the contents of the data packet all the way from Layer 4 right up to Layer 7 and can be configured to do all sorts of clever things depending on what they find.

An increasing number of vendors are offering these products. Cisco’s CSM (Content Switching Module) and ACE (Application Control Engine) module will slot into its 6500 Series switches and 7600 Series routers and Cisco provides standalone appliances such as the ACE 4710. F5 Networks is another major contender with its BigIP LTM (Local Traffic Manager) and GTM (Global Traffic Manager) range of appliances.

In functional terms what you get here is a dedicated computer running a real OS (the BigIP LTMs run a variant of Linux) with added hardware to handle the packet manipulation and switching aspects. The content switching application, running on top of the OS and interacting with the hardware, provides both in-depth control and powerful traffic processing facilities.

So what can these devices do? We’ll consider that by looking at an example. Suppose you have a number of end-user PCs out on the internet that need to access an application running on a server farm in a data centre:

Obviously you have a few things to do here. Firstly you need to somehow provide a single ‘target’ IP address for those users to aim at, as opposed to publishing all the addresses of all the individual servers. Secondly you need some method of routing all those incoming sessions through to your server farm and sharing them evenly across your servers while still providing isolation between your internal network and the outside world. And, thirdly, you need it to be resilient so it doesn’t fall over the moment one of your servers goes off-line or something changes. A content switch can do all of this for you and much more:

Let’s look at each of these aspects in more detail.

Virtual Servers

This is one of the most basic things you can do with these devices. On your content switch you can define a virtual server which the switch will then ‘offer’ to the outside world. This is more, though, than just a virtual IP address - you can specify the ports served, the protocols accepted, the source(s) allowed and a whole heap of other parameters. And because it’s your content switch the users are accessing now, you can take all this overhead away from your back-end servers and leave them to do what they do best - serve up data.

For example, if this is a secure connection, why make each server labour with the complexities of certificate management and SSL session decryption? Let the content switch handle the SSL termination and manage the client and server certificates for you. This reduces the server load, the application complexity and your administration overhead. Do you need users to authenticate to gain access to the application? Again, do it at the virtual server within the content switch and everything becomes much easier. Timeouts, session limits and all sorts of other things can be defined and controlled at this level too.

Load Balancing

Once our users have successfully accessed the virtual server, what then? Typically you would define a resource pool (of servers) on your content switch and then define the members (individual servers) within it. Here you can address issues such as how you want the pool to share the work across the member servers (round robin or quietest first), and what should happen if things go wrong.

This second point is important – you might need two servers as a minimum sharing the load to provide a good enough service to your users, but what happens if there’s only one? And what happens if a server goes down while your service is running? You can take care of all this inside the content switch within the configuration of your pool. For example, you could say that if there is fewer than two servers up then the device should stop offering the virtual service to new clients until the situation improves. And you can set up monitors (Cisco calls them probes) so that the switch will check for application availability (again, not just simple pings) across its pool members and adjust itself accordingly. And all this will happen automatically while you sit back and sip your coffee.

You also need to consider established sessions. If a user opens a new session and their initial request is handled by server 1, you need to make sure that all subsequent communications from that user also go to server 1 as opposed to servers 2 or 3 which have no record of the data the user has already entered. This is called persistence, and the content switch can handle that for you as well.

Deep Packet Inspection

Content switches do all the above because they inspect the contents of incoming packets right up to Layer 7. They know the protocol in use, for example, and can pull the username and password out of the data entered by the user and use those to grant or deny access. This ability unleashes the ultimate power of the device – you can inspect the whole of the packet including the data and basically have your switch do anything you want.

Perhaps you feel malicious and want to deny all users named “Fred”. It’s a silly example, but you could do it. Maybe you’d like the switch to look in the packet’s data and change every instance of “Fred” to “idiot” as the data passes through. Again, you could do it. The value of this becomes clearer when you think of global enterprises (Microsoft Update is a prime example) where they want to know, perhaps, what OS you’re running or which continent you’re on so you can be silently rerouted to the server farm most appropriate for your needs. Your content switch can literally inspect and modify the incoming data on the fly to facilitate intelligent traffic-based routing, seamless redirects or disaster recovery scenarios that would be hard to achieve by conventional means. Want to inspect the HTTP header fields and use, say, the browser version to decide which back-end server farm the user should hit? Want to check for a cookie on the user’s machine and make a routing decision based on that? Want to create a cookie if there isn’t one? You can do all of this and more.

With the higher-end devices this really is limited only by your creativity. For example, the F5 and Cisco devices offer a whole programming language in which you can implement whatever custom processing you need. Once written, you simply apply these scripts (called I-Rules on the F5) at the appropriate points in the virtual server topology and off they go.

Scalability

What happens if you suddenly double your user base overnight and now need six back-end servers to handle the load instead of three? No problem – just add three more servers into the server pool on your content switch, plug them into your back-end network and they’re ready to go. And remember all you need here are simple application servers because all the clever stuff is being handled for them by the content switch. With an architecture like this server power becomes a commodity you can add or remove at will, and it’s also very easy to make application-level changes across all your servers because it’s all defined in the content switch.

Topologies

How might you see a content switch physically deployed? Well, these are switches so you might well see one in the traditional ‘straight through’ arrangement:

Or since they are VLAN aware you might also see a ‘content-switch-on-a-stick’:

You’ll also often find them in resilient pairs or clusters offering various failover options to ensure high availability. And it’s worth pointing out here that failover means just that – the session data and persistence information is constantly passed across to the standby so that if failover occurs even the in-flight sessions can be taken up and the end users won’t even notice.

And, finally, you can now even get virtual content switches that you can integrate with other virtual modules to provide a complete application service-set within a single high-end switch or router chassis. Data centre in a box, anyone?

Summary

Content switches go far beyond the connectivity and packet-routing services offered by traditional layer 2 and 3 switches. By inspecting the whole packet right up to Layer 7 including the end-user data they can:

Intelligently load balance traffic across multiple servers based on the availability of the content and the load on the servers.
Monitor the health of each server and provide automatic failover by re-routing user sessions to the remaining devices in the server farm.
Provide intelligent traffic management capabilities and differentiated services.
Handle SSL termination and certificate management, user access control, quality-of-service and bandwidth management.
Provide increased application resilience and improve scalability and flexibility.
Allow content to be flexibly located and support virtual hosting.

Further information

Links to Cisco webpages

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html

http://www.cisco.com/en/US/products/ps6906/index.html

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_brochure0900aecd804585e5.pdf

Links to F5 webpages

http://www.f5.com/products/big-ip/big-ip-local-traffic-manager/overview/

http://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf

Need for Speed – The Data Tsunami & Advancements in Networking. From FastEthernet 100Mbps to Wireless 17.6Tbps!

2013-05-17T08:00:00+10:00

A long-long time ago (not long ago in earth time) 100 Mbps was THE technology. 100 Mbps uplinks bundled with ether-channel was the ultimate uplink technology. This was the prevailing technology during the tech boom. Gigabit Ethernet was up and coming.

Fast forward to today and we are looking forward to deploying 40 Gbps. Every now and then we hear in the news about deployment of +100 Gbps links. The very fact that it is newsworthy tells us that it is not common.

Cisco says that mobile data traffic alone will increase 13X (thirteen times) over the next four years and will outpace the global fixed data traffic by a factor of 3 by 2017.

These trends have prompted IEEE to consider the Ethernet solution beyond the 100 Gbps, which is just coming to the market.

Interesting Fact:

Large Hadron Collider at CERN generates 1Petabyte of data/sec (a Peta has 15 zeros and is also called a quintillion). Of course, they cannot store all of it and so they filter it to keep INTERESTING data only, which is still about 25 Peta Bytes per year (1000 years’ worth of DVDs). This data is sent out by CERN to 11 Tier 1 institutions around the globe for analysis.

Keeping all this in mind, I was intrigued to read that in Feb 2013 400 Gbps per wavelength had been deployed between the French Cities of Paris and Lyon. The link actually uses 44 such wavelengths to achieve 17.6 Tbps of traffic in total. To give you an idea, at 17.6 Tbs you can transfer 44 Blu-ray discs each second.

Interesting Fact:

The work on ratification of 100 Gbps was started in 2006 when there were no smartphones as we know them today.

The latest news (March 2013) is about Fujitsu creating newer modulation demodulation technology that can use the standard, widely available hardware used in 10 Gbps networking to transmit 100 Gbps of data on a single channel. Combining four streams of 100 Gbps each to an optical transceiver would result in a 400 Gbps Ethernet transceiver.

This made me very curious and I looked further to see that researchers at AT&T labs had achieved this feat of sending 400 Gbps over fiber an extremely long distance. Can you guess, how long? 12000Km! which is approximately 7500 miles, breaking their old record of 9000Km. This is exciting because it increases the reach by a factor of 2.5.

Interesting Fact:

It took IEEE 4 years to ratify the standard for 100 Gbps from 2006 to 2010. It is expected that the new 400 Gbps standard will be ratified by 2017.

IEEE announced, on 2 April 2013, that the IEEE 802.3 400 Gbps study group is meeting May 14-17 in Victoria BC Canada to explore the development of a 400 Gbps Ethernet standard.

Previously this group had concluded that by 2015 networks would need to support the capacity of 1 Tbps and by 2020 to support 10 Tbps, however, in September 2012, they decided to focus on 400 Gbps.

The reason for this was that 400 Gbps was immediately feasible technically and economically. Any of these speeds could be achieved by bundling multiple connections together. This will get expensive and cumbersome especially over copper. For 400 Gbps you will need 16 pathways of 25-gigabit connections. This increases to 40 pathways of 25-gigabit connections for 1 TbE, making these full duplex would double the connections. Imagine a copper cable that will be very short for these speeds and would be potentially 2 or 3 inches in diameter. Datacenter physical infrastructure will surely need reinforcement to run multiple runs of these cables.

My concern is that 400 Gbps may end up slightly unpopular like 40 Gbps because the market will decide to aggregate 10 Gbps ports instead of buying new hardware.

Interesting Fact:

In March 2013 five leading global companies intend to enter into a multi-source agreement (MSA) to create a 400 Gbps pluggable module for the industry. These companies are:

Avago Technologies
Brocade Communications Systems Inc.
JDS Uniphase Corporation
Molex Incorporated
TE Connectivity

This 400 Gbps hot pluggable module integrates 16 transmit and 16 receive channels supporting passive and active copper cables and active optical modules.

This article was written because history was created and all network engineers like us are a proud part of this history.

Ethernet is 40 years old and I wish humanity could grow this fast. (From 10 Mbps to 100 Gbps today and 400 Gbps in the near future to 10 TbE by 2020).

Bibliography

Alcatel-Lucent and France-Telecom deploy world's first live 400 Gbps-per-wavelength optical link: https://www.tmcnet.com/usubmit/2013/02/07/6909019.htm
Fujitsu Develops First Optical Transmission Technology to Achieve 100 Gbps Using 10 Gbps Transmission Components: https://www.fujitsu.com/global/news/pr/archives/month/2013/20130314-02.html
https://www.cablinginstall.com/articles/2013/03/att-400g-distance.html

Power over Ethernet - Understanding PoE Technology, PoE Options & Power Requirements

2012-01-18T09:03:28+11:00

Power over Ethernet (PoE) was invented by PowerDsine back in 1997 and the first power injector (Midspan) was installed in 1998! Many manufacturespartnered with PowerDsine to make useof this innovation. The Institute of Electrical and Electronic Engineers (IEEE) was approached to form an international standard to facilitate wide spread deployment of the technology.

In June of 2003 the PoE specification became the IEEE 802.3af standard defining the delivery of safe power over standard Ethernet cables, Cat5 and Cat5E. PowerDsine assisted the industry further by providing a service to Ethernet device manufacturers to test conformance with the new standard.

To date, over three hundred terminal devices have been compliance tested by PowerDsine, including most of the leading voice over IP telephones, wireless access points and IP security cameras. Today the University of New Hampshire, being vendor independent, is the official conformance testing body appointed by the IEEE.

Why Power over Ethernet (PoE)?

Whether you consider running IP telephony across your existing data network, or extending the reach of the network with strategically placed wireless access points, or just adding a physical security layer to your premises with IP cameras, the risk of possible failure is increased by having remote devices that need AC power connections. Losing data during a power outage is one thing, but losing data, voice and the company security is something else entirely.

A common goal is to consistently achieve 99.999% availability with 5.3 minutes of downtime per year or less. By connecting a UPS to a PoE source in the communications room, the entire network, including the remotely located resources, is capable of continuous operation during a power outage. Most UPS’s also provide for surge protection which is normally unavailable for remotely connected devices, the disruption created by power surges is more common than that created by power outages.

Manage the Risk

To understand the risk here are some stats reported for North America but are generally applicable to any location. The average number of power outages sufficient to cause IT system malfunction per year at a typical site is 15.

• 90% of the outages are less than five minutes in duration.

• 99% of the outages are less than one hour in duration.

• Total cumulative outage duration is approximately 100 minutes per year.

Based on the theoretical availability and the power protection strategy to achieve five nines or higher, Power over Ethernet sources must be backed up by a UPS. system with a minimum of one hour battery life. This will protect the vast majority of systems.

How’s the Economics?

For IP telephony, scalability is important; for wireless and security systems, the location is crucial. Understanding one example of the installation costs will highlight the benefits to be gained from PoE in each scenario.

If you are installing a Wireless Access point, you tend to put it in ceiling or high up on a wall out of reach of the general public. This area is usually void of AC outlets, therefore to power the units traditionally an AC contractor is needed to install an outlet. In a private area, average costs are in the region of $1200 dependent on country and vendor.

In public areas, there is a health and safety issue associated with AC power provisioning, which usually means that the power must be channelled into the wall or supplied through metal conduit. This can increase the costs by a factor of 10. The alternative is to run an Ethernet cable from the Wireless Access point to the Switch or Router. It is very simple, at this location, to connect to a PoE port on the Switch or to use a one port power injector. Either way no AC contactor is needed and worst case scenario you are looking at $50 for the PoE port.

You save money, installation is quicker and easier and there is no disruption while holes are cut into walls. Is there something useful you can do with the money you saved on the installation? Buy a UPS.

Understand the Options for Delivering PoE

IEEE802.3af allows for switches to provide power on the Data Pair or the Spare Pair. Most switches select the Data Pair. If you are considering separate Power Injectors called Midspans, the standard states they must use the spare pairs. Therefore you should check your cabling installation to see if you have all pairs or only data pairs. Note that most Midspans cannot be used on a Gigabit connection because there are no Spare Pairs in a Gigabit installation. This is why PowerDsine has the 6000G range to support Gigabit connections.

An Ethernet cable connected to a PoE source will not carry power if no end device is connected. The IEEE 802.3af standard requires that the source first tests the connected device for compliance to the standard before enabling power. After passing the signature test for compliance, a second test is carried out. This test is to determine the amount of power required at the remote location. This information is recorded by the power source as the Class of PoE.

Pre-standard Cisco powering method is different from IEEE802.3af in the polarity of the power on the connector and the signature of the end device. So if these devices have to be supported, you will need to know how the cable connection can rectify the polarity of the power and how the power source, Midspan or Switch, can recognize the Cisco signature.

Pre-Standard capacitive test. There are still legacy devices in the market that were early adopters of PoE and implemented a pre-standard signature based on capacitive signature, which is different obviously from today’s resistive test.

Devices that do not conform to the PoE specifications can still benefit with the use of a Splitter. The Splitter is mounted next to the remote device and receives the PoE Ethernet cable ac input. It then splits the out put into a standard Ethernet data connection and a separate DC power connection.

Understand the Power Requirements of Attached Devices

According to the IEEE 802.3af standard, the amount of power available after 100 meters of Cat5 or Cat 5E cable, is up to 12.95 watts. See below the typical power requirements of the most common IP devices. The power consumption of each IP device can be found at the technical specifications of the manufacturer’s data sheets.

**Power Levels Available**
Class	Usage	Classification current [mA]	Power range [Watt]	Class description
0	Default	0–4	0.44–12.94	Classification unimplemented
1	Optional	9–12	0.44–3.84	Very Low power
2	Optional	17–20	3.84–6.49	Low power
3	Optional	26–30	6.49–12.95	Mid power
4	Valid for 802.3at (Type 2) devices, not allowed for 802.3af devices	36–44	12.95–25.50	High power

IEEE802.3af power is 15.4 watts at the power source and 12.95 watts at the Powered Device. However part of the standard’s specification involves testing the class of power, which refers to the specific power requirement of the end device.

As an example, a 7 watt device is Class 2. Manufacturers marketing departments are using this as a tool instead of saying their Switch only supplies 7 watts they say their Switch is a Class 2 PoE conformant device. This is a problem if Wireless AP, Video IP phones or many security cameras should be powered, as these devices require more power than 7W (Class 2).

The standard mechanism when a device requires more power than can be delivered is to disable the power. The solution from the Switch manufacturers is to provide additional external power supplies.

Note: when installing PoE switches with class 2 PoE, you should check the cost and sizing of adding external power supplies before deciding whether to have internal or external PoE capabilities.

The following table from Wikipedia shows the standard PoE parameters and comparison between them:

**Standard PoE Parameters and Comparison**
Property	802.3af (802.3at Type 1)	802.3at Type 2
Power available at PD	12.95 W	25.50 W
Maximum power delivered by PSE	15.40 W	34.20 W
Voltage range (at PSE)	44.0–57.0 V	50.0–57.0 V
Voltage range (at PD)	37.0–57.0 V	42.5–57.0 V
Maximum current	350 mA	600 mAper mode
Maximum cable resistance	20 Ω (Category 3)	12.5 Ω (Category 5)
Power management	Three power class levels negotiated at initial connection	Four power class levels negotiated at initial connection or 0.1 W steps negotiated continuously
Derating of maximum cable ambient operating temperature	None	5°C with one mode (two pairs) active
Supported cabling	Category 3 and Category 5	Category 5
Supported modes	Mode A (endspan), Mode B (midspan)	Mode A, Mode B

You do not have to worry about powering non compliant devices ,such as Printers, Fax machines or PC’s because these devices do not carry the IEEE802.3af signature, thus the ports will automatically disable power. However if you are using integrated PoE on a 24 port networking blade and many of the ports are supporting non powered devices, it might be more prudent to use a Midspan and only connect powered ports to the devices that need it. This will lower the overall cost of the installation.

Caution Regarding Full Power & Forced Power

The question of using managed power or full power has to be considered. Full power is where the power delivered by all ports simultaneously is 15.4 watts. This looks like an attractive option, however the issue to consider is the actual power requirements in an organization. If the installation mainly consists of IP phones with power consumption of 3-5 watts per phone, the overall power consumption will be in the range of 120W. Thus, putting a 24 port PoE injector in the computer room delivering 400 watts is false economy.

All systems installation teams have to calculate the BTU’s and Airflow requirements in the computer room to ensure the air conditioning systems can perform adequately. A better solution is to use power injectors that use the Class of Power information to manage the power delivery to the ports that require higher levels. Power management allows the automation of efficient power distribution from a power injectors with smaller power supplies.

Some PoE injector manufacturers are using the term Forced Power. This is where they leave the power on continuously. This is outside the standard. IEEE802.3af requires that power is removed within 47 milli-seconds of disconnect. The reason is that an engineer might be swapping cables at a ‘cross connect panel’ and by accident connect a powered port into a PC connection. Today, PC’s cannot be powered using PoE thus 48volts can burn out the Ethernet port at the computer side and it also runs the risk of damaging Switch ports.

Cable Specifications Often Missed

In order to avoid EMI from noise generated by the power source, it is important to conform to the cable specifications of Cat5 and Cat 5E. Among the crucial tests is crosstalk. Devices that do not conform to these specifications will generate excessive errors into the data path. The worst case of cross talk we have measured to date from an uncertified power injector is taking a 10 Mbps link and dropping it to 1 Mbps.

There is a defined limit to the current that can be sent down a pair of twisted wires. Currently the ITA specification is 175milliamps on one pair of cables. According to the IEEE802.3af specification for delivering the required power, it is 350 milliamps on two pairs. PoE is running the cable at its maximum allowed capacity. Therefore there is a real need for effective current protection to prevent failing end devices from drawing too much current and causing cable faults.

Evaluate Internal Power or Separate Midspan Units

Here are some of the questions to consider when evaluating how to deploy PoE:

1) How old are your Switches and do they have the features such as QOS that fit your requirements? Midspans were designed to be used with any switch and save on the expense and time involved in doing an upgrade to the switch to implement a PoE solution. Midspans can be installed while the network is live with zero down time.

2) Will the proposed Switch have the correct power level to support all devices, or are additional external power supplies needed? What are the costs of these external PSU’s? How much rack space do they take? Can they be redeployed if you change your supplier?

3) What is your history of upgrades? Companies keep their networking switches for 3-10 years. Over the last 5 years how many adaptors did you swap out of the switch for new ones, most probably, with new features? If you are doing 2–3 upgrades, then you will buy power 2–3 times if it is integral to the switch. Compare the purchase cost (over 5 years) between integrated PoE and external Midspans which are designed to be part of the cabling scheme and last for 10 years.

4) How much rack space does the Switch’s external PSU take? Midspans consume rack space. 48-port Midspan from PowerDsine takes 1U.

5) In some cases, integrated PoE will be a better strategy for powering terminals with low power consumption. However, when an external power supply is required for higher power levels, a Midspan solution might be your cost effective choice.

Managed or Unmanaged PoE?

PoE Midspans can be SNMP managed or unmanaged. The areas of relevance to most enterprises are power consumption and the ability to remotely control Power On – Power Off. Management data and control functions need to be secured against unauthorized personnel. A hacker intruding into your network could use the power to disable all peripheral PoE devices.

Wireless Access Points and Security Cameras tend to be installed out of reach of the public. This means they are also not very accessible to engineers. The ability to remotely perform a power on reset could be extremely useful.

IPT requires that all IP phones be powered. SNMP management might be useful as the controlling tool for applications that can power telephones on and off when the relevant staff has passed security into the building and powering the phones off when they leave. It might be interesting for energy conservation to use batch files to enable telephones during work hours and disabling telephones in the evenings, weekends and holidays.

Enterprise users might need to account for power usage by the different departments inside the company. Therefore consideration should be given to the ability of the PoE system to monitor power consumption of the remote devices. Also on power failure, when the UPS kicks in, the management could use a priority scheme to ensure that as the power outage continues, the power is directed to key resources. This management of failed power distribution could enable cost savings in the size of UPS needed for any given scenario. This will extend the life of the UPS support and it is a non linear function. If you halve the load on a UPS, it doesn’t last twice as long, but more like 3-4 times as long. Better value and increased business continuity.

Summary

1) PoE is a must. Savings in power outlet installation costs, the speed of installation and the lack of disruptions to office environments are good justifications for PoE Midspan. The use of a central UPS’s in conjunction with a Midspan to deliver the UPS service to remote locations is a better justification for PoE.

2) Use the Integrated PoE supplied with the switch unless you need higher power than its standard PSU can deliver. Use a Midspan for all additional power and high power requirements.

3) Choose units that conform to the IEEE standard and legacy support where needed.

4) Ensure that they conform to EMI and Xtalk specification and have current protection. The biggest single investment in your network infrastructure is the cable plant so you should protect it.

5) It is recommended to use power management SNMP v3 for secure control, monitoring and management of power distribution. It allows you to control an orderly shut down of connected devices, and optimize the power backup of the UPS in the system.

About this Article

Some information provided in this article was obtained from various sources such as PowerDsine, Cisco and WikiPedia.

Network Switches & Bridges

2011-06-10T06:58:22+10:00

Network Switches are the evolution of Hubs and Repeaters, and enable the creation of networks by connecting multiple devices together. They are critical components in computer networking and are used to connect devices like computers, printers, and servers in local area networks (LANs) and wide area networks (WANs). Switches are designed to manage the flow of data between devices, ensuring that each device is able to communicate efficiently and effectively with other devices on the network.

Switches operate at the data link layer (layer 2) of the OSI (Open Systems Interconnection) model and use MAC (Media Access Control) addresses to identify devices on the network. When a device sends data to another device on the network, the switch reads the MAC address of the data packet and determines the best route for the packet to take to reach its destination. This process is called packet switching, and it allows multiple devices on a network to communicate simultaneously without interfering with each other.

There are various types of switches, including unmanaged switches, managed switches, and Layer 3 switches. Unmanaged switches are basic switches that are easy to set up and use, while managed switches offer more advanced features and greater control over the network. Layer 3 switches are used in large networks and are capable of routing data at the network layer of the OSI model. Switches are critical components in modern networks and play an important role in enabling communication and data exchange between devices.

Switches (Layer-2 Switching) do not receive and transmit data throughout every port, like hubs, but instead examine a packet's destination by checking the MAC address. The destination MAC address is always located at the beginning of the packet (see Ethernet II Protocol article) as shown below:

A switch will then forward the frame via the intended port, or out all its ports, depending if it finds an entry for this MAC address in its memory (filter table). This process is explained in more detail later in this article.

Switches use Application Specific Integrated Circuits (ASIC's) to build and maintain filter tables. Layer-2 switches switch packets between ports at a faster rate compared to routers, simply because routers need to examine the Network layer (layer-3) information of the packet, which is higher up in the OSI model and requires additional processing power and time.

They provide hardware based bridging (MAC addresses)
They work at wire speed, therefor have low latency
They come in 3 different types: Store & Forward, Cut-Through and Fragment Free (Analysed later)

Physically, it's difficult to tell a switch from a hub as they both look alike. The difference between them is under the hood! The photos below show a 8-port hub (left) and 18 port switch (right). Notice the switch provides two ports on the far right - these are uplink ports, allowing the switch to connect to the rest of the network (other switches):

The Three Operating Stages of a Network Switch

Network switches operate in three stages: learning, forwarding, and filtering.

Stage 1: Learning
Stage 2: Forwarding
Stage 3: Filtering
Loop Avoidance (Optional)

Overall, the three stages of learning, forwarding, and filtering allow the network switch to effectively manage the flow of data on a computer network, ensuring that devices can communicate with each other efficiently and securely.

Stage 1: Address Learning

The address learning phase of a network switch is the process by which the switch builds and maintains a table of MAC addresses and their corresponding switch ports, known as the MAC address table or the Content Addressable Memory (CAM) table. When a switch receives a frame, it examines the source MAC address of the frame and records it in the MAC address table along with the port on which the frame was received. This allows the switch to forward future frames to that device more efficiently, without having to flood the network with unnecessary traffic.

During the address learning phase, the switch also updates its MAC address table as it receives frames with new source addresses. If the switch already has an entry for a particular MAC address, it updates the associated port information. If the switch does not have an entry for the MAC address, it adds a new entry to the table.

It is important to note that the MAC address table has a limited size, usually a few thousand entries (8000-10,000), and can become full if the switch receives frames from too many devices. When the table becomes full, the switch must discard old entries to make room for new ones. This can result in temporary network disruptions as the switch re-learns the addresses of devices that it has not seen in a while.

Overall, the address learning phase is a crucial aspect of switch operation, as it allows switches to efficiently forward frames and reduce network congestion. By maintaining an up-to-date MAC address table, switches can ensure that network traffic is delivered to the correct destination with minimal delay.

The diagrams below shows how frames are forwarded out all switchports when the destination MAC address is unknown (there is no entry in the MAC address table). This is usually the case when a switch is initially powered on (or has an empty MAC address table). In this example, Node 1 sends a packet desitined to Node 2. The switch at this point has already inserted Node1's MAC address in its MAC address table:

And after the first frame has been successfully received by Node 2, it then sends a reply to Node 1. The switch is now aware of the two nodes MAC addresses and will send all frames between them, out through the switchports they are connected to:

Notice how Node 2's frame destined to Node 1, is not transmitted out every switchport . The switch is now aware of the switch ports both Node 1 and Node 2 are connected to:

Forward/Filter Decision

When a frame arrives at a switch, the switch examines the destination MAC address of the frame to determine which port it should forward the frame to. As noted previously, the switch maintains a table, called the MAC address table or the CAM table, which maps MAC addresses to their associated switch ports. If the destination MAC address is already in the MAC address table, the switch will forward the frame out the corresponding port. If the destination MAC address is not in the table, the switch will flood the frame to all ports except the one on which it was received.

This is known as unknown unicast flooding and ensures that the frame reaches its intended destination. Once the frame reaches its destination, the switch updates its MAC address table with the source MAC address and the port on which the frame was received, so that it can forward future frames to that device more efficiently.

Loop Avoidance (Optional) - Spanning-tree protocol

The Spanning Tree Protocol (STP) is a networking protocol designed to prevent loops in networks with redundant links. When multiple paths are available between devices in a network, a loop can occur if the same packet is forwarded indefinitely between devices. This can cause network congestion and ultimately result in a network outage. STP solves this problem by creating a loop-free logical topology for the network.

STP works by selecting a root bridge, which is the device that has the highest priority in the network. Once the root bridge and port roles have been determined, STP builds a tree-like topology that includes all devices in the network. The topology is designed to ensure that there is only one active path between any two devices, which prevents loops from occurring. The tree-like topology is also designed to provide redundancy in the event of a link failure. If a link fails, STP recalculates the topology to find a new path between the affected devices.

STP has several variations, including Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). RSTP is an improvement on STP that reduces the time it takes for the network to recover from link failures. MSTP is a protocol that allows multiple VLANs to be mapped to a single spanning tree instance, which reduces the number of spanning tree instances required in a network.

In summary, STP is a networking protocol that creates a loop-free logical topology for networks with redundant links. By selecting a root bridge and assigning roles to other devices in the network, STP ensures that there is only one active path between any two devices, which prevents network congestion and outages. STP operates in three phases and has several variations, including RSTP and MSTP.

Switching Modes: Store-and-forward, Cut-through & Fragment-free

There are three primary switching methods: store-and-forward, cut-through, and fragment-free. While all three methods are analyzed in detail, the below diagram shows the portion of a receiving frame a switch will process (check), before forwarding it out its intended port(s):

Store-and-forward switching is the most common method and involves the switch receiving and buffering the entire frame before forwarding it to the destination device. During this process, the switch performs error checking on the frame to ensure it is complete and error-free. If the frame is damaged, the switch discards it. Store-and-forward switching is considered the most reliable switching method as it ensures that only complete, error-free frames are forwarded, but it also has the highest latency due to the buffering and error checking process.

Cut-through switching is a faster method than store-and-forward, as the switch starts forwarding the frame as soon as it reads the destination MAC address. With cut-through, the switch only buffers the minimum amount of the frame (up to the destination MAC address section) required to determine the destination port. Cut-through switching is faster than store-and-forward because it does not wait for the entire frame to be received and verified before forwarding. Keep in mind that this method can forward corrupted frames since there is no error checking before forwarding.

Fragment-free switching is a variation of cut-through switching that reads the first 64 bytes of a frame before forwarding it. This is done to prevent forwarding of frames that may have been damaged during transmission. In general, the first 64 bytes of a frame contain the frame header, which includes the source and destination MAC addresses, as well as the frame type. By reading the first 64 bytes, fragment-free switching can ensure that the frame is not corrupted without having to wait for the entire frame to be received.

Generally speaking, store-and-forward switching is the most reliable but has the highest latency due to the buffering and error checking process. Cut-through switching is faster than store-and-forward but can forward corrupted frames. Fragment-free switching is a variation of cut-through that reads the first 64 bytes of a frame before forwarding it, which reduces the likelihood of forwarding corrupted frames. The choice of switching method depends on the specific needs of the network, and a combination of these methods can be used in larger networks to achieve a balance between reliability and speed.

Network Switches Memory Buffer

The memory buffer in a network switch is an essential component that plays a critical role in ensuring efficient and reliable data transmission. The buffer is responsible for temporarily storing incoming data packets before forwarding them to their destination. Without a memory buffer, the switch would be unable to handle high volumes of network traffic, resulting in packet loss and network congestion. The buffer also helps to prevent data loss by holding packets in case of congestion, allowing time for the switch to clear the congestion and forward the packets. The size of the buffer is an important factor in determining the performance of the switch, as it determines the amount of data that can be temporarily stored. A switch with a larger buffer can handle more traffic and is better equipped to handle bursts of data. As such, the memory buffer is a critical component in ensuring reliable and efficient network performance.

Network Bridges

A network bridge is a device that connects two or more separate network segments and forwards traffic between them. Bridges operate at the data link layer of the OSI model and use the MAC address of devices to determine where to forward traffic. When a bridge receives a frame from one network segment, it examines the destination MAC address of the frame and forwards it to the appropriate segment based on the MAC address table it has learned. The bridge also filters out any frames with destination MAC addresses that are not present on the other side of the bridge, helping to reduce unnecessary network traffic.

Bridges are commonly used to segment networks, isolate network problems, and extend the reach of networks by connecting segments over long distances. With the advent of more advanced network devices such as switches and routers, bridges have become less common but still serve a useful purpose in some network configurations.

Interesting facts:

Bridges are software based, while switches are hardware based because they use an ASICs chip to help them make filtering decisions.
Bridges can only have one spanning-tree instance per bridge, while switches can have many.
Bridges can only have upto 16 ports, while a switch can have hundreds!

Summary

This article explained how network switches operate and compared them with hubs. We examined the three operating stages of a switch: learning, forwarding, and filtering, and provided an overview of network loop avoidance with the help of the Spanning-Tree protocol. We talked about the three switching modes used by switches to forward frames: Store-and-forward, Cut-through & Fragment-free, and how the switch memory buffer plays a critical role in this process. Lastly touched on network bridges and how they we used in the early days to segment networks.

Hubs & Repeaters

2011-06-09T08:20:04+10:00

Network hubs were once the primary method of interconnecting network devices to create a local area network (LAN). Hubs were inexpensive, easy to install, and provided a simple means of connecting multiple devices in a network. However, as networks grew in size and complexity, hubs were found to be inefficient and were gradually replaced by more advanced network devices such as switches and routers. Despite their obsolescence, hubs remain a useful tool in certain network scenarios and are worth discussing to understand their limitations and strengths.

It is important at this point to cover a few network terms that are used to describe how hubs work:

Domain: refers to a logical grouping of network devices that share the same broadcast domain.

Broadcast domain is a group of devices that receive the same broadcast messages. When a device sends a broadcast message, it is transmitted to all devices on the same broadcast domain.

Collision domain is a group of devices that share the same physical network segment, where data collisions can occur.

How Network Hubs Work

Returning back to our discussion on network hubs, they are a simple devices that connect multiple network devices together by forwarding incoming data to all connected devices. Hubs operate at the physical layer of the OSI model and act as a repeater, amplifying the electrical signal of incoming data before broadcasting it to all connected devices:

As shown in the example above, frames transmitted by Node 1 are received by the hub and forwarded out all its ports.

Hubs do not analyze or manage network traffic in any way, and as such, they are not able to distinguish between different types of network traffic.

One of the key limitations of hubs is their inability to isolate network traffic. When a device connected to a hub sends data, the data is broadcast to all devices connected to the hub, regardless of whether they are the intended recipient or not. This means that all connected devices receive the data, regardless of whether they need it or not. This can lead to network congestion, as unnecessary traffic is transmitted to devices that have no use for it. In addition, because all devices on a hub share the same domain, any traffic that is transmitted on the hub creates a collision domain, where multiple devices may attempt to transmit data simultaneously, resulting in a collision and lost data.

One advantage of hubs is their simplicity. Hubs are inexpensive and easy to install, making them an attractive option for small networks or temporary network setups. Hubs are also transparent to the network, which means they do not modify network traffic in any way, making them ideal for troubleshooting network connectivity issues.

Hubs are often used to tap into a network by placing them between critical devices e.g between a server and a network switch, then connecting a laptop loaded with a network protocol analyzer to capture and analyze packets.

However, the limitations of hubs, particularly their inability to isolate network traffic, make them unsuitable for larger networks or networks with high traffic volumes. As network traffic increases, the potential for collisions (early or late collisions) and congestion also increases, leading to decreased network performance and increased network downtime.

The diagram below shows how multiple hubs can connect to perform a larger network. Keep in mind that such a setup will create a larger broadcast domain that will affect more devices and further reducing network bandwidth:

Network Repeaters

A network repeater is a network device that is used to regenerate and amplify a network signal that has become weak or distorted due to attenuation or interference. When a signal is transmitted over a long distance, it may weaken or become distorted due to various factors such as cable attenuation, electromagnetic interference, or signal reflections. A repeater receives the weakened signal and regenerates it, amplifying it to its original strength before retransmitting it to the next device in the network. A repeater does not analyze or manage network traffic in any way.

One of the key differences between a hub and a repeater is the way they handle network traffic. A repeater simply regenerates and amplifies a network signal, while a hub broadcasts incoming data to all connected devices on the network. A repeater is used to extend the reach of a network signal, while a hub is used to connect multiple devices together to create a LAN.

Another difference between a hub and a repeater is their ability to isolate network traffic. A repeater does not isolate network traffic and does not create collision domains. A hub, on the other hand, shares the same domain with all connected devices and creates a collision domain. When a device connected to a hub sends data, all devices connected to the hub receive the data, which as we've outlined earlier, can cause collisions and network congestion.

The Three Type of Hubs

There are primarily three types of network hubs: passive, active, and intelligent.

Passive Hub: A passive hub is a basic type of hub that does not require an external power source. It simply amplifies the incoming signal and broadcasts it to all connected devices on the network. Passive hubs do not have any built-in intelligence or management features, and they do not isolate network traffic.

Active Hub: An active hub, also known as a powered hub, requires an external power source. It contains a power supply that amplifies and regenerates the incoming signal, boosting its strength before broadcasting it to all connected devices. Active hubs also include features such as automatic detection of network speeds and error detection, which allows them to manage and optimize network traffic.

Intelligent Hub: An intelligent hub, also known as a managed hub, is a more advanced type of hub that includes management and monitoring features. Intelligent hubs allow network administrators to monitor and manage network traffic, isolate network segments, and configure network settings. They also provide features such as port mirroring, which allows administrators to monitor the traffic on a specific port, and virtual LANs (VLANs), which allow administrators to segment the network and isolate traffic.

Network Hubs with BNC Connectors (Coax Cable)

Coaxial cable, also known as coax, is a type of cable that is commonly used for transmitting data signals in computer networks. Coaxial cables consist of a copper wire that is surrounded by an insulating layer, which is then covered by a braided shield and an outer jacket. The braided shield provides protection against electromagnetic interference, which can distort or weaken the data signal.

When data is transmitted over coaxial cable, it is done so using electrical impulses. These impulses travel along the copper wire at the center of the cable, which is surrounded by the insulating layer and braided shield. The data is transmitted in the form of analog signals that are converted into digital signals by network devices such as hubs or switches.

Some older network hubs are designed to support coaxial cable connections. These hubs typically include a coax BNC (Bayonet Neill-Concelman) connector, which is a type of connector that is commonly used with coaxial cables. The BNC connector is a twist-lock connector that provides a secure and reliable connection between the coaxial cable and the hub:

To connect a coaxial cable to a hub, the cable is first connected to the BNC connector on the hub using a coaxial BNC connector. The hub then amplifies and broadcasts the data signal to all connected devices on the network. However, as previously mentioned, hubs have largely been replaced by switches in modern networking, and coaxial cable connections are becoming less common.

Coaxial cable was once a popular choice for networking because it is relatively inexpensive, easy to install, and can transmit data over long distances without significant signal loss. However, coaxial cable has several limitations that make it less desirable for modern networking. For example, coaxial cable has a lower bandwidth than other types of cables, such as twisted pair or fiber optic cables. This means that it can transmit data at slower speeds and may not be suitable for high-bandwidth applications.

Network Hub with BNC connector

It's also worth noting that coaxial cable networks use 50-ohm terminating resistors to prevent signal reflections that can cause interference and degrade signal quality. When an electrical signal travels along a coaxial cable, it encounters impedance, which is the resistance to the flow of electrical current. If the cable is not properly terminated, the signal can reflect back towards the source and interfere with the original signal. This can cause signal distortion, attenuation, and loss of data.

By adding a 50-ohm terminating resistor at the end of the cable, the impedance is matched and the signal can be properly absorbed, preventing reflections. This helps to maintain signal integrity and improve overall network performance. The 50-ohm terminating resistor is designed to match the characteristic impedance of the coaxial cable, which is typically 50 ohms:

The coax cable can be up to 185 meters long and can contain no more than 30 nodes per segment.

Summary

In this article we explained how hubs and repeaters operate within a network. We listed the main advantages and disadvantages of hubs and covered the three different type of hub devices: passive hubs, active hubs and intelligent hubs. Finally we took a look at older coaxial-based networks and talked about their limitations and components.

Introduction Here we will talk about hubs and explain how they work. In the next section we will move to switches and how they differ from hubs, how they work and the types of switching methods that are available; we will also compare them. Before we start there are a few definitions which I need to speak about so you can understand the terminology we will be using. Domain: Defined as a geographical area or logical area (in our imagination) where anything in it becomes part of the domain. In computer land, this means that when something happens in this domain (area) every computer that's part of it will see or hear everything that happens in it. Collision Domain: Putting it simple, whenever a collision between two computers occurs, every other computer within the domain will hear and know about the collision. These computers are said to be in the same collision domain. As you're going to see later on, when computers connect together using a hub they become part of the same collision domain. This dosen't happen with switches. Broadcast Domain: A domain where every broadcast (a broadcast is a frame or data which is sent to every comeputer) is seen by all computers within the domain. Hubs and switches do not break up broadcast domains. You need a router to achieve this. There are different devices which can break-up collision domains and broadcast domains and make the network a lot faster and efficient. Switches create separate collision domains but not broadcast domains. Routers create separate broadcast and collision domains. Hubs are too simple to do either, can't create separate collision or broadcast domain. Hubs & Repeaters Hubs and repeaters are basically the same, so we will be using the term "Hub" to keep things simple. Hubs are common today in every network. They are the cheapest way to connect two or more computers together. Hubs are also known as Repeaters and work on the first layer of the OSI model. They are said to work on the first layer because of the function they perform. They don't read the data frames at all (like switches and routers do), they only make sure the frame is repeated out on each port and that's about it. The Nodes that share an Ethernet or Fast Ethernet LAN using the CSMA/CD rules are said to be in the same collision domain. In plain English, this means that all nodes connected to a hub are part of the same collision domain. In a Collision domain, when a collision occurs everyone in that domain/area will hear it and will be affected. The Ethernet section talks about CSMA/CD and collision domains since they are part of the rules under which Ethernet functions. The picture below shows a few hubs : 8 port Netgear and a D-link hub.


The computers (nodes) connect to the hub using Unshielded Twisted Pair cable (UTP). Only one node can be connected to each port of the hub. The pictured hub has a total of 8 ports, which means up to 8 computers can be networked. When hubs were not that common and also expensive, most offices and home networks use to install coax cable. The way hubs work is quite simple and straightforward: When a computer on any one of the eight ports transmits data, this is replicated and sent out to the other seven ports. Check out the below picture which shows it clearly.

EXPLANATION: Node 1 is transmitting some data to Node 6 but all nodes are receiving the data as well. This data will be rejected by the rest of the nodes once they figure out it's not for them. This is accomplished by the node's network card reading the destination MAC address of the frame (data) it receives, it examines it and sees that it doesn't match with it's own and therefor discards the frame. Please see the Datalink layer in the OSI section for more information on MAC addresses. Most hubs these days also have a special port which can function as a normal port or as an "uplink" port. An uplink port allows you to connect another hub to the existing one, increasing the amount of ports which will be available to you. This is a cheap solution when you need to get a few more computers networked and it works quite well up to a point. This is how 2 eight port hubs would look when connected via the uplink port and how the data is replicated to all 16 ports :

In the above picture you can see that Node 1 is again transmitting data to Node 6 and that every other node connected to the hub is receiving the information. As we said, this is a pretty good and cheap solution, but as the network gets busier, you can clearly understand that there is going to be a lot of unecessary data flowing all over the network. All Nodes here are in the same broastcast and collision domain since they will hear every broadcast and collision that occurs. This is the same situation you get when you use coax cable, where every node or computer is connected onto the same cable and the data that's put onto it travels along the cable and is received by every computer.

You probably also noticed the two orange boxes labled "50 Ohm". These are called terminating resistors and are used on both ends of the coax cable so when the signal gets to them, it's absorbed by them and that way you don't get the signal reflecting back. Think of them as shock absorbent and the data signal is the shock wave which gets absorbed when it reaches the terminating resistors. The coax cable can be up to 185 meters and can contain no more than 30 nodes per segment. What you're looking at in the above picture is one segment 25 meters long with 4 nodes attached to it. Now coming back to the hubs, there are a few standard features most of them have these include a link and activity LED for each port, a power LED and collision LED. Some hubs have separate link lights and activity lights, others combine them into one where the link light will flash when there is activity, otherwise it remains constantly on. The Netgear hub which is displayed at the beginning of this page has two separate LEDs for the activity and link but the Compex hub below has only one.

Securing Your Home Network

2011-05-30T00:35:14+10:00

In today's world, securing your home network is more important than ever. With the increasing number of cyberattacks, data breaches, and online frauds, protecting your home network from potential threats is crucial. A home network is a combination of devices such as routers, modems, computers, smartphones, and other smart devices that are connected to the internet. This article will discuss the various methods to secure your home network, including antivirus software, Windows file sharing, personal firewall, malware scanners, secure Wi-Fi, and other recommended methods.

Antivirus Software

Antivirus software is a crucial component in securing your home network from potential cyber threats. Antivirus software is designed to detect and remove malicious software, viruses, and other malware that can harm your computer and other devices connected to the network. It works by scanning files and programs on your computer and identifying any malicious code or suspicious activity.

Antivirus software plays an important role in protecting your home network by preventing malware from infecting your devices and spreading to other devices on the network. It can also block potentially harmful websites and downloads, and alert you if you are about to access a dangerous website or download a harmful file.

In addition to detecting and removing malware, antivirus software can also provide real-time protection against new and emerging threats. Many antivirus software options offer automatic updates to ensure that you are protected against the latest threats.

However, it is important to choose a reputable antivirus software and keep it updated regularly to ensure the best protection. Antivirus software can only protect you against known threats, so it is important to keep it up-to-date to ensure that you are protected against new and emerging threats.

Windows File Sharing

Windows file sharing can play an important role in securing your home network by allowing you to share files and folders between multiple devices connected to the network. However, it is essential to ensure that file sharing is enabled only for authorized devices and users to prevent unauthorized access to your network.

Setting up a password-protected user account and limiting the access to shared files and folders can help prevent unauthorized access to your network. It is also recommended to use encryption to secure your files and prevent them from being intercepted by unauthorized users.

Another way to secure your file sharing is by enabling network discovery and file sharing only on private networks. This can be done in the advanced sharing settings of your Windows computer.

In addition to securing your file sharing, it is important to also keep your devices and software up-to-date, use strong passwords, and enable two-factor authentication whenever possible. By taking these steps, you can further enhance the security of your home network and reduce the risk of cyberattacks and online fraud.

Windows file sharing can be a useful tool in sharing files and folders between devices on your home network. However, it is important to ensure that file sharing is enabled only for authorized devices and users to prevent unauthorized access to your network. By taking additional steps to secure your file sharing, keeping your devices and software up-to-date, and using strong passwords, you can ensure the safety and security of your home network.

Personal Software Firewall

A personal software firewall is a key component in securing your home network. It is designed to monitor and control the traffic that enters and exits your computer or device, allowing you to block unauthorized access and prevent malware from communicating with the outside world.

A personal software firewall provides an additional layer of protection against cyberattacks by preventing unauthorized access to your computer or device. It works by analyzing the traffic that passes through it and blocking any incoming traffic that does not meet the specified rules and criteria.

Personal software firewalls are especially important for devices that are constantly connected to the internet, such as routers, smartphones, and computers. They can prevent attackers from accessing your network and stealing sensitive information or installing malware on your devices.

In addition to blocking unauthorized traffic, personal software firewalls can also alert you to suspicious activity and provide valuable information about the traffic that is passing through your network. This can help you identify potential threats and take steps to mitigate them.

However, it is important to note that personal software firewalls are not a substitute for strong passwords, regular software updates, and other security measures. They should be used in conjunction with other security measures to provide comprehensive protection for your home network.

Summarizing the above, a personal software firewall is a critical component in securing your home network. It provides an additional layer of protection against cyberattacks and prevents unauthorized access to your devices and sensitive information. By using a personal software firewall in conjunction with other security measures, you can ensure the safety and security of your home network.

Malware Scanners

Malware scanners are another important tool in securing your home network. Malware scanners are designed to detect and remove malware from your computer and other devices. They can also help prevent malware from spreading to other devices on your network. There are several malware scanner options available, including Malwarebytes and Spybot. It is important to keep your malware scanner updated and run regular scans to ensure maximum protection.

Secure Wi-Fi

Secure Wi-Fi is crucial in securing your home network. Wi-Fi is a convenient way to connect to the internet, but it can also be a potential security risk if not secured correctly. It is recommended to secure your Wi-Fi network with a strong password, WPA2 encryption, and a unique network name (SSID). Disabling WPS (Wi-Fi Protected Setup) and disabling guest access can also help increase your network's security.

In addition to the methods mentioned above, there are several other ways to secure your home network. These include keeping your devices and software up-to-date, disabling remote access to your router, using a VPN (Virtual Private Network) for added security when accessing the internet, and enabling two-factor authentication (2FA) for online accounts. Two-factor authentication adds an extra layer of security to your online accounts by requiring a code in addition to your password.

Summary

Securing your home network is essential in today's digital world. By following the methods mentioned above, you can ensure the safety and security of your devices and personal information. Antivirus software, secure Windows file sharing, personal firewall, malware scanners, secure Wi-Fi, and other recommended methods are all important components in securing your home network. Remember to keep your devices and software up-to-date, use strong passwords, and enable two-factor authentication whenever possible. By taking these steps, you can protect your home network and reduce the risk of cyberattacks and online fraud.

DoS & DDoS Attacks

2011-05-30T00:16:20+10:00

A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a website, server or network by flooding it with traffic or overloading its resources. The aim of such an attack is to make the targeted system unavailable to legitimate users, resulting in a denial of service.

A Distributed Denial of Service (DDoS) attack is a type of DoS attack that is carried out by multiple devices, such as computers or smartphones, that are coordinated by a single attacker or group of attackers. This type of attack is more sophisticated and difficult to mitigate because it originates from a large number of sources, making it challenging to identify and block the attacking traffic. DDoS attacks can be launched using a variety of techniques, including botnets, amplification attacks, and application-layer attacks. These attacks have become a significant threat to businesses, organizations, and individuals as they can cause significant financial losses, reputational damage, and even result in the loss of sensitive data. Therefore, it is essential to implement robust security measures to protect against these attacks.

Denial of Service Attacks

Denial of Service (DoS) attacks can be a serious federal crime with penalties that include years of imprisonment and many countries have laws that attempt to protect against this. At the very least, offenders routinely lose their Internet Service Provider (ISP) accounts, get suspended if school resources are involved, etc.

There are two types of DoS attacks:

Application-based attacks.
Network-based attacks.

Let's take a closer look at each type of attack.

Application-based Attacks

These attacks target the applications or services running on a system, such as a web server or database, with the aim of overloading them or exploiting vulnerabilities to crash the system. Some examples of application-based attacks include HTTP flooding, where the attacker sends a large number of HTTP requests to the target, or buffer overflow attacks, where the attacker exploits a vulnerability in the application to overload the system's memory.

Developers, Security engineers and Cybersecurity specilists often use special software such as Web Application Vulnerability Scanners to scan and identify application-level vulnerabilities, and patch them before hackers find and exploit them.

Networking Attacks

These attacks target the network infrastructure of a system, such as routers, switches, or firewalls, with the aim of overwhelming them with traffic. This can be achieved through techniques such as flooding, where the attacker sends a large number of packets to the target, or through a ping flood, where the attacker sends a large number of ping requests to the target, causing it to become unresponsive. Other flooding methods include UDP or TCP SYN packets.

Spoofing attacks involve the attacker disguising their IP address to make it appear as if the attack is coming from a different source. This technique can be used to bypass filters and access control mechanisms, making it difficult for defenders to trace the source of the attack.

Amplification attacks are a more sophisticated type of network-based DoS attack. In these attacks, the attacker exploits a vulnerability in a third-party system to generate a large amount of traffic and direct it to the target system. This can be achieved through techniques such as DNS amplification, NTP amplification, or SNMP reflection.

Defending against network-based DoS attacks requires a multi-layered approach that includes firewalls, intrusion detection systems, and traffic filtering. Additionally, organizations can use techniques such as rate-limiting, blacklisting, and IP blocking to mitigate the effects of these attacks. Regular security audits and updates to network devices and software can also help reduce the risk of network-based DoS attacks.

Distributed Denial-of-Service

A distributed denial-of-service (DDoS) attack is similair to the DoS attack described above, but involves a multitude of compromised systems which attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The result of these packets which are sent to the target causes a denial of service.

While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target and as well the systems controlled by the intruder.

Implications of DoS and DDoS attacks

Denial of Service (DoS) attacks can have severe implications on organizations, including financial losses, reputational damage, and disruption of business operations. Some of the main implications of a DoS attack include:

Revenue loss: If an organization's website or online services are unavailable due to a DoS attack, it can result in revenue loss. This is particularly true for e-commerce businesses that rely on their online presence to generate sales.

Damage to reputation: A DoS attack can damage an organization's reputation, especially if it results in prolonged downtime or data breaches. Customers may lose trust in the organization's ability to protect their data and may choose to take their business elsewhere.

Business disruption: DoS attacks can disrupt business operations, causing significant delays and downtime. This can affect the productivity of employees and disrupt the supply chain, leading to additional losses.

Data loss or theft: In some cases, DoS attacks can be a smokescreen for more sophisticated attacks such as data theft. Attackers can use the DoS attack to distract security personnel while they attempt to steal sensitive data.

Legal and regulatory consequences: If an organization is unable to protect its customers' data, it can face legal and regulatory consequences, such as fines or legal action.

It is crucial for organizations to have robust security measures in place to protect against DoS attacks, such as firewalls, intrusion detection systems, and regular security audits. In addition, organizations should have a contingency plan in place to ensure business continuity in the event of a DoS attack.

Next-Gen Firewalls & Topologies. Designing & Building DMZs. Concepts, Best Practices & Tips

2011-05-29T23:42:43+10:00

Next-generation firewalls (NGFWs) and DMZ zones are two critical components of network security that work hand in hand to protect an organization's network from external threats. Firewalls act as a barrier between the internal network and the external world, filtering traffic and preventing unauthorized access. A DMZ zone provides an extra layer of protection by segregating public-facing servers from the internal network, making it harder for attackers to gain access to critical systems.

The combination of firewalls and DMZ zones helps to reduce the attack surface of an organization's network, making it more difficult for attackers to exploit vulnerabilities and gain access to critical systems. Together, these technologies provide an effective defense against external threats and ensure that an organization's network remains secure.

Key topics covered in this article:

Next-Generation Firewalls
The Role and Importance of DMZ Zones
DMZ Design and Operating Recommendations
Firewall Topologies
- Dual-Homed Firewall
- Three-Legged Firewall
- Dual-Firewalls or Screened Subnets
Summary

Next-Generation Firewalls

Next-generation firewalls (NGFWs) are an evolution of traditional firewalls, offering advanced features that enable more comprehensive security for modern networks. NGFWs go beyond the traditional firewall's simple packet filtering and provide advanced security features such as intrusion detection and prevention, web filtering, application control, and deep packet inspection.

While both Cisco and Palo Alto provide NGFW products and services, Palo Alto has taken the lead with its NGFW products thanks to their intuitive interface, ease of management and brilliant design. Cisco's attempt to enter the NGFW market was a bumpy ride as they purchase the opensource SourceFire project and integrated it into their ASA Firewall products to produce the known FirePower Next-Gen firewalls. Cisco next came out with their Firepower series firewall appliances.

Cisco's Firepower NGFW provides a comprehensive set of security features that are integrated with Cisco's Advanced Malware Protection (AMP) technology. This integration enables the Firepower NGFW to detect and block advanced threats, including malware and ransomware, with advanced threat intelligence capabilities.

Cisco Firepower 2100 series appliance

Palo Alto's NGFW, the Palo Alto Networks Security Operating (PANOS) platform, uses a unique approach to security called Zero Trust, which assumes that no user or device can be trusted by default. It includes features such as policy-based segmentation, which isolates network segments and provides granular control over access to resources. It also includes advanced threat detection capabilities using machine learning algorithms and AI-based threat analysis.

Palo Alto Next-Gen 5400 series appliance

Both Cisco and Palo Alto's NGFWs provide centralized management and reporting, making it easier for security teams to manage and monitor security policies across their networks. They also support integration with other security solutions, such as endpoint protection and security information and event management (SIEM) tools.

Don't forget to check out our popular Cisco Firewall and Palo Alto Firewall section where you'll find technical how-to articles covering firewall security and DMZ topics.

The Role & Importance of a DMZ

The Demilitarized Zone, or DMZ, is an expression that comes from the Korean War. There, it meant a strip of land forcibly kept clear of enemy soldiers.

The importance of a DMZ cannot be overstated, as it serves as a crucial barrier that limits the impact of a security breach on an organization's internal network. If a hacker were to breach the perimeter security of a company's network, they would first encounter the DMZ. The DMZ serves as a safe area where public-facing servers are isolated, reducing the risk of a security breach impacting sensitive data on the internal network.

The example below shows how a public-facing web server is securely isolated inside a DMZ. The web server is protected by two sets of firewalls that limit access to it, and increase network security by providing inspection and advanced threat detection services. The CMS's built-in web application firewall protects against unknown web application vulnerabilities and blocks malicious requests that managed to evade the front-end firewalls:

Additionally, a DMZ helps reduce the attack surface of the network by limiting access to critical systems. By keeping the public-facing servers in a separate network segment, it's easier to manage access control and apply stricter security policies. This way, even if a hacker gains access to the DMZ, they won't necessarily have access to sensitive information or control over critical systems.

Another advantage of a DMZ is that it provides flexibility to IT administrators to manage and monitor the network. A DMZ allows administrators to configure different security policies for internal and external networks. This means that administrators can have more control over who has access to specific resources, and it can be easier to detect and block suspicious network activity.

In summary, the importance of a DMZ cannot be overstated in today's world where cyber-attacks are becoming more sophisticated and frequent. A DMZ helps to protect an organization's internal network from external threats and reduces the risk of sensitive information being compromised. It provides administrators with a more secure and manageable network environment and limits the attack surface, making it harder for attackers to penetrate an organization's network. For these reasons, a DMZ is a critical component of any organization's network security strategy.

DMZ Design and Operating Recommendations

Designing and operating a DMZ requires careful planning, configuration, and management. Below are tips that can help organizations ensure their DMZ is properly configured and managed to provide the best level of protection for their network.

1. Define the DMZ network: The first step in setting up a DMZ is to define the network segments and the servers that will be hosted in the DMZ. This includes identifying the public-facing servers and their respective security policies.

2. Implement proper network segmentation: Proper network segmentation is critical in preventing unauthorized access to the internal network. Ensure that network segments are isolated and that access controls are implemented to restrict traffic flow between the DMZ and the internal network.

3. Use proper network security controls: Deploy appropriate security controls to prevent unauthorized access and attacks on public-facing servers in the DMZ. This includes implementing firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

4. Regularly update and patch servers: Ensure that all servers in the DMZ are up to date with the latest software updates and security patches. This helps to prevent known vulnerabilities from being exploited by attackers.

5. Monitor network traffic: Regularly monitor network traffic to detect any suspicious activity that may indicate an attack. This includes monitoring logs from firewalls and IDS/IPS systems.

6. Implement strict access controls: Implement strict access controls to restrict access to the DMZ and public-facing servers. This includes implementing two-factor authentication, restricting administrative access, and using secure protocols like SSL/TLS for server access.

7. Implement proper backup and recovery procedures: Implement proper backup and recovery procedures to ensure that in the event of a security breach, data can be restored quickly and efficiently.

Firewall Topologies

Firewall topologies refer to the different ways in which firewalls can be deployed within a network. There are several common firewall topologies, each with its own advantages and disadvantages. It is important to understand that there is no one-size-fits-all answer to which is the best firewall topology since this depends on the organization's specific security needs, including the size and complexity of the network, the level of security required, and the resources available for configuration and management.

Let's now take a look at the most common firewall topologies and discuss the advantages and disadvantes of each.

Dual-Homed Firewall

This is a simple topology where a firewall with two interfaces has one connected to the untrusted network (internet) and the other to the internal network. Dual-homed topologies are mostly used by small businesses because of their simplified design, complexity and low cost to maintain.

You'll quickly notice the absence of a DMZ zone on a dual-homed firewall, making this firewall topology unsuitable to provide any protection for public-facing servers, such as web servers or email servers.

What we often see, when there is a need to access an internal resource from the Internet, Destination Network Address Translation (DNAT) is configured on the firewall, to allow hosts from the untrusted network (internet) directly access an internal host:

Regrettably, numerous businesses lack awareness of the security hazards associated with such practices, which frequently lead to their appearance on the front page of IT news.

It is important to note that dual-homed firewall setup provides a small level of security. If an attacker is able to breach the firewall, they have direct access to the internal network. This makes the internal network vulnerable to cyber threats, including malware, data breaches, and unauthorized access.

In addition, a dual-homed firewall These servers are typically located in a DMZ in other firewall topologies, which provides an extra layer of protection between the internet and the internal network.

Three-Legged Firewall

The three-legged firewall topology provides a higher level of security than a dual-homed firewall as it isolates the internal network and DMZ from the internet, reducing the risk of a breach.

One advantage of a three-legged firewall is that it provides strong network segmentation, which helps prevent unauthorized access to sensitive data. By isolating the internal network and DMZ from the internet, attackers have a harder time accessing and compromising internal systems. Additionally, the DMZ acts as an intermediary between the internet and the internal network, allowing organizations to host public-facing servers, without exposing their network to external threats.

Another advantage of a three-legged firewall is that it allows for more granular control over network traffic. Administrators can configure the firewall to allow only necessary traffic between the DMZ and the internal network, while blocking all other traffic. This helps prevent the spread of malware or other threats in case a system in the DMZ is compromised.

These advantages come at a price since three-legged firewall can be more complex to configure and manage compared to a dual-homed firewall. It requires more networking components and devices, such as switches and routers (in some cases), which can increase the cost and complexity of the network.

Dual-Firewall or Screened Subnet

The dual-firewall or screened subnet topology offers significant advantages compared to all other setups. This topology consists of two firewalls. The first firewall, also known as the external or perimeter firewall, is connected to the internet and is responsible for filtering and blocking incoming traffic. The second firewall, also known as the internal or DMZ firewall, is placed behind the perimeter firewall and provides an extra layer of protection for the DMZ zone and the internal network:

The dual-firewall or screened subnet topology provides a high level of security for organizations that require strong isolation between the internet, DMZ zone, and internal network. However, it can be more complex and expensive to set up and maintain compared to other firewall topologies, such as the three-legged or dual-homed firewall.

Setting apart the significant costs involved for this setup, its increased complexity requires a higher level of knowlege and experience. Firewall security policies, VLAN assignments and IP network addressing must be carefully designed and configured so that the necessary isolation exists between DMZ segments, internal network and the internet.

Summary

This article introduced Next-Gen firewalls, analyzed their capabilities and explained how they are used to create DMZ zones to reduce risk and effects of a security breach. We covered the purpose and importance of DMZ zones, provided tips to help manage them and also examined number of different firewall topologies including dual-homed firewalls, three-legged firewalls and dual-firewalls aka screened subnets.

Firewall Topologies

2011-05-29T23:07:13+10:00

In this section we are going to talk about the different ways a firewall can be set up. Depending on your needs, you can have a very simple firewall setup which will provide enough protection for your personal computer or small network, or you can choose a more complicated setup which will provide more protection and security.

Let's have a look starting from the simple solutions, and then move on to the more complicated ones. Just keep in mind we are not talking about a firewall which is only a piece of software which runs on the same computer you use to connect to the internet and do your work, but we are talking about a physical computer which is a dedicated firewall.

A Simple Dual-Homed Firewall

The dual-homed firewall is one of the simplest and possibly most common way to use a firewall. The Internet comes into the firewall directly via a dial-up modem (like me :) ) or through some other type of connection like an ISDN line or cable modem. You can't have a DMZ (See the DMZ page for more info) in this type of a configuration.

The firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. It may use IP masquerading and that's all it does. This is known as a dual-homed host. The two "homes" refer to the two networks that the firewall machine is part of - one interface connected to the outside home, and the other connected to the inside home.

This particular setup has the advantage of simplicity and if your Internet connection is via a modem and you have only one IP address, it's what you're probably going to have to live with unless you create a more complex network like the one we are going to talk about.

A Two-Legged Network with a Full Exposed DMZ

In this more advanced configuration, shown in the picture below, the router that connects to the outside work is connected to a hub (or switch).

Machines that want direct access to the outside world, unfiltered by the firewall, connect to this hub. One of the firewall's network adapters also connects to this hub. The other network adapter connects to the internal hub. Machines that need to be protected by the firewall need to connect to this hub. Any of these hubs could be replaced with switches for added security and speed, and it would be more effective to use a switch for the internal hub.

There are good things about the exposed DMZ configuration. The firewall needs only two network cards. This simplifies the configuration of the firewall. Additionally, if you control the router you have access to a second set of packet-filtering capabilities. Using these, you can give your DMZ some limited protection completely separate from your firewall.

On the other hand, if you don't control the router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.

The exposed DMZ configuration depends on two things: 1) an external router, and 2) multiple IP addresses.

If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else.There are two straightforward solutions to this, depending on your particular problem.

One solution is to build a second router/firewall. This is useful if you're connecting via PPP. One machine is the exterior router/ firewall (Firewall No.1). This machine is responsible for creating the PPP connection and controls the access to our DMZ zone. The other firewall (Firewall No.2) is a standard dual-homed host just like the one we spoke about at the beginning of the page, and its job is to protect the internal network. This is identical to the situation of a dual homed firewall where your PPP machine is the local exterior router.

The other solution is to create a three-legged firewall, which is what we are going to talk about next.

The Three-Legged Firewall

This means you need an additional network adapter in your firewall box for your DMZ. The firewall is then configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network. This is a useful configuration, and I have seen many of our customers using it.

The three-legged setup can also give you the ability to have a DMZ if you're stuck with the simple topology outlined first (dual homed firewall). Replace "router" with "modem," and you can see how this is similar to the simple topology (dual homed firewall), but with a third leg stuck on the side :)

If you're being forced or have chosen to IP masquerade, you can masquerade the machine or machines in the DMZ too, while keeping them functionally separate from protected internal machines. People who have cable modems or static PPP connections can use this system to run various servers within a DMZ as well as an entire internal network off a single IP address. It's a very economic solution for small businesses or home offices.

The primary disadvantage to the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful !

On the other hand, if you don't have any control over the Internet router, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can.

Controlling Broadcasts and Multicasts

2011-04-18T10:00:00+10:00

The first step in controlling broadcast and multicast traffic is to identify which devices are involved in a broadcast or multicast storm. The following protocols can send broadcast or multicast packets:

Address Resolution Protocol (ARP)
Open Shortest Path First (OSPF)
IP Routing Information Protocol Version 1 (RIP1)
Service Advertising Protocol (SAP)
IPX Routing Information Protocol (RIP)
NetWare Link Services Protocol (NLSP)
AppleTalk Address Resolution Protocol (AARP)

After identifying the source of the broadcast or multicast storm, you must examine the packets to find out which protocol or application triggered the broadcast or multicast storm. For example, if a single device is responsible for a broadcast storm, you can examine the device's broadcast traffic to determine exactly what the device was doing. For example, you can find out what the device was looking for or what the device was announcing.

Broadcast or multicast storms are often caused by a fault that occurs during the device discovery process. For example, if an IPX-based printing environment has been misconfigured, a print driver client may continually send SAP packets to locate a specific print server. Unanswered broadcast or multicast requests usually indicate that a device is missing or has been misconfigured.

Examine the broadcast traffic on your company's network. Do you see numerous unanswered, repeat queries? Do you see protocols (such as IP RIP1, SAP, and IPX RIP) that just "blab" all day even when no other devices may be listening?

Or, is the majority of the broadcast and multicast traffic on your company's network purposeful? That is, does the broadcast and multicast traffic have a request-reply communication pattern? For example, are broadcast lookups answered?

Do broadcast packets contain meaningful information? For example, if a network has numerous routers, do broadcast packets contain routing update information?

Is the broadcast rate acceptable? Does your company's network need RIP updates every 30 seconds, or can you increase the interval to one minute?

BROADCAST/MULTICAST DOMAINS

If your company's network is experiencing excessive broadcast or multicast traffic, you should also check the scope of the broadcast or multicast domain. (A broadcast or multicast domain is the range of devices that are affected by a broadcast or a multicast packet.) Understanding broadcast and multicast domains can help you determine how harmful a broadcast storm can be from any point on the network.

The scope of a broadcast and multicast domain depends, to some degree, on the network design. For example, the picture below shows two networks, a switched network and a routed network:

On a switched network, Device 1 sends a broadcast or multicast packet that is propagated to all ports of the switch. (A typical layer-2 switch does not filter either broadcast or multicast traffic.)

On a routed network, however, a router does not forward broadcast traffic. If Device 1 sends a broadcast packet, only Device 2 and the router see the broadcast packet. If appropriate, the router processes the broadcast packet and sends a reply. Because the broadcast packet is not forwarded, it does not affect Devices 3 or 4.

Network Broadcast

2011-04-18T06:23:57+10:00

The term "Broadcast" is used very frequently in the networking world . You will see it in most networking books and articles, or see it happening on your hub/switch when all the LED's start flashing at the same time !

If you have been into networking for a while you most probably have come across the terms "broadcast" and "subnet broadcast" . When I first dived into the networking world, I was constantly confused between the two, because they both carried the "broadcast" term in them. We will analyse both of them here, to help you understand exactly what they are and how they are used !

Broadcast

A Broadcast means that the network delivers one copy of a packet to each destination. On bus technologies like Ethernet, broadcast delivery can be accomplished with a single packet transmission. On networks composed of switches with point-to-point connections, software must implement broadcasting by forwarding copies of the packet across individual connections until all switches have received a copy. We will be focusing only on Ethernet broadcasts.

The picture below illustrates a router which has sent a broadcast to all devices on its network:

Normally, when the computers on the network receive a packet, they will first try to match the MAC address of the packet with their own and if that is successful, they process the packet and hand it to the OSI layer above (Network Layer), if the MAC address is not matched, then the packet is discarded and not processed. However, when they see a MAC address of FF:FF:FF:FF:FF:FF, they will process this packet because they recognise it as a broadcast.

But what does a "broadcast" look like ?

The screenshot below was taken from the packet sniffer application and shows the basic information contained within a network broadcast:

Let's now have a closer look at the above captured packet.

The image below shows a broadcast packet. You can clearly see that the "MAC destination address" is set to FF:FF:FF:FF:FF:FF. The "Address IP destination" is set to 255.255.255.255, this is the IP broadcast address and ensures that no matter what IP address the receiving computer(s) have, they will not reject the data but process it.

Now you might ask yourself "Why would a workstation want to create a broadcast packet ?"

The answer to that lies within the various protocols used on our networks !

Let's take for example Address Resolution Protocol, or ARP. ARP is used to find out which MAC address (effectively , which network card or computer) has a particular IP address bound to it. You will find a detailed example of the whole process in the IP Routing section.

For a network device such as a router to ask "Who has IP address 192.168.0.100?", it must "shout" it out so it can grab everyone's attention, which is why it will use a broadcast address to make sure everyone on the network listens and processes the packet.

In the example image above, the particular machine was looking for a DHCP server (notice the "bootps" protocol under the UDP Header - Layer 4, which is basically DHCP).

Subnet Broadcast or Direct Broadcast

A Subnet or Direct broadcast is targetted not to all hosts on a network, but to all hosts on a subnet. Since a physical network can contain different subnets/networks e.g 192.168.0.0 and 200.200.200.0, the purpose of this special broadcast is to send a message to all the hosts in a particular subnet.

In the example below, Router A sends a subnet broadcast onto the network. Hosts A,B,C and the Server are configured to be part of the 192.168.0.0 network so they will receive and process the data, but Host D is configured with a different IP Adress, so it's part of a different network, it will accept the packet cause of its broadcast MAC address, but will drop the packet when it reaches its Network Layer, where it will see that this packet was for a different IP network.

It is very similar to the network broadcast we just talked about but varies slightly in the sense that its IP broadcast is not set to 255.255.255.255 , but is set to the subnet broadcast address. For example, my home network is a Class C network : 192.168.0.0 with a subnetmask of 255.255.255.0 or, if you like to keep it simple, : 192.168.0.0/24.

This means that the available valid hosts for this network are from 192.168.0.1 to 192.168.0.254. In this Class C network, as in every other network, there are 2 addresses which I can't use. The first one is preserved to identify the network (192.168.0.0) and the second one for the subnet broadcast (192.168.0.255).

The above packet, captured from my packet sniffer, shows my workstation broadcasting to the subnet 192.168.0.0. From the broadcast address you can tell that I am using a full Class C network range, otherwise the Destination IP wouldn't be 192.168.0.255.

The Packet decoder on the right shows you the contents of each header from the above packet.

Looking at the MAC Header (Datalink Layer), the destination MAC address is set to FF:FF:FF:FF:FF:FF and the IP Header (Network Layer) has the Destination IP set to 192.168.0.255 which is, as I said, the Subnet Broadcast Address. Again, all computers on the network which are part of the 192.168.0.0 subnet will process this packet, the rest will drop the packet once they see it's for a network to which they do not belong.

In this example, I double clicked at my "Network Places" and was searching for a computer, this forced my workstation to send out a Subnet Broadcast on the network asking if a particular computer existed on the network.

Multicast - Understand How IP Multicast Works

2011-04-18T05:13:35+10:00

Multicast is a communication method used in computer networking where data is sent from a single sender to a group of destination devices. In this method, the sender sends the data packet to a specific multicast address, which is assigned to a group of devices. The data packet is then forwarded by network devices to all devices that have subscribed to the multicast group.

Multicasting is an efficient method of sending data to a group of devices, as it reduces network traffic and ensures that data is delivered to all devices in the group simultaneously. Multicasting is widely used in various network protocols, such as IPTV, video conferencing, and online gaming. In this article, we will discuss the importance and benefits of multicasting, as well as its use in different network applications.

Note: Understanding Multicast requires solid knowledge on the structure and purpose of MAC Addresses.

Some describe a multicast similar to a broadcast in that it targets a number of devices or hosts on a network, but not all. While a broadcast is directed to all hosts on the local segment, a multicast is directed to a group of hosts. With multicast, the hosts can select whether they wish to participate in the multicast group with the use of the Internet Group Management Protocol (IGMP) protocol.

Below is a simple example of a group of hosts (host A and D) being part of a multicast group who receive and process a stream of data:

Multicast Fundamentals

To help explain how multicast works, we've split this section into three different topics:

Hardware/Ethernet Multicasting
IP Multicasting
Mapping IP Multicast to Ethernet Multicast

A typical multicast on an Ethernet network, using the TCP/IP protocol, consists of two parts: Hardware/Ethernet multicast and IP Multicast. Later on I will talk about Mapping IP Multicast to Ethernet Multicast which is really what happens with multicasting on our Ethernet network using the TCP/IP protocol.

The brief diagram below shows you the relationship between the 3 and how they complete the multicasting model:

Hardware/Ethernet Multicasting

When a computer joins a multicast group, it needs to be able to distinguish between normal unicasts (which are packets directed to one computer or one MAC address) and multicasts. With hardware multicasting, the network card is configured, via its drivers, to watch out for particular MAC addresses (in this case, multicast MAC addresses) apart from its own. When the network card picks up a packet which has a destination MAC that matches any of the multicast MAC addresses, it will pass it to the upper layers for further processing.

And this is how they do it:

Ethernet uses the low-order bit of the high-order octet to distinguish conventional unicast addresses from multicast addresses. A unicast would have this bit set to ZERO (0), whereas a multicast would be set to ONE (1)

To understand this, we need to analyse the destination MAC address of a unicast and multicast packet, so you can see what we are talking about:

When a normal (unicast) packet is put on the network by a computer, it contains the Source and Destination MAC address, found in the 2nd Layer of the OSI model. The following picture is an example of my workstation (192.168.0.6) sending a packet to my network's gateway (192.168.0.5):

Now let's analyse the destination MAC address:

When my gateway receives the packet, it knows it's a unicast packet as explained in the above image.

Let's now have a look at the destination MAC address of a multicast packet. Keep in mind, a multicast packet is not directed to one host but a group of hosts, so the destination MAC address will not match the unique MAC address of any computer, but the computers which are part of the multicast group will recognise the destination MAC address and accept it for processing.

The following multicast packet was sent from our multicast server. Notice the destination MAC address (it's a multicast):

Analysis of the multicast destination MAC address will help make things clearer:

So now you should be able to understand how computers can differentiate between a normal or unicast packet and a multicast packet. Remember, the destination MAC address 01-00-5E-00-00-05 does not belong to a host, and is recognised by computers that are part of the multicast group.

Multicast MAC addresses are always used in the destination MAC address field of an Ethernet packet.

The IEEE group used a special Rule to determine the various MAC addresses that will be considered for multicasting. This rule is covered in the last section of this page, but you don't need to know it now in order to understand Hardware multicasting. Using this special rule it was determined that MAC address 01:00:5E:00:00:05 will be used for the OSPF protocol, which happens to be a routing protocol, and then this MAC address also maps to an IP address which is analysed in IP Multicast.

IP Multicast

The IP Multicast is the second part of multicasting which, combined with the hardware multicasting, gives us a multicasting model that works for our Ethernet network. If hardware multicasting fails to work, then the packet will never arrive at the network layer upon which IP multicasting is based, so the whole model fails.

With IP multicasting the hardware multicasting MAC address is mapped to an IP Address. Once Layer 2 (Datalink) picks the multicast packet from the network (because it recognises it, as the destination MAC address is a multicast) it will strip the MAC addresses off and send the rest to the above layer, which is the Network Layer. At that point, the Network Layer needs to be able to understand it's dealing with a multicast, so the IP address is set in a way that allows the computer to see it as a multicast datagram. A host may send multicast datagrams to a multicast group without being a member.

Multicasts are used a lot between routers so they can discover each other on an IP network. For example, an Open Shortest Path First (OSPF) router sends a "hello" packet to other OSPF routers on the network. The OSPF router must send this "hello" packet to an assigned multicast address, which is 224.0.0.5, and the other routers will respond.

IP Multicast uses Class D IP Addresses:

Let's have a look at an example so we can understand that a bit better:

The picture below is a screenshot from my packet sniffer, it shows a multicast packet which was sent from my NetWare server, notice the destination IP address:

The screenshot above shows the packet which was captured, it's simply displaying a quick summary of what was caught. But, when we look on the left, we see the above packet in much more detail.

You can clearly see the markings I have put at the bottom which show you that the destination IP for this packet is IP Address 224.0.0.5. This corresponds to a multicast IP and therefore is a multicast packet.

The MAC header also shows a destination MAC address of 01-00-5E-00-00-05 which we analysed in the previous section to show you how this is identified as a multicast packet at Layer 2 (Datalink Layer).

Some examples of IP multicast addresses:

224.0.0.0 Base Address (Reserved) [RFC1112,JBP]
224.0.0.1 All Systems on this Subnet [RFC1112,JBP]
224.0.0.2 All Routers on this Subnet [JBP]
224.0.0.3 Unassigned [JBP]
224.0.0.4 DVMRP Routers [RFC1075,JBP]
224.0.0.5 OSPFIGP OSPFIGP All Routers [RFC2328,JXM1]

Remember that these IP Addresses have been assigned by the IEEE !

Now all that's left is to explain how the IP multicast and MAC multicast map between each other...

Mapping IP Multicast to Ethernet Multicast

The last part of multicast which combines the Hardware Multicasting and IP Multicasting is the Mapping between them. There is a rule for the mapping, and this is it:

To map an IP Multicast address to the corresponding Hardward/Ethernet multicast address, place the low-order 23 bits of the IP multicast address into the low-order 23 bits of the special Ethernet multicast address. The rest of the high-order bits are defined by the IEEE (yellow colour in the example)

The above rule basically determines the Hardware MAC address. Let's have a look at a real example to understand this.

We are going to use Multicast IP Address 224.0.0.5 - a multicast for the OSPF routing protocol. The picture below shows us the analysis of the IP address in binary so we can clearly see all the bits:

It might seem a bit confusing at first, but let's break it down:

We have an IP Address of 224.0.0.5, this is then converted into binary so we can clearly see the mapping of the 23 bits to the MAC address of the computer. The MAC Address part which is in yellow has been defined by the IEEE group. So the yellow and pink line make the one MAC Address as shown in binary mode, then we convert it from binary to hex and that's about it !

You should keep in mind that multicast routers should not forward any multicast datagram with destination addresses in the following 224.0.0.0 and 224.0.0.255. The next page (multicasting list) gives a bit more information on this.

Internet Multicast Addressess

Host Extensions for IP Multicasting [RFC1112] specifies the extensions required of a host implementation of the Internet Protocol (IP) to support multicasting. Current addresses are listed below.

The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive, is reserved for the use of routing protocols and other low-level topology discovery or maintenance protocols, such as gateway discovery and group membership reporting. Multicast routers should not forward
any multicast datagram with destination addresses in this range, regardless of its TTL.

224.0.0.0 Base Address (Reserved) [RFC1112,JBP]
224.0.0.1 All Systems on this Subnet [RFC1112,JBP]
224.0.0.2 All Routers on this Subnet [JBP]
224.0.0.3 Unassigned [JBP]
224.0.0.4 DVMRP Routers [RFC1075,JBP]
224.0.0.5 OSPF - IGP All Routers [RFC1583,JXM1]
224.0.0.6 OSPF - IGP Designated Routers [RFC1583,JXM1]
224.0.0.7 ST Routers [RFC1190,KS14]
224.0.0.8 ST Hosts [RFC1190,KS14]
224.0.0.9 RIP2 Routers [RFC1723,GSM11]
224.0.0.10 IGRP Routers [Dino Farinacci]
224.0.0.11 Mobile-Agents [Bill Simpson]
224.0.0.12 DHCP Server / Relay Agent [RFC1884]
224.0.0.12 - 224.0.0.255 Unassigned [JBP]

224.0.1.23 XINGTV

224.0.2.1 "rwho" Group (BSD) (unofficial) [JBP]
224.0.2.2 SUN RPC PMAPPROC_CALLIT [BXE1]

224.0.3.000-224.0.3.255 RFE Generic Service [DXS3]
224.0.4.000-224.0.4.255 RFE Individual Conferences [DXS3]
224.0.5.000-224.0.5.127 CDPD Groups [Bob Brenner]
224.0.5.128-224.0.5.255 Unassigned [IANA]
224.0.6.000-224.0.6.127 Cornell ISIS Project [Tim Clark]
224.0.6.128-224.0.6.255 Unassigned [IANA]
224.0.7.000-224.0.7.255 Where-Are-You [Simpson]
224.0.8.000-224.0.8.255 INTV [Tynan]
224.0.9.000-224.0.9.255 Internet Railroad [Malamud]

224.1.0.0-224.1.255.255 ST Multicast Groups [RFC1190,KS14]
224.2.0.0-224.2.255.255 Multimedia Conference Calls [SC3]

224.252.0.0-224.255.255.255 DIS transient groups [Joel Snyder]

232.0.0.0-232.255.255.255 VMTP transient groups [RFC1045,DRC3]

These addresses are listed in the Domain Name Service under MCAST.NET and 224.IN-ADDR.ARPA.

Note that when used on an Ethernet or IEEE 802 network, the 23 low-order bits of the IP Multicast address are placed in the low-order
23 bits of the Ethernet or IEEE 802 net multicast address 1.0.94.0.0.0.

Summary

This article explained what multicasting is, how it works and its importance within a network and the internet. We analyzed the structure of a multicast address, the concept of multicast groups, purpose of IGMP and more. We talked about IP multicasting, Ethernet multicasting and their role. Finally we provided a list of IP multicast addresses and related RFCs. For more information on network protocols, analysis and functionality, please visit our Network Protocols or Network Fundamentals section.

Network Unicast - Its role and Importance

2011-04-18T00:38:14+10:00

Unicast is a communication method used in computer networking where data is sent from a single sender to a specific destination device. In this method, the sender sends the data packet to a unique IP address, which is assigned to the destination device. This is in contrast to broadcast or multicast communication methods, where data is sent to all devices on the network or to a group of devices, respectively.

Unicast is a widely used communication method in computer networking, and it plays a critical role in ensuring efficient communication between devices on a network. Some of the important aspects of unicast communication are discussed below:

The Purpose of Unicast

The purpose of unicast communication is to enable one-to-one communication between devices on a network. This is useful when the sender wants to send data to a specific destination device, without broadcasting the data to all devices on the network. For example, when you access a website, your computer sends a unicast message to the web server requesting data, and the web server sends a unicast message back to your computer with the requested data.

The Importance of Unicast

Unicast communication is an essential part of network infrastructure, as it is used in various network protocols such as TCP, HTTP, and SMTP. It plays a crucial role in ensuring efficient data transfer between devices on a network, as data packets are sent directly to the destination device, without causing network congestion or unnecessary data transmission.

Unicast Addressing

In unicast communication, devices are identified by their unique IP addresses. An IP address is a 32-bit number that identifies a device on a network. In IPv4, which is the most widely used Internet Protocol, IP addresses are represented as four sets of decimal numbers separated by dots. For example, 192.168.1.1 is an IP address that identifies a device on a network.

Unicast's Role in Routing

Unicast communication relies on routing protocols to ensure that data packets are sent to the correct destination device. Routing protocols are algorithms used by network devices, such as routers, to determine the best path for data packets to reach their destination. They use various metrics, such as hop count, link speed, and network congestion, to determine the optimal path for data packets.

Unicast's role in Communication Efficiency

Unicast communication is a highly efficient method of data transfer, as data packets are sent directly to the destination device. This reduces network congestion and ensures that data is delivered to the intended recipient without unnecessary delay. It also allows for efficient use of network resources, as only the intended recipient receives the data packet, and not all devices on the network.

Unicast Security

Unicast communication is more secure than broadcast communication, as data packets are only sent to the intended recipient. This reduces the risk of data interception and eavesdropping, which can occur in broadcast communication, where data packets are sent to all devices on the network.

Summary

Unicast communication is an essential part of network infrastructure, enabling efficient and secure communication between devices on a network. It plays a critical role in ensuring efficient data transfer, reducing network congestion, and improving network performance. By using unique IP addresses to identify devices on a network, and routing protocols to determine the best path for data packets, unicast communication allows for efficient and secure communication between devices on a network.

Back to Network Fundamentals Section

Media Access Control - MAC Addresses

2011-04-17T23:46:33+10:00

A MAC address, or Media Access Control address, is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. It is a 48-bit address consisting of six sets of two hexadecimal digits, separated by colons or hyphens.

MAC addresses are essential in the functioning of Ethernet and Wi-Fi networks, as they are used to ensure that data packets are sent to the correct destination device. Every NIC has a unique MAC address, which is assigned by the device manufacturer and cannot be changed. MAC addresses are used by network switches and routers to forward data packets to the correct destination, and they play a crucial role in preventing network collisions and ensuring efficient network traffic management. MAC addresses are an essential part of network infrastructure and are used in almost all network communication protocols.

The Reason for MAC

The purpose of MAC addresses is to provide a unique identifier for network devices and enable efficient and accurate communication between them within a network.

The diagram below provides a visual representation how important MAC Addresses are on our network and at which layer of the OSI Model they exist:

You see, the IP address of a machine exists on the Network Layer of the OSI model and, when a packet reaches the computer, it will travel from Layer 1 upwards, so we need to be able to identify the computer before Layer 3.

This is where the MAC address - Layer 2 comes into the picture. All machines on a network will listen for packets that have their MAC address in the destination field of the packet (they also listen for broadcasts and other stuff, but that's analysed in other sections). The Physical Layer understands the electrical signals on the network and creates the frame which gets passed to the Datalink layer. If the packet is destined for the computer then the MAC address in the destination field of the packet will match, so it will accept it and pass it onto the Layer above (3) which, in turn, will check the network address of the packet (IP Address), to make sure it matches with the network address to which the computer has been configured.

Examining a MAC Address

Let's now have a look at a MAC address and see what it looks like! We will use our workstation's MAC address as an example:

As mentioned previously, MAC Addresses are always presented in HEX format, just as our example above. It is very rare that a MAC address is represented in Binary format because it is simply too long and difficult to understand, as we will see futher on.

When a vendor, e.g Intel, produces network cards for computers, they don't just assign them any MAC address they like, this would create a big confusion in identifying who is the vendor of each network card and could possibly result in clashing with another MAC address from another vendor e.g D-link, who happened to choose the same MAC address for their network card!

To avoid these kind of problems, the IEEE group split the MAC address in half, and used the first half to identify the vendor, and the second half is used by the vendor to allocate serial numbers:

The Vendor code is specified by RFC - 1700. You might find a particular vendor having more than just one code; this is because of the wide range of products they might have. They just apply for more, as they need !

Keep in mind that even tho the MAC address is "burnt-in" to the network card's memory, some vendors will allow you to download special programs to change the second half of the MAC address on the card. This is because the vendors actually reuse the same MAC addresses for their network cards because they create so many that they run out of numbers ! But at the same time, the chances of you buying two network cards which have the same MAC address are so small that it's almost impossible !

Let's start talking bits and bytes!

Now that we know what a MAC address looks like, we need to start analysing it. A MAC address of any network card is always the same length, that is, 6 Bytes long or 48 Bits long. If you're scratching your head wondering where these figures came from, then just have a look at the picture below which makes it a bit easier to understand:

Summary

In this article we explained the purpose and importance of MAC address, or Media Access Control address. We examined the 48-bit MAC address structure and how vendors assign serial numbers to their MAC address ranges.

Network Data Transmission

2011-04-17T23:28:57+10:00

Network data transmission refers to the process of sending and receiving information between two or more devices connected to a network. It is a critical aspect of modern-day networking, and it enables devices to communicate with each other over long distances. There are several ways in which data can be transmitted over a network, including broadcast, unicast, and multicast.

Each method has its own advantages and disadvantages, and the choice of transmission method depends on the specific requirements of the network. For example, broadcast transmission is useful for sending messages that need to be received by every device on the network, while unicast transmission is useful for sending messages between specific devices.

Broadcast

Broadcast transmission is a network communication technique in which data packets are sent to all devices on the network. In this method, the sender sends a single message, which is then received and processed by every device on the network. This method is often used for sending important notifications or messages that need to be received by every device on the network. For example, when a device joins or leaves a network, the network administrator may send a broadcast message to inform all devices on the network of the change.

However, broadcast transmission can be inefficient because all devices on the network receive the message, even if the message is not intended for them. This can lead to a significant amount of network traffic, which can slow down the network and reduce its performance.

Unicast

Unicast transmission is a network communication technique in which data packets are sent from one device to a specific destination device. In this method, the sender sends a message to a single recipient, and the message is only received and processed by the intended recipient. This method is often used for sending private or confidential messages between devices on a network. For example, when a user sends an email to another user on the same network, the email is sent using unicast transmission.

Unicast transmission is much more efficient than broadcast transmission because only the intended recipient receives the message. This reduces the amount of network traffic and improves the network's performance. However, unicast transmission can be slower than broadcast transmission because the sender has to address each packet to the intended recipient.

Multicast

Multicast transmission is a network communication technique in which data packets are sent from one device to a group of devices on the network. In this method, the sender sends a message to a multicast group, and the message is received and processed by all devices that are members of the group. This method is often used for sending messages to a specific group of users or devices on a network. For example, when a user wants to send a message to all devices on a specific network segment, multicast transmission can be used.

Multicast transmission is more efficient than unicast transmission because it enables the sender to send a message to multiple recipients simultaneously. This reduces the amount of network traffic and improves the network's performance. However, multicast transmission requires support from the network infrastructure, and not all network devices or protocols support multicast transmission.

Summary

In summary, network data transmission is a critical aspect of modern-day networking, and it enables devices to communicate with each other over long distances. There are several ways in which data can be transmitted over a network, including broadcast, unicast, and multicast. Each of these methods has its advantages and disadvantages, and the choice of transmission method depends on the specific requirements of the network.

LAN Network Topologies

2011-04-17T20:35:47+10:00

Network topologies can take a bit of time to understand when you're all new to this kind of cool stuff, but it's very important to fully understand them as they are key elements to understanding and troubleshooting networks and will help you decide what actions to take when you're faced with network problems.

This article explains the different network topologies found in today's networks. We examine Bus Topology, Ring Topology, Star Topology, Mesh Topology, Hybrid Topology and many more.

Physical and Logical Topologies

There are two types of topologies: Physical and Logical. The physical topology of a network refers to the layout of cables, computers and other peripherals. Try to imagine yourself in a room with a small network, you can see network cables coming out of every computer that is part of the network, then those cables plug into a hub or switch. What you're looking at is the physical topology of that network !

Logical topology is the method used to pass the information between the computers. In other words, looking at that same room, if you were to try to see how the network works with all the computers talking (think of the computers generating traffic and packets of data going everywhere on the network) you would be looking at the logical part of the network. The way the computers will be talking to each other and the direction of the traffic is controlled by the various protocols (like Ethernet) or, if you like, rules.

If we used token ring, then the physical topology would have to change to meet the requirements of the way the token ring protocol works (logically).

If it's all still confusing, consider this: The physical topology describes the layout of the network, just like a map shows the layout of various roads, and the logical topology describes how the data is sent accross the network or how the cars are able to travel (the direction and speed) at every road on the map.

The most common types of physical topologies, which we are going to analyse, are: Bus, Hub/Star and Ring.

The Physical Bus Topology

Bus topology is fairly old news and you probably won't be seeing much of these around in any modern office or home.

With the Bus topology, all workstations are connect directly to the main backbone that carries the data. Traffic generated by any computer will travel across the backbone and be received by all workstations. This works well in a small network of 2-5 computers, but as the number of computers increases so will the network traffic and this can greatly decrease the performance and available bandwidth of your network.

As you can see in the above example, all computers are attached to a continuous cable which connects them in a straight line. The arrows clearly indicate that the packet generated by Node 1 is transmitted to all computers on the network, regardless the destination of this packet.

Also, because of the way the electrical signals are transmitted over this cable, its ends must be terminated by special terminators that work as "shock absorbers", absorbing the signal so it won't reflect back to where it came from. The value of 50Ohms has been selected after carefully taking in consideration all the electrical characteristics of the cable used, the voltage that the signal which runs through the cables, the maximum and minimum length of the bus and a few more.

If the bus (the long yellow cable) is damaged anywhere in its path, then it will most certainly cause the network to stop working or, at the very least, cause big communication problems between the workstations.

Thinnet - 10 Base2, also known as coax cable (Black in colour) and Thicknet - 10 Base 5 (Yellow in colour) is used in these type of topologies.

The Physical HUB or STAR Topology

The Star or Hub topology is one of the most common network topologies found in most offices and home networks. It has become very popular in contrast to the bus type (which we just spoke about), because of the cost and the ease of troubleshooting.

The advantage of the star topology is that if one computer on the star topology fails, then only the failed computer is unable to send or receive data. The remainder of the network functions normally.

The disadvantage of using this topology is that because each computer is connected to a central hub or switch, if this device fails, the entire network fails!

A classic example of this type of topology is the UTP (10 base T), which normaly has a blue colour.

The Physical Ring Topology

In the ring topology, computers are connected on a single circle of cable. Unlike the bus topology, there are no terminated ends. The signals travel around the loop in one direction and pass through each computer, which acts as a repeater to boost the signal and send it to the next computer. On a larger scale, multiple LANs can be connected to each other in a ring topology by using Thicknet coaxial or fiber-optic cable.

The method by which the data is transmitted around the ring is called token passing. IBM's token ring uses this method. A token is a special series of bits that contains control information. Possession of the token allows a network device to transmit data to the network. Each network has only one token.

The Physical Mesh Topology

In a mesh topology, each computer is connected to every other computer by a separate cable. This configuration provides redundant paths through the new work, so if one computer blows up, you don't lose the network :) On a large scale, you can connect multiple LANs using mesh topology with leased telephone lines, Thicknet coaxial cable or fiber optic cable.

Again, the big advantage of this topology is its backup capabilities by providing multiple paths through the network.

The Physical Hybrid Topology

With the hybrid topology, two or more topologies are combined to form a complete network. For example, a hybrid topology could be the combination of a star and bus topology. These are also the most common in use.

Star-Bus

In a star-bus topology, several star topology networks are linked to a bus connection. In this topology, if a computer fails, it will not affect the rest of the network. However, if the central component, or hub, that attaches all computers in a star, fails, then you have big problems since no computer will be able to communicate.

Star-Ring

In the Star-Ring topology, the computers are connected to a central component as in a star network. These components, however, are wired to form a ring network.

Like the star-bus topology, if a single computer fails, it will not affect the rest of the network. By using token passing, each computer in a star-ring topology has an equal chance of communicating. This allows for greater network traffic between segments than in a star-bus topology.

Back to Network Fundamentals

Introduction To Networking

2011-04-17T11:45:51+10:00

A network is simply a group of two or more Personal Computers linked together. Many types of networks exist, but the most common types of networks are Local-Area Networks (LANs), and Wide-Area Networks (WANs).

In a LAN, computers are connected together within a "local" area (for example, an office or home). In a WAN, computers are further apart and are connected via telephone/communication lines, radio waves or other means of connection.