Chapter 01: Networking Concept

Technology Brief

Building a network from the ground up requires a large number of hardware and software technologies to work together in order to move information from one machine to another. In essence, there are sets of rules on what a network should do and how it should be done.
These sets of rules, and the software written to follow them, are broken down into individual rule sets known as protocols. When a series of protocols is specifically designed to operate together, they are called a protocol suite. Protocol suites are almost always named after their main protocols, in a "protocol name/protocol name" format (TCP/IP, for example).
Purposes and Uses of Ports and Protocols
The TCP/IP suite is the set of protocols used on today's computer networks, and specifically on the Internet. It provides end-to-end connectivity by specifying how data should be packetized, addressed, transmitted, routed and received on a TCP/IP network. This functionality is organized into four abstraction layers, and each protocol in the suite operates in a particular layer. This section will focus only on three protocols: ICMP, TCP, and UDP.
Protocols and Ports
Many protocols run at the different layers of the OSI model, and their port numbers identify those protocols. This section discusses the importance of protocols and the ports associated with them.
SSH 22
Secure Shell (SSH) has replaced the insecure Telnet protocol. SSH involves SSH servers that use Public Key Infrastructure (PKI) in the form of an RSA key. When a client tries to log into an SSH server, the server first sends its public key to the client. The client creates a session ID, encrypts it using the server's public key, and sends it back to the server. The server decrypts this session ID and uses it to protect all further data. This is secure because only the client and the server know the session ID. SSH uses TCP port 22 for connections.
DNS 53
Domain Name System (DNS) translates human-readable domain names into IP addresses. A DNS server is a special type of server that stores, serves and processes Internet domain names and their related records. DNS uses port 53, over TCP and, as noted in the UDP section below, over UDP for ordinary queries.
SMTP 25
Simple Mail Transfer Protocol (SMTP) defines the process of transferring email between hosts on a network. SMTP works at the Application layer of the OSI model and uses TCP, on port 25, to guarantee error-free delivery of messages between hosts.
SFTP 22
SFTP (SSH File Transfer Protocol) is a secure alternative to the File Transfer Protocol (FTP). It runs over the SSH protocol and uses the security and authentication of SSH to protect the communication channel. The SFTP port number is therefore SSH's port 22.
SFTP has replaced FTP because it provides more security against password sniffing and man-in-the-middle attacks, more reliability (it protects the integrity of the data using encryption), and ease of configuration. There is no reason to use the vulnerable file transfer protocols any more.
FTP 20 and 21
File Transfer Protocol (FTP) is the most common way of sending and receiving files between two computers. FTP is not very secure because data transfers are not encrypted by default, so add usernames and passwords to keep all but the most determined attackers out of your FTP server. The old active FTP used TCP ports 21 and 20 by default, whereas passive FTP uses only port 21 by default.
Real World Scenario

Background

FTP is an application layer protocol within the TCP/IP protocol suite that enables transfer of information primarily via ports 20 and 21. Port 21 is the FTP control port, while port 20 is the data port.
Although FTP is widely used, several vulnerabilities should be addressed to ensure security. FTP authentication is sent in clear text, making it easy for an individual to view usernames and passwords with a packet sniffer. Because hackers and malicious software can obtain this data quite easily, it is essential to block ports 20 and 21 wherever the traffic does not need to cross firewalls or routers on a network.

Challenges

Healthcare data is the most coveted data type for hackers and cyber criminals, far more than credit card data. The FBI alerted medical and dental facilities about a new cybercrime threat that involves the active targeting of anonymous FTP servers in order to gain access to Protected Health Information (PHI) and Personally Identifiable Information (PII).
The anonymous extension of FTP “allows a user to be authenticated to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or email address”.
As a result, hackers continuously launch cyberattacks on businesses that use anonymous FTP within the medical and dental industries attempting to compromise sensitive PHI and PII data with the “purposes of intimidating, harassing, and blackmailing” business owners.

Solution

Here are three steps to help eliminate the risk:

  1. Do a Systems Audit: Performing a systems audit will help to identify any systems that might be running anonymous FTP.
  2. Stop Using Anonymous FTP: An outdated protocol carries more risks than rewards.
  3. Start Using a Secure Managed File Transfer (MFT) Solution: A quality Managed File Transfer (MFT) solution not only offers a variety of secure protocols like FTPS, HTTPS, and SFTP, but also provides other security features, such as multi-factor authentication, resource controls with permission groups, password complexity, expiring inactive accounts, and of course, encryption.
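
An added example for step 1, the systems audit; it is not part of the original scenario. It walks a constructed FTP control-channel transcript, in the shape a capture tool or server log might record, and reports each successful anonymous login and each USER/PASS pair that crossed the wire in clear text. The line format, addresses, user names and helper names are all this example's own assumptions.

```python
import re

# Constructed transcript of FTP control-channel lines ("C:" client to server,
# "S:" server reply). Addresses, users and passwords are invented.
SAMPLE_TRANSCRIPT = """\
10.0.0.5:51000 S: 220 FTP server ready
10.0.0.5:51000 C: USER anonymous
10.0.0.5:51000 S: 331 Please specify the password.
10.0.0.5:51000 C: PASS guest@example.invalid
10.0.0.5:51000 S: 230 Login successful.
10.0.0.7:51200 C: USER jdoe
10.0.0.7:51200 S: 331 Please specify the password.
10.0.0.7:51200 C: PASS Winter2024!
10.0.0.7:51200 S: 230 Login successful.
10.0.0.9:51300 C: USER ftp
10.0.0.9:51300 S: 331 Please specify the password.
10.0.0.9:51300 C: PASS
10.0.0.9:51300 S: 530 Login incorrect.
"""

# User names the anonymous extension accepts, per the scenario text.
ANONYMOUS_USERS = {"anonymous", "ftp"}
LINE_RE = re.compile(r"^(?P<peer>\S+) (?P<dir>[CS]): (?P<text>.*)$")

def audit_ftp_transcript(text):
    """Return findings: one 'cleartext-credential' per PASS observed and one
    'anonymous-login' per 230 reply that completes an anonymous/ftp login.
    Passwords are deliberately not copied into the findings."""
    pending = {}    # peer -> user name awaiting the server's verdict
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, direction, msg = m.group("peer", "dir", "text")
        if direction == "C":
            verb, _, arg = msg.partition(" ")
            if verb.upper() == "USER":
                pending[peer] = arg
            elif verb.upper() == "PASS" and peer in pending:
                # The credential was readable on the wire whether or not
                # the server goes on to accept it.
                findings.append({"peer": peer, "kind": "cleartext-credential",
                                 "user": pending[peer]})
        elif peer in pending:
            code = msg[:3]
            if code == "230":               # login accepted
                user = pending.pop(peer)
                if user.lower() in ANONYMOUS_USERS:
                    findings.append({"peer": peer, "kind": "anonymous-login",
                                     "user": user})
            elif code.startswith("5"):      # login rejected
                pending.pop(peer)
    return findings

def summarize(findings):
    """Count findings by kind, the figure an audit report wants first."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    found = audit_ftp_transcript(SAMPLE_TRANSCRIPT)
    for f in found:
        print(f"{f['kind']:21} {f['peer']:18} user={f['user']!r}")
    print(summarize(found))
```

The rejected login from 10.0.0.9 is still reported as a clear-text credential but not as an anonymous login, because only a 230 reply proves the server actually accepts anonymous access.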

Conclusion

FTP is like Telnet in that credentials and information are sent in clear text, so if they are captured through a passive attack such as sniffing, the data could be used to gain unauthorized access. Although FTP is a popular protocol for transmitting data, the fact that it transfers authentication data in clear text makes it extremely insecure.

TFTP 69
Trivial File Transfer Protocol (TFTP) has similar functionality to FTP, in that both allow the transfer of files within a network. Although FTP allows for browsing files and folders on a server, TFTP requires the user to know the exact name of the file to transfer and the exact location where it can be found. In addition, whereas FTP uses the connection-oriented TCP, TFTP uses the connectionless UDP. TFTP is most often used for simple downloads such as transferring firmware to a network device (router or switch). Data transfer through TFTP is usually initiated through port 69.
TELNET 23
Telnet is a terminal emulation protocol that enables a user to connect to a remote host or device using a telnet client. Telnet is considered insecure because it transfers all data in clear text. Users who want secure transmission of data use SSH instead of Telnet. The port associated with Telnet is 23.
DHCP 67 and 68
Dynamic Host Configuration Protocol (DHCP) is a dynamic IP addressing protocol that works on a client-server model: a network device requests an IP address, and the DHCP server allocates one to that host automatically. It reduces the workload of a network administrator, who would otherwise have to assign an IP address to each device manually. DHCP uses User Datagram Protocol (UDP) port 67 for the server and UDP port 68 for the client.
DHCP provides the following benefits:

  • Reliable IP address configuration
  • Reduced network administration

HTTP 80
Hypertext Transfer Protocol (HTTP) is the protocol used to browse the World Wide Web, via port 80. HTTP clients use a browser to make requests to an HTTP server that holds the files they require. The files on the HTTP server are formatted in web languages such as Hypertext Markup Language (HTML) and are located using a Uniform Resource Locator (URL). The URL contains the type of request being made (http://, for example), the DNS name of the server to which the request is sent, and optionally the path to the file on the server.

HTTPS 443
Hypertext Transfer Protocol Secure (HTTPS) provides a more secure solution that uses Secure Sockets Layer (SSL) to encrypt information sent between the client and the server. For HTTPS to operate, both the client and the server must support it. HTTPS is needed whenever browsing involves filling out forms, signing in, authenticating, or otherwise protecting an HTTP message, for example when users make a reservation or buy something online. HTTPS uses port 443.
SNMP 161
Simple Network Management Protocol (SNMP) is a tool that helps identify devices in the network, called agents, such as routers and switches, and determine their status and configuration. SNMP uses UDP ports 161 and 162 for non-secure communication: the Network Management Station (NMS) receives/listens on port 162, and the agent receives/listens on port 161.
RDP 3389
Remote Desktop Protocol (RDP) is a proprietary protocol used by computers running Microsoft operating systems, although clients exist that allow Linux and Unix systems to connect to Microsoft computers using RDP. It can be used to connect to a computer and take control of the system remotely. Every Microsoft client since Windows XP has RDP software built in. For security reasons, it is not enabled initially; to connect to a computer remotely, users must enable the software and configure the appropriate authentication. By default, the server listens on TCP port 3389 and UDP port 3389.
RTP 5004 and 5005
RTP defines a standardized packet format for delivering audio and video over the Internet. It is frequently used in streaming, video conferencing, and push-to-talk applications. RTP typically runs over User Datagram Protocol (UDP).

  • UDP port 5004 is used for delivering data packets to clients that are streaming using Real Time Streaming Protocol over UDP (RTSPU)
  • UDP port 5005 is used for receiving packet loss information from clients and providing synchronization information to clients that are streaming using RTSPU

NTP 123
Network Time Protocol (NTP) provides time synchronization to all the devices on a network. In simple words, NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks. The current protocol is version 4 (NTPv4), which is a proposed standard as documented in RFC 5905. It sends and receives timestamps using the User Datagram Protocol (UDP) on port number 123.
Typically, users will have an NTP server that connects through the Internet to an atomic clock. This time can then be synchronized through the network to keep all routers, switches, servers, etc. receiving the same time information.
Correct time within the network is important for several reasons:

  • Tracking of events in the network is possible with correct time
  • Clock synchronization is critical for the correct interpretation of events within the syslog data
  • Clock synchronization is critical for digital certificates

SIP 5060 and 5061
Session Initiation Protocol (SIP) is a very popular signaling protocol used to set up and tear down multimedia communication sessions for voice and video calls, video conferencing, streaming multimedia distribution, instant messaging, presence information, and online games over the Internet. It also enables IP telephony networks to use advanced call features such as SS7. SIP clients typically use TCP or UDP on port 5060 or 5061 for SIP traffic to servers and other endpoints. Port 5060 is commonly used for non-encrypted signaling traffic, whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
SMB 445
Server Message Block (SMB) is a legacy protocol used to provide shared access to files, folders, printers, and so on over a computer network. It has been superseded by more efficient and more secure protocols. SMB can also run directly over TCP, without a separate transport protocol, on port 445.
POP 110
Post Office Protocol (POP) provides a storage facility for incoming mail; the latest version is called POP3. POP3 is one of the protocols used to retrieve email from SMTP servers. Using POP3, clients connect to the server, authenticate, and then download their email, after which they can read it. Normally, the email is then deleted from the server, although some systems keep a copy for a period of time specified by an administrator. One drawback of POP3 is that authentication is generally performed in clear text, which means an attacker could sniff the POP3 password from the network as users enter it. POP uses port number 110.
IMAP 143
Internet Message Access Protocol (IMAP) version 4 is another protocol used to retrieve email from SMTP servers, but IMAPv4 offers some advantages over POP3. IMAPv4 provides a more flexible method of handling email, through port 143. Users can read email on the server and then decide whether they want to download it to the PC. Since the email can stay in the mailbox on the server, users can retrieve it from any computer they choose. Google Gmail is a good example of an IMAPv4-type service: users can access their Gmail account from any browser and then read, answer, and forward email without downloading the messages to the computer.
LDAP 389
The Lightweight Directory Access Protocol (LDAP) is an open-standard application protocol for accessing and maintaining distributed directory information services. A directory service plays an important role by allowing information about users, systems, networks, services, and so on to be shared throughout the network. LDAP provides a central place to store usernames and passwords, and applications and services connect to the LDAP server to validate users. LDAP functions by default on TCP and UDP port 389.
LDAPS 636
LDAPS (LDAP over SSL) is the non-standardized "LDAP over SSL" protocol, in contrast with StartTLS (LDAP with TLS). LDAPS functions by default on port 636.
H.323 1720
H.323 is a standard for video on an IP network that defines how real-time audio, video, and data information is transmitted. The standard provides a signaling, multimedia, and bandwidth control solution. H.323 uses the RTP standard for communication, and it is also used for multimedia communications on mobile phones and other portable devices. H.323 uses TCP port number 1720.
MGCP 2427
Media Gateway Control Protocol (MGCP) is a standard protocol for handling the signaling and session management needed during a multimedia conference, such as in Voice over IP (VoIP) telecommunication systems. The protocol defines a means of communication with a media gateway, which converts data from the format required by a circuit-switched network to the format required by a packet-switched network. MGCP can be used to set up, maintain, and terminate calls between multiple endpoints. The architecture of MGCP and its methodologies and programming interfaces are described in RFC 2805. Media gateways use UDP port number 2427, and call agents use 2727 by default.
NetBIOS
NetBIOS is a legacy protocol that was used by computers running Microsoft operating systems as a name-resolution tool. It has now been superseded by DNS. Newer operating systems still include an implementation of NetBIOS over TCP/IP in case a legacy application requires it. NetBIOS uses ports 137 through 139:

  • UDP port 137 (name services)
  • UDP port 138 (datagram services)
  • TCP port 139 (session services)

Types of Protocol
Several types of protocols are discussed below.
ICMP
Internet Control Message Protocol (ICMP) works at the Network layer of the OSI model and the Internet layer of the TCP/IP suite. ICMP provides error checking and reporting functionality. Of ICMP's many functions, the most commonly known is its ping utility, which is most often used for troubleshooting. In a typical ping scenario, an administrator uses a host's command line and the ping utility to send a stream of packets, called echo requests, to another host. When the destination host receives the packets, ICMP sends back a stream of packets referred to as echo replies. This confirms that the connection between the two hosts is configured properly and that TCP/IP is operational.
UDP
User Datagram Protocol (UDP) also operates at the Transport layer of the OSI model and uses IP as its transport protocol, but it is a connectionless protocol, which means it does not guarantee the delivery of packets, because UDP does not establish a session. UDP is nevertheless widely used because of its advantage over TCP: low overhead in bandwidth and processing effort. Whereas a TCP header has 11 fields of information that have to be processed, a UDP header has only 4 fields. Applications that can handle their own acknowledgments and that do not require the additional features of TCP might use UDP to take advantage of the lower overhead. Services such as the Domain Name System (DNS) also take advantage of the lower overhead provided by UDP.

Figure 1-01: UDP Segment Format
TCP
Transmission Control Protocol (TCP) is a connection-oriented protocol that works at the Transport layer of the OSI model. It uses IP as its transport protocol and assists IP by providing a guaranteed delivery mechanism. TCP requires a session to be established between two computers before they communicate. Additionally, TCP includes features such as flow control, sequencing, and error detection and correction. TCP establishes the session by a process referred to as a three-way handshake.
The TCP three-way handshake works as follows:

  1. TCP sends a short message called a SYN to the target host
  2. The target host opens a connection for the request and sends back an acknowledgment message called a SYN ACK
  3. The host that originated the request sends back another acknowledgment, called an ACK, confirming that it has received the SYN ACK message and that the session is ready to be used to transfer data

A similar process is used to close the session when the data exchange is complete. If a packet is not acknowledged within the timeout period, TCP resends it automatically. The only disadvantage of a connection-oriented protocol is that the large overhead associated with the acknowledgments tends to slow it down.

Figure 1-02: TCP Segment Format
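
The handshake above carried out on actual TCP header bytes, as an added example that is not part of the original text: it packs and parses the fixed 20-byte TCP header of Figure 1-02 and checks that three captured segments really form SYN, SYN-ACK, ACK with consistent sequence and acknowledgment numbers and reversed ports. The sample segments, port numbers and helper names are this example's own assumptions.

```python
import struct

# TCP flag bits, from the low end of the header's flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header (no options; checksum left at 0)."""
    data_offset = 5                      # header length in 32-bit words
    offset_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp_header(segment):
    """Unpack the fixed header fields shown in Figure 1-02 into a dict."""
    (src, dst, seq, ack, offset_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": (offset_flags >> 12) * 4,   # in bytes
            "flags": offset_flags & 0x1FF,
            "window": window, "checksum": checksum, "urgent": urgent}

def flag_names(flags):
    """Human-readable flag list, e.g. 0x12 -> 'SYN+ACK'."""
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"),
                              (RST, "RST"), (PSH, "PSH"), (URG, "URG"))
             if flags & bit]
    return "+".join(names) or "none"

def check_handshake(segments):
    """Validate the three-way handshake described in the text.
    Returns (ok, reason) so a caller can log why an exchange was rejected."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    s1, s2, s3 = (parse_tcp_header(s) for s in segments)
    # Step 1: the client sends a bare SYN carrying its initial sequence number.
    if s1["flags"] != SYN:
        return False, "first segment is not a bare SYN"
    # Step 2: the server answers SYN+ACK, acknowledging client ISN + 1,
    # with the port pair reversed.
    if s2["flags"] != SYN | ACK:
        return False, "second segment is not SYN+ACK"
    if s2["ack"] != s1["seq"] + 1:
        return False, "SYN-ACK does not acknowledge the client ISN + 1"
    if (s2["src_port"], s2["dst_port"]) != (s1["dst_port"], s1["src_port"]):
        return False, "SYN-ACK ports are not the reverse of the SYN"
    # Step 3: the client ACKs server ISN + 1 from its own ISN + 1; no SYN now.
    if not (s3["flags"] & ACK) or (s3["flags"] & SYN):
        return False, "third segment is not an ACK"
    if s3["seq"] != s1["seq"] + 1 or s3["ack"] != s2["seq"] + 1:
        return False, "final ACK sequence/acknowledgment numbers do not match"
    return True, "handshake complete"

# Constructed sample: a client on port 40000 opening a connection to HTTP (80).
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_tcp_header(40000, 80, CLIENT_ISN, 0, SYN),
    build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]
# Constructed failure case: the SYN-ACK acknowledges the wrong number.
BAD_HANDSHAKE = [
    HANDSHAKE[0],
    build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 7, SYN | ACK),
    HANDSHAKE[2],
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h['src_port']} -> {h['dst_port']} {flag_names(h['flags'])} "
              f"seq={h['seq']} ack={h['ack']}")
    print(check_handshake(HANDSHAKE))
    print(check_handshake(BAD_HANDSHAKE))
```
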
IP
Internet Protocol (IP) is a Layer 3 protocol whose packets carry address information as well as control information; this control information helps the packet to be routed. IP is documented in RFC 791. This protocol is called on by host-to-host protocols in an internet environment. As the primary Network layer protocol in the Internet protocol suite, IP has two primary responsibilities:

  1. Addressing
  2. Fragmentation

The Internet Protocol uses four key mechanisms in providing its service:

  1. Type of Service: Indicates the quality of service desired.
  2. Time to Live: An indication of an upper bound on the lifetime of an internet datagram.
  3. Options: The options include provisions for timestamps, security, and special routing.
  4. Header Checksum: Provides verification that the information used in processing an internet datagram has been transmitted correctly.

Connectionless Vs Connection Oriented
The following table shows the differences between connectionless and connection-oriented protocols with respect to connection, reliability and usage:

| Property            | Connection-Oriented                          | Connectionless                          |
|---------------------|----------------------------------------------|-----------------------------------------|
| Connection          | Prior connection establishment required      | No prior connection establishment       |
| Resource Allocation | Prior resource allocation                    | No prior resource allocation            |
| Reliability         | Reliable data transfer                       | Best-effort delivery                    |
| Congestion          | No congestion                                | Congestion may occur                    |
| Transfer Mode       | Circuit switching or virtual circuits        | Packet switching                        |
| Retransmission      | Retransmission of data lost in communication | No retransmission of lost bits          |
| Suitability         |                                              |                                         |
| Signaling           | Signaling for connection establishment       | No signaling concept                    |
| Packet Travel       | Sequential packet receipt at destination     | Random packet receipt at destination    |
| Delay               | Delay due to connection establishment        | No connection-establishment delay       |
| Application         | TCP, ATM, Frame Relay, MPLS                  | IP, UDP, ICMP, DNS etc.                 |

Table 1-01: Difference of Connectionless and Connection-Oriented Protocols

Exam Tip
Be able to describe protocols and ports for the exam objective. Know the different types of protocols, such as ICMP, UDP, TCP and IP.

Mind Map of Ports and Protocols

Figure 1-03: Mind Map of Purposes and Uses of Ports and Protocols
Devices, Applications, Protocols and Services at their Appropriate OSI Layers
The Open Systems Interconnection (OSI) model was developed by the International Organization for Standardization (ISO) in the 1980s. The purpose of the model was to allow developers to focus only on the layers that applied to them and only on the protocols at those layers. OSI provides a means of relating components and their functions to each other, and a way of standardizing components and protocols.
The seven layers and their function in the OSI model are as follows:
Layer 1 – Physical
The Physical layer (Layer-1) controls the signaling and transfer of raw bits onto the physical medium. The Physical layer is closely related to the Data-Link layer, as many technologies, such as Ethernet, contain both data-link and physical functions. The Physical layer provides specifications for a variety of hardware:

  • Cabling
  • Connectors and Transceivers
  • Network Interface Cards (NICs)
  • Hubs

Layer 2 – Data Link
The Data-Link layer (Layer-2) is responsible for transporting data within a network. The Data-Link layer consists of two sublayers:
Logical Link Control (LLC) Sublayer: The LLC sublayer serves as the intermediary between the physical link and all higher-layer protocols. It ensures that protocols like IP can function regardless of what type of physical technology is being used. Additionally, the LLC sublayer can perform flow control and error checking.
Media Access Control (MAC) Sublayer: The MAC sublayer controls access to the physical medium, serving as a mediator when multiple devices compete for the same physical link. Data-Link layer technologies have various methods of arbitrating this access: Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD), and Token Ring uses a token.
The Data-Link layer packages the higher-layer data into frames so that the data can be put onto the physical medium. This packaging process is referred to as framing or encapsulation. The encapsulation type varies depending on the underlying technology.
Common Data-Link layer technologies include the following:

  • Ethernet – the most common LAN data-link technology
  • Token Ring – almost entirely deprecated
  • FDDI (Fiber Distributed Data Interface)
  • 802.11 Wireless
  • Frame-Relay
  • ATM (Asynchronous Transfer Mode)

Layer 3 – Network
The Network layer (Layer-3) controls internetwork communication and has two key responsibilities:
Logical Addressing: Provides a unique address that identifies both the host, and the network that host exists on.
Routing: Determines the best path to a particular destination network and then routes data accordingly.
Two of the most common Network layer protocols are:

  • Internet Protocol (IP)
  • Novell’s Internetwork Packet Exchange (IPX)

Layer 4 – Transport
The Transport layer (Layer-4) is responsible for the reliable transfer of data, by ensuring that data arrives at its destination, error-free, and in order.
Transport layer communication falls into two categories:
Connection-Oriented: Requires a connection to be established, with mutually agreed parameters, before data is sent.
Connectionless: Requires no connection before data is sent.
Connection-oriented protocols provide several important services:

  • Segmentation and Sequencing – Data is segmented into smaller parts for transport. Each segment is assigned a sequence number so that the receiving device can reassemble the data on arrival
  • Connection Establishment – Connections are established, maintained, and ultimately terminated between devices
  • Acknowledgments – Receipt of data is confirmed through the use of acknowledgments. Otherwise, data is retransmitted
  • Flow Control (or windowing) – The data transfer rate is negotiated, to prevent congestion

The TCP/IP protocol suite incorporates two Transport layer protocols:

  • Transmission Control Protocol (TCP) – connection-oriented
  • User Datagram Protocol (UDP) – connectionless

Layer 5 – Session
The Session layer (Layer-5) is responsible for establishing, maintaining, and ultimately terminating sessions between devices. If a session is broken, this layer can attempt to recover the session.
Session communication falls under one of three categories:

  • Full-Duplex – simultaneous two-way communication
  • Half-Duplex – two-way communication, but not simultaneous
  • Simplex – one-way communication

Many modern protocol suites, such as TCP/IP, do not implement Session layer protocols. Lower layers, such as the Transport layer, often control connection management.
Layer 6 – Presentation
The Presentation layer (Layer-6) controls the formatting and syntax of user data for the Application layer. This ensures that data from the sending application can be understood by the receiving application.
Standards have been developed for the formatting of data types, such as text, images, audio, and video.
Examples of Presentation-layer formats include:

  • Text – RTF, ASCII, EBCDIC
  • Images – GIF, JPG, TIF
  • Audio – MIDI, MP3, WAV
  • Movies – MPEG, AVI, MOV

If two devices do not support the same format or syntax, the Presentation layer can provide conversion or translation services to assist communication.
Moreover, the Presentation layer can perform encryption and compression of data, as required.

Layer 7 – Application
The Application layer (Layer-7) provides the interface between the user application and the network. A web browser and an email client are examples of user applications. The user application itself does not reside at the Application layer, but its protocol does; the user interacts with the network through the application layer protocol.
Examples of Application layer protocols include:

  • FTP by an FTP client
  • HTTP by a web browser
  • POP3 and SMTP by an email client
  • Telnet

The Application layer provides a variety of functions:

  • Identifies communication partners
  • Determines resource availability
  • Synchronizes communication

Exam Tip
The CompTIA Network+ exam expects you to know the layers by name, how they function in relation to each other, and what they represent.

Mind Map of OSI Layers

Figure 1-04: Mind Map of OSI Layers Protocols and Services
The Concepts and Characteristics of Routing and Switching
Routing allows users to interconnect individual LANs into WANs. Routers, the magic boxes that act as the interconnection points, have the built-in intelligence to inspect incoming packets and forward them toward their eventual LAN destination.
Properties of Network Traffic
Network traffic can be identified by certain properties. For example, what happens before sending the message and who hears the message. Let’s explore these concepts in greater detail.
Multicast vs. Unicast vs. Broadcast
Three major types of addressing schemes are used on IPv4 networks. These are unicast, multicast, and broadcast. Unicast addressing has one source address and one destination address. Multicast addressing can be much more complex than unicast. With multicast addressing, there is still only one source address, but there can be multiple destination addresses.
Every IPv4 network or subnet has a broadcast address, which is the last numerical address before the next network. In the binary form of a broadcast address, you will notice that all the host bits are 1s. For example, the broadcast address of the network 192.168.1.0/27 is 192.168.1.31.
Broadcast Domains vs. Collision Domains
Collision domains occur where network devices share the same transmission medium, so that their packets can collide. Collisions increase as the number of devices in a collision domain increases.
A broadcast domain is the part of the network in which computers can receive frame-level broadcasts from their neighbors. Adding devices to a network segment increases the broadcast traffic on that segment.

| Device           | Collision Domain                                                                                                | Broadcast Domain                                                                                                                                                                         |
|------------------|-----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Hub              | All devices connected to the hub are in the same collision domain                                               | All devices are in the same broadcast domain                                                                                                                                             |
| Bridge or Switch | All devices connected to a single port are in the same collision domain; each port is its own collision domain  | All devices connected to the bridge or the switch are in the same broadcast domain                                                                                                       |
| Router           | All devices connected to a single interface are in the same collision domain                                    | All devices accessible through an interface (network) are in the same broadcast domain. Each interface is its own broadcast domain if the router is configured not to forward broadcast packets |

Table 1-02: Broadcast Vs. Collision Domain

Figure 1-05: Broadcast Domain Vs. Collision Domain
CSMA/CD
In the past, networks contained devices called hubs. These hubs created a shared network, which meant that each computer connected to the network had equal access to the same electrical paths as the others. Since the paths were baseband and therefore could carry only one communication at a time, the computers had to take turns accessing the wire. A protocol called Carrier Sense Multiple Access with Collision Detection (CSMA/CD) was developed to sense the wire, determining whether the current is fluctuating and therefore whether some other computer is using it. If another computer has the wire, the first computer must wait until the wire is not in use before it can send its data. When a collision is detected by the protocol, each computer is given a separate time to try again, based on a back-off algorithm defined by the protocol. In this way, the computers are kept from creating subsequent collisions.
CSMA/CA
Wireless communication between computers and devices uses Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) instead of Collision Detection.
The main purpose of this protocol is to ensure that the data to be transmitted can be transmitted and received successfully between the two devices. It does this by first listening, and then using additional frames to negotiate network access.
Encapsulation/De-encapsulation
As data is passed from the host device to the destination device following the OSI model, each layer adds, before transmission, a header (or sometimes a trailer) containing protocol information specific to that layer. These headers are called Protocol Data Units (PDUs), and the process of adding them is called encapsulation.
When the receiving device takes the data off the wire and reads and interprets the header information, the process is referred to as de-encapsulation.

Figure 1-06: Encapsulation/De-encapsulation
During encapsulation on the sending host:

  • Data from the user application is handed off to the Transport layer
  • The Transport layer adds a header containing protocol-specific information, and then hands over the segment to the Network layer
  • The Network layer adds a header containing source and destination logical addressing, and then hands over the packet to the Data-Link layer
  • The Data-Link layer adds a header, containing source, destination physical addressing and other hardware-specific information
  • The Data-Link frame is then handed over to the Physical layer to be transmitted on the network medium as bits

During de-encapsulation on the receiving host, the reverse process occurs:

  • The frame is received from the physical medium
  • The Data-Link layer processes its header, strips it off, and then hands it off to the Network layer
  • The Network layer processes its header, strips it off, and then hands it off to the Transport layer
  • The Transport layer processes its header, strips it off, and then hands the data to the user application
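The two lists above can be followed step by step in code. The example below is added here (it is not part of the original text) and builds a UDP/IPv4/Ethernet frame header by header, then de-encapsulates it while checking each header before trusting it; the MAC and IP addresses, ports and payload are constructed sample values.

```python
import socket
import struct

# Constructed sample values for the demonstration (not taken from the page).
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "10.10.1.2", "10.10.3.2"
SRC_PORT, DST_PORT = 40000, 53
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words, as the IPv4 header checksum requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload):
    """Walk the data down the stack, adding one header per layer."""
    # Transport layer: 8-byte UDP header -> segment (UDP checksum 0 = not used, legal over IPv4)
    segment = struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(payload), 0) + payload
    # Network layer: 20-byte IPv4 header carrying the logical (IP) addresses -> packet
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                # version 4, IHL 5 words
                         0,                   # DSCP/ECN
                         20 + len(segment),   # total length
                         1, 0,                # identification, flags/fragment offset
                         64, IPPROTO_UDP,     # TTL, protocol
                         0,                   # checksum placeholder, filled in below
                         socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Data-Link layer: 14-byte Ethernet II header carrying the physical (MAC) addresses -> frame
    return (mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC)
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def deencapsulate(frame):
    """Walk the frame back up the stack, validating and stripping one header per layer."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("truncated frame")
    dst_mac, src_mac = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    packet = frame[14:]                       # Data-Link header stripped
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:            # a correct header (checksum included) sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    if header[9] != IPPROTO_UDP or total_len > len(packet):
        raise ValueError("unsupported protocol or length exceeds frame")
    segment = packet[ihl:total_len]           # Network header stripped; Ethernet padding dropped
    sport, dport, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len < 8 or udp_len > len(segment):
        raise ValueError("bad UDP length")
    return {
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": socket.inet_ntoa(header[12:16]), "dst_ip": socket.inet_ntoa(header[16:20]),
        "ttl": header[8], "src_port": sport, "dst_port": dport,
        "payload": segment[8:udp_len],        # Transport header stripped: data for the application
    }


def is_valid_frame(frame):
    """True if every layer's header passes the checks above."""
    try:
        deencapsulate(frame)
        return True
    except ValueError:
        return False
```

Flipping a single header bit (for instance the TTL) makes the checksum fail and the frame is rejected before any inner header is parsed.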

Unicast/Broadcast/Multicast
The Layer 2 and Layer 3 (if applicable) addresses will always be of the same type: unicast, broadcast, or multicast.
Unicast messages are sent from one source to exactly one destination. A broadcast is sent to every system in the broadcast domain. A common example of a broadcast is an ARP request, which is used to find a MAC address given that device’s IP address.
Multicasts are sent from routers to networks that have at least one interested client. Multicasts are used for things like streaming, gaming, and video conferencing.
Modulation Techniques
In networks, modulation is the process of varying one or more properties of a waveform, called the carrier signal, with a transmitted signal that typically contains information.
Modulation of a waveform transforms a baseband message signal into a passband signal. In modern networks, modulation takes a digital or analog signal and puts it onto another signal that can be physically transmitted.
The purpose of digital modulation is to transfer a digital bit stream over an analog bandpass channel. The purpose of analog modulation is to transfer an analog baseband (or lowpass) signal over an analog bandpass channel at a different frequency.
The digital baseband modulation methods found in our Ethernet networks, also known as line coding, are used to transfer a digital bit stream over a baseband channel. Baseband means that the signal being modulated uses the complete available bandwidth.
Multiplexing
Multiplexing is the process in which multiple data streams coming from different sources are combined and transmitted over a single data channel.
In networking, the two basic forms of multiplexing are Time Division Multiplexing (TDM) and Frequency Division Multiplexing (FDM).
In Time Division Multiplexing, transmission time on a single channel is divided into non-overlapping time slots. Data streams from different sources are divided into parts of the same size and interleaved successively into the time slots.
In Frequency Division Multiplexing, data streams are carried simultaneously on the same transmission medium by allocating to each of them a different frequency band within the bandwidth of the single channel.
De-Multiplexing
De-multiplexing is the reverse process of multiplexing, performed at the receiving end. The multiplexed signal is separated by a device called a de-multiplexer (DEMUX).
Maximum Transmission Unit (MTU)
MTU is considered a legacy metric that is used to signify the largest packet that could be sent across the entire route. EIGRP carries the MTU, but it is not used in the calculation of the best route; EIGRP uses bandwidth and delay to make its decisions.
Segmentation and Interface Properties
Layer 2 switches enable many creative setups for classifying, separating, and dealing with network traffic. VLANs break up broadcast domains, and STP prevents switching loops. MAC address tables are used to cache address-to-port pairs. These concepts, as well as others, are discussed in the following sections.
Virtual Local Area Network (VLAN)
Switches and routers have physical interfaces, commonly known as a physical port; these ports can be configured in a variety of ways, depending upon the topology, design, type of encapsulation, duplex, and speed of the link. On switches, the additional configuration is VLAN port assignment.

  • Native VLAN: When enabling IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for sending packets into the service-provider network. However, packets pass through the core of the service-provider network and can be carried through IEEE 802.1Q trunks, ISL trunks, or non-trunking links. When IEEE 802.1Q trunks are used in these core switches, the native VLANs of the IEEE 802.1Q trunks must not match any native VLAN of the non-trunking (tunneling) port on the same switch, because traffic on the native VLAN would not be tagged on the IEEE 802.1Q sending trunk port.
  • VTP: VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the databases of VLANs within a VTP domain. A VTP domain is made up of one or more network devices that share the same VTP domain name and that are interconnected with trunks. VTP can make configuration changes centrally on one or more network devices and have those changes automatically propagated to all the other network devices in the network.

VLAN Interface Configuration
A VLAN is a subnet created using a switch instead of a router. For this reason, VLANs have many advantages over subnets created by routers. One of the main advantages of VLANs is that the logical network design does not have to follow the physical network topology. It gives administrators much more flexibility in network design and in the subsequent changes of that design. All the administrator has to do is configure the interface with the right VLAN and connect the appropriate cables.
Trunking 802.1Q
VLAN Trunking (802.1Q) allows physical network interfaces in a computing environment to be shared. As data centers become more complex and the number of interconnected services increase, it is expensive to provide dedicated cabling and network switch ports to allow all the required connections. VLAN trunking allows multiple virtual network connections to be maintained on a small number of physical adapters.
Tagging and Untagging Ports
Tagging means that the port will send out a frame with a header carrying a tag number that matches its VLAN tag number. The trunk tagging protocols are 802.1Q, ISL, and DTP.
An untagged VLAN means that the frame is not tagged while traveling from one switch to another, e.g., VLAN 1, the native VLAN, or the management VLAN. The frame does not indicate which VLAN it belongs to. An untagged VLAN is a port-based VLAN.
Port Mirroring
Port mirroring, also known as Switch Port Analyzer (SPAN) and Remote Switch Port Analyzer (RSPAN), allows you to sniff traffic on a network when using a switch.
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are on the same switch. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis.
Remote SPAN supports source ports, source VLANs, and destination ports on different switches. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches.
Switching Loops / Spanning Tree
Users can create redundant connections in a network because they can connect switches together in any fashion. Without proper controls in place, certain redundant connections would cause switching loops.
Spanning Tree (802.1d)/Rapid Spanning Tree (802.1w)
Spanning tree is used to ensure that only one active path exists between two nodes on the network at one time. If a network has more than one active path, you can block all the redundant paths by enabling spanning tree. STP prevents network switching loops. STP has two main types: the original spanning tree (802.1d) and the improved rapid spanning tree (802.1w). The leading advantage of 802.1w is much faster convergence on link failure. It is accomplished by the protocol automatically determining the designated ports that will be used, as well as the backups and alternates that might be used in case of a link failure.
Flooding
When a switch does not know where to send traffic because it does not have the destination address in its table, it forwards the data out all the connected ports except the one on which the frame arrived. This process is called flooding.
Forwarding/Blocking
When a switch has learned the destination of the data, it forwards it. Alternatively, if users do not allow traffic from unknown ports, then it is blocked.
Filtering
If a switch should allow traffic only from specific ports, then you must configure the switch accordingly. This process is called filtering traffic.
Power over Ethernet (PoE) / PoE+ (802.3af, 802.3at)
Power over Ethernet (PoE, 802.3af) and PoE+ (802.3at) describe a system for transmitting electrical power along with data to remote devices over twisted-pair cable in an Ethernet network. Many switches, IP telephones, embedded computers, wireless access points, and cameras can use this technology for convenient installation. The main difference between PoE and PoE+ is an increase in wattage: PoE (802.3af) provides 15.4W, whereas PoE+ (802.3at) provides 25.5W from the same source.
Demilitarized Zone (DMZ)
Generally, three zones are associated with firewalls: Internal, External, and Demilitarized (DMZ). The internal zone is the zone inside all firewalls, and it is considered to be the protected area where the most critical servers, such as domain controllers that hold sensitive information, are placed. The external zone is the area outside the firewall, such as the internet, that the inside network is protected against. The DMZ is used where the network has more than one firewall: it is a zone between two firewalls. It can also be created using a device that has at least three network connections, sometimes referred to as a three-pronged firewall. Servers that are used by hosts on both the internal network and the external network, which may include web, VPN, and FTP servers, are placed in the DMZ.

Figure 1-07: DMZ using One Firewall
MAC Address Table
The MAC address is a 48-bit binary address that is represented in hexadecimal format. The figure below illustrates the structure of a MAC address, in which the first 2 bits on the left indicate whether the address is a broadcast (group) address and whether it is locally or universally administered. The next 22 bits are assigned to vendors that manufacture network devices, such as routers and NICs; this is the Organizationally Unique Identifier (OUI). The remaining 24 bits are uniquely assigned under that OUI.

Figure 1-08: The Structure of a MAC Address
MAC Learning and Aging
Learning the MAC addresses of devices is a fundamental responsibility of switches. The switch transparently observes incoming frames. It records the source MAC address of each frame in its MAC address table, along with the port on which that source MAC address was seen. Based on this information, it can make intelligent frame forwarding (switching) decisions. Notice that a network machine could be turned off or moved at any point. As a result, the switch must also age MAC addresses and remove them from the table after they have not been seen for some duration.
Frame Switching
Along with building a MAC address table (learning MAC address to port mappings), the switch also forwards (switches) frames intelligently from port to port. Think of this as the opposite of how a Layer 1 hub works. A hub takes in a frame and always forwards it out all other ports. In a hub-based network, every port is part of the same collision domain. The switch is too smart for that. If its MAC address table is fully populated for all ports, then it "filters" the frame from being forwarded out ports unnecessarily. It forwards the frame to the correct port based on the destination MAC address.
Frame Flooding
What happens when a frame has a destination address that is not in the MAC address table? The frame is flooded out all ports (other than the port on which the frame was received). This also happens when the destination MAC address in the frame is the broadcast address.
Obviously, the MAC address table is a critical component in the modern switch and acts as the brain of switch operation. It contains the MAC address to port mappings so the switch can work its network magic.
Example 2-1 shows how easy it is to examine the MAC address table of a Cisco switch.

Example 2-1: Examining a Real MAC Address Table

Figure 1-09: MAC Address Table
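The learning, aging, filtering and flooding behaviour described in the last three sections, together with the MAC address bit layout from Figure 1-08, can be modelled in a few dozen lines. The following is an added example, not code from the original text: a simulated switch with a MAC address table, a constructed three-host scenario, and a small event log for the two conditions a switch operator would want to see (a group address used as a source, and a MAC address moving between ports).

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_info(mac):
    """Decode the fields of a MAC address that the text describes."""
    first_octet = int(mac.split(":")[0], 16)
    return {
        "group": bool(first_octet & 0x01),   # I/G bit: 1 = broadcast/multicast, 0 = unicast
        "local": bool(first_octet & 0x02),   # U/L bit: 1 = locally administered, 0 = vendor OUI
        "oui": mac.lower()[:8],              # first 24 bits: Organizationally Unique Identifier
    }


class Switch:
    """A Layer 2 switch: learns source MACs per port, ages them out, forwards or floods."""

    def __init__(self, ports, aging_secs=300):
        self.ports = list(ports)
        self.aging_secs = aging_secs
        self.table = {}      # mac -> (port, last_seen)
        self.events = []     # anomalies an operator would want logged

    def _age_out(self, now):
        for mac, (port, last_seen) in list(self.table.items()):
            if now - last_seen > self.aging_secs:
                del self.table[mac]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Return the list of ports the frame is sent out of."""
        self._age_out(now)
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        if mac_info(src_mac)["group"]:
            # A group address can never be a legitimate source; don't let it into the table.
            self.events.append(f"invalid-source {src_mac} on {in_port}")
        else:
            known = self.table.get(src_mac)
            if known and known[0] != in_port:
                # A MAC moving between ports is normal when a host is re-cabled, but it is
                # also what a duplicate or spoofed address looks like, so it is worth logging.
                self.events.append(f"mac-move {src_mac} {known[0]}->{in_port}")
            self.table[src_mac] = (in_port, now)          # learning
        others = [p for p in self.ports if p != in_port]
        if mac_info(dst_mac)["group"]:
            return others                                  # broadcast/multicast: flood
        entry = self.table.get(dst_mac)
        if entry is None:
            return others                                  # unknown unicast: flood
        if entry[0] == in_port:
            return []                                      # filter: both hosts on the same segment
        return [entry[0]]                                  # forward to the learned port


def simulate():
    """Constructed scenario: hosts A and B on e1/e2, later C on e3; returns each decision."""
    sw = Switch(["e1", "e2", "e3"])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    return [
        sw.receive("e1", a, b, now=0),          # B unknown -> flood e2, e3
        sw.receive("e2", b, a, now=1),          # A learned on e1 -> forward to e1 only
        sw.receive("e1", a, b, now=2),          # both known -> forward to e2
        sw.receive("e1", a, BROADCAST, now=3),  # broadcast -> flood
        sw.receive("e3", c, a, now=400),        # A and B aged out (>300 s) -> flood again
        sorted(sw.table),                       # only C remains in the table
    ]
```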
Address Resolution Protocol (ARP) Table
An Autonomous System (AS) is a group of networks under a single administrative control. When Border Gateway Protocol (BGP) was being developed and standardized, a 16-bit binary number was used as the Autonomous System Number (ASN) to identify Autonomous Systems. A 16-bit Autonomous System Number (ASN) is also known as a 2-Octet Autonomous System Number (ASN). A 16-bit binary number can represent 2^16 values, which is equal to 65536 in decimal. The Autonomous System Number (ASN) value 0 is reserved, and the largest ASN value (65,535) is also reserved. The values from 1 to 64,511 are available for use in Internet routing, and the values 64,512 to 65,534 are reserved for private use.
BGP, also known as Border Gateway Routing Protocol, is a dynamic routing protocol that is mostly used on the global Internet. Typically, the connections between ISPs run BGP. Because of its complex path selection method, it allows more flexibility in configuring best path selection. IBGP and EBGP are interior and exterior BGP, used within an autonomous system and between different autonomous systems respectively. BGP uses TCP port number 179 to send its routing information. A key difference of BGP is that it does not need neighbors to be connected to the same subnet. An ASN (Autonomous System Number) is a unique number that distinguishes one Autonomous System from the others; ASNs are provided by IANA or ICANN.

Figure 1-10: Autonomous System
BGP is a very robust and scalable routing protocol, as evidenced by the fact that BGP is the routing protocol employed on the internet. Internet BGP routing tables have more than 600,000 routes. To achieve scalability at this level, BGP uses many route parameters, called attributes, to define routing policies and maintain a stable routing environment.
Routing
Routes in routing tables come from two sources: either they are manually entered or the router detects them dynamically.
IPv4 and IPv6 Routing Protocols
There are basically three types of routing protocols, which are as follows:

  1. Distance Vector Routing Protocol
  2. Link State Routing Protocol
  3. Path Vector Routing Protocol


Figure 1-11: Types of Routing Protocol
Distant-Vector Routing Protocol
Distance Vector is one of the two types of Interior Gateway Routing Protocol. It uses the Bellman-Ford, Ford-Fulkerson, or (Cisco only) DUAL FSM algorithm for the calculation of its paths. In Distance Vector, the router informs its neighbors about topology changes periodically. There are two main parameters in a Distance Vector routing protocol:

  • Distance (Cost to the destination)
  • Direction (Next Hop and the exit interface)

RIP and EIGRP are the two best-known Distance Vector protocols. The others are DSDV and Babel. RIP uses hop count, while EIGRP uses delay and bandwidth as the cost to reach the destination. RIP uses UDP as its transport protocol with port number 520. It uses poison reverse and split horizon to prevent routing loops. EIGRP, DSDV, and Babel are the loop-free Distance Vector routing protocols. EIGRP runs over IP using protocol number 88 (it does not use TCP or UDP).
Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is a standardized Distance Vector protocol, designed for use on smaller networks. RIP was the first true Distance Vector routing protocol. It has two versions: RIPv1 and RIPv2. RIPv1 is a classful protocol and does not support Variable Length Subnet Masks (VLSMs). RIPv2 is a classless protocol and includes the subnet mask with its routing table updates. RIPv2 supports VLSMs but is still based on the hop count metric; because of this limitation, RIPv2 cannot be used effectively in today's networks.
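Why RIP needs poison reverse (and why its hop count stops at 16) is easiest to see by running the distance-vector exchange. The following is an added example, not code from the original text: a Bellman-Ford router model on a constructed four-router chain A-B-C-D, converged once, then with the C-D link cut, so the number of update rounds until A learns that D is unreachable can be compared with and without poison reverse.

```python
INFINITY = 16   # RIP's hop-count limit: a metric of 16 means "unreachable"


class DVRouter:
    """A distance-vector router: keeps (metric, next hop) per destination and relaxes
    routes with the Bellman-Ford rule as each neighbor's vector arrives."""

    def __init__(self, name, links, poison_reverse=True):
        self.name = name
        self.links = dict(links)                 # neighbor -> link cost (1 hop)
        self.poison_reverse = poison_reverse
        self.table = {name: (0, None)}           # destination -> (metric, next hop)
        for neighbor, cost in links.items():
            self.table[neighbor] = (cost, neighbor)

    def advertisement_for(self, neighbor):
        """The vector sent to one neighbor. With split horizon / poison reverse, a route
        that was learned through that neighbor is advertised back to it as unreachable."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            adv[dest] = INFINITY if (self.poison_reverse and next_hop == neighbor) else metric
        return adv

    def process(self, from_neighbor, adv):
        """Bellman-Ford relaxation of one received vector; returns True if anything changed."""
        cost = self.links.get(from_neighbor)
        if cost is None:
            return False                         # update from a neighbor we no longer have: ignore
        changed = False
        for dest, metric in adv.items():
            new_metric = min(metric + cost, INFINITY)
            cur_metric, cur_next_hop = self.table.get(dest, (INFINITY, None))
            # The current next hop's latest metric is always accepted (even when worse);
            # from anyone else only a strictly better route is accepted.
            if (cur_next_hop == from_neighbor and new_metric != cur_metric) or new_metric < cur_metric:
                self.table[dest] = (new_metric, from_neighbor)
                changed = True
        return changed

    def link_down(self, neighbor):
        """Lose a link: every route that went through it becomes unreachable."""
        self.links.pop(neighbor, None)
        for dest, (metric, next_hop) in list(self.table.items()):
            if next_hop == neighbor:
                self.table[dest] = (INFINITY, None)


def converge(routers, max_rounds=50):
    """Exchange vectors round by round until no table changes; returns the rounds used."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for router in routers.values():
            for neighbor in list(router.links):
                if routers[neighbor].process(router.name, router.advertisement_for(neighbor)):
                    changed = True
        if not changed:
            return rnd
    raise RuntimeError("did not converge")


def chain_scenario(poison_reverse):
    """Constructed topology A-B-C-D, all links cost 1. Converge, cut C-D, and report
    A's route to D before the cut, its metric after, and the rounds needed to settle."""
    links = {"A": {"B": 1}, "B": {"A": 1, "C": 1}, "C": {"B": 1, "D": 1}, "D": {"C": 1}}
    routers = {name: DVRouter(name, nbrs, poison_reverse) for name, nbrs in links.items()}
    converge(routers)
    route_before = routers["A"].table["D"]
    routers["C"].link_down("D")
    routers["D"].link_down("C")
    rounds = converge(routers)
    return route_before, routers["A"].table["D"][0], rounds
```

Without poison reverse, B and C keep advertising the dead route to each other and count up by one hop per exchange until they hit 16; with it, the withdrawal reaches A in a couple of rounds.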
Enhanced Interior Gateway Routing Protocol (EIGRP)
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary protocol. EIGRP uses a more sophisticated metric than RIPv1 and RIPv2. This metric depends upon the bandwidth and delay of a connection. The only drawback of EIGRP is that it operates only on Cisco routers and Cisco Layer 3 switches.
Link-State Routing Protocol
Link State routing protocols, including OSPF (Open Shortest Path First) and IS-IS (Intermediate System to Intermediate System), are the second main type of Interior Gateway Routing Protocol. In a link state routing protocol, each node prepares a table or map of connectivity showing which node is connected to which. Each node independently calculates the best logical path to every destination. This collection of best paths forms the routing table. Link State routing uses the Dijkstra algorithm for calculating its shortest paths. OSPF does not use TCP or UDP as a transport protocol; it is encapsulated in IP with protocol number 89, whereas IS-IS is an OSI Layer 2 protocol.
A comparison of Distance Vector and Link State routing protocols is given below:

Distance Vector:

  • Distance vector means that routes are advertised by providing two characteristics:
  • Distance: identifies how far it is to the destination network and is based on a metric such as hop count, cost, bandwidth, delay, and more
  • Vector: specifies the direction of the next-hop router or exit interface to reach the destination
  • A router using a Distance Vector routing protocol does not know the entire path to a destination network
  • Distance Vector protocols use routers as signposts along the path to the final destination
  • The only information a router knows about a remote network is the distance or metric to reach that network and which path or interface to use to get there
  • Distance Vector routing protocols do not have an actual map of the network topology
  • RIP is a Distance Vector routing protocol and periodically sends out the entire routing table to directly connected neighbors

Link State:

  • In link-state protocols, also called Shortest-Path-First (SPF) protocols, the routers each create three separate tables. One of these tables keeps track of directly attached neighbors, one determines the topology of the entire internetwork, and one is used as the routing table
  • A router configured with a link-state routing protocol can create a complete view or topology of the network by gathering information from all of the other routers
  • Link-state routing tables are not exchanged periodically. Instead, triggered updates, containing only specific link-state information, are sent
  • Periodic keepalives that are small and efficient, in the form of hello messages, are exchanged between directly connected neighbors to establish and maintain neighbor relationships

Table 1-03: Difference between Distance Vector & Link State

Basis for Comparison              Distance Vector                     Link-State
                                  RIPv1   RIPv2   IGRP    EIGRP       OSPF     IS-IS
Speed of Convergence              Slow    Slow    Slow    Fast        Fast     Fast
Scalability                       Small   Small   Small   Large       Large    Large
VLSM                              No      Yes     No      Yes         Yes      Yes
Resource Usage                    Low     Low     Low     Medium      High     High
Implementation and Maintenance    Simple  Simple  Simple  Complex     Complex  Complex

Table 1-04: Link-State and Distance-Vector Routing Protocol Comparison

Note
While EIGRP is an advanced routing protocol that combines many of the features of both link-state and distance-vector routing protocols, EIGRP's DUAL algorithm has many features that make it more of a Distance Vector routing protocol than a link-state routing protocol.

Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is the most common link state protocol in use today. OSPF operates on the Shortest Path First (SPF) algorithm developed by Dijkstra. The main advantage of EIGRP is that it updates the routing table immediately if any changes occur in the network. OSPF can easily be used on small, medium, and large networks.
Intermediate System to Intermediate System (IS-IS)
Another important routing protocol is Intermediate System to Intermediate System (IS-IS). IS-IS is designed for large networks such as those of Internet Service Providers. It selects routing paths within a packet-switched network and also uses Dijkstra's algorithm.
The table below describes the difference between Distance Vector, Link State, and Hybrid routing protocols.
Interior Gateway Protocol vs. Exterior Gateway Protocol

Basis for Comparison   Interior Gateway Protocols                             Exterior Gateway Protocols
Routing                Routing inside an autonomous system                    Routing between autonomous systems
Configuration          Fast convergence and easy configuration                Slow convergence and complex configuration
Routing Decisions      Administrator influence on routing decisions is low    Administrator influence on routing decisions is high
Examples               RIP, IGRP, OSPF, and IS-IS                             BGP

Table 1-05: IGP Vs. EGP
Hybrid Routing Protocol
BGP is listed as a hybrid routing protocol, because it can be used both within the backbone routers and between the backbone routers and other AS routers.
Border Gateway Protocol (BGP)
Path Vector Routing Protocols are those dynamic routing protocols, which operate over path information. This path information is dynamically updated throughout the autonomous system. It is different from the Distance Vector routing and Link State routing. Each entry in the routing table contains the destination network, the next router, and the path to reach the destination.
Routing Types
This section describes the various routing concepts and protocols.
Loopback Interface
A logical interface is a virtual interface. It is not a physical interface like a Fast Ethernet or Gigabit Ethernet interface. A loopback interface is a software interface that can be used to imitate a physical interface. The router does not have any loopback interfaces by default, but they can easily be created. Loopback interfaces are created by assigning IP addresses to them on the router. Loopback interfaces have many advantages; for example, they are used for redirecting traffic, and a loopback interface's IP address determines the OSPF Router ID.
Routing Loops
Routing loops are issues that must be avoided in networks. Routing loops make the routing path more difficult, so properly configured static and dynamic routes avoid routing loops by ensuring that only the most efficient paths are used.
Routing Tables
A routing table is a set of rules used to determine the path of a data packet traveling over an Internet Protocol network. The routing table consists of specific routing destinations, next hop, interface, metric, and routes. Routing tables can be maintained manually or automatically. Routing tables on statically routed devices do not change until the network administrator changes them manually. In dynamic routing, devices update their routing tables automatically by using routing protocols to exchange information about the neighboring network topology.
Static Routing
Static routing is a type of network routing technique. It is the manual configuration and selection of a network route, usually managed by the network administrator.

Advantages:

  • Simple to configure
  • Low processor overhead (no CPU cycles are spent calculating the best path)
  • Secure operation
  • Predictability
  • Secure, as only defined routes can be accessed

Disadvantages:

  • High-maintenance configuration
  • Cannot detect topology changes
  • Routes must be updated manually after changes
  • Misconfiguration can lead to routing loops

Table 1-06: Static Routing Advantages and Disadvantages
Configuration syntax of a static route on a Cisco router:

Router(config)# ip route <destination-network-ID> <subnet-mask> <next-hop | exit-interface>

or, in full:

ip route [destination_network] [mask] [next-hop_address or exit_interface] [administrative_distance] [permanent]

This list describes each element of the command:
ip route: The command used to create the static route.
Destination network: The network you are placing in the routing table.
Mask: The subnet mask being used on the network.
Next-hop address: The IP address of the next-hop router that will receive packets and forward them to the remote network.
Exit interface: Used in place of the next-hop address if you want; the route then shows up as a directly connected route.
Administrative distance: By default, static routes have an administrative distance of 1, or 0 if you use an exit interface instead of a next-hop address.
Permanent: By default, if the interface is shut down or the router cannot communicate with the next-hop router, the route is automatically discarded from the routing table; the permanent keyword keeps the route in the table regardless.
Next-Hop Static Route: Only the next-hop address is specified for packets destined to exit the network.
Directly Connected Static Route: By specifying the exit interface in a directly connected static route, the router assumes that the destination is directly connected to the exit interface, and the packet's destination address is used as the next hop.
Fully Specified Static Route: A fully specified static route is used when the exit interface is a multi-access interface and you need to identify the next-hop address. The next-hop address must be directly attached to the specified exit interface. In a fully specified static route, both the exit interface and the next-hop IP address are defined.
Floating Static Route: A floating static route is what the router uses to back up a dynamic route. You need to configure a floating static route with a higher administrative distance than the route it backs up. In this instance, the router prefers the dynamic route to the floating static route; the floating static route is used as a replacement if the dynamic route is lost.
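The route types above differ only in how the table entry is built and when it is withdrawn, which a small routing-table model makes concrete. The following is an added example, not code from the original text: it parses the ip route syntax shown above (next-hop and exit-interface forms, optional administrative distance and permanent keyword), selects routes by longest prefix match and then lowest administrative distance, and withdraws routes when their egress interface goes down. The table is Router 1 from the lab that follows, plus constructed extras: a third link on Ethernet0/2 to 10.10.4.2, an OSPF-learned route, a floating static backup and a default route; OSPF's administrative distance of 110 is Cisco's default.

```python
import ipaddress


def parse_ip_route(command):
    """Parse 'ip route <network> <mask> <next-hop | exit-interface> [AD] [permanent]'
    into a route entry, with the default administrative distances the text gives."""
    tokens = command.split()
    if tokens[:2] != ["ip", "route"] or len(tokens) < 5:
        raise ValueError(f"not an ip route command: {command!r}")
    prefix = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=True)
    options = tokens[5:]
    numeric = [t for t in options if t.isdigit()]
    try:                                         # next-hop form: default AD 1
        nexthop, interface, default_ad = ipaddress.ip_address(tokens[4]), None, 1
    except ValueError:                           # exit-interface form: default AD 0
        nexthop, interface, default_ad = None, tokens[4], 0
    return {"prefix": prefix, "nexthop": nexthop, "interface": interface,
            "ad": int(numeric[0]) if numeric else default_ad,
            "source": "static", "permanent": "permanent" in options, "up": True}


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_connected(self, prefix, interface):
        self.routes.append({"prefix": ipaddress.ip_network(prefix), "nexthop": None,
                            "interface": interface, "ad": 0, "source": "connected",
                            "permanent": False, "up": True})

    def add_static(self, command):
        self.routes.append(parse_ip_route(command))

    def add_dynamic(self, prefix, nexthop, ad, source):
        self.routes.append({"prefix": ipaddress.ip_network(prefix),
                            "nexthop": ipaddress.ip_address(nexthop), "interface": None,
                            "ad": ad, "source": source, "permanent": False, "up": True})

    def _egress(self, route):
        """The interface a route actually leaves through, resolving a next hop
        against the connected networks that are currently up."""
        if route["interface"]:
            return route["interface"]
        if route["nexthop"] is None:
            return None
        for r in self.routes:
            if r["source"] == "connected" and r["up"] and route["nexthop"] in r["prefix"]:
                return r["interface"]
        return None

    def lookup(self, destination):
        """Longest prefix match first; ties broken by the lowest administrative distance."""
        addr = ipaddress.ip_address(destination)
        usable = [r for r in self.routes if r["up"] and addr in r["prefix"]]
        if not usable:
            return None
        longest = max(r["prefix"].prefixlen for r in usable)
        return min((r for r in usable if r["prefix"].prefixlen == longest),
                   key=lambda r: r["ad"])

    def interface_down(self, interface):
        """Routes that leave through the interface drop out of the table, as the text
        describes, unless they were configured with the permanent keyword."""
        affected = [r for r in self.routes if self._egress(r) == interface]
        for r in affected:
            if not r["permanent"]:
                r["up"] = False


def lab_router1():
    """Router 1 from the lab plus constructed extras (see the lead-in)."""
    rt = RoutingTable()
    rt.add_connected("10.10.1.0/24", "Ethernet0/0")
    rt.add_connected("10.10.2.0/24", "Ethernet0/1")
    rt.add_connected("10.10.4.0/24", "Ethernet0/2")                       # constructed
    rt.add_dynamic("10.10.3.0/24", "10.10.2.2", ad=110, source="ospf")    # constructed
    rt.add_static("ip route 10.10.3.0 255.255.255.0 10.10.4.2 130")       # floating static
    rt.add_static("ip route 0.0.0.0 0.0.0.0 10.10.2.2")                   # constructed default
    return rt
```

While Ethernet0/1 is up, traffic for 10.10.3.2 follows the OSPF route (AD 110 beats 130 at equal prefix length); once Ethernet0/1 goes down, the OSPF route and the default route are withdrawn and the floating static route via 10.10.4.2 takes over.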

Lab: Static Routing

Case Study: A company requires the installation of two new routers to deploy a small static network. As the network administrator, you have to configure static routing on these routers. The requirements are as follows:
Router 1 Ethernet interface 0/0: 10.10.1.1/24
Router 1 Ethernet interface 0/1: 10.10.2.1/24
Router 2 Ethernet interface 0/1: 10.10.2.2/24
Router 2 Ethernet interface 0/0: 10.10.3.1/24
PC1 IP Address: 10.10.1.2/24
PC2 IP Address: 10.10.3.2/24

Topology Diagram:


Figure 1-12: Topology Diagram

Configuration:
Router 1
Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int e0/0
Router(config-if)#ip address 10.10.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
*May 10 00:47:21.146: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*May 10 00:47:22.150: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Router(config)#int e0/1
Router(config-if)#ip address 10.10.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
*May 10 01:05:34.662: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*May 10 01:05:35.662: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
Router(config)# ip route 10.10.3.0 255.255.255.0 10.10.2.2
Router 2
Router>
Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int e0/0
Router(config-if)#ip address 10.10.3.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
*May 10 00:56:00.888: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*May 10 00:56:01.892: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Router(config)#int e0/1
Router(config-if)#ip address 10.10.2.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
*May 10 01:07:49.996: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*May 10 01:07:50.996: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
Router(config)# ip route 10.10.1.0 255.255.255.0 10.10.2.1
Virtual PC
Go to PC1 and enter the following command:
VPC> IP 10.10.1.2/24 10.10.1.1
Similarly, go to PC2 and enter the following command:
VPC> IP 10.10.3.2/24 10.10.3.1
In case you are using Windows PC, go to “Control Panel” > “Network and Internet” > “Internet and Sharing” > “Change Adapter Settings” > “Adapter” > “Properties”. Select “IPv4” > “Properties” > “Manual IP Addressing” then enter your IP address, subnet and default gateway.
Verification
Go to PC1 and ping PC2 (10.10.3.2).
VPC> ping 10.10.3.2

Go to PC2 and ping PC1 (10.10.1.2).
VPC> ping 10.10.1.2

Go to Router and enter the following command:
Router# show ip interface brief

Interface     IP-Address    OK? Method Status                Protocol
Ethernet0/0   10.10.1.1     YES manual up                    up
Ethernet0/1   10.10.2.1     YES manual up                    up
Ethernet0/2   unassigned    YES unset  administratively down down
Ethernet0/3   unassigned    YES unset  administratively down down
// As shown in the output, we configured the Ethernet 0/0 and 0/1 interfaces. Both interfaces hold the configured IP address, the method is manual, the status is up, and the protocol is up.
Router# show ip route