Implementing Networking Concepts

This is a guide on implementing networking concepts.

C++ is among the best languages to start with to learn programming. It is not the easiest, but with its speed and strength, it is one of the most effective. This small study book is ideal for middle school or high school students.

IP Addressing

In this presentation, we'll take a look at handling IP addressing in Ethernet networks. This begins with ensuring that every system that needs to communicate has an address and that the address is unique. Two systems cannot have the same address; otherwise, they will not be able to communicate. [Video description begins] A diagram illustrates three connected LANs with unique IP addresses for all devices. [Video description ends] Now in smaller environments, this really doesn't represent much of a challenge. If you are only dealing with, say, a few dozen systems, then you can very easily manually configure every system. It wouldn't take very long and you could record which device was using which address to avoid duplicates. But if you scale this up to very large environments where you might have thousands of systems, clearly this is not really a very good option.

You would be prone to configuration errors, it would be very time consuming, and again, any systems that ended up with the same address configuration would not be able to communicate. So we need some kind of approach whereby we can handle a large number of systems while avoiding some of these problems. And the general approach is the dynamically assigned address, but you can certainly still have static addresses as well. Now quite simply a dynamic address is assigned by some kind of entity or process, and it's assigned automatically. In other words, the device requests an address and some kind of service responds and says here you go. So most of the systems in larger environments tend to have that configuration where they get dynamically assigned addresses, but a static address is something that you manually configure, in most cases, and it does not change.

A dynamic address can change at any time. A static address does not change until you change it or somebody changes it. Now in this particular configuration, which is only one implementation, [Video description begins] A diagram illustrates a router that connects to a device with a dynamically assigned IP address. The router also connects to a cloud-based internet service provider network, which consists of a web server and a DNS server. In this instance, the servers have static IP addresses. [Video description ends] what we're looking at is an Internet Service Provider and systems that are on the Internet, in the Cloud. Then the router over on the left would represent the device that you have been given by your Internet service provider. So the IP address for that router, that connects you back to the Internet service provider, would have a dynamically assigned address. They give it to you and they decide what it is, but it could change. But as long as it connects you through to the Internet service provider, it really doesn't matter what the address is in terms of you just getting Internet connectivity. But for the systems that are on the Internet such as a web server or a DNS server, they need to be contacted usually using the same address. So they would be statically configured.

You can set this up in your own environment as well. You can have certain systems that dynamically receive their address configuration and you can have others that are statically assigned. And that's up to you, but in very general terms, usually it is the client systems that receive dynamic addresses and then usually systems such as servers would be statically configured. Now that's not always the case, but that's certainly very common. So when it comes to the automatic configuration, the dynamic addresses, there is a service called Dynamic Host Configuration Protocol or DHCP. Now there are several components and we'll go over them in a minute, but this is a very common service and almost every internal networking environment will use this to handle the large numbers of clients that need addresses. So when a client is configured to obtain an IP address automatically, then when it boots it sends out what's known as a DHCP discover. And this is quite literally searching for some kind of DHCP service somewhere on the network. In most cases, it is a DHCP server that has this service installed, but other devices such as routers can also supply DHCP services. One way or another, there is something that responds and says yes, I have the DHCP service installed.

Once you have that, what you configure is what's known as a scope and this is a pool of addresses from which clients can draw their configuration. And it typically includes the IP address, a subnet mask, and other optional values such as the DNS server they should use, and the default gateway they should use. It's up to you what you set up in a scope but the scope is the pool of available addresses. A DHCP reservation still allows a client to receive its configuration automatically, but it gets the same address every time. I mentioned earlier how the address can change with DHCP and that is absolutely true. But if you set up a reservation, what you do is you allocate this particular address to always be assigned to the same client and it's usually done by configuring the MAC address of that client, so that the server knows which client wants that address. A request is the client saying, okay, I have discovered that there is a DHCP server. I see that there is an offer coming back from that DHCP server, I will request that address configuration. And as long as the server says, okay, yes, you can have that one, then you get what's known as a lease. And this essentially is the time duration for how long it's valid. And when that expires, you go through the process again and you get a new address configuration and again, it could be a different address.

Now there is another option when you are using DHCP that you might consider to be a little bit of a fail safe. If you have a DHCP server, then it is the system that is responsible for allocating those addresses. But of course, it's a server like any other one, and it can go down. So if you have clients requesting addresses from the server and the server is down, then no address is being returned. Rather than get no address, the client will initialize itself automatically with a private IP address. That's automatic private IP addressing, often referred to as APIPA. And the address is always in the format of 169.254 then dot something, dot something. The last two are random, but the first two values indicate the network and all systems that initialize using APIPA will use 169.254. Now this isn't particularly useful in terms of communication. You really can only communicate with other systems that were also unable to get an address. You won't be able to get on the Internet, but you might still be able to communicate within your LAN. But it's more useful as a diagnostic tool. When you start seeing that address, you know that there is a problem with DHCP, and you can investigate accordingly.

And finally, a Link Local Address is really more of a category than any kind of address assignment. But it just refers to all of the addresses that are able to see each other within the same subnet or the same local area network without having to be routed to a different network. So even if the router went down, all of the systems within that network could still communicate with each other because they'd all be plugged into the same switch. So they're all using the same network address and they can all just communicate with each other without having to be routed. So when you have multiple subnets or multiple networks, all of the systems within any one subnet are considered to be local addresses with respect to each other. One way or another, you just need to make sure that all of the systems that need to communicate have a valid address configuration. And whether that's assigned dynamically or statically is up to you, but ultimately every system must have an address and it must have a unique address as well.
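The checks described in this presentation (unique addresses, APIPA as a symptom of a DHCP problem, and which systems are local to each other without routing), as an added example that is not part of the original presentation. The host list is constructed sample data, and the function names are assumptions.

```python
import ipaddress

# Constructed sample host configurations (not from the presentation): each entry is
# (hostname, address, prefix length). The 169.254.x.x host stands for a client that
# fell back to APIPA because no DHCP server answered its discover.
SAMPLE_HOSTS = [
    ("pc1", "192.168.4.5", 24),
    ("pc2", "192.168.4.20", 24),
    ("pc3", "192.168.4.20", 24),    # duplicate of pc2: neither can communicate reliably
    ("pc4", "169.254.17.203", 16),  # APIPA: DHCP did not answer
    ("srv1", "192.168.5.10", 24),   # another subnet: traffic to it must be routed
]

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def is_apipa(addr):
    """True when the host self-assigned an address from 169.254.0.0/16."""
    return ipaddress.ip_address(addr) in APIPA_NET


def find_duplicates(hosts):
    """Return {address: [hostnames]} for every address used by more than one host."""
    seen = {}
    for name, addr, _prefix in hosts:
        seen.setdefault(addr, []).append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}


def network_of(addr, prefix):
    """The network address shared by every host on the same subnet (the link-local set)."""
    return ipaddress.ip_interface(f"{addr}/{prefix}").network


def reachability(src, dst):
    """How src reaches dst: 'direct' on the same subnet (no router needed), 'routed'
    via the default gateway, or 'none' when an APIPA host tries to reach a normally
    addressed one (APIPA hosts can only talk to other APIPA hosts on the same LAN)."""
    _src_name, src_addr, src_prefix = src
    _dst_name, dst_addr, dst_prefix = dst
    if is_apipa(src_addr) != is_apipa(dst_addr):
        return "none"
    if network_of(src_addr, src_prefix) == network_of(dst_addr, dst_prefix):
        return "direct"
    return "routed"


def audit(hosts):
    """The two things to look for first: APIPA fallbacks (a DHCP problem) and
    duplicate addresses (a configuration problem)."""
    return {
        "apipa": [name for name, addr, _ in hosts if is_apipa(addr)],
        "duplicates": find_duplicates(hosts),
    }
```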


DNS

In this presentation, we'll overview the domain name system or DNS. And this comes down to the fact that, in general, when we are looking to contact any given computer on the Internet, we probably know its name but not its IP address. But when communicating over TCP/IP, you have to determine the IP address. So the name is really a layer that we just overlay on top of the address if you will, and DNS creates a mapping. It says this name equals that address. Because, again, if we were to have to remember the IP address of every system on the Internet, we'd never be able to. But we can follow this naming structure to make things a lot easier for us. So over on the far right, we see the computer with a name of [Video description begins] A diagram illustrates the naming structure for a computer that has a domain name:. There are four columns in the structure. The first column displays a dot. The second column lists the extensions: edu, com, gov, org, and net. The third column includes the company domain name: skillsoft. The fourth column displays the subdomain name: courses. [Video description ends]

That's known as its fully qualified domain name but it is broken down into a hierarchy, and that is essentially the DNS structure. And if we go all the way to the opposite side, over on the left, you see what's actually referred to as a dot, which means really the root domain. That's supposed to be a dot in quotation marks, it maybe isn't all that clear. But the root is where you can start navigating. So again, if there was just a single database with every single computer mapped to its IP address, that would be an exceptionally large database. So they break it down and they spread it across multiple systems. So it's referred to as a distributed database. And the hierarchy allows us to just make it a little more manageable. So after the root, the dot, we see a lot of the extensions that we're very familiar with on the Internet, .com, .gov, .net. Each one of these sections contains some of the names on the Internet but certainly not all of them. So within any given one of them, such as .com, then we see the company names that we typically tend to remember fairly easily, such as, so that has to be publicly registered. You have to find a public registration authority and say, I would like to register. And as long as it's available, you can go ahead and do so.

Now once you have your domain name, you can do whatever you want inside of that. In other words, you can break it down into subdomains, and that's courses in this case, okay? So Skillsoft might have several other subdomains, but that's up to Skillsoft. But ultimately, any computer within the courses subdomain will have the name of whatever its initial name is, computer1 in this case. So that fully qualified domain name, read left to right, goes from the very specific to the very general. computer1 is specifically that computer but .com is not specific at all. Of course there are millions of systems within the .com domain. So how this works is typically through a process known as a forward DNS lookup. And this means that, as a client, you know the name but you don't know the address. So if you open up a browser and just type in you know that name. What you need to do is find the web server for that domain. So you supply the name, the address is looked up for you, that's forward. But they do actually have reverse, which goes the complete opposite way. It means, essentially, you know the address but not the name. That's not as common but they do exist.

So there is simply a store of public host address information that is the DNS database. But, again, it's not a single database. There are multiple database servers that each contain a portion of the database. Again, any one server could never maintain the entire structure of every system on the Internet. So again, when you register well, you maintain that portion of the database. And it's all portions across all database servers that make up the entire DNS database. Now a DNS resolver is quite simply the client. This is the system that is asking for the resolution. So ultimately when you type in that name into your browser, you get an IP address coming back. So you have resolved the name to the IP address, but these requests have to feed through that hierarchy of DNS servers. So we see here in the key features the Resolver, the client, requests something. So again, just open a browser, type in a name. Your system is configured to contact your local DNS server.

So if I'm just looking for a name on the Internet, then chances are my local name server will not know the address of that system, but it knows how to find it. So it contacts the root server, the dot domain, this is where you start searching. Now the root servers do not know the entire DNS database. So if it's something like, the root server will say, well, I've never heard of that but I do know of .com servers. Go check with one of them. So it forwards me off to those .com servers. One of them will say, yes, I have a publicly registered entry for and it will refer me to that server. Within the domain, it will search its portion of the database and say, yes, I have a www server, a web server, here is its address. That will be returned to my local name server and that will cache it as well for future requests. So that if someone else asks for the same address, it doesn't have to go through this process again. So other key benefits, quite simply it's easier to remember names than all of the IP addresses on the Internet. So using that hierarchical approach, we can much more easily navigate the databases and find what we're looking for. It's very flexible and easy to use.

Again, we just need to know the name that we're looking for, the service handles the rest. It uses a consistent naming structure. So again, every system within for example, will always have that structure and it's always the same. The servers have security features to prevent intruders from changing the names or poisoning the databases. And it's very easily scalable and fault tolerant as well, because you can export the entire contents of a DNS database to as many other servers as you want. So if one fails, there's another copy over there and another one over there. So should a failure occur, you can have as many other instances as you want, to ensure there's always at least one DNS server able to respond to client requests and handle that name to address resolution.
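The resolution walk described in this presentation (root, then the .com servers, then the domain's own server, with the local name server caching the answer) and the reverse lookup mentioned earlier, as an added example that is not part of the original presentation. The zone data is constructed and in memory; the server names, example.com and the 203.0.113.x addresses are sample values, not real DNS data.

```python
# Constructed, in-memory zone data (not real DNS data). Each server knows only its
# own portion of the distributed database: the root knows where the top-level
# servers are, the .com server knows where registered domains are, and the
# authoritative server for example.com holds that domain's records. The reverse
# tree under in-addr.arpa is what a reverse lookup walks.
SERVERS = {
    ".": {"referrals": {"com": "com-tld-server", "arpa": "arpa-server"}},
    "com-tld-server": {"referrals": {"example.com": "ns1.example.com"}},
    "arpa-server": {"referrals": {"113.0.203.in-addr.arpa": "ptr.example.com"}},
    "ns1.example.com": {"records": {"www.example.com": "203.0.113.10",
                                    "mail.example.com": "203.0.113.25"}},
    "ptr.example.com": {"records": {"10.113.0.203.in-addr.arpa": "www.example.com"}},
}

MAX_REFERRALS = 8   # a loop in bad zone data must not hang the resolver


class LocalNameServer:
    """The client's local name server: it walks the hierarchy from the root and
    caches every answer so the next client asking the same name is served locally."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}
        self.queries_sent = 0    # contacts with other servers, to show the cache working

    def ask(self, server_name, qname):
        """One query to one server: an answer, a referral to a child server, or nothing."""
        self.queries_sent += 1
        server = self.servers[server_name]
        if qname in server.get("records", {}):
            return "answer", server["records"][qname]
        labels = qname.split(".")
        # Longest matching suffix first, so 'example.com' is preferred over 'com'.
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in server.get("referrals", {}):
                return "referral", server["referrals"][zone]
        return "nxdomain", None

    def resolve(self, qname):
        """Forward lookup: name in, address out (None if no server knows the name)."""
        if qname in self.cache:
            return self.cache[qname]
        server_name = "."                  # every fresh lookup starts at the root
        for _ in range(MAX_REFERRALS):
            kind, value = self.ask(server_name, qname)
            if kind == "answer":
                self.cache[qname] = value
                return value
            if kind != "referral":
                return None
            server_name = value
        return None

    def resolve_reverse(self, address):
        """Reverse lookup: address in, name out. The octets are reversed and the
        in-addr.arpa suffix added; then the same walk from the root applies."""
        qname = ".".join(reversed(address.split("."))) + ".in-addr.arpa"
        return self.resolve(qname)


def demo():
    """Two forward lookups of the same name (the second served from cache, so no
    extra queries) and one reverse lookup."""
    ns = LocalNameServer(SERVERS)
    first = ns.resolve("www.example.com")
    queries_after_first = ns.queries_sent          # root, .com server, example.com server
    second = ns.resolve("www.example.com")
    queries_after_second = ns.queries_sent         # unchanged: answered from cache
    return {"first": first, "second": second,
            "queries_after_first": queries_after_first,
            "queries_after_second": queries_after_second,
            "reverse": ns.resolve_reverse("203.0.113.10")}
```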


DHCP

Now in this presentation we'll take a closer look at the dynamic host configuration protocol or DHCP, which again is responsible for automatically assigning the IP address configuration to client systems. And it typically includes the subnet mask, the default gateway, and DNS servers, as well as some other optional values. But this is essentially the alternative to static configuration. And again, static is fine but it's not very efficient for very large environments. It could take a very long time to statically configure thousands of systems. And again, you're prone to errors, you can end up with duplicate addresses or just invalid addresses that will prevent communication. So DHCP automates the IP address configuration so that clients can obtain an IP address automatically, and again, also obtain DNS server address automatically. Now for Windows-based systems, it should be mentioned that you can set it to obtain the IP address automatically while still setting the DNS server address statically. Okay, now that's up to you. You can absolutely do both or you can just do the IP address and then statically enter a DNS server if you choose to. But in most cases, you will obtain both automatically.

But the process involves several steps, whereby again, the client initially boots up. If it is configured to obtain an IP address automatically, which by the way is the default for Windows-based systems, then as soon as it boots it sends out what's known as a discover packet. This is the client literally asking if there are any DHCP servers available on the network. All of your servers will respond because as the client is just booting up and sending out this discover packet, it does not yet have an IP address. Therefore, the only way it can communicate is to broadcast. Every system on the network hears a broadcast. So if you have more than one server, all of them will hear these discover packets, and all of them will respond. Now even if you only have one, it still does this offer. So it says here is an address available from the pool that you can use, okay? But again, if there's more than one then several offers will come in. The client will then request one of the offers. So again if there's only one server, it's still requested. It says okay I like that one, it looks good, may I use that address? That's the request. But the server that issued that offer acknowledges the client requesting it.

At this point, all other servers withdraw their offers. At that point, when you receive the acknowledgement, your lease duration begins. Now the time of the lease duration is up to you, but around a week is fairly common in most environments. So your time starts as soon as you get that acknowledgement. So all four of those steps have to complete before you actually get the address and can start using it. And unfortunately, it's a little bit noisy because again, you don't start using the address until you get the acknowledgement. So all four of those steps use broadcasts. So it's a little bit noisy, but once you get the acknowledgement, you start using the address and you can stop broadcasting. Now you can also implement Reservations. These are permanent IP address assignments that behave essentially like static address configuration. But you can still handle it automatically so that you don't have to visit each system and manually enter in the address configuration. So it's used for specific DHCP clients, and it's applicable to any DHCP enabled device. It does not have to be a Windows operating system, for example. A printer can do it, a file server could do it, really, anything that is able to receive an IP address automatically. But it uses the MAC address of the client system to assign the reserved address.

The MAC address is the only truly unique value. So you do need to know the MAC address of the target system. But once you have that, you just say this MAC will always get this IP address. Now you also need to make sure that the IP address that you are assigning in the reservation is not part of any other scope or pool. If it is, it might end up getting assigned to someone else as well, and now you have a duplicate. So you need to document which addresses you're going to reserve, and just make sure that they are not offered through any other pool. One final consideration, because as mentioned, the process is broadcast-based, all servers hear these requests. So that does make it susceptible to what's known as DHCP Snooping whereby an intruder can essentially initialize a DHCP server that is unauthorized. So somebody can hack into your network and fire up a DHCP server and start handing out invalid addresses to the client systems, maybe in an attempt to reroute them so that they're divulging sensitive information. But you can prevent this in most environments by implementing what's known as an authorized DHCP server. This is a trusted response, so that if a client sees multiple offers coming in, it can actually see that this one is trusted, this one is not, okay?

Now there are a couple of different ways that can be implemented, but ultimately, if a server appears on the network that is not authorized, clients can be configured to simply disregard those offers. And that effectively prevents DHCP snooping so that only the authorized servers are able to actually assign addresses to their clients. Ultimately though, DHCP is one of the most common network services. As long as your pools are configured correctly, and as long as you've taken security into account, then your client systems should absolutely receive correct and valid IP address configurations automatically, alleviating a tremendous amount of administrative overhead as compared to manually configuring every client system.
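The four-step exchange from this presentation and the earlier IP addressing one (discover, offer, request, acknowledge), together with MAC reservations, the check that a reserved address is not also in the pool, lease expiry, and a client that disregards offers from a server that is not on its authorized list, as an added simulation that is not part of the original presentation. Servers, MACs, scopes and the week-long lease are constructed sample values; integer timestamps stand in for a clock.

```python
import ipaddress

ONE_WEEK = 7 * 24 * 3600   # lease duration; about a week is the common choice


class DhcpServer:
    """A DHCP server with one scope (pool), optional MAC reservations and a lease table.
    Timestamps are plain integers (seconds) so the example runs without a clock."""

    def __init__(self, server_id, scope, reservations=None, options=None, lease=ONE_WEEK):
        self.server_id = server_id                  # address the server identifies itself by
        self.pool = [str(h) for h in ipaddress.ip_network(scope).hosts()]
        self.reservations = dict(reservations or {})   # MAC -> address that MAC always gets
        self.options = dict(options or {})          # subnet mask, gateway, DNS servers ...
        self.lease = lease
        self.leases = {}                            # address -> (mac, expires_at)
        # A reserved address that is also in the pool can be offered to someone else
        # as well, producing a duplicate, so refuse that configuration up front.
        overlap = set(self.reservations.values()) & set(self.pool)
        if overlap:
            raise ValueError(f"reserved addresses inside the pool: {sorted(overlap)}")

    def _free_address(self, now):
        for addr in self.pool:
            held = self.leases.get(addr)
            if held is None or held[1] <= now:     # never leased, or the lease has expired
                return addr
        return None

    def offer(self, mac, now):
        """Step 2 (OFFER): every server that hears the DISCOVER broadcast answers."""
        addr = self.reservations.get(mac) or self._free_address(now)
        if addr is None:
            return None                             # pool exhausted: no offer
        return {"type": "OFFER", "server_id": self.server_id, "yiaddr": addr,
                "lease": self.lease, "options": self.options}

    def acknowledge(self, mac, request, now):
        """Step 4 (ACK): only the server named in the REQUEST answers; the rest withdraw."""
        if request["server_id"] != self.server_id:
            return None
        addr = request["yiaddr"]
        self.leases[addr] = (mac, now + self.lease)   # the lease timer starts here
        return {"type": "ACK", "server_id": self.server_id, "yiaddr": addr,
                "expires_at": now + self.lease, "options": self.options}


def dhcp_client(mac, servers, now, authorized=None):
    """DISCOVER -> OFFER(s) -> REQUEST -> ACK for one client. 'servers' is every server
    that hears the broadcast. With an 'authorized' set, offers whose server_id is not
    in it are ignored, which is how an unauthorized server's offers get dropped."""
    offers = []
    for server in servers:                          # step 1: the DISCOVER broadcast
        offer = server.offer(mac, now)
        if offer is not None and (authorized is None or offer["server_id"] in authorized):
            offers.append(offer)
    if not offers:
        return None                                 # no usable offer: client falls back to APIPA
    chosen = offers[0]                              # the first acceptable offer wins
    request = {"type": "REQUEST", "server_id": chosen["server_id"], "yiaddr": chosen["yiaddr"]}
    for server in servers:                          # step 3: the REQUEST is broadcast too
        ack = server.acknowledge(mac, request, now)
        if ack is not None:
            return ack
    return None


def demo():
    """Constructed scenario: one authorized server and one unauthorized server whose
    offers arrive first. Clients with the authorized list never take the bad offer."""
    good = DhcpServer("192.168.4.1", "192.168.4.16/28",
                      reservations={"aa:bb:cc:dd:ee:01": "192.168.4.200"},
                      options={"mask": "255.255.255.0", "gateway": "192.168.4.1",
                               "dns": ["192.168.4.53"]})
    bad = DhcpServer("10.0.0.66", "10.0.0.0/28",
                     options={"mask": "255.255.255.240", "gateway": "10.0.0.66",
                              "dns": ["10.0.0.66"]})
    heard = [bad, good]
    trusted = {"192.168.4.1"}
    reserved = dhcp_client("aa:bb:cc:dd:ee:01", heard, 0, trusted)
    first = dhcp_client("aa:bb:cc:dd:ee:02", heard, 0, trusted)
    second = dhcp_client("aa:bb:cc:dd:ee:03", heard, 0, trusted)
    unfiltered = dhcp_client("aa:bb:cc:dd:ee:04", heard, 0)           # no authorized list
    renewed = dhcp_client("aa:bb:cc:dd:ee:05", [good], ONE_WEEK + 1)  # first lease has expired
    return {"reserved": reserved["yiaddr"], "first": first["yiaddr"],
            "second": second["yiaddr"], "unfiltered_server": unfiltered["server_id"],
            "after_expiry": renewed["yiaddr"]}
```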


IPv4

In this presentation, we'll overview some of the basic characteristics of IPv4, which as its name indicates, is the fourth revision of the Internet protocol. And its primary function is to identify the devices on a network. This is how we implement our IP addressing. Every device that wants to communicate needs to have an IP address. So the protocol was designed for packet-switched communication networks. That draws its name from, let's call them the old days, when there used to be telephone operators in front of a switch board. Maybe you've seen an old TV show or an old movie where they have the operator there in front of that switch board and when a call needed to be made, they would actually run a cable between a physical jack or a port that represented your line, and the one that you were calling. So plugging in the cable completed the circuit between those two end points. That is essentially what happens these days, but it's the switch, the central connection device, that does it for us.

So my system is plugged into one of the physical ports and it knows my IP address. Then the system that I want to communicate with is in some other physical port, so when I initiate communication by the intended IP address, the switch knows where those two systems are and it builds a virtual circuit so that we can communicate. And then once we are done communicating it breaks the circuit. So that's packet switching. And this of course was the most widely deployed protocol for both internal LAN and Internet connectivity. We can use the same protocol internally as we do on the Internet. Now in terms of its basic structure, there really are only two numbers when it comes to computing: zero and one. Those are the two binary digits or bits that we use when referring to anything in computing. So before we get to these mappings here, think about a light switch. It has only two positions: off and on. That is essentially the same as the binary numbers of 0 and 1. 0 would be off, 1 would be on. So if you have a single light switch, you have two possibilities: off or on. So we call that base 2. If you have two light switches, then you have four possibilities: both of them off, both of them on, the first off and the second on, or the first on and the second off. So with two switches in base 2, you now have two to the power of two possibilities. If you have three light switches, you have two to the power of three. And that just goes on and on and on.

So the number of possible combinations depends on the number of bits. And it's always two, base 2, to the power of however many bits you have. [Video description begins] A table displays the mapping of integers to binary numbers. [Video description ends] In this example, there are eight bits over on the left-hand side. Okay, if you count them up, you'll see that there are eight. So that means, with eight bits, you can have two to the power of eight possible combinations. And that equals 256. 2 to the power of 8 is 256. But note the integer value on the right-hand side. It only goes to 255 down at the bottom. [Video description begins] In the table, the presenter points to the value: 11111111=255. [Video description ends] But look at the first value at the top, it's zero. So in other words, zero counts. [Video description begins] In the table, he points to the value: 00000000=0. [Video description ends] Zero is a perfectly valid number for computing. So if zero is your first number, one is your second number. Two is your third, three is your fourth, and so on and so on, until you get to 255, which is then actually your 256th possible combination.

Now in terms of how the binary values convert to integer values, I'll come to that in a moment, but look at the two extremes. 0 in binary is all zeros, 255 in binary is all ones. So this indicates that you can just use variances of which values are one and which ones are zero to create different integer values. Now with respect to how that works, let's look at this example. Here is an IP address of 192.168.4.5. [Video description begins] An example illustrates the structure of the IP address 192.168.4.5. In the IP address, 192's binary value is 11000000. 168's binary value is 10101000. 4's binary value is 00000100. 5's binary value is 00000101. Eight bits = one byte. Thirty two bits (4x8), or 4 bytes. [Video description ends] Just an arbitrary address. But look at the binary values. What happens with TCP/IP is that each bit has a value and what we would think to be an integer value. So the very first bit is valued at 128. The second bit is valued at half that, 64. The next one is valued half of that, 32. Then 16, then 8, then 4, then 2, then 1. And what you do is you simply enable the bits that equal a certain integer value. So in the very first set of bits, the very first bit is set to 1. That means it's worth 128. The second bit is set to 1. That means it's worth 64. If you add those together, you get 192. The rest of them are off, so they aren't worth anything. So 1 1 followed by 6 zeros is 192.

And the next example, 168. The first bit again is valued at 128, but the 64-bit, the second one, is off so we don't include that in the total. The third bit is worth 32. So you add up 128 plus 32. That gets you to 160. The 16-bit is off, but the 8-bit is on. So we add that to the total. That's 160 plus 8, that's 168. The rest of them are off. Four is quite easy, because the third bit from the right is worth four. That's the only one that's on. Everything else is off. And then five of course is that four-bit on plus the one bit. So again, with each bit having that particular value, it's just a matter of turning on the bits that you want to equal a certain integer value. And with eight bits or one byte, you have the ability to express any number between 0 and 255 for that one set of eight bits or one byte. But of course, there are four sets of eight bits. In other words, the entire address is 32 bits in length or 4 bytes. But for each eight bit section, which we call an octet, then you can only have values between 0 and 255. And again, we saw a moment ago that all zeros equals 0. All ones means add them all up and that's 255. So any number between 0 and 255 can be expressed in binary by simply enabling the appropriate number of bits.

So let's just quickly back up and we see some of the examples here that we didn't really look at, but let's say 252. Well, that's only 3 away from the highest value of 255. So the two bit and the one bit are off. Every other bit is on. [Video description begins] The integer to binary number mapping table displays. The presenter points to the value: 11111100=252. [Video description ends] And that would equal 252 if you were to add them all up, okay. So ultimately, if you have enough bits, you can express any number. But in terms of TCP/IP, it's always eight bits dot eight bits dot eight bits dot eight bits. And then you simply enable the bits that will total the value that you want as an integer. And that's how you can convert from binary to integers or what we call decimal values to read it a little more appropriately, such as 192.168.4.5. And every IPv4 address works exactly the same way. So it's always consistent in terms of that structure.


IPv6

In this presentation, we'll overview the basic structure of IP version six, which is the successor to version four. Which immediately begs the question, well, what happened to version five? It was actually going to be released and it was going to be known as the Internet stream protocol. But ultimately that functionality was worked into version six, so they just skipped over five and released six as a more robust protocol. But to understand its structure, we need to briefly revisit version four. Recall this was a 32-bit address, which yields approximately 4.3 billion addresses. That's 2 to the power of 32. And that might seem like a lot, but in practice, many of the addresses of version four were never actually used. For example, there was an entire class or bank of addresses that was dedicated to just testing and development, so they were never used. So a lot of them in fact were not used. But ultimately, we just exhausted the address space.

There are so many devices on the Internet these days that there just aren't enough addresses to publicly address every device. So this is where version six came into play. It implements 128 bits in its address space, which is tremendously larger than the version four address space. When working with binary, when you increase the exponent by even one number, the total number of possible combinations doubles. So in other words, 2 to the 33 is twice as many as 2 to the 32, okay. So by the time you get to 2 to the power of 128, this is 3.4 x 10 to the power of 38. A one with 38 zeroes after it, possible addresses. That is, again, unimaginably large. To give you a very general idea, if every single person on Earth, let's call it 7 billion people, had 1 billion addresses each, we still wouldn't get half way through that address space. So we will never run out of version six addresses.

But the problem is, it's not readily interoperable with version four. You can have both protocols installed and enabled, but any one communication has to use one or the other. So in terms of the structure, when you have 128 bits to work with, we need a more efficient way to express this rather than writing out 128 ones and zeros. Now, the entire address is still divided into two parts and that's no different than version four. Version four also had a network prefix and an interface ID. Again, think of houses on a street. The street is the same for all of us. That's the network. But the number of your house uniquely identifies that house on that street. So the exact same thing happens with version six. Part of the address indicates the network, part indicates the unique interface on that network. And by default in version six, it divides right down the middle. 64 bits for the network, 64 bits for the interface on that network. And it still divides it up into chunks if you will, but each chunk is 16 bits in version six, where it only used to be eight in version four.

So now we need a way to express 16 bits a little more easily. And it does so by using a single character. So each character, each x in this case represents four bits. Four bits per character. Four characters. That's 16 bits. And then in total, there are eight chunks of 16 bits. That's 128 bits. [Video description begins] The IP address displays as eight blocks of x, separated by dots. [Video description ends] So to use a single character to represent four bits, we need a different approach. This is where hexadecimal comes into play. So again, what we need here is a single character that can represent four bits. So for a decimal value of zero through nine, that does still only use a single character. But once you get to a decimal value of ten, well, that's two characters. That's a one and a zero. 11 is a one and a one. 12 is a one and a two. So it's again, the number of characters. We need a single character to represent those four bits. So in hexadecimal, once we pass nine, instead of using ten, we use the letter A. B is 11, C is 12, D is 13, E is 14, and F is 15. And to represent that in binary, we still use the same approach as version four, whereby each bit has a value. So the very first bit of the four is worth 8. The next one is worth 4, the next one is worth 2, and the last one is worth 1. So you then simply enable the bits that will add up to the decimal value.

So 0 in decimal or hexadecimal is all zeros in binary. One, you simply enable the 1 bit. [Video description begins] A decimal to hexadecimal table displays. The presenter points to the binary value: 0001. [Video description ends] Two, you enable the 2 bit. [Video description begins] He points to the binary value: 0010. [Video description ends] Three, you enable the 2 and the 1 bit. 2 plus 1 is 3. [Video description begins] He points to the binary value: 0011. [Video description ends] Four, you enable the 4 bit. [Video description begins] He points to the binary value: 0100. [Video description ends] And that just keeps going, okay. But once we get up into the letters, then we're enabling the bits that add up to these decimal values greater than nine, okay. So 10, 11, 12, 13, 14, and 15, basically still just enables the bits that will add up to that amount. So 15 enables them all. That's 8 plus 4 plus 2 plus 1, okay. [Video description begins] For the decimal 15, he points to the binary value: 1111. [Video description ends]

So it's just a matter of still turning on the bit that will allow you to express that value. But what we're looking for is to be able to do that and express it with a single character, okay. So in looking at an address here, we see at the top the hexadecimal address. [Video description begins] The IP address in hexadecimal displays as 2001:0DB8:AC10:FE01:0000:0000:0000:0000. [Video description ends] Now, we're only looking at the network portion here for the time being. And this is just purely for demonstration purposes, so we can see that on the right, the interface side, it's all zeroes and that's all zeroes in binary. So let's not worry about that a whole lot. But if we look at the very first character, a two. And then we go down below, we see four bits to indicate the number two. [Video description begins] The bits for the number 2 display as 0010. [Video description ends] So we simply enable the 2 bit.

0, the next character is all zeros. Again, the next 0 is also all zeros. Then 1, we simply enable the 1 bit. [Video description begins] The bits for the number 1 is 0001. [Video description ends] Then the colon. Then we have another 0. Well, that's still all zeros in binary, but there we see the D, okay. [Video description begins] The bits for D display as 1101. [Video description ends] So the 8 bit is on. The 4 bit is on. That's 12. And then the 2 is off and the 1 is on. So that's 13. Let's quickly go back. And we see that 13 is represented by a D in hexadecimal, okay. [Video description begins] He displays the decimal to hexadecimal table and points to the decimal 13, with the hexadecimal value of D, and a binary value of 1101. Then he returns to the IP address in hexadecimal. [Video description ends] Then B, [Video description begins] The bits for B display as 1011. [Video description ends] the 8 bit is on, the 4 is off, the 2 and the 1 are on. That's 11 in binary.

Let's go back. 11 is represented by a B, okay. [Video description begins] He displays the decimal to hexadecimal table and points to the decimal 11, with the hexadecimal value of B, and a binary value of 1011. Then he returns to the IP address in hexadecimal. [Video description ends] And then eight simply has the 8 bit on, [Video description begins] The bits for 8 display as 1000. [Video description ends] then the colon, and again this just carries on. So that's how you can translate hexadecimal values into binary. We just want to be able to use that single character. Now, that still results in a fairly lengthy address because again, this is only the network portion. So we still have the entire interface side to work with. So there are some other key features. So here's a full address. [Video description begins] The full IP address is 2002:0cc0:0000:0000:0000:0000:00b0:0001. [Video description ends]

Now, don't worry in terms of the validity of that address. It's just in terms of figuring out the characters for the time being. So for this full address, which again is still very long, what you can do is to shorten it up by omitting leading zeros. So any block of four characters that starts with a zero can have that zero removed. And if it starts with two zeros, you can remove both of them. And if it starts with three zeros, you can remove all three, so a block of all zeros shrinks to a single zero. So all leading zeros have been omitted on the second line. [Video description begins] The IP address in the second line is 2002:cc0:0:0:0:0:b0:1. [Video description ends] Then if you have a string of consecutive zeros, we see that there are four consecutive zeros in the middle. All of them can be removed and replaced by a double colon, okay. So that significantly shortens the address. [Video description begins] The abbreviated IP address is 2002:cc0::b0:1. [Video description ends]

Now, if you happen to have two sections of repeating zeros that were separate from each other, you can only do that one time, okay. When you do it once, the protocol can figure out how many zeros have been eliminated based on how many other blocks remain. But if you were to do it twice, it wouldn't know. Well, were there two in the first block and three in the second? Or one in the first and four in the second or how was that arranged? So you can only omit the repeating zeros one time, okay. But ultimately, that allows you to express the address in a much shorter set of characters.


Subnet Mask

In this presentation we'll take a look at the subnet mask, which is a key component of IP address configurations. And in fact you cannot effectively use an IP address without a subnet mask. Now for starters, every IP address is again, composed of two sections. And I've mentioned this before, but you can think of this as a street and the houses on that street. For all of us who live on the same street, we would include that as part of our address and it would be the same for all of us. But each house on that street would have its own unique number. That is exactly the same as your network address and your host address. So the network address equates to the street. Your host address equates to the number on your house. But within the host address, there are a certain number of bits available to address your hosts. And that value can change but in certain cases there can be a lot of them. In other words, you can have a large network.

In that event, it might make more sense to take that single large network and subdivide it up into multiple smaller units. Which generates a subnet address out of the host address portion. Then you still end up at the end of the day with a host address. But ultimately the subnet mask can be used to make larger networks into smaller networks. So that really is its key feature. Any given network can have an arbitrary size. But if there are too many hosts on that network, they can cause a lot of traffic, a lot of congestion, and can simply be difficult to manage. So there are times when it makes more sense to subdivide them up into smaller networks with fewer host systems. Now the subnet mask itself is still a 32-bit number that masks portions of the host IP address. So that it believes that there are fewer bits available to address the host systems. And if there are fewer bits available, you can only have fewer hosts. So the values of the subnet mask are still 1 and 0. But ones indicate that this is the network portion and 0 indicates that this is the host portion.

Now in an IP address, ultimately at the binary level, it's still ones and zeros. But IP addresses can look like 10010101001. In other words, they can bounce around. Whereas subnet masks are always just consecutive ones, then consecutive zeros. You never see 100111011010 in a subnet mask. And that will make more sense in a moment. But before we get to the binary values, we do need to have a look at these private address spaces. And this will become a little more evident in a moment. But in TCP/IP, any given network can be of any given size. But there are some default sizes and they refer to them as class A, class B, and class C. [Video description begins] A table displays the address ranges for different classes. [Video description ends] Now, the range of addresses is set, so that if your address is anywhere between 10.0.0.0 and 10.255.255.255, you are using a class A address. Likewise, class B begins at 172.16.0.0 and goes to 172.31.255.255. And class C begins at 192.168.0.0 and goes to 192.168.255.255. Now, you might recognize some of these addresses. Your own home network for example, just your own regular Internet service at home probably uses a 192.168 address or a class C.

And again, we'll come to why that is in a moment. But the reason that these are referred to as private addresses is because we can all use them. On the inside of our routers, we can all use the exact same configurations over and over and over again, without needing to worry about duplicating the addresses. Because my network is isolated from yours by routers. So it doesn't matter if I use 192.168.1.0 as my network and you use the exact same value. Private addresses are never forwarded to the public Internet. So really this was the solution to the fact that we exhausted the IP version four address space. By allowing us to reuse these same ranges over and over and over again, on the insides of our routers. Again, we can all use the same configurations and not worry about duplications, okay. But these classes, again, come into play with respect to the subnet masks. Because each one of them has a default subnet mask that defines the size of the network, okay. [Video description begins] A table displays commonly used subnets. There are columns for Class, Address, #Hosts, Netmask (binary), and Netmask (decimal). [Video description ends]

Now, I'm going to start with the A, B, and C. I'll come back to that CIDR in a moment. But the class A network means that 8 bits are used to identify the network. 24 are then available to address your hosts. [Video description begins] For Class A, the network address value is /8; the #Hosts value is 16,777,216; the Netmask (binary) value is 11111111 00000000 00000000 00000000; and the Netmask (decimal) value is 255.0.0.0. [Video description ends] And the /8 literally means that there are eight ones in the subnet mask. So here we see the consecutive ones, then the consecutive zeros. And it's always that way, it's just a matter of how many ones versus how many zeros. So if 8 bits are used to identify the network, 24 remain to address your host. That's 2 to the power of 24, which is over 16 million. In other words, that's a very large network, okay.

Now class B divides right down the middle. [Video description begins] For Class B, the network address value is /16; the #Hosts value is 65,534; the Netmask (binary) value is 11111111 11111111 00000000 00000000; and the Netmask (decimal) value is 255.255.0.0. [Video description ends] 16 bits identify the network, leaving 16 to address your host. 2 to the 16 is about 65,000 - a much smaller network. Class C has the first 24 bits set to 1 to identify the network and only 8 left to address your hosts. 2 to the power of 8 is only 256. [Video description begins] For Class C, the network address value is /24; the #Hosts value is 256; the Netmask (binary) value is 11111111 11111111 11111111 00000000; and the Netmask (decimal) value is 255.255.255.0. [Video description ends] In other words, that's a very small network, okay. And if we look at the decimal values, again, they are just converting the ones and the zeros into decimal values. And all ones is 255, all zeros is 0.

So most subnet masks look very much like what you see here, okay. But CIDR, as mentioned, stands for Classless Inter-Domain Routing. [Video description begins] For Class CIDR, the network address value is /6; the #Hosts value is 67,108,864; the Netmask (binary) value is 11111100 00000000 00000000 00000000; and the Netmask (decimal) value is 252.0.0.0. [Video description ends] The class A, the class B, and the class C, again, are just starting points, just defaults. With CIDR, you can use any number after the / there. So 6 is just arbitrary in this case. Meaning that the first 6 bits are 1. Then every other bit is set to 0. So that would leave 26 bits to address your hosts. And that's even larger than the class A. But the point is, with CIDR, it can be slash anything - any number between 1 and 32, really. And what that allows you to do is to take something like, let's say a class A which is very large, which is /8, and say well, let's go with /12 instead of /8. That's somewhere in between class A and class B. Same with a class B. That's still 65,000; it's still pretty large. You can say, well, let's go with /21, okay. And that's just somewhere in between. Regardless, what really matters is how many bits are left.

So for example, using that one that I just mentioned, /21. Well, there are 32 bits in total. So if 21 of them are masked, then you only have 11 left. With 11 bits remaining, that's 2 to the power of 11, that's about 2,000 hosts. Much larger than a class C, but nowhere near as large as a class B. So it's much more medium sized. That's the idea behind subnetting - deciding how many bits you want to have available to address your hosts. You decide what that number is. But however many bits it is, that determines the size of the network. So again, it's just / whatever number you feel to be appropriate. If you want to go with the defaults, that's fine. But you can use any number, okay. Whatever you feel to be appropriate. Whatever you feel to be a manageable size. You just go with that and then you just change the binary values into decimal. So again with CIDR, we see 252 instead of 255. It's just whatever the binary to decimal conversions are that determine the number that will actually be shown there. But at the end of the day, it's how many bits are left to address your hosts. And it's always at the point where the ones change to zeros. The 1 values simply are not visible to the host portion. Only the 0 values are when it comes to subnet masks.


Default Gateway

In this presentation, we will take a look at the default gateway, which is certainly very commonly found as a value in an IP configuration. But when it comes to just pure functionality, it's not a necessary value. And to clarify, when you are working with TCP/IP, you need an IP address and you need a subnet mask. You only need a default gateway if you need to communicate with systems on a different network than the one you are on. So in other words, looking at this graphic, [Video description begins] An example of a network displays. In the network, an ISP server connects to an ISP router. A default gateway exists between the ISP router and the connected local network switch. The IP address between the ISP router and local network switch is 192.168.3.1. And the local network switch connects to a local network. [Video description ends] the local network down below would be able to have interconnectivity between all of those systems simply by having them all plugged into the same switch, okay?

We do not need a router just to talk to each other if we all exist within the same network. So in this particular example, 192.168.3 would be the address of the network. The router would probably be address number one on that network, but all of the hosts might be 10, 11, 12, 13, 14, really, any number, it doesn't matter, below 255. But for all systems in the 192.168.3 network, they should all be able to communicate with each other without needing a default gateway. It's only when one of those systems needs to go outside of that network, that it needs the default gateway. So really, it's another term for a router. But that's what routers do, they connect networks together, not individual hosts. The switch connects the individual hosts together. So again, if you wanted an isolated network, where there is no connectivity to external networks of any kind, then you would not need a default gateway. It's just that for most of us these days, we all want Internet access, so our router at least connects us to our Internet service provider, which ultimately gives us Internet access.

So in most practical implementations, it's a necessary value, but for pure functionality within a local area network, it's not required. So looking at traffic flow through a default gateway, again it handles traffic routing, and that term is important because routing refers to network to network to network, not host to host, okay, that's switching. So the default gateway will transmit requests to the Internet through our Internet service provider. Or ultimately just route anything to any other network. And each interconnected network will have a default gateway that allows packets to be forwarded from network to network to network. Information is relayed to a network and back to the requesting device where it originated from, based on the IP address of that requesting device. Because, of course, the default gateways know which networks they are connected to.

So they can form routes to ensure that a packet is ultimately delivered to wherever it needs to go, but that anything coming back is sent back to the originating device that created the request in the first place. So the need for a default gateway is dependent on your scenario. But for any kind of Internet connectivity, whether it be for an enterprise network or just a small or a home office, you do need a default gateway. Again, the Internet counts as a different network. But you might also see them in WAN connectivity for an enterprise network. So it's not so much connecting to the Internet, but larger enterprise environments will often have multiple LANs, maybe in separate geographic areas or maybe just multiple networks in one large data center. But as long as it's more than one network, that needs to connect to any other network, then you must have a default gateway in your IP configuration.
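The subnet mask section and this default gateway section describe one calculation, so here is a single added C++ example (not from the presentation) that covers both: turning a /prefix into the ones-then-zeros mask and its dotted-decimal form, counting the host bits, checking that a mask really is contiguous, and then ANDing two addresses with the mask to decide whether a packet stays on the local switch or must go to the default gateway. The addresses in main are the ones used in the presentation; parseIPv4 and the function names are this example's own.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Mask for a /prefix: that many consecutive ones, then consecutive zeros.
uint32_t prefixToMask(int prefix) {
    if (prefix <= 0) return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

// A real mask never looks like 100111011010: once the ones stop, only zeros follow.
// Inverting such a mask gives 2^n - 1, which shares no bit with (itself + 1).
bool isContiguousMask(uint32_t mask) {
    uint32_t zeros = ~mask;
    return (zeros & (zeros + 1)) == 0;
}

int hostBits(int prefix) { return 32 - prefix; }

// Addresses the host bits can express: /24 -> 256, /21 -> 2048, /8 -> 16,777,216.
uint64_t addressesInNetwork(int prefix) { return uint64_t{1} << hostBits(prefix); }

// Dotted-decimal form: each byte of the mask converted on its own.
std::string toDotted(uint32_t v) {
    std::ostringstream s;
    s << (v >> 24) << '.' << ((v >> 16) & 0xFF) << '.' << ((v >> 8) & 0xFF) << '.' << (v & 0xFF);
    return s.str();
}

// Parse "a.b.c.d"; throws on anything that is not four octets of 0..255.
uint32_t parseIPv4(const std::string& text) {
    std::stringstream ss(text);
    std::string part;
    uint32_t value = 0;
    int count = 0;
    while (std::getline(ss, part, '.')) {
        if (part.empty() || part.size() > 3 || ++count > 4) throw std::invalid_argument(text);
        for (char c : part) if (c < '0' || c > '9') throw std::invalid_argument(text);
        int octet = std::stoi(part);
        if (octet > 255) throw std::invalid_argument(text);
        value = (value << 8) | static_cast<uint32_t>(octet);
    }
    if (count != 4) throw std::invalid_argument(text);
    return value;
}

// The sending host ANDs its own address and the destination with the mask.
// Same result: same street, deliver through the switch. Different result:
// hand the packet to the default gateway, because only a router crosses networks.
bool needsDefaultGateway(const std::string& self, const std::string& dest, int prefix) {
    uint32_t mask = prefixToMask(prefix);
    return (parseIPv4(self) & mask) != (parseIPv4(dest) & mask);
}

int main() {
    for (int prefix : {8, 16, 24, 6, 21})
        std::cout << "/" << prefix << " = " << toDotted(prefixToMask(prefix))
                  << ", " << addressesInNetwork(prefix) << " addresses\n";
    std::cout << "192.168.3.10 -> 192.168.3.14 needs gateway? "
              << needsDefaultGateway("192.168.3.10", "192.168.3.14", 24) << "\n";
    std::cout << "192.168.3.10 -> 11.11.11.11 needs gateway? "
              << needsDefaultGateway("192.168.3.10", "11.11.11.11", 24) << "\n";
    return 0;
}
```

Note that the same pair of addresses can need a gateway under /24 and not under /21; the mask, not the addresses alone, decides.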


VPN

In this presentation, we'll take a look at virtual private networks, or VPNs, which allow you to use a very public medium such as the Internet in a private fashion, hence the term virtual private network. Now it implements an encrypted connection between two endpoints over the Internet so that you can safely transmit sensitive data and prevent unauthorized eavesdropping. The most common implementation of a VPN is usually to enable remote work. If, for example, you have someone who has a laptop. They might use the laptop at work, but they might take it home with them as well. And they might want to do work while they're at home. But of course, while they're home, they do not have connectivity to the corporate network. Well, establishing a VPN allows them to work exactly as if they were in the corporate network. It allows them to access the printers, access the files in the folders, get to their email, or their corporate databases, or really just do anything that they might do while they are actually in the office, but it can be done from anywhere.

Now there are a few different types of VPNs, and we'll take a look at each here, beginning with the Site-to-Site. This is typically implemented when you have multiple locations. [Video description begins] A diagram illustrates the connection between a corporate network and remote site. Both the corporate network and remote site use VPN appliances and connect via the Internet. [Video description ends] So the corporate network, let's consider that to be headquarters. The remote site on the opposite side, let's consider that to be a branch office. So what we would have here is connectivity between the two so that users in either location can access the other one, and again, access the resources of either side.

So it's probably a little more common that people in the remote site, or the branch, might access resources in the corporate headquarters, but it can be either direction. But what you see with a Site-to-Site is some kind of appliance at both sites. They are configured to connect directly with each other by their IP addresses and with encryption, so that it is secure. Once that connection is established, then any user on either side can access the resources of the other side. You don't need to launch any kind of client software on your computer to get to the resources of the other network. The connection is there, and it's essentially permanent. It's always on and always available. So it acts as an extension to the network, but it still uses the Internet as the medium because those two sites could be miles apart.

The next one is a Host-to-Site and this is typically implemented when you might only have a small number of users who require a VPN connection. [Video description begins] A diagram illustrates a connection between a corporate network and remote user via the Internet and VPN concentrator. [Video description ends] So maybe you have a small travelling workforce, maybe only five to ten people who need VPN access. In this case, there is still a device or some kind of server acting as a VPN concentrator. That simply means it's a single point of access where everyone comes in. They all concentrate their connections through that device. But the remote user uses software on their computer to launch the connection.

They would just double-click some kind of icon and it would prompt them for a username and a password, and either the name or the IP address of the VPN concentrator, and it would then establish the connection. Once that is established, now they can work as if they are in the corporate network. When they are done, they can disconnect and then they're simply disconnected again, so they cannot access anything. So it allows the user to establish the connection whenever they want, instead of it being open all the time to all of the users in a specific location. Then finally, there is a Host-to-Host. Now these probably aren't as common but can still be done. But what we don't see here is any kind of appliance or concentrator. [Video description begins] A diagram illustrates an Internet connection between a laptop and PC. [Video description ends]

One system would be the client and another would be the server, if you will, or the concentrator, but essentially, you still use software. The client, let's say it's the laptop at the top of the picture, would still launch some kind of client software and enter a username and a password and make the connection. But that connection would be accepted just by a single system on the other side, so it would also have to have some kind of software configured to allow that connection. But then you can implement a direct Host-to-Host connection if all of the resources you need are only on that computer, then that would certainly be fine. But again, these aren't quite as common but certainly still very viable and very plausible, if that's what you need. But regardless of the type, it's really more so about implementing the encryption, so that we can use this very public medium, such as the Internet, in a private fashion and ensure that all of this data remains as secure as possible.


VLAN

Okay, in this presentation we'll take a look at virtual local area networks or what's more commonly referred to as a VLAN. And this is something you can set up at the level of a switch. [Video description begins] A diagram illustrates an example of a virtual local area network. The network includes three separate subnetworks – Sales, Marketing, and Accounting. The subnetworks are connected to a VLAN switch on an internal network, connected to a WAN, then to the Internet. [Video description ends] You use it when you want to define separate and distinct subnets that are all plugged in to the same physical switch. Now recall that switching does not really work at the network level. It operates by MAC addresses primarily, and a switch all by itself is not really able to perform any kind of routing functions or essentially anything that works on an IP address. IP addresses work at the network level of the OSI model, that's layer 3. Switches inherently work at the MAC address level, which is layer 2.

But a VLAN switch essentially does give you the ability to define the subnets, and separate certain systems from each other, even though they're all plugged into the same physical switch. So normally, every system would be able to see every other system. But yet, VLAN switches are able to define these distinct subnets. Now you can divide them up however you see fit. This is just one example where you might see something like the job functionality determining how the VLANs are defined, okay? But again, you can use anything it really doesn't matter. So in this example we see that there's a sales network, a marketing network, and an accounting network, and they essentially need to be separated from each other. So there are three distinct networks defined here, or subnets I should say, but 192.168.10 for Sales, 192.168.20 for Marketing, and 192.168.30 for Accounting. So even though all of those systems are physically plugged into the same switch, by defining these VLANs, they are now effectively isolated from each other.

And if you do still want them to connect to each other, they can, but you have to do the same kind of configuration as if they were physically separate from each other with their own dedicated switches. In other words, you would have to use a router to connect these separate subnets to each other. Now in terms of some of the features that are available, again, it allows you to separate your physical switch ports into these distinct subnets so that you can segregate functional groups. Now the functional groups are simply what we saw in the previous slide, Sales, Marketing, Accounting. Now you can again determine how to separate those groups in any manner that you see fit. But you can still divide them up so that they are isolated from each other. Now certain VLAN switches do offer layer 3 functionality, and again, layer 3 is the network layer where routing happens. So if this is available on the switch, then you can still set it up so that even though they are separate subnets you can implement a degree of routing between them.

This allows you to control traffic between the VLANs, and administer security and access. So maybe subnet 1 should be able to communicate with subnet 2, but not with subnet 3. So that again is up to you. And you can also implement this in a somewhat dynamic fashion if it supports a feature known as Network Access Control or NAC. This is based on authorization and authentication, whereby when the user logs in, they are recognized by some kind of identity. And based on that it automatically assigns them to the appropriate VLAN so that if the user, for example moves around they might physically end up connected to a different physical port. If they have a laptop for example, and they go from office to office to office, plugging into a different data port each time, they might end up on a different and incorrect VLAN. But with NAC it recognizes who they are and it automatically adjusts the interface assignment so that they always end up in the correct VLAN.

Now there's another feature when it comes to configuring VLANs known as trunking. And this is something that you will encounter when you have a single VLAN that spans multiple physical switches. You then have to get the traffic from switch-to-switch, and this is what is known as a tunneled VLAN. Now this is all defined by a standard known as 802.1Q, and you will often hear most people refer to this as .1Q. But it's simply the specifications for how to move traffic from physical switch to physical switch while still maintaining which VLAN the traffic belongs to. And that's accomplished by a process known as VLAN tagging. So again, we're moving from physical switch 1 to physical switch 2, but the identity of the VLAN remains consistent, it's still VLAN 1. Now the tagging essentially says this traffic belongs to that VLAN, but that requires you to explicitly configure the VLAN identities, usually with numbers. If you don't, you can still also go with what's known as a native VLAN. And you might also hear that referred to as the default VLAN in some instances. But that is simply any traffic that is not otherwise tagged.

So if it's untagged, it assumes to be on the native VLAN, and this whole process is implemented by two protocols. One known as the VLAN Trunking Protocol or VTP. And this is a proprietary Cisco protocol, so clearly, this would only be something that's implemented on Cisco devices. But if you have non-Cisco then the same task is accomplished by the Multiple VLAN Registration Protocol or MVRP. Essentially, they both do the same thing, it's just dependent on whether you are using a Cisco device or not. Now that may be a little difficult to visualize so this is what it looks like. And you can see here that we do have two physical switches, [Video description begins] A diagram illustrates the trunking configuration of VLAN1 and VLAN2. VLAN1 is indicated by an orange line. VLAN2 is indicated by a green line. Both VLAN1 and VLAN2 span two switches – Ethernet switch 1 and Ethernet switch 2. Both switches are connected via trunk 802.1Q. The trunk conveys data from VLAN1 and VLAN2 between the switches. [Video description ends] switch 1 and switch 2.

But both VLANs, in this case VLAN1 and VLAN2, span both physical switches. So the green VLAN is VLAN2 and you can see that's on both switches, and then the orange one, VLAN1, same thing. So we then have to connect these two switches to each other. That's known as the trunk. So we see the 802.1Q trunk here. So as long as traffic remains within the physical switch, we don't have to worry about the trunk. But switch 1 might physically fill up. Let's just assume it's a fairly small switch and there may be only four or eight ports. Clearly very easy to fill that up. But if we then need to extend the VLAN, well, there are no more ports left in the first switch, so we need a second switch. So again, the VLAN has to span multiple physical switches. So if a system in VLAN1 in switch 1 needs to communicate with the system in the same VLAN on switch 2, we need a method to get that traffic from switch-to-switch.

So you can see that the trunk is carrying traffic for both VLANs which is the green and the orange. This is where the tagging comes into play. So it literally tags the traffic and says this traffic on that single trunk is for VLAN1, this other traffic on this same physical trunk is for VLAN2. And that's how it's able to separate and ensure that the correct traffic goes to the correct VLAN. So the orange sections of the trunk would only go down the orange VLAN. The green sections of the trunk would only go down the green VLAN. And again, that's how you accomplish trunking in VLAN switching.
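To make the tagging concrete, here is an added C++ example (not from the presentation) that builds an Ethernet frame with or without the 4-byte 802.1Q tag and then classifies it the way a switch port on a trunk would: a tagged frame goes to the VLAN named in its 12-bit VID, an untagged frame is assumed to belong to the native VLAN. The MAC addresses, payload, and the choice of VLAN 1 as the native VLAN are constructed for the example; VTP and MVRP are not modelled.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Assumed for the example: untagged frames arriving on the trunk belong to VLAN 1.
constexpr uint16_t kNativeVlan = 1;
// EtherType value that announces an 802.1Q tag (defined by the standard).
constexpr uint16_t kTpid8021Q = 0x8100;

struct VlanInfo {
    bool tagged = false;
    uint16_t vlanId = 0;     // 12-bit VID from the tag, or the native VLAN
    uint8_t priority = 0;    // 3-bit PCP
    uint16_t etherType = 0;  // protocol that follows the (optional) tag
};

// Assemble a header: 6 bytes dst MAC, 6 bytes src MAC, [TPID + TCI], EtherType, payload.
// vlanId < 0 builds an untagged frame; vlanId 0 is a priority-only tag.
std::vector<uint8_t> buildFrame(const std::vector<uint8_t>& dst, const std::vector<uint8_t>& src,
                                int vlanId, uint8_t priority, uint16_t etherType,
                                const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> f(dst.begin(), dst.end());
    f.insert(f.end(), src.begin(), src.end());
    if (vlanId >= 0) {
        uint16_t tci = static_cast<uint16_t>(((priority & 0x7) << 13) | (vlanId & 0x0FFF));
        f.push_back(static_cast<uint8_t>(kTpid8021Q >> 8));
        f.push_back(static_cast<uint8_t>(kTpid8021Q & 0xFF));
        f.push_back(static_cast<uint8_t>(tci >> 8));
        f.push_back(static_cast<uint8_t>(tci & 0xFF));
    }
    f.push_back(static_cast<uint8_t>(etherType >> 8));
    f.push_back(static_cast<uint8_t>(etherType & 0xFF));
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

// Classify a frame the way a switch port on an 802.1Q trunk does.
// Returns false when the frame is too short to hold the fields it claims.
bool classifyFrame(const std::vector<uint8_t>& f, VlanInfo& info) {
    if (f.size() < 14) return false;
    uint16_t type = static_cast<uint16_t>((f[12] << 8) | f[13]);
    if (type != kTpid8021Q) {
        info = VlanInfo{};
        info.vlanId = kNativeVlan;  // untagged: the switch assumes the native VLAN
        info.etherType = type;
        return true;
    }
    if (f.size() < 18) return false;  // TPID present but TCI or EtherType cut off
    uint16_t tci = static_cast<uint16_t>((f[14] << 8) | f[15]);
    uint16_t vid = tci & 0x0FFF;
    info.tagged = true;
    info.priority = static_cast<uint8_t>(tci >> 13);
    info.vlanId = (vid == 0) ? kNativeVlan : vid;  // VID 0 carries priority only, no membership
    info.etherType = static_cast<uint16_t>((f[16] << 8) | f[17]);
    return true;
}

// Small wrappers for callers that only need one answer (0 = malformed frame).
uint16_t vlanOf(const std::vector<uint8_t>& f) { VlanInfo i; return classifyFrame(f, i) ? i.vlanId : 0; }
bool isTagged(const std::vector<uint8_t>& f) { VlanInfo i; return classifyFrame(f, i) && i.tagged; }

// Constructed sample: the MACs, EtherType 0x0800 (IPv4) and the 4-byte payload are made up.
std::vector<uint8_t> sampleFrame(int vlanId) {
    return buildFrame({0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, {0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB},
                      vlanId, 5, 0x0800, {0xDE, 0xAD, 0xBE, 0xEF});
}

int main() {
    for (int v : {2, 1, -1, 0}) {
        VlanInfo i;
        classifyFrame(sampleFrame(v), i);
        std::cout << "requested " << v << " -> tagged=" << i.tagged << " vlan=" << i.vlanId << "\n";
    }
    return 0;
}
```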


NAT

In this presentation, we'll take a look at network address translation, which is a service that came about effectively due to the fact that we now have public and private IP addresses. And private IP addresses came about essentially due to the exhaustion of the IP version 4 address space. So there just aren't enough addresses to publicly address every single system in the world. Well, private addresses essentially corrected that. On the inside of our routers, we can all use the same private address schemes, but that presents another problem. If I'm attempting to communicate with a system that is on the public Internet, it needs to know how to communicate back to me. Now we'll see this in a moment so hold that thought for the time being. And with respect to what we're seeing here the fact that network address translation can operate on either the IP address or the port number or both is certainly something that needs to be revisited just briefly here. Recall that an IP address for all intents and purposes just identifies your computer. Let's just say it's a server of some kind.

The port number, however, identifies which services are running on that computer. Any one server can serve up any number of services, and each specific service is identified by the port number. So for example, for a web server using the HTTP protocol, that's port number 80. That distinguishes that service from some other type of request. Let's say mail services, which would be SMTP, simple mail transfer protocol, or port 25. But they could both be handled by the same server. So the IP address would be the same but the port number would be different based on the application or the request. But again, coming back to the public-private scenario, this is what it looks like. [Video description begins] A diagram illustrates three steps of network address translation in a network. [Video description ends]

So on the inside of our routers, we see private addresses. In this case 192.168.2 is the internal network address. Then we have several hosts, 201, 202, 203, and the default gateway is host 1. But that's our internal private network. Any one of those systems might make a request for a system that's on the Internet. 11.11.11.11, in this case, might just be some web server, and port 80 is being specified here as the destination port. So if we look at Step 1, we see that the source IP address is private. This is the system that's generating the request. But it is destined for a public Internet server. Okay, so this is where the problem comes into play. The source address tells the system on the other end where to return the packets. So as I request the website, send your packets back to me. But the return address from the perspective of the Internet-based server cannot be a private address. Routers will not forward private addresses out to the public Internet. So we need to map that private address to a public one. [Video description begins] Step 2 is to map a private IP and port to a public IP and port. [Video description ends]

And if we look at the router down below, like every router, it has at least two interfaces. One that faces the inside, one that faces the outside. And the outside interface does have a valid public IP address that's visible to the rest of the Internet. So what NAT does is translate the 192.168.2.201 return address into 145.10.231.3. That is what the destination system sees as the return address as the packet crosses the router. So we see in Step 3, a different address is there. And again, the port can be changed if necessary. That's dependent on the application, okay? But Network Address Translation can work on either or both. But ultimately, the destination system on the public Internet needs to see a public address as the return address. Otherwise you'll never get anything back. Okay, so that's the essence of Network Address Translation. So the NAT device needs to build a table to remember that this request came from that internal system and this request came from some other internal system. So there can be a fairly complex NAT table on the go within that router at any given time. But that's its job, that's what it does so that Internet-based systems can return the information back to a publicly visible address.

Now this is typically referred to as source Network Address Translation because we're changing the source IP. But there's also what's known as Destination Network Address Translation, which kind of works in the opposite direction. This gives us external access to internally hosted services. So I might be on the outside somewhere on the Internet wanting to get to something on the inside network, my own corporate environment. So I'm going the opposite direction. I'm coming from the Internet into my network. So what you can do in this scenario is have an external IP and a port mapping to specific internal hosts. Based on whatever request I'm making, that request can be sent to a specific internal server that has a private IP address. So this is also known as port forwarding. It translates multiple private addresses from a single public address based on the port being used, okay?

So let me just quickly back up here. If I'm on the Internet and I'm trying to get to the internal network, then from my perspective, the interface, and the only interface that is visible to me is 145.10.231.3. That's the public IP address, that's what I see externally. So what I'm trying to do is to get to a service that is hosted on 192.168.2.201. But then based on a different type of service, let's say web services versus email, I might need to get to a different server, 192.168.2.202, for example, okay? So that's what's happening when I say translates multiple private addresses from that single public address. So that public address is the only one that's visible to me. So requests for a web service over port 80 would be directed to the private address of the web server. Requests for, let's say, mail services or port 25 would be directed to the private address of the mail server. And they could be two completely different servers. They don't have to be, but they can be, okay?

Another common example of this is using remote desktop. You might have, let's say, a laptop that you travel with, and you might also have a desktop at work. While you are travelling, you might want to remote desktop into your desktop system. That happens to be port 3389 if it's a Windows-based system. So you can set up a port forwarding rule so that requests that use RDP, the remote desktop protocol, on port 3389 are directed to the IP address of your desktop system. So it's still translating the addresses, but it's just going the opposite direction, from the outside in as opposed to inside out. But in either case, Network Address Translation accepts one value and changes it or remaps it to another value so you can locate the appropriate server and the appropriate service.
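The two directions just described, source NAT with its translation table (Steps 1 to 3 above) and destination NAT or port forwarding (the web, mail and RDP examples), can be shown in one small model. The following is an added example, not code from the lesson: it uses the lesson's sample addresses (192.168.2.x inside, 145.10.231.3 on the outside interface, 11.11.11.11 as the Internet server) with constructed port numbers, and it deliberately allocates a fresh public port per flow to show why the port may also have to change when two inside hosts happen to use the same source port.

```python
"""Toy NAT device modelling both directions from the lesson: source NAT
(with port translation) for inside hosts reaching the Internet, and
destination NAT / port forwarding for outside clients reaching internal
services.  Constructed example; addresses are the lesson's sample values,
ports are made up."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT rewrites: the two address/port pairs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, inside_prefix="192.168.2.", first_port=40000):
        self.public_ip = public_ip          # address of the outside interface
        self.inside_prefix = inside_prefix  # private range behind the router
        self.next_port = first_port         # next free public port for new flows
        self.out_map = {}      # (private ip, private port) -> public port
        self.in_map = {}       # public port -> (private ip, private port)
        self.forwards = {}     # public port -> (internal ip, internal port): DNAT rules
        self.forward_rev = {}  # (internal ip, internal port) -> public port

    def add_forward(self, public_port, internal_ip, internal_port):
        """Port forwarding rule: new connections to public_ip:public_port go inside."""
        self.forwards[public_port] = (internal_ip, internal_port)
        self.forward_rev[(internal_ip, internal_port)] = public_port

    def outbound(self, pkt):
        """Inside -> Internet: replace the private source with the public address."""
        if not pkt.src_ip.startswith(self.inside_prefix):
            raise ValueError("outbound packets must originate on the inside network")
        key = (pkt.src_ip, pkt.src_port)
        # A forwarded server answering an outside client keeps its published port.
        if key in self.forward_rev:
            return replace(pkt, src_ip=self.public_ip, src_port=self.forward_rev[key])
        if key not in self.out_map:
            # New flow: record it in the NAT table under a distinct public port so that
            # two inside hosts using the same source port still get separate entries.
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Internet -> inside: undo source NAT for replies, apply port forwarding for
        published services, and return None (drop) when nothing in the table matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.in_map:           # reply to a flow we translated earlier
            priv_ip, priv_port = self.in_map[pkt.dst_port]
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        if pkt.dst_port in self.forwards:         # new connection to a forwarded service
            int_ip, int_port = self.forwards[pkt.dst_port]
            return replace(pkt, dst_ip=int_ip, dst_port=int_port)
        return None                               # unsolicited traffic with no mapping


if __name__ == "__main__":
    nat = NatRouter("145.10.231.3")
    nat.add_forward(3389, "192.168.2.203", 3389)  # RDP to the office desktop
    out = nat.outbound(Packet("192.168.2.201", 51000, "11.11.11.11", 80))
    print("Step 3 on the wire:", out)
    print("reply delivered to:", nat.inbound(Packet("11.11.11.11", 80, "145.10.231.3", out.src_port)))
    print("RDP forwarded to:", nat.inbound(Packet("203.0.113.5", 60000, "145.10.231.3", 3389)))
```

The `inbound` method is where the security property of NAT shows up: an outside packet is only let in if it answers an entry the inside created or hits an explicit forwarding rule, and everything else is dropped for lack of a mapping. That also makes the point that each port forwarding rule is a deliberate exposure of one internal service, which is why the list of such rules deserves review.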