— Hey, we are having our net down for almost 20 minutes, hosts are not receiving DHCP, looks like ARP frames are not passing through.
After these words, you wake up in a cold sweat. Having the nightmare of being a network engineer and understanding nothing at all in networking is sure a bad thing! But do not get intimidated by these scary terms and let me explain the basics.
First of all, I want to ask you one thing: don’t look at networking as at something painful and forget all the bad experiences you had in the past! Once you understand what all the moving parts do, having (or even handling) the networking problems will be a much easier thing to overcome.
Networking hardware 101
Okay, first of all, let’s speak about the participants of the network. First, and the most simple one is a host or client. This machine is the lowest one in the networking hierarchy. A client might be almost any device with a NIC (Network Interface Card), like your PC, or my smartphone.
The next one is the server. A server is a machine, which runs some service on it, like a web service “apache.” It serves the client with the information it requested. Next comes a network switch, which gives us an ability to interconnect many hosts with each other (but wired ones, wireless switch is called an AP, aka Access Point). The switch can come in different shapes, from a simple “dumb” switch at your home to an enterprise-level “cool” switch at your workplace. The difference between those two is — number of ports, quality, and stability of the connection, additional functionalities like VLANs, and SSH remote access.
Next in line is a network router. This device is pretty complicated and is used to interconnect two or more different networks. As with switches, routers can differ in quality and performance.
And another member of networking as a hardware firewall. It’s installed after the router and works as a filter for all the network traffic. Think about it like the gatekeeper, who guards the network.
Building our first network
What is the most straightforward network we can build? Of course, it’s just two clients connected by the ethernet cable (cabling standard, used in wired networks).
We can think of every process on the network as the communication of human beings. Imagine you sit in an empty room with a human in front of you, and you want to start a conversation. What do you need to know before talking to them? Of course, it is his name! And if we, people, have names, surnames, and nicknames, network hosts have two types of addresses: IP address and MAC address.
An IP address is like a human name, but unlike human names, IP addresses can be frequently changed. MAC address is more like DNA — it is given to the host by the manufacturer of the NIC.
Let’s have a closer look at the IP to understand it better. IP is a 32-bit number written in decimal format, divided in octets, which are separated by dots. Yeah, sounds complicated, but it’s nothing crazy!
Here is an example of an IP. It contains 32 bits, every 8 of which are separated by a dot. That’s why it is called an octet! (8 is ‘octo’ in greek). So,
192 is the first octet,
168 is the second one, and so on. This is a decimal number, and if we convert it to binary, we will get:
It’s 32 bits! Every bit can be a
The range of an IP Address can be from
255.255.255.255. Or in binary, from
255.255.255.255 addresses are used in the real world. The creator of an IP is an IANA organization, and it sets standards for using IPs on the net. Some IPs are reserved and cannot be used.
IP addresses can be local and global. Each client on the network has its local IP address, but when its request exits the network router, the local address is being converted to the global one. So, all the clients of your network are exiting the router with one global address.
This means that having only one global address (and this address is the address of the external port of your router), you can have a lot of local addresses you can use in any way you want to. Everything that is before your router is YOURS, and you are the GOD of your network.
But, there are some restrictions on local addresses. There are some ranges you may use for your LAN (Local Area Network, everything that lays behind your router), and they are:
10.0.0.1 - 10.255.255.254 172.16.0.1 - 172.31.255.254 192.168.0.1 - 192.168.255.254
And yes, 254 is the last octet. There are two addresses that you cannot give to the client, which are network and broadcast address. The network address is an address of the network and looks like
192.168.0.0. The broadcast address is when all the host octets end with
255 and is used for sending a request for ALL the hosts on the current network.
MAC address is a hexadecimal number, which looks like this:
So, 12 hexadecimal numbers, each couple separated by the colon sign. This address is the physical machine address of your host’s NIC and is written on the sticker on the device you use to connect to the network:
We can see above a MAC address of the CISCO device. Colons are not written here, though they are implied. The first half (6 numbers) of the MAC address is given by the manufacturer and are the same for all the devices produced by them, the other half is random, so MAC address is unique and cannot be changed (though it can be spoofed).
For example, if I ran a network scanner on my smartphone, I can see a bunch of device MAC addresses that start with the same
1c:bf:ce part. Those are security cameras from the same manufacturer, so the first half of their MACs are the same!
Let’s get back to our network. If we connect two PCs, give each of them a local IP address, and run a
ping command from the CLIENT 1, we will receive a response from the CLIENT 2.
But have you ever seen such a connection in the real world? I don’t think so. If we want to connect more than two hosts, we need to install an additional NIC on each of them because each NIC has only one port, so it can only be connected to one neighbor at the same time. This would be awful. This is why we have switches!
Now we can ping the third host! Simple, isn’t it?
You might have a reasonable question: If we use an IP, why do we even need MAC addresses? It’s not as simple as it looks. The host knows the destination IP address, but all the communications in the ethernet network work with MAC addresses, so all the data is being transferred not by IP, but by MAC.
CLIENT 1 has no idea about CLIENT 2’s MAC address, and how does it know where to send the data? It merely sends a piece of data (called a frame, but this will be discussed later), the destination of which is
FF:FF:FF:FF:FF:FF.This means that this data will be sent to everyone.
What does this frame contain? It contains the following: “Host with the IP of
192.168.0.2, what is your MAC?”. If the receiver’s IP is not
192.168.0.2, it drops the frame, and if it is really
192.168.0.2, it sends a response to the sender, and finally the ICMP (
ping) connection is being established.
This protocol of getting the MAC address of the host knowing his IP is called an ARP protocol. Also, there is an inverted protocol, which helps us find the host’s IP when we know its MAC, and is called an inARP (inverted ARP).
Each host has its own ARP table, in which it writes information about other hosts. It looks like this:
192.168.0.2 → 00:E0:A3:42:B0:10
Before moving on, I would like to introduce you to an OSI model, which is going to organize all this mess into layers. The OSI model consists of 7 independent layers, each with their own responsibilities.
OSI from top to bottom:
Layer #7: Application Layer #6: Presentation Layer #5: Session Layer #4: Transport Layer #3: Network Layer #2: Data Link Layer #1: Physical
#7 Application layer is responsible for the application requests and responses, like HTTP, DNS, and so on.
#6 Presentation layer is responsible for encoding requests in some specific format, like .mp3, .jpeg, and so on.
#5 Session layer is responsible for establishing a session between two applications. This includes checksums and other ways of synchronization. The information unit used on this and previous layers is “data.”
#4 Transport layer is responsible for the way of transmitting data over the network with two common protocols, which are TCP and UDP. TCP is a way of data transmission when the delivery status is being checked every time, so if some part of the transmission is lost, the host will send this piece one more time. UDP is much faster because it checks nothing and just sends out the info. These two protocols can be compared to the phone chat (TCP) and a radio (UDP).
Application ports also work on this layer. All the applications and services have their own ports. For example, websites (HTTP/HTTPS) use ports
443 respectively, FTP uses port
21, SSH uses port
22, DNS runs on
53 and so on. Ports are used to identify the receiver application because there might be multiple services running on the server. The information unit for this layer is a Segment (for TCP) and a Datagram (for UDP).
#3 Network layer is responsible for IP communication. The information unit is a packet.
#2 Data link layer is responsible for MAC communication. Information unit is a frame (that’s the frame we already talked about, the destination of which is
FF:FF:FF:FF:FF:FF. This is called a broadcast frame, and it works on this layer of the OSI model.)
#1 Physical layer is responsible for physical communication (over wi-fi, coaxial cables, ethernet cables, fiberglass and so on).
From a sender device perspective, the process starts with layer #7 and finishes on layer #1. And it’s vice versa on the receiving device. The process of passing information from the upper layer to the lower one is called encapsulation, and decomposing it from lower to upper — de-encapsulation.
This all can be compared to the post office:
The sender depends on the mailbox to hold her letter until a postal worker picks it up and takes it to the post office. The people at the post office, in turn, depend on truck drivers to transport the letter to the correct city. The truck drivers, for their part, rely on the road system. Throughout the entire process, various protocols govern how people behave. For example, the sender follows basic rules for writing business letters, the mail carriers follow postal service regulations for processing the mail, and the truck drivers obey traffic laws. Think of how complex it might be to explain to someone all the different rules or protocols involved if you were not able to separate or categorize these activities into layers.
Now since we have basic knowledge about what the hell is going on, we can have a more in-depth look at some real-life examples.
Let’s imagine that we walk into some fast food eatery and connect to their wi-fi. Then you open the web browser and go to google.com. It looks ridiculously simple, isn’t it? Well, not at all!
Let’s go to the first step of our “journey”: We connect to the wi-fi. What happens next? First of all, to make any communication with the outer world, we need to obtain an IP address, but don’t you even think that sysadmin will come down from the skies and give it to you manually. No, this is being done automatically by the DHCP protocol. DHCP is a protocol of automatic assignment of the IP addresses on the network (most commonly assigned by a router), which works in 4 steps:
Discovery Offer Request Acknowledgment
DORA is a simple acronym to remember these steps ).
Discovery: When you connect to the network, your device wants to obtain an IP. To make it happen, first, the DHCP server needs to be found. Does your device know the address of the DHCP server? No. How does it find it? By the ARP, of course. It sends out a broadcast frame with the request, “Are you a DHCP Server?”
Offer: If the receiver is not a DHCP server, it drops the frame, and if it is a DHCP server, it reads a request and sends a response like “Hey, I am a DHCP server, and I have a free address of 192.168.100.87 for you.”
Request: After receiving an answer from the DHCP server, the client decides if it wants to obtain this address or not. If it does, the client sends a frame to the server: “Hey, it looks great, I’ll take it!”
Acknowledgment: DHCP server sends out options (containing the default gateway, which is the local IP address of the router, DNS server address, usually located inside a router, and the offered IP address itself) and writes information about given IP in his own list. Every IP given with the DHCP server has its lease time, and if the host was inactive for some time, the server gets this IP back.
Okay, we have an IP address, great. Now we can talk to the world. Then, our device needs to get to google.com, but does it know what this is? Hell no. It speaks only IP (in terms of the global network). Does it know the IP of google.com? No. That’s why it asks the DNS server. DNS server is a device, which is responsible for storing and mapping domain names and corresponding IP addresses. Nobody on Earth would like to remember IP addresses to enter the websites, that’s why the DNS was invented. In our case, the DNS address is the address of our router. When it gets the DNS request, it looks in its DNS server for the requested “google.com” and if it does not find anything, it asks the next DNS server.
First, it asks the Root DNS server: “do you know what google.com is?” and gets an answer: “No idea, but ask these guys [list of IP’s of other DNS servers, which are responsible for .com top-level domain]”
Then the router repeats the same for the TLD DNS servers and gets an answer: ”No idea, but ask this guy; it’s responsible for google.com”
Then the router asks the Authoritative DNS server and finally gets a response, which is being written in its own local DNS cache (so it does not send requests over the DNS network every time).
Now, when we have an address of google.com and have our own IP, we can go ahead and ask the Google server to give us the desired google.com page.
The last thing standing between google.com and us is NAT (Network Address Translation). As I said before, even when we have multiple hosts with multiple local addresses, they all are hiding behind the global address of our router. When a host’s request exits LAN, the router remembers the IP of the requestor and transforms it into its own global address, and when the response is back, it sends it to the initial requestor.
In more detail, this process looks like this: the sender generates some random application port, which is being remembered by the router. Then, the router transforms this port to another random port, which can be passed over the web (there are ranges of ports, which are not allowed to travel through the web), maps it to the IP of the local machine, which is the sender and then sends it to the receiver. When the router gets a reply, it does all the steps in the opposite order.
192.168.0.2 -> google.com = 192.168.0.2:60354 -> 18.104.22.168:64287 (at this step router maps 64287 with the 192.168.0.10 address) 22.214.171.124:64287 -> google.com
Another interesting and crucial topic in networking is Subnetting. In layman’s terms, it’s just dividing networks into subnetworks. This is being achieved with the use of subnet masks, which are records with IP-like syntax, like
255.255.255.0 . It defines which part of the IP address belongs to the network and which to the hosts.
For example, if we have an IP address (network address)
192.168.0.0 with the mask of
255.255.255.0, it will mean that the first three octets of the IP are used by the network, and the last one belongs to hosts. So,
255 means that the whole octet belongs to the network, and
0 means that octet entirely belongs to hosts.
192.168.0.253, according to the
255.255.255.0 mask will be in the same network, but
192.168.1.10 will be in different ones. Network addresses of
192.168.0.0 with the mask
255.255.255.0 are called the “C class” addresses.
The “B class” addresses are
172.16.0.0/16 (255.255.0.0). According to our previous logic,
172.16.10.10 will be in the same network, but
172.17.200.112 will be on different networks.
Also, there is an “A class”, which is the biggest one. It looks like
10.0.0.0/8 (255.0.0.0). But what if we see something like
192.168.0.0/25 ? What do we do now? We add another bit to the last octet and get
11111111.11111111.11111111.10000000. We already know that
255, but what the hell is
1000000? Just use a binary to decimal converter. We get
255.255.255.128, which means that the last octet is divided by 2 and has two networks in it. First is
192.168.0.0 with the broadcast address of
192.168.0.127, and the second one with the net address
192.168.0.128 and the broadcast address of
192.168.0.255. This means that
192.168.0.135 are in different subnets. I’ll leave a little hint here for you:
/24 - 255.255.255.0 /25 - 255.255.255.128 /26 - 255.255.255.192 /27 - 255.255.255.224 /28 - 255.255.255.240 /29 - 255.255.255.248 /30 - 255.255.255.252 /31 - 255.255.255.254 /32 - 255.255.255.255 (used to identify a host) Same works with /16 /16 - 255.255.0.0 /17 - 255.255.128.0 And so on!
I hope It was somewhat clear, and you’ve gained some basic knowledge about networking. Good luck and see you next time!