The (very) basics of Networking

— Hey, our net has been down for almost 20 minutes, hosts are not receiving DHCP, looks like ARP frames are not passing through.

After these words, you wake up in a cold sweat. Having the nightmare of being a network engineer and understanding nothing at all about networking is surely a bad thing! But do not be intimidated by these scary terms; let me explain the basics.

First of all, I want to ask one thing of you: don’t look at networking as something painful, and forget all the bad experiences you had in the past! Once you understand what all the moving parts do, having (or even handling) networking problems will be a much easier thing to overcome.

Networking hardware 101

Okay, first of all, let’s speak about the participants of a network. The first and simplest one is a host, or client. This machine is the lowest one in the networking hierarchy. A client can be almost any device with a NIC (Network Interface Card), like your PC or my smartphone.

The next one is the server. A server is a machine that runs some service, like the “apache” web server, and it serves the client the information it requested. Next comes a network switch, which gives us the ability to interconnect many hosts with each other (wired ones; the wireless equivalent is called an AP, aka Access Point). Switches come in different shapes, from a simple “dumb” switch at your home to an enterprise-level “cool” switch at your workplace. The difference between those two lies in the number of ports, the quality and stability of the connection, and additional functionality like VLANs and SSH remote access.

Next in line is a network router. This device is pretty complicated and is used to interconnect two or more different networks. As with switches, routers can differ in quality and performance.

And another member of the network is a hardware firewall. It is installed after the router and works as a filter for all the network traffic. Think of it as the gatekeeper who guards the network.

Building our first network

What is the most straightforward network we can build? Of course, it’s just two clients connected by an Ethernet cable (the cabling standard used in wired networks).

We can think of every process on the network as communication between human beings. Imagine you sit in an empty room with a person in front of you, and you want to start a conversation. What do you need to know before talking to them? Of course, their name! And just as we people have names, surnames, and nicknames, network hosts have two types of addresses: the IP address and the MAC address.

An IP address is like a human name, but unlike human names, IP addresses can be changed frequently. A MAC address is more like DNA: it is given to the host by the manufacturer of the NIC.

Let’s have a closer look at the IP address to understand it better. An IP address is a 32-bit number written in decimal format, divided into octets, which are separated by dots. Yeah, sounds complicated, but it’s nothing crazy!

192.168.0.1

Here is an example of an IP address. It contains 32 bits, and every 8 of them are separated by a dot. That’s why each group is called an octet! (8 is ‘octo’ in Greek.) So, 192 is the first octet, 168 is the second one, and so on. These are decimal numbers, and if we convert them to binary, we get:

11000000.10101000.00000000.00000001

It’s 32 bits! Every bit can be a 0 or 1.

The range of an IP address is from 0.0.0.0 to 255.255.255.255, or, in binary, from 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111.

But neither 0.0.0.0 nor 255.255.255.255 is used as a host address in the real world. IP address space is managed by the IANA organization, which sets the standards for using IPs on the net. Some IPs are reserved and cannot be used.

IP addresses can be local and global. Each client on the network has its own local IP address, but when its request exits through the network router, the local address is converted to the global one. So, all the clients of your network exit the router with one global address.

This means that with only one global address (the address of the external port of your router), you can have a lot of local addresses and use them in any way you want. Everything behind your router is YOURS, and you are the GOD of your network.

But there are some restrictions on local addresses. There are ranges you may use for your LAN (Local Area Network, everything that lies behind your router), and they are:

10.0.0.1 - 10.255.255.254
172.16.0.1 - 172.31.255.254
192.168.0.1 - 192.168.255.254

And yes, 254 is the last usable value of the last octet. There are two addresses that you cannot give to a client: the network address and the broadcast address. The network address is the address of the network itself and looks like 192.168.0.0. The broadcast address is the one where all the host octets are 255, and it is used for sending a request to ALL the hosts on the current network.

A MAC address is a hexadecimal number, which looks like this:

XX:XX:XX:XX:XX:XX

So, 12 hexadecimal digits, in pairs separated by colons. This address is the physical machine address of your host’s NIC and is written on a sticker on the device you use to connect to the network.

On the sticker of a Cisco device, for example, the colons are not written, though they are implied. The first half (6 digits) of the MAC address is assigned by the manufacturer and is the same for all the devices produced by them; the other half is random, so the MAC address is unique and cannot be changed (though it can be spoofed).

For example, if I run a network scanner on my smartphone, I can see a bunch of device MAC addresses that start with the same 1c:bf:ce part. Those are security cameras from the same manufacturer, so the first half of their MACs is the same!

Let’s get back to our network. If we connect two PCs, give each of them a local IP address, and run a ping command from CLIENT 1, we will receive a response from CLIENT 2.

But have you ever seen such a connection in the real world? I don’t think so. If we want to connect more than two hosts, we would need to install an additional NIC on each of them, because each NIC has only one port, so it can be connected to only one neighbor at a time. This would be awful. This is why we have switches!

With a switch in between, we can now ping the third host! Simple, isn’t it?

You might have a reasonable question: if we use IP addresses, why do we even need MAC addresses? It’s not as simple as it looks. The host knows the destination IP address, but all communication inside an Ethernet network works with MAC addresses, so the data is transferred not by IP, but by MAC.

CLIENT 1 has no idea about CLIENT 2’s MAC address, so how does it know where to send the data? It merely sends a piece of data (called a frame, but this will be discussed later) whose destination is FF:FF:FF:FF:FF:FF. This means that this data will be sent to everyone.

What does this frame contain? It contains the following: “Host with the IP of 192.168.0.2, what is your MAC?” If the receiver’s IP is not 192.168.0.2, it drops the frame, and if it really is 192.168.0.2, it sends a response to the sender, and finally the ICMP (ping) connection can be established.

This protocol for getting the MAC address of a host knowing its IP is called ARP (Address Resolution Protocol). There is also an inverted protocol, which helps us find a host’s IP when we know its MAC, and it is called inARP (inverted ARP).

Each host has its own ARP table, in which it writes down information about the other hosts. It looks like this:

192.168.0.2 → 00:E0:A3:42:B0:10
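To make the broadcast-then-reply exchange above concrete, here is a small simulation (added example, not code from the original post): three hosts on a switch, where CLIENT 1 learns CLIENT 2’s MAC by broadcasting an ARP request and stores the answer in its ARP table. All host names, IPs and MACs are constructed sample values, and the switch simply floods frames to every port, leaving each NIC to drop what is not for it.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"             # layer-2 "send to everyone"

class Host:
    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_table = {}                 # ip -> mac, learned from replies
        self.switch = None
    def receive(self, frame):
        # A frame that is neither for us nor broadcast is dropped by the NIC.
        if frame["dst_mac"] not in (self.mac, BROADCAST):
            return
        if frame["type"] == "arp-request":
            # Only the host that owns the asked-for IP answers, by unicast.
            if frame["target_ip"] == self.ip:
                self.switch.forward({"type": "arp-reply",
                                     "src_mac": self.mac,
                                     "dst_mac": frame["src_mac"],
                                     "sender_ip": self.ip})
        elif frame["type"] == "arp-reply":
            self.arp_table[frame["sender_ip"]] = frame["src_mac"]
    def resolve(self, target_ip):
        """Return target_ip's MAC, broadcasting an ARP request if unknown."""
        if target_ip not in self.arp_table:
            self.switch.forward({"type": "arp-request",
                                 "src_mac": self.mac,
                                 "dst_mac": BROADCAST,
                                 "target_ip": target_ip})
        return self.arp_table.get(target_ip)

class Switch:
    # Floods every frame to all other ports (a real switch also learns
    # which port each MAC sits on); the hosts filter by destination MAC.
    def __init__(self):
        self.ports = []
        self.frames_seen = 0                # frames that crossed the wire
    def connect(self, host):
        self.ports.append(host)
        host.switch = self
    def forward(self, frame):
        self.frames_seen += 1
        for host in self.ports:
            if host.mac != frame["src_mac"]:
                host.receive(frame)

def demo():
    sw = Switch()
    hosts = [Host("CLIENT 1", "192.168.0.1", "00:e0:a3:42:b0:01"),
             Host("CLIENT 2", "192.168.0.2", "00:e0:a3:42:b0:10"),
             Host("CLIENT 3", "192.168.0.3", "00:e0:a3:42:b0:11")]
    for h in hosts:
        sw.connect(h)
    c1, c3 = hosts[0], hosts[2]
    first = c1.resolve("192.168.0.2")       # request + reply: 2 frames
    second = c1.resolve("192.168.0.2")      # answered from the ARP table
    return first, second, sw.frames_seen, dict(c3.arp_table)
```

The second lookup sends nothing, and CLIENT 3 ends up with an empty table: it saw the broadcast request but, not owning the IP, dropped it, and the unicast reply was never addressed to it.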

Before moving on, I would like to introduce you to the OSI model, which organizes all this mess into layers. The OSI model consists of 7 independent layers, each with its own responsibilities.

OSI from top to bottom:

Layer #7: Application
Layer #6: Presentation
Layer #5: Session
Layer #4: Transport
Layer #3: Network
Layer #2: Data Link
Layer #1: Physical

#7 The Application layer is responsible for application requests and responses, like HTTP, DNS, and so on.

#6 The Presentation layer is responsible for encoding requests in some specific format, like .mp3, .jpeg, and so on.

#5 The Session layer is responsible for establishing a session between two applications. This includes checksums and other means of synchronization. The information unit used on this layer and the layers above it is “data.”

#4 The Transport layer is responsible for the way data is transmitted over the network, with two common protocols: TCP and UDP. TCP is a way of data transmission in which the delivery status is checked every time, so if some part of the transmission is lost, the host sends that piece one more time. UDP is much faster because it checks nothing and just sends the info out. These two protocols can be compared to a phone call (TCP) and a radio (UDP).

Application ports also work on this layer. All applications and services have their own ports. For example, websites (HTTP/HTTPS) use ports 80 and 443 respectively, FTP uses port 21, SSH uses port 22, DNS runs on 53, and so on. Ports are used to identify the receiving application, because there might be multiple services running on the server. The information unit for this layer is a segment (for TCP) or a datagram (for UDP).

#3 The Network layer is responsible for IP communication. The information unit is a packet.

#2 The Data Link layer is responsible for MAC communication. The information unit is a frame (the frame we already talked about, whose destination is FF:FF:FF:FF:FF:FF, is called a broadcast frame, and it works on this layer of the OSI model).

#1 The Physical layer is responsible for physical communication (over Wi-Fi, coaxial cables, Ethernet cables, optical fiber, and so on).

From the sender’s perspective, the process starts at layer #7 and finishes at layer #1, and it is the other way around on the receiving device. The process of passing information from an upper layer to the lower one is called encapsulation, and unpacking it from the lower to the upper is called de-encapsulation.

This all can be compared to the post office:

The sender depends on the mailbox to hold her letter until a postal worker picks it up and takes it to the post office. The people at the post office, in turn, depend on truck drivers to transport the letter to the correct city. The truck drivers, for their part, rely on the road system. Throughout the entire process, various protocols govern how people behave. For example, the sender follows basic rules for writing business letters, the mail carriers follow postal service regulations for processing the mail, and the truck drivers obey traffic laws. Think of how complex it might be to explain to someone all the different rules or protocols involved if you were not able to separate or categorize these activities into layers.


Now that we have basic knowledge about what the hell is going on, we can have a more in-depth look at some real-life examples.

Let’s imagine that we walk into some fast food eatery and connect to their Wi-Fi. Then we open the web browser and go to google.com. It looks ridiculously simple, doesn’t it? Well, not at all!

Let’s go to the first step of our “journey”: we connect to the Wi-Fi. What happens next? First of all, to communicate with the outside world at all, we need to obtain an IP address, but don’t you even think that the sysadmin will come down from the skies and give it to you manually. No, this is done automatically by the DHCP protocol. DHCP is a protocol for the automatic assignment of IP addresses on the network (most commonly handled by the router), and it works in 4 steps:

Discovery
Offer
Request
Acknowledgment

(DORA is a simple acronym to remember these steps.)

Discovery: When you connect to the network, your device wants to obtain an IP. To make that happen, the DHCP server first needs to be found. Does your device know the address of the DHCP server? No. How does it find it? By ARP, of course. It sends out a broadcast frame with the request, “Are you a DHCP server?”

Offer: If the receiver is not a DHCP server, it drops the frame; if it is a DHCP server, it reads the request and sends a response like “Hey, I am a DHCP server, and I have a free address, 192.168.100.87, for you.”

Request: After receiving an answer from the DHCP server, the client decides whether it wants this address or not. If it does, the client sends a frame to the server: “Hey, it looks great, I’ll take it!”

Acknowledgment: The DHCP server sends out the options (containing the default gateway, which is the local IP address of the router; the DNS server address, usually located inside the router; and the offered IP address itself) and writes information about the given IP in its own list. Every IP given out by the DHCP server has a lease time, and if the host is inactive for some time, the server takes this IP back.

Okay, we have an IP address, great. Now we can talk to the world. Then our device needs to get to google.com, but does it know what that is? Hell no. It speaks only IP (in terms of the global network). Does it know the IP of google.com? No. That’s why it asks the DNS server. A DNS server is a device responsible for storing and mapping domain names to their corresponding IP addresses. Nobody on Earth would like to remember IP addresses to visit websites, which is why DNS was invented. In our case, the DNS address is the address of our router. When it gets the DNS request, it looks in its own DNS records for the requested “google.com”, and if it does not find anything, it asks the next DNS server.

First, it asks a Root DNS server: “Do you know what google.com is?” and gets the answer: “No idea, but ask these guys [list of IPs of other DNS servers, which are responsible for the .com top-level domain].”

Then the router repeats the same for the TLD DNS servers and gets the answer: “No idea, but ask this guy; it’s responsible for google.com.”

Then the router asks the Authoritative DNS server and finally gets a response, which it writes into its own local DNS cache (so it does not send requests over the DNS network every time).

Now that we have the address of google.com and our own IP, we can go ahead and ask the Google server to give us the desired google.com page.

The last thing standing between google.com and us is NAT (Network Address Translation). As I said before, even when we have multiple hosts with multiple local addresses, they all hide behind the global address of our router. When a host’s request exits the LAN, the router remembers the IP of the requestor and transforms it into its own global address, and when the response comes back, it sends it to the initial requestor.

In more detail, this process looks like this: the sender generates some random source port, which is remembered by the router. Then the router transforms this port into another random port that can be passed over the web (there are ranges of ports which are not allowed to travel through the web), maps it to the IP of the local machine that is the sender, and then sends it on to the receiver. When the router gets a reply, it does all the steps in the opposite order.

192.168.0.2 -> google.com =
192.168.0.2:60354 -> 100.0.0.1:64287
(at this step the router maps port 64287 to the 192.168.0.2 address)
100.0.0.1:64287 -> google.com
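The router’s side of that exchange, as an added example that is not part of the original post: a port-based NAT table that rewrites outgoing packets, reverses the rewrite for replies, and discards inbound packets for which nobody inside opened a flow. The addresses and ports are the post’s own sample values; 198.51.100.10 is a constructed stand-in for google.com’s address, and handing out public ports sequentially from 64287 is a simplification of what a real router does.

```python
import itertools

class Nat:
    def __init__(self, public_ip, first_port=64287):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.table = {}         # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet leaving the router and remember the mapping."""
        for pub_port, inside in self.table.items():
            if inside == (src_ip, src_port):        # existing flow, reuse it
                break
        else:
            pub_port = next(self._ports)
            self.table[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Undo the rewrite for a reply; anything without state is dropped."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None          # nobody inside asked for this: discard it
        priv_ip, priv_port = self.table[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

def demo():
    nat = Nat("100.0.0.1")
    out = nat.outbound("192.168.0.2", 60354, "198.51.100.10", 443)
    reply = nat.inbound("198.51.100.10", 443, out[0], out[1])
    # A second LAN host using the same source port still gets its own
    # public port, so replies for the two flows never get mixed up.
    out2 = nat.outbound("192.168.0.3", 60354, "198.51.100.10", 443)
    # An unsolicited packet from the internet matches no table entry.
    stray = nat.inbound("203.0.113.9", 4444, "100.0.0.1", 22)
    return out, reply, out2, stray
```

The dropped stray packet is the everyday side effect of NAT that many home networks rely on: without a matching outbound flow, the router has no idea which LAN host a packet could be for.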

Subnetting

Another interesting and crucial topic in networking is subnetting. In layman’s terms, it’s just dividing networks into subnetworks. This is achieved with the use of subnet masks, which are records with IP-like syntax, like 255.255.255.0. The mask defines which part of the IP address belongs to the network and which to the hosts.

For example, if we have the network address 192.168.0.0 with the mask 255.255.255.0, it means that the first three octets of the IP are used by the network, and the last one belongs to hosts. So, 255 means that the whole octet belongs to the network, and 0 means that the octet belongs entirely to hosts.

According to the 255.255.255.0 mask, 192.168.0.10 and 192.168.0.253 will be in the same network, but 192.168.0.10 and 192.168.1.10 will be in different ones. Network addresses like 192.168.0.0 with the mask 255.255.255.0 are called “class C” addresses.

“Class B” addresses look like 172.16.0.0/16 (255.255.0.0). According to our previous logic, 172.16.0.10 and 172.16.10.10 will be in the same network, but 172.16.200.24 and 172.17.200.112 will be in different networks.

Also, there is “class A”, which is the biggest one. It looks like 10.0.0.0/8 (255.0.0.0). But what if we see something like 192.168.0.0/25? What do we do now? We add another bit to the last octet and get 11111111.11111111.11111111.10000000. We already know that 11111111 is 255, but what the hell is 10000000? Just use a binary-to-decimal converter. We get 255.255.255.128, which means that the last octet is split in two and holds two networks. The first is 192.168.0.0 with the broadcast address 192.168.0.127, and the second one has the network address 192.168.0.128 and the broadcast address 192.168.0.255. This means that 192.168.0.10 and 192.168.0.135 are in different subnets. I’ll leave a little hint here for you:

/24 - 255.255.255.0
/25 - 255.255.255.128
/26 - 255.255.255.192
/27 - 255.255.255.224
/28 - 255.255.255.240
/29 - 255.255.255.248
/30 - 255.255.255.252
/31 - 255.255.255.254
/32 - 255.255.255.255 (used to identify a host)
The same works with /16:
/16 - 255.255.0.0
/17 - 255.255.128.0
And so on!
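The binary view of an address, the prefix-to-mask table above and the network/broadcast arithmetic from the /25 example can all be done with a few bit operations. The following is an added example, not code from the original post; it uses only the values discussed above and rejects malformed addresses and prefixes instead of silently producing garbage.

```python
def ip_to_int(ip):
    """'192.168.0.1' -> the 32-bit number the post shows in binary."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 address: " + ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(ip):
    """Dotted binary, one 8-bit octet per group, exactly as written above."""
    n = ip_to_int(ip)
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/25 -> 255.255.255.128: the top `prefix` bits set, the rest zero."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return int_to_ip(((1 << prefix) - 1) << (32 - prefix))

def subnet(ip, prefix):
    """Return (network address, broadcast address) of the subnet ip is in."""
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(ip) & mask              # keep network bits, zero hosts
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set to 1
    return int_to_ip(network), int_to_ip(broadcast)

def same_subnet(ip_a, ip_b, prefix):
    return subnet(ip_a, prefix)[0] == subnet(ip_b, prefix)[0]

def usable_hosts(prefix):
    """Classic count: 2^(host bits) minus the network and broadcast addresses."""
    return max(2 ** (32 - prefix) - 2, 0)
```

Running `subnet("192.168.0.135", 25)` reproduces the second half of the /25 split above, and `usable_hosts(24)` gives the 254 that the “254 is the last octet” remark refers to.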

I hope it was somewhat clear, and that you’ve gained some basic knowledge about networking. Good luck and see you next time!
