Address Resolution Protocol (ARP) Working

ARP is a Layer 2 protocol used to obtain the MAC address of any device within a network. Host machines use ARP to obtain MAC addresses, and ARP works in conjunction with Layer 3 IP addressing (IP addresses).

A host machine uses ARP because, when it needs to send a packet to another device, the destination MAC address has to be written into the frame it sends, so the host must know the MAC address of the destination machine. Operating systems also maintain an ARP table (IP address to MAC address table).

To obtain a MAC address, ARP performs the following process (ARP request by the host machine):

  • The source machine generates an ARP REQUEST packet containing its own source MAC address, its own source IP address and the destination IP address, and forwards this packet to the switch.
  • The switch receives the incoming packet and reads the source MAC address, then checks its MAC address table: if an entry for the incoming port is found, it compares the stored MAC address with the source MAC address and updates it; if no entry is found, the switch adds an entry for the incoming port with that MAC address.
  • All ARP REQUEST packets are broadcast in the network, so the switch broadcasts the ARP REQUEST packet to the network.

(Broadcast packets are those sent to everyone in the network except the sender. A broadcast stays within the network it belongs to; it cannot span multiple networks.)

  • All devices in the network receive the ARP packet and compare their own IP address with the destination IP address in that packet.
  • Only the machine whose IP address matches replies with an ARP REPLY packet. This packet carries the source IP address of this machine (which was the destination machine in the previous packet; as it is now replying, it becomes the source machine), its source MAC address, the destination MAC address (the same as the source MAC address in the REQUEST packet) and the destination IP address (the same as the source IP address in the REQUEST packet).
  • The switch then reads the ARP REPLY message, adds an entry in its MAC address table for the port on which it received the packet by reading the source MAC address field, and forwards the packet to the destination machine (the source machine of the REQUEST packet), whose MAC address is in the destination MAC address field.
  • Finally, the host machine adds an entry for the destination machine to its ARP table.

Using ARP, devices in a network obtain the MAC address of any other device in that network. Remember that ARP relies on broadcast, so it works only within a single (local) network.
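The request/reply exchange described above, written out as an added Python example (not part of the original post): it encodes and parses ARP frames and simulates the hosts on one broadcast domain. All MAC and IP addresses used are constructed sample values.

```python
import struct
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"          # target MAC is unknown in a request
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 field order)."""
    dst_mac = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac  # request: broadcast
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    body = frame[22:42]
    return {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]), "opcode": opcode,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}

def handle_frame(frame, my_mac, my_ip, arp_table):
    """Receiver side: every host compares the target IP with its own and only the
    owner answers; the requester records the replier's MAC when the reply arrives."""
    pkt = parse_arp(frame)
    if pkt["opcode"] == ARP_REQUEST and pkt["target_ip"] == my_ip:
        return build_arp(ARP_REPLY, my_mac, my_ip, pkt["sender_mac"], pkt["sender_ip"])
    if pkt["opcode"] == ARP_REPLY and pkt["target_ip"] == my_ip:
        arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
    return None

def resolve(requester_mac, requester_ip, target_ip, hosts):
    """Simulate one broadcast domain; hosts is {ip: mac} of the other devices."""
    table = {}
    request = build_arp(ARP_REQUEST, requester_mac, requester_ip, ZERO_MAC, target_ip)
    for ip, mac in hosts.items():           # the switch floods the broadcast to every port
        reply = handle_frame(request, mac, ip, {})
        if reply:
            handle_frame(reply, requester_mac, requester_ip, table)
    return table
```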

Is Ping (ICMP) a Layer 3 or Layer 4 Protocol?

There is a long-running debate on whether Ping (ICMP) is a Layer 3 or Layer 4 protocol, and if it is Layer 4, which protocol it uses, TCP or UDP.

Ping is a very common network utility used to test end-to-end connectivity between two end points (machines, routers, etc.). The ping utility uses the ICMP protocol for its functioning.

ICMP is a Layer 3 protocol; it does not use any Layer 4 protocol. It packs all its information directly into an IP packet.

For the test, I pinged my own website from my laptop – www.sakunsharma.in

So this ping generated the following sequence of packets from my computer:

[Figure: ICMP Packets]

Now, let's look at the first ICMP (ping) Echo Request packet in detail:

[Figure: ICMP Packet Detail 1]

From the above capture we can see that ICMP does not use any Layer 4 protocol (TCP/UDP). It simply packs all its information into an ICMP header, places that ICMP message as the data of a Layer 3 IP packet, encapsulates it further in a Layer 2 Ethernet frame and transmits it.

So, finally, Ping (ICMP) is a Layer 3 protocol.
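An added example (not from the original post) that builds an echo request the way ping does and then dissects it as a sniffer would: the IP protocol field is 1 and the ICMP header follows the IP header directly, so there is no TCP/UDP header and no port numbers anywhere in the packet. Addresses and payload are constructed sample values.

```python
import struct

IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def checksum(data):
    """RFC 1071 ones-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(icmp_type, ident, seq, payload):
    """ICMP header: type, code, checksum, identifier, sequence, then data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with the payload placed directly after it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def dissect(packet):
    """Walk the headers the way a sniffer does: the IP protocol field says what
    follows, and for ICMP (1) that is the ICMP header itself, with no TCP/UDP
    header and therefore no port numbers in between."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"ip_proto": proto, "ip_header_ok": checksum(packet[:ihl]) == 0,
            "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20]))}
    if proto == IP_PROTO_ICMP:
        t, code, _, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
        info.update(icmp_type=t, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                    icmp_ok=checksum(packet[ihl:]) == 0, l4_ports=None)
    elif proto in (6, 17):                      # TCP or UDP would carry ports here
        info["l4_ports"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def ping_packet(src, dst, seq, payload=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """Echo request as ping sends it (constructed addresses, 32-byte payload)."""
    return build_ipv4(src, dst, IP_PROTO_ICMP, build_icmp_echo(ICMP_ECHO_REQUEST, 1, seq, payload))
```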


Backup Router/Switch Configuration

Here are two easy methods to back up a router/switch configuration file:

  • Using PuTTY logging
  • Using TFTP

Using PuTTY Logging

  1. Open the router/switch terminal via a PuTTY connection.
  2. Enter enable mode (by entering the enable command).
  3. Enter the command terminal length 0 (to display show run output without page breaks).
  4. Right-click the PuTTY title bar and select Change Settings.

    [Figure: PuTTY right-click menu]

  5. Select Session –> Logging and set:
    • Session logging – All session output
    • Log file name – path and filename for the config file.

    [Figure: PuTTY Change Settings]

  6. Enter the command show run on your router/switch.
  7. Close the session.

Using TFTP

  1. You can transfer the file from the router/switch to your TFTP server.
  2. For the TFTP server, you can use the open source TFTPD32 application.
    • Download link – http://tftpd32.jounin.net/tftpd32_download.html
  3. Configure your TFTPd32 application as shown in the screenshot:

    [Figure: TFTPd32 Settings]

    • Current Directory – the directory where you want to store your configuration file.
  4. Enter the following command in enable mode of your router/switch:
    • copy running-config tftp:
      • Enter the TFTP server address – e.g. 192.168.0.101
      • Enter the file name for the config – e.g. r1-config

[Figure: tftp commands]

[Figure: tftp file receive]

[Figure: desktop]

Similarly, you can use this method to copy firewall or other device configurations.

Lab: Access List (ACL) in Simple Networks

Description:

This lab demonstrates how to use an access list (ACL) in a simple network to filter traffic. We will use a standard access list as well as an extended IP access list.

Scenario:

There are two different networks connected through a router. By default the router performs routing between those two networks and everything works fine. Now the company has deployed a client-server architecture and wants to add security so that only particular hosts can access particular servers. Our responsibility is to fulfil this security requirement.

Topology:

[Figure: Sakun Sharma ACL Lab Topology]

Requirement:

  1. Only HostC can access AccServer.
  2. Both hosts can access WebServer, but only for HTTP service.
  3. Only AccServer can access DatabaseServer.


Device Details:

Device          IP Address                  Remarks
AccServer       192.168.1.51/24             Accounts Server
WebServer       192.168.1.91/24             Web Server
DatabaseServer  10.1.1.1/24                 Database Server
SW1             No IP Address               Server Switch (no VLANs)
R1              f0/0 – 192.168.1.1/24       Server Network Gateway
                f1/0 – 172.16.50.1/16       LAN Gateway
                f2/0 – 10.1.1.2/24          Database Server Gateway
HostC           172.16.10.22/16             Accounts User
HostD           172.16.15.11/16             Normal User

Implementation:

We will use two ACLs, as follows:

  1. On R1 at s0/1 IN – IP extended access list – to allow HostC to access AccServer, allow both hosts HTTP access to WebServer, and block all other access to AccServer.
  2. On R1 at f2/0 OUT – standard access list – to allow traffic only from AccServer and block all the rest.

Access Lists:

On R1 at s0/1 in:

Extended IP access list 101
10 permit ip host 172.16.10.22 host 192.168.1.51
20 permit tcp 172.16.0.0 0.0.255.255 host 192.168.1.91 eq www

Commands:
access-list 101 permit ip host 172.16.10.22 host 192.168.1.51
access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 192.168.1.91 eq www

Here we have created extended numbered access list 101, which contains two statements with sequence numbers 10 and 20.

10: Permit all IP protocols from host 172.16.10.22 to host 192.168.1.51 – this statement permits traffic from HostC to AccServer.

20: Permit only TCP 'www' (port 80) from network 172.16.x.x to host 192.168.1.91 – this statement permits only HTTP traffic from the 172.16.x.x network to WebServer.

Implicit deny – at the end of every access list there is an implicit deny, meaning a packet that does not match any of the criteria above is dropped. That is why all traffic to AccServer other than from host 172.16.10.22 is dropped, and all non-HTTP traffic to WebServer is dropped.

On R1 at fa2/0 out:

Standard IP access list 10
10 permit 192.168.1.51

Command: access-list 10 permit 192.168.1.51

Here we create a standard access list to filter traffic to DatabaseServer. In this command, at sequence number 10, we permit host 192.168.1.51 only; all others are denied by the implicit deny at the end.

[Figure: Access list configuration on R1]

[Figure: ACL applied to interfaces]

Here we assign those access lists to the interfaces.
Extended access list 101 is applied on 'interface FastEthernet1/0' with 'ip access-group 101 in'; it is configured as an inbound access list.

Standard access list 10 is applied on 'interface FastEthernet2/0' with 'ip access-group 10 out'; it is configured as an outbound access list.
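The matching logic the two lists implement, as an added Python example (not part of the lab files): it parses the exact access-list commands entered above, applies Cisco wildcard-mask semantics and the implicit deny, and can be checked against the lab's hosts (HostC 172.16.10.22, HostD 172.16.15.11, AccServer 192.168.1.51, WebServer 192.168.1.91, DatabaseServer 10.1.1.1). The function and field names are the example's own.

```python
from ipaddress import IPv4Address

PORTS = {"www": 80, "ftp": 21, "telnet": 23}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so 172.16.0.0 0.0.255.255
    matches every 172.16.x.x address and 'host X' is X with mask 0.0.0.0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse one 'access-list N permit ...' line (the lab's subset: a standard
    list takes a source only; an extended list takes protocol, source and
    destination as 'host X' or 'A WILDCARD', and an optional 'eq PORT')."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "permit"
    ace = {"proto": "ip", "src": None, "dst": None, "dport": None}
    if int(tok[1]) < 100:                           # standard ACL (1-99)
        ace["src"] = (tok[3], tok[4] if len(tok) > 4 else "0.0.0.0")
        return ace
    ace["proto"], i = tok[3], 4                     # extended ACL (100-199)
    for key in ("src", "dst"):
        if tok[i] == "host":
            ace[key], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            ace[key], i = (tok[i], tok[i + 1]), i + 2
    if i + 1 < len(tok) and tok[i] == "eq":
        ace["dport"] = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return ace

def permits(acl_lines, src, dst, proto, dport=None):
    """Top-down evaluation: the first matching entry decides; a packet that
    matches nothing hits the implicit deny at the end and is dropped."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]):
            continue
        if ace["dst"] and not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return True
    return False

# The two lists from this lab, exactly as entered on R1.
ACL_101 = ["access-list 101 permit ip host 172.16.10.22 host 192.168.1.51",
           "access-list 101 permit tcp 172.16.0.0 0.0.255.255 host 192.168.1.91 eq www"]
ACL_10 = ["access-list 10 permit 192.168.1.51"]
```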

Testing:

From Host C

[Figure: test results from Host C]

Note: Ping to 192.168.1.91 (WebServer) fails because only HTTP (TCP port 80) traffic is allowed.

From Host D

[Figure: test results from Host D]

From AccServer

[Figure: Account Server Ping]

From WebServer

[Figure: test results from WebServer]


Download GNS 3 Lab:

ACL Simple Lab: http://www.sakunsharma.in/Labs/ACL/ACL_Simple.zip



Firewall Rules for Connectionless Protocol / Two Way Firewall Rule (Reverse Rule)

Generally, when we configure access through a firewall policy, we configure a permit rule from source to destination. This allows traffic to be initiated from source to destination and also allows the response from destination to source for the service we allowed.

A single access rule works for services using connection-oriented protocols like TCP, but not for connectionless protocols like UDP, ESP, etc. For connectionless protocols we have to create a two-way firewall rule that allows traffic in either direction, which means we need to add a reverse access rule from destination to source, because the firewall has no way to associate the traffic in both directions with a particular session.

Connection-oriented protocols create a session/connection before the actual data interchange starts. A firewall can observe the TCP/IP handshake or, in the case of NAT, initiate a new connection to the destination on behalf of the source. Either way, whenever a connection is initiated from source to destination through a firewall, information unique to that connection is saved by the firewall in a state table: source IP, source port, destination IP and destination port (with NAT, more information is stored). So when the firewall receives a response from the destination, it checks its state table for an existing connection initiated by the source. The firewall forwards the response only if:

  • the response comes from the destination IP and destination port in the state table, and
  • the response is directed to the source IP and source port in the state table.

But with a connectionless protocol there is no handshake and no session is created; each packet stands on its own. So traffic from source to destination is allowed if a matching rule is found, and the response from destination to source also requires a matching rule, otherwise the response is blocked.

So for connectionless protocols we need to create a reverse firewall access rule to allow two-way communication.

However, many firewalls can take care of some well-known connectionless services such as DNS and can track DNS responses for given requests without requiring any reverse rule. If your firewall has such support, it is recommended to use it rather than creating reverse rules. How this is done is specific to the firewall vendor; for example, Juniper documents how its firewalls handle this.
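An added toy model of the state-table behaviour described above (example code, not from any firewall vendor or from the original post): a permitted TCP flow gets its reply admitted through the state table, while a UDP reply is dropped unless either a reverse rule exists or the firewall has protocol-specific tracking for that service. The addresses, rules and the track_connectionless switch are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One packet's identity as a firewall sees it (ESP has no ports: use 0)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class Firewall:
    """Toy stateful firewall. rules are permit tuples (proto, src, dst, dport or
    None for any). A permitted TCP connection is recorded in the state table so
    its reply can return; UDP/ESP replies are only matched statefully when the
    firewall has protocol-specific tracking (track_connectionless), otherwise
    they need their own rule in the reverse direction."""
    def __init__(self, rules, track_connectionless=False):
        self.rules = rules
        self.track_connectionless = track_connectionless
        self.state = set()          # reverse flows that are expected back

    def _rule_permits(self, f):
        return any(p == f.proto and s == f.src and d == f.dst and dp in (None, f.dport)
                   for p, s, d, dp in self.rules)

    def forward(self, f):
        if f in self.state:         # response to a tracked session
            return True
        if not self._rule_permits(f):
            return False            # implicit deny
        if f.proto == "tcp" or self.track_connectionless:
            self.state.add(f.reverse())
        return True

# Constructed sample: an internal host queries DNS on a server across the firewall.
QUERY = Flow("udp", "192.0.2.10", 40000, "198.51.100.53", 53)
FORWARD_RULE = ("udp", "192.0.2.10", "198.51.100.53", 53)
REVERSE_RULE = ("udp", "198.51.100.53", "192.0.2.10", None)

def dns_reply_allowed(rules, track_connectionless=False):
    """Send the query, then test whether the server's reply gets back through."""
    fw = Firewall(rules, track_connectionless)
    return fw.forward(QUERY) and fw.forward(QUERY.reverse())
```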

Configuring VLAN Trunking on Cisco SF 300 Managed L2 Switch

The Cisco SF 300 is a Layer 2 managed switch on which you can configure and manage VLANs. Devices in the same VLAN on the same switch communicate successfully, but for devices in the same VLAN on different switches to communicate, trunking must be enabled between the switches.

Always check which VLANs are allowed on the trunk port. For successful communication between devices in the same VLAN on different switches connected over a trunk port, you have to allow that VLAN on the trunk port by executing the 'switchport trunk allowed vlan add' command in trunk interface configuration mode.

For example, Switch A and Switch B both have five additional VLANs – 7, 21, 31, 91 and 8. Devices in VLAN 91 on Switch A try to communicate with devices in VLAN 91 on Switch B, and both switches are connected over a trunk port. Check whether VLAN 91 is allowed on the trunk port; if not, enter the 'switchport trunk allowed vlan add 91' command in trunk port interface mode. After this, both devices will be able to communicate with each other, because by default new VLANs are not allowed over the trunk port.

[Figure: Cisco SF 300]

How to Attach Analog Exchange Line with IP Exchange

Attaching an analog exchange line to the IP exchange is Part 4 of the complete UC500 configuration post.

To attach an analog exchange line to the Cisco Unified Communications Manager UC500, there are two sets of settings – Incoming and Outgoing.

Following are the steps to configure incoming calls:

  1. Connect the analog exchange line to any FXO port.
  2. Open Cisco Configuration Assistant (CCA) and connect to the UC500.
  3. Navigate to Telephony –> Dial Plan in the left panel of CCA.
  4. Select Incoming to configure incoming call settings.
  5. Configure the port to which you have connected the line as shown below and click Save:
    1. Destination Type – OPERATOR
    2. Destination – the extension number to which you want to redirect incoming calls (201 in this case)
  6. With this setting, whenever a call is made from an analog exchange to this line, it will ring on the extension number configured in Destination.

Following are the steps to configure outgoing calls:

  1. Navigate to Telephony –> Dial Plan –> Outgoing.
  2. First select Numbering Plan Locale as per your setting (India in my case).
  3. Set Default Access Code – the Default Access Code is the number you press to switch the dial tone from the IP exchange to the analog exchange. When you want to call an analog exchange extension number, you first press the Default Access Code and then the analog extension number (9 in my case, as there is no extension series starting with 9, neither IP extension nor analog extension).
  4. Set Digit Collection Timeout [2 – 120] – the Digit Collection Timeout is the time in seconds the system waits, after the Default Access Code is pressed, for the analog extension number to be entered; after the timeout it places the call based on the digits collected so far. (For example, if I want to call 513 (an analog extension number), after I pick up the phone and press 9 it gives me 5 sec to enter 513, and after 5 sec it places the call. A problem sometimes arises when this value is set too high and clients complain that calls to analog extension numbers take a long time to connect; in that case check this setting.)
  5. Then click Add Number at the bottom and the list will be updated.
  6. You can configure more settings such as Begins With, Number of Digits, Dial Pattern and Priority.

Thank You
