Networking Video Blog Posts


How the Address Resolution Protocol (ARP) Works

ARP is a Layer 2 protocol used to obtain the MAC address of any device within a network. Host machines use ARP to obtain MAC addresses, and ARP works in conjunction with Layer 3 IP addressing (IP addresses).

A host uses ARP because, when it needs to send a packet to another device, the destination MAC address has to be written into the frame it sends, so the host must know the MAC address of the destination machine. Operating systems also maintain an ARP table (a cache of IP-to-MAC address mappings).

To obtain a MAC address, ARP performs the following process (ARP request by the host machine):

  • The source machine generates an ARP REQUEST packet containing its own source MAC address, its own source IP address and the destination IP address, and forwards this packet to the switch.
  • The switch receives the incoming frame and reads the source MAC address. It checks its MAC address table: if an entry for the incoming port is found, it compares the stored MAC address with the source MAC address and updates it; if no entry is found, the switch adds an entry for the incoming port with that MAC address.
  • All ARP REQUEST packets are broadcast in the network, so the switch broadcasts the ARP REQUEST packet to the network.

(Broadcasts are packets sent to everyone in the network except the sender. A broadcast stays within the network it belongs to; it cannot span multiple networks.)

  • All devices in the network receive the ARP packet and compare their own IP address with the destination IP address in that packet.
  • Only the machine whose IP address matches replies with an ARP REPLY packet. This packet carries the source IP of this machine (the destination machine in the previous packet; now that it is replying, it is the source), its source MAC address, the destination MAC address (the source MAC address of the REQUEST packet) and the destination IP address (the source IP address of the REQUEST packet).
  • The switch reads the ARP REPLY, adds an entry in its MAC address table for the port on which it received the frame by reading the source MAC address field, and forwards the frame to the destination machine (the source machine of the REQUEST packet), since that machine's MAC is in the destination MAC address field.
  • Finally, the host machine adds the destination machine's entry to its ARP table.

Using ARP, devices in a network obtain the MAC address of any other device in the same network. Remember that ARP relies on broadcast, so it works only within a single network (the local network).
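The request/reply exchange and the two tables described above (the switch's MAC address table and each host's ARP table), as an added simulation that is not part of the original post. It builds real Ethernet/ARP frames with struct, so the field layout matches what a capture would show; all MAC and IP addresses are constructed sample values, and the Host/Switch classes are simplified models (a host here also learns the sender's mapping from a request addressed to it, and logs a cache entry whose MAC changes, which is a check worth having on a real host).

```python
import struct

# All MAC and IP addresses in this file are constructed sample values, not from the post.
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (EtherType 0x0806) carrying an Ethernet/IPv4 ARP packet.
    Requests go to the broadcast MAC; replies are unicast back to the requester."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)      # sender hardware / protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)      # target hardware / protocol address
    return eth + arp


def parse_arp(frame):
    """Decode the fields the text talks about: frame MACs plus the ARP body."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_table = {}   # IP -> MAC: the operating system's ARP cache
        self.alerts = []      # cache entries whose MAC changed; worth logging on a real host

    def _learn(self, ip, mac):
        old = self.arp_table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.arp_table[ip] = mac

    def receive(self, frame):
        """Compare the target IP with our own; answer requests, learn from replies."""
        a = parse_arp(frame)
        if a["tpa"] != self.ip:
            return None                                    # not for us: ignore it
        self._learn(a["spa"], a["sha"])                    # simplification: learn the sender either way
        if a["op"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, a["sha"], a["spa"])
        return None


class Switch:
    def __init__(self, ports):
        self.ports = ports      # port number -> attached Host
        self.mac_table = {}     # MAC -> port, learned from source addresses

    def deliver(self, in_port, frame):
        """Learn the source MAC on the ingress port; flood broadcasts and unknown
        destinations, otherwise forward to the learned port. Returns any replies."""
        src, dst = mac_str(frame[6:12]), mac_str(frame[0:6])
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            outs = [p for p in self.ports if p != in_port]
        else:
            outs = [self.mac_table[dst]]
        replies = []
        for p in outs:
            r = self.ports[p].receive(frame)
            if r is not None:
                replies.append((p, r))
        return replies


def resolve(switch, port, host, target_ip):
    """Run the whole exchange; return the MAC the host learned, or None if nobody answered."""
    request = build_arp(ARP_REQUEST, host.mac, host.ip, "00:00:00:00:00:00", target_ip)
    for reply_port, reply in switch.deliver(port, request):
        switch.deliver(reply_port, reply)   # the reply is unicast back to the requester
    return host.arp_table.get(target_ip)


if __name__ == "__main__":
    a = Host("02:00:00:00:00:0a", "10.0.0.1")
    sw = Switch({1: a, 2: Host("02:00:00:00:00:0b", "10.0.0.2"), 3: Host("02:00:00:00:00:0c", "10.0.0.3")})
    print(resolve(sw, 1, a, "10.0.0.2"), sw.mac_table, a.arp_table)
```

After one resolution the switch knows only the two MACs that actually transmitted; the third host saw the broadcast, found the target IP was not its own, and neither answered nor learned anything.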

To understand how networks work at Layer 2 (local network), click here….

Is Ping (ICMP) a Layer 3 or Layer 4 Protocol?


There is always a debate about whether Ping (ICMP) is a Layer 3 or a Layer 4 protocol, and if it is Layer 4, which transport protocol it uses, TCP or UDP.

Ping is a very common network utility used to test end-to-end connectivity between two endpoints (machines, routers, etc.). The ping utility uses the ICMP protocol.

ICMP is a Layer 3 protocol; it does not use any Layer 4 protocol. All ICMP information is carried directly inside an IP packet.

For the test, I pinged my own website from my laptop –


This ping generated the following sequence of packets from my computer:

(Figure: ICMP Packets)


Now, let's look at the first ICMP (ping) Echo Request packet in detail:

(Figure: ICMP Packet Detail 1)


From the above we can see that ICMP does not use any Layer 4 protocol (TCP/UDP). It packs all ICMP information into the ICMP header, places that ICMP message as data inside the Layer 3 IP packet, encapsulates it in a Layer 2 Ethernet frame and transmits it.

So finally Ping (ICMP) is a Layer 3 Protocol.
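The same conclusion checked byte by byte, as an added example that is not part of the original post: the code builds an Ethernet/IPv4/ICMP Echo Request with constructed sample addresses, then dissects it. The IP header's protocol field is 1 and the ICMP header (type 8, code 0) follows the IP header directly; the dissector reports ports only when the protocol field says TCP (6) or UDP (17), which it never does for ping. Both checksums are the RFC 1071 ones'-complement sum, so a header that verifies sums to zero.

```python
import struct

# Constructed sample values; nothing here is taken from the post's capture.
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def checksum(data):
    """RFC 1071 ones'-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_echo_request(src_ip, dst_ip, ident, seq, payload=b"abcdefghijklmnop"):
    """Ethernet II / IPv4 / ICMP Echo Request. There is no transport header:
    the ICMP header sits immediately after the 20-byte IP header."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8, code 0, checksum 0
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))               # protocol = 1 (ICMP)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + icmp


def dissect(frame):
    """Walk the layers and report what sits above IP; ports exist only for TCP/UDP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"layers": ["Ethernet"], "ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    proto = ip_hdr[9]
    body = frame[14 + ihl:]
    info = {"layers": ["Ethernet", "IPv4"], "ip_proto": proto,
            "ip_checksum_ok": checksum(ip_hdr) == 0, "ports": None}
    if proto == 1:
        icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", body[:8])
        info["layers"].append("ICMP")
        info.update(icmp_type=icmp_type, icmp_code=code, ident=ident, seq=seq,
                    icmp_checksum_ok=checksum(body) == 0)
    elif proto in (6, 17):
        info["layers"].append(PROTO_NAMES[proto])
        info["ports"] = struct.unpack("!HH", body[:4])    # source and destination port
    return info


if __name__ == "__main__":
    frame = build_echo_request("192.0.2.10", "198.51.100.5", 0x0001, 1)
    print(len(frame), "bytes:", dissect(frame))
```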


Backup Router/Switch Configuration


I am going to describe two easy methods to back up a router / switch configuration file.

  • Using PuTTY logging
  • Using TFTP

Using PuTTY Logging

  1. Open the router / switch terminal via a PuTTY connection.
  2. Enter enable mode (by entering the enable command).
  3. Enter the command terminal length 0 (so that show run output is displayed without page breaks).
  4. Right-click the PuTTY title bar and select Change Settings.

    (Figure: PuTTY right-click menu)

  5. Select Session
    • Logging
    • All session output
    • Log file name – path and file name of the configuration file.

    (Figure: PuTTY Change Settings)

  6. Enter the command show run on your router/switch.
  7. Close the session.

Using TFTP

  1. You can transfer the file from the router/switch to your TFTP server.
  2. For the TFTP server, you can use the open source TFTPD32 application.
    • Download link –
  3. Configure your TFTPd32 application as shown in the screenshot.

    (Figure: TFTPd32 settings)

    • Current Directory – directory where you want to store your configuration file.
  4. Enter the following command in enable mode on your router / switch.
    • copy running-config tftp:
      • Enter the TFTP server address – e.g.
      • Enter the file name for the config – e.g. r1-config

(Figure: TFTP commands)

(Figure: TFTP file receive)


Similarly, you can use this method to copy firewall or other device configurations.
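The PuTTY method saves the whole session (prompts, the typed commands, the "Building configuration..." banner), not just the configuration, so the log has to be cleaned before it can be stored or diffed. The script below is an added example, not from the original post: it cuts the show run output out of a session log, refuses a log that still contains the --More-- pager prompt (which means step 3, terminal length 0, was skipped), fingerprints the result, and lists the lines that carry credentials so the backup can be stored accordingly. The log text is a constructed sample; the device, its config and the placeholder secrets are made up, and the regular expression covers only the common IOS credential keywords.

```python
import hashlib
import re

# Constructed sample of a PuTTY "All session output" log; device and config are made up.
SAMPLE_LOG = (
    "=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.01.01 10:00:00 =~=~=~=~=~=~=~=~=~=~=~=\r\n"
    "R1>enable\r\n"
    "Password: \r\n"
    "R1#terminal length 0\r\n"
    "R1#show run\r\n"
    "Building configuration...\r\n"
    "\r\n"
    "Current configuration : 263 bytes\r\n"
    "!\r\n"
    "version 15.1\r\n"
    "hostname R1\r\n"
    "!\r\n"
    "enable secret 5 <hash-placeholder>\r\n"
    "!\r\n"
    "interface FastEthernet1/0\r\n"
    " ip access-group 101 in\r\n"
    "!\r\n"
    "snmp-server community <community-placeholder> RO\r\n"
    "end\r\n"
    "\r\n"
    "R1#exit\r\n"
)

# Common IOS keywords that introduce a credential (assumption: not an exhaustive list).
SECRET_LINE = re.compile(
    r"^\s*(enable (secret|password)|username \S+ .*(secret|password)|snmp-server community)\b")


def extract_config(log_text):
    """Cut the 'show run' output out of a session log: from the line after
    'Current configuration' up to and including 'end'. A log that still holds the
    pager prompt is rejected because the output is almost certainly truncated."""
    lines = log_text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if any("--More--" in line for line in lines):
        raise ValueError("pager prompt in log: run 'terminal length 0' before 'show run'")
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("Current configuration"))
        end = next(i for i in range(start, len(lines)) if lines[i].strip() == "end")
    except StopIteration:
        raise ValueError("no complete 'show run' output found in log") from None
    return "\n".join(lines[start + 1:end + 1]) + "\n"


def fingerprint(config):
    """SHA-256 of the cleaned text: a cheap way to notice a config that changed between backups."""
    return hashlib.sha256(config.encode()).hexdigest()


def credential_lines(config):
    """Lines that carry credentials; their presence decides how the backup file must be stored."""
    return [line for line in config.splitlines() if SECRET_LINE.match(line)]


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_LOG)
    print(cfg)
    print("sha256:", fingerprint(cfg))
    print("credential lines:", credential_lines(cfg))
```

The same storage question applies to the TFTP method: the transferred file is identical in content, and TFTP carries it without authentication or encryption, so the TFTP server should sit on the management network only and the received file should be moved to protected storage as soon as the copy finishes.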

Lab: Access List (ACL) in Simple Networks



This lab demonstrates how to use access lists (ACLs) in a simple network to filter traffic. We will use a standard access list as well as an extended IP access list.


There are two different networks connected through a router. By default the router performs routing between the two networks and everything works. Now the company has deployed a client-server architecture and wants to add security so that only particular hosts can access particular servers. Our responsibility is to fulfil this security requirement.



(Figure: Sakun Sharma ACL Lab Topology)


  1. Only HostC can access AccServer.
  2. Both hosts can access WebServer, but only for HTTP services.
  3. Only AccServer can access DatabaseServer.

Device Details:

Device            IP Address        Role
AccServer         / 24              Accounts Server
WebServer         / 24              Web Server
DatabaseServer    / 24              Database Server
Server Switch     No IP Address     Server Switch (No VLANs)
R1 f0/0           –                 Server Network Gateway
R1 f1/0           –                 LAN Gateway
R1 f2/0           –                 Database Server Gateway
HostC             / 16              Accounts User
HostD             / 16              Normal User


We will use two ACLs, as follows:

  1. On R1 at s0/1 IN – extended IP access list – to allow HostC to access AccServer, allow both hosts to access WebServer and block all other access to AccServer.
  2. On R1 at f2/0 OUT – standard access list – to allow traffic only from AccServer and block everything else.

Access Lists:

On R1 at s0/1 in:

Extended IP access list 101
10 permit ip host host
20 permit tcp host eq www

Command: access-list 101 permit ip host host
access-list 101 permit tcp host eq www

Here we have created extended numbered access list 101, which contains two statements with sequence numbers 10 and 20.

10: permits all IP protocols from host to host – this statement permits traffic from HostC to AccServer.

20: permits only the TCP protocol 'www' (port 80) from network 172.16.x.x to host – this statement permits only HTTP traffic from the 172.16.x.x network to WebServer.

Implicit deny – at the end of every access list there is an implicit deny, meaning that a packet which does not match any statement above is dropped. That is why all traffic to AccServer other than from host is dropped, and all non-HTTP traffic to WebServer is dropped.

On R1 at fa2/0 out:

Standard IP access list 10
10 permit

Command: access-list 10 permit

Here we create a standard access list to filter traffic to the database server. In this command, at sequence number 10, we permit host only; everything else is denied by the implicit deny at the end.


(Figure: ACL Interface)

Here we assign those access lists to the interfaces.
Extended access list 101 is applied on 'interface FastEthernet1/0' with ip access-group 101 in; it is configured as an inbound access list.

Standard access list 10 is applied on 'interface FastEthernet2/0' with ip access-group 10 out; it is configured as an outbound access list.
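The matching logic the router applies to both lists (top-down, first match wins, implicit deny when nothing matches), as an added example that is not part of the lab. The parser accepts the numbered access-list syntax used above: host, any, an address with a wildcard mask, and eq with a port name or number. The addresses are constructed placeholders because the lab's own addresses are not reproduced on this page; the host names and the interface roles follow the device table, and the port-name table covers only a few common names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses; the lab's real addresses are not shown on the page.
HOSTC, HOSTD = "172.16.0.3", "172.16.0.4"                 # LAN hosts in 172.16.0.0/16
ACCSERVER, WEBSERVER = "192.168.1.10", "192.168.1.20"      # server network behind f0/0
DBSERVER = "10.10.10.10"                                   # database server behind f2/0
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53, "smtp": 25}   # partial list


@dataclass
class Ace:
    seq: int
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None for a standard ACL (source only)
    dport: Optional[int] = None           # "eq <port>" on the destination side


def parse_addr(tok, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)   # wildcard = inverted subnet mask
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def parse_ace(line, seq):
    """Parse one 'access-list N permit|deny ...' line into an Ace."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                                   # standard numbered ACL: source only
        if tok[3] in ("any", "host") or len(tok) > 4:
            src, _ = parse_addr(tok, 3)
        else:                                               # bare address means a single host
            src = ipaddress.ip_network(tok[3] + "/32")
        return Ace(seq, action, "ip", src, None)
    proto = tok[3]                                          # extended ACL: proto, src, dst, [eq port]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(seq, action, proto, src, dst, dport)


def build_acl(lines):
    """Sequence numbers 10, 20, ... in the order the statements were entered."""
    return [parse_ace(line, 10 * (n + 1)) for n, line in enumerate(lines)]


def evaluate(acl, src, dst, proto, dport=None):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src:
            continue
        if ace.dst is not None and d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


ACL_101 = build_acl([                                       # inbound on the LAN-facing interface
    f"access-list 101 permit ip host {HOSTC} host {ACCSERVER}",
    f"access-list 101 permit tcp 172.16.0.0 0.0.255.255 host {WEBSERVER} eq www",
])
ACL_10 = build_acl([f"access-list 10 permit host {ACCSERVER}"])   # outbound on f2/0


if __name__ == "__main__":
    for who, dst, proto, port in [(HOSTC, ACCSERVER, "icmp", None), (HOSTD, ACCSERVER, "tcp", 445),
                                  (HOSTD, WEBSERVER, "tcp", 80), (HOSTC, WEBSERVER, "icmp", None)]:
        print(who, "->", dst, proto, port, evaluate(ACL_101, who, dst, proto, port))
```

Two properties of these lists that the ping results below rely on: the standard list on f2/0 looks only at the source, so it cannot distinguish services (any protocol from AccServer reaches the database), and both lists are stateless, so nothing here inspects the servers' return traffic.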


From Host C


Note: Ping to (WebServer) fails because only HTTP (TCP port 80) traffic is allowed.

From Host D


From AccServer


(Figure: Account Server Ping)

From WebServer


Download GNS 3 Lab:

ACL Simple Lab:

Firewall Rules for Connectionless Protocol / Two Way Firewall Rule (Reverse Rule)


Generally, when we configure access through a firewall policy, we configure a permit rule from source to destination. This allows traffic to be initiated from source to destination and also allows the response from destination to source for the service we allowed.

A single access rule works for services that use connection-oriented protocols like TCP, but not for connectionless protocols like UDP, ESP, etc. For connectionless protocols we have to create a two-way firewall rule to allow traffic in either direction, which means adding a reverse access rule from destination to source, because the firewall has no way to associate traffic in both directions with a particular session.

Connection-oriented protocols establish a session/connection before the actual data exchange starts. Firewalls can observe the TCP handshake, or in the case of NAT they initiate a new connection to the destination on behalf of the source. Either way, whenever a connection is initiated from source to destination through a firewall, the information unique to that connection is saved in the firewall's state table: source IP, source port, destination IP and destination port (with NAT, more information is stored). When the firewall receives a response from the destination, it checks its state table for an existing connection initiated by the source, and forwards the response only if:

  • The response is from destination IP and destination port in state table.
  • Response is directed to source IP and source port in state table.

For a connectionless protocol there is no handshake and no session is created; each packet stands on its own. Traffic from source to destination is allowed if a matching rule is found, and the response from destination to source also needs a matching rule, otherwise the response is blocked.

So for connectionless protocols we need to create a reverse firewall access rule to allow two-way communication.

However, many firewalls can handle some well-known connectionless services like DNS and can track DNS responses for given requests without requiring any reverse rule. If the firewall supports this, it is recommended to use that support rather than creating reverse rules. How this is done is specific to the firewall vendor; for example, you can check this link on how Juniper handles it.
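A small model of the behaviour described in this post, as an added example that is not part of the original text: a firewall with a rule list and a state table. A permitted TCP SYN creates a state entry, so the reply is forwarded without a rule; a permitted UDP datagram creates no entry, so its reply is dropped until a reverse rule (keyed on the server's source port) is added; with the optional DNS tracking switched on, a query to port 53 is remembered and exactly one response is let back through. The addresses and ports are constructed sample values, and the rule shape (source, destination, protocol, service port or reverse source port) is a simplification of what a real product offers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A permit rule. Forward rules name the service (dport); a reverse rule for a
    connectionless reply is keyed on the server's source port instead (sport)."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False          # TCP only: first packet of the handshake


class StatefulFirewall:
    def __init__(self, rules, track_dns=False):
        self.rules = list(rules)
        self.track_dns = track_dns        # vendor-specific helper for UDP/53, modelled crudely
        self.state = set()                # 5-tuples of permitted initiations

    def _rule_permits(self, p):
        return any(r.src == p.src and r.dst == p.dst and r.proto == p.proto
                   and (r.dport is None or r.dport == p.dport)
                   and (r.sport is None or r.sport == p.sport)
                   for r in self.rules)

    def process(self, p):
        """Return the decision and the reason, in the order a stateful firewall checks them."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.state:                    # reply to a tracked initiation
            if p.proto == "udp":                     # one answer per query, then forget it
                self.state.discard(reverse)
            return "permit (state table)"
        if p.proto == "tcp" and not p.syn:           # mid-stream TCP with no session
            return "deny (no session)"
        if not self._rule_permits(p):
            return "deny (no rule)"
        if p.proto == "tcp" or (self.track_dns and p.proto == "udp" and p.dport == 53):
            self.state.add(key)                      # remember it so the reply can come back
        return "permit (rule)"


# Constructed sample addresses for the walkthrough below.
CLIENT, WEB, NTP, DNS = "10.0.0.5", "192.0.2.80", "192.0.2.123", "192.0.2.53"


def walkthrough():
    fw = StatefulFirewall([Rule(CLIENT, WEB, "tcp", dport=80),
                           Rule(CLIENT, NTP, "udp", dport=123),
                           Rule(CLIENT, DNS, "udp", dport=53)], track_dns=True)
    results = [
        ("tcp request", fw.process(Packet(CLIENT, 40000, WEB, 80, "tcp", syn=True))),
        ("tcp reply", fw.process(Packet(WEB, 80, CLIENT, 40000, "tcp", syn=True))),
        ("udp request", fw.process(Packet(CLIENT, 40002, NTP, 123, "udp"))),
        ("udp reply, no reverse rule", fw.process(Packet(NTP, 123, CLIENT, 40002, "udp"))),
    ]
    fw.rules.append(Rule(NTP, CLIENT, "udp", sport=123))           # the reverse rule
    results.append(("udp reply, reverse rule", fw.process(Packet(NTP, 123, CLIENT, 40002, "udp"))))
    results.append(("dns query", fw.process(Packet(CLIENT, 40003, DNS, 53, "udp"))))
    results.append(("dns reply", fw.process(Packet(DNS, 53, CLIENT, 40003, "udp"))))
    results.append(("dns reply again", fw.process(Packet(DNS, 53, CLIENT, 40003, "udp"))))
    return results


if __name__ == "__main__":
    for name, decision in walkthrough():
        print(f"{name:28} {decision}")
```

The reverse rule is broader than the state entry it replaces: it admits any datagram from the server's port 123 to the client, not only the answer to a request the client actually sent, which is the reason the post prefers a firewall's own tracking where it exists.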

Configuring VLAN Trunking on Cisco SF 300 Managed L2 Switch


The Cisco SF 300 is a Layer 2 managed switch in which you can configure and manage VLANs. Devices in the same VLAN on the same switch communicate without further configuration, but for devices in the same VLAN on different switches to communicate, trunking must be enabled between the switches.

Always check which VLANs are allowed on the trunk port. For communication between devices in the same VLAN on different switches connected over a trunk port, that VLAN must be allowed on the trunk port. To do so, execute the ‘switchport trunk allowed vlan add’ command (followed by the VLAN ID) in trunk interface configuration mode.

For example, Switch A and Switch B both have five additional VLANs: 7, 21, 31, 91 and 8. Devices in VLAN 91 on Switch A try to communicate with devices in VLAN 91 on Switch B, and the switches are connected over a trunk port. Check whether VLAN 91 is allowed on the trunk port; if not, enter the ‘switchport trunk allowed vlan add 91’ command in trunk port interface mode. After this the devices will be able to communicate with each other; by default, new VLANs are not allowed over the trunk port.
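The "always check" step above, as an added example that is not part of the original post: given the VLANs defined on each switch and the VLAN list allowed on each end of the trunk, the function reports which shared VLANs pass and which end still blocks them. The list syntax it parses (comma-separated IDs with optional ranges such as 21-31) is an assumption about the CLI; the VLAN IDs are the ones from the example, plus the default VLAN 1, which is assumed to be present on both switches.

```python
MAX_VLAN = 4094


def parse_vlan_list(text):
    """Expand a CLI-style VLAN list such as '1,7-8,21,91' into a set of VLAN IDs.
    Assumption: comma-separated IDs, with 'lo-hi' ranges allowed."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def trunk_check(vlans_a, allowed_a, vlans_b, allowed_b):
    """For the VLANs defined on both switches, report which pass the trunk and
    which end's allowed list still needs a 'switchport trunk allowed vlan add'."""
    shared = parse_vlan_list(vlans_a) & parse_vlan_list(vlans_b)
    a_ok, b_ok = parse_vlan_list(allowed_a), parse_vlan_list(allowed_b)
    return {
        "passing": sorted(shared & a_ok & b_ok),
        "not_allowed_on_a": sorted(shared - a_ok),
        "not_allowed_on_b": sorted(shared - b_ok),
    }


if __name__ == "__main__":
    # VLANs from the post (7, 8, 21, 31, 91) plus default VLAN 1; Switch A's trunk has not had 91 added yet.
    print(trunk_check("1,7,8,21,31,91", "1,7,8,21,31", "1,7,8,21,31,91", "1,7,8,21,31,91"))
```

The check has to be run against both ends of the trunk: allowing VLAN 91 on Switch A alone does nothing if Switch B's trunk port still drops it.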

(Figure: Cisco SF 300)