Computer network Lab 2

Question 2.1: Why should you avoid using telnet to remotely administrate computers?

Disadvantages of Telnet

1. It’s not secure – everything is sent in plain text be it over a local network or over the Internet. Its disadvantages are that what you type is sent to the remote machine just as you type it. This means that anyone ‘’sniffing” on the connection anywhere between you and the remote machine can read anything you type, including your passwords.

2. It is old: It is text based only, there are no graphics or colours which makes it boring.

3. It may difficult to use: it is command driven therefore there is no mouse so this may make it difficult for some persons to use. Additionally,You have to know how to run programs at the other end because there might be a different Computer System, different Commands or a different Language – Programming.

What is SSL encryption good for?

SSL (Secure Sockets Layer) is the standard security technology for establishing anencrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

SSL uses a combination of public key and symmetric key encryption to secure a connection between two machines, typically a web or mail server and a client system, communicating over the internet or another TCP/IP network. SSL provides a mechanism for encrypting and authenticating data sent between processes running on a client and server.

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

The browser/server requests that the Web server identify itself. The Web server sends the browser/server a copy of its SSL certificate. The browser/server checks to see whether or not it trusts the SSL certificate. … The Web server sends back a digitally signed acknowledgement to start an SSL encrypted session.

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser.

Backward learning 

The backward learning is a simple adaptive routing algorithms . The information on the traffic situation is not obtained directly, but by evaluating the experiences of the backflowing traffic. Receives for example the network node A from the node “B” is a data packet via the intermediate node “C”, then requires the routing algorithm in Backward Learning that the node “B” is optimally achieved by “A” to “C” .

Backward learning in bridges

It simply forward the data everywhere for an unknown address • Except to the network where it came from this cause Flooding by bridges

Send frame F to unknown destination LAN1 LAN2 F21 F21 • And so on …this create packet loop in network

How to restrict flooding?

Avoid packet looping indefinitely by remembering which packets have already been forwarded • If already seen and forwarded a packet, simply drop it.

Bridges have to remember which packets have passed through , Packets must be uniquely identifiable – at least source, destination, and sequence number are necessary to distinguish packets.

Packet loops are caused by cycles in the graph defined by the bridges • Think of bridges as edges, LANs as nodes in this graph • Redundant bridges form loops in this graph • Idea: Turn this into a loop-free, acyclic graph • Simplest approach: Compute a spanning tree on this LANbridge graph • Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• Think of bridges as edges, LANs as nodes in this graph • Redundant bridges form loops in this graph • Idea: Turn this into a loop-free, acyclic graph • Simplest approach: Compute a spanning tree on this LANbridge graph • Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• Redundant bridges form loops in this graph • Idea: Turn this into a loop-free, acyclic graph • Simplest approach: Compute a spanning tree on this LANbridge graph • Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• Idea: Turn this into a loop-free, acyclic graph • Simplest approach: Compute a spanning tree on this LANbridge graph • Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• Simplest approach: Compute a spanning tree on this LANbridge graph • Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• Simple, self-configured, no manual intervention • But not optimal: actual capacity of installed bridges might not be fully exploited

• But not optimal: actual capacity of installed bridges might not be fully exploited.

What are „virtual LANs“? Find out about the functioning of VLANs! Question 2.5: Which advantages does the use of “virtual LANs” have?

 

A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexibl

2.0 What are VLAN’s?

In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two people attempt to send information at the same time, a collision will occur and all the transmitted data will be lost. Once the collision has occurred, it will continue to be propagated throughout the network by hubs and repeaters. The original information will therefore need to be resent after waiting for the collision to be resolved, thereby incurring a significant wastage of time and resources. To prevent collisions from traveling through all the workstations in the network, a bridge or a switch can be used. These devices will not forward collisions, but will allow broadcasts (to every user in the network) and multicasts (to a pre-specified group of users) to pass through. A router may be used to prevent broadcasts and multicasts from traveling through the network.

The workstations, hubs, and repeaters together form a LAN segment. A LAN segment is also known as a collision domain since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus a LAN can consist of one or more LAN segments. Defining broadcast and collision domains in a LAN depends on how the workstations, hubs, switches, and routers are physically connected together. This means that everyone on a LAN must be located in the same area (see Figure1).

pic1.gif

Figure 1: Physical view of a LAN.

VLAN’s allow a network manager to logically segment a LAN into different broadcast domains (see Figure2). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings can now belong to the same LAN.

pic2.gif

Physical View

pic2supp.gif

Logical View

Figure 2: Physical and logical view of a VLAN.

VLAN’s also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers would only have to be used to communicate between two VLAN’s [ Hein et al].

Back to Table of Contents


3.0 Why use VLAN’s?

VLAN’s offer a number of advantages over traditional LAN’s. They are:

1) Performance

In networks where traffic consists of a high percentage of broadcasts and multicasts, VLAN’s can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic [ Passmore et al (3Com report)].

Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLAN’s reduces the number of routers needed, since VLAN’s create broadcast domains using switches instead of routers.

2) Formation of Virtual Workgroups

Nowadays, it is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting, and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. With VLAN’s it is easier to place members of a workgroup together. Without VLAN’s, the only way this would be possible is to physically move all the members of the workgroup closer together.

However, virtual workgroups do not come without problems. Consider the situation where one user of the workgroup is on the fourth floor of a building, and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which would be inconvenient for the lone fourth floor user.

Another problem with setting up virtual workgroups is the implementation of centralized server farms, which are essentially collections of servers and major resources for operating a network at a central location. The advantages here are numerous, since it is more efficient and cost-effective to provide better security, uninterrupted power supply, consolidated backup, and a proper operating environment in a single area than if the major resources were scattered in a building. Centralized server farms can cause problems when setting up virtual workgroups if servers cannot be placed on more than one VLAN. In such a case, the server would be placed on a single VLAN and all other VLAN’s trying to access the server would have to go through a router; this can reduce performance [Netreference Inc. article].

3) Simplified Administration

Seventy percent of network costs are a result of adds, moves, and changes of users in the network [ Buerger]. Every time a user is moved in a LAN, recabling, new station addressing, and reconfiguration of hubs and routers becomes necessary. Some of these tasks can be simplified with the use of VLAN’s. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated [ Cisco white paper]. However the full power of VLAN’s will only really be felt when good management tools are created which can allow network managers to drag and drop users into different VLAN’s or to set up aliases.

Despite this saving, VLAN’s add a layer of administrative complexity, since it now becomes necessary to manage virtual workgroups [ Passmore et al (3Com report)].

4) Reduced Cost

VLAN’s can be used to create broadcast domains which eliminate the need for expensive routers.

5) Security

Periodically, sensitive data may be broadcast on a network. In such cases, placing only those users who can have access to that data on a VLAN can reduce the chances of an outsider gaining access to the data. VLAN’s can also be used to control broadcast domains, set up firewalls, restrict access, and inform the network manager of an intrusion [ Passmore et al (3Com report)].

Back to Table of Contents


4.0 How VLAN’s work

When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. It is also possible to determine to which VLAN the data received belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on other information like the port on which the data arrived. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. VLAN’s are classified based on the method used. To be able to do the tagging of data using any of the methods, the bridge would have to keep an updated database containing a mapping between VLAN’s and whichever field is used for tagging. For example, if tagging is by port, the database should indicate which ports belong to which VLAN. This database is called a filtering database. Bridges would have to be able to maintain this database and also to make sure that all the bridges on the LAN have the same information in each of their databases. The bridge determines where the data is to go next based on normal LAN operations. Once the bridge determines where the data is to go, it now needs to determine whether the VLAN identifier should be added to the data and sent. If the data is to go to a device that knows about VLAN implementation (VLAN-aware), the VLAN identifier is added to the data. If it is to go to a device that has no knowledge of VLAN implementation (VLAN-unaware), the bridge sends the data without the VLAN identifier.

In order to understand how VLAN’s work, we need to look at the types of VLAN’s, the types of connections between devices on VLAN’s, the filtering database which is used to send traffic to the correct VLAN, and tagging, a process used to identify the VLAN originating the data.

VLAN Standard: IEEE 802.1Q Draft Standard

There has been a recent move towards building a set of standards for VLAN products. The Institute of Electrical and Electronic Engineers (IEEE) is currently working on a draft standard 802.1Q for VLAN’s. Up to this point, products have been proprietary, implying that anyone wanting to install VLAN’s would have to purchase all products from the same vendor. Once the standards have been written and vendors create products based on these standards, users will no longer be confined to purchasing products from a single vendor. The major vendors have supported these standards and are planning on releasing products based on them. It is anticipated that these standards will be ratified later this year.

Back to Table of Contents

4.1 Types of VLAN’s

VLAN membership can be classified by port, MAC address, and protocol type.

1) Layer 1 VLAN: Membership by Port

Membership in a VLAN can be defined based on the ports that belong to the VLAN. For example, in a bridge with four ports, ports 1, 2, and 4 belong to VLAN 1 and port 3 belongs to VLAN 2 (see Figure3).

Port VLAN
1 1
2 1
3 2
4 1

Figure3: Assignment of ports to different VLAN’s.

The main disadvantage of this method is that it does not allow for user mobility. If a user moves to a different location away from the assigned bridge, the network manager must reconfigure the VLAN.

2) Layer 2 VLAN: Membership by MAC Address

Here, membership in a VLAN is based on the MAC address of the workstation. The switch tracks the MAC addresses which belong to each VLAN (see Figure4). Since MAC addresses form a part of the workstation’s network interface card, when a workstation is moved, no reconfiguration is needed to allow the workstation to remain in the same VLAN. This is unlike Layer 1 VLAN’s where membership tables must be reconfigured.

MAC Address VLAN
1212354145121 1
2389234873743 2
3045834758445 2
5483573475843 1

Figure4: Assignment of MAC addresses to different VLAN’s.

The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PC’s are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.

3) Layer 2 VLAN: Membership by Protocol Type

VLAN membership for Layer 2 VLAN’s can also be based on the protocol type field found in the Layer 2 header (see Figure5).

Protocol VLAN
IP 1
IPX 2

Figure5: Assignment of protocols to different VLAN’s.

4) Layer 3 VLAN: Membership by IP Subnet Address

Membership is based on the Layer 3 header. The network IP subnet address can be used to classify VLAN membership (see Figure 6).

IP Subnet VLAN
23.2.24 1
26.21.35 2

Figure6: Assignment of IP subnet addresses to different VLAN’s.

Although VLAN membership is based on Layer 3 information, this has nothing to do with network routing and should not be confused with router functions. In this method, IP addresses are used only as a mapping to determine membership in VLAN’s. No other processing of IP addresses is done.

In Layer 3 VLAN’s, users can move their workstations without reconfiguring their network addresses. The only problem is that it generally takes longer to forward packets using Layer 3 information than using MAC addresses.

5) Higher Layer VLAN’s

It is also possible to define VLAN membership based on applications or service, or any combination thereof. For example, file transfer protocol (FTP) applications can be executed on one VLAN and telnet applications on another VLAN.

The 802.1Q draft standard defines Layer 1 and Layer 2 VLAN’s only. Protocol type based VLAN’s and higher layer VLAN’s have been allowed for, but are not defined in this standard. As a result, these VLAN’s will remain proprietary.

Back to Table of Contents

4.2 Types of Connections

Devices on a VLAN can be connected in three ways based on whether the connected devices are VLAN-aware or VLAN-unaware. Recall that a VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.

1) Trunk Link

All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames (see Figure7).

pic3.gif

Figure7: Trunk link between two VLAN-aware bridges.

2) Access Link

An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged) (see Figure8). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN).

pic4.gif

Figure 8: Access link between a VLAN-aware bridge and a VLAN-unaware device.

3) Hybrid Link

This is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached (see Figure9). A hybrid link can have both tagged and untagged frames, but allthe frames for a specific VLAN must be either tagged or untagged.

pic5.gif

Figure9: Hybrid link containing both VLAN-aware and VLAN-unaware devices.

It must also be noted that the network can have a combination of all three types of links.

Back to Table of Contents

4.3 Frame Processing

A bridge on receiving data determines to which VLAN the data belongs either by implicit or explicit tagging. In explicit tagging a tag header is added to the data. The bridge also keeps track of VLAN members in a filtering database which it uses to determine where the data is to be sent. Following is an explanation of the contents of the filtering database and the format and purpose of the tag header [802.1Q].

1) Filtering Database

Membership information for a VLAN is stored in a filtering database. The filtering database consists of the following types of entries:

i) Static Entries

Static information is added, modified, and deleted by management only. Entries are not automatically removed after some time (ageing), but must be explicitly removed by management. There are two types of static entries:

a) Static Filtering Entries: which specify for every port whether frames to be sent to a specific MAC address or group address and on a specific VLAN should be forwarded or discarded, or should follow the dynamic entry, and

b) Static Registration Entries: which specify whether frames to be sent to a specific VLAN are to be tagged or untagged and which ports are registered for that VLAN.

ii) Dynamic Entries

Dynamic entries are learned by the bridge and cannot be created or updated by management. The learning process observes the port from which a frame, with a given source address and VLAN ID (VID), is received, and updates the filtering database. The entry is updated only if all the following three conditions are satisfied:

a) this port allows learning,

b) the source address is a workstation address and not a group address, and

c) there is space available in the database.

Entries are removed from the database by the ageing out process where, after a certain amount of time specified by management (10 sec — 1000000 sec), entries allow automatic reconfiguration of the filtering database if the topology of the network changes. There are three types of dynamic entries:

a) Dynamic Filtering Entries: which specify whether frames to be sent to a specific MAC address and on a certain VLAN should be forwarded or discarded.

b) Group Registration Entries: which indicate for each port whether frames to be sent to a group MAC address and on a certain VLAN should be filtered or discarded. These entries are added and deleted using Group Multicast Registration Protocol (GMRP). This allows multicasts to be sent on a single VLAN without affecting other VLAN’s.

c) Dynamic Registration Entries: which specify which ports are registered for a specific VLAN. Entries are added and deleted using GARP VLAN Registration Protocol (GVRP), where GARP is the Generic Attribute Registration Protocol.

GVRP is used not only to update dynamic registration entries, but also to communicate the information to other VLAN-aware bridges.

In order for VLAN’s to forward information to the correct destination, all the bridges in the VLAN should contain the same information in their respective filtering databases. GVRP allows both VLAN-aware workstations and bridges to issue and revoke VLAN memberships. VLAN-aware bridges register and propagate VLAN membership to all ports that are a part of the active topology of the VLAN. The active topology of a network is determined when the bridges are turned on or when a change in the state of the current topology is perceived.

The active topology is determined using a spanning tree algorithm which prevents the formation of loops in the network by disabling ports. Once an active topology for the network (which may contain several VLAN’s) is obtained, the bridges determine an active topology for each VLAN. This may result in a different topology for each VLAN or a common one for several VLAN’s. In either case, the VLAN topology will be a subset of the active topology of the network (see Figure 10).

pic10.gif

Figure10: Active topology of network and VLAN A using spanning tree algorithm.

2) Tagging

When frames are sent across the network, there needs to be a way of indicating to which VLAN the frame belongs, so that the bridge will forward the frames only to those ports that belong to that VLAN, instead of to all output ports as would normally have been done. This information is added to the frame in the form of a tag header. In addition, the tag header:

i) allows user priority information to be specified,

ii) allows source routing control information to be specified, and

iii) indicates the format of MAC addresses.

Frames in which a tag header has been added are called tagged frames. Tagged frames convey the VLAN information across the network.

The tagged frames that are sent across hybrid and trunk links contain a tag header. There are two formats of the tag header:

i) Ethernet Frame Tag Header: The ethernet frame tag header (see Figure11) consists of a tag protocol identifier (TPID) and tag control information (TCI).

pic11.gif

Figure11: Ethernet frame tag header.

ii) Token Ring and Fiber Distributed Data Interface (FDDI) tag header: The tag headers for both token ring and FDDI networks consist of a SNAP-encoded TPID and TCI.

pic12.gif

Figure12: Token ring and FDDI tag header.

TPID is the tag protocol identifier which indicates that a tag header is following and TCI (see Figure 13) contains the user priority, canonical format indicator (CFI), and the VLAN ID.

pic13.gif

Figure13: Tag control information (TCI).

User priority is a 3 bit field which allows priority information to be encoded in the frame. Eight levels of priority are allowed, where zero is the lowest priority and seven is the highest priority. How this field is used is described in the supplement 802.1p.

The CFI bit is used to indicate that all MAC addresses present in the MAC data field are in canonical format. This field is interpreted differently depending on whether it is an ethernet-encoded tag header or a SNAP-encoded tag header. In SNAP-encoded TPID the field indicates the presence or absence of the canonical format of addresses. In ethernet-encoded TPID, it indicates the presence of the Source-Routing Information (RIF) field after the length field. The RIF field indicates routing on ethernet frames.

The VID field is used to uniquely identify the VLAN to which the frame belongs. There can be a maximum of (2 12 – 1) VLAN’s. Zero is used to indicate no VLAN ID, but that user priority information is present. This allows priority to be encoded in non-priority LAN’s.

 

Classful addressing” was the Internet’s first major IP addressing scheme. Explain the classful addressing scheme!

IP Addresses – Classful

 

Class Starting

Bits

(fixed to m bits)

Decimal Range of First Byte Network

Bits

n bits

Host
Bits
p bits
Max

Networks

2n-m

Max

Hosts

2p-2

A 0  (m-1) 1 to 126
(127 is loopback)
8 24 28-1 = 126 224-2= 16,777,214
B 10  (m=2) 128 to 191 16 16 216-2 = 16,384 216-2=65,534
C 110 (m=3) 192 to 223 24 8 224-3  = 2,097,152 28-2=254
D 1110 224 to 239
E 1111 240 to 254

*** Class A, B, and C are for standard Internet IP addressing.  Class D is for Multicast, and Class E are reserved for future use.

There are a total of 232 = 4,294,967,296 possible addresses.  Classful addressing, no longer used in the backbone but still referred to constantly, divided the total address space up into five Classes of addresses (Class A,B,C,D,E).  The total number of unique addresses per Class depends on the number of bits used for the node (host) address.

Class A uses half of them (2,147,483,648 addresses)
Class B uses one-fourth (1,073,741,824 addresses)
Class C uses one-eighth (536,870,912)
Class D and Class E each use 1/16th – they split the rest of the addresses (268,435,456 each)

The allocation of 4,294,967,296 Addresses

IP Address Components:

Like other network layer protocols, the IP addressing scheme is integral to the process of routing IP data through an internetwork.  Each host on a TCP/IP network is assigned a unique 32-bit logical address. The IP address is divided into two main parts; the Network Number and the Host Number.

The network number identifies the network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet.  The host number identifies a host in the network and is assigned by the local network administrator.

IP Address Format:

The 32-bit IP address is grouped 8 bits at a time, each group of 8 bits is an octet. Each of the four octets are separated by a dot, and represented in decimal format, this is known as dotted decimal notation. Each bit in an octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet is 0 (all bits set to 0), and the maximum value for an octet is 255 (all bits set to 1).

The following figure shows the basic format of a typical IP address:

 

IP Address Classes:

IP addressing supports three different commercial address classes; Class A, Class B, and Class C.  The following figure summarizes the network and host portion of each address class:
In a class A address, the first octet is the network portion, so the class A address of, 10.1.25.1, has a major network address of 10. Octets 2, 3, and 4 (the next 24 bits) are for the hosts. Class A addresses are used for networks that have more than 65,536 hosts (actually, up to 16,581,375 hosts!).

In a class B address, the first two octets are the network portion, so the class B address of, 172.16.122.204, has a major network address of 172.16. Octets 3 and 4 (the next 16 bits) are for the hosts. Class B addresses are used for networks that have between 256 and 65,536 hosts.

In a class C address, the first three octets are the network portion. The class C address of, 193.18.9.45, has a major network address of 193.18.9. Octet 4 (the last 8 bits) is for hosts. Class C addresses are used for networks with less than 254 hosts.

Determining the Class from the First-Octet:

The class of address can be easily determined by examining the first octet of the address, and mapping that value to a class range in the table below:

The left-most (high-order) bits in the first octet indicate the network class.  For example, given an IP address of 172.31.1.2, the first octet is 172. 172 falls between 128 and 191, so 172.31.1.2 is a Class B address.

Classful Network Masks:

Each of the commercial address classes has a set classful network mask. The network mask defines which bits out of the 32 bit of the address are defined as the network portion and which are the host portion.  The network mask is calculated by setting all bits to a value of 1 in the octets designated for the network portion and all bits to a value of 0 in the octets designated for the host portion.

As stated above, a Class A address has the first octet as the network portion and the remaining 3 octets as the host portion. Therefore, a Class A network mask is defined as 255.0.0.0.

A Class B address has the first and second octets as the network portion and the third and fourth octets as the host portion. A Class B network mask is shown as 255.255.0.0.

A Class C address has the first, second, and third octet as the network portion and the last octet as the host portion. A Class C network mask is shown as 255.255.255.0.