Understanding Spanning Tree
The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network.
STP was invented by Dr. Radia Perlman, distinguished engineer at Sun Microsystems. Dr. Perlman devised a method by which bridges can obtain Layer 2 routing utopia: redundant and loop-free operation. Think of spanning tree as a tree that the bridge keeps in memory for optimized and fault-tolerant data forwarding.
Spanning tree in a nutshell
- STP provides a means to prevent loops by blocking links in an Ethernet network. Blocked links can be brought in to service if active links fail.
- The root bridge in a spanning tree is the logical center and sees all traffic on a network.
- Spanning tree recalculations are performed automatically when the network changes but cause a temporary network outage.
- Newer protocols, such as TRILL, prevent loops while keeping links that would be blocked by STP in service.
Eliminating loops with spanning tree
If your switches are connected in a loop without STP, each switch would infinitely duplicate the first broadcast packet heard because there’s nothing at Layer 2 to prevent a loop.
STP prevents loops by blocking one or more of the links. If one of the links in use goes down, then it would fail over to a previously blocked link. How spanning tree chooses which link to use depends entirely on the topology that it can see.
The idea behind a spanning tree topology is that bridges can discover a subset of the topology that is loop-free: that’s the tree. STP also makes certain there is enough connectivity to reach every portion of the networkby spanning the entire LAN.
Bridges will perform the spanning tree algorithm when they are first connected to the network or whenever there is a topology change.
When a bridge hears a “configuration message,” a special type of BPDU (bridge protocol data unit), it will begin its disruptive spanning tree algorithm. This starts with the election of a “root bridge” through which all data will flow.
Tip: Cisco hardware normally uses the device with the lowest MAC address as the root bridge. Since this is the oldest and probably slowest device, it’s best to configure the root bridge manually.
The next step is for each bridge to determine the shortest path to the root bridge so that it knows how to get to the “center.” A second election happens on each LAN, and it elects the designated bridge, or the bridge that’s closest to the root bridge. The designated bridge will forward packets from the LAN toward the root bridge.
The final step for an individual bridge is to select a root port. This simply means “the port that I use to send data towards the root bridge.”
Note: Every single port on a bridge, even ones connected to endpoints, will participate in the spanning tree unless a port is configured as “ignore.”
A newly connected bridge will send a reconfiguration BPDU, and the other connected devices will comply. All traffic is stopped for 30-50 seconds while a spanning tree calculation takes place.
In 2001, certain vendors started introducing rapid spanning tree, a modified version of the spanning tree algorithm that reduces outages. It’s fully compatible with older devices that only know the old spanning tree algorithm and reduces the 30-50-second outage time to less than ten in most cases, so use it if you can.
Note: RSTP works by adding an alternative port and a backup port. These ports are allowed to immediately enter the forwarding state rather than passively wait for the network to converge.
VLANs and PVST
STP can cause problems with VLANs if one of the physical links happens to be a VLAN trunk. That’s because with only one spanning tree, it’s possible the link with the VLAN trunk will need to be blocked. That could result in no connectivity for a particular VLAN to the rest of its LAN. To solve this, enable per-VLAN spanning trees (PVST).
With PVST enabled, a bridge will run one spanning tree instance per VLAN on the bridge. If a trunk link contains VLANs 1, 2, and 3, it can then decide that VLANs 1 and 2 should not take that path, but still allow VLAN 3 to use it.
Spanning tree drawbacks
One of the drawbacks of STP is that even though there may be many physical or equal-cost multiple paths through your network from one node to another, all your traffic will flow along a single path that has been defined by a spanning tree. The benefit of this is that traffic loops are avoided, but there is a cost. Restricting traffic to this unique path means blocking alternative, and sometimes more direct, paths.
That means that your full potential network capacity can never be realized. (It is possible to use multiple simultaneous spanning trees for separate VLANs, as mentioned above, but the traffic in any given VLAN will still not be able to use all your available network capacity.)
In the past this has been acceptable, but with the increasing use of virtualization technology in many data centers, there is a need for a more efficient and reliable routing infrastructure that can handle the very high I/O demands of virtualized environments.
Spanning tree alternatives: TRILL and NPB
Transparent Interconnection of Lots of Links (TRILL) is a routing protocol network standard which:
- Uses shortest path routing protocols instead of STP.
- Works at Layer 2, so protocols such as FCoE can make use of it.
- Supports multihopping environments.
- Works with any network topology, and uses links that would otherwise have been blocked.
- Can be used at the same time as STP.
The main benefit of TRILL is that it frees up capacity on your network which can’t be used (to prevent routing loops) if you use STP, allowing your Ethernet frames to take the shortest path to their destination. This in turns mean more efficient utilization of network infrastructure and a decreased cost-to-benefit ratio.
These benefits are particularly important in data centers running cloud computing infrastructure. TRILL is also more stable than STP because it provides faster recovery time in the event of hardware failure.
Why do we need private ip address?
We need private IP (version4) addresses because the total amount public IP (version 4) addresses quickly outgrew the amount available. The total amount available is 3706.65 million addresses after taking out the reserved ranges. You can probably imagine that this easily outstrips the number of devices that need to connect to the Internet. Think mobile phones, office PCs, home networked devices and so on.
To overcome this a whole private IP address range can be used to hide behind a single public IP addresses. The available private IP address ranges are 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 and 192.168.0.0 – 192.168.255.255.
It is up to you which private range you choose but this comes down to network design and the total addresses required on any given network.
When you go on the Internet you can create a rule on your router or firewall stating that if you are using a private IP between 10.10.10.10 and 10.10.10.100 (for example), present to the Internet as this public IP address of 220.127.116.11. This is known as Network Address Translation (NAT). You may ask that how does it know which IP is mapped to which IP address if we only have one public IP address and hundreds of private addresses? This is where we use Port Address Translation (PAT). The router/firewall maintains a table and does very specific port mappings. So it will say if you come to me on 10.10.10.10 port 12345, present to the Internet on 18.104.22.168 port 45678. That way we can overload a lot of private IP addresses, to one public address using random port numbers as the identifier.
To finish your question, by using this method we can use a lot less public IP addresses per person to achieve global Internet access to each other.
On a side note, the IP (version 6) address space is design with only public IP addresses in mind. That has a possible 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. We won’t be running out of those any time soon. 🙂
What are the limitations of a private ip address?
Private IP addresses are not routable inInternet as well as not registered.
It has some range in all 3 classes.
Its is mainly reserved for private use only but public IPs are reserved and routable ininternet.
Isolation, Maintenance Costs
Which IPv4 address ranges have been reserved for private networks?
|Address block (CIDR)||Range||Number of addresses||Scope||Purpose|
|16,777,216||Software||Used for broadcast messages to the current (“this”)|
|16,777,216||Private network||Used for local communications within a private network|
|4,194,304||Private network||Used for communications between a service provider and its subscribers when using a carrier-grade NAT|
|16,777,216||Host||Used for loopback addresses to the local host|
|65,536||Subnet||Used for link-local addresses between two hosts on a single link when no IP address is otherwise specified, such as would have normally been retrieved from a DHCP server|
|1,048,576||Private network||Used for local communications within a private network|
|256||Private network||Used for the IANA IPv4 Special Purpose Address Registry|
|256||Documentation||Assigned as “TEST-NET” for use in documentation and examples. It should not be used publicly.|
|256||Internet||Used by 6to4 anycast relays|
|65,536||Private network||Used for local communications within a private network|
|131,072||Private network||Used for testing of inter-network communications between two separate subnets|
|256||Documentation||Assigned as “TEST-NET-2” for use in documentation and examples. It should not be used publicly.|
|256||Documentation||Assigned as “TEST-NET-3” for use in documentation and examples. It should not be used publicly.|
|268,435,456||Internet||Reserved for multicast|
|268,435,456||Internet||Reserved for future use|
|255.255.255.255/32||255.255.255.255||1||Subnet||Reserved for the “limited broadcast” destination address|
and the IP address range “127.0.0.0/8”?
It’s also reserved for loopback, so no, it’s not widely used for anything.
In practice, 127.0.0.1 is usually used as “the” loopback address, but the rest of the block should loopback as well, meaning it’s just generally not used for anything. (Though, for example, larger Cisco switches will use 127.0.0.xx IPs to listen for attached cards and modules, so at least some of other addresses are in use.)
As already stated whole block is used as loopback so i’m only adding one example for regular desktop use.
Loopback other than
That’s right, normally you would not connect RDP client to same computer that you are using (and not allowed to do so even if wanted to see nice mirror effects :).
How does PAT (Port Address Translation, also called “IP-Masquerading” or “Source-NAT”) work internally?
Due in large part to alleged NAT support on consumer devices, many people are confused about what NAT really is. Network Address Translation is used for many purposes, including but certainly not limited to, saving IP addresses. In this installment of Networking 101, we’ll try to clear all this up.
NAT is a feature of a router that will translate IP addresses. When a packet comes in, it will be rewritten in order to forward it to a host that is not the IP destination. A router will keep track of this translation, and when the host sends a reply, it will translate back the other way.
Home users who talk about NAT are actually talking about PAT, or Port Address Translation. This is quite easy to remember: PAT translates ports, as the name implies, and likewise, NAT translates addresses. Sometimes PAT is also called Overloaded NAT. It doesn’t really matter what you call it, just be careful about blanket “NAT can’t” statements: they are likely incorrect.
Now that that’s out of the way, let’s clarify some terminology required for a NAT discussion. When we refer to the inside, we’re talking about the internal network interface that receives egress traffic. This internal network may or may not be using private addresses—more on those in a minute. The outside refers to the external-facing network interface, the one that receives ingress traffic. In the real world, it is not the case that NAT is simply using a single outside IP; translating traffic into internal IPs and ports. That’s what your Linksys does.
The “inside” of a NAT configuration is not synonymous with “private” or RFC1918 addresses. The often-referred-to “non-routable” addresses are not unroutable. You may configure most any router to pass traffic for these private IP subnets. If you try and pass a packet to your ISP for any of these addresses, it will be dropped. This is what “non-routable” means: not routable on the Internet. You can and should mix RFC1918 addresses (for management interfaces) on your local internal network.
NAT is not used to simply share a single IP address. But when it is, in this strange configuration that’s really called PAT, issues can arise. Say two geeks want to throw up an IPIP tunnel between their networks so they can avoid all the issues of firewall rules and state-keeping. If they both use the same IP subnet, they can’t just join two networks together: they won’t be able to broadcast for each other, so they will never communicate, right? It would seem that one side or the other would have to renumber their entire subnet, but there is a trick. Using a semi-complicated NAT and DNS setup, the hosts could actually communicate. This is another case of blanket “NAT is evil” statements actually having little reflection on reality. This issue does come up frequently when two companies merge and various branch offices need to communicate.
So why in the world would someone want to use one external IP and map it to one internal IP, as opposed to just translating the port? Policy. It’s even likely that both sides will use real bona fide Internet IP addresses. Everyone understands that NAT (the naive definition) will keep track of state; it’s the only way to make translations happen. What they may not realize is that stateful filtering is a powerful security mechanism.
Stateful filtering means that the router will keep track of a TCP connection. Remember from our previous installment on TCP and its followup that a TCP connection consists of four parts: the remote and local IP address, and the connected ports. Stateful filters verify that every packet into the network is part of an already established, pre-verified connection.
Imagine a b2b transaction that ships very sensitive data across the Internet, even between continents. It’s not feasible to lay fiber for this purpose, so the Internet has to be used. What to do? How would you secure this transaction, or set of transactions? It can be done with IPSEC, but also utilizing NAT at the same time. Each side will have a 1:1 (real) NAT router configured to only allow specific connections from specific hosts. This guarantees that from either network, only authorized hosts will be making a connection. This also guarantees that hosts on both sides have been minimally exposed, and very unlikely compromised, since nobody else can get into that network.
Once the session starts, packets are carefully inspected in and out of each NAT router. If something nefarious happens, and someone in-between is able to inject a forged packet into the stream, at least one side will notice. One of the NAT routers will be able to detect that a sequence number anomaly has occurred, and can immediately terminate all communication. When the TCP session completes with a FIN, the state is wiped clean.
In much the same way, home users take advantage of PAT to keep their less-than-secure machines from being completely taken over on a daily basis. When a connection attempt from the outside hits the external interface of a PAT device, it cannot be forwarded unless state already exists. State setup can only be done from the inside, when an egress attempt is made. If this version of NAT didn’t exist on such a wide scale, the Internet would be a completely different place. Nobody would ever successfully install and patch a Windows computer prior to a compromise without some the minimal protection provided by PAT.
Clearly NAT is useful in these cases. So why do people say that NAT is evil? They are likely referring to PAT, the bastard child of NAT. It’s called “overloaded” for a reason.
IPv6 introduces the ability to have way more IP addresses than we really need. Does that mean that IPv6 will eliminate NAT? No. It also won’t eliminate the usage of NAT everyone’s familiar with: PAT. We all need somewhere to stow Windows boxes away from the myriad of uninitiated connection attempts that come from the Internet.
What is the purpose of DNAT (Destination-NAT, also called “Port-Forwarding”) and how does this process work?
Let’s look at a usage example. A lot of multiplayer video games (as an example, Counter Strike) allow you to run a game server on your computer that other people can connect to in order to play with you. Your computer doesn’t know all the people that want to play, so it can’t connect to them – instead, they have to send new connection requests to your computer from the internet.
If you didn’t have anything set up on the router, it would receive these connection requests but it wouldn’t know which computer inside the network had the game server, so it would just ignore them (or, more specifically, it would send back a packet indicating that it can’t connect). Luckily, you know the port number that will be on connection requests for the game server. So, on the router, you set a port forward with the port number that the game server expects (for example, 27015) and the IP address of the computer with the game server (for example, 192.168.1.105).
The router will know to forward the incoming connection requests to 192.168.1.105 inside the network, and computers outside will be able to connect in.
Another example would be a local network with two machines, where the second one with the IP 192.168.1.10 hosts a website using Apache. Therefore the router should forward incoming port 80 requests to this machine. Using port forwarding, both machines can run in the same network at the same time.
Video games are perhaps the most common place everyday users will encounter port forwarding, although most modern games use UPnP so that you don’t have to do this manually (instead, it’s fully automatic). You’ll need to do this whenever you want to be able to connect directly to something in your network though (rather than through some intermediary on the internet). This might include running your own web server or connecting via Remote Desktop Protocol to one of your computers.
A note on security
One of the nice things about NAT is that it provides some effort-free, built-in security. A lot of people wander the internet looking for machines that are vulnerable… and they do this by attempting to open connections with various ports. These are incoming connections, so, as discussed above, the router will drop them. This means that in a NAT configuration, only the router itself is vulnerable to attacks involving incoming connections. This is a good thing, because the router is much simpler (and thus less likely to be vulnerable) than a computer running a full operating system with a lot of software. You should keep in mind, then, that by DMZing a computer inside your network (setting it as the DMZ destination) you lose that layer of security for that computer: it is now completely open to incoming connections from the internet, so you need to secure it as if it was directly connected. Of course, any time you forward a port, the computer at the receiving end becomes vulnerable on that specific port. So make sure you run up-to-date software that is well configured.
What is DHCP and How DHCP Works? (DHCP Fundamentals Explained.
Computer networks can be of any form like a LAN, WAN etc. If you are connected to a local LAN or an internet connection, the IP addresses form the basis of communication over computer networks. An IP address is the identity of a host or a computer device while connected to any network.
In most of the cases when you connect your computer to a LAN or internet, you’ll notice that the IP address and other information like subnet mask etc are assigned to your computer automatically. Have you ever thought about how this happens? Well, in this article we will understand the concept of DHCP that forms the basis of this functionality.
What is DHCP?
DHCP stands for Dynamic Host Configuration Protocol.
As the name suggests, DHCP is used to control the network configuration of a host through a remote server. DHCP functionality comes installed as a default feature in most of the contemporary operating systems. DHCP is an excellent alternative to the time-consuming manual configuration of network settings on a host or a network device.
DHCP works on a client-server model. Being a protocol, it has it’s own set of messages that are exchanged between client and server. Here is the header information of DHCP :
|op||1||Type of message|
|htype||1||type of hardware address|
|hlen||1||length of hardware address|
|hops||1||used in case of relay agents. Clients sets them to 0.|
|xid||4||Transaction ID used by the client and server for a session.|
|secs||2||Time elapsed (in seconds) since the client requested the process|
|ciaddr||4||Client IP address.|
|yiaddr||4||The IP address assigned by server to the client|
|siaddr||4||Server IP address.|
|giaddr||4||IP address of the relay agent.|
|chaddr||16||Hardware address of the client.|
|sname||64||Host name of the server.|
|file||128||Boot file name.|
Understanding DHCP helps in debugging many network related problems. Read our articles on wireshark and Journey of a packet on network to enhance your understanding on network and network debugging tools.
In the next section, we will cover the working of this protocol.
How DHCP Works?
Before learning the process through which DHCP achieves it’s goal, we first have to understand the different messages that are used in the process.
It is a DHCP message that marks the beginning of a DHCP interaction between client and server. This message is sent by a client (host or device connected to a network) that is connected to a local subnet. It’s a broadcast message that uses 255.255.255.255 as destination IP address while the source IP address is 0.0.0.0
It is DHCP message that is sent in response to DHCPDISCOVER by a DHCP server to DHCP client. This message contains the network configuration settings for the client that sent the DHCPDISCOVER message.
This DHCP message is sent in response to DHCPOFFER indicating that the client has accepted the network configuration sent in DHCPOFFER message from the server.
This message is sent by the DHCP server in response to DHCPREQUEST recieved from the client. This message marks the end of the process that started with DHCPDISCOVER. The DHCPACK message is nothing but an acknowledgement by the DHCP server that authorizes the DHCP client to start using the network configuration it received from the DHCP server earlier.
This message is the exact opposite to DHCPACK described above. This message is sent by the DHCP server when it is not able to satisfy the DHCPREQUEST message from the client.
This message is sent from the DHCP client to the server in case the client finds that the IP address assigned by DHCP server is already in use.
This message is sent from the DHCP client in case the IP address is statically configured on the client and only other network settings or configurations are desired to be dynamically acquired from DHCP server.
This message is sent by the DHCP client in case it wants to terminate the lease of network address it has be provided by DHCP server.
Now as we know about the various DHCP messages, it’s time to go through the the complete DHCP process to give a better Idea of how DHCP works. Note that the steps mentioned below assume that DHCP functionality is enabled by default on the client side.
Here are the steps :
- Step 1: When the client computer (or device) boots up or is connected to a network, a DHCPDISCOVER message is sent from the client to the server. As there is no network configuration information on the client so the message is sent with 0.0.0.0 as source address and 255.255.255.255 as destination address. If the DHCP server is on local subnet then it directly receives the message or in case it is on different subnet then a relay agent connected on client’s subnet is used to pass on the request to DHCP server. The transport protocol used for this message is UDP and the port number used is 67. The client enters the initializing stage during this step.
- Step 2: When the DHCP server receives the DHCPDISCOVER request message then it replies with a DHCPOFFER message. As already explained, this message contains all the network configuration settings required by the client. For example, the yaddr field of the message will contain the IP address to be assigned to client. Similarly the the subnet mask and gateway information is filled in the options field. Also, the server fills in the client MAC address in the chaddr field. This message is sent as a broadcast (255.255.255.255) message for the client to receive it directly or if DHCP server is indifferent subnet then this message is sent to the relay agent that takes care of whether the message is to be passed as unicast or broadcast. In this case also, UDP protocol is used at the transport layer with destination port as 68. The client enters selecting stage during this step
- Step 3: The client forms a DHCPREQUEST message in reply to DHCPOFFER message and sends it to the server indicating it wants to accept the network configuration sent in the DHCPOFFER message. If there were multiple DHCP servers that received DHCPDISCOVER then client could receive multiple DHCPOFFER messages. But, the client replies to only one of the messages by populating the server identification field with the IP address of a particular DHCP server. All the messages from other DHCP servers are implicitly declined. The DHCPREQUEST message will still contain the source address as 0.0.0.0 as the client is still not allowed to use the IP address passed to it through DHCPOFFER message. The client enters requesting stage during this step.
- Step 4: Once the server receives DHCPREQUEST from the client, it sends the DHCPACK message indicating that now the client is allowed to use the IP address assigned to it. The client enters the bound state during this step.
The Concept of Lease
With all the necessary information on how DHCP works, one should also know that the IP address assigned by DHCP server to DHCP client is on a lease. After the lease expires the DHCP server is free to assign the same IP address to any other host or device requesting for the same. For example, keeping lease time 8-10 hours is helpful in case of PC’s that are shut down at the end of the day. So, lease has to be renewed from time to time. The DHCP client tries to renew the lease after half of the lease time has expired. This is done by the exchange of DHCPREQUEST and DHCPACK messages. While doing all this, the client enters the renewing stage.
Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture 33 DHCP AND ICMP..