Tag Archives: OSI Layer 2

Port Numbers, NAT and PAT (Part 2)

One of the key themes that runs through our small labs and examples is that we often use private IP addresses. The problem with private IP addresses (the RFC 1918 ranges) is that they are not routed on the public internet. To reach the internet from one, the router has to perform Network Address Translation (NAT).

Here is an example.

This is a small business that owns one public IP address – the WAN IP, as supplied by the ISP. If the business only has one computer that needs to access the internet, a simple one-to-one translation works just fine, but in this case we have three.

The three hosts are put on a private Class C network (192.168.x.x) and can reach the WAN via the router (as an aside, this is most likely how your home network is built). So when a host attempts to access a website – cisco.com for instance – the router takes the packet's private source IP address and translates it to the public IP address. If all three computers access the WAN at different times this still works, but if they all try to access the WAN at the same time, what happens? The router has only one public address to put in the source field, so the replies all come back to that one address with nothing to say which inside host each belongs to.

We can do one of two things: we can buy more public IP addresses or we can use Port Address Translation (PAT).


What the router does in this case is translate the private IP to its public one again, but it also rewrites the source port of the outgoing request to one that is not yet in use. As you can see in the image above, we have three requests from the same public IP address but with differing source ports. The router keeps a translation table of (private IP, private port) to (public IP, translated port); when responses come back from our target web site (in this case cisco.com), the destination port is looked up in that table and the packet is translated back and forwarded to the appropriate computer.

But now our small business decides it needs a web site and FTP site for customers. What now?

Port Address Translation, or PAT, also works for this scenario. Let's say that 192.168.2.30 is going to host the web site with an Apache install. Great, but how do customers find this web site? We can assign a port map (a static port forward) in the router so that all requests to are routed to

Please note that only one translation can be live at any one time for a given public port: there can only be one … per port.

So if we wanted to implement the FTP server for customers, and that needed to be on, we can put a redirect from, thus routing the FTP traffic to the correct machine.
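As an added example (not from the original post), here is the translation table behind the two scenarios above, modelled in Python: dynamic PAT for the three hosts going out at once, and static port maps for the customer-facing web and FTP servers, including the one-target-per-public-port rule. The public address 203.0.113.10 (from the TEST-NET-3 documentation range) and the FTP host 192.168.2.40 are assumptions; 192.168.2.30 is the web server from the text.

```python
"""Added example: a minimal PAT (NAPT) translation table with static port forwards."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class PatRouter:
    public_ip: str                 # the single WAN address supplied by the ISP
    next_port: int = 1024          # first translated source port to hand out
    # (private ip, private port) -> translated public port
    outbound: Dict[Endpoint, int] = field(default_factory=dict)
    # public port -> (private ip, private port); shared by dynamic PAT and static forwards
    inbound: Dict[int, Endpoint] = field(default_factory=dict)

    def forward(self, public_port: int, target: Endpoint) -> None:
        """Static port map (port forwarding). A public port can only point at one inside socket."""
        if public_port in self.inbound:
            raise ValueError(
                f"public port {public_port} is already translated to {self.inbound[public_port]}")
        self.inbound[public_port] = target

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing segment to (public_ip, unique public port)."""
        if src not in self.outbound:
            # Skip ports that a forward or another host's translation already owns.
            while self.next_port in self.inbound:
                self.next_port += 1
            if self.next_port > 65535:
                raise RuntimeError("no free public ports left on this address")
            self.outbound[src] = self.next_port
            self.inbound[self.next_port] = src
            self.next_port += 1
        return (self.public_ip, self.outbound[src])

    def translate_in(self, public_port: int) -> Optional[Endpoint]:
        """For a segment arriving at public_ip:public_port, find the inside host it belongs to."""
        return self.inbound.get(public_port)


def demo() -> dict:
    # Constructed addresses: 203.0.113.10 is from the TEST-NET-3 documentation range.
    router = PatRouter(public_ip="203.0.113.10")
    hosts = [("192.168.2.10", 50000), ("192.168.2.20", 50000), ("192.168.2.30", 41234)]
    # All three hosts open a connection to the same web site at the same time. Two of them
    # happened to pick the same private source port and still get distinct public ports.
    translated = {h: router.translate_out(h) for h in hosts}
    # Static forwards for the customer-facing web server and the FTP control channel.
    router.forward(80, ("192.168.2.30", 80))
    router.forward(21, ("192.168.2.40", 21))   # 192.168.2.40 is an assumed FTP host
    try:
        router.forward(80, ("192.168.2.40", 80))   # a second target for port 80 is rejected
        clash = False
    except ValueError:
        clash = True
    return {
        "translated": translated,
        "reply_for_1025": router.translate_in(1025),  # a response from the web site
        "web": router.translate_in(80),
        "ftp": router.translate_in(21),
        "clash": clash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

One caveat the model makes visible: forwarding TCP 21 only covers the FTP control channel. Active-mode data connections come from port 20 on the server and passive mode opens a separate high port, so a real router needs an FTP helper or a forwarded port range for the data channel as well.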

Just to show you how this works on a simple home router, here is my current setup:


You can see that port 80 is redirected to my web server on and there is a telnet connection redirected to






Port Numbers, NAT and PAT (Part 1)

Port numbers are very important in networking. Consider two hosts:

Host A wants to send email, a file and participate in a Telnet session with host B. All of this data flows down the network model to the physical layer, where it moves to host B, only to be reassembled and passed back up the network model to the appropriate applications on host B. Sounds simple, but how does host B know which data belongs to which application?

This is where the concept of ports comes into play. So far we have looked at addressing at Layer 2 (MAC addresses) and Layer 3 (IP addresses), but there is yet another layer to addressing – Layer 4, the transport layer. Layer 4 addressing is in the form of a SOCKET, which is made up of the Layer 3 IP address and a port, written as address:port. This is often written thus: — would be the HTTP port on the address

So in our example, let's say host A is at and host B is at


To prevent the data from getting jumbled (a technical term) we assign each application a port. The problem with this is again, how does host B know that the data arriving on port 110 from host A is for the mail (POP3) application? There is a convention called Well Known Ports: a registry maintained by the IANA in which commonly used ports are assigned to specific services and, by convention, used only for those services. Nothing on the wire enforces this, so a port number is a hint about the service, not proof of it.


A port is a 16-bit value, giving 65,536 possible ports (0 to 65,535). Of these, the first 1,024 (0 to 1,023) are the well known ports.

Note that the port address for host A does not have to be the same as the port address for host B. Every segment carries two ports, the source and the destination, and they don't have to match: the client typically picks an ephemeral source port and sends to the server's well known destination port.

With the first 1,024 ports as well known ports, the remaining ports are split up as follows: registered ports (1,024 to 49,151), assigned by the IANA to specific applications on request, and dynamic or private ports (49,152 to 65,535), which clients use as ephemeral source ports.

Also note that ports can be UDP or TCP and some services exist in both protocols. The TCP and UDP port spaces are separate, so TCP 53 and UDP 53 are different sockets.

Our list of well known ports to know for the CCENT should include:

 Port  Protocol  Service
 20    tcp       ftp (data)
 21    tcp       ftp (control)
 22    tcp       ssh
 23    tcp       telnet
 25    tcp       smtp
 53    udp       dns (also tcp, for zone transfers and large responses)
 69    udp       tftp
 80    tcp       http
 110   tcp       pop3
 119   tcp       nntp
 123   udp       ntp
 443   tcp       https (ssl/tls)
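The question the post opens with (how does host B know which data is for which application?) is answered by the destination port, and the source port is whatever host A chose. As an added example that is not part of the original post, the Python below builds minimal TCP segments, has a model of host B hand each one to the application listening on its destination port, and builds the reply with the ports swapped. The hosts 10.0.0.1 and 10.0.0.2, the ephemeral ports and the unused port 8080 are constructed for the example.

```python
"""Added example: how host B demultiplexes incoming segments by destination port."""
import struct
from typing import Dict, Optional, Tuple

# IANA port ranges (RFC 6335): a port is 16 bits, so 0..65535.
PORT_RANGES = (("well-known", 0, 1023), ("registered", 1024, 49151), ("dynamic/private", 49152, 65535))

# TCP header (RFC 793): src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent.
TCP_HDR = struct.Struct("!HHIIBBHHH")
SYN, RST, ACK = 0x02, 0x04, 0x10


def port_range(port: int) -> str:
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"{port} does not fit in a 16-bit port field")
    for name, lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return name
    raise AssertionError("unreachable")


def build_segment(src_port: int, dst_port: int, flags: int, payload: bytes = b"") -> bytes:
    """Minimal TCP segment: 20-byte header (data offset 5), no options, checksum left at 0."""
    for p in (src_port, dst_port):
        port_range(p)  # range check only
    return TCP_HDR.pack(src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def parse_segment(segment: bytes) -> Dict[str, object]:
    if len(segment) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_res, flags, _win, _csum, _urg = TCP_HDR.unpack_from(segment)
    data_offset = (off_res >> 4) * 4          # header length in bytes
    return {"src_port": src, "dst_port": dst, "flags": flags, "payload": segment[data_offset:]}


class Host:
    """One listening socket per application, keyed by local port."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.listeners: Dict[int, str] = {}

    def listen(self, port: int, app: str) -> None:
        port_range(port)
        self.listeners[port] = app

    def deliver(self, src_ip: str, segment: bytes) -> Tuple[Optional[str], bytes]:
        """Hand the segment to the app on its destination port and build the reply.
        The reply swaps the ports: our well-known port becomes the source and the
        peer's ephemeral port becomes the destination."""
        seg = parse_segment(segment)
        remote = f"{src_ip}:{seg['src_port']}"   # the socket on host A
        local = f"{self.ip}:{seg['dst_port']}"   # the socket on host B
        app = self.listeners.get(seg["dst_port"])
        if app is None:
            # Nothing listening: a real stack answers a SYN to a closed port with RST/ACK.
            return None, build_segment(seg["dst_port"], seg["src_port"], RST | ACK)
        return f"{app} ({remote} -> {local})", build_segment(seg["dst_port"], seg["src_port"], SYN | ACK)


def demo() -> Dict[int, Dict[str, object]]:
    # Constructed hosts for the post's scenario: A (10.0.0.1) talks mail, telnet and FTP to B (10.0.0.2).
    host_b = Host("10.0.0.2")
    for port, app in ((25, "smtp"), (23, "telnet"), (21, "ftp")):
        host_b.listen(port, app)
    results: Dict[int, Dict[str, object]] = {}
    # Host A picks a fresh ephemeral source port per connection; nothing listens on 8080 at B.
    for eph_port, dst_port in ((50000, 25), (50001, 23), (50002, 21), (50003, 8080)):
        app, reply = host_b.deliver("10.0.0.1", build_segment(eph_port, dst_port, SYN))
        r = parse_segment(reply)
        results[dst_port] = {"app": app, "reply": (r["src_port"], r["dst_port"], r["flags"]),
                             "src_range": port_range(eph_port), "dst_range": port_range(dst_port)}
    return results
```

The RST for port 8080 is the behaviour a port scanner relies on: a closed port answers differently from an open one, which is why unused services should not be listening at all rather than merely undocumented.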





For any data transaction on our networks, we need both the MAC and IP addresses of the other end. To get this information for our transactions, we use DHCP, DNS and ARP. ARP is a Layer 2 protocol (it maps Layer 3 addresses to Layer 2 addresses); DHCP and DNS run over UDP/IP and supply the Layer 3 information a host needs. Let's consider a data transfer between two hosts (A & B) with the assumption that we know the name of the host we wish to send data to (B).

Dynamic Host Configuration Protocol (DHCP)

Before anything can happen at host A, Host A needs to know what its own IP address is, the addresses of the DNS servers, the subnet mask, the default gateway, the lease time and all of that. DHCP is the mechanism by which this works. We can hard code this, but we generally don't because networks are dynamic and we are smart.

  • (D) Host sends out a DHCP Discover message (a broadcast: the host has no IP address yet, so it sends from 0.0.0.0 to 255.255.255.255)
  • (O) DHCP server(s) respond with an Offer of an address (normally a unicast to the client's MAC address, or a broadcast if the client set the broadcast flag)
  • (R) Host sends a DHCP Request accepting one offer, normally the first it receives (if there are multiple DHCP servers on the network). This is also a broadcast, so the other servers see that their offers were not taken
  • (A) The chosen DHCP server issues an Acknowledgment with the lease and any other info the client needs (mask, gateway, DNS)

(DORA the explorer!)
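As an added example (not from the original post), here are the first two steps of DORA on the wire in Python: a DHCPDISCOVER is built in the RFC 2131 message format, a DHCPOFFER is built the way a server would, and the client side parses the offer's RFC 2132 options (subnet mask, router, DNS, lease time, server identifier) after checking that the transaction id and client MAC match its own Discover. The client MAC, the transaction id and the 192.168.1.x addresses are constructed; nothing touches the network.

```python
"""Added example: the DHCP Discover/Offer exchange (RFC 2131 message format, RFC 2132 options)."""
import struct
from typing import Dict, Iterable, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# Option 53 (DHCP message type) values for D, O, R and A.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BROADCAST_FLAG = 0x8000

# Fixed 236-byte part: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build(op: int, msg_type: int, xid: int, client_mac: bytes, yiaddr: str = "0.0.0.0",
          options: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Build a DHCP message: fixed header, magic cookie, message type, extra options, End."""
    fixed = FIXED.pack(op, 1, 6, 0, xid, 0, BROADCAST_FLAG,           # htype 1 = Ethernet, hlen 6
                       ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"),
                       client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytearray(MAGIC_COOKIE)
    for code, value in [(53, bytes([msg_type])), *options]:
        opts += bytes([code, len(value)]) + value
    opts.append(255)  # End option
    return fixed + bytes(opts)


def parse(data: bytes) -> Dict[str, object]:
    if len(data) < FIXED.size + 4 or data[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = FIXED.unpack_from(data)
    opts: Dict[int, bytes] = {}
    i = FIXED.size + 4
    while i < len(data):
        code = data[i]
        if code == 255:          # End
            break
        if code == 0:            # Pad
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
            "chaddr": chaddr[:hlen], "yiaddr": ip_str(yiaddr), "options": opts}


def client_config_from_offer(discover: bytes, offer: bytes) -> Dict[str, object]:
    """What the client keeps from an OFFER, after checking it really answers its own DISCOVER."""
    d, o = parse(discover), parse(offer)
    if o["op"] != BOOTREPLY or o["options"].get(53) != bytes([OFFER]):
        raise ValueError("not an offer")
    if o["xid"] != d["xid"] or o["chaddr"] != d["chaddr"]:
        raise ValueError("offer is for a different transaction or client; ignore it")
    opts = o["options"]
    return {
        "ip": o["yiaddr"],
        "mask": ip_str(opts[1]),
        "gateway": ip_str(opts[3]),
        "dns": [ip_str(opts[6][i:i + 4]) for i in range(0, len(opts[6]), 4)],
        "lease_seconds": struct.unpack("!I", opts[51])[0],
        "server": ip_str(opts[54]),
    }


def demo() -> Dict[str, object]:
    # Constructed client MAC, transaction id and server answers.
    mac = bytes.fromhex("001122334455")
    discover = build(BOOTREQUEST, DISCOVER, xid=0x3903F326, client_mac=mac)
    offer = build(BOOTREPLY, OFFER, xid=0x3903F326, client_mac=mac, yiaddr="192.168.1.50", options=[
        (1, ip_bytes("255.255.255.0")),                       # subnet mask
        (3, ip_bytes("192.168.1.1")),                         # router (default gateway)
        (6, ip_bytes("192.168.1.1") + ip_bytes("192.168.1.2")),  # DNS servers
        (51, struct.pack("!I", 86400)),                       # lease time, seconds
        (54, ip_bytes("192.168.1.1")),                        # server identifier
    ])
    return client_config_from_offer(discover, offer)
```

The xid and chaddr check is the only thing that ties an offer to the client's own request; DHCP has no authentication, so any host on the segment that answers first can hand out a gateway and DNS server. That is the reason the "first offer wins" rule above matters on an untrusted LAN.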


Now we need to establish the IP address of host B and for that, we use DNS.

Domain Name System (DNS)

DNS is used as a human interface protocol to help humans resolve the IP address of web sites and hosts from the host or web site name. The host sends a lookup request to the DNS server, which responds with the IP address of the host. That is it. DNS itself is an application protocol (normally over UDP port 53), but what it gives us is the Layer 3 address.

So how does the host know what the IP address is of the DNS server? There are two answers to this question:

  1. The DNS IP address is hard coded on our host
  2. The DNS IP address is dynamically obtained via a DHCP transaction


Address Resolution Protocol (ARP)

Now that we have our IP address, we still need the MAC address to complete the data required to send our packet(s) to host B. ARP is a Layer 2 protocol for resolving MAC addresses, but beware, there is no ARP server. ARP is a process that uses broadcasts and replies.

Host A sends an ARP request for the host we want to send data to, Host B, as it knows its IP address. As it does not yet know the MAC address, it sends the frame to the broadcast MAC address: ff:ff:ff:ff:ff:ff (48 bits, six octets). Note that all other devices on this network segment also see this request, but ignore it because the requested IP is not theirs. Host B will then respond with its MAC address (this is a unicast response), so now Host A has everything it needs to initiate its data transfer (IP and MAC address).

To reduce network overhead, the ARP data is cached for a while (command line: arp -a … this works on Windows and, where the net-tools package is installed, on Linux; modern Linux also has ip neigh). Note that ARP replies are accepted without any authentication, so a cache entry is only as trustworthy as the segment it was learned on.


So this is all fine if we are talking local (switch only) topology, but what if there is a router (or three) between host A and host B? Normally host A compares host B's IP address with its own subnet mask, sees that B is not local, and ARPs for its default gateway instead. This is also where the concept of PROXY ARP comes into play.

Proxy ARP

If host B is not on the same network as host A, and host A ARPs for host B's address anyway (for example because its subnet mask says B is local), a router with proxy ARP enabled will respond to the ARP request with its own MAC address, and that is all there is to it. The IP address does not change; the router then forwards the packet on towards B. Because proxy ARP lets a router answer for addresses that are not its own, it is commonly disabled on interfaces where it is not needed (no ip proxy-arp on Cisco IOS).

So in conclusion, ARP and DNS work together to help create our links between hosts as follows:

  • Host A needs to send data to host B
  • Host A sends a DNS request for Host B's IP address
  • Host A receives the IP address from the DNS server
  • Host A sends an ARP request for the IP address of host B (to the MAC broadcast address ff:ff:ff:ff:ff:ff)
  • Host B sends an ARP reply containing its MAC address
  • ARP data is cached at the host(s) to speed up processing
  • If host B is on another network, host A ARPs for its default gateway instead, or a router running proxy ARP answers for B with its own MAC address (routers do not forward broadcasts, so the ARP request never reaches B)
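As an added example that is not part of the original post, the Python below builds the frames from the list above: an ARP request from host A to the broadcast MAC, the unicast reply from host B (and the silence from host C, which sees the broadcast but does not own the address), and a host-side ARP cache like the one arp -a shows. It goes one step beyond the text by having the cache record when an IP it already knows suddenly arrives with a different MAC, since an ARP reply is believed without any check. All MACs and 192.168.1.x addresses are constructed.

```python
"""Added example: ARP request (broadcast) and reply (unicast) frames, plus a host ARP cache."""
import struct
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = bytes.fromhex("ffffffffffff")   # 6 octets (48 bits), all ones
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell sender_ip.' The target MAC is unknown, so the frame goes to the broadcast MAC."""
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                   mac_bytes(sender_mac), ip_bytes(sender_ip), bytes(6), ip_bytes(target_ip))
    return ETH.pack(BROADCAST_MAC, mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def arp_reply(request: bytes, my_mac: str, my_ip: str) -> Optional[bytes]:
    """Only the owner of the requested IP answers, and it answers the asker directly (unicast)."""
    _dst, _src, etype = ETH.unpack_from(request)
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP.unpack_from(request, ETH.size)
    if etype != ETHERTYPE_ARP or oper != ARP_REQUEST or ip_str(tpa) != my_ip:
        return None   # every other host on the segment sees the broadcast and ignores it
    arp = ARP.pack(htype, ptype, hlen, plen, ARP_REPLY, mac_bytes(my_mac), tpa, sha, spa)
    return ETH.pack(sha, mac_bytes(my_mac), ETHERTYPE_ARP) + arp


class ArpCache:
    """Host-side cache (what 'arp -a' shows). Records when a known IP reports a new MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.changes: List[Tuple[str, str, str]] = []

    def learn(self, frame: bytes) -> Optional[str]:
        _dst, _src, etype = ETH.unpack_from(frame)
        if etype != ETHERTYPE_ARP:
            return None
        _h, _p, _hl, _pl, oper, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
        if oper != ARP_REPLY:
            return None
        ip, mac = ip_str(spa), mac_str(sha)
        old = self.table.get(ip)
        if old is not None and old != mac:
            # ARP has no authentication, so a reply is simply believed. A MAC flip for a
            # known IP (especially the default gateway) is worth logging and looking into.
            self.changes.append((ip, old, mac))
        self.table[ip] = mac
        return mac


def demo() -> Dict[str, object]:
    # Constructed hosts: A wants to send to B; C is another host on the same segment.
    a_mac, a_ip = "00:11:22:aa:aa:aa", "192.168.1.10"
    b_mac, b_ip = "00:11:22:bb:bb:bb", "192.168.1.20"
    c_mac, c_ip = "00:11:22:cc:cc:cc", "192.168.1.30"
    cache = ArpCache()
    req = arp_request(a_mac, a_ip, b_ip)
    request_dst = mac_str(ETH.unpack_from(req)[0])
    replies = [arp_reply(req, m, i) for m, i in ((b_mac, b_ip), (c_mac, c_ip))]
    for r in replies:
        if r is not None:
            cache.learn(r)
    reply_dst = mac_str(ETH.unpack_from(replies[0])[0])
    # Later, an unsolicited reply claims B's IP with C's MAC.
    rogue = ETH.pack(mac_bytes(a_mac), mac_bytes(c_mac), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(c_mac), ip_bytes(b_ip), mac_bytes(a_mac), ip_bytes(a_ip))
    cache.learn(rogue)
    return {"request_dst": request_dst, "reply_dst": reply_dst, "c_answered": replies[1] is not None,
            "table": dict(cache.table), "changes": list(cache.changes)}
```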





Basic Switch Port Modes & Security

Today I am looking at basic switching and switch operation.

But First …

It is good to add a reminder at this point that we are working exclusively with Ethernet when it comes to switches. Another point worth mentioning is this: I am sure you have a home network, likely with a wireless router. That router probably has some switch ports (home units are router, switch and wireless access point in one), and one of those ports is for upstream traffic; i.e. the WAN connection to the DSL or cable modem. If you have some Cisco switches, you'll notice that they don't really have an 'upstream' connection.

This is in part due to the home router being a 3 in 1 device (so the upstream port is essentially the router Ethernet port) but also, your Cisco switch is configurable. You can form trunks with multiple Ethernet ports to create upstream ports if such a thing is required, or in some cases, special high speed ports are a part of the switch, and they can be designated or configured as upstream.

Switch Port modes

Switch ports can be configured into several modes:

  • Shutdown – This should be the default mode if the port is not being used
  • Trunking – trunking will be covered in a later post
  • Access – access mode is for connecting to hosts
  • Error disabled – the err-disabled state a port is put into after a security violation (or another error condition); it stays down until an administrator clears it or errdisable recovery re-enables it

We can set the mode as follows:

s2950(config)#int fast 0/4
s2950(config-if)#switchport mode ?
 access  Set trunking mode to ACCESS unconditionally
 dynamic Set trunking mode to dynamically negotiate access or trunk mode
 trunk   Set trunking mode to TRUNK unconditionally

Generally we don't use dynamic mode, as it is a security risk.

Side note: dynamic mode uses the Dynamic Trunking Protocol (DTP) to negotiate. When another device that speaks DTP is connected to the port, the two negotiate and the port becomes a trunk, which exposes all of your VLANs to the second device. If this is a rogue switch (or an attacker's machine sending DTP frames), you have just opened your network to it. Setting the port to access mode stops the negotiation.

Basic Switch Security

There are a number of things we can do to keep our networks secure. In this post, we will be looking at some switch basics. Switches can be vulnerable as they are on the edge of the network, allowing users and undesirables alike to connect. How do we prevent the undesirables?

  • Lock up your server room – basic but overlooked
  • Unused VLAN – put unused ports in an unused VLAN rather than VLAN 1
  • Use the shutdown command to close unused ports
  • Prevent the port from trunking with the switchport mode access command
  • Ports not in use are disabled (shut down) so they forward nothing, rather than being left active in the default VLAN


Port Security

We can secure our ports as we mentioned above, by shutting them down, but what about the ports we need to keep open? In this case we can use port security, which is based on the source MAC address of the frames arriving on the port. If the source MAC address is not one the port has been told (or has learned) to trust, the port will drop the frames, shut itself down, or just log that there is a problem, depending on the violation mode.

To set up port security, lets first open up a port in access mode.

conf t
int fast 0/4
switchport mode access    -- puts the port into access mode
switchport port-security  -- enables port security
no shut                   -- brings the port up

So what options does port security give us?

s2950(config-if)#switchport port-security ?
 aging           Port-security aging commands
 mac-address     Secure mac address
 maximum         Max secure addresses
 violation       Security violation mode

Use the mac-address option to define a secure (or several secure) mac addresses.

maximum is the maximum number of 'secure' MAC addresses on the port (the default is one). If we don't configure an address, the port learns the first MAC address it sees as the secure address. Such a dynamically learned address is lost on reload unless sticky is enabled, which writes the learned address into the running config.

violation describes the action taken by the port once a violation has occurred.

s2950(config-if)#switchport port-security violation ?
 protect          Security violation protect mode
 restrict         Security violation restrict mode
 shutdown         Security violation shutdown mode

  • shutdown is the default. It drops the violating frame, increments the violation counter, logs the event (syslog and SNMP trap) and puts the port into the err-disabled state, so everything on that port stops until it is recovered.
  • restrict drops the violating frames, increments the violation counter and logs the event, but does not shut the port; traffic from the secure addresses keeps flowing.
  • protect just drops the violating frames, silently: no counter, no log, which makes it the hardest mode to notice.

Lets assume we have a switch in a small office with a number of hosts attached. We can code the ports thus:

interface FastEthernet0/4
 switchport mode access                      -- enables access mode
 switchport port-security                    -- enables security 
 switchport port-security mac-address sticky -- learns the first mac address seen and keeps it as a secure address in the running config
 switchport port-security maximum 1          -- only 1 secure mac address
 switchport port-security violation shutdown -- shuts the port in case of violation
 no shutdown                                 -- opens the port

As the switch powers up or the hosts are connected, the security parameters are satisfied, and the hosts are able to connect to the WAN.

Now, let's say our intrepid employee at host C wants to connect his laptop, so he brings in a wireless router from home. He disconnects host C, plugs in his wireless router, plugs host C into one of the router's LAN ports and tries to continue to work. The problem for him is that he now can't connect to the WAN. Why is this?


The problem for our intrepid employee is that we don't want an unsecured access point connected to our network, and in plugging his router in (whose WAN port has a different MAC address from Host C), he has triggered port security, putting his switch port into the err-disabled state. The port stays down until an administrator does a shutdown / no shutdown on it (or errdisable recovery is configured for psecure-violation). This is where you get to explain network security again 🙂
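To make the three violation modes concrete, here is an added example (not from the original post, and not real IOS output) that models a port-security port in Python and runs the intrepid-employee scenario through it three times: once with shutdown, once with restrict and once with protect. The MAC addresses are constructed; the log strings are the model's own wording, not IOS syslog text.

```python
"""Added example: a model of port security (sticky learning, maximum, and the three violation modes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum 1
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default)
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    status: str = "secure-up"
    violation_count: int = 0
    log: List[str] = field(default_factory=list)    # modelled messages, not real IOS syslog text

    def receive(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if the switch forwards it."""
        if self.status == "err-disabled":
            return False             # stays down until an admin (or errdisable recovery) brings it back
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # the first MAC seen becomes the secure address
            how = "sticky (saved to running-config)" if self.sticky else "dynamic (lost on reload)"
            self.log.append(f"{self.name}: learned {src_mac} as {how}")
            return True
        # Unknown source MAC and the port is already at its maximum: a violation.
        if self.violation == "protect":
            return False                       # silent drop: no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped, port stays up")
            return False
        self.status = "err-disabled"
        self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        return False


def run_scenario(mode: str) -> Dict[str, object]:
    """Host C works on Fa0/4, then the employee puts a home router in front of it."""
    host_c, home_router = "00:0c:29:11:22:33", "f8:1a:67:44:55:66"   # constructed MACs
    port = SecurePort("Fa0/4", violation=mode)
    first = port.receive(host_c)          # learned as the sticky secure address and forwarded
    routed = port.receive(home_router)    # only the router's MAC is on the wire now: violation
    after = port.receive(host_c)          # what happens if host C is plugged straight back in
    return {"host_c_first": first, "router": routed, "host_c_after": after,
            "status": port.status, "violations": port.violation_count,
            "secure": sorted(port.secure_macs), "log": list(port.log)}


def demo() -> Dict[str, Dict[str, object]]:
    return {mode: run_scenario(mode) for mode in ("shutdown", "restrict", "protect")}
```

The comparison shows the trade-off: shutdown is the loudest and also takes the legitimate host down with the rogue device, restrict keeps the real host working while still counting and logging, and protect leaves nothing behind to find in the logs.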

To verify that we have our security settings correct, we can issue a per port, show command:

s2950#sh port-security int fast0/4
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0

Obviously I haven’t connected anything yet, so there is no sticky MAC address and the port is down (no cable attached)


Introduction to VLANs

OK, time to dig into VLANs. So what is a VLAN? It is a Virtual Local Area Network.

When we looked at hubs, we learned that a hub is a single collision domain and a single broadcast domain. By moving to switches, we micro-segmented the collision domain (each switch port is its own collision domain), but the switch is still one broadcast domain.

VLANs enable us to logically segment a switch (or switches) into multiple broadcast domains.



Port & VLAN commands

When a switch powers on, with its default configuration, all ports are in VLAN 1.

We can see this by using a show vlan brief command

s2950#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

In interface config mode, we can change the VLAN so:

switchport mode access
switchport access vlan 32

… which puts your port into VLAN 32.

To remove it from the VLAN, simply reverse the process using the no command:

no switchport access vlan 32
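Tying this back to the switch security post: the quickest audit for "unused ports left in VLAN 1" is to read show vlan brief. As an added example (not from the original post), the Python below parses output in that layout, including the wrapped continuation lines, and lists the ports still in the default VLAN. The sample output is constructed to mirror the s2950 listing above, trimmed to a few ports, with VLANs 32 and 999 added to show ports that have been moved.

```python
"""Added example: parse 'show vlan brief' output and list the ports still in VLAN 1."""
import re
from typing import Dict, List

# Constructed output in the same layout as the post's s2950, trimmed to a few ports.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Gi0/1, Gi0/2
32   engineering                      active    Fa0/7, Fa0/8
999  parking                          active    Fa0/9, Fa0/10
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A VLAN row starts with the numeric VLAN id; wrapped port lists are indented continuation rows.
ROW = re.compile(r"^(\d{1,4})\s+(\S+)\s+(active|act/unsup|suspended)\s*(.*)$")
CONTINUATION = re.compile(r"^\s{10,}(\S.*)$")


def _ports(column: str) -> List[str]:
    return [p.strip() for p in column.split(",") if p.strip()]


def parse_vlan_brief(text: str) -> Dict[int, Dict[str, object]]:
    vlans: Dict[int, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = vlans[int(vid)] = {"name": name, "status": status, "ports": _ports(ports)}
            continue
        m = CONTINUATION.match(line)
        if m and current is not None:
            current["ports"].extend(_ports(m.group(1)))   # wrapped port list belongs to the row above
    return vlans


def ports_in_vlan1(vlans: Dict[int, Dict[str, object]]) -> List[str]:
    """Ports left in the default VLAN; unused ones belong in a dedicated unused VLAN, shut down."""
    return list(vlans.get(1, {}).get("ports", []))


def port_to_vlan(vlans: Dict[int, Dict[str, object]]) -> Dict[str, int]:
    return {port: vid for vid, v in vlans.items() for port in v["ports"]}
```

Feeding this the real output (show vlan brief copied from the switch) gives you the list of ports to walk through with switchport access vlan and shutdown.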


Other things I should know:

While this is a VLAN lab, there is a brief article here, that lists the 10 commands I should master for IOS.

And that is it for today – internet is getting spotty because of the storm coming across GA right now. Going to take the dog for a walk and batten down the hatches!
