Tag Archives: OSI Layer 3

Port Numbers, NAT and PAT (Part 2)

One of the key themes running through our small labs and examples is that we often use private IP addresses. The problem with private IP addresses is that they cannot be routed out onto the internet. To do that, we have to perform something called Network Address Translation (NAT).

Here is an example.

This is a small business that owns one IP number – the WAN IP, as supplied by the ISP. If the business only has one computer that needs to access the internet, this will work just fine, but in this case we have three.

The three hosts are put on a private Class C network, and can access the WAN via the router (as an aside, this is most likely the same as your home network). So when a host attempts to access a website – cisco.com for instance – the router takes its private IP address and translates it to the public IP address. If all three computers access the WAN at different times this still works, but if they all try to access the WAN at the same time, what happens?

We can do one of two things: we can buy more public IP addresses or we can use Port Address Translation (PAT).


What the router does in this case is translate the private IP to its public one again, but it also assigns a different source port to the outgoing request. As you can see in the image above, we have three requests from the same public IP number but with differing source ports. The router maintains a table of translations, and when responses come back from our target web site (in this case cisco.com) the response is translated and routed to the appropriate computer.

But now our small business decides it needs a web site and FTP site for customers. What now?

Port Address Translation, or PAT, also works for this scenario. Let's say that 192.168.2.30 is going to host the web site with an Apache install. Great, but how do customers find this web site? We can assign a port map in the router so that all requests to are routed to

Please note that only one translation can be live at any one time, there can only be one … per port.

So if we wanted to implement the FTP server for customers, and that needed to be on, we can put a redirect from, thus routing the FTP traffic to the correct machine.

Just to show you how this works on a simple home router, here is my current set up:


You can see that port 80 is redirected to my web server on and there is a telnet connection redirected to
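To make the two halves of this post concrete, here is a small model of the router's translation table, written as an added example (it is not code from the original post or from any router firmware). It also illustrates the point from Part 1 that source and destination ports are independent: all three private hosts use the same source port, and the router still keeps their flows apart by assigning each one a distinct public port from the range above the well-known ports. The WAN address 203.0.113.10 and the remote address 198.51.100.5 are constructed sample values from the documentation ranges; 192.168.2.30 is the web server from the post.

```python
"""Toy PAT (port address translation) table with static port forwarding.
Added illustration for the post above; addresses are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"    # constructed WAN address supplied "by the ISP"
EPHEMERAL_START = 49152       # router hands out public ports from here, above the well-known range


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = EPHEMERAL_START
    # public port -> (private ip, private port): one live translation per public port
    outbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # (private ip, private port, dst ip, dst port) -> public port, so a flow reuses its mapping
    by_flow: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # static port map for inbound services, e.g. 80 -> ("192.168.2.30", 80)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def add_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Static redirect; only one translation may be live per public port."""
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} already mapped")
        self.forwards[public_port] = (private_ip, private_port)

    def translate_out(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the private source IP and pick a unique public source port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[pub_port] = (pkt.src_ip, pkt.src_port)
            self.by_flow[key] = pub_port
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: a reply to a live translation, a forwarded service, or dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.outbound.get(pkt.dst_port)
        if entry is not None:
            priv_ip, priv_port = entry
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None  # nothing inside asked for this and nothing is published on it


def demo():
    """Three hosts browse at the same time, then a customer reaches the published web server."""
    router = PatRouter()
    router.add_forward(80, "192.168.2.30", 80)
    hosts = ["192.168.2.10", "192.168.2.20", "192.168.2.30"]
    # every host happens to pick source port 1025; the router must still tell them apart
    outbound = [router.translate_out(Packet(h, 1025, "198.51.100.5", 80)) for h in hosts]
    replies = [router.translate_in(Packet("198.51.100.5", 80, PUBLIC_IP, p.src_port)) for p in outbound]
    customer = router.translate_in(Packet("198.51.100.77", 51000, PUBLIC_IP, 80))
    dropped = router.translate_in(Packet("198.51.100.77", 51000, PUBLIC_IP, 21))  # no FTP map yet
    return outbound, replies, customer, dropped


if __name__ == "__main__":
    out, back, cust, drop = demo()
    for p in out:
        print("out:", p)
    for p in back:
        print("reply:", p)
    print("customer:", cust, "| unmapped port 21:", drop)
```

The unsolicited packet to port 21 is dropped because no translation and no forward exist for it, which is the side effect people rely on when they describe a NAT box as "a bit of a firewall"; it is not a substitute for one, since anything you publish with a port map is reachable from the whole internet.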


Port Numbers, NAT and PAT (Part 1)

Port numbers are very important in networking. Consider two hosts:

Host A wants to send email, send a file and participate in a Telnet session with host B. All of this data flows down the network model to the physical layer, where it moves to host B, only to be reassembled and passed back up the network model to the appropriate applications on host B. Sounds simple, but how does host B know which data is for which application?

This is where the concept of ports comes into play. So far we have looked at addressing at Layer 2 (MAC addresses) and Layer 3 (IP addresses), but there is yet another layer of addressing – Layer 4, the transport layer. Layer 4 addressing takes the form of a SOCKET, which is comprised of the Layer 3 IP address and a port. This is often written thus: — would be the HTTP port on the address

So in our example, let's say host A is at and host B is at


To prevent the data from getting jumbled (a technical term) we assign each application a port. The problem with this is, again, how does host B know that the data on port 110 from host A is email? There is a convention called Well Known Ports. This is a networking standard (defined by the IANA) where commonly used ports are defined and used only for the applications they are defined for.


The port has a 16 bit address value, giving a total number of ports of 65,535. Of these the first 1024 are well known ports.

Note that the port address for host A does not have to be the same as the port address for host B. Typically there are two ports; the source and destination, and they don’t have to match.

With the first 1024 ports as well known ports, the remaining ports are split up as follows:

Also note that ports can be UDP or TCP and some exist in both protocols.

Our list of well known ports to know for the CCENT should include:

  • 20 tcp ftp
  • 21 tcp ftp
  • 22 tcp ssh
  • 23 tcp telnet
  • 25 tcp smtp
  • 53 udp dns
  • 69 udp tftp
  • 80 tcp http
  • 110 tcp pop3
  • 119 tcp nntp
  • 123 tcp ntp
  • 443 tcp https (ssl)


Layer 3 Addressing


There are two IP address schemes; IP V4 and IP V6. For the CCENT we are only looking at IP V4.

  • IP V4: xxx.xxx.xxx.xxx
  • IP V6: xxxx.xxxx.xxxx.xxxx

Address Classes:


  • Class A: 1 – 126 /8
  • Class B: 128 – 191 /16
  • Loopback: 127
  • Autoconfig: 169.254.x.x
  • Class C: 192 – 223 /24
  • Class D: 224 – 239 — reserved for multicast
  • Class E: 240 – 255 — reserved, experimental

With respect to subnet masks, these are also 32 bit numbers, where the number is split to define the network and the hosts (See graphic).

Private Network Addresses

Another way of writing that might be:

  • Class A : /8
  • Class B : /12
  • Class C : 192.168.0.0 /16

A private network is one that you might have at home or in an office, where the hosts concerned are not addressable or accessible from the internet. The hosts may access the internet via a Network Address Translator or a Proxy Server. There is also PAT (Port Address Translation), but we will not cover that here. Private addresses are a reserved part of the overall address range, so you will not see a private address used on the public internet.

The Subnet Mask.

Much has been written about subnet masks and the task of subnetting. Needless to say one does need to be able to do binary math to make any sense of this. Subnetting is apparently a large part of the CCENT exam and one needs to be able to:

  • Subnet based on the number of networks required
  • Subnet based on the number of hosts required
  • Reverse engineer any subnet.

There are a ton of resources out there with explanations of subnetting and practice questions – start googling!

Also, try to get to the point where you can recognize binary numbers without having to go through the math. It never hurts to check your math, but be aware of the patterns that always occur in subnetting; these mask values come up again and again:

128 64  32  16   8   4   2   1
 1   1   1   1   1   1   1   0 = 254
 1   1   1   1   1   1   0   0 = 252
 1   1   1   1   1   0   0   0 = 248
 1   1   1   1   0   0   0   0 = 240
 1   1   1   0   0   0   0   0 = 224
 1   1   0   0   0   0   0   0 = 192
 1   0   0   0   0   0   0   0 = 128
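Here is the binary math from this post written out as code, as an added worked example (my own, not from the original post): it builds masks from the prefix length the way the table above does, classifies an address using the class table, checks whether it is private, and covers the three CCENT tasks listed above (size a subnet by host count, size it by subnet count, and reverse engineer any address/mask pair into network, broadcast and host range). The private ranges are the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); the addresses in the demo are constructed sample values.

```python
"""Subnet arithmetic done with explicit masks, as a worked example for the
Layer 3 addressing post. Functions are written to be checked by hand against
the 128/64/32/... pattern table above."""
import math

# RFC 1918 private blocks (network, prefix length)
PRIVATE_BLOCKS = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, validating each octet."""
    parts = [int(x) for x in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    n = 0
    for p in parts:
        n = (n << 8) | p
    return n


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/27 -> 0xFFFFFFE0, i.e. 255.255.255.224: `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """255.255.255.224 -> 27; rejects masks whose ones are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if mask_from_prefix(ones) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def address_class(ip: str) -> str:
    """Classful lookup on the first octet, matching the class table in the post."""
    n = ip_to_int(ip)
    first, second = n >> 24, (n >> 16) & 0xFF
    if first == 127:
        return "Loopback"
    if first == 169 and second == 254:
        return "Autoconfig"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if first >= 240:
        return "E"
    return "Unassigned"  # 0.x.x.x, which the class table does not cover


def is_private(ip: str) -> bool:
    n = ip_to_int(ip)
    return any((n & mask_from_prefix(p)) == ip_to_int(net) for net, p in PRIVATE_BLOCKS)


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose block still holds `hosts` usable addresses
    (network and broadcast addresses excluded, so a /30 is the smallest useful block)."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def prefix_for_subnets(base_prefix: int, subnets: int) -> int:
    """Prefix needed to carve `subnets` equal subnets out of a base_prefix block."""
    borrowed = math.ceil(math.log2(subnets)) if subnets > 1 else 0
    new_prefix = base_prefix + borrowed
    if new_prefix > 30:
        raise ValueError("too many subnets for this block")
    return new_prefix


def describe(ip: str, prefix: int) -> dict:
    """Reverse engineer any address/prefix pair into its subnet facts."""
    mask = mask_from_prefix(prefix)
    net = ip_to_int(ip) & mask                 # AND with the mask keeps the network bits
    bcast = net | (~mask & 0xFFFFFFFF)         # OR with the inverted mask sets all host bits
    usable = max(0, bcast - net - 1)
    return {
        "network": int_to_ip(net), "mask": int_to_ip(mask), "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1) if usable else None,
        "last_host": int_to_ip(bcast - 1) if usable else None,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    print("50 hosts need a /%d" % prefix_for_hosts(50))
    print("5 subnets of a /24 need a /%d each" % prefix_for_subnets(24, 5))
    print(describe("192.168.2.30", 26), address_class("192.168.2.30"), is_private("192.168.2.30"))
```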

I will cover routing in future posts, as we will cover routing protocols, the routing process itself, setting up dynamic and static routes etc.


Layer 3 and Layer 4


Today I reinforced my existing knowledge of the OSI 7 layer Network model and compared it to the TCP/IP model.
I also took note of the different mechanisms for chopping up the data at the various layers:

  • Layers 5-7: Protocol Data Units (PDUs)
  • Layer 4: Segments
  • Layer 3: Packets
  • Layer 2: Frames
  • Layer 1: bits



I took a look at ports and sockets.
I learned that MAC addresses are layer 2 addresses, IP addresses are Layer 3 and Socket/Port numbers are Layer 4, the Transport layer, all controlled by Layer 5, the session layer.


There are also some port numbers that I need to remember:

Well known port numbers
There are 65535 (16 bit address field) ports available per IP address. Each port can be UDP or TCP.

All ports below 1024 are considered well known port numbers
16384 – 32767 reserved for voice traffic.

Port Number Description

  • 20 TCP FTP — Data
  • 21 TCP FTP — Control
  • 22 TCP SSH Remote Login Protocol
  • 23 TCP Telnet
  • 24 TCP/UDP Private mail
  • 25 TCP Simple Mail Transfer Protocol (SMTP)
  • 37 Time
  • 42 Host Name Server (Nameserv)
  • 43 WhoIs
  • 49 Login Host Protocol (Login)
  • 53 UDP/TCP Domain Name System (DNS)
  • 67 UDP DHCP
  • 68 UDP DHCP
  • 69 UDP Trivial File Transfer Protocol (TFTP)
  • 79 Finger
  • 80 TCP HTTP
  • 110 TCP POP3
  • 119 TCP Newsgroup (NNTP)
  • 143 Interim Mail Access Protocol (IMAP)
  • 161 UDP SNMP
  • 194 Internet Relay Chat (IRC)
  • 443 TCP HTTPS (SSL)
  • 546 DHCP Client
  • 547 DHCP Server

Also note that FTP and TFTP are different. FTP is secure and can be used on a public network. TFTP is much less secure, and more limited in terms of capability (including in some cases, file size) and should only be used on a private network.


reliable vs best-effort

These are the two primary mechanisms for shipping data about a network. These are controlled from layer4, the transport layer, and here is a handy graphic to show the differences:

Now what does all that mean?

TCP, being connection oriented, uses handshaking to establish a connection. UDP does not do this: the packet is just sent and we ‘hope’ it arrives!

TCP uses sequence numbers to perform error detection and correction, UDP has no error detection or recovery.

So why does UDP exist? The answer lies in the overhead each protocol requires. The packet header for TCP is much larger than the packet header for UDP which makes UDP a much more efficient user of bandwidth than TCP.

TCP handshaking:

This is the process by which a TCP connection is established so that data can be transferred. The three-way handshake can be described as follows:

Remember there is also a FIN message (bit) to end the data flow.

Also note that during the data transfer, there is a process called windowing. Check out Eli’s TCP/IP video, which has an excellent section on windowing. Windowing allows larger and larger chunks of data to be sent until an error occurs; then the sending station sends one packet and starts the process all over again. The receiving station performs rudimentary error detection by telling the sending station what packet number to expect next.

For example, if packets 1, 2, 3, 4, 5 are sent, packet 6 is the next packet expected. If, however, there is noise on the cables and packets 3, 4 and 5 are lost, then the receiving station will report packet 3 as its next expected packet, thus letting the sending station know that 3, 4 and 5 did not make it. Simple but effective!

The amount of data sent in one window is set by the receiving station, and this is known as flow control.
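The windowing and "next expected packet" behaviour described above is easy to see in a short simulation. The code below is an added example written for this post, not part of it and not a TCP implementation: it follows the post's simplified model (whole packets rather than byte sequence numbers, window doubling on success and a reset to one packet on any loss) so that the 1–5 sent / 3,4,5 lost scenario can be replayed exactly. The packet counts and the set of lost packets are constructed inputs.

```python
"""Simplified windowing with cumulative acknowledgements, following the post:
the window grows while everything arrives, the receiver always answers with
the next sequence number it expects, and a gap drops the sender back to one
packet. Constructed model; real TCP numbers bytes and its congestion control
is more involved than doubling and resetting."""


def transfer(total: int, lost_once: set, initial_window: int = 1, max_window: int = 8):
    """Send packets 1..total. `lost_once` lists sequence numbers whose first
    transmission is dropped on the wire. Returns (acks, windows): the ACK the
    receiver returned after each burst, and the window size used for that burst."""
    next_expected = 1          # receiver state: the packet it wants next
    window = initial_window    # sender state: packets per burst
    attempted = set()          # sequence numbers transmitted at least once
    acks, windows = [], []
    while next_expected <= total:
        # the sender transmits one window starting at the last ACK it received
        burst = list(range(next_expected, min(next_expected + window, total + 1)))
        windows.append(window)
        for seq in burst:                        # packets travel in order
            first_try = seq not in attempted
            attempted.add(seq)
            if first_try and seq in lost_once:
                continue                         # noise on the cable: dropped
            if seq == next_expected:
                next_expected += 1               # in order: accept it
            # anything else is out of order and discarded; the ACK reports the gap
        acks.append(next_expected)               # cumulative ACK = next expected packet
        if next_expected == burst[-1] + 1:
            window = min(window * 2, max_window)  # whole burst arrived: send a bigger chunk
        else:
            window = 1                           # something is missing: back to one packet
    return acks, windows


def post_example():
    """The post's case: packets 1..5 go out together, 3, 4 and 5 are lost, and
    the receiver answers with 3 so the sender resumes from there."""
    return transfer(total=8, lost_once={3, 4, 5}, initial_window=5)


if __name__ == "__main__":
    acks, windows = post_example()
    for w, a in zip(windows, acks):
        print(f"sent window of {w}, receiver now expects packet {a}")
```

The receiver in this model throws away everything after a gap, which is why a single lost packet costs the sender the rest of the burst; the sequence of ACKs returned by `transfer()` shows the sender learning exactly where to resume, which is the "simple but effective" error detection the post describes.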




For any data transaction on our networks, we need both the MAC and IP addresses. In order to get this information for our transactions, we use ARP, DNS and DHCP. These are Layer 2 and Layer 3 protocols. Let's consider a data transfer between two hosts (A and B), with the assumption that we know the name of the host we wish to send data to (B).

Dynamic Host Configuration Protocol (DHCP)

Before anything can happen at host A, host A needs to know what its own IP address is, the address of the DNS servers, subnet info, gateway info, lease time and all of that. DHCP is the mechanism by which this works. We can hard code this, but we generally don’t, because networks are dynamic and we are smart.

  • (D) Host sends out a DHCP Discover message (This is a broadcast)
  • (O) DHCP server(s) respond with an offer (This is a unicast)
  • (R) Host responds to the first offer it receives (if multiple DHCPs on the network)
  • (A) DHCP server issues Acknowledgment with any other info the client needs

(DORA the explorer!)


Now we need to establish the IP address of host B and for that, we use DNS.

Domain Name System (DNS)

DNS is used as a human interface protocol to help humans resolve the IP address of web sites and hosts from the host or web site name. The host sends a lookup request to the DNS server, which responds with the IP address of the host. That is it. This is Layer 3.

So how does the host know what the IP address is of the DNS server? There are two answers to this question:

  1. The DNS IP address is hard coded on our host
  2. The DNS IP address is dynamically obtained via a DHCP transaction


Address Resolution Protocol (ARP)

Now that we have our IP address, we still need the MAC address to complete the data required to send our data packet(s) to host B. An ARP request is a layer 2 protocol, for MAC addresses, but beware, there is no ARP server. ARP is a process that uses broadcasts and replies.

Host A sends an ARP packet for the host it wants to send data to, Host B, since it knows Host B's IP address. As it does not yet know the MAC address, it uses the broadcast MAC address: ff:ff:ff:ff:ff:ff. Note that all other devices on this network segment also see this request, but ignore it. Host B will then respond with its MAC address (this is a unicast response), so now Host A has everything it needs to initiate its data transfer (IP and MAC address).

To reduce network overhead, the ARP data is cached (command line: arp -a … this works on Windows and Linux)


So this is all fine if we are talking local (switch only) topology, but what if there is a router (or three) between host A and host B? This is where the concept of PROXY ARP comes in to play.

Proxy ARP

If host B is not on the same network as host A, the ROUTER will respond to the ARP request with its own MAC address, and that is all there is to it. The IP address does not change.

So in conclusion, ARP and DNS work together to help create our links between hosts as follows:

  • Host A needs to send data to host B
  • Host A sends a DNS request for Host B’s IP number
  • Host A receives the IP number from the DNS server
  • Host A sends an ARP packet to the IP address of host B (with the MAC broadcast address: ff:ff:ff:ff:ff:ff)
  • Host B sends an ARP packet in response containing its MAC address
  • ARP data is cached at the host(s) to speed up processing.
  • If a router is in the way, the router responds with its MAC address instead (Routers do not extend broadcast domains)
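The ARP exchange summarised above can be built and parsed byte for byte; the example below is added for this post (it is my own code, not the post's and not from any operating system's ARP implementation). It encodes an Ethernet frame with an ARP request using the standard header layout (hardware type 1, protocol type 0x0800, 6-byte MAC, 4-byte IP, opcode 1 for request and 2 for reply), puts the broadcast address in the Ethernet destination of the request, and lets every host on a simulated segment see the request while only the owner of the target IP answers, unicast, after which the requester caches the answer the way `arp -a` would show it. The MAC and IP addresses are constructed sample values.

```python
"""Build and parse ARP request/reply frames and keep a per-host ARP cache.
Added example for the ARP section; addresses are constructed samples."""
import struct

ETH_P_ARP = 0x0806                     # EtherType for ARP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"    # 6-octet all-ones destination
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (14 bytes) + ARP body (28 bytes). Requests go to the
    broadcast MAC because the sender does not know the target's MAC yet;
    replies go unicast to the requester."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode a frame, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


class Host:
    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.cache = {}  # IP -> MAC, the table `arp -a` prints

    def handle(self, frame: bytes):
        """Process one frame seen on the segment; return a reply frame or None."""
        a = parse_arp(frame)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        if a["op"] == ARP_REPLY and a["target_ip"] == self.ip:
            self.cache[a["sender_ip"]] = a["sender_mac"]   # learn the answer
        return None  # not for us: ignored, exactly as the post describes


def resolve(requester: Host, segment: list, target_ip: str):
    """Return (mac, sent_request). Cached entries skip the broadcast entirely."""
    if target_ip in requester.cache:
        return requester.cache[target_ip], False
    req = build_arp(ARP_REQUEST, requester.mac, requester.ip, "00:00:00:00:00:00", target_ip)
    for host in segment:                 # every host on the segment sees the broadcast
        reply = host.handle(req)
        if reply is not None:
            requester.handle(reply)      # only the owner answered, unicast
    return requester.cache.get(target_ip), True


if __name__ == "__main__":
    a = Host("02:00:00:00:00:0a", "192.168.1.10")
    b = Host("02:00:00:00:00:0b", "192.168.1.20")
    print(resolve(a, [b], "192.168.1.20"))   # broadcast, then learned
    print(resolve(a, [b], "192.168.1.20"))   # answered from cache
```

Note that `Host.handle()` trusts any reply that names its own IP as the target; the protocol has no authentication, which is why switches offer features such as dynamic ARP inspection and why a changed MAC for a known gateway in `arp -a` is worth investigating.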