Implementing and Administering Cisco Solutions 200-301 CCNA Exam Guide

Implementing and Administering Cisco Solutions 200-301 CCNA Exam Guide: Everything you need to pass the 200-301 CCNA v1.1 exam and advance your career as a network engineer, Second Edition

By Glen D. Singh and Neil Anderson
eBook Jul 2025 700 pages 2nd Edition

Introduction to Networking

The Cisco Certified Network Associate (CCNA) 200-301 certification is designed to prepare you for associate-level networking roles in the information technology (IT) industry. CCNA is one of the most popular certification requirements for almost every network engineering job, and there is a very good reason why. The CCNA certification is a foundational-level certification with a lot of essential information. Although part of the name contains the word “associate,” it is simply a part of the Cisco certification hierarchical structure since the next level is Cisco Certified Network Professional (CCNP) and at the top is Cisco Certified Internetwork Expert (CCIE).

The CCNA certification is one of the most highly recommended certifications in the field of network engineering that you can acquire to either break into the industry or gain a career boost. The CCNA certification will provide you with the foundational knowledge and skills necessary for roles involving the design, implementation, configuration, and troubleshooting of small to medium-sized enterprise networks. You will learn how to efficiently implement network access, IP connectivity, IP services, and network security configuration on an enterprise network. Additionally, gaining the CCNA certification will open up a whole new world of career opportunities as the certification is well respected in the networking field.

Making the Most of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your CCNA.

The book is written in a way that means you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, chapter review questions, interactive flashcards, case studies, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 19, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources

Here are some tips on how to make the most of this book so that you can clear your certification and retain your knowledge beyond your exam:

  1. Read each section thoroughly.
  2. Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
  3. Chapter review questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end of the book.
  4. Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
  5. Mock exams: Revise by solving the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
  6. Exam tips: Review these from time to time to improve your exam readiness even further.

In this chapter, you will learn about various network models and how they are used in real-world devices to enable systems to communicate with each other. You will also learn about the role and function of common networking devices, including how they are used to interconnect users and systems and forward traffic between a sender and receiver, and gain a better idea of their placement within a network.

This chapter covers Domain 1: Network Fundamentals, objectives 1.1 Explain the role and function of network components, 1.5 Compare TCP to UDP, and 1.13 Describe switching concepts, of the 200-301 CCNA v1.1 certification exam.

In this chapter, you will learn about the following exam topics:

  • Network models
  • OSI reference model
  • TCP/IP network model
  • The role and function of networking devices

You can now dive in!

Network Models

Two questions commonly asked by aspiring network professionals are: what is a network, and why is a network important? A network can be defined as two or more computing devices interconnected using a set of communication protocols (rules) that enables them to share a resource with each other. Resources can be anything from a file server, network-attached storage (NAS), a network-connected printer, or even a media server with offline copies of your favorite movies and TV shows.

In the world of computer networking, communication between systems is not possible without using a set of guidelines or rules to ensure data is efficiently delivered between a source (sender) and a destination (receiver) host over a network. For instance, imagine you are currently using your smartphone to access the www.cisco.com website to learn more about the CCNA certification, such as the exam objectives. To ensure you are connected to the internet, there are multiple network components that exist between your smartphone and the destination web server that is hosting Cisco’s website. In addition, before your smartphone sends a web request message to the destination website, a lot of different rules are used to ensure that your device has network connectivity and access to the internet, and even that you can download Cisco’s home page on the web browser on your mobile phone. These sets of rules are commonly referred to as network protocols.

The following are the roles and functions of network protocols:

  • Addressing: Addressing helps with identifying the sender and receiver of a message. Addressing in this context refers to logical addressing such as Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses. In addition, it also involves physical addressing, such as the media access control (MAC) address.
  • Reliability: Reliability helps ensure the guaranteed delivery of messages between a sender and receiver.
  • Flow control: Flow control mechanisms help control the rate at which data is transmitted and received.
  • Sequencing: Sequencing mechanisms ensure each message is uniquely assigned a label for easy identification and classification by systems.
  • Error detection: Error detection helps a receiving device to identify whether the incoming message is corrupted.
  • Application interface: Application interfaces ensure process-to-process mapping between a sender and receiver.

In the networking world, there are a lot of network protocols. Whether you find it intimidating or it piques your curiosity to learn about them all, as an aspiring network professional, you can start by learning about the ones that are essential to you and those that are important for the CCNA certification.

In the early days, prior to the internet, there was an early prototype known as the Advanced Research Projects Agency Network (ARPANET), developed by the US Department of Defense (DoD) to enable US-based educational institutions such as universities and government-funded research centers to establish a long-distance network. Early connections used traditional telephone lines; however, packet-switching was preferred as it provided more efficient and resilient communication over long distances.

To enable network communication over systems that were connected to ARPANET, the Network Control Protocol (NCP) defined the rules for communication, and they were used until January 1, 1983. Due to various issues, such as sustainability and scalability, the ARPANET project was decommissioned in 1990. NCP was used to enable systems to communicate over ARPANET; nowadays, there are many different network protocols, with unique roles and functions in modern networks.

Network models were created to ensure each network-connected device (such as computers, servers, network-attached printers, Internet of Things (IoT) devices, and smartphones) has all the essential protocols to ensure the communication and transmission of data from one system to another. The following are common network models:

  • Open Systems Interconnection (OSI)
  • Transmission Control Protocol/Internet Protocol (TCP/IP)

The upcoming section will cover the characteristics of both the OSI and TCP/IP network models and the roles and functions of their layers. It will also compare the differences between both of these network models.

OSI Reference Model

The International Organization for Standardization (ISO) started developing the seven-layer OSI model back in the late 1970s, and it became a working model in the 1980s. This OSI model was intended to be a fully operational network model with all the essential networking protocols packed into a unified stack, enabling network-connected devices to communicate and share resources.

Each layer of the OSI model has a unique role and function and enables network professionals to better understand what is happening during the exchange of data from one system to another and identify network-related issues while performing troubleshooting.

Table 1.1 shows the seven layers of the OSI model:

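| Layer | Name | Protocol Data Unit (PDU) |
|-------|------|--------------------------|
| 7 | Application | Data |
| 6 | Presentation | Data |
| 5 | Session | Data |
| 4 | Transport | Segment |
| 3 | Network | Packet |
| 2 | Data Link | Frame |
| 1 | Physical | Bits |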

Table 1.1: OSI model

As shown in Table 1.1, the Application layer is where data is created by an application (software) that is running on the host device, such as the web browser on a computer that creates a web request message. Once the web request message is created, it is sent down the network model to the lower layers. The lower layers are responsible for inserting additional information, such as the logical and physical addressing parameters for the delivery of the message to the destination. This principle is similar to writing a traditional letter and adding addressing details to ensure the postal service is able to locate and deliver the letter to the intended recipient.

Note

An easy method to remember the layers of the OSI model is using the mnemonic All People Seem To Need Data Processing, where the first letter of each word in the sentence corresponds with the first letter of each layer in the model, from top to bottom. While this mnemonic has been used for quite a long time, you can develop your own technique of remembering the order of the layers.

Whenever an application, whether it is a web browser or an email application, creates a message, it is commonly referred to as application data. This data is the raw message, like the body of a traditional letter, without any addressing information such as the destination address or the sender’s address. The Application layer passes this raw data down to the lower layers, where each layer has a unique role and responsibility in ensuring that the appropriate addressing details, such as the sender’s and destination addresses, are correctly appended to the data so that it is transported and delivered to the intended recipient using the most efficient route (path).

As you will have noticed, in Table 1.1, there is a column with the name Protocol Data Unit (PDU). A PDU is used at various layers of the OSI model to refer to the form of data as it passes through each layer. As the application data is created at the Application layer, the PDU is referred to as data. As data travels downward to the Transport layer, it is appended with a Layer 4 header, which controls specific details to ensure the delivery of the message between the sender and destination hosts. At this point, the PDU will be referred to as a segment. The process of appending headers onto the PDU at the Transport, Network, and Data Link layers is referred to as encapsulation.

Note

As the PDU moves down to the lower layers and is encapsulated with a Layer 3 header, it is referred to as a packet. A PDU with a Layer 2 header and trailer is referred to as a frame. Lastly, when the PDU is converted into an electrical, light, or radio frequency signal for the network media on the Physical layer, it is called bits.

To put it simply, whenever a host device such as a computer is sending data, the data is created at the Application layer. It travels down the OSI model stack until it arrives at the Data Link layer. Then, it is placed on the Physical layer, that is, the network media, which is wired (copper or fiber) or wireless (radio frequency).

When a host receives a message on a network, it is received on the Physical layer and travels upward to the Application layer. While moving up the OSI model, each layer, such as the Data Link, Network, and Transport layers, will remove the headers until the raw datagram is delivered to the Application layer at the top. This process is commonly referred to as de-encapsulation.
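
The encapsulation and de-encapsulation walk described above, as an added example that is not from the book: application data is wrapped into a segment, a packet, and a frame, then unwrapped again on the receiving side. The function names, MAC and IP addresses, and port numbers are constructed for illustration, and the TCP and IPv4 checksums are left at zero.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # value of the Ethernet type field for an IPv4 packet
IPPROTO_TCP = 6           # value of the IPv4 protocol field for a TCP segment


def encapsulate(data: bytes) -> bytes:
    """Sender side: data -> segment -> packet -> frame."""
    # Layer 4: 20-byte TCP header (ports, seq, ack, offset/flags, window,
    # checksum, urgent pointer) placed in front of the data.
    segment = struct.pack("!HHIIHHHH", 49152, 80, 1, 1,
                          (5 << 12) | 0x18, 64240, 0, 0) + data
    # Layer 3: 20-byte IPv4 header; total length covers header plus segment.
    packet = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, IPPROTO_TCP, 0,
                         bytes([192, 0, 2, 10]),       # constructed source IP
                         bytes([198, 51, 100, 20])     # constructed destination IP
                         ) + segment
    # Layer 2: 14-byte header in front and a 4-byte CRC-32 trailer behind.
    header = (bytes.fromhex("020000000002")            # constructed destination MAC
              + bytes.fromhex("020000000001")          # constructed source MAC
              + struct.pack("!H", ETHERTYPE_IPV4))
    trailer = struct.pack("<I", zlib.crc32(header + packet))
    return header + packet + trailer


def de_encapsulate(frame: bytes):
    """Receiver side: frame -> packet -> segment -> data.

    Returns (data, trace) where trace lists (layer, PDU name, size in bytes).
    """
    if len(frame) < 14 + 20 + 20 + 4:
        raise ValueError("frame too short to hold Layer 2, 3 and 4 headers")
    trace = [("Data Link", "frame", len(frame))]

    # Layer 2: verify the trailer, then strip header and trailer.
    body, trailer = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != trailer:
        raise ValueError("frame check sequence mismatch: frame is corrupted")
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry an IPv4 packet")
    packet = body[14:]
    trace.append(("Network", "packet", len(packet)))

    # Layer 3: header length is in the low 4 bits of byte 0, in 32-bit words.
    ip_header_len = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    if packet[9] != IPPROTO_TCP:
        raise ValueError("packet does not carry a TCP segment")
    segment = packet[ip_header_len:total_len]
    trace.append(("Transport", "segment", len(segment)))

    # Layer 4: header length is in the high 4 bits of byte 12, in 32-bit words.
    tcp_header_len = (segment[12] >> 4) * 4
    data = segment[tcp_header_len:]
    trace.append(("Application", "data", len(data)))
    return data, trace


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n\r\n")
    data, trace = de_encapsulate(frame)
    for layer, pdu, size in trace:
        print(f"{layer:<12} {pdu:<8} {size} bytes")
    print(data)
```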

Figure 1.2 shows a high-level visual representation of a computer sending application data to a server over a network. Here, the OSI network model is used as a reference:

Figure 1.2: Sending and receiving messages

Within the OSI model, the upper layers, such as the Application, Presentation, and Session layers, are used to provide support for application functions such as enabling a web browser on your computer to create and process web requests from a web server. The lower layers, such as the Transport, Network, and Data Link layers, are responsible for inserting the appropriate header with addressing and control information to ensure that the data is delivered to the intended destination over a network.

Application Layer

The Application layer is found closest to the end user within the OSI model. This layer provides an interface for enabling communication between applications that are running on the host operating system of your computer and the underlying network protocols that are responsible for delivering your message (data) to the intended destination.

For instance, you may be interested in learning about the 200-301 CCNA v1.1 exam objectives. Typically, you would open the web browser application and go to https://learningnetwork.cisco.com/s/ccna-v1-1-exam-topics, as shown in Figure 1.3:

Figure 1.3: Cisco learning network website

As shown in Figure 1.3, the web browser uses Hypertext Transfer Protocol Secure (HTTPS), an Application-layer protocol that enables the web browser to communicate with the web application that is running on Cisco’s web server. In this scenario, it is important to remember that the end user, such as yourself, will not directly interface with an Application-layer protocol such as HTTPS, but would rather use an application that is installed on your host device, such as the web browser.

Figure 1.4 shows an example of an HTTP header that is created by a sender device such as a Windows computer using Mozilla Firefox as the web browser application:

Figure 1.4: HTTP header

The following are some common Application-layer protocols:

  • Domain Name System (DNS): Used to resolve hostnames to IP addresses over a network.
  • Dynamic Host Configuration Protocol (DHCP): Used to distribute IP addresses to connected hosts on a network.
  • Hypertext Transfer Protocol (HTTP): Enables web browsers to retrieve web pages and interact with a web application over a network.
  • Simple Mail Transfer Protocol (SMTP): SMTP is used to send emails from an email application to an email server, and to send emails from one email server to another over a network.
  • Post Office Protocol (POP): POP is used to download a copy of emails from an email server onto an email application on the host, then deletes the emails from the email server.
  • Internet Message Access Protocol (IMAP): IMAP synchronizes the email messages between an email server and an email application.
  • File Transfer Protocol (FTP): This Application-layer protocol allows the transferring of files between an FTP client on a host and an FTP server.

As shown in Figure 1.5, these are just some of the many Application-layer protocols:

Figure 1.5: Application-layer protocols

Keep in mind that when data is created by an Application-layer protocol, it can only be interpreted by the same Application-layer protocol on another system. For instance, if you are using the web browser application on your smartphone to view websites, your smartphone uses HTTPS to communicate with the web server, which also uses HTTPS to interpret the data.

Figure 1.6 shows a visual representation of this analogy:

Figure 1.6: Process-to-process mapping

Since the Application-layer protocols generate the raw datagram without any addressing or formatting that is recognized by the lower layers of the OSI model, the data created in the Application layer is sent down to the Presentation layer.

Presentation Layer

For hosts that are sending data, such as a computer to a web server, the Application-layer protocols in the sender device are responsible for creating system-dependent data such as ASCII and other unique data types. The Presentation layer is responsible for transforming this system-dependent data into an independent format that is recognizable by the lower layers of the OSI model and systems on a network. On the destination device (the web server), the Presentation layer will be responsible for reversing the transformation of the independent format back to the system-dependent data before sending it upward to the appropriate Application-layer protocol, as shown in Figure 1.7:

Figure 1.7: Presentation layer

The following are the main functions of the Presentation layer:

  • Data formatting: Ensuring the data that is created by a sender device is encoded in a compatible format for receipt by the intended destination device over the network
  • Data compression and decompression: Responsible for compressing data before transmission and decompression upon receipt
  • Data encryption and decryption: Encrypts data before transmission to ensure confidentiality over network communication, and decrypts the encrypted message on the recipient device

During this time, the PDU will still be referred to as data, and once the Presentation layer completes its tasks, the PDU will be sent down to the next layer.

Session Layer

The Session layer helps the Application-layer protocols between the sender and receiver devices to set up and maintain their communication efficiently. The following are the main functions of the Session layer:

  • Create or establish a session
  • Maintain the session
  • Terminate the session

The Session layer is responsible for creating/establishing and maintaining the logical dialogs between the Application-layer protocols of both the sender and receiver devices over the network. In addition, the Session layer is responsible for exchanging the details that are needed to establish a dialog, maintain or keep those established dialogs active, and even restart the sessions if there is any unexpected disruption or idle timeout of the session.

After the Session layer establishes and maintains the session for data communication, the PDU is sent down to the Transport layer, where data encapsulation begins.

Transport Layer

The Transport layer is responsible for ensuring that data sent from an Application-layer protocol is delivered to the same Application-layer protocol on the destination host. Imagine if your computer was sending HTTPS messages to a destination server on the internet, and the destination server is hosting multiple server roles, such as web and email services. How will the OSI model and its layers then know which Application-layer protocol created the datagram on the sender device, and which Application-layer protocol should the datagram be delivered to on the recipient’s system?

Figure 1.8 shows a visual representation of this scenario:

Figure 1.8: Transport layer

As shown in Figure 1.8, there is a problem that needs to be solved. How can the Transport layer ensure that HTTPS messages from the sender are delivered to the same Application-layer protocol or services on the server side?

To better understand the solution to this issue, you will need to take a dive into understanding service port numbers on a system. On a sender device such as a computer or a smartphone, when the Transport layer receives data from the Application layer, it identifies the Application-layer protocol, such as HTTPS, and encapsulates a Layer 4 header onto the PDU.

Figure 1.9 shows a visual representation of encapsulating a Layer 4 header onto the datagram:

Figure 1.9: Layer 4 header encapsulation

Within the Layer 4 header, the Transport layer inserts the source and destination service port numbers. Within a network model such as the OSI and TCP/IP network models, there are 65,535 service port numbers, and each is associated with an Application-layer protocol or service.

These service ports are grouped into the following categories:

  • Well-known ports: 0–1,023
  • Registered ports: 1,024–49,151
  • Dynamic or private ports: 49,152–65,535

Since many Application-layer protocols operate in a client-server model, whereby a computer has a client application that requests services or resources from another device on a network, such as a server that provides the services and resources, the sender (client) device is usually assigned an ephemeral, random source port number and a destination port that is associated with the Application-layer protocol.

Figure 1.10 shows the role the source and destination port numbers play at the Transport layer:

Figure 1.10: Service port numbers

As shown in Figure 1.10, the Transport layer on the sender (computer) inserted the destination service port number 443, which is associated with HTTPS, and a randomly generated (ephemeral) source service port number. The destination port number helps the Transport layer on the recipient (server) to determine which Application-layer protocol the message should be sent to.

The source port number plays an important role when a recipient is responding to the sender. For instance, the sender device creates and sends an HTTP request message to the web server. This message contains the instructions to retrieve the web page from the web server. However, before the server responds to the computer (sender), it switches the source and destination port numbers on the Layer 4 header, using the original source port number as the new destination port.

Figure 1.11 shows a visual representation of the flipping of the service port numbers on the Layer 4 header by the server to ensure the message is delivered to the appropriate Application-layer protocol or process on the computer:

Figure 1.11: Reverse port numbers

As previously mentioned, there are 65,535 service port numbers. These service port numbers are categorized as shown in Figure 1.12:

Figure 1.12: Port number categories

The well-known service ports are commonly associated with the essential and most frequently used application and network services. Some of these are HTTP, HTTPS, SMTP, FTP, and IMAP. Registered port numbers are usually used by organizations that have officially registered their applications to operate on a specific number. The private/dynamic port numbers are used for temporary communication between systems on a network.

These service ports are not physical ports that are seen on networking devices; rather, they are logical ports opened by the operating system of a device for sending and receiving data on a network. Think of them as the logical doorways of your operating system. If a port is open, it means the operating system is either sending data to a destination or expecting incoming communication from a remote device.

Table 1.2 shows a list of common Application-layer protocols and their associated service port numbers:

| Application-Layer Protocol | Service Port Number |
|----------------------------|---------------------|
| File Transfer Protocol (FTP) | 20 (Data), 21 (Control) |
| Secure Shell (SSH) | 22 |
| Telnet | 23 |
| Simple Mail Transfer Protocol (SMTP) | 25 |
| Domain Name System (DNS) | 53 |
| Hypertext Transfer Protocol (HTTP) | 80 |
| HTTP Secure (HTTPS) | 443 |
| Post Office Protocol (POP) | 110 |
| Internet Message Access Protocol (IMAP) | 143 |

Table 1.2: Common Application-layer protocols

Note

For a list of protocols and their associated port numbers, please see https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.

So far, you have read about the importance of service port numbers and how they are leveraged by the Transport layer to ensure process-to-process mapping between Application-layer protocols. The Transport layer is also responsible for ensuring the delivery of the Application-layer datagrams to the intended recipients over a network.

The following are the Transport-layer protocols that assist with the delivery of a datagram:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

As mentioned earlier, Application-layer protocols and processes are not responsible for ensuring that datagrams are delivered to the intended destination. They are only concerned with the creation of data. Both TCP and UDP have their advantages, disadvantages, and use cases. In the next sub-section, you will learn more about TCP.

Transmission Control Protocol

TCP is a connection-oriented protocol that establishes a logical connection between a sender and receiver over a network, before allowing the transmission of data from the Application-layer protocols or processes.

If an Application-layer protocol uses TCP as the Transport-layer protocol, a TCP Layer 4 header is encapsulated onto the data. Table 1.3 shows the various fields of a TCP header:

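+-------------------------------+-------------------------------+
| Source Port                   | Destination Port              |
+-------------------------------+-------------------------------+
| Sequence Number                                               |
+---------------------------------------------------------------+
| Acknowledgment Number (if ACK is set)                         |
+-------------+----------+-------+------------------------------+
| Data Offset | Reserved | Flags | Window Size                  |
+-------------------------------+-------------------------------+
| Checksum                      | Urgent Pointer (if URG is set)|
+-------------------------------+-------------------------------+
| Options                                                       |
+---------------------------------------------------------------+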

Table 1.3: TCP header

The following is a description of each field shown in Table 1.3:

  • Source Port: This is a 16-bit field that identifies the source service port number.
  • Destination Port: This is a 16-bit field that identifies the destination service port number.
  • Sequence Number: This is a 32-bit field that is used during the reassembly process on the recipient’s device.
  • Acknowledgment Number: This is a 32-bit field used to indicate the message has been received by the recipient and contains the acknowledgment number (sender’s sequence number + 1).
  • Data Offset: This is a 4-bit field, sometimes referred to as the header length. It is commonly used to specify the length of the TCP header.
  • Reserved: This is a 6-bit field that’s reserved for future use.
  • Flags: This field contains eight sub-fields, each being 1 bit in size and used to specify various TCP flags, such as the following:
    • CWR: Congestion flag, used by the sender to indicate it has received a message with a TCP Explicit Congestion Notification (ECN) flag set and responded to the congestion control
    • ECE: ECN echo flag, used to indicate whether a device is ECN capable or the congestion experienced flag is set to identify network congestion
    • URG: Urgent flag, indicates the significance of the Urgent Pointer field
    • ACK: Acknowledgment flag, indicates the significance of the Acknowledgment Number field
    • PSH: Push flag, indicates the push function is significant
    • RST: Reset flag, indicates to reset the logical network connection
    • SYN: Synchronization flag, used to synchronize the sequence numbers
    • FIN: Finish flag, indicates the last message from the sender device
  • Window Size: This is a 16-bit field that specifies the number of bits or bytes that can be received.
  • Checksum: This is a 16-bit field that’s used for error checking.
  • Urgent Pointer: Used if the TCP URG flag is set. This 16-bit field is used to indicate the last urgent data byte.
  • Options: This is an optional field and ranges between 0 and 320 bits.
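
One way to read these fields out of raw bytes, as an added example that is not from the book: a parser for the fixed TCP header plus options, run against a constructed SYN segment. The names `parse_tcp_segment`, `port_category`, and `build_sample_syn` are hypothetical, and the sample's checksum is left at zero rather than computed.

```python
import struct
from dataclasses import dataclass

# Flag names from the least significant bit (FIN) to the most significant (CWR).
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int   # in bytes; the 4-bit Data Offset counts 32-bit words
    flags: tuple
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    payload: bytes


def parse_tcp_segment(segment: bytes) -> TcpHeader:
    """Split a raw TCP segment into its header fields and payload."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed TCP header")
    # Two 16-bit ports, two 32-bit numbers, then four 16-bit words.
    src, dst, seq, ack, off_flags, window, checksum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    # Data Offset is the top 4 bits of the fifth word; the flags are its low 8 bits.
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"Data Offset gives an impossible header length: {header_len}")
    flags = tuple(name for bit, name in enumerate(FLAG_NAMES)
                  if off_flags & (1 << bit))
    return TcpHeader(src, dst, seq, ack, header_len, flags, window, checksum, urg,
                     options=segment[20:header_len],
                     payload=segment[header_len:])


def port_category(port: int) -> str:
    """Map a port number to the categories listed earlier in this section."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit values")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def build_sample_syn() -> bytes:
    """Constructed SYN from port 49152 to port 443 with one 4-byte option."""
    fixed = struct.pack("!HHIIHHHH", 49152, 443, 1000, 0,
                        (6 << 12) | 0x02,   # Data Offset 6 words, SYN flag set
                        64240, 0, 0)        # window, checksum (not computed), urgent
    return fixed + bytes([2, 4, 0x05, 0xB4])  # option kind 2, length 4: MSS 1460


if __name__ == "__main__":
    hdr = parse_tcp_segment(build_sample_syn())
    print(hdr)
    print(hdr.src_port, port_category(hdr.src_port))
    print(hdr.dst_port, port_category(hdr.dst_port))
```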

Figure 1.13 shows a TCP header using Wireshark, a network protocol analyzer application used by network and cybersecurity professionals:

Figure 1.13: TCP header in Wireshark

Before data is sent, the sender device, such as a computer, initiates the TCP three-way handshake between itself and the intended destination, as shown in Figure 1.14:

Figure 1.14: TCP three-way handshake

The following is a technical breakdown of this process:

  1. The computer wants to communicate with the destination server using HTTPS as the Application-layer protocol. Since HTTPS is designed to use TCP as the preferred Transport-layer protocol, the Transport layer of the computer sends a TCP Synchronization (SYN) message to the server with the following details in the Layer 4 header:
    • Source port number: This is a dynamic service port number used by the computer.
    • Destination port: The destination service port number for the Application-layer protocol or process on the server.
    • Randomly generated sequence number: The sequence number is used to initialize the starting sequence number for data that belongs to the same data stream.
    • Window size: The window size helps both the sender and recipient to mutually agree upon the amount of data to transmit.

    Figure 1.15 shows the TCP SYN message, including a sequence number:

Figure 1.15: TCP SYN

  2. Next, the server receives the TCP SYN message and responds with a TCP Synchronization/Acknowledgment (SYN/ACK). In this response, an acknowledgment sequence number is set. This is the sender’s sequence number + 1. In addition, the response message contains a randomly generated sequence number that informs the sender it also wants to establish a logical connection for communication, as shown in Figure 1.16:
Figure 1.16: TCP SYN/ACK

  3. Lastly, when the computer receives the TCP SYN/ACK message from the server to complete the TCP three-way handshake, it responds with a TCP ACK message, which contains an incremented value based on the server’s SYN sequence number, as shown in Figure 1.17:
Figure 1.17: TCP ACK

After the TCP three-way handshake is established between the sender and the destination host, data transmission occurs between the Application-layer protocols of the computer and server.
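
The following Python example is added here and is not from the book: it decodes the flags and numbers of three TCP headers and checks the sequence and acknowledgment arithmetic of the three-way handshake described above, including the wrap-around of the 32-bit sequence number. The port numbers, sequence numbers, and function names are constructed for the illustration.

```python
import struct

# Flag bits in the TCP header (low 8 bits of the data-offset/flags word).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
SEQ_MOD = 2 ** 32  # sequence and acknowledgment numbers are 32-bit and wrap around


def build_tcp_header(sport, dport, seq, ack, flags, window=64240):
    """Build a 20-byte TCP header without options (checksum left at 0 for the demo)."""
    offset_flags = (5 << 12) | sum(FLAGS[name] for name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict of named fields."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes long")
    sport, dport, seq, ack, offset_flags, window, checksum, urgent = \
        struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (offset_flags >> 12) * 4  # data offset counts 32-bit words
    if header_len < 20:
        raise ValueError("data offset below the 20-byte minimum")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "window": window,
            "checksum": checksum, "urgent": urgent,
            "flags": {n for n, bit in FLAGS.items() if offset_flags & bit}}


def check_handshake(syn, syn_ack, ack):
    """Return the problems found in a SYN, SYN/ACK, ACK exchange (empty list = valid)."""
    problems = []
    if syn["flags"] != {"SYN"}:
        problems.append("segment 1 is not a plain SYN")
    if syn_ack["flags"] != {"SYN", "ACK"}:
        problems.append("segment 2 is not a SYN/ACK")
    if (syn_ack["sport"], syn_ack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("segment 2 does not reverse the ports of segment 1")
    if syn_ack["ack"] != (syn["seq"] + 1) % SEQ_MOD:
        problems.append("SYN/ACK does not acknowledge client sequence number + 1")
    if "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        problems.append("segment 3 is not an ACK without SYN")
    if ack["seq"] != (syn["seq"] + 1) % SEQ_MOD:
        problems.append("segment 3 sequence number is not client sequence number + 1")
    if ack["ack"] != (syn_ack["seq"] + 1) % SEQ_MOD:
        problems.append("final ACK does not acknowledge server sequence number + 1")
    return problems


# Constructed sample: client port 49152 to HTTPS (443). The client's initial
# sequence number is the largest 32-bit value, so "+ 1" wraps around to 0.
CLIENT_ISN, SERVER_ISN = 0xFFFFFFFF, 3000000000
SAMPLE_HANDSHAKE = [
    build_tcp_header(49152, 443, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(443, 49152, SERVER_ISN,
                     (CLIENT_ISN + 1) % SEQ_MOD, ["SYN", "ACK"]),
    build_tcp_header(49152, 443, (CLIENT_ISN + 1) % SEQ_MOD,
                     (SERVER_ISN + 1) % SEQ_MOD, ["ACK"]),
]

if __name__ == "__main__":
    segments = [parse_tcp_header(raw) for raw in SAMPLE_HANDSHAKE]
    for number, seg in enumerate(segments, 1):
        print(number, sorted(seg["flags"]), "seq", seg["seq"], "ack", seg["ack"])
    print("problems:", check_handshake(*segments))
```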

Figure 1.18 shows the TCP three-way handshake of a packet capture within Wireshark:

Figure 1.18: Packet capture

As shown in Figure 1.18, packets 1, 2, and 3 show the TCP three-way handshake. Once the handshake has been established, the Application-layer protocol HTTP sends data to the destination web server over the network. TCP is a Transport-layer protocol that provides a guarantee of the delivery of data between the sender and destination. When the destination host receives a message, it will respond with a TCP ACK packet to inform the sender it has received the message. If the sender does not receive the TCP ACK response, it will attempt to re-transmit the message until the Application-layer protocol or process experiences a timeout.

What if the Application-layer protocol on either the computer or server no longer wants to exchange data? What happens then? If the Application-layer protocol is using TCP as the preferred Transport-layer protocol, TCP will perform a TCP FIN/ACK handshake to gracefully terminate the session, as shown in Figure 1.19:

Figure 1.19: TCP FIN/ACK handshake

As shown in Figure 1.19, the computer initiates the graceful termination by sending a TCP finish (FIN) message to the server. Then, the server responds with TCP ACK and TCP FIN messages back to the computer. Lastly, the computer sends a TCP ACK to the server to confirm the termination from the server.

Figure 1.20 shows the TCP FIN/ACK messages being exchanged between a sender and receiver host to gracefully terminate their sessions:

Figure 1.20: TCP graceful termination

The following are the advantages of using TCP as the preferred Transport-layer protocol:

  • It is a connection-oriented protocol that establishes a TCP three-way handshake before exchanging data.
  • It provides a guarantee of delivery of data between Application-layer protocols and processes that use TCP.
  • TCP delivers the data using the same order in which it was placed on the physical network and reassembled on the receiver’s device.
  • It uses the window size to manage flow control between a sender and receiver device over a network.

The following are the disadvantages of using TCP over a network:

  • The receiver device responds with a TCP ACK message to acknowledge receipt of the data. This introduces additional overhead on the network.
  • If a host is sending multiple messages to another device, all the messages from the sender are not placed on the network for transmission. TCP will send some of the messages and wait for an acknowledgment from the recipient before proceeding to send another batch. This process is repeated, and therefore, TCP is not suitable for time-sensitive communication.

Up next, you will learn about the fundamentals of UDP.

User Datagram Protocol

Not all Application-layer protocols use TCP. Some use UDP. UDP is a connectionless Transport-layer protocol that does not guarantee the delivery of messages from a sender to a receiver over a network but is preferred for transporting time-sensitive data between hosts over a network. Unlike TCP, UDP uses best-effort techniques when sending messages and does not provide any reassurance to the sender.

Therefore, no acknowledgment is returned to the sender on whether a message is received by the intended destination host or not. If a message were to be lost or dropped along the way, the sender would not be aware of it, and as a result, they would not retransmit any lost or dropped messages to the intended destination host.

If an Application-layer protocol uses UDP as the preferred Transport-layer protocol, a UDP Layer 4 header is encapsulated onto the data. Table 1.4 shows the various fields of a UDP header:

| Source Port | Destination Port |
| Length | Checksum |

Table 1.4: UDP header fields

The following is a description of each field shown in Table 1.4:

  • Source Port: This is a 16-bit field that indicates the source service port number.
  • Destination Port: This is a 16-bit field that indicates the destination port number.
  • Length: This is a 16-bit field that indicates the length of the header.
  • Checksum: This is a 16-bit field used for error detection.

Figure 1.21 shows the UDP header using Wireshark:

Figure 1.21: UDP header in Wireshark

While many Application-layer protocols and processes use TCP, the following are the advantages of using UDP as the preferred Transport-layer protocol:

  • UDP does not need to wait for an acknowledgment from the recipient before sending more data on the network to the destination host. As the data is ready, UDP sends it. This is a benefit of using UDP for time-sensitive and real-time data such as Voice over IP (VoIP) and Video over IP technologies.
  • Since the recipient does not send any acknowledgment messages when using UDP, there is less overhead on the network.

The following are the disadvantages of using UDP on a network:

  • It does not provide a guarantee of the delivery of data between a sender and receiver.
  • If data is lost during transmission, the sender does not retransmit lost messages.
  • UDP does not assist in reassembling incoming messages if they are received in an out-of-order sequence.

Once either a TCP or UDP Layer 4 header is encapsulated onto the datagram from the upper layers, it is referred to as a segment. The segment is sent down to the Network layer of the OSI model for logical addressing.

Network Layer

The Network layer of the OSI model is responsible for assigning the logical addresses, which are the IP addresses, and inserting the source and destination IP addresses in the packet header. At the Network layer, either an IPv4 or an IPv6 header is encapsulated onto the datagram. This Layer 3 header, whether it is IPv4 or IPv6, enables the message (data) to travel across different networks until it reaches the intended destination host. To put it simply, when the segment is received from the upper Transport layer, the source and destination IP addresses are appended to the message to ensure devices such as routers and firewalls are able to route the messages to a remote device or the internet if needed.

Figure 1.22 shows a visual representation of encapsulating the Layer 3 header:

Figure 1.22: Layer 3 header encapsulation

On a network, each device is assigned or configured with an IPv4 or IPv6 address, which enables it to communicate outside its local network. For instance, if a destination host is located on the internet, the source and destination IP addresses play an important role as the destination address helps the router determine how to forward the message, while the source IP address helps the recipient to identify and reply to the sender.

Figure 1.23 shows the computer (sender) inserting the source and destination IPv4 addresses to ensure the server (recipient) receives the message, and the server verifying that the destination IPv4 address matches its own IPv4 address. Once the Network layer of the server verifies the destination IPv4 address, it de-encapsulates the Layer 3 header of the packet before sending it upward to the Transport layer:

Figure 1.23: Importance of the IP header

Note

When an IPv4 or IPv6 header is encapsulated at the Network layer, the PDU is referred to as a packet. Additionally, IP is a connectionless Network-layer protocol that uses best effort to deliver packets to their destination. Therefore, it relies on the Transport-layer protocols for delivery.

Table 1.5 shows the various fields within an IPv4 header:

| Version | Internet Header Length | Differentiated Services (DS): DSCP, ECN | Total Length |
| Identification | Flag | Fragment Offset |
| Time to Live (TTL) | Protocol | Header Checksum |
| Source IP Address |
| Destination IP Address |
| Options |

Table 1.5: IPv4 header

The following are the roles and functions of each field within an IPv4 header:

  • Version: A 4-bit field used to identify it as an IPv4 packet.
  • Internet Header Length: A 4-bit field that indicates the end of the header and the beginning of the data section.
  • Differentiated Services (DS): An 8-bit field used to identify the priority of the packet on the network. This was originally known as the Type of Service (TOS) field and contains the following sub-fields:
    • DSCP: This field, which stands for Differentiated Services Code Point, identifies the classification and management of the packet on networks that use Quality of Service (QoS).
    • ECN: This field indicates network congestion without discarding packets.
  • Total Length: A 16-bit field that’s used to indicate the total size of the packet.
  • Identification: A 16-bit field that is used for identifying a group of fragments that belong to a single IP datagram.
  • Flag: A 3-bit field used to control or identify whether the packet is part of a fragment group.
  • Fragment Offset: A 13-bit field used to identify the sequencing position of a fragmented packet.
  • Time to Live (TTL): An 8-bit field that contains a TTL value that determines the lifespan of the packet on a network and prevents routing loops. The TTL value decreases by 1 when it arrives at a router along the path from the sender to the receiver. When TTL = 0, the packet is discarded.
  • Protocol: An 8-bit field used to identify the payload type that’s within the packet.
  • Header Checksum: A 16-bit field used for error checking of the packet.
  • Source IP Address: A 32-bit field indicating the sender’s IPv4 address.
  • Destination IP Address: A 32-bit field indicating the intended recipient’s IPv4 address.
  • Options: This 32-bit field is not always used by the Network layer.
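
To see these fields outside of Wireshark, the following Python example (added here, not from the book) decodes a 20-byte IPv4 header, verifies the Header Checksum, and models what a router does to the TTL at each hop. The addresses, Identification value, and function names are constructed for the illustration.

```python
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # common Protocol field values


def internet_checksum(data):
    """16-bit ones' complement sum used by the IPv4 Header Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, ttl, protocol, payload_len, dscp=0, ecn=0):
    """Build a 20-byte IPv4 header (no options, Don't Fragment set) with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,        # Version 4, Internet Header Length 5 words
                         (dscp << 2) | ecn,   # DS field: DSCP (6 bits) + ECN (2 bits)
                         20 + payload_len,    # Total Length
                         0x1C46,              # Identification (constructed value)
                         0x4000,              # Flag: Don't Fragment, Fragment Offset 0
                         ttl, protocol, 0,    # checksum placeholder
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]


def parse_ipv4_header(raw):
    """Decode an IPv4 header into named fields and verify its checksum."""
    if len(raw) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes long")
    (ver_ihl, ds, total_len, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (Version = %d)" % version)
    if header_len < 20 or header_len > len(raw):
        raise ValueError("invalid Internet Header Length")
    return {
        "version": version, "header_len": header_len,
        "dscp": ds >> 2, "ecn": ds & 0x03, "total_len": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTOCOLS.get(protocol, str(protocol)),
        "checksum": checksum,
        # A valid header sums to zero when the stored checksum is included.
        "checksum_ok": internet_checksum(raw[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def forward_one_hop(raw):
    """Model one router hop: decrement TTL, discard at 0, recompute the checksum."""
    header_len = (raw[0] & 0x0F) * 4
    ttl = raw[8]
    if ttl <= 1:
        return None  # TTL would reach 0, so the packet is discarded
    header = bytearray(raw[:header_len])
    header[8] = ttl - 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + raw[header_len:]


# Constructed sample: a TCP packet (Protocol 6) with a 20-byte payload.
SAMPLE_HEADER = build_ipv4_header("192.168.1.10", "172.16.1.10",
                                  ttl=64, protocol=6, payload_len=20)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(parse_ipv4_header(forward_one_hop(SAMPLE_HEADER)))
```

Because the TTL is covered by the Header Checksum, a header whose TTL was changed without recomputing the checksum fails verification.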

A network protocol analyzer such as Wireshark enables you to inspect the fields and values of an IPv4 packet, as shown in Figure 1.24:

Figure 1.24: IPv4 header using Wireshark

Some networks use IPv6, and the Network layer is responsible for encapsulating the right version of the IP header onto the datagram to ensure it is delivered to the intended destination host. Unlike IPv4, IPv6 has far fewer fields within its header, as shown in Table 1.6:

| Version | Traffic Class | Flow Control |
| Payload Length | Next Header | Hop Limit |
| Source IP Address |
| Destination IP Address |

Table 1.6: IPv6 header

The following are the roles and functions of each field within an IPv6 header:

  • Version: A 4-bit field that identifies it’s an IPv6 packet
  • Traffic Class: An 8-bit field that has the same function as the DS field of an IPv4 packet, used to identify the priority of the packet on the network
  • Flow Control: A 2-bit field, also referred to as the Flow Label, used to inform the routers on the network to apply the same handling for IPv6 packets that have the same flow control label
  • Payload Length: A 16-bit field used to identify the length of the payload (data)
  • Next Header: An 8-bit field used to indicate the payload type
  • Hop Limit: An 8-bit field used to specify the TTL value
  • Source IP Address: A 128-bit field indicating the sender’s IPv6 address
  • Destination IP Address: A 128-bit field indicating the destination host’s IPv6 address

Figure 1.25 shows an IPv6 header and its fields using Wireshark:

Figure 1.25: IPv6 header using Wireshark

Once the Network layer encapsulates the Layer 3 header on the data, it is sent down to the Data Link layer.

Data Link Layer

The Data Link layer is responsible for placing the datagram it receives from the upper layers onto the physical network. This layer of the OSI model takes care of managing how much data is placed on the wired or wireless network media for transmission and performing error detection for incoming messages from the physical network.

When the datagram is received from the upper Network layer, the Data Link layer encapsulates a Layer 2 header and trailer onto the datagram, as shown in Figure 1.26:

Figure 1.26: Layer 2 header and trailer

Figure 1.27 shows the various fields found within a Layer 2 header:

Figure 1.27: Layer 2 header fields

Now, take a look at the description of each field within the Layer 2 header:

  • Preamble and Start Frame Delimiter (SFD): The preamble is a 56-bit (7-byte) field used to indicate the start of the frame to the receiver and the SFD is an 8-bit (1-byte) field that’s used for synchronizing messages during transmission from a sender to a receiver.
  • Destination MAC Address: A 48-bit (6-byte) field that contains the Ethernet (MAC) address of the destination device on the local network.
  • Source MAC Address: A 48-bit (6-byte) field that contains the Ethernet (MAC) address of the sender on the local network.
  • Type/Length: This is a 16-bit (2-byte) field used for identifying the upper-layer protocol such as IPv4 or IPv6.
  • Data: This is a 46–1,500-byte field that contains the data from the Application-layer protocol.
  • Frame Check Sequence (FCS): This is a 32-bit (4-byte) field that’s used for error detection and integrity checking.

Within the Data Link layer, there are two sub-layers that are responsible for assigning Layer 2 addressing information and managing flow control. These are Logical Link Control (LLC) and MAC, as shown in Figure 1.28:

Figure 1.28: Layer 2 sub-layers

When the packet is received from the Network layer, LLC encapsulates it with a Layer 2 header that contains the Ethernet source and destination MAC addresses. In addition, LLC also appends a Layer 2 trailer to the end of the packet that contains the Frame Check Sequence (FCS). Once the packet is encapsulated with the Layer 2 header and trailer, it is referred to as a frame.

In addition, a mathematical representation of the contents of the frame, known as the Cyclic Redundancy Check (CRC), is stored within the FCS field of the Layer 2 trailer. The CRC enables the receiver device to perform integrity checks to determine whether the frame was altered or corrupted during transmission.

The MAC sub-layer of the Data Link layer is responsible for inserting the Ethernet addresses, known as the MAC addresses, into the Layer 2 header of the frame before placing the datagram onto the physical network.

Note

The Ethernet address is commonly referred to as the MAC address, burned-in address (BIA), and physical address. The Ethernet address of a host is commonly found on the network interface card (NIC) or network adapter.

A MAC address is uniquely assigned to each NIC on a device and it is unique globally. It is a 48-bit (6-byte) address that is embedded into the firmware of the NIC by the vendor who made the NIC or the device, such as a computer. This 48-bit MAC address is written in the form of hexadecimal, which ranges from 0 to 9, A to F. The first 24 bits of the MAC address are known as the organizational unique identifier (OUI), which helps network and cybersecurity professionals determine the vendor of a device once the MAC address is known. The other 24 bits are uniquely generated by the vendor of the network adapter.

Table 1.7 shows the various representations of a MAC address:

| Organizational Unique Identifier (OUI) | Assigned by the Vendor |
|---|---|
| 3 bytes | 3 bytes |
| 24 bits | 24 bits |
| 00-E0-F7 | 58-1E-83 |
| Cisco Systems | Device specific |

Table 1.7: OUI portion of a MAC address

The following are common representations of MAC addresses from various vendors:

  • 0060.5c3d.d901: Format used on Cisco devices
  • 00-60-5c-3d-d9-01: Format used on Microsoft Windows operating systems
  • 00:60:5c:3d:d9:01: Format used on Linux-based operating systems
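
Because the same NIC shows up in a different notation on each platform, the following Python example (added here, not from the book) normalizes the three formats to the same 6 bytes, splits the OUI from the vendor-assigned half, and groups sightings of one address across sources. The source labels, sample records, and function names are constructed for the illustration.

```python
import re

# The three notations listed above, each matched against the whole string.
MAC_PATTERNS = {
    "cisco": re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),
    "windows": re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),
    "linux": re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),
}


def parse_mac(text):
    """Return the 6 raw bytes of a MAC address written in any of the three notations."""
    candidate = text.strip().lower()
    if not any(p.fullmatch(candidate) for p in MAC_PATTERNS.values()):
        raise ValueError("not a recognised MAC address: %r" % text)
    return bytes.fromhex(re.sub(r"[.:-]", "", candidate))


def format_mac(raw, style="linux"):
    """Write 6 raw bytes in the 'cisco', 'windows' or 'linux' notation."""
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits (6 bytes)")
    digits = raw.hex()
    if style == "cisco":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    separator = {"windows": "-", "linux": ":"}[style]
    return separator.join(digits[i:i + 2] for i in range(0, 12, 2))


def split_oui(raw):
    """Split into (OUI, vendor-assigned part), written as in Table 1.7."""
    return tuple("-".join("%02X" % b for b in part) for part in (raw[:3], raw[3:]))


def correlate(records):
    """Group (source, mac_text) records by NIC; return (groups, rejected)."""
    groups, rejected = {}, []
    for source, mac_text in records:
        try:
            key = format_mac(parse_mac(mac_text))
        except ValueError:
            rejected.append((source, mac_text))  # keep malformed input visible
            continue
        groups.setdefault(key, []).append(source)
    return groups, rejected


# Constructed sample records: the same NIC as reported by three platforms,
# one other NIC, and one truncated value that must be rejected.
SAMPLE_RECORDS = [
    ("cisco-switch", "00e0.f758.1e83"),
    ("windows-host", "00-E0-F7-58-1E-83"),
    ("linux-host", "00:e0:f7:58:1e:83"),
    ("linux-host", "00:60:5c:3d:d9:01"),
    ("csv-export", "00:60:5c:3d:d9"),
]

if __name__ == "__main__":
    groups, rejected = correlate(SAMPLE_RECORDS)
    for mac, sources in groups.items():
        print(mac, split_oui(parse_mac(mac)), sources)
    print("rejected:", rejected)
```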

To easily identify the vendor of a MAC address, you can perform a lookup using any of the following online MAC address databases:

Figure 1.29 shows an example of performing a MAC address lookup using the OUI lookup tool on the Wireshark website:

Figure 1.29: OUI lookup

Figure 1.30 shows the Ethernet header (Layer 2 header) of a frame using Wireshark:

Figure 1.30: Ethernet header

Once the Data Link layer completes its task, it sends the frame to the Physical layer of the OSI model.

Physical Layer

Before the frame is sent to the Physical layer, the Data Link layer hands over the frame to the network adapter or NIC of the sender’s device such as a computer. The sender’s network adapter is responsible for ensuring the frame is placed on the network media, whether the media is a copper cable, fiber optic cable, or radio frequency. Therefore, the entire frame is converted into bits that are represented as electrical signals on a wire or the radio frequency that is being transmitted on a wireless network. These bits are also represented as ones and zeroes when written in binary format.

Figure 1.31 shows the responsibility of the Physical layer:

Figure 1.31: Physical layer

To put it simply, the entire frame is not placed on the physical media. It is broken down into ones and zeroes. However, these ones and zeroes are sent as high and low voltages over a copper cable from the sender device, such as a computer, to a network device. On the sender’s device, the network adapter is responsible for encoding the frame into bits, creating a data stream that is recognizable by both the sender and receiver devices. Additionally, the network adapter is responsible for ensuring that the bits are converted into the appropriate signal to be transported over the network media.

For instance, if the network media is using a copper cable, then the signal is converted into electrical signals by the network adapter. If the network media is a fiber optic cable, then the network adapter converts the bits into light signals. Lastly, if the network media is using wireless communication, then the network adapter converts the signal into radio frequency for transmission.

The OSI network model did not gain enough traction to be widely adopted and eventually became a reference model. Hence, many network professionals commonly refer to the OSI network model as the OSI reference model.

TCP/IP Network Model

The TCP/IP network model was developed back in the 1970s and was adopted as the standard network model when the internet was officially launched on January 1, 1983.

Unlike the OSI model, which is a seven-layer model, TCP/IP has four layers, as shown in Figure 1.32:

Figure 1.32: TCP/IP network model

When you compare TCP/IP with the OSI reference model, you will see that the Application layer of TCP/IP combines the role and function of the Application, Presentation, and Session layers of the OSI model. However, the role and function of the Transport layer in both TCP/IP and the OSI models remain the same. The Internet layer of TCP/IP is responsible for the Internet Protocol (IP) and routing, whereas the Network layer of the OSI model encompasses a broader range of Layer 3 protocols. Lastly, the Network Access layer of TCP/IP combines the roles and functions of the Data Link and Physical layers of the OSI model.

Figure 1.33 shows how the layers of the OSI reference model align with the layers of TCP/IP:

Figure 1.33: TCP/IP network model

Lastly, keep in mind that TCP/IP is implemented on all network-connected devices, such as your computers, servers, laptops, IoT devices, smartphones, and networking devices. Next, you will learn about the role and function of common networking devices.

The Role and Function of Networking Devices

Networking devices are the essential components that help connect your systems, such as computers, laptops, servers, and even IoT devices, to the network and share resources. In this section, you will explore the role and function of various networking devices.

Network Hubs

In today’s world, you will not find too many legacy networking devices such as network hubs. In the early days of networks, hubs were used to interconnect computers and servers to create a network for sharing resources. However, hubs are now obsolete and are no longer recommended to be used in any modern network.

You can now take a look at the operation of hubs to better understand the issues that made them obsolete. Whenever a connected host, such as a computer, sends an electrical signal over the wire to an interface on a hub, the hub will re-broadcast that same signal out of all other interfaces, except the interface that is connected to the sender.

To get a better understanding of how a hub forwards traffic on a network, take a look at Figure 1.34:

Figure 1.34: Operations of a network hub

As shown in the preceding diagram, there are four computers that are connected to a unique interface on the hub. In our scenario, PC1 wants to send a message to PC4 only. When PC1 sends the message, in the form of an electrical signal on the network media, to the hub, it will accept the incoming electrical signal and repeat/re-broadcast the same signal out of all other interfaces such as those connected to PC2, PC3, and PC4. This means the message from PC1 is also sent to unintended destination devices, such as PC2 and PC3, on the network, which then creates both a networking and security concern.

First, try to understand the network performance issues you may encounter if there are too many hubs within a larger network. Any signal a hub receives is simply re-broadcasted out of its other interfaces. For instance, if a network professional were to implement multiple hubs that are interconnected to extend the local, internal network of an organization, each time one of the hubs receives an incoming electrical signal, it then sends the same signal out on all other interfaces, and this process is repeated on other connected hubs.

Figure 1.35 shows the replication of the broadcast traffic through a small network:

Figure 1.35: Broadcast messages propagating the network

As shown in Figure 1.35, the electrical signal from hub 1 will propagate to all the other interconnected hubs in the same manner, thus causing unnecessary broadcast (noise) traffic, which, in turn, will create network congestion and consume the available network bandwidth. Think of it as a roadway being filled with too many vehicles, resulting in heavy traffic.

What if two or more devices, such as computers, decide to transmit messages at the same time over a hub-based network? The result is the same as two vehicles colliding; in a network, this is known as packet collision. This results in packets being corrupted and requiring the sender to re-transmit the message over the network.

To ensure no collisions occur over a hub-based network, only one computer can send its message at a time on the network. This creates a challenge because all other computers on the same network will be contending to use the network medium, thus creating a contention-based network.

To overcome such challenges, Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) is implemented within computers and servers. CSMA/CD ensures that a computer checks the network media, such as the network cable, to identify whether an electrical signal is present or not. If it detects an electrical signal, it means another device is using the network and that it should wait until the network is signal-free. The computer will check again; if no electrical signal is detected on the network media (cable/wire), the computer will proceed to send its signal to the hub.

Network switches were developed to overcome these problems. Layer 2 switches are considered to be smarter devices than hubs. You can now take a look at the reasons for this.

Layer 2 Switches

Layer 2 switches are considered to be smarter devices than hubs. Switches are intermediary networking devices that operate at Layer 2 of the OSI reference model and are commonly used by network professionals for interconnecting end devices such as computers, printers, and servers and extending the network infrastructure within a building.

Unlike network hubs that re-broadcast an incoming signal out of all other interfaces, network switches create a logical network connection between the sender and destination devices to ensure that the messages are exchanged between the sender and recipient.

Figure 1.36 shows a small network where PC 1 is transmitting a message to PC 3 and the switch forwards the message only to PC 3:

Figure 1.36: Functions of a switch

Since most network switches operate at Layer 2 of the OSI reference model, switches learn and store the source MAC addresses found in the Layer 2 header of a frame. These source MAC addresses are stored in the Content Addressable Memory (CAM) table on Cisco switches. However, the CAM table is commonly referred to as the MAC address table in general discussions.

Whenever a frame enters a switch’s interface, the source MAC address of the frame is stored in the CAM table and is associated with that interface. To further understand how a switch populates the CAM table, take a look at Figure 1.37, with three computers that are connected to the same switch on different interfaces:

Figure 1.37: Devices interconnected using a switch

When a switch is powered on, the CAM table does not contain any entries because the contents of the CAM table are stored in random access memory (RAM). As you know, the content of RAM is temporary and it is cleared whenever a device loses power or reboots.

Assume PC 1 wants to send a message over to PC 3. For many beginners in the field of networks, it’s easy to think the IP addresses of both the sender and receiver are important to the switch, but they are not. While PC 1 will insert the Layer 3 header with the source and destination IP addresses, the Layer 2 header will contain the source and destination MAC addresses and these Layer 2 addresses will be read by the switch. Since Layer 2 switches operate at the Data Link layer of the OSI reference model, these switches will not be able to read the information from the Layer 3 header. Therefore, Layer 2 switches make their forwarding decisions based on the contents of the destination MAC address found in a frame and the contents of their MAC address table.

Switching Concepts: Understanding the MAC Address Table and ARP

In this scenario, if PC 1 already knows the IP address of PC 3 but not its MAC address, what happens? In this situation, PC 1 will send an Address Resolution Protocol (ARP) request message on the network, requesting any other device on the network with the IP address 192.168.1.30 to respond and provide its MAC address.

Note

ARP is a Layer 2 network protocol used to resolve IP addresses to MAC addresses on a local network. An ARP request message sets the destination MAC address as FF:FF:FF:FF:FF:FF, which informs the switch to broadcast this message to all other devices, except the sender.

Figure 1.38 shows the ARP request being sent through a network:

Figure 1.38: ARP request message

Each device on the LAN will receive the ARP request message. At this point, the switch receives the ARP request message on interface 1 and populates the source MAC address on the CAM table (MAC address table), as shown in Table 1.8:

| Interface | MAC Address |
|---|---|
| Port 1 | AA-AA-AA-AA-AA-AA |
| Port 2 | |
| Port 3 | |

Table 1.8: MAC address table

The device that is assigned the IP address 192.168.1.30 will respond with an ARP reply message only to the sender, which is PC 1, as shown in Figure 1.39:

Figure 1.39: ARP reply

The ARP reply message is a unicast transmission (one-to-one) and is sent directly to PC 1. The ARP reply is sent only to the sender due to the following reasons:

  • The ARP reply message contains the destination MAC address of PC 1.
  • The switch already learned PC 1’s MAC address on interface 1 and recognizes that the destination MAC in the Layer 2 header of the ARP reply is associated with interface 1, as shown in Table 1.9:

    | Interface | MAC Address |
    |---|---|
    | Port 1 | AA-AA-AA-AA-AA-AA |
    | Port 2 | |
    | Port 3 | CC-CC-CC-CC-CC-CC |

Table 1.9: MAC address table

When PC 1 receives the ARP reply from PC 3, it also temporarily stores PC 3’s MAC address with the associated IP address within its local ARP cache for 300 seconds, or 5 minutes. Once the destination MAC is known, it is inserted within the destination MAC address field of the Layer 2 header that is created by PC 1.

Note

On Cisco devices, the CAM table maintains a default inactivity timer of 300 seconds (5 minutes); this value can be modified. The default inactivity timer on Windows is also 300 seconds (5 minutes).

Switching Concepts: Frame Flooding

In this scenario, there are three computers connected to the same switch. PC 1 already knows the destination MAC address and destination IP address of the recipient, that is, PC 3, but the switch MAC address table is empty and does not know which interface PC 3 is connected to.

Figure 1.40 shows a visual representation of the network diagram:

Figure 1.40: Network diagram

PC 1 will create the message and ensure that all the fields within Layer 2 and Layer 3 headers are filled with the appropriate destination addresses for PC 3. When the switch receives the incoming message from PC 1, it inspects Layer 2 and records the source MAC address under interface 1 within its MAC address table, as shown in Table 1.10:

| Interface | MAC Address |
|---|---|
| Port 1 | AA-AA-AA-AA-AA-AA |
| Port 2 | |
| Port 3 | |

Table 1.10: MAC address table

Next, the switch will inspect the destination MAC address of the Layer 2 header and check its MAC address table to determine the location of the recipient. In this situation, the destination MAC address, which belongs to PC 3, does not exist in the switch’s MAC address table. Therefore, the switch will forward the message out of all other interfaces, except the interface that is connected to the sender (PC 1), as shown in Figure 1.41:

Figure 1.41: Switch sends traffic to all devices

If PC 1 sends a request message that requires a response from PC 3, whenever PC 3 replies, PC 3 will include its own MAC address within the source MAC address field on the Layer 2 header. As a result, the switch will record the source MAC address from the incoming message and associate it to interface 3, as shown in Figure 1.42:

Figure 1.42: PC 3 responds

Table 1.11 shows that the switch has recorded PC 3’s MAC address under interface 3:

| Interface | MAC Address |
|-----------|-------------------|
| Port 1 | AA-AA-AA-AA-AA-AA |
| Port 2 | |
| Port 3 | CC-CC-CC-CC-CC-CC |

Table 1.11: MAC address table

Note

To view the ARP cache on a Cisco device, use the show arp command. To view the MAC address table on a Cisco device, use the show mac-address-table or show mac address-table command. To view the ARP cache on a Windows-based system, use the arp -a command. To view the ARP cache on Linux-based systems, use the arp command.
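The learning, flooding, and aging behavior walked through above can be modeled in a few lines. This is an added example, not code from the book: the `Switch` class, its method names, and the timestamps are assumptions made for illustration, while the MAC addresses, port numbers, and the 300-second timer come from the text.

```python
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"
AGING_SECONDS = 300  # default inactivity timer quoted in the note above


@dataclass
class Switch:
    """Hypothetical model of a Layer 2 switch (illustration only)."""
    ports: tuple
    aging: int = AGING_SECONDS
    table: dict = field(default_factory=dict)  # MAC -> (port, last_seen)

    def _expire(self, now):
        """Drop entries that have been inactive for the aging interval."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen >= self.aging]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame and return (action, egress_ports)."""
        self._expire(now)
        # Learn (or refresh) the sender's location from the source MAC.
        self.table[src_mac] = (in_port, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # Unknown destination: send out of every port except the ingress one.
            return ("flood", [p for p in self.ports if p != in_port])
        out_port = entry[0]
        if out_port == in_port:
            return ("filter", [])  # destination sits behind the ingress port
        return ("forward", [out_port])

    def rows(self):
        """MAC address table in the layout of Tables 1.10 and 1.11."""
        by_port = {port: [] for port in self.ports}
        for mac, (port, _) in self.table.items():
            by_port[port].append(mac)
        return [(f"Port {p}", ", ".join(by_port[p])) for p in self.ports]


def walk_through():
    """Replay the PC 1 / PC 3 exchange; timestamps are constructed."""
    sw = Switch(ports=(1, 2, 3))
    pc1, pc3 = "AA-AA-AA-AA-AA-AA", "CC-CC-CC-CC-CC-CC"
    steps = [sw.receive(1, pc1, pc3, now=0)]        # table empty: flood
    table_1_10 = sw.rows()
    steps.append(sw.receive(3, pc3, pc1, now=1))    # PC 3 replies: learned
    table_1_11 = sw.rows()
    steps.append(sw.receive(1, pc1, pc3, now=2))    # PC 3 known: one port
    steps.append(sw.receive(1, pc1, pc3, now=400))  # PC 3 aged out: flood again
    return steps, table_1_10, table_1_11


if __name__ == "__main__":
    steps, t10, t11 = walk_through()
    for step in steps:
        print(step)
    print(t10)
    print(t11)
```

The last step shows why the timer matters: once an entry ages out, frames for that host are again delivered to every other port until the host is heard from.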

Next, you will learn about Layer 3 switches.

Layer 3 Switches

Layer 3 switches have all the same functionalities as Layer 2 switches. However, these devices have additional features. Since they operate at Layer 2 and Layer 3 of the OSI reference model, they are able to inspect the Layer 3 header of a packet and make their forwarding decisions based on the destination IP address of the message.

By default, the interfaces of a Layer 3 switch are configured to operate in Layer 2 mode. This means that they will inspect only the Layer 2 header of any incoming message and will make their forwarding decisions like a typical Layer 2 switch. However, these interfaces of a Layer 3 switch can be configured as Layer 3 interfaces, enabling network professionals to configure an IP address on each interface.

This enables the Layer 3 switch to perform both Layer 2 and Layer 3 operations within an organization’s internal network, reducing the need for a dedicated router to forward traffic between networks.

Figure 1.43 shows a scenario with two interfaces, configured to operate in Layer 3 mode with IP addresses:

Figure 1.43: Layer 3 switching

As shown in Figure 1.43, PC 1 is connected to the 192.168.1.0/24 network with a range of usable addresses from 192.168.1.1 to 192.168.1.254 and PC 2 is connected to the 172.16.1.0/24 network with a range of usable addresses from 172.16.1.1 to 172.16.1.254. In addition, Port 1 of the Layer 3 switch is configured with 192.168.1.1, which also acts as the default gateway address for any device within the 192.168.1.0/24 network, including PC 1. Similarly, Port 2 of the Layer 3 switch is configured with the default gateway address for any device within the 172.16.1.0/24 network.

Note

In the world of IPv4 addressing, the network ID and broadcast addresses are not assignable to any device.

Therefore, when PC 1 wants to send a message to a recipient that does not belong to its own network, such as PC 2, which is on 172.16.1.0/24, it will forward the packet to the default gateway, such as the Layer 3 switch or a router.

Similar to a router, the Layer 3 switch has a routing table that contains routes to known destination networks. The Layer 3 switch will inspect the destination IP address within the incoming message, and will then perform a route lookup to identify whether the routing table has a valid destination route. Once a route is found, it will process the route and forward the packet out of the connected interface. If a route is not found, the Layer 3 switch informs the sender that the destination host or destination network is unreachable.

Lastly, Layer 3 switches can also perform Layer 2 switching functions based on MAC addresses. This provides dual functionality and distinguishes them from traditional routers on a network.

Routers

A router is a networking device that is used to interconnect two or more different networks together. Whether the networks are different based on their IP addressing scheme or media type, such as copper cables and fiber optic cables, routers are the specialized devices for connecting them and ensuring network traffic can be routed between them.

Routers operate at Layer 3 of the OSI reference model. As previously mentioned, the router has a routing table that contains routes to known destination networks. The router will inspect the destination IP address in the Layer 3 header of the incoming packet and perform a route lookup to identify whether the routing table has a valid route to the destination. Once a route is found, it will process the route and forward the packet out of the connected interface. If a route is not found, the router informs the sender that the destination host or destination network is unreachable.

The following diagram shows two different IP networks, 192.168.1.0/24 and 172.16.1.0/24. Devices on the 192.168.1.0/24 network will only be able to communicate with other devices that belong to the same IP segment, but not with devices on another IP segment; the same goes for devices on the 172.16.1.0/24 network, as shown in Figure 1.44:

Figure 1.44: Router interconnecting different networks

To enable both IP networks to intercommunicate, that is, to enable devices from the 192.168.1.0/24 network to share resources with devices on the 172.16.1.0/24 network and vice versa, a Layer 3 device such as a router is required. The router enables interconnection between these different networks. Additionally, the router acts as the default gateway for each of the networks. This means that if PC 1 wants to send a message to PC 2, the message must be sent to the default gateway address that is usually configured on the router’s interface, which is directly connected to the same IP network as PC 1. Additionally, the default gateway address needs to be configured on PC 1. If PC 1 does not have a default gateway configured on its network adapter, it will not be able to communicate with devices outside the 192.168.1.0/24 network.
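The host-side gateway decision and the route lookup described for both the Layer 3 switch and the router can be traced with Python's standard `ipaddress` module. This is an added example, not code from the book: the function and class names are hypothetical, and the addresses for PC 1, PC 2, and Port 2 are assumed because the text gives only the two networks and 192.168.1.1 for Port 1.

```python
import ipaddress


def usable_range(network):
    """First and last assignable hosts; network ID and broadcast are excluded.

    Applies to ordinary subnets such as /24 (not /31 or /32).
    """
    net = ipaddress.ip_network(network)
    return (str(net.network_address + 1), str(net.broadcast_address - 1))


def host_decision(host_interface, default_gateway, destination):
    """What the sending host does with a packet before any router sees it."""
    iface = ipaddress.ip_interface(host_interface)
    dst = ipaddress.ip_address(destination)
    if dst in iface.network:
        return ("direct", str(dst))     # same IP segment: no gateway needed
    if default_gateway is None:
        return ("unreachable", None)    # off-link and no gateway configured
    return ("gateway", default_gateway)


class Layer3Device:
    """Hypothetical router or Layer 3 switch holding connected routes only."""

    def __init__(self):
        self.routes = []  # list of (network, egress port)

    def add_connected(self, port, address):
        iface = ipaddress.ip_interface(address)
        self.routes.append((iface.network, port))

    def lookup(self, destination):
        """Return ("forward", port) or ("unreachable", None)."""
        dst = ipaddress.ip_address(destination)
        matches = [(net, port) for net, port in self.routes if dst in net]
        if not matches:
            # No route: the device reports the destination as unreachable.
            return ("unreachable", None)
        # Most specific match wins (longest-prefix match, standard IP
        # behavior that the text does not spell out).
        _, port = max(matches, key=lambda m: m[0].prefixlen)
        return ("forward", port)


def figure_1_43_device():
    """The two Layer 3 interfaces from Figure 1.43."""
    dev = Layer3Device()
    dev.add_connected("Port 1", "192.168.1.1/24")
    dev.add_connected("Port 2", "172.16.1.1/24")  # assumed gateway address
    return dev


if __name__ == "__main__":
    pc1 = "192.168.1.10/24"  # assumed host address for PC 1
    pc2 = "172.16.1.10"      # assumed host address for PC 2
    print(usable_range("192.168.1.0/24"))
    print(host_decision(pc1, "192.168.1.1", pc2))
    print(host_decision(pc1, None, pc2))
    print(figure_1_43_device().lookup(pc2))
    print(figure_1_43_device().lookup("10.0.0.1"))
```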

You will read more about IP connectivity, such as static and dynamic routing, later in this book, in Chapter 11, Understanding Static and Dynamic Routing.

Next-Generation Firewalls and Intrusion Prevention Systems

A firewall is a network security appliance that is designed to filter malicious traffic between networks. These network security appliances are typically installed on the network edge of an organization’s network and configured and tuned to carefully inspect all inbound and outbound traffic, looking for any security-related threats and violations of policies to help protect the organization from cyber-attacks and threats.

It is highly recommended that a next-generation firewall (NGFW) is implemented at the network edge. The internet contains millions of useful resources, from training videos to tutorials and community forums, to help you get started. However, there are many threats, such as malware and threat actors, that roam the internet and attempt to infect and compromise targeted systems and organizations. The firewall will act as the first line of defense against these threats that originate from the internet. However, it is a single line of defense, and a defense-in-depth approach is needed to ensure multiple layers of protection are implemented to safeguard an organization’s assets.

Figure 1.45 shows the typical deployment of a firewall on a network:

Figure 1.45: Perimeter firewall deployment

As shown in Figure 1.45, the NGFW is deployed between the internet and the organization’s network infrastructure. One of the internal interfaces of the firewall is connected to the internal network, where the end users and internal servers are located. Another internal interface of the firewall is connected to the demilitarized zone (DMZ), a semi-trusted area of the network that enables external users or systems to access the devices within the DMZ while protecting the internal network from attacks and threats.

An NGFW is designed to be superior in many ways, such as protecting the network and users from advanced threats, providing deep packet inspection (DPI), which enables the firewall to decrypt messages and inspect the application data found within a packet, preventing ransomware from entering the network, and having virtual private network (VPN) features.

A firewall, by default, will allow traffic originating from the internal private network to all other networks, such as the internet. However, any traffic that is initiated from the internet to the internal network is blocked by default. The Cisco firewall uses the concept of identifying a security zone to help it determine the level of trust it has for a network. When deploying a Cisco firewall, the security engineer must assign each configured interface to a security zone and assign a trust-level value.

Figure 1.46 shows the default security level for a legacy Cisco Adaptive Security Appliance (ASA) firewall:

Figure 1.46: Security zones of a firewall

The inside zone is usually your private, internal network, which is supposed to be a fully trusted and safe environment for all devices in the corporate network. This zone will normally have a security level of 100 to indicate that it is a fully trusted security zone. The firewall will allow all traffic originating from the inside zone with a security level of 100 to all other zones that have lower security levels.

The internet, as you know, is the most unsafe network in existence, filled with extremely malicious malware and hackers. The internet-connected interface is usually assigned a security level of 0 and is known as the outside zone. Any traffic that is initiated from the outside zone to the inside zone will be blocked by default on the firewall. However, keep in mind that if a user on the inside zone has initiated a connection to the outside zone, the firewall will allow it by default, and if there is any returning traffic, the firewall will allow it.

Note

The security-level schemes mentioned in this book are based on the Cisco security technologies.

The DMZ is a semi-trusted zone that is attached to the firewall on the corporate network. This zone is created to place servers that are accessible from the internet and the inside zone. The following are some guidelines for creating a DMZ on your network:

  • The traffic initiating from the DMZ should not be allowed to access the inside zone.
  • Rules should be created on the firewall to allow specific traffic to flow to the servers that are located in the DMZ.
  • Ensure traffic initiating from the inside zone can access the DMZ.
  • The security level of the DMZ should be between the values of the inside and outside zones.

However, within an organization, there may be multiple trusted zones that have a security level closer to 100. Therefore, you can consider assigning a security level of 50 to the DMZ.
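The default behavior of the security levels and the DMZ guidelines above can be expressed as a small stateful model. This is an added example, not Cisco's implementation or code from the book: the `Firewall`, `Permit`, and `audit` names are hypothetical, the IP addresses and ports are constructed, and only the levels 100, 50, and 0 come from the text.

```python
from dataclasses import dataclass, field

# Security levels from the text: inside 100, outside 0, DMZ 50 (suggested).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Permit:
    """Explicit rule that lets one service be reached across zones."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    levels: dict
    permits: list = field(default_factory=list)
    connections: set = field(default_factory=set)  # flows already let through

    def handle(self, src_zone, src_ip, src_port, dst_zone, dst_ip, dst_port):
        """Return (decision, reason) for one packet."""
        flow = (src_zone, src_ip, src_port, dst_zone, dst_ip, dst_port)
        reply_to = (dst_zone, dst_ip, dst_port, src_zone, src_ip, src_port)
        if flow in self.connections:
            return ("allow", "established")
        if reply_to in self.connections:
            return ("allow", "return-traffic")
        # Higher to lower security level is allowed by default. Equal levels
        # are not covered in the text; this model does not allow them implicitly.
        if self.levels[src_zone] > self.levels[dst_zone]:
            self.connections.add(flow)
            return ("allow", "higher-to-lower")
        for rule in self.permits:
            if (rule.src_zone, rule.dst_zone, rule.dst_ip, rule.dst_port) == (
                    src_zone, dst_zone, dst_ip, dst_port):
                self.connections.add(flow)
                return ("allow", "explicit-rule")
        return ("deny", "default")


def audit(fw):
    """Check a configuration against the DMZ guidelines listed above."""
    findings = []
    lv = fw.levels
    if not lv["outside"] < lv["dmz"] < lv["inside"]:
        findings.append("DMZ security level is not between outside and inside")
    for rule in fw.permits:
        if rule.src_zone == "dmz" and rule.dst_zone == "inside":
            findings.append(f"rule lets DMZ reach inside: {rule.dst_ip}:{rule.dst_port}")
    return findings


def demo():
    """Constructed packets; 192.0.2.80 stands in for a DMZ web server."""
    fw = Firewall(dict(LEVELS), [Permit("outside", "dmz", "192.0.2.80", 443)])
    packets = [
        ("inside", "192.168.1.10", 50000, "outside", "203.0.113.5", 443),
        ("outside", "203.0.113.5", 443, "inside", "192.168.1.10", 50000),
        ("outside", "198.51.100.7", 40000, "inside", "192.168.1.10", 3389),
        ("outside", "198.51.100.7", 40001, "dmz", "192.0.2.80", 443),
        ("outside", "198.51.100.7", 40002, "dmz", "192.0.2.80", 22),
        ("dmz", "192.0.2.80", 40003, "inside", "192.168.1.10", 445),
        ("inside", "192.168.1.10", 50001, "dmz", "192.0.2.80", 443),
    ]
    return [fw.handle(*p) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `audit` against a configuration before deployment flags the two mistakes the guidelines warn about: a DMZ level outside the 0 to 100 range boundaries and any rule that lets DMZ hosts open connections to the inside zone.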

Intrusion Prevention Systems

An intrusion prevention system (IPS) was previously a dedicated network security appliance that sat between the firewall and the internal network. However, as technology evolved, the IPS was integrated into the NGFWs and it now requires a subscription-based license to be enabled on commercial firewalls. An IPS is used to detect and block network-based intrusion attacks that are undetectable by firewalls.

Figure 1.47 shows how a firewall sends traffic for inspection to the integrated IPS module:

Figure 1.47: Traditional IPS deployment

With the advancement of technologies and innovation, Cisco has integrated their IPS into their NGFW appliances as a module. The benefits of this are reduced physical footprints, such as having fewer physical appliances and using a unified management dashboard for both the Cisco IPS and firewall.

The Cisco IPS downloads a database of malware signatures and cyber threat intelligence (CTI) from Talos, Cisco’s security intelligence and research group. It uses this information to closely inspect all traffic flowing through it and identify any malicious traffic or anomalies. Additionally, the IPS can be manually configured with predefined rules created by a network security engineer. It also automatically learns the behavior of the network to catch suspicious traffic types. The benefit of having an IPS on a network is to detect malicious traffic and proactively stop it in real time, preventing the attack from entering the internal network of an organization.

Note

If you are interested in building your own IPS device, check out Snort at www.snort.org. Snort is an open source IPS application.

Unlike IPS, an intrusion detection system (IDS) is considered to be a reactive security solution. An IDS is configured to receive a copy of the network traffic, detect security threats, and send alerts.

An IDS is not implemented in line with network traffic like an IPS and does not have the capability to stop an attack as it happens in real time. Furthermore, the IDS sends an alert only after a threat is detected, which makes it reactive.

Now that you have learned about the functions of firewalls and IPSs, you can dive into understanding the role and function of access points.

Access Points

A wireless access point (WAP) is a networking device that enables users with mobile devices such as smartphones, IoT devices, and even laptops with a wireless network adapter to connect and access the resources on a wired network. By implementing WAPs within an organization, the mobility of users who perform work using a mobile device can be increased. This will enable the mobile user to roam around within the building and use any free office rooms. Additionally, implementing a wireless infrastructure within an organization reduces the need to install network cables.

WAPs use antennas that emit radio frequency signals. These signals operate within the 2.4 GHz and 5 GHz spectrum based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard for wireless networking. The IEEE 802.11 standard enables mobile devices with compatible wireless network adapters to transmit data on these frequencies between themselves and an associated WAP.

The 2.4 GHz spectrum uses a lower frequency and provides greater distance. As there are many buildings and homes with WAPs that operate on the 2.4 GHz range, the 2.4 GHz airwaves are now very saturated. Each device tries to transmit its data to clients without causing interference, but this has become almost impossible now. The 2.4 GHz band uses a total of 14 channels. While it was once recommended to use channels 1, 6, and 11 to minimize overlap and interference between WAPs, this strategy is no longer as effective due to the increasing number of devices and networks competing for the same limited frequency space. Figure 1.48 shows the recommended clean channels of 2.4 GHz:

Figure 1.48: Wireless channels range

However, even this recommendation is no longer beneficial. A WAP can use channel 2, 4, or even 8, which will create an overlap (interference) between the recommended channels (1, 6, and 11).

The 5 GHz frequency provides a lot more channels, with 23 non-overlapping channels, thus creating less interference among nearby WAPs that are also operating on the 5 GHz frequency. The downside of using 5 GHz is the short distance the signal can travel. However, this may be a benefit. Imagine an organization that implements a 5 GHz wireless infrastructure across multiple floors to serve employees. Since the 5 GHz frequency travels much shorter distances than 2.4 GHz, the signal of one WAP is less likely to interfere (overlap) with another WAP in the same vicinity that is also using the 5 GHz band.

More on wireless networking and architecture will be covered in later chapters of this book. Next, you will learn about the role and function of network controllers.

Controllers

Network controllers assist network professionals with centrally managing and optimizing the performance of their network infrastructure and improving their security posture. For instance, network controllers function as the brain of each network device within an organization. This means that the brain functionality of each switch, router, and even WAP is centrally managed by a single network controller.

The following are some common roles and functions of a network controller:

  • Centralize the device management of routers, switches, WAPs, and firewalls.
  • Improve configuration management throughout the entire network infrastructure.
  • Monitor and improve network performance.
  • Monitor and improve the security management of networking devices.
  • Monitor and diagnose network performance issues and assist with troubleshooting issues.

By implementing network controllers such as Cisco Digital Network Architecture (Cisco DNA) and a Cisco wireless local area network controller (Cisco WLC), network professionals are better equipped to closely monitor their network infrastructure and ensure that it is fully optimized, reliable, and secure at all times. Using network controllers also helps with automating configurations on network devices, monitoring network performance, and troubleshooting issues.

The Cisco DNA platform is an IP-based software solution designed by Cisco Systems to provide network professionals with applications they can use to manage, automate, and gather intelligence analytics, as well as monitor security, on a Cisco network across multiple devices and platforms.

A WLC provides a centralized management dashboard for the entire wireless infrastructure. This system enables network and security professionals to manage all associated WAPs on the network. For instance, a network professional can simply log in to the web interface of the WLC and configure the entire wireless network, and then the WLC will push the configurations to each connected WAP within a few minutes.

Endpoints and Servers

An end device or an endpoint is simply any device that is used by an end user, such as a desktop, a laptop, a smartphone, or even a tablet computer. End devices usually request services or access to resources that are usually located on a centralized system such as a server. Servers are dedicated systems on a network that provide resources and services to all endpoints and users on a network.

Power over Ethernet

Power over Ethernet (PoE) enables network media that supports electrical signals such as copper cables to carry sufficient electrical power from a source such as a PoE-enabled switch to a low-powered, PoE-supported end device such as a VoIP phone, an IP camera, or even a WAP. PoE allows both data and electrical signals to flow through a single network cable from the PoE switch to the receiver. Using PoE technologies helps reduce the need for additional power outlets within a room or building.

The following are some common PoE standards:

  • IEEE 802.3af (PoE): This version of PoE provides up to 15.4 watts of power over a Cat 5 network cable and is commonly used to power up devices such as VoIP phones and WAPs.
  • IEEE 802.3at (PoE+): This version of PoE provides up to 25.5 watts of power to support more power-consuming devices.
  • IEEE 802.3bt (PoE++ or 4PPoE): This version of PoE is available in Type 3, which provides up to 60 watts of power, and Type 4, which provides up to 100 watts of power.

Figure 1.49 shows how powered devices such as VoIP phones and IP cameras are connected to a PoE switch:

Figure 1.49: PoE switch

Having completed this section, you have learned about the role and function of various network components and systems.

Summary

In this chapter, you learned about the roles and functions of key network components, such as routers, which use IP addresses to forward packets to their destinations; Layer 2 switches, which manage the forwarding of frames and use MAC addresses to determine their forwarding decisions; and even Layer 3 switches, which perform both Layer 2 and Layer 3 switching and routing functions.

Furthermore, you’ve learned how NGFW and IPS solutions enhance the network security of organizations. You also gained a better understanding of their placement within a network topology. Additionally, you’ve discovered how various controllers, such as Cisco DNA, assist with network management and automation, while Cisco WLCs provide centralized management of a wireless network architecture.

Lastly, you’ve learned the function of each layer of the OSI and TCP/IP network models and what occurs as application data travels between a sender and a destination host over a network.

This chapter will help in your journey toward learning how to implement and administrate Cisco solutions and prepare for the 200-301 CCNA v1.1 certification. In the next chapter, Chapter 2, Getting Started with Cisco IOS Devices, you will learn about the common network designs, network interface types, and cables.

Exam Readiness Drill – Chapter Review Questions

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

HOW TO GET STARTED

  • Open the link or scan the QR code at the bottom of this page
  • If you have unlocked the practice resources already, log in to your registered account. If you haven’t, follow the instructions in Chapter 19 and come back to this page.
  • Once you log in, click the START button to start a quiz
  • We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.
  • You can use the following practice template to help you plan your attempts:

Table

The above drill is just an example. Design your drills based on your own goals and make the most out of the online quizzes accompanying this book.

First time accessing the online resources?

You’ll need to unlock them through a one-time process. Head to Chapter 19 for instructions.

Key benefits

  • Complete coverage of all CCNA 200-301 v1.1 exam objectives aligned with Cisco’s official blueprint
  • Build foundational skills in switching, routing, IP services, security, wireless, and automation
  • Configure networks through 30+ hands-on labs using Cisco Packet Tracer scenarios
  • Test your exam readiness with 2 mocks, 170+ review questions, and detailed explanations

Description

Kickstart your networking career with confidence by acing the CCNA exam on your first try. The Cisco Certified Network Associate (CCNA) certification opens doors to high-demand roles in networking and security. This fully updated second edition makes exam success achievable, even if you're just starting out. Aligned with the latest Cisco blueprint, this CCNA 200-301 exam guide combines real-world examples, step-by-step labs, and clear explanations to help you master all six exam domains. You’ll build a solid foundation in switching, routing, IP addressing, network services, wireless technologies, security, and automation. Along the way, you'll sharpen your skills with hands-on configuration tasks, visual diagrams, and simulation exercises using Cisco Packet Tracer. Each chapter includes review questions that reflect actual exam difficulty, helping you stay on track and gauge your readiness. You’ll also get access to online extras: over 170 practice questions, two full-length mock exams, interactive flashcards, exam tips from Cisco experts, and more than 30 practice labs. From exam strategies to high-demand skills, this guide offers everything you need to get certified, hired, or grow in your network engineering and security administration roles.

Who is this book for?

This exam guide is for IT professionals looking to advance their network engineering and security administration careers. If you’re aiming to earn your Cisco CCNA certification and launch a career as a network security professional, this book is the perfect resource. While no prior knowledge of Cisco technologies is required, a basic understanding of industry-standard networking fundamentals will help you easily grasp the topics covered.

What you will learn

  • Understand how switching, routing, and IP addressing work in network environments
  • Create VLANs and configure static and dynamic routing using Cisco CLI commands
  • Set up IP services including DHCP, NAT, DNS, and NTP across network devices
  • Apply wireless settings, security features, and access control to secure networks
  • Use Cisco Packet Tracer to build, test, and troubleshoot network configurations
  • Solve realistic practice questions that mirror the actual CCNA 200-301 v1.1 exam format

Product Details

Publication date: Jul 31, 2025
Length: 700 pages
Edition: 2nd
Language: English
ISBN-13: 9781835887493

Table of Contents

20 Chapters
Introduction to Networking
Getting Started with Cisco IOS Devices
Network Architectures and Physical Infrastructure
IPv4 and IPv6 Addresses
Practical Subnetting
Wireless Architectures and Virtualization
Implementing VLANs and Interswitch Connectivity
EtherChannels and Layer 2 Discovery Protocols
Understanding and Configuring Spanning Tree
Interpreting Routing Components
Understanding Static and Dynamic Routing
Network Address Translation
Network Services and IP Operations
Exploring Network Security
Device Access Controls and VPNs
Implementing Access Controls Lists (ACLs)
Implementing Layer 2 and Wireless Security
Network Automation and Programmability Techniques
Accessing the Online Practice Resources
Other Books You May Enjoy

Customer reviews

Rating distribution
Rating: 5
(1 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Thomas Sep 28, 2025
Rating: 5
Awesome CCNA preparation book
Subscriber review Packt
