Networking Switch/Router/Firewall – L2,L3,L4 Headers – and where they change – also a quick look at OSI 7 layers (simple)
####################################################
* http://www.webopedia.com/quick_ref/OSI_Layers.asp
WHAT HAPPENS AT DIFFERENT LAYER
#################################
Basic IP communication from Client to Server goes like this.
Note: each higher level device, like a host, does the operations of all of the lower level devices (although some of the hardware might not be as quick, example, Switches, build the Layer 2 information quickly with asics, where as PCs and regular L3 routers use the processor – yes yes Multilayer switches use ASIC to build the L2 headers quickly)
L7->L6->L5->L4->L3->L2->L1 (the top 3 layers L7, L6, and L5)
* Originator of traffic: gets data from application, puts data in TCP/IP stack, presents it, sets it up in a sessions (Sets up a socket IP and Port), and makes the L4,L3,L2 headers
L1->L2 and finally L2->L1
* L2 Functions: Switch – L2 headers only change if VLAN or CoS change/add/or removed – Switches look at MAC Address Table (MAC Table ties the MAC address to which PORT/INTERFACE has the MAC – this is confused with ARP table, however this is not ARP table – With this info the MAC Table informs the switch which PORT to send out the frame on, based on the Destination MAC in the frame) and send out appropriate port (or sends it out no ports, and thus drops the frame, if the tags don’t agree – Think VLANS – or all ports within the bcast domain if the destination MAC is missing in the MAC Address)
– SEND TO PORT based on MAC ADDRESS TABLE (port to mac table)
L1->L2->L3 and finally L3->L2->L1
* L3 functions: Router – Changes L2 headers (changes Source and Destination MAC) by pointing at new Router, the old IP headers need to stay the same so that target is known and target knows source – how does it change the L2 headers? It looks at packets IP destination, decides from routing table RIB (routing information base, which is the routing table – or if CEF is enabled, then the CEF table which is synonymous with the RIB is used, which is the FIB forwarding information base) to what next-hop IP to send to (next-hop being the next router receiving interface/port, or if lucky the next-hop might be the final destination if its directly connected – either way final-destination or next-hop-router is reached), with this information it updates the L2 headers (SRC MAC becomes the interface it will leave out on, the DST MAC becomes the router its headed towards -> it uses the ARP table to see next-hop ips MAC address to fill in the DST MAC, or if using CEF it uses the ADJACENCY table). After it knows what the next-hop IP is, it looks up the MAC address and updates L2 SRC and DST MAC address (SRC being its own mac, and DST MAC being the next-hop ips MAC) – it gets this information from the ARP table, or if CEF is used then it gets the information from the ADJACENCY TABLE. (any vlan stuff tags or whatever, will happen at the switching step of the router)
RIB (handled with CPU – software slower) analagous to FIB (asic) with CEF: stores routes (routes from RIB are immediately updated into the FIB, they are 1 to 1)
ARP Table (handled with CPU – software slower) analagous to ADJACENCY TABLE (asic) with CEF: both store IP to MAC (ADJ table also stores SRC MAC -the routers own mac address – for quicker L2 Header fill up)
FIB (handled with ASIC – hardware faster, this is CEFs version of the RIB table): this CEFS routing table, maintaining only the next-hop address for a particular IP-route.
ARP TABLE (handled with CPU – software slower): stores IP to MAC information and is used for routing (or just at layer 3), when building the headers to send the next packet. It gets filled up by learning MAC address from STP (Learning phase), or also from packets that have new&unseen SRC MACs.
ADJACENCY TABLE (handled with ASIC – hardware faster, this is CEFs version of ARP table): keeps all of the next-hop ips mac addresses, and auto builds list with its own arps that it sends to build the list.
L2 Headers can change 2 ways then (Depending on if using CEF or not):
– CHANGE L2 HEADERS based on ROUTING TABLE next hop IP decisions and then ARP TABLE nexthops mac (ROUTING TABLES stores next hop for network/subnet, ARP table stores IP to MAC address so can be used to fill out the L2 headers appropriately)
– CHANGE L2 HEADERS based on the FIB from CEF answer and looks up what to put in the L2 HEADERS at ADJACENCY TABLE (FIB is Routing information at quicker access, Adjancecy table is like arp table thats more proactive at being filled up and also hold MAC to IP)
NOTE: because CEF is all a bout moving the routing from the processor to the hardware ASIC it will speed up the L2 headers switch by having the ADJACENCY table hold the DST MAC and SRC MAC (in that order, next to each other in the table)
L1->L2->L3->L4 and finally L4->L3->L2->L1
* L4 functions: Firewall – NAT – L2-L3-L4 headers change – When leaving a NAT, the Source IP is changed from internal to external (maybe even the source port L4 – if the connection started on the source port N example N is 5000, but N or 5000 is in use in the NAT table by another connection, then N+1 or 5001 is used) – When entering the NAT the destination IP is changed from the Public IP to the Internal IP (maybe even the port is changed – if there was translated port forwarding – or if the connection started on the inside with the random source port N at the internal initiating PC but had to be N+1 source port on the way out of the NAT table as N was used by another session)
NAT only changes the SOURCE IP as traffic leaves, it puts in its own SOURCE IP (it also updates the conntrack table – connection tracking table because these are STATEFUL FIREWALLS)
NAT only changes the DESTINATION IP as traffic comes back/enters from outside, it puts in the correct DESTINATION IP of the host from either a) the iptables/portforwardings or b) the nat conntrack table (which is the connection tracking table table)
–STATELESS FIREWALLS–
Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for.
–STATEFUL FIREWALLS–
Stateful firewalls can watch traffic streams from end to end. They are are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledge or established), it can tell if the MTU has changed, whether packets have fragmented etc.
L1->L2->L3->L4->L5->L6->L7 and finally L7->L6->L5->L4->L3->L2->L1
Destination – The destination recieves the packet and processes it up the OSI layers to the application, as it repackages it for resending with the reply, it has to flip lots of the of L4 information (source port becomes destination port), L3 information is flipped too (source IP becomes dst IP).
NOTE: N+1, and can be +1 again, until a none used port
THE OSI 7 LAYERS
################
The OSI, or Open System Interconnection, model defines a networking framework to implement protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, and proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.
There’s really nothing to the OSI model. In fact, it’s not even tangible. The OSI model doesn’t do any functions in the networking process, It is a conceptual framework so we can better understand complex interactions that are happening. The OSI model takes the task of internetworking and divides that up into what is referred to as a vertical stack that consists of the following layers:
===Physical (Layer 1)===
This layer conveys the bit stream – electrical impulse, light or radio signal — through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier, including defining cables, cards and physical aspects. Fast Ethernet, RS232, and ATM are protocols with physical layer components.
– Layer 1 Physical examples include Ethernet, FDDI, B8ZS, V.35, V.24, RJ45.
===Data Link (Layer 2)===
At this layer, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control and frame synchronization. The data link layer is divided into two sub layers: The Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub layer controls how a computer on the network gains access to the data and permission to transmit it. The LLC layer controls frame synchronization, flow control and error checking.
– Layer 2 Data Link examples include PPP, FDDI, ATM, IEEE 802.5/ 802.2, IEEE 802.3/802.2, HDLC, Frame Relay
===Network (Layer 3)===
This layer provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.
– Layer 3 Network examples include AppleTalk DDP, IP, IPX.
===Transport (Layer 4)===
This layer provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.
– Layer 4 Transport examples include SPX, TCP, UDP.
===Session (Layer 5)===
This layer establishes, manages and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination.
– Layer 5 Session examples include NFS, NetBios names, RPC, SQL.
===Presentation (Layer 6)===
This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer.
– Layer 6 Presentation examples include encryption, ASCII, EBCDIC, TIFF, GIF, PICT, JPEG, MPEG, MIDI.
===Application (Layer 7)===
This layer supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely in the application level. Tiered application architectures are part of this layer.
– Layer 7 Application examples include WWW browsers, NFS, SNMP, Telnet, HTTP, FTP
WHAT IS CEF – CISCO EXPRESS FORWARDING TABLE?
##############################################
CEF is used to increase speed of throughput close to that of line rate, by using the hardware speed of ASICs rather then CPUs. ASICS are processor like chips that are only used to computer one type of task, thus they are faster then CPUs. CEF delegates 2 tasks from the CPU to the ASIC to speed up switching and routing performance. Which 2 tasks? well switching and routing :-). Routing can be broken down into simply what the device does with the packet at Layer 3 based on the RIB (routing table/routing information base), this task is delegated down to the ASICs and the table is now going to be called FIB (so its CEF’s FIB table). Switching can be broken down into simply what the device does with the frame (aka packet) at Layer 2 based on the ARP table, this task is delegated down to the ASICs and the table is now going to be called the ADJACENCY table (so its CEF’s ADJACENCY table).
NOTE: The next part of the equation is the Mac address table, as can be seen in these diagrams. Look at which tables are looked at without CEF being enabled: RIB(cpu slow)->ARP(cpu slow)->MAC Address table(asic fast). This is what tables are looked at with CEF being enabled: FIB(asic fast)->ADJACENCY(asic fast)->MAC Address table(asic fast). The MAC Address table is already handled by ASICs (hardware speed) so there is no need to speed it up with CEF.
NOTE: routing Looks at layer3 ip (writes the TTL etc), writes in layer2 mac- switching writes in layer2 rarely (cos/Vlan), looks in layer2 to see what port to send out on
Here is Wikipedias information on CEF http://en.wikipedia.org/wiki/Cisco_Express_Forwarding:
CEF is mainly used to increase packet switching speed by reducing the overhead and delays introduced by other routing techniques. CEF consists of two key components: The Forwarding Information Base (FIB) and adjacencies.
The FIB is similar to the routing table generated by multiple routing protocols, maintaining only the next-hop address for a particular IP-route.
The adjacency table maintains layer 2 or switching information linked to a particular FIB entry, avoiding the need for an ARP request for each table lookup. There are several types of adjacencies. Some are listed below:
- Cache adjacency: This type of entry contains the correct outbound interface and the correct MAC address for its FIB entry. The MAC address is the IP address’s MAC address if the destination’s subnet is directly connected to the router, or is the MAC address of the router that the packet needs to be sent to if the destination’s subnet is not directly connected to the router currently processing the packet.
- Receive adjacency: This type of entry handles packets whose final destinations include the router itself. This includes packets whose IP addresses are assigned to the router itself, broadcast packets, and multicasts that have set up the router itself as one of the destinations.
- Null adjacency: Handles packets destined to a NULL interface. Packets with FIB entries pointing to NULL adjacencies will normally be dropped.
- Punt adjacency: Deals with packets that require special handling or can not be switched by CEF. Such packets are forwarded to the next switching layer (generally fast switching) where they can be forwarded correctly.
- Glean adjacency: This adjacency is created when the router knows that either the destination IP’s subnet is directly connected to the router itself and it does not know that destination device’s MAC address, or the router knows the IP address of the router to forward a packet to for a destination, but it does not know that router’s MAC address. Packets that trigger this entry will generate an ARP request.
- Discard adjacency: FIB entries pointing to this type of adjacency will be discarded.
- Drop adjacency: Packets pointing to this entry are dropped, but the prefix will be checked.
In order to take full advantage of CEF, it is recommended to use distributed CEF (dCEF), where there is a FIB table on each of the line cards. This avoids the need for querying the main processor or routing table in order to get the next-hop information. Instead, fast switching will be performed on the line card itself.