CHAPTER 7: TCP/IP and Routing 336 How Packets Travel from Network to Network Let’s look at how a data packet from one host travels to another across the span of networks. After a sending host receives the needed IP address, the packet is sent from the host through the TCP/IP suite to the physical medium for delivery at the target IP address. Routing is the process of send- ing the packet to its destination. A router is a device that forwards packets from one network to another and is also referred to as a gateway (the term gateway is used in several different contexts; in all cases, a gateway connects one thing with another). When the sending host has a packet ready, it already has determined the destination’s IP address by using one of the many name-to-IP resolu- tion methods discussed. However, it may not know where that IP address is located if it is not located on the same subnet as the sending host. When TCP/IP on a host is initialized, it automatically creates a routing table, which consists of default entries, manual entries, and entries made automatically through communication with network routers. To route the packet properly, the IP layer of a host will consult with the routing table that is stored in memory. Depending on whether the destination is on the same network or across the network boundaries (which is determined by examin- ing the network ID of the destination address), the packet will be sent by direct delivery or indirect delivery. Direct delivery is when the router is not used to forward the packet because the destination is on the same network (subnet or network seg- ment) as the sending host. In this case, the packet is sent directly to its destination. When the packet leaves the sending host, the data is encapsulated in a frame format for the network interface layer with the destination’s physical address included (as you’ll recall, the physical or HEAD OF THE CLASS… Network+ Exam is Focused on TCP/IP … Period. For those of you taking the Network+ exam, you will need to know TCP/IP in detail. It’s the most commonly used protocol today and the most tested on the exam. On the Network+ exam, the term IPX/SPX (as well as the others) will come up a lot so it may appear as if many questions are on IPX/SPX, AppleTalk, or Net- BEUI. It’s important to understand that many times, in this scenario, you are being asked fundamental knowledge that was already acquired earlier in this chapter, such as the fact that IPX/SPX uses NLSP as a Dynamic Routing Protocol, whereas TCP/IP will use something such as OSPF. NLSP is an IPX/SPX-based Dynamic Routing Protocol, whereas OSPF is a TCP/ IP-based one. Most of the exam is focused on details about TCP/IP, so don’t get too upset that you see IP-based protocols covered here in depth, whereas, others are not. Understanding Basic IP Routing 337 MAC address that matches the IP address in the destination header is determined by ARP). If the packet is destined for another network, it is sent to an interme- diate point for forwarding. This is called indirect delivery. The IP data is encapsulated in a frame format that is actually addressed to the physical address of the network interface of the IP router that is on the sending computer’s subnet. Thus, the packet is sent from the sending host directly to the router. The router takes a look at the packet and determines where it should be sent to reach its final destination. The router passes the packet from its internal interface (the one with an address on the same subnet as the sender) to its external interface (the interface that’s on a differ- ent subnet). From there, the packet may make its way across many routers before reaching the subnet or network on which the destination computer resides. IP Routing Tables Any IP node that initializes the TCP/IP stack will generate a default rout- ing table based on the configuration of that node. For instance, when your network-connected desktop boots up and initializes the TCP/IP stack, it will create a default routing table based on your computer’s unique IP address, which includes the network ID as well as the default gateway (default router) and subnet mask. The table also contains the logical or physical interface, typically the network interface card, to be used to forward the packet. IP Routing Table Entries Routing table entries can be default, manual, or dynamic. The default values are created when the TCP/IP stack is initialized,  as shown in Figure 7.6. Manual entries can be placed in the table for specific routes that  may be desired. Some organizations, for instance, want specific traf- fic to go through specific routers. In that case, those routes can be entered into the routing table manually. Routes can be added dynamically if the router supports dynamic  routing tables. We’ll discuss the differences between manual and dynamic routing in a moment. For now, let’s look at the specific entries in a routing table. Routing table entries contain a number of elements in a specified order. Each of those elements is required and each is described briefly here. Figure 7.6 shows a typical routing table. CHAPTER 7: TCP/IP and Routing 338  Network Destination The network ID can be class-based, sub- netted, or supernetted.  Netmask The mask used to match the destination network with the IP address in the data.  Next Hop or Gateway The IP address of the next router (a hop is one segment between routers. If a packet has to go through two routers, that would be two hops).  Interface Identifies which network interface is used to forward the packet. Remember that every router has at least two interfaces.  Metric The metric is a number used to help determine the best route for the packet. This typically is used to identify the route with the fewest hops. The metric is often expressed as the cost of the route. Routing tables can also store four specific types of routes:  Directly Attached Network IDs For packets destined for the local or attached network. If the sending and receiving hosts are both on the same subnet, for instance, the packet will be sent via this method.  Remote Network IDs Any packets destined for networks reachable via routers will be sent via this routing method. FIGURE 7.6 Default Routing Table Entries. Understanding Basic IP Routing 339  Host Routes A host route is a route to a specific IP address. This type of route allows a packet to be sent to a specific IP address. The network ID is the IP address of the destination host and the net- work mask is 255.255.255.255.  Default Route The default route is used when a more specific net- work ID or route cannot be found. When all else fails, the default route is used. This is defined as a network ID of 0.0.0.0 and the network mask is 0.0.0.0. Route Determination Process Each IP packet has a destination IP address, which is used to determine how the packet will be routed. Using the logical ANDing process, the desti- nation IP address and the subnet mask (or netmask) are compared. If they match, the packet stays on the local network and is sent directly to the destination IP address. If the destination IP address and the subnet mask do not match, the entries in the routing table are compared to the destination IP address. If a match is found (that is, if the destination IP address and the subnet mask AND to a value found in the routing table), the packet is sent to the gateway listed in the routing table. If no matching entries can be found, the packet is sent to the defined default gateway. If more than one match is found in the routing table entries, the metric is used and the route with the fewest hops is typically selected. To view the route table on a Windows Server 2003 computer, access the command prompt and type route print. If there is no matching entry in the routing table, the packet will be sent to the default gateway for forwarding. When this process is complete, the resulting IP address (either destination IP address or gateway IP address) is then resolved to a physical address. This process uses ARP. Note In this section we used a server (multihomed with two network interface card (NICs)) as a router. When using Routing and Remote Access Service (RRAS), you can use Windows Server 2003 (or 2000) as a router. Because most people have more access to a copy of the server than to a Cisco router, this made the most sense. However, it will be most commonly seen on a vendor router such as Cisco or Juniper. For the exam you will not be asked to analyze different vendor-based routing information tables (RITs), so this example is all that you need to learn the concepts about routing to be able to pass the exam. Make sure that, when you get an opportunity, to work with commonly used equipment whenever possible, especially Cisco’s offerings. CHAPTER 7: TCP/IP and Routing 340 Physical Address Resolution (Using ARP) ARP resolves IP addresses to physical addresses. ARP is used to resolve the next-hop IP address to a physical MAC address. This is done using network broadcasts. The resolved MAC address is placed in the header of the packet as the destination MAC address. ARP Cache Just as a routing table is stored on the local host, so too is a list of the resolved IP-to-MAC addresses. This information is held in the ARP cache. Each time a request and resolution occur, both the sender and receiver store the other’s IP-to-MAC address mapping. When a packet is received, the ARP cache is checked to see if the resolution has already been added to the cache. If so, the packet is immediately forwarded to the resolved address. If the ARP cache does not contain the listing, a process must be initiated to resolve the IP address to the MAC address. Resolved entries are stored for a specified period of time and then discarded. If the same IP address is used within the specified time frame, the MAC address is already known and the packet is simply forwarded. If the ARP cache entry has expired, it no longer exists and the discovery process must be used, even if the MAC address was previously discovered. ARP Process There are two steps involved in resolving the IP address to a MAC address: the ARP request and ARP reply. The node responsible for forwarding the packet (either the sender or a gateway) will use the ARP request message to request the MAC address for the next-hop IP address. The format of the ARP request is a MAC-level broadcast that is sent to all nodes on the same physi- cal segment as the sender. Whichever node sends the ARP request message is called the ARP requester. The ARP reply is the return process. The node whose address matches the MAC address in the ARP request will respond by sending an ARP reply. This is a unicast (directly back to the sender only) MAC frame sent by the node called the ARP responder. The ARP responder’s unicast message con- tains both its IP address and its MAC address. Once this process is complete, both nodes now have new information about an IP address and the associated MAC address. This information is stored in the ARP cache for a specified amount of time. When it expires, if this address is needed again, the same request and reply process is used. RARP (which is Reverse ARP) is the complete opposite of ARP. Where ARP is the process of resolving a known IP address to its MAC address, Understanding Basic IP Routing 341 RARP will resolve an IP address to a known MAC. Remember, it’s sim- ply the opposite of ARP and very easy to remember simply by its name alone. Although not necessarily testable on the Network exam, there are other forms of ARP that you should be aware of as a Network technician that you will see in use in your day-to-day activities. Inverse ARP On non-broadcast-based multiple access (NBMA) networks, such as wide area technologies including ATM (Asynchronous Transfer Mode), Frame Relay, and X.25, the network interface address is not the MAC address. Instead, it is a virtual circuit. In these cases, the IP address is mapped to the virtual circuit over which the packet is traveling. In resolving addresses in NBMA networks, the virtual circuit identifier is known, but the receiving node’s IP address is not. Inverse ARP (InARP) is used to resolve the IP address on the other end of the virtual circuit. InARP was specifically designed for Frame Relay circuits. InARP uses a query on each virtual circuit to determine the IP address of the interface on the other end. A table is built using the results of these queries for use in resolving addresses in NBMA networks. Proxy ARP Proxy ARP occurs when one node answers ARP requests on behalf of another node. This is typically the case in subnets where no router is present. An ARP proxy device is placed between nodes on the network. This device is aware of all nodes on its physical segment and can respond to ARP requests and facilitate the forwarding of packets on the network. An ARP proxy device is often a routing device, but it does not act as an IP router. Note The process of resolving an address to its physical (MAC) address is a very important one and is likely to be the subject of at least one exam question. Typically, questions have to do with how ARP actually resolves the address. Remember that the ARP request is a broadcast datagram and the ARP reply is a unicast datagram. Datagrams, unlike other messages, do not require the ACK message to acknowledge receipt. The broad- cast datagram is sent out to all hosts, which process the ARP request. If a host’s IP address matches the ARP request, it sends an ARP reply. The ARP reply is a unicast because it is sent from the matching host directly back to the requesting host. No other hosts receive this datagram. If it does not match the request, the ARP request is simply discarded. CHAPTER 7: TCP/IP and Routing 342 Static and Dynamic IP Routers Routing tables can be updated manually or dynamically. If the table must be updated manually, it is considered to be static. If the table can be updated auto- matically, it is considered to be dynamic. Static routing works well in small environments, but does not scale well to larger networks. Another useful appli- cation of static routing is in subnets that are separated from the rest of the network. Rather than using routing protocols across WAN connections, static routes can be entered manually at both the main office and remote office rout- ers to make each network segment reachable. A third common use of static routes is to connect a network to the Internet. A Windows Server 2003 com- puter can be used as a static router when it is configured as a multihomed com- puter. This entails installing two or more network interface cards, each with a separate IP address and subnet mask. Static routes can then be configured for the two (or more) networks directly attached to the multi-homed computer. Dynamic routing occurs when routing tables are automatically and peri- odically updated. Dynamic routers rely upon routing protocols. Dynamic routing can be divided into two different classifications. Interior Gateway Routing Protocols Exterior Gateway Routing Protocols Interior Gateway Routing Protocols (IGPs) are designed for routing within an autonomous system. What that means is they were designed to control routing within a company or Local Area Network. Exterior Gateway Routing Protocols (EGPs) were designed to control routing between autono- mous systems such as connecting to your Internet Service Provider (ISP). The three most commonly used IP-based IGP routing protocols are as follows: Routing Information Protocol Open Shortest Path First Enhanced Interior Gateway Routing Protocol (Cisco proprietary  EIGRP) The three most commonly used IP-based EGP routing protocols are as follows: Border Gateway Protocol (BGP) Intermediate System – Intermediate System (IS-IS) Enhanced Interior Gateway Routing Protocol (Cisco proprietary  EIGRP) Understanding Basic IP Routing 343 The Routing Information Protocol (RIP) was originally designed for use on classful networks. RIP is a Distance Vector Routing Protocol and deter- mines routes based on the number of hops (how many routers it must pass through). Any route more than 15 hops away is considered unreachable. For this reason, RIP does not scale well to large networks. RIP routing tables are dynamically updated using a route-advertising mechanism. Ripe now has two versions; v1, which sends updates via broadcasts, and v2, which sends updates via multicast. Other Distance Vector Routing Protocols include BGP. In contrast to RIP, OSPF is a Link State Routing Protocol. The method of dynamically updating routing information is through link state adver- tisements (LSAs) that have information containing both the connected net- works and their costs. The cost of each router interface is determined by the administrator to use best connections first. The combined cost of a connec- tion using this classless routing protocol must be less than 65,535. Other Link-State Routing Protocols include IS-IS. A third way is to combine the nest of advertisements in Link-State Pro- tocols and the simplicity of Distance Vector. These protocols are known as Hybrid Protocols and include the Cisco proprietary EIGRP. A Windows Server 2003 computer can be configured as a dynamic router, using either of these protocols. As with static configurations, multiple NICs must be installed and RRAS must be enabled. In dynamic routing, default routes are seldom used. Thus, it is not necessary to configure a default gate- way on any NIC. When the Routing and Remote Access Service is enabled, static routing is enabled. To enable dynamic routing, add the RIP and OSPF protocols and enable them on your NICs by adding your NICs to the appro- priate routing protocol. RIP is more appropriate for small- to medium-sized networks and OSPF is appropriate for large networks. Therefore, you are most likely to enable one or the other protocol, depending on your network configuration. Test Day Tip One or more questions about routing protocols may come up on the exam. Remember that RIP and OSPF both support dynamic routing, but RIP is not a good choice for a larg- er network. Look for questions that may include more than 16 hops – you’ll immediately know that RIP can’t be used in this case. As OSPF was specifically designed for Frame Relay circuits, questions about OSPF will likely revolve around Frame Relay as opposed to other NBMA types of networks. Also keep in mind that a multihomed computer must have RRAS enabled to function as a router, and that it sets up static routing by default. The only way dynamic routing occurs is if you install the RIP or OSPF protocols and bind your NIC to them. CHAPTER 7: TCP/IP and Routing 344 Routing Utilities There are four commonly used routing utilities. Each typically is run from the command line (Start | Run | cmd). The specific command line options available are displayed when the command is typed in at the prompt.  route Used to view and modify the entries in the routing table.  ping Used to verify reachability of intended destinations using Internet Control Message Protocol (ICMP) Echo messages.  tracert Used to send ICMP Echo messages to discover the path between a node and a destination.  pathping Used to discover the path between a host and destination or to identify high-loss links. A very common use of the ping utility is to check connectivity from one computer to another. From your computer, you can run the ping util- ity from the command window. You can ping using an IP address or host- name. If your computer cannot connect to the network, you can try to ping a known server or another computer (by IP address or name) on your network. If that does not work, the next step is to ping the local com- puter, which tests the internal network communication functions of your computer (NIC and TCP/IP stack) by using the following command: ping localhost or ping 127.0.0.1 (the loopback address). If this fails, the prob- lem is with the configuration of the TCP/IP stack on your computer. If pinging the loopback address is successful, the problem is probably exter- nal to the NIC. Exam Warning Before exam day, try each of these utilities on a networked computer. Once you see how the utility works and what the return values are, you’ll have a much clearer idea of how each is used. Scenarios based on using these utilities may trip you up if you’re not certain which utility has which function. Memorize the functions of these four utilities. You’ll probably see one or more of them used in a network scenario. You will learn more about these commands and utilities as well as troubleshooting in general in Chapters 11 and 12 respectively. IP routing involves using both direct and indirect routes to deliver packets to their intended destinations. Static and dynamic routing tables are used to determine how to best send the packet. With the use of the IP protocol and other associated protocols (Application Layer Protocols, UDP datagrams, ICMP messages, or Routing Protocols), messages are reliably and quickly encoded, sent, and decoded. Understanding Basic IP Routing 345 NAT NAT is designed for IP address simplification and conservation. NAT is a feature of most systems, including Microsoft servers used as routers and configured with RRAS, and Cisco devices that use IOS (Internetwork Operating System – the OS that Cisco devices use). NAT permits an organi- zation’s IP address structure to appear differently to outside networks than the actual address space it is using. This allows organizations to connect to the Internet without having to use globally unique addressing schemes internally. It enables private IP networks that use non-registered RFC1918 IP addresses to connect to the Internet. Generally, NAT is used when a company’s internal addresses are not globally unique and thus cannot be routed on the Internet (for instance, using RFC 1918 private addresses), or because two separate networks that need to communicate are using an overlapping IP address space. In most cases, NAT allows hosts on a private network (inside network) to transparently communicate with destination hosts (outside network) in a global or public network. This is achieved by modifying the source address portion of an IP packet as it traverses the NAT device. The NAT device tracks each translation (conversation) between the source host (inside net- work) and the destination host (outside network), and vice versa. NAT converts IP addresses from the private address space to the public address space. When a device performing NAT receives a packet from the internal network, it changes the source IP address, recalculates the appropri- ate checksums, and sends it to the Internet. This obscures the true source address. NAT is a method by which IP addresses are mapped from one address realm to another. This type of translation provides transparent routing from host to host. There are many variations of address translation that assist in translating different applications. A common use of NAT in an enterprise environment is when someone at home wants to surf the website rsnetworks. net. When the user does, the request goes to the server that holds that infor- mation by DNS over the Internet. Once the request packets are sent to the Web server’s network, the router that sits on the perimeter performs NAT on the packets. In this example, the packets are sent to a server inside the net- work with an IP address of 192.168.1.10. When the data that was requested is sent back, the router maintains the information needed to return the pack- ets in its internal tables. Some router vendors call these translation tables. Cisco calls them xlate on their PIX firewalls. Another commonly used technology, although not on the listed objec- tives, but equally important, is PAT. PAT extends the concept of transla- tion one step further by also translating transport identifiers like TCP and UDP port numbers and ICMP query identifiers. This allows the transport . included (as you’ll recall, the physical or HEAD OF THE CLASS… Network+ Exam is Focused on TCP/IP … Period. For those of you taking the Network+ exam, you will need to know TCP/IP in detail. It’s. CHAPTER 7: TCP/IP and Routing 336 How Packets Travel from Network to Network Let’s look at how a data packet from one host travels. in detail. It’s the most commonly used protocol today and the most tested on the exam. On the Network+ exam, the term IPX/SPX (as well as the others) will come up a lot so it may appear as