Monthly Archives: November 2013

Address Resolution Protocol (ARP)

Used in Layer 2, an ARP’s goal is to find the MAC address of a host, given the IP address. If the sender knows the host is on the same subnet, it’ll send the ARP request, once it receives a response, it’ll have that host’s MAC address. At this point the two hosts can communicate directly without a router.

Routers will ARP when forwarding data from another network. It needs the MAC address of the destination in order to send out a Layer 2 frame. It’ll ask “Who has”

OS and router cache ARP requests so they don’t have to be sent for every single packet. They store all ARP broadcasts that have been seen so that they don’t even have to be seen on the first request. A RARP is the opposite where the hosts ask “Who am I?” It’s an alternative to DHCP and is mainly used when a new machine boots up and needs an IP.

Proxy ARP is when a host gives a false ARP response, usually for a host that can’t send ARP requests. Routers normally proxy ARP for addresses outside the subnet range. Gratuitous ARP is an ARP for itself. It is used to update changes in IP or detecting other hosts with the same IP address. Promiscuous ARP can change the IP/MAC mappings.

VLANs Introduction

You can think of VLANs as segmenting a switch into multiple networks. Each port could belong to a different VLAN. Contrary to what some believe, VLANs should not be a security mechanism. The bridge table can be flooded and switch can start to act like a hub, breaking the VLAN broadcast segmentation.

A router is required if an ARP request goes unanswered. That means the host is not on your local network.  So in order to connect multiple VLANs:

  1. You can connect a port from each VLAN to a router and set up the routes.
  2. You can use virtual interfaces in each VLAN. Layer 3 switches.
  3. With 802.1q you can tag frames with VLAN identifiers.  This enables you to connect multiple switches to the same VLAN.
    1. Tag Protocol Identifier (TPID)
    2. Tag Control Information (TCI)
    3. Truck ports



Ethernet Switches

Used to be called “bridges.” Recall that there are really three types of network equipment:

  1. Hubs/Repeaters – Layer 1 devices that just forward everything blindly, including collisions/errors.
  2. Bridges/Switches – Layer 2 devices that flood only broadcasts but has the capability to learn where unicast frames go.
  3. Routers – Operate at layer 3. Some routers are also switches.

Switches can store information on where certain hosts are via a bridge table.  This table lists the MAC address and the associated port. Multiple MAC addresses could be assigned to a single port (For example when you’re daisy chaining switches). This is called adaptive learning.

Unicast Segmentation – Switches can limit which hosts can hear unicast frames.

Collision Domain – Not usually a problem these days.

Broadcast Domain – Segment where broadcast frames can be heard.

Store-and-forward – Traditional approach with CRC checks.

Cut-through Forwarding – The switch will just look at the destination MAC and send frames directly. No CRC checks.

How to Increase Performance of Gigabit Ethernet

Adjusting window size and window scaling options, and buffers (mbufs).

  • FreeBSD
    • kern.ipc.maxsockbuf=262144
    • net.inet.tcp.rfc1323=1
    • kern.ipc-nmbclusters=32768
  • Linux
    • net.core.wmem_max=8388608
    • net.ipv4.tcp_window_scaling=1
    • net.ipv4.tcp_mem = 98304 131072 196608
  • Windows
    • Register: \HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Add DWORD named “TcpWindowSize” and set it to 131400 (decimal)
    • Tcp1323Opts should be set to 3 (rfc 1323 scaling and timestamps)
    • ForwardBufferMemory 8000
    • NumForwardPackets 6000

Layer 2 – Data Link Layer

Ethernet only deals with MAC addresses. It doesn’t involve any routing or packets. It works with Frames.

Ethernet Frame:

  • Preamble – Start bits
  • Destination (6 bytes) – Destination MAC address
  • Source (6 bytes) – Source MAC address
  • Length/Type (2 bytes) – Length and EtherType
  • Payload (1500 bytes) – Data, zero padded
  • FCS  (4 bytes) -Frame checksum, CRC

The most important part is the EtherType

  • 0x800 – an IP header is next
  • 0x806 – ARP is on the way
  • 0x8035 – RARP is coming
  • 0x810 – this has 801.1q VLAN tags

They can all live in the broadcast domain simultaneously.