36 | Lesson 2
3. Display the MAC addresses of other hosts that your computer has recently connected to by typing arp -a. This will show the IP addresses and the corresponding MAC addresses of the remote computers.
The data link layer is where networking standards such as Ethernet (802.3) and Token Ring (802.5) reside. Look up the various IEEE 802 standards at the following link:
http://standards.ieee.org/getieee802/portfolio.html
UNDERSTANDING LAYER 2 SWITCHING
The data link layer is also where layer 2 switches reside. A layer 2 switch is the most common type of switch used on a LAN. These switches are hardware based and use the MAC address
of each host computer’s network adapter when deciding where to direct frames of data; every port on the switch is mapped to the specific MAC address of the computer that physically
connects to it. Layer 2 switches do not normally modify frames as they pass through the switch on their way from one computer to another. Each port on a switch is considered to
be its own segment. This means that every computer connected to a layer 2 switch has its own usable bandwidth, which is whatever the switch is rated at: 10 Mbps, 100 Mbps,
1 Gbps, and so on.
Security is a concern with layer 2 switches. Switches have memory that is set aside to store the MAC address to port translation table, known as the Content Addressable Memory
table or CAM table. This table can be compromised with a MAC Flood attack. Such an attack will send numerous packets to the switch, each of which has a different source MAC
address, in an attempt to use up the memory on the switch. If this is successful, the switch will change state to what is known as failopen mode. At this point, the switch will broadcast
data on all ports the way a hub does. This means two things: First, that network bandwidth will be dramatically reduced, and second, that a mischievous person could now use a protocol
analyzer, running in promiscuous mode, to capture data from any other computer on the network.
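To make the CAM table behaviour concrete, here is an added Python model that is not code from the textbook: it shows a flood of distinct source MACs exhausting a small MAC-to-port table and pushing the switch into fail-open flooding, and how a per-port limit on learned MACs (the port-security control found on managed switches) rejects the flood before that happens. The table size, the per-port limit, the port numbers and the MAC addresses are all constructed assumptions.

```python
# Added example, not from the textbook: a simplified model of a layer 2
# switch's CAM (MAC-to-port) table. It shows a MAC flood exhausting the
# table and forcing fail-open flooding, and how a per-port limit on learned
# MACs (the port-security control on managed switches) rejects the flood.
# Table size, port limit, port numbers and MAC addresses are all constructed.
from collections import OrderedDict

CAM_CAPACITY = 8        # assumption: tiny table so the exhaustion is visible
MAX_MACS_PER_PORT = 3   # assumption: port-security limit for a single port


class Layer2Switch:
    def __init__(self, capacity=CAM_CAPACITY, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit   # None = port security disabled
        self.cam = OrderedDict()               # src MAC -> ingress port
        self.fail_open = False                 # set once the table is full
        self.violations = {}                   # port -> rejected frame count

    def learn(self, port, src_mac):
        """Record src_mac on port. Returns True if the frame is accepted."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)      # refresh the existing entry
            return True
        learned_here = sum(1 for p in self.cam.values() if p == port)
        if self.per_port_limit is not None and learned_here >= self.per_port_limit:
            # Port security: this port already holds its quota of MACs, so the
            # frame is dropped and never consumes a CAM entry.
            self.violations[port] = self.violations.get(port, 0) + 1
            return False
        if len(self.cam) >= self.capacity:
            # No room to learn the new MAC: the switch can no longer resolve
            # destinations and falls back to flooding every frame, like a hub.
            self.fail_open = True
            return True
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac):
        """Egress port for dst_mac, or 'ALL' when the switch must flood."""
        if self.fail_open or dst_mac not in self.cam:
            return "ALL"
        return self.cam[dst_mac]


def simulate_flood(port_security):
    """Feed 50 frames with distinct source MACs into port 1.

    Returns (fail_open, frames_rejected_on_port_1, egress_port_for_victim).
    """
    limit = MAX_MACS_PER_PORT if port_security else None
    sw = Layer2Switch(per_port_limit=limit)
    victim = "aa:bb:cc:00:00:02"               # legitimate host on port 2
    sw.learn(2, victim)
    for i in range(50):                        # constructed flood frames
        sw.learn(1, "de:ad:be:ef:00:%02x" % i)
    return sw.fail_open, sw.violations.get(1, 0), sw.forward(victim)


if __name__ == "__main__":
    print("no port security:", simulate_flood(False))   # (True, 0, 'ALL')
    print("port security on:", simulate_flood(True))    # (False, 47, 2)
```

Without the per-port limit, frames addressed to the host on port 2 end up on every port once the table fills; with it, the flood port accumulates violations while the rest of the table stays intact, which is also the counter a monitoring system would alert on.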
Layer 2 switching can also allow for a virtual LAN (VLAN) to be implemented. A VLAN is implemented to segment the network, reduce collisions, organize the network, boost
performance, and hopefully, increase security. It is important to place physical network jacks in secure locations when it comes to VLANs that have access to confidential data.
There are also logical types of VLANs like the protocol-based VLAN and the MAC address-based VLAN, which have a whole separate set of security precautions. The most
common standard associated with VLANs is IEEE 802.1Q, which modifies Ethernet frames by “tagging” them with the appropriate VLAN information, based on which VLAN
the Ethernet frame should be directed to. VLANs are used to restrict access to network resources, but this can be bypassed through the use of VLAN hopping. VLAN hopping
can be avoided by upgrading firmware or software, picking an unused VLAN as the default VLAN for all trunks, and redesigning the VLAN if multiple 802.1Q switches are being
used.
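As an added illustration that is not from the textbook, the following Python parses the 802.1Q tag a switch inserts after the source MAC, pulling out the VLAN ID, priority and drop-eligible bits, and includes a small check for the trunk advice above: it flags any trunk whose native (untagged) VLAN is also assigned to access ports. The TPID value 0x8100 and the tag layout are from the 802.1Q standard; the frame bytes, port names and VLAN numbers are constructed sample values.

```python
# Added example, not from the textbook: parse the 802.1Q tag a switch inserts
# after the source MAC, and check trunk native VLANs against the advice that
# the default VLAN for trunks should be one no host is assigned to.
# TPID 0x8100 and the tag layout come from IEEE 802.1Q; every frame, port
# name and VLAN number below is a constructed sample value.
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def parse_frame(frame):
    """Split an Ethernet frame into addresses, optional VLAN tag and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13,            # 3-bit priority code point
                "dei": (tci >> 12) & 1,      # drop eligible indicator
                "vid": tci & 0x0FFF}         # 12-bit VLAN identifier
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Construct a tagged frame the way a trunk port would emit it."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def native_vlan_issues(trunks, access_ports):
    """trunks: {port: native_vid}; access_ports: {port: vid}.

    Returns trunk ports whose native (untagged) VLAN also carries access
    ports, i.e. the configuration the text says to avoid.
    """
    in_use = set(access_ports.values())
    return sorted(port for port, native in trunks.items() if native in in_use)


if __name__ == "__main__":
    tagged = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                                vid=10, ethertype=0x0806, payload=b"\x00\x01")
    print(parse_frame(tagged))
    # constructed trunk/access configuration: Gi0/1 trunks on VLAN 1, which
    # Gi0/3 also uses for hosts; Gi0/2 uses an otherwise unused VLAN 999
    print(native_vlan_issues({"Gi0/1": 1, "Gi0/2": 999},
                             {"Gi0/3": 1, "Gi0/4": 10}))
```

The parser treats anything other than 0x8100 in the EtherType slot as an untagged frame, which is how the payload of a native VLAN arrives on a trunk; that is exactly why the native VLAN should not also be a VLAN that hosts sit on.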
Wireless access points, bridges, layer 2 switches, and network adapters all reside on the data link layer.
DEFINE THE NETWORK LAYER
GET READY. The network layer governs IP addresses, routers/layer 3 switches, and the core communications of TCP/IP. Let’s take a look at the network layer in action by analyzing IP addresses, pinging other computers, and by capturing network layer data with a protocol analyzer. Afterward, we’ll define a layer 3 switch:
CERTIFICATION READY How can you define and work with switches? 2.1
Defining Networks with the OSI Model | 37
1. Open the command prompt.
2. Type ipconfig. This will display your IP address, for example, 192.168.1.1. The IP address is developed from the Internet Protocol (IP) that resides on layer 3 of the OSI model. Jot down your IP address and the IP address of a different computer on the network.
3. Ping the other computer’s IP address by typing ping [ip address], for example, ping 192.168.1.2. Make sure you can get replies from the other computer. Ping utilizes the Internet Control Message Protocol (ICMP) to send test packets to other computers; this is also a network layer protocol. Notice the size of the replies you receive; by default, they should be 32 bytes each.
4. Type arp -a to view the IP address to MAC address table. This table should now show the IP address you just pinged. This table is known as the Address Resolution Protocol table, or ARP table. The Address Resolution Protocol is another layer 3 protocol that resolves or translates IP addresses to MAC addresses, allowing connectivity between the layer 3 IP system and the layer 2 Ethernet system.
5. Use Wireshark to capture and analyze ICMP packets as follows:
a. Download and install the Wireshark protocol analyzer (previously known as Ethereal) from: http://www.wireshark.org. At the time of the writing of this book, the latest stable version is 1.2.8. Install WinPCap as part of the Wireshark installation.
b. Go back to the command prompt and run a continuous ping to another computer, for example, ping -t 192.168.1.2. Verify that you get replies, and leave the command prompt open and pinging the other computer while you complete the packet capture.
c. In the Wireshark utility, select the interface that serves as your main network
adapter from the Interface List. This will start the capture of data from that network adapter.
d. After a minute or so, stop the capture by clicking Capture on the menu bar and selecting Stop.
e. View the list of captured packets in the top half of the screen. In the Protocol column, you should see many ICMP packets. Select one that says “reply” in the Info column. When you do so, the packet’s information should show up in the middle window pane, similar to Figure 2-5. The dark blue packet numbered 98 in the figure is the highlighted packet. Now, let’s drill down to see the details of the packet.
TAKE NOTE Hardware-based and personal firewalls can possibly block some of the following tests and exercises. You might need to disable one or more firewalls to complete the exercises properly.
Figure 2-5 Wireshark packet capture
f. Click the + sign next to Internet Control Message Protocol to expand it and display the contents. This should display information about the ICMP packet, such as the fact that it is a reply packet, the checksum, the sequence number, and so on.
g. Click the + sign next to Internet Protocol. This will show you the version of IP used (IPv4), the size of the packet, and the source and destination IP addresses for the embedded ICMP packet. Both the ICMP and IP pieces of information correspond to the network layer of the OSI model.
h. Now click the + sign next to Ethernet. This is the network architecture used on the data link layer. This field of information tells you the source and destination MAC addresses of the computers involved in the ping transaction.
i. Now click the + sign next to Frame (there will be a frame number next to the word “Frame”). This tells you the size of the frame captured, as well as when it was captured. These are the frames of information that the Wireshark application actually captures directly from the network adapter.
Notice that the Ethernet frame is larger than the IP packet. That is because the IP packet is encapsulated into the frame. The encapsulation process started when the command prompt sent a 32-byte ping (ICMP) packet. This ping was then placed inside an IP packet with a total size of 60 bytes. The additional 28 bytes are known as layer 3 overhead, broken down between 20 bytes for the header (includes the IP source and destination addresses) and 8 bytes for additional overhead information (for example, a trailer or checksum). Then, the IP packet was sent to the network adapter, where it was placed inside a frame. The frame added its own layer 2 overhead, an additional 14 bytes including the source and destination MAC address. This brought the grand total to 74 bytes—more than double what we started with. The frame was then sent out from the other computer’s network adapter in an effort to reply to the pinging computer as a serial bit stream across the network medium on the physical layer. This is what happens with every single communication, and the OSI model, particularly the communications subnetwork (layers 1 through 3), helps us define what is happening behind the scenes by categorizing each step with a different layer.
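To check the byte counts above, here is an added Python example that is not code from the textbook: it builds the echo reply, the IP packet and the Ethernet frame from scratch, including the RFC 1071 checksums that Wireshark shows in step f, and reports the size at each stage. The 8 bytes the text counts as additional layer 3 overhead are the ICMP echo header itself (type, code, checksum, identifier and sequence number). The MAC addresses, IP addresses and ICMP identifier are constructed sample values; the 32-byte payload is the text pattern Windows ping sends by default.

```python
# Added example, not from the textbook: build the ICMP echo reply, the IPv4
# packet and the Ethernet frame from scratch to reproduce the 32 -> 60 -> 74
# byte growth described above, with the RFC 1071 checksums Wireshark shows.
# MAC addresses, IP addresses and the ICMP identifier are constructed values;
# the 32-byte payload is the pattern Windows ping sends by default.
import struct


def inet_checksum(data):
    """One's-complement checksum (RFC 1071) used by IPv4 and ICMP headers.

    Run over a header that already carries a valid checksum it returns 0,
    which is how a receiver (or Wireshark) verifies the field.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_reply(ident, seq, payload):
    """8-byte ICMP header (type 0 = echo reply) followed by the ping data."""
    header = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)    # ICMP checksum spans the payload
    return struct.pack("!BBHHH", 0, 0, csum, ident, seq) + payload


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_packet(src, dst, payload, ttl=128):
    """20-byte IPv4 header without options, protocol 1 (ICMP)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                         ttl, 1, 0, ip_bytes(src), ip_bytes(dst))
    csum = inet_checksum(header)              # IP checksum covers the header only
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ethernet_frame(dst_mac, src_mac, payload):
    """14-byte Ethernet II header: dst MAC, src MAC, EtherType 0x0800 (IPv4)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + payload


def encapsulation_sizes():
    """Sizes at each layer for the reply described in the text."""
    ping_data = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows default, 32 bytes
    icmp = icmp_echo_reply(ident=1, seq=1, payload=ping_data)
    # constructed addresses: 192.168.1.2 replies to the pinging host 192.168.1.1
    ip = ipv4_packet("192.168.1.2", "192.168.1.1", icmp)
    frame = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip)
    return {"ping_data": len(ping_data), "icmp": len(icmp),
            "ip": len(ip), "frame": len(frame),
            "layer3_overhead": len(ip) - len(ping_data),
            "layer2_overhead": len(frame) - len(ip)}


if __name__ == "__main__":
    for name, size in encapsulation_sizes().items():
        print("%-16s %3d bytes" % (name, size))
```

Feeding the finished ICMP message or IP header back through inet_checksum returns 0, the same verification a receiving stack performs before it accepts the packet; a corrupted byte anywhere in the covered range makes that check fail.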
Routers also reside on the network layer. Routers make connections between one or more IP networks. They are known as the gateway to another IP network, and you may utilize their IP address in the Gateway address field of a computer’s IP Properties window to allow the computer access to other networks. Don’t confuse this definition of a gateway with the application layer gateway that will be defined later. Routers use protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to direct packets to other routers and networks.
UNDERSTANDING LAYER 3 SWITCHING
Switches also reside on the network layer. A layer 3 switch differs from a layer 2 switch in that it determines paths for data using logical addressing (IP addresses) instead of physical addressing (MAC addresses). Layer 3 switches are similar to routers—it’s how a network engineer implements the switch that makes it different. Layer 3 switches forward packets, whereas layer 2 switches forward frames. Layer 3 switches are usually managed switches; the network engineer can manage them utilizing the Simple Network Management Protocol (SNMP), among other tools. This allows the network engineer to analyze all of the packets that pass through the switch, which can’t be done with a layer 2 switch. A layer 2 switch is more like an advanced version of a bridge, whereas a layer 3 switch is more like a router. Layer 3 switches are used in busy environments in which multiple IP networks need to be connected together.
CERTIFICATION READY Can you define the differences between layer 2 and layer 3 switches? 2.1
TAKE NOTE There are many protocol analyzers available. Microsoft incorporates one called Network Monitor into Windows Server products.