
of a given IP address. If one IP device wants to send a packet to another IP device, the sender needs to know the MAC address of the recipient. So, the sender broadcasts an ARP request, which is essentially the question “Does anyone know the MAC address of this particular IP address? If so, please let me know.”

      Reducing the amount of broadcast traffic on a network is a key way to improve the network’s overall performance. One of the best ways to do that is to segment the network in a way that splits up the broadcast domains. There are two ways to do this: by using routers, which are described in the next section, or by using VLANs, which are described later in this chapter, in the “Understanding VLANs” section.

      Managed and unmanaged switches

      Most advanced switches have management features built into them, which means that you can monitor and configure the switch remotely, usually by logging in to a web console. To accomplish this, the switch has a small web server built into it to provide the management console. In addition, the switch itself must have an IP address.

      In contrast, inexpensive consumer-grade switches that you would purchase at a retail store are usually unmanaged switches. Unmanaged switches are often appropriate for small networks, but if you have more than a few dozen computers on your network, I suggest you invest in managed switches to give you more control over your network.

      A router is a layer-3 device, which means it works at the network layer of the OSI Reference Model. In practical terms, that means that routers know about IP addresses. At least one router is a vital component of any modern network.

      A router differs from a switch in the following ways:

       Switches work with MAC addresses and know nothing about IP addresses. In contrast, routers work with IP addresses.

       Routers can facilitate communication between IP networks with different subnets. For example, if your organization has a 10.0.100.x network and a 192.168.0.x network, a router can enable packets to get from the 10.0.100.x network to the 192.168.0.x network, and vice versa. A switch can’t do that. (For more about subnets, refer to Book 2, Chapter 3.)

       Routers also enable a private network to communicate with the Internet. For example, suppose you want to connect your network to the Internet via a broadband cable provider such as Comcast. The cable provider will give you a network interface that has a public IP address. You must then use a router to exchange packets from your private network to the Internet via the public IP address. A switch can’t do that for you.

       Switches split up collision domains. The segments created by switches are still part of the same broadcast domain. In contrast, routers split up broadcast domains. So, broadcast packets do not cross the boundaries created by routers. (Actually, as I explain in the “Understanding VLANs” section, later in this chapter, switches can also break up broadcast domains.)

       Switches typically have a large number of ports — often as many as 48 in a single switch. Routers usually have fewer ports, typically between two and eight. (However, routers for very large networks may have many more ports. For example, Cisco makes a router that can accommodate as many as 256 ports in a single chassis.)

      FIGURE 3-3: Two IP networks connected by a router.

      Now suppose that the computer on the left side of the figure (10.0.100.50) needs to send a packet over to the computer on the right side of the figure (192.168.0.50). The sending computer forms the packet and sends it to Switch 1. Switch 1, in turn, sends the packet to the router. The router examines the destination IP address and determines that the destination computer is on the 192.168.0.x network, so it forwards the packet over to Switch 2. Switch 2, in turn, forwards the packet to the destination computer.

      Note that this exchange is actually considerably more complicated than the previous description lets on. For one thing, the switches — which don’t know about IP addresses — must determine the MAC addresses not only of the sending and receiving computers, but also of the router. And the router must also know the MAC addresses of the two switches. You’ll learn more about how this type of routing actually happens in Book 2, Chapter 4. But for now, I think you get the general idea.
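The following is an added example, not code from the book, that models the exchange of Figure 3-3 in Python so you can see exactly which MAC address each device has to resolve. The topology (two /24 prefixes, the router interface addresses 10.0.100.1 and 192.168.0.1, and all MAC addresses) is constructed for the example; the text only gives the networks as 10.0.100.x and 192.168.0.x. It also goes a little beyond the two-host case by handling a same-subnet destination and a destination the router has no route for.

```python
import ipaddress

# Constructed topology modeled on Figure 3-3. All MAC addresses are made up,
# and the /24 prefixes and gateway addresses are assumptions for the example.
HOSTS = {
    "10.0.100.50":  {"prefix": "10.0.100.0/24",  "gateway": "10.0.100.1",  "mac": "aa:00:00:00:00:50"},
    "10.0.100.60":  {"prefix": "10.0.100.0/24",  "gateway": "10.0.100.1",  "mac": "aa:00:00:00:00:60"},
    "192.168.0.50": {"prefix": "192.168.0.0/24", "gateway": "192.168.0.1", "mac": "bb:00:00:00:00:50"},
}
# The router has one interface (with its own MAC) on each network it connects.
ROUTER_IFACES = {
    "10.0.100.1":  {"prefix": "10.0.100.0/24",  "mac": "cc:00:00:00:00:01"},
    "192.168.0.1": {"prefix": "192.168.0.0/24", "mac": "cc:00:00:00:00:02"},
}


def arp_target(sender_ip: str, dst_ip: str) -> str:
    """Return the IP address whose MAC the sender must resolve with ARP.

    The host compares the destination with its own prefix: an on-link
    destination is reached directly, anything else is handed to the default
    gateway, so the ARP request asks for the gateway's MAC instead.
    """
    host = HOSTS[sender_ip]
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host["prefix"]):
        return dst_ip
    return host["gateway"]


def mac_of(ip: str) -> str:
    """Look up the MAC that an ARP reply for this IP would carry."""
    if ip in HOSTS:
        return HOSTS[ip]["mac"]
    return ROUTER_IFACES[ip]["mac"]


def router_egress(dst_ip: str):
    """Pick the router interface that is on-link with dst, or None if no route."""
    for if_ip, iface in ROUTER_IFACES.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(iface["prefix"]):
            return if_ip
    return None


def trace_frames(src_ip: str, dst_ip: str):
    """Return (hops, delivered).

    Each hop is the Ethernet frame (src_mac, dst_mac, src_ip, dst_ip) as it
    crosses one broadcast domain. The IP addresses never change end to end;
    the router rewrites only the MAC addresses when it forwards the packet.
    """
    hops = []
    first = arp_target(src_ip, dst_ip)
    hops.append((mac_of(src_ip), mac_of(first), src_ip, dst_ip))
    if first == dst_ip:
        return hops, True            # same subnet: the switch alone delivers it
    egress = router_egress(dst_ip)
    if egress is None or dst_ip not in HOSTS:
        return hops, False           # no route, or the router's ARP for dst goes unanswered
    hops.append((mac_of(egress), mac_of(dst_ip), src_ip, dst_ip))
    return hops, True


if __name__ == "__main__":
    for hop in trace_frames("10.0.100.50", "192.168.0.50")[0]:
        print(hop)
```

Run it and you get two frames: the first carries the left computer's MAC and the router's left-hand MAC, the second the router's right-hand MAC and the destination computer's MAC, while the IP header is the same in both. That is the detail the switches never see: they forward on MAC addresses only, so from Switch 1's point of view the packet was simply addressed to the router.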

      The following sections describe a few of the other features commonly provided by routers.

      Network address translation

      When a router is used to connect a private network to the Internet, one of the router’s most important functions is routing traffic from all the computers on the private side of the router to the public side, which usually has just a single public IP address. To accomplish this magic, the router uses network address translation (NAT).

      In short, when a computer on the private side of the network sends a packet through the router to the Internet, the router substitutes its own public IP address as the sender address, and keeps track of the fact that it sent a packet on behalf of a computer on the private side. When the recipient on the Internet receives the packet, it sees that the sender was the router. It then sends a response back to the router, which then substitutes the original sender’s private IP address for the destination address and forwards the packet to the correct computer on the private network.

      For more information about NAT, see Book 2, Chapter 3.
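As an added example (not from the book), here is a small Python model of the address substitution described above. It assumes the port-based form of NAT that home and small-office routers use, where each private (address, port) pair gets its own port on the single public address so that many computers can share it; the text itself only describes the IP substitution. The addresses are constructed from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737) and the 192.168.0.x network used earlier in the chapter.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-based NAT: every private (ip, port) that sends outbound is mapped
    to a distinct port on the router's one public address, and replies to
    that port are mapped back to the private host that asked for them."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port                       # constructed starting port
        self.out_map: Dict[Tuple[str, int], int] = {}     # (private ip, port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}      # public port -> (private ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the sender to the public address and remember who sent it."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination back to the private host.

        A packet addressed to a port with no recorded mapping was never
        requested from inside, so the router has no host to hand it to and
        drops it (returned here as None).
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_map.get(pkt.dst_port)
        if entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.7")
    out = nat.outbound(Packet("192.168.0.50", 5000, "198.51.100.10", 443))
    print("on the Internet side:", out)
    print("reply delivered to:", nat.inbound(Packet("198.51.100.10", 443, "203.0.113.7", out.src_port)))
    print("unsolicited packet:", nat.inbound(Packet("198.51.100.10", 443, "203.0.113.7", 40999)))
```

Two private computers that happen to pick the same source port still get different public ports, which is what lets the router tell their replies apart. The last line of the usage shows the other side of the bookkeeping: with no entry in the table, an inbound packet nobody asked for is simply dropped.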

      Virtual private network

      A virtual private network (VPN) is a secure connection between two private networks over a public network (in other words, over the Internet). All the data that flows over the VPN is encrypted, so anyone who steals packets from the VPN will find them unintelligible; only the parties on either end of the VPN are able to decrypt the packets.

      VPN connections are often called tunnels, because they provide an isolated pathway from one point to another through the Internet. The only way to gain meaningful access to a VPN tunnel is at either end.

      There are two common uses for VPNs:
