
The Network concept of pfSense book

2025-01-17 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/02 Report--

Network concept

Learn about public and private IP addresses

IP subnetting concept

IP address, subnet and gateway configuration

Understand CIDR subnet mask notation

Overview of CIDR

Broadcast domain name

IPv6

This book is not an introduction to the network, but there are some network concepts that need to be addressed. For readers who do not have a basic knowledge of the network, we recommend finding more introductory materials, as this chapter will not provide all the necessary information. The concept of IPv6 is introduced in IPv6 later in this chapter. For clarity, the traditional IP address is called the IPv4 address. Unless otherwise noted, most features can use IPv4 or IPv6 addresses. The general term IP address refers to IPv4 or IPv6.

Brief introduction to the OSI model layers

The OSI model is a network framework composed of seven layers, arranged from lowest to highest. Brief information about each layer is given below. More information can be found on Wikipedia (http://en.wikipedia.org/wiki/OSI_model).

Layer 1 - Physical layer:

The cables or fiber-optic links that carry raw bits on behalf of all higher layers.

Layer 2 - Data link layer:

Usually Ethernet or another similar protocol that is spoken on the wire. In this book, layer 2 usually refers to Ethernet switches or related topics such as ARP and MAC addresses.

Layer 3 - Network layer:

The protocols used to carry data along a path from one host to another, such as IPv4, IPv6, routing and subnets.

Layer 4 - Transport layer:

Data transfer between end points, usually TCP, UDP or another similar protocol.

Layer 5 - Session layer:

Manages connections and sessions between users (often called "dialogs"), including how they are properly set up and torn down.

Layer 6 - Presentation layer:

Handles any conversion between data formats required by the application, such as different character sets, encodings, compression and encryption.

Layer 7 - Application layer:

Interacts with users or software applications; includes familiar protocols such as HTTP, SMTP and SIP.

Learn about public and private IP addresses

Private IP addresses

The network standard RFC 1918 defines IPv4 subnets reserved for private networks only (see the RFC 1918 private IP address space table). RFC 4193 defines unique local addresses (ULA) for IPv6 (see the RFC 4193 unique local address space table). In most environments, a private IP subnet from RFC 1918 is chosen and used on all internal network devices, which then reach the Internet through a firewall or router that performs network address translation (NAT), such as pfSense. IPv6 internal networks are instead routed end to end using global unicast addresses (GUA), with no need for NAT. NAT is explained further in Network Address Translation.

RFC 1918 private IP address space

CIDR range        IP address range
10.0.0.0/8        10.0.0.0 - 10.255.255.255
172.16.0.0/12     172.16.0.0 - 172.31.255.255
192.168.0.0/16    192.168.0.0 - 192.168.255.255

RFC 4193 unique local address space

Prefix            IP address range
fc00::/7          fc00:: - fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

A complete list of special-purpose IPv4 networks can be found in RFC 3330. Some ranges, such as 1.0.0.0/8 and 2.0.0.0/8, were historically treated as if they were private but have since been assigned out of the shrinking IPv4 pool; using them is problematic and not recommended. Also avoid 169.254.0.0/16, which RFC 3927 reserves for link-local automatic configuration: it must not be handed out by DHCP or set manually, and routers will not forward packets from that subnet beyond its broadcast domain. RFC 1918 provides ample address space, so there is no need to stray outside its private IP address ranges. Incorrect addressing can lead to network failure and should be corrected.

Public IP address

Except for the largest network, public IP addresses are assigned by Internet service providers. Networks that require hundreds or thousands of public IP addresses usually have address space allocated directly from their regional Internet registries (RIR). RIR is an organization that oversees the allocation and registration of public IP addresses in designated areas of the world.

Most residential Internet connections are assigned a public IPv4 address. Most business class connections are assigned multiple public IP addresses. In many cases, a single public IP address is sufficient and can be used with NAT to connect hundreds of private address systems to Internet. This book will help determine the number of public IP addresses required.

Most IPv6 deployments give the end user at least a /64 prefix to use as a routed internal network. That is about 2^64 addresses (roughly 18 quintillion) per site, all routed directly from the Internet without any need for NAT.

Reserved and documentation addresses

In addition to the scopes defined in RFC 1918, RFC 5735 describes the IP scopes reserved for other special purposes, such as documentation, testing, and benchmarking. RFC 6598 updates RFC 5735 and defines an address space for carrier-grade NAT. These special networks include:

RFC 5735 reserved address space

CIDR range        Purpose
192.0.2.0/24      Documentation and sample code
198.51.100.0/24   Documentation and sample code
203.0.113.0/24    Documentation and sample code
198.18.0.0/15     Benchmarking of network equipment
100.64.0.0/10     Carrier-grade NAT space

Throughout the book, addresses from the documentation ranges above are used alongside RFC 1918 networks, since the latter are more familiar to users.

Some people have found these addresses used for xxx or even local networks. We do not recommend them for any purpose other than the intended one, but they are less commonly seen than RFC 1918 networks.
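The ranges in the two sections above are the ones a firewall administrator most often has to recognise by eye. As an added example (not from the pfSense book or the pfSense project), the Python below encodes those ranges in a constructed lookup table and classifies addresses against it using the standard-library ipaddress module; the audit() helper flags addresses that should never appear as an internal host or gateway address (link-local space, and documentation, benchmarking or carrier-grade NAT space used as if it were private). Labels and the sample address list are constructed for the example.

```python
import ipaddress

# Constructed table of the special-purpose ranges discussed in the text:
# RFC 1918 private space, RFC 4193 unique local addresses, RFC 3927
# link-local space, and the RFC 5735 / RFC 6598 special ranges.
SPECIAL_RANGES = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("RFC 4193 unique local (IPv6)", "fc00::/7"),
    ("RFC 3927 link-local", "169.254.0.0/16"),
    ("RFC 5735 documentation", "192.0.2.0/24"),
    ("RFC 5735 documentation", "198.51.100.0/24"),
    ("RFC 5735 documentation", "203.0.113.0/24"),
    ("RFC 5735 benchmarking", "198.18.0.0/15"),
    ("RFC 6598 carrier-grade NAT", "100.64.0.0/10"),
]

# Parse the networks once; ip_network handles both IPv4 and IPv6 prefixes.
_PARSED = [(label, ipaddress.ip_network(cidr)) for label, cidr in SPECIAL_RANGES]

# Ranges that must not be used as ordinary internal addressing.
NOT_FOR_INTERNAL_USE = {
    "RFC 3927 link-local",
    "RFC 5735 documentation",
    "RFC 5735 benchmarking",
    "RFC 6598 carrier-grade NAT",
}


def classify(address: str) -> str:
    """Return the label of the first special-purpose range containing the
    address, or 'public' if it falls in none of them."""
    ip = ipaddress.ip_address(address)
    for label, net in _PARSED:
        # Only compare within the same IP version; 'in' would raise otherwise.
        if ip.version == net.version and ip in net:
            return label
    return "public"


def audit(addresses):
    """Return (address, reason) pairs for addresses that are misused as
    internal host or gateway addresses, preserving input order."""
    findings = []
    for address in addresses:
        label = classify(address)
        if label in NOT_FOR_INTERNAL_USE:
            findings.append((address, label))
    return findings


if __name__ == "__main__":
    # Constructed sample of addresses seen in a hypothetical LAN inventory.
    sample = ["10.0.0.5", "169.254.1.1", "203.0.113.9", "8.8.8.8", "fd12:3456::1"]
    for a in sample:
        print(f"{a:20} {classify(a)}")
    print("findings:", audit(sample))
```

Note that 172.32.0.1 classifies as public: the RFC 1918 block is 172.16.0.0/12, which ends at 172.31.255.255, a boundary that is easy to get wrong when reading masks by hand.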

IP subnetting concept

When configuring TCP/IP settings on a device, a subnet mask (or, for IPv6, a prefix length) must be specified. The mask lets the device determine which IP addresses are on the local network and which must be reached through a gateway in the device's routing table. The default LAN IP address is 192.168.1.1 with mask 255.255.255.0, which in CIDR notation is the network 192.168.1.0/24.

IP address, subnet and gateway configuration

The TCP/IP configuration of a host consists of an address, a subnet mask (or IPv6 prefix length), and a gateway. The combination of IP address and subnet mask is how the host identifies which addresses are on the local network. Addresses outside the local network are sent to the host's configured default gateway, which is assumed to deliver the traffic to the desired destination. The exception to this rule is a static route, which tells the device that a specific non-local subnet is reachable through a locally connected router. The list of gateways and static routes is kept in each host's routing table.

In a typical pfSense deployment, the host assigns an IP address, subnet mask, and gateway within the LAN range of the pfSense device. The LAN IP address on pfSense becomes the default gateway. For hosts connected through interfaces other than LAN, use the appropriate configuration for the interface to which the device is connected.

Hosts within a single network communicate directly with each other without involving the default gateway. This means that no firewall, pfSense included, can control host-to-host communication within that network segment. If that control is needed, the hosts must be separated using multiple switches, VLANs, or an equivalent switch feature such as PVLANs. VLANs are covered in Virtual LANs (VLAN).
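The three paragraphs above describe the decision every host makes for each packet: on-link, via a static route, or via the default gateway, with the most specific matching entry winning. As an added example (not pfSense code and not from the pfSense book), the Python below models that routing table with the standard-library ipaddress module and performs a longest-prefix match. The constructed table uses the book's default LAN (192.168.1.0/24 with pfSense at 192.168.1.1) plus a hypothetical second router at 192.168.1.254 for a hypothetical 10.50.0.0/16 subnet; firewall_sees() makes the security point of the last paragraph explicit, namely that traffic whose next hop is not pfSense never passes through it.

```python
import ipaddress


def build_routing_table(connected, static_routes, default_gateway):
    """Build a list of (network, gateway) entries.

    connected:       directly attached subnets (gateway None = on-link)
    static_routes:   (network, gateway) pairs for non-local subnets
                     reachable through a router on the local segment
    default_gateway: address used for everything else (0.0.0.0/0)
    """
    table = [(ipaddress.ip_network(n), None) for n in connected]
    for net, gw in static_routes:
        table.append((ipaddress.ip_network(net), ipaddress.ip_address(gw)))
    table.append((ipaddress.ip_network("0.0.0.0/0"),
                  ipaddress.ip_address(default_gateway)))
    return table


def next_hop(table, destination):
    """Longest-prefix match: among all entries containing the destination,
    the one with the longest prefix wins. Returns 'direct' for on-link
    destinations, the gateway address as a string otherwise, or None when
    nothing matches (e.g. an IPv6 destination on an IPv4-only table)."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table
               if net.version == dst.version and dst in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda entry: entry[0].prefixlen)
    return "direct" if gw is None else str(gw)


# Constructed example: a host on the book's default pfSense LAN.
PFSENSE_LAN_IP = "192.168.1.1"
LAN_HOST_TABLE = build_routing_table(
    connected=["192.168.1.0/24"],
    # Hypothetical second router on the LAN reaching a hypothetical subnet.
    static_routes=[("10.50.0.0/16", "192.168.1.254")],
    default_gateway=PFSENSE_LAN_IP,
)


def firewall_sees(destination) -> bool:
    """True only when the host would hand the packet to pfSense. On-link
    traffic ('direct') and traffic sent to another local router bypass the
    firewall entirely, which is the point made in the text."""
    return next_hop(LAN_HOST_TABLE, destination) == PFSENSE_LAN_IP


if __name__ == "__main__":
    for dst in ["192.168.1.20", "10.50.3.4", "8.8.8.8", "2001:db8::1"]:
        print(f"{dst:15} next hop: {next_hop(LAN_HOST_TABLE, dst)}  "
              f"passes through pfSense: {firewall_sees(dst)}")
```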

Understand CIDR subnet mask notation

When configuring addresses and networks, pfSense uses CIDR (Classless Inter-Domain Routing) notation. CIDR eliminates the traditional concept of class A, B and C addresses and subnetting, so that IPv4 address space can be allocated more efficiently. It also allows several IP networks to be merged into a single route, so that routing tables hold fewer entries and the burden on Internet routers is reduced. Rather than the generic 255.x.x.x subnet mask, pfSense expects the CIDR prefix; use the following CIDR subnet table to find the CIDR value for a dotted-decimal subnet mask.

CIDR subnet table

Subnet mask        CIDR prefix   Total IP addresses   Usable IP addresses   Number of /24 networks
255.255.255.255    /32           1                    1                     1/256th
255.255.255.254    /31           2                    2*                    1/128th
255.255.255.252    /30           4                    2                     1/64th
255.255.255.248    /29           8                    6                     1/32nd
255.255.255.240    /28           16                   14                    1/16th
255.255.255.224    /27           32                   30                    1/8th
255.255.255.192    /26           64                   62                    1/4th
255.255.255.128    /25           128                  126                   1 half
255.255.255.0      /24           256                  254                   1
255.255.254.0      /23           512                  510                   2
255.255.252.0      /22           1024                 1022                  4
255.255.248.0      /21           2048                 2046                  8
255.255.240.0      /20           4096                 4094                  16
255.255.224.0      /19           8192                 8190                  32
255.255.192.0      /18           16,384               16,382                64
255.255.128.0      /17           32,768               32,766                128
255.255.0.0        /16           65,536               65,534                256
255.254.0.0        /15           131,072              131,070               512
255.252.0.0        /14           262,144              262,142               1024
255.248.0.0        /13           524,288              524,286               2048
255.240.0.0        /12           1,048,576            1,048,574             4096
255.224.0.0        /11           2,097,152            2,097,150             8192
255.192.0.0        /10           4,194,304            4,194,302             16,384
255.128.0.0        /9            8,388,608            8,388,606             32,768
255.0.0.0          /8            16,777,216           16,777,214            65,536
254.0.0.0          /7            33,554,432           33,554,430            131,072
252.0.0.0          /6            67,108,864           67,108,862            262,144
248.0.0.0          /5            134,217,728          134,217,726           1,048,576
240.0.0.0          /4            268,435,456          268,435,454           2,097,152
224.0.0.0          /3            536,870,912          536,870,910           4,194,304
192.0.0.0          /2            1,073,741,824        1,073,741,822         8,388,608
128.0.0.0          /1            2,147,483,648        2,147,483,646         16,777,216
0.0.0.0            /0            4,294,967,296        4,294,967,294         33,554,432

* See the note on /31 networks below.

Be careful

A /31 network is a special case defined by RFC 3021, in which both IP addresses in the subnet are usable for a point-to-point link, saving IPv4 address space. Not all operating systems support RFC 3021, so use it with caution. On systems that do not support it the subnet is unusable, because the only two addresses defined by the mask are the null route (network) address and the broadcast address, leaving no usable host addresses.

pfSense 2.3.4-RELEASE-p1 supports /31 networks on interfaces and virtual IP addresses.

So where does the CIDR value come from?

When the subnet mask is converted to binary, the CIDR value is the number of 1 bits in it.

The common subnet mask 255.255.255.0 is 11111111.11111111.11111111.00000000 in binary. That is 24 ones, so it is /24.

The subnet mask 255.255.255.192 is 11111111.11111111.11111111.11000000 in binary, or 26 ones, so it is /26.
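The bit-counting rule just described is easy to apply by hand but also easy to get wrong, and it only works for masks whose 1 bits are contiguous. As an added example (not from the pfSense book), the Python below implements the conversion in both directions with the standard-library ipaddress module, rejects non-contiguous masks such as 255.0.255.0 that are not valid CIDR masks, and computes the rows of the CIDR subnet table above directly from the prefix length (total addresses, usable addresses including the RFC 3021 /31 case, and the number of /24 networks as total/256). Function names are the example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_binary(mask: str) -> str:
    """Render a dotted-decimal mask as dotted binary, as in the text."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def is_valid_mask(mask: str) -> bool:
    """A valid CIDR mask is N one-bits followed only by zero-bits."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    ones = bin(bits).count("1")
    return bits == (ALL_ONES << (32 - ones)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """CIDR prefix length = number of 1 bits in a valid mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length 0..32."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def table_row(prefix: int):
    """One row of the CIDR subnet table, computed from the prefix length:
    (mask, '/prefix', total addresses, usable addresses, number of /24s)."""
    total = 2 ** (32 - prefix)
    if prefix == 32:
        usable = 1          # a single host address
    elif prefix == 31:
        usable = 2          # RFC 3021 point-to-point link
    else:
        usable = total - 2  # network and broadcast addresses removed
    slash24s = total / 256  # fractional for prefixes longer than /24
    return (prefix_to_mask(prefix), f"/{prefix}", total, usable, slash24s)


def cidr_table():
    """All 33 rows, /32 down to /0, in the order the book's table uses."""
    return [table_row(p) for p in range(32, -1, -1)]


if __name__ == "__main__":
    for m in ("255.255.255.0", "255.255.255.192"):
        print(f"{m} = {mask_to_binary(m)} -> /{mask_to_prefix(m)}")
    for row in cidr_table()[:12]:
        print("{:17} {:5} {:>6} {:>6} {}".format(*row))
```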

Overview of CIDR

In addition to specifying the subnet mask, CIDR can also be used to summarize IP addresses or networks. The Total IP addresses column in the CIDR subnet table indicates how many addresses a given CIDR mask summarizes, and the Number of /24 networks column is useful for network summarization. CIDR summarization can be used in several parts of the pfSense web interface, including firewall rules, NAT, virtual IPs, IPsec, and static routes.

IP addresses or networks that can be included in a single CIDR mask are called "CIDR summarizable".

When designing a network, make sure that all private IP subnets used at a given location are CIDR summarizable. For example, if three /24 subnets are needed at one location, use a /22 network subnetted into four /24 networks. The following table shows the four /24 subnets carved from 10.70.64.0/22.

CIDR route summarization

Summarized route   /24 networks
10.70.64.0/22      10.70.64.0/24, 10.70.65.0/24, 10.70.66.0/24, 10.70.67.0/24

This makes it easier to manage routes through the use of dedicated WAN lines or multisite networks connected to another physical location. Using subnets that can be summarized by CIDR, a routing destination covers all networks at each location. Without it, each location has several different target networks.

CIDR calculations can be done on the web calculator found on the subnetmask.info website.

The calculator converts dotted-decimal masks to CIDR masks and vice versa, as shown in the following figure. If the CIDR subnet table in this chapter is not at hand, this tool can be used to convert a CIDR prefix to dotted-decimal notation. Enter the CIDR prefix or dotted-decimal mask, then click the appropriate Calculate button to see the conversion.

Subnet mask conversion

Enter the decimal mask and IP address in the Network/Node Calculator section, click Calculate, and the results appear below. In this example the network is 10.70.64.0/22 and the usable /24 networks are .64 through .67. The "Broadcast Address" shown in this table is the highest address in the range.

Network/Node Calculator (network / node calculator)

Find a matching CIDR network

Aliases support a range of IPv4 addresses in the format x.x.x.x-y.y.y.y. For network type aliases, the IPv4 range is automatically converted to the equivalent CIDR block. For host type aliases, the range is converted to a list of IPv4 addresses.

If an exact match is not required, enter the numbers into the Network/Node Calculator to find the closest CIDR network.
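The summarization example above (four /24s collapsing into 10.70.64.0/22) and the alias range conversion just described are the same operation seen from two sides. As an added example serving both passages (not pfSense code and not from the pfSense book), the Python below uses the standard-library ipaddress module to collapse a list of networks into the fewest CIDR routes, to test whether a set of subnets is "CIDR summarizable" into a single route, to carve a block into its /24s, and to convert an x.x.x.x-y.y.y.y range either into equivalent CIDR blocks (the behaviour the text describes for network-type aliases) or into a host list (host-type aliases). The helper names are the example's own.

```python
import ipaddress


def summarize(cidrs):
    """Collapse adjacent or overlapping networks into the smallest list of
    CIDR blocks, i.e. the route entries a router actually needs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_cidr_summarizable(cidrs) -> bool:
    """True when the whole set fits a single CIDR mask (one route entry)."""
    return len(summarize(cidrs)) == 1


def subnets_of(cidr, new_prefix):
    """Split a block into its subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def range_to_cidrs(first, last):
    """x.x.x.x-y.y.y.y -> equivalent CIDR blocks (network-type alias)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def range_to_hosts(first, last):
    """x.x.x.x-y.y.y.y -> every individual address (host-type alias)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


if __name__ == "__main__":
    # Constructed input: the book's four /24 subnets of 10.70.64.0/22.
    four = ["10.70.64.0/24", "10.70.65.0/24", "10.70.66.0/24", "10.70.67.0/24"]
    print("summarized:", summarize(four))
    print("three /24s summarizable?", is_cidr_summarizable(four[:3]))
    print("subnets of /22:", subnets_of("10.70.64.0/22", 24))
    # A range that does not align to a single block becomes several CIDRs.
    print("192.168.1.10-192.168.1.13 ->", range_to_cidrs("192.168.1.10", "192.168.1.13"))
    print("host alias:", range_to_hosts("192.168.1.10", "192.168.1.12"))
```

The third call shows the design trap the text warns about: three /24s starting at 10.70.64.0 collapse to two routes (a /23 plus a /24), not one, which is why the book recommends allocating the whole /22.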

Broadcast domains

A broadcast domain is the part of a network that shares the same layer 2 segment. On a single switch without VLANs, the broadcast domain is the entire switch. Across multiple interconnected switches without VLANs, the broadcast domain includes all of those switches.

A single broadcast domain can contain multiple IPv4 or IPv6 subnets, but this is generally not considered good network design. IP subnets should be isolated into separate broadcast domains using separate switches or VLANs. The exception is running an IPv4 and an IPv6 network within a single broadcast domain. This is called dual stack, a common and useful technique that gives hosts both IPv4 and IPv6 connectivity.

Broadcast domains can be combined by bridging two network interfaces together, but in that case care must be taken to avoid switch loops. For some protocols a proxy achieves the same net effect without combining broadcast domains, for example a DHCP relay that forwards DHCP requests to the broadcast domain on another interface.

Translated from the pfSense book.

2017-11-11
