Appendix A   Networking Concepts


  This chapter describes general network concepts that you must understand before you configure your PortMaster.
  This chapter discusses the following topics: network addressing (IP and IPX), netmasks, naming services and the host table, and managing network security.
  See the PortMaster Routing Guide for information on routing and how Lucent's ComOS implements routing protocols. See the glossary for unfamiliar terms.
 

       Network Addressing

  PortMaster products support packet routing using the IP protocol. The Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP provides addressing and control information that allows data packets to be routed across networks.
  Novell Internetwork Packet Exchange (IPX) is another protocol used to exchange data over PC-based networks. IPX uses Novell's proprietary Service Advertising Protocol (SAP) to advertise special services such as print and file servers. The PortMaster 4 supports the IPX protocol if it is running ComOS 4.1 or later. IPX is not supported on ComOS 4.0.
 

       IP Addressing

  IP address descriptions are found in RFC 1166, Internet Numbers. Refer to "Additional References" in the preface for more information. The Internet Network Information Center (InterNIC) maintains and distributes the RFC documents. The InterNIC also assigns IP addresses and network numbers to Internet service providers (ISPs), who in turn provide to their customers a range of addresses appropriate to the number of host devices on their network.
  The sections that follow describe the various types of IP addresses, how addresses are given, and routing issues related to IP.
 

       IP Address Notation

  IP addresses are written in dotted decimal notation consisting of four numbers separated by dots (periods). Each number, written in decimal, represents an 8-bit octet (sometimes informally referred to as a byte) giving each number a range of 0 through 255, inclusive. When strung together, the four octets form the 32-bit IP address. Table A-1 shows 32-bit values expressed as IP addresses.

  Table A-1 IP Address Notation

  32-Bit Value                          Dotted Decimal Notation
  01100100.01100100.01100100.00001010   100.100.100.10
  11000011.00100000.00000100.11001000   195.32.4.200
  The largest possible value of a field in dotted decimal notation is 255, which represents an octet where all the bits are 1s.
  IP addresses are generally divided into different classes of addresses based on the number of hosts and subnetworks required to support the hosts. As described in RFC 1166, IP addresses are 32-bit quantities divided into five classes. Each class has a different number of bits allocated to the network and host portions of the address. For this discussion, consider a network to be a collection of computers (hosts) that have the same network field values in their IP addresses.
  The concept of classes is being made obsolete by classless interdomain routing (CIDR). Instead of dividing networks by class, CIDR groups them into address ranges. A network range consists of an IP address prefix and a netmask length. The address prefix specifies the high-order bits of the IP network address. The netmask length specifies the number of high-order bits in the prefix that an IP address must match to fall within the range indicated by the prefix.
  For example, 192.168.42.x describes a Class C network with addresses ranging from 192.168.42.0 through 192.168.42.255. CIDR uses 192.168.42.0/24 to describe the same range of addresses.
  RIP-1 is an example of a protocol that uses address classes. RIP-2, OSPF, and BGP-4 are examples of protocols that do not use address classes.
  The class A IP address format allocates the highest 8 bits to the network field and sets the highest-order bit to 0 (zero). The remaining 24 bits form the host field. Only 126 class A networks can exist (0 is reserved, and 127 is used for loopback networks), but each class A network can have almost 17 million hosts. No new class A networks can be assigned at this time.
  For example:
 
  The class B IP address format allocates the highest 16 bits to the network field and sets the two highest-order bits to 1 and 0, providing a range from 128 through 191, inclusive. The remaining 16 bits form the host field. More than 16,000 class B networks can exist, and each class B network can have up to 65,534 hosts. For example:
 
  The class C IP address format allocates the highest 24 bits to the network field and sets the three highest-order bits to 1, 1, and 0, providing a range from 192 through 223, inclusive. The remaining 8 bits form the host field. More than two million class C networks can exist, and each class C network can have up to 254 hosts. For example:
 
  The class D IP address format was designed for multicast groups, as discussed in RFC 1112. In class D addresses, the 4 highest-order bits are set to 1, 1, 1, and 0, providing a range from 224 through 239, inclusive.
  Class D addresses are currently used primarily for the multicast backbone (MBONE) of the Internet. Many routers, including those from Lucent, do not support MBONE or multicast and therefore ignore class D addresses.
  The class E IP address is reserved for future use. In class E addresses, the 4 highest-order bits are set to 1, 1, 1, and 1. Routers currently ignore class E IP addresses.
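The conversions in Table A-1, the classful lookup from the high-order bits, and the CIDR prefix-plus-length test can all be carried out with a few bit operations. The following is an added example written for this page, not code from the PortMaster guide or from ComOS; all function names are the example's own, and the addresses passed in at the bottom are constructed test values.

```python
# Added example (not from the PortMaster guide): dotted decimal <-> 32-bit
# conversion as in Table A-1, classful lookup from the high-order bits, and
# CIDR prefix membership (address prefix + netmask length).


def to_int(dotted):
    """Parse dotted decimal into a 32-bit integer, rejecting bad octets."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range 0-255: {part!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Table A-1 layout: four 8-bit groups separated by dots."""
    value = to_int(dotted)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def address_class(dotted):
    """Classful lookup: the leading bits of the first octet select the class."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"        # 0xxxxxxx, first octet 0-127 (0 reserved, 127 loopback)
    if first >> 6 == 0b10:
        return "B"        # 10xxxxxx, first octet 128-191
    if first >> 5 == 0b110:
        return "C"        # 110xxxxx, first octet 192-223
    if first >> 4 == 0b1110:
        return "D"        # 1110xxxx, first octet 224-239 (multicast)
    return "E"            # 1111xxxx, first octet 240-255 (reserved)


NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def classful_split(dotted):
    """Return (network field, host field) for a class A, B or C address."""
    cls = address_class(dotted)
    if cls not in NETWORK_BITS:
        raise ValueError(f"class {cls} addresses have no network/host split")
    host_bits = 32 - NETWORK_BITS[cls]
    value = to_int(dotted)
    return value >> host_bits, value & ((1 << host_bits) - 1)


def in_prefix(dotted, prefix):
    """CIDR membership: the address must agree with the prefix on its first
    `length` high-order bits, so 192.168.42.0/24 covers 192.168.42.x."""
    net, length = prefix.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError(f"netmask length out of range 0-32: {length}")
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return (to_int(dotted) & mask) == (to_int(net) & mask)


if __name__ == "__main__":
    # Constructed sample addresses, one per class plus the Table A-1 rows.
    for addr in ("100.100.100.10", "195.32.4.200", "10.1.2.3", "224.0.0.9"):
        print(addr, to_binary(addr), "class", address_class(addr))
    print(in_prefix("192.168.42.77", "192.168.42.0/24"))
```

Note that `address_class` reports 127.0.0.1 as class A: the loopback network has the class A bit pattern even though it is never assigned, which is why a router must apply the reserved-address rules of Table A-2 on top of the class lookup.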
 

       Reserved IP Addresses

  Some IP addresses are reserved for special uses and cannot be used for host addresses. Table A-2 lists ranges of IP addresses and shows which addresses are reserved, which are available to be assigned, and which are for broadcast.

  Table A-2 Reserved and Available IP Addresses

  Class   IP Address                            Status
  A       0.0.0.0                               Reserved
          1.0.0.0 through 126.0.0.0             Available
          127.0.0.0                             Loopback networks on the local host
  B       128.0.0.0                             Reserved
          128.1.0.0 through 191.254.255.255     Available
          191.255.0.0                           Reserved
  C       192.0.0.0                             Reserved
          192.0.1.0 through 223.255.254.255     Available
          223.255.255.0                         Reserved
  D       224.0.0.0 through 239.255.255.255     Multicast group addresses
  E       240.0.0.0 through 255.255.255.254     Reserved
          255.255.255.255                       Broadcast
 

       Private IP Networks

  RFC 1597 reserves three IP network addresses for private networks. The addresses 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/20 can be used by anyone for setting up their own internal IP networks.
 

       IP Address Conventions

  If the bits in the host portion of an address are all 0, that address refers to the network specified in the network portion of the address. For example, the class C address 192.31.7.0 refers to a particular network. Historically, this address was used as a broadcast.
  The standard broadcast address uses all 1s in the host portion (for example, 192.168.1.255); however, many networks still use all 0s. The PortMaster can be configured either way and should be set to match the other systems on your network.

  Note - Do not assign an IP address with all 0s or all 1s in the host portion of the address to a host on the network, because these are reserved as broadcast addresses.

  With CIDR, networks are specified with an IP prefix and netmask length, for example, 172.16.0.0/16, 192.168.1.0/24, or 192.168.200.240/28.
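The conventions above (host bits all 0s name the network, all 1s or historically all 0s name the broadcast, and neither may be assigned to a host) together with the private blocks of the previous section are shown in the following added example. It is written for this page and is not code from the PortMaster guide or ComOS; the function names are the example's own. One point of fact it relies on: RFC 1597 (and RFC 1918, which superseded it) gives the second private block as 172.16.0.0 through 172.31.255.255, which is a 12-bit prefix, so the example uses 172.16.0.0/12.

```python
# Added example (not from the PortMaster guide): network and broadcast
# addresses of a CIDR prefix under both broadcast conventions, the
# "never assign all-0s or all-1s host bits" check, and the private-block test.
import socket
import struct

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def parse_prefix(prefix):
    """'192.168.200.240/28' -> (network as int, mask as int). Host bits in the
    written prefix are cleared, so 192.168.200.250/28 names the same network."""
    net, length = prefix.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError(f"netmask length out of range 0-32: {length}")
    mask = (ALL_ONES << (32 - length)) & ALL_ONES
    return to_int(net) & mask, mask


def network_address(prefix):
    """Host portion all 0s names the network itself (e.g. 192.31.7.0)."""
    net, _ = parse_prefix(prefix)
    return to_dotted(net)


def broadcast_address(prefix, all_ones=True):
    """Standard broadcast: host portion all 1s. The historical convention
    reused the all-0s network address; pick the one the rest of the network uses."""
    net, mask = parse_prefix(prefix)
    return to_dotted(net | (~mask & ALL_ONES)) if all_ones else to_dotted(net)


def check_host_assignment(addr, prefix):
    """Return 'ok' or the reason an address must not be given to a host."""
    net, mask = parse_prefix(prefix)
    value = to_int(addr)
    if (value & mask) != net:
        return f"outside {prefix}"
    if mask == ALL_ONES:
        return "ok"                      # a /32 names a single host; no host field
    host = value & (~mask & ALL_ONES)
    if host == 0:
        return "host portion all 0s (network / legacy broadcast address)"
    if host == (~mask & ALL_ONES):
        return "host portion all 1s (broadcast address)"
    return "ok"


# Private blocks of RFC 1597 / RFC 1918. The second block covers
# 172.16.0.0 through 172.31.255.255, i.e. a 12-bit prefix.
PRIVATE_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(addr):
    value = to_int(addr)
    return any((value & mask) == net for net, mask in map(parse_prefix, PRIVATE_PREFIXES))


if __name__ == "__main__":
    for prefix in ("172.16.0.0/16", "192.168.1.0/24", "192.168.200.240/28"):
        print(prefix, network_address(prefix), broadcast_address(prefix),
              broadcast_address(prefix, all_ones=False))
    # Constructed sample host addresses.
    print(check_host_assignment("192.168.200.255", "192.168.200.240/28"))
    print(is_private("172.31.255.1"), is_private("172.32.0.1"))
```

`check_host_assignment` is the check to run on every static address in the user table before it reaches the PortMaster: an address that fails it will either be unreachable or will be treated as a broadcast by the hosts on that segment.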
 

       IPX Addressing

  An IPX address consists of 10 bytes (expressed in hexadecimal notation), which gives an IPX network host a unique identifier. IPX addresses are made up of the following two parts: a network number and a node number.
  The two elements of the IPX address are separated by a colon. For example:
 
  The first 8 digits represent the network segment, and the following 12 digits represent the node or MAC address of the node. All digits are expressed in hexadecimal.
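A small parser for the network:node format just described, added here as an example and not taken from the PortMaster guide or ComOS. The sample address it runs on is constructed for the example.

```python
# Added example (not from the PortMaster guide): parse and re-emit the
# 8-hex-digit network : 12-hex-digit node form of an IPX address.
import re

# 4-byte network number, then a colon, then the 6-byte node (MAC) address.
IPX_ADDRESS = re.compile(r"^([0-9A-Fa-f]{8}):([0-9A-Fa-f]{12})$")


def parse_ipx(address):
    """Return (network number as int, node address as 6 bytes)."""
    match = IPX_ADDRESS.match(address.strip())
    if not match:
        raise ValueError(f"not an IPX address (need 8 hex digits ':' 12 hex digits): {address!r}")
    network, node = match.groups()
    return int(network, 16), bytes.fromhex(node)


def format_ipx(network, node):
    """Inverse of parse_ipx; the network number is zero-padded to 8 digits."""
    if not 0 <= network <= 0xFFFFFFFF or len(node) != 6:
        raise ValueError("network must fit in 4 bytes and node in 6 bytes")
    return f"{network:08X}:{node.hex().upper()}"


def node_as_mac(node):
    """Show the node part in the colon-separated form Ethernet tools print."""
    return ":".join(f"{b:02x}" for b in node)


if __name__ == "__main__":
    # Constructed sample address, not one from the guide.
    net, node = parse_ipx("0000A1B2:00C0F0112233")
    print(hex(net), node_as_mac(node), format_ipx(net, node))
```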
 

       Netmasks

  A netmask is a four-octet number that identifies either a supernetwork (supernet) or a subnetwork (subnet). A netmask that designates a subnet is called a subnet mask.
  Subnet masks are used to divide networks into smaller, more manageable groups of hosts known as subnets. Subnetting is a scheme for imposing a hierarchy on hosts on a single physical network. The usual practice is to use the first few bits in the host portion of the network address for a subnet field. RFC 950, Internet Standard Subnetting Procedure, describes subnetting.
  A subnet mask identifies the subnet field of a network address. This mask is a 32-bit number written in dotted decimal notation with all 1s (ones) in the network and subnet portions of the address, and all 0s (zeros) in the host portion. This scheme allows for the identification of the host portion of any address on the network.
  Table A-3 shows the subnet masks you can use to divide a class C network into subnets.

  Table A-3 Subnet Masks for a Class C Network

  Length (Subnet Bits)   Number of Subnets   Number of Hosts per Subnet   Hexadecimal Subnet Mask   Dotted Decimal Subnet Mask
  24                     1                   254                          0xffffff00                255.255.255.0
  25                     2                   126                          0xffffff80                255.255.255.128
  26                     4                   62                           0xffffffc0                255.255.255.192
  27                     8                   30                           0xffffffe0                255.255.255.224
  28                     16                  14                           0xfffffff0                255.255.255.240
  29                     32                  6                            0xfffffff8                255.255.255.248
  30                     64                  2                            0xfffffffc                255.255.255.252
  32                     256                 1                            0xffffffff                255.255.255.255
  Routers and hosts can use the subnet field for routing. The rules for routing on subnets are identical to the rules for routing on networks.
  Releases before ComOS 3.5.  Before ComOS 3.5, correct routing required all subnets of a network to be physically contiguous. The network must be set up so that it does not require traffic between any two subnets to cross another network. Also, RFC 950 implicitly requires that all subnets of a network have the same number of bits in the subnet field. As a result, ComOS releases before ComOS 3.5 require the use of the same subnet mask for all subnets of a network. ComOS used the value of 255.255.255.255 for the user's Framed-IP-Netmask regardless of the value of the attribute.
  ComOS 3.5 and Later Releases.  ComOS 3.5 and subsequent releases support variable-length subnet masks (VLSMs); therefore, the restrictions in earlier ComOS releases no longer apply. The subnets of a network need not be physically contiguous and can have subnet masks of different lengths.
  However, ComOS still ignores the Framed-IP-Netmask value by default. To ease the transition to use of VLSMs, ComOS sets user-netmask to off by default. This means that all netmasks specified in the user table or RADIUS are treated as if they were 255.255.255.255. To use VLSMs and have ComOS accept the value in Framed-IP-Netmask, enter the following commands:

  Command> set user-netmask on
  Command> save all

  Caution - The VLSM feature affects both routing and proxy ARP on the PortMaster and must be used with caution.

 

       Using Naming Services and the Host Table

  Naming services are used to associate IP addresses with hostnames. Many networks use the Domain Name System (DNS) or the Network Information Service (NIS) for mapping hostnames to IP addresses. Both services are used to identify and locate objects and resources on the network. To use DNS or NIS, you must specify the IP address of the name server during the configuration process.
  The PortMaster enables you to specify an internal host table, which can be used in addition to DNS and NIS. The host table allows each unique IP address to be aliased to a unique name. The host table is consulted when a port set for host access prompts for the name of the host. The table is used to identify the IP address of the requested host. If the user-specified hostname is not found in the host table, then NIS or DNS is consulted.

  Note - The internal host table should be used only when no other host mapping facility is available. Using the host table only when necessary reduces confusion and the amount of network maintenance required.

 

       Managing Network Security

  PortMaster products allow you to maintain network security using a variety of methods. Security is a general term that refers to restricting access to network devices and data. To enable security features, you must identify sensitive information, find the network access points to the sensitive information, and secure and maintain the access points.
  PortMaster security methods include
  Each of these security methods is described in more detail in this guide. All or some of these security methods can be configured as you configure the system-wide parameters and each interface. RADIUS, PortAuthority RADIUS, and ChoiceNet are described briefly in the next sections.
  PortAuthority RADIUS must be purchased separately.
 

       RADIUS

  RADIUS is a nonproprietary protocol invented by Lucent and described in RFC 2138 and RFC 2139. RADIUS provides an open and scalable client/server security system for distributed network environments. The RADIUS server can be adapted to work with third-party security products. Any communications server or network hardware that supports the RADIUS protocol can communicate with a RADIUS server.
  RADIUS consolidates all user authentication and network service access information on the authentication (RADIUS) server. The server can authenticate users against a UNIX password file, NIS databases, or separately maintained RADIUS database. The PortMaster acts as a RADIUS client: it sends authentication requests to the RADIUS server, and acts on responses sent back by the server. For more information about RADIUS, refer to the RADIUS for Windows NT Administrator's Guide and RADIUS for UNIX Administrator's Guide.
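What the PortMaster sends as a RADIUS client is an Access-Request laid out as in RFC 2138: a 20-byte header with a random Request Authenticator, followed by type-length-value attributes, with the User-Password hidden under the shared secret as section 5.2 of that RFC describes. The following added example builds such a packet and decodes it the way a server would; it is written for this page and is not code from the PortMaster guide, ComOS or Lucent's RADIUS server. The attribute numbers are RFC 2138's; the shared secret, user, and addresses are constructed values, and the Framed-IP-Netmask attribute is included because it is the one the user-netmask setting above acts on.

```python
# Added example (not from the PortMaster guide or Lucent's RADIUS code):
# RFC 2138 Access-Request encoding with User-Password hiding, and the
# server-side decode.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
# Attribute type numbers from RFC 2138.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 8, 9


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """RFC 2138 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(secret, authenticator, hidden):
    """The server's inverse; trailing NUL padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def attribute(type_code, value):
    """Type-Length-Value; the length byte counts itself and the type byte."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def ip_attribute(type_code, dotted):
    return attribute(type_code, socket.inet_aton(dotted))


def build_access_request(secret, identifier, username, password, nas_ip,
                         framed_ip=None, framed_netmask=None, authenticator=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)    # must be unpredictable
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(secret, authenticator, password))
    attrs += ip_attribute(NAS_IP_ADDRESS, nas_ip)
    if framed_ip:
        attrs += ip_attribute(FRAMED_IP_ADDRESS, framed_ip)
    if framed_netmask:
        attrs += ip_attribute(FRAMED_IP_NETMASK, framed_netmask)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Server-side decode with the length checks that stop a malformed
    packet from being read past its end. Returns (code, id, authenticator, attrs)."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]   # last of a type wins
        pos += data[pos + 1]
    return code, identifier, authenticator, attrs


def server_password(secret, data):
    """What the server recovers for User-Password with its copy of the secret."""
    _, _, authenticator, attrs = parse_packet(data)
    return reveal_password(secret, authenticator, attrs[USER_PASSWORD])


if __name__ == "__main__":
    # Constructed values: shared secret, user, NAS and framed addresses.
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, "alice", b"example-password", "192.168.1.1",
                               framed_ip="192.168.1.50", framed_netmask="255.255.255.240")
    print(len(pkt), server_password(secret, pkt))
```

The hiding is only as strong as the shared secret and the randomness of the Request Authenticator, which is why the secret should be long and unique per client and the authenticator must never be reused; the packet itself is sent over UDP with no further protection.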
 

       ChoiceNet

  ChoiceNet is a client/server packet-filtering application created by Lucent. ChoiceNet provides a mechanism to filter network traffic on dial-up InterNetworking Systems, synchronous leased line, or asynchronous connections. Filter information is stored in a central location known as the ChoiceNet server.
  ChoiceNet clients can be one or more PortMaster products. ChoiceNet clients communicate with the ChoiceNet server to determine user access.
  ChoiceNet can use filter names specified by the RADIUS user record. For more information about ChoiceNet, refer to the ChoiceNet Administrator's Guide.
 

       PortAuthority RADIUS

  Lucent's PortAuthority RADIUS software provides enhanced RADIUS functionality and must be purchased separately.

Copyright © 1999, Lucent Technologies. All rights reserved.