Data Link Layer
- Designing a small network
- NAT
- DHCP
- SOHO networks
Ethernet Switches
- like a learning bridge
- hardware forwarding of frames from one interface to the next
- buffering and queueing of frames for each interface
- distributed spanning-tree algorithm used among switches to
determine where to send broadcast frames
- advantages: breaks the collision domain, reduces the number of collisions
- disadvantages: may have to buffer entire frames, more complex
- a switch is a layer-2 device
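As an added illustration of the learning-bridge behaviour listed above (this is example code written for these notes, not part of the original lecture), the following Python model learns source MACs per port, forwards known unicast frames to one port, floods unknown unicast and broadcast frames, filters frames whose destination is on the ingress segment, and buffers each outgoing frame in a per-port queue. Port numbers, MAC addresses and frames are constructed.

```python
# Added example, not from the lecture notes: a software model of a learning
# bridge / Ethernet switch. Port numbers, MAC addresses and frames are constructed.
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Forward frames by destination MAC, learning source MACs per port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                                  # MAC -> port last seen on
        self.queues = {p: deque() for p in self.ports}  # per-port output buffer

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return the ports it leaves on."""
        # Learning: the source MAC is reachable through the ingress port.
        self.table[src] = in_port
        if dst != BROADCAST and dst in self.table:
            out_ports = [self.table[dst]]        # known unicast: forward to one port
        else:
            out_ports = list(self.ports)         # unknown unicast or broadcast: flood
        # Filtering: never send a frame back out the port it arrived on. A frame
        # whose destination sits on the same segment as its source is dropped
        # here, which is what keeps each port a separate collision domain.
        out_ports = [p for p in out_ports if p != in_port]
        for p in out_ports:
            self.queues[p].append((src, dst))    # buffer until that link is free
        return out_ports


def demo():
    """Trace of a three-port switch; returns the list of egress-port lists."""
    sw = LearningSwitch([1, 2, 3])
    trace = [
        sw.receive(1, "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"),  # unknown dst: flood
        sw.receive(2, "bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa"),  # aa learned on port 1
        sw.receive(1, "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"),  # bb learned on port 2
        sw.receive(1, "dd:dd:dd:dd:dd:dd", "aa:aa:aa:aa:aa:aa"),  # same segment: dropped
        sw.receive(3, "cc:cc:cc:cc:cc:cc", BROADCAST),            # broadcast: flood
    ]
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The fourth frame in the trace is the interesting one: both hosts are on port 1, so the switch forwards nothing and the two hosts' collision domain never involves ports 2 and 3. The spanning-tree part of the notes is not modelled; with a single switch there are no loops to break.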
Names and layers
- Hub: forward to all (physical layer)
- Bridge: something interconnecting LANs (data link layer).
  Switch: a bridge that uses hardware to forward packets (data link layer)
- Gateway: old name for router (network layer).
  Router: a box that forwards packets among networks (network layer).
  IP switch: a router with hardware forwarding (network layer).
- Firewall or NAT unit: a forwarding engine that looks at and rewrites
network and transport layer headers (transport layer).
Ethernet Network Design
- star topology using hubs
- at most 2500 m. with up to 4 repeaters between any two hosts (one hub to
a central hub)
- avoid collisions if possible:
- split into segments connected by switches, routers
- switch to 100Mb/s, Gb Ethernet
- connect 100Mb/s, Gb directly to switch (full-duplex mode)
Ethernet Collision probability
- likelihood that two hosts are waiting to send at end of current packet
(assume all packets are the same size)
- load (probability of 1 host wanting to send) is p
- probability of collision is p^2
- cost of collision is: 1 packet lost to collision (plus latency),
giving additional load: delta = sum_{i=1}^{infinity} p^{2i} = p^2 / (1 - p^2)
| load p | p^2  | delta |
|--------|------|-------|
| 0.1    | 0.01 | 0.01  |
| 0.3    | 0.09 | 0.1   |
| 0.5    | 0.25 | 0.3   |
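To check the figures in the table above numerically, here is an added Python example (written for these notes, not part of the original lecture). It evaluates the series the notes define for delta both by truncated summation and by the closed form p^2 / (1 - p^2) of a geometric series with ratio p^2; the table in the notes rounds the p = 0.5 value of 1/3 to 0.3, while rounding to two places gives 0.33.

```python
# Added example, not from the lecture notes: evaluate the collision-load
# figures from the table numerically.
def collision_probability(p):
    """Chance that two hosts both want to send when the current packet ends."""
    return p * p


def extra_load_series(p, terms=60):
    """delta as the notes define it: sum over i >= 1 of p^(2i), truncated."""
    return sum(p ** (2 * i) for i in range(1, terms + 1))


def extra_load_closed_form(p):
    """Geometric series with ratio p^2: sum_{i>=1} p^(2i) = p^2 / (1 - p^2)."""
    if not 0.0 <= p < 1.0:
        raise ValueError("load p must satisfy 0 <= p < 1")
    p2 = p * p
    return p2 / (1.0 - p2)


def load_table(loads=(0.1, 0.3, 0.5)):
    """Rows of (p, p^2, delta), rounded to two places like the notes' table."""
    return [
        (p, round(collision_probability(p), 2), round(extra_load_closed_form(p), 2))
        for p in loads
    ]


if __name__ == "__main__":
    print("load p  p^2   delta")
    for p, p2, delta in load_table():
        print(f"{p:<7} {p2:<5} {delta}")
```

The closed form also shows why shared Ethernet degrades so sharply: as p approaches 1 the extra load from retransmissions grows without bound, which is the motivation for the "avoid collisions if possible" rules in the design section above.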
Splitting the collision domain
- Etherswitch:
- security considerations: who gets to see what
packets? (e.g. faculty vs. students)
- performance: is it all-to-all, partitionable, or one server
to many clients?
- single server case: put the server on its own high-speed link
to the switch, every one else on slower shared links
- cost: more ports, or higher speeds?
- router: all of the above, plus address (re)assignment considerations
(easier with DHCP)
Security, Firewalls
- anyone with root access can, with sufficient patience, read all
the packets on the network
- not all of the network traffic is encrypted (yet), especially
passwords and emails
- no ideal solution, try to make broadcasts smaller so only
mutually trusted individuals can see each other's broadcasts
- firewall (L4 switch): appropriate combinations of
inside/outside and accessible/inaccessible
- firewall typically configured to accept all traffic initiated
from "inside", and traffic initiated from "outside" for selected ports
- nodes in a DMZ accept connections from "inside", but cannot connect
(and therefore cannot attack) nodes "inside"
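The inside/outside/DMZ policy described above, as an added Python example (written for these notes, not the original lecture): a toy stateful firewall that lets "inside" initiate anything, lets "outside" initiate only to selected ports, and lets DMZ nodes accept connections from inside without ever initiating connections to inside. The zone address ranges and the set of selected ports are constructed assumptions.

```python
# Added example, not from the lecture notes: a toy stateful firewall with
# three zones. Zone prefixes, ports and addresses are constructed.
import ipaddress

ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Ports on which connections initiated from "outside" are accepted (constructed).
OUTSIDE_ALLOWED_PORTS = {"dmz": {80, 443}, "inside": set()}


def zone_of(addr):
    """Map an address to its zone; anything outside the known prefixes is outside."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


class StatefulFirewall:
    def __init__(self):
        self.established = set()  # (src, sport, dst, dport) of accepted connections

    def allow_new(self, src_zone, dst_zone, dport):
        """Policy for the first packet of a connection."""
        if src_zone == "inside":
            return True                       # inside may initiate anything
        if src_zone == "dmz":
            return dst_zone == "outside"      # DMZ may never initiate towards inside
        # outside: only the selected ports, and never directly to inside
        return dport in OUTSIDE_ALLOWED_PORTS.get(dst_zone, set())

    def check(self, src, sport, dst, dport, syn=True):
        """Return True if the packet is forwarded. syn=True marks a new connection."""
        key = (src, sport, dst, dport)
        # Packets belonging to an accepted connection pass in both directions.
        if key in self.established or (dst, dport, src, sport) in self.established:
            return True
        if not syn:
            return False                      # no state and not a new connection: drop
        ok = self.allow_new(zone_of(src), zone_of(dst), dport)
        if ok:
            self.established.add(key)
        return ok
```

Replies are matched by reversing the four-tuple, which is what lets an inside-initiated connection receive its answer from outside even though no rule admits outside-initiated traffic to inside.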
Rogue IPs
- visitor finds data jack, plugs in, doesn't work, so
visitor picks an IP address, works!
- the host legitimately using the same IP address has intermittent
problems
- mostly only an issue if DHCP does not have available leases
- if it does happen,
a host that has a duplicate IP address is hard to detect on
a broadcast network
- partition the network and ping on both sides (very painful -- the
network MUST stay up)
- see (using ARP cache) which host(s) you are reaching on which side of
a switch (ping will usually tell if it is getting duplicate replies)
- in a small group, find all your visitors and anyone who has
bought or is bringing in a laptop...
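Two of the checks above, duplicate ping replies and two MACs claiming one IP on different switch ports, can be automated from a defender's seat. The following Python is an added example written for these notes (not part of the original lecture); the ping output and ARP observations are constructed samples, and the `(DUP!)` marker follows the iputils ping format, though the parser only counts replies per sequence number and does not rely on it.

```python
# Added example, not from the lecture notes: spot a duplicate IP address from
# ping output and from ARP observations. All sample data below is constructed.
import re
from collections import defaultdict

PING_REPLY = re.compile(r"from (?P<ip>[\d.]+): icmp_seq=(?P<seq>\d+)")


def duplicate_replies(ping_output):
    """Return the icmp_seq numbers that received more than one reply.
    Two hosts answering the same echo request is the symptom of a duplicate IP."""
    counts = defaultdict(int)
    for line in ping_output.splitlines():
        m = PING_REPLY.search(line)
        if m:
            counts[int(m.group("seq"))] += 1
    return sorted(seq for seq, n in counts.items() if n > 1)


def conflicting_ips(arp_observations):
    """arp_observations: iterable of (ip, mac, switch_port) taken from ARP
    replies or the ARP cache. Returns {ip: {mac: port}} for every IP that is
    claimed by more than one MAC, so the ports narrow down where each host is."""
    claims = defaultdict(dict)
    for ip, mac, port in arp_observations:
        claims[ip][mac.lower()] = port
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample: two replies per echo request from 10.0.0.5.
SAMPLE_PING = """\
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.31 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.52 ms (DUP!)
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.29 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.49 ms (DUP!)
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=0.30 ms
"""

# Constructed sample: 10.0.0.5 is claimed by two MACs seen on two switch ports.
SAMPLE_ARP = [
    ("10.0.0.5", "00:11:22:33:44:55", "port 1"),
    ("10.0.0.5", "66:77:88:99:AA:BB", "port 7"),
    ("10.0.0.9", "00:11:22:33:44:66", "port 2"),
]

if __name__ == "__main__":
    print("sequence numbers with duplicate replies:", duplicate_replies(SAMPLE_PING))
    print("IPs claimed by more than one MAC:", conflicting_ips(SAMPLE_ARP))
```

The ARP-based check is the one that avoids partitioning the network: the ARP cache of a host on each side of a switch, together with the switch's own MAC table, says which port each claimant is on.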
IP address assignments
- if using a router to split a network, all addresses in one subnet
must be on one side, and all addresses in the other subnet on the other side
- assign IPs by location: "these addresses for the post building"
- assign IPs by security split: "these addresses for the faculty"
- assign IPs dynamically: DHCP
Dynamic Host Configuration Protocol
- Dynamic assignment, on demand, of temporary IP address "leases"
- a lease can be renewed, but no guarantees
- hard to allow TCP connections initiated outside the network,
since the IP address may change:
- bad for servers
- good for security (maybe)
- for a server, the DHCP server can be configured to assign a fixed
address only to that server's specific MAC address
- a DHCP block can be configured in the firewall, so no incoming
connections would be allowed for DHCP addresses
- harder to automatically snoop on specific host (again, both good and bad)
Ethernet-based home setup
- one host, H, connected to the internet
- H does Network Address Translation (L4 translation, NAT) so:
- IP packets going out are rewritten to have H as source address,
and usually a different source port
- incoming packets are rewritten to have the correct destination
host and port number
- for ICMP Echo, can rewrite identifier
- for ICMP Error messages, need to look up port number in original header
- for TCP we know when the connection ends, so can deallocate state in
the NAT box
- for UDP/ICMP we don't know when the connection is done, so we must cache
- in case of loss of cached translation, we end up setting
up a new connection with different local ports
- internally, 10Mb/s or 100Mb/s hub- or switch-based Ethernet, often
including a Wireless Access Point, usually supporting WPA2 (preferably)
or WPA or WEP (vulnerable)
- externally modem over PPP or SLIP, cable modem, A/DSL, 802.11, WiMax, etc
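The NAT behaviour of host H described above, as an added Python example (written for these notes, not the original lecture): a toy translation table that rewrites the source of outgoing packets to H's address and a fresh port, maps replies back, uses the ICMP Echo identifier in place of a port, resolves ICMP errors through the quoted original header, frees TCP state when the connection closes, and times out UDP/ICMP state since those have no close. The public address, private addresses, ports and timestamps are constructed; checksum updates and port-collision handling are left out.

```python
# Added example, not from the lecture notes: a toy NAT translation table for
# the home gateway H. Addresses, ports and timestamps are constructed.
import itertools


class NatBox:
    def __init__(self, public_ip, idle_timeout=30.0):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout      # for UDP/ICMP, which have no close
        self._ports = itertools.count(40000)  # next public port / ICMP identifier
        self.out_map = {}   # (proto, local_ip, local_id) -> public_id
        self.in_map = {}    # (proto, public_id) -> [local_ip, local_id, last_seen]

    def outbound(self, proto, src_ip, src_id, now):
        """Rewrite an outgoing packet: returns (public_ip, public_id).
        For TCP/UDP src_id is the source port; for ICMP Echo it is the identifier."""
        key = (proto, src_ip, src_id)
        if key not in self.out_map:
            public_id = next(self._ports)     # usually a different source port
            self.out_map[key] = public_id
            self.in_map[(proto, public_id)] = [src_ip, src_id, now]
        public_id = self.out_map[key]
        self.in_map[(proto, public_id)][2] = now
        return (self.public_ip, public_id)

    def inbound(self, proto, dst_id, now):
        """Rewrite an incoming packet: returns (local_ip, local_id), or None to drop."""
        entry = self.in_map.get((proto, dst_id))
        if entry is None:
            return None                       # no translation: drop the packet
        entry[2] = now
        return (entry[0], entry[1])

    def inbound_icmp_error(self, inner_proto, inner_src_id, now):
        """An ICMP error quotes the offending packet's headers; the quoted source
        port (already translated on the way out) selects the mapping."""
        return self.inbound(inner_proto, inner_src_id, now)

    def tcp_closed(self, src_ip, src_port):
        """TCP signals its end, so the mapping can be freed immediately."""
        public_port = self.out_map.pop(("tcp", src_ip, src_port), None)
        if public_port is not None:
            del self.in_map[("tcp", public_port)]

    def expire(self, now):
        """UDP/ICMP mappings can only time out; TCP keeps its state until closed.
        A host whose mapping expired gets a new public port on its next packet."""
        for (proto, public_id), (ip, local_id, last) in list(self.in_map.items()):
            if proto != "tcp" and now - last > self.idle_timeout:
                del self.in_map[(proto, public_id)]
                del self.out_map[(proto, ip, local_id)]
```

The last case is the one the notes warn about: once a cached UDP translation is lost, the next outgoing packet gets a fresh public port, so the remote side sees what looks like a new connection.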