# 1. Network concepts

## 1.1 Explain the purposes and uses of ports and protocols

The dominant protocol suite for today’s network is TCP/IP.

#### Protocols and Ports

The way network communication (1s and 0s) goes in and out of a machine physically is through the NIC (network interface card). The way network communication goes in and out of a machine logically is through a program or service. A **service** is a program that runs in the background, independent of a logon, that performs one or more system functions. In the world of Linux, services are known as **daemons**.

A port is an endpoint in communication represented by a logical number.

MAC addresses are found in frames at Layer 2 of the OSI model. IP addresses are found in packets at Layer 3. Port numbers are found in either TCP segments or UDP datagrams at Layer 4.

#### Types of ports

- **0 – 1023** Well-known port numbers. Used by major protocols and services.
- **1024 – 49151** Registered ports. Assigned by IANA to specific companies. Can be used by any system, if not in use.
- **49152 – 65535** Dynamic ports. Used by client applications on an as-needed basis.

#### Commonly used ports

![](https://i.imgur.com/6AWDqvi.png)

#### Protocol types

Each of the protocols in the previous section is placed inside another protocol at Layer 4, either a TCP segment or a UDP datagram. TCP segments and UDP datagrams are always placed inside of IP packets. In addition, Internet Control Message Protocol (ICMP) messages are placed inside IP packets for informational and error reporting.

#### TCP and UDP

At Layer 4 of the OSI model, all applications use either TCP segments or UDP datagrams to encapsulate and send data coming from Layers 5, 6, and 7.

**TCP** = reliable data transfer and flow control. All bytes sent with TCP are ordered and sequenced. TCP guarantees that every single byte sent will be received with integrity and processed in the correct order. TCP resends the unacknowledged bytes.
TCP is used for file transfers (FTP), e-mail (IMAP/SMTP), and going to Web sites (HTTP, SSL/TLS).

**UDP** is connectionless and has no flow control. It is used for streaming, real-time communications, DNS and DHCP. Real-Time Streaming Protocol (RTSP), which exists at Layer 7, does the ordering for UDP. Using RTSP just for the ordering of the UDP datagrams involves significantly less overhead than TCP would require. The TCP header contains many fields that have functions that add latency, whereas the UDP header has only a few fields with no additional overhead.

![](https://i.imgur.com/ba8Mx2A.png)

TCP establishes a connection between a source and destination with the **TCP three-way handshake**:

**1st step**: the source (client) sets the SYN (Synchronization) flag on by placing a 1 in that bit position, and generates a pseudo-random sequence number that it places in the Sequence Number field. The source places the TCP header in an IP packet, places the packet in a frame, and sends it.

![](https://i.imgur.com/q4s1Cjl.png)

**2nd step**: the destination (server) turns on the ACK (Acknowledgment) flag and increments the sequence number that the source sent, by one, in the Acknowledgment Number field. In the same TCP header, the destination also raises the SYN flag and comes up with its own pseudo-randomly generated sequence number, which it places in the Sequence Number field. This is the destination saying “Can I talk to you too?” This TCP segment is sent to the source.

**3rd step**: the source responds to this by sending another TCP segment with the ACK flag on, incrementing the sequence number sent by the destination by one in the Acknowledgement Number field, in our example to 2018. At this point, the two systems are connected.

![](https://i.imgur.com/btp5RXo.png)

When querying your DNS server to resolve a name to an IP address or querying your DHCP server to get or renew a lease for an IP address, if no reply comes back to your client, your client will simply ask again.
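The three steps just described, as an added example that is not part of these notes: a small simulation of the handshake that models only the SYN/ACK flag bits and the Sequence / Acknowledgment Number fields. The `Segment` class, the function names, the client port 51000 and the initial sequence numbers 1000 and 2017 are constructed for the demo; a real stack picks its ISNs randomly, which is what the functions do when no ISN is supplied.

```python
"""Simulated TCP three-way handshake (added example, not from the notes).

Only the parts of the TCP header the handshake needs are modelled: the
SYN/ACK bits of the flags byte and the Sequence / Acknowledgment Number
fields. Initial sequence numbers (ISNs) can be passed in so a run is
reproducible; left out, they are picked at random like a real stack does.
Port numbers and ISNs used in the demo are constructed values.
"""
import random
from dataclasses import dataclass
from typing import Optional

# Flag bits at the positions they occupy in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int      # Sequence Number field
    ack: int      # Acknowledgment Number field
    flags: int

    def has(self, flag: int) -> bool:
        return self.flags & flag == flag


def wrap32(n: int) -> int:
    """Sequence numbers are 32-bit fields and wrap around at 2**32."""
    return n & 0xFFFFFFFF


def client_syn(sport: int, dport: int, isn: Optional[int] = None) -> Segment:
    """Step 1: the client raises SYN and announces its ISN; nothing is acknowledged yet."""
    isn = random.getrandbits(32) if isn is None else isn
    return Segment(sport, dport, isn, 0, SYN)


def server_syn_ack(syn: Segment, isn: Optional[int] = None) -> Segment:
    """Step 2: the server acks client ISN + 1 and raises SYN with its own ISN."""
    if not syn.has(SYN) or syn.has(ACK):
        raise ValueError("step 2 expects a bare SYN")
    isn = random.getrandbits(32) if isn is None else isn
    return Segment(syn.dst_port, syn.src_port, isn, wrap32(syn.seq + 1), SYN | ACK)


def client_ack(syn: Segment, syn_ack: Segment) -> Segment:
    """Step 3: the client verifies its ISN was acknowledged, then acks server ISN + 1."""
    if not syn_ack.has(SYN | ACK):
        raise ValueError("step 3 expects a SYN/ACK")
    if syn_ack.ack != wrap32(syn.seq + 1):
        raise ValueError("server acknowledged the wrong sequence number")
    return Segment(syn.src_port, syn.dst_port, syn_ack.ack, wrap32(syn_ack.seq + 1), ACK)


def handshake(client_isn: Optional[int] = None, server_isn: Optional[int] = None):
    """Run the three steps; return the three segments and whether the connection is up."""
    s1 = client_syn(51000, 80, client_isn)          # constructed client port -> HTTP
    s2 = server_syn_ack(s1, server_isn)
    s3 = client_ack(s1, s2)
    connected = s3.has(ACK) and s3.ack == wrap32(s2.seq + 1)
    return s1, s2, s3, connected


if __name__ == "__main__":
    for step in handshake(client_isn=1000, server_isn=2017):
        print(step)
```

Running it with the ISNs 1000 and 2017 reproduces the numbers in the figures: the server acknowledges 1001, and the client's final ACK carries 2018. The checks in `client_ack` are the point of the exercise: a peer that acknowledges anything other than ISN + 1 is rejected, which is exactly why the client's ISN has to be unpredictable.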
For these queries there’s no need for additional overhead.

#### IP

Internet Protocol encapsulates all messages at Layer 3 in a unit called a packet. It delivers packets from source to destination based on the IP addresses in the IP header portion of the packet. The data portion contains the upper-layer headers and data. The IP header contains many fields, some of which we’ll explore later.

![](https://i.imgur.com/00HuMPT.png)

#### ICMP

ICMP provides informational and error reporting to devices. It is used by utilities like ping and tracert (on Windows) / traceroute (non-Windows) to provide control information to IP. The ping utility sends ICMP echo request messages to a destination. If the destination gets those messages, it sends back ICMP echo reply messages to the source. ICMP messages are encapsulated directly inside of IP headers. There are two types: informational messages, such as the ICMP echo reply messages, and error messages, such as destination unreachable messages, which are generated for many reasons.

![](https://i.imgur.com/zZvvJiS.png)

#### Connection-Oriented vs. Connectionless

TCP is connection-oriented, used for accuracy. UDP is connectionless, used for programs that require quick performance. IP is connectionless, and gets connection-oriented information from ICMP.

## 1.2 Explain devices, applications, protocols, and services at their appropriate OSI layers

ISO created OSI, a seven-layer model, a framework. Each layer represents a particular aspect of network function. It helps to:

1. Standardize the design elements of network components and
2. Describe the relationships between network.

### The OSI model

![](https://i.imgur.com/BI5ONDN.png)

1. **Physical.** Includes anything that moves data from one system to another, such as cabling or radio waves. Components: NICs, cables, wireless transmission, hubs. Protocols: SONET/SDH, Bluetooth, and Wi-Fi.
2. **Data Link.**
Defines the rules for gathering and completing all the elements that make up a data frame and putting the whole thing together, so that it can be passed to a Physical-layer device and on to the network. It is divided into two sublayers: Media Access Control (MAC), responsible for addressing network devices by using the physical address (MAC), and Logical Link Control (LLC), responsible for management protocols, like VTP (VLAN Trunking Protocol), CDP (Cisco Discovery Protocol), and STP (Spanning Tree Protocol). Components: NICs exist at this layer as well, because they contain the MAC address that’s used, and also because they deal with frames. Protocols: ARP, CDP, Ethernet, STP, VTP, and 802.1Q (VLANs).
3. **Network.** Responsible for routing functions and logical addressing. It is the last layer to work directly with hardware. It creates and addresses packets. IP addressing enables routers to make sure the packets get to the correct system without worrying about the type of hardware used for transmission. Anything having to do with logical addressing works at the Network layer. The Network layer IP addresses identify not only a device, but also the network on which the device resides. Routers use the network identification to determine how to send packets to destination networks. If the data being sent is bigger than the maximum transmission unit (MTU) allowed by the Layer 2 protocols (for Ethernet, it’s 1500 bytes), the Network layer breaks the packet into smaller ones that will fit inside two or more frames. Breaking up data into smaller chunks at Layer 3 is known as fragmentation. Components: Internet Protocol (IP), IP addresses and routers. Protocols: IPv4, IPv6, IGMP, and IPsec.
4. **Transport.** This is where the sending application chooses between connection-oriented TCP and connectionless UDP for end-to-end communication. To see the Transport layer in action, strip away the IP addresses from an IP packet.
What’s left is a chunk of data in yet another unit called a TCP segment or a UDP datagram, both discussed earlier. Protocols: TCP and UDP.
5. **Session.** Responsible for establishing, maintaining, and terminating connections, called sessions, between programs on communicating devices. The combination of an IP address and a port is known as a socket, and this represents a session for each side of a connection. The netstat utility is used for displaying this socket information.
6. **Presentation.** Used to be responsible for the conversion of data, including compression/decompression, encryption/decryption, and formatting, but these functions are now performed elsewhere. This is the layer with the least relevance to modern communication today.
7. **Application.** Represents the network-related program code and functions running on a computer system that either initiate the request (on the sending system) or service the request (on the receiving system). Note that the Application layer does not refer to applications such as Microsoft Outlook. Instead, it refers to the protocols or application programming interfaces (APIs) on which those programs rely. For example, Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP) are important Application-layer protocols for e-mail, but many different end-user applications use those protocols (such as Outlook and Mozilla Thunderbird). Protocols: DNS, DHCP, FTP, HTTP, HTTPS (SSL/TLS), IMAP, LDAP, SSH, and SNMP.

## 1.3 Explain the concepts and characteristics of routing and switching

### Properties of Network Traffic

Network traffic can be identified by certain properties. For example, what happens before sending the message and who hears the message.

#### Broadcast domains

A broadcast domain represents a set of devices that can hear broadcast traffic from each other.
**ARP** (Address Resolution Protocol) requests, which look to resolve a known IP address to an unknown MAC address of that device, are always broadcasts, and are heard by all devices on a network. Switches forward broadcasts out of all interfaces, except the interface on which the message originated. Routers, however, break up a broadcast domain, as they never forward broadcasts out of other interfaces to other networks.

#### CSMA/CD

Older Ethernet networks that used half-duplex communications, where a node could only transmit or receive at one time (not simultaneously), used carrier sense multiple access with collision detection (CSMA/CD) to determine which computer should use the shared media at a given moment. Carrier sense means that each machine on the network examines the cable before sending a data frame (see Figure 1.3-1). If another machine is using the network, the node detects traffic and waits until the cable is free. If the node detects no traffic, the node sends its data frame.

![](https://i.imgur.com/LQBirbW.png)

Multiple access means that all machines have equal access to the wire. If the line is free, an Ethernet node does not have to get approval to use the wire—it just uses it. From the point of view of Ethernet, it does not matter what function the node is performing. The node could be a Windows client, Windows server, Linux box, or Mac. In Ethernet, all nodes are created equal.

#### Collision domains

When two nodes use the cable simultaneously, a **collision** occurs, and both of the transmissions are lost. When a collision occurs, both nodes detect the collision by listening to their own transmissions. By comparing their own transmissions with the signal they receive, they can determine whether another node has transmitted at the same time. If the nodes detect a collision, both nodes immediately stop transmitting and wait for a short, random period of time before retrying.
A collision domain, therefore, represents all devices that can have their messages collide with messages from other devices. This happened before with half-duplex. Now with full-duplex, collisions are completely eliminated!

#### CSMA/CA

Wireless networks need another way to deal with potential collisions. Wi-Fi networks use carrier sense multiple access with collision avoidance (**CSMA/CA**) rather than CSMA/CD. The CSMA/CA access method proactively takes steps to avoid collisions, as does CSMA/CD. CSMA/CA defines two methods for collision avoidance. First, if a wireless network node detects that the network is busy, that node waits a slightly lengthy backoff period before it tries to access the network again. Yes, so far, this is the same as CSMA/CD. However, CSMA/CA also requires that receiving nodes send an acknowledgment for every frame that they process. If the sending node doesn’t receive an ACK, it assumes that there was a collision, and retransmits the same data frame until it gets a confirmation that the frame reached its destination. Optionally, nodes can also send a request-to-send (RTS) message to the access point, and get a clear-to-send (CTS) message back that is heard by all nodes within range of the access point, including those nodes that weren’t in range for the request-to-send message.

![](https://i.imgur.com/KvH9WgR.png)

#### Protocol Data Units

A protocol data unit (PDU) represents a specific set of data at each layer of a model, like OSI.

![](https://i.imgur.com/nRzN6rL.png)

PDUs at Layer 4 are called segments if TCP is used and datagrams if UDP is used.

#### MTU

The Maximum Transmission Unit (MTU) of Ethernet is 1500 bytes, which means that more than 1500 bytes, consisting of an IP header and data, can’t be placed inside of an Ethernet frame. If a packet exceeds an MTU, the packet has to be broken up into multiple packets that stay under or at the MTU. This process is known as **fragmentation**.
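To make the PDU nesting concrete (frame at Layer 2 with MAC addresses, packet at Layer 3 with IP addresses, segment or datagram at Layer 4 with port numbers), here is an added example that is not part of these notes: a decoder that walks a raw Ethernet II frame layer by layer, plus a helper that works out how many IPv4 fragments a packet needs for a given MTU. The sample frame, its MAC and IP addresses, ports and payload are constructed inline (checksums are left at zero because nothing here validates them).

```python
"""Decode a raw frame layer by layer (added example, not from the notes).

Walks the PDUs the section describes: Ethernet frame (Layer 2, MAC addresses)
-> IPv4 packet (Layer 3, IP addresses) -> TCP segment or UDP datagram
(Layer 4, port numbers). The sample frame below is constructed for the demo.
"""
import math
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ETHERNET_MTU = 1500
IPV4_HEADER_LEN = 20


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Return the addressing fields found at each layer of the frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
                  "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return out                          # e.g. ARP (0x0806): no IP header follows
    packet = frame[14:]                     # the Layer 3 PDU is the frame's payload
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, flags_frag, ttl, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options included)
    out["l3"] = {"src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
                 "protocol": proto, "ttl": ttl, "total_length": total_len,
                 "dont_fragment": bool(flags_frag & 0x4000),
                 "more_fragments": bool(flags_frag & 0x2000)}
    l4 = packet[ihl:total_len]              # the Layer 4 PDU is the packet's payload
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(l4) < 4:
            raise ValueError("truncated Layer 4 header")
        sport, dport = struct.unpack("!HH", l4[:4])   # ports are the first two fields of both
        out["l4"] = {"pdu": "segment" if proto == PROTO_TCP else "datagram",
                     "src_port": sport, "dst_port": dport}
    elif proto == PROTO_ICMP:
        out["l4"] = {"pdu": "icmp", "type": l4[0], "code": l4[1]}
    return out


def fragments_needed(total_length: int, mtu: int = ETHERNET_MTU) -> int:
    """Number of IPv4 packets a packet of total_length bytes becomes on a link with this MTU.

    Each fragment carries a 20-byte header, and fragment data must be a multiple of 8.
    """
    if total_length <= mtu:
        return 1
    per_fragment = ((mtu - IPV4_HEADER_LEN) // 8) * 8
    return math.ceil((total_length - IPV4_HEADER_LEN) / per_fragment)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct a sample Ethernet/IPv4/UDP frame (checksums zero; decoding practice only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = IPV4_HEADER_LEN + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64,
                     PROTO_UDP, 0, src_ip, dst_ip) + udp
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip


# Constructed sample: a DNS-style query from 192.168.1.10 to its resolver.
SAMPLE_FRAME = build_udp_frame(
    src_mac=bytes.fromhex("001122334455"), dst_mac=bytes.fromhex("66778899aabb"),
    src_ip=bytes([192, 168, 1, 10]), dst_ip=bytes([192, 168, 1, 1]),
    sport=53000, dport=53, payload=b"constructed-dns-query")

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
    print("fragments for a 4020-byte packet:", fragments_needed(4020))
```

A 4020-byte packet on a 1500-byte Ethernet link becomes three packets (1480 + 1480 + 1040 bytes of data), which is the fragmentation the MTU subsection describes; with the DF bit set, as in the sample, a router would instead drop it and send an ICMP error.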
#### Unicast/Broadcast/Multicast

The Layer 2 and Layer 3 (if applicable) addresses will always be of the same type: unicast, broadcast, or multicast. There are three ways to send a frame or packet:

- **A broadcast**, where every device on the LAN hears the message. A broadcast is sent to every system in the broadcast domain. Example: an ARP request, which is used to find a MAC address given that device’s IP address. ARP requests use a destination MAC address of FF-FF-FF-FF-FF-FF. There is no IP header, as ARP exists at Layer 2. ARP replies, though, are unicast. Another example: a DHCP Discover message, which is how a DHCP client finds DHCP servers and starts negotiating for a lease.
- **A multicast**, where a single device sends a packet to a group of interested computers. Multicasts are used for things like streaming, gaming, and video conferencing. Instead of a server sending numerous unicast packets to all interested listening clients, a single multicast packet is sent from a server. Example: IGMP (Internet Group Management Protocol), used by hosts and routers on IPv4 networks. IPv6 networks use MLD (Multicast Listener Discovery) instead, which is part of ICMPv6.
- **A unicast**, where one device sends a message directly to another device.

### Segmentation and Interface Properties

Layer 2 switches allow for some creative setups for classifying, separating, and dealing with network traffic. VLANs break up broadcast domains, and STP prevents switching loops from happening. MAC address tables are used to cache address pairs. These concepts, as well as others discussed in this section, help make Layer 2 as efficient as possible.

#### VLANs

To provide a properly segmented network, various departments and components need to be placed into unique VLANs. VLANs provide much better control over the internetwork, with security and optimized performance. To create a VLAN, you take a single physical broadcast domain and chop it up into multiple broadcast domains.
What you’re really doing is programming the switch to associate any frames coming into a certain port with a specific VLAN. Yes, frames belong to a VLAN. The only membership used today is port-based VLANs, where the VLAN association is statically configured into the port’s configuration.

![](https://i.imgur.com/nouXIOB.png)

I’ll configure the ports on my single switch to be in one of two VLANs—VLAN 1 or VLAN 2. Now, broadcast traffic sent into the switch will not be sent out of all ports except the port on which the frame originated. If the frame is associated with VLAN 1, it will only be flooded out of ports also associated with VLAN 1. So VLANs will also cut down on the broadcast traffic, reducing the size of the broadcast domain as well.

A single switch configured into two VLANs is the simplest form of VLANs possible. More serious networks will have more than one switch. Let’s say you added a switch to a simple network. You’d like to keep VLAN 1 and VLAN 2, but use both switches. You can configure the new switch to use VLAN 1 and VLAN 2, but you’ve got to enable data to flow between the two switches, regardless of VLAN. That’s where trunking comes into play.

#### Trunking (802.1Q)

Trunking is the process of transferring VLAN traffic between two or more switches. Imagine two switches, each configured with a VLAN 1 and a VLAN 2. You configure a port on each switch as a **trunk port**, which is a port on a switch configured to carry all traffic, regardless of VLAN number, between all switches in a LAN.

![](https://i.imgur.com/aoApnJ5.png)

#### Tagging

In the early days of VLANs, Cisco had a proprietary form of tagging called Inter-Switch Link (**ISL**). Today, every Ethernet switch uses the **IEEE 802.1Q** tagging standard, which allows frames to be sent within a VLAN.
Workstations plug into access ports (regular ports that have been configured as part of a specific VLAN), which do the work of tagging traffic with the appropriate VLAN when frames enter the switch, and removing the tag when frames leave the switch. Note that access ports are ports, just like trunk ports, but configured for the opposite purpose. Access ports connect to workstations, while trunk ports connect to trunk ports on other switches. When the data enters the access port, the switch tags the frames with the appropriate VLAN.

#### Port mirroring

Many managed switches have the capability to copy data from any or all physical ports on a switch to a single physical port. Port mirroring is incredibly useful for any type of situation where an administrator needs to inspect packets coming to or from certain computers. There are two forms of port mirroring:

- **Local** port mirroring copies data from one or more ports on a single switch to a specific port on that switch. To monitor this data, you have to plug directly into the switch with the ports being monitored.
- **Remote** port mirroring enables you to access data copied from one or more specific ports on a switch without plugging directly into that switch, but rather into another one.

#### Switching Loops / Spanning Tree

Without proper controls in place, certain redundant connections would cause *switching loops*. The Ethernet standards body adopted **STP** (Spanning Tree Protocol) to eliminate the problem of potential switching loops. STP-enabled switches use a frame called a BPDU (bridge protocol data unit) to communicate with each other, to keep track of changes, and prevent potential loops on the network.

#### Power over Ethernet

WAPs support an IEEE standard (802.3af) called PoE (Power over Ethernet), which enables them to receive their power from the same Ethernet cables that transfer their data.
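The VLAN, trunking and tagging behaviour above, as an added example that is not part of these notes: a miniature VLAN-aware switch that associates frames arriving on an access port with that port's VLAN, learns source MAC addresses into a per-VLAN MAC address table, floods broadcasts and unknown destinations only to ports in the same VLAN, and inserts a real 802.1Q tag (TPID 0x8100 followed by the 16-bit TCI) when a frame leaves on a trunk. The `Switch` class, the port names (Fa0/1 to Fa0/4, Gi0/1) and the MAC addresses in the demo are constructed; the tag layout is the IEEE 802.1Q one.

```python
"""A VLAN-aware Layer 2 switch in miniature (added example, not from the notes).

Access ports associate incoming frames with their VLAN; the MAC address table
is learned from source addresses per VLAN; broadcasts and unknown unicasts are
flooded only within the frame's VLAN (plus trunks); frames leaving on a trunk
get an 802.1Q tag, frames arriving on a trunk must carry one.
"""
import struct

BROADCAST = "FF-FF-FF-FF-FF-FF"
ETHERTYPE_8021Q = 0x8100


def tag_8021q(vlan_id: int, pcp: int = 0) -> bytes:
    """The 4-byte 802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return struct.pack("!HH", ETHERTYPE_8021Q, tci)


def vlan_from_tag(tag: bytes) -> int:
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("not an 802.1Q tag")
    return tci & 0x0FFF


class Switch:
    def __init__(self, access_ports: dict, trunk_ports: set):
        self.access = dict(access_ports)   # port name -> VLAN id (port-based membership)
        self.trunks = set(trunk_ports)     # carry every VLAN, tagged
        self.mac_table = {}                # (vlan, mac) -> port the MAC was heard on

    def receive(self, in_port: str, src: str, dst: str, tagged_vlan=None) -> dict:
        """Process one frame; return {out_port: 802.1Q tag bytes or None if sent untagged}."""
        if in_port in self.access:
            vlan = self.access[in_port]        # the frame now belongs to the port's VLAN
        elif in_port in self.trunks:
            if tagged_vlan is None:
                raise ValueError("untagged frame received on trunk")
            vlan = tagged_vlan
        else:
            raise ValueError(f"unknown port {in_port}")
        self.mac_table[(vlan, src)] = in_port  # learn: source MAC lives behind in_port
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            target = self.mac_table[(vlan, dst)]
            targets = [] if target == in_port else [target]   # same port: nothing to forward
        else:
            # Broadcast or unknown destination: flood, but only within this VLAN.
            targets = [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)
        return {p: (tag_8021q(vlan) if p in self.trunks else None)
                for p in targets if p != in_port}


if __name__ == "__main__":
    sw = Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 2, "Fa0/4": 2}, {"Gi0/1"})
    print(sw.receive("Fa0/1", "AA-AA-AA-AA-AA-AA", BROADCAST))   # ARP request from VLAN 1
    print(sw.receive("Fa0/2", "BB-BB-BB-BB-BB-BB", "AA-AA-AA-AA-AA-AA"))
```

The first call shows the page's point about broadcast domains: the ARP request from Fa0/1 reaches Fa0/2 and the trunk (tagged VLAN 1) but never Fa0/3 or Fa0/4. The MAC address table is keyed by VLAN as well as MAC, so a host in VLAN 2 addressing a MAC that only exists in VLAN 1 gets a flood within VLAN 2, not a leak across it.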
#### DMZ and Firewall Placement

A **DMZ** (demilitarized zone) is an area of the network carved out by a single or multiple firewalls to provide a special place (a zone) on the network for any servers that need to be publicly accessible from the Internet. A **bastion host** is simply a machine that is fully exposed to the Internet. It sits outside any firewalls, or in a DMZ that is configured to provide no filtering of Internet traffic.

#### MAC Address Table

As it forwards all frames, a switch copies the source MAC addresses and the ports they were heard on, and quickly creates a table of the MAC addresses of each connected computer. The table is called *the MAC address table*.

#### ARP Table

Before a computer sends out any data, it first compares the destination IP address to its own IP address using the subnet mask. If the destination IP address matches the computer’s IP address wherever there’s a 1 in the subnet mask, then the sending computer knows the destination is local. The network IDs match. If even one bit of the destination IP address where the 1s are in the subnet mask is different, then the sending computer knows it’s a long-distance call. The network IDs do not match.

![](https://i.imgur.com/1F3Nkns.png)

Computer A’s and Computer B’s network IDs match! It’s a local call. Knowing this, Computer A can now send out an ARP request to determine Computer B’s MAC address. The Address Resolution Protocol (ARP) is how nodes discover the destination MAC address based on the destination IP address. Whenever a device wants to send to an IP address on another LAN, it knows to send the packet to the default gateway, the router interface responsible for sending packets from the network to other networks, and sending packets from other networks to the network.
To minimize the network traffic that ARP presents, especially ARP requests, which are broadcasts, each device maintains its own local ARP table (also known as the ARP cache), containing bindings of IP addresses to MAC addresses that were recently resolved. Before sending an ARP request, the source consults its ARP cache. If an entry exists, no ARP request is sent. If no entry exists, an ARP request is sent. Different operating systems have different algorithms for the length of time entries stay in this cache.

### Routing

Routes in routing tables come from two sources: *manually* entered or *dynamically* detected by the router. Routers have static routes. However, most routers also have the capability to update their routes dynamically, assuming they’re provided with the extra smarts in the form of *dynamic routing protocols*. Default routes are used by routers to forward packets to other routers, for any destination network not in a router’s routing table.

Routing tables contain a factor called a *metric*, which is a relative value that routers use when they have more than one route to get to another network. Dynamic routing protocols enable routers to update routing tables by communicating with other routers. If a router suddenly loses a connection, it checks alternative routes to the same network. It’s the role of the metric setting for the router to decide which route to use. The lowest metric always wins.

#### Distance vector

Distance vector routing protocols use one of several algorithms to determine the best route to other routers based on the cost (*distance*) and direction (*vector*). The simplest total cost sums the hops (the hop count) between a router and a network. A **hop** is defined as each time a packet goes through a router. Routers can use one of three distance vector routing protocols: **RIPv1**, which only considers hop count for its metric (with a maximum of 15) and uses broadcasting; **RIPv2**, which added VLSM and multicasting; or **EIGRP** from Cisco.
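The host-side decision described under the ARP table (compare the destination with your own address wherever the mask has a 1, ARP for a local destination or for the default gateway otherwise, and consult the ARP cache first) and the router-side decision described under Routing (longest matching route, lowest metric on a tie, default route as the fallback, otherwise drop and return an ICMP error) are two halves of one forwarding path. Here they are together as an added example that is not part of these notes. The `Host` and `Router` classes and every address, mask and metric in the demo are constructed values.

```python
"""Host and router forwarding decisions (added example, not from the notes).

Host side: decide local vs. remote under the subnet mask, then look in the
ARP cache for the address to be resolved (the destination, or the default
gateway for remote traffic). Router side: longest-prefix match, ties broken
by the lowest metric, with 0.0.0.0/0 acting as the default route.
"""


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses agree in every bit position where the mask has a 1."""
    m = ip_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


def prefix_len(mask: str) -> int:
    return bin(ip_to_int(mask)).count("1")


class Host:
    def __init__(self, ip: str, mask: str, gateway: str):
        self.ip, self.mask, self.gateway = ip, mask, gateway
        self.arp_cache = {}           # IP -> MAC for recently resolved addresses

    def next_hop(self, dst_ip: str) -> str:
        """Local destinations are ARPed directly; anything else goes to the default gateway."""
        return dst_ip if same_network(self.ip, dst_ip, self.mask) else self.gateway

    def resolve(self, dst_ip: str):
        """Return (address to resolve, cached MAC or None, whether an ARP request must be sent)."""
        hop = self.next_hop(dst_ip)
        mac = self.arp_cache.get(hop)
        return hop, mac, mac is None


class Router:
    def __init__(self):
        self.routes = []              # (network, mask, next_hop, metric)

    def add_route(self, network: str, mask: str, next_hop: str, metric: int = 0):
        self.routes.append((network, mask, next_hop, metric))

    def lookup(self, dst_ip: str):
        """Next hop for dst_ip, or None: the packet is dropped and ICMP unreachable is returned.

        A 0.0.0.0/0 entry matches everything with prefix length 0, so it only wins
        when no more specific route exists: that is the default route.
        """
        candidates = [r for r in self.routes if same_network(dst_ip, r[0], r[1])]
        if not candidates:
            return None
        # Longest prefix first; among equal prefixes the lowest metric wins.
        best = max(candidates, key=lambda r: (prefix_len(r[1]), -r[3]))
        return best[2]


if __name__ == "__main__":
    pc = Host("192.168.1.10", "255.255.255.0", "192.168.1.1")
    pc.arp_cache["192.168.1.1"] = "00-11-22-33-44-55"       # constructed gateway MAC
    print(pc.resolve("192.168.1.20"))   # local: ARP for the destination itself
    print(pc.resolve("8.8.8.8"))        # remote: gateway MAC already cached
    r = Router()
    r.add_route("10.0.0.0", "255.0.0.0", "10.255.255.1", metric=20)
    r.add_route("10.20.0.0", "255.255.0.0", "10.20.255.1", metric=110)
    r.add_route("10.20.0.0", "255.255.0.0", "10.20.255.2", metric=90)
    r.add_route("0.0.0.0", "0.0.0.0", "203.0.113.1", metric=1)
    print(r.lookup("10.20.5.5"), r.lookup("10.99.1.1"), r.lookup("8.8.8.8"))
```

Note the ordering in `lookup`: prefix length is compared before metric, so a /16 with metric 110 still beats a /8 with metric 20, and the default route's metric is irrelevant unless nothing else matches.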
EIGRP only sends updates on changes when they happen, and not the entire routing table at a predetermined interval. By default, it computes its metric using both the minimum bandwidth on the path to a destination network and the total delay on all links.

#### Link state

Link state dynamic routing protocols simply announce and forward individual route changes as they appear. So they are more efficient than RIP.

##### OSPF

Most autonomous systems use **OSPF** (Open Shortest Path First). It is faster and more efficient than RIP. OSPF’s metric is cost, which is a function of bandwidth. All possible ways to get to a destination network are computed based on this value called cost, which is proportional to bandwidth, which is proportional to the interface type (Gigabit Ethernet, 10 Gigabit Ethernet, etc.). The lowest total cost to a destination network is chosen.

#### Hybrid

**BGP** is a hybrid routing protocol, because it can be used both within your backbone routers and between your backbone routers and other AS routers. The explosive growth of the Internet in the 1980s required a fundamental reorganization in the structure of the Internet itself, and one big part of this reorganization was the call to make the “big” routers use a standardized dynamic routing protocol. What came out of the reorganization eventually was a multitiered structure. At the top of the structure sit many Autonomous Systems. An Autonomous System (**AS**) is one or more networks, controlled by a single organization (such as an ISP) whose routers are governed by a single dynamic routing policy, and often a single protocol within that AS. An Autonomous System, in addition to IP addresses, uses a special globally unique Autonomous System Number (**ASN**) assigned by IANA.

##### iBGP and eBGP

You can use BGP within an AS to propagate information learned from one BGP router to another BGP router.
That’s the purpose of **iBGP** (internal BGP). It’s not meant to be used like OSPF or EIGRP. Its only purpose is to have one of your backbone BGP routers tell your other backbone BGP routers what it knows. The reason is that the IGP running inside your AS, like OSPF, can now pick the best backbone BGP router to send traffic to, based on destination network. BGP on the interior, between your backbone exit routers (just to propagate AS information, and not to be used by the routers using an IGP, like OSPF, internally), is internal BGP (iBGP). BGP between your backbone router and routers in different autonomous systems is exterior BGP (eBGP).

Even though the CompTIA Network+ exam objectives list BGP as a hybrid routing protocol (because it can be used both within your backbone routers and between your backbone routers and other AS routers), it’s actually not a distance vector or link state protocol, but rather a path vector protocol. Path vector means that the exact path to destination networks is stored, instead of just the next-hop router IP address, which is what both distance vector and link state routing protocols store.

#### Routing Types

The three routing types are dynamic, static, and default. The aforementioned types (distance vector, link state and hybrid) are all types of dynamic routing, but static and default are also very important.

##### Dynamic Routing

Dynamic routing is when you tell the routers to communicate with each other, and have them learn about networks through a routing protocol like RIP, EIGRP, OSPF and BGP.

##### Static Routing

Static routing is when a network engineer manually enters next-hop IP addresses of adjacent routers to get to destination networks. For instance, your home network sends all traffic to your ISP’s router. There’s no need for your ISP’s router and your home router to exchange any routing table updates with BGP. If the link goes down, your traffic is not going to the Internet.
Therefore, there’s no need for your router to run BGP with your ISP’s router. Furthermore, your home router doesn’t have the power or storage capabilities needed by a router running BGP.

##### Default Routes

Default routes are used by routers to forward packets to other routers, for any destination network not in a router’s routing table. For example, if a router couldn’t determine a specific route for a destination IP address, because the destination network is not listed in the router’s routing table, the router would simply drop the packet and send an ICMP error message back to the source. A default route allows this router to pass the buck and send it to another router, which does the same thing, looking for a match in the routing table, either a matching route or a default route. Default routes on border routers inside companies usually point to the ISP’s router, for Internet-based traffic originating inside the autonomous system.

### IPv6 Concepts

#### IPv6 Addressing

An IPv6 address is a 128-bit address displayed in hexadecimal format and not the dotted decimal notation that is used by IPv4. The IPv6 address is divided into eight **hextets**, eight 16-bit groups that are separated by a colon (:), for example `65b3:b834:45a3:0000:0000:762e:0270:5224`.

The loopback address in IPv6 is 0:0:0:0:0:0:0:1 and can be shortened to ::1.

IPv6 uses three types of addresses:

- **Unicast** Used for one-to-one communication. The two main types of unicast addresses are:
  - **Global unicast address** A public IPv6 address that is routable on the Internet. The address assigned to the host must be unique on the Internet. This address type is equivalent to a public IP address with IPv4. This address always starts with a hex character of 2 or 3.
  - **Link-local unicast address** An address that’s automatically assigned to the system and is used to communicate only with other nodes on the link. Always starts with fe80. This address type is equivalent to an APIPA address (169.254.0.0/16) with IPv4.
  The big difference is that APIPA addresses are never desired in IPv4, because they indicate the inability to contact a DHCP server, and therefore a lack of routing capabilities. In IPv6, the link-local address is the actual address used for communicating with nodes on your same network.
- **Multicast** Used for one-to-many communication.
- **Anycast** Applied to a group of systems (sharing the same unicast IP address) providing a service. Clients that send data to the anycast address have their communication routed to the nearest server that’s a part of the address.

#### Tunneling

Some routers and DNS servers between your IPv6-capable computer and the other IPv6-capable computers to which you would like to connect are not yet ready for IPv6. Tunneling allows you to get past this restriction. Tunneling mechanisms: 6to4, 6rd, Teredo and Miredo.

#### Neighbor Discovery/Router Advertisement

Neighbor Discovery uses router advertisements to allow devices to give themselves IPv6 addresses. It is implemented through ICMPv6 (ICMP for IPv6). In the world of IPv4, you could filter some or all of ICMP and still have a functional network. You just can’t do that in IPv6. Neighbor Discovery Protocol, which is implemented through ICMPv6 (ICMP for IPv6), is a way of life for IPv6. ARP doesn’t exist in IPv6. Instead, two other NDP messages, neighbor solicitation and neighbor advertisement, are used to request and get a destination’s link layer (MAC) address, when just the IP address is known.

### Performance

On many advanced routers and switches, you can implement *QoS* through bandwidth management, such as *traffic shaping*, where you control the flow of packets into or out of the network according to the type of packet or other rules. When we talk about QoS, we need to develop the concept of differentiated services (*DiffServ*). DiffServ is the underlying architecture that makes QoS work.
#### NAT/PAT

The most common form of NAT, called Port Address Translation (**PAT**), uses port numbers to map traffic from specific machines in the network. The mapping of internal IP address and port number to a translated IP address and port number enables perfect tracking of packets out and in.

![](https://i.imgur.com/AvOioIk.png)

A **socket** is a concatenation of an IP address and port number.

#### Port forwarding

NAT for network address translation only works for *outgoing* communication. For traffic originating outside the network to access an internal machine, such as a Web server hosted inside your network, you need to use other technologies such as port forwarding. With **port forwarding**, you can designate a specific local address for various network services. Computers outside the network can request a service using the public IP address of the router and the port number of the desired service. The port-forwarding router would examine the packet, look at the list of services mapped to local addresses, and then send that packet along to the proper internal machine.

#### Access Control Lists

An **ACL** (Access Control List) is a collection of statements applied to an interface that can permit or deny traffic. Standard ACLs can filter based on just source IP address, which can be a host’s 32-bit address, a subnet ID, or a major classful network. Extended ACLs can filter by source IP address, destination IP address, protocol, and port. What you might find on a Cisco router:

```
access-list 10 deny 10.11.12.0 0.0.0.255
access-list 20 permit any
```

The beginning of the first line, `access-list 10`, tells Cisco IOS that we want to create an ACL and its number is 10 (in addition to numbered ACLs, named ACLs are also supported). The end of the first line, `deny 10.11.12.0 0.0.0.255`, is the actual rule we want the firewall to apply. In this case, it means deny all traffic from the 10.11.12.0/24 subnet.
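The PAT table, the port-forwarding entry and the standard ACL described in the last three subsections fit together on one edge router, so here they are as one added example that is not part of these notes. The `PatRouter` class and the `parse_acl` / `acl_decision` helpers are constructed for the demo; the ACL syntax parsed is the Cisco IOS form shown above (`access-list <number> permit|deny <address> <wildcard>`, plus the `any` and `host` keywords), evaluated the way IOS does it: top-down, first match wins, and an implicit deny at the end. The wildcard mask is the inverse of a subnet mask, so `0.0.0.255` means "the first three octets must match, the last is ignored". All IP addresses and ports are constructed values.

```python
"""Edge router model: PAT, port forwarding and a standard ACL (added example, not from the notes)."""


def ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def acl_match(ip: str, address: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored (0.0.0.255 = a /24)."""
    w = ip_int(wildcard)
    return (ip_int(ip) | w) == (ip_int(address) | w)


def parse_acl(lines) -> dict:
    """Group 'access-list <n> permit|deny <addr> [wildcard]|any|host <addr>' lines by ACL number."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"bad ACL line: {line!r}")
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if parts[3] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"      # every bit ignored
        elif parts[3] == "host":
            addr, wc = parts[4], "0.0.0.0"               # every bit must match
        else:
            addr, wc = parts[3], (parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append((action, addr, wc))
    return acls


def acl_decision(entries, src_ip: str) -> bool:
    """First matching statement wins; a source matching nothing hits the implicit deny."""
    for action, addr, wc in entries:
        if acl_match(src_ip, addr, wc):
            return action == "permit"
    return False


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> public port
        self.in_map = {}    # public port -> (inside_ip, inside_port), dynamic and static entries

    def forward_port(self, public_port: int, inside_ip: str, inside_port: int):
        """Static port-forwarding entry so outside clients can reach an internal server."""
        self.in_map[public_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip: str, inside_port: int):
        """Translate an inside socket to (public_ip, port), allocating a port on first use."""
        key = (inside_ip, inside_port)
        if key not in self.out_map:
            while self.next_port in self.in_map:         # never reuse a forwarded port
                self.next_port += 1
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out_map[key]

    def inbound(self, public_port: int):
        """Inside socket for a packet arriving at public_ip:port; None means it is dropped."""
        return self.in_map.get(public_port)


if __name__ == "__main__":
    acl = parse_acl(["access-list 10 deny 10.11.12.0 0.0.0.255", "access-list 10 permit any"])
    print("10.11.12.77 permitted by ACL 10:", acl_decision(acl[10], "10.11.12.77"))
    r = PatRouter("203.0.113.5")
    r.forward_port(443, "192.168.1.50", 443)                # internal web server
    print(r.outbound("192.168.1.10", 51000), r.inbound(443), r.inbound(9999))
```

Two details carry the security point. In `acl_decision`, a source that matches no statement is denied, so an ACL consisting only of `deny` lines blocks everything; the `permit any` has to be explicit. In `PatRouter.inbound`, an unsolicited packet to a port with no mapping returns `None` and is dropped, which is why a server inside needs the static entry and why the dynamic allocator skips ports already reserved for forwarding.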