TCP/IP Networking Resources

The OSI Model

This idealized model organizes any look at network protocols. Remember this by reading from bottom to top:

Mnemonic    Layer
            Application
People's    Presentation
Sales'      Session
Take        Transport
Not         Network
Do          Data-Link
Please      Physical

Application: Let's be honest: the top three layers are pretty much just academic. Practical implementations like TCP/IP leave this to the application itself. Some network applications like NFS really have seven or so layers, analogous to these, but they are the exception!

Transport: Deals with end-to-end process addressing using ports. TCP is a connection-oriented protocol, UDP is a message-passing protocol.

Network: Routes a packet from its source to its destination, including hops through routers across multiple networks. IP is the protocol.

Data Link: Uses hardware addresses (also called MAC addresses or physical addresses) to transmit a frame across a network link.

Physical: Physics and electrical engineering — how to modulate electrical signals and photons to send zeros and ones.

Both of these last two layers are done in the network interface. ARP is the protocol mapping between IP addresses and MAC addresses.

Understanding the Protocols

Quick Overview of Protocol Header Structures

The protocols are defined by RFCs and those RFCs can be found at rfc-editor.org and tools.ietf.org/html.

These organizations design protocols, identify standards, and define and disseminate The Truth:
Internet Engineering Task Force (IETF)
Internet Assigned Numbers Authority (IANA)
Internet International Ad-Hoc Committee
Internet Society (ISOC)
Institute of Electrical and Electronics Engineers (IEEE)

Here are some of the books on my shelf:

Internetworking with TCP/IP, Volume 1, Douglas Comer, Prentice Hall. This is a very readable description of the major components (and many of the minor ones) of the TCP/IP internetworking protocol suite. Comer's book is the best place to start.

TCP/IP Illustrated, Volume 1, W. Richard Stevens, Addison-Wesley. A bit tough for an introduction, but a good one to follow Comer's book with lots more details. Comer's book is readable, this is more like an encyclopedia.

DNS and BIND, Paul Albitz and Cricket Liu, O'Reilly and Associates. Since you use DNS, use it correctly!

Managing IP Networks with Cisco Routers, Scott M. Ballew, O'Reilly and Associates. And use those routers correctly, too!

Interconnections: Bridges and Routers, Radia Perlman, Addison-Wesley. Loads of details on routing algorithms and protocols.

Typical racks of network equipment: switches, routers, and WAN interfaces.

Physical / Data Link Layers

Network and Telecommunication Cables

Undersea Cables

The interactive Submarine Cable Map is a great resource for investigating undersea cables.

Cisco Catalyst 2900 XL Ethernet switch disassembly and repair

IEEE OUI assignments Organizationally Unique Identifiers, or Ethernet MAC address manufacturer codes.

WLAN link specifications

WAN link specifications

Ethernet Infrastructure

Modern switched networks are built in a multi-tier architecture. It may be as simple as spine switches at the core and leaf switches for the host connections.

A three-tier architecture uses core, distribution (or aggregation), and access switches. The core switches at, well, the core of your network, distribution switches in data centers, and access switches for host connections.

A top-of-rack or TOR model has an access switch in each rack. Not necessarily at the top! All the servers in that rack connect to the TOR switch. It then connects to a distribution switch for a row of racks, which then connects to a core switch. If the inter-switch connections are fibre, the architecture is somewhat "future-proofed" or "upgrade-proofed" — if you upgrade the TOR access switches, it's a simple replacement.

An end-of-rack or EOR model connects all the servers in all the racks in that row directly to a distribution switch at the end of the row. The advantage is that there is one less switch in the end-to-end connection, and a little less latency. The disadvantage is that the cabling is much more difficult to manage.

Ethernet 5-4-3 rule (the IEEE way)

The rule was needed in the days of 10BASE5 and 10BASE2 bus topologies built from coaxial cable, as the Ethernet standard required that a signal reach every part of the network within a specified time:

Modern switched Ethernet LANs are exempt from the 5-4-3 rule because switches have buffers to temporarily store frames and all nodes can access a switched Ethernet LAN simultaneously.

Network Layer — IP — Internet Protocol

A rack of Cisco 3600 and 2600 routers forwarding packets based on their destination IP addresses.

Understanding IP Addressing

In order to understand IP addresses, netmasks, subnet design, VLSM, CIDR, etc., you should read this paper: Understanding IP Addressing: Everything You Ever Wanted To Know.

IP Address Assignment Authorities

The Internet Assigned Numbers Authority handles global coordination of the DNS root servers and IP address allocation.

North and South America: ARIN, the American Registry of Internet Numbers, has a page listing the IP address space allocated to ARIN.

Latin America and Caribbean: LACNIC, or Latin American and Caribbean Internet Addresses Registry.

Europe: RIPE, Reseaux IP Europeens, is the European authority.

Asia and Pacific: APNIC, Asia Pacific Network Information Center, is the Asia-Pacific authority.

Africa: AfriNIC is the Africa IP address registry.

Click here for a list of all Class A networks

U.S. Government/Military — The U.S. Department of Defense Network Information Center is no longer accessible to non-DoD users.

Here is information on your IP address block — a lookup of the DNS PTR record, the network assignment and possibly some routing information:

client IP address information

Block Countries

This archive of country IP block lists in CIDR format lets you block traffic or email on a country-by-country basis.

The IP2location site has a tool that will build rules to block traffic by country. It supports Cisco ACLs, Linux iptables, Apache .htaccess, and more.

Slash Versus Dotted-Quad Notation

The key to all this is the following relations of decimal versus binary:

Decimal   Binary     How the binary is built
0         00000000
128       10000000   128
192       11000000   128 + 64
224       11100000   128 + 64 + 32
240       11110000   128 + 64 + 32 + 16
248       11111000   128 + 64 + 32 + 16 + 8
252       11111100   128 + 64 + 32 + 16 + 8 + 4
254       11111110   128 + 64 + 32 + 16 + 8 + 4 + 2
255       11111111   128 + 64 + 32 + 16 + 8 + 4 + 2 + 1

Given that, we can build the following table of netmasks:

Useful only for CIDR      Useful for subnets of /8,   Useful for subnets of /8 or   Useful for subnets
blocks of any networks    or for CIDR blocks of       /16, or for CIDR blocks of    of any networks
                          /16 and /24 networks        /24 networks
/0   0.0.0.0              /8   255.0.0.0              /16  255.255.0.0              /24  255.255.255.0
/1   128.0.0.0            /9   255.128.0.0            /17  255.255.128.0            /25  255.255.255.128
/2   192.0.0.0            /10  255.192.0.0            /18  255.255.192.0            /26  255.255.255.192
/3   224.0.0.0            /11  255.224.0.0            /19  255.255.224.0            /27  255.255.255.224
/4   240.0.0.0            /12  255.240.0.0            /20  255.255.240.0            /28  255.255.255.240
/5   248.0.0.0            /13  255.248.0.0            /21  255.255.248.0            /29  255.255.255.248
/6   252.0.0.0            /14  255.252.0.0            /22  255.255.252.0            /30  255.255.255.252
/7   254.0.0.0            /15  255.254.0.0            /23  255.255.254.0            /31  255.255.255.254

Note that not all combinations are really useful; apply the following exceptions. /0 (0.0.0.0) isn't useful for much of anything at all. Plus, those CIDR blocks represented by the rest of the first column are awfully big! You probably won't encounter them unless you're running a backbone or selling IP space to a continent. /8, /16, and /24 (255.0.0.0, 255.255.0.0, and 255.255.255.0) define the classful /8, /16, and /24, or Class A, B, and C, respectively. They cannot define subnets of their own classful nets. /15, /23, and /31 (255.254.0.0, 255.255.254.0, and 255.255.255.254) cannot define subnets of /8, /16, and /24 nets, respectively, as that would only allow one bit for the host number, and that is not allowed by the RFCs.

Really Simple CIDR Block Rule

CIDR is an acronym for Classless Inter-Domain Routing, and relates to higher level abstractions of IP address blocks.

To answer the question, "Does this set of classful network addresses form a CIDR block", instead answer the following question.
Is there a netmask /X such that:

If so, the answer is "Yes", and the CIDR block description is the first network address followed by /X.

As an example, this is a CIDR block, divided as indicated:

                     network bits (22 constant)   varying   host bits
200.201.200.0/24  =  1100 1000  1100 1001  1100 10   00        xxxx xxxx
200.201.201.0/24  =  1100 1000  1100 1001  1100 10   01        xxxx xxxx
200.201.202.0/24  =  1100 1000  1100 1001  1100 10   10        xxxx xxxx
200.201.203.0/24  =  1100 1000  1100 1001  1100 10   11        xxxx xxxx
CIDR block = 200.201.200.0/22

But this is not a CIDR block:

                     network bits (21 constant)   varying   host bits
200.201.201.0/24  =  1100 1000  1100 1001  1100 1    001       xxxx xxxx
200.201.202.0/24  =  1100 1000  1100 1001  1100 1    010       xxxx xxxx
200.201.203.0/24  =  1100 1000  1100 1001  1100 1    011       xxxx xxxx
200.201.204.0/24  =  1100 1000  1100 1001  1100 1    100       xxxx xxxx

The above is not a CIDR block, because not all eight possible combinations of the last three bits of the classful network designations are used: 000, 101, 110 and 111 are missing. But this shows us what would have to be added to make it a CIDR block:

                     network bits (21 constant)   varying   host bits
200.201.200.0/24  =  1100 1000  1100 1001  1100 1    000       xxxx xxxx   added!
200.201.201.0/24  =  1100 1000  1100 1001  1100 1    001       xxxx xxxx
200.201.202.0/24  =  1100 1000  1100 1001  1100 1    010       xxxx xxxx
200.201.203.0/24  =  1100 1000  1100 1001  1100 1    011       xxxx xxxx
200.201.204.0/24  =  1100 1000  1100 1001  1100 1    100       xxxx xxxx
200.201.205.0/24  =  1100 1000  1100 1001  1100 1    101       xxxx xxxx   added!
200.201.206.0/24  =  1100 1000  1100 1001  1100 1    110       xxxx xxxx   added!
200.201.207.0/24  =  1100 1000  1100 1001  1100 1    111       xxxx xxxx   added!
CIDR block = 200.201.200.0/21
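The slash-to-dotted-quad conversion and the Really Simple CIDR Block Rule, worked in code. This is an added example, not code from the original page; the inputs in the usage block are the networks from the binary layouts above, and the function names are my own.

```python
from ipaddress import IPv4Network


def slash_to_dotted_quad(x):
    """Netmask /x as a dotted quad: the leftmost x bits set, built the way
    the decimal/binary table builds 128, 192, 224, ... within each octet."""
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_block(networks):
    """Apply the Really Simple CIDR Block Rule to 'a.b.c.d/len' strings that
    share one prefix length.

    Returns (block, missing): block is the first network address followed by
    /X, where X counts the leading bits every listed network shares; missing
    lists the same-length networks the block covers that were not given, so
    the input is a CIDR block exactly when missing is empty.
    """
    nets = sorted(IPv4Network(n) for n in networks)
    lengths = {n.prefixlen for n in nets}
    if len(lengths) != 1:
        raise ValueError("all networks must have the same prefix length")
    plen = lengths.pop()
    first = int(nets[0].network_address)
    last = int(nets[-1].network_address)
    # Shorten X until the lowest and highest addresses agree on their first
    # X bits; every address in between then agrees on them too.
    x = plen
    while x > 0 and (first >> (32 - x)) != (last >> (32 - x)):
        x -= 1
    block = IPv4Network(((first >> (32 - x)) << (32 - x), x))
    expected = block.subnets(new_prefix=plen)
    missing = [str(n) for n in expected if n not in nets]
    return str(block), missing


if __name__ == "__main__":
    # Constructed inputs: the two sets of /24 networks from the layouts above.
    print(cidr_block(["200.201.200.0/24", "200.201.201.0/24",
                      "200.201.202.0/24", "200.201.203.0/24"]))
    print(cidr_block(["200.201.201.0/24", "200.201.202.0/24",
                      "200.201.203.0/24", "200.201.204.0/24"]))
```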

A VLSM Example

VLSM stands for Variable Length Subnet Mask, and is used with CIDR.

The best place to look is the 3com paper (see above), but here's a fairly simple example. Let's say you're allocated the 200.201.202.0/24 address space, and you have to address hosts on twelve networks with the host counts shown in the table below.

Assign the addresses as below, where bits marked "x" can take all possible patterns other than all zeros and all ones.

IP addresses, binary (200.201.202.???)     Net base address    Number of hosts   Host final octets
1100 1000 1100 1001 1100 1010 01xx xxxx    200.201.202.64      62                65-126
1100 1000 1100 1001 1100 1010 10xx xxxx    200.201.202.128     62                129-190
1100 1000 1100 1001 1100 1010 001x xxxx    200.201.202.32      30                33-62
1100 1000 1100 1001 1100 1010 110x xxxx    200.201.202.192     30                193-222
1100 1000 1100 1001 1100 1010 1110 xxxx    200.201.202.224     14                225-238
1100 1000 1100 1001 1100 1010 0001 xxxx    200.201.202.16      14                17-30
1100 1000 1100 1001 1100 1010 0000 01xx    200.201.202.4       2                 5-6
1100 1000 1100 1001 1100 1010 0000 10xx    200.201.202.8       2                 9-10
1100 1000 1100 1001 1100 1010 0000 11xx    200.201.202.12      2                 13-14
1100 1000 1100 1001 1100 1010 1111 00xx    200.201.202.240     2                 241-242
1100 1000 1100 1001 1100 1010 1111 01xx    200.201.202.244     2                 245-246
1100 1000 1100 1001 1100 1010 1111 10xx    200.201.202.248     2                 249-250

Final octet for host addresses on each network:
     Minimum = final octet of base address plus one
     Maximum = final octet of base address plus number of hosts
Final octet for broadcast on each net:
     Broadcast = final octet of base address plus one plus number of hosts
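The same VLSM carve-up done by a largest-first allocator, applying the minimum, maximum and broadcast rules just stated. This is an added example, not code from the original page; it assumes the parent is a /24 (so final octets are reported) and places subnets in descending size order from the start of the block, which gives the same subnet sizes as the table above but at different base addresses.

```python
from ipaddress import IPv4Network


def host_bits(hosts):
    """Smallest number of host bits h with 2**h - 2 >= hosts; the all-zeros
    and all-ones host patterns are reserved, so a /30 serves only 2 hosts."""
    h = 1
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def allocate_vlsm(parent, host_counts):
    """Carve one subnet per host count out of parent, e.g. '200.201.202.0/24'.

    Largest requirement first, so every subnet starts on a boundary that is a
    multiple of its own size. Returns one dict per requirement, in the order
    the counts were given, with final-octet values as in the table above.
    """
    net = IPv4Network(parent)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    results = {}
    for idx, hosts in sorted(enumerate(host_counts), key=lambda p: -p[1]):
        h = host_bits(hosts)
        size = 2 ** h
        cursor = (cursor + size - 1) // size * size      # align up to size
        if cursor + size > end:
            raise ValueError(f"{hosts} hosts do not fit in {parent}")
        base, usable = cursor, size - 2
        results[idx] = {
            "network": str(IPv4Network((base, 32 - h))),
            "base": base & 0xFF,                          # final octet
            "min": (base & 0xFF) + 1,                     # base + 1
            "max": (base & 0xFF) + usable,                # base + hosts
            "broadcast": (base & 0xFF) + 1 + usable,      # base + 1 + hosts
            "usable_hosts": usable,
        }
        cursor += size
    return [results[i] for i in range(len(host_counts))]


if __name__ == "__main__":
    # Constructed input: the twelve host counts from the table above.
    for row in allocate_vlsm("200.201.202.0/24",
                             [62, 62, 30, 30, 14, 14, 2, 2, 2, 2, 2, 2]):
        print(row)
```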

Inadequately theoretical for you? Then read the paper by Mikail Atallah and Doug Comer.


What is IPsec?

See my simple explanation of what IPsec is, what cryptographic security it provides, and a little about how to set it up. For more details:
RFC 4301 — Security Architecture for the Internet Protocol
RFC 4302 — IP Authentication Header
RFC 4303 — IP Encapsulating Security Payload (ESP)
RFC 4306 — Internet Key Exchange (IKEv2) Protocol

Multicast and Anycast

Assigned multicast addresses and address blocks

RFC 1112 describes how to do multicast.

Anycast, on the other hand, is described in RFC 1546 and RFC 4786.


RFC 2460 is the formal specification of IPv6 or Internet Protocol, Version 6. RFC 4291 defines the IPv6 addressing architecture. And RFC 2461, RFC 2462, RFC 2463, RFC 2464, RFC 2465, RFC 2466, RFC 2471, and RFC 2473 specify various details and applications of IPv6.


See the NSA's US Patent 6,947,978, "Method for Geolocating Logical Network Addresses". It builds a network latency topology map using latency to and between known nodes.

Routing, NAT, and DNS

Check the current Internet backbone activity with the Internet Traffic Report. It monitors the flow of data around the world and displays a value between zero and 100. Higher values indicate faster and more reliable connections.

Cisco 2514 router, Cisco 2912XL Catalyst switch, Cisco 4500 router

How routing works
How NAT (Network Address Translation) works


DNS security issues — how DNS should work, exploits based on stateless DNS, and the Kaminsky DNS Vulnerability.

Mapping DNS to geographic information with IP2geo, cities.lk.net, and dns-loc.

The standard introductory RFCs to read, for the truth about DNS, are RFC 1034 and RFC 1035. Also see:

Other great DNS and BIND documents are at isc.org and Team Cymru's Secure BIND Template.

You can get BIND at isc.org.

Transport Layer — TCP and UDP

IANA maintains the list of all the assigned TCP/UDP port numbers.

The netstat command gives you loads of information on a machine's network communications: listening TCP ports, currently active sockets, etc. It's available under Linux, Unix, Apple OS X, and Windows, but the precise format of the output varies between operating systems. Here are some examples of netstat -s output.

Cisco Router Simulators

Dynamips, the Cisco 7200 simulator itself.

VNUML (Virtual Network User Mode Linux), the Linux simulator.

Odds & Ends

TCP/IP Haikus

I was working on this networking project in Japan, and ... Click here to be subjected to them.

Client IP / OS / Browser Identification

A demonstration of how a PHP script on the server can read and reformat the connection information and the client's request: moanmyip.com.

RouterGod Magazine

Including Jessica Simpson's thoughts on open-source routers, Gillian Anderson's on LAN switching, Elizabeth Hurley on the Cisco 2600 series routers, Mr Rogers on the RS-232 standard, and other really odd stuff: routergod.com.

History of the Internet

If you're curious, look here:
The history of the Internet
The isoc.org Internet history
Also, see RFC 2235

Just What Is A "Daemon", Anyway?

According to the Oxford English Dictionary, it is "an attendant, ministering, or indwelling spirit." Socrates wrote of his daemon as his inner spirit. The designers of daemons in Linux/Unix (a concept later ported to most other operating systems) intended this meaning, as pointed out in some manual pages. It's an uncommon word these days; we usually use the Arabic djinn, now often spelled genie, when we're talking about what used to be called a daemon in the Middle Ages.