Reducing the amount of broadcast traffic on a network is a key way to improve the network’s overall performance. One of the best ways to do that is to segment the network in a way that splits up the broadcast domains. There are two ways to do this: by using routers, which are described in the next section, or by using VLANs, which are described later in this chapter, in the “Understanding VLANs” section.
Managed and unmanaged switches
Most advanced switches have management features built into them, which means that you can monitor and configure the switch remotely, usually by logging in to a web console. To accomplish this, the switch has a small web server built into it to provide the management console. In addition, the switch itself must have an IP address.
In contrast, inexpensive consumer-grade switches that you would purchase at a retail store are usually unmanaged switches. Unmanaged switches are often appropriate for small networks, but if you have more than a few dozen computers on your network, I suggest you invest in managed switches to give you more control over your network.
With a managed switch, you can monitor traffic over the switch, which can be useful when troubleshooting network issues. In addition, you can often configure certain functions for each port of the switch. Among the most important features you can configure are VLANs, which allow you to actually create separate layer-2 networks on a single switch. I cover VLANs in greater detail later in this chapter, in the “Understanding VLANs” section.
Understanding Routers
A router is a layer-3 device, which means it works at the network layer of the OSI Reference Model. In practical terms, that means that routers know about IP addresses. At least one router is a vital component of any modern network.
A router differs from a switch in the following ways:
Switches work with MAC addresses and know nothing about IP addresses. In contrast, routers work with IP addresses.
Routers can facilitate communication between IP networks with different subnets. For example, if your organization has a 10.0.100.x network and a 192.168.0.x network, a router can enable packets to get from the 10.0.100.x network to the 192.168.0.x network, and vice versa. A switch can’t do that. (For more about subnets, refer to Book 2, Chapter 3.)
Routers also enable a private network to communicate with the Internet. For example, suppose you want to connect your network to the Internet via a broadband cable provider such as Comcast. The cable provider will give you a network interface that has a public IP address. You must then use a router to exchange packets from your private network to the Internet via the public IP address. A switch can’t do that for you.
Switches split up collision domains. The segments created by switches are still part of the same broadcast domain. In contrast, routers split up broadcast domains. So, broadcast packets do not cross the boundaries created by routers. (Actually, as I explain in the “Understanding VLANs” section, later in this chapter, switches can also break up broadcast domains.)
Switches typically have a large number of ports — often as many as 48 in a single switch. Routers usually have fewer ports, typically between two and eight. (However, routers for very large networks may have many more ports. For example, Cisco makes a router that can accommodate as many as 256 ports in a single chassis.)
The basic operation of a router is fairly simple. Consider the simple network depicted in Figure 3-3. Here, an organization has two separate IP networks, one using a 10.0.100.x subnet and the other using 192.168.0.x. (In both cases, the subnet mask is 255.255.255.0. Again, for more information about subnetting, refer to Book 2, Chapter 3.) A router is used to connect these two networks. On either side of the router is a switch, and each switch has just one computer connected. On the 10.0.100.x side, the computer’s IP address is 10.0.100.50. On the 192.168.0.x side, the computer’s IP address is 192.168.0.50. (For simplicity, I only show one computer connected to the switches on either side of the router, but in the real world there would probably be many more.)
FIGURE 3-3: Two IP networks connected by a router.
Now suppose that the computer on the left side of the figure (10.0.100.50) needs to send a packet over to the computer on the right side of the figure (192.168.0.50). The sending computer forms the packet and sends it to Switch 1. Switch 1, in turn, sends the packet to the router. The router examines the destination IP address and determines that the destination computer is on the 192.168.0.x network, so it forwards the packet over to Switch 2. Switch 2, in turn, forwards the packet to the destination computer.
Note that this exchange is actually considerably more complicated than the previous description lets on. For one thing, the switches — which don’t know about IP addresses — must determine the MAC addresses not only of the sending and receiving computers, but also of the router. And the router must also know the MAC addresses of the two switches. You’ll learn more about how this type of routing actually happens in Book 2, Chapter 4. But for now, I think you get the general idea.
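The forwarding decision in Figure 3-3, worked through as an added example (this code is not from the book): a host checks whether the destination is on its own subnet and otherwise hands the packet to its gateway; the router then picks the egress interface whose connected network contains the destination, and drops anything it has no route for. The router's interface addresses (.1 on each side) are assumptions, since the figure does not give them; the example also shows that a broadcast never crosses the router.

```python
import ipaddress

# Constructed topology from Figure 3-3: one router interface on each /24 network.
# The .1 interface addresses are assumptions; the book does not state them.
ROUTER_INTERFACES = {
    "eth0": ipaddress.ip_interface("10.0.100.1/24"),
    "eth1": ipaddress.ip_interface("192.168.0.1/24"),
}

def host_next_hop(src_iface, dst, gateway):
    """Host decision: deliver directly if dst is on the host's own subnet,
    otherwise send the packet to the configured gateway (the router)."""
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_address(dst)
    if dst in src.network:
        return "direct", str(dst)
    return "gateway", gateway

def router_forward(ingress, dst):
    """Router decision: return the egress interface whose connected network
    contains dst, or None if there is no route (the packet is dropped)."""
    dst = ipaddress.ip_address(dst)
    ingress_net = ROUTER_INTERFACES[ingress].network
    # Broadcasts stay inside their broadcast domain: a router never forwards them.
    if dst in (ingress_net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return None
    # Longest-prefix match over the connected networks (both /24 here).
    best = None
    for name, iface in ROUTER_INTERFACES.items():
        if dst in iface.network and (
            best is None
            or iface.network.prefixlen > ROUTER_INTERFACES[best].network.prefixlen
        ):
            best = name
    return best

def trace(src_iface, gateway, dst):
    """Walk a packet from a host through the router and return the hops taken."""
    hops = [str(ipaddress.ip_interface(src_iface).ip)]
    mode, next_hop = host_next_hop(src_iface, dst, gateway)
    if mode == "direct":
        return hops + [str(dst)]
    hops.append(f"router:{next_hop}")
    ingress = next(n for n, i in ROUTER_INTERFACES.items() if str(i.ip) == next_hop)
    if router_forward(ingress, dst) is None:
        return hops + ["dropped"]
    return hops + [str(dst)]
```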
The following sections describe a few of the other features commonly provided by routers.
Network address translation
When a router is used to connect a private network to the Internet, one of the router’s most important functions is routing traffic from all the computers on the private side of the router to the public side, which usually has just a single public IP address. To accomplish this magic, the router uses network address translation (NAT).
In short, when a computer on the private side of the network sends a packet through the router to the Internet, the router substitutes its own public IP address as the sender address, and keeps track of the fact that it sent a packet on behalf of a computer on the private side. When the recipient on the Internet receives the packet, it sees that the sender was the router. It then sends a response back to the router, which then substitutes the original sender’s private IP address for the destination address and forwards the packet to the correct computer on the private network.
For more information about NAT, see Book 2, Chapter 3.
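The substitution described above, as an added example that is not part of the book: a small NAT router that rewrites the source of outbound packets to its public address, remembers who it sent on behalf of, and rewrites the destination of the matching reply. It goes one step beyond the text by also translating the source port (the port-based NAT that home routers actually use), which is what lets many private hosts share a single public address; the IP addresses, ports and the 40000 starting port are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Port-based NAT: many private hosts share one public IP address.
    The router rewrites the source of outbound packets and keeps a mapping
    so that the reply can be delivered to the right private host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed starting value
        self.table = {}    # (private_ip, private_port) -> public_port
        self.reverse = {}  # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Private -> Internet: replace the private source with the router's
        public address and a port that identifies this private host/port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> private: look up the public port and restore the private
        destination. Returns None (packet dropped) when no private host asked
        for this traffic, which is why unsolicited inbound packets never reach
        the private network."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.reverse.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
```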
Virtual private network
A virtual private network (VPN) is a secure connection between two private networks over a public network (in other words, over the Internet). All the data that flows over the VPN is encrypted, so anyone who steals packets from the VPN will find them unintelligible; only the parties on either end of the VPN are able to decrypt the packets.
VPN connections are often called tunnels, because they provide an isolated pathway from one point to another through the Internet. The only way to gain meaningful access to a VPN tunnel is at either end.
There are two common uses for VPNs: