Data encapsulations

When an application such as telnet wants to send data, the data is sent to the TCP module at the transport layer, and TCP assigns a port number to the local and remote ends of the telnet session, allowing TCP to determine the session to which received data is to be delivered. IP receives data from, or delivers data to, the UDP or TCP module, depending on the transport protocol the application uses; the protocol field in the IP header records which one.


Finally, an ethernet frame contains an identifier (the type field) that identifies the network layer protocol from which it received the data, or the network layer protocol to which it should deliver the data.


To illustrate the interaction between the different layers in the OSI model, we will follow the flow of data from one host to another (see Figure 1-3). Assume we are running a telnet session between two hosts. User data is generated at the application layer and is then passed down the protocol stack to the TCP module in the transport layer. The TCP layer uses an identifier for the session (the port numbers), which is contained in the TCP header, and passes the TCP segment to the IP module at the network layer. IP then tags the packet as a TCP or UDP packet in the protocol field of the IP header. When the packet is received at the data link layer, an ethernet frame is constructed with an ethernet header and trailer. The header, among other things, contains a field tagging the frame as one that carries IP data. Finally, the frame is passed to the physical layer for transmission onto the network media.


When the ethernet frame is received by the remote host, the data link ethernet module strips off the ethernet header and trailer after determining that this frame carries IP data and passes the data to the IP module in the network layer. IP determines if the packet is a TCP or UDP packet and passes it to the appropriate module at the transport layer. Finally, TCP extracts the user data and sends it to the proper user process.
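The telnet exchange traced above, as an added example in Python that is not part of the original text: it builds the TCP, IP and ethernet headers around a sample payload and then demultiplexes the frame using only the identifier each layer carries (the ethernet type field, the IP protocol field and the TCP ports). The addresses, MACs and payload are constructed sample values, and the TCP header is deliberately minimal (no options, checksum left zero) because the point is the demultiplexing fields, not a transmittable segment.

```python
"""Added example (not from the original text): encapsulate telnet data down
the TCP/IP stack and demultiplex the resulting ethernet frame back up,
choosing the next module from each layer's identifier field.
Addresses, MACs and payload are constructed sample values."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800   # ethernet type field: the frame carries IPv4
IPPROTO_TCP = 6           # IP protocol field: the packet carries TCP
IPPROTO_UDP = 17          # IP protocol field: the packet carries UDP
TELNET_PORT = 23          # well-known TCP port of the telnet server


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IP header (RFC 1071). Returns 0 when
    a header that already carries its checksum verifies correctly."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(user_data: bytes, src_port: int, dst_port: int,
                src_ip: str, dst_ip: str, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Application -> TCP -> IP -> ethernet; each layer prepends its header."""
    # Transport layer: the port pair identifies the session. Minimal header:
    # 5 words, PSH|ACK, no options, TCP checksum left zero for brevity.
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0,
                      (5 << 12) | 0x18, 8192, 0, 0) + user_data
    # Network layer: the protocol field tags the payload as TCP.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                            0, 64, IPPROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ip_checksum(ip_header)) + ip_header[12:]
    # Data link layer: the type field tags the frame as carrying IP.
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + tcp


def demultiplex(frame: bytes) -> dict:
    """Walk the frame back up the stack the way the receiving host does:
    each layer reads only its own header and hands the rest upward."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IP: ethertype 0x%04x" % ethertype)
    ip = frame[14:]                       # ethernet header stripped
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    proto = ip[9]
    total_len = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_len]           # IP header stripped (trailer padding ignored)
    if proto == IPPROTO_TCP:
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        data_off = (segment[12] >> 4) * 4
        return {"layer4": "TCP", "src_port": src_port, "dst_port": dst_port,
                "data": segment[data_off:]}
    if proto == IPPROTO_UDP:
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        return {"layer4": "UDP", "src_port": src_port, "dst_port": dst_port,
                "data": segment[8:]}
    raise ValueError("no transport module for IP protocol %d" % proto)


# Constructed sample: a telnet client at 192.0.2.10 sending a login line.
SAMPLE_FRAME = encapsulate(b"login: admin\r\n", 40001, TELNET_PORT,
                           "192.0.2.10", "192.0.2.20",
                           bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))

if __name__ == "__main__":
    print(demultiplex(SAMPLE_FRAME))
```

Note that the user data is carried verbatim inside the frame: anything that can read the frame (a host on the same segment, a mirrored switch port) reads the telnet login line in the clear, which is why telnet was replaced by SSH for administrative access.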


Multiplexing and demultiplexing in the TCP/IP model

The lowest layer of the OSI model is the physical layer. The physical layer deals with the electrical and mechanical specifications of a particular transport medium and associated interfaces. Physical layer examples are 10 and 100 Mbit ethernet, synchronous and asynchronous serial links, and ATM, to name a few. The physical layer is concerned with getting bits, in an electrical or optical form, from point A to point B. The physical layer does not care about the structure or format of the data that is being transmitted or received; it is only concerned with delivering ones and zeros from the source to the destination.


The next level in the OSI model above the physical layer is the data link layer. This layer is responsible for creating frames that contain source and destination addresses, adding error detection and possibly correction fields to the frame, and, of course, incorporating a user’s data into the frame. Protocols at the data link layer are not routable; examples of such protocols are ethernet and token ring.


The layer where a network designer spends the most time is the network layer. This layer handles routing across the Internet and is the most important layer as far as multicasting is concerned. For a protocol to be routable, the addressing scheme must include a network and a host address. This is true for “normal” (unicast) IP traffic, but not for multicast traffic: as we will see, multicast addresses are not in the form of network/host but represent a group address. Although a network/host address pair is not present in a multicast address, multicast traffic is routable. Examples of routable protocols are IP, IPX, AppleTalk, and DECnet.


The transport layer is used to multiplex and demultiplex data streams between upper layer application processes as seen in Figure 1-2. The three upper layers of the OSI model, application, presentation, and session, have been combined in the application layer in the TCP/IP layered model. Typically, it is more difficult to determine where a particular upper layer application should be logically placed. Networks can be designed without knowing which applications the users are going to be employing. Therefore, the specific application is not important, just the protocol that the application will be using. In fact, we will only concern ourselves with the lower four layers of the OSI and TCP/IP models.



TCP/IP and OSI layered network models

Before we begin our exploration of IP multicasting and multicast routing protocols, we will examine the models of communication between two or more hosts in an intranet or over the Internet. Any book that resembles a networking book should include a review of the OSI layered communication model. The communication protocols that exist at the various levels of the OSI layered model interoperate extremely well because of their adherence to a layered protocol model. The original model was developed by the ISO to provide a logical separation between the various functions of a network. This model allows software modules from different vendors to coexist and operate properly as long as the published standards are followed.



NAT Types-Dynamic NAT

Several types of NAT are available. The Security Appliance can be configured to accomplish any of the following types:

- Dynamic NAT
- Dynamic Port Address Translation (PAT)
- Static NAT
- Static PAT

Dynamic NAT

Dynamic NAT translates a group of real (private) addresses to mapped IP addresses drawn from a pool of registered (public) addresses that are routable on the destination network. When a host initiates a connection to a particular destination, the Security Appliance translates the host's source address to an address from the mapped pool according to the matching NAT rule. The translation is maintained and is valid for the duration of the connection, and it is cleared when the session is terminated. If the same host initiates another connection, there is no guarantee that it will receive the same address from the mapped pool. Addresses from the pool are handed out on a first-come, first-served basis. Therefore, because the translated address varies, a destination-side user cannot initiate inbound connections when dynamic NAT is used. Dynamic NAT and PAT are used for unidirectional communication only.

Figure 6-10 shows how dynamic NAT works.

NAT Control

The firewall has always been an address-translation-aware device, supporting and requiring NAT for maximum flexibility and security. NAT control is available as a feature in the new software release on the Security Appliance. NAT control dictates to the firewall whether address translation rules are required for outside communications; with it enabled, the address translation behavior is the same as in versions earlier than 7.0.

The NAT control feature works as follows:

When NAT control is disabled, the firewall forwards all packets from a higher-security (such as Inside) interface to a lower-security (such as Outside) interface without requiring a NAT rule. Traffic from a lower-security interface to a higher-security interface only requires that it be permitted in the access lists; no NAT rule is required in this mode.

When NAT control is enabled, the use of NAT is mandatory (a NAT rule is required in this case). Packets sourced from a higher security-level interface (such as Inside) toward a lower security-level interface (such as Outside) must match a NAT rule (a nat command with a corresponding global command, or a static command), or else processing for the packet stops. Traffic from a lower-security interface to a higher-security interface also requires a NAT rule and must be permitted in the access lists to be forwarded through the firewall.

The default configuration is the equivalent of the no nat-control command (NAT control disabled mode). With version 7.0 and later, this behavior can be changed as required.

To enable NAT control, use the nat-control command in global configuration mode, as shown next:

hostname(config)# nat-control

Note

The nat-control command is available in routed firewall mode and in single and multiple security context modes.

When nat-control is enabled, each Inside address must have a corresponding Inside NAT rule. Similarly, if Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside NAT rule before communication is permitted through the Security Appliance.

By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT control disabled, the Security Appliance does not require packets to match an address translation rule: packets that match no NAT rule are forwarded untranslated, while packets that do match a configured rule are still translated. To disable NAT control globally, use the no nat-control command in global configuration mode:

hostname(config)# no nat-control

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be sourced from the higher-level interface. The no nat-control command does not have this requirement, nor does it require a static command to permit communication from the lower-level interface (from Outside to Inside); it relies only on access policies, for example, permitting the traffic in the ACL and having the corresponding access entries.

To summarize, traffic traversing from a More Secure to a Less Secure interface:

- Is designated as outbound traffic.
- Is permitted by the firewall for all IP-based traffic unless restricted by access lists, authentication, or authorization.
- Requires, when NAT control is enabled, one or more of the following commands: nat, nat 0, global, static.

Traffic traversing from a Less Secure to a More Secure interface:

- Is designated as inbound traffic (Outside to Inside connections).
- Requires inbound permission: the firewall drops all packets unless they are specifically permitted in the access-list applied on the incoming interface. Further restrictions apply if authentication and authorization are used.
- Requires an inbound access-list on the incoming interface and, when NAT control is enabled, one or more of the following commands: nat 0 with ACL, static.
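The dynamic NAT behaviour described under Dynamic NAT and the nat-control forwarding rules summarized above, as an added Python model that is not part of the original text and is not Cisco's code: it keeps a first-come, first-served mapped pool that is released when a session ends, and decides for each packet whether the appliance would forward it, based on direction, the inbound access-list, and whether a matching nat/global, static or nat 0 access-list entry exists. Interface names, addresses and the pool are constructed sample values; the command names in the comments are the pre-8.3 syntax the text refers to.

```python
"""Added example (not from the original text): a Python model of the
Security Appliance's dynamic NAT pool and of the nat-control forwarding
decision for outbound and inbound traffic. Interface names, addresses and
the pool are constructed sample values; the command names in comments are
the pre-8.3 syntax the text refers to (nat, global, static, nat-control)."""
from dataclasses import dataclass, field
from typing import Optional

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # higher = more trusted


class DynamicNatPool:
    """global (outside) 1 <first>-<last>: mapped addresses handed out
    first-come, first-served, one per connection, and returned to the
    pool when the session ends (no guarantee a host gets the same one)."""

    def __init__(self, addresses):
        self.free = list(addresses)
        self.active = {}                 # connection id -> mapped address

    def open_connection(self, conn_id: str) -> Optional[str]:
        if not self.free:
            return None                  # pool exhausted: no translation
        mapped = self.free.pop(0)
        self.active[conn_id] = mapped
        return mapped

    def close_connection(self, conn_id: str) -> None:
        self.free.append(self.active.pop(conn_id))


@dataclass
class NatPolicy:
    nat_control: bool                               # nat-control / no nat-control
    dynamic: Optional[DynamicNatPool] = None        # nat (inside) 1 <net> + global (outside) 1
    statics: dict = field(default_factory=dict)     # real -> mapped: static (inside,outside) mapped real
    exempt: set = field(default_factory=set)        # nat (inside) 0 access-list ... (both directions)
    identity: set = field(default_factory=set)      # nat (inside) 0 <net> (outbound-initiated only)
    inbound_acl: set = field(default_factory=set)   # (mapped dst, port) permitted on outside


def forward(p: NatPolicy, in_if: str, out_if: str, src: str, dst: str,
            dport: int, conn_id: str):
    """Return ("forward", translated address as seen on out_if) or ("drop", why)."""
    if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]:
        # Outbound: permitted unless an ACL, authentication or authorization
        # restricts it; a NAT rule is needed only when nat-control is on.
        if src in p.exempt or src in p.identity:
            return ("forward", src)
        if src in p.statics:
            return ("forward", p.statics[src])
        if p.dynamic is not None:
            mapped = p.dynamic.open_connection(conn_id)
            return ("forward", mapped) if mapped else ("drop", "dynamic NAT pool exhausted")
        if p.nat_control:
            return ("drop", "nat-control: no NAT rule matches the source")
        return ("forward", src)          # no nat-control: forwarded untranslated
    # Inbound: dropped unless the access-list on the incoming interface
    # permits it; with nat-control the destination also needs a static or
    # a nat 0 access-list entry. A dynamic-pool address never accepts
    # inbound connections, whatever the ACL says.
    if (dst, dport) not in p.inbound_acl:
        return ("drop", "not permitted by the inbound access-list")
    if p.dynamic is not None and dst in p.dynamic.active.values():
        return ("drop", "dynamic NAT is unidirectional: no inbound to a pool address")
    if dst in p.exempt:
        return ("forward", dst)
    for real, mapped in p.statics.items():
        if mapped == dst:
            return ("forward", real)
    if p.nat_control:
        return ("drop", "nat-control: no static or nat 0 access-list for the destination")
    return ("forward", dst)


def demo() -> dict:
    """Run the situations the text describes and collect the decisions."""
    pool = DynamicNatPool(["203.0.113.10", "203.0.113.11"])
    policy = NatPolicy(nat_control=True, dynamic=pool,
                       statics={"10.1.1.5": "203.0.113.5"},
                       inbound_acl={("203.0.113.5", 80), ("203.0.113.11", 23)})
    r = {}
    # Two inside hosts open connections and take the pool in order.
    r["a1"] = forward(policy, "inside", "outside", "10.1.1.20", "198.51.100.1", 443, "a1")
    r["b1"] = forward(policy, "inside", "outside", "10.1.1.21", "198.51.100.1", 443, "b1")
    # A third host finds the pool exhausted.
    r["c1"] = forward(policy, "inside", "outside", "10.1.1.22", "198.51.100.1", 443, "c1")
    # Host A's session ends; its next connection takes whatever is free.
    pool.close_connection("a1")
    r["a2"] = forward(policy, "inside", "outside", "10.1.1.20", "198.51.100.1", 443, "a2")
    # Inbound to a pool address is dropped even though the ACL permits it.
    r["in_pool"] = forward(policy, "outside", "inside", "198.51.100.1", "203.0.113.11", 23, "x1")
    # Inbound to a static is allowed only for what the ACL permits.
    r["in_static"] = forward(policy, "outside", "inside", "198.51.100.1", "203.0.113.5", 80, "x2")
    r["in_static_ssh"] = forward(policy, "outside", "inside", "198.51.100.1", "203.0.113.5", 22, "x3")
    # An outbound host with no NAT rule at all: nat-control decides.
    r["no_control"] = forward(NatPolicy(nat_control=False), "inside", "outside",
                              "10.1.1.30", "198.51.100.1", 80, "y1")
    r["control"] = forward(NatPolicy(nat_control=True), "inside", "outside",
                           "10.1.1.30", "198.51.100.1", 80, "y2")
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The model keeps the precedence the text implies (nat 0 access-list, then static, then the dynamic pool) and makes two points visible that are easy to get wrong in practice: an inbound access-list alone does not open a path to a dynamically translated host, and with nat-control enabled a host that matches no rule is dropped rather than forwarded untranslated.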