- How does a device establish a connection with a router and prepare to send web traffic?
- DHCP
- ARP
- DNS
- Local networking issues and how to troubleshoot:
- DHCP
- ARP
- VLANs
- Other issues
- RFC 1918
How does a device establish a connection with a router and prepare to send web traffic?
A device connects to the router through a wired or wireless connection from the device's network card. The Network Access layer connection is established at this point.
Once the device is connected and authenticated into the network, it needs an IP address, subnet mask, default gateway and DNS server address to be able to communicate at the internet/network layer of the TCP/IP stack.
It obtains this information using the DHCP process.
DHCP
- DHCP Discovery: The device (also known as a client) that connects to the network broadcasts a DHCP Discover packet to identify any available DHCP servers in the network. It is broadcast to 255.255.255.255, the limited broadcast address that reaches every host on the local network.
- DHCP Offer: In response to the discovery request, the DHCP server sends a DHCP Offer packet to the client. This packet is also a broadcast because the client still doesn't have a valid IP address. The Offer packet contains an available IP address from the DHCP server's pool and other network configuration details, such as the default gateway, subnet mask, lease duration, and DNS server(s).
- DHCP Request: The client sends a DHCP Request packet to the server, indicating that it would like to accept the offered IP address and configuration. This message is broadcast to make sure that all other DHCP servers that received the initial Discover packet know that they do not need to respond with an Offer. This process is called DHCP lease allocation.
- DHCP Acknowledgment (ACK): Finally, the DHCP server sends a DHCP ACK packet back to the client, acknowledging that the IP address has been officially leased to the client for the specified amount of time.
Now the device has an assigned IP address, and knows the default gateway and DNS servers to use.
ARP
The device knows the IP address of its default gateway (the router) from the DHCP process, but it needs the gateway's MAC address to send frames at Layer 2 of the OSI model.
The device sends an ARP Request, a broadcast frame at Layer 2, asking "Who has the IP address of the default gateway? Please tell me your MAC address."
The router responds with an ARP Reply, which contains its MAC address. The device now knows the MAC address associated with the router's IP address and stores this mapping in its ARP cache.
DNS
When the device opens a web browser and types in a URL (like www.example.com), the device needs to resolve this domain name to an IP address.
A DNS Query is encapsulated in UDP (a Layer 4 protocol), which is encapsulated in an IP packet (Layer 3), and finally encapsulated in an Ethernet frame (Layer 2). This frame is sent to the default gateway (the router), using its MAC address.
The router forwards this DNS Query to the DNS server. The DNS server responds with a DNS Response, which contains the IP address associated with the domain name.
Local networking issues and how to troubleshoot:
DHCP
Using Wireshark, you can filter for DHCP packets using the filter expression bootp (renamed dhcp in Wireshark 3.0 and later).
You can then examine the DHCP conversation to see if all the necessary steps (DISCOVER, OFFER, REQUEST, ACK) are happening as expected. If any of these steps are missing, it could indicate where the problem lies.
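The same check can be done programmatically. The following is an added example, not part of the original notes: it parses raw DHCP payloads, groups them by transaction ID, and reports the first DISCOVER/OFFER/REQUEST/ACK step that never appeared. The helper names and the sample payloads are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
DORA = ["DISCOVER", "OFFER", "REQUEST", "ACK"]

def parse_dhcp(payload: bytes):
    """Return (transaction id, message type) from a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    (xid,) = struct.unpack("!I", payload[4:8])
    i = 240
    while i < len(payload) and payload[i] != 255:     # 255 = End option
        if payload[i] == 0:                           # Pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                     # truncated option header
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:      # option 53 = message type
            return xid, MSG_TYPES.get(value[0], f"TYPE_{value[0]}")
        i += 2 + length
    return None

def first_missing_step(payloads):
    """Per transaction id: first DORA step never seen, or None if all four were."""
    seen = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    return {xid: next((s for s in DORA if s not in types), None)
            for xid, types in seen.items()}

def build(xid: int, msg_type: int) -> bytes:
    """Constructed sample payload: 236-byte BOOTP header, cookie, option 53, End."""
    op = 1 if msg_type in (1, 3) else 2               # 1 = client, 2 = server
    header = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(228)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

# Constructed capture: one full exchange, one unanswered client, one refused lease.
SAMPLE = ([build(0x1111, t) for t in (1, 2, 3, 5)]
          + [build(0x2222, 1), build(0x2222, 1)]
          + [build(0x3333, t) for t in (1, 2, 3, 6)])

if __name__ == "__main__":
    for xid, missing in first_missing_step(SAMPLE).items():
        print(f"xid {xid:#06x}: {'complete' if missing is None else 'missing ' + missing}")
```

A lease renewal legitimately contains only REQUEST and ACK, so a transaction reported as missing DISCOVER is not necessarily a fault.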
ARP
The issue might be with the ARP process if a device can't reach its default gateway. You can filter for ARP packets in Wireshark using arp as the filter expression. You should see an ARP request from the device and an ARP reply from the gateway. If the ARP reply is missing, it could be the reason why the device can't reach the gateway.
VLANs
If devices in different VLANs can't communicate with each other, there could be a problem with inter-VLAN routing.
For Ethernet frames on a trunk link (a network link that carries multiple VLANs), Wireshark will display a field called "802.1Q Virtual LAN" for frames that are tagged for a VLAN. This section will display the VLAN ID (also called the VLAN number) and other VLAN-related fields.
Ethernet II, Src: aa:bb:cc:dd:ee:ff, Dst: 00:11:22:33:44:55
    Destination: 00:11:22:33:44:55
    Source: aa:bb:cc:dd:ee:ff
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN
    802.1Q Tag Control Information
        000. .... .... .... = Priority: 0
        .... 0000 0001 0011 = ID: 19
    Type: IP (0x0800)
You can use Wireshark to check whether frames are being tagged for the correct VLAN, whether certain VLANs are experiencing higher traffic volumes, or whether there are any unusual patterns in the VLAN traffic. The filter vlan.id == 19 can be used to display only frames tagged for VLAN 19.
Some network interfaces might strip VLAN tags by default. You may need to adjust your network interface settings or use a switch that supports port mirroring with VLAN tag preservation.
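To make the tag layout concrete, here is an added example (not part of the original notes) that decodes the 802.1Q tag from raw frame bytes and counts frames per VLAN so that unexpected or untagged traffic stands out. The function names, the allowed-VLAN set and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_ethernet(frame: bytes) -> dict:
    """Decode an Ethernet II header and, if present, a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "priority": None, "vlan": None, "payload_offset": 14}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13        # top 3 bits of the TCI
        info["vlan"] = tci & 0x0FFF         # low 12 bits: the VLAN ID
        info["payload_offset"] = 18
    info["ethertype"] = ethertype           # type of the encapsulated payload
    return info

def vlan_census(frames, allowed):
    """Count frames per VLAN (None = untagged) and list VLAN IDs not in `allowed`."""
    counts = Counter(parse_ethernet(f)["vlan"] for f in frames)
    unexpected = sorted(v for v in counts if v is not None and v not in allowed)
    return dict(counts), unexpected

def make_frame(vlan=None, priority=0) -> bytes:
    """Constructed sample frame using the MAC addresses from the dissection above."""
    macs = bytes.fromhex("001122334455" "aabbccddeeff")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

# Constructed capture: VLAN 19 is expected on this port; VLAN 90 and untagged are not.
SAMPLE_FRAMES = [make_frame(19), make_frame(19), make_frame(90, priority=5), make_frame()]

if __name__ == "__main__":
    print(parse_ethernet(SAMPLE_FRAMES[0]))
    print(vlan_census(SAMPLE_FRAMES, allowed={19}))
```

If every frame captured on a known trunk comes back untagged, the capture interface is probably stripping the tags rather than the switch failing to add them.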
Other issues
- Spanning Tree Protocol - if you have redundant paths in your network, STP should be managing them to prevent loops. If STP isn't correctly configured, it could be blocking traffic on a link that should be forwarding.
- Access Control Lists - may be blocking traffic accidentally, depending on the configured list.
- Policy Routes - a mechanism that is used to make routing decisions. Verify that traffic is being sent to the correct destinations.
- Trunk Links - Trunk links carry traffic for multiple VLANs between switches. Make sure that all needed VLANs are allowed on each trunk link.
- Correct IP addresses and subnet mask configurations
RFC 1918
Private IP addresses are defined by the Internet Engineering Task Force (IETF). These are addresses that are agreed upon to be reserved for use within a private network. They’re not internet-routable.
The following IP ranges are reserved for private networks:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
A /24 would look something like 192.168.22.0/24; this means everything in the last octet may be used as an IP.