Gist: Gigabit connections, which were earlier used for interconnecting network switches (hence forming the backbone connectivity) have become common to connect the desktop. Is 10 GE (10 Gigabit Ethernet) then taking over any time soon both for interconnectig switches as well as directly connecting the servers? We would explore on whether there is a need for 10 GE ports, 10 GE interconnections, standards and types of pluggable optics for 10 GE as well as salient points along with the limitations of the 10 Gigabit Ethernet, in this article.

Need for 10GE Ports:

• Consolidation and virtualization are two of the strategies that many data centers are implementing in order to lower server count, improve server utilization, reduce energy demand, reclaim floor space, and redeploy IT resources to higher value projects, while maintaining, or improving, reliability. Virtualization has enabled dynamic allocation of resources for applications which earlier used to reside in seperate servers. So, the 1GE connectivity to a single server is no longer dedicated to that single server as multiple virtual servers populate every physical server. Hence 10GE Ports on every server (whose capacity will be increasing to more multiple cores and memory in the future) is a reality today, and in certain cases, a must.
• More and more applications (some of them being real-time, requiring extremely less latency) have moved in to the IP Network. Today, HD Video Conferencing/ Streaming (Single MPEG-4 Stream consumes about 3.75 Mbps of Bandwidth), IP Video Surveillance, Centralized IP Telephony, Clustered Business continuity applications like ERP/CRM, E-Commerce etc. & Scheduled back up to SAN/ NAS networks have increased the load on existing server room environments.
• Virtualization and the advances in the storage technologies like iSCSI has enabled consolidation of storage resources like SAN/NAS and hence consolidation of different disparate SAN networks in to a centralized low-cost high speed 10 GE ethernet based storage network saves a lot of cost and management overhead.
• HPCC – High Performance Computing Cluster (which is basically an interconnection of various high capacity servers working togeather to solve big computational tasks) requires higher throughput and low latency between all the nodes in the cluster, which is offered by 10GE.
• Connecting Top of the Rack Access Switchs for Blade Servers to the Core Switch – The Aggregation layer thus formed requires fewer cables/ ports connecting to the core switch when it uses 10GE links for the same.
• High Performance Servers: The availability of next generation multi core CPU’s with multi-threaded networking stacks will be able to fully utilize a 10 GE connection directly from the network switch to the server. Single 10GE connection also avoids the need to interconnect multiple 1 Gbe NIC’s from individual servers to switches in order to acheive higher throughput – increasing server utilization and also reducing power utilization.
• In the WAN (Wide Area Networking) end, carriers have been using SONET and ATM for high capacity long distance interconnections and with the introduction of 10GE standard, the lower costs of setting up and maintaining high speed networks that are scalable is quite appealing.

Need for 10GE Interconnects:

• When a 24/48 Port 1GE Port Switch is deployed in a data centre it is imperative that the interconnecting technology (to other switches) be more than 1GE as all the aggregated throughput goes through this setup. In this case, a 10GE Interconnecting apparatus or a 40GE interconnecting apparatus might be more optimum and the later is required for non-blocking performance if crucial servers are connected through the switch.
• Interconnection of multiple vendor switches (where stacking is not possible) can be achieved through multiple such 10GE/40GE interconnects along with Link Aggregation technology to ensure that the aggregation layer has a fully non-blocking or at least 2.4:1 architecture.

10 GE Cabling / Connectors:

Standards:

• 10GBASE-SR, 10GBASE-ER, 10GBASE-LR, 10GBASE-ZR are the common standards for fiber optic interfaces for 10GE. Both single mode, multimode fiber are supported for longer, shorter distances respectively ranging from a few meters up to 80 KM.
• 10GBaseT is the copper interface standard that can go up to 100 meters using Cat 6a or Cat 7 Cables. It can support lower distances for Cat 6 Cables (55 meters). 10GBaseT is reverse compatible with the earlier 1G and 100 Mbps Base T Connections.
• 10GEBASE-CX4 is another standard that supports 10GE by using twin-axial cable with 24 Gauge wire (same cable used for infiniband) and the primary application is for stacking switches of the same vendor. This technology has distance limitations (like 15 meters max).
• DAC – Direct Attach Cable : Low cost technology, supports shorter distances (For 10 GE). SFP+ Can be used along with DAC.

Common Pluggable optics for 10GE through MSA’s:

• SFP+ (For 10 GE) and SFP Standards use the same physical dimensions and SFP transceivers are supported by SFP+ equipment – So, it supports 1GE Optics as well. This standard supports up to 80 KM. Lower latency, lower power, lower heat when compared to equivalent standards.
• XFP, XENPAK, X2 are the other common types of pluggable optics supporting 10 GE primarily through MSA’s.
• Interoperability between multiple vendor transceivers are governed mostly by MSA – Multi Source Agreement between the various vendors.

Salient Points about 10GE

• 10 GE is an 1EEE 802.3ae Standard
• 10 GE Supports Full Duplex Communication – Hence lower latency and faster response than 1 GE Connections.
• Same frame format, frame size and MAC protocol as previous ethernet versions
• Computer/ Server expansion interface – PCI Express can support up to 12.5 Gbps of bandwidth to accomodate a 10GE Network Interface Card.
• Intelligent Ethernet NIC cards offload protocol (TCP/IP) processing from the host processor and hence has reduced the CPU utilization parameter for 10GE connections and the latency is also lesser for 10GE when compared to 1GE.
• Ethernet based switches and interconnects can be managed by the same Network Management System and protocols currently being used in data centres. For, newer protocols, need for a seperate management interface increases the cost of management.

Challenges in moving to 10GE:

• Cost of 10GE NIC cards as well as the price per port for 10 GE switches / Optical interfaces remain very high.
• The options for connecting 1GE ports alongside with 10GE ports are limited in most of the switches.
• 10GE NIC cards do not come built-in on most of the servers.
• Latency/ server utilization is higher and hence an issue with ethernet, especially with higher throughput applications, when compared with parallel technologies like Infiniband.
• Packet loss due to buffer overflows on congested ports is an issue in ethernet – the IEEE 802.1Q au is working on enhanced congestion management techniques for ethernet.

excITingIP.com

In case you have any clarifications or have anything to add to the topic, please feel free to add your comment in the space given below or you could also contact us using the contact form. You could also submit your email address in the box provided with the title “Get Email Updates when new articles are published” if you want to receive the articles published in this site to your email as and when they are published.

Actually, managed switches are not mandatory to make a computer network. Inexpensive unmanaged switches are sufficient in many smaller networks. The network would work just fine. But maintaining and trouble-shooting such a network becomes very cumbersome = that’s why many companies investing in managed switches even at the network edge. Let us look at some features offered by managed switches which differentiate them from their un-managed counterparts and justify the extra investment.

1. VLAN: This one is easy to guess. A manageable network switch allows the administrators to segment their network in to multiple smaller ones in order to restrict the broadcast domain. A PC or a server generally keeps communicating with every other PC/ server through broadcast packets (like ARP resolution packets etc) at regular intervals. So, if you have a single large network (running in to hundreds of PC’s, then these broadcast messages becomes so cumbersome that they can slow down the network. In such cases, it is better to restrict the broadcast domain so that these broadcasts are restricted to a smaller number of devices. A VLAN also gives an additional layer of security as the members of one VLAN cannot access the files of the members of another VLAN. Of course, exceptions can be created and Inter-VLAN routes/ multiple VLAN registration of a single port can be specified to access common resources like printers etc. It is also difficult for malicious files like viruses to spread from one VLAN to another.

2. Port Security: A manageable switch allows an administrator to enable or disable individual ports – this is very useful in case if a hugely broadcasting port needs to be shut down, without physically removing the cables or if unused ports needs to be locked.

3. Authentication/ Access Control: A manageable switch allows connection of devices based on their MAC addresses. So, administrators can specify a list of MAC addresses which can connect to the switch and even individual ports can be statically configured to allow devices with specified MAC addresses or the same can be dynamically learned (initially, up to a point of time) after which the port is locked to other devices. Some switches also integrate with Radius servers to enable 802.1x User-name/Password based authentication for individual users.

4. Web-browser based Management Interface: Manageable switches can be assigned with a unique IP address and hence can be accessed from a remote location (via a standard web browser over the internet) to monitor/ make any changes in the configuration. This remote management capability enables an administrator to remotely look in to, and make any changes to the switch configuration.

5. Cable visibility: Some manageable switches find out and display information about the cables connected with each port like approximate cable length, whether the cable is connected to the port or not, if the cable is shorted, if the cable is connected to switch only and the other end is open, approximate distance at which there might be a cable fault, etc.

6. Network performance monitoring (SNMP/ RMON Statistics): Manageable switches allow Network monitoring systems to monitor the performance of the devices connected to individual ports in the switches using the common and open-standards based SNMP protocol or RMON protocol which helps in planning for network resources, network fault diagnosis, trouble shooting etc using performance tuning data/ statistics.

7.  Quality of Service (QoS): The QoS parameters are critical for real time applications like voice/ video to run smoothly even in demanding network conditions. QoS allows an administrator to specify which type of data packets need to have greater precedence when traffic is buffered in the switch due to congestion. In such cases, the high priority data traffic queues will be transmitted before those in the lower priority queues. QoS can be specified by individual ports or by layer 2(802.1p)/layer 3(TOS or DSCP) parameters where the prioritization can be implemented based on the application / IP port numbers. automatically or manually.

8.  Rapid Spanning Tree Protocol support: Rapid Spanning Tree Protocol (RSTP) or its variants enables to have additional alternate cabling paths for redundancy while containing/ preventing any infinite loops that might arise by having such circular connections. Actually RSTP identifies alternate routes, if any, and keeps only one of them active at a given point of time. Once this primary route fails, or network topology changes, the alternate route for transferring data is taken automatically without noticeable delays.

9. IGMP Snooping: Manageable switches utilize a feature called IGMP Snooping to prevent multicast messages from chocking the network. This especially applies to bandwidth intensive applications like video which creates bandwidth hogs when broadcasted simultaneously to multiple users.

10. Port Mirroring: Some manageable switches have a feature called Port mirroring where a single or multiple ports are mapped to a single port in the switch and all the traffic passing through those ports are replicated in the mapped port. This enables applications like Intrusion detection, voice call logging etc.

11. Rate Limiting/ Rate Setting: Many manageable switches allow to limit the maximum rate of data traffic transmitted or received in an interface. This prevents a hugely broadcasting station, for example, from choking the entire network and prevents some network attacks like Denial Of Service attacks etc. Some switches even allow for setting the minimum commited rate of bandwidth that a particular port be allocated at all times – useful for critical users in the network. Manageable switches also allow to fix the transmit and receive rates of individual ports (like 10 Mbps or 100 Mbps etc) which can be useful for applications like Link Aggregation where the speeds of ports at both sides needs to be same.

12. Auto MDI/MDIX and Stacking: The MDI/MDIX ports are selected automatically, some ports can be configured as trunk ports, VLAN trunks etc. Some manageable switches can also be stacked together using stacking cables and stack ports which makes multiple switches to behave as a single switch with a higher data throughput capacity between them.

13. Link Aggregation: Administrators can configure multiple links between two manageable switches to increase the uplink throughput between them (Eg. 2 Gpbs with two individual links aggregated together instead of 1 Gpbs with one link). This feature can also be used with some servers with dual NIC cards to increase the bandwidth between the server and the switch. In both the cases, the additional link(s) can also be used for link redundancy (in case of failure of the primary link).

I have mentioned some reasons why manageable switches are required even at the network edge (they are more readily accepted at the core, distribution layers). If you have any points to add for or against the topic, you are welcome to do so in the comments section below.

excITingIP.com

In case you may have any clarifications, you can use the contact form to contact us or leave a comment below. You can also receive email updates when new articles are published in this website, by submitting your email address in the box that says “Get Email Updates when new articles are published”

Wired Options:

The best way is to use fiber cables between the blocks (assuming that a bigger premises has blocks seperated by more than 100 meters – if they are less than 100 meters, you can also use the Cat5/6 Copper UTP Cables).

The fiber cables can be laid in a star topology (as shown in the above diagram) where a central fiber distribution switch / distribution layer switch with fiber modules connect with fiber cables that go to the individual blocks where they can be terminated in the fiber module of a network switch or a media converter and then a LAN segment using a network switch/UTP cables can be created locally.

In some places, it may not be feasible to have the fiber cables running from a central location to all the individual blocks. In those locations, multiple interconnected star fiber networks (as shown in the above diagram) could be utilized, or the departments can be connected with one another directly by fiber cables (as shown below), which is called ring topology.

All the above mentioned topologies are expandable to accomodate more switches in the future.

If you do not want to lay expensive fiber cables/fiber modules for a particular segment, you can also extend the LAN by using a LAN extender pair. These are SHDSL/HDSL/VHDSL based broadband routers that can be configured to operate in the bridge mode. They connect to the LAN on either side through the RJ-45 interface/ Cat5/6 cables and they connect to each other using the copper single pair telephone cables which are cheaper to procure and lay. In many places, the telephone cable networks are already present. You can realize full duplex bandwidths of about 2 Mbps over a couple of Kilo Meters (this depends on the model) using such a set up (HDSL is different from ADSL as it provides equal bandwidth both upstream and downstream, which is better for extending a LAN segment). You can use DSLAM/CPE broad band equipments (Using ADSL2+) to create a complete LAN using existing telephone cables as explained in this post.

Wireless Options:

Wireless technologies today are not only used for Wi-Fi client access but are also used for backhaul/interconnectivity.

A wireless mesh network can be formed with dual radio / multi-radio access points where one radio in each access points connects the clients and the other radio connects neighbouring access points. A mesh architecture is shown below. The number of such wireless mesh hops is limited as the available bandwidth reduces by half with each hop.

For departments/LAN segments that need to be interconnected but are slightly far away, point to point wireless solutions are available. Basically, these outdoor access points are configured to operate in the point-to-point or point-to-multipoint modes and one such access point along with antenna/tower is required in each department/building which needs to be interconnected. They are generally kept over a tower so that line of sight is realized between the locations, for best performance. This set-up can be used to connect two offices that are even up to 50/60 Kilometers apart, provided that a line of sight can be established with a tower. A basic wireless point-to-multipoint architecture is shown in the below diagram.

Service provider options:

In many situations, it is not possible to extend a LAN across a big area as public roads/tracks might be crossing in-between or the locations to be interconnected might be very far away. In such places, the fiber networks of bandwidth service providers can be utilized. Basically it is a shared private network where a limited amount of network bandwidth and infrastructure (in the form of Leased lines, MPLS VPN, Internet leased lines etc) can be leased from the service providers (Usually they charge per Mb per year). In certain areas, metro ethernet might be available where the service privider has the infrastructure to connect two locations of a same branch located in different places at speeds of 10/100 Mbps using his public network infrastructure. This is also provided on a leased basis.

VSAT connectivity is a satellite based connectivity that can be utilized to connect remote locations that are not accessible by wireline/wireless internet/connectivity options. Some examples where such VSAT connectivity can be used are hill tops, ships etc. In branch offices and SOHO type of offices, even broadband/3G internet connectivity can be used to create a small LAN segment. But it is advisable in such situations (where LAN traffic is going through a shared network like Internet) to use VPN tunnels/Encryption between the sites.

So, do you think there are more innovative ways of extending a LAN? Do contribute your suggestions in the comments section below.

excITingIP.com

If you have SNMP based management systems for your network, all your network problems would be instantly diagnosed. No. But what SNMP can do is to give you a top level view of a few important parameters of various network devices that support this protocol including generating alarms when there is a component failure. But the details need to be worked out by the network administrators. For example, it might intimate the user when the router capacity has crossed a certain critical limit and is about to reach the full capacity but it may not tell which applications/ devices/ users are causing the excessive utilization of the router. You get the idea – the overall view.

What is SNMP?

SNMP is the short form of Simple Network Management Protocol. SNMP is a protocol that operates in the Application layer coordinating between a central NMS and various SNMP agents which are running on client devices. It defines a standard language for communications with network devices that are manufactured by multiple vendors and it also defines a standard management framework, security and access control for monitoring and managing different devices in a network. It is a TCP/IP based standard protocol with UDP as its transportation layer protocol.

With an SNMP monitoring tool, a network administrator can query device information, monitor device status, modify device parameters, enable automatic detection of faults, generate alarms, reports etc. Most of the network devices today support management through SNMP and the parameters that can be managed depends on the network device.

Example: A server’s processor utilization, memory usage etc. can be reported to the NMS, if the SNMP agent is running on a server. In a router, parameters like congestion notifications, priority queue levels, interface utilization, interface status etc. can be monitored.

Advantages of SNMP:

¤ SNMP gives a common, non-proprietary interface to manage devices from multiple vendors.
¤ Since it is a standard, different devices can be managed using the same tools and a single interface.
¤ Certain data that cannot be obtained by other means (A protocol analyzer cannot identify physical layer errors in a network switch, for example) can be obtained by an SNMP query.
¤ With SNMP, certain parameters network can be managed automatically. For example, when certain threshold parameters(traps) are set for network devices, alarms are generated via email etc. automatically.
¤ SNMP makes management tasks independent of the features and networking technologies of the managed network devices.
¤ SNMP allows network administrators to constantly monitor key parameters of network devices in order to identify certain trends that enable them to take precautionary measures.
¤ Uniform GUI based reporting makes it easier to monitor the various network devices.

Components of SNMP:

An SNMP enabled network consists of NMS (Network Management Station), SNMP agents and MIB – Management Information Base.

NMS: A network monitoring station is a central server/ software application running on a network device which is used to monitor and manage the various SNMP based network devices in the network. An NMS can request an agent to send a query or change the variables of managed network devices.

Agent: An agent is an application that resides on the network devices that need to be managed. It maintains the information regarding the managed devices, coordinates with the NMS and responds to the NMS queries. It also changes some variables of the managed devices on the instruction of the NMS and is responsible for sending alerts if some preset threshold values are exceeded in the devices.

MIB: A management information base is like a database that resides in each of the agents, and it is a collection of all the Managed Objects. NMS can read or write to the managed objects of the MIB. It also defines the set of characteristics associated with the managed objects like Object Identifier (OI), Access Rights, Data Type of the objects etc. MIB generally stores data in a tree like structure.

SNMP provides the following five basic operations : Get (request sent by the NMS to agent to retrieve any variable), GetNext (request sent by the NMS to retrieve the value of next OID), Set (request sent by the NMS to agent to set the value of a variable), Response (reply message of the agent to NMS) and Traps (Unsolicited message sent by the agent to NMS when a pre-defined event occurs).

What is SNMPv3?

SNMPv3 is the latest version of the protocol. The main difference between the previous versions (SNMPv1, v2c) and the latest version is that, while SNMP v1,v2c used community names for authentication, SNMPv3 uses User based Security Model (USM) and View based Access Control Technologies (VACT).

USM introduces the concept of user name and groups. The authentication packets from the sending end is checked for validity (authentication) and the packets between the NMS and the agent are encrypted to ensure enhanced security.

VASM introduces five elements: Groups, Security level, contexts, MIB views and access policy. Basically these five elements control user rights to management information. The users can be grouped, and the user of a particular group can access the objects defined for a specific MIB view only.

Limitations of SNMP:

While SNMP provides good network management at the macro level, it does not provide many network details required to solve many network issues. Since it needs to manage multiple devices manufactured by different vendors, the parameters that SNMP can manage are quite limited, based on the standards defined. But network devices are always very different from each other. Some are really complex. So, customization for management of particular elements cannot be defined by the user.

excITingIP.com

In case you have any questions, you could get in touch with us using the contact form or leave a comment below. You could also participate in the discussions in the Forum.

What does a RADIUS server do?

A RADIUS server is a software package/ protocol that provides Authentication, Authorization and Accounting services. RADIUS stands for Remote Authentication Dial In User Service but the RADIUS servers of today are much more than authentication services – they can control the access to the network.

A RADIUS server is not a database, and it doesn’t contain a database. But it is a protocol that defines how to  work along with a database like LDAP, MySQL etc. to provide the authentication and authorization services.

Let us take an example of an ISP – Internet Service Provider scenario, where there are so many users connecting and hence a nice place to have a RADIUS server. Each of these users would be trying to access the host servers/NAS system. All these users need to be individually authenticated before allowing them the user session through their servers. So, when each of these users are attempting to start a connection, their user credentials (User name, passwords etc) are sent to the host server/NAS system requesting access. Now, these servers send the required authentication information to a central RADIUS server which looks up to a database like LDAP or uses its internal hashed database to check if the credentials are correct. If they are, then a message indicating as much is sent back to the host server/NAS and a session is started with the client. These messages also include the type of access the particular user can be given access to, based on their authentication parameters.

Once the session is started, the host server/NAS also send an information containing the time-stamp details, to the RADIUS server which stores it along with the session termination details to be sent when the session is broken by the user later. This information is used by some applications for billing purposes/ calculate the total usage time/ bandwidth over a period of time etc.

The host server/NAS application needs to run a client RADIUS software in order to communicate with the central RADIUS server. It is beneficial to run a RADIUS server in any organization with more than 30 users. If the organization is distributed and the users have various means of accessing the network (Wired, wireless access points, broadband, dial-in etc) then it is even better to run RADIUS server along with databases like LDAP etc.

Authentication and Authorization:

There are various types of authentication packets exchanged between the host server, NAS and the RADIUS Server. There are authentication request packets sent to the RADIUS server and there are various types of authentication replies sent from the RADIUS server to the host server/NAS.

One is authentication acknowledgement – which indicated the host server/NAS to initiate a normal session with the user by providing them with an IP address. Additional information like authorization data can also be sent with that packet to determine the type of service that the user is entitled to. Second is authentication rejection, where the RADIUS server tells the host server/NAS not to provide any type of connection to the user and they also include attributes which contain a reason for not allowing the session which can be shown to the users – like user name/ password being incorrect etc. There is also a third type of packet called authentication challenge, which requests for additional authentication information. Here the host server/NAS acts as a liaison between the user and the RADIUS server and requests the user for the additional information and sends them back to the RADIUS server. This continues until the RADIUS server sends an authentication acknowledgement or authentication rejection packets.

Sometimes, a request from the host server/NAS goes un-answered. In those cases, the authentication request packets are re-transmitted with a specified interval gap, till an authentication ack or authentication reject packets are received, or the pre-defined number of tries are exhausted. There can also be a backup RADIUS server which can provide the service to the clients if the primary one fails.

The number of sessions a user can open simultaneously with the host server/ NAS can be restricted by a RADIUS server, which if not restricted is set to unlimited. A RADIUS server also prevents repeated authentication requests by setting up failure counters – this is helpful when someone is trying to break the password. After a specific number of tries, the RADIUS server can stop that user from sending further authentication request packets.

A RADIUS server supports a lot of authentication types like encrypted password authentication type, SQL authentication, Pluggable Authentication Module type etc. It can also support guest authentication – Suppose there is a need to give a temporary access to a guest user – then there is no need to update their credentials or create a new entry for them in LDAP servers etc. They could just be given a default user name like guest and a password with which they could log in and use the network resources (with restricted access) for a specified amount of time.

Accounting:

Like the authentication packets, there are also the accounting packets that are sent between the RADIUS server and host server/NAS. As we mentioned earlier, the RADIUS server stores the accounting information for individual sessions, users, time-span, packets traversed during that session/time-span etc. An accounting request packet can be sent from a host server/NAS to the RADIUS server requesting such user session information and the RADIUS server responds back with appropriate attributes and information. After sending the requested information, the RADIUS server also sends an accounting acknowledgement packet to confirm to the host server/NAS that it has received the request and has sent the required information.

Since RADIUS servers can interface with databases like MySQL, odbc based database applications etc, they can store the accounting information/accounting requests in the database, along with the user credentials.

Information like how many packets have been sent from and to a port for a specific user or a specific session and the time taken for such sessions can be accessed by RADIUS clients. This is mostly used for billing purposes and to determine the time taken/ bandwidth consumed by individual clients and applications.

Extension and Proxy:

To extend the functionality of the RADIUS server without modifying the source code, extension languages are used which can interface to the core of the RADIUS server functionality and extend their applications based on specific requirements. This can also be done in a more simplistic way by using filters. Filters are used to handle the simpler requests – it is actually an external program that communicates with the RADIUS server via its standard input and output channels to extend its functionalities or to get the relevant data in a specified format.

RADIUS servers also support proxy services. This is required during roaming. Imagine there are two ISP’s and the user moves from the area of one ISP to another. This proxy facility is used to give internet access to the user in such situations. The connection request packets are sent to the primary ISP RADIUS server from the secondary ISP RADIUS server which in turn communicates with the former for authenticating the user, who is now accessing the internet through their network. All the accounting information is sent back to the primary RADIUS server for billing purpose.

excITingIP.com

In case you have any clarifications, you could get in touch with us using the contact form or leave a comment below. You could also participate in the discussions in the Forum.

What is NAT?

NAT is the short form of Network Address Translation. Basically, there are two types of IP addresses. Private IP addresses which are used within a network (LAN) and Public IP address which is used for devices to connect to public servers in the Internet. While there are enough private IP addresses to be assigned to all the computers of a LAN private network, there are only a limited number of public IP addresses that can be given to companies to communicate with the outside network.

Let us assume that a company has only one public IP address but several private IP address dynamically assigned by the DHCP server for all its computers. So, a NAT application (Router, Firewall) would change the source address (private IP address) on every outgoing packet from the internal computers in to the single public IP address. But it assigns a different source port for packets coming from each computer, so that while the packets return with a single public IP address, it can still remember which packet needs to go to which computer (Every IP address has source IP, destination IP and associated port numbers). Of course, while coming back, the packets are re-assigned with its respective private IP address of the computer it needs to go to and the public IP address is discarded by the NAT application. This complex process is managed by a port mapping table managed by the NAT application, for all the incoming and outgoing packets from a network.

There is one more reason for using a NAT – Security. As the internal IP addresses are changed for all the computers at the gateway level, the internal IP addresses are never revealed to the external computers receiving the packets/ intercepting the packets.

What is NAT Traversal and why is it required?

Any incoming packets (which come directly from unsolicited sources) would be blocked by such a NAT appliance, as the internal PC’s and IP phone extensions are non-routable from the public network. But most of the incoming calls in IP Telephony (SIP, MGCP) and Video Conferencing applications (H.323) come directly from external sources. Also complicating the whole thing is the behaviour of some firewalls: Some firewalls block traffic based on the direction of their flow. They do not allow packets from outside the network to come inside, without any of the internal systems requesting for the same. But the very idea of IP telephony is to allow anyone from outside to call anyone inside the network. So, in such cases NAT/Firewall traversal is required selectively.

Types of NAT/Firewall Traversal:

¤ Universal Plug and Play (UPnP): VoIP applications require to discover and use the external IP addresses and the port numbers that NAT selects for signalling and media flows – The SIP clients calling from outside can put this information in to the SIP signalling and establish a call. UPnP allows client applications (Firewalls, SIP Phones) to work with each other and find out and establish a call in that manner but all the client applications need to be UPnP compliant (have the software pre-loaded). So, all the involved vendors need to support this.

¤ Simple Traversal of UDP through Network Address Translators (STUN): This method involves a STUN server, in the public address space, accessible to the clients calling from outside the network. But the clients need to be STUN enabled, beforehand. Such clients sends an exploratory message to the STUN server to determine the required information. The STUN server examines the incoming message and informs the client of the public IP address and ports to be used for NAT traversal.

¤ Application Layer Gateway (ALG): This technique proposes the replacement (or up-gradation) of the existing NAT/Firewall with ALG. The ALG can change the signalling to reflect the public IP addresses and ports used by the signalling and media streams and hence the call can be established from outside.

¤ Manual Settings: This method involves using static NAT addressing. That is, each client is manually configured in the NAT to use the public IP address and a certain port every time. These details need to be configured with the external client (SIP phone) now, to establish a call.

¤ Tunneling: In this technique, there are two servers – one outside the network and another inside the network. The server which is outside receives the SIP traffic, modifies its signalling to reflect the public ip address and the port numbers associated with the NAT, creates a tunnel with the other server sitting inside the network (the firewall is reconfigured to allow this traffic) and carries only the SIP signalling and media traffic, in to the network.

¤ Proxy Server: In this technique, two proxy servers sit in-between the IP PBX, internal SIP phones and the external SIP phones. The SIP signalling packets from outside the network are directed to the signal proxy server, which appends the information to include its own ip address and port information and sends it to the PBX. The PBX will send back an ACK message to the proxy, which is forwarded to the calling SIP phone with the required information to set up a media stream connection with the media proxy server. The media proxy then forwards these packets to the internal SIP phones. In the whole process, the external SIP phones assume that the proxy server is the PBX/ internal SIP phones and vice-versa.

excITingIP.com

In case you have any clarifications, you could contact us via the contact form or leave a comment below. You could also participate in the discussions in the Forum.