Chapter 3: Network Devices and Technologies

Lesson 1: Routers, switches, hubs, and their functionalities.


Your office network is the foundation of your IT infrastructure. It connects all your devices and
allows users to access business resources and to communicate with each other as well as to the
outside world. Without a functioning network, a business cannot really function. However,
merely having a functioning network is not enough. Poor network connectivity and intermittent
issues are not only frustrating but also a drain on your employee productivity.

Network-related problems such as choppy VoIP audio, lagging video calls, and application
slowness negatively impact office productivity. In many cases, these problems are a result of
using the wrong network components or settings.

WHAT IS A ROUTER?
A router is a networking device that facilitates communication between computer networks. In
simple terms, a router makes it possible for devices such as laptops, smartphones, etc. on
your local network to communicate with other networks such as the internet.

WHAT DOES A ROUTER DO?


Communication or data sent over the network takes the form of data packets. When you type a
web address into your browser, the web page is returned as packets of data. On the internet, routers
direct this traffic by forwarding data packets between computer networks. The data packets
are typically forwarded from one router to another through the networks until they reach their
destination node.

There are different types of routers but the most common ones are those that connect LANs
(local area networks) and WANs (wide area networks).

HOW DOES A ROUTER WORK IN A NETWORK?


A router can be thought of as a small computer. It has a CPU and memory that deal with the
incoming and outgoing data and has software similar to the operating system in a computer.
Routers work on layer 3, i.e. the network layer of the OSI model. They use routing tables or
routing policies to direct incoming traffic to the appropriate destinations.

Routers serve two main functions, namely, they manage the traffic moving between networks by
forwarding data to the desired IP address, and they allow multiple devices to use the same
internet connection.

WHAT IS THE DIFFERENCE BETWEEN HOME NETWORK ROUTERS AND ENTERPRISE ROUTERS?
In their simplest form such as home or small office routers, routers simply forward the data
packets between the local network and the internet. Enterprise routers are more sophisticated
devices that do a lot more than that. Enterprise routers are integrated service devices, which
means that they provide network, application, and security services on a single device.
Home network routers have a small coverage area and limited forwarding and bandwidth capacity.
Enterprise routers, on the other hand, have a higher-spec CPU, cache, and memory and support more
NAT forwarding entries, allowing a greater number of users to connect to the device and access the
internet. Enterprise routers are highly configurable and offer advanced options for managing
connected devices and types of traffic.

Cisco Small Business RV Series Router


WHAT IS A NETWORK SWITCH?
A network switch is a piece of network hardware that connects devices on a network: it receives
the data transmitted over the network, grouped into packets, and forwards it to the
destination devices. In other words, it is a network device that enables the devices connected to
the network to communicate and share information with each other.

Typical home networks don’t need switches because, on a small scale, wireless routers also
function as switches. So if you compare a simple home network with a business network,
understanding the function of a switch can be a little difficult. For simplicity, we can say that
while the router connects your network to the internet, a switch connects the different devices
within your network.

Switches perform an important role in a network and without them building small business
networks would not be possible. By connecting together the network devices and enabling them
to communicate with each other, switches facilitate the sharing of resources such as printers,
servers, NAS, etc.

HOW DOES A SWITCH WORK?


When a device connected to a network sends information to another device on that network, the
information packet first enters the switch, which then matches the destination address or
addresses and sends the packet to the destination devices through the appropriate ports.

Devices connect to the network using a network interface card (NIC), and each NIC has a media
access control (MAC) address. Switches note the MAC address of every device connected to the
network and use it to identify which devices are sending packets and where to deliver those
packets. Unlike IP addresses, which can be dynamically assigned and change over time, MAC
addresses are associated with the physical device and don’t change.

Network switches can operate at OSI layer 2 (the data link layer) as well as layer 3 (the network
layer). Switches that operate at layer 2 forward data based on the destination MAC address,
while switches that operate at layer 3 forward data based on the destination IP address. Some
switches can operate at both layers. Most switches operate at layer 2 and are
connected to the devices in their networks using Ethernet cables.

Using network switches, you can easily create logical network segments and virtual LANs (VLANs) by
configuring groups of ports on the network switch to behave as a separate network. Layer 3 switches
also have built-in routing capabilities that enable traffic to get from one subnet to another. Network
switches are, therefore, necessary components of any modern business network.

WHAT ARE THE DIFFERENT TYPES OF SWITCHES?


There are two main types of network switches:
1. UNMANAGED SWITCHES
Unmanaged network switches are the simplest and most basic type of switch. They have built-in
services that ensure easy setup and utility, so you can simply use them out of the box without any
configuration. They are ideal for small offices that have simple networks.
2. MANAGED SWITCHES
Managed network switches give you greater control over the performance and management of
your switches. They allow you to configure how your network consumes an internet connection by
setting per-port bandwidth. They also allow you to create and modify VLANs. All of this can be done
remotely via SNMP (Simple Network Management Protocol) or a web interface.

Although managed network switches are more expensive, all of the functionality they offer makes
them a great choice for businesses that have large or complex networks.

WHAT IS A NETWORK HUB?


A network hub is a basic network device that does not need an IP address and operates in layer 1
(physical layer) of the OSI model. It connects multiple network devices together, making them
act as a single network segment. Network hubs have multiple ports and when a signal is
introduced at any port, it is broadcast to every port except the original incoming port. Unlike
switches or routers, network hubs have no routing capabilities and simply broadcast all
information to multiple ports.
Because of how the network hubs function, they present serious performance and security issues.
As a result, hubs are now largely obsolete, having been replaced by network switches.
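The switch behaviour described under HOW DOES A SWITCH WORK? (learning source MACs per port, forwarding on the destination MAC) and the hub behaviour described just above (repeating every frame to every other port), simulated side by side in an added Python example. This is not code from the original text; the port numbers, MAC addresses and frames are constructed sample values.

```python
# Added example: a hub that repeats every frame versus a switch that learns
# MAC addresses per port. Ports and MAC addresses are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 device: a frame entering one port is repeated out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        # No addressing at all: src_mac and dst_mac are ignored.
        return sorted(p for p in self.ports if p != in_port)


class LearningSwitch:
    """Layer 2 device: notes which port each source MAC was seen on and
    forwards a frame only to the port where its destination MAC lives."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port number

    def forward(self, in_port, src_mac, dst_mac):
        # Learning step: the sender is reachable through the ingress port.
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            # Unknown or broadcast destination: flood, behaving like a hub
            # for this one frame. Every attached device sees it.
            return sorted(p for p in self.ports if p != in_port)
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:
            return []  # destination is on the same port; nothing to forward
        return [out_port]


def deliver_all(device, frames):
    """Run (in_port, src_mac, dst_mac) frames through a device and return the
    list of output-port lists, one per frame."""
    return [device.forward(*frame) for frame in frames]


# Constructed sample traffic on a 4-port device: A on port 1, B on port 2, C on port 3.
MAC_A, MAC_B, MAC_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
SAMPLE_FRAMES = [
    (1, MAC_A, MAC_B),      # A -> B: B not yet learned, so the switch floods
    (2, MAC_B, MAC_A),      # B replies: A already learned, delivered to port 1 only
    (1, MAC_A, MAC_B),      # A -> B again: now B is known, port 2 only
    (3, MAC_C, BROADCAST),  # broadcast from C: always flooded
]

if __name__ == "__main__":
    print("hub:   ", deliver_all(Hub(range(1, 5)), SAMPLE_FRAMES))
    sw = LearningSwitch(range(1, 5))
    print("switch:", deliver_all(sw, SAMPLE_FRAMES))
    print("table: ", sw.mac_table)
```

Until a destination MAC has been learned, the switch floods the frame to every port exactly as the hub does, so a switch only confines unicast traffic to its intended port once its table has been populated.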

NETWORK SWITCHES VS ROUTERS


It is easy to confuse network switches and routers as they perform similar functions, i.e.
forwarding and routing network traffic. However, they serve different purposes. In simple terms,
here’s how they differ: network switches connect devices, while routers connect networks.
Therefore, while routers are necessary for an Internet connection, switches are only necessary for
interconnecting devices.

Most home and small office networks need routers for Internet access, but they do not need
network switches. However, large offices with hundreds of connected devices need a large
number of Ethernet ports, which makes switches a necessity.
Hub vs. Switch vs. Router – Differences Discussed
As mentioned, hubs, routers and switches function differently, and can be used as individual
devices in a network. Sometimes, two or more of these are combined into a single device. This
section offers a clear comparison of hub vs switch, switch vs router, and hub vs router based on
various parameters.
Hub vs. Switch
A hub is quite primitive and works on the physical layer (layer 1) of the open systems
interconnection (OSI) model. It was widely used earlier, when virtual connectivity was not
required. A switch, on the other hand, works on the data link layer (layer 2) of the OSI model.
While a hub can connect multiple Ethernet devices as a single segment, it cannot filter a data
packet and forward it to the right device or destination. It sends a data packet to all the devices
on the network, and the devices then filter and accept or reject that packet. A switch can identify
the destination by reading the header on the data packet and forwards the message to the right
device only.
A hub can connect two or more devices on a LAN via Ethernet. However, a switch can join
multiple devices in one LAN.
The hub uses half-duplex mode to exchange data. A switch uses half- or full-duplex mode.
A hub transmits data in the form of an electrical signal or bits, while a switch sends it in the form
of frames and packets.

Switch vs. Router


The router works on the network layer of the OSI model, while the switch works on the data link
layer.
A router can link both a LAN and a WAN, and transmit data to other connected networks. A
switch can join multiple devices in a LAN.
An Ethernet switch forwards data based on the MAC address, whereas a router routes data
packets across networks based on the IP address.
Routers can be used in wired and wireless networks, while switches are typically designed for
wired networks.
Since virtual networks are gaining traction, the demand for both switches and routers has gone
up. Both devices are useful for VLANs (virtual LANs).
Switches split a LAN into multiple virtual LANs. This makes it easy for layer 2 devices to
communicate without any external components. However, if a layer 2 device needs to reach a
destination that is only reachable at layer 3 (for example, on another VLAN), a router is used.
Routers facilitate inter-VLAN communication, while switches allow inter-device
communication on the same VLAN.
Beyond layer 2 switches and routers, layer 3 switches have also been developed; they use an
integrated approach to switching and routing.

Hub vs. Router


A hub is a basic device and simply works as a broadcaster when it comes to data transmission. It
transmits data in the form of electrical signals. A router sends data in the form of packets and
uses the IP address for data transmission.
A router is an advanced and intelligent networking device, while a hub is passive and without
any intelligence.
The advanced and ever-expanding networks of today need wireless routers, which facilitate data
transmission across networks, inter-LAN communication, and communication between devices at
different layers.
Which is Better – Hub, Switch or Router?
Making the right choice depends on your application requirements, network complexity, budget,
and many other factors. While a hub may not even be considered for today’s business networks,
the choice largely remains between switches and routers. Both switches and routers are available
in varied configurations. For most wired networks, switches may work well in terms of budget
and functionality. Routers are definitely more advanced than switches when it comes to device
compatibility, support for wireless networks, and so on. However, they are more expensive than
switches. So, one needs to weigh all the options in terms of cost and functionality against their
network requirements to make the right choice.
Hub vs Switch vs Router – What Is the Real Difference?

Criteria                           | Hub                                                   | Switch                               | Router
Layers                             | Physical layer (layer 1)                              | Data link layer (layer 2)            | Network layer (layer 3)
Functions                          | Connect multiple Ethernet devices as a single segment | Join multiple devices within one LAN | Link both LAN as well as WAN
Device Type                        | Least intelligent device                              | Intelligent device                   | Intelligent device
Data Transmission Form             | Electrical signal or bits                             | Frame and packet                     | Packet
Transmission Mode                  | Half-duplex                                           | Half/full-duplex                     | Full-duplex
Address Used for Data Transmission | No addressing, broadcast to all devices               | Based on MAC address                 | Based on IP address
Lesson 2: Network addressing (IPv4, IPv6) and subnetting.
IPv4 addresses are 32-bit numbers that are typically displayed in dotted decimal notation and
contain two primary parts: the network prefix and the host number. The topics below describe
IPv4 classful addressing, IPv4 dotted decimal notation, IPv4 subnetting, IPv4 variable-length
subnet masks, IP version 6, IPv6 address types and how Junos OS for the SRX Series Services
Gateway uses them, and configuration of the inet6 IPv6 protocol family.
Understanding IPv4 Addressing
IPv4 addresses are 32-bit numbers that are typically displayed in dotted decimal notation. A 32-
bit address contains two primary parts: the network prefix and the host number.
All hosts within a single network share the same network address. Each host also has an address
that uniquely identifies it. Depending on the scope of the network and the type of device, the
address is either globally or locally unique. Devices that are visible to users outside the network
(webservers, for example) must have a globally unique IP address. Devices that are visible only
within the network must have locally unique IP addresses.
IP addresses are assigned by a central numbering authority called the Internet Assigned Numbers
Authority (IANA). IANA ensures that addresses are globally unique where needed and has a
large address space reserved for use by devices not visible outside their own networks.
This topic contains the following sections:
- IPv4 Classful Addressing
- IPv4 Dotted Decimal Notation
- IPv4 Subnetting
- IPv4 Variable-Length Subnet Masks
IPv4 Classful Addressing
To provide flexibility in the number of addresses distributed to networks of different sizes,
4-octet (32-bit) IP addresses were originally divided into three different categories or classes:
class A, class B, and class C. Each address class specifies a different number of bits for its
network prefix and host number:
- Class A addresses use only the first byte (octet) to specify the network prefix, leaving
3 bytes to define individual host numbers.
- Class B addresses use the first 2 bytes to specify the network prefix, leaving 2 bytes to
define host addresses.
- Class C addresses use the first 3 bytes to specify the network prefix, leaving only the last
byte to identify hosts.
In binary format, with an x representing each bit in the host number, the three address classes can
be represented as follows:
00000000 xxxxxxxx xxxxxxxx xxxxxxxx (Class A)
00000000 00000000 xxxxxxxx xxxxxxxx (Class B)
00000000 00000000 00000000 xxxxxxxx (Class C)
Because each bit (x) in a host number can have a 0 or 1 value, each represents a power of 2. For
example, if only 3 bits are available for specifying the host number, only the following host
numbers are possible:
111 110 101 100 011 010 001 000
In each IP address class, 2 raised to the power of the number of host-number bits indicates how
many host numbers can be created for a particular network prefix. Class A addresses have 2^24 (or
16,777,216) possible host numbers, class B addresses have 2^16 (or 65,536) host numbers, and
class C addresses have 2^8 (or 256) possible host numbers.
IPv4 Dotted Decimal Notation
The 32-bit IPv4 addresses are most often expressed in dotted decimal notation, in which each
octet (or byte) is treated as a separate number. Within an octet, the rightmost bit represents 2^0 (or
1), increasing to the left until the first bit in the octet is 2^7 (or 128). Following are IP addresses in
binary format and their dotted decimal equivalents:
11010000 01100010 11000000 10101010 = 208.98.192.170
01110110 00001111 11110000 01010101 = 118.15.240.85
00110011 11001100 00111100 00111011 = 51.204.60.59
IPv4 Subnetting
Because of the physical and architectural limitations on the size of networks, you often must
break large networks into smaller subnetworks. Within such a subnetted network, each
interface requires its own network number and identifying subnet address.
NOTE:
The IP routing world has shifted to Classless Inter-Domain Routing (CIDR). As its name implies,
CIDR eliminates the notion of address classes and simply conveys a network prefix along with a
mask. The mask indicates which bits in the address identify the network (the prefix). This
document discusses subnetting in the traditional context of classful IP addresses.
Figure 1 shows a network comprised of three subnets.
Figure 1: Subnets in a Network

Figure 1 shows three devices connected to the Alpha subnet on the left, three devices connected
to the Beta subnet on the right, and a third subnet named Gamma that interconnects the left and
right subnets over a WAN link. Collectively, the six devices and three subnets are contained
within the larger class B network prefix. In this example, the organization is assigned the
network prefix 172.16/16, which is a class B address. Each subnet is assigned an IP address that
falls within this class B network prefix.
In addition to sharing the class B network prefix (the first two octets), each subnet shares the
third octet. Because we are using a /24 network mask in conjunction with a class B address, the
third octet identifies the subnet. All devices on a subnet must have the same subnet address. In
this case, the alpha subnet has the IP address 172.16.1.0/24, the beta subnet has the IP
address 172.16.2.0/24, and the Gamma subnet is assigned 172.16.10.10/24.
Taking one of these subnets as an example, the Beta subnet address 172.16.2.0/24 is represented
in binary notation as:
10101100 . 00010000 . 00000010 . xxxxxxxx
Because the first 24 bits in the 32-bit address identify the subnet, the last 8 bits are available to
assign to host attachments on each subnet. To reference a subnet, the address is written
as 172.16.10.0/24 (or just 172.16.10/24). The /24 indicates the length of the subnet mask
(sometimes written as 255.255.255.0). This network mask indicates that the first 24 bits identify
the network and subnetwork, while the last 8 bits identify hosts on the respective subnetwork.
IPv4 Variable-Length Subnet Masks
Traditionally, subnets were divided by address class. Subnets had either 8, 16, or 24 significant
bits, corresponding to 2^24, 2^16, or 2^8 possible hosts. As a result, an entire /16 subnet had to be
allocated for a network that required only 400 addresses, wasting 65,136 (2^16 – 400 = 65,136)
addresses.
To help allocate address spaces more efficiently, variable-length subnet masks (VLSMs) were
introduced. Using VLSM, network architects can allocate more precisely the number of
addresses required for a particular subnet.
For example, suppose a network with the prefix 192.14.17/24 is divided into two smaller
subnets, one consisting of 18 devices and the other of 46 devices.
To accommodate 18 devices, the first subnet must have 2^5 (32) host numbers. Having 5 bits
assigned to the host number leaves 27 bits of the 32-bit address for the subnet. The IP address of
the first subnet is therefore 192.14.17.128/27, or the following in binary notation:
11000000 . 00001110 . 00010001 . 100xxxxx
The subnet mask includes 27 significant digits.
To create the second subnet of 46 devices, the network must accommodate 2^6 (64) host numbers.
The IP address of the second subnet is 192.14.17.64/26, or
11000000 . 00001110 . 00010001 . 01xxxxxx
By assigning address bits within the larger /24 subnet mask, you create two smaller subnets that
use the allocated address space more efficiently.
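The classful lookup, the binary notation and the VLSM arithmetic of this lesson, worked through in an added Python example (not code from the original text). It assumes the 192.14.17.0/24 block discussed above and carves it largest-request-first, so the 46-host subnet lands at .0/26 and the 18-host subnet at .64/27; the prefix lengths match the lesson's, only the placement differs, and usable_hosts() adds the practical count after the network and broadcast addresses are set aside.

```python
import ipaddress

# Added example (not from the lesson): classful lookup, the lesson's binary
# notation, and a VLSM allocator for the 192.14.17.0/24 case. Host counts use
# the lesson's convention (2 ** host_bits); usable_hosts() gives the practical
# figure after the network and broadcast addresses are set aside.


def to_binary(dotted: str) -> str:
    """'208.98.192.170' -> '11010000 01100010 11000000 10101010'."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted}")
    return " ".join(f"{o:08b}" for o in octets)


def address_class(dotted: str) -> str:
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"  # multicast / reserved, outside the three classes covered


def host_bits_for(hosts: int) -> int:
    """Smallest number of host bits whose 2 ** bits host numbers cover `hosts`."""
    bits = 0
    while 2 ** bits < hosts:
        bits += 1
    return bits


def prefix_for_hosts(hosts: int) -> int:
    """Prefix length leaving just enough host bits (18 -> /27, 46 -> /26)."""
    return 32 - host_bits_for(hosts)


def usable_hosts(prefix_len: int) -> int:
    """Host numbers minus the network and broadcast addresses (/27 -> 30)."""
    return 2 ** (32 - prefix_len) - 2


def wasted_addresses(prefix_len: int, needed: int) -> int:
    """Unused host numbers in a fixed-size block (/16 for 400 hosts -> 65136)."""
    return 2 ** (32 - prefix_len) - needed


def subnet_binary(cidr: str) -> str:
    """Lesson notation: network bits in binary, host bits as 'x'.
    '192.14.17.128/27' -> '11000000 . 00001110 . 00010001 . 100xxxxx'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    bits = f"{int(net.network_address):032b}"
    shown = bits[: net.prefixlen] + "x" * (32 - net.prefixlen)
    return " . ".join(shown[i : i + 8] for i in range(0, 32, 8))


def vlsm_allocate(parent_cidr: str, host_counts):
    """Carve a parent block into right-sized subnets, largest request first so
    each subnet starts on a multiple of its own size. Returns a list of
    (hosts_requested, 'a.b.c.d/len') or raises ValueError if it does not fit."""
    parent = ipaddress.IPv4Network(parent_cidr, strict=False)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    allocations = []
    for hosts in sorted(host_counts, reverse=True):
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        cursor = -(-cursor // size) * size  # round up to the next size boundary
        if cursor + size > end:
            raise ValueError(f"{hosts} hosts do not fit in {parent_cidr}")
        allocations.append((hosts, str(ipaddress.IPv4Network((cursor, plen)))))
        cursor += size
    return allocations


if __name__ == "__main__":
    print(to_binary("208.98.192.170"), "class", address_class("172.16.1.0"))
    print(subnet_binary("172.16.2.0/24"))
    for hosts, net in vlsm_allocate("192.14.17.0/24", [18, 46]):
        plen = int(net.split("/")[1])
        print(hosts, "hosts ->", net, subnet_binary(net), "usable:", usable_hosts(plen))
```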
Understanding IPv6 Address Space, Addressing, Address Format, and Address Types
- Understanding IP Version 6 (IPv6)
- Understanding IPv6 Address Types and How Junos OS for SRX Series Services Gateway Uses Them
- IPv6 Address Scope
- IPv6 Address Structure
- Understanding IPv6 Address Space, Addressing, and Address Types
- Understanding IPv6 Address Format
Understanding IP Version 6 (IPv6)
The ongoing expansive growth of the Internet, and the need to provide IP addresses to
accommodate it—to support increasing numbers of new users, computer networks, Internet-enabled
devices, and new and improved applications for collaboration and communication—is
driving the adoption of a new IP protocol. IPv6, with its robust architecture, was designed
to satisfy these current and anticipated near-future requirements.
IP version 4 (IPv4) is widely used throughout the world today for the Internet, intranets, and
private networks. IPv6 builds upon the functionality and structure of IPv4 in the following ways:
- Provides a simplified and enhanced packet header to allow for more efficient routing.
- Improves support for mobile phones and other mobile computing devices.
- Enforces increased, mandatory data security through IPsec (which was originally designed for it).
- Provides more extensive quality-of-service (QoS) support.
IPv6 addresses consist of 128 bits, instead of 32 bits, and include a scope field that identifies the
type of application suitable for the address. IPv6 does not support broadcast addresses, but
instead uses multicast addresses for broadcast. In addition, IPv6 defines a new type of address
called anycast.
Understanding IPv6 Address Types and How Junos OS for SRX Series Services Gateway Uses
Them
IP version 6 (IPv6) includes the following types of addresses:
- Unicast
A unicast address specifies an identifier for a single interface to which packets are delivered.
Under IPv6, the vast majority of Internet traffic is foreseen to be unicast, and it is for this reason
that the largest assigned block of the IPv6 address space is dedicated to unicast addressing.
Unicast addresses include all addresses other than loopback, multicast, link-local-unicast, and
unspecified.
For SRX Series Firewalls, the flow module supports the following kinds of IPv6 unicast packets:
- Pass-through unicast traffic, including traffic from and to virtual routers. The
device transmits pass-through traffic according to its routing table.
- Host-inbound traffic from and to devices directly connected to SRX Series
interfaces. For example, host-inbound traffic includes logging, routing protocol,
and management types of traffic. The flow module sends these unicast packets to
the Routing Engine and receives them from it. Traffic is processed by the Routing
Engine instead of by the flow module, based on routing protocols defined for the
Routing Engine.
The flow module supports all routing and management protocols that run on the Routing Engine.
Some examples are OSPFv3, RIPng, TELNET, and SSH.
- Multicast
A multicast address specifies an identifier for a set of interfaces that typically belong to different
nodes. It is identified by a value of 0xFF. IPv6 multicast addresses are distinguished from unicast
addresses by the value of the high-order octet of the addresses.
The devices support only host-inbound and host-outbound multicast traffic. Host inbound traffic
includes logging, routing protocols, management traffic, and so on.
- Anycast
An anycast address specifies an identifier for a set of interfaces that typically belong to different
nodes. A packet with an anycast address is delivered to the nearest node, according to routing
protocol rules.
There is no difference between anycast addresses and unicast addresses except for the subnet-
router address. For an anycast subnet-router address, the low order bits, typically 64 or more, are
zero. Anycast addresses are taken from the unicast address space.
The flow module treats anycast packets in the same way as it handles unicast packets. If an
anycast packet is intended for the device, it is treated as host-inbound traffic, and the flow module
delivers it to the protocol stack, which continues processing it.

IPv6 Address Scope


Unicast and multicast IPv6 addresses support address scoping, which identifies the application
suitable for the address.
Unicast addresses support global address scope and two types of local address scope:
- Link-local unicast addresses—Used only on a single network link. The first 10 bits of the
prefix identify the address as a link-local address. Link-local addresses cannot be used
outside the link.
- Site-local unicast addresses—Used only within a site or intranet. A site consists of
multiple network links. Site-local addresses identify nodes inside the intranet and cannot
be used outside the site.
Multicast addresses support 16 different types of address scope, including node, link, site,
organization, and global scope. A 4-bit field in the prefix identifies the address scope.
IPv6 Address Structure
Unicast addresses identify a single interface. Each unicast address consists of n bits for the
prefix, and 128 – n bits for the interface ID.
Multicast addresses identify a set of interfaces. Each multicast address consists of the first 8 bits
of all 1s, a 4-bit flags field, a 4-bit scope field, and a 112-bit group ID:
11111111 | flgs | scop | group ID
The first octet of 1s identifies the address as a multicast address. The flags field identifies
whether the multicast address is a well-known address or a transient multicast address. The scope
field identifies the scope of the multicast address. The 112-bit group ID identifies the multicast
group.
Similar to multicast addresses, anycast addresses identify a set of interfaces. However, packets
are sent to only one of the interfaces, not to all interfaces. Anycast addresses are allocated from
the normal unicast address space and cannot be distinguished from a unicast address in format.
Therefore, each member of an anycast group must be configured to recognize certain addresses
as anycast addresses.
Understanding IPv6 Address Space, Addressing, and Address Types
Addressing is the area where most of the differences between IP version 4 (IPv4) and IPv6 exist,
but the changes are largely about the ways in which addresses are implemented and used. IPv6
has a vastly larger address space than the nearly exhausted IPv4 address space. IPv6
increases the size of the IP address from the 32 bits that compose an IPv4 address to 128 bits.
Each extra bit given to an address doubles the size of the address space.
IPv4 has been extended using techniques such as Network Address Translation (NAT), which
allows for ranges of private addresses to be represented by a single public address, and
temporary address assignment. Although useful, these techniques fall short of the requirements
of novel applications and environments such as emerging wireless technologies, always-on
environments, and Internet-based consumer appliances.
In addition to the increased address space, IPv6 addresses differ from IPv4 addresses in the
following ways:
- Includes a scope field that identifies the type of application that the address pertains to
- Does not support broadcast addresses, but instead uses multicast addresses to broadcast a
packet
- Defines a new type of address, called anycast
Understanding IPv6 Address Format
All IPv6 addresses are 128 bits long, written as 8 sections of 16 bits each. They are expressed in
hexadecimal representation, so the sections range from 0 to FFFF. Sections are delimited by
colons, and leading zeroes in each section may be omitted. If two or more consecutive sections
have all zeroes, they can be collapsed to a double colon.
IPv6 addresses consist of 8 groups of 16-bit hexadecimal values separated by colons (:). IPv6
addresses have the following format:
aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa
Each aaaa is a 16-bit hexadecimal value, and each a is a 4-bit hexadecimal value. Following is a
sample IPv6 address:
3FFE:0000:0000:0001:0200:F8FF:FE75:50DF
You can omit the leading zeros of each 16-bit group, as follows:
3FFE:0:0:1:200:F8FF:FE75:50DF
You can compress 16-bit groups of zeros to double colons (::) as shown in the following
example, but only once per address:
3FFE::1:200:F8FF:FE75:50DF
An IPv6 address prefix is a combination of an IPv6 prefix (address) and a prefix length. The
prefix takes the form ipv6-prefix/prefix-length and represents a block of address space (or a
network). The ipv6-prefix variable follows general IPv6 addressing rules. The prefix-
length variable is a decimal value that indicates the number of contiguous, higher-order bits of
the address that make up the network portion of the address. For example,
10FA:6604:8136:6502::/64 is a possible IPv6 prefix with zeros compressed. The site prefix of
the IPv6 address 10FA:6604:8136:6502::/64 is contained in the leftmost 64
bits, 10FA:6604:8136:6502.
For more information on the text representation of IPv6 addresses and address prefixes, see RFC
4291, IP Version 6 Addressing Architecture.
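An added Python example (not code from the Junos documentation) that implements the text-representation rules above: expanding and compressing addresses, rejecting a second ::, splitting an ipv6-prefix/prefix-length into its network part, and decoding the multicast flags and scope fields and the link-local prefix from the address-structure and address-scope sections. The scope names in MULTICAST_SCOPES are the RFC 4291 assignments; the sample addresses are the page's own.

```python
import re

# Added example (not from the Junos documentation): text-form handling and
# classification of IPv6 addresses using the rules described in this lesson.
_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def expand(addr: str) -> list:
    """Eight 16-bit groups as integers; undoes leading-zero omission and the
    single '::' compression, rejecting a second '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once per address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return [int(g, 16) for g in groups]


def full_form(addr: str) -> str:
    """'3FFE::1:200:F8FF:FE75:50DF' -> '3FFE:0000:0000:0001:0200:F8FF:FE75:50DF'."""
    return ":".join(f"{g:04X}" for g in expand(addr))


def compress(addr: str) -> str:
    """Drop leading zeros and replace the longest run of two or more zero groups
    (the first one on a tie) with '::', so the double colon is used only once."""
    groups = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i >= 2 and j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    text = [f"{g:X}" for g in groups]
    if best_len == 0:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def classify(addr: str) -> dict:
    """Address type from the high-order bits; multicast flags and scope decoded."""
    g = expand(addr)
    if all(x == 0 for x in g):
        return {"type": "unspecified"}
    if g[:7] == [0] * 7 and g[7] == 1:
        return {"type": "loopback"}
    if g[0] >> 8 == 0xFF:  # 11111111 | flgs | scop | group ID
        flags, scope = (g[0] >> 4) & 0xF, g[0] & 0xF
        return {"type": "multicast", "transient": bool(flags & 0x1),
                "scope": MULTICAST_SCOPES.get(scope, f"unassigned({scope:X})"),
                "group_id": ":".join(f"{x:04X}" for x in g[1:])}
    if g[0] >> 6 == 0xFE80 >> 6:  # first 10 bits 1111111010: link-local
        return {"type": "link-local unicast"}
    if g[0] >> 6 == 0xFEC0 >> 6:  # first 10 bits 1111111011: site-local
        return {"type": "site-local unicast"}
    return {"type": "global unicast"}


def split_prefix(text: str):
    """'ipv6-prefix/prefix-length' -> (compressed prefix with host bits cleared, length)."""
    addr, length = text.rsplit("/", 1)
    length = int(length)
    if not 0 <= length <= 128:
        raise ValueError("prefix-length must be between 0 and 128")
    value = 0
    for g in expand(addr):
        value = (value << 16) | g
    net = value & (((1 << length) - 1) << (128 - length))
    groups = [(net >> (16 * (7 - k))) & 0xFFFF for k in range(8)]
    return compress(":".join(f"{g:X}" for g in groups)), length


if __name__ == "__main__":
    print(full_form("3FFE::1:200:F8FF:FE75:50DF"))
    print(compress("3FFE:0000:0000:0001:0200:F8FF:FE75:50DF"))
    print(classify("FF02::1"), classify("FE80::1"))
    print(split_prefix("10FA:6604:8136:6502::/64"))
```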
Limitations
SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices have the following
limitations:
- Changes in source AS and destination AS are not immediately reflected in exported flows.
- IPv6 traffic transiting over IPv4 based IP over IP tunnel (for example, IPv6-over-IPv4
using ip-x/x/x interface) is not supported.
Configuring the inet6 IPv6 Protocol Family
In configuration commands, the protocol family for IPv6 is named inet6. In the configuration
hierarchy, instances of inet6 are parallel to instances of inet, the protocol family for IPv4. In
general, you configure inet6 settings and specify IPv6 addresses in parallel to inet settings and
IPv4 addresses.
NOTE:
On SRX Series Firewalls, on configuring identical IPs on a single interface, you will not see a
warning message; instead, you will see a syslog message.
The following example shows the CLI commands you use to configure an IPv6 address for an
interface:
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.100.37.178/24;
        }
    }
}

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> ccc                  Circuit cross-connect parameters
> ethernet-switching   Ethernet switching parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters
> iso                  OSI ISO protocol parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 address 8d8d:8d01::1/64
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.100.37.178/24;
        }
        family inet6 {
            address 8d8d:8d01::1/64;
        }
    }
}

Lesson 3: Network security devices (firewalls, IDS/IPS) and concepts.

This article will discuss the differences between network security devices – firewalls, Intrusion
Prevention Systems (IPS), and Intrusion Detection Systems (IDS). The major distinction is that a
firewall blocks and filters network traffic, whereas an IDS/IPS detects and alerts an administrator or
prevents the attack, depending on the setup.
A firewall permits traffic depending on a set of rules that have been set up, based on the
source address, destination address, and port. A firewall can deny any traffic that does not satisfy the
specified criteria. An IDS is a passive monitoring device that watches network traffic as it
travels over the network, compares it against signature patterns, and raises an alarm if suspicious activity or a
known security threat is detected. An IPS, on the other hand, is an active device that prevents attacks
by blocking them.

Firewalls
A firewall employs rules to filter incoming and outgoing network traffic. It uses IP addresses and port numbers to filter traffic. It can be deployed in either Layer 3 (routed) mode or transparent mode. The firewall should be the first line of defense and installed inline at the network’s perimeter.
There are also different types of firewalls, such as the proxy firewall, stateful inspection firewall, unified threat management (UTM) firewall, next-generation firewall (NGFW), threat-focused NGFW, and virtual firewall.

Intrusion Prevention System (IPS)
An IPS is a device that inspects, detects, classifies, and proactively prevents harmful traffic. It examines real-time communications for attack patterns or signatures and then blocks attacks when they are detected. It is placed and configured in inline mode, generally at Layer 2 behind the firewall. In inline mode, traffic passes into one of the device’s Ethernet ports and out of the other.
An Intrusion Prevention System must work efficiently to avoid degrading network performance. It must be fast because exploits can occur at any time. To stop threats while avoiding false positives, the IPS must detect and respond accurately.
Some of the actions an IPS can take include:
• Alerting network administrators (anomaly-based detection)
• Dropping the malicious traffic
• Denying traffic from the source address
• Resetting the connection

Intrusion Detection System (IDS)

An IDS is either a hardware device or a software program that analyzes incoming network traffic for malicious activity or policy breaches (network behavior analysis) and issues alerts when they are detected. It monitors real-time traffic, searches for attack signatures or traffic patterns, and then sends out alarms. Unlike an IPS, a network Intrusion Detection System is not inline with the data path, so it can only alert and alarm when it detects anomalies.
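To make the three behaviours described in the Firewalls, IPS and IDS sections concrete, the following is an added toy pipeline (not part of the original chapter or any vendor product): the firewall filters on addresses and ports only, the IDS sees a mirrored copy and can only record alerts, and the IPS runs inline on the same signature engine but drops the packet and denies the offending source afterwards. Every address, rule, signature string and packet below is constructed sample data.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src dst dport payload")

# Firewall rules: (source prefix, destination or None, port or None, action); first match wins.
FIREWALL_RULES = [
    ("10.0.0.", "10.1.1.5", 22, "deny"),  # no SSH from the guest subnet
    ("10.0.0.", "10.1.1.5", 443, "permit"),
    ("192.168.", None, None, "permit"),  # whole office range allowed
]

def firewall(pkt):
    for src, dst, dport, action in FIREWALL_RULES:  # payload is never inspected here
        if pkt.src.startswith(src) and dst in (None, pkt.dst) and dport in (None, pkt.dport):
            return action
    return "deny"  # implicit default deny when no rule matches

# Constructed signature patterns; a real IDS/IPS carries a large vendor signature database.
SIGNATURES = {b"CONSTRUCTED-EXPLOIT-PATTERN": "sig-001", b"CONSTRUCTED-POLICY-VIOLATION": "sig-002"}

class Sensor:
    """Same signature engine for IDS and IPS; only the response differs: an IDS is passive
    and only alerts, an IPS is inline, drops the packet and then denies that source."""
    def __init__(self, mode):
        self.mode, self.alerts, self.blocked_sources = mode, [], set()
    def process(self, pkt):
        if self.mode == "ips" and pkt.src in self.blocked_sources:
            return "drop"  # deny further traffic from an offending source
        sid = next((s for pat, s in SIGNATURES.items() if pat in pkt.payload), None)
        if sid:
            self.alerts.append((sid, pkt.src))
            if self.mode == "ips":
                self.blocked_sources.add(pkt.src)
                return "drop"
        return "forward"  # an IDS never influences forwarding; alerting is all it does

def run_pipeline(packets):
    """Firewall at the perimeter, then the inline IPS; the IDS sees a copy of what the firewall passed."""
    ids, ips, results = Sensor("ids"), Sensor("ips"), []
    for pkt in packets:
        if firewall(pkt) == "deny":
            results.append("fw-deny")
            continue
        ids.process(pkt)  # verdict discarded: a mirror port carries nothing back
        results.append("ips-" + ips.process(pkt))
    return results, ids, ips

SAMPLE = [  # constructed traffic, in arrival order
    Packet("10.0.0.7", "10.1.1.5", 22, b"ssh"),  # firewall denies via rule 1
    Packet("10.0.0.7", "10.1.1.5", 443, b"GET / HTTP/1.1"),  # clean, forwarded
    Packet("192.168.4.9", "10.1.1.5", 443, b"CONSTRUCTED-EXPLOIT-PATTERN"),  # permitted 5-tuple, IPS drops
    Packet("192.168.4.9", "10.1.1.5", 80, b"harmless"),  # IPS drops: the source is now denied
]
```

Running run_pipeline(SAMPLE) shows the third packet passing the firewall because its addresses and port are allowed, the IDS raising an alert without stopping it, and only the IPS actually dropping it and the later packet from the same source.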

IPS vs. IDS vs. Firewalls

Many organizations looking to improve their cybersecurity want to implement the best solution
without paying too much or spending vast amounts of time and energy setting it up.

That’s why many compare IDS vs. IPS vs. firewalls, to help themselves understand the
differences between these security approaches and identify which solutions are best for their
needs.

Fully understanding the benefits of each solution and (more importantly) how they work together
is critical in ensuring that your organization’s approach to cybersecurity is proactive against
threats without slowing down productivity.
IPS vs. IDS

On the surface, IPS and IDS systems look very similar. They are both responsible for overseeing
network traffic and monitoring for suspicious activity. They identify suspicious or anomalous
activity by reading a database of known threats and comparing incoming traffic to that
information.

However, IDS and IPS differ in what happens after a threat or suspicious activity is identified.

• IDS systems exist as a monitoring tool and are not capable of taking any action other than reporting the threat. If any proactive action needs to be taken, it must be triggered by a human who reads the system alert and decides what should be done next.

• IPS systems make decisions about suspicious activity or traffic and subsequently take action based on a set of rules. These rules typically come from a reliable external source, allowing the system to act on its own based on the prescribed rules.

IPS vs. Firewalls

Comparing IPS vs. firewalls can be challenging since they both work to prevent bad actors from
entering a closed system. Both do this by comparing incoming traffic to pre-programmed
intelligence. However, there are critical differences in how they operate.

• IPS systems or devices inspect traffic with the ultimate goal of identifying suspicious patterns or signatures. If a pattern matches something that has already been identified as suspicious, the system blocks the attack.

• In contrast, a firewall filters traffic based on IP addresses without analyzing the broader pattern. A firewall should always be the first line of defense against bad actors.

IDS vs. Firewalls


While an IDS and a firewall are both devices that can help prevent bad actors from gaining entry
into your system, they work in different ways.

• An IDS system exists to alert IT personnel and other stakeholders about potential suspicious events. It does not block any traffic or provide protection itself.

• A firewall is a complementary technology, since it blocks activity originating from known suspicious IP addresses or entities.
