Session 04

Technologies That Tie It All Together

From Layer 1 cables to Layer 4 firewalls. Switches, routers, NAT, and the complete stack that makes networks work. The unified architecture.

David Emiru Egwell
CTO · SprintUG Internet Limited
5 Major Technologies · 7 OSI Layers · 3 Routing Protocols · Possibilities

Session Outline

Layer 1: The Physical Net — Cables & Fiber

Everything starts here. Data is electricity. Before packets, before IP addresses, before anything — there are cables. Layer 1 is the literal wires that carry electrical signals.

The Standard Copper Cable: RJ45

RJ45 (Registered Jack 45) is the connector on the ubiquitous copper network cable. Eight tiny wires, twisted together in four pairs, arranged in a specific color order (568B: Orange-White, Orange, Green-White, Blue, Blue-White, Green, Brown-White, Brown).

RJ45: The Apartment Building's Water Pipes

Think of an RJ45 cable as the water pipes connecting the apartment building to the city water supply. Eight wires = eight pipes, each carrying a signal. Which of the two wiring standards you use (T568A or T568B) doesn't matter, as long as both ends match. It's the consistency that matters.

RJ45 Pinout (568B Standard):

  1. Orange/White → Transmit Data +
  2. Orange       → Transmit Data -
  3. Green/White  → Receive Data +
  4. Blue         → (unused by 10/100 Mbps Ethernet; used by Gigabit)
  5. Blue/White   → (unused by 10/100 Mbps Ethernet; used by Gigabit)
  6. Green        → Receive Data -
  7. Brown/White  → (unused by 10/100 Mbps Ethernet; used by Gigabit)
  8. Brown        → (unused by 10/100 Mbps Ethernet; used by Gigabit)

Modern Gigabit Ethernet uses all 8 wires for increased bandwidth. The twist rate of the wires reduces electromagnetic interference (EMI). Maximum length: 100 meters per segment (industry standard).

Fiber Optics: The High-Speed Alternative

For long distances and high speeds, fiber optic cables dominate. Instead of electricity, fiber uses light to transmit data. Two main types:

┌─────────────────────────┬────────────┬──────────────┬────────────────────┬───────────────────────────────┐
│ Type                    │ Core Size  │ Distance     │ Speed              │ Use Case                      │
├─────────────────────────┼────────────┼──────────────┼────────────────────┼───────────────────────────────┤
│ Single-Mode Fiber (SMF) │ 8–10 μm    │ 10–100 km+   │ 10 Gbps – 400 Gbps │ Long-distance, ISP backbone   │
│ Multi-Mode Fiber (MMF)  │ 50–62.5 μm │ 500 m – 2 km │ 1 Gbps – 100 Gbps  │ Data centers, campus networks │
└─────────────────────────┴────────────┴──────────────┴────────────────────┴───────────────────────────────┘

Single-Mode vs. Multi-Mode: The Difference

Single-Mode Fiber (SMF)

Core Diameter: 8–10 micrometers (super narrow)

Light Path: Only one path (mode) for light to travel = straight line = minimal distortion

Distance: 10–100+ kilometers without repeaters

Advantage: Low attenuation; ideal for long distances

Cost: Expensive lasers required

Color Code: Yellow sheath

Multi-Mode Fiber (MMF)

Core Diameter: 50–62.5 micrometers (much wider)

Light Path: Multiple paths (modes) for light = bouncing around = some dispersion

Distance: 500 m – 2 km before the signal degrades

Advantage: Cheaper LEDs; good for shorter distances

Cost: Lower cost than SMF

Color Code: Orange or aqua sheath

SFPs: Small Form-Factor Pluggables

An SFP (Small Form-Factor Pluggable) is a transceiver module — a hot-swappable optical module that converts electrical signals to light (or vice versa). It plugs into a router or switch.

SFP Markings (example on a fiber module):

  ┌─────────────────────────────────────┐
  │ SFP-10G-LR                          │
  │ Single Mode / 10km / 9.95 Gbps      │
  │ Made in China                       │
  │ 0°C to 70°C operating               │
  └─────────────────────────────────────┘

Reading the label "SFP-10G-LR":

  SFP → form factor
  10G → speed (10G = 10 Gbps)
  LR  → distance code (long reach)

Common SFP types:

  • SFP-1G-SX  = 1 Gbps, Multi-Mode, short distance (~550 m)
  • SFP-1G-LX  = 1 Gbps, Single-Mode, long distance (~10 km)
  • SFP-10G-SR = 10 Gbps, Multi-Mode, medium distance (~300 m)
  • SFP-10G-LR = 10 Gbps, Single-Mode, long distance (~10 km)
  • SFP-10G-ER = 10 Gbps, Single-Mode, extra long distance (~40 km)

Reading the Kilometers on SFP Labels

The distance marking on an SFP shows the maximum reach of that module before signal degradation becomes unacceptable. This depends on:

  • Fiber type: Single-mode can go much farther than multi-mode
  • Wavelength: 850 nm for shorter distances; 1310 nm or 1550 nm for longer
  • Signal power: Stronger lasers = longer reach
  • Fiber quality: Clean, well-maintained fiber = longer reach

Real-World Example: SprintUG has a data center 15 km away. They need SFPs rated for at least 15 km. They choose SFP-10G-LR (single-mode, 10 km rated). But they test at 18 km and it works because the installation is clean and the fiber is new. They confirm with the vendor before deploying.

Layer 2: Switches — MAC Addresses & VLANs

Layer 1 provides the physical wires. Layer 2 uses those wires to deliver frames between devices on the same network segment. The key identifier is the MAC address.

MAC Addresses: The Building's Room Numbers

Recall from Session 01: every network interface has a unique 48-bit MAC address (Media Access Control). It's burned into the hardware during manufacture and identifies a device on the local network.

MAC in the Apartment Model

In Session 03, we said the IP address is the apartment building (192.168.1.1). The MAC address is the room number inside that building. Two residents in different rooms (different MACs) can share the same building (same IP subnet). A switch uses MAC addresses to forward frames to the correct physical port.

How a Switch Works: The MAC Address Table

A switch is a Layer 2 device. It has many ports (8, 24, 48, or more), and it forwards frames based on MAC addresses using an internal table:

Switch MAC Address Table (dynamically built):

  ┌──────────────────────────────────┬──────────────┐
  │ Destination MAC                  │ Switch Port  │
  ├──────────────────────────────────┼──────────────┤
  │ 00:1a:2b:3c:4d:5e (Irene's PC)   │ Port 1       │
  │ 00:2f:5a:3c:8d:9e (Dennis' PC)   │ Port 2       │
  │ 00:4b:6c:3a:1d:7f (Printer)      │ Port 3       │
  │ 00:8e:9f:4d:2a:1c (Server)       │ Port 4       │
  │ 00:3d:5a:2b:8c:9f (Daudi's PC)   │ Port 5       │
  └──────────────────────────────────┴──────────────┘

How the switch learns:

  1. Frame arrives on Port 1 from 00:1a:2b:3c:4d:5e
  2. Switch sees: "Ah! Port 1 is connected to 00:1a:2b:3c:4d:5e"
  3. Switch adds entry: 00:1a:2b:3c:4d:5e → Port 1
  4. When a frame destined for that MAC arrives, forward to Port 1

If a destination MAC is NOT in the table:
  → FLOOD the frame to all ports (except the incoming port)
  → The destination will respond, and the switch learns its MAC

This MAC table is built dynamically through a process called MAC learning. It's temporary (entries expire after 5–15 minutes) and self-healing.
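To make the learning, flooding and aging steps concrete, here is an added simulation written for this page (not a vendor's switch firmware). The MAC addresses are the ones from the table above; the 300-second aging time is an assumption within the 5–15 minute range the text gives, and the move log is an added monitoring hook: a known MAC suddenly appearing on a different port is normal when a device is re-patched, but frequent moves are worth alerting on.

```python
"""Simulation of Layer 2 MAC learning (illustrative code for this page).

Assumptions: entries age out after AGING_SECONDS of inactivity (300 s);
port numbers are 1..N; the broadcast address is always flooded.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300                     # assumption: 5-minute aging timer
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    ports: int
    # mac -> (port, last_seen): the dynamically built MAC address table
    table: dict = field(default_factory=dict)
    # (mac, old_port, new_port, time): MAC moves, for monitoring/alerting
    mac_moves: list = field(default_factory=list)

    def _expire(self, now):
        """Drop entries not refreshed within the aging window (self-healing)."""
        stale = [m for m, (_, seen) in self.table.items()
                 if now - seen > AGING_SECONDS]
        for m in stale:
            del self.table[m]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame; return the list of ports it is forwarded to."""
        self._expire(now)
        # Steps 1-3: learn (or refresh) the source MAC on the incoming port.
        prev = self.table.get(src_mac)
        if prev is not None and prev[0] != in_port:
            self.mac_moves.append((src_mac, prev[0], in_port, now))
        self.table[src_mac] = (in_port, now)
        # Step 4: forward to the learned port; flood if unknown or broadcast.
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [p for p in range(1, self.ports + 1) if p != in_port]
        out_port = self.table[dst_mac][0]
        # Never send a frame back out the port it arrived on.
        return [] if out_port == in_port else [out_port]
```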

VLANs: Virtual Networks Inside One Switch

A VLAN (Virtual LAN) is a logical grouping of ports on a switch, isolated from each other. One physical switch can act like multiple switches.

Example: a 24-port switch, 4 departments:

  VLAN 10 (Finance):    Ports 1–6    (192.168.10.0/24)
  VLAN 20 (HR):         Ports 7–12   (192.168.20.0/24)
  VLAN 30 (IT):         Ports 13–18  (192.168.30.0/24)
  VLAN 40 (Marketing):  Ports 19–24  (192.168.40.0/24)

Benefits:
  ✓ Devices in VLAN 10 CANNOT talk directly to VLAN 20
  ✓ Each VLAN has its own broadcast domain
  ✓ Isolation by policy, not by hardware
  ✓ Easy to reorganize: just move a port to a different VLAN
  ✓ Cost-effective: one switch, many networks

To communicate between VLANs:
  → Traffic must go through a Layer 3 device (router)
  → The router has interfaces in each VLAN
  → The router handles the IP routing between subnets

Tying It Back to Previous Sessions

How does Layer 2 relate to what we've learned?

  • IP Addresses (Session 01, 03): IP works at Layer 3. Layer 2 delivers frames to the MAC address on the same subnet. When you ping 192.168.1.100, your PC asks: "What MAC has that IP?" The answer comes from ARP (Address Resolution Protocol).
  • MAC Addresses (Session 01): The physical address that uniquely identifies a device locally.
  • Sockets & Ports (Session 02, 03): Ports are Layer 4 (or application). Switches don't care about ports; they care about MACs.

Layer 3: Routers — How Routing Works

A router is a Layer 3 device. It connects different networks (subnets) and forwards IP packets between them. While a switch operates on MAC addresses within a single segment, a router operates on IP addresses across many segments.

The Router: The Postal Service

The Mail Carrier Analogy

A switch is like a mailroom inside a building — it delivers mail to rooms using room numbers (MAC addresses). A router is like the postal service — it takes mail and looks at the address (IP) to decide which town/region to send it to. If you send mail to a different city, you need the postal service (router). Mail within your building goes through the mailroom (switch).

The Routing Table: The Router's Decision Map

A router has a routing table that tells it: "For packets destined to this network, send them to this next hop." Routers don't know the full path to the destination; they just know the next step.

Example Routing Table (SprintUG Router):

  ┌──────────────────────────┬─────────────────┬──────────┬───────┐
  │ Destination Network      │ Next Hop (GW)   │ Metric   │ Proto │
  ├──────────────────────────┼─────────────────┼──────────┼───────┤
  │ 192.168.1.0/24           │ Direct (local)  │ 0        │ C     │
  │ 192.168.2.0/24           │ 192.168.1.254   │ 10       │ O     │
  │ 10.0.0.0/8               │ 192.168.1.250   │ 20       │ B     │
  │ 172.16.0.0/12            │ 192.168.1.249   │ 110      │ O     │
  │ 0.0.0.0/0 (Default Route)│ 197.248.25.1    │ 1        │ S     │
  └──────────────────────────┴─────────────────┴──────────┴───────┘

Key columns:
  • Destination Network: The IP subnet we're routing to
  • Next Hop Gateway: The neighbor router's IP to forward to
  • Metric: The "cost" of using this route (lower = better)
  • Proto: How the route was learned (C=Connected, O=OSPF, B=BGP, S=Static)

Three Major Routing Protocols

RIP (Routing Information Protocol)

Type: Distance-Vector Interior Gateway Protocol (IGP)

Metric: Hop count (max 15)

Update Frequency: Every 30 seconds (inefficient)

Convergence: Slow (minutes)

Use Today: Legacy networks only. Rarely used in modern networks.

Versions: RIPv1 (classful), RIPv2 (classless)

OSPF (Open Shortest Path First)

Type: Link-State Interior Gateway Protocol (IGP)

Metric: Cost based on link bandwidth (1–65535)

Update Frequency: Event-driven (fast)

Convergence: Fast (seconds)

Use Today: Common in enterprise networks, ISP backbones

Versions: OSPF v2 (IPv4), OSPF v3 (IPv6)

BGP (Border Gateway Protocol)

Type: Path-Vector Exterior Gateway Protocol (EGP)

Metric: AS path length (how many ASes traversed)

Update Frequency: Incremental (very efficient)

Convergence: Slow (minutes, but stable)

Use Today: THE protocol for the Internet backbone

Versions: BGPv4 (current standard)

The Difference: RIP is old and slow. OSPF is modern and efficient for enterprise networks. BGP is the Internet's nervous system — it's what ISPs use to route trillions of packets between autonomous systems.

How a Packet Routes Across the Internet

When Irene (192.168.1.3) sends a packet to Google (8.8.8.8), here's what happens:

1. Irene's PC checks: Is 8.8.8.8 on my local network (192.168.1.0/24)?
   → No. Not in my subnet.
   → I need to send it to the default gateway.

2. Irene sends the packet to 192.168.1.1 (SprintUG router):
   [SRC IP: 192.168.1.3]  [DST IP: 8.8.8.8]
   [SRC MAC: Irene's NIC] [DST MAC: Router's MAC]

3. Router receives the packet on Port 1 (192.168.1.1). Router checks its routing table:
   "8.8.8.8... no specific route matches, so the default route 0.0.0.0/0 applies"
   Route says: "Send it to next hop 197.248.25.1 (ISP Gateway)"

4. Before forwarding, the router REWRITES the frame:
   [SRC IP: 192.168.1.3]             [DST IP: 8.8.8.8]
   [SRC MAC: Router's external port] [DST MAC: ISP Gateway MAC]

5. Router sends the packet to the ISP Gateway. The ISP Gateway checks its routing table, forwards to its next hop...
   This continues hop-by-hop until the packet reaches Google's network.

6. Google's network recognizes 8.8.8.8 as local and forwards to the actual server. The server responds:
   [SRC IP: 8.8.8.8] [DST IP: 192.168.1.3]

7. The response travels backward through the same hops. Each router reverses the MAC rewrite (but NOT the IP addresses).

8. Irene receives the response from 8.8.8.8.

Total time: ~30–50 milliseconds. Data traveled through ~10–15 hops.

Key insight: In plain routing, the IP source and destination NEVER change; only the source/destination MACs change at each hop. NAT, covered below, is the one exception: a NAT router does rewrite the source IP to its public address.
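The lookup in step 3 is a longest-prefix match over the routing table shown earlier: the most specific matching prefix wins, and the metric only breaks ties between equal-length prefixes. The following added example (written for this page, not a router's code) reproduces that table and resolves a few destinations, including 8.8.8.8, which matches nothing more specific than the default route.

```python
"""Longest-prefix routing lookup over the page's example table.

Illustrative code for this page, not a router implementation. The table
entries are the ones shown above; "direct" marks a connected network.
"""
import ipaddress

# (destination network, next hop or "direct", metric, protocol)
ROUTING_TABLE = [
    ("192.168.1.0/24", "direct",        0,   "C"),
    ("192.168.2.0/24", "192.168.1.254", 10,  "O"),
    ("10.0.0.0/8",     "192.168.1.250", 20,  "B"),
    ("172.16.0.0/12",  "192.168.1.249", 110, "O"),
    ("0.0.0.0/0",      "197.248.25.1",  1,   "S"),
]


def lookup(dst_ip, table=ROUTING_TABLE):
    """Return (network, next_hop) for dst_ip, or None if nothing matches.

    The default route 0.0.0.0/0 contains every address, so it can only win
    when no longer prefix matches, regardless of its low metric.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (network, next_hop, metric, proto)
    for net, next_hop, metric, proto in table:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        if (best is None
                or network.prefixlen > best[0].prefixlen
                or (network.prefixlen == best[0].prefixlen and metric < best[2])):
            best = (network, next_hop, metric, proto)
    return None if best is None else (str(best[0]), best[1])
```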

Layer 4+: Firewalls — The Complete Security Story

Everything so far is the infrastructure. But who is allowed where? That's where firewalls come in. A firewall is a policy engine that decides whether a packet should be allowed or blocked.

Firewalls: The Bouncers at the Club

Security in the Apartment Model

Routers and switches are the infrastructure (the city and the building). Firewalls are the bouncers at the door. They check: "Are you on the list? What's your ID? What time is it? Are you trying to enter a restricted floor?" If you fail the check, denied.

Types of Firewalls

┌───────────────────────────┬───────┬────────────────────────────────┬────────────────────────────────────────────┐
│ Type                      │ Layer │ What It Sees                   │ Decision Basis                             │
├───────────────────────────┼───────┼────────────────────────────────┼────────────────────────────────────────────┤
│ Stateless (Packet-filter) │ 3–4   │ Source/Dest IP, Port, Protocol │ Simple rules (block this port)             │
│ Stateful                  │ 3–4   │ Connection state, direction    │ Allow if part of an established connection │
│ Application-Layer (DPI)   │ 7     │ Actual application data        │ Content inspection, malware detection      │
└───────────────────────────┴───────┴────────────────────────────────┴────────────────────────────────────────────┘

Firewall Rules: The VIP List

Firewalls enforce rules. A rule says: "If a packet matches X criteria, then ALLOW/DENY/LOG it."

Example Firewall Rules (SprintUG):

  RULE 1:
    Direction:  INBOUND
    Interface:  External
    Source IP:  Any
    Dest IP:    197.248.25.100 (Our public IP)
    Dest Port:  443
    Protocol:   TCP
    Action:     ALLOW
    → Allow external customers to use HTTPS

  RULE 2:
    Direction:  INBOUND
    Interface:  External
    Source IP:  Any
    Dest IP:    197.248.25.100
    Dest Port:  80
    Protocol:   TCP
    Action:     ALLOW
    → Allow external customers to use HTTP

  RULE 3:
    Direction:  INBOUND
    Interface:  External
    Source IP:  Any
    Dest IP:    192.168.1.0/24 (Internal network)
    Dest Port:  Any
    Protocol:   Any
    Action:     DENY
    → Block external users from accessing the internal network directly

  RULE 4 (Default):
    Direction:  Any
    Action:     DENY
    → Deny anything not explicitly allowed (Default Deny Policy)

Order matters! The first matching rule wins.

Tying NAT and Ports Together

This is where Sessions 02, 03, and 04 converge. Recall:

  • Ports (Session 03): Each service runs on a specific port (3003, 3004, 80, 443)
  • NAT (Session 02): Translates internal IPs to public IPs
  • Firewalls (Now): Control what traffic is allowed

In a real company:

Internet User → tries to access https://company.com

  1. Browser does a DNS lookup → gets 197.248.25.100 (public IP)
  2. Browser connects to 197.248.25.100:443
  3. ISP's firewall (or the company's firewall) checks: Inbound, port 443, from the internet? Rule says: ALLOW
  4. Packet reaches the company router
  5. Router checks its NAT table: "Inbound traffic on public IP:443 → forward to internal 192.168.1.80:443"
  6. Internal server (Secure Lift apartment) on 192.168.1.80:443 receives the request
  7. Server processes and responds
  8. Response goes back through NAT (reversed)
  9. ISP forwards to the customer

From outside:
  They only see:  197.248.25.100:443
  They never see: 192.168.1.80

From inside:
  The server knows the real source IP: it came from [Customer IP], because the firewall/NAT recorded the state.

The State Table (Connection Tracking)

Modern firewalls are stateful. They track every active connection.

Firewall State Table:

  ┌──────────┬───────────────┬──────────┬─────────────┬──────────┬───────┐
  │ PROTOCOL │ SRC IP        │ SRC PORT │ DST IP      │ DST PORT │ STATE │
  ├──────────┼───────────────┼──────────┼─────────────┼──────────┼───────┤
  │ TCP      │ 197.248.1.50  │ 54321    │ 197.248...  │ 443      │ EST*  │
  │ TCP      │ 192.168.1.3   │ 39012    │ 8.8.8.8     │ 53       │ EST*  │
  │ UDP      │ 192.168.1.100 │ 5353     │ 224.0.0.251 │ 5353     │ NEW   │
  │ TCP      │ 197.248.2.100 │ 12345    │ 197.248...  │ 22       │ —     │
  └──────────┴───────────────┴──────────┴─────────────┴──────────┴───────┘

  * ESTABLISHED = both directions have been seen, connection is open
    NEW         = just initiated, waiting for response
    —           = BLOCKED by firewall rule (does not create a state entry)
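The rule list from "Firewall Rules: The VIP List" and this state table work together: new flows are judged by the first matching rule, replies to tracked flows are accepted without consulting the rules, and a blocked probe never creates state. The added example below (written for this page, not a product's filtering engine) models exactly that; the outbound-allow rule is an assumption implied by the ESTABLISHED DNS row, which the page's inbound-only rule list does not itself cover.

```python
"""Stateful first-match firewall modelling the page's rules and state table.

Illustrative code for this page. Assumption: internal hosts may initiate
outbound flows (the state table above implies it); flows are TCP/UDP and
identified by their 5-tuple.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the external interface
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (direction, destination network, dest port or None=any, proto or None=any, action)
RULES = [
    ("in",  "197.248.25.100/32", 443,  "tcp", "ALLOW"),  # Rule 1: HTTPS to public IP
    ("in",  "197.248.25.100/32", 80,   "tcp", "ALLOW"),  # Rule 2: HTTP to public IP
    ("in",  "192.168.1.0/24",    None, None,  "DENY"),   # Rule 3: no direct internal access
    ("out", "0.0.0.0/0",         None, None,  "ALLOW"),  # assumed: hosts may go outbound
]
DEFAULT_ACTION = "DENY"                                    # Rule 4: default deny


def first_match(pkt):
    """Walk the rules top to bottom; the first matching rule decides."""
    for direction, net, port, proto, action in RULES:
        if direction != pkt.direction:
            continue
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(net):
            continue
        if port is not None and port != pkt.dst_port:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        return action
    return DEFAULT_ACTION


def flow_key(pkt):
    """5-tuple of the flow in the direction it was initiated."""
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def reply_key(pkt):
    """5-tuple of the flow this packet would be a reply to (ends swapped)."""
    return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class StatefulFirewall:
    def __init__(self):
        self.state = {}   # flow_key -> "NEW" or "ESTABLISHED"

    def filter(self, pkt):
        """Return "ALLOW" or "DENY" for one packet.

        Tracked flows bypass the rules; the first reply marks the entry
        ESTABLISHED. Everything else goes through first_match, and only an
        allowed packet creates state, so a blocked probe leaves no entry.
        """
        if flow_key(pkt) in self.state:
            return "ALLOW"
        if reply_key(pkt) in self.state:
            self.state[reply_key(pkt)] = "ESTABLISHED"
            return "ALLOW"
        action = first_match(pkt)
        if action == "ALLOW":
            self.state[flow_key(pkt)] = "NEW"
        return action
```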

The Final Tie: The Apartment Block, Reimagined

Now you understand the complete stack. Let's bring it all home with one final unified model: the building is no longer just an IP address with ports. It's a complete network ecosystem.

"Every layer builds on the one below. Remove Layer 1, and nothing works. Misconfigure Layer 3, and the packets take the wrong path. Forget Layer 4, and hackers walk through the front door."

— Networking Truth

The Complete Apartment Building (192.168.1.0/24)

LAYER 1: THE PHYSICAL
  Building connected via:
    • RJ45 cables to internal switch (100 m max, Gigabit)
    • Fiber to ISP (10 km away, SFP-10G-LR, single-mode)
    • Each cable carries electrical/optical signals

LAYER 2: THE SWITCH
  24-port Switch (192.168.1.0/24):
    Port 1 → Irene   (MAC: 00:1a:2b:3c:4d:5e, IP: ...3)
    Port 2 → Dennis  (MAC: 00:2f:5a:3c:8d:9e, IP: ...4)
    Port 3 → Msabi   (MAC: 00:4b:6c:3a:1d:7f, IP: ...5)
    Port 4 → Ibrahim (MAC: 00:8e:9f:4d:2a:1c, IP: ...6)
    Port 5 → Daudi   (MAC: 00:3d:5a:2b:8c:9f, IP: ...7)
    Port 6 → Router  (192.168.1.1, gateway)
    Port 7 → Backup/Storage

LAYER 3: THE ROUTER
  Gateway: 192.168.1.1
    Internal Interface: 192.168.1.1 (talks to 192.168.1.0/24)
    External Interface: 197.248.25.100 (public IP)
  Routing Table:
    Local: 192.168.1.0/24 → Direct
    ISP:   0.0.0.0/0 → 197.248.25.1 (ISP gateway)
  Uses: OSPF (enterprise) and BGP (to ISP)

LAYER 4: NAT & FIREWALLS
  NAT Rules:
    Inside 192.168.1.0/24 → Masquerade to 197.248.25.100
    (All internal traffic looks like it comes from the public IP)
  Firewall Rules:
    Allow:   HTTPS (443) from internet to 197.248.25.100
    Allow:   HTTP (80) from internet to 197.248.25.100
    Block:   Internal network (192.168.1.0/24) from internet
    Allow:   SSH (22) from known IPs only (10.20.0.0/16)
    Default: Deny all others

LAYER 5–7: APPLICATIONS & SERVICES
  Services Running:
    Apartment 3003:    Irene's Dev Server (Node.js)
    Apartment 3004:    Dennis' Dev Server (Rails)
    Apartment 3005:    Msabi's API (Python)
    Apartment 3006:    Ibrahim's Backend (Go)
    Main Gate (80):    Web Reverse Proxy → 443
    Secure Lift (443): HTTPS with TLS → Internal services

How a Request Flows Through All Layers

Scenario: A customer visits https://sprintug.example.com from their home IP (203.0.113.50).

═ LAYER 1: PHYSICAL ═
  Customer at home → Their ISP → Internet backbone → SprintUG's ISP → SprintUG's building

═ LAYER 2: MAC ═
  Packet arrives on SprintUG's switch port (addressed to the Router's MAC):
    Source MAC: Customer's ISP gateway
    Dest MAC:   SprintUG Router's MAC

═ LAYER 3: IP ROUTING ═
  Router (197.248.25.100) receives:
    [SRC IP: 203.0.113.50] [DST IP: 197.248.25.100]
  Router checks its routing table: "Destination 197.248.25.100 is MY external interface"
  Deliver to port 443 (HTTPS)

═ LAYER 4: NAT & FIREWALL ═
  Firewall sees: Inbound, port 443 from 203.0.113.50
    Rule: ALLOW HTTPS from internet ✓ Passes the firewall
  NAT checks: "Inbound traffic on 197.248.25.100:443"
    "My NAT table says: forward to the internal server at 192.168.1.80:443"
  Router forwards internally:
    [SRC IP: 203.0.113.50]       [DST IP: 192.168.1.80]
    [SRC MAC: Router's internal] [DST MAC: Server's MAC]

═ LAYER 2: MAC (INTERNAL) ═
  Switch sees: Dest MAC: the Server's MAC (the host at 192.168.1.80)
  Switch lookup: "That MAC is on Port 4"
  Forward to Port 4

═ LAYER 1: PHYSICAL ═
  Packet travels on the RJ45 cable (Port 4 → Server)

═ LAYER 5–7: APPLICATION ═
  Server at 192.168.1.80:443 receives the HTTPS request:
    GET / HTTP/1.1
    Host: sprintug.example.com
    User-Agent: Mozilla/5.0...
  Server processes: TLS handshake → HTML generation → HTTPS response
  Response travels BACKWARD through all 7 layers.

═ RESULT ═
  Customer sees: Beautiful website
  Elapsed time: ~200 ms (5 hops to SprintUG, 5 back)
  All layers working in perfect harmony.

  Customer never knew:
    • 192.168.1.80 (internal IP)
    • 00:xx:xx:xx:xx:xx (MAC address)
    • RJ45 cable in the office
    • NAT table entry
    • SprintUG's firewall rules
    • That 5 developers' machines were on the same switch

  Perfect abstraction.

The OSI Model in One Picture

  ┌───────────┬───────────────┬─────────────┬────────────────────┐
  │ OSI LAYER │ NAME          │ DEVICE      │ KEY INFO           │
  ├───────────┼───────────────┼─────────────┼────────────────────┤
  │ 7         │ Application   │ Server/OS   │ HTTP, HTTPS, DNS   │
  │ 6         │ Presentation  │ App         │ Encryption, codec  │
  │ 5         │ Session       │ App         │ Session mgmt       │
  │ 4         │ Transport     │ Firewall    │ TCP/UDP, ports     │
  │ 3         │ Network       │ Router      │ IP, routing        │
  │ 2         │ Data Link     │ Switch      │ MAC, frames        │
  │ 1         │ Physical      │ Cable/Fiber │ Electricity        │
  └───────────┴───────────────┴─────────────┴────────────────────┘

Data Flow (Downward):
  Application creates data (HTTP request)
  → Transport wraps it in TCP (adds port info)
  → Network wraps it in IP (adds IP addresses)
  → Data Link wraps it in an Ethernet frame (adds MACs)
  → Physical transmits bits on the wire

Data Flow (Upward from the wire):
  Physical receives bits
  → Data Link reads the frame, strips Ethernet, checks the MAC
  → Network reads IP, checks the destination IP
  → Transport reads the port, routes to the correct socket
  → Application reads the data, processes it

Each layer adds a "header" with useful info. Each layer only understands its own layer (encapsulation). This abstraction is the genius of networking.

Key Takeaways: The Complete Stack

  • Cables (Layer 1) carry physical signals. RJ45 for short, fiber for long. SFP modules determine reach.
  • Switches (Layer 2) forward frames based on MAC addresses on the same segment. VLANs create logical separation.
  • Routers (Layer 3) forward packets between networks using IP addresses. OSPF and BGP guide these decisions.
  • Firewalls (Layer 4+) enforce security policies. NAT translates IPs. Stateful rules track connections.
  • The apartment building is not just IPs and ports: it's a fully functional network with multiple layers working in concert.
  • Abstraction is everything. The customer doesn't see the 7 layers. They just see a working website. Your job is to understand them all.