MisterSpock
12-06-2002, 08:33 PM
There always seems to be discussion on these boards related to hubs and switches. Hopefully, this post will be useful to those having problems.
BACKGROUND
In order to effectively discuss the topic of hubs and switches, a little background is required. Let's start with some of the basics of Ethernet.
ETHERNET
Ethernet is often referred to as a CSMA/CD-based networking protocol. Essentially this is correct. Ethernet, at its roots, is designed to use "contention-based" media access. CSMA/CD is one of several methods used to accomplish "contention-based" media access. CSMA/CD stands for "Carrier Sense, Multiple Access with Collision Detection."
All the stations on the network SHARE (either logically or physically) the same media for networking. Additionally, there is no special mechanism to prioritize or determine which station gets the use of that media. (Remember - even though the media is shared, only one station can transmit on it at one time. If more than one attempt to use it, both stations' messages will be ruined.) Stations must CONTEND for access, and will have a statistical chance to gain sole use of the bandwidth, based on the laws of probability and the number of machines present on the media.
In a CSMA/CD implementation, stations are smart enough to detect if the media is open (available) before transmitting. Additionally, if stations collide, they are smart enough to wait a bit before trying again (through a mechanism known as binary exponential back-off). Thus, once a station "gets" the media (i.e. wins the war of contention), it can send a set of data (known as a frame) with little worry of collisions. Once that frame is complete, the chaos of contention begins again; another winner is determined and another frame is sent. (Note: for the technically inclined: a collision that occurs after a station has won the contention battle can occur. This is called a "late collision" and typically indicates either a defective network card or a network cable that is too long.)
As intuition should indicate, the more stations that fight during the periods of contention (called contention slots), the more of them will collide and have to wait. Also, the lower the relative throughput of the network. This is true. The more stations one adds to an Ethernet-based network, the poorer the performance. While collisions are a natural and inevitable part of an Ethernet network's existence, they do decrease performance. If they become too frequent, action must be taken to reduce their numbers.
Another common question is: "How do machines know if a frame is being sent to them?" They know this because every machine on the network looks at the beginning of every frame sent. They can see every frame on the network because they SHARE the media. This is fundamental to our discussion. They see EVERY frame because all the machines are sharing the same piece of media (either logically or physically). They examine the initial portion of the frame and look to see if the address in the "destination" portion of this frame matches their address. The address used for this determination is called the Media Access Control address - also known as the MAC address. The MAC address is a 48-bit address that is unique (hopefully!) for every station on the network. Every Ethernet card has a MAC address that has been permanently assigned to it by its manufacturer. Fundamentally, stations communicate by sending frames to one another using MAC addresses.
---------------------------------------
NETWORK DEVICES
In a discussion of hubs and switches, it is important to reduce them to their fundamental form. For purposes of this discussion, there are only two fundamental types that are relevant: a REPEATER and a BRIDGE.
REPEATERS
Repeaters are devices with very little brains, so to speak. They are not gifted with the ability to make any decisions whatsoever.
The repeater does not re-time an Ethernet signal. Its purpose in life is to, in effect, "boost" the existing signal so that the overall length of the network can be increased. Whatever frames come in on one port of a repeater are simply blasted out the other port of the repeater, and so forth. The presence of a repeater creates a new network "segment." Both segments see everything that happens on the other segment. The media is still completely shared. The repeater doesn't restrict any traffic whatsoever. (Of course, there are limits to how many repeaters I can add, and how long the overall network length can become, but that is beyond the scope of this message.)
If I have two 10-station segments separated by a repeater, I essentially have a 20-station network. Thus, the overall probability of collisions has increased (20 stations contending vs. only 10 stations contending). As I add repeaters and stations, the probability of collisions goes up, and my throughput goes down.
BRIDGES
Bridges have a brain! Bridges were introduced to help alleviate the problems that come in to play when a network is extended and stations are added.
Unlike repeaters which blindly rebroadcast every packet they see, bridges take a look at the packets themselves. Bridges make forwarding decisions based on the source and destination MAC address of the frames. Because of this, they are often called "Layer 2" devices (the MAC sublayer is defined within layer 2 of the OSI network model).
Bridges connect two segments together. They listen for, and remember (called "learning"), the MAC addresses of the machines on each side.
As they learn more addresses, they make better forwarding decisions. A bridge will NOT forward a frame that has a source and destination address that it knows are both on the same "side" of the bridge. There is no need for the stations on the other side of the bridge to see these frames.
Bridges also "regenerate" and "re-time" the signals on both their ports. Because they don't blindly forward, there is no need for the two segments to be sharing the same timing. This has another cool side effect. Collisions on one side of the bridge do not affect machines on the other! So, not only are un-needed frames not forwarded, but collisions are limited to the segment on which they occur (called a collision domain). These factors improve throughput dramatically!
The only frames that are forwarded by a bridge are:
* Frames with a destination MAC address known to be on the other side of the bridge
* Frames with a destination MAC address that the bridge doesn't know about yet
* Broadcasts
So, when a bridge is introduced, machines no longer see every frame from every machine on the network.
AND HERE IS THE BIG, BAD SECRET:
** Hubs are multiport repeaters **
Every port (physical port) on the hub sees everything sent to and from every other port. Hubs are considered "shared media" devices.
** Switches are multiport bridges **
Each port on the switch has a bridge between it and every other port. Thus, a given port sees a limited amount of traffic. Switches are considered "switched media" devices.
Switches have many benefits over hubs. Obviously, they reduce unnecessary network traffic. They also limit the effects of collisions on other stations. Another neat benefit is that an end-node, when connected directly to a switch, can operate in FULL DUPLEX mode. This means that the device can transmit and receive simultaneously, thus creating an effective doubling of the maximum theoretical throughput. Hubs cannot do this due to collisions, and end devices must operate in half-duplex.
In short -- switches are very cool devices.
-----------------------------------------------------------------
HOW DOES THIS RELATE TO ShowEQ?
ShowEQ uses a technique known as "packet sniffing." Packet sniffing allows the station performing the sniffing to see the contents of every packet that appears on its network interface. (for you purists, technically it should be called "frame sniffing") Normally, the network card itself will look at the destination MAC address of every frame. It will only copy the remaining contents of the frame to its buffer if the destination MAC address matches its own MAC address. However, it is possible to enable a special mode of operation on the network card that forces it to copy, entirely, every frame it sees. This mode of operation is called "Promiscuous Mode" (!).
However, for ShowEQ and its promiscuous network card to see the information for which it is looking (i.e. the frames that contain the packets to and from the EQ box and the EQ server), those frames must be present on the network segment to which it is connected. That is to say -- the SEQ box has to be able to see the frames to and from the EQ machine.
In order to see these frames, guess what? The two machines cannot be separated by a bridge! Why? Bridges make those nifty forwarding decisions. Essentially, the bridge determines that the SEQ box doesn't need to see those frames. After all, it is on the other side of the bridge, and neither the source nor destination MAC address is the SEQ box.
This is why we are always saying you need a HUB not a SWITCH!
(There are a few exceptions to this rule, which will be discussed later)
-------------------------------------------------------------------------
What to buy, what to buy....?
Unless you are using your SEQ machine as a firewall/router, you must have your EQ machine and your SEQ machine plugged in to the same hub.
Not too long ago, switches were the playthings of the well-to-do (corporations). Just about all SOHO-sized networking equipment was hub based. When 100Mbps (Fast Ethernet) became more common, companies were faced with a problem: how to handle the co-existence of 10Mb devices and 100Mb devices on the same network. Even though the protocols were designed to co-exist, they were not made to be co-operational. That is to say -- both of them can exist on the same piece of media, but a given interface operates at one speed OR the other -- not both. If one wants to plug a 10Mb device and a 100Mb device into the same segment and have them communicate, additional circuitry is needed beyond a simple hub. This usually comes in the form of a 2-port switch (aka bridge). One port is connected to the network at 10Mb only, the other at 100Mb only. This trick essentially creates two logical "segments" on one network -- one at 10Mb, one at 100. The switch handles forwarding of frames between the two segments. To the outside world, the two devices can communicate with each other, even though one is at 10Mb, and the other at 100.
All this is really important to understand in the world of hub-based networks. Hubs are too "stupid" (by design) to handle dual speed.
Switches do not have this problem. Because they re-time, make forwarding decisions, respond to flow control requests, and generally have brainpower, their ports can operate at either speed.
Companies produced a variety of devices to handle the dual speed problem. In so doing, they created a few problems as well. This is especially true in the SOHO networking arena. Low-cost switching has been made possible with the creation of some low cost switching ASICs (Integrated Circuits). They don't perform all that well, but they're cheap and for small networks work fairly well. These low-cost switches are becoming very common and show up where you least expect them.
I'll cover the major ones, and comment on how they work with ShowEQ. I'll also cover some alternatives to SOHO gear that are worth consideration.
"DUAL SPEED HUBS"
There are several different ways that dual speed hubs are designed.
The first and most simple method could be called a "two-in-one" combination. Internally, the device contains effectively two separate hubs. One operates at 10Mb, the other at 100Mb, with NO logic between the two. With this style of design, all devices at 10Mb can talk together, and all 100Mb devices can talk together, but without external help (switch), devices of two different speeds cannot talk together. For SEQ these will work just fine if the SEQ box and the EQ box operate at the same speed.
The second method to create a dual speed hub is to start with the same "two-in-one" combination, but to internally add a bridge between the 100Mb hub and the 10Mb hub. This will allow full communication between mixed speed devices. The presence of the switch, however, implies forwarding decisions, so we have to be careful with these where ShowEQ is concerned. With this type of device, if the SEQ and the EQ box are running at the same speed, everything will work properly.
"SINGLE SPEED HUBS"
There are a handful of devices out there that operate at only one speed (typically 10Mb, although there are some 100Mb-only devices out there). As long as they are true hubs, these will work. NOTE -- there are some newer devices out there that are marketed as hubs, but actually use the low-cost switching circuits internally.
"SWITCHING HUBS, SWITCHES, SWITCHPORTS"
These are generally danger signs for ShowEQ operation. There is only ONE way that a switch will work for ShowEQ, and this method is generally available only in commercial-grade switches. If a switch has an option to configure a "monitor port" (or similar name, depending on manufacturer. Nortel calls it "Port Mirroring"), SEQ can work. This option allows the switch to intentionally forward all (or selected) traffic to a given port. If you plug SEQ into the monitor port and direct all traffic from the port to which your SEQ box is connected to the monitor port, SEQ will work.
----------------------------------------
Some alternatives
If you run down to CompUSA, there is an ever growing likelihood that you'll end up with a switch unless you are very careful. Virtually every "Cable/DSL Router" out there comes with a 2, 4, or 8 port switch... Nice for general networking, but bad news for SEQ sniffing. However, there is a plethora of used commercial equipment out there that can be purchased. Commercial equipment has several advantages. It is designed to be durable, it is typically very well documented so you know exactly what you're getting, typically performs better than SOHO gear, and it typically has more than 2, 4, or 8 ports. With some careful shopping, you can get some nice equipment for a song.
If you stick with companies like Nortel (aka Bay Networks), Cisco, Intel, and 3-Com, you can almost certainly find precise documentation on the web so you'll be sure of what you're getting.
Some examples include:
Commercial Class:
* Nortel/Bay 200 and 250-series hubs -- Dual Speed ("two-in-one design") Hub. Will work if SEQ and EQ box are running at the same speed.
* Intel 10/100 Stackable Hub (EE110-series) ("two in one design") dual speed hub. (Available cheap on E-bay all the time)
SOHO-class:
* LinkSys StackPro Workgroup Hub (SPHUB05W) 5-port Dual Speed hub ("two-in-one plus internal bridge design") Will work if the SEQ and EQ boxes run at the same speed.
* Cisco 1538 (Same technology as LinkSys) -- these are going for pocket change on E-Bay.
Switches that would work if you're adventuresome:
* Nortel (Bay) 310,350,410,450-series switches -- Port mirroring option would allow SEQ machine to see packets.
Most Nortel and Cisco switches have this option. I listed ones that sell inexpensively on E-Bay.
------------------------------------------
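The forwarding rules described in the post, as an added example that is not part of the original post: a small Python model of a hub, a learning bridge/switch, and a switch with a mirror port, reporting which frames reach a third (monitoring) port. The MAC addresses, port numbers, class names and frame sequence are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used on the wire."""
    return bytes(int(part, 16) for part in text.split(":"))

def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte type."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def parse_header(frame):
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])  # (dst, src, ethertype)

class Hub:
    """Multiport repeater: every frame leaves on every other port."""
    def __init__(self, ports):
        self.ports = set(ports)

    def receive(self, in_port, frame):
        parse_header(frame)  # length check only; a hub ignores addresses
        return self.ports - {in_port}

class Switch:
    """Multiport learning bridge with an optional mirror (monitor) port."""
    def __init__(self, ports, mirror_port=None, mirrored=()):
        self.ports = set(ports)
        self.table = {}                # source MAC -> port it was seen on
        self.mirror_port = mirror_port
        self.mirrored = set(mirrored)  # ports whose traffic is copied

    def receive(self, in_port, frame):
        dst, src, _ = parse_header(frame)
        self.table[src] = in_port                  # "learning"
        if dst == BROADCAST or dst not in self.table:
            out = self.ports - {in_port}           # broadcast / unknown: flood
        elif self.table[dst] == in_port:
            out = set()                            # same side: do not forward
        else:
            out = {self.table[dst]}                # known: one port only
        touches_mirrored = in_port in self.mirrored or bool(out & self.mirrored)
        if self.mirror_port is not None and touches_mirrored:
            out = out | {self.mirror_port}         # copy to the monitor port
        out.discard(in_port)
        return out

def frames_seen(device, traffic, monitor_port):
    """Indexes of the frames in `traffic` that are delivered to monitor_port."""
    return [i for i, (port, frame) in enumerate(traffic)
            if monitor_port in device.receive(port, frame)]

def demo():
    # Constructed sample: port 1 = EQ box, port 2 = gateway, port 3 = SEQ box.
    pc, gw = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    traffic = [
        (1, build_frame(gw, pc)),                 # 0: gateway not learned yet
        (2, build_frame(pc, gw)),                 # 1: both addresses known
        (1, build_frame(gw, pc)),                 # 2: both addresses known
        (1, build_frame(BROADCAST, pc, 0x0806)),  # 3: broadcast
    ]
    ports = [1, 2, 3]
    return {
        "hub": frames_seen(Hub(ports), traffic, 3),
        "switch": frames_seen(Switch(ports), traffic, 3),
        "mirrored": frames_seen(
            Switch(ports, mirror_port=3, mirrored=[1]), traffic, 3),
    }

if __name__ == "__main__":
    for device, seen in demo().items():
        print(f"{device:9s} monitoring port saw frames {seen}")
```

On the plain switch the monitoring port receives only the frame flooded before the gateway's address was learned and the broadcast; the hub and the mirrored switch deliver all four.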