Chapter 3. Networking Overview
3.1. How Networking Works
The term Networking refers to the act of moving information from one computer to another. At the most basic level, this is performed by running a cable between two machines, each with network interface cards (NICs) installed.
If you’ve ever studied the OSI networking model, this would be layer 1.
Now, if you want more than two computers to get involved in the conversation, you would need to scale out this configuration by adding a device called a switch. Enterprise switches resemble pizza boxes with multiple Ethernet ports for you to plug in additional machines. By the time you’ve done all this, you have on your hands something that’s called a Local Area Network (LAN).
Switches move us up the OSI model to layer 2, and apply a bit more intelligence than layer 1: each NIC has a unique MAC address assigned to the hardware, and it’s this address that lets machines plugged into the same switch find each other. The switch maintains a list of which MAC addresses are plugged into which ports, so that when one computer attempts to send data to another, the switch knows where they’re both situated. It learns these locations by adjusting entries in the CAM (Content Addressable Memory), which keeps track of MAC-address-to-port mappings.
VLANs allow you to segment network traffic for computers running on the same switch. In other words, you can logically carve up your switch by configuring the ports to be members of different networks — they are basically mini-LANs that allow you to separate traffic for security reasons. For example, if your switch has 24 ports in total, you can say that ports 1-6 belong to VLAN200, and ports 7-18 belong to VLAN201. As a result, computers plugged into VLAN200 are completely separate from those on VLAN201; they can no longer communicate directly, and if they wanted to, the traffic would have to pass through a router as if they were two separate physical switches (which would be a useful way to think of them). This is where firewalls can also be useful for governing which VLANs can communicate with each other.
3.2. Connecting two LANs together
Imagine that you have two LANs running on two separate switches, and now you’d like them to share information with each other. You have two options for configuring this:
- First option: Use 802.1Q VLAN tagging to configure a single VLAN that spans across both physical switches. For this to work, you take a network cable and plug one end into a port on each switch, then you configure these ports as 802.1Q tagged ports (sometimes known as trunk ports). Basically you’ve now configured these two switches to act as one big logical switch, and the connected computers can now successfully find each other. The downside to this option is scalability: you can only daisy-chain so many switches before overhead becomes an issue.
- Second option: Buy a device called a router and plug in cables from each switch. As a result, the router will be aware of the networks configured on both switches. Each end plugged into a switch will be assigned an IP address, known as the default gateway for that network. The "default" in default gateway defines the destination where traffic will be sent if it is clear that the destination machine is not on the same LAN as you. By setting this default gateway on each of your computers, they don’t need to be aware of all the other computers on the other networks in order to send traffic to them. They just send it on to the default gateway and let the router handle it from there. And since the router is aware of which networks reside on which interface, it should have no trouble sending the packets on to their intended destinations. Routing works at layer 3 of the OSI model, and is where the familiar concepts like IP addresses and subnets do their work.
This concept is how the internet itself works. Lots of separate networks run by different organizations are all interconnected using switches and routers. Keep following the right default gateways and your traffic will eventually get to where it needs to be.
Firewalls can filter traffic across multiple OSI layers, including layer 7 (for inspecting actual content). They are often situated in the same network segments as routers, where they govern the traffic moving between all the networks. Firewalls refer to a pre-defined set of rules that prescribe which traffic may or may not enter a network. These rules can become very granular, for example: "VLAN200 may only communicate with computers on VLAN201, and only on a Thursday afternoon, and only if they are sending encrypted web traffic (HTTPS) in one direction".
To help enforce these rules, some firewalls also perform Deep Packet Inspection (DPI) at layers 5-7, whereby they examine the contents of packets to ensure they actually are whatever they claim to be. Hackers are known to exfiltrate data by having the traffic masquerade as something it’s not, so DPI is one of the means that can help mitigate that threat.
3.3. OpenStack Networking (neutron)
These same networking concepts apply in OpenStack, where they are known as Software-Defined Networking (SDN). The OpenStack Networking (neutron) component provides the API for virtual networking capabilities, and includes switches, routers, and firewalls. The virtual network infrastructure allows your instances to communicate with each other and also externally using the physical network. The Open vSwitch bridge allocates virtual ports to instances, and can span across to the physical network for incoming and outgoing traffic.
3.4. Using CIDR format
IP addresses are generally first allocated in blocks of subnets. For example, the IP address range 192.168.100.0 - 192.168.100.255 with a subnet mask of 255.255.255.0 allows for 254 IP addresses (the first and last addresses are reserved).
These subnets can be represented in a number of ways:
Common usage: Subnet addresses are traditionally displayed using the network address accompanied by the subnet mask. For example:
- Network Address: 192.168.100.0
- Subnet mask: 255.255.255.0
Using CIDR format: This format shortens the subnet mask into its total number of active bits. For example, /24 is a shortened representation of 255.255.255.0: it is the count of bits set to 1 when the mask is converted to binary. For example, CIDR format can be used in ifcfg-xxx scripts instead of the
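To make the conversions in this section concrete, the added example below (not part of this chapter or of OpenStack's own code) converts a dotted subnet mask to its CIDR prefix and back, checks the 254 usable addresses quoted above for 192.168.100.0/24, and applies the default-gateway rule from Section 3.2: a destination inside the local subnet is sent directly, anything else goes to the gateway. Host and gateway addresses other than the 192.168.100.0/24 subnet are constructed values.

```python
import ipaddress

# Added example: mask <-> CIDR conversion, the usable-host count for a
# subnet, and the "send direct or to the default gateway" decision a host
# makes. All addresses except 192.168.100.0/24 are constructed samples.


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted-decimal subnet mask.

    The prefix is the number of 1 bits, but only when those bits are
    contiguous from the left; a mask such as 255.0.255.0 is rejected,
    as is any octet outside 0-255.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid subnet mask: {mask}")
    bits = 0
    for o in octets:
        bits = (bits << 8) | o
    prefix = bin(bits).count("1")
    # A valid mask has exactly its top `prefix` bits set and nothing else.
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if bits != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a prefix, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def usable_hosts(network: str) -> int:
    """Assignable addresses in a subnet: network and broadcast are reserved."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def next_hop(local: str, destination: str, gateway: str) -> str:
    """Return 'direct' if destination is on the local LAN, else the gateway."""
    iface = ipaddress.ip_interface(local)  # e.g. "192.168.100.10/24"
    if ipaddress.ip_address(destination) in iface.network:
        return "direct"
    return gateway


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.0"), usable_hosts("192.168.100.0/24"))
    print(next_hop("192.168.100.10/24", "192.168.101.5", "192.168.100.1"))
```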