Academic year 2013-2014
Course Content
Knowledge
Chapter 1: TCP/IP, Name Resolving
Chapter 2: Domain Name System
Chapter 3: Routing & Remote Access
Chapter 4: DHCP & FTP
Chapter 5: Email Service
Chapter 6: WEB Service
Chapter 7: Firewalls
Chapter 8: MPLS & Border Gateway Protocol
Chapter 1
Lessons
Lesson 1: OSI Model
Lesson 2: TCP/IP Protocol Suite
Lesson 3: Basic Commands
Lesson 4: Using Network Monitor
The seven OSI layers:
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data-Link
1 Physical
Each layer has a defined networking function
Each layer communicates with the layer above and below it
Layer seven provides services for programs to gain access to the network
Layers one and two define the network's physical media and related tasks
Layer 1, Physical: Transmission of an unstructured bit stream over a physical link between end systems. Electrical and mechanical specifications; physical data rate; distances; physical connector.
Layer 2, Data-Link: Provides for the reliable transfer of data across a physical link. Frames; physical address; network topology; synchronization; error control; flow control.
Layer 3, Network: Provides connectivity and path selection between two host systems that may be located on geographically separated networks. Packets; virtual circuits; route, routing table, routing protocol; logical address; fragmentation.
Layer 4, Transport: Provides reliable, transparent transfer of data over networks. Segments, data stream, datagram; connection-oriented and connectionless; end-to-end flow control; error detection and recovery; segmentation and reassembly.
Layer 5, Session: Establishes, manages, and terminates sessions between two communicating hosts. Sessions; dialog; conversations; data exchange.
Layer 6, Presentation: Ensures that the information that the application layer of one system sends out is readable by the application layer of another system. Format of data; data structure; data conversion; data compression; data encryption.
Layer 7, Application: The OSI layer that is closest to the user; it provides network services to the user's applications. File transfer; electronic mail; terminal access; word processing; intended communication partners.
Originally developed by the Defense Advanced Research Projects Agency (DARPA) to interconnect various Defense Department computer networks.
TCP/IP
Ipconfig: ipconfig, ipconfig/all, ipconfig/displaydns, ipconfig/displaydns |more
Route: Used to view and modify the entries in the routing table.
Tracert: Used to send ICMP Echo messages to discover the path between a ... node.
Network Monitor:
Captures a sample of network traffic
Uses filters to select specific packets
Decodes the packets in the language of the individual protocols
Compiles network statistics
Chapter 1
Resolving Names
Lessons
Lesson 1: Name Resolution Process
Lesson 2: Managing the ARP Cache
Lesson 3: NETBIOS Name
Lesson 4: Configuring NetBIOS Name Resolution
Lesson 5: Configuring Host Name Resolution
Lesson 6: Static Name Resolution
Lesson 7: Dynamic Name Resolution
IP names
IP addresses might be fine for computers, but humans prefer to use names. For example: http://www.vnn.vn rather than http://203.162.168.130. This is accomplished with either host lookup tables on each machine or a Domain Name Server (DNS).
Overview
Explain what a host name is
Explain what a NetBIOS name is
Figure (labels recovered from the slide): DNS Server Corp01.contoso.msft 192.168.2.102; client 192.168.0.5; Payroll.contoso.msft 192.168.1.5; "Where is the Computer44 file?"; Computer44 192.168.1.200; steps 1, 2 and 3 of the lookup.
View host names and DNS suffixes by using the Ipconfig utility
View host names by using the Hostname utility
View host names by using System Properties
Rename a computer
Overview
The Types of Names Computers Use
What Is NetBIOS?
What Is a NetBIOS Name?
What Is NetBT?
Types of NetBT Nodes
What Is Nbtstat?
The two types of names computers use: NetBIOS names and host names.
What is NETBIOS
Figure (labels recovered from the slide): NetBIOS applications sit above the NetBIOS interface; NetBIOS maps onto the OSI session and transport layers, above the TCP/IP transport, Internet and link layers; example host Server2.
NetBIOS is an API
Operates at the session and transport layers of the OSI protocol stack
Establishes names, sessions and data transfer
NETBIOS Name
Example names from the slide: Payroll <00>, Payroll <20>, Corp1 <00>, Corp1 <20>
16-byte name
16th character is a 1-byte hexadecimal identifier
Used for the name of a computer or the name of a service running on the computer
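As an added example (not code from the course slides), the following Python builds the 16-byte name described above and encodes it the way NetBT carries it in its packets (the RFC 1001/1002 first-level encoding, which the slides do not cover); the <00> and <20> suffixes are the two shown on the slide.

```python
# Added example, not code from the course slides: build the 16-byte NetBIOS
# name from the slide and encode/decode it in the form NetBT carries in its
# packets (RFC 1001/1002 first-level encoding: each byte becomes two letters,
# 'A' + high nibble and 'A' + low nibble).

# The two 16th-byte suffixes shown on the slide
SUFFIX_WORKSTATION = 0x00   # <00>: computer (workstation service) name
SUFFIX_FILE_SERVER = 0x20   # <20>: file server service name


def netbios_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: up to 15 characters padded with spaces, then a
    one-byte identifier for the computer or service."""
    name = name.upper()
    if len(name) > 15:
        raise ValueError("NetBIOS names hold at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_first_level(raw: bytes) -> str:
    """32-character wire form: byte b -> chr('A' + (b >> 4)) chr('A' + (b & 15))."""
    if len(raw) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    out = []
    for b in raw:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_first_level(encoded: str) -> tuple:
    """Inverse of encode_first_level; returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi = ord(encoded[i]) - ord("A")
        lo = ord(encoded[i + 1]) - ord("A")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded: str) -> str:
    """Render as NAME<suffix>, the way the slide and nbtstat show it."""
    name, suffix = decode_first_level(encoded)
    return f"{name}<{suffix:02X}>"


if __name__ == "__main__":
    for host, suffix in (("Payroll", SUFFIX_WORKSTATION), ("Payroll", SUFFIX_FILE_SERVER),
                         ("Corp1", SUFFIX_WORKSTATION), ("Corp1", SUFFIX_FILE_SERVER)):
        wire = encode_first_level(netbios_name(host, suffix))
        print(f"{describe(wire):<20} {wire}")
```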
What is NetBT
Figure (labels recovered from the slide): NetBIOS applications at the application layer; NetBT between NetBIOS and the transport and Internet layers of TCP/IP; example host Salescomputer2.
Runs on top of the TCP/IP network protocol
Supports discovery, registration and release of NetBIOS names
Uses broadcast or a NetBIOS name server, depending on node type
What is Nbtstat
Overview
NetBIOS Name Resolution Process NetBIOS Name Cache How to View and Release the NetBIOS Name Cache Broadcasts Lmhosts File
The NetBIOS name resolution process is configurable. The default order, in which the client is configured to query a WINS server and to use Lmhosts lookup, is as follows:
1. NetBIOS name cache
2. WINS server
3. Send to the local network as a broadcast
4. Local Lmhosts file
NetBIOS Name Cache
The first place that the NetBIOS redirector searches for an IP address to map a NetBIOS name. Resolves IP addresses more quickly than a WINS server, broadcast, or Lmhosts file. Does not create network traffic.
Nbtstat can:
View the contents of the local computer's NetBIOS name cache
Release the NetBIOS name cache and reload the #PRE-tagged entries in the local Lmhosts file
Display and view the NetBIOS name table of the local computer
Broadcasts
Local broadcasts are network messages, sent from a single computer, that are distributed to all other devices on the same segment of the network as the sending computer
Figure (labels recovered from the slide): NetBIOS redirector, broadcast, router; a broadcast on the local segment is answered, a broadcast for a remote network fails at the router.
1. The NetBIOS redirector sends out a local broadcast
2. If the resource is on the local network, the broadcast is answered and an IP address is returned
3. If the resource is on a remote network, then the broadcast will not pass through the router
Lmhosts File
An Lmhosts file is a local text file that maps NetBIOS names to IP addresses for hosts that are not located on the local subnet
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname  \0x14"                    #special app server
# 102.54.94.123    popular       #PRE                  #source server
# 102.54.94.117    localsrv      #PRE                  #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
Overview
The Host Name Resolution Process
Client Resolver Cache
How to View and Flush the Client Resolver Cache
Hosts File
How to Preload the Client Resolver Cache by Using a Hosts File
Ipconfig and the client resolver cache:
Display a client resolver cache by using the Ipconfig command
Flush a client resolver cache by using the Ipconfig command
Hosts File
The Hosts file is a static file that is maintained on the local computer and that is used to load host name-to-IP address mappings into the client resolver cache.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
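As an added example (not code from the course slides), the following Python parses both file formats shown above, the LMHOSTS syntax with its #PRE, #DOM: and #INCLUDE keywords and the quoted-name form that sets the 16th byte, and the simpler HOSTS syntax, and then performs the preload step the Lmhosts lesson describes (only #PRE entries go into the NetBIOS name cache). Both sample files are constructed for this example.

```python
import ipaddress
import re

# Added example, not code from the course slides: a parser for the LMHOSTS and
# HOSTS formats, plus the "preload" step that reloads #PRE entries into the
# NetBIOS name cache (what the Lmhosts lesson calls reloading #PRE-tagged
# entries). Both samples are constructed in the syntax of the slides' excerpts.
SAMPLE_LMHOSTS = r"""
# '#' starts a comment, except for the keywords #PRE, #DOM:, #INCLUDE,
# #BEGIN_ALTERNATE and #END_ALTERNATE.
102.54.94.97     rhino                   #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \0x14"                        #special app server
102.54.94.123    popular                 #PRE                  #source server
102.54.94.117    localsrv                #PRE                  #needed for the include
102.54.94.200    salescomputer2                                #plain entry

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
"""

SAMPLE_HOSTS = r"""
# Sample HOSTS file: address, host name, optional aliases; '#' is a comment.
102.54.94.97     rhino.acme.com    rhino   # source server
38.25.63.10      x.acme.com                # x client host
127.0.0.1        localhost
"""


def _netbios_name(field: str) -> tuple:
    """Name field -> (NAME, suffix). A quoted name may end in \0xNN, which sets
    the 16th byte explicitly; otherwise the suffix is 0x00."""
    suffix = 0x00
    if field.startswith('"') and field.endswith('"'):
        inner = field[1:-1]
        m = re.search(r"\\0x([0-9A-Fa-f]{2})$", inner)
        if m:
            suffix = int(m.group(1), 16)
            inner = inner[: m.start()]
        field = inner.rstrip(" ")
    name = field.upper()
    if len(name) > 15:
        raise ValueError(f"NetBIOS name longer than 15 characters: {name!r}")
    return name, suffix


def parse_lmhosts(text: str) -> dict:
    """Return {'entries': [...], 'includes': [...]}. Included files are only
    recorded, not fetched (the real redirector reads them over the network)."""
    entries, includes = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#INCLUDE\s+(\S+)", line, re.I)
            if m:
                includes.append(m.group(1))
            continue                      # comment or #BEGIN_/#END_ALTERNATE
        m = re.match(r'(\S+)\s+("[^"]*"|\S+)(.*)$', line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        ip = ipaddress.IPv4Address(m.group(1))    # rejects malformed addresses
        name, suffix = _netbios_name(m.group(2))
        rest = m.group(3)
        dom = re.search(r"#DOM:(\S+)", rest, re.I)
        entries.append({"ip": str(ip), "name": name, "suffix": suffix,
                        "preload": re.search(r"#PRE\b", rest, re.I) is not None,
                        "domain": dom.group(1) if dom else None})
    return {"entries": entries, "includes": includes}


def preload_cache(parsed: dict) -> dict:
    """Only #PRE entries go into the NetBIOS name cache; keyed by (name, suffix)."""
    return {(e["name"], e["suffix"]): e["ip"] for e in parsed["entries"] if e["preload"]}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname, [aliases]) tuples for the client resolver cache."""
    result = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected an address and a host name")
        ip = ipaddress.ip_address(fields[0])       # IPv4 or IPv6
        result.append((str(ip), fields[1].lower(), [a.lower() for a in fields[2:]]))
    return result


if __name__ == "__main__":
    for (name, suffix), ip in preload_cache(parse_lmhosts(SAMPLE_LMHOSTS)).items():
        print(f"{name}<{suffix:02X}> -> {ip}")
    for ip, host, aliases in parse_hosts(SAMPLE_HOSTS):
        print(f"{host} {aliases} -> {ip}")
```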
Overview
Using an Lmhosts File
Guidelines for Configuring a Client to Use Lmhosts
Using a Hosts File
Lmhosts lookup example from the slide: "What is the IP address for london?" is answered from the Lmhosts file entries
127.0.0.1 localhost
131.107.34.1 router
192.168.2.200 london
giving 192.168.2.200.
Hosts lookup example from the slide: "What is the IP address for s1?" is answered on the client as 172.30.45.121.
Overview
What Is WINS?
What Is DNS?
The DNS Suffix
What is WINS
NetBIOS name registration query (figure labels recovered from the slide: Payroll, WINS Server, "?", "OK"):
1. Queries a WINS server
2. Determines if the name is in use or not
3. If not in use, then registers the NetBIOS name and associated IP address
What is DNS
FQDN example from the slide: printserver.contoso.com. (the trailing dot is the root)
Root domain: . (root)
Parent domain: contoso
Child domain: accounts
Hosts: printserver, payroll
DNS suffix and FQDN:
corp05.contoso.com. = host name corp05 + DNS suffix contoso.com
corp01.sales.contoso.com. = host name corp01 + DNS suffix sales.contoso.com
Figure (labels recovered from the slide; the step numbering was lost): the sources a client consults when resolving a name: DNS name cache, Hosts file, DNS server, WINS server, broadcast, Lmhosts file.
Practice
1. Identify a MAC address
2. View the ARP cache and then modify it
3. Determine and then change the NetBT node type of a client computer
4. Resolve names
Practice
1. Use Ipconfig to manage the DNS client cache
2. Configure a client to resolve names using DNS
3. Configure host name resolution
4. Configure NetBIOS name resolution
Practice
1. How to add an entry to the client Lmhosts file
2. How to add an entry to the client Hosts file
3. How to preload a NetBIOS name cache by using an Lmhosts file
4. How to preload the client resolver cache by using a Hosts file
Chapter 2
Lessons
Lesson 1: Domain Name System (DNS)
Lesson 2: Configuring the Properties for the DNS Server Service
Lesson 3: Configuring DNS Zones
Lesson 4: Configuring DNS Zone Transfers
Lesson 5: Configuring DNS Dynamic Updates
Lesson 6: Configuring a DNS Client
Lesson 7: Delegating Authority for Zones
Overview
What is DNS
DNS Hierarchy
What is a Domain Namespace
What is InterNIC
History of DNS
The Role of DNS in the Network Infrastructure
Standards for DNS Naming
Install the DNS Server Service
What is DNS
Domain Name System (DNS) is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses
DNS is the foundation of the Internet naming scheme and the foundation of an organization's naming scheme
DNS supports accessing resources by using alphanumeric names
InterNIC is responsible for delegating administrative responsibility for portions of the domain namespace and for registering domain names
DNS was designed to solve issues that arose when there was an increase in the:
Number of hosts on the Internet
Traffic generated by the update process
Size of the Hosts file
DNS Hierarchy
DNS is organized into hierarchical domains DNS Root Servers are positioned at the top of the DNS hierarchy. They maintain data about each of the top-level zones.
Top-level domain servers exist for arpa, com, edu, etc. Local name servers are maintained by individual organizations.
Figure (labels recovered from the slide): second-level domain nwtraders; subdomains west, south, east; sales under south; host server1. FQDN: server1.sales.south.nwtraders.com
The domain namespace is a hierarchical naming tree that DNS uses to identify and locate a given host in a given domain relative to the root of the tree.
Domain: in DNS, any tree or subtree within the overall domain namespace.
Root domain: the root node of the DNS tree.
Top-level domain: stated as a two- or three-character name code that identifies either organizational or geographical status. This is the highest-level domain in the Internet's DNS hierarchy.
Second-level domain: the level immediately beneath the top-level domain in the Internet's DNS hierarchy. This is a unique name that InterNIC formally registers to an individual or organization that connects to the Internet.
Subdomain: a subdivision of a larger domain. For example, mail.yahoo.com is a subdomain of yahoo.com.
What is InterNIC
InterNIC is the Internet Network Information Center.
The InterNIC manages the root, or the highest level, of the domain namespace.
Go to http://www.internic.net for more information about InterNIC.
History of DNS
DNS began in the early days of the Internet; it was introduced in 1984 as the new naming system.
Overview
What are the Components of a DNS Solution
What is a DNS Query
How Recursive Queries Work
How a Root Hint Works
How Iterative Queries Work
How Forwarders Work
How DNS Server Caching Works
How to Configure the Properties for the DNS Server Service
Figure (labels recovered from the slide): Computer1 (172.16.64.11) sends a recursive query for mail1.nwtraders.com to the local DNS server; the DNS server checks its forward lookup zone and cache (its database) for an answer; the root (.), the com and edu top-level domains, and the microsoft and nwtraders.com domains are shown as the tree walked in steps 1, 2 and 3.
Caching is the process of temporarily storing recently accessed information in a special memory subsystem for quicker access
Overview
How DNS Data Is Stored and Maintained
What Are Resource Records and Record Types
What Is a DNS Zone
What Are DNS Zone Types
How to Change a DNS Zone Type
What Are Forward and Reverse Lookup Zones
How to Configure Forward and Reverse Lookup Zones
Example from the slide: resource records for the zone training.nwtraders.msft map the host names DNS ClientA, DNS ClientB and DNS ClientC to the IP addresses 192.168.2.45, 192.168.2.46 and 192.168.2.47.
A resource record (RR) is a standard DNS database structure containing information used to process DNS queries.
A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace.
Record types and their descriptions:
A: Resolves a host name to an IP address
PTR: Resolves an IP address to a host name
SOA: The first record in any zone file
SRV: Resolves names of servers providing services
NS: Identifies the DNS server for each zone
MX: The mail server
CNAME: Resolves from a host name to a host name
Figure (labels recovered from the slide): domain tree Nwtraders with South, West and North, and Sales, Support and Training.
DNS zone types:
Primary
Secondary (read-only)
Stub
Zone transfer between a source server and a destination (secondary) server:
1. SOA query for a zone
2. SOA query answered
3. IXFR or AXFR query for a zone
4. IXFR or AXFR query answered (zone transfer)
DNS notify: the source server tells the secondary server that the zone has changed, which starts the same sequence.
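As an added example (not code from the course), the following Python models the decision a secondary server makes after steps 1 and 2 above, whether to request nothing, an IXFR or an AXFR in step 3, and the way a DNS notify feeds into it. The serial comparison uses RFC 1982 serial-number arithmetic so that a serial that has wrapped past 2^32 still counts as newer; the constructed serials and the query_master_soa callback are assumptions of this example.

```python
# Added example, not code from the course: the decision a secondary server
# makes after steps 1-2 (SOA query and answer) when choosing step 3.
# Serial comparison uses RFC 1982 serial-number arithmetic, so a serial that
# has wrapped past 2^32 still counts as newer; a plain a > b comparison
# would silently stop transfers after a wrap.

SERIAL_SPACE = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if SOA serial a is newer than b (RFC 1982 'greater than')."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def decide_transfer(local_serial, master_serial, ixfr_supported, master_has_history) -> str:
    """'none', 'IXFR' or 'AXFR'. local_serial is None when the secondary has no
    copy of the zone yet (the first load must be a full AXFR)."""
    if local_serial is None:
        return "AXFR"
    if not serial_gt(master_serial, local_serial):
        return "none"               # our copy is current; nothing to transfer
    if ixfr_supported and master_has_history:
        return "IXFR"               # incremental: only the changes since local_serial
    return "AXFR"                   # master cannot produce a delta: full copy


def on_notify(local_serial, query_master_soa, ixfr_supported=True):
    """DNS notify handling: a notify is only a hint, so the secondary still
    runs steps 1-2 (query the master's SOA) before deciding on step 3.
    query_master_soa() is an assumed callback returning (serial, has_history)."""
    master_serial, has_history = query_master_soa()
    return master_serial, decide_transfer(local_serial, master_serial,
                                          ixfr_supported, has_history)


if __name__ == "__main__":
    # Constructed serials in the common YYYYMMDDnn style.
    print(decide_transfer(2013100501, 2013100502, True, True))     # IXFR
    print(decide_transfer(2013100501, 2013100501, True, True))     # none
    print(decide_transfer(0xFFFFFFFF, 5, True, False))             # AXFR: serial wrapped
```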
Overview
What Are Dynamic Updates
How DNS Clients Register and Update Their Own Resource Records by Using Dynamic Updates
How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates
How to Configure DNS Manual and Dynamic Updates
What Is an Active Directory-Integrated DNS Zone
How Active Directory-Integrated DNS Zones Use Secure Dynamic Updates
How to Configure Active Directory-Integrated DNS Zones to Allow Secure Dynamic Updates
A dynamic update is the process of a DNS client dynamically creating, registering, or updating its records in zones that are maintained by DNS servers that can accept and process messages for dynamic updates. A manual update is the process of an administrator manually creating, registering, or updating the resource record.
Dynamic update enables DNS client computers to interact automatically with the DNS server to register and update their own resource records. Organizations that have dynamic changes can benefit from the dynamic method of updating DNS resource records. Organizations may benefit from manual update if they:
Are in a smaller environment that has few changes to their resource records
Have isolated instances, such as when a larger organization chooses to control every address on every host
How a DNS client registers its own resource records (figure labels: DNS Server, Resource Records):
1. Client sends SOA query
2. DNS server sends zone name and server IP address
3. Client verifies existing registration
4. DNS server responds by stating that registration does not exist
5. Client sends dynamic update to DNS server
How a DHCP server registers records on behalf of clients (figure labels recovered from the slide: Windows XP and Windows 2000 clients, Windows Server 2003 running DHCP, IP address lease, DHCP downlevel client):
1. DHCP client makes an IP lease request
2. DHCP server grants the IP lease
3. DHCP server automatically generates the client's FQDN
4. Using dynamic update, the DHCP server updates the DNS forward and reverse records for the client
A down-level client is a DHCP client running Windows NT 4.0 or earlier. Down-level clients are unable to register or update their resource records in DNS on their own
Administrators can configure DHCP servers running Windows Server 2003 and Windows 2000 to update DNS client resource records for the following client types:
Any down-level DHCP clients that do not request dynamic updates
Any DHCP client, including those that are running Windows XP and
Using the dynamic update protocol, the DHCP server updates the:
DNS forward (A) name for the client
DNS reverse (PTR) name for the client
appending the domain name that is defined for the DHCP scope to the client name. The client name is obtained from the DHCPREQUEST message that the client sends.
When the client updates its own forward record:
1. The DHCP server grants an IP lease
2. The client connects to the DNS server to update the A record for itself
3. The DHCP server updates the DNS reverse (PTR) name for the client
To manually create a DNS resource record, you need to add a host (A) resource record to a forward lookup zone
Configure Active Directory-integrated DNS zones to allow secure dynamic updates
Configure security on an Active Directory-integrated DNS zone
1. The preferred DNS server is the one that the client tries first
2. If the preferred server fails, the client tries the alternate DNS server
4. The preferred and alternate DNS servers specified on the Properties page automatically appear at the top of this list, and preferred and alternate servers are queried in the order they are listed
Overview
What Is Delegation of a DNS Zone?
How to Delegate a Subdomain to a DNS Zone
Example zone from the slide: training.nwtraders.msft
Delegation is the process of assigning authority over child domains in your DNS namespace to another entity by adding records in the DNS database
Practice
1. Install the DNS Server service
2. Configure DNS zones
3. Resolve host names by using DNS
4. Configure a DNS client
Practice
1. Update root hints on a DNS server
2. Configure a DNS server to use a forwarder
3. Clear the DNS server cache by using the DNS console
4. Clear the DNS server cache by using the DNSCmd command
Practice
1. Configure a forward lookup zone on a primary zone type
2. Configure a forward lookup stub zone
3. Configure a forward lookup zone on a secondary zone type
4. Configure a reverse lookup zone on a primary zone type and a secondary zone type
Practice
1. Configure a DNS server running Windows Server 2003 to accept dynamic updates of DNS resource records
2. Configure a Windows XP Professional client to dynamically update its DNS resource records in DNS
3. Configure a DHCP server running Windows Server 2003 to dynamically update DNS resource records in DNS on behalf of DHCP clients
4. Manually create a DNS resource record
Practice
1. Configure the properties for the DNS Server service
2. How to configure forward and reverse lookup zones
3. How to configure DNS manual and dynamic updates
Practice
1. Configure DNS dynamic updates
2. How to delegate a sub-domain to a DNS zone
3. How to change a DNS zone type
4. How to configure a DNS zone transfer and DNS notify
Chapter 3
Lessons
Lesson 1: Basic Concepts
Lesson 2: Routing
Lesson 3: Routing and Remote Access on Windows 2003 Server
Lesson 4: Configuring Packet Filters
Overview
Using a Default Gateway
What is a Router
How the Computer Determines Whether an IP Address is a Local or Remote Address
What is a Router
A router is an intermediate system at the network layer that is used to connect networks together based on a common network layer protocol.
Router types:
Hardware router: a device that performs routing as a dedicated function
Software router: a router that is not dedicated to performing routing only, but performs routing as one of multiple processes running on the router computer
Figure (labels recovered from the slide): routers A, B, C and D; communication path A-C-D.
How the computer determines whether an IP address is local or remote:
The local and destination hosts' IP addresses are each ANDed with their subnet masks (1 AND 1 = 1; other combinations = 0).
If the AND results of the source and destination hosts match, the destination is local.
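As an added example (not code from the course), the following Python applies the AND test above to a constructed routing table laid out like the output of route print, and goes one step further than the slide by showing how the IP protocol then selects a route (longest prefix match, lowest metric on a tie, default route last). The host address 192.168.1.10 and all routes are constructed for this example.

```python
import ipaddress

# Added example, not code from the course: the AND test applied to a
# constructed routing table (destination, netmask, gateway, interface, metric)
# laid out like "route print" output, followed by route selection: longest
# prefix match, lowest metric on a tie, default route (0.0.0.0/0.0.0.0) last.
LOCAL_IP = "192.168.1.10"                       # constructed host address
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1", LOCAL_IP,    20),  # default gateway
    ("127.0.0.0",   "255.0.0.0",     "on-link",     "127.0.0.1",  1),
    ("192.168.1.0", "255.255.255.0", "on-link",     LOCAL_IP,    21),  # local subnet
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.2", LOCAL_IP,    25),
    ("10.20.5.0",   "255.255.255.0", "192.168.1.3", LOCAL_IP,    25),  # more specific
]


def anded(addr: str, mask: str) -> str:
    """Bitwise AND of an address with a subnet mask: 1 AND 1 = 1, anything else 0."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def is_local(local_ip: str, dest_ip: str, mask: str) -> bool:
    """The slide's test: equal AND results mean the destination is on the local subnet."""
    return anded(local_ip, mask) == anded(dest_ip, mask)


def prefix_length(mask: str) -> int:
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def select_route(dest_ip: str, routes=ROUTES):
    """Return (next_hop, interface, 'network/mask') or None if no route matches.
    For an on-link route the next hop is the destination itself (delivered
    directly on the local segment); otherwise it is the route's gateway."""
    best_key, best = None, None
    for net, mask, gateway, iface, metric in routes:
        if anded(dest_ip, mask) != net:
            continue                                   # route does not cover dest_ip
        key = (prefix_length(mask), -metric)           # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, (net, mask, gateway, iface)
    if best is None:
        return None
    net, mask, gateway, iface = best
    next_hop = dest_ip if gateway == "on-link" else gateway
    return next_hop, iface, f"{net}/{mask}"


if __name__ == "__main__":
    for dest in ("192.168.1.77", "10.20.5.9", "10.20.9.1", "8.8.8.8"):
        print(dest, "local" if is_local(LOCAL_IP, dest, "255.255.255.0") else "remote",
              select_route(dest))
```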
Lesson 2: Routing
Overview
The Role of Routing in the Network Infrastructure
What is a Routing Interface
What is a Routing Protocol
What Is Static and Dynamic Routing
What is a Routing Table
How the IP Protocol Selects a Route
Objectives:
Describe how routing fits into the network infrastructure
Explain the difference between local and remote routing
Describe how the Microsoft routing solution fits into the network infrastructure
Figure (labels recovered from the slide): Subnet 1, Router A, Subnet 2, Router B, Subnet 3.
Chapter 4
Lessons
Lesson 1: What is DHCP
Lesson 2: Adding and Authorizing a DHCP Server Service
Lesson 3: Configuring a DHCP Scope and DHCP Reservation
Lesson 4: DHCP Options
Lesson 5: Configuring a DHCP Relay Agent
Lesson 6: Configuring a client
Lesson 7: Using Alternate Configuration
Lesson 8: Managing a DHCP Database
Lesson 9: Monitoring DHCP
Lesson 10: Applying Security Guidelines for DHCP
DHCP lease process (figure labels recovered from the slide): DHCP Server 1 holds a DHCP database with IP Address1 leased to DHCP Client1, IP Address2 leased to DHCP Client2 and IP Address3 available to be leased.
1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP server 1 broadcasts a DHCPACK packet
A DHCPOFFER packet
This is a message that DHCP servers use to offer the lease of an IP address to a DHCP client.
If the client does not receive an offer after four requests, it uses an IP address in the reserved range 169.254.0.1 to 169.254.255.254.
A DHCPACK packet
This is a message that a DHCP server sends to a client to acknowledge and complete a client's request for leased configuration. This message contains a valid lease for the IP address and other IP configuration data.
Important
DHCP uses User Datagram Protocol (UDP) ports 67 and 68.
Lease renewal between the DHCP client and DHCP Server1:
1. After 50% of the lease duration has expired, the DHCP client sends a DHCPREQUEST packet; DHCP Server1 sends a DHCPACK packet.
2. If the client fails to renew its lease after 50% of the lease duration has expired, then the DHCP lease renewal process will begin again after 87.5% of the lease duration has expired.
3. If the client fails to renew its lease after 87.5% of the lease duration has expired, then after 100% of the lease duration has expired the DHCP lease generation process starts over, with the DHCP client broadcasting a DHCPDISCOVER.
The DHCP client will also attempt to renew its IP address lease each time that the computer restarts.
DHCP authorization (figure labels recovered from the slide: DHCP Client, DNS Server, DHCP Server1, DHCP Server2, Unauthorized):
1. DHCP Server1 checks with the domain controller to obtain a list of authorized DHCP servers.
2. If DHCP Server1 finds its IP address on the list, the service starts and supports DHCP clients.
3. DHCP Server2 checks with the domain controller to obtain a list of authorized DHCP servers.
4. If DHCP Server2 does not find its IP address on the list, the service does not start and does not support DHCP clients.
The DHCP client receives its IP address from the authorized DHCP Server1.
DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients
DHCP Scope
A scope is a range of IP addresses that are available to be leased.
Figure (labels recovered from the slide): one DHCP server serving LAN A from Scope A and LAN B from Scope B.
Scope properties:
Network ID: The network ID for the range of IP addresses.
Subnet mask: The subnet mask for the network ID.
Network IP address range: The range of IP addresses that are available to clients.
Lease duration: The period of time that the DHCP server holds a leased IP address for a client before removing the lease.
Router: A DHCP option that allows DHCP clients to access remote networks.
Scope name: An alphanumeric identifier for administrative purposes.
Exclusion range: The range of IP addresses in the scope that are excluded from being leased.
Configure a DHCP scope: IP address range, subnet mask, IP address exclusions, lease duration interval, scope options.
Superscope
A superscope expands the number of IP network addresses that you can use in a network. A superscope allows several distinct scopes to be logically grouped under a single name.
You must have at least one scope before creating a superscope.
Multicast Scope
A multicast scope is a group of IP multicast network addresses that are distributed to other computers in a network. The valid IP address range is 224.0.0.0 to 239.255.255.255.
DHCP Reservation
A reservation is a specific IP address, within a scope, that is permanently reserved for leased use to a specific DHCP client.
Figure (labels recovered from the slide): Workstation 1 and Workstation 2 on Subnet A, File and Print Server on Subnet B; the DHCP server's database shows IP Address1 leased to Workstation 1, IP Address2 leased to Workstation 2, IP Address3 reserved for the File and Print Server.
Information in a reservation:
Reservation name: Name that the administrator assigns.
IP address: IP address from the scope for the client.
MAC address: Client's media access control (MAC) address (entered without hyphens).
Description: Description that the administrator assigns.
Supported type: DHCP reservation, Boot Protocol (BOOTP) reservation, or both.
DHCP Options
DHCP options are configuration parameters that a DHCP service assigns to clients along with the IP address and subnet mask.
DHCP client IP configuration data:
Client's IP address
Client's subnet mask
DHCP options such as: router's IP address, DNS server's IP address, WINS server's IP address, DNS domain name
Levels at which options are assigned:
Scope level
Class level (user and vendor): available to clients that identify themselves as belonging to a particular class
Reserved client level
DHCP relay agent (figure labels recovered from the slide): Client1, Client2 and Client3 running Windows XP on Subnet B, a router acting as the relay agent, and the DHCP server with Scope B on the other subnet.
1. Client1 broadcasts a DHCPDISCOVER packet
2. Relay agent forwards the DHCPDISCOVER message to the DHCP server
3. Server sends a DHCPOFFER message to the DHCP relay agent
4. Relay agent broadcasts the DHCPOFFER packet
5. Client1 broadcasts a DHCPREQUEST packet
6. Relay agent forwards the DHCPREQUEST message to the DHCP server
7. Server sends a DHCPACK message to the DHCP relay agent
8. Relay agent broadcasts the DHCPACK packet
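As an added example (not code from the course), the following Python builds and parses DHCP messages in their RFC 2131 wire format and walks through the first half of the lease process described in this chapter: a DHCPDISCOVER, what the relay agent does to it before forwarding (fills giaddr and bumps the hop count, which the server echoes back so the reply can return through the relay), the server's DHCPOFFER, and the 50% and 87.5% renewal points of the lease. The server address 192.168.1.5, relay address 192.168.2.1, offered address 192.168.2.50 and client MAC 00-11-22-33-44-55 are all constructed for this example.

```python
import ipaddress
import struct

# Added example, not code from the course: DHCP messages in RFC 2131 wire
# format for DISCOVER -> OFFER, the relay agent's giaddr/hops handling, and
# the T1 (50%) / T2 (87.5%) renewal points from the lease renewal slide.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
OPT_SUBNET, OPT_ROUTER, OPT_LEASE, OPT_MSGTYPE, OPT_SERVERID, OPT_END = 1, 3, 51, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the magic cookie


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build_message(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=()):
    """Fixed header, magic cookie, TLV options, END. The broadcast flag is set,
    as a client that has no address yet needs it."""
    header = struct.pack(HEADER_FMT, op, 1, len(chaddr), hops, xid, 0, 0x8000,
                         packed("0.0.0.0"), packed(yiaddr), packed("0.0.0.0"),
                         packed(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_message(data: bytes) -> dict:
    """Header fields plus an options dict; truncated or unterminated option
    lists raise instead of being read past the end of the buffer."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    msg = {"op": op, "hops": hops, "xid": xid, "chaddr": data[28:28 + hlen],
           "yiaddr": str(ipaddress.IPv4Address(data[16:20])),
           "giaddr": str(ipaddress.IPv4Address(data[24:28])), "options": {}}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return msg
        if code == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("option list has no END option")


def message_type(msg: dict) -> str:
    return MSG_TYPES.get(msg["options"].get(OPT_MSGTYPE, b"\0")[0], "unknown")


def lease_seconds(msg: dict) -> int:
    return struct.unpack("!I", msg["options"][OPT_LEASE])[0]


def renewal_times(lease: int) -> tuple:
    """T1: renew with the leasing server at 50%; T2: rebind by broadcast at 87.5%."""
    return lease // 2, lease * 7 // 8


def relay_forward(data: bytes, relay_ip: str) -> bytes:
    """Relay agent: set giaddr to its own address (if still 0.0.0.0) and add a hop
    before unicasting the client's broadcast to the DHCP server."""
    msg = parse_message(data)
    giaddr = relay_ip if msg["giaddr"] == "0.0.0.0" else msg["giaddr"]
    return data[:3] + bytes([msg["hops"] + 1]) + data[4:24] + packed(giaddr) + data[28:]


def offer_for(discover: bytes, server_ip: str, offered_ip: str, lease: int, scope_options) -> bytes:
    """Server side of step 2: answer a DHCPDISCOVER with a DHCPOFFER that echoes
    xid, chaddr and giaddr so the reply can travel back through the relay."""
    d = parse_message(discover)
    if d["op"] != BOOTREQUEST or message_type(d) != "DHCPDISCOVER":
        raise ValueError("expected a DHCPDISCOVER")
    opts = [(OPT_MSGTYPE, b"\x02"), (OPT_SERVERID, packed(server_ip)),
            (OPT_LEASE, struct.pack("!I", lease))] + list(scope_options)
    return build_message(BOOTREPLY, d["xid"], d["chaddr"], yiaddr=offered_ip,
                         giaddr=d["giaddr"], hops=d["hops"], options=opts)


if __name__ == "__main__":
    # Constructed exchange: client MAC 00-11-22-33-44-55 behind relay 192.168.2.1.
    disc = build_message(BOOTREQUEST, 0x3903F326, bytes.fromhex("001122334455"),
                         options=[(OPT_MSGTYPE, b"\x01")])
    offer = offer_for(relay_forward(disc, "192.168.2.1"), "192.168.1.5", "192.168.2.50", 28800,
                      [(OPT_SUBNET, packed("255.255.255.0")), (OPT_ROUTER, packed("192.168.2.1"))])
    o = parse_message(offer)
    print(message_type(o), o["yiaddr"], "via", o["giaddr"], renewal_times(lease_seconds(o)))
```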
Static: addresses that are manually assigned and do not change over time
Dynamic: addresses that are automatically assigned for a specific length of time and may be changed
Renewing an IP Address (figure labels recovered from the slide: DHCP Client, lease-holding DHCP server, DHCP server, non-DHCP server, DHCPREQUEST (unicast), DHCPREQUEST (broadcast), DHCPACK, Yes/No):
1. The DHCP client sends a DHCPREQUEST (unicast) to the lease-holding DHCP server; if that server answers with a DHCPACK, the lease is renewed.
2. If there is no answer, the client sends a DHCPREQUEST (broadcast) that reaches all DHCP servers; a DHCP server answers with a DHCPACK, a non-DHCP server does not.
Practice
1. Configure a DHCP scope
2. Configure a DHCP reservation
3. Configure DHCP options
4. Add and authorize a DHCP Server service
Practice
1. Configure a DHCP Relay Agent
2. Identify and resolve common issues when allocating IP addressing by using DHCP
Practice
1. Assign an IP address to a client (static IP, dynamic IP)
2. Release and renew an IP address
3. Configure an alternate configuration
4. Disable APIPA
Overview
Managing DHCP
What Is a DHCP Database?
How a DHCP Database Is Backed Up and Restored
How To Back Up and Restore a DHCP Database
How a DHCP Database Is Reconciled
How To Reconcile a DHCP Database
Managing DHCP
The DHCP service needs to be managed to reflect changes in the network and the DHCP server. Scenarios for managing DHCP:
Managing DHCP database growth
Protecting the DHCP database
Ensuring DHCP database consistency
Adding clients
Adding new network service servers
Adding new subnets
Backup and restore (figure labels recovered from the slide): the DHCP database is backed up to a backup location and to offline storage, and can be restored from either.
In the event that the server hardware fails, the administrator can restore only from the offline storage location.
Apply guidelines when backing up and restoring a DHCP database
Configure a DHCP database backup path
Manually back up a DHCP database to the backup directory on a local drive
Manually restore a DHCP database from the backup directory on a local drive
Reconciling the DHCP database (figure labels recovered from the slide): example, summary information, detailed information, reconciled DHCP database, create an active lease entry.
Prepare to reconcile a DHCP database
Reconcile all scopes in a DHCP database
Reconcile a scope in a DHCP database
Overview
What Are DHCP Statistics?
How to View DHCP Statistics
What is a DHCP Audit Log File?
How DHCP Audit Logging Works
How to Monitor DHCP Server Performance by Using the DHCP Audit Log
Guidelines for Monitoring DHCP Server Performance
Common Performance Counters for Monitoring DHCP Server Performance
Guidelines for Creating Alerts for a DHCP Server
DHCP statistics represent statistics collected at either the server level or scope level since the DHCP service was last started.
Enable DHCP statistics to automatically refresh
View DHCP server statistics
View DHCP scope statistics
How DHCP audit logging works (figure label from the slide: 12:00 am, when the daily log file rolls over). Disk checks ensure both the ongoing availability of server disk space and that the current audit log file does not become too large or grow too rapidly.
How to Monitor DHCP Server Performance by Using the DHCP Audit Log
In these procedures, you will learn how to:
Enable and configure DHCP audit logging
View the DHCP audit log
Common performance counters:
Active queue length: monitor for increases, both sudden and gradual, which could reflect increased load or decreased server capacity
Duplicates dropped/second: monitor for any activity, which could indicate that more than one request is being transmitted on behalf of clients
Guidelines for creating alerts:
Define the acceptable level that a DHCP counter can rise above or fall below before creating an alert
Use scripts with your alerts
Overview
Guidelines for Restricting an Unauthorized User from Obtaining a Lease
Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses
Guidelines for Restricting Who Can Administer the DHCP Service
Guidelines for Securing the DHCP Database
Guidelines for Restricting an Unauthorized User from Obtaining a Lease
To restrict an unauthorized user from obtaining a lease:
Ensure that unauthorized persons do not have physical or wireless access to your network
Enable audit logging for every DHCP server on your network
Regularly check and monitor audit log files
Use 802.1X-enabled LAN switches or wireless access points to control access to the network
Chapter 4: FTP
Chapter 4
Lessons
Lesson 1: Introduction to FTP
Lesson 2: Setting up an FTP Server
Lesson 3: Using FTP
Lesson 4: Securing FTP Service
What is FTP ?
Short for File Transfer Protocol, FTP is the protocol for exchanging files over the Internet. FTP works in the same way as HTTP for transferring Web pages from a server to a user's browser and SMTP for transferring electronic mail across the Internet: like these technologies, FTP uses the Internet's TCP/IP protocols to enable data transfer. FTP is most commonly used to download a file from a server using the Internet or to upload a file to a server, for example to upload a Web page file to a server.
Figure (labels recovered from the slide): FTP client and FTP server communicating over the Internet; protocol stack: FTP at the application layer, Transport (TCP, UDP), Internet (ARP, IP, IGMP, ICMP), link (Ethernet, ATM).
Confusion
FTP is a TCP-based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports:
Command port: 21 (also known as the control port)
Data port: 20
The confusion begins, however, when we find that depending on the mode, the data port is not always on port 20. One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them.
FTP modes:
Active mode (Active FTP)
Passive mode (Passive FTP)
Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20. From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (client initiates connection)
FTP server's port 21 to ports > 1024 (server responds to client's control port)
FTP server's port 20 to ports > 1024 (server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (client sends ACKs to server's data port)
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server; it simply tells the server what port it is listening on, and the server connects back to the specified port on the client. From the client-side firewall's standpoint this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.
Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
Passive FTP
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
Summary
The following chart should help admins remember how each FTP mode works:
Active FTP:
command: client > N -> server (Port: 21)
data: client > N <- server (Port: 20)
Passive FTP:
command: client > N -> server (Port: 21)
data: client > N -> server > N
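The two modes differ only in how the data endpoint is announced on the control channel and which side then opens the data connection. The script below is an added example (not part of the course slides): it builds and parses the h1,h2,h3,h4,p1,p2 argument that FTP uses in the PORT command and in the 227 reply to PASV, and reports who connects to whom in each mode. All addresses and ports are constructed sample values.

```python
"""Active vs. passive FTP: how the data-channel endpoint travels on the
control channel and which side opens the data connection.

Added example (not from the course slides).  Addresses and ports are
constructed sample values.
"""
import re
from typing import Dict, Optional, Tuple


def encode_port_argument(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 form used by PORT and echoed in a 227 reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_port_argument(arg: str) -> Tuple[str, int]:
    """Inverse of encode_port_argument; rejects malformed input instead of guessing."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("expected six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be 0..255")
    return ".".join(parts[:4]), nums[4] * 256 + nums[5]


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." is the server's answer to PASV.
PASV_REPLY = re.compile(r"^227 [^(]*\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Extract the server's data endpoint (P > 1024) from a 227 reply."""
    m = PASV_REPLY.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return decode_port_argument(m.group(1))


def data_connection(mode: str, client_ip: str, client_port: int,
                    server_ip: str, server_port: Optional[int] = None) -> Dict[str, str]:
    """Describe the data connection for one mode: who initiates, who listens,
    and the control-channel message that announced the endpoint."""
    if mode == "active":
        # Client listens on N+1 and sends PORT; the server connects back from port 20.
        return {"initiator": f"{server_ip}:20",
                "listener": f"{client_ip}:{client_port}",
                "control_msg": "PORT " + encode_port_argument(client_ip, client_port)}
    if mode == "passive":
        # Server listens on a random port P and tells the client; the client connects from N+1.
        if server_port is None:
            raise ValueError("passive mode needs the server's data port")
        return {"initiator": f"{client_ip}:{client_port}",
                "listener": f"{server_ip}:{server_port}",
                "control_msg": "227 Entering Passive Mode ("
                               + encode_port_argument(server_ip, server_port) + ")"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    for mode in ("active", "passive"):
        print(mode, data_connection(mode, "192.168.1.10", 1025, "10.0.0.5", 50009))
```

Note how the active-mode listener sits on the client: that is the connection a client-side firewall sees as unsolicited inbound traffic, which is why passive mode is the usual answer behind NAT or stateful filters.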
Add/Remove Programs
Windows Components
Installing IIS
IIS Manager
FTP Administration
FTP
AceFTP
Permissions
Chapter 5
EMAIL SERVICE
PROTOCOLS IN A MAIL SYSTEM. BASIC CONCEPTS. SOME COMMON MAIL SYSTEMS. MAIL SERVER PROGRAMS. INSTALLING EXCHANGE SERVER 2003. CONFIGURING EXCHANGE MAIL SERVER. INTRODUCTION TO EXCHANGE SYSTEM MANAGER. STARTING THE EXCHANGE SERVICES. MANAGING MAIL ACCOUNTS. ADMINISTRATIVE GROUP. MICROSOFT OUTLOOK WEB ACCESS. SETTING POLICIES FOR THE MAIL SYSTEM. MANAGING PUBLIC FOLDERS AND MAILBOXES. ESSENTIAL MAIL UTILITIES.
The SMTP protocol. The X.400 protocol. The POP protocol. The IMAP protocol.
The SMTP command set:
helo <sending-host>
Mail from:<from-address>
Rcpt to:<to-address>
Data
Quit
To use these commands, open a telnet session to the SMTP port:
TELNET <MAILHOST> 25
Example: telnet 172.29.14.10 25
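The telnet session above is easier to read when each command is paired with the reply code the server sends back. The following is an added example (not from the course slides and not Exchange code): a small server-side SMTP state machine that enforces the command order the slides list (HELO, MAIL FROM, RCPT TO, DATA, QUIT) and answers with the standard reply codes, plus a scripted client session run against it. Host names and addresses are constructed sample values.

```python
"""Minimal SMTP server-side state machine with a scripted client session.

Added example (not from the course slides).  Host names and addresses are
constructed sample values.
"""
from typing import List, Optional, Tuple


def _angle_addr(arg: str, prefix: str) -> Optional[str]:
    """Parse 'FROM:<addr>' / 'TO:<addr>'; return the address or None if malformed."""
    if not arg.upper().startswith(prefix):
        return None
    rest = arg[len(prefix):].strip()
    if not (rest.startswith("<") and rest.endswith(">")):
        return None
    return rest[1:-1]


class SmtpSession:
    """One control connection.  Replies follow RFC 5321 codes: 2xx success,
    354 start mail input, 5xx permanent error (503 = bad command sequence)."""

    def __init__(self, hostname: str = "mail.example.test"):
        self.hostname = hostname
        self.helo: Optional[str] = None
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.in_data = False
        self.body: List[str] = []
        self.delivered: List[Tuple[str, List[str], str]] = []   # (sender, rcpts, body)

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> Optional[str]:
        """Process one client line; return the reply, or None while reading DATA."""
        if self.in_data:
            if line == ".":                     # end of message
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 OK: queued"
            # Dot-unstuffing: a body line that starts with "." was sent with an extra ".".
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.helo = arg
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Error: send HELO first"
            addr = _angle_addr(arg, "FROM:")
            if addr is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender, self.recipients = addr, []   # "<>" (null sender) is allowed
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            addr = _angle_addr(arg, "TO:")
            if not addr:
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"


def run_session(commands: List[str]) -> Tuple[List[Tuple[str, str]], SmtpSession]:
    """Feed the client lines to a fresh session; return the transcript and the session."""
    session = SmtpSession()
    transcript = [("S", session.greeting())]
    for cmd in commands:
        transcript.append(("C", cmd))
        reply = session.handle(cmd)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, session


def reply_codes(commands: List[str]) -> List[int]:
    """The numeric codes of every server reply, in order."""
    transcript, _ = run_session(commands)
    return [int(text.split()[0]) for who, text in transcript if who == "S"]


# Constructed sample session, the same dialogue one would type into telnet.
SAMPLE_SESSION = [
    "HELO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    ".. leading dot",          # client dot-stuffed a line that begins with "."
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for who, text in run_session(SAMPLE_SESSION)[0]:
        print(f"{who}: {text}")
```

Running it prints the S:/C: transcript; try sending RCPT before MAIL to see the 503 sequence error, which is what a real server returns when the commands are typed out of order.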
Diagram illustrating the store-and-forward technique and the direct delivery mechanism in a mail system.
The commands in the two protocols POP2 and POP3 are not the same, but both perform the same basic functions:
check the user's login name and password; transfer the user's mail from the server to the user's mail reading system (mail client).
BASIC CONCEPTS
Mail User Agent (MUA): the program used to read and compose mail.
Mail Transfer Agent (MTA): the program that transfers mail between mail servers using the SMTP protocol; it receives mail from the MUA and then relays it to another MTA.
Mailbox: the file that stores all of a user's mail. When mail arrives for a user, the local server's mail handling program delivers it into the mailbox.
Mail alias: delivers to the same person through several mail addresses; delivers to several people through a single mail address.
Organization diagram
BASIC CONCEPTS
Mail Gateway: a machine that connects networks using different protocols, or different networks that share the same protocol.
Mail Host: the intermediate component that transfers mail between locations that are not directly connected; it resolves the recipient address in order to forward the mail to the corresponding mail server or gateway.
Mail Server: holds users' mailboxes; receives mail from the Mail Host and places it in the user's mailbox; supports POP/IMAP so that users can download mail to their local machine through a POP/IMAP-capable mail client.
Mail Client: the program used to read and compose mail; it integrates the SMTP and POP/IMAP protocols.
Operating system (OS); memory; disk space; file system.
In addition to the software requirements, the following system services must also be installed: Microsoft .NET Framework; Microsoft ASP.NET; World Wide Web service; Simple Mail Transfer Protocol (SMTP) service; Network News Transfer Protocol (NNTP) service.
Installation procedure
Demo
Starting the Exchange services. Introduction to Exchange System Manager. Managing mail accounts. Administrative groups. Configuring and using OWA. Setting mail delivery rules. Managing public folders and mailboxes. Essential Exchange Server utilities.
Account management
Creating a mail account (see demo). Exchange uses the system account as the mail account; each user has exactly one account, identified by a username and a password. A user's e-mail address has the form <username>@<domain>.
Accessing the properties of a mail account (see demo): Exchange General; Email Addresses; Exchange Features; Exchange Advanced.
Some account tasks (see demo): Create mailbox; Move mailbox; Delete mailbox; Configure Exchange Features; Remove Exchange Attributes.
Introduction to the main components of Exchange System Manager (see demo):
Global Settings Recipients Administrative Groups Tools
Administrative group: a group of Exchange objects that share a certain set of permissions. Through an administrative group one grants rights to use public folders, sets storage policies, and manages the mailbox servers within the same site. Its contents: Routing group; System policy; Public folder.
Routing group
Routing group: a group of Exchange servers connected point-to-point with one another, forming a message topology that specifies how mail is transferred between the Exchange servers.
Connectors are used to link the Exchange servers together into a message routing topology; these connectors include the SMTP connector and the X.400 connector. A routing group is a child component of an administrative group and is always created inside one.
Managing the Mailbox Store: provides a mechanism for managing and monitoring users' mail storage (see demo).
Monitor user logons. Monitor and collect statistics on each user's mailbox. Delete a user's mailbox. Mount and dismount the mailbox store. Set storage limits for mailboxes.
Questions and answers
Chapter 06
WEB SERVICE
INTRODUCTION TO THE WEB SERVICE. CONFIGURING THE WEB SERVICE
INTRODUCTION TO THE HTTP PROTOCOL. WEB SERVER AND HOW IT WORKS. WEB CLIENT. DYNAMIC WEB. STATIC WEB. INTRODUCTION TO IIS 6.0. INSTALLING THE IIS 6.0 WEB SERVICE. CONFIGURING THE IIS 6.0 WEB SERVICE
HTTP is a protocol that allows web browsers and servers to communicate with one another; it standardizes the basic operations that a web server must be able to perform.
HTTP mainly uses two methods, GET and POST. The default HTTP port is 80. Information returned from the server follows the syntax of the HTML language. The current version is HTTP 1.1.
WEB CLIENT
The web browsing program on the user's side, such as Internet Explorer or Netscape, that displays web pages to the user.
The web client can perform some simple operations on a web page: execute client-side scripts such as JavaScript and VBScript; cache objects and images for web pages; integrate security features.
DYNAMIC WEB
Diagram of how a dynamic web page works
INTRODUCTION TO IIS 6.0
IIS 6.0 is built on Windows 2003; it provides several new features that improve reliability, manageability and security. The main components of IIS 6.0:
HTTP.sys: manages TCP connections, places HTTP requests into queues, and caches responses in memory.
WWW Service Administration and Monitoring Component.
Worker process: handles requests and returns the results for the web application.
Application components:
Application Pool: a group of applications that share a worker process.
ASP.NET: provides services for building and deploying web applications and XML Web services.
Application Pool
A group of applications that share one worker process (W3wp.exe). An application pool lets you tune virtual memory recycling, worker process recycling, performance settings (request queue, CPU) and health settings. (demo)
Creating a Web Site
Some information must be prepared when creating a web site:
The web site name (for example: www.domain). The type of content of the web site:
For a dynamic site, which language it is written in (ASP, ASP.NET, PHP, ...); where the dynamic site's database is stored; how the dynamic site connects to its database.
Creating a virtual directory
Virtual Directory:
The purpose of a virtual directory in a web site is to map a resource from a physical directory path to a URL path, through which the resource can be accessed via a web browser.
Creating Web Hosting
Web hosting: the technique of maintaining multiple web sites on one web server.
To identify each web site, the web server must rely on parameters such as:
Host header name. IP address. Port number.
Grant Everyone FULL permission on the forum directory. Create an Application Pool for the forum and grant script execution permission.
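The two IIS mechanisms described above, site selection by (IP address, port, host header) and the virtual directory mapping from URL path to physical path, can be modelled in a few lines. The following is an added example (not IIS code and not from the course slides): it parses the head of an HTTP/1.1 request, picks the site from the binding table, and resolves the URL path through the site's virtual directories, normalizing the path first so that `..` segments cannot reach outside the mapped directory. Site names, addresses and directory paths are constructed sample values.

```python
"""Host-header site selection and virtual-directory path mapping.

Added example, not IIS code and not from the course slides.  Site names,
addresses and directory paths are constructed sample values.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class Site:
    name: str
    root: str                                                   # physical home directory
    virtual_dirs: Dict[str, str] = field(default_factory=dict)  # URL prefix -> physical dir


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]


def parse_request_head(raw: str) -> Request:
    """Parse the request line and headers of an HTTP/1.x request head."""
    lines = raw.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line")
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":                      # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return Request(method, target, version, headers)


# Binding key: (listening IP, port, host header name); "" means any host header.
SITES: Dict[Tuple[str, int, str], Site] = {
    ("192.0.2.10", 80, "www.site-a.test"): Site("site-a", "/srv/site-a/wwwroot",
                                                {"/docs": "/srv/shared/docs"}),
    ("192.0.2.10", 80, "www.site-b.test"): Site("site-b", "/srv/site-b/wwwroot"),
    ("192.0.2.11", 8080, ""): Site("intranet", "/srv/intranet/wwwroot"),
}


def select_site(local_ip: str, local_port: int, req: Request) -> Optional[Site]:
    """Exact (ip, port, host) binding first, then an (ip, port) binding with no host name."""
    host = req.headers.get("host", "").split(":")[0].lower()
    return SITES.get((local_ip, local_port, host)) or SITES.get((local_ip, local_port, ""))


def resolve_path(site: Site, target: str) -> str:
    """Map a request target to a physical path.  The URL path is decoded and
    normalized before the mapping is chosen, so '..' cannot escape the
    directory it is mapped to."""
    url_path = posixpath.normpath(unquote(urlsplit(target).path))
    if not url_path.startswith("/"):
        raise ValueError("request path must be absolute")
    base_url, base_dir = "/", site.root            # site root unless a virtual dir matches
    for prefix, physical in site.virtual_dirs.items():
        if (url_path == prefix or url_path.startswith(prefix + "/")) and len(prefix) > len(base_url):
            base_url, base_dir = prefix, physical  # longest matching prefix wins
    rel = url_path[len(base_url):].lstrip("/")
    physical = posixpath.normpath(posixpath.join(base_dir, rel)) if rel else base_dir
    if physical != base_dir and not physical.startswith(base_dir + "/"):
        raise ValueError("resolved path escapes the mapped directory")
    return physical


def handle(local_ip: str, local_port: int, raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, physical path or None) for one request head."""
    try:
        req = parse_request_head(raw)
    except ValueError:
        return 400, None
    if req.method not in ("GET", "POST"):
        return 501, None
    site = select_site(local_ip, local_port, req)
    if site is None:
        return 404, None
    try:
        return 200, resolve_path(site, req.target)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    print(handle("192.0.2.10", 80, "GET /docs/guide.html HTTP/1.1\r\nHost: www.site-a.test\r\n\r\n"))
```

Two sites on the same address and port are told apart only by the Host header, so an HTTP/1.1 request without one is rejected with 400 rather than silently served from the first site; the intranet binding shows the opposite case, where the IP and port alone identify the site.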
Questions and answers
Chapter 7
PROXY SERVICE
Introduction to firewalls. Firewall overview. Firewall architecture. Firewall classification and operating principles. Introduction to ISA software. Installing ISA 2004. Configuring ISA 2004. Default policies. Configuring the Web Proxy. Changing the properties of an access rule. Publishing network services. Publish Web Server. Publish Mail Server. Publish server. Checking and setting up application filters. Creating application filters. Setting up Web filters. Detecting and blocking some types of attacks. Introduction to some security tools. Download Security. Surfcontrol Web Filter. Setting up Network Rules. Setting up Cache; managing and monitoring traffic.
The job of a FIREWALL
Control network traffic. Allow only the necessary traffic to pass through the firewall.
Application gateway
A type of firewall designed to strengthen control over the kinds of services, based on the protocols that are allowed to access the network; an application gateway operates on the proxy service model. Combining packet filtering with the proxying mechanism of an application gateway provides more secure and flexible protection, especially when controlling access from outside. The drawback of a packet filter built on the proxy service model is that applications today evolve very quickly, so if the proxies cannot keep up with the applications, the security risk increases.
It is Microsoft's Internet sharing (proxy and firewall) software. The latest version is ISA 2004. ISA 2004 has the following advantages:
Efficient operation. Stable. Easy to configure. Good firewall setup. Fast network access thanks to intelligent caching. Scheduled cache. Multi-networking. VPN setup. Application layer filtering.
Installing ISA 2004
Installation requirements:
Component: Recommended requirement
Processor (CPU): Intel or AMD 500 MHz or faster.
Operating system (OS): Windows 2003 or Windows 2000 (Service Pack 4).
Memory: 256 MB, or 512 MB for systems not using Web caching; 1 GB for Web-caching ISA firewalls.
Disk: the disk ISA is installed on must use the NTFS file system, with at least 150 MB reserved for ISA.
Network: at least one network card (two NICs are recommended).
An ISA firewall is usually deployed on a dual-homed host (a server with two Ethernet cards) or a multi-homed host (a server with several network cards); this means the ISA server can carry out all of its features, such as ISA Firewall, SecureNAT, Server Publishing Rules, VPN, and so on.
Allow routing between the VPN/VPN-Q networks and the Internal network. Allow NAT between the Internal network and the External network. Only Administrators may change the ISA firewall's security policy.
Protocol. Source address (from). Destination address (to). Accessing users (Users). Access schedule (Schedule). Content types accessed (Content Types).
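An access rule is matched on all of the elements listed above at once, and the first matching rule in the ordered policy decides; anything unmatched falls through to the default deny. The following is an added example (not ISA code and not from the course slides): a toy rule engine with exactly those six elements, evaluated against constructed sample requests. Rule names, network ranges, users and the schedule are constructed sample values.

```python
"""Ordered, first-match access rules keyed on protocol, source, destination,
user, schedule and content type, with a default deny.

Added example (not ISA code and not from the course slides).  Rule names,
networks, users and the schedule are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Sequence, Tuple

# Named networks as a firewall would define them; "External" is everything else.
NETWORKS = {
    "Internal": [ip_network("10.10.0.0/16")],
    "External": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Schedule:
    weekdays: Sequence[int]      # 0 = Monday ... 6 = Sunday
    hours: Tuple[int, int]       # [start, end) on a 24-hour clock

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.hours[0] <= when.hour < self.hours[1]


ALWAYS = Schedule(range(7), (0, 24))


@dataclass
class AccessRule:
    name: str
    action: str                         # "allow" or "deny"
    protocols: Sequence[str]            # ("*",) matches every protocol
    src: Sequence[str]                  # network names
    dst: Sequence[str]
    users: Sequence[str]                # ("*",) matches every user
    schedule: Schedule = ALWAYS
    content_types: Sequence[str] = ("*",)


@dataclass
class Request:
    protocol: str
    src_ip: str
    dst_ip: str
    user: str
    when: datetime
    content_type: str = ""


def in_networks(ip: str, names: Sequence[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in net for name in names for net in NETWORKS[name])


def matches(rule: AccessRule, req: Request) -> bool:
    """Every element of the rule must match; a rule is a conjunction, not a list of options."""
    return (("*" in rule.protocols or req.protocol in rule.protocols)
            and in_networks(req.src_ip, rule.src)
            and in_networks(req.dst_ip, rule.dst)
            and ("*" in rule.users or req.user in rule.users)
            and rule.schedule.contains(req.when)
            and ("*" in rule.content_types or req.content_type in rule.content_types))


def evaluate(policy: Sequence[AccessRule], req: Request) -> Tuple[str, str]:
    """First matching rule decides; no match falls through to the default deny."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample policy: a deny placed before the allow it narrows.
POLICY = [
    AccessRule("Block executables", "deny", ("HTTP",), ("Internal",), ("External",), ("*",),
               content_types=("application/x-msdownload", "application/octet-stream")),
    AccessRule("Web access (work hours)", "allow", ("HTTP", "HTTPS"), ("Internal",), ("External",),
               ("*",), Schedule(range(5), (8, 18))),
    AccessRule("Admins any time", "allow", ("*",), ("Internal",), ("External",), ("admin",)),
]

MONDAY_10 = datetime(2024, 1, 8, 10, 0)      # a Monday inside work hours
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)   # a Saturday

SAMPLE_REQUESTS = {
    "alice web, Monday":    Request("HTTP", "10.10.1.5", "203.0.113.7", "alice", MONDAY_10, "text/html"),
    "alice web, Saturday":  Request("HTTP", "10.10.1.5", "203.0.113.7", "alice", SATURDAY_10, "text/html"),
    "admin web, Saturday":  Request("HTTP", "10.10.1.5", "203.0.113.7", "admin", SATURDAY_10, "text/html"),
    "alice exe, Monday":    Request("HTTP", "10.10.1.5", "203.0.113.7", "alice", MONDAY_10,
                                    "application/x-msdownload"),
    "inbound from outside": Request("HTTP", "198.51.100.9", "10.10.1.5", "alice", MONDAY_10, "text/html"),
}


def demo() -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(POLICY, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision}")
```

Rule order matters: the content-type deny sits above the broad allow, so it can never be shadowed, and the inbound request from outside matches no rule at all and is stopped by the default deny.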
[Figure: Web server publishing topology. Internal Network with the published Web Server (www.vnn.vn); ISA external adapter 131.107.3.1 facing the Internet.]
Steps to create a published server
The ISA firewall performs two important functions: stateful filtering and stateful application layer inspection.
Stateful filtering: inspects and filters at the network and transport layers; stateful filtering is usually called stateful packet inspection. Stateful application layer inspection: requires the firewall to be able to fully inspect information at all communication layers, including the most important one, the application layer of the OSI reference model.
Setting up application filters (Application Filtering). Setting up Web filters. Detecting and preventing attacks.
By default the system creates network rules that establish mechanisms such as routing (route) between two networks and address translation (NAT): Local Host Access: routes traffic from the local host to the internal network. VPN Client to Internal Network: routes traffic from VPN clients to the Internal network. Internet Access: NAT from the Internal network out to the Internet.
Setting up Cache
Caching: the technique of storing objects downloaded from the Internet so that they can be reused for later requests.
Advantages of caching:
Faster Internet access for users. Reduced load on the Internet link. Improved availability of web content.
Forward caching: a technique to reduce load on the Internet link by storing frequently accessed Internet web objects on the internal network, so that local users can use these objects without sending a request to the Internet server. Reverse caching: a technique to reduce load on the local link and speed up web access for external users when the company hosts its own web site on the internal network; frequently requested objects on the local web server are cached at the network edge on the proxy server, so that external users get faster access.
Setting up Cache (continued)
Questions and answers
Chapter 08
Objectives
Describe the MPLS conceptual model with data and control planes, and describe the function of the MPLS label
Describe how labels are allocated and distributed in a frame mode MPLS network, and describe how IP packets cross an MPLS network
Describe the steps that are required to successfully implement MPLS
Explain the evolution of MPLS VPNs, and describe MPLS VPN routing and packet flow
Table of Content
1. Introducing MPLS Networks
2. Assigning MPLS Labels to Packets
3. Implementing Frame Mode MPLS
4. Describing MPLS VPN Technology
Lesson 01
Objectives
Identify the elements of the MPLS conceptual model
Describe the router switching mechanisms
Describe the MPLS data and control planes
Identify the structure of an MPLS label and its format
Explain the function of different types of LSRs in MPLS networks
Explain the interactions between the control plane and the data plane in an LSR that enable the basic functions of label switching and forwarding of labeled packets to occur
VPN Topologies
MPLS is a switching mechanism in which packets are forwarded based on labels. Labels usually correspond to IP destination networks (equal to traditional IP forwarding). Labels can also correspond to other parameters:
Layer 3 VPN destination
Layer 2 circuit
Outgoing interface on the egress router
QoS
Source address
MPLS was designed to support forwarding of non-IP protocols as well.
Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels.
MPLS Architecture
Control plane:
Exchanges routing information and labels
Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP
Exchanges labels, such as LDP, BGP, and RSVP
Data plane:
Forwards packets based on labels
Has a simple forwarding engine
MPLS Labels
MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol. MPLS uses a 32-bit label field that is inserted between Layer 2 and Layer 3 headers (frame mode MPLS). MPLS over ATM uses the ATM header as the label (cell mode MPLS).
Label Format
Label Stack
Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header. Bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header. Receiving router uses the top label only.
LSR primarily forwards labeled packets (swap label).
Edge LSR:
Labels IP packets (impose label) and forwards them into the MPLS domain
Removes labels (pop label) and forwards IP packets out of the MPLS domain
Functions of LSRs
Data plane
Summary
MPLS is a switching mechanism that uses labels to forward packets. The result of using labels is that only edge routers perform a routing lookup; all the core routers simply forward packets based on labels assigned at the edge. MPLS consists of two major components: control plane and data plane. MPLS uses a 32-bit label field that contains label, experimental field, bottom-of-stack indicator, and TTL field. LSR is a device that forwards packets primarily based on labels. Edge LSR is a device that labels packets or removes labels from packets. Exchange routing information and exchange labels are part of the control plane, while forward packets is part of the data plane.
Lesson 02
Objectives
Identify how label allocation is performed in a frame mode MPLS network
Identify how labels are distributed in a frame mode MPLS network
Explain how the LFIB table is populated
Identify packet propagation across an MPLS network
Describe how PHP improves MPLS performance by eliminating routing lookups on egress LSRs
Label allocation and distribution in a frame mode MPLS network follows these steps:
1. IP routing protocols build the IP routing table.
2. Each LSR assigns a label to every destination in the IP routing table independently.
3. LSRs announce their assigned labels to all other LSRs.
4. Every LSR builds its LIB, LFIB, and FIB data structures based on the received labels.
Note: Label allocation, label imposing, label swapping, and label popping usually happen in the service provider network, not the customer (enterprise) network. Customer routers will never see a label.
IP routing protocols are used to build IP routing tables on all LSRs. FIBs are built based on IP routing tables, initially with no labeling information.
Allocating Labels
Every LSR allocates a label for every destination in the IP routing table. Labels have local significance. Label allocations are asynchronous.
LIB and LFIB structures have to be initialized on the LSR allocating the label. Untagged action will remove the label from the frame and the router will send a pure IP packet.
The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.
Every LSR stores the received label in its LIB. Edge LSRs that receive the label from their next hop also store the label information in the FIB.
Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.
Every LSR stores received information in its LIB. LSRs that receive their label from their next-hop LSR will also populate the IP forwarding table.
Router B has already assigned a label to network X and created an entry in the LFIB. The outgoing label is inserted in the LFIB after the label is received from the next-hop LSR.
PHP optimizes MPLS performance (one less LFIB lookup). The pop or implicit null label uses a reserved value when being advertised to a neighbor.
Double lookup is not an optimal way of forwarding labeled packets. A label can be removed one hop earlier.
A label is removed on the router before the last hop within an MPLS domain.
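The label format from Lesson 01 and the allocation, LFIB and PHP behaviour described in this lesson can be exercised together on a three-router chain. The following is an added example (not from the course slides and not vendor code): it packs and unpacks the 32-bit label stack entry (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL), then forwards one packet from an ingress edge LSR through a core LSR to the egress, once with the egress advertising the implicit-null label (PHP) and once with a normal label, counting the IP and label lookups each router performs. Router names, label values and the destination prefix are constructed sample values.

```python
"""MPLS label stack encoding and frame mode forwarding through a small LSR
chain, with and without penultimate hop popping (PHP).

Added example (not from the course slides and not vendor code).  Router
names, label values and the prefix are constructed sample values; label 3
is the reserved implicit-null value that signals PHP to the upstream LSR.
"""
import struct
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 64) -> bytes:
    """Pack one 32-bit stack entry: label (20 bits) | EXP (3) | S (1) | TTL (8)."""
    if not 0 <= label < 2 ** 20 or not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_label(entry: bytes) -> Tuple[int, int, bool, int]:
    (word,) = struct.unpack("!I", entry)
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def decode_stack(frame: bytes) -> Tuple[List[int], bytes]:
    """Walk entries until the bottom-of-stack bit; return labels (top first) and the payload."""
    labels, offset = [], 0
    while offset + 4 <= len(frame):
        label, _, bos, _ = decode_label(frame[offset:offset + 4])
        labels.append(label)
        offset += 4
        if bos:
            return labels, frame[offset:]
    raise ValueError("no bottom-of-stack entry")


class LSR:
    """FIB: prefix -> (outgoing label or None, next hop or None for local delivery).
    LFIB: incoming label -> (action, outgoing label, next hop); a pop with no next
    hop means the packet is re-examined locally as a plain IP packet."""

    def __init__(self, name: str, fib: Optional[Dict] = None, lfib: Optional[Dict] = None):
        self.name = name
        self.fib: Dict[str, Tuple[Optional[int], Optional[str]]] = fib or {}
        self.lfib: Dict[int, Tuple[str, Optional[int], Optional[str]]] = lfib or {}
        self.ip_lookups = 0
        self.label_lookups = 0


def build_chain(php: bool) -> Tuple[Dict[str, LSR], str]:
    """A (ingress edge) -> B (core) -> C (egress edge), labels for one prefix.
    C allocates its local label for the prefix and advertises it upstream to B;
    B builds its LFIB entry from that: swap to C's label, or pop if C sent implicit null."""
    prefix = "10.99.0.0/16"
    label_c = IMPLICIT_NULL if php else 21   # C's advertised label
    label_b = 20                              # B's local label, advertised to A
    a = LSR("A", fib={prefix: (label_b, "B")})
    if label_c == IMPLICIT_NULL:
        b = LSR("B", lfib={label_b: ("pop", None, "C")})
        c = LSR("C", fib={prefix: (None, None)})
    else:
        b = LSR("B", lfib={label_b: ("swap", label_c, "C")})
        c = LSR("C", fib={prefix: (None, None)}, lfib={label_c: ("pop", None, None)})
    return {"A": a, "B": b, "C": c}, prefix


def forward(routers: Dict[str, LSR], ingress: str, prefix: str,
            payload: bytes = b"IP packet") -> List[str]:
    """Carry one packet from the ingress LSR to local delivery; return a hop trace."""
    trace: List[str] = []
    stack: List[int] = []
    router = routers[ingress]
    while True:
        if not stack:
            router.ip_lookups += 1
            out_label, next_hop = router.fib[prefix]
            if next_hop is None:
                trace.append(f"{router.name}: IP lookup, deliver locally")
                return trace
            if out_label is not None and out_label != IMPLICIT_NULL:
                stack = [out_label]
            trace.append(f"{router.name}: IP lookup, push {stack} -> {next_hop}")
        else:
            router.label_lookups += 1
            action, out_label, next_hop = router.lfib[stack[0]]
            if action == "swap":
                stack[0] = out_label
            elif action == "pop":
                stack.pop(0)
            else:
                raise ValueError(f"unknown action {action}")
            trace.append(f"{router.name}: label lookup, {action} -> {stack}")
            if next_hop is None:           # popped at the egress: IP lookup on the same router
                continue
        # Put the packet on the wire exactly as frame mode MPLS would and check it parses.
        frame = b"".join(encode_label(l, bos=(i == len(stack) - 1))
                         for i, l in enumerate(stack)) + payload
        if stack:
            assert decode_stack(frame) == (stack, payload)
        router = routers[next_hop]


def lookup_counts(routers: Dict[str, LSR]) -> Dict[str, Tuple[int, int]]:
    """(IP lookups, label lookups) per router after forwarding."""
    return {name: (r.ip_lookups, r.label_lookups) for name, r in routers.items()}


if __name__ == "__main__":
    for php in (True, False):
        routers, prefix = build_chain(php)
        print("PHP" if php else "no PHP", forward(routers, "A", prefix), lookup_counts(routers))
```

With PHP the egress router C does a single IP lookup; without it C must first look up label 21 in its LFIB and then still do the IP lookup, which is the double lookup the slides call non-optimal.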
Summary
Every LSR assigns a label for every destination in the IP routing table. Although labels are locally significant, they have to be advertised to directly reachable peers. Outgoing labels are inserted in the LFIB after the label is received from the next-hop LSR. Packets are forwarded using labels from the LFIB table rather than the IP routing table. PHP optimizes MPLS performance (one less LFIB lookup).
Lesson 03
Objectives
Describe the procedure for configuring frame mode MPLS on a Cisco IOS router
Enable IP CEF on a router as a step in implementing frame mode MPLS
Enable MPLS on a frame mode interface as a step in implementing frame mode MPLS
Configure the MTU size in label switching as a step in implementing frame mode MPLS
1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Configuring IP CEF
1. Configure CEF:
Start CEF switching to create the FIB table
Enable CEF switching on all core interfaces
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Router(config)# ip cef [distributed]
Starts CEF switching and creates the FIB table. The distributed keyword configures distributed CEF (running on VIP or line cards). All CEF-capable interfaces run CEF switching.
Router(config-if)# ip route-cache cef
Monitoring IP CEF
Router#
1. Configure CEF
2. Configure MPLS on a frame mode interface:
Enable label switching on a frame mode interface
Start LDP or TDP label distribution protocol
3. (Optional) Configure the MTU size in label switching
Router(config-if)# mpls ip
Enables label switching on a frame mode interface and starts LDP on the interface.
1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching:
Increase MTU on LAN interfaces
Label switching increases the maximum MTU requirements on an interface because of the additional label header. Interface MTU is automatically increased on WAN interfaces; IP MTU is automatically decreased on LAN interfaces. Label-switching MTU can be increased on LAN interfaces (resulting in jumbo frames) to prevent IP fragmentation.
Summary
MPLS configuration tasks include configuring IP CEF, tag switching, and setting MTU size. CEF is configured globally. Use the mpls ip command to enable MPLS on an interface level. To set MTU for labeled packets, use the mpls mtu interface configuration command.
Lesson 04
Objectives
Explain MPLS VPN architecture, and how it improves on the traditional methods of overlay and peer-to-peer VPN
Describe the components of an MPLS VPN and how they are interconnected to enable enterprise network connectivity between sites
Identify how routing information is propagated across the P-network
Identify the end-to-end flow of routing updates in an MPLS VPN
Describe MPLS VPN packet forwarding
VPN Models
The service provider infrastructure appears as point-to-point links to customer routes. Routing protocols run directly between customer routers. The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.
Peer-to-Peer VPNs
Overlay VPN:
Well-known and easy to implement
Service provider does not participate in customer routing
Customer network and service provider network are well-isolated
Peer-to-peer VPN:
Guarantees optimum routing between customer sites
Easier to provision an additional VPN
Only sites are provisioned, not links between them
Overlay VPN:
Implementing optimum routing requires a full mesh of VCs. VCs have to be provisioned manually. Bandwidth must be provisioned on a site-to-site basis. Overlay VPNs always incur encapsulation overhead (IPsec or GRE).
Peer-to-peer VPN:
The service provider participates in customer routing. The service provider becomes responsible for customer convergence. PE routers carry all routes from all customers. The service provider needs detailed IP routing knowledge.
Shared PE router:
All customers share the same (provider-assigned or public) address space.
High maintenance costs are associated with packet filters.
Performance is lower: each packet has to pass a packet filter.
Dedicated PE router:
All customers share the same address space.
Each customer requires a dedicated router at each POP.
An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning. PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach). Customers can use overlapping addresses.
PE Router Architecture
The number of customer routes can be very large; BGP is the only routing protocol that can scale to such a number. BGP is used to exchange customer routes directly between PE routers.
Route Distinguishers
Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol? Answer: Extend the customer addresses to make them unique. The 64-bit RD is prepended to an IPv4 address to make it globally unique. The resulting address is a VPNv4 address. VPNv4 addresses are exchanged between PE routers via BGP. BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MPBGP).
The RD has no special meaning. The RD is used only to make potentially overlapping IPv4 addresses globally unique. This design cannot support all topologies required by the customer.
Requirements:
All sites of one customer need to communicate. Central sites of both customers need to communicate with VoIP gateways and other central sites. Other sites from different customers do not communicate with each other.
Route Targets
Some sites have to participate in more than one VPN. The RD cannot identify participation in more than one VPN. RTs were introduced in the MPLS VPN architecture to support complex VPN topologies. RTs are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.
Export RTs:
Identify VPN membership
Append to the customer route when it is converted into a VPNv4 route
Import RTs:
Associate with each virtual routing table
Select routes inserted into the virtual routing table
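The division of labour between the RD (make overlapping prefixes unique) and the RTs (decide VPN membership) is easiest to see on the topology the requirements above describe: two customers whose remote sites reuse the same subnet, and whose central sites must also reach a shared VoIP gateway and each other. The following is an added example (not from the course slides and not vendor code): it builds type-0 (ASN:number) RDs, forms the VPNv4 key by prepending the 64-bit RD to the IPv4 prefix, exports each VRF's routes with its export RTs into one BGP table, and imports into each VRF by RT. AS number, RD and RT values, prefixes and PE names are constructed sample values.

```python
"""Route distinguishers versus route targets on a hub-and-spoke style topology.

Added example (not from the course slides and not vendor code).  AS number,
RD/RT values, prefixes and PE names are constructed sample values.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Tuple


def encode_rd(asn: int, number: int) -> bytes:
    """Type-0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)


def vpnv4_key(rd: bytes, prefix: str) -> bytes:
    """VPNv4 NLRI key: the 64-bit RD prepended to the IPv4 network, plus its length."""
    net = ip_network(prefix)
    return rd + net.network_address.packed + bytes([net.prefixlen])


@dataclass(frozen=True)
class Vpnv4Route:
    rd: bytes
    prefix: str
    route_targets: FrozenSet[str]   # extended-community attributes, e.g. "65000:100"
    next_hop: str                   # the advertising PE


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: bytes
    export_rt: FrozenSet[str]
    import_rt: FrozenSet[str]
    local_routes: Tuple[Tuple[str, str], ...]   # (prefix, PE that holds the site)


A, B, VOIP = "65000:100", "65000:200", "65000:999"   # route targets

# Both remote sites use 10.1.0.0/24; only the RD keeps them apart in BGP.
# Central sites export the VoIP RT too, so they see each other and the gateway.
VRFS: Dict[str, Vrf] = {
    "A-central": Vrf("A-central", encode_rd(65000, 1), frozenset({A, VOIP}), frozenset({A, VOIP}),
                     (("172.16.1.0/24", "PE1"),)),
    "A-remote":  Vrf("A-remote", encode_rd(65000, 2), frozenset({A}), frozenset({A}),
                     (("10.1.0.0/24", "PE2"),)),
    "B-central": Vrf("B-central", encode_rd(65000, 3), frozenset({B, VOIP}), frozenset({B, VOIP}),
                     (("172.16.2.0/24", "PE1"),)),
    "B-remote":  Vrf("B-remote", encode_rd(65000, 4), frozenset({B}), frozenset({B}),
                     (("10.1.0.0/24", "PE2"),)),
    "VoIP-gw":   Vrf("VoIP-gw", encode_rd(65000, 5), frozenset({VOIP}), frozenset({VOIP}),
                     (("192.168.100.0/24", "PE3"),)),
}


def export_routes(vrf: Vrf) -> List[Vpnv4Route]:
    """Customer route -> VPNv4 route: prepend the VRF's RD, attach the export RTs."""
    return [Vpnv4Route(vrf.rd, prefix, vrf.export_rt, pe) for prefix, pe in vrf.local_routes]


def build_bgp_table(vrfs: Dict[str, Vrf] = VRFS) -> List[Vpnv4Route]:
    """What MP-BGP carries between the PE routers."""
    return [r for vrf in vrfs.values() for r in export_routes(vrf)]


def import_routes(vrf: Vrf, table: List[Vpnv4Route]) -> Dict[str, str]:
    """Select routes whose RTs intersect the VRF's import RTs and strip the RD;
    the RD itself carries no meaning and plays no part in the decision."""
    selected: Dict[str, str] = {}
    for r in table:
        if r.rd == vrf.rd:
            continue                        # locally originated, already in the VRF
        if r.route_targets & vrf.import_rt:
            selected[r.prefix] = r.next_hop
    return selected


def distinct_keys(table: List[Vpnv4Route]) -> int:
    """Number of distinct VPNv4 keys (should exceed the number of distinct IPv4 prefixes)."""
    return len({vpnv4_key(r.rd, r.prefix) for r in table})


if __name__ == "__main__":
    table = build_bgp_table()
    print("VPNv4 entries:", distinct_keys(table), "IPv4 prefixes:", len({r.prefix for r in table}))
    for name, vrf in VRFS.items():
        print(f"{name:10s} imports {import_routes(vrf, table)}")
```

A-remote and B-remote never import each other's 10.1.0.0/24, not because of the RD but because neither carries the other's RT; the RD only ensures both routes survive side by side in the BGP table.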
CE routers have to run standard IP routing software. PE routers have to support MPLS VPN services and Internet routing. P routers have no VPN routes.
The CE routers run standard IP routing software and exchange routing updates with the PE router. The PE router appears as another router in the C-network.
PE-CE routing protocols are configured for individual VRFs. Supported protocols include BGP, OSPF, static, RIP, and EIGRP. Routing configuration on the CE router has no VRF information.
To the customer, the PE routers appear as core routers connected via a BGP backbone. The usual BGP and IGP design rules apply. The P routers are hidden from the customer.
The PE routers will label the VPN packets with a label stack, as follows:
Using the LDP label for the egress PE router as the top label Using the VPN label assigned by the egress PE router as the second label in the stack
VPN PHP
PHP on the LDP label can be performed on the last P router. The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup. IP lookup is performed only once, in the ingress PE router.
Summary
There are two major VPN paradigms: overlay VPN and peer-to-peer VPN. MPLS VPN architecture combines the best features of the overlay and peer-to-peer VPN models. BGP is used to exchange customer routes between PE routers. Routes are transported using IGP (internal core routes), BGP IPv4 (core Internet routes), and BGP VPNv4 (PE-to-PE VPN routes). PE routers forward packets across the MPLS VPN backbone using label stacking.