Mang May Tinh NC - Slides - 2

KHOA CNG NGH THNG TIN, HUTECH B mn Mng & Truyn thng My tnh
MNG MY TNH NNG CAO

TS. Nguyn Vn Mi
nv.mui@hutech.edu.vn
Nm hc 2013-2014
NI DUNG MN HC
Knowledge
Chapter 1: TCP/IP, Name Resolving Chapter 2: Domain Name System Chapter 3: Routing & Remote Access Chapter 4: DHCP & FTP Chapter 5: Email Service Chapter 6: WEB Service Chapter 7: Firewalls Chapter 8: MPLS & Border Gateway Protocol
Skill: network administrating

2
Ti liu tham kho

Required textbook
Networking text books
Computer Networking: A Top-Down Approach Featuring the Internet (5rd edition), by Kurose and Ross Computer Networking: (6th edition), by Kurose and Ross
Network administrating references

TCP/IP Illustrated, Volume 1: The Protocols, by Stevens WindowServer 2003 Network Infrastructure Implementation,Management, and Maintenance CCNP-ISCW, Volume 1&2
3
Grading and Schedule

Four assignments (10% each)
95% 3 hours, 70% 2 days late, 50% > 3 days late One free late day during semester Must complete all assignments to pass
Final exams (50% total)

Midterm exam before spring break (25%) Final exam during exam period (25%)
Class participation (10%)

In lecture and precept In the forums
4
Chapter 1: Suite of TCP/IP Protocols
Chapter 1
Suite of TCP/IP Protocols
Chapter 1 : Suite of TCP/IP Protocols
Lessons
Lesson 1: OSI Model Lesson 2: TCP/IP Protocol Suite Lesson 3: Basic Commands Lesson 4: Using Network Monitor
Lesson 1: OSI Model
What is the OSI Model ?

a framework for networking standards can be developed. provided vendors with a set of standards that ensured greater compatibility and interoperability between the various types of network technologies. Researched and developed by the ISO - International Organization for Standardizations. 1977: establish a subcommittee to develop a communications architecture. 1984: publish ISO-7498, the Open System Interconnection (OSI) reference model.
Lesson 1: OSI Model
OSI reference Model
7 5 4 3 2 1
Application
In the OSI model:
6 Presentation
Session Transport Network Data-Link Physical
Each layer has a defined networking function Each layer communicates with the layer above and below it Layer seven provides services for programs to gain access to the network Layers one and two define the networks physical media and related tasks
Lesson 1: OSI Model
The physical layer
Transmission of an unstructured bit stream over a physical link between end systems. Electrical, mechanical,specifications Physical data rate Distances Physical connector
Lesson 1: TCP/IP Protocol Suite

The data-link layer
Provides for the reliable transfer of data cross a physical link. Frames Physical address Network topology Synchronization Error control Flow control
Lesson 1: OSI Model
The network layer
Provides connectivity and path selection between two host systems that may be located on geographically separated networks. Packets Virtual circuits Route, routing table, routing protocol Logical address Fragmentation
Lesson 1: OSI Model
The transport layer
Provides reliable, transparent transfer of data over networks. Segments, data stream, datagram Connection oriented and connectionless End-to-end flow control Error detection and recovery Segmentation & reassembly
Lesson 1: OSI Model
The session layer
Establishes, manages, and terminates sessions between two communicating hosts. Sessions Dialog Conversations Data exchange

The presentation layer
Ensures that the information that the application layer of one system sends out is readable by the application layer of another system. Format of data Data structure Data conversion Data compression Data encryption
Lesson 1: OSI Model
The application layer
Is the OSI layer that is closest to the user; it provides network services to the users applications. File transfer Electronic mail Terminal access Word processing Intended communication partners
Lesson 1: OSI Model
Encapsulation example: E-mail

TCP/IP Protocol Suite
Originally developed by The Defense Advance Research Projects Agency (DARPA) to interconnect various defense department computer networks.
TCP/IP is really a family of protocols referred to as the Internet Protocol Suite

The TCP/IP Model relate to the OSI Model
OSI Application Presentation Session Transport Network Data-Link Physical Transport Internet Link Ethernet Token Ring Frame Relay ATM TCP IP UDP
IGMP ICMP
TCP/IP
TCP/IP Protocol Suite HTTP FTP RIP SMTP SNMP
Application
DNS
ARP

IP Internet Protocol
Provides addressing at the network layer Provides fragmentation and reassembly of packets

TCP Transmission Control Protocol
TCP provides guaranteed delivery by establishing a virtual circuit between sender and receiver this virtual circuit is called a socket

Internet Protocol (TCP/IP) Properties

Viewing IP Configuration

How an IP Packet Moves Through the Suite of TCP/IP Protocols
The Four Layers of the TCP/IP Protocol Suite: Application Transport Internet Link

Practise: Protocols and Layers of the TCP/IP Model
In this practice, you will associate the protocols and layers of the TCP/IP model
7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 Data-Link 1 Physical
Lesson 3: Basic Commands

Basic Commands
Ping: Used to verify reachability of intended destinations using ICMP Echo

messages.
Ipconfig, ipconfig/all, ipconfig/displaydns, ipconfig/displaydns |more Route: Used to view and modify the entries in the routing table. Tracert: Used to send ICMP Echo messages to discover the path between a
node.
Pathping: Used to discover the path between a host and destination or to

identify high-loss links.

What is Ping
You can run Ping from a client computer to test the connection to any host, such as a router or a server: The client computer sends an Echo Request to the server The server sends an Echo Reply back to the client computer You check the details of the Echo Reply to determine the quality of the connection

Ipconfig /all Ipconfig /displaydns

Route print

Tracert & Pathping
Lesson 4: Using Network Monitor

Microsoft Network Monitor
2 3
1 4
Network Monitor: Captures a sample of network traffic Uses filters to select specific packets Decodes the packets in the language of the individual protocols Compiles network statistics

How to install Microsoft Network Monitor

Microsoft Network Monitor

How to capture frames
Examining Captured Network Traffic
Examining Captured Network Traffic
Chapter 1: Resolving Names
Chapter 1
Resolving Names
Chapter 1: Resolving Names
Lessons
Lesson 1: Name Resolution Process Lesson 2: Managing the ARP Cache Lesson 3: NETBIOS Name Lesson 4: Configuring NetBIOS Name Resolution Lesson 5: Configuring Host Name Resolution Lesson 6: Static Name Resolution Lesson 7: Dynamic Name Resolution
Lesson 1: Name Resolution Process
IP names
IP addresses might be fine for computers, but humans prefer to use names. For example: http://www.vnn.vn rather than http://203.162.168.130 This is accomplished with either Host lookup tables on each machine or a Domain Name Server (DNS)
Overview
Explain what a host name is Explain what a NetBIOS name is
DNS Server Corp01.contoso.msft 192.168.2.102
192.168.0.5
192.168.1.5 Payroll.contoso.msft
What are Host Names ?

A host name is the DNS name, of a device on a network, that is used to locate computers on the network
Examples:
FQDN msft server1.nwtraders.msft. Host Name DNS Suffix FQDN server1.training.nwtraders.msft. Host Name DNS Suffix Server1 = 192.168.0.66 Server1 = 192.168.0.67 training nwtraders . Root
What are Host names ?

A Host name can exist as a single-part name or it can used with the suffix to create the identifier for a Resource on a TCP/IP network The suffix is essential the the Host name, because it allows two identical Host names to exist on the network without conflict A Host name and Suffix are known together as the Fully Qualyfied Domain Name (FQDN) A fully qualified domain name (FQDN) is a DNS domain name that has been stated unambiguously to indicate with absolute certainty its location in the domain namespace tree
How Names Are Mapped to IP Addresses

Name Resolution Service Computer44
1
Where is the Computer44 file? 192.168.1.200
2 3
Computer44
How to View Host Names on a Client
View host names and DNS suffixes by using the Ipconfig utility View host names by using Hostname utility View host names by using System Properties Rename a computer
Lesson 2: Managing the ARP Cache
Managing the ARP Cache

Static and Dynamic ARP Cache Entries How ARP Resolves IP Addresses to MAC Addresses Using the ARP Tool to Manage the ARP Cache
Address Resolution Protocol (ARP)
Static and Dynamic ARP Cache Entries

An ARP cache
The cache is a table of recently resolved IP addresses and their corresponding MAC addresses TCP/IP checks the ARP cache before sending an ARP request To view the cache, type arp a at the command prompt
Static cache entries:

Have no time-out value Must be added manually Must be updated
Dynamic cache entries:

Have a time-out value Are removed after the specified time
How ARP Resolves IP Addresses to MAC Addresses

1 2 3 4 5 6
ARP cache is checked ARP request is sent ARP entry is added ARP reply is sent ARP entry is added IP packet is sent 1 2
ComputerA ComputerC ComputerB
3 4 5 6
Using the ARP Tool to Manage the ARP Cache
Lesson 3: NETBIOS Name
Overview
The Types of Names Computers Use What Is NetBIOS? What Is a NetBIOS Name? What Is NetBT? Types of NetBT Nodes What Is Nbtstat?
The Types of Names Computers Use

Name Description 16-byte address Can represent a single computer or group of computers 15 characters used for the name 16th character is used by the services that a computer offers to the network Assigned to a computers IP address 255 characters in length Can contain alphabetic and numeric characters, hyphens, and periods. Can take various forms Alias Domain name
NetBIOS Names
Host Names
What is NETBIOS
OSI Application Presentation Session Transport Network Transport Internet Application NetBIOS Applications NetBIOS Interface NetBIOS Is an API Operates at the session and transport layers of the OSI protocol stack Establishes names, sessions and data transfer TCP/IP
Data-Link Physical
Link
What is a NetBIOS Name

A NetBIOS name is an identifier used by NetBIOS services running on a computer. It is made up of a 15-character name plus a 16th character (1 byte) denoting the service
NetBIOS Name Server2 Server2 Server2 16th character 00 20 01 Services Workstation Server Messenger IP address 192.168.0.39 192.168.0.39 192.168.0.39
Server2
NETBIOS Name
Payroll Payroll <00> <20>
Corp1 Corp1
<00> <20>
16 byte name 16th character is a 1 byte hexadecimal identifier Used for the name of a computer or the name of a service running on the computer
What is NetBT
Application NetBIOS Applications
Transport
NetBIOS Interface NetBT TCP/IP
Internet NetBT
Runs on top of the TCP/IP network protocol Supports discovery, registration and release of NetBIOS names Uses broadcast or a NetBIOS name server, depending on node type
NetBIOS Name Resolution Process

NetBIOS Name Cache WINS Broadcast Lmhosts File
Salescomputer2 192.168.1.35 What is the IP address for Salescomputer2?
3
Salescomputer2
NetBIOS name resolution is the process of mapping a NetBIOS name to an IP address
Types of NetBT Nodes

NetBt Node Types B-node (broadcast) P-node (peer-to-peer) M-node (mixed) H-node (hybrid) Microsoft enhanced B-node Uses NetBIOS broadcast name queries Uses NetBios Name Server (NBNS or WINS) A combination of B-node and P-node. Uses broadcast first by default A combination of B-node and P-node. Uses NBNS first by default Uses the Lmhosts file
What is Nbtstat
Use nbstat to:

Check the state of current NetBT connections Update the Lmhosts cache Determine the registered name of a client
Lesson 4: Configuring NetBIOS Name Resolution
Overview
NetBIOS Name Resolution Process NetBIOS Name Cache How to View and Release the NetBIOS Name Cache Broadcasts Lmhosts File

Client Resolver Cache DNS Hosts File NetBIOS Name Cache WINS Broadcast Lmhost File
Salescomputer2 What is the IP address for Salescomputer2?
192.168.1.35
3
Salescomputer2
NetBIOS name resolution is the process of mapping a NetBIOS name to an IP address.
The NetBIOS Name resolution process is configurable .The default order, in which the client is configured to query a WINS server and to use Lmhosts lookup is as follows :

NetBIOS Cache WINS server Send to the Local network as a broadcast Local Lmhosts file
NetBIOS Name Cache

A NetBIOS name cache is a location in memory that stores NetBIOS names that have recently been resolved to IP addresses whether through a WINS server, broadcast, or Lmhosts file
Computer1
Broadcast Resolved host names from broadcasts
Lmhosts File
Resolved host names from the WINS server
NetBIOS Name Cache

Purpose of a NetBIOS Name Cache is :
The first place that the NetBIOS redirector searches for an IP address to map a NetBIOS name. Resolves IP Addresses more quickly than a WINS server, broadcast, or Lmhosts file. Do not create network traffic.
How to View and Release the NetBIOS Name Cache
View the contents of the local computers NetBIOS name cache Release the NetBIOS name cache and reload the #PRE-tagged entries in the local Lmhosts file Display and view the NetBIOS name table of the local computer
Broadcasts
Local broadcasts are network messages, sent from a single computer, that are distributed to all other devices on the same segment of the network as the sending computer
Broadcast is answered
Broadcast Fails
Broadcast
1 1 2
NetBIOS Redirector
Router
The NetBIOS redirector sends out a local broadcast If the resource is on the local network, the broadcast is answered and an IP address is returned If the resource is on a remote network, then the broadcast will not pass through the router
Lmhosts File
An Lmhosts file is a local text file that maps NetBIOS names to IP addresses for hosts that are not located on the local subnet
# Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to computernames # (NetBIOS) names. Each entry should be kept on an individual line. # The IP address should be placed in the first column followed by the # corresponding computername. The address and the computername # should be separated by at least one space or tab. The "#" character # is generally used to denote the start of a comment (see the exceptions # below). # # The following example illustrates all of these extensions: # # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC # 102.54.94.102 "appname \0x14" #special app server # 102.54.94.123 popular #PRE #source server # 102.54.94.117 localsrv #PRE #needed for the include # # #BEGIN_ALTERNATE # #INCLUDE \\localsrv\public\lmhosts # #INCLUDE \\rhino\public\lmhosts # #END_ALTERNATE
Computer1
Lmhosts File
Lesson 5: Configuring Host Name Resolution
Overview
The Host Name Resolution Process Client Resolver Cache How to View and Flush the Client Resolver Cache Hosts File How to Preload the Client Resolver Cache by Using a Hosts File
The Host Name Resolution Process

Client Resolver Cache DNS Hosts File NetBIOS Name Cache WINS Broadcast Lmhost File
Salescomputer2 What is the IP address for Salescomputer2?
192.168.1.35
3
Salescomputer2
Host Name resolution is the process of resolving a host name to an IP address.
Client Resolver Cache

The client resolver cache is a location in memory that stores host names that have recently been resolved to IP addresses. It also stores host nameto-IP address mappings loaded from the Hosts file
Computer1
Hosts File
Resolved host names from the DNS server
How to View and Flush the Client Resolver Cache
Display a client resolver cache by using the Ipconfig command Flush a client resolver cache by using the Ipconfig command
Hosts File
The Hosts file is a static file that is maintained on the local computer and that is used to load host name-to-IP address mappings into the client resolver cache # Copyright (c) 1993-1999 Microsoft Corp.
# # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost
Computer1
Hosts File
Lesson 6: Static Name Resolution
Overview
Using an Lmhosts File Guidelines for Configuring a Client to Use Lmhosts Using a Hosts File
Using an Lmhosts File

Add an entry to the client Lmhosts file
1
What is the IP address for london? 127.0.0.1 localhost 131.107.34.1 router 192.168.2.200 london
Lmhosts File
192.168.2.200
Guidelines for Configuring a Client to Use Lmhosts

Guidelines
An entry consists of the IP address, one space or tab, and the NetBIOS name Each entry must be on a separate line. Use a carriage return after the final entry NetBIOS names can contain uppercase, lowercase and special characters Entries can represent all versions of Windows # marks the start of a comment or a keyword
Using an Hosts File

Add an entry to the client Hosts file
Hosts File
127.0.0.1 localhost 131.107.34.1 router 172.30.45.121 server1.central.microsoft.com s1
1
What is the IP address for s1?
172.30.45.121
Client
Lesson 7: Dynamic Name Resolution
Overview
What Is WINS ? What Is DNS ? The DNS Suffix
What is WINS
NetBIOS Name Registration Query
?
OK
Payroll WINS Server
1 2 3
Queries a WINS Server Determines if name is in use or not If not in use, then registers the NetBIOS name and associated IP address
What is DNS
FQDN: printserver.contoso.com. ( Root)
Root domain
Parent domain
Com Edu Org
Other top-level domains
Contoso
printserver payroll
Child domain
accounts
DNS suffix
FQDN
. Root com contoso sales corp05 = 192.168.0.66 corp01 = 192.168.0.67
corp05.contoso.com.
Host Name DNS Suffix FQDN
corp01.sales.contoso.com.
Host Name DNS Suffix
Summary: How Client Names Are Resolved

1
Enter command Name is resolved
8 2 3
DNS name cache
Lmhosts File
7 6 5 4
Hosts File
Broadcast
DNS Server
WINS Server
NetBIOS name cache
Practise
1 2 3 4
Identify a MAC address View the ARP cache and then modify it Determine and then change the NetBT node type of a client computer Resolve names
Practise
1 2 3 4
Use Ipconfig to manage the DNS client cache Configure a client to resolve names using DNS Configure host name resolution Configure NetBIOS name resolution
Practise
1 2 3 4
How to add an entry to the client Lmhosts file How to add an entry to the client Hosts file How to preload a NetBIOS name cache by using an Lmhosts file How to preload the client resolver cache by using a Hosts file
Chapter 2 : Domain Name System
Chapter 2
Domain Name System
Chapter 2: Domain Name System
Lessons
Lesson 1: Domain Name System (DNS) Lesson 2: Configuring the Properties for the DNS Server Service Lesson 3: Configuring DNS Zones Lesson 4: Configuring DNS Zone Transfers Lesson 5: Configuring DNS Dynamic Updates Lesson 6: Configuring a DNS Client Lesson 7: Delegating Authority for Zones
Lesson 1: Domain Name System
Overview
What is DNS DNS Hierarchy What is a Domain Namespace What is InterNIC History of DNS The Role of DNS in the Network Infrastructure Standards for DNS Naming Install the DNS Server Service
What is DNS
Domain Name System (DNS) is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses
DNS is the foundation of the Internet naming scheme and the foundation of an organizations naming scheme DNS supports accessing resources by using alphanumeric names InterNIC is responsible for delegating administrative responsibility for portions of the domain namespace and for registering domain names DNS was designed to solve issues that arose when there was an increase in the: Number of hosts on the Internet Traffic generated by the update process Size of the Hosts file
DNS Hierarchy
DNS is organized into hierarchical domains DNS Root Servers are positioned at the top of the DNS hierarchy. They maintain data about each of the top-level zones.
Top-level Domain Servers exist for arpa, com and edu etc. Local name servers are maintained by individual organizations
What is a Domain Namespace

Root Domain Top-Level Domain net com org
Second-Level Domain
nwtraders
Subdomains
west
south
east
FQDN: server1.sales.south.nwtraders.com
sales
Host: server1
What is a Domain Namespace
The Domain namespace ia a hierarchical naming tree that DNS uses to identify and locate a given host in a given domain relative to the root of the tree
Domain : in DNS is any tree or subtree within the overall domain namespace. Root domain : this is the root node of the DNS tree Top-level Domain : This is state as a two or three-character name code that identifies either organizational or geographical status. This is a highest-level domain in the internets DNS hierarchy. Second-level Domain : This is the level immediately beneath the Top-level domain in the Internets DNS hierarchy .This is a unique name that InterNIC formally registers to an individual or organization that connects to the Internet. Subdomain : This is a subdivision of a larger domain. For example : mail.yahoo.com is a subdomain of yahoo.com y y
What is InterNIC
InterNIC is The Internet Network Information Center The InterNIC manages the root, or the highest level of the domain namespace. Go to http://www.internic.net for more information about InterNIC
History of DNS
DNS began in the early days of the Internet DNS was introduced in 1984 and became this new system
The Role of DNS in the Network Infrastructure

Explain the role and benefits of DNS in the network infrastructure Define the key components of DNS Discuss the DNS domain namespace Discuss DNS zones and zone transfer Discuss DNS name servers Explain how the hosts name resolution process works Explain forward lookup queries
Standards for DNS Naming

The following characters are valid for DNS names: A-Z a-z 0-9 Hyphen (-) The underscore (_) is a reserved character
Install the DNS Server Service
Lesson 2: Configuring the Properties for the DNS Server Service
Overview
What are the Components of a DNS Solution What is a DNS Query How Recursive Queries Work How a Root Hint Works How Iterative Queries Work How Forwarders Work How DNS Server Caching Works How to Configure the Properties for the DNS Server Service
What are The Components of a DNS Solution
Resource Record
Root . .com
Resource Record DNS Clients DNS Servers
.edu
DNS Servers on the Internet
What are The Components of a DNS Solution The components of DNS

DNS Server : A computer running DNS service DNS Client : A computer running DNS client service DNS Resource Records : Entries in the DNS database that map host names to resources
How is the DNS Query

A query is a request for name resolution to a DNS server. There are two types of queries: recursive and iterative DNS clients and DNS servers both initiate queries for name resolution An authoritative DNS server for the namespace of the query will either: Check the cache, check the zone, and return the requested IP address Return an authoritative, No A non-authoritative DNS server for the namespace of the query will either: Forward the unresolvable query to a specific query server called a Forwarder Use root hints to locate an answer for the query
How Recursive Queries Work

A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query
DNS server checks the forward lookup zone and cache for an answer to the query Recursive query for mail1.nwtraders.com Database Local DNS Server
172.16.64.11 Computer1
How Recursive Queries Work
The following steps describe how a recursive query works

The Client sends a recursive query to the local DNS Server The local DNS Server checks the forward lookup zone and cache for an answer to the query If the answer to the query is found, then the DNS Server returns the answer to the client. If an answer is not found, then the DNS Server uses a forwarder address or root hints to locate an answer.
How a Root Hint Works

Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers
Cluster of DNS Servers Root Hints Cluster of Root (.) Servers
DNS Server Computer1
com microsoft
How a Root Hint Works

Root Hint are stored in the Cache.dns in locate %systemroot%\system32\dns
How Iterative Queries Work

An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree
Iterative Query Local DNS Server Ask .com
1 2
Root Hint (.)
.com
Computer1
3
nwtraders.com
How Forwarders Work

A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names
Iterative Query Forwarder Ask .com Root Hint (.)
.com
Local DNS Server
nwtraders.com Computer1
How DNS Server Caching Works

Caching Table Host Name IP Address TTL clientA.contoso.msft. 192.168.8.44 28 seconds Wheres ClientA Client is at 192.168.8.44 A?
ClientA Client1 Client2 ClientA Client is at Wheres 192.168.8.44 A?
Caching is the process of temporarily storing recently accessed information in a special memory subsystem for quicker access
How to Configure Properties for the DNS Server Service

Update root hints on a DNS server Configure a DNS server to use a forwarder Clear the DNS server cache by using the DNS console Clear the DNS server cache by using the DNSCmd command
Lesson 3: Configuring DNS Zones
Overview
How DNS Data Is Stored and Maintained What Are Resource Records and Record Types What Is a DNS Zone What Are DNS Zone Types How to Change a DNS Zone Type What Are Forward and Reverse Lookup Zones How to Configure Forward and Reverse Lookup Zones
How DNS Data is Stored and Maintained

Namespace: training.nwtraders.msft
DNS Server
Resource records for the zone training.nwtraders.msft Host name DNS ClientA IP address 192.168.2.45 192.168.2.46 192.168.2.47
Zone File: Training.nwtraders.msft.dns
DNS ClientB DNS ClientC
DNS ClientA
DNS ClientB
DNS ClientC
A resource record (RR) is a standard DNS database structure containing information used to process DNS queries A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace
What Are Resource Records and Record Types
Record type A PTR SOA SRV NS MX CNAME
Description Resolves a host name to an IP address Resolves an IP address to a host name The first record in any zone file Resolves names of servers providing services Identifies the DNS server for each zone The mail server Resolves from a host name to a host name
What is a DNS Zone
Nwtraders
South
West
North
Sales
Support
Training
What Are DNS Zone Types

Zones
Read/Write
Description Read/write copy of a DNS database
Primary
Read-Only
Read-only copy of a DNS database Secondary

Copy of limited records
Copy of a zone containing limited records
Stub
What Are Forward and Reverse Lookup Zones

Namespace: training.nwtraders.msft.
DNS Server Authorized for training Forward zone DNS Client1 Training DNS Client2 DNS Client3 192.168.2.45 Reverse 1.168.192.in- 192.168.2.46 zone addr.arpa 192.168.2.47 DNS Client2 = ? 192.168.2.46 = ? DNS Client3 DNS Client1 DNS Client2 192.168.2.45 192.168.2.46 192.168.2.47 DNS Client1 DNS Client2 DNS Client3
Forward Lookup Zone
Reverse Lookup Zone
How to Configure Forward and Reverse Lookup Zones

Configure a forward lookup zone on a primary zone type Configure a forward lookup stub zone Configure a forward lookup zone on a secondary zone type Configure a reverse lookup zone on a primary zone type Configure a reverse lookup zone on a secondary zone type
Lesson 4: Configuring DNS Zone Transfers

How DNS Zone Transfers Work How DNS Notify Works How to Configure DNS Zone Transfers
How DNS Zone Transfers Work

A DNS zone transfer is the synchronization of authoritative DNS zone data between DNS servers
1 2 3 4
Secondary Server
SOA query for a zone SOA query answered IXFR or AXFR query for a zone IXFR or AXFR query answered (zone transfer)
Primary and Master Server
How DNS Notify Works

A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur
Destination Server
1 2 3 4
DNS notify
Resource record is updated SOA serial number is updated
Source Server
Zone transfer Primary and Master Server
Secondary Server
Lesson 5: Configuring DNS Dynamic Updates
Overview
What Are Dynamic Updates How DNS Clients Register and Update Their Own Resource Records by Using Dynamic Updates How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates How to Configure DNS Manual and Dynamic Updates What Is an Active Directory-Integrated DNS Zone How Active Directory-Integrated DNS Zones Use Secure Dynamic Updates How to Configure Active Directory-Integrated DNS Zones to Allow Secure Dynamic Updates
What are DNS Dynamic Updates

Explain why DNS dynamic updates are important Explain the difference between manual and dynamic updates Explain that client computers can either dynamically update resource records in DNS themselves or have DHCP perform dynamic updates in DNS on their behalf Explain what secure dynamic updates are
What Are Dynamic Updates
A dynamic update is the process of a DNS client dynamically creating, registering, or updating its records in zones that are maintained by DNS servers that can accept and process messages for dynamic updates A manual update is the process of an administrator manually creating, registering, or updating the resource record
Dynamic update enables DNS client computers to interact automatically with the DNS server to register and update their own resource records Organizations that have dynamic changes can benefit from the dynamic method of updating DNS resource records Organizations may benefit from manual update if they: Are in a smaller environment that has few changes to their resource records Have isolated instances, such as when a larger organization chooses to control every address on every host.

How DNS Clients Register and Update Their Own Resource Records by Using Dynamic Updates
DNS Server
Resource Records
1 2
Client sends SOA query DNS server sends zone name and server IP address Client verifies existing registration DNS server responds by stating that registration does not exist Client sends dynamic update to DNS server
3 4 5
Windows Server 2003
Windows XP
Windows 2000

How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates
DNS Server Resource Records
1 2 3 3 4 4
DHCP client makes an IP lease request DHCP server grants IP lease DHCP server automatically generates clients FQDN Using dynamic update, the DHCP server updates the DNS forward and reverse records for the client
1 2
Window Server 2003 Running DHCP IP Address Lease DHCP Downlevel Client

A down-level client is a DHCP client running Windows NT 4.0 or earlier. Down-level clients are unable to register or update their resource records in DNS on their own
Administrator can configure DHCP servers running Windows Server 2003 and Windows 2000 to update DNS client resource records for the following client types:
Any down-level DHCP clients that do not request dynamic updates. Any DHCP client, including those that are running Windows XP and
Windows 2000, regardless of whether it requests a dynamic update.

Process of performing dynamic updates for a down-level client

The DHCP client makes an IP lease request The DHCP server grants an IP lease The DHCP server automatically generates the clients FQDN by
appending the domain name that is defined for the DHCP scope to the client name. The client name is obtained from the DHCPREQUEST message that the client sends
DNS forward (A) name for the client DNS reverse (PTR) name for the client
Using the dynamic update protocol, the DHCP server updates the :

Process of performing dynamic updates for a Windows XP client

The DHCP client makes an IP lease request that includes the client
FQDN in option 81 of the DHCP request
The DHCP server grants an IP lease The client connects to the DNS server to update the A record for itself The DHCP server updates the DNS reverse (PTR) name for the
client by using the dynamic update protocol
How to Configure DNS Manual and Dynamic Updates

Configure a DNS server running Windows Server 2003 to accept dynamic updates of DNS resource records Configure a Windows XP Professional client to dynamically update its DNS resource records in DNS Configure a DHCP server running Windows Server 2003 to dynamically update DNS resource records in DNS on behalf of DHCP clients Manually create a DNS resource record
How to Configure DNS Manual and Dynamic Updates

You need to choose and configure one or both of the following options. Dynamic updates are supported on Primary DNS Zones To use a DNS client for dynamic updates, configure the :
DNS server to accept dynamic updates DNS clients to create dynamic updates for themselves
To use a DHCP server for dynamic updates, configure the :

DNS server to accept dynamic updates DHCP server to create dynamic updates on behalf of the DHCP clients
To manually create a DNS resource record, you need to add a host (A) resource record to a forward lookup zone
What is an Active Directory-Integrated DNS Zone

DNS zone type Non Active Directoryintegrated zone Active Directoryintegrated zone Benefit Does not require Active Directory Stores DNS zone data in Active Directory and is thus more secure Uses Active Directory replication instead of zone transfers Allows only secure dynamic updates Uses multi-master instead of single master structure An Active Directory-integrated DNS zone is a DNS zone stored in Active Directory
How Active Directory-Integrated DNS Zones Use Secure Dynamic Updates

A secure dynamic update is a process in which a client submits a dynamic update request to a DNS server, and the server attempts the update only if the client can prove its identity and has the proper credentials to make the update DNS Client running Windows XP Find authoritative server Result Local DNS Server
Domain Controller with Active DirectoryIntegrated DNS Zone

How to Configure Active Directory-Integrated DNS Zones to Allow Secure Dynamic Updates Only
Configure Active Directory-integrated DNS zones to allow secure dynamic updates Configure security on an Active Directory-integrated DNS zone
Lesson 6: Configuring a DNS Client

How Preferred and Alternate DNS Servers Work How Suffixes Are Applied How to Configure a DNS Client
How Preferred and Alternate DNS Servers Work

3. Optionally, you can enter a whole list of alternate DNS servers
1. The preferred DNS server is the one that the client tries first 4. The preferred and alternate DNS servers specified on the Properties page automatically appear at the top of this list, and preferred and alternate servers are queried in the order they are listed
2. If the preferred server fails, the client tries the alternate DNS server
How Suffixes Are Applied
Suffix Selection option
Domain suffix search list
Name query = server1
server1.sales.south.nwtraders.com server1.south.nwtraders.com server1.nwtraders.com
Connection Specific Suffix
How to Configure a DNS Client

Manually configure a DNS client to use preferred and alternate DNS servers Configure the DNS server option and the DNS suffix option in DHCP
DNS
Cached Lookup
Reslove name
Lesson 7: Delegating Authority for Zones
Overview
What Is Delegation of a DNS Zone? How to Delegate a Subdomain to a DNS Zone
Lesson 7: Delegating Authority for Zones
What Is Delegation of a DNS Zone

Namespace: training.nwtraders.msft
The administrator, at the nwtraders.com level of the namespace, delegates authority for training.nwtraders.com and offloads administration of DNS for that part of the namespace Training.nwtraders.com now has its own administrator and DNS server to resolve queries in that part of the namespace/organization DNS server
training.nwtraders.msft DNS server
training.nwtraders.msft
Delegation is the process of assigning authority over child domains in your DNS namespace to another entity by adding records in the DNS database
Practise
1 2 3 4
Install the DNS Server service Configure DNS zones Resolve host names by using DNS Configure a DNS client
Practise
1 2 3 4
Update root hints on a DNS server Configure a DNS server to use a forwarder Clear the DNS server cache by using the DNS console Clear the DNS server cache by using the DNSCmd command
Practise
1 2 3 4
Configure a forward lookup zone on a primary zone type Configure a forward lookup stub zone Configure a forward lookup zone on a secondary zone type Configure a reverse lookup zone on a primary zone type and a secondary zone type
Practise
1 2 3 4
Configure a DNS server running Windows Server 2003 to accept dynamic updates of DNS resource records Configure a Windows XP Professional client to dynamically update its DNS resource records in DNS Configure a DHCP server running Windows Server 2003 to dynamically update DNS resource records in DNS on behalf of DHCP clients Manually create a DNS resource record
Practise
1 2 3
Configure the properties for the DNS Server service How to Configure Forward and Reverse Lookup Zones How to Configure DNS Manual and Dynamic Updates
Practise
1 2 3 4
Configure DNS dynamic updates How to delegate a sub-domain to a DNS zone How to change a DNS zone type How to configure a DNS zone transfer and DNS notify
Chapter 3 : Routing and Remote Access
Chapter 3
Routing and Remote Access
Chapter 3 : Routing and Remote Access
Lessons
Lesson 1: Basic Concepts Lesson 2: Routing Lesson 3: Routing and Remote Access on Windows 2003 Server Lesson 4: Configuring Packet Filters
Lesson 1: Basic Concepts
Overview
Using a Default Gateway What is a Router How the Computer Determines Whether an IP Address is a Local or Remote Address
Using a Default Gateway

When you use a default gateway:
The default gateway: Routes packets to other networks Is used when the internal routing table on the host has no information on the destination subnet DHCP automatically delivers the IP address for the default gateway to the client To configure the client manually for the default gateway, use the General tab on the Network Connections Properties page
Using a Default Gateway
What is a Router
A Router is an intermediate system at the network layer that is used to connect networks together based on a common network layer protocol Router types Hardware router Software router Example A device that performs routing as a dedicated function A router that is not dedicated to performing routing only, but performs routing as one of multiple processes running on the router computer
Main routing components include:

Routing interface Routing protocol Routing table
What is a Router
Communication path A-C-D A C B
Routers
D Communication path A-B-D

How the Computer Determines Whether an IP Address Is a Local or Remote Address
Local and destination hosts IP addresses are each AND with their subnet masks 1 AND 1 = 1 Other combinations = 0 If AND results of source and destination hosts match, the destination is local
IP address Subnet mask
10011111 11111111 10011111
11100000 11111111 11100000
00000111 10000001 00000000 00000000 00000000 00000000
Result
Lesson 2: Routing
Overview
The Role of Routing in the Network Infrastructure What is a Routing Interface What is a Routing Protocol What Is Static and Dynamic Routing What is a Routing Table How the IP Protocol Selects a Route
Lesson 2: Routing
The Role of Routing in the Network Infrastructure

Routing is the process of transferring data across an internetwork
Describe how routing fits into the network infrastructure Explain the difference between local and remote routing Describe how the Microsoft routing solution fits into the network infrastructure
Subnet 1
Router A
Subnet 2
Router B
Subnet 3
Lesson 2: Routing
What is a Routing Interface

A routing interface is an interface over which IP packets are forwarded
Two types of routing interfaces:

LAN Demand-dial
Chapter 4:Dynamic Host Configuration Protocol
Chapter 4
Dynamic Host Configuration Protocol
Chapter 4:Dynamic Host Configuration Protocol
Lessons
Lesson 1: What is DHCP Lesson 2: Adding and Authorizing a DHCP Server Service Lesson 3: Configuring a DHCP Scope and DHCP Reservation Lesson 4: DHCP Options Lesson 5: Configuring a DHCP Relay Agent Lesson 6: Configuring a client Lesson 7: Using Alternate Configuration Lesson 8: Managing a DHCP Database Lesson 9: Monitoring DHCP Lesson 10: Applying Security Guidelines for DHCP
Lesson 1: What is DHCP
The Role of DHCP in the Network Infrastructure

DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration Manual TCP/IP Configuration
IP addresses entered manually on each client computer Possibility of entering incorrect or invalid IP address Incorrect configuration can lead to communication and network issues Administrative overload on networks where computers are frequently moved
Automatic TCP/IP Configuration

IP addresses are supplied automatically to client computers Ensures that clients always use correct configuration information Client configuration updated automatically to reflect changes in network structure Elimination of common source of network problems
How DHCP Allocates IP Addresses

IP addresses and Options are sent from DHCP server in response to a request from a DHCP client
Non-DHCP Client DHCP Client
IP Address1 IP Address2 IP Address1 IP Address2 IP Address3 . . . IP AddressN
DHCP Client DHCP Server
DHCP Database
How DHCP Allocates IP Addresses (cont)

Non-DHCP Client: Static IP configuration DHCP Client2: IP configuration from DHCP server Lease Renewal Lease Generation DHCP Server DHCP Client1: IP configuration from DHCP server
DHCP Database
IP Address1: Leased to DHCP Client1 IP Address2: Leased to DHCP Client2 IP Address3: Available to be leased
How the DHCP Lease Generation Process Works

DHCP Server 2
DHCP Server 1
DHCP Client
1 2 3 4
DHCP client broadcasts a DHCPDISCOVER packet DHCP servers broadcasts a DHCPOFFER packet DHCP client broadcasts a DHCPREQUEST packet DHCP server 1 broadcasts a DHCPACK packet

A DHCPDISCOVER packet
This is a message that DHCP client send the first time that they attempt logon to the network and request IP address information from a DHCP Server.
A DHCPOFFER packet
This is a message that DHCP Servers use offer the lease of an IP address to DHCP client .
If the clients does not receive an offer after four requests. It use an IP in the reserved range from 169.254.0.1 168.254.255.254
A DHCPREQUEST packet renew the lease of the clients IP address.

This is a message that a client sends to the DHCP Server request or
A DHCPACK packet
This is a message that DHCP Server send to a client to acknowledge and complete a clients request for leased configuration. This message contains a valid lease for the IP address and other IP configuration data.
Important
Protocol (UDP) port 67 and 68.
DHCP Servers and Clients communicate by using User Datagram
How the DHCP Lease Renewal Process Works

DHCP Server2
DHCP Server1
DHCP Client
87.5% 100% 50% of of oflease lease lease duration has expired DHCP Client sends a DHCPREQUEST DHCPREQUEST packet client sends a packet If the client fails to renew its lease, of of the lease 1 its lease, after after 50% 87.5% the lease has expired, the DHCP lease process starts overwill durationthen has expired, then thegeneration DHCP lease renewal process DHCP Server1 sends athe DHCPACK packet again with a after DHCP clientof broadcasting a DHCPDISCOVER 2 begin again 87.5% lease duration has expired
How the DHCP Lease Renewal Process Works

Definitions
The DHCP lease renewal process is the process by which the DHCP client renews or updates its IP address configuration data with the DHCP Server.
Automatic lease renewal process

A DHCP Client automatically attempts to renew its lease as soon as 50 percent of the lease duration has expired.
The DHCP client will also attempt to renew its IP address lease each time that the computer restarts.
Manual lease renewal configuration information immediately.

You can renew an IP lease manually if you need to update DHCP
Lesson 2: Adding and Authorizing a DHCP Server Service
Install a DHCP Server Service

Prepare to add a DHCP Server service
Assign a static IP address to the DHCP server Logged on as an administrator.
Add a DHCP Server service

Install DHCP Service using Control Panel Add or Remove Programs Install DHCP Service using Administrative Tools Configure Your Server Wizard
DHCP Client
DNS Server
DHCP Server
Lesson 2: Adding and Authorizing a DHCP Server Service
How a DHCP Server Service Is Authorized

Domain Controller Active Directory
If DHCP Server1 finds its IP DHCP Server1 checks with the address on the list, service domain controller to the obtain a list starts and supports DHCP clients of authorized DHCP servers
DHCP Server1 Authorized Services DHCP requests DHCP Server2
DHCP Client
Unauthorized
DHCPclient Server2 checks If DHCP DHCP Server2 does not findthe its IP receives IPwith address domain controller obtain a list of address on the list,to the service does from authorized DHCP Server1 authorized DHCPDHCP servers not start and support clients
Does not service DHCP requests
DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients
Lesson 3: Configuring a DHCP Scope and DHCP Reservation
DHCP Scope
A scope is a range of IP addresses that are available to be leased
DHCP Server
LAN A
LAN B
Scope A
Scope B
Scope Properties
Network ID Subnet mask Network IP address range Lease duration Router Scope name Exclusion range
DHCP Scope
Scope property
Network ID : The Network ID for the range of IP addresses. Subnet mask : The subnet mask for the Network ID. Network IP address range : The range of IP addresses that are available to clients. Lease duration : The period of time that the DHCP Server holds a lease IP address for a client before removing the lease. Router : A DHCP option that allows DHCP clients to access remote networks. Scope name : An alphanumeric identifier for administrative purposes. Exclusion range : The range of IP addresses in the scope that are excluded from being leased.
How to Configure a DHCP Scope
scope IP Address Range Subnet mask IP address exclusions Lease duration interval Scope Options
Configure a DHCP
Activate a DHCP scope
How to Configure a DHCP Scope
Superscope
Superscope which expands the number of IP network addresses that you can use in a network . A Superscope allows several distinct scopes to be logically grouped under a single name.
You must have at least a Scope before create a Superscope
Multicast Scope
Multicast scope which is a group of IP multicast network addresses that are distributed to other computers in a network. The valid IP address range is 224.0.0.0 239.255.255.255
DHCP Reservation
A reservation is a specific IP address, within a scope, that is permanently reserved for leased use to a specific DHCP client
Workstation 1 File and Print Server Subnet B
Subnet A
DHCP Server IP Address1: Leased to Workstation 1 IP Address2: Leased to Workstation 2 IP Address3: Reserved for File and Print Server
Workstation 2
How to Configure a DHCP Reservation
Configure a DHCP reservation

Specify IP address MAC address of DHCP client
Verify DHCP Reservation
How to Configure a DHCP Reservation
Information of a Reservation
Reservation name : Name that the administrator assigns. IP address : IP address from the scope for the client. MAC address : Clients media access control (MAC) address (entered without hyphens). Description : Description that the administrator assigns. Supported type : DHCP reservation, Boot Protocol (BOOTP) reservation or both.
Lesson 4: DHCP Options
DHCP Options
DHCP options are configuration parameters that a DHCP service assigns to clients along with the IP address and subnet mask
DHCP Client
DHCP Client IP Configuration Data Clients IP address Clients subnet mask DHCP options such as: Routers IP address DNS servers IP address WINS servers IP address DNS domain name
DHCP Server
Levels of DHCP Options

Level of DHCP Option Server level Description Applies to all DHCP clients that lease an IP address from the DHCP server Available to clients that lease an address from that scope
Scope level
Available to clients that identify Class level (User & Vendor) themselves as belonging to a particular class Reserved Client level
Applies to specific clients
DHCP Server, Scope, and Reserved Client Options

DHCP Server Windows 98 File and Print Server
Scope A Router Windows XP
Scope B
Windows XP
DHCP option applied at the reserved-client server scope levellevel
DHCP Class-level Options

DHCP Server Windows 98 Router Scope A Router Scope B File and Print Server
Windows XP
Windows XP
DHCP option applied at the class level
Lesson 5: Configuring a DHCP Relay Agent
What is DHCP Relay Agent ?

A DHCP relay agent is a computer or router configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DCHP servers on different subnets
DHCP Relay Agent DHCP Server
Unicast Broadcast Subnet A

Routers Non-RFC 1542 Compliant Client Client Client Client
Broadcast Subnet B
How a DHCP Relay Agent Works

DHCP Relay Agent DHCP Server
Client1
Client2
Non-RFC 1542 Compliant
Router
Client3
1 2 3 4 5 6 7 8
Client1 broadcasts a DHCPDISCOVER packet Relay agent forwards the DHCPDISCOVER message to the DHCP server Server sends a DHCPOFFER message to the DHCP relay agent Relay agent broadcasts the DHCPOFFER packet Client1 broadcasts a DHCPREQUEST packet Relay agent forwards the DHCPREQUEST message to the DHCP server Server sends a DHCPACK message to the DHCP relay agent Relay agent broadcasts the DHCPACK packet
How a DHCP Relay Agent Uses Hop Count

The hop count threshold is the number of routers that the packet can be transmitted through before being discarded
DHCP Relay Agent 2 Hop Count = 2 DHCP Relay Agent 1
DHCP Server
How a DHCP Relay Agent Uses Boot Threshold

The boot threshold is the length of time in seconds that the DHCP Relay Agent will wait for a local DHCP server to respond to client requests before forwarding the request
Boot Threshold = 10 seconds DHCP Relay Agent DHCP Server 2
Local DHCP Server DHCP Server 3
How to Configure a DHCP Relay Agent

Enable RRAS Add DHCP Relay Agent Add a routing interface Specify IP of DHCP server Apply hop count /boot threshold
Lesson 6: Configuring a DHCP client
Static and Dynamic IP Addresses

IP addresses can be:
Static
Addresses that are manually assigned and do not change over time Dynamic Addresses that are automatically assigned for a specific length of time and may be changed
DHCP Assigned Settings on the Client
Renewing an IP Address
1
DHCPREQUEST (unicast)
Lease-holding DHCP Server DHCP Server Non-DHCP Server
2
DHCP Client
DHCPREQUEST (broadcast)
DHCP Servers
DHCPACK
Manually Renew/Release an IP Address

To release and renew an IP address:
Type ipconfig /release Type ipconfig /renew
To verify the address has been renewed:

Type ipconfig /all Note the values for Lease Obtained and Lease Expires
Lesson 7: Using Alternate Configuration
How Alternate Configuration Assigns IP Addresses

DHCP Client attempts to locate DHCP Server
Server found? Yes
DHCP Server assigns address to client
No No Yes
APIPA configured and enabled?
APIPA address is assigned
User configured alternate configuration specified? No
Yes
User configured IP address is assigned
User configured IP address is not assigned
Lesson 7: Using Alternate Configuration
APIPA OR User Configured IP Addresses
Practice
1 2 3 4
Configure a DHCP scope Configure a DHCP reservation Configure DHCP options Add and authorize a DHCP Server service
Practice
1 2
Configure a DHCP Relay Agent Identify and resolve common issues when allocating IP addressing by using DHCP
Practice
1 2 3 4
Assign an IP address to a client (static IP, dynamic IP) Release and renew an IP address Configure an alternate configuration Disable APIPA
Lesson 8: Managing a DHCP Database
Overview
Managing DHCP What Is a DHCP Database? How a DHCP Database Is Backed Up and Restored How To Back Up and Restore a DHCP Database How a DHCP Database Is Reconciled How To Reconcile a DHCP Database
Managing DHCP
The DHCP service needs to be managed to reflect changes in the network and the DHCP server Scenarios for managing DHCP:
Managing DHCP database growth Protecting the DHCP database Ensuring DHCP database consistency Adding clients Adding new network service servers Adding new subnets
What is a DHCP Database

The DHCP database is a dynamic database that is updated when DHCP clients are assigned or as they release their TCP/IP address leases The DHCP database contains DHCP configuration data, such as information about scopes, reservations, options, and leases Windows Server 2003 stores the DHCP database in the directory %Systemroot%\System32\Dhcp The DHCP database files include:
DHCP.mdb Tmp.edb J50.log and J50*.log Res*.log J50.chk
How a DHCP Database Is Backed Up and Restored

DHCP Server DHCP
Restore
Offline Storage
Back up
Restore
DHCP
Back up
In the event that the server hardware fails, the administrator can restore only from the offline storage location
How to Back Up and Restore a DHCP Database
Apply guidelines when backing up and restoring a DHCP database Configure a DHCP database backup path Manually back up a DHCP database to the backup directory on a local drive Manually restore a DHCP database from the backup directory on a local drive
How to Reconcile a DHCP Database

DHCP Database Registry Detailed IP address lease information Summary IP address lease information Compares information to find inconsistencies
DHCP Server
Reconciles inconsistencies in the DHCP database
Example Summary information Detailed information Reconciled DHCP database Create an active lease entry
IP address Client has IP address 192.168.1.34 192.168.1.34 is available
How to Reconcile a DHCP Database
Prepare to reconcile a DHCP database Reconcile all scopes in a DHCP database Reconcile a scope in a DHCP database
Lesson 9: Monitoring DHCP
Overview
What Are DHCP Statistics? How to View DHCP Statistics What is a DHCP Audit Log File? How DHCP Audit Logging Works How to Monitor DHCP Server Performance by Using the DHCP Audit Log Guidelines for Monitoring DHCP Server Performance Common Performance Counters for Monitoring DHCP Server Performance Guidelines for Creating Alerts for a DHCP Server
What Are DHCP Statistics?
DHCP Server
DHCP statistics represent statistics collected at either the server level or scope level since the DHCP service was last started
How to View DHCP Statistics

In these procedures, you will learn how to:
Enable DHCP statistics to automatically refresh View DHCP server statistics View DHCP scope statistics
What is a DHCP Audit Log File?

A DHCP audit log is a log of service-related events, such as when: the service starts and stops; authorizations have been verified; or IP addresses are leased, renewed, released, or denied
How DHCP Audit Logging Works

Audit logging is the daily collection of DHCP server events into log files.
DHCP server closes the existing log and moves to the log file for the next day of the week DHCP server writes a header message in the audit log, indicating that logging has started
12:00 am
3. DHCP closes daily audit log

DHCPSrvLog-Tue.Log
1. DHCP opens daily audit log

DHCPSrvLog-Mon.Log
2. DHCP performs disk checks
Disk checks ensure that both the ongoing availability of server disk space and the current audit log file do not become too large or grow too rapidly
How to Monitor DHCP Server Performance by Using the DHCP Audit Log
In these procedures, you will learn how to:
Enable and configure DHCP audit logging View the DHCP audit log
Guidelines for Monitoring DHCP Server Performance

Create a baseline of performance data on the DHCP server Check the standard counters for server performance, such as processor utilization, paging, disk performance, and network utilization Review DHCP server counters to look for significant drops or increases that indicate a change in DHCP traffic
Common Performance Counters for Monitoring DHCP Server Performance

Performance counters Packets received/second Requests/second What to look for after a baseline is established Monitor for sudden increases or decreases which could reflect problems on the network Monitor for sudden increases or decreases which could reflect problems on the network
Monitor for increases both sudden and gradual Active queue length which could reflect increased load or decreased server capacity Duplicates dropped/second Monitor for any activity which could indicate that more than one request is being transmitted on behalf of clients
Guidelines for Creating Alerts for a DHCP Server
Define the acceptable level that a DHCP counter can rise above or fall below, before creating an alert Use scripts with your alerts
Lesson 10: Applying Security Guidelines for DHCP
Overview
Guidelines for Restricting an Unauthorized User from Obtaining a Lease Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses Guidelines for Restricting Who Can Administer the DHCP Service Guidelines for Securing the DHCP Database
Guidelines for Restricting an Unauthorized User from Obtaining a Lease To restrict an unauthorized user from obtaining a lease:
Ensure that unauthorized persons do not have physical or wireless access to your network Enable audit logging for every DHCP server on your network Regularly check and monitor audit log files Use 802.1X-enabled LAN switches or wireless access points to access the network

Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses
To restrict an unauthorized, non-Microsoft DHCP server from leasing IP addresses:

Ensure that unauthorized persons do not have physical or wireless access to your network
Microsoft DHCP Server

Only DHCP servers running Windows 2000 or Windows Server 2003 can be authorized in Active Directory
Unauthorized, non-Microsoft DHCP Server

Non-Microsoft DHCP server software does not include the authorization feature that is included in Windows 2000 and Windows Server 2003

Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses
To restrict who can administer the DHCP service:

Restrict the membership of the DHCP Administrators group to the minimum number of users necessary to administer the service If there are users who need read-only access to the DHCP console, then add them to the DHCP Users group instead of the DHCP Administrators group Have read-only DHCP console access to the server Can view and modify any data about the DHCP server
DHCP Users group DHCP Administrators group
Guidelines for Securing the DHCP Database

To further secure the DHCP database:
Consider changing the default permissions of the DHCP folder Provide only the minimum permissions required to users to enable them to perform their task Provide Read permissions to users responsible for analyzing DHCP server log files Remove Authenticated Users and Power Users to minimize access to the files in the DHCP folder
Practice
Manage a DHCP database Manage and monitor DHCP
Chapter 4: FTP
Chapter 4
File Transfer Protocol
Lessons
Lesson 1: Introduction to FTP Lesson 2: Setting up an FTP Server Lesson 3: Using FTP Lesson 4: Securing FTP Service
Lesson 1: Introduction to FTP
What is FTP ?
Short for File Transfer Protocol, the protocol for exchanging files over the Internet. FTP works in the same way as HTTP for transferring Web pages from a server to a user's browser and SMTP for transferring electronic mail across the Internet in that, like these technologies, FTP uses the Internet's TCP/IP protocols to enable data transfer FTP is most commonly used to download a file from a server using the Internet or to upload a file to a server, for example: upload a Web page file to a server
FTP
FTP client
FTP server
Internet
Architecture of the TCP/IP Protocol Suite

TCP/IP Protocol Suite Application
HTTP FTP SMTP DNS RIP SNMP
Transport
TCP
UDP
Internet
ARP
IP
IGMP
ICMP
Link Token Ring Frame Relay
Ethernet
ATM
Confusion
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports: Command port : 21 (also known as the control port) Data port : 20 The confusion begins however, when we find that depending on the mode, the data port is not always on port 20. One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. FTP mode: Active mode (Active FTP) Passive mode (Passive FTP)
Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20. From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened: FTP server's port 21 from anywhere (Client initiates connection) FTP server's port 21 to ports > 1024 (Server responds to client's control port) FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port) FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
Active FTP - Example
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server, it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.
Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
Passive FTP
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened: FTP server's port 21 from anywhere (Client initiates connection) FTP server's port 21 to ports > 1024 (Server responds to client's control port) FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server) FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
Passive FTP - Example
Passive FTP - Confusion

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client. With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.
Summary
The following chart should help admins remember how each FTP mode works: Active FTP : command : client > N -> server (Port: 21) data : client > N <- server (Port: 20) Passive FTP : command : client > N -> server (Port: 21) data : client > N -> server > N
Lesson 2: Setting up an FTP Server
Add/Remove Programs
Windows Components
Installing IIS
Installing FTP Service
IIS Manager
Creating an FTP Site
FTP Administration
Lesson 3: Using FTP
Using Command Prompt
Lesson 3: Using FTP
Using Command Prompt
Lesson 3: Using FTP
Check FTP service
Lesson 3: Using FTP
FTP
1 Using Run Command 2 Using Internet Explorer
Lesson 3: Using FTP
Using Total Commader
Lesson 3: Using FTP
Using Total Commader
Lesson 3: Using FTP
AceFTP
Download and try to use AceFTP
Lesson 4: Securing FTP Service
Permissions
FTP Properties Directory Security
Gene FTP Server (secure FTP Server)
Try to deploy Gene FTP Server
Chng 5
DCH V EMAIL
DCH V EMAIL
CC GIAO THC TRONG H THNG MAIL. CC KHI NIM C BN. MT S H THNG MAIL THNG DNG. CC CHNG TRNH MAIL SERVER. CI T EXCHANGE SERVER 2003. CU HNH EXCHANGE MAIL SERVER. GII THIU EXCHANGE SYSTEM MANAGER KHI NG CC DCH V TRONG EXCHANGE QUN L TI KHON MAIL. ADMINISTRATIVE GROUP MICROSOFT OUTLOOK WEB ACCESS THIT LP CHNH SCH CHO H THNG MAIL QUN L PUBLIC FOLDER V MAILBOX CC TIN CH CN THIT CHO MAIL.
CC GIAO THC TRONG H THNG MAIL
Giao thc SMTP. Giao thc X.400. Giao thc POP. Giao thc IMAP.
GIAO THC SMTP

SMTP(Simple Mail Transfer Protocol ) l giao thc tin cy chu trch nhim phn pht mail.
SMTP c nh ngha trong RFC 821, SMTP l mt dch v tin cy, hng kt ni (connection-oriented) n hot ng da trn chun giao thc TCP, s hiu cng hot ng l:25.
Cc tp lnh ca SMTP:
helo <sending-host> Mail from:<from-address> Rcpt to:<to-address> Data Quit s dng cc lnh trn ta s dng lnh telnet theo Port.
TELNET <MAILHOST> 25
V d : telnet
172.29.14.10
25
GIAO THC SMTP (t.t.)
S minh ho k thut store and forward v c ch phn pht trc tip trong h thng mail.
GIAO THC POP
C hai phin bn ca POP(Post Office Protocol ) c s dng rng ri l POP2, POP3.

POP2 s dng 109 POP3 s dng Port 110.
Cc cu lnh trong hai giao thc POP2 v POP3 ny khng ging nhau nhng chng cng thc hin chc nng c bn l:
kim tra tn ng nhp v password ca user chuyn mail ca ngi dng t Server ti h thng c mail ca user (mail client)
GIAO THC POP (t.t.)
Cc tp lnh c s dng trong POP3:

USER username PASS password STAT : xem c bao nhiu mail trong mail box RETR n : c mail th n DELE n : xo mail th n QUIT
s dng cc lnh trn ta s dng lnh telnet theo Port.

V d : telnet 172.29.14.10 110
GIAO THC POP (t.t.)
Cc tp lnh c s dng trong POP3:

USER username PASS password STAT : xem c bao nhiu mail trong mail box RETR n : c mail th n DELE n : xo mail th n QUIT s dng cc lnh trn ta s dng lnh telnet theo Port.
V d : telnet 172.29.14.10 110
CC KHI NiM C BN
Mail User Agent (MUA): l chng trnh dng c v son mail Mail Transfer Agent (MTA):
l chng trnh chuyn mail gia cc mail server dng giao thc SMTP N nhn mail t MUA sau chuyn mail n MTA khc
Mailbox:
l tp tin lu tr tt c mail ca ngi dng. Khi c mail gi n cho ngi dng chng trnh x l mail ca server c b s phn phi mail vo mailbox
Alias mail:
Phn phi n cng mt ngi qua nhiu a ch mail Phn phi n nhiu ngi qua mt a ch mail
GiI THIU H THNG MAIL
S t chc
CC KHI NiM C BN
Mail Gataway: l my kt ni gia cc mng dng giao thc khc nhau hoc cc mng khc nhau dng chung giao thc Mail Host:
L thnh phn chung gian chuyn mail gia cc v tr khng kt ni trc tip vi nhau Dng phn gii a ch ngi nhn chuyn n cc mail server hoc gateway tng ng
Mail Server:
Cha mailbox ca ngi dng Nhn mail t Mail Host v a vo mailbox ca ngi dng H tr POP/IMAP cho php ngi dng download mail v my c b thng qua mail client h tr POP/IMAP
Mail Client: L chng trnh dng c v son tho mail, tch hp giao thc SMTP, POP/IMAP
GII THIU H THNG MAIL(t.t.)
GiI THIU H THNG MAIL(t.t.) Tin trnh phn phi n a ch someone@example.com.

1. Email c submit ti a ch someone@example.com. 2. SMTP service phn gii e-mail domain l example.com, sau chuyn mail n internet mail server. 3. E-mail c nh tuyn ti min example.com do my ch mailserver1.example.com qun l. 4. SMTP service t email ny vo hng i mail (Queue folder). Sau h thng phn phi s thng bo c mail mi cho domain example.com. 5. h thng phn pht chuyn e-mail vo mailbox ca ngi dng (P3_someone.mbx). 6. Ngi dng kim tra e-mail bng cch kt ni vo mailbox ca user someone@example.com. POP3 service kim tra username v mt khu chp nhn hoc cm kt ni ca user. 7. Nu qu trnh chng thc ca user thnh cng, e-mail c download v my tnh cc b ca ngi dng.
CC CHNG TRNH MAIL
Microsoft Exchange Server. Mdaemon Sharemail Sendmail
CI T EXCHANGE SERVER 2003
MT S PHIN BN CHNH CA EXCHANGE SERVER

Exchange Server 5.5
Hot ng trn h iu hnh Windows NT 4 Server, Windows 2000 Server c s dng service pack. Khng cn ci t Active Directory nhng c th nhn bn d liu n Active Directory s dng Active Directory Connector (ADC).
Exchange 2000 Server.

Windows 2000 Server (km theo Service pack 1 hoc cao hn) C th ci t trn member server hoc domain controller.
Exchange Server 2003.

Windows 2000 Server (yu cu SP3, SP4) Windows 2003Server. C th ci t trn member server hoc domain controller.
CI T EXCHANGE SERVER 2003(t.t.)

Thnh phn B x l (CPU) Yu cu ngh Pentium III 500 (Exchange Standard Edition) Pentium III 733 (Exchange Enterprise Edition) Windows 2003 512MB 200MB trn a h thng, 500MB trn a ci t Exchange. Tt c cc partition c lin qua n Exchange phi c nh dng l NTFS. Server Server 2003, 2003,
H iu hnh (OS) B nh (Memory) khng gian a (Disk space) H thng tp tin (File System)
Ngoi yu cu v phn mm ta cn phi ci t thm cc dch v h thng nh: Microsoft .NET Framework. Microsoft ASP.NET. World Wide Web service. Simple Mail Transfer Protocol (SMTP) service. Network News Transfer Protocol (NNTP) service.
CI T EXCHANGE SERVER 2003(t.t.)
Tin trnh ci t
Demo
CU HNH EXCHANGE SERVER
Khi ng cc dch v ca Exchange. Gii thiu Exchange System Manager. Qun l ti khon mail. Administrative group. Cu hnh v s dng OWA. Thit lp lut phn phi mail. Qun l public folder v mailbox. Cc tin ch cn thit ca Exchange Server.
KHI NG CC DCH V TRONG EXCHANGE
Mt s dch v cn khi ng khi s dng Exchange:

Microsoft Exchange Event. Microsoft Exchange IMAP4. Microsoft Exchange Information Store. Microsoft Exchange Management. Microsoft Exchange MTA Stacks. Microsoft Exchange POP3. Microsoft Exchange Routing Engine. Microsoft Exchange System Attendant. Microsoft Exchange Site Replication Service.
KHI NG CC DCH V TRONG EXCHANGE (t.t.)
khi to dch v Microsoft Exchange POP3.

Demo
Qun l ti khon
To ti khon mail. (Xem demo) Mail Exchange s dng Account ca h thng lm Account Mail, mi ngi dng s dng duy nht mt Account thng qua hai thng s username v password. E-mail ca ngi dng c c php nh sau: <username>@<domain> Truy cp thuc tnh ca ti khon mail (xem demo) Exchange General. Email Addresses. Exchange Features. Exchange Advanced. Mt s tc v v ti khon (xem demo) Create mailbox. Move mailbox. Delete mailbox. Configure Exchange Features. Remove Exchange Attributes.
Microsoft Outlook Web Access

Outlook Web Access (OWA): cung cp cho ngi dng s dng mail qua trnh duyt Web, h tr e-mail, calendar, contact management, server-side rules, spell checking, junk mail processing,
Microsoft Outlook Web Access (t.t.)

Th mc lu tr ca OWA
Exchsrvr\Bin Exchsrvr\Exchweb\Bin Exchsrvr\Exchweb\Controls Exchsrvr\Exchweb\Img Exchsrvr\exchweb\help Exchsrvr\exchweb\views Exchange Exadmin Public Exchweb OMA v Microsoft-Server-Active-Sync
Virtual Directory ca OWA
S dng OWA (xem demo)
GiI THIU Exchange System Manager.
Gii thiu cc thnh phn chnh ca Exchange System Manager (Xem demo):
Global Settings Recipients Administrative Groups Tools
Administrative group Administrative group: l mt nhm i tng ca Exchange cng chia s chung mt s quyn hn nht nh no . Thng qua Administrative group cung cp quyn s dng public folder, t mt s chnh sch lu tr, qun l cc mailbox server trong cng site, Routing group System policy Public folder
Routing group
Routing group: l mt nhm cc Exchange Server c kt ni point to point vi nhau to nn mt kin trc truyn thng ip (message topology) ch nh phng thc chuyn th gia cc Exchange Server.
S dng connector kt ni cc Exchange server li vi nhau to nn mt kin trc nh tuyn thng ip (routing topology), cc connector ny bao gm: SMTP connector, X.400 connector. l thnh phn con trong administrative group v n lun lun c to bn trong administrative group.
Cc yu t cn quan tm khi to routing group:

m bo tnh n nh trong kt ni mng. Bng thng cn thit cho vic thit lp kt ni on-demain gia cc server. Cn lp lch kt ni gia cc server. Cn iu khin vic truyn message c kch thc ln (>=10MB). Cn gii hn kt ni cho tng user.
Routing group (t.t.)
Kin trc ca routing group
Kt ni mail server thng qua connector
Administrative group & Routing group
Truy cp v cu hnh administrative group v routing group (xem demo)
THIT LP CHNH SCH CHO H THNG MAIL

Thit lp b lc th (xem demo). Connection Filtering: thit lp cc b lut lc kt ni ca host, network, domain. Recipient Filtering: thit lp lut lc a ch ngi gi (sender) Sender Filtering: thit lp lut lc a ch ngi nhn (recipient) Relay Mail (xem demo). Relay mail l k thut chp nhn x l mail cho mt host/subnet/domain no gi mail vo SMTP Virtual Server ni b, s d SMTP Virtual Server nh ngha relay mail phng chng nhng sparm mail khng cn thit t bn ngoi gi n mail server ni b, hoc ta mun cu hnh mail server lm mail gateway cho cc mail server khc. Ch nh smart host (xem demo). Ch nh Mail Gateway hoc my s nhn v x l mail cho email thuc min ngoi. Exchange Server c cung cp c ch chuyn mail ra ngoi qua connectors trong routing group, nu c hai thng tin connector v smart host c cu hnh th mail server s u tin chuyn mail n connector x l. Ch nh kch thc phn phi/nhn cho mi message (xem demo). Cho php gii hn kch thc phn phi v nhn th cho mail server nhm gim ti x l cho h thng, trnh tc nghn, Ch nh chnh sch cho recipients (xem demo). Chnh sch to email cho min. Chnh sch qun l mailbox.
QUN L PUBLIC FOLDER V MAILBOX

Qun l Public Folder Store (xem demo) L th mc cha cc thng tin dng chung. Thng tin ny thng l cc E-mail c cha cc multimedia clips, text documents, spreadsheets... Ta c th thc thi mt s thao tc qun l Public Store sau:
Ch nh gii hn lu tr public folder. ng b lu tr. To public folder. Gn quyn truy xut public folder cho ngi dng.
Qun l Mailbox Store: Cung cp c ch qun l v theo di b lu tr th cho ngi dng. (xem demo)
Theo di qu trnh logon ca ngi dng Theo di, thng k mailbox cho tng ngi dng. Xa mailbox ca ngi dng. Mount v dismount mailbox. Gii hn lu tr cho maibox.
CC TIN CH CN THIT CA EXCHANGE SERVER
GFI MailEssentials: h tr mt s thao tc qun tr mail nh:

Anti spam Mail archiving to a database. Reporting. Personalized server-based auto replies with tracking number. POP3 downloader Mail monitoring
GFI MailSecurity : h tr mt s tnh nng bo mt cho h thng mail nh:

Kim tra v lc ni dung th Cung cp b phn tch ni dung th T ng loi b cc HTML Scripts scanning virus Trojan Executable scanner
Cu hi v gii p
Chng 06
DCH V WEB
DCH V WEB
GII THIU DCH V WEB CU HNH DCH V WEB
GII THIU DCH V WEB
GII THIU GIAO THC HTTP. WEB SERVER V NGUYN TC HOT NG. WEB CLIENT. WEB NG. WEB TNH. GII THIU IIS 6.0. CI T IIS 6.0 WEB SERVICE CU HNH IIS 6.0 WEB SERVICE
GII THIU GIAO THC HTTP
HTTP l mt giao thc cho php Web Browsers v Servers c th giao tip vi nhau, n chun ho cc thao tc c bn m mt Web Server phi lm c.
HTTP ch yu thc thi hai phng thc GET, POST. HTTP port mc nh c gi tr 80 Thng tin tr v t server theo c php ca ngn ng HTML. Phin bn hin ti HTTP 1.1
WEBSERVER V NGUYN TC HOT NG
S hot ng gia Web Browser v Web Server
WEB CLIENT
L chng trnh duyt Web pha ngi dng nh Internet Explorer, Netscape hin th trang Web cho ngi dng.
Web client c th thc hin mt s php ton n gin trn Web page. Thc thi cc script pha my khch nh JavaScript, VBScripts, Lu tr cache cho cc Object, Image cho Webpage. Tch hp cc tnh nng security.
WEB NG
S hot ng ca web ng
GiI THIU IIS 6.0 IIS 6.0 c xy dng trn Windows 2003, IIS 6.0 cung cp mt s c im mi gip tng tnh nng tin cy, tnh nng qun l, tnh nng bo mt. Cc thnh phn chnh ca IIS 6.0
HTTP.sys: qun l kt ni TCP, chuyn cc HTTP request vo hng i, lu cc response vo vng nh
WWW Service Administration and Monitoring Component. Worker process: b x l cc yu cu v gi kt qu cho ng dng web
GiI THIU IIS 6.0 (t.t.)

Cung cp cc tnh nng bo mt: Anonymous authentication Basic authentication Digest authentication Integrated Windows authentication Certificates .NET Passport Authentication
Cung cp cc ng dng:
Application Pool: l mt nhm ng dng cng chia s worker process ASP.NET: cung cp cc dch v xy dng, phn phi ng dng web v dch v XMLWeb
cng c qun tr:

IIS Manager. Remote Administration (HTML) Tool. Command line administration scipts
Ci t IIS 6.0 Web service

Demo ci t IIS6.0
Cu Hnh IIS 6.0 Web service

Default Web site. Application Pool. Web Service Extensions. To mt Web Site. To th mc o. Cu hnh bo mt cho Web site. To Web Hosting. Cu hnh Forum cho Web site. Qun tr Web site t xa. Sao lu phc hi cu hnh.
Default Web site.

Tm hiu mt s Tab cu hnh c bn ca Default Web site.
Demo
Application Pool
Application Pool
L mt nhm cc ng dng cng chia s mt worker process (W3wp.exe). Application Pool gip c th hiu chnh c ch ti s dng vng nh o, ti s dng worker process, hiu chnh performance (v request queue, CPU), health. demo
Web Service Extensions

Web Service Extensions: l thnh phn cung cp cho IIS kh nng thc thi x l Web ng trn Web site
ASP ASP.NET Server Side Includes WebDAV
To mt Web Site
Cn chun b mt s thng tin khi to Web site:
Tn Web site (v d: www.domain) Loi ni dung ca Web site:
Web ng vit bng ngn ng g: ASP, ASP.NET, PHP, C s d liu ca Web ng lu u? C ch kt ni c s d liu cho Web ng nh th no?
Demo to Web site.
To Web site thng qua lnh:

iisweb.vbs /create <Home Directory> Site Description" /i <IP Address> /b <Port>.
To th mc o
Virtual Directory:
Mc ch ca th mc o trong Web l nh x mt ti nguyn t ng dn th mc vt l thnh ng dn URL, thng qua ta c th truy xut ti nguyn ny qua Web Browser.
Demo to Virtual Directory
Cu hnh bo mt cho Web site

Cu hnh chng thc v iu khin truy cp (Authentication And Access Control) Gii hn truy xut Web cho host/domain (IP address and domain name restriction). Secure communication.
Demo cu hnh bo mt Web Site.
To Web Hosting
Web Hosting: l k thut duy tr nhiu Web site trn Web Server.
xc nh tng Web site. Web Server phi da vo cc thng s nh:
Host Header Name. a ch IP. S hiu cng Port.
cu hnh Web hosting cn chun b cc thng tin sau:

a ch FQDN cho tng Web site. Phng thc to Web hosting. Cp quyn cp nht Web hosting cho user.
Demo to Web hosting.
Cu hnh Forum cho Web site

Gii thiu ci t th nghim SnitzTM Forums 2000 Version 3.4.05
Cc bc ci t c bn:
Gii nn file sf2k_v34_051.zip Sau ta m file config.asp (dng tin ch notepad) thay i mt s thng tin cu hnh kt ni n file lu tr c s d liu MS Access c tn snitz_forums_2000.mdb
strDBType = "access" strConnString="Provider=Microsoft.Jet.OLEDB.4.0; DataSource=" & Server.MapPath("snitz_forums_2000.mdb")
Cp quyn mi ngui c quyn FULL cho th mc forum. To Application Pool cho Forum v gn quyn thc thi Script.
Demo cu hnh forum.
Qun tr Web site t xa

IIS cung cp c ch qun tr dch Web, qun tr mt s tnh nng c bn ca h thng t xa bng cch s dng cng c Remote Administration (HTML). S dng Remote Administration c th: Qun l v cu hnh Web Site t xa. Qun l cu hnh mng. Qun l ngi dng cc b. Qun l v duy tr mt s dch v c bn.
Demo qun tr Web
Cu hi v gii p
Chng 7
DCH V PROXY
DCH V PROXY
Gii thiu FIREWALL. Tng quan v FIREWALL. Kin trc ca FIREWALL. Phn loi FIREWALL v nguyn tc hot ng. Gii thiu phn mm ISA. Ci t phn mm ISA 2004. Cu hnh ISA 2004. Cc chnh sch mc nh. Cu hnh Web Proxy Thay i thuc tnh ca access rule. Publishing Network services. Publish Web Server. Public Mail Server. Publish server. Kim tra v thit lp b lc cho ng dng. Lp b lc ng dng. Thit lp b lc Web. Pht hin v ngn mt s loi tn cng. Gii thiu mt s cng c bo mt. Download Security. Surfcontrol Web Filter. Thit lp Network Rule. Thit lp Cache, Qun l v theo di traffic.
Tng quan v FIREWALL
FIREWALL l mt k thut c tch hp vo h thng mng :

Chng li vic truy cp tri php. Bo v cc ngun ti nguyn. Hn ch s xm nhp vo h thng.
Nhim v ca FIREWALL
Kim sot cc traffic mng. Ch cho php mt s traffic cn thit i qua FIREWALL.
Cc phn mm qun l bo mt mng thng thc hin ba nhim v sau:

Qun l xc thc (Authentication). Qun l cp quyn (Authorization). Qun l kim ton (Accounting Management).
Kin trc FIREWALL
Kin trc Dual-homed Host
Kin trc FIREWALL (t.t.)
Kin trc Screening Router
Kin trc FIREWALL (t.t.)
Kin trc Creened Subnet
Phn loi FIREWALL v hot ng

Packet filtering
a ch IP ni xut pht (source IP address). a ch IP ni nhn (destination IP address). Cng TCP ni xut pht (source TCP port). Cng TCP ni nhn (destination TCP port).
Application gateway
L loi FIREWALL c thit k tng cng chc nng kim sot cc loi dch v da trn nhng giao thc c cho php truy cp vo h thng mng, c ch hot ng ca Application Gateway da trn m hnh Proxy Service. C ch lc ca packet filtering kt hp vi c ch i din ca application gateway cung cp mt kh nng an ton v uyn chuyn hn, c bit khi kim sot cc truy cp t bn ngoi. C ch b lc packet s dng m hnh proxy service c nhc im l hin nay cc ng dng ang pht trin rt nhanh, do nu cc proxy khng p ng kp cho cc ng dng, nguy c mt an ton s tng ln.
Phn loi FIREWALL v hot ng (t.t.)
Proxy service s dng trong Dual-home Host
Gii thiu cc phn mm Proxy Server
Trn mi trng Windows:

ISA. Netscape. Wingate. Winroute.
Trn mi trng Unix/Linux:

Squid Proxy Server. Socks Proxy Server.
Gii Thiu Internet Security and Acceleration Sever (ISA)
L Phn mm share internet ca hng phn mm Microsoft. Phin bn mi nht l ISA 2004. ISA 2004 c mt s t im sau:
Hot ng hiu qu. n nh. D cu hnh. Thit lp FIREWALL tt. Tc truy cp mng nhanh nh ch cache thng minh. Schedule Cache. Multi-Networking. Thit lp mng VPN. Application Layer Filtering.
Ci t ISA 2004
Yu cu ci t:
Thnh phn B x l (CPU) H iu hnh (OS) Yu cu ngh Intel hoc AMD 500Mhz tr ln. Windows 2003 hoc Windows 2000 (Service pack 4). 256 (MB) hoc 512 MB cho h thng khng s dng Web caching, 1GB cho Web-caching ISA firewalls. a ci t ISA thuc loi NTFS file system, t nht cn 150 MB dnh cho ISA. t nht phi c mt card mng (khuyn co phi c 2 NIC)
B nh (Memory)
khng gian a (Disk space) NIC
Ci t ISA 2004 (t.t.)

Phng thc ci t:
Ci t ISA trn my server ch c mt card mng (cn gi l Unihomed ISA Firewall), ch h tr HTTP, HTTPS, HTTP-tunneled (Web proxied) FTP. ISA khng h tr mt s chc nng:
SecureNAT client. Firewall Client. Server Publishing Rule. Remote Access VPN. Site-to-Site VPN. Multi-networking. Application-layer inspection ( tr giao thc HTTP).
ISA Firewall thng c trin khai trn dual-homed host (my ch c hai Ethernet cards) hoc multi-homed host (my ch c nhiu card mng) iu ny c ngha ISA server c th thc thi y cc tnh nng ca n nh ISA Firewall, SecureNAT, Server Publishing Rule, VPN,
Demo ci t ISA 2004
Cu hnh ISA FIREWALL

Cc chnh sch mc nh. Cu hnh Web Proxy. Thay i thuc tnh ca access rule. Publishing Network services. Publish Web Server. Public Mail Server. To lut publish server. Kim tra v thit lp b lc cho ng dng. Lp b lc ng dng. Thit lp b lc Web. Pht hin v ngn mt s loi tn cng. Thit lp Network Rule. Thit lp Cache. Qun l log v theo di traffic. Gii thiu mt s cng c bo mt. Download Security. Surfcontrol Web Filter.
Cc thng tin cu hnh mc nh Mt s thng tin cn lu :

System Policies cung cp 30 rule v mt Last Default rule ngm nh cm tt c cc traffic khc.
H thng s x l theo trnh t top-down cc rule trn. Mt khi packet tha iu kin lut no th s b qua cc lut cn li. Nu packet khng tha 30 rule u th n s c chuyn xung Last Default rule x l.
Cho php nh tuyn gia VPN/VPN-Q Networks v Internal Network. Cho php NAT gia Internal Network v External Network. Ch cho php Administrator c th thay i chnh sch bo mt cho ISA firewall.
Demo cc thng tin cu hnh mc nh.
Cu hnh Web Proxy cho ISA Firewall

Mt yu t quan trng cn lu : Mc nh lut th 17 trong System policy rules ca ISA FIREWALL ch cho php Loalhost truy xut Internet Web site c ch nh sn trong Domain Name Sets nh: *.windows.com *.windowsupdate.com *.microsoft.com Nu mun ISA Firewall truy xut ra ngoi bt k Web Site no bn no th ta phi enable lut th 18 trong System policy rules. Nu mun tt c cc my trong mng ni b (Internal Network) truy xut Internet Web site qua ISA Firewall th ta phi to Access rule cho php outbound traffic t Internet ra External. ISA Firewall c th phn gii c tt c cc tn min bn ngoi Internet. Demo cu hnh Web Proxy cho ISA Firewall (localhost) v cho mng ni b (Internal network), mt s bc lm trong demo: Dng trnh duyt ni b truy xut Web site test lut 17. Enable lut th 18 test lut 18 (Dng trnh duyt ni b). To Access Rule cho php traffic mng ni b truy xut mng ngoi. Dng trnh duyt ca mng ni b truy xut mng bn ngoi. Nu ISA Firewall khng truy xut trc tip ra ngoi Internet ta phi ch nh thm thng s Upstream Server chuyn yu cu truy xut ln Proxy cha (xem demo ch nh proxy cha)
Thay i thuc tnh ca Access Rule

Thng thng ta truy xut hp thoi thuc tnh ca Access Rule kim tra hoc thay i cc iu kin t trc . Mt s thng tin c th thay i:
Enable/Disable Access rule Thc hin cc Action:
Deny/Allow. Redirect HTTP requests to this Web page. Log requests matching this rule.
Giao thc (Protocol) a ch ngun (from) a ch ch (to) Ngi dng truy cp (Users) Lch biu truy cp (Schedule) Loi ni dung truy cp (Content Types)
Demo thay i thuc tnh ca lut.
Publishing Network services.

Publishing services: l mt k thut dng cng b (publishing) dch v ni b ra ngoi mng Internet thng qua ISA Firewall. Thng qua ISA Firewall ta c th publish cc dch v:
SMTP. NNTP. POP3. IMAP4. HTTP. OWA. NNTP. FTP. Terminal Services,
Publish Web Services

Web Publishing i khi c gi l 'reverse proxy' trong ISA Firewall ng vai tr l Web Proxy nhn cc Web request t bn ngoi sau s chuyn yu cu vo Web services ni b x l:
Cung cp c ch truy xut y quyn Web site thng qua ISA firewall. Chuyn hng theo ng dn truy xut Web site (Path redirection) Reverse Caching of published Web site. Cho php publish nhiu Web site thng qua mt a ch IP. C kh nng thay i (re-write) URLs bng cch s dng Link Translator ca ISA firewall. Thit lp c ch bo mt v h tr chng thc truy xut cho Web site (SecurID authentication, RADIUS authentication, Basic Authentication) Cung cp c ch chuyn theo Port v Protocol.
M hnh Publishing Web
Internal Network
External Adapter
Internet
131.107.3.1
Internal Adapter 192.168.9.1 6
Web Server
www.vnn.vn
Cu hnh Web Publishing
Demo cu hnh Web Publishing
Cu hnh Mail Publishing
Demo cu hnh Mail Publishing.
To lut Publish Server

Publish mt server cng tng t nh publish mt Web hoc Mail ch c iu ta c php la chn protocol cn c publish, khi publish server ta cn chun b mt s thng s sau:
Protocol m ta cn publish l protocol g? a ch IP trn ISA firewall chp nhn incoming connection. a ch IP address ca Publish Server ni b (Protected Network server).
Cc bc to Publish server
Cu hnh Server Publishing Rule
Demo cu hnh Server Publishing Rule
Kim tra v thit lp b lc
ISA Firewall thc thi hai chc nng quan trng stateful filtering v stateful application layer inspection.
stateful filtering: kim tra v thit lp b lc ti tng network, transport. Stateful filtering thng c gi l b kim tra trng thi packet (stateful packet inspection). Stateful application layer inspection: yu cu Firewall c th kim tra y thng tin trn tt c cc tng giao tip bao gm hu ht cc tng quan trng v application layer trong m hnh tham chiu OSI.
Thit lp b lc cho ng dng (Application Filtering). Thit lp b lc Web. Pht hin v ngn nga tn cng.
Kim tra v thit lp b lc (t.t.)

Thit lp b lc cho ng dng (Application Filtering)
ISA firewall thit lp b lc ng dng (Application filters) vi mc ch bo v cc publish server chng li mt s c ch tn cng bt hp php t bn ngoi mng. hiu chnh b lc ta chn mc Add-ins trong Configuration Panel, tip theo nhp i chut vo tn b lc cn hiu chnh, Mt s cc b lc ng dng cn tham kho nh:
SMTP filter and Message Screener: SMTP filter v Message Screener c s dng bo v publish SMTP server chng li c ch tn cng lm trn b nh (buffer overflow attacks), SMTP Message Screener bo v mng ni b ngn mt s e-mail messages khng cn thit DNS filter: Thit lp b lc cho dch v DNS, chng li mt s c ch tn cng t bn ngoi mng. POP Intrusion Detection filter: Chng c ch tn cng dng Buffer Overflow. SOCKS V4 filter: Cung cp dch v Sock Proxy.
Demo cu hnh thit lp b lc cho mt s ng dng.

Thit lp b lc cho ng dng Web bao gm:
HTTP Security Filter: L mt trong nhng k thut chnh yu thit lp b lc ng dng, HTTP Security filter cho php ISA Firewall thc hin mt s c ch kim tra thng tin ng dng (application layer inspection) da trn tt c cc HTTP traffic qua ISA firewall v chn cc kt ni khng ph hp vi yu cu c m t trong HTTP security. ISA Server Link Translator: l mt trong nhng k thut c xy dng sn trong ISA Firewall Web filter thc hin bin i a ch URL cho cc kt ni ca user bn ngoi truy xut vo Web publishing ni b. RADIUS Authentication Filter. OWA Forms-based Authentication Filter.
Demo cu hnh thit lp b lc Web.
Pht hin v ngn nga mt s loi tn cng:

Mt s loi tn cng:
Denial-of-Service Attacks: SYN Attack/LAND Attack: Ping of Death, Teardrop, Ping Flood (ICMP Flood), SMURF Attack, UDP Bomb, UDP Snork Attack, WinNuke (Windows Out-of-Band Attack), Mail Bomb Attack, Scanning and Spoofing, Port Scan.
Demo cu hnh ngn mt s c ch tn cng:
Thit lp Network Rule Mc tiu to Network Rule:

nh tuyn. NAT.
Mc nh h thng to ra cc Network rule cho php thit lp mt s c ch nh nh tuyn (route) gia hai mng, thay i a ch (NAT) : Local Host Access: nh tuyn traffic t localhost n mng ni b. VPN Client to Internal Network: nh tuyn t VPN Client n Internal network. Internet Access: NAT t Internal network ra ngoi mng Internet.
Thit lp Network Rule(t.t.)
M hnh Network Rule
Thit lp Network Rule(t.t.) Demo thit lp Network Rule
Thit lp Cache
Caching: l k thut lu tr cc Objects c ti t Internet nhm h tr c ch ti s dng cho cc request sau ny.
Thun li ca Caching:
Tng tc truy cp Internet cho user. Gim ti cho ng truyn internet. Tng tnh nng sn sng cho Web Content.
Forward caching: l k thut nhm gim ti cho ng truyn Internet bng cch lu tr cc frequently-accessed Internet Web objects trn mng ni b, khi user cc b c th s dng cc Object ny m khng cn request n Internet Server. Reverse caching: l k thut nhm gim ti cho ng truyn cc b, tng tc truy xut Web cho cc external user mt khi cng ty t host mt Web site ring trong h thng ni b. Frequently-requested objects trn Web server cc b c cache ti network edge trn proxy server nh m External User truy xut nhanh hn.
Thit lp Cache(t.t.)
Demo thit lp cache cho proxy
Qun l log v theo di traffic.

Mt trong nhng chc nng quan trng ca Firewall l:
Kh nng gim st (monitoring) Thng k (reporting) s kin xy ra trong h thng. Thit lp cnh bo (Alert) Ghi nhn nht k truy cp (logging)
Demo qun l v theo di traffic
Cu hi v gii p
Chapter 08
Frame Mode MPLS Implementation
Objectives
Describe the MPLS conceptual model with data and control planes, and describe the function of the MPLS label Describe how labels are allocated and distributed in a frame mode MPLS network, and describe how IP packets cross an MPLS network Describe the steps that are required to successfully implement MPLS Explain the evolution of MPLS VPNs, and describe MPLS VPN routing and packet flow
Table of Content
1 2 3 4
Introducing MPLS Networks Assigning MPLS Labels to Packets Implementing Frame Mode MPLS Describing MPLS VPN Technology
Lesson 01
Introducing MPLS Networks
Objectives
Identify the elements of the MPLS conceptual model Describe the router switching mechanisms Describe the MPLS data and control planes Identify the structure of an MPLS label and its format Explain the function of different types of LSRs in MPLS networks Explain the interactions between the control plane and the data plane in an LSR that enable the basic functions of label switching and forwarding of labeled packets to occur
The MPLS Conceptual Model
VPN Topologies
Basic MPLS Features
MPLS is a switching mechanism in which packets are forwarded based on labels. Labels usually correspond to IP destination networks (equal to traditional IP forwarding). Labels can also correspond to other parameters: Layer 3 VPN destination Layer 2 circuit Outgoing interface on the egress router QoS Source address MPLS was designed to support forwarding of non-IP protocols as well.
Basic MPLS Concepts Example
Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels.
Router Switching Mechanisms
Cisco IOS Platform Switching Mechanisms
The Cisco IOS platform supports three IP switching mechanisms:

Routing table-driven switchingprocess switching: Full lookup is performed at every packet Cache-driven switchingfast switching: Most recent destinations are entered in the cache First packet is always process-switched Topology-driven switching: CEF (prebuilt FIB table)
Standard IP Switching Review
CEF Switching Review
MPLS Architecture
Major Components of MPLS Architecture
Control plane: Exchanges routing information and labels Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP Exchanges labels, such as LDP, BGP, and RSVP Data plane: Forwards packets based on labels Has a simple forwarding engine
Control Plane Components Example
Information from control plane is sent to data plane.
MPLS Labels
MPLS Labels
MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol. MPLS uses a 32-bit label field that is inserted between Layer 2 and Layer 3 headers (frame mode MPLS). MPLS over ATM uses the ATM header as the label (cell mode MPLS).
Label Format
MPLS uses a 32-bit label field that contains this information:

20-bit label 3-bit experimental field 1-bit bottom-of-stack indicator 8-bit TTL field
Label Stack
Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header. Bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header. Receiving router uses the top label only.
Frame Mode MPLS
Label Switch Routers
Label Switch Routers
LSR primarily forwards labeled packets (swap label). Edge LSR: Labels IP packets (impose label) and forwards them into the MPLS domain Removes labels (pop label) and forwards IP packets out of the MPLS domain
LSR Component Architecture
Functions of LSRs
Component Control plane
Functions Exchanges routing information Exchanges labels
Data plane
Forwards packets (LSRs and edge LSRs)
Component Architecture of LSR
Component Architecture of Edge LSR
Summary
MPLS is a switching mechanism that uses labels to forward packets. The result of using labels is that only edge routers perform a routing lookup; all the core routers simply forward packets based on labels assigned at the edge. MPLS consists of two major components: control plane and data plane. MPLS uses a 32-bit label field that contains label, experimental field, bottom-of-stack indicator, and TTL field. LSR is a device that forwards packets primarily based on labels. Edge LSR is a device that labels packets or removes labels from packets. Exchange routing information and exchange labels are part of the control plane, while forward packets is part of the data plane.
Lesson 02
Assigning MPLS Labels to Packets
Objectives
Identify how label allocation is performed in a frame mode MPLS network Identify how labels are distributed in a frame mode MPLS network Explain how the LFIB table is populated Identify packet propagation across an MPLS network Describe how PHP improves MPLS performance by eliminating routing lookups on egress LSRs
Label Allocation in a Frame Mode MPLS Environment
Label Allocation in a Frame Mode MPLS Environment
Label allocation and distribution in a frame mode MPLS network follows these steps: 1. IP routing protocols build the IP routing table. 2. Each LSR assigns a label to every destination in the IP routing table independently. 3. LSRs announce their assigned labels to all other LSRs. 4. Every LSR builds its LIB, LFIB, and FIB data structures based on the received labels. Note: Label allocation, label imposing, label swapping, and label popping usually happen in the service provider network, not the customer (enterprise) network. Customer routers will never see a label.
Building the IP Routing Table
IP routing protocols are used to build IP routing tables on all LSRs. FIBs are built based on IP routing tables, initially with no labeling information.
Allocating Labels
Every LSR allocates a label for every destination in the IP routing table. Labels have local significance. Label allocations are asynchronous.
LIB and LFIB Setup
LIB and LFIB structures have to be initialized on the LSR allocating the label. Untagged action will remove the label from the frame and the router will send a pure IP packet.
Label Distribution and Advertisement
Label Distribution and Advertisement
The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.
Receiving Label Advertisement
Every LSR stores the received label in its LIB. Edge LSRs that receive the label from their next hop also store the label information in the FIB.
Interim Packet Propagation
Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.
Further Label Allocation
Every LSR will eventually assign a label for every destination.
Receiving Label Advertisement
Every LSR stores received information in its LIB. LSRs that receive their label from their next-hop LSR will also populate the IP forwarding table.
Populating the LFIB Table
Populating the LFIB Table
Router B has already assigned a label to network X and created an entry in the LFIB. The outgoing label is inserted in the LFIB after the label is received from the next-hop LSR.
Packet Propagation Across an MPLS Network
Packet Propagation Across an MPLS Network
Penultimate Hop Popping
Penultimate Hop Popping
PHP optimizes MPLS performance (one less LFIB lookup). The pop or implicit null label uses a reserved value when being advertised to a neighbor.
Before the Introduction of the PHP
Double lookup is not an optimal way of forwarding labeled packets. A label can be removed one hop earlier.
After the Introduction of the PHP
A label is removed on the router before the last hop within an MPLS domain.
Summary
Every LSR assigns a label for every destination in the IP routing table. Although labels are locally significant, they have to be advertised to directly reachable peers. Outgoing labels are inserted in the LFIB after the label is received from the next-hop LSR. Packets are forwarded using labels from the LFIB table rather than the IP routing table. PHP optimizes MPLS performance (one less LFIB lookup).
Lesson 03
Implementing Frame Mode MPLS
Objectives
Describe the procedure for configuring frame mode MPLS on a Cisco IOS router Enable IP CEF on a router as a step in implementing frame mode MPLS Enable MPLS on a frame mode interface as a step in implementing frame mode MPLS Configure the MTU size in label switching as a step in implementing frame mode MPLS
The Procedure to Configure MPLS
The Procedure to Configure MPLS
1.Configure CEF 2.Configure MPLS on a frame mode interface 3.(Optional) Configure the MTU size in label switching
Configuring IP CEF
Step 1: Configure CEF
1. Configure CEF: Start CEF switching to create the FIB table Enable CEF switching on all core interfaces 2. Configure MPLS on a frame mode interface 3. (Optional) Configure the MTU size in label switching
Step 1: Configure CEF (Cont.)

Router(config)#
ip cef [distributed]
Starts CEF switching and creates the FIB table The distributed keyword configures distributed CEF (running on VIP or line cards) All CEF-capable interfaces run CEF switching
Router(config-if)#
ip route-cache cef
Enables CEF switching on an interface Usually not needed
Monitoring IP CEF
Router#
show ip cef detail
Displays a summary of the FIB

Router#show ip cef detail IP CEF with switching (Table Version 6), flags=0x0 6 routes, 0 reresolve, 0 unresolved (0 old, 0 new) 9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations 0 load sharing elements, 0 bytes, 0 references 2 CEF resets, 0 revisions of existing leaves refcounts: 543 leaf, 544 node Adjacency Table has 4 adjacencies 0.0.0.0/32, version 0, receive 192.168.3.1/32, version 3, cached adjacency to Serial0/0.10 0 packets, 0 bytes tag information set local tag: 28 fast tag rewrite with Se0/0.10, point2point, tags imposed: {28} via 192.168.3.10, Serial0/0.10, 0 dependencies next hop 192.168.3.10, Serial0/0.10 valid cached adjacency tag rewrite with Se0/0.10, point2point, tags imposed: {28}
Configuring MPLS on a Frame Mode Interface
Step 2: Configure MPLS on a Frame Mode Interface
1. Configure CEF 2. Configure MPLS on a frame mode interface: Enable label switching on a frame mode interface Start LDP or TDP label distribution protocol 3. (Optional) Configure the MTU size in label switching
Step 2: Configure MPLS on a Frame Mode Interface (Cont.)

Router(config-if)#
mpls ip
Enables label switching on a frame mode interface Starts LDP on the interface
Router(config-if)#
mpls label protocol [tdp | ldp | both]
Starts selected label distribution protocol on the specified interface
Configuring MPLS on a Frame Mode Interface: Example 1
Configuring MPLS on a Frame Mode Interface: Example 2
Configuring the MTU Size in Label Switching
Step 3: Configure the MTU Size in Label Switching
1.Configure CEF 2.Configure MPLS on a frame mode interface 3.(Optional) Configure the MTU size in label switching: Increase MTU on LAN interfaces
Step 3: Configure the MTU Size in Label Switching (Cont.)

Router(config-if)#
mpls mtu bytes
Label switching increases the maximum MTU requirements on an interface, because of additional label header Interface MTU is automatically increased on WAN interfaces; IP MTU is automatically decreased on LAN interfaces Label-switching MTU can be increased on LAN interfaces (resulting in jumbo frames) to prevent IP fragmentation
Configuring Label Switching MTU: Example
Summary
MPLS configuration tasks include configuring IP CEF, tag switching, and setting MTU size. CEF is configured globally. Use the mpls ip command to enable MPLS on an interface level. To set MTU for labeled packets, use the mpls mtu interface configuration command.
Lesson 04
Describing MPLS VPN Technology
Objectives
Explain MPLS VPN architecture, and how it improves on the traditional methods of overlay and peer-to-peer VPN Describe the components of an MPLS VPN and how they are interconnected to enable enterprise network connectivity between sites Identify how routing information is propagated across the P-network Identify the end-to-end flow of routing updates in an MPLS VPN Describe MPLS VPN packet forwarding
Defining MPLS VPN
VPN Taxonomy (Phn loi)
VPN Models
VPN services can be offered based on two major models:

Overlay VPNs, in which the service provider provides virtual pointto-point links between customer sites Peer-to-peer VPNs, in which the service provider participates in the customer routing
Overlay VPNs: Frame Relay Example
Overlay VPNs: Layer 3 Routing
The service provider infrastructure appears as point-to-point links to customer routes. Routing protocols run directly between customer routers. The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.
Peer-to-Peer VPNs
Benefits of VPN Implementations
Overlay VPN: Well-known and easy to implement Service provider does not participate in customer routing Customer network and service provider network are well-isolated Peer-to-peer VPN: Guarantees optimum routing between customer sites Easier to provision an additional VPN Only sites are provisioned, not links between them
Drawbacks of VPN Implementations
Overlay VPN:
Implementing optimum routing requires a full mesh of VCs. VCs have to be provisioned manually. Bandwidth must be provisioned on a site-to-site basis. Overlay VPNs always incur encapsulation overhead (IPsec or GRE).
Peer-to-peer VPN:
The service provider participates in customer routing. The service provider becomes responsible for customer convergence. PE routers carry all routes from all customers. The service provider needs detailed IP routing knowledge.
Drawbacks of Peer-to-Peer VPNs
Shared PE router: All customers share the same (provider-assigned or public) address space. High maintenance costs are associated with packet filters. Performance is lowereach packet has to pass a packet filter. Dedicated PE router: All customers share the same address space. Each customer requires a dedicated router at each POP.
MPLS VPN Architecture
MPLS VPN Architecture
An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning. PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach). Customers can use overlapping addresses.
MPLS VPN Architecture: Terminology
PE Router Architecture
Propagation of Routing Information Across the P-Network
Propagation of Routing Information Across the P-Network
The number of customer routes can be very large; BGP is the only routing protocol that can scale to such a number. BGP is used to exchange customer routes directly between PE routers.
Route Distinguishers
Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol? Answer: Extend the customer addresses to make them unique. The 64-bit RD is prepended to an IPv4 address to make it globally unique. The resulting address is a VPNv4 address. VPNv4 addresses are exchanged between PE routers via BGP. BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MPBGP).
Route Distinguishers (Cont.)
Route Distinguishers (Cont.)
Usage of RDs in an MPLS VPN
The RD has no special meaning. The RD is used only to make potentially overlapping IPv4 addresses globally unique. This design cannot support all topologies required by the customer.
VoIP Service Example
Requirements:
All sites of one customer need to communicate. Central sites of both customers need to communicate with VoIP gateways and other central sites. Other sites from different customers do not communicate with each other.
VoIP Service Example: Connectivity Requirements
Route Targets
Some sites have to participate in more than one VPN. The RD cannot identify participation in more than one VPN. RTs were introduced in the MPLS VPN architecture to support complex VPN topologies. RTs are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.
How Do RTs Work?
Export RTs: Identify VPN membership Append to the customer route when it is converted into a VPNv4 route Import RTs: Associate with each virtual routing table Select routes inserted into the virtual routing table
End-to-End Routing Information Flow
MPLS VPN Routing Requirements
CE routers have to run standard IP routing software. PE routers have to support MPLS VPN services and Internet routing. P routers have no VPN routes.
MPLS VPN Routing: CE Router Perspective
The CE routers run standard IP routing software and exchange routing updates with the PE router. The PE router appears as another router in the C-network.
PE-CE Routing Protocols
PE-CE routing protocols are configured for individual VRFs. Supported protocols include BGP, OSPF, static, RIP, and EIGRP. Routing configuration on the CE router has no VRF information.
MPLS VPN Routing: Overall Customer Perspective
To the customer, the PE routers appear as core routers connected via a BGP backbone. The usual BGP and IGP design rules apply. The P routers are hidden from the customer.
MPLS VPN Routing: P Router Perspective
P routers perform as follows:

Do not participate in MPLS VPN routing and do not carry VPN routes. Run backbone IGP with the PE routers and exchange information about global subnetworks (core links and loopbacks).
MPLS VPN Routing: PE Router Perspective
PE routers exchange the following:

VPN routes with CE routers via per-VPN routing protocols Core routes with P routers and PE routers via core IGP VPNv4 routes with other PE routers via MPBGP sessions
End-to-End Routing Information Flow
MPLS VPNs and Packet Forwarding
MPLS VPNs and Packet Forwarding
The PE routers will label the VPN packets with a label stack, as follows:
Using the LDP label for the egress PE router as the top label Using the VPN label assigned by the egress PE router as the second label in the stack
VPN PHP
PHP on the LDP label can be performed on the last P router. The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup. IP lookup is performed only oncein the ingress PE router.
Summary
There are two major VPN paradigms: overlay VPN and peer-to-peer VPN. MPLS VPN architecture combines the best features of the overlay and peer-to-peer VPN models. BGP is used to exchange customer routes between PE routers. Routes are transported using IGP (internal core routes), BGP IPv4 (core Internet routes), and BGP VPNv4 (PE-to-PE VPN routes). PE routers forward packets across the MPLS VPN backbone using label stacking.

Mang May Tinh NC - Slides - 2

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Mang May Tinh NC - Slides - 2

Enviado por

Direitos autorais:

Formatos disponíveis

KHOA CNG NGH THNG TIN, HUTECH B mn Mng & Truyn thng My tnh

MNG MY TNH NNG CAO

Skill: network administrating

Ti liu tham kho

Network administrating references

Grading and Schedule

Final exams (50% total)

Class participation (10%)

Chapter 1: Suite of TCP/IP Protocols

Suite of TCP/IP Protocols

Chapter 1 : Suite of TCP/IP Protocols

Lesson 1: OSI Model

What is the OSI Model ?

Lesson 1: OSI Model

OSI reference Model

In the OSI model:

Lesson 1: OSI Model

The physical layer

Lesson 1: TCP/IP Protocol Suite

Lesson 1: OSI Model

The network layer

Lesson 1: OSI Model

The transport layer

Lesson 1: OSI Model

The session layer

Lesson 1: TCP/IP Protocol Suite

Lesson 1: OSI Model

The application layer

Lesson 1: OSI Model

Encapsulation example: E-mail

Lesson 2: TCP/IP Protocol Suite

TCP/IP is really a family of protocols referred to as the Internet Protocol Suite

Lesson 2: TCP/IP Protocol Suite

TCP/IP Protocol Suite HTTP FTP RIP SMTP SNMP

Lesson 2: TCP/IP Protocol Suite

Lesson 2: TCP/IP Protocol Suite

Lesson 2: TCP/IP Protocol Suite

Lesson 2: TCP/IP Protocol Suite

Lesson 2: TCP/IP Protocol Suite

Lesson 2: TCP/IP Protocol Suite

7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 Data-Link 1 Physical

Lesson 3: Basic Commands

Ping: Used to verify reachability of intended destinations using ICMP Echo

Pathping: Used to discover the path between a host and destination or to

Lesson 3: Basic Commands

Lesson 3: Basic Commands

Lesson 3: Basic Commands

Lesson 3: Basic Commands

Lesson 4: Using Network Monitor

Lesson 4: Using Network Monitor

Lesson 4: Using Network Monitor

Lesson 4: Using Network Monitor

Lesson 4: Using Network Monitor

Examining Captured Network Traffic

Lesson 4: Using Network Monitor

Examining Captured Network Traffic

Chapter 1: Resolving Names

Chapter 1: Resolving Names

Lesson 1: Name Resolution Process

Lesson 1: Name Resolution Process

Lesson 1: Name Resolution Process

What are Host Names ?