
Faculty of Information Technology, HUTECH. Department of Computer Networks & Communications

ADVANCED COMPUTER NETWORKS


Dr. Nguyen Van Mui
nv.mui@hutech.edu.vn

Academic year 2013-2014

COURSE CONTENT
Knowledge
- Chapter 1: TCP/IP, Name Resolving
- Chapter 2: Domain Name System
- Chapter 3: Routing & Remote Access
- Chapter 4: DHCP & FTP
- Chapter 5: Email Service
- Chapter 6: WEB Service
- Chapter 7: Firewalls
- Chapter 8: MPLS & Border Gateway Protocol

Skill: network administration

References


Required textbook
Networking textbooks:
- Computer Networking: A Top-Down Approach Featuring the Internet (5th edition), by Kurose and Ross
- Computer Networking: A Top-Down Approach (6th edition), by Kurose and Ross

Network administration references:
- TCP/IP Illustrated, Volume 1: The Protocols, by Stevens
- Windows Server 2003 Network Infrastructure: Implementation, Management, and Maintenance
- CCNP-ISCW, Volume 1 & 2

Grading and Schedule

Four assignments (10% each)
- 95% if 3 hours late, 70% if 2 days late, 50% if more than 3 days late
- One free late day during the semester
- Must complete all assignments to pass

Final exams (50% total)
- Midterm exam before spring break (25%)
- Final exam during the exam period (25%)

Class participation (10%)
- In lecture and precept
- In the forums

Chapter 1: Suite of TCP/IP Protocols


Lessons

- Lesson 1: OSI Model
- Lesson 2: TCP/IP Protocol Suite
- Lesson 3: Basic Commands
- Lesson 4: Using Network Monitor

Lesson 1: OSI Model

What is the OSI Model?

- A framework within which networking standards can be developed.
- It provided vendors with a set of standards that ensured greater compatibility and interoperability between the various types of network technologies.
- Researched and developed by the ISO (International Organization for Standardization).
- 1977: a subcommittee is established to develop a communications architecture.
- 1984: ISO 7498, the Open Systems Interconnection (OSI) reference model, is published.

Lesson 1: OSI Model

OSI reference model

The seven layers, from top to bottom:
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data-Link
1 Physical

In the OSI model:
- Each layer has a defined networking function
- Each layer communicates with the layer above and below it
- Layer seven provides services for programs to gain access to the network
- Layers one and two define the network's physical media and related tasks

Lesson 1: OSI Model

The physical layer

Transmission of an unstructured bit stream over a physical link between end systems:
- Electrical and mechanical specifications
- Physical data rate
- Distances
- Physical connector

Lesson 1: OSI Model


The data-link layer

Provides for the reliable transfer of data across a physical link:
- Frames
- Physical address
- Network topology
- Synchronization
- Error control
- Flow control

Lesson 1: OSI Model

The network layer

Provides connectivity and path selection between two host systems that may be located on geographically separated networks:
- Packets
- Virtual circuits
- Route, routing table, routing protocol
- Logical address
- Fragmentation

Lesson 1: OSI Model

The transport layer

Provides reliable, transparent transfer of data over networks:
- Segments, data stream, datagram
- Connection-oriented and connectionless
- End-to-end flow control
- Error detection and recovery
- Segmentation & reassembly

Lesson 1: OSI Model

The session layer

Establishes, manages, and terminates sessions between two communicating hosts:
- Sessions
- Dialog
- Conversations
- Data exchange

Lesson 1: OSI Model


The presentation layer

Ensures that the information that the application layer of one system sends out is readable by the application layer of another system:
- Format of data
- Data structure
- Data conversion
- Data compression
- Data encryption

Lesson 1: OSI Model

The application layer

Is the OSI layer that is closest to the user; it provides network services to the user's applications:
- File transfer
- Electronic mail
- Terminal access
- Word processing
- Intended communication partners

Lesson 1: OSI Model

Encapsulation example: E-mail

Lesson 2: TCP/IP Protocol Suite


TCP/IP Protocol Suite

Originally developed by the Defense Advanced Research Projects Agency (DARPA) to interconnect various Department of Defense computer networks.

TCP/IP is really a family of protocols, referred to as the Internet Protocol Suite.

Lesson 2: TCP/IP Protocol Suite


How the TCP/IP model relates to the OSI model

OSI layer                          | TCP/IP layer | TCP/IP protocol suite
-----------------------------------|--------------|----------------------------------------
Application, Presentation, Session | Application  | HTTP, FTP, SMTP, SNMP, DNS, RIP
Transport                          | Transport    | TCP, UDP
Network                            | Internet     | IP, ICMP, IGMP, ARP
Data-Link, Physical                | Link         | Ethernet, Token Ring, Frame Relay, ATM

Lesson 2: TCP/IP Protocol Suite


IP: Internet Protocol
- Provides addressing at the network layer
- Provides fragmentation and reassembly of packets

Lesson 2: TCP/IP Protocol Suite


TCP: Transmission Control Protocol
TCP provides guaranteed delivery by establishing a virtual circuit between sender and receiver; this virtual circuit is called a socket.

Lesson 2: TCP/IP Protocol Suite


Internet Protocol (TCP/IP) Properties

Lesson 2: TCP/IP Protocol Suite


Viewing IP Configuration

Lesson 2: TCP/IP Protocol Suite


How an IP Packet Moves Through the Suite of TCP/IP Protocols
The four layers of the TCP/IP protocol suite: Application, Transport, Internet, Link

Lesson 2: TCP/IP Protocol Suite


Practice: Protocols and Layers of the TCP/IP Model
In this practice, you will associate the protocols with the layers of the TCP/IP model.

OSI layers for reference: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data-Link, 1 Physical

Lesson 3: Basic Commands


Basic Commands

- Ping: Used to verify reachability of intended destinations using ICMP Echo messages.
- Ipconfig: ipconfig, ipconfig /all, ipconfig /displaydns, ipconfig /displaydns | more
- Route: Used to view and modify the entries in the routing table.
- Tracert: Used to send ICMP Echo messages to discover the path between a host and a destination node.
- Pathping: Used to discover the path between a host and a destination, or to identify high-loss links.

Lesson 3: Basic Commands


What is Ping?
You can run Ping from a client computer to test the connection to any host, such as a router or a server:
1. The client computer sends an Echo Request to the server
2. The server sends an Echo Reply back to the client computer
3. You check the details of the Echo Reply to determine the quality of the connection

Lesson 3: Basic Commands


Ipconfig /all Ipconfig /displaydns

Lesson 3: Basic Commands


Route print

Lesson 3: Basic Commands


Tracert & Pathping

Lesson 4: Using Network Monitor


Microsoft Network Monitor

Network Monitor:
- Captures a sample of network traffic
- Uses filters to select specific packets
- Decodes the packets in the language of the individual protocols
- Compiles network statistics

Lesson 4: Using Network Monitor


How to install Microsoft Network Monitor

Lesson 4: Using Network Monitor


Microsoft Network Monitor

Lesson 4: Using Network Monitor


How to capture frames

Lesson 4: Using Network Monitor

Examining Captured Network Traffic


Chapter 1: Resolving Names


Lessons

- Lesson 1: Name Resolution Process
- Lesson 2: Managing the ARP Cache
- Lesson 3: NETBIOS Name
- Lesson 4: Configuring NetBIOS Name Resolution
- Lesson 5: Configuring Host Name Resolution
- Lesson 6: Static Name Resolution
- Lesson 7: Dynamic Name Resolution

Lesson 1: Name Resolution Process

IP names
IP addresses might be fine for computers, but humans prefer to use names. For example, http://www.vnn.vn rather than http://203.162.168.130. This is accomplished with either host lookup tables on each machine or a Domain Name Server (DNS).

Lesson 1: Name Resolution Process

Overview
- Explain what a host name is
- Explain what a NetBIOS name is

(Figure: DNS server Corp01.contoso.msft at 192.168.2.102; a client at 192.168.0.5 and Payroll.contoso.msft at 192.168.1.5)

Lesson 1: Name Resolution Process

What are Host Names?

A host name is the DNS name of a device on a network that is used to locate computers on the network.

Examples (figure: the DNS tree Root > msft > nwtraders > training):
- Host name Server1 with DNS suffix nwtraders.msft gives the FQDN server1.nwtraders.msft. (Server1 = 192.168.0.66)
- Host name Server1 with DNS suffix training.nwtraders.msft gives the FQDN server1.training.nwtraders.msft. (Server1 = 192.168.0.67)

Lesson 1: Name Resolution Process

What are Host Names?

- A host name can exist as a single-part name, or it can be used with a suffix to create the identifier for a resource on a TCP/IP network.
- The suffix is essential to the host name, because it allows two identical host names to exist on the network without conflict.
- A host name and suffix are known together as the Fully Qualified Domain Name (FQDN).
- A fully qualified domain name (FQDN) is a DNS domain name that has been stated unambiguously to indicate with absolute certainty its location in the domain namespace tree.

Lesson 1: Name Resolution Process

How Names Are Mapped to IP Addresses

(Figure: a client asks the name resolution service "Where is Computer44?" (1); the service answers with 192.168.1.200 (2); the client then contacts Computer44 (3))

Lesson 1: Name Resolution Process

How to View Host Names on a Client

- View host names and DNS suffixes by using the Ipconfig utility
- View host names by using the Hostname utility
- View host names by using System Properties
- Rename a computer

Lesson 2: Managing the ARP Cache

Managing the ARP Cache

- Static and Dynamic ARP Cache Entries
- How ARP Resolves IP Addresses to MAC Addresses
- Using the ARP Tool to Manage the ARP Cache

Lesson 2: Managing the ARP Cache

Address Resolution Protocol (ARP)

Lesson 2: Managing the ARP Cache

Static and Dynamic ARP Cache Entries

An ARP cache:
- The cache is a table of recently resolved IP addresses and their corresponding MAC addresses
- TCP/IP checks the ARP cache before sending an ARP request
- To view the cache, type arp -a at the command prompt

Static cache entries:
- Have no time-out value
- Must be added manually
- Must be updated manually

Dynamic cache entries:
- Have a time-out value
- Are removed after the specified time

Lesson 2: Managing the ARP Cache

How ARP Resolves IP Addresses to MAC Addresses

(Figure: ComputerA resolves ComputerB's address on a segment shared with ComputerC)
1. ARP cache is checked
2. ARP request is sent
3. ARP entry is added
4. ARP reply is sent
5. ARP entry is added
6. IP packet is sent
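An added example (not part of the course material) that models the two entry types from the previous slide and the six-step exchange above: ArpCache, Host, the host names, addresses and the 120-second time-out are all constructed for illustration.

```python
# Added example (not from the course): an ARP cache with static and dynamic
# entries, and the six-step resolution sequence from the slide (cache check,
# request, entry added on the target, reply, entry added on the sender, IP
# packet sent). Hosts, addresses and the 120-second time-out are constructed.


class ArpCache:
    def __init__(self, timeout=120.0):
        self.timeout = timeout   # seconds a dynamic entry stays valid
        self.entries = {}        # ip -> (mac, expiry); expiry None = static

    def add_static(self, ip, mac):
        # Static entries have no time-out; they are added and updated by hand.
        self.entries[ip] = (mac, None)

    def add_dynamic(self, ip, mac, now):
        # Dynamic entries carry a time-out and are dropped once it passes.
        self.entries[ip] = (mac, now + self.timeout)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry is not None and now >= expiry:
            del self.entries[ip]  # expired dynamic entry is removed
            return None
        return mac

    def table(self, now):
        """Rows in the spirit of 'arp -a': (ip, mac, 'static' or 'dynamic')."""
        return [(ip, mac, "static" if exp is None else "dynamic")
                for ip, (mac, exp) in self.entries.items()
                if exp is None or now < exp]


class Host:
    def __init__(self, name, ip, mac, segment):
        self.name, self.ip, self.mac = name, ip, mac
        self.cache = ArpCache()
        self.segment = segment   # list shared by every host on the same LAN
        self.log = []
        segment.append(self)

    def send_ip_packet(self, dst_ip, now):
        """Return the destination MAC used to frame the packet, or None."""
        # Step 1: the ARP cache is checked before any request goes out.
        mac = self.cache.lookup(dst_ip, now)
        if mac is None:
            # Step 2: an ARP request is broadcast to every host on the segment.
            self.log.append(f"{self.name}: ARP request, who has {dst_ip}?")
            replies = [h.on_arp_request(self, dst_ip, now)
                       for h in self.segment if h is not self]
            replies = [r for r in replies if r is not None]
            if not replies:
                self.log.append(f"{self.name}: no ARP reply for {dst_ip}")
                return None
            mac = replies[0]
            # Step 5: the sender adds the answered mapping to its own cache.
            self.cache.add_dynamic(dst_ip, mac, now)
        # Step 6: the IP packet is framed with the destination MAC and sent.
        self.log.append(f"{self.name}: IP packet to {dst_ip} via {mac}")
        return mac

    def on_arp_request(self, sender, target_ip, now):
        if target_ip != self.ip:
            return None          # request is for another host; ignore it
        # Step 3: the target learns the requester's mapping from the request.
        self.cache.add_dynamic(sender.ip, sender.mac, now)
        # Step 4: the target unicasts an ARP reply carrying its MAC.
        self.log.append(f"{self.name}: ARP reply to {sender.ip}")
        return self.mac


if __name__ == "__main__":
    lan = []
    a = Host("ComputerA", "192.168.0.1", "00:11:22:33:44:01", lan)
    Host("ComputerB", "192.168.0.2", "00:11:22:33:44:02", lan)
    Host("ComputerC", "192.168.0.3", "00:11:22:33:44:03", lan)
    a.send_ip_packet("192.168.0.2", now=0.0)   # full six-step exchange
    a.send_ip_packet("192.168.0.2", now=5.0)   # answered from the cache
    print("\n".join(a.log))
    print(a.cache.table(5.0))
```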

Lesson 2: Managing the ARP Cache

Using the ARP Tool to Manage the ARP Cache

Lesson 3: NETBIOS Name

Overview
- The Types of Names Computers Use
- What Is NetBIOS?
- What Is a NetBIOS Name?
- What Is NetBT?
- Types of NetBT Nodes
- What Is Nbtstat?

Lesson 3: NETBIOS Name

The Types of Names Computers Use

Name          | Description
--------------|---------------------------------------------------------------------------
NetBIOS names | 16-byte address; can represent a single computer or a group of computers; 15 characters are used for the name; the 16th character is used by the services that a computer offers to the network
Host names    | Assigned to a computer's IP address; up to 255 characters in length; can contain alphabetic and numeric characters, hyphens, and periods; can take various forms (alias, domain name)

Lesson 3: NETBIOS Name

What is NetBIOS?

(Figure: NetBIOS applications sit above the NetBIOS interface, which maps onto the TCP/IP transport and internet layers; the OSI Application, Presentation and Session layers correspond to the TCP/IP Application layer, with Transport, Internet and Link below)

NetBIOS:
- Is an API
- Operates at the session and transport layers of the OSI protocol stack
- Establishes names, sessions and data transfer

Lesson 3: NETBIOS Name

What is a NetBIOS Name?

A NetBIOS name is an identifier used by NetBIOS services running on a computer. It is made up of a 15-character name plus a 16th character (1 byte) denoting the service.

NetBIOS name | 16th character | Service     | IP address
-------------|----------------|-------------|-------------
Server2      | 00             | Workstation | 192.168.0.39
Server2      | 20             | Server      | 192.168.0.39
Server2      | 01             | Messenger   | 192.168.0.39

Lesson 3: NETBIOS Name

NetBIOS Name

(Figure: Payroll <00>, Payroll <20>, Corp1 <00>, Corp1 <20>)

- 16-byte name
- The 16th character is a 1-byte hexadecimal identifier
- Used for the name of a computer or the name of a service running on the computer

Lesson 3: NETBIOS Name

What is NetBT?

(Figure: NetBIOS applications use the NetBIOS interface; NetBT sits between that interface and TCP/IP at the transport and internet layers)

NetBT (NetBIOS over TCP/IP):
- Runs on top of the TCP/IP network protocol
- Supports discovery, registration and release of NetBIOS names
- Uses broadcast or a NetBIOS name server, depending on node type

Lesson 3: NETBIOS Name

NetBIOS Name Resolution Process

(Figure: the client consults, in order, the NetBIOS name cache, WINS, a broadcast and the Lmhosts file to answer "What is the IP address for Salescomputer2?", and receives 192.168.1.35)

NetBIOS name resolution is the process of mapping a NetBIOS name to an IP address.

Lesson 3: NETBIOS Name

Types of NetBT Nodes

NetBT node type           | Behaviour
--------------------------|------------------------------------------------------------------
B-node (broadcast)        | Uses NetBIOS broadcast name queries
P-node (peer-to-peer)     | Uses a NetBIOS Name Server (NBNS or WINS)
M-node (mixed)            | A combination of B-node and P-node; uses broadcast first by default
H-node (hybrid)           | A combination of B-node and P-node; uses NBNS first by default
Microsoft enhanced B-node | Uses the Lmhosts file

Lesson 3: NETBIOS Name

What is Nbtstat?

Use nbtstat to:
- Check the state of current NetBT connections
- Update the Lmhosts cache
- Determine the registered name of a client

Lesson 4: Configuring NetBIOS Name Resolution

Overview
- NetBIOS Name Resolution Process
- NetBIOS Name Cache
- How to View and Release the NetBIOS Name Cache
- Broadcasts
- Lmhosts File

Lesson 4: Configuring NetBIOS Name Resolution

NetBIOS Name Resolution Process

(Figure: the client resolver cache, DNS, the Hosts file, the NetBIOS name cache, WINS, a broadcast and the Lmhosts file, consulted for "What is the IP address for Salescomputer2?", returning 192.168.1.35)

NetBIOS name resolution is the process of mapping a NetBIOS name to an IP address.

Lesson 4: Configuring NetBIOS Name Resolution

NetBIOS Name Resolution Process

The NetBIOS name resolution process is configurable. The default order, in which the client is configured to query a WINS server and to use Lmhosts lookup, is as follows:

1. NetBIOS name cache
2. WINS server
3. Broadcast sent to the local network
4. Local Lmhosts file
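An added example (not part of the course material) that drives the lookup order from the node-type table and the default order above. The name sources are constructed dictionaries standing in for the NetBIOS name cache, the WINS server, a subnet broadcast and the Lmhosts file; the names, addresses, NODE_ORDER table and the 192.168.1.0/24 local subnet are assumptions made for illustration.

```python
# Added example (not from the course): NetBIOS name resolution driven by the
# NetBT node type. The H-node order follows the slide's default list (cache,
# WINS, broadcast, Lmhosts); the other orders follow the node-type table.
import ipaddress

# Order in which each node type consults its sources.
NODE_ORDER = {
    "B-node": ["cache", "broadcast"],
    "P-node": ["cache", "wins"],
    "M-node": ["cache", "broadcast", "wins"],
    "H-node": ["cache", "wins", "broadcast", "lmhosts"],
    "Enhanced B-node": ["cache", "broadcast", "lmhosts"],
}


def netbios_name(name, suffix=0x20):
    """16-byte NetBIOS name: 15 characters padded with spaces plus the
    1-byte service suffix (00 = Workstation, 20 = Server)."""
    if not name or len(name) > 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


def display_name(raw):
    """nbtstat-style rendering of a 16-byte name, e.g. 'PAYROLL <20>'."""
    return f"{raw[:15].decode('ascii').rstrip()} <{raw[15]:02X}>"


class NetbtResolver:
    def __init__(self, node_type, sources, local_subnet):
        if node_type not in NODE_ORDER:
            raise ValueError(f"unknown node type {node_type}")
        self.node_type = node_type
        self.sources = sources                 # source name -> {raw name: ip}
        self.subnet = ipaddress.ip_network(local_subnet)
        self.trace = []                        # (source, result) per attempt

    def _query(self, source, key):
        ip = self.sources.get(source, {}).get(key)
        # A broadcast does not pass through the router: a host on another
        # subnet never hears it, so it cannot answer.
        if source == "broadcast" and ip and ipaddress.ip_address(ip) not in self.subnet:
            return None
        return ip

    def resolve(self, name, suffix=0x20):
        """Return the IP for name<suffix>, or None; self.trace shows the path."""
        key = netbios_name(name, suffix)
        self.trace = []
        for source in NODE_ORDER[self.node_type]:
            ip = self._query(source, key)
            self.trace.append((source, ip))
            if ip is not None:
                if source != "cache":
                    # A successful resolution is added to the NetBIOS name cache.
                    self.sources.setdefault("cache", {})[key] = ip
                return ip
        return None


def make_sources():
    """Constructed name sources: what each lookup method would return."""
    return {
        "cache": {},
        "wins": {netbios_name("Payroll"): "192.168.2.50"},
        # hosts that would answer a broadcast; london sits behind the router
        "broadcast": {netbios_name("Salescomputer2"): "192.168.1.35",
                      netbios_name("london"): "192.168.2.200"},
        "lmhosts": {netbios_name("london"): "192.168.2.200"},
    }


if __name__ == "__main__":
    for node_type in NODE_ORDER:
        r = NetbtResolver(node_type, make_sources(), "192.168.1.0/24")
        for target in ("Salescomputer2", "Payroll", "london"):
            ip = r.resolve(target)
            print(f"{node_type:16} {display_name(netbios_name(target)):22} "
                  f"-> {ip} via {[s for s, _ in r.trace]}")
```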

Lesson 4: Configuring NetBIOS Name Resolution

NetBIOS Name Cache

A NetBIOS name cache is a location in memory that stores NetBIOS names that have recently been resolved to IP addresses, whether through a WINS server, broadcast, or Lmhosts file.

(Figure: Computer1's NetBIOS name cache is filled with names resolved from broadcasts, from the WINS server and from the Lmhosts file)

Lesson 4: Configuring NetBIOS Name Resolution

NetBIOS Name Cache


The purpose of a NetBIOS name cache is:
- The first place that the NetBIOS redirector searches for an IP address to map a NetBIOS name
- Resolves IP addresses more quickly than a WINS server, broadcast, or Lmhosts file
- Does not create network traffic

Lesson 4: Configuring NetBIOS Name Resolution

How to View and Release the NetBIOS Name Cache

- View the contents of the local computer's NetBIOS name cache
- Release the NetBIOS name cache and reload the #PRE-tagged entries in the local Lmhosts file
- Display and view the NetBIOS name table of the local computer

Lesson 4: Configuring NetBIOS Name Resolution

Broadcasts
Local broadcasts are network messages, sent from a single computer, that are distributed to all other devices on the same segment of the network as the sending computer.

(Figure: the NetBIOS redirector's broadcast (1) is answered on the local segment, but fails (2) for a resource behind the router)

- The NetBIOS redirector sends out a local broadcast
- If the resource is on the local network, the broadcast is answered and an IP address is returned
- If the resource is on a remote network, the broadcast will not pass through the router

Lesson 4: Configuring NetBIOS Name Resolution

Lmhosts File
An Lmhosts file is a local text file that maps NetBIOS names to IP addresses for hosts that are not located on the local subnet.

Sample Lmhosts file (as shown on the slide):
  # Copyright (c) 1993-1999 Microsoft Corp.
  #
  # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
  #
  # This file contains the mappings of IP addresses to computernames
  # (NetBIOS) names. Each entry should be kept on an individual line.
  # The IP address should be placed in the first column followed by the
  # corresponding computername. The address and the computername
  # should be separated by at least one space or tab. The "#" character
  # is generally used to denote the start of a comment (see the exceptions
  # below).
  #
  # The following example illustrates all of these extensions:
  #
  # 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
  # 102.54.94.102    "appname  \0x14"                    #special app server
  # 102.54.94.123    popular       #PRE                  #source server
  # 102.54.94.117    localsrv      #PRE                  #needed for the include
  #
  # #BEGIN_ALTERNATE
  # #INCLUDE \\localsrv\public\lmhosts
  # #INCLUDE \\rhino\public\lmhosts
  # #END_ALTERNATE

(Figure: Computer1 reads the Lmhosts file)

Lesson 5: Configuring Host Name Resolution

Overview
- The Host Name Resolution Process
- Client Resolver Cache
- How to View and Flush the Client Resolver Cache
- Hosts File
- How to Preload the Client Resolver Cache by Using a Hosts File

Lesson 5: Configuring Host Name Resolution

The Host Name Resolution Process

(Figure: the client resolver cache, DNS, the Hosts file, the NetBIOS name cache, WINS, a broadcast and the Lmhosts file, consulted for "What is the IP address for Salescomputer2?", returning 192.168.1.35)

Host name resolution is the process of resolving a host name to an IP address.

Lesson 5: Configuring Host Name Resolution

Client Resolver Cache

The client resolver cache is a location in memory that stores host names that have recently been resolved to IP addresses. It also stores host name-to-IP address mappings loaded from the Hosts file.

(Figure: Computer1's client resolver cache is filled from the Hosts file and from host names resolved by the DNS server)

Lesson 5: Configuring Host Name Resolution

How to View and Flush the Client Resolver Cache

- Display the client resolver cache by using the Ipconfig command
- Flush the client resolver cache by using the Ipconfig command

Lesson 5: Configuring Host Name Resolution

Hosts File
The Hosts file is a static file that is maintained on the local computer and that is used to load host name-to-IP address mappings into the client resolver cache.

Sample Hosts file (as shown on the slide):
  # Copyright (c) 1993-1999 Microsoft Corp.
  #
  # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  #
  # This file contains the mappings of IP addresses to host names. Each
  # entry should be kept on an individual line. The IP address should
  # be placed in the first column followed by the corresponding host name.
  # The IP address and the host name should be separated by at least one
  # space.
  #
  # Additionally, comments (such as these) may be inserted on individual
  # lines or following the machine name denoted by a '#' symbol.
  #
  # For example:
  #
  #      102.54.94.97     rhino.acme.com          # source server
  #       38.25.63.10     x.acme.com              # x client host
  127.0.0.1       localhost

(Figure: Computer1 reads the Hosts file)

Lesson 6: Static Name Resolution

Overview
- Using an Lmhosts File
- Guidelines for Configuring a Client to Use Lmhosts
- Using a Hosts File

Lesson 6: Static Name Resolution

Using an Lmhosts File

Add an entry to the client Lmhosts file:
  127.0.0.1      localhost
  131.107.34.1   router
  192.168.2.200  london

(Figure: the client asks "What is the IP address for london?" (1) and the Lmhosts file answers 192.168.2.200)

Lesson 6: Static Name Resolution

Guidelines for Configuring a Client to Use Lmhosts

Guidelines:
- An entry consists of the IP address, one space or tab, and the NetBIOS name
- Each entry must be on a separate line; use a carriage return after the final entry
- NetBIOS names can contain uppercase, lowercase and special characters
- Entries can represent all versions of Windows
- # marks the start of a comment or a keyword

Lesson 6: Static Name Resolution

Using a Hosts File

Add an entry to the client Hosts file:
  127.0.0.1      localhost
  131.107.34.1   router
  172.30.45.121  server1.central.microsoft.com s1

(Figure: the client asks "What is the IP address for s1?" (1) and the Hosts file answers 172.30.45.121)
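An added example (not part of the course material) that parses the two static-resolution formats covered in Lessons 4 to 6: the Hosts file (IP first, then the host name and any aliases, '#' starting a comment) and the Lmhosts file (with its #PRE and #DOM: keywords, directive lines such as #INCLUDE, and the quoted "appname \0x14" form that sets the 16th byte). The sample file contents, the function names and the #PRE preload step are constructed from the slide examples.

```python
# Added example (not from the course): parser for the Hosts and Lmhosts
# formats shown in the slides. Sample contents are constructed from the
# slide examples (rhino, appname, popular, london, s1).
import ipaddress
import re

QUOTED_NAME = re.compile(r'"([^"\\]*)(?:\\0x([0-9A-Fa-f]{2}))?"')


def _split_comment(line):
    """Split at the first '#' outside double quotes -> (mapping, comment)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""


def parse_hosts(text):
    """Hosts file -> {host name or alias (lower case): IP address}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        mapping, _ = _split_comment(raw)
        fields = mapping.split()
        if not fields:
            continue                            # blank or comment-only line
        if len(fields) < 2:
            raise ValueError(f"Hosts line {lineno}: expected IP and host name")
        ip = str(ipaddress.ip_address(fields[0]))  # rejects malformed IPs
        for name in fields[1:]:                 # every alias maps to the IP
            table[name.lower()] = ip
    return table


def parse_lmhosts(text):
    """Lmhosts file -> list of entries: ip, name (15 chars, upper case),
    suffix (16th byte or None), pre (#PRE) and domain (#DOM:)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                            # comment or directive line
        mapping, comment = _split_comment(stripped)
        fields = mapping.split(None, 1)
        if len(fields) < 2 or not fields[1].strip():
            raise ValueError(f"Lmhosts line {lineno}: expected IP and NetBIOS name")
        ip = str(ipaddress.ip_address(fields[0]))
        name_field = fields[1].strip()
        suffix = None
        if name_field.startswith('"'):          # "name padded to 15 \0xHH"
            m = QUOTED_NAME.fullmatch(name_field)
            if m is None:
                raise ValueError(f"Lmhosts line {lineno}: bad quoted name")
            name = m.group(1)
            if m.group(2) is not None:
                suffix = int(m.group(2), 16)
        else:
            name = name_field.split()[0]
        name = name.rstrip().upper()
        if not name or len(name) > 15:
            raise ValueError(f"Lmhosts line {lineno}: NetBIOS names are 1-15 chars")
        entry = {"ip": ip, "name": name.ljust(15), "suffix": suffix,
                 "pre": False, "domain": None}
        # Keywords are the first word of each '#'-separated part of the comment.
        for segment in comment.split("#"):
            words = segment.split()
            if not words:
                continue
            if words[0].upper() == "PRE":
                entry["pre"] = True
            elif words[0].upper().startswith("DOM:"):
                entry["domain"] = words[0][4:]
        entries.append(entry)
    return entries


def lookup_lmhosts(entries, name):
    """IP for a NetBIOS name (case-insensitive), or None."""
    key = name.upper().ljust(15)
    return next((e["ip"] for e in entries if e["name"] == key), None)


def preload_cache(entries):
    """Names tagged #PRE are loaded into the NetBIOS name cache at start-up."""
    return {e["name"].rstrip(): e["ip"] for e in entries if e["pre"]}


# Constructed samples based on the slide examples.
SAMPLE_HOSTS = """\
# 102.54.94.97     rhino.acme.com          # source server (commented out)
127.0.0.1       localhost
131.107.34.1    router
172.30.45.121   server1.central.microsoft.com s1   # s1 is an alias
"""

SAMPLE_LMHOSTS = r"""
102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \0x14"              #special app server
102.54.94.123    popular       #PRE                  #source server
192.168.2.200    london
#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#END_ALTERNATE
"""
```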

Lesson 7: Dynamic Name Resolution

Overview
- What Is WINS?
- What Is DNS?
- The DNS Suffix

Lesson 7: Dynamic Name Resolution

What is WINS?

(Figure: Payroll registers its NetBIOS name with the WINS server: registration query (1), check whether the name is in use (2), OK (3))

- The client queries a WINS server
- The WINS server determines whether the name is in use or not
- If not in use, it registers the NetBIOS name and associated IP address

Lesson 7: Dynamic Name Resolution

What is DNS?

(Figure: the DNS tree for the FQDN printserver.contoso.com.: the root domain "." at the top; the top-level domains com, edu, org and others; the parent domain contoso under com; the child domain accounts and the hosts printserver and payroll under contoso)

Lesson 7: Dynamic Name Resolution

DNS suffix

(Figure: the DNS tree Root > com > contoso > sales, with corp05 = 192.168.0.66 and corp01 = 192.168.0.67)

FQDN corp05.contoso.com.: host name corp05, DNS suffix contoso.com.
FQDN corp01.sales.contoso.com.: host name corp01, DNS suffix sales.contoso.com.

Lesson 7: Dynamic Name Resolution

Summary: How Client Names Are Resolved

1. Enter command
2. DNS name cache
3. Hosts file
4. DNS server
5. NetBIOS name cache
6. WINS server
7. Broadcast
8. Lmhosts file
Name is resolved

Practice

1. Identify a MAC address
2. View the ARP cache and then modify it
3. Determine and then change the NetBT node type of a client computer
4. Resolve names

Practice

1. Use Ipconfig to manage the DNS client cache
2. Configure a client to resolve names using DNS
3. Configure host name resolution
4. Configure NetBIOS name resolution

Practice

1. How to add an entry to the client Lmhosts file
2. How to add an entry to the client Hosts file
3. How to preload a NetBIOS name cache by using an Lmhosts file
4. How to preload the client resolver cache by using a Hosts file

Chapter 2: Domain Name System

Lessons

- Lesson 1: Domain Name System (DNS)
- Lesson 2: Configuring the Properties for the DNS Server Service
- Lesson 3: Configuring DNS Zones
- Lesson 4: Configuring DNS Zone Transfers
- Lesson 5: Configuring DNS Dynamic Updates
- Lesson 6: Configuring a DNS Client
- Lesson 7: Delegating Authority for Zones

Lesson 1: Domain Name System

Overview
- What is DNS
- DNS Hierarchy
- What is a Domain Namespace
- What is InterNIC
- History of DNS
- The Role of DNS in the Network Infrastructure
- Standards for DNS Naming
- Install the DNS Server Service

Lesson 1: Domain Name System

What is DNS?
Domain Name System (DNS) is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses.

- DNS is the foundation of the Internet naming scheme and the foundation of an organization's naming scheme
- DNS supports accessing resources by using alphanumeric names
- InterNIC is responsible for delegating administrative responsibility for portions of the domain namespace and for registering domain names
- DNS was designed to solve issues that arose when there was an increase in the:
  - Number of hosts on the Internet
  - Traffic generated by the update process
  - Size of the Hosts file

Lesson 1: Domain Name System

DNS Hierarchy
- DNS is organized into hierarchical domains
- DNS root servers are positioned at the top of the DNS hierarchy; they maintain data about each of the top-level zones
- Top-level domain servers exist for arpa, com, edu, etc.
- Local name servers are maintained by individual organizations

Lesson 1: Domain Name System

What is a Domain Namespace?

(Figure: the root domain at the top; the top-level domains net, com and org; the second-level domain nwtraders under com; the subdomains west, south and east, with sales under south; the host server1 in sales, giving the FQDN server1.sales.south.nwtraders.com)

Lesson 1: Domain Name System

What is a Domain Namespace?

The domain namespace is a hierarchical naming tree that DNS uses to identify and locate a given host in a given domain relative to the root of the tree.

- Domain: in DNS, any tree or subtree within the overall domain namespace.
- Root domain: the root node of the DNS tree.
- Top-level domain: stated as a two- or three-character name code that identifies either organizational or geographical status. This is the highest-level domain in the Internet's DNS hierarchy.
- Second-level domain: the level immediately beneath the top-level domain in the Internet's DNS hierarchy. This is a unique name that InterNIC formally registers to an individual or organization that connects to the Internet.
- Subdomain: a subdivision of a larger domain. For example, mail.yahoo.com is a subdomain of yahoo.com.

Lesson 1: Domain Name System

What is InterNIC?

- InterNIC is the Internet Network Information Center
- The InterNIC manages the root, or the highest level, of the domain namespace
- Go to http://www.internic.net for more information about InterNIC

Lesson 1: Domain Name System

History of DNS

- DNS began in the early days of the Internet
- DNS was introduced in 1984 and became the new naming system

Lesson 1: Domain Name System

The Role of DNS in the Network Infrastructure

- Explain the role and benefits of DNS in the network infrastructure
- Define the key components of DNS
- Discuss the DNS domain namespace
- Discuss DNS zones and zone transfer
- Discuss DNS name servers
- Explain how the host name resolution process works
- Explain forward lookup queries

Lesson 1: Domain Name System

Standards for DNS Naming

The following characters are valid for DNS names:
- A-Z
- a-z
- 0-9
- Hyphen (-)
The underscore (_) is a reserved character.

Lesson 1: Domain Name System

Install the DNS Server Service

Lesson 2: Configuring the Properties for the DNS Server Service

Overview
- What are the Components of a DNS Solution
- What is a DNS Query
- How Recursive Queries Work
- How a Root Hint Works
- How Iterative Queries Work
- How Forwarders Work
- How DNS Server Caching Works
- How to Configure the Properties for the DNS Server Service

Lesson 2: Configuring the Properties for the DNS Server Service

What are the Components of a DNS Solution?

(Figure: DNS clients query DNS servers, which hold resource records; the DNS servers on the Internet form the tree Root (.) > .com, .edu)

Lesson 2: Configuring the Properties for the DNS Server Service

What are the Components of a DNS Solution?

The components of DNS:
- DNS server: a computer running the DNS Server service
- DNS client: a computer running the DNS Client service
- DNS resource records: entries in the DNS database that map host names to resources

Lesson 2: Configuring the Properties for the DNS Server Service

What is a DNS Query?

- A query is a request for name resolution to a DNS server. There are two types of queries: recursive and iterative.
- DNS clients and DNS servers both initiate queries for name resolution.
- An authoritative DNS server for the namespace of the query will either:
  - Check the cache, check the zone, and return the requested IP address
  - Return an authoritative "No" (the name does not exist)
- A non-authoritative DNS server for the namespace of the query will either:
  - Forward the unresolvable query to a specific DNS server called a forwarder
  - Use root hints to locate an answer for the query

Lesson 2: Configuring the Properties for the DNS Server Service

How Recursive Queries Work

A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query.

(Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server, which checks its forward lookup zone and cache for an answer and returns 172.16.64.11)

Lesson 2: Configuring the Properties for the DNS Server Service

How Recursive Queries Work

The following steps describe how a recursive query works:

1. The client sends a recursive query to the local DNS server
2. The local DNS server checks the forward lookup zone and cache for an answer to the query
3. If the answer to the query is found, the DNS server returns the answer to the client
4. If an answer is not found, the DNS server uses a forwarder address or root hints to locate an answer

Lesson 2: Configuring the Properties for the DNS Server Service

How a Root Hint Works

Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers.

(Figure: Computer1 queries its DNS server, which uses its root hints to reach the cluster of root (.) servers, then com, then microsoft)

Lesson 2: Configuring the Properties for the DNS Server Service

How a Root Hint Works


Root hints are stored in the file Cache.dns, located in %systemroot%\system32\dns.

Lesson 2: Configuring the Properties for the DNS Server Service

How Iterative Queries Work

An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree.

(Figure: Computer1 asks the local DNS server, which sends an iterative query to a root server from its root hints (1), is told "Ask .com" (2), queries the .com server and is referred on to nwtraders.com (3))

Lesson 2: Configuring the Properties for the DNS Server Service

How Forwarders Work

A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names.

(Figure: Computer1's local DNS server passes the query to the forwarder, which performs the iterative queries against the root hint (.), the .com server and nwtraders.com)

Lesson 2: Configuring the Properties for the DNS Server Service

How DNS Server Caching Works

(Figure: Client1 asks "Where's ClientA?"; the DNS server answers "ClientA is at 192.168.8.44" and caches the record; Client2's later query for ClientA is answered from the cache)

Caching table:
Host name             | IP address   | TTL
----------------------|--------------|------------
clientA.contoso.msft. | 192.168.8.44 | 28 seconds

Caching is the process of temporarily storing recently accessed information in a special memory subsystem for quicker access.
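An added example (not part of the course material) that ties together the query types of this lesson in one toy hierarchy: the client sends a recursive query to its local server, which answers from its cache while the TTL lasts, otherwise walks the tree with iterative queries from its root hints (following referrals such as "Ask .com") or hands the whole job to a forwarder. The server names, the mail1.nwtraders.com record, its address and its 30-second TTL are constructed; the classes and function names are assumptions.

```python
# Added example (not from the course): recursive, iterative and forwarded
# DNS queries plus TTL-based caching, on a constructed root -> com ->
# nwtraders.com tree.


class AuthServer:
    """Authoritative server for one zone: A records plus delegations."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = dict(records or {})          # fqdn -> (ip, ttl)
        self.delegations = dict(delegations or {})  # child zone -> AuthServer

    def iterative_query(self, qname):
        """Best answer without asking anyone else: ('answer', ip, ttl),
        ('referral', server, None) or ('nxdomain', None, None)."""
        if qname in self.records:
            ip, ttl = self.records[qname]
            return "answer", ip, ttl
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname.endswith("." + zone):          # longest matching child zone
                return "referral", self.delegations[zone], None
        return "nxdomain", None, None               # the authoritative "No"


class RecursiveServer:
    """Local DNS server: cache first, then root hints or a forwarder."""

    def __init__(self, name, root_hints=(), forwarder=None):
        self.name = name
        self.root_hints = list(root_hints)   # authoritative root servers
        self.forwarder = forwarder           # another RecursiveServer, or None
        self.cache = {}                      # qname -> (ip, expires_at)
        self.trace = []                      # (who, what) for the last query

    def _iterate(self, qname, max_referrals=8):
        server = self.root_hints[0]
        for _ in range(max_referrals):       # guard against referral loops
            kind, payload, ttl = server.iterative_query(qname)
            self.trace.append((server.name, kind))
            if kind == "answer":
                return payload, ttl
            if kind != "referral":
                return None
            server = payload                 # "Ask .com": follow the referral

    def resolve(self, qname, now):
        """(ip, remaining ttl) or None; appends the path to self.trace."""
        hit = self.cache.get(qname)
        if hit and now < hit[1]:
            self.trace.append((self.name, "cache"))
            return hit[0], hit[1] - now
        if self.forwarder is not None:
            # The forwarder resolves on our behalf; we cache what it returns.
            self.trace.append((self.name, "forward"))
            self.forwarder.trace = []
            result = self.forwarder.resolve(qname, now)
            self.trace.extend(self.forwarder.trace)
        elif self.root_hints:
            result = self._iterate(qname)
        else:
            result = None
        if result is not None:
            ip, ttl = result
            self.cache[qname] = (ip, now + ttl)  # kept until the TTL expires
        return result

    def recursive_query(self, qname, now):
        """What the client asked for: a complete answer (IP) or None."""
        self.trace = []
        result = self.resolve(qname, now)
        return None if result is None else result[0]


def build_demo():
    """Constructed tree: root -> com -> nwtraders.com, plus two local servers."""
    nwtraders = AuthServer("ns1.nwtraders.com",
                           records={"mail1.nwtraders.com.": ("172.16.64.11", 30)})
    com = AuthServer("com-tld", delegations={"nwtraders.com.": nwtraders})
    root = AuthServer("root", delegations={"com.": com})
    local = RecursiveServer("local-dns", root_hints=[root])
    branch = RecursiveServer("branch-dns", forwarder=local)  # uses a forwarder
    return local, branch


if __name__ == "__main__":
    local, branch = build_demo()
    for now in (0, 10, 40):
        ip = local.recursive_query("mail1.nwtraders.com.", now)
        print(f"t={now:2}s {ip} via {local.trace}")
    print(branch.recursive_query("mail1.nwtraders.com.", 50), branch.trace)
```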

Lesson 2: Configuring the Properties for the DNS Server Service

How to Configure Properties for the DNS Server Service

- Update root hints on a DNS server
- Configure a DNS server to use a forwarder
- Clear the DNS server cache by using the DNS console
- Clear the DNS server cache by using the DNSCmd command

Lesson 3: Configuring DNS Zones

Overview
- How DNS Data Is Stored and Maintained
- What Are Resource Records and Record Types
- What Is a DNS Zone
- What Are DNS Zone Types
- How to Change a DNS Zone Type
- What Are Forward and Reverse Lookup Zones
- How to Configure Forward and Reverse Lookup Zones

Lesson 3: Configuring DNS Zones

How DNS Data is Stored and Maintained

(Figure: the DNS server for the namespace training.nwtraders.msft keeps its resource records in the zone file Training.nwtraders.msft.dns)

Resource records for the zone training.nwtraders.msft:
Host name   | IP address
------------|-------------
DNS ClientA | 192.168.2.45
DNS ClientB | 192.168.2.46
DNS ClientC | 192.168.2.47

- A resource record (RR) is a standard DNS database structure containing information used to process DNS queries
- A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace

Lesson 3: Configuring DNS Zones

What Are Resource Records and Record Types?

Record type | Description
------------|----------------------------------------------
A           | Resolves a host name to an IP address
PTR         | Resolves an IP address to a host name
SOA         | The first record in any zone file
SRV         | Resolves names of servers providing services
NS          | Identifies the DNS server for each zone
MX          | The mail server
CNAME       | Resolves from a host name to a host name

Lesson 3: Configuring DNS Zones

What is a DNS Zone?

(Figure: the Nwtraders domain tree with the subdomains South, West and North, and Sales, Support and Training beneath them, showing how zones cover contiguous parts of the tree)

Lesson 3: Configuring DNS Zones

What Are DNS Zone Types?

Zone type | Access                  | Description
----------|-------------------------|------------------------------------------
Primary   | Read/write              | Read/write copy of a DNS database
Secondary | Read-only               | Read-only copy of a DNS database
Stub      | Copy of limited records | Copy of a zone containing limited records

Lesson 3: Configuring DNS Zones

What Are Forward and Reverse Lookup Zones?

(Figure: namespace training.nwtraders.msft.; the DNS server authoritative for training holds a forward zone that answers "DNS Client2 = ?" with 192.168.2.46, and a reverse zone 1.168.192.in-addr.arpa that answers "192.168.2.46 = ?" with DNS Client2; DNS Client1, DNS Client2 and DNS Client3 are 192.168.2.45, 192.168.2.46 and 192.168.2.47)

Lesson 3: Configuring DNS Zones

Forward Lookup Zone

Lesson 3: Configuring DNS Zones

Reverse Lookup Zone

Lesson 3: Configuring DNS Zones

How to Configure Forward and Reverse Lookup Zones

- Configure a forward lookup zone on a primary zone type
- Configure a forward lookup stub zone
- Configure a forward lookup zone on a secondary zone type
- Configure a reverse lookup zone on a primary zone type
- Configure a reverse lookup zone on a secondary zone type

Lesson 4: Configuring DNS Zone Transfers

Overview

- How DNS Zone Transfers Work
- How DNS Notify Works
- How to Configure DNS Zone Transfers

Lesson 4: Configuring DNS Zone Transfers

How DNS Zone Transfers Work

A DNS zone transfer is the synchronization of authoritative DNS zone data between DNS servers.

(Figure: secondary server and primary/master server)
1. SOA query for a zone (secondary to master)
2. SOA query answered
3. IXFR or AXFR query for a zone
4. IXFR or AXFR query answered (zone transfer)

Lesson 4: Configuring DNS Zone Transfers

How DNS Notify Works


A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur

Exchange between the source server (primary and master) and the destination server (secondary):
1. Resource record is updated
2. SOA serial number is updated
3. DNS notify
4. Zone transfer
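Added example (not part of the course slides): a small Python model of what a secondary server does when a NOTIFY arrives or its refresh timer fires, covering the four-step transfer exchange and the notify exchange above. The Master and Secondary classes, the record names, addresses and serial values are assumptions made for the example; the zone name reuses training.nwtraders.msft from the earlier lesson, and serials are compared with RFC 1982 serial-number arithmetic so a 32-bit wrap is handled.

```python
"""Secondary-server side of a DNS zone transfer, with NOTIFY handling.

Added example, not the course's own code. The Master class stands in for the
primary/master server's zone (an in-memory dict), serial numbers are compared
with RFC 1982 serial arithmetic so a wrapped 32-bit serial still counts as
newer, and IXFR is served from a change history kept on the master. All names,
addresses and serials below are constructed for the example.
"""

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: True when serial a is newer than serial b in 32-bit modular space."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


class Master:
    """Primary (master) server holding the authoritative copy of one zone."""

    def __init__(self, zone, serial, records):
        self.zone, self.serial = zone, serial
        self.records = dict(records)        # owner name -> rdata
        self.history = []                   # (old_serial, new_serial, {owner: rdata}) per update

    def update(self, owner, rdata):
        """Notify-slide steps 1-2: change a resource record, then bump the SOA serial."""
        old = self.serial
        self.serial = (self.serial + 1) % MOD
        self.records[owner] = rdata
        self.history.append((old, self.serial, {owner: rdata}))

    def soa_serial(self):
        return self.serial                  # answer to the secondary's SOA query (steps 1-2)

    def axfr(self):
        return dict(self.records)           # full zone copy (step 4, AXFR)

    def ixfr(self, from_serial):
        """Delta since from_serial, or None when the master no longer has that history."""
        starts = [i for i, h in enumerate(self.history) if h[0] == from_serial]
        if not starts:
            return None
        delta = {}
        for _, _, changes in self.history[starts[0]:]:
            delta.update(changes)
        return delta


class Secondary:
    """Secondary server: holds a read-only copy and decides when and how to transfer."""

    def __init__(self, zone):
        self.zone, self.serial, self.records, self.log = zone, None, {}, []

    def refresh(self, master):
        """Transfer-slide steps 1-4: SOA query, compare serials, IXFR/AXFR, apply."""
        remote = master.soa_serial()
        if self.serial is not None and not serial_gt(remote, self.serial):
            self.log.append("UP-TO-DATE")
            return "up-to-date"
        delta = None if self.serial is None else master.ixfr(self.serial)
        if delta is None:                   # no local copy, or history gone: full transfer
            self.records = master.axfr()
            kind = "AXFR"
        else:
            self.records.update(delta)
            kind = "IXFR"
        self.serial = remote
        self.log.append(kind)
        return kind

    def notify(self, master, notified_serial):
        """Notify-slide steps 3-4: act only when the NOTIFY advertises a newer serial."""
        if self.serial is not None and not serial_gt(notified_serial, self.serial):
            self.log.append("NOTIFY-IGNORED")
            return "ignored"
        return self.refresh(master)


def demo():
    master = Master("training.nwtraders.msft.", 2013110101, {"dc1": "192.168.2.45"})
    secondary = Secondary("training.nwtraders.msft.")
    first = secondary.refresh(master)                   # no local copy yet -> AXFR
    master.update("client2", "192.168.2.46")            # RR updated, serial bumped
    second = secondary.notify(master, master.serial)    # NOTIFY -> SOA query -> IXFR
    third = secondary.notify(master, master.serial)     # nothing new -> ignored
    return first, second, third, secondary.serial == master.serial, secondary.records


if __name__ == "__main__":
    print(demo())
```

The secondary never trusts the NOTIFY alone: it still queries the SOA and compares serials before pulling data, which is why a NOTIFY that advertises an old serial is ignored and why a master that has discarded its change history is answered with a full AXFR rather than a partial IXFR.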

Lesson 5: Configuring DNS Dynamic Updates

Overview
What Are Dynamic Updates
How DNS Clients Register and Update Their Own Resource Records by Using Dynamic Updates
How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates
How to Configure DNS Manual and Dynamic Updates
What Is an Active Directory-Integrated DNS Zone
How Active Directory-Integrated DNS Zones Use Secure Dynamic Updates
How to Configure Active Directory-Integrated DNS Zones to Allow Secure Dynamic Updates

Lesson 5: Configuring DNS Dynamic Updates

What are DNS Dynamic Updates


- Explain why DNS dynamic updates are important
- Explain the difference between manual and dynamic updates
- Explain that client computers can either dynamically update resource records in DNS themselves or have DHCP perform dynamic updates in DNS on their behalf
- Explain what secure dynamic updates are

What Are Dynamic Updates

Lesson 5: Configuring DNS Dynamic Updates

A dynamic update is the process of a DNS client dynamically creating, registering, or updating its records in zones that are maintained by DNS servers that can accept and process messages for dynamic updates

A manual update is the process of an administrator manually creating, registering, or updating the resource record

- Dynamic update enables DNS client computers to interact automatically with the DNS server to register and update their own resource records
- Organizations that have dynamic changes can benefit from the dynamic method of updating DNS resource records
- Organizations may benefit from manual update if they:
  - Are in a smaller environment that has few changes to their resource records
  - Have isolated instances, such as when a larger organization chooses to control every address on every host

Lesson 5: Configuring DNS Dynamic Updates


How DNS Clients Register and Update Their Own Resource Records by Using Dynamic Updates

Exchange between a DNS client (Windows Server 2003, Windows XP or Windows 2000) and the DNS server holding the resource records:
1. Client sends SOA query
2. DNS server sends zone name and server IP address
3. Client verifies existing registration
4. DNS server responds by stating that registration does not exist
5. Client sends dynamic update to DNS server

Lesson 5: Configuring DNS Dynamic Updates


How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates

Exchange between a DHCP down-level client, a Windows Server 2003 DHCP server and the DNS server holding the resource records:
1. DHCP client makes an IP lease request
2. DHCP server grants IP lease
3. DHCP server automatically generates the client's FQDN
4. Using dynamic update, the DHCP server updates the DNS forward and reverse records for the client

Lesson 5: Configuring DNS Dynamic Updates


How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates

A down-level client is a DHCP client running Windows NT 4.0 or earlier. Down-level clients are unable to register or update their resource records in DNS on their own

Administrators can configure DHCP servers running Windows Server 2003 and Windows 2000 to update DNS client resource records for the following client types:
- Any down-level DHCP clients that do not request dynamic updates
- Any DHCP client, including those that are running Windows XP and Windows 2000, regardless of whether it requests a dynamic update

Lesson 5: Configuring DNS Dynamic Updates


How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates

Process of performing dynamic updates for a down-level client

1. The DHCP client makes an IP lease request
2. The DHCP server grants an IP lease
3. The DHCP server automatically generates the client's FQDN by appending the domain name that is defined for the DHCP scope to the client name. The client name is obtained from the DHCPREQUEST message that the client sends
4. Using the dynamic update protocol, the DHCP server updates the:
   - DNS forward (A) name for the client
   - DNS reverse (PTR) name for the client

Lesson 5: Configuring DNS Dynamic Updates


How a DHCP Server Registers and Updates Resource Records by Using Dynamic Updates

Process of performing dynamic updates for a Windows XP client

1. The DHCP client makes an IP lease request that includes the client FQDN in option 81 of the DHCP request
2. The DHCP server grants an IP lease
3. The client connects to the DNS server to update the A record for itself
4. The DHCP server updates the DNS reverse (PTR) name for the client by using the dynamic update protocol

Lesson 5: Configuring DNS Dynamic Updates

How to Configure DNS Manual and Dynamic Updates


- Configure a DNS server running Windows Server 2003 to accept dynamic updates of DNS resource records
- Configure a Windows XP Professional client to dynamically update its DNS resource records in DNS
- Configure a DHCP server running Windows Server 2003 to dynamically update DNS resource records in DNS on behalf of DHCP clients
- Manually create a DNS resource record

Lesson 5: Configuring DNS Dynamic Updates

How to Configure DNS Manual and Dynamic Updates


You need to choose and configure one or both of the following options. Dynamic updates are supported on primary DNS zones.

To use a DNS client for dynamic updates, configure the:
- DNS server to accept dynamic updates
- DNS clients to create dynamic updates for themselves

To use a DHCP server for dynamic updates, configure the:
- DNS server to accept dynamic updates
- DHCP server to create dynamic updates on behalf of the DHCP clients

To manually create a DNS resource record, you need to add a host (A) resource record to a forward lookup zone

Lesson 5: Configuring DNS Dynamic Updates

What is an Active Directory-Integrated DNS Zone


An Active Directory-integrated DNS zone is a DNS zone stored in Active Directory

DNS zone type                         Benefit
Non Active Directory-integrated zone  Does not require Active Directory
Active Directory-integrated zone      Stores DNS zone data in Active Directory and is thus more secure
                                      Uses Active Directory replication instead of zone transfers
                                      Allows only secure dynamic updates
                                      Uses multi-master instead of single-master structure

Lesson 5: Configuring DNS Dynamic Updates

How Active Directory-Integrated DNS Zones Use Secure Dynamic Updates


A secure dynamic update is a process in which a client submits a dynamic update request to a DNS server, and the server attempts the update only if the client can prove its identity and has the proper credentials to make the update

Diagram: a DNS client running Windows XP asks its local DNS server to find the authoritative server, submits the update to the domain controller holding the Active Directory-integrated DNS zone, and receives the result

Lesson 5: Configuring DNS Dynamic Updates


How to Configure Active Directory-Integrated DNS Zones to Allow Secure Dynamic Updates Only

- Configure Active Directory-integrated DNS zones to allow secure dynamic updates
- Configure security on an Active Directory-integrated DNS zone

Lesson 6: Configuring a DNS Client

Standards for DNS Naming


How Preferred and Alternate DNS Servers Work
How Suffixes Are Applied
How to Configure a DNS Client

Lesson 6: Configuring a DNS Client

How Preferred and Alternate DNS Servers Work


1. The preferred DNS server is the one that the client tries first
2. If the preferred server fails, the client tries the alternate DNS server
3. Optionally, you can enter a whole list of alternate DNS servers
4. The preferred and alternate DNS servers specified on the Properties page automatically appear at the top of this list, and preferred and alternate servers are queried in the order they are listed

Lesson 6: Configuring a DNS Client

How Suffixes Are Applied

Suffix selection options: the domain suffix search list or the connection-specific suffix

Name query = server1 is tried, in order, as:
server1.sales.south.nwtraders.com
server1.south.nwtraders.com
server1.nwtraders.com
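Added example (not part of the course slides): a Python function that builds the ordered list of names a Windows DNS client tries for an unqualified query, covering both suffix selection options on the slide. Devolution of the primary DNS suffix down to two labels, the connection-specific suffix being appended after it, and an explicit search list replacing devolution are assumptions about the client behaviour made for the example; the names are constructed, and the query "server1" with the three results reproduces the slide.

```python
"""Candidate FQDNs a DNS client tries for an unqualified name.

Added example, not the course's own code. It models the two suffix
selection options on the slide: devolution of the primary DNS suffix (the
suffix itself, then each parent domain down to two labels) plus the
connection-specific suffix, or an explicit domain suffix search list that
replaces devolution. Names below are constructed; the query "server1" and
the three results reproduce the slide.
"""


def devolve(primary_suffix, min_labels=2):
    """Primary suffix followed by each parent domain, stopping at min_labels labels."""
    labels = [label for label in primary_suffix.strip(".").split(".") if label]
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_names(query, primary_suffix=None, connection_suffix=None, search_list=None):
    """Ordered list of names the resolver would query for `query`."""
    if query.endswith("."):                      # fully qualified: query as-is only
        return [query.rstrip(".")]
    if search_list:                              # explicit list replaces devolution
        suffixes = list(search_list)
    else:
        suffixes = devolve(primary_suffix) if primary_suffix else []
        if connection_suffix and connection_suffix not in suffixes:
            suffixes.append(connection_suffix)
    names = [query] if "." in query else []      # multi-label names are tried as-is first
    for suffix in suffixes:
        fqdn = f"{query}.{suffix}"
        if fqdn not in names:
            names.append(fqdn)
    return names


if __name__ == "__main__":
    for name in candidate_names("server1", primary_suffix="sales.south.nwtraders.com"):
        print(name)
```

The order matters: the most specific suffix is tried first, so a host name that exists in both sales.south.nwtraders.com and nwtraders.com resolves to the sales.south entry. When an administrator needs clients to resolve only within chosen domains, the explicit search list removes the parent-domain guesses entirely.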

Lesson 6: Configuring a DNS Client

How to Configure a DNS Client


- Manually configure a DNS client to use preferred and alternate DNS servers
- Configure the DNS server option and the DNS suffix option in DHCP

Lesson 6: Configuring a DNS Client

DNS

Lesson 6: Configuring a DNS Client

Cached Lookup

Lesson 6: Configuring a DNS Client

Resolve name

Lesson 7: Delegating Authority for Zones

Overview
What Is Delegation of a DNS Zone?
How to Delegate a Subdomain to a DNS Zone

Lesson 7: Delegating Authority for Zones

What Is Delegation of a DNS Zone


Namespace: training.nwtraders.msft

The administrator, at the nwtraders.com level of the namespace, delegates authority for training.nwtraders.com and offloads administration of DNS for that part of the namespace. Training.nwtraders.com now has its own administrator and DNS server to resolve queries in that part of the namespace/organization

Diagram: the nwtraders DNS server delegating to the training.nwtraders.msft DNS server

Delegation is the process of assigning authority over child domains in your DNS namespace to another entity by adding records in the DNS database

Practice

1. Install the DNS Server service
2. Configure DNS zones
3. Resolve host names by using DNS
4. Configure a DNS client

Practice

1. Update root hints on a DNS server
2. Configure a DNS server to use a forwarder
3. Clear the DNS server cache by using the DNS console
4. Clear the DNS server cache by using the DNSCmd command

Practice

1. Configure a forward lookup zone on a primary zone type
2. Configure a forward lookup stub zone
3. Configure a forward lookup zone on a secondary zone type
4. Configure a reverse lookup zone on a primary zone type and a secondary zone type

Practice

1. Configure a DNS server running Windows Server 2003 to accept dynamic updates of DNS resource records
2. Configure a Windows XP Professional client to dynamically update its DNS resource records in DNS
3. Configure a DHCP server running Windows Server 2003 to dynamically update DNS resource records in DNS on behalf of DHCP clients
4. Manually create a DNS resource record

Practice

1. Configure the properties for the DNS Server service
2. Configure forward and reverse lookup zones
3. Configure DNS manual and dynamic updates

Practice

1. Configure DNS dynamic updates
2. Delegate a sub-domain to a DNS zone
3. Change a DNS zone type
4. Configure a DNS zone transfer and DNS notify

Chapter 3 : Routing and Remote Access

Chapter 3

Routing and Remote Access

Chapter 3 : Routing and Remote Access

Lessons
Lesson 1: Basic Concepts
Lesson 2: Routing
Lesson 3: Routing and Remote Access on Windows 2003 Server
Lesson 4: Configuring Packet Filters

Lesson 1: Basic Concepts

Overview
Using a Default Gateway
What is a Router
How the Computer Determines Whether an IP Address is a Local or Remote Address

Lesson 1: Basic Concepts

Using a Default Gateway


When you use a default gateway:
- The default gateway:
  - Routes packets to other networks
  - Is used when the internal routing table on the host has no information on the destination subnet
- DHCP automatically delivers the IP address for the default gateway to the client
- To configure the client manually for the default gateway, use the General tab on the Network Connections Properties page

Lesson 1: Basic Concepts

Using a Default Gateway

Lesson 1: Basic Concepts

What is a Router
A router is an intermediate system at the network layer that is used to connect networks together based on a common network layer protocol

Router type       Example
Hardware router   A device that performs routing as a dedicated function
Software router   A router that is not dedicated to performing routing only, but performs routing as one of multiple processes running on the router computer

Main routing components include:
- Routing interface
- Routing protocol
- Routing table

Lesson 1: Basic Concepts

What is a Router
Diagram: four routers A, B, C and D; traffic from A to D can take the communication path A-C-D or the communication path A-B-D

Lesson 1: Basic Concepts


How the Computer Determines Whether an IP Address Is a Local or Remote Address

The local and destination hosts' IP addresses are each ANDed with their subnet masks (1 AND 1 = 1, any other combination = 0). If the AND results of the source and destination hosts match, the destination is local

              Octet 1   Octet 2   Octet 3   Octet 4
IP address    10011111  11100000  00000111  10000001
Subnet mask   11111111  11111111  00000000  00000000
Result        10011111  11100000  00000000  00000000
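Added example (not part of the course slides): Python code that performs the AND comparison from the table above and uses the result to decide whether a packet is delivered on the local subnet or handed to the default gateway. The local address 159.224.7.129 with mask 255.255.0.0 is the slide's binary example written in dotted form; the destination and gateway addresses are constructed.

```python
"""Local-or-remote decision for a destination address.

Added example, not the course's own code. It ANDs the local host's address
and the destination address with the subnet mask exactly as the slide's table
does and delivers locally when the two network IDs match, otherwise via the
default gateway. The local address 159.224.7.129 / 255.255.0.0 is the slide's
binary example (10011111.11100000.00000111.10000001); the destinations and the
gateway address are constructed.
"""
import ipaddress


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def network_id(ip, mask):
    """Bitwise AND of address and mask, returned in dotted form."""
    return str(ipaddress.IPv4Address(to_int(ip) & to_int(mask)))


def binary_octets(ip):
    """Dotted-binary rendering like the slide's table."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def is_local(local_ip, mask, dest_ip):
    """Destination is local when both addresses yield the same network ID."""
    return network_id(local_ip, mask) == network_id(dest_ip, mask)


def next_hop(local_ip, mask, dest_ip, default_gateway):
    """Where the packet is handed off at the link layer: the destination itself or the gateway."""
    return dest_ip if is_local(local_ip, mask, dest_ip) else default_gateway


def explain(local_ip, mask, dest_ip, default_gateway):
    """The three rows of the slide's table plus the resulting decision."""
    return {
        "ip_address": binary_octets(local_ip),
        "subnet_mask": binary_octets(mask),
        "result": binary_octets(network_id(local_ip, mask)),
        "local": is_local(local_ip, mask, dest_ip),
        "next_hop": next_hop(local_ip, mask, dest_ip, default_gateway),
    }


if __name__ == "__main__":
    for key, value in explain("159.224.7.129", "255.255.0.0", "159.224.200.1", "159.224.0.1").items():
        print(f"{key:12} {value}")
```

The same destination can be judged local or remote depending only on the mask (159.224.200.1 is local under 255.255.0.0 and remote under 255.255.255.0), which is why a mistyped subnet mask shows up as hosts that can reach the gateway but not each other, or the reverse.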

Lesson 2: Routing

Overview
The Role of Routing in the Network Infrastructure
What is a Routing Interface
What is a Routing Protocol
What Is Static and Dynamic Routing
What is a Routing Table
How the IP Protocol Selects a Route

Lesson 2: Routing

The Role of Routing in the Network Infrastructure


Routing is the process of transferring data across an internetwork

- Describe how routing fits into the network infrastructure
- Explain the difference between local and remote routing
- Describe how the Microsoft routing solution fits into the network infrastructure

Diagram: Subnet 1 - Router A - Subnet 2 - Router B - Subnet 3

Lesson 2: Routing

What is a Routing Interface


A routing interface is an interface over which IP packets are forwarded

Two types of routing interfaces:
- LAN
- Demand-dial

Chapter 4:Dynamic Host Configuration Protocol

Chapter 4

Dynamic Host Configuration Protocol

Chapter 4:Dynamic Host Configuration Protocol

Lessons
Lesson 1: What is DHCP
Lesson 2: Adding and Authorizing a DHCP Server Service
Lesson 3: Configuring a DHCP Scope and DHCP Reservation
Lesson 4: DHCP Options
Lesson 5: Configuring a DHCP Relay Agent
Lesson 6: Configuring a client
Lesson 7: Using Alternate Configuration
Lesson 8: Managing a DHCP Database
Lesson 9: Monitoring DHCP
Lesson 10: Applying Security Guidelines for DHCP

Lesson 1: What is DHCP

The Role of DHCP in the Network Infrastructure


DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration

Manual TCP/IP configuration:
- IP addresses entered manually on each client computer
- Possibility of entering an incorrect or invalid IP address
- Incorrect configuration can lead to communication and network issues
- Administrative overload on networks where computers are frequently moved

Automatic TCP/IP configuration:
- IP addresses are supplied automatically to client computers
- Ensures that clients always use correct configuration information
- Client configuration updated automatically to reflect changes in network structure
- Elimination of a common source of network problems

Lesson 1: What is DHCP

How DHCP Allocates IP Addresses


IP addresses and options are sent from the DHCP server in response to a request from a DHCP client

Diagram: DHCP clients and a non-DHCP client on a network with a DHCP server whose DHCP database holds the address pool IP Address1, IP Address2, IP Address3, ..., IP AddressN

Lesson 1: What is DHCP

How DHCP Allocates IP Addresses (cont)


- Non-DHCP client: static IP configuration
- DHCP Client1: IP configuration from DHCP server
- DHCP Client2: IP configuration from DHCP server
(The diagram shows the lease generation and lease renewal exchanges between the DHCP clients and the DHCP server)

DHCP database:
- IP Address1: Leased to DHCP Client1
- IP Address2: Leased to DHCP Client2
- IP Address3: Available to be leased

Lesson 1: What is DHCP

How the DHCP Lease Generation Process Works


Exchange between the DHCP client and two DHCP servers (DHCP Server 1 and DHCP Server 2):
1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP server 1 broadcasts a DHCPACK packet

Lesson 1: What is DHCP

How the DHCP Lease Generation Process Works


A DHCPDISCOVER packet
This is a message that DHCP clients send the first time that they attempt to log on to the network and request IP address information from a DHCP server.

A DHCPOFFER packet
This is a message that DHCP servers use to offer the lease of an IP address to a DHCP client.
If the client does not receive an offer after four requests, it uses an IP address in the reserved range from 169.254.0.1 to 169.254.255.254.

A DHCPREQUEST packet
This is a message that a client sends to the DHCP server to request or renew the lease of the client's IP address.

Lesson 1: What is DHCP

How the DHCP Lease Generation Process Works

A DHCPACK packet
This is a message that the DHCP server sends to a client to acknowledge and complete a client's request for leased configuration. This message contains a valid lease for the IP address and other IP configuration data.

Important
DHCP servers and clients communicate by using User Datagram Protocol (UDP) ports 67 and 68.

Lesson 1: What is DHCP

How the DHCP Lease Renewal Process Works


Exchange between the DHCP client and DHCP Server1 (DHCP Server2 is also present on the network):
1. After 50% of the lease duration has expired, the DHCP client sends a DHCPREQUEST packet; DHCP Server1 sends a DHCPACK packet
2. If the client fails to renew its lease after 50% of the lease duration has expired, then the DHCP lease renewal process begins again after 87.5% of the lease duration has expired, with the client sending a DHCPREQUEST packet
3. If the client fails to renew its lease after 87.5% of the lease duration has expired, then after 100% of the lease duration has expired, the DHCP lease generation process starts over with the DHCP client broadcasting a DHCPDISCOVER

Lesson 1: What is DHCP

How the DHCP Lease Renewal Process Works


Definitions
The DHCP lease renewal process is the process by which the DHCP client renews or updates its IP address configuration data with the DHCP server.

Automatic lease renewal process
- A DHCP client automatically attempts to renew its lease as soon as 50 percent of the lease duration has expired.
- The DHCP client will also attempt to renew its IP address lease each time that the computer restarts.

Manual lease renewal
- You can renew an IP lease manually if you need to update DHCP configuration information immediately.

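Added example (not part of the course slides): a Python simulation that runs the lease generation exchange (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK) and the renewal timeline (50%, 87.5%, 100%) from the two preceding slides, including the APIPA fallback after four unanswered DISCOVERs. Messages are dictionaries rather than UDP 67/68 datagrams, the Server and Client classes are written for the example, and the server names, addresses, MACs and the 100-second lease are constructed; the `now` arguments are simulated clock readings.

```python
"""DHCP lease generation and renewal, simulated end to end.

Added example, not the course's own code. Two in-memory servers and one
client exchange DISCOVER/OFFER/REQUEST/ACK (and NAK) as dictionaries instead
of UDP 67/68 datagrams. The client renews by unicast at 50% of the lease,
rebinds by broadcast at 87.5%, starts lease generation over at 100%, and
falls back to an APIPA address after four unanswered DISCOVERs. All names,
addresses, MACs and times are constructed.
"""
import random

APIPA_RETRIES = 4


class Server:
    """One address pool, fixed lease length, and an `online` switch to simulate an outage."""

    def __init__(self, name, pool, lease_secs):
        self.name, self.pool, self.lease_secs = name, list(pool), lease_secs
        self.online, self.leases = True, {}                # leases: MAC -> address

    def handle(self, msg):
        if not self.online:
            return None
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self.leases.get(mac) or (self.pool[0] if self.pool else None)
            if ip is None:
                return None                                # pool exhausted: no offer
            return {"type": "DHCPOFFER", "server": self.name, "mac": mac, "ip": ip, "lease": self.lease_secs}
        if msg["type"] == "DHCPREQUEST":
            if msg.get("server") not in (None, self.name):
                return None                                # the client selected another server
            ip = msg["ip"]
            if self.leases.get(mac) != ip:                 # new binding rather than a renewal
                if ip not in self.pool:
                    return {"type": "DHCPNAK", "server": self.name, "mac": mac}
                self.pool.remove(ip)
                self.leases[mac] = ip
            return {"type": "DHCPACK", "server": self.name, "mac": mac, "ip": ip, "lease": self.lease_secs}
        return None


class Client:
    def __init__(self, mac, servers):
        self.mac, self.servers, self.log = mac, servers, []
        self.ip = self.server = None
        self.lease = self.t0 = 0

    def _send(self, msg, to=None):
        """Broadcast to every server (to=None) or unicast to the lease-holding one."""
        replies = [s.handle(msg) for s in self.servers if to is None or s.name == to]
        return [r for r in replies if r is not None]

    def _bind(self, ack, now):
        self.ip, self.server, self.lease, self.t0 = ack["ip"], ack["server"], ack["lease"], now

    def obtain(self, now):
        """Lease generation: DISCOVER, OFFER, REQUEST, ACK; APIPA after four silent tries."""
        for _ in range(APIPA_RETRIES):
            offers = [r for r in self._send({"type": "DHCPDISCOVER", "mac": self.mac}) if r["type"] == "DHCPOFFER"]
            if offers:
                break
        else:
            self.ip = "169.254.%d.%d" % (random.randint(0, 255), random.randint(1, 254))
            self.server, self.lease = None, 0
            self.log.append("APIPA")
            return self.ip
        offer = offers[0]                                  # the client takes the first offer it receives
        request = {"type": "DHCPREQUEST", "mac": self.mac, "ip": offer["ip"], "server": offer["server"]}
        ack = next((r for r in self._send(request) if r["type"] == "DHCPACK"), None)
        if ack is None:
            self.log.append("NAK")
            return None
        self._bind(ack, now)
        self.log.append("DORA")
        return self.ip

    def phase(self, now):
        if not self.lease:
            return "unleased"
        used = (now - self.t0) / self.lease
        return "bound" if used < 0.5 else "renewing" if used < 0.875 else "rebinding" if used < 1 else "expired"

    def tick(self, now):
        """Renewal: unicast REQUEST at 50%, broadcast REQUEST at 87.5%, start over at 100%."""
        phase = self.phase(now)
        if phase in ("bound", "unleased"):
            return phase
        if phase == "expired":
            self.log.append("EXPIRED")
            self.ip, self.lease = None, 0
            self.obtain(now)
            return phase
        request = {"type": "DHCPREQUEST", "mac": self.mac, "ip": self.ip}
        acks = [r for r in self._send(request, to=self.server if phase == "renewing" else None)
                if r["type"] == "DHCPACK"]
        if acks:
            self._bind(acks[0], now)
            self.log.append("RENEWED")
        else:
            self.log.append(phase.upper() + "-FAILED")
        return phase


def demo():
    server1 = Server("Server1", ["192.168.1.10", "192.168.1.11"], lease_secs=100)
    server2 = Server("Server2", ["192.168.1.50"], lease_secs=100)
    client = Client("000C29111111", [server1, server2])
    first_ip = client.obtain(now=0)      # DORA with Server1 (first offer wins)
    client.tick(40)                      # 40% used: bound, noth
    client.tick(60)                      # 60% used: unicast renew with Server1, lease restarts at t=60
    server1.online = False               # Server1 goes down
    client.tick(115)                     # 55% of the new lease: unicast renew fails
    client.tick(150)                     # 90%: broadcast rebind; Server2 NAKs an address it does not own
    client.tick(160)                     # 100%: lease expired, DORA again, Server2 answers
    return first_ip, client.ip, client.log
```

The simulation makes two points the slides state in words visible in the log: a renewal that fails at 50% is retried as a broadcast at 87.5% (so a second server could take over only if it owns the address), and at 100% the client drops its address and goes back to DHCPDISCOVER, which is when the outage becomes visible to users.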
Lesson 2: Adding and Authorizing a DHCP Server Service

Install a DHCP Server Service


Prepare to add a DHCP Server service
- Assign a static IP address to the DHCP server
- Log on as an administrator

Add a DHCP Server service
- Install the DHCP service using Control Panel, Add or Remove Programs
- Install the DHCP service using Administrative Tools, Configure Your Server Wizard

Diagram: DHCP client, DNS server and DHCP server on the network

Lesson 2: Adding and Authorizing a DHCP Server Service

How a DHCP Server Service Is Authorized


DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients

Diagram: a domain controller with Active Directory, DHCP Server1 (authorized), DHCP Server2 (unauthorized) and a DHCP client
- DHCP Server1 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server1 finds its IP address on the list, the service starts and supports DHCP clients (services DHCP requests)
- DHCP Server2 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server2 does not find its IP address on the list, the service does not start and does not support DHCP clients (does not service DHCP requests)
- The DHCP client receives its IP address from the authorized DHCP Server1

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

DHCP Scope
A scope is a range of IP addresses that are available to be leased

Diagram: a DHCP server serving LAN A from Scope A and LAN B from Scope B

Scope properties:
- Network ID
- Subnet mask
- Network IP address range
- Lease duration
- Router
- Scope name
- Exclusion range

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

DHCP Scope

Scope property
- Network ID: the network ID for the range of IP addresses
- Subnet mask: the subnet mask for the network ID
- Network IP address range: the range of IP addresses that are available to clients
- Lease duration: the period of time that the DHCP server holds a leased IP address for a client before removing the lease
- Router: a DHCP option that allows DHCP clients to access remote networks
- Scope name: an alphanumeric identifier for administrative purposes
- Exclusion range: the range of IP addresses in the scope that are excluded from being leased

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

How to Configure a DHCP Scope

Configure a DHCP scope:
- IP address range
- Subnet mask
- IP address exclusions
- Lease duration interval
- Scope options

Activate a DHCP scope

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

How to Configure a DHCP Scope

Superscope
A superscope expands the number of IP network addresses that you can use in a network. A superscope allows several distinct scopes to be logically grouped under a single name.
You must have at least one scope before creating a superscope.

Multicast Scope
A multicast scope is a group of IP multicast network addresses that are distributed to other computers in a network. The valid IP address range is 224.0.0.0 to 239.255.255.255

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

DHCP Reservation
A reservation is a specific IP address, within a scope, that is permanently reserved for leased use to a specific DHCP client

Diagram: Workstation 1, Workstation 2 and a File and Print Server on Subnet A and Subnet B, served by a DHCP server whose database holds:
- IP Address1: Leased to Workstation 1
- IP Address2: Leased to Workstation 2
- IP Address3: Reserved for File and Print Server

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

How to Configure a DHCP Reservation

Configure a DHCP reservation:
- Specify the IP address
- Specify the MAC address of the DHCP client

Verify the DHCP reservation

Lesson 3: Configuring a DHCP Scope and DHCP Reservation

How to Configure a DHCP Reservation

Information of a Reservation
- Reservation name: name that the administrator assigns
- IP address: IP address from the scope for the client
- MAC address: client's media access control (MAC) address (entered without hyphens)
- Description: description that the administrator assigns
- Supported type: DHCP reservation, Boot Protocol (BOOTP) reservation or both

Lesson 4: DHCP Options

DHCP Options
DHCP options are configuration parameters that a DHCP service assigns to clients along with the IP address and subnet mask

DHCP client IP configuration data received from the DHCP server:
- Client's IP address
- Client's subnet mask
- DHCP options such as:
  - Router's IP address
  - DNS server's IP address
  - WINS server's IP address
  - DNS domain name

Lesson 4: DHCP Options

Levels of DHCP Options


Level of DHCP option          Description
Server level                  Applies to all DHCP clients that lease an IP address from the DHCP server
Scope level                   Available to clients that lease an address from that scope
Class level (User & Vendor)   Available to clients that identify themselves as belonging to a particular class
Reserved client level         Applies to specific clients
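Added example (not part of the course slides): a Python model that ties together the scope properties, the reservation lesson and the four option levels above. A scope is built from a network ID, an address range and an exclusion range, a reservation pins an address to a MAC, and options set at the server, scope, class and reserved-client levels are merged for a client. The Scope and DhcpServer classes and every address and option value are constructed; the precedence applied when the same option is set at several levels (reserved client over class over scope over server) is an assumption made for the example, and "MSFT 5.0" is the vendor class identifier Windows 2000/XP clients send.

```python
"""DHCP scope with exclusions and a reservation, plus option resolution.

Added example, not the course's own code. Scope, reservation and option
values are constructed; "MSFT 5.0" is the vendor class identifier Windows
2000/XP clients send. The precedence applied when the same option is set at
several levels is an assumption for this example: the most specific level
wins (reserved client, then class, then scope, then server).
"""
import ipaddress


def norm_mac(mac):
    """MAC as the DHCP console stores it: hex digits only, no hyphens."""
    return mac.replace("-", "").replace(":", "").upper()


class Scope:
    def __init__(self, name, network, first, last, lease_secs, exclusions=()):
        self.name, self.lease_secs = name, lease_secs
        self.network = ipaddress.IPv4Network(network)                 # network ID + subnet mask
        excluded = set()
        for lo, hi in exclusions:                                     # exclusion ranges
            excluded.update(range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1))
        self.pool = [ipaddress.IPv4Address(i)                         # IP address range minus exclusions
                     for i in range(int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last)) + 1)
                     if i not in excluded]
        self.options = {}              # scope-level options
        self.reservations = {}         # MAC -> reserved address
        self.reserved_options = {}     # MAC -> reserved-client-level options
        self.leases = {}               # MAC -> leased address

    def reserve(self, mac, ip, options=None):
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.network:
            raise ValueError(f"{ip} is not inside {self.network}")
        self.reservations[norm_mac(mac)] = addr
        if options:
            self.reserved_options[norm_mac(mac)] = dict(options)

    def lease(self, mac):
        """Hand out the reserved address for this MAC, else the first free pool address."""
        mac = norm_mac(mac)
        if mac in self.leases:
            return self.leases[mac]
        if mac in self.reservations:
            ip = self.reservations[mac]
        else:
            busy = set(self.reservations.values()) | set(self.leases.values())
            free = [ip for ip in self.pool if ip not in busy]
            if not free:
                return None                                           # scope exhausted
            ip = free[0]
        self.leases[mac] = ip
        return ip


class DhcpServer:
    def __init__(self):
        self.options = {}              # server-level options
        self.class_options = {}        # vendor/user class id -> options

    def resolve_options(self, scope, mac, class_id=None):
        """Merge the four option levels, least specific first so later levels override."""
        merged = dict(self.options)
        merged.update(scope.options)
        merged.update(self.class_options.get(class_id, {}))
        merged.update(scope.reserved_options.get(norm_mac(mac), {}))
        return merged


def demo():
    server = DhcpServer()
    server.options = {"dns_servers": ["192.168.1.2"], "domain_name": "nwtraders.msft"}
    server.class_options["MSFT 5.0"] = {"domain_name": "xp.nwtraders.msft"}
    scope_a = Scope("Scope A", "192.168.1.0/24", "192.168.1.10", "192.168.1.20", 8 * 3600,
                    exclusions=[("192.168.1.12", "192.168.1.14")])
    scope_a.options = {"router": "192.168.1.1"}
    scope_a.reserve("00-0C-29-AA-BB-CC", "192.168.1.15", options={"dns_servers": ["192.168.1.3"]})
    ws1 = scope_a.lease("00-0C-29-11-11-11")
    ws2 = scope_a.lease("00-0C-29-22-22-22")
    fps = scope_a.lease("000C29AABBCC")                 # same MAC in the console's spelling
    return (str(ws1), str(ws2), str(fps),
            server.resolve_options(scope_a, "00-0C-29-11-11-11", "MSFT 5.0"),
            server.resolve_options(scope_a, "00-0C-29-AA-BB-CC"))


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing when reading the result: the reserved address is never offered to other clients even though it lies inside the range, and the reserved-client DNS option overrides the server-level one only for that MAC, while the class-level domain name applies to every client that identifies itself as "MSFT 5.0".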

Lesson 4: DHCP Options

DHCP Server, Scope, and Reserved Client Options


Diagram: a DHCP server with Scope A (a Windows 98 client and a File and Print Server) and Scope B (Windows XP clients) behind a router, showing DHCP options applied at the server level, the scope level and the reserved-client level

Lesson 4: DHCP Options

DHCP Class-level Options


Diagram: the same network (DHCP server, router, Scope A with a Windows 98 client and a File and Print Server, Scope B with Windows XP clients), showing a DHCP option applied at the class level

Lesson 5: Configuring a DHCP Relay Agent

What is DHCP Relay Agent ?


A DHCP relay agent is a computer or router configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DHCP servers on different subnets

Diagram: clients on Subnet A and Subnet B broadcast to the DHCP relay agent, which unicasts to the DHCP server across routers that are not RFC 1542 compliant

Lesson 5: Configuring a DHCP Relay Agent

How a DHCP Relay Agent Works


Diagram: Client1, Client2 and Client3 on a subnet with a DHCP relay agent, separated by a non-RFC 1542 compliant router from the DHCP server
1. Client1 broadcasts a DHCPDISCOVER packet
2. Relay agent forwards the DHCPDISCOVER message to the DHCP server
3. Server sends a DHCPOFFER message to the DHCP relay agent
4. Relay agent broadcasts the DHCPOFFER packet
5. Client1 broadcasts a DHCPREQUEST packet
6. Relay agent forwards the DHCPREQUEST message to the DHCP server
7. Server sends a DHCPACK message to the DHCP relay agent
8. Relay agent broadcasts the DHCPACK packet

Lesson 5: Configuring a DHCP Relay Agent

How a DHCP Relay Agent Uses Hop Count


The hop count threshold is the number of routers that the packet can be transmitted through before being discarded

Diagram: a client request passes DHCP Relay Agent 1 and DHCP Relay Agent 2 (hop count = 2) on its way to the DHCP server

Lesson 5: Configuring a DHCP Relay Agent

How a DHCP Relay Agent Uses Boot Threshold


The boot threshold is the length of time in seconds that the DHCP relay agent will wait for a local DHCP server to respond to client requests before forwarding the request

Diagram: a DHCP relay agent with boot threshold = 10 seconds, a local DHCP server on the client's subnet, and DHCP Server 2 and DHCP Server 3 on remote subnets

Lesson 5: Configuring a DHCP Relay Agent

How to Configure a DHCP Relay Agent


1. Enable RRAS
2. Add the DHCP Relay Agent
3. Add a routing interface
4. Specify the IP address of the DHCP server
5. Apply the hop count and boot threshold
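Added example (not part of the course slides): a Python model of the forwarding decision a relay agent makes, using the two tunables from the preceding slides with the slide's values (hop count 2, boot threshold 10 seconds). The RelayAgent and ServerStub classes are written for the example, and the interpretation of the thresholds is an assumption: the relay reads the client's `secs` field (seconds since the client began acquiring an address) and does not forward until it exceeds the boot threshold, increments `hops` and discards a request that would exceed the hop-count threshold, and stamps its interface address into `giaddr` so the server can select a scope. All addresses are constructed.

```python
"""DHCP relay agent forwarding with a hop-count threshold and a boot threshold.

Added example, not the course's own code. The relay reads the `secs` field a
DHCP client puts in its request (seconds since it started trying) and does
not forward until that exceeds the boot threshold, so a local DHCP server
gets the first chance; it bumps the `hops` field and discards a request that
would exceed the hop-count threshold; and it stamps its own interface
address into giaddr so the server can pick the right scope. The server is a
stub that only records what reached it. The threshold semantics and every
address here are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    type: str
    mac: str
    secs: int = 0                  # client-reported seconds since it began acquiring an address
    hops: int = 0                  # incremented by every relay the packet passes through
    giaddr: str = "0.0.0.0"        # set by the first relay only
    trace: list = field(default_factory=list)


class ServerStub:
    """Records relayed requests and the scope it would answer from, chosen by giaddr."""

    def __init__(self, scopes):
        self.scopes = {ipaddress.IPv4Network(n): name for n, name in scopes.items()}
        self.received = []

    def receive(self, pkt):
        gi = ipaddress.IPv4Address(pkt.giaddr)
        scope = next((name for net, name in self.scopes.items() if gi in net), None)
        self.received.append((pkt.giaddr, pkt.hops, scope, list(pkt.trace)))
        return scope


class RelayAgent:
    def __init__(self, name, iface_ip, next_hops, hop_threshold=4, boot_threshold=4):
        self.name, self.iface_ip = name, iface_ip
        self.next_hops = next_hops              # DHCP servers (or further relays) to unicast to
        self.hop_threshold, self.boot_threshold = hop_threshold, boot_threshold

    def receive(self, pkt):
        """Returns (decision, forwarded packet or None)."""
        if pkt.secs < self.boot_threshold:
            return "wait", None                 # let a local DHCP server answer first
        if pkt.hops + 1 > self.hop_threshold:
            return "drop", None                 # crossed too many relays already
        fwd = Packet(pkt.type, pkt.mac, pkt.secs, pkt.hops + 1,
                     pkt.giaddr if pkt.giaddr != "0.0.0.0" else self.iface_ip,
                     pkt.trace + [self.name])
        for hop in self.next_hops:
            hop.receive(fwd)
        return "forward", fwd


def demo():
    server = ServerStub({"192.168.2.0/24": "Scope B", "192.168.3.0/24": "Scope C"})
    relay2 = RelayAgent("Relay Agent 2", "10.0.0.2", [server], hop_threshold=2, boot_threshold=0)
    relay1 = RelayAgent("Relay Agent 1", "192.168.2.1", [relay2], hop_threshold=2, boot_threshold=10)
    early = relay1.receive(Packet("DHCPDISCOVER", "000C29111111", secs=0))[0]     # within boot threshold
    late, fwd = relay1.receive(Packet("DHCPDISCOVER", "000C29111111", secs=12))   # forwarded via both relays
    strict = RelayAgent("Relay Agent 2 (strict)", "10.0.0.2", [server], hop_threshold=1, boot_threshold=0)
    dropped = strict.receive(Packet("DHCPDISCOVER", "000C29111111", secs=12, hops=1))[0]
    return early, late, dropped, fwd.giaddr, server.received


if __name__ == "__main__":
    print(demo())
```

The server-side record shows why giaddr is set only by the first relay: the server picks Scope B from 192.168.2.1, the client's subnet, even though the packet arrived from the second relay's 10.0.0.2 interface.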

Lesson 6: Configuring a DHCP client

Static and Dynamic IP Addresses


IP addresses can be:
- Static: addresses that are manually assigned and do not change over time
- Dynamic: addresses that are automatically assigned for a specific length of time and may be changed

Lesson 6: Configuring a DHCP client

DHCP Assigned Settings on the Client

Lesson 6: Configuring a DHCP client

Renewing an IP Address
1. The DHCP client sends a DHCPREQUEST (unicast) to the lease-holding DHCP server, which answers with a DHCPACK
2. If that fails, the DHCP client sends a DHCPREQUEST (broadcast) that reaches all DHCP servers (the lease-holding DHCP server, any other DHCP server, and non-DHCP servers also receive it), and a DHCP server answers with a DHCPACK

Lesson 6: Configuring a DHCP client

Manually Renew/Release an IP Address


To release and renew an IP address:
- Type ipconfig /release
- Type ipconfig /renew

To verify the address has been renewed:
- Type ipconfig /all
- Note the values for Lease Obtained and Lease Expires

Lesson 7: Using Alternate Configuration

How Alternate Configuration Assigns IP Addresses


Flowchart: how alternate configuration assigns IP addresses
1. The DHCP client attempts to locate a DHCP server. Server found?
   - Yes: the DHCP server assigns an address to the client
   - No: go to step 2
2. APIPA configured and enabled?
   - Yes: an APIPA address is assigned
   - No: go to step 3
3. User-configured alternate configuration specified?
   - Yes: the user-configured IP address is assigned
   - No: the user-configured IP address is not assigned

Lesson 7: Using Alternate Configuration

APIPA OR User Configured IP Addresses

Practice

1. Configure a DHCP scope
2. Configure a DHCP reservation
3. Configure DHCP options
4. Add and authorize a DHCP Server service

Practice

1. Configure a DHCP Relay Agent
2. Identify and resolve common issues when allocating IP addressing by using DHCP

Practice

1. Assign an IP address to a client (static IP, dynamic IP)
2. Release and renew an IP address
3. Configure an alternate configuration
4. Disable APIPA

Lesson 8: Managing a DHCP Database

Overview

Managing DHCP
What Is a DHCP Database?
How a DHCP Database Is Backed Up and Restored
How To Back Up and Restore a DHCP Database
How a DHCP Database Is Reconciled
How To Reconcile a DHCP Database

Lesson 8: Managing a DHCP Database

Managing DHCP
The DHCP service needs to be managed to reflect changes in the network and the DHCP server

Scenarios for managing DHCP:
- Managing DHCP database growth
- Protecting the DHCP database
- Ensuring DHCP database consistency
- Adding clients
- Adding new network service servers
- Adding new subnets

Lesson 8: Managing a DHCP Database

What is a DHCP Database


- The DHCP database is a dynamic database that is updated when DHCP clients are assigned or as they release their TCP/IP address leases
- The DHCP database contains DHCP configuration data, such as information about scopes, reservations, options, and leases
- Windows Server 2003 stores the DHCP database in the directory %Systemroot%\System32\Dhcp
- The DHCP database files include: DHCP.mdb, Tmp.edb, J50.log and J50*.log, Res*.log, J50.chk

Lesson 8: Managing a DHCP Database

How a DHCP Database Is Backed Up and Restored


Diagram: the DHCP server backs up the DHCP database to a local backup location and to offline storage, and can restore from either

In the event that the server hardware fails, the administrator can restore only from the offline storage location

Lesson 8: Managing a DHCP Database

How to Back Up and Restore a DHCP Database

- Apply guidelines when backing up and restoring a DHCP database
- Configure a DHCP database backup path
- Manually back up a DHCP database to the backup directory on a local drive
- Manually restore a DHCP database from the backup directory on a local drive

Lesson 8: Managing a DHCP Database

How to Reconcile a DHCP Database


Diagram: the DHCP server compares the detailed IP address lease information in the DHCP database with the summary IP address lease information in the registry to find inconsistencies, and reconciles inconsistencies in the DHCP database

Example
Summary information: Client has IP address 192.168.1.34
Detailed information: 192.168.1.34 is available
Reconciled DHCP database: Create an active lease entry

Lesson 8: Managing a DHCP Database

How to Reconcile a DHCP Database

- Prepare to reconcile a DHCP database
- Reconcile all scopes in a DHCP database
- Reconcile a scope in a DHCP database

Lesson 9: Monitoring DHCP

Overview
What Are DHCP Statistics?
How to View DHCP Statistics
What is a DHCP Audit Log File?
How DHCP Audit Logging Works
How to Monitor DHCP Server Performance by Using the DHCP Audit Log
Guidelines for Monitoring DHCP Server Performance
Common Performance Counters for Monitoring DHCP Server Performance
Guidelines for Creating Alerts for a DHCP Server

Lesson 9: Monitoring DHCP

What Are DHCP Statistics?

DHCP statistics represent statistics collected at either the server level or the scope level since the DHCP service was last started

Lesson 9: Monitoring DHCP

How to View DHCP Statistics


In these procedures, you will learn how to:
- Enable DHCP statistics to automatically refresh
- View DHCP server statistics
- View DHCP scope statistics

Lesson 9: Monitoring DHCP

What is a DHCP Audit Log File?


A DHCP audit log is a log of service-related events, such as when: the service starts and stops; authorizations have been verified; or IP addresses are leased, renewed, released, or denied

Lesson 9: Monitoring DHCP

How DHCP Audit Logging Works


Audit logging is the daily collection of DHCP server events into log files.

Daily cycle (at 12:00 am):
1. DHCP opens the daily audit log (for example DHCPSrvLog-Mon.Log): the DHCP server writes a header message in the audit log, indicating that logging has started
2. DHCP performs disk checks: disk checks ensure both the ongoing availability of server disk space and that the current audit log file does not become too large or grow too rapidly
3. DHCP closes the daily audit log: the DHCP server closes the existing log and moves to the log file for the next day of the week (for example DHCPSrvLog-Tue.Log)

Lesson 9: Monitoring DHCP

How to Monitor DHCP Server Performance by Using the DHCP Audit Log
In these procedures, you will learn how to:
- Enable and configure DHCP audit logging
- View the DHCP audit log
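Added example (not part of the course slides): a Python parser and monitor for the DHCP audit log described in the preceding slides, of the kind an administrator would run over the daily DHCPSrvLog files when following the "regularly check and monitor audit log files" guideline. The log layout and the event IDs used (00 log started, 01 log stopped, 10 new lease, 11 renew, 12 release, 13 address conflict, 14 scope exhausted, 15 lease denied) are the Windows Server 2003 DHCP audit log format as known to the editor, not something the slides state; the sample lines, hosts and addresses are constructed, and the burst threshold is an arbitrary starting point to be tuned against a baseline.

```python
"""Parser and monitor for a Windows DHCP server audit log.

Added example, not the course's own code. The Windows Server 2003 audit log
is a comma-separated file whose first field is an event ID (00 log started,
01 log stopped, 10 new lease, 11 renew, 12 release, 13 address conflict,
14 scope exhausted, 15 lease denied); the sample lines below are constructed
in that layout with made-up hosts and addresses. The monitor counts events,
surfaces the conflict/exhaustion/denial events worth acting on, and flags a
burst of new leases to many distinct MAC addresses, which a baseline would
not show and which merits investigation.
"""
import csv
import io
from collections import Counter
from datetime import datetime

EVENT_NAMES = {"00": "log started", "01": "log stopped", "10": "new lease", "11": "renew",
               "12": "release", "13": "address conflict", "14": "scope exhausted", "15": "lease denied"}
ALERT_IDS = {"13", "14", "15"}

# Constructed sample in the audit-log layout: ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,11/04/13,00:00:01,Started,,,,
10,11/04/13,08:15:02,Assign,192.168.1.10,ws1.nwtraders.msft,000C29111111,
11,11/04/13,08:16:40,Renew,192.168.1.11,ws2.nwtraders.msft,000C29222222,
13,11/04/13,08:20:05,Conflict,192.168.1.15,,,
10,11/04/13,09:00:00,Assign,192.168.1.16,,000C29AAAA01,
10,11/04/13,09:00:01,Assign,192.168.1.17,,000C29AAAA02,
10,11/04/13,09:00:02,Assign,192.168.1.18,,000C29AAAA03,
14,11/04/13,09:00:03,Scope Full,,,,
"""


def parse(text):
    """Rows as dicts; header, legend and blank lines (no numeric ID) are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or not rec[0].strip().isdigit():
            continue
        id_, date, time, desc, ip, host, mac = (rec + [""] * 7)[:7]
        rows.append({"id": id_.strip().zfill(2),
                     "when": datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"),
                     "desc": desc, "ip": ip, "host": host, "mac": mac.upper()})
    return rows


def summarize(rows):
    """Event counts by name, the quick view to compare against yesterday's log."""
    return Counter(EVENT_NAMES.get(r["id"], "other " + r["id"]) for r in rows)


def findings(rows, burst_window_secs=60, burst_threshold=3):
    """Events that need attention, as one line each."""
    out = []
    for r in rows:
        if r["id"] in ALERT_IDS:
            out.append(f"{r['when']:%H:%M:%S} {EVENT_NAMES[r['id']]} {r['ip']}".rstrip())
    assigns = [r for r in rows if r["id"] == "10"]
    for i, first in enumerate(assigns):                 # sliding window over new-lease events
        window = [a for a in assigns[i:] if (a["when"] - first["when"]).total_seconds() <= burst_window_secs]
        macs = {a["mac"] for a in window}
        if len(macs) >= burst_threshold:
            out.append(f"{first['when']:%H:%M:%S} {len(macs)} new leases to distinct MACs "
                       f"within {burst_window_secs}s")
            break
    return out


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for line in findings(parsed):
        print(line)
```

The burst check is the piece the counters on the next slides cannot give you: Requests/second rises during any busy morning, whereas many new leases to addresses that were never seen before, right before a "scope exhausted" event, points at either a misconfigured device or unexpected hosts on the segment and is worth correlating with the switch or 802.1X logs.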

Lesson 9: Monitoring DHCP

Guidelines for Monitoring DHCP Server Performance


- Create a baseline of performance data on the DHCP server
- Check the standard counters for server performance, such as processor utilization, paging, disk performance, and network utilization
- Review DHCP server counters to look for significant drops or increases that indicate a change in DHCP traffic

Lesson 9: Monitoring DHCP

Common Performance Counters for Monitoring DHCP Server Performance


Performance counter          What to look for after a baseline is established
Packets received/second      Monitor for sudden increases or decreases, which could reflect problems on the network
Requests/second              Monitor for sudden increases or decreases, which could reflect problems on the network
Active queue length          Monitor for increases, both sudden and gradual, which could reflect increased load or decreased server capacity
Duplicates dropped/second    Monitor for any activity, which could indicate that more than one request is being transmitted on behalf of clients

Lesson 9: Monitoring DHCP

Guidelines for Creating Alerts for a DHCP Server

- Define the acceptable level that a DHCP counter can rise above or fall below before creating an alert
- Use scripts with your alerts

Lesson 10: Applying Security Guidelines for DHCP

Overview

Guidelines for Restricting an Unauthorized User from Obtaining a Lease
Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses
Guidelines for Restricting Who Can Administer the DHCP Service
Guidelines for Securing the DHCP Database

Lesson 10: Applying Security Guidelines for DHCP

Guidelines for Restricting an Unauthorized User from Obtaining a Lease

To restrict an unauthorized user from obtaining a lease:
Ensure that unauthorized persons do not have physical or wireless access to your network
Enable audit logging for every DHCP server on your network
Regularly check and monitor audit log files
Use 802.1X-enabled LAN switches or wireless access points to control access to the network

Lesson 10: Applying Security Guidelines for DHCP


Guidelines for Restricting an Unauthorized, non-Microsoft DHCP Server from Leasing IP Addresses

To restrict an unauthorized, non-Microsoft DHCP server from leasing IP addresses:

Ensure that unauthorized persons do not have physical or wireless access to your network

Microsoft DHCP Server: only DHCP servers running Windows 2000 or Windows Server 2003 can be authorized in Active Directory

Unauthorized, non-Microsoft DHCP Server: non-Microsoft DHCP server software does not include the authorization feature that is included in Windows 2000 and Windows Server 2003

Lesson 10: Applying Security Guidelines for DHCP


Guidelines for Restricting Who Can Administer the DHCP Service

To restrict who can administer the DHCP service:

Restrict the membership of the DHCP Administrators group to the minimum number of users necessary to administer the service
If there are users who need read-only access to the DHCP console, then add them to the DHCP Users group instead of the DHCP Administrators group

DHCP Users group: has read-only DHCP console access to the server
DHCP Administrators group: can view and modify any data about the DHCP server

Lesson 10: Applying Security Guidelines for DHCP

Guidelines for Securing the DHCP Database


To further secure the DHCP database:
Consider changing the default permissions of the DHCP folder
Provide only the minimum permissions required for users to perform their task
Provide Read permissions to users responsible for analyzing DHCP server log files
Remove Authenticated Users and Power Users to minimize access to the files in the DHCP folder

Practice

Manage a DHCP database
Manage and monitor DHCP

Chapter 4: FTP

Chapter 4

File Transfer Protocol

Lessons

Lesson 1: Introduction to FTP
Lesson 2: Setting up an FTP Server
Lesson 3: Using FTP
Lesson 4: Securing FTP Service

Lesson 1: Introduction to FTP

What is FTP ?
Short for File Transfer Protocol, FTP is the protocol for exchanging files over the Internet. FTP works in the same way as HTTP (for transferring Web pages from a server to a user's browser) and SMTP (for transferring electronic mail across the Internet) in that, like these technologies, FTP uses the Internet's TCP/IP protocols to enable data transfer.
FTP is most commonly used to download a file from a server over the Internet or to upload a file to a server, for example to upload a Web page file to a server.

Lesson 1: Introduction to FTP

Figure: FTP client and FTP server exchanging files over the Internet

Lesson 1: Introduction to FTP

Architecture of the TCP/IP Protocol Suite

TCP/IP Protocol Suite (layers, top to bottom):
Application: HTTP, FTP, SMTP, DNS, RIP, SNMP
Transport: TCP, UDP
Internet: ARP, IP, IGMP, ICMP
Link: Ethernet, Token Ring, Frame Relay, ATM

Lesson 1: Introduction to FTP

Confusion
FTP is a TCP-based service exclusively; there is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports:
Command port: 21 (also known as the control port)
Data port: 20
The confusion begins, however, when we find that depending on the mode, the data port is not always port 20. One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them.
FTP modes:
Active mode (Active FTP)
Passive mode (Passive FTP)

Lesson 1: Introduction to FTP

Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (client initiates connection)
FTP server's port 21 to ports > 1024 (server responds to client's control port)
FTP server's port 20 to ports > 1024 (server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (client sends ACKs to server's data port)

Lesson 1: Introduction to FTP

Active FTP - Example

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server, it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client, something that is usually blocked.

Lesson 1: Introduction to FTP

Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode. In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

Lesson 1: Introduction to FTP

Passive FTP
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (client initiates connection)
FTP server's port 21 to ports > 1024 (server responds to client's control port)
FTP server's ports > 1024 from anywhere (client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (server sends ACKs and data to client's data port)

Lesson 1: Introduction to FTP

Passive FTP - Example

Lesson 1: Introduction to FTP

Passive FTP - Confusion


While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high-numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use. The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command-line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client. With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can be either good or bad depending on what the servers and firewalls are configured to support.

Lesson 1: Introduction to FTP

Summary
The following chart should help admins remember how each FTP mode works:

Active FTP:
  command : client port N (>1024)   -> server port 21
  data    : client port N+1 (>1024) <- server port 20
Passive FTP:
  command : client port N (>1024)   -> server port 21
  data    : client port N+1 (>1024) -> server port P (>1024)
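As an added example (not part of the original lesson), the following Python code decodes and encodes the h1,h2,h3,h4,p1,p2 form used by the PORT command and the 227 PASV reply, validates a PASV reply the way a cautious client should (same host as the control connection, port inside the administrator's configured range), and lists the server-side firewall channels each mode needs as described above. The passive port range, addresses and replies are constructed assumptions.

```python
"""Decode FTP PORT/PASV host-port tuples and derive per-mode firewall channels.

Added example for the active/passive FTP discussion; addresses and the
passive port range are constructed, not taken from any real server.
"""
import re

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20
UNPRIVILEGED_MIN = 1025  # the lesson's "N > 1024"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Parse h1,h2,h3,h4,p1,p2 (PORT argument or 227 reply) into (ip, port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # port is sent as two base-256 digits
    return ip, port


def encode_host_port(ip, port):
    """Inverse of decode_host_port: build the PORT argument for ip:port."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_pasv_reply(reply, server_ip, allowed_range):
    """Validate a '227 Entering Passive Mode (...)' reply defensively.

    The data connection must go to the same host the control connection
    talks to, and to a port inside the range the administrator configured
    (the lesson mentions WU-FTPD letting the admin restrict this range).
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply")
    ip, port = decode_host_port(reply)
    lo, hi = allowed_range
    if ip != server_ip:
        raise ValueError(f"PASV points at {ip}, expected {server_ip}")
    if not lo <= port <= hi:
        raise ValueError(f"PASV port {port} outside {lo}-{hi}")
    return ip, port


def server_firewall_channels(mode, passive_range=(49152, 65534)):
    """Channels the server-side firewall must allow, as (src, dst, note) triples."""
    high = f">{UNPRIVILEGED_MIN - 1}"
    chans = [
        ("any", f"server:{FTP_CONTROL_PORT}", "client opens control connection"),
        (f"server:{FTP_CONTROL_PORT}", f"client:{high}", "server replies on control connection"),
    ]
    if mode == "active":
        chans += [
            (f"server:{FTP_ACTIVE_DATA_PORT}", f"client:{high}", "server opens data connection to PORT target"),
            (f"client:{high}", f"server:{FTP_ACTIVE_DATA_PORT}", "client ACKs on data connection"),
        ]
    elif mode == "passive":
        lo, hi = passive_range
        chans += [
            ("any", f"server:{lo}-{hi}", "client opens data connection to PASV port"),
            (f"server:{lo}-{hi}", f"client:{high}", "server sends data and ACKs"),
        ]
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return chans


if __name__ == "__main__":
    print(decode_host_port("PORT 192,168,1,10,4,1"))
    for chan in server_firewall_channels("passive"):
        print(chan)
```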

Lesson 2: Setting up an FTP Server

Add/Remove Programs

Lesson 2: Setting up an FTP Server

Windows Components

Lesson 2: Setting up an FTP Server

Installing IIS

Lesson 2: Setting up an FTP Server

Installing FTP Service

Lesson 2: Setting up an FTP Server

IIS Manager

Lesson 2: Setting up an FTP Server

Creating an FTP Site

Lesson 2: Setting up an FTP Server

Creating an FTP Site

Lesson 2: Setting up an FTP Server

Creating an FTP Site

Lesson 2: Setting up an FTP Server

Creating an FTP Site

Lesson 2: Setting up an FTP Server

Creating an FTP Site

Lesson 2: Setting up an FTP Server

FTP Administration

Lesson 3: Using FTP

Using Command Prompt

Lesson 3: Using FTP

Using Command Prompt

Lesson 3: Using FTP

Check FTP service

Lesson 3: Using FTP

FTP

1. Using the Run command
2. Using Internet Explorer

Lesson 3: Using FTP

Using Total Commander

Lesson 3: Using FTP

Using Total Commander

Lesson 3: Using FTP

AceFTP

Download and try to use AceFTP

Lesson 4: Securing FTP Service

Permissions

Lesson 4: Securing FTP Service

FTP Properties Directory Security

Lesson 4: Securing FTP Service

Gene FTP Server (secure FTP Server)

Try to deploy Gene FTP Server

Chapter 5
EMAIL SERVICE

EMAIL SERVICE
PROTOCOLS IN A MAIL SYSTEM.
BASIC CONCEPTS.
SOME COMMON MAIL SYSTEMS.
MAIL SERVER PROGRAMS.
INSTALLING EXCHANGE SERVER 2003.
CONFIGURING EXCHANGE MAIL SERVER.
INTRODUCING EXCHANGE SYSTEM MANAGER.
STARTING SERVICES IN EXCHANGE.
MANAGING MAIL ACCOUNTS.
ADMINISTRATIVE GROUP.
MICROSOFT OUTLOOK WEB ACCESS.
SETTING POLICIES FOR THE MAIL SYSTEM.
MANAGING PUBLIC FOLDERS AND MAILBOXES.
UTILITIES NEEDED FOR MAIL.

PROTOCOLS IN A MAIL SYSTEM

SMTP protocol.
X.400 protocol.
POP protocol.
IMAP protocol.

SMTP PROTOCOL

SMTP (Simple Mail Transfer Protocol) is a reliable protocol responsible for delivering mail.
SMTP is defined in RFC 821. SMTP is a reliable, connection-oriented service; it operates on top of the TCP protocol, using port number 25.

SMTP command set:
helo <sending-host>
Mail from:<from-address>
Rcpt to:<to-address>
Data
Quit
To use these commands, use the telnet command with the port number:
TELNET <MAILHOST> 25

Example: telnet 172.29.14.10 25

SMTP PROTOCOL (cont.)

Diagram illustrating the store-and-forward technique and the direct delivery mechanism in a mail system.

POP PROTOCOL

Two versions of POP (Post Office Protocol) are widely used: POP2 and POP3.

POP2 uses port 109; POP3 uses port 110.

The commands in POP2 and POP3 are not the same, but both perform the same basic functions:
check the user's login name and password
transfer the user's mail from the server to the system on which the user reads mail (the mail client)

POP PROTOCOL (cont.)

Commands used in POP3:

USER username
PASS password
STAT : show how many messages are in the mailbox
RETR n : read message n
DELE n : delete message n
QUIT

To use these commands, use the telnet command with the port number:

TELNET <MAILHOST> 110

Example: telnet 172.29.14.10 110


BASIC CONCEPTS

Mail User Agent (MUA): the program used to read and compose mail.
Mail Transfer Agent (MTA):
the program that transfers mail between mail servers using the SMTP protocol. It receives mail from the MUA and then forwards it to another MTA.

Mailbox:
the file that stores all of a user's mail. When mail arrives for the user, the local server's mail processing program delivers it into the mailbox.

Mail alias:
Delivers to the same person through several mail addresses
Delivers to several people through one mail address

INTRODUCING THE MAIL SYSTEM

Organization diagram

BASIC CONCEPTS

Mail Gateway: a machine connecting networks that use different protocols, or different networks that share the same protocol.
Mail Host:
An intermediate component that transfers mail between locations that are not directly connected to each other. It resolves the recipient address in order to forward mail to the corresponding mail server or gateway.

Mail Server:
Holds users' mailboxes. Receives mail from the Mail Host and places it in the user's mailbox. Supports POP/IMAP, allowing users to download mail to their local machine through a POP/IMAP-capable mail client.

Mail Client: the program used to read and compose mail, integrating the SMTP and POP/IMAP protocols.

INTRODUCING THE MAIL SYSTEM (cont.)

Delivery process for the address someone@example.com:

1. An email is submitted to the address someone@example.com.
2. The SMTP service resolves the e-mail domain example.com, then forwards the mail to the Internet mail server.
3. The e-mail is routed to the domain example.com, which is managed by the host mailserver1.example.com.
4. The SMTP service places this email in the mail queue (Queue folder). The delivery system then announces new mail for the domain example.com.
5. The delivery system moves the e-mail into the user's mailbox (P3_someone.mbx).
6. The user checks e-mail by connecting to the mailbox of the user someone@example.com. The POP3 service checks the username and password to accept or refuse the user's connection.
7. If the user's authentication succeeds, the e-mail is downloaded to the user's local computer.

MAIL PROGRAMS

Microsoft Exchange Server.
Mdaemon
Sharemail
Sendmail

INSTALLING EXCHANGE SERVER 2003

MAIN VERSIONS OF EXCHANGE SERVER

Exchange Server 5.5
Runs on Windows NT 4 Server and Windows 2000 Server with a service pack applied. Does not require Active Directory, but can replicate data to Active Directory using the Active Directory Connector (ADC).

Exchange 2000 Server.

Windows 2000 Server (with Service Pack 1 or higher). Can be installed on a member server or a domain controller.

Exchange Server 2003.

Windows 2000 Server (SP3 or SP4 required), Windows Server 2003. Can be installed on a member server or a domain controller.

INSTALLING EXCHANGE SERVER 2003 (cont.)

Component | Recommended requirement
Processor (CPU) | Pentium III 500 (Exchange Standard Edition); Pentium III 733 (Exchange Enterprise Edition)
Operating system (OS) | Windows Server 2003
Memory | 512MB
Disk space | 200MB on the system disk, 500MB on the disk where Exchange is installed
File system | All partitions related to Exchange must be formatted as NTFS

Besides the software requirements, the following system services must also be installed:
Microsoft .NET Framework.
Microsoft ASP.NET.
World Wide Web service.
Simple Mail Transfer Protocol (SMTP) service.
Network News Transfer Protocol (NNTP) service.

INSTALLING EXCHANGE SERVER 2003 (cont.)

Installation process
Demo

CONFIGURING EXCHANGE SERVER

Starting the Exchange services.
Introducing Exchange System Manager.
Managing mail accounts.
Administrative group.
Configuring and using OWA.
Setting up mail delivery rules.
Managing public folders and mailboxes.
Necessary Exchange Server utilities.

STARTING THE SERVICES IN EXCHANGE

Some services that must be started when using Exchange:

Microsoft Exchange Event.
Microsoft Exchange IMAP4.
Microsoft Exchange Information Store.
Microsoft Exchange Management.
Microsoft Exchange MTA Stacks.
Microsoft Exchange POP3.
Microsoft Exchange Routing Engine.
Microsoft Exchange System Attendant.
Microsoft Exchange Site Replication Service.

STARTING THE SERVICES IN EXCHANGE (cont.)

Starting the Microsoft Exchange POP3 service.

Demo

Account management
Creating a mail account (see demo). Exchange mail uses the system's accounts as mail accounts; each user has exactly one account, identified by two parameters, username and password. The user's e-mail address has the following syntax: <username>@<domain>
Accessing the properties of a mail account (see demo):
Exchange General.
Email Addresses.
Exchange Features.
Exchange Advanced.
Some account tasks (see demo):
Create mailbox.
Move mailbox.
Delete mailbox.
Configure Exchange Features.
Remove Exchange Attributes.

Microsoft Outlook Web Access

Outlook Web Access (OWA): lets users use mail through a Web browser; supports e-mail, calendar, contact management, server-side rules, spell checking, junk mail processing, ...

Microsoft Outlook Web Access (cont.)

OWA storage folders:
Exchsrvr\Bin
Exchsrvr\Exchweb\Bin
Exchsrvr\Exchweb\Controls
Exchsrvr\Exchweb\Img
Exchsrvr\exchweb\help
Exchsrvr\exchweb\views

OWA virtual directories:
Exchange, Exadmin, Public, Exchweb, OMA and Microsoft-Server-Active-Sync

Using OWA (see demo)

INTRODUCING Exchange System Manager.

Introducing the main components of Exchange System Manager (see demo):
Global Settings
Recipients
Administrative Groups
Tools

Administrative group
Administrative group: a group of Exchange objects that share certain common permissions. Through the Administrative group one grants rights to use public folders, sets storage policies, manages the mailbox servers in the same site, ...
Routing group
System policy
Public folder

Routing group
Routing group: a group of Exchange Servers connected point-to-point with each other, forming a message topology that specifies how mail is transferred between the Exchange Servers.

Connectors are used to link the Exchange servers together, forming a routing topology; these connectors include the SMTP connector and the X.400 connector. A routing group is a child component of the administrative group and is always created inside an administrative group.

Factors to consider when creating a routing group:

Ensure the stability of the network connection.
The bandwidth needed to establish on-demand connections between the servers.
The need to schedule connections between the servers.
The need to control the transfer of large messages (>=10MB).
The need to limit connections per user.

Routing group (cont.)

Routing group architecture

Connecting mail servers through connectors

Administrative group & Routing group

Accessing and configuring the administrative group and routing group (see demo)

SETTING POLICIES FOR THE MAIL SYSTEM

Setting up mail filters (see demo).
Connection Filtering: sets filter rules for connections from a host, network or domain.
Recipient Filtering: sets rules filtering sender addresses (sender).
Sender Filtering: sets rules filtering recipient addresses (recipient).
Relay Mail (see demo). Mail relaying is the technique of accepting and processing mail that a given host/subnet/domain sends into the internal SMTP Virtual Server. The reason the SMTP Virtual Server defines relay restrictions is to prevent unwanted spam mail from outside being sent through the internal mail server, or to let us configure the mail server as a mail gateway for other mail servers.
Specifying a smart host (see demo). Specifies the Mail Gateway or the machine that will receive and process mail for e-mail addresses in external domains. Exchange Server provides a mechanism to send mail outward through the connectors in the routing group; if both a connector and a smart host are configured, the mail server gives priority to handing the mail to the connector.
Specifying the delivery/receive size for each message (see demo). Allows limiting the sending and receiving size of mail for the mail server to reduce the system's processing load and avoid congestion, ...
Specifying policies for recipients (see demo).
E-mail address generation policy for the domain.
Mailbox management policy.

MANAGING PUBLIC FOLDERS AND MAILBOXES

Managing the Public Folder Store (see demo)
A folder containing shared information. This information is usually e-mail containing multimedia clips, text documents, spreadsheets... Some Public Store management operations:
Set storage limits for the public folder.
Synchronize storage.
Create a public folder.
Grant users access rights to the public folder.

Managing the Mailbox Store: provides a mechanism for managing and monitoring users' mail storage (see demo)
Monitor user logons
Monitor and report statistics for each user's mailbox.
Delete a user's mailbox.
Mount and dismount the mailbox store.
Set storage limits for a mailbox.

NECESSARY UTILITIES FOR EXCHANGE SERVER

GFI MailEssentials: supports mail administration tasks such as:

Anti spam
Mail archiving to a database.
Reporting.
Personalized server-based auto replies with tracking number.
POP3 downloader
Mail monitoring

GFI MailSecurity: supports security features for the mail system such as:

Checking and filtering mail content
Providing a mail content analyzer
Automatically removing HTML scripts
Virus scanning
Trojan and executable scanner

Questions and answers

Chapter 06
WEB SERVICE

WEB SERVICE
INTRODUCING THE WEB SERVICE
CONFIGURING THE WEB SERVICE

INTRODUCING THE WEB SERVICE

INTRODUCING THE HTTP PROTOCOL.
WEB SERVER AND OPERATING PRINCIPLES.
WEB CLIENT.
DYNAMIC WEB.
STATIC WEB.
INTRODUCING IIS 6.0.
INSTALLING THE IIS 6.0 WEB SERVICE
CONFIGURING THE IIS 6.0 WEB SERVICE

INTRODUCING THE HTTP PROTOCOL

HTTP is a protocol that allows Web browsers and servers to communicate with each other; it standardizes the basic operations that a Web server must be able to perform.
HTTP mainly implements two methods, GET and POST. The default HTTP port is 80. Information returned from the server follows the syntax of the HTML language. The current version is HTTP 1.1.

WEB SERVER AND OPERATING PRINCIPLES

Diagram of the interaction between Web Browser and Web Server

WEB CLIENT

The Web browsing program on the user's side, such as Internet Explorer or Netscape, which displays Web pages for the user.
A Web client can perform some simple operations on a Web page: execute client-side scripts such as JavaScript, VBScript, ...; cache objects and images for the Web page; integrate security features.

DYNAMIC WEB

Diagram of how a dynamic Web site operates

INTRODUCING IIS 6.0
IIS 6.0 is built on Windows 2003. IIS 6.0 provides a number of new features that improve reliability, manageability and security. Main components of IIS 6.0:
HTTP.sys: manages TCP connections, queues HTTP requests, and caches responses in memory

WWW Service Administration and Monitoring Component.
Worker process: processes requests and returns results for the Web application

INTRODUCING IIS 6.0 (cont.)

Security features provided:
Anonymous authentication
Basic authentication
Digest authentication
Integrated Windows authentication
Certificates
.NET Passport Authentication

Application support provided:
Application Pool: a group of applications sharing a worker process
ASP.NET: provides services for building and deploying Web applications and XML Web services

Administration tools:

IIS Manager.
Remote Administration (HTML) Tool.
Command-line administration scripts

Installing the IIS 6.0 Web service

Demo: installing IIS 6.0

Configuring the IIS 6.0 Web service

Default Web site.
Application Pool.
Web Service Extensions.
Creating a Web site.
Creating a virtual directory.
Configuring security for a Web site.
Creating Web hosting.
Configuring a forum for a Web site.
Administering a Web site remotely.
Backing up and restoring the configuration.

Default Web site.

Exploring some basic configuration tabs of the Default Web site.
Demo

Application Pool
An Application Pool is a group of applications sharing one worker process (W3wp.exe). The Application Pool lets you tune the recycling of virtual memory, the recycling of the worker process, performance (request queue, CPU), and health.
Demo

Web Service Extensions

Web Service Extensions: the component that gives IIS the ability to execute dynamic Web processing on a Web site:
ASP
ASP.NET
Server Side Includes
WebDAV

Creating a Web site
Some information must be prepared when creating a Web site:
Web site name (for example: www.domain)
Type of content of the Web site:
Which language is the dynamic Web site written in: ASP, ASP.NET, PHP, ...? Where is the dynamic Web site's database stored? How does the dynamic Web site connect to its database?

Demo: creating a Web site.

Creating a Web site from the command line:

iisweb.vbs /create <Home Directory> "Site Description" /i <IP Address> /b <Port>

Creating a virtual directory
Virtual Directory:
The purpose of a virtual directory on the Web is to map a resource from a physical directory path to a URL path, so that the resource can be accessed through a Web browser.

Demo: creating a Virtual Directory

Configuring security for a Web site

Configuring authentication and access control (Authentication And Access Control)
Restricting Web access by host/domain (IP address and domain name restrictions).
Secure communication.

Demo: configuring Web site security.

Creating Web hosting
Web hosting: the technique of maintaining multiple Web sites on one Web server.
To identify each Web site, the Web server must rely on parameters such as:
Host Header Name.
IP address.
Port number.

To configure Web hosting, prepare the following information:

The FQDN for each Web site.
The method used to create the Web hosting.
Granting users the right to update their Web hosting.

Demo: creating Web hosting.

Configuring a forum for a Web site

Introducing a trial installation of Snitz(TM) Forums 2000 Version 3.4.05
Basic installation steps:
Unzip the file sf2k_v34_051.zip. Then open the file config.asp (with the notepad utility) and change the configuration settings for the connection to the MS Access database file named snitz_forums_2000.mdb (the Jet OLE DB provider's key is "Data Source", written with a space):
strDBType = "access"
strConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("snitz_forums_2000.mdb")

Grant everyone FULL permissions on the forum folder. Create an Application Pool for the forum and grant script execution rights.

Demo: configuring the forum.

Administering a Web site remotely

IIS provides a mechanism for administering the Web service, and some basic system features, remotely by using the Remote Administration (HTML) tool. With Remote Administration you can:
Manage and configure Web sites remotely.
Manage the network configuration.
Manage local users.
Manage and maintain some basic services.

Demo: remote Web administration

Questions and answers

Chapter 7
PROXY SERVICE

PROXY SERVICE
Introducing FIREWALLs.
Overview of FIREWALLs.
FIREWALL architectures.
FIREWALL classification and operating principles.
Introducing the ISA software.
Installing ISA 2004.
Configuring ISA 2004.
Default policies.
Configuring the Web Proxy.
Changing the properties of an access rule.
Publishing network services.
Publishing a Web server.
Publishing a mail server.
Publishing a server.
Checking and setting up application filters.
Setting up application filters.
Setting up Web filters.
Detecting and blocking some types of attacks.
Introducing some security tools.
Download Security.
Surfcontrol Web Filter.
Setting up Network Rules.
Setting up the Cache; managing and monitoring traffic.

Overview of FIREWALLs

A FIREWALL is a technique integrated into a network system in order to:

Block unauthorized access.
Protect resources.
Limit intrusion into the system.

Tasks of a FIREWALL
Control network traffic. Allow only necessary traffic to pass through the FIREWALL.

Network security management software usually performs three tasks:

Authentication management.
Authorization management.
Accounting management.

FIREWALL architectures

Dual-homed Host architecture

FIREWALL architectures (cont.)

Screening Router architecture

FIREWALL architectures (cont.)

Screened Subnet architecture

FIREWALL classification and operation

Packet filtering
Source IP address.
Destination IP address.
Source TCP port.
Destination TCP port.

Application gateway
A type of FIREWALL designed to strengthen control over the kinds of service, based on the protocols that are allowed to access the network; the Application Gateway operates on the Proxy Service model. The filtering mechanism of packet filtering combined with the proxying mechanism of the application gateway provides safer and more flexible control, especially over access from outside. The drawback of a packet-filtering mechanism based on the proxy service model is that applications are now developing very quickly, so if the proxies cannot keep up with the applications, the security risk increases.

FIREWALL classification and operation (cont.)

Proxy service used in a Dual-homed Host

Introducing Proxy Server software

On Windows:

ISA.
Netscape.
Wingate.
Winroute.

On Unix/Linux:

Squid Proxy Server.
Socks Proxy Server.

Introducing Internet Security and Acceleration Server (ISA)

Internet-sharing software from Microsoft. The latest version is ISA 2004. ISA 2004 has the following advantages:
Efficient operation.
Stability.
Easy to configure.
Good FIREWALL setup.
Fast network access thanks to intelligent caching.
Schedule Cache.
Multi-Networking.
VPN setup.
Application Layer Filtering.

Installing ISA 2004
Installation requirements:
Component | Recommended requirement
Processor (CPU) | Intel or AMD, 500 MHz or higher.
Operating system (OS) | Windows 2003 or Windows 2000 (Service Pack 4).
Memory | 256 MB or 512 MB for a system without Web caching; 1 GB for Web-caching ISA firewalls.
Disk space | The disk where ISA is installed must use the NTFS file system; at least 150 MB is needed for ISA.
NIC | At least one network card (two NICs recommended).

Installing ISA 2004 (cont.)

Installation methods:
Installing ISA on a server with only one network card (called a Unihomed ISA Firewall) supports only HTTP, HTTPS and HTTP-tunneled (Web-proxied) FTP. In that case ISA does not support several functions:
SecureNAT client.
Firewall Client.
Server Publishing Rules.
Remote Access VPN.
Site-to-Site VPN.
Multi-networking.
Application-layer inspection (except for the HTTP protocol).

An ISA Firewall is usually deployed on a dual-homed host (a server with two Ethernet cards) or a multi-homed host (a server with several network cards). This means the ISA server can run all of its features, such as ISA Firewall, SecureNAT, Server Publishing Rules, VPN, ...

Demo: installing ISA 2004

Configuring the ISA FIREWALL

Default policies.
Configuring the Web Proxy.
Changing the properties of an access rule.
Publishing network services.
Publishing a Web server.
Publishing a mail server.
Creating a server publishing rule.
Checking and setting up application filters.
Setting up application filters.
Setting up Web filters.
Detecting and blocking some types of attacks.
Setting up Network Rules.
Setting up the Cache.
Managing logs and monitoring traffic.
Introducing some security tools.
Download Security.
Surfcontrol Web Filter.

Default configuration information
Some points to note:

The System Policies provide 30 rules and a Last Default rule that implicitly denies all other traffic.
The system processes these rules in top-down order. Once a packet matches the condition of a rule, the remaining rules are skipped. If the packet matches none of the first 30 rules, it is passed down to the Last Default rule for processing.

Routing is allowed between the VPN/VPN-Q networks and the Internal network. NAT is allowed between the Internal network and the External network. Only the Administrator can change the security policy of the ISA firewall.

Demo: the default configuration information.

Configuring the Web Proxy for the ISA Firewall

An important point to note: by default, rule 17 of the ISA FIREWALL's System policy rules allows only Localhost to access the Internet Web sites predefined in the Domain Name Sets, such as:
*.windows.com
*.windowsupdate.com
*.microsoft.com
If you want the ISA Firewall itself to reach any external Web site, you must enable rule 18 of the System policy rules. If you want all machines in the internal network (Internal Network) to access Internet Web sites through the ISA Firewall, you must create an Access rule allowing outbound traffic from Internal to External. The ISA Firewall must be able to resolve all external Internet domain names.
Demo: configuring the Web Proxy for the ISA Firewall (localhost) and for the internal network (Internal network). Steps performed in the demo:
Use the local browser to access a Web site to test rule 17.
Enable rule 18 and test rule 18 (using the local browser).
Create an Access Rule allowing internal network traffic to reach the external network.
Use a browser on the internal network to access the external network.
If the ISA Firewall cannot reach the Internet directly, the Upstream Server parameter must also be set so that requests are forwarded to the parent proxy (see the demo on specifying the parent proxy).

Changing the properties of an Access Rule

Usually you open the properties dialog of an Access Rule to check or change the conditions set earlier. Some settings that can be changed:
Enable/Disable the Access rule
Actions:
Deny/Allow.
Redirect HTTP requests to this Web page.
Log requests matching this rule.

Protocol
Source address (From)
Destination address (To)
Users allowed to access (Users)
Access schedule (Schedule)
Type of content accessed (Content Types)

Demo: changing the properties of a rule.

Publishing network services

Publishing services: a technique for publishing internal services to the Internet through the ISA Firewall. Through the ISA Firewall you can publish the following services:
SMTP, NNTP, POP3, IMAP4, HTTP, OWA, FTP, Terminal Services, ...

Publishing Web services

Web Publishing is sometimes called a 'reverse proxy': the ISA Firewall acts as a Web Proxy that receives Web requests from outside and then forwards them to the internal Web service for processing:
Provides delegated access to the Web site through the ISA firewall.
Redirects according to the Web site access path (Path redirection).
Reverse caching of the published Web site.
Allows several Web sites to be published through one IP address.
Can rewrite URLs using the ISA firewall's Link Translator.
Sets up security and supports access authentication for the Web site (SecurID authentication, RADIUS authentication, Basic Authentication).
Provides forwarding by port and protocol.

Web Publishing model

Figure (as printed): Internet -> ISA External Adapter 131.107.3.1 -> ISA Internal Adapter 192.168.9.1 6 -> Internal Network -> Web Server www.vnn.vn

Configuring Web Publishing

Demo: configuring Web Publishing

Configuring Mail Publishing

Demo: configuring Mail Publishing.

Creating a Server Publishing rule

Publishing a server is similar to publishing a Web or mail server, except that you choose the protocol to be published. When publishing a server, prepare the following parameters:
Which protocol is to be published?
The IP address on the ISA firewall that accepts the incoming connection.
The IP address of the internal published server (the Protected Network server).

Steps for creating a published server

Configuring the Server Publishing Rule

Demo: configuring the Server Publishing Rule

Kim tra v thit lp b lc

ISA Firewall thc thi hai chc nng quan trng stateful filtering v stateful application layer inspection.
stateful filtering: kim tra v thit lp b lc ti tng network, transport. Stateful filtering thng c gi l b kim tra trng thi packet (stateful packet inspection). Stateful application layer inspection: yu cu Firewall c th kim tra y thng tin trn tt c cc tng giao tip bao gm hu ht cc tng quan trng v application layer trong m hnh tham chiu OSI.

Thit lp b lc cho ng dng (Application Filtering). Thit lp b lc Web. Pht hin v ngn nga tn cng.

Inspection and filter configuration (cont.)


Application filtering
The ISA firewall provides application filters to protect published servers against some attacks from outside the network. To adjust a filter, select Add-ins in the Configuration panel, then double-click the name of the filter to edit. Some application filters worth noting:
SMTP filter and Message Screener: the SMTP filter and Message Screener protect the published SMTP server against buffer overflow attacks, and the SMTP Message Screener protects the internal network by blocking unwanted e-mail messages.
DNS filter: filters the DNS service to defend against some attacks from outside the network.
POP Intrusion Detection filter: defends against buffer overflow attacks.
SOCKS V4 filter: provides the SOCKS proxy service.

Demo: configuring filters for some applications.

Inspection and filter configuration (cont.)


Web application filters include:
HTTP Security Filter: one of the main application filtering techniques. The HTTP Security filter lets the ISA Firewall perform application layer inspection on all HTTP traffic passing through the ISA firewall and block connections that do not match the requirements described in the HTTP security policy.
ISA Server Link Translator: a technique built into the ISA Firewall Web filter that rewrites URLs for connections from external users to the internally published Web site.
RADIUS Authentication Filter.
OWA Forms-based Authentication Filter.

Demo: configuring Web filters.

Inspection and filter configuration (cont.)

Detecting and preventing some types of attacks:


Some types of attacks:
Denial-of-Service Attacks: SYN Attack/LAND Attack, Ping of Death, Teardrop, Ping Flood (ICMP Flood), SMURF Attack, UDP Bomb, UDP Snork Attack, WinNuke (Windows Out-of-Band Attack), Mail Bomb Attack, Scanning and Spoofing, Port Scan.

Demo: configuring protection against some attacks.

Configuring Network Rules

Purpose of Network Rules:

Routing. NAT.

By default the system creates Network Rules that establish routing (route) between two networks or address translation (NAT): Local Host Access: routes traffic from the local host to the internal network. VPN Client to Internal Network: routes traffic from VPN clients to the internal network. Internet Access: NAT from the internal network to the Internet.

Configuring Network Rules (cont.)

Network Rule model

Configuring Network Rules (cont.)

Demo: configuring a Network Rule

Configuring the Cache
Caching: storing objects downloaded from the Internet so that they can be reused for later requests.
Benefits of caching:
Faster Internet access for users. Less load on the Internet link. Higher availability of Web content.

Forward caching: reduces the load on the Internet link by storing frequently-accessed Internet Web objects on the internal network, so local users can use these objects without sending a request to the Internet server. Reverse caching: reduces the load on the local link and speeds up Web access for external users when the company hosts its own Web site on the internal network. Frequently-requested objects from the local Web server are cached at the network edge on the proxy server, so external users get them faster.

Configuring the Cache (cont.)

Demo: configuring the proxy cache

Log management and traffic monitoring.


Important functions of a firewall include:
Monitoring. Reporting on events occurring in the system. Alerts. Access logging.

Demo: log management and traffic monitoring

Questions and answers

Chapter 08

Frame Mode MPLS Implementation

Objectives

Describe the MPLS conceptual model with data and control planes, and describe the function of the MPLS label
Describe how labels are allocated and distributed in a frame mode MPLS network, and describe how IP packets cross an MPLS network
Describe the steps that are required to successfully implement MPLS
Explain the evolution of MPLS VPNs, and describe MPLS VPN routing and packet flow

Table of Content
1 Introducing MPLS Networks
2 Assigning MPLS Labels to Packets
3 Implementing Frame Mode MPLS
4 Describing MPLS VPN Technology

Lesson 01

Introducing MPLS Networks

Objectives

Identify the elements of the MPLS conceptual model
Describe the router switching mechanisms
Describe the MPLS data and control planes
Identify the structure of an MPLS label and its format
Explain the function of different types of LSRs in MPLS networks
Explain the interactions between the control plane and the data plane in an LSR that enable the basic functions of label switching and forwarding of labeled packets to occur

The MPLS Conceptual Model

VPN Topologies

Basic MPLS Features

MPLS is a switching mechanism in which packets are forwarded based on labels.
Labels usually correspond to IP destination networks (equal to traditional IP forwarding).
Labels can also correspond to other parameters: Layer 3 VPN destination, Layer 2 circuit, outgoing interface on the egress router, QoS, source address.
MPLS was designed to support forwarding of non-IP protocols as well.

Basic MPLS Concepts Example

Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels.

Router Switching Mechanisms

Cisco IOS Platform Switching Mechanisms

The Cisco IOS platform supports three IP switching mechanisms:


Routing table-driven switching (process switching): Full lookup is performed at every packet
Cache-driven switching (fast switching): Most recent destinations are entered in the cache; first packet is always process-switched
Topology-driven switching: CEF (prebuilt FIB table)

Standard IP Switching Review

CEF Switching Review

MPLS Architecture

Major Components of MPLS Architecture

Control plane: Exchanges routing information and labels
Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP
Exchanges labels, such as LDP, BGP, and RSVP
Data plane: Forwards packets based on labels
Has a simple forwarding engine

Control Plane Components Example

Information from control plane is sent to data plane.

MPLS Labels

MPLS Labels

MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol. MPLS uses a 32-bit label field that is inserted between Layer 2 and Layer 3 headers (frame mode MPLS). MPLS over ATM uses the ATM header as the label (cell mode MPLS).

Label Format

MPLS uses a 32-bit label field that contains this information:


20-bit label
3-bit experimental field
1-bit bottom-of-stack indicator
8-bit TTL field

Label Stack

Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header. Bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header. Receiving router uses the top label only.
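The label format and label stack described above, as an added example (not code from the original slides): the 32-bit entry is packed in network byte order, a stack is read until the bottom-of-stack bit is set, and a core LSR rewrites only the top label. The sample labels 28 and 100 and the trailing IPv4 bytes are constructed.

```python
import struct

# Added example, not from the original slides: encode and decode the 32-bit
# MPLS label stack entry (label 20 bits, EXP 3 bits, bottom-of-stack 1 bit,
# TTL 8 bits), in network byte order. Sample values are constructed.

def encode_label(label, exp=0, bottom=False, ttl=64):
    """Pack one label stack entry into 4 bytes."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("exp is 3 bits and ttl 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)

def decode_label(entry):
    """Unpack 4 bytes into (label, exp, bottom_of_stack, ttl)."""
    (word,) = struct.unpack("!I", entry)
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF

def encode_stack(entries):
    """Encode (label, exp, ttl) tuples top first; only the last gets S=1."""
    last = len(entries) - 1
    return b"".join(encode_label(lbl, exp, i == last, ttl)
                    for i, (lbl, exp, ttl) in enumerate(entries))

def parse_stack(payload):
    """Read entries until the bottom-of-stack bit is set, as a receiving
    router would. Returns (entries, offset of the Layer 3 header)."""
    entries, offset = [], 0
    while True:
        if len(payload) < offset + 4:
            raise ValueError("truncated label stack")
        entry = decode_label(payload[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry[2]:           # bottom of stack: next header is Layer 3
            return entries, offset

def swap_top_label(payload, new_label):
    """Core LSR behaviour: rewrite only the top label and decrement its TTL;
    the rest of the stack and the IP packet are untouched."""
    label, exp, bottom, ttl = decode_label(payload[:4])
    if ttl <= 1:
        raise ValueError("TTL expired")
    return encode_label(new_label, exp, bottom, ttl - 1) + payload[4:]

# Constructed two-label stack: top label 28, bottom label 100, followed by
# the first bytes of an IPv4 header (version 4, IHL 5).
SAMPLE = encode_stack([(28, 0, 255), (100, 0, 255)]) + b"\x45\x00"
```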

Frame Mode MPLS

Label Switch Routers

Label Switch Routers

LSR primarily forwards labeled packets (swap label).
Edge LSR:
Labels IP packets (impose label) and forwards them into the MPLS domain
Removes labels (pop label) and forwards IP packets out of the MPLS domain

LSR Component Architecture

Functions of LSRs

Component: Control plane
Functions: Exchanges routing information; Exchanges labels

Component: Data plane
Functions: Forwards packets (LSRs and edge LSRs)

Component Architecture of LSR

Component Architecture of Edge LSR

Summary

MPLS is a switching mechanism that uses labels to forward packets. The result of using labels is that only edge routers perform a routing lookup; all the core routers simply forward packets based on labels assigned at the edge. MPLS consists of two major components: control plane and data plane. MPLS uses a 32-bit label field that contains label, experimental field, bottom-of-stack indicator, and TTL field. LSR is a device that forwards packets primarily based on labels. Edge LSR is a device that labels packets or removes labels from packets. Exchange routing information and exchange labels are part of the control plane, while forward packets is part of the data plane.

Lesson 02

Assigning MPLS Labels to Packets

Objectives

Identify how label allocation is performed in a frame mode MPLS network
Identify how labels are distributed in a frame mode MPLS network
Explain how the LFIB table is populated
Identify packet propagation across an MPLS network
Describe how PHP improves MPLS performance by eliminating routing lookups on egress LSRs

Label Allocation in a Frame Mode MPLS Environment

Label Allocation in a Frame Mode MPLS Environment

Label allocation and distribution in a frame mode MPLS network follows these steps: 1. IP routing protocols build the IP routing table. 2. Each LSR assigns a label to every destination in the IP routing table independently. 3. LSRs announce their assigned labels to all other LSRs. 4. Every LSR builds its LIB, LFIB, and FIB data structures based on the received labels. Note: Label allocation, label imposing, label swapping, and label popping usually happen in the service provider network, not the customer (enterprise) network. Customer routers will never see a label.

Building the IP Routing Table

IP routing protocols are used to build IP routing tables on all LSRs. FIBs are built based on IP routing tables, initially with no labeling information.

Allocating Labels

Every LSR allocates a label for every destination in the IP routing table. Labels have local significance. Label allocations are asynchronous.

LIB and LFIB Setup

LIB and LFIB structures have to be initialized on the LSR allocating the label. Untagged action will remove the label from the frame and the router will send a pure IP packet.

Label Distribution and Advertisement

Label Distribution and Advertisement

The allocated label is advertised to all neighbor LSRs, regardless of whether the neighbors are upstream or downstream LSRs for the destination.

Receiving Label Advertisement

Every LSR stores the received label in its LIB. Edge LSRs that receive the label from their next hop also store the label information in the FIB.

Interim Packet Propagation

Forwarded IP packets are labeled only on the path segments where the labels have already been assigned.

Further Label Allocation

Every LSR will eventually assign a label for every destination.

Receiving Label Advertisement

Every LSR stores received information in its LIB. LSRs that receive their label from their next-hop LSR will also populate the IP forwarding table.

Populating the LFIB Table

Populating the LFIB Table

Router B has already assigned a label to network X and created an entry in the LFIB. The outgoing label is inserted in the LFIB after the label is received from the next-hop LSR.

Packet Propagation Across an MPLS Network

Packet Propagation Across an MPLS Network

Penultimate Hop Popping

Penultimate Hop Popping

PHP optimizes MPLS performance (one less LFIB lookup). The pop or implicit null label uses a reserved value when being advertised to a neighbor.

Before the Introduction of the PHP

Double lookup is not an optimal way of forwarding labeled packets. A label can be removed one hop earlier.

After the Introduction of the PHP

A label is removed on the router before the last hop within an MPLS domain.
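The four allocation and distribution steps of this lesson, the LFIB population and the effect of PHP, as an added simulation (not code from the original slides). The chain A - B - C - D, destination X, the label ranges and the use of label 3 as implicit null are constructed assumptions; the trace shows that only the edge routers do an IP lookup and that without PHP the egress router D does two lookups.

```python
# Added example, not from the original slides: label allocation, advertisement
# and LFIB population for one destination X on a chain A - B - C - D, where D
# is the egress edge LSR attached to X, with and without PHP.
# Router names, label ranges and the destination are constructed.
IMPLICIT_NULL = 3   # reserved label: "pop the label before sending to me"

class LSR:
    def __init__(self, name, first_label):
        self.name = name
        self.rib = {}           # step 1: destination -> next-hop name (None = connected)
        self.neighbors = []     # directly connected LSRs
        self.lib = {}           # (destination, advertising LSR) -> label
        self.lfib = {}          # local label -> (action, out_label, next_hop)
        self.fib = {}           # destination -> (next_hop, label to impose or None)
        self.local_labels = {}  # destination -> label allocated here
        self._next = first_label

    @staticmethod
    def _out_entry(next_hop, received):
        if received is None:                   # nothing from the next hop yet
            return ("untagged", None, next_hop)  # strip label, send pure IP
        if received == IMPLICIT_NULL:          # next hop asked for PHP
            return ("pop", None, next_hop)
        return ("swap", received, next_hop)

    def allocate(self, dest, egress_php=False):
        """Step 2: allocate a label for dest independently of other LSRs."""
        if egress_php:
            self.local_labels[dest] = IMPLICIT_NULL
            return IMPLICIT_NULL
        label, self._next = self._next, self._next + 1
        self.local_labels[dest] = label
        nh = self.rib[dest]
        # The next hop's label may already sit in the LIB (allocation is asynchronous).
        self.lfib[label] = self._out_entry(nh, self.lib.get((dest, nh)))
        return label

    def advertise(self, dest):
        """Step 3: announce the local label to every neighbor, upstream or downstream."""
        for nb in self.neighbors:
            nb.receive(dest, self.name, self.local_labels[dest])

    def receive(self, dest, from_lsr, label):
        """Step 4: always store in the LIB; update LFIB/FIB only if sender is the next hop."""
        self.lib[(dest, from_lsr)] = label
        if self.rib.get(dest) != from_lsr:
            return
        entry = self._out_entry(from_lsr, label)
        self.fib[dest] = (from_lsr, entry[1])
        local = self.local_labels.get(dest)
        if local is not None and local != IMPLICIT_NULL:
            self.lfib[local] = entry

def build_chain(php=True, dest="X"):
    r = {n: LSR(n, base) for n, base in (("A", 16), ("B", 20), ("C", 30), ("D", 40))}
    a, b, c, d = (r[n] for n in "ABCD")
    a.neighbors, b.neighbors, c.neighbors, d.neighbors = [b], [a, c], [b, d], [c]
    a.rib[dest], b.rib[dest], c.rib[dest], d.rib[dest] = "B", "C", "D", None
    for lsr in (c, a, b):            # steps 2-3 happen in no particular order
        lsr.allocate(dest)
    d.allocate(dest, egress_php=php)
    for lsr in (d, b, c, a):
        lsr.advertise(dest)
    return r

def forward(routers, ingress, dest):
    """Trace one packet: unlabeled needs an IP (FIB) lookup, labeled only an LFIB lookup."""
    trace, name, label = [], ingress, None
    while True:
        lsr = routers[name]
        if label is None:
            if lsr.rib[dest] is None:
                trace.append((name, "ip-lookup", "delivered"))
                return trace
            name, label = lsr.fib[dest]
            trace.append((lsr.name, "ip-lookup", label))
        else:
            action, label, next_hop = lsr.lfib[label]
            trace.append((lsr.name, action, label))
            name = next_hop if next_hop is not None else name
```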

Summary

Every LSR assigns a label for every destination in the IP routing table. Although labels are locally significant, they have to be advertised to directly reachable peers. Outgoing labels are inserted in the LFIB after the label is received from the next-hop LSR. Packets are forwarded using labels from the LFIB table rather than the IP routing table. PHP optimizes MPLS performance (one less LFIB lookup).

Lesson 03

Implementing Frame Mode MPLS

Objectives

Describe the procedure for configuring frame mode MPLS on a Cisco IOS router
Enable IP CEF on a router as a step in implementing frame mode MPLS
Enable MPLS on a frame mode interface as a step in implementing frame mode MPLS
Configure the MTU size in label switching as a step in implementing frame mode MPLS

The Procedure to Configure MPLS

The Procedure to Configure MPLS

1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching

Configuring IP CEF

Step 1: Configure CEF

1. Configure CEF: Start CEF switching to create the FIB table; enable CEF switching on all core interfaces
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching

Step 1: Configure CEF (Cont.)


Router(config)#

ip cef [distributed]

Starts CEF switching and creates the FIB table The distributed keyword configures distributed CEF (running on VIP or line cards) All CEF-capable interfaces run CEF switching
Router(config-if)#

ip route-cache cef

Enables CEF switching on an interface Usually not needed

Monitoring IP CEF
Router#

show ip cef detail

Displays a summary of the FIB


Router#show ip cef detail
IP CEF with switching (Table Version 6), flags=0x0
  6 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
  9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations
  0 load sharing elements, 0 bytes, 0 references
  2 CEF resets, 0 revisions of existing leaves
  refcounts: 543 leaf, 544 node
Adjacency Table has 4 adjacencies
0.0.0.0/32, version 0, receive
192.168.3.1/32, version 3, cached adjacency to Serial0/0.10
  0 packets, 0 bytes
  tag information set
    local tag: 28
    fast tag rewrite with Se0/0.10, point2point, tags imposed: {28}
  via 192.168.3.10, Serial0/0.10, 0 dependencies
    next hop 192.168.3.10, Serial0/0.10
    valid cached adjacency
    tag rewrite with Se0/0.10, point2point, tags imposed: {28}

Configuring MPLS on a Frame Mode Interface

Step 2: Configure MPLS on a Frame Mode Interface

1. Configure CEF
2. Configure MPLS on a frame mode interface: Enable label switching on a frame mode interface; start LDP or TDP label distribution protocol
3. (Optional) Configure the MTU size in label switching

Step 2: Configure MPLS on a Frame Mode Interface (Cont.)


Router(config-if)#

mpls ip

Enables label switching on a frame mode interface Starts LDP on the interface
Router(config-if)#

mpls label protocol [tdp | ldp | both]

Starts selected label distribution protocol on the specified interface

Configuring MPLS on a Frame Mode Interface: Example 1

Configuring MPLS on a Frame Mode Interface: Example 2

Configuring the MTU Size in Label Switching

Step 3: Configure the MTU Size in Label Switching

1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching: Increase MTU on LAN interfaces

Step 3: Configure the MTU Size in Label Switching (Cont.)


Router(config-if)#

mpls mtu bytes

Label switching increases the maximum MTU requirements on an interface, because of the additional label header
Interface MTU is automatically increased on WAN interfaces; IP MTU is automatically decreased on LAN interfaces
Label-switching MTU can be increased on LAN interfaces (resulting in jumbo frames) to prevent IP fragmentation

Configuring Label Switching MTU: Example

Summary

MPLS configuration tasks include configuring IP CEF, tag switching, and setting MTU size. CEF is configured globally. Use the mpls ip command to enable MPLS on an interface level. To set MTU for labeled packets, use the mpls mtu interface configuration command.

Lesson 04

Describing MPLS VPN Technology

Objectives
Explain MPLS VPN architecture, and how it improves on the traditional methods of overlay and peer-to-peer VPN
Describe the components of an MPLS VPN and how they are interconnected to enable enterprise network connectivity between sites
Identify how routing information is propagated across the P-network
Identify the end-to-end flow of routing updates in an MPLS VPN
Describe MPLS VPN packet forwarding

Defining MPLS VPN

VPN Taxonomy (classification)

VPN Models

VPN services can be offered based on two major models:


Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
Peer-to-peer VPNs, in which the service provider participates in the customer routing

Overlay VPNs: Frame Relay Example

Overlay VPNs: Layer 3 Routing

The service provider infrastructure appears as point-to-point links to customer routes. Routing protocols run directly between customer routers. The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

Peer-to-Peer VPNs

Benefits of VPN Implementations

Overlay VPN:
Well-known and easy to implement
Service provider does not participate in customer routing
Customer network and service provider network are well-isolated
Peer-to-peer VPN:
Guarantees optimum routing between customer sites
Easier to provision an additional VPN
Only sites are provisioned, not links between them

Drawbacks of VPN Implementations

Overlay VPN:
Implementing optimum routing requires a full mesh of VCs. VCs have to be provisioned manually. Bandwidth must be provisioned on a site-to-site basis. Overlay VPNs always incur encapsulation overhead (IPsec or GRE).

Peer-to-peer VPN:
The service provider participates in customer routing. The service provider becomes responsible for customer convergence. PE routers carry all routes from all customers. The service provider needs detailed IP routing knowledge.

Drawbacks of Peer-to-Peer VPNs

Shared PE router:
All customers share the same (provider-assigned or public) address space.
High maintenance costs are associated with packet filters.
Performance is lower; each packet has to pass a packet filter.
Dedicated PE router:
All customers share the same address space.
Each customer requires a dedicated router at each POP.

MPLS VPN Architecture

MPLS VPN Architecture

An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning. PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach). Customers can use overlapping addresses.

MPLS VPN Architecture: Terminology

PE Router Architecture

Propagation of Routing Information Across the P-Network

Propagation of Routing Information Across the P-Network

The number of customer routes can be very large; BGP is the only routing protocol that can scale to such a number. BGP is used to exchange customer routes directly between PE routers.

Route Distinguishers

Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol? Answer: Extend the customer addresses to make them unique. The 64-bit RD is prepended to an IPv4 address to make it globally unique. The resulting address is a VPNv4 address. VPNv4 addresses are exchanged between PE routers via BGP. BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MPBGP).

Route Distinguishers (Cont.)

Route Distinguishers (Cont.)

Usage of RDs in an MPLS VPN

The RD has no special meaning. The RD is used only to make potentially overlapping IPv4 addresses globally unique. This design cannot support all topologies required by the customer.

VoIP Service Example

Requirements:
All sites of one customer need to communicate. Central sites of both customers need to communicate with VoIP gateways and other central sites. Other sites from different customers do not communicate with each other.

VoIP Service Example: Connectivity Requirements

Route Targets

Some sites have to participate in more than one VPN. The RD cannot identify participation in more than one VPN. RTs were introduced in the MPLS VPN architecture to support complex VPN topologies. RTs are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.

How Do RTs Work?

Export RTs:
Identify VPN membership
Appended to the customer route when it is converted into a VPNv4 route
Import RTs:
Associated with each virtual routing table
Select the routes inserted into the virtual routing table
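The RD and RT mechanics of this lesson applied to the VoIP service example, as an added example (not code from the original slides): a type-0 RD prepended to an IPv4 prefix gives a unique VPNv4 NLRI even when two customers use the same prefix, and export/import RTs decide which VRF receives which routes. All RD/RT values (ASN:nn), VRF names and prefixes are constructed.

```python
import ipaddress

# Added example, not from the original slides: a PE router makes overlapping
# customer prefixes unique with a route distinguisher and selects routes for
# each VRF with route targets, following the VoIP service example.
# All RD/RT values (ASN:nn), VRF names and prefixes are constructed.

def vpnv4(rd, prefix):
    """Type-0 RD (2-byte type 0, 2-byte ASN, 4-byte number) prepended to the
    IPv4 prefix gives the 12-byte VPNv4 NLRI; the prefix length is kept too."""
    asn, num = (int(x) for x in rd.split(":"))
    rd_bytes = (0).to_bytes(2, "big") + asn.to_bytes(2, "big") + num.to_bytes(4, "big")
    net = ipaddress.ip_network(prefix)
    return rd_bytes + int(net.network_address).to_bytes(4, "big"), net.prefixlen

class VPNv4Route:
    def __init__(self, rd, prefix, export_rts, origin):
        self.nlri = vpnv4(rd, prefix)
        self.prefix = prefix
        self.rts = frozenset(export_rts)  # export RTs ride along as BGP extended communities
        self.origin = origin              # VRF/site that advertised the route

def vrf(name, rd, export, imp):
    return {"name": name, "rd": rd, "export": export, "import": imp}

def export_from_vrf(v, prefixes):
    """Customer routes leaving a VRF get that VRF's RD and its export RTs appended."""
    return [VPNv4Route(v["rd"], p, v["export"], v["name"]) for p in prefixes]

def import_into_vrf(v, routes):
    """A VPNv4 route enters a VRF if any attached RT matches one of its import RTs."""
    table = {}
    for r in routes:
        if r.rts & set(v["import"]):
            table.setdefault(r.prefix, []).append(r.origin)
    return table

# RT 65000:1 = customer A, 65000:2 = customer B, 65000:100 = shared VoIP VPN.
VRFS = {
    "A_central": vrf("A_central", "65000:1", ["65000:1", "65000:100"], ["65000:1", "65000:100"]),
    "A_branch":  vrf("A_branch",  "65000:1", ["65000:1"], ["65000:1"]),
    "B_central": vrf("B_central", "65000:2", ["65000:2", "65000:100"], ["65000:2", "65000:100"]),
    "B_branch":  vrf("B_branch",  "65000:2", ["65000:2"], ["65000:2"]),
    "VoIP_gw":   vrf("VoIP_gw",   "65000:100", ["65000:100"], ["65000:100"]),
}
# The two branch sites use the same private prefix (overlapping addresses).
SITE_PREFIXES = {"A_central": ["10.1.0.0/24"], "A_branch": ["10.1.1.0/24"],
                 "B_central": ["10.2.0.0/24"], "B_branch": ["10.1.1.0/24"],
                 "VoIP_gw": ["192.0.2.0/24"]}

def mpbgp_table():
    """Every VPNv4 route carried between PE routers by MP-BGP."""
    routes = []
    for name, v in VRFS.items():
        routes += export_from_vrf(v, SITE_PREFIXES[name])
    return routes

def vrf_view(name):
    """The virtual routing table a given site ends up with: prefix -> origins."""
    return import_into_vrf(VRFS[name], mpbgp_table())
```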

End-to-End Routing Information Flow

MPLS VPN Routing Requirements

CE routers have to run standard IP routing software. PE routers have to support MPLS VPN services and Internet routing. P routers have no VPN routes.

MPLS VPN Routing: CE Router Perspective

The CE routers run standard IP routing software and exchange routing updates with the PE router. The PE router appears as another router in the C-network.

PE-CE Routing Protocols

PE-CE routing protocols are configured for individual VRFs. Supported protocols include BGP, OSPF, static, RIP, and EIGRP. Routing configuration on the CE router has no VRF information.

MPLS VPN Routing: Overall Customer Perspective

To the customer, the PE routers appear as core routers connected via a BGP backbone. The usual BGP and IGP design rules apply. The P routers are hidden from the customer.

MPLS VPN Routing: P Router Perspective

P routers perform as follows:


Do not participate in MPLS VPN routing and do not carry VPN routes. Run backbone IGP with the PE routers and exchange information about global subnetworks (core links and loopbacks).

MPLS VPN Routing: PE Router Perspective

PE routers exchange the following:


VPN routes with CE routers via per-VPN routing protocols
Core routes with P routers and PE routers via core IGP
VPNv4 routes with other PE routers via MPBGP sessions

End-to-End Routing Information Flow

MPLS VPNs and Packet Forwarding

MPLS VPNs and Packet Forwarding

The PE routers will label the VPN packets with a label stack, as follows:
Using the LDP label for the egress PE router as the top label
Using the VPN label assigned by the egress PE router as the second label in the stack

VPN PHP

PHP on the LDP label can be performed on the last P router. The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup. IP lookup is performed only once, in the ingress PE router.

Summary

There are two major VPN paradigms: overlay VPN and peer-to-peer VPN. MPLS VPN architecture combines the best features of the overlay and peer-to-peer VPN models. BGP is used to exchange customer routes between PE routers. Routes are transported using IGP (internal core routes), BGP IPv4 (core Internet routes), and BGP VPNv4 (PE-to-PE VPN routes). PE routers forward packets across the MPLS VPN backbone using label stacking.