Administrator's Guide to TCP/IP, Second Edition

Copyright ©1995-2003 by CNET Networks, Inc. All rights reserved. TechRepublic and its logo are trademarks of CNET Networks, Inc. All other product names or services identified throughout this book are trademarks or registered trademarks of their respective companies. Reproduction of this publication in any form without prior written permission is forbidden.

Disclaimer
The information contained herein has been obtained from sources believed to be reliable. CNET Networks, Inc. disclaims all warranties as to the accuracy, completeness, or adequacy of such information. CNET Networks, Inc. shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

CD-ROM License
TechRepublic grants you a limited, nonexclusive, nontransferable license to use the CD-ROM on a single dedicated computer. The use of the TechRepublic Resource CD is governed by the license agreement that can be found in the printed documentation included with the CD-ROM. Read the agreement carefully before using the CD-ROM that accompanies this book.

Credits
Vice President, TechRepublic: Bob Artner
Assistant Vice President, TechRepublic: Kimberly Henderson
Executive Editor, Premium Products: Erik Eckel
Managing Editor, Premium Products: Janice Conard
Content Resources Manager: Marilyn Bryan
Graphic Artists: Natalie Strange, Kimberly Wright
Executive Editor, TechRepublic and Builder.com: Veronica Combs
Senior Editors: Paul Baldwin, Beth Blakely, Toni Bowers, Bill Detwiler, Jason Hiner, Judy Mottl, John Sheesley, Jim Wells
Review Edit Manager: Rich Crossett
Review Editors: Kachina Dunn, Jody Gilbert, Kim Mays, Amy Sellers
Copy Editors: Selena Frye, Joyce Mathai, Suzanne Thornberry, Janice Walter, Linda Watkins
Editorial Intern: Michelle Hamilton
Membership Director: Dan Scofield
Promotions Manager: Megan Hancock

Contact Us
TechRepublic, 9900 Corporate Campus Drive, Suite 1500, Louisville, KY 40223
E-mail: [email protected]
Tel.: 1.800.217.4339
www.techrepublic.com

ISBN 1-931490-80-5
B056

Foreword

Administering TCP/IP networks may be the most stressful task that IT professionals undertake. Whether you’re designing, maintaining, or troubleshooting TCP/IP-powered networks, much is at stake. The slightest error or unplanned outage can bring an organization to a standstill.

When TCP/IP networks fail, employees can’t access important network connections, including the Internet. Remote users are stopped in their tracks. E-mail fails. Files can’t be shared. In short, operations grind to a halt.

Regardless of your organization's size, you must ensure that its network is designed and subnetted properly, administered efficiently, and troubleshot quickly. TechRepublic has built a solution-packed book and CD tool kit to help you do just that.

TechRepublic's newly updated Administrator's Guide to TCP/IP, Second Edition, and its accompanying CD-ROM tool kit, provides you with proven expertise, timesaving solutions, and helpful tips to build and keep enterprise TCP/IP networks running smoothly. Whether you have questions regarding TCP/IP fundamentals, DHCP, DNS, routing, cabling, or troubleshooting, you'll find a wealth of solutions for all things TCP/IP.

For example, TechRepublic's Administrator's Guide to TCP/IP, Second Edition will help you:

• Master TCP/IP basics.
• Subnet and supernet networks.
• Implement efficient routing techniques.
• Troubleshoot TCP/IP failures.
• Configure NAT, WINS, DNS, DHCP, and other critical protocols.
• Monitor and optimize your TCP/IP network.

The TCP/IP CD-ROM tool kit included with the Administrator’s Guide to TCP/IP, Second Edition is packed with helpful tools to help ensure you have the checklists, forms, and scripts you need to diagnose and repair network failures quickly and efficiently. The CD-ROM also contains a special bonus chapter outlining critical Cisco solutions.

Don’t attack network failures alone; turn to TechRepublic for expert, field-tested advice.

If you have comments or suggestions regarding this TechRepublic product, please e-mail us at [email protected].

Quick Reference
Networking Fundamentals ...... 1
Routing and Design ...... 55
Windows Networking ...... 167

Networking Fundamentals
The top 10 must-haves for a network engineer's toolbox ...... 1
Within the walls: The art of the cable run ...... 4
When is it appropriate to replace network cabling? ...... 8
Use the right networking components for your next cabling job ...... 10
Know the facts about network cabling ...... 13
Deploying and managing 10/100BaseT Ethernet hardware ...... 16
Understanding how 10/100BaseT Ethernet operates ...... 19
Prepare for Gigabit Ethernet networking ...... 21
IPv6: A larger, more secure Net ...... 25
Tunneling terms you should know when deploying a VPN ...... 28
Learn the basics of subnetting a TCP/IP network ...... 30
Expand your network by supernetting IP addresses ...... 34
Understanding wireless LAN protocols and components ...... 37
Defend your network's perimeter with these strategies ...... 40
Strengthen your network defenses with these four steps ...... 44
Protocol analyzers make short work of net admin tasks ...... 47
Common causes of network slowdowns and how to locate them quickly ...... 50

Routing and Design
Dissecting and diagnosing TCP/IP routing ...... 55
Discover how routers power internetworks ...... 60
Understanding routing tables ...... 64
Select the right routing protocol for your network ...... 67
Understanding the protocols underlying dynamic routing ...... 70
Selecting the best address translation option for your network ...... 74
Provide multiple paths between networks with tunneling and NAT ...... 77
Learn why NAT can cause VPN connection problems ...... 82
IP routing in 40 short steps ...... 84
Configuring static and default routing ...... 89
Dynamic routing with RIP ...... 96
Configuring IGRP routing with redistribution ...... 105
Getting to know Open Shortest Path First (OSPF) ...... 111
Summarizing IP routes with EIGRP and OSPF ...... 119
Configuring OSPF with multiple areas ...... 123
Understanding the RIP protocol ...... 129
RIP explained: The gory details ...... 134
Advanced RIP configuration ...... 138
Using RIP on Windows 2000 Server ...... 142
Using OSPF on Windows 2000 Server ...... 146
Getting autonomous with BGP: How Border Gateway Protocol can help you with routing ...... 150
Using the Border Gateway Protocol ...... 155
See how BGP and route redistribution can link remote sites ...... 159
How FTP port requests challenge firewall security ...... 162

Windows Networking
Provide VPN services using Windows Server 2003 ...... 167
Troubleshoot Windows Server 2003 networking errors ...... 172
How to fine-tune Windows Server 2003 network connections ...... 176
How to configure Windows XP client VPN connections ...... 179
Create custom IPSec configurations for Windows XP ...... 181
The complete Windows 2000 client TCP/IP configuration guide ...... 184
Setting up a VPN with Windows 2000 ...... 191
Configuring certificates for an L2TP/IPSec VPN ...... 195
Customize the security of L2TP/IPSec connections ...... 200
Troubleshooting L2TP/IPSec VPN connections in Win2K ...... 203
Configure Windows NT to support VPN connections ...... 206
Monitoring and troubleshooting VPN connections in WinNT ...... 210
Tune Windows NT for better network performance ...... 214
The Win9x VPN client connection guide ...... 218
Troubleshoot Windows RAS and VPN connections with these tips ...... 223
Fix the four biggest problems with VPN connections ...... 226

Networking Fundamentals

The top 10 must-haves for a network engineer's toolbox
Jun 18, 2002
By Brien M. Posey, MCSE

Behind every good network guru is a good set of tools. Quick access to the right tools can mean the difference between an easy job and an impossible one. But with the wide variety of gadgets on the market, it's tough to know which tools are really helpful. In this article, I'll review my picks for the 10 best tools to keep on hand.

1. Cable tester
The number-one tool that no network guru should be without is a cable tester. A good cable tester detects shorts in a cable and will tell you if the wires inside an RJ-45 connector are arranged correctly. You can see a LANtest cable tester in Figure A. You can use the cable tester shown in Figure A on coaxial cable and RJ-45 based Ethernet cable. Notice that there are two pieces to the cable tester. For shorter cables, such as patch cables, both ends of the length that's being tested may be plugged into the main testing tool. For longer cable runs, one end of the cable to be tested will be plugged into the main testing tool, and the other end of the cable to be tested will be plugged into the secondary piece.

Although every cable tester works a little differently, this cable tester tells you whether or not a connection is solid through a series of LED displays. The tester checks each wire in turn and lights the matching LED on both units when that wire makes it through. LEDs lighting on both ends of the test unit circuit means the cable is fine; if the far-end LED for a wire stays dark, that wire isn't getting through, which points to a break or a short. If a second LED is illuminated but the numbers don't match up, you'll know that an RJ-45 connector is wired incorrectly.

Figure A: A cable tester should be at the top of your must-have list.

2. RJ-45 crimper
Another handy tool is an RJ-45 crimper, shown in Figure B. The crimper in the figure actually contains a wire cutter, a wire stripper, and a crimper. This single tool can cut a piece of Cat 5 cable, strip off the end, and place an RJ-45 connector onto the cable's end.

Figure B: A good RJ-45 crimper can cut, strip, and crimp.

3. Cordless screwdriver
One of the tools I use most often is a cordless screwdriver, which is a great time saver for anyone who has to routinely open PC cases.

When selecting a cordless screwdriver, I chose the 3.6-volt Craftsman screwdriver, shown in Figure C. I like this model because it has adjustable torque and a higher voltage rating, and therefore more power than many others that are available.

After purchasing a cordless screwdriver, I recommend getting a good set of bits, such as the one shown in Figure D, to make sure you have the right fit for any job that comes along. Remember that some PCs use Torx (star-shaped) screws rather than the standard Phillips and flat-head screws. The bit set in the figure also includes a few nut drivers. Some computer cases use screws with heads that have edges like those found on nuts. If the head groove is damaged, you can remove the screw with a nut driver. You might even consider picking up a flexible extension bit, which is great for getting to screws in those hard-to-reach areas.

Figure C: This 3.6-volt Craftsman cordless screwdriver has adjustable torque and plenty of power.
Figure D: It's important to have plenty of screwdriver bits on hand.

4. Two-way radios
Another tool that comes in really handy is a set of two-way radios, such as the Motorola models shown in Figure E. These radios are useful when two or more technicians are working in different parts of the building. For example, when testing cables, one technician may be in a wiring closet while another may be at a user's desk. A set of radios lets the two techs compare test results and talk about repair ideas. These radios can also receive FM stereo, marine radio, and weather radio, so I can use them on my boat on the weekends.

Figure E: A set of two-way radios can help technicians working in different parts of the building exchange ideas.

5. Multimeter
You probably don't want to get caught without a multimeter. Many different types of multimeters are available, ranging in price from about $20 to about $200. I use a midrange unit, the Craftsman Digital + Analog Multimeter 82322, shown in Figure F. It's priced around $100. I use my multimeter for four basic tasks. First, I sometimes use it to check electrical outlets for proper voltage. Second, I test PC power supplies. Third, I sometimes use my multimeter to test for proper termination on coaxial Ethernet lines. Finally, because my specific multimeter contains a temperature probe, I can use it to measure the temperature inside a PC case to check for overheating.

Figure F: The Craftsman 82322 is very versatile.

6. Phone line tester
It's easy to think of networks as consisting strictly of network cables and components. However, phone lines are still widely used in networks that offer remote dial-in services. Just as network problems may be related to a bad patch cable, modem problems might be caused by a bad phone jack. I can't count the number of times when I've seen the phone company or another technician accidentally deactivate a phone jack or crosswire a jack, particularly in large offices. You can use several approaches to test for phone line problems. I like to conduct the initial tests with a phone line tester, such as the one that's shown in Figure G. This tester displays a green light if the line is good and a red light if the line is cross-wired. No light means the line is completely dead. You can find testers similar to this one for a few dollars at any hardware store.

Figure G: A phone line tester can help you to quickly diagnose phone jack problems.

7. Telephone
Having a phone line tester on hand will help you diagnose many common problems, but there are some phone line glitches that you can detect only by using an actual telephone. I've seen several situations in which a problem with the phone company allows a modem to dial out but not receive calls. Likewise, I've seen phone lines that will let you receive calls, but not dial out. That's why I keep a generic analog phone on hand. An analog phone is also useful for listening for line noise. I sometimes just dial into a RAS server to see if the modem picks up and if the various modulation tones sound correct.

8. Tone probe
If you work on networks that rely on patch panels, you'll find a tone probe to be an extremely valuable piece of equipment. Suppose you have to service a network and none of the punch downs are labeled. You could hook a network jack to an inducer, which would put an audible tone on the network cable. You could then go down to the wiring closet and use a tone probe to see which punch down is carrying the tone. The punch down with the tone corresponds to the jack with the inducer.

9. Cable snake
One tool that I have found incredibly useful is the cable snake. This gadget is little more than a retractable spool of flexible metal with a hook at the end. I use my cable snake for pulling network cable through difficult places, such as from the top of a wall to a jack that's near the floor or through a building's plenum space or subflooring. A cable snake is also especially helpful for feeding network cable through conduit.

10. Lantern
It may seem strange to end my list of essential tools with a lantern, but I can't tell you how many wiring closets and server rooms I've been in that were so dark that I couldn't see the back of the servers or read the markings on a patch panel. So I always keep a lantern with me when I go to fix a network. A lantern also is useful when trying to run wires through an attic or crawlspace. What I like about my specific lantern is that it's designed to emit 360 degrees of light and is bright enough to light an entire room.

The best laid plans
No matter how carefully you plan your toolkit, it always seems that the one tool you need for a job won't be there. By collecting this top-10 list, or by compiling one of your own, you're less likely to find yourself missing that one tool that will get you through the day's emergency.
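The LED cable tester in item 1 reports a wire map: for each pin driven on the near end, which far-end LED lights. Reading that map by eye is where the "numbers don't match up" mistakes creep in, so the following is an added example, not code from the article or from any tester vendor, that turns a readout into a verdict: straight-through, crossover, reversed or transposed pair, open, short, or miswire. The pin pairings (1-2, 3-6, 4-5, 7-8) are the TIA-568 pairings, which are the same for T568A and T568B; the readout() format and the sample readouts are my own construction.

```python
"""Wire-map classifier for an RJ-45 cable tester readout.

Added example, not code from the article: a basic LED cable tester drives
each near-end pin in turn and lights the far-end LED(s) that respond.  This
script turns that readout into a verdict (straight-through, crossover,
reversed pair, transposed pair, open, short or miswire).  All readouts
below are constructed for illustration.
"""

# Pin pairs per TIA-568; T568A and T568B pair the same pin numbers and
# differ only in which colour goes where, so the map is the same for both.
PAIRS = ((1, 2), (3, 6), (4, 5), (7, 8))
PAIR_OF = {pin: pair for pair in PAIRS for pin in pair}

STRAIGHT = {pin: pin for pin in range(1, 9)}
CROSSOVER_10_100 = {**STRAIGHT, 1: 3, 2: 6, 3: 1, 6: 2}
CROSSOVER_GIGABIT = {**CROSSOVER_10_100, 4: 7, 5: 8, 7: 4, 8: 5}


def readout(*far_pins):
    """Build a tester readout from eight entries, one per near-end pin 1..8:
    an int is the far-end LED that lit, 0 means no LED lit (open) and a
    tuple lists several LEDs that lit at once (short)."""
    assert len(far_pins) == 8, "one entry per pin"
    out = {}
    for pin, far in enumerate(far_pins, start=1):
        if far == 0:
            out[pin] = set()
        elif isinstance(far, tuple):
            out[pin] = set(far)
        else:
            out[pin] = {far}
    return out


def classify_wiremap(rd):
    """Return (verdict, details) for a readout built by readout().

    Opens and shorts are reported first: until they are fixed the pin map
    is meaningless, which is also why the tester shows them before anything
    else.  Only a clean one-to-one map is then judged for cable type.
    """
    faults, mapping, far_seen = [], {}, {}
    for pin in range(1, 9):
        lit = sorted(rd.get(pin, ()))
        if not lit:
            faults.append(f"open: near pin {pin} lights no far-end LED")
        elif len(lit) > 1:
            faults.append(f"short: near pin {pin} lights far pins {lit}")
        elif lit[0] in far_seen:
            faults.append(f"short: near pins {far_seen[lit[0]]} and {pin} "
                          f"both reach far pin {lit[0]}")
        else:
            far_seen[lit[0]] = pin
            mapping[pin] = lit[0]
    if faults:
        return "faulty", faults

    if mapping == STRAIGHT:
        return "straight-through", []
    if mapping == CROSSOVER_GIGABIT:
        return "crossover (all four pairs swapped)", []
    if mapping == CROSSOVER_10_100:
        return "crossover (pairs 1-2 and 3-6 swapped)", []

    # Anything else: check that each near-end pair still lands on a far-end
    # pair.  If it does not, conductors from two twisted pairs now share a
    # pair position, which is the miswire that breaks Ethernet even though
    # every LED lights.
    details = []
    for a, b in PAIRS:
        fa, fb = mapping[a], mapping[b]
        if PAIR_OF[fa] != PAIR_OF[fb]:
            details.append(f"miswire: pair {a}-{b} lands on far pins "
                           f"{fa} and {fb}, which are not a pair")
        elif (fa, fb) == (b, a):
            details.append(f"reversed pair: {a}-{b} arrives as {fa}-{fb}")
        elif PAIR_OF[fa] != (a, b):
            details.append(f"transposed pair: {a}-{b} arrives on "
                           f"{PAIR_OF[fa][0]}-{PAIR_OF[fa][1]}")
    verdict = ("miswire" if any(d.startswith("miswire") for d in details)
               else "pair fault")
    return verdict, details


# Constructed readouts, as a tester's LEDs would report them.
EXAMPLES = {
    "good patch cable": readout(1, 2, 3, 4, 5, 6, 7, 8),
    "crossover": readout(3, 6, 1, 4, 5, 2, 7, 8),
    "open on pin 4": readout(1, 2, 3, 0, 5, 6, 7, 8),
    "short 7-8 at far end": readout(1, 2, 3, 4, 5, 6, (7, 8), (7, 8)),
    "pins 2 and 3 swapped": readout(1, 3, 2, 4, 5, 6, 7, 8),
}

if __name__ == "__main__":
    for name, rd in EXAMPLES.items():
        verdict, details = classify_wiremap(rd)
        print(f"{name:24s} -> {verdict}"
              + ("; " + "; ".join(details) if details else ""))
```

One caveat the script shares with an LED tester: a split pair, where conductors from two different twisted pairs are terminated on the same pair position at both ends, produces a perfectly clean straight-through map and passes here, yet fails at 100 Mb/s because the untwisted conductors leak crosstalk. Only a tester that measures near-end crosstalk (NEXT) catches that one; the wire map catches everything else on the list above.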

Within the walls: The art of the cable run
Nov 29, 2001
By Jack Wallen, Jr.

Running network cable is an art that should garner your full attention when the time comes. For a long time, I worked as a professional audio installation technician with an amazing little mom-and-pop company (IRC Audio). My duties included hanging speakers from various dangerously high locations; varnishing, staining, and painting outrageously expensive loudspeakers ("Jack, that speaker you're painting is about three months' pay. I'd be careful!" my boss would fondly say); and running cables of all sorts. To say that we ran miles and miles of cable in the strangest and snuggest of places would be an understatement. To say that we had to come up with creative means to get a run of cable from point A to point B would really be an understatement. I'm going to share the tips and tricks I learned while doing it.

UNIVERSALITY
You may ask yourself, "What does that have to do with running networking cable?" Well, my friend, some universal truths do exist. Although some specifics don't apply, many of the fundamentals are the same.

Terminology
You'll need to know some terms throughout this article:
• AWG stands for American Wire Gauge, which rates the size of a wire. This number is inversely proportional to the size of the wire (smaller number = larger diameter wire).
• Bonding is the process of connecting two or more conductive objects by means of a conductor so that there is no conductive gap between the objects.
• Grounding is the process of connecting one or more conductive objects to the earth so that the earth can act as an electromagnetic "sink."
• Shielding prevents electrical noise from creating false digital signals and from corrupting analog signals.
• Plenum: Actually, the term plenum refers to the air-return area in an HVAC system. The term has also been commonly adopted in many fields to mean a fire-retardant (or heat-retardant) cable.
• EMI stands for electromagnetic interference.
• HVAC is the acronym for Heating, Ventilating, and Air Conditioning systems.

ANSI
Understand that it's always best to adhere to American National Standards Institute (ANSI) specifications. Regardless of whether you're running cable in your home or in a larger organization, following standards will not only keep you safe but also limit your liability.

Conduit vs. free run
Conduit is a means to safely route wire from one location to another. It's used either when the wire needs protection from various elements (heat, electrical interference, traffic, etc.) or when it's aesthetically pleasing. Conduit comes in two types: conducting (metallic) and nonconducting (plastic or some variation). Typically, you'll see the following types of conduit used:
• Electrical Metallic Tubing (EMT): This type is very versatile due to its availability, cost, and ease of use.
• Rigid Metal Conduit (RMC): This type is very solid and offers much better bonding and grounding.
• Rigid Nonmetallic Conduit (RNC): This type is very simple to work with. It can be applied with standard tools but doesn't offer the shielding and grounding that conducting conduit offers.
A few other types of conduit are available, but this list will typically get you where you need to go.

Although it may be tempting to gravitate to RNC-type conduit, remember this: It's simple to use, but you'll have to run extra wire within the conduit to act as ground and bonding wires. You should also consider that RNC doesn't offer shielding, so the location of this type of conduit will be critical. You won't want to use RNC around anything that could cause corruption to transmitted data, such as fluorescent lighting, power wiring, and sound equipment. Fortunately, Cat-5 Ethernet cabling offers fairly good EMI immunity. Regardless of its immunity, it's always better to be safe than sorry.

How do you decide whether to run free lines or use conduit? The answer can be a bit conditional. The guideline you should follow is this: If you're using nonplenum cable for your run, you should be running in conduit. Why? Safety. The inclination for most is going to be to get the job done as quickly as possible; however, this can lead to severe problems, such as fire, if caution is not used.

Err on the side of caution. If you know for sure that you're not running line anywhere near a hot location (such as lighting, HVAC, etc.), a damp location, a location rife with EMI, or a location where aesthetics are crucial, then it's safe to run your line without conduit. If you do run the risk of any of the preceding conditions, be smart and take the time to install conduit. Not only will your network runs be safer, they'll also last much longer, thanks to the protection offered by conduit.

Installing conduit
The art of installing conduit is one that takes a long time to master. Of course, most of you won't be concerned with taking it to an art form. In that case, here are some guidelines you'll want to follow:
• Make sure you have your run mapped out correctly and your measurements are on target. It's always best to plan this out with a to-scale blueprint of the building you're working within. Plan your run so that the conduit will be easily accessible.
• Plan the number of bends in the conduit carefully. The fewer bends, the easier the wire pull will be.
• Try to keep your conduit parallel to walls and ceilings to keep it more easily located.
• Choose conduit diameter with expansion in mind. It's better to have wasted space than to have to run more conduit along the same run.
• If you need them, precut holes for conduit in headers and joists before you begin your run.
• Before cutting your conduit, make sure you have measured with couplings, fittings, and junction boxes in mind.
• Cut EMT tubing with a hacksaw or bandsaw; don't use roll-type tube cutters.
• Always dry-fit your conduit before applying adhesives.
• Don't attempt to bond painted surfaces, as the paint can easily detract from the conductivity of the material.
Conduit doesn't have to be difficult to install. Your primary objective when beginning this installation is giving yourself enough time to carefully plan and execute the installation.

Free-run cables
Running cables without conduit is a much faster method of routing networking cables. The biggest problem you'll run across with this method is sloppiness. With the help of conduit, you'll finish with a neat, secure, and safe installation. Without conduit in place, your run can lean towards sloppy and haphazard, which should, of course, be avoided. Avoiding slop is possible, primarily through careful planning. As with a conduit installation, you'll want to have a blueprint of the structure you'll be installing within.

When I'm doing free-run cables, I tend to stick to routing my cable along seams and ceiling-tile tracks (so long as these seams don't run along anything that would cause interference). Here are some tips that should aid you in running free cable:
• Plan ahead and buy in bulk. You'll save both time and money.
• Use the best cables you can afford. Don't try to skimp in this area because these beauties will need to be around for a long time.
• Make sure you measure your runs, keeping in mind the distance limitations of the type of wiring you're using. If you need to use repeaters or concentrators, make sure you strategically locate them for best access and use.
• Always run more cables than you think you need so you'll have room to expand, and terminate cables only when needed.
• The minimum bend radius for Unshielded Twisted Pair is four times the cable's outside diameter (approximately one inch). For multipair cables, the minimum bending radius is 10 times the outside diameter.
• Don't use multibundled cables. They're much more difficult to run for numerous reasons (weight, increased bend radius).
• Mark your cables before you make your run, and standardize your color-coding scheme.
• Wait until the run is complete before you tie anything down.

Creative cable-running tips
Everyone has his or her own methods. Some are fairly pedestrian, and some are amazingly clever. A technician I worked with was a rather industrious fellow who took advantage of his surroundings. On two particularly tricky occasions, this man's strange perspective came in quite handy. The first was a long, straight run within a very large conduit. The conduit was empty, and it seemed as if we weren't going to get the pull line from one end of the conduit to the other. After thinking awhile, this guy found a remote control car, tied the pull line to the antenna, put the car in the conduit, and drove the car to the other end.

The second incident might seem a bit cruel, but it really wasn't. The installation was a PA system for a horse stable. The run was to go across the entire length of the barn, but the ceiling it was to run on was not strong enough to support a human. Being the resourceful man he was, he located the nearest barn cat, tied the pull line to the cat's collar, put the cat on the ceiling, and called the cat to the other side. None of us knew why the cat actually came to him, but it did, and the run was successful.

These two stories only illustrate that there are limitless ways to get your pull line to its destination. If you're looking for a more standard approach, you'll want to look at a plumbing snake. These coiled spring-like wires, which can be rented at most tool rental shops, are perfect for fishing through conduit to run a pull line. Once you have fished the snake through the conduit (the snake must be longer than the conduit run, of course), attach the pull line to the end of the snake and pull the snake back out. Be careful to securely attach your pull line to the snake or else you'll be pushing the snake back through the conduit.

With the pull line through, you can now attach the Cat-5 (or whatever type of line you're pulling) to the pull line. One very simple way to make this attachment is to fold one of the Cat-5 cables into a loop and use electrician's tape to hold the loop together. You now have a perfect place to tie the pull line.

Before you actually begin pulling your cable through, do yourself a favor and lubricate the cable. Although you may assume your run is a straight shot from point A to point B, you can't be sure how much friction will build up and whether the cable will get caught up. A number of different cable pulling lubricants are available. Here's a small listing of some of the better lubes:
• Dyna Blue
• Easy Pull Plus
• Greenlee CRM-Q
• Merlin's Wire Helper
• Yellow 77

Conclusion
Running cable shouldn't be rushed or done without forethought. In fact, with careful planning and design, a good cable-run job will outlast most of your networking equipment and probably many of your employees. Take the time to design your cable runs as you would your networking infrastructure. The money you'll save in the long run (in the form of man hours, primarily) will be a welcome relief in tough times. Although not the work of Michelangelo, the art of cable running should be taken seriously and patiently.

Networking Fundamentals

When is it appropriate to replace network cabling?
Apr 23, 2002
By Ray Geroski

Administrators typically perform a wide variety of maintenance tasks, including backing up data, archiving old data, cleaning up shared drives, updating and patching software, and various other chores, all in an effort to keep their networks running smoothly and employees working productively. But what about the infrastructure on which the network resides? What kinds of preventive maintenance should you perform on the basic cabling infrastructure of the network? When do you know it's time to replace it and/or the switches and hubs that support it?

That's what Titus Ablorh recently asked in our Technical Q&A forums. Ablorh said that his cabling infrastructure is about eight years old and that he's using Cat 5 cabling and 10/100 Nortel Bay switches. He wanted to know when he should consider replacing parts and whether any standard guidelines for infrastructure replacement exist. While there's not a single clear-cut answer to the question, TechRepublic members offered feedback that provides some excellent input on the subject.

If it ain't broke…

A typical answer to the question of when to look at updating network cabling and other parts might be to wait until something goes wrong. In one respect, this is a logical response: Why bother replacing something if there's nothing wrong with it? While this may seem like a logical way to approach the issue, especially from a cost perspective, it overlooks the primary goal of administering a network: keeping everything up and running smoothly with minimal to no interruption of service. To that end, admins must be a little more proactive in determining the status of the network switches and cabling.

But what should you watch for? According to Gleb Yourchenko, a systems analyst at InFocus, an increase in the number of data errors is the first sign that you might have problems with your cabling and should begin looking at replacing cables or hubs/switches. Others, including dburk of Encyrion Technologies, said that performance issues can indicate the need for updates. When cost is a factor, dburk noted, you might have to replace only the parts that must be fixed when problems occur.

You want to do whatever you can to stay ahead of network issues, so heeding the warning signs of performance issues and data errors is a necessary part of maintaining the infrastructure.

Heading off potential problems

If you want to avoid networking issues altogether, though, you must take proactive steps to anticipate problems before they occur. The obvious solution is to regularly inspect your network cabling and other parts.

"I believe the best solution," Yourchenko wrote, "is to invite a technician…at least once a year to test the infrastructure." The technician will have the equipment and the knowledge necessary to spot potential problems, Yourchenko added.

It's also possible to inspect the jacketing and connectors yourself, said TheChas. "If the jacketing is starting to break down, or the fingers on the connectors are corroding, you should begin to plan for a rebuild."

While a physical inspection of the cabling and other parts won't reveal all of the potential trouble spots in the network, it can help you determine which parts should be replaced to prevent hardware-related data errors from occurring.

The money issue

One of the obvious considerations is the allotted budget for IT infrastructure. If every company had an unlimited amount of money to spend on hardware, the easy way to maintain

the network would be to regularly replace parts and cabling regardless of their condition. Unfortunately, no company has that luxury, so the condition of network hardware must be balanced against how much a company can spend to fix it. As several members noted, sometimes you just have to replace parts as they begin to malfunction or as performance issues begin to occur. At the very least, you can anticipate and plan for budget needs by conducting regularly scheduled inspections.

Replace when you perform other upgrades

Because infinite variables come into play when examining a network infrastructure—such as budget constraints, environmental variances, and hardware quality differences—it's hard to generalize about the timing for replacements. However, roger_simpson2002 offered a couple of good rules of thumb. First, he suggested that if you're upgrading your switching backbone, you should go ahead and replace the cabling too. Taking this extra step ensures that all of the equipment is updated. And, from a financial perspective, the cabling can be considered an integral, even necessary, part of the upgrade and can therefore be absorbed when budgeting that item.

Another instance in which you should replace the cabling is when you see signs of physical wear, he said. Other readers echoed this advice. Again, some kind of inspection of the cabling is important, regardless of whether you do it yourself or pay a technician to do it.

Your budget, your call

Although your budget may determine how much you can do to upgrade your network infrastructure and how often you replace cabling and other parts, it will be useful to keep these maintenance tips in mind:
• Pay attention to data errors as possible signs of cabling issues.
• Regularly inspect the cabling and other parts for signs of wear.
• Replace cabling simultaneously with other upgrades.

Some networks may run for a decade or more on the same cabling with no problem; others may have to be updated after a few years. As our members have pointed out, because of the vast differences that can exist from one company network to the next, you often have to make your own call about it. But you should be able to use some of these insights to help you make the decision.

Use the right networking components for your next cabling job
Oct 10, 2002
By Scott Lowe, MCSE

Does your organization contract out its cabling work, or is most of it done in-house? In either case, you should know how to choose the cabling components and tools for any kind of installation. And, while most vendors are trustworthy, it's important to watch over their shoulders and make sure that the equipment they choose is up to standards and that the work that they do is satisfactory. For that you need to know what to look for and how to choose the right equipment for your infrastructure. In this article, I'll take a look at some of the components you need to know about.

Key components

While it's often overlooked as a minor detail, choosing the right components can make a huge difference in your network. The decisions you make can mean the difference between a network that just gets the job done and one that works well today and is also ready for tomorrow. I prefer to do a job once, possibly paying a little more up front, and not have to worry about it later when I need to upgrade a connection or add a new device to the network. The first rule is simple: the lowest bid is not always your best choice. Even though it's a cliché, it's often true: You get what you pay for.

The backbone of a network is built around these key components:
• The network cable
• The patch panel
• The network jack
• The gang box

Network cable is too complicated to completely cover in this article. Read "Know the facts about network cabling," on page 13, for information on selecting the proper cabling. For now, let's look at the remaining components in turn.

The patch panel

There isn't much to look for in patch panels, but it's important to check what there is. For example, check the rating. Is the panel rated for Category (Cat) 5, 5e, or Cat 6? In today's networks, you should consider patch panels and remote jacks that meet Cat 5e ratings at a minimum.

Cat 5e rated cabling and components undergo more rigorous testing than Cat 5 installations, such as tests for far end crosstalk (FEXT) and return loss. Another reason to use Cat 5e components, cabling, and installation is that Cat 5e supports gigabit Ethernet applications. With the original Cat 5 standards, the tests that are specific for a cabling plant to be deemed "gigabit Ethernet ready" are not performed.

While most people associate cable with different categories, all of the components in the overall system must meet the specifications for the entire system to rate a certain category. Your overall network is only as fast as your slowest component. So, if you purchase Cat 5e cable but you install only Cat 3-rated patch panels, your overall network will be limited to Cat 3 speeds—if it will work at all.

Angled jacks are also a good idea in many patch panel installations. You may have seen jacks angled toward the floor in some offices. These types of jacks place less stress on the patch cables that connect to them. As a consequence, they bring greater longevity to the system as a whole, as well as fewer cabling-related problems. Belkin makes a 12-, 24-, and 48-port patch panel system that includes angled connectors.

The use of angled jacks in a patch panel is completely dependent on how you run cabling in your closets. If your patch cables angle downward toward the network equipment, angled patch panels may be useful. If your patch panels go off to the side of the rack and you use cable management to get to the network equipment, then angled patch panels won't be of much use to you.

The network jack

While it's important to choose appropriate components at the network center or equipment closets, it's just as important to choose jacks at the remote end that will help to maintain the quality of your infrastructure. The jacks you choose should conform to the standard you've chosen for your overall system. If you're using Cat 5e equipment, then use a 5e wall jack as well. While some wall jack components are interchangeable with different faceplates, make sure of this before you buy a lot of both. The jack faceplate will cover the hole in the wall that you make to put up a gang box.

If you decide to run a number of different types of cables to the same jack location, such as telephone and/or video cables, most manufacturers also make RJ-11 or RJ-23 type telephone jack inserts as well as inserts with a cable TV "F" connector, which is the standard cable TV outlet type. If you're thinking way ahead, you may also be running fiber optic cabling at the same time. You'll be pleased to know that most manufacturers make matching connectors for fiber optic cables as well.

In addition to the patch panel, you can also get angled connectors for the remote wall jacks, where they're likely to be more useful. It's much more likely that the cables in offices will be moved around as people change offices, move furniture, and get new systems, so angled connectors can take some stress off patch cables that see a lot of use.

The gang box/wall connection

Fortunately, there isn't much to think about when selecting a gang box. A gang box is simply the housing behind the wall where your cabling will go and to which the faceplate will attach. A gang box looks like the housing behind the faceplate on your electrical outlets. In my cabling jobs, I've found it's normally only feasible to install gang boxes when there's no drywall up yet. After drywall goes up, it becomes both expensive and difficult to put gang boxes in place. However, almost any electrical or cabling store will have a solution. This solution is basically a piece of metal that bends, or a piece of plastic with teeth. In either case, you simply need to cut a rectangular hole in the wall about the size of the piece of metal or plastic and insert the metal or plastic piece into the hole. With the metal units, you generally bend a piece of the metal around the back of the drywall to hold the unit in place. With a plastic unit, there are three pieces—the first piece is the housing, while the other two are small pieces that you place over the teeth that keep it connected to the wall. The entire purpose of these solutions is to give you something to screw a faceplate to. Without one of these, you'd have to screw directly into the drywall, and that can be problematic.

For the height of the box, it's useful to know the height of the electrical boxes that surround it. Even if the box is not a standard height off the ground, it will look much better when finished if it matches the height of the electrical boxes near it. To exactly match the height, you can use a tape measure or a tool such as the Siemon Wall Box Locator.

Don't forget permits and building codes!

In some areas, you need a permit to install network, cable TV, and telephone cabling and components. In most areas, a low voltage installation permit will suffice. If you don't get a permit and later have a problem or want to sell your house or building, you may have difficulty, so be careful and check this out before you begin. Always make sure your installations meet building codes. This is especially important for liability reasons.

Tools you'll need

Obviously, if you're planning to hire a contractor for all of your cabling work, you don't need any specialized tools. If, however, you decide to do the installation work yourself, or if you just want to be able to quickly and properly run a cable now and then, there are a few tools that can make the job much easier and more likely to succeed. Some of the tools you should have at your disposal are:

• Hammer: An essential tool for everything from replacing watch batteries and building houses to dealing with uncooperative coworkers, a hammer makes it easier to nail a gang box to a stud in network installation jobs where there is no drywall present yet.
• Screwdriver: Used to secure the patch panel to a rack and to secure faceplates to the wall. Also useful when you make a mistake and need to separate one of the RJ-45 snap-ins from the faceplate.
• 110 punch tool: While most patch panels will come with a small plastic punch tool, I highly recommend buying a professional-grade unit. It is much sturdier, and it will keep you from ruining your fingers when you slip. You can get a decent punch tool for around $50.
• Cutters: For trimming the ends of cables.
• Network cable tester: In order to know that your cable plant is going to work, you need to test the cables afterwards, and you'll need this tool to do it.
• Cabling certification tool: If you're a professional who installs network cabling for a living, it's critical to be able to certify that the cabling plants that you install are up to the job and to be able to prove that it is indeed Category 5e and gigabit ready. If you're managing a very large cabling plant or are a cabling contractor, these are must-have devices.

For network cable testers, my favorite cabling tester is the Microscanner Pro from Fluke. It's fairly inexpensive. Besides testing continuity to make sure that all of the cable pairs are intact and working, it verifies the length of the cable to make sure that you're within specifications. It also includes a wire-mapping adapter that can help you to verify that your cables are wired properly. This unit costs around $350, but it's worth it because it considerably reduces the time it takes to troubleshoot network problems and test your installations.

When it comes to cable certification tools, the Fluke OMNIScanner 2 is one of my personal favorites. It's capable of doing basic certification as well as producing reports that you can pass on to your clients. But be prepared to spend some money: These devices start in the low $5,000 range, and you can add options on top of it.

THE 110 PUNCH TOOL
You may have seen some tools in the list that you're not immediately familiar with, such as the 110 Punch Tool. The reason for the name "110" is this—the patch panel that you use in networks uses a 110-type wiring interface. Individual network cables are placed at specific locations and then "punched" into the unit. "Punching" simply strips a small portion of the wire and pushes it deep into the patch panel grooves so that it makes contact with the metal and can transmit an electrical signal. Some punch tools also come with a 66-type punch head, which is commonly used in telephone/voice applications.

Don't get tied up in knots about cabling

While you may not actually be installing cable yourself, it's important to know how it's done so that you know what things will cost and can monitor contractors' work. If you do some of the work yourself, you definitely need to know how to do it right. Don't buy what's cheapest—buy what's best for your network and what best meets your needs.

Know the facts about network cabling
Oct 24, 2002
By Scott Lowe, MCSE

When it comes to network design, one of the most important decisions you'll make is choosing and installing the right cable for your network. Even if you hire professional cabling contractors, it is important for you to know what they're doing and what to look for so that you can properly evaluate their work. In this article, I'll show how to choose the right cable and how to install it the right way the first time.

Fewer but better choices

If you're running the cable for a network today, your choices are much clearer than they were just a few years ago. Not so long ago, coaxial cable was still in widespread use. Unshielded twisted-pair cabling was primarily based on Category 3 standards, running at a maximum of 10 Mbps. Category 5 cable was still out of reach for most network administrators' budgets. Those with money to burn also had fiber to consider.

Standards were, at best, fuzzy. Several different standards were fighting it out for the supremacy of running 100 Mbps over unshielded twisted-pair. There was a lot of uncertainty about whether it was even possible to run data over copper at such speeds. Some critics claimed that 100 Mbps was suitable only for fiber.

Today, deciding on a particular type of cable isn't as much a matter of which cable will eventually become the standard as it is a matter of what you need to do right now and for the next few years. Most of today's network installations generally use some type of unshielded twisted-pair cabling, although some organizations are running fiber directly to their desktop machines.

Many different kinds of unshielded twisted-pair (UTP) cabling are available, and you need to pick the one that will best serve your needs without breaking your budget. UTP cabling is generally rated by incremental "categories." For example, when someone is talking about Category 3 cabling, they mean a type of cabling commonly found in telephone and other voice applications or low-speed data transmission, and that has a transmission frequency of 16 MHz.

MEGAHERTZ, NOT MEGABITS
Please note that I'm using megahertz (MHz) and not megabits per second (Mbps) to describe the transmission frequency. The MHz rating directly affects the Mbps rating, but they're not the same value.

Different kinds of UTP cabling are available. Each type runs at a different speed and has different uses. The key types of UTP cable you'll encounter are:
• Category 3: Cat 3 was the earliest successful implementation of UTP. It's primarily used for voice and lower-speed data applications. It's rated for a maximum of 10 Mbps.
• Category 4: Cat 4 never achieved the popularity of Cat 3 or Cat 5. It's primarily used for voice and lower-speed data at a maximum of 16 Mbps.
• Category 5: As Fast Ethernet became a standard, Cat 5 became the basis for most high-speed data implementations. Cat 5 runs at a maximum of 100 Mbps.

AUTHOR’S NOTE: TWISTED-PAIR CABLING I’ll be focusing on twisted-pair cabling since that’s the prevalent technology today. You still have the same choices of fiber, shielded twisted-pair, and coax cable that you had in the past. However, because unshielded twisted-pair is so inexpensive and has such a large market share, it’s the first choice for most network administrators.

• Category 5e: With the need for higher speeds, Gigabit Ethernet has become the new replacement for Fast Ethernet. To make it work, Cat 5e extends the life of Cat 5 cable. It can run at a maximum of 1,000 Mbps.
• Category 6: Cat 5e can run at gigabit speeds, but with 10-Gigabit Ethernet on the horizon, Cat 5e has stretched the Cat 5 standard to its limits. Cat 6 can currently run at 1,000 Mbps (1 Gbps). The Category 6 specification was released for publication very recently; as designed, however, Category 6 cabling is expected to support speeds of at least 10 Gbps.

For new installations, I highly recommend running a minimum of Category 5e cabling for both voice and data. In today's environment, there's no reason to use anything less. Cat 3 may be a little cheaper, but you'll lose this savings in the costs of replacement when you find out it can't go fast enough for you. Although you may get away with running regular Cat 5 cable, Cat 5e is only slightly more expensive. The incremental cost is well worth the speed advantage and future expandability you gain with Cat 5e.

Pay attention to the jacketing

UTP cabling is almost always sheathed in some type of plastic-like insulating material. Less expensive cabling uses PVC (polyvinyl chloride) as the jacket material. Not all environments can use this type of cabling, for both safety and legal reasons. When PVC burns, it gives off noxious fumes, including hydrogen chloride and dioxins, that are dangerous to those who breathe them. While a single burning PVC cable may not be deadly, firefighters who must enter burning buildings that have thousands of cables can be at risk. Check your local laws—in many places, it's illegal to use PVC cables in any air-handling spaces, such as in the ceiling or below a raised floor. In these situations, you need to use a cable with a more expensive but much safer jacket, called plenum. If your cables are just run into the wall and you're positive that they don't run in air-handling spaces, you should be fine with standard Cat 5 cable. If you don't need it, don't incur the expense of plenum cable, which can be two to three times the cost of PVC.

Follow the rules

Second only to choosing the appropriate cable is making sure it's run throughout your organization in a manner consistent with standards that ensure the best possible performance. In fact, if you don't follow a few basic tenets, you could end up with an installation that's expensive but not functional. Here are a few basic rules you should follow when installing cable.

Watch the length of your cable runs

No cable run should be more than 100 meters (approximately 328 feet) in length, including patch cables. The in-wall/-ceiling distance—also called the horizontal run distance—should be no longer than 90 meters. This leaves up to 10 meters in total for the patch cables at the two ends of the connection combined, not 10 meters at each end.

Watch for interference

No cables should be run near devices that generate electromagnetic interference. This is one of the rules most often broken by amateur cabling installers. Devices that generate electromagnetic fields include heating/cooling units, printers, copiers, electrical wiring, video equipment, and much more. You should be very careful to keep UTP cabling at least 3 feet away from anything that can create an EM field. In addition, it's critical to keep UTP cabling as far away from fluorescent lighting as possible, since cables are very susceptible to interference from fluorescent lights.

Handle with care

Take care not to damage cable when installing it. Don't exceed the bend radius of UTP cabling or it may not work as expected. It's generally accepted that cable bent to a radius tighter than four times the diameter of the cable is not run properly. Be very careful not to flatten cable with a hammer or a staple. Hammer and staple indentations on UTP cabling can create problems such as changing the signal's properties, resulting in a less efficient (or nonfunctional) network. If you're tying a bundle of cables together, use a zip tie that is secure but leaves a little wiggle room. If you tie the cables too tightly together, you run

TESTING EQUIPMENT IS IMPORTANT
If you're a professional installing network cabling for a living, it's critical to be able to certify that the cabling plants you install are up to the job and to prove that it is indeed Category 5e and gigabit ready. The Fluke OMNIScanner 2 is capable of doing this as well as producing reports that you can pass on to your clients. But be prepared to spend some money, as these devices start in the low $5,000 range, with options available. If you manage a very large cabling plant or are a cabling contractor, these are must-have devices.

the same risks as when you flatten it. Finally, when pulling cable through the ceiling or conduit, be careful about how hard you pull at the cable. Don't exceed 25 pounds of pulling force, in order to avoid stretching the cable, which can damage its electrical characteristics and render it out of compliance for high-speed data networks.

Use the right equipment

Wherever possible, make use of a ladder rack or a cabling tray with a solidly installed bottom. It will make your interconnections go much more smoothly.

Termination and testing of UTP: Category 5e

The next areas you need to focus on are properly terminating your cable and testing it to make sure that it's within specifications. I'm going to concentrate on the proper termination of Category 5e cabling because it is the latest officially standardized UTP cabling currently available and it supports gigabit Ethernet installations.

Like every other phase of cable installation, a set of standards governs the termination phase in order to ensure that the plant will support high-speed data. One of the primary standards specifies exactly what should take place when the cable jacket is stripped back and the individual pairs untwisted to prepare them for termination. The twisting of Category 5e cabling is one of the characteristics that define the communication properties for the cabling and enable it to do its job. Removing too much twist from the cable results in an imperfect installation, and it can put the cable out of specification and possibly make it unable to support high-speed data transmission.

The current Category 5e specifications indicate that up to 13 mm of twist may be removed in order to support cable installation, and up to 60 mm of the jacket may be stripped away. This is the same at both ends of the horizontal run—i.e., at both the network closet patch panel and the wall jack—as well as for patch cables used with the system.

Get to work

Installing cabling properly and for the long run is no walk in the park. Besides some very strict installation guidelines, you need to test each and every cable for specific parameters in order to make sure that your cable plant can support your requirements. Cabling isn't as complicated as it sounds, but if you're not careful, you can wind up wasting a lot of time and money. Follow these guidelines to do it right the first time.

Deploying and managing 10/100BaseT Ethernet hardware
Oct 5, 2001
By Mike Mullins, CCNA, MCP

Since the late 1990s, 10/100BaseT Ethernet has become the de facto standard for local area networks. Here's a look at the hardware components involved in using Ethernet in a 10/100BaseT network, including cable pinouts and specs, network cards, hubs, and switches.

Some background on Ethernet

So you want to build an Ethernet LAN? Or maybe you're wondering exactly what Ethernet is. Well, Ethernet (the name commonly used for IEEE 802.3 CSMA/CD—carrier sense multiple access with collision detection) is the dominant cabling and low-level data delivery technology used in local area networks (LANs). First developed in the 1970s, it was published as an open standard by DEC, Intel, and Xerox (or DIX) and later described as a formal standard by the IEEE. Following are some Ethernet features:
• Ethernet transmits data at up to 10 million bits per second (10 Mbps). Fast Ethernet supports up to 100 Mbps. Gigabit Ethernet supports up to 1,000 Mbps (but that's another story).
• Currently, 10BaseT and 100BaseT (Fast Ethernet) Ethernets are the most common, and both can be built with twisted-pair cabling.
• Data is transmitted over the network in discrete packets (frames), which are between 64 and 1,518 bytes in length (46 to 1,500 bytes of data, plus a mandatory 18 bytes of header and cyclic redundancy check [CRC] information: a 14-byte header and a 4-byte frame check sequence).
• Each device on an Ethernet operates independently and equally, precluding the need for a central controlling device.
• Ethernet carries a wide array of network-layer protocols, including TCP/IP, AppleTalk, IPX, etc.
• To prevent the loss of data, when two or more devices attempt to send packets at the same time, Ethernet detects collisions. All devices immediately stop transmitting and wait a randomly determined period of time before they attempt to transmit again.

Phase 1: Preplanning

The first decision is a technology and cost decision. Will your network be 10BaseT or 100BaseT? Can you afford 100 Mbps from POP (Point of Presence, your connection to the outside world) to client, or do you just need the higher bandwidth on your backbone? The following is a comparison of the two technologies.

Standard Ethernet (10BaseT)

Standard Ethernet (10BaseT) uses RJ-45 connectors on Unshielded Twisted Pair (UTP) or Shielded Twisted Pair (STP) cable and operates at 10 Mbps. (Note that "plenum" is a fire-rated jacket type, not a shielding type; either UTP or STP can have a plenum jacket.) Using a star topology, all computers connect to a hub/switch using patch cables with RJ-45 male connectors on both ends. These hubs can be linked to increase the number of ports available for patch cables; however, no more than three hubs should be linked together. Sometimes these hubs/switches have "uplink" ports that allow them to be connected to each other using special cables that blend two hubs into one without daisy chaining. Both clients and hubs have RJ-45 female connections. Ideally, Category 5 patch cables should be used in 10BaseT (so that you can upgrade to 100BaseT without recabling).

Specifications: 10BaseT networks are wired (within the plugs and ports) according to the EIA/TIA 568B (T568B) pin assignment. Maximum cable length is 100 meters. Maximum number of devices is 1,024, although performance would be unacceptable long before this number is reached.

Fast Ethernet (Also called 100BaseT)

This technology is essentially the same as 10BaseT in terms of specifications and limitations, but it has higher bandwidth. However,

the network interface cards (NICs) and the ports on the hubs and switches operate at 100 Mbps. It is very common to have a 10BaseT LAN that runs from clients to a central switch or hub and a 100BaseT LAN as the backbone for your servers.

Phase 2: Plan

Building any network should begin with a physical plan. Draw your network out and measure the distance from the POP to each workstation. By having a physical reference for your network, you can determine how far your cable runs are going to be and where you will need to use switches and hubs to segment and extend your network.

The heart of an Ethernet network is the cable you use. One of the reasons for your physical plan is to ensure that your wiring plan will not violate the maximum cable length (100 meters for 10BaseT/100BaseT networks) for the type of wire you will use to connect your network. Currently, the majority of copper cable used for Ethernet is Category 5. This refers to the TIA/EIA-568 cabling standard, published by the TIA/EIA (not the IEEE, which standardizes Ethernet itself). Category 5 cable is rated for a bandwidth of 100 MHz and a data throughput rate of up to 100 Mbps.

When networking with Ethernet, it is highly recommended that you use Category 5 (or Category 5e) cable. You may not have switches/hubs that support 100-Mbps connections to the desktop. But having the ability to upgrade that switch/hub without the expense and time associated with rewiring your network is enough reason to justify the additional cost of Category 5 rated wire.

Your wiring should begin from the heart of your network—your data center or server room—and fan out to the clients.

Phase 3: Buy

Network interface cards

NICs connect a client/host device to your network. Cheap NICs can introduce chatter and collisions. They can deny bandwidth and cause endless hours of troubleshooting. The same is true with hubs and switches. Find a good NIC that is within your price range and use that type of card consistently throughout your network. Plan for a failure rate of 1 in 100 and purchase additional cards when you are populating your network. When a NIC fails and cuts a client or server off your network (or disables your network with chatter), that's not the time to learn how to install a NIC.

Hubs

Hubs are used to connect multiple hosts to one segment of wire, and all hosts share the same bandwidth—meaning one large collision domain. Because a hub repeats every frame to every port, a network sensor attached to a hub sees all the traffic on that portion of the network, so use hubs at the points where you would deploy a sensor. Keep in mind that the same property lets any host plugged into the hub eavesdrop on every other host's traffic, so a hub belongs only where that exposure is acceptable.

Switches

Switches transfer data between different ports based on the destination MAC addresses. Each segment or port connection is its own collision domain, but all ports are in the same broadcast domain. You can use switches to connect multiple ports to the same destination (that is, multiple uplink ports), but only one port can be active at a time; the spanning tree protocol blocks the redundant links so that the network has a single active path.

If cost allows, use "intelligent" switches that offer port spanning (also called port mirroring or a SPAN port). This will enable you to place a network sensor on that switch and let it inspect all of the traffic regardless of destination. When buying hubs or switches, plan on a 50 to 100 percent growth rate. So, for example, if you currently need to connect only 12 hosts to a switch, buy a switch with 24 ports. This allows for growth as well as potential port failure.

Phase 4: Build

Once you've planned properly and bought the hardware, it's time to build out your Ethernet hardware. Whether you outsource the cabling job or do it yourself, here are some tips to follow:
• When you place your servers, hubs, and switches, remember to allow for the proper ventilation and cooling in your data center or server room.
• Don't skimp on cable layout. Make cable runs from switches and hubs to a patch panel, preferably in your data center/server room. Then, run the cable through your walls from the patch panel to the wall

Networking Fundamentals 17 Figure A Figure B

Orange Green Pair 2 Pair 3

Green Blue Brown Orange Blue Brown Pair 3 Pair 1 Pair 4 Pair 2 Pair 1 Pair 4

RJ-45 JACK RJ-45 JACK EIA/TIA 568A STANDARD EIA/TIA 568B STANDARD

mounts and run a separate cable from the I would recommend using one standard wall mounts to the client devices. Never run throughout your network. The most popular is cable from an intermediate device (switch/ 568B. It doesn’t matter which standard you hub) directly to a client device. This can use; just be consistent. result in troubleshooting and design Also, remember the following: problems. X To connect two similar devices (two clients, X Do not run Ethernet cable alongside power two hubs, etc.), you should make one end of cables. If costs allow, buy cable ducting and your cable 568A and the other 568B. This is use it to route and protect your cables. often called a crossover cable. X After installation, test your cables with data X To connect two different devices (client/ testing equipment or known good devices. server to a hub or switch), your cable should have the same wiring scheme on Cabling both connectors. If you are the network manager, you should have a firm understanding of the layout (also Summing up called pinouts) of the RJ-45 connectors on Now you have the information you need to your Ethernet data cables. There are two stan- decide what type of Ethernet network dards for cable ends: EIA/TIA 568A (Figure A) (10BaseT or 100BaseT) you’ll need, how to and EIA/TIA 568B (Figure B). plan, what to buy, and how to build. In the When looking at an RJ-45 wall jack (female), next article, I’ll cover the protocols that can contact 1 is on the left, and contact 8 is on the run over your Ethernet LAN and explain what right. When looking at the RJ-45 connector on your data looks like “on the wire,” as well as the end of a cable (male) with the tab on the offer some helpful troubleshooting tips spe- bottom and the contacts on the top, contact 8 cific to Ethernet LANs. is on the left, and contact 1 is on the right.

Understanding how 10/100BaseT Ethernet operates
Oct 10, 2001
By Mike Mullins, CCNA, MCP

Since the late 1990s, 10/100BaseT Ethernet (also known as IEEE 802.3 and CSMA/CD) has become the de facto standard for local area networks. We're going to look at the elements involved in using Ethernet in a 10/100BaseT network, including the components of a frame, how Ethernet technology functions, and where this suite of technologies fits into the OSI reference model.

Ethernet frames are the building blocks

The core of the Ethernet system is the Ethernet frame, which is used to deliver data between Ethernet network adapters. The frame (Figure A) consists of a set of bits organized into several fields. These fields include address fields, a variable-size data field that carries from 46 to 1,500 bytes of data, and an error-checking field that checks the integrity of the bits in the frame to make sure that the frame has arrived intact.

Figure A: Ethernet 802.3 frame

  Preamble (7 bytes) | Start Frame Delimiter (1 byte) | Destination MAC Address (6 bytes) | Source MAC Address (6 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)

Here is a closer look at the components of an Ethernet frame:

• Preamble: These 56 bits having alternating 1 and 0 values are used for synchronization. They give components in the network time to detect the presence of a signal and read the signal before the frame data arrives.

• Start frame delimiter: This involves 8 bits having the bit configuration 10101011, indicating the start of the frame.

• Destination and source MAC addresses: These addresses have 48 bits each to identify the frame's destination and source addresses. The addresses used are the MAC addresses of the network adapters. A destination address may specify either an individual address destined for a single network adapter or a multicast address destined for a group of network adapters, as in the case of a broadcast.

• Length/Type: These 16 bits indicate the number of bytes in the Data field.

• Data: These are the 46 to 1,500 bytes that represent the data transferred from the source to the destination.

• Frame check sequence (FCS): A 4-byte cyclical redundancy check (CRC) value is used for error checking. This value is recalculated at the destination network adapter. If the value is different from what is transmitted, the receiving network adapter assumes that an error has occurred during transmission and discards the frame.

As each Ethernet frame is sent onto the shared medium, all Ethernet network adapters look at the first 48-bit field of the frame, which contains the destination address. The network adapters then compare their address with the destination address of the frame. The network adapter with the same address as the destination address in the frame will read in the entire frame and deliver it to the networking software running on that computer. All other network interfaces will stop reading the frame when they discover that the destination address does not match their own address.

An Ethernet LAN can simultaneously carry several different kinds of software protocol data. A single Ethernet can carry data between computers in the form of TCP/IP protocols, as well as Novell IPX or AppleTalk protocols. The Ethernet is simply a transport system that carries frames of data between computers; it doesn't care what's inside the frames.

The nuts and bolts of the Ethernet

The Ethernet consists of the following elements:

Physical media

The first requirement for the Ethernet to operate is the existence of the actual wires and devices used to carry Ethernet signals between devices, which I covered in the previous article, "Deploying and managing 10/100BaseT Ethernet hardware."

Media Access Control rules

Media Access Control rules are embedded in each Ethernet network interface card (network adapter). They allow multiple computers to reasonably decide who gets access to the shared Ethernet medium and when they get that access.

The Media Access Control rules are based on a system called carrier sense multiple access with collision detection (CSMA/CD). Only one network adapter can talk at a time on a shared wire. To send data, a network adapter first listens (carrier sense) to the wire.

Carrier sense

The IEEE 802.3 specification states that before a station can attempt to transmit on the wire, it must wait until it has heard 9.6 microseconds (millionths of a second) of silence. This 9.6-microsecond interframe gap allows the network adapter that last transmitted to cycle its circuitry from transmit mode to receive mode. Without the interframe gap, a network adapter could miss a frame that was destined for it because it had not yet cycled back into receive mode.

This standard is based on 1970s technology, and most network adapters in today's market are capable of switching from transmit to receive in much less time than 9.6 microseconds. Some adapter manufacturers have designed their cards with a smaller interframe gap cycle and advertise higher data transfer rates than their competitors. This is another reason to be consistent with the network adapters you use.

Multiple access

After each frame transmission, all network adapters on the network will wait 9.6 microseconds and compete equally for the next frame transmission opportunity. This ensures that access to the network media is fair and that no single station can lock out the other stations. After the interframe gap, if two network adapters start transmitting at the same instant, they detect each other's presence (collision detection) and stop transmitting.

Collision detection

Ethernet frames are a series of voltage pulses on a wire and take a specific amount of time to travel from one end of an Ethernet system to the other. The first bits of a transmitted frame do not reach all parts of the network simultaneously. Therefore, it's possible for two network adapters to sense that the network is idle and to start transmitting their frames simultaneously. When this happens, the Ethernet system has a way to sense the collision of signals and to stop the transmission and resend the frames.

The network adapters are notified of this event and instantly reschedule their transmission using a specially designed backoff algorithm. As part of this algorithm, the network adapters involved choose a random time interval to schedule the retransmission of the frame, which keeps the network adapters from constantly colliding during retransmission.

Collisions on an Ethernet network are normal and indicate that the CSMA/CD protocol is functioning properly. As more computers are added to a given Ethernet network, the traffic level will increase and more collisions will occur as part of the normal operations. The design of the system ensures that the majority of collisions on an Ethernet will be resolved in microseconds.

On a network with heavy traffic, there might be multiple collisions for a given frame transmission attempt. This is also normal behavior. If repeated collisions occur for a given transmission attempt, the stations involved begin expanding the set of potential backoff times from which they choose their random retransmission time. Repeated collisions for a given packet transmission attempt indicate a busy network. The expanding backoff process, formally known as the truncated binary exponential backoff, is a feature of the Ethernet MAC that provides an automatic method for network adapters to adjust to traffic conditions on the network.

Only after 16 consecutive collisions for a given transmission attempt will the network adapter finally discard the Ethernet packet. This can happen only if the Ethernet is overloaded for a long period of time or is broken.

If a network is experiencing an excessive number of collisions, an Ethernet switch can be used to segment the collision domains.

Delivering the data

Ethernet systems operate as a best effort data delivery system. No guarantee of reliable data delivery is made. The Ethernet is engineered to produce a system that normally delivers data extremely well. However, errors still occur. For instance, electrical noise may occur somewhere in a cabling system, which corrupts the data in a frame and causes it to be dropped. No LAN system is perfect, which is why higher protocol layers of network software are designed to recover from errors.

It is up to the high-level protocol sending data over the network to make sure that the data is correctly received at the destination. These protocols do this by establishing a reliable data transport service using sequence numbers and acknowledgment mechanisms in the packets that they send over the LAN.
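The frame layout and the receive-side checks described in this article (the 48-bit destination filter, the Length/Type field, the 46-byte minimum data field and the recalculated FCS) as an added example; this is not code from the article or from any adapter vendor. It builds and parses the part of the frame after the preamble and start frame delimiter, using the standard library's CRC-32 for the FCS. It also goes slightly beyond the article by distinguishing the 802.3 "length" interpretation of the field from the Ethernet II "EtherType" interpretation. The MAC addresses and payloads are constructed sample values.

```python
"""Build and check IEEE 802.3 frames (after the preamble and SFD) with a CRC-32 FCS."""
from __future__ import annotations

import struct
import zlib

BROADCAST = b"\xff" * 6
MIN_DATA, MAX_DATA = 46, 1500      # data field limits given in the article
MIN_FRAME, MAX_FRAME = 64, 1518    # 14-byte header + data + 4-byte FCS


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(covered: bytes) -> bytes:
    """CRC-32 over destination address through data, as the adapter computes it.
    zlib uses the same polynomial as IEEE 802.3; the value goes on the wire
    least-significant byte first."""
    return struct.pack("<I", zlib.crc32(covered) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, payload: bytes, ethertype: int | None = None) -> bytes:
    """Length/Type carries the data length (802.3 style) unless an EtherType
    (>= 0x0600) is given. Short payloads are zero-padded to the 46-byte minimum
    so the whole frame reaches 64 bytes."""
    if len(payload) > MAX_DATA:
        raise ValueError("payload exceeds 1,500 bytes")
    length_type = len(payload) if ethertype is None else ethertype
    data = payload + b"\x00" * max(0, MIN_DATA - len(payload))
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", length_type) + data
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """True when the recalculated CRC equals the transmitted one; otherwise
    the receiving adapter discards the frame."""
    return len(frame) >= MIN_FRAME and fcs(frame[:-4]) == frame[-4:]


def parse_frame(frame: bytes) -> dict:
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"runt or giant frame: {len(frame)} bytes")
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame discarded")
    length_type = struct.unpack("!H", frame[12:14])[0]
    data = frame[14:-4]
    if length_type <= MAX_DATA:          # 802.3: the field is the data length, so padding can be stripped
        kind, payload = "length", data[:length_type]
    elif length_type >= 0x0600:          # Ethernet II: the field names the protocol (0x0800 = IPv4)
        kind, payload = "ethertype", data
    else:
        raise ValueError("reserved Length/Type value")
    return {
        "dst": bytes_to_mac(frame[:6]),
        "src": bytes_to_mac(frame[6:12]),
        "length_type": length_type,
        "kind": kind,
        "payload": payload,
    }


def accepts(frame: bytes, my_mac: str) -> bool:
    """The address filter every adapter applies to the first 48 bits: its own
    unicast address, the broadcast address, or a group address (low bit of the
    first octet set). A real adapter passes only the multicast groups it has
    joined; that refinement is left out here."""
    dst = frame[:6]
    return dst == mac_to_bytes(my_mac) or dst == BROADCAST or bool(dst[0] & 0x01)


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"hello")  # constructed sample
    print(len(frame), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                  # one flipped bit in the data field
    print("damaged frame passes FCS:", fcs_ok(bytes(damaged)))
```

Flipping any single bit in the constructed frame makes `fcs_ok` return False, which is exactly the case the article describes: the receiver recalculates the CRC, sees a mismatch, and drops the frame rather than passing corrupt data up to the protocol stack.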
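The truncated binary exponential backoff described above, as an added example rather than code from the article: after the n-th consecutive collision an adapter picks a random slot from a window of 2^min(n, 10) slots, and after 16 consecutive collisions it discards the frame. The slot time of 51.2 microseconds (512 bit times on 10-Mbps Ethernet) is a standard value that the article does not quote; the `contend` simulation, in which several stations want the medium at once, is a simplification that I constructed to show how the windows spread the stations out.

```python
"""Truncated binary exponential backoff, the retransmission scheduler the article describes."""
import random

SLOT_TIME_US = 51.2      # one slot = 512 bit times = 51.2 microseconds at 10 Mbps
MAX_ATTEMPTS = 16        # the frame is discarded after 16 consecutive collisions
WINDOW_CEILING = 10      # the window stops doubling after the 10th collision ("truncated")


def backoff_window(collisions: int) -> int:
    """Number of slots to choose from after the n-th consecutive collision: 2^min(n, 10)."""
    if not 1 <= collisions <= MAX_ATTEMPTS:
        raise ValueError("collision count must be between 1 and 16")
    return 2 ** min(collisions, WINDOW_CEILING)


def backoff_delay_us(collisions: int, rng: random.Random) -> float:
    """A random slot count from the current window, converted to microseconds."""
    return rng.randrange(backoff_window(collisions)) * SLOT_TIME_US


def send_frame(collides, seed: int = 1):
    """One adapter's attempts to send one frame. `collides(attempt)` stands in for the
    medium and reports whether attempt number n collided.
    Returns (delivered, consecutive_collisions, total_wait_us)."""
    rng = random.Random(seed)
    waited = 0.0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides(attempt):
            return True, attempt - 1, waited
        if attempt == MAX_ATTEMPTS:
            return False, attempt, waited      # 16 consecutive collisions: give up
        waited += backoff_delay_us(attempt, rng)


def contend(stations: int, seed: int = 7, max_rounds: int = 10_000):
    """Several adapters that all have a frame ready at the same instant. Each round every
    pending adapter picks a slot (0 on its first attempt, random within its window after
    that); the earliest slot transmits. If several share it they collide and widen their
    windows; the rest defer (carrier sense). Simplification: deferring adapters re-draw
    a slot next round instead of keeping their timers running.
    Returns (delivery order, discarded stations, rounds)."""
    rng = random.Random(seed)
    pending = {s: 0 for s in range(stations)}   # consecutive collisions per station
    delivered, discarded, rounds = [], [], 0
    while pending and rounds < max_rounds:
        rounds += 1
        slots = {s: (0 if c == 0 else rng.randrange(backoff_window(c)))
                 for s, c in pending.items()}
        first = min(slots.values())
        senders = [s for s, slot in slots.items() if slot == first]
        if len(senders) == 1:
            delivered.append(senders[0])
            del pending[senders[0]]
            continue
        for s in senders:                        # collision: every sender backs off again
            pending[s] += 1
            if pending[s] == MAX_ATTEMPTS:
                discarded.append(s)
                del pending[s]
    return delivered, discarded, rounds


if __name__ == "__main__":
    print([backoff_window(n) for n in range(1, 17)])
    print(send_frame(lambda n: n <= 3))          # three collisions, then success
    print(send_frame(lambda n: True))            # never gets through: discarded after 16
    print(contend(3))
```

The window list printed first (2, 4, 8, ..., 1024, 1024, ...) is the whole mechanism in one line: each additional collision doubles the spread of retransmission times until the tenth, after which the window is held at 1,024 slots for the remaining attempts. A station that is discarded in `contend` with a small number of stations would be a sign of the broken or hopelessly overloaded segment the article mentions, not of normal operation.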

Prepare for Gigabit Ethernet networking
Nov 21, 2002
By Brien M. Posey, MCSE

If you've been working with networks as long as I have, you probably remember the days when 10-Mbps Ethernet seemed fast. And when 100-Mbps "Fast" Ethernet debuted—Wow! Just when it seemed as if Ethernet couldn't get any faster, along came Gigabit Ethernet with speeds up to 1,000 Mbps (1 Gbps).

Even if you're not deploying Gigabit Ethernet right now, eventually you will. After all, just look at all of the Fast Ethernet equipment in your wiring closet. However, just because you're not deploying Gigabit Ethernet today doesn't mean you can't get your network ready to handle it. In this article, I'll show you what you need to do to prepare for Gigabit Ethernet.

What's so great about Gigabit Ethernet?

Although Gigabit Ethernet is growing in popularity, few people I know are actually running it yet. When I ask why, many explain that they'd been burned by ATM and weren't ready to go through that whole experience again. ATM was originally touted as the replacement for Ethernet. It was faster than Ethernet and didn't have some of Ethernet's initial problems, such as packet collisions.

However, ATM can be costly. It's also difficult to set up and doesn't work well in environments that require routing between many different subnets. In the end, ATM's performance can be disappointing.

This is what makes Gigabit Ethernet such a great technology. While Gigabit Ethernet is a high-speed medium, it's still Ethernet-based. This means that setting up a Gigabit Ethernet network isn't much different from setting up any other type of Ethernet network.

Best of all, since Gigabit Ethernet is a true Ethernet medium, it will interface with your existing Ethernet network. A Gigabit Ethernet switch can move packets between 10/100-Mbps and 1,000-Mbps networks without any type of packet translation. This not only leads to better efficiency than you'd get with ATM, but it also means less complexity and therefore less chance that something will go wrong.

How fast is it really?

Because Gigabit Ethernet supports transmission speeds of roughly 1,000 Mbps, many network gurus assume that installing a few Gigabit Ethernet NICs and attaching the cabling and a high-speed switch will make their networks perform at warp speeds. However, for several reasons the actual network speed will probably be a bit less.

Suppose for a moment that you were to install Gigabit Ethernet NICs in a server and a workstation, and then connect the two machines with a gigabit switch. Assuming there is no other traffic on the network, you'd probably expect traffic to flow between the two machines at 1,000 Mbps. Unfortunately, you'd be sadly disappointed. The truth is that, in most installations, Gigabit Ethernet implemented in the manner I've just described doesn't even come close to reaching gigabit speeds. In the example above, the best you could hope for is typically between 700 and 800 Mbps.

While 700 Mbps is a huge improvement over the 100-Mbps speed of Fast Ethernet, you're probably wondering why traffic is flowing at 200 to 300 Mbps below its potential. There are several factors that reduce Gigabit Ethernet's performance. One of the most common factors is the cabling.

Cabling considerations

One of the biggest considerations to take into account when implementing Gigabit Ethernet is cabling. When you first read the specs on Gigabit Ethernet, it sounds like an ideal technology, in part because it's compatible with the Category 5 (Cat 5) cable that you already have. However, just because you can use your existing Cat 5 cable for Gigabit Ethernet, it doesn't necessarily mean that you should.

Most big companies will probably be OK with existing copper Cat 5 cable. However, I've done network repair for many small organizations, and the cabling just wasn't up to par in more of them than I can count. For example, in one location, most of the PCs had 10/100 NICs, but the company was still using a 10-Mbps hub. I swapped the hub out for a 10/100 model, and all of the PCs with 100-Mbps cards began to fail. Upon closer examination I found that voice-grade phone cabling had been used instead of Cat 5 cable. When I told the facility's manager about the problem, he said that he had told the installers to use phone cable because it was cheaper than Cat 5 cable.

While this is an extreme example, other cable issues tend to be much more common. For example, although Cat 5 cable has eight wires, 10/100-Mbps Ethernet uses only four of them. I've seen quite a few organizations in which the cable installer saved time by only connecting the four wires that were actually used. In most cases like this, the other four wires are simply cut off. But I've also seen situations in which the additional wires were used to attach a second PC to the network or as wiring for a phone jack.

Even if your cable installer didn't use cheap cable or neglect to connect half of the wires in the cable, there are other Cat 5 issues that could cause problems when you use Gigabit Ethernet. For example, 10/100-Mbps Ethernet standards require that no cable run exceed 100 meters. However, Ethernet and Fast Ethernet tend to be very forgiving when cable lengths are exceeded, so many organizations tend to ignore the limit. Ignoring the 100-meter limit will come back to bite you when you implement Gigabit Ethernet.

Likewise, I've seen many Ethernet and Fast Ethernet networks in which Cat 5 cable segments are spliced together. While this isn't supposed to work, it does when segments are spliced together well. However, splices tend to cause big problems for Gigabit Ethernet.

Before implementing Gigabit Ethernet, I strongly recommend making sure that your cabling is up to the job. I suggest running three different types of tests on your cabling. First, run a continuity test to verify that all eight wires are properly connected. Next, run a far-end crosstalk test. Finally, run a return signal loss test. If your cabling passes all three tests, the cable is adequate for Gigabit Ethernet use.

NETWORK CABLING BASICS
What about Category 5e and Category 6 cabling? Learn the latest on current and emerging network cable standards by reading the article "Know the facts about network cabling," on page 13.

Speeding things up

As you can see, the condition and length of your Cat 5 cable can affect your network's performance in a big way. One way of getting around the problems caused by poor cable conditions or longer cable runs is to use fiber-optic cable instead of copper cable. Gigabit Ethernet is designed to work with either fiber or copper cable. However, merely switching to fiber-optic cable won't solve all your problems.

Fiber-optic cable is just as susceptible to problems as copper cable. While it's true that fiber is more secure than copper and supports higher data speeds and longer runs, fiber is also much more delicate than copper. Things like excessive epoxy on the cable ends, poorly made splices, too many splices, cable damage, and excessive cable bends can dramatically slow or even stop network traffic flowing through fiber. I personally prefer using fiber over copper in many environments, but even using good quality, properly installed fiber will only help you so much.

The reason is that most computers are incapable of producing packets at gigabit rates. Currently, most PCs produce packets at the CPU level and then pass those packets through the PCI bus to the NIC and across the network. While there are processors that can produce packets at gigabit speeds, it's important to remember that most of the time your processors are busy doing things other than producing packets. For example, in addition to producing packets, a server's processor is managing memory, running services, and maintaining the user interface.

Windows 2000 is more efficient than Windows NT and can produce packets faster, but this is still typically not enough to utilize a gigabit NIC's full potential. There are several new technologies that will help you get the most out of Gigabit Ethernet and may soon allow 10- or even 100-gigabit connections.

The PCI-X bus and other new technologies

One such technology is the PCI-X bus. The PCI-X bus is a new bus that's similar to the PCI bus but isn't as bandwidth-intensive when used in conjunction with PCI-X cards. This means that when a PCI-X bus and a PCI-X-based NIC are in use, packets can flow between the CPU and the NIC much more quickly than they could on a purely PCI machine.

While faster bus speeds will usually allow a gigabit connection to utilize its full potential, there are other new technologies at work. Some companies are developing NICs that have built-in microprocessors. The idea is having a CPU dedicated to the sole task of generating packets. Because this CPU is integrated into the card, it's guaranteed to be fast enough to produce packets at speeds for which the card is intended (1, 10, or 100 Gbps).

Still another experimental technology is bonding. Several NIC manufacturers have made prototype NICs with multiple onboard fiber-optic ports. These NICs use several cables at once for parallel traffic flow, and they have an onboard microprocessor that does IP processing at the card level.

Some advice on implementing Gigabit Ethernet

Currently, Gigabit Ethernet tends to be a bit pricey, and it probably won't deliver true gigabit performance across your network. I still believe that implementing Gigabit Ethernet is worthwhile in any organization with growing bandwidth needs. After all, a well-installed Gigabit Ethernet connection will perform at least seven times better than a standard Fast Ethernet connection.

The challenge when implementing Gigabit Ethernet is getting the most performance for the least cost. I recommend beginning the rollout by replacing your existing switches with switches that support 10/100/1000-Mbps connections and that support both fiber and copper.

Once you've replaced the switches, the next trick is to figure out where to begin implementing gigabit connections. I suggest using Gigabit Ethernet for all connections between switches. Remember that at any given time there's probably a lot of traffic flowing between your switches. Placing gigabit connections between the switches will prevent the switches from becoming a bottleneck.

Best of all, most switches aren't PCI-based and therefore can achieve true gigabit speeds. This means that, assuming your cabling is good, the traffic flowing between your switches can actually flow at 1,000 Mbps, regardless of the limits on other gigabit connections on your network.

The next thing I'd recommend is installing two gigabit NICs in each server. One of the gigabit NICs should be attached to one of your switches. Since workstations are also connected to the switches (but at lower speeds), this allows traffic to flow between the workstations and the servers. The reason for implementing this architecture is that it prevents a server's network interface from becoming a bottleneck.

For example, suppose that a workstation with a 100-Mbps NIC began a very network-intensive operation, such as copying a huge file from a server. If the server and the workstation both have 100-Mbps NICs, then it would be possible for the workstation to consume most of the server's available bandwidth. Of course, there are situations that would prevent this from happening, such as when traffic is already excessively high or when QoS is in use. But generally speaking, if the workstation consumes most of the server's bandwidth, there's little left for anything else. However, if the workstation has a 100-Mbps NIC and the server has a gigabit NIC, then the workstation won't even come close to consuming all of the available bandwidth.

I'd recommend using the server's second NIC to connect to a dedicated switch that is linked only to servers (not workstations). Having a dedicated backbone between the servers makes it possible for server-related traffic, such as that generated by replication and other network functions, to flow through a dedicated network without placing any traffic on the main network.

I'd also suggest implementing specific gigabit connections with fiber-optic cable. Use fiber for any connection to a switch or server, and for any gigabit connection that requires a cable run exceeding 100 meters or that flows through an area in which radio interference, crosstalk, or attenuation might be a problem.

You should run your workstations at 100 Mbps for reasons that I explained earlier. As Gigabit Ethernet NICs become cheaper, you may later want to upgrade your desktop computers to gigabit speeds. If you do, however, I strongly advise that you run copper cable to the desktops. I've seen far too many cases of cable abuse over the years to recommend running a fiber-optic cable to someone's desk. Fiber-optic cable is too delicate to survive the abuse that users can subject a cable to.

Pump up the volume

Although relatively few people are using it compared to other forms of Ethernet, Gigabit Ethernet is quickly becoming more affordable, and eventually it will be as widely used as Fast Ethernet is today. Planning for Gigabit Ethernet today will save you money and effort when you eventually make the switch. Before you know it, you'll be running your network at gigabit speeds and wondering how it ever worked when it was slower.

24 Administrator’s Guide to TCP/IP,Second Edition IPv6: A larger, more secure Net Mar 11, 2002 By Debra Littlejohn Shinder, MCSE icrosoft’s newest OSs, the Windows Workaround for the address shortage XP client and the .Net server family, One way of dealing with this shortage of IP M include a number of improvements addresses is for private networks that connect that take advantage of current and future tech- to the Internet to use Network Address Trans- nologies in order to make life easier for users lation (NAT). With NAT, one or a few public and administrators. IP addresses that are visible to the Internet can One such improvement available in both be used to connect a large number of comput- OSs is built-in support for Internet Protocol ers to the Internet. version 6 (IPv6), also referred to as the next NAT has some drawbacks, though. One of generation IP or IPng. This version of IP pro- the most serious in today’s security-conscious vides several advancements over the most-used environment is the fact that the IPSecurity IP version, IPv4. In this article, I’ll give a brief protocol (IPSec) does not work through an overview of IPv6, discuss the features of address translator. Also, there are a number of Microsoft’s implementation, and show you application programs that will not work with how to install and configure the protocol as NAT. supported by XP and .Net. NAT is a stopgap solution, not a permanent What is it and why is it needed? one. The number of computers and other devices connected to the Internet continues to The global Internet and most medium-to-large grow at an amazing rate. Larger address private networks run on the TCP/IP protocol space—which will allow for more addresses— stack. The half of that team that works at the is needed. That’s where IPv6 comes in. network layer is the Internet Protocol (IP). The currently most-used version of IP, WHAT ABOUT IPV5? IPv4, is based on the assignment to each net- IPv5 never existed. 
The version number work interface of a 32-bit address, usually “5” in the IP header was assigned to iden- denoted in “dotted quad” decimal format; for tify packets carrying an experimental, non- example: 192.168.1.1. IP, real-time stream protocol called ST. ST THE BINARY ADDRESS was never widely used, but since the ver- The decimal number 192.168.1.1 actu- sion number 5 had already been allocated, ally represents the binary address the new version of IP was given the num- 11000000.10101000.00000001.00000001, ber 6. ST is described in RFC 1819. but the decimal equivalent is generally easier for people to work with. Computers, Advantages of IPv6 of course, process all data in binary format. IPv6 provides for a 128-bit address space, which will exponentially increase the number As more and more nodes have joined the of available public IP addresses. However, global network over the years, a flaw in IPv4 IPv6 offers other improvements over IPv4: has become apparent. For IP addressing to X It supports IPSec, for better security when work, every network device must have a sending data across a TCP/IP network. unique address. When IPv4 was developed, the 32-bit address space provided more than X It supports Quality of Service (QoS), for enough unique addresses. However, today better transmission of real time, high-band- the world is running out of available IP width applications such as videoconferenc- addresses. ing and voice over IP.

Networking Fundamentals 25 X It is more efficient—header overhead is X 4to6 and 4over6 tunneling for interoperabil- minimized, and backbone routers require ity between IPv4 and IPv6 networks. smaller routing tables. X Anonymous global addresses for privacy X Configuration is easier—both stateful when connected to the Internet. addressing (where addresses are automati- X Support for DNS name resolution using cally assigned by a DHCP server) and IPv4 DNS servers. stateless addressing (use of local-link X autoconfiguration without DHCP) are The ability to act as a static IPv6 router to supported. forward IPv6 packets between two installed network interfaces. Denoting IPv6 addresses X Internet Explorer version 6 (included in While IPv4 addresses are traditionally denoted Windows XP and .NET Server) and the tel- in decimal format, the longer and more com- net and FTP client programs included with plex IPv6 addresses are expressed in hexadeci- the new Microsoft operating systems sup- mal format. A sample IPv6 address looks like port IPv6 for connection to IPv6-enabled this: 21DA:00D3:0000:2F3B:02AA:00FF: FTP, telnet, and Web servers. FE28:9C5A. Each hexadecimal number, separated by IPV6 AND IE 6 PROXY SERVERS colons, represents 16 bits (binary digits). Zeros If IE 6 is configured to use a proxy server, at the beginning of a block can be omitted to you will not be able to access IPv6 Web simplify the address. sites unless the proxy server is IPv6 Characteristics of IPv6 addressing enabled. Unlike those on IPv4 networks, computers on IPv6 networks generally have more than one For the most up-to-date information about IP address assigned to a single network inter- IPv6, see Microsoft’s IPv6 support site. face. This is called logical multihoming. 
IPv6 addresses fall into the following IPv6 name resolution For users to use “friendly names” (for exam- categories: ple, URLs such as www.microsoft.com) X Unicast addresses, which are used to iden- instead of IP addresses for communicating tify an individual network interface on a network, there must be a mechanism by X Multicast addresses, which identify a which the names are resolved (or matched) group of network interfaces for simultane- to their corresponding IP addresses. This is ously sending to many interfaces necessary because computers process infor- X Anycast addresses, which identify multiple mation in numerical form. interfaces but send the packet only to the Hosts on the IPv6 network can be identi- nearest interface fied by nicknames (host names that use a flat namespace) or by hierarchical domain names. Features of Microsoft’s IPv6 Name resolution is performed by the same IPv6 is an Internet standard, developed by the methods used to resolve the name of IPv4 Internet Engineering Task Force (IETF). hosts. It can be either: Microsoft’s implementation of IPv6 is based X A HOSTS file stored in the systemroot\ on these standards. Various aspects of IPv6 System32\Drivers\Etc directory on each are laid out in a number of Request for Com- computer’s hard disk, with the addresses ment pages (RFCs), which are available on the expressed in hexadecimal notation, as IETF Web site. The IPv6 specification is con- described previously. tained in RFC 2460. X A DNS server that has mapping records for Microsoft’s IPv6 for Windows XP and IPv6 addresses. Because the DNS queries .NET Server includes many useful features. are sent using IPv4, the address of the DNS Some of these are:

26 Administrator’s Guide to TCP/IP, Second Edition

server entered in the computer’s TCP/IP properties configuration must be an IPv4 address.

How to install IPv6
IPv6 is installed as a networking protocol. The IPv6 command-line utility is used to install the protocol on an XP or .NET computer. Follow this procedure to install IPv6:
1. Click Start | Run.
2. In the Run box, type ipv6 install.
Note that you cannot tell if IPv6 has been installed by checking the networking protocols on the properties sheet for the network interface because it will not be listed there. To find out whether IPv6 is installed, use the ipv6 if command. If IPv6 is installed, this will display a list of IPv6 addresses assigned to each interface. To uninstall IPv6, use the ipv6 uninstall command.

How to configure IPv6
To configure an IPv6 address manually, you must first know the interface index for the interface you want to configure. This is a number that represents the interface. You can find this out using the ipv6 if command as described above. At the command line, enter the following:
ipv6 adu /
There are a number of attributes you can configure for each interface, using various switches with the ipv6 command. For example, if you want the packets received on the interface to be forwarded, use the /forwards switch. To turn off forwarding, use the /-forwards switch. You can also set the maximum transmission unit (MTU) size (with the /mtu switch), enable or disable router advertisements on the interface (the /advertises or /-advertises switches), or configure a site identifier (the /site switch).

IPv6 diagnostic utilities
Most TCP/IP network administrators are familiar with the use of the ping utility to test connectivity on an IPv4 network. You can perform the same type of test on an IPv6 network with the ping6 utility. The familiar tracert command also has an IPv6 counterpart, appropriately named tracert6, which is used to trace the routes of IPv6 packets.

Currently supported applications
The majority of applications supporting IPv6 belong to the Linux/UNIX space. As of this writing, that list looks like:

Chat software
• UNIX IRC chat application—This is the first IPv6 version of this popular IRC client.
• RAT and SDR—These two utilities—the audio tool, RAT, and session directory tool, SDR—are used in conferencing for an IPv6 network.

DNS
• BIND 9.2.0—The new version of BIND uses A6 records to map a domain name to an IPv6 address and offers IPv6 transport of packets.
• Totd—This lightweight DNS proxy nameserver supports IPv6.
• IPv6 transport for BIND 8—A patch for BIND 8.2.3 that helps resolvers talk to nameservers using IPv6.

Firewalls
• IPFilter—Download this software package that supports IPv6 filtering.
• IPFW—This IPv6-aware IPFW tool is included within the FreeBSD 4.0 release.

FTP
• LFTP—This FTP client supports IPv6.
• NcFTP (Windows)—This is a robust IPv6 FTP client for Windows.
• NcFTP (BSD)—This is a robust IPv6 FTP client for BSD.

Games
• Quakeforge—A FreeBSD port of Quakeforge is available that’s IPv6-aware.

IPsec
• IPv6 FreeS/WAN for Linux—Download this prototype IPsec implementation that was developed by IABG as part of the 6INIT project.
• IPv6 IPsec in KAME—KAME IPv6 supports IPsec with Racoon.

Mail
• Exim—This mail transfer agent offers built-in IPv6 support.
• Qmail—IPv6 support is available through the v1.03 patch by Kazunori Fujiwara.
• Public Sendmail—Version 8.10 of this mail product officially supports IPv6.
• WIDE Sendmail—Version 8.9.1 of this popular Sendmail tool supports IPv6.
• Fetchmail—This mail utility supports both IPv6 and IPsec.

Mobile IPv6
• MIPL Mobile IPv6 for Linux—Developed at HUT software project in Finland, it’s freely available under GPL.

Monitoring tools
• ASpath-tree—Use this tool on an IPv6 site to monitor BGP4+ routing.
• COLD—Download this free IPv6-aware packet sniffer.

News
• INN v2.3.2—Download this IPv6 patch from the Japanese NORTH site.
• IPv6 socket 1.1—Here’s a simple and useful example of Advanced Socket API programming that’s IPv6 aware.

Web servers and clients
• Apache (Linux)—This release of the Apache Web server for Linux has built-in IPv6 support.
• Apache (BSD)—The Apache Web server for BSD offers built-in IPv6 support.
• Apache 2.0.x—This beta code of Apache 2.0 supports IPv6.

Tunneling terms you should know when deploying a VPN
Jan 27, 2003
By Scott Lowe, MCSE

While almost all organizations use TCP/IP in their networks, others continue to use legacy protocols such as Novell’s IPX/SPX to access NetWare servers and NetBIOS/NetBEUI to access older Windows systems. While these organizations likely have a stake in continuing to support these protocols, they may also want to provide access to remote users. Or they may want to provide TCP/IP-based services to users, but in a secure manner. Luckily, there’s a global network capable of addressing both of these needs—it’s called the Internet.
But wait—the Internet is based on TCP/IP, not IPX/SPX, NetBIOS, or a secure IP solution. This is where tunneling comes in. Often, the term virtual private network (VPN) is used to refer to the concept of tunneling. The purpose of a tunnel is to securely extend the reach of a network to a remote office or to a remote client. Using tunneling, an organization can embed these protocols inside a standard TCP/IP

packet and send it securely across the Internet to a remote destination, where the original protocol is then pulled out of the packet and sent on to its destination. A tunnel is not just for non-IP based services, though. You can also use tunneling to provide “IP in IP” services to users.

Tunneling methods
Although there are several ways to tunnel protocols, I’ll focus on four of the most common tunneling methods. All four were developed based on the structure of PPP (Point-to-Point Protocol):
• PPPoE (Point-to-Point over Ethernet): DSL and cable modem providers use PPPoE to give their subscribers an authenticated service, which allows the provider to keep track of who’s using its service and how much they’re using it. This is not a common tunneling protocol for remote access to offices, but network administrators should be aware of it if they support remote users with broadband connections. As such, I won’t discuss it as an option for providing remote services to users.
• PPTP (Point-to-Point Tunneling Protocol): PPTP is a common but older tunneling technology. PPTP allows PPP packets to be encapsulated inside TCP/IP packets and routed over the Internet. Many VPNs are based on PPTP, which uses built-in encryption to provide some level of data security.
• L2F (Layer Two Forwarding): L2F was developed by Cisco and supports any authentication scheme that is supported by PPP. L2F has been superseded by L2TP, so I won’t discuss it further in this article. I included it only since you may run across it in a legacy application.
• L2TP (Layer Two Tunneling Protocol): This newer tunneling technology performs a function similar to that of PPTP, but it offloads the encryption job to a different and very powerful technology called IPSec. IPSec requires machine authentication for the establishment of the tunnel and provides further security by requiring user authentication for access to resources. L2TP is a “best of breed” technology created by the merging of PPTP and the less widely used L2F.

Authentication
For any of the above tunneling methods, the remote PPP client needs to be able to authenticate to the remote access server. There are a number of ways to do this:
• PAP (Password Authentication Protocol) is the weakest of the methods, as it sends a clear text password across the tunnel for authentication. It’s only recommended for use with clients that don’t support anything better.
• CHAP (Challenge Handshake Authentication Protocol) is an improvement over PAP, but it still has its own security problems. Rather than sending a clear text password over the Internet, a CHAP-based server instead computes an MD5 hash based on the stored user’s password and sends a challenge string over the Internet to the client. The client then performs an MD5 hash on what the user has typed in. A matched hash signals a match. Unfortunately, CHAP requires the storing of clear text passwords or the use of reversible encryption on the password, both of which present security risks.
• MSCHAP (Microsoft CHAP) is an extension of CHAP developed by Microsoft. Rather than having to store passwords on the server in a clear text format, MSCHAP allows the storage of an MD4 hash of the password, which adds an important layer of security not found in PAP or CHAP. In addition, MSCHAP supports error-code information passing and password changes.
• MSCHAP Version 2 provides security improvements over MSCHAP as well as the ability to change passwords with a single packet.
• EAP (Extensible Authentication Protocol) is a more recent innovation that allows for the use of alternate methods of authentication, such as smart cards. Two common EAP systems in use today are EAP-MD5 CHAP and EAP-TLS. EAP-TLS requires “mutual authentications,” which require

both the client and the server to authenticate with each other. EAP-MD5 CHAP is similar to CHAP, but it uses EAP packets instead of the older network transport.

Providing remote services to users
The two most likely methods to consider when providing remote access to users are PPTP and L2TP. Depending on your situation, one may be a better option than the other. If your remote clients are behind NAT devices, they use addresses from RFC 1918, which are addresses in the 10.x.x.x range, the 172.16.x.x range, or the 192.168.x.x range. In such cases, L2TP will be more difficult to implement because IPSec doesn’t work with NAT. While current proposals being worked on by the Internet Engineering Task Force (IETF) will address this major problem with IPSec, standards are not yet defined or supported. The reason that IPSec has trouble with NAT is simple: NAT makes modifications to the data inside the IP packet, while IPSec guarantees nonmodified delivery of an IP packet. These two technologies, therefore, are mutually exclusive.
PPTP, on the other hand, is very widely supported, but it’s not recommended for particularly sensitive environments. PPTP generally uses CHAP, MSCHAP, or MSCHAPv2 for authentication. As stated earlier, these methods don’t send a clear text password over the Internet, but rather they send a hash of the password. Unfortunately, this hash can be reverse-engineered back into the user’s original password using utilities such as l0phtcrack.
Of course, at some point, you’ll need to implement something. If you can’t implement L2TP because of NAT, you should implement PPTP instead.

Dig it
VPNs and tunnels are powerful, convenient, and secure ways to access resources remotely. Windows 2000 includes the ability to set them up easily. If you’re running services that rely on IPX or NetBEUI, those services will also be enabled. This is because of the encapsulation nature of an IP tunnel, whereby foreign protocols are embedded inside IP packets in order to be able to traverse the Internet.
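The CHAP challenge/response exchange described under Authentication, as an added Python example that is not part of the original article. It follows the RFC 1994 computation (MD5 over the one-octet identifier, the secret and the challenge); the user name and secret are constructed sample values, and ChapServer, chap_client and run_exchange are the example's own names. It makes the article's two points concrete: the password never appears on the link, yet the server must hold the secret in recoverable form to verify the response.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Added example (not from the article): a small model of the CHAP exchange
# described above, following RFC 1994 (Response = MD5(Identifier || secret ||
# Challenge)). The user name and secret are constructed sample values.

# Server-side store. CHAP forces the server to keep the secret in a form it
# can recover (here plain text), which is the risk the article raises.
SECRET_STORE: Dict[str, str] = {"alice": "correct-horse-battery"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the one-octet Identifier, the secret
    and the challenge value, in that order."""
    h = hashlib.md5()
    h.update(bytes([identifier & 0xFF]))
    h.update(secret.encode("utf-8"))
    h.update(challenge)
    return h.digest()


class ChapServer:
    """Remote access server side: issues challenges, verifies responses."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        identifier = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        value = os.urandom(16)                 # unpredictable and never reused
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Pop the challenge so a captured response cannot be presented twice.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_client(identifier: int, challenge: bytes, name: str,
                typed_password: str) -> Tuple[str, bytes]:
    """Client side: hash what the user typed against the received challenge."""
    return name, chap_response(identifier, typed_password, challenge)


def run_exchange(server: ChapServer, name: str,
                 typed_password: str) -> Tuple[bool, List[bytes]]:
    """Drive one authentication; return (accepted, packets seen on the link)."""
    wire: List[bytes] = []
    identifier, challenge = server.challenge()
    wire.append(bytes([identifier]) + challenge)                 # Challenge packet
    resp_name, response = chap_client(identifier, challenge, name, typed_password)
    wire.append(bytes([identifier]) + response + resp_name.encode())  # Response packet
    return server.verify(identifier, resp_name, response), wire


def secret_crossed_link(wire: List[bytes], secret: str) -> bool:
    """True if the clear-text secret appears in any captured packet."""
    return any(secret.encode("utf-8") in pkt for pkt in wire)


if __name__ == "__main__":
    srv = ChapServer(SECRET_STORE)
    ok, pkts = run_exchange(srv, "alice", "correct-horse-battery")
    print("accepted:", ok)
    print("secret visible on link:", secret_crossed_link(pkts, "correct-horse-battery"))
```

The one-time challenge is what keeps a recorded response from being reused; the stored clear-text secret in SECRET_STORE is what MSCHAP later replaced with a stored hash, as the article goes on to describe.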

Learn the basics of subnetting a TCP/IP network
May 20, 2003
By Thomas Nooning, CCNA, CCDA

Subnetting involves dividing an IP address range into two or more separate ranges, called subnets. Although subnetting can be done for a variety of reasons, from departmental to geographic to political, it is usually done to simplify administration in some way. Breaking networks into smaller, easily defined subnets allows the administrator to better address data flow and security and creates a logical map that can facilitate troubleshooting in the event of a problem. Subnetting involves the use of an IP address and subnet mask to determine whether a destination network is local or remote. I’m going to explain the basics of IP addressing, reasons to subnet, and the logic behind slicing up an IP network.

IP addressing
IP addresses are perhaps the most fundamental components of modern networking. They are the identifiers that computers use to talk to each other on a TCP/IP-based network (including the Internet, most corporate networks, and many home networks).
An IP address is a 32-bit number represented in a dotted decimal format. This address is further divided into four sections, with each section representing eight bits, or an “octet.” So this 32-bit, four-octet number is in many ways similar to a telephone number. Like a telephone number, it must be unique.
Although there are roughly four billion or so available IP addresses, we still need to be picky with how many are given out. With the dawn of the Internet and our increasingly IP-enabled world, every address counts. In the United States, the American Registry for Internet Numbers (ARIN) handles the management of public IP addresses. Typically, addresses are handed out by ISPs and fall under their management. An ISP will have multiple pools of addresses (and subnets) to assign.
Also, as defined in RFC 1918, private networks are available. These are for internal use and are not routed through the Internet. Private addresses look like this:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
In IP version 4 (IPv4), the standard that currently dominates the networks of the world, IP addresses fall into one of five classes: A, B, C, D, or E. Classes D and E are for multicast and experimental uses, respectively, and are less common. A, B, and C networks are defined in Table A.

Table A
First Octet   Class     Subnet mask
1-127         Class A   255.0.0.0
128-191       Class B   255.255.0.0
192-223       Class C   255.255.255.0

This use of classes represents the original method of dividing networks, but it is somewhat dated. There just isn’t enough middle ground between B and C. While a standard class C network contains 254 addresses (too few addresses for a moderate-size company), a class B network has 65,534 (far too many for the average network). This is where subnetting comes into play.

Reasons for subnetting
Before the advent of subnetting, networks were divided solely on the basis of class. This was a good place to start, but it soon became obvious that greater flexibility would be needed. For one thing, we’re quickly running out of usable addresses in IPv4 as the Internet continues to expand. Since IPv6 (the next version of the standard) is still around the corner, subnetting remains a practical way to get more use out of the IPv4 system.
Subnetting is also used commonly in a number of other circumstances. For instance, in a mixed media environment, you usually see a separation between hosts using Ethernet and hosts running on Token Ring. Performance can also be a reason for subdividing one network into two or more. On Ethernet networks, all hosts in the same broadcast domain will need to share the wire. This means a lot of communication is going on, and collisions will rise, increasing latency. If you had an entire class C in one subnet, it would be a good idea to cut it into some smaller chunks to make better use of available bandwidth and to enhance performance.
But subnetting is not just a way to extend class-based IP addresses or solve performance issues; it can also be used for a number of administrative purposes. Creating separate ranges of IPs based on a logical design allows an administrator to more easily view and manage the network. Traffic flows can be better studied and handled, security between subnets is increased, and overall organization is improved.

Learning how subnetting works
Okay, now let’s see how subnetting is actually done. The key player in subnetting is the

subnet mask. A subnet mask, also 32 bits, divides the IP address into network and host sections. This allows the sending computer to determine whether routing will be required when communicating to another system. If the computer determines that it is a local address, the packet is sent via Ethernet (or another Layer 2 mechanism). If the address is not local, the packet is forwarded to the default gateway for routing.
First, the IP address is converted to binary, and the network address of the system is determined. The source IP and subnet mask are compared to get this. This is done so we can eventually compare it to the destination network. If they match, the destination is local; otherwise, the packet is forwarded along to a router.
It helps to have an understanding of the binary math involved in the above computations. Let’s start by looking at how to convert an IP address to binary. Table B below shows that binary math is made up of bits and values, which correspond to the numbers in an IP address.
So given an address such as 192.168.0.1 and a mask of 255.255.255.0, what does that mean? Let’s break down the four octets of 192.168.0.1.
To get the 192 in the first octet we need a 128 and a 64 (added together they equal 192), which would look like Table C. To get 168 for the second octet requires a 128, a 32, and an 8, as shown in Table D. The next two are easy with all zeroes for the third octet and a single 1 for the fourth octet, shown in Tables E and F.

Table B
Bit     1    2    3    4    5    6    7    8
Value   128  64   32   16   8    4    2    1

Table C (first octet, 192)
Bit     1    1    0    0    0    0    0    0
Value   128  64   32   16   8    4    2    1

Table D (second octet, 168)
Bit     1    0    1    0    1    0    0    0
Value   128  64   32   16   8    4    2    1

Table E (third octet, 0)
Bit     0    0    0    0    0    0    0    0
Value   128  64   32   16   8    4    2    1

Table F (fourth octet, 1)
Bit     0    0    0    0    0    0    0    1
Value   128  64   32   16   8    4    2    1

Table G
11111111.11111111.11111111.00000000   255.255.255.0   [Subnet mask]
11000000.10101000.00000000.00000001   192.168.0.1     [IP address]
11000000.10101000.00000000.00000000   192.168.0.0     [Network address]

When put together, the binary representation of 192.168.0.1 is:
11000000.10101000.00000000.00000001
Next, we’ll break down the subnet mask, which in our example is 255.255.255.0. In binary, that would look like this:
11111111.11111111.11111111.00000000
This was pretty easy. As you can see above, decimal 255 is the same as having all 1s. Therefore, a mask of 255.255.255.0 tells us that the first three octets are used for the network portion of the address and the last octet is used for the host portion. Reading from left to right, wherever the 1s stop in the subnet mask is where the network portion of the address stops. The 0s represent the host portion of the address. Thus, if you compare the IP address to the subnet mask and you bring down the 0s in the subnet mask to “erase” any of the 1s in corresponding slots in the IP address, you will arrive at the network address. Table G shows how it works.

Subnetting means planning
Before actually subnetting a network, it’s good to do some planning. How many host addresses will be needed? How much room will be needed for expansion? It’s easier to make room when first subnetting than it is to go back later and resegment a large network.
Also remember that in every IP subnet, there will be a network address and broadcast address. In our example, the network address would be 192.168.0.0 and the broadcast would be 192.168.0.255. You can’t use these two addresses for hosts. That leaves us with 192.168.0.1–192.168.0.254 to use with hosts. No matter how you subnet your network, you must always remember to avoid using the network address (the first address) or the broadcast (the last address) for any hosts.

Valuable knowledge
Of course, there’s a lot more to subnetting, but this should help you to understand the basics. I recommend downloading a subnet calculator and playing with some example networks. The more you work with IP addressing and subnetting, the easier it becomes.
Knowledge of subnetting can be extremely helpful, even if you aren’t breaking up networks all the time. Not only will it help you manage whatever networks may be under your control, but it’s also good to have an understanding of what’s going on in the background. Being able to subnet helps you understand how computers make decisions on whether to route a packet. Subnetting also allows you to make better use of available IP addresses, makes dividing networks easy, and allows you to separate subnets logically.
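The binary conversion and mask comparison walked through above (Tables B through G), as an added Python example that is not part of the original article. The function names are the example's own. It goes a little beyond the text, as the lead-in notes: it rejects a mask whose 1s are not contiguous, returns the usable host range for any address and mask (not only 192.168.0.1/255.255.255.0), and makes the local-versus-remote decision the article describes.

```python
from typing import List, Optional, Tuple

# Added example (not from the article): the binary conversion and subnet
# mask comparison walked through above, for 192.168.0.1 / 255.255.255.0
# and any other IPv4 address and mask.
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # the Value row of Table B


def octets(addr: str) -> List[int]:
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return [int(p) for p in parts]


def octet_bit_values(octet: int) -> List[int]:
    """Which of 128, 64, ..., 1 add up to the octet (168 -> [128, 32, 8], Table D)."""
    return [v for v in BIT_VALUES if octet & v]


def to_binary(addr: str) -> str:
    """'192.168.0.1' -> '11000000.10101000.00000000.00000001' (Tables C to F)."""
    return ".".join(f"{o:08b}" for o in octets(addr))


def to_int(addr: str) -> int:
    a, b, c, d = octets(addr)
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_to_int(mask: str) -> int:
    """Accept only a run of 1s followed by a run of 0s, as a mask must be."""
    m = to_int(mask)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return m


def network_address(addr: str, mask: str) -> str:
    """Bring the mask's 0s down over the address (Table G): address AND mask."""
    return to_dotted(to_int(addr) & mask_to_int(mask))


def broadcast_address(addr: str, mask: str) -> str:
    """Network bits unchanged, every host bit set to 1."""
    m = mask_to_int(mask)
    return to_dotted((to_int(addr) & m) | (~m & 0xFFFFFFFF))


def usable_host_range(addr: str, mask: str) -> Optional[Tuple[str, str]]:
    """First and last addresses hosts may use, or None when nothing lies
    between the network and broadcast addresses."""
    m = mask_to_int(mask)
    net = to_int(addr) & m
    bcast = net | (~m & 0xFFFFFFFF)
    if bcast - net < 2:
        return None
    return to_dotted(net + 1), to_dotted(bcast - 1)


def is_local(src: str, mask: str, dst: str) -> bool:
    """The sending host's decision: same network address means deliver on
    the local segment; otherwise hand the packet to the default gateway."""
    m = mask_to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


if __name__ == "__main__":
    print(to_binary("192.168.0.1"))
    print(network_address("192.168.0.1", "255.255.255.0"),
          broadcast_address("192.168.0.1", "255.255.255.0"),
          usable_host_range("192.168.0.1", "255.255.255.0"))
    print(is_local("192.168.0.1", "255.255.255.0", "192.168.1.5"))
```

Running it reproduces the article's figures: network 192.168.0.0, broadcast 192.168.0.255, hosts 192.168.0.1 through 192.168.0.254, and a destination of 192.168.1.5 is judged remote and sent to the gateway.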

Expand your network by supernetting IP addresses
May 19, 2003
By Rick Vanover

Put simply, supernetting a TCP/IP network address is the opposite of subnetting it. Supernetting is also known as CIDR (classless interdomain routing) as defined by RFCs 1517, 1518, 1519, and 1520. In IPv4, CIDR is one way of attempting to manage the shortage of TCP/IP addresses until IPv6 takes over.
Supernetting in itself does not give you more TCP/IP addresses; however, it provides larger single networks for use. Here’s how to implement supernetting on your network or support a supernetted network that you may have inherited.

How supernetting works
Supernetting acts to bridge the gap between a Class C network that is limited to 254 addresses and a Class B network that is too large, with over 65,000 addresses. In this way, it’s possible to have a “logical” network that offers the number of hosts that best suits your situation.
Supernetting achieves this by making a single network that has your specified number of hosts and corresponding supernet (like a subnet mask). A supernetted address will look like any other TCP/IP address in dotted decimal format (xxx.xxx.xxx.xxx), but it will have a

Table A: Supernetting Class C addresses
This represents part of the CIDR/supernetting chart to help determine which supernet option to choose.

CIDR Block   Supernet Mask      # of Networks*   # of Hosts**
/17          255.255.128.0      128              32766
/18          255.255.192.0      64               16382
/19          255.255.224.0      32               8190
/20          255.255.240.0      16               4094
/21          255.255.248.0      8                2046
/22          255.255.252.0      4                1022
/23          255.255.254.0      2                510
/24          255.255.255.0      1                254
/25          255.255.255.128    Less than 1*     126
/26          255.255.255.192    Less than 1*     62
/27          255.255.255.224    Less than 1*     30
/28          255.255.255.240    Less than 1*     14
/29          255.255.255.248    Less than 1*     6
/30          255.255.255.252    Less than 1*     2

*Number of full Class C networks—256 or more available addresses
**Available addresses—network and broadcast addresses excluded

supernetted subnet mask. This looks like a normal subnet mask, but the last octet is not 0 (however, the leading octets of the supernet mask are still 255). Supernetted addresses will require a default gateway that needs to be supernetted as well.
Address ranges, or blocks, are important in supernetting. They allow you to identify the valid addresses in a tabular format that helps identify boundaries on networks. There are many tables you can create or find on the Internet to plan your networks when using supernetting. Table A shows a supernetting chart using an example configuration that we’ll examine in this article.
This is a chart of the /17 through the /30 block of Class C supernets. These ranges are scalable, helping you select how many networks and hosts you would like to use. You may notice that the /24 CIDR block looks familiar, as that is really not a supernetted network but a subnetted single Class C network with a standard 24-bit subnet.

Calculating supernet addresses
Calculating a supernet address is easy if the approach is organized. Determine how many hosts you want to have available on your network and, using the chart in Table A, reference that against the # of Hosts column to select the best match. Then, once you select the appropriate number of hosts, you can look across the chart and see the corresponding supernet mask. With that, you will need to determine a valid starting network.
This starting network must meet certain criteria:
• All networks are consecutive from your starting network.
• The third octet of the first network must be an even number (zero is valid for certain situations).
• When combining eight networks (as in our example below), the third octet of the network number must be evenly divisible by eight.
Create a table listing the available network(s), addresses, supernet mask(s), default gateway(s), and other networking objects to outline the network.

Usage scenario
In this example, we’ll need approximately 1,220 IP addresses for a training lab scenario that involves 150 people, each of whom requires two servers, five network-attached, multiport serial devices, and their own laptop. We’ll also need extra addresses for a few routers (including one for Internet access) and addresses for the instructors. This example would be a good candidate for using CIDR. I’ll use the 192.168.16.0 network for our starting address.
To satisfy the 1,220 TCP/IP addresses for this scenario, we can use many of the different CIDR blocks. We will use eight Class C

Table B
Network        Available Addresses   Usage Circumstances
192.168.16.0   1-255                 First address not available
192.168.17.0   0-255                 All addresses in range available
192.168.18.0   0-255                 All addresses in range available
192.168.19.0   0-255                 All addresses in range available
192.168.20.0   0-255                 All addresses in range available
192.168.21.0   0-255                 All addresses in range available
192.168.22.0   0-255                 All addresses in range available
192.168.23.0   0-254                 Last address not available

networks, or CIDR /21, to give us 2,048 possible addresses. The 2,048 possible addresses are calculated by taking eight networks that will have 256 addresses each (8 x 256 = 2048). We have to subtract two for the network and broadcast addresses (as in a subnetted network), giving us 2048 – 2 = 2046 possible addresses. Starting with 192.168.16.0, all “connected” networks must be consecutive in the numbering of the third octet. Table B outlines the networks and available addresses.
Note that certain IP addresses are valid with atypical numbers in the last octet of the address. For example, both 192.168.19.0 and 192.168.22.255 are valid addresses for a client, but they may not be available for use by all clients that connect to this network. This is because certain operating systems may not allow these types of addresses to be assigned as an IP address, since they may view the address as a network or broadcast address and as invalid for use as a client address (based on standard TCP/IP usage). Specifically, Windows NT and 2000 do not allow the use of the x.x.x.255 or x.x.x.0 IP addresses. (For more information on this, see Microsoft Knowledge Base Article 281579.) Because the available hosts for this range of addresses will exceed our requirements, the loss of these few addresses will not be an issue.
The resulting networks will start at 192.168.16.0 and increase in single increments up to 192.168.23.0. The supernet mask (it functions as a subnet mask for all involved network devices/systems) for these networks will be 255.255.248.0. This same supernet and default gateway will be used for all of the networks on this supernet. Rendering the 255.255.248.0 supernet mask is easy from the chart in Table A, but we will now prove how this is achieved.
We obtain our example supernet mask by taking the number of Class C networks we would like (eight in our case) and subtracting that from 256. This result is 248. We take this value and place it into the third octet of the mask, making our result 255.255.248.0. If we want to have 256 or more Class C networks, this quick rule will not work. The addresses listed in Table B will all be on the same network. For example, there is no route necessary for host 192.168.17.49 to access 192.168.19.244 or any other hosts in the range.

Implementing a supernetted network
I set up a supernetted network in a lab that I have access to. While I do not have over 1,000 computers, I did allocate all of my computers and virtual machines to reside on each network of this supernetted network. The supernetted network required no settings beyond the IP address, supernet mask, and default gateway options of the operating systems in question. There were no special routing requirements or hardware necessary to quickly implement this network. The supernetted network was implemented easily, and I was able to perform all network activities as if it were a more typical 24-bit subnet mask (255.255.255.0) network. Addressing, name resolution, and network-based applications all performed without incident.
You can also use supernetting in a reverse fashion by decreasing the number of hosts per network. This is common in ISP situations where you need only a limited number of addresses on the Internet, and the carrier provides you with a subnet mask of 255.255.255.248, for example. This particular supernet means that you will have six available hosts on the network. In this scenario, the first and last addresses are removed for the network and broadcast addresses, so dividing 256 hosts by 32 gives us eight hosts in 32 networks. Removing the first and last addresses for each network gives us six available hosts per network.

Why would I want to use supernetting?
ISPs frequently use supernetting to allocate IP addresses most effectively. There may be scenarios where you have many LANs, WLANs, or VLANs that might be optimally suited for supernetting to best administer your network needs. Keep in mind that supernetting introduces complexity to network administration that needs thorough planning, testing, documentation, and administrator competence.
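The supernet arithmetic from Calculating supernet addresses and the Usage scenario, as an added Python example that is not part of the original article. It generalizes the article's eight-network case, as the lead-in notes: any power-of-two number of Class C networks, regeneration of the Table A rows, the starting-network check (the block must begin on a multiple of its own size, which for eight networks is the article's "third octet divisible by eight" rule), and the reverse case of a 255.255.255.248 mask. The starting address 192.168.16.0 is the article's; all function names are the example's own.

```python
from typing import Dict, List, Tuple

# Added example (not from the article): the supernet arithmetic shown above,
# generalized from the eight-network case to any power-of-two block.


def to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    """/21 -> '255.255.248.0' (the Supernet Mask column of Table A)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_from_mask(mask: str) -> int:
    """'255.255.255.248' -> 29; rejects masks whose 1s are not contiguous."""
    m = to_int(mask)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{mask} is not a contiguous mask")
    return bin(m).count("1")


def hosts_for_prefix(prefix: int) -> int:
    """Usable addresses, network and broadcast excluded (#of Hosts column)."""
    return (1 << (32 - prefix)) - 2


def class_c_networks(prefix: int) -> int:
    """Whole Class C (/24) networks combined by the block; 0 for /25 and
    longer, which Table A lists as 'Less than 1'."""
    return (1 << (24 - prefix)) if prefix <= 24 else 0


def subnets_per_class_c(prefix: int) -> int:
    """Reverse use: how many /prefix networks one Class C is split into
    (255.255.255.248 -> 32 networks of 6 hosts)."""
    return (1 << (prefix - 24)) if prefix >= 24 else 0


def plan_supernet(start: str, num_class_c: int) -> Dict[str, object]:
    """Combine num_class_c consecutive Class C networks beginning at start.

    The article's shortcut (256 - n in the third octet) covers n < 256. The
    general rule is that the block spans n * 256 addresses and must begin on
    a multiple of that size, which is why the third octet must divide by n.
    """
    if num_class_c < 1 or num_class_c & (num_class_c - 1):
        raise ValueError("number of Class C networks must be a power of two")
    prefix = 24 - (num_class_c.bit_length() - 1)
    block = 1 << (32 - prefix)
    first = to_int(start)
    if first % block:
        raise ValueError(f"{start} is not a valid starting network for "
                         f"{num_class_c} Class C networks")
    networks: List[str] = [to_dotted(first + i * 256) for i in range(num_class_c)]
    return {
        "prefix": prefix,
        "mask": mask_from_prefix(prefix),
        "networks": networks,
        "broadcast": to_dotted(first + block - 1),
        "hosts": block - 2,
    }


def table_a(first: int = 17, last: int = 30) -> List[Tuple[str, str, int, int]]:
    """Regenerate the rows of Table A for the given prefix range."""
    return [(f"/{p}", mask_from_prefix(p), class_c_networks(p), hosts_for_prefix(p))
            for p in range(first, last + 1)]


if __name__ == "__main__":
    for row in table_a():
        print(*row)
    print(plan_supernet("192.168.16.0", 8))
```

For the article's scenario the plan comes out as /21, mask 255.255.248.0, networks 192.168.16.0 through 192.168.23.0, broadcast 192.168.23.255 and 2046 usable hosts; starting at 192.168.17.0 instead is rejected, which is the alignment rule behind the "evenly divisible by eight" criterion.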

Most new routing equipment and current operating systems support CIDR in their implementation of the TCP/IP protocol. However, before a supernetting implementation, it is critical to ensure that all components of your network are supernetting-aware. This includes operating systems, network services, routers, routing protocols (RIP2, for example, does not support CIDR), and any network-based services used on your network.

For more information
I’ve shown how you can take advantage of the flexibility offered by CIDR, commonly known as supernetting. These links can provide you with more examples, usage situations, and details on using supernetting:
• Supernetting/CIDR introduction (www.firewall.ex/supernetting-intro.php)
• Supernetting charts (www.pantz.org/networking/tcipip/subnetchart.shtml)
• A detailed explanation of CIDR (www.kazungu.com/navigate.shtml?articles/subnetting.html)

Understanding wireless LAN protocols and components
May 3, 2002
By Del Smith, CCNA, CCA, MCSE

If you listen closely, you can almost hear the sound of wireless LAN radio frequencies zipping network traffic through the air. Well, of course you can’t literally hear RF waves, but wireless LANs (WLANs) are certainly being planted in IT networks from east to west. One of the most exciting technologies available today, wireless networks are being implemented by organizations of all sizes and verticals to improve productivity and decrease costs.
In this article, I will describe some recent standards affecting WLAN technologies and discuss the standard components of a typical WLAN solution. Additionally, I will address the issue of security on a WLAN.

Understanding the different flavors of 802.11
To know where we are with WLAN solutions, we need to take a quick look at how the technology has evolved. By now, most of us have heard of the 802.11 WLAN standards established by the Institute of Electrical and Electronic Engineering (IEEE). Before 802.11, all radio-frequency wireless network communications were proprietary. 802.11 established the standards for WLANs that vendors and manufacturers follow to ensure interoperability. Entire books have been written in an attempt to clarify the various specifications and differences between the 802.11 protocol families. Table A briefly outlines the differences among the four.
Less confused? I didn’t think so. It takes a lot more reading and research to fully understand not only the differences but also the pros and cons of each standard. The main thing to know is that the current de facto standard being adopted by most vendors and organizations is 802.11b. The next few months will more than likely reveal the slow adoption of 802.11g products based on its higher transfer rate and compatibility with existing 802.11b specifications.

Networking Fundamentals 37

Table A: Comparing WLAN specifications

                    802.11          802.11b          802.11a          802.11g
Date established    July 1997       September 1999   September 1999   January 2002 (draft specification)
Compatibility       802.11 only     802.11g          802.11a only     802.11b
Data transfer       1 and 2 Mbps    Up to 11 Mbps    Up to 54 Mbps    Up to 54 Mbps
Frequency           2.4 GHz         2.4 GHz          5 GHz            2.4 GHz
Modulation          FHSS and DSSS   DSSS only        OFDM             OFDM/DSSS

WLAN components and topologies
Now, let’s take a look at the typical components that make up a basic WLAN solution. It’s important to remember that wireless local area networks are just that—local. They are used within a single building or in a campus area building-to-building connection. WLANs are most often used on mobile systems as an extension to a wired LAN, as illustrated in Figure A.

Figure A: Example of a standard wireless LAN topology (elements shown: three wireless laptops, an access point, hubs, a switch, a server, a laptop, a network printer and two workstations).

You need to be familiar with three types of WLAN components:
X Wireless network cards
X Wireless access points
X Wireless bridges

Wireless network cards come in a couple of flavors, including a PCI card for workstations and PC cards for laptops and other mobile devices. They can act in an ad hoc mode, as in client-to-client, or in a pure client-to-access-point mode. In an ad hoc mode, the wireless network card is configured to talk with other wireless network cards that are within its range. This functionality will vary depending on the product and the 802.11 specification being used. Client-to-client (also known as peer-to-peer) WLANs are useful for small roaming workgroups of desktops or laptops that do not require access to the LAN backbone. The plug and play capabilities of most wireless network cards make this type of setup rather simple.

Most wireless network cards will connect to an access point. An access point is essentially a hub that gives wireless clients the ability to attach to the wired LAN backbone. The use of more than one access point in a given area is facilitated by the use of cell structures, which are similar to what cell phone providers use to maintain your coverage area.

A site survey can determine where to place access points within a building to create a map of the areas (cell structures) that will require wireless LAN access. The data transfer rate for each wireless client will be determined by its location within the cell structure. Locations closer to the center of an access point’s radius will experience higher throughput than those that are closer to the outside of the cell coverage area. This is facilitated by auto shifting, which allows the data rate to downshift based on distance from the access point. Again, this functionality will vary depending on the product and 802.11 standard used.

One of the greatest benefits to roaming mobile users is the ability for one access point to hand off communication to the next access point in the roaming cell. Known as seamless roaming, this allows the user to move from cell structure to cell structure without losing connectivity to the network.

Wireless bridges enable high-speed, long-range outdoor links between buildings (Figure B). The high-speed links between the wireless bridges deliver throughput several times faster than T-1 lines at distances up to 25 miles. Because they use a line-of-sight radio link, wireless brid
ges can span obstacles such as freeways, railroads, and bodies of water, which typically pose a problem for copper and fiber-optic cable. Wireless bridges are often the ideal choice for campus environments where multiple T-1 lines or fiber runs would be very costly.

Figure B: Wireless LAN-to-LAN wireless bridge building configuration (two university buildings, each with a wireless bridge, linked over the air). Wireless can also be used for building-to-building connectivity.

The question of wireless security
No wireless project should be implemented without a lengthy discussion of security. Over the past year, much has been written about the vulnerabilities of 802.11 wireless LANs. Older forms of security on WLANs included the SSID, which was not really a security method at all, since the SSID can easily be retrieved by sniffing the network. Authentication based on MAC filters was found inappropriate because they, too, could be sniffed on the network, and the allowable MACs could be spoofed. Newer 802.11 security uses 128-bit Wired Equivalent Privacy (WEP) for data encryption, along with shared key authentication. (Shared key authentication is in fact weaker than open authentication: the access point sends its challenge in the clear and the client returns it WEP-encrypted, which hands an eavesdropper the keystream for that IV.) Unfortunately, researchers have recently identified holes in WEP that let attackers learn the keys used to encrypt 802.11b traffic.

So how does an organization protect its wireless LAN access? The IEEE has a new

security standard called 802.1X that may provide the best solution. The 802.1X standard takes authentication away from access points and places it in an authentication server such as RADIUS or Kerberos. It uses the Extensible Authentication Protocol (EAP), commonly used in PPP, to control access. The 802.1X standard allows for the use of dynamically generated WEP keys on a per-session, per-user basis in place of a static WEP key placed in the access point. There are still weaknesses with this technology, and, although the standard was approved in 2001, it has yet to be implemented by many vendors. So, at this time, encryption (usually in the form of a VPN), traffic filtering, and other basic security restrictions on wireless network access in sensitive areas are still the best options for ensuring a secure wireless network.

Summary
As changes are in the works to establish new 802.11 standards and improve security, wireless LANs are moving into corporate America at an increasing rate. Who knows? In a few short years, wireless networks may be as commonplace as their wired counterparts.
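The WEP weakness the security section refers to can be shown in miniature. The block below is an added example, not code from the article: it implements RC4 and WEP-style framing (a 24-bit IV sent in the clear and prepended to the shared key, a CRC-32 integrity check value appended to the plaintext) and shows that two frames encrypted under the same IV share a keystream, so one frame whose plaintext is predictable (an ARP or DHCP packet, say) decrypts the other without the key ever being recovered. The shared key, the repeated IV and both packet contents are constructed for the demonstration; the key-recovery attack the researchers published is a separate, statistical attack on RC4’s key schedule and is not reproduced here. Note that a longer WEP key does nothing to enlarge the 24-bit IV space that makes this reuse inevitable on a busy access point.

```python
"""WEP keystream-reuse demonstration (added example, not code from the article)."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; returns data XOR keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in the clear) || RC4(IV || shared_key, plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext + _icv(plaintext))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver side: return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + shared_key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, icv == _icv(plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker side: a frame whose plaintext is known yields the keystream for its IV."""
    iv, body = frame[:3], frame[3:]
    known = known_plaintext + _icv(known_plaintext)
    return iv, bytes(a ^ b for a, b in zip(body, known))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Attacker side: decrypt any other frame sent under the same IV, with no key at all."""
    if frame[:3] != iv:
        return None          # different IV, different keystream
    body = frame[3:]
    if len(body) > len(keystream):
        return None          # only a prefix would be recoverable; keep the example simple
    clear = bytes(a ^ b for a, b in zip(body, keystream))
    return clear[:-4]        # drop the ICV


def demo():
    """Constructed scenario: the access point reuses an IV for two frames."""
    key = bytes.fromhex("0102030405")                  # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                               # reused IV (24-bit space wraps quickly)
    known = b"ARP who-has 10.0.0.1 tell 10.0.0.9"      # constructed, predictable packet
    secret = b"POP3: USER alice PASS hunter2"          # constructed victim traffic
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    iv_seen, keystream = recover_keystream(frame_known, known)
    return decrypt_with_keystream(frame_secret, iv_seen, keystream)


if __name__ == "__main__":
    print("recovered without the key:", demo())
```

The same calculation is what an attacker does on a live network after collecting frames with colliding IVs, which is why the article’s advice to layer a VPN over the wireless link stands regardless of WEP key length.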

Defend your network’s perimeter with these strategies
Jan 23, 2003
By Brien M. Posey, MCSE

Your private network and the data that resides on it are among your organization’s most valuable assets. As such, it makes sense to defend them against those in the outside world who would do them harm. Nearly every network is protected by a firewall these days. However, perimeter defense goes way beyond simply installing a firewall. There are many ways that outsiders can cross your network perimeter. I’ll show you some of the different techniques that hackers can use to penetrate your network’s perimeter. I’ll also explain what you can do to eliminate, or at least reduce, these potential vulnerabilities.

Firewalls
Of course, the first thing people tend to think of in network perimeter defense is a firewall. Many of the newer firewalls are preconfigured. Simply plug them in, enter some basic IP address information, and you’re good to go. But while an out-of-the-box firewall configuration may provide a basic level of perimeter security, you can do much better with a custom configuration.

Disable unused ports
Although you’ve probably heard this a million times, the first thing you should do is to disable all TCP and UDP ports that aren’t absolutely necessary through your firewall—especially ports 135, 137, 139, and 445 (the Windows RPC, NetBIOS and SMB ports). An ideal arrangement would be to enable only TCP ports 80 and 443, but your own individual business needs may require you to open more ports. For example, it’s probably necessary for you to open ports 110 and 25, the ports associated with POP3 and SMTP, to have e-mail.

Once you’ve covered the basics of disabling any unused ports, I recommend going back through and disabling outbound traffic on all ports that aren’t absolutely necessary. It’s easy to think of a firewall as a device for keeping

outside users out of your network. However, it’s just as important to keep certain types of traffic from leaving your network.

For example, suppose someone was able to plant a Trojan horse on your network. Now, imagine that the Trojan’s job was to launch a denial-of-service attack against a competitor. When the Trojan activated, you probably wouldn’t know anything about the attack until it was too late. However, it would be possible to trace the attack to your IP address, and you’d have some serious explaining to do. If, on the other hand, you had blocked all but a few key outbound ports, then the attack would probably never have happened because the outbound packets used in the attack would have been stopped by your firewall—assuming that the attack wasn’t using one of the key ports you left open.

Port scans
One way of identifying exactly how well your firewall is functioning is to do a port scan. A port scan is a technique by which an outside system systematically attempts to see if any TCP or UDP ports on your network are listening (open). There are many types of port scans, ranging from the very simple to the very complex. An easy and effective one is Steve Gibson’s ShieldsUp!! test.

Remote access servers
Once you’ve secured your firewall(s), turn your attention to your remote access servers. There are many techniques for securing remote access servers. Some of the most common techniques include requiring callbacks to preset numbers, recording caller ID information to log files, denying dial-up access to everyone except those who have a legitimate business need for it, and limiting the times and days when employees can dial in.

Rogue modems
In most organizations, the firewalls and remote access servers are the main perimeter access points. However, there are other perimeter holes that you might not have thought about. Any PC with a modem could potentially act as a remote access server. Ideally, you should know from your hardware inventory which PCs on your network have modems and how those modems are configured. At every network administration job I’ve ever had, I’ve discovered at least one unauthorized modem. Unauthorized modems represent a serious security risk. Basically, if you don’t know that a modem exists, you can’t control how it’s used.

There are a couple of ways of spotting rogue modems. One technique involves maintaining an automated hardware inventory. The inventory software can send you an e-mail message when hardware changes occur. Another technique that works well is to maintain a list of every telephone number that the company owns. You can then configure a PC to call every single number (preferably late at night) to search for rogue modems. Bear in mind that I’ve also known of hackers using this technique to call every number in a company to look for modems.

In the early 1990s, I worked for a company where each phone number began with 580. The IT security team frequently encountered incidents in which someone would attempt to call all 10,000 numbers in the 580 exchange within a relatively short period of time. As you can see, it’s of the utmost importance for you to discover all of the modems on the network before a hacker does.

Wireless access points
Still another way that intruders can get past your perimeter is by going through a wireless access point (WAP). WAPs present a special challenge because an intruder can access your network through one without ever having to pass through a firewall or a remote access server. Fortunately, there are several things you can do to guard against wireless intrusions.

First, be sure to enable WEP encryption. There are several flavors of WEP available. Just about every wireless access point made in the last year supports 128-bit WEP encryption. Some of the newer devices support up to 152-bit WEP encryption. Therefore, use the highest level of WEP encryption you can. Remember that you must adhere to the lowest common denominator. For example, it does you no good to implement 152-bit encryption

if your wireless client’s NIC cards support only 128-bit encryption. Bear in mind, too, that a longer WEP key raises the attacker’s effort but does not remove the WEP weaknesses described earlier in this guide, so where you can, run a VPN over the wireless link as well.

Some other wireless defense techniques include defining which clients are allowed to use the access point. Not all access points support this, but many allow you to define clients by MAC address. If a client’s MAC address isn’t on the list of approved addresses, that client will be denied access. Since MAC addresses travel in the clear and can be set by the client, treat this as a filter against casual use rather than against a determined intruder.

A more controversial wireless defense technique is to disable DHCP for your wireless clients. By doing so, you can ensure that your access point won’t be handing out IP addresses to wireless hackers. Usually, an access point won’t distribute IP addresses unless the client requesting the address knows the WEP pass phrase. However, using static IP addresses for legitimate wireless clients offers one more way that you can make a hacker’s job just a little more difficult. It also makes it a bit easier for you to spot an intruder, since an intruder would have to take a guess as to what IP address to use, and would likely have to use an address that’s different from the static addresses you’ve assigned.

Before wireless networking became so popular, a close friend was running a wireless network in his office. Since he ran a small business with fewer than 10 employees, he didn’t see the need for WEP encryption. However, over time, he began noticing that his bandwidth wasn’t what it should be. After doing some investigating, my friend discovered that the company across the hall had installed wireless NICs into all of its machines and was sponging off my friend’s Internet connection. The lesson here is that even if you aren’t worried about someone stealing your data or hacking your network, it’s still a good idea to implement WEP encryption to prevent outsiders from stealing your bandwidth. Whatever their motivation, you don’t want outsiders on your network.

Extranets
Extranets represent yet another hole in your network’s perimeter. An extranet is a Web site that is designed to allow users from outside the company to connect to resources on your private network. An example of an extranet would be an Internet banking system. Your account information exists within a database on the bank’s private network, but it’s made available to you over the Web after you enter the necessary credentials.

There are a couple of things you can do to make extranets more secure. First, if possible, configure IIS to use only NTLM security for the extranet Web site. Remember, though, that you can only use NTLM security with Windows clients. If you have other clients, such as Linux or Macintosh clients, you must use either basic or anonymous authentication. Basic authentication transmits the logon credentials in clear text, while anonymous authentication doesn’t require the end user to enter any logon credentials at all.

In the case of an extranet, I recommend using basic authentication, assuming that NTLM isn’t an option. Anonymous authentication would be acceptable if all of the extranet data is accessible to the world. For example, a car dealership might have a Web site that shows the current vehicle inventory. Since no one can do anything but view the inventory and there’s no reason to block anyone from doing so, there’s no reason to use anything beyond anonymous authentication.

For those whose only choice is basic authentication, there remains the problem of authentication information being transmitted in clear text form. One thing that you can do to significantly enhance security is to enable SSL just before the user transmits the logon credentials, and keep it enabled for the rest of the session, because basic authentication resends the credentials with every request rather than only with the first.

Once you’ve secured the authentication process, you’ll need to secure the server itself. Remember that, in an IIS environment, extranet users are users in the same sense as local users and domain users. Even anonymous users still authenticate into the server via the IUSR_servername account. The point is that when outside users access your extranet, you must make sure that they can’t access anything else.

Part of that is done through the Internet Services Manager. However, a frequently overlooked step is to set up NTFS-level security. You should set explicit denies on extranet

users for any files or folders that they don’t need to access. Likewise, you should assign extranet users the lowest set of possible permissions for resources that they do need to access.

Setting up an explicit deny for extranet users may seem like overkill at first. After all, you haven’t directly assigned these users rights to anything outside the Web site. However, extranet users are usually included in the Domain Users group. There are several places where Windows depends on the Domain Users group having rights to something, so you don’t want to remove the group. Instead, it’s much easier to create an Extranet Users group and explicitly deny the group access to the various resources.

Other perimeter holes
One last technique for securing your perimeter is to make sure that you aren’t giving anything away. Avoiding the use of wireless DHCP services is one example of this, since you want to avoid giving a hacker an IP address, DHCP server number, and so on. However, the idea of not giving anything away goes way beyond mere IP configuration information.

One of the first things you should do is scrutinize your company’s Web site for anything that a hacker could use to launch an attack. This includes information that could be used for social engineering purposes and information that could aid an actual break-in. For example, it’s not uncommon for Web sites to provide an e-mail address to which users can send messages. You should make sure that none of the e-mail addresses on your Web site belong to accounts with administrative permissions. If you list administrative mailboxes on your Web site, you’ve just given the world the name of an administrator’s account. Sure, you’re not publicizing the fact that the account has administrative privileges, but if hackers really wanted to break into your network, they might start by trying to exploit known account names.

If you use a software-based firewall, such as Microsoft’s ISA Server, then you need to go through the server with a fine-tooth comb looking for weaknesses. It may sound dumb, but I can’t count the number of times that I’ve seen an ISA Server configured to be a domain controller. This is especially common in small companies. Support staffers often find themselves in need of another domain controller. They see the ISA Server as not really doing anything, so why not make it a domain controller?

Remember that the ISA Server is the point that everyone in the world passes through to get to your network from the Internet. Do you really want this server to contain sensitive domain information? The same goes for Web servers and mail servers. Often such servers exist in DMZs that allow them to be accessed through the Web. Don’t make the mistake of making a publicly accessible server a domain controller. Such servers should be isolated from the rest of your network as much as possible.

Safe and sound
Securing your network needn’t be rocket science. It may sound complicated, but if you keep track of the basics, you can go a long way toward ensuring that your network and the data it contains remain safe. Make a checklist of your network’s security to make sure you’ve covered all the bases. Sometimes it’s the little things you overlook that can leave your network open to attack.
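The port-scan and disable-unused-ports advice in this article can be turned into a repeatable check of your own. The block below is an added example, not code from the article or from ShieldsUp!!: it performs a TCP connect scan (a full three-way handshake to each port, the simplest kind of scan and the one most likely to show up in the target’s logs) and flags any of the ports the article singles out. To stay runnable offline, demo() opens a throwaway listener on 127.0.0.1 and scans the ports around it; point tcp_connect_scan at your firewall’s public address from the outside to get the real answer, and only scan hosts you are authorized to test. The port descriptions are mine; 137 is listed for completeness even though its service is UDP, which a TCP connect scan cannot see.

```python
"""TCP connect scan with a built-in local target (added example, not from the article)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the article singles out. NetBIOS name service (137) is UDP; a connect scan
# only sees TCP listeners, so it is here for the report, not because it will be found.
RISKY_PORTS = {
    135: "MS RPC endpoint mapper",
    137: "NetBIOS name service (UDP)",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Attempt a full TCP handshake to each port; return the sorted ports that accepted.

    A refused connection (RST) and a silent drop (timeout) both count as not open;
    distinguishing 'closed' from 'filtered' is left to fuller tools."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:          # ConnectionRefusedError and timeouts are subclasses
                return None

    valid = [p for p in ports if 1 <= p <= 65535]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, valid) if p is not None)


def flag_risky(open_ports):
    """Map any open port that appears in RISKY_PORTS to its description."""
    return {p: RISKY_PORTS[p] for p in open_ports if p in RISKY_PORTS}


def demo():
    """Stand up a throwaway listener on 127.0.0.1 (a constructed target) and scan around it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", [port - 1, port, port + 1])
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports seen by the scan: {found}")
    print("risky ports in a sample result:", flag_risky([80, 139, 443, 445]))
```

Because every probe completes the handshake, this scan is noisy by design; that is fine for checking your own perimeter and is exactly the traffic your firewall and IDS logs should be recording when someone else does it.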

Strengthen your network defenses with these four steps
Feb 27, 2003
By Brien M. Posey, MCSE

Recently, Microsoft has been publicizing the idea that if you want to have a truly secure network, there are five primary areas on which you must focus your efforts. These areas include perimeter defenses, network defenses, application defenses, data defenses, and host defenses. In this article, I’ll discuss network defenses as they apply to Microsoft’s five steps for achieving security in depth.

AUTHOR’S NOTE
The idea behind Microsoft’s security-in-depth philosophy is that you should focus on each of the five areas that I named individually, as if each of those areas were your only line of defense. By doing so, you’ll ensure that each area is as secure as it can be. By focusing on the areas individually, you’ll also ensure that if one of the defense layers is compromised, the other four layers are still intact and will protect your network against a full-blown security nightmare.

What are network defenses?
At first, the subject of network defenses might seem redundant or very general. However, there’s nothing redundant or general about this area. Network defenses address the issues involved in connecting networks to each other and in operating a network as a whole. Network defenses don’t address things such as external firewalls or dial-up connections, since the perimeter security layer covers these. Nor do network defenses cover individual servers and workstations, since the host-defenses layer covers these. Instead, network defenses cover things like protocols and routers.

Internal firewalls
Just because the subject of network defenses doesn’t cover external firewalls, it doesn’t mean that it doesn’t cover firewalls at all. One of the first steps that I recommend taking toward securing your network defenses is to enable internal firewalls where possible. Internal firewalls are basically the same as external firewalls. The main difference is that their primary job is to protect the machine against traffic that is already on your network. There are a couple of reasons for implementing internal firewalls.

First, imagine for a moment that a hacker or a virus was able to manipulate your external firewall in a way that allowed all varieties of traffic to flow through it. Normally, this would mean that it was open season against your network. However, if you had enabled internal firewalls, the internal firewalls would block the malicious packets that the external firewall had let slip through.

The other main reason for enabling some internal firewalls is that many attacks tend to be internal in nature. At first, you might hear this statement and think that an internal attack couldn’t possibly happen on your network, but I’ve seen internal attacks and other security breaches in every company that I’ve ever worked for.

At two of the places that I used to work, people in other departments who were hacker or administrator wannabes thought that it would be cool to probe the network to see how much information they could acquire. In both cases, they had no ill intent (or so they said); they were just looking to impress their friends by hacking the system. Whatever their motivation, they did attempt to break through the network’s security. You’ve got to protect your network from people like this.

In other places that I’ve worked, I’ve seen people bring in unauthorized software that was infected with Trojan horses (remember “Back Orifice”?). These Trojan horses would then broadcast on specific ports. The firewall was powerless to stop malicious packets from

entering the network because the packets were already on the network.

This actually brings up an interesting point: Most of the techs I know configure their external firewalls to block all but a few inbound ports and to allow all outbound traffic. I recommend being just as picky with the outbound ports as you are with the inbound ports because you never know when a Trojan horse could be using some obscure port to broadcast information about your network to the world.

Internal firewalls ideally should be placed on each PC and on each server. There are several good personal firewall products on the market, such as Norton Personal Firewall 2003 from Symantec. However, you may not have to spend a dime on an internal firewall for your workstations, as Windows XP contains its own built-in personal firewall.

To enable the Windows XP firewall, right-click on My Network Places and select the Properties command from the resulting shortcut menu to display the Network Connections window. Next, right-click on the network connection that you want to protect and select Properties. Now, select the Advanced tab and then click on the check box in the Internet Connection Firewall section. There’s also a Settings button that you can click to enable any ports that should remain open. Although the Windows XP firewall is intended as an Internet firewall, it works great as an internal firewall as well. Be aware, though, that Internet Connection Firewall filters inbound connections only; it does nothing about the outbound traffic discussed above, so egress control still has to come from your perimeter firewall or a third-party product.

Encryption
The next step that I recommend taking is to encrypt your network traffic. Begin by implementing IPSec wherever possible. However, there are a few things that you need to know about implementing IPSec security.

When you configure a machine to use IPSec, you have the option of configuring IPSec to either request encryption or to require encryption. If you configure IPSec to require encryption, then any machine that the machine attempts to connect to will be informed that encryption is required. If the other machine is capable of IPSec encryption, then a secure channel will be established and the communications session will begin. If, on the other hand, the other machine is incapable of IPSec encryption, then the communications session will be denied because the required encryption can’t occur.

The request encryption option works a little differently. When a machine requests a connection, it also requests encryption. If both machines support IPSec encryption, then a secure channel is established and communications begin. If one of the machines doesn’t support IPSec encryption, then the communications session is established anyway, but the data simply isn’t encrypted. That fallback is the weakness of request mode: a peer that declines IPSec, or an attacker impersonating one, gets a clear-text session, so request mode protects against eavesdropping only where both ends happen to cooperate.

For this reason, there are a couple of things that I recommend doing. First, I recommend placing all of the servers within a site on a secure network. This network should be completely isolated from the normal network. Each server that users require access to should have two network cards, one for connecting to the main network and the other for connecting to the private server network. The server network should consist of only servers and should have a dedicated hub or switch.

By implementing such a configuration, you create a dedicated backbone between the servers. All server-based traffic, such as RPC traffic and traffic used for replication, can flow across this dedicated backbone. By doing so, you’ve helped to secure the server-based traffic and you’ve increased the amount of available bandwidth on the main network.

Next, I recommend implementing IPSec. For the server-only network, IPSec should be configured to require encryption. After all, this network consists of nothing but servers, so unless you’ve got UNIX, Linux, Macintosh, or some other non-Microsoft server, there’s no reason why all of your servers shouldn’t support IPSec. Therefore, you’re perfectly safe requiring encryption.

Now, for all of the workstations and the server connections on the primary network, you should configure the machines to request encryption. By doing so, you’ve achieved the optimal balance between security and functionality.

Unfortunately, IPSec can’t distinguish between network adapters on multihomed

computers. Therefore, unless a server is attached exclusively to the server network, you’ll want to use the request encryption option or else clients may not be able to access the server.

Of course, IPSec isn’t the only type of encryption available for your network traffic. You must also consider how you’ll secure traffic that flows through your perimeter and the traffic flowing across your wireless networks.

Wireless encryption tends to be a touchy subject these days because the wireless networking devices are still evolving. A lot of administrators view wireless networks as inherently insecure because of the fact that network packets are flying through the air and anyone with a laptop and a wireless NIC card can intercept those packets.

While there are certainly risks associated with wireless networks, in one respect a wireless segment has an advantage over a typical wired one: its traffic is at least encrypted at the link layer, by WEP, whereas nothing on a wired segment is encrypted unless you add it. WEP encryption ranges in strength from 40 bit on up to 152 bit or even higher (the advertised figure includes the 24-bit initialization vector, so “64-bit” WEP uses a 40-bit secret key and “128-bit” WEP a 104-bit key). The actual strength depends on the lowest common denominator. For example, if your access point supports 128-bit WEP encryption, but one of your wireless clients only supports 64-bit WEP encryption, then you’ll be limited to using 64-bit encryption. These days, however, just about all wireless devices support at least 128-bit WEP encryption. Bear in mind that the WEP weaknesses described earlier in this guide (recoverable keys, and a per-packet keystream that repeats once the 24-bit IV space is exhausted) are not cured by a longer key, so treat WEP as a deterrent rather than as a substitute for IPSec or a VPN.

What many administrators fail to realize is that just because wireless networks use WEP encryption, it isn’t the only encryption type that they can use. WEP encryption simply encrypts whatever traffic is flowing across the network. It doesn’t care what type of traffic it is encrypting. Therefore, if you are already encrypting data with IPSec, as you should be, then WEP will simply provide a second level of encryption to the already encrypted data.

Network isolation
If your company is very big, then there’s a good chance that you have a Web server that hosts the company’s Web site. If this Web server doesn’t require access to a backend database or to other resources on your private network, then there’s no reason to place it on your private network. Why run the risk of someone using a Web server as an entry point to your private network when you can fix the problem by isolating the server into its own network?

If your Web server does require access to a database or to some other resource on your private network, then I recommend placing an ISA Server between your firewall and the Web server. Internet users will communicate with the ISA Server rather than with the Web server directly. ISA Server will proxy requests between the users and the Web server. You may then establish an IPSec connection between the Web server and the database server and an SSL connection between the Web server and the ISA Server.

Packet sniffers
After you have taken the necessary steps to secure the traffic flowing across your network, I recommend occasionally using a packet sniffer to monitor network traffic. This is just a precautionary step because it allows you to see what types of traffic are actually present. If you detect unexpected packet types, you can see where those packets are coming from.

The biggest problem with protocol analyzers is that they can be used as a hacker tool. I used to think that it was impossible to detect someone who was using a packet sniffer on my network because of the nature of packet sniffing. Packet sniffers simply watch traffic flowing across the wire and report the contents of each packet. Since packet sniffers don’t transmit packets, how could you possibly detect them?

It’s actually easier than you might think to detect packet sniffing. All you need is a bait machine. The bait machine should be a workstation that no one knows exists except for you. Make sure that the bait machine has an IP address, but is not a part of a domain. Now, place the bait machine on the network and generate some packets. If someone is sniffing the network, the sniffer will pick up the packets that the bait machine produces. The problem is that the sniffer will know the machine’s IP address, but not its host name. Usually, the sniffer will do a DNS lookup to try to determine the machine’s host name. Since you are the only one who knows about the machine, no one should be doing DNS lookups on the machine. Therefore, if you check the DNS logs and see that someone has been doing DNS lookups on your bait machine, then there’s a good chance that the detected machine is sniffing the network. The trick only catches sniffers that resolve names; one run with name resolution switched off never touches your DNS server, so treat a quiet log as absence of evidence rather than evidence of absence.

Another step that you can take toward preventing sniffing is to replace any existing hubs with switches, ideally ones that support VLANs. A switch forwards a unicast frame only to the port where its destination lives, so the packet no longer flows to every machine on the segment, and a VLAN lets you confine broadcast traffic to a chosen group of ports as well. This makes it difficult for someone who might be sniffing the network to get anything useful, although a switch can still be induced to leak traffic (by flooding its address table or by ARP spoofing), so switching raises the bar rather than eliminating the risk.

These types of switches have another benefit as well. With a standard hub, all of the nodes fall into a single collision domain. This means that if you have 100 Mbps of total bandwidth, then the bandwidth is divided among all of the nodes. A switch, by contrast, gives each port its own collision domain, so a 100 Mbps switch can potentially carry many hundreds of Mbps at a time, across different ports and virtual networks. Implementing VLAN switches will improve both security and efficiency.
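The bait-machine check above comes down to one question against your DNS server’s query log: who asked for the reverse (PTR) record of an address nobody is supposed to know about? The following is an added example, not code from the article, that answers it over a few constructed BIND-style query-log lines (10.0.0.77 is the hypothetical bait, 10.0.0.1 the hypothetical resolver, and the client addresses and timestamps are invented). Windows DNS debug logs use a different layout, so the regular expression would need adjusting there; the logic is the same.

```python
"""Bait-machine sniffer detection from DNS query logs (added example, not from the article)."""
import ipaddress
import re
from collections import Counter

BAIT_IP = "10.0.0.77"   # hypothetical bait workstation; it has no forward DNS record

# Constructed lines in BIND query-log style (not real logs). 10.0.0.1 is the resolver.
SAMPLE_LOG = """\
12-Mar-2003 02:14:01.231 client 10.0.0.12#1034: query: fileserver.corp.example IN A + (10.0.0.1)
12-Mar-2003 02:14:07.902 client 10.0.0.23#1501: query: 77.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
12-Mar-2003 02:14:08.115 client 10.0.0.23#1502: query: 12.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
12-Mar-2003 02:15:40.004 client 10.0.0.12#1035: query: mail.corp.example IN MX + (10.0.0.1)
12-Mar-2003 02:16:02.770 client 10.0.0.23#1503: query: 77.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
"""

# client <ip>#<port>: query: <name> IN <type>  (the fields we need from each line)
QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def bait_lookups(log_text, bait_ip=BAIT_IP):
    """Count, per client address, the PTR queries for the bait's reverse name."""
    target = ipaddress.ip_address(bait_ip).reverse_pointer   # e.g. '77.0.0.10.in-addr.arpa'
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m["qtype"] == "PTR" and m["qname"].rstrip(".").lower() == target:
            hits[m["src"]] += 1
    return hits


def suspects(log_text, bait_ip=BAIT_IP, exempt=()):
    """Clients that resolved the bait, minus any hosts allowed to (your own monitoring box)."""
    return sorted(src for src in bait_lookups(log_text, bait_ip) if src not in exempt)


if __name__ == "__main__":
    print("PTR lookups of the bait by client:", dict(bait_lookups(SAMPLE_LOG)))
    print("hosts to go and look at:", suspects(SAMPLE_LOG))
```

Feed it the real query log on a schedule and alert on any non-empty result; a host that resolved the bait once may be an admin’s curiosity, one that resolves it repeatedly after every burst of bait traffic is almost certainly running a sniffer with name resolution on.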

Protocol analyzers make short work of net admin tasks
Mar 11, 2002
By Ron Nutter

It used to be that protocol analyzers were expensive pieces of hardware, costing upwards of $20,000 and requiring specialized training to use. Things have changed quite a bit in just a few years. Some protocol analyzers are now available for free, and others can cost up to $1000, but they can all make the life of a network admin much easier. In this article, I'll explain how you can use various protocol analyzers on your network to perform such tasks as benchmarking, intrusion detection, and troubleshooting e-mail problems.

Know what's normal for your network

I have never used a protocol analyzer for a byte-level analysis to resolve a problem. Instead, I usually use one to benchmark my network. Once you know what is normal for your network, finding problems or exceptions to the benchmark becomes easier. Several years ago, I received a panicked phone call from a network administrator in a bank several hours away from the office where I worked. Their network was locking up every 10 to 15 minutes.

Networking Fundamentals

I talked with the administrator for several minutes and had him make sure other possible causes, such as a bad electrical ground, faulty network cable, or a broken network card, weren't the source of the problem. After I arrived at the site, I ran the protocol analyzer for a few minutes. It was then that I noticed something strange: Each workstation on the network was requesting the current date and time from the Novell server 20 to 30 times per minute. In normal conditions, this should happen only when the workstations boot up. A little investigation found that a third-party utility was being loaded that was supposed to get the current date and time about two or three times per day. After removing this utility from the workstations, the problem disappeared. Had I not been using a protocol analyzer, my troubleshooting time would have been much longer.

Perform intrusion detection

Unfortunately, detecting intrusions is becoming more and more important as unwelcome visitors from the outside try to access and do damage to your network. This is where a protocol analyzer can be handy. First, look for services that shouldn't be running on a particular server, such as FTP. It's good practice to check for and disable such rogue services whenever new servers are added to your network and when service packs or updates are applied to existing servers.

You should also watch for people trying to do things that they shouldn't be doing on your servers. For example, say you have a server that allows you to use the Secure Shell utility for remote administration. Upon analyzing the server, you find another user taking advantage of this open port (SSH, TCP port 22). This allows you to immediately track down their source address and block that address from accessing your network. Another way to find intrusions is to look at login accounts that have been disabled or should have been disabled to see if they are being used to access the network.

Check for virus activity

Several of the protocol analyzers (Etherpeek and Sniffer, for example) offer the ability to download filters, which allows you to view specific types of traffic on your network. So instead of having to sort through all the network traffic, you can download predefined filters to scan for virus activity such as Code Red and Nimda. I like to run these filters in what I call a global mode, which looks at all the packets crossing the wire regardless of source or destination.

You can also create your own virus filters. The information you need is contained in the virus alerts put out by such companies as McAfee and Norton. Looking for a file attachment by name in a mail message or looking for a certain command on an HTTP header line are just a couple of ways you can take a more proactive stance toward virus protection.

Watch out for unauthorized programs

With the IP-based network and the Internet becoming commonplace, it's easier to find unauthorized programs on your network and stop their use. The proliferation of peer-to-peer file sharing applications such as BearShare and Napster has consumed network bandwidth that could be better used elsewhere. The best way to halt usage of such applications is to download the applications onto a test workstation and have a protocol analyzer watch for traffic going to and coming from the IP address of the test workstation. Once you've seen the traffic created, you can create filters that stop the apps' usage. Each analyzer has a different method for creating such filters, so you will want to take a look at your application's documentation for this step.

Check for WAN link usage

When you have more than one T1 connection to the Internet, knowing these links are working correctly is critical to the health of your network. If routing protocols such as OSPF and BGP4 are being used, it can be helpful to be able to see what the problem is when things go awry. Not all protocol analyzers can track all IP traffic patterns, so knowing what is required to monitor your T1 or similar link can help decide what analyzer will be best for you.

One tool that has the ability to track patterns is the Sniffer Portable WAN tool. This high-end utility automatically finds and labels internetwork problems such as retransmissions, duplicate IP addresses, a high rate of physical cyclic redundancy check (CRC) errors, WAN overload, and frame relay congestion. Once an issue is detected, Sniffer recommends solutions to potential network problems.

Many enterprise-level analyzers require special PCMCIA cards with the appropriate type of connectors to sit in series with the V.35 or other type of connector that your laptop or workstation may use. For nonportable solutions, you may end up getting either an external pod-like interface or a special interface board to go into a conventional desktop form factor. This same process also applies to ATM and DS3 connections.

Check for e-mail problems

I use protocol analyzers to monitor e-mail problems much more often than I would have thought. To do this, you must set up an analyzer with a filter that monitors the IP ports used by a mail server (typically port 25 for SMTP, 110 for POP3, and 143 for IMAP) to send and receive mail. Several good examples of how to do this can be found on the Packet-Level site.

I've found the type of filter I described above to be useful in figuring out why a particular e-mail won't go through when the only error I get in the Exchange server logs is "communications error." I have made the modification to the filter that the site suggests, but this modification examines only e-mail to and from a particular mail server. However, this technique is still a big help because I don't have to go through an entire capture session to look for the mail traffic. (Entire capture sessions can be quite large, depending on the size of your network.)

Is your firewall working correctly?

Since firewalls protect your network from unwelcome visitors, knowing that they are working correctly is paramount to the security of your network. Checking the firewall will involve using several different filters (these can be predefined filters, administrator-created filters, or downloaded filters, all with various functions), depending on the level of sophistication of the packet filtering being used.

In general, you will have two sets of filters: one checking for the traffic based on outgoing traffic and one based on incoming traffic. Leaving the incoming filter running 24/7 would be a good idea, because this filter will be a good indication that the firewall is working as expected and will provide a quick alert if the firewall fails for some reason and begins letting every packet through.

Other utilities complement the analyzer. For example, NetDoppler utilizes several features of the ICMP, IP, and DNS protocols to perform tasks and tests on remote hosts to check latency and throughput and to isolate problems. Also, PacketScrubber removes sensitive or confidential data from frames and packets within a trace file by changing the packet and frame payloads to null data.

Conclusion

The ideas presented here just scratch the surface on the possible uses of a protocol analyzer. Before you go out and buy the first one you see or something that a vendor recommends, try to obtain trial versions of a few, use them, and see which candidate best meets your needs. It's also a good idea to keep the analyzer you buy under some type of maintenance contract from the vendor to keep the decodes and the application up to date and problem-free.
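The filters this article describes (rogue services on a server, SSH from an unexpected source, the mail-port filter, and the always-on incoming filter that tells you the firewall has failed open) expressed as one policy check over captured flows. This is an added example, not the article's or any analyzer vendor's code: the flow records are constructed, and the server roles, allowed ports and address ranges stand in for a real site's policy and are assumptions.

```python
"""Apply the article's analyzer filters to summarised flows (5-tuples without payload).

Added example. Server roles, allowed ports, address ranges and the sample
flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed private range
DMZ = ipaddress.ip_network("192.0.2.0/24")          # assumed screened subnet

# What each server is supposed to be serving (the "rogue service" filter).
EXPECTED_PORTS = {
    "192.0.2.10": {80, 443},      # public web server
    "10.0.5.20": {25, 110, 143},  # mail server
    "10.0.5.30": {22},            # SSH jump host
}
ADMIN_NETS = [ipaddress.ip_network("10.0.9.0/24")]  # only these may open SSH sessions
MAIL_PORTS = {25, 110, 143}                         # SMTP, POP3, IMAP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(flow: Flow) -> list[str]:
    """Return alert strings for one flow; an empty list means nothing to report."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    alerts = []
    # Incoming filter: an outside source reaching an internal host directly is
    # traffic the firewall should have stopped, so it is the 'failed open' canary.
    if src not in INTERNAL and src not in DMZ and dst in INTERNAL:
        alerts.append(f"INBOUND-TO-INTERNAL {flow.src} -> {flow.dst}:{flow.dport}")
    expected = EXPECTED_PORTS.get(flow.dst)
    if expected is not None and flow.dport not in expected:
        alerts.append(f"ROGUE-SERVICE {flow.dst}:{flow.dport} not in {sorted(expected)}")
    if flow.dport == 22 and not any(src in net for net in ADMIN_NETS):
        alerts.append(f"SSH-FROM-UNEXPECTED-SOURCE {flow.src} -> {flow.dst}")
    return alerts


def mail_flows(flows: list[Flow]) -> list[Flow]:
    """The e-mail filter: keep only SMTP/POP3/IMAP flows so the capture stays small."""
    return [f for f in flows if f.dport in MAIL_PORTS]


# Constructed sample flows; comments say what each one is meant to exercise.
SAMPLE_FLOWS = [
    Flow("10.0.9.5", "10.0.5.30", 22),       # admin subnet to jump host: fine
    Flow("10.0.3.77", "10.0.5.30", 22),      # SSH from an ordinary user subnet
    Flow("198.51.100.9", "192.0.2.10", 80),  # Internet to DMZ web: fine
    Flow("198.51.100.9", "192.0.2.10", 21),  # FTP answered on the web server
    Flow("198.51.100.44", "10.0.5.20", 25),  # Internet straight to an internal host
    Flow("10.0.3.77", "10.0.5.20", 110),     # POP3 from a user: fine
]


def report(flows: list[Flow] = SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its alerts, for flows that produced any."""
    out = {}
    for f in flows:
        alerts = classify(f)
        if alerts:
            out[f"{f.src}->{f.dst}:{f.dport}"] = alerts
    return out


if __name__ == "__main__":
    for key, alerts in report().items():
        print(key, *alerts, sep="\n    ")
```

Feed it flow summaries exported from whatever analyzer you use (source, destination, destination port is enough); the value of the incoming filter is that it runs all the time, so a single INBOUND-TO-INTERNAL hit is the alert, not a statistic to trend.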

Common causes of network slowdowns and how to locate them quickly
Apr 30, 2002
By Scott Lowe, MCSE

A few years ago, when the use of twisted pair cabling for Ethernet was still a young science and RG-58A/U coaxial cable was the norm, I was working for a state agency that supported many local school districts. One of the techs at a different school district needed to get network connectivity between two buildings that were within a couple of hundred feet of each other. This was before wireless was the easy answer.

Not wanting to just run the cable across the grass, he needed another alternative. He looked up and noticed that there were power lines on poles connecting the two buildings. "Aha!" he said, realizing that he had found a solution to his problem. After running the cable, he spent quite a significant amount of time trying to figure out why he was still having so much trouble and such a slow speed on both networks.

After asking for help, a more knowledgeable IT pro told him that while using the poles seemed like a good idea, wrapping the coaxial Ethernet cable around the high-voltage power line to hold it in the air was not. The electricity from the power lines was adding an enormous amount of noise on the network. If he'd had the proper knowledge and tools, this poor tech might have discovered the cause of the problem without having to suffer the embarrassment of having this flaw pointed out. Here I will explain how to identify some of the common causes of network slowdowns. I will also introduce you to some basic tools you can use to locate where such problems originate.

What causes slow networks?

Sometimes, the nature of networking makes slow network problems seem intermittent. Network traffic also has a habit of "peaking" from time to time, which may result in a slowdown. Once you've determined that there is a consistent network slowdown or bottleneck, the hard part is pinpointing the location of the problem. Here is a list of some of the basic possible causes of network slowness. Please remember that the causes of such problems can be numerous, and sometimes multiple problems occurring at once can make it even more difficult to pinpoint where the problem originated.

Network interface card

Troubleshooting slowdowns or bottlenecks depends on the network devices. In some cases, you may need to use specialized equipment, which I'll explain later in this article. One common cause of network slowdowns is the result of a bad network adapter on a PC, which has been known to bring down an entire network.

When a network adapter goes bad, it may begin to broadcast junk packets (useless packets of data) onto the network. If this is broadcast traffic, any device in the same broadcast domain as the offending network interface card may experience problems, including slowdowns. I have experienced a "junk spitting" NIC more than once. In the worst case, a PC with a bad network adapter was bringing down all student PCs in the buildings within a particular VLAN.

By using the ping command, I found I was only able to send packets of data so far down the network before they stopped at a certain point. This point was the device with the NIC problem. I was then able to go to the building, find the switch port with a solid light indicating it was sending out constant traffic, and disconnect it. As soon as I disconnected the offending NIC, the problem went away. So I informed the student that he needed a new network adapter.

Cabling

Bad network cabling can lead to a whole host of issues, including a slow network. When the prevalent speed of an Ethernet network was 10 Mbps over Category 3 or 5 cabling, a little

problem here and there wasn't as big a deal as it is today. With more modern networks running at 100 Mbps or even 1,000 Mbps, you must take more care in the design and maintenance of the cable plant.

Many cable installation jobs come with a warranty for a specific period. Most common cabling problems aren't related to those installations; however, I have seen odd cases where the vendor tied all of the cables to the high voltage electrical service in the ceiling. And then there are cabling problems like the one I mentioned that involved wrapping the coaxial Ethernet cable around the high-voltage power line.

Most cabling problems won't be a result of strange issues like these. The bulk of them are likely to involve the patch cables that connect the PC to the network jack. A badly or improperly crimped cable, loose ends, or the wrong type of cable connecting the PC to the network jack can create a network slowdown. The easiest way to determine if the patch cable is causing the problem is to replace it and see what happens. In many cases, a bad patch cable on the network can be detected by looking at statistics on the network equipment and checking to see if there are excessive Cyclical Redundancy Check (CRC) errors on a given port.

If you replace a patch cable that you suspect is bad and the network is still slow, the problem may lie in the autonegotiation of network speed and duplex that many of today's dual-speed hubs and switches support. These devices are configured to automatically determine the speed and duplex at which the remote PC is capable of communicating on the network. In certain circumstances, even though the two ends correctly negotiate their parameters, errors are still generated, resulting in a slower network connection.

The easiest solution to this problem is to manually force the speed and duplex at both ends of the network connection. Forcing the speed and duplex to specific values is generally done either in the Network Connection Settings in the operating system or in the configuration of the network equipment. For example, in Windows 2000, to manually set the duplex and speed of a network adapter, open the adapter's Properties window and click the Configure button. From the Advanced tab, set the appropriate values based on the actual speed and duplex of the switch, as shown in Figure A.

The speed and duplex on a Cisco switch are user configurable. For example, to set ports 1 through 8 on module 1 at a speed of 100 Mbps on a Cisco switch, use this command (from enable mode):

set port speed 1/1-8 100

MORE RELIABLE SOLUTIONS

Had I been in my office, I could have used the management server running HP OpenView, a network monitoring software product. This would have told me the MAC hardware address of the offending NIC. You can also detect a bad NIC by using a packet sniffer or other specialized network troubleshooting hardware, such as the Gigabit Observer Probe.

Figure A: Select Link Speed And Duplex from the Properties window, and then select the proper speed and duplex from the drop-down list.

Listing A

Pinging sample.somedomain.com [192.168.1.7] with 32 bytes of data:

Reply from 192.168.1.7: bytes=32 time=886ms TTL=240
Reply from 192.168.1.7: bytes=32 time=526ms TTL=240
Reply from 192.168.1.7: bytes=32 time=158ms TTL=240
Reply from 192.168.1.7: bytes=32 time=405ms TTL=240

Ping statistics for 192.168.1.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 158ms, Maximum = 886ms, Average = 493ms

Listing B

Tracing route to 192.168.1.7 over a maximum of 30 hops

  1    27 ms    29 ms    30 ms  192.168.6.1
  2    28 ms    28 ms    27 ms  192.168.16.5
  3    31 ms    32 ms    30 ms  192.168.19.1
  4    30 ms    27 ms    31 ms  172.23.1.1
  5    30 ms    30 ms    31 ms  192.168.178.1
  6    98 ms    96 ms    95 ms  10.1.5.1
  7    96 ms    95 ms    96 ms  192.168.44.1
  8    97 ms    99 ms    96 ms  172.17.1.1
  9    94 ms    96 ms    95 ms  172.155.1.1
 10    90 ms    98 ms   103 ms  192.168.192.1
 11   101 ms    98 ms    94 ms  10.166.56.1
 12   103 ms   106 ms   102 ms  10.11.99.3
 13    97 ms   102 ms    96 ms  172.122.111.32
 14    95 ms    97 ms    93 ms  192.168.99.44
 15   155 ms   414 ms   219 ms  192.168.1.7

Trace complete

To set the duplex to Full for port 1 on module 1 of the same switch, run this command (from enable mode):

set port duplex 1/1 full

Software-based troubleshooting tools

Two of the most important tools used to determine the location of a network problem are the ping and tracert utilities in Windows. Ping (often expanded as Packet Internet Groper, although its author named it after the sonar pulse) issues Internet Control Message Protocol (ICMP) echo requests to a network device, which responds with a reply if it is active. Ping also reports the amount of time that it takes for a particular device to respond, which makes it invaluable in locating network trouble spots. Tracert serves a similar purpose, but it tracks the entire network path, reporting similar statistics to ping. Using these two utilities together will show you almost instantly where a network bottleneck might be because of the excessive time it takes to get a reply from a particular node.

Suppose someone tells you that a certain host on your WAN is responding very slowly. To determine if there is a network-related problem causing the perceived slowdown, you would issue this command: ping 192.168.1.7, which will respond with the type of output shown in Listing A.

Depending on the type of link, an average round trip of 493 ms could be good or bad. For this example, assume that the host 192.168.1.7 is on the company's network and no links are slower than T1 (1.544 Mbps). In this case 493 ms is a pretty bad round-trip time. But it may not necessarily be a problem

with that particular host. Instead, there may be a problem somewhere along the path to that host. What the Ping utility shows is that the reply from the host is taking a long time. This is where the tracert command comes in.

I will use the tracert command to determine where along the path the problem is occurring. By issuing the command tracert -d 192.168.1.7, I will see the output shown in Listing B. Looking at the results of the tracert command, I see that the last round-trip time is more than double the next longest time. The long round-trip time of the last host would indicate that the problem lies at the end node. (Had the jump appeared at an intermediate hop and stayed high for every hop after it, the link into that hop would be the suspect instead.)

Hardware-based troubleshooting tools

There are specialized tools that can help with pinpointing and correcting network-related problems. One common tool is a simple cable tester. An example of a typical cable tester can be found on the IC Network Web site. Like many other cable testers, the IC Network Enhanced Network Cable Tester RJ-45 unit can be used to test the continuity between the pairs in the twisted-pair cable. There are four lights on each portion of the unit. One end is plugged in to the patch panel with a patch cable that is known to be good, and the other end is plugged in to the PC's patch cable. If all four lights come on, the cable is good. If not, then there is a broken wire somewhere along the line in the cable.

One of my favorite network cable testers is the Microscanner Pro by Microtest. The Microscanner Pro can test the network cable for continuity, shorted pairs, and crossed pairs and can determine the length of the cable using a built-in time-domain reflectometer (TDR). The TDR can also determine how far down the cable the fault is located, which can expedite repairing a cabling problem.

While the Microscanner Pro is indispensable when it comes to solving basic network cabling plant problems, more complicated problems require even more specialized equipment. Microtest's PentaScanner is another network cable test unit that can measure the following cabling statistics:

- Near-End Crosstalk (NEXT): NEXT is a condition where the electrical signal from one wire is "leaked" onto another wire and can be caused by crossed or crushed wires. This condition is generally found towards the end of a cable where connectors are attached.
- Attenuation: Attenuation, also known as loss, is the reduction in the strength of the signal on the network cable as a result of long cable distances. (An Ethernet cable run should not exceed 90 meters.)
- Return loss: This is a measurement of "noise" on the network cable. While often not considered in older cabling plant designs, with Ethernet networks being deployed and expected to maintain gigabit speeds, this is becoming a more important factor. Improper connectors or network patch panels that are not up to proper specifications can cause return loss.
- Power Sum NEXT: This is similar to NEXT, but measures the effects of crosstalk from three pairs of cables on the fourth pair.

The recommended ranges for these parameters are dependent on the type of network cabling being used. If you want more information on cabling specifications, read The Siemon Company's whitepaper "De-Mystifying Category 5, 5e, 6, and 7 Performance Specifications."

Final words

When your network experiences a slowdown, make sure the problem is constant and not just a result of peaking or other intermittent issues. If the problem is ongoing, check for these basic causes first. Then, use the tools I suggested to help locate the problem or to help find out if the slowness is a result of cabling problems.


Routing and Design

Dissecting and diagnosing TCP/IP routing ... 55
Discover how routers power internetworks ... 60
Understanding routing tables ... 64
Select the right routing protocol for your network ... 67
Understanding the protocols underlying dynamic routing ... 70
Selecting the best address translation option for your network ... 74
Provide multiple paths between networks with tunneling and NAT ... 77
Learn why NAT can cause VPN connection problems ... 82
IP routing in 40 short steps ... 84
Configuring static and default routing ... 89
Dynamic routing with RIP ... 96
Configuring IGRP routing with redistribution ... 105
Getting to know Open Shortest Path First (OSPF) ... 111
Summarizing IP routes with EIGRP and OSPF ... 119
Configuring OSPF with multiple areas ... 123
Understanding the RIP protocol ... 129
RIP explained: The gory details ... 134
Advanced RIP configuration ... 138
Using RIP on Windows 2000 Server ... 142
Using OSPF on Windows 2000 Server ... 146
Getting autonomous with BGP: How Border Gateway Protocol can help you with routing ... 150
Using the Border Gateway Protocol ... 155
See how BGP and route redistribution can link remote sites ... 159
How FTP port requests challenge firewall security ... 162

Dissecting and diagnosing TCP/IP routing
May 15, 2003
By Robert L. Bogue

Most of us take for granted the complexities of the Internet and even our own intranets when we start up a Web browser and browse the Web. However, in order for the packets to flow from your computer to the server, there are a variety of mechanisms being used by the local computer and its nearest neighbor routers that you should know about. By understanding the process in which a computer can discover routes, you can make better decisions about how to architect your network and how to troubleshoot any routing problems that may arise.

TCP/IP basics

Almost everyone who has been exposed to TCP/IP knows that there are three pieces of information that are mandatory in a networked TCP/IP environment: IP address, subnet mask, and default gateway. The function of the IP address is clear; it is a unique address that refers to the machine, just like a street address refers to a house.

There is, however, a lot more confusion about how the subnet mask and the default gateway are used. The subnet mask, put simply, determines whether the destination host for a packet is local or not. The subnet mask is logically ANDed with the IP address of the local machine and ANDed with the destination IP address. If the result is the same, then the destination is local. If not, it is remote. A logical AND takes each bit and returns a one or a zero. The logical AND only returns a one when both of the bits being ANDed are ones. Logical ANDing is done on a bit-by-bit basis. By ANDing an IP address with a subnet mask, you get only the network portion of the address, and so you can determine if the host is local or not.

If the address is local, TCP/IP uses the address resolution protocol (ARP) to determine the physical address or media access control (MAC) address. Ultimately, communication on a physical network is done by identifying the hardware address for which the packet is intended. It is for this reason that TCP/IP must broadcast to determine the physical address for an IP address. Typically, this represents only a small percentage of the number of packets on the network, because once the address is discovered, it is cached by the local machine.

If, on the other hand, the address is not local, the computer uses a local routing table to determine where it should send the packet. The default gateway is simply a special default entry in the routing table that is used whenever the computer does not have a specific entry in its routing table.

Routing table basics

When every computer boots up, it builds its own routing table. The table is used to determine how to send a packet from its source to the destination. Above, when I mentioned that the subnet mask is logically ANDed to determine whether the address is local or not, I was referring to a small part of the process where the computer consults the routing table to determine what to do with the packets.

Each routing table contains the appropriate entries to push a packet destined for the local network to the ARP protocol for the IP address to be resolved. The same routing table pushes a packet towards a router connected to the local subnet. In the simplest form, the routing table contains entries for:

- Every local adapter
- The networks attached to every local adapter
- Default gateways
- A local loopback address
- A multicast address

In more complicated environments, the routing table would also contain entries for the networks that have routers connected to the local network.
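The two host-side decisions described above, the subnet-mask AND and the routing-table consultation, as a small model. This is an added example, not from the article: the table is constructed for illustration and its addresses are assumptions; the lookup applies the standard rules (the most specific prefix wins, a lower metric breaks ties, and the default gateway is just the entry for 0.0.0.0/0). For a directly attached destination the host ARPs for the destination itself; otherwise it ARPs for the gateway the table names.

```python
"""Is the destination local, and which routing-table entry carries the packet?

Added example. TABLE is constructed; the rules are the standard ones.
"""
import ipaddress


def is_local(local_ip: str, mask: str, dst_ip: str) -> bool:
    """AND both addresses with the mask bit by bit; equal network parts mean same subnet."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(local_ip)) & m) == (int(ipaddress.IPv4Address(dst_ip)) & m)


# (network, next hop or None when directly attached, interface, metric)
TABLE = [
    ("0.0.0.0/0",     "10.55.1.1", "eth0", 20),  # default gateway: matches everything
    ("10.55.1.0/24",  None,        "eth0", 10),  # the locally attached network
    ("10.254.1.0/24", "10.55.1.2", "eth0", 10),  # specific route via a second router
    ("10.254.1.0/24", "10.55.1.9", "eth0", 30),  # same prefix, worse metric (standby)
    ("127.0.0.0/8",   None,        "lo",    1),  # loopback
]


def lookup(dst: str, table=TABLE) -> dict:
    """Pick the entry for dst: longest prefix wins, lowest metric breaks ties."""
    d = ipaddress.IPv4Address(dst)
    matches = [(ipaddress.IPv4Network(net), gw, iface, metric)
               for net, gw, iface, metric in table if d in ipaddress.IPv4Network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, gw, iface, metric = max(matches, key=lambda e: (e[0].prefixlen, -e[3]))
    # Directly attached: ARP for the destination itself. Otherwise ARP for the gateway.
    return {"arp_for": gw or dst, "iface": iface, "prefixlen": net.prefixlen, "metric": metric}


if __name__ == "__main__":
    print(is_local("10.55.1.3", "255.255.255.0", "10.55.1.200"))  # same subnet
    print(is_local("10.55.1.3", "255.255.255.0", "10.254.1.13"))  # remote
    for dst in ("10.55.1.200", "10.254.1.13", "198.51.100.7", "127.0.0.1"):
        print(dst, lookup(dst))
```

Note that the 0.0.0.0/0 entry is chosen only when nothing longer matches, which is exactly how the default gateway behaves as "a special default entry" in the table, and that the same mechanism lets you pin a single host with a /32 route without touching the default.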

The local adapter entries point packets that are destined for a network that is locally attached to the computer. The loopback address entry sends packets back to an internal interface in the computer for processing. The multicast address, although rarely used, routes packets in such a way that they can be sent to multiple destinations simultaneously.

The routing table is reviewed using three criteria. First, the length of the subnet mask is considered. The more specific the entry in the routing table, the more likely that it will be used. This is necessary to allow you to have routes to specific locations as well as default destinations for traffic that has no specific routes. The routes to a destination have a long subnet mask associated with them. The traffic without a route uses the default gateway entry, which has a subnet mask of zero length (0.0.0.0).

The second criterion is the metric associated with the route. This helps determine the cost of the route. It is used to provide standby routes in the event of a primary route loss. In other words, it is used primarily to trigger dial-up backup routes when the main line is cut. In most networks, metrics are not used on PCs. They exist only in the routing tables of the core routers.

The final criterion on a Windows computer is a random order in which items of equal subnet depth and metric are tested. One entry starts at the top of this list and is not bumped from its spot until Windows tries to send it to the gateway and it fails. From that point, the next entry is used until it cannot be reached. This randomness applies only when there are two routes with equal priority. This rarely occurs, unless there are two default gateways. This might occur if you have a local area network and you dial in to the network. Your local area network has a default gateway, as does the dial-up connection.

The building of a routing table

Routing tables are built through local interfaces, static routes, routing protocols, and router discovery messages. The local interfaces are automatically added when they are activated. Static routes are those routes that have been added to the routing table manually. They are added by using the route command.

Routing protocols are used for routers to communicate between one another and learn a complete set of routes. They are typically not used on computers; however, several versions of Windows servers offer some of the basic routing protocols. These protocols are not installed by default, but they can be added, and they can automatically modify the routing table.

The final way that routing tables are updated is by Internet control message protocol (ICMP) redirect messages. This message is sent back from a router when a packet is sent to a router that knows it is not the best route to reach the final destination. These messages cause the computer to add the information about the new router and the route to the routing table. These messages are the reason why a network can have two different routers connected to the same network, leading to different places, with only one default gateway configured.

The making of a redirect message

Redirect messages are sent back to a computer when a router detects that it is receiving a packet from an interface where the best route would send it back out that same interface. Let us say a router has a local interface with an address of 10.55.1.1 (255.255.255.0), and it has a route in its routing table that sends 10.254.1.0 (255.255.255.0) to 10.55.1.2 for further routing. When it receives a packet from a computer on 10.55.1.3 destined for 10.254.1.13, it responds by indicating that 10.55.1.2 is the best route to the destination. The computer adds an entry to its routing table indicating that it should use the router on 10.55.1.2 to reach the host.

In effect, these ICMP redirect messages allow the client computers to be configured with only a single default router, when, in fact, there are several routers on the local network that the computer may have to communicate with in order to reach both internal and external hosts. Redirects are not authenticated, so any machine on the segment can forge one and steer a host's traffic through itself; hosts should at least ignore redirects that do not come from the gateway currently in use or that name a gateway off the local link, and many administrators disable acceptance of redirects outright.

Route and repeat

One of the fundamentals of IP routing is that each device gets the packet closer to the destination. Each router knows a small amount about the IP addresses that are in use on the Internet. These routers route the packet to the best of their ability. The hope is that the destination is closer after the route than before. The process is repeated as the packet is transmitted from router to router until it reaches its destination.

However, this isn't always the case. It is possible for routers to route a packet back and forth between two neighbors. This case, called a routing loop, causes the packet to be bounced back and forth until a special field in the packet, called time to live (TTL), reaches zero.

TTL is decremented by each router before it routes the packet on. When the time to live reaches zero, a response is sent to the originating computer indicating that the time to live has expired. This is the message that ping will show you when a routing loop exists. This technique is used to prevent packets from routing back and forth forever.

Address resolution protocol

Thus far, I've been talking about how packets are routed from one router to another until they reach their final destination. However, you should have a basic understanding of how packets are transmitted on the local network before I explore how to troubleshoot problems.

As I mentioned above, ARP is responsible for associating TCP/IP addresses with the hardware or MAC addresses. All transmissions on a local network can be directed to a single machine or all machines on the network. All transmissions on the network use a hardware address to determine their destination. A special condition exists whereby if a packet is transmitted with all bits in the address set, every machine in the network receives a copy and processes it. This is a broadcast.

The hardware address is technically named a MAC address because the address operates at the media access control layer of the protocol stack. IP addresses live in the network layer of the OSI network protocol model. MAC addresses in an Ethernet environment are six bytes (48 bits) long. They are unique because each vendor is defined with a prefix that is three bytes (24 bits) long. Each vendor is then responsible for keeping hardware IDs with that prefix unique.

The process of resolving a hardware address from an IP address isn't complicated, but it does involve a broadcast packet. The first step is that the computer looks in the routing table and determines that the address is a local address. From there, it transmits a broadcast packet from the appropriate interface. The packet contains the hardware address of the current system and the IP address that is being sought. The system that has the IP address in question responds to the packet by sending a packet back to the originating computer.

Only the first solicitation packet is broadcast and then all of the remaining packets are sent directly between the two computers that are communicating. This is important because switches are a common part of network infrastructure today. They forward packets to computers only if they need to see them. This is in contrast to a hub, which sends all packets to all ports. Because switches send only the necessary packets to each port, they can improve performance on a network by allowing the traffic to exceed the bandwidth of any one port. However, even switches must transmit broadcast packets to every port. When there are a large number of broadcast packets on a network, the value of network switches is reduced.

Once ARP has looked up an IP address, the address is added to the local ARP table. The ARP table is simply a list of IP addresses and their associated hardware addresses. ARP tables are created primarily through the discovery process discussed above, but they can also have static entries added. Like ICMP redirects, ARP replies carry no authentication: any host on the segment can answer for any IP address, which is why ARP spoofing is the usual way to intercept traffic on a switched network, and why static entries are sometimes used for critical hosts such as the default gateway.

One odd thing about ARP is that it is used even when the packet's final destination isn't local. This is because the hardware address of the default gateway must be located. So even if none of the packets are local, ARP will have to be used at least once.

Seeing your ARP table

If you want to see what's happening behind the scenes, you can look at your ARP table by typing:

arp -a

Routing and Design

at the command line. You'll see a response similar to that shown in Listing A.

This shows the machines on the local network that ARP has found and, thus, the hardware addresses that have been resolved. In this case, 10.254.1.247 is a domain controller and 10.254.1.254 is the default gateway on the local network. As you can see, even the default gateway's address gets resolved.

Troubleshooting your routing
There are two basic tools used in the troubleshooting of IP networks. The first tool, which is perhaps the most often used TCP/IP network-testing tool, is ping. It's joined by traceroute, a more informative tool that can help you diagnose the path a packet takes to its destination. On Windows operating systems this is called tracert.

Ping
The ping command, in its simplest form, uses only one parameter. That parameter is the IP address to be pinged. Ping will return one of only a few responses.

The first possible response is the number of milliseconds that it took for the ping command to send a packet to the remote machine and for a response to be returned. If ping responded, then there are no problems with connectivity to the remote device.

The second possible response is No Response. This message is generated when the ping command didn't receive a response to its request. The most likely cause of this is that the device is offline or that a device, such as a firewall, between you and the device will not pass along ICMP messages. Both traceroute and ping use ICMP messages to do their work. This means that neither of the two tools that you typically have at your disposal for resolving TCP/IP problems will function. If the device is local, you should verify its connectivity to the network. If the device is remote, you'll have to investigate what devices are between you and the destination and try to diagnose the problem from the device that isn't allowing ICMP messages to be transmitted.

The third possible response from ping is Destination Host Unreachable. In this case, you either have not specified a valid default gateway, or one of the routers along the path to the destination has lost its connection. This response tells you that the route that should lead to the destination is not working. This is most typically found when the only connectivity to the site is down. If you receive this message, you should follow up by using the traceroute command to determine which router believes the destination is unreachable.

The fourth possible response from ping is Time To Live Expired. This message typically indicates a routing loop where one router sends a packet to its peer and then the peer router sends it back. This generally indicates a routing table problem. You'll need to use the traceroute command to locate the routers that have the problem.

There are other possible responses from ping, such as Hardware Failure. This can occur when you disconnect the network cable during the ping process. However, most of the other messages that can be generated by ping are messages that are not normally associated with the troubleshooting process.

Traceroute
Ping is a great tool; however, it gives a rather limited set of information. Traceroute, on the other hand, can return the complete path that the packet takes on its way to the final destination. The basic execution of the traceroute command is simply the command name followed by the IP address to trace to. In the case of

Listing A

    Interface: 10.254.1.16 on Interface 0x1000004
      Internet Address      Physical Address      Type
      10.254.1.247          00-01-03-d0-b4-8f     dynamic
      10.254.1.254          00-10-5a-07-84-23     dynamic
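The lookup-then-ARP sequence described in the Address resolution protocol section, together with the ARP -a output in Listing A, as an added example that is not part of the original chapter: a Python script that parses arp -a style output (the sample text is constructed from Listing A's addresses), decides whether a destination is on the local subnet or must go through the default gateway, and reports which address would have to be resolved and whether the cached entry answers it or a broadcast ARP request would be needed. The /24 netmask and the destination addresses used in the checks are assumptions; the listing does not state the subnet mask. The last function is a practitioner's sanity check on the table rather than anything the chapter describes.

```python
import ipaddress
import re

# Constructed sample of "arp -a" output on Windows. The interface and the
# two entries are the ones shown in Listing A; nothing else is real.
ARP_OUTPUT = """\
Interface: 10.254.1.16 on Interface 0x1000004
  Internet Address      Physical Address      Type
  10.254.1.247          00-01-03-d0-b4-8f     dynamic
  10.254.1.254          00-10-5a-07-84-23     dynamic
"""

# One table row: dotted-quad IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)

def parse_arp_table(text):
    """Return {ip: (mac, type)} for every table row in arp -a output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def next_hop(dest, local_ip, netmask, default_gateway):
    """The address whose hardware address the sender must know.

    The host first consults its routing table: a destination inside the
    local subnet is delivered directly, anything else is handed to the
    default gateway, which is why the gateway's address gets resolved too.
    """
    local_net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dest) in local_net:
        return dest
    return default_gateway

def resolve(dest, local_ip, netmask, default_gateway, arp_table):
    """Return (next_hop_ip, mac_or_None, how).

    how is "cache" when the ARP table already holds the entry and
    "broadcast" when an ARP request would have to be sent to every host on
    the segment (and out of every switch port, since broadcasts are flooded).
    """
    hop = next_hop(dest, local_ip, netmask, default_gateway)
    if hop in arp_table:
        return hop, arp_table[hop][0], "cache"
    return hop, None, "broadcast"

def ips_sharing_a_mac(arp_table):
    """Group IPs by hardware address. One MAC answering for several IPs is
    normal for a router that owns several addresses, but on a flat LAN it is
    worth a second look, because it can mean a host is answering ARP for
    addresses that are not its own."""
    by_mac = {}
    for ip, (mac, _kind) in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    # Assumed host configuration: the /24 mask is not stated in the chapter.
    table = parse_arp_table(ARP_OUTPUT)
    for target in ("10.254.1.247", "216.37.52.229", "10.254.1.99"):
        print(target, resolve(target, "10.254.1.16", "255.255.255.0",
                              "10.254.1.254", table))
```

Run as a script it prints the three resolutions: the domain controller comes straight from the cache, the remote address resolves to the gateway's cached entry, and the unknown local host would trigger a broadcast.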

Listing B

    Tracing route to penguin.datacenterdaily.com [216.37.52.229]
    over a maximum of 30 hops:

      1    <10 ms    10 ms    10 ms  WEBMASTER [10.254.1.254]
      2    <10 ms   <10 ms    10 ms  adsl-68-23-14-174.dsl.lgtpmi.ameritech.net [68.23.14.174]
      3     20 ms    40 ms    20 ms  adsl-68-23-14-1.dsl.lgtpmi.ameritech.net [68.23.14.1]
      4     20 ms    30 ms    40 ms  dist1-vlan50.ipltin.ameritech.net [67.36.128.226]
      5     10 ms    20 ms    20 ms  bb1-fa2-1-0.ipltin.ameritech.net [67.36.128.115]
      6     30 ms    30 ms    20 ms  sl-gw22-chi-2-0.sprintlink.net [144.228.153.125]
      7     30 ms    20 ms    30 ms  144.232.10.9
      8     30 ms    50 ms    40 ms  sl-st21-chi-14-1.sprintlink.net [144.232.20.86]
      9     30 ms    30 ms    40 ms  204.255.174.153
     10     40 ms    30 ms    40 ms  0.so-3-1-0.XL2.CHI2.ALTER.NET [152.63.71.97]
     11     50 ms    40 ms    30 ms  0.so-7-0-0.XR2.CHI2.ALTER.NET [152.63.67.134]
     12    121 ms    60 ms    60 ms  192.at-6-2-0.CL2.IND6.ALTER.NET [152.63.66.217]
     13     40 ms    60 ms    50 ms  190.ATM7-0.GW5.IND1.ALTER.NET [152.63.68.245]
     14     60 ms    50 ms    50 ms  onecall-POS-core-gw1.customer.alter.net [63.122.162.214]
     15     50 ms    60 ms    50 ms  Obelisk-2-Cedar-Oc3c.Onecall.net [216.37.0.114]
     16     60 ms    50 ms    60 ms  JayQualls-55-60.OneCall.Net [216.37.55.60]
     17     40 ms    50 ms   121 ms  GM-Colo-52-229.OneCall.Net [216.37.52.229]

    Trace complete.

Windows, the command is called tracert; in all flavors of UNIX, it is traceroute. The command will return output similar to that shown in Listing B.

This shows the complete path that is taken for a packet from my private network attached to Ameritech DSL to a system located in One Call Internet's colocation facility. If the utility had returned a list of alternating routers, then you could identify that one or the other of those routers had a configuration problem. Alternatively, you may receive a message indicating Destination Unreachable. This message indicates that the router's path to the destination has been severed.

It's not that complicated
When troubleshooting TCP/IP problems, keep in mind that it's critical that you get the IP address, subnet mask, and default gateway correct. After those few parameters are met, the TCP/IP protocol's infrastructure can begin to help your system reach every other connected computer. The ping and traceroute commands are key to diagnosing your network problems.
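The route-and-repeat behaviour, the TTL countdown that ends a routing loop, and the ping and traceroute responses discussed above, as an added example that is not part of the original chapter: a Python simulation of packet forwarding across a handful of routers with hand-built routing tables. The topology, the router names ISP-A, ISP-B and COLO, and the 172.16.0.0/16 and 192.0.2.0/24 prefixes are constructed for the example; only 10.254.1.0/24, WEBMASTER and the 216.37.52.0/24 destination echo Listing B. forward returns the outcome ping would report and the routers the packet visited; traceroute rebuilds the path the way the real tool does, by probing with TTL 1, 2, 3, ... and noting which router reported Time To Live Expired each time. No ICMP is sent; this models the forwarding logic, it is not a network tool.

```python
import ipaddress

class Router:
    """A router is a name plus routes of (network, next_hop). next_hop is the
    name of a neighbouring router, or DELIVER for a directly attached network."""
    DELIVER = "deliver"

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(net), nh) for net, nh in routes]

    def lookup(self, dest):
        """Longest-prefix match; None means the router has no route at all."""
        addr = ipaddress.ip_address(dest)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]

def forward(routers, first_hop, dest, ttl=30):
    """Hand a packet from router to router until it is delivered, dropped for
    lack of a route, or its TTL runs out. Returns (outcome, path)."""
    path = []
    current = first_hop
    while True:
        router = routers[current]
        path.append(router.name)
        nh = router.lookup(dest)
        if nh is None:
            return "Destination Host Unreachable", path
        if nh == Router.DELIVER:
            return "Reply", path
        ttl -= 1                      # each router decrements TTL before forwarding
        if ttl == 0:
            return "Time To Live Expired", path   # reported by path[-1]
        current = nh

def traceroute(routers, first_hop, dest, max_hops=30):
    """Discover the path hop by hop: each probe carries one more unit of TTL
    than the last, and the router where it expires is the next hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        outcome, path = forward(routers, first_hop, dest, ttl)
        hops.append(path[-1])
        if outcome != "Time To Live Expired":
            return outcome, hops
    return "Max hops exceeded", hops

# Constructed topology. WEBMASTER is the LAN's default gateway; ISP-A and
# ISP-B are provider routers; COLO serves 216.37.52.0/24. The 172.16.0.0/16
# entries are deliberately wrong: ISP-A and ISP-B point at each other, which
# is the routing loop the chapter describes.
TOPOLOGY = {
    "WEBMASTER": Router("WEBMASTER", [("10.254.1.0/24", Router.DELIVER),
                                      ("0.0.0.0/0", "ISP-A")]),
    "ISP-A": Router("ISP-A", [("10.254.1.0/24", "WEBMASTER"),
                              ("172.16.0.0/16", "ISP-B"),
                              ("0.0.0.0/0", "ISP-B")]),
    "ISP-B": Router("ISP-B", [("216.37.52.0/24", "COLO"),
                              ("172.16.0.0/16", "ISP-A"),
                              ("10.254.1.0/24", "ISP-A")]),
    "COLO": Router("COLO", [("216.37.52.0/24", Router.DELIVER)]),
}

if __name__ == "__main__":
    for target in ("216.37.52.229", "192.0.2.1", "172.16.5.5"):
        print(target, forward(TOPOLOGY, "WEBMASTER", target))
        print(target, traceroute(TOPOLOGY, "WEBMASTER", target, max_hops=8))
```

For the looped prefix the traceroute output alternates ISP-A, ISP-B, ISP-A, ... until the hop limit, which is exactly the "list of alternating routers" the text tells you to look for; for the prefix ISP-B has no route to, the trace stops at ISP-B with Destination Host Unreachable, naming the router that believes the destination is unreachable.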

Discover how routers power internetworks
Apr 26, 2001
By Todd Lammle

In this article, I will explain how a router (Layer 3 switching) is used in an internetwork, and I will discuss the details of the Network layer.

Routers have been around commercially since the late 1980s. They were not really prevalent until the early 1990s and have increased their position in the internetwork directly because of the Internet. It is important to understand that routers, in some fashion, will never go away.

What is a router?
Routers are hardware devices that use software to perform routing of packets in an internetwork. Routing is the term used to define the process of taking a packet of data from a device on one network and sending it through the router to another device on a different network. If your network has no routers, then you are not routing. Routers are used within a network to route traffic to all the networks in your internetwork.

In Figure A, notice how both LANs and WANs are connected to a router. This is the main purpose of a router—to break up broadcast domains. By connecting multiple networks to a router, you create an internetwork. The E0, E1, etc., are 10Base-T Ethernet links, and the Fa interfaces are Fast Ethernet connections.

Once you connect networks to a router, you must provide logical addressing to each device so it can communicate on the internetwork. Which brings up a very important point: You must be able to uniquely identify every device on the internetwork, regardless of where these devices are located. This is called logical addressing.

Let's define the difference between a logical address and a hardware address:
- A logical address uniquely identifies a device on an internetwork.
- A hardware (MAC) address uniquely identifies a device on a LAN.

Figure B shows how a device communicates on a LAN using the hardware address of the device and how the same device communicates to another device on the internetwork using a logical address.

Hardware addresses are used to find unique hosts on a LAN. However, if a device on a LAN wants to communicate to a device on another network, it must use its logical address. Typically, this would be Internet Protocol (IP), but it can just as easily be IPX from the Novell stack or Datagram Delivery Protocol (DDP) from the AppleTalk stack, for example.

Figure A: Notice how both LANs and WANs are connected to a router. (Diagram labels: E0, E1, E2, Fa1, Fa2, S0, S1, Internet.)

The benefit of routers
Unlike switches (bridges), routers by default break up broadcast domains. This is a good thing, if the network is designed correctly. (I'll further explain domains in the next section of this article.)

Routers provide security by filtering the network. By placing routers in optimal positions in your network, you can effectively allow and deny packets from being transmitted all over the internetwork. These filters are called access lists.

Routers also provide connection to WAN services. Although many switches allow a card to be placed in the switch to provide this service, this is a Layer 3 technology, and a router or Layer 3 device is needed to provide WAN connection services.

Figure B: Devices communicate on a LAN using the hardware address of the device. (Diagram labels: "Send packets via IP address", "Communicate on local network using MAC addresses in a frame", interfaces E1 and E2.)

Routers break up broadcast domains
You probably know about collision domains and how switches break up collision domains by default. However, switches create one large broadcast domain.

A collision domain is defined as a network segment that shares bandwidth with every device connected to this particular segment. If one device transmits, all other devices on this segment must listen and not transmit. If a second device does transmit at the same time, a collision occurs. By using switches, we can create individual collision domains, but if one host sends any type of broadcast, all segments connected to the switch must listen. To break up broadcast domains in a Layer 2 switched internetwork, you have two options: routers or Virtual LANs (VLANs).

Routers plug in to a hub or switch port, and every device connected to that hub or switch is in the same physical broadcast domain. For any device to transmit data to another host on a different network (broadcast domain), the devices must be configured with logical network addresses. If not, only local communication can take place.

Designing broadcast domains is the key to success in any network design and implementation. Typically, a broadcast domain should be created by groups of users that share the same network resources. This is not always possible with routers because network broadcast domains are created by physical location. Take a look at Figure C. Notice that each floor has its own switch and that each switch is connected to the router on the first floor. This is a good design that has worked well for many years.

Also in Figure C, notice how each floor holds a different department. Everything works well since each floor is its own broadcast domain. However, problems can occur if you have to place users from one department into the wrong broadcast domain.

What if, for example, a salesperson is hired to work with the sales team, but the second floor has no room for the new salesperson? The accounting department, which sits on the first floor, has plenty of room, and this new salesperson now sits on the first floor. Where do you plug in the computer for this new salesperson? This salesperson's computer is placed physically into the accounting department's broadcast domain. For this salesperson to reach the network resources for the sales department, his or her information must go through the router. This can cause latency, which is the measurement of time that a packet takes to get from a transmitting device to a receiving device. This is not the biggest problem, however. When the sales server, which sits on the second floor, broadcasts application information designed to provide network services to the sales force, the salesperson on the first floor does not see the broadcast.

To solve this problem, you could make the accounting department's broadcast domain part of the sales department's broadcast domain by connecting the two networks together without the router, but that would defeat the purpose of creating broadcast domains for better network response time and security. Do you really want all those salespeople on the same network as the accountants? Another solution may be to run a cable to the second floor switch so that the new salesperson is plugged in to the right network. A third solution would be to add another switch on the first floor that plugs in to a fourth router interface, which would create a new broadcast domain. The salesperson would have to go through the router to send and receive any information via computer, but at least the computer would not be part of the accounting broadcast domain.

All of the solutions I provided above are terrible! You're probably saying, "There has got to be a better way," and there is. If you have a business requirement problem of creating broadcast domains by physical location, you can instead create Virtual LANs (VLANs) with Layer 2 switches. A VLAN is a broadcast domain created in a Layer 2 switched internetwork.

The beauty of VLANs is that you do not have to create broadcast domains by physical location like you do with routers. You can create VLANs by assigning any switch port, on any switch in your internetwork, to any VLAN. Figure D shows how our network could look if we used VLANs instead of router interfaces to break up our broadcast domains.

Figure C: The first floor holds the finance department, the second floor holds the sales department, and the third floor holds the marketing department. (Diagram labels: Marketing LAN (Collision/Broadcast Domain), Sales LAN (Collision/Broadcast Domain), Finance LAN (Collision/Broadcast Domain), router interfaces E0, E1, E2.)

Figure D: This is how a network might look if we used VLANs to break up our broadcast domains. (Diagram labels: Marketing LAN (Broadcast Domain), Sales LAN (Broadcast Domain), Finance LAN (Broadcast Domain).)

Notice that each floor has a salesperson, marketing person, and accounting person, and each person is in the appropriate broadcast domain. Although you can still create broadcasts by physical location with VLANs, the solution I showed you here is the most typical configuration. This is dependent solely on the business requirements, however.

Do you still need routers if you are using VLANs? Absolutely! For the broadcast domains to communicate, a Layer 3 device is needed. There are a few different ways to configure the router for inter-VLAN communication, but we won't cover this here. Just understand that you need a router, or Layer 3 card in a switch, for a device on each VLAN to communicate to another device in a different VLAN.

Routers are packet switches!
Routers are called routers because their main purpose in life is to route data from one network to another network. To be able to move data, however, a router must switch packets of information from the interface it was received on to the destination exit interface. This is called packet switching.

Obviously, this is different from frame (LAN) switching. Frame switching uses only the hardware destination address found in the frame header to find the exit port on the switch. A router uses the logical destination address found in the packet header to find the exit interface on the router.

Routers create maps of the internetwork
By running routing protocols, the router learns about remote networks from neighbor routers. The router then builds a routing table that describes how to find the remote networks. If the network is directly connected, the router already knows how to get to the network. If the networks are not attached, the router must learn how to get to the remote network with either static routing—which means that the administrator must manually type all network locations into the routing table—or the administrator can turn on dynamic routing.

Dynamic routing is used to allow routers to broadcast information about all the networks known by this transmitting router to neighboring routers. The receiving router (or routers), in turn, will add these routes to its own routing table and then broadcast this information to its neighbors, which will add the routes to their routing tables. Any changes that occur in the network are automatically propagated to all routers through a routing protocol such as RIP, IGRP, or OSPF. If a router is not running a routing protocol but static routing instead, the administrator has to make all changes to all routers by hand.

The routers can only send packets to remote networks by looking at the routing table and finding out how to get to the remote networks. What happens when a router receives a packet with a network that is not listed in the routing table? It discards it! It doesn't send a broadcast looking for the remote network—the router just throws it out. Period.

Conclusion
Routers are an important part of the Internet and any medium- to large-size network. By understanding the configuration of the different protocols used with routers, you prepare yourself for a promising and prosperous career; however, studying and getting as much hands-on experience as you can is a must before working on large, corporate-routed networks.
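The collision-domain, broadcast-domain and VLAN discussion above (the three-floor building, the misplaced salesperson, and the point that frame switching looks only at the hardware destination address while inter-VLAN traffic needs a Layer 3 device), as an added example that is not part of the original article: a Python model of a Layer 2 switch that learns MAC addresses per port, floods broadcasts and unknown destinations only to ports in the same VLAN, and never crosses VLANs. Port numbers, VLAN IDs and MAC addresses are constructed; the MACs come from the 00-00-5E-00-53-xx range that RFC 7042 reserves for documentation.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"   # all bits set: every station in the domain processes it

class Switch:
    """Minimal Layer 2 switch. Each port belongs to one VLAN, and a VLAN is a
    broadcast domain: the switch only ever forwards a frame to ports in the
    VLAN it arrived on. With no VLANs configured every port is in VLAN 1,
    which is the one large broadcast domain a plain switch creates."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port number -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port it was learned on

    def receive(self, in_port, src_mac, dst_mac):
        """Switch one frame; return the sorted list of egress ports."""
        vlan = self.port_vlans[in_port]
        # Frame switching learns the source from every frame it sees...
        self.mac_table[(vlan, src_mac)] = in_port
        domain = [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]
        # ...and uses only the hardware destination address to pick the exit port.
        if dst_mac == BROADCAST or (vlan, dst_mac) not in self.mac_table:
            return sorted(domain)            # flood the whole broadcast domain
        out_port = self.mac_table[(vlan, dst_mac)]
        return [] if out_port == in_port else [out_port]

# Constructed station addresses (RFC 7042 documentation range).
SALES_SERVER = "00:00:5e:00:53:01"
NEW_SALESPERSON = "00:00:5e:00:53:02"
ACCOUNTANT = "00:00:5e:00:53:03"

def flat_switch():
    """One broadcast domain: ports 1-4 all in VLAN 1 (no VLANs configured)."""
    return Switch({1: 1, 2: 1, 3: 1, 4: 1})

def vlan_switch():
    """Ports 1-3 carry the sales VLAN (20), port 4 the finance VLAN (10), so
    the new salesperson on port 3 is in the sales broadcast domain even
    though the port is physically on the finance floor."""
    return Switch({1: 20, 2: 20, 3: 20, 4: 10})

def broadcast_reach(switch, in_port, src_mac):
    """Ports that receive a broadcast sent in on in_port."""
    return switch.receive(in_port, src_mac, BROADCAST)

if __name__ == "__main__":
    print("flat switch, sales broadcast reaches:", broadcast_reach(flat_switch(), 1, SALES_SERVER))
    print("VLAN switch, sales broadcast reaches:", broadcast_reach(vlan_switch(), 1, SALES_SERVER))
```

On the flat switch the sales server's broadcast lands on every other port, accountants included; on the VLAN switch it reaches only the two other sales ports. The accountant's port cannot reach the sales server at all, even with the server's MAC in hand, because the switch never looks past its own VLAN; that is the gap a router or Layer 3 card has to bridge.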

Understanding routing tables
May 23, 2001
By Debra Littlejohn Shinder, MCSE

Routing, a.k.a. packet forwarding, is a wonderful thing. It enables a computer to communicate with other computers that are not on the same network or subnet. What vehicles do for human transportation, routers do for computer communications—without them, we would be stuck in our own "neighborhood," able to interact only with those who live close by.

Most network administrators have at least a basic idea of how IP routing works. A router (either a dedicated device or a multihomed computer configured for IP forwarding) is connected to at least two networks and makes decisions about where to send the packets it receives based on the destination address. Routers connect multiple networks or subnets in an internetwork.

But how does the router determine where a packet with a particular destination address should be sent? One way is by using dynamic routing protocols, such as the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF), which automatically create and update a database, or routing table. Another way is by static routing, consulting a manually created routing table in which an administrator has entered a series of routes, each of which contains information about how to get to a specific network ID within the internetwork.

In this article, I will discuss how routing tables are used, the information they contain, and how to view and configure a static routing table.

How routing tables work
Static routing uses a routing table that has been preconfigured manually; all entries will remain the same unless they are changed manually. This works fine if all machines remain on the same subnet and always have the same IP address (and assuming all routers remain functional). Unfortunately, this ideal set of circumstances doesn't always apply. Dynamic routing protocols allow routers to get information from other (peer) routers on the network in order to update routing table entries without human intervention.

Whichever way the table is built, when a router or host computer on which IP forwarding is enabled sends an IP datagram, it must determine which physical interface address to use. (Remember that it is connected to at least two networks, with a separate interface to each network.) If the packet is destined for an address on a subnet to which it is not connected, it will use the routing table to determine that the packet should be sent to a gateway. The routing table contains the (logical) IP address of the gateway. The Address Resolution Protocol (ARP) will then use the IP address to determine the physical (MAC) address of the gateway. The datagram will be forwarded from router to router until it eventually reaches the router that is connected to the destination subnet or host.

DEFAULT GATEWAY
A gateway is the entrance point to another network. A default gateway is the address to which packets are sent if there is no specific gateway for a given destination listed in the routing table.

The default gateway is important because it is generally not feasible for all hosts to maintain knowledge of the routes to all other networks on the internetwork. The hosts can set a particular router as their default gateway, and only that router must maintain the routes to remote network IDs. However, if there are networks that are heavily used (a large number of packets are destined for those networks), you can manually add routes for them to the routing tables to optimize the process.

Routing tables can be maintained by individual host computers as well as by routers.

Routing table entries
Each entry in the routing table defines a route. The routing table will contain at least one entry: the default route. This route typically forwards the datagram to the default gateway for the local subnet. There are two other types of routes:
- Network routes
- Host routes

Network routes are entries that contain information on how to reach a specific network ID (a network or subnet) within the internetwork. A host route provides information for reaching a particular node or host on a particular network or subnet.

A typical IP routing table entry contains the following information:
1. Network ID or host route internetwork address.
2. Subnet mask (netmask), used to determine the network ID from the IP address.
3. Forwarding address or gateway. (This may be the address of the network interface that is attached to the network, if the address is on a network/subnet to which the router is directly attached.)
4. Port number (or other logical identifier) of the network interface used to forward packets to the network ID.
5. The metric, which is a number that indicates the preference level or priority of a particular route (with the lowest metric usually indicating the most preferred route). The metric indicates the cost of using a particular route; usually it is expressed as the number of hops (the number of routers that must be crossed) to reach a particular destination.

In addition to the default route, the routing table may contain routes to the loopback network address (127.0.0.0), the local network, the local IP address of the host, and multicast and broadcast addresses. A multihomed computer (one with multiple network interfaces) will have the above entries for each interface.

Viewing and configuring the routing table
The commands used to view and create entries in the routing table depend on the router being used and the operating system it is running. For example, Cisco routers use the IOS; operating systems such as Windows 2000 and UNIX have routing functionality built into the operating systems.

Our examples will use a Windows 2000 multihomed server. There are two ways to view the routing table; the first uses the GUI, and the second uses the command line.

To use the GUI, select Start | Programs | Administrative Tools | Routing And Remote Access. In the RRAS console, expand the server name in the left pane, expand the IP Routing node, and right-click Static Routes. Choose Show IP Routing Table from the context menu, as shown in Figure A. The routing table will be displayed, as shown in Figure B.

Figure A: In Windows 2000, you can view the IP routing table using the RRAS console.

Figure B: Routing table entries for the multihomed Windows 2000 server are displayed.

You can add a new static route by selecting New Static Route from the context menu shown in the first figure. You will be prompted to select the interface for which you want to add a route, the destination address, mask, and gateway, and to set a metric. (The default metric is 1.)

REFRESH
You can refresh the routing table by right-clicking anywhere in the table and selecting Refresh.

To view the routing table via the command line (cmd at the Start | Run box), type route print at the command prompt. This will display the active routes, as shown in Figure C.

Figure C: You can display the routing table at the command line using the Route Print command.

You can perform many administrative tasks with the Route command. Typing route will display a list of switches and associated commands. Use the Add, Delete, and Change commands to add a new route to the table, remove an existing route, or modify a route entry.

ROUTE COMMAND MISSING
Note that the route command will not be available at the Windows 2000 command prompt unless the TCP/IP protocol is installed.

See Listing A for the syntax of the route command. If no subnet mask is specified, the default 255.255.255.255 will be used.

Listing A: Route command syntax

    ROUTE [switch] [command] [destination IP address] [MASK subnet mask] [gateway] [METRIC cost metric from 1 to 9999] [IF interface]

Summary
Routing is essential to the functioning of today's internetworks, including the biggest one of all, the global Internet. Routing tables, which can be built manually or created and updated by dynamic routing protocols, are used by routers to determine where to send an IP datagram next in order to further its journey toward its destination. In this article, I discussed how routing tables work, the information they contain, and how to view and manually configure a static routing table on a Windows 2000 multihomed server configured to function as a router.
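The five fields of a routing table entry listed above, the default route, the route print output and the ROUTE ADD syntax in Listing A, and the earlier article's point that a router with no matching route simply discards the packet, as an added example that is not part of the original articles: a Python script that parses a constructed route print listing from a two-NIC Windows 2000 server (the addresses, the second adapter and the static route to 10.2.0.0 are invented), performs the longest-prefix lookup with lowest-metric tie-breaking, and imitates ROUTE ADD's defaults, including the 255.255.255.255 mask assumed when none is given. The interface-selection rule in route_add (use the interface that already reaches the gateway) is this example's own simplification, not a documented rule of the Windows command.

```python
import ipaddress
import re

# Constructed "route print" output for a multihomed Windows 2000 server with
# NICs 10.254.1.16 (default gateway 10.254.1.254) and 192.168.50.1. The
# 10.2.0.0 entry is a static route added by hand with a metric of 2.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.254.1.254     10.254.1.16       1
         10.2.0.0      255.255.0.0   192.168.50.254    192.168.50.1       2
        10.254.1.0    255.255.255.0      10.254.1.16     10.254.1.16       1
       10.254.1.16  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.50.0    255.255.255.0     192.168.50.1    192.168.50.1       1
     192.168.50.1  255.255.255.255        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.254.1.16     10.254.1.16       1
  255.255.255.255  255.255.255.255      10.254.1.16     10.254.1.16       1
Default Gateway:      10.254.1.254
"""

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_ROW = re.compile(rf"^\s*({QUAD})\s+({QUAD})\s+({QUAD})\s+({QUAD})\s+(\d+)\s*$")

def parse_route_print(text):
    """One dict per row, holding the fields a routing table entry carries:
    network (ID plus mask), gateway, interface and metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gateway, interface, metric = m.groups()
            routes.append({
                "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": gateway,
                "interface": interface,
                "metric": int(metric),
            })
    return routes

def lookup(routes, dest):
    """Most specific route wins (host route over network route over default);
    among equally specific routes the lowest metric is preferred. Returns
    None when nothing matches, which is when the datagram is discarded."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def next_hop(routes, dest):
    """(gateway, interface) the datagram is handed to, or None if discarded."""
    route = lookup(routes, dest)
    return None if route is None else (route["gateway"], route["interface"])

def route_add(routes, dest, gateway, mask=None, interface=None, metric=1):
    """Imitate ROUTE ADD dest [MASK mask] gateway [METRIC metric] [IF interface].
    Without MASK the host mask 255.255.255.255 applies; without IF this
    example picks the interface that already reaches the gateway (an
    assumption made for the example, not documented Windows behaviour)."""
    network = ipaddress.ip_network(f"{dest}/{mask or '255.255.255.255'}", strict=False)
    if interface is None:
        via = lookup(routes, gateway)
        interface = via["interface"] if via else gateway
    routes.append({"network": network, "gateway": gateway,
                   "interface": interface, "metric": metric})
    return routes

def without_default_route(routes):
    """The same table minus 0.0.0.0/0, to show what a missing default costs."""
    return [r for r in routes if r["network"].prefixlen > 0]

if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for target in ("10.254.1.99", "10.2.7.7", "216.37.52.229"):
        print(target, "->", next_hop(table, target))
    print("no default route:", next_hop(without_default_route(table), "216.37.52.229"))
```

Reading the results against the article: the on-link address goes out the NIC directly (gateway equals interface), the 10.2.0.0 traffic takes the hand-added static route because its /16 is more specific than the default, an Internet address falls through to the default gateway, and with the default route removed the same address gets None, which is the discard the previous article describes.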

66 Administrator’s Guide to TCP/IP,Second Edition Select the right routing protocol for your network Jan 4, 2002 By David Davis, MCSE+I, CCNP, SCSA any of us work on networks we X Doesn’t support a variable-length subnet didn’t have the luxury of design- mask (VLSM), which means that it sends M ing—with routing protocols we routing updates based only on a fixed- weren’t given the chance to choose. But you length subnet mask (FLSM) or routes that may be starting a new network, or you may fall on classful boundaries. Thus, RIP V1 have the opportunity to redesign your existing will not work with a network that has been one. If you’re tasked with selecting the best subnetted beyond the normal /8, /16, /24 routing protocol for your network, which will (255.0.0.0, 255.255.0.0, 255.255.255.0) or you choose? Class A, B, and C network boundaries While there is often a “right tool for the X Converges slowly, especially on large job,” all routing protocols have their strengths networks and weaknesses, and I don’t believe that there is a clear-cut best routing protocol that is the X Doesn’t have knowledge of the bandwidth right tool for every network. Thus, to help you of a link select the most appropriate routing protocol X Doesn’t support multiple paths for the for your network, I am going to examine the same route pros and cons of the best-known routing pro- X Routing updates can require significant tocols and offer some guidance on when it bandwidth, as the entire routing table is makes sense to use one or the other. 
sent when a link’s status changes RIP V1—Routing Information X Prone to routing loops Protocol Origin: Based on RFC 1058 RIP V2—Routing Information Type of protocol: Distance vector, based on Protocol Origin: Based on RFC 1388 the Bellman-Ford distance vector algorithm Type of protocol: Distance vector, based on Metric: Hop count the Bellman-Ford distance vector algorithm Methodology: Selects routers with the lowest Metric: Hop count hop count; updates other routers by broadcast- ing the entire routing table to all routers every Methodology: Selects routers with the lowest 30 seconds hop count; updates other routers by multicast- ing the entire routing table to all routers every Ideal topology: Smaller networks that aren’t 30 seconds very dynamic, have fewer than 15 hops, and are not subnetted from classful boundaries Ideal topology: Smaller networks that aren’t (see Weaknesses) very dynamic, have fewer than 15 hops Strengths: Strengths: X Easy to configure and use X Easy to configure and use X Since it has been around so long, it is well X Since it has also been around so long, it is known and widely used well known and widely used Weaknesses: X Version 2 adds support for VSLM or X Limited to a hop count of 15; after a packet Classless Internet Domain Routing travels through 15 routers and still has another (CIDR), MD5 Authentication, and route router to travel to, it will be discarded summarization

Routing and Design 67
Weaknesses:
- Limited to a hop count of 15; after a packet travels through 15 routers and still has another router to travel to, it will be discarded
- Converges slowly, especially on large networks
- Doesn't have knowledge of the bandwidth of a link
- Doesn't support multiple paths for the same route
- Routing updates can require significant bandwidth, as the entire routing table is sent when a link's status changes
- Prone to routing loops

IGRP—Interior Gateway Routing Protocol
Origin: Based only on Cisco's implementation, not an Internet RFC
Type of protocol: Distance vector, based on the Bellman-Ford distance vector algorithm
Metric: Delay, bandwidth, reliability, and load
Methodology: Sends hello packets every five seconds to neighbors to see if the neighbor is still available; updates other routers by notifying them only when routes change
Ideal topology: Any network, small to very large; all routers must be from Cisco. Cannot subnet a network beyond classful boundaries
Strengths:
- Easy to configure and use
- Uses the delay, bandwidth, reliability, and load of a link as its metric. This makes it very accurate in selecting the proper route
Weaknesses:
- Not an Internet standard; all routers must be from Cisco Systems
- Converges slowly; slower than RIP
- Doesn't support VLSM
- Prone to routing loops

DEFINITION
Convergence: The process that a routing protocol goes through to alert all routers on the network of the next available path when the primary path becomes unavailable.

EIGRP—Enhanced Interior Gateway Routing Protocol
Origin: Based only on Cisco's implementation, not an Internet RFC
Type of protocol: Hybrid distance vector
Metric: Delay, bandwidth, reliability, and load, using the Diffusing Update Algorithm (DUAL)
Methodology: Sends hello packets every five seconds to neighbors (can interoperate with IGRP) to see if the neighbors are still available; updates other routers by notifying them only when routes change
Ideal topology: Any network, small to very large; all routers must be Cisco
Strengths:
- Uses DUAL to provide very quick convergence and a loop-free network
- Supports IP and IPX
- Requires less CPU than OSPF (see next section)
- Requires little bandwidth for routing updates
- Supports VLSM or CIDR
- Uses the delay, bandwidth, reliability, and load of a link as its metric; this makes it very accurate in selecting the proper route
- Offers backward compatibility with IGRP
Weaknesses:
- Not an Internet standard; all routers must be from Cisco Systems

OSPF V2—Open Shortest Path First [Note that version 1 of OSPF was never implemented.]
Origin: Based on RFC 2328
Type of protocol: Link-state, runs the Dijkstra algorithm to calculate the shortest-path first (SPF) tree
Metric: Calculates the cost to traverse router links to get to the destination, taking the bandwidth of the links into account
Methodology: Develops adjacencies with its neighbors, periodically sending hello packets to neighbors, flooding changes to neighbors

68 Administrator's Guide to TCP/IP, Second Edition
when a link's status changes, and sending "paranoia updates" to neighbors every 30 minutes of all recent link state changes
Ideal topology: Any network, small to very large
Strengths:
- Converges quickly, compared to a distance vector protocol
- Routing update packets are small, as the entire routing table is not sent
- Not prone to routing loops
- Scales very well to large networks
- Recognizes the bandwidth of a link, taking this into account in link selection
- Supports VLSM or CIDR
- Supports a long list of optional features that many of the other protocols do not
Weaknesses:
- More complex to configure and understand than a distance vector protocol

Final word
Just to clarify this comparison, one way routing protocols are classified is according to how they are used. Interior routing protocols are used within a single domain on your interior network. Also called an Interior Gateway Protocol (IGP), this is the type of routing protocol you usually think of using for your internal network. The protocols we looked at in this article are all IGPs. Note that I omitted a few of the lesser-known interior routing protocols to keep the discussion reasonably short. These include IS-IS, NLSP, RTMP, and IPX RIP.
Another type of routing protocol is an exterior routing protocol, or Exterior Gateway Protocol (EGP). These protocols maintain routing information for networks that are external to your network. An EGP doesn't know how to deliver data within your network, just how to deliver data outside your network. While a variety of IGPs are currently used, about the only EGP in use today is the Border Gateway Protocol (BGP). This is the routing protocol of the Internet.
From talking with administrators who manage a variety of networks, the consensus is that OSPF is becoming the most popular interior routing protocol today. I would recommend OSPF or EIGRP for any new network, based on their popularity, flexibility, and fast convergence. Of course, the choice is yours based on the requirements of your network. This article should help you get a better understanding of your options.

Additional references
- Cisco: An Introduction to IGRP (www.cisco.com/warp/public/103/5.html)
- Cisco: OSPF Design Guide (www.cisco.com/warp/public/104/1.html)
- Cisco Press: Routing TCP/IP Volume I, by Jeff Doyle
- Cisco Press: Routing TCP/IP Volume II, by Jeff Doyle
- Cisco Certification: Bridges, Routers, & Switches for CCIEs, by Andrew Bruce Caslow and Val Pavlichenko
- Network Computing: "Choosing an Interior Gateway Protocol" (www.networkcomputing.com/1021/1021ws2.html)
- RIP V1: RFC 1058
- RIP V2: RFC 1388
- OSPF V2: RFC 2328

Understanding the protocols underlying dynamic routing
Jul 24, 2001
By Lance Cockcroft, MCSE, MCT, CCA, CCNP

Dynamic routing occurs through the router's use of one or more routing protocols. This article will discuss the use of routing protocols and the details associated with their operation, as well as how they enable routers to dynamically discover routes.

What are routing protocols?
Routing protocols are simply a set of procedures and languages that a router uses to communicate routing information with other routers. The advantage to using a routing protocol is the ability to adapt to changing network topology. A properly working routing protocol will respond to a change in the network by notifying other routers of the change, as well as finding an alternate route around the change or failure. Many routing protocols discover not only the best path but also backup or redundant routes to remote networks to use as a backup or for load balancing.
Most of today's routing protocols can be categorized in one of two classes: distance vector or link state. Protocols are considered distance vector or link state based on the algorithm used to find the best route between two networks.

Distance vector
Developed by Bellman and Ford, this class of protocols is sometimes referred to as the Bellman-Ford algorithm. Distance vector protocols can be distinguished by the fact that these routing protocols advertise distance and vector information for each network and use this information to update their routing tables. Typically, distance vector protocols broadcast their entire routing table to all connected neighbors with all advertisements.
In Figure A, router A will advertise all known networks to router B; router B will then advertise those networks as well as all other known networks to router C. Router C has learned of network A through router B and has never communicated directly with router A. Because routers learn routes from their neighbors and not directly from the source, distance vector routing is sometimes called routing by rumor.

Link state
Link state protocols rely on information gathered directly from the source for a particular network. Link state routers send out network updates to all neighbors, and each neighbor then forwards the update out to each of its own neighbors. Link state routers compile this information to build a map of the entire internetwork. Distance vector protocols simply remember the next hop to reach a destination, whereas link state protocols maintain a complete map of the network.
There are eight common dynamic routing protocols in use today, each with its own strengths and weaknesses. What makes routing protocols different is the algorithm that each uses. An algorithm is simply a set of procedures used for various tasks; therefore, what makes one routing protocol different from others is simply the procedures used to perform the various tasks that all routing protocols must perform. Routing protocols do not differ in what they do; they only differ in how they do it. At the very least, each routing protocol must discover the best route to all networks, recover from network topology changes, and prevent routing loops. Routing protocols accomplish these tasks by exchanging information with other routers on the internetwork.

Exchanging information
All dynamic protocols must have some methods for exchanging routing information with other dynamic routers. Initially, routers will begin to exchange information about networks that they are directly connected to. For example, in Figure B, router A is only aware of network 192.168.1.0, which is

directly attached to router A's Ethernet interface. Router A will advertise network 192.168.1.0 to router B. Once received, router B will record in the routing table that packets destined for the 192.168.1.0 network should be forwarded to 192.168.2.1. Router B knows that 192.168.2.1 can be reached by its serial interface because it is a directly attached network. Router C will advertise its own network, 192.168.5.0, to router B. Router B will record this new information in the routing table, as well. Router B will then advertise both networks 192.168.3.0 and 192.168.5.0 to router A and networks 192.168.3.0 and 192.168.1.0 to router C. Routers A, B, and C all now have knowledge of all networks on the internetwork and how to reach each one.

Figure A (diagram; labels partly lost): three routers in a row joined by networks 10.1.2.0, 192.168.1.0, and a network whose label survives only as .1.1.0, all with mask 255.255.255.0. Caption: Distance vector protocols rely on their directly connected neighbors to provide information regarding the internetwork.

Figure B (diagram): Router A (E0 on network 192.168.1.0; S0 192.168.2.1), Router B (S0 192.168.2.2; network 192.168.3.0; T1 192.168.4.1), Router C (T1 192.168.4.2; network 192.168.5.0).

Addressing
When a router first comes online, it has no knowledge of what other networks or routers it is connected to, so how does it know whom to exchange data with? A router simply sends routing updates to either the broadcast address 255.255.255.255 or a multicast address reserved for that routing protocol. This ensures that all routers receive the routing updates.

Update information
Routers not only advertise network addresses; they also must advertise specific information regarding each destination network. Information that a router announces with each network includes whether that network is a locally attached or a remote network. Depending on the routing protocol in use, there are many additional parameters that are used to describe a route to a particular network.
When there are multiple routes to the same destination, routers need some mechanism for choosing the best route. Routing protocols use two variables, administrative distance and the metric, to discover the best route.

Administrative distance
Administrative distance has nothing to do with distance, as the name implies. Administrative distance is used to rate the validity of routes discovered by a particular routing protocol and is only used when there are multiple routing protocols in use on the network. Consider a network that is running both Routing Information Protocol (RIP) and EIGRP. Both routing protocols discover different routes to the same network. Which route should the router use? The router will use the route advertised by the routing protocol with the lowest administrative distance; EIGRP, in this case. See Table A for a list of routing protocols and their default administrative distances.

Table A: Default administrative distances for routing protocols
Route source                   Default distance
Connected interface            0
Static route                   1
Enhanced IGRP summary route    5
External BGP                   20
Internal Enhanced IGRP         90
IGRP                           100
OSPF                           110
IS-IS                          115
RIP                            120
EGP                            140
External Enhanced IGRP         170
Internal BGP                   200
Unknown                        255

Metric
When there are multiple routes to the same destination with the same administrative distance, the metric is used as a mechanism to discover the best route. Each routing protocol has its own way of finding the best route based on its metric or metrics. RIP, for example, defines the best route as being the route with the fewest hops; however, EIGRP uses a formula that takes into account the delay, bandwidth, and many other metrics. To understand the importance of metrics, consider the network shown in Figure C. Router A can reach network C via 192.168.2.2 or 192.168.6.2. RIP will choose the next hop address of 192.168.6.2 to reach network C; however, EIGRP would choose 192.168.2.2 as the next hop for network C. Each protocol would choose a different path because of the differences in how they use metrics to calculate the best route. Below is a list of commonly used metrics used by routing protocols to dynamically discover the best route.
- Hop count: The hop count is simply the number of routers that a packet must traverse to reach the destination network. Each time a router advertises a network number, it also lists the number of hops away the network is from the advertising router. For example, router B will advertise network 192.168.5.0 with a hop count of 1 and will advertise network 192.168.3.0 with a hop count of 0. When router A receives the update, it will increment all the hop counts by 1. Router A will record in the routing table that network 192.168.5.0 is two hops away and that the next hop is 192.168.2.2.
- Bandwidth: The bandwidth parameter is simply the bandwidth supported by a link between two routers.
  Bandwidth by itself is not a very good metric because it does not take into account the delay introduced for a link or the load on a particular link. The fastest link is not the best if the circuit is constantly at saturation limits (Load) or if the router at the other end of the link is too busy to accept additional packets (Delay).
- Delay: The delay identifies the amount of time it takes a packet to traverse a path from start to finish. The delay includes not only the transmission speed of the media but also the latency introduced at each router along the path. Delay sometimes may not be calculated but instead will be the combination of static numbers based on the interfaces used along the path. Ethernet interfaces, for example, would be considered to have a lower delay than an ISDN interface.

Figure C (diagram): Router A (E0 on network 192.168.1.0; S0 192.168.2.1; ISDN 192.168.6.1), Router B (S0 192.168.2.2; network 192.168.3.0; T1 192.168.4.1), Router C (T1 192.168.4.2; ISDN 192.168.6.2; network 192.168.5.0). Caption: The use of metrics allows router A to discover which route to network C is best.

- Load: The load metric describes the percentage of bandwidth that is currently used on the circuits along the route. Load is normally displayed as a fractional percentage of 255. For example, a 50 percent load would be displayed as 128/255.
- Reliability: The reliability metric describes how reliable a link is, based on past performance of the link as well as the current number of errors a link has had in a specified amount of time. The network administrator can also statically configure the reliability metric.
- Cost: Cost is a generic term used to describe a particular route. The route with the lowest cost is generally the route used. EIGRP, OSPF, and IGRP, for example, all use the bandwidth, delay, and load metrics. Each metric is used as a variable within an algorithm (formula) in order to figure the cost associated with the route. This is the formula used by IGRP to calculate the cost:

    Cost = [K1*BANDWIDTH + (K2*BANDWIDTH)/(256-LOAD) + K3*DELAY] * K5/(RELIABILITY + K4)
    METRIC = COST

Caution: The terms metric and cost are often used interchangeably.

Update process
There are two types of routing information updates: the periodic update and the triggered update. Each routing protocol performs updates differently from others; however, all routing protocols can be categorized as performing periodic updates or triggered updates.

Periodic updates
The periodic update is performed once in each configured time span (update interval), regardless of network status. The default update interval can vary from 10 seconds to 90 seconds or more, depending on the routing protocol and the configuration. The update interval can usually be changed. Typically, the update contains the entire routing table of the advertising router. Periodic updates are sent every interval, even if nothing on the network has changed. When a router detects a change on the network, it will wait until the next update interval before sending the changed information. Legacy distance vector protocols use periodic updates as their update method. To prevent the wasteful use of bandwidth for unneeded updates and to speed the detection of changes on the network, more modern routing protocols use triggered updates.

Triggered updates
Unlike periodic updates, triggered updates are sent only when a change is detected on the network, and only the changed information is sent, not the entire routing table. The use of triggered updates and the process of only sending information regarding the change instead of the entire routing table better utilizes available network bandwidth, as well as optimizing router processor use. Triggered updates also allow routers to learn of new changes faster, since updates are sent out as soon as a change is detected, allowing for faster convergence. Link state protocols typically use triggered updates as their update method.

Convergence
Convergence is a term used to describe a network in which all routers within the internetwork are aware of all other networks and have routes to each network. For example, in Figure B, when routers A, B, and C are all aware of every network and the path to each network, we say that the network has converged. Convergence time is the amount of time it takes for all routers to learn the entire internetwork or learn of a change on the network. Convergence time is very important to network engineers because it describes the amount of time it will take for the network to recover from a failure.

Conclusion
Dynamic routing protocols allow routers to automatically discover each connected network and adapt to changes in the internetwork topology. These protocols are used to free the administrator from having to enter multitudes of static routes for traffic flow and fault tolerance; however, the use of routing protocols is not without cost. Dynamic protocols use bandwidth and processor time on each router, and the amount of bandwidth and processor time should be understood during capacity planning.
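The route exchange the article walks through for Figure B (router A advertising 192.168.1.0, router B passing on what it hears, every router adding one hop to what it receives, and the network converging once no update changes a table) can be simulated in a few dozen lines. The following Python is an added example, not code from the article or from any router vendor. It assumes the LAN-side addresses that Figure B does not show (192.168.1.1, 192.168.3.1, 192.168.5.1), sends the periodic updates in synchronous rounds, and leaves out loop-prevention refinements such as split horizon. It works for any topology built with link(), not just the three routers here, and reports how many update rounds it took to converge.

```python
"""Distance-vector route exchange on the Figure B topology (routers A, B, C).

Added example: a minimal RIP-style simulation. Each router starts knowing
only its directly connected networks (hop count 0), periodically sends its
whole table to each neighbor, and a receiver adds 1 hop to everything it
hears, keeping a route only when it is shorter than what it already has.
"""
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # RIP's "unreachable" hop count; 15 hops is the maximum


class Router:
    def __init__(self, name: str, connected: Dict[str, str]) -> None:
        self.name = name
        # Directly connected networks are all a router knows at start-up:
        # (next_hop, hops) = (None, 0) for each of them.
        self.table: Dict[str, Tuple[Optional[str], int]] = {
            net: (None, 0) for net in connected
        }
        # Neighbors are (router, the neighbor's address on the shared link).
        self.neighbors: List[Tuple["Router", str]] = []

    def advertisement(self) -> Dict[str, int]:
        """Legacy distance vector: the entire table is advertised every time."""
        return {net: hops for net, (_, hops) in self.table.items()}

    def receive(self, from_ip: str, advert: Dict[str, int]) -> bool:
        """Bellman-Ford relaxation; returns True if anything changed."""
        changed = False
        for net, adv_hops in advert.items():
            hops = adv_hops + 1          # the receiver increments the count
            if hops >= INFINITY:
                continue                 # beyond 15 hops: unreachable, ignore
            known = self.table.get(net)
            if known is None or hops < known[1]:
                self.table[net] = (from_ip, hops)
                changed = True
        return changed


def link(a: Router, a_ip: str, b: Router, b_ip: str) -> None:
    """Connect two routers; each learns the other's address on the link."""
    a.neighbors.append((b, b_ip))
    b.neighbors.append((a, a_ip))


def build_figure_b() -> Dict[str, Router]:
    # Serial and T1 addresses are taken from Figure B; the .1 addresses on the
    # LAN segments (192.168.1.0, .3.0, .5.0) are an assumption for the example.
    a = Router("A", {"192.168.1.0": "192.168.1.1", "192.168.2.0": "192.168.2.1"})
    b = Router("B", {"192.168.2.0": "192.168.2.2", "192.168.3.0": "192.168.3.1",
                     "192.168.4.0": "192.168.4.1"})
    c = Router("C", {"192.168.4.0": "192.168.4.2", "192.168.5.0": "192.168.5.1"})
    link(a, "192.168.2.1", b, "192.168.2.2")   # A S0 <-> B S0
    link(b, "192.168.4.1", c, "192.168.4.2")   # B T1 <-> C T1
    return {"A": a, "B": b, "C": c}


def run_until_converged(routers: Dict[str, Router], max_rounds: int = 20) -> int:
    """Synchronous periodic updates: every router advertises each round.

    Returns the number of update rounds that changed at least one table;
    the network has converged when a whole round changes nothing.
    """
    for rounds in range(max_rounds):
        adverts = {name: r.advertisement() for name, r in routers.items()}
        changed = False
        for r in routers.values():
            for neighbor, neighbor_ip in r.neighbors:
                if r.receive(neighbor_ip, adverts[neighbor.name]):
                    changed = True
        if not changed:
            return rounds
    raise RuntimeError("no convergence within max_rounds")


def route_for(router: Router, network: str) -> Tuple[Optional[str], int]:
    """(next hop, hop count) the router holds for a network."""
    return router.table[network]


if __name__ == "__main__":
    net = build_figure_b()
    print("converged after", run_until_converged(net), "changing rounds")
    for name, r in net.items():
        for dest, (nh, hops) in sorted(r.table.items()):
            print(f"{name}: {dest} via {nh or 'connected'} ({hops} hops)")
```

Running it reproduces the article's walk-through: router A ends up with 192.168.5.0 two hops away via 192.168.2.2, and the tables stop changing after two update rounds, which is the convergence time in this idealised model.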

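To make the administrative distance and metric discussion concrete, here is an added Python example (not from the article) that ranks candidate routes exactly as described: lowest administrative distance from Table A first, then lowest metric, and that evaluates the article's IGRP cost formula. The scaled bandwidth and delay values for the two Figure C paths are constructed for the example, and the handling of K5 = 0 follows Cisco's documented behaviour for the default K values, which the article's formula as printed does not mention.

```python
"""Route selection by administrative distance, then metric (Table A, Figure C).

Added example, not from the article. Candidate routes for one destination
are ranked first by the administrative distance of the protocol that learned
them and, within the same distance, by that protocol's metric. The IGRP
composite cost is computed with the article's formula; the sample bandwidth
and delay figures for the Figure C paths are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Table A: default administrative distances.
ADMIN_DISTANCE: Dict[str, int] = {
    "Connected interface": 0,
    "Static route": 1,
    "Enhanced IGRP summary route": 5,
    "External BGP": 20,
    "Internal Enhanced IGRP": 90,
    "IGRP": 100,
    "OSPF": 110,
    "IS-IS": 115,
    "RIP": 120,
    "EGP": 140,
    "External Enhanced IGRP": 170,
    "Internal BGP": 200,
    "Unknown": 255,
}


def igrp_cost(bandwidth: int, delay: int, load: int = 1, reliability: int = 255,
              k: Tuple[int, int, int, int, int] = (1, 0, 1, 0, 0)) -> int:
    """Cost = [K1*BW + (K2*BW)/(256-LOAD) + K3*DELAY] * K5/(RELIABILITY+K4).

    bandwidth and delay are the protocol's already-scaled path values; load and
    reliability are on the x/255 scale the article describes. Integer
    arithmetic throughout. With Cisco's default K values (K1=K3=1, the rest 0)
    the formula as printed would multiply by K5=0, so, as Cisco documents, the
    reliability factor is applied only when K5 is non-zero.
    """
    k1, k2, k3, k4, k5 = k
    if not (0 <= load <= 255 and 1 <= reliability <= 255):
        raise ValueError("load and reliability are expressed out of 255")
    cost = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        cost = cost * k5 // (reliability + k4)
    return cost


@dataclass(frozen=True)
class Candidate:
    network: str
    next_hop: str
    source: str      # key into ADMIN_DISTANCE
    metric: int      # hop count for RIP, composite cost for IGRP/EIGRP, ...

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE.get(self.source, ADMIN_DISTANCE["Unknown"])


def best_route(candidates: Sequence[Candidate]) -> Optional[Candidate]:
    """Lowest administrative distance wins; the metric only breaks ties.

    Metrics from different protocols are never compared with each other,
    which is exactly why administrative distance is consulted first.
    """
    if not candidates:
        return None
    return min(candidates, key=lambda c: (c.admin_distance, c.metric))


# Figure C: router A reaches network C (192.168.5.0) either through router B
# over the faster links (next hop 192.168.2.2) or directly over ISDN (next hop
# 192.168.6.2). The scaled bandwidth/delay numbers below are constructed.
VIA_B_PATH = dict(bandwidth=6_476, delay=4_000)    # two fast hops
ISDN_PATH = dict(bandwidth=78_125, delay=2_000)    # one slow ISDN hop

RIP_ROUTES = (
    Candidate("192.168.5.0", "192.168.6.2", "RIP", 1),
    Candidate("192.168.5.0", "192.168.2.2", "RIP", 2),
)
EIGRP_ROUTES = (
    Candidate("192.168.5.0", "192.168.6.2", "Internal Enhanced IGRP", igrp_cost(**ISDN_PATH)),
    Candidate("192.168.5.0", "192.168.2.2", "Internal Enhanced IGRP", igrp_cost(**VIA_B_PATH)),
)


def figure_c_choices() -> Tuple[str, str, str]:
    """Next hop chosen by RIP alone, by EIGRP alone, and with both running."""
    rip = best_route(RIP_ROUTES).next_hop
    eigrp = best_route(EIGRP_ROUTES).next_hop
    both = best_route(RIP_ROUTES + EIGRP_ROUTES).next_hop
    return rip, eigrp, both


if __name__ == "__main__":
    print("RIP / EIGRP / both:", figure_c_choices())
```

RIP alone picks the one-hop ISDN path, EIGRP alone picks the path through router B because its composite cost is lower, and when both protocols run, EIGRP's route is installed simply because 90 is a lower administrative distance than 120; its hop count is never consulted.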
Selecting the best address translation option for your network
Jun 27, 2001
By Debra Littlejohn Shinder, MCSE

Address translation is the process of "translating" multiple IP addresses from the private address range to one or more public registered addresses. There are a number of ways to do this: Some operating systems include built-in address translation capabilities; there are third-party software programs available to provide address translation services; and vendors make hardware devices that are capable of translation tasks. Network address translation is also called NAT.
In this article, we will take a look at how address translation works, some of the address translation options available, and how you can select the best translation solution for your network.

How address translation works
The address translation gateway computer or device is connected to the public network via a modem, broadband connection, T1, or other Internet connection. It is also connected, via a second interface, to the internal LAN. This computer has an internal address from the private address range assigned to its internal interface and a public address assigned by the ISP (either a static address or one allocated by DHCP) to its external interface. Address translation software allows it to function as the gateway for computers on the LAN that are configured with its internal IP address as their default gateway address.
When an internal computer sends a message destined for the Internet (for example, when its Web browser attempts to access a URL that points to an Internet Web server), the gateway intercepts the request, maps the internal address of the sending computer to a port number in its address translation table, replaces the sending computer's source address in the packet headers with its own, and forwards the message to the Internet. When a reply is returned to the gateway computer, it consults the address translation table to determine which internal computer should receive the response and sends it to that machine.

Advantages of address translation
Advantages of using an address translation method to connect your LAN's computers to the Internet include:
- Cost: You don't have the expense of extra IP addresses from your ISP.
- Conservation of IP addresses: You don't use more of the available addresses than necessary.

- Security: The computers on the Internet "see" only the gateway computer, not any of the computers on the internal LAN.

Disadvantages of address translation
There are a few disadvantages to using address translation instead of a routed connection with each computer on the LAN having its own public IP address:
- Compatibility issues: Not all programs and protocols are compatible with address translation. Those protocols that have neither the IP addresses in the IP header nor TCP/UDP port numbers in the TCP or UDP headers may require NAT "editors" or may not be able to work with address translation at all. For example, IPSec is not compatible with NAT.
- Performance: Translation requires some overhead in system resources; thus, performance may be slightly slower when using NAT.

Address translation options
If you determine that a translated connection is the best option for your network, you have several choices for implementing NAT.

Internet Connection Sharing (ICS) in Windows 98SE/Me/2000/XP
ICS is a "lite" form of NAT that is built in to both Windows 2000 Pro and Server as well as Windows XP/2002 and Windows 98SE/Me. The Windows 2000 machine can function as a connection gateway for internal computers running TCP/IP, even if they are running older operating systems, such as Windows 95.
ICS is easy to set up, but its flexibility is limited. You must use the preconfigured private address range, for example, and you cannot translate the internal addresses to multiple external interfaces. Also, you cannot use ICS on your network if there is a DNS or DHCP server on the network. ICS is most appropriate for small peer-to-peer Windows networks.
To share a connection with ICS, you need only check a box on the Sharing tab of the Properties sheet for the connection (see Figure A). The ICS gateway computer will become a DHCP allocator, assigning IP addresses from the 192.168.0.0 network to the computers on the internal LAN. These other computers must be set up as DHCP clients in their TCP/IP properties.

Figure A (screenshot): ICS in Windows 2000/XP provides an easy way to set up a "lite" version of NAT.
Figure B (screenshot): NAT is added and configured as a routing protocol in Windows 2000 Server RRAS.
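The translation table described under "How address translation works" can be modelled directly. The Python below is an added example, not code from the article or from Windows ICS; the 198.51.100.1 public address and the 203.0.113.10 Web server address are constructed, and the LAN addresses come from the 192.168.0.0 range ICS hands out. It shows two internal hosts with the same source port sharing one public address, a reply being mapped back to the right host, and an unsolicited inbound packet being dropped because no table entry exists for it, which is the concrete form of the "security" advantage listed above.

```python
"""Address translation table of a NAT gateway (added example, not the article's).

Models the process the article describes: an outbound packet from the LAN has
its source address replaced by the gateway's public address and its source port
by a port the gateway allocates; the (internal address, port) pair is recorded
so replies arriving on that port can be mapped back. Addresses are constructed:
the LAN uses the 192.168.0.0 range ICS hands out; 198.51.100.1 stands in for
the ISP-assigned public address and 203.0.113.10 for an Internet Web server.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000,
                 last_port: int = 40999) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # Translation table: public port -> internal (ip, port), plus the
        # reverse index so one internal socket always gets the same port.
        self._table: Dict[int, Endpoint] = {}
        self._reverse: Dict[Endpoint, int] = {}

    def _allocate(self, internal: Endpoint) -> int:
        port = self._reverse.get(internal)
        if port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("translation table full")
            port = self._next_port
            self._next_port += 1
            self._table[port] = internal
            self._reverse[internal] = port
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the gateway's own address/port."""
        port = self._allocate((pkt.src_ip, pkt.src_port))
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: look the destination port up in the table.

        Packets for ports nobody mapped are dropped (None), which is why
        outside hosts 'see' only the gateway and never the LAN computers.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        internal = self._table.get(pkt.dst_port)
        if internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])

    def table_size(self) -> int:
        return len(self._table)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two LAN hosts using the same source port reach the same Web server."""
    gw = NatGateway("198.51.100.1")
    out1 = gw.outbound(Packet("192.168.0.2", 1025, "203.0.113.10", 80))
    out2 = gw.outbound(Packet("192.168.0.3", 1025, "203.0.113.10", 80))
    # The server's reply to the first session, and an unsolicited packet
    # from outside aimed at a port nobody mapped.
    reply = gw.inbound(Packet("203.0.113.10", 80, "198.51.100.1", out1.src_port))
    unsolicited = gw.inbound(Packet("203.0.113.10", 80, "198.51.100.1", 40555))
    return out1, out2, reply, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The port is the only thing that distinguishes the two hosts once their packets leave the gateway, which is also why protocols that carry addresses or ports outside the IP and TCP/UDP headers (the compatibility problem listed above) cannot be handled by this table alone.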

NAT in Windows 2000/2002 Server
For configuring a translated connection in a Windows network when ICS won't do (for example, in a Windows 2000 domain with DNS and DHCP servers on the network), Microsoft provides a component simply called NAT, which is installed as a routing protocol in the Routing and Remote Access (RRAS) administrative tool (see Figure B). This "full-fledged" NAT is available only on the server operating system.
NAT is more complex than ICS but allows you to specify the address range from which private IP addresses will be assigned to internal computers by the NAT gateway acting as DHCP allocator. Alternatively, you can disable the allocator and let your DHCP server assign the addresses.
Other reasons for choosing NAT over ICS on a Windows 2000 network include:
- Support for inbound mappings
- Ability to disable the DNS proxy function
- Need to use static IP addresses on the network

IP Masquerading for Linux
IP Masquerade (IPMASQ) is a Linux networking feature that provides a translated connection through the Linux gateway machine. Support for masquerade has been built into the Linux kernel since version 1.3.x. It is a form of NAT and is configured similarly, with internal computers that access the Internet through the Linux box being configured to use the Linux machine's internal IP address as their default gateway.

Third-party NAT solutions
What if the computers on your network are all running operating systems that don't have built-in NAT support as do Linux or Windows 98SE/2000/2002, and you want to use a translated connection? There are several third-party NAT solutions available that can be installed on Windows 95 or Windows NT computers.
A few products that are reasonably priced, easily configured, and have been found to work well are:
- Sygate
- NAT32
- Wingate

Proxy servers
Proxy servers use address translation to provide an Internet connection to internal computers via one public IP address, but they also provide additional functionality beyond connection sharing. Proxy servers are used for added security; they sit between the internal network and the public Internet and can perform packet filtering (and in some cases, circuit level and application level filtering) to control what leaves and enters the private network. Proxy servers may even have built-in firewall functionality.
Proxy server software often costs more than NAT products because of its added sophistication. Examples include:
- Microsoft Proxy Server 2.0
- Microsoft Internet Security and Acceleration Server (ISA)
- Midpoint
- WinProxy
- Rideway

Hardware NAT
Many router vendors build NAT functionality into their ISDN and DSL routers, making it easy to implement an address translation solution without worrying about installing special software on a gateway machine.

Selection considerations
In determining which NAT solution is best for your network, you should take into account the following:
- Cost: If you are running an operating system that has a connection-sharing component built in, you will save money by using it instead of buying third-party software or a hardware device that supports NAT.
- Features: If you need additional security features as well as address translation, you may wish to consider a proxy server.
- Ease of configuration: Some solutions are easier to implement than others. For example, Windows 2000 ICS is easier to set

  up than Windows 2000 NAT, and the Sygate NAT product is easier to configure than the Rideway proxy. Balance ease of configuration against cost factors and needed features.
- Operating system compatibility: The solution you choose must be compatible with the operating system running on the computer you want to be the gateway.
- Application and protocol compatibility: If you use applications or protocols that do not carry the IP address in the IP header or otherwise won't work with NAT, you may need to choose a different option for connecting your LAN to the Internet.

Conclusion
Network address translation provides a way to conserve the limited number of available public IP addresses, save money, and provide a measure of security while connecting all the computers on an internal LAN to the Internet through a gateway computer using a single public IP address. NAT has both advantages and disadvantages compared to a traditional routed connection; if you decide NAT is the best solution for your network, there are a variety of different ways in which it can be implemented.

Provide multiple paths between networks with tunneling and NAT
Nov 13, 2001
By Robert McIntire

The terms tunneling and NAT come up fairly regularly now in networking conversations. Over time, these techniques have become invaluable in the face of an IPv4 address space shortage and in facilitating secure internetworking across the public Internet. Both methods are vital to internetworking and are not at all mutually exclusive in their implementations. We can use both techniques within the same router configurations for access to intranets, extranets, and the Internet. The key is to configure these methods together. In this article, I'll show you how to configure these two methods together in order to get tunneling and NAT to complement one another and provide multiple paths between networks.

So many questions
With NAT, we can transform an address originating from a private network host into a valid public IP, thereby allowing access between private and public networks (i.e., the Internet). With tunneling, we can direct packets from the aforementioned private network across a public network to another private network attached to the same public network. Mind you, the features and functionality provided with NAT and tunneling are by no means limited to this. These are only somewhat common uses of the methods. The issues I'll address are based on these uses. How and why would we use both methods simultaneously? What if we want to provide general Internet access to private network hosts and a secure tunnel between private networks across the Internet? Which do we do first: translate the address before sending it down a tunnel to another office or encapsulate it? Do we even want to NAT sessions that are bound for our other private network? Let's take a deeper look into these concepts.

Tunneling
To better understand our topic, we must examine some of the details to determine how best to design such an implementation. The process of tunneling implies encapsulating or wrapping one protocol within another. Often, the terms VPN, tunneling, and encryption are used in conjunction. In fact, a VPN consists of two basic concepts: tunneling and encryption. In this case, we're encapsulating the packets bound from one private network to another so that they can be carried across the Internet. Otherwise, these private address packets couldn't be routed across the Internet's public address infrastructure. With respect to tunneling, we must designate endpoints for our tunnel.
In this case, we'll assume the use of two Cisco access series routers running the IOS IP/Firewall Plus IPSec 56 software as the endpoints for our tunnel (see Figure A). Each connects one of our private networks to the Internet. With both the firewall and IPSec feature sets, we can provide firewall security for the private network and tunnel encryption across the Internet to the remote private network. Since we have both inside and outside interfaces on our edge or access routers, which do we designate as the tunnel endpoint? Actually, the outside interfaces that connect to the Internet will be used as peers in our scenario. Listing A shows a partial configuration highlighting the IPSec configuration for Router A, and Listing B shows the partial configuration for Router B.

NAT AND IPSEC INFORMATION
The configuration information provided here is not meant as an in-depth example of IPSec or NAT setup but rather to provide an overview focused on attaining interoperability. For more information on NAT, take a look at Debra Littlejohn Shinder's "Selecting the best address translation option for your network," on page 74.

Figure A (diagram): an External Net at the top with Router A and Router B attached to it, and an Internal Net below each router. Router A has addresses 100.100.100.1 (outside) and 192.168.1.1 (inside); Router B has 200.200.200.1 (outside) and 192.168.2.1 (inside). The tunnel endpoint configuration sits on the routers' outside interfaces. Caption: Our Cisco routers will handle both tunneling and NAT between the external and internal networks.

On both routers, the outside interfaces are Ethernet0/1, and the addresses are 100.100.100.1 and 200.200.200.1 for routers A and B, respectively. The inside interfaces are Ethernet0/0 on both; the private address spaces are 192.168.1.0 and 192.168.2.0, respectively. Notice in the first few lines of both VPN peer router A and B configurations that we create a new Internet Key Exchange (IKE) policy with the ISAKMP statements, a requirement for IPSec. To do so, we specify the hash and the authentication type (a pre-shared key of a-b-vpn in our scenario), along with the address of the peer VPN router. Then we create a name for our IPSec transform set, tset-1. This transform set name is referenced later in the set transform-set statement. The crypto map specifies a name for the map, cmap-1, and puts us into crypto configuration mode. This map name is also referenced in the Ethernet0/1 (outside interface) configuration. The next several statements complete our tunnel configuration. The last statement in this section is the one that makes all the difference. The match address statement is entered in crypto config mode and references an access list, 101, which specifies what traffic we want to direct down our VPN tunnel. Access list 101 on each router includes a statement to allow traffic to the other private network (192.168.1.0 <-> 192.168.2.0) via the tunnel and excludes all other traffic. This is one step in solving the

78 Administrator’s Guide to TCP/IP,Second Edition problem of how we selectively direct private, interoffice traffic down our tunnel. Listing A: Router A IPSec configuration crypto isakmp policy 1 NAT hash md5 Now it’s time to look at how this works in con- junction with NAT for simultaneous access to authentication pre-share both the Internet and the interoffice WAN. In crypto isakmp key a-b-vpn address 200.200.200.1 NAT configurations, we must specify inside crypto ipsec transform-set tset-1 esp-des esp-md5-hmac and outside interfaces. Allowed traffic coming crypto map cmap-1 1 ipsec-isakmp from the inside is generally translated using a set peer 200.200.200.1 public IP pool as it heads for the outside inter- face. If this session is bound for the Internet set transform-set tset-1 to surf a Web site, we want to translate it to a match address 101 valid address and direct it to the default route. ! However, our private networks employ private interface Ethernet0/0 addressing, and we don’t want to translate the addresses of packets passing between our two ip address 192.168.1.1 255.255.255.0 private networks down the tunnel across the no ip directed-broadcast Internet. Figure B illustrates two machines on ip nat inside our internal network using NAT. ! Since the packets are encapsulated at one end and unencapsulated at the other end of interface Ethernet0/1 the tunnel, we don’t really need to NAT this ip address 100.100.100.1 255.255.255.255 traffic. But can we selectively NAT? We can no ip directed-broadcast use a standard access list to control which pri- ip nat outside vate host addresses get NATed by source no ip route-cache address, but that isn’t really the functionality we’re looking for. The key here is to maintain no ip mroute-cache our private addresses with respect to data tun- crypto map cmap-1 neled to the other private network but to NAT ! the address if headed for public Internet access-list 101 permit ip 192.168.1.0 0.0.0.255 access. 
To do so, we can use an extended 192.168.2.0 0.0.0.255 access list to specify which traffic gets NATed access-list 101 deny ip 192.168.1.0 0.0.0.255 any by destination, which is what we’re looking for. Note the following NAT and access list-related portion of the configurations for Router A allows any traffic from A’s private network to (Listing C) and Router B (Listing D). the Internet. The next entry creates the route In the first line of the NAT configuration, map, un-nat, referenced in the previous we perform a dynamic NAT mapping from dynamic NAT map statement. This places the the inside interface to the outside interface, router into route map config mode, where we Ethernet0/1. In this statement, we specify the set the matching IP address based on access un-nat route map. The third line is the default list 102. The same is true for Router B. Now route to the ISP. And then we have our access this is what we’re looking for. With the proper list, 102, controlling which traffic gets NATed NAT configuration, we can configure our in conjunction with the aforementioned access/VPN router to handle private and pub- dynamic NAT map statement. All private traf- lic traffic in the appropriate manner. fic from Router A (192.168.1.0) to Router B’s private network (192.168.2.0) is explicitly Allowing VPN traffic The one thing that we have not looked at yet is denied and excluded from the NATing the final detail. Chances are we have either the process. The second access list statement

Routing and Design 79 Figure B Listing B: Router B IPSec configuration crypto isakmp policy 1 hash md5 External Net authentication pre-share crypto isakmp key a-b-vpn address 100.100.100.1 E0/0 crypto ipsec transform-set tset-1 esp-des esp-md5-hmac 100.100.100.1 crypto map cmap-1 1 ipsec-isakmp Router A set peer 100.100.100.1 E0/1 set transform-set tset-1 192.168.1.1 match address 101 Internal Traffic ! To Outside Network interface Ethernet0/0 Internal PC 192.168.2.1 255.255.255.0 Internal PC 192.168.1.2 no ip directed-broadcast 192.168.1.3 ip nat inside ! interface Ethernet0/1 Machine 192.168.1.2 routes to the external network only; machine 192.168.1.3 routes to the internal network only. ip address 200.200.200.1 255.255.255.0 no ip directed-broadcast IOS firewall or an access list configured to ip nat outside restrict incoming traffic at the outside interface no ip route-cache of both access routers. For this scenario, we’ll assume that an extended access list guards the no ip mroute-cache outside interface. We’ll need to make a hole to crypto map cmap-1 pass the VPN traffic. To do that, we’ll specify ! the IKE and IPSec protocol information for access-list 101 permit ip 192.168.2.0 0.0.0.255 Router A (Listing E) and Router B (Listing F). 192.168.1.0 0.0.0.255 The protocol identification numbers required access-list 101 deny ip 192.168.2.0 0.0.0.255 any are 50 and 51, and the port is UDP 500. Naturally, these access list entries should be placed at or near the beginning of your ACL

Listing C: Router A NAT configuration ip nat inside source route-map un-nat interface Ethernet0/1 overload ip classless ip route 0.0.0.0 0.0.0.0 100.100.100.2 ! access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 102 permit ip 192.168.1.0 0.0.0.255 any ! route-map un-nat permit 12 match ip address 102

80 Administrator’s Guide to TCP/IP,Second Edition Listing D: Router B NAT configuration ip nat inside source route-map un-nat interface Ethernet0/1 overload ip classless ip route 0.0.0.0 0.0.0.0 200.200.200.2 ! access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 102 permit ip 192.168.2.0 0.0.0.255 any ! route-map un-nat permit 12 match ip address 102

Listing E: Configure Router A for VPN hole Access-list 103 permit tcp host 200.200.200.1 host 100.100.100.1 eq 50 Access-list 103 permit tcp host 200.200.200.1 host 100.100.100.1 eq 51 Access-list 103 permit udp host 200.200.200.1 500 host 100.100.100.1 500

Listing F: Configure Router B for VPN hole Access-list 103 permit tcp host 100.100.100.1 host 200.200.200.1 eq 50 Access-list 103 permit tcp host 100.100.100.1 host 200.200.200.1 eq 51 Access-list 103 permit udp host 100.100.100.1 500 host 200.200.200.1 500 since these routers will be hosting a dedicated clients, but we gain the additional benefit of a tunnel between them. By doing so, you secure WAN link between our remote private decrease the processing load incurred by the networks. inbound access list. The cost advantages can be compelling. So compelling that VPNs, once considered a Conclusion security risk, have become more and more Although an in-depth discussion of IPSec and prevalent as encryption technology has NAT is not the aim here, we begin to see how improved over the years. An even more com- these features can be configured to work pelling fact is that implementation is becom- together to handle network traffic appropri- ing easier as manufacturers continue to ately, whether private or public. By configuring develop all-in-one security appliances and NAT and tunneling together in our networks, VPN configuration tools that can assist net- we can leverage our investment in Internet work administrators when deploying Internet connectivity. In this manner, we not only use connectivity, as well as secure VPN tunneling our Internet link for general Internet access technology. from and to private application servers and
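To make the interaction between access list 102, route-map un-nat, crypto access list 101 and the inbound access list 103 concrete, here is an added Python model of Router A's policy. It is example code, not from the article and not Cisco's, and it is not IOS. It builds the three access lists from the listings above with IOS first-match and implicit-deny semantics, evaluates inside-to-outside packets in the documented IOS order (the NAT decision first, then the crypto map against the packet as it then looks), and checks inbound packets against the VPN hole. The sample packets, the documentation-range Internet address 198.51.100.7, and the ACL_103_TCP_PORTS variant (the "permit tcp ... eq 50" form) are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

ESP, AH, TCP, UDP = 50, 51, 6, 17          # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol keyword, source and destination
    as CIDR prefixes, optional 'eq' destination port (tcp/udp only)."""
    action: str
    proto: str                  # 'ip', 'esp', 'ahp', 'tcp' or 'udp'
    src: str
    dst: str
    dport: Optional[int] = None


PROTO_NUM = {"esp": ESP, "ahp": AH, "tcp": TCP, "udp": UDP}


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and PROTO_NUM[ace.proto] != pkt.proto:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst))


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


LAN_A, LAN_B = "192.168.1.0/24", "192.168.2.0/24"
OUTSIDE_A, OUTSIDE_B = "100.100.100.1", "200.200.200.1"
ANY = "0.0.0.0/0"

# Listing A, access-list 101: what the crypto map sends through the tunnel.
ACL_101 = [Ace("permit", "ip", LAN_A, LAN_B),
           Ace("deny", "ip", LAN_A, ANY)]
# Listing C, access-list 102 behind route-map un-nat: the deny line keeps
# interoffice traffic out of the translation.
ACL_102 = [Ace("deny", "ip", LAN_A, LAN_B),
           Ace("permit", "ip", LAN_A, ANY)]
# Inbound VPN hole. 50 and 51 are IP protocol numbers, so the entries need the
# esp/ahp keywords; written as TCP ports (constructed variant) they match nothing.
ACL_103_TCP_PORTS = [Ace("permit", "tcp", OUTSIDE_B + "/32", OUTSIDE_A + "/32", 50),
                     Ace("permit", "tcp", OUTSIDE_B + "/32", OUTSIDE_A + "/32", 51),
                     Ace("permit", "udp", OUTSIDE_B + "/32", OUTSIDE_A + "/32", 500)]
ACL_103 = [Ace("permit", "esp", OUTSIDE_B + "/32", OUTSIDE_A + "/32"),
           Ace("permit", "ahp", OUTSIDE_B + "/32", OUTSIDE_A + "/32"),
           Ace("permit", "udp", OUTSIDE_B + "/32", OUTSIDE_A + "/32", 500)]


def egress(pkt: Packet, nat_acl: List[Ace] = ACL_102):
    """Inside-to-outside on Router A. Assumed (documented IOS) order: the NAT
    decision is made first, then the crypto map sees the packet as it now looks.
    Returns (translated?, encrypted?, source address on the wire)."""
    translated = acl_lookup(nat_acl, pkt) == "permit"   # route-map match => overload NAT
    if translated:
        pkt = replace(pkt, src=OUTSIDE_A)
    encrypted = acl_lookup(ACL_101, pkt) == "permit"
    return translated, encrypted, pkt.src


def ingress(pkt: Packet, acl: List[Ace] = ACL_103) -> str:
    """Inbound access list on Router A's outside interface."""
    return acl_lookup(acl, pkt)


if __name__ == "__main__":
    interoffice = Packet("192.168.1.2", "192.168.2.10", TCP, 40000, 445)
    internet = Packet("192.168.1.2", "198.51.100.7", TCP, 40001, 80)
    print(egress(interoffice))                 # (False, True, '192.168.1.2')
    print(egress(internet))                    # (True, False, '100.100.100.1')
    # Drop the deny from ACL 102: the interoffice packet is translated first, no
    # longer matches ACL 101, and leaves the router in the clear.
    print(egress(interoffice, ACL_102[1:]))    # (True, False, '100.100.100.1')
    esp_from_b = Packet(OUTSIDE_B, OUTSIDE_A, ESP)
    print(ingress(esp_from_b, ACL_103_TCP_PORTS), ingress(esp_from_b))   # deny permit
```

The third egress call is the misconfiguration worth remembering: nothing errors, the tunnel stays up for other traffic, and the private-to-private packets simply go to the ISP untranslated into anything routable and unencrypted. The last line shows why the protocol keyword matters in the hole: with the TCP-port form, every ESP packet from the peer hits the implicit deny.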

Learn why NAT can cause VPN connection problems
Nov 8, 2001
By David Davis, MCSE+I, CCNP, SCSA

Many a network administrator has tried to set up a virtual private network (VPN) client from a workstation with a nonroutable (private) IP address only to find out, amid much frustration, that the network address translation (NAT) on the Internet router keeps the VPN client from making the connection. We're going to look at the reasons behind this common problem and see what you can do about it.

Important concepts

First, here are four basic concepts you need to understand:

- Encapsulation involves wrapping a header around a data unit, typically an IP packet. Encapsulation can also be referred to as tunneling. For instance, IP packets get encapsulated in a frame-relay header when they traverse a frame-relay WAN.
- Encryption provides a way to secure sensitive data by translating it into private code. It can then be decrypted only by using a secret key or a password.
- A VPN encapsulates and encrypts packets to send a private network's data over a public network (such as the Internet) to another private network. Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security (IPSec) are the most popular protocols for securing VPN traffic.
- NAT is based on RFC1631 (http://www.rfc-editor.org/rfc/rfc1631.txt) and is typically used to connect a private network to a public network, such as connecting your company network to the Internet. For more information, refer to Cisco's article "How NAT Works" (http://www.cisco.com/warp/public/556/nat-cisco.shtml). Keep in mind that to function, NAT doesn't just swap IP source and destination addresses; it may also swap TCP source and destination ports, change the IP and TCP header checksums, change the TCP sequence and acknowledgment numbers, and change IP addresses contained in the data payload.

VPN protocols

Now we need to look at a few of the important differences between the two VPN tunneling methods:

- IPSec and L2TP (L2TP as Windows deploys it runs over IPSec): These two open protocols are popular across multiple platforms. However, they usually encapsulate and encrypt the IP datagram, which contains the IP source and destination addresses. This can make them troublesome for NAT. IPSec can work in two different ways: transport and tunnel. Transport mode is between a client and a server. Tunnel mode is between two IPSec tunneling gateways (for instance, two routers or servers). In transport mode, the application headers, TCP/UDP headers, and data are protected, leaving the IP header exposed. With the AH protocol, the authentication data is calculated over the IP header (among other things), so any change to the addresses invalidates it. With ESP, the IP header is not authenticated, but the TCP/UDP header and its ports are encrypted, so a NAT device can neither see the ports it needs to share one public address nor fix the transport checksum after rewriting the address. In tunnel mode, the entire packet (including the IP header) is encrypted and a new IP header is added.
- PPTP: This Microsoft protocol carries PPP frames inside GRE (IP protocol 47) and encrypts only the PPP payload; the inner IP datagram is not authenticated, so NAT rewriting the outer header does not invalidate anything. That is what makes it "NAT friendly," provided the NAT device can track GRE, which has no port numbers (most NAT implementations carry a PPTP helper for this). Windows 2000 RRAS (Routing and Remote Access Service) uses this VPN protocol by default. If you are using NAT, choosing Windows 2000 VPN (RRAS) services with PPTP can greatly simplify your VPN-NAT issues.

NAT and VPN

NAT is supposed to be transparent to whatever applications it works with. Many NAT and VPN dilemmas are created by this assumption. NAT can break a VPN tunnel because NAT changes the Layer 3 network address of a packet (and checksum values), whereas the tunneling used by an IPSec or L2TP VPN gateway encapsulates and encrypts the Layer 3 network address of a packet inside another Layer 3 network address, stripping it off on the other side. In other words, after a packet goes through the NAT process, it has a different network address. But after a packet goes through the IPSec or L2TP VPN tunneling process, it has the same network address. This concept is invaluable when setting up and troubleshooting NAT and VPN together.

As I said, choosing PPTP can often eliminate the NAT-VPN issues created with IPSec and/or L2TP. However, if you are trying to create a tunnel through the Internet between two Cisco routers (or other non-Microsoft devices or operating systems), you will likely be using IPSec. If you are using IPSec with NAT on a Cisco router, you can get around the VPN-NAT issues by selecting the traffic that is to be NATed and making sure that the tunnel traffic is not NATed but encapsulated and encrypted in the IPSec header. In other words, you want the traffic bound for true Internet destinations to be NATed, and you want the traffic destined to travel through the IPSec tunnel to be tunneled, not NATed. On Cisco equipment, this is accomplished using an access control list.

Let's return to our original scenario of the troubled network administrator who configures a workstation with a private IP address and tries to use a VPN client to go through a NAT-enabled router. We'll assume that the administrator is using an IPSec-based VPN client (not PPTP). Because this is from a client to a server, we'll assume IPSec in transport mode. Remember that in transport mode, the IP header is not encrypted but exposed. With AH, the authentication data is calculated over the IP header (among other things). When the packets arrive at the NAT router, the IP header is modified (NATed). Upon arriving at the VPN server, the authentication data in the packet is invalid because the IP header information was modified by NAT. So the VPN server drops the packet, and the VPN client never gets connected. With ESP the integrity check covers only the payload, but the transport header that NAT would need to rewrite is now encrypted and carries no visible ports for the NAT device to map, so the connection fails for that reason instead; the outcome is the same.

To deal with this issue, VPN product vendors are beginning to build IPSec NAT traversal capabilities into their products. Different standards and vendor implementations are being used to make this work. Most rely on some kind of IPSec encapsulation into UDP packets (standardized later as IPSec NAT Traversal, NAT-T, on UDP port 4500, which a firewall in the path must also permit). Because the IPSec packet is now carried as UDP payload, NAT devices rewrite only the outer UDP/IP header, the protected packet's own header information is untouched, and the IPSec authentication data is still valid. Thus, a connection can be made.

Final word

This is a complex topic that should not be taken lightly. Understanding how NAT and the different VPN implementations do what they do is crucial. You should also check with your router and VPN vendors for specific solutions that their products may have for dealing with NAT and VPN interoperability.

Cisco provides the following sample network configurations and scenarios that can help to better understand and manage NAT-VPN issues:

- "Configuring Router to VPN Client, Mode-config, Wild-card Pre-shared Key with NAT" (http://www.cisco.com/warp/public/707/25.shtml)
- "Configuring an IPSec Tunnel through a Firewall with NAT" (http://www.cisco.com/warp/public/707/ipsecnat.html)
- "Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a Static IP Address" (http://www.cisco.com/warp/public/707/static.html)
- "Configuring Router-to-Router Dynamic-to-Static IPSec with NAT" (http://www.cisco.com/warp/public/707/ios_804.html)
- "Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks" (http://www.cisco.com/warp/public/707/overload_private.shtml)
- "Configuring IPSec Router-to-Router with NAT Overload and CiscoSecure VPN Client" (http://www.cisco.com/warp/public/707/ios_D.html)
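The failure described above, as an added example that is not part of the article (a toy model in Python, not the real AH or ESP wire formats): an integrity check computed over the IP addresses is verified by the VPN server after a NAT router has rewritten the source address, and then the same protected packet is carried inside UDP the way NAT traversal does, so that the NAT device only touches the outer header. The key, the addresses (RFC 5737 documentation ranges) and the packet layout are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"demo-key-not-from-ike"       # constructed; a real SA key is negotiated by IKE


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int
    payload: bytes


@dataclass(frozen=True)
class UdpEncap:
    """NAT-T style wrapper: the protected packet rides inside a UDP datagram."""
    outer_src: str
    outer_dst: str
    sport: int
    dport: int
    inner: IPPacket
    icv: bytes


def ah_icv(pkt: IPPacket, key: bytes = KEY) -> bytes:
    """AH-style integrity check value over the addresses (immutable header
    fields) and the payload. TTL changes at every hop, so it is left out, just
    as AH zeroes the mutable fields before hashing."""
    covered = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_verify(pkt: IPPacket, icv: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def nat_ip(pkt: IPPacket, public_addr: str) -> IPPacket:
    """A NAT router rewrites the source address (and decrements TTL like any router)."""
    return replace(pkt, src=public_addr, ttl=pkt.ttl - 1)


def nat_t_wrap(inner: IPPacket, icv: bytes) -> UdpEncap:
    """Client side of NAT-T: send the protected packet as UDP 4500 payload."""
    return UdpEncap(inner.src, inner.dst, 4500, 4500, inner, icv)


def nat_udp(enc: UdpEncap, public_addr: str, new_sport: int) -> UdpEncap:
    """The same NAT router on a UDP packet: it rewrites the outer address and
    source port and never touches what it sees as opaque UDP payload."""
    return replace(enc, outer_src=public_addr, sport=new_sport)


def nat_t_verify(enc: UdpEncap, key: bytes = KEY) -> bool:
    """Server side of NAT-T: unwrap and verify the inner, untouched packet."""
    return ah_verify(enc.inner, enc.icv, key)


def scenario() -> dict:
    """Client 192.168.1.10 behind a NAT router (public 198.51.100.1) talking
    to a VPN server at 203.0.113.5."""
    client_pkt = IPPacket("192.168.1.10", "203.0.113.5", 64, b"echo request")
    icv = ah_icv(client_pkt)                                      # computed by the client
    direct = ah_verify(nat_ip(client_pkt, "198.51.100.1"), icv)   # what the server sees
    wrapped = nat_udp(nat_t_wrap(client_pkt, icv), "198.51.100.1", 61000)
    return {"direct": direct, "nat_t": nat_t_verify(wrapped)}


if __name__ == "__main__":
    print(scenario())        # {'direct': False, 'nat_t': True}
```

The TTL is deliberately excluded from the check, so a plain router in the path does not break verification; only the address rewrite does. The NAT-T case passes because the NAT device changes fields the integrity check never covered.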

IP routing in 40 short steps
Jul 10, 2001
By Todd Lammle

This article will zoom in on the principle of moving packets of data from one network to another network using a router and the IP protocol. This is called routing, and I'm going to demonstrate an IP routing example in 40 steps. Why 40? Well, I really could give it to you in 10 steps or so, but that would be more of a summarized approach. And since I really want you to thoroughly understand this process, I'm going to cover the details of how a packet is actually handled when it's sent through an internetwork. Because we're taking an in-depth approach here, you'll find it helpful to be familiar with the following:

- IP addressing and subnetting
- The difference between a router and a switch
- How collision and broadcast domains work within an internetwork

IP addressing, subnetting, and IP routing are very important fundamentals; once you have a good grasp on them you can move on to exploring more advanced, really exciting subjects like supernetting and Variable Length Subnet Masking (VLSM)!

Move that data!

Okay, we know routers are hardware devices that employ software to perform the task of routing packets throughout an internetwork, and we know that routing is the term used to describe the process of taking a packet of data from a device on one network and switching it through that router over to another device on a different network: packet distribution and delivery. So if your network has no routers, you're not routing.

Figure A highlights the routing raison d'etre: to make it possible to connect multiple networks, thereby creating an internetwork so that all hosts within that internetwork can communicate with each other by sending and receiving data.

Now take a closer look at Figure A so we can go step-by-step through the IP routing process. Let's begin by pretending that HostA wants to send a ping request (packet internet groper) to HostB. By looking at the IP networks and addresses in the figure, we can see that HostA is on the 192.168.10.32 network and that the /27 is a subnet block of 32. What this tells us is that our valid hosts are 33-62. Also, notice that HostA's IP address is 192.168.10.34 with a configured default gateway of 192.168.10.33. HostB is on the 192.168.10.96 subnet and it has an IP address of 192.168.10.98 with a configured default gateway of 192.168.10.97. It's very important to make sure that a host's default gateway is configured correctly because it's used to tell the host how to send packets out of the local network.

Figure A: [diagram] HostA (192.168.10.34) on 192.168.10.32/27 <-> 2500A (E1 .33, S0 .65) <-> serial link 192.168.10.64/27 <-> 2600A (S0/0 .66, Fa0/0 .97, S0/1 to the Internet) <-> HostB (192.168.10.98) on 192.168.10.96/27. Caption: Did you notice that a LAN and two WANs are connected to the 2600A router?

Okay, that said, let's type a ping request to 192.168.10.98 from HostA at the command prompt and follow it through from beginning to end. Here's what happens, starting at HostA (these are our 40 steps to IP routing):

1. Internet Control Message Protocol (ICMP) creates an echo request payload (which is just the alphabet forward and backwards).
2. ICMP hands that payload to IP, which then creates a packet. At a minimum, this packet contains an IP source address, an IP destination address, and a protocol field with 01h. All of that tells the receiving host whom to hand the payload to; in this example, ICMP.
3. Once the packet is created, IP works with the Address Resolution Protocol (ARP) to determine whether the destination IP address is on the local network or on a remote one.
4. Since this is a remote request, the packet needs to be sent to the default gateway. The registry in Windows is parsed to find the configured default gateway.
5. The default gateway of host 192.168.10.34 is 192.168.10.33. To be able to send this packet to the default gateway, the hardware address of the router's interface Ethernet1 (configured with the IP address of 192.168.10.33) must be known. Why? So the packet can be handed down to the Data Link Layer, framed, and sent to the router's interface for the 192.168.10.32 network.
6. Now, the ARP cache is checked to see if the IP address of the default gateway has already been resolved to a hardware address. If it has, the packet is then free to be handed to the Data Link Layer for framing. (The hardware destination address is also handed down with that packet.)
7. If the hardware address isn't already in the ARP cache of the host, an ARP broadcast will be sent out onto the local network to search for the hardware address of 192.168.10.33. The router will respond to the request and provide the hardware address of Ethernet1, and the host will cache this address. The 2500A router will also cache the hardware address of HostA in its ARP cache.
8. Once the packet and destination hardware address are handed to the Data Link Layer, the LAN driver is used to provide media access via the type of LAN being used. (In this example, it's Ethernet.) A frame is then generated, encapsulating the packet with control information. Within that frame are the hardware destination and source address, plus an Ethernet-Type field that describes the Network Layer protocol that handed the packet to the Data Link Layer (in this case, IP). At the end of the frame is the Frame Check Sequence (FCS) field, which houses the answer to the Cyclic Redundancy Check (CRC).
9. Once the frame is completed, the frame is handed down to the Physical Layer to be put on the physical medium (in this example, twisted-pair wire), one bit at a time.
10. Every device in the collision domain receives these bits and builds the frame. They each run a CRC and check the answer in the FCS field. If the answers don't match, the frame is discarded. If the CRC matches (in this example, at the router's interface Ethernet1), then the hardware destination address is checked to see if it matches too. If it's a match, then the Ethernet-Type field is checked to find the protocol used at the Network Layer.
11. The packet is pulled from the frame and the frame is discarded. The packet is handed to the protocol listed in the Ethernet-Type field, meaning it's given to IP.
12. IP receives the packet and checks the IP destination address. Since the packet's destination address doesn't match any of the addresses configured on the receiving router itself, the router will look up the destination IP network address in its routing table.
13. The routing table must have an entry for the network 192.168.10.96 or the packet will be discarded immediately and an ICMP Destination Unreachable (network unreachable) message will be sent back to the originating device.
14. If the router does find an entry for the destination network in its table, the packet will be switched to the exit interface; in this example, interface serial 0.
15. Serial interfaces don't use Ethernet framing techniques, but by default, Cisco routers use something called High-Level Data Link Control (HDLC) to frame the packet. When serial interfaces are used, though, it's not called framing; it's known as "encapsulating." And because this is a point-to-point circuit, hardware addresses aren't used or needed. Instead, the HDLC encapsulation is sent out one bit at a time to the next router.
16. Serial 0/0 on 2600A then extracts the packet from the HDLC encapsulation and checks the IP destination address. Since the destination address doesn't match any of this router's own interface addresses, the router will check its routing table to determine whether it knows how to get the packet over to the destination network.
17. The routing table will show that to get to network 192.168.10.96, it must use exit interface FastEthernet 0/0, so the packet is switched to interface FastEthernet 0/0.
18. The FastEthernet interface has the packet in its buffers and needs to send the packet to HostB, or IP address 192.168.10.98, but the hardware address must be known in order to deliver the packet to the correct host. The router checks the ARP cache, and if no match is found, an ARP broadcast is sent out interface FastEthernet 0/0.
19. HostB will respond with its hardware address, and the packet and destination hardware address are both sent to the Data Link Layer for framing.
20. The Data Link Layer will create a frame with the destination and source hardware address, Ethernet-Type field, and an FCS field at the end of the frame. The frame is handed to the Physical Layer to be sent out on the physical medium one bit at a time.
21. HostB receives the frame and immediately runs a CRC. If the answer matches what's in the FCS field, the hardware destination address is then checked. If it finds a match, the Ethernet-Type field is then checked to determine where the packet should be received on the Network Layer.
22. At the Network Layer, IP gets the packet and checks the IP destination address. Since there's finally a match made, the protocol field is checked to find out to whom the payload should be given.
23. The payload is handed to ICMP, which understands that this is an echo request. ICMP responds to this by immediately discarding the packet and generating a new payload as an echo reply.
24. A packet is then created that includes the source and destination address, protocol field, and payload.
25. ARP then checks to see if the destination IP address is a local device on the local LAN or if it's a device on a remote network. Since the destination device is on a remote network, the packet needs to be sent to the default gateway.
26. The default gateway address is found in the registry of the Windows device, and the ARP cache is checked to see if the hardware address has already been resolved from an IP address.
27. Once the hardware address of the default gateway is found, the packet and destination hardware address are handed down to the Data Link Layer for framing.
28. The Data Link Layer frames the packet of information and includes the following in the header: the destination and source hardware address, Ethernet-Type field with IP in it, and the FCS field with the CRC answer in tow.
29. The frame is now handed down to the Physical Layer (of the OSI model) to be sent out over the network medium one bit at a time.
30. The router's FastEthernet 0/0 interface will receive the bits and build a frame. The CRC is run and the FCS field is checked to make sure the answers match.
31. Once the CRC is found to be okay, the hardware destination address is checked. Since the router's interface is a match, the packet is pulled from the frame and the Ethernet-Type field is checked to see what protocol at the Network Layer the packet should be delivered to.
32. That's determined to be IP, so it gets the packet. IP verifies the IP header checksum first and then checks the destination IP address. (Note: IP does not run a CRC over the whole packet like the Data Link Layer does; its checksum covers only the header.) Since the IP destination address doesn't match any of the router's interfaces, the routing table is checked to see if it has a route to 192.168.10.32. If it doesn't have a route over to the 32 network, the packet will be discarded immediately. (This is the source of confusion for a lot of administrators. When a ping fails, most people think the packet never reached the destination host. But as we see here, that's not always the case! All it takes is for just one of the remote routers to be lacking a route back to the originating host's network and POOF! The packet is dropped on the return trip, not en route to the host.)
33. But Router 2600A does know how to get to network 192.168.10.32 (the exit interface is serial 0/0), so the packet is switched to serial interface 0/0.
34. The serial interface builds an HDLC encapsulation and sends the packet inside it out interface serial 0/0, one bit at a time, to the 2500A router. The 2500A router receives the HDLC encapsulation and hands the packet over to IP.
35. IP checks the destination address, and since no interface on the router matches, the routing table is checked for a path to network 192.168.10.32.
36. The routing table tells IP that the path to network 192.168.10.32 is out interface Ethernet1, so over it goes: the packet is switched to interface Ethernet1.
37. The hardware address must first be found in order to send the packet to the destination IP address of 192.168.10.34, and the ARP cache is checked for that first. Since the address is in the ARP cache, the packet and the destination hardware address are sent to the Data Link Layer to be framed.
38. The frame adds the hardware source and destination address and the Ethernet-Type field, and puts the CRC answer in the FCS field.
39. The frame is then given to the Physical Layer to be sent out onto the local network, one bit at a time.
40. The destination host receives the frame, runs a CRC, checks the destination hardware address, and then looks in the Ethernet-Type field to find who to hand the packet to. IP, at the Network Layer, is the designated receiver, and after the packet is handed to IP at the Network Layer, it checks the protocol field for further direction. IP finds instructions to give the payload to ICMP, and ICMP determines the packet to be an ICMP echo reply. The ping program reports the reply to the user (as an exclamation point on a Cisco router, or a "Reply from" line on a Windows host) and then repeats the whole process for its remaining echo requests.

ONLY ONE PING?
Several pings are sent by default (five from a Cisco router, four from a Windows host), but I don't think we need to go there! For those individuals in the audience who want this article to describe the process exactly as it actually happens in the real world, just start back at step one and read through to number 40 a few more times!

Conclusion

The beauty of IP routing is that no matter how many more routers we might decide to put into this example, the process would never change! The packet is just sent from hop to hop until it reaches the destination network. Remember to keep these important points in mind:

- Some things never change, and this includes packets. Apart from the TTL being decremented and the header checksum being recomputed at every router, the packet is untouched; it is only encapsulated in new control information to be sent from one router to the next, and each router strips the old frame and builds a fresh one.
- Routers are impersonal; they do not keep host addresses in their routing tables. Routers only care about networks and the best path to each one.
- Each and every one of us is unique, and so are hardware addresses. These are what devices use to find a unique host on a local network.
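As an added example that is not part of the article, the Python model below walks a packet through Figure A using the decisions the 40 steps describe: a host's default gateway, a router's longest-prefix route lookup, the ARP-like choice of the device on the wire that owns the next-hop address, the TTL decrement at each router, and the return-route failure of step 32. The routing tables (including the static routes to the remote subnets on 2500A and 2600A) and the segment wiring are assumptions, since the figure shows only addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, Optional[str]]   # (prefix, out interface, next hop or None if connected)


@dataclass
class Node:
    name: str
    ifaces: Dict[str, str]      # interface -> "address/prefixlen"
    routes: List[Route]

    def addr(self, iface: str) -> str:
        return self.ifaces[iface].split("/")[0]

    def owns(self, ip: str) -> bool:
        return any(self.addr(i) == ip for i in self.ifaces)

    def lookup(self, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Longest-prefix match over the routing table; None means no route."""
        best = None
        for prefix, iface, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return None if best is None else (best[1], best[2])


def build_network():
    """Figure A. Routers know their connected subnets plus an assumed static
    route to the far LAN; hosts know their subnet plus a default gateway."""
    host_a = Node("HostA", {"eth": "192.168.10.34/27"},
                  [("192.168.10.32/27", "eth", None), ("0.0.0.0/0", "eth", "192.168.10.33")])
    r2500a = Node("2500A", {"E1": "192.168.10.33/27", "S0": "192.168.10.65/27"},
                  [("192.168.10.32/27", "E1", None), ("192.168.10.64/27", "S0", None),
                   ("192.168.10.96/27", "S0", "192.168.10.66")])
    r2600a = Node("2600A", {"S0/0": "192.168.10.66/27", "Fa0/0": "192.168.10.97/27"},
                  [("192.168.10.64/27", "S0/0", None), ("192.168.10.96/27", "Fa0/0", None),
                   ("192.168.10.32/27", "S0/0", "192.168.10.65")])
    host_b = Node("HostB", {"eth": "192.168.10.98/27"},
                  [("192.168.10.96/27", "eth", None), ("0.0.0.0/0", "eth", "192.168.10.97")])
    segments = [{("HostA", "eth"), ("2500A", "E1")},        # one wire per set of (node, interface)
                {("2500A", "S0"), ("2600A", "S0/0")},
                {("2600A", "Fa0/0"), ("HostB", "eth")}]
    return {n.name: n for n in (host_a, r2500a, r2600a, host_b)}, segments


def forward(nodes, segments, start: str, dst_ip: str, ttl: int = 128):
    """Carry one packet hop by hop. Returns (result, list of devices visited)."""
    node = nodes[start]
    path = [node.name]
    while not node.owns(dst_ip):
        route = node.lookup(dst_ip)
        if route is None:                      # steps 13 and 32
            return f"dropped at {node.name}: no route to {dst_ip}", path
        ttl -= 1                               # every hop decrements TTL
        if ttl == 0:
            return f"dropped at {node.name}: TTL expired", path
        out_if, next_hop = route
        target = next_hop or dst_ip            # connected network: ARP for the destination itself
        segment = next(s for s in segments if (node.name, out_if) in s)
        # The ARP step: whoever on this wire owns the target address gets the frame.
        owner = next((nodes[n] for n, i in segment
                      if n != node.name and nodes[n].addr(i) == target), None)
        if owner is None:
            return f"dropped at {node.name}: no ARP reply for {target} on {out_if}", path
        node = owner
        path.append(node.name)
    return "delivered", path


def ping(nodes, segments, src: str, dst_ip: str):
    """Echo request, then the echo reply routed independently on the way back."""
    src_ip = nodes[src].addr("eth")
    result, req_path = forward(nodes, segments, src, dst_ip)
    if result != "delivered":
        return result, req_path, None
    result, rep_path = forward(nodes, segments, req_path[-1], src_ip)
    return result, req_path, rep_path


if __name__ == "__main__":
    nodes, segments = build_network()
    print(ping(nodes, segments, "HostA", "192.168.10.98"))
    # Remove 2600A's route back to the .32 subnet: the request still arrives,
    # but the reply is dropped on the return trip (the point of step 32).
    nodes["2600A"].routes = [r for r in nodes["2600A"].routes if r[0] != "192.168.10.32/27"]
    print(ping(nodes, segments, "HostA", "192.168.10.98"))
```

The second run is the case to keep in mind when a ping fails: the request path is complete, so a packet capture at HostB would show the echo request arriving, and the drop happens on 2600A's route lookup for the reply.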

88 Administrator’s Guide to TCP/IP,Second Edition Configuring static and default routing Jul 12, 2001 By Todd Lammle he previous article, “IP routing in extremely concerned about networks and the 40 short steps,” described how a best path to access each one. T packet is sent from an originating Logical addressing (IP, for example) is host on one network over to another host on what’s used to identify each host on the inter- a different network through an internetwork, network. Routers read the network portion of as well as exactly what happens to those an IP address to figure out where in the Net packets during that process. This article is world a host is and then use a routing table to going to take things a step further and focus determine the best path to the network that on both IP routing and how routers use a the destination host is located on. routing table to accomplish the task of for- Once that network is located, the packet is warding those packets properly throughout sent to the destination network by forwarding an internetwork. the packet, hop-to-hop, until it reaches the There are three different ways a routing specific router that’s directly connected to the table is built: destination host’s network. From there, the X Statically destination host’s unique hardware address is used to get the packet to the host that’s sup- X By default posed to receive it. X Dynamically I’m going to talk about the first two—static It’s all about maps and default routing tables that are built by net- Routers have maps, or at least a form of them. work administrators. They must have a map of the entire internet- work to explain to them where each logical A little review network is located, as well as to guide their But first, a little review. Remember that an decision in choosing the quickest, most effi- internetwork is defined as two or more net- cient way to get there. This map is called a works connected with a router or routers. 
Also routing table, and each routed protocol you recall that routers don’t keep track of, or care use has to have its own map. For instance, if even the slightest bit about, hosts, but they are you’re running IP, IPX, and AppleTalk on your

Figure A

[Network diagram] HostA (.34) on 192.168.10.32/27 -- E0 .33 [2500A] S0 .65 -- 192.168.10.64/27 -- .66 S0 [2500B] E0 .97 -- 192.168.10.96/27 -- HostB (.98). 2500B S1 200.43.89.65/30 connects to the Internet.

Each router must have all three networks in the routing table in order to send packets through the internetwork.

Routing and Design 89

network, each of your routers will have three maps—one for each routing protocol—all describing the same physical networks in a different way.

It’s kind of a language barrier thing; the reason each protocol has separate routing tables is because each protocol really is like a different language. Say you’ve built a gated community, and in it, you have a street you named Cat Street. Everyone on that block speaks English, and the street sign is in English. Then a Spanish family moves in that doesn’t speak any English, so you add a sign that reads Avenida Gato. Next, a French family moves in—they don’t speak English or Spanish—so you add Le Chat to the sign. You now have three separate signs describing Cat Street in three different ways.

Take a look at Figure A, which has two 2500 routers connected with a serial link. By default, each router will have the directly connected networks in its routing table. Before we take a look at the routing tables, let’s view the configuration used on each router.

Listing A shows the basic configuration for the 2500A router. Listing B shows the basic configuration for the 2500B router. The 2500B router had the DCE end of the serial link, so the clock rate command needed to be added. We should now have two networks in each routing table. Let’s view each table with the show ip route command (or the short form: sh ip route). Listing C (page 92) shows the 2500A router. Listing D (page 93) shows the 2500B router.

The 2500A router is directly connected to subnets 32 and 64. The 2500A must have a route entered for the 96 subnet. The 2500B router is directly connected to the 64 and 96 subnets. The 2500B router must have an entry for the 32 subnet.

Listing A: Basic configuration for 2500A router

Router>
Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname 2500A
2500A(config)#interface ethernet0
2500A(config-if)#ip address 192.168.10.33 255.255.255.224
2500A(config-if)#no shut
2500A(config-if)#int serial0
2500A(config-if)#
00:16:04: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:16:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
2500A(config-if)#ip address 192.168.10.65 255.255.255.224
2500A(config-if)#no shut
2500A(config-if)#
00:16:28: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:16:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
2500A(config-if)#^Z
2500A#

Configuring static routes
Static routes are routes configured and entered into the routing table by the administrator. Typically, in larger networks, creating nothing but static routes would be a gruesome task (if not impossible), so dynamic routing is usually used (examples are RIP and OSPF). However, in smaller networks, static routing can work well; it saves overhead on the router CPU and bandwidth on the serial links that dynamic routing protocols greedily consume as fast as my golden retriever will steal and swallow an unattended turkey sandwich!

To configure a static route, use the global configuration command ip route. Since the 2500A router must understand how to get to the 96 subnet, let’s configure a static route that describes to the router what to do when it receives a packet with a destination IP network of 192.168.10.96 (see Listing E on page 93).

The ip route command is broken down as follows:

- ip route: The command issued to add a route to a routing table
- 192.168.10.96: The destination network
- 255.255.255.224: The subnet mask used on the network
- 192.168.10.66: Where to send a packet with a destination IP network of 192.168.10.96

Notice that the IP routing table now has an entry for the 192.168.10.96 subnet via 192.168.10.66, which is the next hop gateway from the 2500A router.

This is working great; we’re halfway to finishing our routing tables. The reason we’re only half done is that the 2500B router still doesn’t know how to send packets to the 32 subnet. If a packet is sent from HostA on the 32 subnet over to HostB on the 96 subnet, it

Listing B: Basic configuration for 2500B router

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname 2500B
2500B(config)#interface ethernet0
2500B(config-if)#ip address 192.168.10.97 255.255.255.224
2500B(config-if)#no shut
2500B(config-if)#interface serial0
2500B(config-if)#
00:19:27: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:19:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
2500B(config-if)#ip address 192.168.10.66 255.255.255.224
2500B(config-if)#clock rate 1000000
2500B(config-if)#no shut
2500B(config-if)#^Z
2500B#
00:19:47: %SYS-5-CONFIG_I: Configured from console by console
00:19:48: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:19:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
2500B#

will definitely get to HostB, and HostB will respond by sending a new packet back to the configured default gateway. The problem is that 2500B will discard the packet since it doesn’t know how to get to the 32 subnet. So, let’s configure 2500B with a route to network 192.168.10.32 (see Listing F on page 94).

The ip route command is broken down as follows:

- ip route: The command used to add a static route
- 192.168.10.32: The destination route we want router 2500B to know about
- 255.255.255.224: The mask used in the network
- 192.168.10.65: The next hop router used to get to subnet 32

The routing table for the 2500B router now knows how to get to subnet 32 and packets can be sent from HostA to HostB and back again.

Configuring default routing
Since we have an Internet connection off the 2500B serial 0 interface, we need to add a default route to the routing table of the 2500B

Continued on page 95

Listing C: Viewing the 2500A routing table with the show ip route command

2500A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 2 subnets
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
2500A#

Listing D: Viewing the 2500B routing table with the show ip route command

2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 2 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
2500B#

Listing E: Configuring a static route with the ip route command

2500A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500A(config)#ip route 192.168.10.96 255.255.255.224 192.168.10.66
2500A(config)#^Z
2500A#
00:31:11: %SYS-5-CONFIG_I: Configured from console by console
2500A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 3 subnets
S       192.168.10.96 [1/0] via 192.168.10.66
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
2500A#

Listing F: 2500B configured with a route to 192.168.10.32

2500B>en
2500B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500B(config)#ip route 192.168.10.32 255.255.255.224 192.168.10.65
2500B(config)#^Z
2500B#
00:46:42: %SYS-5-CONFIG_I: Configured from console by console
2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 3 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
S       192.168.10.32 [1/0] via 192.168.10.65
2500B#

Listing G: Configuring the serial 1 interface

2500B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500B(config)#int s1
2500B(config-if)#ip address 200.43.89.65 255.255.255.252
2500B(config-if)#no shut
2500B(config-if)#
00:53:31: %LINK-3-UPDOWN: Interface Serial1, changed state to down
2500B(config-if)#exit
2500B(config)#ip route 0.0.0.0 0.0.0.0 200.43.89.66
2500B(config)#ip classless
2500B(config)#^Z
2500B#
00:53:58: %SYS-5-CONFIG_I: Configured from console by console
2500B#

Continued from page 92

router. This is just like adding a static route, except wildcards of all zeros (0s) are used instead of a network and mask.

Listing G (page 94) is an example of configuring the serial 1 interface on the 2500B router and then setting up the default route. The ISP provided an IP address of 200.43.89.65/30 for the interface. Since /30 is a block size of 4, the valid hosts are 65 and 66. We can set our next hop to 66 since we were given 65 for our router’s interface.

The default route command is broken down as follows:

- ip route: The command used to add a static or default route
- 0.0.0.0: The wildcard used to say “any” network not already in the routing table
- 0.0.0.0: Wildcard mask to say “any” network mask
- 200.43.89.66: Next hop gateway

If you don’t know the next hop gateway for some reason, you can always create the command like this:

ip route 0.0.0.0 0.0.0.0 s1

This will tell the router to send packets that aren’t in the routing table out serial 1. Also, notice that I used the ip classless command. This tells the router not to drop packets that are destined for a network that’s not in the routing table, but to use the default route instead. If you don’t use the ip classless command, packets like that would be dropped before being sent to the default route. (ip classless is on by default in IOS 12.x.)

Okay, so the routing table on the 2500B router now looks like Listing H.

The S* is a static default route. Notice also that the gateway of last resort is now set as well. Since a router cannot set a default gateway and since it actually is the default gateway for a network, routers use a gateway of last resort instead, which is really a default route.

A couple of tips

- Routers need current, up-to-date “maps.” If a routing table doesn’t have a route to each network that it’s going to be required to send packets to, then packets will be dropped.

Listing H: The 2500B routing table

2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 3 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
S       192.168.10.32 [1/0] via 192.168.10.65
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#

- Troubleshooting a routing table problem is tough. But by using the ping program and traceroute command, you can find exactly where a packet is failing in an internetwork.

Conclusion
By now it should be pretty clear both why it’s important to understand how a routing table is used in an internetwork and how important it is to be able to read a routing table and understand the output. There are many tools that can help you understand this concept, but the best tool is experience. Use the tools I’ve shown you, and eventually, you’ll be whipping up routing tables faster than you can say “cat” in three different languages.
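The lookup behaviour this article describes (longest match, the gateway of last resort, and what ip classless changes for a destination inside a partially known major network) as an added example; this is my own model, not code from the article or from IOS. It loads the 2500B table of Listing H and also applies the administrative-distance rule the RIP article relies on when it removes the static routes (a static route at AD 1 shadows a RIP route at AD 120); the Route and RoutingTable names and the classful major-network helper are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass
class Route:
    network: ipaddress.IPv4Network   # e.g. 192.168.10.32/27; 0.0.0.0/0 is the default route
    via: str                         # next-hop address or outgoing interface
    source: str                      # C connected, S static, R RIP (as in "show ip route")
    distance: int                    # administrative distance: C 0, S 1, R 120
    metric: int                      # RIP hop count; 0 for C and S


def classful_network(addr: Union[str, ipaddress.IPv4Address]) -> ipaddress.IPv4Network:
    """Class A/B/C major network of an address (the rule a classful lookup uses)."""
    ip = ipaddress.ip_address(str(addr))
    first_octet = int(ip) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


class RoutingTable:
    """One router's IP routing table (hypothetical model, not IOS code)."""

    def __init__(self, classless: bool = True) -> None:
        self.routes: Dict[ipaddress.IPv4Network, Route] = {}
        self.classless = classless   # True when "ip classless" is configured

    def add(self, network: str, via: str, source: str = "C",
            distance: int = 0, metric: int = 0) -> bool:
        """Install a route unless an equal or lower administrative distance
        already holds the prefix.  A static route (AD 1) therefore shadows a
        RIP route (AD 120) to the same prefix, which is why the RIP article
        removes the static routes first.  Returns True if installed."""
        net = ipaddress.ip_network(network)
        current = self.routes.get(net)
        if current is not None and current.distance <= distance:
            return False
        self.routes[net] = Route(net, via, source, distance, metric)
        return True

    def remove(self, network: str) -> None:
        """The effect of "no ip route ..." for the prefix (no-op if absent)."""
        self.routes.pop(ipaddress.ip_network(network), None)

    def gateway_of_last_resort(self) -> Optional[Route]:
        """The 0.0.0.0/0 entry, shown as S* or R* in "show ip route"."""
        return self.routes.get(ipaddress.ip_network("0.0.0.0/0"))

    def lookup(self, dest: str) -> Optional[Route]:
        """Route used to forward a packet to dest; None means it is dropped."""
        addr = ipaddress.ip_address(dest)
        specific = [r for net, r in self.routes.items()
                    if net.prefixlen > 0 and addr in net]
        if specific:                           # longest prefix match wins
            return max(specific, key=lambda r: r.network.prefixlen)
        if not self.classless:
            # Classful forwarding: if the table knows any subnet of the
            # destination's major network, a miss inside that major network
            # is dropped rather than handed to the default route.
            major = classful_network(addr)
            if any(net.prefixlen > 0 and net.subnet_of(major)
                   for net in self.routes):
                return None
        return self.gateway_of_last_resort()


def build_2500b(classless: bool = True) -> RoutingTable:
    """The 2500B table of Listing H (prefixes, next hops and ADs from the article)."""
    t = RoutingTable(classless)
    t.add("192.168.10.96/27", "Ethernet0")                  # C
    t.add("192.168.10.64/27", "Serial0")                    # C
    t.add("192.168.10.32/27", "192.168.10.65", "S", 1)      # S [1/0]
    t.add("200.43.89.64/30", "Serial1")                     # C
    t.add("0.0.0.0/0", "200.43.89.66", "S", 1)              # S* [1/0]
    return t


if __name__ == "__main__":
    t = build_2500b()
    print(t.lookup("192.168.10.34").via)     # HostA's subnet: 192.168.10.65
    print(t.lookup("198.51.100.7").via)      # Internet: 200.43.89.66 (gateway of last resort)
    # 192.168.10.130 is inside major network 192.168.10.0 but in no known subnet:
    print(t.lookup("192.168.10.130").via)    # with ip classless: 200.43.89.66
    print(build_2500b(classless=False).lookup("192.168.10.130"))  # without: None
```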

Dynamic routing with RIP
Jul 17, 2001
By Todd Lammle

The Routing Information Protocol (RIP) was the first dynamic routing protocol to be used in an internetwork, so it was created and used primarily with UNIX hosts for the purpose of sharing routing information.

In the previous article, “Configuring static and default routing,” I covered both default and static routing, so now we’re going to jump into dynamic RIP routing using Cisco routers.

The rumor mill
Like most early inceptions, RIP certainly does have its limitations! A biggie is that it’s a distance vector routing protocol, meaning that it sends the complete routing table out all active interfaces by default on periodic time intervals. This is known as routing by rumor because a router that receives those broadcasts just believes the information, even though it has no

Figure A

[Network diagram] HostA (.34) on 192.168.10.32/27 -- E0 .33 [2500A] S0 .65 -- 192.168.10.64/27 -- .66 S0 [2500B] E0 .97 -- 192.168.10.96/27 -- HostB (.98). 2500B S1 200.43.89.65/30 connects to the Internet.

Each router must have all three networks in the routing table in order to send packets through the internetwork.

way to verify that information as true (that the routes really exist).

Why use RIP?
So why do we use RIP at all? Well, we probably shouldn’t. But sadly, there are some routers that don’t run anything but RIP (or OSPF), so we’re not always left with a choice. Maybe lurking somewhere in your network is an old legacy router, say, a UNIX router. That being the case, you just might be stuck supporting RIP on the network so this old horse can participate in the routing updates.

Because IT spending budgets aren’t always unlimited, this article will show you how to replace static routing and add dynamic routing

Listing A: Our 2500A routing table

2500A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 3 subnets
S       192.168.10.96 [1/0] via 192.168.10.66
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
2500A#

Listing B: Our 2500B routing table

2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 3 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
S       192.168.10.32 [1/0] via 192.168.10.65
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#

using the RIP protocol. The good news is that adding RIP routing on a Cisco router is really easy, to say the least. The bad news is that what happens in the background is the problem! RIP sends out periodic updates every 30 seconds by default. This nasty habit can cause problems on already overly stressed serial links. But no worries—future articles will cover some solutions and strategies for dealing with the bandwidth gremlins and evils caused by RIP routing.

Deleting the existing static routes
To show you how to configure RIP, I’m going to use the same figure I used in my last article, “Configuring static and default routing” (see Figure A). I’m not doing that because I’m lazy—it’ll really help you understand if we build on our existing model! Plus, before we begin, I’m going to show you how to remove our existing static routes and replace all that with the dynamic routing protocol RIP.

At this point, the routing tables look like the ones shown in Listing A (page 97). The 2500A router must know how to get to the 192.168.10.96 network, so a static route was used telling the router to forward all packets to 192.168.10.66, which is the next hop.

Next, let’s look at the 2500B router (see Listing B on page 97). The 2500B router has a static route that describes how to get to subnet 32 and a default route to the Internet.

Listing C: Remove the route to subnet 96 from 2500A

2500A(config)#no ip route 192.168.10.96 255.255.255.224 192.168.10.66

Listing D: Only directly connected routes are shown

2500A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 2 subnets
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
2500A#

Listing E: Remove route to subnet 32 from 2500B

2500B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500B(config)#no ip route 192.168.10.32 255.255.255.224 192.168.10.65
2500B(config)#^Z
2500B#
00:32:47: %SYS-5-CONFIG_I: Configured from console by console

Removing the static routes
First, before we can add RIP routing, we must remove the static routes, since the administrative distance of a static route is one (1) by default. RIP uses an administrative distance of 120 by default. If we added RIP without first removing the static routes, then RIP routes would never be updated and placed in the routing table.

Listing F: Routers connected to the default router

2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 2 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#

Listing G: Use the router rip command

2500A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500A(config)#router rip
2500A(config-router)#network 192.168.10.0
2500A(config-router)#^Z
2500A#
00:41:07: %SYS-5-CONFIG_I: Configured from console by console

Listing H: Add RIP to 2500B

2500B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500B(config)#router rip
2500B(config-router)#network 192.168.10.0
2500B(config-router)#^Z
2500B#
00:41:42: %SYS-5-CONFIG_I: Configured from console by console

From the 2500A router, we need to remove the route to subnet 96. Listing C (page 98) shows how that will look. The routing table now only shows the directly connected routes (see Listing D on page 98).

From the 2500B router, we’ll remove the static route to subnet 32, but leave the default route to the Internet (see Listing E on page 98). Notice that the routing table now shows only the two directly connected and the

Listing I: Routing tables with RIP configured

2500A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 192.168.10.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 3 subnets
R       192.168.10.96 [120/1] via 192.168.10.66, 00:00:24, Serial0
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
R*   0.0.0.0/0 [120/1] via 192.168.10.66, 00:00:24, Serial0
2500A#

Listing J: 2500B routing table

2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 3 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
R       192.168.10.32 [120/1] via 192.168.10.65, 00:00:01, Serial0
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#

default route to the Internet (see Listing F on page 99).

Configuring RIP routing
Now that the static routes have been removed, we can add the RIP routing protocol to each router and allow the dynamic routing to find each network and place these into the routing tables of both routers.

From the 2500A router, the router rip command is used to turn on RIP routing (see Listing G on page 99).

The router rip command turns on RIP routing and places you at the config-router prompt. The network command must be used to tell RIP which network you want advertised with RIP. Notice that this is a classful network address and a subnet address is not used. The router will now find all the subnets and advertise each one throughout the internetwork. RIP is a classful routing protocol, which means that every device on the network must use the same subnet mask.

Next, let’s add RIP to the 2500B router (see Listing H on page 99).

Now that both routers have been configured with the RIP routing protocol, let’s take a look at the routing tables (see Listing I). The R’s represent a RIP-found route. The most interesting part of this output is the R*, which indicates a default route. We have a default route configured on the 2500B router, which is now being advertised by RIP as the network’s default route—perfect since that’s our Internet connection!

The routing table on the 2500B router is shown in Listing J. This output tells us that the 32 subnet was found and is being advertised by the serial 0 interface of the 2500A router. The default route has been both found and advertised by RIP to the 2500A router.

Verifying RIP routing
The show ip route command is probably the best command to use when verifying your router’s configuration of routing protocols, but there are a few more commands that are pretty helpful, as well.

Listing K: 2500A with show ip protocols command

2500A#sh ip protocols
Routing Protocol is “rip”
  Sending updates every 30 seconds, next due in 16 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface        Send  Recv  Key-chain
    Ethernet0        1     1 2
    Serial0          1     1 2
  Routing for Networks:
    192.168.10.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.10.66        120      00:00:01
  Distance: (default is 120)

2500A#

Show ip protocols
The show ip protocols command provides routing protocol information, including the timers and neighbors found. Listing K (page 101) shows an example from the 2500A router.

All configured routing protocols on the router will be displayed with this command, but only RIP is configured, so we see only RIP information. This command provides the update time and hold down and flush timers, as well as the neighbor’s IP address and administrative distance.

Show protocols
Although the show protocols command displays no routing protocol information, it does provide a list of all configured interfaces and the logical addresses that are configured on each interface (see Listing L). This is truly very valuable information.

Debug ip rip
The debug ip rip command is a great way to see RIP updates being sent and received on the router. To turn off debugging, use the no debug ip rip command or the undebug all command (see Listing M).

Listing L

2500A#show protocols
Global values:
  Internet Protocol routing is enabled
Ethernet0 is up, line protocol is up
  Internet address is 192.168.10.33/27
Serial0 is up, line protocol is up
  Internet address is 192.168.10.65/27
Serial1 is administratively down, line protocol is down
2500A#

Listing M: Using no debug ip rip or undebug all

2500A#debug ip rip
RIP protocol debugging is on
2500A#
00:55:40: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.10.33)
00:55:40:      subnet 192.168.10.96, metric 2
00:55:40:      subnet 192.168.10.64, metric 1
00:55:40:      default, metric 2
00:55:40: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.10.65)
00:55:40:      subnet 192.168.10.32, metric 1
00:55:51: RIP: received v1 update from 192.168.10.66 on Serial0
00:55:51:      192.168.10.96 in 1 hops
00:55:51:      0.0.0.0 in 1 hops
2500A#undebug all
All possible debugging has been turned off
2500A#

Let’s take this apart piece by piece, because this is important information (see Listing N). Notice that the 2500A router is sending out Ethernet0 an update telling about the path to subnets 64 and 96. The metric is the hop count to each network. Since the 2500A router is connected to the 64 network, it’s advertising that route in one hop. However, the 96 subnet is one hop away, so it will advertise that route as a hop count of 2. The default route is also

Listing N: What is our router sending?

00:55:40: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.10.33)
00:55:40:      subnet 192.168.10.96, metric 2
00:55:40:      subnet 192.168.10.64, metric 1
00:55:40:      default, metric 2

Listing O: Advertising out serial 0

00:55:40: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.10.65)
00:55:40:      subnet 192.168.10.32, metric 1

Listing P: Incoming!

00:55:51: RIP: received v1 update from 192.168.10.66 on Serial0
00:55:51:      192.168.10.96 in 1 hops
00:55:51:      0.0.0.0 in 1 hops

Listing Q: Stop RIP from being sent out Ethernet0

2500A>en
2500A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500A(config)#router rip
2500A(config-router)#passive-interface ethernet0
2500A(config-router)#^Z
2500A#
01:09:41: %SYS-5-CONFIG_I: Configured from console by console

2500B>en
2500B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2500B(config)#router rip
2500B(config-router)#passive-interface ethernet0
2500B(config-router)#passive-interface serial1
2500B(config-router)#^Z
2500B#
01:10:12: %SYS-5-CONFIG_I: Configured from console by console

being advertised as two hops away.

Let’s take a look at the next output (see Listing O on page 103). Notice that network 32 is only being advertised out serial 0. Why? Because the 2500B router already knows about network 64 and 96. This is called the split-horizon rule, and it’s used to stop incorrect information from being advertised throughout the internetwork. If networks 64 and 96 were advertised out serial 0 of the 2500A router, then the 2500B router might consider the 2500A router to get to the 96 subnet. That would be bad because it’s incorrect; it’s how network loops can occur.

Okay, now let’s look at what we are receiving (see Listing P on page 103). The 2500B router is advertising two routes to the 2500A router. One describes how to get to the 96 subnet, and the other advertises the default route.

Suppressing RIP updates
But wait. Remember the Ethernet0 interface of 2500A advertising RIP networks? RIP is advertised out all active interface routes every 30 seconds by default. So what if we don’t want RIP advertised out Ethernet0, or even worse, the serial 1 interface of the 2500B router that’s connected to the Internet? Can you say “security problem”? Do you really want to advertise your network out to the Internet? We’ll solve that little issue with the passive-interface command.

Listing Q (page 103) shows an example of stopping RIP from being sent out the Ethernet0 interface of the 2500A router and the

Listing R: Using the debug ip rip command

2500B#debug ip rip
RIP protocol debugging is on
2500B#
01:11:34: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.10.66)
01:11:34:      subnet 192.168.10.96, metric 1
01:11:34:      default, metric 1
01:11:37: RIP: received v1 update from 192.168.10.65 on Serial0
01:11:37:      192.168.10.32 in 1 hops
2500B#undebug all
All possible debugging has been turned off
2500B#

Listing S: 2500A with debug ip rip

2500A#debug ip rip
RIP protocol debugging is on
2500A#
01:13:45: RIP: received v1 update from 192.168.10.66 on Serial0
01:13:45:      192.168.10.96 in 1 hops
01:13:45:      0.0.0.0 in 1 hops
01:13:50: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.10.65)
01:13:50:      subnet 192.168.10.32, metric 1
2500A#un all
All possible debugging has been turned off
2500A#

serial 1 and Ethernet0 interfaces of the 2500B router.

Now, let’s take a look at a debug ip rip command from the 2500B router (see Listing R). The 2500B router is now sending routing information out serial 0 only.

Okay, let’s check the 2500A router with the debug ip rip command (see Listing S). Cool! The 2500A router is now advertising the routing table only out serial 0 and not out Ethernet0.

Conclusion
One man’s trash is another man’s treasure—RIP routing is actually a good, fast routing protocol in smaller networks, but if you configure larger networks, you can be in for some serious trouble because RIP has a tendency to consume bandwidth and CPU processes!
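The split-horizon rule, the hop-count metric and the passive-interface suppression explained in this article, as an added example that regenerates what each router puts in its RIP v1 updates from the tables in Listings I and J; this is my own model, not the article’s or IOS’s code. The RipRouter class, its update_out method and the rule that only routes and interfaces under a network statement take part are my simplifications (RIP v1 auto-summarization across major networks is not modelled, since every sending interface here sits in 192.168.10.0); the outputs line up with the debug ip rip captures in Listings N, O, R and S.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    network: str        # prefix as in "show ip route", e.g. "192.168.10.96/27"; "0.0.0.0/0" is the default
    source: str         # C connected, S static, R learned by RIP
    interface: str      # interface the route points out of, or the one it was learned on
    hops: int = 0       # metric held in the table: 0 for C and S, hop count for R


def major_network(prefix: str) -> ipaddress.IPv4Network:
    """Classful (class A/B/C) network that contains prefix; RIP v1 thinks in these."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{bits}", strict=False)


@dataclass
class RipRouter:
    """Hypothetical model of a router's RIP v1 sender (added example, not IOS code)."""
    name: str
    interfaces: Dict[str, str]                          # interface -> address/prefixlen
    routes: List[Route]
    networks: List[str] = field(default_factory=list)  # "network" statements
    passive: List[str] = field(default_factory=list)   # "passive-interface" list

    def in_rip_networks(self, prefix: str) -> bool:
        return any(major_network(prefix) == major_network(n) for n in self.networks)

    def make_passive(self, iface: str) -> None:
        """passive-interface <iface>: RIP still listens there but sends nothing."""
        self.passive.append(iface)

    def update_out(self, iface: str) -> Optional[List[Tuple[str, int]]]:
        """What RIP puts in the periodic update sent out iface, as (destination,
        metric) pairs in table order; None means no update leaves that interface."""
        if iface in self.passive or not self.in_rip_networks(self.interfaces[iface]):
            return None
        entries = []
        for r in self.routes:
            if r.interface == iface:
                # Split horizon: never advertise a route back out the interface
                # it is reached through.
                continue
            if r.network == "0.0.0.0/0":
                entries.append(("default", r.hops + 1))
            elif self.in_rip_networks(r.network):
                # Advertised one hop further than the sender holds it.  RIP v1
                # auto-summarization is not modelled: every sending interface in
                # this topology sits in the same major network as the subnets.
                entries.append((r.network.split("/")[0], r.hops + 1))
        return entries


def build_2500a() -> RipRouter:
    """2500A after Listing I: addresses and routes taken from the article."""
    return RipRouter("2500A",
                     {"Ethernet0": "192.168.10.33/27", "Serial0": "192.168.10.65/27"},
                     [Route("192.168.10.96/27", "R", "Serial0", 1),
                      Route("192.168.10.64/27", "C", "Serial0"),
                      Route("192.168.10.32/27", "C", "Ethernet0"),
                      Route("0.0.0.0/0", "R", "Serial0", 1)],
                     networks=["192.168.10.0"])


def build_2500b() -> RipRouter:
    """2500B after Listing J."""
    return RipRouter("2500B",
                     {"Ethernet0": "192.168.10.97/27", "Serial0": "192.168.10.66/27",
                      "Serial1": "200.43.89.65/30"},
                     [Route("192.168.10.96/27", "C", "Ethernet0"),
                      Route("192.168.10.64/27", "C", "Serial0"),
                      Route("192.168.10.32/27", "R", "Serial0", 1),
                      Route("200.43.89.64/30", "C", "Serial1"),
                      Route("0.0.0.0/0", "S", "Serial1")],
                     networks=["192.168.10.0"])


if __name__ == "__main__":
    a, b = build_2500a(), build_2500b()
    print(a.update_out("Ethernet0"))   # Listing N: 96 metric 2, 64 metric 1, default metric 2
    print(a.update_out("Serial0"))     # Listing O: only subnet 32, metric 1
    print(b.update_out("Serial0"))     # Listing R: 96 metric 1, default metric 1
    print(b.update_out("Serial1"))     # None: 200.43.89.0 is under no network statement
    a.make_passive("Ethernet0")        # Listing Q
    b.make_passive("Ethernet0"); b.make_passive("Serial1")
    print(a.update_out("Ethernet0"), b.update_out("Ethernet0"))   # None None
```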

Configuring IGRP routing with redistribution
Jul 19, 2001
By Todd Lammle

We finished talking about RIP in my last article, "Dynamic routing with RIP," which is kind of what Interior Gateway Routing Protocol (IGRP) was designed to do—finish RIP. Rest in peace, RIP! IGRP is a Cisco proprietary routing protocol that was created to replace RIP in small to medium-size networks. But there's a catch—you have to run Cisco routers, and only Cisco routers, in your whole internetwork to be able to configure IGRP on that internetwork.

So what's IGRP all about? Well, like RIP, it's a distance vector routing algorithm, but instead of using hop count as a metric, IGRP uses bandwidth and delay of the line as metrics by default. And just like RIP, it sends periodic updates out all active interfaces, but instead of sending them every 30 seconds as RIP does, IGRP sends them out every 90 seconds.

I know I said I was finished talking about RIP, but just like IGRP, I've actually only kind of finished it. We will talk about IGRP, but first, I actually have some more configuration to show you, so let's get started!

Okay, the 2500A and 2500B routers have already been configured using RIP routing with a default route to the Internet off of 2500B from my last article. But our 2500C router still needs to be configured with both IP addresses and RIP routing, and our 2500A router needs to have the serial 1 interface configured. We're going to set up the 2500C router to run only RIP in this example, but keep in mind that in reality, it can run any and all routing protocols. Because I want to give you a configuring redistribution demonstration in this article, we'll pretend it is an old router that can only run RIP routing.

Configuring the old gray mare—the legacy router

If you're just joining us and you want to get brought up to date, you'll need to see the complete configurations of routers 2500A and 2500B. You can do that by checking out "Configuring static and default routing," on page 89, and "Dynamic routing with RIP," on page 96. Here we go.

As we can see from the router output in Listing A (page 106), router 2500C needs to be configured.

Great. Notice that the 2500C routing table knows about all networks in the internetwork, as well as the default route to the Internet!

Listing A: Router 2500C output

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname 2500C
2500C(config)#int e0
2500C(config-if)#ip address 192.168.10.161 255.255.255.224
2500C(config-if)#no shut
2500C(config-if)#
00:04:25: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
2500C(config-if)#int s0
2500C(config-if)#ip address 192.168.10.130 255.255.255.224
2500C(config-if)#clock rate 64000
2500C(config-if)#no shut
2500C(config-if)#router rip
2500C(config-router)#netw 192.168.10.0
2500C(config-router)#^Z
2500C#
00:04:51: %SYS-5-CONFIG_I: Configured from console by console

And router 2500A needs to have the serial1 interface configured:

2500A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500A(config)#int s1
2500A(config-if)#ip address 192.168.10.129 255.255.255.224
2500A(config-if)#no shut
2500A(config-if)#^Z
2500A#

Now let’s take a look at the routing table of the 2500C router:

2500C#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 192.168.10.129 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 5 subnets
R       192.168.10.96 [120/2] via 192.168.10.129, 00:00:10, Serial0
R       192.168.10.64 [120/1] via 192.168.10.129, 00:00:10, Serial0
R       192.168.10.32 [120/1] via 192.168.10.129, 00:00:10, Serial0
C       192.168.10.160 is directly connected, Ethernet0
C       192.168.10.128 is directly connected, Serial0
R*   0.0.0.0/0 [120/2] via 192.168.10.129, 00:00:10, Serial0
2500C#

Configuring IGRP in an internetwork

Configuring IGRP on a Cisco router is pretty much the same as adding RIP routing. There is only one small difference: You configure an autonomous system (AS) number on each router that will share routing information. You must use the same AS number on each router if you want the routers to share routing information. In this network, all routers will use the same AS number of 10. This can be any number you want, and each router can be a member of multiple ASs.

Listing B shows how to configure the 2500A router with IGRP with an AS of 10. That's all, folks! Configuring IGRP is pretty much the same as configuring RIP in that it's a classful distance vector routing protocol. Now we'll configure the 2500B router (see Listing C).

Now that both routers are configured with IGRP, let's check out both of their routing tables. We can see that the 2500A router is receiving IGRP updates from the 2500B router of subnet 96. RIP is advertising the default route, and router 2500C is running RIP, so the remote subnet 160 is being advertised via RIP. But if we were to turn off RIP on the 2500A router, we would lose both our Internet route and the route to subnet 160! We definitely have to fix that, and we will—in a minute; but first, let's take a look at the 2500B's routing table (see Listing E on page 108).

The 2500B router is receiving a RIP update from the 2500A router about subnet 160. But we want to determine if only IGRP found routes in our routers. We can do that with the redistribute command.

Redistributing

Redistribution is used to translate from one routing protocol to another. The most difficult process of redistribution is the metrics translation. Since RIP uses hop count and IGRP uses bandwidth and delay of the line by default as well as reliability, load, and MTU (if the administrator configures the optional metrics),

Listing B: Configuring a 2500A router with IGRP

2500A>en
2500A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500A(config)#router igrp 10
2500A(config-router)#network 192.168.10.0
2500A(config-router)#^Z
2500A#
01:57:12: %SYS-5-CONFIG_I: Configured from console by console

Listing C: Configure the 2500B router with IGRP

2500B>en
2500B#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500B(config)#router igrp 10
2500B(config-router)#network 192.168.10.0
2500B(config-router)#^Z
2500B#
01:58:24: %SYS-5-CONFIG_I: Configured from console by console

the redistribute command is responsible for converting metrics.

Remember that in our network, the 2500C router runs only RIP, so the 2500A router must translate between the RIP and IGRP routing protocols. Listing F shows what the configuration would look like. The redistribute command told IGRP to advertise RIP found routes. The metrics are configured to replace the hop count used by RIP since IGRP does not use hop count.

Let's take a look at the routing table for the 2500B router and see what it looks like now (see Listing G). Notice anything? How about the fact that there are no longer any RIP found routes? The 2500A router is converting the RIP routes to IGRP and advertising them to the 2500B router! But we're not out of the swamp yet. We still have one problem. Look at the 2500C router and see if you can figure out what it is (see Listing H on page 110).

If you have a problem with the fact that the 96 subnet is not being advertised to the 2500C router, congratulations—you're on the money! The 2500A router is converting RIP advertised networks into IGRP, but it's not converting IGRP into RIP advertisements.

Listing D: 2500A's routing table

2500A#sh ip route
[output cut]
Gateway of last resort is 192.168.10.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 5 subnets
I       192.168.10.96 [100/8576] via 192.168.10.66, 00:00:00, Serial0
C       192.168.10.64 is directly connected, Serial0
C       192.168.10.32 is directly connected, Ethernet0
R       192.168.10.160 [120/1] via 192.168.10.130, 00:00:00, Serial1
C       192.168.10.128 is directly connected, Serial1
R*   0.0.0.0/0 [120/1] via 192.168.10.66, 00:00:15, Serial0
2500A#

Listing E: 2500B's routing table

2500B#sh ip route
[output cut]
Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 5 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
I       192.168.10.32 [100/8576] via 192.168.10.65, 00:00:06, Serial0
R       192.168.10.160 [120/2] via 192.168.10.65, 00:00:19, Serial0
I       192.168.10.128 [100/10476] via 192.168.10.65, 00:00:06, Serial0
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#

This means that the 2500C router will not get the update for the 96 subnet. We can fix this little issue on the 2500B router (see Listing I on page 110). The command redistribute igrp 10 metric 2 tells the 2500A router to change any IGRP advertised routes into RIP and advertise the routes with a hop count of 2.

So let's take a look at the routing table for the 2500C router now (see Listing J on page 110). All routes are now in all routers, and the 2500A router is providing the translation for the network between RIP and IGRP and IGRP and RIP. We've achieved Networld peace!

Listing F: Translating RIP and IGRP

2500A(config-router)#redistribute rip metric ?
  <1-4294967295>  Bandwidth metric in Kbits per second

2500A(config-router)#redistribute rip metric 64 ?
  <0-4294967295>  IGRP delay metric, in 10 microsecond units

2500A(config-router)#redistribute rip metric 64 20000 ?
  <0-255>  IGRP reliability metric where 255 is 100% reliable

2500A(config-router)#redistribute rip metric 64 20000 255 ?
  <1-255>  IGRP Effective bandwidth metric (Loading) where 255 is 100% loaded

2500A(config-router)#redistribute rip metric 64 20000 255 1 ?
  <1-4294967295>  IGRP MTU of the path

2500A(config-router)#redistribute rip metric 64 20000 255 1 1500
2500A(config-router)#

Listing G: Routing table for 2500B router

2500B#sh ip route
[output cut]
Gateway of last resort is 200.43.89.66 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 5 subnets
C       192.168.10.96 is directly connected, Ethernet0
C       192.168.10.64 is directly connected, Serial0
I       192.168.10.32 [100/8576] via 192.168.10.65, 00:00:05, Serial0
I       192.168.10.160 [100/178250] via 192.168.10.65, 00:00:05, Serial0
I       192.168.10.128 [100/10476] via 192.168.10.65, 00:00:05, Serial0
     200.43.89.0/30 is subnetted, 1 subnets
C       200.43.89.64 is directly connected, Serial1
S*   0.0.0.0/0 [1/0] via 200.43.89.66
2500B#
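The metric translation of Listing F, worked through as an added example that is not the article's code: it reproduces the [100/8576], [100/10476] and [100/178250] values shown in Listings D, E and G. Assumed are the IOS default K values (K1 = K3 = 1, the rest 0, so the reliability and load arguments do not enter the result) and the usual 2500-series interface defaults named in the docstring.

```python
"""IGRP composite metric, as an added example (not the article's code).

With the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) the IGRP metric
collapses to
    metric = 10_000_000 // min_bandwidth_kbps + total_delay_us // 10
Each router that receives a route keeps the smallest bandwidth seen along
the path and adds the delay of the interface the update arrived on.
Interface defaults assumed here are the usual IOS ones for a 2500:
Ethernet 10000 kbps / 1000 us, Serial 1544 kbps / 20000 us.
"""
from dataclasses import dataclass
from typing import Tuple

Link = Tuple[int, int]            # (bandwidth in kbps, delay in microseconds)
ETHERNET: Link = (10_000, 1_000)
SERIAL: Link = (1_544, 20_000)


@dataclass(frozen=True)
class IgrpPath:
    min_bw_kbps: int
    delay_us: int

    @property
    def metric(self) -> int:
        """Composite metric as it appears in [100/metric] in show ip route."""
        return 10_000_000 // self.min_bw_kbps + self.delay_us // 10

    def across(self, link: Link) -> "IgrpPath":
        """The same route as seen by the neighbour that receives it over `link`."""
        bw, delay = link
        return IgrpPath(min(self.min_bw_kbps, bw), self.delay_us + delay)


def connected(link: Link) -> IgrpPath:
    """Path for a directly connected network on an interface of type `link`."""
    return IgrpPath(*link)


def redistributed(bw_kbps: int, delay_10us: int) -> IgrpPath:
    """Seed path for `redistribute rip metric <bw> <delay> ...`.

    The delay argument is in 10-microsecond units, as the IOS help in
    Listing F says, so 20000 means 200000 us.
    """
    return IgrpPath(bw_kbps, delay_10us * 10)


if __name__ == "__main__":
    # 192.168.10.32 (2500A Ethernet0) as seen by 2500B across the serial link: 8576
    print("192.168.10.32 at 2500B:", connected(ETHERNET).across(SERIAL).metric)
    # 192.168.10.128 (2500A Serial1) as seen by 2500B: 10476
    print("192.168.10.128 at 2500B:", connected(SERIAL).across(SERIAL).metric)
    # 192.168.10.160, redistributed from RIP with metric 64 20000 255 1 1500
    rip_seed = redistributed(64, 20000)
    # 176250 on 2500A itself is computed here; the listings only show 2500B's view
    print("192.168.10.160 at 2500A:", rip_seed.metric)
    print("192.168.10.160 at 2500B:", rip_seed.across(SERIAL).metric)   # 178250
```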

Listing H: Can you figure out this problem?

2500C#sh ip route
[output cut]
Gateway of last resort is 192.168.10.129 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 4 subnets
R       192.168.10.64 [120/1] via 192.168.10.129, 00:00:08, Serial0
R       192.168.10.32 [120/1] via 192.168.10.129, 00:00:08, Serial0
C       192.168.10.160 is directly connected, Ethernet0
C       192.168.10.128 is directly connected, Serial0
R*   0.0.0.0/0 [120/2] via 192.168.10.129, 00:00:09, Serial0
2500C#

Listing I: Fixing our problem

2500A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500A(config)#router rip
2500A(config-router)#redistribute igrp 10 metric ?
  <0-4294967295>  Default metric
2500A(config-router)#redistribute igrp 10 metric 2
2500A(config-router)#^Z
2500A#
02:58:04: %SYS-5-CONFIG_I: Configured from console by console
2500A#

Listing J: 2500C routing table

2500C#sh ip route
[output cut]
Gateway of last resort is 192.168.10.129 to network 0.0.0.0

     192.168.10.0/27 is subnetted, 5 subnets
R       192.168.10.96 [120/2] via 192.168.10.129, 00:00:11, Serial0
R       192.168.10.64 [120/1] via 192.168.10.129, 00:00:11, Serial0
R       192.168.10.32 [120/1] via 192.168.10.129, 00:00:11, Serial0
C       192.168.10.160 is directly connected, Ethernet0
C       192.168.10.128 is directly connected, Serial0
R*   0.0.0.0/0 [120/2] via 192.168.10.129, 00:00:11, Serial0
2500C#

Conclusion

Now you have a nice example of how and when to use redistribution within your network, as well as how to configure IGRP on a Cisco router.

Redistribution can be really confusing when you're trying to advertise a lot of different networks on your routers that are running multiple routing protocols within your internetwork. Here's a tip: The best way to understand redistribution is to build a network like the one in this article and configure the routing protocols using as many different configuration techniques as you can think of. You'll become an expert in no time!

Getting to know Open Shortest Path First (OSPF)
Aug 9, 2001
By Todd Lammle

This article will introduce you to OSPF and how to configure basic OSPF in an internetwork. OSPF is a true Link State routing algorithm that uses only bandwidth of a link to determine the best path through an internetwork. If you have a large internetwork with a variety of routers from multiple manufacturers, then OSPF is probably your best option as a routing protocol since OSPF is an open standard that all routing manufacturing companies support.

If you have a small to very large network that runs only Cisco routers, then Cisco recommends Enhanced IGRP (EIGRP) as a routing protocol, and I am inclined to agree with them. EIGRP is much easier to configure and maintain in a large internetwork than OSPF is. Unfortunately, you may not have a choice of which routing protocol you must implement.

OSPF was designed and developed by the IETF to provide a scalable, quickly converging, and efficient routing protocol that could be used by all routing equipment. Complete details for OSPF are found in RFC2178.

OSPF: The basics

A Link State routing algorithm, such as OSPF, is more advanced than distance vector protocols because it does not send out periodic routing updates as distance vector routing protocols do. OSPF sends out changes only to the neighbor routers when a change occurs, and then only the actual change is propagated, not the whole routing table, as in RIP and IGRP, for example.

OSPF uses Link State Advertisements (LSAs) and Hello messages to communicate with the neighbor routers on a link. The LSAs are used to update and receive updates to and from neighbor routers, and the Hello messages are sent out every 10 seconds to verify that nothing has changed and that all routers are still functioning properly. If a Hello message is not received in 40 seconds, the neighbor will be considered dead. The Hello protocol is used to establish peering sessions between routers. Hello packets are multicast out every interface on a router.

OSPF areas

OSPF uses areas in place of the autonomous system used by IGRP and EIGRP. An OSPF area consists of a group of routers or interfaces on a router that are assigned to a common area. OSPF allows and uses different area types. When deploying OSPF, there must be a

backbone area, called area 0. You can create different types of areas to connect to the backbone, depending on your network. (The article "Configuring OSPF with multiple areas," on page 123, will focus on the different types of areas that can be used in OSPF.)

Router ID (RID)

A router's RID is very important in OSPF. The RID is the highest IP address configured on a router. For example, an IP address of 200.10.10.2 is higher than 200.10.10.1 and would become the router's RID. A RID is used to determine the Designated Router (DR) in an area. Think of a DR as a congressman who is elected to speak for an area of the country. Instead of having each and every citizen from an area approach Congress, one elected official speaks for the chosen area. OSPF areas have a DR and backup DRs in case the DR is assassinated and can no longer speak for the area.

Link State Advertisements (LSAs)

LSAs are the heart of OSPF's information exchange, and different types of LSAs represent different types of route information:

- LSA Type 1: This is the typical update sent as a multicast to all routers within the same area.
- LSA Type 2: The DR uses this to send network information it learned from a backbone router to routers within the area.
- LSA Type 3/4: These are summary LSAs. LSA 3 is used to send a summary route from a DR to the backbone. LSA 4 is used to send a summary route from an Autonomous System Boundary Router (ASBR) out of the AS.
- LSA Type 5: These are LSAs that contain information about networks outside the Autonomous System and are only received by the ASBR.

Wildcards

Before I show you how to configure OSPF in an internetwork, you must have an understanding of wildcards and how they are used within a router's configuration. Wildcards are used with access-list and OSPF configurations on a router.

A unique aspect of OSPF configuration is that you can choose which interface is participating in an OSPF network or even which subnet will be advertised in an LSA OSPF update. This is much different from how RIP, IGRP, and EIGRP are configured. OSPF provides granular control during configuration, and wildcards are the part of the configuration that tells the router what you are actually trying to advertise.

For example, if you wanted to advertise a Class B network of 172.16.0.0, where the first two octets must match exactly but the last two bytes can be any value, the wildcard would be 0.0.255.255. The 0 in an octet represents an exact match, where 255 represents a wildcard of any value. As another example, if we wanted the Class C network 192.168.10.0 to participate in an OSPF area, then the wildcard would be 0.0.0.255, where the first three octets must match exactly, but the fourth octet can be any value.

Okay, so far wildcards are pretty easy. The problem comes when you want to advertise a subnet within an octet. In other words, you want to advertise 192.168.10.32/27. You would not want to use the 0.0.0.255 wildcard, as that would allow any subnet in the fourth octet to be in that particular OSPF area and you might not want that.

To understand how to configure wildcards other than by denying and permitting an entire octet, you need to really understand the use of block sizes. The available block sizes are: 128, 64, 32, 16, 8, and 4. These never change so they are easy to remember. These are the only block sizes you will use within an OSPF or access-list configuration. To figure out a wildcard for each block, just subtract one (-1). Here is an example of each wildcard block size:

0.0.0.127: Block size of 128
0.0.0.63: Block size of 64
0.0.0.31: Block size of 32
0.0.0.15: Block size of 16
0.0.0.7: Block size of 8
0.0.0.3: Block size of 4

You don't always have to use a block size in the fourth octet. Here is an example of using a block size in the third octet:

ospfa 0.0.15.255

This tells the OSPF process to use a subnet block of 16 in the third octet, but any value is acceptable in the fourth octet.

Configuring OSPF in a single area

OSPF is configured in an area. This is a portion of the network that shares the same routing information; routers within an area are called neighbor routers. Many areas can all be configured together within an internetwork called an Autonomous System (AS). This article will focus on configuring OSPF in a single area. OSPF networks must have an area 0, also referred to as a backbone area, so in this example, I'll configure all routers in a single area of 0.

Figure A shows the internetwork that I will configure. Notice that a VLSM network-addressing scheme has been designed. OSPF will work with this because it is a classless routing protocol, which means it sends prefix subnet mask information with each route update.

To configure OSPF, you need to start the routing process with the router ospf process-id command. The process ID can be any number and is only locally significant, so each router's ID is irrelevant. They can all be the same or all different; it doesn't matter.

Figure A: The internetwork to be configured (diagram not reproduced). 2500B has serial0: 172.16.10.64/30, serial1: 172.16.10.68/30, serial2: 172.16.10.72/30, serial3: 172.16.10.76/30; the remote LAN subnets are 172.16.10.80/29, 172.16.10.88/29, 172.16.10.96/29, and 192.168.0.32/24. One issue we have is that the 2500B router cannot run OSPF, so we will need to provide redistribution.

Listing A: 1005A routing table

1005#sh ip route
[output cut]
Gateway of last resort is not set
C    192.168.0.0/24 is directly connected, Ethernet0
     172.16.0.0/16 is variably subnetted, 7 subnets, 3 masks
D       172.16.0.0/16 is a summary, 00:00:14, Null0
D       172.16.10.80/29 [90/2707456] via 172.16.10.65, 00:00:12, Serial0
D       172.16.10.88/29 [90/23310336] via 172.16.10.65, 00:00:12, Serial0
D       172.16.10.68/30 [90/2681856] via 172.16.10.65, 00:00:12, Serial0
C       172.16.10.64/30 is directly connected, Serial0
D       172.16.10.76/30 [90/23284736] via 172.16.10.65, 00:00:12, Serial0
D       172.16.10.72/30 [90/23284736] via 172.16.10.65, 00:00:12, Serial0
1005#

After you start the OSPF process, you need to tell OSPF which networks you will advertise with the network command and wildcards.

To get OSPF working on this internetwork, we will need to turn off EIGRP for IP since it has an administrative distance of 90 by default, and OSPF has an administrative distance of 110. Because of this, OSPF would never show up in the routing tables if EIGRP were running. After EIGRP is disabled, I will demonstrate how to configure OSPF on each router, and then I will go through the commands on how to verify the configuration.

If you look back to my article "Configuring IGRP routing with redistribution," I performed redistribution between IGRP and RIP. Here, I will demonstrate redistribution from OSPF to EIGRP and EIGRP to OSPF.

1005A

The 1005A router is already configured with EIGRP, and it is working within the internetwork. However, let's take a look at the routing table to verify connectivity (see Listing A on page 113). Looks like everything is still in working order, and the 1005A router is connected to both the 172.16.0.0 network and the 192.168.0.0 network off of Ethernet 0 using EIGRP. (The D is for DUAL, which is the routing algorithm used in EIGRP.)

2500B

From this router, we will start our OSPF configuration by first removing EIGRP and then

Listing B: OSPF configuration on 2500B

2500B>en
Password:
2500B#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500B(config)#no router eigrp 10
2500B(config)#router ospf 10
2500B(config-router)#network 172.16.10.64 0.0.0.3 area 0
2500B(config-router)#network 172.16.10.68 0.0.0.3 area 0
2500B(config-router)#network 172.16.10.72 0.0.0.3 area 0
2500B(config-router)#network 172.16.10.76 0.0.0.3 area 0

Listing C: Use this command if you're not using VLSM

2500B(config-router)#network 172.16.10.0 0.0.0.255 area 0

Listing D: Make sure that no routers are overlapping advertised networks

2500C>en
Password:
2500C#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500C(config)#no router eigrp 10
2500C(config)#router ospf 1
2500C(config-router)#network 172.16.10.70 0.0.0.0 area 0
2500C(config-router)#network 172.16.10.81 0.0.0.0 area 0

adding the OSPF process (see Listing B). (Later in this article, we'll configure EIGRP back on 2500B for redistribution purposes.)

I configured each individual interface into OSPF area 0 using a wildcard block size of 4. However, you could use this one command if you are not using VLSM (see Listing C). This command will tell any interface configured into the 172.16.10.0 network to be in OSPF area 0. My first example was to show you how block sizes can be used, and if you use the first command strings, you'll look really smart! One problem with the second command string example is that if you are using VLSM and you use the 172.16.10.0 0.0.0.255 command, your router is now saying that all networks in the

Listing E: 2500D configuration with two block sizes

2500D>en
Password:
2500D#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500D(config)#no router eigrp 10
2500D(config)#router ospf 34
2500D(config-router)#network 172.16.10.72 0.0.0.3 area 0
2500D(config-router)#network 172.16.10.88 0.0.0.7 area 0

Listing F: 2500E configuration

2500E>en
Password:
2500E#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500E(config)#no router eigrp 10
2500E(config)#router ospf 5
2500E(config-router)#network 172.16.10.76 0.0.0.3 area 0
2500E(config-router)#network 172.16.10.96 0.0.0.7 area 0

Listing G: Use the show ip route command

2500E#sh ip route
Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
C       172.16.10.96/29 is directly connected, Ethernet0
O       172.16.10.80/29 [110/138] via 172.16.10.77, 00:00:16, Serial0
O       172.16.10.88/29 [110/943] via 172.16.10.77, 00:00:16, Serial0
O       172.16.10.68/30 [110/128] via 172.16.10.77, 00:00:16, Serial0
O       172.16.10.64/30 [110/128] via 172.16.10.77, 00:00:16, Serial0
C       172.16.10.76/30 is directly connected, Serial0
O       172.16.10.72/30 [110/933] via 172.16.10.77, 00:00:16, Serial0
2500E#

fourth octet can be found on this router. This is not the case and can cause the OSPF network to be unstable if you use this same command string on another router.

2500C

To configure the 2500C router, I need to first turn off EIGRP routing and then configure the OSPF process. The 2500C is connected to

Listing H: Enabling EIGRP

2500B>en
Password:
2500B#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500B(config)#router eigrp 10
2500B(config-router)#network 172.16.0.0

Listing I: The 2500B routing table

2500B#sh ip route
Gateway of last resort is not set

D    192.168.0.0/24 [90/2195456] via 172.16.10.66, 00:00:20, Serial0
     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
O       172.16.10.96/29 [110/879] via 172.16.10.78, 00:01:50, Serial3
O       172.16.10.80/29 [110/74] via 172.16.10.70, 00:01:50, Serial1
O       172.16.10.88/29 [110/879] via 172.16.10.74, 00:01:50, Serial2
C       172.16.10.68/30 is directly connected, Serial1
C       172.16.10.64/30 is directly connected, Serial0
C       172.16.10.76/30 is directly connected, Serial3
C       172.16.10.72/30 is directly connected, Serial2
2500B#

Listing J: The 2500C router

2500C>sh ip route
Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
O       172.16.10.96/29 [110/943] via 172.16.10.69, 00:05:18, Serial0
C       172.16.10.80/29 is directly connected, Ethernet0
O       172.16.10.88/29 [110/943] via 172.16.10.69, 00:05:18, Serial0
C       172.16.10.68/30 is directly connected, Serial0
O       172.16.10.64/30 [110/128] via 172.16.10.69, 00:05:18, Serial0
O       172.16.10.76/30 [110/933] via 172.16.10.69, 00:05:18, Serial0
O       172.16.10.72/30 [110/933] via 172.16.10.69, 00:05:18, Serial0
2500C>

172.16.10.68/30 and 172.16.10.80/29. When I am in production, I use this type of command string to make sure that no routers overlap what networks they advertise (see Listing D on page 114). Notice that I used the IP address of each interface with the wildcard 0.0.0.0. This will ensure that only those two interfaces are placed in area 0 and nothing can overlap.

2500D

The 2500D configuration is the same as the others, although I will demonstrate two different block sizes: 4 and 8 (see Listing E on page 115).

It is very important to remember to not cross over block sizes with another block size used on a different router. For example, if I typed 172.16.10.72 0.0.0.31, this would say that any interface configured between 64 and 95 will be in area 0. This will be no problem as long as another router is not advertising those same addresses.

2500E

Listing F (page 115) shows the last configuration for our network. I'll use the same configuration as I did for 2500D.

To verify that our OSPF network is working, I'll use the show ip route command (see Listing G on page 115). The problem we have is that we do not see the 192.168.0.32/24 network that is connected to the 1005A router. This is because we need to redistribute OSPF to EIGRP from the 2500B router. First, we must turn on EIGRP for the router that will provide the translation between EIGRP and OSPF (see Listing H).

Let's now look at the 2500B routing table (see Listing I). We can see the 192.168.0.0 on the 2500B and 1005A routers only because those are the two routers running EIGRP. Let's take a look at the 2500C router (see Listing J); notice that it does not see the 192.168.0.0 network.
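Deriving wildcards from block sizes and checking the "do not cross over block sizes" rule from the Wildcards section and the 2500D discussion, as an added example that is not the article's code. Assumed: a statement counts as overlapping when its address range reaches into a subnet attached to some other router but not to this one; addresses follow Figure A and Listings B, D, E and F, with the 1005A LAN taken as 192.168.0.0/24 as Listing A shows it.

```python
"""OS wildcard masks and the block-size rule, as an added example.

Not the article's code. wildcard_for() derives the wildcard the way the
article describes (block size minus one), statement_range() shows which
addresses a `network <net> <wildcard>` statement really covers, and
check_overlap() applies the article's rule that a router's statements
should not reach into subnets attached to other routers. Router names and
addresses follow Figure A; 1005A (EIGRP only) is listed only so that its
subnets count as foreign to the OSPF routers.
"""
import ipaddress
from typing import Dict, List, Tuple

Statement = Tuple[str, str]   # (network, wildcard) as typed after `network`


def wildcard_for(prefix: str) -> str:
    """'172.16.10.72/30' -> '0.0.0.3', '172.16.10.88/29' -> '0.0.0.7',
    '172.16.0.0/20' -> '0.0.15.255': the host bits set, i.e. block size - 1."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def addr_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def statement_range(stmt: Statement) -> Tuple[int, int]:
    """Lowest and highest address the statement matches. A 0 bit in the
    wildcard must match the network exactly; a 1 bit may take any value."""
    net, wild = stmt
    n, w = addr_to_int(net), addr_to_int(wild)
    low = n & ~w
    return low, low | w


def matches(stmt: Statement, addr: str) -> bool:
    """Would this statement place an interface with address `addr` in the area?"""
    low, high = statement_range(stmt)
    return low <= addr_to_int(addr) <= high


def check_overlap(routers: Dict[str, dict]) -> List[str]:
    """One warning per statement/subnet pair where the statement's range
    overlaps a subnet the router is not itself attached to.
    `routers` maps name -> {"attached": [prefixes], "network": [statements]}."""
    warnings = []
    for name, r in routers.items():
        own = {ipaddress.ip_network(p) for p in r["attached"]}
        foreign = {ipaddress.ip_network(p)
                   for other, rr in routers.items() if other != name
                   for p in rr["attached"]} - own
        for stmt in r["network"]:
            low, high = statement_range(stmt)
            for subnet in sorted(foreign):
                if low <= int(subnet.broadcast_address) and int(subnet.network_address) <= high:
                    warnings.append(f"{name}: network {stmt[0]} {stmt[1]} also covers {subnet}")
    return warnings


def with_statements(routers: Dict[str, dict], name: str, stmts: List[Statement]) -> Dict[str, dict]:
    """Copy of `routers` with one router's network statements replaced."""
    copy = {k: dict(v) for k, v in routers.items()}
    copy[name]["network"] = list(stmts)
    return copy


# Figure A as configured in Listings B, D, E and F.
FIGURE_A = {
    "2500B": {"attached": ["172.16.10.64/30", "172.16.10.68/30", "172.16.10.72/30", "172.16.10.76/30"],
              "network": [("172.16.10.64", "0.0.0.3"), ("172.16.10.68", "0.0.0.3"),
                          ("172.16.10.72", "0.0.0.3"), ("172.16.10.76", "0.0.0.3")]},
    "2500C": {"attached": ["172.16.10.68/30", "172.16.10.80/29"],
              "network": [("172.16.10.70", "0.0.0.0"), ("172.16.10.81", "0.0.0.0")]},
    "2500D": {"attached": ["172.16.10.72/30", "172.16.10.88/29"],
              "network": [("172.16.10.72", "0.0.0.3"), ("172.16.10.88", "0.0.0.7")]},
    "2500E": {"attached": ["172.16.10.76/30", "172.16.10.96/29"],
              "network": [("172.16.10.76", "0.0.0.3"), ("172.16.10.96", "0.0.0.7")]},
    "1005A": {"attached": ["172.16.10.64/30", "192.168.0.0/24"], "network": []},
}

if __name__ == "__main__":
    print("as configured:", check_overlap(FIGURE_A) or "no overlap")
    # The article's cautionary example: 0.0.0.31 on 2500D sweeps in .64 through .95
    for w in check_overlap(with_statements(FIGURE_A, "2500D", [("172.16.10.72", "0.0.0.31")])):
        print(w)
    # Listing C's shortcut on a VLSM network claims every subnet in the fourth octet
    for w in check_overlap(with_statements(FIGURE_A, "2500B", [("172.16.10.0", "0.0.0.255")])):
        print(w)
```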

Listing K: Redistributing EIGRP into OSPF

2500B(config)#router eigrp 10
2500B(config-router)# redistribute ospf 10 metric 64 20000 255 1 1500

Listing L: 1005A routing table showing all OSPF routes

1005#sh ip route
Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, Ethernet0
     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
D EX    172.16.10.96/29 [170/45632000] via 172.16.10.65, 00:01:49, Serial0
D EX    172.16.10.80/29 [170/45632000] via 172.16.10.65, 00:01:49, Serial0
D EX    172.16.10.88/29 [170/45632000] via 172.16.10.65, 00:01:49, Serial0
D       172.16.10.68/30 [90/2681856] via 172.16.10.65, 00:07:19, Serial0
C       172.16.10.64/30 is directly connected, Serial0
D       172.16.10.76/30 [90/23284736] via 172.16.10.65, 00:07:19, Serial0
D       172.16.10.72/30 [90/23284736] via 172.16.10.65, 00:07:19, Serial0
1005#

Listing M: Use this command to redistribute EIGRP into OSPF

2500B(config)#router ospf 10
2500B(config-router)#redistribute eigrp 10 metric 10 subnets

Listing N: Our 192.168.0.0 network shows up as an external route

2500C>sh ip route
Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
O       172.16.10.96/29 [110/943] via 172.16.10.69, 00:01:25, Serial0
C       172.16.10.80/29 is directly connected, Ethernet0
O       172.16.10.88/29 [110/943] via 172.16.10.69, 00:01:25, Serial0
C       172.16.10.68/30 is directly connected, Serial0
O       172.16.10.64/30 [110/128] via 172.16.10.69, 00:01:25, Serial0
O       172.16.10.76/30 [110/933] via 172.16.10.69, 00:01:25, Serial0
O       172.16.10.72/30 [110/933] via 172.16.10.69, 00:01:25, Serial0
O E2 192.168.0.0/24 [110/10] via 172.16.10.69, 00:01:25, Serial0
2500C>

Listing K on page 117 shows the commands to have the 2500B redistribute EIGRP into OSPF. This will now allow OSPF to be translated into EIGRP, and OSPF routes will now be sent to the 1005A router as EIGRP. The metric command string is bandwidth, delay, reliability, load, and MTU.

Listing L (page 117) shows the 1005A routing table now. Notice that the 1005A can now see all the OSPF routes on the network as EIGRP-found routes. The 2500B router is redistributing the OSPF routes into EIGRP. However, the routers running OSPF cannot see the 192.168.0.0 network because EIGRP is not being redistributed into OSPF. Listing M (page 117) shows the command. Very odd command, I know. The subnets command at the end is really not documented, although Cisco says that when that command is available when redistributing OSPF, use it. The metric 10 is the cost of the link we are advertising.

Listing N shows the routing table on the 2500C router now. The 192.168.0.0 network is showing up as an external route into OSPF. In other words, OSPF sees this network as coming from a different AS.

Conclusion

OSPF is a fast, strong routing protocol that can work great in large networks if configured correctly. However, if you have a small configuration problem on just one of your routers in your network, then your whole OSPF network can become unstable. This isn't always the case, but I have seen it happen many times.

And don't forget—the O in OSPF stands for open, which means its specifications are totally open to the public. Even Cisco gets open source!

118 Administrator's Guide to TCP/IP, Second Edition

Summarizing IP routes with EIGRP and OSPF
Aug 16, 2001
By Todd Lammle

Summarizing (sometimes referred to as supernetting) is the process of combining multiple routes listed in a routing table and listing them as one route. The advantage to summarization is lower overhead on the router, saving memory and CPU processing time. This can be important in very large networks, which can have hundreds of routes. Without summarization, each router must have a route to every network listed in the routing table. This might be impossible with large networks because a router may lack sufficient memory or CPU processing power.

Other possible routing solutions on a large network include creating default routes on stub networks. The default route command creates a static route that works somewhat like a default gateway, but not exactly. When a router is configured with a default route, and a packet is destined for a route not listed in the routing table, the packet is forwarded by the router to the listed default route. This will allow you to turn off dynamic routing, and the router will then forward all packets destined for a remote network to the listed default route. However, the router must be part of a stub network. What this means is that the router only has a connection to a LAN and to the default route and not a third network. If the router has a third network connection, then you cannot use default routing as your only routing for the router because a loop will occur. This will be seen with the traceroute command.

You can use a combination of static and default routing on the router to solve your routing needs. However, this doesn't solve the problem of too many routing table entries in a router that does not have the power to handle multiple routes. If possible, you can add an access list that eliminates unwanted routes being added to a routing table. This is an option that has administrative overhead and can be difficult and cumbersome.

This article will assume a network design that allows summarization points as a solution for too many routes in a router's routing table. You will learn how to summarize contiguous blocks of networks and then configure the summary routes on a Cisco router using OSPF and EIGRP.

Designing summary routes

As mentioned, summary routes are important in a larger network. However, the problem is that routes must be in contiguous blocks to be summarized. What this means is that, for example, networks 172.16.32–63.0 are located in the same area and not spread out among different buildings or cities.

Since networks are typically installed over years, not weeks or months, finding a network design that considered a building for a possible future summarization point is usually impossible. Most networks were built on the fly and the network administrators did not even understand IP addressing; they just had a list of available networks and valid hosts. When a building needed a new network installed, the administrators just configured the next IP subnet on their list, without thinking in contiguous blocks. There is not much you can do with this type of network and unfortunately in all my years of consulting, I never once found an existing large network that was in contiguous blocks. The only time I was able to perform summarization for a large client was when they moved into a new campus environment and I was able to build the network from scratch. That was a great experience, but probably one I'll never have again. If you ever experience being able to build a network from the ground up in a new building or campus, you may want to consider it a once-in-a-lifetime experience, so enjoy it, and design it in contiguous blocks!

Once you have your physical network in place, you can then add an IP addressing scheme to your network. If possible, tell the customer that AppleTalk and IPX are not supported on the new wiring and hardware. If you're lucky, they'll buy that, discard their old computers, and you can then put in a pure IP network. It's worth a shot.

Routing and Design 119

I typically would tell you that deciding on an IP scheme is done on a case-by-case project, etc. That is not really true anymore, though. The subnet mask assigned to each network is based on the needed number of valid hosts for a particular network, but the actual IP address should be 10.0.0.0. Why? Because this is a private IP address that is not routable on the Internet. Yes, there are other private IP addresses, but the 10.0.0.0 provides the most flexibility in your network design. This private IP addressing scheme provides another layer of security for your internal network. You then would use Port Address Translation (PAT) on the boundary to the Internet. NAT/PAT is another subject, and I won't discuss it more here. However, since you can use PAT on the boundary router, you can then use the 10.0.0.0 IP address on your internal networks and let the boundary router translate the private IP addresses to a valid IP address if a packet is destined for the Internet.

Once you have your physical network design completed, as well as an IP addressing scheme, you can configure your routers and finally, as a very last step to your configuration, configure summary routes. Do not configure summary routes until your network is up and running without any problems. Designing and implementing networks is harder than it may seem, and configuring your network with a logical step-by-step approach can save you many a headache!

A sample design

Figure A shows the physical network design that I will use to configure our summary routes. Consider that the serial WAN link between the 1005A and 2500B routers is a 128K link. Terrible thought, but that makes a case for creating a summary route from the 2500B to the 1005A listing all networks connected to the 2500C, D, and E routers as one route.

[Figure A: the physical network, still with the 172.16.10.x addresses of the earlier articles. 2500B serial0: 172.16.10.64/30 (to the 1005A), serial1: 172.16.10.68/30 (to 2500C), serial2: 172.16.10.72/30 (to 2500D), serial3: 172.16.10.76/30 (to 2500E); LANs 172.16.10.80/29 off 2500C, 172.16.10.88/29 off 2500D, 172.16.10.96/29 off 2500E; 192.168.0.32/24 off the 1005A. Obviously, this is a smaller network than you would typically have to worry about when configuring your routing table.]

Since the 1005A router is a small router with very low memory and CPU processing power, this now becomes a good example.

First, I need an IP addressing scheme, in contiguous blocks. Since we are using a 10.0.0.0 network, this will be very easy because of the number of subnets available with this IP scheme.

For the 2500B, C, D, and E routers, I will use a network ID of 10.1.x.0, where x represents different subnets for each physical network. The LAN off the 1005A will be in the 10.2.2.0 network, which will allow me to summarize the 10.1.0.0 network easily. Here are my configurations for the routers:

1005A:
interface serial 0: 10.2.2.5/30
interface ethernet 0: 10.2.2.33/27

2500B:
interface serial 0: 10.2.2.6/30
interface serial 1: 10.1.1.5/30
interface serial 2: 10.1.1.9/30
interface serial 3: 10.1.1.13/30

2500C:
interface serial 0: 10.1.1.6/30
interface ethernet 0: 10.1.1.33/27

2500D:
interface serial 0: 10.1.1.10/30
interface ethernet 0: 10.1.1.65/27

2500E:
interface serial 0: 10.1.1.14/30
interface ethernet 0: 10.1.1.97/27

I have used a VLSM design with 255.255.255.252 masks for the WANs and 255.255.255.224 for the LANs. This provides two valid hosts for each WAN and 30 hosts for each LAN. Figure B shows the network design with our IP addresses assigned to each interface.

[Figure B: the same network with the new 10.x addresses assigned to each interface. I will configure the routers and then turn on OSPF for each router.]

Listing A shows all the routes in the routing table of the 1005A router. The routes show up as RIP-found routes since I am redistributing between the 2500B and 1005A router from OSPF to RIP.

Notice that the 1005A has eight subnets showing in the routing table. We can make this three routes with a summary route on the 2500B router (see Listing B on page 122). This will then summarize the 10.1.0.0 network as one entry to the 1005A router. All network devices with the range 10.1.0.0 through 10.1.255.254 will then have to be located off the router 2500B. You could also use the summary address 10.1.1.0 255.255.255.0, which will then summarize the network 10.1.1.0 through 10.1.1.254. This would be better if you needed a more succinct summary route.

To get the above summary to work from OSPF to RIP, complicated redistribution commands were added to the 2500B router. This summary route between OSPF and RIP will not work by default.

Listing A: The 1005A routing table
1005A#sh ip route

10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R 10.1.1.8/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.12/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.4/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
C 10.2.2.4/30 is directly connected, Serial0
R 10.1.1.32/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
C 10.2.2.32/27 is directly connected, Ethernet0
R 10.1.1.64/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.96/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
1005A#

Before we configure summary routes with EIGRP, let's take a look at the 1005A routing table (see Listing C). The 1005A can run EIGRP so no redistribution is needed between the 2500B and the 1005A. Listing D shows how you add a summary route with EIGRP. Notice that the summary is placed on the interface for EIGRP and not under the routing protocol configuration like it is with OSPF.

The 2500B is now summarizing and sending only one route about network 10.1.1.0 to the 1005A router instead of six separate routes. Let's take a peek at the 1005A router (see Listing E), which now has in the routing table only the two directly connected routes and one summary route for network 10.1.1.0 out serial0.

Listing B: Setting up a summary route on 2500B
2500B#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500B(config)#router ospf 1
2500B(config-router)#area 0 range 10.1.0.0 255.255.0.0
2500B(config-router)#^Z

Listing C: Our 1005A routing table now
1005A#sh ip route

10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
D 10.1.1.8/30 [90/23284736] via 10.2.2.6, 00:07:43, Serial0
D 10.1.1.12/30 [90/23284736] via 10.2.2.6, 00:07:43, Serial0
D 10.1.1.4/30 [90/2681856] via 10.2.2.6, 00:07:43, Serial0
C 10.2.2.4/30 is directly connected, Serial0
D 10.1.1.32/27 [90/2707456] via 10.2.2.6, 00:04:43, Serial0
C 10.2.2.32/27 is directly connected, Ethernet0
D 10.1.1.64/27 [90/23310336] via 10.2.2.6, 00:04:56, Serial0
D 10.1.1.96/27 [90/23310336] via 10.2.2.6, 00:03:55, Serial0
1005A#

Listing D: Adding a summary route with EIGRP
2500B#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500B(config)#router eigrp 10
2500B(config-router)#no auto-summary
2500B(config-router)#int s0
2500B(config-if)#ip summary-address eigrp 10 10.1.1.0 255.255.255.0
2500B(config-if)#^Z
2500B#

Listing E: 1005A showing the two directly connected routes and the summary route
1005A#sh ip route
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D 10.1.1.0/24 [90/2681856] via 10.2.2.6, 00:02:38, Serial0
C 10.2.2.4/30 is directly connected, Serial0
C 10.2.2.32/27 is directly connected, Ethernet0
1005A#
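The design rule behind Listings B and D (every address inside the summary must sit behind the summarizing router) can be checked mechanically. The following Python is an added example, not code from the article: it parses the 1005A table from Listing A, computes the smallest prefix covering the RIP-learned 10.1.1.x routes, and verifies that a candidate summary such as Listing B's 10.1.0.0/16 or the 10.1.1.0/24 alternative covers nothing the 1005A reaches any other way. Only the Listing A text is from the article; the functions and candidate summaries are constructed here.

```python
"""Checking a summary route against the 1005A's routing table (Listing A).

Added example, not part of the article.  The routing-table text below is
copied from Listing A; everything else is constructed for the illustration.
"""
import ipaddress
import re

# Listing A: the 1005A routing table before summarization (from the article).
LISTING_A = """\
R 10.1.1.8/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.12/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.4/30 [120/1] via 10.2.2.6, 00:00:15, Serial0
C 10.2.2.4/30 is directly connected, Serial0
R 10.1.1.32/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
C 10.2.2.32/27 is directly connected, Ethernet0
R 10.1.1.64/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
R 10.1.1.96/27 [120/2] via 10.2.2.6, 00:00:15, Serial0
"""

# One `show ip route` line: code, prefix, then either "[AD/metric] via <hop>,
# <age>," for a learned route or "is directly connected," for a connected one.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+(?: [A-Z0-9]+)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\] via (?P<nexthop>\d+(?:\.\d+){3}), \S+, |is directly connected, )"
    r"(?P<iface>\S+)$"
)


def parse_routes(text):
    """Return (code, network, next_hop or None, interface) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["code"], ipaddress.ip_network(m["prefix"]),
                           m["nexthop"], m["iface"]))
    return routes


def smallest_summary(networks):
    """Smallest single prefix that covers every network given (all IPv4)."""
    nets = list(networks)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def misrouted_by(summary, routes, via):
    """Prefixes inside `summary` that the table does NOT reach through `via`.

    The article's rule is that everything in the summary range must sit
    behind the summarizing router.  Any prefix returned here means the
    summary claims address space that lives elsewhere: a design error even
    while the more specific route still wins the lookup today.
    """
    summary = ipaddress.ip_network(summary)
    return sorted(str(net) for _, net, hop, _ in routes
                  if hop != via and net.overlaps(summary))


if __name__ == "__main__":
    routes = parse_routes(LISTING_A)
    remote = [net for code, net, _, _ in routes if code == "R"]
    print("smallest summary of the RIP routes:", smallest_summary(remote))
    for candidate in ("10.1.1.0/24", "10.1.0.0/16", "10.0.0.0/8"):
        overlap = misrouted_by(candidate, routes, "10.2.2.6")
        print(candidate, "overlaps:", overlap or "nothing")
```

A summary of 10.0.0.0/8 is shown only to make the failure visible: it would swallow the 1005A's own 10.2.2.x networks, which the check reports.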

Conclusion

The example in this article showed you how to configure summary routes with EIGRP and OSPF. Typically, you would only use summary routes on larger networks, but this example is helpful in describing how to both design and implement a network design in a contiguous block. If you have all Cisco routers, run EIGRP, and if you create your network design correctly, you can easily summarize and have a smooth-running network.

Configuring OSPF with multiple areas
Sep 13, 2001
By Todd Lammle

Open Shortest Path First (OSPF) is a fast, strong routing protocol that can be used effectively in large, multivendor routed networks. As I mentioned in "Getting to know Open Shortest Path First (OSPF)," on page 111, if you have all Cisco routers, you'll be better off running Enhanced IGRP (EIGRP). EIGRP is a Cisco proprietary protocol that runs great in very small to very large Cisco networks, but it will not work in networks with multivendor routers.

As hard as this may be to believe, not all networks have all Cisco routers (no!), and a routing protocol must be used that can work in a large internetwork with multiple router vendors. OSPF has this capability, but unfortunately, it is much harder to configure than EIGRP in a larger network.

OSPF in multiple areas

The other article focused on the basics of OSPF and how to configure OSPF in a single area. Remember that OSPF must have an area 0 and that any other area must connect to area 0. I'll use the same network here that I used in that article. See Figure A for a review of the network. We'll use the same IP addresses, but each Ethernet network will be in a different OSPF area (except the Ethernet network off of the 1005A router, since that router does not run OSPF).

[Figure A: the network from the earlier article divided into OSPF areas. Area 1 is the 172.16.10.80/29 LAN off 2500C, Area 2 the 172.16.10.88/29 LAN off 2500D, and Area 3 the 172.16.10.96/29 LAN off 2500E; the 2500B's serial links to those routers (serial1: 172.16.10.68/30, serial2: 172.16.10.72/30, serial3: 172.16.10.76/30) form Area 0. 2500B serial0 (172.16.10.64/30) leads to the 1005A, whose Ethernet is 192.168.0.32/24.]

Typically, you will not use your WAN network as area 0, but this network will still work as an example of a multiple area OSPF network.

Configuring multiple area OSPF networks

Since we are still using the same IP addresses from the earlier article, I'll just remove OSPF on the 2500C, D, and E routers and then reconfigure OSPF. This is the easiest option.

The 1005A and 2500B routers do not need to be configured since they are already running EIGRP between each other and we have already redistributed OSPF into EIGRP and EIGRP into OSPF on the 2500B router.

Let's start by reconfiguring the 2500C router (see Listing A). Interface Ethernet0 is now going to be in area 1, and serial0 will be in area 0. We need to be careful here and use a granular approach when configuring each interface.

Notice the wildcard 0.0.0.0, which tells the OSPF process 1 to find the IP address listed on an active interface and place the found interface into the area listed in the command string. This is the best approach when configuring multiple areas since it would prevent us from accidentally configuring a network range into the wrong area with an overlap.

To configure the 2500D router, we'll remove OSPF and then place Ethernet0 into area 2 and serial0 into area 0 (see Listing B). I did not have to use the process ID of 34 again; I could have used any number. Remember that the process ID in OSPF is irrelevant. The only time it matters is if you have an Autonomous System Boundary Router (ASBR) (which means that the router connects to two or more Autonomous Systems).

Now, I'll configure the last router. Router 2500E places Ethernet0 into area 3 and serial0 into the backbone area 0 (see Listing C).

Now, let's take a look at the routing table of the 2500B router (see Listing D), which should show any OSPF inter-area routes.

Listing A: Reconfiguring router 2500C
2500C#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500C(config)#no router ospf 1
2500C(config)#router ospf 1
2500C(config-router)#network 172.16.10.81 0.0.0.0 area 1
2500C(config-router)#network 172.16.10.70 0.0.0.0 area 0
2500C(config-router)#^Z
2500C#

Listing B: Configuring the 2500D router
2500D#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500D(config)#no router ospf 34
2500D(config)#router ospf 34
2500D(config-router)#network 172.16.10.89 0.0.0.0 area 2
2500D(config-router)#network 172.16.10.74 0.0.0.0 area 0
2500D(config-router)#^Z
2500D#

Listing C: Configuring the 2500E router
2500E#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500E(config)#no router ospf 10
2500E(config)#router ospf 1
2500E(config-router)#network 172.16.10.97 0.0.0.0 area 3
2500E(config-router)#network 172.16.10.78 0.0.0.0 area 0
2500E(config-router)#^Z
2500E#
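The wildcard argument in Listings A to C decides which interfaces each `network ... area` statement claims. The following Python is an added example, not code from the article or from Cisco: it replays that wildcard matching over the 2500C's two interface addresses (from Listings A and G) and flags an interface claimed for two different areas. The exact statements are Listing A's; the looser `172.16.10.0 0.0.0.255` statement is constructed to show the overlap the article says the 0.0.0.0 wildcard avoids.

```python
"""Which interfaces an IOS `network <address> <wildcard> area <n>` statement catches.

Added example, not from the article.  The two 2500C interfaces come from
Listings A and G; the looser network statement below is constructed to show
the overlap the article says the 0.0.0.0 wildcard avoids.
"""
import ipaddress

# 2500C interface addresses (from the article).
INTERFACES_2500C = {
    "Ethernet0": "172.16.10.81/29",   # area 1 in Listing A
    "Serial0": "172.16.10.70/30",     # area 0 in Listing A
}


def wildcard_match(address, network, wildcard):
    """True if `address` matches `network` under an IOS wildcard mask.

    A 0 bit in the wildcard means the address bit must equal the network bit;
    a 1 bit means "don't care".  0.0.0.0 theref matches exactly one address.
    """
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return a & care == n & care


def matching_areas(interfaces, statements):
    """For each interface, the sorted list of areas whose statements match it.

    `statements` is a list of (network, wildcard, area) triples as typed under
    `router ospf`.  More than one area for an interface means the configuration
    is ambiguous about where that interface belongs.
    """
    result = {}
    for name, cidr in interfaces.items():
        address = cidr.split("/")[0]
        result[name] = sorted({area for network, wildcard, area in statements
                               if wildcard_match(address, network, wildcard)})
    return result


def overlapping(interfaces, statements):
    """Interfaces claimed by statements for two or more different areas."""
    return sorted(name for name, areas in matching_areas(interfaces, statements).items()
                  if len(areas) > 1)


# Listing A as typed on the 2500C: one interface per statement.
EXACT = [("172.16.10.81", "0.0.0.0", 1), ("172.16.10.70", "0.0.0.0", 0)]

# Constructed alternative: a whole-subnet wildcard for area 1 also catches serial0.
LOOSE = [("172.16.10.0", "0.0.0.255", 1), ("172.16.10.70", "0.0.0.0", 0)]

if __name__ == "__main__":
    for label, statements in (("exact", EXACT), ("loose", LOOSE)):
        print(label, matching_areas(INTERFACES_2500C, statements),
              "overlap:", overlapping(INTERFACES_2500C, statements) or "none")
```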

Listing D: The 2500B routing table
2500B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

D 192.168.0.0/24 [90/2195456] via 172.16.10.66, 00:35:53, Serial0
172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
O IA 172.16.10.96/29 [110/879] via 172.16.10.78, 00:01:02, Serial3
O IA 172.16.10.80/29 [110/74] via 172.16.10.70, 00:01:02, Serial1
O IA 172.16.10.88/29 [110/879] via 172.16.10.74, 00:01:02, Serial2
C 172.16.10.68/30 is directly connected, Serial1
C 172.16.10.64/30 is directly connected, Serial0
C 172.16.10.76/30 is directly connected, Serial3
C 172.16.10.72/30 is directly connected, Serial2
2500B#

Cool. Notice that the O IA areas are what the 2500B router is receiving. Listing E shows the 1005A routing table, which looks the same as when we had only one OSPF area. The D EX is a route received from an external AS.

Verifying OSPF

It is important to understand the command used to verify OSPF. The first command you typically will use is the show ip route command, but since we already covered that in the previous article, we will use the more advanced OSPF commands here instead.

From the 2500B router, the show ip ospf neighbor command will show us Listing F. Notice the first thing shown is the RID of each neighbor. This is the highest IP address of each router. This is important because the highest RID decides which router is the Designated Router (DR) for each area.

From the 2500C router, Listing G shows the show ip ospf interface command. Notice that it shows the RID of the router under each interface as well as the area each interface is assigned. The hello time is shown as 10 and the dead time as 40 seconds. If the 2500B does not hear a hello message from a neighbor router in four update periods, it will consider that neighbor dead.

Another thing to notice from this output is the network type. By default, a LAN interface will be broadcast network type and a WAN interface will be point-to-point.

OSPF area types

The reason you would create multiple area types is to avoid overwhelming routers with a huge routing table and topology database when they do not need to understand this information.

To reduce router overhead in a large OSPF network, you can create different types of areas. In the example above, I created what was called a standard area. This is an area that is connected to the backbone, and the Area Border Router (ABR) communicates to the routers in the internal area.

Another type of area that can be used is called a stub area. This reduces router overhead since the ABR will only send a default route to the internal routers in the area.

If you have an entirely Cisco network, you can use what is called a totally stubby area, which will reduce the overhead associated with OSPF further. The totally stubby area does not receive type 5 LSAs, which means that external routes will not be advertised into the area, only a default route, just like a stub route. However, the totally stub area will not receive summary routes from the ABR; the stub network will. (Understand that this is Cisco proprietary.)

If you wanted to create a stub network that does not receive summary routes but that does receive external redistributed routes, then you would use the not-so-stubby area (NSSA).

Configuring area types

In this section, I will show you how to configure each type of area. Configuring a stub area is pretty simple. From the ABR, just use the area 1 stub command. For example, on the 2500C router, you would use the command shown in Listing H (page 128).

We cannot verify this command, because we would need another router within area 1 to check the routing table. If we did have a router in area 1, that router would now only receive a default route to the ABR. This is used to save memory on internal area routers because the internal routers will not have to have all routes to all networks in the routing table. They only need the path out of the area.

Listing E: The 1005A routing table
1005#sh ip route
Gateway of last resort is not set

C 192.168.0.0/24 is directly connected, Ethernet0
172.16.0.0/16 is variably subnetted, 7 subnets, 2 masks
D EX 172.16.10.96/29 [170/45632000] via 172.16.10.65, 00:05:05, Serial0
D EX 172.16.10.80/29 [170/45632000] via 172.16.10.65, 00:15:28, Serial0
D EX 172.16.10.88/29 [170/45632000] via 172.16.10.65, 00:12:06, Serial0
D 172.16.10.68/30 [90/2681856] via 172.16.10.65, 00:40:14, Serial0
C 172.16.10.64/30 is directly connected, Serial0
D 172.16.10.76/30 [90/23284736] via 172.16.10.65, 00:40:14, Serial0
D 172.16.10.72/30 [90/23284736] via 172.16.10.65, 00:40:14, Serial0
1005#

Listing F: Using show ip ospf on 2500B
2500B#sh ip ospf neighbor

Neighbor ID     Pri   State     Dead Time   Address        Interface
172.16.10.81    1     FULL/ -   00:00:31    172.16.10.70   Serial1
172.16.10.89    1     FULL/ -   00:00:31    172.16.10.74   Serial2
172.16.10.97    1     FULL/ -   00:00:36    172.16.10.78   Serial3
2500B#

Listing G: Using show ip ospf on 2500C
2500C#sh ip ospf interface
Ethernet0 is up, line protocol is up
  Internet Address 172.16.10.81/29, Area 1
  Process ID 1, Router ID 172.16.10.81, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 172.16.10.81, Interface address 172.16.10.81
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
Serial0 is up, line protocol is up
  Internet Address 172.16.10.70/30, Area 0
  Process ID 1, Router ID 172.16.10.81, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.10.77
  Suppress hello for 0 neighbor(s)

To configure a totally stubby area, where a summary route will not be advertised to internal routers in an area, we use the command shown in Listing I, demonstrated on 2500D. The internal routers that would be in area 2 would now receive a default route out of the area, but they would not receive any summary routes, while area 1 would still receive summary routes.

The last type of area to configure is an NSSA. Basically, we are trying to get an OSPF area to receive only redistributed routes from another protocol. By default, it would receive summary route updates and redistributed routes. There are some circumstances when we want to receive either a summary route or a redistributed route. Listing J shows the configuration, as demonstrated on the 2500E router. Any router in the internal area 3 would now receive a default route with a path out of the area, as well as any redistributed routes being advertised on the network.

Creating a totally stubby area is the most common choice in a Cisco environment since receiving redistributed routes is not going to provide you anything that a totally stubbed area won't provide.

Conclusion

OSPF can work well in a large network environment where you have multiple router vendors (a typical situation when you have a large network environment). It would be hard to find a huge network that has only Cisco routers. If you did have only Cisco routers, then EIGRP would be the better choice since it can now create stub areas like OSPF and is very easy to configure and run.

Remember that creating stub areas is very important in large networks because the memory involved in large OSPF configurations is immense. By creating a stub network, you can effectively have smaller routers with very low memory participate in a very large OSPF network.

Listing H: Using area 1 stub on 2500C
2500C#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500C(config)#router ospf 1
2500C(config-router)#area 1 stub
2500C(config-router)#^Z
2500C#

Listing I: Configuring a totally stubby area on 2500D
2500D#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500D(config)#router ospf 34
2500D(config-router)#area 2 stub no-summary
2500D(config-router)#^Z
2500D#

Listing J: Configuring a not-so-stubby area on 2500E
2500E#config t
Enter configuration commands, one per line. End with CNTL/Z.
2500E(config)#router ospf 1
2500E(config-router)#area 3 nssa
2500E(config-router)#^Z
2500E#

Understanding the RIP protocol
May 23, 2000
By Alexander Prohorenko

RIP (Routing Information Protocol) was born to make system administrators happy. Every administrator who has to supervise a large number of routers with never-ending connectivity changes should know RIP. There are a lot of other routing protocols that are much better and more full-featured than RIP, but RIP was and still is the basic routing protocol. In this article, I'll take a look at this useful protocol.

Let's start from the beginning

RIP is one of the most enduring of all routing protocols. It's a very simple protocol, based on distance-vector (or Bellman-Ford, as it's also known) routing algorithms that predate ARPANet (the Advanced Research Projects Agency Network). To be exact, these algorithms were originally described academically by R. E. Bellman, L. R. Ford, Jr., and D. R. Fulkerson between 1957 and 1962. During the 1960s, these algorithms were widely deployed by various companies and marketed under different names.

The RIP protocol in the form that we use now was developed in the 1970s at Xerox Labs as part of the XNS (Xerox Network Systems) Routing Protocol suite. The most popular variants are RIP version 1, described in RFC1058, and RIP version 2, described in RFC2453. RIP version 2, or RIPv2 as it is more commonly known, was first proposed as an update to RIP in RFC1388 in January 1993. This RFC was later superseded by RFC1723 in November 1994 by Gary Scott Malkin and Scott Bradner. Neither of these RIPv2 proposals was intended to be a replacement for RIP, but they were both designed as an extension of RIP to provide additional functionality and capability. Some of these capabilities are compatible with RIP (first version) and some are not. To avoid supplying information to RIPv1 routes that could be misinterpreted, RIPv2 can use only noncompatible features when its packets are multicast. On interfaces that aren't capable of IP multicast, RIPv1-compatible packets that don't contain potentially confusing information are used. Some of the most notable RIPv2 enhancements are:

- Next hop
- Network mask
- Authentication
- RIP tag field

RIP at run time

Because RIP is a distance-vector protocol, a router running RIP will send updates to its neighbors, thus allowing the convergence to a known topology. In each update, the distance of any given router will be broadcast to its neighbor. RIP classifies routers as active and passive (silent). Active routers advertise their routes (reachability information) to others.
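To make the four RIPv2 enhancements concrete, and to show the defensive check they make possible against the default-route change discussed later in this article, here is an added example that is not code from the article. It builds two RIPv2 response packets in the RFC 2453 wire format (authentication entry, network mask, next hop and route tag fields) and audits them the way a listener on the 192.168.85.0 segment would: an update that lacks the authentication entry, or that advertises 0.0.0.0/0 from a router not on a trusted list, is reported. The trusted-router policy and the sender address 192.168.85.40 are constructed values, not part of the article's network.

```python
"""Inspecting RIPv2 updates for an unexpected default-route announcement.

Added example, not from the article.  Packet layout follows RFC 2453
(4-byte header, 20-byte entries); every address and password below is a
constructed sample value.
"""
import struct

RIP_RESPONSE = 2        # command: response
RIP_V2 = 2              # version field
AFI_IP = 2              # address family identifier: IP
AFI_AUTH = 0xFFFF       # marks the authentication entry (first slot only)
AUTH_SIMPLE = 2         # authentication type: simple password


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def build_rte(prefix, mask, next_hop, metric, tag=0):
    """One 20-byte RIPv2 route entry: AFI, route tag, prefix, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, _ip(prefix), _ip(mask), _ip(next_hop), metric)


def build_auth_entry(password):
    """RIPv2 simple-password authentication entry occupying the first RTE slot."""
    return struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\x00"))


def build_response(entries):
    """RIPv2 response: header (command, version, must-be-zero) plus the entries."""
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0) + b"".join(entries)


def parse_rip(packet):
    """Return (authenticated, routes); routes is a list of dicts, one per RTE."""
    command, version, _ = struct.unpack("!BBH", packet[:4])
    if command != RIP_RESPONSE or version != RIP_V2:
        raise ValueError("not a RIPv2 response")
    body = packet[4:]
    if len(body) % 20 or not body:
        raise ValueError("malformed route entries")
    authenticated = False
    routes = []
    for off in range(0, len(body), 20):
        entry = body[off:off + 20]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AFI_AUTH and off == 0:
            authenticated = True      # the auth entry is only valid in the first slot
            continue
        _, tag, prefix, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        routes.append({"prefix": _dotted(prefix), "mask": _dotted(mask),
                       "next_hop": _dotted(nh), "metric": metric, "tag": tag})
    return authenticated, routes


def audit_update(sender, packet, trusted_default_originators):
    """Findings for one update from `sender`; an empty list means nothing suspicious."""
    findings = []
    authenticated, routes = parse_rip(packet)
    if not authenticated:
        findings.append(f"{sender}: update carries no RIPv2 authentication entry")
    for route in routes:
        if (route["prefix"] == "0.0.0.0" and route["mask"] == "0.0.0.0"
                and sender not in trusted_default_originators):
            findings.append(f"{sender}: advertises 0.0.0.0/0 with metric {route['metric']} "
                            "but is not a trusted default-route originator")
    return findings


# Constructed policy: only the Cisco (192.168.85.46) may originate a default route.
TRUSTED_DEFAULT_ORIGINATORS = {"192.168.85.46"}

# Constructed sample updates.  The first is what the FreeBSD server (192.168.85.33)
# would send for the 192.168.2.0 network; the second is a default-route
# announcement from an unexpected host on the same segment (192.168.85.40 is made up).
LEGIT_UPDATE = build_response([
    build_auth_entry("s3cret"),
    build_rte("192.168.2.0", "255.255.255.0", "0.0.0.0", 1),
])
ROGUE_UPDATE = build_response([
    build_rte("0.0.0.0", "0.0.0.0", "0.0.0.0", 1),
])

if __name__ == "__main__":
    for sender, pkt in (("192.168.85.33", LEGIT_UPDATE), ("192.168.85.40", ROGUE_UPDATE)):
        for line in audit_update(sender, pkt, TRUSTED_DEFAULT_ORIGINATORS) or [f"{sender}: ok"]:
            print(line)
```

The same check can be fed real updates captured on 520/udp; the password comparison itself is deliberately left out because the article's point is the presence of authentication, not its value.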

Passive routers listen and update their routes based on advertisements but do not advertise. Typically, routers run RIP in active mode, while hosts use passive mode.

I'd rather not dwell on the internal RIP structure, but I will discuss ways of implementing this protocol on routers and on servers working as routers. If you're interested in the protocol structure, please refer to the appropriate RFCs.

Let's look at a sample corporate network, which I used to supervise as a network administrator and security engineer some time ago. Its scheme is depicted in Figure A.

[Figure A: A Cisco router is the connection point between the Internet and a private network. Nodes shown: the Cisco router (Serial 172.16.92.16 on an E1 link to the Internet, Ethernet 192.168.85.46), the FreeBSD server 192.168.85.33, a Solaris host 192.168.85.34, the 192.168.2.0 network (WinNT hosts, 100 MB Ethernet), and 56 KB dial-up links to the corporate network 192.168.140.x.]

The server

The next important node of this network is the server (192.168.85.33), which serves as a router, operating on the FreeBSD 3.2-STABLE operating system and which serves the local network alongside the remote corporate network connected by dial-up connection to this router.

The state of the dial-up connection to the corporate network (192.168.140.0) is very important because it will influence the building of the correct route to this network. In the case of a working dial-up connection, traffic addressed to any host from this network would be routed through 192.168.85.33. Otherwise, all traffic would be routed via the default (0.0.0.0) route. We'll also be interested in the private network's (192.168.2.0) announcements to enable it to communicate with hosts on this network.

Back to our Cisco router

Our configuration begins by telling the router to start a RIP process. It then tells the router the networks on which it should send and listen for RIP updates. Because RIP is a classed protocol, the configuration can't specify the aggregate 192.168.85.0/28 directly. Instead, you supply a network statement for each of the class B networks. These statements don't restrict what routes can be carried to and from this router, only which of the router's directly attached networks will be configured for RIP processing.

In this configuration, I've added a static default route through the host 172.16.92.16, which is used as the Internet connection. However, I've commented out the string that tells the router to redistribute all static routes using the RIP protocol. In the topology of the network I'm using as an example, all hosts are using Cisco's IP as a static default route.

! process RIP
router rip
version 2
network 192.168.85.0
network 192.168.140.0
network 192.168.2.0
! redistribute static routes with a
! default metric
! redistribute static
ip route 0.0.0.0 0.0.0.0 172.16.92.16

Applications

After you've configured the Cisco router, you should start the same process on the server (192.168.85.33) that runs FreeBSD. There are a lot of tools for configuring this on the FreeBSD OS. The most popular one is GateD, a routing daemon that handles multiple routing protocols. Since GateD is very popular in the UNIX world, a lot of UNIX distributions already include it in the binary package. But I'll get back to it a bit later; now I'd like to discuss software solutions from a rather new but still potentially profitable and promising source—GNU Zebra.

GNU Zebra is free software (distributed under the GNU General Public License) that manages TCP/IP-based routing protocols. Unlike traditional, GateD-based, monolithic architectures and even the so-called new modular architectures that remove the burden of processing routing functions from the CPU and utilize special ASIC chips instead, Zebra software offers true modularity. Zebra is intended to be used as a route server and a route reflector. Currently, Zebra is available on the GNU/Linux platform and almost all branches of FreeBSD, NetBSD, and OpenBSD, and it's in the development stage for Solaris 7.

A Cisco of a different color

From the user's side, Zebra looks like Cisco with the same interface and with all the basic commands of Cisco routers. It consists of separate daemons for numerous routing protocols. The main daemon starts on the server and accepts connections to the port 2601 (Zebra). After you've connected to it, you'll get an interface very similar to Cisco's.

And that's why, in the case of a server running Zebra, all you need to do is perform the same operations with it as you did with the Cisco router earlier and change the static route not to the Cisco's E1 link but to the router directly. This looks pretty easy:

ip route 0.0.0.0 0.0.0.0 192.168.85.46

This is the sample cut of /etc/gated.conf, which will enable the RIP protocol and will allow it to send its announcements to the ed2 interface (192.168.85.0). You don't need any announcements to the ed3 interface since you have no host to use this information in the Windows NT network:

rip yes {
    interface "ed2" ripin ripout version 2;
};
import proto rip {
    all;
};
export proto rip restrict;

Now, we should check to see whether everything is okay. To do this, let's look at our routing table on the Cisco router:

kitty#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is 172.16.92.16 to network 0.0.0.0

R 192.168.2.0/24 [120/1] via 192.168.85.33, 00:00:13, Ethernet0
192.168.85.0/28 is subnetted, 1 subnets
C 192.168.85.32 is directly connected, Ethernet0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.92.16 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via 172.16.92.16

And on the FreeBSD server, running Zebra:

Routing and Design 131

    dixi#show ip route
    Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
           B - BGP, * - FIB route.

    K* 0.0.0.0/0 ed2 (1) 195.3.85.46
    R  0.0.0.0/0 ed2 (1) 195.3.85.46
    C* 127.0.0.0/8 lo0 (6) direct
    C* 192.168.2.0/24 ed3 (2) direct
    C* 195.3.85.32/28 ed2 (1) direct

FreeBSD

The state of the FreeBSD server, running GateD, can be easily checked with the ipquery command, which accompanies the GateD package.

You've now finished with the RIP setup in your network!

Security

Unless you implement defense methods to secure your network, it will be vulnerable to a RIP protocol attack whose target is a default route change. In our example, that would mean your traffic going through the hacker's host. That's why I'll spend some time describing how to use the RIP protocol and secure it effectively.

During RIP protocol setup in a network with a complex topology, you have a lot of chances to mistakenly reconfigure one of the routers, which will cause a routing loop and cause you to lose control of your remote routers. To avoid this, you have to propagate static backup routes on your remote routers to be able to access them in either case. The trouble with a static route is that, on most routers, static routes normally overlap any route gathered from a dynamic protocol. And you want the static route to take effect only in an emergency.

The secret to allowing a static route to be overlapped by any route gathered from a dynamic routing protocol in the Cisco IOS lies in assigning an administrative distance to the static route. The administrative distance makes that route less preferable than any route that comes from the dynamic routing protocol. To set this distance, you need to know at least the basic administrative distances that Cisco has assigned. These are the most important ones for us:

    Connected interface     0
    Static route            1
    RIP                   120
    Unknown               255

For a complete list, refer to the Cisco documentation, which comes with the router.

To set the route preference for this static route, insert the distance number after the ip route statement. For example:

    ! set the administrative distance on
    ! the static route to be higher than
    ! RIP, which will make any route that
    ! comes from RIP more preferable
    ip route 0.0.0.0 0.0.0.0 192.168.140.1 130

The next potential problem appears when you need to get by without sending routing updates to specific interfaces. There are a lot of reasons that can be pertinent here, starting from a low-bandwidth link between the two sites and ending with the absence of a device that can process such updates. To accomplish this, you should turn such interfaces to the "passive" state. For example, to exclude your serial interface from sending any route updates, use the following:

    ! process RIP
    router rip
    version 2
    network 192.168.85.0
    network 192.168.140.0
    network 192.168.2.0
    ! suppress advertisements on serial
    ! interface
    passive-interface serial 0

Unfortunately, sometimes this isn't enough to solve the problem. Often, when you're suppressing updates on an interface, you also want to avoid getting any updates that another router can send. The solution is rather simple: administrative distances. Let's look at this example:

    ! process RIP
    router rip

    version 2
    network 192.168.85.0
    network 192.168.140.0
    network 192.168.2.0
    ! suppress advertisements on serial
    ! interface
    passive-interface serial 0
    ! set the default administrative
    ! distance to 255 to make the router ignore
    ! routing updates, as 255 is
    ! considered unusable by Cisco IOS
    distance 255
    ! set the administrative distance for
    ! these sources back to normal
    distance 120 192.168.85.0 0.0.0.255
    distance 120 192.168.140.0 0.0.0.255
    distance 120 192.168.2.0 0.0.0.255

An administrative distance of 255 is considered unusable by Cisco IOS; therefore, by using this rule set, you can easily avoid having the router get any updates from the "passive" interface.

Finally, I'd like to address the problem of restricting the sources of the route advertisements. First, suppose I want to set my router to trust the routers on 192.168.140.0/24 and 192.168.85.0/24 to tell me anything. At the same time, I don't want the router on 192.168.2.0/24 to be fully trusted, and I want to trust only route updates for the 192.168.2.0/24 network.

    ! process RIP
    router rip
    version 2
    network 192.168.85.0
    network 192.168.140.0
    network 192.168.2.0
    distance 120 192.168.140.0 0.0.0.255
    distance 120 192.168.85.0 0.0.0.255
    ! set the administrative distance for
    ! this source to normal, but only accept
    ! routes that pass access list 1
    distance 120 192.168.2.0 0.0.0.255 1
    !
    access-list 1 permit 192.168.2.0 0.0.0.255
    access-list 1 deny 0.0.0.0 255.255.255.255

Suggestions and evolution

It goes without saying that I don't pretend to fully cover the subject of the RIP protocol in this article. I've described only some basics of the theory and practice of implementing the RIP protocol. For fuller coverage of this subject, I suggest you refer to the book IP Routing Fundamentals (ISBN: 1-57870-071-x), written by Mark A. Sportack and published by Cisco Press in 1999.

The evolution of information and network infrastructure has required a rethinking of the importance of routing in future networks. Nowadays, routing technologies are being used to perform tasks beyond the capabilities of traditional hardware-based routers. As progress never stops, the need for new routing algorithms and technologies will follow step by step as the demand multiplies. However, steps forward cannot be accomplished without a knowledge of the basics. The RIP protocol is one of the main components of this basic knowledge foundation. It's worth pointing out that even now, RIP is still a core routing protocol in a lot of corporate as well as scientific and technical networks.
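The following Python model is an added illustration, not code from the article: it shows how the administrative-distance rules above decide between the backup static route and a RIP-learned default, and how the "distance 255" plus per-source "distance 120" rule set causes updates from an untrusted source to be dropped. The addresses are the article's; the RIP hop counts and the choice of 192.168.85.33 as the advertising neighbour are constructed for the example.

```python
# Added illustration (not the article's code): how Cisco IOS picks between a static
# route and a RIP-learned route by administrative distance, and how the article's
# "distance 255" / "distance 120 <source> <wildcard>" rule set decides which RIP
# sources are believed. Addresses come from the article; hop counts are constructed.
import ipaddress
from dataclasses import dataclass

AD_CONNECTED, AD_STATIC, AD_RIP, AD_UNKNOWN = 0, 1, 120, 255  # values the article lists


@dataclass(frozen=True)
class Candidate:
    prefix: str      # e.g. "0.0.0.0/0"
    next_hop: str
    source: str      # "connected", "static" or "rip"
    distance: int    # administrative distance
    metric: int = 0  # RIP hop count; 0 for connected and static


def select_routes(candidates):
    """Per prefix, keep the candidate with the lowest administrative distance.
    A distance of 255 is unusable (never installed), as IOS treats it; ties
    between equal distances fall back to the lower metric."""
    best = {}
    for c in candidates:
        if c.distance >= AD_UNKNOWN:
            continue
        cur = best.get(c.prefix)
        if cur is None or (c.distance, c.metric) < (cur.distance, cur.metric):
            best[c.prefix] = c
    return best


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard test: every bit that is 0 in the wildcard must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def rip_distance(advertiser, rules, default=AD_RIP):
    """Resolve the distance of an update from `advertiser` against
    'distance <n> <source> <wildcard>' rules; the first match wins and anything
    unmatched gets the router's default (255 once 'distance 255' is configured)."""
    for dist, net, wc in rules:
        if wildcard_match(advertiser, net, wc):
            return dist
    return default


# The three trusted source networks from the article's "passive" example; with the
# default raised to 255, an update from any other source is discarded.
TRUSTED_SOURCES = [
    (120, "192.168.85.0", "0.0.0.255"),
    (120, "192.168.140.0", "0.0.0.255"),
    (120, "192.168.2.0", "0.0.0.255"),
]


def default_route_owner(rip_alive, static_distance):
    """Static default via 192.168.140.1 (the article's backup route) competing with
    a RIP default heard from 192.168.85.33 (constructed) while that neighbour is
    alive. Returns the source of the installed default route."""
    cands = [Candidate("0.0.0.0/0", "192.168.140.1", "static", static_distance)]
    if rip_alive:
        ad = rip_distance("192.168.85.33", TRUSTED_SOURCES, default=AD_UNKNOWN)
        cands.append(Candidate("0.0.0.0/0", "192.168.85.33", "rip", ad, metric=1))
    return select_routes(cands)["0.0.0.0/0"].source


if __name__ == "__main__":
    print(default_route_owner(True, 130))   # rip: the AD 130 backup loses while RIP is up
    print(default_route_owner(False, 130))  # static: takes over when the RIP default disappears
    print(default_route_owner(True, 1))     # static: a plain 'ip route' (AD 1) always beats RIP
    print(rip_distance("172.16.92.16", TRUSTED_SOURCES, default=AD_UNKNOWN))  # 255: serial peer ignored
```

The last call is the point of the whole rule set: an update arriving from the serial peer matches none of the trusted source networks, falls through to the configured default of 255, and is therefore never installed, whatever default route it tries to announce.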

RIP explained: The gory details
Sep 25, 2001
By Lance Cockcroft, MCSE, MCT, CCA, CCNP

Routing Information Protocol (RIP) is the oldest and most used routing protocol today. There are two versions of RIP: v1 and v2. Version 1 is the most-deployed version, since it is compatible with all RIP-capable devices. RIP evolved from the Gateway Information Protocol, which was part of the original Xerox Network Systems (XNS) protocol used on the very first Ethernet networks. XNS RIP was the predecessor for many distance vector routing protocols, including IP RIP, Novell's IPX RIP, and AppleTalk's Routing Table Maintenance Protocol (RTMP).

In this article, I will explain the RIP protocol in detail. We'll start with some history and then discuss the ways RIP works.

A bit of history

In the early 1980s, UNIX versions such as BSD began to include RIP daemons that allowed UNIX servers to act as network gateways and use RIP as their routing protocol. In 1988, RFC 1058 was written by Charles Hedrick. RFC 1058 details RIP; however, the RFC was not written until after the RIP protocol was in widespread use. RFC 1058 is the only RFC detailing the RIP protocol.

What is RIP?

RIP is a distance vector routing protocol that uses only the hop count as its metric to determine the best path from source to destination. It is a very simple protocol to use and understand; however, its simplicity comes at the cost of not having some of the more advanced features and abilities of today's more modern routing protocols.

Depending on whom you talk to, RIP can be considered a godsend or a protocol undeserving of its popularity. The truth is that RIP is a very good all-around routing protocol for the small internetwork, but it's not the best protocol for large enterprise networks. Think of the saying "using the right tool for the right job." If someone tries to use RIP on a large network with many different paths and more than 16 hops, they will find RIP to be sorely lacking. However, if RIP is used on a small 5–10 router network that changes frequently, it will work efficiently, saving the administrator the labor of adding static routes each time the network changes.

Enabling RIP on a Cisco router

RIP can be enabled on a Cisco router by entering router configuration mode from configuration mode. You must be in exec mode to perform the following commands:

    RouterA(config)# router rip
    RouterA(config)# network 192.168.1.0
    RouterA(config)# network 192.168.2.0

Believe it or not, this is all that is required to enable and configure RIP on a Cisco router. The router rip command changes the mode to router protocol configuration mode. This command must be entered each time changes to the RIP configuration are made. The network command actually tells the router which connected network(s) are to be advertised, as well as the router interface(s) that you want to participate in the RIP process. RIP version 1 is a classful routing protocol; therefore, any interfaces that belong to the classful network number used in the network command will participate in the RIP routing protocol. Classful routing will be discussed later.

What if you want to advertise a specific network number, but you do not want RIP advertisements to be sent out a particular interface? In other words, you want an interface to listen to RIP advertisements but you do not want it to send advertisements. Cisco has a special command for this situation. Within router configuration mode, simply use the passive-interface command:

    RouterA(config)# router rip
    RouterA(config)# passive-interface ethernet0

Routing by rumor

RIP's typical operation uses two types of packets: request packets and response packets.

Figure A: [network diagram. Router A (E0 192.168.2.1, network 192.168.1.0) is linked by a T1 to Router B (S0 192.168.2.2, network 192.168.3.0). Router B (192.168.4.1, 192.168.6.1) has links to Router C (192.168.4.2) and Router D (192.168.6.2), and Routers C and D are linked directly (192.168.8.1 to 192.168.8.2); the diagram labels these three links T1, T1 and 56K. Router C serves network 192.168.5.0 and Router D serves network 192.168.7.0.]

The RIP protocol works well with smaller networks.

When a RIP-enabled router is first started, the router sends request packets out all RIP interfaces to the broadcast address 255.255.255.255. All RIP packets, whether they are request or response packets, use UDP (port 520) as the Transport layer protocol. All RIP-enabled routers will respond to the request packets by sending response packets. Response packets contain the contents of each router's routing table. The response packet can contain up to 25 routes. Response packets are only received by directly connected routers and are not forwarded. Since each router only speaks to its neighbors, we say that RIP routes by rumor. Networks are learned only from neighbors, not necessarily from the router that is directly connected to the network. Each route sent in response packets includes the network address and the metric associated with the network address.

Think of the response packet as a message telling the requesting router "these are the networks that I know how to get to." A router receiving a response packet will process the packet by analyzing the routes included and adding routes to new networks to its routing table or changing routes to existing networks if the routes have lower metrics (fewer hops). The router will add one to the metric, since each advertising router advertises its own metric (hop count) to a destination. For example, if router A receives an update from router B containing a route with a metric of 2, router A will add the route to its routing table, list router B as the next hop for that network route, and record a metric of 3 to account for the hop between router A and router B.

If router B advertises network(s) that router A already has a route for, router A will simply discard the advertisement, unless router B has a lower metric to the destination network. A directly connected network has a hop count of 0, just as a network connected to a directly connected router has a hop count of 1. A hop count of 16 is considered unreachable.

To fully understand how RIP operates, let's look at a simple network (see Figure A). Router C advertises its network, 192.168.5.0, to router B. Router B adds 192.168.5.0 to its own routing table with a metric of 1 and a next hop address of 192.168.4.1. Router B then advertises its own routing table to router A and router C. Router A learns from router B about networks 192.168.3.0 and 192.168.5.0. Router A adds network 192.168.3.0 with a metric of 1 and network 192.168.5.0 with a metric of 2. The next hop address for both of these networks is 192.168.2.2. Router A now knows

Figure B: [network diagram; Router D does not appear. Router A (E0 192.168.2.1, network 192.168.1.0) is linked by a T1 to Router B (192.168.2.2, network 192.168.3.0). Router B (192.168.6.1, 192.168.4.1) is linked over a 56K line to Router C (192.168.4.2, 192.168.8.1), which serves network 192.168.5.0.]

Router A must rely on the other routers to figure out the best path to Router D.

that it can send packets destined for network B or network C to router B for delivery.

A RIP-enabled router will send out response packets every 30 seconds. Once a router has received a route from a neighbor, it will expect to receive response packets from that router every 30 seconds. Additionally, a router will expect to see the same routes advertised each time from a responding router. If a router stops advertising a network route or if the metric to that network route changes, the receiving router will temporarily change the metric of that network route to 16. Consider Figure B. Router A has received a route to network D (192.168.7.0) from router B with a metric of 1. Router A increments the metric to 2 and adds the network route to the routing table. If router B loses the link between itself and router D, it will update its routing table to reroute packets through router C. Router B will continue to advertise network D (192.168.7.0) to router A; however, the advertised metric will now be 2. Router A will see that the metric has changed and will temporarily change the network route to unreachable (metric 16) to prevent routing loops. Once the timers have expired, router A will accept the new advertised metric from router B.

If router B were to stop advertising network D, router A would remove the entry for network D from the routing table. Any packets received with a destination of 192.168.7.x would be discarded, and an ICMP destination unreachable message would be sent back to the source address.

Table A: The only timer default that differs is the Flush timer.

    Timer      Cisco default    RFC 1058 default
    Update     30 seconds       30 seconds
    Invalid    180 seconds      180 seconds
    Flush      60 seconds       120 seconds

RIP timers

As you have read, the RIP protocol should send out the contents of its entire routing table every 30 seconds because the default value for the update interval is 30 seconds. You can force the routers to update less frequently by increasing the update interval or force them to update more often by decreasing the update interval. All routers participating in the RIP

routing process must be configured with the same update interval.

Only the router's neighbors receive these advertisements. These neighbors expect these advertisements every 30 seconds, by default, with the same network route entries. If a router does not receive an advertisement for a route in 180 seconds, the route is marked as unreachable (given a metric of 16). Cisco calls this timer the invalid timer; however, it is also called the expiration timer or simply the timeout. The route will remain in the routing table for an additional 60 seconds beyond the invalid timer. The flush timer will then expire and will force the route to be flushed (removed) from the routing table. The flush timer is sometimes called the garbage collection timer. Within the Cisco IOS, it is known as the flush timer. The Cisco timers and their defaults are shown in Table A.

Timers should only be changed if the effects of such a change are thoroughly understood. To change the default value for the timers, use the timers command. The syntax for the timers command is:

    timers basic update invalid holddown flush

    RouterA(config)# router rip
    RouterA(config)# timers basic 60 360 360 420

The invalid timer should be at least three times the update interval, and the flush timer must be greater than the invalid timer. Normally, the default values are best left in effect for standard operations.

Convergence

One of the drawbacks of RIP is the amount of time that it takes for a network to converge in the event of a failure. Convergence, as you may recall, is the amount of time it takes for all routers on an internetwork to become aware of a network change. If the power to router C were to fail, how long would it take before all routers were aware of the change? Router B would stop receiving updates from router C and, after 30 seconds, would mark the route as unreachable. Router C would also mark the route as unreachable. Router B would also advertise network D as unreachable in its own advertisements, so router A would learn that network D was unreachable. After 240 seconds, router B would flush the entry from the router table. It would take three to four minutes before all the routes were removed from the routing tables. In comparison, OSPF would have detected the error and converged in one minute or less.

Conclusion

RIP has provided many years of trouble-free dynamic routing for thousands of networks. Although it does not provide the speed and agility of more modern routing protocols, RIP still remains a practical and viable dynamic routing protocol solution for today's small internetworks. In my next article on RIP, I will discuss some of the more complicated aspects of RIP, such as loop avoidance, classful routing, and how to modify RIP's default metrics.
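The following Python model is an added example, not the article's code: it replays the routing-by-rumor rules (add one hop, keep the lower metric, 16 means unreachable, at most 25 routes per response) on the Figure A walkthrough, and then ages a route through the invalid and flush timers from Table A. The router addresses are the article's; the timing of the "aging" calls, the metric bookkeeping and the `timers basic` sanity check are constructed. Table A's 60-second flush value is counted beyond the invalid timer, as the text describes it, so an unrefreshed route disappears at 240 seconds. Holddown, which the next article covers, is left out here.

```python
# Added model (not the article's code) of the routing-by-rumor rules and the
# update/invalid/flush timers described above. Router and network addresses follow
# Figure A; times and the metric bookkeeping are constructed for illustration.
# Holddown, covered in the next article, is deliberately left out here.
from dataclasses import dataclass

RIP_UDP_PORT = 520         # transport used by request and response packets
MAX_ROUTES_PER_PACKET = 25
INFINITY = 16              # hop count meaning "unreachable"
UPDATE, INVALID = 30, 180  # Cisco defaults from Table A
FLUSH_AFTER_INVALID = 60   # Table A's 60 s flush value, read as the text does: beyond the invalid timer


@dataclass
class Route:
    network: str
    next_hop: str
    metric: int
    refreshed_at: float  # time of the last response that refreshed this entry


class RipTable:
    def __init__(self, connected_networks):
        # directly connected networks have a hop count of 0 and never age out
        self.routes = {n: Route(n, "connected", 0, 0.0) for n in connected_networks}

    def response_entries(self):
        """What this router puts in its own response packets: its whole table."""
        return [(r.network, r.metric) for r in self.routes.values()]

    def process_response(self, from_addr, entries, now):
        """Apply one response packet from a directly connected neighbour:
        add one hop for the link to that neighbour, install unknown networks,
        prefer lower metrics, and accept any metric change from the neighbour
        we already use as next hop (which also refreshes its timer)."""
        if len(entries) > MAX_ROUTES_PER_PACKET:
            raise ValueError("a RIP response carries at most 25 routes")
        for network, advertised in entries:
            metric = min(advertised + 1, INFINITY)
            cur = self.routes.get(network)
            if cur is None:
                if metric < INFINITY:
                    self.routes[network] = Route(network, from_addr, metric, now)
            elif cur.next_hop == from_addr:
                cur.metric, cur.refreshed_at = metric, now
            elif metric < cur.metric:
                self.routes[network] = Route(network, from_addr, metric, now)

    def age(self, now):
        """Invalid timer: no refresh for INVALID s -> metric 16 (kept, advertised as
        unreachable). Flush timer: FLUSH_AFTER_INVALID s later -> entry removed."""
        for network, r in list(self.routes.items()):
            if r.next_hop == "connected":
                continue
            idle = now - r.refreshed_at
            if idle >= INVALID + FLUSH_AFTER_INVALID:
                del self.routes[network]
            elif idle >= INVALID:
                r.metric = INFINITY


def figure_a_walkthrough():
    """Router C tells router B about 192.168.5.0; router B then tells router A
    about its table. Returns what router A learned as network -> (next hop, metric)."""
    router_b = RipTable(["192.168.2.0", "192.168.3.0", "192.168.4.0"])
    router_b.process_response("192.168.4.1", [("192.168.5.0", 0)], now=0)
    router_a = RipTable(["192.168.1.0", "192.168.2.0"])
    router_a.process_response("192.168.2.2", router_b.response_entries(), now=0)
    return {n: (r.next_hop, r.metric) for n, r in router_a.routes.items()
            if r.next_hop != "connected"}


def timer_timeline():
    """A route learned at t=0 and never refreshed, aged at the times the text names.
    Maps time -> metric (None once the entry has been flushed)."""
    table = RipTable(["192.168.1.0"])
    table.process_response("192.168.2.2", [("192.168.7.0", 1)], now=0)
    seen = {}
    for now in (150, 180, 239, 240):
        table.age(now)
        r = table.routes.get("192.168.7.0")
        seen[now] = None if r is None else r.metric
    return seen


def timers_basic_ok(update, invalid, holddown, flush):
    """Sanity rule the text gives for 'timers basic': invalid at least three times
    the update interval and flush greater than invalid."""
    return invalid >= 3 * update and flush > invalid


if __name__ == "__main__":
    print(figure_a_walkthrough())  # 192.168.3.0 and 192.168.4.0 at 1 hop, 192.168.5.0 at 2, all via 192.168.2.2
    print(timer_timeline())        # {150: 2, 180: 16, 239: 16, 240: None}
    print(timers_basic_ok(60, 360, 360, 420))  # True for the article's example
```

Two details are worth noticing when running it: router A does not replace its directly connected 192.168.2.0 entry even though router B advertises it (a metric of 1 is not lower than 0), and the 192.168.7.0 entry is still present, with metric 16, between 180 and 240 seconds, which is exactly the window in which a router keeps advertising a dead route as unreachable before garbage-collecting it.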

Advanced RIP configuration
Sep 27, 2001
By Lance Cockcroft, MCSE, MCT, CCA, CCNP

Although many administrators think RIP means Rest In Peace, the RIP protocol is still quite alive and very useful. You saw how RIP is used in my previous article, "RIP explained: The gory details," but did you know that there are more advanced configurations? In this article, I will introduce you to some of the more advanced techniques used with RIP.

Unicast

You learned in "RIP explained: The gory details" that the passive-interface command can be used to allow an interface to receive updates but prevent the interface from sending advertisements. In some cases, you may want an interface to participate in the RIP routing process and send advertisements; however, there may be one router that you do not wish to send updates to. In cases such as these, you would still use the passive-interface command, as well as the neighbor command, as shown here:

    RouterB(config)# router rip
    RouterB(router-config)# network 192.168.3.0
    RouterB(router-config)# network 192.168.2.0
    RouterB(router-config)# neighbor 192.168.3.5
    RouterB(router-config)# passive-interface ethernet0

The first command, as you may recall, places the router in router-config mode. The network command tells the router which interfaces to send advertisements on, as well as what networks to advertise. The passive-interface command tells the router not to advertise the networks out the Ethernet0 interface. The addition of the neighbor command allows the passive interface (Ethernet0) to advertise to only the IP address specified in the neighbor command. Router B would send advertisements over Ethernet0 to only the neighbor with the IP address of 192.168.3.5. Normally, RIP advertises to the broadcast address of 255.255.255.255; however, when the neighbor command is used, RIP is forced to send unicast (not broadcast) updates to only the configured neighbors.

Loop prevention

RIP has many features built into the protocol to help prevent routing loops from occurring. A routing loop is created when a packet is forwarded from one router to another and eventually ends up back at a router it has already been routed by. For instance, a packet is forwarded from router B to router C, router C forwards the packet to router D, and router D sends the packet to router B again. This is a routing loop, and it can continue forever without the proper safeguards.

Holddown

One of the loop prevention mechanisms is the holddown timer. The holddown timer prevents a router from making hasty routing decisions when there has been a change or failure somewhere on the network. To completely understand the purpose of the holddown timer, look at Figure A and consider the following situation.

Routers C and D both have entries in their routing tables that list the next hop address for network 192.168.1.0 as the IP address of router B. If the connection between router A and B were to fail, router B would update its own table to reflect that 192.168.1.0 was unreachable. When router B sent the next advertisement, router D would see that router B is no longer advertising 192.168.1.0. Then let's say that router C (in this particular millisecond) is unaware of the change and sends its routing table to router D. Router D would mistakenly see that router C has a route to 192.168.1.0 and would begin forwarding all packets for that destination to router C, instead of sending a Destination Host Unreachable message to the source.

To prevent this scenario, RIP implements holddown timers. Holddown timers prevent RIP from updating information to routers once one change has already taken place on that route. More clearly stated, when a route is

Figure A: [network diagram, the same topology as Figure A of the previous article. Router A (E0 192.168.2.1, network 192.168.1.0) is linked by a T1 to Router B (192.168.2.2, network 192.168.3.0). Router B (192.168.6.1, 192.168.4.1) has links to Router C (192.168.4.2) and Router D (192.168.6.2), and Routers C and D are linked directly (192.168.8.1 to 192.168.8.2); these links are labelled T1, 56K and T1. Router C serves network 192.168.5.0 and Router D serves network 192.168.7.0.]

Holddown timers can prevent catastrophe within your routed network.

changed to unreachable, no other changes can be made to that entry in the routing table until the holddown timer expires. Let's apply this to the previous example.

Router B advertises a Network Unreachable message to router D for network 192.168.1.0. Router D changes the entry for network 192.168.1.0 in the routing table and places that entry in holddown. Now, router C advertises its own routing table to router D. Since the entry for network 192.168.1.0 is in holddown, router D will ignore the entry for network 192.168.1.0 from router C.

Split Horizon

Split Horizon is another tool used to prevent routing loops. The Split Horizon rule specifies that a RIP router should not advertise routes through the same interface that it learned the route from. Consider what would happen if router B advertised network 192.168.1.0 to router D, and router D then added the entry in its own routing table. Router D would then advertise its own table to router B. Router B might then falsely send packets to router D that are destined for network A. Router D would then send them right back to router B. This process would continue until the packet reached its maximum hop count of 16.

Poison Reverse

Poison Reverse is a form of Split Horizon. Instead of preventing the advertisement of a specific route out a specific interface, Poison Reverse causes the route to be advertised back to the source; however, the route is marked as unreachable within the advertisement. In this case, router D would advertise network 192.168.1.0 back to router B with a hop count of 16. Since RIP routing only allows one entry in the routing table for each network and because router D is performing Split Horizon, router B will ignore the advertisement for 192.168.1.0 from router D.

Classful routing

RIP is a classful routing protocol, which simply means that RIP does not advertise subnet mask information with the networks. RIP expects each address to use the default subnet mask associated with classful routing. As you may already know, the IP address range was broken into classes to help organize IP addresses as well as routing. The first octet of the IP address derives the address class. The number to the left of the first period (.) is the first octet. For example, the first octet is represented by the 154 in the following example: 154.10.196.10.
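The Python simulation below is an added example, not the article's code. It puts the three mechanisms just described (holddown, Split Horizon and Poison Reverse) side by side on the Figure A topology: router B has learned network 192.168.1.0 from router A and passed it on to routers C and D, and then the A-B link fails. The interface names (e0, to_B, to_C, to_D) and the 180-second holddown value are constructed for the example; the network addresses are the article's.

```python
# Added simulation (not the article's code) of the three loop-prevention mechanisms
# described above, on the Figure A topology: router B learned network 192.168.1.0
# from router A and passed it to routers C and D. Interface names and the 180-second
# holddown value are constructed for the example.
INFINITY = 16


class Router:
    def __init__(self, name, mode="split-horizon", holddown=180):
        self.name = name
        self.mode = mode          # "none", "split-horizon" or "poison-reverse"
        self.holddown = holddown  # seconds; 0 disables holddown
        self.table = {}           # network -> [learned_on_iface, metric, holddown_until]

    def install(self, network, iface, metric):
        self.table[network] = [iface, metric, 0.0]

    def advertisement(self, out_iface):
        """Entries this router would send out `out_iface`:
        none           -> plain distance vector, every route as is;
        split-horizon  -> routes learned on out_iface are left out;
        poison-reverse -> they are included but marked unreachable (16)."""
        entries = []
        for network, (iface, metric, _) in self.table.items():
            if iface == out_iface and self.mode == "split-horizon":
                continue
            if iface == out_iface and self.mode == "poison-reverse":
                metric = INFINITY
            entries.append((network, metric))
        return entries

    def receive(self, in_iface, entries, now=0.0):
        """Process a response packet; returns a log of what happened per network."""
        log = {}
        for network, advertised in entries:
            metric = min(advertised + 1, INFINITY)
            entry = self.table.get(network)
            if entry is None:
                if metric < INFINITY:
                    self.table[network] = [in_iface, metric, 0.0]
                    log[network] = "installed"
            elif entry[0] == in_iface:
                # the neighbour we route through says the route changed
                if metric >= INFINITY and entry[1] < INFINITY:
                    entry[1], entry[2] = INFINITY, now + self.holddown
                    log[network] = "unreachable, holddown started"
                else:
                    entry[1] = metric
                    log[network] = "metric updated"
            elif now < entry[2]:
                log[network] = "ignored (holddown)"
            elif metric < entry[1]:
                self.table[network] = [in_iface, metric, 0.0]
                log[network] = "replaced with lower metric"
            else:
                log[network] = "discarded"
        return log


def lost_link_at_b(mode):
    """Router B (which reaches A on iface 'e0') loses A and, before it can say so,
    hears D's table back on the B-D link. Returns (B's metric for 192.168.1.0,
    the metric D advertised back to B, or None if D stayed silent)."""
    b, d = Router("B", mode), Router("D", mode)
    b.install("192.168.1.0", "e0", 1)
    d.receive("to_B", b.advertisement("to_D"))  # D learns it at 2 hops via B
    b.table["192.168.1.0"][1] = INFINITY        # link to A fails
    adv = d.advertisement("to_B")               # what D sends back toward B
    b.receive("to_D", adv)                      # without split horizon, B believes D
    return b.table["192.168.1.0"][1], dict(adv).get("192.168.1.0")


def stale_route_from_c(holddown):
    """Router D hears B poison 192.168.1.0, then gets C's stale table a moment later.
    Returns D's (iface, metric) for the network afterwards."""
    d = Router("D", holddown=holddown)
    d.install("192.168.1.0", "to_B", 2)
    d.receive("to_B", [("192.168.1.0", INFINITY)], now=0.0)  # B: unreachable
    d.receive("to_C", [("192.168.1.0", 2)], now=0.5)         # C: still claims 2 hops
    return d.table["192.168.1.0"][0], d.table["192.168.1.0"][1]


if __name__ == "__main__":
    print(lost_link_at_b("none"))            # (3, 2): loop begins, counting toward 16
    print(lost_link_at_b("split-horizon"))   # (16, None): D says nothing, B stays unreachable
    print(lost_link_at_b("poison-reverse"))  # (16, 16): D echoes it back as unreachable
    print(stale_route_from_c(180))           # ('to_B', 16): C's rumour ignored during holddown
    print(stale_route_from_c(0))             # ('to_C', 3): without holddown D follows C
```

The "none" case is the count-to-infinity loop from the Split Horizon section: B, having just lost the network, installs D's echo of its own old route at 3 hops, and on the next exchange D would learn 4 from B, and so on up to 16. The holddown case shows why D's entry must stay unreachable for the timer's duration even though C is offering what looks like a perfectly good route.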

Figure B: [network diagram of Router A, Router B and Router C in a row, labelled Network 10.1.1.0 Mask 255.255.255.0 (at Router A), Network 192.168.1.0 Mask 255.255.255.0 (at Router B) and Network 10.1.2.0 Mask 255.255.255.0 (at Router C).]

RIP is capable of making routing decisions based on the default subnet mask.

FRESHEN UP YOUR SUBNETTING
If subnetting is new to you or you are a bit rusty, you may want to freshen up by reading Thomas Nooning's article, "Learn the basics of subnetting a TCP/IP network," on page 30.

There are three major classes of addresses: Class A, Class B, and Class C. Class A addresses include addresses where the first octet is from 1 to 127. Class B addresses range from 128 to 191, and the Class C address range includes 192 to 223:

    Class A    1.0.0.0 to 127.255.255.255
    Class B    128.0.0.0 to 191.255.255.255
    Class C    192.0.0.0 to 192.255.255.255

The issue with classful routing is that it is rarely used anymore, if at all. Today, we are not forced to use the default subnet masks; however, RIP will examine the first octet and will then make a routing decision based on the default (classful) subnet mask. To see how this affects the design of our network, see Figure B.

As you know, any IP address that begins with a "10." is considered a Class A address. Because of this, router B will use the default subnet mask for the "10." network entry in its own routing table. Routers A and C will not use the default classful subnet mask; they will use whatever subnet mask is configured on their 10.x.y.z interface. A and C both contain networks starting with the Class A address 10.0.0.0; however, networks A and C are using a classless subnet of 255.255.255.0.

Router B does not have any interfaces in the 10.0.0.0 network. Router B will receive advertisements for the 10.x.y.z network from both router C and router A. Since subnet mask information is not sent with the advertisements, router B thinks that routers A and C are advertising the same network. Since router A was the first to advertise the 10.x.y.z network, router B will send all traffic destined for the 10. network to router A.

There is a very simple solution to this situation. As mentioned earlier, router B will use the default subnet mask because it does not have an interface in the 10.x.y.z network. If router B did have an interface in the 10.x.y.z network, then router B would use its own subnet mask with all 10.x.y.z network entries, not the default subnet mask. If we added a secondary address to any of router B's interfaces and used a 10.x.y.z address on that secondary address, router B would then have the ability to distinguish network 10.1.1.0 and 10.1.2.0.

You add a secondary IP address just as you would the primary address. Using the ip address command simply adds the secondary address, followed by the word secondary. The secondary keyword tells the router that this is a secondary address in addition to the previously configured address.

Listing A: Using the ip address command

    RouterB(config)# interface serial 0
    RouterB(config-if)# ip address 10.1.3.1 255.255.255.0 secondary
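The Python illustration below is an added example, not the article's code. It reproduces the Figure B problem: router B, with no interface in the 10.0.0.0 major network, folds the maskless RIPv1 advertisements for 10.1.1.0 and 10.1.2.0 into a single 10.0.0.0/8 entry, and the secondary address from Listing A gives it a mask to apply instead. Router B's primary address 192.168.1.2/24 is constructed; the class ranges, the 10.1.x.0 networks and the 10.1.3.1 secondary address are the article's.

```python
# Added illustration (not the article's code) of why RIP version 1, which sends no
# subnet masks, collapses the Figure B networks 10.1.1.0/24 and 10.1.2.0/24 into one
# classful 10.0.0.0/8 entry on router B, and why the secondary address from Listing A
# fixes it. Router B's 192.168.1.2/24 interface address is constructed.
import ipaddress

DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    """Class from the first octet, using the ranges the article gives (1-127, 128-191, 192-223)."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"  # classes D and E are outside the article's scope


def classful_network(ip):
    """Major network of an address under its default (classful) mask."""
    return str(ipaddress.IPv4Network((ip, DEFAULT_MASK[address_class(ip)]), strict=False))


def ripv1_routes(interfaces, advertised):
    """How a RIPv1 router interprets received network numbers that carry no mask:
    if it owns an interface in the same major network it applies that interface's
    mask, otherwise it falls back to the classful default.
    `interfaces` is a list of (address, mask); `advertised` a list of network numbers.
    Returns the resulting prefixes in the order the advertisements were heard."""
    routes = []
    for net in advertised:
        mask = DEFAULT_MASK[address_class(net)]
        for addr, if_mask in interfaces:
            if classful_network(addr) == classful_network(net):
                mask = if_mask
                break
        routes.append(str(ipaddress.IPv4Network((net, mask), strict=False)))
    return routes


def collisions(routes):
    """Prefixes that several distinct advertisements collapsed into."""
    return {p for p in routes if routes.count(p) > 1}


ROUTER_B_PRIMARY = [("192.168.1.2", "255.255.255.0")]                           # constructed
ROUTER_B_WITH_SECONDARY = ROUTER_B_PRIMARY + [("10.1.3.1", "255.255.255.0")]    # Listing A
HEARD_FROM_A_AND_C = ["10.1.1.0", "10.1.2.0"]                                   # Figure B

if __name__ == "__main__":
    print(address_class("154.10.196.10"))                             # B
    print(ripv1_routes(ROUTER_B_PRIMARY, HEARD_FROM_A_AND_C))         # ['10.0.0.0/8', '10.0.0.0/8']
    print(ripv1_routes(ROUTER_B_WITH_SECONDARY, HEARD_FROM_A_AND_C))  # ['10.1.1.0/24', '10.1.2.0/24']
```

Because RIP keeps one entry per network, the two identical 10.0.0.0/8 results in the first run mean the second advertisement is simply dropped, which is why router B ends up sending all 10.x.y.z traffic to whichever router advertised first.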

SECONDARY ADDRESS CAUTION
Extreme caution should be used when adding a secondary address to an interface. If the secondary keyword is not used, the new address will overwrite the original address and will disconnect the telnet session. Depending on the network design, you may not be able to reestablish the telnet session if the address is overwritten.

If you use secondary addresses, RIP treats the secondary address much like a new interface. RIP advertisements will be sent for each primary address and secondary address. Since the number of secondary addresses that you can add to an interface is practically unlimited, you should understand that RIP advertisements could begin to cause congestion on a link if too many advertisements are sent.

Figure C: [network diagram of Routers B, C and D. Router B (192.168.2.2 toward network 192.168.3.0; 192.168.4.1; 192.168.6.1), Router C (192.168.4.2, 192.168.8.1, network 192.168.5.0) and Router D (192.168.6.2, 192.168.8.2, network 192.168.7.0); the links are labelled T1, 56K and T1.]
The shortest hop count is generally the route that will be chosen by a router. (Sometimes the shortest distance between two points is a third point.)

Manipulating the metrics

RIP uses a rather outdated metric/cost system. As you know, it uses a hop count as the metric. Hop count is the number of routers that a packet must traverse to reach a given destination. This procedure works fine in a network where all the links are of equal capacity and equal speed. RIP, if left to its own devices, will always choose the shortest route between two points, which may or may not be the best route.

In Figure C, router B has two different paths to network C. Router B could send packets to 192.168.4.2, which is the path with the fewest number of hops. Router B could also send the packets to 192.168.6.2 (router D), which has a hop count of 2. Router B will, of course, use the shortest hop count and send the packets to 192.168.4.2; however, this is not the best path based on true speed and throughput. The best path is through router D. We can force router B to use router D to reach 192.168.5.0 by increasing the metric advertised for the 192.168.5.0 network.

We must simply configure router B to add two hops to any metric advertisement coming from router C. We can force router B to add to metrics by using the offset command. We must use an access list to specify which routes we want to apply this offset to (see Listing B). This offset command will be applied to any IP address that matches the access list. RIP

Listing B: Using the access-list command to specify routes

    RouterB(config)# access-list 5 permit 192.168.1.0 0.0.0.0
    RouterB(config)# router rip
    RouterB(router-config)# offset-list 5 in 2 serial 1

will add two hops to any advertised routes from any IP address that matches the access list. The offset command allows personal intervention into route selection by allowing the administrator to predetermine the routes data should take when destined for a particular network.

Conclusion

The Routing Information Protocol has been serving networks and network administrators for as long as there has been modern networking. The roots of this protocol extend into the earliest days of Ethernet at Xerox PARC, yet it still remains a viable solution for dynamic routing in today's smaller networks.
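The Python example below is added here and is not the article's code. It models what an inbound offset-list does to router B's choice between its two paths to 192.168.5.0 in Figure C: a standard access list with Cisco wildcard matching selects the routes, the offset is added to their advertised metric, and RIP then keeps the lowest hop count. The interface names and the access-list entry for 192.168.5.0 are constructed to match the goal stated in the text (Listing B on the page names 192.168.1.0); the hop counts via router C and router D are the article's.

```python
# Added illustration (not the article's code) of the offset-list mechanism: an
# inbound offset applied to routes that match a standard access list, then RIP's
# lowest-hop-count choice. Router B's two paths to 192.168.5.0 follow Figure C
# (router C on serial 1 at 1 hop, router D on serial 0 at 2 hops); interface names
# and the access-list entry for 192.168.5.0 are constructed (Listing B names 192.168.1.0).
import ipaddress

INFINITY = 16


def wildcard_match(addr, entry, wildcard):
    """Cisco wildcard test: bits that are 0 in the wildcard must match."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (addr, entry, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (e & care)


def acl_permits(acl, addr):
    """Standard access list: first matching entry decides, implicit deny at the end."""
    for action, entry, wildcard in acl:
        if wildcard_match(addr, entry, wildcard):
            return action == "permit"
    return False


def offset_list_in(acl, offset, entries):
    """'offset-list <acl> in <offset> <iface>': add `offset` to the advertised metric
    of every route whose network the access list permits, capped at 16."""
    return [(net, min(m + offset, INFINITY)) if acl_permits(acl, net) else (net, m)
            for net, m in entries]


def choose_paths(updates):
    """`updates` maps an inbound interface to the (network, metric) entries heard
    there, already offset-adjusted. Adds the one hop to the neighbour and keeps,
    per network, the interface with the lowest resulting hop count."""
    best = {}
    for iface, entries in updates.items():
        for net, m in entries:
            metric = min(m + 1, INFINITY)
            if metric < INFINITY and (net not in best or metric < best[net][1]):
                best[net] = (iface, metric)
    return best


ACL_5 = [("permit", "192.168.5.0", "0.0.0.0")]  # exact match, like Listing B's 0.0.0.0 wildcard
FROM_C_ON_SERIAL1 = [("192.168.5.0", 0)]        # C is directly connected to 192.168.5.0
FROM_D_ON_SERIAL0 = [("192.168.5.0", 1)]        # D learned it from C


def router_b_choice(offset):
    """Router B's (interface, hop count) for 192.168.5.0 with the given inbound
    offset applied to what it hears from router C on serial 1."""
    updates = {
        "serial 1": offset_list_in(ACL_5, offset, FROM_C_ON_SERIAL1),
        "serial 0": FROM_D_ON_SERIAL0,
    }
    return choose_paths(updates)["192.168.5.0"]


if __name__ == "__main__":
    print(router_b_choice(0))  # ('serial 1', 1): fewest hops, over the slow link
    print(router_b_choice(2))  # ('serial 0', 2): the T1 path through router D wins
```

The cap at 16 matters in practice: an offset large enough to push a route past 15 hops makes it unreachable rather than merely unattractive, so an offset is best sized to tip the comparison, as the article's value of 2 does, not to "disable" a path.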

Using RIP on Windows 2000 Server
Dec 14, 2000
By Jim Boyce

Static routes enable a router to route IP packets without relying on a protocol, which routers use to share route table data. In this article, I’ll take a closer look at Routing Information Protocol (RIP), one of the routing protocols included with Windows 2000 Server. In an upcoming article, I’ll focus on the other routing protocol, Open Shortest Path First (OSPF).

What’s a router again?
Here’s a quick review: A router resides as a node on two or more subnets, each of which is connected through one of the router’s network interfaces. By residing on each subnet, the router is accessible to each node on a given subnet and is able to route IP packets between the two subnets.
As the network grows beyond two subnets, routing becomes a little more complex. Not only might a router be tasked with routing packets from subnet A to subnet B, but it might also need to route traffic to other local subnets or the Internet. A router concerns itself only with routing traffic to the next router up the line (the next hop), which simplifies the problem somewhat. The router doesn’t have to know the absolute route for every packet, but it needs to know through which of its interfaces it needs to route the packet to move the packet one hop closer to its destination.
Assuming a simple network with three local subnets and an Internet connection, for example, the router needs to know which interface to use to transmit Internet traffic coming from the internal subnets. The router at the other end of that connection passes the traffic on to its next hop.

Configuring and using RIP
Routers use one of two methods to determine how to route traffic: static routing or dynamic routing. With static routing, you manually create the router’s routing table by adding static routes that tell the router how to route traffic destined for specific subnets or hosts. The default route tells the router how to route packets that don’t fit the criteria of any of the other routes in the routing table.
Dynamic routing becomes a necessity as the number of subnets and routers grows, particularly in a dynamic environment where new routers come on line frequently. Instead of using static routes in this situation, a dynamic

142 Administrator’s Guide to TCP/IP, Second Edition

means for routers to share routing information is needed. RIP is the most common routing protocol routers use to share routing data. RIP is relatively easy to configure but is limited to a maximum of 15 hops, making it suitable mainly for small to midsized networks. RIP considers to be unreachable any destination more than 15 hops away.
A router that uses RIP builds its routing table dynamically when it first boots. Initially, the routing table contains only the routes for the networks that are physically connected to the router. RIP then periodically broadcasts announcements containing its routing table entries, and adjacent routers update their own routing tables based on these RIP announcements. RIP also supports triggered updates, which occur when a router detects a network change, such as another router going down. The router that detects the condition generates a triggered update broadcast, which other routers use to modify their routing tables. When the adjacent router comes back on line, another triggered update occurs. Windows 2000 supports both RIP version 1 and RIP version 2.

Adding RIP
The first step in configuring RIP is to add the protocol, which you do through the Routing and Remote Access Service (RRAS) console. Expand the server you want to manage in the RRAS console, expand the IP Routing branch, and then right-click General and choose New Routing Protocol. Select RIP Version 2 For Internet Protocol and click OK. You’ll see a new node named RIP under the IP Routing branch. The next step is to specify the interface(s) on which RIP will operate. In the RRAS console, right-click RIP and choose New Interface. Select the appropriate interface from the list and click OK.

Configuring RIP interface properties
Next, you need to configure RIP’s properties. If you’ve just specified an interface for RIP, Windows 2000 automatically pops up the property sheet for the interface. Otherwise, select the RIP branch and then right-click the interface and choose Properties. The General page lets you configure several properties, as shown in Figure A.

Figure A: Here’s the General property page for a RIP interface.

The Operation Mode property specifies the way in which RIP updates routes. The Auto-Static Update Mode option configures RIP to send out route announcements only when adjacent routers request an update. Routes learned through Auto-Static Mode are treated as static routes and are not removed from the routing table even if the router is rebooted, although you can manually remove the routes. Auto-Static Update Mode is the default mode used for demand-dial interfaces.
The second option for operation mode is Periodic Update Mode. When you enable this option, RIP automatically generates RIP announcements at a predefined interval (configured through the Periodic Announcement Interval on the Advanced property page). Any routes added using this mode are handled as RIP routes and are flushed when the router is rebooted. They must be added again through RIP advertisements. Periodic Update Mode is

the default mode for LAN interfaces.
The Outgoing Packet Protocol property specifies the protocol that RIP uses for outgoing RIP announcements. If all adjacent routers support RIP v2, select RIP Version 2 Multicast. In a mixed environment where RIP v1 and RIP v2 routers are present, select RIP Version 2 Broadcast. You can’t use the multicast option in this scenario because RIP v1 doesn’t support multicast announcements. If none of the adjacent routers supports RIP v2, select RIP Version 1 Broadcast. The final option, Silent RIP, prevents the router from generating RIP announcements and causes it to operate in Listen-Only Mode. In this mode, the router listens for RIP announcements from other routers and updates its routing table based on those RIP announcements, but it doesn’t broadcast its own announcements.
The Incoming Packet Protocol property specifies the protocol the router uses for incoming packets. Select an option based on the capabilities of the adjacent routers. Or select Ignore Incoming Packets if you want the router to ignore RIP announcements from adjacent routers. This option places the router in Announce-Only Mode.
Use the Added Cost For Routes property to modify the cost for the route. You would increase this number to increase the cost of the route and direct traffic through other, less costly routes when possible. Keep in mind that RIP is limited to a maximum of 15 hops, and routes with an effective cost of more than 15 are considered unreachable.
The Tag For Announced Routes property lets you assign a tag number to be included with all RIP announcements. Inclusion of a tag number is applicable only to RIP v2. The tag is used to mark specific routes for administrative purposes and is generally not required.
The Activate Authentication option lets you enable a password for incoming and outgoing RIP announcements. With this option enabled, all other routers connected to the selected interface must also be configured for the same password. The plain-text password specified by the Password field is added to all outgoing RIP announcements. Incoming announcements are scanned for the password, as well. This feature serves as a means for routers to recognize one another but doesn’t actually provide security. It simply provides a way for adjacent routers to exclude RIP announcements from routers that are not configured with the specified password. In effect, it gives you a means of grouping routers into a logical set.
Use the Security page of the interface’s properties to specify which routes are accepted or rejected based on the routes’ destination addresses. For outgoing routes, specify which routes are broadcast based on their destination addresses.
The Neighbors page lets you configure how your Windows 2000 router interacts with adjacent routers. Use the option Use Broadcast Or Multicast Only to restrict RIP announcements to the protocol specified for outgoing packets on the General page. Select the option Use Neighbors In Addition To Broadcast Or Multicast if you want to specify routers to which your router sends unicast RIP announcements as well as RIP announcements using the protocol specified for outgoing packets on the General page. To disable broadcast announcements, select the option Use Neighbors Instead Of Broadcast Or Multicast and define a list of routers to which your router sends unicast RIP announcements. This latter option is useful in networks with routers that don’t support RIP broadcasts but do accept unicast announcements.

Advanced options
The Advanced property page for a RIP interface, shown in Figure B, offers several options. I’ll look at each of these options.
• Periodic Announcement Interval: This value specifies the frequency of RIP announcements from the local router. This value is used in conjunction with Periodic Update Mode, which you set through the General property page for the RIP interface. You can specify a value in seconds between 15 seconds and 24 hours.
• Time Before Routes Expire: This setting specifies the time-to-live (TTL) for routes that are learned from other routers through RIP. Routes that do not update before they exceed the specified TTL are marked as invalid. As with the announcement interval,

this setting is applicable only with Periodic Update Mode.

Figure B: The Advanced property page for a RIP interface offers several options.

• Time Before Route Is Removed: Use this setting to specify the amount of time a route will remain in the routing table before it expires and is removed. Valid values are between 15 seconds and 72 hours. This setting is applicable only with Periodic Update Mode.
• Enable Split-Horizon Processing: This option, when enabled, prevents routes learned on a given network from being announced on that same network. Deselecting the option allows those routes to be announced.
• Enable Poison-Reverse Processing: Use this option to assign a metric of 16 to those routes learned on a given network that are announced on the same network. Assigning a metric higher than 15 marks the routes as unreachable.
• Enable Triggered Updates: Use this option to allow the router to generate triggered updates, as discussed earlier.
• Send Clean-Up Updates When Stopping: Selecting this option causes the local router to broadcast RIP announcements for all routes with a metric of 15 to indicate to adjacent routers that the routes are unreachable. When the router comes back up, it generates additional announcements that reannounce the routes with their default metrics, making them available again.
• Process Host Routes In Received Announcements: Use this option to include host routes received in incoming RIP announcements. By default, host routes are ignored.
• Include Host Routes In Sent Announcements: Use this option to include host routes in outgoing RIP announcements. By default, host routes are not included.
• Process Default Routes In Received Announcements: Use this option to include default routes learned through incoming RIP announcements. By default, the default routes are ignored. Enabling this option could result in the router being disabled if the default routes learned through RIP are not applicable to the local router. So, use this option with discretion and only if the default routes apply to all routers on the interface.
• Include Default Routes In Sent Announcements: Use this option to include default routes in outgoing RIP announcements. See the previous item for an explanation of why this can cause problems.
• Disable Subnet Summarization: Use this option to prevent subnet routes from being summarized by class-based network ID for outgoing RIP announcements generated to networks that are not part of the same class-based network. Subnet summarization can improve routing performance by, in effect, sorting the routes. Subnet summarization requires that all adjacent routers support either RIP v2 Broadcast or RIP v2 Multicast. The option is disabled by default.
That takes care of configuration for the selected interface. Go through the process again for any other interfaces on which you

want to use RIP. If you’re using all of the default settings, you need to add RIP to the desired interface only.
There are a few general properties you can configure for RIP, as well. In the RRAS console, right-click RIP under the IP Routing branch and choose Properties. You can configure the maximum delay for triggered updates as well as logging options, and you can specify how the local router handles RIP announcements. You can configure the router to accept all announcements, accept all announcements from a list you specify, or reject all announcements from a list you specify.

Conclusion
When your Windows 2000 server acts as a router on your network, it communicates with other routers in one of two ways—by using RIP or by using OSPF. In this article, I’ve shown you how to configure your Windows 2000 server to support RIP.
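To see why the RIP password described above is identification rather than security, here is an added Python example (not part of the original article and not Windows 2000 code) that builds a RIPv2 response carrying the simple-password authentication entry defined in RFC 2453, parses it back, and reports what an auditor wants to know: the password travels in clear text, and any route at metric 16 or more is unreachable. The password and routes are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# RIPv2 wire format (RFC 2453): a 4-byte header followed by 20-byte entries.
RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, IP, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")      # AFI 0xFFFF, auth type, 16 bytes of auth data
AUTH_FAMILY = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2                  # the "plain-text password" of the RRAS property page
RIP_RESPONSE = 2
RIP_INFINITY = 16                         # metric 16 = unreachable


def build_ripv2_response(routes, password=None):
    """Encode a RIPv2 response; routes are (network, mask, metric) triples (constructed samples)."""
    parts = [RIP_HEADER.pack(RIP_RESPONSE, 2, 0)]
    if password is not None:
        raw = password.encode("ascii")
        if len(raw) > 16:
            raise ValueError("RIPv2 simple passwords are at most 16 bytes")
        # The auth entry must be the first entry; the password is NUL-padded, not hashed.
        parts.append(AUTH_ENTRY.pack(AUTH_FAMILY, AUTH_SIMPLE_PASSWORD, raw.ljust(16, b"\x00")))
    for network, mask, metric in routes:
        parts.append(RIP_ENTRY.pack(2, 0, IPv4Address(network).packed,
                                    IPv4Address(mask).packed, b"\x00" * 4, metric))
    return b"".join(parts)


def parse_ripv2(packet):
    """Decode a RIPv2 packet into its header, optional auth entry and route entries."""
    command, version, _ = RIP_HEADER.unpack_from(packet, 0)
    parsed = {"command": command, "version": version, "auth": None, "routes": []}
    offset = RIP_HEADER.size
    first = True
    while offset + RIP_ENTRY.size <= len(packet):
        afi = struct.unpack_from("!H", packet, offset)[0]
        if first and afi == AUTH_FAMILY:
            _, auth_type, data = AUTH_ENTRY.unpack_from(packet, offset)
            parsed["auth"] = {"type": auth_type, "password": None}
            if auth_type == AUTH_SIMPLE_PASSWORD:
                # Anyone who can read the broadcast can read the password.
                parsed["auth"]["password"] = data.rstrip(b"\x00").decode("ascii", "replace")
        else:
            _, tag, ip, mask, next_hop, metric = RIP_ENTRY.unpack_from(packet, offset)
            prefix_len = bin(int.from_bytes(mask, "big")).count("1")
            parsed["routes"].append({
                "prefix": f"{IPv4Address(ip)}/{prefix_len}",
                "tag": tag,
                "next_hop": str(IPv4Address(next_hop)),
                "metric": metric,
            })
        first = False
        offset += RIP_ENTRY.size
    return parsed


def audit_ripv2(parsed):
    """Findings a defender wants from a captured announcement."""
    findings = []
    auth = parsed["auth"]
    if auth is None:
        findings.append("no authentication entry: announcements are accepted from any sender")
    elif auth["type"] == AUTH_SIMPLE_PASSWORD:
        findings.append(f"simple password sent in clear text: {auth['password']!r}")
    for route in parsed["routes"]:
        if route["metric"] >= RIP_INFINITY:
            findings.append(f"{route['prefix']} advertised as unreachable (metric {route['metric']})")
    return findings


if __name__ == "__main__":
    # Constructed sample announcement: two routes, one of them poisoned, behind a password.
    packet = build_ripv2_response(
        [("192.168.5.0", "255.255.255.0", 1), ("192.168.7.0", "255.255.255.0", 16)],
        password="r1pS3cret")
    for finding in audit_ripv2(parse_ripv2(packet)):
        print(finding)
```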

Using OSPF on Windows 2000 Server
Dec 18, 2000
By Jim Boyce

In my previous article, “Using RIP on Windows 2000 Server,” I introduced you to RIP, one of the routing protocols that Windows 2000 can use when you configure it to act as a router on your network. Windows 2000 Server also supports OSPF. In this article, I’ll show you how OSPF works and how you can configure Windows 2000 to support it.

Configuring and using OSPF
The second routing protocol supported by Windows 2000 RRAS is Open Shortest Path First, or OSPF. Each OSPF router maintains a link-state database (LDB) that contains link-state advertisements (LSAs) from adjacent routers. The LSA contains information about a router, its connected networks, and configured costs. The cost is similar to a route metric used by RIP, in that it defines the relative cost of using the route. OSPF uses an algorithm to calculate the shortest path for routing based on the information contained in its LDB, making it a very efficient means of routing. Adjacent routers recalculate and synchronize their LDBs as network changes occur, such as network interfaces going down or coming on line.
OSPF is more complicated to configure than RIP. Its performance advantages are geared primarily toward very large networks, so if you’re setting up a router for a small or medium-size network, RIP is generally the better option. Where network size is a factor, however, OSPF is the better choice.

Adding OSPF
Adding OSPF requires essentially the same process as adding RIP, in that you first add the protocol and then specify the interface(s) on which OSPF will function. The settings for OSPF are quite different from RIP, however. To add OSPF, open the RRAS console, open the IP Routing branch, right-click

General, and choose New Routing Protocol. From the list of available protocols, select OSPF and click OK. You should now see an OSPF node under the IP Routing branch. As with RIP, you need to add interfaces for OSPF, so right-click OSPF and click New Interface. Select the desired interface and click OK. Windows 2000 opens the property sheet for OSPF, with which you configure the protocol. The configuration steps are explained next.

Configuring OSPF interface properties
Windows 2000 displays the OSPF property sheet when you add an interface, and you can access the properties by right-clicking the interface and choosing Properties. As with RIP, you need to configure OSPF’s properties on each interface for which OSPF is enabled (unless you use the default values for all settings).
Use the settings on the General page, shown in Figure A, to specify the IP address on which the router interface responds (if the interface has multiple addresses bound to it).

Figure A: The General page for an OSPF interface

The first option, Enable OSPF For This Address, has a twofold purpose. It lets you enable or disable OSPF on the selected interface. For interfaces bound by multiple IP addresses, it lets you specify on which address OSPF will operate.
The Area ID property lets you identify the interface as a member of a specific OSPF area. OSPF areas enable the enterprise to be segregated into contiguous groups of networks, which allows the Link State Database (LSDB) to be smaller, requiring less overhead for routing table calculation. In effect, OSPF areas allow a router to concentrate only on those routers that fall within its area.
Although the area ID is expressed as a dotted decimal value, it has no relation to an IP address or network ID. Area IDs are an administrative tool only. However, it’s often most practical from an administrative standpoint to use network IDs for area IDs to make it easy to identify areas based on placement within the enterprise. By default, only the backbone interface of 0.0.0.0 exists. You can add other areas through the general properties for OSPF, as explained a little later.
The Router Priority value on the General page designates the relative priority of the local router, which enables you to control router adjacency. On a multi-access network where multiple OSPF routers are present, it’s possible that all OSPF routers could attempt to establish adjacency with every other router, resulting in a significant number of adjacencies. This would result in an excessive amount of traffic as all those routers tried to synchronize with one another.
To avoid this problem, a multi-access network elects a Designated Router (DR) that forms adjacencies with all other routers. The DR acts as a hub router for the others in distributing link-state data and performing LSDB synchronization.
The Router Priority value also specifies the priority of the local router. Set this value according to the needs of your network, but remember that at least one router must have a value of 1 or higher. If all routers have a priority of zero, none can become the DR, resulting in no adjacencies, no synchronization, and ultimately, no routing. However, you might want to assign a value of zero to any routers that

you don’t want to be able to be elected as the DR. If multiple routers have the same router priority value, the one with the highest router ID becomes the DR.
The Cost option on the General property page specifies the relative cost (metric) for the interface. As with RIP, the route with the lowest cost is used when multiple routes exist for the same destination. Set the value according to your network’s structure.
Just as with RIP v2, you can use passwords to enable OSPF routers to identify themselves to other routers. The Password property on the General page specifies the password used by the local router in communicating with other routers. All routers in the same area must use the same password, and the default password is 12345678. This field is unavailable if plain text passwords are disabled for the selected area. If that’s the case and you want to enable the use of passwords for the area, open the general properties for OSPF and edit the area’s properties.
Use the Network Type radio buttons to specify the type of network to which the interface is connected. Select Broadcast if the interface is connected to a broadcast-type network, such as Ethernet, Token Ring, or FDDI. Use Point-to-Point if the interface is connected to a T1/E1, T3/E3, ISDN, or other point-to-point type network. Select Non-Broadcast Multiple Access (NBMA) if the interface is connected to a Frame Relay, X.25, or ATM network.
The NBMA Neighbors page of the interface’s properties lets you specify the address and priority of neighboring routers if the local router is configured for NBMA in the Network Type group on the General page. If the interface has multiple IP addresses, select the appropriate one from the drop-down list, then enter the IP address and router priority value for all other neighboring routers.
The Advanced page of the interface’s properties controls a range of transmission and polling properties for the interface. These settings include:
• IP address: If the interface has more than one IP, select the address you want to manage.
• Transit delay: This is the estimated time in seconds required to transmit a link-state update packet over the selected interface. Specify a value based on the transmission and reliability of the selected interface.
• Retransmit interval: Use this value to specify the interval in seconds between retransmission of link state advertisements for adjacent routers. You should set the value to be higher than the total round-trip time between any two routers on the network to avoid excessive retransmissions. Determine the round-trip time based on network structure, number of routers, and so on.
• Hello interval: OSPF uses Hello packets as a means for discovering neighboring routers. This value specifies the interval between Hello packet broadcasts by the local router. You can decrease the value to allow quicker router discovery, but doing so increases the amount of OSPF traffic on the network. The value must be the same for all routers on the common network. Choose a value based on the network structure and type. Thirty seconds is a reasonable value for X.25, and 10 seconds is a good choice for a LAN.
• Dead interval: This value specifies the period the local router can be down before adjacent routers will consider it dead (unavailable). Adjacent routers determine the state based on the amount of time that passes between issuing a Hello packet and receiving a response. If a response isn’t received in the specified time, the adjacent routers assume the router is down. All routers in the common network should have the same Dead interval, and it should be a multiple of the Hello interval. Four times the Hello interval is a good rule of thumb.
• Poll interval: Use this setting in conjunction with the Dead interval setting. The Poll interval specifies the interval between polls to determine if a dead neighbor has come back on line. Make the Poll interval at least twice the Dead interval.

• MTU size: This value specifies the maximum transmission unit size, which is the maximum IP datagram size that can be sent without fragmentation. The default for Ethernet is 1,500.

Configuring OSPF global properties
After you configure the OSPF interface properties, you also need to configure or at least review some global properties. To configure global properties, open the RRAS console, expand the IP Routing branch, right-click OSPF, and choose Properties. The options on the General page configure the router’s logging options and address identity. The Router Identification lets you specify a 32-bit number in dotted decimal format to uniquely identify the router. While this doesn’t have to be the router’s IP address, using the address is the best way to ensure a unique value. The Enable Autonomous System Boundary Router option, if selected, enables the router to advertise routing data gained through other sources, such as RIP and static routes. The logging options are self-explanatory.
Use the OSPF Area Configuration page, shown in Figure B, to add and configure OSPF areas, which were discussed earlier. Recall that OSPF areas enable the enterprise to be segregated into contiguous groups of networks, which allows the Link State Database (LSDB) to be smaller, requiring less overhead for routing table calculation. The settings you can use to configure an area are:

Figure B: Create an OSPF area through the OSPF Area Configuration page.

• Area ID: The area ID is a 32-bit number in dotted decimal format that uniquely identifies the area. The value 0.0.0.0 is reserved for the backbone. The number doesn’t have to correlate to a network ID, but using the network ID is the easiest way to recognize the area’s physical location based on its area ID.
• Enable plaintext password: Use this option to require that routers in the area use the password specified in the interface properties to identify themselves. All routers in an area on the same network segment must use the same password, but routers on other segments can use other passwords.
• Stub area: Use this option to configure the area as a stub area, which is an OSPF area that accepts external routes from other OSPF routers but doesn’t broadcast external routes to other OSPF routers.
• Stub metric: This value sets the metric for the summary default route advertised into the stub area.
• Import summary advertisements: If deselected, all non-intra-area routes are based on a single default route. If selected, inter-area routes are imported into the stub area.
• Ranges: The Ranges page lets you define the ranges of IP addresses that belong to the selected OSPF area. OSPF uses the ranges to summarize the routes within the area.
The Virtual Interfaces tab lets you create virtual links between a backbone area router and an area border router that can’t be physically connected to the backbone area. The virtual link transmits routing data between the two routers. Specify the transit delay, retransmit interval, hello interval, dead interval, and plain text password for each virtual link when you add the link.
The options on the External Routing page are available only if you select Enable Autonomous System Boundary Router on the General page for OSPF. These options enable you to define the sources from which the local router will accept routes. You can configure the router to either accept or ignore routes based on several criteria. Click Route Filters to configure filters to accept or ignore routes based on their destination addresses.

Conclusion
In this article, I gave you an overview of OSPF. I also showed you how to configure a Windows 2000 router to support OSPF. If you need more background information on OSPF, you’ll find additional information in Microsoft TechNet and in the Microsoft Windows 2000 Resource Kit online documentation.
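An added Python example (not part of the original article) applying the rules this article gives for a multi-access segment: interface timers are checked against the stated rules of thumb, routers whose Hello and Dead intervals differ from the local interface are set aside because they never form an adjacency, and the DR is chosen by highest Router Priority with ties broken by the highest Router Identification, priority 0 being ineligible. The router IDs and timers are constructed sample values, and the election is the simplified one the text describes, without the BDR or incumbent-DR rules of the full protocol.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class OspfNeighbor:
    router_id: str   # 32-bit Router Identification in dotted decimal
    priority: int    # Router Priority; 0 = never eligible to become DR
    hello: int       # Hello interval, seconds
    dead: int        # Dead interval, seconds
    poll: int = 0    # Poll interval (NBMA only), seconds; 0 = not configured


def timer_findings(n):
    """Check one interface's timers against the article's guidance."""
    findings = []
    if n.dead % n.hello != 0:
        findings.append(f"{n.router_id}: dead interval {n.dead}s is not a multiple of hello {n.hello}s")
    elif n.dead != 4 * n.hello:
        findings.append(f"{n.router_id}: dead interval is {n.dead // n.hello}x hello; 4x is the usual choice")
    if n.poll and n.poll < 2 * n.dead:
        findings.append(f"{n.router_id}: poll interval {n.poll}s is below twice the dead interval")
    return findings


def adjacency_candidates(local, others):
    """Only routers whose Hello and Dead intervals match ours can become neighbors."""
    return [o for o in others if (o.hello, o.dead) == (local.hello, local.dead)]


def elect_dr(routers):
    """Simplified election: highest priority wins, ties go to the highest router ID,
    priority 0 is never eligible; returns None when nobody can be DR."""
    eligible = [r for r in routers if r.priority > 0]
    if not eligible:
        return None
    winner = max(eligible, key=lambda r: (r.priority, int(IPv4Address(r.router_id))))
    return winner.router_id


def elect_segment_dr(local, others):
    """DR as seen from `local`: elect among itself and the neighbors it can actually form."""
    return elect_dr([local] + adjacency_candidates(local, others))


def sample_segment():
    """Constructed sample: one Windows 2000 router and three other routers on a LAN."""
    local = OspfNeighbor("10.1.0.1", priority=1, hello=10, dead=40)
    others = [
        OspfNeighbor("10.1.0.9", priority=1, hello=10, dead=40),    # same priority, higher ID
        OspfNeighbor("10.1.0.200", priority=0, hello=10, dead=40),  # never eligible
        OspfNeighbor("10.1.0.5", priority=5, hello=10, dead=30),    # timers differ: no adjacency
    ]
    return local, others


if __name__ == "__main__":
    local, others = sample_segment()
    for router in [local] + others:
        for finding in timer_findings(router):
            print("warning:", finding)
    print("DR on this segment:", elect_segment_dr(local, others))
```

Note that 10.1.0.5 has the highest priority but a mismatched Dead interval, so it never becomes a neighbor and cannot win; 10.1.0.9 wins the tie on router ID.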

Getting autonomous with BGP: How Border Gateway Protocol can help you with routing
Dec 26, 2000
By Alexander Prohorenko

... BGP is the primary routing protocol that Internet backbones use to exchange routing information...
—Michael Dillon

Okay, let’s start from the very beginning. What is BGP? In response to the various faults and limitations of the Exterior Gateway Protocol (EGP), the Internet research community developed a new exterior gateway protocol called the Border Gateway Protocol, in short: BGP. In this article, I’ll show you how BGP can help you with routing.
BGP is an interautonomous system routing protocol designed for TCP/IP networks. The BGP protocol was developed by the IWG/BGP Working Group of the Internet Engineering Task Force. The current version of the BGP protocol is version 4 (BGP-4).

A little background
BGP has been used in the production environment since 1989. The present production environment, where BGP is used as the interautonomous system routing protocol, is highly heterogeneous. In terms of link bandwidth, it varies from 56 Kbps to 45 Mbps. In terms of the actual routers that run BGP, it ranges from relatively slow PCs to the very high-performance RS/6000, and it includes both the special-purpose routers (Cisco) and the general-purpose workstations running UNIX. In terms of the actual topologies, it varies from very sparse (spanning tree or a ring of CA*Net [Canada’s Research and Education Internet] Backbone) to quite dense (T1 or T3 NSFNET [National Science Foundation Network] backbones).
A few words about changes between versions: Version 2 of BGP removed from the protocol the concept of up, down, and horizontal relations between autonomous systems that were present in version 1 and introduced the concept of path attributes. Version 3 of BGP lifted some of the restrictions on the use of the NEXT_HOP path attribute and added the BGP Identifier field to the BGP OPEN

message. It also clarified the procedure for distributing BGP routes between the BGP speakers within an autonomous system.
BGP fixes several of EGP’s problems and allows the protocol to scale to a much larger network. For example, to fix the problem of processing time for EGP updates, BGP exchanges the full routing table only at initialization; afterwards, it simply exchanges information about what has changed at each update. To fix the problem of IP fragmentation, BGP uses a TCP connection, which guarantees in-order delivery without loss or duplication.

Security
As far as security is concerned, BGP provides a flexible and extensible mechanism for authentication and security. The mechanism allows it to support schemes with various degrees of complexity. As part of the BGP authentication mechanism, the protocol allows BGP to carry an encrypted digital signature in every BGP message. All authentication failures result in the sending of notification messages and immediate termination of the BGP connection. Since BGP runs over TCP and IP, BGP’s authentication scheme may be augmented by any authentication or security mechanism provided by either TCP or IP.

Routing
BGP-4 provides a new set of mechanisms for supporting classless interdomain routing and introduces mechanisms that allow the aggregation of routes, including aggregation of AS (autonomous system) paths. BGP-4 runs over a reliable transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP-4 uses TCP as its transport protocol. TCP meets BGP’s transport requirements and is present in virtually all commercial routers and hosts.
There are several interoperable implementations of BGP currently available from the following companies:
• Cisco Systems
• The GateD Consortium
• 3Com
• Bay Networks (Wellfleet)
• Proteon
One more BGP implementation with public domain (GPL-licensed) code is a young but very promising one: Zebra. GNU Zebra is free software (distributed under the GNU General Public License) that manages TCP/IP-based routing protocols. Zebra software offers true modularity, unlike traditional, GateD-based, monolithic architectures, and even the so-called new modular architectures that remove the burden of processing routing functions from the CPU and utilize special ASIC chips instead. Zebra is intended for use as a route server and a route reflector. Currently, Zebra is available on the GNU/Linux platform and almost all branches of FreeBSD, NetBSD, and OpenBSD and is in development for Solaris 7. From the user’s standpoint, Zebra looks like Cisco with the same interface and with all the basic commands of Cisco routers. It consists of separate daemons for numerous routing protocols. The main daemon starts on the server and accepts connections to port 2601 (zebra). Once you connect to it, you’ll get an interface very similar to Cisco’s. That’s why, in the case of a server running Zebra, all you need to do is perform the same operations with it as you do with a Cisco router.
But for the rest of this article, I’ll focus on the most popular implementations of BGP. Cisco’s BGP implementation was wholly developed by Cisco and runs on the proprietary operating system used by the Cisco routers. GateD’s implementation was developed entirely by Jeff Honig and Dennis Ferguson and runs on a variety of operating systems. RFC1226 claims GateD to be the only available public domain code for BGP.

Autonomous systems
The BGP routing protocol employs the concept of the autonomous system (AS). The definition of AS has been unclear and ambiguous for some time. Nowadays BGP-4 states, “The classic definition of an autonomous system is a set of routers under a single technical administration, using an Interior Gateway Protocol (IGP) and common metrics to route packets

Routing and Design 151

within the AS and using an Exterior Gateway Protocol (EGP) to route packets to other ASs." Since this classic definition was developed, it has become common for a single AS to use several IGPs and sometimes several sets of metrics within an AS. The use of the term autonomous system stresses the fact that, even when multiple IGPs and metrics are used, the administration of an AS appears to other ASs to have a single coherent interior routing plan and presents a consistent picture of which networks are reachable through it. (To rephrase succinctly: an AS is a connected group of one or more IP prefixes run by one or more network operators that has a single and clearly defined routing policy.) Typically, the AS would be the networks of a single organization, but it might be a group of cooperating organizations, such as a subsidiary. Because a router must be able to determine which AS it is in, as well as the ASs of its neighbors, each AS is assigned a globally unique 16-bit number (sometimes referred to as an ASN, or autonomous system number). This number is used both in the exchange of exterior routing information (between neighboring ASs) and as an identifier of the AS itself. The same central authority that assigns IP network addresses assigns these ASNs. Also, according to RFC1930, the Internet Assigned Numbers Authority (IANA) has reserved the block of AS numbers from 64512 through 65535 for private use (not to be advertised on the global Internet).

Let's get to work!
Now that you have a little overview of what BGP is, let's start working with it. As I mentioned, BGP is much more flexible than EGP. Unfortunately, when a protocol becomes more flexible, it also becomes more complex. I'll present a sample BGP configuration scheme, because a full discussion of all that's possible could fill a book or even more.

Basic configuration—Cisco
This is the basic BGP configuration for a Cisco router (IP address 192.168.169.37) with a few local networks (192.168.134.0/23, 192.168.169.200/29, and 192.168.133.0) and one neighbor (192.168.169.33). I'll use ASN 65533 from the private block, which is not distributed to the outside world. If your network isn't big enough, or if you just don't want to get an ASN, feel free to use this one (for internal use only, of course). Our neighbor is another router from our network, so the remote ASN is the same.

    ! our ASN is 65533
    router bgp 65533
     bgp router-id 192.168.169.37
     network 192.168.134.0 mask 255.255.254.0
     network 192.168.169.200 mask 255.255.255.248
     network 192.168.133.0
     neighbor internal peer-group
     neighbor 192.168.169.33 remote-as 65533
     neighbor 192.168.169.33 peer-group internal
     default-metric 1

This configuration isn't much more complex than the basic IGP configuration. A router statement starts a BGP process. Following the router statement is one or more network statements. These statements specify networks that BGP considers local to the AS and that BGP will originate to its partners in the BGP exchange. Next, I tell the BGP process who its neighbors are, using a neighbor statement with the autonomous system to which each neighbor belongs.

I've already mentioned that BGP-4 can handle classless network routes. In the case of the 192.168.133.0 network block, where I did not specify a mask on the network statement, the IOS assumes that I meant the natural mask for the old-style classful networks. For classless networks, which 192.168.134.0/23 and 192.168.169.200/29 are, I've appended the mask to the network statements.

Less-basic configuration
The network 192.168.134.0 mask 255.255.254.0 statement specifies the 192.168.134.0/23 network to be included in BGP updates, but this doesn't mean that BGP will automatically aggregate the two networks 192.168.134.0/24 and 192.168.135.0/24. It only means that if your IGP carries the network route, BGP will send it out, too. To get automatic summarization, you must use a more complex configuration, like the one below:

    ! our ASN is 65533
    router bgp 65533
     bgp router-id 192.168.169.37
     aggregate-address 192.168.134.0 255.255.254.0 summary-only
     network 192.168.169.200 mask 255.255.255.248
     network 192.168.133.0
     neighbor internal peer-group
     neighbor 192.168.169.33 remote-as 65533
     neighbor 192.168.169.33 peer-group internal
     default-metric 1
     redistribute rip route-map aggregate

Also, we have to add these blocks to our configuration:

    ! setting the origin of route
    ! matching access list 41 to IGP
    route-map aggregate
     match ip address 41
     set origin igp

    ! select the component routes of
    ! 192.168.134.0/23 for aggregation
    access-list 41 permit 192.168.134.0 0.0.1.255

A bit more complex
When either 192.168.134.0/24 or 192.168.135.0/24 (or both) appears in the router's table, BGP includes an advertisement for the CIDR (classless interdomain routing, RFC1519) aggregate 192.168.134.0/23 and suppresses the advertisement of the two more specific routes. The redistribute, route-map, and access-list statements are used to get routes for the two networks redistributed from our IGP to BGP. (I'm using RIP in this example.)

Okay, now let's test:

    kitty>sh ip pro
    Routing Protocol is "bgp 65533"
      Sending updates every 60 seconds, next due in 0 seconds
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      IGP synchronization is enabled
      Automatic route summarization is enabled
      Default redistribution metric is 1
      Neighbor(s):
        Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
        192.168.169.33
      Routing for Networks:
        192.168.134.0/23
        192.168.169.200/29
        192.168.133.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        192.168.169.33       200           1w0d
      Distance: external 20 internal 200 local 200

Well, our configuration looks fine. We're starting to announce routing from 192.168.169.33 for our networks, which are 192.168.134.0/23, 192.168.169.200/29, and 192.168.133.0.

As you can see, BGP configurations can be very simple, but they can also quickly become extremely complex. A good way to solve your own specific configuration problem is to look at other configurations. There are many of them on the Net. Cisco specialists like to share their experience with the world and often put configurations of their routers on their home pages.

Basic configuration—GateD
Okay, now let's jump to our UNIX router, which is running GateD, and learn a bit from its configuration. Our UNIX router is a FreeBSD-powered PC system, which is running FreeBSD 3.4-STABLE and the GateD routing daemon, the most popular one that handles multiple routing protocols and replaces routed and egpup. Since GateD is very popular in the UNIX world, many UNIX distributions already include it in the binary package. FreeBSD includes it in a package distribution as well as in ports.

This router's IP is 192.168.169.33, and it has one network and one neighbor peer. GateD's configuration file is named gated.conf and is placed in the /etc directory. It looks like this:

    interfaces {
     interface all passive;
    };

    autonomoussystem 65533;
    routerid 192.168.169.33;

    bgp yes {
     preference 20;
     traceoptions none;
     group type internal peeras 65533 {
      peer 192.168.169.37;
     };
    };

    rip no;

    static {
     default gateway 192.168.169.36 preference 220;
     192.168.169.200 masklen 29 gateway 192.168.169.37 retain;
    };

    import proto bgp as 65533 {
     default preference 222;
     all
    };

This configuration is a bit more complex than Cisco's, but not by too much.

Experiment, experiment!
As you can easily see, the options that can be used for a BGP configuration are endless. Each BGP configuration for each router is unique in some way, and there really is no typical BGP configuration. The best way to figure out how to achieve a goal is to look through several configurations and to experiment.

Better security
Let's spend some time looking at ways to provide better security for your routers. It goes without saying that one of the first things you should do is filter some of the routes that your router learns from one or more of your BGP neighbors. Let's look at the updated configuration:

    ! our ASN is 65533
    router bgp 65533
     bgp router-id 192.168.169.37
     network 192.168.134.0 mask 255.255.254.0
     network 192.168.169.200 mask 255.255.255.248
     network 192.168.133.0
     neighbor internal peer-group
     neighbor 192.168.169.33 remote-as 65533
     neighbor 192.168.169.33 filter-list 61 in
     neighbor 192.168.169.33 peer-group internal
     default-metric 1

    ! define an AS path access list that
    ! will block routes announced from AS
    ! 65500
    ip as-path access-list 61 deny ^65500$
    ip as-path access-list 61 permit .*

Applied AS path access list 61 blocks any routes from uplinking with an AS path that contains AS 65500. As you can see, Cisco's IOS AS path syntax is a bit strange. This is a pattern-matching syntax based on UNIX regular expressions. First, a "$" symbol matches the end of the path, and a "^" symbol matches the beginning of the path. Since the AS path describes the path from your network to a destination network, your ASN (or your uplink's number) will normally be at the start of any path you see, and the destination ASN will be at the end. Second, a "." character matches anything, and an "*" means zero or more occurrences of a thing. This means that the two-character sequence ".*" matches anything, all or nothing, as appropriate. Finally, the "_" symbol matches any break between two ASNs or between an ASN and the beginning or end of the path.

Conclusion
From a network administrator's viewpoint, BGP has proven to be very effective for big networks. Experience with implementing BGP shows that the protocol is relatively simple to implement. On average, a BGP implementation takes about one man-month of effort. That's not much, which makes BGP very popular. It's not a panacea, however, and sometimes it's much better to use RIP than BGP (or even an OSPF scheme). In this article, I showed you how BGP can help you with routing.

Whether you're connecting to the Internet or to your company's intranet, and whether you're dealing with a permanent connection or an on-demand one, any connection to the

world outside your network should be very carefully thought out, planned, and implemented. After all, if the network is a living organism (and it is!), then the impact of an external link should be given at least as much consideration as a new internal link. This is especially true for security, the most important factor of any network connection. You should never take security risks!
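The AS-path filter from the "Better security" section, evaluated in Python as an added example (this is not code from the book): IOS AS-path patterns are turned into Python regular expressions and run through the first-match, implicit-deny logic of an ip as-path access-list. It also shows a caveat worth checking before relying on list 61: "^65500$" matches only a path consisting solely of AS 65500, so a route that merely passes through 65500 is still permitted, and refusing every such path takes "_65500_". The sample paths using ASNs 65510 and 65520 are constructed.

```python
import re

# IOS "_" matches a boundary: the start or end of the path, or the space
# between two ASNs.  On a space-separated path string it is this alternation.
IOS_BOUNDARY = r"(?:^|$|\s)"


def ios_as_path_to_regex(pattern: str) -> re.Pattern:
    """Translate an IOS AS-path pattern into a compiled Python regex.

    ^ $ . and * already mean the same thing in Python's re module, so only
    the "_" boundary symbol needs rewriting.
    """
    return re.compile(pattern.replace("_", IOS_BOUNDARY))


def evaluate_as_path_list(entries, as_path):
    """Apply an 'ip as-path access-list' to an AS path given as a list of ints.

    entries: [(action, pattern), ...] in configured order.  The first entry
    whose pattern matches decides, and an IOS list ends in an implicit deny,
    so a path matched by no entry is rejected.
    """
    path = " ".join(str(asn) for asn in as_path)     # e.g. "65510 65500 65520"
    for action, pattern in entries:
        if ios_as_path_to_regex(pattern).search(path):
            return action == "permit"
    return False


# The list from the configuration above.
ACCESS_LIST_61 = [("deny", "^65500$"), ("permit", ".*")]

# What it takes to refuse every path that has 65500 anywhere in it.
DENY_ANY_65500 = [("deny", "_65500_"), ("permit", ".*")]


def compare_lists(as_path):
    """(permitted by list 61, permitted by the _65500_ list) for one path."""
    return (evaluate_as_path_list(ACCESS_LIST_61, as_path),
            evaluate_as_path_list(DENY_ANY_65500, as_path))


if __name__ == "__main__":
    # Constructed sample paths; 65510 and 65520 are made-up private ASNs.
    # The empty path is what an iBGP peer in our own AS 65533 would send.
    for sample in ([65500], [65500, 65510], [65510, 65500, 65520], []):
        print(sample, "-> list 61:", compare_lists(sample)[0],
              " _65500_ list:", compare_lists(sample)[1])
```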

Using the Border Gateway Protocol
Mar 26, 2001
By Jim McIntyre

The Border Gateway Protocol (BGP) is used to provide routing services between autonomous systems. An autonomous system consists of all of the routers and computers that are controlled by the same administration. For example, at TechRepublic, the autonomous system consists of all the workstations, servers, and routers that are the administrative responsibility of the IT staff at TechRepublic.

BGP has been in use since 1989, and it has steadily evolved since its inception. In this article, we'll take an introductory look at BGP and how the routing method associated with BGP provides internetworking efficiency.

Path Vector Routing
When Path Vector Routing is employed on a router, each entry in the routing table contains the following entries:
- The destination network
- The next router
- The path to the destination network

The path to the destination network is usually a list of autonomous systems that an IP packet would travel through to reach the destination network. Below you can see a sample routing table employing Path Vector Routing (Table A).

The boundary of an autonomous system is determined by the location of its autonomous boundary router. Autonomous boundary routers advertise the availability of networks within the autonomous system to which they are connected. When two autonomous system boundary routers are connected to the same network, the routers are called neighbors. Autonomous system boundary routers receive their information from either the Routing Information Protocol (RIP) or the Open Shortest Path First protocol (OSPF).

Table A: Sample routing table employing Path Vector Routing

    Destination network   Next router      Path to destination
    192.168.30.0          192.168.30.100   192.168.10.0, 10.30.120.0, 192.168.51.0
    192.168.40.0          192.168.40.100   192.168.28.0, 10.26.130.0, 192.168.21.0
    10.76.110.0           10.76.115.100    10.76.100.0, 192.168.120.0, 10.54.116.0

When a router receives a path vector message via RIP or OSPF, the router must confirm that the routing policy allows the path advertised in the message. A routing policy is simply a set of rules created by the system administrator to control routing. If the advertised route is allowed by the routing policy, the router updates its own routing table, adds the IP address of its own autonomous system, and replaces the next router IP address with its own IP address. The message is forwarded to the next router, then on to the next router, and so forth.

Path Vector Routing is accomplished on an internetwork consisting of four separate autonomous systems (Figure A). As you can see in Figure A, Path Vector Routing is accomplished via the following procedure:
1. Router R1 sends a Path Vector Routing message advertising the availability of a network.
2. The message is forwarded to router R2. Router R2 updates its own routing table and adds the IP address of its own autonomous system to the path contained in the routing message.
3. Router R2 adds itself to the routing message as the next router and then forwards the message to router R3.
4. When router R3 receives the routing message, the information in the message is used to update router R3's routing table.
5. R3 is added as the next router, and the IP address of the autonomous system connected to R3 is added to the routing table.
6. The message is forwarded to router R4, which is the autonomous boundary router for the autonomous system.

Figure A: Path Vector Routing across an internetwork of four autonomous systems (Autonomous System 1 through 4, routers R1 through R4). Accomplishing Path Vector Routing is a six-step process.

Policy routing and BGP
Whenever a router receives a routing message, the path contained in the message may be checked against the router's policy. If any of the autonomous systems listed in the path are not included in the router's policy, both the path and the destination address may be discarded. The discarded path is not used to update the routing table, and the message is not forwarded to the next router. The result is that the routing tables used in Path Vector Routing are not based on a hop count or a minimum metric. Routing tables in Path Vector Routing are updated according to the routing policy that the system administrator establishes for any specific router.

BGP message types
BGP uses four types of messages:
- Open messages
- Update messages
- Keepalive messages
- Notification messages

Open messages
To establish a relationship with one of its neighboring routers, a router using BGP must first open a Transmission Control Protocol (TCP) connection with the other router. Once the TCP connection is established, an open message is sent. When the neighboring router accepts the connection from the first router, it returns a keepalive message to the first router. There are six fields in an open message (Table B).

Table B: Six fields in an open message
    Version: The version field defines the version of BGP in use.
    My Autonomous System: This is a two-byte field containing the Autonomous System IP address.
    Hold Time: This is a two-byte field, which sets the time in seconds that may pass before one of the routers using the connection receives a keepalive or update message. If one router does not receive one of these messages in the specified amount of time, the other router is assumed to be down.
    BGP Identifier: This is a four-byte field containing the IP address of the router sending the open message.
    Option Parameter Length: This is a one-byte field identifying the total length of all option parameters. If there are no option parameters, this field is set to zero.
    Option Parameters: This field defines the length of the parameter and the parameter value. The only option defined for use with BGP is authentication.

Update messages
There are five fields in an update message (Table C). The update message distinguishes BGP from other routing protocols. Routers running BGP use update messages for two critical tasks:
- Removing destination addresses that have been advertised earlier but are now considered to be unfeasible destinations
- Announcing a new route to a new destination address

Update messages are typically used for both purposes at the same time. However, while an update may be used to remove several destinations at once, only one new destination may be advertised in an update message.

Table C: An update message contains five fields.
    Unfeasible Routes Length: A two-byte field defining the length of the next field
    Withdrawn Routes: A variable-length field listing all routes deleted from the previous list
    Path Attributes Length: A two-byte field defining the length of the next field
    Path Attributes: The attributes of the route to the network being announced in the message
    Network Layer Reachability Information (NLRI): Identifies the network announced in the message. (This field contains two subfields. The first subfield sets the number of bits in the prefix subfield. The prefix subfield contains the netid of the network being announced. If a class C network with the netid 192.168.10.0 is being announced, the length field is 24 [24 bits], and the prefix is 192.168.10.)

Keepalive messages
Routers using BGP exchange keepalive messages before the specified hold time expires to confirm that each router is still operating. The keepalive message consists of one 19-byte header.

Notification messages
Routers running BGP use notification messages to close a connection whenever a router detects an error condition. A notification message contains three fields (Table D). There are several error codes used with BGP (Table E).

Table D: There are three fields in a notification message.
    Error code: A one-byte field used to define the error code
    Error subcode: A one-byte field used to define the subcategory of error
    Error data: Used to provide troubleshooting data about the error

Table E: BGP error codes
    1  Message header error: Synchronization error; Bad message length; Bad message type
    2  Open message error: Bad version number; Bad peer autonomous system; Bad BGP identifier; Bad optional parameter; Authentication failure; Unacceptable hold time
    3  Update message error: Malformed attribute list; Unrecognized well-known attribute; Missing well-known attribute; Attribute flag error; Attribute length error; Invalid origin attribute; AS loop or routing loop; Optional attribute error; Invalid network field; Malformed AS_PATH
    4  Hold timer expired
    5  Finite state machine error
    6  Cease

BGP encapsulation
BGP messages are encapsulated in TCP segments using well-known port 179. This encapsulation eliminates the need for error control and flow control. Whenever a TCP connection is opened by a BGP open message, messages are exchanged between routers until a cease message is sent.

Conclusion
BGP is used to update routing tables that are shared by distinct networks. This article provided an introduction to BGP. We covered Path Vector Routing and the advantages it provides in internetworking. We also covered the message types employed by BGP, how these messages affect routing, and the types of error messages and conditions associated with these messages.
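As an added example (not code from the article), the Python below parses the 19-byte header, the open message of Table B, and the notification of Table D, mapping error codes to the names in Table E, with the marker and length checks a receiver should make before trusting anything a peer sends. Assumptions: the My Autonomous System field is read as the 16-bit AS number, the subcode numbering follows RFC 4271 (which also lists an update subcode, Invalid NEXT_HOP attribute, that Table E omits), and the sample open message reuses AS 65533 and router ID 192.168.169.37 from the earlier article.

```python
import socket
import struct

HEADER_LEN = 19              # 16-byte marker + 2-byte length + 1-byte type
MARKER = b"\xff" * 16        # all ones when no authentication is in use
MAX_MESSAGE_LEN = 4096
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19}     # smallest legal length per type

# Table E with the subcode numbers from RFC 4271; update subcode 8
# ("Invalid NEXT_HOP attribute") is in the RFC but not in Table E.
ERROR_CODES = {
    1: ("Message header error", {1: "Synchronization error",
        2: "Bad message length", 3: "Bad message type"}),
    2: ("Open message error", {1: "Bad version number",
        2: "Bad peer autonomous system", 3: "Bad BGP identifier",
        4: "Bad optional parameter", 5: "Authentication failure",
        6: "Unacceptable hold time"}),
    3: ("Update message error", {1: "Malformed attribute list",
        2: "Unrecognized well-known attribute", 3: "Missing well-known attribute",
        4: "Attribute flag error", 5: "Attribute length error",
        6: "Invalid origin attribute", 7: "AS loop or routing loop",
        8: "Invalid NEXT_HOP attribute", 9: "Optional attribute error",
        10: "Invalid network field", 11: "Malformed AS_PATH"}),
    4: ("Hold timer expired", {}), 5: ("Finite state machine error", {}),
    6: ("Cease", {}),
}

class BgpError(Exception):
    """Carries the (code, subcode) the receiver would put in its notification."""
    def __init__(self, code, subcode, text):
        super().__init__(text)
        self.code, self.subcode = code, subcode

def parse_header(buf: bytes):
    """Validate the 19-byte header before any field behind it is trusted."""
    if len(buf) < HEADER_LEN:
        raise BgpError(1, 2, "truncated header")
    marker, length, msg_type = struct.unpack("!16sHB", buf[:HEADER_LEN])
    if marker != MARKER:
        raise BgpError(1, 1, "marker is not all ones: connection not synchronized")
    if msg_type not in MSG_TYPES:
        raise BgpError(1, 3, f"unknown message type {msg_type}")
    if not MIN_LEN[msg_type] <= length <= MAX_MESSAGE_LEN or length > len(buf):
        raise BgpError(1, 2, f"bad length {length} for {MSG_TYPES[msg_type]}")
    if msg_type == 4 and length != HEADER_LEN:
        raise BgpError(1, 2, "keepalive must be exactly the 19-byte header")
    return length, msg_type

def parse_open(body: bytes) -> dict:
    """Table B: version, my AS, hold time, BGP identifier, optional parameters."""
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpError(2, 1, f"unsupported version {version}")
    if hold_time in (1, 2):               # must be 0 or at least 3 seconds
        raise BgpError(2, 6, f"unacceptable hold time {hold_time}")
    if opt_len != len(body) - 10:
        raise BgpError(2, 4, "optional parameter length does not match the body")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_identifier": socket.inet_ntoa(struct.pack("!I", bgp_id)),
            "opt_params": body[10:]}

def parse_notification(body: bytes) -> dict:
    """Table D, with the names from Table E filled in."""
    code, subcode = body[0], body[1]
    name, subcodes = ERROR_CODES.get(code, ("Unknown error code", {}))
    return {"code": code, "subcode": subcode, "error": name,
            "detail": subcodes.get(subcode, ""), "data": body[2:]}

def parse_message(buf: bytes):
    """Return (type name, fields) or raise BgpError for a malformed message."""
    length, msg_type = parse_header(buf)
    body = buf[HEADER_LEN:length]
    if msg_type == 1:
        return "OPEN", parse_open(body)
    if msg_type == 3:
        return "NOTIFICATION", parse_notification(body)
    if msg_type == 4:
        return "KEEPALIVE", {}
    return "UPDATE", {"raw": body}        # Table C parsing is not shown here

def check_message(buf: bytes):
    """None if buf is acceptable, else the (code, subcode) a peer would send back."""
    try:
        parse_message(buf)
        return None
    except BgpError as err:
        return (err.code, err.subcode)

def build_message(msg_type: int, body: bytes) -> bytes:
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body

def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Open message with no optional parameters (29 bytes)."""
    ident = struct.unpack("!I", socket.inet_aton(router_id))[0]
    return build_message(1, struct.pack("!BHHIB", 4, my_as, hold_time, ident, 0))

# Constructed sample: the open message the router from the earlier article
# (AS 65533, router ID 192.168.169.37) would send.
SAMPLE_OPEN = build_open(65533, 180, "192.168.169.37")
```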

See how BGP and route redistribution can link remote sites
Aug 13, 2002
By Ray Geroski

In today's merger-happy corporate environment, linking distant corporate entities that have suddenly become partners is a necessity, and VPN is often the method of choice. Administrators face many challenges in establishing these VPN links—challenges that are often complicated not by technical issues but by human ones.

Take the case of one company that sought to link multiple sites to a home office via VPN tunnels. Two of the sites did not want their routing tables to be open to one another. This presented a bit of a challenge to the company, which had VPN links from the home office over OSPF going out to multiple sites. Suddenly, two locations in the mix were throwing a curve by saying they wanted their networks kept private from each other.

Suzie, one of the company's systems administrators, was tasked with solving the puzzle of how to achieve this without creating other problems in the process. Her solution made the existing setup a bit more complex but accomplished just what was intended. The key was using BGP and configuring routers so that the routing tables were filtered between the two sites.

Accommodating privacy requests
Suzie's company uses VPN to link the home office in the United States to several locations across Europe. When links to two new sites became necessary as a result of company acquisitions, officials at the two locations said that they did not want their routing tables forwarded to the other. The sites are located in different countries, thousands of miles apart.

In the existing setup, OSPF governs VPN traffic. But because OSPF does not allow for filtering routes on outbound traffic, the request to not forward routing table information necessitated a move to BGP for communication between the two sites.

Using BGP, Suzie said, "You can filter incoming data so that it won't show up in routing tables, but it will still pass all the routes to the next location."

Matters were further complicated because the administrator at one site didn't want anybody poking around in his routers, so he wouldn't grant access to anyone outside of his IT department.

The solution to the problem was to create separate BGP sessions on the routers at each of the sites, adding parameters in the routers at each to filter routes from the other location. The diagram in Figure A shows how the sites were linked.

As you can see, the protocol used from the corporate headquarters out to all sites is OSPF. But at the two sites that want their routes filtered, BGP governs outbound traffic from the routers, while private OSPF sessions are used internally. This ensures that routes are advertised correctly within the networks at each site but filtered on outbound traffic so that VPN-3 and VPN-4 cannot view each other's tables.

It may seem like an odd setup, but it's the solution that satisfied officials at both locations.

Suzie said the issue was purely a political one. Each site was concerned about protecting its privacy from the other, so she was obliged to accommodate the request.

"We could've turned to static routes," she said, "but that would've been a [network] management nightmare."

Suzie said the biggest danger in what she was doing was that if she didn't do it correctly, she could end up with routing loops. The first issue she encountered with BGP was its defaulting to auto summarize. This caused problems until she discovered that the auto summarize option was causing recursive routing. After she disabled this property, she was able to make the BGP solution work.

"It took me a while to figure that one out," she said. "Basically, what happens is, if BGP sees recursive routing, it shuts itself down. Once I figured out that it was auto summarizing and turned that off, it worked fine."

Figure A: Site VPN links. Corporate OSPF runs between vpn-1 and vpn-2 at headquarters; vpn-3 (Site 3) and vpn-4 (Site 4) each run a BGP session (BGP 1, BGP 2) whose advertisements block the Site 3 and Site 4 IPs, with private OSPF inside each site (routers RT_EXT1-Site 3 and RT_EXT1-Site 4).

Suzie used access list parameters to configure the router filters, as shown below. Note that IP addresses were changed from the originals and coincide with the diagram in Figure A.

    access-list 55 deny 112.11.11.99
    access-list 55 permit any
    access-list 56 deny 4.4.4.0 0.0.7.255
    access-list 56 deny 3.3.3.0 0.0.7.255
    access-list 56 deny 200.333.21.5 0.0.0.255
    access-list 56 deny 200.333.10.5 0.0.0.255
    access-list 56 permit any
    access-list 57 deny 4.4.4.0 0.0.3.255
    access-list 57 deny 3.3.3.0 0.0.7.255
    access-list 57 deny 200.333.10.0 0.0.0.255
    access-list 57 deny 200.333.21.0 0.0.0.255

The IP aliases may make it difficult to tell, but if you match the IPs to those shown in Figure A, you'll see that BGP is essentially blocking VPN-3 and VPN-4 IPs.

Suzie also had to include commands for redistributing the routes. She said this is common when company acquisitions take place because different organizations often use different protocols.

Suzie used Cisco IOS commands similar to the following to redistribute the routes:

    router ospf 1
     no log-adjacency-changes
     redistribute bgp 01 metric-type 1 subnets
     passive-interface FastEthernet0/1
     passive-interface Tunnel1
     passive-interface Tunnel23
     network x.x.x.0 0.0.0.255 area 0
     network xx.xx.0.0 0.0.255.255 area 0
    !
    router bgp 01
     no synchronization
     bgp log-neighbor-changes
     neighbor xxx.xxx.x.1 remote-as 02
     neighbor xxx.xxx.x.1 next-hop-self
     neighbor xxx.xxx.x.1 distribute-list 56 out
     neighbor xxx.xxx.0.9 remote-as 03
     neighbor xxx.xxx.0.9 next-hop-self
     neighbor xxx.xxx.0.9 distribute-list 57 out
     no auto-summary
     redistribute ospf 1 match internal external 1 external 2

In the redistribution into OSPF, however, these IPs are not blocked to VPN-1 and VPN-2. Thus, VPN-3 and VPN-4 cannot see each other's route tables, but VPN-1 and VPN-2 can.

After setting the parameters necessary to block specific routes and then redistribute them, Suzie had to test everything to ensure that routes were being filtered and redistributed as intended.

She Telnetted into the routers at VPN-3 and VPN-4 and used the command show ip route to view the routes displayed at each. As intended, neither showed the other's routes. Suzie then Telnetted one router hop out from VPN-3 and VPN-4 to ensure that they were seeing only OSPF and directly connected interfaces as well as VPN-1 and VPN-2 routes. Again, the routes were advertised as expected. She then Telnetted into routers at VPN-1 and VPN-2 and verified that all routes were visible at these sites.

Suzie's solution, though perhaps unorthodox, resulted in her being able to accommodate the two locations that wanted their routes kept private from one another without disrupting VPN links among the other sites in the network.

Final word
Company mergers can result in complicated technology requests for the administrators who are called upon to integrate what are often disparate networks. In this case, a privacy issue forced one admin to take steps that would otherwise have been unnecessary, but the end result was that sites located thousands of miles apart were successfully linked via VPN without being able to see each other's routes, as requested for political and competitive reasons.
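The access lists above, and access-list 41 from the aggregation example earlier in this section, evaluated in Python as an added example (not code from either article): an IOS wildcard mask is applied bit by bit, a standard access list is walked first-match-wins with the implicit deny at the end, and each base/wildcard pair is rewritten as the CIDR prefix it actually covers (4.4.4.0 0.0.7.255 is 4.4.0.0/21, not 4.4.4.0/24). Only the entries with valid addresses are used, so the 200.333.x.x aliases are skipped, and the permit any on list 57 is an assumption: list 57 as printed has only deny entries and would otherwise filter every route sent to that neighbor. The route list is constructed.

```python
import ipaddress


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a | w) == (b | w)       # set the "don't care" bits on both sides


def wildcard_to_network(base: str, wildcard: str) -> str:
    """Rewrite base/wildcard as a CIDR prefix (only for contiguous wildcards)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"wildcard {wildcard} is not contiguous; no single prefix")
    return str(ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False))


def acl_permits(acl, network: str) -> bool:
    """Standard-ACL semantics: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def filter_routes(acl, networks):
    """The routes a 'distribute-list <acl> out' would still advertise."""
    return [n for n in networks if acl_permits(acl, n)]


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 41 from the aggregation example: the two /24s inside 192.168.134.0/23.
ACL_41 = [("permit", "192.168.134.0", "0.0.1.255")]

# Suzie's lists 56 and 57, keeping only the entries whose addresses are valid
# (the 200.333.x.x entries are the article's altered aliases).  List 57 as
# printed has no permit entry; the permit any here is an ASSUMPTION, added
# because without it the implicit deny would filter every route.
ACL_56 = [("deny", "4.4.4.0", "0.0.7.255"), ("deny", "3.3.3.0", "0.0.7.255"),
          ("permit", *ANY)]
ACL_57 = [("deny", "4.4.4.0", "0.0.3.255"), ("deny", "3.3.3.0", "0.0.7.255"),
          ("permit", *ANY)]

if __name__ == "__main__":
    # Constructed route list: Site 3, Site 4, and two headquarters networks.
    routes = ["4.4.4.0", "3.3.3.0", "2.2.2.0", "100.1.10.0"]
    print("list 56 advertises:", filter_routes(ACL_56, routes))
    print("list 57 advertises:", filter_routes(ACL_57, routes))
    print("list 57 without permit any:", filter_routes(ACL_57[:2], routes))
    for base, wc in (("4.4.4.0", "0.0.7.255"), ("4.4.4.0", "0.0.3.255")):
        print(base, wc, "covers", wildcard_to_network(base, wc))
```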

How FTP port requests challenge firewall security
Mar 4, 2002
By Dr. Thomas Shinder MCSE

The File Transfer Protocol (FTP) is one of the most popular, but also most misunderstood, protocols in use today. I get many questions every day from router and firewall administrators asking why a particular FTP client or server configuration isn't working. If these administrators understood how FTP worked and how typical firewalls augment the protocol's sometimes dicey security demands, they would be able to easily solve the FTP-related problems they encounter.

In this article, we'll look at the following issues:
- How FTP works
- Challenges created by FTP
- Solving FTP problems

How FTP works
FTP is a messy protocol because it requires multiple connections, sometimes in both directions. How your clients and servers make these connections depends on the FTP mode. There are two FTP modes:
- PORT mode (also known as Normal or Active mode)
- PASV mode (also known as Passive mode)

Let's look at these two modes in more detail.

PORT-mode FTP
The traditional FTP mode is referred to as PORT (or Normal or Active) mode FTP. The sequence of events for a PORT FTP connection goes like this:
1. FTP client: Opens random response ports in the high number range. (For the purposes of this example, we'll assume ports TCP 6000 and TCP 6001.)
2. FTP client: Sends a request to open a command channel from its TCP port 6000 to the FTP server's TCP port 21.
3. FTP server: Sends an "OK" from its TCP port 21 to the FTP client's TCP port 6000 (the command channel link). The command channel is established at this point.
4. FTP client: Sends a data request (PORT command) to the FTP server. The FTP client includes in the PORT command the data port number it opened to receive data. In this example, the FTP client has opened TCP port 6001 to receive the data.
5. FTP server: The FTP server opens a new inbound connection to the FTP client on the port indicated by the FTP client in the PORT command. The FTP server source port is TCP port 20. In this example, the FTP server sends data from its own TCP port 20 to the FTP client's TCP port 6001.

In this conversation, two connections were established: an outbound connection initiated by the FTP client and an inbound connection established by the FTP server. Note that the information contained in the PORT command (sent over the command channel) is stored in the data portion of the packet.

PASV-mode FTP
The most popular FTP implementation is the Passive or PASV mode. PASV-mode FTP connections are the default on most popular browsers. One of the major advantages of PASV mode is that the server does not need to create a new inbound connection to the FTP client. As we'll see later, this makes PASV-mode FTP a bit more firewall-friendly.

A PASV-mode FTP sequence of events would go like this:
1. FTP client: Opens random response ports in the high number range. (For the purposes of this example, we'll assume ports TCP 6000 and TCP 6001.)
2. FTP client: Sends a request to open a command channel from its TCP port 6000 to the FTP server's TCP port 21.
3. FTP server: Sends an "OK" from its TCP port 21 to the FTP client's TCP port

6000. The command channel is now established.
4. FTP client: Sends a PASV command requesting that the FTP server open a port number that the FTP client can connect to in order to establish the data channel.
5. FTP server: Sends over the command channel the TCP port number to which the FTP client can initiate a connection to establish the data channel. In this example, the FTP server opens port 7000.
6. FTP client: Opens a new connection from its own response port TCP 6001 to the FTP server's data channel port 7000. Data transfer takes place through this channel.

Note that the PASV-mode FTP client initiates all connections. The FTP server never needs to create a new connection back to the FTP client.

Firewalls and FTP
FTP modes pose distinct security challenges, depending on whether you're the client-side or the server-side firewall administrator.

PORT-mode FTP client-side firewall
How do you handle PORT-mode requests made from your FTP clients? You need to allow both inbound and outbound connections to support PORT-mode FTP client requests made from behind your firewall:
- Outbound: TCP port 21
- Inbound: TCP ports 1025 and above

As you can see, the packet filters required to support PORT-mode FTP clients don't lead to a very secure firewall/router configuration, simply because such a wide range of ports is left standing open to the masses. Another significant problem is that you must give new inbound connections (non-ACK packets) access to the internal network. Allowing new, unsolicited inbound connections to such a wide range of ports represents a definite security hazard.

One way of dealing with this problem is to allow inbound connections to the high-number ports only from source port TCP 20. Using this approach, you limit access to what is assumed to be the FTP server data port. However, there are a number of tools available that allow administrators—and hackers—to set the source port manually. So you can't be sure that incoming connections from TCP port 20 actually are sourcing from an FTP server.

You can improve on these restraints somewhat by limiting inbound access to the high-number ports only from TCP port 20 and from a limited number of IP addresses of trusted FTP servers. The major drawback here is that you must be able to identify the trusted FTP server addresses in advance, and you still have to be concerned about hackers spoofing a source port and IP address.

PORT-mode FTP server-side firewall
What if you're the firewall/router administrator who has to deal with an FTP server behind your device? In this case, you need to open the following ports:
- Outbound: TCP ports 1025 and above
- Inbound: TCP port 21

This situation is a bit less hazardous than the one the client-side firewall/router administrator has to handle. However, allowing such a wide array of ports outbound access just to support a single server application is still a poor security practice. Any internal network client may have access to network services on the Internet that use the high-number TCP ports for a primary connection.

You can tighten up security a bit by allowing outbound access to the high-number ports only when the source port is TCP port 20. In this way, you can safely assume that only FTP servers are able to connect to these high-number ports on the Internet. You could strengthen this approach even more by limiting TCP port 20 access to the high-number ports to a limited number of IP addresses on your internal network. However, you still have to deal with problems of spoofed IP addresses and manipulated port numbers.

PASV-mode FTP client-side firewall
If you're the firewall/router administrator on the PASV-mode client side, you'll need to open the following ports:
- Outbound: TCP port 21 and TCP ports 1025 and above
- Inbound: TCP ports 1025 and above

Routing and Design 163

Note that the PASV mode FTP client requires outbound access to TCP ports 1025 and above. While this doesn’t seem like a big difference from the PORT-mode FTP client requirements, it is in fact a tremendous difference from a security point of view. To allow the PASV-mode FTP client outbound access to the FTP server, you must let these clients have outbound access to all high-number ports. Since you have no way of determining in advance what high-number port the FTP server will assign to the data channel, you must open all the high-numbered ports.

This configuration might be fine if you had some way to ensure that only FTP clients would be accessing an FTP server on these ports. Unfortunately, you can’t easily control what applications can access what ports. And even if you did limit just FTP clients to these ports, you would be blocking other applications’ access to the high-number ports.

To further complicate matters, you must also allow inbound access to all high-number ports. The result is that you must allow inbound and outbound access to all high-number ports. Needless to say, this is an untenable security configuration.

One way you can improve the packet-filtering situation is to limit access to outbound TCP port 21 from certain clients. However, you still run into the spoofing problem.

PASV-mode FTP server-side firewall

These are the ports you need to open on the server side of the PASV-mode connection:

• Outbound: TCP ports 1025 and above
• Inbound: TCP port 21 and TCP ports 1025 and above

This is the flip side of the packet-filter configuration for the FTP client. TCP ports 1025 and above must be opened for inbound and outbound access. Again, you could get a modicum of control by limiting what IP addresses have access, but you run into the same problems you do with the PASV clients.

Solving the FTP problem

Fortunately, most of us use firewall/routers that have a bit more smarts in them than basic packet filtering. Stateful packet filtering firewalls/routers do not require you to open static response port ranges because they include mechanisms that read the data portion of FTP packets, which include the details of the PORT- and PASV-mode commands.

For example, when the FTP client sends a PORT-mode command to the FTP server, the firewall/router can temporarily open a response port and allow the FTP server to create a new (non-ACK) connection on that port. The port will close after the communication is complete. This approach prevents the need to open static inbound packet filters for the high port range on the firewall/router.

Another example of improved firewall security is when the PASV client sends a PASV command to the FTP server. The firewall will intercept the information in the PASV command and allow outbound access to the high-number port on the FTP server from the FTP client until the communication is complete. This prevents the need to open outbound access to all high-number ports for PASV-mode FTP clients.

Computations get a bit more complex when the firewall/router also is performing Port Network Address Translation (PNAT) services for FTP clients and servers. The firewall/router cannot use the IP address and port number of the FTP client or server (included in the PORT or PASV command) because these addresses are not directly routable and the firewall/router cannot guarantee that the port in the PASV or PORT command will be available on its external (Internet connected) interface. In the case of the PNAT firewall/router, the device must re-create the communication (proxy the request) and replace the IP address and ports contained in the PORT and PASV commands with those that are valid on the external interface of the firewall/router. In effect, the firewall/router becomes the FTP client or server on behalf of the internal network FTP client or server. Most firewalls and PNAT routers can perform this proxying of FTP requests.

Summary

The FTP protocol is a somewhat messy protocol that definitely wasn’t designed with firewall security in mind. FTP clients can use one of two modes: PORT and PASV mode. While PORT mode has been around longer, PASV mode is more popular because it doesn’t require a new inbound connection to be made to the FTP client from the FTP server. Modern firewalls and routers have components that are able to handle the connection request details contained in the PORT and PASV commands to improve on the security issues related to FTP.
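The FTP-aware inspection described under “Solving the FTP problem”, including the PNAT rewrite of the PORT command, modelled as a small Python class. This is an added example, not code from the book or from any firewall product. It goes slightly beyond the text in one respect: it also refuses a PORT command whose address is not the internal client’s own, which is the spoofing concern the client-side firewall sections raise. The addresses 192.168.1.50 (client), 203.0.113.10 (server) and 198.51.100.1 (the device’s external interface), the starting translated port 40000 and the pinhole bookkeeping are all assumptions made for the illustration.

```python
"""FTP-aware stateful filtering, modelled in Python (added example; not from the book).

The class watches one FTP control session between an internal client and an
Internet server, pulls the address/port out of a PORT command or a 227 (PASV)
reply, opens a pinhole for exactly that data connection and closes it again
when the transfer ends.  With external_ip set it also acts as the PNAT proxy
the text describes, rewriting the PORT command to its own address.
All addresses and ports are constructed sample values.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """The six h1,h2,h3,h4,p1,p2 fields of PORT / 227 -> (ip, port); port = p1*256 + p2."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range in PORT/PASV address")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when the device rewrites a PORT command."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class Pinhole:
    src_ip: str      # the only host allowed to open this data connection
    dst_ip: str
    dst_port: int
    direction: str   # "inbound" (server -> client, PORT) or "outbound" (client -> server, PASV)


class FtpAlg:
    """Tracks one control session; the client sits behind the device, the server on the Internet."""

    def __init__(self, client_ip, server_ip, external_ip=None):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.external_ip = external_ip   # set only when the device also performs PNAT
        self.pinholes = set()
        self.next_nat_port = 40000       # constructed start of the translated port range
        self.nat_table = {}              # external port -> (client ip, client port)

    def on_client_command(self, line):
        """Inspect a client -> server control line; return the line to forward."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.client_ip:
            raise ValueError("PORT names a host other than the client; refusing")
        if port < 1024:
            raise ValueError("PORT names a privileged port; refusing")
        if self.external_ip is None:
            self.pinholes.add(Pinhole(self.server_ip, ip, port, "inbound"))
            return line
        # PNAT: the private address in the command is not routable, so substitute
        # our external address and a port of our own, and remember the mapping.
        ext_port = self.next_nat_port
        self.next_nat_port += 1
        self.nat_table[ext_port] = (ip, port)
        self.pinholes.add(Pinhole(self.server_ip, self.external_ip, ext_port, "inbound"))
        return "PORT " + encode_hostport(self.external_ip, ext_port)

    def on_server_reply(self, line):
        """Inspect a server -> client control line; a 227 reply carries the PASV data port."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.server_ip:
            raise ValueError("227 reply names a host other than the server; refusing")
        self.pinholes.add(Pinhole(self.client_ip, ip, port, "outbound"))
        return line

    def permits(self, src_ip, dst_ip, dst_port, direction):
        """Would a new (non-ACK) connection be allowed?  Only an exact pinhole says yes."""
        return Pinhole(src_ip, dst_ip, dst_port, direction) in self.pinholes

    def on_data_connection_closed(self, src_ip, dst_ip, dst_port, direction):
        """A pinhole lives only as long as the transfer it was opened for."""
        self.pinholes.discard(Pinhole(src_ip, dst_ip, dst_port, direction))
```

With the book’s numbers, a client whose response port is 6001 sends PORT 192,168,1,50,23,113 (23 × 256 + 113 = 6001) and the device opens a single inbound pinhole to that port from the server only; a 227 Entering Passive Mode (203,0,113,10,27,88) reply opens a single outbound pinhole to server port 7000. Nothing else in the 1025-and-above range is reachable, which is what replaces the static filters listed in the earlier sections.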

Windows Networking

Provide VPN services using Windows Server 2003 ...... 167
Troubleshoot Windows Server 2003 networking errors ...... 172
How to fine-tune Windows Server 2003 network connections ...... 176
How to configure Windows XP client VPN connections ...... 179
Create custom IPSec configurations for Windows XP ...... 181
The complete Windows 2000 client TCP/IP configuration guide ...... 184
Setting up a VPN with Windows 2000 ...... 191
Configuring certificates for an L2TP/IPSec VPN ...... 195
Customize the security of L2TP/IPSec connections ...... 200
Troubleshooting L2TP/IPSec VPN connections in Win2K ...... 203
Configure Windows NT to support VPN connections ...... 206
Monitoring and troubleshooting VPN connections in WinNT ...... 210
Tune Windows NT for better network performance ...... 214
The Win9x VPN client connection guide ...... 218
Troubleshoot Windows RAS and VPN connections with these tips ...... 223
Fix the four biggest problems with VPN connections ...... 226

Provide VPN services using Windows Server 2003
Jul 3, 2003
By Scott Lowe, MCSE

Virtual private networks have fast replaced dial-up connections as the preferred method for achieving remote access to corporate information resources. Although Windows NT and 2000 both boast remote access services, including VPN, Windows Server 2003 offers the next level of these services, providing a secure communications mechanism for your users and infrastructure.

The services at a glance

Windows Server 2003 provides a number of enhancements to VPN/remote access services that are superior to the features found in older versions of the operating system. The core support is still available for Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IP Security (IPSec), Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP 2) and Remote Access Services (RAS), but there are also some desirable new features.

In Windows Server 2003, Microsoft has improved the reach, security, and availability of the VPN services by providing NAT-aware L2TP/IPSec services and enabling VPN services to be used in conjunction with Network Load Balancing Services. Previously, to provide VPN services to clients behind NAT devices, the solution was to use the less secure PPTP. To use L2TP/IPSec services from behind a NAT device, the remote end of the connection must be running a VPN client that supports drafts from the IPSec Protocol Working Group: Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPSec Packets. Microsoft’s L2TP client has the appropriate support. The Network Load Balancing Services work in conjunction with both PPTP and L2TP/IPSec-based connections.

Windows Server 2003 also includes the ability to support client NetBIOS name resolution without the need for DNS and WINS servers through the use of a NetBIOS over TCP/IP (NetBT) name resolution proxy service running at the VPN server. This resolves some name resolution problems at the client side.

Up to 1,000 PPTP and 1,000 L2TP connections can be supported in Windows Server 2003 Standard and Enterprise editions, while a single connection of each type is supported in the Web edition. A single connection in the Web edition can help to support a secure remote administration mechanism.

Preparing the Windows Server 2003 system for VPN services

Like all other services in Windows Server 2003, the Routing And Remote Access Services (of which VPN is but one component) are disabled by default. Before they are enabled, a couple of things need to be verified.

First, are two communications devices enabled at the server? At least one of them should be a network adapter. After all, the point of a remote access VPN is to provide access to internal network resources from outside the organization.

Second, check to make sure you’re running the proper protocols on your server and workstations. As far as protocols go, today’s typical VPN uses TCP/IP in one form or another with either PPTP or L2TP for security. To provide users with access to resources on the internal network via a VPN connection, you must distribute IP addresses to them. You can accomplish this via the network’s existing DHCP server or by defining an address pool in the Routing And Remote Access Services configuration. This will also provide the remote client with appropriate addressing information for DNS and WINS to enable efficient name lookups.

Allowing and restricting access

Any type of remote access to a network opens up the potential for abuse and unauthorized access, although you can take steps to mitigate these risks. For example, with Windows Server 2003 RRAS/VPN, you must explicitly allow each user to make use of the services by granting dial-in privileges in each user’s profile. In addition, you can create strict policies, such as time of day restrictions, maximum session times, and MAC address restrictions, at the server to reduce the inherent security risk.

Enabling VPN services

To enable VPN services, you must enable Routing And Remote Access Services, which include VPNs. First, open Start | All Programs | Administrative Tools | Routing And Remote Access on the server where you want to support VPN. Next, right-click on the server name and choose Configure And Enable Routing And Remote Access. This will start a wizard that will help you configure these services.

RRAS includes a number of other capabilities besides VPN services, including NAT and dial-up (PPP). On the Configuration screen, shown in Figure A, you can specify which services you want to enable. For this example, we’ll enable only dial-up/VPN.

Figure A: Enable VPN and/or dial-up services on the local server.

Choosing dial-up/VPN brings up the Remote Access screen, shown in Figure B. Here, you must select which of these services (or both) that you want to offer from this server. For this example, we’ll choose only the VPN components.

Figure B: This server will allow only VPN connections.

Since VPN servers are generally installed with one interface facing outside the organization to support remote connections, the wizard will now display the VPN Connection screen, shown in Figure C. You’ll need to identify which interface will act in this capacity.

Figure C: The 192.168.1.120 interface is used for remote connections.

On the VPN server in my lab for this exercise, I have two interfaces. The first interface’s address is 192.168.1.120/24 and the second’s is 192.168.2.2/24. Since this server is in my lab, it does not have a true “public” address. However, for the purposes of this example, I’ll use the 192.168.1.120 interface. Below the interface list, you’ll notice a check box indicating that static packet filters can be applied to this interface to allow VPN traffic only. I recommend that you enable this feature, especially if this interface is outside the corporate firewall.

To access resources on the internal network, the remote client needs an IP address that is allowed to do so. The IP Address Assignment screen, shown in Figure D, gives you two choices for automatically providing the client with an IP address. First, you can use an existing DHCP server on your network after making sure that it is configured properly. Second, you can provide the VPN server with a range of addresses that it can dole out to the clients.

Figure D: Choose an IP addressing mechanism.

I prefer the second method, as it makes me feel a little more in control. I have to provide a range of addresses, and it allows me to quickly determine just by looking at a list of IP connections to a server if they are internal or VPN clients. If you choose this method and are using addresses from the same space as your internal network, make sure you exclude the range you choose from any DHCP scopes you’ve defined on other DHCP servers to prevent addressing conflicts. For this article, we’ll choose this option.

Because we’re assigning addresses from a specified pool, the pool or pools must be set up, which you’ll do on the Address Range Assignment screen, shown in Figure E. Unless you have specific needs, you can specify a range of addresses from the LAN side of the VPN server. In this example, that network is 192.168.2.0/24. To add a range, click the New button. You need to supply the starting address of the range and either the ending address or the number of addresses you would like in the pool. For this example, we’ll create a range of 25 addresses ranging from 192.168.2.100 to 192.168.2.124.

Figure E: Create an address space for remote clients.

A key aspect in providing remote access services is authentication. Without it, anyone can access your internal network as long as they can get to your VPN server. If your network includes a RADIUS server, the Windows Server 2003 VPN services are more than capable of using it for authentication. If you don’t have one, you can just let the RRAS services handle the authentication. You’ll specify authentication on the Managing Multiple Remote Access Servers screen.

After this step, the wizard will configure RRAS based on the parameters you specified.

When the process is completed, you’ll be notified that you need to allow DHCP relays to clients if you chose to use an existing DHCP server. You should then see a green arrow next to your local server on the RRAS screen indicating that the service is active, as shown in Figure F.

Figure F: More options are available now that RRAS is enabled.

Connecting clients

With the VPN server minimally installed to support PPTP and L2TP connections, you can now initiate these connections as long as the user has permissions to use the VPN services. One good thing about RRAS is that Windows does not automatically enable every user to use RRAS. Rather, an administrator needs to proactively enable this privilege for each user who needs it.

To enable someone to use the VPN services, start Active Directory Users And Computers. Next, right-click on a user object and choose Properties. On the properties page for the user, go to the Dial-in tab and choose the Allow Access option under Remote Access Permission (Dial-in Or VPN). Click Apply or OK to continue. The user will now be able to use the VPN services. In Figure G, the Administrator user VPN dial-in permissions are enabled, but this is for demonstration purposes only. I would not recommend enabling the Administrator user outside of a lab setting, since this account is a favorite target for exploitation.

Figure G: Enabling someone to use the VPN server

Testing the connection

With this out of the way, a client computer can now be connected to the VPN server using this user’s credentials. For this step, we’ll use a Windows XP Professional SP1 client. This system resides on the outside of the network and needs to use the VPN services to gain access to the inside.

To begin, choose Start | My Network Places and choose View Network Connections from the Network Tasks shortcut menu. Next, click Create A New Connection. This will start a wizard to help you set up the connection.

The wizard first asks what kind of connection you want to create. Since this example is designed to test the new VPN server, choose the Connect To The Network At My Workplace option. The next step asks whether this will be a dial-up or a VPN connection. Because your users are going to connect to a VPN, naturally you’ll choose a VPN connection. The wizard will also ask for a name for this connection.

If you need to dial up to an ISP before establishing the VPN connection, you can allow the VPN connection to do so when you open it. If you’re using DSL, a cable modem, or another always-on connection, you don’t need to dial anything beforehand. The IP address or DNS name for the VPN server is required in the next step of the wizard. Finally, you need to provide the username and password credentials for a user who is allowed dial-in access to the network.

Click Connect to establish the connection. If everything is set up properly, you will be connected to the VPN server and be provided an IP address from the static pool that was created during the installation of the VPN server. As you can see in the VPN connection details for this test, shown in Figure H, the server IP address is the VPN server, and this connection has been assigned an IP address from the pool.

Figure H: These are the details for our VPN connection.

On the VPN server, you can also view details about the connection by choosing RRAS Console | VPN Server Name | Remote Access Clients and then right-clicking on the connection. Just choose Status from the shortcut menu, and you’ll see the screen shown in Figure I.

Figure I: You can also view server details for our VPN connection.

It’s as easy as that

To provide a better level of security, you can enable remote access policies that, for instance, allow only L2TP/IPSec connections or specific authentication types. VPN services in this new operating system are flexible and can give your users secure remote access to the network to increase their productivity.

Troubleshoot Windows Server 2003 networking errors
Jul 10, 2003
By Scott Lowe, MCSE

Microsoft has worked so long at releasing Windows Server 2003 that you might be tempted to think that it’s gotten rid of all the problems associated with connecting it to a network. But, like it or not, you’re going to run into problems with networking in Windows Server 2003. You need a little knowledge up front about which errors you’ll most likely face and a strategy to overcome them. Here are some of the problems you’ll encounter.

Adding protocols

By default, Windows Server 2003 installs only TCP/IP. You have to add additional protocols such as IPX/SPX manually. Some applications still require these protocols. To install IPX/SPX on Windows Server 2003, select Start | Control Panel | Network Connections. Open the connection you want to work with by double-clicking it. For this article, I’ll be describing the Local Area Connection on my lab server.

On the Properties page for the connection, click the Install button. From the Select Component Type window, choose Protocol and click Add. From the list of available protocols, choose IPX/SPX Compatible Transport and click OK.

By default, IPX/SPX is configured to automatically detect the appropriate frame type. Also, the Windows server is assigned an internal network number of 00000000, which is perfectly adequate unless you plan to install Gateway Services for NetWare or File and Print Services for NetWare on the server, at which point it will need a unique IPX address.

If you’re having trouble with your server detecting the appropriate frame type, or if you use multiple frame types, you need to manually specify this information. Open the properties for the IPX/SPX transport and select the Manual Frame Type Detection radio button (see Figure A). Click the Add button to choose the appropriate frame type and to specify the network number for it.

Figure A: Choose a frame type for IPX/SPX.

If you’re unsure of the frame types in use on the network, use the config command at the NetWare server to see this information. On the Windows server, you can use ipxroute config to view this information. You’ll see a screen listing that looks similar to Listing A.

Diagnose replication problems

Windows Server 2003 networks rely on a properly working replication scheme for a number of services, including Active Directory and Distributed File System. When this system breaks down, services are not supplied properly. Troubleshooting these types of problems can be difficult. To aid in diagnosing the cause of replication problems, Microsoft has provided a utility called DNSLint, which is available for download. Run the downloaded executable to extract two files. One is the dnslint.exe executable, and the second is documentation.

Listing A

C:\WINNT\Profiles\Administrator>ipxroute Config

NWLink IPX Routing and Source Routing Control Program v2.00

Num  Name                    Network   Node          Frame
===========================================================
1.   IpxLoopbackAdapter      1234cdef  000000000002  [802.2]
2.   Local Area Connection   00000000  0003ff484f06  [802.2]
3.   NDISWANIPX              00000000  500120524153  [EthII]  -

Legend
=======
- down wan line

You can use DNSLint to troubleshoot three specific types of problems:

• Diagnose problems potentially causing a lame delegation situation. Lame delegation is a situation in which a DNS server has been made responsible for a particular domain but either doesn’t exist or is not the authoritative DNS server for that domain.
• Verify a specific set of DNS records on multiple DNS servers.
• Verify the DNS records specifically needed for Active Directory replication.

DNSLint produces an HTML report after it completes its tests. To use DNSLint to verify Active Directory DNS records on the local server, use the following command from a command prompt:

dnslint /ad /s localhost /v

Windows Server 2003 network adapter drivers not available

Quite a few times in various newsgroups, I’ve come across messages from people who have indicated that they haven’t been able to find Windows Server 2003 drivers for their particular network adapter. Quite a few interesting workarounds have been tried, including using drivers from Windows XP and, in one case, from Windows NT. While these are good short-term solutions, the appropriate long-term solution is to replace the NIC with one that has drivers for Windows Server 2003 available and preferably one that is on the Hardware Compatibility List. Using drivers from other versions of Windows can introduce instability to the system and even result in blue screen errors.

Network load balancing hardware problem

Network load balancing (NLB) can be a very useful tool for providing high availability and more reliable services to your users. However, some users who have enabled this feature under Windows Server 2003 have found that they are no longer able to ping the balanced adapters. This can result in the failure of monitoring systems, which rely on this information to determine whether the system is available.

To be able to ping load-balanced network adapters in Windows Server 2003, the adapters must support multipacket receive indications. Only a few adapters currently support this feature. To see if your NICs are supported under NLB, use the Chknic utility from the Windows Server 2003 Resource Kit. You can download the Resource Kit tools from Microsoft’s Web site. The following is sample output from this command on my lab server:

C:\WINNT\Profiles\Administrator>chknic
Device : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical address : 00-03-FF-48-4F-06
Device is supported by NLB

Keep up with hot fixes

Within two weeks of the Windows Server 2003 release, Microsoft started releasing hot fixes for it to correct specific networking problems. For example, on May 2, 2003, Microsoft released a hot fix (Knowledge Base Article 817689) to correct a problem in which disconnecting a network adapter from the network caused routing entries associated with that adapter to not be removed from the routing table.

A more serious related problem has also been corrected via hot fix. If you have two network adapters in a Windows Server 2003 system, and both are configured with static IP addresses and connected to the same network, on disconnecting and reconnecting the primary adapter, the secondary adapter also loses its connection. Because both adapters point to the same destination, when the primary is reconnected, its route is re-created, but the secondary one never is. This is corrected via a hot fix that you’ll find in Knowledge Base Article 817690.

As time goes on, the number of hot fixes will grow. Keeping up to date with them will help you keep your problems to a minimum.

Get your IP address without using the command line

When troubleshooting network problems, you often need to use the command-line tool ipconfig on Windows machines, especially for those machines that get their IP addresses from DHCP. You’ve probably used the commands ipconfig /release and ipconfig /renew more than once to release and renew DHCP addressing information. I’m also willing to bet that you’ve used ipconfig more than a few times to get networking information such as MAC address, system IP address, etc.

While these steps aren’t that difficult, if you’re troubleshooting a network problem, it’s more than likely that you’re already viewing the network connection from the GUI. Just do the DHCP release/renew there and also get DHCP information for the network adapter. On the adapter status screen, click the Support tab. As you can see in Figure B, this particular adapter is manually configured since this server is a domain controller.

Figure B: Network adapter status

Notice the Repair button at the lower left-hand corner of the window. This button will refresh the DHCP lease; clear the ARP, NetBIOS, and DNS caches; and reregister the adapter with WINS and DNS services.

Determine which process is using a port

Only a single program at a time is allowed to use a particular TCP port. There may come a time when you need to determine which program is using a particular port or which port a particular process is using. A new feature of the netstat command makes this easy in Windows Server 2003.

To get a list of the current TCP information on your server, issue the command netstat -o from your server’s command line. The -o parameter indicates that netstat should also display the process identifier (PID) associated with each connection. Locate the service in the netstat list for which you need more information and take note of the number in the PID column.

As an example, I want to determine what is using TCP port 1041 on my lab server. Issuing netstat -o yields the following partial results, shown in Listing B. Note that the process associated with port 1041 is PID 1320.

Listing B

Active Connections

  Proto  Local Address    Foreign Address         State          PID
  TCP    nt4-2:ldap       nt4-2.hlab.com:1041     ESTABLISHED    396
  TCP    nt4-2:ldap       nt4-2.hlab.com:1043     ESTABLISHED    396
  TCP    nt4-2:ldap       nt4-2.hlab.com:1046     ESTABLISHED    396
  TCP    nt4-2:ldap       nt4-2.hlab.com:1047     ESTABLISHED    396
  TCP    nt4-22:1041      nt4-22.hlab.com:ldap    ESTABLISHED    1320
  TCP    nt4-2:1043       nt4-2.hlab.com:ldap     ESTABLISHED    1320

Open Task Manager. By default, Task Manager doesn’t show the PID. To add this column, click View |  Select Columns, add the PID column, and click OK, as shown in Figure C.

Figure C: Add the PID column to the list.

Sort the Task Manager by PID by clicking on the PID column. In Figure D, you can see that PID 1320 is associated with ismserv.exe, which is the Intersite Messaging service.

Figure D: The Task Manager can help you track down troublesome services.

Slowly getting better

While it adds a lot of new and improved features, Windows Server 2003 is still confounding people at times. But Microsoft has made it easier to troubleshoot and diagnose some of these problems by adding new features and improving existing ones.
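The port-to-PID procedure above, done over captured text rather than by eye, as an added example that is not the article’s own code. It parses netstat -o output, resolves the service names netstat prints for well-known ports (the SERVICE_PORTS table is a constructed stand-in for the services file), and maps a PID to its image name from the output of tasklist /fo csv, the command-line counterpart of the Task Manager PID column the article uses. The netstat listing and tasklist output embedded below are constructed samples modelled on Listing B and Figure D.

```python
"""Find which process owns a TCP port from netstat -o output (added example; not from the article).

Parses the text netstat -o prints on Windows Server 2003 / XP, resolves the
service names netstat substitutes for well-known ports, and maps a port of
interest to its PID and image name.  Sample inputs are constructed, modelled
on the article's Listing B and Figure D (PID 1320 = ismserv.exe).
"""
import csv
import io
import re
from collections import defaultdict

# Constructed stand-in for %SystemRoot%\system32\drivers\etc\services, the file
# netstat consults when it prints a name such as "ldap" instead of a number.
SERVICE_PORTS = {"ldap": 389, "epmap": 135, "microsoft-ds": 445, "http": 80, "https": 443}

# Constructed sample in the layout of the article's Listing B.
SAMPLE_NETSTAT_O = """\
Active Connections

  Proto  Local Address          Foreign Address              State           PID
  TCP    nt4-2:ldap             nt4-2.hlab.com:1041          ESTABLISHED     396
  TCP    nt4-2:ldap             nt4-2.hlab.com:1043          ESTABLISHED     396
  TCP    nt4-2:1041             nt4-2.hlab.com:ldap          ESTABLISHED     1320
  TCP    nt4-2:1043             nt4-2.hlab.com:ldap          ESTABLISHED     1320
  TCP    nt4-2:epmap            nt4-2:0                      LISTENING       772
"""

# Constructed sample of `tasklist /fo csv` output (the article uses Task Manager instead).
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"lsass.exe","396","Console","0","5,120 K"
"svchost.exe","772","Console","0","3,200 K"
"ismserv.exe","1320","Console","0","2,048 K"
"""

# One TCP line: Proto, host:port, host:port, State, PID.  UDP lines have no State column.
TCP_LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$")


def port_number(token):
    """netstat prints either a number or a service name; normalise to a number."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; add it to SERVICE_PORTS")


def parse_netstat_o(text):
    """Return one dict per TCP connection line; banner, header, blank and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE_RE.match(line)
        if not m:
            continue
        lhost, lport, fhost, fport, state, pid = m.groups()
        conns.append({
            "local_host": lhost, "local_port": port_number(lport),
            "foreign_host": fhost, "foreign_port": port_number(fport),
            "state": state, "pid": int(pid),
        })
    return conns


def pids_on_local_port(conns, port):
    """All PIDs with a socket bound to the given local port."""
    return {c["pid"] for c in conns if c["local_port"] == port}


def local_ports_by_pid(conns):
    """Inverse view: which local ports each process holds."""
    out = defaultdict(set)
    for c in conns:
        out[c["pid"]].add(c["local_port"])
    return dict(out)


def image_for_pid(pid, tasklist_csv):
    """Resolve a PID to its image name from `tasklist /fo csv` output; None if the PID is gone."""
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if int(row["PID"]) == pid:
            return row["Image Name"]
    return None


def who_owns_port(port, netstat_text=SAMPLE_NETSTAT_O, tasklist_csv=SAMPLE_TASKLIST_CSV):
    """The article's procedure in one call: local port -> {pid: image name}."""
    conns = parse_netstat_o(netstat_text)
    return {pid: image_for_pid(pid, tasklist_csv) for pid in pids_on_local_port(conns, port)}


if __name__ == "__main__":
    print(who_owns_port(1041))   # {1320: 'ismserv.exe'}
```

Feed the function real output (for example, redirect netstat -o and tasklist /fo csv to files and read them in) and it answers the same question the Task Manager steps answer, with the added benefit that the port-to-process mapping can be saved and compared against a later capture.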

How to fine-tune Windows Server 2003 network connections
Jul 17, 2003
By Scott Lowe, MCSE

Windows Server 2003 is Microsoft’s newest and fastest operating system. If you’ve decided to deploy Windows Server 2003, you’ve probably also decided to put it on the biggest, fastest server your budget can afford. However, just because the software is fast and you’ve got a lot of hardware behind it, that’s no reason to neglect the basics of network administration tuning. You can make Windows Server 2003 more efficient by making sure that the proper networking components are all installed and configured for optimal performance. Here are some areas where you might be able to improve the networking connections on your Windows Server 2003 system.

DANGER! DANGER! DANGER!
This article suggests making changes to your server’s registry. Make sure you have a complete backup of your server before performing any technique in this article. If you make a mistake when making changes to your server’s registry, you may cause your server to be unbootable, requiring a reinstallation of Windows. Proceed with extreme caution.

Getting rid of the nonessentials

One way to improve networking speed in Windows Server 2003 is to make sure you’re running only what you absolutely need to run to support networking services. For example, are you running a DNS server on a system on which it is essential that other networking services be as highly responsive as possible? Consider moving the DNS component to a different server to free up that valuable bandwidth and to release the server from these particular duties. Take some time to plan what you want the server to do, and make sure that it isn’t doing anything else. Buy additional servers if you have to in order to increase performance.

Likewise, make sure that other unnecessary networking components have not been installed. For example, do you have a NetWare server on your network? If not, don’t install the Client Services for NetWare on your Windows 2003 system. You can verify which components are installed on a particular connection by choosing Start | Control Panel | Network Connections and then choosing the network connection you wish to view. On the status screen for the connection, click the Properties button to see a list of the components installed. Remove any that are not needed.

Make sure network errors aren’t a problem

Not all performance tweaks can be performed at the server. Often, such tweaks, and network problems in general, are the result of problems on the physical network itself and not the server. Ensuring there are no errors on the physical network may be the best way to begin improving server networking performance.

By default, Windows will report only the total bytes sent and received on the network medium. However, by adding a key to the registry, you can allow Windows to report error statistics on the status page for any network connection. To add this status information, you’ll have to make a trip to the server’s registry. Run regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\Connections.

Create a new key called StatMon by choosing Edit | New Key. (Skip this step if the key already exists.) In the new key, create a DWORD value called ShowLanErrors. To do so, choose Edit | New | DWORD value. The possible data for this value is either 0 (disabled) or 1 (enabled). Give it a value of 1.

Administrator's Guide to TCP/IP, Second Edition

Now, open up the status for one of your network connections. Under the Activity box, you'll see text that wasn't there before. Hopefully, the numbers indicate 0 errors on your network. In Figure A, you can see that some of the error information is covered by the buttons on the status window. If these numbers are not 0, it's time to break out the network troubleshooting skill set. Start with a different patch cable and then follow the appropriate steps until the problem is resolved. These types of problems are beyond the scope of this article.

Figure A: The network status window displays error statistics.

Use the right drivers
If your network adapter manufacturer has not yet released drivers for its hardware certified for Windows Server 2003, you won't be able to use the native drivers. In these instances, you can attempt to make use of the Windows XP or Windows 2000 drivers instead. However, be aware that using inappropriate drivers can introduce instability into the system and may not achieve an optimal level of performance.

Even if you're using Windows Server 2003 drivers, be sure to keep up with the latest driver releases. If you keep up to date on the drivers for the network card for your server, you can gain efficiency in the networking component of Windows.

Make sure that protocol bindings and providers are optimally configured
Like all previous versions of Windows, the order in which protocols are bound to the network adapters can make a difference in how the network performs. For example, if your primary network connections are TCP/IP-based, but you have IPX/SPX bound to the network adapter before TCP/IP, you can realize an instant overall performance increase by modifying this order. Even better, you can modify the bindings on a per-network-adapter basis, allowing a great deal of granularity in optimizing your network connection.

To modify the order in which communications protocols are bound to the network adapters, open Start | Control Panel | Network Connections. From the menu bar, choose Advanced | Advanced Settings. In this window, make sure that you're on the Adapters And Bindings tab, and choose the network adapter for which you'd like to view or modify the binding order. In the area of the window marked Bindings For followed by the connection's name, choose the primary protocol for each service, and use the up and down arrows at the right-hand side of the screen to modify the order.

Figure B: The protocol bindings for the Local Area Connection.

Likewise, you can reorder the network adapters themselves by choosing an adapter and moving it up and down the list with the up and down arrows. (See Figure B.)

In addition to modifying the binding order to better match your business network traffic, you can also specify the order for each of the provider services, such as Terminal Services and Windows Network services. If you aren't running Terminal Services, move it to the end of the list. You can modify provider order from the same location as protocol binding order. Simply click on the Provider Order tab, shown in Figure C, and make the appropriate changes.

Figure C: You can modify provider order for this server.

If you don't need a particular protocol for some reason, don't install it. For example, if there are no NetWare servers on your network, there's no reason to have IPX/SPX installed on your server. By having more than one protocol running on your network, you're doubling, tripling, or quadrupling the amount of broadcast and announcement traffic the server must put out. For example, if you're running both IPX and TCP/IP on your server, the server will send the same browser announcements in two different packets, one IPX and one TCP/IP. Therefore, you should delete unnecessary protocols. To do so, select the unnecessary protocol in the Local Area Connection Properties screen and click Uninstall. In a matter of seconds, the useless protocol will be gone, along with the overhead it imposed.

Get rid of NetBIOS over TCP/IP if you can
In a networking environment where all of the clients are running at least Windows 2000 and using DNS or HOSTS files for all name-resolution chores, you can consider disabling NetBIOS over TCP/IP. However, be careful with this option. A lot of services depend on it, and careful analysis and testing should be performed before taking this step. The considerations include:

- Does the server act in a WINS capacity in any way, as either a server or a client? If so, NetBIOS over TCP/IP is a required component.
- With NetBIOS over TCP/IP disabled at the server, the Client for Microsoft Networks and File and Printer Sharing only work with other machines that can carry SMB directly over TCP port 445 (Windows 2000 and later). Older clients reach file shares only through NetBIOS over TCP/IP and will no longer be able to connect.
- If you're running any version of Windows prior to Windows 2000 on your network, disabling NetBIOS over TCP/IP is not recommended.

With all that said, if you're able to safely disable NetBIOS over TCP/IP, take the following steps to do so. Choose Start | Control Panel | Network Connections and open the connection you want to change. On the status screen, click the Properties button. Choose Internet Protocol (TCP/IP) from the Items list and open up its properties. On the TCP/IP properties window, click the Advanced button and choose the WINS tab. Under the section marked NetBIOS Setting, select the option labeled Disable NetBIOS Over TCP/IP and click the OK button until you're back at the desktop.

I can't stress enough how important it is to carefully test this suggestion before implementing it in a production environment. In certain newsgroups, users have indicated that they have attempted to do this, but ran into problems even though they met all of the requirements. "In the end," one user wrote, "I re-enabled NetBIOS over TCP/IP and my problems magically disappeared." Since this is an article on doing everything you can to get more performance out of your network connections in Windows Server 2003, I thought it was important to include this tip.

Be careful setting up Lmhosts
With Lmhosts' long history built on NetBIOS, many network administrators are still maintaining an Lmhosts file to facilitate the location of network resources. To keep this file efficient, take the following steps:

- Since the file is processed sequentially on every lookup that misses the name cache, place the frequently used entries near the top.
- Automatically add names from Lmhosts to the local name cache at startup by adding the #PRE keyword after the address and name on that line. Entries tagged this way are served from the cache and never scanned, so put them at the end of the file, after the entries that must be searched.
- If you add a new entry to the Lmhosts file with the #PRE keyword, load it into the local cache immediately with the nbtstat -R command at the command line, which purges the cache and reloads the #PRE entries.

New doesn't always mean fast
Windows Server 2003 includes a great number of enhancements to the networking subsystem, including large TCP windows, IGMP version 3, IPv6, and selective acknowledgements, among other things. What this means is that, out of the box, Windows Server 2003 will require less tuning than previous versions. However, by following the steps above, you can improve the networking component in this newest operating system.
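The three Lmhosts rules above (sequential scan, #PRE preloading, nbtstat -R reload) are easier to reason about when you can watch the lookup cost. The following is an added example, not code from the article: a small simulation of how the NetBT resolver consumes an LMHOSTS file. The file content, host names and addresses in it are constructed for the example and do not refer to any real network.

```python
"""Simulation of how the NetBT name resolver consumes an LMHOSTS file.

Added example (not code from the article). It models the behaviour the text
describes: the file is scanned top to bottom on a cache miss, #PRE entries are
preloaded into the NetBIOS name cache at start-up, and `nbtstat -R` purges and
reloads the cache from the file. The file content below is constructed for the
example; the host names and addresses are invented.
"""
from __future__ import annotations

SAMPLE_LMHOSTS = """\
# constructed example LMHOSTS file (not a real one)
192.168.10.5    FILESRV1      #PRE  #DOM:CORP
192.168.10.6    PRINTSRV1
192.168.10.7    SQLSRV1       #PRE
# 192.168.10.8  OLDBOX        (commented out, ignored)
192.168.20.9    BRANCHFS
"""


def parse_lmhosts(text: str) -> list[tuple[str, str, bool]]:
    """Return (NAME, ip, preloaded) tuples in file order.

    NetBIOS names are case-insensitive, so names are upper-cased. A line whose
    first character is '#' is a comment; keywords such as #PRE or #DOM:<domain>
    only count when they trail an address/name pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: skipped rather than fatal, as the resolver does
        ip, name = fields[0], fields[1].upper()
        keywords = {f.upper() for f in fields[2:] if f.startswith("#")}
        entries.append((name, ip, "#PRE" in keywords))
    return entries


class NetbtNameCache:
    """NetBIOS name cache with a sequential LMHOSTS scan as the fallback."""

    def __init__(self, lmhosts_text: str) -> None:
        self.lmhosts_text = lmhosts_text
        self.cache: dict[str, str] = {}
        self.reload()

    def reload(self) -> int:
        """Purge the cache and preload the #PRE entries (what `nbtstat -R` does).
        Returns the number of names now in the cache."""
        self.cache.clear()
        for name, ip, pre in parse_lmhosts(self.lmhosts_text):
            if pre:
                self.cache[name] = ip
        return len(self.cache)

    def lookup(self, name: str) -> tuple[str | None, int]:
        """Resolve NAME. Returns (ip or None, number of file entries scanned).

        A cache hit costs no scan at all; a miss walks the file from the top and
        stops at the first match, so entries near the top are cheaper to find
        and an unknown name costs a full pass over the file.
        """
        name = name.upper()
        if name in self.cache:
            return self.cache[name], 0
        scanned = 0
        for entry_name, ip, _pre in parse_lmhosts(self.lmhosts_text):
            scanned += 1
            if entry_name == name:
                return ip, scanned
        return None, scanned


def optimized_order(text: str) -> list[str]:
    """Entry names in the order that keeps scans short: non-#PRE entries first
    (keep the most-used ones nearest the top), #PRE entries last, because they
    are answered from the cache and never need to be scanned."""
    entries = parse_lmhosts(text)
    return [n for n, _, pre in entries if not pre] + [n for n, _, pre in entries if pre]
```

Running `NetbtNameCache(SAMPLE_LMHOSTS).lookup("branchfs")` walks all four entries, while the two #PRE names cost nothing; appending a new #PRE line to `lmhosts_text` has no effect on the cache until `reload()` is called, which is exactly why the article tells you to run nbtstat -R after editing the file.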

How to configure Windows XP client VPN connections
Apr 25, 2002
By TechRepublic Staff

VPNs have caught on quickly with small and medium-size businesses, primarily for three reasons:

1. VPNs permit employees to connect to office resources from home or other locations using common hardware.
2. VPNs provide secure connections.
3. The cost to set up and maintain a VPN is low compared to other networking connection solutions.

In this article, we'll describe the process of setting up a VPN client connection within the Windows XP operating system.

If you're configuring laptops for remote VPN connections via DSL modem, LAN, or WAN connectivity, navigate through Start | Control Panel | Network And Internet Connections and click the Set Up Or Change Your Internet Connection link. Once the Internet Properties window opens (Figure A), click the Setup button, which will open the New Connection Wizard. In the wizard, you'll find four selections (instead of the five in Windows 2000 Professional). The connection type you'll select is Connect To The Network At My Workplace. Then, the next window will ask you to specify the type of connection you're creating. Select the Virtual Private Network Connection option and click Next. The next two screens will ask for the company name and the host name or IP address of the VPN server. Once you've clicked through these screens, you'll be greeted with the final screen, which will ask if you'd like to add a shortcut to this connection to the desktop. If you want a VPN icon, click Yes; choose No if you don't. Click Finish.

Figure A: You can configure a variety of settings for dial-up and VPN connections.
Figure B: Supply your networking User Name and Password for authentication purposes.

DIAL-UP
If you're connecting via dial-up, there are only two differences. In the New Connection Wizard, under the Network Connection screen, you'll select Dial-up Connection instead of Virtual Private Network Connection, and you'll enter a phone number instead of an IP address.

If you need to change the telephone number or other settings associated with the VPN connection, you can do so easily through the Properties window (see Figure A).

Connecting to the VPN
To connect, double-click the shortcut, if you chose to create one, or select the connection by clicking Start | Connect To and selecting the name of the connection you created. Supply your User Name and Password for the network you wish to access (see Figure B) and you'll be ready to start enjoying the benefits of secure, remote access.

If you want to edit the settings for the connection, you can do so from the connection's Properties window. You can modify Dialing and Redialing options, Security options (the default Typical setting requires a secured password and data encryption, and the Networking tab is where you choose between PPTP and L2TP/IPSec), TCP/IP, and Advanced options, such as the Internet Connection Firewall and Internet Connection Sharing (NAT). Several other options can be configured on the tabs of the Internet Properties window, including:

- Changing security settings of individual components.
- Selecting privacy settings for Internet zones.
- Configuring a proxy server.
- Associating programs with a specific service.

XP makes VPN a cinch
Windows XP includes VPN functionality that is more robust and clearer than in previous versions of Windows. Given that more and more companies are turning to VPNs for security reasons, you need to understand how to configure this networking option.

Create custom IPSec configurations for Windows XP
Mar 19, 2003
By Debra Littlejohn Shinder, MCSE

Like any security mechanism, Internet Protocol Security or IPSec is imperfect. There are ways that hackers can defeat its protections in certain situations, for example, by using replay attacks (in which network communications are recorded and then replayed to "fool" the receiving computer), man-in-the-middle attacks, source routing exploits (in transport mode), and IP session hijacking (when you use IPSec without integrity protection, that is, neither an Authentication Header nor ESP authentication). To help you overcome these threats, I will show you how to configure your Windows XP client computers to use IPSec when communicating with IPSec-enabled servers. You will learn how to set up basic IPSec connections, how to select the appropriate IPSec policy to be applied, and how to create and assign custom policies if none of the predefined policies included in XP meets your needs.

TIPS
Microsoft allows you to set key lifetimes; that is, you can force new keys to be generated after a specific number of seconds or kilobytes. This makes the communication more secure because several different keys are used over the course of the transmission. Even if a hacker manages to crack one key, he'll only have part of the message.

You can also manage IPSec policies on a remote computer by creating an IPSec MMC and selecting Another Computer, and then browsing for the name of the computer whose policies you want to manage.

Microsoft default IPSec implementation
Microsoft has taken steps to make its implementation of IPSec as secure as possible, including use of short-term session keys that expire quickly. The XP IPSec implementation prevents man-in-the-middle attacks by authenticating identities after the Diffie-Hellman key exchange. A feature called Perfect Forward Secrecy (PFS) ensures that the keying material from one exchange is never reused to derive later keys, so the compromise of one key does not expose the keys that came before or after it. In addition, following recommended best practices can ameliorate many of IPSec's vulnerabilities.

Configuring the Windows XP client to use IPSec
To configure a Windows XP client computer to use IPSec at the local level, you must be a member of the Administrators group. First, ensure that the IPSec Services service is started on the computer. In the Computer Management console (right-click My Computer and select Manage), expand the Services And Applications node and click Services. In the right pane, the status of IPSec Services should be Started, as shown in Figure A. If the service is not started, double-click its name and click the Start button on the General tab, shown in Figure B.

Figure A: To use IPSec, the IPSec Services service must be started.

Next, you must assign an IPSec policy. To assign a policy locally, first create a new MMC by typing mmc in the Run box (Start | Run), and adding the IP Security Policy Management snap-in (select Add/Remove Snap-in from the File menu). In the Select Computer or Domain dialog box, ensure that the Local Computer option is selected and click the Finish button. This will create the IPSec console shown in Figure C.

By default, there is no IPSec policy assigned. To assign one of the three predefined policies (listed in the right console pane when you click IP Security Policies On Local Computer in the left pane), right-click the policy you want to assign (for example, Client) and select Assign from the context menu. Under the Policy Assigned field, a "Yes" will appear.

Editing or creating IPSec policies
Usually, one of the predefined policies will meet your needs, but you can edit one of the policies to customize it if you like. To do so, double-click the policy you want to edit. You can edit the key exchange settings by clicking the Advanced button on the General tab. This will display the Key Exchange Settings dialog box shown in Figure D. Here you can select to use PFS for the master key, change the interval at which new keys are authenticated and generated (in minutes or after a specified number of sessions), and select the security methods (DES or 3DES encryption algorithm, SHA1 or MD5 hashing algorithm for integrity, and Diffie-Hellman group 1 or 2). Of these, 3DES, SHA1 and Diffie-Hellman group 2 are the stronger choices; DES and MD5 are considered weak and should be selected only when a peer supports nothing better.

Using the Rules tab, you can add or edit IPSec rules. The Create IP Security Rule Wizard makes this easy. On the first page of the Wizard, you'll be asked whether to specify a tunnel endpoint (and the IP address of the endpoint if you elect to use tunneling), as shown in Figure E.

The next page of the Wizard lets you choose the network type(s) to which the rule must be applied: LAN, remote access, or (the default) all network connections. Next, you can choose the initial authentication method. The default is Active Directory (Kerberos v5). However, Kerberos can only be used if the computer is a member of a domain. If it's not,

Figure B: You can start the IPSec Services service via the General tab on its properties sheet.
Figure C: You can assign an IPSec policy via the IP Security Policy Management MMC.
Figure D: You can edit the key exchange settings of any of the predefined policies.

you'll need to select another method. Alternatively, you can choose to use a certificate (you'll have to specify the issuing certification authority) or a preshared key (in which case you must enter the character string that makes up the key). Note that a preshared key is stored in the policy in clear text, readable by anyone who can view the policy, so it is suitable for testing rather than for production use.

The next page of the Wizard prompts you to select an IP filter list for the type of IP traffic to which the rule will apply. You can select to apply the rule to all ICMP traffic, all IP traffic, or add a custom list (this selection brings up another Wizard within the Wizard: the IP Filter Wizard). Next, you select a filter action. The default actions are:

- Permit unsecured IP packets
- Request security (optional)
- Require security

This completes the Wizard, and when you click Finish, your new rule will appear in the IP Security rules list on the Rules tab of the policy's properties sheet, as shown in Figure F. You can check or uncheck it to specify whether it is to be used.

Figure E: The Security Rule Wizard begins by asking if you want to specify a tunnel endpoint.
Figure F: When you complete the Security Rule Wizard, your new rule appears on the Rules tab.

Editing an existing policy will usually suffice, but if you want to create an entirely new policy from scratch, you can do so by selecting Create IP Security Policy from the Action menu of the IP Security Policy Management console. As you might have guessed, this invokes the IP Security Policy Wizard. This Wizard starts by asking for a name and description for your new policy, then asks you to specify how the policy will respond to requests for secure communications from other computers. If you elect to use the default response rule, you'll be asked to set an initial authentication method for it (Kerberos, certificate, or preshared key). This completes the Wizard, and the new policy appears in the list of policies in the right pane of the console, along with the three predefined policies. It can now be edited or assigned.

The IPSec console also provides ways for you to manage the IP filter lists and actions, restore the default policies if you've changed them, and import and export policies (save them to a file).

Recommendations for IPSec best practices
IPSec is simple in concept, but complex in implementation. Microsoft recommends that before applying IPSec policies, you develop an IPSec plan (as part of your overall security plan). The first step is to evaluate how your sensitive information routes through the network and which computers have access to it. Specifically:

- Determine the level of IPSec security you need. That is, decide whether you need to secure all traffic between all computers, or only the traffic to/from specific computers (or maybe only traffic to/from specific ports or using specific protocols). Decide whether to secure LAN traffic only, remote access traffic only, or both.
- Determine the type of IPSec security you need. This means deciding whether you need authentication, integrity, confidentiality, or a combination of these.
- Determine the level at which IPSec policies will be applied and managed: site, domain, OU, or locally.
- Determine the encryption strength needed, whether DES will do, or whether you need the stronger 3DES. Decide what hashing algorithms to use.

Test policies before deployment
Now you can create an IPSec deployment plan and create policies based on your evaluation. Be sure to test the policies before putting them to work in a production environment. Be aware that incorrect (or overzealous) application of policies may result in an inability for computers to communicate. You should use a packet sniffer (protocol analysis software) to ascertain whether the data in transit is being successfully encrypted: between the hosts in question you should see ESP (IP protocol 50) rather than cleartext TCP or UDP.

The complete Windows 2000 client TCP/IP configuration guide
Nov 5, 2001
By Dr. Thomas Shinder, MCSE

We take it for granted that our network uses the TCP/IP protocol for network communications. While it might seem like second nature to use TCP/IP now, it wasn't always this way. It's only in the last few years that TCP/IP has reached a position as the premier networking protocol. The primary reason TCP/IP wasn't used more often was that it's not easy to set up and configure. Unlike other protocols, such as NetBEUI and IPX/SPX, you can't just install TCP/IP and let 'er rip! To design a TCP/IP network, you must have a good understanding of the protocols and how to configure them.

In this article, I'll take a look at the Windows 2000 Professional TCP/IP configuration options. While basic TCP/IP configuration might seem easy, there are many options that are less than intuitive. It's these options that can make or break your TCP/IP network client configuration. I'll cover the following topics:

- Configuring services on the local interface
- Configuring basic TCP/IP properties
- Configuring advanced TCP/IP properties

After you finish this article, you'll never be mystified by TCP/IP client-side configuration again.

Configuring services on the local interface
To begin configuring the Windows 2000 TCP/IP client configuration, right-click the My Network Places object on the desktop and click Properties. In the Network And Dial-up Connections dialog box, right-click Local Area Connection and then click Properties. You'll see the screen shown in Figure A.

In the Components Checked Are Used By This Connection frame is a list of network services bound to the interface. Remember that these networking components are bound to all IP addresses on this interface. There is no way via the GUI to bind components selectively to a particular address bound to the interface. If an interface faces an untrusted network, clear the check box for File and Printer Sharing on that connection rather than expecting address-level control.

Figure A: The General tab allows you to configure the network interface card (NIC) and TCP/IP components for this interface.
Figure B: The default is Windows Locator. You should not change this unless you are participating in a DCE Cell Directory Services environment.
Figure C: Memory allocated to the server service is manipulated by selecting these options.

By default, the following components are included on a Windows 2000 Professional machine:

- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- Internet Protocol (TCP/IP)

Selecting a component and clicking the Properties button will allow you to configure it.

Client for Microsoft Networks
The Client for Microsoft Networks component performs a number of duties; its main job is acting as the CIFS redirector. The redirector allows the machine to be a Common Internet File System (CIFS)/Server Message Block (SMB) client. Windows uses CIFS as its file-sharing protocol. When you select the Client For Microsoft Networks option and click Properties, you see the screen shown in Figure B. You can choose either the Windows Locator or DCE Cell Directory Service as the RPC name service provider.

File and Printer Sharing for Microsoft Networks
The File and Printer Sharing for Microsoft Networks component is the Windows CIFS

Server service. You must have the server service enabled to share printers, files, and folders. The server service is implemented as a file system driver that accepts requests from the client-side redirectors. On Windows 2000 Professional computers, this feature is not configurable. However, when you click on the File And Printer Sharing For Microsoft Networks component and click Properties on a Windows 2000 Server, you will see the screen shown in Figure C.

Configuring the NIC properties
Click the Configure button on the Local Area Connection Properties dialog box's General tab to configure the NIC. When you click this button and then click the Advanced tab, you'll see a screen like the one shown in Figure D. The configuration options for each NIC vary with the type and manufacturer of the interface.

Figure D: Be sure you keep your NIC documentation available so that you can decipher the configuration options on the Advanced tab!

Configuring basic TCP/IP properties
To configure TCP/IP properties, select Internet Protocol (TCP/IP) (see Figure A) and click the Properties button. You will see the screen shown in Figure E. These options are available in the top frame:

- Obtain An IP Address Automatically
- Use The Following IP Address

The Obtain An IP Address Automatically option makes the machine a DHCP client. If there is a DHCP server available, the client will be able to obtain and use IP addressing information provided by the DHCP server without needing to reboot. The Use The Following IP Address option allows you to manually configure the IP Address, Subnet Mask, and Default Gateway. The first two entries are required.

These options are available in the lower frame:

- Obtain DNS Server Address Automatically
- Use The Following DNS Server Addresses

The Obtain DNS Server Address Automatically option allows the machine to obtain its DNS server address from a DHCP server. You can manually configure the DNS server address by selecting Use The Following DNS Server Addresses. The Preferred DNS Server address is used first to perform host name queries. If the Preferred DNS Server is not available, then the Alternate DNS Server is tried.

Configuring advanced TCP/IP properties
Click the Advanced button to access the advanced TCP/IP properties. The IP Settings tab appears first, as seen in Figure F. In the IP Addresses frame, you can bind additional IP addresses to the physical interface. The IP address at the top of the binding order is the Primary IP address for the interface. You can add as many IP addresses as you need because there are no hard-coded limits.

The Default Gateways frame allows you to add additional default gateways. Each gateway includes an address and a metric. The metric is a way to assign preference to a particular gateway: the gateway with the lowest metric is used. If dead gateway detection is enabled, the client will be able to detect that a gateway is down and will move down the list of gateways.

Advanced DNS client settings
When you click on the DNS tab, you'll see the screen shown in Figure G. In the DNS Server Addresses, In Order Of Use

Figure E: The Default Gateway is only required on a routed network and then only if you want the client to contact machines on remote network IDs.
Figure F: When a packet is destined for a remote network, it will be sent to the gateway with the lowest metric.

frame, you can add DNS servers to query in the event that the Preferred and first Alternate DNS servers become unavailable. After adding more DNS servers, you can change the DNS server search order by selecting the IP address of the DNS server and clicking either the up or down arrow just to the right of the DNS server addresses.

WHEN ALTERNATE DNS SERVERS ARE SEARCHED
DNS servers are searched based on their position on the DNS server search list. As soon as a DNS server returns a positive or negative answer, no other servers on the list are searched. This means that if the server at the top of the DNS server search list is available but not able to resolve the name, the alternate DNS servers are not searched. The list therefore provides fault tolerance, not a way to split name resolution between servers that hold different zones: every server on it should be able to answer the same queries.

There are two options below the DNS addresses that control how DNS queries are formulated for unqualified requests before they are sent to the DNS server:

- Append Primary And Connection Specific DNS Suffixes
- Append These DNS Suffixes (In Order)

The first option will append the machine's primary and connection-specific suffixes to the DNS query. You can find the primary DNS suffix, shown in Figure H, by opening the System applet in the Control Panel and clicking on the Properties button located under the Network Identification tab. The primary DNS suffix is the portion of the name listed under Full Computer Name that follows the portion listed under Computer Name.

For example, suppose you typed the URL http://fileserver1. This is an unqualified request because there is only a single label in the request. A Fully Qualified Domain Name (FQDN) must be sent to the DNS server, so in this case, the tacteam.net domain name will be appended to the query. The client-side resolver will send a query for fileserver1.tacteam.net.

You can use a custom DNS suffix to be added to unqualified queries by typing in the name in the DNS Suffix For This Connection text box (Figure G). If the query with the primary DNS suffix does not return a positive response, the client-side resolver will send a query with the connection-specific DNS suffix. This option is useful if you are using WINS Referral Zones.

Enabling the Append Parent Suffixes Of The Primary DNS Suffix check box allows the DNS client-side resolver to send multiple queries by devolving the primary DNS suffix. For example, if your primary DNS suffix were dev.tacteam.net, the resolver would first append the dev.tacteam.net suffix to an unqualified request. If that request returned a negative response, the resolver would formulate a second query using tacteam.net for the DNS suffix. Note that the resolver will not devolve the request past the second-level domain.

The second option, Append These DNS Suffixes (In Order), allows you to fine-tune the DNS suffix search order for unqualified requests. This is often useful if you have created a WINS Referral Zone that is responsible for resolving DNS queries by sending them to a WINS server. Rather than using the primary and connection-specific DNS suffixes, you can add a custom list of suffixes that will be tried, in order, for unqualified requests.

Put a check mark in the check box for Register This Connection's Addresses In DNS to have the Host (A) record information for this connection entered into a Dynamic DNS server (DDNS). Note that it is a good idea to remove this check mark when you have a multihomed server that has one interface connected directly to the Internet; otherwise both addresses are registered under the same name, and clients may be handed the address of the interface they cannot reach.

The Use This Connection's DNS Suffix In DNS Registration option allows you to register the custom DNS Suffix For This Connection. The connection's name is registered under that suffix in addition to the primary DNS suffix, which is appended to the computer name.

THE LMHOSTS FILE DOES NOT HAVE A FILE EXTENSION
When editing the LMHOSTS file, make sure that you do not save the file with an extension. For example, if you create an LMHOSTS file in Notepad, the default is to save the file with the .txt file extension. To prevent an application from saving the file with an extension, enclose the file name in quotes in the Save As dialog. This will save the file with the name exactly as you have typed it.
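The suffix rules above (primary suffix, connection-specific suffix, devolution to the second-level domain, or a custom suffix list) and the sidebar's rule that the first answering server ends the search are easy to get wrong in practice, and the combination explains most "it resolves from one machine but not another" tickets. The following is an added example, not code from the article: a simulation of both behaviours. The suffixes follow the article's tacteam.net examples; the server contents are constructed. One assumption is labelled in the code: the connection-specific suffix is tried before the devolved parents of the primary suffix, which is the order the article describes.

```python
"""How the Windows 2000 DNS client resolves an unqualified name.

Added example, not code from the article. It models (1) the list of fully
qualified names the resolver tries for a single-label name: primary suffix,
then the connection-specific suffix, then the devolved parents of the primary
suffix stopping at the second-level domain, or a custom suffix list when
"Append These DNS Suffixes (In Order)" is selected; and (2) the server-search
rule from the sidebar: servers are tried in list order and the first one that
answers at all, positively or negatively, ends the search for that name; only
an unreachable server causes the next one to be tried.
Assumption: the connection-specific suffix is tried before the devolved parents.
The server contents below are constructed for the example.
"""
from __future__ import annotations

from typing import Callable, Iterable, Optional

Answer = Optional[bool]            # True: positive, False: negative, None: no reply
DnsServer = Callable[[str], Answer]


def devolve(suffix: str) -> list[str]:
    """'dev.tacteam.net' -> ['dev.tacteam.net', 'tacteam.net']; never below two labels."""
    labels = suffix.strip(".").split(".")
    if len(labels) < 2:
        return [suffix]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def candidate_fqdns(name: str, primary_suffix: str, connection_suffix: str = "",
                    append_parent_suffixes: bool = True,
                    custom_suffix_list: Optional[list[str]] = None) -> list[str]:
    """Return the FQDNs the resolver would query, in order, for NAME."""
    if name.endswith("."):
        return [name.rstrip(".")]      # already fully qualified: sent as-is
    if "." in name:
        return [name]                  # multi-label name: sent as-is (simplification)
    if custom_suffix_list is not None:  # "Append These DNS Suffixes (In Order)"
        suffixes = list(custom_suffix_list)
    else:                              # "Append Primary And Connection Specific DNS Suffixes"
        suffixes = [primary_suffix, connection_suffix]
        if append_parent_suffixes:     # "Append Parent Suffixes Of The Primary DNS Suffix"
            suffixes += devolve(primary_suffix)[1:]
    ordered: list[str] = []
    for s in suffixes:
        if s and s not in ordered:
            ordered.append(s)
    return [f"{name}.{s}" for s in ordered]


def resolve(fqdns: Iterable[str], servers: list[tuple[str, DnsServer]]
            ) -> tuple[Optional[str], list[str]]:
    """Query each candidate against the server list in order.

    Returns (the first FQDN that resolved positively, or None) and a trace of
    every query sent, as "server:fqdn:pos|neg|timeout".
    """
    trace: list[str] = []
    for fqdn in fqdns:
        for label, server in servers:
            answer = server(fqdn)
            verdict = "pos" if answer else ("neg" if answer is False else "timeout")
            trace.append(f"{label}:{fqdn}:{verdict}")
            if answer is None:
                continue               # unreachable: fall through to the alternate
            if answer:
                return fqdn, trace
            break                      # a negative answer ends the walk for this name
    return None, trace


def zone_server(known: set[str]) -> DnsServer:
    """A reachable server: positive for names it holds, negative for everything else."""
    return lambda fqdn: fqdn in known


def unreachable_server() -> DnsServer:
    return lambda fqdn: None


if __name__ == "__main__":
    names = candidate_fqdns("fileserver1", "dev.tacteam.net", "lab.tacteam.net")
    preferred = zone_server({"fileserver1.tacteam.net"})
    alternate = zone_server({"fileserver1.lab.tacteam.net"})
    print(resolve(names, [("preferred", preferred), ("alternate", alternate)]))
    print(resolve(names, [("preferred", unreachable_server()), ("alternate", alternate)]))
```

With the preferred server up, fileserver1.lab.tacteam.net is never found even though the alternate server holds it: the preferred server's negative answer ends the search for that name, and resolution only succeeds when devolution reaches fileserver1.tacteam.net. Take the preferred server down and the alternate answers for the lab suffix straight away, which is the behaviour the sidebar is warning about.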

Figure G: The DNS tab displays options to configure advanced DNS client settings.
Figure H: Identify the machine's primary DNS suffix, which, in this case, is tacteam.net.

FILTERING PING PACKETS
Ping requests and responses use ICMP, which is IP protocol number 1. If you entered a packet filter that permitted only IP protocols 6 (TCP) and 17 (UDP), ICMP messages (IP protocol 1) would still make it through the filter because TCP/IP Filtering does not support filtering ICMP messages. You must use the Windows 2000 RRAS service (or an IPSec policy with a Block filter action) to filter ICMP messages.

Figure I: The overwhelming majority of networks contain NetBIOS applications and services; therefore, you should leave NetBIOS enabled.

Advanced WINS client configuration
Click on the WINS tab and you will see the screen shown in Figure I. In the WINS Addresses, In Order Of Use frame, you add WINS server addresses to use for NetBIOS name resolution. You can enter up to 12 WINS servers. However, while additional WINS servers can provide fault tolerance for NetBIOS name resolution, they will also increase the total time it takes to get a negative response if all WINS servers are unable to resolve the request.

The Enable LMHOSTS Lookup option allows you to use a text file containing NetBIOS name/IP address mappings. This is the LMHOSTS file located in the system32\drivers\etc directory. If you already have an LMHOSTS file, you can click the Import LMHOSTS button to import the entries into the LMHOSTS file.

There are three options related to how NetBIOS is configured for the interface:

- Enable NetBIOS Over TCP/IP
- Disable NetBIOS Over TCP/IP
- Use NetBIOS Setting From The DHCP Server

NetBIOS over TCP/IP (NetBT) is a session layer interface included with the TCP/IP protocol stack that allows NetBIOS applications to resolve NetBIOS names to an IP address before sending the request down the protocol stack. If you have any legacy components on your network that require NetBIOS, you should use either the Enable NetBIOS Over TCP/IP or the Use NetBIOS Setting From The DHCP Server option.

Figure J: Use the Options tab of the Advanced TCP/IP Settings dialog box to access the IP Security and TCP/IP Filtering options.

Figure K: If you create custom IPSec policies, they will show up on this list.

Figure L: You can create similar packet filters for UDP ports.

Advanced TCP/IP options
Click the Options tab and you will see the screen shown in Figure J. There are two options:
• IP Security
• TCP/IP Filtering

The IP Security option allows you to configure IPSec policies on the interface. When you click on the IP Security option and click Properties, you’ll see the screen shown in Figure K. The default setting is to not apply IPSec policy to the interface. If you select the Use This IP Security Policy option and click the down arrow, the three built-in IPSec policies are made available.

When you click the TCP/IP Filtering option and click Properties, you will see the screen shown in Figure L. When you put a check mark in the check box for Enable TCP/IP Filtering (All Adapters), you make TCP/IP filtering available for all adapters on the machine. Note that this does not imply that all adapters in the machine have the same settings.

TCP/IP filters allow you to configure packet filtering on the local interface. You can filter by TCP and UDP ports. You can also filter by IP protocol number. In this example, the filter allows only TCP packets destined for ports 21, 25, 53, and 80 through the network interface. All other packets will be dropped. The IP protocol filters allow you to type in the number of the IP protocol. For example, if you wish to allow only Generic Routing Encapsulation (GRE) protocol packets through the interface, you could add a packet filter for IP protocol 47.

Conclusion
In this article, I covered all the client-side TCP/IP configuration parameters. I identified the three main networking components on a Windows 2000 client and broke each down to explain their main functions and attributes. I focused heavily on the TCP/IP properties since this is often the most confusing area for anyone new to networking. Armed with this knowledge, you will be able to manually configure and troubleshoot any Windows 2000 Professional computer’s IP parameters.
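As an added illustration of the TCP/IP Filtering options just described (example code written for this edition, not from the book), the following model evaluates sample packets against the article’s example filter and makes the sidebar’s ICMP caveat visible. It assumes a simplified model in which the TCP-port, UDP-port and IP-protocol permit lists are evaluated independently; the sample packets are constructed.

```python
"""Model of the Windows 2000 TCP/IP Filtering dialog described above.

Added example, not code from the book.  Each field mirrors a 'Permit Only'
box on the TCP/IP Filtering dialog; None stands for 'Permit All'.  This is
a simplified model (constructed for illustration) in which the TCP-port,
UDP-port and IP-protocol lists are evaluated independently.  It encodes the
caveat from the sidebar: ICMP (IP protocol 1) is never filtered by this
feature, so it passes whether or not protocol 1 is in the permit list.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ICMP, TCP, UDP, GRE = 1, 6, 17, 47

# A packet is (ip_protocol, destination_port); the port is None for
# protocols that carry no ports (ICMP, GRE, ESP, ...).
Packet = Tuple[int, Optional[int]]


@dataclass(frozen=True)
class TcpIpFilter:
    tcp_ports: Optional[FrozenSet[int]] = None     # None == Permit All
    udp_ports: Optional[FrozenSet[int]] = None
    ip_protocols: Optional[FrozenSet[int]] = None

    def permits(self, packet: Packet) -> bool:
        proto, port = packet
        if proto == ICMP:
            # Sidebar caveat: TCP/IP filtering does not support filtering
            # ICMP; only an RRAS packet filter can drop these.
            return True
        if proto == TCP:
            return self.tcp_ports is None or port in self.tcp_ports
        if proto == UDP:
            return self.udp_ports is None or port in self.udp_ports
        return self.ip_protocols is None or proto in self.ip_protocols


def permitted(filt: TcpIpFilter, packets: List[Packet]) -> List[Packet]:
    """Return the subset of packets the interface would accept."""
    return [p for p in packets if filt.permits(p)]


def unfiltered_protocols(filt: TcpIpFilter) -> FrozenSet[int]:
    """Protocols that still reach the host although the administrator did
    not list them: the check to run before treating 'Permit Only' as a
    firewall."""
    if filt.ip_protocols is None or ICMP in filt.ip_protocols:
        return frozenset()
    return frozenset({ICMP})


# Filter from the article's example: only TCP 21, 25, 53 and 80, plus IP
# protocol 47 (GRE) from the protocol-filter example; no UDP at all.
ARTICLE_FILTER = TcpIpFilter(
    tcp_ports=frozenset({21, 25, 53, 80}),
    udp_ports=frozenset(),
    ip_protocols=frozenset({GRE}),
)

# Constructed sample traffic arriving at the interface.
SAMPLE_PACKETS: List[Packet] = [
    (TCP, 80), (TCP, 25), (TCP, 445), (UDP, 53), (UDP, 161),
    (GRE, None), (ICMP, None), (50, None),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "permit" if ARTICLE_FILTER.permits(pkt) else "drop")
    print("reaches host unfiltered:",
          sorted(unfiltered_protocols(ARTICLE_FILTER)))
```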

Setting up a VPN with Windows 2000
Oct 18, 2000
By Jason Hiner, MCSE, CCNA

Have you heard about the magical benefits of the virtual private network? Are you ready to test its merits in your remote access infrastructure? If so, you’ll be happy to hear that Windows 2000 provides an excellent VPN platform, especially for connecting small remote offices and supporting telecommuters from their home offices. You’ll be amazed at how easy the basic setup of a VPN has become with Windows 2000. At the same time, Win2K offers dramatic improvements in functionality and security over the bare bones VPN of Windows NT.

In this article, we’ll examine what hardware and software you’ll need for your VPN, explain how to configure a VPN server on your corporate network, and show you how to configure telecommuters to make a VPN connection to the corporate LAN. We’ll focus on the basics of VPN setup, but we won’t touch on advanced topics, such as setting up a server-to-server VPN with a remote office network, setting up Remote Access Policies, or configuring your VPN connection to pass through firewalls and proxy servers. With this in mind, let’s get started on configuring your Windows 2000 remote access VPN.

Preparing the infrastructure
The first thing you need to consider is the hardware requirements for your VPN server. Remember that Windows 2000 by itself requires substantial hardware resources. In an enterprise environment, you will want your VPN server to be a dedicated server with nothing but Windows 2000 Server or Windows 2000 Advanced Server running on the machine. For this configuration, I would recommend at least a 450-MHz Pentium III with at least 256 megabytes of RAM. For a small business or branch office with fewer than 100 users and fewer than 20 remote access connections, you can use a 300 MHz (or better) Pentium II or Celeron machine with at least 128 megabytes of RAM.

Your server will need to have two network cards. One card will connect to the Internet and the other will connect to the local area network. As you’ve probably realized, this means your VPN server is actually functioning as more of a VPN router than as a server. It authenticates the users, creates the secure tunnel, and then, like any router, allows users to access resources on the subnet to which they are connecting or to another subnet, based on routing tables. Keep in mind that this can include non-Windows resources such as NetWare and UNIX servers.

The final major consideration is your Internet connection. Using a VPN server can mean that you’ll be able to get rid of many of your phone lines that are currently dedicated to RAS. However, in one sense, this is robbing Peter to pay Paul because you’ll probably need to consider increasing the Internet bandwidth at your corporate office. This will depend on how much bandwidth you have to begin with, what your current utilization is, and the numbers of users and remote offices that will be connecting to your VPN server. Also, VPN works best if you have an always-on Internet connection at your corporate network. If you have a dial-up Internet connection, the only VPN solution I would recommend would be a server-to-server connection between your corporate office and a remote office.

Configuring the VPN server
Once you’ve dealt with the hardware issues, you need to install Windows 2000 Server and the latest Service Pack on your machine. Make sure you don’t install other unnecessary services, such as DNS, DHCP, and IIS. Also avoid loading any additional third-party software, except for things that are absolutely necessary, such as backup agents.

During installation, you should choose to statically assign IP addresses. You’ll need to set up one network card with a true Internet IP address and the default gateway of your

Internet router. The other network card should have an IP address assigned to the local network, and it should not contain a default gateway.

You’ll also need to set the domain/workgroup for your VPN server. This setting will depend on how you decide to do authentication. There are three basic options: The VPN server can authenticate users locally, you can use Windows 2000 domain security, or you can pass authentication to a RADIUS server. If you have the VPN server authenticate users locally, you’ll want to set up a workgroup just for the VPN server—something like “Internet.” If you want to use Active Directory and have a Windows 2000 domain controller handle authentication, have the VPN server join a Windows 2000 domain. If you’re going to have a cluster of VPN servers, you may want to use a RADIUS server (such as Microsoft’s Internet Authentication Service) to perform VPN authentication. In this example, we’ll have the VPN server authenticate users locally.

Once you have Windows 2000 Server installed, go to Start | Programs | Administrative Tools | Routing And Remote Access to pull up the RRAS Microsoft Management Console, shown in Figure A. Then, click on the icon with the name of your server and click Action | Configure And Enable Routing And Remote Access. This will launch a wizard that sets up a new server. Select Manually Configured Server, which will take you into RRAS to begin your configuration. You may be tempted to select the VPN option in the wizard, but please control yourself. The VPN wizard is still a little quirky, and it’s much better to configure the few basic VPN settings in RRAS manually

Figure A: RRAS Microsoft Management Console

Figure B: General tab in the Properties dialog box

Figure C: Settings in the IP tab

Figure D: The Ports Properties dialog box

Figure E: Options in the Dial-In tab

so you’ll know how to troubleshoot and tweak them in the future.

Start the configuration by right-clicking on the icon with the name of your VPN server and selecting Properties. This will bring up the main options you’ll use to activate your VPN server. In the General tab, shown in Figure B, make sure that you have checked the Router and Remote Access Server selections and that the LAN And Demand-Dial Routing option is selected under Router. Switch to the Security tab and select Windows Authentication if the VPN server is doing its own authentication or if you’re using a Windows domain for authentication. If you’re using a RADIUS server, choose RADIUS Authentication. As for PPP and Event Logging, you can leave the default settings or tweak them to your preferences.

The settings in the IP tab, shown in Figure C, are very important. You’ll want to check Enable IP Routing and Allow IP-based Remote Access And Demand-Dial Connections, and then configure IP Address Assignment for DHCP or assign a static address pool (in the subnet you want clients to connect on). Set the Adapter option to the adapter that connects to your LAN. The settings in the IP tab are crucial because they regulate the IP and network information that incoming VPN clients will receive. In most cases, I would recommend using DHCP to assign IP information to your VPN clients. This is especially effective when using the same DHCP server that clients on your LAN use to receive their IP information. VPN users can also receive static IPs, as you will see when we get to client configuration.

After completing the VPN server properties, there are only a few more settings to configure. If you did opt to use DHCP, you’ll need to right-click on DHCP Relay Agent (a container under IP Routing), select Properties, and add the IP address of the DHCP server(s) for your local area network.

After that, right-click on Ports and select Properties, and you should see the default configuration of 5 PPTP ports, 5 L2TP ports, and 1 Parallel port, as shown in Figure D. You can leave the default Parallel port alone, but you can double-click on the PPTP and L2TP ports and configure the number of ports you need for these protocols. You want to make sure that there are enough ports for all of your users and remote servers, but you don’t want to enable more ports than you need. Keep in mind that Windows 2000 Professional is currently the only client that supports L2TP, so most clients will connect using PPTP. While L2TP is destined to become the new standard in VPN, this article will focus on

making connections using the simpler and more universal PPTP protocol.

Configuring remote clients
You have now completed all of the basic steps for preparing a VPN server on your corporate network. Now, let’s take a look at how to connect a remote client. In this example, I’ll focus on the best VPN client, Windows 2000 Professional. You can also make good VPN connections with Windows NT 4.0 and Windows 98, but they aren’t nearly as fast or as functional as Win2K Pro. However, before any client can connect to your VPN server, you need to provide their user account with remote access permission.

If your VPN server is authenticating users locally, set up user remote access permissions by going to Start | Programs | Administrative Tools | Computer Management | Local Users And Groups | Users and double-clicking a user (or creating a username) that you want to enable for remote access. Next, select the Dial-In tab and then select the Allow Access option, as shown in Figure E. As you get more advanced with VPN, you can select Control Access Through Remote Access Policy and use Remote Access Policies for greater control and security. The Dial-In tab also lets you set up users to receive a static IP address, rather than receiving their IP information from DHCP when they connect.

On a Windows 2000 Professional machine with an Internet connection, connecting to a corporate VPN server is simple. First, click Start | Settings | Network And Dial-up Connections | Make New Connection. Click Next to begin the wizard, and then select Connect To A Private Network Through The Internet. At the next prompt, you’ll need to specify how to connect to the Internet. If you have an “always-on” connection, such as a DSL or cable modem, choose Do Not Dial The Initial Connection. If you have a dial-up connection, choose Automatically Dial This Connection and select your Internet dial-up connection from the list. Now, you’ll need to select your destination address, which will be the fully qualified domain name or IP address of your VPN server. Choose whether the connection will be accessible for all users or only for yourself. Then, name the connection (I suggest something like Office VPN) and click Finish.

Now, when you open Network And Dial-up Connections, you’ll notice the Office VPN icon, as shown in Figure F. Right-click on the Office VPN icon and click Properties. This will bring up your client VPN options, which you’ll use to troubleshoot and adjust settings in the future. Now you can double-click the Office VPN icon to display a login screen, shown in Figure G. Enter a username and password for a user who has remote access permission and click Connect. If you have an always-on Internet connection, this should bring up a dialog box to follow along with the authentication steps. If you have a dial-up connection, you should see the dial-up connection triggered first (you may have to hit Connect for that one and then hit Connect again for the VPN connection), and then you will see the dialog box showing the VPN authentication process.

Figure F: The Network And Dial-up Connections window

Figure G: The Office VPN login screen

Summary
This article has provided a primer for setting up a VPN using Windows 2000. We’ve focused on VPN as a remote access solution for telecommuters, but the scope of VPN in Windows 2000 extends far beyond the basic concepts reviewed here. If you’re ready to pilot a Windows 2000 VPN in your enterprise, I recommend further study on VPN concepts and troubleshooting by consulting Microsoft’s VPN Web site (http://www.microsoft.com/serviceproviders/vpn_ras/default.asp).

Configuring certificates for an L2TP/IPSec VPN
Dec 14, 2001
By Carol Bailey, MCSE+I

Much has been written on the merits of using a virtual private network (VPN) connection for remote access and how Windows 2000’s Routing and Remote Access (RRAS) service has greatly simplified the process. The main benefit of a VPN is cost savings, since it allows corporations to use a persistent Internet connection rather than a bank of modems, and calls are cheaper for users because they incur only local charges to their ISP rather than long-distance costs.

Many of us have mastered the use of PPTP connections for a VPN. However, Windows 2000 (and Windows XP) natively supports the more secure form of VPN, L2TP/IPSec. Unfortunately, little has been written about how to configure L2TP/IPSec beyond saying, “It’s more complicated.” So this three-part series will provide a step-by-step tutorial on how to get Windows 2000 Professional to make an L2TP/IPSec connection to a Windows 2000 VPN server, as well as how to customize and maintain that connection. In this installment, I’ll explain how to use the Windows 2000 Certification Authority service to achieve a connection. Then, my next two articles will focus on customizing and troubleshooting L2TP/IPSec connections.

WIN2K VPN AND RRAS BASICS
For the basics on using and configuring Windows RRAS with VPN connections, see “Setting up a VPN with Windows 2000” (page 191).

It all starts with the certificates
The most likely reason that L2TP/IPSec connections fail is because of problems with certificates. In its default configuration, a valid computer certificate is required on both the client and the server. There are various ways of obtaining a computer certificate for an L2TP/IPSec connection, such as using a third-party Certification Authority like VeriSign (which should provide its own instructions on this) or using Windows 2000 Active Directory automatic certificate deployment.

However, this article will describe how to use L2TP/IPSec connections by issuing your own certificates—without Active Directory—using the Windows 2000 Certification Authority service in Stand-alone mode. This allows anyone with a Windows 2000 Server to benefit from L2TP/IPSec connections regardless of whether they’re running Active Directory or they have an NT 4.0 domain or even a simple Windows Workgroup. These instructions also hold good for using just IPSec on your network, outside the VPN environment, although we won’t describe the IPSec policy configuration.

Preliminary configuration steps
Make the following checks before we begin:
• First, ensure that your Windows 2000 Professional can successfully connect to your Windows 2000 RRAS server using PPTP with TCP/IP. This will verify that the basics of RRAS are working, that associated hardware (modem, router, cable modem, etc.) is working, that the user is allowed remote access, that remote access policies aren’t preventing a successful connection, and that IP address assignment is handled correctly.
• Second, ensure that your client’s Internet connection is not going through a network address translation (NAT) server. Microsoft’s IPSec implementation has known problems with NAT. If all your clients’ Internet connections must go through NAT (as opposed to having static IP addresses), Microsoft’s L2TP/IPSec implementation is probably not for you.
• Third, if you have a firewall between the client and server, you may need to reconfigure it to allow the L2TP/IPSec connection through. Open UDP port 500 and IP protocol 50. If you suspect your firewall or another intermediary device (e.g., NAT server) may be preventing your L2TP/IPSec connections from working, my next article will help. I’ll describe how to eliminate Internet devices to confirm whether these are preventing the L2TP/IPSec connections from working.

Configuring the Certification Authority service
Deploying your own certificates with an in-house Certification Authority requires careful planning. For example, you need to think about the hierarchy you’ll be using (root CA, subordinate and issuing servers), the certificate lifetimes and key lengths, and how you will secure this service. (Standard advice is to take the root CA offline and physically secure it until needed.) One of the best sources of information on this is Microsoft’s white paper “Windows 2000 Certificate Services” (www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/2000cert.asp).

To streamline the process for the testing purposes of this tutorial, we will use only an online root CA as the issuing certificate server. Certificates will be requested and issued through the Web browser, so IIS also needs to be running on the certification server. However, these services will be on a different server from the one running RRAS, just as they should be on a production network.

On the Windows 2000 server, you will be installing the Certification Authority service. First, double-check to make sure that the date and time are correct on the server, because

Figure A: Specifying the Certification Authority Type

Figure B: Specifying the CA details

certificates are based on timestamps. Then, go to the Add/Remove Windows Components and select Certificate Services. You’ll see a warning dialog box telling you that after installing this service, the computer cannot be renamed, join a domain, or be removed from one. Click Yes to continue and then click Next.

Now, you’ll be prompted to configure the Certification Authority service. The first window prompts for Certification Authority Type. Select Stand-alone Root CA (Figure A) and click Next. The next prompt will ask for CA Identifying Information, with some defaults already in place. The defaults are for your country/region, the validity time of the certificate (two years), and the expiration date/time. Fill in the other boxes with as much or little information as you desire, although you must supply a CA name. My example uses the CA name MyCompany Root (reminding me that this is a root CA), as you can see in Figure B.

The next screen is for the Data Storage Location, which refers to the certificate database and log. Keep the defaults and click Next. You should now see a warning box that IIS is running on the computer and must be stopped to proceed. Stopping IIS will allow us to create the virtual directory we are going to use for deploying the certificates. Click OK, and the CA virtual directory will install (prompting for the Windows 2000 source files, so have the CD handy or have the files available locally or over a network connection). When the installation is complete, click the Finish button and then click Close. There’s no need to reboot.

You should now have Certification Authority listed as one of your Administrative Tools on this server. Load it up, and it should look like Figure C. Under the CA, you’ll see folders for Revoked Certificates, Issued Certificates, Pending Requests, and Failed Requests. At the moment, all of these should be empty. Keep this console open, because you will need it to manually issue the computer certificate requests.

Figure C: The newly installed Certification Authority service

Figure D: Connecting to the Microsoft Certificate Services Web site

Configuring the systems for your Certification Authority
For the computer certificate element to work, both client and server need to have a Certification Authority in common. Then, both need to have a computer certificate issued by that CA. If you are using one of the well-known third-party CAs (such as VeriSign), you won’t need to complete the additional step of retrieving the Certification Authority certificate. Windows 2000 ships with these, as you will see if you run Internet Explorer, choose Internet Options from the Tools menu, select the Content tab, click the Certificates button, and select the Trusted Root Certification Authorities tab.

You’ll need to complete the following steps on both the Windows 2000 RRAS Server and the Win2K Pro client machine. Again, before

you begin, verify the correct date and time on these machines, as we did for the CA server. Note that in this tutorial, the client workstation and the RRAS server will need to connect to the CA server. The workstation could complete this step when it’s on the corporate network (if it’s a laptop) or after connecting through the VPN server using PPTP (if it’s a remote workstation).

Open Internet Explorer and go to http://<CA server>/certsrv (where <CA server> is the name or IP address of the CA server we just set up). In my example, this would be http://w2kca/certsrv. You should see the home page for Microsoft Certificate Services with the name you gave the CA displayed at the top, as shown in Figure D.

Instead of requesting a certificate immediately (the default option), select the top option, Retrieve The CA Certificate Or Certificate Revocation List, and click Next. The following page allows you to install the CA path directly from the server (possible because we are connecting to it over the network) or download the CA certificate into a file (an approach you should use when the CA server is not connected to the network, as would be the case with an offline CA). Click on the Install This CA Certification Path link, as shown in Figure E. This will result in a warning message asking you to confirm that you want to add the certificate to your Root Store. You’ll then see some information about the certificate, including the name you gave it, the fact that it was self-issued (because it is a root CA, there is no higher server to sign this certificate), and other information, such as the time validity, serial number, and unique thumbprint. Click Yes. The next screen should inform you that the CA certificate has been successfully installed.

Figure E: Installing the CA certificate over the network

Requesting the certificate
Once you’ve installed the CA Certificate, click Home or connect to the Certificate Web site again. This time, we’re ready to request a certificate (the default option), so make sure this option is selected and click Next. The Choose Request Type screen will appear with the default being User Certificate Request For Web Browsing. Remember that IPSec uses computer certificates and not user certificates, so this default will not work for our L2TP/IPSec connection. Instead, select Advanced Request and click Next to display the Advanced Certificate Requests screen. Accept the default selection of Submit A Certificate Request To This CA Using A Form and click Next.

Figure F: Requesting a computer certificate for IPSec

Now you’ll be prompted to fill in the details of the certificate you require. The information you supply here is twofold. First, it allows the CA administrator (who must manually inspect each certificate request) to identify you and check that the information you are supplying is in accordance with acceptance policies. Second, it dictates the certificate’s specification in terms of its usage and security. Fill this in with care. You will need to specify an identifying name (e.g., RRAS Server), and the Intended Purpose must be either Server Authentication Certificate (e.g., for the RRAS server) or Client Authentication Certificate (e.g., for the VPN client). You must also select both Create New Key Set and Use Local Machine Store, as shown in Figure F. For a production environment, you might need to change some of the other options for security reasons (e.g., the key size), but these settings will suffice for our test connection.

Click Submit, and the next screen will tell you that your certificate is pending—waiting on the administrator to issue it—and that you must retrieve it within 10 days. Happily, since you are the CA administrator, you don’t have to wait that long.

Figure G: The Pending Certificate request

Figure H: Installing the certificate

Issuing a certificate from the Certification Authority
In the Certification Authority console on your server, you should now have an entry under the Pending Requests folder, as shown in Figure G. If you scroll across the details pane so you can see all the column information, you’ll notice that this is where the administrator would check the identification details before issuing the certificate and use the e-mail address supplied if necessary to check or verify information. However, since we know this is our certificate request, we can quickly issue it by right-clicking on it in the details pane and selecting All Tasks | Issue. The entry will disappear from the Pending Requests folder and will appear under Issued Certificates.

Installing the certificate
Back on the server or workstation, click on Home or reconnect to the Certificate Web site again. This time, select Check On A Pending Certificate, and you will be prompted to select the certificate you requested. Because it’s the only one, it will be selected by default, so go ahead and click Next. The following screen will inform you that the certificate was issued. Click on Install This Certificate, as shown in Figure H. The final screen should tell you that your certificate has been successfully installed, and you can now close the browser.

Ready to connect
That’s it. When you’ve completed these steps on both your client computer and RRAS server, they should have your CA root certificate installed and have computer certificates from this CA that allow them to use IPSec.

Because Windows 2000 automatically generates IPSec policies for L2TP/IPSec connections, you should have nothing further to do but stop and restart your RRAS service and try a VPN connection from the client machine. The defaults supplied with Windows 2000 mean that an L2TP/IPSec connection will be tried before a PPTP connection. If your RAS client connects, check the Ports listed in the RRAS console. If it lists a WAN Miniport (L2TP) VPN device as Active, you have an L2TP/IPSec connection up and running.

Final word
This tutorial has explained how to achieve an L2TP/IPSec VPN connection between a Windows 2000 RAS client and Windows 2000 RRAS server using the Windows 2000 Certification Authority service.

Customize the security of L2TP/IPSec connections
Dec 18, 2001
By Carol Bailey, MCSE+I

Those who are familiar with a PPTP VPN in Windows 2000 will find that an L2TP/IPSec VPN is quite similar but contains some more complicated settings and management. Along with configuring computer certificates, which I discussed in “Configuring certificates for an L2TP/IPSec VPN” (page 191), an L2TP/IPSec connection involves some in-depth work with the VPN settings and other configuration options. This article will introduce you to the more advanced approaches that will enable you to customize the security of your Win2K L2TP/IPSec connections. This will include:
• How the default L2TP/IPSec policies work.
• How to monitor the IPSec connections.
• How to override the default IPSec settings.

How the default L2TP/IPSec policies work
When you’re using Microsoft’s IP Security (IPSec) outside a VPN environment, you must assign a preconfigured IPSec policy to the computers. The Security Policy console (under Administrative Tools) allows you to view and edit these IPSec policies. However, by default, Microsoft uses a hidden, automatic IPSec policy for L2TP connections, which you won’t see in the Security Policy console. It is called the L2TP Rule, and you can see it only when it’s in use.

The default L2TP Rule policy is in use on the server when the RRAS server is listening on L2TP ports and on the remote workstation when the client tries to connect over L2TP/IPSec. If you stop the IPSec policy agent on the VPN server (for example, by typing net stop policyagent) after RRAS has initialized, you will delete this default policy. To re-create it, restart the policyagent service and then the RRAS service or reboot. The default L2TP Rule is automatically deleted on the Windows 2000 client whenever the L2TP/IPSec connection is terminated.

By default, a Windows 2000 client VPN connection will try an L2TP/IPSec connection first. If this fails, it then falls back to trying PPTP. This is why there is no need to change anything on the client’s connection properties if the defaults are still in use when you try to make an L2TP connection from the client. However, you might want to change this for security reasons so that only an L2TP/IPSec

connection will be tried. If so, you will need to go into the connection’s Network properties and change the Type Of VPN Server I Am Calling setting from Automatic to Layer-2 Tunneling Protocol (L2TP).

You can check to see that an L2TP connection is being used on the VPN server by looking at the Ports folder in the RRAS console on the VPN server. Look for an Active status on an L2TP WAN Miniport, as shown in Figure A. The RRAS console will tell you that an L2TP connection is being used, but it won’t tell you anything about the IPSec side of the connection. To see exactly what IPSec settings are being used, you’ll have to delve a little deeper.

Figure A: RRAS showing an active L2TP connection

How to monitor the IPSec connections
You use some of Win2K’s standard IPSec monitoring utilities to see what IPSec settings are being used for your L2TP/IPSec connections. This article assumes that you have a basic understanding of how IPSec connections work, along with their basic components. However, if you need some background information, these two resources are a good place to start:
• “IP Security for MS Windows 2000 Server” white paper (http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/evaluate/featfunc/ipsecure.asp)
• “Internet Protocol security (IPSec)” from the Windows 2000 Server Manual (http://www.microsoft.com/WINDOWS2000/en/server/help/ipsec.htm)

You can see the L2TP policy in use with the IP Security Monitor. When you have a successful L2TP/IPSec connection, type ipsecmon from a command prompt on the RRAS server, and you’ll see the L2TP Rule policy. It should look similar to Figure B. This monitor gives you some (but not all) of the information on the current IPSec connection. To see all the information, you’ll have to use the Netdiag Windows 2000 Support tool by typing netdiag /test:ipsec /v at the command line. You’ll also have this level of information recorded in your Security Event log if you have enabled auditing for successful logons.

The policy filters on the VPN server are sensible ones that you probably shouldn’t change. You’ll find them under the Current Phase 2 SAs section when you use the Netdiag command. They are the source address(es) of the VPN server’s Internet NIC to any destination address and any source port from the VPN server to destination port UDP 1701.

However, what is interesting is that (as with any IPSec connection) the remote access client and VPN server can negotiate security options that will be used for the connection. The default L2TP Rule allows the VPN server to offer 16 security preferences. (The equivalent options can be found under the Security Methods tab when using the Security Policy console.) To see all offers, type netdiag /test:ipsec /debug on the server.

The first match between client and server will be used, so if your Windows 2000 client and Windows 2000 VPN server offer the same level of encryption (e.g., both support only 56-bit encryption), the resulting security methods used will be data encryption (ESP) with DES and Cipher Block Chaining (CBC), together with MD5 as the chosen algorithm method. This matches the ESP DES/CBC HMAC MD5 in Figure B. If both server and client support strong encryption (i.e., they both have Win2K SP2 installed), the

Windows Networking 201

resulting policy will be ESP 3DES/CBC HMAC MD5.

If the encryption levels are not the same on the server and the client, the lower one will be used. So if you want the highest encryption level on your L2TP/IPSec connections, ensure that both the server and all clients support 128-bit encryption. The easiest way to do this is to install SP2 or to install the High Encryption Pack if you are running a pre-SP2 machine with 56-bit encryption. However, you should realize that connections using 3DES are slower and demand more processing on the server.

You may be surprised when looking through the full list of 16 "offers" in Netdiag that there are more secure security methods on the list that will not be used by default because they are farther down the offer list. For example, you can use both Authenticated Headers (AHs) and ESP to ensure that the header information (addresses) is not changed in transit, and you can use SHA1, which is a stronger algorithm than MD5. However, both of these come with the overheads of additional processing, and if you use AH as well as ESP, you will also need to open Protocol ID 51 on your firewall.

The least secure offer on the list has AHs without encrypting the data at all. This is not most people's idea of a virtual private network, but there may be times when this option is necessary for political reasons—for example, when the data is being transferred in a country where encryption is banned. However, if you specifically want to ensure that all connecting remote clients will encrypt their data, having this offer automatically listed (albeit at the bottom of the offer list) may worry you because you cannot change this default offer list. Fortunately, you can customize your IPSec settings to prevent the possibility that this offer will be used.

Figure B: The default L2TP/IPSec policy in use

How to override the default IPSec settings

You may be wondering how it is possible to use any of the other offers if a Windows 2000 remote client to Windows 2000 VPN server uses the same policy, which always results in matching ESP with 3DES and MD5. Because the first match between client and server will be used, a VPN client that doesn't use the Microsoft default L2TP Rule may be configured with different security options, so you can't predict which of the 16 offers will be used. Because of this uncertainty, or a desire to use IPSec settings that are different from the default, you may have good cause to change the IPSec options on the VPN server. For example, you may have deployed SP2 on all of your Windows 2000 computers for the security patches but do not want the extra processing of 3DES, and you want to use DES instead. Or you may want to use the strongest combination possible, AH and ESP, using the SHA1 algorithm. Or you may decide you don't want the risk of potentially offering a VPN connection that doesn't encrypt data.

If you decide to go this route, you'll need to disable the default L2TP/IPSec policy and create one manually that matches the security

Listing A: Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

options you want to use. To disable the default policy, add a new registry key (REG_DWORD) of ProhibitIpSec and set the value to 1 under the Windows Registry key shown in Listing A. Next, reboot the computer. You can do this just on your VPN server to ensure that only the security settings you want will be used and then let the client work through its default offer list until a match is found. Or you can do the same on the client side so that both sides use only one offer.

Now, you need to configure your own IPSec policy and assign it. Make sure that you change the default authentication from Kerberos to certificates. Use the filters previously mentioned, select the security methods you want, and use Netdiag to ensure that your options are being implemented. Make sure you also choose to rekey every so often and select your own settings for this or use the sensible defaults in the L2TP/IPSec policy, which are every 3,600 seconds or every 250,000 bytes.

Summary

This article has provided information that should help you understand, monitor, and tailor Microsoft's L2TP/IPSec connections for a more secure VPN connection. You'll find additional information on Microsoft's VPN site (http://www.microsoft.com/windows2000/technologies/communications/vpn/).
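To make the offer-list behaviour described above concrete, here is an added Python model (not code from the article or from Microsoft) of the "first match between client and server" rule: it shows why a mixed SP2/pre-SP2 pair falls back to DES, why a peer that offers only AH can end up with an unencrypted "VPN" under the default list, and how a hand-built policy closes that off. The Offer class and the offer lists are constructed for illustration; they contain only the methods the article names, not the real 16-entry default list.

```python
"""Model of the 'first match wins' L2TP/IPSec offer negotiation described above.

Added example, not from the article. The offer lists are constructed: they
contain only the security methods the article names, in the order it
describes (strong ESP first, AH-only last), not the real 16-entry default.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Offer:
    """One IPSec security method ('offer') in a policy's preference list."""
    esp_cipher: Optional[str]  # "3DES", "DES", or None when ESP encryption is absent
    hmac: str                  # integrity algorithm: "MD5" or "SHA1"
    ah: bool                   # whether an Authentication Header is included

    @property
    def encrypts(self) -> bool:
        """True only if the offer carries ESP encryption of the payload."""
        return self.esp_cipher is not None

    def label(self) -> str:
        parts = ["AH"] if self.ah else []
        if self.esp_cipher:
            parts.append(f"ESP {self.esp_cipher}/CBC")
        return " + ".join(parts) + f" HMAC {self.hmac}"


# Constructed stand-in for the default L2TP Rule offer list, in preference order.
DEFAULT_L2TP_OFFERS: List[Offer] = [
    Offer("3DES", "MD5", ah=False),   # chosen when both ends have SP2 (128-bit)
    Offer("DES", "MD5", ah=False),    # chosen when either end is 56-bit only
    Offer("3DES", "SHA1", ah=True),   # stronger, but farther down so never reached
    Offer("DES", "SHA1", ah=True),
    Offer(None, "MD5", ah=True),      # AH only: integrity, no confidentiality
]


def win2k_client_offers(strong_crypto: bool) -> List[Offer]:
    """Offers a Win2K client presents; a pre-SP2 (56-bit) client cannot offer 3DES."""
    return [o for o in DEFAULT_L2TP_OFFERS if strong_crypto or o.esp_cipher != "3DES"]


def negotiate(server: Sequence[Offer], client: Sequence[Offer]) -> Optional[Offer]:
    """Return the first server offer the client also supports (the article's rule).

    None means no security association is agreed, so L2TP is never attempted.
    """
    acceptable = set(client)
    for offer in server:
        if offer in acceptable:
            return offer
    return None


def unencrypted_offers(offers: Sequence[Offer]) -> List[Offer]:
    """Audit helper: offers that would yield a 'VPN' carrying cleartext data."""
    return [o for o in offers if not o.encrypts]


def custom_policy(min_cipher: str = "DES", require_ah: bool = False) -> List[Offer]:
    """Hand-built replacement list (what you assign after ProhibitIpSec=1):
    keep only encrypting offers, optionally only 3DES and/or only AH+ESP,
    preserving the default ordering."""
    keep = []
    for o in DEFAULT_L2TP_OFFERS:
        if not o.encrypts:
            continue
        if min_cipher == "3DES" and o.esp_cipher != "3DES":
            continue
        if require_ah and not o.ah:
            continue
        keep.append(o)
    return keep


if __name__ == "__main__":
    ah_only_client = [Offer(None, "MD5", ah=True)]
    scenarios = {
        "SP2 server, SP2 client": (DEFAULT_L2TP_OFFERS, win2k_client_offers(True)),
        "SP2 server, pre-SP2 client": (DEFAULT_L2TP_OFFERS, win2k_client_offers(False)),
        "default server, AH-only client": (DEFAULT_L2TP_OFFERS, ah_only_client),
        "custom server, AH-only client": (custom_policy(), ah_only_client),
    }
    for name, (srv, cli) in scenarios.items():
        chosen = negotiate(srv, cli)
        print(f"{name:32s} -> {chosen.label() if chosen else 'no match (connection fails)'}")
```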

Troubleshooting L2TP/IPSec VPN connections in Win2K
Dec 20, 2001
By Carol Bailey, MCSE+I

Setting up and managing an L2TP/IPSec VPN in Windows 2000 is quite different in many respects from working with a standard PPTP VPN. So it's not surprising that troubleshooting these connections also requires some unique tactics, as this article will demonstrate.

Microsoft's L2TP/IPSec connections usually fail for two main reasons:

X Problems with certificates

X Internet device problems (e.g., routers, switches, firewalls, or NAT)

Other potential problems include:

X Straining server resources

X Interoperability with other systems

Problems with certificates

My article "Configuring certificates for an L2TP/IPSec VPN" (page 195) worked through an example of how to use your own in-house CA to issue computer certificates required for L2TP/IPSec connections in Windows 2000. If you suspect that certificates may be to blame for your L2TP/IPSec connections failing to connect, try the steps in this article. Alternatively, you can use Microsoft's testing site (http://sectestca1.rte.microsoft.com/) to install a computer certificate from Microsoft's online CA.

Here are a few other things to check:

X Verify that the date/time is correct on the client and the VPN server (and the issuing CA, if using an in-house CA).

X Open the Certificates console on the client and verify that the CA path is installed, if using an in-house CA. You can confirm that it exists under Trusted Root Certificates Authority | Certificates or by checking that the computer certificate is listed and valid under Personal | Certificates.

If you still suspect that certificates may be the problem, an option to confirm this is eliminating them and using password authentication instead of certificates. This is possible only if you disable the default L2TP/IPSec policy and configure your own IPSec settings. One of the advantages of using your own IPSec policy is that you can change the authentication method from certificates to passwords.

You may decide that this is a configuration you actually want to use all the time rather than just for troubleshooting because it allows you to use L2TP/IPSec and bypass all the overheads of installing, managing, and maintaining your own Certificate Authority. Perhaps you cannot justify the expense of using a third-party Certificate Authority, or you have a non-Microsoft L2TP/IPSec client that is compatible but can use only passwords. However, Microsoft does not endorse using computer password authentication for L2TP/IPSec connections. It argues that it is not a secure implementation because passwords are always vulnerable to guessing and/or cracking and will be stored in the registry or Active Directory as part of the IPSec policy. So remember that it is possible to use Microsoft's L2TP/IPSec connections with password authentication instead of certificates, but you're unlikely to get a sympathetic hearing from Microsoft if you report problems with them.

To use passwords instead of certificates for your L2TP/IPSec connections, you'll have to disable the L2TP policy on both server and clients and then configure and assign your own IPSec policy as described in my article "Customize the security of L2TP/IPSec connections" (page 196). But specify password authentication and type in the password you want to use. For production use, don't forget all the rules about choosing secure passwords (at least eight characters, mixture of alphanumeric and nonalphanumeric, mixture of cases, etc.).

If you need help setting up this policy, there are step-by-step instructions in the Microsoft Knowledge Base article Q240262, "How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication" (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q240262). This article will also help if you're configuring your custom L2TP/IPSec policy with certificates. For the Authentication Method, instead of selecting a preshared key, select Use A Certificate From This Certificate Authority (CA) and select the CA by browsing.

Internet device problems

Check any Internet device that might be blocking the connection or changing the packets. Typically, this will be a firewall or a NAT server but can also include a faulty switch that is occasionally corrupting packets or a router that isn't forwarding Protocol ID 50.

In the first article in this series, we said that Microsoft's L2TP/IPSec is not compatible with NAT. However, some L2TP implementations are NAT-friendly (e.g., Cisco's version) because they use a different implementation. See Microsoft's VPN FAQs (http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnfaq.asp) for more information on the Microsoft implementation and how it differs from other vendors'. With the Microsoft implementation, it may be possible for NAT to allow one client to connect with L2TP/IPSec but not allow subsequent connections, so you should always connect at least two remote clients before celebrating.

Even if you're not using NAT and think you have configured your firewall correctly (to allow UDP port 500 and Protocol ID 50), if your L2TP/IPSec connections are not working, it may be a good idea to eliminate the Internet side of the equation by trying to make a VPN connection from a client machine on your LAN. If your connections still don't work, at least you have narrowed it down to something on the client or server rather than attempting to verify all the possible Internet issues (hardware devices, ISP services, bandwidth, firewall, etc.).

To test this connection, you'll need to temporarily rearrange your network so that there's a standard Ethernet connection between the VPN server's Internet adapter and your testing workstation. Assign the workstation a static IP address in the same range as the VPN server so that routing is not required and then make

sure that you can successfully ping between the client and server. Next, create a new VPN connection on the Windows 2000 Professional machine that doesn't automatically dial the ISP connection first. (This is not the default.) Attempt to connect your newly created VPN connection. PPTP and L2TP connections work just fine over Ethernet since all they care about is a valid underlying TCP/IP connection. So, if your client and server are configured correctly, you should have a good L2TP/IPSec connection. It's important to verify that the connection is an L2TP connection. (On the server, check the Active Ports under the RRAS console, or on the client check the connection's Status Details.) If you have a successful L2TP/IPSec connection when connecting this way but not when you connect a similar client over the Internet, it's time to start inspecting your Internet devices.

Straining server resources

L2TP/IPSec connections consume more server processing power—specifically, for the data encryption—than PPTP connections. This will be especially true if you are using strong encryption, which will happen by default if both client and server can support it. Keep an eye on the VPN server's CPU usage, either with the Performance utility running as a service or, more crudely, with Task Manager's CPU Performance figures. If you discover the processor slowing down, you have several options, including adding another processor, using a network card that offloads some of the IPSec processing, or disabling the default policy and specifying DES encryption instead of 3DES.

Interoperability with other systems

If you are hoping to use either the client side or the server with a different vendor's implementation of L2TP/IPSec, check for interoperability issues and determine whether they can be configured to communicate, and when. Check my previously mentioned article on customizing security for information on the default IPSec settings that will be tried, the order they'll be tried, and how you can disable them and define your own policy if necessary. However, you can't change Microsoft's implementation of L2TP/IPSec, which uses IPSec in Transport mode (not Tunnel mode), and the UDP port number of 1701 cannot be changed. If the third-party vendor's implementation also uses Transport mode and port 1701 for the IPSec side of the connection, chances are you can configure the custom IPSec settings to match if the defaults do not work.

Additional guidance

L2TP/IPSec connections must establish an IPSec connection before the tunnel (L2TP), so if the IPSec connection fails, the tunnel is never even attempted. Enable logon auditing and check the Event Viewer's Security log for IPSec errors such as negotiation timeouts (could be the lack of a valid certificate or a packet being blocked by network devices). Make a note of the actual error logged and then look it up on Microsoft's Knowledge Base (http://support.microsoft.com/default.aspx?scid=fh;en-us;kbinfo). You may also find these TechNet articles useful:

X "Basic IPSec Troubleshooting in Windows 2000" (Q257225) (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225)

X "Basic L2TP/IPSec Troubleshooting in Windows" (Q259335) (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259335)

Summary

I hope this article has provided some useful tips to help you troubleshoot your Microsoft L2TP/IPSec connections and, combined with my previous articles, has given you a good basic understanding of how Microsoft's implementation of L2TP/IPSec works.

Configure Windows NT to support VPN connections
May 31, 2002
By John Sheesley

In the good old networking days, life as a network administrator was simple. The only users you had to worry about connecting to your network were the ones in your building. Users at other locations had their own networks with another network administrator to take care of them. Users working from home or on the road couldn't access network resources but had to transport floppies, so you didn't have to worry about them either.

Not any more. Nowadays, users are scattered all across the globe, and they all want access to your network with the same ease and rights as if they were in the office next door to you. That's where VPNs come in. Deploying a VPN doesn't mean that you have to upgrade to Windows 2000 or wait for Windows .NET. Even though you're still running Windows NT, you can deploy a VPN for those users in need by using NT's RAS. In this article, I'll show you how it's done.

AUTHOR'S NOTE
You can configure NT to act as a VPN for both dial-up and Internet connections. For the purposes of this article, I'll show you how to configure NT to act as a VPN for users who are coming in over the Internet.

VPN on Windows NT

If you want to deploy a VPN on your network and you already run Windows NT, then you don't necessarily have to invest in a hardware VPN or upgrade to Windows 2000. You can deploy a VPN solution using NT's RAS. Doing so is almost as easy as deploying a VPN using Windows 2000.

However, because Windows NT is older than Windows 2000, you don't gain all of Windows 2000's additional features in the Windows NT VPN. Some of the things missing from Windows NT's VPN include:

X Support for L2TP

X Policy support for remote access

X Support for an Internet Key Exchange

X Support for IPSec

X Active Directory integration

That said, NT's VPN solution is still very robust and secure. For security, NT's VPN uses Point-to-Point Tunneling Protocol (PPTP). NT uses either 40-bit or 128-bit encryption keys to encrypt traffic that travels to and from the server, with the actual encryption level depending on the software used by the VPN client. For authentication purposes, PPTP can use any of the following protocols:

X Password Authentication Protocol (PAP)

X Shiva Password Authentication Protocol (SPAP)

X Challenge Handshake Authentication Protocol (CHAP)

Figure A: You must specify the number of PPTP connections.

Figure B: Make sure RASPPTPM is selected as the default device.

X Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

You can support up to 256 simultaneous logons to your Windows NT server over the VPN. Once connected, users have the same rights on the network as if they were connected via a LAN.

Configuring Windows NT for VPN support

Configuring Windows NT for VPN support is a fairly easy task. By default Windows NT configures its RAS to allow connections via dial-up. To set up a VPN that will allow access from the Internet, you must add PPTP. First, right-click Network Neighborhood and select Properties. When the Network Properties window appears, click Protocols.

Click Add on the Protocols screen. You'll then see the Select Network Protocol screen. Select Point-to-Point Tunneling Protocol and click OK. Your server will prompt you to insert the Windows NT Server CD. Do so and wait while it copies the files to your server. When the files finish copying, NT will begin configuring PPTP. You'll then see the PPTP Configuration screen, shown in Figure A.

The first thing you must do to configure PPTP is set the maximum number of connections that you want to allow via VPN. You can specify anywhere from 10 to 256 connections. Oddly enough, you can't directly type the number of connections in the Number drop-down list box. Instead, you must select the number of connections from the box. You can speed up the process somewhat by pressing the first number of the connection you want. So, if you want to connect 50 users, you would press 5 twice, which will cause the list box to scroll first to 5 and then to 50. You would press 5 three times to scroll to 51, and four times to scroll to 52, and so on. Click OK to close the window after you've set the number of connections you want.

Next, NT will prompt you to install the RAS service. Click OK to continue. NT will then begin copying the RAS files to your server. When it's done, you'll see the Add RAS Device screen, shown in Figure B.

Figure C: The Network Configuration screen controls network settings for the connection.

Figure D: This screen allows you to configure the protocol for the user.

To allow remote connections, make sure VPN1-RASPPTPM is selected in the RAS Capable Devices drop-down list box. You can add other devices later if you want, such as dial-up modems. Click OK to continue.

You'll then see the Remote Access Setup screen. On this screen, you can see any RAS connections your server is prepared to handle. Select VPN1 and click Configure. When the Configure Port Usage screen appears, make

sure that the Receive Calls Only radio button is selected. This will ensure that users don't attempt to use RAS to connect to external resources. Click OK if everything looks correct.

Next, click Network to configure the network settings for the remote connection. You'll see the Network Configuration screen, as shown in Figure C. The Server Settings pane contains the selections for network protocols the client will be able to use once connected to the VPN. NT will display the protocols currently running on your network. You should select only protocols necessary for the users to get their work done. Chances are you'll use only TCP/IP, so deselect any other protocols.

To configure the protocol, click the Configure button. You'll then see the RAS Server TCP/IP Configuration screen, shown in Figure D. On this screen, you make selections that dictate how NT will assign the TCP/IP address for the remote user.

The Allow Remote TCP/IP Clients To Access box allows you to control the type of access that remote users have. You can limit them to resources only on the VPN server by selecting This Computer Only. To allow users to access any network resource, select Entire Network.

You can either use DHCP to assign network addresses or assign addresses from a static pool. From an administrative standpoint, it's easiest to use DHCP. That way you don't have to worry about overlapping addresses or filtering rights based on TCP/IP addresses. If users need a particular static IP address for some reason, you can select the Allow Remote Clients To Request A Predetermined IP Address check box. Click OK once you've made all of your selections.

When you get back to the Network Configuration screen, double-check the other selections. To secure communications between clients and the server, select the Require Microsoft Encrypted Authentication radio box. Don't worry about selecting the Enable Multilink check box. This is used primarily by dial-up clients to maximize throughput. Click OK to close the Network Configuration window.

After you return to the Remote Access Setup screen, you can click Continue to close the screen and finish the configuration. NT will copy more files to your server and configure the RAS service based on the selections you made. When the configuration finishes, NT will display an informational screen telling you what utilities to use to administer RAS. Click OK to shut down the window. You'll then have to restart your Windows NT Server. After the server restarts, reapply the last Service Pack you applied to your server and restart it again. After this last restart, you'll be ready to start using RAS.

Figure E: You can control user rights using the Remote Access Admin utility.

Figure F: You can control the Remote Access Service using Remote Access Admin.

Allowing users to access RAS

Just because you install RAS and VPN support on your server, that doesn't mean your users can use it. By default, Windows NT denies everyone the ability to access the server via VPN. This increases security on your network and allows you to rest easy knowing that not just anyone can get in through your VPN. To allow a user to use the VPN, you have two choices: You can either change the user's rights

within User Manager For Domains or you can use the Remote Access Admin utility.

Let's look first at the User Manager For Domains. Start the User Manager For Domains by clicking Start | Programs | Administrative Tools (Common) | User Manager For Domains. When the utility starts, select the user to whom you want to grant VPN rights. Select Properties from the User menu. When the User Properties screen appears for the user, click the Dialin button. You'll then see the Dialin Information screen. Select the Grant Dialin Permission To User check box. Make sure No Call Back is set in the Call Back box. This box is only useful for users that dial in to a modem, and it won't work if users are connecting via VPN. Click OK to close the Dialin Information screen and then OK again to close the User Properties screen.

You can also use the Remote Access Admin utility. To start the Remote Access Admin utility, click Start | Programs | Administrative Tools (Common) | Remote Access Admin. You'll then see the Remote Access Admin Window. This window lists the available RAS Server and other information for the RAS server, which I'll discuss more below. To grant a user the right to use the VPN, select Permissions from the Users menu. You'll then see the Remote Access Permissions screen, shown in Figure E.

To allow a user to use the VPN, scroll through the Users list box until you find the user you want. Click the Grant Dialin Permission To User check box to allow access to the VPN. Again, make sure that No Call Back is also selected. Unfortunately, there's no easy way to select multiple users at once. You must select each user one at a time. Alternatively, you can click the Grant All button to give VPN rights to every user on your NT server and then scroll through the User list box and remove the check from the Grant check box. If you want to quickly remove access to the VPN from every user, click the Remove All button.

Figure G: The Port Status screen shows you detailed information about a user's session.

Figure H: Remote Access Admin shows information about logged on users.

Other Remote Access Admin tasks

The Remote Access Admin utility, shown in Figure F, gives you full control over the RAS, and thereby the VPN. As you can see, Remote Access Admin lists the servers that can support VPN, along with the maximum number of connections and current number of logged on connections. Remote Access Admin has a static display. It doesn't change as users log on and log off. To refresh the screen, select Refresh from the View menu.

You can start or stop RAS from the Server menu. To stop the service, select Stop Remote Access Service. To start it, select Start Remote Access Service. You can also pause access without unloading the service by selecting Pause Remote Access Service.

To view detailed information, double-click the server. You'll then see the Communications Ports screen. From this screen you can do the following:

X Disconnect the user from the VPN by clicking Disconnect User

X Send a message to a specific user by selecting the user and clicking Send Message

X Send a message to all users by clicking Send To All

X View detailed information about the connection by clicking Port Status

If you click the Port Status button, you'll see the Port Status screen, shown in Figure G. Here you can see detailed information about the user's connection, including such things as how much bandwidth the user can use, how many packets have been transmitted, and the user's VPN IP address.

Remote Access Admin also allows you to view user information. To do so, select Active Users from the Users menu. You'll then see the Remote Access Users screen. This screen looks similar to the Communication Ports screen except that rather than showing connections, it shows connected users. Like the Communications Ports screen, you can send messages or disconnect users from this screen.

If you want to view information about a user account, highlight it and click User Account. You'll then see the screen shown in Figure H. While it doesn't show detailed information about permissions and such, it does show information about user rights in general, along with callback and password information.

VPNs on NT: Virtually Painless Networking

Even though you're still using Windows NT, you don't have to be left out in the cold when it comes to deploying such things as VPNs. Using NT's RAS, you can quickly deploy a VPN for your network. Users can dial in and have the same rights as if they were connected locally, and you can administer their access without learning any new operating systems.

Monitoring and troubleshooting VPN connections in WinNT
Jun 12, 2002
By Rick Vanover

Windows 2000 Server has been on the market for more than two years, and its successor, Windows .NET, is just around the corner. But many enterprises have consolidated around Windows NT Server 4 as a back-end infrastructure. That includes using NT as a first-generation, PPTP-based VPN server, even though VPN was a very new technology back when NT was released in the mid-1990s.

Of course, supporting an NT VPN server requires the administrator to be diligent in monitoring and optimizing the VPN and to be able to troubleshoot issues that appear in the day-to-day administration of an NT VPN server.

Troubleshooting

In supporting VPN clients, I have found most issues to be related to the client-side configuration, but some important server-side issues must be considered as well. In terms of VPN troubleshooting, we're going to take a look at rights issues, connection types, networking setup, and client configurations.

Rights issues

The rights needed to access an NT VPN server are assigned by the Grant Dialin Permission To

User option in each user account. This option simply states whether this NT account can access the Remote Access Service (RAS). This option is assigned in each user account from within the User Manager For Domains administrative tool, as shown in Figure A.

Figure A: Enable Dialin Permission for users who will make VPN connections.

If a user does not have this option enabled on the account, the connection will not be established and the user will be told that dial-in permission does not exist for the selected account. This will also generate an Event 20082 of source Remote Access in the Event Log of the Remote Access/VPN server. Microsoft provides a nice list of all RAS-related error codes and a description of each in Knowledge Base article Q117304 (http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q117304).

Windows NT, unfortunately, does not allow the dial-in right to be assigned to a local or global group. You can bypass this limitation somewhat by using the Remote Access Admin administrative tool. The Remote Access Admin will allow you to assign the dial-in right to all users, as shown in Figure B. If you take this approach, you'll need to watch the situation carefully. This option does not allow you to select a number of users and assign the right—it assigns all listed users the right to dial in. It also lets you revoke all users. Using the Remote Access Admin console to give all users dial-in rights is most useful if you are using your Windows NT VPN server exclusively for remote dial-in (including VPN), where the only accounts on that computer are the dial-in accounts (not the domain accounts).

Figure B: Use the Grant All button to enable RAS/VPN permissions for all users.

Figure C: Set the allowed number of incoming VPN connections.

Connection types

Supporting VPN clients entails an assortment of responsibilities, and depending on your situation, you may have a mix of how users

connect to your VPN server. If you are supporting telecommuters, users needing occasional remote access, and/or site-to-site VPNs, you will be dealing with different connection types.

While it is likely that the VPN server will not be changing ISPs frequently, I have learned to have the clients connect to the VPN's fully qualified domain name instead of an IP address. That way, if you do change ISPs, you don't have to reconfigure all of your client configurations. For example, have the client connect to "vpn.company.com" and make sure that your DNS records are modified accordingly during your ISP change, which will make an ISP change easier for everyone involved.

Users tend to change ISP connections frequently. Various dial-up, broadband, satellite, wireless, and other connections may cause you headaches in trying to support VPN users. Make an effort to be aware of how your VPN clients are connecting to the Internet (and then to your VPN server). Also, try to provide or recommend the best solutions based on your experience.

Networking setup

The networking of a VPN can be a frequent trouble spot. Topics like RAS setup, ISP networking issues, name resolution means, and gateways can affect the reliability of your VPN solution.

On the server, be sure that you have enough VPN connections enabled for the number of potential VPN users that will be connecting. This setting is configured in the properties of the Point-To-Point Tunneling Protocol within the Network applet of the control panel on the VPN server, as shown in Figure C.

Figure D: Set up the client to use the gateway of the remote network.

Figure E: Select whether you want the connecting client to be part of the Windows domain.

Another concern related to connection types and networking setup comes up when users try to use a nonstandard ISP to connect their VPN. A nonstandard ISP is one that adds items into the Network applet of the control panel. I have had many issues with ISPs that add protocols or adapters into the client networking setup. When supporting users, you should provide or recommend a good ISP for dial-up access in order to save yourself a lot of headaches down the road. If you have a user

212 Administrator’s Guide to TCP/IP,Second Edition who is having trouble accessing the VPN, ask Client configurations whether any software was installed that may Client VPN problems can be tough to diag- have affected the network stacks, such as spe- nose. I have found client troubleshooting cial client software from the ISP. issues generally not to be related to VPN/ For the VPN client, an important consider- PPTP but to changes on the end user’s PC. ation is whether the VPN connection will This can include problems with: authenticate the client to be part of the Win- X Virtual hardware devices (modems in par- dows domain or authenticate it on the VPN ticular) not operating correctly. server and simply give it a connection to the internal network. This setting is configured on X Bogus DHCP leases/assignments requiring the VPN client, and it varies slightly with dif- a manual release/renew. ferent versions of Windows. Generally, you X Installed software that has modified the can configure this setting by selecting (or not networking stack of Windows. selecting) the Include Windows Logon X Settings that have been accidentally changed Domain in the Properties dialog box for the on the VPN connection itself. VPN connection in the Network/Dial-up While diagnosing these problems is chal- Figure D Connections applet. shows an example lenging, getting the VPN to work again is usu- of what this looks like using Windows XP as ally fairly easy. One trick I’ve relied on is the client operating system. (Windows 2000 creating two identical PPTP connections on looks almost identical to this.) the client computer. I put one on the desktop Another important aspect of the VPN as a shortcut and keep one untouched. Since client setup is the default gateway. If the client the end user does not utilize it, I can use it as a VPN connection is set up to use the default support tool. 
This setup allows you to tell if gateway on the remote network, all Internet the settings of a PPTP connection are inhibit- traffic will be routed through the VPN con- ing the user from authenticating and/or con- nection. For example, if someone makes a necting correctly. VPN connection from a home machine, any time that person tries to access an Internet site, Monitoring the request will be sent over the VPN tunnel Monitoring the VPN connections is important to the company network and out the Internet. to ensure that they are working correctly and The downloaded page will then be sent back are not being abused. Here are some ways you down the VPN tunnel to the client. Obviously, can monitor your VPN server: most of the time you’re not going to want this X Use Remote Access Admin—This to happen. configuration applet shows you current But if you do want to enable this setting— connections, lets you see how long the for example, for tracking all Internet traffic active connections have been online, and from a company laptop—on a Win2K client, provides statistics on the number of bytes go to the Properties of the VPN connection transferred. and select the Networking tab. Then, select X Use WINS/DHCP Admin—This tool TCP/IP, click Properties, click Advanced, and lets you determine whether you have a select the Use Default Gateway On Remote DHCP lease reserved for a VPN client. Network check box, as shown in Figure E. Name resolution is also an important part X Reevaluate VPN strategy—If the VPN of supporting a VPN client. The easy option is solution is a trusted VPN (all TCP ports to have RAS use DHCP assignments for VPN open) to all clients, consider adding TCP/IP connections. 
This option will usually give the security (Advanced Properties of TCP/IP clients the same network resolution services from the Network applet of the control that DHCP connections on the internal net- panel) for the explicit ports needed to the work are entitled to use and will greatly sim- VPN server’s internal interface. plify the work of an admin.

Windows Networking 213 MICROSOFT RESOURCES Final word The Windows NT 4 VPN server is still in use Microsoft provides detailed information in many organizations, and keeping the con- about client and server PPTP connections nections working correctly will ease your on Windows NT Server 4. You can down- administration worries. The tips provided here load these documents from the Microsoft should be a valuable companion for trou- Web site (http://www.microsoft.com/ bleshooting and monitoring your NT 4 VPN ntserver/techresources/commnet/ servers and their connecting clients. default.asp).

Tune Windows NT for better network performance
Jun 26, 2003
By Scott Lowe, MCSE

A well-tuned Windows NT server provides users with a much better experience, improves productivity, and can help reduce help desk calls complaining about speed. Out of the box, a Windows NT system is a fully functional system, but there are steps you can take to improve the performance of your systems.

Check your hardware
Especially on older equipment, you can achieve an immediate performance boost by simply replacing network hardware. If your Windows NT server is using a 16-bit board, it’s time to replace it. Network adapters are an inexpensive and easy replacement.

One other easy thing to check is whether or not your server’s network hardware is capable of faster speeds. Is the existing adapter only capable of 10 Mbps? If so, replace it with a board that supports 100-Mbps speeds if your network can support it. While replacing hardware isn’t exactly “tuning,” the desired result is faster networking, and faster network hardware will help to achieve that goal.

While you’re looking at the properties for your network adapter, take a look at the duplex settings. If it’s set for half duplex but capable of full, you’re cheating yourself out of simultaneous sending and receiving of data in addition to introducing more collisions on the Ethernet. Full duplex allows the server to both send and receive data at the same time. Because of this, collisions are reduced since there is never unanticipated traffic on that particular network connection.

For my example, I am using a Compaq Netelligent network adapter in a Compaq Proliant 1600 server. Your system may work a little differently, but the concepts will be the same. To view the statistics for your Windows NT-based network adapter, open the Network Control Panel and click on the Adapters tab. Choose an adapter and click the Properties button. On my server, I am provided with a list of Compaq adapters and must choose one and click Properties again to continue, as in Figure A. When the Properties window appears, select the Settings tab. As you can see in Figure B, this server’s network adapter is running at 100 Mbps in full duplex mode. You can change any of these settings by making the appropriate selection from the respective drop-down list. For example, if you wanted to set the card to half duplex (if for some reason, full duplex doesn’t work on your network), select Half from the Duplex Setting drop-down list.

Figure A: List of available Compaq network adapters
Figure B: Properties for the Compaq network adapter

Check your protocol usage
TCP/IP is the protocol of choice for almost every major network operating system. While some legacy applications might require other protocols such as NetBEUI or IPX/SPX, if your organization doesn’t run one of these applications, there is very little reason to keep the extra protocols around. To see a list of protocols on your Windows NT server, open the Network Control Panel and choose the Protocols tab. In Figure C, you can see that this particular Windows NT system has NWLink IPX/SPX, NWLink NetBIOS, and TCP/IP enabled. You can improve performance on the server by discarding unneeded protocols. Just remove them by selecting the protocol and clicking Remove. If you’re running a network without any older NetWare servers or with no other IPX/SPX applications, you can safely do without IPX. Also, some NT servers run NetBEUI in addition to TCP/IP. You’ll only need NetBEUI if there are special applications on your network that require it (which is highly unlikely) or if you have very old client workstations running DOS or Windows 3.x that connect to your server.

Figure C: Three protocols are enabled on this Windows NT system.

Check the order of things
If you’re forced to run multiple protocols, the order in which they are bound to the network adapter can also affect overall perceived performance for users. For example, if the primary protocol used is TCP/IP, it should be bound to the adapter first. You can view the bindings on Windows NT by looking at the Bindings tab on the Network Control Panel (see Figure D). To change the order of the protocols, start by expanding the service you want to tweak. Next, select the protocol and click Move Up to increase its priority. If you want to decrease the priority, click Move Down. You can also temporarily disable a protocol by clicking Disable.

Figure D: NetBIOS and Server bindings for this server

You WINS some, you lose some…
In many circumstances, making sure that WINS is bound to the NetBIOS interface first will improve overall performance. Windows NT uses NetBIOS for its underlying work. This will also result in fewer broadcasts and improved overall network performance on the network since the server is using WINS for name resolution rather than broadcasts.

Registry tweaks
Because Windows networks rely on the replication of information between domain controllers, the servers can generate a lot of network broadcast traffic. Depending on the location, number of controllers, and how often changes are made to user information, this can negatively impact network performance. By modifying certain registry entries on each server, you can reduce the amount of traffic generated by NT servers. These registry tweaks revolve around three different areas:
- PDCs
- BDCs
- The Browser service

DANGER! DANGER! DANGER!
This article suggests making changes to your server’s registry. Make sure you have a complete backup of your server before performing any of the techniques in this article. If you make a mistake when making changes to your server’s registry, you may cause your server to be unbootable, which would require you to reinstall Windows. Proceed with extreme caution.

PDC changes
Every five minutes, the PDC checks the SAM database to see if any changes have been made. If you don’t make regular updates to the SAM database, such as adding or deleting users from your network, you can safely increase this interval. This is especially useful when you have servers spread out across multiple locations and have to deal with replication across slower links.

To make the change, run Regedit. In the registry, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Modify the value of the Pulse registry key to be the number of seconds you would like to wait between SAM checks. The end result will be less network traffic, assuming that you don’t make too many SAM changes.

If you make a lot of changes in this period, however, you run the risk of trying to fit too much information into the incremental update buffer. This can result in a full replication of the PDC to the BDC, thus tying up network resources. This buffer is 64 KB in size. To increase the size of the buffer, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Modify the ChangeLogSize key to be the size you think you need.

For administrators that make very infrequent changes to the SAM, there is little replication that takes place. However, every two hours, the PDC sends BDCs a message indicating that it is still operating. This interval can also be increased to reduce network traffic. In the same registry location as above, modify the contents of the PulseMaximum key to reflect the number of seconds you would like the PDC to send no updates before sending this “alive” message.

BDC, member server, and workstation changes
An increase in the number of buffers allowed by the redirector service on BDCs, member servers, and workstations may result in an increase in overall network performance. If an application uses an additional thread because of the increase, the result is an additional 1 KB of non-paged RAM that is used.

To increase buffers and add processing threads, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters. Either add a key named MaxCmds or modify the existing key if it is there. This should be a DWORD key. The default is 15, but can range anywhere from 0 to 255. Likewise, either add a new or modify an existing key named MaxThreads and set it to the same value as the MaxCmds key. Additionally, you may want to try increasing the size of the MaxCollectionCount key, which is the buffer responsible for character-mode named pipe writes. It has a default value of 16, but can range anywhere from 0 to 65,535.

Browsers
I’m not talking about Web browsers—instead I’ll discuss the network browser services that allow resources to be accessed by name on Windows networks. By default, the Windows NT primary domain controller is assigned the role of domain master browser on the network. In this role, it is responsible for compiling a list of network resources from other browsers by downloading the domain/workgroup list from the WINS server and contacting the master browser in each one. This contact takes place every 12 minutes, which is why a new resource on a Windows network might not show up immediately after being added.

When a browse master becomes unavailable, the network performs an election to choose a new one based on the OS. For example, a Windows NT system will be chosen over a Windows 95 system for this purpose if it is available. By modifying the registry on an NT system in each subnet, you can force a specific system to assume this role without an election. To do so, modify this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster. Change its value to Yes. This will reduce network traffic as well as load on the individual systems. Be sure to select systems that are highly available if you choose to do this.

Clients use backup browsers to locate resources on the network. These browsers are fed information from the masters. You can choose which systems will be or will not be made backup browsers by modifying the contents of this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList. Set the value to Yes or No.

It just keeps going and going
Windows NT has been around for a long time now, and if everything is running fine in your organization, there’s no real reason to migrate to a newer OS yet. But just because Windows NT is old, it doesn’t mean that you can’t increase its performance. By checking hardware, checking networking system components, and modifying registry entries to control system behavior, you can get more out of your Windows NT systems and improve overall network performance.
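The registry tweaks above are easier to roll out consistently as a REGEDIT4 file that Regedit can import than by hand. The following is an added example, not the article's own code: it writes the Netlogon, LanmanWorkstation and Browser values into that format after checking each against the limits the article states (MaxCmds and MaxThreads 0 to 255, MaxCollectionCount 0 to 65,535, Yes/No for the Browser values, and the article's defaults of 300 s, 7200 s and 64 KB as lower bounds for Pulse, PulseMaximum and ChangeLogSize, since the text only ever recommends raising them). The parser for reading an export back and the sample values are constructed for the example.

```python
"""Emit the NT 4 network tuning values discussed above as a REGEDIT4 script.

Added example, not code from the article. Key paths and value names are the
article's; the range checks are the article's stated limits and defaults.
"""

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
LANMAN_WS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
BROWSER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters"

DWORD_MAX = 0xFFFFFFFF  # a REG_DWORD is 32 bits; the article gives no upper bound for these three

# value name -> (key path, REGEDIT4 type, allowed integer range or allowed strings)
SPEC = {
    "Pulse":              (NETLOGON, "dword", (300, DWORD_MAX)),    # seconds between SAM checks
    "PulseMaximum":       (NETLOGON, "dword", (7200, DWORD_MAX)),   # seconds before "alive" message
    "ChangeLogSize":      (NETLOGON, "dword", (65536, DWORD_MAX)),  # incremental update buffer, bytes
    "MaxCmds":            (LANMAN_WS, "dword", (0, 255)),           # redirector buffers
    "MaxThreads":         (LANMAN_WS, "dword", (0, 255)),           # should equal MaxCmds
    "MaxCollectionCount": (LANMAN_WS, "dword", (0, 65535)),         # character-mode named pipe writes
    "IsDomainMaster":     (BROWSER, "sz", ("Yes", "No")),
    "MaintainServerList": (BROWSER, "sz", ("Yes", "No")),
}

# Defaults the article quotes, used to spot values an export still has untouched.
DEFAULTS = {"Pulse": 300, "PulseMaximum": 7200, "ChangeLogSize": 65536,
            "MaxCmds": 15, "MaxCollectionCount": 16}


def validate(name, value):
    """Raise ValueError if a value is outside the range the article gives for it."""
    if name not in SPEC:
        raise ValueError(f"unknown tuning value {name!r}")
    _, kind, allowed = SPEC[name]
    if kind == "dword":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name}: DWORD value must be an integer, got {value!r}")
        lo, hi = allowed
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside {lo}..{hi}")
    elif value not in allowed:
        raise ValueError(f"{name}: expected one of {allowed}, got {value!r}")


def build_reg_script(settings):
    """Return REGEDIT4 text for a {name: value} mapping, one section per registry key."""
    if ("MaxThreads" in settings and "MaxCmds" in settings
            and settings["MaxThreads"] != settings["MaxCmds"]):
        raise ValueError("MaxThreads should be set to the same value as MaxCmds")
    by_key = {}
    for name, value in settings.items():
        validate(name, value)
        path, kind, _ = SPEC[name]
        if kind == "dword":
            entry = f'"{name}"=dword:{value:08x}'  # REGEDIT4 writes DWORDs as 8 hex digits
        else:
            entry = f'"{name}"="{value}"'
        by_key.setdefault(path, []).append(entry)
    lines = ["REGEDIT4", ""]
    for path, entries in by_key.items():
        lines.append(f"[{path}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


def parse_reg_script(text):
    """Read the value lines of a REGEDIT4 file (e.g. an export) back into a dict.

    Only the tunables in SPEC are kept, so other values in an export are ignored.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('"'):
            continue
        name, _, rhs = line.partition("=")
        name = name.strip().strip('"')
        if name not in SPEC:
            continue
        if rhs.startswith("dword:"):
            values[name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            values[name] = rhs[1:-1]
    return values


def still_at_default(values):
    """Names of the article's tunables that an export leaves at the default (or unset)."""
    return sorted(n for n, d in DEFAULTS.items() if values.get(n, d) == d)


if __name__ == "__main__":
    # Constructed sample: check the SAM hourly, double the change-log buffer,
    # raise redirector buffers, and pin the domain master browser role.
    sample = {"Pulse": 3600, "ChangeLogSize": 131072, "MaxCmds": 64,
              "MaxThreads": 64, "IsDomainMaster": "Yes"}
    print(build_reg_script(sample))
```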

The Win9x VPN client connection guide
Jun 5, 2002
By Dr. Thomas Shinder, MCSE

VPN Servers go a long way toward saving money for companies with remote access clients. In the not-so-distant past, companies that wanted to give road warriors access to corporate internal network resources needed to install modem banks and multiple phone lines. The cost of installing multiple dial-up RAS servers was compounded by the long distance charges or costs incurred from 1-800 numbers. VPN servers remove this cost-rich hardware/telco layer and allow you to support dozens and even hundreds of remote access calls with a single VPN server and high-speed Internet connection.

Most of the articles I see on the Internet focus on how to set up and configure the VPN server. This makes sense, since most of the complicated work in setting up a VPN client/server solution is done at the VPN server. However, configuring VPN clients is not always a piece of cake. This is especially true when dealing with legacy VPN client operating systems, such as the Windows 9x line.

We’ll look at how to configure your Win9x computers to be VPN clients that connect to Windows NT 4.0 VPN servers. You can use the same procedures to configure the Win9x clients to connect to Windows 2000 VPN servers. The only major difference between connecting to Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support the L2TP/IPSec VPN protocol. However, this doesn’t pose much of a problem for our Win9x VPN clients, because the only VPN protocol supported by Win9x operating systems is the Point-to-Point Tunneling Protocol (PPTP).

Windows 9x Dial-up Networking Service 1.4 (DUN 1.4)
Before getting into the nuts and bolts of configuring the Win9x VPN client, you need to familiarize yourself with the latest update to the Win9x Dial-Up Networking Service, DUN 1.4. There are several reasons why you’ll want to download and install DUN 1.4, including:
- Support for 128-bit encryption.
- A Y2K fix for the VPN DHCP client component.
- Fixes that improve the stability of the PPTP connection.
- Support for internal ISDN adapters.
- Multilink support.
- Support for PPTP connections over a “LAN” or dedicated connection (such as DSL or cable).

Check out Microsoft Knowledge Base article Q297774 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297774&SD=MSKB&) for full details on DUN 1.4. There are several versions of DUN 1.4, one each designed for Windows 95, Windows 98, and Windows 98SE. Information about the updates and files for download can be found in Microsoft Knowledge Base article Q285189 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q285189). Be aware that you will need to restart the computer at the end of the DUN 1.4 installation.

NOTE
Windows Me does not require the DUN 1.4 Dial-up Networking update.

Configuring the Windows 9x VPN client
The procedure for configuring the Windows 9x VPN clients is very similar, with only very minor differences between each version. Prior to configuring the PPTP VPN client connection on the Win9x client, make sure you have an Internet connection to the Internet VPN server. The Internet connection device can be an analog dial-up modem, ISDN terminal adapter, a DSL line, or a cable connection.

Let’s use the Windows 95 client as an example of how to configure all the Win9x clients. Perform the following steps on your Windows 95 computer:
1. Click Start | Programs | Accessories. Point to Communications, and then click on Dial-up Networking.
2. The Dial-up Network Wizard Welcome dialog box will appear (Figure A). Click Next to continue.
3. On the next page, type in a name for the connection in the Type A Name For The Computer You Are Dialing text box. Click the down arrow in the Select A Device drop-down list box and select the Microsoft VPN Adapter option (Figure B). DUN 1.4 added this feature to your Windows 95 computer. Click Next.
4. On the Make New Connection page, type in the IP address or the Fully Qualified Domain Name (FQDN) of the VPN server that the Windows 95 computer will connect with (Figure C). If you use an FQDN, make sure that there is an entry in the public DNS that resolves to the IP address on your VPN server that is listening for incoming VPN connections. If you do not have a DNS entry for your VPN server, enter an IP address instead. Click Next.
5. On the last page of the wizard (Figure D), you’ll be told that you’ve done everything right and that you’ve created a new connection. After you click Finish, the connectoid will appear in your Dial-Up Networking folder.
6. Return to the Dial-Up Networking window. You should see the icon for the VPN connectoid you just created, and another connectoid for an ISP connection if you require a dial-up connection to access the Internet (Figure E).

Figure A
Figure B
Figure C
Figure D
Figure E

NOTE
You must create the dial-up connection separate from the VPN connection.

Further tweaking with VPN Properties
You might want to do some further tweaking of the VPN connection. Right-click the VPN connectoid and click Properties. On the General tab (Figure F), you can change the name or IP address of the VPN server. This is convenient because, if the name or address of the VPN server changes, you don’t have to create a new connectoid. Just change an existing one.

You can make many customizations on the Server Types tab (Figure G). By default, the Log On To Network and Enable Software Compression options are enabled. For connections that support MS-CHAP, check the Require Encrypted Password box. If you want to use MS-CHAP version 2, the client will negotiate MS-CHAP version 2 with the VPN server first. If the server does not support MS-CHAP version 2, the client will drop down to support MS-CHAP version 1. Also, make sure that data encryption is enabled. If you want to optimize connection speed, uncheck protocols that you do not use. If you do not disable the protocols, the client will attempt to negotiate each one selected.

Figure F
Figure G
Set high encryption for the link.

When you click on the TCP/IP Settings button at the bottom of the Server Types tab, you’ll see the options shown in Figure H. Most VPN servers will automatically assign IP addressing information to the VPN client. Therefore, you should leave the default settings Server Assigned IP Address and Server Assigned Name Server Addresses as they are. The Use IP Header Compression option should be set if the VPN server supports this option.

Figure H

The most interesting option is the Use Default Gateway On Remote Network. When this option is selected, the VPN client uses the VPN interface as the gateway for all nonlocal network addresses. If the client dialed in to an ISP first, the ISP assigned the computer a default gateway at the ISP to allow the client access to the Internet. However, when the Use Default Gateway On Remote Network option is enabled, the VPN client is assigned a new default gateway, which is the VPN server’s VPN interface. The end result is that the VPN client cannot access the Internet once it connects to the corporate VPN.

If this option is disabled, the VPN client will be able to access both the internal corporate network and the Internet at the same time. This creates the possibility that the VPN client will be able to route packets from the Internet to the internal network. Allowing the VPN client to access the Internet through the ISP and also the corporate network through the VPN at the same time is poor security practice. This is akin to allowing users on the internal network to plug modems into their computers and thus bypass corporate Internet access policies.

The Windows 98/98SE VPN client
Configuring the Windows 98/98SE client works exactly the same as configuring the Windows 95 client. The interfaces are virtually identical after installing DUN 1.4. The only difference you’ll see is found in the Connections menu in the Dial-up Networking window. In the Dial-up Networking window, click Connections and then click Settings (Figure I). Windows 98/98SE allows you to configure a redial value and a wait interval before redialing. This option isn’t available in the Windows 95 dial-up networking. You also have the option to be prompted before a dial-up connection is established. This is helpful when you use dial-up networking to map network drives via the VPN interface.

Click on the Security tab and you’ll see the options shown in Figure J. Both Disable Sending Of LAN Manager Passwords and Require Secure VPN Connections are enabled by default. LAN Manager password authentication is inherently insecure and should always be disabled. The secure VPN connection option will force 128-bit encryption. If the VPN server does not support 128-bit encryption, the connection attempt will fail. If this option is not enabled, the client will first negotiate 128-bit encryption. If the negotiation fails, it will fall back to 40-bit encryption.

Figure I
Figure J

Some final thoughts on troubleshooting
There are a handful of troubleshooting issues you should be aware of before finalizing your VPN client/server solution. Many ISPs do not allow incoming GRE packets into their networks, or they require that the user pay extra for a “business account.” If the VPN client cannot establish a VPN connection with the corporate VPN server, the user should contact his ISP to determine if GRE connections are allowed for the user’s account.

Windows 9x clients will not be able to connect to VPN NLB server clusters if the NLB interface still has the actual IP address configured on the cluster servers. Only the virtual IP address can be listed on the external interfaces of the cluster members if you expect to connect down-level clients to a PPTP VPN NLB cluster. If the VPN client fails to connect to a PPTP NLB cluster, confirm that only the virtual IP address appears on the external interface of each of the cluster members.

If a WINS server is manually assigned to a NIC, the PPTP VPN client will not be able to obtain a WINS server address on the PPTP VPN interface. This is in spite of the fact that the WINS address is configured only on the NIC. Note that manually setting a DNS server address on the machine’s NIC will not prevent the PPTP VPN client from obtaining a DNS server address from the VPN server.

You may run into issues when users plug directly into the corporate network with an Ethernet card while at work, and then go home and try to connect to the same network through the PPTP VPN interface. The user may need to run the Winipcfg utility from the Run menu to renew the IP address. If that does not work, the NIC may need to be removed before the VPN user can connect to the network remotely.
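Both this article and the NT 4 VPN article before it describe what the Use Default Gateway On Remote Network option does to the client's route table. The following is an added example, not code from either article, that models the two resulting tables and resolves sample destinations against them. Every address in it is constructed (documentation ranges): the ISP-assigned gateway, the PPTP server's public address, the corporate network behind it and the VPN interface address; route selection is longest-prefix match with the lowest metric winning ties, a simplification of the Windows table that is enough to show both behaviours and to flag the split-tunnel condition the article warns about.

```python
"""Model of what "Use Default Gateway On Remote Network" does to a PPTP client's routing.

Added example, not code from the article; all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

ISP_GATEWAY = "203.0.113.1"   # default gateway handed out by the ISP at dial-up time
VPN_SERVER = "198.51.100.10"  # public address the VPN connectoid dials
CORP_NET = "10.0.0.0/8"       # internal corporate network reached through the tunnel
VPN_GATEWAY = "10.0.0.1"      # the VPN server's VPN interface, used as gateway by the client


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str  # "isp" (dial-up/broadband adapter) or "vpn" (PPTP adapter)
    metric: int


def client_routes(use_default_gateway_on_remote: bool):
    """Routes a PPTP client ends up with, option off (split tunnel) or on."""
    routes = [
        # ISP default route, plus the host route that keeps the tunnel endpoint reachable
        Route(ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY, "isp", 1),
        Route(ipaddress.ip_network(VPN_SERVER + "/32"), ISP_GATEWAY, "isp", 1),
        # the corporate network always goes through the tunnel
        Route(ipaddress.ip_network(CORP_NET), VPN_GATEWAY, "vpn", 1),
    ]
    if use_default_gateway_on_remote:
        # the option adds a second default route through the tunnel that wins (lower metric)
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), VPN_GATEWAY, "vpn", 0))
    return routes


def select_route(destination: str, routes):
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        raise LookupError(f"no route to {destination}")
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(destination: str, use_default_gateway_on_remote: bool) -> str:
    """Interface that carries traffic to destination under the given setting."""
    return select_route(destination, client_routes(use_default_gateway_on_remote)).interface


def is_split_tunnel(routes) -> bool:
    """True when Internet traffic leaves via the ISP while a tunnel route exists,
    i.e. the client has a foot in both networks at once."""
    internet = select_route("192.0.2.1", routes).interface  # any non-corporate address
    return internet == "isp" and any(r.interface == "vpn" for r in routes)


if __name__ == "__main__":
    for option in (False, True):
        table = client_routes(option)
        print(f"Use Default Gateway On Remote Network = {option}: "
              f"Internet via {egress('192.0.2.1', option)}, "
              f"corporate via {egress('10.1.2.3', option)}, "
              f"tunnel endpoint via {egress(VPN_SERVER, option)}, "
              f"split tunnel: {is_split_tunnel(table)}")
```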

222 Administrator’s Guide to TCP/IP,Second Edition Troubleshoot Windows RAS and VPN connections with these tips Oct 19, 2001 By Carol Bailey, MCSE+I anaging remote access servers itself. But a quicker and more elegant solution can be among the most high- is to run the RAS Server Monitor (Rassrv- M maintenance activities that any mon.exe) from the Windows 2000 Resource administrator has to juggle. Simply put, tons of Kit (http://www.microsoft.com/win- things can go wrong that prevent a user from dows2000/techinfo/reskit/default.asp), connecting, stop a user from accessing network which, unfortunately, works only with Win- resources, or slow down the user’s connection. dows 2000 RAS servers and not with NT4 However, many of these problems are RAS servers. beyond the administrator’s immediate control, You can have the utility running perma- such as client configuration difficulties, hard- nently on your workstation so that you can ware problems at the remote user’s end, issues quickly check the server’s status with the util- with the user’s ISP (if connecting over a VPN), ity’s GUI, or you can run it on another com- and Internet bandwidth problems. puter and leave it to collect the monitored In my experience, once a RAS server is up information to a file. You can then check the and running, subsequent reported problems information ad hoc. If you have multiple RAS tend to be user-related issues rather than servers, you should have multiple instances of server problems. Nevertheless, you can bet the RAS Server Monitor—one for each server. users will contact you and complain about This utility produces three files, which all problems with the RAS server(s). And when have the base name of the server (name or they do, you usually have to confirm that address) that you provide when you load the everything is working as expected on the utility, with the extensions .webstatus, .userlist, server side before they will doubt their end of and .userdetails. 
the connection.

I've had many frantic calls from remote users complaining that the RAS server is down and must be fixed immediately because it is imperative for them to do their work, and only after I've proved that the problem is not with the RAS server have they looked a little closer to home and found the problem. So what can you do to streamline the troubleshooting process? I've put together some tips that can help with this time-consuming exercise.

Gather timely information
When a user complains that the RAS server is down, the most obvious thing to check is that the server is running and that the RAS service is started. Most admins check this by pinging the server and then connecting to the server to verify that the RAS service is up. Of course, you can do this from your workstation rather than physically on the server.

The .webstatus file is designed to be posted on a Web server, so you can publish the current status of your RAS server on your company intranet. This includes information such as the number of currently connected users, total calls, total bytes transferred, and the total and peak number of connections. The .userlist and .userdetails files provide more details on each connection made and include information such as user name and workstation name, the IP address allocated and type of port used, the number of bytes transferred, the first and last connection, the connection duration, and the line speed.

As a background task, you can also configure the RAS Server Monitor to alert you if it detects problems, so that you will know about them before a user contacts you. The first alerting service monitors whether the RAS service is up by sending the MprAdminPortEnum API to the server you specify. A failure to respond means the service or server is down. You configure the alert (for example, send an e-mail message or log an error) by running a program of your choice when the number of failed responses continues over a period of time. By default, this time period is 10 minutes. The second alerting service monitors for inactive RAS connections over a specified time period. Obviously, there may be legitimate reasons for this inactivity (for example, overnight hours and quiet periods during popular vacation times), but on RAS servers that are usually busy during the day, it could indicate that there's a problem with the line(s), which would not be detected by the service API monitor.

Windows Networking 223

Does the user have dial-in permission?
If you're running RAS servers in a native-mode Active Directory domain, you can use the new permission Control Access Through Remote Access Policy on all user accounts so that dial-in permissions are always kept centrally on your RAS servers as part of your Remote Access Policies. However, if you are still using NT4 RAS servers or your Active Directory is not in native mode, you will need to grant the dial-in permission on each user account. It can be quite tedious and time-consuming to individually check this on multiple accounts. One way to ease the burden a bit is to make it a regular administrative task to use the Resource Kit tool RASUsers to output a list of all users that have been granted this right. You can then import this information into a database or spreadsheet, making it very quick to search and confirm whether a user account has been granted that right.

Are Remote Access Policies preventing users from connecting?
Windows 2000 Remote Access Policies are great for granular control of user permissions and connections. However, they can also be a pain to support, and they can get so complex that it's difficult to figure out which policy is being used, and thus, which condition is responsible for a failed connection. My first tip here would be to make sure that you know how the administration modes work for Remote Access Policies, use the simplest policies you can, bear in mind the order of processing, and document your choices (perhaps with a flowchart to show their decision criteria for allowing connections). My second tip—particularly when using multiple RAS servers—is to centralize authentication with Windows 2000's Internet Authentication Service (IAS), even if you have to load it on the same machine as Win2K RRAS. This is because IAS will record which Remote Access Policy is being used with each connection in the Event Log, which makes it much easier to troubleshoot policy problems.

Is your firewall preventing VPN users from connecting?
If you have VPN connections using PPTP, you will need to allow TCP port 1723 and IP protocol 47 (GRE) to pass through your firewall. If you are using L2TP/IPSec, you will need UDP port 500 and IP protocol 50 (ESP) to pass through the firewall. If you are using AH as well as ESP in your IPSec policies, you will also need IP protocol 51 (AH) to pass. You can use the Windows 2000 Resource Kit utility PPTP Ping to confirm that this protocol is working between client and server. Simply install pptpsrv.exe on the RAS server and install pptpclnt.exe on the client. On the client, issue the pptpclnt command with the server name or domain name as its argument. If the protocol reaches the server, the server will display a success message. If port 1723 is blocked, or if port 1723 is open but protocol 47 is blocked (the most common configuration mistake with firewalls), this will be reported as an error, since no connectivity will take place. In the early stages, when you are testing your VPN server, the simplest way to check the viability of the VPN server itself is to eliminate the firewall by setting up a client VPN connection over Ethernet rather than over the Internet. If this doesn't work when there is no firewall between the server and the client, you can't blame the firewall for the connection problem.

224 Administrator's Guide to TCP/IP, Second Edition

Are certificates preventing L2TP/IPSec users from connecting?
When it comes to troubleshooting L2TP/IPSec connections, I would put problems with certificates at the top of the list of potential problems. Verify that both client and server have a Certificate Authority (CA) in common and that both have been issued with a valid computer certificate from this CA. If the certificates have been issued outside Active Directory, it's particularly important to ensure that the certification path has been installed and the system date/time is correct on both computers.

Are there performance problems?
There are a hundred and one reasons for connections not going as quickly as users would like, but one of my tips is to give remote clients LMHOSTS and/or HOSTS files that contain the domain name and the main servers, such as domain controllers, WINS servers, and any servers the user needs for network resources. This should reduce any problems that might be caused by name resolution issues.

If you think poor performance could be due to overstressing your RAS server, use the Performance Monitor counters to keep an eye on memory and processor metrics. PPTP will incur more processing than PPP (because of the encryption), and L2TP/IPSec will be higher still (because of the IPSec processing). If you suspect the additional stress of running L2TP/IPSec is responsible for poor performance, look to see whether you are using 3DES encryption on most connections (the default for 128-bit versions). If so, consider disabling the default L2TP/IPSec policy and configuring your own policy that uses DES rather than 3DES. You could also invest in a network card that offloads some of the IPSec processing.

The RAS Server Monitor also provides statistical information you might find useful here, such as peak connection time, total connect time, and total bytes transferred. You can use its sister utility, Reportgen, to provide reports from the information produced by Rassrvmon, which can help provide trend analysis to help you determine whether reports of poor performance are linked to high usage.

Prevent user misconfiguration problems
If possible, discourage or prevent most users from changing their RAS settings if their configuration is working. (Windows 2000 Local Group Policies are fantastic for enforcing this.) However, when a user has to configure a connection from scratch, this is another matter. You may find that deploying preconfigured connections with a dialer program is a worthwhile investment of time. Windows 2000 Server now ships with Connection Manager Administration Kit (CMAK), which allows you to preconfigure remote access connections for your users and customize the configuration with your own company logos, etc. You can include a static address book for your RAS server details or, if you think your RAS server details may change, you can supply the phone book as an automatic download that will update clients with any changes. You'll find details for using CMAK at http://www.microsoft.com/WINDOWS2000/en/server/help/cmak_ops.htm.

Contingencies
Many network admins prefer VPN connections over dial-up modems these days because they have many cost advantages and it's easier to run multiple simultaneous connections, which eliminate the need for modem banks. However, consider keeping some PPP ports in case users have problems connecting over the VPN—for example, if their ISP is having problems. Because these dial-up connections use Point-to-Point rather than the Internet, they also offer a more secure medium, which means that you may consider configuring them with lower security options, such as CHAP authentication for non-Windows clients and no encryption for better throughput. If you are using Windows 2000 Remote Access Policies, you can easily configure the security settings for these different connections based on the port type being used.

Summing up
Running a trouble-free RAS service isn't easy, but I hope these tips and tools will help you streamline troubleshooting this important service. The tips have included gathering timely information on your RAS servers' status, verifying dial-in permission and Remote Access Policies, firewall configuration, certificate verification, performance improvements, preconfiguring connection details for users, and having some contingency plans to call upon.

Fix the four biggest problems with VPN connections
May 8, 2003
By Brien M. Posey, MCSE

VPNs have gone from obscurity to being a common method of linking private networks together across the Internet. Although VPNs initially became popular because they free companies from the expense of connecting networks with dedicated leased lines, part of the reason that VPNs have become so accepted is that they tend to be very reliable. Even so, VPN connections do occasionally experience problems. Here are several techniques you can use to troubleshoot VPN connections.

What's the problem?
There are four types of problems that tend to occur with VPN connections. These include:
• The VPN connection being rejected.
• The acceptance of an unauthorized connection.
• The inability to reach locations that lie beyond the VPN server.
• The inability to establish a tunnel.

The VPN connection is rejected
Having a VPN client's connection rejected is perhaps the most common VPN problem. Part of the reason this problem is so common is that there are a lot of issues that can cause a connection to be rejected. If your VPN server is rejecting client connections, the first thing you need to do is to check to make sure the Routing And Remote Access service is running. You can check this by opening the server's Control Panel and clicking on the Administrative Tools icon, followed by the Services icon.

Once you've verified that the necessary services are running, try pinging the VPN server by IP address from the VPN client. You should ping by IP address initially so that you can verify that basic TCP/IP connectivity exists. If the ping is successful, then ping the server again, but this time ping by the server's fully qualified domain name (FQDN) rather than by its address. If this ping fails where the IP address ping succeeded, you have a DNS problem, because the client is unable to resolve the server's name to an IP address.

Check on the authentication process
Once you've established that there is a valid TCP/IP connection between the VPN client and server, and that name resolution is working correctly, the next thing to check is the authentication process. As you may know, there are a lot of different authentication methods available to a VPN connection. Both the VPN client and the VPN server must have at least one authentication method in common.

You can check to see which authentication methods the VPN server is configured to use by entering the MMC command at the Run prompt. When you do, Windows will open an empty Microsoft Management Console session. Now, select the Add / Remove Snap In command from the Console menu. When you see the Add / Remove Snap In properties sheet, click the Add button on the Standalone tab. This will reveal a list of the available snap-ins. Select Routing And Remote Access from the list and click the Add button, followed by the Close and OK buttons.

Now, the Routing And Remote Access snap-in should be added to the console. Right-click on the listing for your VPN server and select the Properties command from the resulting shortcut menu. This will display the server's properties sheet. Select the Security tab and click the Authentication Methods button. This will cause Windows to display a dialog box with all of the available authentication methods. You can enable or disable authentication methods by selecting or deselecting the appropriate check boxes.

The method for checking the authentication method on the client end varies depending on the client's operating system. For a Windows XP system, right-click on the VPN connection and select the Properties command from the resulting shortcut menu. This will reveal the connection's properties sheet. Now, select the properties sheet's Security tab, select the Advanced radio button, and click the Settings button to reveal the available authentication methods.

I usually prefer to use Windows Authentication in VPN environments, but RADIUS is also a popular choice. If you are using RADIUS Authentication, you must verify that the client supports RADIUS and that the VPN server has no trouble communicating with the RADIUS server.

More things to check
If the authentication methods appear to be set correctly, the next step is to check the technique by which the client is trying to connect to the VPN server. If the client is dialing in to the server, rather than connecting through the Internet, it could be that the remote user has no dial-in privileges. You can check the privileges either by looking at the Dial In tab on the user's properties sheet in Active Directory Users And Computers, or by looking at the domain's remote access policy. This would also be a good time to verify that the user actually knows how to establish the VPN connection and that the user is using the correct username and password.

This may sound obvious, but if your domain is running in Windows 2000 Native Mode, your VPN server needs to be a member of the domain. If the VPN server hasn't joined the domain, it will be unable to authenticate logins.

You also need to take a look at IP addresses. Each Web-based VPN connection actually uses two different IP addresses for the VPN client computer. The first IP address is the one that was assigned by the client's ISP. This is the IP address that's used to establish the initial TCP/IP connection to the VPN server over the Internet. However, once the client attaches to the VPN server, the VPN server assigns the client a secondary IP address. This IP address has the same subnet as the local network and thus allows the client to communicate with the local network.

At the time you set up the VPN server, you must either specify that the server will use a DHCP server to assign addresses to clients, or you can create a bank of IP addresses to assign to clients directly from the VPN server. In either case, if the server runs out of valid IP addresses, it will be unable to assign an address to the client and the connection will be refused.

For environments in which a DHCP server is used, one of the more common setup errors is specifying an incorrect NIC. If you right-click on the VPN server in the Routing And Remote Access console and select the Properties command from the resulting shortcut menu, you'll see the server's properties sheet. The properties sheet's IP tab contains radio buttons that allow you to select whether a static address pool or a DHCP server will be used. If you select the DHCP server option, you must select the appropriate network adapter from the drop-down list at the bottom of the tab. You must select a network adapter that has a TCP/IP path to the DHCP server.

Acceptance of unauthorized connections
Now that I've discussed reasons why a connection might be refused, let's take a look at the opposite problem in which unauthorized connections are accepted. This problem is much less common than not getting connected at all, but it is much more serious because of the potential security issues.

If you look at a user's properties sheet in the Active Directory Users And Computers console, you'll notice that the Dial In tab contains an option to control access through the remote access policy. If this option is selected and the effective remote access policy is set to allow remote access, the user will be able to attach to the VPN. Although I have been unable to re-create the situation personally, I have heard rumors that a bug exists in Windows 2000 that causes the connection to be accepted even if the effective remote access policy is set to deny a user's connection, and that it's best to allow or deny connections directly through the Active Directory Users And Computers console.

Inability to reach locations beyond the VPN server
Another common VPN problem is that a connection is successfully established, but that the remote user is unable to access the network lying beyond the VPN server. By far, the most common cause of this problem is that permission hasn't been granted for the user to access the entire network. If you have ever worked with Windows NT 4.0, you may recall a setting in RAS that allowed you to control whether a user had access to one computer or to the entire network. This particular setting doesn't exist in Windows 2000, but there is another setting that does the same thing.

To allow a user to access the entire network, go to the Routing And Remote Access console and right-click on the VPN server that's having the problem. Select the Properties command from the resulting shortcut menu to display the server's properties sheet, and then select the properties sheet's IP tab. At the top of the IP tab is an Enable IP Routing check box. If this check box is enabled, VPN and RAS users will be able to get to the rest of the network. If the check box is not selected, these users will be able to access only the VPN server, but nothing beyond.

The problem could also be related to other routing issues. For example, if a user is dialing directly in to the VPN server, it's usually best to configure a static route between the client and the server. You can configure a static route by going to the Dial In tab of the user's properties sheet in Active Directory Users And Computers, and selecting the Apply A Static Route check box. This will cause Windows to display the Static Routes dialog box. Click the Add Route button and then enter the destination IP address and network mask in the space provided. The metric should be left at 1.

If you're using a DHCP server to assign IP addresses to clients, there are a couple of other problems that could cause users not to be able to go beyond the VPN server. One such problem is that of duplicate IP addresses. If the DHCP server assigns the user an IP address that is already in use elsewhere on the network, Windows will detect the conflict and prevent the user from accessing the rest of the network.

Another common problem is the user not receiving an address at all. Most of the time, if the DHCP server can't assign the user an IP address, the connection won't make it this far. However, there are situations in which an address assignment fails, so Windows automatically assigns the user an address from the 169.254.x.x range. If the client is assigned an address in this range, but this address range isn't present in the system's routing tables, the user will be unable to navigate the network beyond the VPN server.

Difficulty establishing a tunnel
If everything seems to be working well, but you can't seem to establish a tunnel between the client and the server, there are two main possibilities of what could be causing the problem. The first possibility is that one or more of the routers involved is performing IP packet filtering. IP packet filtering could prevent IP tunnel traffic. I recommend checking the client, the server, and any machines in between for IP packet filters. You can do this by clicking the Advanced button on each machine's TCP/IP Properties sheet, selecting the Options tab from the Advanced TCP/IP Settings Properties sheet, selecting TCP/IP Filtering, and clicking the Properties button.

The other possibility is that a proxy server is standing between the client and the VPN server. A proxy server performs NAT translation on all traffic flowing between the client and the Internet. This means that packets appear to be coming from the proxy server rather than from the client itself. In some cases, this interaction could prevent a tunnel from being established, especially if the VPN server is expecting the client to have a specific IP address. You must also keep in mind that a lot of older or low-end proxy servers (or NAT firewalls) don't support the L2TP, IPSec, or PPTP protocols that are often used for VPN connections.
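The permission logic behind both articles' policy sections (dial-in permission and the Remote Access Policy order of processing in the RAS tips above, and the dial-in privileges and unauthorized-connection sections of this article), modelled as an added Python example that is not code from either article: an ordered policy list evaluated first-match, with the account's own dial-in setting overriding the matched policy's permission. Policy names, groups and port types are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class DialIn(Enum):
    """The three dial-in settings on a Windows 2000 user account."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    POLICY = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, set]  # attribute -> acceptable values; all must hold
    grant: bool                 # the policy's own remote access permission

    def matches(self, attempt: dict) -> bool:
        for attr, allowed in self.conditions.items():
            value = attempt.get(attr)
            if value is None:
                return False
            values = value if isinstance(value, (set, frozenset, list)) else {value}
            if not any(v in allowed for v in values):   # e.g. any group membership
                return False
        return True


def evaluate(user_dialin: DialIn, policies: List[Policy], attempt: dict) -> Tuple[bool, str]:
    """Order of processing: the first policy whose conditions all match is the
    only one consulted; if none matches, the attempt is rejected. The account's
    Allow/Deny overrides the matched policy's permission; only 'Control access
    through Remote Access Policy' defers to it. The reason string names the
    policy, which is the detail IAS records in the Event Log."""
    policy = next((p for p in policies if p.matches(attempt)), None)
    if policy is None:
        return False, "rejected: no Remote Access Policy matched"
    if user_dialin is DialIn.DENY:
        return False, f"rejected: account denies dial-in (policy {policy.name!r} matched)"
    if user_dialin is DialIn.ALLOW:
        return True, f"accepted: account allows dial-in; profile of {policy.name!r} applies"
    verb = "accepted" if policy.grant else "rejected"
    return policy.grant, f"{verb}: by policy {policy.name!r}"


# Constructed policies, in the order the RAS server would process them.
POLICIES = [
    Policy("Contractors dial-up only", {"groups": {"Contractors"}, "port_type": {"Async"}}, True),
    Policy("Contractors no VPN", {"groups": {"Contractors"}}, False),
    Policy("Staff VPN", {"groups": {"Domain Users"}, "port_type": {"VPN"}}, True),
]

if __name__ == "__main__":
    attempt = {"groups": {"Contractors"}, "port_type": "Async"}
    print(evaluate(DialIn.POLICY, POLICIES, attempt))
    # Swapping the first two policies silently denies contractors' dial-up,
    # which is why the order of processing matters when troubleshooting.
    reordered = [POLICIES[1], POLICIES[0], POLICIES[2]]
    print(evaluate(DialIn.POLICY, reordered, attempt))
```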
