Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9
To check the status of the ports, select the remote access server in the right pane of the RRAS console and double-click Ports in the right panel. You will see a display similar to Figure 9.12, informing you which ports are active and which are inactive.
Figure 9.12 Check the status of the remote server ports for activity.
■ Ensure there are sufficient IP addresses in the static address pool of addresses assigned by RRAS to dial-in clients if the server is configured with a static address pool.
To add addresses to the static pool, right-click the server name in the left pane of the RRAS console, select Properties, select the IP tab, and click ADD.
Inability to Aggregate the Bandwidth of Multiple Phone Lines
■ Ensure that the Remote Access Server's PPP options are configured to support multilink.
On the Remote Access Server, PPP configuration options are set in the RRAS console's Properties sheet for the remote access server, as shown in Figure 9.13.
Figure 9.13 Windows 2000 RRAS allows you to configure PPP options on the remote server.
Here, you can select the following PPP options to be used by the server:
■ Select whether multilink connections are allowed. Multilink is a way of aggregating two or more phone lines for greater bandwidth.
■ If multilink is enabled, you can select whether to use the Bandwidth Allocation Protocols (BAP and BACP) to allow multilink to adapt to changing bandwidth demands.
■ Choose to enable the Link Control Protocol (LCP) extensions. For information about LCP options, see RFC 1661.
■ Enable software compression for greater throughput.
Inability to Access the Entire Network
If the client is able to establish a remote connection but cannot access the resources of any computer other than the remote server, ensure that IP routing has been enabled on the server. Check the Enable IP Routing check box on the IP Properties sheet for the server (refer back to Figure 9.11 to see this Properties sheet).
Also, check to see that packet filtering has not been configured to prevent TCP/IP packets from being sent.
If a static address pool has been configured instead of using DHCP, ensure that the routes to the address range(s) of the static IP address pool can be reached by the hosts and routers on the network. You may have to add routes to your routers via a static routing entry, or use a dynamic routing protocol like RIP or OSPF.
If you have set up the remote access server to use DHCP for IP address allocation, and the DHCP server is not available, APIPA addresses (169.254.0.1 through 169.254.255.254) will be used. Unless your network computers are using addresses from this range, the remote clients will not be able to communicate over IP with them.
Client Configuration Problems
Although there is much more that can be misconfigured on the server, if only one client is having connection problems, and there is no physical reason (bad cable, NIC, etc.), chances are good that the client machine is not configured properly to make the remote connection.
Inability to Establish a Remote Connection
■ Ensure that the client is configured to use the same authentication method as the remote server.
■ Ensure that the client is configured to use the same encryption strength as the remote server.
To check (and change) the authentication method on the client machine, right-click the connection name after clicking Start | Settings | Network and Dial-up Connections, and select Properties. On the Security tab, choose ADVANCED, and you will see a dialog box similar to the one in Figure 9.14.
NOTE
The client and server must both use a common authentication and encryption method.
■ Ensure that the user account is configured to allow dial-in access. To do so, from the Active Directory Users and Computers administrative tool on a domain controller, expand the domain in the left pane of the console and right-click the user's name in the right pane. Select Properties, and then select the Dial-in tab, shown in Figure 9.15.
The Allow Access radio button must be checked for the user account to be able to make a remote connection.
The user Properties Dial-in sheet also allows you to configure callback security requirements, assign a static IP address for remote connections, or apply static routes.
Figure 9.14 The authentication method and encryption are set in Advanced Security settings.
Troubleshooting Remote Access Policy Problems
Remote access policies consist of conditions and parameters placed on the incoming connection. Windows 2000 allows you to set policies to control client access based on such things as day of the week or time of the day, group membership, connection type (VPN or dial-in), and set limits on duration of connection, idle time after which the connection is disconnected, and security parameters. Figure 9.16 shows some of the limitations that can be placed on dial-in access.
When a user attempts to make a remote connection, the characteristics of the connection attempt are compared with the authentication information, user dial-in properties, and remote access policies.
When the connection attempt doesn't match any of the remote access policies, access will be denied. Multiple remote access policies can be in place, but this makes troubleshooting connection denials more complex.
Figure 9.15 Remote access permission must be granted in the user Properties sheet.
Determining Which of Multiple Policies Is Causing the Problem
Microsoft recommends that one way to verify which policy is causing the denial is to create a new remote access policy called Troubleshooter and configure it to grant remote access permission for all days/times. Then, move this policy to the top of the list so it will be processed first. If the connection is denied, the problem is either with the Troubleshooter test policy itself, or more likely, with the user account's dial-in Properties settings.
If the connection succeeds, move the test policy down one level and attempt to connect again. If this connection fails, the problem is most likely with the policy just above the Troubleshooter policy. If it succeeds, keep moving the test policy down the hierarchy until a connection is denied, and then examine the properties of the policy that is causing the denial.
Figure 9.16 Remote access policies let you place restrictions on dial-in access.
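The Troubleshooter walk can be modeled to see why the position at which the test policy first produces a denial pinpoints the offending policy, and to show the one case it cannot reveal. This is an added example, not the book's or Microsoft's code: the policy conditions, the sample policies, the connection attempt, and the rule that the first matching policy decides are constructed assumptions of the model.

```python
"""Model of ordered remote access policy evaluation and the Troubleshooter
policy walk. Added example; the policy fields, sample policies and
connection attempt are constructed, as is the first-match rule."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Attempt:
    """Characteristics of one connection attempt (constructed)."""
    user: str
    groups: Set[str]
    conn_type: str      # "dial-in" or "VPN"
    weekday: int        # 0 = Monday ... 6 = Sunday
    hour: int           # 0-23


@dataclass
class Policy:
    """Conditions plus a grant/deny permission. A condition left as None
    matches any attempt; that is how the Troubleshooter policy matches
    all days and times."""
    name: str
    grant: bool
    groups: Optional[Set[str]] = None
    conn_type: Optional[str] = None
    weekdays: Optional[Set[int]] = None
    hours: Optional[range] = None

    def matches(self, a: Attempt) -> bool:
        return all([
            self.groups is None or bool(self.groups & a.groups),
            self.conn_type is None or self.conn_type == a.conn_type,
            self.weekdays is None or a.weekday in self.weekdays,
            self.hours is None or a.hour in self.hours,
        ])


def evaluate(policies: List[Policy], user_allowed: bool, a: Attempt) -> bool:
    """Assumed model: the user's Dial-in 'Allow access' setting must be
    granted, the first matching policy decides, and no match means denial
    (the text states the last point)."""
    if not user_allowed:
        return False
    for p in policies:
        if p.matches(a):
            return p.grant
    return False


TROUBLESHOOTER = Policy("Troubleshooter", grant=True)   # matches everything


def find_denial_cause(policies: List[Policy], user_allowed: bool, a: Attempt) -> str:
    """Walk the Troubleshooter policy from the top of the list downward.

    Denied with Troubleshooter first -> the user's dial-in properties.
    Denied once it sits at position pos -> the policy just above it, since
    every higher position was already tested and granted.
    Never denied -> the denial is implicit: no policy matches at all, which
    a catch-all test policy cannot reveal."""
    for pos in range(len(policies) + 1):
        trial = policies[:pos] + [TROUBLESHOOTER] + policies[pos:]
        if not evaluate(trial, user_allowed, a):
            return "user dial-in properties" if pos == 0 else policies[pos - 1].name
    if not evaluate(policies, user_allowed, a):
        return "no matching policy"
    return "not denied"


# Constructed sample policy list, in processing order.
SAMPLE_POLICIES = [
    Policy("Sales VPN", grant=True, groups={"Sales"}, conn_type="VPN"),
    Policy("No weekend dial-in", grant=False, conn_type="dial-in", weekdays={5, 6}),
    Policy("Staff dial-in", grant=True, groups={"Staff"}, conn_type="dial-in",
           hours=range(8, 18)),
]

if __name__ == "__main__":
    sunday = Attempt("alice", {"Staff"}, "dial-in", weekday=6, hour=10)
    print(evaluate(SAMPLE_POLICIES, True, sunday))            # False
    print(find_denial_cause(SAMPLE_POLICIES, True, sunday))   # No weekend dial-in
```

A denial caused by no policy matching at all is not found by the walk, because the catch-all test policy always matches once it is reached; the model falls back to evaluating the original list to report that case.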
Troubleshooting NAT and ICS Configuration Problems
Windows 2000 makes it easy to share a single public IP address for access to the Internet by using Internet Connection Sharing (ICS) on a Windows 2000 Professional computer or a choice of ICS or Network Address Translation (NAT) on a Windows 2000 Server.
The Difference between ICS and NAT
ICS is available on both Windows 2000 Professional and Server, while NAT is only available on the Server family of operating systems. This statement in itself could be a little confusing, since ICS actually is a form of NAT. You can think of Internet Connection Sharing as NAT Lite—it uses NAT to map internal network IP addresses and ports to a single external IP address, but it is not as flexible and configurable as the full-fledged form of NAT that comes with Windows 2000 Server.
Common NAT Configuration Problems
If you are having problems with the NAT computer not properly performing translation, so that packets don't get delivered to the internal computer (NAT client) for which they are intended, check the configuration of the NAT interfaces. The NAT routing protocol must have both public and private interfaces. To check this, in the RRAS console, under the server name, expand IP Routing and select Network Address Translation. You should see a public and a private interface listed, as shown in Figure 9.17.
The public interface connects to the ISP, and the private interface connects to the LAN. Ensure that the public interface is configured for address translation, as shown in Figure 9.18. Right-click the interface name and select Properties.
The radio button for "Public interface connected to the Internet" must be selected. You should also check the Translate TCP/UDP headers check box to allow NAT clients to send and receive data through the interface. Now, ensure that the private interface is also properly configured. Right-click the private interface's name, and select Properties. The same configuration box will appear, only in this case the "Private interface connected to private network" radio button should be checked.
For Managers
Which Connection Sharing Solution Is Right for My Network?
If you have a small network that needs access to the Internet, and only one public IP address, Windows 2000 Server gives you the choice of using ICS or NAT to provide Internet access to the entire network through a single computer's Internet connection.
Either of these solutions will save the cost of additional phone lines, modems, and ISP accounts for connecting additional computers to the Net, as well as the time and work involved in setting them all up for Internet access and the difficulty of maintaining and monitoring their access.
Which one, then, should you use to connect your network? ICS and NAT work in a similar fashion, but NAT is the more sophisticated of the two. ICS is configured by right-clicking the connection's icon in Network and Dial-up Connections and selecting Sharing. It is quick and easy to configure and suitable for many small, simple networks. ICS assumes that this is the only computer on the network that is connected to the Internet, and it sets up all the internal network addresses. By selecting Enable Internet Connection Sharing for this Connection, you make the computer an ICS host. This computer will assign IP addresses to its ICS clients as a DHCP allocator.
ICS is appropriate if you don't have DNS servers, DHCP servers, Windows 2000 domain controllers, or systems using static IP addresses. That limits its use to small peer-to-peer networks.
For larger or more complex networks, sharing of an Internet connection can be accomplished via NAT, which is configured as part of RRAS. To use it, you must install and configure the Routing and Remote Access Service (if it is not already installed). NAT requires more configuration by the administrator, but also allows you to specify or change the IP address range assigned to NAT clients, and can be used on Windows 2000 domain networks or those connected to gateways or routers.
So, if you have a small peer-to-peer workgroup among which you wish to share an Internet connection, and don't need control over the IP address range, ICS will be the simplest solution. In most business networks, you will need the more sophisticated features of NAT.
Incorrect Public Address Range
Another problem that can occur with NAT configuration is incorrect configuration of the public addresses when you have multiple public IP addresses. Ensure that the addresses are entered in the Properties sheet of the public interface, under the Address Pool tab. All addresses entered here should be addresses that were assigned to you by your ISP.
NOTE
NAT can provide address translation using multiple public IP addresses; ICS cannot.
Incompatible Application Programs
The packets of some programs will not work through NAT. If a program runs from the NAT host computer but you cannot run it from a NAT client, it may be because the program uses a protocol that is not translatable by NAT. Windows 2000 NAT includes NAT editors for the following common protocols: FTP, ICMP, PPTP, and NetBIOS over TCP/IP.
Additionally, some protocols such as HTTP do not require a NAT editor.
Figure 9.17 NAT requires both a public and a private interface.
NOTE
A related problem, and a major limitation of NAT, is the inability to use it with IPSec for host-to-host security (sometimes called end-to-end). This is because IPSec hides the IP headers required by NAT for translation. You can, however, use NAT if you are using IPSec for a gateway-to-gateway solution.
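To see why FTP needs a NAT editor while HTTP does not (the Incompatible Application Programs discussion above), and why a host-to-host IPSec packet cannot be translated at all (the note just above), here is an added model of a NAT host; it is not the book's or Windows 2000's code. The Packet fields, the 203.0.113.10 / 192.168.0.5 / 198.51.100.x addresses, the port-mapping scheme, and the editor table keyed by destination port are all constructed for the example.

```python
"""Model of a NAT host: address/port translation, one NAT editor (FTP PORT)
and the failure case for an IPSec ESP packet. Added example; the Packet
layout, addresses, port-mapping scheme and editor table are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"          # constructed public address (TEST-NET-3)


@dataclass
class Packet:
    """Only the fields NAT looks at. An 'esp' packet carries no visible
    TCP/UDP header, so its ports are None."""
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    proto: str = "tcp"               # "tcp", "udp" or "esp"
    payload: str = ""


class Nat:
    def __init__(self, public_ip: str, first_port: int = 50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (priv_ip, priv_port) -> pub_port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # pub_port -> (priv_ip, priv_port)
        # Editors keyed by destination port (constructed); HTTP has none and needs none.
        self.editors = {21: self.ftp_editor}

    def map_port(self, ip: str, port: int) -> int:
        """Allocate, or reuse, the public port that stands for a private endpoint."""
        key = (ip, port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public. Returns None when the packet cannot be translated."""
        if pkt.proto == "esp" or pkt.src_port is None:
            # ESP encrypts the transport header, so there is no port to rewrite,
            # which is the host-to-host IPSec limitation noted in the text.
            return None
        out = Packet(self.public_ip, pkt.dst_ip, self.map_port(pkt.src_ip, pkt.src_port),
                     pkt.dst_port, pkt.proto, pkt.payload)
        editor = self.editors.get(pkt.dst_port)
        if editor is not None:
            out.payload = editor(pkt.payload)   # fix up addresses carried in the payload
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private via the reverse mapping; unsolicited traffic is dropped."""
        if pkt.proto == "esp" or pkt.dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[pkt.dst_port]
        return Packet(pkt.src_ip, priv_ip, pkt.src_port, priv_port, pkt.proto, pkt.payload)

    def ftp_editor(self, payload: str) -> str:
        """Active-mode FTP announces the client's own address and data port in
        the PORT command (RFC 959: h1,h2,h3,h4,p1,p2). Header translation alone
        leaves the private address in the payload, so the server's data
        connection would go nowhere; the editor rewrites it and pre-maps the port."""
        if not payload.startswith("PORT "):
            return payload
        f = payload[5:].strip().split(",")
        priv_ip = ".".join(f[:4])
        priv_port = int(f[4]) * 256 + int(f[5])
        pub_port = self.map_port(priv_ip, priv_port)
        return "PORT %s,%d,%d\r\n" % (self.public_ip.replace(".", ","),
                                      pub_port // 256, pub_port % 256)


def demo():
    """Constructed traffic from NAT client 192.168.0.5 through the NAT host."""
    nat = Nat(PUBLIC_IP)
    http = nat.outbound(Packet("192.168.0.5", "198.51.100.7", 1025, 80,
                               payload="GET / HTTP/1.0\r\n"))
    ftp = nat.outbound(Packet("192.168.0.5", "198.51.100.8", 1026, 21,
                              payload="PORT 192,168,0,5,4,10\r\n"))
    # The FTP server opens the data connection back to the address in PORT.
    data = nat.inbound(Packet("198.51.100.8", PUBLIC_IP, 20, 50002))
    esp = nat.outbound(Packet("192.168.0.5", "198.51.100.9", None, None, proto="esp"))
    return http, ftp, data, esp
```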
Other NAT Problems
If none of the solutions just discussed uncovers the culprit, ensure that IP packet filtering is not configured to prevent sending and receiving IP traffic. If the problem is related to name resolution, ensure that NAT name resolution has been enabled on the private interface. Troubleshoot Internet name resolution problems as outlined in Chapter 7, "Troubleshooting Windows 2000 DNS Problems."
Figure 9.18 The public interface must be configured for address translation.
Troubleshooting VPN Connectivity Problems
Virtual Private Networking (VPN) is a popular solution for those who need a secure, yet inexpensive way to connect from a remote computer to a LAN when dialing in directly either isn't possible or is costly due to long distance charges. Using encapsulation and encryption, a VPN allows you to establish a private "tunnel" through a public network such as the Internet, using the client's and server's Internet connections.
NOTE
A detailed explanation of how VPN works is beyond the scope of this book, but if you are interested in the basic "how-to's" of setting up a VPN, see "Managing Windows 2000 Network Services," published by Syngress.
The Tunneling Protocols
Windows 2000 supports VPN connections using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).
PPTP: Point-to-Point Tunneling Protocol
PPTP is an industry standard tunneling protocol. It was included in Windows NT 4.0 and is also supported in Windows 2000. PPTP is an extension of the Point-to-Point Protocol (PPP) and uses the authentication, compression, and encryption mechanisms of PPP.
L2TP: Layer 2 Tunneling Protocol
The Layer Two Tunneling Protocol (L2TP) supports multiprotocol VPNs that allow remote users to access corporate networks securely across the Internet. It is similar to PPTP in that it can be used for tunneled end-to-end Internet connections through the Internet or other remote access media. However, unlike PPTP, L2TP doesn't depend on vendor-specific encryption technologies to establish a fully secured and successful implementation. L2TP utilizes the benefits of IPSec, and will likely eventually replace PPTP as the "tunneling protocol of choice."
Troubleshooting VPN Connections
Troubleshooting a remote VPN connection is similar to troubleshooting other remote access connections, with a bit of added complexity.
Inability to Connect to the Remote Access Server
There are many causes for this problem. As usual, you should begin with the most basic and simplest possibilities:
■ Ensure that the RRAS service is started on the VPN server.
■ Ensure that RRAS is installed and enabled on the VPN server.
■ Ensure that PPTP or L2TP ports are enabled for inbound remote access traffic.
■ Ensure that LAN protocol(s) used by the VPN client are enabled on the VPN server.
■ Ensure that all PPTP or L2TP ports are not already in use.
■ Ensure that the VPN client and server are configured with a common authentication method and a common encryption method.
■ Ensure that the user account has the proper dial-in permissions granted.
■ Ensure that remote access policies are not causing a denial of the connection.
As you can see, most of these problems are related to the same configuration considerations we discussed earlier concerning general RRAS troubleshooting.
Summary
In this chapter, we have provided some basic information about how Windows 2000's Routing and Remote Access Services, hand-in-hand with the dial-up networking component, make it easy for users to connect to a remote server and for administrators to provide dial-in access to those on their networks.
We looked at the differences between a remote access connection to the company network and participating as a local (cabled) node on the network, and concluded that the only practical difference is the speed of the connection. Data transfer speed is limited to the media over which the connection is made, and we saw that typical wide area networking links provide for speeds from 56 Kbps or less (analog modems) to about 6 Mbps (high-speed ADSL).
We examined the differences between remote access and remote control, and learned that the latter is usually used by administrators to take over control of the server from a remote location. This is often done to troubleshoot problems or administer the server services when the administrator is offsite. We saw that remote access is used to connect to the network and access shared files, print to shared printers, or otherwise participate as another node on the network.
We then discussed the elements of different available wide area networking technologies over which our remote access sessions can be established. We provided an overview of remote networking using the analog phone lines on the Public Switched Telephone Network (PSTN).
We then looked at a faster and "cleaner" technology, Integrated Services Digital Network (ISDN). We learned that ISDN is usually provisioned in one of two forms: Basic Rate ISDN (BRI), which provides two 64 Kbps data channels, and Primary Rate ISDN (PRI), which provides for up to 23 64-Kbps data channels for a total throughput of 1.544 Mbps.
Next we talked about the newest "kid on the block," Asymmetric Digital Subscriber Line (ADSL), and how its cost advantage and "always on" technology make it a popular alternative to ISDN—if your location is within 17,500 feet of a telephone company Central Office (CO).
After that, we looked at how Windows 2000 supports connection to an X.25 network, which uses a Packet Assembler/Disassembler (PAD) and provides for data transfer over a public packet switched network.
Then we discussed the WAN protocols used for remote access networking: SLIP and PPP. We learned that SLIP is used on some UNIX servers, but Windows 2000, like NT 4.0, supports only PPP for dial-in connections.
We talked about the four steps involved in making a PPP connection: configuration, authentication, callback (optional), and configuration. Then we moved on to some specific tips for troubleshooting PPP problems, which include authentication failures, inadequate link/line quality, loss of carrier, and timeouts.
We looked at how to configure a dial-up connection to use PPP, and we gained an understanding of encapsulation, the method by which TCP/IP or other LAN protocol packets are wrapped inside the PPP or SLIP protocol headers.
Next we saw how we could use Network Monitor and PPP trace logging for gathering information about a PPP connection.
We then focused on troubleshooting configuration problems. We looked at common configuration problems involving the remote access server, including inability to establish a remote connection, inability to aggregate the bandwidth of multiple phone lines, and the inability to access the rest of the network even though a connection with the server is established.
After that, we looked at client configuration problems, and the importance of ensuring that the remote client uses the same authentication and encryption methods as the remote server.
We talked about remote access policies, and some of the common problems that arise in using them. We also learned a method of determining which of multiple policies is causing a connection denial problem, by creating a test policy and manipulating its position in the order of application.
Next we looked at Internet Connection Sharing (ICS) and Network Address Translation (NAT), and discussed common configuration and implementation problems that can occur when you share an Internet connection with a network through one ICS/NAT host. We learned that ICS is configured through Network and Dialup Connections, while NAT is configured via the RRAS console. We also found out that NAT requires both a public interface (connected to the ISP) and a private interface (connected to the LAN), and that each must be configured according to its role. We discussed the ramifications of entering the wrong public IP address range in NAT properties, incompatible application programs whose protocols cannot be translated, and the importance of ensuring that IP packet filtering is not configured to prevent IP traffic from getting through.
Finally, we took a brief look at virtual private networking (VPN), the two tunneling protocols supported by Windows 2000 (PPTP and L2TP), and how to troubleshoot VPN connectivity problems.
Remote access gets easier to configure with each new Microsoft operating system, but there are still many things that can go wrong with a remote connection. These problems benefit from a methodical, organized approach to troubleshooting—keeping in mind that a remote access connection in many ways is no different from a cabled network connection, except for the added layer of the WAN link used to achieve it.
FAQs
Q: How can I use caller ID with RRAS to enhance dial-in security?
A: If the phone system(s) used by the caller and the remote access server support the caller ID feature, you can use the caller ID feature when you set dial-in security. You can specify the phone number from which the user must dial in. If the user calls from a different phone number, the connection will not be successful. Be careful in using this feature, because if you do configure dial-in security with a specified caller ID phone number for the user and the system does not support caller ID, the connection will be denied. Note that if the connection is a VPN connection, the caller ID number will be the IP address of the client.
Q: Does Windows 2000 work with modem-pooling equipment?
A: Yes, as long as the modem-pooling device generates and accepts command strings equivalent to one of the supported modem types listed in the Install New Modem wizard. In that case, you connect the equipment to the COM ports and configure the ports for remote access using RRAS. Microsoft recommends that you configure modem-pooling devices to behave like a Hayes-compatible modem since that is a commonly used standard.
Q: Does the Windows 2000 remote access server support callback security on an X.25 network?
A: No, Microsoft advises that callback is not currently supported on X.25 connections.
Q: In what way is Windows 2000's remote access component more configurable in terms of security than Windows NT 4.0?
A: In NT 4.0, a user's authorization to dial in to the network was dependent on one simple check box to grant dial-in permission to the user, set in User Manager or the Remote Access Administrative Tool. Windows 2000 allows you to grant or deny remote access to a user in the user's property sheet in Active Directory Users and Computers, and also allows you to further restrict dial-in permissions based on remote access policies, which can be applied to members of specific groups, to specific connection types, and other more broad-based criteria.
Q: What is BAP, and how does it work?
A: The Bandwidth Allocation Protocol (BAP) is used to increase the efficient use of the network bandwidth by adding or dropping additional links according to changes in traffic flow, on a dynamic basis. To do this, BAP works in conjunction with Multilink PPP in Windows 2000. BAP policies can be set through the remote access policy feature to make it easy for administrators to control connection costs and still provide for optimum bandwidth for users.
Q: What are NAT editors, and why might I need one?
A: NAT editors are software components that are added to NAT in order to make modifications to the IP packet beyond the translation of the IP address in the IP header, TCP port in the TCP header, and UDP port in the UDP header. This additional translation is required with certain protocols that store the IP address, TCP port, or UDP port in the payload (for instance, FTP). Windows 2000 includes NAT editors already built-in for FTP, ICMP, and PPTP. Windows 2000 doesn't include editors to translate SNMP, LDAP, Microsoft COM, or RPC.
Chapter 10
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Solutions in this chapter:
Now that we have discussed some of the protocols and services related to TCP/IP, and know how to use the built-in utilities and add-on monitoring and troubleshooting tools, we'll take a look at connectivity problems from the ground up—or perhaps we should say "from the bottom up." That's the bottom of the OSI and DoD networking models we're referring to, of course. You'll recall that the Network Interface layer in the DoD model is roughly equivalent to the Physical and Data Link layers of OSI. In this chapter, we will examine some of the things that can go wrong at this level, and how to address them.
The Network Interface layer involves physical problems—network interface cards (NICs), cable, and network connectivity devices such as hubs, repeaters, and bridges. The differences between these various Network Interface layer devices, and how they compare to higher layer devices such as Layer 3 switches, routers, and gateways, is sometimes a source of confusion even for IT professionals. For that reason, we will look at how the various connectivity devices work, and some of the reasons they don't always work properly. Because the DoD Network Interface layer also encompasses the OSI Data Link layer, it also involves software drivers for the hardware. We will discuss the importance of updated and properly configured NIC drivers in making it possible for the TCP/IP protocol suite (or any other) to send data across the network.
We will not spend a lot of time discussing the details of how to install and configure networking hardware. In this chapter, we will be pointing out those areas in which Network Interface layer problems, such as those related to physical devices or software drivers, can affect TCP/IP connectivity and even mimic protocol configuration problems.
Problems with Network Interface Card Configuration
Configuration of the NIC at the physical level is the first step in achieving a TCP/IP connection. Although an improperly configured card is not a protocol-specific issue, it may be mistaken for one, and much time can be lost in trying to troubleshoot TCP/IP when the problem lies elsewhere. Thus, it is important for an administrator to know how to determine when the connection is failing due to a lower-level problem.
One easy way to determine that the problem lies in the lower layers is to attempt to establish a connection using a different protocol. If your computer is unable to communicate with others on the network using TCP/IP, but can make the connection when NetBEUI or NWLink is installed on the machines, you know to start troubleshooting the protocol configuration. If you still have no luck in making a connection with other network transport protocols, it is likely that you have a problem with the hardware or the hardware drivers. This simple test can save you much time and effort.
The Role of the NIC
The NIC (also sometimes called the network adapter, or just the network card) plays an essential role in TCP/IP and other network communications. The NIC is the device that physically joins the computer and the cable or other network media, but its function is more complex than that. The data cannot just flow through the network card and out onto the cable (or from the cable through the NIC into the computer's memory) because the form in which the computer processes the data is different from the format necessary to send it out over the cable.
The NIC must convert outgoing data from a parallel format, in which bits of information are sent in multiple lines or paths, as takes place inside the computer, to serial format, where the bits move in "single file" on the cable.
Network cards also have memory chips, called buffers, in which information is stored so that if the data comes in or goes out too quickly, it can "rest" there while the bottleneck clears and there is room for it to pass onto the cable or up into the computer's components.
Types of NICs
Of course, it is essential that you ensure that the NIC installed in the computer is the proper type for both the media and architecture used by your network. For instance, Ethernet and Token Ring require different types of NICs. This is because of the different ways in which the media access methods function. And, of course, the card must have the proper connector for the cable type being used. These are basic, relatively straightforward issues, but don't overlook them when troubleshooting connectivity problems.
NOTE
Be sure to check the Windows 2000 Hardware Compatibility List (HCL) to ensure that your card is supported. The list can be accessed from the Microsoft Web site at www.microsoft.com/hcl. Although devices not listed may still work with Windows 2000, if your card is on the list you can be confident that it has been tested and is compatible with the operating system.
Driver Issues
Like other hardware devices, the NIC requires a software driver to provide the interface between the operating system and the card. Be sure the driver that is designated for your specific model of NIC is installed, and that it is the latest incarnation. Experienced administrators know that simply installing an updated NIC driver can solve countless connection problems.
NOTE
Windows 2000 supports a large number of common brands and models of NICs, and the drivers are included on the Windows 2000 CD. However, these may not be the latest versions. Always check the manufacturer's Web site for a download area where you can obtain the latest drivers.
Since Windows 2000, unlike NT 4.0, is a plug-and-play operating system, supported cards are more likely to be automatically detected and the drivers installed from the Windows 2000 installation files (or you will be prompted to supply the disk or network location). Be cautioned again, however, that the drivers installed by the operating system may be outdated.
NOTE
Windows NT did have the capability to detect some network cards with its limited plug-and-play capability.
Updating Drivers
NIC drivers (and drivers for other hardware devices) can be updated through the Device Manager. To do so, click Start | Settings | Control Panel | System. Select the Hardware tab and click DEVICE MANAGER. The list of installed devices will be displayed, as shown in Figure 10.1.
You can select the card you wish to configure or update and double-click it, then select the Driver tab. This interface makes it easy for you to update the files, as shown in Figure 10.2, and also makes available useful information about the resources being used by the device, any conflicts, and troubleshooting tools.
A handy feature is the Hardware Troubleshooter, which can be accessed from the General tab.
Figure 10.1 Use Device Manager to configure and update drivers for the NIC.
Figure 10.2 The properties sheet for the device provides valuable information about the driver.
WARNING
In order to access the Device Manager and install or update device drivers, you must be logged on to an account with the appropriate permissions. Be aware that network policy settings (Group Policy, IPSec, and other security settings) may also prevent you from performing these tasks.
Problems with Cable and Other Network Media
Another type of problem that can mimic TCP/IP protocol configuration problems is damaged, defective or improperly installed cable or other network media. Broken or shorted cables can be detected with a cable tester or TDR (time domain reflectometer). Some of the more sophisticated (and more expensive) LAN testers will even pinpoint the exact location of the break.
As a network administrator, you may have other personnel who handle hardware and cabling. It is important, however, that you are able to recognize the symptoms of Physical layer problems so that you will know when to call in the technicians, rather than spend your time attempting to "fix what isn't broken."
Damage to the media is not the only factor when considering Physical layer problems.
All network architectures—for example, Ethernet, Token Ring,
AppleTalk—include specifications that must be met concerning ing equipment and media If those rules are ignored, connectivity may belost completely, or you may experience intermittent problems
network-Common areas of noncompliance, which can result in difficulties inestablishing or maintaining a connection, include cable type and grade,and the limitations on the allowable segment length for various
network/cable types
Network Cable Specifications
Be sure that the cabling for your network meets specifications for the particular architecture. For instance, a 10Base2 network requires not just thin coaxial cable, but a particular type of thin coax: RG-58 A/U (the cable grade is usually indicated on the side of the cable itself). Don't try to substitute something else that is "close" or looks similar; you will be setting yourself up for connectivity problems if you do.

It is not an unknown occurrence for a cable technician (or perhaps more likely, a net admin with little hardware experience) to attempt to replace a broken or bad length of thin coax cable with RG-58 U or even RG-59 (the cable used for cable TV). Therefore, in checking the Physical layer for the source of a connectivity problem, ascertain not only that the cable is connected and appears to be undamaged, but that the cable type meets specifications.

Another example of improper cable type would be substituting category 3 twisted pair for cat 5 when running a 100 Mbps (100BaseT) network.

Cable type is generally indicated on the cable itself. If it is not, you can identify the cable type by counting the wire pairs or measuring the ohm rating.
Cable Length Issues

You undoubtedly are also aware that because of the susceptibility of copper cabling to attenuation, or signal loss over distance, network specifications place limits on the acceptable length of a segment of cable, depending on the architecture and cable type.

NOTE
A cable segment is generally defined as the length of cable between repeaters. A repeater (or other connectivity device that boosts the signal) allows you to increase the distance of your network. We will discuss these devices in the next section of this chapter.

Violating the length specifications may be tempting, especially if you only need to go "a tiny bit further" in order to get the cable to a specific office or other location. You might get away with it—the cable does not just automatically stop working when you exceed the specified distance. But going beyond these limitations can cause you to have connectivity problems that you might easily mistake for software/protocol problems when the real trouble is at the physical level.

Table 10.1 shows common network/cable types and the maximum cable segment length for acceptable performance.

Table 10.1 Cable Length Limitations

Network Type    Cable Type        Distance Limitation per Segment
10Base2         Thin coax         185 meters (607 feet)
10Base5         Thick coax        500 meters (1640 feet)
10BaseT         Category 5 UTP    100 meters (328 feet)
100BaseTX       Category 5 UTP    100 meters (328 feet)

The Role of Network Connectivity Devices

We call them "network connectivity devices" for the obvious reason: They are used to connect networks (also called network segments or subnets). But why are there so many different types, and how do we know when to use which on our TCP/IP networks?

Let's first think about the characteristics of the TCP/IP suite. One of its strong suits—in fact, the number-one reason it is the protocol of choice for so many networks today, as well as the protocol of the global Internet—is its routing capability. Routing refers to transferring data from one network or subnetwork to another. Thus, it makes sense that connectivity devices are common in TCP/IP networks.

Usually the type of device we associate with an internetwork is the router, which works at the DoD's Internetwork layer (Network layer in the OSI model). We will briefly discuss routers in this chapter, in the context of how they differ from the Network Interface layer devices, and we will devote an entire chapter (Chapter 11, "Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level") to routing problems and other Internetwork layer troubleshooting. But we also should remember that there are other, lower-level devices that can be used for such purposes as:

■ Extending the distance limitations of network cable
■ Connecting network segments that use different media types (for instance, thin coax and UTP)
■ Segmenting the network to reduce traffic without dividing the network into separate IP subnets

Although a large percentage of network connectivity problems occur at the Network Interface level, it is often overlooked in the troubleshooting process. That is, until you discover, after spending an entire afternoon completely reconfiguring both your server and your client, that your inability to connect or your loss of data packets was caused by a physical problem with your repeater or bridge.
Understanding Layer 1 and 2 Connectivity Devices

There are three basic types of network connectivity devices that operate at the Network Interface level. In OSI terminology, this means Layers 1 (Physical layer) and 2 (Data Link layer). These are:

■ Repeaters and hubs
■ Switches
■ Bridges

NOTE
Some books refer to components such as BNC barrel connectors as connectivity devices. Strictly speaking, since they do indeed connect two lengths of cable, this would be correct. In this chapter, when we speak of connectivity devices, we are referring to active devices, not mere connection points. See the discussion of active vs. passive hubs for more information on this.

How and Why Repeaters and Hubs Are Used

We will discuss repeaters and hubs together because, in many cases, they are the same thing. In fact, you will hear hubs referred to as "multiport repeaters." All that means is that the hub does what a repeater does: boosts the signal before passing it on from one segment of cable on which it came in, to another on which it goes out.

Hubs are different from basic repeaters, however, in that the latter generally has only two ports. The repeater is used to extend the usable length of a given type of cable. For instance, a 10Base5 Ethernet network, using thick coax cable, has a maximum cable segment length of 500 meters, or 1640 feet. At that distance, attenuation (signal loss due to distance) begins to take place. But when you place a repeater at the end of the cable and attach another length to the repeater's second port, the signal is boosted and the data can travel further without damage or loss. See Figure 10.3.

Figure 10.3 A repeater is used to address attenuation problems. (Repeaters extend distance limits.)
Data loss or complete loss of connectivity may occur if a network is constructed with a segment length greater than that designated in the IEEE specifications for the architecture/cable type, and no connectivity device is used to boost the signal. Remember to always check for physical problems rather than assume software/networking protocol configuration is at fault when packets are lost.
What’s the Difference between Repeaters, Amplifiers, and Hubs?
A repeater boosts the signal traveling across an Ethernet cable in much the same way an amplifier boosts the signal input from an old radio tuner. The difference between a repeater and an amplifier lies not in what they do, but in what kind of signals they do it to. While amplifiers boost analog signals (such as those used in the public telephone network or in older home stereo systems), a repeater boosts the digital signals used in most computer communications.

The typical Ethernet hub is also a kind of repeater, a multiport repeater that allows for 5, 8, 12, 16, 24 or more connections. While a standard repeater is more often associated with 10Base2 and 10Base5 (coax) networks, hubs are used with 10BaseT and other UTP-based networks.

Repeaters are not very "smart" devices; they simply boost whatever signal they receive—not distinguishing between data and noise—and pass it on. They also aren't very "polite." They don't follow the usual CSMA/CD process that NICs use, listening for traffic on the network before transmitting. A repeater just goes ahead and transmits even if another node is in the middle of a transmission. This, of course, results in a data collision, which means data must be re-sent, and network performance is negatively impacted. This is the reason for the Ethernet (coax) 5-4-3 Rule: The total length of the network cable must be limited so that all computers on the network will be able to monitor all segments before they transmit, since the repeater won't do it for them.
Using a Repeater in Troubleshooting

A repeater can be of use in troubleshooting situations, in that it allows you to isolate a segment when there is a failure or fault condition. You can disconnect one side of a repeater to effectively isolate the associated segment(s) from the rest of the network. You can then perform troubleshooting functions without any impact on the rest of your production network.

NOTE
Repeaters do not logically segment or subnet the network and do no filtering of traffic, nor do they divide the network into collision domains. You cannot reduce the traffic load or increase available network bandwidth by using repeaters; you can only amplify the signal and extend the maximum length of the cable. The repeater divides the network into "segments" only in relation to maximum segment length for purposes of avoiding attenuation problems.
a twisted-pair Ethernet cable with the transmit and receive wires crossed. This type of hub, which boosts the signal before sending it back out, requires electric power and is also sometimes called an active hub. There are several other types of hubs, as summarized in Table 10.2.

Table 10.2 Basic Hub Types

Active hub: Requires electric power; boosts the incoming signal before sending it back out all ports.
Passive hub: Does not require electric power; serves as a connection point, sending the signal back out on all ports without boosting it.
Intelligent hub (also known as "managed hub"): Includes a processor chip with diagnostic features that allow you to troubleshoot individual port problems. This is helpful when you need to troubleshoot ports remotely and cannot just look at the lights on the hub.
Switching hub (also known as "switch"): Sends the signal out the port to which the destination computer is connected only.

Switching hubs, or switches, are becoming more and more popular (and becoming less expensive, which contributes to the popularity). Let's examine this connectivity device a little more closely.
NOTE
Another type of hub, called a concentrator, is a sophisticated device that offers the ability to provide each client with exclusive access to the full bandwidth of the media. Each workstation plugs into a separate port, and there is no connection. These hubs also allow for buffering and filtering of packets so that unwanted packets are discarded. Another feature of these hubs is support for SNMP (Simple Network Management Protocol) to configure and administer the hub. The term concentrator is most often associated with Token Ring hubs (also called Multistation Access Units, or MAUs). A remote access hub that handles incoming dial-up calls for an Internet (or other network) point-of-presence and performs other services is referred to as a concentrator (or aggregator).
How and Why Switches Are Used
Layer 2 switches, or switching hubs, work at the Data Link layer, and they are installed in place of the active hubs that traditionally have been used to connect computers on a UTP-cabled network. Replacing hubs with switches will cost a bit more, but offers several important advantages.
Advantages of Switches over Hubs
A switch combines the characteristics of hubs and bridges (we'll discuss bridges in the next section). Like a bridge, a switch constructs a table of MAC addresses. The switch knows which computer network interface (identified by its physical address) is attached to which of its ports. It can then determine the destination address for a particular packet and route it only to the port to which that NIC is attached. Obviously, this cuts down a great deal on unnecessary bandwidth usage, since the packet is not sent out to the other ports, where it would be disregarded when those computers determine that it is not intended for them. See Figure 10.4.

Using switches instead of hubs creates individual "collision domains" for each segment. This means a particular computer receives only the packets addressed to it, to a multicast address to which it belongs, or to the broadcast address. You increase potential bandwidth in this way by the number of devices connected to the switch, because each can send and receive at the same time another node is doing so.
Advantage of Switches over Bridges

Switches can forward data frames more quickly than bridges, because instead of reading the entire incoming Ethernet frame before forwarding it to the destination segment, the switch typically only reads the destination address in the frame, and then retransmits it to the correct segment. This is why switches can offer fewer and shorter delays throughout the network, resulting in better performance.

Bridges normally have only two ports, dividing the network into two parts, while switches have multiple ports, each of which may connect directly to a host computer (or alternately can connect to a hub or another switch).
Switching Modes

Switches generally use one of two methods of forwarding data: cut-through or store-and-forward.
Cut-through mode  Switches that use cut-through mode read only the first few bytes of the packet to determine the source and destination addresses, and then pass the packets through to the destination segment. The rest of the packet is not checked for errors. This means invalid packets can still be passed on to other segments, but there is the advantage of speed; there is very little delay involved in packet throughput with this mode.

Store-and-forward mode  Switches using store-and-forward could be thought of as careful and methodical, but not speedy. They buffer and examine the entire packet, and filter out any bad packets that are detected. The good packets are then forwarded to the correct segment. This results in some delay in throughput, but fewer errors get through to other segments.

Figure 10.4 A switch reduces traffic by sending data only out the port with which the destination MAC address is associated. (A packet destined for F's MAC address arrives at the switch; the switch consults its table and sends it out the port connected to Computer F only.)
When to Switch to a Switch

Replacing hubs with switches is a good idea when there is a great deal of point-to-point network traffic. Switches won't cut down on network congestion problems caused by broadcasts, since broadcast messages will still be sent out all ports. This is another way in which they are similar to bridges.
Switches offer the following benefits:
■ Switches eliminate contention (one of the major disadvantages of Ethernet), and therefore allow each port to use the full bandwidth
■ A switch can be used to divide an overloaded network intosegments, creating separate collision domains and increasingperformance
■ Switches offer low latency, which improves the efficiency andperformance of the network
■ Switches can be used to create virtual networks, or VLANs
How and Why Bridges Are Used
A bridge builds a MAC table like a switch, but like the repeater, it is a two-port device rather than a multiport device like a hub or switch. The bridge is used to segment a network to reduce traffic and collisions. It also boosts the signals that it passes across.
How Bridges Reduce Network Traffic
A bridge monitors the data frames it receives to construct its MAC address table, using the source addresses on the frames. This is a simple table that tells the bridge on which side a particular address resides. The bridge can then look at the destination address on a frame and, if it is in the table, determine whether to let it cross the bridge (if the address is on the other side) or not (if the address is on the side from which it was received).

In this way, there is less unnecessary traffic, because when a computer on side A sends a message to another computer that is also on side A, the signal goes only to those computers on side A. Those on side B, on the other side of the bridge, go blithely on with their business and never have to deal with it. See Figure 10.5.

Figure 10.5 A bridge segments the network to reduce traffic. (Data is transmitted from a computer on Side A to another computer on Side A; the bridge recognizes the destination MAC address and does not send it to Side B.)

Using a bridge can, in effect, double the available bandwidth since there can be two "conversations" between computers going on simultaneously, on opposite sides of the bridge, without data collision.
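The MAC-table behaviour described for switches (Figure 10.4), the cut-through versus store-and-forward modes, and the side A/side B filtering described for bridges (Figure 10.5) all come from one mechanism: learn the source address per port, then forward by destination. The following is an added illustration, not code from the book or from any product. It models a learning device where two ports make a bridge and more ports make a switch; the MAC addresses, payloads and the use of CRC-32 as a stand-in for the Ethernet FCS are constructed for the example, and flooding of a not-yet-learned unicast destination is standard bridge behaviour that the chapter does not spell out.

```python
"""Toy learning bridge/switch: MAC learning, destination-based forwarding,
and the cut-through vs. store-and-forward difference.  Constructed example;
addresses and payloads are made up."""
import struct
import zlib
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes) -> bytes:
    """Minimal Ethernet-like frame: dst MAC, src MAC, payload, 32-bit FCS.
    CRC-32 over everything before the trailer stands in for the real FCS."""
    body = mac_to_bytes(dst) + mac_to_bytes(src) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_is_valid(frame: bytes) -> bool:
    body, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(body) & 0xFFFFFFFF == struct.unpack("<I", trailer)[0]


@dataclass
class LearningDevice:
    """Two ports model a bridge (side A = port 1, side B = port 2); more
    ports model a switch.  mode is 'store-and-forward' or 'cut-through'."""
    port_count: int
    mode: str = "store-and-forward"
    mac_table: Dict[str, int] = field(default_factory=dict)

    def receive(self, ingress: int, frame: bytes) -> List[int]:
        """Handle one frame arriving on port `ingress`; return the egress ports."""
        dst = bytes_to_mac(frame[0:6])
        src = bytes_to_mac(frame[6:12])
        # Store-and-forward buffers the whole frame and checks the FCS first;
        # a damaged frame is neither learned from nor forwarded.  Cut-through
        # has already started forwarding once the two addresses are read.
        if self.mode == "store-and-forward" and not fcs_is_valid(frame):
            return []
        # Learning: the source address lives behind the port it arrived on.
        self.mac_table[src] = ingress
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcasts still go out every other port (the chapter's point that
            # switches do not reduce broadcast traffic).  Flooding a destination
            # not yet in the table is standard bridge behaviour, assumed here.
            return [p for p in range(1, self.port_count + 1) if p != ingress]
        egress = self.mac_table[dst]
        # Destination is on the same port/side as the sender: nothing crosses.
        return [] if egress == ingress else [egress]


def demo() -> Dict[str, List[int]]:
    """Replay Figures 10.4 and 10.5 with constructed addresses."""
    a, f = "00:00:00:00:00:0a", "00:00:00:00:00:0f"
    results: Dict[str, List[int]] = {}

    sw = LearningDevice(port_count=6)                 # six-port switch
    results["unknown_dst"] = sw.receive(1, build_frame(f, a, b"hello"))  # flooded
    results["reply"] = sw.receive(6, build_frame(a, f, b"hi"))           # learns F on port 6
    results["known_dst"] = sw.receive(1, build_frame(f, a, b"again"))    # port 6 only

    damaged = bytearray(build_frame(f, a, b"corrupt"))
    damaged[12] ^= 0xFF                               # flip a payload byte after the FCS was computed
    results["bad_store_and_forward"] = sw.receive(1, bytes(damaged))
    ct = LearningDevice(port_count=6, mode="cut-through")
    ct.mac_table[f] = 6
    results["bad_cut_through"] = ct.receive(1, bytes(damaged))

    b = "00:00:00:00:00:0b"
    bridge = LearningDevice(port_count=2)             # side A = port 1, side B = port 2
    bridge.receive(1, build_frame(a, b, b"from B"))   # bridge learns B is on side A
    results["same_side"] = bridge.receive(1, build_frame(b, a, b"to B"))
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:>22}: egress ports {ports}")
```

The damaged frame shows the trade-off the chapter describes: the store-and-forward device returns no egress ports for it, while the cut-through device, having already matched the destination, sends it out port 6 and lets the receiving NIC discover the error.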
What Is a Translation Bridge?
Bridges can be used not only to segment a network, but also to connect two network segments that use different types of media. For instance, you can use an AUX/BNC bridge to connect one segment running on thick coax cable (10Base5) to another segment running on thin coax (10Base2).

A translation bridge is a type of bridge that can go a step further, and not only connect two different media types, but can connect segments using two different media access methods. The translation bridge "translates" between the two access methods, typically Ethernet and Token Ring.

NOTE
Translation bridges do not translate between protocols. Bridges are unaware of and not dependent on which network/transport protocols are used for communication. Bridges can use only the MAC addresses. Because bridges do not look at the upper-layer protocols (such as IP), they cannot make decisions about where to send data frames based on the IP address.

In most cases, a better solution for connecting Ethernet and Token Ring, when both are using TCP/IP, is a router, which is capable of complex routing based on protocols and the logical network address.
Advantages and Disadvantages of Bridges

Bridges enjoy several advantages over other connectivity devices:
■ Bridges are less expensive than routers and brouters
■ Bridges allow you to add more computers and segments to thenetwork
■ Bridges are transparent to higher-level protocols like TCP/IPbecause they operate at the Data Link layer of the OSI model
■ Bridges can be used with nonroutable protocols like NETBEUI(which will not cross a router)
■ Bridges localize network traffic and thus can increase networkperformance
Some disadvantages of bridges include their propensity to cause broadcast storms, because they pass broadcast messages across the bridge, and the fact that the bridge is not "smart" enough to evaluate and use the most efficient path for each transmission as a router does.

Bridges are not very efficient for use in large, complex networks. If your network fits that description, you may need to consider a router, which works at a higher layer of the OSI model.
Understanding Upper-Layer Connectivity Devices
Like hubs and switches, routers are multiport connectivity devices. Unlike hubs and switches, routers are appropriate for use on large, complex networks because they are able to use the logical IP address to determine where packets need to go.
How Routers Work
How does using the IP address help to simplify the routing process? You will recall that an IP address is divided into two parts: the network ID and the Host ID. The network ID is the key here, as it "narrows down" the location of the particular destination computer by acting somewhat like the zip code does for the post office.
Using the Network ID to “Narrow the Search”
In a small town, all streets may share the same zip code, so that a letter addressed to 100 Hall Street, Seagoville TX doesn't really need a zip code. It will reach its destination because there is only one Seagoville post office, and it can easily keep up with where all the streets in town are located. In a big city, however, a letter addressed to 100 Hall Street, Dallas TX will have more difficulty reaching its destination. That's because there are several post offices in Dallas, each designed to serve only a designated part of the city. The zip code identifies which of these post office stations will handle the delivery of the letter, much as the network ID identifies which subnet, or part of the network, a destination computer is on.

In order to use this information, though, the post office must be zip-code-aware. That is, the employees there who sort the mail must understand what the zip codes mean. If we had employees performing this task who came from the era before the advent of zip codes, they would see the series of numbers at the end of the address and, not understanding their significance, disregard it. Like those postal employees from a former time, bridges and other lower-layer devices don't recognize IP addresses or utilize them in making decisions about where to send the data.

Routers, however, working at the Network layer where IP operates, can understand and use IP addresses. A router keeps a table, too, but unlike a bridge or switch, which only deals in MAC addresses, the routing table tells the router how to get to other known networks (or subnets) based on the network ID. Then, when a packet reaches the appropriate network, the Host ID is used to get it to the particular computer for which it is destined.

The Routing Table

Where does the router get this information? Routes can be entered into its routing table manually (this is necessary when static routing protocols are used), or the router can "learn" routes from other routers with which it communicates, using dynamic routing protocols (such as RIP and OSPF, both supported by Windows 2000).
The Routing Process
A packet is routed across multiple subnets using a complex process of stripping off and replacing the header information as it goes from one network to the next. This is necessary because the source and destination address change for each network it goes through. In other words, the process works something like this:

1. Computer A with IP address 192.168.1.4 sends a message to Computer B with IP address 201.234.1.12. Both have a subnet mask of 255.255.255.0.

2. Because IP recognizes that the destination address is not on the same subnet as the source address, it sends the message to Router 1, which is Computer A's default gateway.

3. Router 1 is connected to the 192.168.1.0 network and the 210.45.9.0 network. It is not connected to the 201.234.1.0 network, but it has an entry in its routing table telling it that the way to get there is via Router 2.

4. Router 1 replaces the original source address (Computer A's) with its own, and sends the packet to Router 2.

5. Router 2 is connected to both the 210.45.9.0 network and the 201.234.1.0 network. It replaces the source address with its own and routes the packet to the destination computer (Computer B), which, with an address of 201.234.1.12, is on its subnet.

6. Now when Computer B replies, it will send the packet back to Router 2, which will forward it to Router 1, which will return the response to Computer A.

See Figure 10.6 for an illustration of this process.
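The decisions in steps 2, 3 and 5 (is the destination on my subnet? which table entry covers its network ID? is that network directly connected or reached through another router?) can be traced through in code. This is an added illustration, not the book's code: the host addresses, mask and the three networks are the chapter's; the routers' interface addresses follow the labels in Figure 10.6; Router 1's LAN-side address (Computer A's default gateway) and the second local host address are assumptions, since the chapter does not state them; and Router 2's route back to 192.168.1.0 is implied by step 6 rather than listed in the text.

```python
"""Toy hop-by-hop routing decision for the chapter's six-step example.
Constructed illustration; addresses marked ASSUMED are not from the chapter."""
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Step 2: IP ANDs each address with the mask and compares the network IDs."""
    return Net(f"{a}/{mask}", strict=False) == Net(f"{b}/{mask}", strict=False)


class Router:
    """Routing table: destination network -> next hop (None = directly connected)."""

    def __init__(self, name: str, routes: Dict[str, Optional[str]]):
        self.name = name
        self.routes = {Net(net): (Addr(hop) if hop else None) for net, hop in routes.items()}

    def lookup(self, dst: str) -> Optional[Addr]:
        """Longest-prefix match.  None means deliver on a connected network;
        LookupError means the table has no entry covering this destination."""
        matches = [net for net in self.routes if Addr(dst) in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


ROUTER1_LAN = "192.168.1.1"   # ASSUMED: Computer A's default gateway address

ROUTERS = [
    Router("Router 1", {
        "192.168.1.0/24": None,            # step 3: directly connected
        "210.45.9.0/24": None,             # step 3: directly connected
        "201.234.1.0/24": "210.45.9.2",    # step 3: reached via Router 2
    }),
    Router("Router 2", {
        "210.45.9.0/24": None,             # step 5: directly connected
        "201.234.1.0/24": None,            # step 5: directly connected
        "192.168.1.0/24": "210.45.9.1",    # implied by step 6: reply goes back via Router 1
    }),
]

# Which router answers at which interface address (Figure 10.6 labels plus the assumed LAN address).
BY_ADDRESS: Dict[str, Router] = {
    ROUTER1_LAN: ROUTERS[0], "210.45.9.1": ROUTERS[0],
    "210.45.9.2": ROUTERS[1], "201.234.1.1": ROUTERS[1],
}


def trace(src: str, dst: str, mask: str, gateway: str) -> List[str]:
    """Return the routers a packet from src traverses to reach dst.
    An empty list means the destination is on the sender's own subnet."""
    if same_subnet(src, dst, mask):
        return []
    hops: List[str] = []
    router = BY_ADDRESS[gateway]
    while True:
        if router.name in hops:
            raise RuntimeError(f"routing loop at {router.name}")
        hops.append(router.name)
        next_hop = router.lookup(dst)
        if next_hop is None:           # destination network is connected: deliver
            return hops
        router = BY_ADDRESS[str(next_hop)]


def chapter_example() -> Dict[str, List[str]]:
    mask = "255.255.255.0"
    return {
        "A_to_B": trace("192.168.1.4", "201.234.1.12", mask, ROUTER1_LAN),    # steps 2-5
        "B_to_A": trace("201.234.1.12", "192.168.1.4", mask, "201.234.1.1"),  # step 6
        "A_local": trace("192.168.1.4", "192.168.1.20", mask, ROUTER1_LAN),   # ASSUMED second host, same subnet
    }


if __name__ == "__main__":
    for label, path in chapter_example().items():
        print(f"{label}: {' -> '.join(path) or 'delivered on the local subnet'}")
```

A destination that no table entry covers (a 10.x.x.x address in this setup, for example) raises `LookupError` at the first router, which is the situation a "Destination host unreachable" reply reports in practice. On a Windows 2000 host, `route print` shows the table the same kind of lookup is performed against.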
Routers must understand the network protocol being used; thus they are called protocol-specific devices. A bridge isn't concerned with protocols, but a router must support the protocol(s) used by your network.
How and Why Routers Are Used
Routers are used to handle complex routing tasks. Routers also reduce network congestion by confining broadcast messages to a single subnet.
NOTE
A router can either be a dedicated device (such as those made by Cisco) or a computer running an operating system that is capable of acting as a router. Windows 2000, like Windows NT, can function as a router when two network cards are installed and IP forwarding is enabled.

Routers are capable of filtering, so that you can, for instance, block inbound traffic. This allows the router to act as a firewall, creating a barrier that prevents undesirable packets from either entering or leaving a particular designated area of the network.
Figure 10.6 Packets are forwarded from one router to the next across multiple subnets. (Labels in the figure: Computer A 192.168.1.4; Computer B 201.234.1.12; Router 210.45.9.1; Router 201.234.1.1; 192.168.1.4; 210.45.9.2.)