12. On the PC, enter the network setting of the internal network card for an IP address that is on the 10.10.0.0 network with a subnet mask of 255.255.255.0 and a default gateway set to 10.10.0.1. Save the network
15. On the PC, launch a browser window and HTTP to 8.8.8.8.
16. At the Management screen, select PROFILES→USERS to configure a user with management rights on the Nortel VPN Router with a statically assigned IP address of 10.10.0.20. If you are unfamiliar with how to accomplish this, the following lab covers configuring a user tunnel for managing the Nortel VPN Router.
17. After the user has been created, log off the Nortel VPN Router and disconnect your PC from the Nortel VPN Router.
18. Using the same cabling arrangement that was used to connect to the Private LAN, connect to the Public LAN of the Nortel VPN Router.
19. On the PC, set the network settings on the internal network card to have an IP address of 100.100.100.200 with a subnet mask of 255.255.255.0 and a default gateway of 100.100.100.100. Save the network settings.
20. From the PC, ping the Public LAN interface at 100.100.100.100. If ping replies are received, continue with the lab. If no ping replies are received, verify the settings on the PC and, if they appear correct, verify the Nortel VPN Router Public LAN settings with the use of the console cable and the HyperTerminal program.
21. On the PC, launch the Nortel VPN Client application. Configure a Connection name, add the User Name and Password for the user with administrator rights that was previously configured, and enter the Destination address of 100.100.100.100.
22. On the Nortel VPN Client dialog window, click the Connect button. A dialog to save the configuration will appear. Click the Yes button to proceed with the client connection to the Nortel VPN Router.
23. The client should successfully connect to the Nortel VPN Router with a Nortel VPN Client icon appearing in the system tray of Windows.
24. Open a Command/DOS window and type the command ipconfig. Within the DOS window, the settings for the virtual NIC used for the Nortel User connection should have the IP address of 10.10.0.20, which was statically assigned to that user.
25. Launch a browser window and HTTP to 8.8.8.8. Verify that the Nortel VPN Router Management screen appears. Log in with the user that was created with the management rights. For the purposes of this lab, it will be the same user that was used to connect with the Nortel VPN Client. However, any user with administrator rights may be used, including the primary administrator user ID and password. Verify that the user is able to navigate the different configuration screens without a denial.
26. If the user is capable of navigating the configuration screens without being denied, then this will conclude this lab. If the user has an issue, then log in with an administrator user ID and password, which will be used to verify this user’s profile to ensure that administrator privileges have been granted to that user.
Lab Summary
This lab showed how a CLIP address may be assigned to the Management Interface. Although the unit is not bound to any physical interface, the administrators of the Nortel VPN Router are still able to manage the unit. Although it was not mentioned within the context of this lab, there are obvious routing and networking considerations that would come into play in order for the administrators remote from the unit to manage the unit.
Using the example of this lab, you can see that if an administrator on a remote network needed to manage this particular Nortel VPN Router, then the management session would need to be capable of being routed to the management address of 8.8.8.8. However, an administrator would be capable of using the Nortel VPN Client to manage the unit from anywhere, as long as the administrator is able to establish a successful user tunnel to the Nortel VPN Router.
Configuring Administrator User Tunnels
Administrators of the Nortel VPN Router require the ability to manage the unit in a number of ways. This lab covers the use of the Nortel VPN Client to allow remote user administrators to configure, control, and manage the unit. Administrators may be given only certain privileges, depending upon their level of responsibility for the unit. Where applicable throughout this lab, discussion of privilege options will be noted.
Lab Requirements
■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Serial console cable for the Nortel VPN Router being used for this lab
■■ Crossover Ethernet cable, or hub and patch Ethernet cables
■■ Windows-based PC with HyperTerminal and the Nortel VPN Client loaded
■■ Pencil and paper for notes
■■ Management Interface IP address set to 8.8.8.8
1. If the Nortel VPN Router has not been previously set to these addresses, then with the use of the console cable and the administrator’s user ID and password, set the interfaces with these values.
2. Set the Windows-based PC network settings to have an IP address of 10.10.0.20 with a subnet mask of 255.255.255.0, and with the default gateway set to 10.10.0.10. Save the network settings.
3. Connect the PC to the Private LAN Interface of the Nortel VPN Router using either Ethernet crossover cable, or hub and Ethernet patch cables.
4. From the PC, ping the Management Interface IP address at 8.8.8.8. If ping replies are received, continue with the lab. If no ping replies are received, go back to verify settings on the PC and then the Nortel VPN Router.
5. From the Windows-based PC, launch a browser and HTTP to 8.8.8.8.
6. On the Nortel VPN Router Management screen, click the Manage Switch link and use either the default user ID of admin and the password of setup, or another administrator user ID/password combination that has full management privileges on the Nortel VPN Router.
7. From the main menu, select PROFILES→GROUPS to display the Groups configuration screen. Click the Add button to add a new group. At the Add screen for group, add a Group Name of Admins and leave the Parent Group at /Base. Click the OK button, which will return you to the Groups configuration screen.
8. Select PROFILES→USERS to display the User Management screen. On Group, click the down arrow to select the group /Base/Admins and click the Add User button to display the Add User configuration screen.
9. To add a new group, perform the following:
a. Add a First and Last Name in the supplied boxes (for example, First Name = NVR, Last Name = Admin_user).
b. Ensure that the group /Base/Admins is displayed. If not, then it may once again be selected by clicking the down arrow.
c. In the Remote User area, add a Static IP Address of 10.10.0.30 and a Static Subnet Mask of 255.255.255.0.
NOTE This address may be dynamically assigned if an address pool has been defined or if DHCP has been configured to allocate addresses for user tunnels. For the purposes of this lab, the User Tunnel address is statically assigned.
d. In the User Accounts area for an IPSec user, enter the user ID of NVR_Admin and, for the purposes of this lab, a password of 12345678. Re-enter the password in Confirm Password.
NOTE The User Accounts area provides for the addition of users with different tunneling clients if needed or desired. For this lab, because the Nortel VPN Client will be used to establish the user tunnel, utilize the IPSec User Account.
e. Because the user being created will be utilizing local authentication (Internal LDAP), scroll past the various authentication methods to the Administration Privileges area. In the Administrative Authentication Method, ensure that the radio button for Local Authentication is selected.
f. In the Admin area, add the User ID NVR_Admin with a password of 12345678 and re-enter the password in the Confirm Password box.
g. In the /admin Rights area for Manage Switch, click the down arrow and select Manage. For Manage Users, click the down arrow and select Manage.
NOTE Administrators may be given different levels of responsibility. It is possible to limit the abilities of administrators, from only being able to view different screens of the Nortel VPN Router without the ability to change any parameters to full management rights to change a wide range of configurations with the right to add and delete users. However, there are a few rights that are permitted to be exercised only by the Primary Administrator of the Nortel VPN Router. For the purpose of this lab, the administrator has been given a wide range of management rights on the Nortel VPN Router.
h. Click OK to accept the parameters set for this user. The User Management screen will be displayed with a banner at the top that the user has been successfully created. If there is an error in a parameter, the banner lists the reason for the exception. Correct any errors and click on the OK button until the user has been correctly added.
10. With the administrator user created, close down the browser and move the PC connection from the Private LAN Interface to the Public LAN Interface.
11. Reconfigure the PC network settings to have an IP address of 100.100.100.200 with a subnet mask of 255.255.255.0 and a default gateway of 100.100.100.100.
12. On the Windows-based PC, launch the Nortel VPN Client and set the Connection to Lab Setup; enter the username NVR_Admin and a password of 12345678. Enter the destination of the Nortel VPN Router Public LAN Interface IP address of 100.100.100.100. Click the Connect button. A dialog box appears asking if you want to save changes to the current connection. Click Yes to establish a user tunnel to the Nortel VPN Router.
13. If the connection attempt is successful and the user tunnel is established, the Nortel VPN Client icon will appear in the system tray. Continue with the lab with a successful tunnel connection. If the tunnel fails to establish, verify that the settings on the client match the settings that were configured for this user. Repeat the preceding steps until a successful user tunnel has been established.
14. With the user tunnel established, launch a Command/DOS window and enter the command ipconfig. Notice that the Nortel VPN Client virtual Network Interface Card is displaying the address of 10.10.0.30.
15. Launch a browser and HTTP to 8.8.8.8. The Nortel VPN Router Management screen will be displayed. Click the Manage Switch link and enter the user ID NVR_Admin and the password 12345678 to log in to the Nortel VPN Router.
16. Navigate through a few configuration screens to ensure that you are able to navigate the menu system without restriction.
NOTE Although this administrative user has been given full rights, restrictions are placed on that user by the fact that a user tunnel is being utilized to manage the Nortel VPN Router. To have full access to all management functions on the Nortel VPN Router, you must add a tunnel filter in this user’s group settings to allow for functions such as Telnet and FTP.
17. From the main menu, select PROFILES→FILTERS to display the Filters configuration screen. In the Current Contivity Tunnel Filters area (see Figure 11-27), add the name NVR_Admin in the box adjacent to the Create button and click the Create button after the name has been entered.
Figure 11-27: The filters configuration screen
18. The Tunnel Filters Edit screen will be displayed for the Tunnel Filter Set: NVR_Admin. From the Available Rules, select “permit all/in” and click the double left arrow button to move the rule to the Rules in Set column. Do this also for the “permit all/out” rule. Notice the Allow Management Traffic area is divided into a “For these Local Services” grouping and a “For these Remote Servers” grouping. Select the following by checking the appropriate check box:
■■ HTTP: Allow the management of the Nortel VPN Router using the GUI screen.
■■ SNMP: Allow SNMP gets from the Nortel VPN Router, which may be used to monitor the operation of the unit.
■■ FTP: Allow the movement of files to and from the Nortel VPN Router with the use of an FTP client.
■■ Telnet: Allow the ability to Telnet to the Management Interface to perform Command Line Interface (CLI) commands on the unit.
■■ PING: Allow the pinging of the Management Interface to receive ping echo replies.
In the “For these Servers” area, check the FTP check box. This permits the fetching of VPN Router code upgrades from the tunneled PC while it is running an FTP server. Although this may be accomplished in this manner, it is more efficient to perform upgrades to the Nortel VPN Router from an FTP server that is located on the local Private LAN.
19. Once the filter is configured as shown in Figure 11-28, click OK at the bottom of the screen to accept these settings and return to the Filters configuration screen. The NVR_Admin filter should now be displayed in the Current Contivity Tunnel Filters selection box.
Figure 11-28: Verifying the filter via the Tunnel Filters edit screen
20. From the main menu, select PROFILES→GROUPS to display the Groups configuration screen. Click the Edit button for the group /Base/Admins to display the Groups Edit configuration screen.
21. In the Connectivity area, click the Configure button to open this section for modification.
22. Scroll down to the Filters line and click its Configure button, which will cause the Groups Edit Connectivity screen to refresh.
23. Once again, scroll down to the Filters line and notice that there is a filters selection drop-down menu displayed. Click the down arrow and select the NVR_Admin filter set.
24. Scroll to the bottom of the screen and click OK to display the Groups Edit screen.
25. Scroll to the bottom of the screen and click the Close button to return to the Groups selection screen. This completes the filter configuration and applies it to the appropriate group. However, because this tunnel is established already, the filters have not been applied to this particular tunnel. Close the browser window and disconnect from the Nortel VPN Router by clicking the Nortel VPN Client icon to display the client status window and by clicking the Disconnect button.
26. Once the user tunnel has been totally disconnected, launch the Nortel VPN Client again to establish a new tunnel to the Nortel VPN Router.
27. Once the tunnel is established, launch a browser window and HTTP to the Management Interface IP address of 8.8.8.8. Log in using the NVR_Admin user ID and the password 12345678.
28. Verify that it is possible to navigate the different configuration screens.
29. Open a Command/DOS window and Telnet to 8.8.8.8. A login prompt is presented. Log in using the NVR_Admin user ID and the password 12345678. On successful login, a command-line prompt will be displayed. Issue a dir command to display the directory structure of the Nortel VPN Router.
30. Open another Command/DOS window and FTP to 8.8.8.8. A login screen is presented. Log in using NVR_Admin with the password 12345678. On successful login, an ftp prompt will be displayed. Issue a dir command to display the directory structure of the Nortel VPN Router.
NOTE Each service that is called performs a login query. Each service is capable of being run simultaneously with the other services. This capability is essential for the ongoing maintenance and service of the Nortel VPN Router.
31. This concludes this lab. We recommend (and encourage) that you further explore the capabilities that are granted to an administrator to develop the required profiles for users who will be responsible for the administering of the Nortel VPN Router.
Lab Summary
In this lab, an administrator user was created and the different capabilities provided to that administrator were discussed. In creating this user, we touched upon the use and configuration of group settings and tunnel filters. Administrative users with the proper privileges are essential in the maintenance and ongoing support of the Nortel VPN Router.
Careful consideration of the capability granted to users is required. Within the scope of this lab, however, not all possible combinations of administrative capabilities were explored. We encourage you to examine and carefully plan the levels of administrator involvement upon completion of this lab.
Configuring Syslog Server
The Nortel VPN Router has local logging on the unit that may be viewed and used to monitor different aspects on the Nortel VPN Router, such as events in the security and configuration of the Nortel VPN Router. However, because these logs utilize local storage, they are limited in their ability to store historical data, which, in certain organizations, is recorded and archived for extensive periods of time.
You can take advantage of the Nortel VPN Router’s logging ability and monitor storage of those logs over long periods of time by using an external Syslog server. This lab covers the simple configuration and discusses some points of logging on the Nortel VPN Router at the same time.
Lab Requirements
■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Crossover Ethernet cable, or hub and patch Ethernet cables
■■ Windows-based PC with Syslog server program
■■ Windows-based PC with browser software
■■ Network diagram (see Figure 11-29)
■■ Pencil and paper for notes
Figure 11-29: The Syslog configuration lab diagram (diagram labels: Syslog Server 10.10.0.51; Private LAN Interface 10.10.0.10; Management Interface 8.8.8.8; Private LAN; Configuration PC 10.10.0.30)
to configure the Nortel VPN Router. However, for this lab, it is another standalone PC that has its network interface configured with an IP address of 10.10.0.51 with a subnet mask of 255.255.255.0 and a default gateway set to 10.10.0.10.
2. Ensure that the network is connected as shown on the network diagram illustrated in Figure 11-29.
3. At the PC being used to configure the Nortel VPN Router, launch a browser window and HTTP to 8.8.8.8.
4. Click the Manage Switch link and log in using an administrator’s user
Figure 11-30: The Syslog Forwarding configuration screen
8. Entity Level is by default set to All. Click the down arrow and notice that there are different selections for various components of the Nortel VPN Router. If a component is selected, the screen will refresh and the Subentity will have other selections than the present default setting of All. For the purposes of this lab, leave both the Entity and Subentity settings set on the default of All.
9. Tagged Facility is by default set to KERN, which is the main kernel of the operating system that will record all events that occur on the Nortel VPN Router. Click the down arrow to view the other selections that may be selected. For the purposes of this lab, the default setting of KERN will be used.
10. UDP Port, by default, is set to 514, which is a common listening port for Syslog servers. This may be adjusted if needed. For the purposes of this lab, leave the default setting of 514 for the UDP port to communicate with the Syslog server. Click OK to accept these settings for the Syslog server.
11. Click the Change System Logging Capture Level link, which is just below the OK button, to display the System Log screen.
12. Capture Level is, by default, set to All. Click the down arrow to view the other selections. For now, leave the default setting of All and click the link Change SYSLOG Forwarding Details to return to the SysLog Forwarding screen.
13. This completes the configuration of the Nortel VPN Router to store system logs to an external Syslog server.
14. On the PC that is acting as the Syslog server, if it has been previously configured and is listening on UDP port 514 for Syslog updates, then check the logging on the unit to verify it is receiving updates from the Nortel VPN Router. If updates are not received, then check all settings and, in particular, assigned IP addresses on both the PC and the Nortel VPN Router.
NOTE For testing purposes, there is freeware Syslog server software available for download from various organizations. There are also demo programs and shareware (which may have a limited usage license) available for download. For the purposes of this lab, no particular Syslog server is specified or recommended. All Syslog server software should be able to record and display the logs generated by the Nortel VPN Router.
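A small receiver for the check in step 14, added here as an example and not part of the original lab or of any Nortel software: it decodes the PRI field of each BSD-syslog datagram so you can confirm that messages arrive on UDP 514 from the expected address and carry the KERN facility. The sample datagrams are constructed, and the expected sender of 10.10.0.10 is an assumption (the unit may source its messages from another interface).

```python
import re
import socket
from typing import Optional

# BSD syslog (RFC 3164) facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + ["local%d" % n for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample datagrams (not captured from a real router).
SAMPLE_KERN = b"<6>Jan  1 00:00:00 10.10.0.10 constructed sample event"
SAMPLE_LOCAL0 = b"<134>Jan  1 00:00:00 10.10.0.10 constructed sample event"


def parse_syslog(datagram: bytes) -> Optional[dict]:
    """Decode <PRI> into facility and severity; return None if the header is invalid."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    text = datagram[m.end():].decode("utf-8", errors="replace")
    return {"facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "text": text}


def check_message(datagram, sender_ip, expected_senders, expected_facility="kern"):
    """Return a list of mismatches against the lab configuration (empty means OK)."""
    problems = []
    # Syslog over UDP is unauthenticated, so at least pin the source address.
    if sender_ip not in expected_senders:
        problems.append("unexpected sender %s" % sender_ip)
    msg = parse_syslog(datagram)
    if msg is None:
        problems.append("no valid <PRI> header")
    elif msg["facility"] != expected_facility:
        problems.append("facility %s, expected %s" % (msg["facility"], expected_facility))
    return problems


def serve(bind_ip="0.0.0.0", port=514, expected_senders=frozenset({"10.10.0.10"})):
    """Listen for datagrams and print each one with its check result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))         # ports below 1024 may need elevated rights
    while True:
        data, (ip, _port) = sock.recvfrom(4096)
        problems = check_message(data, ip, expected_senders)
        print(ip, parse_syslog(data), "OK" if not problems else problems)


if __name__ == "__main__":
    serve()
```

If the Tagged Facility or UDP Port is changed from the defaults in steps 9 and 10, pass the matching `expected_facility` and `port` values.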
Lab Summary
In this lab, you configured an external Syslog server for use in recording system logging information from the Nortel VPN Router. The external Syslog server will allow for the storage and archiving of all system logs reported to it from the Nortel VPN Router. Also, this lab included a discussion on the customization of logs to set the severity of events, the selection of what entities will be logged, as well as the use of the common UDP port. The amount of logging that is accomplished is dependent on the organization that the Nortel VPN Router is situated in.
Different organizations have various requirements. With the Syslog server logs that are archived, it is possible to gather historical data on user usage patterns, as well as alarms that may have been triggered for a number of reasons. The use of the external Syslog server should be strongly considered a good practice for maintaining and monitoring the Nortel VPN Router, along with the traffic that is passing through the unit.
Configuring User IP Address Pools
As users establish user tunnels to the Nortel VPN Router, they require an assigned IP address to allow them to be able to route IP traffic to and from their PC to the Private LAN behind the Nortel VPN Router. Depending on the size of the user base, using a VPN Client to tunnel to the Nortel VPN Router makes dynamic address allocation more desirable than statically assigning a user to a particular IP address.
Although static IP address assignment is easy to accomplish, it can become a tedious task to keep track of addresses as they are assigned and retired. There are two methods of dynamically assigning user IP addresses on the Nortel VPN Router: DHCP and Address Pool.
Lab Requirements
■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Crossover Ethernet cable, or hub and patch Ethernet cables
■■ Windows-based PC with the Nortel VPN Client loaded
■■ Windows-based PC server capable of acting as a DHCP server
■■ Network diagram (see Figure 11-31)
■■ Pencil and paper for notes
Figure 11-31: The configuring User IP Address Pools lab diagram
Lab Setup
This lab is divided into two parts. You may choose to do either or both to learn to use each method to dynamically assign IP addresses to user tunnels. The first lab deals with DHCP and the second deals with Address Pool.
Configuring User IP Address Assignment Using DHCP Lab
For the purpose of this lab, we assume that the Nortel VPN Router has been previously configured with the following IP addresses:
■■ Private LAN Interface IP address is set to 10.10.0.10 with a subnet of 255.255.255.0
■■ Public LAN Interface address is set to 100.100.100.100 with a subnet of 255.255.255.0
■■ The Management Interface IP address is set to 8.8.8.8
1. On the PC set up to perform the Nortel VPN Router configuration, set the internal Network Interface Card to the IP address of 10.10.0.20 with a subnet mask set to 255.255.255.0 and the default gateway set to 10.10.0.10.
[Figure 11-31 diagram labels: Internet; Public LAN 100.100.100.100; Management Interface 0.0.0.0; Private LAN 10.10.0.10; DHCP Server 10.10.01; Configuration PC 10.10.0.20; Client PC 100.100.100.200]
2. On the PC being used for the configuration of the Nortel VPN Router, launch a browser and HTTP to 8.8.8.8. Log in to the Nortel VPN Router using an administrator’s user ID and password.
3. At the main menu, select SERVERS→USER IP ADDR to display the Remote User IP Address Pool, which is shown in Figure 11-32.
4. Select the radio button for DHCP.
5. In the DHCP Server area there are three radio button selections:
■■ Any External DHCP Server: Uses a broadcast to find a DHCP on the local Private LAN Network.
■■ Internal DHCP Server: Uses the DHCP server that is contained within the Nortel VPN Router. Configuration of this server was performed in the DHCP lab earlier in this chapter.
■■ Specified DHCP Server: Is routed to a particular DHCP server. For the purposes of this lab, select this radio button and enter the IP address assigned to the DHCP server for this lab, which is 10.10.0.1.
6. DHCP Cache Size value is the number of IP addresses the Nortel VPN Router will request and store internally for use to assign to user tunnels as they connect to the Nortel VPN Router. If the Nortel VPN Router has many users that would tunnel to it in a relatively short time, then a number higher than 1 would allow the Nortel VPN Router to make fewer requests to the DHCP for addresses it will allocate out to user tunnels. For purposes of this lab, set this value to 1. There is a balance to the value that would be inserted in this field. Too high of a number would cause the Nortel VPN Router to hoard addresses, thus not allowing the external DHCP server to use those addresses for other devices on its network.
Figure 11-32: The Remote User IP Address Pool DHCP screen
7. Select the check box for Immediate Address Release, which will immediately return IP addresses to the DHCP server as they are freed up when a user tunnel disconnects from the Nortel VPN Router.
8. The value for DHCP Blackout Interval is the amount of time in seconds that the Nortel VPN Router will wait before it will reuse an IP address that it has cached. Because you are caching only one IP address and the Immediate Address Release check box has been selected, this value will have no effect on how IP addresses are handled in this lab. For the purposes of this lab, just allow the default value of 300 to remain.
9. The “Override Blackout Interval when no addresses are available” check box allows the Nortel VPN Router to use an IP address sooner than the set DHCP Blackout Interval if there are no more addresses in its cache that are beyond the blackout interval that it can allocate. For the purposes of this lab, this box may remain either checked or unchecked because there is no caching of more than a single address at a time.
10. Scroll to the bottom of the screen and click OK to accept the DHCP settings. The Nortel VPN Router is now ready to request IP addresses from a DHCP server for allocation to user tunnels as they connect.
11. Verify that the DHCP server has a scope of addresses it will allocate within the subnet range of the Private LAN (for example, an address range of 10.10.0.100 to 10.10.0.150).
12. If no users are currently configured on the Nortel VPN Router, configure one to test the ability of the Nortel VPN Router to allocate an address to the connecting user tunnel.
13. Connect a Windows-based PC with the Nortel VPN Client installed to the Public LAN Interface. This can be accomplished with either an Ethernet crossover cable, or a hub and Ethernet patch cables.
14. Set the PC Network Interface IP address to 100.100.100.200 with a subnet of 255.255.255.0 and with the default gateway set to 100.100.100.100.
15. On the PC, launch the Nortel VPN Client and set the connection with the user ID and password that is assigned to the user that was created for this test. Set the destination address to 100.100.100.100 and then click the Connect button. If prompted to save the current connection settings, click Yes.
16. On a successful connection, the Nortel VPN Client icon will appear in the system tray. Double-clicking the icon will open a connection dialog screen. Verify that the assigned address is within the range of the IP addresses that are being allocated by the DHCP server. If the address is not within the range, or the connection fails, verify all configuration settings and repeat until the connection provides the desired result.
This concludes this portion of the lab. Continue with the Address Pool portion.
Configuring User IP Address Assignment Using Address Pool Lab
For the purpose of this lab, it is assumed that the Nortel VPN Router has been previously configured with the following IP addresses:
■■ Private LAN Interface IP address is set to 10.10.0.10 with a subnet of 255.255.255.0
■■ Public LAN Interface address is set to 100.100.100.100 with a subnet of 255.255.255.0
■■ The Management Interface IP address is set to 8.8.8.8
1. On the PC set up to perform the Nortel VPN Router configuration, set the internal Network Interface Card to the IP address of 10.10.0.20 with a subnet mask set to 255.255.255.0 and the default gateway set to 10.10.0.10.
2. On the PC being used for the configuration of the Nortel VPN Router, launch a browser and HTTP to 8.8.8.8. Log in to the Nortel VPN Router using an administrator’s user ID and password.
3. At the main menu, select SERVERS→USER IP ADDR to display the Remote User IP Address Pool, which is shown in Figure 11-33.
4. Select the radio button for Address Pool.
5. To add an address pool, click the Add button to display the Enter Address Pool Information screen.
6. In the Starting IP Address field, add the address 10.10.0.75.
7. In the Ending IP Address field, add the address 10.10.0.85.
8. In the Subnet Mask field, add 255.255.255.0.
9. Because this is the first pool that is added, leave the Pool selection radio button set to Default.
Figure 11-33: The Remote User IP Address Pool configuration main screen
Trang 17N OT E Named pools may be created to allocate different address pools to different groups This is accomplished by setting the GROUP PROFILE→
CONNECTIVITY→ADDRESS POOL NAME to the name that was given to that address pool Users that are members of this group are given an address from that address pool.
10 Click OK to accept the address pool settings and return to the RemoteUser IP Address Pool screen
11 For the Address Pool Blackout Interval, insert the value of 300 seconds.
This is the time the IP address will not be available when a user tunneldisconnects
12 In the If Named Pool Unavailable area, the selections are “Failover toDefault pool” and “Deny address request.” Leave “Failover to Defaultpool” selected
NOTE If users of a particular group are to be restricted to a given address pool and not permitted to use addresses from the default pool, the “Deny address request” selection will cause the Nortel VPN Client to fail to connect successfully until an IP address for that named pool is released back to the pool.
13 Verify that the Address Pool radio button is selected and click OK at the bottom of the screen. This concludes configuration of the Nortel VPN Router for allocating IP addresses to user tunnels.
14 If no users are currently configured on the Nortel VPN Router, configure one to test the ability of the Nortel VPN Router to allocate an address to the connecting user tunnel.
15 Connect a Windows-based PC with the Nortel VPN Client installed to the Public LAN Interface. This can be accomplished with either an Ethernet crossover cable, or a hub and Ethernet patch cables.
16 Set the PC Network Interface IP address to 100.100.100.200 with a subnet of 255.255.255.0 and with the default gateway set to 100.100.100.100.
17 On the PC, launch the Nortel VPN Client and set the connection with the user ID and password that is assigned to the user that was created for this test. Set the destination address to 100.100.100.100 and then click the Connect button. If prompted to save the current connection settings, click Yes.
18 On a successful connection, the Nortel VPN Client icon appears in the system tray. Double-clicking the icon will open a connection dialog box. Verify that the assigned address is within the range of the IP addresses that are being allocated by the address pool. If the address is not within the range, or the connection fails, verify all configuration settings and repeat until the connection provides the desired result.
19 Once a successful connection is made and the assigned IP address is in the range of the addresses allocated by the address pool, click the Disconnect button to terminate this connection session.
20 The Address Pool Blackout Interval has been set to 300 seconds, or 5 minutes. Reconnect to the Nortel VPN Router with the Nortel VPN Client within that interval and verify that, on the next successful connection, the new assigned IP address is not the same as the one that was received in the previous connection session.
21 As an optional addition to this lab, you may want to return to the SERVERS→USER IP ADDR configuration screen and edit the default address pool to have only two addresses (such as 10.10.0.75 and 10.10.0.76) and reduce the Address Pool Blackout Interval to 180 seconds.
22 Within the three-minute interval period for Address Pool Blackout, connect to the Nortel VPN Router using the Nortel VPN Client three times. Note the assigned IP address each time before clicking the Disconnect button. On the third attempt, if still within the Address Pool Blackout Interval, the connection will fail because no addresses are available in the default pool that are not within the interval. This can be verified by using the Management Screen main menu by selecting STATUS→EVENT LOG to display the log. Scroll down to the third attempt to connect with the Nortel VPN Client and notice that the event log shows that the tunnel didn’t establish because the IP address assignment failed.
This concludes this portion of the lab.
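The blackout behaviour from steps 20 to 22 and the “If Named Pool Unavailable” choice, modelled in Python as an added example (not code from the book or from Nortel). Lowest-free-address-first allocation, the 10-second session length, the log wording and the one-address sup_grp pool are assumptions made for the demonstration.

```python
import ipaddress


class AddressPool:
    """Tunnel address pool with a blackout interval (constructed model)."""

    def __init__(self, name, first, last, blackout_s):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.name = name
        self.blackout_s = blackout_s
        self.addresses = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        self.in_use = set()
        self.released_at = {}  # address -> time (s) at which its tunnel disconnected

    def allocate(self, now):
        """Return the lowest address that is free and past its blackout, or None."""
        for addr in self.addresses:
            if addr in self.in_use:
                continue
            released = self.released_at.get(addr)
            if released is not None and now - released < self.blackout_s:
                continue  # released too recently: still blacked out
            self.in_use.add(addr)
            return addr
        return None

    def release(self, addr, now):
        self.in_use.discard(addr)
        self.released_at[addr] = now


class TunnelAddressAssigner:
    """Picks the pool for a tunnel and applies the named-pool-unavailable setting."""

    def __init__(self, default_pool, named_pools=(), if_named_unavailable="deny"):
        if if_named_unavailable not in ("deny", "failover"):
            raise ValueError("policy must be 'deny' or 'failover'")
        self.default_pool = default_pool
        self.named = {p.name: p for p in named_pools}
        self.policy = if_named_unavailable
        self.event_log = []

    def connect(self, user, now, pool_name=None):
        """Return (address, pool), or (None, None) when no address can be assigned."""
        pool = self.named[pool_name] if pool_name else self.default_pool
        addr = pool.allocate(now)
        if addr is None and pool is not self.default_pool and self.policy == "failover":
            # "Failover to Default pool": the user leaves the group's address range.
            pool = self.default_pool
            addr = pool.allocate(now)
        if addr is None:
            self.event_log.append(
                f"t={now}s {user}: tunnel not established, IP address assignment failed")
            return None, None
        self.event_log.append(f"t={now}s {user}: assigned {addr} from pool '{pool.name}'")
        return addr, pool


def blackout_lab():
    """Steps 21-22: two-address default pool, 180 s blackout, quick reconnects."""
    pool = AddressPool("default", "10.10.0.75", "10.10.0.76", blackout_s=180)
    router = TunnelAddressAssigner(pool)
    results = []
    for t in (0, 30, 60, 190):  # connect times; each session lasts 10 s (assumed)
        addr, used = router.connect("labuser", t)
        results.append(str(addr) if addr else None)
        if addr:
            used.release(addr, t + 10)
    return results, router.event_log


def named_pool_lab(policy):
    """A second group member connects while the named pool has no free address."""
    default = AddressPool("default", "10.10.0.75", "10.10.0.76", blackout_s=300)
    # Constructed: a one-address 'sup_grp' pool so exhaustion is reached at once.
    sup = AddressPool("sup_grp", "20.20.0.30", "20.20.0.30", blackout_s=300)
    router = TunnelAddressAssigner(default, [sup], if_named_unavailable=policy)
    first, _ = router.connect("user_a", 0, pool_name="sup_grp")
    second, pool = router.connect("user_b", 5, pool_name="sup_grp")
    return str(first), (str(second) if second else None), (pool.name if pool else None)


if __name__ == "__main__":
    addresses, log = blackout_lab()
    print(addresses)
    print("\n".join(log))
    print("deny:    ", named_pool_lab("deny"))
    print("failover:", named_pool_lab("failover"))
```

With “failover”, the second user receives a default-pool address, so any access rule keyed to the named pool's range no longer describes that user's traffic.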
Lab Summary
This lab showed two methods for dynamically allocating IP addresses to remote users. We discussed various options and testing of the principles used to familiarize you with the methods available for user tunnel IP address assignment. Management of IP addresses can also be used to control access for users and groups, which was described in the discussion on named address pools. You are encouraged to try variations of this lab to further your knowledge of IP address allocation with the Nortel VPN Router.
Client Address Redistribution Configuration
Client Address Redistribution (CAR) is a feature that can be used to allocate IP addresses to user tunnels that are not bound to any physical entity on the Private LAN network. It uses an address pool of addresses, which can be allocated from internal address pools or by using DHCP internal/external servers. The Nortel VPN Router controls the routing of these user tunnels and proxies all requests to the Private LAN for the clients that are using a CAR IP address. The feature also adds additional security because the IP address on the client is a virtual address and the user has no reference to the IP addressing that is being used on the Private LAN.
Lab Requirements
■■ Nortel VPN Router with version 6.00 VPN Router code loaded
■■ Crossover Ethernet cable, or hub and patch Ethernet cables
■■ Two Windows-based PCs, one with the Nortel VPN Client loaded
■■ Network diagram (see Figure 11-34)
■■ Pencil and paper for notes
■■ The Management Interface IP address is set to 8.8.8.8
Figure 11-34: The Client Address Redistribution configuration lab diagram
[Diagram labels: Internet; Public LAN 100.100.100.100; Management Interface 0.0.0.0; Private LAN 10.10.0.10; Client PC (laptop computer) 100.100.100.200; Configuration PC (laptop computer) 10.10.0.20]
1 On the PC set up to perform the Nortel VPN Router configuration, set the internal Network Interface Card to the IP address of 10.10.0.20 with a subnet mask set to 255.255.255.0 and the default gateway set to 10.10.0.10.
2 On the PC being used for the configuration of the Nortel VPN Router, launch a browser and HTTP to 8.8.8.8. Log in to the Nortel VPN Router using an administrator’s user ID and password.
3 At the main menu, select SERVERS→USER IP ADDR to display the Remote User IP Address Pool configuration screen.
4 Select the radio button for Address Pool.
5 To add an address pool, click the Add button to display the Enter Address Pool Information screen.
6 In the Starting IP Address field, add the address 20.20.0.30.
7 In the Ending IP Address field, add the address 20.20.0.40.
8 In the Subnet Mask field, add 255.255.255.0.
9 Because this is to be a named pool, click the New radio button and add a name for this pool in the box provided. For the purposes of this lab, enter sup_grp.
10 Click OK to accept the Address Pool settings and return to the Remote User IP Address Pool screen.
11 For the Address Pool Blackout Interval, insert the value of 300 seconds. This is the time the IP address will not be available when a user tunnel disconnects.
12 In the If Named Pool Unavailable area, the selections are “Failover to Default pool” and “Deny address request.” Click the radio button next to “Deny address request.”
NOTE If users of a particular group are to be restricted to a given address pool and not permitted to use addresses from the default pool, the “Deny address request” selection will cause the Nortel VPN Client to fail to connect successfully until an IP address for that named pool is released back to the pool.
13 Verify that the Address Pool radio button is selected and click OK at the bottom of the screen. This concludes configuration of the Nortel VPN Router for creating a named IP address pool to allocate IP addresses to user tunnels.
14 If no users are currently configured on the Nortel VPN Router, configure one to test the ability of the Nortel VPN Router to allocate an address to the connecting user tunnel.
15 After the user is created and assigned to a group, the group must be configured to use the newly created named Address Pool for all users within that group. From the main menu, select PROFILES→GROUPS.
16 Click the Edit button for the group to which the user who will be used for testing of the CAR feature is assigned. This will display the Groups Edit configuration screen.
17 In the Connectivity area, click the Configure button to allow modification of these parameters.
18 Scroll down to the Address Pool Name area and click the Configure button.
19 The screen will refresh and a drop-down menu will appear adjacent to Address Pool Name.
20 Click the down arrow for the drop-down menu and select the named address pool to be used. For the purposes of this lab, enter sup_grp.
21 After the group has been selected, scroll to the bottom of the screen and click OK.
22 This concludes the assigning of the named address pool to the group the user is a member of. However, CAR still remains to be configured to allow the assigned address pool to route user traffic onto the Private LAN.
23 From the main menu, select ROUTING→CLIENT-ADDR-DIS to display the Client Address Redistribution configuration screen.
24 In the Client Address Redistribution area, click the down arrow for CAR options. The options presented are:
■■ Host Only: A route for each user tunnel is added to the route table. These entries are established each time a user tunnel is established using a CAR-assigned address. The route is removed upon client Disconnect.
■■ Dynamic Aggregation: A subnet route is added when the first client connects and remains until the last user using an assigned IP address from the subnet disconnects.
■■ Static Aggregation: A subnet route is added when the first client connects and the route remains as long as the address pool remains valid.
25 For the purposes of this lab, select Host Only.
26 Leave the Maximum Number of U Tunnel Host Routes set to the default value of 200 and click OK to accept these configuration settings and enable CAR.
27 Connect a Windows-based PC with the Nortel VPN Client installed to the Public LAN Interface. This can be accomplished with either an Ethernet crossover cable, or a hub and Ethernet patch cables.
28 Set the PC Network Interface IP address to 100.100.100.200 with a subnet of 255.255.255.0 and with the default gateway set to 100.100.100.100.
29 On the PC, launch the Nortel VPN Client and set the connection with the user ID and password that are assigned to the user created for this test. Set the destination address to 100.100.100.100 and then click the Connect button. If prompted to save the current connection settings, click Yes.
30 On a successful connection, the Nortel VPN Client icon will appear in the system tray. Double-clicking the icon opens a connection dialog screen. Verify that the assigned address is within the range of the IP addresses that are being allocated by the address pool (20.20.0.30–20.20.0.40). If the address is not within the range, or the connection fails, verify all configuration settings and repeat until the connection provides the desired result.
31 Once a successful connection is made and the assigned IP address is in the range of the addresses allocated by the address pool, return to the PC that is being used to configure the Nortel VPN Router.
32 Launch a browser window and HTTP to 8.8.8.8.
33 Click on the Manage Switch link and log in to the Nortel VPN Router using an administrator’s user ID and password.
34 From the main menu, select ROUTING→CLIENT-ADDR-DIS to display the Client Address Redistribution configuration screen.
35 Click the Show User Tunnel Routes button. The Client Addr Redist→User Tunnel Routes will be displayed.
36 Verify that the IP address assigned to the user tunnel is displayed.
37 On the PC that is making the user tunnel, double-click the Nortel VPN Client icon that is displayed in the system tray.
38 In the connection dialog box that is displayed, click the Disconnect button to terminate the user tunnel session.
39 Return to the PC that is displaying the Client Addr Redist→User Tunnel Routes screen, and click the Refresh button. The user address that was assigned to the client should now be removed.
40 On the PC that is being used for establishing the user tunnel, once again launch the Nortel VPN Client to establish a user tunnel.
41 On a successful connection, verify that the assigned address is from the named Address Pool that was created. This address will be different from the one that was previously assigned if the connection attempt was made within the Address Pool Blackout Interval.
42 Return to the PC that is displaying the Client Addr Redist→User Tunnel Routes screen, and click the Refresh button. The user address that was assigned to the client should now be displayed.
43 From the main menu, select ROUTING→ROUTE TABLE to display the Route Table screen.
44 Click the IP Forward Table button to display the Route Table→
47 Click the Route Table button to display the Route Table.
48 Verify that the IP address that is assigned to the client user tunnel is displayed on the table as a host route (for example, 20.20.0.40/24).
We encourage you to further explore the named Address Pool and Client Address Redistribution features. A suggestion would be to terminate the user tunnel and verify that the IP address that had been assigned to the user tunnel has been removed from the IP Forward Table and Route Table.
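The three CAR options from step 24, replayed over one connect/disconnect sequence, as an added Python model that is not Nortel's code. It writes host routes as /32 prefixes and counts how many routed addresses have no tunnel behind them; the class, method and function names are hypothetical.

```python
import ipaddress


class CarRouteModel:
    """Routes a CAR pool contributes to the route table under each CAR option."""

    MODES = ("host_only", "dynamic_aggregation", "static_aggregation")

    def __init__(self, mode, pool_first, pool_last, netmask):
        if mode not in self.MODES:
            raise ValueError(f"unknown CAR option: {mode}")
        self.mode = mode
        self.first = ipaddress.ip_address(pool_first)
        self.last = ipaddress.ip_address(pool_last)
        # Subnet that contains the pool, e.g. 20.20.0.0/24 for the lab's sup_grp pool.
        self.subnet = ipaddress.ip_network(f"{pool_first}/{netmask}", strict=False)
        self.active = set()   # addresses currently held by user tunnels
        self.routes = set()   # routes currently present because of CAR
        self.pool_valid = True

    def connect(self, addr):
        addr = ipaddress.ip_address(addr)
        if not self.pool_valid or not (self.first <= addr <= self.last):
            raise ValueError(f"{addr} is not in a valid CAR pool")
        self.active.add(addr)
        if self.mode == "host_only":
            self.routes.add(ipaddress.ip_network(f"{addr}/32"))
        else:
            self.routes.add(self.subnet)  # added when the first client connects

    def disconnect(self, addr):
        addr = ipaddress.ip_address(addr)
        self.active.discard(addr)
        if self.mode == "host_only":
            self.routes.discard(ipaddress.ip_network(f"{addr}/32"))
        elif self.mode == "dynamic_aggregation" and not self.active:
            self.routes.discard(self.subnet)  # last user of the subnet has left
        # static_aggregation: the subnet route stays while the pool remains valid

    def remove_pool(self):
        """The address pool is deleted: nothing remains to be routed."""
        self.pool_valid = False
        self.active.clear()
        self.routes.clear()

    def table(self):
        return sorted(str(route) for route in self.routes)

    def idle_addresses_routed(self):
        """Addresses covered by a CAR route that have no tunnel behind them."""
        covered = sum(route.num_addresses for route in self.routes)
        return covered - len(self.active)


# Constructed event sequence using addresses from the lab's sup_grp pool.
EVENTS = [("connect", "20.20.0.30"), ("connect", "20.20.0.31"),
          ("disconnect", "20.20.0.30"), ("disconnect", "20.20.0.31")]


def replay(mode, events=EVENTS):
    """Return (route table, idle routed addresses) after every event."""
    model = CarRouteModel(mode, "20.20.0.30", "20.20.0.40", "255.255.255.0")
    snapshots = []
    for action, addr in events:
        if action == "connect":
            model.connect(addr)
        else:
            model.disconnect(addr)
        snapshots.append((model.table(), model.idle_addresses_routed()))
    return snapshots


if __name__ == "__main__":
    for mode in CarRouteModel.MODES:
        print(mode)
        for (action, addr), (table, idle) in zip(EVENTS, replay(mode)):
            print(f"  {action:<10} {addr:<12} routes={table} idle_routed={idle}")
```

Host Only keeps the idle count at zero, while either aggregation option routes the whole subnet toward the router, and Static Aggregation keeps doing so with no tunnels connected.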
Lab Summary
This lab demonstrated the configuration and use of Client Address Distribution (CAR), as well as its various options. Also demonstrated was the use of named Address Pools and their use in controlling users who are members of a group that is using an assigned address pool. The chapter covered the ability of the Nortel VPN Router to route and control traffic flow from a group of addresses that were not bound to any of its physical interfaces, and discussed the possible increase of security for the Private LAN by utilizing these addresses.
This chapter has provided you with basic instructions on configuring your VPN Router. Upon successful completion of this chapter, you should have a much better understanding of the capabilities of your Nortel VPN Router. The completion of this chapter should also help you build confidence in the browser-based interface and its use.
Now that you have a greater understanding of the VPN Router and its capabilities, you must understand how to troubleshoot network problems. Chapter 12 discusses not only troubleshooting general network data flow issues, but also troubleshooting VPN Router–specific issues.
CHAPTER 12
Troubleshooting Overview
In data communications, one thing is guaranteed: Problems do occur in data networks. Sometimes these problems are created by an individual or group of individuals. Sometimes these problems occur because of environmental issues. Regardless of why problems occur, they do occur. Being able to effectively diagnose a problem and reach a resolution is paramount.
When performing network troubleshooting, it is very easy to follow a single path and to forget some of the other contributors to the problem. Quite often, the problem is more in-depth than it appears from the beginning.
Knowing what tools are available to the network administrator can greatly increase the effectiveness in diagnosing problems in a network. Additionally, several proactive steps can be taken to reduce some of the pain when a network problem occurs.
Because other issues may arise that are causing issues with the VPN Router and its performance, it is important to understand some basics of network troubleshooting. This chapter discusses some of these basics, and provides an overview of troubleshooting problems with the VPN Router.
NOTE In several parts of this chapter, some third-party troubleshooting applications and tools are discussed. Several examples are listed for many of these tools and applications. The examples are for reference only and are not an endorsement of those products.
Overview of Network Troubleshooting
As noted previously, network problems will occur, and they can occur for many reasons. These issues can range from power outages to vendor compatibility issues. Knowing and understanding the tools that are available to you, as well as the answers to a few basic questions, can be instrumental in resolving the network problems as quickly and painlessly as possible. Following are some questions to consider when faced with an operational issue on the network:
■■ Is the problem related to a change that is occurring (or has recently occurred) on the network?
■■ Has the problem occurred before?
■■ Is the problem causing an outage or is redundancy built in place?
■■ How vital are the applications and users that are affected by the problem?
■■ Is the problem local to an individual subnet, or is it related to multiple subnets?
■■ Is the problem related to an individual network node, or multiple nodes?
■■ Can you localize the source of the problem?
■■ What are the users complaining about? What applications/services are affected?
Knowing what to ask and getting the answers to your questions will increase your effectiveness in resolving your problem.
Logical Steps
When a networking issue arises and it is brought to your attention, it is very important to take a few logical investigative steps before you start making changes. If you are not careful, you can create even more problems by making changes before you have a good, firm understanding of the problem and its source.
Make Sure You Understand the Problem
When a problem arises within a network, it is an issue because a user or multiple users are having problems reaching a service or an application. It is important to understand, from the user’s point of view, what the problem is. Are the users unable to access anything on the network, or is the problem that they cannot access a particular application that resides on the network?
Always remember that most issues within a network result from a problem with the physical connection or with a node that has malfunctioned. Of course, other issues can cause problems within a LAN, but these are the most common causes of problems.
Following are some questions that should be considered when gathering information to understand the problem:
■■ Are the users normally allowed access to the application or services that they are attempting to connect to?
■■ Is the user’s workstation configured correctly?
■■ Is the user’s workstation experiencing a hardware issue?
■■ Are the device/devices that are involved in the issue configured correctly?
■■ Have there been any recent changes?
Diagnosing the Problem
Once you have an understanding of the problem, the next step is to diagnose the problem. Initiate testing to see what layer within the OSI Reference Model is affected. Determine what user, or group of users, is affected. It is important that you determine the level of impact when diagnosing the problem.
It is also important to keep an open mind when diagnosing the problem. Take everything into consideration before formalizing your diagnosis. Far too often, a network administrator heads down the wrong track when diagnosing a problem, causing a delay in the resolution or compounding the issue.
When diagnosing a problem, ensure that you answer some basic questions that will assist you in gathering as much information as possible. Following are some sample questions:
■■ What do you know about the problem?
■■ What other factors must be considered?
■■ What testing can be performed on the affected equipment to help resolve the problem?
■■ If the devices involved in the problem subnet have logging capabilities, what are you able to determine about the problem from the data contained within the logs?
Testing
Generally, a problem must be proven or be replicated to be an actual problem. If you experience a momentary lapse of connectivity, and then connectivity is restored, the best thing to do is to wait to see if the problem arises again. Of course, if the device that had the momentary loss has logging capabilities, then the event log can give insight as to whether or not there is an actual problem.
Occasionally, you may experience an intermittent problem, but it is hard to determine when the problem will arise again. In this case, you can utilize a network management station or a network sniffer to try to nail down the problem as it occurs.
When testing a problem within your production network, you will need to ensure that you have some basic equipment with you. Some examples of network troubleshooting equipment include the following:
■■ A laptop computer
■■ A network sniffer, or sniffer software
■■ Appropriate console cables for the affected devices
There are many variables that might cause issues within your network. Understanding the network and historical documentation of network issues can help in reaching a solution to a problem. Solutions are often variable and each problem can present challenges that may not have been encountered before. Following are some examples of common solutions to network problems:
■■ Software upgrade
■■ Hardware upgrade
■■ Network traffic load-balancing
■■ Hardware replacement
■■ Changes introduced by another group
■■ Problems related to another group
■■ Network redesign to accommodate traffic pattern changes and network growth
TCP/IP Utilities
The TCP/IP protocol suite is one of the most used protocol suites in networking today. Most data equipment supports the TCP/IP protocol suite. All nodes that support TCP/IP contain a few basic tools that can assist in troubleshooting issues within a network.
This section discusses some of these tools. The examples provided will be from a Windows OS perspective, although any TCP/IP-supported node (including the Nortel VPN Router) has the capability to obtain the same data. All the tools discussed in this section are accessible on a Windows computer via the MS-DOS window. Following are the tools that are discussed:
The acronym “Ping” stands for Packet Internet Groper, but was originally named for the sounds that are made by sonar, which is used in submarines to detect other vessels under water. The name “Packet Internet Groper” came later on.
The purpose of Ping is to send a message from one TCP/IP system to another TCP/IP system to see if the network layer is functioning as expected. Ping sends an echo request from one node to another. The node that is being “pinged” will send an echo reply to the originating node.
The Ping command is not as useful as it used to be. Beginning in 2003, many Internet service providers (ISPs) started filtering out the ICMP type 8 packets (echo requests) to reduce the probability of an Internet worm virus flooding the ISP’s LAN.
To issue the ping command from a Windows operating system, you must access an MS-DOS utility. This can be done by going to the Start menu and clicking Run, as shown in Figure 12-1.
Once you have clicked the Run command, the Run dialog box opens. This window can be used to initiate any executable file within your Windows system. All Windows systems have a Ping utility loaded within the system directory. You can simply issue the command within the Run dialog box, but once the replies have all been received, the Ping utility will complete. It’s best to enter command in the Run dialog box. This opens an MS-DOS session. Figure 12-2 shows an example of the Run dialog box.
Once you have entered the MS-DOS window, you simply have to type ping followed by the IP address of the node that you are testing for reachability. For example, if you are testing whether or not a node can reach the IP address 216.109.112.135, you would type ping 216.109.112.135 from the C:\ prompt. If you receive a reply, then the connection is good. For example:
C:\>ping 216.109.112.135
Pinging 216.109.112.135 with 32 bytes of data:
Reply from 216.109.112.135: bytes=32 time=22ms TTL=48
Reply from 216.109.112.135: bytes=32 time=23ms TTL=48
Reply from 216.109.112.135: bytes=32 time=23ms TTL=48
Reply from 216.109.112.135: bytes=32 time=21ms TTL=48
Ping statistics for 216.109.112.135:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 23ms, Average = 22ms
Figure 12-1: The Windows Run command
Figure 12-2: Issuing the command to enter the MS-DOS window via the Run dialog box within the Windows OS
In this example, you can see that you are able to reach the node that you were searching for. The tested node has sent back echo replies, which are output to the screen within your MS-DOS session. In the following example, the tested node is not available:
C:\>ping 216.249.48.1
Pinging 216.249.48.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 216.249.48.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
In this example, it was determined that you are not able to reach the tested node and you can assume that this is either a non-existent IP address, or that there is a problem or a reason that you are not able to reach this node.
The Ping utility in a Windows environment has a few optional parameters that can be used to gather some additional information. To use one of these optional parameters, you simply add a minus (-) and then the letter for the parameter that you would like to use. These options are shown in Table 12-1.
Table 12-1: Ping Utility Options
OPTION            DESCRIPTION
-a                Resolve addresses to host names
-f                Set Don’t Fragment flag in packet
-i <TTL>          Time-to-Live (TTL)
-j <host-list>    Loose source route along host-list
-k <host-list>    Strict source route along host-list
-l <size>         Send buffer size
-n <count>        Number of echo requests to send
-r <count>        Record route for count hops
-s <count>        Timestamp for count hops
-v <TOS>          Type Of Service
-w <timeout>      Timeout in milliseconds to wait for each reply
You might use an optional parameter, for example, if you need to issue a continuous ping to test when a connection drops or when a node comes up. To issue a continuous ping, your syntax would be as follows:
C:\>ping 216.249.48.1 -t
Traceroute
Traceroute is another helpful tool that is supported by TCP/IP nodes. What the traceroute utility does is trace a packet’s path from a source node to a destination node.
In a Windows Command Line Interpreter (CLI) session, the traceroute tool is invoked by typing the command tracert followed by the IP address of the node that you are trying to reach. For example, if you want to trace the route from your PC to the IP address 216.109.112.135, you initiate the MS-DOS window and enter the command as follows:
All of this information is extremely helpful when troubleshooting. It can provide you information about the time it takes to get to a node, as well as whether or not the node is reachable.
The traceroute utility in a Windows environment has a few optional parameters that can be used to gather some additional information. To use one of these optional parameters, you simply add a minus (–) and then the letter for the parameter that you would like to use. These options are shown in Table 12-2.
Traceroute works by incrementing the TTL value for each successive packet that is sent. When a packet reaches a host node that is in the path to the destination, the host node will reduce the TTL value by 1 before passing the packet to the next node. Once the packet has a TTL value of 1, the host node will send an ICMP time-exceeded packet to the originating node. The originating node will then generate a list showing what hosts the packet reached on its way to a destination.
In other words, the packet destined for the first node will have a TTL of 1. The first node receives the packet, reduces the TTL by 1, and then sends the ICMP time-exceeded message to the originator, which will log this information to the screen. The originator then will send the next packet with a TTL of 2. The first node receives the packet, reduces the TTL by 1, and then forwards it to the second node. The second node now receives the packet with a TTL of 1 and then sends the message to the originator. This process continues until the destination node is reached, or the connection times out.
Although the traceroute utility can be helpful, it is important to realize that there can be a lot of redundancy built into networks, and that just because a packet takes a particular path one time, that does not mean it will take the same path a second time. Usually, when troubleshooting LAN-related issues, the packet will take the same path, but it may take a different path, and this may need to be considered.
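The TTL mechanism described above, as an added Python simulation (not from the book; no packets are sent). Router addresses are constructed from documentation ranges, and the silent-hop and alternating-path cases show how filtered ICMP and redundant paths change what the hop list means.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    address: str
    sends_icmp: bool = True  # False: the node filters or drops its ICMP replies


def send_probe(path, ttl):
    """Forward one probe along `path`; return (icmp_type, responder) or (None, None)."""
    for index, hop in enumerate(path):
        if index == len(path) - 1:
            # The probe reached the destination, which answers it directly.
            return ("echo-reply", hop.address) if hop.sends_icmp else (None, None)
        ttl -= 1  # every intermediate node reduces the TTL by 1
        if ttl == 0:
            # TTL used up at this node: the probe is dropped and, if the node
            # is allowed to, reported back with ICMP time-exceeded.
            return ("time-exceeded", hop.address) if hop.sends_icmp else (None, None)
    return (None, None)


def traceroute(path_for_probe, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one.

    `path_for_probe(ttl)` returns the path that probe takes, so a network with
    redundant paths can route successive probes differently.
    Returns (rows, reached) where rows is a list of (ttl, responder or "*").
    """
    rows = []
    for ttl in range(1, max_hops + 1):
        icmp_type, responder = send_probe(path_for_probe(ttl), ttl)
        rows.append((ttl, responder or "*"))
        if icmp_type == "echo-reply":
            return rows, True
    return rows, False


def stable(path):
    """Every probe follows the same path."""
    return lambda ttl: path


def alternating(path_a, path_b):
    """Odd-TTL probes take path_a, even-TTL probes take path_b."""
    return lambda ttl: path_a if ttl % 2 else path_b


# Constructed topology; only the destination address appears in the chapter.
DEST = "216.109.112.135"
ROUTE_A = [Hop("192.0.2.1"), Hop("198.51.100.1"), Hop("203.0.113.1"), Hop(DEST)]
ROUTE_B = [Hop("192.0.2.1"), Hop("198.51.100.9"), Hop("203.0.113.9"), Hop(DEST)]
SILENT_HOP = [ROUTE_A[0], Hop("198.51.100.1", sends_icmp=False), ROUTE_A[2], ROUTE_A[3]]
SILENT_DEST = ROUTE_A[:3] + [Hop(DEST, sends_icmp=False)]


if __name__ == "__main__":
    cases = {
        "stable path": stable(ROUTE_A),
        "hop 2 filters ICMP": stable(SILENT_HOP),
        "destination filters ICMP": stable(SILENT_DEST),
        "two redundant paths": alternating(ROUTE_A, ROUTE_B),
    }
    for name, chooser in cases.items():
        rows, reached = traceroute(chooser, max_hops=6)
        print(f"{name}: reached={reached}")
        for ttl, responder in rows:
            print(f"  {ttl:>2}  {responder}")
```

In the last case the listing mixes hops from both routes, so consecutive lines need not be adjacent nodes; in the third, a destination that is up but filters ICMP looks the same as one that is down.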
Table 12-2: Traceroute Options
OPTION               DESCRIPTION
-d                   Do not resolve addresses to host names
-h <maximum_hops>    Maximum number of hops to search for target
-j <host-list>       Loose source route along host-list
-w <timeout>         Wait timeout milliseconds for each reply
Routing Tables
The route command in MS-DOS allows you to add, remove, and view route information in the routing table. Most layer 3 network nodes also provide you with routing table information. The routing table is very useful when troubleshooting your network.
In an MS-DOS window, you can view, add, or delete the route information by using the route command, followed by the appropriate subcommand or optional parameter. The syntax for the route command is as follows:
C:\>route <-f/-p> <command> <destination> Mask <netmask> <gateway>
<destination> Specifies the host node
<netmask> Subnet mask
<gateway> The default gateway
<metric> Cost to the destination node
<interface> The interface to the destination
One of the most commonly used optional parameters is the print command, which is used to view the current routing table information for the PC workstation that you are using. Following is an example of the command and its output:
C:\>Route print
====================================================================
Interface List
0x1 MS TCP Loopback interface
0x2 44 45 53 54 42 00 NOC Extranet Access Adapter
0x3 00 10 b5 65 4d 1a NDIS 5.0 driver
========================================================================
Active Routes:
Ntwk Dest        Netmask            Gateway        Interface        Metric
0.0.0.0          0.0.0.0            192.168.1.1    192.168.1.100    1
127.0.0.0        255.0.0.0          127.0.0.1      127.0.0.1        1
192.168.1.100    255.255.255.255    127.0.0.1      127.0.0.1        1
Default Gateway: 192.168.1.1
Probably the most helpful of these optional parameters is the -s parameter, which provides you with statistical information for each of the major protocols within TCP/IP. An example of this follows:
c:\>netstat -s
IP Statistics
Packets Received = 52045
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 52045
Output Requests = 48287
Routing Discards = 0
Discarded Output Packets = 4
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
                           Received    Sent
Messages                   0           0
Errors                     0           0
Destination Unreachable    0           0
Time Exceeded              0           0
Parameter Problems         0           0
Source Quenches            0           0
Redirects                  0           0
Echos                      0           0
Echo Replies               0           0
Timestamps                 0           0
Timestamp Replies          0           0
Address Masks              0           0
Address Mask Replies       0           0
TCP Statistics
Active Opens = 1508
Passive Opens = 4
Failed Connection Attempts = 10
Reset Connections = 376
Current Connections = 0
Segments Received = 45440
Segments Sent = 42352
Segments Retransmitted = 14
UDP Statistics
Datagrams Received = 6589
No Ports = 16
Receive Errors = 0
Datagrams Sent = 5919
Table 12-3: Netstat Options
-s            Displays statistics for each protocol
<interval>    Reissues the command pausing the specified interval before repeating
The IPconfig utility allows you to see the system’s TCP/IP configuration. This is helpful if you are allowing DHCP to assign addresses to nodes, and you must determine the TCP/IP configuration of the workstation that you are on.
The IPconfig utility in a Windows environment has optional parameters that can be used to gather some additional information. To use one of these optional parameters, you simply add a forward slash (/) and then the letter for the parameter that you would like to use. These options are shown in Table 12-4.
To view the TCP/IP configuration of the Windows workstation, you enter the command IPconfig at the C:\ prompt in an MS-DOS window. For example:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix : hsd1.pqn.net.
IP Address : 192.168.1.10
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
Other Troubleshooting Tools
In addition to the utilities discussed in the previous section, some optional tools can be used that can save a lot of time and trouble when trying to narrow down the source of a connectivity problem. These tools include the following:
■■ A packet sniffer captures data packets and sorts the information based on user-controlled parameters to allow for the analysis of data that is transmitted in the network.
■■ A cable tester is a tool that allows for the testing of the physical cabling in the network to determine if there are any defects.
■■ A network management station can provide dynamic statistical information about your network, and can alert you to problems as soon as they arise.