Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-182765-2 MHID: 0-07-182765-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-182764-5, MHID: 0-07-182764-1.
eBook conversion by codeMantra Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Great thanks and humble appreciation to all of those who helped with this book. And to my kids and their kids, and ever and always to Sandy.
About the Author
Bobbi Sandberg is a small business consultant and retired CPA who has been a trainer, instructor, and teacher of all things computer in the Pacific Northwest for more than 40 years. She has “played” with computers since they occupied entire rooms and required perforated paper tape and punch cards. Today, she teaches hardware and software classes, solves hardware and software issues for a number of clients, and keeps networks functional on a regular basis. Bobbi is the author or coauthor of several computer books, including QuickBooks 2015: The Small Business Guide, Quicken 2015: The Official Guide, Quicken 2014: The Official Guide, Microsoft Office 2013 QuickSteps, and Computing for Seniors QuickSteps.
About the Technical Editors
Randal Nollan has been working with technology since the late 1970s when he wrote his first program on pink punch cards. Randal joined the U.S. Navy in 1980 as an Aviation Ordnanceman and retired in 2001. During that time, he maintained the dBase III vaccination database for the squadron corpsman and was always in the thick of maintaining the token ring network, computers, and terminals they had at the time. He graduated from Skagit Valley College CIS (networking) and MIT (programming) in 2003. He worked in Internet tech support from 2003 to 2005 and has since been working in computer repair for a local telephone company on Whidbey Island, Washington. In his spare time, he enjoys the outdoors by fishing, crabbing, bicycling, camping, and hunting. Indoor fun includes playing with anything tech related, remodeling his home, and making wine from any fruit that lands on his doorstep; sometime he may even stop working and drink it.
Dwight Spivey is the author of more than 20 books on computers and technology and has happily lent his expertise as a technical editor to several more titles. Dwight is happily married to Cindy, and they reside on the Gulf Coast of Alabama along with their four children. He studies theology, draws comic strips, and roots for the Auburn Tigers in his ever-decreasing spare time.
Van Aguirre is an information technology specialist who has broad experience in the field. Since the late 1990s, he has developed and taught courses in networking and multimedia technology, computing security, computer crime forensics, IT risk management, IT business continuity, and disaster recovery planning. Working with other IT professionals, he has planned and managed the implementation of evolving technologies, including virtualization, mobile, and cloud computing to support institutional business and strategic initiatives. As a project manager in educational technology, Van has established and promoted successful apprenticeship programs in IT desk service management for college students, integrating LEAN principles and ITIL processes to supplement technical skills.
Contents
Acknowledgments
Introduction
Part I Network Basics
Chapter 1 What Is a Network?
Local Area Network
Baseband vs. Broadband
Packet Switching vs. Circuit Switching
Cables and Topologies
Media Access Control
Addressing
Repeaters, Bridges, Switches, and Routers
Wide Area Networks
Protocols and Standards
Clients and Servers
Operating Systems and Applications
Chapter 2 The OSI Reference Model
Communications Between the Layers
Data Encapsulation
Horizontal Communications
Vertical Communications
Encapsulation Terminology
The Physical Layer
Physical Layer Specifications
Physical Layer Signaling
The Data Link Layer
Addressing
Media Access Control
Protocol Indicator
Error Detection
The Network Layer
Routing
Fragmenting
Connection-Oriented and Connectionless Protocols
The Transport Layer
Protocol Service Combinations
Transport Layer Protocol Functions
Segmentation and Reassembly
Flow Control
Error Detection and Recovery
The Session Layer
Dialog Control
Dialog Separation
The Presentation Layer
The Application Layer
Part II Network Hardware
Chapter 3 Network Interface Adapters
NIC Functions
NIC Features
Full Duplex
Bus Mastering
Parallel Tasking
Wake-on-LAN or Wake-on-Wireless-LAN
Selecting a NIC
Protocol
Transmission Speed
Network Interface
Bus Interface
Bottlenecks
ISA or PCI?
Integrated Adapters
Fiber-Optic NICs
Portable Systems
Hardware Resource Requirements
Power Requirements
Server vs. Workstation NICs
Chapter 4 Network Interface Adapters and Connection Devices
Repeaters
Hubs
Passive Hubs
Repeating, Active, and Intelligent Hubs
Token Ring MAUs
Hub Configurations
The Uplink Port
Stackable Hubs
Modular Hubs
Bridges
Transparent Bridging
Bridge Loops
Source Route Bridging
Bridging Ethernet and Token Ring Networks
Routers
Router Applications
Router Functions
Routing Tables
Windows Routing Tables
Routing Table Parsing
Static and Dynamic Routing
Selecting the Most Efficient Route
Discarding Packets
Packet Fragmentation
Routing and ICMP
Routing Protocols
Switches
Switch Types
Routing vs. Switching
Virtual LANs
Layer 3 Switching
Multiple-Layer Switching
Chapter 5 Cabling a Network
Cable Properties
Cabling Standards
Data Link Layer Protocol Standards
Coaxial Cable
Thick Ethernet
Thin Ethernet
Cable Television
Twisted-Pair Cable
Unshielded Twisted-Pair
Category 5e
Cat 6 and 6a
Cat 7
Connector Pinouts
Shielded Twisted-Pair
Fiber-Optic Cable
Fiber-Optic Cable Construction
Fiber-Optic Connectors
Chapter 6 Wireless LANs
Wireless Networks
Advantages and Disadvantages of Wireless Networks
Types of Wireless Networks
Wireless Applications
The IEEE 802.11 Standards
The Physical Layer
Physical Layer Frames
The Data Link Layer
Data Link Layer Frames
Media Access Control
Chapter 7 Wide Area Networks
Introduction to Telecommunications
WAN Utilization
Selecting a WAN Technology
PSTN (POTS) Connections
Leased Lines
Leased-Line Types
Leased-Line Hardware
Leased-Line Applications
ISDN
ISDN Services
ISDN Communications
ISDN Hardware
DSL
Switching Services
Packet-Switching Services
Circuit-Switching Services
Frame Relay
Frame-Relay Hardware
Virtual Circuits
Frame-Relay Messaging
ATM
The Physical Layer
The ATM Layer
The ATM Adaptation Layer
ATM Support
SONET
Chapter 8 Server Technologies
Purchasing a Server
Using Multiple Processors
Parallel Processing
Server Clustering
Using Hierarchical Storage Management
Fibre Channel Networking
Network Storage Subsystems
Chapter 9 Designing a Network
Reasoning the Need
Seeking Approval
Designing a Home or Small-Office Network
Selecting Computers
Selecting a Networking Protocol
Choosing a Network Medium
Choosing a Network Speed
Designing an Internetwork
Segments and Backbones
Distributed and Collapsed Backbones
Backbone Fault Tolerance
Selecting a Backbone LAN Protocol
Connecting to Remote Networks
Selecting a WAN Topology
Planning Internet Access
Locating Equipment
Wiring Closets
Data Centers
Finalizing the Design
Part III Network Protocols
Chapter 10 Ethernet Basics
Ethernet Defined
Ethernet Standards
Ethernet II
IEEE 802.3
DIX Ethernet and IEEE 802.3 Differences
IEEE Shorthand Identifiers
CSMA/CD
Collisions
Late Collisions
Physical Layer Guidelines
10Base-5 (Thick Ethernet)
10Base-2 (Thin Ethernet)
10Base-T or 100Base-T (Twisted-Pair Ethernet)
Fiber-Optic Ethernet
Cabling Guidelines
Exceeding Ethernet Cabling Specifications
The Ethernet Frame
The IEEE 802.3 Frame
The Ethernet II Frame
The Logical Link Control Sublayer
The SNAP Header
Full-Duplex Ethernet
Full-Duplex Requirements
Full-Duplex Flow Control
Full-Duplex Applications
Chapter 11 100Base Ethernet and Gigabit Ethernet
100Base Ethernet
Physical Layer Options
Cable Length Restrictions
Autonegotiation
Gigabit Ethernet
Gigabit Ethernet Architecture
Media Access Control
The Gigabit Media-Independent Interface
The Physical Layer
Ethernet Troubleshooting
Ethernet Errors
Isolating the Problem
100VG-AnyLAN
The Logical Link Control Sublayer
The MAC and RMAC Sublayers
The Physical Medium–Independent Sublayer
The Medium-Independent Interface Sublayer
The Physical Medium–Dependent Sublayer
The Medium-Dependent Interface
Working with 100VG-AnyLAN
Chapter 12 Networking Protocols
Token Ring
The Token Ring Physical Layer
Token Passing
Token Ring Frames
Token Ring Errors
FDDI
FDDI Topology
Part IV Network Systems
Chapter 13 TCP/IP
TCP/IP Attributes
TCP/IP Architecture
The TCP/IP Protocol Stack
IP Versions
IPv4 Addressing
Subnet Masking
IP Address Registration
Special IP Addresses
Subnetting
Ports and Sockets
TCP/IP Naming
TCP/IP Protocols
SLIP and PPP
ARP
IP
Chapter 14 Other TCP/IP Protocols
IPv6
IPv6 Addresses
IPv6 Address Structure
Other Protocols
ICMP
UDP
TCP
Chapter 15 The Domain Name System
Host Tables
Host Table Problems
DNS Objectives
Domain Naming
Top-Level Domains
Second-Level Domains
Subdomains
DNS Functions
Resource Records
DNS Name Resolution
Reverse Name Resolution
DNS Name Registration
Zone Transfers
DNS Messaging
The DNS Header Section
The DNS Question Section
DNS Resource Record Sections
DNS Message Notation
Name Resolution Messages
Root Name Server Discovery
Zone Transfer Messages
Chapter 16 Internet Services
Web Servers
Selecting a Web Server
HTML
HTTP
FTP Servers
FTP Commands
FTP Reply Codes
FTP Messaging
E-mail Addressing
E-mail Clients and Servers
Simple Mail Transfer Protocol
Post Office Protocol
Internet Message Access Protocol
Part V Network Operating Services
Chapter 17 Windows
The Role of Windows
Versions
Service Packs
Microsoft Technical Support
Operating System Overview
Kernel Mode Components
User Mode Components
Services
The Windows Networking Architecture
The NDIS Interface
The Transport Driver Interface
The Workstation Service
The Server Service
APIs
File Systems
FAT16
FAT32
NTFS
Resilient File System
The Windows Registry
Optional Windows Networking Services
Active Directory
Microsoft DHCP Server
Microsoft DNS Server
Windows Internet Naming Service
Chapter 18 Active Directory
Active Directory Architecture
Object Types
Object Naming
Domains, Trees, and Forests
DNS and Active Directory
Global Catalog Server
Deploying Active Directory
Creating Domain Controllers
Directory Replication
Sites
Microsoft Management Console
Designing an Active Directory
Planning Domains, Trees, and Forests
Chapter 19 Linux
Understanding Linux
Linux Distributions
Advantages and Disadvantages of Linux
File Systems
Linux Installation Questions
Directory Structure
Quick Commands in Linux
Working with Linux Files
Journaling
Editing
Lack of Fragmentation
Chapter 20 Unix
Unix Principles
Unix Architecture
Unix Versions
Unix System V
BSD Unix
Unix Networking
Using Remote Commands
Berkeley Remote Commands
DARPA Commands
Network File System
Client-Server Networking
Chapter 21 Other Network Operating Systems and Networking in the Cloud
Historical Systems
FreeBSD
NetBSD
OpenBSD
Oracle Solaris
Operating in the Cloud
History of the Cloud
Benefits of the Cloud
Disadvantages in the Cloud
How the Cloud Works
Cloud Types
Cloud Service Models
Infrastructure as a Service
Platform as a Service
Software as a Service
Network as a Service
Part VI Network Services
Chapter 22 Network Clients
Windows Network Clients
Windows Networking Architecture
NetWare Clients
Macintosh Clients
Connecting Macintosh Systems to Windows Networks
Unix Clients
Applications
Unix Access
Windows 7 Interface
Windows 8 Interface
Chapter 23 Network Security Basics
Securing the File System
The Windows Security Model
Windows File System Permissions
Unix File System Permissions
Verifying Identities
FTP User Authentication
Kerberos
Public Key Infrastructure
Digital Certificates
Token-Based and Biometric Authentication
Securing Network Communications
IPsec
SSL
Firewalls
Packet Filters
Network Address Translation
Proxy Servers
Circuit-Level Gateways
Combining Firewall Technologies
Chapter 24 Wireless Security
Wireless Functionality
Wireless Network Components
Wireless Router Types
Wireless Transmission
Wireless Access Points
Creating a Secure Wireless Network
Securing a Wireless Home Network
Securing a Business Network
Securing a Wireless Router
Securing Mobile Devices
What Are the Risks?
Unsecured Home Networks
Wireless Invasion Tools
Understanding Encryption
Chapter 25 Overview of Network Administration
Locating Applications and Data in Windows Systems
Server-Based Operating Systems
Server-Based Applications
Storing Data Files
Controlling the Workstation Environment
Drive Mappings in Windows
User Profiles
Controlling the Workstation Registry
Using System Policies
Chapter 26 Network Management and Troubleshooting Tools
Operating System Utilities
Windows Utilities
TCP/IP Utilities
Network Analyzers
Filtering Data
Traffic Analysis
Protocol Analysis
Cable Testers
Chapter 27 Backing Up
Backup Hardware
Backup Capacity Planning
Hard Disk Drives
RAID Systems
Using RAID
Network-Attached Storage
Magnetic Tape Drives
Tape Drive Interfaces
Magnetic Tape Capacities
Backup Software
Selecting Backup Targets
Backing Up Open Files
Recovering from a Disaster
Job Scheduling
Rotating Media
Backup Administration
Event Logging
Performing Restores
Index
Acknowledgments
This book, like most others, is the end product of a lot of hard work by many people. All of the people involved deserve great thanks. A special thank-you to the following:
• Roger Stewart, acquisitions editor at McGraw-Hill Education, for his support, understanding, and always available ear. He and his team are unbeatable.
• Two other members of the team, Patty Mon and Amanda Russell. Patty is the finest editorial supervisor around. She is beyond helpful, always considerate and thoughtful, and just “there” for any questions. She is a gem. The generous, organized, and always on “top” of any concern or issue, editorial coordinator Amanda Russell. Amanda either has the answer at hand or finds out quickly and reliably. These few descriptive words are only the tip of the iceberg when discussing their talent, professionalism, and always generous spirits.
• The technical editors, Randy Nollan and Dwight Spivey, for the support, suggestions, and ideas. These skilled and proficient gentlemen made the process fun. And a special thank-you to Van Aguirre for his hard work at the beginning of the project.
• Asheesh Ratra and his team at MPS Limited, who deserve great thanks and appreciation for their hard work and expertise. It was a pleasure and honor working with them!
Introduction
This book is designed as a thorough, practical planning guide and underpinning of knowledge for IT networking professionals around the world, including students of IT networking courses, beginning network administrators, and those seeking work in the IT networking field.
Benefit to You, the Reader
After reading this book, you will be able to set up an effective network. The book teaches everything, including methodology, analysis, case examples, tips, and all the technical supporting details needed to suit an IT audience’s requirements, so it will benefit everyone from beginners to those who are intermediate-level practitioners.
What This Book Covers
This book covers the details as well as the big picture for networking, including both physical and virtual networks. It discusses how to evaluate the various networking options and explains how to manage network security and troubleshooting.
Organization
This book is logically organized into six parts. Within each part, the chapters start with basic concepts and procedures, most of which involve specific networking tasks, and then work their way up to more advanced topics.
It is not necessary to read this book from beginning to end. Skip around as desired. The following sections summarize the book’s organization and contents.
Part I: Network Basics
This part of the book introduces networking concepts and explains both the OSI and TCP/IP models.
• Chapter 1: What Is a Network?
• Chapter 2: The OSI Reference Model
Part II: Network Hardware
This part of the book discusses the various hardware items used in a computer network. It also explains some basics when designing a network.
• Chapter 3: Network Interface Adapters
• Chapter 4: Network Interface Adapters and Connection Devices
• Chapter 5: Cabling a Network
• Chapter 6: Wireless LANs
• Chapter 7: Wide Area Networks
• Chapter 8: Server Technologies
• Chapter 9: Designing a Network
Part III: Network Protocols
This part of the book explains the various rules and protocols for networks.
• Chapter 10: Ethernet Basics
• Chapter 11: 100Base Ethernet and Gigabit Ethernet
• Chapter 12: Networking Protocols
Part IV: Network Systems
This part of the book covers the TCP/IP protocol suite, the Domain Name System, and the Internet services built on them.
• Chapter 13: TCP/IP
• Chapter 14: Other TCP/IP Protocols
• Chapter 15: The Domain Name System
• Chapter 16: Internet Services
Part V: Network Operating Services
In this part of the book, you will learn a bit more about the basics of some of the other services available, including cloud networking. In Chapter 23, you will learn some of the basics needed to secure your network.
• Chapter 17: Windows
• Chapter 18: Active Directory
• Chapter 19: Linux
• Chapter 20: Unix
• Chapter 21: Other Network Operating Systems and Networking in the Cloud
Part VI: Network Services
From clients to security to the all-important backup, this section covers some of the day-to-day operations in networking.
• Chapter 22: Network Clients
• Chapter 23: Network Security Basics
• Chapter 24: Wireless Security
• Chapter 25: Overview of Network Administration
• Chapter 26: Network Management and Troubleshooting Tools
• Chapter 27: Backing Up
Conventions
All how-to books—especially computer books—have certain conventions for communicating information. Here’s a brief summary of the conventions used throughout this book.
Menu Commands
Windows and most other operating systems make commands accessible on the menu bar at the top of the application window. Throughout this book, you are told which menu commands to choose to open a window or dialog or to complete a task. The following format is used to indicate menu commands: Menu | Submenu (if applicable) | Command.
Keystrokes
Keystrokes are the keys you must press to complete a task. There are two kinds of keystrokes:
• Keyboard shortcuts  Combinations of keys you press to complete a task more quickly. For example, the shortcut for “clicking” a Cancel button may be to press the Esc key. When you are to press a key, you will see the name of the key in small caps, like this: ESC. If you must press two or more keys simultaneously, they are separated with a hyphen, like this: CTRL-P.
• Literal text  Text you must type in exactly as it appears in the book. Although this book doesn’t contain many instances of literal text, there are a few. Literal text to be typed is in boldface type, like this: Type help at the prompt.
• Monospace font  Text that you see at the command line. It looks like this: Nslookup –nameserver
PART I
Network Basics
CHAPTER 1 What Is a Network?
CHAPTER 2 The OSI Reference Model
CHAPTER 1
What Is a Network?
At its core, a network is simply two (or more) connected computers. Computers can be connected with copper cables, telephone lines, or fiber-optic lines, or they can connect wirelessly with radio waves or even infrared signals. When computers are able to communicate, they can work together in a variety of ways: by sharing their resources with each other, by distributing the workload of a particular task, or by exchanging messages. Today, the most widely used network is the Internet. This book examines in detail how computers on a network communicate; what functions they perform; and how to go about building, operating, and maintaining them.
The original model for collaborative computing was to have a single large computer connected to a series of terminals, each of which would service a different user. This was called timesharing because the computer divided its processor clock cycles among the terminals. Using this arrangement, the terminals were simply communications devices; they accepted input from users through a keyboard and sent it to the computer. When the computer returned a result, the terminal displayed it on a screen or printed it on paper. These terminals were sometimes called dumb terminals because they didn’t perform any calculations on their own. The terminals communicated with the main computer, never with each other.
As time passed and technology progressed, engineers began to connect computers so that they could communicate. At the same time, computers were becoming smaller and less expensive, giving rise to mini- and microcomputers. The first computer networks used individual links, such as telephone connections, to connect two systems. There are a number of computer networking types and several methods of creating these types, which will be covered in this chapter.
Local Area Network
Soon after the first IBM PCs hit the market in the 1980s and rapidly became accepted as a business tool, the advantages of connecting these small computers became obvious. Rather than supplying every computer with its own printer, a network of computers could share a single printer. When one user needed to give a file to another user, a network eliminated the need to swap floppy disks. The problem, however, was that connecting a dozen computers in an office with individual point-to-point links between all of them was not practical. The eventual solution to this problem was the local area network (LAN).
A LAN is a group of computers connected by a shared medium, usually a cable. By sharing a single cable, each computer requires only one connection and can conceivably communicate with any other computer on the network. A LAN is limited to a local area by the electrical properties of the cables used to construct it and by the relatively small number of computers that can share a single network medium. LANs are generally restricted to operation within a single building or, at most, a campus of adjacent buildings.
Some technologies, such as fiber optics, have extended the range of LANs to several kilometers, but it isn’t possible to use a LAN to connect computers in distant cities, for example. That is the province of the wide area network (WAN), as discussed later in this chapter.
In most cases, a LAN is a baseband, packet-switching network. An understanding of the terms baseband and packet switching, which are examined in the following sections, is necessary to understand how data networks operate because these terms define how computers transmit data over the network medium.
Baseband vs. Broadband
A baseband network is one in which the cable or other network medium can carry only a single signal at any one time. A broadband network, on the other hand, can carry multiple signals simultaneously, using a discrete part of the cable’s bandwidth for each signal. As an example of a broadband network, consider the cable television service you probably have in your home. Although only one cable runs to your TV, it supplies you with dozens of channels of programming at the same time. If you have more than one television connected to the cable service, the installer probably used a splitter (a coaxial fitting with one connector for the incoming signals and two connectors for outgoing signals) to run the single cable entering your house to two different rooms. The fact that the TVs can be tuned to different programs at the same time while connected to the same cable proves that the cable is providing a separate signal for each channel at all times. A baseband network uses pulses applied directly to the network medium to create a single signal that carries binary data in encoded form. Compared to broadband technologies, baseband networks span relatively short distances because they are subject to degradation caused by electrical interference and other factors. The effective maximum length of a baseband network cable segment diminishes as its transmission rate increases. This is why local area networking protocols such as Ethernet have strict guidelines for cable installations.
NOTE  A cable segment is an unbroken network cable that connects two nodes.
Packet Switching vs. Circuit Switching
LANs are called packet-switching networks because their computers divide their data into small, discrete units called packets before transmitting it. There is also a similar technique called cell switching, which differs from packet switching only in that cells are always a consistent, uniform size, whereas the size of packets is variable. Most LAN technologies, such as Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI), use packet switching. Asynchronous Transfer Mode (ATM) is the cell-switching LAN protocol that is most commonly used.
Understanding Packets
E-mail may be the easiest way to understand packets. The sending system divides each message into packets of a limited size, often between 1,000 and 1,500 bytes each. Each packet is then forwarded independently along the best route available at the time. For example, if you are sending an e-mail to your company’s home office from your vacation cabin, the packets may travel along different routes. This is more efficient, and if any one piece of equipment in the network stops working properly while a message is being transferred, the packets that would have used that piece of equipment can be routed around the problem area and sent another way. When the message reaches its destination, the packets are reassembled for delivery of the entire message.
Segmenting the data in this way is necessary because the computers on a LAN share a single cable, and a computer transmitting a single unbroken stream of data would monopolize the network for too long. If you were to examine the data being transmitted over a packet-switching network, you would see the packets generated by several different systems intermixed on the cable. The receiving system, therefore, must have a mechanism for reassembling the packets into the correct order and recognizing the absence of packets that may have been lost or damaged in transit.
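The reassembly mechanism just described, as an added example that is not part of the book: the sender tags each packet with a sequence number, the packet count, and a checksum of its payload; the receiver rebuilds the message from packets delivered in any order and reports which sequence numbers were lost, duplicated, or damaged. The header layout, the 1,400-byte payload limit, and the sample message are choices made for this example, not a real protocol.

```python
import random
import struct
import zlib

MAX_PAYLOAD = 1400                 # bytes of data per packet (assumed for the example)
HEADER = struct.Struct("!HHI")     # sequence number, packet count, CRC-32 of the payload


def segment(message: bytes, max_payload: int = MAX_PAYLOAD) -> list:
    """Split a message into packets.  Each carries its position in the message,
    how many packets make up the whole, and a checksum of its own payload."""
    chunks = [message[i:i + max_payload] for i in range(0, len(message), max_payload)] or [b""]
    total = len(chunks)
    return [HEADER.pack(seq, total, zlib.crc32(chunk)) + chunk for seq, chunk in enumerate(chunks)]


def reassemble(packets: list) -> tuple:
    """Rebuild a message from packets that arrived in any order.
    Returns (message, report).  message is None if anything is missing or
    corrupt; report says which sequence numbers were affected."""
    received = {}
    report = {"missing": [], "duplicate": [], "corrupt": []}
    total = None
    for raw in packets:
        if len(raw) < HEADER.size:             # truncated: cannot even read the header
            report["corrupt"].append(None)
            continue
        seq, count, crc = HEADER.unpack_from(raw)
        payload = raw[HEADER.size:]
        if total is None:
            total = count
        if count != total or seq >= total:     # header contradicts the rest of the message
            report["corrupt"].append(seq)
        elif zlib.crc32(payload) != crc:       # payload damaged in transit
            report["corrupt"].append(seq)
        elif seq in received:                  # the network delivered this packet twice
            report["duplicate"].append(seq)
        else:
            received[seq] = payload
    if total is not None:
        report["missing"] = [s for s in range(total) if s not in received]
    if total is None or report["missing"] or report["corrupt"]:
        return None, report
    return b"".join(received[s] for s in range(total)), report


def demo() -> dict:
    """Push one constructed message through a 'network' that reorders, loses,
    duplicates, and damages packets, and collect what the receiver reports."""
    rng = random.Random(7)
    message = bytes(rng.randrange(256) for _ in range(5000))   # constructed sample data
    packets = segment(message)                                 # 4 packets: 3 x 1400 + 800
    shuffled = packets[:]
    rng.shuffle(shuffled)
    damaged = packets[:]
    body = bytearray(damaged[1])
    body[HEADER.size] ^= 0xFF                                   # flip one payload byte
    damaged[1] = bytes(body)
    return {
        "reordered_ok": reassemble(shuffled)[0] == message,
        "lost": reassemble(packets[1:])[1]["missing"],
        "duplicate": reassemble(packets + [packets[2]])[1]["duplicate"],
        "corrupt": reassemble(damaged)[1]["corrupt"],
    }


if __name__ == "__main__":
    print(demo())
```

A CRC catches accidental damage only; it does not stop a deliberate change, because anyone who can alter the payload can recompute the checksum. A real receiver also has to cap how many incomplete messages it holds in memory, since a sender that emits fragments that never complete can otherwise exhaust the reassembly buffer.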
The opposite of packet switching is circuit switching, in which one system establishes a dedicated communication channel to another system before any data is transmitted. In the data networking industry, circuit switching is used for certain types of wide area networking technologies, such as Integrated Services Digital Network (ISDN) and dial-up connections over the public telephone network. The classic example of a circuit-switching network is the public telephone system. When you place a call to another person, a physical circuit is established between your telephone and theirs. This circuit remains active for the entire duration of the call, and no one else can use it, even when it is not carrying any data (that is, when no one is talking).
In the early days of the telephone system, every phone was connected to a central office with a dedicated cable, and operators using switchboards manually connected a circuit between the two phones for every call. While today the process is automated and the telephone system transmits many signals over a single cable, the underlying principle is the same.
LANs were originally designed to connect a small number of computers into what later came to be called a workgroup. Rather than investing a huge amount of money into a large, mainframe computer and the support system needed to run it, business owners came to realize that they could purchase a few computers, cable them together, and perform most of the computing tasks they needed. As the capabilities of personal computers and applications grew, so did the networks, and the technology used to build them progressed as well.
Cables and Topologies
Most LANs are built around copper cables that use standard electrical currents to relay their signals. Originally, most LANs consisted of computers connected with coaxial cables, but eventually, the twisted-pair cabling used for telephone systems became more popular. Another alternative is fiber-optic cable, which doesn’t use electrical signals at all but instead uses pulses of light to encode binary data. Other types of network infrastructures eliminate cables entirely and transmit signals using what is known as unbounded media, such as radio waves, infrared, and microwaves.
NOTE  For more information about the various types of cables used in data networking, see Chapter 5.
LANs connect computers using various types of cabling patterns called topologies (see Figure 1-1), which depend on the type of cable used and the protocols running on the computers. The most common topologies are as follows:
• Bus  A bus topology takes the form of a cable that runs from one computer to the next one in a daisy-chain fashion, much like a string of Christmas tree lights. All of the signals transmitted by the computers on the network travel along the bus in both directions to all of the other computers. The two ends of the bus must be terminated with electrical resistors that nullify the voltages reaching them so that the signals do not reflect in the other direction. The primary drawback of the bus topology is that, like the string of Christmas lights it resembles, a fault in the cable anywhere along its length splits the network in two and prevents systems on opposite sides of the break from communicating. In addition, the lack of termination at either half can prevent computers that are still connected from communicating properly. As with Christmas lights, finding a single faulty connection in a large bus network can be troublesome and time consuming. Most coaxial cable networks, such as the original Ethernet LANs, use a bus topology.
• Star (hub and spoke)  A star topology uses a separate cable for each computer that runs to a central cabling nexus called a hub or concentrator. The hub propagates the signals entering through any one of its ports out through all of the other ports so that the signals transmitted by each computer reach all the other computers. Hubs also amplify the signals as they process them, enabling them to travel longer distances without degrading. A star network is more fault tolerant than a bus because a break in a cable affects only the device to which that cable is connected, not the entire network. Most of the networking protocols that call for twisted-pair cable, such as 10Base-T and 100Base-T Ethernet, use the star topology.
• Star bus  A star bus topology is one method for expanding the size of a LAN beyond a single star. In this topology, a number of star networks are joined together using a separate bus cable segment to connect their hubs. Each computer can still communicate with any other computer on the network because each of the hubs transmits its incoming traffic out through the bus port as well as the other star ports. Designed to expand 10Base-T Ethernet networks, the star bus is rarely seen today because of the speed limitations of coaxial bus networks, which can function as a bottleneck that degrades the performance of faster star network technologies such as Fast Ethernet.
• Ring  This topology is similar to a bus topology, except that signals travel in one direction only, from station to station. A ring topology often uses separate physical ports and wires to send and receive data. A ring topology is functionally equivalent to a bus topology with the two ends connected so that signals travel from one computer to the next in an endless circular fashion. However, the communications ring is only a logical construct, not a physical one. The physical network is actually cabled using a star topology, and a special hub called a multistation access unit (MSAU) implements the logical ring by taking each incoming signal and transmitting it out through the next downstream port only (instead of through all of the other ports, like a star hub). Each computer, upon receiving an incoming signal, processes it (if necessary) and sends it right back to the hub for transmission to the next station on the ring. Because of this arrangement, systems that transmit signals onto the network must also remove the signals after they have traversed the entire ring. Networks configured in a ring topology can use several different types of cable. Token Ring networks, for example, use twisted-pair cables, while FDDI networks use the ring topology with fiber-optic cable.
• Daisy chains  These topologies are the simplest form, as one device is connected to another through serial ports. Think of a computer hooked to a printer and the printer, in turn, being hooked to a laptop.
• Hierarchical star  The hierarchical star topology is the most common method for expanding a star network beyond the capacity of its original hub. When a hub’s ports are all filled and you have more computers to connect to the network, you can connect the original hub to a second hub using a cable plugged into a special port designated for this purpose. Traffic arriving at either hub is then propagated to the other hub as well as to the connected computers. The number of hubs that a single LAN can support is dependent on the protocol it uses.
Figure 1-1  Common cable topologies
The topologies discussed here are physical topologies, which differ from logical topologies that are discussed in later chapters. Physical topologies refer to the placement of cables and other components of the network. Logical topologies refer to the flow of data on the network.
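The fault-tolerance claims above (a bus fault splits the network, a star fault isolates one station, a hierarchical star's uplink is a single point of failure) can be checked by modelling each physical topology as a graph and cutting one cable at a time. This is an added example, not material from the book; the six-station LAN, the hub names, and the link representation are constructed for it.

```python
from collections import deque

STATIONS = ["pc1", "pc2", "pc3", "pc4", "pc5", "pc6"]   # constructed sample LAN


def bus_links(stations):
    """Bus: one cable daisy-chained from station to station."""
    return {frozenset(pair) for pair in zip(stations, stations[1:])}


def star_links(stations, hub="hub1"):
    """Star: a separate cable from each station to one hub."""
    return {frozenset((hub, s)) for s in stations}


def hierarchical_star_links(stations):
    """Hierarchical star: two hubs, each with half the stations, joined by an uplink cable."""
    half = len(stations) // 2
    links = star_links(stations[:half], "hub1") | star_links(stations[half:], "hub2")
    links.add(frozenset(("hub1", "hub2")))   # the cable between the two hubs' uplink ports
    return links


def reachable(links, start):
    """Every node (station or hub) that a signal from `start` can still reach."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for link in links:
            if node in link:
                (other,) = link - {node}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def partitions(links, stations, broken):
    """Groups of stations that can still talk to each other once `broken` is cut."""
    remaining = links - {broken}
    groups, left = [], set(stations)
    while left:
        group = reachable(remaining, min(left)) & set(stations)
        groups.append(sorted(group))
        left -= group
    return sorted(groups)


def worst_case(links, stations):
    """Most stations that any single cable fault can cut off from the largest surviving group."""
    worst = 0
    for broken in links:
        biggest = max(len(g) for g in partitions(links, stations, broken))
        worst = max(worst, len(stations) - biggest)
    return worst


if __name__ == "__main__":
    for name, links in [("bus", bus_links(STATIONS)),
                        ("star", star_links(STATIONS)),
                        ("hierarchical star", hierarchical_star_links(STATIONS))]:
        print(f"{name}: one cable fault cuts off up to {worst_case(links, STATIONS)} stations")
```

The same walk can be pointed at a real cabling diagram to find which single cable carries the most stations, which is the first question to ask when an attacker, rather than a fault, might be the one cutting it.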
Media Access Control
When multiple computers are connected to the same baseband network medium, there must be a media access control (MAC) mechanism that arbitrates access to the network to prevent systems from transmitting data at the same time. A MAC mechanism is a fundamental part of all local area networking protocols that use a shared network medium. The two most common MAC mechanisms are Carrier Sense Multiple Access with Collision Detection (CSMA/CD), which is used by Ethernet networks, and token passing, which is used by Token Ring, FDDI, and other protocols. These two mechanisms are fundamentally different, but they accomplish the same task by providing each system on the network with an equal opportunity to transmit its data. (For more information about these MAC mechanisms, see Chapter 10 for CSMA/CD and Chapter 12 for token passing.)
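To show what "arbitrating access" looks like in practice, here is an added example (not from the book) that simulates CSMA/CD on one shared medium slot by slot: stations sense the medium, transmit when they are not backing off, detect overlapping transmissions as collisions, and retry after a random wait drawn from a window that doubles on each collision (truncated binary exponential backoff, as real Ethernet does, with the same 16-attempt limit). The one-slot frame length, the four-station LAN, and the seed are simplifications chosen for the example.

```python
import random

MAX_ATTEMPTS = 16   # Ethernet discards a frame after 16 collisions
MAX_EXPONENT = 10   # the backoff window stops growing at 2**10 slots


def simulate(stations=4, frames_per_station=3, seed=1):
    """Slot-by-slot CSMA/CD on one shared medium.  Simplification: a frame
    occupies exactly one slot, and every station senses the medium instantly."""
    rng = random.Random(seed)
    pending = {s: frames_per_station for s in range(stations)}   # frames still to send
    backoff = {s: 0 for s in range(stations)}                    # slots left to wait
    attempts = {s: 0 for s in range(stations)}                   # collisions on current frame
    log = []                                                     # (slot, event, stations)
    slot = 0
    while any(pending.values()):
        # Carrier sense: a station transmits when it has data and is not backing off.
        ready = [s for s in range(stations) if pending[s] and backoff[s] == 0]
        if len(ready) == 1:
            (s,) = ready
            pending[s] -= 1
            attempts[s] = 0
            log.append((slot, "success", ready))
        elif ready:
            # Collision detection: every transmitter hears the overlap and backs off.
            log.append((slot, "collision", ready))
            for s in ready:
                attempts[s] += 1
                if attempts[s] >= MAX_ATTEMPTS:
                    pending[s] -= 1          # give up on this frame
                    attempts[s] = 0
                    log.append((slot, "dropped", [s]))
                    continue
                # Truncated binary exponential backoff: wait 0 .. 2**n - 1 slots.
                window = 2 ** min(attempts[s], MAX_EXPONENT)
                backoff[s] = rng.randrange(window)
        else:
            log.append((slot, "idle", []))
        # Stations that were not involved this slot count down their wait.
        for s in range(stations):
            if s not in ready and backoff[s] > 0:
                backoff[s] -= 1
        slot += 1
    return log


def summarize(log):
    """Totals a practitioner would look at: throughput, collisions, and fairness checks."""
    successes = [e for e in log if e[1] == "success"]
    return {
        "delivered": len(successes),
        "collisions": sum(1 for e in log if e[1] == "collision"),
        "dropped": sum(1 for e in log if e[1] == "dropped"),
        "slots": log[-1][0] + 1 if log else 0,
        "one_sender_per_success": all(len(e[2]) == 1 for e in successes),
    }


if __name__ == "__main__":
    for event in simulate()[:8]:
        print(event)
    print(summarize(simulate()))
```

Run it with more stations or more frames per station and the collision count climbs, which is the practical reason shared-medium Ethernet gave way to switched, full-duplex links. The backoff draw is also the point a misbehaving station can exploit: one that always picks a wait of zero wins every contention, so fairness in CSMA/CD depends on every participant following the rules.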
AddressingForsystemsonasharednetworkmediumtocommunicateeffectively,theymusthavesomemeansofidentifyingeachother,usuallysomeformofnumericaladdress.Inmostcases,thenetworkinterfacecard(NIC)installedintoeachcomputerhasanaddresshard-codedintoitatthefactory,calleditsMACaddressorhardwareaddress,whichuniquelyidentifiesthatcardamongallothers.Everypacketthateachcomputertransmitsoverthenetworkcontainstheaddressofthesendingcomputerandtheaddressofthesystemforwhichthepacketisintended.
InadditiontotheMACaddress,systemsmayhaveotheraddressesoperatingatotherlayers.Forexample,TransmissionControlProtocol/InternetProtocol(TCP/IP)requiresthateachsystembeassignedauniqueIPaddressinadditiontotheMACaddressitalreadypossesses.Systemsusethevariousaddressesfordifferenttypesofcommunications.(SeeChapter3formoreinformationonMACaddressingandChapter13formoreinformationonIPaddressing.)
Repeaters, Bridges, Switches, and Routers
LANs were originally designed to support only a relatively small number of computers (30 for thin Ethernet networks and 100 for thick Ethernet), but the needs of businesses quickly outgrew these limitations. To support larger installations, engineers developed products that enabled administrators to connect two or more LANs into what is known as an internetwork, which is essentially a network of networks that enables the computers on one network to communicate with those on another. Don't confuse the generic term internetwork with the Internet. The Internet is an example of an extremely large internetwork, but any installation that consists of two or more LANs connected is also an internetwork. This terminology is confusing because it is so often misused. Sometimes what users mean when they refer to a network is actually an internetwork, and at other times, what may seem to be an internetwork is actually a single LAN. Strictly speaking, a LAN or a network segment is a group of computers that share a network cable so that a broadcast message transmitted by one system reaches all of the other systems, even if that segment is actually composed of many pieces of cable. For example, on a typical 10Base-T Ethernet LAN, all of the computers are connected to a hub using individual lengths of cable. Regardless of that fact, this arrangement is still an example of a network segment or LAN. Individual LANs can be connected using several different types of devices, some of which simply extend the LAN while another creates an internetwork. These devices are as follows:
• Repeaters A repeater is a purely electrical device that extends the maximum distance a LAN cable can span by amplifying the signals passing through it. The hubs used on star networks are sometimes called multiport repeaters because they have signal amplification capabilities integrated into the unit. Stand-alone repeaters are also available for use on coaxial networks to extend them over longer distances. Using a repeater to expand a network segment does not divide it into two LANs or create an internetwork.
• Bridges A bridge provides the amplification function of a repeater, along with the ability to selectively filter packets based on their addresses. Packets that originate on one side of the bridge are propagated to the other side only if they are addressed to a system that exists there. Because bridges do not prevent broadcast messages from being propagated across the connected cable segments, they, too, do not create multiple LANs or transform a network into an internetwork.
• Switches Switches are revolutionary devices that in many cases eliminate the shared network medium entirely. A switch resembles a hub, but instead of operating as a multiport repeater at a purely electrical level, it reads the destination address in each incoming packet and transmits it out only through the port to which the destination system is connected; functionally, it is a multiport bridge.
• Routers A router is a device that connects two LANs to form an internetwork. Like a bridge, a router forwards only the traffic that is destined for the connected segment, but unlike repeaters and bridges, routers do not forward broadcast messages. Routers can also connect different types of networks (such as Ethernet and Token Ring), whereas bridges and repeaters can connect only segments of the same type.
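The switch behaviour described above, as an added example that is not code from the book. The text says a switch forwards a frame only through the port where the destination is connected but does not say how the switch knows that; this simulation adds the usual mechanism, which is that the switch records the source address of every frame it sees against the ingress port and floods (behaves like a hub) for the broadcast address and for destinations it has not learned yet. The address table has a fixed capacity, as real switch memory does, so once it is full new stations are not learned and traffic to them keeps being flooded. The addresses and port numbers are constructed for the example.

```python
"""Added example (not code from the book): a simulated learning switch."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, capacity=1024):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = {}  # source MAC -> port on which it was last seen

    def forward(self, in_port, src, dst):
        """Handle one frame that arrived on in_port; return the set of egress ports."""
        # Learning step: remember where src lives, unless the table is full.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = in_port
        # Flooding step: broadcast and unknown unicast go out every other port.
        if dst == BROADCAST or dst not in self.table:
            return {p for p in self.ports if p != in_port}
        out_port = self.table[dst]
        # Destination sits on the ingress segment: nothing to forward.
        if out_port == in_port:
            return set()
        return {out_port}


def demo():
    """Four frames on a four-port switch; returns the egress ports for each."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b, c = "00:1b:21:00:00:01", "00:1b:21:00:00:02", "00:1b:21:00:00:03"
    return [
        sw.forward(1, a, b),          # b unknown: flooded to ports 2, 3, 4
        sw.forward(2, b, a),          # a was learned on port 1: only port 1
        sw.forward(1, a, b),          # b was learned on port 2: only port 2
        sw.forward(3, c, BROADCAST),  # broadcast: every port except 3
    ]


if __name__ == "__main__":
    for egress in demo():
        print(sorted(egress))
```

The capacity limit is the point a security engineer cares about: a station that sends frames from thousands of forged source addresses fills the table, after which the switch floods traffic for stations it can no longer learn, and a listener on any port sees it. Limiting the number of addresses learned per port (port security on most managed switches) is the usual defence.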
Wide Area Networks
Internetworking enables an organization to build a network infrastructure of almost unlimited size. In addition to connecting multiple LANs in the same building or campus, an internetwork can connect LANs at distant locations through the use of wide area network links. A WAN is a collection of LANs, some or all of which are connected using point-to-point links that span relatively long distances. A typical WAN connection consists of two routers, one at each LAN site, connected using a long-distance link such as a leased telephone line. Any computer on one of the LANs can communicate with the other LAN by directing its traffic to the local router, which relays it over the WAN link to the other site.
WAN links differ from LANs in that they do not use a shared network medium and they can span much longer distances. Because the link connects only two systems, there is no need for media access control or a shared network medium. An organization with offices located throughout the world can build an internetwork that provides users with instantaneous access to network resources at any location. The WAN links themselves can use technologies ranging from telephone lines to public data networks to satellite systems. Unlike a LAN, which is nearly always privately owned and operated, an outside service provider (such as a telephone company) is nearly always involved in a WAN connection because private organizations don't usually own the technologies needed to carry signals over such long distances. Generally speaking, WAN connections can be slower and more expensive than LANs, and sometimes much more so. As a result, one of the goals of the network administrator is to maximize the efficiency of WAN traffic by eliminating unnecessary communications and choosing the best type of link for the application. See Chapter 7 for more information on WAN technologies.
There are also wireless LAN/WAN networks and metropolitan area networks (MANs). A MAN has three features that differentiate it from both a LAN and a WAN:
• A MAN's size is usually between that of a LAN and a WAN. Typically, it covers between 3 and 30 miles (5 to 50 km). A MAN can encompass several buildings, a company campus, or a small town.
• As with WANs, MANs are normally owned by a group or a network provider.
• MANs are often used as a way to provide shared access to one or more WANs.
Protocols and Standards
Communications between computers on a network are defined by protocols, standardized methods that the software programs on the computers have in common. These protocols define every part of the communications process, from the signals transmitted over network cables to the query languages that enable applications on different machines to exchange messages. Networked computers run a series of protocols, called a protocol stack, that spans from the application user interface at the top to the physical network interface at the bottom. The stack is traditionally split into seven layers. The Open Systems Interconnection (OSI) reference model defines the functions of each layer and how the layers work together to provide network communications. Chapter 2 covers the OSI reference model in detail.
Early networking products tended to be proprietary solutions created by a single manufacturer, but as time passed, interoperability became a greater priority, and organizations were formed to develop and ratify networking protocol standards. Most of these bodies are responsible for large numbers of technical and manufacturing standards in many different disciplines. Today, most of the protocols in common use are standardized by these bodies, some of which are as follows:
• Institute of Electrical and Electronics Engineers (IEEE) A U.S.-based society responsible for the IEEE 802 family of standards, produced by its 802 working groups, which includes the standards that define the protocols commonly known as Ethernet and Token Ring, as well as many others.
• International Organization for Standardization (ISO) A worldwide federation of standards bodies from more than 100 countries, responsible for the publication of the OSI reference model document.
• Internet Engineering Task Force (IETF) An ad hoc group of contributors and consultants who collaborate to develop and publish standards for Internet technologies, including the TCP/IP protocols.
Clients and Servers
Local area networking is based on the client-server principle, in which the processes needed to accomplish a particular task are divided between computers functioning as clients and servers. This is in direct contrast to the mainframe model, in which the central computer did all of the processing and simply transmitted the results to a user at a remote terminal. A server is a computer running a process that provides a service to other computers when they request it. A client is the computer running a program that requests the service from a server.
For example, a LAN-based database application stores its data on a server, which stands by, waiting for clients to request information from it. Users at workstation computers run a database client program in which they generate queries that request specific information in the database and transmit those queries to the server. The server responds to the queries with the requested information and transmits it to the workstations, which format it for display to the users. In this case, the workstations are responsible for providing a user interface and translating the user input into a query language understood by the server. They are also responsible for taking the raw data from the server and displaying it in a comprehensible form to the user. The server may have to service dozens or hundreds of clients, so it is still a powerful computer. By offloading some of the application's functions to the workstations, however, its processing burden is nowhere near what it would be on a mainframe system.
Operating Systems and Applications
Clients and servers are actually software components, although some people associate them with specific hardware elements. This confusion arises because some network operating systems require that a computer be dedicated to the role of server and that other computers function solely as clients. This is a client-server operating system, as opposed to a peer-to-peer operating system, in which every computer can function as both a client and a server. The most basic client-server functionality provided by a network operating system (NOS) is the ability to share file system drives and printers, and this is what usually defines the client and server roles. At its core, a NOS makes services available to its network clients. The system can provide the following:
• Printer services, including managing devices, print jobs, who is using what asset, and what assets are not available to the network
• Managing user access to files and other resources, such as the Internet
• System monitoring, including providing network security
• Making network administration utilities available to network administrators
Apart from the internal functions of network operating systems, many LAN applications and network services also operate using the client-server paradigm. Internet applications, such as the World Wide Web, consist of servers and clients, as do administrative services such as the Domain Name System (DNS).
Most of today's desktop operating systems are capable of providing some of the services traditionally ascribed to NOSs, and many small-office/home-office (SOHO) LAN implementations take advantage of that fact. Understanding this may help clarify the distinction between LANs that are truly client-server, relying on network operating systems, and those network configurations that leverage powerful computers with today's operating systems. These operating systems are not limited to computers, but can include cell phones, tablets, and other products that are not considered to be "computers."
CHAPTER 2
The OSI Reference Model
Network communications take place on many levels and can be difficult to understand, even for the knowledgeable network administrator. The Open Systems Interconnection (OSI) reference model is a theoretical construction that separates network communications into seven distinct layers, as shown in Figure 2-1. Each computer on the network uses a series of protocols to perform the functions assigned to each layer. The layers collectively form what is known as the protocol stack or networking stack. At the top of the stack is the application that makes a request for a resource located elsewhere on the network, and at the bottom is the physical medium that actually connects the computers and forms the network, such as a cable.
Figure 2-1 The OSI reference model with its seven layers
The OSI reference model was developed in two separate projects by the International Organization for Standardization (ISO) and the Comité Consultatif International Téléphonique et Télégraphique (Consultative Committee for International Telephone and Telegraphy, or CCITT), which is now known as the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T). Each of these two bodies developed its own seven-layer model, but the two projects were combined in 1983, resulting in a document called "The Basic Reference Model for Open Systems Interconnection" that was published by the ISO as ISO 7498 and by the ITU-T as X.200.
The OSI stack was originally conceived as the model for the creation of a protocol suite that would conform exactly to the seven layers. This suite never materialized in a commercial form, however, and the model has since been used as a teaching, reference, and communications tool. Networking professionals, educators, and authors frequently refer to protocols, devices, or applications as operating at a particular layer of the OSI model because using this model breaks a complex process into manageable units that provide a common frame of reference. Many of the chapters in this book use the layers of the model to help define networking concepts. However, it is important to understand that none of the protocol stacks in common use today conforms exactly to the layers of the OSI model. In many cases, protocols have functions that overlap two or more layers, such as Ethernet, which is considered a data link layer protocol but which also defines elements of the physical layer.
The primary reason why real protocol stacks differ from the OSI model is that many of the protocols used today (including Ethernet) were conceived before the OSI model documents were published. In fact, the TCP/IP protocols have their own layered model, which is similar to the OSI model in several ways but uses only four layers (see Figure 2-2). In addition, developers are usually more concerned with practical functionality than with conforming to a preexisting model. The seven-layer model was designed to separate the functions of the protocol stack in such a way as to make it possible for separate development teams to work on the individual layers, thus streamlining the development process. However, if a single protocol can easily provide the functions that are defined as belonging in separate layers of the model, why divide it into two separate protocols just for the sake of conformity?
Figure 2-2 The OSI reference model and the TCP/IP protocol stack
Communications Between the Layers
Networking is the process of sending messages from one place to another, and the protocol stack illustrated in the OSI model defines the basic components needed to transmit messages to their destinations. The communication process is complex because the applications that generate the messages have varying requirements. Some message exchanges consist of brief requests and replies that have to be exchanged as quickly as possible and with a minimum amount of overhead. Other network transactions, such as program file transfers, involve the transmission of larger amounts of data that must reach the destination in perfect condition, without alteration of a single bit. Still other transmissions, such as streaming audio or video, consist of huge amounts of data that can survive the loss of an occasional bit, byte, or packet, but that must reach the destination in a timely manner.
The networking process also includes a number of conversions that ultimately take the application programming interface (API) calls generated by applications and transform them into electrical charges, pulses of light, or other types of signals that can be transmitted across the network medium. Finally, the networking protocols must see to it that the transmissions reach the appropriate destinations in a timely manner. Just as you package a letter by placing it in an envelope and writing an address on it, the networking protocols package the data generated by an application and address it to another computer on the network.
Data Encapsulation
To satisfy all of the requirements just described, the protocols operating at the various layers work together to supply a unified quality of service. Each layer provides a service to the layers directly above and below it. Outgoing traffic travels down through the stack to the network physical medium, acquiring the control information needed to make the trip to the destination system as it goes. This control information takes the form of headers (and in one case a footer) that surround the data received from the layer above, in a process called data encapsulation. The headers and footer are composed of individual fields that contain the control information the system needs to get the packet to its destination. In a sense, the headers and footer form the envelope that carries the message received from the layer above.
In a typical transaction, shown in Figure 2-3, an application layer protocol (which also includes presentation and session layer functions) generates a message that is passed down to a transport layer protocol. The protocol at the transport layer has its own packet structure, called a protocol data unit (PDU), which includes specialized header fields and a data field that carries the payload. In this case, the payload is the data received from the application layer protocol. By packaging the data in its own PDU, the transport layer encapsulates the application layer data and then passes it down to the next layer.
Figure 2-3 The application layer data is encapsulated for transmission by the protocols at the lower layers in the stack.
The network layer protocol then receives the PDU from the transport layer and encapsulates it within its own PDU by adding a header and using the entire transport layer PDU (including the application layer data) as its payload. The same process occurs again when the network layer passes its PDU to the data link layer protocol, which adds a header and footer. To a data link layer protocol, the data within the frame is treated as payload only, just as postal employees have no idea what is inside the envelopes they process. The only system that reads the information in the payload is the computer possessing the destination address. That computer then either passes the network layer protocol data contained in the payload up through its protocol stack or uses that data to determine what the next destination of the packet should be. In the same way, the protocols operating at the other layers are conscious of their own header information but are unaware of what data is being carried in the payload.
Once it is encapsulated by the data link layer protocol, the completed packet (now called a frame) is then ready to be converted to the appropriate type of signal used by the network medium. Thus, the final packet, as transmitted over the network, consists of the original application layer data plus several headers applied by the protocols at the succeeding layers, as shown in Figure 2-4.
Figure 2-4 An encapsulated frame, ready for transmission
NOTE Each layer must translate data into its specific format before sending it on. Therefore, each layer creates its own PDU to transmit to the next layer. As each layer receives data, the PDU of the previous layer is read, and a new PDU is created using that layer's protocol. Remember, a PDU is a complete message (or packet) that includes the header of the sending layer's protocol. At the physical layer, you end up with a message that consists of all the data that has been encapsulated with the headers and/or footers from each of the previous layers.
Horizontal Communications
For two computers to communicate over a network, the protocols used at each layer of the OSI model in the transmitting system must be duplicated at the receiving system. When the packet arrives at its destination, the process by which the headers are applied at the source is repeated in reverse. The packet travels up through the protocol stack, and each successive header is stripped off by the appropriate protocol and processed. In essence, the protocols operating at the various layers communicate horizontally with their counterparts in the other system, as shown in Figure 2-5.
Figure 2-5 Each layer has logical connections with its counterpart in other systems.
The horizontal connections between the various layers are logical; there is no direct communication between them. The information included in each protocol header by the transmitting system is a message that is carried to the same protocol in the destination system.
Vertical Communications
The headers applied by the various protocols implement the specific functions carried out by those protocols. In addition to communicating horizontally with the same protocol in the other system, the header information enables each layer to communicate with the layers above and below it, as shown in Figure 2-6. For example, when a system receives a packet and passes it up through the protocol stack, the data link layer protocol header includes a field that identifies which network layer protocol the system should use to process the packet. The network layer protocol header in turn specifies one of the transport layer protocols, and the transport layer protocol identifies the application for which the data is ultimately destined. This vertical communication makes it possible for a computer to support multiple protocols at each of the layers simultaneously. As long as a packet has the correct information in its headers, it can be routed on the appropriate path through the stack to the intended destination.
Figure 2-6 Each layer in the OSI model communicates with the layer above and below it.
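The encapsulation and the vertical communication described in the preceding sections, as an added example that is not code from the book. One application message is wrapped down the stack and unwrapped again at the receiver. The headers are the real Ethernet II, IPv4 and UDP layouts, packed by hand with struct so that every field the text refers to is visible: the data link header names the network layer protocol (the EtherType), the IPv4 header names the transport protocol (the protocol number), the UDP header names the application (the destination port), and the data link footer is the CRC-32 frame check sequence. The MAC and IP addresses, ports and message are constructed for the example, and the UDP checksum is left at zero (which IPv4 permits) to keep the code short.

```python
"""Added example (not code from the book): message -> segment -> datagram ->
frame, and the reverse walk at the receiving station."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
UDP_HDR = "!HHHH"            # 8-byte UDP header
MIN_ETH_PAYLOAD = 46         # Ethernet pads shorter payloads to this size


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words, complemented."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(message, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Wrap an application message down to a complete Ethernet frame."""
    # Transport layer: the application data becomes the UDP payload.
    segment = struct.pack(UDP_HDR, src_port, dst_port, 8 + len(message), 0) + message
    # Network layer: the whole segment becomes the IPv4 payload.
    fields = [0x45, 0, 20 + len(segment), 0x1234, 0, 64, IPPROTO_UDP, 0,
              ip_bytes(src_ip), ip_bytes(dst_ip)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    datagram = struct.pack(IPV4_HDR, *fields) + segment
    # Data link layer: header in front, padding to the minimum, CRC-32 footer.
    datagram += b"\x00" * max(0, MIN_ETH_PAYLOAD - len(datagram))
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + datagram
    return body + struct.pack("<I", zlib.crc32(body))   # the FCS is sent LSB first


def decapsulate(frame, my_mac, listeners):
    """Walk a received frame back up the stack.

    listeners maps UDP port -> application name.  Returns (application, data)
    on success, or ("discarded", reason) naming the layer that rejected it.
    """
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        return "discarded", "data link: FCS mismatch"
    dst_mac, ethertype = body[:6], struct.unpack("!H", body[12:14])[0]
    if dst_mac not in (mac_bytes(my_mac), b"\xff" * 6):
        return "discarded", "data link: not addressed to this station"
    if ethertype != ETHERTYPE_IPV4:
        return "discarded", "data link: no handler for EtherType 0x%04x" % ethertype
    payload = body[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IPV4_HDR, payload[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(payload[:ihl]) != 0:     # a valid header sums to zero
        return "discarded", "network: IPv4 header checksum mismatch"
    datagram = payload[:total_len]             # drops the Ethernet padding
    if proto != IPPROTO_UDP:
        return "discarded", "network: no handler for protocol %d" % proto
    segment = datagram[ihl:]
    _, dst_port, udp_len, _ = struct.unpack(UDP_HDR, segment[:8])
    if dst_port not in listeners:
        return "discarded", "transport: no application on UDP port %d" % dst_port
    return listeners[dst_port], segment[8:udp_len]


if __name__ == "__main__":
    frame = encapsulate(b"hello", "00:1b:21:00:00:01", "00:1b:21:00:00:02",
                        "192.0.2.10", "192.0.2.20", 40000, 53)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame, "00:1b:21:00:00:02", {53: "dns"}))
```

Each check in decapsulate is one layer reading only its own header: the data link code never looks at the IP addresses, and the IP code never looks at ports. The receiver trusts the IPv4 total-length field to strip the padding, and the UDP length to bound the payload; a parser that used the frame length instead would hand the application the padding bytes as data, which is exactly the kind of length confusion that real stacks have been bitten by.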
Encapsulation Terminology
One of the most confusing aspects of the data encapsulation process is the terminology used to describe the PDUs generated by each layer. The term packet specifically refers to the complete unit transmitted over the network medium, although it also has become a generic term for the data unit at any stage in the process. Most data link layer protocols are said to work with frames because they include both a header and a footer that surround the data from the network layer protocol. The term frame refers to a PDU of variable size, depending on the amount of data enclosed. A data link layer protocol that uses PDUs of a uniform size, such as Asynchronous Transfer Mode (ATM), is said to deal in cells.
When transport layer data is encapsulated by a network layer protocol, such as the Internet Protocol (IP) or Internetwork Packet Exchange (IPX), the resulting PDU is called a datagram. During the course of its transmission, a datagram might be split into fragments, each of which is sometimes incorrectly called a datagram. The terminology at the transport layer is more protocol-specific than at the lower layers. TCP/IP, for example, has two transport layer protocols. The first, called the User Datagram Protocol (UDP), also refers to the PDUs it creates as datagrams, although these are not synonymous with the datagrams produced at the network layer.
When the UDP protocol at the transport layer is encapsulated by the IP protocol at the network layer, the result is a datagram packaged within another datagram. The difference between UDP and the Transmission Control Protocol (TCP), which also operates at the transport layer, is that UDP datagrams are self-contained units that were designed to contain the entirety of the data generated by the application layer protocol. Therefore, UDP is traditionally used to transmit small amounts of data, while TCP, on the other hand, is used to transmit larger amounts of application layer data that usually do not fit into a single packet. As a result, each of the PDUs produced by the TCP protocol is called a segment, and the collection of segments that carry the entirety of the application layer protocol data is called a sequence. The PDU produced by an application layer protocol is typically called a message. The session and presentation layers are usually not associated with individual protocols. Their functions are incorporated into other elements of the protocol stack, and they do not have their own headers or PDUs. All of these terms are frequently confused, and it is not surprising to see even authoritative documents use them incorrectly.
NOTE While TCP is often used to transmit data packets today, there are instances where UDP is suitable. For example, UDP is used when newer data will replace previous data, such as in video streaming or gaming. As another example of the need for newer data, consider weather information that must be updated quickly during inclement weather. Also, since TCP is a connection-oriented, streaming protocol, UDP is the preferred way to multicast (send data across a network to several users at the same time).
The following sections examine each of the seven layers of the OSI reference model in turn, the functions that are associated with each, and the protocols that are most commonly used at those layers. As you proceed through this book, you will learn more about each of the individual protocols and their relationships to the other elements of the protocol stack.
The Physical Layer
The physical layer of the OSI model defines the actual medium that carries data from one computer to another. The two most common types of physical layer used in data networking are copper-based electrical cable and fiber-optic cable. A number of wireless physical layer implementations use radio waves, infrared or laser light, microwaves, and other technologies. The physical layer includes the type of technology used to carry the data, the type of equipment used to implement that technology, the specifications of how the equipment should be installed, and the nature of the signals used to encode the data for transmission.
For example, for many years, the most popular physical layer standard used for local area networking was 10Base-T Ethernet. Ethernet is primarily thought of as a data link layer protocol. However, as with most protocols functioning at the data link layer, Ethernet includes specific physical layer implementations, and the standards for the protocol define the elements of the physical layer as well. 10Base-T referred to the type of cable used to form a particular type of Ethernet network. The Ethernet standard defined 10Base-T as running over unshielded twisted-pair (UTP) cable containing four pairs of copper wires enclosed in a single sheath. Today, Ethernet is found at much faster speeds such as 100Base-T running at 100 megabits per second, or 1000Base-T, which runs at 1 gigabit per second.
NOTE The physical layer uses the binary data supplied by the data link layer protocol to encode the data into pulses of light, electrical voltages, or other impulses suitable for transmission over the network medium.
However, the construction of the cable itself is not the only physical layer element involved. The standards used to build an Ethernet network also define how to install the cable, including maximum segment lengths and distances from power sources. The standards specify what kind of connectors you use to join the cable, the type of network interface card (NIC) to install in the computer, and the type of hub you use to join the computers into a network topology. Finally, the standard specifies how the NIC should encode the data generated by the computer into electrical impulses that can be transmitted over the cable.
Thus, you can see that the physical layer encompasses much more than a type of cable. However, you generally don't have to know the details about every element of the physical layer standard. When you buy Ethernet NICs, cables, and hubs, they are already constructed to the Ethernet specifications and designed to use the proper signaling scheme. Installing the equipment, however, can be more complicated.
Physical Layer Specifications
While it is relatively easy to learn enough about a LAN technology to purchase the appropriate equipment, installing the cable (or other medium) is much more difficult because you must be aware of all the specifications that affect the process. For example, the Ethernet standards published by the IEEE 802.3 working group specify the basic wiring configuration guidelines that pertain to the protocol's media access control (MAC) and collision detection mechanisms. These rules specify elements such as the maximum length of a cable segment, the distance between workstations, and the number of repeaters permitted on a network. These guidelines are common knowledge to Ethernet network administrators, but these rules alone are not sufficient to perform a large cable installation. In addition, there are local building codes to consider, which might have a great effect on a cable installation. For these reasons, large physical layer installations should, in most cases, be performed by professionals who are familiar with all of the standards that apply to the particular technology involved. See Chapter 4 for more information on network cabling and cable installation.
NOTE The latest revision to the IEEE 802.3 "Standard for Ethernet" was published in September 2012. It was amended to "address new markets, bandwidth speeds, and media types" according to the IEEE website at http://standards.ieee.org.
NOTE Collision detection is when one device (or node) on a network determines that data has "collided." This is similar to two people coming through a revolving door at the same time, but in that case, one person can see the other person and stops. If one node hears a distorted version of its own transmission, that node understands that a collision has occurred and, just like the person who stops to allow the other to go through the revolving door, that node will stop the transmission and wait for silence on the network to send its data.
Physical Layer Signaling
The primary operative component of a physical layer installation is the transceiver found in NICs, repeating hubs, and other devices. The transceiver, as the name implies, is responsible for transmitting and receiving signals over the network medium. On networks using copper cable, the transceiver is an electrical device that takes the binary data it receives from the data link layer protocol and converts it into signals of various voltages. Unlike all of the other layers in the protocol stack, the physical layer is not concerned in any way with the meaning of the data being transmitted. The transceiver simply converts zeros and ones into voltages, pulses of light, radio waves, or some other type of signal, but it is completely oblivious to packets, frames, addresses, and even the system receiving the signal.
The signals generated by a transceiver can be either analog or digital. Most data networks use digital signals, but some of the wireless technologies use analog radio transmissions to carry data. Analog signals transition between two values gradually, forming the sine wave pattern shown in Figure 2-7, while digital value transitions are immediate and absolute. The values of an analog signal can be determined by variations in amplitude, frequency, phase, or a combination of these elements, as in amplitude modulated (AM) or frequency modulated (FM) radio signals or in analog phase-locked loop (PLL) circuits.
Figure 2-7 Analog signals form wave patterns.
The use of digital signals is much more common in data networking, however. All of the standard copper and fiber-optic media use various forms of digital signaling. The signaling scheme is determined by the data link layer protocol being used. The original 10 Mbps Ethernet networks, for example, use the Manchester encoding scheme whether they are running over twisted-pair, coaxial, or fiber-optic cable; the faster Ethernet variants use other line codes (100Base-TX, for instance, uses 4B/5B block coding with MLT-3 signaling). Digital signals transition between values almost instantaneously, producing the square wave shown in Figure 2-8. Depending on the network medium, the values can represent electrical voltages, the presence or absence of a beam of light, or any other appropriate attribute of the medium. In most cases, the signal is produced with transitions between a positive voltage and a negative voltage, although some use a zero value as well. Given a stable voltage within circuit specifications, the transitions create the signal.
Figure 2-8 Polar encoding
NOTE Digital signals are susceptible to voltage degradation; a digital circuit designed for a 5-volt application will most likely behave erroneously if voltage attenuation results in signals of 3 volts, meaning the circuit will now not be able to distinguish whether there was a transition event since the signal is below the design threshold.
Figure 2-8 illustrates a simple signaling scheme called polar signaling. In this scheme, the signal is broken up into units of time called cells, and the voltage of each cell denotes its binary value. A positive voltage is a zero, and a negative voltage is a one. This signaling code would seem to be a simple and logical method for transmitting binary information, but it has one crucial flaw, and that is timing. When the binary code consists of two or more consecutive zeros or ones, there is no voltage transition for the duration of two or more cells. Unless the two communicating systems have clocks that are precisely synchronized, it is impossible to tell for certain whether a voltage that remains continuous for a period of time represents two, three, or more cells with the same value. Remember that these communications occur at incredibly high rates of speed, so the timing intervals involved are extremely small.
Some systems can use this type of signal because they have an external timing signal that keeps the communicating systems synchronized. However, many data networks run over a baseband medium that permits the transmission of only one signal at a time. As a result, these networks use a different type of signaling scheme, one that is self-timing. In other words, the data signal itself contains a timing signal that enables the receiving system to correctly interpret the values and convert them into binary data.
The Manchester encoding scheme used on Ethernet networks is a self-timing signal by virtue of the fact that every cell has a value transition at its midpoint. This delineates the boundaries of the cells to the receiving system. The binary values are specified by the direction of the value transition; a positive-to-negative transition indicates a value of zero, and a negative-to-positive transition indicates a value of one (see Figure 2-9). The value transitions at the beginnings of the cells have no function other than to set the voltage to the appropriate value for the midcell transition.
Figure 2-9 The Manchester encoding scheme
Token Ring networks use a different encoding scheme called Differential Manchester, which also has a value transition at the midpoint of each cell. However, in this scheme, the direction of the transition is irrelevant; it exists only to provide a timing signal. The value of each cell is determined by the presence or absence of a transition at the beginning of the cell. If the transition exists, the value of the cell is zero; if there is no transition, the value of the cell is one (see Figure 2-10). As with the midpoint transition, the direction of the transition is irrelevant.
Figure 2-10 The Differential Manchester encoding scheme
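The three line codes just described, as an added example that is not code from the book. A signal is a list of voltage levels (+1 or -1), one entry per sample, and `half` is the number of samples in half a cell. The bit conventions follow the text: polar, positive = 0 and negative = 1; Manchester, high-to-low at mid-cell = 0 and low-to-high = 1; Differential Manchester, a transition at the start of the cell = 0 and none = 1. The Manchester decoder recovers the bit clock from the signal alone, which is the self-timing property the text describes: the shortest run between transitions is half a cell, and any run twice that long must straddle a cell boundary. The idle line level before the first cell is assumed to be +1 (an assumption of this example, not a rule from the text).

```python
"""Added example (not code from the book): polar, Manchester and
Differential Manchester encoding, with a self-timing Manchester decoder."""

HIGH, LOW = 1, -1


def polar_encode(bits, half=1):
    out = []
    for b in bits:
        out += [HIGH if b == "0" else LOW] * (2 * half)
    return out


def manchester_encode(bits, half=1):
    out = []
    for b in bits:
        first, second = (HIGH, LOW) if b == "0" else (LOW, HIGH)
        out += [first] * half + [second] * half
    return out


def diff_manchester_encode(bits, half=1, idle=HIGH):
    level, out = idle, []
    for b in bits:
        if b == "0":
            level = -level          # start-of-cell transition means 0
        out += [level] * half
        level = -level              # mid-cell transition: timing only
        out += [level] * half
    return out


def runs(signal):
    """Lengths of the stretches between transitions."""
    lengths, n = [], 0
    for i, v in enumerate(signal):
        if i and v != signal[i - 1]:
            lengths.append(n)
            n = 0
        n += 1
    lengths.append(n)
    return lengths


def manchester_decode(signal):
    """Recover the cell length and phase from the signal, then the bits.

    Returns (bits, half).  A cell without a mid-cell transition is reported
    as "?", since a real Manchester cell always has one."""
    lengths = runs(signal)
    half = min(lengths)
    pos, phase = 0, None
    for n in lengths:                 # first full-cell run: its midpoint is a boundary
        if n == 2 * half:
            phase = (pos + half) % (2 * half)
            break
        pos += n
    if phase is None:
        phase = 0                     # only alternating bits: no run fixes the phase
    bits = []
    for start in range(phase, len(signal) - 2 * half + 1, 2 * half):
        pair = (signal[start], signal[start + half])
        bits.append("0" if pair == (HIGH, LOW) else "1" if pair == (LOW, HIGH) else "?")
    return "".join(bits), half


def diff_manchester_decode(signal, half=1, idle=HIGH):
    level, bits = idle, []
    for start in range(0, len(signal), 2 * half):
        bits.append("0" if signal[start] != level else "1")
        level = signal[start + half]  # level after the mid-cell transition
    return "".join(bits)


if __name__ == "__main__":
    # The timing flaw: two polar zeros at one clock look like one zero at half the clock.
    print(polar_encode("00", 1) == polar_encode("0", 2))
    # Manchester tells them apart, and the decoder finds the clock by itself.
    print(manchester_decode(manchester_encode("00", 1)), manchester_decode(manchester_encode("0", 2)))
    print(diff_manchester_decode(diff_manchester_encode("0110", 2), 2))
```

The fallback for a signal with no full-cell run is why 10 Mbps Ethernet precedes every frame with a preamble of alternating 1s and 0s followed by a start-frame delimiter ending in "11": the two consecutive 1s produce a full-cell run that lets the receiver lock the cell phase before the first byte of the frame.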
The Data Link Layer
The data link layer protocol provides the interface between the physical network and the protocol stack on the computer. A data link layer protocol typically consists of three elements:
• The format for the frame that encapsulates the network layer protocol data
• The mechanism that regulates access to the shared network medium
• The guidelines used to construct the network's physical layer
The header and footer applied to the network layer protocol data by the data link layer protocol are the outermost on the packet as it is transmitted across the network. This frame is, in essence, the envelope that carries the packet to its next destination and, therefore, provides the basic addressing information needed to get it there. In addition, data link layer protocols usually include an error-detection facility and an indicator that specifies the network layer protocol that the receiving system should use to process the data included in the packet.
On most LANs, multiple systems access a single shared baseband network medium. This means that only one computer can transmit data at any one time. If two or more systems transmit simultaneously, a collision occurs, and the data is lost. The data link layer protocol is responsible for controlling access to the shared medium and preventing an excess of collisions.
When speaking of the data link layer, the terms protocol and topology are often confused, but they are not synonymous. Ethernet is sometimes called a topology when the topology actually refers to the way in which the computers on the network are cabled together. Some forms of Ethernet use a bus topology, in which each of the computers is cabled to the next one in a daisy-chain fashion, while the star topology, in which each computer is cabled to a central hub, is more prevalent today. A ring topology is a bus with the ends joined together, and a mesh topology is one in which each computer has a cable connection to every other computer on the network. These last two types are mainly theoretical; LANs today do not use them. Token Ring networks use a logical ring, but the computers are actually cabled using a star topology. This confusion is understandable since most data link layer protocols include elements of the physical layer in their specifications. It is necessary for the data link layer protocol to be intimately related to the physical layer because media access control mechanisms are highly dependent on the size of the frames being transmitted and the lengths of the cable segments.
Addressing
The data link layer protocol header contains the address of the computer sending the packet and the computer that is to receive it. The addresses used at this layer are the hardware (or MAC) addresses that in most cases are hard-coded into the network interface of each computer and router by the manufacturer. On Ethernet and Token Ring networks, the addresses are 6 bytes long, the first 3 bytes of which are assigned to the manufacturer by the Institute of Electrical and Electronics Engineers (IEEE), and the second 3 bytes of which are assigned by the manufacturer. Some older protocols used addresses assigned by the network administrator, but the factory-assigned addresses are more efficient, insofar as they ensure that no duplication can occur.
The data link layer protocol does the following:
• Provides packet addressing services
• Packages the network layer data for transmission
• Arbitrates network access
• Checks transmitted packets for errors
Data link layer protocols are not concerned with the delivery of the packet to its ultimate destination, unless that destination is on the same LAN as the source. When a packet passes through several networks on the way to its destination, the data link layer protocol is responsible only for getting the packet to the router on the local network that provides access to the next network on its journey. Thus, the destination address in a data link layer protocol header always references a device on the local network, even if the ultimate destination of the message is a computer on a network miles away.
The data link layer protocols used on LANs rely on a shared network medium. Every packet is transmitted to all of the computers on the network segment, and only the system with the address specified as the destination reads the packet into its memory buffers and processes it. The other systems simply discard the packet without taking any further action.
Media Access Control
Media access control is the process by which the data link layer protocol arbitrates access to the network medium. In order for the network to function efficiently, each of the workstations sharing the cable or other medium must have an opportunity to transmit its data on a regular basis. This is why the data to be transmitted is split into packets in the first place. If computers transmitted all of their data in a continuous stream, they could conceivably monopolize the network for extended periods of time.
Two basic forms of media access control are used on most of today's LANs. The token passing method, used by Token Ring and FDDI systems, uses a special frame called a token that is passed from one workstation to another. Only the system in possession of the token is allowed to transmit its data. A workstation, on receiving the token, transmits its data and then releases the token to the next workstation. Since there is only one token on the network at any time (assuming that the network is functioning properly), it isn't possible for two systems to transmit at the same time.
The other method, used on Ethernet networks, is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). In this method, when a workstation has data to send, it listens to the network cable and transmits if the network is not in use. On CSMA/CD networks, it is possible (and even expected) for workstations to transmit at the same time, resulting in packet collisions. To compensate for this, each system has a mechanism that enables it to detect collisions when they occur and retransmit the data that was lost.
Both of these MAC mechanisms rely on the physical layer specifications for the network to function properly. For example, an Ethernet system can detect collisions only if they occur while the workstation is still transmitting a packet. If a network segment is too long, a collision may occur after the last bit of data has left the transmitting system and thus may go undetected. The data in that packet is then lost, and its absence can be detected only by the upper layer protocols in the system that are the ultimate destinations of the message. This process takes a relatively long time and significantly reduces the efficiency of the network. Thus, while the OSI reference model might create a neat division between the physical and data link layers, in the real world, the functionality of the two is more closely intertwined.
Protocol Indicator
Most data link layer protocol implementations are designed to support the use of multiple network layer protocols at the same time. This means there are several possible paths through the protocol stack on each computer. To use multiple protocols at the network layer, the data link layer protocol header must include a code that specifies the network layer protocol that was used to generate the payload in the packet. This requirement is so that the receiving system can pass the data enclosed in the frame up to the appropriate network layer process.
Error Detection
Most data link layer protocols are unlike all of the upper layer protocols in that they include a footer that follows the payload field in addition to the header that precedes it. This footer contains a frame check sequence (FCS) field that the receiving system uses to detect any errors that have occurred during the transmission. To do this, the system transmitting the packet computes a cyclical redundancy check (CRC) value on the entire frame and includes it in the FCS field. When the packet reaches its next destination, the receiving system performs the same computation and compares its results with the value in the FCS field. If the values do not match, the packet is assumed to have been damaged in transit and is silently discarded.
The receiving system takes no action to have discarded packets retransmitted; this is left up to the protocols operating at the upper layers of the OSI model. This error-detection process occurs at each hop in the packet's journey to its destination. Some upper-layer protocols have their own mechanisms for end-to-end error detection.
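The three data link layer duties just described (address filtering on a shared medium, the protocol indicator, and the FCS check) in one receive path, as an added example that is not from the book. The frame layout follows Ethernet; the MAC addresses and payload are constructed sample values.

```python
"""Data link layer receive path for an Ethernet-style frame: destination filtering,
protocol indicator (EtherType) and FCS check. Constructed example, not the book's code."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Well-known EtherType codes (the frame's network layer protocol indicator).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = bytes.fromhex("ffffffffffff")
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500      # 64- and 1518-byte frames once header and FCS are added


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def fcs(data: bytes) -> bytes:
    """IEEE 802.3 FCS is CRC-32 with the polynomial zlib.crc32 implements, sent low byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Transmit side: header + (padded) payload + footer holding the CRC of everything before it."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame; fragment at the network layer")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def receive_frame(wire: bytes, my_mac: bytes) -> Optional[Frame]:
    """Receive side. Returns None whenever the frame is silently discarded:
    - FCS mismatch (damaged in transit; no retransmission is requested at this layer)
    - destination is neither this station's MAC nor broadcast (shared medium, not for us)"""
    if len(wire) < 14 + MIN_PAYLOAD + 4:
        return None
    body, trailer = wire[:-4], wire[-4:]
    if fcs(body) != trailer:
        return None
    dst, src = body[:6], body[6:12]
    if dst not in (my_mac, BROADCAST):
        return None
    (ethertype,) = struct.unpack("!H", body[12:14])
    return Frame(dst, src, ethertype, body[14:])


def oui(mac: bytes) -> str:
    """First 3 bytes: the IEEE-assigned manufacturer block; the last 3 are the manufacturer's own."""
    return mac[:3].hex(":")


def protocol_name(ethertype: int) -> str:
    """Map the protocol indicator to the network layer process that should get the payload."""
    return ETHERTYPES.get(ethertype, f"unknown(0x{ethertype:04x})")


def corrupt(wire: bytes, index: int) -> bytes:
    """Flip every bit of one byte, as a noisy segment might."""
    return wire[:index] + bytes([wire[index] ^ 0xFF]) + wire[index + 1:]


if __name__ == "__main__":
    # Constructed, locally administered addresses (02:...), not real vendor OUIs.
    station_a = bytes.fromhex("02aabbcc0001")
    station_b = bytes.fromhex("02aabbcc0002")
    wire = build_frame(station_b, station_a, 0x0800, b"constructed IPv4 datagram")
    frame = receive_frame(wire, my_mac=station_b)
    print(protocol_name(frame.ethertype), oui(frame.src), frame.payload.rstrip(b"\x00"))
    print("damaged:", receive_frame(corrupt(wire, 20), station_b))
    print("not for us:", receive_frame(wire, station_a))
```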
The Network Layer
The network layer protocol is the primary end-to-end carrier for messages generated by the application layer. This means that, unlike the data link layer protocol, which is concerned only with getting the packet to its next destination on the local network, the network layer protocol is responsible for the packet's entire journey from the source system to its ultimate destination. A network layer protocol accepts data from the transport layer and packages it into a datagram by adding its own header. Like a data link layer protocol header, the header at the network layer contains the address of the destination system, but this address identifies the packet's final destination. Thus, the destination addresses in the data link layer and network layer protocol headers may actually refer to two different computers. The network layer protocol datagram is essentially an envelope within the data link layer envelope, and while the data link layer envelope is opened by every system that processes the packet, the network layer envelope remains sealed until the packet reaches its final destination.
The network layer protocol provides
• End-to-end addressing
• Internet routing services
• Packet fragmentation and reassembly
• Error checking
Routing
Network layer protocols use different types of addressing systems to identify the ultimate destination of a packet. The most popular network layer protocol, the Internet Protocol (IP), provides its own 32-bit address space that identifies both the network on which the destination system resides and the system itself.
An address by which individual networks can be uniquely identified is vital to the performance of the network layer protocol's primary function, which is routing. When a packet travels through a large corporate internetwork or the Internet, it is passed from router to router until it reaches the network on which the destination system is located. Properly designed networks have more than one possible route to a particular destination, for fault-tolerance reasons, and the Internet has millions of possible routes. Each router is responsible for determining the next router that the packet should use to take the most efficient path to its destination. Because data link layer protocols are completely ignorant of conditions outside of the local network, it is left up to the network layer protocol to choose an appropriate route with an eye on the end-to-end journey of the packet, not just the next interim hop.
The network layer defines two types of computers that can be involved in a packet transmission: end systems and intermediate systems. An end system is either the computer generating and transmitting the packet or the computer that is the ultimate recipient of the packet. An intermediate system is a router or switch that connects two or more networks and forwards packets on the way to their destinations. On end systems, all seven layers of the protocol stack are involved in either the creation or the reception of the packet. On intermediate systems, packets arrive and travel up through the stack only as high as the network layer. The network layer protocol chooses a route for the packet and sends it back down to a data link layer protocol for packaging and transmission at the physical layer.
NOTE On intermediate systems, packets travel no higher than the network layer.
When an intermediate system receives a packet, the data link layer protocol checks it for errors and for the correct hardware address and then strips off the data link header and footer and passes it up to the network layer protocol identified by the Ethernet-type field or its equivalent. At this point, the packet consists of a datagram—that is, a network layer protocol header and a payload that was generated by the transport layer protocol on the source system. The network layer protocol then reads the destination address in the header and determines what the packet's next destination should be. If the destination is a workstation on a local network, the intermediate system transmits the packet directly to that workstation. If the destination is on a distant network, the intermediate system consults its routing table to select the router that provides the most efficient path to that destination.
The compilation and storage of routing information in a reference table is a separate network layer process that is performed either manually by an administrator or automatically by specialized network layer protocols that routers use to exchange information about the networks to which they are connected. Once it has determined the next destination for the packet, the network layer protocol passes the information down to the data link layer protocol with the datagram so that it can be packaged in a new frame and transmitted. When the IP protocol is running at the network layer, an additional process is required in which the IP address of the next destination is converted into a hardware address that the data link layer protocol can use.
Fragmenting
Because routers can connect networks that use different data link layer protocols, it is sometimes necessary for intermediate systems to split datagrams into fragments to transmit them. If, for example, a workstation on a Token Ring network generates a packet containing 4,500 bytes of data, an intermediate system that joins the Token Ring network to an Ethernet network must split the data into fragments between 64 and 1,518 bytes because 1,518 bytes is the largest amount of data that an Ethernet frame can carry.
Depending on the data link layer protocols used by the various intermediate networks, the fragments of a datagram may be fragmented themselves. Datagrams or fragments that are fragmented by intermediate systems are not reassembled until they reach their final destinations.
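The Token Ring to Ethernet case above, carried through in code as an added example that is not from the book: the 4,500-byte datagram is fragmented once for Ethernet, its fragments are fragmented again for an assumed narrower link, and only the final destination reassembles them from whatever order they arrive in. The 20-byte header and the 8-byte offset granularity are assumptions borrowed from IPv4; the payload is constructed.

```python
"""Network layer fragmentation and end-system reassembly, modelled on the Token Ring to
Ethernet case in the text. Constructed example, not the book's code.
Offsets are byte offsets into the original payload; IPv4 counts them in 8-byte units,
which is why non-final fragment lengths are kept multiples of 8 here."""
import random
from dataclasses import dataclass
from typing import List, Optional

HEADER_LEN = 20               # assumed fixed network layer header size (minimal IPv4 header)


@dataclass
class Fragment:
    ident: int                # shared by every piece of one original datagram
    offset: int               # position of this piece's data in the original payload
    more: bool                # True unless this piece carries the end of the payload
    data: bytes


def fragment(piece: Fragment, mtu: int) -> List[Fragment]:
    """Split a datagram, or an existing fragment, to fit a link whose MTU (header included) is `mtu`.
    Because offsets stay relative to the original payload, a later router can fragment
    the fragments again and the destination still reassembles correctly."""
    max_data = (mtu - HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for any payload")
    if len(piece.data) <= max_data:
        return [piece]
    out = []
    for i in range(0, len(piece.data), max_data):
        chunk = piece.data[i:i + max_data]
        last = i + max_data >= len(piece.data)
        out.append(Fragment(piece.ident, piece.offset + i, piece.more or not last, chunk))
    return out


def reassemble(pieces: List[Fragment]) -> Optional[bytes]:
    """Final destination only. Returns the payload when every byte is accounted for, otherwise
    None (a hole, a missing final fragment, or pieces of different datagrams mixed together)."""
    if not pieces or any(p.ident != pieces[0].ident for p in pieces):
        return None
    ordered = sorted(pieces, key=lambda p: p.offset)
    expected, buf = 0, bytearray()
    for p in ordered:
        if p.offset != expected:          # gap or overlap
            return None
        buf += p.data
        expected += len(p.data)
    if ordered[-1].more:                  # the end of the payload never arrived
        return None
    return bytes(buf)


def token_ring_to_ethernet(payload_len: int = 4500, seed: int = 1):
    """The text's scenario plus one extra hop with an even smaller MTU, then reassembly
    from shuffled pieces; returns (pieces after hop 1, pieces after hop 2, ok, one_missing_detected)."""
    original = Fragment(ident=0x1234, offset=0, more=False,
                        data=bytes(i % 251 for i in range(payload_len)))   # constructed payload
    hop1 = fragment(original, mtu=1500)                       # Ethernet carries 1500 bytes of datagram
    hop2 = [q for p in hop1 for q in fragment(p, mtu=576)]    # a narrower link re-fragments each piece
    random.Random(seed).shuffle(hop2)                         # different routes, different arrival order
    return len(hop1), len(hop2), reassemble(hop2) == original.data, reassemble(hop2[:-1]) is None


if __name__ == "__main__":
    print(token_ring_to_ethernet())   # (4, 10, True, True)
```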
Connection-Oriented and Connectionless Protocols
There are two types of end-to-end protocols that operate at the network and transport layers: connection-oriented and connectionless. The type of protocol used helps to determine what other functions are performed at each layer. A connection-oriented protocol is one in which a logical connection between the source and the destination system is established before any upper-layer data is transmitted. Once the connection is established, the source system transmits the data, and the destination system acknowledges its receipt. A failure to receive the appropriate acknowledgments serves as a signal to the sender that packets have to be retransmitted. When the data transmission is completed successfully, the systems terminate the connection. By using this type of protocol, the sending system is certain that the data has arrived at the destination successfully. The cost of this guaranteed service is the additional network traffic generated by the connection establishment, acknowledgment, and termination messages, as well as a substantially larger protocol header on each data packet.
A connectionless protocol simply packages data and transmits it to the destination address without checking to see whether the destination system is available and without expecting packet acknowledgments. In most cases, connectionless protocols are used when a protocol higher up in the networking stack provides connection-oriented services, such as guaranteed delivery. These additional services can also include flow control (a mechanism for regulating the speed at which data is transmitted over the network), error detection, and error correction.
Most of the LAN protocols operating at the network layer, such as IP and IPX, are connectionless. In both cases, various protocols are available at the transport layer to provide both connectionless and connection-oriented services. If you are running a connection-oriented protocol at one layer, there is usually no reason to use one at another layer. The object of the protocol stack is to provide only the services that an application needs, and no more.
The Transport Layer
Once you reach the transport layer, the process of getting packets from their source to their destination is no longer a concern. The transport layer protocols and all the layers above them rely completely on the network and data link layers for addressing and transmission services. As discussed earlier, packets being processed by intermediate systems travel only as high as the network layer, so the transport-layer protocols operate on only the two end systems. The transport layer PDU consists of a header and the data it has received from the application layer above, which is encapsulated into a datagram by the network layer below.
The transport layer provides different levels of service depending on the needs of the application:
• Packet acknowledgment
• Guaranteed delivery
• Flow control
• End-to-end error checking
One of the main functions of the transport layer protocol is to identify the upper-layer processes that generated the message at the source system and that will receive the message at the destination system. The transport layer protocols in the TCP/IP suite, for example, use port numbers in their headers to identify upper-layer services.
Protocol Service Combinations
Data link and network layer protocols operate together interchangeably; you can use almost any data link layer protocol with any network layer protocol. However, transport layer protocols are closely related to a particular network layer protocol and cannot be interchanged. The combination of a network layer protocol and a transport layer protocol provides a complementary set of services suitable for a specific application. As at the network layer, transport layer protocols can be connection oriented (CO) or connectionless (CL). The OSI model document defines four possible combinations of CO and CL protocols at these two layers, depending on the services required, as shown in Figure 2-11. The process of selecting a combination of protocols for a particular task is called mapping a transport layer service onto a network layer service.
Figure 2-11 Any configuration of connection-oriented and connectionless protocols can be used.
The selection of a protocol at the transport layer is based on the needs of the application generating the message and the services already provided by the protocols at the lower layers. The OSI document defines five theoretical classes of transport layer protocol, as shown here:
• TP0 This class does not provide any additional functionality beyond fragmenting and reassembly functions. This class determines the size of the smallest PDU required by any of the underlying networks and segments as needed.
• TP1 This class performs the functions of TP0 plus providing the capability to correct errors that have been detected by the protocols operating at the lower layers.
• TP2 This class provides fragmentation and reassembly functions, multiplexing, and demultiplexing and includes codes that identify the process that generated the packet and that will process it at the destination, thus enabling the traffic from multiple applications to be carried over a single network medium.
• TP3 This class offers error recovery, segmentation, reassembly, multiplexing, and demultiplexing. It combines the services provided by TP1 and TP2.
• TP4 This class provides complete connection-oriented service, including error detection and correction, flow control, and other services. It assumes the use of a connectionless protocol at the lower layers that provides none of these services.
This classification of transport layer services is another place where the theoretical constructs of the OSI model differ substantially from reality. No protocol suite in common use has five different transport layer protocols conforming to these classes. Most of the suites, like TCP/IP, have two protocols that basically conform to the TP0 and TP4 classes, providing connectionless and connection-oriented services, respectively.
Transport Layer Protocol Functions
The UDP protocol is a connectionless service that, together with IP at the network layer, provides minimal services for brief transactions that do not need the services of a connection-oriented protocol. Domain Name System (DNS) transactions, for example, generally consist of short messages that can fit into a single packet, so no flow control is needed. A typical transaction consists of a request and a reply, with the reply functioning as an acknowledgment, so no other guaranteed delivery mechanism is needed. UDP does have an optional error-detection mechanism in the form of a checksum computation performed on both the source and destination systems. Because the UDP protocol provides a minimum of additional services, its header is only 8 bytes long, providing little additional control overhead to the packet.
TCP, on the other hand, is a connection-oriented protocol that provides a full range of services but at the cost of much higher overhead. The TCP header is 20 bytes long, and the protocol also generates a large number of additional packets solely for control procedures, such as connection establishment, termination, and packet acknowledgment.
Segmentation and Reassembly
Connection-oriented transport layer protocols are designed to carry large amounts of data, but the data must be split into segments to fit into individual packets. The segmentation of the data and the numbering of the segments are critical elements in the transmission process and also make functions such as error recovery possible. The routing process performed at the network layer is dynamic; in the course of a transmission, it is possible for the segments to take different routes to the destination and arrive in a different order from that in which they were sent. It is the numbering of the segments that makes it possible for the receiving system to reassemble them into their original order. This numbering also makes it possible for the receiving system to notify the sender that specific packets have been lost or corrupted. As a result, the sender can retransmit only the missing segments and not have to repeat the entire transmission.
Flow Control
One of the functions commonly provided by connection-oriented transport layer protocols is flow control, which is a mechanism by which the system receiving the data can notify the sender that it must decrease its transmission rate or risk overwhelming the receiver and losing data. The TCP header, for example, includes a Window field in which the receiver specifies the number of bytes it can receive from the sender. If this value decreases in succeeding packets, the sender knows that it has to slow down its transmission rate. When the value begins to rise again, the sender can increase its speed.
Error Detection and Recovery
The OSI model document defines two forms of error recovery that can be performed by connection-oriented transport layer protocols. One is a response to signaled errors detected by other protocols in the stack. In this mechanism, the transport layer protocol does not have to detect the transmission errors itself. Instead, it receives notification from a protocol at the network or data link layer that an error has occurred and that specific packets have been lost or corrupted. The transport layer protocol only has to send a message back to the source system listing the packets and requesting their retransmission.
The more commonly implemented form of error recovery at the transport layer is a complete process of error detection and correction that is used to cope with unsignaled errors, which are errors that have not yet been detected by other means. Even though most data link layer protocols have their own error-detection and correction mechanisms, they function only over the individual hops between two systems. A transport layer error-detection mechanism provides error checking between the two end systems and includes the capability to recover from the errors by informing the sender which packets have to be resent. To do this, the checksum included in the transport layer protocol header is computed only on the fields that are not modified during the journey to the destination. Fields that routinely change are omitted from the calculation.
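Segmentation, numbering, the advertised window and the unsignaled-error mechanism of the last three sections in one simulation, as an added example that is not from the book. The segment layout (a `hop_count` field that routers rewrite and a checksum over only the stable fields) is a simplified stand-in for a TCP-like header, and the message, drop and corruption pattern are constructed.

```python
"""Transport layer segmentation, numbering, selective retransmission, advertised window and an
end-to-end checksum over the fields that do not change in transit. Constructed example, not the
book's code; the segment format is a simplified stand-in for a TCP-like header."""
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Segment:
    seq: int               # segment number: lets the receiver reorder and name losses
    data: bytes
    hop_count: int = 0     # rewritten by every router, so it is excluded from the checksum
    checksum: str = ""


def checksum_of(seg: Segment) -> str:
    """Computed only on fields that stay constant end to end (seq and data; hop_count is omitted)."""
    return hashlib.sha256(seg.seq.to_bytes(4, "big") + seg.data).hexdigest()[:8]


def segment_message(message: bytes, mss: int) -> List[Segment]:
    segs = [Segment(i, message[off:off + mss]) for i, off in enumerate(range(0, len(message), mss))]
    for s in segs:
        s.checksum = checksum_of(s)
    return segs


class Receiver:
    def __init__(self, total_segments: int, buffer_bytes: int):
        self.total = total_segments
        self.buffer_bytes = buffer_bytes
        self.received: Dict[int, bytes] = {}

    def accept(self, seg: Segment) -> bool:
        """Store a segment unless its checksum fails; a corrupted one is treated like a lost one."""
        if checksum_of(seg) != seg.checksum:
            return False
        self.received[seg.seq] = seg.data
        return True

    def missing(self) -> List[int]:
        """The list sent back to the source: only these numbers need retransmitting."""
        return [i for i in range(self.total) if i not in self.received]

    def window(self) -> int:
        """Advertised window: free buffer space in bytes. Shrinking values tell the sender to slow down."""
        return max(0, self.buffer_bytes - sum(len(d) for d in self.received.values()))

    def reassemble(self) -> Optional[bytes]:
        if self.missing():
            return None
        return b"".join(self.received[i] for i in range(self.total))


def simulate(message: bytes, mss: int = 100, dropped=(2, 5), corrupted=(7,), seed: int = 3):
    """Segments travel by different routes (shuffled), some are lost, one is damaged on a link
    whose routers also bump hop_count. Returns (segments asked for again, reassembled ok, window)."""
    segs = segment_message(message, mss)
    rx = Receiver(len(segs), buffer_bytes=len(message) + 50)
    in_flight = [s for s in segs if s.seq not in dropped]
    random.Random(seed).shuffle(in_flight)
    for s in in_flight:
        hopped = Segment(s.seq, s.data, s.hop_count + 3, s.checksum)   # routers change hop_count only
        if s.seq in corrupted:                                         # ... except on this noisy link
            hopped.data = hopped.data[:-1] + bytes([hopped.data[-1] ^ 0xFF])
        rx.accept(hopped)
    asked_again = rx.missing()
    for seq in asked_again:            # selective retransmission, not the whole message
        rx.accept(segs[seq])
    return asked_again, rx.reassemble() == message, rx.window()


if __name__ == "__main__":
    print(simulate(bytes(range(256)) * 4))   # ([2, 5, 7], True, 50)
```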
The Session Layer
When you reach the session layer, the boundaries between the layers and their functions start to become more obscure. There are no discrete protocols that operate exclusively at the session layer. Rather, the session layer functionality is incorporated into other protocols, with functions that fall into the provinces of the presentation and application layers as well. Network Basic Input/Output System (NetBIOS) and NetBIOS Extended User Interface (NetBEUI) are two of the best examples of these protocols. The session layer provides mechanisms by which the message dialog between computers is established, maintained, and terminated. For specific examples that may further clarify, see the ISO 8327 standard that defines session layer protocols and is assumed to be used by various ISO 8823 standard protocols in the presentation layer.
The boundary to the session layer is also the point at which all concern for the transmission of data between two systems is transcended. Questions of packet acknowledgment, error detection, and flow control are all left behind at this point because everything that can be done has been done by the protocols at the transport layer and below.
The session layer is also not inherently concerned with security and the network logon process, as the name seems to imply. Rather, the primary functions of this layer concern the exchange of messages between the two connected end systems, called a dialog. There are also numerous other functions provided at this layer, which really serves as a multipurpose "toolkit" for application developers.
The services provided by the session layer are widely misunderstood, and even at the time of the OSI model's development, there was some question concerning whether they should be allotted a layer of their own. In fact, 22 different services are provided by the session layer, grouped into subsets such as the Kernel Function Unit, the Basic Activity Subset, and the Basic Synchronization Subset. Most of these services are of interest only to application developers, and some are even duplicated as a result of a compromise that occurred when the two committees creating OSI model standards were combined.
Communications between the layers of the OSI reference model are facilitated through the use of service request primitives, which are the tools in the toolkit. Each layer provides services to the layer immediately above it. A process at a given layer takes advantage of a service provided by the layer below by issuing a command using the appropriate service request primitive, plus any additional parameters that may be required. Thus, an application layer process issues a request for a network resource using a primitive provided by the presentation layer. The request is then passed down through the layers, with each layer using the proper primitive provided by the layer below, until the message is ready for transmission over the network. Once the packet arrives at its destination, it is decoded into indication primitives that are passed upward through the layers of the stack to the receiving application process.
The two most important services attributed to the session layer are dialog control and dialog separation. Dialog control is the means by which two systems initiate a dialog, exchange messages, and finally end the dialog while ensuring that each system has received the messages intended for it. While this may seem to be a simple task, consider the fact that one system might transmit a message to the other and then receive a message without knowing for certain when the response was generated. Is the other system responding to the message just sent, or was its response transmitted before that message was received? This sort of collision case can cause serious problems, especially when one of the systems is attempting to terminate the dialog or create a checkpoint. Dialog separation is the process of inserting a reference marker called a checkpoint into the data stream passing between the two systems so that the status of the two machines can be assessed at the same point in time.
Dialog Control
When two end systems initiate a session layer dialog, they choose one of two modes that controls the way they will exchange messages for the duration of the session: either two-way alternate (TWA) or two-way simultaneous (TWS) mode. Each session connection is uniquely identified by a 196-byte value consisting of the following four elements:
• Initiator SS-USER reference
• Responder SS-USER reference
• Common reference
• Additional reference
Once made, the choice of mode is irrevocable; the connection must be severed and reestablished in order to switch to the other mode.
In TWA mode, only one of the systems can transmit messages at any one time. Permission to transmit is arbitrated by the possession of a data token. Each system, at the conclusion of a transmission, sends the token to the other system using the S-TOKEN-GIVE primitive. On receipt of the token, the other system can transmit its message.
The use of TWS mode complicates the communication process enormously. As the name implies, in a TWS mode connection, there is no token, and both systems can transmit messages at the same time.
NOTE Remember that the references to tokens and connections at the session layer have nothing to do with the similarly named elements in lower-layer protocols. A session layer token is not the equivalent of the token frame used by the Token Ring protocol, nor is a session layer connection the equivalent of a transport layer connection such as that used by TCP. It is possible for end systems to terminate the session layer connection while leaving the transport layer connection open for further communication.
The use of the token prevents problems resulting from crossed messages and provides a mechanism for the orderly termination of the connection between the systems. An orderly termination begins with one system signaling its desire to terminate the connection and transmitting the token. The other system, on receiving the token, transmits any data remaining in its buffers and uses the S-RELEASE primitive to acknowledge the termination request. On receiving the S-RELEASE primitive, the original system knows that it has received all of the data pending from the other system and can then use the S-DISCONNECT primitive to terminate the connection.
There is also a negotiated release feature that enables one system to refuse the release request of another, which can be used in cases in which a collision occurs because both systems have issued a release request at the same time, and a release token that prevents the occurrence of these collisions in the first place by enabling only one system at a time to request a release.
All of these mechanisms are "tools" in the kit that the session layer provides to application developers; they are not automatic processes working behind the scenes. When designing an application, the developer must make an explicit decision to use the S-TOKEN-GIVE primitive instead of S-TOKEN-PLEASE, for example, or to use a negotiated release instead of an orderly termination.
Dialog Separation
Applications create checkpoints in order to save their current status to disk in case of a system failure. This was a much more common occurrence at the time that the OSI model was developed than it is now. As with the dialog control processes discussed earlier, checkpointing is a procedure that must be explicitly implemented by an application developer as needed.
When the application involves communication between two systems connected by a network, the checkpoint must save the status of both systems at the same point in the data stream. Performing any activity at precisely the same moment on two different computers is nearly impossible. The systems might be performing thousands of activities per second, and their timing is nowhere near as precise as would be needed to execute a specific task simultaneously. In addition, the problem again arises of messages that may be in transit at the time the checkpoint is created. As a result, dialog separation is performed by saving a checkpoint at a particular point in the data stream passing between the two systems, rather than at a particular moment in time.
When the connection uses TWA mode, the checkpointing process is relatively simple. One system creates a checkpoint and issues a primitive called S-SYNC-MINOR. The other system, on receiving this primitive, creates its own checkpoint, secure in the knowledge that no data is left in transit at the time of synchronization. This is called a minor synchronization because it works with data flowing in only one direction at a time and requires only a single exchange of control messages.
It is still possible to perform a minor synchronization in TWS mode using a special token that prevents both systems from issuing the S-SYNC-MINOR primitive at the same time. If it were possible to switch from TWS to TWA mode in midconnection, the use of an additional token would not be necessary, but mode switching is not possible. This is something that many people think is a major shortcoming in the session layer specification.
In most cases, systems using TWS mode communications must perform a major synchronization, which accounts not only for traffic that can be running in both directions but also for expedited traffic. A primitive called S-EXPEDITED enables one system to transmit to the other using what amounts to a high-speed pipeline that is separate from the normal communications channel. To perform a major synchronization, the system in possession of yet another token called the major/activity token issues a primitive called S-SYNC-MAJOR and then stops transmitting until it receives a response. However, the system issuing this primitive cannot create its checkpoint yet, as in a minor synchronization, because there may be traffic from the other system currently in transit.
On receiving the primitive, the other system is able to create its own checkpoint because all of the data in transit has been received, including expedited data, which has to have arrived before the primitive. The receiving system then transmits a confirmation response over the normal channel and transmits a special PREPARE message over the expedited channel. The system that initiated the synchronization procedure receives the PREPARE message first and then the confirmation, at which time it can create its own checkpoint.
The Presentation Layer
Unlike the session layer, which provides many different functions, the presentation layer has only one. In fact, most of the time, the presentation layer functions primarily as a pass-through service, meaning that it receives primitives from the application layer and issues duplicate primitives to the session layer below using the Presentation Service Access Point (PSAP) and the Session Service Access Point (SSAP). All of the discussion in the previous sections about applications utilizing session layer services actually involves the use of the pass-through service at the presentation layer because it is impossible for a process at any layer of the OSI model to communicate directly with any layer other than the one immediately above or beneath it. The presentation layer negotiates the use of a transfer syntax that is supported by both of the connected devices so the end systems of different types can communicate.
While the basic functions of the primitives are not changed as they are passed down through the presentation layer, they can undergo a crucial translation process that is the primary function of the layer. Applications generate requests for network resources using their own native syntax, but the syntax of the application at the destination system receiving the request may be different in several ways. The systems might also implement encryption and/or compression on the data to be transmitted over the network.
This translation process occurs in two phases, one of which runs at the presentation layer on each system. Each computer maintains an abstract syntax, which is the native syntax for the application running on that system, and a transfer syntax, which is a common syntax used to transmit the data over the network. The presentation layer on the system sending a message converts the data from the abstract syntax to the transfer syntax and then passes it down to the session layer. When the message arrives at the destination system, the presentation layer converts the data from the transfer syntax to the abstract syntax of the application receiving the message. The transfer syntax chosen for each abstract syntax is based on a negotiation that occurs when a presentation layer connection is established between two systems. Depending on the application's requirements and the nature of the connection between the systems, the transfer context may provide data encryption, data compression, or a simple translation.
NOTE The presentation layer connection is not synonymous with the connections that occur at the lower layers, nor is there direct communication between the presentation layers of the two systems. Messages travel down through the protocol stack to the physical medium and up through the stack on the receiver to the presentation layer there.
The syntax negotiation process begins when one system uses the P-CONNECT primitive to transmit a set of presentation contexts, which are pairs of associated abstract contexts and transfer contexts supported by that system. Each presentation context is numbered using a unique odd-numbered integer called a presentation context identifier.
With this message, one system is essentially informing the other of its presentation layer capabilities. The message may contain multiple transfer contexts for each abstract context to give the receiving system a choice.
Once the other system receives the P-CONNECT message, it passes the presentation contexts up to the application-layer processes, which decide which of the transfer contexts supported by each abstract context they want to use. The receiver then returns a list of contexts to the sender with either a single transfer context or an error message specified for each abstract context. On receipt by the original sender, this list becomes the defined context set. Error messages indicate that the receiving system does not support any of the transfer contexts specified for a specific abstract context. Once the negotiation process is completed, the systems can propose new presentation contexts for addition to the defined context set or remove contexts from the set using a primitive called P-ALTER-CONTEXT.
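The P-CONNECT negotiation and a later P-ALTER-CONTEXT, modelled as an added example that is not from the book: odd identifiers, one chosen transfer syntax or an error per abstract syntax, and the resulting defined context set. The syntax names and the `supported` tables are constructed sample data, and representing the error result as `None` is a simplification of the real protocol.

```python
"""Presentation context negotiation as described for P-CONNECT and P-ALTER-CONTEXT.
Constructed example, not the book's code; syntax names and `supported` tables are invented,
and the responder's error result is simplified to None."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DefinedContextSet = Dict[int, Tuple[str, str]]     # identifier -> (abstract syntax, transfer syntax)


@dataclass(frozen=True)
class PresentationContext:
    identifier: int                      # unique odd integer chosen by the proposing system
    abstract_syntax: str                 # the application's native syntax
    transfer_syntaxes: Tuple[str, ...]   # encodings the proposer can use for it, most preferred first


def propose(abstract_to_transfer: Dict[str, List[str]], first_id: int = 1) -> List[PresentationContext]:
    """Build the presentation-context list carried in P-CONNECT (or offered via P-ALTER-CONTEXT)."""
    if first_id % 2 == 0:
        raise ValueError("presentation context identifiers must be odd")
    return [PresentationContext(first_id + 2 * n, abstract, tuple(transfers))
            for n, (abstract, transfers) in enumerate(abstract_to_transfer.items())]


def respond(proposal: List[PresentationContext], supported: Dict[str, set]) -> Dict[int, Optional[str]]:
    """Responder side: the application picks one transfer syntax per context, or reports an error
    (None) when it supports none of the offered encodings for that abstract syntax."""
    answer: Dict[int, Optional[str]] = {}
    for ctx in proposal:
        usable = supported.get(ctx.abstract_syntax, set())
        answer[ctx.identifier] = next((t for t in ctx.transfer_syntaxes if t in usable), None)
    return answer


def defined_context_set(proposal: List[PresentationContext], answer: Dict[int, Optional[str]],
                        current: Optional[DefinedContextSet] = None) -> DefinedContextSet:
    """Proposer side: merge the accepted contexts into the defined context set (empty at P-CONNECT).
    Contexts the responder answered with an error are simply not part of the set."""
    dcs = dict(current or {})
    for ctx in proposal:
        if ctx.identifier in dcs:
            raise ValueError(f"identifier {ctx.identifier} is already in the defined context set")
        if answer.get(ctx.identifier):
            dcs[ctx.identifier] = (ctx.abstract_syntax, answer[ctx.identifier])
    return dcs


def alter_context(dcs: DefinedContextSet, remove: List[int], add: List[PresentationContext],
                  supported: Dict[str, set]) -> DefinedContextSet:
    """P-ALTER-CONTEXT: drop contexts by identifier and negotiate new ones into the set."""
    kept = {i: v for i, v in dcs.items() if i not in remove}
    return defined_context_set(add, respond(add, supported), kept)


if __name__ == "__main__":
    offer = propose({"FileStore-ASN1": ["PER", "BER"],      # constructed abstract syntax names
                     "Directory-ASN1": ["XER", "BER"],
                     "LegacyMail": ["IA5"]})
    peer_supports = {"FileStore-ASN1": {"BER"}, "Directory-ASN1": {"XER", "BER"}}
    reply = respond(offer, peer_supports)
    print(reply)                                   # identifier 5 comes back as an error
    print(defined_context_set(offer, reply))
```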
The Application Layer
As the top layer in the protocol stack, the application layer is the ultimate source and destination for all messages transmitted over the network. All of the processes discussed in the previous sections are triggered by an application that requests access to a resource located on a network system. Application layer processes are not necessarily synonymous with the applications themselves, however. For example, if you use a word processor to open a document stored on a network server, you are redirecting a local function to the network. The word processor itself does not provide the application layer process needed to access the file. In most cases, it is an element of the operating system that distinguishes between requests for files on the local drive and those on the network. Other applications, however, are designed specifically for accessing network resources. When you run a dedicated FTP client, for example, the application itself is inseparable from the application layer protocol it uses to communicate with the network. The application layer protocol is the interface between the application running on the computer that is requesting the services of the network and the protocol stack that converts that request into the transmitted signals.
Some of the other protocols that are closely tied to the applications that use them are as follows:
• DHCP Dynamic Host Configuration Protocol
• TFTP Trivial File Transfer Protocol
• DNS Domain Name System
• NFS Network File System
• RIP Routing Information Protocol
• BGP Border Gateway Protocol
NOTE These protocols are somewhat different from applications that are designed for the users, such as word processors or spreadsheets. These protocols are primarily designed to be used by the systems themselves.
In between these two extremes are numerous application types that access network resources in different ways and for different reasons. The tools that make that access possible are located in the application layer. Some applications use protocols that are dedicated to specific types of network requests, such as the Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP3), both used for e-mail; the Simple Network Management Protocol (SNMP), used for remote network administration; and the Hypertext Transfer Protocol (HTTP), used for World Wide Web communications.
As you have seen in this chapter, the bottom four layers of the OSI reference model perform functions that are easily differentiated, while the functions of the session, presentation, and application layers tend to bleed together. Many of the application layer protocols listed here contain functions that rightly belong at the presentation or session layers, but it is important not to let the OSI model assert itself too forcibly into your perception of data networking. The model is a tool for understanding how networks function, not a guide for the creation of networking technologies.
PART II Network Hardware
CHAPTER 3 Network Interface Adapters
CHAPTER 4 Network Interface Adapters and Connection Devices
CHAPTER 5 Cabling a Network
CHAPTER 6 Wireless LANs
CHAPTER 7 Wide Area Networks
CHAPTER 8 Server Technologies
CHAPTER 9 Designing a Network
CHAPTER 3 Network Interface Adapters
Every computer that participates on a network must have an interface to that network, using either a cable or some form of wireless signal that enables it to transmit data to the other devices on the network. The most common form of wired network interface is an Ethernet port that connects to a network cable; it is typically referred to as a network interface card (or controller), or NIC for short (see Figure 3-1), and on most systems today it is built into the mainboard. Also called a network interface adapter, it is used by small and medium-sized businesses as well as in home network configurations.
Figure 3-1 A typical Ethernet network card (photo provided by Dsimic at English Wikipedia under the GNU Free Documentation License)
NIC Functions
The network interface adapter, in combination with the network adapter driver, implements the data link layer protocol used on the computer, usually Ethernet, as well as part of the physical layer. The NIC also provides the link between the network layer protocol, which is implemented completely in the operating system, and the network medium, which is usually a cable connected to the NIC. If you use an Ethernet NIC, your connection is made with an Ethernet cable with an RJ-45 connector. The RJ-45 connector looks like a telephone connector (RJ-11) but is larger.
The NIC and its driver perform the basic functions needed for the computer to access the network. The process of transmitting data consists of the following steps (which, naturally, are reversed during packet reception):
1. Data transfer The data stored in the computer's memory is transferred to the NIC across the system bus using one of the following technologies: direct memory access (DMA), shared memory, or programmed I/O.
2. Data buffering The rate at which the PC processes data is different from the transmission rate of the network. The NIC includes memory buffers that it uses to store data so it can process an entire frame at once.
NOTE Bandwidth is the term used to indicate the speed capabilities of the physical devices used when interacting with a network. Basic Ethernet, for example, has a bandwidth of 10 Mbps, so using an Internet connection faster than that would be largely wasted speed. Fast Ethernet reaches 100 Mbps, usually adequate for home computer connections. Gigabit Ethernet can reach 1 Gbps, and 10 Gigabit Ethernet is 10 Gbps. Even wireless connections are limited by bandwidth. Wireless 802.11b is 11 Mbps, and Wireless-G (802.11g) has a top speed of 54 Mbps. Wireless-N (802.11n) can reach 300 Mbps in common configurations. These are nominal link rates; the throughput actually available to applications is always lower.
3. Frame construction The NIC receives data that has been packaged by the network layer protocol and encapsulates it in a frame that consists of its own data link layer protocol header and footer. Depending on the size of the packet and the data link layer protocol used, the NIC may also have to split the data into segments of the appropriate size for transmission over the network. For incoming traffic, the NIC reads the information in the data link layer frame, verifies that the packet has been transmitted without error (on Ethernet, by recomputing the CRC carried in the frame check sequence), and determines whether the packet should be passed up to the next layer in the networking stack. If so, the NIC strips off the data link layer frame and passes the enclosed data to the network layer protocol.
4. Media access control The NIC is responsible for arbitrating the system's access to the shared network medium, using an appropriate media access control (MAC) mechanism. This is necessary to prevent multiple systems on the network from transmitting at the same time and losing data because of a packet collision. The MAC mechanism is the single most defining element of a data link layer protocol. (The MAC mechanism is not needed for incoming traffic.)
5. Parallel/serial conversion The system bus connecting the NIC to the computer's main memory array transmits data 16 or 32 bits at a time in parallel fashion, while the NIC transmits and receives data from the network serially, that is, one bit at a time. The NIC is responsible for taking the parallel data transmission that it receives over the system bus into its buffers and converting it to a serial bit stream for transmission out over the network medium. For incoming data from the network, the process is reversed.
6. Data encoding/decoding The data generated by the computer in binary form must be encoded in a manner suitable for the network medium before it can be transmitted, and in the same way, incoming signals must be decoded on receipt. This and the following step are the physical layer processes implemented by the NIC. For a copper cable, the data is encoded into electrical impulses; for fiber-optic cable, the data is encoded into pulses of light. Other media may use radio waves, infrared light, or other technologies. The encoding scheme is determined by the data link layer protocol being used.
7. Data transmission/reception The NIC takes the data it has encoded, amplifies the signal to the appropriate amplitude, and transmits it over the network medium. This process is entirely physical and depends wholly on the nature of the signal used on the network medium.
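Steps 3 and 4 (frame construction on transmit; error check and address filtering on receive) are the part of this procedure that can be shown in software. The following is an added example, not code from the book or from any NIC vendor: it builds an Ethernet II frame with a real CRC-32 frame check sequence and then applies the receive-side checks in the order a NIC does them. The MAC addresses and payload are constructed, and multicast filtering is simplified to "accept every group address" (a real NIC keeps a hash filter of the groups the host has joined).

```python
# Ethernet frame construction and reception checks, as a NIC performs them
# in steps 3 and 4 above. Added example; MAC addresses and payload are
# constructed, and multicast filtering is simplified (a real NIC keeps a
# hash filter of the multicast groups the host has joined).
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
MIN_FRAME = 64      # bytes, including the 4-byte FCS
MAX_FRAME = 1518    # bytes, including the FCS (no VLAN tag)
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    """'02:00:00:00:00:01' -> six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def fcs(body):
    """Frame check sequence: CRC-32 over destination, source, type and
    payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Encapsulate a network-layer packet in an Ethernet II frame. Short
    payloads are padded so the frame meets the 64-byte minimum; oversize
    ones are refused, because fragmenting is the network layer's job."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    if len(body) + 4 > MAX_FRAME:
        raise ValueError("payload too large for a single frame")
    return body + fcs(body)


def receive_frame(frame, my_mac, promiscuous=False):
    """The receive side of steps 3 and 4. Returns (accepted, reason, info),
    where info is (src_mac, ethertype, payload) for an accepted frame.
    The checksum is verified before any addressing decision, so a damaged
    frame is discarded rather than passed up the stack."""
    if len(frame) < MIN_FRAME:
        return False, "runt frame", None
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return False, "bad FCS", None
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    is_group = bool(dst[0] & 0x01)      # I/G bit set: multicast or broadcast
    addressed_here = dst == mac_bytes(my_mac) or dst == BROADCAST or is_group
    if not (promiscuous or addressed_here):
        return False, "not addressed to this interface", None
    return True, "ok", (src.hex(":"), ethertype, body[14:])


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        ETHERTYPE_IPV4, b"constructed payload")
    print(len(frame), receive_frame(frame, "02:00:00:00:00:02")[:2])
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                  # flip one payload bit in transit
    print(receive_frame(bytes(damaged), "02:00:00:00:00:02")[:2])
```

Two details matter for anyone writing packet-capture or detection tooling: the FCS protects against transmission damage only, not against a deliberately crafted frame (a forged source address passes the check just fine), and the `promiscuous` flag is exactly the switch a sniffer flips to bypass the address filter, which is why a NIC in promiscuous mode is itself something worth detecting on a host.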
The NIC also provides the data link layer hardware (or MAC) address that is used to identify the system on the local network. Most data link layer protocols rely on addresses that are hard-coded into the NIC by the manufacturer. In actuality, the MAC address identifies a particular network interface, not necessarily the whole system. In the case of a computer with two NICs installed and connected to two different networks, each NIC has its own MAC address that identifies it on the network to which it is attached.
Some older protocols, such as ARCnet, required the network administrator to set the hardware address manually on each NIC. If systems with duplicate addresses were on the network, communications problems resulted. Today, MAC addresses are assigned in two parts, much like IP addresses and domain names. The Institute of Electrical and Electronics Engineers (IEEE) maintains a registry of NIC manufacturers and assigns 3-byte address codes called organizationally unique identifiers (OUIs) to them as needed; the manufacturer then assigns the remaining 3 bytes to each interface it produces. Although the address is burned in at the factory, virtually every modern driver lets the operating system override it, so a MAC address identifies an interface for frame delivery but should not be relied on as proof of a device's identity.
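The two-part structure of a MAC address, and the two flag bits that tell you whether the address is a group address or was set in software, can be decoded directly. The following is an added example, not from the book; the two-entry OUI table is an illustration (a real tool loads the IEEE-published registry), and the address strings are constructed.

```python
# Decoding the structure of a MAC address: OUI, manufacturer-assigned
# part, and the two flag bits in the first byte. Added example; the OUI
# table below is a two-entry illustration, not the IEEE registry.
from collections import Counter

# Two well-known OUIs, shown only to illustrate the lookup; a real tool
# loads the IEEE-published registry (oui.txt / the MA-L CSV) instead.
SAMPLE_OUI_TABLE = {
    "00:00:0c": "Cisco Systems, Inc",
    "00:50:56": "VMware, Inc.",
}


def normalize_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'
    and return lowercase colon-separated form."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes: %r" % mac)
    return raw.hex(":")


def describe_mac(mac, table=SAMPLE_OUI_TABLE):
    raw = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    oui = raw[:3].hex(":")
    return {
        "oui": oui,
        "vendor": table.get(oui),            # None when the OUI is not in our table
        "nic_specific": raw[3:].hex(":"),    # the part the manufacturer assigns
        # Bit 0 of the first byte (I/G): 0 = individual (unicast), 1 = group (multicast/broadcast)
        "multicast": bool(raw[0] & 0x01),
        # Bit 1 of the first byte (U/L): 1 = locally administered, i.e. set by
        # software or an administrator rather than burned in; the OUI is then meaningless
        "locally_administered": bool(raw[0] & 0x02),
    }


def duplicate_macs(addresses):
    """Return the set of addresses that appear more than once (in any
    textual form), the situation that broke ARCnet-era networks."""
    counts = Counter(normalize_mac(a) for a in addresses)
    return {mac for mac, n in counts.items() if n > 1}


if __name__ == "__main__":
    for mac in ("00:50:56:ab:cd:ef", "02:42:ac:11:00:02", "01:00:5e:00:00:01"):
        print(mac, describe_mac(mac))
    print(duplicate_macs(["00-50-56-AB-CD-EF", "0050.56ab.cdef", "00:00:0c:01:02:03"]))
```

The locally-administered bit is the practical tell: an address with it set (`02:42:...` is the pattern container runtimes generate, for instance) was chosen by software, so a vendor lookup on its OUI is meaningless and an inventory that trusts MAC-to-vendor mapping should flag it rather than classify it.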
NIC Features
In addition to the basic functionality described thus far, NICs can have a variety of other features, depending on the manufacturer, protocol, price point, and the type of computer in which the device is to be used. Some of these features are discussed in the following sections.
Full Duplex
Most of the data link layer protocols that use twisted-pair cable separate the transmitted and received signals onto different wire pairs. Even when this is the case, however, the NIC can operate in half-duplex mode, meaning that at any given time, it can be transmitting or receiving data, but not both simultaneously. NICs that operate in full-duplex mode can transmit and receive at the same time, effectively doubling the throughput of the network (see Figure 3-2).
Figure 3-2 Full-duplex systems can transfer data in both directions at the same time, while half-duplex systems transfer information in one direction at a time.
When a NIC is operating in full-duplex mode, it can transmit and receive data at any time, eliminating the need for a media access control mechanism. This also eliminates collisions, which increases the overall efficiency of the network. Running a full-duplex network requires more than just NICs that support this feature, however. The switch, router, or other device to which each computer connects must also support full-duplex operation, and the link must be a dedicated one: a hub, which joins its ports into a shared medium, cannot run full duplex. A duplex mismatch between the two ends of a link (one side full, the other half) produces late collisions and errors that look like a faulty cable, so confirm the negotiated duplex on both ends when troubleshooting.
Bus Mastering
Normally, when data is transmitted between the computer's memory and an expansion card over the system bus, the processor functions as the middleman, reading data from the source and transmitting it to the destination. This utilizes processor clock cycles that could otherwise be running applications or performing other important tasks. An expansion card capable of bus mastering has a chipset that arbitrates the card's access to the bus, eliminating the need for the system processor's involvement in the transfer of data to and from memory. Bus mastering NICs enable the computer to operate more efficiently because they conserve the processor clock cycles that would otherwise be expended in data transfers. The flip side is that a bus-mastering device can read or write any physical memory the platform lets it reach, which is why an IOMMU (Intel VT-d, AMD-Vi) should be enabled to confine each device to the buffers its driver has actually mapped for it.
Parallel Tasking
Parallel Tasking is a feature that was developed by 3Com Corporation and subsequently implemented by other NIC manufacturers, using different names. The term describes a process by which the NIC can begin to transmit a packet over the network while the data is still being transferred to the NIC over the system bus. A NIC without this capability must wait until an entire packet is stored in its buffers before it can transmit. Later NICs featured Parallel Tasking II, which improved bus mastering communications over the Peripheral Component Interconnect (PCI) bus. Previously, a PCI NIC could transfer only 64 bytes at a time during a single bus master operation, which required dozens of operations to transfer each packet. Parallel Tasking II enables the NIC to stream up to an entire Ethernet packet's worth of data (1,518 bytes) during a single bus master operation.
Wake-on-LAN or Wake-on-Wireless-LAN
Wake-on-LAN (WoL), now an industry standard, is a feature that enables a computer to "wake" from a very low power state. WoL is an enhancement built into network interface adapters and computer motherboards that enables an administrator to turn a computer on from a remote location. Once it is turned on, the administrator can perform any necessary maintenance tasks. On older hardware, both the computer's motherboard and the NIC needed a three-pin remote wake-up connector, joined with a cable; on current systems the wake signal is carried over the expansion bus itself (the PCI power management event signal). When the computer is turned off, it actually switches to a low-power sleep state instead of being completely powered off. While in this state, the NIC continuously monitors the network for a special wake-up packet (the "magic packet") that can be delivered to it by a desktop management application running on an administrator's computer.
When the NIC receives the packet, it signals the motherboard, which in turn switches the power supply back into its full power state, effectively turning on the computer. Once the computer is up and running, the administrator can take control of the system using whatever tools are available. The magic packet carries no authentication beyond the target's MAC address, so anyone who can place a broadcast on the segment can wake the machine; the optional SecureOn password that some NICs support is a static 6-byte value that is sent in the clear.
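The wake-up packet itself is simple enough to build and to recognise in a few lines. The following is an added example, not code from the book or from any management product. It assumes the common AMD-defined magic packet format (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a six-byte SecureOn password, usually sent as a UDP datagram to port 9); the MAC addresses and the broadcast address are constructed.

```python
# Wake-on-LAN magic packet: build one, recognise one, send one. Added
# example, not from the book. It assumes the common AMD-defined format:
# six 0xFF bytes (the synchronization stream) followed by the target MAC
# repeated sixteen times, optionally followed by a six-byte "SecureOn"
# password, usually carried in a UDP datagram to port 9 (or 7).
import socket

SYNC = b"\xff" * 6
REPEATS = 16


def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def magic_packet(mac, password=None):
    """Return the magic packet bytes for the given MAC. `password` is the
    optional 6-byte SecureOn value; note it travels in the clear."""
    packet = SYNC + mac_bytes(mac) * REPEATS
    if password is not None:
        if len(password) != 6:
            raise ValueError("SecureOn password must be 6 bytes")
        packet += bytes(password)
    return packet


def find_magic_packet(data):
    """Scan a received datagram the way a sleeping NIC does: the sync
    stream followed by 16 copies of one MAC may appear anywhere in the
    payload. Returns the target MAC as text, or None."""
    start = data.find(SYNC)
    while start != -1:
        mac = data[start + 6:start + 12]
        if len(mac) == 6 and data[start + 6:start + 6 + 6 * REPEATS] == mac * REPEATS:
            return mac.hex(":")
        start = data.find(SYNC, start + 1)
    return None


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, password=None):
    """Transmit the packet as a UDP broadcast. Needs a network, so it is
    not exercised offline; the broadcast address is an assumption, and on
    a routed network you would use the target subnet's directed broadcast."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(magic_packet(mac, password), (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("02:00:00:00:00:01")
    print(len(pkt), find_magic_packet(b"junk" + pkt + b"tail"))
```

`find_magic_packet` is also the detection side: run it over UDP payloads in a capture and you get a list of which hosts are being woken and from where, which is useful when an unexpected machine keeps powering on overnight. Because the NIC only looks for the pattern, not for a particular UDP port or source, the scan deliberately ignores the encapsulation.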
Selecting a NIC
When your mainboard does not have an acceptable NIC or you simply want to upgrade the built-in card, you need to consider several factors:
• The data link layer protocol used by the network
• The transmission speed of the network
• The type of interface that connects the NIC to the network
• The type of system bus into which you will install the NIC
• The hardware resources the NIC requires
• The electric power the NIC requires
• The role of the computer using the NIC (server versus workstation and home versus office)
• Appropriate driver availability
NOTE The most common network interface cards are PCI, ISA, or PCMCIA cards. The kind you choose largely depends on the computer you will be installing the card in and what type of interface that computer offers. A PCI card goes into a PCI slot of your computer and operates at a fast speed; this is the most common choice for most users, with PCI Express (PCIe) taking that role in current systems. An ISA card that connects to a computer's motherboard can be less expensive than a PCI card but may also be less reliable. PCMCIA cards are placed in an appropriate slot in laptops.
The following sections examine these criteria and how they can affect the performance of the NIC and your network.
Protocol
The data link layer protocol is the single most defining characteristic of a network interface adapter. The most popular protocol used at the data link layer is Ethernet, but NICs are also available that support Token Ring, FDDI, ATM, and others, as well as variations on these protocols.
All of the computers on the network must, of course, be using the same data link layer protocol, and the selection of that protocol should be a decision made long before you're ready to purchase NICs. This is because all of the other network hardware, such as cables, hubs, and other devices, is also protocol specific. The NIC you select must also support the type of cable or other medium the network uses, as well as the transmission speed of the network. You can select Ethernet NICs that support the use of unshielded twisted-pair (UTP), two types of coaxial, or fiber-optic cable, as well as various types of wireless transmissions. These are all aspects of the network configuration that you must consider before making NIC purchases.
Transmission Speed
Some data link layer protocols can run at different speeds, and the capability of a NIC to support these speeds can be an important part of selecting the correct product for your network. In some protocols, an increase in speed has been fully assimilated into the technology, while in others, the faster version is still an optional feature. Fast Ethernet (running at 100 Mbps) has, for all practical purposes, replaced traditional 10 Mbps Ethernet. Many Fast Ethernet NICs are combination devices that support both 10 and 100 Mbps operation (and Gigabit Ethernet NICs commonly support 10, 100, and 1000 Mbps), making it possible to gradually upgrade an older Ethernet network. When the connection is established between the NIC and the hub or switch, the devices negotiate the highest speed they have in common.
Network Interface
The type of cable (or other medium) that forms the fabric of the network determines the network interface used on the NIC. The network cable type is typically selected at the same time as the data link layer protocol, and the NICs you purchase must support that medium. Some data link layer protocols support different types of cables, and NICs are available for each one, while other protocols are designed to use only one type of cable.
Today, you can choose to install a NIC that uses an Ethernet cable with an RJ-45 connector. PCI or PCI Express cards require that you open the computer to install them. You can also purchase Universal Serial Bus (USB) devices that simply connect to your computer at a USB port.
Ethernet also supports the use of fiber-optic cable, which carries data coded into light pulses rather than into electric voltages. The components on a fiber-optic NIC are therefore substantially different in form (if not function) from those on a copper-based Ethernet NIC, including the network interface, which is usually a straight-tip (ST) connector or, on newer equipment, an SC or LC connector. Fast Ethernet can use fiber-optic cable to run at 100 Mbps over far longer distances than any copper medium. Because of these technological differences, fiber-optic Fast Ethernet NICs are not usually combined with other technologies. Fiber-optic network hardware is often more expensive than comparable copper-based products.
Bus Interface
The network interface adapter enables a network system to transmit data from its main memory array to an outside destination, just like a parallel or serial port does. The data travels from the memory to the network adapter across the system bus, in the same manner as with any other expansion card, like a graphics or audio adapter. The type of bus the NIC uses to communicate with the computer can affect the performance of the network connection, but the selection of a bus type for the NIC is unique to each computer. PCI, and in current systems its successor PCI Express (PCIe), is the bus type used in virtually all desktop computers. Laptops and other portables used the PC Card bus (formerly known as the Personal Computer Memory Card International Association, or PCMCIA, bus). Older systems used various other types of expansion buses, such as VESA Local Bus (VLB), Micro Channel Architecture (MCA), or Extended Industry Standard Architecture (EISA). USB adapters require no internal installation. You simply plug the adapter into a computer's USB port, plug the network cable into the adapter, and install the appropriate driver for the new device. No external power connection is needed; the adapter derives power from the bus. This makes for an extremely simple installation, but the performance of a USB network adapter can be inferior to that of other NICs.
Table 3-1 lists the characteristics of these buses and their respective bus speeds.
Table 3-1 PC Bus Types, Widths, Speed, and Bandwidth
Bottlenecks
The bus type selection can affect network performance if the selected bus is slow enough to cause a bottleneck in the network. In networking, a bottleneck occurs when one element of a network connection runs at a significantly slower speed than all of the others. This can cause the entire network to slow down to the speed of its weakest component, resulting in wasted bandwidth and needless expense. As an exaggerated example, consider a network that consists of modern PCs with fast processors, connected by a Fast Ethernet network running at 100 Mbps. All of the workstations on the network have NICs that use the PCI bus except for the main database server, which has an old ISA NIC. The result of this is that the ISA NIC will probably be the slowest component in all of the workstation/server connections and will be a bottleneck that prevents the rest of the equipment from achieving its full potential.
The process of identifying actual bottlenecks is rarely this clear-cut. Just because a network protocol runs at 100 Mbps doesn't mean that data is continuously traveling over the cable at that speed, and the raw speed of a particular bus type is not indicative of the actual throughput rate for the data generated by the system. However, it is a good idea to use common sense when purchasing NICs and to try to maximize the performance of your network.
ISA or PCI?
If you have to deal with the older bus types, you may encounter Industry Standard Architecture (ISA) cards. The choice for most desktop systems manufactured after about 1995 was between ISA and PCI. For a traditional Ethernet network running at 10 Mbps or a Token Ring network running at 4 or 16 Mbps, an ISA NIC was more than sufficient. In fact, ISA NICs can be perfectly serviceable on 100 Mbps networks as well, at least for workstations, because the average network user does not require anything approaching 100 Mbps of bandwidth on a continuous basis. The main reason for the ISA NIC being the bottleneck in the scenario described earlier is that it is installed in the server. A server PC that is handling data requests generated by dozens or hundreds of workstations simultaneously naturally requires more bandwidth than any single workstation. In a server, therefore, the use of the fastest bus available is always recommended.
However, there is another element to the bus type decision that you must consider, and that is the availability of expansion bus slots in your computers. Obviously, to install a network interface card into a PC, it must have a free bus slot. Legacy PCs have varying numbers of PCI and ISA slots, and the hardware configuration of the machine determines how many of those slots (if any) are free. Many older "full-featured computers" have peripheral devices installed that occupy many of the bus slots. Because it is possible for a card to occupy a slot without protruding through the back of the computer, simply looking at the outside of a system is not sufficient to determine how many free slots there are. You must open the machine to check for free slots and to determine which types of slots are available. If no slots are available, an external network adapter using the USB port may be your only recourse.
Administrators of large networks often purchase workstations that do not have all the state-of-the-art features found in many home systems, which may leave more slots free for additional components such as a NIC. In addition, PCs targeted at the corporate market are more likely to have peripheral devices such as audio and video adapters integrated into the motherboard, which also can leave more free slots. However, an office computer may also use a slimline or low-profile case design that reduces the number of slots to minimize the computer's footprint.
Even in legacy systems, the selection of the bus type for the NIC should be based on the network bandwidth requirements of the user and not on the type of bus slot the computer has free. However, you may have no other choice than to put an ISA NIC in a computer that could benefit from a PCI card but has only an ISA slot free.
Integrated Adapters
As mentioned earlier, many PCs have peripheral devices integrated into the motherboard. One of these devices may be the network interface adapter. Because an integrated network adapter is not a separate card, it cannot rightfully be called a NIC, but it does perform the same function as a network adapter that is installed into the system's expansion bus. Although integrated adapters reduce the distance the signals have to travel to reach the adapter and avoid the electrical interference that can occur during a bus transfer, the problem with them is that they are not upgradable. A system that has an integrated network adapter is under no obligation to use it. You can nearly always disable the adapter by going through the system BIOS, by manipulating a switch or jumper on the motherboard, or simply by installing a NIC into a bus slot. You might find a deal on workstations with the wrong type of integrated network adapter that is good enough to be worth buying NICs for the computers as well.
Fiber-Optic NICs
The first considerations for choosing a fiber-optic network card are network type and transmission rate. Consider the bandwidth needs of the server or workstation, along with the physical medium used for transmission, to determine the transmission rate of the card you purchase. Since Ethernet offers speeds of 10 Mbps, 10/100 Mbps, 1000 Mbps, and even 10 Gbps, it is usually best to choose a card that matches the slowest component in the network. For example, if your network uses 100 Mbps cabling, using a 1000 Mbps card will still only result in 100 Mbps.
Also, pay attention to the bus type. Servers and workstations typically use some form of the PCI bus, such as a Peripheral Component Interconnect Express (PCIe) card. Today, most PCs no longer support the ISA connector, so when you purchase network cards for your PC, do not buy an outdated ISA network card. Instead, choose a current PCI or PCIe card.
Remember, you must also consider the connector type used by the NIC. The network card needs to be connected to the network, so it must have a fiber-optic connector that matches the one used by the other network equipment.
Portable Systems
Network interface adapters for laptops and other portable systems take the form of PC Card (CardBus) NICs or USB-connected adapters. As such, consider the speed of the network to which you will be connecting, as well as the price and reliability of the device you choose.
Hardware Resource Requirements
In addition to a bus slot or an available USB port, a computer must have the appropriate hardware resources free to support a NIC. A network interface adapter requires a free interrupt request line (IRQ) and usually either an I/O port address, a memory address, or both. When evaluating NICs, you must take into account both the resource requirements of the NIC and the resources available on the computer. On a PC with a lot of peripheral devices already installed, most of the IRQs may already be in use, and adding a NIC may be difficult. This is because a NIC may be able to use only a select few of the system's IRQs, and if all of those IRQs are occupied, the card cannot function. Two devices configured to use the same resource will sometimes conflict, causing both to malfunction. In some cases, however, it's possible for two devices to share an IRQ. To free up one of the IRQs usable by the NIC, you may have to configure another device to use a different IRQ. Thus, you have to consider not only the number of available IRQs on the computer but also which ones are available. The same is true for the other resources required by the card.
Many older NICs supported only two or three IRQs and other resources, and configuring the devices in the computer was a manual trial-and-error process. System administrators could spend hours trying different combinations of hardware settings for the components in a single computer before finding one that enabled all of the devices to function simultaneously. Today, however, NICs are generally more flexible and support a wider range of resource settings. In addition, the BIOS and the operating system of a modern PC have features that simplify the process of configuring peripheral devices to work together.
Plug-and-play, when it functions properly, eliminates the need to worry about hardware resource configuration for peripheral devices. When a system has a BIOS, an operating system, and hardware that all support the plug-and-play standard, the computer assigns hardware resources to each device dynamically when the system starts. When plug-and-play is not supported for a particular device such as a NIC, operating systems (such as Microsoft Windows) provide tools that can identify the free resources in the machine and indicate whether the NIC's current configuration conflicts with any other devices in the system.
Thus, when selecting NICs, you should be conscious of the hardware resources in use on the computers that will use them. When using NICs and computers of recent manufacture, this is rarely a problem. However, a computer with a lot of installed peripherals may be unable to support an additional card without removing one of the existing components. In other cases, you may have to reconfigure other devices to support the addition of a NIC. Most NIC manufacturers publish specification sheets (often available on their websites) that list the hardware resources their NICs can use. By comparing this information to the current configuration of a PC, you can determine whether the computer has the resources to support the NIC.
Power Requirements
The power supplies in today's computers usually provide more than enough power to support a full load of expansion cards and other internal peripherals. However, if you're running a system with a large number of internal devices, you may want to compare the power load incurred by these devices with the wattage furnished by the computer's power supply before you install a NIC. Because the power drain of mechanical drives varies depending on how often and how heavily they're used, a system with insufficient power to support its hardware load may experience intermittent problems that are difficult to diagnose. What may seem to be a faulty drive may, in fact, be the effect of an insufficient power supply for the hardware.
Server vs. Workstation NICs
The NICs in servers and workstations perform the same basic functions, and yet there are cards on the market that are targeted specifically for use in servers. Some of these NICs use protocols, such as 10 Gigabit Ethernet, whose cost and capabilities make them impractical for use in desktop workstations (Gigabit Ethernet was once in this category but is now standard on desktops). Others, however, are NICs that use standard protocols but that contain additional features to make them more useful in servers. Naturally, these extra features drive the price of the NIC up considerably, and it is up to you to decide whether they are worth the extra expense.
Today, server NICs are more sophisticated and perform many functions. Advances such as flexible LANs on motherboard (LOMs) and smart NICs can use their own onboard processors to provide functions such as encryption/decryption, firewalling, TCP/IP offload engine (TOE), iSCSI, and remote direct memory access (RDMA). Understanding these contemporary NIC technologies is critical with the advent of virtualization and cloud computing. Bear in mind that a NIC with its own processor and firmware is itself a small computer on the bus: it sees every frame and can master memory, so its firmware needs the same update and integrity discipline as the host operating system.
CHAPTER 4 Network Interface Adapters and Connection Devices
Originally, LANs consisted of nothing more than computers and cables, but as the technology evolved, more equipment was required. As the early coaxial cable networks grew to span longer distances, devices called repeaters were added to boost the signals. Later, when the dominant medium for Ethernet networks shifted from coaxial to unshielded twisted-pair (UTP) cable, hubs became an essential network component. As networks grew from tools for localized workgroups to companywide resources, components such as bridges, switches, and routers were developed in order to create larger networks. Using these devices makes it possible to build networks that span longer distances, support more computers, and provide increased bandwidth for each system on the network. This chapter examines the functions of these devices and how you can integrate them into your network infrastructure.
Today, a wide variety of devices are used in networking. Many of the following items are considered legacy devices, in that they are no longer used in networks built today. However, you may still encounter them in older systems.
Repeaters
As a signal travels over a cable, the natural resistance of the medium causes it to gradually weaken until it is no longer viable. The longer the cable, the weaker the signal gets. This weakening is called attenuation, and it is a problem that affects all types of cable to some degree. The effect of attenuation is dependent on the type of cable. Copper cable, for example, is much more prone to attenuation than fiber-optic cable. This is one reason why fiber-optic cable segments can be much longer than copper ones.
When building a LAN, the standard for the data link layer protocol you intend to use contains specifications for the types of cable you can use and the guidelines for installing them. These guidelines include, among other things, the minimum and maximum lengths for the cables connecting the computers. The cable's attenuation rate is one of the most important factors affecting the maximum cable length. When you have to run a cable across a longer distance than is specified in the standard, you can use a repeater to amplify the signal, enabling it to travel greater distances without attenuating to the point of being unreadable by the destination system. In its simplest form, a repeater is an electrical device used on a copper-based network that receives a signal through one cable connection, amplifies it, and transmits it out through another connection.
Repeaters were first used in data networking to expand the length of coaxial cable segments on Ethernet networks. On a coaxial network, such as a thin or thick Ethernet LAN, a stand-alone repeater enables you to extend the maximum bus length past 185 meters (for thin Ethernet) or 500 meters (for thick Ethernet). This type of repeater is simply a small box with two BNC connectors on it and a power cable. Using T connectors and terminators, you connect two cable segments to the repeater and the repeater to a power source. Signals entering either one of the two connectors are immediately amplified and transmitted out through the other connector. On most networks today, it is rare to see a stand-alone repeater because this function is built into another device, such as a hub or a switch.
Because its function is purely electrical, this type of repeater operates at the network's physical layer only. The repeater cannot read the contents of the packets traveling over the network or even know that they are packets. The device simply amplifies the incoming electrical signals and passes them on. Repeaters are also incapable of performing any sort of filtering on the data traveling over the network. As a result, two cable segments joined by a repeater form a single collision domain and therefore a single network.
Hubs
A hub is a device that functions as the cabling nexus for a network that uses the star topology. Each computer has its own cable that connects to the central hub. The responsibility of the hub is to see to it that traffic arriving over any of its ports is propagated out through the other ports. Depending on the network medium, a hub might use electrical circuitry, optical components, or other technologies to disseminate the incoming signal out among the outgoing ports. A fiber-optic hub, for example, actually uses mirrors to split the light impulses.
The hub itself is a box, either freestanding or rack-mounted, with a number of ports to which the cables connect. The ports can be the standard RJ-45 connectors used by twisted-pair networks, ST connectors for fiber-optic cable, or any other type of connector used on a star network. In many cases, hubs also have one or more LEDs for each port that light up to indicate when a device is connected to it, when traffic is passing through the port, or when a collision occurs.
The term hub or concentrator is used primarily in reference to Ethernet networks; the equivalent device on a Token Ring network is called a multistation access unit (MAU). Other protocols typically use one or the other of these terms, depending on the media access control (MAC) mechanism the protocol uses. The internal functions of hubs and MAUs are very different, but they serve the same basic purpose: to connect a collection of computers and other devices into a single collision domain.
PassiveHubsUnlikestand-alonerepeaters,whichwereallessentiallythesame,manydifferenttypesofhubsexistwithdifferentcapabilities.Atitssimplest,ahubsuppliescableconnectionsbypassingallthesignalsenteringthedevicethroughanyportoutthroughalltheotherports.Thisisknownasapassivehubbecauseitoperatesonlyatthephysicallayer,hasnointelligence,anddoesnotamplifyormodifythesignalinanyway.ThistypeofhubwasatonetimeusedonARCnetnetworks,butitisalmostneverusedonnetworkstoday.
Repeating, Active, and Intelligent Hubs
The hubs used on Ethernet networks propagate signals received through any of their ports out through all of the other ports in the device simultaneously. This creates a shared network medium and joins the networked computers into a single collision and broadcast domain, just as if they were connected to the same cable, as on a coaxial Ethernet network. Ethernet hubs also supply repeating functionality by amplifying the incoming signals as they propagate them to the other ports. In fact, Ethernet hubs were sometimes referred to as multipoint repeaters. Unlike a passive hub, a repeating (or active) hub requires a power source to boost the signal. The device still operates at the physical layer, however, because it deals only with the raw signals traveling over the cables.
Some hubs go beyond repeating and can repair and retime the signals to synchronize the transmissions through the outgoing ports. These hubs use a technique called store and forward, which involves reading the contents of the packets to retransmit them over individual ports as needed. A hub with these capabilities can lower the network performance for the systems connected to it because of processing delays. At the same time, packet loss is diminished, and the number of collisions is reduced.
An Ethernet hub connects all of your computers into a single collision domain, which is not a problem on a small network. Larger networks consist of multiple network segments connected by other types of devices, such as bridges, switches, or routers. Because an Ethernet hub also functions as a repeater, each of the cables connecting the hub to a computer can be the maximum length allowed by the protocol standard. For Ethernet running on UTP cable, the maximum length is 100 meters.
Using multiple hubs on a single LAN is possible by connecting them together to form a hierarchical star network, as shown in Figure 4-1. When you do this using standard repeating hubs, all the computers remain in the same collision domain, and you must observe the configuration guidelines for the data link layer protocol used on the network. Just as with the stand-alone repeaters discussed earlier in this chapter, the path between any two machines on a 10 Mbps Ethernet network cannot include more than four repeaters (hubs). Fast Ethernet networks typically support only two hubs.
Figure 4-1 This star network uses multiple hubs to expand the collision domain.
Intelligent hubs are units that have some form of integrated management capability. A basic repeating hub is essentially an electrical device that propagates incoming packets to all available ports without discrimination. Intelligent hubs do the same thing, but they also monitor the operation of each port. The management capabilities vary widely between products, but many intelligent hubs use the Simple Network Management Protocol (SNMP) to send information to a centralized network management console. Other devices might use a terminal directly connected to the hub or an HTML interface easily accessed from the Internet or from anywhere on the network.
The object of the management capability is to provide the network administrator with a centralized source of information about the hubs and the systems connected to them. This eliminates the need for the staff supporting a large network to go running to each wiring closet looking for the hub or system causing a problem. The management console typically displays a graphical model of the network and alerts the administrator when a problem or failure occurs on any system connected to the hub.
On smaller networks, this capability isn't needed, but when you're managing an enterprise network with hundreds or thousands of nodes, a technology that can tell you exactly which one of the hub ports is malfunctioning can be helpful. The degree of intelligence built into a hub varies greatly with the product. Most devices have sufficient intelligence to go beyond the definition of a hub and provide bridging, switching, or routing functions.
Collision Domains and Broadcast Domains
A collision domain is a group of computers connected by a network so that if any two computers transmit at the same time, a collision between the transmitted packets occurs, causing the data in the packets to be damaged. This is in contrast to a broadcast domain, which is a group of computers networked together in such a way that if one computer generates a broadcast transmission, all of the other computers in the group receive it. These two concepts are the tests used to define the functionality of network connection devices (such as repeaters, hubs, bridges, switches, and routers) and are used repeatedly in this chapter.
Other factors besides attenuation limit the maximum distance a network signal can travel. On an Ethernet network, for example, the first bit of a packet being transmitted by one computer must reach all the other computers on the local network before the last bit is transmitted. Therefore, you cannot extend a network segment without limit by adding multiple repeaters. A 10 Mbps Ethernet network can have up to five cable segments connected by four repeaters. Fast Ethernet networks are more limited, allowing a maximum of only two repeaters.
Token Ring MAUs
Token Ring networks use hubs as well, although they call them multistation access units. While the MAU, to all external appearances, performs the same function as an Ethernet hub, its internal workings are quite different. Instead of passing incoming traffic to all the other ports at one time, like in an Ethernet hub, the MAU transmits an incoming packet out through each port in turn, one at a time. After transmitting a packet to a workstation, the MAU waits until that packet returns through the same port before it transmits it out the next port. This implements the logical ring topology from which the protocol gets its name.
MAUs contain switches that enable specific ports to be excluded from the ring in the event of a failure of some kind. This prevents a malfunctioning workstation from disturbing the functionality of the entire ring. MAUs also have ring-in and ring-out ports that you can use to enlarge the ring network by connecting several MAUs.
NOTE See Chapter 12 for more information on network protocols.
Hub Configurations
Hubs are available in a wide variety of sizes and with many different features, ranging from small, simple devices designed to service a handful of computers to huge rack-mounted affairs for large, enterprise networks. Hub designs fall into three categories, as follows:
• Stand-alone hubs
• Stackable hubs
• Modular hubs
A stand-alone hub is usually a small box about the size of a paperback book that has anywhere from 4 to 16 ports in it. As the name implies, the device is freestanding, has its own power source, and can easily fit on or under a desk. Four- or five-port hubs can work for home networks or for providing quick, ad hoc expansions to a larger network. Larger units can support more connections and often have LEDs that indicate the presence of a link pulse signal on the connected cable and, possibly, the occurrence of a collision on the network.
Despite the name, a stand-alone hub usually has some mechanism for connecting with other hubs to expand the network within the same collision domain. The following sections examine how the most common mechanisms are used for this purpose.
The Uplink Port
The cables used on a twisted-pair network are wired straight through, meaning that each of the eight pins on the RJ-45 connector on one end of the cable is wired to the corresponding pin on the other end. UTP networks use separate wire pairs within the cable for transmitting and receiving data. For a UTP connection between two computers to function, however, the transmit contacts on each system must be connected to the receive contacts on the other. Therefore, a crossover must exist somewhere in the connection, and traditionally this occurs in the hub, as shown in Figure 4-2. The pins in each of a hub's ports are connected to those of every other port using crossover circuits that transpose the transmit data (TD) and receive data (RD) signals. Without this crossover circuit, the transmit contacts on the two systems are connected, as are the receive contacts, preventing any communication from taking place.
Figure 4-2 Hubs that contain crossover circuits allow cables to be wired straight through.
NOTE See more information on cabling in Chapter 5.
Many hubs have a port that bypasses the crossover circuit, which you can use to connect to another hub. This port is typically labeled uplink and may or may not have a switch that enables you to specify whether the port should be crossed over or wired straight through. If you have more than one hub on your system, you connect them using the uplink port on one hub only and a standard port on the other. If you connect two hubs using the uplink ports on both devices, the two crossovers would cancel each other out, and the connection between a computer attached to one hub and a computer attached to the other would be the equivalent of a straight-through connection. If a hub does not have an uplink port, you can still connect it to another hub using a standard port and a crossover cable, which is a cable that has the transmit pins on each end wired directly to the receive pins on the other end. You typically use the uplink port to connect hubs when they're located some distance away from each other and you want to use the same cable medium throughout the network.
When you are evaluating hubs, being aware of just how many hub ports are available for workstation connections is important. A device advertised as an eight-port hub may have seven standard ports and one uplink port, leaving only seven connections for computers. No matter what the size of the network, purchasing hubs with a few ports more than you need right now, for expansion purposes, is always a good idea.
When you have several 10Base-T Ethernet hubs connected in a hierarchical star topology using their uplink ports, each length of cable is a separate segment. Because the Ethernet guidelines allow the path from one system to another to travel across only five segments, connected by four repeaters, you are limited to four hubs on any particular LAN.
As you expand this type of network further, you may run into another Ethernet limitation not yet mentioned. The bus connecting the hubs is called a mixing segment because it has more than two devices connected to it. A segment that connects only two devices, such as the UTP cable connecting hubs through the uplink port, is called a link segment. Of the five segments permitted on a 10Base-T LAN, only three of these can be mixing segments. This guideline, stating that you can connect up to five segments using four repeaters and that no more than three of the segments can be mixing segments, is known as the Ethernet 5-4-3 rule.
Stackable Hubs
As you move up the scale of hub size and complexity, you find units called stackable hubs that provide greater expandability. As the name implies, these hubs have cases designed to stack one on top of the other, but this is not the only difference. Unlike stand-alone hubs, which can be located in different rooms or floors and still connected together, stackable hubs are typically located in a data center or wiring closet and are connected together with short cables.
When you connect stackable hubs, they form what is functionally a single larger hub. The cables connecting the units do not form separate segments, so you can have more than four hubs interconnected. In addition, these devices can share their capabilities. A single intelligent hub unit can manage its own ports, as well as those of all the other units in the array.
Stackable hubs have their own power supplies and can function independently, thus providing a much more expandable environment than stand-alone hubs. You can start with a single unit, without incurring the major expense of a chassis (like that used by modular hubs), and connect additional units as the network grows.
Modular Hubs
Modular hubs are designed to support the larger networks and provide the greatest amount of expandability and flexibility. A modular hub consists of a chassis that is nearly always mounted in a standard 19-inch equipment rack and contains several slots into which you plug individual communications modules. The chassis provides a common power source for all the modules, as well as a backplane that enables them to communicate with each other. The modules contain the ports to which you connect the computer cables. When you plug multiple modules into the chassis, they become, in effect, a single large hub.
Bridges
A bridge is another device used to connect LAN cable segments, but unlike hubs, bridges operate at the data link layer of the OSI model and are selective about the packets that pass through them. Repeaters and hubs are designed to propagate all the network traffic they receive to all of the connected cable segments. A bridge has two or more network interfaces (complete with their own MAC addresses) with their ports connected to different cable segments and operating in promiscuous mode.
NOTE If a computer is in promiscuous mode, it could mean the network or that computer has been accessed illegally.
Promiscuous mode means that the interfaces receive all of the packets transmitted on the connected segments. As each packet enters the bridge, the device reads its destination address in the data link layer protocol header and, if the packet is destined for a system on another segment, forwards the packet to that segment. If the packet is destined for a system on the segment from which it arrived, the bridge discards the packet because it has already reached its destination. This process is called packet filtering. Packet filtering is one of the fundamental principles used by network connection devices to regulate network traffic. In this case, the packet filtering is occurring at the data link layer, but it can also occur at the network and transport layers.
Just the ability to read the contents of a packet header elevates a bridge above the level of a hub or repeater, both of which deal only with individual signals. However, as with a hub or repeater, the bridge makes no changes in the packet whatsoever and is completely unaware of the contents within the data link layer frame. In Chapter 2, the protocol operating at the Open Systems Interconnection (OSI) model's data link layer was compared to a postal system, in which each packet is a piece of mail and the data link layer frame functions as the envelope containing the data generated by the upper layers. To extend that analogy, the bridge is able to read the addresses on the packet envelopes, but it cannot read the letters inside. As a result, you don't have to consider the protocols running at the network layer and above at all when evaluating or installing bridges.
By using packet filtering, the bridge reduces the amount of excess traffic on the network by not propagating packets needlessly. Broadcast messages are forwarded to all of the connected segments, however, making it possible to use protocols that rely on broadcasts without manual system configuration. Unlike a repeater or hub, however, a bridge does not relay data to the connected segments until it has received the entire packet. (Remember, hubs and repeaters work with signals, while bridges work with packets.) Because of this, two systems on bridged segments can transmit simultaneously without incurring a collision. Thus, a bridge connects network segments in such a way as to keep them in the same broadcast domain but in different collision domains. The segments are still considered to be part of the same LAN, however.
If, for example, you have a LAN that is experiencing diminished performance because of high levels of traffic, you can split it into two segments by inserting a bridge at the midpoint. This will keep the local traffic generated on each segment local and still permit broadcasts and other traffic intended for the other segment to pass through. On an Ethernet network, reducing traffic in this way also reduces the number of collisions, which further increases the network's efficiency. Bridges also provide the same repeating functions as a hub, enabling you to extend the cable length accordingly.
Bridges have mainly been replaced by routers and switches, which are covered later in this chapter. Today, bridges are used primarily in wireless configurations. See Chapter 6 for information about wireless LANs.
The Spanning Tree Protocol
To address the problem of endless loops and broadcast storms on networks with redundant bridging, the Digital Equipment Corporation devised the spanning tree algorithm (STA), which preserves the fault tolerance provided by the additional bridges, while preventing the endless loops. STA was later revised by the Institute of Electrical and Electronics Engineers (IEEE) and standardized as the 802.1d specification.
The algorithm works by selecting one bridge for each network segment that has multiple bridges available. This designated bridge takes care of all the packet filtering and forwarding tasks for the segment. The others remain idle but stand ready to take over should the designated bridge fail.
During this selection process, each bridge is assigned a unique identifier (using one of the bridge's MAC addresses, plus a priority value), as is each individual port on each bridge (using the port's MAC address). Each port is also associated with a path cost, which specifies the cost of transmitting a packet onto the LAN using that port. Path costs typically can be specified by an administrator when a reason exists to prefer one port over another, or they can be left to default values.
Once all the components have been identified, the bridge with the lowest identifier becomes the root bridge for the entire network. Each of the other bridges then determines which of its ports can reach the root bridge with the lowest cost (called the root path cost) and designates it as the root port for that bridge.
Finally, for each network segment, a designated bridge is selected, as well as a designated port on that bridge. Only the designated port on the designated bridge is permitted to filter and forward the packets for that network segment. The other (redundant) bridges on that segment remain operative—in case the designated bridge should fail—but are inactive until they are needed. Now that only one bridge is operating on each segment, packets can be forwarded without loops forming.
To perform these calculations, bridges must exchange messages among themselves, using a message format defined in the 802.1d standard (see Figure 4-3). These messages are called bridge protocol data units (BPDUs).
Figure 4-3 The format of the data message used when computing the spanning tree protocol algorithm
For each criterion, a lower value is better than a higher one. If a bridge receives a BPDU message with better values than those in its own messages, it stops transmitting BPDUs over the port through which it arrived—in effect relinquishing its duties to the bridge better suited for the job. The bridge also uses the values in that incoming BPDU to recalculate the fields of the messages it will send through the other ports.
NOTE The spanning tree algorithm must complete before the bridges begin forwarding any network traffic.
Once the spanning tree algorithm has designated a bridge for each network segment, it must also continue to monitor the network so that the process can begin again when a bridge fails or goes offline. All of the bridges on the network store the BPDUs they've received from the other bridges and track their ages. Once a message exceeds the maximum allowable age, it is discarded and the spanning tree message exchanges begin again.
Today, a variation of STP called Rapid Spanning Tree Protocol (RSTP) is recommended and has been added as IEEE 802.1w, which has become the standard. The convergence time for legacy STP (IEEE 802.1d), which is the gap when network bridges and switches are not forwarding any traffic, is about 30 to 50 seconds. In modern networks, this convergence time gap issue is unacceptable. RSTP (IEEE 802.1w) addresses the problem. This new standard enables root ports and designated ports to forward traffic in a few seconds.
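The root election, root-port and designated-port selection described above, worked through as a BPDU exchange on a small constructed topology. This is an added example, not code from the book: the bridge names, MAC addresses, path costs and the three-segment triangle are all made up, and the BPDU is modelled as the tuple (root ID, root path cost, sender bridge ID, sender port), compared field by field with lower winning. Removing the root bridge from the list and rerunning shows the recomputation that follows a bridge failure.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # compared first; lower is better
    mac: str        # MAC as a hex string; lexical order matches numeric order here


class Bridge:
    def __init__(self, name, priority, mac, ports):
        self.name = name
        self.bid = BridgeId(priority, mac)
        self.ports = ports            # {port_number: (segment_name, path_cost)}
        self.root = self.bid          # every bridge starts out believing it is the root
        self.root_cost = 0
        self.root_port = None
        self.roles = {}

    def bpdu(self, port):
        """Configuration BPDU as a comparable tuple; a lower value is better in every field."""
        return (self.root, self.root_cost, self.bid, port)


def bpdus_on_wire(bridges):
    """What each segment would hear: every bridge sends its BPDU on every port."""
    wire = {}
    for bridge in bridges:
        for port, (segment, _cost) in bridge.ports.items():
            wire.setdefault(segment, []).append((bridge.bpdu(port), bridge))
    return wire


def run_spanning_tree(bridges, max_rounds=50):
    """Exchange BPDUs until no bridge changes its view, then assign port roles.
    Returns (root bridge name, {(bridge name, port): 'root'|'designated'|'blocked'})."""
    wire = bpdus_on_wire(bridges)
    for _ in range(max_rounds):
        wire = bpdus_on_wire(bridges)
        changed = False
        for bridge in bridges:
            best, best_port = (bridge.bid, 0, bridge.bid, 0), None   # "I am the root"
            for port, (segment, cost) in bridge.ports.items():
                for (root, root_cost, sender_id, sender_port), sender in wire[segment]:
                    if sender is bridge:
                        continue
                    # the path cost of the receiving port is added to the advertised cost
                    candidate = (root, root_cost + cost, sender_id, sender_port)
                    if candidate < best:
                        best, best_port = candidate, port
            new_state = (best[0], best[1], best_port)
            if new_state != (bridge.root, bridge.root_cost, bridge.root_port):
                bridge.root, bridge.root_cost, bridge.root_port = new_state
                changed = True
        if not changed:
            break
    for bridge in bridges:
        for port, (segment, _cost) in bridge.ports.items():
            if port == bridge.root_port:
                role = "root"
            else:
                # designated only if this bridge's own BPDU beats every rival on the segment
                rivals = [bpdu for bpdu, sender in wire[segment] if sender is not bridge]
                role = "designated" if all(bridge.bpdu(port) < r for r in rivals) else "blocked"
            bridge.roles[port] = role
    root_bridge = min(bridges, key=lambda b: b.bid)
    return root_bridge.name, {(b.name, p): r for b in bridges for p, r in b.roles.items()}


def sample_topology(b3_priority=32768):
    """Constructed triangle: segments A, B, C, each joined by two of three bridges."""
    return [
        Bridge("B1", 32768, "00:00:0c:00:00:01", {1: ("A", 19), 2: ("B", 19)}),
        Bridge("B2", 32768, "00:00:0c:00:00:02", {1: ("A", 19), 2: ("C", 19)}),
        Bridge("B3", b3_priority, "00:00:0c:00:00:03", {1: ("B", 19), 2: ("C", 19)}),
    ]


if __name__ == "__main__":
    root, roles = run_spanning_tree(sample_topology())
    print("root:", root)
    for (name, port), role in sorted(roles.items()):
        print(f"  {name} port {port}: {role}")
    # the root bridge fails: the survivors recompute and a new root is chosen
    root, roles = run_spanning_tree([b for b in sample_topology() if b.name != "B1"])
    print("after B1 fails, root:", root, roles)
```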
Transparent Bridging
To filter the packets reaching it effectively, a bridge has to know which systems are located on which network segments so it can determine which packets to forward and which to discard. The bridge stores this information in an address table that is internal to the unit. Originally, network administrators had to create the address table for a bridge manually, but today's bridges compile the address table automatically, a process called transparent bridging.
As soon as a transparent bridge (also known as a learning bridge) is connected to the network segments, it begins to compile its address table. By reading the source addresses in the arriving packets and noting the interface over which they arrived, the bridge can build a table of node addresses for each segment connected to it.
To illustrate, picture a network composed of three segments (A, B, and C), all connected to a local bridge, as shown in Figure 4-4. When the bridge is first activated, it receives a packet from Node 1 over the interface to Network A that is destined for Node 2 on Network B. Because the bridge now knows Node 1 is located on Network A, it creates an entry in its table for Network A that contains Node 1's MAC address.
Figure 4-4 A transparent bridge forwards packets based on address tables it compiles from previously transmitted packets.
At this time, the bridge has no information about Node 2 and the segment on which it's located, so it transmits its packet out to Networks B and C—that is, all of the connected segments except the one from which the packet arrived. This is the default behavior of a bridge whenever it receives a packet destined for a system not in its tables. It transmits the packet over all of the other segments to ensure that it reaches its destination.
Once Node 2 receives the packet, it transmits a reply to Node 1. Because Node 2 is located on Network B, its reply packet arrives at the bridge over a different interface. Now the bridge can add an entry to its table for Network B containing Node 2's address. On examining the packet, the bridge looks for the destination address in its tables and discovers that the address belongs to Node 1, on Network A. The bridge then transmits the packet over the interface to Network A only.
From this point on, when any other system on Network A transmits a packet to Node 1, the bridge knows to discard it because there is no need to pass it along to the other segments. However, the bridge still uses those packets to add the transmitting stations to its address table for Network A.
Eventually, the bridge will have address table entries for all the nodes on the network, and it can direct all of the incoming packets to the appropriate outgoing ports.
Bridge Loops
When the segments of a network are connected using bridges, the failure or malfunction of a bridge can be catastrophic. For this reason, administrators often connect network segments with redundant bridges to ensure that every node can access the entire network, even if a bridge should fail.
In Figure 4-5, three segments are connected by two bridges. If one of the bridges fails, one of the segments is cut off from the rest of the network. To remedy this problem and to provide fault tolerance, you can add a third bridge connecting the two end segments, as shown in Figure 4-6. This way, each system always has two possible paths to the other segments.
Figure 4-5 When each segment is connected to the others using one bridge, a single point of failure is created.
Figure 4-6 Connecting each segment to two bridges provides fault tolerance.
Installing redundant bridges can be a good idea, but it also produces what can be a serious problem. When a computer (Node 1) is located on a segment connected to two bridges, as shown in Figure 4-7, both of the bridges will receive the first packet the system transmits and add the machine's address to their tables for that segment, Network A. Both bridges will then transmit the same packet onto the other segment, Network B. As a result, each bridge will then receive the packet forwarded by the other bridge. The packet headers will still show the address of Node 1 as the source, but both bridges will have received the packet over the Network B interface. As a result, the bridges may (or may not) modify their address tables to show Node 1 as being on Network B, not A. If this occurs, any subsequent transmissions from Node 2 on Network B that are directed to Node 1 will be dropped because the bridges think Node 1 is on Network B, when it is, in fact, on A.
Figure 4-7 Redundant bridges provide fault tolerance, but they can also create bridging loops and broadcast storms.
The result of this occurrence is lost data (because the bridges are improperly dropping frames) and degraded network performance. Eventually, the incorrect entries in the bridges' address tables will expire or be modified, but in the interim, Node 1 is cut off from the systems on the other network segments.
If this problem isn't bad enough, what happens when Node 1 transmits a broadcast message is worse. Both of the bridges forward the packet to Network B, where it is received by the other bridge, which forwards it again. Because bridges always forward broadcast packets without filtering them, multiple copies of the same message circulate endlessly between the two segments, constantly being forwarded by both bridges. This is called a broadcast storm, and it can effectively prevent all other traffic on the network from reaching its destination.
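The learning-bridge behaviour from the Transparent Bridging section (learn the source, flood unknown destinations, filter frames that are already on their segment) and the table corruption and broadcast storm from the Bridge Loops section, simulated together. This is an added example, not code from the book: the MAC addresses and the A/B/C segment layout are constructed, and a frame is delivered segment by segment until a delivery cap is reached, so a result that hits the cap is the simulation's way of reporting "still circulating".

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# constructed station addresses: Node 1, Node 2, and a third station on Network A
N1, N2, N3 = "00:10:5a:00:00:01", "00:10:5a:00:00:02", "00:10:5a:00:00:03"


class Bridge:
    """Transparent (learning) bridge: ports map to segment names, the table maps MAC -> port."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports      # {port_number: segment_name}
        self.table = {}         # MAC address -> port it was last seen arriving on

    def receive(self, src, dst, in_port):
        """Return the ports to forward on; an empty list means the frame is discarded."""
        self.table[src] = in_port                      # learn from the source address
        if dst == BROADCAST or dst not in self.table:  # broadcast or unknown: flood
            return [p for p in self.ports if p != in_port]
        if self.table[dst] == in_port:                 # destination is on the arriving segment
            return []                                  # filtering
        return [self.table[dst]]


class Lan:
    def __init__(self, bridges, stations):
        self.bridges = bridges
        self.stations = stations    # {MAC: segment the station is attached to}

    def send(self, src, dst, max_deliveries=50):
        """Inject one frame; return the segments it was delivered on, in order.
        Every bridge with a port on a segment hears each delivery there, except the
        bridge that transmitted it.  A result as long as max_deliveries means the
        frame was still circulating when the simulation stopped."""
        queue = deque([(self.stations[src], None)])    # (segment, bridge that transmitted)
        delivered = []
        while queue and len(delivered) < max_deliveries:
            segment, sender = queue.popleft()
            delivered.append(segment)
            for bridge in self.bridges:
                if bridge is sender:
                    continue
                for port, seg in bridge.ports.items():
                    if seg == segment:
                        for out in bridge.receive(src, dst, port):
                            queue.append((bridge.ports[out], bridge))
        return delivered


def single_bridge_demo():
    """The Figure 4-4 walk-through: one bridge, segments A, B and C."""
    b1 = Bridge("B1", {1: "A", 2: "B", 3: "C"})
    lan = Lan([b1], {N1: "A", N2: "B", N3: "A"})
    first = lan.send(N1, N2)    # N2 unknown: flooded to B and C
    reply = lan.send(N2, N1)    # N1 now known on port 1: forwarded to A only
    local = lan.send(N3, N1)    # both on A: filtered, never leaves segment A
    return first, reply, local, dict(b1.table)


def redundant_bridge_demo():
    """The Figure 4-7 problem: two bridges both joining Network A to Network B."""
    b1 = Bridge("B1", {1: "A", 2: "B"})
    b2 = Bridge("B2", {1: "A", 2: "B"})
    lan = Lan([b1, b2], {N1: "A", N2: "B"})
    # Stop after three deliveries: N1's frame on A, then B1's and B2's copies on B.
    # Each bridge hears the other's copy on its B port and moves N1 to port 2.
    first = lan.send(N1, N2, max_deliveries=3)
    n1_port = (b1.table[N1], b2.table[N1])
    reply = lan.send(N2, N1)    # both bridges now "know" N1 is on B: the reply is dropped
    storm = lan.send(N1, BROADCAST, max_deliveries=100)   # never stops on its own
    return first, n1_port, reply, storm


if __name__ == "__main__":
    print("single bridge:", single_bridge_demo())
    first, n1_port, reply, storm = redundant_bridge_demo()
    print("redundant bridges: first frame on", first, "N1 learned on ports", n1_port)
    print("reply to N1 reached only", reply, "; broadcast deliveries:", len(storm))
```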
Source Route Bridging
Source route bridging is an alternative to transparent bridging that was developed by IBM for use on multisegment Token Ring networks and is standardized in IEEE 802.5. On a network that uses transparent bridging, the path a packet takes to a destination on another segment is determined by the designated bridges selected by the spanning tree algorithm. In source route bridging, the path to the destination system is determined by the workstation and contained in each individual packet.
To discover the possible routes through the network to a given destination, a Token Ring system transmits an All Rings Broadcast (ARB) frame that all the bridges forward to all connected rings. As each bridge processes the frame, it adds its route designator (RD), identifying the bridge and port, to the packet. By reading the list of RDs, bridges prevent loops by not sending the packet to the same bridge twice.
If more than one route exists to the destination system, multiple ARBs will arrive there, containing information about the various routes they took. The destination system then transmits a reply to each of the ARBs it receives, using the list of RDs to route the packet back to the sender.
When the original sender of the ARBs receives the responses, it selects one of the routes to the destination as the best one, based on one or more of the following criteria:
• The amount of time required for the explorer frame to return to the sender
• The number of hops between the source and the destination
• The size of the frame the system can use
After selecting one of the routes, the system generates its data packets and includes the routing information in the Token Ring frame header.
The format for the ARB packet and for a data packet containing routing information is the same as a standard IEEE 802.5 frame, except that the first bit of the source address field, called the routing information indicator (RII) bit, is set to a value of 1, indicating that the packet contains routing information. The routing information itself, which is nothing more than a list of the bridges the packet will use when traveling through the network, is carried through the routing information field (RIF) that appears as part of the information field, just after the frame's source address field.
The RIF consists of a 2-byte routing control section and a number of 2-byte route designator sections. The routing control section contains the following fields:
• Broadcast indicators (3 bits) Specify the type of routing to be used by the frame, according to the following values:
  • Nonbroadcast Indicates that the packet contains a specific route to the destination in the route designator sections of the RIF field.
  • 100: All routes broadcast Indicates that the packet should be routed through all the bridges on the network (without traversing the same bridge twice) and that each bridge should add a route designator section to the RIF field identifying the bridge and the port onto which it is being forwarded.
  • 110: Single route broadcast Indicates that the packet should be routed only through the bridges designated by the spanning tree algorithm and that each bridge should add a route designator section to the RIF field identifying the bridge and the port onto which it is being forwarded.
• Length (5 bits) Indicates the total length of the RIF field, from 2 to 30 bytes.
• Direction bit (1 bit) Specifies the direction in which the packet is traveling. The value of this bit indicates whether the transmitting node should read the route designator sections in the RIF field from left to right (0) or from right to left (1).
• Largest frame (3 bits) Indicates the largest frame size that can be accommodated by the route, called the maximum transfer unit (MTU). Initially set by the transmitting system, a bridge lowers this value if it forwards the packet onto a segment that supports only smaller frames. The permitted values are as follows:
  • 000 indicates a MAC MTU of 552 bytes
  • 001 indicates a MAC MTU of 1,064 bytes
  • 010 indicates a MAC MTU of 2,088 bytes
  • 011 indicates a MAC MTU of 4,136 bytes
  • 100 indicates a MAC MTU of 8,232 bytes
• Unused (4 bits)
The IBM standard for source route bridging originally specified a maximum of 8 route designator sections in a single packet, but the IEEE 802.5 standard allows up to 14. Each workstation must maintain its own routing information to each of the systems with which it communicates. This can result in a large number of ARB frames being processed by a destination system before it even sees the first byte of application data.
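A parser and builder for the RIF laid out above, as an added example that is not code from the book. The routing control layout follows the field list on the page (broadcast indicators 3 bits, length 5, direction 1, largest frame 3, unused 4) and the length and route designator limits come from the text; two details are taken from IEEE 802.5 rather than from the page and are marked as assumptions in the comments: each 2-byte route designator is split into a 12-bit ring number and a 4-bit bridge number, and a leading 0 in the broadcast indicators means nonbroadcast. The RIF bytes used are constructed.

```python
import struct

# Largest-frame codes listed on the page; codes 101 to 111 are not listed there, so they
# decode to None rather than to a guessed size.
LARGEST_FRAME = {0b000: 552, 0b001: 1064, 0b010: 2088, 0b011: 4136, 0b100: 8232}


class RifError(ValueError):
    """A RIF that a receiving station or bridge should reject rather than act on."""


def has_routing_info(source_address):
    """RII bit: the first transmitted bit of the source address.  Token Ring sends the
    high-order bit first, so that is bit 0x80 of the first byte."""
    return bool(source_address[0] & 0x80)


def parse_rif(data, max_designators=14):
    """Decode a RIF.  max_designators=14 is the IEEE 802.5 limit, 8 the original IBM one."""
    if len(data) < 2:
        raise RifError("RIF needs at least the 2-byte routing control section")
    control = struct.unpack(">H", data[:2])[0]
    broadcast = control >> 13              # bits 15..13: broadcast indicators
    length = (control >> 8) & 0x1F         # bits 12..8: total RIF length in bytes
    direction = (control >> 7) & 1         # bit 7: direction bit
    largest = (control >> 4) & 0x7         # bits 6..4: largest frame
    if length < 2 or length > 30 or length % 2:
        raise RifError(f"invalid RIF length {length}")
    if length > len(data):
        raise RifError(f"RIF length {length} exceeds the {len(data)} bytes available")
    designators = []
    for offset in range(2, length, 2):
        rd = struct.unpack(">H", data[offset:offset + 2])[0]
        designators.append((rd >> 4, rd & 0xF))   # (ring, bridge): 12/4 split from 802.5
    if len(designators) > max_designators:
        raise RifError(f"{len(designators)} route designators exceed limit {max_designators}")
    if direction:                                 # 1: read the designators right to left
        designators.reverse()
    if broadcast & 0b100 == 0:
        kind = "nonbroadcast"                     # leading 0 = specific route (802.5)
    elif broadcast == 0b100:
        kind = "all routes broadcast"
    elif broadcast == 0b110:
        kind = "single route broadcast"
    else:
        kind = "reserved"
    return {"kind": kind, "length": length, "direction": direction,
            "largest_frame": LARGEST_FRAME.get(largest), "designators": designators}


def build_rif(broadcast, direction, largest_code, designators):
    """Encode a RIF from its fields; the inverse of parse_rif for a left-to-right list."""
    length = 2 + 2 * len(designators)
    control = (broadcast << 13) | (length << 8) | (direction << 7) | (largest_code << 4)
    body = b"".join(struct.pack(">H", (ring << 4) | bridge) for ring, bridge in designators)
    return struct.pack(">H", control) + body


def rejects(data, **kwargs):
    """True if parse_rif refuses the given bytes."""
    try:
        parse_rif(data, **kwargs)
    except RifError:
        return True
    return False


if __name__ == "__main__":
    # constructed explorer: all routes broadcast, ring 1 -> bridge 1 -> ring 2 -> bridge 2 -> ring 3
    explorer = build_rif(0b100, 0, 0b011, [(1, 1), (2, 2), (3, 0)])
    print(explorer.hex(), parse_rif(explorer))
    # the destination's reply reuses the designators with the direction bit set
    print(parse_rif(build_rif(0b000, 1, 0b011, [(1, 1), (2, 2), (3, 0)])))
```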
Bridging Ethernet and Token Ring Networks
Generally speaking, Ethernet networks use transparent bridging, and Token Ring networks use source route bridging. So, what happens when you want to connect an Ethernet segment to a Token Ring using a bridge? The answer is complicated because the task presents a number of significant obstacles.
Some of the fundamental incompatibilities of the two data link layer protocols are as follows:
• Bit ordering Ethernet systems consider the first bit of a MAC address to be the low-order bit, while Token Ring systems treat the first bit as the high-order bit.
• MTU sizes Ethernet frames have a maximum transfer unit size of 1,500 bytes, while Token Ring frames can be much larger. Bridges are not capable of fragmenting packets for transfer over a segment with a lower MTU and then reassembling them at the destination, like routers are. A too-large packet arriving at a bridge to a segment with a smaller MTU can only be discarded.
• Exclusive Token Ring features Token Ring networks use frame status bits, priority indicators, and other features that have no equivalent in Ethernet.
In addition, the two bridging methods have their own incompatibilities. Transparent bridges neither understand the special function of the ARB messages used in source route bridging nor can they make use of the RIF field in Token Ring packets. Conversely, source route bridges do not understand the spanning tree algorithm messages generated by transparent bridges, and they do not know what to do when they receive frames with no routing information.
Two primary methods exist for overcoming these incompatibilities, neither of which is an ideal solution:
• Translational bridging
• Source route transparent bridging
Translational Bridging
In translational bridging, a special bridge translates the data link layer frames between the Ethernet and Token Ring formats. No standard at all exists for this process, so the methods used by individual product manufacturers can vary widely. Some compromise is needed in the translation process because no way exists to implement all the features fully in each of the protocols and to bridge those features to its counterpart. Some of the techniques used in various translational bridges to overcome the incompatibilities are described in the following paragraphs.
One of the basic functions of the bridge is to map the fields of the Ethernet frame onto the Token Ring frame and vice versa. The bridge reverses the bit order of the source and destination addresses for the packets passing between the segments and may or may not take action based on the values of a Token Ring packet's frame status, priority, reservation, and monitor bits. Bridges may simply discard these bits when translating from Token Ring to Ethernet and set predetermined values for them when translating from Ethernet to Token Ring.
To deal with the different MTU sizes of the network segments, a translation bridge can set the largest frame value in the Token Ring packet's RIF field to the MTU for the Ethernet network (1,500 bytes). As long as the Token Ring implementations on the workstations read this field and adjust their frame sizes accordingly, no problem should occur, but any frames larger than the MTU on the Ethernet segments will be dropped by the bridge connecting the two networks.
The biggest difference between the two types of bridging is that, on Ethernet networks, the routing information is stored in the bridges, while on Token Ring networks, it's stored at the workstations. For the translational bridge to support both network types, it must appear as a transparent bridge to the Ethernet side and a source route bridge to the Token Ring side.
To the Token Ring network, the translational bridge has a ring number and bridge number, just like a standard source route bridge. The ring number, however, represents the entire Ethernet domain, not just the segment connected to the bridge. As packets from the Token Ring network pass through the bridge, the information from their RIF fields is removed and cached in the bridge. From that point on, standard transparent bridging gets the packets to their destinations on the Ethernet network.
When a packet generated by an Ethernet workstation is destined for a system on the Token Ring network, the translational bridge looks up the system in its cache of RIF information and adds an RIF field to the packet containing a route to the network, if possible. If no route is available in the cache or if the packet is a broadcast or multicast, the bridge transmits it as a single-route broadcast.
Source Route Transparent Bridging
IBM has also come up with a proposed standard that combines the two primary bridging technologies, called source route transparent (SRT) bridging. This technology is standardized in Appendix C of the IEEE 802.1d document. SRT bridges can forward packets originating on either source route bridging or transparent bridging networks, using a spanning tree algorithm common to both. The standard spanning tree algorithm used by Token Ring networks for single-route broadcast messages is incompatible with the algorithm used by Ethernet, as defined in the 802.1d specification. This appendix reconciles the two.
SRT bridges use the value of the RII bit to determine whether a packet contains RIF information and, consequently, whether it should use source route or transparent bridging. The mixing of the two technologies is not perfect, however, and network administrators may find it easier to connect Ethernet and Token Ring segments with a switch or a router rather than either a translational or SRT bridge.
Routers
In the previous sections, you learned how repeaters, hubs, and bridges can connect network segments at the physical and data link layers of the OSI model, creating a larger LAN with a single collision domain. The next step up in the network expansion process is to connect two completely separate LANs at the network layer. This is the job of a router. Routers are more selective than bridges in the traffic they pass between the networks, and they are capable of intelligently selecting the most efficient path to a specific destination.
Because they function at the network layer, routers can also connect dissimilar networks. You can, for example, connect an Ethernet network to a Token Ring network because packets entering a router are stripped of their data link layer protocol headers as they pass up the protocol stack to the network layer. This leaves a protocol data unit (PDU) encapsulated using whatever network layer protocol is running on the computer. After processing, the router then encapsulates the PDU in a new data link layer header using whatever protocol is running on the other network to which the router is connected.
Routers are used for both home and business networks. If, for example, you use your home computer to dial into your system at work and access resources on the office network, your work computer is functioning as a router. In the same way, if you share an Internet connection with systems on a LAN, the machine connected to the Internet is a router. A router, therefore, can be either a hardware or a software entity, and it can range from the simple to the extraordinarily complex.
Routers are protocol specific; they must support the network layer protocol used by each packet. By far, the most common network layer protocol in use today is the Internet Protocol (IP), which is the basis for the Internet and for most private networks.
A computer that is connected to two or more networks is said to be a multihomed system. Most Windows systems today function as routers as well. Whether wired or wireless, network routers work at the network layer of the OSI model.
Most of the routers used on large networks, though, are stand-alone devices that are essentially computers dedicated to routing functions. Routers come in various sizes, from small units that connect a workgroup network to a backbone to large, modular, rack-mounted devices. However, while routers vary in their capabilities, such as the number of networks to which they connect, the protocols they support, and the amount of traffic they can handle, their basic functions are essentially the same.
Router Applications
Although the primary function of a router is to connect networks and pass traffic between them, routers can fulfill several different roles in network designs. The type of router used for a specific function determines its size, cost, and capabilities. The simplest type of routing architecture is when a LAN must be connected to another LAN some distance away, using a wide area network (WAN) connection. A branch office for a large corporation, for example, might have a WAN connection to the corporate headquarters in another city (see Figure 4-8).
Figure 4-8 Wired and wireless routers enable the use of wide area connections to join two LANs.
To make communications between the networks in the two offices possible, each must connect its LAN to a router, and the two routers are linked by the WAN connection. The WAN connection may take the form of a leased telephone line, an Integrated Services Digital Network (ISDN) connection, or a digital subscriber line (DSL) connection. The technology used to connect the two networks is irrelevant, as long as the routers in both offices are connected. Routers are required in this example because the LAN and WAN technologies are fundamentally incompatible. You can't run an Ethernet connection between two cities, nor can you use leased telephone lines to connect each workstation to the file server in the next room.
In a slightly more complicated arrangement, a site with a larger network may have several LANs, each of which is connected to a backbone network using a router. Here, routers are needed because one single LAN may be unable to support the number of workstations required. In addition, the individual LANs may be located in other parts of a building or in separate buildings on the same campus and may require a different type of network to connect them. Connections between campus buildings, for example, require a network medium that is suitable for outdoor use, such as fiber-optic cable, while the LANs in each building can use less expensive copper cabling. Routers are available that can connect these different network types, no matter what protocols they use.
These two examples of router use are often combined. A large corporate network using a backbone to connect multiple LANs will almost certainly want to be connected to the Internet. This means that another router is needed to support some type of WAN connection to an Internet service provider (ISP). Users anywhere on the corporate network can then access Internet services.
Both of these scenarios use routers to connect a relatively small number of networks, and they are dwarfed by the Internet, which is a routed network composed of thousands of networks all over the world. To make it possible for packets to travel across this maze of routers with reasonable efficiency, a hierarchy of routers leads from smaller, local ISPs to regional providers, which in turn get their service from large national services (see Figure 4-9). Traffic originating from a system using a small ISP travels up through this virtual tree to one of the main backbones, across the upper levels of the network, and back down again to the destination.
Figure 4-9 A hierarchy of routers helps you forward traffic to any location using the Internet.
You can see the route that packets take from your computer through the Internet to a specific destination by using the Traceroute utility. The Windows command is tracert. This command-line utility takes the IP address or DNS name you specify and uses Internet Control Message Protocol (ICMP) messages to display the names and addresses of all the intermediate routers on the path to the destination. (Windows tracert sends ICMP Echo Request probes; the traceroute command on Unix and Linux systems sends UDP probes by default, but both rely on the same ICMP Time Exceeded replies from each router, described later in this chapter.) A typical Traceroute display generated by a Windows 8 system appears in Figure 4-10.
Figure 4-10 A typical Traceroute in Windows 8.
Router Functions
The basic function of a router is to evaluate each packet arriving on one of the networks to which it is connected and send it on to its destination through another network. The goal is for the router to select the network that provides the best path to the destination for each packet. A packet can pass through several different routers on the way to its destination. Each router on a packet's path is referred to as a hop, and the object is to get the packet where it's going with the smallest number of hops. On a private network, a packet may need three or four (or more) hops to get to its destination. On the Internet, a packet can easily pass through 20 or more routers along its path.
A router, by definition, is connected to two or more networks. The router has direct knowledge about those networks for the protocols that it supports. If, for example, a workstation on Network 1 (see Figure 4-11) transmits a packet to a system on Network 2, the router connecting Networks 1, 2, and 3 can directly determine which of the two networks (2 or 3) contains the destination system and forward the packet appropriately.
Figure 4-11 Routers have direct knowledge about the networks to which they are connected.
Routing Tables
The router forwards packets by maintaining a list of networks and hosts, called a routing table. For computers to communicate over a network, each machine must have its own address. In addition to identifying the specific computer, however, its address must identify the network on which it's located. On TCP/IP networks, for example, the standard 32-bit IPv4 address consists of a network identifier and a host identifier. A routing table consists of entries that contain the network identifier for each connected network (or in some cases the network and host identifiers for specific computers). When the router receives a packet addressed to a workstation on Network 3, it looks at the network identifier in the packet's destination address, compares it to the routing table, and forwards it to the network with the same identifier.
This is a rather simple task, as long as the router is connected to all of the LANs on the network. When a network is larger and uses multiple routers, however, no single router has direct knowledge of all the LANs. In Figure 4-12, Router A is connected to Networks 1, 2, and 3 as before and has the identifiers for those networks in its routing table, but it has no direct knowledge of Network 4, which is connected using another router.
Figure 4-12 Router A has no direct knowledge of Network 4 because it is connected to a different router.
How then does Router A know where to send packets that are addressed to a workstation on a distant network? The answer is that routers maintain information in their routing tables about other networks besides those to which they are directly attached. A routing table may contain information about many different networks all over the enterprise. On a private network, it is not uncommon for every router to have entries for all of the connected networks. On the Internet, however, there are so many networks and so many routers that no single routing table can efficiently list every one of them. Thus, a router connected to the Internet sends packets to another router that it thinks has better information about the network to which the packet is ultimately destined.
Windows Routing Tables
Every computer on a TCP/IP network has a routing table, even if it is connected to only one network. At the very least, the routing table identifies the system's default gateway and instructs it how to handle traffic sent to the local network and the loopback network address (127.0.0.0). A typical routing table for a Windows system appears in Figure 4-13.
Figure 4-13 A typical routing table in a Windows system
To display the routing table in a Windows system, type route print at a command prompt. On Linux, the equivalent is ip route (or route -n on systems that still ship the older net-tools package). You can also use netstat -rn in Windows, Linux, Unix, or Mac OS.
The entries in the table run horizontally. The function of the information in each column is as follows:
• Network address  Specifies the network address for which routing information is to be provided. While most entries have network addresses in this field, it's also possible to supply routing information for a specific host address. This is called a host route.
• Netmask  Specifies the subnet mask used to determine which bits of the network address function as the network identifier.
• Gateway  Specifies the IP address of the gateway (router) the system should use to send packets to the network address. When the entry is for a network to which the system is directly attached, this field contains the address of the system's network interface (newer Windows versions display the word On-link instead).
• Interface  Specifies the IP address of the network interface the system should use to send traffic to the gateway address.
• Metric  Specifies the relative cost of the route to the destination network. Classic routing protocols express it as the number of hops needed for traffic to reach the network address; Windows derives it from the interface's link speed plus the route's own metric, so the number is a preference value rather than a literal hop count. When several entries match a destination equally well, the one with the lowest metric is used.
NOTE TCP/IP and Internet terminology often uses the term gateway synonymously with router. In general networking parlance, a gateway is an application layer interface between networks that involves some form of high-level protocol translation, such as an e-mail gateway or a gateway between a LAN and a mainframe. When a Windows system refers to its "default gateway," however, it is referring to a standard router, operating at the network layer.
Routing Table Parsing
Whether a system is functioning as a router or not, the responsibility of a network layer protocol like IP is to determine where each packet should be transmitted next. The IP header in each packet contains the address of the system that is to be its ultimate destination, but before passing each packet down to the data link layer protocol, IP uses the routing table to determine what the data link layer destination address should be for the packet's next hop. This is because a data link layer protocol like Ethernet can address a packet only to a system on the local network, which may or may not be its final destination. To make this determination, IP reads the destination address for each packet it processes from the IP header and searches for a matching entry in the routing table, using the following procedure:
1. IP first scans the routing table, looking for a host route that exactly matches the destination IP address in the packet. If one exists, the packet is transmitted to the gateway specified in the routing table entry.
2. If no matching host route exists, IP uses the subnet mask to determine the network address for the packet and scans the routing table for an entry that matches that address. If IP finds a match, the packet is transmitted either to the specified gateway (if the system is not directly connected to the destination network) or out the specified network interface (if the destination is on the local network).
3. If no matching network address is in the routing table, IP scans for a default (or 0.0.0.0) route and transmits the packet to the specified gateway.
4. If no default route is in the table, IP returns a destination unreachable message to the source of the packet (either the application that generated it or the system that transmitted it).
Taken together, these steps are a longest-prefix match: a host route is a 32-bit prefix, a network route is shorter, and the default route is a zero-length prefix that matches everything, so the most specific matching entry always wins.
Static and Dynamic Routing
The next logical question concerning the routing process is, how do the entries get into the routing table? A system can generate entries for the default gateway, the local network, and the broadcast and multicast addresses because it possesses all of the information needed to create them. For networks to which the router is not directly connected, however, routing table entries must be created by an outside process. The two basic methods for creating entries in the routing table are called static routing, which is the manual creation of entries, and dynamic routing, which uses an external protocol to gather information about the network.
On a relatively small, stable network, static routing is a practical alternative because you have to create the entries in your routers' tables only once. Manually configuring the routing table on workstations isn't necessary because they typically have only one network interface and can access the entire network through one default gateway. Routers, however, have multiple network interfaces and usually have access to multiple gateways. They must, therefore, know which route to use when trying to transmit to a specific network.
To create static entries in a computer's routing table, you use a program supplied with the operating system. The standard tool for this on Unix and Windows systems is a character-based utility called route (in Unix) or route.exe (in Windows). To create a new entry in the routing table on a Windows computer, for example, you use a command like the following:
ROUTE ADD 192.168.5.0 MASK 255.255.255.0 192.168.2.1 METRIC 2
This command informs the system that to reach a network with the address 192.168.5.0, the system must send packets to a gateway (router) with the address 192.168.2.1, and that the destination network is two hops away. Windows selects the outgoing interface automatically by finding the directly attached network that contains the gateway address; the command fails if no such interface exists. Add the -p switch to make the route persistent across reboots; without it, the entry is lost the next time the system restarts.
In some cases, graphical utilities are available that can perform the same task. For example, a Windows Server 2012 system with its Routing and Remote Access Server service running enables you to create static routes.
Static routes created this way remain in the routing table until you manually change or remove them, and this can be a problem. If a gateway specified in a static route should fail, the system continues to send packets to it, to no avail. You must either repair the gateway or modify the static routes that reference it throughout the network before the systems can function normally again.
On larger networks, static routing becomes increasingly impractical, not only because of the sheer number of routing table entries involved, but also because network conditions can change too often and too quickly for administrators to keep the routing tables on every system current. Instead, these networks use dynamic routing, in which specialized routing protocols share information about the other routers in the network and modify the routing tables accordingly. Once configured, dynamic routing needs little or no maintenance from network administrators because the protocols can create, modify, or remove routing table entries as needed to accommodate changing network conditions. The Internet is totally dependent on dynamic routing because it is constantly changing, and no manual process could possibly keep up with the changes.
Selecting the Most Efficient Route
Many networks, even relatively small ones, are designed with multiple routers that provide redundant paths to a given destination. Thus, while creating a network that consists of several LANs joined in a series by routers would be possible, most use something approaching a mesh topology instead, as shown in Figure 4-14. This way, if any one router should fail, all of the systems can still send traffic to any other system on any network.
Figure 4-14 By interconnecting routers, packets from one computer can travel to a destination computer on another network on a different route.
When a network is designed in this way, another important part of the routing process is selecting the best path to a given destination. The use of dynamic routing on the network typically results in the routers learning every available path to a given network, each with a metric that specifies how many hops are required to reach that network. Most of the time, the efficiency of a particular route is measured by the metric value because each hop involves processing by another router, which introduces a slight delay. When a router has to forward a packet to a network represented by multiple entries in the routing table, it chooses the one with the lower metric.
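The following is an added example, not code from the book, that ties together the routing table columns, the four-step lookup procedure, the ROUTE ADD command, and the lowest-metric rule just described. It builds a Windows-style table for a host whose interface address, subnet (assumed /24), gateway addresses and routes are all constructed for the example, then resolves destinations the way the chapter describes. The interface-selection behaviour of add_static_route mirrors what Windows does when ROUTE ADD is given no IF parameter.

```python
"""Added example (not from the book): a miniature IPv4 forwarding lookup.

Models a Windows-style routing table with the columns described in the
chapter (network address, netmask, gateway, interface, metric), adds static
routes from ROUTE ADD commands, and resolves a destination with the four-step
procedure: host route, network route, default route, else unreachable.  Among
several matching entries the most specific prefix wins; among equally specific
ones the lowest metric wins.  All addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str    # destination network (or host) address
    netmask: str
    gateway: str    # next-hop router; for attached networks, the interface itself
    interface: str  # address of the local interface used to send
    metric: int

    @property
    def prefix(self) -> IPv4Network:
        return IPv4Network(f"{self.network}/{self.netmask}", strict=False)

    @property
    def directly_attached(self) -> bool:
        return self.gateway == self.interface


@dataclass(frozen=True)
class NextHop:
    kind: str       # "host", "network" or "default": which step matched
    address: str    # where the data link layer frame is actually sent
    interface: str


def base_table(interface: str, default_gateway: str) -> List[Route]:
    """Entries a single-homed host generates by itself (subnet assumed /24)."""
    local = IPv4Network(f"{interface}/24", strict=False)
    return [
        Route("0.0.0.0", "0.0.0.0", default_gateway, interface, 25),
        Route("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1", 1),
        Route(str(local.network_address), str(local.netmask), interface, interface, 1),
    ]


def add_static_route(table: List[Route], command: str) -> Route:
    """Parse 'ROUTE ADD <net> MASK <mask> <gateway> [METRIC <n>]'.

    As on Windows, the outgoing interface is the one on the directly attached
    network that contains the gateway; the command fails if there is none.
    """
    tokens = command.upper().split()
    if tokens[:2] != ["ROUTE", "ADD"] or len(tokens) < 6 or tokens[3] != "MASK":
        raise ValueError(f"unsupported command: {command!r}")
    network, netmask, gateway = tokens[2], tokens[4], tokens[5]
    metric = int(tokens[tokens.index("METRIC") + 1]) if "METRIC" in tokens else 1
    gw = IPv4Address(gateway)
    attached = [r for r in table
                if r.directly_attached and r.prefix.prefixlen < 32 and gw in r.prefix]
    if not attached:
        raise ValueError(f"gateway {gateway} is not on a directly attached network")
    route = Route(network, netmask, gateway, attached[0].interface, metric)
    table.append(route)
    return route


def lookup(table: List[Route], destination: str) -> Optional[NextHop]:
    """Steps 1-4 of the routing table parse, expressed as longest-prefix match.

    A host route is a /32, network routes are shorter, and the default route
    is /0, so ranking matches by prefix length reproduces the step order; the
    metric only decides between routes of equal length.  None stands in for
    the destination unreachable result of step 4.
    """
    dst = IPv4Address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))
    kind = {32: "host", 0: "default"}.get(best.prefix.prefixlen, "network")
    # On an attached network the frame goes straight to the destination;
    # otherwise it goes to the gateway, which must itself be on-link.
    address = destination if best.directly_attached else best.gateway
    return NextHop(kind, address, best.interface)


def demo_table() -> List[Route]:
    """Host 192.168.2.10/24 with default gateway 192.168.2.1 (constructed)."""
    table = base_table("192.168.2.10", "192.168.2.1")
    add_static_route(table, "ROUTE ADD 192.168.5.0 MASK 255.255.255.0 192.168.2.1 METRIC 2")
    add_static_route(table, "ROUTE ADD 192.168.5.0 MASK 255.255.255.0 192.168.2.254 METRIC 5")
    add_static_route(table, "ROUTE ADD 192.168.5.7 MASK 255.255.255.255 192.168.2.254 METRIC 9")
    return table


if __name__ == "__main__":
    t = demo_table()
    for dst in ("192.168.2.55", "192.168.5.20", "192.168.5.7", "8.8.8.8"):
        print(dst, "->", lookup(t, dst))
```

Two things worth noticing when running it: the host route for 192.168.5.7 wins even though its metric (9) is the worst in the table, because step 1 runs before any metric comparison, and the two routes to 192.168.5.0 are decided purely by metric, so the one through 192.168.2.1 is used.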
Discarding Packets
The goal of a router is to transmit packets to their destinations using the path that incurs the smallest number of hops. Routers also track the number of hops that packets take on the way to their destinations for another reason. When a malfunction or misconfiguration occurs in one or more routers, it is possible for packets to get caught in a routing loop and be passed endlessly from one router to another.
To prevent this, the IP header contains a Time to Live (TTL) field that the source system gives a certain numerical value when a packet is created. This value is 128 on many systems (Linux uses 64) and cannot start higher than 255 because the field is 8 bits wide. As a packet travels through the network, each router that processes it decrements the value of this field by 1. If, for any reason, the packet passes through enough routers to bring the value of this field down to 0, the last router removes it from the network and discards it. The router then returns an ICMP Time to Live Exceeded in Transit message to the source system to inform it of the problem. Traceroute relies on exactly this behavior: it sends probes with a TTL of 1, then 2, then 3, and so on, and each ICMP Time Exceeded reply reveals the address of one more router along the path.
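As an added example (not the book's code), the simulation below walks a packet through a chain of routers, decrementing TTL at each one, and shows both outcomes the text describes: a routing loop that is cut off when TTL reaches 0, and a traceroute that harvests the resulting Time Exceeded replies. The network is a toy in which each router's table maps a destination host to the next router's address rather than to a prefix; the addresses and the misconfiguration are constructed.

```python
"""Added example (not from the book): how TTL stops a routing loop, and how
traceroute turns the resulting ICMP Time Exceeded replies into a hop list.

The network is a toy: each router holds a table mapping a destination host to
the next router's address (or "direct" when the host is on an attached
network).  Addresses and the misconfiguration are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_TTL = 128   # starting value the chapter cites for many systems (Linux uses 64)
MAX_TTL = 255       # the TTL field is 8 bits wide


@dataclass
class Router:
    address: str            # address this router reports in ICMP messages
    table: Dict[str, str]   # destination host -> next-hop router address or "direct"


Network = Dict[str, Router]   # router address -> router


@dataclass(frozen=True)
class Result:
    status: str     # "delivered", "time-exceeded" or "net-unreachable"
    reporter: str   # the system that produced the result (router or destination)
    hops: int       # number of routers that processed the packet


def forward(net: Network, first_hop: str, dst: str, ttl: int) -> Result:
    """Carry one packet from the source's first-hop router until it is
    delivered, discarded for TTL = 0, or found to be unroutable."""
    if not 1 <= ttl <= MAX_TTL:
        raise ValueError("TTL must be between 1 and 255")
    current, hops = first_hop, 0
    while True:
        router = net[current]
        hops += 1
        ttl -= 1                  # every router decrements TTL by one
        if ttl == 0:
            # The router discards the packet and sends ICMP Time Exceeded
            # (TTL exceeded in transit) back to the source.
            return Result("time-exceeded", router.address, hops)
        nxt = router.table.get(dst)
        if nxt is None:
            # No route: ICMP Destination Unreachable, network unreachable.
            return Result("net-unreachable", router.address, hops)
        if nxt == "direct":
            return Result("delivered", dst, hops)
        current = nxt


def traceroute(net: Network, first_hop: str, dst: str, max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    path: List[str] = []
    for ttl in range(1, max_hops + 1):
        result = forward(net, first_hop, dst, ttl)
        path.append(result.reporter)
        if result.status != "time-exceeded":
            break           # reached the destination, or hit a dead end
    return path


HOST = "10.0.3.9"           # constructed destination address


def build_network() -> Network:
    """R1 -> R2 -> R3 -> HOST (constructed)."""
    return {
        "10.0.0.1": Router("10.0.0.1", {HOST: "10.0.1.1"}),
        "10.0.1.1": Router("10.0.1.1", {HOST: "10.0.2.1"}),
        "10.0.2.1": Router("10.0.2.1", {HOST: "direct"}),
    }


def build_looped_network() -> Network:
    """Same network, but R2 has been misconfigured to point back at R1."""
    net = build_network()
    net["10.0.1.1"] = Router("10.0.1.1", {HOST: "10.0.0.1"})
    return net


if __name__ == "__main__":
    print("path:", traceroute(build_network(), "10.0.0.1", HOST))
    print("loop:", forward(build_looped_network(), "10.0.0.1", HOST, DEFAULT_TTL))
```

With the looped table the packet bounces between R1 and R2 exactly 128 times before R2 discards it, which is the cost a loop imposes on every packet sent into it; without the TTL it would circulate forever.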
Packet Fragmentation
Routers can connect networks of vastly different types, and the process of transferring datagrams from one data link layer protocol to another can require more than simply stripping off one header and applying a new one. The biggest problem that can occur during this translation process is when one protocol supports frames that are larger than the other protocol.
If, for example, a router connects a Token Ring network to an Ethernet one, it may have to accept 4,500-byte datagrams from one network and then transmit them over a network that can carry only 1,500-byte datagrams. Routers determine the maximum transmission unit (MTU) of a particular network by querying the interface to that network. To make this possible, the router has to break up the datagram into fragments of the appropriate size and then encapsulate each fragment in the correct data link layer protocol frame. This fragmentation process may occur several times during a packet's journey from the source to its destination, depending on the number and types of networks involved.
For example, a packet originating on a Token Ring network may be divided into 1,500-byte fragments to accommodate a route through an Ethernet network, and then each of those fragments may themselves be divided into 576-byte fragments for transmission over the Internet. Note, however, that while routers fragment packets, they never defragment them. Even if the 576-byte datagrams are passed to an Ethernet network as they approach their destination, the router does not reassemble them into 1,500-byte datagrams. All reassembly is performed at the network layer of the final destination system. Two details matter in practice: every fragment carries the original datagram's Identification value and an offset expressed in 8-byte units, so each fragment's payload (except the last) must be a multiple of 8 bytes; and if the sender has set the Don't Fragment (DF) flag, the router discards the datagram instead and returns an ICMP Destination Unreachable (Fragmentation Needed) message, which is the mechanism Path MTU Discovery uses to find the largest datagram a path can carry without fragmentation.
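The following added example (not from the book) carries the chapter's 4,500-byte datagram across a 1,500-byte link and then a 576-byte link, showing the 8-byte offset arithmetic, the refragmentation of fragments, the DF case, and reassembly that only the destination performs. A 20-byte header with no options is assumed, and only the header fields that fragmentation needs are modeled; the sizes and Identification value are constructed.

```python
"""Added example (not from the book): IPv4 fragmentation at a router and
reassembly at the destination.

Datagram keeps only the header fields fragmentation needs (Identification,
fragment offset, MF and DF flags, payload length); a 20-byte header with no
options is assumed.  Sizes follow the chapter's Token Ring -> Ethernet ->
576-byte path; the numbers are constructed.
"""
from dataclasses import dataclass, replace
from typing import List

HEADER_LEN = 20   # IPv4 header without options (assumed)


@dataclass(frozen=True)
class Datagram:
    ident: int              # Identification: shared by every fragment of one datagram
    payload_len: int        # bytes carried after the IP header
    offset: int = 0         # fragment offset, in 8-byte units
    more_fragments: bool = False
    dont_fragment: bool = False

    @property
    def total_length(self) -> int:
        return HEADER_LEN + self.payload_len


class FragmentationNeeded(Exception):
    """Stands in for ICMP Destination Unreachable, code 4 (fragmentation
    needed and DF set), which carries the next-hop MTU back to the sender."""
    def __init__(self, mtu: int) -> None:
        super().__init__(f"fragmentation needed, next-hop MTU {mtu}")
        self.mtu = mtu


def fragment(dg: Datagram, mtu: int) -> List[Datagram]:
    """Split one datagram (possibly already a fragment) for a link with this MTU."""
    if dg.total_length <= mtu:
        return [dg]
    if dg.dont_fragment:
        raise FragmentationNeeded(mtu)
    # Offsets are counted in 8-byte units, so every piece but the last must
    # carry a multiple of 8 payload bytes.
    chunk = (mtu - HEADER_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces: List[Datagram] = []
    offset, remaining = dg.offset, dg.payload_len
    while remaining > 0:
        size = min(chunk, remaining)
        last_piece = size == remaining
        # Only the final piece inherits the original MF bit; all others set it.
        pieces.append(replace(dg, payload_len=size, offset=offset,
                              more_fragments=dg.more_fragments or not last_piece))
        offset += size // 8
        remaining -= size
    return pieces


def forward_over(fragments: List[Datagram], mtu: int) -> List[Datagram]:
    """What a router does at each hop: fragment again if needed, never reassemble."""
    out: List[Datagram] = []
    for f in fragments:
        out.extend(fragment(f, mtu))
    return out


def reassemble(fragments: List[Datagram]) -> Datagram:
    """Destination-side reassembly: pieces must share an Identification, be
    contiguous, and end with a fragment whose MF bit is clear."""
    if not fragments:
        raise ValueError("nothing to reassemble")
    ident = fragments[0].ident
    pieces = sorted(fragments, key=lambda f: f.offset)
    expected = 0
    for p in pieces:
        if p.ident != ident:
            raise ValueError("mixed Identification values")
        if p.offset != expected:
            raise ValueError(f"gap before offset {p.offset}")
        expected = p.offset + (p.payload_len + 7) // 8
    if pieces[-1].more_fragments:
        raise ValueError("last fragment missing")
    return Datagram(ident, sum(p.payload_len for p in pieces))


if __name__ == "__main__":
    original = Datagram(ident=0x1234, payload_len=4480)   # a 4,500-byte Token Ring datagram
    on_ethernet = forward_over([original], 1500)
    on_internet = forward_over(on_ethernet, 576)
    print(len(on_ethernet), "fragments at MTU 1500;", len(on_internet), "at MTU 576")
    print("reassembled:", reassemble(on_internet))
```

The 4,480-byte payload becomes four fragments at MTU 1500 (1,480 bytes each plus a 40-byte tail) and ten at MTU 576, because each 1,480-byte piece is re-cut into 552, 552 and 376 bytes; the 60-byte tail already fits. Reassembly is intentionally strict, since a missing or overlapping fragment is exactly the condition a destination must detect rather than guess through.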
Routing and ICMP
The Internet Control Message Protocol provides several important functions to routers and the systems that use them. Chief among these is the capability of routers to use ICMP messages to provide routing information to other systems. Routers send ICMP Redirect messages to source systems when they know of a better route than the system is currently using. For example, if a workstation on Network A sends a packet to Router A that is destined for a computer on Network B, and Router A determines that the next hop should be to Router B, which is on the same network as the transmitting workstation, Router A will use an ICMP Redirect message to inform the workstation that it should use Router B to access Network B instead (see Figure 4-15). The workstation then modifies the entry in its routing table accordingly.
Figure 4-15 ICMP redirect messages provide simple routing information to transmitting systems.
Because a host accepting a Redirect is allowing an unauthenticated message to rewrite its routing table, an attacker on the same LAN can forge Redirects to steer a victim's traffic through a machine of the attacker's choosing. For this reason, hosts that are not routers are commonly configured to ignore them (on Linux through the net.ipv4.conf.all.accept_redirects sysctl, on Windows through the EnableICMPRedirect registry setting), and routers on untrusted segments are configured not to send them.
Routers also generate ICMP Destination Unreachable messages of various types when they are unable to forward packets. If a router receives a packet that is destined for a workstation on a locally attached network and it can't deliver the packet because the workstation is offline, the router generates a Host Unreachable message and transmits it to the system that originated the packet. If the router is unable to forward the packet to another router that provides access to the destination, it generates a Network Unreachable message instead. Network layer protocols provide end-to-end communications, meaning it is usually the end systems that are involved in a dialog. ICMP is therefore a mechanism that enables intermediate systems (routers) to communicate with a source end system (the transmitter) in the event that the packets can't reach the destination end system.
Other ICMP packets, called Router Solicitation and Router Advertisement messages, can enable workstations to discover the routers on the local network. A host system generates a Router Solicitation message and transmits it as either a broadcast or a multicast to the All Routers on This Subnet address (224.0.0.2). Routers receiving the message respond with Router Advertisement messages that the host system uses to update its routing table. The routers then generate periodic updates to inform the host of their continued operational status. Most systems can update their routing tables with information from ICMP Router Advertisement messages. Support for these messages in hardware router implementations varies from product to product.
The ICMP Redirect and Router Solicitation/Advertisement messages do not constitute a routing protocol per se because they do not provide systems with information about the comparative efficiency of various routes. Routing table entries created or modified as a result of these messages are still considered to be static routes.
Routing Protocols
Routers that support dynamic routing use specialized protocols to exchange information about themselves with other routers on the network. Dynamic routing doesn't alter the actual routing process; it's just a different method of creating entries in the routing table. There are two types of routing protocols: interior gateway protocols and exterior gateway protocols. Private networks typically use only interior gateway protocols because they have a relatively small number of routers and it is practical for all of them to exchange messages with each other.
On the Internet, the situation is different. Having every one of the Internet's thousands of routers exchange messages with every other router would be impossible. The amount of traffic involved would be enormous, and the routers would have little time to do anything else. Instead, as is usual with the Internet, a two-level system was devised that splits the gigantic network into discrete units called autonomous systems or administrative domains or just domains.
An autonomous system (AS) is usually a private network administered by a single authority, such as those run by corporations, educational institutions, and government agencies. The routers within an AS use an interior gateway protocol, such as the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol, to exchange routing information among themselves. At the edges of an AS are routers that communicate with the other autonomous systems on the Internet using an exterior gateway protocol. On today's Internet that protocol is the Border Gateway Protocol (BGP); the older Exterior Gateway Protocol (EGP) that BGP replaced is obsolete and no longer deployed.
By splitting the routing chores into a two-level hierarchy, packets traveling across the Internet pass through routers that contain only the information needed to get them to the right AS. Once the packets arrive at the edge of the AS in which the destination system is located, the routers there contain more specific information about the networks within the AS. The concept is much like the way that IP addresses and domain names are assigned on the Internet. Outside entities track only the various network addresses or domains. The individual administrators of each network are responsible for maintaining the host addresses and host names within the network or domain.
See Chapter 12 for more information on routing protocols.
Switches
The traditional network configuration uses multiple LANs connected by routers to form a network that is larger than would be possible with a single LAN. This is necessary because each LAN is based on a network medium that is shared by multiple computers, and there is a limit to the number of systems that can share the medium before the network is overwhelmed by traffic. Routers segregate the traffic on the individual LANs, forwarding only those packets addressed to systems on other LANs.
Routers have been around for decades, but today switches have revolutionized network design and made it possible to create LANs of almost unlimited size. A switch is essentially a multiport bridging device in which each port is a separate network segment. Similar in appearance to a hub, a switch receives incoming traffic through its ports. Unlike a hub, which forwards the traffic out through all of its other ports, a switch forwards the traffic only to the single port needed to reach the destination (see Figure 4-16). If, for example, you have a small network with each computer connected to a port in the same switch, each system has what amounts to a dedicated, full-bandwidth connection to every other system. No shared network medium exists, and consequently, there are no collisions or traffic congestion. As an added bonus, you also get some increased security because, without a shared medium, a workstation does not normally see traffic not intended for it. This protection is modest, however: a switch still floods broadcasts and frames for unknown destinations out every port, and an attacker on the LAN can overflow the switch's address table with bogus source addresses (MAC flooding) or poison the ARP caches of other hosts so that their traffic is directed to the attacker's port. Port security features that limit the number of addresses learned per port mitigate the former; a switched LAN alone should not be relied on for confidentiality.
Figure 4-16 Switches repeat incoming traffic, but only to the specific port for which the packet is intended.
Switches operate at layer 2 of the OSI reference model, the data link layer, so consequently, they are used to create a single large network instead of a series of smaller networks connected by routers. This also means that switches can support any network layer protocol. Like transparent bridges, switches learn which port each MAC address is reachable through by recording the source address of every incoming frame, and they perform functions such as forwarding and packet filtering. Many switches are also capable of full-duplex communications and automatic speed adjustment. In the traditional arrangement for a larger network, multiple LANs are connected to a backbone network with routers. The backbone network is a shared-medium LAN like all of the others, however, and must therefore carry all of the network traffic generated by the horizontal networks. This is why the backbone network traditionally uses a faster protocol. On a switched network, workstations are connected to individual workgroup switches, which in turn are connected to a single, high-performance switch, thus enabling any system on the network to open a dedicated connection to any other system (see Figure 4-17). This arrangement can be expanded further to include an intermediate layer of departmental switches. Servers accessed by all users can then be connected directly to a departmental switch or to the top-level switch for better performance.
Figure 4-17 Today, hierarchies of switches replace both hubs and routers.
Replacing hubs with switches is an excellent way to improve the performance of a network without changing protocols or modifying individual workstations. Even a legacy 10 Mbps Ethernet network exhibits a dramatic improvement when each workstation is given the full 10 Mbps of bandwidth instead of sharing it. Today, switches are available for nearly all networks, both wired and wireless.
Switch Types
There are two basic types of switching: cut-through switching and store-and-forward switching. A cut-through switch reads only the destination MAC address at the start of an incoming frame, looks up the address in its forwarding table, and immediately begins to transmit it out through the port providing access to the destination. The switch forwards the frame without any additional processing, such as checking the frame check sequence (FCS) for errors, and before it has even received the entire frame. This type of switch is relatively inexpensive and more commonly used at the workgroup or department level, where the lack of error checking will not affect the performance of the entire network. The immediate forwarding of incoming frames reduces the latency (that is, the delay) that results from error checking and other processing. If the destination port is in use, however, the switch buffers incoming data in memory, incurring a latency delay anyway, without the added benefit of error checking.
A store-and-forward switch, as the name implies, stores an entire incoming frame in buffer memory before forwarding it out the destination port. While in memory, the switch checks the frame for errors and other conditions. The switch immediately discards any frames with errors; those without errors are forwarded out through the correct port. These switching methods are not necessarily exclusive of each other. Some switches can work in cut-through mode until a preset error threshold is reached, and then switch to store-and-forward operation. Once the errors drop below the threshold, the switch reverts to cut-through mode.
Switches implement these functions using one of three hardware configurations. Matrix switching, also called crossbar switching, uses a grid of input and output connections, such as that shown in Figure 4-18. Data entering through any port's input can be forwarded to any port for output. Because this solution is hardware based, there is no CPU or software involvement in the switching process. In cases where data can't be forwarded immediately, the switch buffers it until the output port is unblocked.
Figure 4-18 Matrix switching uses a grid of input and output circuits.
In a shared memory switch, all incoming data is stored in a memory buffer that is shared by all of the switch's ports and then forwarded to an output port (see Figure 4-19). A more commonly used technology (shown in Figure 4-20), called bus-architecture switching, forwards all traffic across a common bus, using time-division multiplexing to ensure that each port has equal access to the bus. In this model, each port has its own individual buffer and is controlled by an application-specific integrated circuit (ASIC). Today, switches are available for any size network, from inexpensive workgroup switches designed for small office networks to stackable and modular units used in the largest networks.
Figure 4-19 Shared memory switching
Figure 4-20 Bus-architecture switching
Routing vs. Switching
The question of whether to route or switch on a network is a difficult one. Switching is faster and cheaper than routing, but it raises some problems in most network configurations. By using switches alone, you eliminate subnets and create a single flat network segment that hosts all of your computers. Any two systems can communicate using a dedicated link that is essentially a temporary two-node network. The problems arise when workstations generate broadcast messages. Because a switched network forms a single broadcast domain, broadcast messages are propagated throughout the whole network, and every system must process them, which can waste enormous amounts of bandwidth.
One of the advantages of creating multiple LANs and connecting them with routers is that broadcasts are limited to the individual networks. Routers also provide a security boundary, since traffic between subnets must pass through the router, where it can be filtered. To avoid the wasted bandwidth caused by broadcasts, it has become necessary to implement certain routing concepts on switched networks. This has led to a number of new technologies that integrate routing and switching to varying degrees. Some of these technologies are examined in the following sections.
Virtual LANs
A virtual LAN (VLAN) is a group of systems on a switched network that functions as a subnet and communicates with other VLANs through routers. The physical network is still switched, however; the VLANs exist as an overlay to the switching fabric, as shown in Figure 4-21. Network administrators create VLANs by specifying the switch ports, MAC addresses, or IP addresses of the systems that are to be part of each subnet. Messages that are broadcast on a VLAN are limited to the subnet, just as in a routed network. Because VLANs are independent of the physical network, the systems in a particular subnet can be located anywhere, and a single system can even be a member of more than one VLAN.
Figure 4-21 VLANs are pseudo-subnets of switched workstations, connected by routers.
Despite the fact that all the computers are connected by switches, routers are still necessary for systems in different VLANs to communicate. VLANs that are based solely on layer 2 technology, such as those that use port configuration or MAC addresses to define the member systems, must have a port dedicated to a router connection. In this type of VLAN, the network administrator either selects certain switch ports to designate the members of a VLAN or creates a list of the workstations' MAC addresses.
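The following added example (not the book's code) is a port-based VLAN learning switch that serves both the switch discussion earlier (address learning, flooding of broadcasts and unknown destinations, and the MAC flooding attack against the address table) and the VLAN rules above (broadcasts confined to the VLAN, no layer 2 path between VLANs, a dedicated router port per VLAN). It assumes untagged access ports each in one VLAN, an address table that evicts its oldest entry when full, and an optional port-security limit on addresses learned per port; the MAC addresses, port numbers and VLAN IDs are constructed.

```python
"""Added example (not from the book): a port-based VLAN learning switch, the
MAC flooding attack against its address table, and the port-security limit
that blunts it.

Ports are untagged access ports, each in exactly one VLAN; a router is assumed
to hang off one port per VLAN, as the text requires for layer 2 VLANs.  The
address table is a fixed-size LRU cache: when it overflows, the oldest entry
is evicted and traffic to that address is flooded again.  All MAC addresses,
port numbers and VLAN IDs are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class Switch:
    def __init__(self, port_vlans: Dict[int, int], table_size: int = 1024,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.port_vlans = dict(port_vlans)          # port -> VLAN ID
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table: "OrderedDict[Tuple[int, str], int]" = OrderedDict()  # (vlan, mac) -> port
        self.violations = 0

    def _learn(self, vlan: int, mac: str, port: int) -> bool:
        """Record the source address; False means port security rejected it."""
        key = (vlan, mac)
        if key in self.table:
            self.table.move_to_end(key)
            self.table[key] = port           # a host may have moved ports
            return True
        on_port = sum(1 for p in self.table.values() if p == port)
        if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
            self.violations += 1
            return False
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)   # evict the least recently seen address
        self.table[key] = port
        return True

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Return the ports the frame is forwarded out of ([] if dropped)."""
        vlan = self.port_vlans[in_port]
        if not self._learn(vlan, frame.src, in_port):
            return []                        # port-security violation: frame dropped
        if frame.dst != BROADCAST:
            out = self.table.get((vlan, frame.dst))
            if out is not None:
                return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood, but only within the VLAN.
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


def mac_flood(sw: Switch, port: int, count: int) -> int:
    """Attacker on `port` sends frames from `count` distinct bogus source MACs.
    Returns how many of them the switch actually forwarded."""
    forwarded = 0
    for i in range(count):
        src = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        if sw.receive(port, Frame(src, BROADCAST)):
            forwarded += 1
    return forwarded


MAC = {p: f"00:00:5e:00:00:{p:02x}" for p in range(1, 9)}   # constructed host addresses


def build_switch(**kwargs) -> Switch:
    """Ports 1-3 are hosts in VLAN 10, 5-6 hosts in VLAN 20; 7 and 8 lead to the router."""
    return Switch({1: 10, 2: 10, 3: 10, 7: 10, 5: 20, 6: 20, 8: 20}, **kwargs)


def scenario(hardened: bool) -> Tuple[List[int], List[int], int]:
    """Unicast from port 2 to port 1 before and after a MAC flood from port 3."""
    sw = build_switch(table_size=64, max_macs_per_port=2 if hardened else None)
    sw.receive(1, Frame(MAC[1], BROADCAST))           # host 1 announces itself
    before = sw.receive(2, Frame(MAC[2], MAC[1]))     # learned: goes to port 1 only
    flooded = mac_flood(sw, 3, 200)
    after = sw.receive(2, Frame(MAC[2], MAC[1]))      # still private, or now flooded?
    return before, after, flooded


if __name__ == "__main__":
    print("unprotected:", scenario(hardened=False))
    print("port security:", scenario(hardened=True))
```

Without port security, 200 bogus addresses from port 3 push host 1's entry out of the 64-entry table, so the next frame from port 2 to host 1 is flooded to ports 1, 3 and 7 and the attacker on port 3 reads it; with a two-address limit, the third bogus frame is dropped, the table keeps its real entries, and the unicast stays on port 1. A frame from VLAN 20 addressed to host 1 is flooded only within VLAN 20 (ports 6 and 8), which is why the router on port 8 is the only way across.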
Because of the additional processing involved, routing is slower than switching. This particular arrangement is sometimes referred to as "switch where you can, route where you must" because routing is used for communication only between VLANs; all communication within a VLAN is switched. This is an efficient arrangement as long as the majority of the network traffic (70 to 80 percent) is between systems in the same VLAN. Communication speed within a VLAN is maximized at the expense of the inter-VLAN communication. When too much traffic occurs between systems in different subnets, the routing slows down the process too much, and the speed of the switches is largely wasted.
Layer 3 Switching
Layer 3 switches are similar to routers and often support the same routing protocols. Layer 3 switches also use VLANs but mix routing and switching functions to make communication between VLANs more efficient. This technology is known by several different names, depending on the vendor of the equipment. The essence of the concept is described as "route once, switch afterward." A router is still required to establish connections between systems in different VLANs, but once the connection has been established, subsequent traffic travels over the layer 2 switching fabric, which is much faster.
Most of the hardware devices called layer 3 switches combine the functions of a switch and a router into one unit. The device is capable of performing all of a router's standard functions but is also able to transmit data using high-speed switches, all at a substantially lower cost than a standard router. Layer 3 switches are optimized for use on LAN and metropolitan area network (MAN) connections, not WANs. By replacing the routers that connect workgroup or department networks to the backbone with layer 3 switches, you retain all of the router functionality, while increasing the overall speed at which data is forwarded.
Multiple-Layer Switching
As Gigabit Ethernet becomes the norm, newer switches can prioritize network traffic by using information from other OSI layers in either hardware or software configurations. For example, layer 4 switching is a way to allow better quality of service (QoS) with better management across several servers. Routers have used OSI layer 4 information for prioritizing network traffic for many years. Since today's global applications need rapid dissemination of session information, layer 4 switches can make intelligent decisions for forwarding frames, based on TCP/UDP port information and the IP destination/source addresses. This type of switching can do the following:
• Examine the direction of client requests at the layer 4 switch
• Process multiple requests across any available server
• Measure both availability and responsiveness of each server
• Establish policy controls for traffic management
For more information about modern server technologies, see Chapter 8.
CHAPTER 5
Cabling a Network
Although there are networks that use radio transmissions and other wireless technologies to transmit data, the vast majority of today's networks use some form of cable as the network medium. Most of the cables used for data networking use a copper conductor to carry electrical signals, but fiber-optic, a spun glass cable that carries pulses of light, is an increasingly popular alternative.
Cabling issues have, in recent years, become separated from the typical network administrator's training and experience. Many veteran administrators have never installed (or pulled) cable themselves and are less than familiar with the technology that forms the basis for the network. In many cases, the use of twisted-pair cable has resulted in telephone system contractors being responsible for the network cabling. Network consultants typically outsource all but the smallest cabling jobs to outside companies.
Network cabling is, in many cases, structurally integrated in the building or other structures within the whole network site. Therefore, cable installation, replacement, or upgrade oftentimes entails planning beyond the information technology department's operational control. Even what may seemingly appear to be a simple cable segment replacement project can turn out to be logistically complicated.
However, although the cabling represents only a small part of a network's total cost (as little as 6 percent), it has been estimated to be responsible for as much as 75 percent of network downtime. The cabling is also usually the longest-lived element of a network. You may replace servers and other components more than once before you replace the cable. For these reasons, spending a bit extra on good-quality cable, properly installed, is a worthwhile investment. This chapter examines the types of cables used for networks, their composition, and the connectors they use.
Cable Properties
Data link layer protocols are associated with specific cable types and include guidelines for the installation of the cable, such as maximum segment lengths. In most cases, you have a choice as to what kind of cable you want to use with the protocol, while in others you do not. Part of the process of evaluating and selecting a protocol involves examining the cable types and their suitability for your network site. For example, a connection between two adjacent buildings is better served by fiber-optic than copper, so with that requirement in mind, you should proceed to evaluate the data link layer protocols that support the use of fiber-optic cable.
Your cable installation may also be governed, in part, by the layout of the site and the local building codes. Cables generally are available in both nonplenum and plenum types. A plenum is an air space within a building, created by the components of the building themselves, that is designed to provide ventilation, such as a space between floors or walls. Buildings that use plenums to move air usually do not have a ducted ventilation system. In most communities, to run cable through a plenum, you must use a plenum-rated cable that does not give off toxic gases when it burns because the air in the plenum is distributed throughout the building. The outer covering of a plenum cable is usually some sort of Teflon product, while nonplenum cables have a polyvinyl chloride (PVC) sheath, which does produce toxic gases when it burns. Not surprisingly, plenum cable costs more than nonplenum, and it is also less flexible, making it more difficult to install. However, it is important to use the correct type of cable in any installation. If you violate the building codes, the local authorities can force you to replace the offending cable and possibly make you pay fines as well. Because of always increasing insurance costs, some companies will use specific plenum cables to lower their liability in case of fire because the use of plenum cable can result in less physical damage should there be a fire.
Cost is certainly an element that should affect your cable selection process, not only of the cable itself but also of the ancillary components such as connectors and mounting hardware, the network interface cards (NICs) for the computers, and the labor required for the cable installation. The qualities of fiber-optic cable might make it seem an ideal choice for your network, but when you see the costs of purchasing, installing, and maintaining it, your opinion may change.
Finally, the quality of the cable is an important part of the evaluation and selection process. When you walk into your local computer center to buy a prefabricated cable, you won't have much of a selection, except for cable length and possibly color. Vendors that provide a full cable selection, however (many of whom sell online or by mail order), have a variety of cable types that differ in their construction, their capabilities, and, of course, their prices.
Depending on the cable type, a good vendor may have both bulk cable and prefabricated cables. Bulk cable (that is, unfinished cable without connectors) should be available in various grades, in both plenum and nonplenum types. The grade of the cable can depend on several features, including the following:
• Conductor gauge  The gauge is the diameter of the actual conductor within a cable, which in the case of copper cables is measured using the American Wire Gauge (AWG) scale. The lower the AWG rating, the thicker the conductor. A 24 AWG cable, therefore, is thinner than a 22 AWG cable. A thicker conductor provides better conductivity and more resistance against attenuation.
• Category rating  Some types of cables are assigned ratings by a standards body, like the Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA). Twisted-pair cable, for example, is given a category rating that defines its capabilities. Most of the twisted-pair cable found today is Category 5e or Category 6, known as Cat 5e or Cat 6. Newer installations may use Cat 6a, which has improved performance at frequencies up to 500 MHz.
• Shielded or unshielded  Some cables are available with casings that provide different levels of shielding against electromagnetic interference. The shielding usually takes the form of foil or copper braid, the latter of which provides better protection. Twisted-pair cabling, for example, is available in shielded and unshielded varieties. For a typical network environment, unshielded twisted-pair provides sufficient protection against interference because the twisting of the wire
pairsitselfisapreventativemeasure.
•SolidorstrandedconductorAcablewithasolidmetalconductorprovidesbetterprotectionagainstattenuation,whichmeansitcanspanlongerdistances.However,thesolidconductorhamperstheflexibilityofthecable.Ifflexedorbentrepeatedly,theconductorinsidethecablecanbreak.Solidconductorcables,therefore,areintendedforpermanentcablerunsthatwillnotbemoved,suchasthoseinsidewallsorceilings.(Notethatthecablecanbeflexedaroundcornersandotherobstaclesduringtheinstallation;itisrepeatedflexingthatcandamageit.)Cableswithconductorscomposedofmultiplecopperstrandscanbeflexedrepeatedlywithoutbreakingbutaresubjecttogreateramountsofattenuation.Strandedcables,therefore,shouldbeusedforshorterrunsthatarelikelytobemoved,suchasforpatchcablesrunningfromwallplatestocomputers.
NOTEAttenuationreferstothetendencyofsignalstoweakenastheytravelalongacablebecauseoftheresistanceinherentinthemedium.Thelongeracable,themorethesignalsattenuatebeforereachingtheotherend.Attenuationisoneoftheprimaryfactorsthatlimitsthesizeofadatanetwork.Differenttypesofcablehavedifferentattenuationrates,withcoppercablebeingfarmoresusceptibletotheeffectthanfiber-opticcable.
Thesefeaturesnaturallyaffectthepriceofthecable.Alowergaugeismoreexpensivethanahigherone,ahighercategoryismoreexpensivethanalower,shieldedismoreexpensivethanunshielded,andsolidismoreexpensivethanstranded.Thisisnottosay,however,thatthemoreexpensiveproductispreferableineverysituation.Inadditiontothecable,agoodvendorshouldhavealloftheequipmentyouneedtoattachtheappropriateconnectors,includingtheconnectorcomponentsandthetoolsforattachingthem.
Prefabricatedcableshavetheconnectorsalreadyattachedandshouldbeavailableinvariouslengthsandcolors,usingcablewiththefeaturesalreadylisted,andwithvariousgradesofconnectors.Thehighest-qualityprefabricatedcables,forexample,usuallyhavearubberbootaroundtheconnectorthatsealsittothecableend,preventsitfromlooseningorpullingout,protectstheconnectorpinsfrombending,andreducessignalinterferencebetweenthewires(calledcrosstalk).Onlower-costcables,theconnectorissimplyattachedtotheend,withoutanyextraprotection.
Cabling Standards
Prior to 1991, the cabling used for networks was specified by the manufacturers of individual networking products. This resulted in the incompatibilities that are common in proprietary systems, and the need was recognized for a standard to define a cabling system that could support a multitude of different networking technologies. To address this need, the American National Standards Institute (ANSI), the Electronic Industry Association, and the Telecommunications Industry Association, along with a consortium of telecommunications companies, developed the ANSI/EIA/TIA-568-1991 Commercial Building Telecommunications Cabling Standard. This document was revised in 1995 and was known as ANSI/TIA/EIA-T568-A. An additional wiring standard, the T568-B, was adopted in 2001. The primary difference between the two is that two of the wiring pairs are swapped. Each standard defines the pinout (or order of connection) for the eight-pin connector plugs. See "Connector Pinouts" later in this chapter for more information.
Both of these standards were superseded by the current TIA/EIA-568-C standard.
TIA/EIA-568
The 568 standard defines a structured cabling system for voice and data communications in office environments that has a usable life span of at least ten years, supports products of multiple technology vendors, and uses any of the following cable types for various applications. The current standard (TIA/EIA-568-C) defines the general requirements with subsections that focus on cabling systems. Additional standards, such as TIA-569-A and TIA-570-A, address commercial and residential cabling.
The documents also include specifications for installing the cable within the building space. Toward this end, the building is divided into the following subsystems:
• Building entrance: The location at which the building's internal cabling interfaces with outside cabling. This is also referred to as the demarcation point, where the external provider network ends and connects with the customer's on-premise wiring.
• Equipment room: The location of equipment that can provide the same functions as that in a telecommunications closet but that may be more complex.
• Telecommunications closet: The location of localized telecommunications equipment, such as the interface between the horizontal cabling and the backbone.
• Backbone cabling: The cabling that connects the building's various equipment rooms, telecommunications closets, and the building entrance, as well as connections between buildings in a campus network environment.
• Horizontal cabling: The cabling and other hardware used to connect the telecommunications closet to the work area.
The wiring is usually run through wireways, conduits, or ceiling spaces of each floor and can be either plenum cabling or internal wiring (IW).
• Work area: The components used to connect the telecommunications outlet to the workstation.
Thus, the cable installation for a modern building might look something like the diagram shown in Figure 5-1. The connections to external telephone and other services arrive at the building entrance and lead to the equipment room, which contains the network servers and other equipment. A backbone network connects the equipment room to various telecommunications closets throughout the building, which contain network interface equipment, such as switches, bridges, routers, or hubs. From the telecommunications closets, the horizontal cabling branches out into the work areas, terminating at wall plates. The work area then consists of the patch cables that connect the computers and other equipment to the wall plates.
Figure 5-1 A generic building cabling system as defined by TIA/EIA T-568
This is, of course, a simplified and generalized plan. The T568 standard, in coordination with other TIA/EIA standards, provides guidelines for the types of cabling within and between these subsystems that you can use to create a wiring plan customized to your site and your equipment.
Contractors you hire to perform an office cable installation should be familiar with these standards and should be willing to certify in writing that their work conforms to the guidelines they contain.
Data Link Layer Protocol Standards
The protocols traditionally associated with the data link layer of the OSI reference model, such as Ethernet and Token Ring, also overlap into the physical layer in that they contain specifications for the network cabling. Thus, Ethernet and Token Ring standards, like those produced by the IEEE 802 working group, can also be said to be cabling standards. However, these documents do not go as deeply into the details of the cable properties and enterprise cable system design as T568.
Coaxial Cable
The first commercially viable network technologies introduced in the 1970s used coaxial cable as the network medium. Coaxial cable is named for the two conductors that share the same axis running through the cable's center. Many types of copper cable have two separate conductors, such as a standard electrical cord. In most of these, the two conductors run side by side within an insulating sheath that protects and separates them. A coaxial cable, on the other hand, is round, with a copper core at its center that forms the first conductor. It is this core that carries the actual signals. A layer of dielectric foam insulation surrounds the core, separating it from the second conductor, which is made of braided wire mesh and functions as a ground. As with any electrical cable, the signal conductor and the ground must always be separated or a short will occur, producing noise on the cable. This entire assembly is then enclosed within an insulating sheath (see Figure 5-2).
Figure 5-2 A cross-section of a coaxial cable
NOTE: Coaxial cables can have either a solid or a stranded copper core, and their designations reflect the difference. The suffix /U indicates a solid core, while A/U indicates a stranded core. Thin Ethernet used either an RG-58/U or an RG-58A/U cable.
Several types of coaxial cables were used for networking, and they had different properties, even if they were similar in appearance. Data link layer protocols called for specific types of cable, the properties of which determined the guidelines and limitations for the cable installation.
Today, coax cable is primarily used for connecting televisions to cable boxes or satellite receivers. It also may be used to connect a computer's cable modem to an Internet service provider (ISP). In the early days of computer networks, the cable was connected with a special connector called a BNC. The actual meaning of the bayonet-style connector's name is shrouded in mystery, with most technicians divided between British Naval Connector and Bayonet Neill-Concelman.
Thick Ethernet
RG-8/U cable was usually referred to as thick Ethernet trunk cable because that was its primary use. The RG-8/U cable used for thick Ethernet networks had the least amount of attenuation of the coaxial cables, due in no small part to it being much thicker than the other types. This is why a thick Ethernet network could have cable segments up to 500 meters long, while thin Ethernet was limited to 185 meters.
At .405 inches in diameter, RG-8/U was similar in size to a garden hose but much heavier and less flexible, which made it difficult to bend around corners. For these reasons, the cable was typically installed along the floor of the site. By contrast, the RG-58A/U cable used by thin Ethernet was thinner, lighter, and flexible enough to run directly to the NIC.
Thick Ethernet cable was usually yellow and was marked every 2.5 meters for the taps to which the workstations connect. To connect a workstation to the cable, you applied what was known as a vampire tap. A vampire tap is a clamp that you connected to the cable after drilling a hole in the sheath. The clamp had metal "fangs" that penetrated into the core to send and receive signals. The vampire tap also included the transceiver (external to the computer on a thick Ethernet network), which connected to the NIC with a cable with connectors at both ends.
As a result of the inconvenience caused by its expense and rigidity, and despite its better performance than its successor, thin Ethernet, thick Ethernet is rarely seen today, even on legacy networks.
Thin Ethernet
The main advantage of the RG-58 cable used for thin Ethernet networks over RG-8 was its relative flexibility, which simplifies the installation process and makes it possible to run the cable directly to the computer, rather than using a separate AUI cable. Compared to twisted-pair, however, thin Ethernet is still ungainly and difficult to conceal because every workstation must have two cables connected to its NIC using a T fitting. Instead of neat wall plates with modular jacks for patch cables, an internal thin Ethernet installation had two thick, semirigid cables protruding from the wall for every computer.
As a result of this installation method, the bus was actually broken into separate lengths of cable that connect each computer to the next, unlike a thick Ethernet bus, which ideally was one long cable segment pierced with taps along its length. This made a big difference in the functionality of the network because if one of the two connections to each computer was broken for any reason, the bus was severed. When this happened, network communications failed between systems on different sides of the break, and the loss of termination on one end of each fragment jeopardized all of the network's traffic.
RG-58 cable used BNC connectors to connect to the T and to connect the T to the NIC in the computer. Even at the height of its popularity, thin Ethernet cable was typically purchased in bulk, and the connectors were attached by the installer or administrator; prefabricated cables were relatively rare. The process of attaching a BNC connector involved stripping the insulation off the cable end to expose both the copper core and the ground. The connector is then applied as separate components (a socket that the cable threads through and a post that slips over the core). Finally, the socket is compressed so it grips the cable and holds the post in place, using a pliers-like tool called a crimper.
Cable Television
Just because coaxial cable is no longer used for networks does not mean that it has totally outlived its usefulness. Antennas, radios, and particularly the cable television industry still use it extensively. The cable delivering TV service to your home is RG-59 75-ohm coaxial, used in this case for broadband rather than baseband transmission (meaning that the single cable carries multiple, discrete signals simultaneously). This cable is also similar in appearance to thin Ethernet, but it has different properties and uses different connectors. The F connector used for cable TV connections screws into the jack, while BNC connectors use a bayonet lock coupling.
Many cable TV providers use this same coaxial cable to supply Internet access to subscribers, as well as television signals. In these installations, the coaxial cable connects to a device typically referred to as a cable modem, which then is connected to a computer using a 10Base-T Ethernet cable.
Twisted-Pair Cable
Twisted-pair cable is the current standard for networks. When compared to coaxial, it is easier to install, is suitable for many different applications, and provides far better performance. Perhaps the biggest advantage of twisted-pair cable, however, is that it is already used in countless telephone system installations throughout the world.
This means that many contractors are familiar with the installation procedures and that in a newly constructed office it is possible to install the cables at the same time as the telephone cables. In fact, many private homes now being built include twisted-pair network cabling as part of the basic service infrastructure.
Unlike coaxial cable, which has only one signal-carrying conductor and one ground, the twisted-pair cable used in most data networks has four pairs of insulated copper wires within a single sheath. Each wire pair is twisted with a different number of twists per inch to avoid electromagnetic interference from the other pairs and from outside sources (see Figure 5-3).
Figure 5-3 A cross-section of a twisted-pair cable
Each pair of wires in a twisted-pair cable is color coded, using colors defined in the TIA/EIA-T568-A or B standard, as shown in Table 5-1. In each pair, the solid-colored wire carries the signals, while the striped wire acts as a ground.
Table 5-1 Color Codes for TIA/EIA T-568
Unshielded Twisted-Pair
The outer sheathing of a twisted-pair cable can be either relatively thin, as in unshielded twisted-pair (UTP) cable, or thick, as in shielded twisted-pair (STP). UTP cable is the more commonly used of the two; most Ethernet networks are more than adequately served by UTP cable. The UTP cable uses 22 or 24 AWG copper conductors and has an impedance of 100 ohms. The insulation can be plenum rated or nonplenum.
Beyond these specifications, the TIA/EIA-T568 standard defines levels of performance for UTP cable that are referred to as categories. A higher category rating means that a cable is more efficient and able to transmit data at greater speeds. The major difference between the different cable categories is the tightness of each wire pair's twisting, commonly referred to as twist per inch. Table 5-2 lists some of the categories defined by the T568 standard, the speed ratings, the maximum run length, the network applications, and the maximum frequency for each category.
Table 5-2 Cable Category Specifications
Category 3 cable was traditionally used for telephone system installations and was also suitable for 10Base-T Ethernet networks, which run at 10 Mbps. Category 3 was not suitable for the 100 Mbps speed used by Fast Ethernet, except in the case of 100Base-T4, which was specifically designed to run on Category 3 cable. 100Base-T4 was able to function only on this cable because it used all four of the wire pairs to carry data, while the standard technologies of the time used only two pairs.
Category 4 cable provided a marginal increase in performance over Category 3 and was, for a time, used in Token Ring networks. Since its ratification in 1995, however, most of the UTP cable installed for computer networks (and telephone networks as well) was Category 5. Category 5 UTP cable (often known simply as Cat 5) provided a substantial performance increase, supporting transmissions at up to 100 MHz.
Category 5e
While Category 5 cable was sufficient for use on 100 Mbps networks such as Fast Ethernet, technology continued to advance, and with Gigabit Ethernet products becoming available, running at 1 Gbps (1,000 Mbps), it was necessary to accommodate the higher speeds.
UTP cable ratings have continued to advance as well. However, the process by which the TIA/EIA standards are defined and ratified is much slower than the pace of technology, and many high-performance cable products arrived on the market that exceeded the Category 5 specifications to varying degrees. In 1999, after a surprisingly accelerated development period of less than two years, the TIA/EIA ratified the Category 5e (or Enhanced Category 5) standard.
The Category 5e standard was revised more than 14 times during its development because there was a great deal of conflict among the concerned parties as to how far the standard should go. Category 5e was intended primarily to support the IEEE 802.3ab Gigabit Ethernet standard, also known as 1000Base-T, which is a version of the 1,000 Mbps networking technology designed to run on the standard 100-meter copper cable segments also used by Fast Ethernet. As you can see in Table 5-2, the Category 5e standard calls for a maximum frequency rating of only 100 MHz, the same as that of Category 5 cable. However, Gigabit Ethernet uses frequencies up to 125 MHz, and Asynchronous Transfer Mode (ATM) networks, which were also expected to use this cable, could run at frequencies of up to 155 MHz. As a result, there was a good deal of criticism leveled at the 5e standard, saying that it didn't go far enough to ensure adequate performance of Gigabit Ethernet networks.
It's important to understand that the TIA/EIA UTP cable standards consist of many different performance requirements, but the frequency rating is the one that is most commonly used to judge the transmission quality of the cable. In fact, the Category 5e standard is basically the Category 5 standard with slightly elevated requirements for some of its testing parameters, such as near end crosstalk (NEXT), the attenuation-to-crosstalk ratio (ACR), return loss, and differential impedance.
Cat 6 and 6a
Cat 6 was established in 2001. This standard for Gigabit Ethernet is backward compatible with the Cat 3, 5, and 5e standards. This cable features higher specifications for suppression of both system noise and crosstalk issues. It was specifically designed to be interoperable, meaning cable meeting this standard must work with products manufactured by most vendors.
Because Cat 6 cables contain larger copper conductors, the size is a bit larger than the earlier Category 5 and 5e cables. The diameter of Cat 6 ranges from 0.21 inch to 0.25 inch (5.3 mm to 5.8 mm). Since Cat 5 and 5e cables fall in the range from 0.19 inch to 0.22 inch (4.8 mm to 5.5 mm), the physical size can make a difference in an installation.
Crosstalk is reduced in Cat 6 by making each pair a twist of .5 inch or less, while the larger conductor size provides less signal loss (attenuation) over the length of the cable.
Augmented Category 6 (Cat 6a) cable improves the bandwidth of Cat 6. However, because it is available in STP format, it must have specialized connectors to ground the cable and is therefore more expensive than Cat 6.
Cat 7
Cat 7 (originally known as Class F) is backward compatible with both Cat 5 and Cat 6. It is a twisted-pair cable that was designed as a standard for Gigabit Ethernet. It has additional shielding that helps to reduce both crosstalk and system noise. Because of this additional shielding, Cat 7 cable is bulkier and more difficult to bend. As with Cat 6a, each layer must be grounded or its throughput performance declines to nearly that of Cat 6.
NOTE: Remember, when upgrading cabling, all of the network components must be rated at the same category. This means you will not have a Cat 6 network if some of the connectors or other components are rated at Cat 5.
Currently, as technology advances, so do new standards. Cat 7a is currently available for some applications, primarily multiple applications across a single cable. Cat 8 and beyond are in the works.
Connector Pinouts
Twisted-pair cables use RJ-45 modular connectors at both ends (see Figure 5-4). An RJ-45 (RJ is the acronym for registered jack) is an eight-pin version of the four-pin (or sometimes six-pin) RJ-11 connector used on standard satin telephone cables. The pinouts for the connector, which are also defined in the TIA/EIA-T568-A and B standards, are shown in Figure 5-5.
Figure 5-4 An RJ-45 connector
Figure 5-5 The 568A and 568B pinouts
The USOC standard (as shown in Figure 5-6) was the traditional pinout originated for voice communications in the United States, but this configuration is not suitable for data. This is because while pins 3 and 6 do connect to a single-wire pair, pins 1 and 2 are connected to separate pairs. AT&T discovered this shortcoming when it began doing research into computer networks that would run over the existing telecommunications infrastructure. In 1985, AT&T published its own standard, called 258A, which defined a new pinout in which the proper pins used the same wire pairs.
Figure 5-6 The 568B and USOC pinouts
The TIA/EIA, which was established in 1985 after the breakup of AT&T, then published the 258A standard as an adjunct to TIA/EIA-T568-A in 1995, giving it the name T568-B (as shown on the left in Figure 5-6). Thus, while the pinout now known as 568B would seem to be newer than 568A, it is actually older. Pinout 568B began to be used widely in the United States before the TIA/EIA-T568-A standard was even published.
As you can see in Figure 5-6, the USOC standard uses a different layout for the wire pairs, while the 568A and 568B pinouts are identical except that the green and orange wire pairs are transposed. Thus, the two TIA/EIA standards are functionally identical; neither one offers a performance advantage over the other, as long as both ends of the cable use the same pinout. Prefabricated cables are available that conform to either one of these standards.
In most cases, twisted-pair cable is wired straight through, meaning that each of the pins on one connector is wired to its corresponding pin on the other connector, as shown in Figure 5-7. On a typical network, however, computers use separate wire pairs for transmitting and receiving data. For two machines to communicate, the transmitted signal generated at each computer must be delivered to the receive pins on the other, meaning that a signal crossover must occur between the transmit and receive wire pairs. The cables are wired straight through (that is, without the crossover) on a normal Ethernet LAN because the hub is responsible for performing the crossover. If you want to connect one computer to another without a hub to form a simple two-node Ethernet network, you must use a crossover cable, in which the transmit pins on each end of the cable are connected to the receive pins on the other end, as shown in Figure 5-8.
Figure 5-7 UTP straight-through wiring
Figure 5-8 UTP crossover wiring
Because each pin on a straight-through cable is connected to the corresponding pin at the other end, it doesn't matter what colors the wires are, as long as the pairs are properly oriented. So, when purchasing prefabricated cables, either the 568A or 568B pinouts will function properly. The time when you must make a conscious decision to use one standard or the other is when you install bulk cable (or have it installed). You must connect the same colors on each end of the cable to the same pins so you get a straight-through connection. Selecting one standard and sticking to it is the best way to avoid confusion that can result in nonfunctioning connections.
Attaching the connectors to a cable requires a crimper tool, much like the one used for coaxial cable, except that the process is complicated by having eight conductors to deal with instead of only two. A network administrator who is not handy with a crimper can easily purchase twisted-pair cables with connectors attached in a wide variety of grades, lengths, and colors.
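The following is an added example, not part of the book, that puts the pinout rules just described into code: it holds the published T568A and T568B color orders, maps each pin on one RJ-45 to the pin carrying the same wire on the other end, and classifies the result as straight-through (identity mapping), crossover (pins 1-2 swapped with 3-6, the 10/100 transmit and receive pairs), or miswired, including the USOC-style fault of splitting one twisted pair across two pairs. The function names and the sample cables are constructed for this example.

```python
"""Added example: check RJ-45 terminations against the T568A/T568B pinouts.

The pin/color tables are the published T568A and T568B assignments the
chapter describes; the classification logic and the sample cables are
constructed for this example and are not from the book.
"""

# Pins 1..8 in order. 568A and 568B differ only in that the green and
# orange pairs are transposed.
T568A = ("white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown")
T568B = ("white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown")

STANDARDS = {"T568A": T568A, "T568B": T568B}

# RJ-45 pin pairs under the T568 pinouts: pins 1-2, 3-6, 4-5 and 7-8 each
# carry one twisted pair (the USOC pinout violates this for pins 1 and 2).
PAIRS = ((1, 2), (3, 6), (4, 5), (7, 8))

# 10/100 Mbps Ethernet transmits on pins 1-2 and receives on 3-6, so a
# crossover cable swaps those two pairs end to end.
CROSSOVER_MAP = {1: 3, 2: 6, 3: 1, 6: 2, 4: 4, 5: 5, 7: 7, 8: 8}
STRAIGHT_MAP = {pin: pin for pin in range(1, 9)}


def identify_termination(colors):
    """Return 'T568A' or 'T568B' if the eight colors match a standard, else None."""
    for name, pinout in STANDARDS.items():
        if tuple(colors) == pinout:
            return name
    return None


def pin_map(end_a, end_b):
    """Map each pin on end A to the pin on end B carrying the same wire.

    Raises ValueError unless both ends terminate the same eight distinct
    colors, since every wire must land on exactly one pin at each end.
    """
    if len(end_a) != 8 or len(end_b) != 8:
        raise ValueError("an RJ-45 termination has exactly eight pins")
    position_b = {color: pin for pin, color in enumerate(end_b, start=1)}
    if len(position_b) != 8 or set(end_a) != set(position_b):
        raise ValueError("both ends must use the same eight distinct colors")
    return {pin: position_b[color] for pin, color in enumerate(end_a, start=1)}


def pairs_intact(mapping):
    """True if every twisted pair on end A lands on a twisted pair on end B."""
    pair_sets = [set(p) for p in PAIRS]
    return all({mapping[a], mapping[b]} in pair_sets for a, b in PAIRS)


def classify_cable(end_a, end_b):
    """Classify a patch cable from the color order seen at each RJ-45.

    Returns 'straight-through', 'crossover', or 'miswired'. A cable that is
    electrically continuous but splits a pair across two pairs still counts
    as miswired, because the signal would no longer ride a twisted pair.
    """
    mapping = pin_map(end_a, end_b)
    if mapping == STRAIGHT_MAP:
        return "straight-through"
    if mapping == CROSSOVER_MAP:
        return "crossover"
    return "miswired"


if __name__ == "__main__":
    # Constructed sample cables, not from the book.
    print(classify_cable(T568B, T568B))          # straight-through
    print(classify_cable(T568A, T568B))          # crossover
    split = list(T568B)
    split[1], split[3] = split[3], split[1]      # orange and blue swapped at one end
    print(classify_cable(T568B, split),          # miswired
          pairs_intact(pin_map(T568B, split)))   # False
```

A 568A termination on one end and 568B on the other yields exactly the 1-3/2-6 swap of Figure 5-8, which is why mixing the two standards on a bulk-cable run produces an unintended crossover.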
Shielded Twisted-Pair
Shielded twisted-pair is 150-ohm cable containing additional shielding that protects signals against the electromagnetic interference (EMI) produced by electric motors, power lines, and other sources. Originally used in Token Ring networks, STP is also intended for installations where UTP cable would provide insufficient protection against interference.
The shielding in STP cable is not just an additional layer of inert insulation, as many people believe. Rather, the wires within the cable are encased in a metallic sheath that is as conductive as the copper in the wires. This sheath, when properly grounded, converts ambient noise into a current, just like an antenna. This current is carried to the wires within, where it creates an equal and opposite current flowing in the twisted pairs. The opposite currents cancel each other out, eliminating noise that injects disturbance to the signals passing over the wires.
This balance between the opposite currents is delicate. If they are not exactly equal, the current can be interpreted as noise and can disturb the signals being transmitted over the cable. To keep the shield currents balanced, the entire end-to-end connection must be shielded and properly grounded. This means that all of the components involved in the connection, such as connectors and wall plates, must also be shielded. It is also vital to install the cable correctly so that it is grounded properly and the shielding is not ripped or otherwise disturbed at any point.
The shielding in an STP cable can be either foil or braided metal. The metal braid is a more effective shield, but it adds weight, size, and expense to the cable. Foil-shielded cable, sometimes referred to as screened twisted-pair (ScTP) or foil twisted-pair (FTP), is thinner, lighter, and cheaper but is also less effective and more easily damaged. In both cases, the installation is difficult when compared to UTP because the installers must be careful not to flex and bend the cable too much, or they could risk damaging the shielding.
The cable may also suffer from increased attenuation and other problems because the effectiveness of the shielding is highly dependent on a multitude of factors, including the composition and thickness of the shielding, the type and location of the EMI in the area, and the nature of the grounding structure.
The properties of the STP cable itself were defined by IBM during the development of the Token Ring protocol:
• Type 1A: Two pairs of 22 AWG wires, each pair wrapped in foil, with a shield layer (foil or braid) around both pairs, and an outer sheath of either PVC or plenum-rated material
• Type 2A: Two pairs of 22 AWG wires, each pair wrapped in foil, with a shield layer (foil or braid) around both pairs, plus four additional pairs of 22 AWG wires for voice communications, within an outer sheath of either PVC or plenum-rated material
• Type 6A: Two pairs of 22 AWG wires, with a shield layer (foil or braid) around both pairs, and an outer sheath of either PVC or plenum-rated material
• Type 9A: Two pairs of 26 AWG wires, with a shield layer (foil or braid) around both pairs, and an outer sheath of either PVC or plenum-rated material
Fiber-Optic Cable
Fiber-optic cable is completely different from all of the other cables covered thus far in this chapter because it is not based on electrical signals transmitted through copper conductors. Instead, fiber-optic cable uses pulses of light (photons) to transmit the binary signals generated by computers. Because fiber-optic cable uses light instead of electricity, nearly all of the problems inherent in copper cable, such as electromagnetic interference, crosstalk, and the need for grounding, are completely eliminated. In addition, attenuation is reduced enormously, enabling fiber-optic links to span much greater distances than copper, up to 120 kilometers in some cases.
Fiber-optic cable is ideal for use in network backbones, especially for connections between buildings, because it is immune to moisture and other outdoor conditions. Fiber cable is also inherently more secure than copper because it does not radiate detectable electromagnetic energy like copper, and it is extremely difficult to tap.
The drawbacks of fiber optic mainly center around its installation and maintenance costs, which are usually thought of as being much higher than those for copper media. What used to be a great difference, however, has come closer to evening out in recent years. The fiber-optic medium is at this point only slightly more expensive than UTP. Even so, the use of fiber does present some problems, such as in the installation process. Pulling the cable is basically the same as with copper, but attaching the connectors requires completely different tools and techniques; you can essentially throw everything you may have learned about electric wiring out the window.
Fiber optics has been around for a long time; even the early 10 Mbps Ethernet standards supported its use, calling it FOIRL, and later 10BaseF. Fiber optics came into its own, however, as a high-speed network technology, and today virtually all of the data link layer protocols currently in use support it in some form.
Fiber-Optic Cable Construction
A fiber-optic cable consists of a core made of glass or plastic and a cladding that surrounds the core; then it has a plastic spacer layer, a layer of Kevlar fiber for protection, and an outer sheath of Teflon or PVC, as shown in Figure 5-9. The relationship between the core and the cladding enables fiber-optic cable to carry signals long distances. The transparent qualities of the core are slightly greater than those of the cladding, which makes the inside surface of the cladding reflective. As the light pulses travel through the core, they reflect back and forth off the cladding. This reflection enables you to bend the cable around corners and still have the signals pass through it without obstruction.
Figure 5-9 Cross-section of a fiber-optic cable
There are two main types of fiber-optic cable, called singlemode and multimode, that differ in several ways. The most important difference is in the thickness of the core and the cladding. Singlemode fiber is typically rated at 8.3/125 microns and multimode fiber at 62.5/125 microns. These measurements refer to the thickness of the core and the thickness of the cladding and the core together. Light travels down the relatively thin core of singlemode cable without reflecting off the cladding as much as in multimode fiber's thicker core. The signal carried by a singlemode cable is generated by a laser and consists of only a single wavelength, while multimode signals are generated by a light-emitting diode (LED) and carry multiple wavelengths. Together, these qualities enable singlemode cable to operate at higher bandwidths than multimode and traverse distances up to 50 times longer.
However, singlemode cable is often more expensive and has a relatively high bend radius compared to multimode, which makes it more difficult to work with. Most fiber-optic LANs use multimode cable, which, although inferior in performance to singlemode, is still vastly superior to copper.
Multimode cables are often used for local network installations when extreme distance is not an issue. Since singlemode cables transmit laser light, it travels in only one direction so that the wavelength it uses is compatible with the laser light detector at the receiving end. This type of fiber-optic cable is used primarily where data speed and distance are paramount.
Fiber-optic cables are available in a variety of configurations because the cable can be used for many different applications. Simplex cables contain a single fiber strand, while duplex cables contain two strands running side by side in a single sheath. Breakout cables can contain as many as 24 fiber strands in a single sheath, which you can divide to serve various uses at each end. Because fiber-optic cable is immune to copper cable problems such as EMI and crosstalk, it's possible to bundle large numbers of strands together without twisting them or worrying about signal degradation, as with UTP cable.
Fiber-Optic Connectors
The original connector used on fiber-optic cables was called a straight tip (ST) connector. It was a barrel-shaped connector with a bayonet locking system, as shown in Figure 5-10. It was replaced by the SC type (which stands for subscriber connector, standard connector, or Siemon connector), which many consider now to be the traditional connector. The SC has a square body and locks by simply pushing it into the socket. Figure 5-10 shows the ST and SC connectors.
Figure 5-10 Fiber-optic connectors SC (left) and ST (right)
Today, connectors with smaller form factors are replacing the traditional fiber-optic connectors. These smaller connectors reduce the footprint of the network by allowing more connectors to be installed in each faceplate. One of the most common of these small connectors is the LC (which stands for local connector or Lucent connector). The LC is a duplex connector that is designed for two fiber-optic cables.
Using fiber-optic cable imparts a freedom to the network designer that could never be realized with copper media. Because fiber optic permits segment lengths much greater than UTP, having telecommunications closets containing switches or hubs scattered about a large installation is no longer necessary. Instead, horizontal cable runs can extend all the way from wall plates down to a central equipment room that contains all of the network's patch panels, hubs, switches, routers, and other such devices. This is known as a collapsed backbone. Rather than traveling constantly to remote areas of the installation, the majority of the infrastructure maintenance can be performed at this one location. For more information about network design, see Chapter 9.
CHAPTER 6
Wireless LANs
Until recently, computer networks were thought of as using cables for their communications medium, but there have also been wireless networking solutions available for many years. Wireless networking products typically use some form of radio or light waves; these are called unbounded media (as opposed to bounded media, which refers to cabled networks). These media enable users with properly equipped computers to interact with other networked computers, just as if they were connected to them with cables. Wireless networking products long had a reputation for poor performance and unreliability. It is only in the last ten or twelve years that these technologies have developed to the point at which they are serious tools for business users.
In many cases, users have come to expect connectivity in nearly every setting, whether it be in the grocery store, on a commuter train, or in a restaurant line. Whether it be with a cell phone, a tablet, or a laptop, we expect to be able to download e-mail and access both the Internet and our company's network in an instant. Most telephone service providers now enable users to access all of these services in any location. One of the advantages of cellular-based data networking is its range. Users can access the Internet and other networks from any place supported by the cellular network.
Wireless Networks
Wireless networks, or wireless local area networks (WLANs), connect devices with radio waves rather than cables. The ability to connect servers, printers, scanning devices, and workstations without dragging cabling through walls is the biggest advantage of wireless networking.
NOTE: Wide area networks are also wireless and are introduced in Chapter 7.
The main difference between a traditional, cabled network and a wireless network is the way the data is transmitted. Wireless networks use a transmitter called a wireless access point (WAP) that has been wired into an Internet connection to create a hotspot for the connection. Access to the wireless network then depends on several things:
• Distance from a WAP: The closer one is to an access point, the better the signal.
• Transmission strength of the wireless card: Wireless fidelity (WiFi) cards have varying degrees of transmitting capabilities. Normally, lower-cost cards have less power than more expensive cards and therefore must be closer to the access point.
• Existing interference: Microwave devices, cordless phones, computers, and even Bluetooth devices can interfere with a WiFi network.
• Current traffic on the network, including the number of current users
Depending on the IEEE 802.11 standard of a WAP and what the current users are doing, more than 20 users accessing a specific WAP can cause the connection to degrade. This is especially true if users are using file-sharing software or peer-to-peer applications such as Skype.
• Local environment characteristics: Be sure to note how physical obstructions or barriers such as walls, placement of devices, and other such issues will affect your network. In a small-office environment, there are many cases of poorly designed wireless installations due to lack of understanding of the effects of physical obstructions and the choice between lower and higher frequencies to mitigate these limitations.
NOTESee“TheIEEE802.11Standards”sectionlaterinthischapterformoreinformation.
AdvantagesandDisadvantagesofWirelessNetworksWhilewirelessnetworksarecertainlyusefulandhavetheiradvantages,theyhavesomedefinitedisadvantageswhencomparedwithwired(cabled)networks.Table6-1discussessomeoftheadvantagesanddisadvantages.
Table6-1AdvantagesandDisadvantagesofWirelessNetworksvs.WiredNetworks
TypesofWirelessNetworks
Therearemanytypesofwireless,suchasWiFi,Bluetooth,satelliteservices,andothers,inusetoday.Bluetooth,namedforatenth-centuryDanishking,providesshort-rangewirelesscommunicationsbetweendevicessuchascellularphones,keyboards,orprintersataverylowcost.Bluetoothusesradiofrequencysignals,whicharenotlimitedtoline-of-sighttransmissions.Often,keyboardsormiceareavailablewithBluetoothtechnologytousewithacellphone,laptop,ortablet.
ThemostwidelyusedtechnologytodayisWiFi.Thistechnologyhasbetterconnectionspeedsand,ifconfiguredproperly,ismoresecurethanaBluetoothconnection.Table6-2showssomeofthedifferencesbetweenthetwo.
Table6-2Bluetoothvs.WiFi
WirelessApplicationsThemostimmediateapplicationforwirelesslocalareanetworkingisthesituationwhereitisimpracticalorimpossibletoinstallacablednetwork.Insomecases,theconstructionofabuildingmaypreventtheinstallationofnetworkcables,whileinothers,cosmeticconcernsmaybetheproblem.Forexample,akioskcontainingacomputerthatprovidesinformationtoguestsmightbeaworthwhileadditiontoaluxuryhotel,butnotattheexpenseofrunningunsightlycablesacrossthefloororwallsofameticulouslydecoratedlobby.Thesamemightbethecaseforasmalltwo-orthree-nodenetworkinaprivatehome,whereinstallingcablesinsidewallswouldbedifficultandusingexternalcableswouldbeunacceptableinappearance.
AnotherapplicationforwirelessLANsistosupportmobileclientcomputers.Thesemobileclientscanrangefromlaptop-equippedtechnicalsupportpersonnelforacorporateinternetworktorovingcustomerservicerepresentativeswithspecializedhandhelddevices,suchasrentalcarandbaggagecheckworkersinairports.Withtoday’shandheldcomputersandawirelessLANprotocolthatisreliableandreasonablyfast,thepossibilitiesforitsuseareendless.Herearesomeexamples:
•Hospitalscanstorepatientrecordsinadatabaseandpermitdoctorsandnursestocontinuallyupdatethembyenteringnewinformationintoamobilecomputer.
•Workersinretailstorescandynamicallyupdateinventoryfiguresbyscanningtheitemsontheshelves.
•Atravelingsalespersoncanwalkintothehomeofficewithalaptopinhand,andassoonasthecomputeriswithinrangeofthewirelessnetwork,itconnectstotheLAN,downloadsnewe-mail,andsynchronizestheuser’sfileswithcopiesstoredonanetworkserver.
TheIEEE802.11StandardsIn1997,theIEEEpublishedthefirstversionofastandardthatdefinedthephysicalanddatalinklayerspecificationsforawirelessnetworkingprotocolthatwouldmeetthefollowingrequirements:
•Theprotocolwouldsupportstationsthatarefixed,portable,ormobile,withinalocalarea.Thedifferencebetweenportableandmobileisthataportablestationcanaccessthenetworkfromvariousfixedlocations,whileamobilestationcanaccessthenetworkwhileitisactuallyinmotion.
•Theprotocolwouldprovidewirelessconnectivitytoautomaticmachinery,equipment,orstationsthatrequirerapiddeployment—thatis,rapidestablishmentofcommunications.
•Theprotocolwouldbedeployableonaglobalbasis.
Thisdocument(asofthewritingofthischapter)isnowknownasIEEE802.11,2012edition,“WirelessLANMediumAccessControl(MAC)andPhysicalLayer(PHY)Specifications.”Because802.11wasdevelopedbythesameIEEE802committeeresponsibleforthe802.3(Ethernet)and802.5(TokenRing)protocols,itfitsintothesamephysicalanddatalinklayerstackarrangement.Thedatalinklayerisdividedintothelogicallinkcontrol(LLC)andmediaaccesscontrol(MAC)sublayers.The802.11documentsdefinethephysicallayerandMACsublayerspecificationsforthewirelessLANprotocol,andthesystemsusethestandardLLCsublayerdefinedinIEEE802.2.Fromthenetworklayerup,thesystemscanuseanystandardsetofprotocols,suchasTCP/IPorIPX.
NOTEFormoreinformationonLLC,seeChapter10.Despitetheinclusionof802.11inthesamecompanyasEthernetandTokenRing,the
useofwirelessmediacallsforcertainfundamentalchangesinthewayyouthinkaboutalocalareanetworkanditsuse.Someofthesechangesareasfollows:
•UnboundedmediaAwirelessnetworkdoesnothavereadilyobservableconnectionstothenetworkorboundariesbeyondwhichnetworkcommunicationceases.
•DynamictopologyUnlikecablednetworks,inwhichtheLANtopologyismeticulouslyplannedoutbeforetheinstallationandremainsstaticuntildeliberatechangesaremade,thetopologyofawirelessLANchangesfrequently,ifnotcontinuously.
•UnprotectedmediaThestationsonawirelessnetworkarenotprotectedfromoutsidesignalsascablednetworksare.Onacablednetwork,outsideinterferencecanaffectsignalquality,butthereisnowayforthesignalsfromtwoseparatebutadjacentnetworkstobeconfused.Onawirelessnetwork,rovingstationscanconceivablywanderintoadifferentnetwork’soperationalperimeter,compromisingsecurity.
•UnreliablemediaUnlikeacablednetwork,aprotocolcannotworkundertheassumptionthateverystationonthenetworkreceiveseverypacketandcancommunicatewitheveryotherstation.
•AsymmetricmediaThepropagationofdatatoallofthestationsonawirelessnetworkdoesnotnecessarilyoccuratthesamerate.Therecanbedifferencesinthetransmissionratesofindividualstationsthatchangeasthedevicemovesortheenvironmentinwhichitisoperatingchanges.
Asaresultofthesechanges,thetraditionalelementsofadatalinklayerLANprotocol(theMACmechanism,theframeformat,andthephysicallayerspecifications)havetobedesignedwithdifferentoperationalcriteriainmind.
ThePhysicalLayerThe802.11physicallayerdefinestwopossibletopologiesandthreetypesofwirelessmedia,operatingatfourpossiblespeeds.
PhysicalLayerTopologiesAsyoulearnedinChapter1,thetermtopologyusuallyreferstothewayinwhichthecomputersonanetworkareconnected.Abustopology,forexample,meansthateachcomputerisconnectedtothenextone,indaisy-chainfashion,whileinastartopology,eachcomputerisconnectedtoacentralhub.Theseexamplesapplytocablednetworks,however.Wirelessnetworksdon’thaveaconcretetopologylikecabledonesdo.Unboundedmediadevices,bydefinition,enablewirelessnetworkdevicestotransmitsignalstoalloftheotherdevicesonthenetworksimultaneously.However,thisdoesnotequatetoameshtopology,asdescribedinChapter1.Althougheachdevicetheoreticallycantransmitsignalstoalloftheotherwirelessdevicesonthenetworkatanytime,thisdoesnotnecessarilymeanthatitwill.Mobilityisanintegralpartofthewirelessnetworkdesign,andawirelessLANprotocolmustbeabletocompensateforsystemsthatenterandleavetheareainwhichthemediumcanoperate.Theresultisthatthetopologiesusedbywirelessnetworksarebasicrulesthattheyusetocommunicate,andnotstaticarrangementsofdevicesatspecificlocations.IEEE802.11supportstwotypesofwirelessnetworktopologies:theadhoctopologyandtheinfrastructuretopology.
Thefundamentalbuildingblockofan802.11wirelessLANisthebasicserviceset(BSS).ABSSisageographicalareainwhichproperlyequippedwirelessstationscancommunicate.TheconfigurationandareaoftheBSSaredependentonthetypeofwirelessmediumbeingusedandthenatureoftheenvironmentinwhichit’sbeingused,amongotherthings.Anetworkusingaradiofrequency–basedmediummighthaveaBSSthatisroughlyspherical,forexample,whileaninfrarednetworkwoulddealmorein
straightlines.TheboundariesoftheBSScanbeaffectedbyenvironmentalconditions,architecturalelementsofthesite,andmanyotherfactors,butwhenastationmoveswithinthebasicserviceset’ssphereofinfluence,itcancommunicatewithotherstationsinthesameBSS.WhenitmovesoutsideoftheBSS,communicationceases.
ThesimplesttypeofBSSconsistsoftwoormorewirelesscomputersorotherdevicesthathavecomewithintransmissionrangeofeachother,asshowninFigure6-1.TheprocessbywhichthedevicesenterintoaBSSiscalledassociation.Eachwirelessdevicehasanoperationalrangedictatedbyitsequipment,andasthetwodevicesapproacheachother,theareaofoverlapbetweentheirrangesbecomestheBSS.Thisarrangement,inwhichallofthenetworkdevicesintheBSSaremobileorportable,iscalledanadhoctopologyoranindependentBSS(IBSS).Thetermadhoctopologyreferstothefactthatanetworkofthistypemayoftencometogetherwithoutpriorplanningandexistonlyaslongasthedevicesneedtocommunicate.Thistypeoftopologyoperatesasapeer-to-peernetworkbecauseeverydeviceintheBSScancommunicatewitheveryotherdevice.Anexamplemightbetransmittingafiletoyourprinterordiagramtoacolleague’stablet.Multipleadhocnetworkscanbecreatedtotransferdatabetweenseveraldevices.Bytheirnature,adhocnetworksaretemporary.WhileFigure6-1depictstheBSSasroughlyovularandtheconvergenceofthecommunicatingdevicesasbeingcausedbytheirphysicallyapproachingeachother,theactualshapeoftheBSSislikelytobefarlessregularandmoreephemeral.Therangesofthedevicescanchangeinstantaneouslybecauseofmanydifferentfactors,andtheBSScangrow,shrink,orevendisappearentirelyatamoment’snotice.
Figure6-1Abasicservicesetcanbeassimpleastwowirelessstationswithincommunicationrangeofeachother.
Whileanadhocnetworkusesbasicservicesetsthataretransientandconstantlymutable,it’salsopossibletobuildawirelessnetworkwithbasicservicesetsthataremore
permanent.Thisisthebasisofanetworkthatusesaninfrastructuretopology.Aninfrastructurenetworkconsistsofatleastonewirelessaccesspoint(AP),whichiseitherastand-alonedeviceorawireless-equippedcomputerthatisalsoconnectedtoastandardboundednetworkusingacable.Theaccesspointhasanoperationalrangethatisrelativelyfixed(whencomparedtoanIBSS)andfunctionsasthebasestationforaBSS.AnymobilestationthatmoveswithintheAP’ssphereofinfluenceisassociatedintotheBSSandbecomesabletocommunicatewiththecablednetwork(seeFigure6-2).Notethatthisismoreofaclient-serverarrangementthanapeer-to-peerone.TheAPenablesmultiplewirelessstationstocommunicatewiththesystemsonthecablednetworkbutnotwitheachother.However,theuseofanAPdoesnotpreventmobilestationsfromcommunicatingwitheachotherindependentlyoftheAP.
Figure6-2Anaccesspointenableswirelessstationstoaccessresourcesonacablednetwork.
ItisbecausetheAPispermanentlyconnectedtothecablednetworkandnotmobilethatthistypeofnetworkissaidtouseaninfrastructuretopology.Thisarrangementistypicallyusedforcorporateinstallationsthathaveapermanentcablednetworkthatalsomustsupportwirelessdevicesthataccessresourcesonthecablednetwork.Aninfrastructurenetworkcanhaveanynumberofaccesspointsandthereforeanynumberofbasicservicesets.Thearchitecturalelementthatconnectsbasicservicesetstogetheriscalledadistributionsystem(DS).Together,thebasicservicesetsandtheDSthatconnectsthemarecalledtheextendedservicesset(ESS).Inpractice,theDSistypicallyacablednetworkusingIEEE802.3(Ethernet)oranotherstandarddatalinklayerprotocol,butthenetworkcanconceivablyuseawirelessdistributionsystem(WDS).Technically,theAPinanetworkofthistypeisalsocalledaportalbecauseitprovidesaccesstoanetworkusinganotherdatalinklayerprotocol.It’spossiblefortheDStofunctionsolelyasameansof
connectingAPsandnotprovideaccesstoresourcesonacablednetwork.WhetherthemediausedtoformtheBSSandtheDSarethesameordifferent(thestandardtakesnostanceeitherway),802.11logicallyseparatesthewirelessmediumfromthedistributionsystemmedium.
Thebasicservicesetsconnectedbyadistributionsystemcanbephysicallyconfiguredinalmostanyway.Thebasicservicesetscanbewidelydistantfromeachothertoprovidewirelessnetworkconnectivityinspecificremoteareas,ortheycanoverlaptoprovidealargeareaofcontiguouswirelessconnectivity.It’salsopossibleforaninfrastructureBSStobeconcurrentwithanIBSS.The802.11standardmakesnodistinctionbetweenthetwotopologiesbecausebothmustpresentthesameappearancetotheLLCsublayeroperatingattheupperhalfofthedatalinklayer.
PhysicalLayerMediaTheoriginalIEEE802.11standarddefinedthreephysicallayermedia,twothatusedradiofrequency(RF)signalsandonethatusedinfraredlightsignals.AwirelessLANcoulduseanyoneofthethreemedia,allofwhichinterfacewiththesameMAClayer.Thesethreemediawereasfollows:
•Frequency-hoppingspreadspectrum(FHSS)
•Direct-sequencespreadspectrum(DSSS)
•Infrared
ThetwoRFmediabothusedspreadspectrumcommunication,whichisacommonformofradiotransmissionusedinmanywirelessapplications.Inventedduringthe1940s,spreadspectrumtechnologytakesanexistingnarrowbandradiosignalanddividesitamongarangeoffrequenciesinanyoneofseveralways.Theresultisasignalthatutilizesmorebandwidthbutislouderandeasierforareceivertodetect.Atthesametime,thesignalisdifficulttointerceptbecauseattemptstolocateitbyscanningthroughthefrequencybandsturnuponlyisolatedfragments.Itisalsodifficulttojambecauseyouwouldhavetoblockawiderrangeoffrequenciesforthejammingtobeeffective.
The802.11RFmediaoperateinthe2.4GHzfrequencyband,occupyingthe83MHzofbandwidthbetween2.400and2.483GHz.Thesefrequenciesareunlicensedinmostcountries,althoughtherearevaryinglimitationsonthesignalstrengthimposedbydifferentgovernments.
Thedifferencebetweenthevarioustypesofspreadspectrumcommunicationsliesinthemethodbywhichthesignalsaredistributedamongthefrequencies.Frequency-hoppingspreadspectrum,forexample,usedapredeterminedcodeoralgorithmtodictatefrequencyshiftsthatoccurcontinually,indiscreteincrements,overawidebandoffrequencies.The802.11FHSSimplementationcalledforseventynine1MHzchannels,althoughsomecountriesimposedsmallerlimits.Obviously,thereceivingdevicemustbeequippedwiththesamealgorithminordertoreadthesignalproperly.Therateatwhichthefrequencychanges(thatis,theamountoftimethatthesignalremainsateachfrequencybeforehoppingtothenextone)isindependentofthebitrateofthedatatransmission.Ifthefrequency-hoppingrateisfasterthanthesignal’sbitrate,thetechnologyiscalledafasthopsystem.lfthefrequency-hoppingrateisslowerthanthebit
rate,youhaveaslowhopsystem.The802.11FHSSimplementationranat1Mbps,withanoptional2Mbpsrate.
Indirect-sequencespreadspectrumcommunications,thesignaltobetransmittedismodulatedbyadigitalcodecalledachiporclappingcode,whichhasabitratelargerthanthatofthedatasignal.Thechippingcodeisaredundantbitpatternthatessentiallyturnseachbitinthedatasignalintoseveralbitsthatareactuallytransmitted.Thelongerthechippingcode,themoretheoriginaldatasignalisenlarged.Thisenlargementofthesignalmakesiteasierforthereceivertorecoverthetransmitteddataifsomebitsaredamaged.Themorethesignalisenlarged,thelesssignificanceattributedtoeachbit.LikewithFHSS,areceiverthatdoesn’tpossessthechippingcodeusedbythetransmittercan’tinterprettheDSSSsignal,seeingitasjustnoise.TheDSSSimplementationintheoriginal802.11documentsupported1and2Mbpstransmissionrates.IEEE802.11bexpandedthiscapabilitybyaddingtransmissionratesof5.5and11Mbps.OnlyDSSSsupportedthesefasterrates,whichistheprimaryreasonwhyitwasthemostcommonlyused802.11physicallayerspecification.
Lateramendmentshaveimprovedonthetransmissionrates,asshowninTable6-3.
Table6-3802.11StandardsandCurrentAmendments
Infraredcommunicationsusefrequenciesinthe850to950nanometerrange,justbelowthevisiblelightspectrum.ThismediumisrarelyimplementedonwirelessLANsbecauseofitslimitedrange.Unlikemostinfraredmedia,theIEEE802.11infraredimplementationdoesnotrequiredirectline-of-sightcommunications;aninfrarednetworkcanfunctionusingdiffuseorreflectedsignals.However,therangeofcommunicationsislimitedwhencomparedtoFHSSandDSSS,about10to20meters,andcanfunctionproperlyonlyinanindoorenvironmentwithsurfacesthatprovideadequatesignaldiffusionorreflection.ThismakesinfraredunsuitableformobiledevicesandplacesmoreconstraintsonthephysicallocationofthewirelessdevicethaneitherFHSSorDHSS.LikeFHSS,the802.11infraredmediumsupporteda1Mbpstransmissionrateandanoptionalrateof2Mbps.
OrthogonalFrequencyDivisionMultiplexingwasapprovedin1999.Thisprotocolincreasesthroughputto54Mbps,andin2003thisprocesswasapprovedforthe2.4GHzband.ThismethodisoftenusedforwidebandtransmissionpopularforDSLInternetaccess,4Gmobilecommunication,anddigitaltelevision.Itsmainadvantageistheuseofmultiple,narrowbandcarriersratherthanonewidebandcarriertotransportdata.Itisefficientandworkswellevenwhenreceivinginterferencefromanarrowband.However,
OFDMissensitivetofrequencyoffset,anintentionalshiftofbroadcastfrequenciesdonetoeliminateorlesseninterferencefromotherradiotransmitters.
Since1999therehavebeenseveralamendmentstotheIEEE802.11standard,asshowninTable6-3.
NOTETable6-3showsinformationasofthewritingofthischapter.
PhysicalLayerFramesInsteadofarelativelysimplesignalingschemesuchastheManchesterandDifferentialManchestertechniquesusedbyEthernetandTokenRing,respectively,themediaoperatingatthe802.11physicallayerhavetheirownframeformatsthatencapsulatetheframesgeneratedatthedatalinklayer.Thisisnecessarytosupportthecomplexnatureofthemedia.
TheFrequency-HoppingSpreadSpectrumFrameTheFHSSframeconsistsofthefollowingfields:
•Preamble(10bytes)Contains80bitsofalternatingzerosandonesthatthereceivingsystemusestodetectthesignalandsynchronizetiming.
•StartofFrameDelimiter(2bytes)Indicatesthebeginningoftheframe.
•Length(12bits)Specifiesthesizeofthedatafield.
•Signaling(4bits)Containsonebitthatspecifieswhetherthesystemisusingthe1or2Mbpstransmissionrate.Theotherthreebitsarereservedforfutureuse.Nomatterwhichtransmissionratethesystemisusing,thepreambleandheaderfieldsarealwaystransmittedat1Mbps.Onlythedatafieldistransmittedat2Mbps.
•CRC(2bytes)Containsacyclicredundancycheckvalue,usedbythereceivingsystemtotestfortransmissionerrors.
•Data(0to4,095bytes)Containsthedatalinklayerframetobetransmittedtothereceivingsystem.
TheDirect-SequenceSpreadSpectrumFrameTheDSSSframeisillustratedinFigure6-3andconsistsofthefollowingfields:
•Preamble(16bytes)Contains128bitsthatthereceivingsystemusestoadjustitselftotheincomingsignal
•StartofFrameDelimiter(SFD)(2bytes)Indicatesthebeginningoftheframe
•Signal(1byte)Specifiesthetransmissionrateusedbythesystem
•Service(1byte)ContainsthehexadecimalvalueO0,indicatingthatthesystemcomplieswiththeIEEE802.11standard
•Length(2bytes)Specifiesthesizeofthedatafield
•CRC(2bytes)Containsacyclicredundancycheckvalue,usedbythereceivingsystemtotestfortransmissionerrors
•Data(variable)Containsthedatalinklayerframetobetransmittedtothereceivingsystem
Figure6-3TheDSSSframeformat
TheInfraredFrameTheframeusedforinfraredtransmissionsconsistsofthefollowingfields:
•Synchronization(SYNC)(57to73slots)Usedbythereceivingsystemtosynchronizetimingand,optionally,toestimatethesignal-to-noiseratioandperformotherpreparatoryfunctions
•StartofFrameDelimiter(SFD)(4slots)Indicatesthebeginningoftheframe
•DataRate(3slots)Specifiesthetransmissionrateusedbythesystem
•DCLevelAdjustment(DCLA)(32slots)UsedbythereceivertostabilizetheDClevelafterthetransmissionoftheprecedingfields
•Length(2bytes)Specifiesthesizeofthedatafield
•CRC(2bytes)Containsacyclicredundancycheckvalue,usedbythereceivingsystemtotestfortransmissionerrors
•Data(0to2,500bytes)Containsthedatalinklayerframetobetransmittedtothereceivingsystem
TheOrthogonalFrequencyDivisionMultiplexingFrameTheOFDMframehasfourregions:
•ShortPreambleThissectionconsistsof10shortsymbolsthathavebeenassignedtosubcarriers(-24through24).
•LongPreambleThisincludestwolongsymbolsthathavebeenassignedtoallsubcarriers.
•SignalFieldThiscontainsoneOFDMsymbolthatisassignedtoall
subcarriers.Thesignalfieldisnotscrambled.
•Data/ServiceFieldThisregionisscrambledandtheencodinganddataratesvary,alongwiththemodulation.
TheDataLinkLayerLikewithIEEE802.3(Ethernet)and802.5(TokenRing),the802.11documentdefinesonlyhalfofthefunctionalityfoundatthedatalinklayer.LiketheotherIEEE802protocols,theLLCsublayerformstheupperhalfofthedatalinklayerandisdefinedintheIEEE802.2standard.The802.11documentdefinestheMACsublayerfunctionality,whichconsistsofaconnectionlesstransportservicethatcarriesLLCdatatoadestinationonthenetworkintheformofMACservicedataunits(MSDUs).Likeotherdatalinklayerprotocols,thisserviceisdefinedbyaframeformat(actuallyseveralframeformats,inthiscase)andamediaaccesscontrolmechanism.TheMACsublayeralsoprovidessecurityservices,suchasauthenticationandencryption,andreorderingofMSDUs.
DataLinkLayerFramesThe802.11standarddefinesthreebasictypesofframesattheMAClayer,whichareasfollows:
•DataframesUsedtotransmitupperlayerdatabetweenstations
•ControlframesUsedtoregulateaccesstothenetworkmediumandtoacknowledgetransmitteddataframes
•ManagementframesUsedtoexchangenetworkmanagementinformationtoperformnetworkfunctionssuchasassociationandauthentication
Figure6-4showsthegeneralMACframeformat.Thefunctionsoftheframefieldsareasfollows:
•FrameControl(2bytes)Contains11subfieldsthatenablevariousprotocolfunctions.Thesubfieldsareasfollows:
•ProtocolVersion(2bits)Thisspecifiestheversionofthe802.11standardbeingused.
•Type(2bits)Thisspecifieswhetherthepacketcontainsamanagementframe(00),acontrolframe(01),oradataframe(10).
•Subtype(4bits)Thisidentifiesthespecificfunctionoftheframe.
•ToDS(1bit)Avalueof1inthisfieldindicatesthattheframeisbeingtransmittedtothedistributionsystem(DS)viaanaccesspoint(AP).
•FromDS(1bit)Avalueof1inthisfieldindicatesthattheframeisbeingreceivedfromtheDS.
•MoreFrag(1bit)Avalueof1indicatesthatthepacketcontainsafragmentofaframeandthattherearemorefragmentsstilltobetransmitted.WhenfragmentingframesattheMAClayer,an802.11systemmustreceivean
acknowledgmentforeachfragmentbeforetransmittingthenextone.
•Retry(1bit)Avalueof1indicatesthatthepacketcontainsafragmentofaframethatisbeingretransmittedafterafailuretoreceiveanacknowledgment.Thereceivingsystemusesthisfieldtorecognizeduplicatepackets.
•PwrMgt(1bit)Avalueof0indicatesthatthestationisoperatinginactivemode;avalueof1indicatesthatthestationisoperatinginpower-savemode.APsbufferpacketsforstationsoperatinginpower-savemodeuntiltheychangetoactivemodeorexplicitlyrequestthatthebufferedpacketsbetransmitted.
•MoreData(1bit)Avalueof1indicatesthatanAPhasmorepacketsforthestationthatarebufferedandawaitingtransmission.
•WEP(1bit)Avalueof1indicatesthattheFrameBodyfieldhasbeenencryptedusingtheWiredEquivalentPrivacy(WEP)algorithm,whichisthesecurityelementofthe802.11standard.WEPcanbeusedonlyinmanagementframesusedtoperformauthentications.
•Order(1bit)Avalueof1indicatesthatthepacketcontainsadataframe(orfragment)thatisbeingtransmittedusingtheStrictlyOrderedserviceclass,whichisdesignedtosupportprotocolsthatcannotprocessreorderedframes.
•Duration/ID(2bytes)Incontrolframesusedforpower-savepolling,thisfieldcontainstheassociationidentity(AID)ofthestationtransmittingtheframe.Inallotherframetypes,thefieldindicatestheamountoftime(inmicroseconds)neededtotransmitaframeanditsshortinterframespace(SIFS)interval.
•Address1(6bytes)Thiscontainsanaddressthatidentifiestherecipientoftheframe,usingoneofthefiveaddressesdefinedin802.11MACsublayercommunications,dependingonthevaluesoftheToDSandFromDSfields.
•Address2(6bytes)Thiscontainsoneofthefiveaddressesusedin802.11MACsublayercommunications,dependingonthevaluesoftheToDSandFromDSfields.
•Address3(6bytes)Thiscontainsoneofthefiveaddressesusedin802.11MACsublayercommunications,dependingonthevaluesoftheToDSandFromDSfields.
•SequenceControl(2bytes)Thiscontainstwofieldsusedtoassociatethefragmentsofaparticularsequenceandassemblethemintotherightorderatthedestinationsystem:
•FragmentNumber(4bits)Containsavaluethatidentifiesaparticularfragmentinasequence.
•SequenceNumber(12bits)Containsavaluethatuniquelyidentifiesthesequenceoffragmentsthatmakeupadataset.
•Address4(6bytes)Thiscontainsoneofthefiveaddressesusedin802.11
MACsublayercommunications,dependingonthevaluesoftheToDSandFromDSfields.Itisnotpresentincontrolandmanagementframesandsomedataframes.
•FrameBody(0to2,312bytes)Thiscontainstheactualinformationbeingtransmittedtothereceivingstation.
•FrameCheckSequence(4bytes)Thiscontainsacyclicredundancycheck(CRC)valueusedbythereceivingsystemtoverifythattheframewastransmittedwithouterrors.
Figure6-4TheIEEE802.11MACsublayerframeformat
ThefouraddressfieldsintheMACframeidentifydifferenttypesofsystemsdependingonthetypeofframebeingtransmittedanditsdestinationinrelationtotheDS.Thefivedifferenttypesofaddressesareasfollows:
•Sourceaddress(SA)AnIEEEMACindividualaddressthatidentifiesthesystemthatgeneratedtheinformationcarriedintheFrameBodyfield.
•Destinationaddress(DA)AnIEEEMACindividualorgroupaddressthatidentifiesthefinalrecipientofanMSDU.
•Transmitteraddress(TA)AnIEEEMACindividualaddressthatidentifiesthesystemthattransmittedtheinformationintheFrameBodyfieldonthecurrentwirelessmedium(typicallyanAP).
•Receiveraddress(RA)AnIEEEMACindividualorgroupaddressthatidentifiestheimmediaterecipientoftheinformationintheFrameBodyfieldonthecurrentwirelessmedium(typicallyanAP).
•BasicservicesetID(BSSID)AnIEEEMACaddressthatidentifiesaparticularBSS.Onaninfrastructurenetwork,theBSSIDistheMACaddressofthestationfunctioningastheAPoftheBSS.Onanadhocnetwork(IBSS),theBSSIDisarandomlygeneratedvaluegeneratedduringthecreationoftheIBSS.
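The following Python decoder is an added example, not code from the book: it unpacks the Frame Control subfields, Duration/ID, Sequence Control and address fields of a data frame exactly as listed above and verifies the Frame Check Sequence with CRC-32. The mapping of Address 1 to 4 onto SA/DA/BSSID/RA/TA for each To DS/From DS combination is taken from the 802.11 standard's data-frame address table (the book only says the roles depend on those two bits), and all MAC addresses and payloads are constructed sample values.

```python
import struct
import zlib
from dataclasses import dataclass

# Address roles of a data frame by (To DS, From DS), from the 802.11 standard's address table.
DATA_FRAME_ADDRESS_ROLES = {
    (False, False): ("DA", "SA", "BSSID"),   # IBSS: station to station
    (False, True): ("DA", "BSSID", "SA"),    # AP to station
    (True, False): ("BSSID", "SA", "DA"),    # station to AP
    (True, True): ("RA", "TA", "DA"),        # AP to AP over a WDS; Address 4 carries SA
}


@dataclass
class FrameControl:
    protocol_version: int
    type: int        # 0 = management, 1 = control, 2 = data
    subtype: int
    to_ds: bool
    from_ds: bool
    more_frag: bool
    retry: bool
    pwr_mgt: bool
    more_data: bool
    wep: bool        # the WEP bit (later renamed Protected Frame)
    order: bool


def parse_frame_control(raw: int) -> FrameControl:
    """Split the 16-bit Frame Control value (little-endian on the air) into its 11 subfields:
    Version, Type and Subtype sit in the low byte, the eight one-bit flags in the high byte."""
    return FrameControl(
        protocol_version=raw & 0x3, type=(raw >> 2) & 0x3, subtype=(raw >> 4) & 0xF,
        to_ds=bool(raw & 0x0100), from_ds=bool(raw & 0x0200), more_frag=bool(raw & 0x0400),
        retry=bool(raw & 0x0800), pwr_mgt=bool(raw & 0x1000), more_data=bool(raw & 0x2000),
        wep=bool(raw & 0x4000), order=bool(raw & 0x8000),
    )


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(to_ds, from_ds, a1, a2, a3, a4=None, seq=0, frag=0, duration=0, body=b""):
    """Assemble a data frame (subtype 0) with a CRC-32 FCS; used here only to construct test input."""
    fc_raw = 2 << 2                              # Type = 10 (data), Subtype = 0000
    fc_raw |= 0x0100 if to_ds else 0
    fc_raw |= 0x0200 if from_ds else 0
    header = struct.pack("<HH", fc_raw, duration) + a1 + a2 + a3
    header += struct.pack("<H", (seq << 4) | frag)   # Sequence Control: 12-bit seq, 4-bit frag
    if to_ds and from_ds:
        header += a4                                 # Address 4 exists only in the WDS case
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def parse_data_frame(frame: bytes) -> dict:
    """Decode the general MAC header of a data frame, label its addresses and check the FCS."""
    if len(frame) < 24 + 4:
        raise ValueError("shorter than a 24-byte header plus 4-byte FCS")
    fc_raw, duration = struct.unpack_from("<HH", frame, 0)
    fc = parse_frame_control(fc_raw)
    if fc.type != 2:
        raise ValueError("only data frames are handled by this decoder")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    header_len = 24
    roles = DATA_FRAME_ADDRESS_ROLES[(fc.to_ds, fc.from_ds)]
    addresses = dict(zip(roles, (mac_str(a1), mac_str(a2), mac_str(a3))))
    if fc.to_ds and fc.from_ds:
        if len(frame) < 30 + 4:
            raise ValueError("four-address frame too short")
        addresses["SA"] = mac_str(frame[24:30])
        header_len = 30
    (fcs,) = struct.unpack_from("<I", frame, len(frame) - 4)
    return {
        "frame_control": fc,
        "duration_us": duration,
        "addresses": addresses,
        "fragment_number": seq_ctl & 0xF,
        "sequence_number": seq_ctl >> 4,
        "body": frame[header_len:-4],
        # A failed FCS is what makes the receiver silently drop the frame instead of sending an ACK.
        "fcs_ok": (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == fcs,
    }


# Constructed sample: station 02:00:00:00:00:01 sends to wired host 02:00:00:00:00:02 through
# an AP whose BSSID is aa:bb:cc:dd:ee:ff, so To DS = 1 and From DS = 0.
BSSID = bytes.fromhex("aabbccddeeff")
STA = bytes.fromhex("020000000001")
HOST = bytes.fromhex("020000000002")
SAMPLE_FRAME = build_data_frame(True, False, BSSID, STA, HOST, seq=5, duration=44, body=b"hello")
```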
Media Access Control

As with all data link layer protocols that use a shared network medium, the media access control mechanism is one of the protocol's primary defining elements. IEEE 802.11 defines the use of a MAC mechanism called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which is a variation of the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) mechanism used by Ethernet.

The basic functional characteristics of wireless networks have a profound effect on the MAC mechanisms they can use. For example, the Ethernet CSMA/CD mechanism and the token-passing method used by Token Ring and FDDI networks both require every device on the network to receive every transmitted packet. An Ethernet system that doesn't receive every packet can't detect collisions reliably. In addition, the Ethernet collision detection mechanism requires full-duplex communications (because the indication that a collision has occurred is simultaneous transmit and receive signals), which is impractical in a wireless environment. If a token-passing system fails to receive a packet, the problem is even more severe because the packet cannot then be passed on to the rest of the network, and network communication stops entirely. One of the characteristics of the wireless networks defined in 802.11, however, is that stations can repeatedly enter and leave the BSS because of their mobility and the vagaries of the wireless medium. Therefore, the MAC mechanism on a wireless network must be able to accommodate this behavior.

The CSMA part of the CSMA/CA mechanism is the same as that of an Ethernet network. A computer with data to transmit listens to the network medium and, if it is free, begins transmitting its data. If the network is busy, the computer backs off for a randomly selected interval and begins the listening process again. Also like Ethernet, the CSMA part of the process can result in collisions. The difference in CSMA/CA is that systems attempt to avoid collisions in the first place by reserving bandwidth in advance. This is done by specifying a value in the Duration/ID field or using specialized control messages called request-to-send (RTS) and clear-to-send (CTS).

The carrier sense part of the transmission process occurs on two levels, the physical and the virtual. The physical carrier sense mechanism is specific to the physical layer medium the network is using and is equivalent to the carrier sense performed by Ethernet systems. The virtual carrier sense mechanism, called a network allocation vector (NAV), involves the transmission of an RTS frame by the system with data to transmit and a response from the intended recipient in the form of a CTS frame. Both of these frames have a value in the Duration/ID field that specifies the amount of time needed for the sender to transmit the forthcoming data frame and receive an acknowledgment (ACK) frame in return. This message exchange essentially reserves the network medium for the life of this particular transaction, which is where the collision avoidance part of the mechanism comes in. Since both the RTS and CTS messages contain the Duration/ID value, any other system on the network receiving either one of the two observes the reservation and refrains from trying to transmit its own data during that time interval. This way, a station that is capable of receiving transmissions from one computer but not the other can still observe the CSMA/CA process.

In addition, the RTS/CTS exchange enables a station to more easily determine whether communication with the intended recipient is possible. If the sender of an RTS frame fails to receive a CTS frame from the recipient in return, it retransmits the RTS frame repeatedly until a preestablished timeout is reached. Retransmitting the brief RTS message is much quicker than retransmitting large data frames, which shortens the entire process.

To detect collisions, IEEE 802.11 uses a positive acknowledgment system at the MAC sublayer. Each data frame that a station transmits must be followed by an ACK frame from the recipient, which is generated after a CRC check of the incoming data. If the frame's CRC check fails, the recipient considers the packet to have been corrupted by a collision (or other phenomenon) and silently discards it. The station that transmitted the original data frame then retransmits it as many times as needed to receive an ACK, up to a predetermined limit. Note that the failure of the sender to receive an ACK frame could be because of the corruption or nondelivery of the original data frame or the nondelivery of an ACK frame that the recipient did send in return. The 802.11 protocol does not distinguish between the two.
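As an added example (not from the book), the following Python model plays the RTS, CTS, DATA and ACK exchange described above across four stations and tracks each station's physical carrier sense and NAV separately. Station C is hidden from the sender A and hears only the AP B, so it learns of the reservation solely from the CTS; the station names, reachability sets, SIFS value and airtimes are constructed, and the Duration/ID values are derived from them the way the text describes (time remaining until the ACK has been received).

```python
from dataclasses import dataclass

SIFS_US = 10  # constructed short interframe space, used only to shape the Duration/ID values

# Constructed topology: who hears whom. A and C cannot hear each other (hidden stations);
# B is the AP; D hears A and B. A station never "hears" its own frames.
REACH = {"A": {"B", "D"}, "B": {"A", "C", "D"}, "C": {"B"}, "D": {"A", "B"}}


@dataclass
class Frame:
    kind: str          # "RTS", "CTS", "DATA" or "ACK"
    sender: str
    receiver: str
    airtime_us: int    # how long the frame itself occupies the medium
    duration_us: int   # Duration/ID: medium time reserved after this frame ends


@dataclass
class Station:
    name: str
    nav_until: int = 0   # virtual carrier sense (NAV): medium reserved until this time
    phy_until: int = 0   # physical carrier sense: energy heard on the medium until this time

    def hear(self, now: int, frame: Frame) -> None:
        """Update both carrier-sense timers from a frame this station actually received."""
        end = now + frame.airtime_us
        self.phy_until = max(self.phy_until, end)
        if frame.receiver != self.name:
            # Someone else's exchange: honour its Duration/ID, counted from the end of the frame.
            self.nav_until = max(self.nav_until, end + frame.duration_us)

    def may_transmit(self, now: int) -> bool:
        return now >= self.nav_until and now >= self.phy_until


class Medium:
    """Delivers each frame to the stations within the sender's reach set."""

    def __init__(self, reach: dict):
        self.reach = reach
        self.stations = {name: Station(name) for name in reach}

    def transmit(self, now: int, frame: Frame) -> None:
        tx = self.stations[frame.sender]
        tx.phy_until = max(tx.phy_until, now + frame.airtime_us)  # busy while sending
        for name in self.reach[frame.sender]:
            self.stations[name].hear(now, frame)

    def deferring(self, now: int) -> list:
        """Names of the stations that must not transmit at this instant."""
        return sorted(n for n, s in self.stations.items() if not s.may_transmit(now))


def rts_cts_exchange() -> list:
    """Schedule of (start_us, Frame) for A sending one data frame to B, with constructed airtimes."""
    rts, cts, data, ack = 20, 14, 200, 14
    rts_dur = 3 * SIFS_US + cts + data + ack    # RTS reserves CTS, DATA and ACK plus three SIFS gaps
    cts_dur = rts_dur - SIFS_US - cts           # CTS reserves the remainder of the exchange
    t0 = 0
    t1 = t0 + rts + SIFS_US
    t2 = t1 + cts + SIFS_US
    t3 = t2 + data + SIFS_US
    return [
        (t0, Frame("RTS", "A", "B", rts, rts_dur)),
        (t1, Frame("CTS", "B", "A", cts, cts_dur)),
        (t2, Frame("DATA", "A", "B", data, SIFS_US + ack)),   # DATA reserves only the ACK
        (t3, Frame("ACK", "B", "A", ack, 0)),
    ]


def run_rts_cts_scenario(until_us=None) -> Medium:
    """Replay the exchange; with until_us set, only frames that started before that time are applied."""
    medium = Medium(REACH)
    for start, frame in rts_cts_exchange():
        if until_us is None or start < until_us:
            medium.transmit(start, frame)
    return medium


if __name__ == "__main__":
    m = run_rts_cts_scenario(until_us=259)   # inside the SIFS gap between DATA and ACK
    for name, st in sorted(m.stations.items()):
        print(name, "phy busy until", st.phy_until, "us, NAV until", st.nav_until, "us")
    print("deferring at 259 us:", m.deferring(259))
```

At 259 us the hidden station C hears nothing on the medium (its physical carrier sense expired at 44 us), yet it still defers because the CTS it heard set its NAV to 278 us, the end of the ACK.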
NOTEForadditionalinformationaboutcurrent802.11standards,seeChapters12and24.
CHAPTER
7 WideAreaNetworks
Thephysicalanddatalinklayerprotocolsusedtobuildlocalareanetworks(LANs)arequiteefficientoverrelativelyshortdistances.Evenforcampusconnectionsbetweenbuildings,fiber-opticsolutionsenableyoutouseaLANprotocolsuchasEthernetthroughoutyourwholeinternetwork.However,whenyouwanttomakeaconnectionoveralongdistance,youmoveintoanentirelydifferentworldofdatacommunicationscalledwideareanetworking.Awideareanetwork(WAN)isacommunicationslinkthatspansalongdistanceandconnectstwoormoreLANs.
WANconnectionsmakeitpossibletoconnectnetworksindifferentcitiesorcountries,enablinguserstoaccessresourcesatremotelocations.ManycompaniesuseWANlinksbetweenofficelocationstoexchangee-mail,groupware,anddatabaseinformation,orevenjusttoaccessfilesandprintersonremoteservers.Banksandairlines,forexample,useWANsbecausetheymustbeincontinualcommunicationwithalloftheirbranchofficestokeeptheirdatabasesupdated,butWANconnectionscanalsofunctiononamuchsmallerscale,suchasasystemthatperiodicallydialsintoaremotenetworktosendandretrievethelateste-mailmessages.
Today,withtheincreaseduseofcloudtechnology,WANvisualizationandoptimizationarebecomingmorecommon.SeeChapter26formoreinformationaboutthesetwoareas.
AWANconnectionrequiresarouterorabridgeateachendtoprovidetheinterfacetotheindividualLANs,asshowninFigure7-1.Thisreducestheamountoftrafficthatpassesacrossthelink.RemotelinkbridgesconnectLANsrunningthesamedatalinklayerprotocolatdifferentlocationsusingananalogordigitalWANlink.ThebridgespreventunnecessarytrafficfromtraversingthelinkbyfilteringpacketsaccordingtotheirdatalinklayerMACaddresses.However,bridgesdopassbroadcasttrafficacrosstheWANlink.Dependingonthespeedoftheintendedlinkandapplications,thismaybeahugewasteofbandwidth.It’spossibletomakeagoodcasethatusingremotelinkbridgestoconnectnetworksattwositesistechnicallynotaWANbecauseyouareactuallyjoiningthetwositesintoasinglenetwork,insteadcreatinganinternetwork.However,whetherthefinalresultisanetworkoraninternetwork,thetechnologiesusedtojointhetwositesarethesameandarecommonlycalledWANlinks.
Figure 7-1 Routers or bridges connect WAN links to LANs.
If the WAN link is intended only for highly specific uses, such as e-mail access, data link layer bridges can be wasteful because they provide less control over the traffic that is permitted to pass over the link. Routers, on the other hand, keep the two LANs completely separate. In fact, the WAN link is a network in itself that connects only two systems, namely, the routers at each end of the connection. Routers pass no broadcasts over the WAN link (except in exceptional cases, such as when you use DHCP or BOOTP relay agents). Therefore, administrators can exercise greater control over the traffic passing between the LANs. Routers also enable you to use different data link layer protocols on each of the LANs because they operate at the network layer of the Open Systems Interconnection (OSI) model.
While bridges are always separate units, the routers used to connect two networks with a WAN link can take the form of either a computer or a dedicated hardware device. When a remote user connects to a host PC with a connection and accesses other systems on the network, the host PC is functioning as a router. Most sites use dedicated routers. The router or bridge located at each terminus of the WAN link is connected to the local LAN and to whatever hardware is used to make the physical layer connection to the WAN.
Introduction to Telecommunications
When you enter the world of wide area networking, you experience a major paradigm shift from the local area networking world. When you design, build, and maintain a LAN, you are working with equipment that you (or your organization) own and control completely. Once you pay for the equipment itself, the network and its bandwidth are yours to do with as you please. When you connect networks using WAN links, however, you almost never own all of the technology used to make the connections. Unless your organization has the means to run its own long-distance fiber-optic cables or launch its own satellite (and we're talking millions, if not billions, of dollars needed to do this in most cases), you have to deal with a third-party telecommunications service provider that makes it possible for you to send your data signals over long distances.
The need to rely on an outside service provider for WAN communications can enormously complicate the process of designing, installing, and maintaining the network. LAN technicians are often tinkerers by trade. When problems with the network occur, they have their own procedures for investigating, diagnosing, and resolving them, knowing that the cause is somewhere nearby if they can only find it. Problems with WAN connections can conceivably be caused by the equipment located at one of the connected sites, but it's more likely for the trouble to be somewhere in the service provider's network infrastructure. A heavy equipment operator a thousand miles away in Akron, Ohio, can sever a trunk cable while digging a trench, causing your WAN link to go down. Solar flares on the surface of the sun 93 million miles away can disturb satellite communications, causing your WAN link to go down. In either case, there is nothing you can do about it except call your service provider and complain. Because of this reliance on outside parties, many network administrators maintain backup WAN links that use a different technology or service provider for critical connections.
Telecommunications is a separate networking discipline unto itself that is at least as complicated as data networking, if not more so. (If you think that local area networking has a lot of cryptic acronyms, wait until you start studying telecommunications.) A large organization relies at least as much on telecommunications technology as on its data networking technology. If the computer network goes down, people complain loudly; if the phone system goes down, people quickly begin to panic. In many large organizations, the people who manage the telecommunications infrastructure are different from those who administer the data network. However, it is in the area of WAN communications that these two disciplines come together. It isn't common to find technical people who are equally adept at data networking and telecommunications; most technicians tend to specialize in one or the other. However, a LAN administrator has to know something about telecommunications if the organization has offices at multiple locations that are to be connected using WANs.
All data networking is about bandwidth, or the ability to transmit signals between systems at a given rate of speed. On a LAN, when you want to increase the bandwidth available to users, you can upgrade to a faster protocol or add network connection components such as bridges, switches, and routers. After the initial outlay for the new equipment and its installation, the network has more bandwidth, forever. In the world of telecommunications, bandwidth costs money, often lots of it. If you want to increase the speed of a WAN link between two networks, not only do you have to purchase new equipment, but you probably also have to pay additional fees to your service provider. Depending on the technology you've chosen and your service provider, you may have to pay a fee to have the equipment installed, a fee to set up the new service, and permanent monthly subscriber fees based on the amount of bandwidth you want. Combined, these fees can be substantial, and they're ongoing; you continue to pay as long as you use the service.
The result of this expense is that WAN bandwidth is far more expensive than LAN bandwidth. In nearly every case, your LANs will run at speeds far exceeding those of your WAN connections, as shown in Table 7-1.
Table 7-1 LANs vs. WANs
WAN Utilization
WAN technologies vary in the way they're structured, the way you pay for them, and the way you use them. The costs of specific technologies depend on your location.
Selecting a WAN Technology
The selection of a WAN connection for a specific purpose is generally a trade-off between speed and expense. Because your WAN links will almost certainly run more slowly than the networks that they connect, and cost more as well, it's important to determine just how much bandwidth you need and when you need it as you design your network.
It usually is not practical to use a WAN link in the same way you would use a LAN connection. You might have to limit the amount of traffic that passes over the link in ways other than just using routers at each end. One way is to schedule certain tasks that require WAN communications to run at off-peak hours. For example, database replication tasks can easily monopolize a WAN link for extended periods of time, delaying normal user activities. Many applications that require periodic data replication, including directory services such as Active Directory, enable you to specify when these activities should take place. Active Directory, for example, enables you to split your internetwork into units called sites and regulate the time and frequency of the replication that occurs between domain controllers at different sites.
Before you select a WAN technology, you should consider the applications for which it will be used. Different functions require different amounts of bandwidth and different types as well. E-mail, for example, not only requires relatively little bandwidth but also is intermittent in its traffic. High-end applications, such as full-motion video, not only require enormous amounts of bandwidth but also require that the bandwidth be continuously available to avoid dropouts in service. The needs of most organizations fall somewhere between these two extremes, but it is important to remember that the continuity of the bandwidth can sometimes be as important as the transmission rate.
NOTE While the transmission rates shown in Table 7-2 indicate the maximum rated throughput, these rates are not usually reflected in reality, for a variety of reasons.
Table 7-2 WAN Technologies and Their Transmission Rates
Table 7-2 lists some of the technologies used for WAN connections and their transmission speeds. The sections following the table examine some of the technologies that are most commonly used for WAN connectivity. The rates listed, for a variety of reasons, do not necessarily reflect the actual throughput realized by applications using these technologies. In the real world, the throughput is generally lower.
PSTN (POTS) Connections
A WAN connection does not necessarily require a major investment in hardware and installation fees. Many network connections are formed using a public switched telephone network (PSTN) or plain old telephone service (POTS). A standard asynchronous modem that uses telephone lines to connect your computer to a network (such as that of an ISP) is technically a wide area link, and for some purposes, this is all that is needed. For example, an employee working at home or on the road can dial into a server at the office and connect to the LAN to access e-mail and other network resources. In the same way, a small LAN connection may be sufficient for a small branch office to connect to the corporate headquarters for the same purposes.
The maximum possible connection speed is 56 Kbps (for digital-to-analog traffic only; analog-to-digital traffic is limited to 31.2 Kbps). Analog modem communications are also dependent on the quality of the lines involved. Many telephone companies still certify their lines for voice communications only, and do not perform repairs to improve the quality of data connections.
Using these public carrier lines usually costs much less than trying to establish a private line. When using public lines, many share the costs, and the lines are, by their nature, more reliable than trying to create a private infrastructure. The issues involved in any WAN are the same: delay time, quality of the link, and available bandwidth. The larger the geographic area, the more these issues come into play.
In most cases, a LAN to WAN connection uses a computer as a router, although many use stand-alone devices that perform the same function. The most basic arrangement uses a computer, tablet, or smartphone for remote network access. The remote computer can be running an e-mail client, a web browser, or another application designed to access network resources, or simply access the file system on the network's servers. This simple arrangement is best suited to users who want to connect to their office computers while at home or traveling.
A computer can also host multiple connections. When a user on one LAN performs an operation that requires access to the other LAN, the server automatically dials into a server on the other network, establishes the connection, and begins routing traffic. When the link remains idle for a preset time, the connection terminates. There are also stand-alone routers that perform in the same way, enabling users to connect to a remote LAN or the Internet as needed. This arrangement provides WAN access to users without them having to establish the connection manually.
Today, the world's largest WAN, the Internet, actually uses PSTN lines for much of its infrastructure, so this technology will not soon be obsolete. Obviously, the chief drawback to using the PSTN for other WAN connections is the limited bandwidth, but the low cost of the hardware and services required make these connections compelling, and many network administrators make use of them in interesting and creative ways. In earlier dial-up connections, some networks used inverse multiplexing to combine two small bandwidth channels into a larger channel. Inverse multiplexing is the process of combining the bandwidth of multiple connections into a single conduit. See the sections "Frame Relay" and "ATM" for more information about how inverse multiplexing is used today.
Leased Lines
A leased line is a dedicated, permanent connection between two sites that runs through the telephone network. The line is said to be dedicated because the connection is active 24 hours a day and does not compete for bandwidth with any other processes. The line is permanent because there are no telephone numbers or dialing involved in the connection, nor is it possible to connect to a different location without modifying the hardware installation. While this book is naturally more interested in leased lines as WAN technologies, it's important to understand that they are also a vital element of the voice telecommunications network infrastructure. When a large organization installs its own private branch exchange (PBX) to handle its telephone traffic, the switchboard is typically connected to one or more T-1 lines, which are split into individual channels with enough bandwidth to handle a single voice-grade connection (56 to 64 Kbps). Each of these channels becomes a standard voice "telephone line," which is allocated by the PBX to users' telephones as needed.
You install a leased line by contacting a telephone service provider, either local or long distance, and agreeing to a contract that specifies a line granting a certain amount of bandwidth between two locations, for a specified cost. The price typically involves an installation fee, hardware costs, and a monthly subscription fee, and it depends on both the bandwidth of the line and the distance between the two sites being connected. The advantages of a leased line are that the connection delivers the specified bandwidth at all times and that the line is as inherently secure as any telephone line because it is private. While the service functions as a dedicated line between the two connected sites, there is not really a dedicated physical connection, such as a separate wire running the entire distance. The service provider installs a dedicated line between each of the two sites and the provider's nearest point of presence (POP), but from there, the connection uses the provider's standard switching facilities to make the connection. The provider guarantees that its facilities can provide a specific bandwidth and quality of service.
From the LAN side, the line usually connects to a router, and on the WAN side, a hub. This type of connection can become very expensive over time. A leased-line contract typically quantifies the quality of service using two criteria: service performance and availability. The performance of the service is based on the percentage of error-free seconds per day, and its availability is computed in terms of the time that the service is functioning at full capacity during a specific period, also expressed as a percentage. If the provider fails to meet the guarantees specified in the contract, the customer receives financial remuneration in the form of service credits.
Leased-Line Types
Leased lines can be analog or digital, but digital lines are more common. An analog line is simply a normal telephone line that is continuously open. When used for a WAN connection, modems are required at both ends to convert the digital signals of the data network to analog form for transmission and back to digital at the other end. In some cases, the line may have a greater service quality than a standard PSTN line.
Digital leased lines are more common because no analog-to-digital conversion is required for data network connections, and the signal quality of a digital line is usually superior to that of an analog line, whether leased or dial-up. Digital leased lines are based on a hierarchy of digital signal (DS) speeds used to classify the speeds of carrier links. These levels take different forms in different parts of the world. In North America, the DS levels are used to create the T-carrier (for "trunk-carrier") service. Europe and most of the rest of the world use the E-carrier service, which is standardized by the Telecommunications sector of the International Telecommunications Union (ITU-T), except for Japan, which has its own J-carrier service. Each of these services names the various levels by replacing the DS prefix with that of the particular carrier. For example, the DS-1 level is known as a T-1 in North America, an E-1 in Europe, and a J-1 in Japan.
The only exception to this is the DS-0 level, which represents a standard 64 Kbps voice-grade channel and is known by this name throughout the world. As you go beyond the DS-1 service, bandwidth levels rise steeply, as do the costs. In North America, many networks use multiple T-1 lines for both voice and data. T-3s are used mainly by ISPs and other service providers with high-bandwidth needs. See Table 7-3 for an explanation of the various "T" lines in North America.
Table 7-3 "T" Line Types in North America
While it's possible to install a leased line using any of the service levels listed for your geographical location, you are not limited to the amounts of bandwidth provided by these services. Because the bandwidth of each service is based on multiples of 64 Kbps, you can split a digital link into individual 64 Kbps channels and use each one for voice or data traffic. Service providers frequently take advantage of this capability to offer leased lines that consist of any number of these 64 Kbps channels that the subscriber needs, combined into a single data pipe. This is called fractional T-1 service.
Leased-Line Hardware
A T-1 line requires two twisted pairs of wires, and originally the line was conditioned, meaning that a repeater was installed 3,000 feet from each endpoint and every 6,000 feet in between. Later, a signaling scheme called high-bit-rate digital subscriber line (HDSL) made it possible to transmit digital signals at T-1 speeds over longer distances without the need for repeating hardware.
The hardware that was required at each end of a digital leased line was called a channel service unit/data service unit (CSU/DSU), which was actually two devices that are usually combined into a single unit. The CSU provided the terminus for the digital link and kept the connection active even when the connected bridge, router, private branch exchange (PBX), or other device wasn't actually using it. The CSU also provided testing and diagnostic functions for the line. The DSU was the device that converted the signals it received from the bridge, router, or PBX to the bipolar digital signals carried by the line.
In appearance, a CSU/DSU looked something like a modem, and as a result, they were sometimes incorrectly called digital modems. (Since a modem, by definition, is a device that converts between analog and digital signals, the term digital modem was actually something of an oxymoron. However, just about any device used to connect a computer or network to a telephone or Internet service has been incorrectly called a modem, including ISDN and cable network equipment.)
The CSU/DSU was connected to the leased line on one side using an RJ connector and to a device (or devices) on the other side that provided the interface to the local network (see Figure 7-2), using a V.35 or RS-232 connector. This interface can be a bridge or a router for data networking or a PBX for voice services. The line can be either unchanneled, meaning that it is used as a single data pipe, or channeled, meaning that a multiplexor is located in between the CSU/DSU and the interface to break up the line into separate channels for multiple uses.
Figure 7-2 The CSU/DSU provides the interface between a LAN and a leased line.
Digital leased lines use time division multiplexing (TDM) to create the individual channels, in which the entire data stream is divided into time segments that are allocated to each channel in turn. Each time division is dedicated to a particular channel, whether it is used or not. Thus, when one of the 64 Kbps voice lines that are part of a T-1 was idle, that bandwidth was wasted, no matter how busy the other channels were.
Leased-Line Applications
T-1s and other leased lines are used for many different purposes. T-1s are commonly used to provide telephone services to large organizations. On the WAN front, organizations with offices in several locations can use leased lines to build a private network for both voice and data traffic. With such a network in place, users can access network resources in any of the sites at will, and telephone calls can be transferred to users in the different offices. The problem with building a network in this manner is that it requires a true mesh topology of leased lines—that is, a separate leased line connecting each office to every other office—to be reliable. An organization with four sites, for example, would need six leased lines, as shown in Figure 7-3, and eight sites would require twenty-eight leased lines! It would be possible for the sites to be connected in series, using seven links to connect eight sites, but then the failure of any one link or router would split the network in two.
Figure 7-3 A private WAN that uses leased lines requires a separate connection between every two sites.
Today, most organizations use a less expensive technology to create WAN links between their various offices. One alternative to a private network would be to use leased lines at each site to connect to a public carrier network using a technology such as frame relay or ATM to provide the required bandwidth. Each site would require only a single, relatively short-distance leased line to a local service provider, instead of a separate line to each site. For more information on this alternative, see "Packet-Switching Services" later in this chapter. The most common application for T-1 lines in WANs today, however, is to use them to connect a private network to an ISP in order to provide Internet access to its users and to host Internet services, such as web and e-mail servers.
T-1s are well-suited for providing Internet access to corporate networks because services such as e-mail have to be connected around the clock. ISPs also usually have a local point of presence, so the leased line does not have to span a tremendously long distance and is not too terribly expensive. A single T-1 connection to the Internet can serve the needs of hundreds of average users simultaneously.
ISDN
Integrated services digital network (ISDN) and digital subscriber line (DSL) are both services that utilize the existing copper POTS cable at an installation to carry data at much higher transmission rates. In both cases, the site must be relatively close to the telephone company's nearest point of presence (POP), a location containing telephone switching equipment. Basic rate ISDN, for example, requires a location no farther than 18,000 feet (3.4 miles) from the POP; DSL distances vary with the data rate. ISDN and DSL are sometimes called last-mile technologies because they are designed to get data from the user site to the POP at high speed.
The copper cable running from the POP to the individual user site is traditionally the weakest link in the phone system. Once a signal reaches the POP, it moves through the telephone company's switches at high speed. By eliminating the bottlenecks at both ends of the link, traffic can maintain that speed from end to end. While these technologies have been marketed in the United States primarily as Internet connectivity solutions for home users, they both are usable for office-to-office WAN connections.
ISDN was a digital point-to-point telephone system that had been around for many years but that was not adopted as widely in the United States as its proponents had hoped. Originally, ISDN was designed to completely replace the current phone system with all-digital service, but it then became positioned as an alternative technology for home users who required high-bandwidth network connections and for links between business networks. In this country, ISDN technology garnered a reputation for being overly complicated, difficult to install, and not particularly reliable, and to some extent, this reputation was justified. At one time, inquiries to most local phone companies about ISDN service would be met only with puzzlement, and horror stories from consumers about installation difficulties were common.
ISDN was a digital service that provided a good deal more bandwidth than standard telephone service, but unlike a leased line, it was not permanent. ISDN devices dialed a number to establish a connection, like a standard telephone, meaning that users connected to different sites as needed. For this reason, ISDN was known as a circuit-switching service because it created a temporary point-to-point circuit between two sites. For the home or business user connecting to the Internet, this meant they could change ISPs without any modifications to the ISDN service by the telephone company. For organizations using ISDN for WAN connections between offices, this meant they could connect to different office networks when they needed access to their resources.
ISDN Services
There are two main types of ISDN service, which are based on units of bandwidth called B channels, running at 64 Kbps, and D channels, running at 16 or 64 Kbps. B channels carry voice and data traffic, and D channels carry control traffic only. The service types are as follows:
• Basic Rate Interface (BRI) Also called 2B+D, because it consists of two 64 Kbps B channels and one 16 Kbps D channel. BRI was targeted primarily at home users for connections to business networks or the Internet.
• Primary Rate Interface (PRI) Consists of up to 23 B channels and one 64 Kbps D channel, for a total bandwidth equivalent to a T-1 leased line. PRI was aimed more at the business community, as an alternative to leased lines that provided the same bandwidth and signal quality with greater flexibility.
One of the primary advantages of ISDN was the ability to combine the bandwidth of multiple channels as needed, using inverse multiplexing. Each B channel has its own separate ten-digit number. For the home user, one of the B channels of the BRI service carried voice traffic while the other B channel was used for data, or both B channels could be combined to form a single 128 Kbps connection to the Internet or to a private network.
The PRI service combines any number of the B channels in any combination to form connections of various bandwidths. In addition, the ISDN service supports bandwidth-on-demand, which can supplement a connection with additional B channels to support a temporary increase in bandwidth requirements. Depending on the equipment used, it's possible to add bandwidth according to a predetermined schedule of usage needs or to dynamically augment a connection when the traffic rises above a particular level. For bandwidth needs that fluctuated, an ISDN connection was often far more economical than a leased line because you pay only for the channels that are currently in use. With a leased line, you must pay whether it's being used or not.
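The dynamic form of bandwidth-on-demand described above, as an added example that is not part of the book: a small controller that adds 64 Kbps B channels to a PRI connection when traffic rises above a threshold and releases them when it falls, then compares the channel-minutes billed against a leased T-1 that is paid for in full every minute. The add/drop thresholds, the one-minute sampling, the demand figures and all function names are constructed for the illustration; the 64 Kbps channel size, the 23-channel PRI ceiling and the 24 channels of a T-1 come from the text.

```python
# Added example (not from the book): a bandwidth-on-demand controller for a
# PRI ISDN connection, plus a channel-minute comparison against a leased T-1.
# Demand samples, thresholds and function names are constructed for illustration.

B_CHANNEL_KBPS = 64        # one ISDN B channel
PRI_B_CHANNELS = 23        # a PRI offers up to 23 B channels
T1_CHANNELS = 24           # a T-1 carries 24 channels, billed whether used or not


def plan_channels(demand_kbps, max_channels=PRI_B_CHANNELS,
                  add_above=0.8, drop_below=0.5):
    """Return the number of B channels held open in each sampling interval.

    demand_kbps: per-interval traffic demand (constructed sample data).
    add_above:   add a channel while demand exceeds this fraction of capacity.
    drop_below:  drop a channel while demand is below this fraction of the
                 capacity that would remain after dropping it.
    The two thresholds form a hysteresis band so that channels are not dialed
    and hung up on every small fluctuation (each add is a fresh call setup).
    """
    active = 0
    schedule = []
    for demand in demand_kbps:
        if demand <= 0:
            active = 0                      # idle: release every channel
        else:
            while (active < max_channels
                   and demand > add_above * active * B_CHANNEL_KBPS):
                active += 1                 # dial another B channel
            while (active > 1
                   and demand < drop_below * (active - 1) * B_CHANNEL_KBPS):
                active -= 1                 # hang up a channel we no longer need
        schedule.append(active)
    return schedule


def shortfall_kbps(demand_kbps, schedule):
    """Demand that could not be carried because the PRI ceiling was reached."""
    return [max(0, d - n * B_CHANNEL_KBPS)
            for d, n in zip(demand_kbps, schedule)]


def isdn_channel_minutes(schedule):
    """Billable channel-minutes: only channels actually held open count."""
    return sum(schedule)


def leased_t1_channel_minutes(n_minutes):
    """A leased T-1 is paid for in full for every minute, idle or not."""
    return T1_CHANNELS * n_minutes


if __name__ == "__main__":
    # Constructed one-minute demand samples for a seven-minute window.
    demand = [0, 100, 500, 1400, 2000, 300, 0]
    schedule = plan_channels(demand)
    print("B channels per minute:", schedule)
    print("unmet demand (Kbps):  ", shortfall_kbps(demand, schedule))
    print("ISDN channel-minutes: ", isdn_channel_minutes(schedule))
    print("T-1 channel-minutes:  ", leased_t1_channel_minutes(len(demand)))
```

With the sample demand the controller ramps from zero to the full 23 channels and back, bills 68 channel-minutes against the 168 a leased T-1 would cost over the same seven minutes, and reports the one minute in which demand exceeded what even a full PRI can carry. That last figure is the trade-off the text describes: ISDN is cheaper when needs fluctuate, but its ceiling is fixed by the number of B channels available.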
ISDN Communications
The ISDN B channels carry user traffic only, whether in the form of voice or data. The D channel is responsible for carrying all of the control traffic needed to establish and terminate connections between sites. The traffic on these channels consists of protocols that span the bottom three layers of the OSI reference model. The physical layer establishes a circuit-switched connection between the user equipment and the telephone company's switching office that operates at 64 Kbps and also provides diagnostic functions such as loopback testing and signal monitoring. This layer is also responsible for the multiplexing that enables devices to share the same channel.
At the data link layer, bridges and PBXs using an ISDN connection employ the Link Access Procedure for D Channel (LAPD) protocol, as defined by the International Telecommunications Union (ITU-T) documents Q.920 through Q.923, to provide frame-relay and frame-switching services. This protocol (which is similar to the LAP-B protocol used by X.25) uses the address information provided by the ISDN equipment to create virtual paths through the switching fabric of the telephone company's network to the intended destination. The end result is a private network connection much like that of a leased line.
The network layer is responsible for the establishment, maintenance, and termination of connections between ISDN devices. Unlike leased lines and similar technologies, which maintain a permanently open connection, ISDN must use a handshake procedure to establish a connection between two points. The process of establishing an ISDN connection involves messages exchanged between three entities: the caller, the switch (at the POP), and the receiver. As usual, network layer messages are encapsulated within data link layer protocol frames. The connection procedure is as follows:
1. The caller transmits a SETUP message to the switch.
2. If the SETUP message is acceptable, the switch returns a CALL PROC (call proceeding) message to the caller and forwards the SETUP message to the receiver.
3. If the receiver accepts the SETUP message, it rings the phone (either literally or figuratively) and sends an ALERTING message back to the switch, which forwards it to the caller.
4. When the receiver answers the call (again, either literally or figuratively), it sends a CONNECT message to the switch, which forwards it to the caller.
5. The caller then sends a CONNECT ACK (connection acknowledgment) message to the switch, which forwards it to the receiver. The connection is now established.
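The five-step exchange above, as an added example that is not part of the book: a simulation in which the caller, the switch and the receiver are modeled as parties and every hop of the handshake is logged, so the trace can be checked against the procedure and the two places where a SETUP can be refused (step 2 at the switch, step 3 at the receiver) can be exercised. The party names, the state labels, the accept/reject flags and all function names are constructed; the message names are the ones the text uses. The clearing messages that ISDN sends after a refusal are not covered in the text, so the simulation simply stops at that point.

```python
# Added example (not from the book): a simulation of the five-step ISDN
# call-setup exchange between the caller, the switch at the POP and the
# receiver. Party names, state labels and accept/reject flags are constructed.

from dataclasses import dataclass


@dataclass
class Party:
    name: str
    accepts_setup: bool = True   # constructed policy: does this party accept a SETUP?
    state: str = "idle"


def isdn_call_setup(caller, switch, receiver):
    """Run the handshake and return (log, established).

    log is the ordered list of (sender, recipient, message) tuples that
    crossed the D channel. Every hop goes through the switch: the caller and
    the receiver never exchange a message directly. The exchange stops at the
    first refusal, leaving every party idle.
    """
    log = []

    def send(src, dst, msg):
        log.append((src.name, dst.name, msg))

    # Step 1: the caller asks the switch for a circuit.
    send(caller, switch, "SETUP")
    caller.state = "setup_sent"

    # Step 2: if acceptable, the switch answers CALL PROC and forwards the SETUP.
    if not switch.accepts_setup:
        caller.state = "idle"
        return log, False
    send(switch, caller, "CALL PROC")
    caller.state = "proceeding"
    send(switch, receiver, "SETUP")

    # Step 3: the receiver "rings" and ALERTING travels back via the switch.
    if not receiver.accepts_setup:
        caller.state = "idle"
        return log, False
    receiver.state = "ringing"
    send(receiver, switch, "ALERTING")
    send(switch, caller, "ALERTING")
    caller.state = "alerting"

    # Step 4: the receiver answers; CONNECT travels back via the switch.
    send(receiver, switch, "CONNECT")
    send(switch, caller, "CONNECT")

    # Step 5: the caller acknowledges; CONNECT ACK is forwarded to the receiver.
    send(caller, switch, "CONNECT ACK")
    send(switch, receiver, "CONNECT ACK")
    caller.state = receiver.state = "connected"
    return log, True


def message_sequence(log):
    """Just the message types, in order, for checking against the five steps."""
    return [msg for _, _, msg in log]


# The hop-by-hop sequence the five steps produce when nothing is refused.
EXPECTED_SEQUENCE = ["SETUP", "CALL PROC", "SETUP", "ALERTING", "ALERTING",
                     "CONNECT", "CONNECT", "CONNECT ACK", "CONNECT ACK"]


def trace(log):
    """Render the exchange one hop per line, e.g. 'caller -> switch: SETUP'."""
    return "\n".join(f"{s} -> {d}: {m}" for s, d, m in log)


if __name__ == "__main__":
    parties = Party("caller"), Party("switch"), Party("receiver")
    log, ok = isdn_call_setup(*parties)
    print(trace(log))
    print("established:", ok,
          "| matches the five-step procedure:",
          message_sequence(log) == EXPECTED_SEQUENCE)
```

Nine hops make up a successful setup because each of the five steps after the first is relayed by the switch. That mediating role is the practical point for an administrator: the carrier's switch sees, and can refuse, every call attempt before the receiving equipment is ever alerted.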
ISDN Hardware
ISDN does not require any modifications to the standard copper POTS wiring. As long as your site is within 18,000 feet of a POP, you can convert an existing telephone line to ISDN just by adding the appropriate hardware at each end. The telephone company uses special data-encoding schemes (called 2B1Q in North America and 4B3T in Europe) to provide higher data transmission rates over the standard cable. All ISDN installations needed a device called a Network Termination 1 (NT1) connected to the telephone line at each end. The service from the telephone company provides what is known as a U interface operating over one twisted pair of wires. The NT1 connects to the U interface and converts the signals to the four-wire S/T interface used by ISDN terminal equipment (that is, the devices that use the connection).
Devices that connect directly to the S/T interface, such as ISDN telephones and ISDN fax machines, were referred to as terminal equipment 1 (TE1). Devices that were not ISDN capable, such as standard analog phones and fax machines, as well as computers, were called terminal equipment 2 (TE2). To connect a TE2 device to the S/T interface, you needed an intervening terminal adapter (TA). You could connect up to seven devices to an NT1, both TE1 and TE2.
In North America, it was up to the consumer to provide the NT1, which was available in several forms as a commercial product. In Europe and Japan, where ISDN was much more prevalent, the NT1 was owned and provided by the telephone company; users only needed to provide the terminal equipment. For the BRI service, a separate NT1 is required if you are going to use more than one type of terminal equipment, such as a terminal adapter for a computer and an ISDN telephone. If the service was going to be used only for data networking, as was often the case in the United States, there were single devices available that combined the NT1 with a terminal adapter. These combination devices often took the form of an expansion card for a PC, or a separate device. Once again, the units that are often called ISDN modems were technically not modems at all because they did not convert signals between analog and digital formats.
DSL
A digital subscriber line (DSL) is a collective term for a group of related technologies that provide a WAN service that is somewhat similar to ISDN but at much higher speeds. Like ISDN, DSL uses standard POTS wiring to transmit data from a user site to a telephone company POP using a private point-to-point connection. From there, signals travel through the telephone company's standard switching equipment to another DSL connection at the destination. Also like ISDN, the distance between the site and the POP is limited; the faster the transmission rate, the shorter the operable distance.
The transmission rates for DSL services vary greatly, and many of the services function asymmetrically, meaning they have different upload and download speeds. This speed variance occurs because the bundle of wires at the POP is more susceptible to a type of interference called near-end crosstalk when data is arriving from the user site than when it is being transmitted out to the user site. The increased signal loss rate resulting from the crosstalk requires that the transmission rate be lower when traveling in that direction.
Standard telephone communications use only a small amount of the bandwidth provided by the POTS cable. DSL works by utilizing frequencies above the standard telephone bandwidth (300 to 3,200 Hz) and by using advanced signal encoding methods to transmit data at higher rates of speed. Some of the DSL services use only frequencies that are out of the range of standard voice communications, which makes it possible for the line to be used for normal voice traffic while it is carrying digital data.
DSL is still the most common Internet access solution. However, the higher-speed services like high-bit-rate digital subscriber line (HDSL) have been deployed heavily by local telephone carriers. Asymmetrical operation is not much of a problem for services such as asymmetrical digital subscriber line (ADSL), which were used for Internet access, because the average Internet users download far more data than they upload. For WAN connections, however, symmetrical services like HDSL have been standard for some time. DSL differs from ISDN in that it uses permanent connections; it has no dial-up service, no numbers assigned to the connections, and no session-establishment procedures. The connection is continuously active and private, much like that of a leased line.
As an Internet access solution, DSL grew quickly because of its relatively low prices and high transmission rates and has all but eclipsed ISDN in this market. DSL and cable connections are now the two biggest competing technologies in the end-user, high-speed Internet connection market.
The various DSL services have abbreviations with different first letters, which is why the technology is sometimes called XDSL, with the X acting as a placeholder. Table 7-4 shows these services and their properties.
Table 7-4 DSL Types and Properties
The hardware required for a DSL connection is a standard POTS line and a DSL "modem" at both ends of the link. For services that provide simultaneous voice and data traffic, a POTS splitter is needed to separate the lower frequencies used by voice traffic from the higher frequencies used by the DSL service. In addition, the telephone line cannot use loading coils, inductors that extend the range of the POTS line at the expense of the higher frequencies that DSL uses to transmit data. As shown in Table 7-4, most DSL connections are asymmetrical, although there are some symmetrical variations that deliver the same speed both uploading and downloading.
As telephone companies have upgraded their T1 and T3 lines to fiber-optic lines, so have DSL speeds increased. However, data rate still depends on the distance to the central telephone office. And, in many cases, line noise is a factor that reduces line speed.
NOTE As cable television has grown, so have its services. Many cable companies now offer high-speed Internet access in addition to television and Voice over Internet Protocol (VoIP) services. See Chapter 23 for more information about VoIP and cable connections.
Switching Services
Each WAN involves moving information through up to thousands of individual networks. This happens by way of several switching (routing) technologies. Switching entails moving data, including e-mails, large documents, and all of the myriad types of information being transmitted throughout the world. Each item is sent in intermediate steps, rather than information following a direct line from the origination point to the destination.
Packet-Switching Services
Each message is broken down into small packets to be sent through the network. A packet-switching service transmits data between two points by routing packets through the switching network owned by a carrier such as AT&T, Sprint, or another telephone company. The end result is a high-bandwidth connection similar in performance to a leased line, but the advantage of this type of service is that a single WAN connection at a network site can provide access to multiple remote sites simply by using different routes through the network. Today, packet-switching networks transmit everything from a voice telephone call to digital television reception.
The packet-switching service consists of a network of high-speed connections that is sometimes referred to as the cloud. Once data arrives at the cloud, the service can route it to a specific destination at high speeds. It is up to the consumers to get their data to the nearest POP connected to the cloud, after which all switching is performed by the carrier. Therefore, an organization setting up WAN connections between remote sites installs a link to an edge switch at a local POP using whatever technology provides suitable performance. This local link can take the form of a leased line, ISDN, or DSL.
Once the data arrives at the edge switch, it is transmitted through the cloud to an edge switch at another POP, where it is routed to a private link connecting the cloud to the destination site (see Figure 7-4).
Figure 7-4 Packet-switching networks use a network cloud to route data between remote sites.
For example, an organization with eight offices scattered around the country would need 28 leased lines to interconnect all of the sites, some of which may have to span long distances. In this arrangement, the organization does all of its own switching. Using a packet-switching service instead requires one leased line connecting each site to the service's local POP. Eight leased lines are far cheaper than 28, especially when they span relatively short distances. To get the data where it's going, the carrier programs virtual circuits (VCs) from the POP used by each site to each of the seven other POPs. Thus, there are still 28 routes connecting each location to every other location, but the service maintains them, and the client pays only for the bandwidth used.
Unlikealeasedline,however,apacket-switchingservicesharesitsnetworkamongmanyusers.Thelinkbetweentwositesisnotpermanentlyassignedaspecificbandwidth.Insomeinstances,thiscanbeadrawback,becauseyourlinksarecompetingwiththoseofotherclientsforthesamebandwidth.However,youcannowcontractforaspecificbandwidthoveraframe-relaynetwork,andATMisbuiltaroundaqualityofservice(QoS)featurethatallocatesbandwidthforcertaintypesoftraffic.Inaddition,thesetechnologiesenableyoutoalterthebandwidthallottedtoyourlinks.Unlikealeasedlinewithaspecificbandwidththatyoucan’texceedandthatyoupayforwhetheryou’reusingitornot,youcontractwithapacket-switchingservicetoprovideacertainamountofbandwidth,whichyoucanexceedduringperiodsofheavytraffic(possiblywithanadditionalcharge)andwhichyoucanincreaseasyournetworkgrows.
Asthepacket-switchingnetworkbecomesmorecrowded,theentirenetworkslowsdown.Thinkaboutahighwaysystem.Themorecarsusingthehighway,themoretrafficslows.Sincethismediumoftransportationisshared,thereisnoguaranteeforthetimeofarrivalatthepacket’sdestination.Eachpacketmayuseadifferentcircuit,andthemessageisnotconnecteduntilitarrivesatitsdestination.
Circuit-SwitchingServicesThisserviceisatemporaryconnection,suchasISDNoradial-upconnection.Becausetheconnectionisdedicated,informationcanbetransmittedrapidly.However,unlessthebandwidthisbeingused,thatbandwidthiswasted.Today,narrowbandISDNandswitchedT1connectionsstillusecircuit-switchedtechnologies.
Frame Relay
Frame-relay networks provide the high-speed transmission of leased lines with greater flexibility and lower costs. Frame-relay service operates at the data link layer of the OSI reference model and runs at bandwidths from 56 Kbps to 44.736 Mbps (T-3 speed). You negotiate a committed information rate (CIR) with a carrier that guarantees you a specific amount of bandwidth, even though you are sharing the network medium with other users. It is possible to exceed the CIR, however, during periods of heavy use, called bursts. A burst can be a momentary increase in traffic or a temporary increase of longer duration. Usually, bursts up to a certain bandwidth or duration carry no extra charge, but eventually, additional charges will accrue.
The contract with the service provider also includes a committed burst information rate (CBIR), which specifies the maximum bandwidth that is guaranteed to be available during bursts. If you exceed the CBIR, there is a chance that data will be lost. The additional bandwidth provided during a burst may be "borrowed" from your other virtual circuits that aren't operating at full capacity or even from other clients' circuits. One of the primary advantages of frame relay is that the carrier can dynamically allocate bandwidth to its client connections as needed. In many cases, it is the leased line to the carrier's nearest POP that is the factor limiting bandwidth.
Frame-Relay Hardware
Each site connected to a frame-relay cloud must have a frame-relay access device (FRAD), which functions as the interface between the local network and the leased line (or other connection) to the cloud (see Figure 7-5). The FRAD is something like a router, in that it operates at the network layer. The FRAD accepts packets from the LAN that are destined for other networks, strips off the data link layer protocol header, and packages the datagrams in frames for transmission through the cloud. In the same way, the FRAD processes frames arriving through the cloud and packages them for transmission over the LAN. The difference between a FRAD and a standard router, however, is that the FRAD takes no part in the routing of packets through the cloud; it simply forwards all the packets from the LAN to the edge switch at the carrier's POP.
Figure 7-5 Frame-relay connections use a FRAD to connect a LAN to the cloud.
The only other hardware element involved in a frame-relay installation is the connection to the nearest POP. In frame relay, the leased line is the most commonly used type of connection. When selecting a carrier, it is important to consider the locations of their POPs in relation to the sites you want to connect because the cost of the leased lines (which is not usually included in the frame-relay contract) depends on their length. The large long-distance carriers usually have the most POPs, scattered over the widest areas, but it is also possible to use different carriers for your sites and create frame-relay links between them.
When installing leased lines, it is important to take into account the number of virtual circuits that will run from the FRAD to your various sites. Unlike the private network composed of separate leased lines to every site, the single leased-line connection between the FRAD and the carrier's edge server will carry all of the WAN data to and from the local network. Multiple VCs will be running from the edge server through the cloud to the other sites, and the leased line from the FRAD will essentially multiplex the traffic from all of those VCs to the LAN, as shown in Figure 7-6. Thus, if you are connecting eight remote sites together with frame-relay WAN links, the leased line at each location should be capable of handling the combined bandwidth of all seven VCs to the other locations.
Figure 7-6 The connection from the FRAD to the cloud carries data for all of the virtual circuits.
In most cases, the actual traffic moving across a WAN link does not utilize all of the bandwidth allotted to it at all times. Therefore, it may be possible to create a serviceable WAN by contracting for VCs that have T-1 speeds between all eight offices and using T-1 leased lines to connect all of the sites to the cloud. Be aware, however, that the leased lines are the only elements of the WAN that are not flexible in their bandwidth. If you find that your WAN traffic exceeds the capacity of the leased line, the only recourse is to augment its bandwidth by installing another connection. This does not necessarily mean installing another T-1, however. You can augment the bandwidth connecting the FRAD to the edge server by adding a fractional T-1 or even a dial-up connection that activates during periods of high traffic.
Virtual Circuits
The virtual circuits that are the basis for frame-relay communications come in two types: permanent virtual circuits (PVCs) and switched virtual circuits (SVCs). PVCs are routes through the carrier's cloud that are used for the WAN connections between client sites. Unlike standard internetwork routing, PVCs are not dynamic. The frame-relay carrier creates a route through its cloud for a connection between sites, assigns it a unique 10-bit number called a data link connection identifier (DLCI), and programs it into its switches. Programming a FRAD consists of providing it with the DLCIs for all of the PVCs leading to other FRADs. DLCIs are locally significant only; each FRAD has its own DLCI for a particular virtual circuit. Frames passing between two sites always take the same route through the cloud and use the DLCI as a data link layer address. This is one of the reasons why frame relay is so fast; there is no need to dynamically route the packets through the cloud or establish a new connection before transmitting data.
Each PVC can have its own CIR and CBIR, and despite the description of the VC as permanent, the carrier can modify the route within a matter of hours if one of the sites moves. It is also possible to have the carrier create a PVC for temporary use, such as for a meeting in which a special videoconferencing session is required. Although it was originally created for data transfers, you can also use frame relay to carry other types of traffic, such as voice or video. To set up a voice call or a videoconference between two sites, there has to be a virtual circuit between them. This is easy if the communications are between two of an organization's own sites, which are already connected by a PVC; but conferencing with a client or other outside user requires a call to the carrier to set up a new PVC.
Frame-Relay Messaging
Frame relay uses two protocols at the data link layer: LAPD for control traffic and Link Access Procedure for Frame-mode Bearer Services (LAPF) for the transfer of user data. The LAPD protocol, the same one used by ISDN (ITU-T Q.921), is used to establish VCs and prepare for the transmission of data. LAPF is used to carry data and for other processes, such as multiplexing and demultiplexing, error detection, and flow control.
Figure 7-7 shows the format of the frame used to carry data across a frame-relay cloud. The functions of the fields are as follows:
• Flag, 1 byte Contains the binary value 01111110 (or 7E in hexadecimal form) that serves as a delimiter for the frame.
• Link Info, 2 bytes Contains the frame's address and control fields, as follows:
  • Upper DLCI, 6 bits Contains the first 6 bits of the 10-bit DLCI identifying the virtual circuit that the frame will use to reach its destination.
  • Command/Response (C/R), 1 bit Undefined.
  • Extended Address (EA), 1 bit Indicates whether the current byte contains the last bit of the DLCI. The eighth bit of every byte in the Link Info field is an EA bit. When the frames use standard 10-bit DLCIs, the value of this bit will always be 0.
  • Lower DLCI, 4 bits Contains the last 4 bits of the 10-bit DLCI identifying the virtual circuit that the frame will use to reach its destination.
  • Forward Explicit Congestion Notification (FECN), 1 bit Indicates that network congestion was encountered in the direction from source to destination.
  • Backward Explicit Congestion Notification (BECN), 1 bit Indicates that network congestion was encountered in the direction from destination to source.
  • Discard Eligibility (DE), 1 bit Indicates that a frame is of lesser importance than the other frames being transmitted and that it can be discarded in the event of network congestion.
  • Extended Address (EA), 1 bit Indicates whether the current byte contains the last bit of the DLCI. When the frames use standard 10-bit DLCIs, the value of this bit will always be 1. The EA field is intended to support the future expansion of frame-relay clouds in which DLCIs longer than 10 bits are needed.
• Information, variable Contains a protocol data unit (PDU) generated by a network layer protocol, such as an IP datagram. The frame-relay protocols do not modify the contents of this field in any way.
• Frame Check Sequence (FCS), 2 bytes Contains a value computed by the source FRAD that is checked at each switch during the frame's journey through the cloud. Frames in which this value does not match the newly computed value are silently discarded. Detection of the missing frame and retransmission are left to the upper-layer protocols at the end systems.
• Flag, 1 byte Contains the binary value 01111110 (or 7E in hexadecimal form) that serves as a delimiter for the frame.
Figure 7-7 The frame-relay frame format
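The Link Info field and framing just listed, worked through as an added example in Python (this is not code from the book): it packs and parses the two address bytes with the EA, FECN, BECN and DE bits in the positions given above, refuses an address whose EA bits do not describe a standard 10-bit DLCI, and drops a frame whose FCS does not verify, as the text says a switch does. Two things are assumptions because the page does not name them: the FCS algorithm (the CRC-16 used by HDLC/X.25) and the sample datagram, which is constructed. HDLC bit stuffing is not modelled; the code works at byte level.

```python
"""Frame-relay frame: Link Info (address) field, framing and FCS check.

Added example, not code from the book. The bit layout follows the field list
on this page; the FCS algorithm is an assumption (the page does not name it).
"""
from dataclasses import dataclass

FLAG = 0x7E  # frame delimiter, binary 01111110


@dataclass
class LinkInfo:
    dlci: int       # 10-bit data link connection identifier (locally significant)
    cr: int = 0     # command/response, undefined in frame relay
    fecn: int = 0   # congestion seen in the source-to-destination direction
    becn: int = 0   # congestion seen in the destination-to-source direction
    de: int = 0     # discard eligibility: 1 = drop first under congestion

    def pack(self) -> bytes:
        """Two Link Info bytes. EA is the low bit of each byte: 0 in the
        first (more address follows), 1 in the second (last address byte)."""
        if not 0 <= self.dlci < 1024:
            raise ValueError("DLCI must fit in 10 bits")
        byte1 = (((self.dlci >> 4) & 0x3F) << 2) | ((self.cr & 1) << 1) | 0
        byte2 = (((self.dlci & 0x0F) << 4) | ((self.fecn & 1) << 3)
                 | ((self.becn & 1) << 2) | ((self.de & 1) << 1) | 1)
        return bytes([byte1, byte2])


def parse_link_info(field: bytes) -> LinkInfo:
    """Decode the address bytes; reject EA bits that do not describe a
    standard 10-bit DLCI (that would mean an extended address format)."""
    if len(field) != 2:
        raise ValueError("Link Info must be exactly 2 bytes")
    b1, b2 = field
    if (b1 & 1) != 0 or (b2 & 1) != 1:
        raise ValueError("EA bits do not describe a 10-bit DLCI")
    dlci = (((b1 >> 2) & 0x3F) << 4) | ((b2 >> 4) & 0x0F)
    return LinkInfo(dlci, cr=(b1 >> 1) & 1, fecn=(b2 >> 3) & 1,
                    becn=(b2 >> 2) & 1, de=(b2 >> 1) & 1)


def fcs16(data: bytes) -> int:
    """CRC-16 as used by HDLC/X.25 (reflected poly 0x8408, init and final
    XOR 0xFFFF). Assumption: the page only says the FCS is computed by the FRAD."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(info: LinkInfo, pdu: bytes) -> bytes:
    """Flag, Link Info, Information (an upper-layer PDU, carried untouched),
    FCS, Flag. Byte-level only: HDLC bit stuffing is not modelled here."""
    body = info.pack() + pdu
    return bytes([FLAG]) + body + fcs16(body).to_bytes(2, "little") + bytes([FLAG])


def parse_frame(frame: bytes):
    """Return (LinkInfo, pdu) or None. A frame whose FCS does not match is
    dropped without notice, as the page says a switch does; recovering the
    lost data is left to the end systems' upper-layer protocols."""
    if len(frame) < 6 or frame[0] != FLAG or frame[-1] != FLAG:
        return None
    body, fcs = frame[1:-3], frame[-3:-1]
    if fcs16(body) != int.from_bytes(fcs, "little"):
        return None
    return parse_link_info(body[:2]), body[2:]


def congestion_action(info: LinkInfo) -> str:
    """What a receiving FRAD learns from one frame's congestion bits."""
    if info.becn:
        return "slow down: congestion on the path back toward this site"
    if info.fecn:
        return "notify peer: congestion on the path this frame took"
    return "none"


# Constructed sample: an IP header stub carried on DLCI 100 (not captured traffic).
SAMPLE_PDU = bytes.fromhex("4500001400010000401100000a0000010a000002")
SAMPLE_FRAME = build_frame(LinkInfo(dlci=100, de=1), SAMPLE_PDU)
```

DLCI 100 packs to the bytes 18 41 (with DE clear), which is a convenient check value when reading a protocol analyzer's hex view; the EA check in parse_link_info is what keeps a future extended-address frame from being silently read as a 10-bit DLCI.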
ATM
Asynchronous Transfer Mode (ATM) has long been the holy grail of the networking industry. Once known as the ultimate networking technology, ATM is designed to carry voice, data, and video over various network media, using a high-speed, cell-switched, connection-oriented, full-duplex, point-to-point protocol.
Instead of using variable-length frames like Ethernet, frame relay, and other protocols, all ATM traffic is broken down into 53-byte cells. This makes it easier to regulate and meter the bandwidth passing over a connection because by using data structures of a predetermined size, network traffic becomes more readily quantifiable, predictable, and manageable. With ATM, it's possible to guarantee that a certain quantity of data will be delivered within a given time. This makes the technology more suitable for a unified voice/data/video network than a nondeterministic protocol like Ethernet, no matter how fast it runs. In addition, ATM has quality of service (QoS) features built into the protocol that enable administrators to reserve a certain amount of bandwidth for a specific application.
ATM is both a LAN and WAN protocol and is a radical departure from the other lower-layer protocols examined in this book. All ATM communication is point-to-point. There are no broadcasts, which means that switching, and not routing, is an integral part of this technology. ATM can also be deployed on public networks, as well as private ones. Public carriers can provide ATM services that enable clients to connect LANs at remote locations. On private networks, ATM implementations at various speeds can run throughout the network, from the backbone to the desktop. Thus, the same cells generated by a workstation can travel to a switch that connects the LAN to an ATM carrier service, through the carrier's ATM cloud, and then to a workstation on the destination network. At no point do the cells have to reach higher than the data link layer of an intermediate system, and transmission speeds through the cloud can reach as high as 2.46 Gbps.
While not yet totally realized, a large part of this potential has come to pass. ATM is being used as a high-speed backbone protocol and for WAN connections, but the 25.6 Mbps ATM LAN solution intended for desktop use has been eclipsed by Fast Ethernet, which runs at 100 Mbps and is far more familiar to the majority of network administrators. Many enterprise backbones run over ATM, largely because administrators find that its QoS capabilities and support for voice, data, and video make it a better performer than traditional LAN protocols.
You can use an ATM packet-switching service for your WAN links in roughly the same way as you would use frame relay, by installing a router at your sites and connecting them to the carrier's POPs using leased lines. This process transmits the LAN data to the POP first and then repackages it into cells. It's also possible, however, to install an ATM switch at each remote site, either as part of an ATM backbone or as a separate device providing an interface to the carrier's network. This way, the LAN data is converted to ATM cells at each site before it is transmitted over the WAN. Like frame relay, ATM supports both PVCs and SVCs, but ATM was designed from the beginning to support voice and video using SVCs, while in frame relay, PVCs and SVCs were a later addition. ATM has an advantage over frame relay because of its greater speed and manageability.
Many of the familiar concepts of other protocols, such as media access control and variable-length frames, are not applicable to ATM. Because ATM does not share bandwidth among systems, there is no need for a MAC mechanism such as CSMA/CD or token passing. Switches provide a dedicated connection to every device on the ATM network. Because all ATM transmissions are composed of fixed-length cells, the switching process is simpler and predictable. All ATM switching is hardware based because there is no need for software-managed flow control and other such technologies. References to ATM systems and devices refer to switches and routers, as well as actual computers. The bandwidth delivered by an ATM network is also readily quantifiable, making it easier to designate the appropriate amount of bandwidth for a specific application. On an Ethernet network, for example, it may be necessary to provide much more bandwidth than is actually needed to ensure good performance from a videoconferencing application. This is because you must account for the bandwidth required for videoconferencing on top of the maximum bandwidth used by all other applications combined. The network, therefore, is designed to accommodate the peak traffic condition that occurs only a small fraction of the time. On an ATM network, bandwidth can be more precisely calculated.
Like Ethernet and Token Ring, ATM encompasses the physical and data link layers of the OSI reference model but is itself divided into three layers (see Figure 7-8), which are as follows:
• Physical layer
• ATM layer
• ATM adaptation layer
Figure 7-8 ATM architecture
The following sections examine the functions performed at each of these layers.
The Physical Layer
The ATM standards do not specify precise physical layer technologies as most other data link layer protocols do. This media independence is one of the guiding design principles behind the technology. ATM can run at various speeds over Synchronous Optical Network (SONET) and DS-3 connections and locally over multimode fiber-optic and shielded twisted-pair (STP) cable, among others. Speeds range from 25.6 Mbps for desktop connections to 2.46 Gbps, although the most common implementations run at 155 or 625 Mbps. The higher speeds are commonly used for backbones and WAN connections.
NOTE SONET is a fiber-optic standard that defines a series of optical carrier (OC) services ranging from OC-1, operating at 51.84 Mbps, to OC-192, operating at 9,952 Mbps.
The ATM physical layer is divided into two sublayers, called the physical medium dependent (PMD) sublayer and the transmission convergence (TC) sublayer. The PMD sublayer defines the actual medium used by the network, including the type of cable and other hardware, such as connectors, and the signaling scheme used. This sublayer is also responsible for maintaining the synchronization of all the clocks in the network systems, which it does by continuously transmitting and receiving clock bits from the other systems.
The TC sublayer is responsible for the following four functions:
• Cell delineation Maintains the boundaries between cells, enabling systems to isolate cells within a bit stream
• Header error control (HEC) sequence generation and verification Ensures the validity of the data in the cells by checking the error-control code in the cell headers
• Cell rate decoupling Inserts or removes idle cells to synchronize the transmission rate to the capacity of the receiving system
• Transmission frame adaptation Packages cells into the appropriate frame for transmission over a particular network medium
The ATM Layer
The ATM layer specifies the format of the cell, constructs the header, implements the error-control mechanism, and creates and destroys virtual circuits. There are two versions of the cell header, one for the User Network Interface (UNI), which is used for communications between user systems or between user systems and switches, and the Network-to-Network Interface (NNI), which is used for communications between switches.
In each case, the 53 bytes of the cell are divided into a 5-byte header and a 48-byte payload. Compared to an Ethernet header, which is 18 bytes, the ATM header seems quite small, but remember that an Ethernet frame can carry up to 1,500 bytes of data. Thus, for a full-sized Ethernet frame, the header is less than 2 percent of the packet, while an ATM header is almost 10 percent of the cell. This makes ATM considerably less efficient than Ethernet, as far as the amount of control data transmitted across the wire is concerned.
Figure 7-9 shows the format of the ATM cell. The functions of the fields are as follows:
• Generic flow control (GFC), 4 bits Provides local functions in the UNI cell that are not currently used and are not included in the NNI cell.
• Virtual path identifier (VPI), 8 bits Specifies the next destination of the cell on its path through the ATM network to its destination.
• Virtual channel identifier (VCI), 16 bits Specifies the channel within the virtual path that the cell will use on its path through the ATM network to its destination.
• Payload type indicator (PTI), 3 bits Specifies the nature of the data carried in the cell's payload, using the following bit values:
  • Bit 1 Specifies whether the cell contains user data or control data.
  • Bit 2 When the cell contains user data, specifies whether congestion is present on the network.
  • Bit 3 When the cell contains user data, specifies whether the payload contains the last segment of an AAL-5 PDU.
• Cell loss priority (CLP), 1 bit Specifies a priority for the cell, which is used when a network is forced to discard cells because of congestion. A value of 0 indicates a high priority for the cell, while a value of 1 indicates that the cell may be discarded.
• Header error control (HEC), 8 bits Contains a code computed on the preceding four bits of the header, which is used to detect multiple-bit header errors and correct single-bit errors. This feature detects errors in the ATM header only; there is no error control of the payload at this layer.
• Payload, 48 bytes Contains the user, network, or management data to be transported in the cell.
Figure 7-9 The ATM cell format
Virtual Circuits
A connection between two ATM systems takes the form of a virtual circuit. Like frame relay, ATM uses two types of virtual circuits: permanent virtual circuits (PVCs), which network administrators manually create and which are always available, and switched virtual circuits (SVCs), which systems dynamically create as needed and then terminate after use.
Establishing a virtual circuit through the network to a destination enables the transmission of cells through that circuit without extensive processing by intermediate systems along the way. A virtual circuit is composed of a virtual path (VP) and a virtual channel (VC). A virtual path is a logical connection between two systems that is composed of multiple virtual circuits, much as a cable between two points can contain multiple wires, each carrying a separate signal. Once a VP is established between two points, creating an additional VC for a new connection within that VP is a relatively simple matter.
In addition, managing the VP is an easy way of modifying the properties of all of the VCs it contains. When a switch fails, for example, the VP can be rerouted to use another path, and all of its VCs are rerouted with it. Every ATM cell header contains a virtual path identifier and a virtual channel identifier, which specify the VP that the cell is using and the VC within that VP.
ATM Addressing
ATM networks have their own addresses for each device, in addition to any upper-layer addresses they might possess. The addresses are 20 bytes long and hierarchical, much like telephone numbers, enabling them to support extremely large networks. Unlike protocols that share network bandwidth, it isn't necessary to include source and destination addresses in each cell because ATM transmissions use dedicated point-to-point links. Instead, the addresses are used by the ATM switches to establish the VPIs and VCIs for a connection.
The ATM Adaptation Layer
The primary function of the ATM adaptation layer (AAL) is to prepare the data received from the network layer protocol for transmission and segment it into 48-byte units that the ATM layer will package as cells by applying the header. The AAL consists of two sublayers, called the convergence sublayer (CS) and the segmentation and reassembly sublayer (SAR). The CS prepares the network-layer data for segmentation by applying various fields that are specific to the type of service that will transmit the data, creating convergence sublayer protocol data units (CS-PDUs). The SAR then splits the CS-PDUs into segments of the appropriate size for packaging in cells.
Several AAL protocols are available at this sublayer, which provide different types of service to support various applications. The AAL protocols are as follows:
• AAL-1 A connection-oriented service intended for applications that require circuit emulation, such as voice and videoconferencing. This service requires clock synchronization, so a network medium that supports clocking, such as SONET, is required. For this service, the CS sublayer adds Sequence Number (SN) and Sequence Number Protection (SNP) fields to the data that enable the receiving system to assemble the cells in the proper order.
• AAL-3/4 Supports both connection-oriented and connectionless data transfers with cell-by-cell error checking and multiplexing. The CS creates a PDU by adding a beginning/ending tag to the data as a header and a length field as a footer. After the SAR layer splits the CS-PDU into cell-sized segments, it adds a CRC value to each segment for error-detection purposes.
• AAL-5 Also called Simple and Efficient Adaptation Layer (SEAL), AAL-5 provides both connection-oriented and connectionless services and is most commonly used for LAN traffic. The CS takes a block of network layer data up to 64 KB in size and adds a variable-length pad and an 8-byte trailer to it. The pad ensures that the data block falls on a cell boundary, and the trailer includes a block length field and a CRC value for the entire PDU. The SAR splits the PDU into 48-byte segments for packaging into cells. The third bit of the PTI field in the ATM header is then set to a value of 0 for all of the segments of the data block except the last one, in which it is set to 1.
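An added worked example in Python (not the book's code) that covers two passages at once: the cell header fields from the ATM layer section above and the AAL-5 procedure in the list just given. It packs and parses a UNI header, computes and verifies the HEC, corrects a single flipped header bit from the HEC syndrome, and segments a data block into cells with the pad, the 8-byte trailer and PTI bit 3 set only on the last cell, then reassembles and checks the block. Three details are assumptions taken from ITU-T I.432 and I.363.5 rather than from the page: the HEC is a CRC-8 with generator x^8 + x^2 + x + 1 over the first four header bytes, XORed with 0x55; the AAL-5 trailer is laid out as UU (1 byte), CPI (1 byte), Length (2 bytes), CRC-32 (4 bytes); and the CRC-32 is the generator 0x04C11DB7 computed MSB-first with all-ones initial value and final XOR. The sample data block is constructed.

```python
"""ATM UNI cell header with HEC, and AAL-5 segmentation and reassembly.
Added example, not code from the book; HEC and trailer parameters are
assumptions from ITU-T I.432 / I.363.5, flagged at each function below."""
from dataclasses import dataclass

CELL_PAYLOAD = 48  # 53-byte cell = 5-byte header + 48-byte payload

def crc8(data: bytes) -> int:
    """CRC-8, generator 0x07 (x^8+x^2+x+1), zero initial value. Assumption: I.432."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def hec(first4: bytes) -> int:
    """HEC byte: CRC-8 of the first four header bytes XOR 0x55. Assumption: I.432."""
    return crc8(first4) ^ 0x55

@dataclass
class CellHeader:
    gfc: int = 0  # 4 bits, UNI only
    vpi: int = 0  # 8 bits
    vci: int = 0  # 16 bits
    pti: int = 0  # 3 bits: user/control, congestion, end of AAL-5 PDU
    clp: int = 0  # 1 bit: 1 = may be discarded under congestion

    def pack(self) -> bytes:
        word = ((self.gfc << 28) | (self.vpi << 20) | (self.vci << 4)
                | (self.pti << 1) | self.clp)
        first4 = word.to_bytes(4, "big")
        return first4 + bytes([hec(first4)])

def parse_header(header: bytes) -> CellHeader:
    """Decode a 5-byte header; reject it if the HEC does not verify."""
    if len(header) != 5 or hec(header[:4]) != header[4]:
        raise ValueError("bad header length or HEC mismatch")
    w = int.from_bytes(header[:4], "big")
    return CellHeader(gfc=w >> 28, vpi=(w >> 20) & 0xFF, vci=(w >> 4) & 0xFFFF,
                      pti=(w >> 1) & 0x7, clp=w & 1)

# The CRC is linear, so one flipped header bit always produces the same syndrome
# (computed HEC XOR received HEC) whatever the other bits hold. A table of the
# 40 single-bit syndromes lets a receiver correct one flipped bit, which is the
# single-bit correction the page attributes to the HEC. Bit 0 is the MSB of the
# first header byte; bits 32-39 are the HEC byte itself.
_SYNDROMES = {}
for _bit in range(40):
    _err = (1 << (39 - _bit)).to_bytes(5, "big")
    _SYNDROMES[crc8(_err[:4]) ^ _err[4]] = _bit

def correct_header(header: bytes) -> bytes:
    """Return the header with a single-bit error fixed; raise on multi-bit errors."""
    syndrome = hec(header[:4]) ^ header[4]
    if syndrome == 0:
        return bytes(header)
    if syndrome not in _SYNDROMES:
        raise ValueError("uncorrectable multi-bit header error")
    fixed = int.from_bytes(header, "big") ^ (1 << (39 - _SYNDROMES[syndrome]))
    return fixed.to_bytes(5, "big")

def crc32_msb(data: bytes) -> int:
    """CRC-32, generator 0x04C11DB7, MSB-first, all-ones init and final XOR.
    Assumption: the page only says the trailer carries a CRC for the PDU."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF

def aal5_segment(sdu: bytes, vpi: int, vci: int) -> list:
    """CS: pad to a cell boundary and append the 8-byte trailer (UU, CPI, Length,
    CRC-32; layout assumed from I.363.5). SAR: cut into 48-byte payloads and set
    PTI bit 3 only on the last cell, as the page describes."""
    if len(sdu) > 65535:
        raise ValueError("AAL-5 carries at most 64 KB per PDU")
    pad = (-(len(sdu) + 8)) % CELL_PAYLOAD
    body = sdu + bytes(pad) + bytes([0, 0]) + len(sdu).to_bytes(2, "big")
    pdu = body + crc32_msb(body).to_bytes(4, "big")
    chunks = [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]
    return [CellHeader(vpi=vpi, vci=vci, pti=int(i == len(chunks) - 1)).pack() + c
            for i, c in enumerate(chunks)]

def aal5_reassemble(cells: list) -> bytes:
    """Collect payloads up to the end-of-PDU cell, then check CRC and length.
    Headers are passed through single-bit correction before they are trusted."""
    buf = bytearray()
    for cell in cells:
        if len(cell) != 53:
            raise ValueError("ATM cells are exactly 53 bytes")
        buf += cell[5:]
        if parse_header(correct_header(cell[:5])).pti & 1:
            break
    else:
        raise ValueError("no cell carried the end-of-PDU mark")
    body, crc = bytes(buf[:-4]), int.from_bytes(buf[-4:], "big")
    if crc32_msb(body) != crc:
        raise ValueError("AAL-5 CRC mismatch")
    length = int.from_bytes(body[-2:], "big")
    if length > len(body) - 4:
        raise ValueError("length field exceeds PDU")
    return body[:length]
```

Two handy check values, both from I.432: the unassigned-cell header is 00 00 00 00 55 and the idle-cell header (CLP set) is 00 00 00 01 52, so CellHeader().pack() and CellHeader(clp=1).pack() should reproduce them. Note what the two checks protect: the HEC guards only the five header bytes, exactly as the page says, while payload integrity for the whole block rests on the AAL-5 CRC, so a corrupted payload byte is caught at reassembly, not per cell.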
ATM Support
One problem is the cost and complexity of installing and supporting an ATM network. While a competent Ethernet LAN administrator should be able to install the components of a Gigabit Ethernet backbone with little trouble, an ATM backbone is a completely different story. ATM networks are a hybrid of telecommunications and data networking technologies. These are two separate types of networks, but in the case of ATM, both can use the same cables and switches. An ATM backbone, therefore, may be connected not only to data networking components such as routers, switches, and servers, but also to PBXs and other telecommunications devices.
SONET
Synchronous Optical Network (SONET) carries data over fiber-optic cables used today by many long-distance carriers. It was originally designed to transmit many information types, including voice, video, and data. This system, along with Synchronous Digital Hierarchy (SDH), is used throughout the world to transmit information.
SONET works at the physical layer, and its protocols specify a consistent method of multiplexing many small signals into one larger (and faster) transmission. Several characteristics make this technology attractive:
• Built-in support for maintenance and management
• The ability to carry nearly all higher-level protocols
• Definition of clear standards between various products
This technology provides standards for line rates up to 9.953 Gbps. Because some have experienced line rates approaching 20 Gbps, SONET has been called the foundation for the physical layer of broadband ISDN. ATM can run as a layer on top of both SONET and other technologies.
CHAPTER 8
Server Technologies
All of the computers on a local area network contain roughly the same components, such as a microprocessor, memory modules, mass storage devices, keyboards, video adapters, and other input/output mechanisms. However, you can still divide the computers into two basic categories: servers and client workstations. At one time, it was easy to differentiate between servers and clients because servers functioned only as servers and clients only as clients. Servers in earlier days were essentially computers with more of everything: faster processors, more memory, and larger hard drives, for example. Now that many computers can function as both servers and clients simultaneously, the boundary between the server and client functions has been obscured somewhat. Recent years have seen great developments in the features and technologies that make a server different from a workstation. From application servers to web servers, each machine offers different services and has different features. This chapter examines some of these features and technologies and explains how they can enhance the performance of your network.
Purchasing a Server
When building a local area network (LAN), you can purchase virtually any computer and use it as a server. The primary attributes that make a computer a server are determined by the network operating system's hardware requirements. For example, the Windows 2012 Server requirements call for 256 MB of memory, but you can actually run the operating system on a standard workstation computer with as little as 128 MB. It won't run as well, but it will run. When shopping for computers, you'll see that some products are specifically designed to be servers, and not just because of the operating system installed on them or the amount of memory or disk space they contain. For a small network consisting of only a handful of nodes, it may not be practical for you to spend the extra money on a computer designed to be a server. Instead, you can purchase a high-end workstation with sufficient resources to run the server operating system and use that. When you do need the features of a real server, it's important to understand how a server can differ from a workstation and which features you need for your network.
When you look at the description of a server computer in a catalog or on a web site, it may seem at first as though you're paying more money for less. Servers often do not come with monitors, and they generally do not include the high-performance video adapters and audio systems you find in nearly every home or office computer package.
The video adapter in a server is in many cases integrated into the computer's motherboard and includes sufficient memory to power a display at a variety of resolutions. However, the video subsystem in a server usually does not include the 3-D accelerator and other components found on a separate adapter card used in a workstation for more video-intensive tasks, such as game-playing and multimedia applications. A video adapter in a server also tends not to use the Accelerated Graphics Port (AGP) for its interface to the computer because AGP uses system memory for some of its functions, and in a server, you want as much system memory as possible to be devoted to your server applications.
As for audio, most servers include no audio adapter at all or, at most, a rudimentary one that is also integrated into the motherboard. Speakers are usually not included. The only purpose for having any audio capabilities in a server is to provide audible feedback alerting the administrator of particular system conditions. However, since servers are often kept in a locked closet or data center, even this basic audio capability usually isn't necessary.
NOTE Although servers generally do not come equipped with high-end video and audio adapters, there is usually no reason why you can't add them later and use the computer for tasks more traditionally associated with client workstations.
The question then remains, what do you get when you purchase a server for more money than you would spend on a workstation with the same processor and a comparable amount of memory and disk space? The following list examines the ways in which the basic components in a server differ from their counterparts in a workstation:
• Case A server case can be larger than that of a workstation in order to provide room for greater expansion. Server cases are usually either freestanding towers or specially designed to be mounted in a standard 19-inch equipment rack. Expandability is an important quality in a server, and the cases typically have a large number and variety of bays to support the installation of additional drives.
Since a server doesn't usually take up space on a user's desk, maintaining a small footprint is not a concern, and server cases tend not to have their components shoehorned into them in the interest of saving space. The result is that there is more room to work inside the case and easier access to the components. A server case might also have greater physical security than a standard computer case, such as a key-lockable cover that prevents any access to the server controls and drives.
• Power supply To support the greater number of drives and other devices frequently found in a server, the power supply is typically more robust. The power supply usually also has more internal power connectors available to attach to installed devices. In some cases, a server's power supply might have its own internal surge protection circuitry. Some servers also have redundant power supplies, providing fault tolerance in the event of a power supply failure.
• Fans The possibility of having many more drives and multiple processors in a server means that the computer can potentially generate a lot more heat than a workstation. Server cases typically have multiple fans in them, aside from the one in the power supply. A well-designed case will also have a carefully planned ventilation path that blows the cooler air from the outside directly across the components that most need to be kept cool. In some cases, servers use a sealed case design in which all of the air entering the case runs through a filter, enabling the server to function in an industrial environment without contaminating the internal components with dust and other particles. Some high-end servers designed for mission-critical applications also have hot-swappable modular fan assemblies, meaning that should a fan fail, it's possible to replace the unit without shutting down the server.
• Processor Servers use the same model processors as workstations, and given the computer industry's dedication to aggressively marketing the newest and fastest processors to home users, you may find that a server's processor is not any faster than a workstation's. In fact, because servers are designed with an emphasis on expandability and because they cost more, they tend to have longer lives than workstations, meaning that they might have a processor that is slower than the "latest and greatest." Where servers do differ from workstations in this area is that they often have more than one processor. For more information, see "Using Multiple Processors" later in this chapter.
• Memory Servers are typically capable of supporting more memory than workstations, sometimes a lot more. Examining the inside of the server and a workstation, you may not see any difference because a server may have the same number of memory slots as a workstation and use the same basic type of memory modules. The server will support modules containing more memory, however, in a greater variety of configurations.
In addition to these differences in a server's basic components, there are other more advanced technologies that can have an even greater impact on the computer's performance, as discussed in the following sections.
Using Multiple Processors
Even though the processor designs used in computers today are continually being enhanced and upgraded to run at ever faster speeds, servers often require more processing power than any single processor can provide. This is because a server application such as a database engine may have to service requests from dozens or even hundreds of users at the same time. To increase the processing power available to the application, you can add more processors. You can multiply the processing power of a server in two ways: by installing multiple processors into the computer or by connecting multiple computers using a hardware or software product that joins them into a cluster or a system area network (SAN).
Parallel Processing
The use of multiple processors in a single computer is not a new idea, although it has become common in the PC industry only in the last few years. The two biggest advantages of using multiple processors are economy and expandability. When a processor manufacturer releases a new product, its price compared to the previous models is always disproportionately high for the performance increase it provides. As each new processor is superseded by the next model, the price drops quickly. By purchasing a server with multiple processors in it, you can realize nearly the same processing power as the latest chip on the market for much less money. Multiple processor support can also extend the life of a server by enabling the owner to upgrade it as needed. You can buy a single-processor server containing a motherboard that supports up to four processors for only slightly more than a computer with a standard single-processor motherboard. Later, as the burden on the server is increased by the addition of more users or applications, you can buy additional processors and install them into the empty motherboard sockets.
The method by which a computer makes use of multiple processors is known as parallel processing. This consists of distributing computing tasks among the available processors so that they are all continuously active. There are various methods in which computers with multiple processors can implement parallel processing. Supercomputer systems, for example, can combine the capabilities of hundreds of processors to perform complex tasks that require enormous numbers of computations, such as weather forecasting. In most cases, these supercomputers use a technique called massively parallel processing (MPP), in which the processors are grouped into nodes and connected by a high-speed switch. In this arrangement, each node has its own memory array and its own bus connecting the processors to the memory. There is no sharing of resources between nodes, and communication between them is restricted to a dedicated messaging system.
Symmetric Multiprocessing
The servers with multiple processors used on LANs today employ a different method, called symmetrical multiprocessing (SMP). In an SMP system, the processors share a single memory array, input/output (I/O) system, and interrupts, as shown in Figure 8-1. Processing tasks are distributed evenly between all of the processors, so it isn't possible for one processor to be overloaded while another sits idle. This is in contrast to another system, called asymmetrical multiprocessing, in which tasks are assigned to each processor individually and the workload may not be balanced.
Figure 8-1 SMP computers have a single memory array and I/O bus, which are shared by all of the processors.
Sharing a single memory array eliminates the need for the messaging system found in MPP. The processors in an SMP computer can communicate and synchronize their activities more quickly than most other parallel processing technologies.
It is important to note that having multiple processors in a computer is not considered to be a fault-tolerance mechanism. If one of the processors should fail while the system is running, the coherency of the cached operating system and application information is likely to be affected, eventually causing a crash. Failure or removal of a processor while the computer is shut down, however, will not have a deleterious effect since the operating system detects the number of available processors during the startup sequence and configures itself accordingly.
Hardware and Software Requirements
To use multiple processors in a LAN server, SMP must be supported by the processors themselves, the computer's motherboard, the operating system, and the applications running on the server. If you install an operating system or an application that doesn't support SMP on a server with multiple processors, the software functions in the normal manner using only one of the processors.
Most of the operating systems intended for use on servers support SMP. Most of the Unix operating systems support SMP, including Linux versions as well as Mac. In some cases, such as FreeBSD, you have to substitute a multiprocessor kernel for the standard one supplied with the operating system. Interestingly, although it is not considered a server application, Adobe Photoshop also supports SMP, making it possible for graphic designers working with large image files and complex functions to take advantage of a computer with multiple processors.
Server Clustering
A cluster is a group of servers that are connected by cables and that function as a single entity. To a client on the network, the cluster appears to be a single server, even though it consists of two or more computers. Clustering can provide the same advantage as having multiple processors in a single server since it is possible to divide the server's workload between the processors in the various computers that make up the cluster. However, clustering can also provide fault tolerance in ways that SMP cannot.
Thecomputersthatmakeupaclusterareconnectedprogrammaticallyaswellasphysically.Insomecases,operatingsystemsprovidedirectsupportforclustering,whileinothers,aseparateapplicationisrequired.
Clusteringcanprovidetwobasicadvantagesoverasingleserver:loadbalancingandfaulttolerance.Loadbalancingistheprocessbywhichthetasksassignedtotheserveraredistributedevenlyamongthecomputersinthecluster.Thisconceptcanworkindifferentways,dependingontheapplicationinvolved.Forexample,aclusterofwebserverscanbalanceitsloadbysendingeachoftheincomingrequestsfromwebbrowserclientstoadifferentserver.WhenyouconnecttoahugelypopularInternetwebsite,youcanbesurethatallofitsthousandsofconcurrentusersarenotbeingservedbyasinglecomputer.
Instead,thesiteusesaserverfarmthatconsistsofmanyidenticallyconfiguredcomputers.Eachtimeyouconnecttothesitewithyourwebbrowser,youareprobablyaccessingadifferentserver.Aclusteredterminalserverworksinthesameway;eachnewclientconnectingtotheserverisdirectedtothecomputerthatiscurrentlycarryingthelightestload.Otherapplicationsthatsplittheprocessingintothreadscandistributethosethreadsequallyamongthecomputersinthecluster.
Thisloadbalancingcapabilitygreatlyenhancestheexpandabilityoftheserver.Ifyoureachapointwheretheserverisoverburdenedbytheapplicationtrafficitmusthandle,youcansimplyaddanothercomputertothecluster,andtheworkloadwillautomaticallybebalancedamongtheavailablesystems,thusreducingtheloadoneachone.YoucanalsoupgradetheserverbyinstallingadditionalprocessorstoSMPcomputersintheclusterorbyreplacingacomputerwithonethatisfasterandmorecapable.
Loadbalancingalsoprovidesfaulttolerance.Ifoneofthecomputersintheclustershouldfail,theotherscontinuetofunctionwiththeloadredistributedbetweenthem.However,it’salsopossibletoconstructaclusterwithmoreextensivefailovercapabilities.Afailoverclusterisoneonwhichconnectedcomputersareconfiguredsothatwhenonefails,theothertakesoverallofitsfunctions.Thistypeofclusterisbettersuitedtodatabaseande-mailserversthatmustbecontinuouslyavailable.E-commerceisoneofthefewtechnologiesthatcanrequirebothloadbalancingandfailovertechnologiesinonecluster.
Intoday’sclusteringproducts,agroupofcomputerscanbeclusteredinafailoverconfigurationwithoutleavingsomeofthemachinesidle.Ifoneofthecomputersfails,itsapplicationsaremigratedtoanothercomputerinthecluster,whichtakesoveritsfunctions,asshowninFigure8-2.(Forthistooccur,allofthecomputersintheclustermusthaveaccesstotheapplicationsanddatausedbytheothercomputers.)
Figure8-2Inaservercluster,alloftheserversareactive,withfunctionsreadytofailovertootherservers.
SystemAreaNetworksAsystemareanetwork(orSAN,nottobeconfusedwithastorageareanetwork,alsoabbreviatedSAN)isessentiallyadedicated,switchednetworkthatconnectsagroupofcomputersthatareinthesameadministrativedomainandlocatedrelativelyclosetoeachother.Thenetworkachievesgreatertransmissionspeedsbyimplementingareliabletransportservice(muchliketheTransmissionControlProtocol[TCP])inhardwareinsteadofsoftware.TheSANhardwareconsistsofnetworkinterfaceadaptercardsthatuseFibreChannelconnectionstoacentralswitch.ASANnetworkinterfaceadaptermakesindividualtransportendpoints(muchliketheportsusedinaTCPsoftwareimplementation)availabletotheconnectedcomputers.Theseendpointsarememory-basedregistersthataresharedbytheSANnetworkadapterandthecomputer’sprocessor.Theprocessorcanthereforepasstheincomingtrafficdirectedataparticularendpointimmediatelytotheappropriateapplicationrunningonthecomputer.Inasense,aSANoperatesmuchlikeadistributedmemoryarray,ratherthanastandardnetworking
technology.
ClusterNetworkingHardwareTherearetwoareasinwhichtheuseofserverclusteringcanaffectthehardwareusedtoconstructanetwork:thenetworkconnectionsthemselvesandtheserver’smassstoragehardware.Thecomputersinaclusterusestandardnetworkconnectionstocommunicatewitheachother.Infact,itispossibletobuildaserverclusterwithnoadditionalnetworkinghardwareotherthaneachcomputer’snormalconnectiontotheenterprisenetwork.Inafailoverconfiguration,theserversintheclustercommunicatebyexchangingsignalsatregularintervalscalledheartbeats.Theseheartbeatsserveasanindicationtoeachcomputerthattheothercomputersintheclusterareupandrunningproperly.Ifacomputerfailstotransmitapredeterminednumberofconsecutiveheartbeats,theothercomputersintheclusterassumethatithasfailedandtakeactiontoassumeitsfunctions.Thissameheartbeatmethodalsofunctionsattheapplicationlevel.Ifasingleapplicationfailsononeofthecomputersinthecluster,theclusterserviceattemptstorestartitonthesamecomputer.Ifthisshouldfail,theservicethenmigratestheapplicationtoanothercomputerinthecluster.
Theheartbeatscanbeexchangedoverthenormalnetworkconnection,butiftheclusterisonasharednetworkwithothersystems,theadditionaltrafficgeneratedbytheheartbeatscanbeaproblem.Inaddition,thenetworkconnectionprovidesasinglepointoffailure.Ifacablebreakorafailureinahuborothernetworkcomponentshouldoccur,theheartbeatscanfailtoreachallofthecomputersinthecluster,resultinginaconditioninwhichbothcomputersattempttotakeonthefunctionsoftheother.
Toaddresstheseproblems,it’sagoodideatobuildaseparate,privatenetworkthatisdedicatedtothecomputersinthecluster.Ethernetistypicallytheprotocolofchoiceforthisarrangement,withGigabitEthernetanoptionforinstallationsthatcanbenefitfromgreaterspeeds.Notonlydoesthisprivatenetworkensurethattheheartbeatsgeneratedbyeachcomputerreachtheothersinatimelyfashion,italsoprovidesabackupfortheintraclustercommunications.Laterinthischapter,youwillseehowthisseparatenetworkcanalsobeusedwithahigher-speedprotocolsuchasFibreChanneltoconnecttheserverstoexternaldrivearraysandotherstoragedevices.Thisiscalledastorageareanetwork.
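The heartbeat mechanism, the single-point-of-failure condition in which both computers try to take over each other's functions, and the remedy of a dedicated private heartbeat network can be made concrete with a small simulation. This is an added example written for this page, not code from the book; the miss limit of three intervals, the link names "lan" and "private", and the two-node timelines are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MISS_LIMIT = 3  # assumed: consecutive missed heartbeats before a peer is presumed failed


@dataclass
class HeartbeatMonitor:
    """Counts consecutive missed heartbeats from one peer, separately per link."""
    peer: str
    links: Tuple[str, ...]
    misses: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.misses = {link: 0 for link in self.links}

    def tick(self, received: Dict[str, bool]) -> None:
        """Record one heartbeat interval; received maps link name -> heartbeat arrived."""
        for link in self.links:
            self.misses[link] = 0 if received.get(link, False) else self.misses[link] + 1

    def peer_failed(self) -> bool:
        """Presume the peer dead only when EVERY link has reached the miss limit.

        With a single link, a cable break is indistinguishable from a dead peer.
        With a second, private heartbeat network, one broken link is not enough.
        """
        return all(count >= MISS_LIMIT for count in self.misses.values())


def simulate(links: Tuple[str, ...], timeline: List[dict]) -> Tuple[bool, bool]:
    """Run two nodes, A and B, through a timeline of heartbeat intervals.

    Each interval is a dict: 'a_up'/'b_up' say whether the node is alive and
    sending heartbeats; 'down' is the set of links broken during that interval.
    Returns (A takes over B's functions, B takes over A's functions).
    """
    a_watching_b = HeartbeatMonitor("B", links)
    b_watching_a = HeartbeatMonitor("A", links)
    a_up = b_up = True
    for interval in timeline:
        a_up, b_up = interval["a_up"], interval["b_up"]
        broken = interval.get("down", set())
        # A hears B on a link only if B is alive and that link is intact (and vice versa).
        a_watching_b.tick({link: b_up and link not in broken for link in links})
        b_watching_a.tick({link: a_up and link not in broken for link in links})
    # A node that is itself down cannot take anything over.
    return (a_up and a_watching_b.peer_failed(), b_up and b_watching_a.peer_failed())


def healthy(intervals: int, **extra) -> List[dict]:
    """Constructed timeline fragment: both nodes alive for the given number of intervals."""
    return [dict(a_up=True, b_up=True, **extra) for _ in range(intervals)]


def shared_lan_cable_break() -> Tuple[bool, bool]:
    """Heartbeats cross only the shared LAN; its cable breaks while both nodes are healthy.
    Both sides stop hearing each other and both take over: the condition the text warns of."""
    return simulate(("lan",), healthy(2) + healthy(4, down={"lan"}))


def private_network_cable_break() -> Tuple[bool, bool]:
    """Same LAN break, but heartbeats also cross a dedicated private network,
    so neither node declares the other failed."""
    return simulate(("lan", "private"), healthy(2) + healthy(4, down={"lan"}))


def private_network_node_failure() -> Tuple[bool, bool]:
    """Node B really dies: silence on every link, so A (and only A) takes over."""
    dead_b = [dict(a_up=True, b_up=False) for _ in range(4)]
    return simulate(("lan", "private"), healthy(2) + dead_b)


if __name__ == "__main__":
    print("shared LAN only, cable break:      ", shared_lan_cable_break())
    print("LAN + private network, cable break:", private_network_cable_break())
    print("LAN + private network, B dies:     ", private_network_node_failure())
```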
Cluster Storage Hardware
One of the elements that complicate the implementation of a clustering solution in a failover configuration is that each of the computers in the cluster requires access to the applications and data running on the other computers. There are three ways to accomplish this, which have come to define the three basic hardware configurations you can use in a computer that is part of a cluster. These three hardware configurations are as follows:
• Shared disk In a shared disk configuration, the computers in the cluster are all connected to the same disk array using a common I/O bus so that all of the computers can access the same applications and data simultaneously. The disk array typically uses some form of SCSI, Fibre Channel, or serial storage architecture (SSA) to connect to the computers. Because this arrangement makes it possible for two computers to update files on the shared drives at the same time, an additional software component called a distributed lock manager is needed to prevent files from being corrupted and new data from being overwritten.
• Shared nothing A shared nothing configuration is one in which there is no simultaneous access of the same data stores by different computers in the cluster. The redundant connection exists so that if one computer should fail and its applications fail over to another computer, the substitute can immediately access the same data stores as the original system and continue where it left off.
• Mirrored disk In a mirrored disk configuration, each computer maintains its own storage drives, and data is replicated between the computers on a regular basis.
Using Hierarchical Storage Management
Hierarchical storage management (HSM) is a technique for storing data on a variety of device types in order to minimize storage costs while providing easy accessibility. As a general rule, the cheaper the medium, the slower its access time. By installing various types of drives in a server, you can minimize your storage costs by putting the most frequently used files on hard drives, occasionally used files on optical discs, and seldom used files on magnetic tape.
The problem with this arrangement is keeping track of which files are stored on which device, and this is where HSM provides a solution. HSM is a software product that automatically migrates files between the various media, depending on how often they're accessed. A typical HSM installation consists of a server with one or more hard drives and an optical disc jukebox or magnetic tape, or both. These devices enable you to maintain large amounts of storage and still access it without human intervention. This is known as near-line storage.
When a file on a hard drive goes a certain number of days without being accessed, the HSM software migrates it to the secondary medium, such as an optical disc. After copying the file to the optical disc, the software creates a tiny key file in its place on the hard drive. The key file specifies the location of the actual file and provides a placeholder for network users. If the file goes even longer without being accessed, HSM migrates it to a tertiary medium (such as tape) and updates the key file. To a user on the network, the files that have been migrated to other media appear to still be on the hard drive. When the user attempts to access the file, HSM reads the contents of the key file, loads the appropriate disc or tape into the drive, reads the file, and supplies it to the user. The only sign to the user that the file is not stored on the hard drive is the additional time it takes for HSM to supply the file. Everything else is completely invisible. If the user modifies the file, HSM migrates it back to the hard drive, where it remains until it reaches the migration interval once again.
HSM software products are usually highly configurable, enabling you to use various combinations of media and specify whatever migration intervals you want. An HSM installation is not cheap, but for a network that must store vast amounts of data while keeping it all available at a few minutes' notice, HSM is a viable solution.
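The migration cycle just described (idle file demoted to optical and then tape, key file left behind as a placeholder, transparent reads, and a modification bringing the file back to the hard drive) is easier to follow as a toy model. This is an added example, not code from the book or from any HSM product; the 30-day and 180-day migration intervals, the file names, and the jukebox/tape location labels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed migration intervals (days without access); real HSM products make these configurable.
SECONDARY_AFTER_DAYS = 30    # hard drive -> optical disc jukebox
TERTIARY_AFTER_DAYS = 180    # optical disc -> magnetic tape


@dataclass
class KeyFile:
    """The tiny placeholder HSM leaves on the hard drive for a migrated file."""
    name: str
    tier: str        # "optical" or "tape"
    location: str    # constructed label for the disc or tape holding the real file


class HsmServer:
    """Toy HSM: a hard drive plus optical and tape tiers, driven by a day counter."""

    def __init__(self) -> None:
        self.hard_drive: Dict[str, bytes] = {}
        self.key_files: Dict[str, KeyFile] = {}
        self.optical: Dict[str, bytes] = {}
        self.tape: Dict[str, bytes] = {}
        self.last_access: Dict[str, int] = {}
        self.media_loads = 0   # disc/tape loads: the only user-visible sign of migration

    def write(self, name: str, data: bytes, day: int) -> None:
        """A modified file always comes back to the hard drive and loses its key file."""
        self.key_files.pop(name, None)
        self.optical.pop(name, None)
        self.tape.pop(name, None)
        self.hard_drive[name] = data
        self.last_access[name] = day

    def read(self, name: str, day: int) -> bytes:
        """Serve the file from wherever it lives; the user never sees the tier."""
        self.last_access[name] = day
        if name in self.hard_drive:
            return self.hard_drive[name]
        key = self.key_files[name]              # KeyError means no such file at all
        self.media_loads += 1                   # load the disc or tape named in the key file
        store = self.optical if key.tier == "optical" else self.tape
        return store[name]

    def listing(self) -> List[str]:
        """What a network user sees: migrated files still appear to be on the hard drive."""
        return sorted(set(self.hard_drive) | set(self.key_files))

    def tier_of(self, name: str) -> str:
        return "hard_drive" if name in self.hard_drive else self.key_files[name].tier

    def run_migration(self, today: int) -> None:
        """Scheduled job: demote idle files one tier and update their key files."""
        for name in list(self.hard_drive):
            if today - self.last_access[name] >= SECONDARY_AFTER_DAYS:
                self.optical[name] = self.hard_drive.pop(name)
                self.key_files[name] = KeyFile(name, "optical", f"jukebox-slot-{len(self.optical)}")
        for name, key in self.key_files.items():
            if key.tier == "optical" and today - self.last_access[name] >= TERTIARY_AFTER_DAYS:
                self.tape[name] = self.optical.pop(name)
                key.tier, key.location = "tape", f"tape-{len(self.tape)}"


def demo() -> dict:
    """Walk two constructed files through the migration cycle described in the text."""
    hsm = HsmServer()
    hsm.write("report.doc", b"quarterly numbers", day=0)
    hsm.write("notes.txt", b"todo list", day=0)
    hsm.read("notes.txt", day=25)               # keeps notes.txt recently used
    hsm.run_migration(today=40)                 # report.doc idle 40 days -> optical
    hsm.run_migration(today=200)                # report.doc -> tape, notes.txt -> optical
    tiers = {name: hsm.tier_of(name) for name in hsm.listing()}
    recalled = hsm.read("report.doc", day=201)  # served from tape after one media load
    hsm.write("report.doc", b"updated numbers", day=202)   # modification brings it back
    return {"tiers_day_200": tiers, "recalled": recalled,
            "media_loads": hsm.media_loads,
            "report_tier_after_edit": hsm.tier_of("report.doc")}


if __name__ == "__main__":
    print(demo())
```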
Fibre Channel Networking
The development of new network storage technologies, such as network attached storage (NAS) and storage area networks (SANs), that call for storage hardware external to the server has resulted in the need for a means to transmit large amounts of data between relatively distant devices at high speeds.
Fibre Channel was conceived in 1988 as a high-speed networking technology that its advocates hoped would be the successor to Fast Ethernet and Fiber Distributed Data Interface (FDDI) on backbone networks that required large amounts of bandwidth. Ratified in a series of American National Standards Institute (ANSI) standards in 1994, Fibre Channel never found acceptance as a general local area networking protocol, although Gigabit Ethernet, an extension of the Ethernet standard using the Fibre Channel physical layer options, did. Instead, Fibre Channel has become the protocol of choice for high-end network storage technologies and has particularly become associated with SANs. A Fibre Channel connection can transfer data at the rate of 32 Gbps.
NOTE The unusual spelling of fibre is deliberate and intended to distinguish the term Fibre Channel from fiber optic.
Unlike devices that connect storage devices and servers using a bus, Fibre Channel is essentially a separate network that can connect various types of storage devices with the servers on a network. Fibre Channel uses standard networking hardware components, such as cables, hubs, and ports, to form the network medium, and the connected nodes transmit and receive data using any one of several services, providing various levels of performance. Fibre Channel differs from standard networking protocols such as the Internet Protocol (IP) in that much of its "intelligence" is implemented in hardware, rather than in software running on a host computer.
The Fibre Channel protocol stack consists of five layers that perform the functions attributed to the physical and data link layers of the Open Systems Interconnection (OSI) reference model. These layers are as follows:
• FC-0 This layer defines the physical components that make up the Fibre Channel network, including the cables, connectors, transmitters, and receivers, as well as their properties.
• FC-1 This layer defines the encoding scheme used to transmit the data over the network, as well as the timing signals and error detection mechanism. Fibre Channel uses an encoding scheme called 8B/10B, in which 10 bits are used to represent 8 bits of data, thus yielding a 25 percent overhead.
• FC-2 This layer defines the structure of the frame in which the data to be transmitted is encapsulated and the sequence of the data transfer.
• FC-3 This layer defines additional services such as the striping of data across multiple signal lines to increase bandwidth and the use of multiple ports with a single alias address.
• FC-4 This layer maps the Fibre Channel network to the upper-layer protocols running over it. While it's possible to map Fibre Channel to standard networking protocols, such as IP, the Fibre Channel Protocol (FCP) is the protocol used to adapt the standard parallel SCSI commands to the serial SCSI-3 communications used by storage devices on a Fibre Channel network.
The Fibre Channel Physical Layer
Fibre Channel supports both fiber-optic and copper cables, with fiber optic providing greater segment lengths.
The three physical layer cable options are as follows:
• Single mode fiber optic Nine-micron single mode fiber-optic cable, using standard SC connectors, with a maximum cable length of 10,000 meters
• Multimode fiber optic Fifty- or 62.5-micron multimode fiber-optic cable with SC connectors, with a maximum cable length of 500 meters
• Shielded twisted-pair (STP) Type 1 STP cable with DB-9 connectors, with a maximum cable length of 30 meters
Using any of these cable types, you can build a Fibre Channel network with any one of the three following topologies:
• Point-to-point The point-to-point topology links a Fibre Channel host bus adapter installed in a computer to a single external storage device or subsystem.
• Loop The loop topology, also called a continuous arbitrated loop, can contain an unlimited number of nodes, although only 127 can be active at any one time. You can connect the nodes to each other using a physical loop, or you can implement the loop logically using a hub and a physical star topology, as in a Token Ring network. Traffic travels in only one direction on the loop, unlike SSA and FDDI, which have redundant loops that permit bidirectional communications. Therefore, in the case of a physical loop, a cable break or node failure can take down the whole loop, while the hub in a logical loop can remove the malfunctioning node and continue operating. Each of the nodes in a Fibre Channel loop acts as a repeater, which prevents signal degradation due to attenuation, but a loop is still a shared network with multiple devices utilizing the same bandwidth, which can limit the performance of each device.
• Fabric The fabric topology consists of nodes connected to switches with point-to-point connections. Just as on an Ethernet network, switching enables each device to use the full bandwidth of the network technology in its transmissions. Fibre Channel uses nonblocking switches, which enable multiple devices to send traffic through the switch simultaneously. A switched Fibre Channel network has the benefit of almost unlimited expandability while maintaining excellent performance.
Fibre Channel Communications
Communications over a Fibre Channel network are broken down into three hierarchical structures. The highest-level structure is called an exchange, which is a bidirectional, application-oriented communication between two nodes on the network. In the context of a storage operation, an exchange would be the process of reading from or writing to a file. A single device can maintain multiple exchanges simultaneously, with communications running in both directions, if needed.
An exchange consists of unidirectional transmissions between ports called sequences, which in the context of a read or write operation are the individual blocks transmitted over the network. Each sequence must be completed before the next one can begin. Sequences are composed of frames, and the frame is the smallest protocol data unit transmitted over a Fibre Channel network. Fibre Channel frames are constructed much like the frames used in other networking protocols, such as Ethernet and IP. The frame consists of discrete fields that contain addressing and error detection information, as well as the actual data to be transmitted. In the storage context, a frame is the equivalent of a SCSI command.
Fibre Channel provides three classes of service, with different resource requirements and levels of performance provided by each. These service classes are as follows:
• Class 1 Class 1 is a reliable, connection-oriented, circuit-switched service in which two ports on the network reserve a path through the network switches to establish a connection for as long as they need it. The result is the functional equivalent of a point-to-point connection that can remain open for any length of time, even permanently. Because a virtual circuit exists between the two nodes, frames are always transmitted and received in the same order, eliminating the additional processing required to reorder the packets, as on an IP network. The Class 1 service tends to waste bandwidth when the connection is not in use all of the time, but for applications that require a connection with the ultimate in reliability and performance, the expenditure can be worthwhile.
• Class 2 Class 2 is a connectionless service that provides the same reliability as Class 1 through the use of message delivery and nondelivery notifications. Since Class 2 is not a circuit-switched service, frames may arrive at the destination port in the wrong order. However, it is the port in the receiving node that reorders the frames, not the processor inside the server or storage subsystem containing the port. By placing the responsibility for ordered delivery of frames on the port rather than on the switch, as in the Class 1 service, the switches are better able to provide the maximum amount of bandwidth to all of the nodes on the network. The Class 2 service can therefore provide performance and reliability that is nearly that of the Class 1 service, with greater overall efficiency. Most storage network implementations use Class 2 rather than Class 1 for this reason.
• Class 3 Class 3 is an unreliable connectionless service that does not provide notification of delivery and nondelivery like Class 2. Removing the processing overhead required to implement the notifications reduces port latency and therefore greatly increases the efficiency of the network. This is particularly true in the case of a loop network, which uses a shared medium. In the case of a storage network, the FCP protocol provides frame acknowledgment and reordering services, making it unnecessary to implement them in the network hardware.
NOTE There is also an extension to the Class 1 service called Intermix, which enables other processes to utilize the unused bandwidth of a Class 1 connection for the transmission of Class 2 and Class 3 traffic. In this arrangement, however, the Class 1 traffic maintains absolute priority over the connection, which can cause the nodes to buffer or discard Class 2 and 3 frames, if necessary.
Network Storage Subsystems
In the original client-server network design, the server was a computer constructed very much like a client, except with more storage capacity, more memory, a faster processor, and so on. As the years have passed and data storage requirements have increased at an exponential level, it has become unwieldy for a personal computer to contain enough space and power for the many drives used in modern storage arrays. Moving the storage management tasks away from the server and into a dedicated device also reduces the processing burden on the server. Today, with server clusters and other advanced server technologies becoming more popular, there is a drive toward storage arrays with greater capabilities.
One of the solutions is to integrate the standard storage I/O architecture with the networking architecture used for other communications between systems. Combining I/O and networking makes it possible to locate the servers and the storage arrays virtually anywhere, build a more flexible and expandable storage solution, and enable any server on the network to work with any storage device. There are two technologies that are leading the way in this new area of development: network attached storage and storage area networks. These technologies are not mutually exclusive; in fact, the future network is likely to encompass both to some degree.
Network Attached Storage
Network attached storage is a term that is generally applied to a stand-alone storage subsystem that connects to a network and contains everything needed for clients and servers to access the data stored there. An NAS device, sometimes called a network storage appliance, is not just a box with a power supply and an I/O bus with hard drives installed in it. The unit also has a self-contained file system and a stripped-down, proprietary operating system that is optimized for the task of serving files. The NAS appliance is essentially a stand-alone file server that can be accessed by any computer on the network. For a network that has servers dedicated primarily to file-serving tasks, NAS appliances can reduce costs and simplify the deployment and ongoing management processes. Because the appliance is a complete turnkey solution, there is no need to integrate separate hardware and operating system products or be concerned about compatibility issues.
NAS appliances can connect to networks in different ways, and it is here that the definition of the technology becomes confusing. An NAS server is a device that can respond to file access requests generated by any other computer on the network, including clients and servers. The device typically uses a standard file system protocol like the Network File System (NFS) or the Common Internet File System (CIFS) for its application layer communications. There are two distinct methods for deploying an NAS server, however. You can connect the appliance directly to the LAN, using a standard Ethernet connection, enabling clients and servers alike to access its file system directly, or you can build a dedicated storage network, using Ethernet or Fibre Channel, enabling your servers to access the NAS and share files with network clients.
The latter solution places an additional burden on the servers, but it also moves the I/O traffic from the LAN to a dedicated storage network, thus reducing network traffic congestion. Which option you choose largely depends on the type of data to be stored on the NAS server. If you use the NAS to store users' own work files, for example, it can be advantageous to connect the device to the LAN and let users access their files directly. However, if the NAS server contains databases or e-mail stores, a separate application server is required to process the data and supply it to clients. In this case, you may benefit more by creating a dedicated storage network that enables the application server to access the NAS server without flooding the client network with I/O traffic.
Storage Area Networks
A storage area network is simply a separate network within an enterprise that is used to connect storage devices and the computers that use them. In practice, SANs are usually associated with Fibre Channel networks, but actually you can use any type of network for this purpose, including SSA or Ethernet (usually Gigabit Ethernet). The reasons for building an SAN have been repeated throughout this chapter. Server technologies such as clustering and remote disk arrays require high-bandwidth connections, and using the same data network as the client computers for this purpose could easily result in massive amounts of traffic. In addition, the bandwidth requirements of a storage I/O network far exceed those of a typical data network. Constructing a separate SAN using Fibre Channel or Gigabit Ethernet is far cheaper than equipping all of the computers on your network with ultra-high-speed network interface adapters.
In a typical enterprise network containing an SAN, the servers have interfaces to both the data network (the LAN) and the storage network (the SAN). The LAN, therefore, is completely ordinary, containing client and server computers, and the storage devices are connected only to the SAN. Where the servers store their data is of no consequence to the clients, which do not even have to know of the SAN's existence.
A typical SAN using Fibre Channel to connect servers to the storage devices can take many forms. The simplest possible SAN consists of a single server connected to a drive array using a point-to-point Fibre Channel connection. The server accesses the data stored on the array, which would typically use RAID to provide added performance and fault tolerance. One of the primary differences between an SAN and an NAS device is that SANs provide block-level access to data, while NAS appliances provide file-level access.
A more complicated SAN would consist of several servers and several storage arrays, all connected to the same network, as shown in Figure 8-3. If the SAN uses Fibre Channel for its communications, the network's topology can take the form of a loop or a fabric, depending on whether the devices are all connected to a hub or a switch. This enables the servers to communicate with each other and with all of the storage devices on the SAN. The storage devices can be drive arrays using RAID, NAS servers, or any other technology that may evolve, as long as it supports Fibre Channel or whatever networking protocol the SAN uses.
Figure 8-3 A complex SAN using a Fibre Channel loop or fabric network
CHAPTER
9 DesigningaNetwork
Planningisanessentialpartofanynetworkdeployment,andthedesignofthenetworkisacrucialelementoftheplanningprocess.Dependingonitssizeandlocation,theprocessofdesigningyournetworkcanbesimpleorextremelycomplex.Thischapterexaminessomeoftheconceptsinvolvedindesigningnetworksthatrangefromsmallhomenetworkstolargeenterpriseinternetworks.
Anetworkdesigncanencompassdecisionsmadeatmanylevels.Ataminimum,thedesignshouldincludewhathardwareyouintendtopurchase,howmuchitcosts,whereyou’regoingtolocateitatyoursite,andhowyou’regoingtoconnectitall.Forahomeorsmall-businessnetwork,thiscanbeaseasyastakingafewcomputers,choosinganetworkinterfacecard(NIC)foreachone,andbuyingsomecablesandahuband/orawirelessrouter.Youcanmakealloftheotherdecisionsinvolvedinsettingupandconfiguringthenetworkasyouproceed.Foralargeenterpriseinternetwork,thedesignprocessisconsiderablymorecomplicated.Asyou’velearned,aninternetworkisacollectionofLANsthathavebeenconnectedsothateachcomputercancommunicatewithanyothercomputeronanyoftheLANs.YoucandesigneachLANseparately,usingstandardhardwarealreadymentioned,butthenyoumustconsiderhowyouaregoingtoconnecttheLANsintoaninternetworkandregulatethecommunicationsbetweenthem.Youalsohavetoconsideralloftheservicesthatyoumustprovidetoyourusersandhowyouintendtoprovidethem.Thismeansthenetworkdesignmightincludesoftwareproductsandconfigurations,outsideservicesprovidedbythirdparties,andoperatingprocedures,aswellasahardwarelistandanetworkdiagram.
Inadditiontopurelytechnicalissues,designingalargeinternetworkinvolvesanumberofimportantbusinessdecisions.Generally,theearlyphasesoftheinternetworkdesignprocesstendtoproceedasfollows:
1.Identifythebusinessneedsthatthenetworkisintendedtosatisfy.
2.Createanidealnetworkdesignthatsatisfiesallofthepreviouslydefinedneeds.
3.Estimatethecostofbuildingthenetworkasdesigned.
4.Determinewhetherthebenefitsofbuildingthenetworkrationalizetheexpense.
5.Revisethenetworkdesigntobringtheexpenseinlinewiththebenefits.
Thisisahigh-leveloverviewofthenetworkdesignprocessasabusinessdecision,andwhileeconomicissuesmaynotbetheprimaryconcernofthepeopleinvolvedinthetechnicalsideoftheprocess,thecostoftheprojectwillcertainlyhaveaprofoundeffectonthedesign.Thischapterismoreinvolvedwiththetechnicalsideofthedesignprocessthanwiththebusinessside,buthavingsomeideaofthebudgetallottedforthenetworkandthecostofimplementingthetechnologiesyouselectcanstreamlinethewholedesignandapprovalprocessconsiderably.
ReasoningtheNeedThefirststepindesigninganetworkisalwaystolistthereasonsforbuildingitinthefirstplace.Forahomeorsmall-businessnetwork,thelistisoftenshortandsimple,containingitemssuchasthedesiretoshareoneprinteramongseveralcomputersandtoaccesstheInternetusingasingleconnection.Inmostcases,theeconomicdecisionisequallysimple.WeighthepriceofafewcablesandahuborawirelessrouteragainstthecostofsupplyingeachcomputerwithitsownprinterorInternetconnection,andtheconclusionisobvious.
Foralargeinternetworkinstallation,thelistofrequirementsisusuallymuchlonger,andthedecision-makingprocessisfarmorecomplex.Someofthequestionsthatyoushouldaskyourselfasyou’refirstconceivingthenetworkareasfollows:
•Whatbusinessneedswillthenetworksatisfy?
•Whatservicesdoyouexpectthenetworktoprovidenowandinthefuture?
•Whatapplicationsmustthenetworkrunnowandinthefuture?
•Whatarethedifferenttypesofusersyouexpectthenetworktosupportnow?
•Whattypesofusers(andhowmanyofthem)doyouexpectthenetworktosupportinthefuture?
•Whatlevelofservicedoyouexpectthenetworktoprovideintermsofspeed,availability,andsecurity?
•Whatenvironmentalfactorsatthesitecanpossiblyaffectthenetwork?
•Whatisthegeographiclayoutofthebusiness?Arethereremoteofficestoconnect?
•Whatnetworkmaintenanceskillsandresourcesareavailabletotheorganization?
Byansweringquestionslikethese,youshouldbeabletocomeupwithabasic,high-levelconceptofthetypeofnetworkyouneed.Thisconceptshouldincludeasketchofthenetworkindicatingthenumberoflevelsinthehierarchy.Forexample,anetworkatasinglesitemightconsistofanumberofLANsconnectedbyabackbone,whileanetworkencompassingmultiplesitesmightconsistofseveralLANs,connectedbyabackboneateachlocation,allofwhicharethenconnectedbyWANlinks.Thisplanmayalsoincludedecisionsregardingthenetworkmediaandprotocolstouse,aroutingstrategy,andothertechnicalelements.
NOTEDependingontheenvironmentinwhichabackboneexists,itcanhavetwomeanings.ThefirstisthephysicalconnectionsuchasfiberorGigabitEthernet,andthesecondisatransmissionmethodsuchasframerelaythroughthecloud.
SeekingApprovalThenextstepistostartmakinggenerictechnologyandequipmentselectionsinorderto
developanestimateofthecostsofbuildingandmaintainingthenetwork.Forexample,youmightatthispointdecidethatyouaregoingtobuildaninternetworkconsistingoftenLANs,connectedbyafiber-opticbackboneandusingaT-1lineforaccesstotheInternet.Withthisinformation,youcanstarttofigureoutthegeneralcostsofpurchasingandinstallingthenecessaryequipment.
Witharoughcostestimateinhand,it’sgenerallytimetodecidewhetherbuildingthenetworkasconceivediseconomicallyfeasible.Inmanycases,thisrequiresanevaluationbynontechnicalpeople,soalayperson’ssummaryoftheprojectanditscostisusuallyinorder.Atthispoint,someofthefollowingquestionsmaybeconsidered:
•Doesthenetworkdesignsatisfyallofthebusinessneedslistedearlier?
•Dothebusinessneedsthatthenetworkwillsatisfyjustifythecostexpenditures?
•Canthecostsofthenetworkbereducedwhilestillprovidingaminimumstandardofperformance?
•Howwillreducingthequalityofthenetwork(inregardtoelementssuchasspeed,reliability,and/orsecurity)affectthebusinessneedsitisabletosatisfy?
•Canthenetworkbereconceivedtolowertheinitialcostswhilestillprovidingsufficientcapabilityforexpansioninthefuture?
Thisreviewprocessmayinvolveindividualsatseveralmanagementlayers,eachwiththeirownconcerns.Inmanycases,businessandeconomicfactorsforcearedesignofthenetworkplanatthispoint,eithertobetteraddressbusinessneedsnotconsideredearlierortoreducecosts.Usually,it’sbetterforthesemodificationstooccurnow,whilethenetworkdesignplanisstillinitspreliminarystages.Oncetheelementsoftheplanaredevelopedingreaterdetail,itwillbecomemoredifficultandinefficienttodrasticallychangethem.
Whentheeconomicandbusinessfactorsofthenetworkdesignhavebeenreconciledwiththetechnicalfactors,youcanbegintofleshouttheplanindetail.Thefollowingsectionsexaminesomeofthespecificelementsthatshouldbeincludedinyournetworkdesignplan.
DesigningaHomeorSmall-OfficeNetworkAnetworkforahomeorsmallofficetypicallyconsistsofasingleLANconnectinganywherefrom2to16computers.TheLANmightalsohaveadditionalnetworkdevicesattachedtoit,suchasanetworkprinterorarouterprovidingaconnectiontotheInternetoranotheroffice.Forthiskindofnetwork,thedesignprocessconsistsmostlyofselectingproductsthataresuitableforyourusers’needsandforthephysicallayoutofthesite.
SelectingComputersVirtuallyallthecomputersonthemarkettodaycanbeconnectedtoanetwork,socompatibilityinthisareaisnotusuallyaconcern.However,forthesakeofconvenience,it’seasiertodesign,build,andmaintainasmallnetworkinwhichallofthecomputersusethesameplatform.IfmostofyourusersareaccustomedtousingWindowsPCs,then
makethenetworkallWindowsPCs.IfmostarecomfortablewithMacintosh,Linux,orUnixsystems,thenusethose.It’snotimpossibletoconnectcomputersrunningdifferentplatformstothesamenetworkbyanymeans,butifyou’replanningasmallnetworkandyouwanttohaveaseasyatimeofitaspossible,sticktooneplatform.
Standardizingonasingleplatformmaybedifficultinsomesituations,however.Forahomenetwork,forexample,youmayhavekidswhouseMacsinschoolandadultswhousePCsatwork.Inasmall-businessenvironment,youaremorelikelytobeabletoimposeoneplatformonyouremployees,unlesstheyhavespecialrequirementssuchasdifferenttypesofmachines.Ifyoudofeelcompelledtomixplatforms,youmustbecarefultoselectproductsthatarecompatiblewitheverytypeofcomputeryouplantouse.Generally,itisnottoodifficulttoconfiguredifferenttypesofcomputerstoaccesssharednetworkresourcessuchasprintersandInternetconnections.However,filesharingcanbeaproblembecausethecomputersmayusedifferentfileformats.Theotherimportantconsiderationwhenselectingthecomputerstobeconnectedtoanetworkiswhethertheyhavetheresourcesneededfornetworking.Forthemostpart,thisjustmeansyoumustdeterminewhattypeofnetworkinterfaceadapterthecomputeruses.Ifanyofthemachinestobeincludedinthenetworkdonothaveappropriateadapters,youcanpurchaseanetworkinterfacecardandeitherinstalltheadapterinafreePCIslotorpurchaseaUniversalSerialBus(USB)networkinterfaceadapter.
Selecting a Networking Protocol
The protocol your network uses at the data link layer of the OSI reference model is the single most defining element of the network design. The data link layer protocol determines, among other things, what network medium you will use, what networking hardware you will buy, how you will connect the computers, and how fast the network can transfer data. The most common choices in data link layer protocols are Ethernet for LANs or point-to-point (PPP) for larger networks.
Choosing a Network Medium
The Ethernet protocol supports a variety of network media, but when installing a new network today, the choice for a bounded (cabled) network comes down to unshielded twisted-pair (UTP) or fiber-optic cable. The other alternative is a wireless (unbounded) medium. UTP cable is perfectly suitable for most home and small-business networks. To use UTP, you have to purchase an Ethernet hub (unless you are networking only two computers), and each of your network devices must be connected to the hub using a cable no more than 100 meters long. Category 5 UTP is sufficient for networks running at speeds up to 100 Mbps. For speeds up to 1,000 Mbps (1 Gbps), use either Category 5e or Category 6 UTP cables. Cat 5e transmits at 100 MHz and Cat 6 transmits at 250 MHz. Both have a maximum length of 100 meters when being used for 1 Gbps networking. The difference appears when Cat 6 is used in a 10 Gbps network: its maximum length is then cut down to between 37 and 55 meters, depending on the crosstalk environment.
If you are in a situation where the locations of your computers call for longer segments, however, or the network must operate in an environment with extreme amounts of electromagnetic interference (EMI) present, you can opt to use fiber-optic cable. Fiber-optic cable is immune to EMI and supports longer segments, but it is also more expensive than UTP and more difficult to install.
For a small network, the ease of installation is often a major factor in the selection of a network medium. An Ethernet network using UTP is the simplest type of cabled network to install. UTP Ethernet NICs, hubs, and prefabricated cables are available in almost any computer store; all you have to do is use the cables to connect the computers to the hub. (If your computers do not have a NIC, you will have to install the adapters before making the connection.)
The same is not true for fiber-optic cables, which are generally purchased as components (bulk cable, connectors, and so on) from professional suppliers. Unless you are willing to spend a good deal of money, time, and effort on learning about fiber-optic cabling, you are not going to install it yourself.
It's possible to install UTP cable from components also, and this is usually how professional, internal installations are performed. An internal cable installation is one in which the cables are installed inside wall cavities and drop ceilings. The only elements of the installation that are visible to the network user are the wall plates to which their computers are attached. This type of installation is neater than an external one that uses prefabricated cables that are usually left exposed, but it requires more expertise to perform correctly, as well as additional tools and access to internal wall cavities. For a small-business network in a traditionally designed office space, a small-scale internal installation is feasible, but homeowners are less likely to want to drill holes in their walls, floors, and ceilings for the installation of cables, despite a greater concern for the installation's cosmetic appearance.
For network installations where cables are impractical or undesirable, you can also elect to install a wireless LAN. There are many products now on the market at competitive prices, and for home users wanting to network their computers without leaving cables exposed or performing a major cable installation, this solution can be ideal.
Choosing a Network Speed
Another consideration when designing an Ethernet LAN is the speed at which the network will run. Fast Ethernet runs at 100 Mbps, and Gigabit Ethernet runs at 1,000 Mbps. You can find many Ethernet NICs that support either speed. The NIC autodetects the speed of the hub to which it's attached and configures itself accordingly.
Designing an Internetwork
The design elements discussed thus far apply to large internetworks as well as to small, single-segment LANs. Even the largest internetwork consists of individual LANs that require the same components as a stand-alone LAN, such as computers, NICs, cables, hubs, and switches. For a large internetwork with more varied requirements, you can design each LAN separately, selecting protocols and hardware that best suit the physical environment and the requirements of the users, or you can create a uniform design suitable for all of the LANs. Once you get beyond the individual LANs, however, you face the problem of connecting them to form the internetwork. The following sections examine the technologies you can use to do this.
Segments and Backbones
The traditional configuration for a private internetwork is to have a series of LANs (called network segments or sometimes horizontal networks) connected using another, separate network called a backbone. A backbone is nothing more than a network that connects other networks, forming an internetwork. The individual segments can be networks that service workgroups, departments, floors of a building, or even whole buildings. Each of the segments is then connected to a backbone network, using a router or a switch, as shown in Figure 9-1. This enables a workstation on any of the networks to communicate with any other workstation. The term backbone can refer to a LAN that connects other LANs (usually in the same building or campus) or to a network of wide area links that connect networks or internetworks at remote locations.
Figure 9-1 An example of multiple LANs, connected by a backbone
One of the most common configurations for a large internetwork that encompasses an entire building with multiple floors is to have a separate LAN connecting all of the network devices on each floor (which is the origin of the term horizontal network) and a backbone network running vertically between the floors, connecting all of the LANs. Of course, the configuration you use must depend on the building in which the internetwork is installed. If your entire organization is housed in an enormous building with only two floors, you will probably have to create several LANs on each floor and connect them with a backbone that runs throughout the building.
When two computers on the same LAN communicate with each other, the traffic stays on that local network. However, when the communicating computers are on different LANs, the traffic goes through the router connecting the source computer to the backbone and then to the LAN on which the destination computer is located. It is also common practice to connect network resources required by all of the internetwork's users directly to the backbone, instead of to one of the horizontal networks. For example, if you have a single e-mail server for your entire organization, connecting it to one of the horizontal networks forces all of the e-mail client traffic from the entire internetwork to travel to that segment, possibly overburdening it. Connecting the server to the backbone network enables the traffic from all of the horizontal segments to reach it equitably. Because the backbone is shared by the horizontal networks, it carries all of the internetwork traffic generated by each of the computers on every LAN. This can be a great deal of traffic, and for this reason, the backbone typically runs at a higher speed than the horizontal networks. Backbones may also have to traverse greater distances than horizontal networks, so it is common for them to use fiber-optic cable, which can span much longer distances than copper.
When the concept of the backbone network originated, the typical departmental LAN was relatively slow, running 10 Mbps Ethernet. The first backbones were thick Ethernet trunks, selected because the RG-8 coaxial cable could be installed in segments up to 500 meters long. These backbones ran at the same speed as the horizontal networks, however. To support all of the internetwork traffic, a distributed backbone running at a higher speed was needed. This led to the use of data link layer protocols like Fiber Distributed Data Interface (FDDI). FDDI ran at 100 Mbps, which was faster than anything else at the time, and it used fiber-optic cable, which can span much greater distances than thick Ethernet.
Once Fast Ethernet products arrived on the market, the situation changed by an order of magnitude; 100 Mbps horizontal networks became common, and an even faster backbone technology was needed to keep up with the traffic load they generate. This led to the development of protocols like Asynchronous Transfer Mode (ATM), running at speeds up to 655 Mbps, and Gigabit Ethernet, at 1,000 Mbps.
Distributed and Collapsed Backbones
There are two basic types of backbone LANs in general use: the distributed backbone and the collapsed backbone. In a distributed backbone, the backbone takes the form of a separate cable segment that runs throughout the enterprise and is connected to each of the horizontal networks using a router or switch. In a collapsed backbone, the hub on each of the horizontal networks is connected to a centrally located modular router or switch (see Figure 9-2). This router or switch functions as the backbone for the entire internetwork by passing traffic between the horizontal networks. This type of backbone uses no additional cable segment because the central router/switch has individual modules for each network, connected by a backplane. The backplane is an internal communications bus that takes the place of the backbone cable segment in a distributed backbone network.
Figure 9-2 A single router or switch connects all of the LANs in a collapsed backbone.
The advantage of a collapsed backbone is that internetwork traffic has to pass through only one router on the way to its destination, unlike a distributed backbone, which has separate routers connecting each network to the backbone. The disadvantage of a collapsed backbone is that the hub on each network must connect to the central router with one cable segment. Depending on the layout of the site and the location of the router, this distance may be too long for copper cable.
Because a collapsed backbone does not use a separate cable segment to connect the horizontal networks, it does not need its own protocol. Today's technology has made the collapsed backbone a practical solution.
While this may be an ideal solution for a new network being constructed today, there are thousands of existing networks that still use 10 Mbps Ethernet or other relatively slow protocols on their horizontal networks and can't easily adapt to the collapsed backbone concept. Some or all of the horizontal networks might be using older media, such as Category 3 UTP or even thin Ethernet, and can't support the long cable runs to a central router. The horizontal networks might even be in separate buildings on a campus, in which case a collapsed backbone would require each building to have a cable run to the location of the router. In cases like these, a distributed backbone is necessary.
Backbone Fault Tolerance
Because it provides all internetwork communications, the backbone network is a vitally important part of the overall design. A horizontal network that can't access the backbone is isolated. Computers on that LAN can communicate with each other but not with the computers on other LANs, which can cut them off from vital network services. To ensure continuous access to the backbone, some internetworks design redundant elements into the plan for fault-tolerance purposes. You can, for example, use two routers on each LAN, both of which connect to the backbone network hub so that if one router fails, the other provides continued access to the rest of the network. Some designs go so far as to include two separate distributed backbone networks.
This plan also calls for two routers on each horizontal network, but in this case, the routers are connected to two different backbone networks, as shown in Figure 9-3. This way, the internetwork can continue to function despite the failure of a router, a backbone hub, or any backbone cable segment. Another benefit of this design is the ability to balance the internetwork traffic load between the two backbones. By configuring half of the computers to use one backbone and half the other (by varying their default gateway addresses), you split the internetwork traffic between the two. This can make the use of Ethernet on both the horizontal and backbone networks a practical proposition, even on a highly trafficked network. With a single backbone connecting Ethernet LANs, you may find that you need to use Gigabit Ethernet or another high-speed protocol to support the internetwork traffic.
Figure 9-3 Redundant backbones can provide both load balancing and fault tolerance.
Selecting a Backbone LAN Protocol
The protocol that you use on the backbone connecting your horizontal networks should depend on the amount of traffic it has to carry and the distance it has to span. In some organizations, most of the network communications are limited to the individual horizontal LANs. If, for example, your company consists of several departments that are largely autonomous, each with their own servers on a separate horizontal LAN, all of the intradepartmental traffic remains on the horizontal network and never reaches the backbone. In a case like this, you can probably use the same technology on the backbone as the horizontal LANs, such as Ethernet throughout. If, on the other hand, your company consists of departments that all rely on the same resources to do their work, such as a central database, it makes sense to connect the database servers directly to the backbone. When you do this, however, the backbone must be able to support the traffic generated by all of the horizontal networks combined. If the horizontal networks are running Fast Ethernet, the backbone should usually use a faster technology, such as Gigabit Ethernet, in order to keep up.
The distance that the backbone LAN must span and the environment in which it's used can also affect the protocol selection. If your site is large enough that the backbone cable runs are likely to exceed the 100-meter limit for unshielded twisted-pair cable, you should consider using fiber-optic cable. Fiber optic is also the preferred solution if you have to connect horizontal LANs that are located in different buildings on the same campus. Fiber optic is more expensive to purchase and install than UTP, but it is interoperable with copper cable in most cases. For example, you can purchase Fast Ethernet hubs and routers that support both cable types so that you can use UTP on your horizontal networks and fiber optic on the backbone.
Connecting to Remote Networks
In addition to connecting LANs at the same site, many internetworks use a backbone to connect to remote networks. In some cases, the organization consists of multiple offices in different cities or countries that must communicate with each other. If each office has its own internetwork, connecting the offices with WAN links forms another backbone that adds a third level to the network hierarchy and creates a single, enterprise internetwork. However, even an organization with one internetwork at a single location is likely to need a WAN connection to an Internet service provider so that users can access e-mail and other Internet services.
The technology you select for your WAN connections depends on factors such as the amount of bandwidth your network needs, when it needs it, and, as always, your budget. You can use anything from dial-on-demand telephone connections to high-speed leased lines to flexible bandwidth solutions, such as frame relay.
Selecting a WAN Topology
Another factor in selecting a WAN technology is the topology you will use to connect your various sites. WAN topologies are more flexible than those on LANs, which are dictated by the data link and physical layer protocols you elect to use. You can use WAN links to build an internetwork in many different ways. For example, the full mesh topology, when used on a WAN, consists of a separate, dedicated link (such as a leased line) between each two sites in your organization. If you have five offices in different cities, each office has four separate WAN links connecting it to the other offices, for a total of ten links (see Figure 9-4). If you have eight offices, a total of 28 separate WAN links are required. This arrangement provides the greatest amount of fault tolerance since a single link failure affects only the two sites involved, as well as the most efficient network, since each site can communicate directly with each of the other sites. However, this solution can also be expensive as well as wasteful, unless your network generates sufficient WAN traffic between each pair of sites to fill all of these links most of the time.
Figure 9-4 The full mesh WAN topology
A full mesh topology, consisting of individual links between the sites, assumes the use of dedicated, point-to-point WAN connections such as leased lines. However, there are alternatives to this type of link that can provide what amounts to a full mesh topology at much less expense. Frame relay uses a single leased line at each site to connect to a service provider's network, called the cloud. With all of the sites connected to the same cloud (using access points local to each location), each site can establish a virtual circuit to every other site as needed.
At the other end of the spectrum from the full mesh topology is the star topology, which designates one site as the main office (or hub) and consists of a separate, dedicated connection between the hub and each of the other branch sites. This topology uses the fewest WAN links to connect all of the sites, providing the greatest economy, and enables the main office to communicate directly with each of the branch sites. However, when two of the branch sites have to communicate, they must do so by going through the hub. Whether the star topology is suitable for your network depends on whether the branch sites frequently need to communicate with each other.
A ring topology has each site connected to two other sites, as shown in Figure 9-5. This topology uses only one link more than a star, but it provides a greater degree of fault tolerance. If any one link fails, it is still possible for any two sites to communicate by sending traffic around the ring in the other direction. By contrast, a link failure in a star internetwork disconnects one of the sites from the others completely. The disadvantage of the ring is the delay introduced by the need for traffic to pass through multiple sites in order to reach its destination, in most cases. A site on a star internetwork is never more than two hops from any other site, while ring sites may have to pass through several hops.
Figure 9-5 The ring WAN topology
Each of these topologies represents an extreme example of a network communication technique, but none of them has to be followed absolutely in every case. You can, for example, create a partial mesh topology by eliminating some of the links from the full mesh design. Not all of your sites may require a dedicated link to every other site, so you can eliminate the extraneous links, thus reducing the cost of the network. When a site has to communicate with another site to which it does not have a direct connection, it can go through one of its connected sites instead. In the same way, you can build more fault tolerance into a star network by having two hub sites instead of one and connecting each of the other sites to both hubs. This requires twice as many links as a standard star topology but still fewer than a full mesh.
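The trade-offs the preceding sections describe (link count against hop count against what a single link failure does) can be checked mechanically. The following Python is an added example, not code from the book: it builds the full mesh, star, and ring topologies for n sites, then reports the number of links, the worst-case hop count, and whether every single-link failure leaves all sites reachable. Site numbering and the hub choice (site 0) are assumptions of the example.

```python
"""Compare WAN topologies by cost (links), latency (hops) and availability
(single-link-failure tolerance). Sites are numbered 0..n-1 and a link is an
unordered pair of sites. Added example; not from the book."""
from collections import deque
from itertools import combinations


def full_mesh(n):
    """A dedicated link between every pair of sites: n*(n-1)/2 links."""
    return {frozenset(pair) for pair in combinations(range(n), 2)}


def star(n, hub=0):
    """One hub site (site 0 assumed) linked to every branch site: n-1 links."""
    return {frozenset((hub, site)) for site in range(n) if site != hub}


def ring(n):
    """Each site linked to its two neighbours around the ring: n links."""
    return {frozenset((i, (i + 1) % n)) for i in range(n)}


def hop_counts(n, links, source):
    """Breadth-first search from source; hops to every site, None if unreachable."""
    adjacency = {site: set() for site in range(n)}
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)
    distance = {source: 0}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in distance:
                distance[neighbour] = distance[current] + 1
                queue.append(neighbour)
    return [distance.get(site) for site in range(n)]


def diameter(n, links):
    """Worst-case hops between any two sites, or None if the network is partitioned."""
    worst = 0
    for site in range(n):
        hops = hop_counts(n, links, site)
        if None in hops:
            return None
        worst = max(worst, max(hops))
    return worst


def analyze(n, links):
    """Cut each link in turn and see what the remaining network can still do."""
    after_each_cut = [diameter(n, links - {cut}) for cut in links]
    partitioned = None in after_each_cut
    return {
        "links": len(links),
        "max_hops": diameter(n, links),
        "survives_any_single_link_failure": not partitioned,
        # Ring traffic must go the long way round once a link is cut.
        "worst_hops_after_single_failure": None if partitioned else max(after_each_cut),
    }


def compare(n):
    """Run the analysis for the three topologies discussed in the text."""
    builders = (("full mesh", full_mesh), ("star", star), ("ring", ring))
    return {name: analyze(n, build(n)) for name, build in builders}


if __name__ == "__main__":
    # Eight offices, as in the text's 28-link full mesh example.
    for name, result in compare(8).items():
        print(f"{name:10s} {result}")
```

For eight sites the output shows the ring surviving any single cut but needing seven hops afterwards, while the star stays at two hops yet loses a site on any cut.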
Planning Internet Access
Connecting a network to the Internet is usually far less complicated than connecting multiple sites with WAN links. Even if your internetwork consists of several sites, it is more common to equip each one with its own Internet connection, rather than connect one site and have the other sites access the Internet through the intersite WAN. The WAN technology you use to connect each site to the Internet should once again depend on the bandwidth you require and your budget.
Locating Equipment
Designing the individual LANs that make up the internetwork is similar to designing a single, stand-alone LAN, except you must work the backbone connections into the design. Large internetworks are more likely to use internal bulk cable installations for the network segments, rather than the prefabricated, external cables commonly used for home and small-business networks. In an internal installation, cables run inside walls and ceilings and terminate at wall plates and patch panels. This type of installation is much more complicated than an external one where the cables are left exposed. Therefore, this installation is frequently outsourced to a contractor who specializes in on-premises wiring. For these reasons, a detailed network plan showing the route of each cable and the location of each wall plate and patch panel is essential. You don't want to have to call the contractor in after the installation is finished to pull additional cables.
Designing such a network and creating the plan are tasks that require an intimate knowledge of the building in which the network is to be located. As with a home or small-business LAN, you must decide where all of the computers and other network devices are going to be located and then work out how you are going to run the cables that connect them to the hub. For an internetwork design, you also have to decide where you're going to put the router that connects each LAN to the backbone (in the case of a distributed backbone network) or how you're going to connect each LAN to the main router/switch (in the case of a collapsed backbone network).
Wiring Closets
In the classic example of a multifloored office building with a horizontal network on each floor and a distributed backbone connecting them vertically, it is common practice to have a telecommunications room, often called a wiring closet, on each floor. This closet can serve as the location for the patch panel where all of the cable runs for the floor terminate, as well as the hub that connects all of the devices on the floor into a LAN and the router that connects the LAN to the backbone network. It's also possible to install workgroup or even enterprise servers in these closets. To facilitate the backbone cabling, the best arrangement is for the wiring closets on each floor to be on top of each other, with a chase or wiring conduit running vertically through them and connecting all of the closets in the building.
To some people, the term wiring closet might evoke visions of hubs and routers shoved into a dark little space along with mops and buckets, but this should definitely not be the case. Wiring closets may already exist, even in a building not already cabled for a data network, to support telephone equipment and other building services. The closet may indeed be a small space, but it should be well lit and have room enough to work in, if necessary. The room is called a closet because there is typically no room (or need) for desks and workstations inside. Most of the routers, servers, and other networking equipment available today can be equipped with remote administration capabilities, which minimizes the need to actually open the closet to physically access the equipment. Unlike an equipment storage closet, a wiring or server closet must also maintain an appropriate environment for the equipment inside. A space that is neither heated in the winter nor air conditioned in the summer can greatly shorten the life of delicate electronics. Wiring closets must also be kept locked, of course, to protect the valuable equipment from theft and "experimentation" by unauthorized personnel.
Data Centers
Wiring closets are eminently suitable for distributed backbone networks because this type of network requires that a relatively large amount of expensive equipment be scattered throughout the building. Another organizational option, better suited for a collapsed backbone network, is to have a single data center containing all of the networking equipment for the entire enterprise. In this context, a data center is really just a larger, more elaborate wiring closet. Typically, a data center is a secured room or suite that has been outfitted to support large amounts of electronic equipment. This usually includes special air conditioning, extra power lines, power conditioning and backup, additional fixtures such as a modular floor with a wiring space beneath it, and extra security to prevent unauthorized access.
The center typically contains the network's enterprise servers and the routers that join the LANs together and provide Internet and WAN access. If the building housing the network is not too large, you can place all of the hubs for the individual LANs in the data center as well. This means that every wall plate in the building to which a computer is connected has a cable connecting it to a hub in the data center. This arrangement is feasible only if the length of the cable runs is less than 100 meters, assuming that the horizontal networks are using UTP cable. If the distance between any of your wall plate locations and the data center exceeds 100 meters, you must either use fiber-optic cable (which supports longer segments) or place the hubs at the location of each LAN. If you choose to do the latter, you only have to find a relatively secure place for each hub.
When the hubs are distributed around the building, you need only one cable run from each hub to the data center. If you use centralized hubs, each of your cable runs extends all the way from the computer to the data center. Not only can this use much more cable, but the sheer bulk of the cables might exceed the size of the wiring spaces available in the building. However, the advantage of having centralized hubs is that network support personnel can easily service them and monitor their status, and connecting them to the hub or switch that joins the LANs into an internetwork is simply a matter of running a cable across the room.
Typically, the equipment in a data center is mounted in racks, which can extend from floor to ceiling. Virtually all manufacturers of servers, hubs, routers, and other network devices intended for large enterprise networks have products designed to bolt into these standard-sized racks, which makes it easier to organize and access the equipment in the data center.
Finalizing the Design
As you flesh out the network design in detail, you can begin to select specific vendors, products, and contractors. This process can include shopping for the best hardware prices in catalogs and on web sites, evaluating software products, interviewing and obtaining estimates from cable installation contractors, and investigating service providers for WAN technologies. This is the most critical part of the design process, for several reasons. First, this is the point at which you'll be able to determine the actual cost of building the network, not just an estimate. Second, it is at this phase that you must make sure all the components you select are actually capable of performing as your preliminary plan expects them to. If, for example, you discover that the router model with all of the features you need is no longer available, you may have to modify the plan to use a different type of router or to implement the feature you need in another way. Third, the concrete information you develop at this stage enables you to create a deployment schedule. A network design plan can never have too much detail. Documenting your network as completely as possible, before, during, and after construction, can only help you to maintain and repair it later. The planning process for a large network can be long and complicated, but it is rare for any of the time spent to be wasted.
PART III
Network Protocols
CHAPTER 10 Ethernet Basics
CHAPTER 11 100Base Ethernet and Gigabit Ethernet
CHAPTER 12 Networking Protocols

CHAPTER 10
Ethernet Basics
Ethernet is the data link layer protocol used by the vast majority of the local area networks operating today. Since the 1990s, the Ethernet standards have been revised and updated to support many different types of network media and to provide dramatic speed increases over the original protocol. Because all of the Ethernet variants operate using the same basic principles and because the high-speed Ethernet technologies were designed with backward compatibility in mind, upgrading a standard network is usually relatively easy. This is in marked contrast to other high-speed technologies such as Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM), for which upgrades can require extensive infrastructure modifications, such as new cabling, as well as training and acclimation for the personnel supporting the new technology.
This chapter examines the fundamental Ethernet mechanisms and how they provide a unified interface between the physical layer of the Open Systems Interconnection (OSI) reference model and multiple protocols operating at the network layer. Then you'll learn how newer technologies such as Fast Ethernet and Gigabit Ethernet improve on the older standards and provide sufficient bandwidth for the needs of virtually any network application. Finally, there will be a discussion of upgrade strategies and real-world troubleshooting techniques to help you improve the performance of your own network.
Ethernet Defined
The Ethernet protocol provides a unified interface to the network medium that enables an operating system to transmit and receive multiple network layer protocols simultaneously. Like most of the data link layer protocols used on LANs, Ethernet is, in technical terms, connectionless and unreliable. Ethernet makes its best effort to transmit data to the appointed destination, but no mechanism exists to guarantee a successful delivery. Instead, services such as guaranteed delivery are left up to the protocols operating at the higher layers of the OSI model, depending on whether the data warrants it.
NOTE In this context, the term unreliable means only that the protocol lacks a means of acknowledging that packets have been successfully received.
As defined by the Ethernet standards, the protocol consists of three essential components:
• A series of physical layer guidelines that specify the cable types, wiring restrictions, and signaling methods for Ethernet networks
• A frame format that defines the order and functions of the bits transmitted in an Ethernet packet
• A media access control (MAC) mechanism called Carrier Sense Multiple Access with Collision Detection (CSMA/CD) that enables all of the computers on the LAN equal access to the network medium.
From a product perspective, the Ethernet protocol consists of the network interface adapters installed in the network's computers, usually in the form of network interface cards (NICs), the network adapter drivers the operating system uses to communicate with the network adapters, and the hubs and cables you use to connect the computers. When you purchase network adapters and hubs, you must be sure they all support the same Ethernet standards for them to be able to work together optimally.
Ethernet Standards
When Ethernet was first designed in the 1970s, it carried data over a baseband connection using coaxial cable running at 10 Mbps and a signaling system called Manchester encoding. This eventually came to be known as thick Ethernet because the cable itself was approximately 1 centimeter wide, about the thickness of a garden hose (indeed, its color and rigidity led to its being referred to as the "frozen yellow garden hose" by whimsical network administrators). The first Ethernet standard, which was titled "The Ethernet, a Local Area Network: Data Link Layer and Physical Layer Specifications," was published in 1980 by a consortium of companies that included DEC, Intel, and Xerox, giving rise to the acronym DIX; thus, the document became known as the DIX Ethernet standard.
Ethernet II
The DIX 2.0 standard, commonly known as DIX Ethernet II, was published in 1982 and expanded the physical layer options to include a thinner type of coaxial cable, which came to be called thin Ethernet, ThinNet, or cheapernet because it was less expensive than the original thick coaxial cable.
IEEE 802.3
During this time, a desire arose to build an international standard around the Ethernet protocol. In 1980, a working group was formed by a standards-making body called the Institute of Electrical and Electronics Engineers (IEEE), under the supervision of their Local and Metropolitan Area Networks (LAN/MAN) Standards Committee, for the purpose of developing an "Ethernet-like" standard. This committee is known by the number 802, and the working group was given the designation IEEE 802.3. The resulting standard, published in 1985, was called the "IEEE 802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications." The term Ethernet was (and still is) scrupulously avoided by the IEEE 802.3 group because they wanted to avoid creating any impression that the standard was based on a commercial product that had been registered as a trademark by Xerox. However, with a few minor differences, this document essentially defines an Ethernet network under another name, and to this day, the products conforming to the IEEE 802.3 standard are called by the name Ethernet.
NOTE The IEEE standards are available for downloading at http://standards.ieee.org/about/get/802/802.3.html.
DIX Ethernet and IEEE 802.3 Differences
While the DIX Ethernet II standard treated the data link layer as a single entity, the IEEE standards divide the layer into two sublayers, called logical link control (LLC) and media access control (MAC). The LLC sublayer isolates the functions that occur beneath it from those above it and is defined by a separate standard: IEEE 802.2. The IEEE committee uses the same abstraction layer with the network types defined by other 802 standards, such as the 802.5 Token Ring network. The use of the LLC sublayer with the 802.3 protocol also led to a small but important change in the protocol's frame format, as described in the "The Ethernet Frame" section later in this chapter. The MAC sublayer defines the mechanism by which Ethernet systems arbitrate access to the network medium, as discussed in the forthcoming section "CSMA/CD."
By 1990, the IEEE 802.3 standard had been developed further and now included other physical layer options that made coaxial cable all but obsolete, such as the twisted-pair cable commonly used in telephone installations and fiber-optic cable. Because it is easy to work with, inexpensive, and reliable, twisted-pair (or 10Base-T) Ethernet quickly became the most popular medium for this protocol. Most of the Ethernet networks installed today use twisted-pair cable, which continues to be supported by the new, higher-speed standards. Fiber-optic technology enables network connections to span much longer distances than copper and is immune from electromagnetic interference.
Table 10-1 lists the primary differences between the IEEE 802.3 standard and the DIX Ethernet II standard.
Table 10-1 Differences Between the IEEE 802.3 Standards and the Old DIX Ethernet II Standards
IEEE Shorthand Identifiers
The IEEE is also responsible for the shorthand identifiers that are often used when referring to specific physical layer Ethernet implementations, such as 100Base-T for a Fast Ethernet network. In this identifier, the 100 refers to the speed of the network, which is 100 Mbps. All of the Ethernet identifiers begin with 10, 100, or 1000.
The Base refers to the fact that the network uses baseband transmissions. As explained in Chapter 1, a baseband network is one in which the network medium carries only one signal at a time, as opposed to a broadband network, which can carry many signals simultaneously. All of the Ethernet variants are baseband, except for one broadband version, which is rarely, if ever, used.
The final part of the identifier specifies the type of medium the network uses. For example, the T in 100Base-T stands for twisted-pair cable. Table 10-2 explains some of the Ethernet identifiers. For a complete list, go to http://standards.ieee.org/about/get/802/802.3.html and enter the specific standard.
Table 10-2 IEEE Shorthand Identifiers for Ethernet Networks
NOTE Beginning with the 10Base-T specification, the IEEE began including a hyphen after the Base designator to prevent people from pronouncing 10Base-T as "ten bassett."
CSMA/CD
Today, many of the issues with collisions on an Ethernet network have been eliminated with shared, full-duplex, point-to-point channels between the node originating transmission and the receiver. However, since CSMA/CD is supported for backward compatibility, IEEE 802.3 still defines the specification.
Like any MAC method, CSMA/CD enabled the computers on the network to share a single baseband medium without data loss. There are no priorities on an Ethernet network as far as media access is concerned; the protocol was designed so that every node has equal access rights to the network medium. Figure 10-1 illustrates the process by which CSMA/CD arbitrates access to the network medium on an Ethernet network. While obsolete in today's Ethernet networks, it is supported for compatibility with earlier networks, so you need to understand the process.
Figure 10-1 If Node B begins to transmit data before the transmission from Node A reaches it, a collision will occur.
WhenanodeonanEthernetnetworkwantstotransmitdata,itfirstmonitorsthenetworkmediumtoseewhetheritiscurrentlyinuse.Thisisthecarriersensephaseoftheprocess.Ifthenodedetectstrafficonthenetwork,itpausesforashortintervalandthenlistenstothenetworkagain.Oncethenetworkisclear,anyofthenodesonthenetwork
mayuseittotransmittheirdata.Thisisthemultipleaccessphase.Thismechanisminitselfarbitratesaccesstothemedium,butitisnotwithoutfault.
Itisentirelypossiblefortwo(ormore)systemstodetectaclearnetworkandthentransmittheirdataatnearlythesamemoment.Thisresultsinwhatthe802.3standardcallsasignalqualityerror(SQE)or,astheconditionismorecommonlyknown,apacketcollision.Collisionsoccurwhenonesystembeginstransmittingitsdataandanothersystemperformsitscarriersenseduringthebriefintervalbeforethefirstbitinthetransmittedpacketreachesit.Thisintervalisknownasthecontentiontime(orslottime)becauseeachofthesystemsinvolvedbelievesithasbeguntotransmitfirst.Everynodeonthenetworkis,therefore,alwaysinoneofthreepossiblestates:transmission,contention,oridle.
Whenpacketsfromtwodifferentnodescollide,anabnormalconditioniscreatedonthecablethattravelsontowardbothsystems.Onacoaxialnetwork,thevoltagelevelspikestothepointatwhichitisthesameorgreaterthanthecombinedlevelsofthetwotransmitters(+/−0.85V).Onatwisted-pairorfiber-opticnetwork,theanomalytakestheformofsignalactivityonboththetransmitandreceivecircuitsatthesametime.
Wheneachtransmittingsystemdetectstheabnormality,itrecognizesthatacollisionhastakenplace,immediatelystopssendingdata,andbeginstakingactiontocorrecttheproblem.Thisisthecollisiondetectionphaseoftheprocess.Becausethepacketsthatcollidedareconsideredtobecorrupted,boththesystemsinvolvedtransmitajampatternthatfillstheentirenetworkcablewithvoltage,informingtheothersystemsonthenetworkofthecollisionandpreventingthemfrominitiatingtheirowntransmissions.
Thejampatternisasequenceof32bitsthatcanhaveanyvalue,aslongasitdoesnotequalthevalueofthecyclicredundancycheck(CRC)calculationinthedamagedpacket’sframechecksequence(FCS)field.AsystemreceivinganEthernetpacketusestheFCSfieldtodeterminewhetherthedatainthepackethasbeenreceivedwithouterror.AslongasthejampatterndiffersfromthecorrectCRCvalue,allreceivingnodeswilldiscardthepacket.Inmostcases,networkadapterssimplytransmit32bitswiththevalue1.TheoddsofthisalsobeingthevalueoftheCRCforthepacketare1in232(inotherwords,notlikely).
Aftertransmittingthejampattern,thenodesinvolvedinthecollisionbothrescheduletheirtransmissionsusingarandomizeddelayintervaltheycalculatewithanalgorithmthatusestheirMACaddressesasauniquefactor.Thisprocessiscalledbackingoff.Becausebothnodesperformtheirownindependentbackoffcalculations,thechancesofthembothretransmittingatthesametimearesubstantiallydiminished.Thisisapossibility,however,andifanothercollisionoccursbetweenthesametwonodes,theybothincreasethepossiblelengthoftheirdelayintervalsandbackoffagain.Asthenumberofpossiblevaluesforthebackoffintervalincreases,theprobabilityofthesystemsagainselectingthesameintervaldiminishes.TheEthernetspecificationscallthisprocesstruncatedbinaryexponentialbackoff(ortruncatedBEB).AnEthernetsystemwillattempttotransmitapacketasmanyas16times(reportedasan“excessivecollisionerror”),andifacollisionresultseachtime,thepacketisdiscarded.
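The following Python model of truncated BEB is an added example, not code from the book. The chapter gives the 16-attempt limit; the exact growth rule (after the nth collision a station waits a random number of slot times in 0 .. 2^k − 1 with k = min(n, 10)) and the 512-bit slot time are taken from IEEE 802.3, and the two-station contention and the always-zero RNG are constructed to show the normal and the worst case.

```python
import random

# Values from IEEE 802.3 (the chapter states the 16-attempt limit; the rest is the standard's).
MAX_ATTEMPTS = 16      # the frame is discarded after its 16th collision (excessive collision error)
BACKOFF_LIMIT = 10     # the exponent stops growing after the 10th collision ("truncated")
SLOT_TIME_BITS = 512   # one slot time at 10 Mbps is 512 bit times, the 64-byte minimum frame


def backoff_choices(collisions: int) -> int:
    """Number of slot counts a station may pick from after `collisions` collisions.

    The station waits r slot times with 0 <= r < 2**k and k = min(collisions, 10),
    so the range doubles 2, 4, 8, ... and is capped at 1024 choices.
    """
    if collisions < 1:
        raise ValueError("backoff is only calculated after a collision")
    return 2 ** min(collisions, BACKOFF_LIMIT)


def choose_backoff(collisions: int, rng) -> int:
    """Pick the random slot count; `rng` only needs a randrange(n) method."""
    return rng.randrange(backoff_choices(collisions))


class AlwaysZero:
    """Constructed worst-case RNG: every station always picks slot 0, so the two
    stations collide on every retry. Used to show the 16-attempt limit."""

    def randrange(self, n: int) -> int:
        return 0


def resolve_two_stations(rng) -> dict:
    """Two stations have just collided on their first attempt (collisions == 1).

    Each backs off independently; another collision occurs whenever they pick the
    same slot count. Returns how many collisions it took before one station got the
    medium, or reports the frame as discarded after MAX_ATTEMPTS collisions.
    """
    collisions = 1
    while collisions < MAX_ATTEMPTS:
        a = choose_backoff(collisions, rng)
        b = choose_backoff(collisions, rng)
        if a != b:
            # The station with the shorter wait transmits first; the other senses the
            # carrier, defers, and sends afterwards without a further collision.
            return {"outcome": "resolved", "collisions": collisions, "slots": (a, b)}
        collisions += 1
    return {"outcome": "discarded", "collisions": collisions, "slots": None}


def demo_run(seed: int) -> dict:
    """Deterministic run with Python's PRNG, so results can be reproduced."""
    return resolve_two_stations(random.Random(seed))


if __name__ == "__main__":
    print(demo_run(7))
    print(resolve_two_stations(AlwaysZero()))
```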
Collisions
Every system on an Ethernet network uses the CSMA/CD MAC mechanism for every packet it transmits, so the entire process obviously occurs quickly. Most of the collisions that occur on a typical Ethernet network are resolved in microseconds (millionths of a second). The most important thing to understand when it comes to Ethernet media arbitration is that packet collisions are natural and expected occurrences on this type of network, and they do not necessarily signify a problem. If you use a protocol analyzer or other network monitoring tool to analyze the traffic on an Ethernet network, you will see that a certain number of collisions always occur.
NOTE The type of packet collision described here is normal and expected, but there is a different type, called a late collision, that signifies a serious network problem. The difference between the two types of collisions is that normal collisions are detectable and late collisions are not. See the next section, “Late Collisions,” for more information.
Normal packet collisions become a problem only when there are too many of them and significant network delays begin to accumulate. The combination of the backoff intervals and the retransmission of the packets themselves (sometimes more than once) incurs delays that are multiplied by the number of packets transmitted by each computer and by the number of computers on the network.
The fundamental fault of the CSMA/CD mechanism was that the more traffic there was on the network, the more collisions there were likely to be. The utilization of a network is based on the number of systems connected to it and the amount of data they send and receive over the network. When expressed as a percentage, the network utilization represents the proportion of the time the network is actually in use—that is, the amount of time that data is actually in transit. On an average Ethernet network, the utilization was likely to be somewhere in the 30 to 40 percent range. When the utilization increases to approximately 80 percent, the number of collisions increases to the point at which the performance of the network noticeably degrades. In the most extreme case, known as a collapse, the network is so heavily trafficked, it is almost perpetually in a state of contention, waiting for collisions to be resolved. This condition can conceivably be caused by the coincidental occurrence of repeated collisions, but it is more likely to result from a malfunctioning network interface that is continuously transmitting bad frames without pausing for carrier sense or collision detection. An adapter in this state is said to be jabbering.
NOTE Data link layer protocols that use a token-passing media access control mechanism, such as Token Ring and FDDI, are not subject to performance degradation caused by high network traffic levels. This is because these protocols use a mechanism that makes it impossible for more than one system on the network to transmit at any one time. On networks like these, collisions are not normal occurrences and signify a serious problem. For more information on token passing, see Chapter 12.
Late Collisions
The physical layer specifications for the Ethernet protocol are designed so that the first 64 bytes of every packet transmission completely fill the entire aggregate length of cable in the collision domain. Thus, by the time a node has transmitted the first 64 bytes of a packet, every other node on the network has received at least the first bit of that packet. At this point, the other nodes will not transmit their own data because their carrier sense mechanism has detected traffic on the network.
It is essential for the first bit of each transmitted packet to arrive at every node on the network before the last bit leaves the sender. This is because the transmitting system can detect a collision only while it is still transmitting data. (Remember, on a twisted-pair or fiber-optic network, it is the presence of signals on the transmit and receive wires at the same time that indicates a collision.) Once the last bit has left the sending node, the sender considers the transmission to have completed successfully and erases the packet from the network adapter’s memory buffer. It is because of this collision detection mechanism that every packet transmitted on an Ethernet network must be at least 64 bytes in length, even if the sending system has to pad it with useless (0) bits to reach that length.
If a collision should occur after the last bit has left the sending node, it is called a late collision, or sometimes an out-of-window collision. (To distinguish between the two types of collisions, the normally occurring type was sometimes called an early collision.) Because the sending system has no way of detecting a late collision, it considers the packet to have been transmitted successfully, even though the data has actually been destroyed. Any data lost as a result of a late collision cannot be retransmitted by a data link layer process. It is up to the protocols operating at higher layers of the OSI model to detect the data loss and to use their own mechanisms to force a retransmission. This process can take up to 100 times longer than an Ethernet retransmission, which is one reason why this type of collision is a problem.
Late collisions result from several different causes. If a network interface adapter should malfunction and transmit a packet less than 64 bytes long (called a runt), the last bit could leave the sender before the packet has fully propagated around the network. In other cases, the adapter’s carrier sense mechanism might fail, causing it to transmit at the wrong time. In both instances, you should replace the malfunctioning adapter. Another possible cause of late collisions is a network that does not fall within the Ethernet cabling guidelines.
Physical Layer Guidelines
The Ethernet specifications define not only the types of cable you can use with the protocol, but also the installation guidelines for the cable, such as the maximum length of cable segments and the number of hubs or repeaters permitted. As explained earlier, the configuration of the physical layer medium is a crucial element of the CSMA/CD media access control mechanism. If the overall distance between two systems on the network is too long or there are too many repeaters, diminished performance can result, which is quite difficult to diagnose and troubleshoot.
Tables 10-3 and 10-4 display the cabling guidelines, which vary for each of the media to compensate for the performance characteristics of the different cable types.
Table 10-3 Physical Layer Options for 10 Mbps Ethernet
Table 10-4 Physical Layer Options for Today’s Ethernet Types
10Base-5 (Thick Ethernet)
Thick Ethernet, or ThickNet, used RG-8 coaxial cable in a bus topology to connect up to 100 nodes to a single segment no more than 500 meters long. Because it can span long distances and is well shielded, thick Ethernet was commonly used for backbone networks in the early days of Ethernet. However, RG-8 cable, like all of the coaxial cables used in Ethernet networks, cannot support transmission rates faster than 10 Mbps, which limits its utility as a backbone medium. As soon as a faster alternative was available (such as FDDI), most network administrators abandoned thick Ethernet. However, although it is hardly ever used anymore, the components of a thick Ethernet network are a good illustration of the various components involved in the physical layer of an Ethernet network.
The coaxial cable segment on a thick Ethernet network should, whenever possible, be a single unbroken length of cable, or at least be pieced together from the same spool or cable lot using N connectors on each cable end and an N barrel connector between them. There should be as few breaks as possible in the cable, and if you must use cable from different lots, the individual pieces should be 23.4, 70.2, or 117 meters long to minimize the signal reflections that may occur. Both ends of the bus must be terminated with a 50-ohm resistor built into an N terminator, and the cable should be grounded at one (and only one) end using a grounding connector attached to the N terminator.
NOTE For more information on RG-8 and all of the cables used to build Ethernet networks, see Chapter 4.
Unlike all of the other Ethernet physical layer options, the thick Ethernet cable did not run directly to the network interface card in the PC. This is because the coaxial cable itself was large, heavy, and comparatively inflexible. Instead, the NIC is connected to the RG-8 trunk cable with another cable, called the attachment unit interface (AUI) cable. The AUI cable has 15-pin D-shell connectors at both ends, one of which plugs directly into the NIC, and the other into a medium attachment unit (MAU), also known as a transceiver. The MAU connects to the coaxial cable using a device called the medium dependent interface (MDI), which clamps to the cable and makes an electrical connection through holes cut into the insulating sheath. Because of the fanglike appearance of the connector, this device is commonly referred to as a vampire tap.
NOTE Do not confuse the MAUs used on thick Ethernet networks with the multistation access units (MAUs) used as hubs on Token Ring networks. The maximum of 100 nodes on a thick Ethernet cable segment (and 30 nodes on a ThinNet segment) is based on the number of MAUs present on the network. Because repeaters include their own MAUs, they count toward the maximum.
NOTE If for no other reason, the DIX Ethernet standard should be fondly remembered for using more sensible names for many of Ethernet’s technical concepts, such as collision rather than signal quality error. The DIX Ethernet name for the medium attachment unit is the transceiver (because it both transmits and receives), and its name for the attachment unit interface cable is transceiver cable.
Each standard AUI cable on a thick Ethernet network could be up to 50 meters long, which provided for an added degree of flexibility in the installation. Standard AUI cables were the same thickness as the thick Ethernet coaxial and similarly hard to work with. There were also thinner and more flexible “office-grade” AUI cables, but these were limited to a maximum length of 12.5 meters.
The 500-meter maximum length for the thick Ethernet cable made it possible to connect systems at comparatively long distances and provided excellent protection against interference and attenuation. Unfortunately, the cable was difficult to work with and even harder to hide. Today, sites that require long cable segments or better insulation are apt to use fiber optic.
10Base-2 (Thin Ethernet)
Thin Ethernet, or ThinNet, was similar in functionality to Thick Ethernet, except that the cable was RG-58 coaxial, about 5 millimeters in diameter, and much more flexible. For thin Ethernet (and all other Ethernet physical layer options except thick Ethernet), the MAU (transceiver) was integrated into the network interface card and no AUI cable was needed.
Thin Ethernet used Bayonet Neill-Concelman (BNC) connectors and a fitting called a T-connector that attaches to the network card in the PC. This connector is sometimes erroneously called a British Naval Connector or Bayonet Nut Connector. You created the network bus by running a cable to one end of the T-connector’s crossbar and then using another cable on the other end of the crossbar to connect to the next system, as shown in Figure 10-2. Like thick Ethernet, a thin Ethernet network must be terminated and grounded. The two systems at the ends of the bus must have a terminator containing a 50-ohm resistor on one end of their Ts to terminate the bus, and one end (only) should be connected to a ground.
Figure 10-2 Thin Ethernet networks used T-connectors to form a single cable segment connecting up to 30 computers in a bus topology.
NOTE The T-connectors on an Ethernet network had to be directly connected to the network interface cards in the computers. Using a length of cable to join the T-connector to the computer was not permitted.
Because the cable was thinner, thin Ethernet was more prone to interference and attenuation and was limited to a segment length of 185 meters and a maximum of 30 nodes. Each piece of cable forming the segment had to be at least 0.5 meters long.
Connector faults were a common occurrence on thin Ethernet networks because prefabricated cables were relatively rare (compared to twisted pair), and the BNC connectors were usually crimped onto the RG-58 cables by network administrators, which can be a tricky process. Also, some cheap connectors were prone to a condition in which an oxide layer builds up between the conductors, resulting in a serious degradation in the network connectivity. These connectors were notoriously sensitive to improper treatment. An accidental tug or a person tripping over one of the two cables connected to each machine easily weakened the connection and caused intermittent transmission problems that are difficult to isolate and diagnose.
10Base-T or 100Base-T (Twisted-Pair Ethernet)
Most of the Ethernet networks today use unshielded twisted-pair (UTP) cable, originally known in the Ethernet world as 10Base-T, which solved several of the problems that plague coaxial cables. Today, the differences are in the speed of transmission.
Among other things, UTP Ethernet networks are
• Easily hidden UTP cables can be installed inside walls, floors, and ceilings with standard wall plates providing access to the network. Only a single, thin cable has to run to the computer. Pulling too hard on a UTP cable installed in this manner damages only an easily replaceable patch cable connecting the computer to the wall plate.
• Fault tolerant UTP networks use a star topology in which each computer has its own dedicated cable running to the hub. A break in a cable or a loose connection affects only the single machine to which it is connected.
• Upgradeable UTP cable installation running 10 Mbps Ethernet or 100 Mbps Ethernet can be upgraded at a later time.
Unshielded twisted-pair cable consists of four pairs of wires in a single sheath, with each pair twisted together at regular intervals to protect against crosstalk and 8-pin RJ-45 connectors at both ends. Since this isn’t a bus network, no termination or grounding is necessary. Both 10Base-T and 100Base-T Ethernet use only two of the four wire pairs in the cable, however: one pair for transmitting data signals (TD) and one for receiving them (RD), with one wire in each pair having a positive polarity and one a negative.
Unlike coaxial networks, 10Base-T calls for the use of a hub. This is a device that functions both as a wiring nexus and as a signal repeater, to which each of the nodes on the network has an individual connection (see Figure 10-3). The maximum length for each cable segment is 100 meters, but because there is nearly always an intervening hub that repeats the signals, the total distance between two nodes can be as much as 200 meters.
Figure 10-3 10Base-T networks used a hub to connect all the network nodes in a star topology.
UTP cables are typically wired straight through, meaning the wire for each pin is connected to the corresponding pin at the other end of the cable. For two nodes to communicate, however, the TD signals generated by each machine must be delivered to the RD connections in the other machine. In most cases, this is accomplished by a crossover circuit within the hub. You can connect two computers directly together without a hub by using a crossover cable, though, which connects the TD signals at each end to the RD signals at the other end.
NOTE For more information on network cables and their installation, see Chapter 4. For more information on hubs and repeaters, see Chapter 6.
Fiber-Optic Ethernet
Fiber-optic cable is a radical departure from the copper-based, physical layer options discussed so far. Because it uses pulses of light instead of electric current, fiber optic is immune to electromagnetic interference and is much more resistant to attenuation than copper. As a result, fiber-optic cable can span much longer distances, and because of the electric isolation it provides, it is suitable for network links between buildings. Fiber-optic cable is an excellent medium for data communications, but installing and maintaining it is somewhat more expensive than copper, and it requires completely different tools and skills.
The medium itself on a fiber-optic Ethernet network is two strands of 62.5/125 multimode fiber cable, with one strand used to transmit signals and one to receive them.
There were two main fiber-optic standards for 10 Mbps Ethernet: the original FOIRL standard and 10Base-F, which defines three different fiber-optic configurations called 10Base-FL, 10Base-FB, and 10Base-FP. Of all these standards, 10Base-FL was always the most popular, but running fiber-optic cable at 10 Mbps is an underuse of the medium’s potential that borders on the criminal. Now that 100 Mbps data link layer protocols, such as Fast Ethernet and FDDI, run on the same fiber-optic cable, there is no reason to use any of these slower solutions in a new installation.
FOIRL
The original fiber-optic standard for Ethernet from the early 1980s was called the Fiber-Optic Inter-Repeater Link (FOIRL). It was designed to function as a link between two repeaters up to 1,000 meters away. Intended for use in campus networks, FOIRL could join two distant networks, particularly those in adjacent buildings, using a fiber-optic cable.
10Base-FL
The 10Base-F supplement was developed by the IEEE 802.3 committee to provide a greater variety of fiber-optic alternatives for Ethernet networks. Designed with backward compatibility in mind, 10Base-FL was the IEEE counterpart to FOIRL. It increased the maximum length of a fiber-optic link to 2,000 meters and permitted connections between two repeaters, two computers, or a computer and a repeater.
As in all of the 10Base-F specifications, a computer connected to the network uses an external fiber-optic MAU (or FOMAU) and an AUI cable up to 25 meters long. The other end of the cable connects to a fiber-optic repeating hub that provides the same basic functions as a hub for copper segments.
Cabling Guidelines
In addition to the minimum and maximum segment lengths for the various types of 10Base Ethernet media, the standards imposed limits on the number of repeaters you could use in a single collision domain. This was necessary to ensure that every packet transmitted by an Ethernet node began to reach its destination before the last bit left the sender. If the distance traveled by a packet was too long, the sender was unable to detect collisions reliably, and data losses could occur.
Link Segments and Mixing Segments
When defining the limits on the number of repeaters allowed on the network, the 802.3 standard distinguishes between two types of cable segments, called link segments and mixing segments. A link segment is a length of cable that joins only two nodes, while a mixing segment joins more than two.
The 5-4-3 Rule
The Ethernet standards state that, in a single Ethernet collision domain, the route taken between any two nodes on the network can consist of no more than five cable segments, joined by four repeaters, and only three of the segments can be mixing segments. This is known as the Ethernet 5-4-3 rule. This rule is manifested in different ways, depending on the type of cable used for the network medium.
NOTE A collision domain is defined as a network configuration on which two nodes transmitting data at the same time will cause a collision. The use of bridges, switches, or intelligent hubs, instead of standard repeaters, does not extend the collision domain and does not fall under the Ethernet 5-4-3 rule. If you have a network that has reached its maximum size because of this rule, you should consider using one of these devices to create separate collision domains. See Chapter 6 for more information.
On a coaxial network, whether it was thick or thin Ethernet, you could have five cable segments joined by four repeaters. On a coaxial network, a repeater had only two ports and did nothing but amplify the signal as it traveled over the cable. A segment is the length of cable between two repeaters, even though in the case of thin Ethernet the segment could consist of many separate lengths of cable. This rule meant that the overall length of a thick Ethernet bus (called the maximum collision domain diameter) could be 2,500 meters (500 × 5), while a thin Ethernet bus could be up to 925 meters (185 × 5) long.
On either of these networks, however, only three of the cable segments actually had nodes connected to them (see Figure 10-4). You can use the two link segments to join mixing segments located at some distance from each other, but you cannot populate them with computers or other devices.
Figure 10-4 Coaxial networks consisted of up to five cable segments, with only three of the five connected to computers or other devices.
UTP Cabling
On a 10Base-T UTP network, the situation was different. Because the repeaters on this type of network were actually multiport hubs or switches, every cable segment connecting a node to the hub is a link segment. You can have four hubs in a collision domain that are connected to each other and each of which can be connected to as many nodes as the hub can support (see Figure 10-5). Because data traveling from one node to any other node passes through a maximum of only four hubs and because all the segments are link segments, the network is in compliance with the Ethernet standards.
Figure 10-5 Twisted-pair networks use link segments to connect to the computers, making it possible to have four populated hubs.
NOTE One potentially complicating factor to this arrangement was when you connected 10Base-T hubs using thin Ethernet coaxial cable. Some 10Base-T hubs included BNC connectors that enabled you to use a bus to chain multiple hubs together. When you did this with more than two hubs connected by a single coaxial segment, you were actually creating a mixing segment, and you had to count this toward the maximum of three mixing segments permitted on the network.
The 10Base-F specifications included some modifications to the 5-4-3 rule. When five cable segments were present on a 10Base-F network connected by four repeaters, FOIRL, 10Base-FL, and 10Base-FB segments could be no more than 500 meters long. 10Base-FP segments can be no more than 300 meters long.
Ethernet Timing Calculations
The 5-4-3 rule is a general guideline that is usually accurate enough to ensure your network will perform properly. However, it is also possible to assess the compliance of a network with the Ethernet cabling specifications more precisely by calculating two measurements: the round-trip signal delay time and the interframe gap shrinkage for the worst-case path through your network.
The round-trip signal delay time is the amount of time it takes a bit to travel between the two most distant nodes on the network and back again. The interframe gap shrinkage is the amount the normal 96-bit delay between packets is reduced by network conditions, such as the time required for repeaters to reconstruct a signal before sending it on its way.
In most cases, these calculations are unnecessary; as long as you comply with the 5-4-3 rule, your network should function properly. If you are planning to expand a complex network to the point at which it pushes the limits of the Ethernet guidelines, however, it might be a good idea to get a precise measurement to ensure that everything functions as it should. If you end up with a severe late collision problem that requires an expensive network upgrade to remedy, your boss isn’t likely to want to hear about how reliable the 5-4-3 rule usually is.
NOTE Calculating the round-trip signal delay time and the interframe gap shrinkage for your network is not part of a remedy for excessive numbers of early collisions.
Finding the Worst-Case Path
The worst-case path is the route data takes when traveling between the two most distant nodes on the network, both in terms of segment length and number of repeaters. On a relatively simple network, you can find the worst-case path by choosing the two nodes on the two outermost network segments either that have the longest link segments connecting them to the repeater or that are at the far ends of the cable bus, as shown in Figure 10-6.
Figure 10-6 On a simple network with all 10Base-T segments, the worst-case path ran between the nodes with the longest cables on both end segments.
On more complex networks using various types of cable segments, you have to select several paths to test your network. In addition, you may have to account for the variations caused by having different cable segment types at the left and right ends of the path.
If your network is well documented, you should have a schematic containing the precise distances of all your cable runs. You need these figures to make your calculations. If you don’t have a schematic, determining the exact distances may be the most difficult part of the whole process. The most accurate method for determining the length of a cable run is to use a multifunction cable tester, which utilizes a technique called time domain reflectometry (TDR). TDR is similar to radar, in that the unit transmits a test signal, precisely measures the time it takes the signal to travel to the other end of the cable and back again, and then uses this information to compute the cable’s length. If you don’t have a cable tester with TDR capabilities, you can measure the cable lengths manually by estimating the distances between the connectors. This can be particularly difficult when cables are installed inside walls and ceilings because there may be unseen obstacles that extend the length of the cable. If you use this method, you should err on the side of caution and include an additional distance factor to account for possible errors. Alternatively, you can simply use the maximum allowable cable distances for the various cable segments, as long as you are sure the cable runs do not exceed the Ethernet standard’s maximum segment length specifications.
Once you have determined the worst-case path (or paths) you will use for your calculations, it’s a good idea to create a simple diagram of each path with the cable distances involved. Each path will have left and right end segments and may have one or more middle segments. You will then perform your calculations on the individual segments and combine the results to test the entire path.
Exceeding Ethernet Cabling Specifications
The Ethernet specifications have a certain amount of leeway built into them that makes it possible to exceed the cabling limitations, within reason. If a network has an extra repeater or a cable that’s a little too long, it will probably continue to function without causing the late collisions that occur when the specifications are grossly exceeded. You can see how this is so by calculating the actual amount of copper cable filled by an Ethernet signal.
Electrical signals passing through a copper cable travel at approximately 200,000,000 meters/second (2/3 of the speed of light). Ethernet transmits at 10 Mbps, or 10,000,000 bits/second. By dividing 200,000,000 by 10,000,000, you arrive at a figure of 20 meters of cable for every transmitted bit. Thus, the smallest possible Ethernet frame, which is 512 bits (64 bytes) long, occupies 10,240 meters of copper cable.
If you take the longest possible length of copper cable permitted by the Ethernet standards, a 500-meter thick Ethernet segment, you can see that the entire 500 meters would be filled by only 25 bits of data (at 20 meters/bit). Two nodes at the far ends of the segment would have a round-trip distance of 1,000 meters.
When one of the two nodes transmits, a collision can occur only if the other node also begins transmitting before the signal reaches it. If you grant that the second node begins transmitting at the last possible moment before the first transmission reaches it, then the first node can send no more than 50 bits (occupying 1,000 meters of cable, 500 down and 500 back) before it detects the collision and ceases transmitting. Obviously, this 50 bits is well below the 512-bit barrier that separates early from late collisions.
Of course, this example involves only one segment. But even if you extend a thick Ethernet network to its maximum collision domain diameter—five segments of 500 meters each, or 2,500 meters—a node would still transmit only 250 bits (occupying 5,000 meters of cable, 2,500 down and 2,500 back) before detecting a collision.
Thus, you can see that the Ethernet specifications for the round-trip signal delay time are fully twice as strict as they need to be in the case of a thick Ethernet network. For the other copper media, thin Ethernet and 10Base-T, the specifications are even more lax because the maximum segment lengths are smaller, while the signaling speed remains the same. For a full-length five-segment 10Base-T network only 500 meters long, the specification is ten times stricter than it needs to be.
This is not to say that you can safely double the maximum cable lengths on your network across the board or install a dozen repeaters (although it is possible to safely lengthen the segments on a 10Base-T network up to 150 meters if you use Category 5 UTP cable instead of Category 3). Other factors can affect the conditions on your network to bring it closer to the limits defined by the specifications. In fact, the signal timing is not as much of a restricting factor on 10 Mbps Ethernet installations as is the signal strength. The weakening of the signal due to attenuation is far more likely to cause performance problems on an overextended network than are excess signal delay times. The point here is to demonstrate that the designers of the Ethernet protocol built a safety factor into the network from the beginning, perhaps partially explaining why it continues to work so well more than 20 years later.
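As an added example that is not from the book, the Python below turns the 5-4-3 rule and the simple round-trip estimate above into one check over a worst-case path. It covers both the cabling guidelines (segment counts, repeater count, mixing segments, the per-medium maximum lengths the chapter gives, including the 500-meter cap on FOIRL and 10Base-FL segments in a five-segment network) and the 20-meters-per-bit timing arithmetic; 10Base-FB and 10Base-FP are left out because the chapter states no stand-alone maximum for them, and the sample paths are constructed.

```python
# All figures below are the chapter's: 10 Mbps signaling, about 200,000,000 m/s in
# copper, the 512-bit minimum frame, the 5-4-3 rule, and the per-medium segment limits.
METERS_PER_BIT = 200_000_000 / 10_000_000   # 20 m of cable per transmitted bit
MIN_FRAME_BITS = 512                         # the 64-byte minimum frame
MAX_SEGMENTS, MAX_REPEATERS, MAX_MIXING = 5, 4, 3

# medium -> (maximum segment length in meters, whether it can be a mixing segment)
SEGMENT_RULES = {
    "10Base5": (500, True),      # thick coax bus
    "10Base2": (185, True),      # thin coax bus
    "10Base-T": (100, False),    # UTP: always a link segment to a hub
    "FOIRL": (1000, False),      # repeater-to-repeater fiber link
    "10Base-FL": (2000, False),  # fiber link
}
# In a five-segment network the chapter caps these fiber segments at 500 m.
FIVE_SEGMENT_FIBER_CAP = {"FOIRL": 500, "10Base-FL": 500}


def check_path(segments):
    """Check one worst-case path against the 5-4-3 rule and the timing estimate.

    `segments` is a list of (medium, length_m, populated); `populated` is True when
    more than two devices hang off the segment, which makes it a mixing segment.
    Returns the violations found plus the number of bits a sender puts on the wire
    before a collision at the far end of the path could travel back to it.
    """
    violations = []
    if len(segments) > MAX_SEGMENTS:
        violations.append(f"{len(segments)} segments exceed the maximum of {MAX_SEGMENTS}")
    repeaters = max(len(segments) - 1, 0)   # one repeater joins each pair of segments
    if repeaters > MAX_REPEATERS:
        violations.append(f"{repeaters} repeaters exceed the maximum of {MAX_REPEATERS}")

    mixing, total_m = 0, 0.0
    for medium, length_m, populated in segments:
        if medium not in SEGMENT_RULES:
            raise ValueError(f"unknown medium {medium!r}")
        limit, can_mix = SEGMENT_RULES[medium]
        if len(segments) == MAX_SEGMENTS and medium in FIVE_SEGMENT_FIBER_CAP:
            limit = FIVE_SEGMENT_FIBER_CAP[medium]
        if length_m > limit:
            violations.append(f"{medium} segment of {length_m} m exceeds {limit} m")
        if populated:
            if can_mix:
                mixing += 1
            else:
                violations.append(f"{medium} is a link segment and cannot be populated")
        total_m += length_m
    if mixing > MAX_MIXING:
        violations.append(f"{mixing} mixing segments exceed the maximum of {MAX_MIXING}")

    # Round trip: the signal goes the full path length down and the collision comes back.
    round_trip_bits = 2 * total_m / METERS_PER_BIT
    return {
        "compliant": not violations,
        "violations": violations,
        "path_length_m": total_m,
        "round_trip_bits": round_trip_bits,
        "within_slot_time": round_trip_bits <= MIN_FRAME_BITS,
    }


if __name__ == "__main__":
    # Constructed: maximum thick Ethernet diameter, three populated plus two link segments.
    thick = [("10Base5", 500, True)] * 3 + [("10Base5", 500, False)] * 2
    print(check_path(thick))
    # Constructed: four thin coax buses with nodes on each one violates the "3".
    print(check_path([("10Base2", 185, True)] * 4))
```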
TheEthernetFrameTheEthernetframeisthesequenceofbitsthatbeginsandendseveryEthernetpackettransmittedoveranetwork.TheframeconsistsofaheaderandfooterthatsurroundandencapsulatethedatageneratedbytheprotocolsoperatingathigherlayersoftheOSI
model.Theinformationintheheaderandfooterspecifiestheaddressesofthesystemsendingthepacketandthesystemthatistoreceiveitandalsoperformsseveralotherfunctionsthatareimportanttothedeliveryofthepacket.
TheIEEE802.3FrameThebasicEthernetframeformat,asdefinedbytheIEEE802.3standard,isshowninFigure10-7.Thefunctionsoftheindividualfieldsarediscussedinthefollowingsections.
Figure10-7TheEthernetframeenclosesthedatapasseddowntheprotocolstackfromthenetworklayerandpreparesitfortransmission.
PreambleandStartofFrameDelimiterThepreambleconsistsof7bytesofalternatingzerosandones,whichthesystemsonthenetworkusetosynchronizetheirclocksandthendiscard.TheManchesterencoding
schemeEthernetusesrequirestheclocksoncommunicatingsystemstobeinsyncsothattheybothagreeonhowlongabittimeis.Systemsinidlemode(thatis,notcurrentlytransmittingandnotintheprocessofrectifyingacollision)areincapableofreceivinganydatauntiltheyusethesignalsgeneratedbythealternatingbitvaluesofthepreambletopreparefortheforthcomingdatatransmission.
NOTEFormoreinformationonManchesterencodingandthesignalingthatoccursatthephysicallayer,seeChapter2.
By the time the 7 bytes of the preamble have been transmitted, the receiving system has synchronized its clock with that of the sender, but the receiver is also unaware of how many of the 7 bytes have elapsed before it fell into sync. To signal the commencement of the actual packet transmission, the sender transmits a 1-byte start of frame delimiter, which continues the alternating zeros and ones, except for the last two bits, which are both ones. This is the signal to the receiver that any data following is part of a data packet and should be read into the network adapter's memory buffer for processing.
Destination Address and Source Address
Addressing is the most basic function of the Ethernet frame. Because the frame can be said to form an envelope for the network layer data carried inside it, it is only fitting that the envelope have an address. The addresses the Ethernet protocol uses to identify the systems on the network are 6 bytes long and hard-coded into the network interface adapters in each machine. These addresses are referred to as hardware addresses or MAC addresses. The hardware address on every Ethernet adapter made is unique. The IEEE assigns 3-byte prefixes to NIC manufacturers that it calls organizationally unique identifiers (OUIs), and the manufacturers supply the remaining 3 bytes. When transmitting a packet, it is the network adapter driver on the system that generates the values for the destination address and source address fields.
The destination address field identifies the system to which the packet is being sent. The address may identify the ultimate destination of the packet if it's on the local network, or the address may belong to a device that provides access to another network, such as a router. Addresses at the data link layer always identify the packet's next stop on the local network. It is up to the network layer to control end-to-end transmission and to provide the address of the packet's ultimate destination.
Every node on a shared Ethernet network reads the destination address from the header of every packet transmitted by every system on the network to determine whether the header contains its own address. A system reading the frame header and recognizing its own address then reads the entire packet into its memory buffers and processes it accordingly. A destination address of all ones signifies that the packet is a broadcast, meaning it is intended for all of the systems on the network. Certain addresses can also be designated as multicast addresses by the networking software on the system. A multicast address identifies a group of systems on the network, all of which are to receive certain messages.
The source address field contains the 6-byte MAC address of the system sending the packet. (The specifications allow for 2-byte addresses as well.)
Length
The length field in an 802.3 frame is 2 bytes long and specifies how much data is being carried as the packet's payload, in bytes. This figure includes only the actual upper-layer data in the packet. It does not include the frame fields from the header or footer or any padding that might have been added to the data field to reach the minimum size for an Ethernet packet (64 bytes). The maximum size for an Ethernet packet, including the frame, is 1,518 bytes. Because the frame consists of 18 bytes, the maximum value for the length field is 1,500.
Data and Pad
The data field contains the payload of the packet—that is, the "contents" of the envelope. As passed down from the network layer protocol, the data will include an original message generated by an upper-layer application or process, plus any header information added by the protocols in the intervening layers. In addition, an 802.3 packet will contain the 3-byte logical link control header in the data field.
For example, the payload of a packet containing an Internet host name to be resolved into an IP address by a DNS server consists of the original DNS message generated at the application layer, a header applied by the UDP protocol at the transport layer, a header applied by the IP protocol at the network layer, and the LLC header. Although these three additional headers are not part of the original message, to the Ethernet protocol they are just payload that is carried in the data field like any other information. Just as postal workers are not concerned with the contents of the envelopes they carry, the Ethernet protocol has no knowledge of the data within the frame.
The entire Ethernet packet (excluding the preamble and the start of frame delimiter) must be a minimum of 64 bytes in length for the protocol's collision detection mechanism to function. Therefore, subtracting 18 bytes for the frame, the data field must be at least 46 bytes long. If the payload passed down from the network layer protocol is too short, the Ethernet adapter adds a string of meaningless bits to pad the data field out to the requisite length.
The maximum allowable length for an Ethernet packet is 1,518 bytes, meaning the data field can be no larger than 1,500 bytes (including the LLC header).
Frame Check Sequence
The last 4 bytes of the frame, following the data field (and the pad, if any), carry a checksum value the receiving node uses to determine whether the packet has arrived intact. Just before transmission, the network adapter at the sending node computes a cyclic redundancy check (CRC) on all of the packet's other fields (except for the preamble and the start of frame delimiter) using an algorithm called the AUTODIN II polynomial. The value of the CRC is uniquely based on the data used to compute it.
When the packet arrives at its destination, the network adapter in the receiving system reads the contents of the frame and performs the same computation. By comparing the newly computed value with the one in the FCS field, the system can verify that none of the packet's bit values has changed. If the values match, the system accepts the packet and writes it to the memory buffers for processing. If the values don't match, the system declares an alignment error and discards the frame. The system will also discard the frame if the number of bits in the packet is not a multiple of 8. Once a frame is discarded, it is up to the higher-layer protocols to recognize its absence and arrange for retransmission.
The Ethernet II Frame
The function of the 2-byte field following the source address was different in the frame formats of the two predominant Ethernet standards. While the 802.3 frame uses this field to specify the length of the data in the packet, the Ethernet II standard used it to specify the frame type, also called the Ethertype. The Ethertype specifies the memory buffer in which the frame should be stored. The location of the memory buffer specified in this field identifies the network layer protocol for which the data carried in the frame is intended.
This is a crucial element of every protocol operating in the data link, network, and transport layers of a system's networking stack. The data in the packet must be delivered not only to the proper system on the network, but also to the proper application or process on that system. Because the destination computer can be running multiple protocols at the network layer at the same time, such as IP, NetBEUI, and IPX, the Ethertype field informs the Ethernet adapter driver which of these protocols should receive the data.
When a system reads the header of an Ethernet packet, the only way to tell an Ethernet II frame from an 802.3 frame is by the value of the length/Ethertype field. Because the value of the 802.3 length field can be no higher than 1,500 (0x05DC, in hexadecimal notation), the Ethertype values assigned to the developers of the various network layer protocols are all higher than 1,500.
The Logical Link Control Sublayer
The IEEE splits the functionality of the data link layer into two sublayers: media access control and logical link control. On an Ethernet network, the MAC sublayer includes elements of the 802.3 standard: the physical layer specifications, the CSMA/CD mechanism, and the 802.3 frame. The functions of the LLC sublayer are defined in the 802.2 standard, which is also used with the other 802 MAC standards.
The LLC sublayer is capable of providing a variety of communications services to network layer protocols, including the following:
• Unacknowledged connectionless service A simple service that provides no flow control or error control and does not guarantee accurate delivery of data
• Connection-oriented service A fully reliable service that guarantees accurate data delivery by establishing a connection with the destination before transmitting data and by using error and flow control mechanisms
• Acknowledged connectionless service A midrange service that uses acknowledgment messages to provide reliable delivery but that does not establish a connection before transmitting data
On a transmitting system, the data passed down from the network layer protocol is encapsulated first by the LLC sublayer into what the standard calls a protocol data unit (PDU). Then the PDU is passed down to the MAC sublayer, where it is encapsulated again in a header and footer, at which point it can technically be called a frame. In an Ethernet packet, this means the data field of the 802.3 frame contains a 3- or 4-byte LLC header, in addition to the network layer data, thus reducing the maximum amount of data in each packet from 1,500 to 1,496 bytes.
The LLC header consists of three fields, the functions of which are described in the following sections.
DSAP and SSAP
The destination service access point (DSAP) field identifies a location in the memory buffers on the destination system where the data in the packet should be stored. The source service access point (SSAP) field does the same for the source of the packet data on the transmitting system. Both of these 1-byte fields use values assigned by the IEEE, which functions as the registrar for the protocol.
In an Ethernet SNAP packet, the value for both the DSAP and SSAP fields is 170 (or 0xAA, in hexadecimal form). This value indicates that the contents of the LLC PDU begin with a Subnetwork Access Protocol (SNAP) header. The SNAP header provides the same functionality as the Ethertype field to the 802.3 frame.
Control
The control field of the LLC header specifies the type of service needed for the data in the PDU and the function of the packet. Depending on which of the services is required, the control field can be either 1 or 2 bytes long. In an Ethernet SNAP frame, for example, the LLC uses the unacknowledged, connectionless service, which has a 1-byte control field value using what the standard calls the unnumbered format. The value for the control field is 3, which is defined as an unnumbered information frame—that is, a frame containing data. Unnumbered information frames are quite simple and signify either that the packet contains a noncritical message or that a higher-layer protocol is somehow guaranteeing delivery and providing other high-level services.
The other two types of control fields (which are 2 bytes each) are the information format and the supervisory format. The three control field formats are distinguished by their first bits, as follows:
• The information format begins with a 0 bit.
• The supervisory format begins with a 1 bit and a 0 bit.
• The unnumbered format begins with two 1 bits.
The remainder of the bits specify the precise function of the PDU. In a more complex exchange involving the connection-oriented service, unnumbered frames contain commands, such as those used to establish a connection with the other system and terminate it at the end of the transmission. The commands transmitted in unnumbered frames are as follows:
• Unnumbered information (UI) Used to send data frames by the unacknowledged, connectionless service
• Exchange identification (XID) Used as both a command and a response in the connection-oriented and connectionless services
• TEST Used as both a command and a response when performing an LLC loopback test
• Frame reject (FRMR) Used as a response when a protocol violation occurs
• Set Asynchronous Balanced Mode Extended (SABME) Used to request that a connection be established
• Unnumbered acknowledgment (UA) Used as the positive response to the SABME message
• Disconnect mode (DM) Used as a negative response to the SABME message
• Disconnect (DISC) Used to request that a connection be closed; a response of either UA or DM is expected
Information frames contain the actual data transmitted during connection-oriented and acknowledged connectionless sessions, as well as the acknowledgment messages returned by the receiving system. Only two types of messages are sent in information frames: N(S) and N(R) for the send and receive packets, respectively. Both systems track the sequence numbers of the frames they receive. An N(S) message lets the receiver know how many packets in the sequence have been sent, and an N(R) message lets the sender know what packet in the sequence it expects to receive.
Supervisory frames are used only by the connection-oriented service and provide connection maintenance in the form of flow control and error-correction services. The types of supervisory messages are as follows:
• Receiver ready (RR) Used to inform the sender that the receiver is ready for the next frame and to keep a connection alive
• Receiver not ready (RNR) Used to instruct the sender not to send any more packets until the receiver transmits an RR message
• Frame reject (REJ) Used to inform the sender of an error and request retransmission of all frames sent after a certain point
LLC Applications
In some cases, the LLC frame plays only a minor role in the network communications process. On a network running TCP/IP along with other protocols, for example, the only function of LLC may be to enable 802.3 frames to contain a SNAP header, which specifies the network layer protocol the frame should go to, just like the Ethertype in an Ethernet II frame. In this scenario, the LLC PDUs all use the unnumbered information format. Other high-level protocols, however, require more extensive services from LLC.
The SNAP Header
Because the IEEE 802.3 frame header does not have an Ethertype field, it would normally be impossible for a receiving system to determine which network layer protocol should receive the incoming data. This would not be a problem if you ran only one network layer protocol, but with multiple protocols installed, it becomes a serious problem. 802.3 packets address this problem by using yet another protocol within the LLC PDU, called the Subnetwork Access Protocol.
The SNAP header is 5 bytes long and found directly after the LLC header in the data field of an 802.3 frame. The functions of the fields are as follows:
• Organization code The organization code, or vendor code, is a 3-byte field that takes the same value as the first 3 bytes of the source address in the 802.3 header.
• Local code The local code is a 2-byte field that is the functional equivalent of the Ethertype field in the Ethernet II header.
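The frame layout, the length/Ethertype test, the FCS and the LLC/SNAP header described in the sections above, worked through in an added Python example that is not the book's code. The function names (build_frame, parse_frame, fcs_ok), the sample addresses and the payload are this example's own constructions.

```python
import struct
from typing import Optional

# Values taken from the chapter: an 802.3 length field is at most 1,500
# (0x05DC), so any larger value in the same position is an Ethertype; a frame
# is at least 64 bytes including the 4-byte FCS; DSAP/SSAP 0xAA and control 3
# (unnumbered information) announce an LLC/SNAP header.
MAX_8023_LENGTH = 0x05DC
MIN_FRAME_SANS_FCS = 60
SNAP_SAP = 0xAA
LLC_UI = 0x03
CRC_RESIDUE = 0x2144DF1C   # CRC over a frame that still carries a correct FCS


def crc32_autodin2(data: bytes) -> int:
    """Bitwise CRC-32 with the AUTODIN II polynomial 0x04C11DB7, processed
    least-significant bit first (reflected form 0xEDB88320) with an initial
    value and final XOR of 0xFFFFFFFF, which is how the Ethernet FCS is
    defined. A table-driven version such as zlib.crc32() gives the same result."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def build_frame(dst: bytes, src: bytes, payload: bytes,
                ethertype: Optional[int] = None) -> bytes:
    """Assemble a frame without preamble/SFD. With an Ethertype the result is
    an Ethernet II frame; without one it is an 802.3 frame whose data field
    starts with an LLC/SNAP header carrying a local code of 0x0800 (IP). The
    length field counts the LLC/SNAP header and payload but never the pad."""
    if ethertype is None:
        # LLC: DSAP, SSAP, control. SNAP: organization code (the chapter says
        # it carries the first 3 bytes of the source address), then local code.
        llc_snap = bytes([SNAP_SAP, SNAP_SAP, LLC_UI]) + src[:3] + struct.pack("!H", 0x0800)
        data = llc_snap + payload
        header = dst + src + struct.pack("!H", len(data))
    else:
        data = payload
        header = dst + src + struct.pack("!H", ethertype)
    frame = header + data
    frame += bytes(max(0, MIN_FRAME_SANS_FCS - len(frame)))   # pad the data field to 46 bytes
    return frame + struct.pack("<I", crc32_autodin2(frame))   # FCS goes on the wire LSB first


def fcs_ok(frame: bytes) -> bool:
    """The receiver's check: recompute the CRC over everything before the FCS
    and compare it with the transmitted value."""
    return struct.unpack("<I", frame[-4:])[0] == crc32_autodin2(frame[:-4])


def parse_frame(frame: bytes) -> dict:
    """Decode a received frame the way an adapter driver would: classify it by
    the length/Ethertype field, then peel off the LLC/SNAP header if present."""
    if len(frame) < MIN_FRAME_SANS_FCS + 4:
        raise ValueError("shorter than the 64-byte minimum; a collision fragment?")
    body = frame[:-4]
    info = {
        "dst": frame[:6].hex("-"),
        "src": frame[6:12].hex("-"),
        "broadcast": frame[:6] == b"\xff" * 6,
        "multicast": bool(frame[0] & 1),   # group bit of the destination address
        "fcs_ok": fcs_ok(frame),
    }
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len > MAX_8023_LENGTH:
        # Ethernet II: the pad (if any) cannot be told from payload at this layer.
        info.update(kind="Ethernet II", ethertype=type_or_len, payload=body[14:])
        return info
    data = body[14:14 + type_or_len]       # the length field lets us drop the pad
    info.update(kind="802.3", length=type_or_len)
    if len(data) >= 8 and data[0] == data[1] == SNAP_SAP and data[2] == LLC_UI:
        info.update(snap_org=data[3:6].hex("-"),
                    ethertype=struct.unpack("!H", data[6:8])[0], payload=data[8:])
    else:
        info.update(dsap=data[0], ssap=data[1], control=data[2], payload=data[3:])
    return info


if __name__ == "__main__":
    # Constructed sample: a broadcast 802.3/SNAP frame with a short payload.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    frame = build_frame(dst, src, b"constructed DNS query")
    print(parse_frame(frame))
    damaged = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]   # flip one bit
    print("damaged frame passes FCS:", fcs_ok(damaged))           # False
```

Running the CRC over a whole frame including its FCS yields the constant residue in CRC_RESIDUE, which is the shortcut many adapters use instead of comparing values field by field.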
NOTE Many, if not all, of the registered values for the NIC hardware address prefixes, the Ethertype field, and the DSAP/SSAP fields are listed in the "Assigned Numbers" document published as a request for comments (RFC) by the Internet Engineering Task Force (IETF). Find the current version number for this document at www.ietf.org/rfc.html.
Full-Duplex Ethernet
The CSMA/CD media access control mechanism is the defining element of the Ethernet protocol, but it is also the source of many of its limitations. The fundamental shortcoming of the Ethernet protocol is that data can travel in only one direction at a time. This is known as half-duplex operation. With special hardware, it is also possible to run Ethernet connections in full-duplex mode, meaning that the device can transmit and receive data simultaneously. This effectively doubles the bandwidth of the network. Full-duplex capability for Ethernet networks was standardized in the 802.3x supplement to the 802.3 standard in 1997.
When operating in full-duplex mode, the CSMA/CD MAC mechanism is ignored. Systems do not listen to the network before transmitting; they simply send their data whenever they want. Because both of the systems in a full-duplex link can transmit and receive data at the same time, there is no possibility of collisions occurring. Because no collisions occur, the cabling restrictions intended to support the collision detection mechanism are not needed. This means you can have longer cable segments on a full-duplex network. The only limitation is the signal transmitting capability (that is, the resistance to attenuation) of the network medium itself.
This is a particularly important point on a Fast Ethernet network using fiber-optic cable because the collision detection mechanism is responsible for its relatively short maximum segment lengths. While a half-duplex 100Base-FX link between two devices can be a maximum of only 412 meters long, the same link operating in full-duplex mode can be up to 2,000 meters (2 km) long because it is restricted only by the strength of the signal. A 100Base-FX link using single-mode fiber-optic cable can span distances of 20 km or more. The signal attenuation on twisted-pair networks, however, makes 10Base-T, 100Base-TX, and 1000Base-T networks still subject to the 100-meter segment length restriction.
Full-Duplex Requirements
There are three requirements for full-duplex Ethernet operation:
• A network medium with separate transmit and receive channels
• A dedicated link between two systems
• Network interface adapters and switches that support full-duplex operation
Full-duplex Ethernet is possible only on link segments that have separate channels for the communications in each direction. This means that twisted-pair and fiber-optic networks can support full-duplex communications using regular, Fast, and Gigabit Ethernet, but coaxial cable cannot. Of the Ethernet variants using twisted-pair and fiber-optic cables, 10Base-FB and 10Base-FP did not support full-duplex (which is not a great loss, since no one used them), nor does 100Base-T4 (which is also rarely used). All of the other network types support full-duplex communications.
Full-duplex Ethernet also requires that every two computers have a dedicated link between them. This means you can't use repeating hubs on a full-duplex network because these devices operate in half-duplex mode by definition and create a shared network medium. Instead, you must use switches, also known as switching hubs, which effectively isolate each pair of communicating computers on its own network segment and provide the packet-buffering capabilities needed to support bidirectional communications.
Finally, each of the devices on a full-duplex Ethernet network must support full-duplex communications and be configured to use it. Switches that support full-duplex are readily available, as are Fast Ethernet NICs. Full-duplex operation is an essential component of 1000Base-T Gigabit Ethernet, and many 1000Base-X Gigabit Ethernet adapters support full-duplex as well. Ensuring that your full-duplex equipment is actually operating in full-duplex mode can sometimes be tricky. Autonegotiation is definitely the easiest way of doing this; dual-speed Fast Ethernet equipment automatically gives full-duplex operation priority over half-duplex at the same speed. However, adapters and switches that do not support multiple speeds may not include autonegotiation. For example, virtually all 100Base-TX NICs are dual speed, supporting both 10 and 100 Mbps transmissions. Autonegotiation is always supported by these NICs, which means that simply connecting the NIC to a full-duplex switch will enable full-duplex communications. Fast Ethernet NICs that use fiber-optic cables, however, are usually single-speed devices and may or may not include autonegotiation capability. You may have to manually configure the NIC before it will use full-duplex communications.
Full-Duplex Flow Control
The switching hubs on full-duplex Ethernet networks have to be able to buffer packets as they read the destination address in each one and perform the internal switching needed to send it on its way. The amount of buffer memory in a switch is, of course, finite, and as a result, it's possible for a switch to be overwhelmed by the constant input of data from freely transmitting full-duplex systems. Therefore, the 802.3x supplement defines an optional flow control mechanism that full-duplex systems can use to make the system at the other end of a link pause its transmissions temporarily, enabling the other device to catch up.
The full-duplex flow control mechanism is called the MAC Control protocol, which takes the form of a specialized frame that contains a PAUSE command and a parameter specifying the length of the pause. The MAC Control frame is a standard Ethernet frame of minimum length (64 bytes) with the hexadecimal value 8808 in the Ethertype or SNAP Local Code field. The frame is transmitted to a special multicast address (01-80-C2-00-00-01) designated for use by PAUSE frames. The data field of the MAC Control frame contains a 2-byte operational code (opcode) with a hexadecimal value of 0001, indicating that it is a PAUSE frame. At this time, this is the only valid MAC Control opcode value. A 2-byte pause-time parameter follows the opcode, which is an integer specifying the amount of time the receiving systems should pause their transmissions, measured in units called quanta, each of which is equal to 512 bit times. The range of possible values for the pause-time parameter is 0 to 65,535.
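An added example, not from the book, that builds and decodes the PAUSE frame just described and keeps the pause timer a receiving port would run. The function names, the PauseTimer class and the sample source address are this example's own; the timer's replace-rather-than-accumulate behaviour and the meaning of a zero pause time are assumptions taken from 802.3x rather than from the text.

```python
import struct
import zlib

# Values from the chapter: PAUSE frames go to a reserved multicast address,
# carry Ethertype 0x8808, opcode 0x0001, and a 16-bit pause time in quanta of
# 512 bit times. Frame assembly below is this example's own, not the book's.
PAUSE_MULTICAST = bytes.fromhex("0180c2000001")
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
QUANTUM_BIT_TIMES = 512
MIN_FRAME_SANS_FCS = 60


def build_pause_frame(src: bytes, quanta: int) -> bytes:
    """Minimum-length (64-byte) MAC Control frame: header, opcode, pause time,
    zero pad, then the FCS (zlib.crc32 is the Ethernet CRC-32, sent LSB first)."""
    if not 0 <= quanta <= 0xFFFF:
        raise ValueError("pause time must fit in 16 bits")
    body = PAUSE_MULTICAST + src + struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    body += bytes(MIN_FRAME_SANS_FCS - len(body))
    return body + struct.pack("<I", zlib.crc32(body))


def decode_pause_frame(frame: bytes, bit_rate: int) -> dict:
    """Validate a received MAC Control frame and convert its pause time into
    seconds for the link's bit rate (one quantum = 512 bit times)."""
    if len(frame) != MIN_FRAME_SANS_FCS + 4:
        raise ValueError("MAC Control frames are always minimum length")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch, frame discarded")
    if body[:6] != PAUSE_MULTICAST:
        raise ValueError("not addressed to the PAUSE multicast group")
    ethertype, opcode, quanta = struct.unpack("!HHH", body[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE:
        raise ValueError("not a MAC Control frame")
    if opcode != PAUSE_OPCODE:
        raise ValueError("unknown MAC Control opcode 0x%04x" % opcode)
    return {
        "src": body[6:12].hex("-"),
        "quanta": quanta,
        "pause_seconds": quanta * QUANTUM_BIT_TIMES / bit_rate,
    }


class PauseTimer:
    """Transmit-side bookkeeping on the port that receives PAUSE frames. Each
    new frame replaces the previous pause interval rather than adding to it,
    and a pause time of zero lifts the pause at once (802.3x behaviour, stated
    here as an assumption since the chapter only gives the value range)."""

    def __init__(self, bit_rate: int) -> None:
        self.bit_rate = bit_rate
        self.pause_until = 0.0

    def on_pause_frame(self, frame: bytes, now: float) -> None:
        info = decode_pause_frame(frame, self.bit_rate)
        self.pause_until = now + info["pause_seconds"]

    def may_transmit(self, now: float) -> bool:
        return now >= self.pause_until


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")            # constructed switch port address
    frame = build_pause_frame(src, 1000)            # 1,000 quanta
    print(decode_pause_frame(frame, 100_000_000))   # 5.12 ms on Fast Ethernet
    timer = PauseTimer(100_000_000)
    timer.on_pause_frame(frame, now=0.0)
    print(timer.may_transmit(0.004), timer.may_transmit(0.006))   # False True
```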
Full-Duplex Applications
Full-duplex Ethernet capabilities are most often provided in Fast Ethernet and Gigabit Ethernet adapters and switches. While full-duplex operation theoretically doubles the bandwidth of a network, the actual performance improvement that you realize depends on the nature of the communications involved. Upgrading a desktop workstation to full duplex will probably not provide a dramatic improvement in performance. This is because desktop communications typically consist of request/response transactions that are themselves half-duplex in nature, and providing a full-duplex medium won't change that. Full-duplex operation is better suited to the communications between switches on a backbone, which are continually carrying large amounts of traffic generated by computers all over the network.
CHAPTER 11
100Base Ethernet and Gigabit Ethernet
100Base Ethernet and Gigabit Ethernet are today's 100 and 1,000 Mbps variants of the Ethernet protocol, respectively. Although similar to 10Base Ethernet in many ways, the 100Base protocols have some configuration issues that you must be aware of in order to design, install, and administer the networks that use them.
100Base Ethernet
The IEEE 802.3u specification, ratified in 1995, defined what is commonly known as 100Base Ethernet, a data link layer protocol running at 100 Mbps, which is ten times the speed of the original Ethernet protocol. This is now the industry standard for many new installations, largely because it improves network performance so much while changing so little.
100Base Ethernet left two of the three defining elements of an Ethernet network unchanged. The protocol uses the same frame format as IEEE 802.3 and the same CSMA/CD media access control mechanism. The changes that enable the increase in speed are in several elements of the physical layer configuration, including the types of cable used, the length of cable segments, and the number of hubs permitted.
Physical Layer Options
The first difference between 10Base and 100Base Ethernet was that coaxial cable was no longer supported. 100Base Ethernet runs only on UTP or fiber-optic cable, although shielded twisted-pair (STP) is an option as well. Gone also was the Manchester signaling scheme, to be replaced by the 4B/5B system developed for the Fiber Distributed Data Interface (FDDI) protocol. The physical layer options defined in 802.3u were intended to provide the most flexible installation parameters possible. Virtually every aspect of the 100Base Ethernet protocol's physical layer specifications was designed to facilitate upgrades from earlier technologies and, particularly, from 10Base-T. In many cases, existing UTP networks upgraded to 100Base Ethernet without pulling new cable. The only exception to this was in cases of networks that spanned longer distances than 100Base Ethernet could support with copper cabling.
100Base Ethernet defined three physical layer specifications, as shown in Table 11-1.
Table 11-1 IEEE 802.3u Physical Layer Specifications
In addition to the connectors shown for each of the cable types, the 802.3u standard described a medium-independent interface (MII) that used a 40-pin D-shell connector. Borrowing from the design of the original thick Ethernet standard, the MII connected to an external transceiver called a physical layer device (PHY), which, in turn, connected to the network medium. The MII made it possible to build devices such as hubs and computers that integrated 100Base Ethernet adapters but were not committed to a particular media type. By supplying different PHY units, you could connect the device to a 100Base Ethernet network using any supported cable type. Some PHY devices connected directly to the MII, while others used a cable not unlike the AUI cable arrangement in thick Ethernet. When this was the case, the MII cable could be no more than 0.5 meters long.
Most of the 100Base Ethernet hardware on the market today uses internal transceivers and does not need an MII connector or cable, but a few products do take advantage of this interface.
100Base-TX
Using standards for physical media developed by the American National Standards Institute (ANSI), 100Base-TX and its fiber-optic counterpart, 100Base-FX, were known collectively as 100Base-X. They provided the core physical layer guidelines for new cable installations. Like 10Base-T, 100Base-TX called for the use of unshielded twisted-pair cable segments up to 100 meters in length. The only difference from a 10Base-T segment was in the quality and capabilities of the cable itself.
100Base-TX was based on the ANSI TP-PMD specification and calls for the use of Category 5 UTP cable for all network segments. As you can see in the table, the Category 5 cable specification provided the potential for much greater bandwidth than the Category 3 cable specified for 10Base-T networks. As an alternative, using Type 1 shielded twisted-pair cable was also possible for installations where the operating environment presented a greater danger of electromagnetic interference.
For the sake of compatibility, 100Base-TX (as well as 100Base-T4) used the same type of RJ-45 connectors as 10Base-T, and the pin assignments were the same as well. The pin assignments were the one area in which the cable specifications differed from ANSI TP-PMD, to maintain backward compatibility with 10Base-T networks.
100Base-T4
100Base-T4 was intended for use on networks that already had UTP cable installed, but the cable was not rated as Category 5. The 10Base-T specification allowed for the use of standard voice-grade (Category 3) cable, and there were many networks that were already wired for 10Base-T Ethernet (or even for telephone systems). 100Base-T4 ran at 100 Mbps on Category 3 cable by using all four pairs of wires in the cable, instead of just two, as 10Base-T and 100Base-TX do.
The transmit and receive data pairs in a 100Base-T4 circuit are the same as those of 100Base-TX (and 10Base-T). The remaining four wires function as bidirectional pairs. As on a 10Base-T network, the transmit and receive pairs must be crossed over for traffic to flow. The crossover circuits in a 100Base Ethernet hub connect the transmit pair to the receive pair, as always. In a 100Base-T4 hub, the two bidirectional pairs are crossed as well so that pair 3 connects to pair 4, and vice versa.
100Base-FX
The 100Base-FX specification called for the same hardware as the 10Base-FL specification except that the maximum length of a cable segment was no more than 412 meters. As with the other 100Base Ethernet physical layer options, the medium was capable of transmitting a signal over longer distances, but the limitation was imposed to ensure the proper operation of the collision-detection mechanism. As mentioned earlier, when you eliminate the CSMA/CD MAC mechanism, as on a full-duplex Ethernet network, 100Base-FX segments can be much longer.
Cable Length Restrictions
Because the network operates at ten times the speed of 10Base Ethernet, 100Base Ethernet cable installations were more restricted. In effect, the 100Base Ethernet standard uses up a good deal of the latitude built into the original Ethernet standards to achieve greater performance levels. In 10 Mbps Ethernet, the signal timing specifications were at least twice as strict as they had to be for systems to detect early collisions properly on the network. The lengths of the network segments were dictated more by the need to maintain the signal strength than by the signal timing.
On 100Base-T networks, however, signal strength is not as much of an issue as signal timing. The CSMA/CD mechanism on a 100Base Ethernet network functions exactly like that of a 10 Mbps Ethernet network, and the packets are the same size, but they travel over the medium at ten times the speed. Because the collision detection mechanism is the same, a system still must be able to detect the presence of a collision before the slot time expires (that is, before it transmits 64 bytes of data). Because the traffic is moving at 100 Mbps, though, the duration of that slot time is reduced, and the maximum length of the network must be reduced as well to sense collisions accurately. For this reason, the maximum overall length of a 100Base-TX network is approximately 205 meters. This is a figure you should observe much more stringently than the 500-meter maximum for a 10Base-T network.
NOTE When you plan your network, be sure to remain conscious that the 100-meter maximum cable segment length specification in the 100Base Ethernet standard includes the entire length of cable connecting a computer to the hub. If you have an internal cable installation that terminates at wall plates at the computer site and a patch panel at the hub site, you must include the lengths of the patch cables connecting the wall plate to the computer and the patch panel to the hub in your total measurement. The specification recommends that the maximum length for an internal cable segment be 90 meters, leaving 10 meters for the patch cables.
Hub Configurations
Because the maximum length for a 100Base-TX segment is 100 meters, the same as that for 10Base-T, the restrictions on the overall length of the network are found in the configuration of the repeating hubs used to connect the segments. The 802.3u supplement described two types of hubs for all 100Base-T networks: Class I and Class II. Every 100Base Ethernet hub must have a circled Roman numeral I or II identifying its class.
Class I hubs are intended to support cable segments with different types of signaling. 100Base-TX and 100Base-FX use the same signaling type, while 100Base-T4 is different (because of the presence of the two bidirectional pairs). A Class I hub contains circuitry that translates incoming 100Base-TX, 100Base-FX, and 100Base-T4 signals to a common digital format and then translates them again to the appropriate signal for each outgoing hub port. These translation activities cause comparatively long timing delays in the hub, so you can have only one Class I hub on the path between any two nodes on the network.
Class II hubs can only support cable segments of the same signaling type. Because no translation is involved, the hub passes the incoming data rapidly to the outgoing ports. Because the timing delays are shorter, you can have up to two Class II hubs on the path between two network nodes, but all the segments must use the same signaling type. This means a Class II hub can support either 100Base-TX and 100Base-FX together or 100Base-T4 alone.
Additional segment length restrictions are also based on the combination of segments and hubs used on the network. The more complex the network configuration gets, the shorter its maximum collision domain diameter can be. Table 11-2 summarizes these restrictions.
Table 11-2 100Base Ethernet Multisegment Configuration Guidelines
Note that a network configuration that uses two Class II hubs actually uses three lengths of cable to establish the longest connection between two nodes: two cables to connect the nodes to their respective hubs and one cable to connect the two hubs. For example, the assumption of the standard is that the additional 5 meters added to the length limit for an all-copper network will account for the cable connecting the two hubs, as shown in Figure 11-1. But in practice, the three cables can be of any length as long as their total length does not exceed 205 meters.
Figure 11-1 The cable segments in a network with two hubs can be of any length, as long as you observe the maximum collision domain diameter.
What these restrictions mean to 100Base-FX networks is that the only fiber segment that can be 412 meters long is one that directly connects two computers. Once you add a hub to the network, the total distance between computers drops drastically. This largely negates one of the major benefits of using fiber-optic cable. You saw earlier in this chapter that the original Ethernet standards allow for fiber-optic segments up to 2 kilometers (2,000 meters) long. The closer tolerances of the collision-detection mechanism on a 100Base Ethernet network make it impossible to duplicate the collision domain diameter of standards like 10Base-FL. Considering that other high-speed protocols such as FDDI use the same type of cable and can support distances up to 200 kilometers, 100Base Ethernet might not be the optimal fiber-optic solution, unless you use the full-duplex option to increase the segment length.
100Base Ethernet Timing Calculations
As with the original Ethernet standards, the cabling guidelines in the previous sections are no more than rules of thumb that provide general size limitations for a 100Base Ethernet network. Making more precise calculations to determine if your network is fully compliant with the specifications is also possible. For 100Base Ethernet, these calculations consist only of determining the round-trip delay time for the network. No interframe gap shrinkage calculation exists for 100Base Ethernet because the limited number of repeaters permitted on the network all but eliminates this as a possible problem.
Calculating the Round-Trip Delay Time
The process of calculating the round-trip delay time begins with determining the worst-case path through your network, just as in the calculations for 10Base Ethernet networks. As before, if you have different types of cable segments on your network, you may have more than one path to calculate. There is no need to perform separate calculations for each direction of a complex path, however, because the formula makes no distinction between the order of the segments.
The round-trip delay time consists of a delay per meter measurement for the specific type of cable your network uses, plus an additional delay constant for each node and repeater on the path. Table 11-3 lists the delay factors for the various network components.
Table 11-3 Delay Times for 100Base Ethernet Network Components
To calculate the round-trip delay time for the worst-case path through your network, you multiply the lengths of your various cable segments by the delay factors listed in the table and add them together, along with the appropriate factors for the nodes and hubs and a safety buffer of 4 bit times. If the total is less than 512, the path is compliant with the 100Base Ethernet specification. Thus, the calculations for the network shown in Figure 11-2 would be as follows:
(150 meters × 1.112 bit times/meter) + 100 bit times + (2 × 92 bit times) + 4 bit times = 454.8 bit times
Figure 11-2 This worst-case path is compliant with the round-trip delay time limitations defined in the Ethernet standard.
So, 150 meters of Category 5 cable multiplied by a delay factor of 1.112 bit times per meter yields a delay of 166.8 bit times; adding 100 bit times for two 100Base-TX nodes, two hubs at 92 bit times each, and an extra 4 for safety yields a total round-trip delay time of 454.8 bit times, which is well within the 512 limit.
NOTE As with the calculations for 10Base Ethernet networks, you may be able to avoid having to measure your cable segments by using the maximum permitted segment length in your calculations. Only if the result of this calculation exceeds the specification do you have to consider the actual lengths of your cables.
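The round-trip delay calculation above, extended in an added Python example (not the book's) that finds the worst-case path automatically over a small hub tree and enforces the two-Class-II-hub limit from the previous section. Only the delay factors quoted in the text are used; the topology, the device names and the function names are constructed for this example.

```python
from itertools import combinations

# Delay factors quoted in the chapter's worked example (Table 11-3 itself is
# not reproduced on the page, so only these values are used here): Category 5
# cable per meter, one pair of 100Base-TX end nodes, one Class II hub, and the
# recommended 4-bit-time safety margin, measured against the 512-bit slot time.
CAT5_BIT_TIMES_PER_METER = 1.112
TX_NODE_PAIR_BIT_TIMES = 100
CLASS_II_HUB_BIT_TIMES = 92
SAFETY_MARGIN_BIT_TIMES = 4
SLOT_TIME_BIT_TIMES = 512
MAX_CLASS_II_HUBS_PER_PATH = 2


def build_adjacency(links):
    """links: iterable of (device, device, meters). Returns {device: {neighbour: meters}}."""
    adj = {}
    for a, b, meters in links:
        adj.setdefault(a, {})[b] = meters
        adj.setdefault(b, {})[a] = meters
    return adj


def find_path(adj, start, goal, seen=frozenset()):
    """Depth-first search for the single path between two devices in a hub tree."""
    if start == goal:
        return [start]
    for nxt in adj[start]:
        if nxt not in seen:
            rest = find_path(adj, nxt, goal, seen | {start})
            if rest:
                return [start] + rest
    return None


def round_trip_delay(adj, path, hubs):
    """Cable delay plus end-node delay, hub delays and the safety margin for one
    path, in bit times. Rejects paths with more Class II hubs than 802.3u allows."""
    hub_count = sum(1 for device in path if device in hubs)
    if hub_count > MAX_CLASS_II_HUBS_PER_PATH:
        raise ValueError(f"{hub_count} Class II hubs on one path; the limit is 2")
    meters = sum(adj[a][b] for a, b in zip(path, path[1:]))
    total = (meters * CAT5_BIT_TIMES_PER_METER + TX_NODE_PAIR_BIT_TIMES
             + hub_count * CLASS_II_HUB_BIT_TIMES + SAFETY_MARGIN_BIT_TIMES)
    return round(total, 3)


def worst_case_path(links, hubs):
    """Evaluate every pair of end nodes and return (delay, path) for the slowest one."""
    adj = build_adjacency(links)
    end_nodes = [device for device in adj if device not in hubs]
    worst = (0.0, [])
    for a, b in combinations(end_nodes, 2):
        path = find_path(adj, a, b)
        if path is None:
            raise ValueError(f"no path between {a} and {b}")
        delay = round_trip_delay(adj, path, hubs)
        if delay > worst[0]:
            worst = (delay, path)
    return worst


def is_compliant(links, hubs):
    """True when the worst-case round-trip delay stays below the 512-bit-time slot time."""
    return worst_case_path(links, hubs)[0] < SLOT_TIME_BIT_TIMES


# Constructed network shaped like the chapter's Figure 11-2: two Class II hubs
# and 150 meters of Category 5 cable between the two end nodes.
FIGURE_11_2 = [("A", "hub1", 50), ("hub1", "hub2", 50), ("hub2", "B", 50)]
HUBS = {"hub1", "hub2"}

if __name__ == "__main__":
    print(worst_case_path(FIGURE_11_2, HUBS))        # (454.8, ['A', 'hub1', 'hub2', 'B'])
    # Add a third station 100 m from hub1: the worst path grows to 200 m.
    print(worst_case_path(FIGURE_11_2 + [("hub1", "C", 100)], HUBS))   # 510.4 bit times
```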
Autonegotiation
Most of today's Ethernet adapters support multiple speeds and use an autonegotiation system that enables a multispeed device to sense the capabilities of the network to which it is connected and to adjust its speed accordingly. The autonegotiation mechanism in 100Base Ethernet is based on fast link pulse (FLP) signals, which are themselves a variation on the normal link pulse (NLP) signals used by the old 10Base-T and 10Base-FL networks.
Standard Ethernet networks use NLP signals to verify the integrity of a link between two devices. Most Ethernet hubs and network interface adapters have a link-pulse LED that lights when the device is connected to another active device. For example, when you take a UTP cable that is connected to a hub and plug it into a computer's NIC and turn the computer on, the LEDs on both the NIC and the hub port to which it's connected should light. This is the result of the two devices transmitting NLP signals to each other. When each device receives the NLP signals from the other device, it lights the link-pulse LED. If the network is wired incorrectly, because of a cable fault or improper use of a crossover cable or hub uplink port, the LEDs will not light. These signals do not interfere with data communications because the devices transmit them only when the network is idle.
NOTE The link-pulse LED indicates only that the network is wired correctly, not that it's capable of carrying data. If you use the wrong cable for the protocol, you will still experience network communication problems, even though the devices passed the link integrity test.
100Base Ethernet devices capable of transmitting at multiple speeds elaborate on this technique by transmitting FLP signals instead of NLP signals. FLP signals include a 16-bit data packet within a burst of link pulses, producing what is called an FLP burst. The data packet contains a link code word (LCW) with two fields: the selector field and the technology ability field. Together, these fields identify the capabilities of the transmitting device, such as its maximum speed and whether it is capable of full-duplex communications.
Because the FLP burst has the same duration (2 nanoseconds) and interval (16.8 nanoseconds) as an NLP burst, a standard Ethernet system can simply ignore the LCW and treat the transmission as a normal link integrity test. When it responds to the sender, the multiple-speed system sets itself to operate at 10Base-T speed, using a technique called parallel detection. This same method applies also to 100Base Ethernet devices incapable of multiple speeds.
When two 100Base Ethernet devices capable of operating at multiple speeds autonegotiate, they determine the best performance level they have in common and configure themselves accordingly. The systems use the following list of priorities when comparing their capabilities, with full-duplex 1000Base-T providing the best performance and half-duplex 10Base-T providing the worst:
• 1000Base-T (full-duplex)
• 1000Base-T
• 100Base-TX (full-duplex)
• 100Base-T4
• 100Base-TX
• 10Base-T (full-duplex)
• 10Base-T
NOTE FLP signals account only for the capabilities of the devices generating them, not the connecting cable. If you connect a dual-speed 100Base-TX computer with a 100Base-TX hub using a Category 3 cable network, autonegotiation will still configure the devices to operate at 100 Mbps, even though the cable can't support transmissions at this speed.
The benefit of autonegotiation is that it permits administrators to upgrade a network gradually to 100Base Ethernet with a minimum of reconfiguration. If, for example, you have 10/100 dual-speed NICs in all your workstations, you can run the network at 10 Mbps using 10Base-T hubs. Later, you can simply replace the hubs with models supporting 100Base Ethernet, and the NICs will automatically reconfigure themselves to operate at the higher speed during the next system reboot. No manual configuration at the workstation is necessary.
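An added Python example (not from the book) that encodes and decodes the 16-bit link code word and applies the priority list above, including the parallel-detection fallback to 10Base-T. The LCW bit layout is taken from IEEE 802.3 Clause 28 as an assumption, since the chapter names the fields but not their positions; the capability lists and function names are constructed for this example.

```python
# Base-page link code word layout from IEEE 802.3 Clause 28 (the chapter names
# the selector and technology ability fields but not the bit positions, so the
# layout below is this example's assumption): D0-D4 selector, D5-D12 technology
# ability (A0-A7), D13 remote fault, D14 acknowledge, D15 next page.
SELECTOR_IEEE_802_3 = 0b00001
ABILITY_BIT = {                  # technology ability bit A<n> lives at LCW bit D(5 + n)
    "10Base-T": 0,
    "10Base-T (full-duplex)": 1,
    "100Base-TX": 2,
    "100Base-TX (full-duplex)": 3,
    "100Base-T4": 4,
}
# The chapter's priority list, best first. 1000Base-T is advertised on
# autonegotiation "next pages", which this base-page example does not model,
# so it may appear in a capability list but never in an encoded LCW.
PRIORITY = [
    "1000Base-T (full-duplex)", "1000Base-T",
    "100Base-TX (full-duplex)", "100Base-T4", "100Base-TX",
    "10Base-T (full-duplex)", "10Base-T",
]
FALLBACK_MODE = "10Base-T"       # what parallel detection settles on


def encode_lcw(abilities, remote_fault=False, ack=False, next_page=False) -> int:
    """Build the 16-bit LCW carried in an FLP burst."""
    word = SELECTOR_IEEE_802_3
    for mode in abilities:
        if mode in ABILITY_BIT:
            word |= 1 << (5 + ABILITY_BIT[mode])
    return word | (remote_fault << 13) | (ack << 14) | (next_page << 15)


def decode_lcw(word: int) -> dict:
    """Split a received LCW into its advertised modes and flag bits."""
    selector = word & 0x1F
    if selector != SELECTOR_IEEE_802_3:
        raise ValueError(f"selector {selector:05b} is not IEEE 802.3")
    return {
        "abilities": {m for m, bit in ABILITY_BIT.items() if (word >> (5 + bit)) & 1},
        "remote_fault": bool(word & 1 << 13),
        "ack": bool(word & 1 << 14),
        "next_page": bool(word & 1 << 15),
    }


def resolve(local_abilities, partner_word):
    """Pick the highest-priority mode both ends advertise. partner_word=None
    models a link partner that sends only NLP (no FLP bursts): the chapter's
    parallel detection case, where the multi-speed device drops to 10Base-T."""
    if partner_word is None:
        return FALLBACK_MODE if FALLBACK_MODE in local_abilities else None
    common = set(local_abilities) & decode_lcw(partner_word)["abilities"]
    for mode in PRIORITY:
        if mode in common:
            return mode
    return None


if __name__ == "__main__":
    nic = ["10Base-T", "10Base-T (full-duplex)", "100Base-TX", "100Base-TX (full-duplex)"]
    switch_word = encode_lcw(["10Base-T", "100Base-TX", "100Base-TX (full-duplex)"])
    print(hex(switch_word), resolve(nic, switch_word))   # 0x1a1 100Base-TX (full-duplex)
    print(resolve(nic, None))                             # 10Base-T (legacy hub, NLP only)
```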
Gigabit Ethernet
When 100 Mbps networking technologies like FDDI were first introduced, most horizontal networks used 10 Mbps Ethernet. These new protocols were used primarily on backbones. Now that 100Base and 1000Base Ethernet have taken over the horizontal network market, a 100 Mbps backbone is, in many cases, insufficient to support the connections between switches that have to accommodate multiple 100Base Ethernet networks. Gigabit Ethernet was developed to be the next generation of Ethernet network, running at 1 Gbps (1,000 Mbps), ten times the speed of 100Base Ethernet.
Gigabit Ethernet uses the same frame format, frame size, and media access control method as was standard in 10 Mbps Ethernet. 100Base Ethernet overtook FDDI as the dominant 100 Mbps solution because it prevented network administrators from having to use a different protocol on the backbone. In the same way, Gigabit Ethernet prevents administrators from having to use a different protocol for their backbones.
Connecting an ATM or FDDI network to an Ethernet network requires that the data be converted at the network layer from one frame format to another. Connecting two Ethernet networks, even when they're running at different speeds, is a data link layer operation because the frames remain unchanged. In addition, using Ethernet throughout your network eliminates the need to train administrators to work with a new protocol and purchase new testing and diagnostic equipment. The bottom line is that in most cases it is possible to upgrade a 100Base Ethernet backbone to Gigabit Ethernet without completely replacing hubs, switches, and cables. This is not to say, however, that some hardware upgrades will not be necessary. Hubs and switches will need modules supporting the protocol, and network monitoring and testing products may also have to be upgraded to support the faster speed.
Gigabit Ethernet Architecture
Gigabit Ethernet was first defined in the 802.3z supplement to the 802.3 standard, which was published in June 1998. The 802.3z defined a network running at 1,000 Mbps in either half-duplex or full-duplex mode, over a variety of network media. The frame used to encapsulate the packets is identical to that of 802.3 Ethernet, and the protocol (in half-duplex mode) uses the same Carrier Sense Multiple Access with Collision Detection (CSMA/CD) MAC mechanism as the other Ethernet incarnations.
As with 10Base and 100Base Ethernet, the Gigabit Ethernet standard contains both physical and data link layer elements, as shown in Figure 11-3. The data link layer consists of the logical link control (LLC) and media access control (MAC) sublayers that are common to all of the IEEE 802 protocols. The LLC sublayer is identical to that used by the other Ethernet standards, as defined in the IEEE 802.2 document. The underlying concept of the MAC sublayer, the CSMA/CD mechanism, is fundamentally the same as on a standard Ethernet or 100Base Ethernet network but with a few changes in the way that it's implemented.
Figure 11-3 The Gigabit Ethernet protocol architecture
Media Access Control
Gigabit Ethernet is designed to support full-duplex operation as its primary signaling mode. As mentioned earlier, when systems can transmit and receive data simultaneously, there is no need for a media access control mechanism like CSMA/CD. However, some modifications are required for systems on a 1000Base-X network to operate in half-duplex mode. Ethernet's collision-detection mechanism works properly only when collisions are detected while a packet is still being transmitted. Once the source system finishes transmitting a packet, the data is purged from its buffers, and it is no longer possible to retransmit that packet in the event of a collision.
When the speed at which systems transmit data increases, the round-trip signal delay time during which a collision can be detected decreases. When 100Base Ethernet increased the speed of an Ethernet network by ten times, the standard compensated by reducing the maximum diameter of the network. This enabled the protocol to use the same 64-byte minimum packet size as the original Ethernet standard and still be able to detect collisions effectively.
Gigabit Ethernet increases the transmission speed another ten times, but reducing the maximum diameter of the network again was impractical because it would result in networks no longer than 20 meters or so. As a result, the 802.3z supplement increases the size of the CSMA/CD carrier signal from 64 bytes to 512 bytes. This means that while the 64-byte minimum packet size is retained, the MAC sublayer of a Gigabit Ethernet system appends a carrier extension signal to small packets that pads them out to 512 bytes. This ensures that the minimum time required to transmit each packet is sufficient for the collision-detection mechanism to operate properly, even on a network with the same diameter as 100Base Ethernet.
The carrier extension bits are added to the Ethernet frame after the frame check sequence (FCS), so that while they are a valid part of the frame for collision-detection purposes, the carrier extension bits are stripped away at the destination system before the FCS is computed, and the results are compared with the value in the packet. This padding, however, can greatly reduce the efficiency of the network. A small packet may consist of up to 448 bytes of padding (512 minus 64), the result of which is a throughput only slightly greater than 100Base Ethernet. To address this problem, 802.3z introduces a packet-bursting capability along with the carrier extension. Packet bursting works by transmitting several packets back to back until a 1,500-byte burst timer is reached. This compensates for the loss incurred by the carrier extension bits and brings the network back up to speed.
When Gigabit Ethernet is used for backbone networks, full-duplex connections between switches and servers are the more practical choice. The additional expenditure in equipment is minimal, and aside from eliminating this collision-detection problem, it increases the theoretical throughput of the network to 2 Gbps.
The Gigabit Media-Independent Interface
The interface between the data link and physical layers, called the gigabit medium-independent interface (GMII), enables any of the physical layer standards to use the MAC and LLC sublayers. The GMII is an extension of the medium-independent interface in 100Base Ethernet, which supports transmission speeds of 10, 100, and 1,000 Mbps and has separate 8-bit transmit and receive data paths, for full-duplex communication. The GMII also includes two signals that are readable by the MAC sublayer, called carrier sense and collision detect. One of the signals specifies that a carrier is present, and the other specifies that a collision is currently occurring. These signals are carried to the data link layer by way of the reconciliation sublayer located between the GMII and the MAC sublayer.
The GMII is broken into three sublayers of its own, which are as follows:
• Physical coding sublayer (PCS)
• Physical medium attachment (PMA)
• Physical medium-dependent (PMD)
The following sections discuss the functions of these sublayers.
The Physical Coding Sublayer
The physical coding sublayer is responsible for encoding and decoding the signals on the way to and from the PMA. The physical layer options defined in the 802.3z document all use the 8B/10B coding system, which was adopted from the ANSI Fibre Channel standards. In this system, each 8-bit data symbol is represented by a 10-bit code. There are also codes that represent control symbols, such as those used in the MAC carrier extension mechanism. Each code is formed by breaking down the 8 data bits into two groups consisting of the 3 most significant bits (y) and the 5 remaining bits (x). The code is then named using the following notation: /Dx,y/, where x and y equal the decimal values of the two groups. The control codes are named the same way, except that the letter D is replaced by a K: /Kx,y/.
The idea behind this type of coding is to minimize the occurrence of consecutive zeros and ones, which make it difficult for systems to synchronize their clocks. To help do this, each of the code groups must be composed of one of the following:
• Five zeros and five ones
• Six zeros and four ones
• Four zeros and six ones
NOTE: The 1000Base-T physical layer option does not use the 8B/10B coding system. See "1000Base-T" later in this chapter for more information.
The PCS is also responsible for generating the carrier sense and collision-detect signals and for managing the autonegotiation process used to determine what speed the network interface card should use (10, 100, or 1,000 Mbps) and whether it should run in half-duplex or full-duplex mode.
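As an added illustration of the /Dx,y/ naming scheme and the three permitted zero/one mixes described above (example code, not from the book), the functions below name a code group from its byte and check a 10-bit code word against those mixes. The two K28,5 code words used as sample input are the values from the 8B/10B standard, not something this passage lists.

```python
# Added example (not from the book): naming 8B/10B code groups with the
# /Dx,y/ and /Kx,y/ notation from the text, and checking a 10-bit code word
# against the three zero/one mixes the text allows. The K28,5 code words in
# the sample run are the standard's values; the page itself lists none.


def code_group_name(byte, control=False):
    """Split the 8 data bits into x (5 low bits) and y (3 high bits)."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("code groups are formed from a single byte")
    x = byte & 0x1F         # five least significant bits
    y = (byte >> 5) & 0x7   # three most significant bits
    return "/%s%d,%d/" % ("K" if control else "D", x, y)


def byte_from_name(name):
    """Inverse of code_group_name: '/D21,5/' -> (0xB5, False)."""
    body = name.strip("/")
    kind, rest = body[0], body[1:]
    x, y = (int(v) for v in rest.split(","))
    if kind not in "DK" or not (0 <= x <= 31 and 0 <= y <= 7):
        raise ValueError("bad code group name: %r" % name)
    return (y << 5) | x, kind == "K"


ALLOWED_MIXES = {(5, 5), (6, 4), (4, 6)}  # (zeros, ones), from the text


def classify_code_word(bits):
    """Return the (zeros, ones) mix of a 10-bit code word.

    Raises ValueError when the word is not one of the three mixes the
    coding system permits, which is how a receiver spots a corrupted word.
    """
    if len(bits) != 10 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 10-character string of 0s and 1s")
    ones = bits.count("1")
    mix = (10 - ones, ones)
    if mix not in ALLOWED_MIXES:
        raise ValueError("%s has %d ones; not a valid 8B/10B code word"
                         % (bits, ones))
    return mix


def longest_run(bits):
    """Longest run of identical bits; the coding exists to keep this short."""
    best = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    # 0xBC as a control symbol is the well-known /K28,5/ comma character.
    print(code_group_name(0xBC, control=True), code_group_name(0xB5))
    for word in ("0011111010", "1100000101"):   # K28,5, both disparities
        print(word, classify_code_word(word), "longest run", longest_run(word))
```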
The Physical Medium Attachment Sublayer
The physical medium attachment sublayer is responsible for converting the code groups generated by the PCS into a serialized form that can be transmitted over the network medium and for converting the serial bit stream arriving over the network into code groups for use by the upper layers.
The Physical Medium-Dependent Sublayer
The physical medium-dependent sublayer provides the interface between the coded signals generated by the PCS and the actual physical network medium. This is where the actual optical or electric signals that are transmitted over the cable are generated and passed on to the cable through the medium-dependent interface (MDI).
The Physical Layer
Collectively called 1000Base-X, there were three physical layer options for Gigabit Ethernet defined in the original 802.3z document, two for fiber-optic cable and one for copper. These three physical layer options in 802.3z were adopted from the ANSI X3T11 Fibre Channel specifications. The use of an existing standard for this crucial element of the technology has greatly accelerated the development process, both of the Gigabit Ethernet standards and of the hardware products. In general, 1000Base-X calls for the use of the same types of fiber-optic cables as FDDI and 100Base-FX but at shorter distances. The longest possible Gigabit Ethernet segment, using single-mode fiber cable, is 5 kilometers.
In the ensuing years, additions have been made to the original description, including IEEE 802.3bj, which defines a four-lane 100 Gbps standard that operates at lengths up to at least 5 meters on links consistent with copper twin-axial cables. The IEEE is also working on Gigabit Ethernet to operate over a single twisted-pair cable for industrial (and automotive) use (IEEE 802.3bp), as well as 40GBase-T (IEEE 802.3bq) for four-pair balanced twisted-pair cables with two connections over 30-meter distances. The latter standard is scheduled for implementation in early 2016.
NOTE: For its multimode cable options, the 802.3z standard pioneered the use of laser light sources at high speeds. Most fiber-optic applications use lasers only with single-mode cable, while the signals on multimode cables are produced by light-emitting diodes (LEDs). The jitter effect, which was a problem with previous efforts to use lasers with multimode cable, was resolved by redefining the properties of the laser transmitters used to generate the signals.
Unlike standard and 100Base Ethernet, the fiber-optic physical layer standards for 1000Base-X were not based on the properties of specific cable types, but rather on the properties of the optical transceivers that generate the signal on the cable. Each of the fiber-optic standards supports several grades of cable, using short- or long-wavelength laser transmitters. The physical layer options for 1000Base-X are described in the following sections.
1000Base-LX
1000Base-LX was intended for use in backbones spanning relatively long distances, using long wavelength laser transmissions in the 1,270- to 1,355-nanometer range with either multimode fiber cable within a building or single-mode fiber for longer links, such as those between buildings on a campus network. Multimode fiber cable with a core diameter of 50 or 62.5 microns supports links of up to 550 meters, while 9-micron single-mode fiber supports links of up to 5,000 meters (5 km). Both fiber types use standard SC connectors.
1000Base-SX
1000Base-SX uses short-wavelength laser transmissions ranging from 770 to 860 nanometers and is intended for use on shorter backbones and horizontal wiring. This option is more economical than 1000Base-LX because it uses only the relatively inexpensive multimode fiber cable, in several grades, and the lasers that produce the short wavelength transmissions are the same as those commonly used in CD and CD-ROM players. As of this writing, most of the fiber-optic Gigabit Ethernet products on the market support the 1000Base-SX standard.
1000Base-T
Although it was not included in the 802.3z standard, one of the original goals of the Gigabit Ethernet development team was for it to run on standard Category 5 UTP cable and support connections up to 100 meters long. This enables existing 100Base Ethernet networks to be upgraded to Gigabit Ethernet without pulling new cable or changing the network topology. 1000Base-T was defined in a separate document called 802.3ab.
To achieve these high speeds over copper, 1000Base-T modified the way that the protocol uses the UTP cable. While designed to use the same cable installations as 100Base-TX, 1000Base-T uses all four of the wire pairs in the cable, while 100Base-TX uses only two pairs. In addition, all four pairs can carry signals in either direction. This effectively doubles the throughput of 100Base-TX, but it still doesn't approach speeds of 1,000 Mbps. However, 1000Base-T also uses a different signaling scheme to transmit data over the cable than the other 1000Base-X standards. This makes it possible for each of the four wire pairs to carry 250 Mbps, for a total of 1,000 Mbps or 1 Gbps. This signaling scheme is called Pulse Amplitude Modulation 5 (PAM-5).
While designed to run over standard Category 5 cable, as defined in the TIA/EIA standards, the standard recommends that 1000Base-T networks use at least Category 5e (or enhanced Category 5) cable. Category 5e cable is tested for its resistance to return loss and equal-level far-end crosstalk (ELFEXT). As with 100Base Ethernet, 1000Base-T NICs and other equipment are available that can run at multiple speeds, either 100/1000 or 10/100/1000 Mbps, to facilitate gradual upgrades to Gigabit Ethernet. Autonegotiation, optional in 100Base Ethernet, is mandatory in Gigabit Ethernet.
While networks that run Gigabit Ethernet to the desktop are not likely to be commonplace for some time, it will eventually happen, if history is any indicator.
Ethernet Troubleshooting
Troubleshooting an Ethernet network often means dealing with a problem in the physical layer, such as a faulty cable or connection or possibly a malfunctioning NIC or hub. When a network connection completely fails, you should immediately start examining the cabling and other hardware for faults. If you find that the performance of the network is degrading, however, or if a problem is affecting specific workstations, you can sometimes get an idea of what is going wrong by examining the Ethernet errors occurring on the network.
Ethernet Errors
The following are some of the errors that can occur on an Ethernet network. Some are relatively common, while others are rare. Detecting these errors usually requires special tools designed to analyze network traffic. Most software applications can detect some of these conditions, such as the number of early collisions and FCS errors. Others, such as late collisions, are much more difficult to detect and may require high-end software or hardware tools to diagnose.
• Early collisions: Strictly speaking, an early collision is not an error because collisions occur normally on an Ethernet network. But too many collisions (more than approximately 5 percent of the total packets) is a sign that network traffic is approaching critical levels. It is a good idea to keep a record of the number of collisions occurring on the network at regular intervals (such as weekly). If you notice a marked increase in the number of collisions, you might consider trying to decrease the amount of traffic, either by splitting the network into two collision domains or by moving some of the nodes to another network.
• Late collisions: Late collisions are always a cause for concern and are difficult to detect. They usually indicate that data is taking too long to traverse the network, either because the cable segments are too long or because there are too many repeaters. A NIC with a malfunctioning carrier sense mechanism could also be at fault. Network analyzer products that can track late collisions can be extremely expensive, but are well worth the investment for a large enterprise network. Because late collisions force lost packets to be retransmitted by higher-layer protocols, you can sometimes detect a trend of network layer retransmissions (by the IP protocol, for example) caused by late collisions, using a basic protocol analyzer such as Network Monitor.
• Runts: A runt is a packet less than 64 bytes long, caused either by a malfunctioning NIC or hub port or by a node that ceases transmitting in the middle of a packet because of a detected collision. A certain number of runt packets occur naturally as a result of normal collisions, but a condition where more runts occur than collisions indicates a faulty hardware device.
• Giants: A giant is a packet that is larger than the Ethernet maximum of 1,518 bytes. The problem is usually caused by a NIC that is jabbering, or transmitting improperly or continuously, or (less likely) by the corruption of the header's length indicator during transmission. Giants never occur normally. They are an indication of a malfunctioning hardware device or a cable fault.
• Alignment errors: A packet that contains a partial byte (that is, a packet with a size in bits that is not a multiple of 8) is said to be misaligned. This can be the result of an error in the formation of the packet (in the originating NIC) or evidence of corruption occurring during the packet's transmission. Most misaligned packets also have CRC errors.
• CRC errors: A packet in which the frame check sequence generated at the transmitting node does not equal the value computed at the destination is said to have experienced a CRC error. The problem can be caused by data corruption occurring during transmission (because of a faulty cable or other connecting device) or conceivably by a malfunction in the FCS computation mechanism in either the sending or receiving node.
• Broadcast storms: When a malformed broadcast transmission causes the other nodes on the network to generate their own broadcasts for a total traffic rate of 126 packets per second or more, the result is a self-sustaining condition known as a broadcast storm. Because broadcast transmissions are processed before other frames, the storm effectively prevents any other data from being successfully transmitted.
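To show how the error categories and thresholds in the list above translate into detection logic, here is an added example (not code from the book) that classifies frame records and evaluates one measurement interval. The frame records, counters and finding tags are constructed for the example; a real tool would take them from NIC statistics or a protocol analyzer.

```python
# Added example (not from the book): sorting received frames into the error
# categories the list above describes and applying the thresholds it gives
# (about 5 percent collisions, 126 broadcast packets per second, runts
# outnumbering collisions). Frame records and counters are constructed here.

MIN_FRAME_BITS = 64 * 8      # Ethernet minimum frame size
MAX_FRAME_BITS = 1518 * 8    # Ethernet maximum frame size
COLLISION_RATE_LIMIT = 0.05  # the text's "approximately 5 percent"
BROADCAST_STORM_PPS = 126    # broadcast rate the text gives for a storm


def classify_frame(length_bits, fcs_ok):
    """Return the error names that apply to one received frame."""
    errors = []
    if length_bits % 8:             # partial byte: misaligned
        errors.append("alignment")
    if length_bits < MIN_FRAME_BITS:
        errors.append("runt")
    elif length_bits > MAX_FRAME_BITS:
        errors.append("giant")
    if not fcs_ok:                  # receiver's FCS differs from the frame's
        errors.append("crc")
    return errors


def interval_report(frames, collisions, late_collisions, broadcast_pps):
    """Summarise one measurement interval.

    frames: list of (length_bits, fcs_ok) records
    collisions, late_collisions: counters for the same interval
    broadcast_pps: observed broadcast rate
    Returns (per-error counts, set of finding tags).
    """
    counts = {}
    for length_bits, fcs_ok in frames:
        for err in classify_frame(length_bits, fcs_ok):
            counts[err] = counts.get(err, 0) + 1
    findings = set()
    if frames and collisions / len(frames) > COLLISION_RATE_LIMIT:
        findings.add("high-collision-rate")
    if late_collisions:
        findings.add("late-collisions")
    if counts.get("runt", 0) > collisions:   # runts the collisions cannot explain
        findings.add("runts-exceed-collisions")
    if counts.get("giant", 0):               # giants never occur normally
        findings.add("giants")
    if broadcast_pps >= BROADCAST_STORM_PPS:
        findings.add("broadcast-storm")
    return counts, findings


ADVICE = {  # one-line reminders of the causes the text gives for each finding
    "high-collision-rate": "traffic near critical level: split the collision domain",
    "late-collisions": "check segment lengths, repeater count and NIC carrier sense",
    "runts-exceed-collisions": "runts not explained by collisions: suspect a NIC or hub port",
    "giants": "never normal: suspect a jabbering NIC or a cable fault",
    "broadcast-storm": "self-sustaining broadcasts: find the node sending the malformed broadcast",
}

# Constructed sample interval: one runt, one giant, one misaligned frame
# (which, as the text notes, usually fails its CRC too) and one plain CRC error.
SAMPLE_FRAMES = [
    (64 * 8, True),
    (1500 * 8, True),
    (40 * 8, True),         # runt
    (1600 * 8, True),       # giant
    (100 * 8 + 3, False),   # alignment error, CRC also fails
    (512 * 8, False),       # CRC error only
]

if __name__ == "__main__":
    counts, findings = interval_report(SAMPLE_FRAMES, collisions=1,
                                       late_collisions=0, broadcast_pps=10)
    print(counts)
    for tag in sorted(findings):
        print(tag, "-", ADVICE[tag])
```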
Isolating the Problem
Whenever you exceed any of the Ethernet specifications (or the specifications for any protocol, for that matter), the place where you're pushing the envelope should be the first place you check when a problem arises. If you have exceeded the maximum length for a segment, for example, try to eliminate some of the excess length to see whether the problem continues. On a thin Ethernet network, this usually means cross-cabling to eliminate some of the workstations from the segment. On a UTP network, connect the same computer to the same hub port using a shorter cable run. If you have too many workstations running on a coaxial bus (thick or thin Ethernet), you can determine whether overpopulation is the problem simply by shutting down some of the machines.
Encountering excessive repeaters on a UTP network is a condition that you can test for by checking to see whether problems occur more often on paths with a larger number of hubs. You can also try to cross-cable the hubs to eliminate some of them from a particular path. This is relatively easy to do in an environment in which all the hubs are located in the same wiring closet or data center, but if the hubs are scattered all over the site, you may have to disconnect some of the hubs temporarily to reduce the size of the collision domain to perform your tests. The same is true of a coaxial network on which the primary function of the repeaters is to extend the collision domain diameter. You may have to disconnect the cable from each of the repeaters in turn (remembering to terminate the bus properly each time) to isolate the problem.
Reducing the size of the collision domain is also a good way to narrow down the location of a cable fault. In a UTP network, the star topology means that a cable break will affect only one system. On a coaxial network using a bus topology, however, a single cable fault can bring down the entire network. On a multisegment network, terminating the bus at each repeater in turn can tell you which segment has the fault.
A better, albeit more expensive, method for locating cable problems is to use a multifunction cable tester. These devices can pinpoint the exact location of many different types of cable faults.
NOTE: Once you locate a malfunctioning cable, it's a good idea to dispose of it immediately. Leaving a bad cable lying around can result in someone else trying to use it and thus the need for another troubleshooting session.
100VG-AnyLAN
100VG-AnyLAN is a 100 Mbps desktop networking protocol that is usually grouped with 100Base Ethernet because the two were created at the same time and briefly competed for the same market. However, this protocol cannot strictly be called an Ethernet variant because it does not use the CSMA/CD media access control mechanism.
100VG-AnyLAN is defined in the IEEE 802.12 specification, while all of the Ethernet variants are documented by the 802.3 working group. Originally touted by Hewlett-Packard and AT&T as a 100 Mbps UTP networking solution that is superior to 100Base Ethernet, the market has not upheld that belief. While a few 100VG products are still available, 100Base Ethernet has clearly become the dominant 100 Mbps networking technology.
As with 100Base Ethernet, the intention behind the 100VG standard is to use existing 10Base-T cable installations and to provide a clear, gradual upgrade path to the 100Base technology. Originally intended to support all the same physical layer options as 100Base Ethernet, only the first 100VG cabling option has actually materialized, using all four wire pairs in a UTP cable rated Category 3 or better. The maximum cable segment length is 100 meters for Category 3 and 4 cables and is 200 meters for Category 5. Up to 1,024 nodes are permitted on a single collision domain. 100VG-AnyLAN uses a technique called quartet signaling to use the four wire pairs in the cable.
100VG uses the same frame format as either 802.3 Ethernet or 802.5 Token Ring, making it possible for the traffic to coexist on a network with these other protocols. This is an essential point that provides a clear upgrade path from the older, slower technologies. As with 100Base Ethernet, dual-speed NICs are available to make it possible to perform upgrades gradually, one component at a time.
A 10Base-T/100VG-AnyLAN NIC, however, was a substantially more complex device than a 10/100 100Base Ethernet card. While the similarity between standard and 100Base Ethernet enables the adapter to use many of the same components for both protocols, 100VG is sufficiently different from 10Base-T to force the device to be essentially two network interface adapters on a single card, which share little else but the cable and bus connectors. This, and the relative lack of acceptance for 100VG-AnyLAN, has led the prices of the hardware to be substantially higher than those for 100Base Ethernet.
The one area in which 100VG-AnyLAN differs most substantially from Ethernet is in its media access control mechanism. 100VG networks use a technique called demand priority, which eliminates the normally occurring collisions from the network and also provides a means to differentiate between normal and high-priority traffic. The introduction of priority levels is intended to support applications that require consistent streams of high bandwidth, such as real-time audio and video.
The 100VG-AnyLAN specification subdivides its functionality into several sublayers. Like the other IEEE 802 standards, the LLC sublayer is at the top of a node's data link layer's functionality, followed by the MAC sublayer. On a repeater (hub), the repeater media access control (RMAC) sublayer is directly below the LLC. Beneath the MAC or RMAC sublayer, the specification calls for a physical medium–independent (PMI) sublayer, a medium-independent interface, and a physical medium–dependent sublayer. Finally, the medium-dependent interface provides the actual connection to the network medium. The following sections examine the activities at each of these layers.
The Logical Link Control Sublayer
The LLC sublayer functionality is defined by the IEEE 802.2 standard and is the same as that used with 802.3 (Ethernet) and 802.5 (Token Ring) networks.
The MAC and RMAC Sublayers
100VG's demand-priority mechanism replaces the CSMA/CD mechanism in Ethernet and 100Base Ethernet networks. Unlike most other MAC mechanisms, access to the medium on a demand-priority network is controlled by the hub. Each node on the network, in its default state, transmits an Idle_Up signal to its hub, indicating that it is available to receive data. When a node has data to transmit, it sends either a Request_Normal signal or a Request_High signal to the hub. The signal the node uses for each packet is determined by the upper-layer protocols, which assign priorities based on the application generating the data.
The hub continuously scans all of its ports in a round-robin fashion, waiting to receive request signals from the nodes. After each scan, the hub selects the node with the lowest port number that has a high-priority request pending and sends it the Grant signal, which is the permission for the node to transmit. After sending the Grant signal to the selected node, the hub sends the Incoming signal to all of the other ports, which informs the nodes of a possible transmission. As each node receives the incoming signal, it stops transmitting requests and awaits the incoming transmission.
When the hub receives the packet from the sending node, it reads the destination address from the frame header and sends the packet out the appropriate port. All the other ports receive the Idle_Down signal. After receiving either the data packet or the Idle_Down signal, the nodes return to their original state and begin transmitting either a request or an Idle_Up signal. The hub then processes the next high-priority request. When all the high-priority requests have been satisfied, the hub then permits the nodes to transmit normal-priority traffic, in port number order.
NOTE: By default, a 100VG hub transmits incoming packets out only to the port (or ports) identified in the packet's destination address. This is known as operating in private mode. Configuring specific nodes to operate in promiscuous mode is possible, however, in which case they receive every packet transmitted over the network.
The processing of high-priority requests first enables applications that require timely access to the network to receive it, but a mechanism also exists to protect normal-priority traffic from excessive delays. If the time needed to process a normal-priority request exceeds a specified interval, the request is upgraded to high priority.
On a network with multiple hubs, one root hub always exists, to which all the others are ultimately connected. When the root hub receives a request through a port to which another hub is connected, it enables the subordinate hub to perform its own port scan and process one request from each of its own ports. In this way, permission to access the media is propagated down the network tree, and all nodes have an equal opportunity to transmit.
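The demand-priority scan described in this section, modelled as an added example (not code from the book): a single hub grants the lowest-numbered port with a high-priority request, serves normal-priority ports in port order once no high request remains, and promotes a normal request that has waited too long. The wait limit, port count and request arrivals are constructed values; the text does not give the standard's timer, and the multi-hub propagation is not modelled.

```python
# Added example (not from the book): a small model of the demand-priority
# scan described above. One hub holds at most one pending request per port,
# grants the lowest-numbered port with a Request_High first, serves
# Request_Normal ports in port order once no high request remains, and
# promotes a normal request that has waited longer than a limit. The limit,
# the port count and the request arrivals are constructed; the standard's
# actual timer value is not given in the text.

HIGH = "Request_High"
NORMAL = "Request_Normal"


class DemandPriorityHub:
    def __init__(self, ports, max_normal_wait):
        self.ports = ports
        self.max_normal_wait = max_normal_wait
        # port -> [priority, tick at which the request was first seen]
        self.pending = {}

    def request(self, port, priority, tick):
        """A node replaces its Idle_Up with a request signal."""
        if not 1 <= port <= self.ports:
            raise ValueError("no such port: %r" % port)
        if priority not in (HIGH, NORMAL):
            raise ValueError("unknown request signal: %r" % priority)
        # A node keeps repeating the same request until it is granted, so
        # an existing entry keeps its original arrival tick.
        self.pending.setdefault(port, [priority, tick])

    def scan(self, tick):
        """One round-robin pass. Returns the port that receives Grant, or
        None when every port is sending Idle_Up."""
        for entry in self.pending.values():
            if entry[0] == NORMAL and tick - entry[1] > self.max_normal_wait:
                entry[0] = HIGH   # protect normal traffic from excessive delay
        for wanted in (HIGH, NORMAL):
            for port in sorted(self.pending):   # lowest port number first
                if self.pending[port][0] == wanted:
                    del self.pending[port]
                    return port
        return None


def run_schedule(hub, arrivals, ticks):
    """Feed requests in at their arrival tick and record each scan's Grant.
    arrivals: {tick: [(port, priority), ...]}"""
    grants = []
    for tick in range(ticks):
        for port, priority in arrivals.get(tick, []):
            hub.request(port, priority, tick)
        grants.append(hub.scan(tick))
    return grants


# Constructed scenario: ports 1 and 2 ask for normal service, ports 3 and 4
# for high; at tick 3 port 3 asks again at high priority.
SAMPLE_ARRIVALS = {
    0: [(1, NORMAL), (3, HIGH), (2, NORMAL), (4, HIGH)],
    3: [(3, HIGH)],
}

if __name__ == "__main__":
    hub = DemandPriorityHub(ports=4, max_normal_wait=2)
    # Port 2's normal request, pending since tick 0, is promoted at tick 3
    # and therefore beats the newer high-priority request on port 3.
    print(run_schedule(hub, SAMPLE_ARRIVALS, 6))
```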
MACFramePreparationInadditiontocontrollingaccesstothenetworkmedium,theMACsublayerassemblesthepacketframefortransmissionacrossthenetwork.Fourpossibletypesofframesexistona100VG-AnyLANnetwork:
•802.3
•802.5
•Void
•Linktraining
802.3and802.5Frames100VG-AnyLANiscapableofusingeither802.3(Ethernet)or802.5(TokenRing)framessothatthe100VGprotocolcancoexistwiththeothernetworktypesduringagradualdeploymentprocess.Usingbothframetypesatonceisimpossible,however.Youmustconfigureallthehubsonthenetworktouseoneortheotherframetype.
All100VGframesareencapsulatedwithinaStartofStreamfieldandanEndofStreamfieldbythephysicalmedium–independentsublayer,whichinformsthePMIsublayeronthereceivingstationwhenapacketisbeingsentandwhenthetransmissioniscompleted.Insidethesefields,the802.3and802.5framesusethesameformatsdefinedintheirrespectivespecifications.
TheMACsublayersuppliesthesystem’sownhardwareaddressforeachpacket’ssourceaddressfieldandalsoperformstheCRCcalculationsforthepacket,storingthemintheFCSfield.
Onincomingpackets,theMACsublayerperformstheCRCcalculationsandcomparestheresultswiththecontentsoftheFCSfield.Ifthepacketpassestheframecheck,theMACsublayerstripsoffthetwoaddressesandtheFCSfieldsandpassestheremainingdatatothenextlayer.
VoidFramesVoidframesaregeneratedbyrepeatersonlywhenanodefailstotransmitapacketwithinagiventimeperiodaftertherepeaterhasacknowledgedit.
LinkTrainingFramesEverytimeanodeisrestartedorreconnectedtothenetwork,itinitiatesalinktrainingprocedurewithitshubbytransmittingaseriesofspecializedlinktrainingpackets.Thisprocedureservesseveralpurposes,asfollows:
•ConnectiontestingForanodetoconnecttothenetwork,itmustexchange24consecutivetrainingpacketswiththehubwithoutcorruptionorloss.ThisensuresthatthephysicalconnectionisviableandthattheNICandhubportarefunctioningproperly.
•PortconfigurationThedatainthetrainingpacketsspecifieswhetherthenodewilluse802.3or802.5frames,whetheritwilloperateinprivateorpromiscuousmode,andwhetheritisanendnode(computer)orarepeater(hub).
•AddressregistrationThehubreadsthenode’shardwareaddressfromthetrainingpacketsandaddsittothetableitmaintainsofalltheconnectednodes’addresses.
Trainingpacketscontain2-byterequestedconfigurationandallowedconfigurationfieldsthatenablenodesandrepeaterstonegotiatetheportconfigurationsettingsfortheconnection.Thetrainingpacketsthenodegeneratescontainitssettingsintherequestedconfigurationfieldandnothingintheallowedconfigurationfield.Therepeater,onreceivingthepackets,addsthesettingsitcanprovidetotheallowedconfigurationfieldandtransmitsthepacketstothenode.
Thepacketsalsocontainbetween594and675bytesofpaddinginthedatafieldtoensurethattheconnectionbetweenthenodeandtherepeaterisfunctioningproperlyandcantransmitdatawithouterror.
ThePhysicalMedium–IndependentSublayerAsthenameimplies,thephysicalmedium–independentsublayerperformsthesamefunctionsforall100VGpackets,regardlessofthenetworkmedium.WhenthePMIsublayerreceivesaframefromtheMACsublayer,itpreparesthedatafortransmissionusingatechniquecalledquartetsignaling.ThequartetreferstothefourpairsofwiresinaUTPcable,allofwhichtheprotocolusestotransmiteachpacket.Quartetsignalingincludesfourseparateprocesses,asfollows:
1.Eachpacketisdividedintoasequenceof5-bitsegments(calledquintets)andassignedsequentiallytofourchannelsthatrepresentthefourwirepairs.Thus,thefirst,fifth,andninthquintetswillbetransmittedoverthefirstpair;thesecond,sixth,andtenthoverthesecondpair;andsoon.
2.Thequintetsarescrambledusingadifferentalgorithmforeachchanneltorandomizethebitpatternsforeachpairandeliminatestringsofbitswithequalvalues.Scramblingthedatainthiswayminimizestheamountofinterferenceandcrosstalkonthecable.
3.Thescrambledquintetsareconvertedtosextets(6-bitunits)usingaprocesscalled5B6Bencoding,whichreliesonapredefinedtableofequivalent5-bitand6-bitvalues.Becausethesextetscontainanequalnumberofzerosandones,thevoltageonthecableremainsevenanderrors(whichtaketheformofmorethanthreeconsecutivezerosorones)aremoreeasilydetected.Theregularvoltagetransitionsalsoenablethecommunicatingstationstosynchronizetheirclocksmoreaccurately.
4.Finally,thepreamble,StartofFramefield,andEndofFramefieldareaddedtotheencodedsextets,and,ifnecessary,paddingisaddedtothedatafieldtobringituptotheminimumlength.
TheMedium-IndependentInterfaceSublayerThemedium-independentinterfacesublayerisalogicalconnectionbetweenthePMIandPMDlayers.Aswith100BaseEthernet,theMIIcanalsotaketheformofaphysicalhardwareelementthatfunctionsasaunifiedinterfacetoanyofthemediasupportedby100VG-AnyLAN.
ThePhysicalMedium–DependentSublayerThephysicalmedium–dependentsublayerisresponsibleforgeneratingtheactualelectricalsignalstransmittedoverthenetworkcable.Thisincludesthefollowingfunctions:
•LinkstatuscontrolsignalgenerationNodesandrepeatersexchangelinkstatusinformationusingcontroltonestransmittedoverallfourwirepairsinfull-duplexmode(twopairstransmittingandtwopairsreceiving).Normaldatatransmissionsaretransmittedinhalf-duplexmode.
•DatastreamsignalconditioningThePMDsublayerusesasystemcallednonreturntozero(NRZ)encodingtogeneratethesignalstransmittedoverthecable.NRZminimizestheeffectsofcrosstalkandexternalnoisethatcandamagepacketsduringtransmission.
•ClockrecoveryNRZencodingtransmits1bitofdataforeveryclockcycle,at30MHzperwirepair,foratotalof120MHz.Becausethe5B6Bencodingschemeuses6bitstocarry5bitsofdata,thenettransmissionrateis100MHz.
TheMedium-DependentInterfaceThemedium-dependentinterfaceistheactualhardwarethatprovidesaccesstothenetworkmedium,asrealizedinanetworkinterfacecardorahub.
Workingwith100VG-AnyLANWhencomparedtothesuccessof100BaseEthernetproductsinthemarketplace,100VG-AnyLANobviouslyhasnotbeenacceptedasanindustrystandard,butafewnetworksstilluseit.Theproblemisnotsomuchoneofperformance,because100VGcertainlyrivals100BaseEthernetinthatrespect,but,instead,ofmarketingandsupport.
Despiteusingthesamephysicallayerspecificationsandframeformats,100VG-AnyLANissufficientlydifferentfromEthernettocausehesitationonthepartofnetworkadministratorswhohaveinvestedlargeamountsoftimeandmoneyinlearningtosupportCSMA/CDnetworks.Deployinganew100VG-AnyLANwouldnotbeawisebusinessdecisionatthispoint,andeventryingtopreserveanexistinginvestmentinthistechnologyisadoubtfulcourseofaction.
Mixing100VG-AnyLANand100BaseEthernetnodesonthesamecollisiondomainisimpossible,butyoucancontinuetouseyourexisting100VGsegmentsandtoaddnew100BaseEthernetsystemsaslongasyouuseaswitchtocreateaseparatecollisiondomain.Themostpracticalmethodfordoingthisistoinstallamodularswitchintowhich
youcanplugtransceiverssupportingdifferentdatalinklayerprotocols.
CHAPTER
12 NetworkingProtocols
Although the vast majority of local area networks (LANs) use one of the Ethernet variants, other data link layer protocols provided their own unique advantages. Chief among these advantages was the use of media access control mechanisms (MACs) other than Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Token Ring and Fiber Distributed Data Interface (FDDI) were both viable LAN protocols that approached the problem of sharing a network cable in a wholly different way.

Token Ring

Token Ring was the traditional alternative to the Ethernet protocol at the data link layer. The supporters of Token Ring were, and in many cases are, stalwart, and while it never overtook Ethernet in popularity, it was far from being out of the race. Token Ring was originally developed by IBM and later standardized in the IEEE 802.5 document, so, like Ethernet, there were slightly divergent protocol standards.

The biggest difference between Token Ring and Ethernet was the media access control mechanism. To transmit its data, a workstation must be the holder of the token, a special packet circulated to each node on the network in turn. Only the system in possession of the token can transmit, after which it passes the token to the next system. This eliminates all possibility of collisions in a properly functioning network, as well as the need for a collision-detection mechanism.

The Token Ring Physical Layer

As the name implies, the nodes on a Token Ring network connect in a ring topology. This is, in essence, a bus with the two ends connected to each other, so that systems can pass data to the next node on the network until it arrives back at its source. This is exactly how the protocol functions: the system that transmits a packet is also responsible for removing it from the network after it has traversed the ring.

This ring, however, is logical, not physical. That is, the network to all appearances takes the form of a star topology, with the workstations connected to a central hub called a multistation access unit (MAU, or sometimes MSAU). The logical ring (sometimes called a collapsed ring) is actually a function of the MAU, which accepts packets transmitted by one system and directs them out each successive port in turn, waiting for them to return over the same cable before proceeding to the next port (see Figure 12-1). In this arrangement, therefore, the transmit and receive circuits in each workstation are actually separate ports that just happen to use the same cable, because the system always transmits data to the next downstream system and receives data from the next upstream system.

Figure 12-1 Token Ring networks appear to use a star topology, but data travels in the form of a ring.

NOTE The MAU is also known as a concentrator.
Cable Types

The original IBM Token Ring implementations used a proprietary cable system designed by IBM, which they referred to as Type 1, or the IBM Cabling System (ICS). Type 1 was a 150-ohm shielded twisted-pair (STP) cable containing two wire pairs. The ports of a Type 1 MAU used proprietary connectors called IBM data connectors (IDCs) or universal data connectors (UDCs), and the network interface cards used standard DB9 connectors. A cable with IDCs at each end, used to connect MAUs, was called a patch cable. A cable with one IDC and one DB9, used to connect a workstation to the MAU, was called a lobe cable.

The other cabling system used on Token Ring networks, called Type 3 by IBM, used standard unshielded twisted-pair (UTP) cable, with Category 5 recommended. Like Ethernet, Token Ring used only two of the wire pairs in the cable, one pair to transmit data and one to receive it. Type 3 cable systems also used standard RJ-45 connectors for both the patch cables and the lobe cables. The signaling system used by Token Ring networks at the physical layer is different from that of Ethernet, however. Token Ring uses Differential Manchester signaling, while Ethernet uses Manchester.

Type 3 UTP cabling largely supplanted Type 1 in the Token Ring world, mainly because it was much easier to install. Type 1 cable was thick and relatively inflexible when compared to Type 3, and the IDC connectors were large, making internal cable installations difficult.

NOTE The physical layer standards for Token Ring networks were not as precisely specified as those for Ethernet. In fact, the IEEE 802.5 standard is quite a brief document that contains no physical layer specifications at all. The cable types and wiring standards for Token Ring derived from the practices used in products manufactured by IBM, the original developer and supporter of the Token Ring protocol. As a result, products made by other manufacturers differed in their recommendations for physical layer elements such as cable lengths and the maximum number of workstations allowed on a network.

Token Ring NICs

The network interface cards for Token Ring systems were similar to Ethernet NICs in appearance. Most of the cards used RJ-45 connectors for UTP cable, although DB9 connectors were also available, and the internal connectors supported all of the major system buses, including PCI and ISA. Every Token Ring adapter had a very large-scale integration (VLSI) chipset that consisted of five separate CPUs, each of which had its own separate executable code, data storage area, and memory space. Each CPU corresponded to a particular state or function of the adapter. This complexity is one of the main reasons why Token Ring NICs were substantially more expensive than Ethernet NICs.
Token Ring MAUs

To maintain the ring topology, all of the MAUs on a Token Ring network needed to be interconnected using the Ring In and Ring Out ports intended for this purpose. Figure 12-2 illustrates how the MAUs themselves were cabled in a ring that was extended by the lobe cables connecting each of the workstations. It was also possible to build a Token Ring network using a control access unit (CAU), which was essentially an intelligent MAU that supported a number of lobe attachment modules (LAMs). To increase the number of workstations connected to a Token Ring network without adding a new MAU, you could use lobe access units (LAUs) that enabled you to connect several workstations to a single lobe.

Figure 12-2 The MAUs in a Token Ring network formed the basic ring. This ring was extended with each workstation added to the network.

NOTE LAMs can support up to 20 nodes each.

Token Ring MAUs (not to be confused with the Ethernet MAU, or medium attachment unit, which is the transceiver that attaches a station to the cable) were quite different from Ethernet hubs in several ways. First, the typical MAU was a passive device, meaning it did not function as a repeater. The cabling guidelines for Token Ring networks were based on the use of passive MAUs. There were repeating MAUs on the market, however, that enabled you to extend the network cable lengths beyond the published standards.

Second, the ports on all MAUs remained in a loopback state until they were initialized by the workstation connected to them. In the loopback state, the MAU passed signals it received from the previous port directly to the next port without sending them out over the lobe cable. When the workstation booted, it transmitted what was known as a phantom voltage to the MAU. Phantom voltage did not carry data; it just informed the MAU of the presence of the workstation, causing the MAU to add it to the ring. On older Type 1 Token Ring networks, an administrator had to manually initialize each port in the MAU with a special "key" plug before attaching a lobe cable to it. This initialization was essential in Token Ring because of the network's reliance on each workstation to send each packet it received from the MAU right back. The MAU could not send the packet to the next workstation until it received it from the previous one. If a MAU were to transmit a packet out through a port to a workstation that was turned off or nonexistent, the packet would never return, the ring would be broken, and the network would cease functioning. Because of the need for this initialization process, it was impossible to connect two Token Ring computers directly without a MAU, as you can with Ethernet and a crossover cable.

Finally, MAUs always had two ports for connecting to the other MAUs in the network. Ethernet systems using a star topology connected their hubs in a hierarchical star configuration (also called a branching tree), in which one hub could be connected to several others, each of which, in turn, was connected to other hubs, as shown in Figure 12-3. Token Ring MAUs were always connected in a ring, with the Ring In port connected to the next upstream MAU and the Ring Out port connected to the next downstream MAU. Even if your network had only two MAUs, you had to connect the Ring In port on each one to the Ring Out port on the other using two patch cables.

Figure 12-3 Ethernet hubs (at left) were connected using a branching tree arrangement, while Token Ring MAUs (at right) were connected in a ring.

The connections between Token Ring MAUs were redundant. That is, if a cable or connector failure caused a break between two of the MAUs, the adjacent MAUs transmitted any data reaching them back in the other direction, so the packets always reached all of the workstations connected to the network. The Token Ring standards used a specification called the adjusted ring length (ARL) to determine the total length of the data path in the event of this type of failure.
Calculating the ARL

To calculate the ARL for a network, you took the sum of all the patch cable lengths between wiring closets, subtracted the length of the shortest patch cable connecting two wiring closets, and made the following adjustments:

• Added 3 meters for every punchdown connection involved in the path between two MAUs
• Added 30 meters for every surge protector used on the network
• Added 16 meters for every eight-port MAU

Because MAUs were often stored in wiring closets, the standard refers to the number of wiring closets used on the network, meaning MAUs more than 3 meters apart. Whether the MAUs were physically located in different closets is not relevant; any two MAUs connected by a cable more than 3 meters long were said to be in different wiring closets. Patch cables shorter than 3 meters were not to be included in the ARL calculations.

NOTE All of the ring lengths discussed in reference to Token Ring networks refer to passive MAU networks. Unlike an Ethernet hub, a Token Ring MAU did not usually function as a repeater. When you used active MAUs that included signal-repeating capabilities, the cables could be much longer, depending on the capabilities of the individual MAU.
Token Passing

Access to the network medium on a Token Ring network was arbitrated through the use of a 3-byte packet known as the token. When the network was idle, the workstations were said to be in bit repeat mode, awaiting an incoming transmission. The token circulated continuously around the ring, from node to node, until it reached a workstation that had data to transmit. To transmit its data, the workstation modified a single bit in the token's access control field (the token bit) to indicate that the network was busy and sent it to the next workstation, followed immediately by its data packet.

The packet also circulated around the ring. Each node read the destination address in the packet's frame header and either wrote the packet to its memory buffers for processing before transmitting it to the next node or just transmitted it without processing. (Compare this with Ethernet systems, which simply discard packets that are not addressed to them.) In this way, the packet reached every node on the network until it arrived at the workstation that originally sent it.

On receipt of the packet after it had traversed the ring, the sending node compared the incoming data with the data it originally transmitted to see whether any errors had occurred during transmission. If errors had occurred, the computer retransmitted the packet. If no errors had occurred, the computer removed the packet from the network and discarded it, then changed the token bit back to its free state and transmitted the token. The process was then repeated, with each system having an equal chance to transmit.

Although it was not part of the original standard, most 16 Mbps Token Ring systems included a feature called early token release (ETR), which enabled the transmitting system to send the "free" token immediately after the data packet (instead of the "busy" token before the data packet), without waiting for the data to traverse the network. That way, the next node on the network received the data packet, captured the free token, and transmitted its own data packet, followed by another free token. This enabled multiple data packets to exist on the network simultaneously, but there was still only one token. Early token release eliminated some of the latency on the network that occurred while systems waited for the free token to arrive.

NOTE Early token release was possible only on 16 Mbps Token Ring networks. Systems that used ETR could coexist on the same network with systems that did not.

Because only the computer holding the token could transmit data, Token Ring networks did not experience collisions unless a serious malfunction occurred. This meant that the network could operate up to its full capacity with no degradation of performance, as can happen in an Ethernet network. The token-passing system was also deterministic, which meant that it was possible to calculate the maximum amount of time that would elapse before a particular node could transmit.
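To make the token-passing mechanics concrete, the following Python simulation is an added example (not code from the book) that models the ring at the frame level: a single token, a station that captures it by setting the token bit in the access control byte, the source stripping its own frame when it returns, and early token release. The access control byte layout used here (three priority bits, the monitor bit, the token bit, three reservation bits) is the IEEE 802.5 layout, of which the chapter names only the token and monitor bits; the active monitor's purge of a frame whose source never stripped it, detected with the monitor bit, is likewise taken from 802.5 rather than from the text above. Station addresses and payloads are constructed sample data.

```python
"""Frame-level model of Token Ring token passing (added example, not from the book)."""
from collections import deque
from dataclasses import dataclass, field

# Access control byte, IEEE 802.5 layout (assumed; the chapter names only two of these bits):
#   bits 7-5 priority, bit 4 monitor, bit 3 token, bits 2-0 reservation.
AC_MONITOR = 0x10
AC_TOKEN = 0x08


@dataclass
class Station:
    addr: str
    inserted: bool = True                           # False: MAU port looped back, station only repeats
    queue: deque = field(default_factory=deque)     # (dst, payload) waiting for a free token
    received: list = field(default_factory=list)    # (src, payload) copied off the ring


@dataclass
class Item:
    """One thing travelling on the ring: a free token (token bit 0) or a frame (token bit 1)."""
    pos: int                 # index of the station whose receive port holds it this tick
    ac: int
    src: str = ""
    dst: str = ""
    payload: str = ""

    @property
    def is_token(self) -> bool:
        return not (self.ac & AC_TOKEN)


class TokenRing:
    def __init__(self, addrs, early_token_release=False, am_index=0):
        self.stations = [Station(a) for a in addrs]
        self.etr = early_token_release
        self.am = am_index
        self.items = [Item(pos=am_index, ac=0)]    # the active monitor issued the first free token
        self.max_frames_in_flight = 0
        self.purges = 0
        self._purge = False

    def send(self, src, dst, payload):
        next(s for s in self.stations if s.addr == src).queue.append((dst, payload))
        return self

    def tokens_on_ring(self):
        return sum(1 for i in self.items if i.is_token)

    def _hop(self, item):
        """The station at item.pos handles the item; returns what leaves its transmit port."""
        st = self.stations[item.pos]
        if not st.inserted:
            return [item]                              # bit repeat only
        if item.is_token:
            if not st.queue:
                return [item]
            dst, payload = st.queue.popleft()
            frame = Item(item.pos, AC_TOKEN, st.addr, dst, payload)   # token bit set: ring busy
            # Early token release: a free token follows the frame immediately.
            return [frame, Item(item.pos, 0)] if self.etr else [frame]
        if item.src == st.addr:                        # stripping: the station's own frame came back
            return [] if self.etr else [Item(item.pos, 0)]   # without ETR, release the token now
        if item.pos == self.am:
            if item.ac & AC_MONITOR:                   # passed the AM twice: its source never stripped it
                self.purges += 1
                self._purge = True                     # ring purge: everyone back to bit repeat
                return []
            item.ac |= AC_MONITOR
        if item.dst in (st.addr, "broadcast"):
            st.received.append((item.src, item.payload))
        return [item]

    def tick(self):
        """Every item is handled by the station holding it, then advances one hop downstream."""
        n = len(self.stations)
        outgoing = []
        for item in self.items:
            for out in self._hop(item):
                out.pos = (out.pos + 1) % n
                outgoing.append(out)
        if self._purge:                                # AM discards everything and issues a new token
            outgoing = [Item(pos=(self.am + 1) % n, ac=0)]
            self._purge = False
        self.items = outgoing
        frames = sum(1 for i in self.items if not i.is_token)
        self.max_frames_in_flight = max(self.max_frames_in_flight, frames)

    def run(self, ticks):
        for _ in range(ticks):
            self.tick()
        return self


if __name__ == "__main__":
    ring = TokenRing("ABCD", early_token_release=True).send("B", "D", "hello").send("C", "A", "hi")
    ring.run(12)
    print(ring.stations[3].received, ring.stations[0].received, ring.max_frames_in_flight)
```

Running the same traffic with and without early token release shows the difference the text describes: without ETR only one frame is ever on the ring, with ETR the frame from C follows B's frame around while a single token still circulates. Marking a station as not inserted after it has transmitted reproduces the orphaned-frame case the active monitor has to clean up.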
Token Ring was not the only data link layer protocol that used token passing for its media access control method; FDDI uses token passing as well.

System Insertion

Before it could join the ring, a workstation had to complete a five-step insertion procedure that verified the system's capability to function on the network. The five steps were as follows:

1. Media lobe check  The media lobe check tested the network adapter's capability to transmit and receive data and the cable's capability to carry the data to the MAU. With the MAU looping the incoming signal for the system back out through the same cable, the workstation transmitted a series of MAC Lobe Media Test frames to the broadcast address, with the system's own address as the source. Then the system transmitted a MAC Duplication Address Test frame with its own address as both the source and the destination. To proceed to the next step, the system had to successfully transmit 2,047 MAC Lobe Media Test frames and one MAC Duplication Address Test frame. The testing sequence could be repeated only two times before the adapter was considered to have failed.

2. Physical insertion  During the physical insertion process, the workstation sent a phantom voltage (a low-voltage DC signal invisible to any data signals on the cable) up the lobe cable to the MAU to trigger the relay that caused the MAU to add the system into the ring. After doing this, the workstation waited for a sign that an active monitor was present on the network, in the form of either an Active Monitor Present (AMP), Standby Monitor Present (SMP), or Ring Purge frame. If the system did not receive one of these frames within 18 seconds, it initiated a monitor contention process. If the contention process did not complete within one second, or if the workstation became the active monitor (see "Token Ring Monitors" later in this chapter) and initiated a ring purge that did not complete within one second, or if the workstation received a MAC Beacon or Remove Station frame, the connection to the MAU failed to open, and the insertion was unsuccessful.

3. Address verification  The address verification procedure checked to see whether another workstation on the ring had the same address. Because Token Ring supported locally administered addresses (LAAs), it was possible for this to occur. The system generated a series of MAC Duplication Address Test frames like those in step 1, except that these were propagated over the entire network. If no other system was using the same address, the test frames should come back with their Address Recognized (ARI) and Frame Copied (FCI) bits set to 0, at which time the system proceeded to the next step. If the system received two test frames with the ARI and FCI bits set to 1, or if the test frames did not return within 18 seconds, the insertion failed, and the workstation was removed from the ring.

4. Ring poll participation  The system had to successfully participate in a ring poll by receiving an AMP or SMP frame with the ARI and FCI bits set to 0, changing those bits to 1, and transmitting its own SMP frame. If the workstation did not receive an AMP or SMP frame within 18 seconds, the insertion failed, and the workstation was removed from the ring.

5. Request initialization  The workstation transmitted four MAC Request Initialization frames to the functional address of the network's ring parameter server. If the system received the frames back with the ARI and FCI bits set to 0, indicating that there was no functioning ring parameter server, the system's network adapter used its default values, and the initialization (as well as the entire system insertion) was deemed successful. If the system received one of its frames with the ARI and FCI bits set to 1 (indicating that a ring parameter server had received the frame), it waited two seconds for a response. If there was no response, the system retried up to four times, after which the initialization failed, and the workstation was removed from the ring.
System States

During its normal functions, a Token Ring system entered three different operational states, which were as follows:

1. Repeat  While in the repeat state, the workstation transmitted all the data arriving at its receive port to the next downstream node. When the workstation had a packet of its own queued for transmission, it modified the token bit in the frame's access control byte to a value of 1 and entered the transmit state. At the same time, the token holding timer (THT), which allowed the system 8.9 ms of transmission time, was reset to zero.

2. Transmit  Once in the transmit state, the workstation transmitted a single frame onto the network and released the token. After successfully transmitting the frame, the workstation transmitted idle fill (a sequence of ones) until it returned to the repeat state. If the system received a Beacon, Ring Purge, or Claim Token MAC frame while it was transmitting, it interrupted the transmission and sent an Abort Delimiter frame to clear the ring.

3. Stripping  At the same time that a workstation's transmit port was in the transmit state, its receive port was in the stripping state. As the transmitted data returned to the workstation after traversing the ring, the system stripped it from the network so that it would not circulate endlessly. Once the system detected the end delimiter field on the receive port, it knew that the frame had been completely stripped and returned to the repeat state. If the 8.9 ms THT expired before the end delimiter arrived, the system recorded a lost frame error for later transmission in a Soft Error Report frame before returning to the repeat state.
Token Ring Monitors

Every Token Ring network had a system that functioned as the active monitor, which was responsible for ensuring the proper performance of the network. The active monitor did not have any special programming or hardware; it was simply elected to the role by a process called monitor contention. All of the other systems on the network then functioned as standby monitors, ready to take over should the computer functioning as the active monitor fail. The functions of the active monitor were as follows:

• Transmit Active Monitor Present frames  Every seven seconds, the active monitor (AM) transmitted an Active Monitor Present MAC frame that initiated the ring polling process.

• Monitor ring polling  The AM had to receive either an Active Monitor Present or Standby Monitor Present frame from the node immediately upstream of it within seven seconds of initiating a ring polling procedure. If the required frame did not arrive, the AM recorded a ring polling error.

• Provide master clocking  The AM generated a master clock signal that the other workstations on the network used to synchronize their clocks. This ensured that all the systems on the network knew when each transmitted bit began and ended. This also reduced network jitter, the small amount of phase shift that tended to occur on the network as the nodes repeated the transmitted data.

• Provide a latency buffer  In the case of a small ring, it was possible for a workstation to begin transmitting a token and to receive the first bits on its receive port before it had finished transmitting. The AM prevented this by introducing a propagation delay of at least 24 bits (called a latency buffer), which ensured that the token circulated around the network properly.

NOTE A latency buffer is also known as fixed latency.

• Monitor the token-passing process  The active monitor had to receive a good token every 10 milliseconds, which ensured that the token-passing mechanism was functioning properly. If a workstation raised the token priority and failed to lower it, or failed to completely strip its packet from the ring, the AM detected the problem and remedied it by purging the ring and generating a new token. Every node, on receiving a Ring Purge MAC frame from the AM, stopped what it was doing, reset its timers, and entered bit repeat mode in preparation for receipt of a new packet.
Ring Polling

Ring polling was the process by which each node on a Token Ring network identified its nearest active upstream neighbor (NAUN). The workstations used this information during the beaconing process to isolate the location of a network fault.

The ring-polling process was initiated by the active monitor when it transmitted an Active Monitor Present (AMP) MAC frame. This frame contained an Address Recognized bit and a Frame Copied bit, both with a value of 0. The first system downstream of the AM received the frame and changed the ARI and FCI bits to 1. The receiving system also recorded the address of the sending system as its NAUN and then transmitted a Standby Monitor Present (SMP) frame of its own, again with both bits at 0. Because the first station to receive a poll frame always changed the values of those two bits, a system receiving a frame with zero-valued ARI and FCI bits knew that the sender was its nearest active upstream neighbor.

Beaconing

When a station on a Token Ring network failed to detect a signal on its receive port, it assumed that there was a fault in the network and initiated a process called beaconing. The system broadcast MAC Beacon frames to the entire network every 20 milliseconds (without capturing a token) until the receive signal commenced again. Each station transmitting beacon frames was saying, in essence, that a problem existed with its nearest active upstream neighbor, because it was not receiving a signal. If the NAUN began beaconing also, this indicated that the problem was farther upstream. By noting which stations on the network were beaconing, it was possible to isolate the malfunctioning system or cable segment. There were four types of MAC Beacon frames, as follows:

• Set Recovery Mode (priority 1)  The Set Recovery Mode frame was rarely seen because it was not transmitted by a workstation's Token Ring adapter. This frame was used only during a recovery process initiated by an attached network management product.

• Signal Loss (priority 2)  The Signal Loss frame was generated when a monitor contention process failed because of a timeout and the system entered the contention transmit mode because of a failure to receive any signal from the active monitor. The presence of this frame on the network usually indicated that a cable break or a hardware failure had occurred.

• Streaming Signal, Not Claim Token (priority 3)  The Streaming Signal, Not Claim Token frame was generated when a monitor contention process failed because of a timeout and the system had received no MAC Claim Token frames during the contention period. The system had received a clock signal from the active monitor, however, or the Signal Loss frame would have been generated instead.

• Streaming Signal, Claim Token (priority 4)  The Streaming Signal, Claim Token frame was generated when a monitor contention process failed because of a timeout and the system had received MAC Claim Token frames during the contention period. This frame was usually an indication of a transient problem caused by a cable that was too long or by signal interference caused by environmental noise.

When a system suspected that it might be the cause of the network problem resulting in beaconing, it removed itself from the ring to see whether the problem disappeared. If the system transmitted beacon frames for more than 26 seconds, it performed a beacon transmit auto-removal test. If the system received eight consecutive beacon frames that named it as the NAUN of a beaconing system downstream, it performed a beacon receive auto-removal test.
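The following Python model is an added example, not the book's code, that runs a ring poll to give every inserted station its NAUN, then uses the resulting table to isolate a fault from the set of beaconing stations (including the case where the NAUN is beaconing too, which pushes the fault further upstream), and finishes with the beacon receive auto-removal described above. Station names and the failing cable are constructed; the adapter's self-test on removal is reduced to simply leaving the ring.

```python
"""Ring polling (NAUN discovery) and beacon fault isolation (added example, not from the book)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Station:
    addr: str
    inserted: bool = True
    naun: Optional[str] = None      # nearest active upstream neighbor, learned from ring polling
    beacons_naming_me: int = 0      # consecutive beacon frames that name this station as NAUN


class Ring:
    def __init__(self, addrs, am_index=0):
        self.stations = [Station(a) for a in addrs]
        self.am_index = am_index

    def by_addr(self, addr):
        return next(s for s in self.stations if s.addr == addr)

    def downstream_of(self, index):
        """Inserted stations in ring order, starting just after index and ending with index itself."""
        n = len(self.stations)
        return [self.stations[(index + k) % n] for k in range(1, n + 1)
                if self.stations[(index + k) % n].inserted]

    def ring_poll(self):
        """AM sends AMP with ARI=FCI=0. Each station that sees a poll frame with both bits
        clear records the sender as its NAUN, sets the bits, and sends its own SMP with the
        bits clear again; stations that see the bits already set just repeat the frame.
        Returns the NAUN table, the AM included (it learns its NAUN from the last SMP)."""
        poll = {"type": "AMP", "src": self.stations[self.am_index].addr, "ari": 0, "fci": 0}
        for st in self.downstream_of(self.am_index):
            if poll["ari"] == 0 and poll["fci"] == 0:
                st.naun = poll["src"]
                poll["ari"] = poll["fci"] = 1
                poll = {"type": "SMP", "src": st.addr, "ari": 0, "fci": 0}
        return {s.addr: s.naun for s in self.stations if s.inserted}

    def signal_loss_after(self, upstream_addr):
        """A break on the cable leaving upstream_addr: the next inserted station downstream
        loses its receive signal and starts beaconing. Returns (beaconer, NAUN it names)."""
        idx = self.stations.index(self.by_addr(upstream_addr))
        beaconer = self.downstream_of(idx)[0]
        return (beaconer.addr, beaconer.naun)

    def receive_beacons(self, beacons, count=8):
        """Deliver count consecutive beacon frames from each beaconer. The station each one
        names as NAUN performs the beacon receive auto-removal test after eight frames,
        modelled here as leaving the ring. Returns the addresses that removed themselves."""
        removed = []
        for _beaconer, naun in beacons:
            st = self.by_addr(naun)
            st.beacons_naming_me += count
            if st.beacons_naming_me >= 8 and st.inserted:
                st.inserted = False
                removed.append(st.addr)
        return removed


def isolate_fault(beacons):
    """From (beaconing station, NAUN) pairs, return the fault domains as (upstream, downstream):
    a beaconer whose NAUN is itself beaconing only tells us the fault is further upstream, so the
    fault lies between each beaconer whose NAUN is silent and that NAUN."""
    beaconing = {b for b, _ in beacons}
    return [(naun, b) for b, naun in beacons if naun not in beaconing]


if __name__ == "__main__":
    ring = Ring("ABCD")
    print(ring.ring_poll())                       # every station's NAUN
    beacon = ring.signal_loss_after("C")          # cable C -> D breaks, D beacons naming C
    print(isolate_fault([beacon]))                # fault domain (C, D)
    print(ring.receive_beacons([beacon]))         # C removes itself after 8 beacons
    print(ring.ring_poll())                       # D's NAUN is now B
```

Once C has removed itself the MAU port drops back to loopback, so the next ring poll shows D learning B as its new NAUN, which is exactly the table an operator would compare against the wiring records to find the failed lobe.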
Token Ring Frames

Four different types of frames were used on Token Ring networks, unlike Ethernet networks, which had one single frame format. The data frame type was the only one that actually carried the data generated by upper-layer protocols, while the command frame type performed ring maintenance and control procedures. The token frame type was a separate construction used only to arbitrate media access, and the abort delimiter frame type was used only when certain types of errors occurred.

The Data Frame

Token Ring data frames carried the information generated by upper-layer protocols in a standard logical link control (LLC) protocol data unit (PDU), as defined in the IEEE 802.2 document. Table 12-1 describes the fields that made up the frame and their functions.

Table 12-1 Token Ring Data Frames and Their Functions

The Command Frame

Command frames, also called MAC frames, differed from data frames only in the information field and sometimes the frame control field. MAC frames did not use an LLC header; instead, they contained a PDU consisting of 2 bytes that indicated the length of the control information to follow, a 2-byte major vector ID that specified the control function of the frame, and a variable number of bytes containing the control information itself.

MAC frames performed ring maintenance and control functions only. They never carried upper-layer data, and they were never propagated beyond the local ring by bridges, switches, or routers.

The Token Frame

The token frame was extremely simple, consisting of only three 1-byte fields: the start delimiter, access control, and end delimiter fields. In a free token the token bit in the access control field had a value of 0; a station claiming the token set it to 1, which turned the token into the start of the station's frame. The delimiter fields took the same form as in the data and command frames.

The Abort Delimiter Frame

The abort delimiter frame consisted only of the start delimiter and the end delimiter fields, using the same format as the equivalent fields in the data and command frames. This frame type was used primarily when an unusual event occurred, such as when the transmission of a packet was interrupted and ended prematurely. When this happened, the transmitting station sent an abort delimiter frame that flushed out the ring, removing all the improperly transmitted data and preparing it for the next transmission.
Token Ring Errors

The IEEE 802.5 standard defined a number of soft error types that systems on the network could report, using MAC frames, to the workstation functioning as the ring error monitor. When a Token Ring adapter detected a soft error, it began a two-second countdown, during which it waited to see whether other errors occurred. After the two seconds, the system sent a Soft Error Report frame to the address of the ring error monitor. There were several types of soft errors detectable by Token Ring systems, as shown next:

• Burst error  A burst error occurred when a system detected five half-bit times (that is, two and a half bit times) that lacked the clock transition in the middle of the bit called for by the Differential Manchester encoding system. This type of error was typically caused by noise on the cable resulting from faulty hardware or some other environmental influence.

• Line error  A line error occurred when a workstation received a frame that had an error detection bit in the end delimiter field with a value of 1, either because of a CRC error in the frame check sequence or because a bit violating the Differential Manchester encoding system was detected in any field other than the start delimiter and end delimiter. A network with noise problems would typically have one line error for every ten burst errors.

• Lost frame error  A lost frame error occurred when a system transmitted a frame and failed to receive it back within the four milliseconds allotted by the return to repeat timer (RRT). This error could be caused by excessive noise on the network.

• Token error  A token error occurred when the active monitor's ten-millisecond valid transmission timer (VTX) expired without the receipt of a frame and the AM had to generate a new token; this was often caused by excessive noise on the network.

• Internal error  An internal error occurred when a system detected a parity error during direct memory access (DMA) between the network adapter and the computer.

• Frequency error  A frequency error occurred when a standby monitor system received a signal that differed from the expected frequency by more than a given amount.

• AC error  An AC error occurred when a system received two consecutive ring-polling frames with the ARI and FCI bits set to 0, in which the first frame was an AMP or an SMP and the second frame was an SMP.

• FC error  A Frame Copied error occurred when a system received a unicast MAC frame with the ARI bit set to 1, indicating either a noise problem or a duplicate address on the network.

• Abort delimiter transmitted error  An abort delimiter transmitted error occurred when a network condition caused a workstation to stop transmitting in the middle of a frame and to generate an abort delimiter frame.

• Receive congestion error  A receive congestion error occurred when a system received a unicast frame but had no available buffer space to store the packet because it was being overwhelmed by incoming frames.
FDDI

Appearing first in the late 1980s and defined in standards developed by the American National Standards Institute (ANSI) X3T9.5 committee, Fiber Distributed Data Interface (FDDI, pronounced "fiddy") was the first 100 Mbps data link layer protocol to achieve popular use.

At the time of FDDI's introduction, 10 Mbps thick and thin Ethernet were the dominant LAN technologies, and FDDI represented a major step forward in speed. In addition, the use of fiber-optic cable provided dramatic increases in packet size, network segment length, and the number of workstations supported. FDDI packets can carry up to 4,500 bytes of data (compared to 1,500 for Ethernet), and, under certain conditions, a network can consist of up to 100 km of cable, supporting up to 500 workstations. These improvements, in combination with fiber optics' complete resistance to the effects of electromagnetic interference, make it an excellent protocol for connecting distant workstations and networks, even those in different buildings. As a result, FDDI originally became known primarily as a backbone protocol, a role for which it is admirably suited. While it was originally designed to run on fiber-optic cables, FDDI can also run on copper cables using electrical signals.

Because of its use as a backbone protocol, products such as bridges and routers that connect Ethernet networks to FDDI backbones are common. FDDI is completely different from Ethernet, and the two network types can be connected only by using a device such as a router or a translation bridge that is designed to provide an interface between different networks. This protocol is reliable because FDDI networks have two counter-rotating rings that back each other up. That is, should one ring fail to function, the system provides an alternative method of sending data.

FDDI Topology

FDDI is a token-passing protocol like Token Ring that uses either a double-ring or a star topology. Unlike Token Ring, in which the ring topology is logical and not physical, the original FDDI specification called for the systems to actually be cabled in a ring topology. In this case, however, it is a double ring. The double ring (also called a trunk ring) consists of two separate rings, a primary and a secondary, with traffic running in opposite directions to provide fault tolerance. The circumference of the double ring can be up to 100 km, and workstations can be up to 2 km apart.

Workstations connected to both rings are called dual attachment stations (DASs). If a cable should break or a workstation should malfunction, traffic is diverted to the secondary ring, which runs in the opposite direction, enabling it to access any other system on the network using the secondary path. An FDDI network operating in this state is called a wrapped ring. Figure 12-4 shows a properly functioning FDDI dual-ring network and a wrapped ring.

Figure 12-4 The FDDI double ring, functioning normally on the left and wrapped on the right

If a second cable break should occur, the network is then divided into two separate rings, and network communications are interrupted. A wrapped ring is inherently less efficient than the fully functional double ring because of the additional distance that the traffic must travel and is, therefore, meant to be a temporary measure only until the fault is repaired.
FDDI can also use a star topology in which workstations are attached to a hub, called a dual attachment concentrator (DAC). The hub can either stand alone or be connected to a double ring, forming what is sometimes called a dual ring of trees. Workstations connected to the hub are single attachment stations (SASs); they are connected only to the primary ring and cannot take advantage of the secondary ring's wrapping capabilities. The FDDI specifications define four types of ports used to connect workstations to the network:

• A  DAS port on the trunk ring (primary ring in, secondary ring out)
• B  DAS port on the trunk ring (primary ring out, secondary ring in)
• M  DAC port for connection to an SAS
• S  SAS connection to an M port in a concentrator

Table 12-2 describes the various types of connections using the four types of FDDI ports.

Table 12-2 FDDI Connection Types

DASs and DACs have both A and B ports to connect them to a double ring. Signals from the primary ring enter through the A port and exit from the B port, while signals from the secondary ring enter through B and exit through A. An SAS has a single S port, which connects it to the primary ring only, through an M port on a DAC.

NOTE The 500 workstation and 100 km network-length limitations are based on the use of DAS computers. An FDDI network composed only of SAS machines can be up to 200 km long and support up to 1,000 workstations.

DAS computers that are attached directly to the double ring function as repeaters; they regenerate the signals as they pass each packet along to the rest of the network. When a system is turned off, however, it does not pass the packets along, and the network wraps, unless the station is equipped with a bypass switch. A bypass switch, implemented either as part of the network interface adapter or as a separate device, enables incoming signals to pass through the station and on to the rest of the network, but it does not regenerate them. On a fiber-optic network, this is the equivalent of opening a window to let the sunlight into a room instead of turning on an electric light. As with any network medium, the signal has a tendency to attenuate if it is not regenerated. If too many adjacent systems are not repeating the packets, the signals can weaken to the point at which stations can't read them.

The DAC functions much like a Token Ring MAU in that it implements a logical ring while using a physical star topology. Connecting a DAC to a double ring extends the primary ring to each connected workstation and back, as shown in Figure 12-5. Notice that while the DAC is connected to both the primary and secondary rings, the M ports connect only the primary ring to the workstations. Thus, while the DAC itself takes advantage of the double ring's fault tolerance, a break in the cable connecting a workstation to the DAC severs the workstation from the network. However, the DAC is capable of dynamically removing a malfunctioning station from the ring (again, like a Token Ring MAU) so that the problem affects only the single workstation and not the entire ring.

Figure 12-5 DACs connected to the double ring provide multiple SAS connections.

It is sometimes possible to connect a DAS to two DAC ports to provide a standby link to the hub if the active link fails. This is called dual homing. However, this is different from connecting the DAS directly to the double ring, because both the A and B ports on the workstation are connected to M ports on the hub. M ports are connected only to the primary ring, so a dual-homed system simply has a backup connection to the primary ring, not a connection to both rings.

Cascading hubs are permitted on an FDDI network. This means you can plug one DAC into an M port of another DAC to extend the network. There is no limit to the number of layers, as long as you observe the maximum number of workstations permitted on the ring. It is also possible to create a two-station ring by connecting the S ports on two SAS computers or by connecting an S port to either the A or B port of a DAS. Some FDDI adapters may require special configuration to do this.
FDDI Subsystems

The functionality of the FDDI protocol is broken down into four distinct layers, as follows:

• Physical media dependent (PMD)  Prepares data for transmission over a specific type of network medium
• Physical (PHY)  Encodes and decodes the packet data into a format suitable for transmission over the network medium and is responsible for maintaining the clock synchronization on the ring
• Media access control (MAC)  Constructs FDDI packets by applying the frame containing addressing, scheduling, and routing data, and then negotiates access to the network medium
• Station management (SMT)  Provides management functions for the FDDI ring, including insertion and removal of the workstation from the ring, fault detection and reconfiguration, neighbor identification, and statistics monitoring

The FDDI standards consist of separate documents for each of these layers, as well as separate specifications for some of the options at certain layers. The operations performed at each layer are discussed in the following sections.

The Physical Media Dependent Layer

The physical media dependent layer is responsible for the mechanics involved in transmitting data over a particular type of network medium. The FDDI standards define two physical layer options, as follows.

Fiber-Optic

The Fiber-PMD standards define the use of either single-mode or multimode fiber-optic cable, as well as the operating characteristics of the other components involved in producing the signals, including the optical power sources, photodetectors, transceivers, and medium interface connectors. For example, the optical power sources must be able to transmit a 25-microwatt signal, while the photodetectors must be capable of reading a 2-microwatt signal.

The 2 km maximum distance between FDDI stations cited earlier is for multimode fiber; with single-mode cable, runs of 40 km to 60 km between workstations are possible. There is also a low-cost multimode fiber cable standard, called LCF-PMD, that allows only 500 meters between workstations. All of these fiber cables use the same wavelength (1300 nm), so it's possible to mix them on the same network, as long as you adhere to the cabling guidelines of the least capable cable in use.

Twisted-Pair

The TP-PMD standard, sometimes called the Copper Distributed Data Interface (CDDI, pronounced "siddy"), calls for the use of either standard Category 5 unshielded twisted-pair or Type 1 shielded twisted-pair cable. In both cases, the maximum distance for a cable run is 100 meters. Twisted-pair cable is typically used for SAS connections to concentrators, while the backbone uses fiber optic. This makes it possible to use inexpensive copper cable for horizontal wiring to the workstations and retain the attributes of fiber optic on the backbone without the need to bridge or route between FDDI and Ethernet. CDDI never gained wide acceptance in the marketplace, probably because of the introduction of Fast Ethernet at approximately the same time.

The Physical Layer

While the PMD layer defines the characteristics of specific media types, the PHY layer is implemented in the network interface adapter's chipset and provides a media-independent interface to the MAC layer above it. In the original FDDI standards, the PHY layer is responsible for the encoding and decoding of the packets constructed by the MAC layer into the signals that are transmitted over the cable. FDDI uses a signaling scheme called Non-Return to Zero Inverted (NRZI) with 4B/5B block coding, which is substantially more efficient than the Manchester and Differential Manchester schemes used by Ethernet and Token Ring, respectively: 4B/5B carries four data bits in every five line bits (80 percent efficiency), whereas the Manchester schemes spend two line states on every data bit (50 percent).

The TP-PMD standard, however, calls for a different signaling scheme, Multi-Level Transition (MLT-3), which uses three signal levels instead of the two used by NRZI 4B/5B. Both of these schemes provide the signal needed to synchronize the clocks of the transmitting and receiving workstations.
The Media Access Control Layer
The MAC layer accepts protocol data units (PDUs) of up to 9,000 bytes from the network layer protocol and constructs packets up to 4,500 bytes in size by encapsulating the data within a FDDI frame. This layer is also responsible for negotiating access to the network medium by claiming and generating tokens.
Data Frames
Most of the packets transmitted by a FDDI station are data frames. A data frame can carry network layer protocol data, MAC data used in the token claiming and beaconing processes, or station management data.
FDDI frames contain information encoded into symbols. A symbol is a 5-bit binary string that the NRZI 4B/5B signaling scheme uses to transmit a 4-bit value. Thus, two symbols are equivalent to 1 byte. This encoding provides values for the 16 hexadecimal data symbols, 8 control symbols that are used for special functions (some of which are defined in the frame format that follows), and 8 violation symbols that FDDI does not use. Table 12-3 lists the symbols used by FDDI and the 5-bit binary sequences used to represent them.
Table 12-3 FDDI Symbol Values
Figure 12-6 shows the format of a FDDI data frame. The functions of the frame fields are as follows:
• Preamble (PA), 8 bytes Contains a minimum of 16 symbols of idle, that is, alternating 0s and 1s, which the other systems on the network use to synchronize their clocks, after which they are discarded.
• Starting Delimiter (SD), 1 byte Contains the symbols J and K, which indicate the beginning of the frame.
• Frame Control (FC), 1 byte Contains two symbols that indicate what kind of data is found in the INFO field. Some of the most common values are as follows:
    • 40 (Void frame) Contains nothing but I symbols; used to reset timers during initialization.
    • 41, 4F (Station Management [SMT] frame) Indicates that the INFO field contains an SMT PDU, which is composed of an SMT header and SMT information.
    • C2, C3 (MAC frame) Indicates that the frame is either a MAC Claim frame (C2) or a MAC Beacon frame (C3). These frames are used to recover from abnormal occurrences in the token-passing process, such as failure to receive a token or failure to receive any data at all.
    • 50, 51 (LLC frame) Indicates that the INFO field contains a standard IEEE 802.2 LLC frame. FDDI packets carrying application data use logical link control (LLC) frames.
    • 60 (implementer frame) These frames are defined by the user of the network or vendor.
    • 70 (reserved frame) These frames are reserved for future use.
• Destination Address (DA), 6 bytes Specifies the MAC address of the system on the network that will next receive the frame or a group or broadcast address.
• Source Address (SA), 6 bytes Specifies the MAC address of the system sending the packet.
• Data (INFO), variable Contains network layer protocol data, an SMT header and data, or MAC data, depending on the function of the frame, as specified in the FC field.
• Frame Check Sequence (FCS), 4 bytes Contains a cyclic redundancy check value, generated by the sending system, that will be recomputed at the destination and compared with this value to verify that the packet has not been damaged in transit.
• Ending Delimiter (ED), 4 bits Contains a single T symbol indicating that the frame is complete.
• End of Frame Sequence (FS), 12 bits Contains three indicators that can have either the value R (Reset) or the value S (Set). All three have the value R when the frame is first transmitted and may be modified by intermediate systems when they retransmit the packet. The functions of the three indicators are as follows:
    • E (Error) Indicates that the system has detected an error, either in the FCS or in the frame format. Any system receiving a frame with a value of S for this indicator immediately discards the frame.
    • A (Acknowledge) Indicates that the system has determined that the frame's destination address applies to itself, because the DA field contains either the MAC address of the system or a broadcast address.
    • C (Copy) Indicates that the system has successfully copied the contents of the frame into its buffers. Under normal conditions, the A and C indicators are set together; a frame in which the A indicator is set and C is not indicates that the frame could not be copied to the system's buffers. This is most likely because of the system having been overwhelmed with traffic.
Figure 12-6 The FDDI data frame
Token Passing
FDDI uses token passing as its media access control mechanism, like the Token Ring protocol. A special packet called a token circulates around the network, and only the system in possession of the token is permitted to transmit its data. The optional feature called early token release on a Token Ring network, in which a system transmits a new token immediately after it finishes transmitting its last packet, is standard on a FDDI network. FDDI systems can also transmit multiple packets before releasing the token to the next station. When a packet has traversed the entire ring and returned to the system that originally created it, that system removes the token from the ring to prevent it from circulating endlessly.
Figure 12-7 shows the format of the token frame. The functions of the fields are as follows:
• Preamble (PA), 8 bytes Contains a minimum of 16 symbols of idle, that is, alternating 0s and 1s, which the other systems on the network use to synchronize their clocks, after which they are discarded
• Starting Delimiter (SD), 1 byte Contains the symbols J and K, which indicate the beginning of the frame
• Frame Control (FC), 1 byte Contains two symbols that indicate the function of the frame, using the following hexadecimal values:
    • 80 (Nonrestricted Token)
    • C0 (Restricted Token)
• Ending Delimiter (ED), 1 byte Contains two T symbols indicating that the frame is complete
Figure 12-7 The FDDI token frame
FDDI is a deterministic network protocol. By multiplying the number of systems on the network by the amount of time needed to transmit a packet, you can calculate the maximum amount of time it can take for a system to receive the token. This is called the target token rotation time. FDDI networks typically run in asynchronous ring mode, in which any computer can transmit data when it receives the token. Some FDDI products can also run in synchronous ring mode, which enables administrators to allocate a portion of the network's total bandwidth to a system or group of systems. All of the other computers on the network run asynchronously and contend for the remaining bandwidth in the normal manner.
The Station Management Layer
Unlike Ethernet and most other data link layer protocols, FDDI has network management and monitoring capabilities integrated into it and was designed around these capabilities. The SMT layer is responsible for ring maintenance and diagnostics operations on the network, such as the following:
• Station initialization
• Station insertion and removal
• Connection management
• Configuration management
• Fault isolation and recovery
• Scheduling policies
• Statistics collection
A computer can contain more than one FDDI adapter, and each adapter has its own PMD, PHY, and MAC layer implementations, but there is only one SMT implementation for the entire system. SMT messages are carried within standard FDDI data frames with a value of 41 or 4F in the frame control field. In station management frames, the INFO field of the FDDI data frame contains an SMT PDU, which is composed of an SMT header and an SMT info field. Figure 12-8 shows the format of the SMT PDU. The functions of the fields are as follows:
• Frame Class, 1 byte Specifies the function of the message, using the following values:
    • 01 (Neighbor Information Frame [NIF]) FDDI stations transmit periodic announcements of their MAC addresses, which enable the systems on the network to determine their upstream neighbor addresses (UNAs) and their downstream neighbor addresses (DNAs). This is known as the Neighbor Notification Protocol. Network monitoring products can also use these messages to create a map of the FDDI ring.
    • 02 (Status Information Frame-Configuration [SIF-Cfg]) Used to request and provide a system's configuration information for purposes of fault isolation, ring mapping, and statistics monitoring.
    • 03 (Status Information Frame-Operation [SIF-Opr]) Used to request and provide a system's operation information for purposes of fault isolation, ring mapping, and statistics monitoring.
    • 04 (Echo Frame) Used for SMT-to-SMT loopback testing between FDDI systems.
    • 05 (Resource Allocation Frame [RAF]) Used to implement network policies, such as the allocation of synchronous bandwidth.
    • 06 (Request Denied Frame [RDF]) Used to deny a request issued by another station because of an unsupported Version ID value or a length error.
    • 07 (Status Report Frame [SRF]) Used to report a station's status to network administrators when specific conditions occur, much like an SNMP trap. Some of these conditions are as follows:
        • Frame Error Condition Indicates the occurrence of an unusually high number of frame errors
        • LER Condition Indicates the occurrence of link errors on a port above a specified limit
        • Duplicate Address Condition Indicates that the system or its upstream neighbor is using a duplicate address
        • Peer Wrap Condition Indicates that a DAS is operating in wrapped mode—in other words, that it is diverting data from the primary ring to the secondary because of a cable break or other error
        • Hold Condition Indicates that the system is in a holding-prm or holding-sec state
        • Not Copied Condition Indicates that the system's buffers are overwhelmed and that packets are being repeated without being copied into the buffers
        • EB Error Condition Indicates the presence of an elasticity buffer error on any port
        • MAC Path Change Indicates that the current path has changed for any of the system's MAC addresses
        • Port Path Change Indicates that the current path has changed for any of the system's ports
        • MAC Neighbor Change Indicates a change in either the upstream or downstream neighbor address
        • Undesirable Connection Indicates the occurrence of an undesirable connection to the system
    • 08 (Parameter Management Frame-Get [PMF-Get]) Provides the means to look at management information base (MIB) attributes on remote systems.
    • 09 (Parameter Management Frame-Set [PMF-Set]) Provides the means to set values for certain MIB attributes on remote systems.
    • FF (Extended Service Frame [ESF]) Intended for use when defining new SMT services.
• Frame Type, 1 byte Indicates the type of message contained in the frame, using the following values:
    • 01 Announcement
    • 02 Request
    • 03 Response
• Version ID, 2 bytes Specifies the structure of the SMT Info field, using the following values:
    • 0001 Indicates the use of a version lower than 7.x
    • 0002 Indicates the use of version 7.x
• Transaction ID, 4 bytes Contains a value used to associate request and response messages.
• Station ID, 8 bytes Contains a unique identifier for the station, consisting of two user-definable bytes and the 6-byte MAC address of the network interface adapter.
• Pad, 2 bytes Contains two bytes with a value of 00 that bring the overall size of the header to 32 bytes.
• Info Field Length, 2 bytes Specifies the length of the SMT Info field.
• SMT Info, variable Contains one or more parameters, each of which is composed of the following subfields:
    • Parameter Type, 2 bytes Specifies the function of the parameter. The first of the two bytes indicates the parameter's class, using the following values:
        • 00 General parameters
        • 10 SMT parameters
        • 20 MAC parameters
        • 32 PATH parameters
        • 40 PORT parameters
    • Parameter Length, 2 bytes Specifies the total length of the Resource Index and Parameter Value fields.
    • Resource Index, 4 bytes Identifies the MAC, PATH, or PORT object that the parameter is describing.
    • Parameter Value, variable Contains the actual parameter information.
Figure 12-8 The FDDI station management layer PDU format
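The SMT PDU layout above, parsed and validated in code. This is an added example, not the book's code or any FDDI vendor's implementation; it assumes big-endian fields, takes the frame class, frame type and parameter class codes from the field list above, and constructs its own sample PDU (the parameter types 0x2001 and 0x1002 and the MAC address are made up). It rejects the two conditions the text says a station answers with a Request Denied Frame: an unsupported Version ID and a length error.

```python
"""Parse a FDDI SMT PDU: the header fields listed above followed by the
SMT Info parameter list (Parameter Type, Parameter Length, Resource Index,
Parameter Value)."""
import struct

# Code values from the field list above.
FRAME_CLASSES = {
    0x01: "NIF", 0x02: "SIF-Cfg", 0x03: "SIF-Opr", 0x04: "Echo", 0x05: "RAF",
    0x06: "RDF", 0x07: "SRF", 0x08: "PMF-Get", 0x09: "PMF-Set", 0xFF: "ESF",
}
FRAME_TYPES = {0x01: "Announcement", 0x02: "Request", 0x03: "Response"}
PARAM_CLASSES = {0x00: "General", 0x10: "SMT", 0x20: "MAC", 0x32: "PATH", 0x40: "PORT"}
SUPPORTED_VERSIONS = {0x0001, 0x0002}

# Frame Class(1) Frame Type(1) Version ID(2) Transaction ID(4) Station ID(8)
# Pad(2) Info Field Length(2); multi-byte fields big-endian (an assumption).
HEADER = struct.Struct(">BBHI8sHH")


class SmtFormatError(ValueError):
    """The two conditions the text says a station answers with an RDF:
    an unsupported Version ID or a length error."""


def parse_smt_pdu(pdu: bytes) -> dict:
    if len(pdu) < HEADER.size:
        raise SmtFormatError("PDU shorter than the SMT header")
    fclass, ftype, version, txid, station, _pad, info_len = HEADER.unpack_from(pdu)
    if version not in SUPPORTED_VERSIONS:
        raise SmtFormatError(f"unsupported Version ID {version:#06x}")
    info = pdu[HEADER.size:]
    if info_len != len(info):
        raise SmtFormatError(f"Info Field Length {info_len} but {len(info)} bytes present")
    params = []
    pos = 0
    while pos < len(info):
        if pos + 4 > len(info):
            raise SmtFormatError("truncated parameter header")
        ptype, plen = struct.unpack_from(">HH", info, pos)
        pos += 4
        # Parameter Length covers the 4-byte Resource Index plus the value.
        if plen < 4 or pos + plen > len(info):
            raise SmtFormatError(f"parameter {ptype:#06x}: length {plen} overruns Info field")
        res_index = struct.unpack_from(">I", info, pos)[0]
        params.append({
            "type": ptype,
            "class": PARAM_CLASSES.get(ptype >> 8, "unknown"),  # first byte = class
            "resource_index": res_index,
            "value": info[pos + 4:pos + plen],
        })
        pos += plen
    return {
        "frame_class": FRAME_CLASSES.get(fclass, "unknown"),
        "frame_type": FRAME_TYPES.get(ftype, "unknown"),
        "version_id": version,
        "transaction_id": txid,
        "station_id": station.hex(),
        "mac_address": station[2:].hex(":"),  # Station ID = 2 user bytes + MAC
        "parameters": params,
    }


def is_rejected(pdu: bytes) -> bool:
    """True when the PDU would be refused with a Request Denied Frame."""
    try:
        parse_smt_pdu(pdu)
    except SmtFormatError:
        return True
    return False


def build_param(ptype: int, res_index: int, value: bytes) -> bytes:
    return struct.pack(">HHI", ptype, 4 + len(value), res_index) + value


def build_smt_pdu(fclass, ftype, version, txid, station_id, params) -> bytes:
    info = b"".join(params)
    return HEADER.pack(fclass, ftype, version, txid, station_id, 0, len(info)) + info


# Constructed sample: a NIF announcement from a station whose Station ID wraps
# a made-up MAC address. The parameter types 0x2001 and 0x1002 are invented
# for the example; only their class byte (MAC, SMT) is meaningful here.
SAMPLE_STATION_ID = bytes.fromhex("0000" + "00005e005301")
SAMPLE_PDU = build_smt_pdu(0x01, 0x01, 0x0002, 0x12345678, SAMPLE_STATION_ID, [
    build_param(0x2001, 1, bytes.fromhex("00005e005301")),
    build_param(0x1002, 0, b"\x00\x02"),
])

if __name__ == "__main__":
    parsed = parse_smt_pdu(SAMPLE_PDU)
    print(parsed["frame_class"], parsed["frame_type"], parsed["mac_address"])
    for p in parsed["parameters"]:
        print(f"  {p['class']:<7} type={p['type']:#06x} idx={p['resource_index']} value={p['value'].hex()}")
    print("truncated PDU rejected:", is_rejected(SAMPLE_PDU[:-1]))
```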
A FDDI system uses SMT messages to insert itself into the ring when it is powered up. The procedure consists of several steps, in which it initializes the ring and tests the link to the network. Then the system initiates its connection to the ring using a claim token, which determines whether a token already exists on the network. If a token frame already exists, the claim token configures it to include the newly initialized system in the token's path. If no token is detected, all of the systems on the network generate claim frames, which enable the systems to determine the value for the token rotation time and determine which system should generate the token.
Because of the SMT header's size and the number of functions performed by SMT messages, the control overhead on a FDDI network is high, relative to other protocols.
PART IV
Network Systems
CHAPTER 13 TCP/IP
CHAPTER 14 Other TCP/IP Protocols
CHAPTER 15 The Domain Name System
CHAPTER 16 Internet Services
CHAPTER 13
TCP/IP
Since its inception in the 1970s, the TCP/IP protocol suite has evolved into the industry standard for data transfer protocols at the network and transport layers of the Open Systems Interconnection (OSI) model. In addition, the suite includes myriad other protocols that operate as low as the data link layer and as high as the application layer.
Operating systems tend to simplify the appearance of the network protocol stack to make it more comprehensible to the average user. On a Windows workstation, for example, you install Transmission Control Protocol/Internet Protocol (TCP/IP) by selecting a single module called a protocol, but this process actually installs support for a whole family of protocols, of which TCP and IP are only two. Understanding how the individual TCP/IP protocols function and how they work together to provide communication services is an essential part of administering a TCP/IP network.
TCP/IP Attributes
There are several reasons why TCP/IP is the protocol suite of choice on the majority of data networks, not the least of which is that these are the protocols used on the Internet. TCP/IP was designed to support the fledgling Internet (then called the ARPANET) at a time before the introduction of the PC when interoperability between computing products made by different manufacturers was all but unheard of. The Internet was, and is, composed of many different types of computers, and what was needed was a suite of protocols that would be common to all of them.
The main element that sets TCP/IP apart from the other suites of protocols that provide network and transport layer services is its self-contained addressing mechanism. Every device on a TCP/IP network is assigned an IP address (or sometimes more than one) that uniquely identifies it to the other systems. Devices today use network interface adapters that have unique identifiers (MAC addresses) hard-coded into them, which makes the IP address redundant. Other types of computers have identifiers assigned by network administrators, however, and no mechanism exists to ensure that another system on a worldwide internetwork such as the Internet does not use the same identifier.
Because IP addresses are registered by a centralized body, you can be certain that no two (properly configured) machines on the Internet have the same address. Because of this addressing, the TCP/IP protocols can support virtually any hardware or software platform in use today. The IPX protocols will always be associated primarily with Novell NetWare, and NetBEUI is used almost exclusively on Microsoft Windows networks. TCP/IP, however, is truly universal in its platform interoperability, supported by all and dominated by none.
Another unique aspect of the TCP/IP protocols is the method by which their standards are designed, refined, and ratified. Rather than relying on an institutionalized standards-making body like the Institute of Electrical and Electronics Engineers (IEEE), the TCP/IP protocols are developed in a democratic manner by an ad hoc group of volunteers who communicate largely through the Internet. Anyone who is interested enough to contribute to the development of a protocol is welcome. In addition, the standards themselves are published by a body called the Internet Engineering Task Force (IETF) and are released to the public domain, making them accessible and reproducible by anyone. Standards like those published by the IEEE are available, but until very recently, you had to pay hundreds of dollars to purchase an official copy of an IEEE standard like the 802.3 document on which Ethernet is based. On the other hand, you can legally download any of the TCP/IP standards, called requests for comments (RFCs), from the IETF's website at www.ietf.org/ or from any number of other Internet sites.
The TCP/IP protocols are also extremely scalable. As evidence of this, consider that these protocols were designed at a time when the ARPANET was essentially an exclusive club for scientists and academics and no one in their wildest dreams imagined that the protocols they were creating would be used on a network the size of the Internet as it exists today. The main factor limiting the growth of the Internet is the 32-bit size of the IP address space itself, and a newer version of the IP protocol, called IPv6, addresses that shortcoming with a 128-bit address space. By September 30, 2014, all U.S. government agencies must update their public networks to this version.
NOTE For more information about IPv6, see Chapter 14.
TCP/IP Architecture
TCP/IP is designed to support networks of almost any practical size. As a result, TCP/IP must be able to provide the services needed by the applications using it without being overly profligate in its expenditure of network bandwidth and other resources. To accommodate the needs of specific applications and functions within those applications, TCP/IP uses multiple protocols in combination to provide the quality of service required for the task and no more.
The TCP/IP Protocol Stack
TCP/IP predates the OSI reference model, but its protocols break down into four layers that can be roughly equated to the seven-layer OSI stack, as shown in Figure 13-1.
Figure 13-1 The TCP/IP protocols have their own protocol stack that contains only four layers.
On LANs, the link layer functionality is not defined by a TCP/IP protocol but by the standard data link layer protocols, such as Ethernet and Token Ring. To reconcile the MAC address supplied by a network interface adapter with the IP address used at the network layer, systems use a TCP/IP protocol called the Address Resolution Protocol (ARP). However, the TCP/IP standards do define the two protocols most commonly used to establish link layer communications using modems and other direct connections. These are the Point-to-Point Protocol (PPP) and the Serial Line Internet Protocol (SLIP).
At the Internet layer is the Internet Protocol (IP), which is the primary carrier for all of the protocols operating at the upper layers, and the Internet Control Message Protocol (ICMP), which TCP/IP systems use for diagnostics and error reporting. IP, as a general carrier protocol, is connectionless and unreliable because services such as error correction and guaranteed delivery are supplied at the transport layer when required.
Two protocols operate at the transport layer: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP is connection-oriented and reliable, while UDP is connectionless and unreliable. An application uses one or the other, depending on its requirements and the services already provided for it at the other layers.
The transport layer can, in some ways, be said to encompass the OSI session layer as well as the transport layer in the OSI model, but not in every case. Windows systems, for example, can use TCP/IP to carry the NetBIOS messages they use for their file and printer-sharing activities, and NetBIOS still provides the same session layer functionality as when a system uses NetBEUI or IPX instead of TCP/IP. This is just one illustration of how the layers of the TCP/IP protocol stack are roughly equivalent to those of the OSI model, but not definitively so. Both of these models are pedagogical and diagnostic tools more than they are guidelines for protocol development and deployment, and they do not hold up to strict comparisons of the various layers' functions with actual protocols.
The application layer is the most difficult to define because the protocols operating there can be fully realized, self-contained applications in themselves, such as the File Transfer Protocol (FTP), or mechanisms used by other applications to perform a service, such as the Domain Name System (DNS) and the Simple Mail Transfer Protocol (SMTP).
IP Versions
Currently, two versions of IP are being used. The next several sections in this chapter discuss the older version, IPv4, that is, IP version 4. Initially published in the early 1980s, this version did not anticipate the growth of the Internet nor the millions of mobile devices in use today. While such enhancements as Classless Inter-Domain Routing (CIDR) and Network Address Translators (NATs) forestalled the issue for a time, the dramatic increase in the use of smartphones, tablets, and other such devices created the demand for more IP address availability. (See the sections discussing these enhancements later in this chapter.)
In the 1990s, IPv6 was established and created 128-bit address fields in the IP packet header rather than the 32-bit addresses present in IPv4. In this manner, each time a single bit is added, the number of possible addresses doubles. However, as discussed in Chapter 14, this latest version does not solve all of the issues with IP addresses. Table 13-1 shows some of the differences between IPv4 and IPv6.
Table 13-1 Some Differences Between IPv4 and IPv6
IPv4 Addressing
The IPv4 addresses used to identify systems on a TCP/IP network were the single most definitive feature of the protocol suite. The IP address is an absolute identifier of both the individual machine and the network on which it resides. Every IP datagram packet transmitted over a TCP/IP network contains the IP addresses of the source system that generated it and the destination system for which it is intended in its IP header. While Ethernet and Token Ring systems have a unique hardware address coded into the network interface card, there is no inherent method to effectively route traffic to an individual system on a large network using this address.
A NIC's hardware address is composed of a prefix that identifies the manufacturer of the card and a node address that is unique among all the cards built by that manufacturer. The manufacturer prefix is useless, as far as routing traffic is concerned, because any one manufacturer's cards can be scattered around the network literally at random. To deliver network packets to a specific machine, a master list of all of the systems on the network and their hardware addresses would be needed. On a network the size of the Internet, this would obviously be impractical. By identifying the network on which a system is located, IP addresses can be routed to the proper location using a relatively manageable list of network addresses, not a list of individual system addresses.
IP addresses are 32 bits long and are notated as four 8-bit decimal numbers separated by periods, as in 192.168.2.45. This is known as dotted decimal notation; each of the 8-bit numbers is sometimes called an octet or a quad. (These terms were originally used because there are computers for which the more common term byte does not equal 8 bits.) Because each quad is the decimal equivalent of an 8-bit binary number, their possible values run from 0 to 255. Thus, the full range of possible IP addresses is 0.0.0.0 to 255.255.255.255.
IP addresses do not represent computers per se; rather, they represent network interfaces. A computer with two network interface cards has two IP addresses. A system with two or more interfaces is said to be multihomed. If the interfaces connect the computer to different networks and the system is configured to pass traffic between the networks, the system is said to function as a router.
NOTE A router can be a standard computer with two network interfaces and software that provides routing capabilities, or it can be a dedicated hardware device designed specifically for routing network traffic. At times, the TCP/IP standards refer to routers of any kind as gateways, while standard networking terminology defines a gateway as being an application layer device that forwards traffic between networks that use different protocols, as in an e-mail gateway. Do not confuse the two.
Every IP address contains bits that identify a network and bits that identify an interface (called a host) on that network. To reference a network, systems use just the network bits, replacing the host bits with zeros. Routers use the network bits to forward packets to another router connected to the destination network, which then transmits the data to the destination host system.
Subnet Masking
IP addresses always dedicate some of their bits to the network identifier and some to the host identifier, but the number of bits used for each purpose is not always the same. Many common addresses use 24 bits for the network and 8 for the host, but the split between the network and host bits can be anywhere in the address. To identify which bits are used for each purpose, every TCP/IP system has a subnet mask along with its IP address. A subnet mask is a 32-bit binary number in which the bits correspond to those of the IP address. A bit with a 1 value in the mask indicates that the corresponding bit in the IP address is part of the network identifier, while a 0 bit indicates that the corresponding address bit is part of the host identifier. As with an IP address, the subnet mask is expressed in dotted decimal notation, so although it may look something like an IP address, the mask has a completely different function.
As an example, consider a system with the following TCP/IP configuration:
    IP address: 192.168.2.45
    Subnet mask: 255.255.255.0
In this case, the 192.168.2 portion of the IP address identifies the network, while the 45 identifies the host. When expressed in decimal form, this may appear confusing, but the binary equivalents are as follows:
    IP address:  11000000 10101000 00000010 00101101
    Subnet mask: 11111111 11111111 11111111 00000000
As you can see in this example, the dividing line between the network and host bits lies between the third and fourth quads. The dividing line need not fall between quads, however. A subnet mask of 255.255.240.0 allocates 12 bits for the host address because the binary equivalent of the mask is as follows:
    11111111 11111111 11110000 00000000
The dividing line between the network and host bits can fall anywhere in the 32 bits of the mask, but you never see network bits mixed up with host bits. A clear line always separates the network bits on the left from the host bits on the right.
IP Address Registration
For IP addresses to uniquely identify the systems on the network, it is essential that no two interfaces be assigned the same address. On a private network, the administrators must ensure that every address is unique. They can do this by manually tracking the addresses assigned to their networks and hosts, or they can use a service like the Dynamic Host Configuration Protocol (DHCP) to assign the addresses automatically.
On the Internet, however, this problem is considerably more complicated. With individual administrators controlling thousands of different networks, not only is it impractical to assume that they can get together and make sure that no addresses are duplicated, but no worldwide service exists that can assign addresses automatically. Instead, there must be a clearinghouse or registry for IP address assignments that ensures no addresses are duplicated.
Even this task is monumental, however, because millions of systems are connected to the Internet. In fact, such a registry exists, but instead of assigning individual host addresses to each system, it assigns network addresses to companies and organizations. The organization charged with registering network addresses for the Internet is called the Internet Assigned Numbers Authority (IANA). After an organization obtains a network address, the administrator is solely responsible for assigning unique host addresses to the machines on that network.
NOTE The IANA maintains a website at www.iana.org.
This two-tiered system of administration is one of the basic organizational principles of the Internet. Domain name registration works the same way. An independent domain registry registers domain names to organizations and individuals, and the individual administrators of those domains are responsible for assigning names in those domains to their hosts.
IP Address Classes
The IANA registers several different classes of network addresses, which differ in their subnet masks, that is, the number of bits used to represent the network and the host. Table 13-2 summarizes these address classes.
Table 13-2 IPv4 Address Classes
The idea behind the different classes was to create networks of varying sizes suitable for different organizations and applications. A company building a relatively small network can register a Class C address that, because the addresses have only 8 host bits, supports up to 254 systems, while larger organizations can use Class B or A addresses with 16 or 24 host bits and create subnets out of them. You create subnets by "borrowing" some of the host bits and using them to create subnetwork identifiers, essentially networks within a network.
The surest way to identify the class of a particular address is to look at the value of the first quad. Class A addresses always had a 0 as their first bit, which means that the binary values for the first quad range from 00000000 to 01111111, which translates into the decimal values 0 through 127. In the same way, Class B addresses always had 10 as their first two bits, providing first quad values of 10000000 to 10111111, or 128 to 191. Class C addresses had 110 as their first three bits, so the first quad can range from 11000000 to 11011111, or 192 to 223.
The IP address class determined the boundary between the host and the network addresses.
In practice, network addresses are not registered with the IANA directly by the companies and organizations running the individual networks. Instead, companies in the business of providing Internet access, called Internet service providers (ISPs), register multiple networks and supply blocks of addresses to clients as needed.
Class D addresses are not intended for allocation in blocks like the other classes. This part of the address space is allocated for multicast addresses. Multicast addresses represent groups of systems that have a common attribute but that are not necessarily located in the same place or even administered by the same organization. For example, packets sent to the multicast address 224.0.0.1 are processed by all of the routers on the local subnet.
Unregistered IP Addresses
IP address registration is designed for networks connected to the Internet with computers that must be accessible from other networks. When you register a network address, no one else is permitted to use it, and the routers on the Internet have the information needed to forward packets to your network. For a private network that is not connected to the Internet, it is not necessary to register network addresses. In addition, most business networks connected to the Internet use some sort of firewall product to prevent intruders from accessing their networks from outside. In nearly all cases, there is no real need for every system on a network to be directly accessible from the Internet, and there is a genuine danger in doing so. Many firewall products, therefore, isolate the systems on the network, making registered IP addresses unnecessary.
For a network that is completely isolated from the Internet, administrators can use any IP addresses they want, as long as there are no duplicates on the same network. If any of the network's computers connect to the Internet by any means, however, there is potential for a conflict between an internal address and the system on the Internet for which the address was registered. If, for example, you happened to assign one of your network systems the same address as a Microsoft web server, a user on your network attempting to access Microsoft's site may reach the internal machine with the same address instead.
To prevent these conflicts, RFC 1918, "Address Allocation for Private Internets," specified three address ranges intended for use on unregistered networks, as shown here. These addresses were not assigned to any registered network and could, therefore, be used by any organization, public or private.
• Class A 10.0.0.0 through 10.255.255.255
• Class B 172.16.0.0 through 172.31.255.255
• Class C 192.168.0.0 through 192.168.255.255
Using unregistered IP addresses not only simplified the process of obtaining and assigning addresses to network systems, it also conserved the registered IP addresses for use by systems that actually needed them for direct Internet communications. As with many design decisions in the computer field, no one expected at the time of its inception that the Internet would grow to be as enormous as it is now. The 32-bit address space for the IP protocol was thought to be big enough to support all future growth (as was the original 640 KB memory limitation in PCs).
Special IP Addresses
Aside from the blocks of addresses designated for use by unregistered networks, there were other addresses not allocated to registered networks because they were intended for special purposes. Table 13-3 lists these addresses.
Table 13-3 Special-Purpose IP Addresses
Subnetting
Theoretically, the IP addresses you assign to the systems on your network do not have to correlate exactly to the physical network segments, but in standard practice, it's a good idea if they do. Obviously, an organization that registers a Class B address does not have 65,534 nodes on a single network segment; they have an internetwork composed of many segments, joined by routers, switches, or other devices. To support a multisegment network with a single IP network address, you create subnets corresponding to the physical network segments.
A subnet is simply a subdivision of the network address that you create by taking some of the host identifier bits and using them as a subnet identifier. To do this, you modify the subnet mask on the machines to reflect the borrowed bits as part of the network identifier, instead of the host identifier.
For example, you can subnet a Class B network address by using the third quad, originally intended to be part of the host identifier, as a subnet identifier instead, as shown in Figure 13-2. By changing the subnet mask from 255.255.0.0 to 255.255.255.0, you divide the Class B address into 254 subnets of 254 hosts each. You then assign each of the physical segments on the network a different value for the third quad and number the individual systems using only the fourth quad. The result is that the routers on your network can use the value of the third quad to direct traffic to the appropriate segments.
Figure 13-2 The top example shows a standard Class B address, split into 16-bit network and host identifiers. In the bottom example, the address has been subnetted by borrowing eight of the host bits for use as a subnet identifier.
NOTE The subnet identifier is purely a theoretical construction. To routers and other network systems, an IP address consists only of network and host identifiers, with the subnet bits incorporated into the network identifier.
The previous example demonstrates the most basic type of subnetting, in which the boundaries of the subnet identifier fall between the quads. However, you can use any number of host bits for the subnet identifier and adjust the subnet mask and IP address accordingly. This is called variable mask subnetting. If, for example, you have a Class B address and decide to use 4 host bits for the subnet identifier, you would use a subnet mask with the following binary value:
    11111111 11111111 11110000 00000000
The first 4 bits of the third quad are changed from zeros to ones to indicate that these bits are now part of the network identifier. The decimal equivalent of this number is 255.255.240.0, which is the value you would use for the subnet mask in the system's TCP/IP configuration. By borrowing 4 bits in this way, you can create up to 14 subnets, consisting of 4,094 hosts each. The formula for determining the number of subnets and hosts is as follows:
    2^x - 2
where x equals the number of bits used for the subnet identifier. You subtract 2 to account for identifiers consisting of all zeros and all ones, which are traditionally not used, because the value 255 is used for broadcasts, and the value 0 to represent the network. For this example, therefore, you perform the following calculations:
    2^4 - 2 = 14
    2^12 - 2 = 4,094
NOTE Some TCP/IP implementations are capable of using 0 as a subnet identifier, but you should avoid this practice unless you are certain that all of your routers also support this feature.
To determine the IP addresses you assign to particular systems, you increment the 4 bits of the subnet identifier separately from the 12 bits of the host identifier and convert the results into decimal form. Thus, assuming a Class B network address of 172.16.0.0 with a subnet mask of 255.255.240.0, the first IP address of the first subnet will have the following binary address:
10101100 00010000 00010000 00000001
The first two quads are the binary equivalents of 172 and 16. The third quad consists of the 4-bit subnet identifier, with the value 0001, and the first 4 bits of the 12-bit host identifier. Because this is the first address on this subnet, the value for the host identifier is 000000000001.
Although these 12 bits are incremented as a single unit, when converting the binary values to decimals, you treat each quad separately. Therefore, the value of the third quad (00010000) in decimal form is 16, and the value of the fourth quad (00000001) in decimal form is 1, yielding an IP address of 172.16.16.1.
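The variable mask subnetting calculation above, carried through in code as an added example (not from the book): it derives the mask, the usable subnet and host counts under the 2^x - 2 rule, and the address of any host on any subnet, generalizing the 172.16.0.0 / 255.255.240.0 case. The function names are my own.

```python
# Added worked example (not from the book): variable mask subnetting of a
# Class B address, generalizing the 172.16.0.0 / 255.255.240.0 case in the
# text. Subnet and host numbering follows the book's convention of skipping
# the all-zeros and all-ones identifiers.

import ipaddress

CLASS_B_PREFIX = 16  # a Class B address has a 16-bit network identifier


def subnet_mask(subnet_bits, network_bits=CLASS_B_PREFIX):
    """Dotted-decimal mask with network_bits + subnet_bits leading ones."""
    ones = network_bits + subnet_bits
    if not 0 <= ones <= 32:
        raise ValueError("mask length out of range")
    mask = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def usable_counts(subnet_bits, network_bits=CLASS_B_PREFIX):
    """(subnets, hosts per subnet) by the book's 2^x - 2 rule, which skips
    the all-zeros and all-ones identifiers in both fields."""
    host_bits = 32 - network_bits - subnet_bits
    if subnet_bits < 2 or host_bits < 2:
        raise ValueError("need at least 2 subnet bits and 2 host bits")
    return 2 ** subnet_bits - 2, 2 ** host_bits - 2


def host_address(network, subnet_bits, subnet_no, host_no,
                 network_bits=CLASS_B_PREFIX):
    """Address of host host_no on subnet subnet_no.

    The subnet identifier and the host identifier are incremented as
    separate units; the quad boundaries matter only when converting the
    result to dotted decimal.
    """
    host_bits = 32 - network_bits - subnet_bits
    max_subnet, max_host = usable_counts(subnet_bits, network_bits)
    if not 1 <= subnet_no <= max_subnet:
        raise ValueError("subnet identifier must not be all zeros or all ones")
    if not 1 <= host_no <= max_host:
        raise ValueError("host identifier must not be all zeros or all ones")
    base = int(ipaddress.IPv4Address(network))
    if base & ((1 << (32 - network_bits)) - 1):
        raise ValueError("network address has host bits set")
    value = base | (subnet_no << host_bits) | host_no
    return str(ipaddress.IPv4Address(value))


def binary_quads(address):
    """Render an address as four 8-bit groups, as in the book's diagrams."""
    return " ".join(f"{b:08b}" for b in ipaddress.IPv4Address(address).packed)


if __name__ == "__main__":
    print(subnet_mask(4))                       # 255.255.240.0
    print(usable_counts(4))                     # (14, 4094)
    print(host_address("172.16.0.0", 4, 1, 1))  # 172.16.16.1
    print(binary_quads("172.16.16.1"))
```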
Fortunately, manually computing the values for your IP addresses isn't necessary when you subnet the network. Utilities are available that enable you to specify a network address and class and then select the number of bits to be used for the subnet identifier. The program then supplies you with the IP addresses for the machines in the individual subnets.
NOTE There are several free IPv4 and IPv6 subnet calculator utilities available. Type free subnet calculator in any search engine.
Ports and Sockets
The IPv4 address makes it possible to route network traffic to a particular system, but once packets arrive at the computer and begin traveling up the protocol stack, they still must be directed to the appropriate application. This is the job of the transport layer protocol, either TCP or UDP. To identify specific processes running on the computer, TCP and UDP use port numbers that are included in every TCP and UDP header. Typically, the port number identifies the application layer protocol that generated the data carried in the packet.
The port numbers permanently assigned to specific services, which are called well-known ports, are standardized by the Internet Assigned Numbers Authority (IANA) and published in the "Assigned Numbers" RFC (RFC 1700). Every TCP/IP system has a file called Services that contains a list of the most common well-known port numbers and the services to which they are assigned.
For example, the IP header of a DNS query message contains the IP address of a DNS server in its Destination Address field. Once the packet has arrived at the destination, the receiving computer sees that the UDP header's Destination Port field contains the well-known port value 53. The system then knows to pass the message to the service using port number 53, which is the DNS service.
NOTE The port number assignments for the TCP and UDP protocols are separate. Although not typical, it is possible for a service to use different port numbers for TCP and UDP and for the same port number to be assigned to a different service for each protocol.
The combination of an IP address and a port number is known as a socket. The uniform resource locator (URL) format calls for a socket to be notated with the IP address followed by the port number, separated by a colon, as in 192.168.2.45:80.
Not all port numbers are well known. When a client connects to a well-known service, such as a web server, it uses the well-known port number for that service (which in the case of a web server is 80), but selects the port number that it will use as its Source Port value at random. This is known as an ephemeral port number. The web server, on receiving the packet from the client addressed to port 80, reads the Source Port value and knows to address its reply to the ephemeral port number the client has chosen. To prevent clients from selecting well-known ports for their ephemeral port numbers, all of the well-known port number assignments fall below 1,024, and all ephemeral port numbers must be 1,024 or higher.
TCP/IP Naming
IP addresses are an efficient means of identifying networks and hosts, but when it comes to user interfaces, they are difficult to use and remember. Therefore, the Domain Name System (DNS) was devised to supply friendly names for TCP/IP systems. In a discussion of the network and transport layer TCP/IP protocols, the most important information to remember about DNS names is that they have nothing to do with the actual transmission of data across the network.
Packets are addressed to their destinations using IP addresses only. Whenever a user supplies a DNS name in an application (such as a URL in a web browser), the first thing the system does is initiate a transaction with a DNS server to resolve the name into an IP address. This occurs before the system transmits any traffic at all to the destination system. Once the system has discovered the IP address of the destination, it uses that address in the IP header to send packets to that destination; the DNS name is no longer used after that point.
NOTE The structure of DNS names and the functions of DNS servers are discussed more fully in Chapter 15.
TCP/IP Protocols
The following sections examine some of the major protocols that make up the TCP/IP suite. There are dozens of TCP/IP protocols and standards, but only a few are commonly used by the systems on a TCP/IP network.
SLIP and PPP
The Serial Line Internet Protocol (SLIP) and the Point-to-Point Protocol (PPP) are unique among the TCP/IP protocols because they provide full data link layer functionality. Systems connected to a LAN rely on one of the standard data link layer protocols, such as Ethernet and Token Ring, to control the actual connection to the network. This is because the systems are usually sharing a common medium and must have a MAC mechanism to regulate access to it.
SLIP and PPP were designed for use with direct connections in which there is no need for media access control. Because they connect only two systems, SLIP and PPP are called point-to-point or end-to-end protocols. On a system using SLIP or PPP, the TCP/IP protocols define the workings of the entire protocol stack, except for the physical layer itself, which relies on a hardware standard like that for the RS-232 serial port interface, which provides a connection to the modem.
In most cases, systems use SLIP or PPP to provide Internet or WAN connectivity, whether or not the system is connected to a LAN. Virtually every stand-alone PC that uses a modem to connect to an ISP for Internet access does so using a PPP connection, although a few system types still use SLIP. LANs also use SLIP or PPP connections in their routers to connect to an ISP to provide Internet access to the entire network or to connect to another LAN, forming a WAN connection. Although commonly associated with modem connections, other physical layer technologies can also use SLIP and PPP, including leased lines, ISDN, frame relay, and ATM connections.
SLIP and PPP are connection-oriented protocols that provide a data link between two systems in the simplest sense of the term. They encapsulate IP datagrams for transport between computers, just as Ethernet and Token Ring do, but the frame they use is far simpler. This is because the protocols are not subject to the same problems as the LAN protocols. Because the link consists only of a connection between the two computers, there is no need for a media access control mechanism like CSMA/CD or token passing. Also, there is no problem with addressing the packets to a specific destination; because only two computers are involved in the connection, the data can go to only one place.
SLIP
SLIP was created in the early 1980s to provide the simplest possible solution for transmitting data over serial connections. No official standard defined the protocol, mainly because there is nothing much to standardize and interoperability is not a problem. There is an IETF document, however, called "A Nonstandard for Transmission of IP Datagrams over Serial Lines" (RFC 1055), that defines the functionality of the protocol.
The SLIP frame is simplicity itself. A single 1-byte field with the hexadecimal value c0 serves as an END delimiter, following every IP datagram transmitted over the link. The END character informs the receiving system that the packet currently being transmitted has ended. Some systems also precede each IP datagram with an END character. This way, if any line noise occurs between datagram transmissions, the receiving system treats it as a packet unto itself because it is delimited by two END characters. When the upper-layer protocols attempt to process the noise "packet," they interpret it as gibberish and discard it.
If a datagram contains a byte with the value c0, the system alters it to the 2-byte string db dc before transmission to avoid terminating the packet incorrectly. The db byte is referred to as the ESC (escape) character, which, when coupled with another character, serves a special purpose. If the datagram contains an actual ESC character as part of the data, the system substitutes the string db dd before transmission.
NOTE The ESC character defined by SLIP is not the equivalent of the ASCII ESC character.
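The SLIP framing just described, as an added example (my own code, not the book's or any SLIP implementation): an encoder that applies the db dc / db dd substitutions and a receive-side decoder that splits a byte stream on END characters, including the leading-END behaviour that isolates line noise into a throwaway frame. The sample datagrams are constructed.

```python
# Added example (not from the book): SLIP framing per RFC 1055, with an
# encoder and a receive-side decoder that splits a byte stream on END
# characters. Sample datagrams are constructed for illustration.

END = 0xC0      # frame delimiter
ESC = 0xDB      # escape character (not the ASCII ESC)
ESC_END = 0xDC  # ESC ESC_END stands for a data byte of 0xC0
ESC_ESC = 0xDD  # ESC ESC_ESC stands for a data byte of 0xDB


def slip_encode(datagram, leading_end=True):
    """Escape a datagram and delimit it with END characters.

    leading_end=True sends an END before the datagram as well, so that line
    noise received between datagrams becomes a separate garbage "packet"
    instead of being prepended to real data.
    """
    out = bytearray([END] if leading_end else [])
    for b in datagram:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


def slip_decode(stream):
    """Split a received byte stream into datagrams.

    Returns (datagrams, leftover). Empty frames produced by back-to-back END
    characters are dropped. A frame containing a malformed escape sequence
    is discarded here rather than handed to the upper layer, which would
    reject it as gibberish anyway.
    """
    datagrams = []
    current = bytearray()
    escaped = False
    bad = False
    for b in stream:
        if escaped:
            escaped = False
            if b == ESC_END:
                current.append(END)
            elif b == ESC_ESC:
                current.append(ESC)
            else:
                bad = True        # ESC followed by anything else: corrupt frame
        elif b == ESC:
            escaped = True
        elif b == END:
            if current and not bad:
                datagrams.append(bytes(current))
            current = bytearray()
            bad = False
        else:
            current.append(b)
    if escaped:
        current.append(ESC)       # incomplete escape: keep it for the next read
    leftover = b"" if bad else bytes(current)
    return datagrams, leftover


if __name__ == "__main__":
    sample = bytes([0x45, 0x00, END, 0x01, ESC, 0x02])   # constructed payload
    wire = slip_encode(sample)
    print(wire.hex())
    # noise (7f 7f) between two frames comes out as its own "packet"
    print(slip_decode(wire + b"\x7f\x7f" + slip_encode(b"\x01"))[0])
```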
SLIP Shortcomings
Because of its simplicity, SLIP was easy to implement and added little overhead to data transmissions, but it also lacked features that could make it a more useful protocol. For example, SLIP lacks the capability to supply the IP address of each system to the other, meaning that both systems had to be configured with the IP address of the other. SLIP also had no means of identifying the protocol it carried in its frame, which prevented it from multiplexing network layer protocols (such as IP and IPX) over a single connection. SLIP also had no error-detection or correction capabilities, which left these tasks to the upper-layer protocols, causing greater delays than a data link layer error-detection mechanism would.
PPP
PPP was created as an alternative to SLIP that provided greater functionality, such as the capability to multiplex different network layer protocols and support various authentication protocols. Naturally, the cost of these additional features is a larger header, but PPP still added only a maximum of 8 bytes to a packet (as compared to the 16 bytes needed for an Ethernet frame). Most of the connections to Internet service providers, whether by stand-alone systems or routers, use PPP because it enables the ISP to implement access control measures that protect their networks from intrusion by unauthorized users.
A typical PPP session consists of several connection establishment and termination procedures, using other protocols in addition to the PPP. These procedures are as follows:
• Connection establishment The system initiating the connection uses the Link Control Protocol (LCP) to negotiate communication parameters that the two machines have in common.
• Authentication Although not required, the system may use an authentication protocol such as the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) to negotiate access to the other system.
• Network layer protocol connection establishment For each network layer protocol that the systems use during the session, they perform a separate connection establishment procedure using a Network Control Protocol (NCP) such as the Internet Protocol Control Protocol (IPCP).
Unlike SLIP, PPP is standardized, but the specifications are divided among several different RFCs. Table 13-4 lists the documents for each of the protocols.
Table 13-4 PPP and Related Standards
The PPP Frame
RFC 1661 defined the basic frame used by the PPP protocol to encapsulate other protocols and transmit them to the destination. The frame is small, only 8 (or sometimes 10) bytes, and is illustrated in Figure 13-3.
Figure 13-3 The PPP frame format
The functions of the fields are as follows:
• Flag (1 byte) Contains a hexadecimal value of 7e and functions as a packet delimiter, like SLIP's END character.
• Address (1 byte) Contains a hexadecimal value of ff, indicating the packet is addressed to all stations.
• Control (1 byte) Contains a hexadecimal value of 03, identifying the packet as containing an HDLC unnumbered information message.
• Protocol (2 bytes) Contains a code identifying the protocol that generated the information in the data field. Code values in the 0xxx to 3xxx range are used to identify network layer protocols, values from 4xxx to 7xxx identify low-volume network layer protocols with no corresponding NCP, values from 8xxx to bxxx identify network layer protocols with corresponding NCPs, and values from cxxx to fxxx identify link layer control protocols like LCP and the authentication protocols. The permitted codes, specified in the TCP/IP "Assigned Numbers" document (RFC 1700), include the following:
    • 0021 Uncompressed IP datagram (used when Van Jacobson compression is enabled)
    • 002b Novell IPX datagram
    • 002d IP datagrams with compressed IP and TCP headers (used when Van Jacobson compression is enabled)
    • 002f IP datagrams containing uncompressed TCP data (used when Van Jacobson compression is enabled)
    • 8021 Internet Protocol Control Protocol (IPCP)
    • 802b Novell IPX Control Protocol (IPXCP)
    • c021 Link Control Protocol (LCP)
    • c023 Password Authentication Protocol (PAP)
    • c223 Challenge Handshake Authentication Protocol (CHAP)
• Data and Pad (variable, up to 1,500 bytes) Contains the payload of the packet, up to a default maximum length (called the maximum receive unit [MRU]) of 1,500 bytes. The field may contain meaningless bytes to bring its size up to the MRU.
• Frame Check Sequence (FCS, 2 or 4 bytes) Contains a CRC value calculated on the entire frame, excluding the flag and frame check sequence fields, for error-detection purposes.
• Flag (1 byte) Contains the same value as the flag field at the beginning of the frame. When a system transmits two packets consecutively, one of the flag fields is omitted because two would be mistaken as an empty frame.
Several of the fields in the PPP frame can be modified as a result of LCP negotiations between the two systems, such as the length of the protocol and FCS fields and the MRU for the data field. The systems can agree to use a 1-byte protocol field or a 4-byte FCS field.
The LCP Frame
PPP systems use Link Control Protocol (LCP) to negotiate their capabilities during the connection establishment process so they can achieve the most efficient possible connection. LCP messages are carried within PPP frames and contain configuration options for the connection. Once the two systems agree on a configuration they can both support, the link establishment process continues. By specifying the parameters for the connection during the link establishment process, the systems don't have to include redundant information in the header of every data packet.
Figure 13-4 shows the LCP message format.
Figure 13-4 The LCP message format
The functions of the individual fields are listed here:
• Code (1 byte) Specifies the LCP message type, using the following codes:
    • 1 Configure-Request
    • 2 Configure-Ack
    • 3 Configure-Nak
    • 4 Configure-Reject
    • 5 Terminate-Request
    • 6 Terminate-Ack
    • 7 Code-Reject
    • 8 Protocol-Reject
    • 9 Echo-Request
    • 10 Echo-Reply
    • 11 Discard-Request
• Identifier (1 byte) Contains a code used to associate the request and replies of a particular LCP transaction.
• Length (2 bytes) Specifies the length of the LCP message, including the code, identifier, length, and data fields.
• Data (variable) Contains multiple configuration options, each of which is composed of three subfields.
Each of the options in the LCP message's data field consists of the subfields shown in Figure 13-5. The functions of the subfields are as follows:
• Type (1 byte) Specifies the option to be configured, using a code from the "Assigned Numbers" RFC, as follows:
    • 0 Vendor Specific
    • 1 Maximum Receive Unit
    • 2 Async Control Character Map
    • 3 Authentication Protocol
    • 4 Quality Protocol
    • 5 Magic Number
    • 6 Reserved
    • 7 Protocol Field Compression
    • 8 Address and Control Field Compression
    • 9 FCS Alternatives
    • 10 Self-Describing Pad
    • 11 Numbered Mode
    • 12 Multilink Procedure
    • 13 Callback
    • 14 Connect Time
    • 15 Compound Frames
    • 16 Nominal Data Encapsulation
    • 17 Multilink MRRU
    • 18 Multilink Short Sequence Number Header Format
    • 19 Multilink Endpoint Discriminator
    • 20 Proprietary
    • 21 DCE Identifier
• Length (1 byte) Specifies the length of the LCP message, including the code, identifier, length, and data fields.
• Data (variable) Contains information pertinent to the specific LCP message type, as indicated by the code field.
Figure 13-5 The LCP option format
The LCP protocol is also designed to be extensible. By using a code value of 0, vendors can supply their own options without standardizing them with the IANA, as documented in RFC 2153, "PPP Vendor Extensions."
Authentication Protocols
PPP connections can optionally require authentication to prevent unauthorized access, using an external protocol agreed on during the exchange of LCP configuration messages and encapsulated within PPP frames. Two of the most popular authentication protocols—PAP and CHAP—are defined by TCP/IP specifications, but systems can also use other proprietary protocols developed by individual vendors.
The PAP Frame
PAP is the inherently weaker of the two primary authentication protocols because it uses only a two-way handshake and transmits account names and passwords over the link in clear text. Systems generally use PAP only when they have no other authentication protocols in common. PAP packets have a value of c023 in the PPP header's protocol field and use a message format that is basically the same as LCP, except for the options.
The CHAP Frame
The CHAP protocol is considerably more secure than PAP because it uses a three-way handshake and never transmits account names and passwords in clear text. CHAP packets have a value of c223 in the PPP header's protocol field and use a message format almost identical to PAP's.
The IPCP Frame
PPP systems use Network Control Protocols (NCPs) to negotiate connections for each of the network layer protocols they will use during the session. Before a system can multiplex the traffic generated by different protocols over a single PPP connection, it must establish a connection for each protocol using the appropriate NCPs.
The Internet Protocol Control Protocol (IPCP), which is the NCP for IP, is a good example of the protocol structure. The message format of the NCPs is nearly identical to that of LCP, except that it supports only values 1 through 7 for the code field (the link configuration, link termination, and code reject values) and uses different options in the data field. Like LCP, the messages are carried in PPP frames, but with a value of 8021 in the PPP header's protocol field.
The options that can be included in the data field of an IPCP message use the following values in the type field:
• 2 (IP Compression Protocol) Specifies the protocol the system should use to compress IP headers, for which the only valid option is Van Jacobson compression.
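The PPP frame of Figure 13-3 and the LCP message and option layout of Figures 13-4 and 13-5, built and parsed in code as an added example serving both sections (my own code, not from the book or any PPP stack). The 16-bit FCS is the HDLC/PPP CRC defined in RFC 1662, and the Configure-Request used as input is constructed.

```python
# Added example (not from the book): building and parsing the PPP frame and
# an LCP message carried inside it. The 16-bit FCS is the HDLC/PPP CRC from
# RFC 1662; the sample Configure-Request is constructed for illustration.

import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
PROTO_LCP = 0xC021
FCS_INIT, FCS_GOOD, FCS_POLY = 0xFFFF, 0xF0B8, 0x8408
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
             10: "Echo-Reply", 11: "Discard-Request"}


def fcs16(data, fcs=FCS_INIT):
    """PPP 16-bit frame check sequence (bit-reflected CRC-16, poly 0x1021)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ FCS_POLY if fcs & 1 else fcs >> 1
    return fcs


def build_ppp_frame(protocol, payload):
    """Flag, Address, Control, Protocol, Data, FCS, Flag (nothing compressed)."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + payload
    fcs = fcs16(body) ^ 0xFFFF           # complemented, sent low byte first
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])


def parse_ppp_frame(frame):
    """Return (protocol, payload); raise ValueError on a damaged frame."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag or frame too short")
    body = frame[1:-1]
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control bytes")
    # the CRC run over Address..FCS inclusive yields a fixed "good" value
    # for an undamaged frame (RFC 1662)
    if fcs16(body) != FCS_GOOD:
        raise ValueError("FCS mismatch")
    protocol = struct.unpack("!H", body[2:4])[0]
    return protocol, bytes(body[4:-2])


def frame_is_valid(frame):
    """True if the frame is well formed and its FCS checks out."""
    try:
        parse_ppp_frame(frame)
        return True
    except ValueError:
        return False


def build_lcp(code, identifier, options):
    """options: list of (type, data) pairs, each encoded as type/length/data."""
    data = b"".join(bytes([t, 2 + len(d)]) + d for t, d in options)
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_lcp(message):
    """Return (code name, identifier, [(type, data), ...]); validate lengths."""
    code, identifier, length = struct.unpack("!BBH", message[:4])
    if length != len(message) or code not in LCP_CODES:
        raise ValueError("bad LCP length or code")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = message[pos], message[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("option length runs past message")  # no over-read
        options.append((opt_type, bytes(message[pos + 2:pos + opt_len])))
        pos += opt_len
    return LCP_CODES[code], identifier, options


if __name__ == "__main__":
    # constructed Configure-Request: MRU 1500 (type 1), Magic Number (type 5)
    req = build_lcp(1, 0x2A, [(1, struct.pack("!H", 1500)),
                              (5, b"\x12\x34\x56\x78")])
    frame = build_ppp_frame(PROTO_LCP, req)
    print(frame.hex())
    print(parse_lcp(parse_ppp_frame(frame)[1]))
```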
NOTE Van Jacobson TCP/IP Header Compression is a data compression protocol described in RFC 1144, specifically designed by Van Jacobson to improve TCP/IP performance over slow serial lines. This compression reduces the normal 40-byte TCP/IP packet headers down to 3 to 4 bytes for the average case by saving the state of TCP connections at both ends of a link and sending the differences only in the header fields that change. While this makes a big difference on low-speed lines, it will not do anything about the processing delay inherent to most dial-up modems.
• 3 (IP Address) Used by the transmitting system to request a particular IP address or, if the value is 0.0.0.0, to request that the receiving system supply an address (replaces the type 1 IP Addresses option, which is no longer used).
PPP Connection Establishment
Once the physical layer connection between the two systems has been established, the PPP connection establishment process begins. The two systems pass through several distinct phases during the course of the session, as illustrated in Figure 13-6 and discussed in the following sections.
Figure 13-6 PPP connection phases
Link Dead
Both systems begin and end the session in the Link Dead phase, which indicates that no physical layer connection exists between the two machines. On a typical session, an application or service on one system initiates the physical layer connection. Once the hardware connection process is completed, the systems pass into the Link Establishment phase.
Link Establishment
In the Link Establishment phase, the system initiating the connection transmits an LCP Configure Request message to the destination containing the options it would like to enable, such as the use of specific authentication, link-quality monitoring, and network layer protocols (if any), and whether the systems should modify standard features, such as the size of the FCS field or a different MRU value. If the receiving system can support all the specified options, it replies with a Configure Ack message containing the same option values, and this phase of the connection process is completed.
If the receiving system recognizes the options in the request message but cannot support the values for those options supplied by the sender (such as if the system supports authentication but not with the protocol the sender has specified), it replies with a Configure Nak message containing the options with values it cannot support. With these options, the replying system supplies all the values it does support and also may include other options it would like to see enabled. Using this information, the connecting system generates another Configure Request message containing options it knows are supported, to which the receiver replies with a Configure Ack message.
If the receiving system fails to recognize any of the options in the request, it replies with a Configure Reject message containing only the unrecognized options. The sender then generates a new Configure Request message that does not contain the rejected options, and the procedure continues as previously outlined. Eventually, the systems perform a successful request/acknowledgment exchange, and the connection process moves on to the next phase.
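The Configure Request / Ack / Nak / Reject decision just described, modelled as an added example (my own code, not from the book or any PPP implementation). Option values and the peer's capability table are constructed; the real on-the-wire option encodings are not reproduced, only the negotiation rules, plus a policy hook so the initiator can refuse to be talked down to a value it considers unacceptable, such as clear-text authentication.

```python
# Added example (not from the book): the LCP Configure-Request negotiation
# rules from the Link Establishment section. Option type numbers are those
# of the LCP option list; values and capabilities are constructed.

MRU, AUTH_PROTOCOL, MAGIC_NUMBER, FCS_ALTERNATIVES = 1, 3, 5, 9
PAP, CHAP = 0xC023, 0xC223   # PPP protocol numbers used as Authentication
                              # Protocol option values


def lcp_respond(request, supported):
    """Decide the peer's reply to a Configure-Request.

    request:   {option_type: requested_value}
    supported: {option_type: set of acceptable values}; an option type that
               is absent is one the peer does not recognize at all.
    Returns (reply_code, options), following the rules in the text:
      - any unrecognized option  -> Configure-Reject listing only those
      - recognized but bad value -> Configure-Nak with the values it supports
      - otherwise                -> Configure-Ack echoing the same values
    """
    unrecognized = {t: v for t, v in request.items() if t not in supported}
    if unrecognized:
        return "Configure-Reject", unrecognized
    unacceptable = {t: sorted(supported[t]) for t, v in request.items()
                    if v not in supported[t]}
    if unacceptable:
        return "Configure-Nak", unacceptable
    return "Configure-Ack", dict(request)


def negotiate(request, supported, forbidden=frozenset(), max_rounds=8):
    """Initiator loop: re-issue Configure-Requests until the peer Acks.

    forbidden holds (type, value) pairs the initiator refuses to fall back
    to, e.g. (AUTH_PROTOCOL, PAP) to refuse clear-text authentication.
    Returns (agreed options or None, transcript of the peer's replies).
    """
    request = dict(request)
    transcript = []
    for _ in range(max_rounds):
        code, options = lcp_respond(request, supported)
        transcript.append((code, options))
        if code == "Configure-Ack":
            return options, transcript
        if code == "Configure-Reject":
            for t in options:              # drop what the peer cannot understand
                del request[t]
            continue
        for t, values in options.items():  # Nak: adopt a value the peer offers
            acceptable = [v for v in values if (t, v) not in forbidden]
            if not acceptable:
                return None, transcript    # a downgrade we refuse to take
            request[t] = acceptable[0]
    return None, transcript


if __name__ == "__main__":
    peer = {MRU: {1500, 1492}, AUTH_PROTOCOL: {CHAP}, MAGIC_NUMBER: {0x1234}}
    agreed, log = negotiate({MRU: 9000, AUTH_PROTOCOL: PAP, FCS_ALTERNATIVES: 4}, peer)
    for reply in log:
        print(reply)
    print("agreed:", agreed)
```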
Authentication
The Authentication phase of the connection process is optional and is triggered by the inclusion of the Authentication Protocol option in the LCP Configure Request message. During the LCP link establishment process, the two systems agree on an authentication protocol to use. Use of the PAP and CHAP protocols is common, but other proprietary protocols are available.
The message format and exchange procedures for the Authentication phase are dictated by the selected protocol. In a PAP authentication, for example, the sending system transmits an Authenticate Request message containing an account name and password, and the receiver replies with either an Authenticate Ack or Authenticate Nak message.
CHAP is inherently more secure than PAP and requires a more complex message exchange. The sending system transmits a Challenge message containing data that the receiver uses with its encryption key to compute a value it returns to the sender in a Response message. Depending on whether the value in the response matches the sender's own computations, it transmits a Success or Failure message.
A successful transaction causes the connection procedure to proceed to the next phase, but the effect of a failure is dictated by the implementation of the protocol. Some systems proceed directly to the Link Termination phase in the event of an authentication failure, while others might permit retries or limited network access to a help subsystem.
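The three-way CHAP exchange described above, as an added example (my own code, not the book's). The response value is computed as RFC 1994 specifies, MD5 over the identifier, the shared secret and the challenge; the book's "encryption key" is that shared secret. Names, secrets and the challenge source are constructed, and the example also shows why a fresh challenge per attempt matters: a captured Response cannot be replayed.

```python
# Added example (not from the book): CHAP Challenge -> Response ->
# Success/Failure, with the RFC 1994 MD5 response computation. Secrets and
# names are constructed for illustration.

import hashlib
import hmac
import os

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that sends the Challenge and judges the Response."""

    def __init__(self, secrets, rand=os.urandom):
        self.secrets = secrets        # name -> shared secret (never sent)
        self.rand = rand              # injectable for deterministic tests
        self.pending = {}             # identifier -> outstanding challenge

    def challenge(self, identifier):
        # a fresh, unpredictable challenge per attempt defeats replay of an
        # earlier Response; the identifier ties the Response to this attempt
        value = self.rand(16)
        self.pending[identifier] = value
        return (CHAP_CHALLENGE, identifier, value)

    def verify(self, identifier, name, response):
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return (CHAP_FAILURE, identifier)
        expected = chap_hash(identifier, secret, challenge)
        if hmac.compare_digest(expected, response):      # constant-time compare
            return (CHAP_SUCCESS, identifier)
        return (CHAP_FAILURE, identifier)


class Peer:
    """The side being authenticated; the secret itself never goes on the link."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, message):
        code, identifier, challenge = message
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a Challenge")
        return (CHAP_RESPONSE, identifier, self.name,
                chap_hash(identifier, self.secret, challenge))


def run_chap(authenticator, peer, identifier=7):
    """Run one exchange and return the final code (Success or Failure)."""
    _, ident, name, value = peer.respond(authenticator.challenge(identifier))
    return authenticator.verify(ident, name, value)[0]


def replay_is_rejected(authenticator, peer, identifier=8):
    """A Response captured from one exchange must not succeed a second time."""
    _, ident, name, value = peer.respond(authenticator.challenge(identifier))
    first = authenticator.verify(ident, name, value)[0]
    again = authenticator.verify(ident, name, value)[0]
    return first == CHAP_SUCCESS and again == CHAP_FAILURE


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret-example"})
    print(run_chap(auth, Peer("alice", b"s3cret-example")) == CHAP_SUCCESS)
    print(run_chap(auth, Peer("alice", b"wrong")) == CHAP_FAILURE)
```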
Link Quality Monitoring
The use of a link quality monitoring protocol is also an optional element of the connection process, triggered by the inclusion of the Quality Protocol option in the LCP Configure Request message. Although the option enables the sending system to specify any protocol for this purpose, only one has been standardized, the Link Quality Report protocol. The negotiation process that occurs at this phase enables the systems to agree on an interval at which they should transmit messages containing link traffic and error statistics throughout the session.
Network Layer Protocol Configuration
PPP supports the multiplexing of network layer protocols over a single connection, and during this phase, the systems perform a separate network layer connection establishment procedure for each of the network layer protocols that they have agreed to use during the Link Establishment phase. Each network layer protocol has its own network control protocol (NCP) for this purpose, such as the Internet Protocol Control Protocol (IPCP) or the Internetworking Packet Exchange Control Protocol (IPXCP). The structure of an NCP message exchange is similar to that of LCP, except the options carried in the Configure Request message are unique to the requirements of the protocol. During an IPCP exchange, for example, the systems inform each other of their IP addresses and agree on whether to use Van Jacobson header compression. Other protocols have their own individual needs that the systems negotiate as needed. NCP initialization and termination procedures can also occur at any other time during the connection.
Link Open
Once the individual NCP exchanges are completed, the connection is fully established, and the systems enter the Link Open phase. Network layer protocol data can now travel over the link in either direction.
Link Termination
When one of the systems ends the session or as a result of other conditions such as a physical layer disconnection, an authentication failure, or an inactivity timeout, the systems enter the Link Termination phase. To sever the link, one system transmits an LCP Terminate Request message to which the other system replies with a Terminate Ack. Both systems then return to the Link Dead phase.
NCPs also support the Terminate Request and Terminate Ack messages, but they are intended for use while the PPP connection remains intact. In fact, the PPP connection can remain active even if all of the network layer protocol connections have been terminated. It is unnecessary for systems to terminate the network layer protocol connections before terminating the PPP connection.
ARP
The Address Resolution Protocol (ARP) occupies an unusual place in the TCP/IP suite because it defies all attempts at categorization. Unlike most of the other TCP/IP protocols, ARP messages are not carried within IP datagrams. A separate protocol identifier is defined in the "Assigned Numbers" document that data link layer protocols use to indicate that they contain ARP messages. Because of this, there is some difference of opinion about the layer of the protocol stack to which ARP belongs. Some say ARP is a link layer protocol because it provides a service to IP, while others associate it with the Internet layer because its messages are carried within link layer protocols.
The function of the ARP protocol, as defined in RFC 826, "An Ethernet Address Resolution Protocol," is to reconcile the IP addresses used to identify systems at the upper layers with the hardware addresses at the data link layer. When it requests network resources, a TCP/IP application supplies the destination IP address used in the IP protocol header. The system may discover the IP address using a DNS or NetBIOS name-resolution process, or it may use an address supplied by an operating system or application configuration parameter.
Data link layer protocols such as Ethernet, however, have no use for IP addresses and cannot read the contents of the IP datagram anyway. To transmit the packet to its destination, the data link layer protocol must have the hardware address coded into the destination system's network interface adapter. ARP converts IP addresses into hardware addresses by broadcasting request packets containing the IP address on the local network and waiting for the holder of that IP address to respond with a reply containing the equivalent hardware address.
NOTE ARP was originally developed for use with DIX Ethernet networks, but has been generalized to allow its use with other data link layer protocols.
The biggest difference between IP addresses and hardware addresses is that IP is responsible for the delivery of the packet to its ultimate destination, while an Ethernet implementation is concerned only with delivery to the next stop on the journey. If the packet's destination is on the same network segment as the source, the IP protocol uses ARP to resolve the IP address of the ultimate destination into a hardware address. If, however, the destination is located on another network, the IP protocol will not use ARP to resolve the ultimate destination address (that is, the destination address in the IP header). Instead, it will pass the IP address of the default gateway to the ARP protocol for address resolution.
This is because the data link protocol header must contain the hardware address of the next intermediate stop as its destination, which may well be a router. It is up to that router to forward the packet on the next leg of its journey. Thus, in the course of a single internetwork transmission, many different machines may perform ARP resolutions on the same packet with different results.
ARP Message Format
ARP messages are carried directly within data link layer frames, using 0806 as the Ethertype or SNAP Local Code value to identify the protocol being carried in the packet. There is one format for all of the ARP message types, which is illustrated in Figure 13-7.
Figure 13-7 The ARP message format
ARP Transactions
An ARP transaction occurs when the IP protocol in a TCP/IP system is ready to transmit a datagram over the network. The system knows its own hardware and IP addresses, as well as the IP address of the packet's intended destination. All it lacks is the hardware address of the system on the local network that is to receive the packet. The ARP message exchange proceeds according to the following steps:
1. The transmitting system generates an ARP Request packet containing its own addresses in the Sender Hardware Address and Sender Protocol Address fields. The Target Protocol Address contains the IP address of the system on the local network that is to receive the datagram, while the Target Hardware Address is left blank. Some implementations insert a broadcast address or other value into the Target Hardware Address field of the ARP Request message, but this value is ignored by the recipient because this is the address the protocol is trying to ascertain.
2. The system transmits the ARP Request message as a broadcast to the local network, asking in effect, "Who is using this IP address, and what is your hardware address?"
3. Each TCP/IP system on the local network receives the ARP Request broadcast and examines the contents of the Target Protocol Address field. If the system does not use that address on one of its network interfaces, it silently discards the packet. If the system does use the address, it generates an ARP Reply message in response. The system uses the contents of the request message's Sender Hardware Address and Sender Protocol Address fields as the values for its reply message's Target Hardware Address and Target Protocol Address fields. The system then inserts its own hardware address and IP address into the Sender Hardware Address and Sender Protocol Address fields, respectively.
4. The system using the requested IP address transmits the reply message as a unicast to the original sender. On receipt of the reply, the system that initiated the ARP exchange uses the contents of the Sender Hardware Address field as the Destination Address for the data link layer transmission of the IP datagram.
ARP Caching
Because of its reliance on broadcast transmissions, ARP can generate a significant amount of network traffic. To lessen the burden of the protocol on the network, TCP/IP systems cache the hardware addresses discovered through ARP transactions in memory for a designated period of time. This way, a system transmitting a large string of datagrams to the same host doesn't have to generate individual ARP requests for each packet.
This is particularly helpful in an internetwork environment in which systems routinely transmit the majority of their packets to destinations on other networks. When a network segment has only a single router, all IP datagrams destined for other networks are sent through that router. When systems have the hardware address for that router in the ARP cache, they can transmit the majority of their datagrams without using ARP broadcasts.
The amount of time that entries remain in the ARP cache varies with different TCP/IP implementations. Windows systems purge entries after two minutes when they are not used to transmit additional datagrams.
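The four-step ARP transaction and the ARP cache from the two sections above, simulated in one added example (my own code, not from the book or any operating system). The message layout follows the RFC 826 Ethernet/IPv4 format, which Figure 13-7 shows but the text does not spell out; the MAC and IP addresses and the two-minute lifetime are constructed for the illustration.

```python
# Added example (not from the book): the ARP request/reply exchange and an
# expiring ARP cache. Message layout is the RFC 826 Ethernet/IPv4 format;
# all addresses and the cache lifetime are constructed for illustration.

import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """Encode one ARP message: sender/target hardware and protocol addresses."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)


def parse_arp(msg):
    if len(msg) < 28:
        raise ValueError("ARP message too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", msg[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op,
            "sha": msg[8:14].hex(":"),
            "spa": str(ipaddress.IPv4Address(msg[14:18])),
            "tha": msg[18:24].hex(":"),
            "tpa": str(ipaddress.IPv4Address(msg[24:28]))}


def answer_request(msg, my_mac, my_ips):
    """Step 3: reply only if the Target Protocol Address is one of ours."""
    req = parse_arp(msg)
    if req["op"] != OP_REQUEST or req["tpa"] not in my_ips:
        return None                          # silently discard
    # the requester's sender fields become the reply's target fields
    return build_arp(OP_REPLY, my_mac, req["tpa"], req["sha"], req["spa"])


class ArpCache:
    """Learned hardware addresses, purged after `lifetime` seconds unused."""

    def __init__(self, lifetime=120):
        self.lifetime = lifetime
        self.entries = {}                    # ip -> (mac, last used)

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None or now - hit[1] > self.lifetime:
            self.entries.pop(ip, None)
            return None
        self.entries[ip] = (hit[0], now)     # sending a datagram refreshes it
        return hit[0]

    def learn_from_reply(self, msg, my_ip, now):
        """Step 4: take the Sender Hardware Address from a reply sent to us."""
        rep = parse_arp(msg)
        if rep["op"] != OP_REPLY or rep["tpa"] != my_ip:
            return None                      # not a reply to our request
        self.entries[rep["spa"]] = (rep["sha"], now)
        return rep["sha"]


def demo_exchange(now=0):
    """Run steps 1-4 between two constructed hosts; return what A learned."""
    a_mac, a_ip = "02:00:00:00:00:01", "192.168.2.10"
    b_mac, b_ip = "02:00:00:00:00:02", "192.168.2.45"
    request = build_arp(OP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip)
    reply = answer_request(request, b_mac, {b_ip})          # B answers
    cache = ArpCache()
    learned = cache.learn_from_reply(reply, a_ip, now)      # A caches it
    return {"learned": learned,
            "later": cache.lookup(b_ip, now + 60),          # still cached
            "expired": cache.lookup(b_ip, now + 200)}       # 140 s unused


if __name__ == "__main__":
    print(demo_exchange())
```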
IP
The Internet Protocol (IP), as defined in RFC 791, is the primary carrier protocol for the TCP/IP suite. IP is essentially the envelope that carries the messages generated by most of the other TCP/IP protocols. Operating at the network layer of the OSI model, IP is a connectionless, unreliable protocol that performs several functions that are a critical part of getting packets from the source system to the destination. Among these functions are the following:
• Addressing Identifying the system that will be the ultimate recipient of the packet
• Packaging Encapsulating transport layer data in datagrams for transmission to the destination
• Fragmenting Splitting datagrams into sections small enough for transmission over a network
• Routing Determining the path of the packet through the internetwork to the destination
The following sections examine these functions in more detail.
Addressing
IP is the protocol responsible for the delivery of TCP/IP packets to their ultimate destination. It is vital to understand how this differs from the addressing performed by a data link layer protocol like Ethernet or Token Ring. Data link layer protocols are aware only of the machines on the local network segment. No matter where the packet finally ends up, the destination address in the data link layer protocol header is always that of a machine on a local network.
If the ultimate destination of the packet is a system on another network segment, the data link layer protocol address will point to a router that provides access to that segment. On receipt of the packet, the router strips off the data link layer protocol header and generates a new one containing the address of the packet's next intermediate destination, called a hop. Thus, throughout the packet's journey, the data link protocol header will contain a different destination address for each hop.
The destination address in the IP header, however, always points to the final destination of the packet, regardless of the network on which it's located, and it never changes throughout the journey. IP is the first protocol in the stack (working up from the bottom) to be conscious of the packet's end-to-end journey from source to destination. Most of the protocol's functions revolve around the preparation of the transport layer data for transmission across multiple networks to the destination.
Packaging
IP is also responsible for packaging transport layer protocol data into structures called datagrams for its journey to the destination. During the journey, routers apply a new data link layer protocol header to a datagram for each hop. Before reaching its final destination, a packet may pass through networks using several different data link layer protocols, each of which requires a different header. The IP "envelope," on the other hand, remains intact throughout the entire journey, except for a few bits that are modified along the way, just like a mailing envelope is postmarked.
As it receives data from the transport layer protocol, IP packages it into datagrams of a size suitable for transmission over the local network. A datagram (in most cases) consists of a 20-byte header plus the transport layer data. Figure 13-8 illustrates the header.
Figure 13-8 The IP header format
The functions of the header fields are as follows:
• Version, 4 bits Specifies the version of the IP protocol in use. The value for the current implementation is 4.
• IHL (Internet Header Length), 4 bits Specifies the length of the IP header, in 32-bit words. When the header contains no optional fields, the value is 5.
• TOS (Type of Service), 1 byte Bits 1 through 3 and 8 are unused. Bits 4 through 7 specify the service priority desired for the datagram, using the following values:
    • 0000 Default
    • 0001 Minimize Monetary Cost
    • 0010 Maximize Reliability
    • 0100 Maximize Throughput
    • 1000 Minimize Delay
    • 1111 Maximize Security
• Total Length, 2 bytes Specifies the length of the datagram, including all the header fields and the data.
• Identification, 2 bytes Contains a unique value for each datagram, used by the destination system to reassemble fragments.
• Flags, 3 bits Contains bits used during the datagram fragmentation process, with the following values:
    • Bit 1 Not used.
    • Bit 2 (Don't Fragment) When set to a value of 1, prevents the datagram from being fragmented by any system.
    • Bit 3 (More Fragments) When set to a value of 0, indicates that the last fragment of the datagram has been transmitted. When set to 1, indicates that fragments still await transmission.
• Fragment Offset, 13 bits Specifies the location (in 8-byte units) of the current fragment in the datagram.
• TTL (Time to Live), 1 byte Specifies the number of routers the datagram should be permitted to pass through on its way to the destination. Each router that processes the packet decrements this field by 1. Once the value reaches 0, the packet is discarded, whether or not it has reached the destination.
• Protocol, 1 byte Identifies the protocol that generated the information in the data field, using values found in the "Assigned Numbers" RFC (RFC 1700) and the PROTOCOL file found on every TCP/IP system, some of which are as follows:
    • 1 Internet Control Message Protocol (ICMP)
    • 2 Internet Group Management Protocol (IGMP)
    • 3 Gateway-to-Gateway Protocol (GGP)
    • 6 Transmission Control Protocol (TCP)
    • 8 Exterior Gateway Protocol (EGP)
    • 17 User Datagram Protocol (UDP)
•HeaderChecksum,2bytesContainsachecksumvaluecomputerintheIPheaderfieldsonlyforerror-detectionpurposes.
•SourceIPAddress,4bytesSpecifiestheIPaddressofthesystemfromwhichthedatagramoriginated.
•DestinationIPAddress,4bytesSpecifiestheIPaddressofthesystemthatwillbetheultimaterecipientofthedatagram.
•Options(variable)Cancontainanyof16optionsdefinedinthe“AssignedNumbers”RFC,describedlaterinthissection.
•Data(variable,uptotheMTUfortheconnectednetwork)Containsthepayloadofthedatagram,consistingofdatapasseddownfromatransportlayerprotocol.
Systems use the IP header options to carry additional information, either supplied by the sender or gathered as the packet travels to the destination. Each option is composed of the following fields:
• Option Type (1 byte) Contains a value identifying the option that consists of the following three subfields:
  • Copy Flag (1 bit) When set to a value of 1, indicates the option should be copied to each of the fragments that comprise the datagram.
  • Option Class (2 bits) Contains a code that identifies the option’s basic function, using the following values:
    • 0 Control
    • 2 Debugging and measurement
  • Option Number (5 bits) Contains a unique identifier for the option, as specified in the “Assigned Numbers” RFC.
• Option Length (1 byte) Specifies the total length of the option, including the Option Type, Option Length, and Option Data fields.
• Option Data (Option Length minus 2) Contains the option-specific information being carried to the destination.
Table 13-5 lists some of the options systems can insert into IP datagrams, the values for the option subfields, and the RFCs that define the option’s function. The functions of the options are as follows:
• End of Options List Consisting only of an Option Type field with the value 0, this option marks the end of all the options in an IP header.
• No Operation Consisting only of an Option Type field, systems can use this option to pad out the space between two other options, to force the following option to begin at the boundary between 32-bit words.
• Loose Source Route and Strict Source Route Systems use the Loose Source Route and Strict Source Route options to carry the IP addresses of routers the datagram must pass through on its way to the destination. When a system uses the Loose Source Route option, the datagram can pass through other routers in addition to those listed in the option. The Strict Source Route option defines the entire path of the datagram from the source to the destination.
• Time Stamp This option is designed to hold timestamps generated by one or more systems processing the packet as it travels to its destination. The sending system may supply the IP addresses of the systems that are to add timestamps to the header, enable the systems to save their IP addresses to the header along with the timestamps, or omit the IP addresses of the time-stamping systems entirely. The size of the option is variable to accommodate multiple timestamps, but must be specified when the sender creates the datagram and cannot be enlarged en route to the destination.
• Record Route This option provides the receiving system with a record of all the routers through which the datagram has passed during its journey to the destination. Each router adds its address to the option as it processes the packet.
Table 13-5 IP Header Options
Fragmenting
The size of the IP datagrams used to transmit the transport layer data depends on the data link layer protocol in use. Ethernet networks, for example, can carry datagrams up to 1,500 bytes in size, while Token Ring networks typically support packets as large as 4,500 bytes. The system transmitting the datagram uses the maximum transfer unit (MTU) of the connected network, that is, the largest possible frame that can be transmitted using that data link layer protocol, as one factor in determining how large each datagram should be.
During the course of their journey from the source to the destination, packets may encounter networks with different MTUs. As long as the MTU of each network is larger than the packet, the datagram is transmitted without a problem. If a packet is larger than the MTU of a network, however, it cannot be transmitted in its current form. When this occurs, the IP protocol in the router providing access to the network is responsible for splitting the datagram into fragments smaller than the MTU. The router then transmits each fragment in a separate packet with its own IP header.
Depending on the number and nature of the networks it passes through, a datagram may be fragmented more than once before it reaches the destination. A system might split a datagram into fragments that are themselves too large for networks further along in the path. Another router, therefore, splits the fragments into still smaller fragments. Reassembly of a fragmented datagram takes place only at the destination system after it has received all of the packets containing the fragments, not at the intermediate routers.
NOTE Technically speaking, the datagram is defined as the unit of data, packaged by the source system, containing a specific value in the IP header’s Identification field. When a router fragments a datagram, it uses the same Identification value for each new packet it creates, meaning the individual fragments are collectively known as a datagram. Referring to a single fragment as a datagram is incorrect use of the term.
When a router receives a datagram that must be fragmented, it creates a series of new packets using the same value for the IP header’s Identification field as the original datagram. The other fields of the header are the same as well, with three important exceptions, which are as follows:
• The value of the Total Length field is changed to reflect the size of the fragment, instead of the size of the entire datagram.
• Bit 3 of the Flags field, the More Fragments bit, is changed to a value of 1 to indicate that further fragments are to be transmitted, except in the case of the datagram’s last fragment, in which this bit is set to a value of 0.
• The value of the Fragment Offset field is changed to reflect each fragment’s place in the datagram, based on the size of the fragments (which is, in turn, based on the MTU of the network across which the fragments are to be transmitted). The value for the first fragment is 0; the next is incremented by the size of the fragment, in bytes.
These changes to the IP header are needed for the fragments to be properly reassembled by the destination system. The router transmits the fragments like any other IP packets, and because IP is a connectionless protocol, the individual fragments may take different routes to the destination and arrive in a different order. The receiving system uses the More Fragments bit to determine when it should begin the reassembly process and uses the Fragment Offset field to assemble the fragments in the proper order.
Selecting the size of the fragments is left up to individual IP implementations. Typically, the size of each fragment is the MTU of the network over which it must be transmitted, minus the size of the data link and IP protocol headers, and rounded down to the nearest 8 bytes. Some systems, however, automatically create 576-byte fragments because this is the default path MTU used by many routers.
Fragmentation is not desirable, but it is a necessary evil. Obviously, because fragmenting a datagram creates many packets out of one packet, it increases the control overhead incurred by the transmission process. Also, if one fragment of a datagram is lost or damaged, the entire datagram must be retransmitted. No means of reproducing and retransmitting a single fragment exists because the source system has no knowledge of the fragmentation performed by the intermediate routers. The IP implementation on the destination system does not pass the incoming data up to the transport layer until all the fragments have arrived and been reassembled. The transport layer protocol must therefore detect the missing data and arrange for the retransmission of the datagram.
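The header layout, Header Checksum, and the three fragmentation changes described above, as an added example (not code from the book): it builds a datagram, fragments it the way a router would (including re-fragmenting an already fragmented piece for a smaller MTU), and reassembles it the way a destination does, refusing to deliver while a fragment is missing. The addresses, Identification value, and payload are constructed test data.

```python
import struct
import ipaddress

DF = 0b010  # Don't Fragment: the Flags field's "bit 2" in the list above
MF = 0b001  # More Fragments: "bit 3"


def internet_checksum(data: bytes) -> int:
    """One's-complement sum (RFC 1071); for the Header Checksum it covers the header only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _rewrite(header: bytes, total_len: int, flags_frag: int) -> bytes:
    """Copy a header, changing only Total Length and Flags/Fragment Offset, then recompute the checksum."""
    h = (header[:2] + struct.pack("!H", total_len) + header[4:6] + struct.pack("!H", flags_frag)
         + header[8:10] + b"\x00\x00" + header[12:])
    return h[:10] + struct.pack("!H", internet_checksum(h)) + h[12:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int, flags: int = 0, ttl: int = 64) -> bytes:
    """Datagram with a 20-byte header (IHL=5, no options) and a valid Header Checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident, flags << 13,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _rewrite(hdr, 20 + len(payload), flags << 13) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed fields; checksum_ok is True when the sum over the header (checksum included) is all ones."""
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
            "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": internet_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:total_len]}


def fragment(pkt: bytes, mtu: int) -> list:
    """Router-side fragmentation of a datagram, or of a fragment that is itself too big for the next network."""
    h = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if h["flags"] & DF:
        raise ValueError("DF set: the router must discard the packet instead of fragmenting it")
    ihl, header, payload = h["ihl"], pkt[:h["ihl"]], h["payload"]
    step = (mtu - ihl) // 8 * 8  # data per fragment, rounded down to a multiple of 8 bytes
    if step <= 0:
        raise ValueError("MTU too small to carry any data after the IP header")
    frags = []
    for i in range(0, len(payload), step):
        piece = payload[i:i + step]
        last = i + step >= len(payload)
        more = 0 if (last and not h["flags"] & MF) else MF  # last piece of a middle fragment keeps MF=1
        ff = (((h["flags"] & DF) | more) << 13) | (h["frag_offset"] + i // 8)  # offset counts 8-byte units
        frags.append(_rewrite(header, ihl + len(piece), ff) + piece)
    return frags


def reassemble(frags: list):
    """Destination-side reassembly. Returns None while a fragment is still missing, else the whole datagram."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["frag_offset"])
    ident, data, expected, total = parts[0]["id"], bytearray(), 0, None
    for p in parts:
        if p["id"] != ident or not p["checksum_ok"]:
            raise ValueError("fragment belongs to another datagram or failed its checksum")
        if p["frag_offset"] * 8 != expected:
            return None  # a hole precedes this fragment
        data += p["payload"]
        expected += len(p["payload"])
        if not p["flags"] & MF:
            total = expected  # the MF=0 fragment tells us where the datagram ends
    if total != expected:
        return None  # the final fragment has not arrived yet
    ihl = parts[0]["ihl"]
    return _rewrite(frags[0][:ihl], ihl + len(data), (parts[0]["flags"] & DF) << 13) + bytes(data)
```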
Routing
Because the IP protocol is responsible for the transmission of packets to their final destinations, IP determines the route the packets will take. A packet’s route is the path it takes from one end system, the source, to another end system, the destination. The routers the packet passes through during the trip are called intermediate systems. The fundamental difference between end systems and intermediate systems is how high the packet data reaches in the protocol stack.
On the source computer, a request for access to a network resource begins at the application layer and wends its way down through the layers of the protocol stack, eventually arriving at the physical layer encapsulated in a packet, ready for transmission. When it reaches the destination, the reverse occurs, and the packet is passed up the stack to the application layer. On end systems, therefore, the entire protocol stack participates in the processing of the data. On intermediate systems, such as routers, the data arriving over the network is passed only as high as the network layer protocol, which, in this case, is IP (see Figure 13-9).
Figure 13-9 Packets passing through routers travel no higher than the network layer of the protocol stack.
IP strips off the data link layer protocol header and, after determining where it should send the packet next, prepares it for packaging in a data link layer protocol frame suitable for the outgoing network. This may involve using ARP to resolve the IP address of the packet’s next stop into a hardware address and then furnishing that address to the data link layer protocol.
Routing is a process that occurs one hop of a packet’s journey at a time. The source system transmits the packet to its default gateway (router), and the router determines where to send the packet next. If the final destination is on a network segment to which the router is attached, it sends the packet there. If the destination is on another network, the router determines which of the other routers it should send the packet to in order for it to reach its destination most efficiently. Thus, the next destination for the packet, identified by the destination address in the data link layer protocol, may not be the same system as that specified in the IP header’s Destination IP Address field.
Eventually, one of the routers will have access to the network on which the packet’s final destination system is located and will be able to send it directly to that machine. Using this method, the routing process is distributed among the network’s routers. None of the computers involved in the process has complete knowledge of the packet’s route through the network at any time. This distribution of labor makes huge networks like the Internet possible. No practical method exists for a single system to determine a viable path through the many thousands of routers on the Internet to a specific destination for each packet.
The most complex part of the routing process is the manner in which the router determines where to send each packet next. Routers have direct knowledge only of the network segments to which they are connected. They have no means of unilaterally determining the best route to a particular destination. In most cases, routers gain knowledge about other networks by communicating with other routers using specialized protocols designed for this purpose, such as the Routing Information Protocol (RIP). Each router passes information about itself to the other routers on the networks to which it is connected, those routers update their neighboring routers, and so on.
Regular updates from the neighboring routers enable each system to keep up with changing conditions on the network. If a router should go down, for example, its neighbors will detect its absence and spread the word that the router is unavailable. The other routers will adjust their behavior as needed to ensure that their packets are not sent down a dead-end street.
Routing protocols enable each router to compile a table of networks with the information needed to send packets to that network. Essentially, the table says “send traffic to network x; use interface y,” where y is one of the router’s own network interfaces. Administrators can also manually configure routes through the network. This is called static routing, as opposed to protocol-based configuration, which is called dynamic routing.
On complex networks, there may be several viable routes from a source to a particular destination. Routers continually rate the possible paths through the network, so they can select the shortest, fastest, or easiest route for a packet.
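The hop-by-hop routing described above, as an added example (not code from the book): each router holds a table of the form “send traffic to network x; use interface y,” picks the longest matching prefix (with 0.0.0.0/0 as the default route), decrements TTL, and hands the packet to the next hop, which may differ from the IP destination. The two-router topology, its addresses and the deliberate loop in the default routes are constructed for the demonstration.

```python
import ipaddress


class Router:
    """A router knows its directly connected networks plus the routes it was configured with or told about."""

    def __init__(self, name: str, interfaces: dict):
        self.name = name
        self.interfaces = {iface: ipaddress.ip_interface(cidr) for iface, cidr in interfaces.items()}
        # directly connected networks: deliver on that interface, no next hop needed
        self.routes = [(i.network, iface, None) for iface, i in self.interfaces.items()]

    def add_route(self, network: str, via: str):
        """Static or protocol-learned entry: reach `network` through the neighbour at address `via`."""
        via = ipaddress.ip_address(via)
        iface = next(n for n, i in self.interfaces.items() if via in i.network)
        self.routes.append((ipaddress.ip_network(network), iface, via))

    def lookup(self, dst: str):
        """Longest-prefix match; an entry for 0.0.0.0/0 acts as the default route."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        net, iface, via = max(matches, key=lambda r: r[0].prefixlen)
        # The frame goes to the next hop, or to the host itself when its network is directly attached,
        # so the data link destination need not equal the IP Destination Address.
        return {"network": str(net), "interface": iface,
                "next_hop": str(dst if via is None else via), "direct": via is None}


def forward(routers: list, first_hop: str, dst: str, ttl: int = 64) -> dict:
    """Hop-by-hop forwarding: every router consults only its own table and decrements TTL by 1."""
    by_addr = {i.ip: r for r in routers for i in r.interfaces.values()}
    router, path = by_addr[ipaddress.ip_address(first_hop)], []
    while True:
        ttl -= 1
        if ttl == 0:
            return {"delivered": False, "reason": "TTL exceeded at " + router.name, "path": path}
        hop = router.lookup(dst)
        if hop is None:
            return {"delivered": False, "reason": "no route at " + router.name, "path": path}
        path.append((router.name, hop["interface"], hop["next_hop"]))
        if hop["direct"]:
            return {"delivered": True, "path": path, "ttl": ttl}
        router = by_addr[ipaddress.ip_address(hop["next_hop"])]


def demo_topology() -> list:
    """Constructed network: R1 owns the client LAN, R2 owns the server LAN, joined by a /30 link."""
    r1 = Router("R1", {"eth0": "192.0.2.1/24", "eth1": "10.0.0.1/30"})
    r2 = Router("R2", {"eth0": "10.0.0.2/30", "eth1": "198.51.100.1/24"})
    r1.add_route("0.0.0.0/0", "10.0.0.2")
    r2.add_route("192.0.2.0/24", "10.0.0.1")
    r2.add_route("0.0.0.0/0", "10.0.0.1")  # default pointing back at R1: unknown destinations loop until TTL expires
    return [r1, r2]
```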
CHAPTER 14
Other TCP/IP Protocols
While Internet Protocol version 4 (IPv4) has been the most commonly used, there are many other parts of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols. This chapter discusses other parts of the TCP/IP family as well as other groups or protocol suites encountered in today’s networks.
IPv6
As mentioned in Chapter 13, no one involved in the original design and implementation of the Internet could have predicted its explosive growth. The TCP/IP protocols held up remarkably well over the decades, proving that the scalability features incorporated into them were well designed. However, the single biggest problem with the use of these protocols is the rapid consumption of the address space provided by IPv4, the current version. The last block of IPv4 addresses was allotted by the Internet Assigned Numbers Authority (IANA) in February 2011, so the free pool of IPv4 addresses is now gone.
IP addresses are no longer being used only by computers; cellular phones, tablets, global positioning systems, and other mobile devices need these addresses as well. Anticipating the eventual depletion of the 32-bit address space, work commenced on an upgraded version of IP in 1998, which has resulted in several dozen requests for comments (RFCs), including RFC 2460, “Internet Protocol, Version 6 (IPv6) Specification.” IPv6 does not replace IPv4, which is still used in many applications. This version enhances and solves some of the inherent issues in IPv4.
The primary improvement in IPv6 is the expansion of the address space from 32 to 128 bits. For the near future, this should provide a sufficient number of IP addresses for all devices that can make use of them (which is probably what the designers of IPv4 said when they decided to use 32-bit addresses). In addition to the expanded address space, IPv6 includes the following enhancements:
• Simplified header format IPv6 removes extraneous fields from the protocol header and makes other fields optional to reduce the network traffic overhead generated by the protocol.
• Header extensions IPv6 introduces the concept of extension headers, which are separate, optional headers located between the IP header and its payload. The extension headers contain information that is used only by the end system that is the packet’s final destination. By moving them into extension headers, the intermediate systems don’t have to expend the time and processor clock cycles needed to process them.
• Flow labeling IPv6 enables applications to apply a “flow label” to specific packets in order to request a nonstandard quality of service. This is intended to enable applications that require real-time communications, such as streaming audio and video, to request priority access to the network bandwidth.
• Security extensions IPv6 includes extensions that support authentication, data integrity, and data confidentiality.
IPv6 requires a number of fundamental changes to the hardware and software that make up the network infrastructure, apart from just the adaptation to 128-bit addresses. For example, the operating systems and applications that use IPv6 must also include the IPv6 version of ICMP, defined in RFC 2463. Also, networks that use IPv6 must support a maximum transfer unit value of at least 1,280 bytes. Issues like these complicated the process of transitioning the Internet from IPv4 to IPv6. RFC 1933 defined mechanisms designed to facilitate the transition process, such as support for both IPv4 and IPv6 layers in the same system and the tunneling of IPv6 datagrams within IPv4 datagrams, enabling the existing IPv4 routing infrastructure to carry IPv6 information. These are some of the differences:
• Larger address space The 128-bit addresses in IPv6 allow just over 340 trillion trillion trillion addresses.
• Datagram format The packet header in IPv6 enables more secure and efficient routing.
• Improved reassembly The maximum transmission unit (MTU) is 1,280 bytes in IPv6.
• Better connectivity Under IPv6, every system has a unique IP address and can move through the Internet without any “translators.” Once it is fully implemented, each host can reach every other host directly. However, firewalls and network policies do create some limitations on this connectivity.
IPv6 Addresses
According to RFC 4291, “IP Version 6 Addressing Architecture,” there are three types of identifiers for IPv6 addresses:
• Anycast When using an anycast address, a packet is delivered to one of the interfaces identified by that address.
• Multicast Packets sent to a multicast address in IPv6 are delivered to all interfaces identified by that address. This is the same as IPv4.
• Unicast Packets sent to a unicast address are delivered only to that address.
Unicast Address Types
There are three types of unicast addresses in IPv6: link local, unique local, and global unicast. Each has its own configuration.
Link-Local Address
In this configuration, the autoconfigured IPv6 address starts with FE80, as shown here:
1111 1110 1000 0000 (FE80 in hexadecimal)
with the next 48 bits set to 0.
These addresses are used between IPv6 hosts on a broadcast segment only and are not routable. Thus, a router never forwards the address outside the link.
Unique-Local Address
This type should be used only for local communication, even though it is globally unique. The address is divided between prefix (1111110), local bit (1 bit only), global ID (40 bits), subnet ID (16 bits), and interface ID (64 bits). The prefix is always set to 1111110 (as shown), with the local bit set to 1 if the address is locally assigned. At this time, the local bit has not yet been defined.
Global Unicast Address
Essentially, this is the IPv6 equivalent of IPv4’s public address. In IPv6, these addresses are globally identifiable and uniquely addressable. The most significant 48 bits are designated as the global routing prefix, and the 3 most significant bits of the prefix are always set to 001, as shown in Table 14-1.
Table 14-1 The Global Unicast Address in IPv6
IPv6 Address Structure
All IPv6 addresses are four times longer (128 bits instead of 32 bits) than IPv4 addresses. As discussed in Chapter 13, an IPv4 address contains four octets, each with a decimal value between 0 and 255. A period separates each of the octets. An IPv4 address must include four octets.
Normal IPv6 Addresses
IPv6 addresses have a format that looks like this:
y:y:y:y:y:y:y:y
In this format, each y is called a segment and can be any hexadecimal value between 0 and FFFF. Normal IPv6 addresses require eight segments.
Dual IPv6 Addresses
The dual IPv6 address combines both an IPv6 and an IPv4 address and looks like this:
y:y:y:y:y:y:x.x.x.x
The IPv6 portion is always first, and the segments are separated by colons instead of periods. It must have six segments. The IPv4 portion must contain three periods and four octets.
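The address classes and the dual notation described above, as an added example (not code from the book): the classifier looks at the leading bits exactly as the text lays them out (FE80 plus 48 zero bits, the 1111110 unique-local prefix with its local bit, global ID and subnet ID, and the 001 global unicast prefix), and the dual-form parser enforces six hexadecimal segments followed by four octets. The ff00::/8 multicast prefix comes from RFC 4291 and is not spelled out in the text; the sample addresses are constructed.

```python
import ipaddress


def classify_ipv6(text: str) -> dict:
    """Classify an address by its leading bits, following the prefixes described in the text."""
    addr = ipaddress.IPv6Address(text)
    bits = format(int(addr), "0128b")
    info = {"address": str(addr)}
    if bits[:16] == "1111111010000000" and bits[16:64] == "0" * 48:
        # FE80 followed by 48 zero bits; the low 64 bits are the interface ID
        info.update(type="link-local", interface_id=format(int(bits[64:], 2), "016x"))
    elif bits[:7] == "1111110":
        # prefix (7) | local bit (1) | global ID (40) | subnet ID (16) | interface ID (64)
        info.update(type="unique-local", local_bit=int(bits[7]),
                    global_id=format(int(bits[8:48], 2), "010x"),
                    subnet_id=format(int(bits[48:64], 2), "04x"),
                    interface_id=format(int(bits[64:], 2), "016x"))
    elif bits[:3] == "001":
        # the 48-bit global routing prefix starts with 001
        info.update(type="global-unicast", routing_prefix=format(int(bits[:48], 2), "012x"))
    elif bits[:8] == "11111111":
        info["type"] = "multicast"  # ff00::/8 per RFC 4291 (assumption beyond the text above)
    else:
        info["type"] = "other"  # e.g. ::1 (loopback) or :: (unspecified)
    return info


def parse_dual(text: str) -> ipaddress.IPv6Address:
    """Validate the dual y:y:y:y:y:y:x.x.x.x form: six hex segments, then a dotted-quad IPv4 part."""
    head, _, v4 = text.rpartition(":")
    segments = head.split(":")
    if len(segments) != 6 or not all(1 <= len(s) <= 4 and all(c in "0123456789abcdefABCDEF" for c in s)
                                    for s in segments):
        raise ValueError("IPv6 portion must be exactly six hexadecimal segments")
    octets = v4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 portion must be four octets between 0 and 255")
    return ipaddress.IPv6Address(text)
```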
Other Protocols
There are other types of network protocols, some of which are discussed here. See Chapters 15 and 16 for additional information.
ICMP
The Internet Control Message Protocol (ICMP) is a network layer protocol that does not carry user data, although its messages are encapsulated in IP datagrams. ICMP fills two roles in the TCP/IP suite. It provides error-reporting functions, informing the sending system when a transmission cannot reach its destination, for example, and it carries query and response messages for diagnostic programs. The ping utility, for instance, which is included in every TCP/IP implementation, uses ICMP echo messages to determine whether another system on the network can receive and send data.
The ICMP protocol, as defined in RFC 792, consists of messages carried in IP datagrams, with a value of 1 in the IP header’s Protocol field and 0 in the Type of Service field. Figure 14-1 illustrates the ICMP message format.
Figure 14-1 The ICMP message format
The ICMP message format consists of the following fields:
• Type (1 byte) Contains a code identifying the basic function of the message
• Code (1 byte) Contains a secondary code identifying the function of the message within a specific type
• Checksum (2 bytes) Contains the results of a checksum computation on the entire ICMP message, including the Type, Code, Checksum, and Data fields (with a value of 0 in the Checksum field for computation purposes)
• Data (variable) Contains information specific to the function of the message
The ICMP message types are listed in Table 14-2.
Table 14-2 ICMP Message Types
ICMP Error Messages
Because of the way TCP/IP networks distribute routing chores among various systems, there is no way for either of the end systems involved in a transmission to know what has happened during a packet’s journey. IP is a connectionless protocol, so no acknowledgment messages are returned to the sender at that level. When using a connection-oriented protocol at the transport layer, like TCP, the destination system acknowledges transmissions, but only for the packets it receives. If something happens during the transmission process that prevents the packet from reaching the destination, there is no way for IP or TCP to inform the sender about what happened.
ICMP error messages are designed to fill this void. When an intermediate system, such as a router, has trouble processing a packet, the router typically discards the packet, leaving the upper-layer protocols to detect the packet’s absence and arrange for a retransmission. ICMP messages enable the router to inform the sender of the exact nature of the problem. Destination systems can also generate ICMP messages when a packet arrives successfully but cannot be processed.
The Data field of an ICMP error message always contains the IP header of the datagram the system could not process, plus the first 8 bytes of the datagram’s own Data field. In most cases, these 8 bytes contain a UDP header or the beginning of a TCP header, including the source and destination ports and the sequence number (in the case of TCP). This enables the system receiving the error message to isolate the exact time the error occurred and the transmission that caused it.
However, ICMP error messages are informational only. The system receiving them does not respond, nor does it necessarily take any action to correct the situation. The user or administrator may have to address the problem that is causing the failure.
In general, all TCP/IP systems are free to transmit ICMP error messages, except in certain specific situations. These exceptions are intended to prevent ICMP from generating too much traffic on the network by transmitting large numbers of identical messages. These exceptional situations are as follows:
• TCP/IP systems do not generate ICMP error messages in response to other ICMP error messages. Without this exception, it would be possible for two systems to bounce error messages back and forth between them endlessly. Systems can generate ICMP errors in response to ICMP queries, however.
• In the case of a fragmented datagram, a system generates an ICMP error message only for the first fragment.
• TCP/IP systems never generate ICMP error messages in response to broadcast or multicast transmissions, transmissions with a source IP address of 0.0.0.0, or transmissions addressed to the loopback address.
The following sections examine the most common types of ICMP error messages and their functions.
Destination Unreachable Messages
Destination Unreachable messages have a value of 3 in the ICMP Type field and any one of 13 values in the Code field. As the name implies, these messages indicate that a packet or the information in a packet could not be transmitted to its destination. The various messages specify exactly which component was unreachable and, in some cases, why. This type of message can be generated by a router when it cannot forward a packet to a certain network or to the destination system on one of the router’s connected networks. Destination systems themselves can also generate these messages when they cannot deliver the contents of the packet to a specific protocol or host.
In most cases, the error is a result of some type of failure, either temporary or permanent, in a computer or the network medium. These errors could also possibly occur as a result of IP options that prevent the transmission of the packet, such as when datagrams must be fragmented for transmission over a specific network and the Don’t Fragment flag in the IP header is set.
Source Quench Messages
The Source Quench message, with a Type value of 4 and a Code value of 0, functions as an elementary form of flow control by informing a transmitting system that it is sending packets too fast. When the receiver’s buffers are in danger of being overfilled, the system can transmit a Source Quench message to the sender, which slows down its transmission rate as a result. The sender should continue to reduce the rate until it is no longer receiving the messages from the receiver.
This is a basic form of flow control that is reasonably effective for use between systems on the same network but that generates too much additional traffic on routed networks. In most cases, this is unnecessary on internetworks because TCP provides its own flow-control mechanism without the additional traffic.
Redirect Messages
Redirect messages are generated only by routers to inform hosts or other routers of better routes to a particular destination.
Because having the host send the packets intended for that destination directly to Router 2 would be more efficient, Router 1 sends a Redirect Datagram for the Network message (Type 5, Code 0) to the transmitting host after it forwards the original packet to Router 2. The Redirect message contains the usual IP header and partial data information, as well as the IP address of the router the host should use for its future transmissions to that network.
In this example, the Redirect message indicates that the host should use the other router for the packets it will transmit to all hosts on Network B in the future. The other Redirect messages (with Codes 1 through 3) enable the router to specify an alternative router for transmissions to the specific host, to the specific host with the same Type of Service value, and to the entire network with the same Type of Service value.
Time Exceeded Messages
Time Exceeded messages are used to inform a transmitting system that a packet has been discarded because a timeout has elapsed. The Time to Live Exceeded in Transit message (Type 11, Code 0) indicates that the Time-to-Live value in a packet’s IP header has reached zero before arriving at the destination, forcing the router to discard it.
This message enables the TCP/IP traceroute program to display the route through the network that packets take to a given destination. By transmitting a series of packets with incremented values in the Time-to-Live field, each successive router on the path to the destination discards a packet and returns an ICMP Time Exceeded message to the source.
The Fragment Reassembly Time Exceeded message (Code 1) indicates that a destination system has not received all the fragments of a specific datagram within the time limit specified by the host. As a result, the system must discard all the fragments it has received and return the error message to the sender.
ICMP Query Messages
ICMP query messages are not generated in response to other activities, as are the error messages. Systems use them for self-contained request/reply transactions in which one computer requests information from another, which responds with a reply containing that information.
Because they are not associated with other IP transmissions, ICMP queries do not contain datagram information in their Data fields. The data they do carry is specific to the function of the message. The following sections examine some of the more common ICMP query messages and their functions.
Echo Requests and Replies
Echo Request and Echo Reply messages are the basis for the TCP/IP ping utility, which sends test messages to another host on the network to determine whether it is capable of receiving and responding to messages. Each ping consists of an ICMP Echo Request message (Type 8, Code 0) that, in addition to the standard ICMP Type, Code, and Checksum fields, adds Identifier and Sequence Number fields that the systems use to associate requests and replies.
If the system receiving the message is functioning normally, it reverses the Source and Destination IP Address fields in the IP header, changes the value of the ICMP Type field to 0 (Echo Reply), and recomputes the checksum before transmitting it back to the sender.
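The ICMP error payload rule, the rate-limiting exceptions, and the Echo Request-to-Reply transformation described in the sections above, as one added example (not code from the book): a Destination Unreachable message is built from a failed datagram and then decoded back to the ports of the flow it refers to, a policy function applies the listed exceptions before an error may be sent, and an Echo Request datagram is turned into the Echo Reply a host would return. The addresses and payloads are constructed; the Port Unreachable code value 3 is from RFC 792.

```python
import struct
import ipaddress

ICMP_ERROR_TYPES = {3, 4, 5, 11}  # Destination Unreachable, Source Quench, Redirect, Time Exceeded


def checksum(data: bytes) -> int:
    """One's-complement sum over the whole message, computed with the Checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Minimal IPv4 wrapper (20-byte header, no options) for the constructed traffic below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp(mtype: int, code: int, body: bytes) -> bytes:
    """Type, Code, Checksum, then the type-specific Data field."""
    msg = struct.pack("!BBH", mtype, code, 0) + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def destination_unreachable(code: int, offending: bytes) -> bytes:
    """Type 3 error: 4 unused bytes, then the failed datagram's IP header plus its first 8 data bytes."""
    ihl = (offending[0] & 0x0F) * 4
    return icmp(3, code, b"\x00" * 4 + offending[:ihl + 8])


def parse_icmp_error(msg: bytes) -> dict:
    """Identify the transmission an error refers to from the embedded header and 8 payload bytes."""
    mtype, code, _ = struct.unpack("!BBH", msg[:4])
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    info = {"type": mtype, "code": code, "checksum_ok": checksum(msg) == 0, "protocol": inner[9],
            "src": str(ipaddress.IPv4Address(inner[12:16])), "dst": str(ipaddress.IPv4Address(inner[16:20]))}
    transport = inner[ihl:ihl + 8]
    if info["protocol"] in (6, 17):  # TCP or UDP: the ports come first in both headers
        info["src_port"], info["dst_port"] = struct.unpack("!HH", transport[:4])
    if info["protocol"] == 6:
        info["seq"] = struct.unpack("!I", transport[4:8])[0]
    return info


def may_send_error(pkt: bytes) -> bool:
    """The exceptions listed above: no errors about ICMP errors, non-first fragments, broadcast or
    multicast destinations, a 0.0.0.0 source, or the loopback address."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if frag_offset != 0:
        return False
    if pkt[9] == 1 and pkt[ihl] in ICMP_ERROR_TYPES:
        return False
    if dst.is_multicast or dst == ipaddress.IPv4Address("255.255.255.255") or dst.is_loopback:
        return False  # directed broadcasts would also need the subnet mask; not checked here
    return not src.is_unspecified


def echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8, Code 0, with the Identifier and Sequence Number fields that ping matches replies on."""
    return icmp(8, 0, struct.pack("!HH", ident, seq) + payload)


def echo_reply(request_pkt: bytes):
    """Host side: swap the IP addresses, set Type to 0 and recompute the ICMP checksum.
    Returns None unless the datagram is a valid Echo Request."""
    ihl = (request_pkt[0] & 0x0F) * 4
    ip_hdr, msg = request_pkt[:ihl], request_pkt[ihl:]
    if request_pkt[9] != 1 or msg[0] != 8 or checksum(msg) != 0:
        return None
    # Swapping two aligned 32-bit fields does not change the one's-complement sum, so the IP Header
    # Checksum stays valid (the TTL is left unchanged here for brevity).
    ip_hdr = ip_hdr[:12] + ip_hdr[16:20] + ip_hdr[12:16] + ip_hdr[20:]
    return ip_hdr + icmp(0, 0, msg[4:])
```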
Router Solicitations and Advertisements
These messages make it possible for a host system to discover the addresses of the routers connected to the local network. Systems can use this information to configure the default gateway entry in their routing tables. When a host broadcasts or multicasts a Router Solicitation message (Type 10, Code 0), the routers on the network respond with Router Advertisement messages (Type 9, Code 0). Routers continue to advertise their availability at regular intervals (typically seven to ten minutes). A host may stop using a router as its default gateway if it fails to receive continued advertisements.
The Router Solicitation message consists only of the standard Type, Code, and Checksum fields, plus a 4-byte pad in the Data field. Figure 14-2 shows the Router Advertisement message format.
Figure 14-2 The Router Advertisement message format
The Router Advertisement message format contains the following additional fields:
• Number of Addresses (1 byte) Specifies the number of router addresses contained in the message. The format can support multiple addresses, each of which will have its own Router Address and Preference Level fields.
• Address Entry Size (1 byte) Specifies the number of 4-byte words devoted to each address in the message. The value is always 2.
• Lifetime (2 bytes) Specifies the time, in seconds, that can elapse between advertisements before a system assumes a router is no longer functioning. The default value is usually 1,800 seconds (30 minutes).
• Router Address (4 bytes) Specifies the IP address of the router generating the advertisement message.
• Preference Level (4 bytes) Contains a value specified by the network administrator that host systems can use to select one router over another.
UDP
Two TCP/IP protocols operate at the transport layer: TCP and UDP. The User Datagram Protocol (UDP), defined in RFC 768, is a connectionless, unreliable protocol that provides minimal transport service to application layer protocols with a minimum of control overhead. Thus, UDP provides no packet acknowledgment or flow-control services like TCP does, although it does provide end-to-end checksum verification on the contents of the packet.
Although it provides a minimum of services of its own, UDP does function as a pass-through protocol, meaning that it provides applications with access to network layer services, and vice versa. If, for example, a datagram containing UDP data cannot be delivered to the destination and a router returns an ICMP Destination Unreachable message, UDP always passes the ICMP message information up from the network layer to the application that generated the information in the original datagram. UDP also passes along any optional information included in IP datagrams to the application layer and, in the opposite direction, information from applications that IP will use as values for the Time-to-Live and Type of Service header fields.
The nature of the UDP protocol makes it suitable only for brief transactions in which all the data to be sent to the destination fits into a single datagram. This is because no mechanism exists in UDP for splitting a data stream into segments and reassembling them, as in TCP. This does not mean that the datagram cannot be fragmented by IP in the course of transmission, however. This process is invisible to the transport layer because the receiving system reassembles the fragments before passing the datagram up the stack.
In addition, because no packet acknowledgment exists in UDP, it is most often used for client-server transactions in which the client transmits a request and the server’s reply message serves as an acknowledgment. If a system sends a request and no reply is forthcoming, the system assumes the destination system did not receive the message and retransmits. It is mostly TCP/IP support services like DNS and DHCP, services that don’t carry actual user data, that use this type of transaction. Applications such as DHCP also use UDP when they have to send broadcast or multicast transmissions. Because the TCP protocol requires two systems to establish a connection before they transmit user data, it does not support broadcasts and multicasts.
The header for UDP messages (sometimes confusingly called datagrams, like IP messages) is small, only 8 bytes, as opposed to the 20 bytes of the TCP header. Figure 14-3 illustrates the format.
Figure 14-3 The UDP message format
The functions of the fields are as follows:
• Source Port Number (2 bytes) Identifies the port number of the process in the transmitting system that generated the data carried in the UDP datagram. In some cases, this may be an ephemeral port number selected by the client for this transaction.
• Destination Port Number (2 bytes) Identifies the port number of the process on the destination system that will receive the data carried in the UDP datagram. Well-known port numbers are listed in the “Assigned Numbers” RFC and in the Services file on every TCP/IP system.
• UDP Length (2 bytes) Specifies the length of the entire UDP message, including the Header and Data fields, in bytes.
• UDP Checksum (2 bytes) Contains the result of a checksum computed from the UDP header and data, along with a pseudo-header composed of the IP header’s Source IP Address, Destination IP Address, and Protocol fields, plus the UDP Length field. This pseudo-header enables the UDP protocol at the receiving system to verify that the message has been delivered to the correct protocol on the correct destination system.
• Data (variable, up to 65,507 bytes) Contains the information supplied by the application layer protocol.
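The UDP header and its pseudo-header checksum, as an added example (not code from the book): the sender computes the checksum over the pseudo-header (Source IP, Destination IP, Protocol, UDP Length) plus header and data, and the receiver recomputes it with the values from the IP header that actually delivered the segment, so a segment delivered to the wrong host or wrong protocol fails the check. The all-ones substitution for a computed zero is RFC 768 behaviour; the addresses, ports and payload are constructed.

```python
import struct
import ipaddress


def checksum(data: bytes) -> int:
    """One's-complement sum (RFC 1071), padding an odd trailing byte with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """Source IP, Destination IP, a zero byte, Protocol, and UDP Length: covered by the checksum, never sent."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, proto, length))


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, data: bytes) -> bytes:
    """8-byte header plus data, checksummed over pseudo-header + header + data."""
    length = 8 + len(data)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, 17, length) + header + data)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a computed zero is sent as all ones, because 0 means "no checksum"
    return header[:6] + struct.pack("!H", csum) + data


def parse_udp(segment: bytes) -> dict:
    """Split a segment into its four header fields and the data they describe."""
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port, "length": length, "checksum": csum,
            "data": segment[8:length]}


def verify_udp(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """Receiver-side check using the addresses and Protocol value from the IP header that delivered
    the segment; a mismatch in any of them fails, which is how misdelivery is caught."""
    fields = parse_udp(segment)
    if fields["length"] != len(segment) or fields["length"] < 8:
        return False
    if fields["checksum"] == 0:
        return True  # the sender chose not to compute one (permitted for UDP over IPv4)
    return checksum(pseudo_header(src_ip, dst_ip, proto, fields["length"]) + segment) == 0
```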
TCP
The Transmission Control Protocol is the connection-oriented, reliable alternative to UDP. It accounts for the majority of the user data transmitted across a TCP/IP network, and it gives the protocol suite its name. TCP, as defined in RFC 793, provides applications with a full range of transport services, including packet acknowledgment, error detection and correction, and flow control.
TCP is intended for the transfer of relatively large amounts of data that will not fit into a single packet. The data often takes the form of complete files that must be split up into multiple datagrams for transmission. In TCP terminology, the data supplied to the transport layer is referred to as a sequence, and the protocol splits the sequence into segments for transmission across the network. As with UDP, however, the segments are packaged in IP datagrams that may end up taking different routes to the destination. TCP, therefore, assigns sequence numbers to the segments so the receiving system can reassemble them in the correct order.
Before any transfer of user data begins using TCP, the two systems exchange messages to establish a connection. This ensures that the receiver is operating and capable of receiving data. Once the connection is established and data transfer begins, the receiving system generates periodic acknowledgment messages. These messages inform the sender of lost packets and also provide the information used to control the rate of flow to the receiver.
The TCP Header
To provide these services, the header applied to TCP segments is necessarily larger than that for UDP. At 20 bytes (without options), it’s the same size as the IP header.
The functions of the fields are as follows:
• Source Port (2 bytes) Identifies the port number of the process in the transmitting system that generated the data carried in the TCP segments. In some cases, this may be an ephemeral port number selected by the client for this transaction.
• Destination Port (2 bytes) Identifies the port number of the process on the destination system that will receive the data carried in the TCP segments. Well-known port numbers are listed in the “Assigned Numbers” RFC and in the Services file on every TCP/IP system.
• Sequence Number (4 bytes) Specifies the location of the data in this segment in relation to the entire data sequence.
• Acknowledgment Number (4 bytes) Specifies the sequence number of the next segment that the acknowledging system expects to receive from the sender. This is active only when the ACK bit is set.
• Data Offset (4 bits) Specifies the length, in 4-byte words, of the TCP header (which may contain options expanding it to as much as 60 bytes).
• Reserved (6 bits) Unused.
• Control Bits (6 bits) Contains six 1-bit flags that perform the following functions:
  • URG Indicates that the sequence contains urgent data and activates the Urgent Pointer field
  • ACK Indicates that the message is an acknowledgment of previously transmitted data and activates the Acknowledgment Number field
  • PSH Instructs the receiving system to push all the data in the current sequence to the application identified by the port number without waiting for the rest
  • RST Instructs the receiving system to discard all the segments in the sequence that have been transmitted thus far and resets the TCP connection
  • SYN Used during the connection establishment process to synchronize the sequence numbers in the source and destination systems
  • FIN Indicates to the other system that the data transmission has been completed and the connection is to be terminated
• Window (2 bytes) Implements the TCP flow-control mechanism by specifying the number of bytes the system can accept from the sender.
• Checksum (2 bytes) Contains a checksum computed from the TCP header, the data, and a pseudo-header composed of the Source IP Address, Destination IP Address, and Protocol fields from the packet’s IP header, plus the length of the entire TCP message.
• Urgent Pointer (2 bytes) Activated by the URG bit, specifies the data in the sequence that should be treated by the receiver as urgent.
• Options (variable) May contain additional configuration parameters for the TCP connection, along with padding to fill the field to the nearest 4-byte boundary. The available options are as follows:
  • Maximum Segment Size Specifies the size of the largest segments the current system can receive from the connected system
  • Window Scale Factor Used to double the size of the Window Size field from 2 to 4 bytes
  • Timestamp Used to carry timestamps in data packets that the receiving system returns in its acknowledgments, enabling the sender to measure the round-trip time
• Data (variable) May contain a segment of the information passed down from an application layer protocol. In SYN, ACK, and FIN packets, this field is left empty.
ConnectionEstablishmentDistinguishingTCPconnectionsfromtheothertypesofconnectionscommonlyusedindatanetworkingisimportant.Whenyoulogontoanetwork,forexample,youinitiateasessionthatremainsopenuntilyoulogoff.Duringthatsession,youmayestablishotherconnectionstoindividualnetworkresourcessuchasfileserversthatalsoremainopenforextendedlengthsoftime.TCPconnectionsaremuchmoretransient,however,andtypicallyremainopenonlyforthedurationofthedatatransmission.Inaddition,asystem(orevenasingleapplicationonthatsystem)mayopenseveralTCPconnectionsatoncewiththesamedestination.
Asanexample,considerabasicclient-servertransactionbetweenawebbrowserandawebserver.WheneveryoutypeaURLinthebrowser,theprogramopensaTCPconnectionwiththeservertotransferthedefaultHTMLfilethatthebrowserusestodisplaytheserver’shomepage.Theconnectionlastsonlyaslongasittakestotransferthatonepage.Whentheuserclicksahyperlinktoopenanewpage,anentirelynewTCPconnectionisneeded.Ifthereareanygraphicsonthewebpages,aseparateTCPconnectionisneededtotransmiteachimagefile.
Theadditionalmessagesrequiredfortheestablishmentoftheconnection,plusthesizeoftheheader,addconsiderablytothecontroloverheadincurredbyaTCPconnection.ThisisthemainreasonwhyTCP/IPhasUDPasalow-overheadtransportlayeralternative.
ThecommunicationprocessbetweentheclientandtheserverbeginswhentheclientgeneratesitsfirstTCPmessage,beginningthethree-wayhandshakethatestablishestheconnectionbetweenthetwomachines.Thismessagecontainsnoapplicationdata;itsimplysignalstotheserverthattheclientwantstoestablishaconnection.TheSYNbitisset,andthesystemsuppliesavalueintheSequenceNumberfield,calledtheinitialsequencenumber(ISN),asshowninFigure14-4.
Figure14-4Theclient’sSYNmessageinitiatestheconnectionestablishmentprocess.
ThesystemusesacontinuouslyincrementingalgorithmtodeterminetheISNitwilluseforeachconnection.Theconstantcyclingofthesequencenumbersmakesithighlyunlikelythatmultipleconnectionsusingthesamesequencenumberswilloccurbetweenthesametwosockets.TheclientsystemthentransmitsthemessageasaunicasttothedestinationsystemandenterstheSYN-SENTstate,indicatingthatithastransmitteditsconnectionrequestandiswaitingforamatchingrequestfromthedestinationsystem.
Theserver,atthistime,isintheLISTENstate,meaningthatitiswaitingtoreceiveaconnectionrequestfromaclient.Whentheserverreceivesthemessagefromtheclient,itreplieswithitsownTCPcontrolmessage.Thismessageservestwofunctions:Itacknowledgesthereceiptoftheclient’smessage,asindicatedbytheACKbit,anditinitiatesitsownconnection,asindicatedbytheSYNbit(seeFigure14-5).TheserverthenenterstheSYN-RECEIVEDstate,indicatingthatithasreceivedaconnectionrequest,issuedarequestofitsown,andiswaitingforanacknowledgmentfromtheothersystem.BoththeACKandSYNbitsarenecessarybecauseTCPisafull-duplexprotocol,meaningthataseparateconnectionisactuallyrunningineachdirection.Bothconnectionsmustbe
individuallyestablished,maintained,andterminated.Theserver’smessagealsocontainsavalueintheSequenceNumberfield(116270),aswellasavalueintheAcknowledgmentNumberfield(119841004).
Figure14-5Theserveracknowledgestheclient’sSYNandsendsaSYNofitsown.
Bothsystemsmaintaintheirownsequencenumbersandarealsoconsciousoftheothersystem’ssequencenumbers.Later,whenthesystemsactuallybegintosendapplicationdata,thesesequencenumbersenableareceivertoassembletheindividualsegmentstransmittedinseparatepacketsintotheoriginalsequence.
Remember,althoughthetwosystemsmustestablishaconnectionbeforetheysendapplicationdata,theTCPmessagesarestilltransmittedwithinIPdatagramsandaresubjecttothesametreatmentasanyotherdatagram.Thus,theconnectionisactuallyavirtualone,andthedatagramsmaytakedifferentroutestothedestinationandarriveinadifferentorderfromthatinwhichtheyweresent.
Aftertheclientreceivestheserver’smessage,ittransmitsitsownACKmessage(seeFigure14-6)acknowledgingtheserver’sSYNbitandcompletingthebidirectionalconnectionestablishmentprocess.Thismessagehasavalueof119841004asitssequencenumber,whichisthevalueexpectedbytheserver,andanacknowledgmentnumberof116271,whichisthesequencenumberitexpectstoseeintheserver’snexttransmission.BothsystemsnowentertheESTABLISHEDstate,indicatingthattheyarereadytotransmitandreceiveapplicationdata.
Figure14-6Theclientthenacknowledgestheserver’sSYN,andtheconnectionisestablishedinbothdirections.
DataTransferOncetheTCPconnectionisestablishedinbothdirections,thetransmissionofdatacanbegin.Theapplicationlayerprotocoldetermineswhethertheclientortheserverinitiatesthenextexchange.InaFileTransferProtocol(FTP)session,forexample,theserversendsaReadymessagefirst.InaHypertextTransferProtocol(HTTP)exchange,theclientbeginsbysendingtheURLofthedocumentitwantstoreceive.
Thedatatobesentisnotpackagedfortransmissionuntiltheconnectionisestablished.ThisisbecausethesystemsusetheSYNmessagestoinformtheothersystemofthemaximumsegmentsize(MSS).TheMSSspecifiesthesizeofthelargestsegmenteachsystemiscapableofreceiving.ThevalueoftheMSSdependsonthedatalinklayerprotocolusedtoconnectthetwosystems.
EachsystemsuppliestheotherwithanMSSvalueintheTCPmessage’sOptionsfield.LikewiththeIPheader,eachoptionconsistsofmultiplesubfields,whichfortheMaximumSegmentSizeoption,areasfollows:
•Kind(1byte)Identifiesthefunctionoftheoption.FortheMaximumSegmentSizeoption,thevalueis2.
•Length(1byte)Specifiesthelengthoftheentireoption.FortheMaximumSegmentSizeoption,thevalueis4.
•MaximumSegmentSize(2bytes)Specifiesthesize(inbytes)ofthelargestdatasegmentthesystemcanreceive.
Intheclientsystem’sfirstTCPmessage,shownearlierinFigure14-4,thevalueoftheOptionsfieldis(inhexadecimalnotation)020405B001010402.Thefirst4bytesofthisvalueconstitutetheMSSoption.TheKindvalueis02,theLengthis04,andtheMSSis
05B0,whichindecimalformis1,456bytes.ThisworksouttothemaximumframesizeforanEthernetIInetwork(1,500bytes)minus20bytesfortheIPheaderand24bytesfortheTCPheader(20bytesplus4optionbytes).Theserver’sownSYNpacketcontainsthesamevalueforthisoptionbecausethesetwocomputerswerelocatedonthesameEthernetnetwork.
NOTETheremaining4bytesintheOptionsfieldconsistof2bytesofpadding(0101)andtheKind(04)andLength(02)fieldsoftheSACK-Permittedoption,indicatingthatthesystemiscapableofprocessingextendedinformationaspartofacknowledgmentmessages.
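The following Python example is added here and is not code from the book. It parses the fixed 20-byte TCP header described in the field list above and walks the Options field, decoding the 8 option bytes quoted above (020405B001010402) inside a SYN segment that is otherwise constructed: the ports, window and ISN are assumed values (the ISN 119841003 is chosen so that the server's acknowledgment would be 119841004, as in Figure 14-5). The option Kind values it recognises (End-of-list 0, No-Op 1, MSS 2, Window Scale 3, SACK-Permitted 4, Timestamp 8) are the real values from the TCP RFCs.

```python
"""Parse a TCP header and its Options field (added example, not from the book)."""
import struct

# Real TCP option Kind values (RFC 793, RFC 2018, RFC 7323).
OPT_END, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERMITTED, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
# Control bits, least significant first: FIN is bit 0, URG is bit 5.
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_options(raw: bytes) -> list:
    """Walk the Options field: single-byte kinds (EOL, NOP) and Kind/Length/Value kinds."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            opts.append(("EOL", None))
            break
        if kind == OPT_NOP:                      # 0x01 padding bytes, as in the chapter's example
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option at offset %d has no Length byte" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):  # a bad Length must not run past the field
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == OPT_WSCALE and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == OPT_SACK_PERMITTED and length == 2:
            opts.append(("SACK-Permitted", None))
        elif kind == OPT_TIMESTAMP and length == 10:
            opts.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:
            opts.append(("kind-%d" % kind, body))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Return the fixed header fields, the decoded control bits, options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (sport, dport, seq, ack, off_flags, window,
     checksum, urgptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # Data Offset is in 4-byte words
    flags = off_flags & 0x3F                     # low 6 bits hold the control bits
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("Data Offset %d is invalid for this segment" % data_offset)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": data_offset,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "window": window, "checksum": checksum, "urgent": urgptr,
        "options": parse_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def build_syn(src_port: int, dst_port: int, isn: int, options: bytes) -> bytes:
    """Construct a SYN segment carrying the given options (checksum left at zero)."""
    header_len = 20 + len(options)
    if header_len % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    off_flags = ((header_len // 4) << 12) | 0x02          # SYN bit only
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, isn, 0, off_flags, 65535, 0, 0)
    return fixed + options


# Constructed SYN: assumed ephemeral source port and ISN, HTTP destination port,
# and the Options bytes the chapter quotes from Figure 14-4.
CLIENT_SYN = build_syn(49152, 80, 119841003, bytes.fromhex("020405B001010402"))

if __name__ == "__main__":
    hdr = parse_tcp_header(CLIENT_SYN)
    print(hdr["flags"], hdr["header_len"], hdr["options"])
```

The Length checks matter: an option whose Length byte points past the end of the header is the kind of malformed input a dissector must reject rather than read beyond, which is why the parser raises instead of slicing blindly.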
When the two systems are located on different networks, their MSS values may also be different, and how the systems deal with this is left up to the individual TCP implementations. Some systems may just use the smaller of the two values, while others might revert to the default value of 536 bytes used when no MSS option is supplied. Windows 2000 systems use a special method of discovering the connection path’s MTU (that is, the largest packet size permitted on an internetwork link between two systems). This method, as defined in RFC 1191, enables the systems to determine the packet sizes permitted on intermediate networks. Thus, even if the source and destination systems are both connected to Ethernet networks with 1,500-byte MTUs, they can detect an intermediate connection that supports only a 576-byte MTU.
Once the MSS for the connection is established, the systems can begin packaging data for transmission. In the case of an HTTP transaction, the web browser client transmits the desired URL to the server in a single packet (see Figure 14-7). Notice that the sequence number of this packet (119841004) is the same as that for the previous packet it sent in acknowledgment to the server’s SYN message. This is because TCP messages consisting only of an acknowledgment do not increment the sequence counter. The acknowledgment number is also the same as in the previous packet because the client has not yet received the next message from the server. Note also that the PSH bit is set, indicating that the server should send the enclosed data to the application immediately.
Figure 14-7 The first data packet sent over the connection contains the URL requested by the web browser.
After receiving the client’s message, the server returns an acknowledgment message, as shown in Figure 14-8, that uses the sequence number expected by the client (116271) and has an acknowledgment number of 119841363. The difference between this acknowledgment number and the sequence number of the client message previously sent is 359; this is correct because the datagram the client sent to the server was 399 bytes long. Subtracting 40 bytes for the IP and TCP headers leaves 359 bytes of data. The value in the server’s acknowledgment message, therefore, indicates that it has successfully received 359 bytes of data from the client. As each system sends data to the other, they increment their sequence numbers for each byte transmitted.
Figure 14-8 The server acknowledges all of the data bytes transmitted by the client.
The next step in the process is for the server to respond to the client’s request by sending it the requested HTML file. Using the MSS value, the server creates segments small enough to be transmitted over the network and transmits the first one in the message, as shown in Figure 14-9. The sequence number is again the same as the server’s previous message because the previous message contained only an acknowledgment. The acknowledgment number is also the same because the server is sending a second message without any intervening communication from the client.
Figure 14-9 In response to the client’s request, the server begins to transmit the web page after splitting it into multiple segments.
In addition to the acknowledgment service just described, the TCP header fields provide two more services:
• Error correction
• Flow control
The following sections examine each of these functions.
Error Correction
You saw in the previous example how a receiving system uses the acknowledgment number in its ACK message to inform the sender that its data was received correctly. The systems also use this mechanism to indicate when an error has occurred and data is not received correctly.
TCP/IP systems use a system of delayed acknowledgments, meaning they do not have to send an acknowledgment message for every packet they receive. The method used to determine when acknowledgments are sent is left up to the individual implementation, but each acknowledgment specifies that the data, up to a certain point in the sequence, has been received correctly. These are called positive acknowledgments because they indicate that data has been received. Negative acknowledgments or selective acknowledgments, which specify that data has not been received correctly, are not possible in TCP.
What if, for example, in the course of a single connection, a server transmits five data segments to a client and the third segment must be discarded because of a checksum error? The receiving system must then send an acknowledgment back to the sender indicating that all the messages up through the second segment have been received correctly. Even though the fourth and fifth segments were also received correctly, the third segment was not. Using positive acknowledgments means that the fourth and fifth segments must be retransmitted, in addition to the third.
The mechanism used by TCP is called positive acknowledgment with retransmission because the sending system automatically retransmits all of the unacknowledged segments after a certain time interval. The way this works is that the sending system maintains a queue containing all of the segments it has already transmitted. As acknowledgments arrive from the receiver, the sender deletes the segments that have been acknowledged from the queue. After a certain elapsed time, the sending system retransmits all of the unacknowledged segments remaining in the queue. The systems use algorithms documented in RFC 1122 to calculate the timeout values for a connection based on the amount of time it takes for a transmission to travel from one system to the other and back again, called the round-trip time.
Flow Control
Flow control is an important element of the TCP protocol because it is designed to transmit large amounts of data. Receiving systems have a buffer in which they store incoming segments waiting to be acknowledged. If a sending system transmits too many segments too quickly, the receiver’s buffer fills up and any packets arriving at the system are discarded until space in the buffer is available. TCP uses a mechanism called a sliding window for its flow control, which is essentially a means for the receiving system to inform the sender of how much buffer space it has available.
Each acknowledgment message generated by a system receiving TCP data specifies the amount of buffer space it has available in its Window field. As packets arrive at the receiving system, they wait in the buffer until the system generates the message that acknowledges them. The sending system computes the amount of data it can send by taking the Window value from the most recently received acknowledgment and subtracting the number of bytes it has transmitted since it received that acknowledgment. If the result of this computation is zero, the system stops transmitting until it receives acknowledgment of outstanding packets.
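The Error Correction and Flow Control sections above both describe the sender's side of TCP, so the following Python model, added here and not taken from the book, covers both: a queue of transmitted-but-unacknowledged segments that a cumulative (positive) acknowledgment trims and a timeout retransmits, and a usable-window computation that caps sending at the peer's advertised Window minus the bytes still outstanding. Time is a simulated tick counter, and the segment sizes, window values and timeout are constructed; the five-segment loss scenario reproduces the chapter's example of the third segment being discarded.

```python
"""Sender model: positive acknowledgment with retransmission plus a sliding window.
Added example, not code from the book; all sizes and timings are constructed."""
from collections import OrderedDict


class Sender:
    def __init__(self, isn, mss, rto_ticks):
        self.snd_una = isn            # oldest sequence number not yet acknowledged
        self.snd_nxt = isn            # next sequence number to transmit
        self.mss = mss
        self.rto = rto_ticks          # retransmission timeout (RFC 1122 derives it from the RTT)
        self.window = 0               # Window value from the most recent acknowledgment
        self.queue = OrderedDict()    # seq -> (length, tick of last transmission)
        self.transmissions = []       # (tick, seq, length, is_retransmission)

    def usable_window(self):
        """Advertised window minus the bytes sent since it was acknowledged (bytes in flight)."""
        return max(0, self.window - (self.snd_nxt - self.snd_una))

    def send(self, nbytes, tick):
        """Transmit as much of nbytes as the window allows, in segments of at most MSS bytes."""
        sent = 0
        while sent < nbytes and self.usable_window() > 0:
            length = min(self.mss, nbytes - sent, self.usable_window())
            self.queue[self.snd_nxt] = (length, tick)
            self.transmissions.append((tick, self.snd_nxt, length, False))
            self.snd_nxt += length
            sent += length
        return sent                   # 0 means the window is closed: wait for an ACK

    def on_ack(self, ack, window, tick):
        """A positive ACK covers every byte below ack; drop those segments from the queue."""
        if ack > self.snd_una:
            self.snd_una = ack
            for seq, (length, _) in list(self.queue.items()):
                if seq + length <= ack:
                    del self.queue[seq]
        self.window = window          # each ACK carries a fresh Window value

    def on_timer(self, tick):
        """Retransmit, in order, every queued segment whose timeout has elapsed."""
        for seq, (length, sent_at) in list(self.queue.items()):
            if tick - sent_at >= self.rto:
                self.queue[seq] = (length, tick)
                self.transmissions.append((tick, seq, length, True))


def run_loss_scenario():
    """Five 100-byte segments, the third lost: the cumulative ACK covers only the first two,
    so once the timeout expires segments 3, 4 and 5 are all resent."""
    s = Sender(isn=1000, mss=100, rto_ticks=3)
    s.on_ack(1000, window=500, tick=0)        # peer's handshake advertised a 500-byte window
    s.send(500, tick=0)                       # five segments fill the window exactly
    window_full = s.usable_window()
    # Receiver got segments 1, 2, 4, 5; segment 3 failed its checksum, so the ACK stops at 1200.
    s.on_ack(1200, window=500, tick=1)
    s.on_timer(tick=1)                        # timeout not yet reached: nothing happens
    s.on_timer(tick=3)                        # timeout reached: retransmit everything queued
    retransmitted = [seq for (_, seq, _, again) in s.transmissions if again]
    return {"window_full": window_full, "usable_after_ack": s.usable_window(),
            "retransmitted": retransmitted, "queued": list(s.queue)}


if __name__ == "__main__":
    print(run_loss_scenario())
```

Because the acknowledgment is cumulative, the sender cannot tell that segments 4 and 5 arrived; the only information it has is "everything up to 1200 is safe", which is exactly why all three remaining segments go out again in this model.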
Connection Termination
When the exchange of data between the two systems is complete, they terminate the TCP connection. Because two connections are actually involved—one in each direction—both must be individually terminated. The process begins when one machine sends a message in which the FIN control bit is set. This indicates that the system wants to terminate the connection it has been using to send data.
Which system initiates the termination process is dependent on the application generating the traffic. In an HTML transaction, the server can include the FIN bit in the message containing the last segment of data in the sequence, or it can take the form of a separate message. The client receiving the FIN from the server sends an acknowledgment, closing the server’s connection, and then sends a FIN message of its own. Note that, unlike the three-way handshake that established the connection, the termination procedure requires four transmissions because the client sends its ACK and FIN bits in separate messages. When the server transmits its acknowledgment to the client’s FIN, the connection is effectively terminated.
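The following Python model, added here and not code from the book, walks one connection through the whole lifecycle covered in the Connection Establishment, Data Transfer and Connection Termination sections: the three-way handshake, the 359-byte HTTP request and its acknowledgment, the server's first reply segment, and the four-message close, tracking how each side's sequence and acknowledgment numbers move. The server ISN 116270 and the client's post-SYN sequence number 119841004 are the values from Figures 14-5 to 14-8; the client ISN of 119841003 is inferred from them, and the 1,456-byte reply segment is a constructed size. It is a simplified model of the numbering rules, not a TCP implementation.

```python
"""TCP connection lifecycle model (added example, not code from the book)."""


class Endpoint:
    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn     # sequence number of the next byte or flag we send
        self.rcv_nxt = None    # sequence number we expect next from the peer
        self.sent = []

    def send(self, flags, length=0):
        """Emit a segment. SYN, FIN and data bytes advance snd_nxt; a bare ACK does not."""
        seg = {"from": self.name, "flags": frozenset(flags), "seq": self.snd_nxt,
               "ack": self.rcv_nxt if "ACK" in flags else None, "len": length}
        self.snd_nxt += length + ("SYN" in flags) + ("FIN" in flags)
        self.sent.append(seg)
        return seg

    def receive(self, seg):
        """Accept an in-order segment; a segment with an unexpected sequence number is rejected."""
        if self.rcv_nxt is not None and seg["seq"] != self.rcv_nxt:
            raise ValueError("%s expected seq %d, got %d" % (self.name, self.rcv_nxt, seg["seq"]))
        self.rcv_nxt = seg["seq"] + seg["len"] + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])


def three_way_handshake(client, server):
    """SYN, SYN/ACK, ACK with the state names the chapter uses."""
    server.state = "LISTEN"
    syn = client.send({"SYN"})
    client.state = "SYN-SENT"
    server.receive(syn)
    syn_ack = server.send({"SYN", "ACK"})
    server.state = "SYN-RECEIVED"
    client.receive(syn_ack)
    ack = client.send({"ACK"})
    server.receive(ack)
    client.state = server.state = "ESTABLISHED"
    return syn, syn_ack, ack


def send_data(sender, receiver, nbytes):
    """One PSH/ACK data segment and the receiver's acknowledgment of every byte in it."""
    data = sender.send({"PSH", "ACK"}, nbytes)
    receiver.receive(data)
    ack = receiver.send({"ACK"})
    sender.receive(ack)
    return data, ack


def terminate(initiator, peer):
    """Four-message close: each direction is closed separately with its own FIN and ACK."""
    fin1 = initiator.send({"FIN", "ACK"})
    peer.receive(fin1)
    ack1 = peer.send({"ACK"})
    initiator.receive(ack1)
    fin2 = peer.send({"FIN", "ACK"})
    initiator.receive(fin2)
    ack2 = initiator.send({"ACK"})
    peer.receive(ack2)
    initiator.state = peer.state = "CLOSED"
    return fin1, ack1, fin2, ack2


def run_chapter_exchange():
    """Replay the chapter's HTTP exchange and return the segments whose numbers it quotes."""
    client, server = Endpoint("client", 119841003), Endpoint("server", 116270)
    syn, syn_ack, ack = three_way_handshake(client, server)
    request, request_ack = send_data(client, server, 359)      # the 359-byte URL request
    reply, reply_ack = send_data(server, client, 1456)         # constructed MSS-sized segment
    fins = terminate(server, client)                           # server closes first
    return {"syn_ack": syn_ack, "ack": ack, "request": request, "request_ack": request_ack,
            "reply": reply, "fins": fins, "states": (client.state, server.state)}


if __name__ == "__main__":
    for key, seg in run_chapter_exchange().items():
        print(key, seg)
```

Running it shows the two points the chapter stresses: the client's ACK and its first data segment share sequence number 119841004 because a bare acknowledgment consumes no sequence space, and the server's acknowledgment 119841363 is exactly 119841004 plus the 359 data bytes.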
CHAPTER 15
The Domain Name System
Computers are designed to work with numbers, while humans are more comfortable working with words. This fundamental dichotomy is the reason why the Domain Name System (DNS) came to be. Back in the dark days of the 1970s, when the Internet was the ARPANET and the entire experimental network consisted of only a few hundred systems, a need was recognized for a mechanism that would permit users to refer to the network’s computers by name, rather than by address. The introduction of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocols in the early 1980s led to the use of 32-bit IP addresses, which even in dotted decimal form were difficult to remember.
Host Tables
The first mechanism for assigning human-friendly names to addresses was called a host table, which took the form of a file called /etc/hosts on Unix systems. The host table was a simple ASCII file that contained a list of network system addresses and their equivalent host names. When users wanted to access resources on other network systems, they would specify a host name in the application, and the system would resolve the name into the appropriate address by looking it up in the host table. This host table still exists on all TCP/IP systems today, usually in the form of a file called Hosts somewhere on the local disk drive. If nothing else, the host table contains the following entry, which assigns to the standard IP loopback address the host name localhost:
127.0.0.1 localhost
Today, the Domain Name System has replaced the host table almost universally, but when TCP/IP systems attempt to resolve a host name into an IP address, it is still possible to configure them to check the Hosts file first before using DNS. If you have a small network of TCP/IP systems that is not connected to the Internet, you can use host tables on your machines to maintain friendly host names for your computers. The name resolution process will be very fast because no network communications are necessary and you will not need a DNS server.
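As an added example (not code from the book), the following Python resolver reads a host table in the /etc/hosts format described above and looks names up in it the way a system that checks the Hosts file before DNS would: one address per line followed by a host name and optional aliases, with comments and blank lines ignored and names compared without regard to case. The table contents are constructed.

```python
"""Parse and query a host table in /etc/hosts format (added example, not from the book)."""
import ipaddress

# Constructed host table; the first line is the loopback entry every host table contains.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# constructed entries for a small network that has no DNS server
192.168.10.5    fileserver.mycorp.local fileserver   # primary file server
192.168.10.6    www.mycorp.local www
"""


def parse_hosts(text):
    """Return (name -> [addresses in file order]) and a list of (line number, reason) rejections."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "address without host name"))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])   # accepts IPv4 and IPv6 literals
        except ValueError:
            errors.append((lineno, "invalid address %r" % fields[0]))
            continue
        for name in fields[1:]:                      # canonical name and every alias
            table.setdefault(name.lower(), []).append(str(addr))
    return table, errors


def lookup(table, name, want_ipv6=False):
    """Resolve a name (case-insensitively, ignoring a trailing period) to one address family."""
    family = 6 if want_ipv6 else 4
    return [a for a in table.get(name.lower().rstrip("."), [])
            if ipaddress.ip_address(a).version == family]


def entries_overriding(table, names):
    """Names from the given list that the host table would answer before DNS is consulted."""
    return sorted(n for n in names if n.lower() in table)


if __name__ == "__main__":
    table, errors = parse_hosts(SAMPLE_HOSTS)
    print(lookup(table, "localhost"), lookup(table, "www"), errors)
```

Because a system configured this way answers from the file before asking DNS, entries_overriding is the kind of check an administrator runs to see which names on a machine are being answered locally rather than by the name servers.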
Host Table Problems
The use of host tables on TCP/IP systems caused several problems, all of which were exacerbated as the fledgling Internet grew from a small “family” of networked computers into today’s gigantic network. The most fundamental problem was that each computer had to have its own host table, which listed the names and addresses of all of the other computers on the network. When you connected a new computer to the network, you could not access it until an entry for it was added to your computer’s host table.
For everyone to keep their host tables updated, it was necessary to inform the administrators when a system was added to the network or a name or address change occurred. Having every administrator of an ARPANET system e-mail every other administrator each time they made a change was obviously not a practical solution, so it was necessary to designate a registrar that would maintain a master list of the systems on the network, their addresses, and their host names.
The task of maintaining this registry was given to the Network Information Center (NIC) at the Stanford Research Institute (SRI), in Menlo Park, California. The master list was stored in a file called Hosts.txt on a computer with the host name SRI-NIC. Administrators of ARPANET systems would e-mail their modifications to the NIC, which would update the Hosts.txt file periodically. To keep their systems updated, the administrators would use FTP to download the latest Hosts.txt file from SRI-NIC and compile it into a new Hosts file for their systems.
Initially, this was an adequate solution, but as the network continued to grow, it became increasingly unworkable. As more systems were added to the network, the Hosts.txt file grew larger, and more people were accessing SRI-NIC to download it on a regular basis. The amount of network traffic generated by this simple maintenance task became excessive, and changes started occurring so fast that it was difficult for administrators to keep their systems updated.
Another serious problem was that there was no control over the host names used to represent the systems on the network. Once TCP/IP came into general use, the NIC was responsible for assigning network addresses, but administrators chose their own host names for the computers on their networks. The accidental use of duplicate host names resulted in misrouted traffic and disruption of communications. Imagine the chaos that would result today if anyone on the Internet was allowed to set up a web server and use the name microsoft.com for it. Clearly, a better solution was needed, and this led to the development of the Domain Name System.
DNS Objectives
To address the problems resulting from the use of host tables for name registration and resolution, the people responsible for the ARPANET decided to design a completely new mechanism. Their primary objectives at first seemed to be contradictory: to design a mechanism that would enable administrators to assign host names to their own systems without creating duplicate names and to make that host name information globally available to other administrators without relying on a single access point that could become a traffic bottleneck and a single point of failure. In addition, the mechanism had to be able to support information about systems that use various protocols with different types of addresses, and it had to be adaptable for use by multiple applications.
The solution was the Domain Name System, designed by Paul Mockapetris and published in 1983 as two Internet Engineering Task Force (IETF) documents called requests for comments (RFC): RFC 882, “Domain Names: Concepts and Facilities,” and RFC 883, “Domain Names: Implementation Specification.” These documents were updated in 1987, published as RFC 1034 and RFC 1035, respectively, and ratified as an IETF standard. Since that time, numerous other RFCs have updated the information in the standard to address current networking issues.
Current requests and updates to older entries can be found at rfc-editor.org.
The DNS, as designed by Mockapetris, consists of three basic elements:
• A hierarchical name space that divides the host system database into discrete elements called domains
• Domain name servers that contain information about the host and subdomains within a given domain
• Resolvers that generate requests for information from domain name servers
These elements are discussed in the following sections.
Domain Naming
The Domain Name System achieves the designated objectives by using a hierarchical system, both in the name space used to name the hosts and in the database that contains the host name information. Before the DNS was developed, administrators assigned simple host names to the computers on their networks. The names sometimes reflected the computer’s function or its location, as with SRI-NIC, but there was no policy in place that required this. At that time, there were few enough computers on the network to make this a practical solution.
To support the network as it grew larger, Mockapetris developed a hierarchical name space that made it possible for individual network administrators to name their systems, while identifying the organization that owns the systems and preventing the duplication of names on the Internet. The DNS name space is based on domains, which exist in a hierarchical structure much like the directory tree in a file system. A domain is the equivalent of a directory, in that it can contain either subdomains (subdirectories) or hosts (files), forming a structure called the DNS tree (see Figure 15-1). By delegating the responsibility for specific domains to network administrators all over the Internet, the result is a distributed database scattered on systems all over the network.
Figure 15-1 The Domain Name System uses a tree structure like that of a file system.
NOTE The term domain has more than one meaning in the computer industry. A domain can be a group of devices on a network administered as one unit. On the Internet, it can be an IP address, such as mcgrawhill.com, in which all the devices sharing part of this address are considered part of the same domain. You may also see software that is in the public domain, which means the program can be used without copyright restrictions.
To assign unique IP addresses to computers all over the Internet, a two-tiered system was devised in which administrators receive the network identifiers that form the first part of the IP addresses and then assign host identifiers to individual computers themselves to form the second part of the addresses. This distributes the address assignment tasks among thousands of network administrators all over the world. The DNS name space functions in the same way: Administrators are assigned domain names and are then responsible for specifying host names to systems within that domain.
The result is that every computer on the Internet is uniquely identifiable by a DNS name that consists of a host name plus the names of all of its parent domains, stretching up to the root of the DNS tree, separated by periods. Each of the names between the periods can be up to 63 characters long, with a total length of 255 characters for a complete DNS name, including the host and all of its parent domains. Domain and host names are not case sensitive and can take any value except the null value (no characters), which represents the root of the DNS tree. Domain and host names also cannot contain any of the following symbols: _:,/\?.@#!$%^&*(){}[]|;"<>~`
NOTE Using a shell prompt, you can enter the IP address of a computer to look up the DNS name.
In Figure 15-2, a computer in the mycorp domain functions as a web server, and the administrator has therefore given it the host name www. This administrator is responsible for the mycorp domain and can therefore assign systems in that domain any host name he wants. Because mycorp is a subdomain of com, the full DNS name for that web server is www.mycorp.com. Thus, a DNS name is something like a postal address, in which the top-level domain is the equivalent of the state, the second-level domain is the city, and the host name is the street address.
Figure 15-2 A DNS name like www.mycorp.com reflects a system’s place in the domain hierarchy.
Because a complete DNS name traces the domain path all the way up the tree structure to the root, it should theoretically end with a period, indicating the division between the top-level domain and the root. However, this trailing period is nearly always omitted in common use, except in cases in which it serves to distinguish an absolute domain name from a relative domain name. An absolute domain name (also called a fully qualified domain name [FQDN]) does specify the path all the way to the root, while a relative domain name specifies only the subdomain relative to a specific domain context. For example, when working on a complex network called zacker.com that uses several levels of subdomains, you might refer to a system using a relative domain name of mail.paris without a period because it’s understood by your colleagues that you’re actually referring to a system with an absolute name of mail.paris.zacker.com. (with a period).
It’s also important to understand that DNS names have no inherent connection to IP addresses or any other type of address. Theoretically, the host systems in a particular domain can be located on different networks, thousands of miles apart.
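The following Python example, added here and not code from the book, applies the naming rules stated above (63-character labels, 255-character total, no empty labels, none of the listed symbols, case-insensitive comparison) and turns a relative name into an absolute one by appending a domain context, using the chapter's own zacker.com illustration. The function names are this example's, not any library's.

```python
"""Validate DNS names and qualify relative names (added example, not from the book)."""

# The symbols the chapter lists as forbidden; the period is the label separator, so it is
# never part of a label and the check is applied label by label.
FORBIDDEN = set('_:,/\\?.@#!$%^&*(){}[]|;"<>~`')
MAX_LABEL, MAX_NAME = 63, 255


def check_name(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    absolute = name.endswith(".")
    body = name[:-1] if absolute else name
    if body == "":
        return ["empty name (only the root has the null name)"]
    if len(name) > MAX_NAME:
        problems.append("total length %d exceeds %d" % (len(name), MAX_NAME))
    for label in body.split("."):
        if label == "":
            problems.append("empty label (consecutive or leading periods)")
            continue
        if len(label) > MAX_LABEL:
            problems.append("label %r longer than %d characters" % (label, MAX_LABEL))
        bad = sorted(set(label) & FORBIDDEN)
        if bad:
            problems.append("label %r contains forbidden symbol(s) %s" % (label, "".join(bad)))
    return problems


def qualify(name, context):
    """Absolute names (trailing period) are returned as they are; relative names get the
    context appended, so mail.paris in the zacker.com context becomes mail.paris.zacker.com."""
    if name.endswith("."):
        return name.lower()
    return (name + "." + context.rstrip(".") + ".").lower()


def same_name(a, b):
    """DNS names are not case sensitive; compare them in a canonical lower-case form."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


if __name__ == "__main__":
    print(check_name("www.mycorp.com"), qualify("mail.paris", "zacker.com"))
    print(check_name("bad_host.com"))
```

Validating names this way before they are written into a host table or zone file catches the truncations and stray characters that otherwise surface later as names that resolve for one client and not another.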
Top-Level Domains
In every DNS name, the first word on the right represents the domain at the highest level in the DNS tree, called a top-level domain. These top-level domains essentially function as registrars for the domains at the second level. For example, the administrator of zacker.com went to the com top-level domain and registered the name zacker. In return for a fee, that administrator now has exclusive use of the name zacker.com and can create any host or subdomain names in that domain that he wants. It doesn’t matter that thousands of other network administrators have named their web servers www because they all have their own individual domain names. The host name www may be duplicated anywhere, as long as the DNS name is unique.
The original DNS name space called for seven top-level domains, centered in U.S. nomenclature and dedicated to specific purposes, as follows:
• com Commercial organizations
• edu Four-year, degree-granting educational institutions in North America
• gov U.S. government institutions
• int Organizations established by international treaty
• mil U.S. military applications
• net Networking organizations
• org Noncommercial organizations
The edu, gov, int, and mil domains were originally reserved for use by certified organizations, but the com, org, and net domains were and are called global domains, because organizations anywhere in the world can register second-level domains within them. Originally, these top-level domains were managed by a company called Network Solutions (NSI, formerly known as InterNIC, the Internet Network Information Center) as a result of a cooperative agreement with the U.S. government. You can still go to its web site at www.networksolutions.com/ and register names in these top-level domains.
In 1998, the agreement with the U.S. government was changed to permit other organizations to compete with NSI in providing domain registrations. An organization called the Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the accreditation of domain name registrars. Under this new policy, the procedures and fees for registering names in the com, net, and org domains may vary, but there will be no difference in the functionality of the domain names, nor will duplicate names be permitted. The complete list of registrars that have been accredited by ICANN is available at http://www.webhosting.info/registrars/.
Currently, more than 1,900 new top-level domain names have been submitted to ICANN, and during 2015, it is anticipated that each week new names will be available for open registration. While there may be conflicts, the issues will, at this time, be settled by auction or negotiation. Approval for new top-level domain names currently has three stages:
• Sunrise stage During this 60-day period, legal trademark owners can “stake their claim” before registration for that name.
• Landrush stage This is a preregistration period where applicants can pay a fee (which in many cases will be substantial) for a specific domain name.
• Open registration During this time, anyone can register a new domain.
.com Domain Conflicts
The com top-level domain is the one most closely associated with commercial Internet interests, and names of certain types in the com domain are becoming scarce. For example, it is difficult at this time to come up with a snappy name for an Internet technology company that includes the word “net” that has not already been registered in the com domain.
There have also been conflicts between organizations that think they have a right to a particular domain name. Trademark law permits two companies to have the same name, as long as they are not directly competitive in the marketplace. However, A1 Auto Parts Company and A1 Software may both feel that they have a right to the a1.com domain, and lawsuits have arisen in some cases. In other instances, forward-thinking private individuals who registered domains using their own names have later been confronted by corporations with the same name who want to jump on the Internet bandwagon and think they have a right to that name. If a certain individual of Scottish extraction registers his domain only to find out some years later that a fast-food company (for example) is very anxious to acquire that domain name, the end result can be either a profitable settlement for the individual or a nasty court case.
This phenomenon gave rise to a particular breed of Internet bottom-feeder known as domain name speculators. These people register large numbers of domain names that they think some company might want someday, hoping that they can receive a large fee in return for selling them the domain name. Another unscrupulous practice is for a company in a particular business to register domains using the names of their competitors. Thus, when Internet users go to pizzaman.com, expecting to find Ray the Pizza Man’s web site, they instead find themselves redirected to the site for Bob’s Pizza Palace, which is located across the street from Ray’s.
Cybersquatting
By definition, cybersquatting is the practice of registering an Internet domain name simply for the purpose of profiting by selling the name to someone else. According to the World Intellectual Property Organization (WIPO), this practice includes the following:
• Abusive registration of a domain name that is misleadingly similar or identical to an existing trademark.
• A registered domain name for which the registering party has no rights or legitimate interests.
• A domain name that is registered and used in bad faith.
ICANN created its Uniform Domain Name Resolution Policy (UDRP) to counteract cybersquatting. Since 2000, all registrants of domains such as .com, .net, and .org have been subject to this policy. In response to the new top-level domains (TLDs), in March 2013, ICANN launched the IP Trademark Clearinghouse, a centralized database of valid trademarks to protect these trademarks, especially during the time in which the new TLDs are launched.
Country-Code Domains
There are many country-code domains (also called international domains), named for specific countries using the ISO designations, such as fr for France and de for Deutschland (Germany). Many of these countries allow free registration of second-level domains to anyone, without restrictions. For the other countries, an organization must conform to some sort of local presence, tax, or trademark guidelines in order to register a second-level domain. Each of these country-code domains is managed by an organization in that country, which establishes its own domain name registration policies.
NOTE For the country codes maintained by the International Organization for Standardization (ISO), see www.iso.org/iso/country_codes.htm.
There is also a us top-level domain that is a viable alternative for organizations unable to obtain a satisfactory name in the com domain. In March 2014, the National Telecommunications and Information Administration (NTIA) arm of the U.S. Department of Commerce awarded the administrative contract to Neustar for three years. This entity registers second-level domains to businesses and individuals, as well as to government agencies, educational institutions, and other organizations. The only restriction is that all us domains must conform to a naming hierarchy that uses two-letter state abbreviations at the third level and uses local city or county names at the fourth level. Thus, an example of a valid domain name would be something like mgh.newyork.ny.us. The general format is <organization-name>.<locality>.<state>.us, where <state> is a state’s two-letter postal abbreviation.
Second-Level Domains
The registrars of the top-level domains are responsible for registering second-level domain names, in return for a subscription fee. As long as an organization continues to pay the fees for its domain name, it has exclusive rights to that name. The domain registrar maintains records that identify the owner of each second-level domain and specify three contacts within the registrant’s organization—an administrative contact, a billing contact, and a technical contact. In addition, the registrar must have the IP addresses of two DNS servers that function as the source for further information about the domain. This is the only information maintained by the top-level domain. The administrators of the registrant’s network can create as many hosts and subdomains within the second-level domain as they want without informing the registrars at all.
To host a second-level domain, an organization must have two DNS servers. A DNS server is a software program that runs on a computer. DNS server products are available for all of the major network operating systems. The DNS servers do not have to be located on the registrant’s network; many companies outsource their Internet server hosting chores and use their service provider’s DNS servers. The DNS servers identified in the top-level domain’s record are the authority for the second-level domain. This means that these servers are the ultimate source for information about that domain. When network administrators want to add a host to the network or create a new subdomain, they do so in their own DNS servers. In addition, whenever a user application somewhere on the Internet has to discover the IP address associated with a particular host name, the request eventually ends up at one of the domain’s authoritative servers.
Thus, in its simplest form, the Domain Name System works by referring requests for the address of a particular host name to a top-level domain server, which in turn passes the request to the authoritative server for the second-level domain, which responds with the requested information. This is why the DNS is described as a distributed database. The information about the hosts in specific domains is stored on their authoritative servers, which can be located anywhere. There is no single list of all the host names on the entire Internet, which is actually a good thing because at the time that the DNS was developed, no one would have predicted that the Internet would grow as large as it has.
This distributed nature of the DNS database eliminates the traffic-congestion problem caused by the use of a host table maintained on a single computer. The top-level domain server handles millions of requests a day, but they are requests only for the DNS servers associated with second-level domains. If the top-level domains had to maintain records for every host in every second-level domain they have registered, the resulting traffic would bring the entire system to its knees.
Distributing the database in this way also splits the chores of administering the database among thousands of network administrators around the world. Domain name registrants are each responsible for their own area of the name space and can maintain it as they want with complete autonomy.
SubdomainsManyofthedomainsontheInternetstopattwolevels,meaningthatthesecond-leveldomaincontainsonlyhostsystems.However,itispossiblefortheadministratorsofasecond-leveldomaintocreatesubdomainsthatformadditionallevels.Theustop-leveldomain,forexample,requiresaminimumofthreelevels:thecountrycode,thestatecode,andthelocalcityorcountycode.Thereisnolimitonthenumberoflevelsyoucancreatewithinadomain,exceptforthoseimposedbypracticalityandthe255-charactermaximumDNSnamelength.
Insomecases,largeorganizationsusesubdomainstosubdividetheirnetworksaccordingtogeographicalororganizationalboundaries.Alargecorporationmightcreateathird-leveldomainforeachcityorcountryinwhichithasanoffice,suchasparis.zacker.comandnewyork.zacker.com,orforeachofseveraldepartments,suchassales.zacker.comandmis.zacker.com.Theorganizationalparadigmforeachdomainisleftcompletelyuptoitsadministrators.
Theuseofsubdomainscanmakeiteasiertoidentifyhostsonalargenetwork,butmanyorganizationsalsousethemtodelegatedomainmaintenancechores.TheDNSserversforatop-leveldomaincontaintheaddressesforeachsecond-leveldomain’sauthoritativeservers.Inthesameway,asecond-leveldomain’sserverscanrefertoauthoritativeserversforthird-leveladministratorsateachsitetomaintaintheirownDNSservers.
Tomakethisdelegationpossible,DNSserverscanbreakupadomain’snamespaceintoadministrativeunitscalledzones.Adomainwithonlytwolevelsconsistsofonlyasinglezone,whichissynonymouswiththedomain.Athree-leveldomain,however,canbedividedintomultiplezones.AzonecanbeanycontiguousbranchofaDNStreeandcanincludedomainsonmultiplelevels.Forexample,inthediagramshowninFigure15-3,theparis.zacker.comdomain,includingallofitssubdomainsandhosts,isonezone,representedbyitsownDNSservers.Therestofthezacker.comdomain,includingnewyork.zacker.com,chicago.zacker.com,andzacker.comitself,isanotherzone.Thus,azonecanbedefinedasanypartofadomain,includingitssubdomains,thatisnotdesignatedaspartofanotherzone.
Figure15-3AzoneisanadministrativeentitythatcontainsabranchoftheDNStree.
EachzonemustberepresentedbyDNSserversthataretheauthorityforthatzone.AsingleDNSservercanbeauthoritativeformultiplezones,soyoucouldconceivablycreateaseparatezoneforeachofthethird-leveldomainsinzacker.comandstillhaveonlytwosetsofDNSservers.
DNS Functions
DNS servers are a ubiquitous part of most TCP/IP networks, even if you aren’t aware of it. If you connect to the Internet, you use a DNS server each time you enter a server name or URL into a web browser or other application to resolve the name of the system you specified into an IP address. When a stand-alone computer connects to an Internet service provider (ISP), the ISP’s server usually supplies the addresses of the DNS servers that the system will use. On a TCP/IP network, administrators or users configure clients with the addresses of the DNS servers they will use. This can be a manual process performed for each workstation or an automatic process performed using a service such as Dynamic Host Configuration Protocol (DHCP). The end user will not usually see the IP address because this is all taken care of in the background.
TCP/IP communications are based solely on IP addresses. Before one system can communicate with another, it must know its IP address. Often, the user supplies a friendly name (such as a DNS name) for a desired server to a client application. The application must then resolve that server name into an IP address before it can transmit a message to it. If the name resolution mechanism fails to function, no communication with the server is possible.
Virtually all TCP/IP networks use some form of friendly name for host systems and include a mechanism for resolving those names into the IP addresses needed to initiate communications between systems. If the network is connected to the Internet, DNS name resolution is a necessity. Private networks do not necessarily need it, however. Microsoft Windows NT networks, for example, use NetBIOS names to identify their systems and have their own mechanisms for resolving those names into IP addresses. These mechanisms include the Windows Internet Naming System (WINS) and also the transmission of broadcast messages to every system on the network. NetBIOS names and name resolution mechanisms do not replace the DNS; they are intended for use on relatively small, private networks and would not be practical on the Internet. A computer can have both a NetBIOS name and a DNS host name and use both types of name resolution.
Resource Records
DNS servers are basically database servers that store information about the hosts and subdomains for which they are responsible in resource records (RRs). When you run your own DNS server, you create a resource record for each host name that you want to be accessible by the rest of the network. There are several different types of resource records used by DNS servers, the most important of which are as follows:
• Start of authority (SOA) Indicates that the server is the best authoritative source for data concerning the zone. Each zone must have an SOA record, and only one SOA record can be in a zone.
• Name server (NS) Identifies a DNS server functioning as an authority for the zone. Each DNS server in the zone (whether primary, master, or slave) must be represented by an NS record.
• Address (A) Provides a name-to-address mapping that supplies an IP address for a specific DNS name. This record type performs the primary function of the DNS, converting names to addresses.
• PTR (Pointer) Provides an address-to-name mapping that supplies a DNS name for a specific address in the in-addr.arpa domain. This is the functional opposite of an A record, used for reverse lookups only.
• Canonical name (CNAME) Creates an alias that points to the canonical name (that is, the “real” name) of a host identified by an A record. CNAME records are used to provide alternative names by which systems can be identified. For example, you may have a system with the name server1.zacker.com on your network that you use as a web server. Changing the host name of the computer would confuse your users, but you want to use the traditional name of www to identify the web server in your domain. Once you create a CNAME record for the name www.zacker.com that points to server1.zacker.com, the system is addressable using either name.
• Mail exchanger (MX) Identifies a system that will direct e-mail traffic sent to an address in the domain to the individual recipient, a mail gateway, or another mail server.
In addition to functioning as the authority for a small section of the DNS name space, servers process client name resolution requests by either consulting their own resource records or forwarding the request to another DNS server on the network. The process of forwarding a request is called a referral, and this is how all of the DNS servers on the Internet work together to provide a unified information resource for the entire domain name space.
DNS Name Resolution
All Internet applications use DNS to resolve host names into IP addresses. When you type a URL containing a DNS name (such as mcgrawhill.com) into the browser’s Address field and press ENTER, it is while the application goes through the process of finding the site and connecting that the DNS name resolution process occurs.
From the client’s perspective, the procedure that occurs during these few seconds consists of the application sending a query message to its designated DNS server that contains the name to be resolved. The server then replies with a message containing the IP address corresponding to that name. Using the supplied address, the application can then transmit a message to the intended destination. It is only when you examine the DNS server’s role in the process that you see how complex the procedure really is.
Resolvers
The component in the client system that generates the DNS query is called a resolver. In most cases, the resolver is a simple set of library routines in the operating system that generates the queries to be sent to the DNS server, reads the response information from the server’s replies, and feeds the response to the application that originally requested it. In addition, a resolver can resend a query if no reply is forthcoming after a given timeout period and can process error messages returned by the server, such as when it fails to resolve a given name.
DNS Requests
A TCP/IP client usually is configured with the addresses of two DNS servers to which it can send queries. A client can send a query to any DNS server; it does not have to use the authoritative server for the domain in which it belongs, nor does the server have to be on the local network. Using the DNS server that is closest to the client is best, however, because it minimizes the time needed for messages to travel between the two systems. A client needs access to only one DNS server, but two are usually specified to provide a backup in case one server is unavailable.
There are two types of DNS queries: recursive and iterative. When a server receives a recursive query, it is responsible for trying to resolve the requested name and for transmitting a reply to the requestor. Even if the server does not possess the required information itself, it must send its own queries to other DNS servers until it obtains the requested information or an error message stating why the information was unavailable and must then relay the information to the requestor. The system that generated the query, therefore, receives a reply only from the original server to which it sent the query. The resolvers in client systems nearly always send recursive queries to DNS servers.
When a server receives an iterative query (also called a nonrecursive query), it can either respond with information from its own database or refer the requestor to another DNS server. The recipient of the query responds with the best answer it currently possesses, but is not responsible for searching for the information, as with a recursive query. DNS servers processing a recursive query from a client typically use iterative queries to request information from other servers. It is possible for a DNS server to send a recursive query to another server, thus in effect “passing the buck” and forcing the other server to search for the requested information, but this is considered bad form and is rarely done without permission.
One of the scenarios in which DNS servers do send recursive queries to other servers is when you configure a server to function as a forwarder. On a network running several DNS servers, you may not want all of the servers sending queries to other DNS servers on the Internet. If the network has a relatively slow connection to the Internet, for example, several servers transmitting repeated queries may use too much of the available bandwidth.
To prevent this, some DNS implementations enable you to configure one server to function as the forwarder for all Internet queries generated by the other servers on the network. Any time that a server has to resolve the DNS name of an Internet system and fails to find the needed information in its cache, it transmits a recursive query to the forwarder, which is then responsible for sending its own iterative queries over the Internet connection. Once the forwarder resolves the name, it sends a reply to the original DNS server, which relays it to the client.
This request-forwarding behavior is a function of the original server only. The forwarder simply receives standard recursive queries from the original server and processes them normally. A server can be configured to use a forwarder in either exclusive or nonexclusive mode. In exclusive mode, the server relies completely on the forwarder to resolve the requested name. If the forwarder’s resolution attempt fails, the server relays a failure message to the client. A server that uses a forwarder in exclusive mode is called a slave. In nonexclusive mode, if the forwarder fails to resolve the name and transmits an error message to the original server, that server makes its own resolution attempt before responding to the client.
Root Name Servers
In most cases, DNS servers that do not possess the information needed to resolve a name requested by a client send their first iterative query to one of the Internet’s root name servers. The root name servers possess information about all of the top-level domains in the DNS name space. When you first install a DNS server, the only addresses that it needs to process client requests are those of the root name servers because these servers can send a request for a name in any domain on its way to the appropriate authority.
The root name servers contain the addresses of the authoritative servers for all the top-level domains on the Internet. In fact, the root name servers are the authorities for certain top-level domains, but they can also refer queries to the appropriate server for any of the other top-level domains, including the country-code domains, which are scattered all over the world. There are currently 13 root name servers, and they process millions of requests each day. The servers are also scattered widely and connected to different network trunks, so the chances of all of them being unavailable are minimal. If this were to occur, virtually all DNS name resolution would cease, and the Internet would be crippled.
Currently, the NTIA administers authority through ICANN over these root name servers. However, in March 2014, the NTIA announced it will cede authority to another organization, which has not yet been identified.
Resolving a Domain Name
With the preceding pieces in place, you are now ready to see how the DNS servers work together to resolve the name of a server on the Internet (see Figure 15-4). The process is as follows:
Figure 15-4 DNS servers communicate among themselves to locate the information requested by a client.
1. A user on a client system specifies the DNS name of an Internet server in an application such as a web browser or File Transfer Protocol (FTP) client.
2. The application generates an application programming interface (API) call to the resolver on the client system, and the resolver creates a DNS recursive query message containing the server name.
3. The client system transmits the recursive query message to the DNS server identified in its TCP/IP configuration.
4. The client’s DNS server, after receiving the query, checks its resource records to see whether it is the authoritative source for the zone containing the requested server name. If it is the authority, it generates a reply message and transmits it to the client. If the DNS server is not the authority for the domain in which the requested server is located, it generates an iterative query and submits it to one of the root name servers.
5. The root name server examines the name requested by the original DNS server and consults its resource records to identify the authoritative servers for the name’s top-level domain. Because the root name server received an iterative request, it does not send its own request to the top-level domain server. Instead, it transmits a reply to the original DNS server that contains a referral to the top-level domain server addresses.
6. The original DNS server then generates a new iterative query and transmits it to the top-level domain server. The top-level domain server examines the second-level domain in the requested name and transmits to the original server a referral containing the addresses of authoritative servers for that second-level domain.
7. The original server generates yet another iterative query and transmits it to the second-level domain server. If the requested name contains additional domain names, the second-level domain server replies with another referral to the third-level domain servers. The second-level domain server may also refer the original server to the authorities for a different zone. This process continues until the original server receives a referral to the domain server that is the authority for the domain or zone containing the requested host.
8. Once the authoritative server for the domain or zone containing the host receives a query from the original server, it consults its resource records to determine the IP address of the requested system and transmits it in a reply message to that original server.
9. The original server receives the reply from the authoritative server and transmits the IP address back to the resolver on the client system. The resolver relays the address to the application, which can then initiate communications with the system specified by the user.
This procedure assumes a successful completion of the name resolution procedure. If any of the authoritative DNS servers queried returns an error message to the original server stating, for example, that one of the domains in the name does not exist, this error message is relayed to the client and the name resolution process is said to have failed.
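The referral chain of steps 4 through 9, as an added example that is not code from the book: the root, the com top-level domain, zacker.com and the delegated paris.zacker.com zone are stand-in servers built in memory, the client's DNS server follows their referrals with iterative queries, and a Name Error from an authority is relayed back as a failed resolution. The server names (root-ns, com-tld-ns, ns1.zacker.com, ns1.paris.zacker.com) and the address 192.168.215.7 are constructed; www.zacker.com and 192.168.214.23 are the chapter's own values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed data for the example (not from the book): server names are placeholders.


@dataclass
class Reply:
    """What a server returns to an iterative query: exactly one of the three is set."""
    answer: Optional[str] = None                       # IP address, from an authoritative server
    referral: List[str] = field(default_factory=list)  # names of the servers to ask next
    error: Optional[str] = None                        # e.g. "NXDOMAIN" (RCODE 3, Name Error)


class NameServer:
    """A server that answers iterative queries only: it never chases referrals itself."""

    def __init__(self, name: str, records: Optional[Dict[str, str]] = None,
                 delegations: Optional[Dict[str, List[str]]] = None):
        self.name = name
        self.records = records or {}          # fqdn -> IP address (A records it is authoritative for)
        self.delegations = delegations or {}  # child zone -> names of that zone's authoritative servers

    def query(self, fqdn: str) -> Reply:
        if fqdn in self.records:              # step 8: the authority answers from its own records
            return Reply(answer=self.records[fqdn])
        # Steps 5-7: refer the requestor to the longest delegated child zone containing the name.
        matches = [zone for zone in self.delegations if fqdn.endswith("." + zone)]
        if matches:
            return Reply(referral=self.delegations[max(matches, key=len)])
        return Reply(error="NXDOMAIN")        # the name exists in no zone this server knows about


class RecursiveServer:
    """The client's DNS server: accepts a recursive query and does all the work (steps 4-9)."""

    def __init__(self, network: Dict[str, NameServer], root_hints: List[str]):
        self.network = network        # stand-in for the Internet: server name -> server
        self.root_hints = root_hints  # the only addresses a freshly installed server needs

    def resolve(self, fqdn: str, max_referrals: int = 10) -> Tuple[Optional[str], List[Tuple[str, str]]]:
        """Return (ip or None, trail of (server, outcome)) after following referrals from the root."""
        trail: List[Tuple[str, str]] = []
        next_servers = list(self.root_hints)
        for _ in range(max_referrals):
            server = self.network[next_servers[0]]
            reply = server.query(fqdn)
            if reply.answer:
                trail.append((server.name, "answer"))
                return reply.answer, trail
            if reply.error:                    # relayed to the client: resolution has failed
                trail.append((server.name, reply.error))
                return None, trail
            trail.append((server.name, "referral"))
            next_servers = reply.referral
        raise RuntimeError("too many referrals for " + fqdn)


def build_network() -> Dict[str, NameServer]:
    """Root -> com -> zacker.com -> paris.zacker.com, each a separate zone with its own server."""
    root = NameServer("root-ns", delegations={"com": ["com-tld-ns"]})
    com = NameServer("com-tld-ns", delegations={"zacker.com": ["ns1.zacker.com"]})
    zacker = NameServer("ns1.zacker.com",
                        records={"www.zacker.com": "192.168.214.23"},
                        delegations={"paris.zacker.com": ["ns1.paris.zacker.com"]})
    paris = NameServer("ns1.paris.zacker.com",
                       records={"host1.paris.zacker.com": "192.168.215.7"})
    return {s.name: s for s in (root, com, zacker, paris)}


if __name__ == "__main__":
    resolver = RecursiveServer(build_network(), root_hints=["root-ns"])
    for name in ("www.zacker.com", "host1.paris.zacker.com", "nosuch.zacker.com"):
        ip, trail = resolver.resolve(name)
        print(name, "->", ip, "via", " > ".join(f"{s}:{o}" for s, o in trail))
```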
DNS Server Caching
This process may seem extremely long and complex, but in many cases, it isn’t necessary for the client’s DNS server to send queries to the servers for each domain specified in the requested DNS name. DNS servers are capable of retaining the information they learn about the DNS name space in the course of their name resolution procedures and storing it in a cache on the local drive.
A DNS server that receives requests from clients, for example, caches the addresses of the requested systems, as well as the addresses for particular domains’ authoritative servers. The next time that a client transmits a request for a previously resolved name, the server can respond immediately with the cached information. In addition, if a client requests another name in one of the same domains, the server can send a query directly to an authoritative server for that domain, and not to a root name server. Thus, users should generally find that names in commonly accessed domains resolve more quickly because one of the servers along the line has information about the domain in its cache, while names in obscure domains take longer because the entire request/referral process is needed.
Negative Caching
In addition to storing information that aids in the name resolution process, most modern DNS server implementations are capable of negative caching. Negative caching occurs when a DNS server retains information about names that do not exist in a domain. If, for example, a client sends a query to its DNS server containing a name in which the second-level domain does not exist, the top-level domain server will return a reply containing an error message to that effect. The client’s DNS server will then retain the error message information in its cache. The next time a client requests a name in that domain, the DNS server will be able to respond immediately with its own error message, without consulting the top-level domain.
Cache Data Persistence
Caching is a vital element of the DNS architecture because it reduces the number of requests sent to the root name and top-level domain servers, which, being at the top of the DNS tree, are the most likely to act as a bottleneck for the whole system. However, caches must be purged eventually, and there is a fine line between effective and ineffective caching. Because DNS servers retain resource records in their caches, it can take hours or even days for changes made in an authoritative server to be propagated around the Internet. During this period, users may receive incorrect information in response to a query. If information remains in server caches too long, the changes that administrators make to the data in their DNS servers take too long to propagate around the Internet. If caches are purged too quickly, the number of requests sent to the root name and top-level domain servers increases precipitously.
The amount of time that DNS data remains cached on a server is called its time to live (TTL). Unlike most data caches, the time to live is not specified by the administrator of the server where the cache is stored. Instead, the administrators of each authoritative DNS server specify how long the data for the resource records in their domains or zones should be retained in the servers where it is cached. This enables administrators to specify a time-to-live value based on the volatility of their server data. On a network where changes in IP addresses or the addition of new resource records is frequent, a lower time-to-live value increases the likelihood that clients will receive current data. On a network that rarely changes, you can use a longer time-to-live value and minimize the number of requests sent to the parent servers of your domain or zone.
DNS Load Balancing
In most cases, DNS servers maintain one IP address for each host name. However, there are situations in which more than one IP address is required. In the case of a highly trafficked web site, for example, one server may not be sufficient to support all of the clients. To have multiple, identical servers with their own IP addresses hosting the same site, some mechanism is needed to ensure that client requests are balanced among the machines.
One way of doing this is to control how the authoritative servers for the domain on which the site is located resolve the DNS name of the web server. Some DNS server implementations enable you to create multiple resource records with different IP addresses for the same host name. As the server responds to queries requesting resolution of that name, it uses the resource records in a rotational fashion to supply the IP address of a different machine to each client.
DNS caching tends to defeat the effectiveness of this rotational system because servers use the cached information about the site, rather than issuing a new query and possibly receiving the address for another system. As a result, it is generally recommended that you use a relatively short time-to-live value for the duplicated resource records.
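The caching, negative caching, time-to-live and load-balancing behaviour of the preceding sections in one added example (not the book's code): an authoritative server hands out two A records for www.zacker.com in rotation and sets their TTL, and a caching server in front of it serves cached answers, including cached Name Errors, until that TTL expires. The second address 192.168.214.24, the TTL values and the timings are constructed; the authority's TTL is also applied to negative answers here as a simplification.

```python
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example data (not from the book): the second address and all timings are made up.


class AuthoritativeServer:
    """The authority for zacker.com. It, not the caching server, decides the TTL of its records."""

    def __init__(self, records: Dict[str, List[str]], ttl: int):
        self.ttl = ttl
        # One deque per name so several A records for the same name can be rotated (load balancing).
        self.records = {name: deque(addrs) for name, addrs in records.items()}

    def query(self, name: str) -> Tuple[Optional[List[str]], int]:
        """Return (addresses, ttl); addresses is None for a name that does not exist (Name Error)."""
        addrs = self.records.get(name)
        if addrs is None:
            return None, self.ttl           # simplification: negative answers use the same TTL
        result = list(addrs)
        addrs.rotate(-1)                    # the next client gets the records in a rotated order
        return result, self.ttl


class CachingServer:
    """The client's DNS server: answers from cache while the authority's TTL has not expired."""

    def __init__(self, authority: AuthoritativeServer, clock: Callable[[], int]):
        self.authority = authority
        self.clock = clock                  # returns the current time in seconds
        self.cache: Dict[str, Tuple[Optional[List[str]], int]] = {}  # name -> (answer, expiry)
        self.upstream_queries = 0           # how often the authority had to be asked

    def resolve(self, name: str) -> Optional[List[str]]:
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]                # positive or negative entry, served without any query
        answer, ttl = self.authority.query(name)
        self.upstream_queries += 1
        self.cache[name] = (answer, now + ttl)   # expiry comes from the authority's TTL, not from us
        return answer


class FakeClock:
    """Manual clock so the example runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 0

    def __call__(self) -> int:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += seconds


def demo(ttl: int):
    """Resolve www.zacker.com four times (expiring the cache after two), then a missing name twice."""
    clock = FakeClock()
    authority = AuthoritativeServer({"www.zacker.com": ["192.168.214.23", "192.168.214.24"]}, ttl)
    server = CachingServer(authority, clock)
    before = [server.resolve("www.zacker.com")[0] for _ in range(2)]
    clock.advance(ttl + 1)                  # the cached record has now outlived its TTL
    after = [server.resolve("www.zacker.com")[0] for _ in range(2)]
    missing = [server.resolve("nosuch.zacker.com") for _ in range(2)]
    return before, after, missing, server.upstream_queries


if __name__ == "__main__":
    # With a long TTL every client served from cache sees the same first address: rotation is defeated.
    print("TTL 3600:", demo(3600))
    # With a very short TTL each query reaches the authority and the first address alternates.
    print("TTL 0:   ", demo(0))
```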
Reverse Name Resolution
The Domain Name System is designed to facilitate the resolution of DNS names into IP addresses, but there are also instances in which IP addresses have to be resolved into DNS names. These instances are relatively rare. In log files, for example, some systems convert IP addresses to DNS names to make the data more readily accessible to human readers. Certain systems also use reverse name resolution in the course of authentication procedures.
The structure of the DNS name space and the method by which it’s distributed among various servers is based on the domain name hierarchy. When the entire database is located on one system, such as in the case of a host table, searching for a particular address to find out its associated name is no different from searching for a name to find an address. However, locating a particular address in the DNS name space would seem to require a search of all of the Internet’s DNS servers, which is obviously impractical.
To make reverse name resolution possible without performing a massive search across the entire Internet, the DNS tree includes a special branch that uses the dotted decimal values of IP addresses as domain names. This branch stems from a domain called in-addr.arpa, which is located just beneath the root of the DNS tree, as shown in Figure 15-5. Just beneath the in-addr domain, there are 256 subdomains named using the numbers 0 to 255 to represent the possible values of an IP address’s first byte. Each of these subdomains contains another 256 subdomains representing the possible values of the second byte. The next level has another 256 domains, each of which can have up to 256 numbered hosts, which represent the third and fourth bytes of the address.
Figure 15-5 The in-addr.arpa domain hierarchy
Using the in-addr.arpa domain structure, each of the hosts represented by a standard name on a DNS server also has an equivalent DNS name constructed using its IP address. Therefore, if a system with the IP address 192.168.214.23 is listed in the DNS server for the zacker.com domain with the host name www, there is also a resource record for that system with the DNS name 23.214.168.192.in-addr.arpa, meaning that there is a host with the name 23 in a domain called 214.168.192.in-addr.arpa, as shown in Figure 15-6. This domain structure makes it possible for a system to search for the IP address of a host in a domain (or zone) without having to consult other servers in the DNS tree. In most cases, you can configure a DNS server to automatically create an equivalent resource record in the in-addr.arpa domain for every host you add to the standard domain name space.
Figure 15-6 Each host in the DNS database has two resource records.
The byte values of IP addresses are reversed in the in-addr.arpa domain because in a DNS name, the least significant word comes first, whereas in IP addresses, the least significant byte comes last. In other words, a DNS name is structured with the root of the DNS tree on the right side and the host name on the left. In an IP address, the host identifier is on the right, and the network identifier is on the left. It would be possible to create a domain structure using the IP address bytes in their regular order, but this would complicate the administration process by making it harder to delegate maintenance tasks based on network addresses.
DNS Name Registration
As you have already learned, name resolution is the process by which IP address information for a host name is extracted from the DNS database. The process by which host names and their addresses are added to the database is called name registration. Name registration refers to the process of creating new resource records on a DNS server, thus making them accessible to all of the other DNS servers on the network.
The name registration process on a traditional DNS server is decidedly low-tech. There is no mechanism by which the server can detect the systems on the network and enter their host names and IP addresses into resource records. In fact, a computer may not even be aware of its host name because it receives all of its communications using IP addresses and never has to answer to its name.
To register a host in the DNS name space, an administrator has to manually create a resource record on the server. The method for creating resource records varies depending on the DNS server implementation. Unix-based servers require you to edit a text file, while Microsoft DNS Server uses a graphical interface.
Manual Name Registration
The manual name registration process is an adaptation of the host table for use on a DNS server. It is easy to see how, in the early days, administrators were able to implement DNS servers on their network by using their host tables with slight modifications. Today, however, the manual name registration process can be problematic on some networks.
If you have a large number of hosts, manually creating resource records for all of them can be a tedious affair, even with a graphical interface. However, depending on the nature of the network, it may not be necessary to register every system in the DNS. If, for example, you are running a Windows NT network using unregistered IP addresses, you may not need your own DNS server at all, except possibly to process client name resolution requests. Windows NT networks have their own NetBIOS naming system and name resolution mechanisms, and you generally don’t need to refer to them using DNS names.
The exceptions to this would be systems with registered IP addresses that you use as web servers or other types of Internet servers. These must be visible to Internet users and, therefore, must have a host name in a registered DNS domain. In most cases, the number of systems like this on a network is small, so manually creating the resource records is not much of a problem. If you have Unix systems on your network, however, you are more likely to use DNS to identify them using names, and in this case, you must create resource records for them.
Dynamic Updates
As networks grow larger and more complex, the biggest problem arising from manual name registration stems from the increasing use of DHCP servers to dynamically assign IP addresses to network workstations. The manual configuration of TCP/IP clients is another long-standing network administration chore that is gradually being phased out in favor of an automated solution. Assigning IP addresses dynamically means that workstations can have different addresses from one day to the next, and the original DNS standard has no way of keeping up with the changes.
On networks where only a few servers have to be visible to the Internet, it wasn’t too great an inconvenience to configure them manually with static IP addresses and use DHCP for the unregistered systems. This situation changed with the advent of Windows 2000 and Active Directory. Windows NT networks used WINS to resolve NetBIOS names into IP addresses, but name registration was automatic with WINS. WINS automatically updated its database record for a workstation assigned a new IP address by a DHCP server so that no administrator intervention was required. Active Directory, however, relied heavily on DNS instead of WINS to resolve the names of systems on the network and to keep track of the domain controllers available for use by client workstations.
To make the use of DNS practical, members of the IETF developed a new specification, published as RFC 2136, “Dynamic Updates in the Domain Name System.” This document defined a new DNS message type, called an Update, which systems such as domain controllers and DHCP servers can generate and transmit to a DNS server. These Update messages modify or delete existing resource records or create new ones, based on prerequisites specified by the administrator.
Zone Transfers
Most networks use at least two DNS servers to provide fault tolerance and to give clients access to a nearby server. Because the resource records (in most cases) have to be created and updated manually by administrators, the DNS standards define a mechanism that replicates the DNS data among the servers, thus enabling administrators to make the changes only once.
The standards define two DNS server roles: the primary master and the secondary master, or slave. The primary master server loads its resource records and other information from the database files on the local drive. The slave (or secondary master) server receives its data from another server in a process called a zone transfer, which the slave performs each time it starts and periodically thereafter. The server from which the slave receives its data is called its master server, but it need not be the primary master. A slave can receive data from the primary master or another slave.
Zone transfers are performed for individual zones, and because a single server can be the authority for multiple zones, more than one transfer may be needed to update all of a slave server’s data. In addition, the primary master and slave roles are zone specific. A server can be the primary master for one zone and the slave for another, although this practice generally should not be necessary and is likely to generate some confusion.
Although slave servers receive periodic zone transfers from their primaries, they are also able to load database files from their local drives. When a slave server receives a zone transfer, it updates the local database files. Each time the slave server starts, it loads the most current resource records it has from the database files and then checks this data with the primary master to see whether an update is needed. This prevents zone transfers from being performed needlessly.
DNS Messaging
DNS name resolution transactions use User Datagram Protocol (UDP) datagrams on port 53 for servers and on an ephemeral port number for clients. Communication between two servers uses port 53 on both machines. In cases in which the data to be transmitted does not fit in a single UDP datagram, as in the case of zone transfers, the two systems establish a standard TCP connection, also using port 53 on both machines, and transmit the data using as many packets as needed.
The Domain Name System uses a single message format for all of its communications that consists of the following five sections:
• Header Contains information about the nature of the message
• Question Contains the information requested from the destination server
• Answer Contains RRs supplying the information requested in the Question section
• Authority Contains RRs pointing to an authority for the information requested in the Question section
• Additional Contains RRs with additional information in response to the Question section
Every DNS message has a Header section, and the other four sections are included only if they contain data. For example, a query message contains the DNS name to be resolved in the Question section, but the Answer, Authority, and Additional sections aren’t needed. When the server receiving the query constructs its reply, it makes some changes to the Header section, leaves the Question section intact, and adds entries to one or more of the remaining three sections. Each section can have multiple entries so that a server can send more than one resource record in a single message.
The DNS Header Section
The Header section of the DNS message contains codes and flags that specify the function of the message and the type of service requested from or supplied by a server. Figure 15-7 shows the format of the Header section.
Figure 15-7 The DNS Header section format
The functions of the Header fields are as follows:
• ID, 2 bytes Contains an identifier value used to associate queries with replies.
• Flags, 2 bytes Contains flag bits used to identify the functions and properties of the message, as follows:
  • QR, 1 bit Specifies whether the message is a query (value 0) or a response (value 1).
  • OPCODE, 4 bits Specifies the type of query that generated the message. Response messages retain the same value for this field as the query to which they are responding. Possible values are as follows:
    • 0 Standard query (QUERY)
    • 1 Inverse query (IQUERY)
    • 2 Server status request (STATUS)
    • 3–15 Unused
  • AA (Authoritative Answer), 1 bit Indicates that a response message has been generated by a server that is the authority for the domain or zone in which the requested name is located.
  • TC (Truncation), 1 bit Indicates that the message has been truncated because the amount of data exceeds the maximum size for the current transport mechanism. In most DNS implementations, this bit functions as a signal that the message should be transmitted using a TCP connection rather than a UDP datagram.
  • RD (Recursion Desired), 1 bit In a query, indicates that the destination server should treat the message as a recursive query. In a response, indicates that the message is the response to a recursive query. The absence of this flag indicates that the query is iterative.
  • RA (Recursion Available), 1 bit Specifies whether a server is configured to process recursive queries.
  • Z, 3 bits Unused.
  • RCODE (Response Code), 4 bits Specifies the nature of a response message, indicating when an error has occurred and what type of error, using the following values:
    • 0 No error has occurred.
    • 1 Format Error Indicates that the server was unable to understand the query.
    • 2 Server Failure Indicates that the server was unable to process the query.
    • 3 Name Error Used by authoritative servers only to indicate that a requested name or subdomain does not exist in the domain.
    • 4 Not Implemented Indicates that the server does not support the type of query received.
    • 5 Refused Indicates that server policies (such as security policies) have prevented the processing of the query.
    • 6–15 Unused.
• QDCOUNT, 2 bytes Specifies the number of entries in the Question section.
• ANCOUNT, 2 bytes Specifies the number of entries in the Answer section.
• NSCOUNT, 2 bytes Specifies the number of name server RRs in the Authority section.
• ARCOUNT, 2 bytes Specifies the number of entries in the Additional section.
The DNS Question Section
The Question section of a DNS message contains the number of entries specified in the header’s QDCOUNT field. In most cases, there is only one entry. Each entry is formatted as shown in Figure 15-8.
Figure 15-8 The DNS Question section format
The functions of the fields are as follows:
• QNAME, variable Contains the DNS, domain, or zone name about which information is being requested
• QTYPE, 2 bytes Contains a code that specifies the type of RR the query is requesting
• QCLASS, 2 bytes Contains a code that specifies the class of the RR being requested
DNS Resource Record Sections
The three remaining sections of a DNS message, the Answer, Authority, and Additional sections, each contain resource records that use the format shown in Figure 15-9. The number of resource records in each section is specified in the header’s ANCOUNT, NSCOUNT, and ARCOUNT fields.
Figure 15-9 The format of the DNS Answer, Authority, and Additional sections
The functions of the fields are as follows:
• NAME, variable Contains the DNS, domain, or zone name about which information is being supplied.
• TYPE, 2 bytes Contains a code that specifies the type of RR the entry contains.
• CLASS, 2 bytes Contains a code that specifies the class of the RR.
• TTL, 4 bytes Specifies the amount of time (in seconds) that the RR should be cached in the server to which it is being supplied.
• RDLENGTH, 2 bytes Specifies the length (in bytes) of the RDATA field.
• RDATA, variable Contains RR data, the nature of which is dependent on its TYPE and CLASS. For an A-type record in the IN class, for example, this field contains the IP address associated with the DNS name supplied in the NAME field.
Differenttypesofresourcerecordshavedifferentfunctionsand,therefore,maycontaindifferenttypesofinformationintheRDATAfield.Mostresourcerecords,suchastheNS,A,PTR,andCNAMEtypes,haveonlyasinglenameoraddressinthisfield,whileothershavemultiplesubfields.TheSOAresourcerecordisthemostcomplexinthe
DomainNameSystem.Forthisrecord,theRDATAfieldisbrokenupintosevensubfields.
ThefunctionsoftheSOAresourcerecordsubfieldsareasfollows:
•MNAME,variableSpecifiestheDNSnameoftheprimarymasterserverthatwasthesourcefortheinformationaboutthezone.
•RNAME,variableSpecifiesthee-mailaddressoftheadministratorresponsibleforthezonedata.Thisfieldhasnoactualpurposeasfarastheserverisconcerned;itisstrictlyinformational.ThevalueforthisfieldtakestheformofaDNSname.Standardpracticecallsfortheperiodafterthefirstwordtobeconvertedtothe@symbolinordertousethevalueasane-mailaddress.
•SERIAL,4bytesContainsaserialnumberthatisusedtotrackmodificationstothezonedataontheprimarymasterserver.Thevalueofthisfieldisincremented(eithermanuallyorautomatically)ontheprimarymasterservereachtimethezonedataismodified,andtheslavecomparesitsvaluetotheonesuppliedbytheprimarymastertodeterminewhetherazonetransferisnecessary.
•REFRESH,4bytesSpecifiesthetimeinterval(inseconds)atwhichtheslaveshouldtransmitanSOAquerytotheprimarymastertodeterminewhetherazonetransferisneeded.
•RETRY,4bytesSpecifiesthetimeinterval(inseconds)atwhichtheslaveshouldmakerepeatattemptstoconnecttotheprimarymasterafteritsinitialattemptfails.
•EXPIRE,4bytesSpecifiesthetimeinterval(inseconds)afterwhichtheslaveserver’sdatashouldexpire,intheeventthatitcannotcontacttheprimarymasterserver.Oncethedatahasexpired,theslaveserverstopsrespondingtoqueries.
•MINIMUM,4bytesSpecifiesthetime-to-liveinterval(inseconds)thattheservershouldsupplyforalloftheresourcerecordsinitsresponsestoqueries.
DNSMessageNotationThelatterfoursectionsoftheDNSmessagearelargelyconsistentinhowtheynotatetheinformationintheirfields.DNS,domain,andzonenamesareallexpressedinthesameway,andthesectionsallusethesamevaluesfortheresourcerecordtypeandclasscodes.TheonlyexceptionsareafewadditionalcodesthatareusedonlyintheQuestionsection,calledQTYPESandQCLASSES,respectively.ThefollowingsectionsdescribehowthesevaluesareexpressedintheDNSmessage.
DNSNameNotationDependingonthefunctionofthemessage,anyorallofthefoursectionscancontainthefullyqualifiednameofahostsystem,thenameofadomain,orthenameofazoneonaserver.Thesenamesareexpressedasaseriesofunits,calledlabels,eachofwhichrepresentsasinglewordinthename.Theperiodsbetweenthewordsarenotincluded,so
todelineatethewords,eachlabelbeginswithasinglebytethatspecifiesthelengthoftheword(inbytes),afterwhichthespecifiednumberofbytesfollows.Thisisrepeatedforeachwordinthename.Afterthefinalwordofafullyqualifiedname,abytewiththevalueof0isincludedtorepresentthenullvalueoftherootdomain.
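The label notation, the header flag bits and the Question section described above, as an added Python example (not the book's code). Message IDs and names are constructed; the compression-pointer handling in decode_name is an assumption taken from RFC 1035 and is what makes the 6-byte "ns2" RDATA mentioned later in this chapter decodable.

```python
"""DNS header, Question section and label notation (added example, not the book's
code). Sample IDs and names are constructed; RFC 1035 compression pointers are
assumed for names whose tail points back to an earlier copy in the message."""
import struct

RCODES = {0: "No error", 1: "Format Error", 2: "Server Failure",
          3: "Name Error", 4: "Not Implemented", 5: "Refused"}


def encode_name(name):
    """'www.zacker.com' -> b'\\x03www\\x06zacker\\x03com\\x00': a length byte before
    each label, no periods, and a 0 byte for the root domain at the end."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        data = label.encode("ascii")
        if not 1 <= len(data) <= 63:   # lengths 64..255 are not labels (see decode_name)
            raise ValueError(f"bad label {label!r}")
        out.append(len(data))
        out += data
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Return (name, offset just past the name). A length byte whose top two bits are
    11 is a compression pointer to an earlier copy of the rest of the name; a hop
    limit and a backwards-only rule keep a malformed message from looping."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2      # the name in the message ends after the pointer
            hops += 1
            if hops > 16 or pointer >= offset:
                raise ValueError("malformed compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:               # root label: end of name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_header(msg_id, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """12-byte header; the Z bits (4-6 of the flags word) stay zero."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
             | (rd << 8) | (ra << 7) | rcode)
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(msg_id, name, qtype=1, qclass=1, recursive=True):
    """Standard query (OPCODE 0) with one Question entry; RD=0 makes it iterative."""
    return (build_header(msg_id, rd=int(recursive)) + encode_name(name)
            + struct.pack("!HH", qtype, qclass))


def parse_question(msg, offset):
    qname, offset = decode_name(msg, offset)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"qname": qname, "qtype": qtype, "qclass": qclass}, offset + 4


def build_response(query, tc=0, rcode=0, aa=0):
    """Response skeleton: QR=1, the query's ID and Question echoed back, no RRs
    (constructed for the checks below; a real answer adds the RR sections)."""
    q = parse_header(query)
    _, end = parse_question(query, 12)
    return build_header(q["id"], qr=1, opcode=q["opcode"], aa=aa, tc=tc, rd=q["rd"],
                        ra=1, rcode=rcode) + query[12:end]


def check_response(query, response):
    """What a resolver should verify before trusting a reply to its query."""
    q, r = parse_header(query), parse_header(response)
    if r["qr"] != 1 or r["id"] != q["id"] or r["opcode"] != q["opcode"]:
        return "mismatched response (QR bit, ID or OPCODE)"
    qq, _ = parse_question(query, 12)
    rq, _ = parse_question(response, 12)
    if r["qdcount"] != 1 or (qq["qname"].lower(), qq["qtype"], qq["qclass"]) != (
            rq["qname"].lower(), rq["qtype"], rq["qclass"]):
        return "question mismatch"
    if r["tc"]:
        return "truncated: retry over TCP"
    if r["rcode"] != 0:
        return "error: " + RCODES.get(r["rcode"], f"RCODE {r['rcode']}")
    return "ok"
```

A reply whose ID or Question does not match the outstanding query is discarded rather than cached, which is the resolver's first line of defence against forged responses.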
Resource Record Types
All of the data distributed by the Domain Name System is stored in resource records. Query messages request certain resource records from servers, and the servers reply with those resource records. The QTYPE field in a Question section entry specifies the type of resource record being requested from the server, and the TYPE fields in the Answer, Authority, and Additional section entries specify the type of resource record supplied by the server in each entry. Table 15-1 contains the resource record types and the codes used to represent them in these fields. All of the values in this table are valid for both the QTYPE and TYPE fields. Table 15-2 contains four additional values that represent sets of resource records that are valid for the QTYPE field in Question section entries only.
Table 15-1 DNS Resource Record Types and Values for Use in the TYPE or QTYPE Field
Table 15-2 Additional Values Representing Sets of Resource Records for Use in the QTYPE Field Only
Class Types
The QCLASS field in the Question section and the CLASS field in the Answer, Authority, and Additional sections specify the type of network for which information is being requested or supplied. Although they performed a valid function at one time, these fields are now essentially meaningless because virtually all DNS messages use the IN class. CSNET and CHAOS class networks are obsolete, and the Hesiod class is used for only a few experimental networks at MIT. For academic purposes only, the values for the CLASS and QCLASS fields are shown in Tables 15-3 and 15-4.
Table 15-3 Values for the Resource Record CLASS and QCLASS Fields
Table 15-4 Additional Value for the Resource Record QCLASS Field Only
Name Resolution Messages
The process of resolving a DNS name into an IP address begins with the generation of a query by the resolver on the client system. Figure 15-10 shows a query message, captured in a network monitor program, generated by a web browser trying to connect to the URL www.zacker.com/. The value of the message's OPCODE field is 0, indicating that this is a regular query, and the RD flag has a value of 1, indicating that this is a recursive query. As a result, the DNS server receiving the query (which is called CZ1) will be responsible for resolving the DNS name and returning the results to the client. The QDCOUNT field indicates that there is one entry in the Question section, and the three resource record count fields indicate that there are no entries in the three resource record sections, which is standard for a query message. The Question section specifies the DNS name to be resolved (www.zacker.com) and the type (1 = A) and class (1 = IN) of the resource record being requested.
Figure 15-10 The name resolution query message generated by the resolver
CZ1 is not the authoritative server for the zacker.com domain, nor does it have the requested information in its cache, so it must generate its own queries. CZ1 first generates a query message and transmits it to one of the root name servers (198.41.0.4) configured into the server software. The entry in the Question section is identical to that of the client's query message. The only differences in this query are that the server has included a different value in the ID field (4114) and has changed the value of the RD flag to 0, indicating that this is an iterative query.
The response that CZ1 receives from the root name server bypasses one step of the process because this root name server is also the authoritative server for the com top-level domain. As a result, the response contains the resource record that identifies the authoritative server for the zacker.com domain. If the requested DNS name had been in a top-level domain for which the root name server was not authoritative, such as one of the country-code domains, the response would contain a resource record identifying the proper authoritative servers.
The response message from the root domain server has a QR bit that has a value of 1, indicating that this is a response message, and the same ID value as the request, enabling CZ1 to associate the two messages. The QDCOUNT field again has a value of 1 because the response retains the Question section, unmodified, from the query message. The NSCOUNT and ARCOUNT fields indicate that there are two entries each in the Authority and Additional sections. The first entry in the Authority section contains the NS resource record for one of the authoritative servers for zacker.com known to the root name/top-level domain server, and the second entry contains the NS record for the other. The type and class values are the same as those requested in the query message; the time-to-live value assigned to both records is 172,800 seconds (48 hours). The RDATA field in the first entry is 16 bytes long and contains the DNS name of the first authoritative server (ns1.secure.net). The RDATA field in the second entry is only 6 bytes long and contains only the host name (ns2) for the other authoritative server, since it's in the same domain as the first one.
These Authority section entries identify the servers that CZ1 needs to contact to resolve the www.zacker.com domain name, but they do so using DNS names. To prevent CZ1 from having to go through this whole process again to resolve ns1.secure.net and ns2.secure.net into IP addresses, there are two entries in the Additional section that contain the A resource records for these two servers, which include their IP addresses.
Using the information contained in the previous response, CZ1 transmits a query to the first authoritative server for the zacker.com domain (ns1.secure.net – 192.41.1.10). Except for the destination address, this query is identical to the one that CZ1 sent to the root name server. The response message that CZ1 receives from the ns1.secure.net server (finally) contains the information that the client originally requested. This message contains the original Question section entry and two entries each in the Answer, Authority, and Additional sections.
The first entry in the Answer section contains a resource record with a TYPE value of 5 (CNAME) and a time-to-live value of 86,400 seconds (24 hours). The inclusion of a CNAME resource record in a response to a query requesting an A record indicates that the host name www exists in the zacker.com domain only as a canonical name (that is, an alias for another name), which is specified in the RDATA field as zacker.com. The second entry in the Answer section contains the A resource record for the name zacker.com, which specifies the IP address 192.41.15.74 in the RDATA field. This is the IP address that the client system must use to reach the www.zacker.com web server. The entries in the Authority and Additional sections specify the names and addresses of the authoritative servers for zacker.com and are identical to the equivalent entries in the response message from the root name server.
Root Name Server Discovery
Each time the DNS server starts, it loads the information stored in its database files. One of these files contains root name server hints. Actually, this file contains the names and addresses of all the root name servers, but the DNS server, instead of relying on this data, uses it to send a query to the first of the root name servers, requesting that it identify the authoritative servers for the root domain. This is to ensure that the server is using the most current information. The query is just like that for a name resolution request, except that there is no value in the NAME field.
The reply returned by the root name server contains 13 entries in both the Answer and Additional sections, corresponding to the 13 root name servers currently in operation (see Figure 15-11). Each entry in the Answer section contains the NS resource record for one of the root name servers, which specifies its DNS name, and the corresponding entry in the Additional section contains the A record for that server, which specifies its IP address. All of these servers are located in a domain called root-servers.net and have incremental host names from a to m. Because the information about these servers does not change often, if at all, their resource records can have a long time-to-live value: 518,400 seconds (144 hours or 6 days) for the NS records and 3,600,000 seconds (1,000 hours or 41.67 days) for the A records.
Figure 15-11 The root name server's response message, containing the RRs for all 13 root name servers
Zone Transfer Messages
A zone transfer is initiated by a DNS server that functions as a slave for one or more zones whenever the server software is started. The process begins with an iterative query for an SOA resource record that the slave sends to the primary master to ensure that it is the best source for information about the zone (see Figure 15-12). The single Question section entry contains the name of the zone in the QNAME field and a value of 6 for the QTYPE field, indicating that the server is requesting the SOA resource record.
Figure 15-12 The SOA query message generated by a slave server to determine whether a zone transfer is warranted
The primary master then replies to the slave with a response that includes the original Question section and a single Answer section entry containing the SOA resource record for the zone (see Figure 15-13). The slave uses the information in the response to verify the primary master's authority and to determine whether a zone transfer is needed. If the value of the SOA record's SERIAL field, as furnished by the primary master, is greater than the equivalent field on the slave server, then a zone transfer is required.
Figure 15-13 The response message from the primary master server containing the SOA resource record
A zone transfer request is a standard DNS query message with a QTYPE value of 252, which corresponds to the AXFR type. AXFR is the abbreviation for a resource record set that consists of all of the records in the zone. However, in most cases, all of the resource records in the zone will not fit into a single UDP datagram. UDP is a connectionless, unreliable protocol in which there can be only one response message for each query because the response message functions as the acknowledgment of the query. Because the primary master will almost certainly have to use multiple packets in order to send all of the resource records in the zone to the slave, a different protocol is needed. Therefore, before it transmits the zone transfer request message, the slave server initiates a TCP connection with the primary master using the standard three-way handshake. Once the connection is established, the slave transmits the AXFR query in a TCP packet using port 53 (see Figure 15-14).
Figure 15-14 The AXFR query requesting a zone transfer, transmitted to the primary master server using a TCP connection
In response to the query, the primary master server transmits all of the resource records in the requested zone as entries in the Answer section, as shown in Figure 15-15. Once all of the data has been transmitted, the two systems terminate the TCP connection in the usual manner, and the zone transfer is completed.
Figure 15-15 One packet from a zone transfer transmitted by the primary master server
CHAPTER 16
Internet Services
At one time, the term server in computer networking was nearly always used in the phrase file server, referring to a PC running a network operating system (NOS) that enables users to access shared files and printers. However, the rapid growth of the Internet has changed the common meaning of the term. To most Internet users, servers are the invisible systems that host web sites or that enable them to send and receive e-mail. For LAN users, servers still fill the traditional file and printer sharing roles, but also provide application-related functions, such as access to databases. Thus, people are gradually learning that a server is both a software as well as a hardware entity and that a single computer can actually function in multiple server roles simultaneously.
Internet servers are software products that provide traditional Internet services to clients, whether or not they are actually connected through the Internet. Web, FTP, and e-mail are all services that can be as useful on a LAN, a smartphone, or a tablet as on the Internet. This chapter examines the technology behind these services and the procedures for implementing them on your network.
Web Servers
The Web is a ubiquitous tool for business, education, and recreation. Along with the proliferation of mobile devices, a “web presence” is nearly required for most businesses. The basic building blocks of the Web are as follows:
• Web servers Computers running a software program that processes resource requests from clients
• Browsers Client software that generates resource requests and sends them to web servers
• Hypertext Transfer Protocol (HTTP) The Transmission Control Protocol/Internet Protocol (TCP/IP) application layer protocol that servers and browsers use to communicate
• Hypertext Markup Language (HTML) The markup language used to create web pages
Selecting a Web Server
A web server is actually a rather simple device. When you see complex pages full of fancy text and graphics on your monitor, you're actually seeing something that is more the product of the page designer and the browser technology than of the web server. In its simplest form, a web server is a software program that processes requests for specific files from browsers and delivers those files to the browser. The server does not read the contents of the files, nor does it participate in the rendering process that controls how a web page is displayed in the browser. The differences between web server products are in the additional features they provide and their ability to handle large numbers of requests.
Web Server Functions
A web server is a program that runs in the background on a computer and listens on a particular TCP port for incoming requests. Simply speaking, the process is as follows:
1. A computer client asks for a file.
2. The server finds the file.
3. The server sends a response to the client, usually a header as well as the data.
4. The server closes the connection.
The standard TCP port for an HTTP server is 80, although most servers enable you to specify a different port number for a site and may use a second port number for the server's administrative interface. To access a web server using a different port, you must specify that port number as part of the URL.
Uniform Resource Locators
The format of the uniform resource locator (URL) that you type into a browser's Address field to access a particular web site is defined in RFC 1738, published by the Internet Engineering Task Force (IETF). A URL consists of four elements that identify the resource that you want to access:
• Protocol Specifies the application layer protocol that the browser will use to connect to the server. Some of the values defined in the URL standard are as follows (others have been defined by additional standards published since RFC 3986, which updated RFC 1738):
• http Hypertext Transfer Protocol
• ftp File Transfer Protocol
• mailto Mail address
• news Usenet news
• telnet Reference to interactive sessions
• wais Wide area information servers
• file Host-specific file names
• Server name Specifies the DNS name or IP address of the server.
• Port number Specifies the port number that the server is monitoring for incoming traffic.
• Directory and file Identifies the location of the file that the server should send to the browser.
The format of a URL is as follows:
protocol://name:port/directory/file.html
Most of the time, users do not specify the protocol, port, directory, and file in their URLs, and the browser uses its default values. When you enter just a DNS name, such as www.zacker.com, the browser assumes the use of the HTTP protocol, port 80, and the web server's home directory. Fully expanded, this URL would appear something like the following:
http://www.zacker.com:80/index.html
The only element that could vary among different servers is the file name of the default web page, here shown as index.html. The default file name is configured on each server and specifies the file that the server will send to a client when no file name is specified in the URL.
If you configure a web server to use a port other than 80 to host a site, users must specify the port number as part of the URL. The main exception to this is when the administrator wants to create a site that is hidden from the average user. Some web server products, for example, are configurable using a web browser, and the server creates a separate administrative site containing the configuration controls for the program. During the software installation, the program prompts the administrator for a port number that it should use for the administrative site. Thus, specifying the name of the server in a browser opens the default site on port 80, but specifying the server name with the selected port accesses the administrative site.
The use of a nonstandard port is not really a security measure because there are programs available that can identify the ports that a web server is using. The administrative site for a server usually has security in the form of user authentication as well; the port number is just a means of keeping the site hidden from curious users.
CGI
Much of the traffic generated by the Web travels from the web server to the browser. The upstream traffic from browser to server consists mainly of HTTP requests for specific files. However, there are mechanisms by which browsers can send other types of information to servers. The server can then feed the information to an application for processing. The Common Gateway Interface (CGI) is a widely supported mechanism of this type. In most cases, the user supplies information in a form built into a web page using standard HTML tags and then submits the form to a server. The server, upon receiving the data from the browser, executes a CGI script that defines how the information should be used. The server might feed the information as a query to a database server, use it to perform an online financial transaction, or use it for any other purpose.
Logging
Virtually all web servers have the capability to maintain logs that track all client access to the site and any errors that have occurred. The logs typically take the form of a text file, with each server access request or error appearing on a separate line. Each line contains multiple fields, separated by spaces or commas. The information logged by the server identifies who accessed the site and when, as well as the exact documents sent to the client by the server.
Most web servers enable the administrator to choose among several formats for the logs they keep. Some servers use proprietary log formats, which generally are not supported by the statistics programs, while other servers may also be able to log server information to an external database using an interface such as Open Database Connectivity (ODBC). Most servers, however, support the Common Log File format defined by the National Center for Supercomputing Applications (NCSA). This format consists of nothing but one-line entries with fields separated by spaces. The format for each Common Log File entry and the functions of each field are as follows:
remotehost logname username date request status bytes
• remotehost Specifies the IP address of the remote client system. Some servers also include a DNS reverse lookup feature that resolves the address into a DNS name for logging purposes.
• logname Specifies the remote log name of the user at the client system. Most of today's browsers do not supply this information, so the field in the log is filled with a placeholder, such as a dash.
• username Specifies the user name with which the client was authenticated to the server.
• date Specifies the date and time that the request was received by the server. Most servers use the local date and time by default, but may include a Greenwich mean time differential, such as –0500 for U.S. Eastern Standard Time.
• request Specifies the text of the request received by the server.
• status Contains one of the status codes defined in the HTTP standard that specifies whether the request was processed successfully and, if not, why.
• bytes Specifies the size (in bytes) of the file transmitted to the client by the server in response to the request.
There is also a log file format created by the World Wide Web Consortium (W3C), called the Extended Log File format, that addresses some of the inherent problems of the Common Log File format, such as difficulties in interpreting logged data because of spaces within fields. The Extended Log File provides an extendable format with which administrators can specify the information to be logged or information that shouldn't be logged. The format for the Extended Log File consists of fields, as well as entries. Fields appear on separate lines, beginning with the # symbol, and specify information about the data contained in the log. The valid field entries are as follows:
• #Version: integer.integer Specifies the version of the log file format. This field is required in every log file.
• #Fields: [specifiers] Identifies the type of data carried in each field of a log entry, using abbreviations specified in the Extended Log File format specification. This field is required in every log file.
• #Software: string Identifies the server software that created the log.
• #Start-Date: datetime Specifies the date and time that logging started.
• #End-Date: datetime Specifies the date and time that logging ceased.
• #Date: datetime Specifies the date and time at which a particular entry was added to the log file.
• #Remark: text Contains comment information that should be ignored by all processes.
These fields enable administrators to specify the information to be recorded in the log while making it possible for statistics programs to correctly parse the data in the log entries.
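Parsers for both log formats described above, the Common Log File entry and the #Fields-driven Extended Log File, as an added Python example (not the book's code), followed by the kind of first-pass check an administrator runs over the parsed entries. The log lines, addresses and paths are constructed; the quoted request field and the bracketed date are assumed to be written the way NCSA-derived servers actually emit them.

```python
"""NCSA Common Log File and W3C Extended Log File parsers (added example, not the
book's code). All sample lines below are constructed."""
import re
from collections import Counter

# remotehost logname username [date] "request" status bytes
# The request is quoted and the date bracketed, as NCSA-derived servers write them,
# which is how a parser survives the spaces inside those two fields. "-" = absent.
CLF_RE = re.compile(
    r'^(?P<remotehost>\S+) (?P<logname>\S+) (?P<username>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')


def parse_clf_line(line):
    """One Common Log File entry -> dict with typed status/bytes and None for dashes."""
    m = CLF_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a Common Log File entry: {line!r}")
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    for key in ("logname", "username"):
        if e[key] == "-":
            e[key] = None
    return e


def parse_elf(text):
    """Extended Log File text -> (directives, entries). Entries are keyed by the
    names in the #Fields directive; #Version and #Fields are mandatory."""
    directives, entries, fields = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                  # directive line: #Name: value
            name, _, value = line[1:].partition(":")
            value = value.strip()
            if name == "Fields":
                fields = value.split()
            directives[name] = value
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"entry has {len(values)} fields, #Fields lists {len(fields)}")
        entries.append(dict(zip(fields, values)))
    if "Version" not in directives or fields is None:
        raise ValueError("#Version and #Fields are required")
    return directives, entries


def error_clients(entries, client_key, status_key, threshold=3):
    """Clients with at least `threshold` 4xx/5xx responses: a cheap first pass when
    reviewing a log for clients requesting documents that do not exist."""
    counts = Counter(e[client_key] for e in entries if int(e[status_key]) >= 400)
    return {client: n for client, n in counts.items() if n >= threshold}


CLF_SAMPLE = """\
192.0.2.10 - - [10/Oct/2014:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - alice [10/Oct/2014:13:55:40 -0500] "GET /docs/report.pdf HTTP/1.1" 200 91204
198.51.100.7 - - [10/Oct/2014:13:56:01 -0500] "GET /reports/2013.pdf HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:13:56:02 -0500] "GET /reports/2012.pdf HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:13:56:03 -0500] "GET /reports/2011.pdf HTTP/1.1" 404 209
"""

ELF_SAMPLE = """\
#Version: 1.0
#Date: 2014-10-10 13:55:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
#Software: constructed example server
2014-10-10 13:55:36 192.0.2.10 GET /index.html 200 2326
2014-10-10 13:56:01 198.51.100.7 GET /reports/2013.pdf 404 209
"""


def clf_entries():
    return [parse_clf_line(line) for line in CLF_SAMPLE.splitlines()]
```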
Remote Administration
All web servers need some sort of administrative interface that you can use to configure their operational parameters. Even a no-frills server lets you define a home directory that should function as the root of the site and other basic features. Some server products include a program that you can run on the computer that provides this interface, but many products have taken the opportunity to include an administrative web site with the product. With a site like this, you can configure the server from any computer using a standard web browser. This is a convenient tool for the network administrator, especially when the web server system is located in a server closet or other remote location or when one person is responsible for maintaining several servers.
The biggest problem with this form of remote administration is security, but there are mechanisms that can prevent unauthorized users from modifying the server configuration. The most basic of these mechanisms, as mentioned earlier, is the use of a nonstandard port number for the administrative site. Servers that use nonstandard ports typically require that you specify the port number during the server installation.
A second method is to include a means by which you can specify the IP addresses of the only systems that are to be permitted access to the administrative interface. IIS includes this method, and by default, the only system that can access the web-based interface is the one on which the server is installed. However, you can open up the server to remote administration and specify the addresses of other workstations to be granted access or specify the addresses of systems that are to be denied.
Virtual Directories
A web server utilizes a directory on the computer's local drive as the home directory for the web site it hosts. The server transmits the default file name in that directory to clients when they access the site using a URL that consists only of a DNS name or IP address. Subdirectories beneath that directory also appear as subdirectories on the web site. IIS, for example, uses the C:\InetPub\wwwroot directory as the default home directory for its web site. If that web server is registered in the DNS with the name www.zacker.com, the default page displayed by a browser accessing that site will be the default.htm file in the wwwroot directory. A file in the C:\InetPub\wwwroot\docs directory on the server will, therefore, appear on the site in www.zacker.com/docs.
Using this system, all the files and directories that are to appear on the web site must be located beneath the home directory. However, this is not a convenient arrangement for every site. On an intranet, for example, administrators may want to publish documents in existing directories using a web server without moving them to the home directory. To make this possible, some server products enable you to create virtual directories on the site. A virtual directory is a directory at another location—elsewhere on the drive, on another drive, or sometimes even on another computer's shared drive—that is published on a web site using an alias. The administrator specifies the location of the directory and the alias under which it will appear on the site. The alias functions as a subdirectory on the site that users can access in the normal manner and contains the files and subdirectories from the other drive.
NOTE See Chapters 25 and 26 for information about web and network security.
HTML
The Hypertext Markup Language is the lingua franca of the Web, but it actually has little to do with the functions of a web server. Web servers are programs that deliver requested files to clients. The fact that most of these files contain HTML code is immaterial because the server does not read them. The only way in which they affect the server's functions is when the client parses the HTML code and requests additional files from the server that are needed to display the web page in the browser, such as image files. Even in this case, however, the image file requests are just additional requests to the server.
HTTP
Communication between web servers and their browser clients is provided by an application layer protocol called the Hypertext Transfer Protocol. HTTP is a relatively simple protocol that takes advantage of the services provided by the TCP protocol at the transport layer to transfer files from servers to clients. When a client connects to a web server by typing a URL in a browser or clicking a hyperlink, the system generates an HTTP request message and transmits it to the server. This is an application layer process, but before it can happen, communication at the lower layers must be established.
Unless the user or the hyperlink specifies the IP address of the web server, the first step in establishing the connection between the two systems is to discover the address by sending a name resolution request to a DNS server. This address makes it possible for the IP protocol to address traffic to the server. Once the client system knows the address, it establishes a TCP connection with the server's port 80 using the standard three-way handshake process defined by that protocol.
Once the TCP connection is established, the browser and the server can exchange HTTP messages. HTTP consists of only two message types, requests and responses. Unlike the messages of most other protocols, HTTP messages take the form of ASCII text strings, not the typical headers with discrete coded fields. In fact, you can connect to a web server with a Telnet client and request a file by feeding an HTTP command directly to the server. The server will reply with the file you requested in its raw ASCII form.
Each HTTP message consists of the following elements:
• Start line Contains a request command or a reply status indicator, plus a series of variables
• Headers [optional] Contains a series of zero or more fields containing information about the message or the system sending it
• Empty line Contains a blank line that identifies the end of the header section
• Message body [optional] Contains the payload being transmitted to the other system
HTTP Requests
The start line for all HTTP requests is structured as follows:
RequestType RequestURI HTTPVersion
HTTP standards define several types of request messages, which include the following values for the RequestType variable:
• GET Contains a request for information specified by the RequestURI variable. This type of request accounts for the vast majority of request messages.
• HEAD Functionally identical to the GET request, except that the reply should contain only a start line and headers; no message body should be included.
• POST Requests that the information included in the message body be accepted by the destination system as a new subordinate to the resource specified by the RequestURI variable.
• OPTIONS Contains a request for information about the communication options available on the request/response chain specified by the RequestURI variable.
• PUT Requests that the information included in the message body be stored at the destination system in the location specified by the RequestURI variable.
• DELETE Requests that the destination system delete the resource identified by the RequestURI variable.
• TRACE Requests that the destination system perform an application layer loopback of the incoming message and return it to the sender.
• CONNECT Reserved for use with proxy servers that provide SSL tunneling.
The RequestURI variable contains a uniform resource identifier (URI), a text string that uniquely identifies a particular resource on the destination system. In most cases, this variable contains the name of a file on a web server that the client wants the server to send to it or the name of a directory from which the server should send the default file. The HTTPVersion variable identifies the version of the HTTP protocol that is supported by the system generating the request.
Thus, when a user types the name of a web site into a browser, the request message generated contains a start line that appears as follows:
GET / HTTP/1.1
The GET command requests that the server send a file. The use of the forward slash as the value for the RequestURI variable represents the root of the web site, so the server will respond by sending the default file located in the server's home directory.
HTTP Headers
Following the start line, any HTTP message can include a series of headers, which are text strings formatted in the following manner:
FieldName: FieldValue
Here, the FieldName variable identifies the type of information carried in the header, and the FieldValue variable contains the information. The various headers mostly provide information about the system sending the message and the nature of the request, which the server may or may not use when formatting the reply. The number, choice, and order of the headers included in a message are left to the client implementation, but the HTTP specification recommends that they be ordered using four basic categories.
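The request message structure just described (start line, FieldName: FieldValue headers, empty line, optional body), composed and parsed as an added Python example that is not the book's code. The host name and form data are constructed; the CRLF line ending, the Host requirement for HTTP/1.1 and the Content-Length handling are assumptions taken from the HTTP/1.1 specification rather than stated on this page.

```python
"""Compose and parse HTTP request messages (added example, not the book's code).
Host names and bodies below are constructed."""

REQUEST_TYPES = {"GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}
CRLF = "\r\n"


def build_request(method, request_uri, headers, body=b"", version="HTTP/1.1"):
    """Serialize a request exactly as it crosses the TCP connection:
    start line, header lines, empty line, then the body (if any)."""
    if method not in REQUEST_TYPES:
        raise ValueError(f"unknown request type {method}")
    lines = [f"{method} {request_uri} {version}"]
    lines += [f"{name}: {value}" for name, value in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")   # tells the server where the body ends
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


def parse_request(raw):
    """Split a raw request into its elements, rejecting the malformed shapes a
    server must not guess at (the guesses are where parsers disagree)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header section")
    start, *header_lines = head.decode("ascii").split(CRLF)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] not in REQUEST_TYPES or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad start line: {start!r}")
    method, uri, version = parts
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():   # no whitespace around the name
            raise ValueError(f"bad header line: {line!r}")
        name, value = name.lower(), value.strip()          # field names are case-insensitive
        if name in headers:
            if name == "content-length":                   # never pick one of two lengths
                raise ValueError("duplicate Content-Length header")
            headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("non-numeric Content-Length")
        if int(headers["content-length"]) != len(body):
            raise ValueError(f"Content-Length {headers['content-length']} does not match "
                             f"body of {len(body)} bytes")
    elif body:
        raise ValueError("body without Content-Length")
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}
```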
GeneralHeaderFieldsGeneralheadersapplytobothrequestandresponsemessagesbutdonotapplytotheentity(thatis,thefileorotherinformationinthebodyofthemessage).ThegeneralheaderFieldNamevaluesareasfollows:
•Cache-ControlContainsdirectivestobeobeyedbycachingmechanismsatthedestinationsystem
•ConnectionSpecifiesoptionsdesiredforthecurrentconnection,suchthatitbekeptaliveforusewithmultiplerequests
•DateSpecifiesthedateandtimethatthemessagewasgenerated
•PragmaSpecifiesdirectivesthatarespecifictotheclientorserverimplementation
•TrailerIndicatesthatspecificheaderfieldsarepresentinthetrailerofamessageencodedwithchunkedtransfer-coding
•Transfer-EncodingSpecifieswhattypeoftransformation(ifany)hasbeenappliedtothemessagebodyinordertosafelytransmitittothedestination
•UpgradeSpecifiesadditionalcommunicationprotocolssupportedbytheclient
•ViaIdentifiesthegatewayandproxyserversbetweentheclientandtheserverandtheprotocolstheyuse
•WarningContainsadditionalinformationaboutthestatusortransformationofamessage
Request Header Fields
Request headers apply only to request messages and supply information about the request and the system making the request. The request header FieldName values are as follows:
• Accept  Specifies the media types that are acceptable in the response message
• Accept-Charset  Specifies the character sets that are acceptable in the response message
• Accept-Encoding  Specifies the content codings that are acceptable in the response message
• Accept-Language  Specifies the languages that are acceptable in the response message
• Authorization  Contains credentials with which the client will be authenticated to the server
• Expect  Specifies the behavior that the client expects from the server
• From  Contains an e-mail address for the user generating the request
• Host  Specifies the Internet host name of the resource being requested (usually a URL), plus a port number if different from the default port (80)
• If-Match  Used to make a particular request conditional by matching particular entity tags
• If-Modified-Since  Used to make a particular request conditional by specifying the modification date of the client cache entry containing the resource, which the server compares to the actual resource and replies with either the resource or a cache referral
• If-None-Match  Used to make a particular request conditional by not matching particular entity tags
• If-Range  Requests that the server transmit the parts of an entity that the client is missing
• If-Unmodified-Since  Used to make a particular request conditional by specifying a date that the server should use to determine whether to supply the requested resource
• Max-Forwards  Limits the number of proxies or gateways that can forward the request to another server
• Proxy-Authorization  Contains credentials with which the client will authenticate itself to a proxy server
• Range  Contains one or more byte ranges representing parts of the resource specified by the ResourceURI variable that the client is requesting be sent by the server
• Referer  Specifies the resource from which the ResourceURI value was obtained
• TE  Specifies which extension transfer-codings the client can accept in the response and whether the client will accept trailer fields in a chunked transfer-coding
• User-Agent  Contains information about the browser generating the request
Response Header Fields
The response headers apply only to response messages and provide additional information about the message and the server generating the message. The response header FieldName values are as follows:
• Accept-Ranges  Enables a server to indicate its acceptance of range requests for a resource (used in responses only)
• Age  Specifies the elapsed time since a cached response was generated at a server
• ETag  Specifies the current value of the entity tag for the requested variant
• Location  Directs the destination system to a location for the requested resource other than that specified by the RequestURI variable
• Proxy-Authenticate  Specifies the authentication scheme used by a proxy server
• Retry-After  Specifies how long a requested resource will be unavailable to the client
• Server  Identifies the web server software used to process the request
• Vary  Specifies the header fields used to determine whether a client can use a cached response to a request without revalidation by the server
• WWW-Authenticate  Specifies the type of authentication required in order for the client to access the requested resource
Entity Header Fields
The term entity is used to describe the data included in the message body of a response message, and the entity headers provide additional information about that data. The entity header FieldName values are as follows:
• Allow  Specifies the request types supported by a resource identified by a particular RequestURI value
• Content-Encoding  Specifies additional content-coding mechanisms (such as gzip) that have been applied to the data in the body of the message
• Content-Language  Specifies the language of the message body
• Content-Length  Specifies the length of the message body, in bytes
• Content-Location  Specifies the location from which the information in the message body was derived, when it is separate from the location specified by the ResourceURI variable
• Content-MD5  Contains an MD5 digest of the message body (as defined in RFC 1864) that will be used to verify its integrity at the destination
• Content-Range  Identifies the location of the data in the message body within the whole of the requested resource when the message contains only part of the resource
• Content-Type  Specifies the media type of the data in the message body
• Expires  Specifies the date and time after which the cached response is to be considered stale
• Last-Modified  Specifies the date and time at which the server believes the requested resource was last modified
• Extension-Header  Enables the use of additional entity header fields that must be recognized by both the client and the server
HTTP Responses
The HTTP responses generated by web servers use many of the same basic elements as the requests. The start line also consists of three elements, as follows:
HTTPVersion StatusCode StatusPhrase
The HTTPVersion variable specifies the standard supported by the server, using the same values listed earlier. The StatusCode and StatusPhrase variables indicate whether the request has been processed successfully by the server and, if it hasn’t, why not. The code is a three-digit number, and the phrase is a text string. The code values are defined in the HTTP specification and are used consistently by all web server implementations. The first digit of the code specifies the general nature of the response, and the second two digits give more specific information. The status phrases are defined by the standard as well, but some web server products enable you to modify the text strings in order to supply more information to the client. The codes and phrases defined by the standard are listed in the following sections.
Informational Codes
Informational codes are used only in responses with no message bodies and have the numeral 1 as their first digit, as shown here:
• 100 – Continue  Indicates that the request message has been received by the server and that the client should either send another message completing the request or continue to wait for a response. A response using this code must be followed by another response containing a code indicating completion of the request.
• 101 – Switching Protocol  A response to an Upgrade request by the client, indicating that the server is switching as well. While not in common use, this code was created to allow migration to an incompatible protocol version.
Successful Codes
Successful codes have a 2 as their first digit and indicate that the client’s request message has been successfully received, understood, and accepted. The valid codes are as follows:
• 200 – OK  Indicates that the request has been processed successfully and that the response contains the data appropriate for the type of request.
• 201 – Created  Indicates that the request has been processed successfully and that a new resource has been created.
• 202 – Accepted  Indicates that the request has been accepted for processing but that the processing has not yet been completed.
• 203 – Nonauthoritative Information  Indicates that the information in the headers is not the definitive information supplied by the server but is gathered from a local or a third-party copy.
• 204 – No Content  Indicates that the request has been processed successfully but that the response contains no message body. It may contain header information.
• 205 – Reset Content  Indicates that the request has been processed successfully and that the client browser user should reset the document view. This message typically means that the data from a form has been received and that the browser should reset the display by clearing the form fields.
• 206 – Partial Content  Indicates that the request has been processed successfully and that the server has fulfilled a request that uses the Range header to specify part of a resource.
Redirection Codes
Redirection codes have a 3 as their first digit and indicate that further action from the client (either the browser or the user) is required to successfully process the request. The valid codes are as follows:
• 300 – Multiple Choices  Indicates that the response contains a list of resources that can be used to satisfy the request, from which the user should select one.
• 301 – Moved Permanently  Indicates that the requested resource has been assigned a new permanent URI and that all future references to this resource should use one of the new URIs supplied in the response.
• 302 – Found  Indicates that the requested resource resides temporarily under a different URI but that the client should continue to use the same RequestURI value for future requests since the location may change again.
• 303 – See Other  Indicates that the response to the request can be found under a different URI and that the client should generate another request pointing to the new URI.
• 304 – Not Modified  Indicates that the version of the requested resource in the client cache is identical to that on the server and that retransmission of the resource is not necessary.
• 305 – Use Proxy  Indicates that the requested resource must be accessed through the proxy specified in the Location header.
• 306 – Unused  No longer used and is currently reserved for future use.
• 307 – Temporary Redirect  Indicates that the requested resource resides temporarily under a different URI but that the client should continue to use the same RequestURI value for future requests since the location may change again.
• 308 – Permanent Redirect  Indicates that the resource is now at another URL. While similar to the 301 response code, the exception for a 308 code is that the user agent must not change the HTTP method used.
Client Error Codes
Client error codes have a 4 as their first digit and indicate that the request could not be processed because of an error by the client. The valid codes are as follows:
• 400 – Bad Request  Indicates that the server could not understand the request because of malformed syntax
• 401 – Unauthorized  Indicates that the server could not process the request because user authentication is required
• 402 – Payment Required  Reserved for future use
• 403 – Forbidden  Indicates that the server is refusing to process the request and that it should not be repeated
• 404 – Not Found  Indicates that the server could not locate the resource specified by the RequestURI variable
• 405 – Method Not Allowed  Indicates that the request type cannot be used for the specified RequestURI
• 406 – Not Acceptable  Indicates that the resource specified by the RequestURI variable does not conform to any of the data types specified in the request message’s Accept header
• 407 – Proxy Authentication Required  Indicates that the client must authenticate itself to a proxy server before it can access the requested resource
• 408 – Request Timeout  Indicates that the client did not produce a request within the server’s timeout period
• 409 – Conflict  Indicates that the request could not be processed because of a conflict with the current state of the requested resource, such as when a PUT command attempts to write data to a resource that is already in use
• 410 – Gone  Indicates that the requested resource is no longer available at the server and that the server is not aware of an alternative location
• 411 – Length Required  Indicates that the server has refused to process a request that does not have a Content-Length header
• 412 – Precondition Failed  Indicates that the server has failed to satisfy one of the preconditions specified in the request headers
• 413 – Request Entity Too Large  Indicates that the server is refusing to process the request because the message is too large
• 414 – Request URI Too Long  Indicates that the server is refusing to process the request because the RequestURI value is longer than the server is willing to interpret
• 415 – Unsupported Media Type  Indicates that the server is refusing to process the request because the request is in a format not supported by the requested resource for the requested method
• 416 – Requested Range Not Satisfiable  Indicates that the server cannot process the request because the data specified by the Range header in the request message does not exist in the requested resource
• 417 – Expectation Failed  Indicates that the server could not satisfy the requirements specified in the request message’s Expect header
Server Error Codes
Server error codes have a 5 as their first digit and indicate that the request could not be processed because of an error by the server. The valid codes are as follows:
• 500 – Internal Server Error  Indicates that the server encountered an unexpected condition that prevented it from fulfilling the request
• 501 – Not Implemented  Indicates that the server does not support the functionality required to satisfy the request
• 502 – Bad Gateway  Indicates that a gateway or proxy server has received an invalid response from the upstream server it accessed while attempting to process the request
• 503 – Service Unavailable  Indicates that the server cannot process the request because of its being temporarily overloaded or under maintenance
• 504 – Gateway Timeout  Indicates that a gateway or proxy server did not receive a timely response from the upstream server specified by the URI or some other auxiliary server needed to complete the request
• 505 – HTTP Version Not Supported  Indicates that the server does not support, or refuses to support, the HTTP protocol version used in the request message
After the start line, a response message can contain a series of headers, just like those in a request, that provide information about the server and the response message. The header section concludes with a blank line, after which comes the body of the message, typically containing the contents of the file requested by the client. If the file is larger than what can fit in a single packet, the server generates additional response messages containing message bodies but no start lines or headers.
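The response start line, the header section ending at a blank line, and the Content-Length and Content-MD5 entity headers described above, exercised in code. This is an added example, not code from the book: it parses a constructed HTTP/1.1 response, checks that the body received matches Content-Length, and recomputes the RFC 1864 Content-MD5 digest; the sample responses and the class and function names are mine.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# The first digit of the status code gives the general nature of the response.
STATUS_CLASSES = {"1": "Informational", "2": "Successful", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}


@dataclass
class HttpResponse:
    version: str
    status_code: int
    status_phrase: str
    headers: dict = field(default_factory=dict)   # lower-cased name -> value
    body: bytes = b""

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES.get(str(self.status_code)[0], "Unknown")


def parse_response(raw: bytes) -> HttpResponse:
    """Split a raw response into start line, header section and body.

    The header section ends at the first blank line (CRLF CRLF); what follows
    is the message body.  A repeated Content-Length with differing values is
    rejected: when two peers can frame the same bytes differently the
    message is ambiguous, so a careful parser refuses it instead of guessing.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated by a blank line")
    lines = head.decode("latin-1").split("\r\n")
    # Start line: HTTPVersion StatusCode StatusPhrase
    version, _, rest = lines[0].partition(" ")
    code, _, phrase = rest.partition(" ")
    if not (version.startswith("HTTP/") and len(code) == 3 and code.isdigit()):
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.lower(), value.strip()
        if name in headers and headers[name] != value:
            raise ValueError(f"conflicting duplicate header: {name}")
        headers[name] = value
    return HttpResponse(version, int(code), phrase, headers, body)


def check_content_length(resp: HttpResponse) -> bool:
    """True when Content-Length is absent or equals the number of body bytes received."""
    declared = resp.headers.get("content-length")
    if declared is None:
        return True
    if not declared.isdigit():
        raise ValueError(f"invalid Content-Length: {declared!r}")
    return int(declared) == len(resp.body)


def content_md5(body: bytes) -> str:
    """Content-MD5 value as RFC 1864 defines it: base64 of the raw 16-byte MD5 digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def check_content_md5(resp: HttpResponse):
    """None if the header is absent, otherwise whether the recomputed digest matches.

    Content-MD5 catches accidental corruption in transit only: MD5 is not
    collision resistant and the header itself is unauthenticated, so it is
    no substitute for TLS or a signed digest.
    """
    declared = resp.headers.get("content-md5")
    if declared is None:
        return None
    return content_md5(resp.body) == declared


def build_response(code: int, phrase: str, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 response with correct Content-Length and Content-MD5."""
    headers = {"Content-Type": "text/plain", "Content-Length": str(len(body)),
               "Content-MD5": content_md5(body)}
    head = f"HTTP/1.1 {code} {phrase}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("ascii") + b"\r\n" + body


# Constructed samples (not captured traffic).
GOOD = build_response(200, "OK", b"Hello, world!\r\n")
# The same message with the last byte of the body altered after the headers were sent.
TAMPERED = GOOD[:-3] + b"?\r\n"
# The same message whose Content-Length claims more bytes than the body carries.
SHORT = GOOD.replace(b"Content-Length: 15", b"Content-Length: 99")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("tampered", TAMPERED), ("short", SHORT)):
        r = parse_response(raw)
        print(label, r.status_code, r.status_class, check_content_length(r), check_content_md5(r))
```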
FTP Servers
The File Transfer Protocol is an application layer TCP/IP protocol that enables an authenticated client to connect to a server and transfer files to and from the other machine. FTP is not the same as sharing a drive with another system on the network. Access is limited to a few basic file management commands, and the primary function of the protocol is to copy files to your local system, not to access them in place on the server.
Like HTTP, FTP uses the TCP protocol for its transport services and relies on ASCII text commands for its user interface. There are now many graphical FTP clients available that automate the generation and transmission of the appropriate text commands to a server.
The big difference between FTP and HTTP (as well as most other protocols) is that FTP uses two port numbers in the course of its operations. When an FTP client connects to a server, it uses port 21 to establish a control connection. This connection remains open during the life of the session; the client and server use it to exchange commands and replies. When the client requests a file transfer, the server establishes a second connection on port 20, which it uses to transfer the file and then terminates immediately afterward.
FTP Commands
An FTP client consists of a user interface, which may be text based or graphical, and a user protocol interpreter. The user protocol interpreter communicates with the server protocol interpreter using text commands that are passed over the control connection (see Figure 16-1). When the commands call for a data transfer, one of the protocol interpreters triggers a data transfer process, which communicates with a like process on the other machine using the data connection. The commands issued by the user protocol interpreter do not necessarily correspond to the traditional text-based user interface commands. For example, to retrieve a file from a server, the traditional user interface command is GET plus the filename, but after the user protocol interpreter receives this command, it sends a RETR command to the server with the same filename. Thus, the user interface can be modified for purposes of language localization or other reasons, but the commands used by the protocol interpreters remain consistent.
Figure 16-1  The protocol interpreters in the FTP client and server exchange control messages
The following sections list the commands used by the FTP protocol interpreters.
Access Control Commands
FTP clients use the access control commands to log in to a server, authenticate the user, and terminate the control connection at the end of the session. These commands are as follows:
• USER username  Specifies the account name used to authenticate the client to the server.
• PASS password  Specifies the password associated with the previously furnished user name.
• ACCT account  Specifies an account used for access to specific features of the server file system. The ACCT command can be issued at any time during the session and not just during the login sequence, as with USER.
• CWD pathname  Changes the working directory in the server file system to that specified by the pathname variable.
• CDUP  Shifts the working directory in the server file system one level up to the parent directory.
• SMNT pathname  Mounts a different file system data structure on the server, without altering the user account authentication.
• REIN  Terminates the current session, leaving the control connection open and completing any data connection transfer in progress. A new USER command is expected to follow immediately.
• QUIT  Terminates the current session and closes the control connection after completing any data connection transfer in progress.
Transfer Parameter Commands
The transfer parameter commands prepare the systems to initiate a data connection and identify the type of file that is to be transferred. These commands are as follows:
• PORT host/port  Notifies the server of the IP address and ephemeral port number that it expects a data connection to use. The host/port variable consists of six integers, separated by commas, representing the four bytes of the IP address and two bytes for the port number.
• PASV  Instructs the server to specify a port number that the client will use to establish a data connection. The reply from the server contains a host/port variable, like PORT.
• TYPE typecode  Specifies the type of file to be transferred over a data connection. Currently used options are as follows:
    • A  ASCII plain-text file
    • I  Binary file
• STRU structurecode  Specifies the structure of a file. The default setting, F (for File), indicates that the file is a contiguous byte stream. Two other options, R (for Record) and P (for Page), are no longer used.
• MODE modecode  Specifies the transfer mode for a data connection. The default setting, S (for Stream), indicates that the file will be transferred as a byte stream. Two other options, B (for Block) and C (for Compressed), are no longer used.
FTP Service Commands
The FTP service commands enable the client to manage the file system on the server and initiate file transfers. These commands are as follows:
• RETR filename  Instructs the server to transfer the specified file to the client.
• STOR filename  Instructs the server to receive the specified file from the client, overwriting an identically named file in the server directory if necessary.
• STOU  Instructs the server to receive the file from the client and give it a unique name in the server directory. The reply from the server must contain the unique name.
• APPE pathname  Instructs the server to receive the specified file from the client and append it to the identically named file in the server directory. If no file of that name exists, the server creates a new file.
• ALLO bytes  Allocates a specified number of bytes on the server before the client actually transmits the data.
• REST marker  Specifies the point in a file at which the file transfer should be restarted.
• RNFR filename  Specifies the name of a file to be renamed; must be followed by an RNTO command.
• RNTO filename  Specifies the new name for the file previously referenced in an RNFR command.
• ABOR  Aborts the command currently being processed by the server, closing any open data connections.
• DELE filename  Deletes the specified file on the server.
• RMD pathname  Deletes the specified directory on the server.
• MKD pathname  Creates the specified directory on the server.
• PWD  Returns the name of the server’s current working directory.
• LIST pathname  Instructs the server to transmit an ASCII file containing a list of the specified directory’s contents, including attributes.
• NLST pathname  Instructs the server to transmit an ASCII file containing a list of the specified directory’s contents, with no attributes.
• SITE string  Carries nonstandard, implementation-specific commands to the server.
• SYST  Returns the name of the operating system running on the server.
• STAT filename  When used during a file transfer, returns a status indicator for the current operation. When used with a filename argument, returns the LIST information for the specified file.
• HELP string  Returns help information specific to the server implementation.
• NOOP  Instructs the server to return an OK response. This is used as a session keep-alive mechanism; the command performs no other actions.
FTP Reply Codes
An FTP server responds to each command sent by a client with a three-digit reply code and a text string. As with HTTP, these reply codes must be implemented as defined in the FTP standard on all servers so that the client can determine its next action, but some products enable you to modify the text that is delivered with the code and displayed to the user.
The first digit of the reply code indicates whether the command was completed successfully, unsuccessfully, or not at all. The possible values for this digit are as follows:
• 1## – Positive preliminary reply  Indicates that the server is initiating the requested action and that the client should wait for another reply before sending any further commands
• 2## – Positive completion reply  Indicates that the server has successfully completed the requested action
• 3## – Positive intermediate reply  Indicates that the server has accepted the command but that more information is needed before it can execute it and that the client should send another command containing the required information
• 4## – Transient negative completion reply  Indicates that the server has not accepted the command or executed the requested action due to a temporary condition and that the client should send the command again
• 5## – Permanent negative completion reply  Indicates that the server has not accepted the command or executed the requested action and that the client is discouraged (but not forbidden) from resending the command
The second digit of the reply code provides more specific information about the nature of the message. The possible values for this digit are as follows:
• #0# – Syntax  Indicates that the command contains a syntax error that has prevented it from being executed
• #1# – Information  Indicates that the reply contains information that the command requested, such as status or help
• #2# – Connections  Indicates that the reply refers to the control or data connection
• #3# – Authentication and accounting  Indicates that the reply refers to the login process or the accounting procedure
• #4# – Unused  Currently unused; available for future use
• #5# – File system  Indicates the status of the server file system as a result of the command
The reply codes defined by the FTP standard are as follows:
• 110  Restart marker reply
• 120  Service ready in nnn minutes
• 125  Data connection already open; transfer starting
• 150  File status okay; about to open data connection
• 200  Command okay
• 202  Command not implemented, superfluous at this site
• 211  System status, or system help reply
• 212  Directory status
• 213  File status
• 214  Help message
• 215  NAME system type
• 220  Service ready for new user
• 221  Service closing control connection
• 225  Data connection open; no transfer in progress
• 226  Closing data connection
• 227  Entering Passive Mode (h1,h2,h3,h4,p1,p2)
• 230  User logged in, proceed
• 250  Requested file action okay, completed
• 257  “PATHNAME” created
• 331  User name okay, need password
• 332  Need account for login
• 350  Requested file action pending further information
• 421  Service not available; closing control connection
• 425  Can’t open data connection
• 426  Connection closed; transfer aborted
• 450  Requested file action not taken
• 451  Requested action aborted; local error in processing
• 452  Requested action not taken; insufficient storage space in system
• 500  Syntax error, command unrecognized
• 501  Syntax error in parameters or arguments
• 502  Command not implemented
• 503  Bad sequence of commands
• 504  Command not implemented for that parameter
• 530  Not logged in
• 532  Need account for storing files
• 550  Requested action not taken; file unavailable (e.g., file not found, no access)
• 551  Requested action aborted; page type unknown
• 552  Requested file action aborted; exceeded storage allocation (for current directory or dataset)
• 553  Requested action not taken; file name not allowed
FTP Messaging
An FTP session begins with a client establishing a connection with a server by using either a GUI or the command line to specify the server’s DNS name or IP address. The first order of business is to establish a TCP connection using the standard three-way handshake. The FTP server is listening on port 21 for incoming messages, and this new TCP connection becomes the FTP control connection that will remain open for the life of the session. The first FTP message is transmitted by the server, announcing and identifying itself, as follows:
220 CZ2 Microsoft FTP Service (Version 5.0)
As with all messages transmitted over a TCP connection, acknowledgment is required. During the course of the session, the message exchanges will be punctuated by TCP ACK packets from both systems, as needed. After it sends the initial acknowledgment, the client prompts the user for an account name and password and performs the user login sequence, as follows:
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
The client then informs the server of its IP address and the port that it will use for data connections on the client system, as follows:
PORT 192,168,2,3,7,233
200 PORT command successful.
The values 192, 168, 2, and 3 are the four decimal byte values of the IP address, and the 7 and 233 are the 2 bytes of the port number value, which translates as 2025. By converting these 2 port bytes to binary form (0000011111101001) and then converting the whole 2-byte value to a decimal, you get 2025.
At this point, the client can send commands to the server requesting file transfers or file system procedures, such as the creation and deletion of directories. One typical client command is to request a listing of the files in the server’s default directory, as follows:
NLST -l
In response to this command, the server informs the client that it is going to open a data connection because the list is transmitted as an ASCII file.
150 Opening ASCII mode data connection for /bin/ls.
The server then commences the establishment of the second TCP connection, using its own port 20 and the client port 2025 specified earlier in the PORT command. Once the connection is established, the server transmits the file it has created containing the listing for the directory. Depending on the number of files in the directory, the transfer may require the transmission of multiple packets and acknowledgments, after which the server immediately sends the first message in the sequence that terminates the data connection. Once the data connection is closed, the server reverts to the control connection and finishes the file transfer with the following positive completion reply message:
226 Transfer complete.
At this point, the client is ready to issue another command, such as a request for another file transfer, which repeats the entire process beginning with the PORT command, or some other function that uses only the control connection. When the client is ready to terminate the session by closing the control connection, it sends a QUIT command, and the server responds with an acknowledgment like the following:
221
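The host/port encoding that PORT sends and the 227 reply returns, together with the first- and second-digit classification of reply codes from the sections above, worked through in code. This is an added example, not code from the book: the reply lines are taken from the session above, the 227 sample and the server-side PORT check are constructed, and the function and class names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# First digit of a reply: what happened to the command.
FIRST_DIGIT = {"1": "positive preliminary", "2": "positive completion",
               "3": "positive intermediate", "4": "transient negative completion",
               "5": "permanent negative completion"}
# Second digit: what the reply is about.
SECOND_DIGIT = {"0": "syntax", "1": "information", "2": "connections",
                "3": "authentication and accounting", "4": "unused", "5": "file system"}


@dataclass
class Reply:
    code: int
    text: str

    @property
    def kind(self) -> str:
        return FIRST_DIGIT.get(str(self.code)[0], "unknown")

    @property
    def subject(self) -> str:
        return SECOND_DIGIT.get(str(self.code)[1], "unknown")

    @property
    def wait_for_more(self) -> bool:
        # 1## means the server is still working; the client must wait for another reply.
        return self.kind == "positive preliminary"


def parse_reply(line: str) -> Reply:
    """Parse one single-line reply such as '200 PORT command successful.'"""
    m = re.fullmatch(r"(\d{3})(?: (.*))?", line.rstrip("\r\n"))
    if not m or m.group(1)[0] not in FIRST_DIGIT or m.group(1)[1] not in SECOND_DIGIT:
        raise ValueError(f"not a valid FTP reply line: {line!r}")
    return Reply(int(m.group(1)), m.group(2) or "")


def encode_host_port(ip: str, port: int) -> str:
    """Render an IPv4 address and port as the six comma-separated bytes PORT uses."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(ip).packed
    return ",".join(str(b) for b in (*octets, port >> 8, port & 0xFF))


def decode_host_port(field: str) -> tuple:
    """Inverse of encode_host_port: 'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = field.split(",")
    if len(parts) != 6 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"malformed host/port field: {field!r}")
    h1, h2, h3, h4, p1, p2 = (int(p) for p in parts)
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def parse_pasv_reply(reply: Reply) -> tuple:
    """Extract the host/port carried by '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if reply.code != 227:
        raise ValueError(f"expected a 227 reply, got {reply.code}")
    m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", reply.text)
    if not m:
        raise ValueError("227 reply carries no host/port field")
    return decode_host_port(m.group(1))


def port_command_is_safe(field: str, control_peer_ip: str) -> bool:
    """Server-side check (constructed): honour PORT only when it names the client itself.

    A PORT naming some other host, or a privileged port, asks the server to open
    its data connection to a third party; a well-behaved server refuses that and
    answers with a 5## reply instead of connecting.
    """
    ip, port = decode_host_port(field)
    return ip == control_peer_ip and port >= 1024


# Server replies from the control-connection exchange shown above.
SESSION_REPLIES = [
    "220 CZ2 Microsoft FTP Service (Version 5.0)",
    "331 Anonymous access allowed, send identity (e-mail name) as password.",
    "230 Anonymous user logged in.",
    "200 PORT command successful.",
    "150 Opening ASCII mode data connection for /bin/ls.",
    "226 Transfer complete.",
    "221",
]


def classify_session(lines) -> list:
    """Return (code, kind, subject) for each reply line of a session."""
    return [(r.code, r.kind, r.subject) for r in map(parse_reply, lines)]


if __name__ == "__main__":
    for entry in classify_session(SESSION_REPLIES):
        print(*entry, sep="  ")
    print(decode_host_port("192,168,2,3,7,233"))
```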
E-mail
While Internet services such as the Web and FTP are wildly popular, the service that is the closest to being a ubiquitous business and personal communications tool is e-mail. E-mail is a unique communications medium that combines the immediacy of the telephone with the precision of the written word, and no Internet service is more valuable to the network user. Until the mid-1990s, the e-mail systems you were likely to encounter were self-contained, proprietary solutions designed to provide an organization with internal communications. As the value of e-mail as a business tool began to be recognized by the general public, businesspeople began swapping the e-mail addresses supplied to them by specific online services. However, if you subscribed to a different service than your intended correspondent, you were out of luck. The rise of the Internet revolutionized the e-mail concept by providing a single, worldwide standard for mail communications that was independent of any single service provider. Today, e-mail addresses are almost as common as telephone numbers, and virtually every network with an Internet connection supplies its users with e-mail addresses.
E-mail Addressing
The e-mail address format soon becomes second nature to beginning e-mail users. An Internet e-mail address consists of a user name and a domain name, separated by an “at” symbol (@), as in [email protected]. The domain name in an e-mail address (which is everything following the @ symbol) identifies the organization hosting the e-mail services for a particular user. For individual users, the domain is typically that of an ISP, which nearly always supplies one or more e-mail addresses with an Internet access account. For corporate users, the domain name is usually registered to the organization and is usually the same domain used for their web sites and other Internet services.
The user name part of an e-mail address (which is everything before the @ symbol) represents the name of a mailbox that has been created on the mail server servicing the domain. The user name often consists of a combination of names and/or initials identifying an individual user at the organization, but it’s also common to have mailboxes for specific roles and functions in the domain. For example, most domains running a web site have a webmaster@mydomain.com mailbox for communications concerning the functionality of the web site.
Because Internet e-mail relies on standard domain names to identify mail servers, the Domain Name System (DNS) is an essential part of the Internet e-mail architecture. DNS servers store information in units of various types called resource records. The MX resource record is the one used to identify an e-mail server in a particular domain. When a mail server receives an outgoing message from an e-mail client, it reads the address of the intended recipient and performs a DNS lookup of the domain name in that address. The server generates a DNS message requesting the MX resource record for the specified domain, and the DNS server (after performing the standard iterative process that may involve relaying the request to other domain servers) replies with the IP address of the e-mail server for the destination domain. The server with the outgoing message then opens a connection to the destination domain’s mail server using the Simple Mail Transfer Protocol (SMTP). It is the destination mail server that processes the user name part of the e-mail address by placing the message in the appropriate mailbox, where it waits until the client picks it up.
E-mail Clients and Servers
Like HTTP and FTP, Internet e-mail is a client-server application. However, in this case, several types of servers are involved in the e-mail communication process. SMTP servers are responsible for receiving outgoing mail from clients and transmitting the mail messages to their destination servers. The other type of server is the one that maintains the mailboxes and which the e-mail clients use to retrieve their incoming mail. The two predominant protocols for this type of server are the Post Office Protocol, version 3 (POP3) and the Internet Message Access Protocol (IMAP). This is another case where it’s important to understand that the term server refers to an application and not necessarily to a separate computer. In many cases, the SMTP and either the POP3 or IMAP server run on the same computer.
E-mail server products generally fall into two categories, those that are designed solely for Internet e-mail and those that provide more comprehensive internal e-mail services as well. The former are relatively simple applications that typically provide SMTP support and may or may not include either POP3 or IMAP as well. If not, you have to purchase and install a POP3 or IMAP server also so that your users can access their mail. One of the most common SMTP servers used on the Internet is a free Unix program called sendmail, but there are many other products, both open source and commercial, that run on a variety of computing platforms.
After installing the mail server applications, the administrator creates a mailbox for each user and registers the server’s IP address in a DNS MX resource record for the domain. This enables other SMTP servers on the Internet to send mail to the users’ mailboxes. Clients access the POP3 or IMAP server to download mail from their mailboxes and send outgoing messages using the SMTP server. ISPs typically use mail servers of this type because their users are strictly concerned with Internet e-mail. The server may provide other convenience services for users as well, such as web-based client access, which enables users to access their mailboxes from any web browser.
The more comprehensive e-mail servers are products that evolved from internal e-mail systems. Products like Microsoft Exchange started out as servers that a corporation would install to provide private e-mail service to users within the company, as well as other services such as calendars, personal information managers, and group scheduling. As Internet e-mail became more prevalent, these products were enhanced to include the standard Internet e-mail connectivity protocols as well. Today, a single product such as Exchange provides a wealth of communications services for private network users. On this type of e-mail product, the mail messages and other personal data are stored permanently on the mail servers, and users run a special client to access their mail. Storing the mail on the server makes it easier for administrators to back it up and enables users to access their mail from any computer. E-mail applications such as Exchange are much more expensive than Internet-only mail servers, and administering them is more complicated.
An e-mail client is any program that can access a user’s mailbox on a mail server. Some e-mail client programs are designed strictly for Internet e-mail and can therefore access only SMTP, POP3, and/or IMAP servers. There are many products, both commercial and free, that perform the same basic functions. In many cases, e-mail client functionality is integrated into other programs, such as personal information managers (PIMs). Because the Internet e-mail protocols are standardized, users can run any Internet e-mail client with any SMTP/POP3/IMAP servers. Configuring an Internet e-mail client to send and retrieve mail is simply a matter of supplying the program with the IP addresses of an SMTP server (for outgoing mail) and a POP3 or IMAP server (for incoming mail), as well as the name of a mailbox on the POP3/IMAP server and its accompanying password.
The more comprehensive e-mail server products require a proprietary client to access all of their features. In the case of Exchange, the client is the Microsoft Outlook program included as part of the many Microsoft Office versions. Outlook is an unusual e-mail client in that you can configure it to operate in corporate/workgroup mode, in which the client connects to an Exchange server, or in Internet-only mode. Both modes enable you to access SMTP and POP3/IMAP services, but corporate/workgroup mode provides access to all of the Exchange features, such as group scheduling, and stores the user’s mail on the server. Internet-only mode stores the mail on the computer’s local drive.
Simple Mail Transfer Protocol
SMTP is an application layer protocol that is standardized in the IETF’s RFC 821 document. SMTP messages can be carried by any reliable transport protocol, but on the Internet and most private networks, they are carried by the TCP protocol, using well-known port number 25 at the server. Like HTTP and FTP, SMTP messages are based on ASCII text commands, rather than the headers and fields used by the protocols at the lower layers of the protocol stack. SMTP communications can take place between e-mail clients and servers or between servers. In each case, the basic communication model is the same. One computer (called the sender-SMTP) initiates communication with the other (the receiver-SMTP) by establishing a TCP connection using the standard three-way handshake.
SMTP Commands
Once the TCP connection is established, the sender-SMTP computer begins transmitting SMTP commands to the receiver-SMTP, which responds with a reply message and a numeric code for each command it receives. The commands consist of a keyword and an argument field containing other parameters in the form of a text string, followed by a carriage return/line feed (CR/LF).
NOTE  The SMTP standard uses the terms sender-SMTP and receiver-SMTP to distinguish the sender and the receiver of the SMTP messages from the sender and the receiver of an actual mail message. The two are not necessarily synonymous.
The commands used by the sender-SMTP and their functions are as follows (the parentheses contain the actual text strings transmitted by the sending computer):
• HELLO (HELO)  Used by the sender-SMTP to identify itself to the receiver-SMTP by transmitting its host name as the argument. The receiver-SMTP responds by transmitting its own host name.
• MAIL (MAIL)  Used to initiate a transaction in which a mail message is to be delivered to a mailbox by specifying the address of the mail sender as the argument and, optionally, a list of hosts through which the mail message has been routed (called a source route). The receiver-SMTP uses this list in the event it has to return a nondelivery notice to the mail sender.
• RECIPIENT (RCPT)  Identifies the recipient of a mail message, using the recipient’s mailbox address as the argument. If the message is addressed to multiple recipients, the sender-SMTP generates a separate RCPT command for each address.
• DATA (DATA)  Contains the actual e-mail message data, followed by a CRLF, a period, and another CRLF (<CRLF>.<CRLF>), which indicates the end of the message string.
• SEND (SEND)  Used to initiate a transaction in which mail is to be delivered to a user’s terminal (instead of to a mailbox). Like the MAIL command, the argument contains the sender’s mailbox address and the source route.
• SEND OR MAIL (SOML)  Used to initiate a transaction in which a mail message is to be delivered to a user’s terminal, if they are currently active and configured to receive messages, or to the user’s mailbox, if they are not. The argument contains the same sender address and source route as the MAIL command.
• SEND AND MAIL (SAML)  Used to initiate a transaction in which a mail message is to be delivered to a user’s terminal, if they are currently active and configured to receive messages, and to the user’s mailbox. The argument contains the same sender address and source route as the MAIL command.
• RESET (RSET)  Instructs the receiver-SMTP to abort the current mail transaction and discard all sender, recipient, and mail data information from that transaction.
• VERIFY (VRFY)  Used by the sender-SMTP to confirm that the argument identifies a valid user. If the user exists, the receiver-SMTP responds with the user’s full name and mailbox address.
• EXPAND (EXPN)  Used by the sender-SMTP to confirm that the argument identifies a valid mailing list. If the list exists, the receiver-SMTP responds with the full names and mailbox addresses of the list’s members.
• HELP (HELP)  Used by the sender-SMTP (presumably a client) to request help information from the receiver-SMTP. An optional argument may specify the subject for which the sender-SMTP needs help.
• NOOP (NOOP)  Performs no function other than to request that the receiver-SMTP generate an OK reply.
• QUIT (QUIT)  Used by the sender-SMTP to request the termination of the communications channel to the receiver-SMTP. The sender-SMTP should not close the channel until it has received an OK reply to its QUIT command from the receiver-SMTP, and the receiver-SMTP should not close the channel until it has received and replied to a QUIT command from the sender-SMTP.
• TURN (TURN)  Used by the sender-SMTP to request that it and the receiver-SMTP should switch roles, with the sender-SMTP becoming the receiver-SMTP and the receiver-SMTP the sender-SMTP. The actual role switch does not occur until the receiver-SMTP returns an OK response to the TURN command.
NOTENotallSMTPimplementationsincludesupportforallofthecommandslistedhere.TheonlycommandsthatarerequiredtobeincludedinallSMTPimplementationsareHELO,MAIL,RCPT,DATA,RSET,NOOP,andQUIT.
SMTP Replies
The receiver-SMTP is required to generate a reply for each of the commands it receives from the sender-SMTP. The sender-SMTP is not permitted to send a new command until it receives a reply to the previous one. This prevents any confusion of requests and replies. The reply messages generated by the receiver-SMTP consist of a three-digit numerical value plus an explanatory text string. The number and the text string are essentially redundant; the number is intended for use by automated systems that take action based on the reply, while the text string is intended for humans. The text messages can vary from implementation to implementation, but the reply numbers must remain consistent.
The reply codes generated by the receiver-SMTP are as follows (italicized values represent variables that the receiver-SMTP replaces with an appropriate text string):
• 211 System status, or system help reply
• 214 Help message
• 220 Domain service ready
• 221 Domain service closing transmission channel
• 250 Requested mail action okay, completed
• 251 User not local; will forward to forward-path
• 354 Start mail input; end with <CRLF>.<CRLF>
• 421 Domain service not available, closing transmission channel
• 450 Requested mail action not taken: mailbox unavailable
• 451 Requested action aborted: local error in processing
• 452 Requested action not taken: insufficient system storage
• 500 Syntax error, command unrecognized
• 501 Syntax error in parameters or arguments
• 502 Command not implemented
• 503 Bad sequence of commands
• 504 Command parameter not implemented
• 550 Requested action not taken: mailbox unavailable
• 551 User not local; please try forward-path
• 552 Requested mail action aborted: exceeded storage allocation
• 553 Requested action not taken: mailbox name not allowed
• 554 Transaction failed
SMTP Transactions
A typical SMTP mail transaction begins (after a TCP connection is established) with the sender-SMTP transmitting a HELO command to identify itself to the receiver-SMTP by including its host name as the command argument. If the receiver-SMTP is operational, it responds with a 250 reply. Next, the sender-SMTP initiates the mail transaction by transmitting a MAIL command. This command contains the mailbox address of the message sender as the argument on the command line. Note that this sender address refers to the person who generated the e-mail message and not necessarily to the SMTP server currently sending commands.
NOTE In the case where the SMTP transaction is between an e-mail client and an SMTP server, the sender of the e-mail and the sender-SMTP refer to the same computer, but the receiver-SMTP is not the same as the intended receiver (that is, the addressee) of the e-mail. In the case of two SMTP servers communicating, such as when a local SMTP server forwards the mail messages it has just received from clients to their destination servers, neither the sender-SMTP nor the receiver-SMTP refer to the ultimate sender and receiver of the e-mail message.
If the receiver-SMTP is ready to receive and process a mail message, it returns a 250 response to the MAIL message generated by the sender-SMTP. After receiving a positive response to its MAIL command, the sender-SMTP proceeds by sending at least one RCPT message that contains as its argument the mailbox address of the e-mail message's intended recipient. If there are multiple recipients for the message, the sender-SMTP sends a separate RCPT command for each mailbox address. The receiver-SMTP, on receiving an RCPT command, checks to see whether it has a mailbox for that address and, if so, acknowledges the command with a 250 reply. If the mailbox does not exist, the receiver-SMTP can take one of several actions, such as generating a 251 User Not Local; Will Forward response and transmitting the message to the proper server or rejecting the message with a failure response, such as 550 Requested Action Not Taken: Mailbox Unavailable or 551 User Not Local. If the sender-SMTP generates multiple RCPT messages, the receiver-SMTP must reply separately to each one before the next can be sent.
The next step in the procedure is the transmission of a DATA command by the sender-SMTP. The DATA command has no argument, and is followed simply by a CRLF. On receiving the DATA command, the receiver-SMTP returns a 354 response and assumes that all of the lines that follow are the text of the e-mail message itself. The sender-SMTP then transmits the text of the message, one line at a time, ending with a period on a separate line (in other words, a CRLF.CRLF sequence). On receipt of this final sequence, the receiver-SMTP responds with a 250 reply and proceeds to process the mail message by storing it in the proper mailbox and clearing its buffers.
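The transaction above, played out by a small receiver-SMTP state machine, is an added example and not code from the book. It implements only the seven required commands with the reply codes listed earlier, rejects commands sent out of sequence with 503, and treats the host name, mailbox table and scripted session as constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample mailbox table for a hypothetical receiving domain (not from the book).
LOCAL_MAILBOXES = {"alice@example.com", "bob@example.com"}
OK = "250 Requested mail action okay, completed"
BAD_SEQ = "503 Bad sequence of commands"
BAD_ARG = "501 Syntax error in parameters or arguments"


def _parse_path(arg: str, keyword: str) -> Optional[str]:
    """Pull the mailbox out of 'FROM:<addr>' or 'TO:<addr>'; None if malformed."""
    m = re.fullmatch(rf"{keyword}:\s*<?([^<>\s]*)>?", arg.strip(), re.IGNORECASE)
    return m.group(1) if m else None


@dataclass
class ReceiverSMTP:
    hostname: str = "mail.example.com"              # hypothetical receiver host name
    helo_done: bool = False
    sender: Optional[str] = None
    recipients: list = field(default_factory=list)
    in_data: bool = False
    data_lines: list = field(default_factory=list)
    delivered: list = field(default_factory=list)   # (sender, recipients, text) per message
    closed: bool = False

    def _reset(self) -> None:
        # RSET semantics: forget sender, recipients and any buffered mail data
        self.sender, self.recipients, self.in_data, self.data_lines = None, [], False, []

    def handle(self, line: str) -> Optional[str]:
        """Reply to one sender-SMTP line, or None while collecting message lines after DATA."""
        line = line.rstrip("\r\n")
        if self.in_data:
            if line == ".":                         # <CRLF>.<CRLF> ends the message
                self.delivered.append((self.sender, list(self.recipients), "\r\n".join(self.data_lines)))
                self._reset()
                return OK
            # RFC 821 transparency: the sender doubles a leading '.', the receiver strips one
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            if not arg.strip():
                return BAD_ARG
            self.helo_done = True
            return f"250 {self.hostname}"           # receiver answers with its own host name
        if verb == "MAIL":
            if not self.helo_done or self.sender is not None:
                return BAD_SEQ
            path = _parse_path(arg, "FROM")
            if path is None:
                return BAD_ARG
            self.sender = path
            return OK
        if verb == "RCPT":
            if self.sender is None:
                return BAD_SEQ
            path = _parse_path(arg, "TO")
            if not path:
                return BAD_ARG
            if path.lower() not in LOCAL_MAILBOXES:
                return "550 Requested action not taken: mailbox unavailable"
            self.recipients.append(path.lower())
            return OK
        if verb == "DATA":
            if not self.recipients:
                return BAD_SEQ
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._reset()
            return OK
        if verb == "QUIT":
            self.closed = True                      # channel closes only after this reply
            return f"221 {self.hostname} Service closing transmission channel"
        if verb in ("VRFY", "EXPN", "SEND", "SOML", "SAML", "TURN", "HELP"):
            return "502 Command not implemented"    # optional commands this receiver omits
        return "500 Syntax error, command unrecognized"


def run_transaction(lines):
    """Feed a scripted sender-SMTP session through a fresh receiver; returns (replies, receiver)."""
    rx = ReceiverSMTP()
    replies = [f"220 {rx.hostname} Service ready"]  # greeting sent when the connection opens
    for line in lines:
        reply = rx.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies, rx


# Constructed sample session following the transaction the text walks through.
SAMPLE_SESSION = [
    "HELO client.example.org", "MAIL FROM:<carol@example.org>", "RCPT TO:<alice@example.com>",
    "RCPT TO:<nobody@example.com>",                 # no such local mailbox -> 550
    "DATA", "Subject: test", "", "..a line that really starts with one dot", ".", "QUIT",
]
```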
Multipurpose Internet Mail Extension
SMTP is designed to carry text messages using 7-bit ASCII codes and lines no more than 1,000 characters long. This excludes foreign characters and 8-bit binary data from being carried in e-mail messages. To make it possible to send these types of data in SMTP e-mail, another standard called the Multipurpose Internet Mail Extension (MIME) was published in five RFC documents, numbered 2045 through 2049. MIME is essentially a method for encoding various types of data for inclusion in an e-mail message.
The typical SMTP e-mail message transmitted after the DATA command begins with a header containing the familiar elements of the message itself, such as the To, From, and Subject fields. MIME adds two additional fields to this initial header, a MIME-Version indicator that specifies which version of MIME the message is using and a Content-Type field that specifies the format of the MIME-encoded data included in the message. The Content-Type field can specify any one of several predetermined MIME formats, or it can indicate that the message consists of multiple body parts, each of which uses a different format.
For example, the header of a multipart message might appear as follows:
MIME-Version: 1.0
From: [email protected]
Subject: Network diagrams
Content-Type: multipart/mixed; boundary=gc0p4Jq0M2Yt08j34c0p
The Content-Type field in this example indicates that the message consists of multiple parts, in different formats. The boundary parameter specifies a text string that is used to delimit the parts. The value specified in the boundary parameter can be any text string, just as long as it does not appear in the message text. After this header come the separate parts of the message, each of which begins with the boundary value on a separate line and a Content-Type field that specifies the format for the data in that part of the message, as follows:
--gc0p4Jq0M2Yt08j34c0p
Content-Type: image/jpeg
The actual message content then appears, in the format specified by the Content-Type value.
The header for each part of the message can also contain any of the following fields:
• Content-Transfer-Encoding Specifies the method used to encode the data in that part of the message, using values such as 7-bit, 8-bit, Base64, and Binary
• Content-ID Optional field that specifies an identifier for that part of the message that can be used to reference it in other places
• Content-Description Optional field that contains a description of the data in that part of the message
The most commonly recognizable elements of MIME are the content types used to describe the nature of the data included as part of an e-mail message. A MIME content type consists of a type and a subtype, separated by a forward slash, as in image/jpeg. The type indicates the general type of data, and the subtype indicates a specific format for that data type. The image type, for example, has several possible subtypes, including jpeg and gif, which are both common graphics formats. Systems interpreting the data use the MIME types to determine how they should handle the data, even if they do not recognize the format. For example, an application receiving data with the text/richtext content type might display the content to the user, even if it cannot handle the richtext format. Because the basic type is text, the application can be reasonably sure that the data will be recognizable to the user. If the application receives a message containing image/gif data, however, and is incapable of interpreting the gif format, it can be equally sure, because the message part is of the image type, that the raw, uninterpreted data would be meaningless to the user and as a result would not display it in its raw form.
The seven MIME content types are as follows:
• Text Contains textual information, either unformatted (subtype: plain) or enriched by formatting commands
• Image Contains image data that requires a device such as a graphical display or graphical printer to view the information
• Audio Contains audio information that requires an audio output device (such as a speaker) to present the information
• Video Contains video information that requires the hardware/software needed to display moving images
• Application Contains uninterpreted binary data, such as a program file, or information to be processed by a particular application
• Multipart Contains at least two separate entities using independent data types
• Message Contains an encapsulated message, such as those defined by RFC 822, which may themselves contain multiple parts of different types
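The multipart layout and the per-part fields described above, parsed by a small reader, as an added example (not the book's code). It splits the body on the "--boundary" delimiter lines, reads each part's Content-Type as type/subtype, undoes a Base64 Content-Transfer-Encoding, and flags parts whose top-level type is not one of the seven; the sample message is constructed, reusing the boundary from the text, and its "image" is a four-byte stand-in rather than a real JPEG.

```python
import base64

# The seven top-level MIME types the text lists.
TOP_LEVEL_TYPES = {"text", "image", "audio", "video", "application", "multipart", "message"}


def parse_headers(block: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    A line starting with whitespace continues (folds into) the previous header."""
    headers, last = {}, None
    for line in block.split("\r\n"):
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def content_type(headers: dict):
    """Split a Content-Type value into (type, subtype, params); the default is text/plain."""
    media, *param_strs = [p.strip() for p in headers.get("content-type", "text/plain").split(";")]
    typ, _, subtype = media.lower().partition("/")
    params = {}
    for p in param_strs:
        key, _, value = p.partition("=")
        params[key.strip().lower()] = value.strip().strip('"')
    return typ, subtype, params


def decode_body(headers: dict, body: str) -> bytes:
    """Undo the Content-Transfer-Encoding; 7bit, 8bit and binary bodies pass through unchanged."""
    if headers.get("content-transfer-encoding", "7bit").lower() == "base64":
        return base64.b64decode("".join(body.split()))
    return body.encode("utf-8")


def _part(headers: dict, body: str) -> dict:
    typ, subtype, _ = content_type(headers)
    return {"type": typ, "subtype": subtype, "known_type": typ in TOP_LEVEL_TYPES,
            "headers": headers, "body": decode_body(headers, body)}


def parse_message(raw: str) -> list:
    """Return the body parts of a MIME message as dicts; a non-multipart message is one part."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = parse_headers(head)
    typ, _, params = content_type(headers)
    if typ != "multipart":
        return [_part(headers, body)]
    # Each part is introduced by "--" + boundary on its own line. The CRLF before that line
    # belongs to the delimiter, so splitting on "\r\n--boundary" leaves no trailing CRLF in bodies.
    delimiter = "\r\n--" + params["boundary"]
    parts = []
    for seg in ("\r\n" + body).split(delimiter)[1:]:    # [0] is the preamble, which MIME ignores
        if seg.startswith("--"):                         # "--boundary--" closes the multipart
            break
        seg = seg.split("\r\n", 1)[1] if "\r\n" in seg else ""   # drop the rest of the delimiter line
        part_head, _, part_body = seg.partition("\r\n\r\n")
        parts.append(_part(parse_headers(part_head), part_body))
    return parts


# Constructed sample message (hypothetical addresses); the JPEG part is base64 of the
# four bytes FF D8 FF E0, a stand-in for image data, not a real picture.
SAMPLE = (
    "MIME-Version: 1.0\r\n"
    "From: sender@example.com\r\n"
    "Subject: Network diagrams\r\n"
    "Content-Type: multipart/mixed; boundary=gc0p4Jq0M2Yt08j34c0p\r\n"
    "\r\n"
    "This preamble is ignored by MIME-aware readers.\r\n"
    "--gc0p4Jq0M2Yt08j34c0p\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Diagram attached.\r\n"
    "--gc0p4Jq0M2Yt08j34c0p\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <diagram1>\r\n"
    "Content-Description: constructed stand-in for a JPEG\r\n"
    "\r\n"
    "/9j/4A==\r\n"
    "--gc0p4Jq0M2Yt08j34c0p--\r\n"
)
```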
Post Office Protocol
The Post Office Protocol, version 3 (POP3) is a service designed to provide mailbox services for client computers that are themselves not capable of performing transactions with SMTP servers. For the most part, the reason for the clients requiring a mailbox service is that they may not be continuously connected to the Internet and are therefore not capable of receiving messages any time a remote SMTP server wants to send them. A POP3 server is continuously connected and is always available to receive messages for offline users. The server then retains the messages in an electronic mailbox until the user connects to the server and requests them.
POP3 is similar to SMTP in that it relies on the TCP protocol for transport services (using well-known port 110) and communicates with clients using text-based commands and responses. As with SMTP, the client transmits commands to the server, but in POP3, there are only two possible response codes, +OK, indicating the successful completion of the command, and -ERR, indicating that an error has occurred to prevent the command from being executed. In the case of POP3, the server also sends the requested e-mail message data to the client, rather than the client sending outgoing messages to the server as in SMTP.
A POP3 client-server session consists of three distinct states: the authorization state, the transaction state, and the update state. These states are described in the following sections.
The Authorization State
The POP3 session begins when the client establishes a TCP connection with an active server. Once the TCP three-way handshake is complete, the server transmits a greeting to the client, usually in the form of a +OK reply. At this point, the session enters the authorization state, during which the client must identify itself to the server and perform an authentication process before it can access its mailbox. The POP3 standard defines two possible authentication mechanisms. One of these utilizes the USER and PASS commands, which the client uses to transmit a mailbox name and the password associated with it to the server in clear text. Another, more secure, mechanism uses the APOP command, which performs an encrypted authentication.
While in the authorization state, the only command permitted to the client other than authentication-related commands is QUIT, to which the server responds with a +OK reply before terminating the session without entering the transaction or update states.
Once the authentication process has been completed and the client granted access to its mailbox, the session enters the transaction state.
The Transaction State
Once the session has entered the transaction state, the client can begin to transmit the commands to the server with which it retrieves the mail messages waiting in its mailbox. When the server enters the transaction state, it assigns a number to each of the messages in the client's mailbox and takes note of each message's size. The transaction state commands use these message numbers to refer to the messages in the mailbox. The commands permitted while the session is in the transaction state are as follows. With the exception of the QUIT command, all of the following commands can be used only during the transaction state.
• STAT Causes the server to transmit a drop listing of the mailbox contents to the client. The server responds with a single line containing a +OK reply, followed on the same line by the number of messages in the mailbox and the total size of all the messages, in bytes.
• LIST Causes the server to transmit a scan listing of the mailbox contents to the client. The server responds with a multiline reply consisting of a +OK on the first line, followed by an additional line for each message in the mailbox, containing its message number and its size, in bytes, followed by a line containing only a period, which indicates the end of the listing. A client can also issue the LIST command with a parameter specifying a particular message number, which causes the server to reply with a scan listing of that message only.
• RETR Causes the server to transmit a multiline reply containing a +OK reply, followed by the full contents of the message number specified as a parameter on the RETR command line. A separate line containing only a period serves as a delimiter, indicating the end of the message.
• DELE Causes the server to mark the message represented by the message number specified as a parameter on the DELE command line as deleted. Once marked, clients can no longer retrieve the message, nor does it appear in drop listings and scan listings. However, the server does not actually delete the message until it enters the update state.
• NOOP Performs no function other than to cause the server to generate a +OK reply.
• RSET Causes the server to unmark any messages that have been previously marked as deleted during the session.
• QUIT Causes the session to enter the update state prior to the termination of the connection.
The Update State
Once the client has finished retrieving messages from the mailbox and performing other transaction state activities, it transmits the QUIT command to the server, causing the session to transition to the update state. After entering the update state, the server deletes all of the messages that have been marked for deletion and releases its exclusive hold on the client's mailbox. If the server successfully deletes all of the marked messages, it transmits a +OK reply to the client and proceeds to terminate the TCP connection.
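The three POP3 states above, modelled as a small server-side state machine, as an added example (not the book's code). It enforces that transaction commands are refused before authentication, that DELE only marks and QUIT performs the deletions, and that QUIT from the authorization state deletes nothing; the APOP digest follows RFC 1939 (MD5 over the greeting timestamp and the shared secret), which the text does not spell out. Accounts, messages and the timestamp are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample account and maildrop (hypothetical; not from the book).
ACCOUNTS = {"alice": "s3cret"}
SAMPLE_MAILDROP = {"alice": ["From: bob\r\n\r\nfirst", "From: carol\r\n\r\n.second, dot-stuffed on RETR"]}
AUTHORIZATION, TRANSACTION, UPDATE = "AUTHORIZATION", "TRANSACTION", "UPDATE"


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 of the greeting timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


class POP3Server:
    def __init__(self, maildrop, timestamp="<1896.697170952@mail.example.com>"):
        self.maildrop = maildrop           # user -> list of message texts (the persistent store)
        self.timestamp = timestamp         # APOP challenge, sent in the greeting
        self.state, self.user, self.pending_user = AUTHORIZATION, None, None
        self.messages, self.deleted, self.closed = [], set(), False

    def handle(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "QUIT":                 # the one command legal in both states
            return self._quit()
        if self.state == AUTHORIZATION:
            return self._authorization(verb, arg)
        if self.state == TRANSACTION:
            return self._transaction(verb, arg)
        return "-ERR session closed"

    def _authorization(self, verb, arg):
        if verb == "USER":
            self.pending_user = arg
            return "+OK send PASS"         # same reply for any name: do not confirm which mailboxes exist
        if verb == "PASS":                 # cleartext password, as the text notes
            secret = ACCOUNTS.get(self.pending_user or "", "").encode()
            if self.pending_user and hmac.compare_digest(secret, arg.encode()):
                return self._enter_transaction(self.pending_user)
            return "-ERR invalid password"
        if verb == "APOP":                 # the secret itself never crosses the wire
            name, _, digest = arg.partition(" ")
            expected = apop_digest(self.timestamp, ACCOUNTS.get(name, ""))
            if name in ACCOUNTS and hmac.compare_digest(expected.encode(), digest.lower().encode()):
                return self._enter_transaction(name)
            return "-ERR permission denied"
        return "-ERR command not valid in AUTHORIZATION state"

    def _enter_transaction(self, user):
        self.user, self.state = user, TRANSACTION
        self.messages = list(self.maildrop.get(user, []))   # numbered 1..n for this session
        self.deleted = set()
        return f"+OK maildrop has {len(self.messages)} messages"

    def _msgnum(self, arg):
        """Message number from the argument if it exists and is not marked deleted, else 0."""
        n = int(arg) if arg.isdigit() else 0
        return n if 1 <= n <= len(self.messages) and n not in self.deleted else 0

    def _transaction(self, verb, arg):
        live = [(n, m) for n, m in enumerate(self.messages, 1) if n not in self.deleted]
        if verb == "STAT":                 # drop listing: count and total octets on one line
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if verb == "LIST" and not arg:     # scan listing: one line per message, "." terminates
            return "\r\n".join([f"+OK {len(live)} messages"] + [f"{n} {len(m)}" for n, m in live] + ["."])
        if verb == "NOOP":
            return "+OK"
        if verb == "RSET":                 # unmark everything marked this session
            self.deleted = set()
            return f"+OK maildrop has {len(self.messages)} messages"
        if verb in ("LIST", "RETR", "DELE"):
            n = self._msgnum(arg)
            if not n:
                return "-ERR no such message"
            if verb == "LIST":
                return f"+OK {n} {len(self.messages[n - 1])}"
            if verb == "DELE":
                self.deleted.add(n)        # only marked; removed in the UPDATE state
                return f"+OK message {n} deleted"
            # RETR: byte-stuff lines starting with "." so a lone "." stays the terminator
            body = "\r\n".join("." + l if l.startswith(".") else l for l in self.messages[n - 1].split("\r\n"))
            return f"+OK {len(self.messages[n - 1])} octets\r\n{body}\r\n."
        return "-ERR unknown command"

    def _quit(self):
        if self.state == TRANSACTION:      # UPDATE state: now the marked messages really go
            self.state = UPDATE
            self.maildrop[self.user] = [m for n, m in enumerate(self.messages, 1) if n not in self.deleted]
        self.closed = True                 # QUIT from AUTHORIZATION deletes nothing
        return "+OK POP3 server signing off"


def run_session(server, lines):
    """Drive a server with scripted client lines; returns every reply, greeting first."""
    replies = [f"+OK POP3 server ready {server.timestamp}"]
    for line in lines:
        replies.append(server.handle(line))
    return replies
```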
Internet Message Access Protocol
POP3 is a relatively simple protocol that provides clients with only the most basic mailbox service. In nearly all cases, the POP3 server is used only as a temporary storage medium; e-mail clients download their messages from the POP3 server and delete them from the server immediately afterward. It is possible to configure a client not to delete the messages after downloading them, but the client must then download them again during the next session. The Internet Message Access Protocol (IMAP) is a mailbox service that is designed to improve upon POP3's capabilities.
IMAP functions similarly to POP3 in that it uses text-based commands and responses, but the IMAP server provides considerably more functions than POP3. The biggest difference between IMAP and POP3 is that IMAP is designed to store e-mail messages on the server permanently, and IMAP provides a wider selection of commands that enable clients to access and manipulate their messages. Storing the mail on the server enables users to easily access their mail from any computer or from different computers.
Take, for example, an office worker who normally downloads her e-mail messages to her work computer using a POP3 server. She can check her mail from her home computer if she wants to by accessing the POP3 server from there, but any messages that she downloads to her home computer are normally deleted from the POP3 server, meaning that she will have no record of them on her office computer, where most of her mail is stored. Using IMAP, she can access all of her mail from either her home or office computer at any time, including all of the messages she has already read at both locations.
To make the storage of clients' e-mail on the server practical, IMAP includes a number of organizational and performance features, including the following:
• Users can create folders in their mailboxes and move their e-mail messages among the folders to create an organized storage hierarchy.
• Users can display a list of the messages in their mailboxes that contains only the header information and then select the messages they want to download in their entirety.
• Users can search for messages based on the contents of the header fields, the message subject, or the body of the message.
While IMAP can be a sensible solution for a corporate e-mail system in which users might benefit from its features, it is important to realize that IMAP requires considerably more in the way of network and system resources than POP3. In addition to the disk space required to store mail on the server indefinitely, IMAP requires more processing power to execute its many commands and consumes more network bandwidth because users remain connected to the server for much longer periods of time. For these reasons, POP3 remains the mailbox server of choice for Internet service providers, the largest consumers of these server products.
PART V Network Operating Services
CHAPTER 17 Windows
CHAPTER 18 Active Directory
CHAPTER 19 Linux
CHAPTER 20 Unix
CHAPTER 21 Other Network Operating Systems and Networking in the Cloud
CHAPTER 17 Windows
In the years since its initial release in 1985, Microsoft's Windows operating system has become the most prevalent operating system on the market. Windows' familiar interface and ease of use enabled relatively unsophisticated users to install and maintain local area networks (LANs), making LAN technology a ubiquitous part of doing business. The various versions of Windows 8 (and 8.1), the latest incarnations of the operating system, are designed for use by mobile devices, stand-alone computers, and the most powerful servers.
The Role of Windows
Windows operates on a peer-to-peer model, in which each system can function both as a client and as a server. As a result, the same familiar interface is used in all Windows computers, both clients and servers, simplifying the learning curve for users as well as the development effort for software designers.
At the time of Windows NT's introduction, installing a server was largely a manual process in which you had to modify the server's configuration files in order to load the appropriate drivers. Windows, on the other hand, had an automated installation program much like those of most applications. While the process of setting up earlier networks required considerable expertise, many people discovered that a reasonably savvy PC user could install the Windows operating system (OS) and Windows applications with little difficulty.
A major factor that contributed to Windows' rise in popularity was its adoption of Transmission Control Protocol/Internet Protocol (TCP/IP) as its default protocols. As the Internet grew, a market developed for a platform that was easier to use than Unix that would run Internet and intranet server applications, and Windows fit the bill nicely. Eventually, major database engines were running on Windows servers, and the similarity of the client and server platforms streamlined the development process.
Versions
The first version of Windows NT (which was given the version number 3.1 to conform with the then-current version of Windows) was introduced in 1993. The motivation behind it was to create a new 32-bit OS from the ground up that left all vestiges of DOS behind. Although the interface was nearly identical in appearance to that of a Windows 3.1 system, NT was a completely new OS in many fundamental ways. Backward compatibility with existing applications is a factor that has always hindered advances in operating system design, and once Microsoft decided that running legacy programs was not to be a priority with Windows NT, it was free to implement radical changes.
The various versions of Windows NT fell into three distinct generations, based on the user interface. The first generation consisted of Windows NT 3.1, 3.5, and 3.51, all three of which use the same Windows 3.1–style interface. Version 3.1 used NetBEUI as its default protocol, which immediately limited its use to relatively small networks. TCP/IP and IPX support were available, but only through the STREAMS interface.
The second generation consisted of Windows NT 4.0, which was released in 1996 as an interim upgrade leading toward the major innovation that Microsoft began promising in 1993. NT 4 used the same interface introduced in Windows 95 and positioned the OS more positively as an Internet platform with the inclusion of the Internet Explorer web browser and Internet Information Services—a combination World Wide Web, FTP, and Gopher server.
The third generation was Windows 2000, which was the long-awaited release of the operating system that was originally code-named Cairo. The Windows 2000 interface was a refined version of the NT 4/Windows 95 graphical user interface (GUI), but the biggest improvement was the inclusion of Active Directory, an enterprise directory service that represented a quantum leap over the domain-based directory service included in Windows NT. Windows XP was the next-generation operating system that brought the DOS-based world of Windows 95, 98, and ME together with the Windows NT/2000 design to form a single product line that was suitable for both home and office computers.
Since Windows XP (which was no longer automatically updated after April 2014), there have been several new systems. Windows Vista was released in 2006 and included IPv6, comprehensive wireless networking, and 64-bit support. Vista received general criticism based on several factors, such as performance, which was criticized as not being much of an improvement over Windows XP. Many users resoundingly attacked the enhancements that were supposed to create additional security, such as the product activation requirements and the persistent User Account Control (UAC) security feature. (UAC in Windows Vista required approval of each application before it could be utilized.) In retrospect, Windows Vista is often considered to be one of the biggest tech failures of the early years of the 21st century.
After the failure of Windows Vista, Microsoft introduced Windows 7 in 2009. Originally designed as an incremental upgrade, this version included a revamped UAC, much better performance, and a more intuitive interface. It offered improved performance with the multicore processors that were becoming common, support for more modern graphics cards, media features, and fast boot times, as well as support for virtual hard disks.
In 2013, Microsoft introduced Windows 8. Windows 8 was visually quite different from earlier systems and was designed to work on touchscreens (such as those on mobile devices) as well as with a mouse and keyboard. By combining the mobile-friendly screens with the Windows desktop with which most were familiar, the result was a system that pleased no one. Within a few months (by Microsoft standards), Windows 8.1 was released, which kept many of the features of the "mobile" screens but made the desktop more accessible to please desktop users.
Microsoft has traditionally released its server software in conjunction with its operating systems. However, starting with Windows Server 2008 (R2), it has sometimes changed release times. The latest version, Windows Server 2012 R2, however, was released at the same time as Windows 8.1 in October of 2013.
Service Packs
Traditionally, Microsoft has released regular updates to the Windows products in the form of service packs, which contain numerous fixes and upgrades in one package, using a single installation routine. Microsoft was one of the first software companies to adopt this update release method, which was a vast improvement over dozens of small patch releases (sometimes called hotfixes) that addressed single, specific issues. Apart from the inconvenience of downloading and installing many small patches, this update method was a technical support nightmare because it was difficult for both the user and the technician to know exactly which patches had been installed. Service packs were designed to detect the components installed on a Windows computer and install only the updates needed by those components.
Service packs consist of a single release for all of the various editions of an operating system. Service packs often consist of more than just bug fixes. They may include upgraded versions of operating system utilities, new features, or entirely new programs. All of the components are installed at the same time by the service pack's setup program. Service packs are sometimes (but not always) cumulative, meaning that each successive service pack for a particular product contains the contents of all of the previous service packs for that product. This simplifies the process of installing Windows on a new computer or updating one that hasn't been patched in some time, but it also causes the service pack releases to grow very large. Microsoft makes its service packs available as free downloads or on CD-ROMs, for which you must pay postage, handling, and media fees.
Again, traditionally, Microsoft's policy was to produce security fixes for both the current service pack and the previous one. IT people appreciated this because it allowed plenty of time to test the new update before it was deployed across their networks. However, when the first update to Windows 8.1 was released in April 2014, this policy seems to have changed. Microsoft stated that this update was mandatory and that all future security updates would require the April update to be installed. This policy and the update may signal the end of service packs as they have previously been known.
Microsoft Technical Support
For the network administrator who is heavily committed to the use of Microsoft products, Microsoft TechNet was a subscription-based CD-ROM product that was an invaluable resource for technical information and product updates; it ended in 2013. The monthly releases typically included six or more CD-ROMs containing resource kits, documentation, the entire Knowledge Base for all of the Microsoft products, and a lot of other material.
Starting in 2013, Microsoft replaced this program with a number of free resources, including the TechNet Evaluation Center located at http://technet.microsoft.com/en-US/evalcenter. These new services for IT professionals include TechNet Virtual Labs for free online testing. This environment is designed to evaluate new products; the documentation states that the testing can be completed online in less than two hours, so there is no need to install evaluation copies locally. Microsoft also has paid subscriptions for access to both current and prior software versions through its MSDN and MAPS programs. Both offer IT professionals the chance to download products, ask questions, test products, and take e-learning classes on Microsoft products.
In addition, Microsoft has created a program for students called DreamSpark. This program allows registered students to download software for testing and study. For small business startups, a similar program called BizSpark is available based on certain eligibility criteria. There are additional (free) courses available through the Microsoft Virtual Academy site at www.microsoftvirtualacademy.com.
Operating System Overview
Windows systems are modular operating systems that are designed to take advantage of the advanced capabilities built into the latest processors, while leaving behind the memory and storage constraints imposed by DOS-based operating systems. Early operating systems such as DOS were monolithic—that is, the entire OS consisted of a single functional unit, which made it difficult to upgrade and modify. By creating an OS composed of many separate components, Microsoft made it easier to upgrade and modify parts of the operating system without affecting other elements in the overall functionality of the whole.
Kernel Mode Components
The Windows operating systems are composed of components that run in one of two modes: kernel mode and user mode (see Figure 17-1). A component running in kernel mode has full access to the system's hardware resources via the hardware abstraction layer (HAL), which is a virtual interface that isolates the kernel from the computer hardware. Abstracting the kernel from the hardware makes it far easier to port the OS to different hardware platforms.
Figure 17-1 Windows architecture
The OS kernel itself is responsible for delegating specific tasks to the system processor or processors and other hardware. Tasks consist of processes, broken down into threads, which are the smallest units that the kernel can schedule for execution by a processor. A thread is a sequence of instructions to which the kernel assigns a priority level that determines when it will be executed. When the computer has multiple processors, the kernel runs on all of them simultaneously, sharing access to specific memory areas and allocating threads to specific processors according to their priorities.
In addition to the HAL and the kernel, Windows' executive services run in kernel mode. These executive services consist of the following components.
Object Manager
Windows creates objects that function as abstract representations of operating system resources, such as hardware devices and file system entities. An object consists of information about the resource it represents and a list of methods, which are procedures used to access the object. A file object, for example, consists of information such as the file's name and methods describing the operations that can be performed on the file, such as open, close, and delete.
The Windows Object Manager maintains a hierarchical, global namespace in which the objects are stored. For example, when the system loads a kernel mode device driver, it registers a device name with the Object Manager, such as \Device\CDRom0 for a CD-ROM drive or \Device\Serial0 for a serial port. The objects themselves are stored in directories similar to those in a file system, but they are not part of any Windows file system. In addition to hardware devices, objects can reference both abstract and concrete entities, including the following:
• Files
• Directories
• Processes
• Threads
• Memory segments
• Semaphores
By using a standard format for all objects, regardless of the type of entities they represent, the Object Manager provides a unified interface for object creation, security, monitoring, and auditing. Access to objects in the namespace is provided to system processes using object handles, which contain pointers to the objects and to access control information.
NOTE The kernel mode objects discussed here are not equivalent to the objects in the Active Directory database. They are two completely different hierarchies. Active Directory runs in user mode within the Windows security subsystem.
Usually, the only places that you see devices referred to by these object names are entries in the registry's HKEY_LOCAL_MACHINE\HARDWARE key and error messages such as those displayed in the infamous "blue screen of death." Applications typically run in the Win32 subsystem, which is a user mode component that cannot use internal Windows device names. Instead, the Win32 subsystem references devices using standard MS-DOS device names, like drive letters and port designations such as COM1. These MS-DOS names exist as objects in the Object Manager's namespace, in a directory called \??, but they do not have the same properties as the original resources; they are actually only symbolic links to the equivalent Windows device names.
Security Reference Monitor
Every Windows object has an access control list (ACL) that contains access control entries (ACEs) that specify the security identifiers (SIDs) of users or groups that are to be permitted access to the object, as well as the specific actions that the user or group can perform. When a user successfully logs on to the computer, Windows creates a security access token (SAT) that contains the SIDs of the user and all the groups of which the user is a member. Whenever the user attempts to access an object, the Security Reference Monitor is responsible for comparing the SAT with the ACL to determine whether the user should be granted that access.
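The SA T-against-ACL comparison described above, as an added example (not the book's code). It models a token as the user's SID plus group SIDs and walks the ACL in order the way the documented Windows DACL check does: a matching deny entry that covers any still-unsatisfied right refuses access immediately, matching allow entries accumulate rights, and an empty list grants nothing while a missing list protects nothing. The access-mask values and the user SID are illustrative constructions; only S-1-5-32-545 (BUILTIN\Users) is a real well-known SID.

```python
from dataclasses import dataclass
from enum import IntFlag


class Access(IntFlag):
    """A few generic rights with illustrative mask bits (not Windows' real constants)."""
    READ = 0x1
    WRITE = 0x2
    EXECUTE = 0x4
    DELETE = 0x8


@dataclass(frozen=True)
class ACE:
    kind: str       # "allow" or "deny"
    sid: str        # user or group SID the entry applies to
    mask: Access    # rights granted or denied by this entry


@dataclass(frozen=True)
class SecurityAccessToken:
    """Built at logon: the user's SID plus the SIDs of every group the user belongs to."""
    user_sid: str
    group_sids: frozenset

    def sids(self) -> set:
        return {self.user_sid, *self.group_sids}


def access_check(token: SecurityAccessToken, dacl, requested: Access) -> bool:
    """Security Reference Monitor decision for one access request.

    ACEs are examined in list order and only those naming a SID in the token count.
    A deny ACE covering any right not yet granted refuses the whole request; allow ACEs
    accumulate rights until every requested right is held. Anything left over is a denial."""
    if dacl is None:           # no ACL at all: the object is unprotected, everyone gets everything
        return True
    held = token.sids()
    remaining = requested
    for ace in dacl:
        if ace.sid not in held:
            continue
        if ace.kind == "deny" and (ace.mask & remaining):
            return False
        if ace.kind == "allow":
            remaining = Access(int(remaining) & ~int(ace.mask))
        if not remaining:
            return True
    return not remaining       # empty ACL, or no matching allow entries: access denied


# Constructed sample SIDs: the user SID is made up; S-1-5-32-545 is BUILTIN\Users.
USERS_GROUP = "S-1-5-32-545"
ALICE = "S-1-5-21-1000000000-2000000000-3000000000-1001"
alice_token = SecurityAccessToken(ALICE, frozenset({USERS_GROUP}))

# Canonical order places explicit deny entries before allow entries.
CANONICAL_DACL = [
    ACE("deny", ALICE, Access.WRITE),
    ACE("allow", USERS_GROUP, Access.READ | Access.WRITE),
]
# Same entries with the allow first: WRITE is satisfied before the deny is ever reached.
NON_CANONICAL_DACL = list(reversed(CANONICAL_DACL))
```

The two orderings of the same entries give different answers for WRITE, which is why the evaluation order of an ACL matters as much as its contents.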
ProcessandThreadManagerTheProcessandThreadManagerisresponsibleforcreatinganddeletingtheprocessobjectsthatenablesoftwaretorunonaWindowssystem.Eachprocess(orsoftwareprogram)hasitsuniqueidentifier,andathreadistheidentifierforthepartoftheprogramthatiscurrentlyrunning.Aprocessobjectincludesavirtualaddressspaceandacollectionofresourcesallocatedtotheprocess,aswellasthreadscontainingtheinstructionsthatwillbeassignedtothesystemprocessors.Whenamachinehasonlyoneprocessor,each
threadmustberunbyitself.Afterthatthreadhascompleted,theprocessorexecutesthenextthread.Onamachinewithmorethanoneprocessor,aprogram(application)withmultiplethreadscanexecutethosemultiplethreads,withonethreadbeingrunoneachprocessor.
VirtualMemoryManagerTheabilitytousevirtualmemorywasoneofthemajorPCcomputingadvancementsintroducedintheIntel80386processor,andWindowsNTand2000weredesignedaroundthiscapability.Virtualmemoryistheabilitytousethecomputer’sdiskspaceasanextensiontothephysicalmemoryinstalledinthemachine.
EveryprocesscreatedonaWindowscomputerbytheProcessManagerisassignedavirtualaddressspacethatappearstobe4GBinsize.TheVirtualMemoryManager(VMM)isresponsibleformappingthatvirtualaddressspacetoactualsystemmemory,asneeded,in4KBunitscalledpages.Whenthereisnotenoughphysicalmemoryinthecomputertoholdallofthepagesallocatedbytherunningprocesses,theVMMswapstheleastrecentlyusedpagestoafileonthesystem’sharddiskdrivecalledPagefile.sys.Thisswappingprocessisknownasmemorypaging.
Local Procedure Call Facility
The environmental subsystems that run in Windows’ user mode (such as the Win32 subsystem) are utilized by applications (also running in user mode) in a server-client relationship. The messages between the clients and servers are carried by the local procedure call (LPC) facility. Local procedure calls are essentially an internalized version of the remote procedure calls used for messaging between systems connected by a network.
When an application (functioning as a client) makes a call for a function that is provided by one of the environmental subsystems, a message containing that call is transmitted to the appropriate subsystem using LPCs. The subsystem (functioning as the server) receives the message and replies using the same type of message. The process is completely transparent to the application, which is not aware that the function is not implemented in its own code.
I/O Manager
The I/O Manager handles all of a Windows computer’s input/output functions by providing a uniform environment for communication between the various drivers loaded on the machine. Using the layered architecture shown in Figure 17-2, the I/O Manager enables each driver to utilize the services of the drivers in the lower layers. For example, when an application needs to access a file on a drive, the I/O Manager passes an I/O request packet (IRP) generated by a file system driver down to a disk driver. Since the I/O Manager communicates with all of the drivers in the same way, the request can be satisfied without the file system having any direct knowledge of the disk device where the file is stored.
Figure 17-2 The I/O Manager provides a layered interface between Windows drivers.
Window Manager
The Window Manager, along with the Graphical Device Interface (GDI), is responsible for creating the graphical user interface used by Windows applications. Applications make calls to Window Manager functions in order to create architectural elements on the screen, such as buttons and windows. In the same way, the Window Manager informs the application when the user manipulates screen elements by moving the cursor, clicking buttons, or resizing a window.
User Mode Components
In addition to the kernel mode services, Windows has two types of protected subsystems that run in user mode: environment subsystems and integral subsystems. The environment subsystems enable Windows to run applications that were designed for various OS environments, such as Win32. Integral subsystems, like the security system, perform vital OS functions. User mode subsystems are isolated from each other and from the Windows executive services so that modifications to the subsystem code do not affect the fundamental operability of the OS. If a user mode component such as a subsystem or application should crash, the other subsystems and the Windows executive services are not affected.
The Win32 Subsystem
Win32 is the primary environment subsystem that provides support for all native Windows applications. All of the other environment subsystems included with Windows are optional and loaded only when a client application needs them, but Win32 is required and runs at all times. This is because it is responsible for handling the keyboard and mouse inputs and the display output for all of the other subsystems. Since they rely on Win32 API calls, the other environment subsystems can all be said to be clients of Win32.
The DOS/Win16 Subsystem
Unlike earlier versions of Windows, Windows 2000 and NT did not run a DOS kernel, and as a result, they could not shell out to a DOS session. Instead, 2000 and NT emulated DOS using a subsystem that creates virtual DOS machines (VDMs). Every DOS application used a separate VDM that emulated an Intel x86 processor in Virtual 86 mode (even on a non-Intel system). All of the application’s instructions ran natively within the VDM except for I/O functions, which were emulated using virtual device drivers (VDDs). VDDs converted the DOS I/O functions into standard Windows API calls and fed them to the I/O Manager, which satisfied the calls using the standard Windows device drivers.
NOTE Because of this emulation, not all DOS programs are guaranteed to run optimally.
Services
A service is a program or other component that Windows loads with the OS before a user logs on or sees the desktop interface. Services usually load automatically and permit no interference from the system user as they’re loading. This is in contrast to other mechanisms that load programs automatically, such as the Startup program group. A user with appropriate rights can start, stop, and pause services using the Services console or the NET command and also specify whether a particular service should load when the system starts, not load at all, or require a manual startup. See Figure 17-3 for the options.
Figure 17-3 The NET command is used from the command prompt.
Users without administrative rights cannot control the services at all, which makes the services a useful tool for network administrators. You can, for example, configure a workstation to load a particular service at startup, and it will run whether a user logs on or not. The Server service, for example, which enables network users to access the computer’s shares, loads automatically by default. Even if no one logs on to the computer, it is possible to access its shares from the network.
The Windows Networking Architecture
Networking is an integral part of Windows, and the operating systems use a modular networking architecture that provides a great deal of flexibility for the network administrator. While not perfectly analogous to the Open Systems Interconnection (OSI) reference model, the Windows networking architecture is structured in layers that provide interchangeability of modules such as network adapter drivers and protocols. Figure 17-4 shows the basic structure of the networking stack.
Figure 17-4 The Windows networking architecture
Windows relies on two primary interfaces to separate the basic networking functions, called the NDIS interface and Transport Driver Interface (TDI). Between these two interfaces are the protocol suites that provide transport services between computers on the network: TCP/IP, NetBEUI, and IPX. Although they have different features, these three sets of protocols are interchangeable when it comes to basic networking services. A Windows computer can use any of these protocols or all of them simultaneously. The TDI and NDIS interfaces enable the components operating above and below them to address whichever protocol is needed to perform a particular task.
The NDIS Interface
The Network Driver Interface Specification (NDIS) is a standard developed jointly by Microsoft and 3Com that defines an interface between the network layer protocols and the media access control (MAC) sublayer of the data link layer protocol. The NDIS interface lies between the network adapter drivers and the protocol drivers. Protocols do not communicate directly with the network adapter; instead, they go through the NDIS interface. This enables a Windows computer to have any number of network adapters and any number of protocols installed, and any protocol can communicate with any adapter.
The latest version of NDIS is 6.10, which appeared in Windows Vista. NDIS 6.30 is included in Windows 8, and NDIS 6.40 with Windows 8.1. It is implemented on a Windows 8 system in two parts: the NDIS wrapper (Ndis.sys) and the NDIS MAC driver. The NDIS wrapper is not device specific; it contains common code that surrounds the MAC drivers and provides the interface between the network adapter drivers and the protocol drivers installed in the computer. This replaces the Protocol Manager (PROTMAN) used by other NDIS versions to regulate access to the network adapter.
The NDIS MAC driver is device specific and provides the code needed for the system to communicate with the network interface adapter. This includes the mechanism for selecting the hardware resources the device uses, such as the IRQ and I/O port address. All of the network interface adapters in a Windows system must have an NDIS driver, which is provided by virtually all of the manufacturers producing NICs today.
The Transport Driver Interface
The Transport Driver Interface (TDI) performs roughly the same basic function as the NDIS wrapper but higher up in the networking stack. The TDI functions as the interface between the protocol drivers and the components operating above them, such as the server and the redirectors. Traffic moving up and down the stack passes through the interface and can be directed to any of the installed protocols or other components.
Above the TDI, Windows has several more components that applications use to access network resources in various ways, using the TDI as the interface to the protocol drivers. Because Windows is a peer-to-peer operating system, there are components that handle traffic running in both directions. The most basic of these components are the Workstation and Server services, which enable the system to access network resources and provide network clients with access to local resources (respectively). Also at this layer are application programming interfaces (APIs), such as NetBIOS and Windows Sockets, which provide applications running on the system special access to certain network resources.
Effective with Windows 8, which has two working modes, Metro and Desktop, TDI is being phased out. (You may see a message “TDI filters and LSPs are not allowed” when working in Metro mode.) Most apps that worked in Windows 7 also work in Desktop mode, including LSP. However, Metro mode cannot use the normal Win API and instead uses WinRT, which has been developed especially for Windows 8.
NOTE Layer Service Protocols is a retired Microsoft Windows service that could insert itself into the TCP/IP protocol stack and modify and intercept both inbound and outbound traffic.
The Workstation Service
When you open a file or print a document in an application, the process is the same whether the file or printer is part of the local system or on the network, as far as the user and the application are concerned. The Workstation service determines whether the requested file or printer is local or on the network and sends the request to the appropriate driver. By providing access to network resources in this way, the Workstation service is essentially the client half of Windows’ client-server capability.
The Workstation service consists of two modules: Services.exe, the Service Control Manager, which functions as the user mode interface for all services; and the Windows network redirector. When an application requests access to a file, the request goes to the I/O Manager, which passes it to the appropriate file system driver. The redirector is also a file system driver, but instead of providing access to a local drive, the redirector transmits the request down through the protocol stack to the appropriate network resource. The I/O Manager treats a redirector no differently from any other file system drivers. Windows installs a redirector for the Microsoft Windows network by default.
The Multiple UNC Provider
In the case of a system with multiple network clients (and multiple redirectors), Windows uses one of two mechanisms for determining which redirector it should use, depending on how an application formats its requests for network resources. The multiple UNC provider (MUP) is used for applications that use Uniform Naming Convention (UNC) names to specify the desired resource, and the multiprovider router (MPR) is used for applications that use Win32 network APIs.
The UNC defines the format that Windows uses for identifying network items. UNC names take the following form:
\\server\share
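A small parser for that form shows what the MUP has to extract from a name before it can pick a redirector: the server, the share, and whatever path follows. This is an added example, not the book’s or Windows’ own code; the names in the tests are constructed, and only the backslash form shown above is accepted.

```python
"""Parse UNC names of the form \\server\share[\path...]. Added example, not
from the book; server and share names in the usage below are constructed.
Only the backslash form is accepted; the real rules for which characters a
server or share name may contain are left to the redirector."""
import re
from typing import NamedTuple, Optional, Tuple


class UncName(NamedTuple):
    server: str
    share: str
    path: Tuple[str, ...]   # components below the share, may be empty


# two leading backslashes, a server, a backslash, a share, then optional
# backslash-separated components (a trailing backslash is tolerated)
_UNC_RE = re.compile(
    r"^\\\\(?P<server>[^\\/]+)\\(?P<share>[^\\/]+)(?P<rest>(?:\\[^\\/]*)*)$"
)


def parse_unc(name: str) -> Optional[UncName]:
    """Return the parts of a UNC name, or None if `name` is not in UNC form
    (a drive-letter path, a lone server with no share, a URL-style path)."""
    m = _UNC_RE.match(name)
    if not m:
        return None
    rest = tuple(p for p in m.group("rest").split("\\") if p)
    return UncName(m.group("server"), m.group("share"), rest)


def is_admin_share(share: str) -> bool:
    """Shares whose name ends in '$' are hidden from browse lists; the
    built-in ones (C$, ADMIN$, IPC$) map to administrative resources, so a
    reference to one is worth noticing when reviewing logon scripts or logs."""
    return share.endswith("$")


def describe(name: str) -> str:
    """Human-readable classification of a name, for audit output."""
    parsed = parse_unc(name)
    if parsed is None:
        return "not a UNC name; would be handled as a local path"
    kind = "hidden/administrative share" if is_admin_share(parsed.share) else "share"
    where = "\\".join(parsed.path) or "(share root)"
    return f"{kind} {parsed.share!r} on server {parsed.server!r}, path {where}"
```

`describe("\\\\srv\\C$\\Windows")` reports a hidden/administrative share, whereas a drive-letter path returns the "not a UNC name" branch, which is the distinction the MUP makes before a redirector is involved at all.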
The Multiprovider Router
For applications that request access to network resources using the Win32 network APIs (also known as the WNet APIs), the multiprovider router determines which redirector should process the requests. In addition to a redirector, a network client installed on a Windows computer includes a provider DLL that functions as an interface between the MPR and the redirector. The MPR passes the requests that it receives from applications to the appropriate provider DLLs, which pass them to the redirectors.
The Server Service
Just as the Workstation service provides network client capabilities, the Server service enables other clients on the network to access the computer’s local resources. When the redirector on a client system transmits a request for access to a file on a server, the receiving system passes the request up the protocol stack to the Server service. The Server service is a file system driver (called Srv.sys) that is started by the Service Control Manager, just like the Workstation service, that operates just above the TDI. When the Server service receives a request for access to a file, it generates a read request and sends it to the appropriate local file system driver (such as the NTFS or FAT driver) through the I/O Manager. The local file system driver accesses the requested file in the usual manner and returns it to the Server service, which transmits it across the network to the client. The Server service also provides support for printer sharing, as well as remote procedure calls (RPCs) and named pipes, which are other mechanisms used by applications to communicate over the network.
APIs
Services are not the only components that interact with the TDI on a Windows system. Application programming interfaces, such as NetBIOS and Windows Sockets, also send and receive data through the TDI, enabling certain types of applications to communicate with other network systems without using the Server and Workstation services. Windows also supports other APIs that operate higher up in the stack and use the standard services to reach the TDI.
NetBIOS
NetBIOS was an integral component of Microsoft Windows networking through Windows XP because it provides the namespace used to identify the domains, computers, and shares on the network. Because of its dependence on NetBIOS, Windows supports it in all of its protocols. NetBEUI is inherently designed for use with NetBIOS communications, and the NetBIOS over TCP/IP (NetBT) standards defined by the Internet Engineering Task Force (IETF) enable its use with the TCP/IP protocols. Because NetBIOS could be used to gather information about your network (and each computer), many people disable it in both Windows 7 and Windows 8.
NOTE In today’s networks, NetBIOS is often used for file and print sharing on a local network. This leaves an open path for hackers. You can remove the risk in two ways. Disable NetBIOS through your network connection settings on your Ethernet adapter or disable the ports used by NetBIOS:
• UDP 137, the NetBIOS name service port
• UDP 138, the NetBIOS datagram service port
• TCP 139, the NetBIOS session service port
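After either change, the way to confirm it took effect is to look for traffic to those three ports. The following added example (not from the book) does that over firewall log lines; the lines are constructed for the example and follow the first eight fields of the Windows Firewall log record (date time action protocol src-ip dst-ip src-port dst-port), with the addresses invented.

```python
"""Flag NetBIOS flows in firewall log lines and summarize which of the
three services are still being reached. Added example, not from the book.
SAMPLE_LOG is constructed in the field order of the Windows Firewall log:
date time action protocol src-ip dst-ip src-port dst-port."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# the same three ports the note lists, keyed by (protocol, destination port)
NETBIOS_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
}

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2024-05-01 10:00:01 ALLOW UDP 10.0.0.5 10.0.0.255 137 137
2024-05-01 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.20 49321 139
2024-05-01 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.20 49322 445
2024-05-01 10:00:04 DROP UDP 203.0.113.9 10.0.0.20 138 138
2024-05-01 10:00:05 ALLOW UDP 10.0.0.7 10.0.0.255 138 138
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into a record; header, blank and short lines give None."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        return {
            "action": fields[2], "proto": fields[3].upper(),
            "src": fields[4], "dst": fields[5],
            "sport": int(fields[6]), "dport": int(fields[7]),
        }
    except ValueError:          # non-numeric port field
        return None


def netbios_events(log_text: str) -> List[Dict[str, object]]:
    """Return only the records whose destination is one of the NetBIOS ports,
    tagged with the service name."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        service = NETBIOS_PORTS.get((rec["proto"], rec["dport"]))
        if service is None:
            continue
        rec["service"] = service
        events.append(rec)
    return events


def summarize(events: List[Dict[str, object]]) -> Tuple[Counter, List[str]]:
    """Allowed NetBIOS flows per service, and the hosts that sent them.
    Dropped flows are excluded: they show the port block working."""
    allowed = [e for e in events if e["action"] == "ALLOW"]
    return Counter(e["service"] for e in allowed), sorted({e["src"] for e in allowed})
```

On the sample, three flows are allowed (one per service) from two internal hosts, and the inbound datagram from 203.0.113.9 is dropped; the TCP 445 flow is not a NetBIOS port and is ignored, which is the reason a check of this kind has to be per port rather than per protocol.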
Windows Sockets
The Windows Sockets specification defines one of the APIs that is most commonly used by applications because it is the accepted standard for Internet network access. Web browsers, FTP clients, and other Internet client and server applications all use Windows Sockets (Winsock) to gain access to network resources. Unlike NetBIOS, Winsock does not support all of the Windows protocols. While it can be used with NWLink (IPX), the overwhelming majority of Winsock applications use TCP/IP exclusively. As with NetBIOS, Winsock is implemented in Windows as a kernel mode emulator just above the TDI and a user mode driver, called Wsock32.dll.
File Systems
The FAT file system was a holdover from the DOS days that the developers of the original Windows NT product were seeking to transcend. While an adequate solution for a workstation, the 16-bit FAT file system used by DOS cannot support the large volumes typically required on servers, and it lacks any sort of access control mechanism.
FAT16
The traditional DOS file system divided a hard disk drive into volumes that were composed of uniformly sized clusters and used a file allocation table (FAT) to keep track of the data stored in each cluster. Each directory on the drive contained a list of the files in that directory and, in addition to the filename and other attributes, specified the entry in the FAT that represented the cluster containing the beginning of the file. That first FAT entry contained a reference to another entry that references the file’s second cluster, the second entry references the third, and so on, until enough clusters are allocated to store the entire file. This is known as a FAT chain.
NOTE It was only with the introduction of the FAT32 file system that the traditional FAT file system came to be called FAT16. In most cases, references to a FAT drive without a numerical identifier refer to a FAT16 drive.
The other limiting factor of the FAT file system is that as clusters grow larger, more drive space is wasted because of slack. Slack is the fraction of a cluster left empty when the last bit of data in a file fails to completely fill the last cluster in the chain. When 3KB of data from a file is left to store, for example, a volume with 4KB clusters will contain 1KB of slack, while a volume with 64KB clusters will waste 61KB. Windows NT is designed to be a server OS as well as a workstation OS, and servers are naturally expected to have much larger drives. The amount of slack space and the 4GB limit on volume size are not acceptable for a server OS.
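The FAT chain described under FAT16 and the slack computation above can both be exercised on a small constructed table. This is an added example, not code from the book; the table contents are invented, while the FAT16 marker values (0 for a free cluster, 0xFFF7 for a bad cluster, 0xFFF8 and above for end of chain) are the real ones. Walking a chain defensively, with loop and free-cluster detection, is what a forensic tool has to do on a damaged volume.

```python
"""FAT16 chain walk and slack computation, modelling the structures
described in the text. Added example, not from the book; SAMPLE_FAT is
constructed. Entry values follow the FAT16 convention: 0 = free cluster,
0xFFF7 = bad cluster, 0xFFF8..0xFFFF = end of chain."""
from typing import List, Tuple

FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8


def follow_fat_chain(fat: List[int], start: int) -> List[int]:
    """Return the clusters of the chain beginning at `start`, in order.
    Raises ValueError on an out-of-range entry, a loop, or a chain that runs
    into a free or bad cluster; each of those is how a damaged table shows up."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):          # entries 0 and 1 are reserved
            raise ValueError(f"cluster {cur:#06x} out of range")
        if cur in seen:
            raise ValueError(f"loop at cluster {cur:#06x}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == 0:
            raise ValueError(f"cluster {cur:#06x} points to a free cluster")
        if nxt == FAT16_BAD:
            raise ValueError(f"cluster {cur:#06x} points to a bad cluster")
        cur = nxt


def clusters_and_slack(file_size: int, cluster_size: int) -> Tuple[int, int]:
    """Number of clusters a file occupies and the slack bytes left unused in
    the last one. A zero-length file occupies no clusters."""
    if cluster_size <= 0 or file_size < 0:
        raise ValueError("sizes must be positive")
    if file_size == 0:
        return 0, 0
    clusters = -(-file_size // cluster_size)   # ceiling division
    return clusters, clusters * cluster_size - file_size


# Constructed table, indexed by cluster number:
#   2 -> 5 -> 6 -> end of chain   (a healthy three-cluster file)
#   3 is free, 4 is marked bad
#   7 -> 8 -> 7                   (a corrupted, looping chain)
SAMPLE_FAT = [0xFFF8, 0xFFFF, 5, 0, FAT16_BAD, 6, 0xFFFF, 8, 7]
```

With 3KB left to store, `clusters_and_slack(3 * 1024, 4 * 1024)` gives one cluster and 1KB of slack and `clusters_and_slack(3 * 1024, 64 * 1024)` gives 61KB, the two figures in the paragraph above.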
The other major shortcoming of the FAT file system is the amount of information about each file that is stored on the disk drive. In addition to the data itself, a FAT drive maintains the following information about each file:
• Filename Limited to an eight-character name plus a three-character extension
• Attributes Contains four usable file attributes: Read-only, Hidden, System, and Archive
• Date/time Specifies the date and time that the file was created or last modified
• Size Specifies the size of the file, in bytes
FAT32
As hard disk drive capacities grew over the years, the limitations of the FAT file system became more of a problem. To address the problem, Microsoft created a file system that used 32-bit FAT entries instead of 16-bit ones. The larger entries meant that there could be more clusters on a drive. The results were that the maximum size of a FAT32 volume is 2 terabytes (or 2,048GB) instead of 2GB for a FAT16 drive, and the clusters can be much smaller, thus reducing the waste because of slack space.
The FAT32 file system was introduced in the Windows 95 OSR2 release and was also included in Windows 98, Windows ME, and Windows 2000. FAT32 supported larger volumes and smaller clusters, but it did not provide any appreciable change in performance, and it still did not have the access control capabilities needed for network servers like NTFS does.
NTFS
NTFS was the file system intended to be used through Windows 7. Without it, you cannot install Active Directory or implement the file and directory-based permissions needed to secure a drive for network use. Because it uses a completely different structure than FAT drives, you cannot create NTFS drives using the FDISK utility.
In the NTFS file system, files take the form of objects that consist of a number of attributes. Unlike DOS, in which the term attribute typically refers only to the Read-only, System, Hidden, and Archive flags, NTFS treats all of the information regarding the file as an attribute, including the flags, the dates, the size, the filename, and even the file data itself. NTFS also differs from FAT in that the attributes are stored with the file, instead of in a separate directory listing.
The equivalent structure to the FAT on an NTFS drive is called the master file table (MFT). Unlike FAT, however, the MFT contains more than just pointers to other locations on the disk. In the case of relatively small files (up to approximately 1,500 bytes), all of the attributes are included in the MFT, including the file data. When larger amounts of data need to be stored, additional disk clusters called extents are allocated, and pointers are included with the file’s attributes in the MFT. The attributes stored in the MFT are called resident attributes; those stored in extents are called nonresident attributes.
In addition to the four standard DOS file attributes, an NTFS file includes a Compression flag; two dates/times specifying when the file was created and when it was last modified; and a security descriptor that identifies the owner of the file, lists the users and groups that are permitted to access it, and specifies what access they are to be granted.
Resilient File System
Starting with Windows Server 2012 and Windows Server 8, Microsoft has introduced Resilient File System (ReFS), an improved system that has the ability to handle much higher volumes and can share storage pools across machines. It is built on the NTFS, and one of its main advantages is the ability to detect all forms of disk corruption. Primarily designed for storage at this point, it cannot boot an operating system or be used on removable media.
The Windows Registry
The registry is the database where Windows stores nearly all of its system configuration data. As a system or network administrator, you’ll be working with the registry in a variety of ways, since many of the Windows configuration tools function by modifying entries in the registry. The registry is a hierarchical database that is displayed in most registry editor applications as an expandable tree, not unlike a directory tree. At the root of the tree are five containers, called keys, with the following names:
• HKEY_CLASSES_ROOT Contains information on file associations—that is, associations between filename extensions and applications.
• HKEY_CURRENT_USER Contains configuration information specific to the user currently logged on to the system. This key is the primary component of a user profile.
• HKEY_LOCAL_MACHINE Contains information on the hardware and software installed in the computer, the system configuration, and the Security Accounts Manager database. The entries in this key apply to all users of the system.
• HKEY_USERS Contains information on the currently loaded user profiles, including the profile for the user who is currently logged on and the default user profile.
• HKEY_CURRENT_CONFIG Contains hardware profile information used during the system boot sequence.
In most cases, you work with the entries in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys (often abbreviated as the HKLM and HKCU, respectively) when you configure a Windows system, whether you are aware of it or not. When the keys are saved as files, as in the case of user profiles, they’re often referred to as hives. When you expand one of these keys, you see a series of subkeys, often in several layers. The keys and subkeys function as organizational containers for the registry entries, which contain the actual configuration data for the system. A registry entry consists of three components: the value name, the value type, and the value itself.
The value name identifies the entry for which a value is specified. The value type specifies the nature of the data stored in the entry, such as whether it contains a binary value, an alphanumeric string of a given size, or multiple values. The value types found in the registry are as follows:
• REG_SZ Indicates that the value consists of a string of alphanumeric characters. Many of the user-configurable values in the registry are of this type.
• REG_DWORD Indicates that the value consists of a 4-byte numerical value used to specify information such as device parameters, service values, and other numeric configuration parameters.
• REG_MULTI_SZ Same as the REG_SZ value type, except that the entry contains multiple string values.
• REG_EXPAND_SZ Same as the REG_SZ value type, except that the entry contains a variable (such as %SystemRoot%) that must be replaced when the value is accessed by an application.
• REG_BINARY Indicates that the value consists of raw binary data, usually used for hardware configuration information. You should not modify these entries manually unless you are familiar with the function of every binary bit in the value.
• REG_FULL_RESOURCE_DESCRIPTOR Indicates that the value holds configuration data for hardware devices in the form of an information record with multiple fields.
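The value types become concrete when you look at them in the text export format that the Registry Editor writes (a .reg file), where each type has its own encoding: quoted text for REG_SZ, `dword:` for REG_DWORD, and hex byte lists (`hex(2):` for REG_EXPAND_SZ, `hex(7):` for REG_MULTI_SZ, plain `hex:` for REG_BINARY, the strings being UTF-16LE). The parser below is an added example, not from the book; the export text it parses is constructed, with an invented key path and values, and the `expand` function stands in for what an application does when it reads a REG_EXPAND_SZ value.

```python
"""Parser for the .reg export format written by the Registry Editor, as a
way to see the registry value types in concrete form. Added example, not
from the book; SAMPLE_REG is constructed (key path, names and values are
invented). Handles REG_SZ, REG_DWORD, REG_EXPAND_SZ (hex(2)), REG_MULTI_SZ
(hex(7)) and REG_BINARY (hex); any other hex(n) type is kept as raw bytes."""
import re
from typing import Any, Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"InstallDir"="C:\\Program Files\\ExampleCorp"
"Port"=dword:0000270f
"LogPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,61,00,67,00,65,00,6e,00,74,00,2e,00,6c,00,6f,00,67,00,00,00
"Servers"=hex(7):61,00,6c,00,70,00,68,00,61,00,00,00,62,00,65,00,74,00,61,00,00,00,00,00
"Fingerprint"=hex:de,ad,be,ef
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
_HEX_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text: str) -> List[str]:
    # hex data may be wrapped: a line ending in ",\" continues on the next
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(",\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode_hex(prefix: str, data: str) -> Tuple[str, Any]:
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    kind = _HEX_TYPES.get(prefix, prefix.upper())
    if kind == "REG_EXPAND_SZ":               # one NUL-terminated UTF-16LE string
        return kind, raw.decode("utf-16-le").rstrip("\x00")
    if kind == "REG_MULTI_SZ":                # NUL-separated strings, double NUL at end
        return kind, [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return kind, raw


def parse_reg(text: str) -> List[Tuple[str, str, str, Any]]:
    """Return (key, value name, value type, value) tuples; '' is the default value."""
    entries, key = [], None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = _unescape(m.group("name") or ""), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            entries.append((key, name, "REG_SZ", _unescape(data[1:-1])))
        elif data.startswith("dword:"):
            entries.append((key, name, "REG_DWORD", int(data[6:], 16)))
        else:
            kind, value = _decode_hex(data.split(":", 1)[0], data)
            entries.append((key, name, kind, value))
    return entries


def expand(value: str, env: Dict[str, str]) -> str:
    """Expand %NAME% references the way a reader of REG_EXPAND_SZ does;
    names missing from `env` are left in place rather than dropped."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)
```

Reading exports this way is how one audits a key offline (for example, comparing a machine’s autostart entries against a baseline) without touching the live registry; the type tags matter because a value that looks like a path is only safe to interpret as one if it is REG_SZ or REG_EXPAND_SZ.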
The registry hierarchy is large and complex, and the names of its keys and entries are often cryptic. Locating the correct entry can be difficult, and the values are often less than intuitive. When you edit the registry manually, you must be careful to supply the correct value for the correct entry or the results can be catastrophic. An incorrect registry modification can halt the computer or prevent it from booting, forcing you to reinstall Windows from scratch.
Because of the registry’s sensitivity to improper handling, selecting the proper tool to modify it is crucial. The trade-off in Windows’ registry editing tools is between a safe, easy-to-use interface with limited registry access and comprehensive access using a less intuitive interface. The following sections examine the various registry editing tools included with Windows.
The Control Panel
Although it isn’t evident from the interface, most of the functions in the Windows Control Panel work by modifying settings in the registry. The Control Panel’s graphical interface provides users with simplified access to the registry and prevents them from introducing incorrect values due to typographical errors. You can also use Windows’ security mechanisms to prevent unauthorized access to certain registry settings through the Control Panel. The main disadvantage of using the Control Panel to modify the registry is that it provides user access to only a small fraction of the registry’s settings.
The System Policy Editor
System policies are collections of registry settings saved in a policy file that you can configure a Windows computer to load whenever a user logs on to the system or the network. You can create different sets of policies for each of your network users so that when John Doe logs on to a workstation, his customized registry settings are downloaded to the computer and loaded automatically. Windows includes a tool called the System Policy Editor that you can use to create policy files; you can also use it to modify the registry directly. Like the Control Panel, the System Policy Editor uses a graphical interface to set registry values, but it is far more configurable than the Control Panel and can provide access to a great many more registry entries.
The system policies that the System Policy Editor lists in its hierarchical display are derived from a file called a policy template. The template is an ASCII text file with an .adm extension that uses a special format to define how each policy should appear in the System Policy Editor and which registry settings each policy should modify. Windows includes several template files that define policies for a wide range of system settings, some of which are also configurable through the Control Panel. Because creating a new system policy is simply a matter of creating a new template, software developers can include with their products template files that define application-specific system policies. You can also create your own templates to modify other registry settings.
The process of setting values for a system policy by using the System Policy Editor consists of navigating through the hierarchical display and selecting a policy. Some policies consist of a single feature that you can toggle on and off, while others have additional controls in the form of checkboxes, pull-down menus, or data entry fields. To create a policy file, you select the policies you want to set, specify values for them, and then save them to a file with a .pol extension.
The System Policy Editor can also directly modify the Windows registry, however. When you select File | Open Registry, the program connects to the registry on the local machine. When you configure a policy, the program applies the necessary changes directly to the registry. In addition, when you choose File | Connect, you can select another Windows computer on the network and modify its registry from your remote location.
The use of customizable template files makes the System Policy Editor a far more comprehensive registry-editing tool than the Control Panel. You can specify values for a wider range of registry entries, while still retaining the advantages of the graphical interface. Because the changes that the System Policy Editor makes to the registry are controlled by the policy template, the possibility of a misspelled value in a data entry field still exists, but the chances of an incorrect value damaging the system are far less than when editing the registry manually.
Group Policies
Windows group policies are the next step in the evolution of the system policies found in Windows NT and 98. Group policies include all of the registry modification capabilities found in NT system policies, plus a great deal more, such as the ability to install and update software, implement disk quotas, and redirect folders on user workstations to network shares. While NT system policies are associated with domain users and groups, Windows group policies are associated with Active Directory objects, such as sites, domains, and organizational units.
The Registry Editors
Windows includes a Registry Editor, called regedit.exe, that provides direct access to the entire registry. There are many Windows features you can configure using the Registry Editor that are not accessible by any other administrative interface. This program is the most powerful and comprehensive means of modifying registry settings in Windows and also the most dangerous. The editor does not supply friendly names for the registry entries, and it does not use pull-down menus or checkboxes to specify values. You must locate (or create) the correct entry and supply the correct value in the proper format, or the results can be wildly unpredictable. Windows installs the Registry Editor with the OS, but it does not create a shortcut for it in the Start menu or on the desktop. You must launch the Registry Editor by using the Run dialog box, by using Windows Explorer, or by creating your own shortcuts. Like the System Policy Editor, the Registry Editor enables you to connect to another Windows system on the network and access its registry.
NOTE Making registry adjustments can cause major issues with your computer. Registry editing should be done only after a complete registry backup.
Optional Windows Networking Services
In addition to its core services, Windows, particularly in the Server versions, includes a large collection of optional services that you can choose to install either with the OS or at any time afterward. Some of these services are discussed in the following sections.
Active Directory
Active Directory, the enterprise directory service included with most Windows Server products, is a hierarchical, replicated directory service designed to support networks of virtually unlimited size. For more information on Active Directory, see Chapter 18.
Microsoft DHCP Server
Unlike NetBEUI and IPX, using the TCP/IP protocols on a network requires that each computer be configured with a unique IP address, as well as other important settings. A Dynamic Host Configuration Protocol (DHCP) server is an application designed to automatically supply client systems with TCP/IP configuration settings as needed, thus eliminating a tedious manual network administration chore.
Microsoft DNS Server
The Domain Name System (DNS) facilitates the use of familiar names for computers on a TCP/IP network instead of the IP addresses they use to communicate. Designed for use on the Internet, DNS servers resolve domain names (Internet domain names, not NT domain names) into IP addresses, either by consulting their own records or by forwarding the request to another DNS server. The DNS server included with Windows can function on the Internet in this capacity.
Windows Internet Naming Service
Windows Internet Naming Service (WINS) is another service that supports the use of TCP/IP on a Windows network. Windows 9x and NT identified systems using NetBIOS names, but in order to transmit a packet to a machine with a given name using TCP/IP, the sender had to first discover the IP address associated with that name. WINS is essentially a database server that stores the NetBIOS names of the systems on the network and their associated IP addresses. When a system wants to transmit, it sends a query to a WINS server containing the NetBIOS name of the destination system, and the WINS server replies with its IP address.
CHAPTER 18
Active Directory
The domain-based directory service used by Windows once came under fire for its inability to scale up to support larger networks. An enterprise network that consists of multiple domains is limited in its communication between those domains to the trust relationships that administrators must manually establish between them. In addition, because each domain must be maintained individually, the account administration process is complicated enormously. Since the original Windows NT 3.1 release in 1993, Microsoft promised to deliver a more robust directory service better suited for use on large networks, and finally Microsoft accomplished the task in Windows 2000 with Active Directory.
Active Directory (AD) is an object-oriented, hierarchical, distributed directory services database system that provides a central storehouse for information about the hardware, software, and human resources of an entire enterprise network. Based on the general principles of the X.500 global directory standards, network users are represented by objects in the Active Directory tree. Administrators can use those objects to grant users access to resources anywhere on the network, which are also represented by objects in the tree. Unlike a flat, domain-based structure for a directory, Active Directory expands the structure into multiple levels. The fundamental unit of organization in the Active Directory database is still the domain, but a group of domains can now be consolidated into a tree, and a group of trees can be consolidated into a forest. Administrators can manage multiple domains simultaneously by manipulating the tree and can manage multiple trees simultaneously by manipulating a forest.
A directory service is not only a database for the storage of information, however. It also includes the services that make that information available to users, applications, and other services. Active Directory includes a global catalog that makes it possible to search the entire directory for particular objects using the value of a particular attribute. Applications can use the directory to control access to network resources, and other directory services can interact with AD using a standardized interface and the Lightweight Directory Access Protocol (LDAP).
Active Directory Architecture
Active Directory is composed of objects, which represent the various resources on a network, such as users, user groups, servers, printers, and applications. An object is a collection of attributes that define the resource, give it a name, list its capabilities, and specify who should be permitted to use it. Some of an object’s attributes are assigned automatically when they’re created, such as the globally unique identifier (GUID) assigned to each one, while others are supplied by the network administrator. A user object, for example, has attributes that store information about the user it represents, such as an account name, password, telephone number, and e-mail address. Attributes also contain information about the other objects with which the user interacts, such as the groups of which the user is a member. There are many different types of objects, each of which has different attributes, depending on its functions.
Active Directory provides administrators and users with a global view of the network. Earlier Windows NT directory services could use multiple domains, but instead of managing the users of each domain separately, for example, as in Windows NT 4.0, AD administrators create a single object for each user and can use it to grant that user access to resources in any domain.
Each type of object is defined by an object class stored in the directory schema. The schema specifies the attributes that each object must have, the optional attributes it may have, the type of data associated with each attribute, and the object’s place in the directory tree. The schema definitions are themselves stored as objects in Active Directory, called class schema objects and attribute schema objects. A class schema object contains references to the attribute schema objects that together form the object class. This way, an attribute is defined only once, although it can be used in many different object classes.
The schema is extensible so that applications and services developed by Microsoft or third parties can create new object classes or add new attributes to existing object classes. This enables applications to use Active Directory to store information specific to their functions and provide that information to other applications as needed. For example, rather than maintain its own directory, an e-mail server application such as Microsoft Exchange can modify the Active Directory schema so that it can use AD to authenticate users and store their e-mail information.
Object Types
There are two basic types of objects in Active Directory, called container objects and leaf objects. A container object is simply an object that stores other objects, while a leaf object stands alone and cannot store other objects. Container objects essentially function as the branches of the tree, and leaf objects grow off of the branches. Active Directory uses container objects called organizational units (OUs) to store other objects. Containers can store other containers or leaf objects, such as users and computers. The guiding rule of directory tree design is that rights and permissions flow downward through the tree. Assigning a permission to a container object means that, by default, all of the objects in the container inherit that permission. This enables administrators to control access to network resources by assigning rights and permissions to a single container rather than to many individual users.
By default, an Active Directory tree is composed of objects that represent the users and computers on the network, the logical entities used to organize them, and the folders and printers they regularly access. These objects, their functions, and the icons used to represent them in tools such as Active Directory Users and Computers are listed in Table 18-1.
Table 18-1 Some Active Directory Object Types
ObjectNamingEveryobjectintheActiveDirectorydatabaseisuniquelyidentifiedbyanamethatcanbeexpressedinseveralforms.ThenamingconventionsarebasedontheLightweightDirectoryAccessProtocol(LDAP)standarddefinedinRFC2251,publishedbytheInternetEngineeringTaskForce(IETF).Thedistinguishedname(DN)ofanobjectconsistsofthenameofthedomaininwhichtheobjectislocated,plusthepathdownthedomaintreethroughthecontainerobjectstotheobjectitself.Thepartofanobject’snamethatisstoredintheobjectiscalleditsrelativedistinguishedname(RDN).
NOTETheLightweightDirectoryAccessProtocolisanadaptationoftheDirectoryAccessProtocol(DAP)designedforusebyX.500directories.ActiveDirectorydomaincontrollersandseveralotherdirectoryservicesuseLDAPtocommunicatewitheachother.
Byspecifyingthenameoftheobjectandthenamesofitsparentcontainersuptotherootofthedomain,theobjectisuniquelyidentifiedwithinthedomain,eveniftheobjecthasthesamenameasanotherobjectinadifferentcontainer.Thus,ifyouhavetwousers,calledJohnDoeandJaneDoe,youcanusetheRDNjdoeforbothofthem.Aslongastheyarelocatedindifferentcontainers,theywillhavedifferentDNs.
CanonicalNamesMostActiveDirectoryapplicationsrefertoobjectsusingtheircanonicalnames.AcanonicalnameisaDNinwhichthedomainnamecomesfirst,followedbythenamesoftheobject’sparentcontainersworkingdownfromtherootofthedomainandseparatedbyforwardslashes,followedbytheobject’sRDN,asfollows:mgh.com/sales/inside/jdoe
Inthisexample,jdoeisauserobjectintheinsidecontainer,whichisinthesalescontainer,whichisinthemgh.comdomain.
LDAPNotationThesameDNcanalsobeexpressedinLDAPnotation,whichwouldappearasfollows:cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com
Thisnotationreversestheorderoftheobjectnames,startingwiththeRDNontheleftandthedomainnameontheright.TheelementsareseparatedbycommasandincludetheLDAPabbreviationsthatdefineeachtypeofelement.Theseabbreviationsareasfollows:
•cnCommonname
•ouOrganizationalunit
•dcDomaincomponent
Inmostcases,LDAPnamesdonotincludetheabbreviations,andtheycanbeomittedwithoutalteringtheuniquenessorthefunctionalityofthename.ItisalsopossibletoexpressanLDAPnameinaURLformat,asdefinedinRFC1959,whichappearsasfollows:ldap://cz1.mgh.com/cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com
Thisformatdiffersinthatthenameofaserverhostingthedirectoryservicemustappearimmediatelyfollowingtheldap://identifier,followedbythesameLDAPnameasshownearlier.ThisnotationenablesuserstoaccessActiveDirectoryinformationusingastandardwebbrowser.
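The conversions between the three name forms above, as an added example that is not code from the book: it parses an LDAP DN with the backslash escaping rules of RFC 4514, converts it to and from the canonical slash form, and builds the RFC 4516 URL form. The names used (mgh.com, jdoe, cz1.mgh.com) are the book's illustrative values; the assumption that every container in a canonical name is an OU is stated in the code.

```python
"""Active Directory name forms: LDAP distinguished names, canonical names and
LDAP URLs. Added example, not code from the book; it follows the escaping rules
of RFC 4514 (the DN string form) and RFC 4516 (LDAP URLs). The names used in
the usage below (mgh.com, jdoe, cz1.mgh.com) are the book's illustrative values."""
import re
from urllib.parse import quote

# Characters that must be backslash-escaped inside a DN attribute value.
_SPECIAL = set(',+"\\<>;=')
_HEX = set('0123456789abcdefABCDEF')


def _split_rdns(dn):
    """Split a DN on unescaped commas, resolving '\\,' and '\\2c' style escapes.
    Only single-byte hex escapes are handled; multi-byte UTF-8 sequences are not."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(chr(int(pair, 16)))   # \2c -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])            # \, -> ','
                i += 2
            else:
                raise ValueError('dangling backslash in DN')
        elif ch == ',':
            parts.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append(''.join(buf))
    return parts


def parse_dn(dn):
    """'cn=Doe\\, John,ou=inside,dc=mgh,dc=com' -> [('cn', 'Doe, John'), ...].
    A naive dn.split(',') would yield a bogus extra RDN for the escaped comma."""
    pairs = []
    for rdn in _split_rdns(dn):
        if '=' not in rdn:
            raise ValueError(f'malformed RDN: {rdn!r}')
        attr_type, value = rdn.split('=', 1)
        pairs.append((attr_type.strip().lower(), value))
    return pairs


def escape_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == len(value) - 1 and ch == ' '
        out.append('\\' + ch if ch in _SPECIAL or leading or trailing else ch)
    return ''.join(out)


def dn_to_canonical(dn):
    """cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com -> mgh.com/sales/inside/jdoe"""
    pairs = parse_dn(dn)
    first_dc = next((i for i, (t, _) in enumerate(pairs) if t == 'dc'), len(pairs))
    if first_dc == len(pairs) or any(t != 'dc' for t, _ in pairs[first_dc:]):
        raise ValueError('expected a trailing run of dc= components')
    domain = '.'.join(v for _, v in pairs[first_dc:])
    # A '/' inside a name is escaped in canonical form so the path stays parseable.
    path = [v.replace('/', '\\/') for _, v in reversed(pairs[:first_dc])]
    return '/'.join([domain] + path)


def canonical_to_dn(canonical, leaf_type='cn'):
    """Inverse of dn_to_canonical. Canonical names carry no attribute types, so
    this assumes every container is an OU (built-in containers such as Users are
    really cn= objects; a caller that knows better must supply the types)."""
    domain, _, rest = canonical.partition('/')
    parts = [p.replace('\\/', '/') for p in re.split(r'(?<!\\)/', rest)] if rest else []
    rdns = []
    for i, name in enumerate(reversed(parts)):
        rdns.append(f"{leaf_type if i == 0 else 'ou'}={escape_value(name)}")
    rdns += [f'dc={escape_value(label)}' for label in domain.split('.')]
    return ','.join(rdns)


def ldap_url(server, dn):
    """RFC 4516 form: ldap://host/<percent-encoded DN>."""
    return f'ldap://{server}/{quote(dn, safe="=,")}'


if __name__ == '__main__':
    dn = 'cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com'
    print(dn_to_canonical(dn))
    print(canonical_to_dn('mgh.com/inside/Doe, John'))
    print(ldap_url('cz1.mgh.com', dn))
```

The escaped-comma case is the one worth remembering: an object named "Doe, John" is legal, and a tool that splits its DN on commas will attribute the object to the wrong container or fail to match it at all.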
Globally Unique Identifiers
In addition to its DN, every object in the tree has a globally unique identifier (GUID), which is a 128-bit number that is automatically assigned by the Directory System Agent when the object is created. Unlike the DN, which changes if you move the object to a different container or rename it, the GUID is permanent and serves as the ultimate identifier for an object. Security principals (users, groups, and computers) additionally carry a security identifier (SID); it is the SID, not the GUID or the DN, that appears in access control lists and in a user's access token, so an object's SID is what you must follow when tracing who holds a given permission.

User Principal Names
Distinguished names are used by applications and services when they communicate with Active Directory, but they are not easy for users to understand, type, or remember. Therefore, each user object has a user principal name (UPN) that consists of a user name and a suffix, separated by an @ symbol, just like the standard Internet e-mail address format defined in RFC 822. This name provides users with a simplified identity on the network and insulates them from the need to know their place in the domain tree hierarchy.

In most cases, the user name part of the UPN is the user object's RDN, and the suffix is the DNS name of the domain in which the user object is located. However, if your network consists of multiple domains, you can opt to use a single domain name as the suffix for all of your users' UPNs. This way, the UPN can remain unchanged even if you move the user object to a different domain. UPNs must be unique across the entire forest, which is what makes this forest-wide logon name possible.

The UPN is an internal name that is used only on the Windows network, so it doesn't have to conform to the user's Internet e-mail address. However, using your network's e-mail domain name as the suffix is a good idea so that users have to remember only one address for accessing e-mail and logging on to the network.

NOTE You can use the Active Directory Domains and Trusts console to specify alternative UPN suffixes so that all of your users can log on to the network using the same suffix.
Domains, Trees, and Forests
Windows has always based its networking paradigm on domains, and large or geographically distributed networks often use multiple domains to support their users. Active Directory makes it easier to manage multiple domains by combining them into larger units called trees and forests. When you create a new Active Directory database by promoting a server to domain controller, you create the first domain in the first tree of a new forest. If you create additional domains in the same tree, they all share the same schema, configuration, and global catalog server (GCS, which holds a master list of Active Directory objects that provides users with an overall view of the entire directory) and are connected by transitive trust relationships.

Trust relationships are how domains interact with each other to provide a unified network directory. If Domain A trusts Domain B, the users in Domain B can access the resources in Domain A. In Windows NT domains, trust relationships operate in one direction only and must be explicitly created by network administrators. If you want to create a full network of trusts between three domains, for example, you must create six separate trust relationships so that each domain trusts every other domain. Active Directory automatically creates trust relationships between domains in the same tree. These trust relationships flow in both directions, are authenticated using the Kerberos security protocol, and are transitive, meaning that if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A automatically trusts Domain C. A tree, therefore, is a single administrative unit that encompasses a number of domains. The administrative nightmare of manually creating trust relationships between large numbers of domains is diminished, and users are able to access resources in other domains. A trust only allows users to be authenticated across the domain boundary; what they can actually reach is still governed by the permissions set on each resource. Because every domain in a forest trusts every other domain, Microsoft regards the forest rather than the domain as the security boundary: administrative control of any one domain in a forest should be assumed to put the whole forest at risk.

The domains in a tree share a contiguous namespace. Unlike a Windows NT domain, which has a single, flat name, an Active Directory domain has a hierarchical name that is based on the DNS namespace, such as mycorp.com. Sharing a contiguous namespace means that if the first domain in a tree is given the name mycorp.com, the subsequent domains in that tree will have names that build on the parent domain's name, such as sales.mycorp.com and mis.mycorp.com (see Figure 18-1).

Figure 18-1 Active Directory parent and child domains

The parent-child relationships in the domain hierarchy are limited solely to the sharing of a namespace and the trust relationships between them. Unlike the container hierarchy within a domain, rights and permissions do not flow down the tree from domain to domain.

In most cases, a single tree is sufficient for a network of almost any size. However, it is possible to create multiple trees and join them in a unit known as a forest. All of the domains in a forest, including those in separate trees, share the same schema, configuration, and GCS. Every domain in a forest has a transitive trust relationship with the other domains, regardless of the trees they are in. The only difference between the trees in a forest is that they have separate namespaces. Each tree has its own root domain and child domains that build off of its name. The first domain created in a forest is known as the forest root domain.

The most common reason for having multiple trees is the merging of two organizations, both of which already have established domain names that cannot be readily assimilated into one tree. Users are able to access resources in other trees because the trust relationships between domains in different trees are the same as those within a single tree. It is also possible to create multiple forests on your network, but the need for this is rare.

Different forests do not share the same schema, configuration, and GCS, nor are trust relationships automatically created between forests. It is possible to manually create unidirectional trusts between domains in different forests, just as you would on a Windows NT network, and Windows Server 2003 and later also support forest trusts created between the two forest root domains. In most cases, though, the primary reason for creating multiple forests is to completely isolate two areas of the network and prevent interaction between them.

DNS and Active Directory
Windows NT is based on NetBIOS and uses a NetBIOS name server called Windows Internet Naming Service (WINS) to locate computers on the network and resolve their names into IP addresses. The primary limitation of NetBIOS and WINS is that they use a flat namespace, whereas Active Directory's namespace is hierarchical. The AD namespace is based on that of the Domain Name System (DNS), so the directory uses DNS servers instead of WINS to resolve names and locate domain controllers. You must have at least one DNS server running on your network in order for Active Directory to function properly.

The domains in Active Directory are named using standard DNS domain names, which may or may not be the same as the names your organization uses on the Internet. If, for example, you have already registered the domain name mycorp.com for use with your Internet servers, you can choose to use that same name as the parent domain in your AD tree or create a new name for internal use. The new name doesn't have to be registered for Internet use, because its use will be limited to your Windows network only. Even so, pick an internal name under a domain your organization actually owns (for example, ad.mycorp.com) rather than an unregistered name such as mycorp.local: names that are not yours can later be registered by someone else on the public Internet, and clients that leave the network may then send lookups for your internal hosts to a server you do not control.

DNS is based on resource records (RRs) that contain information about specific machines on the network. Traditionally, administrators must create these records manually, but on a Windows network, this causes problems. The task of manually creating records for hundreds of computers is long and difficult, and it is compounded by the use of the Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to network systems. Because the IP addresses on DHCP-managed systems can change, there must be a way for the DNS records to be updated to reflect those changes.

The Microsoft DNS server supports dynamic DNS (DDNS), which works together with Microsoft DHCP Server to dynamically update the resource records for specific systems as their IP addresses change. Configure the zones to accept secure dynamic updates only (authenticated through Kerberos, which requires the zone to be stored in Active Directory): a zone that accepts unauthenticated dynamic updates lets any host on the network overwrite another host's records, including those of your servers.
Global Catalog Server
To support large enterprise networks, Active Directory can be both partitioned and replicated, meaning that the directory can be split into sections stored on different servers, and copies of each section can be maintained on separate servers. Splitting up the directory in this way, however, makes it more difficult for applications to locate specific information. Therefore, Active Directory maintains the global catalog, which provides an overall picture of the directory structure. While a domain controller contains the Active Directory information for one domain only, the global catalog is a replica of the entire Active Directory, except that it includes only the essential attributes of each object, known as binding data (Microsoft's documentation calls this the partial attribute set).

Because the global catalog consists of a substantially smaller amount of data than the entire directory, it can be stored on a single server and accessed more quickly by users and applications. The global catalog makes it easy for applications to search for specific objects in Active Directory using any of the attributes included in the binding data. A global catalog server answers these forest-wide queries on TCP port 3268 (3269 over TLS), separate from the ordinary LDAP port 389, and the forest's universal group memberships are resolved through it, so a global catalog server is a further component that must be reachable for logons to succeed.

Deploying Active Directory
All of the architectural elements of Active Directory that have been described thus far, such as domains, trees, and forests, are logical components that do not necessarily have any effect on the physical network. In most cases, network administrators create domains, trees, and forests based on the political divisions within an organization, such as workgroups and departments, although geographical elements can come into play as well. Physically, however, an Active Directory installation is manifested as a collection of domain controllers, split into subdivisions called sites.

Creating Domain Controllers
A domain controller (DC) is a system that hosts all or part of the Active Directory database and provides the services to the rest of the network through which applications access that database. When a user logs on to the network or requests access to a specific network resource, the workstation contacts a domain controller, which authenticates the user and grants access to the network. Because a domain controller holds the credential material for every account in the domain, it is the most sensitive host on the network; whoever controls a domain controller controls the domain.

Active Directory has only one type of domain controller. When installing a Windows NT server, you had to specify whether it should be a primary domain controller (PDC), a backup domain controller (BDC), or a member server, and once a system was installed as a domain controller for a specific domain, there was no way to move it to another domain or change it back to a member server. With Active Directory, all Windows servers start out as stand-alone or member servers; you can then promote them to domain controllers and later demote them back to member servers. Active Directory has no PDCs or BDCs; all domain controllers function as peers.

A server that is to function as a domain controller must have at least one NTFS 5.0 drive to hold the Active Directory database, log files, and the system volume (SYSVOL), and it must have access to a DNS server that supports the SRV resource record and (optionally) dynamic updates. If the computer cannot locate a DNS server that provides these features, it offers to install and configure the Microsoft DNS Server software on the Windows system.

Directory Replication
Every domain on your network should be represented by at least two domain controllers for reasons of fault tolerance. Once your network is reliant on Active Directory for authentication and other services, inaccessible domain controllers would be a major problem. Therefore, each domain should be replicated on at least two domain controllers so that one is always available. Directory service replication is nothing new, but Active Directory replicates its domain data differently from Windows NT.

Windows NT domains are replicated using a technique called single master replication, in which a single PDC with read-write capabilities replicates its data to one or more BDCs that are read-only. In this method, replication traffic always travels in one direction, from the PDC to the BDCs. If the PDC fails, one of the BDCs can be promoted to PDC. The drawback of this arrangement is that changes to the directory can be made only on the PDC. When an administrator creates a new user account or modifies an existing one, for example, the User Manager for Domains utility must communicate with the PDC, even if it is located at a distant site connected by a slow WAN link.

Active Directory uses multiple master replication, which enables administrators to make changes on any of a domain's replicas. This is why there are no longer PDCs or BDCs. (A handful of operations, such as schema changes, are still serialized through single-master operations roles held by particular domain controllers, but ordinary object changes can originate anywhere.) The use of multiple masters makes the replication process far more difficult, however. Instead of simply copying the directory data from one domain controller to another, the information on each domain controller must be compared with that on all of the others so that the changes made to each replica are propagated to every other replica. In addition, it's possible for two administrators to modify the same attribute of the same object on two different replicas at virtually the same time. The replication process must be able to reconcile conflicts like these and see to it that each replica contains the most up-to-date information.

Multimaster Data Synchronization
Some directory services, such as NDS, base their data synchronization algorithms on time stamps assigned to each database modification. Whichever change has the later time stamp is the one that becomes operative when the replication process is completed. The problem with this method is that the use of time stamps requires the clocks on all of the network's domain controllers to be precisely synchronized, which is difficult to arrange. The Active Directory replication process relies on time stamps in only certain situations. Instead, AD uses update sequence numbers (USNs), which are 64-bit values assigned to all modifications written to the directory. Whenever an attribute changes, the domain controller increments its USN and stores the new value with the attribute, whether the change results from direct action by an administrator or from replication traffic received from another domain controller.

The only problem with this method is when the same attribute is modified on two different domain controllers. If an administrator changes the value of a specific attribute on Server B before a change made to the same attribute on Server A is fully propagated to all of the replicas, then a collision is said to have occurred. To resolve the collision, the domain controllers use property version numbers to determine which value should take precedence. Unlike USNs, which form a separate numerical sequence maintained by each domain controller, there is only one property version number for each object attribute, and it travels with the attribute's value when it is replicated.

When a domain controller modifies an attribute as a result of direct action by a network administrator, it increments the property version number. However, when a domain controller receives an attribute modification in the replication traffic from another domain controller, it does not modify the property version number. A domain controller detects collisions by comparing the attribute values and property version numbers received during a replication event with those stored in its own database. An incoming value with a higher version number replaces the local one, and an incoming value with a lower version number is discarded. If an attribute arriving from another domain controller has the same property version number as the local copy of that attribute but the values don't match, a collision has occurred. In this case, and only in this case, the system uses the time stamps included with each of the attributes to determine which value is newer and should take precedence over the other. If the time stamps are identical as well, the change that originated on the domain controller with the higher invocation ID (a GUID) wins, so the outcome is deterministic and every replica converges on the same value.
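The collision rules described in the last three paragraphs, as an added example with constructed data that is not code from the book or from Microsoft: each simulated domain controller keeps its own USN counter, property version numbers advance only on originating writes, and time stamps are consulted only when two changes carry the same version number. The final tie-break on the originating DC's name stands in for AD's comparison of invocation IDs and is an assumption made for illustration.

```python
"""Multimaster replication conflict resolution, modelled as the book describes:
USNs advance on every write (originating or replicated), property version
numbers advance only on originating writes, and time stamps decide only when
two changes carry the same version number. Added example with constructed
data; a simplified model, not Microsoft's replication code. The tie-break on
the originating DC's name stands in for AD's invocation-ID comparison
(assumption made for illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Stamp:
    version: int     # property version number; travels with the value
    timestamp: int   # originating time; consulted only on a version tie
    origin: str      # originating DC; last-resort tie-breaker
    value: str


@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # highest committed USN
    attrs: dict = field(default_factory=dict)      # attribute -> Stamp
    attr_usn: dict = field(default_factory=dict)   # attribute -> local USN of last write

    def _commit(self, attr, stamp):
        self.usn += 1                              # every write consumes a local USN
        self.attrs[attr] = stamp
        self.attr_usn[attr] = self.usn

    def write(self, attr, value, now):
        """Originating change by an administrator: bumps the property version."""
        old = self.attrs.get(attr)
        version = old.version + 1 if old else 1
        self._commit(attr, Stamp(version, now, self.name, value))

    def receive(self, attr, incoming):
        """Apply a replicated change and report what happened."""
        local = self.attrs.get(attr)
        if local is None or incoming.version > local.version:
            verdict = 'applied'
        elif incoming.version < local.version:
            return 'discarded'                     # local value is strictly newer
        elif incoming == local:
            return 'already-current'
        else:
            # Collision: same version, different value. Only now do time stamps matter.
            if (incoming.timestamp, incoming.origin) > (local.timestamp, local.origin):
                verdict = 'collision-incoming-wins'
            else:
                return 'collision-local-wins'
        self._commit(attr, incoming)               # replicated write: version untouched
        return verdict


def replicate(src, dst, attr):
    """Push src's current stamp for attr to dst, as one replication event."""
    return dst.receive(attr, src.attrs[attr])


def collision_scenario():
    """Two administrators edit the same attribute on different DCs before the
    first change has replicated. Returns (dc_a, dc_b, verdict_at_b, verdict_at_a)."""
    a, b = DomainController('ServerA'), DomainController('ServerB')
    a.write('telephoneNumber', '555-0100', now=100)
    replicate(a, b, 'telephoneNumber')                # both replicas at version 1
    a.write('telephoneNumber', '555-0101', now=200)   # version 2 on A
    b.write('telephoneNumber', '555-0199', now=205)   # version 2 on B: collision
    at_b = replicate(a, b, 'telephoneNumber')         # A's value arrives at B
    at_a = replicate(b, a, 'telephoneNumber')         # B's value arrives at A
    return a, b, at_b, at_a


if __name__ == '__main__':
    a, b, at_b, at_a = collision_scenario()
    print(at_b, at_a, a.attrs['telephoneNumber'].value, b.attrs['telephoneNumber'].value)
```

Run the scenario and both replicas end up holding the later of the two version-2 writes, while a stale stamp with a lower version number is rejected no matter how recent its time stamp is. That last point is why clock skew between domain controllers matters less than it would under a pure time-stamp scheme: a domain controller with a badly wrong clock can only win the rare exact-version collision, not rewrite history.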
Sites
A single domain can have any number of domain controllers, all of which contain the same information, thanks to the AD replication system. In addition to providing fault tolerance, you can create additional domain controllers to provide users with local access to the directory. In an organization with offices in multiple locations connected by WAN links, it would be impractical to have only one or two domain controllers because workstations would have to communicate with the AD database over a relatively slow, expensive WAN connection. Therefore, administrators often create a domain controller at each location where there are resources in the domain.

The relatively slow speed of the average WAN connection also affects the replication process between domain controllers, and for this reason, Active Directory can break up a domain into sites. A site is a collection of domain controllers that are assumed to be well connected, meaning that all of the systems are connected using the same relatively high-speed LAN technology. The connections between sites are assumed to be WANs that are slower and possibly more expensive.

The actual speed of the intrasite and intersite connections is not an issue. The issue is the relative speed between the domain controllers at the same site and those at different sites. The reason for dividing a domain into logical units that reflect the physical layout of the network is to control the replication traffic that passes over the slower WAN links. Active Directory also uses sites to determine which domain controller a workstation should access when authenticating a user: the workstation's IP address is matched against the subnet objects described later to find its site. Whenever possible, authentication procedures use a domain controller located in the same site.

Intrasite Replication
The replication of data between domain controllers located at the same site is completely automatic and self-regulating. A component called the Knowledge Consistency Checker (KCC) dynamically creates connections between the domain controllers as needed to create a replication topology that minimizes latency. Latency is the period of time during which the information stored on the domain controllers for a single domain is different, that is, the interval between the modification of an attribute on one domain controller and the propagation of that change to the other domain controllers. Within a site, a change made to the AD database on any replica triggers a change notification to that domain controller's replication partners after a short delay; the KCC itself only maintains the topology over which those notifications flow.

The KCC maintains at least two connections to each domain controller at the site. This way, if a controller goes offline, replication between all of the other domain controllers is still possible. The KCC may create additional connections to maintain timely contact between the remaining domain controllers while the system is unavailable and then remove them when the system comes back online. In the same way, if you add a new domain controller, the KCC modifies the replication topology to include it in the data synchronization process. As a rule, the KCC creates a replication topology in which each domain controller is no more than three hops away from any other domain controller. Because the domain controllers are all located at the same site, they are assumed to be well connected, and the KCC is willing to expend network bandwidth in the interest of replication speed. All updates are transmitted in uncompressed form because, even though this requires the transmission of more data, it minimizes the amount of processing needed at each domain controller.

Replication occurs primarily within domains, but when multiple domains are located at the same site, the KCC also creates connections between the global catalog servers for each domain so that they can exchange information and create a replica of the entire Active Directory containing the subset of attributes that form the binding data.

Intersite Replication
By default, a forest consists of a single site, called Default-First-Site-Name, and any additional domain controllers you create are placed within that site (unless the subnet they are installed on has already been associated with another site). You can, however, use the Active Directory Sites and Services console to create additional sites and move domain controllers into them. Just as with domain controllers in the same site, Active Directory creates a replication topology between domain controllers in different sites, but with several key differences.

Because the WAN links between sites are assumed to be slower, Active Directory attempts to minimize the amount of replication traffic that passes between them. First, there are fewer connections between domain controllers at different sites than within a site; the three-hop rule is not observed for the intersite replication topology. Second, all replication data transmitted over intersite connections is compressed to minimize the amount of bandwidth utilized by the replication process. Finally, replication events between sites are not automatically triggered by modifications to the Active Directory database. Instead, replication can be scheduled to occur at specified times and intervals to minimize the effect on standard user traffic and to take advantage of lower bandwidth costs during off-hours.
Microsoft Management Console
Microsoft Management Console (MMC) is an application that provides a centralized administration interface for many of the services included in Windows, including those used to manage Active Directory. Windows NT relied on separate management applications for many of its services, such as DHCP Manager, WINS Manager, and Disk Administrator. Windows now consolidates all of these applications, and many others, into MMC. Most of the system administration tasks for the operating system are performed through MMC.

MMC has no administrative capabilities of its own; it is, essentially, a shell for application modules called snap-ins that provide the administrative functions for many of Windows' applications and services. A saved arrangement of snap-ins is a console file with an .msc extension, which you open either from the command line or interactively through the MMC menus. Windows supplies console files for all of its tools, but the interface is designed so that third-party software developers can use the MMC architecture to create administration tools for their own applications.

MMC can load multiple snap-ins simultaneously using the Windows multiple-document interface (MDI). You can use this capability to create a customized management interface containing all of the snap-ins you use on a regular basis. When you run MMC (by launching Mmc.exe from the Run dialog box) and select File | New, you get an empty Console Root window. By selecting File | Add/Remove Snap-in, you can build a list of the installed snap-ins and load selected ones into the console. The various snap-ins appear in an expandable, Explorer-like display in the left pane of MMC's main screen, as shown in Figure 18-2.

Figure 18-2 Working with snap-ins in Windows 7

NOTE In Windows 8 or 8.1, locate the Windows System apps and choose Run.

Many of Windows' administrative tools, such as Active Directory Sites and Services, are actually preconfigured MMC consoles. Selecting Computer Management from the Programs/Administrative Tools group in the Start menu displays a console that contains a collection of the basic administration tools for a Windows system. By default, the Computer Management console administers the local system, but you can use all of its tools to manage a remote network system by selecting Action | Connect To Another Computer.
Creating and Configuring Sites
Splitting a network into sites has no effect on the hierarchy of domains, trees, and forests that you have created to represent your enterprise. However, sites still appear as objects in Active Directory, along with several other object types that you use to configure your network's replication topology. These objects live in the forest's configuration partition and are normally managed through the Active Directory Sites and Services tool. The object called Default-First-Site-Name is created automatically when you promote the first server on your network to a domain controller, along with a server object that appears in the Servers folder beneath it. Server objects are always subordinate to site objects and represent the domain controllers operating at that site. A site can contain server objects for domain controllers in any number of domains, located in any tree in the forest. You can move server objects between sites as needed.

The other two important object types associated with sites and servers are subnet and site link objects. Subnet objects represent the particular IP subnets that you use at your various sites and are used to define the boundaries of the site. When you create a subnet object, you specify a network address and subnet mask. When you associate a site with a subnet object, server objects for any new domain controllers that you create on that subnet are automatically created in that site. You can associate multiple subnet objects with a particular site to create a complete picture of your network. Workstations use the same subnet-to-site mapping to find a nearby domain controller, so a client whose address falls in no defined subnet belongs to no site and may end up authenticating against a domain controller anywhere in the forest; keeping the subnet objects complete is therefore worth the effort.

Site link objects represent the WAN links on your network that Active Directory will use to create connections between domain controllers at different sites. Active Directory supports the use of the Internet Protocol (IP) and the Simple Mail Transfer Protocol (SMTP) for site links, both of which appear in the Inter-Site Transports folder in Active Directory Sites and Services. An SMTP site link carries replication as signed and encrypted mail messages through your mail transport, which requires a certification authority, and it can replicate only the schema, configuration, and global catalog data, not a domain's own partition. When you create a site link object, you select the sites that are connected by the WAN link the object represents. The attributes of site link objects include various mechanisms for determining when and how often Active Directory should use the link to transmit replication traffic between sites:

• Cost  The cost of a site link can reflect either the monetary cost of the WAN technology involved or the cost in terms of the bandwidth needed for other purposes. When more than one route exists between two sites, the route with the lowest total cost is used.

• Schedule  This specifies the hours of the day during each day of the week that the link can be used to carry replication traffic.

• Replication period  This specifies the interval between replication procedures that use this link, subject to the schedule described previously.

By default, Active Directory creates an IP site link object, DEFAULTIPSITELINK (cost 100, replicating every 180 minutes), that you can use as is or can modify to reflect the type of link used to connect your sites. If all of your sites are connected by WAN links of the same type, you don't have to create additional site link objects because a single set of scheduling attributes should be applicable for all of your intersite connections. If you use various types of WAN connections, however, you can create a separate site link object for each type and configure its attributes to reflect how you want it to be used.

There is another type of object that you can create in the Inter-Site Transports container, called a site link bridge object, that is designed to make it possible to route replication traffic through one remote site to others. By default, the site links you create are transitive, meaning that they are bridged together, enabling them to route replication traffic. For example, if you have a site link object connecting Site A to Site B and another one connecting Site B to Site C, then Site A can send replication traffic to Site C. If you want, you can disable the default bridging by opening the Properties dialog box for the IP folder and clearing the Bridge All Site Links check box. If you do this, you must manually create site link bridge objects in order to route replication traffic in this way. A site link bridge object generally represents a router on the network. While a site link object groups two or more site objects, a site link bridge object groups two or more site link objects, making it possible for replication traffic to be routed between them; bridges themselves are not transitive with one another.

Once you have created objects representing the sites that form your network and the links that connect them, the KCC can create connections that form the replication topology for the entire internetwork, subject to the limitations imposed by the site link object attributes. The connections created by the KCC, both within and between sites, appear as objects in the NTDS Settings container beneath each server object. A connection object is unidirectional and inbound: it represents replication traffic flowing into the server under which the object appears from the source server named in the object's fromServer attribute. In most cases, there should be no need to manually create or configure connection objects, but it is possible to do so. You can customize the replication topology of your network by creating your own connections and scheduling the times during which they may be used. Manually created connection objects cannot be deleted by the KCC to accommodate changing network conditions; they remain in place until you manually remove them.
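The routing decision the preceding paragraphs describe (lowest total cost along a chain of site links, with the chain allowed only when the links are bridged), as an added example that is not code from the book or from Microsoft's KCC. The four-site topology is constructed for the example; the default cost of 100 follows DEFAULTIPSITELINK. Because a site link's cost is what steers replication traffic, it is also worth knowing which accounts can edit these objects in the configuration partition: whoever can add a cheap site link can choose which WAN path the directory's replication crosses.

```python
"""Which route the KCC may use between sites, given site link costs and site
link bridging. Added example with a constructed topology; it is a model of the
rules in the text (costs add along a route, bridging makes links transitive,
bridges are not transitive with each other), not Microsoft's KCC code."""
import heapq

INF = float('inf')

# Constructed sample: link name -> (cost, sites it connects). A site link may
# join more than two sites, in which case it behaves as a full mesh at that cost.
SITE_LINKS = {
    'A-B': (100, frozenset({'A', 'B'})),       # 100 is the DEFAULTIPSITELINK cost
    'B-C': (200, frozenset({'B', 'C'})),
    'A-C-slow': (500, frozenset({'A', 'C'})),  # a direct but expensive path
    'C-D': (50, frozenset({'C', 'D'})),
}


def _shortest_paths(links, src):
    """Dijkstra over the sites joined by the given links; returns {site: cost}."""
    adj = {}
    for cost, sites in links:
        for u in sites:
            for v in sites:
                if u != v:
                    adj.setdefault(u, []).append((v, cost))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, INF):
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, INF):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def replication_cost(site_links, src, dst, bridge_all=True, bridges=()):
    """Cheapest cost of a route the KCC may use from src to dst, or INF if none.

    bridge_all=True  -> 'Bridge all site links' is set: every link is transitive.
    bridge_all=False -> a route must either be a single site link or stay inside
                        one site link bridge object (given as a set of link names);
                        bridges are not transitive with each other.
    """
    if bridge_all:
        groups = [list(site_links)]
    else:
        groups = [list(b) for b in bridges] + [[name] for name in site_links]
    best = INF
    for names in groups:
        dist = _shortest_paths([site_links[n] for n in names], src)
        best = min(best, dist.get(dst, INF))
    return best


def reachable_pairs(site_links, **kw):
    """All ordered (src, dst) site pairs the KCC could connect under the given bridging."""
    sites = sorted(set().union(*(s for _, s in site_links.values())))
    return {(s, d) for s in sites for d in sites
            if s != d and replication_cost(site_links, s, d, **kw) < INF}


if __name__ == '__main__':
    for opts in ({}, {'bridge_all': False},
                 {'bridge_all': False, 'bridges': [{'A-B', 'B-C'}]}):
        print(opts, 'A->C:', replication_cost(SITE_LINKS, 'A', 'C', **opts),
              'A->D:', replication_cost(SITE_LINKS, 'A', 'D', **opts))
```

With bridging on, A reaches C for 300 through B rather than 500 over the direct link, and reaches D for 350; with bridging off, only the direct 500 link serves A to C and D is unreachable from A until a bridge containing the right links is created.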
Designing an Active Directory
As with any enterprise directory service, the process of deploying Active Directory on your network involves much more than simply installing the software. The planning process is, in many cases, more complicated than the construction of the directory itself. Naturally, the larger your network, the more complicated the planning process will be. You should have a clear idea of the form that your AD structure will take and who will maintain each part of it before you actually begin to deploy domain controllers and create objects.

In many cases, the planning process will require some hands-on testing before you deploy Active Directory on your production network. You may want to set up a test network and try some forest designs before you commit yourself to any one plan. Although a test network can't fully simulate the effects of hundreds of users working at once, the time that you spend familiarizing yourself with the Active Directory tools and procedures can only help you later when you're building the live directory service.

Planning Domains, Trees, and Forests
Active Directory expands the scope of the directory service by two orders of magnitude by providing trees and forests that you can use to organize multiple domains. In addition, the domains themselves can be subdivided into smaller administrative entities called organizational units. To use these capabilities effectively, you must evaluate your network in light of both its physical layout and the needs of the organization that it serves.

Creating Multiple Trees
In most cases, a single tree with one or more domains is sufficient to support an enterprise network. The main reason for creating multiple trees is if you have two or more existing DNS namespaces that you want to reflect in Active Directory. For example, a corporation that consists of several different companies that operate independently can use multiple trees to create a separate namespace for each company. Although there are transitive trust relationships between all of the domains in a tree, separate trees are connected only by trusts between their root domains.

If you have several levels of child domains in each tree, the process of accessing a resource in a different tree involves the passing of authentication traffic up from the domain containing the requesting system to the root of the tree, across to the root of the other tree, and down to the domain containing the requested resource. If the trees operate autonomously and access requests for resources in other trees are rare, this may not be much of a problem. If the trust relationships in a directory design like this do cause delays on a regular basis, you can manually create what are known as shortcut trusts between child domains lower down in both trees.

Just as you can create multiple trees in a forest, you can create multiple forests on a network. Scenarios in which the use of multiple forests is necessary are even rarer than those calling for multiple trees because forests have no inherent trust relationships between them at all and use different global catalogs, making it more difficult for users even to locate resources. You may want to use a separate forest for a lab-based test network, for a project that you don't want other network users to know even exists, or for administrators whose control must not extend to the production forest, since, as noted earlier, the forest is the boundary within which administrative control can be contained.
CHAPTER
19 Linux
DevelopedasacollegeprojectbyLinusTorvaldsofSweden,theLinuxoperatingsystemhasemergedasoneofthemostpopularUnixvariants.ThischaptercoverstheadvantagesanddisadvantagesofLinux,Linuxfilesystems,andhowtoworkwithLinuxfiles.
UnderstandingLinuxWrittenintheCprogramminglanguage,LinuxusesGNUtools,whicharefreelyavailable.Likeothervariants,LinuxisavailableasafreedownloadfromtheInternetinversionsformoststandardhardwareplatformsandiscontinuallyrefinedbyanadhocgroupofprogrammerswhocommunicatemainlythroughInternetmailinglistsandnewsgroups.Becauseofitspopularity,manyLinuxmodulesandapplicationshavebeendeveloped.Oftennewfeaturesandcapabilitiesaretheresultofprogrammersadaptingtheexistingsoftwarefortheirownusesandthenpostingtheircodeforotherstouse.Astheproductincreasesinpopularity,morepeopleworkonitinthisway,andthedevelopmentprocessaccelerates.ThisactivityhasalsoledtothefragmentationoftheLinuxdevelopmentprocess.ManydifferentLinuxversionsareavailable,whicharesimilarintheirkernelfunctionsbutvaryinthefeaturestheyinclude.SomeoftheseLinuxpackagesareavailablefordownloadontheInternet,butthegrowthinthepopularityoftheoperatingsystem(OS)hasledtocommercialdistributionreleasesaswell.
NOTEGNUisanoperatingsystemannouncedin1993thatcontainstotallyfreesoftware.Accordingtowww.gnu.org,GNUstandsforGNU’sNotUnix.
LinuxDistributionsManyLinuxvariationsareavailablefreeforthedownload,andothersrequiresomesortofpaymentordonation.Table19-1showssomeoftheLinuxdistributions(oftencalleddistros)available.Theyarelistedinalphabeticorder,notinorderofpopularity.
Table19-1SomeLinuxDistros
Today’sLinuxsystemsrunondevicesfromtabletsandcellphonestoworkstationsandhigh-endservers.Sincethesystemisopensource(meaningthatitisavailableforanyone),asproblemsorglitchesoccur,anyoneworldwidecanreporttheproblem,andmanypeoplewillwritecodetofixtheissueforfutureusers.AsLinuxhasmatured,somenewerusersjustwanttousetheprogram,notwritecode.Theseuserswantaprogramthattheycandownloadanduserightaway.Itisforthoseusersthatsomecompanieshavedevelopeddistributionsthatareguaranteedtowork“outofthebox.”ThesecompaniesrequirepaymentforLinuxandofferbothtechnicalsupportandwarrantiesonthedownloadedprogram.
Advantages and Disadvantages of Linux
Besides being an open source system, Linux often requires less disk space than many other operating systems. There are other advantages as well:
• Since the system is open source, many people have contributed to its stability.
• Security flaws are often found before they become an issue.
• Its robust adaptability adjusts to many situations.
• It is easily customizable and updatable.
• Apps are usually free, and the number of apps is increasing.
• Linux is scalable, meaning it can be used as the operating system for small items such as wireless routers and tablets to large, multitiered systems such as storage clusters and data centers.
Open source also has some disadvantages:
• Applications may be more difficult to find and learn (although today many applications are available, and some even look like more familiar Windows programs). For example, OpenOffice and LibreOffice both offer a set of applications including a word processor, a spreadsheet, and a presentation manager. The screens look much the same in Windows and Linux, as shown in Figure 19-1.
Figure 19-1 The OpenOffice Writer screen looks similar in both Windows and Linux.
• There are many distributions of Linux, so it can be difficult to transfer knowledge of one distro to another.
• Linux can be confusing at first for new users.
The popularity of Linux has reached the point at which it is expanding beyond Unix's traditional market of computer professionals and technical hobbyists. In part, this is because of a backlash against Microsoft, which some people believe is close to holding a monopoly on operating systems. When you pay for a "commercial" Linux release such as Ubuntu, you download not only the OS and source code but also a variety of applications, product documentation, and technical support, which are often lacking in the free download releases. Other distributors provide similar products and services, but this does not necessarily mean that these Linux versions are binary compatible. In some cases, software written for one distribution will not run on another one.
The free Linux distributions provide much of the same functionality as the commercial ones but in a less convenient package. The downloads can be large and time consuming, and you may find yourself interrupting the installation process frequently to track down some essential piece of information or to download an additional module you didn't know you needed. One of the biggest advantages of Linux over other Unix variants is its excellent driver support. Device drivers are an integral part of any operating system, and if Unix is ever going to become a rival to Windows in the personal computer mainstream, it's going to have to run on the same computers that run Windows, using the same peripherals. Many of the other Unix variants have relatively limited device driver support. If you are trying to install a Unix product on an Intel-based computer with the latest and greatest video adapter, for example, you may not be able to find a driver that takes full advantage of its capabilities.
Device drivers, even those included with operating systems, are generally written by the device manufacturer. Not surprisingly, hardware manufacturers devote most of their driver development attention to Windows, with other systems getting only perfunctory support, if any at all. The fans of Linux are legion, however, and the OS's development model has led the operating system's supporters to develop their own drivers for many of the devices commonly found in Intel-based computers. If you are having trouble finding appropriate drivers for your hardware that run on other Unix variants, you are more likely to have success with Linux.
For example, a computer running Linux as its OS and Apache as its web server software is a powerful combination that is easily equal or superior to most of the commercial products on the market—and the software is completely free.
File Systems
For the many computer users who are familiar with the Microsoft NTFS and the older FAT file system, the myriad of file systems available in open source operating systems can be daunting. Table 19-2 shows some of the file systems that are available for Linux users.
Table 19-2 Linux File Systems
Bits and Bytes
All data in a computer is a combination of zeros and ones. Each zero or one is designated as a bit. A byte consists of 8 bits. For example, 00110111 is one byte. There are a number of other designations, indicating the amount of storage space available in each designation. Today, hard drives are measured in terabytes, while random access memory (RAM) is currently measured in gigabytes.
• A kilobyte is 1,024 bytes, shown as 1 KB.
• A megabyte is 1,024 kilobytes, shown as 1 MB.
• A gigabyte is 1,024 megabytes, shown as 1 GB.
• A terabyte is 1,024 gigabytes, shown as 1 TB.
• A petabyte is 1,024 terabytes, shown as 1 PB.
• An exabyte is 1,024 petabytes, shown as 1 EB.
NOTE An old techie saying is that 4 bits = 1 nibble.
NOTE A legacy system is one that is outdated, unsupported, or obsolete. Some organizations still use older systems because of software or hardware requirements.
Linux Installation Questions
Before you install Linux on a machine, you should know the answers to the following:
• Have you read the documentation for the distribution you downloaded?
• Will this distribution work on the hardware you are using?
• How much RAM is available on this machine?
• Do you want to install just a workstation or create a Linux server? Can you download all the necessary software?
• Do you have to create a CD or DVD from the downloaded file? Normally, Linux downloads are in .iso format, and many require that you burn the downloaded file to a CD or DVD in order to perform the installation.
• Do you understand how to use an .iso file?
• Is Linux the main operating system or one of several?
• Do you need to create a new partition before you install the system?
• Since Linux expects to be on a network, what is the IP address and hostname?
Booting Linux
When you boot your Linux computer, there are several steps to the process, as shown in Figure 19-2. In text mode, once your Linux terminal displays the login prompt as white letters on a black background, you enter your username and password (pressing ENTER after each).
Figure 19-2 The boot sequence in Linux
Logging Out of Linux
In text mode, enter the logout command and press ENTER.
Directory Structure
Most Linux distributions contain the directories described in Table 19-3.
Table 19-3 Typical Linux Directories
Quick Commands in Linux
You can use several commands in Linux to find your way around. Table 19-4 lists several common commands and the resulting action. The command structure is as follows:
Table 19-4 Common Linux Commands
command option(s) argument(s)
Each would be shown from the root prompt, such as this: root@username:~# command
Unlike other operating systems, Linux commands are case sensitive.
Working with Linux Files
For those familiar with Windows path names, this is how you would find a file: C:\MyFolder\MyFinances\MyBudget.txt
To find the same file in Linux, you would use this pathway: /MyFolder/MyFinances/MyBudget.txt
You may note several differences in the two. First, there is no drive name shown. Linux mounts the root partition when the computer first boots. Therefore, all the files and folders are found at /. Second, the slashes are forward slashes instead of the backslashes in Windows. Also, in Linux, all files and folders are case sensitive, while in Windows, case does not matter. In Linux, /School/English/essay1.txt is a different file than /School/English/Essay1.txt.
Linux file systems are often more reliable than other systems because of several factors.
Journaling
In more familiar file systems, each file is written directly to a location on the hard drive, and if the computer shuts down for any reason, the information in that file may be lost or corrupted. A file system that journals first writes information to a special file called a journal that is stored on another part of the hard drive. This journal contains data about both the file and location and is much easier to retrieve if there is a problem. At any given time, this system has three possible states: a saved file, a journal report that shows the file as not being saved, or a journal file that shows inconsistencies but can be rebuilt.
This system is more reliable than systems writing directly to the hard drive. Some systems write the data twice, which can prevent corruption and save after a power or software problem requires the user to reboot the system.
Editing
One of the best features of a Linux (or Unix) file is that it can be edited while it is open. Unix/Linux files are indexed by number (called an inode) that contains the attributes such as name, permissions, location, and so on. When a file is deleted, the inode is just unlinked from the filename. If other programs are using that file, the link to the operating system is still open and will be updated as changes are made to it.
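Both behaviours described above, case-sensitive names and a deleted file that stays alive for whoever still has it open, can be observed directly from the shell. The script below is an added example and not part of the book; it uses only standard POSIX tools inside a scratch directory it creates itself, and the file names essay1.txt, Essay1.txt and open.txt are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: two Linux file system behaviours described
# above, demonstrated with standard POSIX tools in a scratch directory.
# File names (essay1.txt, Essay1.txt, open.txt) are invented for this demo.

# count_case_variants: creates essay1.txt and Essay1.txt in a scratch directory
# and prints how many files resulted. On a case-sensitive file system (Linux)
# they are two distinct files, so the result is 2.
count_case_variants() {
    dir=$(mktemp -d)
    printf 'first\n'  > "$dir/essay1.txt"
    printf 'second\n' > "$dir/Essay1.txt"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$n"
}

# read_after_unlink: shows that rm only removes the name. A process holding
# the file open keeps its inode alive, can still write to it, and another
# open descriptor on the same inode sees those writes. Prints the content
# read through the open descriptor after the name is gone.
read_after_unlink() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/open.txt"
    exec 3>> "$dir/open.txt"      # descriptor 3: append to the file
    exec 4<  "$dir/open.txt"      # descriptor 4: read the same inode
    rm "$dir/open.txt"            # unlink the name; the inode lives on
    if [ -e "$dir/open.txt" ]; then
        echo "unexpected: name still present"
        return 1
    fi
    printf 'world\n' >&3          # a change made through the still-open link
    content=$(cat <&4 | tr '\n' ' ' | sed 's/ $//')
    exec 3>&- 4<&-                # close both; only now is the inode freed
    rm -rf "$dir"
    echo "$content"
}

echo "distinct files: $(count_case_variants)"
echo "read after unlink: $(read_after_unlink)"
```

On a case-insensitive file system (the default on macOS, for instance) the first function reports 1 rather than 2, which is exactly the Windows-style behaviour the text contrasts with Linux.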
Lack of Fragmentation
FAT and NTFS systems do not keep all the pieces of their files together in order to utilize space more efficiently. While this practice saved space in the smaller hard drives of the day, it made for difficulties when it came to performance because the processor would have to connect the parts of the files before they could be run. Starting with the ext3 system, Linux file blocks are kept together.
CHAPTER 20
Unix
Unix is a multiuser, multitasking operating system (OS) with roots that date back to the late 1960s. It was developed throughout the 1970s by researchers at AT&T's Bell Labs, finally culminating in Unix System V Release 1 in 1983. During this time, and since then, many other organizations have built their own variants on the Unix formula, and now dozens of different operating systems function using the same basic Unix components, including both Apple and Linux. This was possible because, from the beginning, Unix has been more of a collaborative research project than a commercial product. While some companies guard the source code to their operating systems, many Unix developers make their code freely available. This enables anyone with the appropriate skills to modify the OS to their own specifications.
Unix is not a user-friendly OS, nor is it commonly found on the desktop of the average personal computer user. To its detractors, Unix is an outdated OS that relies primarily on an archaic, character-based interface. To its proponents, however, Unix is the most powerful, flexible, and stable OS available. As is usually the case, both opinions are correct to some degree.
You are not going to see racks of Unix-based games and other recreational software at the computer store anytime soon, nor are you likely to see offices full of employees running productivity applications, such as word processors and spreadsheets, on Unix systems. However, when you use a browser to connect to a web site, there's a good chance that the server hosting the site is running some form of Unix. Your smartphone, tablet, or Mac uses a form of Unix. In addition, many of the vertical applications designed for specific industries, such as those used when you book a hotel room or rent a car, run on Unix systems. In this instance, we are discussing the base form of Unix, aka the terminal or command line.
As a server operating system, Unix has a reputation for being stable enough to support mission-critical applications, portable enough to run on many different hardware platforms, and scalable enough to support a user base of almost any size. All Unix systems use Transmission Control Protocol/Internet Protocol (TCP/IP) as their native protocols, so they are naturally suited for use on the Internet and for networking with other operating systems. In fact, Unix systems were instrumental in the development of the Internet from an experiment in decentralized, packet-switched networking to the worldwide phenomenon it is today.
Unix Principles
More than other operating systems, Unix is based on a principle of simplicity that makes it highly adaptable to many different needs. This is not to say that Unix is simple to use because generally it isn't. Rather, it means that the OS is based on guiding principles that treat the various elements of the computer in a simple and consistent way. For example, a Unix system treats physical devices in the computer, such as the printer, the keyboard, and the display, in the same way as it treats the files and directories on its drives. You can copy a file to the display or to a printer just as you would copy it to another directory and use the devices with any other appropriate file-based tools.
Another fundamental principle of Unix is the use of small, simple tools that perform specific functions and that can easily work together with other tools to provide more complex functions. Instead of large applications with many built-in features, Unix operating systems are far more likely to utilize a small tool that provides a basic service to other tools. A good example is the sort command, which takes the contents of a text file, sorts it according to user-supplied parameters, and sends the results to an output device, such as the display or a printer. In addition to applying the command to an existing text file, you can use it to sort the output of other commands before displaying or printing it.
The element that lets you join tools in this way is called a pipe (|), which enables you to use one tool to provide input to or accept output from another tool. DOS can use pipes to redirect standard input and output in various ways, but Unix includes a much wider variety of tools and commands that can be combined to provide elaborate and powerful functions.
Thus, Unix is based on relatively simple elements, but its ability to combine those elements makes it quite complex. While a large application attempts to anticipate the needs of the user by combining its functions in various predetermined ways, Unix supplies users with the tools that provide the basic functions and lets them combine the tools to suit their own needs. The result is an OS with great flexibility and extensibility but that requires an operator with more than the average computer user's skills to take full advantage of it. However, the operator has to remember all the commands.
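The pipe principle above is easiest to appreciate on a real administrative task, so here is an added example that is not from the book: ranking the source addresses behind failed logins. The log lines are constructed for the demonstration in the style of a syslog authentication log (they are not real data), and the pipeline uses nothing but grep, awk, sort, uniq and head, each doing one small job.

```shell
#!/bin/sh
# Added example, not from the book: the Unix "small tools joined by pipes"
# principle applied to a defender's task. CONSTRUCTED log lines in the style
# of a syslog auth log are fed through grep, awk, sort, uniq and sort again
# to rank the sources of failed logins. No single tool does this job; the
# pipeline does.

# Constructed sample input (not real log data).
SAMPLE_LOG='Mar  1 10:00:01 host1 sshd[201]: Failed password for invalid user admin from 10.0.0.5 port 4011 ssh2
Mar  1 10:00:03 host1 sshd[202]: Failed password for root from 10.0.0.5 port 4012 ssh2
Mar  1 10:00:05 host1 sshd[203]: Accepted publickey for alice from 10.0.0.7 port 5100 ssh2
Mar  1 10:00:09 host1 sshd[204]: Failed password for bob from 192.168.1.20 port 6001 ssh2
Mar  1 10:00:12 host1 sshd[205]: Failed password for root from 10.0.0.5 port 4013 ssh2'

# rank_failed_sources: reads log lines on stdin, prints "count address",
# highest count first. Each stage is one small tool doing one thing:
#   grep  - keep only failed-login lines
#   awk   - print the field after the word "from" (the source address)
#   sort  - group identical addresses so uniq can count them
#   uniq  - collapse runs of identical lines, prefixing the count
#   sort  - order numerically, descending, by that count
#   awk   - normalise the spacing uniq puts in front of the count
rank_failed_sources() {
    grep 'Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{ print $1, $2 }'
}

# top_failed_source: the single busiest address, as "count address".
top_failed_source() {
    printf '%s\n' "$SAMPLE_LOG" | rank_failed_sources | head -n 1
}

# failed_source_count: how many distinct addresses failed at least once.
failed_source_count() {
    printf '%s\n' "$SAMPLE_LOG" | rank_failed_sources | wc -l | tr -d ' '
}

# Stand-alone usage: show the full ranking for the sample.
printf '%s\n' "$SAMPLE_LOG" | rank_failed_sources
```

Swapping the grep pattern or the awk field is all it takes to rank something else (accepted logins, usernames, ports); none of the other stages need to know what is being counted.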
Because of this guiding principle, Unix is in many ways a "programmer's operating system." If a tool to perform a certain task is not included, you usually have the resources available to fashion one yourself. This is not to say that you have to be a programmer to use Unix, but many of the techniques that programmers use when writing code are instrumental to the use of multiple tools on the Unix command line.
If all of this talk of programming and command-line computing is intimidating, be assured that it is quite possible to install, maintain, and use a Unix system without a substantial investment in learning command-line syntax. Some of the Unix operating systems are being geared more and more to the average computer user, with most of the common system functions available through the graphical user interface (GUI). You can perform most of your daily computing tasks on these operating systems without ever seeing a command prompt.
The various Unix operating systems are built around basic elements that are fundamentally the same, but they include various collections of tools and programs. Depending on which variant you choose and whether it is a commercial product or a free download, you may find that the OS comes complete with modules such as web and DNS servers and other programs, or you may have to obtain these yourself. However, one of the other principles of Unix development that has endured through the years is the custom of making the source code for Unix software freely available to everyone. The result of this open source movement is a wealth of Unix tools, applications, and other software that is freely available for download from the Internet.
In some cases, programmers modify existing Unix modules for their own purposes and then release those modifications to the public domain so that they can be of help to others. Some programmers collaborate on Unix software projects as something of a hobby and release the results to the public. One of the best examples of this is the Linux operating system, which was designed from the beginning to be a free product and which has now become one of the most popular Unix variants in use today.
Unix Architecture
Because Unix is available in so many variants, Unix operating systems can run on a variety of hardware platforms. Many of the Unix variants are proprietary versions created by specific manufacturers to run on their own hardware platforms. Most of the software-only Unix solutions run on Intel-based PCs, and some are available in versions for multiple platforms.
The hardware requirements for the various Unix platforms vary greatly, depending on the functions required of the machine. You can run Linux on an old 386, for example, as long as you don't expect to use a GUI or run a server supporting a large number of users. Today, many large businesses are using Linux as a cost-saving alternative because even mid-range Unix servers can cost more than $200,000, including hardware.
No matter what hardware a Unix system uses, the basic software components are the same (see Figure 20-1). The kernel is the core module that insulates the programs running on the computer from the hardware. The kernel uses device drivers that interact with the specific hardware devices installed in the computer to perform basic functions such as memory management, input/output, interrupt handling, and access control.
Figure 20-1 Basic components of a Unix system
The Unix kernel provides approximately 100 system calls that programs can use to execute certain tasks, such as opening a file, executing a program, and terminating a process. However, the system calls can vary wildly depending on the variant. These are the building blocks that programmers use to integrate hardware-related functions into their applications' more complex tasks. The system calls can vary between the different Unix versions to some extent, particularly in the way that the system internals perform the different functions.
Above the kernel is the shell, which provides the interface you use to issue commands and execute programs. The shell is a command interpreter, much like Command.com in DOS and Cmd.exe in Windows, which provides a character-based command prompt that you use to interact with the system. The shell also functions as a programming language you can use to create scripts, which are functionally similar to old DOS batch files but much more versatile and powerful.
Unlike Windows, which limits you to a single command interpreter, Unix traditionally has several shells you can choose from, with different capabilities. The shells that are included with particular Unix operating systems vary, and others are available as free downloads. Often, the selection of a shell is a matter of personal preference, guided by the user's previous experience. The basic commands used for file management and other standard system tasks are the same in all of the shells. The differences become more evident when you run more complex commands and create scripts.
The original Unix shell is a program called sh that was created by Steve Bourne and is commonly known as the Bourne shell. Some of the other common shells are as follows:
• csh Known as the C shell and originally created for use with Berkeley Software Distribution (BSD) Unix; utilizes a syntax similar to that of the C language and introduces features such as a command history list, job control, and aliases. Scripts written for the Bourne shell usually need some modification to run in the C shell.
• ksh Known as the Korn shell; builds on the Bourne shell and adds elements of the C shell, as well as other improvements. Scripts written for the Bourne shell usually can run in the Korn shell without modification.
• bash The default shell used by Linux; closely related to the Korn shell, with elements of the C shell.
Running on top of the shell are the commands that you use to perform tasks on the system. Unix includes hundreds of small programs, usually called tools or commands, which you can combine on the command line to perform complex tasks. Hundreds of other tools are available on the Internet that you can combine with those provided with the OS. Unix command-line tools are programs, but don't confuse them with the complex applications used by other operating systems, such as Windows. Unix has full-blown applications as well, but its real power lies in these small programs. Adding a new tool on a Unix system does not require an installation procedure; you simply have to specify the appropriate location of the tool in the file system in order for the shell to run it.
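What "adding a tool" amounts to in practice is shown by the added example below, which is not from the book: an executable file is created, run by its location, and then run by bare name once its directory is on the shell's search path. The tool name greet and its directory are invented for the demonstration and live in a scratch directory the script creates.

```shell
#!/bin/sh
# Added example, not from the book: "installing" a tool on a Unix system means
# putting an executable file where the shell can find it. The tool name
# "greet" and its directory are invented; both live in a scratch directory.

# make_tool_dir: creates a directory holding one small tool and prints its path.
make_tool_dir() {
    dir=$(mktemp -d)
    cat > "$dir/greet" <<'EOF'
#!/bin/sh
# A tiny tool: prints a greeting for the name given as its first argument.
printf 'hello, %s\n' "${1:-world}"
EOF
    chmod 755 "$dir/greet"     # without the execute bit the shell will not run it
    echo "$dir"
}

# run_by_path: run the tool by naming its location explicitly.
run_by_path() {
    dir=$(make_tool_dir)
    out=$("$dir/greet" alice)
    rm -rf "$dir"
    echo "$out"
}

# run_via_search_path: append the directory to PATH so the bare name resolves.
# PATH is searched left to right; appending rather than prepending keeps a new
# tool from shadowing a system command that happens to have the same name.
run_via_search_path() {
    dir=$(make_tool_dir)
    PATH="$PATH:$dir"
    # Confirm the shell can now locate the tool by name before calling it.
    command -v greet >/dev/null || { rm -rf "$dir"; return 1; }
    out=$(greet bob)
    rm -rf "$dir"
    echo "$out"
}

echo "by path:  $(run_by_path)"
echo "via PATH: $(run_via_search_path)"
```

The order of directories in PATH decides which of two same-named programs runs, which is why new or untrusted tool directories belong at the end of the path rather than the front.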
Unix Versions
The sheer number of Unix variants can be bewildering to anyone trying to find the appropriate operating system for a particular application. However, apart from systems intended for special purposes, virtually any Unix OS can perform well in a variety of roles, and the selection you make may be based more on economic factors, hardware platform, or personal taste than on anything else. If, for example, you decide to purchase proprietary Unix workstations, you'll be using the version of the OS intended for the machine. If you intend to run Unix on Intel-based computers, you might choose the OS based on the GUI that you feel most comfortable with, or you might be looking for the best bargain you can find and limit yourself to the versions available as free downloads. The following sections discuss some of the major Unix versions available.
Unix System V
Unix System V is the culmination of the original Unix work begun by AT&T's Bell Labs in the 1970s. Up until release 3.2, the project was wholly developed by AT&T, even while other Unix work was ongoing at the University of California at Berkeley and other places. Unix System V Release 4 (SVR4), released in the late 1980s, consolidated the benefits of the SVR operating system with those of Berkeley's BSD, Sun's SunOS, and Microsoft's Xenix. This release brought together some of the most important elements that are now indelibly associated with the name Unix, including networking elements such as the TCP/IP Internet Package from BSD, which includes file transfer, remote login, and remote program execution capabilities, and the Network File System (NFS) from SunOS.
AT&T eventually split its Unix development project off into a subsidiary called Unix System Laboratories (USL), which released System V Release 4.2. In 1993, AT&T sold USL to Novell, which released its own version of SVR4 under the name UnixWare. In light of pressure from the other companies involved in Unix development, Novell transferred the Unix trademark to a consortium called X/Open, thus enabling any manufacturer to describe its product as a Unix OS. In 1995, Novell sold all of its interest in Unix SVR4 and UnixWare to the Santa Cruz Operation (SCO), which owns it to this day. In 1997, SCO released Unix System V Release 5 (SVR5) under the name OpenServer, as well as version 7 of its UnixWare product. These are the descendants of the original AT&T products, and they are still on the market.
BSD Unix
In 1975, one of the original developers of Unix, Ken Thompson, took a sabbatical at the University of California at Berkeley, and while there, he ported his current Unix version to a PDP-11/70 system. The seed he planted took root, and Berkeley became a major developer of Unix in its own right. BSD Unix introduced several of the major features associated with most Unix versions, including the C shell and the vi text editor. Several versions of BSD Unix appeared throughout the 1970s, culminating in 3BSD. In 1979, the U.S. Department of Defense's Advanced Research Projects Agency (DARPA) funded the development of 4BSD, which coincided with the development and adoption of the TCP/IP networking protocols. For more information about BSD Unix, see Chapter 21.
Unix Networking
Unix is a peer-to-peer network operating system, in that every computer is capable of both accessing resources on other systems and sharing its own resources. These networking capabilities take three basic forms, as follows:
• The ability to open a session on another machine and execute commands on its shell
• The ability to access the file system on another machine, using a service like NFS
• The ability to run a service (called a daemon) on one system and access it using a client on another system
The TCP/IP protocols are an integral part of all Unix operating systems, and many of the TCP/IP programs and services that may be familiar to you from working with the Internet are also implemented on Unix networks. For example, Unix networks can use DNS servers to resolve host names into IP addresses and use BOOTP or DHCP servers to automatically configure TCP/IP clients. Standard Internet services such as File Transfer Protocol (FTP) and Telnet have long been a vital element of Unix networking, as are utilities such as Ping and Traceroute.
The following sections examine the types of network access used on Unix systems and the tools involved in implementing them.
Using Remote Commands
One form of network access that is far more commonly used on Unix than on other network operating systems is the remote console session, in which a user connects to another computer on the network and executes commands on that system. Once the connection is established, commands entered by the user at the client system are executed by the remote server, and the output is redirected over the network back to the client's display. It's important to understand that this is not the equivalent of accessing a shared network drive on a Windows computer and executing a file. In the latter case, the program runs using the client computer's processor and memory. When you execute a command on a Unix computer using a remote console session, the program actually runs on the other computer, using its resources.
Because Unix relies heavily on the command prompt, character-based remote sessions are more useful than they are in a more graphically oriented environment like that of Windows.
Berkeley Remote Commands
The Berkeley remote commands were originally part of BSD Unix and have since been adopted by virtually every other Unix OS. Sometimes known as the r* commands, these tools are intended primarily for use on local area networks (LANs), rather than over wide area network (WAN) or Internet links. These commands enable you not only to open a session on a remote system but to perform specific tasks on a remote system without logging in and without working interactively with a shell prompt.
rlogin
The rlogin command establishes a connection to another system on the network and provides access to its shell. Once connected, any commands you enter are executed by the other computer using its processor, file system, and other components. To connect to another machine on the network, you use a command like the following: rlogin [-l username] hostname
where the hostname variable specifies the name of the system to which you want to connect.
NOTE You can sometimes use the IP address instead of your hostname.
Authentication is required for the target system to establish the connection, which can happen using either host-level or user-level security. To use host-level security, the client system must be trusted by the server by having its hostname listed in the /etc/hosts.equiv file on the server. When this is the case, the client logs in without a username or password because it is automatically trusted by the server no matter who's using the system.
User-level security requires the use of a username and sometimes a password, in addition to the hostname. By default, rlogin supplies the name of the user currently logged in on the client system to the remote system, as well as information about the type of terminal used to connect, which is taken from the value of the TERM variable. The named user must have an account in the remote system's password database, and if the client system is not trusted by the remote system, the remote system may then prompt the client for the password associated with that username. It's also possible to log in using a different username by specifying it on the rlogin command line with the -l switch.
For the username to be authenticated by the remote system without using a password, it must be defined as an equivalent user by being listed in a .rhosts file located in the user's home directory on that system. The .rhosts file contains a list of hostnames and usernames that specify whether a user working on a specific machine should be granted immediate access to the command prompt. Depending on the security requirements for the remote system, the .rhosts files can be owned either by the remote users themselves or by the root account on the system. Adding users to your .rhosts file is a simple way of giving them access to your account on that machine without giving them the password.
NOTE The root account on a Unix computer is a built-in superuser that has full access to the entire system, much like the Administrator account in Windows but even more powerful (depending on the version of Windows).
Once you have successfully established a connection to a remote system, you can execute any command in its shell that you would on your local system, except for those that launch graphical applications. You can also use rlogin from the remote shell to connect to a third computer, giving you simultaneous access to all three. To terminate the connection to a remote system, you can use the exit command, press the CTRL-D key combination, or type a tilde followed by a period (~.).
rsh
In some instances, you may want to execute a single command on a remote system and view the resulting output without actually logging in. You can do this with the rsh command, using the following syntax: rsh hostname command
where the hostname variable specifies the system on which you want to open a remote shell, and the command variable is the command to be executed on the remote system. Unlike rlogin, interactive authentication is not possible with rsh. For the command to work, the user must have either a properly configured .rhosts file on the remote system or an entry in the /etc/hosts.equiv file. The rsh command provides essentially the same command-line capabilities as rlogin, except that it works for only a single command and does not maintain an open session.
NOTE The rsh command was called remsh on HP-UX systems. There are many cases in which commands providing identical functions have different names on various Unix operating systems.
rcp
The rcp command is used to copy files to or from a remote system across a network without performing an interactive login. The rcp functions much like the cp command used to copy files on the local system, using the following syntax: rcp [-r] sourcehost:filename desthost:filename
where the sourcehost:filename variable specifies the hostname of the source system and the name of the file to be copied, and the desthost:filename variable specifies the hostname of the destination system and the name that the file should be given on that system. You can also copy entire directories by adding the -r parameter to the command and specifying directory names instead of filenames. As with rsh, there is no login procedure, so to use rcp, either the client system must be trusted by the remote system or the user must be listed in the .rhosts file.
Secure Shell Commands
The downside of the Berkeley remote commands is that they are inherently insecure. Passwords are transmitted over the network in clear text, making it possible for intruders to intercept them. Because of this susceptibility to compromise, many administrators prohibit the use of these commands. To address this problem, there is a Secure Shell program that provides the same functions as rlogin, rsh, and rcp, but with greater security. The equivalent programs in the Secure Shell are called slogin, ssh, and scp. The primary differences in using these commands are that the connection is authenticated on both sides and all passwords and other data are transmitted in encrypted form.
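The trust files described under rlogin, rsh and rcp are what an administrator who prohibits the r* commands needs to find and remove. The script below is an added example and not from the book: it walks a directory tree for /etc/hosts.equiv and per-user .rhosts files and flags "+" wildcard entries, which trust every host (and, written as "+ +", every user). The sample tree it builds, with hosts lab1 and lab2 and users alice, bob and carol, is constructed for the demonstration; pointing audit_rhosts_trust at / audits a real host.

```shell
#!/bin/sh
# Added example, not from the book: a defender's check for the r-command trust
# files described above. It walks a directory tree that stands in for a system
# root (so it can be pointed at "/" on a real host or at a test tree), reports
# every hosts.equiv and .rhosts file, and flags "+" wildcard entries, which
# trust every host. The tree built by make_sample_tree is CONSTRUCTED.

# audit_rhosts_trust ROOT: prints one FOUND/WILDCARD line per finding and a
# closing summary. Paths containing whitespace are not handled (find output is
# word-split), which is acceptable for /etc and home directories.
audit_rhosts_trust() {
    root=$1
    findings=0
    equiv="$root/etc/hosts.equiv"
    if [ -f "$equiv" ]; then
        echo "FOUND $equiv (host-level trust: listed hosts log in with no password)"
        findings=$((findings + 1))
    fi
    rhosts_files=$(find "$root" -name .rhosts -type f 2>/dev/null)
    for f in $rhosts_files; do
        echo "FOUND $f (user-level trust for the owning account)"
        findings=$((findings + 1))
    done
    # A line beginning with "+" trusts any host; "+ +" trusts any user as well.
    for f in "$equiv" $rhosts_files; do
        [ -f "$f" ] || continue
        if grep -q '^+' "$f"; then
            echo "WILDCARD in $f: $(grep '^+' "$f" | head -n 1)"
            findings=$((findings + 1))
        fi
    done
    echo "total findings: $findings"
    if [ "$findings" -gt 0 ]; then
        echo "remediation: remove these files and use ssh/scp in place of rlogin, rsh, rcp"
    fi
}

# make_sample_tree: builds a constructed root with one hosts.equiv and one
# .rhosts file and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob"
    printf 'lab1\n+\n' > "$root/etc/hosts.equiv"        # constructed: lab1, then "any host"
    printf 'lab2 carol\n' > "$root/home/alice/.rhosts"   # constructed: carol@lab2 as alice
    echo "$root"
}

# demo_trust_audit: audits the constructed tree, removes it, and prints the
# number of FOUND/WILDCARD findings (3 for the sample tree).
demo_trust_audit() {
    root=$(make_sample_tree)
    n=$(audit_rhosts_trust "$root" | grep -c -e '^FOUND' -e '^WILDCARD')
    rm -rf "$root"
    echo "$n"
}

# Stand-alone usage: show the full report for the sample tree.
root=$(make_sample_tree)
audit_rhosts_trust "$root"
rm -rf "$root"
```

Run against a copy of a host's file system (or against / with root privileges), the report lists every account that can be entered without a password from the named hosts, which is the inventory needed before the r* services are switched off in favour of ssh and scp.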
DARPA Commands
The Berkeley remote commands are designed for use on like Unix systems, but the DARPA commands were designed as part of the TCP/IP protocol suite and can be used by any two systems that support TCP/IP. Virtually all Unix operating systems include both the client and server programs for Telnet, FTP, and Trivial File Transfer Protocol (TFTP) and install them by default, although some administrators may choose to disable them later.
telnet
The telnet command is similar in its functionality to rlogin, except that telnet does not send any information about the user on the client system to the server. You must always supply a username and password to be authenticated. As with all of the DARPA commands, you can use a Telnet client to connect to any computer running a Telnet server, even if it is running a different version of Unix or a non-Unix OS. The commands you can use while connected, however, are wholly dependent on the OS running the Telnet server. If, for example, you install a Telnet server on a Windows system, you can connect to it from a Unix client, but once connected, you can use only the commands recognized by Windows. Since Windows is not primarily a character-based OS, its command-line capabilities are relatively limited, unless you install outside programs.
ftp
The ftp command provides more comprehensive file transfer capabilities than rcp and enables a client to access the file system on any computer running an FTP server. However, instead of accessing files in place on the other system, ftp provides only the ability to transfer files to and from the remote system. For example, you cannot edit a file on a remote system, but you can download it to your own system, edit it there, and then upload the new version to the original location. Like with Telnet, users must authenticate themselves to an FTP server before they are granted access to the file system. Many systems running FTP, such as those on the Internet, support anonymous access, but even this requires an authentication process of sorts in which the user supplies the name "anonymous" and the server is configured to accept any password.
tftp
The tftp command uses the Trivial File Transfer Protocol to copy files to or from a remote system. Whereas ftp relies on the Transmission Control Protocol at the transport layer, tftp uses the User Datagram Protocol (UDP). Because UDP is a connectionless protocol, no authentication by the remote system is needed. However, this limits the command to copying only files that are publicly available on the remote system. The TFTP protocol was designed primarily for use by diskless workstations that have to download an executable operating system file from a server during the boot process.
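Disabling these services "later", as the text puts it, has traditionally meant commenting their lines out of /etc/inetd.conf, the file from which inetd starts Telnet, FTP, TFTP and the r* daemons on demand. The script below is an added example and not from the book: it reads inetd.conf-style lines, skips commented entries, and reports which of the cleartext services (telnet, ftp, tftp, and the rsh and rlogin entries, which inetd names shell and login) are still active, naming the Secure Shell replacement from the previous section. The configuration text and daemon paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: report which cleartext inetd services are
# still enabled. The inetd.conf text below is CONSTRUCTED for the demo. The
# field layout (service type protocol wait user server args) is the classic
# inetd format, and a "#" at the start of a line disables that entry.

SAMPLE_INETD_CONF='# service type   proto wait   user server               args
telnet    stream tcp   nowait root /usr/sbin/in.telnetd in.telnetd
#ftp      stream tcp   nowait root /usr/sbin/in.ftpd    in.ftpd -l
tftp      dgram  udp   wait   root /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
shell     stream tcp   nowait root /usr/sbin/in.rshd    in.rshd
#login    stream tcp   nowait root /usr/sbin/in.rlogind in.rlogind
daytime   stream tcp   nowait root internal'

# replacement_for SERVICE: the Secure Shell equivalent named in the text, or
# nothing if SERVICE is not one of the cleartext services discussed.
# inetd names rsh "shell" and rlogin "login"; rcp rides on the rsh service.
replacement_for() {
    case $1 in
        telnet) echo "ssh" ;;
        login)  echo "slogin/ssh" ;;
        shell)  echo "ssh (and scp in place of rcp)" ;;
        ftp)    echo "scp" ;;
        tftp)   echo "scp, or keep only for diskless boot images" ;;
        *)      echo "" ;;
    esac
}

# list_active_cleartext: reads inetd.conf lines on stdin and prints
# "ACTIVE service/proto -> use replacement" for each enabled cleartext service.
list_active_cleartext() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;     # blank line or disabled (commented) entry
        esac
        set -f                       # no glob expansion while splitting fields
        set -- $line
        set +f
        svc=$1
        proto=$3
        repl=$(replacement_for "$svc")
        [ -n "$repl" ] || continue   # not one of the cleartext services
        echo "ACTIVE $svc/$proto -> use $repl"
    done
}

# count_active_cleartext: number of active cleartext services in the sample
# (3 for the data above: telnet, tftp and shell; ftp and login are commented).
count_active_cleartext() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | list_active_cleartext | wc -l | tr -d ' '
}

# Stand-alone usage: report on the sample configuration.
printf '%s\n' "$SAMPLE_INETD_CONF" | list_active_cleartext
```

Fed the real file (`list_active_cleartext < /etc/inetd.conf`) the same function gives an administrator the list of entries to comment out; on systems that use xinetd or a service manager instead, the per-service configuration differs but the question being asked is the same.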
NetworkFileSystemSharingfilesisanessentialpartofcomputernetworking,andUnixsystemsuseseveralmechanismstoaccessfilesonothersystemswithoutfirsttransferringthemtoalocaldrive,aswithftpandrcp.ThemostcommonlyusedofthesemechanismsistheNetworkFileSystem(NFS),whichwasdevelopedbySunMicrosystemsinthe1980sandhasnow
beenstandardizedbytheInternetEngineeringTaskForce(IETF)asRFC1094(NFSVersion2)andRFC1813(NFSVersion3).ByallowingNFStobepublishedasanopenstandard,Sunmadeitpossibleforanyonetoimplementtheservice,andtheresultisthatNFSsupportisavailableforvirtuallyeveryOSinusetoday.
PracticallyeveryUnixvariantavailableincludessupportforNFS,whichmakesitpossibletosharefilesamongsystemsrunningdifferentUnixversions.Non-Unixoperatingsystems,suchasWindowsandNetWare,canalsosupportNFS,butaseparateproduct(marketedbyeitherthemanufacturerorathirdparty)isrequired.SinceWindowsandNetWarehavetheirowninternalfile-sharingmechanisms,theseotheroperatingsystemsmostlyrequireNFSonlytointegrateUnixsystemsintotheirnetworks.
NFS is a client-server application in which a server makes all or part of its file system available to clients (using a process called exporting or sharing), and a client accesses the remote file system by mounting it, which makes it appear just like part of the local file system. NFS does not communicate directly with the kernel on the local computer but rather relies on the remote procedure calls (RPC) service, also developed by Sun, to handle communications with the remote system. RPC has also been released as an open standard by Sun and published as an IETF document called RFC 1057. The data transmitted by NFS is encoded using a method called External Data Representation (XDR), as defined in RFC 1014. In most cases, the service uses the UDP protocol for network transport and listens on port 2049.
NFS is designed to keep the server side of the application as simple as possible. NFS servers are stateless, meaning they do not have to maintain information about the state of a client to function properly. In other words, the server does not maintain information about which clients have files open. In the event that a server crashes, clients simply continue to send their requests until the server responds. If a client crashes, the server continues to operate normally. There is no need for a complicated reconnection sequence. Because repeated iterations of the same activities can be the consequence of this statelessness, NFS is also designed to be as idempotent as possible, meaning that the repeated performance of the same task will not have a deleterious effect on the performance of the system. NFS servers also take no part in the adaptation of the exported file system to the client's requirements. The server supplies file system information in a generalized form, and it is up to the client to integrate it into its own file system so that applications can make use of it.
The communication between NFS clients and servers is based on a series of RPC procedures defined in the NFS standard and listed in Table 20-1. These basic functions enable the client to interact with the file system on the server in all of the ways expected by a typical application. An Internet-Draft released in April 2014 by IETF describes minor updates to earlier NFS versions. The goal of this revision, according to the draft, is to "improve access and good performance on the Internet, provide strong security, good cross-platform interoperability, and is designed for protocol extensions which do not compromise backward compatibility." (See http://tools.ietf.org/html/draft-ietf-nfsv4-rfc3530bis-33#section-1.1 for more information.)
Table 20-1 Some RPC Procedures in NFS Versions
On a system configured to function as an NFS server, you can control which parts of the file system are accessible to clients by using commands such as share on Solaris and SVR4 systems and exportfs on Linux and HP-UX. Using these commands, you specify which directories clients can access and what degree of access they are provided. You can choose to share a directory on a read-only basis, for example, or grant read-write access, and you can also designate different access permissions for specific users.
Client systems access the directories that have been shared by a server by using the mount command to integrate them into the local file system. The mount command specifies a directory shared by a server, the access that client applications should have to the remote directory (such as read-write or read-only), and the mount point for the remote files. The mount point is a directory on the local system in which the shared files and directories will appear. Applications and commands running on the client system can reference the remote files just as if they were located on a local drive.
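As an added example (not from the book), here is a Linux /etc/exports fragment with an over-permissive share beside its corrected form, plus a small POSIX shell function that audits such a file for entries any host can mount or that leave a remote root user unsquashed. The directories, hosts, and the 192.0.2.0/24 range are constructed for illustration; exportfs and mount are the real commands the text names.

```shell
#!/bin/sh
# Added example, not from the book: audit a Linux /etc/exports file for
# shares that every host can mount or that keep remote root privileges.
# The export lines are constructed; 192.0.2.0/24 is the documentation range.

# Write the sample exports file to a temp path so the audit runs offline.
EXPORTS_SAMPLE=$(mktemp)
cat >"$EXPORTS_SAMPLE" <<'EOF'
# weak: any host may mount read-write, and a remote root user stays root
/srv/share      *(rw,no_root_squash,sync)
# corrected: one subnet, read-only, remote root mapped to an unprivileged id
/srv/share      192.0.2.0/24(ro,root_squash,sync)
# read-write for a single host, root still squashed
/home/projects  192.0.2.10(rw,root_squash,sync)
EOF

# audit_exports FILE
# Prints one finding per line as "<directory> <client> <reason>".
audit_exports() {
    set -f                                   # no globbing: a client of "*" stays literal
    while read -r dir rest; do
        case "$dir" in ''|\#*) continue ;; esac    # skip blank lines and comments
        for spec in $rest; do                # one line may list several client specs
            client=${spec%%\(*}              # text before "(" is the host spec
            opts=
            case "$spec" in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
            esac
            # an empty or "*" client means every host on the network may mount it
            case "$client" in
                ''|\*) echo "$dir $client exported-to-all-hosts" ;;
            esac
            # no_root_squash lets uid 0 on the client act as root on the export
            case ",$opts," in
                *,no_root_squash,*) echo "$dir $client no_root_squash" ;;
            esac
        done
    done <"$1"
    set +f
}

audit_exports "$EXPORTS_SAMPLE"

# Server side, after editing /etc/exports:   exportfs -ra
# Client side, read-only mount of the corrected share (server address assumed):
#   mount -t nfs -o ro 192.0.2.1:/srv/share /mnt/share
```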
Client-Server Networking
Client-server computing is the basis for networking on Unix systems, as it is on many other computing platforms. Unix is a popular application server platform largely because its relative simplicity and flexibility enable the computer to devote more of its resources toward its primary function. On a Windows server, for example, a significant amount of system resources are devoted to running the GUI and other subsystems that may have little or nothing to do with the server applications that are its primary functions. When you dedicate a computer to functioning as a web server, for example, and you want it to be able to service as many clients as possible, it makes sense to disable all extraneous functions, which is something that is far easier to do on a Unix system than in Windows.
Server applications on Unix systems typically run as daemons, which are background processes that run continuously, regardless of the system's other activities. There are many commercial server products available for various Unix versions and also a great many that are available free of charge. Because the TCP/IP protocols were largely developed on the Unix platform, Unix server software is available for every TCP/IP application in existence.
CHAPTER 21
Other Network Operating Systems and Networking in the Cloud
Additional operating systems have been created as computing has evolved. Today, many users are turning to the cloud for networking (and other services). As technology advances, new methods and approaches will develop.
Historical Systems
In 1977, a Unix-based operating system was developed by the University of California, Berkeley. This system was originally an extension of AT&T Research's Unix operating system. Eventually, Berkeley Software Distribution (BSD) Unix came to be the operating system (OS) that many other organizations used as the basis for their own Unix products, including Sun Microsystems' SunOS. The result is that many of the programs written for one BSD-based Unix version are binary-compatible with other versions. Once the SVR4 release consolidated the best features of BSD and several other Unix versions into one product, the BSD product became less influential and culminated in the 4.4BSD version in 1992.
Although many of the Unix variants that are popular today owe a great debt to the BSD development project, the versions of BSD that are still commonly used are public domain operating systems, such as FreeBSD, Linux, NetBSD, and OpenBSD. All of these operating systems are based on Berkeley's 4.4BSD release and can be downloaded from the Internet free of charge and used for private and commercial applications at no cost.
FreeBSD
FreeBSD, available at freebsd.org/ in versions for the Intel and Alpha platforms, is based on the Berkeley 4.4BSD-Lite2 release and is binary-compatible with Linux, SCO, SVR4, and NetBSD applications. The FreeBSD development project is divided into two branches: the STABLE branch, which includes only well-tested bug fixes and incremental enhancements, and the CURRENT branch, which includes all of the latest code and is intended primarily for developers, testers, and enthusiasts. The current stable version as of January 2015 is 10.1.
NetBSD
NetBSD, available at netbsd.org/, is derived from the same sources as FreeBSD but boasts portability as one of its highest priorities. NetBSD is available in formal releases for 15 hardware platforms, ranging from Intel and Alpha to Mac, SPARC, and MIPS processors, including those designed for handheld Windows CE devices. Many other ports are in the developmental and experimental stages. NetBSD's binary compatibility enables it to support applications written for many other Unix variants, including BSD, FreeBSD, HP/UX, Linux, SVR4, Solaris, SunOS, and others. Networking capabilities supported directly by the kernel include NFS, IPv6, network address translation (NAT), and packet filtering. The latest version of NetBSD, released in September 2014, is 6.1.5.
OpenBSD
OpenBSD is available at openbsd.org/; the current version is 5.6, released in November 2014. Like the other BSD-derived operating systems, OpenBSD is binary-compatible with most of its peers, including FreeBSD, SVR4, Solaris, SunOS, and HP/UX, and it currently supports 20 hardware platforms, including Intel, Alpha, SPARC, PowerPC, and others. However, the top priorities of OpenBSD's developers are security and cryptography. Because OpenBSD is a noncommercial product, its developers feel they can take a more uncompromising stance on security issues and disclose more information about security than commercial software developers. Also, because it is developed in and distributed from Canada, OpenBSD is not subject to the American laws that prohibit the export of cryptographic software to other countries. The developers are, therefore, more likely to take a cryptographic approach to security solutions than are American-based companies.
Oracle Solaris
Sun Microsystems (sun.com) became involved in Unix development in the early 1980s, when its operating system was known as SunOS. In 1991, Sun created a subsidiary called SunSoft that began work on a new Unix version based on SVR4, which it called Solaris. Purchased by Oracle in 2010, Oracle Solaris is now a complete cloud infrastructure operating system and bills itself as the "industry's most widely deployed Unix operating system" and the "first fully virtualized operating system." See the next section to learn more about cloud computing.
Operating in the Cloud
Working "in the cloud" is not a new concept. When Vannevar Bush and J.C.R. Licklider were formulating the Advanced Research Projects Agency Network (ARPANET) in the 1960s, Licklider envisioned the "Intergalactic Computer Network." A paper written with Robert W. Taylor in 1968 entitled "The Computer as a Communication Device" predicted that computer networks would be used for communication. Although his ideas were not realized until the availability of higher bandwidths in the 1990s, much of what he described is used today. His paper is still available at several locations on the Internet, including http://memex.org/licklider.pdf.
History of the Cloud
The term cloud computing has been in use for several decades. While the exact origin seems to be unknown, a cloud symbol has long been used to represent the Internet when creating computer diagrams. And, the cloud itself is a networked group of servers that can be accessed over the Internet, making it possible to obtain services, resources, and storage from any world location where an Internet connection is available.
Precursors to the Cloud
In the 1950s, mainframe computers were used for communication at large companies and universities. Many were incapable of processing information but were accessible from so-called thin-client workstations. These units were quite costly, and time on them was often rented to others; therefore, "time-sharing" became a popular method of recouping the high cost of these units.
In 1960, the Dataphone was created by AT&T to convert digital computer signals to analog signals so the digital signals could be sent via AT&T's long-distance network. Online transaction processing became available over telephone lines in 1964. Created by IBM for American Airlines, telephone lines linked 65 cities to IBM computers.
The first photo-digital storage system was created by IBM in 1967 and could read and write up to a trillion bits of information. Modems appeared in 1970, and resource-sharing became commonplace thanks to ARPANET and several universities. E-mail first appeared in 1971, and the Ethernet method was created in 1973.
In 1975, Telenet became the commercial equivalent of ARPANET and linked computers in seven cities. By 1979, Usenet came into common usage and existed through the 1990s. Transmission Control Protocol/Internet Protocol (TCP/IP) was adopted in 1980, and within a few years, ARPANET was divided into two segments: MILNET for military use and ARPANET for civilian usage. This civilian segment became known as the Internet in 1995. In 1989, the first Internet service providers (ISPs) appeared in both the United States and Australia.
By 1990, Hypertext Markup Language (HTML), created by Tim Berners-Lee, made the World Wide Web possible. The specifications Berners-Lee developed made it possible for browsers to send queries to servers and view documents on linked, faraway sites. Shortly thereafter, the first commercial web browser software (Mosaic) was released for several operating systems. In 1991, Berners-Lee founded the W3 Consortium for development on the World Wide Web.
As computing power, bandwidth availability, and computers themselves gained wider usage, some telecommunication firms started offering virtual private networks (VPNs) to their larger customers. These networks made it possible for data to be processed across a public or shared network as if the network was functioning as a private network. VPNs operate in a similar manner to wide area networks and allow users to securely connect offices and personnel across widely separated geographical distances. Table 21-1 shows how the cloud has evolved from the mainframes of the 1950s.
Table 21-1 Computing Through the Decades
Early Cloud Providers
Widely accepted as the beginning of cloud computing services was the Salesforce.com website, which launched in 1999, providing business applications and other customer relationship management (CRM) products. Still in business, it offers a wide variety of sales and marketing products.
In 2002, Amazon unveiled its Amazon Web Services, which offered storage and computation services. It also was the first appearance of the Amazon Mechanical Turk, a service that provides businesses with workers who perform tasks that computers cannot yet accomplish. Amazon's Elastic Compute Cloud (EC2) was introduced in 2006. This service provides computer rental time to individuals and small companies on which they can run their own programs.
Google joined the cloud in 2009 when it offered, along with several other services, Google Apps, which is similar to well-known desktop software products; using Google Apps, a user can create word processing documents, spreadsheets, and presentations online. From there, users can save them to their own computer as well as access the file from any location with an Internet connection.
Benefits of the Cloud
There are many benefits for both business and individuals when working in the cloud. The following are just some of the benefits of the cloud:
• Accessibility: Data stored in the cloud can be accessed from anywhere. Files can be shared and updated on any device that has Internet connectivity. All services can be used on demand without outside interaction.
• Affordability: Applications can be used as needed, instead of investing in hardware or software that may be needed only part of the time. The cloud also eliminates long-term commitment to any specific technology.
• Availability: Nearly any service one needs is available for a fee from a cloud provider.
• Competitive advantages: Especially for smaller businesses, technical expertise can be expensive. Companies utilizing the cloud for technical services can operate at much less cost than those businesses who have in-house staff.
• Disaster recovery: Information stored in the cloud is available at any time. If a disaster strikes, data is still available.
• Efficiency: Because of the economies of scale inherent to cloud providers, costs per "transaction" are much smaller than in-house operations. Also, the load-balancing capabilities increase reliability.
• Elasticity: As business grows, the cloud provides scalability.
• Theft protection: Information stored on a laptop or tablet can be compromised if it is stolen. Were the same information stored in the cloud rather than on the mobile device, the data would not be at risk.
Disadvantages in the Cloud
As with any technology, there are disadvantages to cloud computing, covered in the following sections.
Security
The most common concern when discussing moving to the cloud is security. Malware, hackers, and unauthorized access become major concerns, and relying on a third party to ensure confidential client data or patented internal information can be a major issue.
Loss of Control
Internal data and information are no longer under your immediate control. If applications are run in another location, they may experience downtime, slow responses, or other problems that can affect daily workloads.
Dependency
If an enterprise cannot connect to the Internet, cloud computing becomes a liability instead of an asset; therefore, reliable, consistent, high-speed Internet access is critical. Also, once a company is committed to a specific cloud vendor, it can be difficult to move to another supplier.
Initial Cost
Small companies often find the initial investment can be costly. Researching exactly what a company requires and comparing those requirements to services offered by each outside service can help find the lowest cost.
Also, before committing to a specific vendor for outside cloud services, companies must ensure their equipment is compatible with an outside cloud service provider to eliminate any additional in-house equipment purchases.
Lack of Redundancy
Each service, especially those offering data storage, offers different levels of data storage protection, often with different price points. Even when all is going well, equipment can malfunction.
How the Cloud Works
Today, cloud companies are everywhere. But, how does the cloud work? The cloud works in much the same way as your office computer. However, instead of installing applications or storing data locally, your applications, your data, and even the processor are installed on a computer in another location. Figure 21-1 shows the traditional setup for an office computer with data and applications stored on a desktop (or laptop) computer within one office.
Figure 21-1 A typical office computer setup with computers, server, storage, and web access
With resources, software, information, and even operating systems available in the cloud today, it is possible for businesses and individuals to bypass the onsite storage and server and have all storage, applications, and processing done via the cloud, as shown in Figure 21-2.
Figure 21-2 The cloud provides many services that were once handled onsite.
Front-End Cloud Architecture
The front end of the cloud architecture is the client interface, the method by which the end user connects to the Internet. It includes the way the client (end user) connects to the Internet, such as an e-mail client that uses web browsers or task-specific applications.
Back-End Cloud Architecture
At the back end are all the resources the cloud provides. This can be storage, software, platforms, and security, as shown in Figure 21-3.
Figure 21-3 The architecture of cloud computing
Middleware
The resources at the back end use middleware to support the various components. Middleware was once a term that defined the software connecting applications and networks. However, today middleware can be construed as a cloud intermediary; it's software that allows other components to work together. There are several types of middleware, some of which are shown here:
• Content/data-centric: This method allows users to obtain specific items by a unique identifier, rather than going through servers.
• Database: This middleware allows direct access to databases, including SQL databases.
• Embedded: This type provides communication between other embedded applications or between embedded operating systems and external applications.
• Message-oriented: This enables disbursement of applications over various platforms and operating systems. It is the most commonly used.
• Portals: While portals are not always considered middleware, they create connections between the user's device and back-end services.
• Transaction: This type, which is becoming more common, includes web application servers and transaction applications.
Components
Back-end components vary from service to service but generally have three main parts:
• Data storage: Most cloud services offer this component. Whether stored by the service itself, by a cloud application, or by the user, it is often designed to store more than one copy of each data set.
• Application server: Each server within the service is usually designed to perform or provide only one service or function. In most cases, application servers are available for the client interface.
• Control nodes: These task-specific computers connect to data storage or application servers by the Internet or other networks. They are the connection between the front-end architecture and servers, maintaining communication and proper data flow between the two.
Cloud Types
There are four main types of cloud services. Each has its own advantages and disadvantages.
Public Cloud
Public clouds are owned and managed by a private company that offers the service to users. The services are separate from the users, and users have no control over the structure of the company's equipment or network. There are many companies offering these services today, such as Amazon, Google, and Microsoft.
Users pay only for the services, sometimes for short-term usage to complete a time-critical project or over a longer term, such as to store data off-site. This can reduce the capital expenditures for equipment and IT support within an organization.
While such services are scalable and usually reliable, because of their public nature, public clouds are vulnerable to malware and other attacks. Moreover, some companies cannot take advantage of public cloud services because of security regulations within their industry. Also, public clouds can be slower than in-house networks.
Private Cloud
Private clouds (also called internal clouds) are owned and operated by one group, company, or organization. For example, the resources are used by offices in three different cities, but the equipment and other assets are kept in a fourth location. The company owns and maintains control over the entire cloud.
While the initial costs of creating such a network may be high, this method can alleviate some security concerns and give much more control than that of public offerings. Private clouds can offer the same services as public clouds, as discussed in "Cloud Service Models" later in this chapter.
Hybrid Cloud
A hybrid cloud service utilizes both public and private clouds, each of which have separate uses. For example, a company may use its internal infrastructure (that is, its own private cloud) for security, speed, or privacy and then contract with an outside data storage service.
Community Cloud
Essentially, this cloud service is designed for use by a group that wants more control than can be obtained from a public cloud service. This model can be either managed by the community or contracted with an outside service. It is usually formed to address a common issue, such as regulatory compliance or security.
Cloud Service Models
As cloud computing is becoming more widespread, there are several types of cloud services offered by today's vendors. Several of the commonly used types are discussed here.
Infrastructure as a Service
Infrastructure as a service (IaaS) replaces many of the physical assets used in computing. Users pay regular fees, often monthly or annually, to use servers, use networks, or store data on a computer at a location other than their physical office. This saves costs associated with running and maintaining hardware locally.
IaaS is often platform independent, and the users are charged for only the resources they actually use. Since the infrastructure expense is shared among all the users, hardware expense is greatly reduced. Payment for the service can be on a "pay-as-you-go" basis, where the user pays for both software and infrastructure, or "bring-your-own-license," where the business supplies its own software licenses and uses only the infrastructure in the cloud.
Most providers offer a user interface that serves as the management console for the client. Logging on with a password offers the client much the same graphic user interface (GUI) with which they are already familiar. IaaS is especially useful for businesses that are growing rapidly or have periods when the workload is especially heavy.
This service eliminates the need to upgrade hardware and provides flexibility as long as a high-speed connection to the Internet is available. Providers normally manage the servers, hard drives, networking, and storage. Some even offer database services and messaging queues. The user is still responsible for managing their applications and data. Most providers require that the user maintain middleware as well.
Benefits of IaaS
There are several benefits to using IaaS, as shown here:
• Stretches financial resources: When companies need to grow but currently have limited financial resources, IaaS is useful for access to enterprise-level structures without the need to invest in more hardware. This frees funds for adding personnel or enhanced marketing campaigns.
• Flexibility: The flexibility of using just the service a company needs, such as hardware (as a service) or storage (as a service), is another advantage to IaaS. This pay-as-you-use method can be useful.
• Disaster recovery: Because information is stored away from the user's facility, recovery can be much faster in the event of fire, weather-related incidents, or other catastrophes.
• Scalability: For businesses with temporary busy cycles, using IaaS can allow users to accommodate the schedules efficiently.
Disadvantages of IaaS
In addition to the issues of using the cloud discussed in "Disadvantages in the Cloud" earlier in this chapter, there are some specific IaaS concerns:
• Use of mobile devices: Because of its on-demand nature, mobile device access can cause usage to exhaust the resources available.
• Internal requirements: If users do not clearly define and understand their needs, IaaS may end up costing more than investing in additional equipment.
• Minimal usage: If the company usage is minimal, IaaS may not be the best solution.
Platform as a Service
The second layer in the cloud "stack" is platform as a service (PaaS). The National Institute of Standards and Technology (NIST) defines PaaS as follows:
"Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment."
PaaS is designed for developing and managing applications, as opposed to IaaS, which is the provision of the underlying hardware resources required in business. The cloud service provides both the lower-level infrastructure resources and the application development and deployment structure. In this way, application developers can focus on the development and management of new applications.
Benefits of PaaS
As cloud computing grows, the differences between IaaS and PaaS are blurring. Even so, the ability to create, test, assess, and deploy new software applications makes PaaS appealing for some of the following reasons:
• No physical investment: The ability to rent the hardware resources necessary to develop new software makes it possible for developers to focus on their applications.
• Anyone can be a developer: Using a web browser, even novices can create an application. Using browser-based software development tools, the developer needs only a computer with a browser and Internet connection.
• Adaptable and flexible: Developers have control of the features, which can be changed if necessary.
• Connectivity: Using the Internet, developers in different geographic locations can work on the same project at the same time to build their applications.
• Fast testing and deploying: Teams can assess response and performance across multiple locations, platforms, and machines. Small applications meant for a limited customer base now become more cost-effective.
Disadvantages of PaaS
Even as PaaS is being utilized in the field, there are some concerns:
• Lack of confidence in security: Developers of new applications or products often are concerned about the secrecy and security of that information. Skepticism about revealing their plans to someone outside the company (the cloud provider) remains high. Other clients are concerned about regulatory compliance and data retention.
• System integration: There is a chance of the application not working with underlying resources.
• Workarounds: Some users have reported the necessity of using workarounds to bypass the limitations involved on various PaaS platforms.
Software as a Service
With the advent of Office 365 and Google Docs, software as a service instead of a product to be installed and maintained on office machines is becoming mainstream. This frees users from updating their applications and investing in new hardware as new features are added to the application. Users purchase usage time rather than a license, essentially renting the application.
In some cases, the users pay nothing, like with Facebook or search engines. Revenue is generated by advertising on those sites. Instead of installing the software on an individual device, the user accesses the site via the Internet. Instead of purchasing a new computer with lots of RAM, you can access these sites from a smartphone or tablet because all of the heavy-duty technology is on the server computer.
Benefits of SaaS
In addition to the cost benefits to the user, SaaS offers the following:
• Less user responsibility: There is no need to upgrade, maintain, or customize software applications.
• Anywhere availability: Whether at a football game or in the office, documents, spreadsheets, marketing plans, and any other documents can be accessed quickly on most any device that connects with the Internet.
Disadvantages of SaaS
Despite its convenience, there are some downsides to SaaS:
• Slowness: An application accessed over the Internet via a browser may be slower than the same program running on a local computer.
• Compliance: There are concerns in some industries about data regulations and requirements. Software accessed over the Internet may not meet those regulations.
• Third-party dependency: Like with all cloud services, SaaS is dependent on the cloud provider. This is perhaps most concerning when using software for daily tasks.
Network as a Service
As with the other cloud services, network as a service (NaaS) delivers network services over the Internet. Instead of investing in networking hardware, software, and IT staff, a business can create a VPN or a mobile network with only one computer, an Internet connection, and a monthly or pay-per-use subscription.
PART VI
Network Services
CHAPTER 22 Network Clients
CHAPTER 23 Network Security Basics
CHAPTER 24 Wireless Security
CHAPTER 25 Overview of Network Administration
CHAPTER 26 Network Management and Troubleshooting Tools
CHAPTER 27 Backing Up
CHAPTER 22
Network Clients
Although network administrators frequently spend a lot of time installing and configuring servers, the primary reason for the servers' existence is the clients. The choice of applications and operating systems for your servers should be based in part on the client platforms and operating systems that have to access them. Usually it is possible for any client platform to connect to any server, one way or another, but this doesn't mean you should choose client and server platforms freely and expect them all to work well together in every combination.
For ease of administration, it's a good idea to use the same operating system on all of your client workstations wherever possible. Even today, many network installations use standard Intel-based PCs running some version of Microsoft Windows, but even if you choose to standardize on Windows, you may have some users with special needs who require a different platform. Many network administrators over the last three to four years are much more open to the fact that they have to be ready for anything and everything in their operating systems. Since the advent of iPads and iPhones and other Apple devices, many college graduates moving into the corporate world are used to working on Apple products, so younger IT administrators are already used to working with that type of system. Graphic artists, for example, are often accustomed to working on Apple systems, and other users may need Unix or Linux. When selecting server platforms, you should consider what is needed to enable users on various client platforms to access them.
When you run various server platforms along with multiple clients, the process becomes even more complicated because each workstation might require multiple clients. The impact of multiple network clients on the performance of the computer depends on exactly which clients are involved. This chapter examines the client platforms commonly used on networks today and the software used to connect them to various servers.
Windows Network Clients
Although Microsoft Windows began as a stand-alone operating system, networking soon became a ubiquitous part of Windows, and all versions now include a client that enables them to connect to any other Windows computer. Windows networking was first introduced in the Windows NT 3.1 and Windows for Workgroups releases in 1993. The Windows networking architecture is based on network adapter drivers written to the Network Device Interface Specification (NDIS) standard and, originally, on the NetBEUI protocol. Later, Transmission Control Protocol/Internet Protocol (TCP/IP) became the default networking protocol.
Windows networking is a peer-to-peer system that enables any computer on the network to access resources on any other computer, as long as the other computers are running a protocol supported by Windows. When Microsoft introduced networking into Windows, the predominant network operating system was Novell NetWare, which used the client-server model that enables clients to access server resources only. Adding peer-to-peer networking to an already popular, user-friendly operating system such as Windows led to its rapid growth in the business local area network (LAN) industry and its eventual encroachment into NetWare's market share.
Windows Networking Architecture
Windows 3.1 and 3.11 were the only major versions of the operating environment that lacked a networking stack of their own, but it was possible to use Microsoft Client 3.0 for MS-DOS to connect them to a Windows network. All of the other Windows versions have built-in networking capabilities that enable the computer to participate on a Windows network.
The basic architecture of the Windows network client is the same in all of the operating systems, although the implementations differ substantially. In its simplest form, the client functionality uses the modules shown in Figure 22-1. At the bottom of the protocol stack is an NDIS network adapter driver that provides access to the network interface card (NIC) installed in the computer. Above the network adapter driver are drivers for the individual protocols running on the system. At the top of the stack is the client itself, which takes the form of one or more services.
Figure 22-1 The basic Windows client architecture
These three layers form a complete protocol stack running from the application layer of the Open Systems Interconnection (OSI) model down to the physical layer. Applications generate requests for specific resources that pass through a mechanism that determines whether the resource is located on a local device or on the network. Requests for network resources are redirected down through the networking stack to the NIC, which transmits them to the appropriate devices. The following sections examine these elements in more detail.
NDIS Drivers
The Network Device Interface Specification was designed by Microsoft and 3Com to provide an interface between the data link and network layers of the OSI model that would enable a single NIC installed in a computer to carry traffic generated by multiple protocols. This interface insulates the protocol drivers and other components at the upper layers of the protocol stack so that the process of accessing network resources is always the same, no matter what NIC is installed in the machine. As long as there is an NDIS-compatible NIC driver available, the interface can pass the requests from the various protocol drivers to the card, as needed, for transmission over the network.
The various Windows network clients use different versions of NDIS for their adapter drivers, as shown in Table 22-1. NDIS 2 was the only version of the interface that runs in the Intel processor's real mode, using conventional rather than extended memory, and it used a driver file with a .dos extension. Microsoft Client 3.0 for MS-DOS relied on this version of the specification for network access, but the primary job of NDIS 2 was to function as a real-mode backup for Windows for Workgroups, Windows 95, 98, and Me. All four of these operating systems included later versions of the NDIS specification that ran in protected mode, but the real-mode driver was included for situations in which it was impossible to load the protected-mode driver.
Table 22-1 NDIS Versions and the Operating Systems That Use Them
The primary advantage of the NDIS 3 drivers included with Windows for Workgroups and the first Windows NT releases was their ability to run in protected mode, which can use both extended and virtual memory. The driver took the form of an NDIS wrapper, which is generic, and a miniport driver that is device specific. Because most of the interface code is part of the wrapper, the development of miniport drivers by individual NIC manufacturers was relatively simple.
NDIS 3.1, first used in Windows 95, introduced plug-and-play capabilities to the interface, which greatly simplified the process of installing NICs. NDIS 4 provided additional functionality, such as support for infrared and other new media and power-management capabilities. NDIS 5 added a connection-oriented service that supports the ATM protocol in its native mode, as well as its quality-of-service functions. In addition, TCP/IP task offloading enabled enhanced NICs to perform functions normally implemented by the transport layer protocol, such as checksum computations and data segmenting, which reduces the load on the system processor.
NDIS 6 brought improved performance for both clients and servers in addition to simplified reset handling, and it streamlined driver initialization. NDIS 6.4, the latest version, added more functions.
All of the Windows network clients ship with NDIS drivers for an assortment of the most popular NICs that are in use at the time of the product's release. This means, of course, that older clients do not include support for the latest NICs on the market, but the NIC manufacturers all supply NDIS drivers for their products.
Protocol Drivers
Since Windows 95, Windows network clients all support the use of TCP/IP. When Microsoft first added networking to Windows, NetBEUI was the default protocol because it is closely related to the NetBIOS interface that Windows uses to name the computers on the network. NetBEUI is self-adjusting and requires no configuration or maintenance at all, but its lack of routing capabilities makes it unsuitable for today's networks. This shortcoming, plus the rise in the popularity of the Internet, led to TCP/IP being adopted as the protocol of choice on most networks, despite its need for individual client configuration.
The IPX protocol suite was developed by Novell for its NetWare operating system, which was the most popular networking solution at the time that Windows networking was introduced. After the release of Windows Vista and Windows Server 2003 x64, you need to contact Novell for support on either IPX or SPX. Novell client support for Windows 7, 8, and 8.1 as well as Windows x64 can be found at https://www.novell.com/documentation/windows_client.
Client Services
The upper layers of the networking stack in a Windows client take different names and forms, depending on the operating system. A service is a program that runs continuously in the background while the operating system is loaded, the equivalent of a daemon in Unix.
In most cases, the Windows networking architecture enables you to install additional client services that can take advantage of the same protocol and adapter modules as the Windows network client. For example, to turn on the Network Client in Windows 8.1, follow these steps:
1. Hold down the Windows key and press I, and from the resulting Settings column on the right side of your window, choose Control Panel.
2. From the Control Panel, choose Network And Internet.
3. Select Network And Internet and then Network And Sharing Center.
4. From the column on the left, choose Change Adapter Settings.
5. From the choices displayed, right-click the network adapter you want to use.
6. From the resulting menu, choose Properties, as shown in Figure 22-2.
Figure 22-2 Choose Properties from the right-click menu.
7. Ensure that the Client For Microsoft Networks list item has a check in the check box, as shown in Figure 22-3.
Figure 22-3 The Ethernet Properties dialog has several options for each adapter.
8. Click OK to close the dialog box and then click Control Panel to return to the Control Panel window.
NetWare Clients
Novell NetWare dominated the network operating system market when networking was being integrated into the Windows operating systems, so the ability to access legacy NetWare resources while running a Windows network was a priority for Microsoft’s development team.
Neither Windows 3.1 nor Windows for Workgroups included a NetWare client, but both of them functioned with the clients supplied by Novell. At the time that the 16-bit versions of Windows were released, NetWare clients used either the NetWare shell (NETX) or the NetWare DOS Requestor (VLM) client for the upper-layer functionality and used either a monolithic or Open Datalink Interface (ODI) driver for the NIC. A monolithic driver is a single executable (called Ipx.com) that includes the driver support for a particular NIC, while ODI is the Novell equivalent of NDIS, a modular interface that permits the use of multiple protocols with a single network card. The combination of an ODI driver and the VLM requestor was the most advanced NetWare client available at that time.
All of these client options loaded from the DOS command line, which meant that they provided network access to DOS applications outside of Windows, but also meant that they utilized large amounts of conventional and upper memory. In fact, without a carefully configured boot sequence or an automated memory management program, it was difficult to keep enough conventional memory free to load applications.
Macintosh Clients
Many of today’s networks contain workstations with different operating systems. All Macintosh systems include an integrated network interface, and this has long been touted as evidence of the platform’s simplicity and superiority. In earlier times Macintosh workstations required special treatment to connect them to a network running other platforms, such as Windows or Unix. However, since OS X’s initial release there has been no problem running a Mac on a Unix-based network (OS X is Unix) and few issues on a Windows network.
In most cases, however, you can configure your network to handle Macintosh clients, enabling Mac users to share files with Windows and other clients. If you select applications that are available in compatible versions for the different client platforms you’re running, Mac users can even work on the same files as Windows users.
Connecting Macintosh Systems to Windows Networks
Older Windows versions contained Microsoft Services for Macintosh, which implemented the AppleTalk protocol on the Windows computer, enabling Macintosh systems to access file and printer shares on the server. Unlike Windows clients, older Mac systems did not participate as peers on the Windows network.
Today, you do not need any extra software to access network drives from your Apple machines.
1. Open a Finder window by pressing COMMAND-N.
2. Choose from one of the Shared items in the left column, as shown in Figure 22-4.
Figure 22-4 The Macintosh Finder window shows shared items in a network.
NOTE Alternatively, you can make the Finder utility on the Mac active by pressing the Finder icon. Then press COMMAND-K to manually enter a server’s address, or click the Browse button to browse a list of available servers.
3. Either browse among the systems or enter the appropriate address.
4. Click Connect As to determine how you want to connect. You may sign in as a guest or with a registered user name on the server to which you are trying to connect.
5. Click the Connect button in the bottom-right corner of the window when finished, as shown in Figure 22-5.
Figure 22-5 Connect to a server on the network either as a guest or with a registered user name.
Microsoft Services for Macintosh
Discontinued in 2011, Microsoft Services for Macintosh made it possible for Macintosh systems to access Windows Server shares without modifying the configuration of the workstations.
Unix Clients
Three primary mechanisms provide client-server access between Unix systems. Two of these have been ported to many other computing platforms, and you can use them to access Unix systems from workstations running other operating systems. These three mechanisms are as follows:
• Berkeley remote commands: Designed for Unix-to-Unix networking, these commands provide functions such as remote login (rlogin), remote shell execution (rsh), and remote file copying (rcp).
• DARPA commands: Designed to provide basic remote networking tasks, such as file transfers (ftp) and terminal emulation (telnet), the DARPA commands operate independently of the operating system and have been ported to virtually every platform that supports the TCP/IP protocols.
• Network File System (NFS): Designed by Sun Microsystems in the 1980s to provide transparent file sharing between network systems, NFS has since been published as RFC 1813, an informational request for comments (RFC), by the Internet Engineering Task Force (IETF). NFS is available on a wide range of computing platforms, enabling most client workstations to access the files on Unix systems.
Applications
In most cases, the TCP/IP stacks on client computers include applications providing the DARPA ftp and telnet commands. Since all Unix versions run File Transfer Protocol (FTP) and Telnet server services by default, you can use these client applications to access any Unix system available on the network. These server applications have been ported to other operating systems as well.
Earlier versions of Windows TCP/IP clients included FTP and Telnet client applications, with the exception of Microsoft Client 3.0 for MS-DOS. Installing this client provided a TCP/IP stack and the Winsock driver needed to run Internet applications, but the FTP and Telnet programs were not included. You could, however, use third-party FTP and Telnet clients to access Unix and other server systems.
Unix Access
While FTP and Telnet provide basic access to a Unix system, they are not the equivalent of full client capabilities. For example, FTP provides only basic file transfer and file management capabilities. To open a document on a Unix system using FTP, you must download the file to a local drive and use your application to open it from there. NFS, on the other hand, enables the client system to access a server volume as though it were available locally. NFS downloads only the blocks that the client application needs, instead of the whole file.
Thus, while FTP and Telnet are nearly always available at no cost, clients that need regular access to Unix file systems are better off using NFS. There are NFS products that make file system communications with Unix systems possible.
Client for Network File Systems (NFS) and Subsystem for Unix-based Applications (SUA) are available with Windows computers (through Windows 7) to access Unix volumes and to publish their drives as NFS volumes for Unix clients. The product also includes a Telnet server for Windows, as well as a password synchronization daemon for Unix systems. With the services in place, the Windows computer system can map a drive letter to an NFS volume on a Unix system or reference it using either standard Universal Naming Convention (UNC) names or the Unix server:/export format. Unix systems can access Windows drives just as they would any other NFS volume.
Windows 7 Interface
To install SUA in Windows 7 Ultimate or Enterprise or Windows Server 2008 R2, follow these steps:
1. From Start, click Control Panel and choose Programs.
2. Under Programs And Features, click Turn Windows Features On Or Off.
3. If the User Account Control dialog box opens, click Continue. Otherwise, proceed to the next step.
4. In the Windows Features dialog box, select the Subsystem For UNIX-based Applications check box, as shown in Figure 22-6. Click OK.
Figure 22-6 Subsystem For UNIX-based Applications check box in the Windows Features dialog box
5. Click Setup to run the WinZip Self-Extractor utility, as shown in Figure 22-7.
Figure 22-7 WinZip Self-Extractor utility
The program appears on your Start menu, as shown in Figure 22-8. This link contains the shells and shortcuts with which you can edit Unix-based items.
Figure 22-8 Installed SUA on the Windows 7 Start menu
Windows 8 Interface
While the SUA has been deprecated in Windows 8.1 and Windows Server 2012 R2, you can still download and install it in Windows 8 or Server 2012. Go to www.microsoft.com/en-us/download/confirmation.aspx?id=35512 to download the program; then follow these steps:
1. Download the package that matches the architecture of the target computer.
2. After the executable program is on your computer, click Setup to open the WinZip Self-Extractor utility.
3. Click Setup to run the self-extractor and install the utilities and SDK for SUA.
CHAPTER 23
Network Security Basics
Security is an essential element of any network, and many of the daily maintenance tasks performed by the network administrator are security related. Simply put, all of the security mechanisms provided by the various components of a network are designed to protect a system’s hardware, software, and data from accidental damage and unauthorized access. The goal of the security administration process is to provide users with access to all of the resources they need, while insulating them from those they don’t need. This can be a fine line for the administrator to draw and a difficult one to maintain. Proper use of all the security administration tools provided by the network components is essential to maintaining a secure and productive network. There are many different security mechanisms on the average network; some are all but invisible to users and at times to administrators, while others require attention on a daily basis. This one chapter cannot hope to provide anything close to a comprehensive treatise on network security, but it does examine some of the major components you can use to protect your network and your data from unauthorized access.
Securing the File System
All of your data is stored in files on your computers, and protecting the file system is one of the most basic forms of network security. Not only does file system security prevent unauthorized access to your files, it also enables you to protect your data from being modified or deleted, either accidentally or deliberately. There are two basic forms of security that you can apply to the file system on your computers: access permissions and data encryption.
File system permissions are the most commonly used security element on network servers. All of the major server operating systems have file systems that support the use of permissions to regulate access to specific files and directories. File system permissions typically take the form of an access control list (ACL), which is a list of users (or groups of users), maintained by each file and directory, that have been granted a specific form of access to that file or directory. Each entry in the ACL contains a user or group name, plus a series of bits that define the specific permissions granted to that user or group.
It is standard practice for a file system to break down access permissions into individual tasks, such as read and write, and to assign them to users separately. This enables the network administrator to specify exactly what access each user should have. For example, you may want to grant certain users the read permission only, enabling them to read the contents of a file but not modify it. Manipulating permission assignments is an everyday task for the administrator of a properly protected network.
The following sections examine the file system permissions, as implemented by each of the major server operating system platforms.
The Windows Security Model
Security is an integral part of the Windows operating system design, and to fully understand the use of permissions in these operating systems (OSs), it helps to have some knowledge of the overall security model they use. The security subsystem in Windows is integrated throughout the OS and is implemented by a number of different components, as shown in Figure 23-1. Unlike other Windows environmental subsystems running in user mode, the security subsystem is known as an integral subsystem because it is used by the entire OS. All of the security subsystem components interact with the Security Reference Monitor, the kernel mode security arbitrator that compares requests for access to a resource to that resource’s ACL.
Figure 23-1 The Windows security architecture
The user mode security subsystem components and their functions are as follows:
• Logon Process: Accepts logon information from the user and initiates the authentication process
• Local Security Authority (LSA): Functions as the central clearinghouse for the security subsystem by initiating the logon process, calling the authentication package, generating access tokens, managing the local security policy, and logging audit messages
• Security Accounts Manager (SAM): Database containing the user and group accounts for the local system
• Security Policy Database: Contains policy information on user rights, auditing, and trust relationships
• Audit Log: Contains a record of security-related events and changes made to security policies
During a typical user logon to the local machine, these components interact as follows:
1. The logon process appears in the form of the Logon dialog box produced when the user presses CTRL-ALT-DELETE after the system boots. The user then supplies a user name and password.
2. The logon process calls the LSA that runs the authentication package.
3. The authentication package checks the user name and password against the local SAM database.
4. When the user name and password are verified, the SAM replies to the authentication package with the security IDs (SIDs) of the user and all the groups of which the user is a member.
5. The authentication package creates a logon session and returns it to the LSA with the SIDs.
6. The LSA creates a security access token containing the SIDs and the user rights associated with the SIDs, as well as the name of the user and the groups to which the user belongs, and sends it to the logon process, signaling a successful logon. The system will use the SIDs in this token to authenticate the user whenever he or she attempts to access any object on the system.
7. The logon session supplies the access token to the Win32 subsystem, which initiates the process of loading the user’s desktop configuration.
NOTE This procedure occurs when a user logs on using an account on the local machine only, not when logging on to an Active Directory domain. Active Directory logons are more complex and are examined later in this chapter.
Much of the Windows security subsystem’s work is transparent to users and administrators. The security components that are most conspicuous in day-to-day activities are the SAM database (which holds all the local Windows user, group, and computer accounts) and Active Directory. Every Windows system has a SAM database for its local accounts, a copy of which is stored on each domain controller (DC). Active Directory is a separate service that has its own security architecture, but for the purpose of assigning permissions, Active Directory objects function in the same way as accounts in the SAM database. Every object on the system that is protected by Windows security includes a security descriptor that contains an ACL. The ACL consists of access control entries (ACEs) that specify which users and groups are to be granted access to the object and what access they are to receive. When you specify the permissions for an object, such as a file, directory, share, or registry key, you are modifying the entries in that object’s ACL. Clicking the Add button on the Security page in the Properties dialog box for a specific folder, for example (see Figure 23-2), displays a list of the users and groups in the SAM database or the objects in the Active Directory. Selecting users and granting them permission to access the share adds the users to the ACL for that share.
Figure 23-2 You use an Active Directory Users And Computers dialog box like this one to create ACEs for Windows objects.
When you log on to an Active Directory, the system accesses an account database that is located on one of the network’s domain controllers for authentication. The user, group, and computer accounts for the domain are stored in the DCs and are accessed whenever you use a utility that modifies the ACLs of system objects. During a domain session, you use the same Security page shown in Figure 23-2 to select the users and groups in the domain as you would those in the local SAM. You can also select users and groups from other domains on the network, as long as those other domains are trusted by the domain in which the system is currently participating.
When a Windows computer is a member of a domain, the local SAM database still exists. The Log On To Windows dialog box lets you select a domain or the local system for the current session. Note that a domain and a local SAM database can have user and group accounts with the same name. There is, for example, an Administrator account in the domain and an Administrator account for the local system, both of which are automatically created by default. These two accounts are not interchangeable. They can have different passwords and different rights and permissions. To install a network adapter driver, you must be logged on as the administrator of the local system (or an equivalent). By default, a domain administrator account does not have the rights to modify the hardware configuration on the local system.
Windows File System Permissions
Granting a user or group permissions to access a Windows resource adds them as an ACE to the resource’s ACL. The degree of access that the user or group is granted depends on what permissions they are assigned. NTFS defines six standard permissions for files and folders—read, read and execute, modify, write, list folder contents, and full control—plus one extra for folders only. The standard permissions for NTFS files and folders are actually combinations of individual permissions.
The following are the functions of the standard permissions when applied to a folder:
Read: Enables a user/group to
• See the files and subfolders contained in the folder
• View the ownership, permissions, and attributes of the folder
Read and Execute: Enables a user/group to
• Navigate through restricted folders to reach other files and folders
• Perform all actions associated with the Read and List Folder Contents permissions
Modify: Enables a user/group to
• Delete the folder
• Perform all actions associated with the Write and Read and Execute permissions
Write: Enables a user/group to
• Create new files and subfolders inside the folder
• Modify the folder attributes
• View the ownership and permissions of the folder
List Folder Contents: Enables a user/group to
• View the names of the files and subfolders contained in the folder
Full Control: Enables a user/group to
• Modify the folder permissions
• Take ownership of the folder
• Delete subfolders and files contained in the folder
• Perform all actions associated with all of the other NTFS folder permissions
The following are the functions of the standard permissions when applied to a file:
Read: Enables a user/group to
• Read the contents of the file
• View the ownership, permissions, and attributes of the file
Read and Execute: Enables a user/group to
• Perform all actions associated with the Read permission
• Run applications
Modify: Enables a user/group to
• Modify the file
• Delete the file
• Perform all actions associated with the Write and Read and Execute permissions
Write: Enables a user/group to
• Overwrite the file
• Modify the file attributes
• View the ownership and permissions of the file
Full Control: Enables a user/group to
• Modify the file permissions
• Take ownership of the file
• Perform all actions associated with all of the other NTFS file permissions
The following are the individual permissions that make up each of the standard permissions:
Read: Enables a user/group to
• List folder/read data
• Read attributes
• Read extended attributes
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
NOTE Multithreaded programs are those that can be used by more than one user at a time without the program being loaded by each user. Each request for such use is called a thread. Synchronizing permissions allow the user (or group) to coordinate (synchronize) the use of such programs. Multiprocessing programs are those that can be run by two (or more) different processors on the same computer.
Read and Execute: Enables a user/group to
• List folder/read data
• Read attributes
• Read extended attributes
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
• Traverse folders and execute files
Modify: Enables a user/group to
• Create files and write data
• Create folders and append data
• Delete files and folders
• List folders and read data
• Read attributes
• Read extended attributes
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
• Write attributes
• Write extended attributes
Write: Enables a user/group to
• Create files and write data
• Create folders and append data
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
• Write attributes
• Write extended attributes
List Folder Contents: Enables a user/group to
• List folders and read data
• Read attributes
• Read extended attributes
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
• Traverse folders and execute files
Full Control: Enables a user/group to
• Change permissions
• Create files and write data
• Create folders and append data
• Delete files and folders
• Delete subfolders and files
• List folders and read data
• Read attributes
• Read extended attributes
• Read permissions
• Synchronize with multithreaded, multiprocessing programs
• Take ownership
• Write attributes
• Write extended attributes
The functions of the individual permissions are as follows:
• Traverse Folder/Execute File: The Traverse Folder permission allows or denies users the ability to move through folders that they do not have permission to access, so as to reach files or folders that they do have permission to access (applies to folders only). The Execute File permission allows or denies users the ability to run program files (applies to files only).
• List Folder/Read Data: The List Folder permission allows or denies users the ability to view the file and subfolder names within a folder (applies to folders only). The Read Data permission allows or denies users the ability to view the contents of a file (applies to files only).
• Read Attributes: Allows or denies users the ability to view the NTFS attributes of a file or folder.
• Read Extended Attributes: Allows or denies users the ability to view the extended attributes of a file or folder.
• Create Files/Write Data: The Create Files permission allows or denies users the ability to create files within the folder (applies to folders only). The Write Data permission allows or denies users the ability to modify the file and overwrite existing content (applies to files only).
• Create Folders/Append Data: The Create Folders permission allows or denies users the ability to create subfolders within a folder (applies to folders only). The Append Data permission allows or denies users the ability to add data to the end of the file but not to modify, delete, or overwrite existing data in the file (applies to files only).
• Write Attributes: Allows or denies users the ability to modify the NTFS attributes of a file or folder.
• Write Extended Attributes: Allows or denies users the ability to modify the extended attributes of a file or folder.
• Delete Subfolders and Files: Allows or denies users the ability to delete subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
• Delete: Allows or denies users the ability to delete the file or folder.
• Read Permissions: Allows or denies users the ability to read the permissions for the file or folder.
• Change Permissions: Allows or denies users the ability to modify the permissions for the file or folder.
• Take Ownership: Allows or denies users the ability to take ownership of the file or folder.
• Synchronize: Allows or denies different threads of multithreaded, multiprocessor programs to wait on the handle for the file or folder and synchronize with another thread that may signal it.
Permissions are stored as part of the NTFS file system, not in Active Directory or the SAM database. To modify the permissions for a file or directory, you select the Security tab in the Properties dialog box of a file or folder to display controls like those shown in Figure 23-3. Here you can add users and groups from the local SAM, from the current domain, and from other trusted domains, and specify the standard permissions that each one is to be allowed or denied.
Figure 23-3 From the Properties dialog box for NTFS file system objects in Windows, use the Security tab to assign permissions.
As with all file systems, the permissions that you assign to a folder are inherited by all of the files and subfolders contained in that folder. By judiciously assigning permissions throughout the file system, you can regulate user access to files and folders with great precision.
Click the Advanced button to open the Advanced Settings dialog box, as shown in Figure 23-4.
Figure 23-4 The Advanced Security Settings dialog box enables you to work with individual permissions.
If the standard NTFS permissions do not provide you with the exact degree of access control you need, you can work directly with the individual permissions by clicking the Advanced button and then the Share tab to display the Permission Entry For Users dialog box for the file or folder, like the one in Figure 23-5. Select a named user and click View to see what permissions have been granted. You can modify these permissions at will to customize the user’s or group’s access to the file system resource.
Figure 23-5 The Permission Entry For Users dialog box explains what permissions are granted for a selected user.
The file and directory permissions apply to everyone who accesses the object, either on the local system or through the network. It is also possible to control network access to the file system by using share permissions. To make an NTFS drive or directory available for access over the network, you have to create a share out of it, and shares have access control lists just like files and directories do. To set share permissions, you open a drive’s or folder’s Properties dialog box, select the Sharing tab, and click the Permissions button to display a dialog box like that shown in Figure 23-5. To access the files on a share, a network user must have permissions for both the share and the files and directories in the share.
The permissions you can grant to specific users and groups for shares are different from those used for files and directories.
NOTE In Windows, it’s important to understand that permissions are not the same thing as rights. Rights are rules that identify specific actions a user is allowed to perform on the local system, such as Access This Computer From The Network and Back Up Files And Directories. Many people use the term rights incorrectly when they mean permissions, as in “The user has the rights to access the directory.”
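The following is an added example (not code from the book) that models the NTFS standard permissions as combinations of the individual permissions listed above and evaluates an ACL the way the text describes: an explicit deny wins over any allow, and a network user needs both the share and the NTFS permissions. The share permission names (Read, Change, Full Control) and their mapping onto NTFS bits, and the sample ACLs, are this example's own assumptions, not a Windows API.

```python
"""Model of NTFS standard permissions as combinations of individual permissions.

Added example, not code from the book. The individual permissions and the
groupings follow the lists above; the share permission names (Read, Change,
Full Control), their mapping onto NTFS bits, and the evaluation rules (an
explicit deny overrides any allow, network access is the intersection of
share and NTFS access) are this example's simplified model of Windows
behaviour, not a Windows API.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Perm(Flag):
    """Individual NTFS permissions, one bit each."""
    TRAVERSE_EXECUTE = auto()          # Traverse Folder / Execute File
    LIST_READ_DATA = auto()            # List Folder / Read Data
    READ_ATTRS = auto()
    READ_EXT_ATTRS = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    WRITE_ATTRS = auto()
    WRITE_EXT_ATTRS = auto()
    DELETE_SUBFOLDERS_FILES = auto()
    DELETE = auto()
    READ_PERMS = auto()
    CHANGE_PERMS = auto()
    TAKE_OWNERSHIP = auto()
    SYNCHRONIZE = auto()


# Standard permissions built from the component lists above.
READ = (Perm.LIST_READ_DATA | Perm.READ_ATTRS | Perm.READ_EXT_ATTRS
        | Perm.READ_PERMS | Perm.SYNCHRONIZE)
READ_EXECUTE = READ | Perm.TRAVERSE_EXECUTE
LIST_FOLDER_CONTENTS = READ_EXECUTE   # same bits as Read and Execute, folders only
WRITE = (Perm.CREATE_FILES_WRITE_DATA | Perm.CREATE_FOLDERS_APPEND_DATA
         | Perm.READ_PERMS | Perm.SYNCHRONIZE | Perm.WRITE_ATTRS
         | Perm.WRITE_EXT_ATTRS)
MODIFY = WRITE | READ_EXECUTE | Perm.DELETE
FULL_CONTROL = (MODIFY | Perm.DELETE_SUBFOLDERS_FILES | Perm.CHANGE_PERMS
                | Perm.TAKE_OWNERSHIP)

STANDARD = {  # checked in this order; Read and Execute wins the tie with List Folder Contents
    "Full Control": FULL_CONTROL,
    "Modify": MODIFY,
    "Read and Execute": READ_EXECUTE,
    "Write": WRITE,
    "Read": READ,
}

# Share permissions: assumed mapping onto NTFS bits for this model.
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}


@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name; stands in for the SID of a real ACE
    allow: bool      # False = explicit deny entry
    mask: Perm


def standard_name(mask):
    """Name the standard permission a mask equals, or 'Special' (what the GUI shows)."""
    for name, bits in STANDARD.items():
        if mask == bits:
            return name
    return "Special"


def describe(mask):
    """Individual permission names present in a mask."""
    return [p.name for p in Perm if p in mask]


def effective_mask(acl, token_sids):
    """Allowed bits for a token holding `token_sids`; any matching deny ACE wins."""
    allowed, denied = Perm(0), Perm(0)
    for ace in acl:
        if ace.principal not in token_sids:
            continue
        if ace.allow:
            allowed |= ace.mask
        else:
            denied |= ace.mask
    return allowed & ~denied


def effective_access(ntfs_acl, share_acl, token_sids, via_network):
    """Local access is the NTFS result alone; over the network both ACLs must allow."""
    ntfs = effective_mask(ntfs_acl, token_sids)
    if not via_network:
        return ntfs
    return ntfs & effective_mask(share_acl, token_sids)


# Constructed sample: a folder that the sales group may modify locally but
# reaches read-only over the network, with one user denied Delete.
NTFS_ACL = [
    Ace("Everyone", True, READ),
    Ace("sales", True, MODIFY),
    Ace("csmith", False, Perm.DELETE),   # deny one individual permission to one user
]
SHARE_ACL = [Ace("sales", True, SHARE["Read"])]
CSMITH_TOKEN = {"csmith", "sales", "Everyone"}   # user SID plus group SIDs, as in the access token
```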
Unix File System Permissions
Unix also uses permissions to control access to its file system, but the system is substantially different from those of Windows. In Unix, there are only three permissions: read, write, and execute.
The following are the access types provided by each permission when applied to a directory:
• Read: Enables a user to list the contents of the directory
• Write: Enables a user to create or remove files and subdirectories in the directory
• Execute: Enables a user to change to the directory using the cd command
The following are the access types provided by each permission when applied to a file:
• Read: Enables the user to view the contents of the file
• Write: Enables the user to alter the contents of the file
• Execute: Enables a user to run the file as a program
Each of these three permissions can be applied to three separate entities: the file’s owner, the group to which the file belongs, and all other users. When you list the contents of a directory using the ls -l command, you see a display for each file and directory like the following:
-rwxr-xr-- 1 csmith sales 776 Sep 15 09:34 readme
The first character in the display identifies the file system element, using the following values:
• - : File
• d : Directory
• b : Special block file
• c : Special character file
• l : Symbolic link
• p : Named pipe special file
The next three characters (rwx) indicate the permissions granted to the owner of the file (csmith). In this case, the owner has all three permissions. The next three characters indicate the permissions granted to the file’s group, and the following three indicate the permissions granted to all other users. In this example, the r-x value indicates that the file’s group (sales) has been granted the read and execute permissions only, and the r-- value indicates that the other users have been granted only the read permission. To change the permissions, you use the chmod command.
This access control mechanism is common to all Unix variants, but it doesn’t provide anywhere near the granularity of the NTFS and NetWare file systems. The system recognizes only three basic classes of users (users, groups, and others), making it impossible to grant permissions to several users in different groups while blocking access by everyone else. To address this shortcoming, some Unix operating systems include more advanced access control mechanisms.
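As an added example (not code from the book), the following parses ls -l lines like the one above, converts the rwx triads to the octal digits chmod uses, and answers whether a given user may perform an operation. It goes slightly beyond the text in two ways: it shows that exactly one class (owner, then group, then other) applies to a user, so an owner with fewer bits than the group is still bound by the owner triad, and it recognises the optional marker after the mode ('+' for an extended ACL on GNU ls, '@' for extended attributes on macOS, '.' for an SELinux context), which is the usual sign that one of the more advanced access control mechanisms mentioned above is in play. The sample listing is constructed.

```python
"""Parse `ls -l` lines and evaluate the owner/group/other model described above.

Added example, not code from the book. The sample lines are constructed.
"""
import re
from dataclasses import dataclass

TYPE_CHARS = {
    "-": "file", "d": "directory", "b": "special block file",
    "c": "special character file", "l": "symbolic link",
    "p": "named pipe special file",
}

# type, nine mode characters, optional ACL/xattr/SELinux marker, link count,
# owner, group, size, modification date (three tokens), name
LS_LINE = re.compile(
    r"^([-dbclp])([rwx-]{9})([.+@]?)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\S+\s+\d+\s+\S+)\s+(.+)$"
)
CLASS_OFFSET = {"owner": 0, "group": 3, "other": 6}
OP_CHAR = {"read": "r", "write": "w", "execute": "x"}


@dataclass(frozen=True)
class Entry:
    kind: str
    mode: str            # the nine rwx characters
    has_extra_acl: bool  # '+' after the mode: an ACL beyond the three classes
    links: int
    owner: str
    group: str
    size: int
    mtime: str
    name: str


def parse_ls_line(line):
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return Entry(TYPE_CHARS[m[1]], m[2], m[3] == "+", int(m[4]),
                 m[5], m[6], int(m[7]), m[8], m[9])


def triad_bits(triad):
    """'r-x' -> 5: the octal digit chmod uses for one class."""
    return ((4 if triad[0] == "r" else 0)
            | (2 if triad[1] == "w" else 0)
            | (1 if triad[2] == "x" else 0))


def octal_mode(entry):
    """'rwxr-xr--' -> '754', so `chmod 754 <name>` reproduces these bits."""
    return "".join(str(triad_bits(entry.mode[i:i + 3])) for i in (0, 3, 6))


def applicable_class(entry, user, groups):
    """Exactly one class applies, tested in this order; the bits are not a union."""
    if user == entry.owner:
        return "owner"
    if entry.group in groups:
        return "group"
    return "other"


def permitted(entry, user, groups, op):
    """True if `user` (member of `groups`) may `op` on `entry` under the rwx model."""
    off = CLASS_OFFSET[applicable_class(entry, user, groups)]
    return OP_CHAR[op] in entry.mode[off:off + 3]


# Constructed sample listing: the book's readme line plus three more cases.
SAMPLE_LS = """\
-rwxr-xr-- 1 csmith sales 776 Sep 15 09:34 readme
drwxr-x--- 2 csmith sales 4096 Sep 15 09:34 reports
----rwxrwx 1 csmith sales 12 Sep 15 09:35 notes
-rw-rw-r--+ 1 csmith sales 40 Sep 15 09:36 shared.txt
"""
ENTRIES = {e.name: e for e in map(parse_ls_line, SAMPLE_LS.splitlines())}
```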
Verifying Identities
User authentication is another one of the important security mechanisms on a data network. Assigning file system permissions to specific users is pointless unless the system can verify the user’s identity and prevent unauthorized people from assuming that identity. Authentication is an exchange of information that occurs before a user is permitted to access secured network resources. In most cases, the authentication process consists of the user supplying an account name and an accompanying password to the system hosting the resources the user wants to access. The system receiving the name and password checks them against an account directory and, if the password supplied is the correct one for that account, grants the user access to the requested resource.
Applications and services use different types of authentication mechanisms, ranging from the simple to the extremely complex. The following sections examine some of these mechanisms.
FTP User Authentication
The File Transfer Protocol (FTP) is a basic Transmission Control Protocol/Internet Protocol (TCP/IP) service that enables users to upload files to and download them from another computer on the network, as well as to perform basic file management tasks. However, before an FTP client can do any of this, it must authenticate itself to the FTP server. FTP is an example of the simplest possible type of authentication mechanism and one of the most insecure. After the FTP client establishes a standard TCP connection with the server, it employs the USER and PASS commands to transmit an account name and password. The server checks the credentials of the user and either grants or denies access to the service.
NOTE In many cases, the authentication sequence remains invisible to the user operating the FTP client. This is because, on the Internet, access to many FTP servers is unrestricted. The server accepts any account name and password, and the tradition is to use anonymous as the account name and the user’s e-mail address as the password. Many FTP client programs automatically supply this information when connecting to a server to save the user from having to supply it manually.
The FTP authentication process is inherently insecure because it transmits the user’s account name and password over the network in clear text. Anyone running a protocol analyzer or other program that is capable of capturing the packets transmitted over the network and displaying their contents can view the name and password and use them to gain access to the FTP server. If the user should happen to be a network administrator who is thoughtless enough to use an account that also provides high-level access to other network resources, the security compromise could be severe.
Clearly, while FTP may be suitable for basic file transfer tasks, you should not count on its access control mechanism to secure sensitive data because it is too easy for the account passwords to be intercepted.
Kerberos
AttheotherendofthespectrumofauthenticationmechanismsisasecurityprotocolcalledKerberos,developedbyMITandoriginallydefinedintheRFC1510documentpublishedbytheInternetEngineeringTaskForce(IETF).(Today’sversionisVersion5.)WindowsActiveDirectorynetworksuseKerberostoauthenticateusersloggingontothenetwork.BecauseKerberosreliesonthepublickeyinfrastructurewhenexchangingdatawiththeclientsandserversinvolvedintheauthenticationprocess,allpasswordsandothersensitiveinformationaretransmittedinencryptedforminsteadofcleartext.Thisensuresthatevenifanunauthorizedindividualweretocapturethepacketsexchangedduringtheauthenticationprocedure,nosecuritycompromisewouldresult.
OneofthefundamentalprinciplesofActiveDirectoryisthatitprovidesuserswithasinglenetworklogoncapability,meaningthatoneauthenticationprocedurecangrantauseraccesstoresourcesalloverthenetwork.Kerberosisaperfectsolutionforthistypeofarrangementbecauseitisdesignedtofunctionasanauthenticationservicethatisseparatefromtheservershostingtheresourcesthattheclientneedstoaccess.Forexample,duringanFTPauthentication,onlytwopartiesareinvolved,theclientandtheserver.Theserverhasaccesstothedirectorycontainingtheaccountnamesandpasswordinformationforauthorizedusers,checksthecredentialssuppliedbyeachconnectingclient,andeithergrantsordeniesaccesstotheserveronthatbasis.IftheclientwantstoconnecttoadifferentFTPserver,itmustperformtheentireauthenticationprocessalloveragain.
By contrast, during an Active Directory logon, the client authenticates to the Kerberos Key Distribution Center (KDC) service running on a domain controller; the component of the KDC that handles this initial logon is called the authentication server (AS). Once the AS has verified the client's credentials and completed the authentication, the client can access resources on servers all over the network without presenting the user's password again. Because both the client and the servers trust the KDC to vouch for identities, Kerberos is called a trusted third-party authentication protocol.

Public Key Infrastructure
Windows uses a public key infrastructure (PKI) that strengthens its protection against hacking and other forms of unauthorized access. In traditional cryptography, also called secret key cryptography, a single key is used to encrypt and decrypt data. For two entities to communicate, they must both possess the key, which implies the need for some previous communication during which the key is exchanged. If the key is intercepted or compromised, the entire encryption system is compromised.

The fundamental principle of the public key cryptography on which a PKI is built is that the keys used to encrypt and decrypt data are different. Each system has a public key used to encrypt data and a private key used to decrypt it. By supplying your public key to other systems, you enable them to encrypt data before sending it to you so that you can decrypt it using your private key. However, the public key cannot decrypt the data once it has been encrypted. Thus, while intruders may intercept public keys as they are transmitted across the network, they can't access any encrypted data unless they have the private keys as well, and private keys are never transmitted over the network. (Because public key operations are slow, they are normally used to protect a symmetric session key, and that key encrypts the bulk of the data.)

The use of a PKI makes it possible to transmit authentication data across a Windows network with greater security than clear-text authentication mechanisms like that of FTP or even other secret key cryptography mechanisms. A PKI also provides the capability to use digital signatures to positively identify the sender of a message. A digital signature is a value computed over a hash of the data using a particular user's private key. Other users receiving the transmission can verify the signature with the user's public key. Changing even one bit of the data invalidates the signature. When the transmission arrives intact, the valid signature proves not only that the transmission has not been changed in any way but also that it originated with whoever holds the sending user's private key, which is why the protection of that key determines how much the signature is worth. Today, in many jurisdictions, a digitally signed transmission can carry as much legal weight as a signed paper document.

Kerberos authentication is based on the exchange of tickets and session keys, each encrypted with a key derived from a secret that only its intended recipient (a user, a server, or the KDC itself) holds; a ticket never contains the user's password. When a user on a Windows client system logs on to an Active Directory domain, the client transmits a logon request containing the user's account name to an AS, which is an Active Directory domain controller. The KDC service on the domain controller then issues a ticket-granting ticket (TGT) to the client that includes the user's SID, the network address of the client system, a timestamp and lifetime that limit how long the ticket can be used, and a session key that protects the later exchanges. The TGT itself is encrypted with a key known only to the KDC. The AS encrypts the rest of the response, including the client's copy of the session key, using a key derived from the password associated with the user's account (which the AS already has in its directory). When the client receives the response from the AS, it prompts the user for the password, derives the same key, and decrypts the message. Thus, the user's identity is authenticated without the password being transmitted over the network. The response is still encrypted under a key derived from the password, though, so an attacker who captures it can try to guess the password offline at leisure; this is why Windows requires Kerberos pre-authentication by default, in which the client must first send the AS a timestamp encrypted with the user's key before the AS will issue a TGT.

The TGT is retained by the client system, to be used as a license for future authentication events. It is essentially a pass affirming that the user has been authenticated and may request access to network resources. Once a client has a TGT, it can use it to identify the user, eliminating the need to repeatedly supply a password when accessing various network resources.

When the user wants to access a resource on a network server, the client sends a request to the ticket-granting service (TGS) on the domain controller that identifies the user and the resource server and includes a copy of the TGT. The TGS, which shares with the AS the key under which the TGT was encrypted (the key of the krbtgt account), decrypts the TGT to confirm that the user has already been authenticated. The TGS then returns a service ticket to the client that is valid for that particular server only. The client sends an access request to the resource server that contains the service ticket and an authenticator, a timestamp encrypted with the session key carried in the ticket. The resource server decrypts the service ticket with its own key and, as long as the identity in the authenticator matches the identity in the ticket, accepts the user's identity and grants access according to the resource's permissions; whether the user may use the resource is decided by the server, not by the TGS. A client system can retain multiple service tickets to provide future access to various network resources. This system protects both the server and the user because it provides mutual authentication; the client is authenticated to the server and, when the client asks for it, the server to the client.
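The three exchanges above, AS, TGS and AP, as a runnable model. This is an added example, not the book's code: real Kerberos uses AES (RFC 3962) and ASN.1 messages, while here the cipher is a stand-in built from HMAC-SHA256 so the model runs on the standard library. The realm, principal names, keys and SID are constructed. What the model preserves is the key structure: the password never crosses the wire, the TGT is opaque to the client because only the KDC holds the krbtgt key, and the resource server validates a ticket with only its own key.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (added example, not the book's code)."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.LOCAL"   # constructed

def string_to_key(password: str, salt: str) -> bytes:
    # Long-term key derived from the password; the password itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key: bytes, obj) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# The KDC's directory: one long-term key per principal (constructed sample data).
KDC_KEYS = {
    "alice": string_to_key("correct horse battery", REALM + "alice"),
    "krbtgt": os.urandom(32),     # shared by the AS and TGS halves of the KDC; encrypts TGTs
    "cifs/fs1": os.urandom(32),   # the file server's key; a copy lives on the server itself
}

def kdc_as_rep(user):
    """AS-REP: TGT under the krbtgt key, session key for the client under the user's key."""
    sk = os.urandom(32).hex()
    tgt = seal(KDC_KEYS["krbtgt"], {"user": user, "sid": "S-1-5-21-1-2-3-1104",
                                    "addr": "10.0.0.5", "issued": time.time(), "sk": sk})
    return seal(KDC_KEYS[user], {"sk": sk}), tgt

def client_logon(user, password):
    enc_part, tgt = kdc_as_rep(user)
    # A wrong password derives a wrong key and unseal() raises: the logon fails on the client.
    sk = unseal(string_to_key(password, REALM + user), enc_part)["sk"]
    return bytes.fromhex(sk), tgt

def kdc_tgs_rep(tgt, authenticator, service):
    """TGS-REP: open the TGT with the krbtgt key, check the authenticator, issue a service ticket."""
    body = unseal(KDC_KEYS["krbtgt"], tgt)
    sk = bytes.fromhex(body["sk"])
    auth = unseal(sk, authenticator)                  # proves the client holds the session key
    if auth["user"] != body["user"] or abs(time.time() - auth["ts"]) > 300:
        raise ValueError("authenticator rejected")
    svc_sk = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], {"user": body["user"], "sid": body["sid"], "sk": svc_sk})
    return seal(sk, {"service": service, "sk": svc_sk}), ticket

def client_get_service_ticket(user, sk, tgt, service):
    enc_part, ticket = kdc_tgs_rep(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    return bytes.fromhex(unseal(sk, enc_part)["sk"]), ticket

def server_ap(service, ticket, authenticator):
    """AP-REQ at the resource server: needs only its own key, no round trip to the KDC."""
    body = unseal(KDC_KEYS[service], ticket)
    svc_sk = bytes.fromhex(body["sk"])
    auth = unseal(svc_sk, authenticator)
    if auth["user"] != body["user"]:
        raise ValueError("principal mismatch")
    # AP-REP (mutual authentication): only a holder of the service key could echo the timestamp.
    return body["user"], seal(svc_sk, {"ts": auth["ts"]})

def full_logon_and_access(user, password, service="cifs/fs1"):
    sk, tgt = client_logon(user, password)
    svc_sk, ticket = client_get_service_ticket(user, sk, tgt, service)
    ts = time.time()
    who, ap_rep = server_ap(service, ticket, seal(svc_sk, {"user": user, "ts": ts}))
    if unseal(svc_sk, ap_rep)["ts"] != ts:
        raise ValueError("server failed mutual authentication")
    return who

def logon_succeeds(user, password) -> bool:
    try:
        client_logon(user, password)
        return True
    except ValueError:
        return False

def tgs_accepts(tgt, sk, user, service) -> bool:
    try:
        client_get_service_ticket(user, sk, tgt, service)
        return True
    except ValueError:
        return False
```

Run `full_logon_and_access("alice", "correct horse battery")` and it returns the authenticated principal; a wrong password fails inside `client_logon` without any message leaving the client, and a TGT with even one flipped byte is rejected by the TGS because the krbtgt-keyed tag no longer verifies.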
Digital Certificates
For the PKI to operate, computers must exchange the public keys that enable their correspondents to encrypt data before transmitting it to them over the network. However, the distribution of the public keys presents a problem. For the transmission to be truly secure, there must be some way to verify that the public keys being distributed actually came from the party they purport to identify. For example, if your employer sends you an e-mail encrypted with your public key, you can decrypt the message using your private key, sure in the knowledge that no one could have intercepted the message and read its contents. But how do you know the message did indeed come from your boss when it's possible for someone else to have obtained your public key? Also, what would stop someone from pretending to be you and distributing a public key that others can use to send encrypted information intended for you?

One answer to these questions is the use of digital certificates. A certificate is a digitally signed statement, issued by a third party called a certificate authority (CA), that binds a user, computer, or service holding a private key with its corresponding public key. Because both correspondents trust the CA, they can be assured that the certificates it issues contain valid information. A certificate typically contains the following:

• Subject identifier information Name, e-mail address, or other data identifying the user or computer to which the certificate is being issued
• Subject public key value The public key associated with the user or computer to which the certificate is being issued
• Validity period Specifies how long the certificate will remain valid
• Issuer identifier information Identifies the CA issuing the certificate
• Issuer digital signature Ensures the validity of the certificate by positively identifying its source

On the Internet, certificates are used both to authenticate servers (a web server proves its identity to your browser with one whenever you connect over HTTPS) and for software distribution. For example, when your web browser downloads a plug-in created by KoolStuff Corporation that is required to display a particular type of web page, a certificate supplied with the download, together with a signature over the package, verifies that the software you are downloading did actually come from KoolStuff Corporation. This prevents anyone else from modifying or replacing the software and distributing it as KoolStuff's own.

The certificates used on the Internet are typically defined by the ITU-T X.509 standard and issued by a separate company that functions as the CA. One of the most well-known public CAs is VeriSign. It's also possible to create your own certificates for internal use in your organization. You can use certificates to authenticate users to web servers, send secure e-mail, and (optionally) authenticate users to domains. For the most part, the use of certificates is transparent to users, but administrators can manage them manually using the Certificates snap-in for the Microsoft Management Console.

Today, there are a number of certificate authentication services available. No matter which service is used, keep the software that implements the protocols up to date. The Heartbleed vulnerability of 2014, for example, was a bug in the OpenSSL library that let a remote attacker read a server's memory, which could include its private key; the remedy was not only to install the fix but also to generate new keys and reissue the affected certificates, because a certificate whose private key has leaked is worthless.

Token-Based and Biometric Authentication
All of the authentication mechanisms described thus far depend on a password as the secret that proves a user's identity. Passwords are a reasonably secure method of protecting data that is somewhat sensitive, but not extremely so. When data must remain truly secret, passwords are insufficient for several reasons. Most network users have a tendency to be sloppy about the passwords they select and how they protect them. Many people choose passwords that are easy for them to remember and type, unaware that they can easily be guessed. Names of spouses, children, or pets, as well as birthdays and other such common-knowledge information, do not provide much security. In addition, some users compromise their own passwords by writing them down in obvious places or giving them to other users for the sake of convenience. A carefully planned regimen of password length and composition requirements, rotations, and maintenance policies can help make your passwords more secure. There are also mechanisms you can use in addition to passwords that can greatly enhance the security of your network.

To address the inherent weakness of password-based authentication and provide greater security, it's possible for each user to employ a separate hardware device as part of the authentication process. Token-based authentication is a technique in which the user supplies a unique token for each logon, as well as a password. The token is a one-time value that is generated by an easily portable device, such as a smart card. A smart card is a credit card–sized device with a microprocessor in it that supplies a token each time the user inserts it in a card reader connected to a computer. The idea behind the use of a token is that a password, even in encrypted form, can be captured by a protocol analyzer and "replayed" over the network to gain access to protected resources. Because a user's token changes for each logon, it can't be reused, so capturing it is pointless. Token-based authentication also requires the user to supply a personal identification number (PIN) or a password to complete the logon so that if the smart card is lost or stolen, it can't be used by itself to gain access to the network. Because this type of authentication is based on something you have (the token) and something you know (the PIN or password), the technique is also called two-factor authentication.
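The one-time token idea, as an added example that is not the book's code: instead of a smart card it uses an RFC 4226 HOTP value (an HMAC-SHA1 over an event counter, truncated to six digits), which is what many hardware tokens and authenticator apps generate. `TokenServer` is a constructed stand-in for the authentication server's per-user record; the secret below is the RFC 4226 test-vector secret and the PIN is made up. The point it demonstrates is the replay argument from the paragraph above: a captured value is accepted once and never again, and the right token with the wrong PIN fails.

```python
"""One-time token plus PIN (added example, not the book's code)."""
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class TokenServer:
    """Server-side record for one user: token secret, PIN hash, next expected counter."""
    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret, self.window = secret, window
        self.counter = 0                               # next counter value we expect
        # Toy storage for the PIN; a real server would use a slow password hash.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()

    def verify(self, pin: str, code: str) -> bool:
        # Something you know: the PIN. A stolen token alone fails here.
        if not hmac.compare_digest(self.pin_hash, hashlib.sha256(pin.encode()).digest()):
            return False
        # Something you have: the token's next value. A small look-ahead window covers
        # values the user generated but never submitted.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1                   # every counter at or below c is now dead
                return True
        return False                                   # wrong, stale, or replayed token
```

The first values for the RFC 4226 secret `12345678901234567890` are 755224, 287082, 359152; after 755224 has been used once, submitting it again is refused because the server's counter has moved past it.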
Smart cards can also contain other information about their users, including their private keys. The security of the Windows PKI relies on the private encryption keys remaining private. Typically, the private key is stored on the workstation, which makes it susceptible to both physical and digital intrusion. Storing the private key on the card instead of on the computer, where the card's own processor can use the key but never export it, protects it against theft or compromise and also enables the user to utilize the key on any computer.

Another tool that can be used to authenticate users is a biometric scanner. A biometric scanner is a device that reads a person's fingerprints, retinal patterns, or some other unique characteristic and then compares the information it gathers against a database of known values. While it may seem that we are venturing into James Bond territory, these devices do exist, and they provide good security since the user's "credentials" cannot easily be misplaced or lent to someone else. Their downsides are cost, which has traditionally limited them to installations requiring extraordinary security, the need to tune false acceptance and false rejection rates, and the fact that a biometric that is copied cannot be revoked and reissued the way a password can.

Securing Network Communications
Authentication is a means for verifying users' identities to ensure that they are authorized to access specific resources. Many authentication systems use encryption to prevent passwords from being intercepted and compromised by third parties. However, authentication protocols such as Kerberos use encryption only during the authentication process. Once the user has been granted access to a resource, the participation of the authentication protocol and the encryption it provides ends, unless the application makes its own use of the session key that was established (SMB signing and encryption do this). Thus, you may have data that is secured by permissions (or even by file system encryption) while it is stored on the server, but once an authorized client accesses that data, the server usually transmits it over the network in an unprotected form. Just as with the FTP passwords discussed earlier, an intruder could conceivably capture the packets while they travel over the network and view the data carried inside.

In many cases, the danger presented by unprotected network transmissions is minor. For instances when extra protection is warranted, it is possible to encrypt data as it travels over the network. The following sections examine the IP Security (IPsec) protocol and the Secure Sockets Layer (SSL) protocol, now standardized as Transport Layer Security (TLS), both of which are capable of encrypting data before it is transmitted over the network and decrypting it on receipt at the destination.

IPsec
Virtually all TCP/IP communication uses the Internet Protocol at the network layer to carry the data generated by the protocols operating at the upper layers. IPsec is a series of standards that define a method for securing IP communications using a variety of techniques, including authentication and encryption. Windows supports the use of IPsec, as do Linux and many Unix variants. Unlike many other TCP/IP protocols, IPsec is defined by many different documents, all published as requests for comments (RFCs) by the IETF. You can find the current standards at ietf.org.

Although IPsec is usually thought of primarily as an encryption protocol, it provides several data protection services, including the following:

• Encryption The IPsec standards allow for the use of various forms of encryption. For example, Windows can use the Data Encryption Standard (DES) algorithm, the Triple Data Encryption Standard (3DES) algorithm, or the Advanced Encryption Standard (AES). DES uses a 56-bit key to encrypt each 64-bit block, while 3DES encrypts each block three times with different keys, for a nominal 168-bit key (its effective strength is closer to 112 bits because of the meet-in-the-middle attack). DES is considered broken and 3DES is deprecated; use AES where you can. All of these are symmetrical encryption algorithms, meaning that they use the same key to encrypt and decrypt the data.
• Authentication Before two systems exchange protected datagrams, the Internet Key Exchange (IKE) protocol negotiates the parameters and keys they will use and authenticates the two peers to each other. IKE supports a variety of authentication methods, including Kerberos (on Windows), digital certificates, and preshared keys. This enables different IPsec implementations to work together, despite using different methods of authentication.
• Nonrepudiation The per-packet integrity check described below uses a key shared by both ends, so either side could have produced it, and by itself it does not prove who sent a datagram. Nonrepudiation comes from public key technology: when IKE authenticates the peers with digital certificates, the sending computer signs the key exchange with its private key, and the receiver verifies the signature with the sender's public key. Since no one but the sender has access to the private key, a signature that verifies with the public key must have been made by the holder of the private key, who therefore cannot deny having set up the connection.
• Replay prevention It is sometimes possible for an unauthorized user to capture an encrypted message and use it to gain access to protected resources without actually decrypting it, by simply replaying the message in its encrypted form. IPsec defeats this with the sequence number carried in every AH and ESP header: the receiver keeps a sliding window of the numbers it has seen and discards duplicates and packets that have fallen behind the window. Separately, block cipher modes such as cipher block chaining (CBC) add a unique initialization vector to each datagram's encryption, with the result that each encrypted datagram is different, even when they contain exactly the same data, so an observer cannot tell that two messages are identical.
• Data integrity IPsec can add a cryptographic checksum to each datagram that is based on a key possessed only by the sending and receiving systems. This keyed checksum, called a hash message authentication code (HMAC), is essentially a summary of the packet's contents created using a secret, shared key, which the receiving system can compute using the same algorithm and compare to the value supplied by the sender. If the two values match, the receiver can be certain that the contents of the packet have not been modified.

Encrypting network transmissions at the network layer provides several advantages over doing it at any other layer. First, network-layer encryption protects the data generated by all of the protocols operating at the upper layers of the protocol stack. Some other security protocols, such as SSL, operate above the transport layer and therefore can protect only the traffic of applications written to use them. IPsec protects the data generated by any application or protocol that uses IP, which is virtually all of them.

Second, network layer encryption provides data security over the entire journey of the packet, from source to destination. The computer that originates the packet encrypts it, and it remains encrypted until it reaches its final destination. This not only provides excellent security but also means that the intermediate systems involved in the transmission of the packet do not have to support IPsec. A router, for example, receives packets, strips off the data link layer protocol headers, and repackages the datagrams for transmission over another network. Throughout this process, the datagram remains intact and unmodified, so there is no need to decrypt it. One caveat: a device that rewrites addresses, such as a NAT router, modifies fields that AH authenticates, so AH cannot pass through NAT; ESP can, and is carried inside UDP (NAT traversal) for that purpose.

IPsec is composed of two separate protocols: the IP Authentication Header (AH) protocol and the IP Encapsulating Security Payload (ESP) protocol. Together, these two protocols provide the data protection services just listed. IPsec can use the two protocols together, to provide the maximum amount of security possible, or just one of the two.

IP Authentication Header
The IP Authentication Header protocol provides the authentication, replay prevention, and data integrity services listed earlier; in other words, all of the services IPsec provides except data encryption. This means that when AH is used alone, it is possible for unauthorized users to read the contents of the protected datagrams, but they cannot modify the data or reuse it without detection.

AH adds an extra header to each packet, immediately following the IP header and preceding the transport layer or other header encapsulated within the IP datagram. The fields of the AH header are illustrated in Figure 23-6. The functions of the fields are as follows:

Figure 23-6 The Authentication Header protocol header

• Next Header (1 byte) Identifies the protocol that generated the header immediately following the AH header, using the values from the IANA protocol numbers registry (originally the "Assigned Numbers" RFC).
• Payload Length (1 byte) Specifies the length of the AH header in 32-bit words, minus 2. An AH header carrying a 96-bit ICV is 24 bytes, or 6 words, so this field contains 4.
• Reserved (2 bytes) Reserved for future use.
• Security Parameters Index (4 bytes) Contains a value that, in combination with the IP address of the destination system and the security protocol being used (AH or ESP), identifies the security association for the datagram. A security association is a combination of parameters (such as the encryption key and security protocols to be used) that the sending and receiving systems agree upon before they begin to exchange data. The systems use the SPI value to uniquely identify this security association among others that may exist between the same two computers.
• Sequence Number (4 bytes) Implements the IPsec replay prevention service by containing a unique, incrementing value for each packet transmitted by a security association. The receiving system expects every datagram it receives in the course of a particular security association to have a different value in this field. Packets with duplicate values, or with values that have fallen behind the receiver's window, are discarded.
• Authentication Data (variable) Contains an integrity check value (ICV) that the sending computer calculates over the IP header (with the mutable fields, such as the TTL, DSCP, flags, fragment offset, and header checksum, treated as zero because routers change them in transit), the entire AH header, including the Authentication Data field (which is set to zero for this purpose), and the encapsulated protocol header (or headers) and data that follow the AH header. The receiving system performs the same ICV calculation and compares the results to this value to verify the packet's integrity.

The IP standard dictates that the Protocol field in the IP header must identify the protocol that generated the first header found in the datagram's payload. Normally, the first header in the payload is a TCP or UDP header, so the Protocol value is 6 or 17, respectively. ICMP data can also be carried in IP datagrams, with a Protocol value of 1. When IPsec adds an AH header, it becomes the first header found in the datagram's payload, so the value of the Protocol field is changed to 51. To maintain the integrity of the protocol stack, the Next Header field in the AH header identifies the protocol that follows AH in the datagram. In the case of datagrams that use AH alone, the Next Header field contains the value for the TCP, UDP, or ICMP protocol formerly found in the IP header's Protocol field. If IPsec is using both AH and ESP, the AH Next Header field contains a value of 50, which identifies the ESP protocol, and ESP's own Next Header field identifies the TCP, UDP, or ICMP protocol data encapsulated within.
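The AH layout and ICV rules above, as an added example that is not the book's code: it builds an IPv4 packet carrying AH (protocol 51) over a UDP payload, computes the HMAC-SHA1-96 ICV with the mutable IP fields zeroed as RFC 4302 requires, verifies received packets, and keeps the sliding anti-replay window keyed by the Sequence Number. The key, addresses and payload are constructed sample data; the checksum and header builder are only what is needed to make a well-formed packet.

```python
"""IPsec AH: build, parse, verify, and anti-replay (added example, not the book's code)."""
import hashlib, hmac, socket, struct

AH_PROTO = 51
ICV_LEN = 12   # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def icv_sha1_96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_icv_input(packet):
    """What the ICV covers (RFC 4302 3.3.3.1): the IP header with mutable fields zeroed,
    the AH with its ICV zeroed, and everything after it."""
    ihl = (packet[0] & 0x0F) * 4
    ip = bytearray(packet[:ihl])
    ip[1] = 0                  # DSCP/ECN
    ip[6:8] = b"\x00\x00"      # flags and fragment offset
    ip[8] = 0                  # TTL: routers decrement it, so it cannot be authenticated
    ip[10:12] = b"\x00\x00"    # header checksum changes whenever the TTL does
    ah_len = (packet[ihl + 1] + 2) * 4          # Payload Length is in 32-bit words, minus 2
    ah = bytearray(packet[ihl:ihl + ah_len])
    ah[12:] = bytes(ah_len - 12)
    return bytes(ip) + bytes(ah) + packet[ihl + ah_len:]

def build_ah_packet(key, spi, seq, src, dst, next_header, payload, ttl=64):
    ah_len = 12 + ICV_LEN                        # 24 bytes = 6 words, so Payload Length = 4
    ah = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = build_ipv4(src, dst, AH_PROTO, ah_len + len(payload), ttl) + ah + payload
    icv = icv_sha1_96(key, ah_icv_input(pkt))
    return pkt[:20 + 12] + icv + pkt[20 + ah_len:]

def parse_ah(packet):
    ihl = (packet[0] & 0x0F) * 4
    nh, pl, _, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
    ah_len = (pl + 2) * 4
    return {"next_header": nh, "ah_len": ah_len, "spi": spi, "seq": seq,
            "icv": packet[ihl + 12:ihl + ah_len], "payload": packet[ihl + ah_len:]}

def verify_ah(key, packet) -> bool:
    return hmac.compare_digest(parse_ah(packet)["icv"], icv_sha1_96(key, ah_icv_input(packet)))

class ReplayWindow:
    """Sliding anti-replay window over the Sequence Number (RFC 4302 3.4.3)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq) -> bool:
        if seq == 0:
            return False                          # 0 is never a valid sequence number
        if seq > self.top:                        # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                          # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                          # already seen: replay
        self.bitmap |= bit
        return True
```

A packet whose TTL a router has decremented still verifies, while a change to the payload or to the destination address does not, which is exactly the split between mutable and immutable fields. The window accepts late packets that are still inside it and rejects both duplicates and anything that has fallen more than `size` behind the highest number seen.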
IP Encapsulating Security Payload
Unlike AH, the ESP protocol completely encapsulates the payload contained in each datagram, using both header and trailer fields, as shown in Figure 23-7. The functions of the ESP fields are as follows:

Figure 23-7 The Encapsulating Security Payload protocol frame

• Security Parameters Index (4 bytes) Contains a value that, in combination with the IP address of the destination system and the security protocol being used (AH or ESP), identifies the security association for the datagram. A security association is a combination of parameters (such as the encryption key and security protocols to be used) that the sending and receiving systems agree upon before they begin to exchange data. The systems use the SPI value to uniquely identify this security association among others that may exist between the same two computers.
• Sequence Number (4 bytes) Implements the IPsec replay prevention service by containing a unique, incrementing value for each packet transmitted by a security association. The receiving system expects every datagram it receives in the course of a particular security association to have a different value in this field. Packets with duplicate values are discarded.
• Payload Data (variable) Contains the original TCP, UDP, or ICMP header and data from the datagram, in encrypted form, preceded by the initialization vector when the cipher requires one.
• Padding (0–255 bytes) Some algorithms are capable only of encrypting data in blocks of a specific length. This field contains padding that expands the payload to a multiple of the cipher's block size and, in any case, makes the Pad Length and Next Header fields end on a 4-byte boundary.
• Pad Length (1 byte) Specifies the size of the Padding field, in bytes.
• Next Header (1 byte) Identifies the protocol of the encapsulated data (the first header inside the Payload Data field), using the IANA protocol numbers (originally the "Assigned Numbers" RFC).
• Authentication Data (variable) Optional field that contains an ICV that the sending computer calculates for all the fields from the beginning of the ESP header to the end of the ESP trailer (excluding the original IP header and the ESP Authentication Data field itself). The receiving system performs the same ICV calculation and compares the results to this value to verify the packet's integrity.

ESP encrypts the data beginning at the end of the ESP header (that is, the end of the Sequence Number field) and proceeding to the end of the Next Header field in the ESP trailer. ESP is also capable of providing its own authentication, replay prevention, and data integrity services, in addition to those of AH. The information that ESP uses to compute the integrity check runs from the beginning of the ESP header to the end of the ESP trailer. The original IP header from the datagram is not included in the check (although it is in the AH check). This means that when IPsec uses ESP alone in transport mode, it's possible for someone to modify the IP header contents without the changes being detected by the recipient. Avoiding this possibility is why the use of both AH and ESP is described as offering maximum protection. In practice, ESP with its own integrity check is what nearly all deployments use: AH cannot cross NAT, and in tunnel mode ESP encapsulates and protects the entire original IP packet, header included, inside a new outer packet. Figure 23-8 shows a packet using both the AH and ESP protocols and shows the signed and encrypted fields.
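The ESP framing, padding and coverage rules above, as an added example that is not the book's code. To keep it dependency-free it uses ESP with the NULL cipher (RFC 2410) and an HMAC-SHA1-96 ICV, so the trailer is visible rather than encrypted; the padding and ICV computation are the same with a real cipher. The key, sample IP header and payload are constructed. What it shows is the trailer arithmetic and the gap the paragraph warns about: the outer IP header is not covered by the ESP ICV.

```python
"""ESP with NULL encryption and HMAC-SHA1-96 (added example, not the book's code)."""
import hashlib, hmac, struct

ESP_PROTO = 50
ICV_LEN = 12

# Constructed 20-byte IPv4 header: protocol 50, 10.0.0.5 -> 10.0.0.9, checksum left zero.
SAMPLE_IP_HDR = bytes([0x45, 0, 0, 52, 0x12, 0x34, 0x40, 0, 64, ESP_PROTO, 0, 0,
                       10, 0, 0, 5, 10, 0, 0, 9])

def esp_icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_esp_null(key, spi, seq, next_header, payload, block=4):
    """header(SPI, Seq) | payload | padding | pad len | next header | ICV.
    `block` is the cipher block size; 4 is the minimum alignment ESP requires."""
    pad_len = (-(len(payload) + 2)) % block        # trailer must end on a block boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 2.4 default pad bytes 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + esp_icv(key, body)               # ICV covers ESP header through trailer only

def parse_esp_null(key, esp):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(key, body)):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": payload, "pad_len": pad_len}

def esp_is_valid(key, esp) -> bool:
    try:
        parse_esp_null(key, esp)
        return True
    except ValueError:
        return False

def process_esp_packet(key, packet):
    """Receiver: skip the IP header and process ESP. Nothing in the outer header is checked."""
    ihl = (packet[0] & 0x0F) * 4
    return parse_esp_null(key, packet[ihl:])
```

A 7-byte payload plus the 2 trailer bytes needs 3 bytes of padding to reach a 4-byte boundary and 7 bytes to reach AES's 16-byte block; flipping a payload byte fails the ICV, while flipping a byte of the destination address in the outer header is not noticed by ESP at all.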
Figure 23-8 An IP datagram using both AH and ESP

SSL
Secure Sockets Layer is a series of protocols providing many of the same services as IPsec but in a more specialized role. Its successor, Transport Layer Security (TLS), keeps the same structure; SSL 3.0 and earlier have known weaknesses and should no longer be enabled, so the design described here as "SSL" is deployed today as TLS. Instead of protecting all TCP/IP traffic by signing and encrypting network layer datagrams, SSL is designed to protect only the TCP traffic generated by specific applications, most notably the Hypertext Transfer Protocol (HTTP) traffic generated by web servers and browsers. In most cases, when you use a web browser to connect to a secured site (for the purpose of conducting a credit card or other transaction), the client and server open a connection that is secured by SSL, usually evidenced by a padlock icon in the browser's address bar. The major web servers and browsers all support SSL, with the result that its use is virtually transparent to the client.

SSL consists of two primary protocols: the SSL Record Protocol (SSLRP) and the SSL Handshake Protocol (SSLHP). SSLRP is responsible for encrypting the application layer data and verifying its integrity, while SSLHP negotiates the security parameters used during an SSL session, such as the keys used to encrypt and authenticate the data.

SSL Handshake Protocol
Clients and servers that use SSL exchange a series of SSLHP messages before they transmit any application data. This message exchange consists of four phases, which are as follows:

• Establish security capabilities During this phase, the client and the server exchange information about the versions of SSL they use and the encryption and compression algorithms they support. The systems need this information in order to negotiate a set of parameters supported by both parties.
• Server authentication and key exchange If the server needs to be authenticated, it sends its certificate to the client, along with any additional key exchange parameters that the negotiated cipher suite requires.
• Client authentication and key exchange After verifying the server's certificate as valid, the client responds with its own certificate, if the server has requested one, plus the key exchange material (for example, a premaster secret encrypted with the server's public key) from which both sides derive the session keys.
• Finish The client and server use a special protocol called the SSL Change Cipher Spec Protocol to switch their communications to the parameters they have agreed upon in the earlier phases. The two systems send handshake completion messages to each other using the new parameters, which completes the establishment of the secure connection between the two computers. Because these Finished messages carry a MAC over the entire handshake, an attacker who altered the earlier, unprotected phases (for example, to downgrade the cipher suite) is detected here. The transmission of application data using SSLRP can now begin.

SSL Record Protocol
The process by which SSLRP prepares application layer data for transmission over the network consists of five steps, which are as follows:

1. Fragmentation SSLRP splits the message generated by the application layer protocol into blocks no more than 2^14 bytes (16 kilobytes) long.
2. Compression Optionally, SSLRP can compress each fragment, but current implementations do not do this: compressing data before encrypting it leaks information about the plaintext, and TLS 1.3 removed the option entirely.
3. Message authentication SSLRP generates a message authentication code (MAC) for each fragment, using a secret key established by the transmitting and receiving systems during the SSLHP negotiation, and appends it to the end of the fragment.
4. Encryption SSLRP encrypts each fragment with any one of several algorithms using keys of various sizes. The encryption is symmetrical, with a key that is also established during the SSLHP negotiation.
5. Encapsulation SSLRP adds a header to each fragment before passing it down to the TCP protocol for further encapsulation.

After this entire process is completed, each SSLRP record consists of the following fields:

• Content Type (1 byte) Identifies the SSL protocol that generated the fragment: handshake, change cipher spec, alert, or application data
• Major Version (1 byte) Specifies the major version of SSL in use
• Minor Version (1 byte) Specifies the minor version of SSL in use
• Length (2 bytes) Specifies the length of the Data field (after compression, if any)
• Data (up to 2^14 bytes before encryption) Contains a fragment of (possibly compressed) application layer data
• Message Authentication Code (0, 16, or 20 bytes) Contains the MAC for the fragment, which the receiving system uses to verify its integrity. It is computed with the shared secret, so unlike a digital signature it proves the sender's identity only to the other party. The sizes correspond to no MAC, MD5, and SHA-1; TLS 1.2 also allows SHA-256 (32 bytes), and with an AEAD cipher suite the cipher's authentication tag replaces the separate MAC.
Firewalls
A firewall is a hardware or software entity that protects a network from intrusion by outside users by regulating the traffic that can pass through a router connecting it to another network. The term is most often used in relation to protection from unauthorized users on the Internet, but a firewall can also protect a local area network (LAN) from users on other LANs, either local or wide area networks (WANs). Without some sort of a firewall in place, outside users can access the files on your network, plant viruses, use your servers for their own purposes, or even wipe your drives entirely.

Completely isolating a network from communication with other networks is not difficult, but this is not the function of a firewall. A firewall is designed to permit certain types of traffic to pass over the router between the networks, while denying access to all other traffic. You want your client workstations to be able to send HTTP requests from their web browsers to servers on the Internet and for the servers to be able to reply, but you don't want outside users on the Internet to be able to access those clients. Firewalls use several different methods to provide varying degrees of protection to network systems. A client workstation has different protection requirements than a web server, for example.

Depending on the size of your network, the function of your computers, and the degree of risk, firewalls can take many forms. The term has come to be used to refer to any sort of protection from outside influences. In fact, a true firewall is really a set of security policies that may be implemented by several different network components that work together to regulate not only the traffic that is permitted into the network, but possibly also the traffic that is permitted out. In addition to preventing Internet users from accessing the systems on your network, you can use a firewall to prevent certain internal users from surfing the Web, while allowing them the use of Internet e-mail.

An inexpensive software router program can use network address translation (NAT) to enable client workstations on a small network to use unregistered (private) IP addresses, and in a loose sense of the term, this is a form of a firewall. A large corporation with multiple T-1 connections to the Internet is more likely to have a system between the internal network and the Internet routers that is running software dedicated to firewall functions. Some firewall capabilities are integrated into a router, while other firewalls are separate software products that you must install on a computer.

Firewall protection can stem from either one of the following two basic policies, the choice of which is generally dependent on the security risks inherent in the network and the needs of the network users:

• Everything not specifically permitted is denied.
• Everything not specifically denied is permitted.

These two policies are essentially a reflection of seeing a glass as being either half full or half empty. You can start with a network that is completely secured in every way and open up portals permitting the passage of specific types of traffic, or you can start with a completely open network and block the types of traffic considered to be intrusive. The former method is much more secure and is generally recommended in all environments. However, it tends to emphasize security over ease of use. The latter method is less secure but makes the network easier to use. This method also forces the administrator to try to anticipate the techniques by which the firewall can be penetrated. If there is one thing that is known for certain about the digital vandals that inhabit the Internet, it is that they are endlessly inventive, and keeping up with their activities can be difficult.

Network administrators can use a variety of techniques to implement these policies and protect the different types of systems on the network. The following sections examine some of these techniques and the applications for which they're used.

Packet Filters
Packet filtering is a feature implemented on routers and firewalls that uses rules specified by the administrator to determine whether a packet should be permitted to pass through the firewall. The rules are based on the information provided in the protocol headers of each packet, including the following:

• IP source and destination addresses
• Encapsulated protocol
• Source and destination port
• ICMP message type
• Incoming and outgoing interface

By using combinations of values for these criteria, you can specify precise conditions under which packets should be admitted through the firewall. For example, you can specify the IP addresses of certain computers on the Internet that should be permitted to use the Telnet protocol to communicate with a specific machine on the local network. As a result, all packets directed to the system with the specified destination IP address and using port 23 (the well-known port for the Telnet protocol) are discarded, except for those with the source IP addresses specified in the rule. Using this rule, the network administrators can permit certain remote users (such as other administrators) to Telnet into network systems, while all others are denied access. (Telnet itself sends everything, passwords included, in clear text; the same rule shape applies to SSH on port 22, which has replaced it for remote administration.) This is known as service-dependent filtering because it is designed to control the traffic for a particular service, such as Telnet.

Service-independent filtering is used to prevent specific types of intrusion that are not based on a particular service. For example, a hacker may attempt to access a computer on a private network by generating packets that appear as though they originated from an internal system. This is called spoofing. Although the packets might have the IP address of an internal system, they arrive at the router through the interface that is connected to the Internet. A properly configured filter can associate the IP addresses of internal systems with the interface to the internal network so that packets arriving from the Internet with those source IP addresses can be detected and discarded.
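The two rule types just described, service-dependent (the Telnet rule) and service-independent (the anti-spoofing rule), as an added example that is not the book's code or any vendor's rule syntax. The addresses, interface names and rule set are constructed for illustration; the evaluation order, first match wins with a deny default, implements the "everything not specifically permitted is denied" policy from the section above.

```python
"""Packet-filter rule evaluation (added example, not the book's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    dport: int
    iface: str        # interface the packet ARRIVED on

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    iface: Optional[str] = None      # incoming interface, or None for any
    src: Optional[str] = None        # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

INTERNAL = "192.0.2.0/24"            # constructed: the private network behind the "inside" interface

RULES = [
    # Service-independent: anti-spoofing. An internal source address can never legitimately
    # arrive on the outside interface, whatever service it is aimed at.
    Rule("deny", iface="outside", src=INTERNAL),
    # Service-dependent: one admin host may reach Telnet (port 23) on the jump host;
    # every other Telnet attempt from outside is dropped.
    Rule("permit", iface="outside", src="198.51.100.7/32", dst="192.0.2.10/32", proto="tcp", dport=23),
    Rule("deny", iface="outside", dst=INTERNAL, proto="tcp", dport=23),
    # The public web server is reachable by anyone.
    Rule("permit", iface="outside", dst="192.0.2.80/32", proto="tcp", dport=443),
]

def filter_packet(p: Packet, rules=RULES, default="deny") -> str:
    """First matching rule wins; the default is the 'not specifically permitted' policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default
```

Rule order is part of the policy: the spoofing check sits first so that a forged internal source can never satisfy a later permit. A filter this simple is stateless, so return traffic for the clients' own outbound connections would need its own rules or, in practice, a stateful engine that tracks connections.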
Packetfilteringisafeatureintegratedintomanyrouters,sonoextramonetarycostisinvolvedinimplementingprotectioninthisway,andnomodificationtoclientsoftwareorproceduresisrequired.However,creatingacollectionoffiltersthatprovidesadequateprotectionforanetworkagainstmosttypesofattackrequiresadetailedknowledgeofthewayinwhichthevariousprotocolsandserviceswork,andeventhenthefiltersmaynotbe
sufficienttopreventsometypesofintrusion.Packetfilteringalsocreatesanadditionalprocessingburdenontherouter,whichincreasesasthefiltersbecomemorenumerousandcomplex.
NetworkAddressTranslationNetworkaddresstranslationisatechniquethatenablesaLANtouseprivate,unregisteredIPaddressestoaccesstheInternet.ANATserverorarouterwithNATcapabilitiesmodifiestheIPdatagramsgeneratedbyclientstomakethemappearasthoughtheywerecreatedbytheNATserver.TheNATserver(whichhasaregisteredIPaddress)thencommunicateswiththeInternetandrelaystheresponsestotheoriginalclient.BecausetheclientsdonothavevalidInternetIPaddresses,theyareinvisibletooutsideInternetusers.
ProxyServersProxyservers,alsoknownasapplication-levelgateways,provideamuchstricterformofsecuritythanpacketfilters,buttheyaredesignedtoregulateaccessonlyforaparticularapplication.Inessence,aproxyserverfunctionsasthemiddlemanbetweentheclientandtheserverforaparticularservice.Packetfilteringisusedtodenyalldirectcommunicationbetweentheclientsandserversforthatservice;alltrafficgoestotheproxyserverinstead.
Becausetheproxyserverhasmuchmoredetailedknowledgeofthespecificapplicationanditsfunctions,itcanmorepreciselyregulatethecommunicationsgeneratedbythatapplication.Afirewallmightrunindividualproxyserversforeachoftheapplicationsneededbyclientsystems.
ThemostcommonformofproxyserverusedtodayisfortheWeb.Theclientbrowsersonthenetworkareconfiguredtosendalloftheirrequeststotheproxyserver,insteadoftotheactualInternetservertheywanttoreach.Theproxyserver(whichdoeshaveaccesstotheInternet)thentransmitsarequestforthesamedocumenttotheappropriateserverontheInternetusingitsownIPaddressasthesourceoftherequest,receivesthereplyfromtheserver,andpassestheresponseontotheclientthatoriginallygeneratedtherequest.
Becauseonlytheproxyserver’saddressisvisibletotheInternet,thereisnowayforInternetintruderstoaccesstheclientsystemsonthenetwork.Inaddition,theserveranalyzeseachpacketarrivingfromtheInternet.Onlypacketsthatareresponsestoaspecificrequestareadmitted,andtheservermayevenexaminethedataitselffordangerouscodeorcontent.Theproxyserverisinauniquepositiontoregulateusertrafficwithgreatprecision.Atypicalwebproxyserver,forexample,enablesthenetworkadministratortokeepalogofusers’webactivities,restrictaccesstocertainsitesorcertaintimesofday,andevencachefrequentlyaccessedsitesontheproxyserveritself,enablingotherclientstoaccessthesameinformationmuchmorequickly.
Thedrawbacksofproxyserversarethatyouneedanindividualserverforeveryapplication,andmodificationstotheclientprogramarerequired.Awebbrowser,forexample,mustbeconfiguredwiththeaddressoftheproxyserverbeforeitcanuseit.Traditionally,manualconfigurationofeachclientbrowserwasneededtodothis,buttherearenowproxyserverproductsthatcanenablethebrowsertoautomaticallydetectaserver
andconfigureitselfaccordingly.
Circuit-LevelGatewaysAcircuit-levelgateway,afunctionthatisusuallyprovidedbyapplication-levelgatewayproducts,enablestrustedusersontheprivatenetworktoaccessInternetserviceswithallthesecurityofaproxyserverbutwithoutthepacketprocessingandfiltering.ThegatewaycreatesaconduitbetweentheinterfacetotheprivatenetworkandtheInternetinterface,whichenablestheclientsystemtosendtrafficthroughthefirewall.ThegatewayserverstillsubstitutesitsownIPaddressforthatoftheclientsystemsothattheclientisstillinvisibletoInternetusers.
CombiningFirewallTechnologiesTherearevariouswaysinwhichthesefirewalltechnologiescanbecombinedtoprotectanetwork.ForarelativelysimpleinstallationinwhichonlyclientaccesstotheInternetisrequired,packetfilteringorNATalone—orpacketfilteringincombinationwithaproxyserver—canprovideasufficientfirewall.Addingtheproxyserverincreasesthesecurityofthenetworkbeyondwhatpacketfilteringprovidesbecauseapotentialintruderhastopenetratetwolevelsofprotection.However,ifyourunserversthatmustbevisibletotheInternet,theproblembecomesmorecomplicated.
Oneofthemostsecurefirewallarrangementsyoucanuseforthistypeofenvironmentiscalledascreenedsubnetfirewall.Thisconsistsofademilitarizedzone(DMZ)networkbetweentheprivatenetworkandtheInternet.Usingtworouterswithpacket-filteringcapabilities,youcreateaDMZnetworkthatcontainsyourproxyserver,aswellasyourweb,e-mail,andFTPservers,andanyothermachinesthatmustbevisibletotheInternet.
ThetworoutersareconfiguredtoprovidesystemsontheprivatenetworkandtheInternetwithacertaindegreeofaccesstocertainsystemsontheDMZnetwork,butnotrafficpassesdirectlythroughtheDMZ.UsersfromtheInternetmustthenpassthroughthreeseparatelayersofsecurity(router,proxy,androuter)beforetheycanaccessasystemontheprivatenetwork.
Firewallsofthistypearecomplexmechanismsthatmustbeconfiguredspecificallyforaparticularinstallationandcanrequireagreatdealoftime,money,andexpertisetoimplement.Thepricesofcomprehensivefirewallsoftwareproductsforenterprisenetworkscanrunwellintofivefigures,anddeployingthemisnotsimplyamatterofrunninganinstallationprogram.However,comparedtothepotentialcostinlostdataandproductivityofahackerintrusion,theefforttakentoprotectyournetworkisnotwasted.
CHAPTER 24
Wireless Security
With today's proliferation of wireless appliances, it is essential that networks be protected from unauthorized access. With the many mobile devices used today, network security is more important than ever. A wireless network is one that uses high-frequency radio signals to send and receive information instead of cables that connect various appliances to each other. The devices can range from printers to laptops and from tablets to file servers.
The technology available today makes it possible for businesses to allow employee access from any place within their network area or from any Wi-Fi hotspot. Note that Wi-Fi has been defined in various ways, among them wireless fidelity or wireless Internet. Wi-Fi, based on the IEEE 802.11 protocol standard, is a trademarked name belonging to the Wi-Fi Alliance. This trade association formed in 1999 as a nonprofit, international group to promote the technology.
This chapter discusses the various methods of security specifically for wireless devices and networks, both at home and in business settings.
Wireless Functionality
Since Wi-Fi is based on the transmission of radio signals on a single frequency, the signals are vulnerable to interception. Both an advantage and a disadvantage of wireless connectivity is that devices are potentially compatible with everything from your rack server to a game device.
Wireless Network Components
While similar to wired networks, a wireless network must have several components to function properly.
Wireless Network Adapters/Wireless Network Interface Cards
While available as stand-alone devices to be connected with Universal Serial Bus (USB) connectors, today wireless network adapters are usually included in computers or other devices to be used on a wireless network. For small networks, such as those in a home, these adapters (or network interface cards [NICs]) are often all that is needed to create a peer-to-peer or ad hoc network that allows such devices as computers, printers, tablets, and so on to talk to each other.
Wireless Router
The broadband wireless router consists of an access point, several Ethernet ports to connect to wired devices on your network such as printers, and a broadband wide area network port to connect to the Internet. (See "Wireless Access Points" later in this chapter for more information on access points.) It usually includes a built-in Dynamic Host Configuration Protocol (DHCP) server that assigns an IP address to each connected device. As the Internet gateway, each router also contains a two-way radio that both transmits and receives radio signals and comes equipped with at least one antenna to increase the range of the radio signal. Today's wireless router usually includes Domain Name System (DNS) settings, as discussed in Chapter 15, and a firewall, and it is capable of encryption for added security.
Wireless Repeater/Range Expander/Signal Booster
To boost the signals emitted by the router, a repeater can be installed to either a router or an access point to ensure signals are being transmitted and received. This can be useful if your devices are on different floors of a building.
Wireless Router Types
Depending on the type of network with which you will be working, several IEEE 802.11 technologies are available for your wireless router, as well as other standards for different uses. See Table 24-1 for some comparisons.
Table 24-1 Router Statistics
Single-Band and Dual-Band Routers
The main difference between single-band and dual-band routers is the range of the signal. As a rule, single-band routers, using a 2.4 GHz band, transmit weaker signals than dual-band devices. Since dual-band routers, which contain both 2.4 GHz and 5.0 GHz bands, can use more than one signal band, their range, signal strength, and often speed can be greater. Not all wireless devices can run on the 5.0 GHz band, so there is often not as much traffic on that frequency.
Single-Band Routers
Many devices use the 2.4 GHz bandwidth found in single-band routers. Some of these are as follows:
• Cordless phones
• Microwave ovens
• Baby monitors
• Bluetooth appliances
• Wi-Fi access points
• Smartphones
• Television stations and towers
• Remote controllers for TV and cable
• Game controllers
The single-band frequency has three nonoverlapping channels with which to work, but as you can see, the many other users of this bandwidth can create quite a bottleneck for your network. This widespread usage can create interference on your connection and slow down transmissions. While the 2.4 GHz band has a higher range than the 5.0 GHz frequency, the 5.0 GHz frequency allows more bandwidth through.
Dual-Band Routers
These routers have both 2.4 GHz and 5.0 GHz bands, so speed is enhanced, making this band suitable for both gaming and video streaming. Since fewer devices use the 5.0 GHz band, there is less chance for interference on this frequency; 5.0 GHz has 23 nonoverlapping channels available. If multiple devices connect to your router at the same time, consider a simultaneous dual-band router.
Dual-band routers can be either simultaneous or selectable. Simultaneous dual-band routers have the following:
• Two times the bandwidth of the single-band router
• A dedicated Wi-Fi network for high-speed transmission, such as video
• Two separate Wi-Fi networks operating at the same time
Selectable dual-band routers have the following characteristics:
• Only one Wi-Fi network can be selected at a time
• The same bandwidth as the single-band router
Other Considerations
When deciding on a router for your wireless network, consider the age of your current hardware. Today's hardware needs higher bandwidths, so if your company and its employees have notebooks, tablets, smartphones, or other such devices, dual-band routers are important.
Also, most routers have Ethernet ports that allow connections via Ethernet cables. This connection can add speed and reliability for that device.
Wireless Transmission
The wireless network interface controller in your device converts digital data into radio waves and, in turn, sends them to your wireless router. The router then broadcasts the radio waves to the Internet. The small, wireless network formed by the NICs and the router can be accessed by anyone within range of the radio signals. Some have described the router as a small radio station, capable of both broadcasting and receiving signals.
Wireless Access Points
A wireless access point (WAP) can be part of a wireless router or a stand-alone device. Some stand-alone WAPs are used as boosters for both business and home networks. All such points are managed by a wireless LAN controller to control authentication, transmission channels, radio-frequency (RF) power, and security.
Many libraries, cafes, and other businesses offer public WAPs for their customers. These locations, called hotspots, mean that Internet connectivity is available at that location. While these access points provide great convenience, they also can be security risks.
WAPs are directly connected to a wired Ethernet connection and provide the link that allows several devices to be connected to this wired connection. There are several ways you can ensure that your access point suffers the least amount of interference with the highest possible Internet speed:
• Placement Many obstacles to good connections are on the floor (or ground) level of your office. Consider putting your WAP higher up, perhaps on a high shelf or even the ceiling.
• Vicinity If you have several devices using the same WAP, the best location for your WAP is nearest the device you use the most. The strongest signal is always the closest to your access point.
• Line-of-sight The best location for your access point is in a clear line-of-sight with your primary device. Any impediment will decrease signal strength.
• Nonreflectivity Reflection from windows, bright countertops, or mirrors can interfere with Wi-Fi signals. Position your access point so that the signals do not bounce off reflective surfaces.
NOTE When several devices equipped with wireless network adapters are close together, they can communicate without either a WAP or a router. This type of wireless network is known as an ad hoc network.
Setting Up a Wireless Access Point
WAPs come with a default IP address, some of which are assigned by DHCP and others with previously assigned addresses. The bottom of the box in which the WAP was shipped will show which method is used. Most WAPs will connect to the nearest existing network connection. While each model is slightly different, all require at least these three steps. Keep a written note of each of these settings as you proceed. You will need the information when connecting this network to your computer.
• Service set identifier (SSID) Create a name for this wireless network. This is also known as the network name.
• Infrastructure versus ad hoc Choose Infrastructure.
• Encryption This is a security measure. Ensure it is on, using the recommended settings on the device. See "Understanding Encryption" later in this chapter.
Some WAPs come with a CD or DVD with basic configuration instructions. Others require that you connect to the manufacturer's website and follow the instructions on the site.
Configuring a Wireless Router
After you have physically connected your router to a broadband Internet connection with an Ethernet cable, connect at least one computer to your router with an Ethernet cable. After you have configured the router, you can disconnect this computer.
1. Locate the IP address of the router. For most routers, this address is 192.168.1.1.
2. Using the computer attached to your router, open a web browser and enter the IP address of the router in the browser's address bar. You will be prompted for your name and password, as shown here. Depending on the router model, this can be "password" and "password" or "admin" and "password." The router may show this information on an attached label or include it in the written documentation. Some websites allow you to leave one or both fields blank.
3. Log on to your router, and you are taken to either the router's main menu or the status screen, as in the example of an ASUS RT-N66U shown here.
4. Enter your network name. The field is usually Name or SSID. Most routers use "default" or the brand name of the router. Ensure you have enabled SSID broadcast so your network is active.
5. Set a security/encryption method. The best choice is WPA2-PSK (Pre-shared Key Mode or Personal Mode). See "Securing a Wireless Router" later in this chapter for more information.
6. Enter a password/passphrase for your network. Make sure this includes uppercase and lowercase letters, numbers, and symbols. The best choices have at least 8 to 13 characters and contain no words found in a dictionary. Make a note of this password. (But do not put it on a sticky note on your monitor!)
7. Apply your settings. Once the router has completed its setup, you can use your wireless network.
8. Change the router username and password from the defaults that came with your router. Make a note of them both.
9. Test the network by connecting a device. As long as the new device is within range, it should see your network and ask for the password/passphrase. Once you have entered that phrase, your device will remember the network and connect automatically each time it is powered on within range of the network.
10. When everything is functioning, log out of your router.
Creating a Secure Wireless Network
The term secure wireless network may be a contradiction in terms. All wireless networks and the devices they connect are vulnerable to outsiders. Add this understanding to the fact that even IT professionals seldom use effective security measures, and you have the potential for widespread attacks.
Securing a Wireless Home Network
Since wireless signals can be accessed by anyone within range, including your next-door neighbor, the ramifications of unsecured home networks are great. When someone usurps your Internet signal, the speed at which you can connect decreases because the signal is shared with other computers (or mobile devices). The use of your signal can also open a pathway for hackers using programs that can gain personal information from your computer or insert malware onto your system.
You can ensure your home network is protected in several ways.
Changing the Username and Password
Since most router manufacturers want to make it as easy as possible for the home user to set up a wireless network, default passwords are available on the manufacturer's website as well as many places on the Internet. Check in any documentation that came with your router or download the documentation from the website. To access your wireless router, follow these steps:
1. Determine the default username and password for your model router.
2. Type 192.168.1.1 into the address bar of any web browser.
3. Enter the default username and password to open your router's interface.
4. Find the administrative section that displays the username and password. The image you see will be different, depending on the router brand you are using.
5. Change both the username and the password, according to the instructions on your router. Ensure your password contains symbols, uppercase and lowercase letters, and numbers. The best ones contain at least 8 characters, and 13 is even better. Also, consider changing the password every 60 to 90 days to be more secure.
6. Save the changes.
Changing the Network Name
Changing your SSID helps in several ways. First, it makes it easy when connecting new devices to an available wireless network. Some families have one network for the parents and another for cell phone or laptop connection. Even if outside scanners find your network, they cannot join without the appropriate password.
To change the name, open the router administrative window as described earlier and find the location of your wireless name, as shown here.
Applying Media Access Control Filters
Most wireless routers provide a way with which you can add, or whitelist, the devices that connect to your wireless network. Consider listing the media access control (MAC) addresses of the most commonly connected devices, such as smartphones. Each device has its own address, and you can list those addresses in your router's MAC filter, as shown next.
Enabling Strong Encryption
Ensure that your router is set to Wi-Fi Protected Access 2 (WPA2) rather than the older WEP setting. See "Understanding Encryption" later in this chapter for more information.
Other Options
You have a couple of other options, discussed here:
• Ensure that your router has the latest updates. Go to your manufacturer's website and download the latest firmware.
• Use "anti Wi-Fi" paint on one of the walls. However, since this special paint has chemicals that absorb radio signals, do not paint this type of paint in the entire room.
Securing a Business Network
Wireless business networks have many of the same issues as home networks. However, there may be more tools with which to alleviate these problems because IT professionals are usually (but not always!) more aware of the issues.
When working with a small or large wireless network in a business setting, understand the process and address each concern and then follow through on a regular basis to at least lessen the threat of infiltration.
Creating a Security Policy for Wireless Networks
The first step in any policy is identifying the needs and enumerating the methods to satisfy each need. The policy should include at least the following:
• What devices are included, such as both company-owned and employee-owned laptops, smartphones, tablets, and so forth
• What WAPs can be connected to the network
• What protection or settings are required on all connected or potentially connected devices
• How devices are configured, such as what devices can connect only to the Internet or which sites are on the Internet
• How the policy will be enforced
Setting Up Protection
Wired networks can be protected physically by eliminating Ethernet connectivity. In a wireless setting, access points and other devices must be protected from theft, tampering, or other physical assault. Consider using touchpad locks on all storage and wiring closets to eliminate unauthorized visits.
Passwords should be required for both internal and external use on all network devices. Set a time when all passwords must be changed, and do not allow the same password to be used more than once.
Ensure your wireless network encryption is reviewed and revised as necessary. This should be done on at least a quarterly basis. As part of this policy, ensure that wireless devices do not have administration rights access to the network.
MAC Identification Filtering
While tracking the MAC addresses of devices connected to a home wireless network can be effective, in most business environments it can be problematic. There are often too many devices, too many changes, and too much chance of incorrectly entered MAC addresses to make this a viable practice in all but very small networks.
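A small check for the problem just named, incorrectly entered MAC addresses, covering both the home MAC filter described earlier and the business case here: normalize and validate an allowlist before it goes into the router's filter, so typos are caught and duplicates collapse. This is an added example, not code from the book; the allowlist entries are constructed sample values, and the locally-administered-bit check at the end goes beyond the chapter.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample allowlist, as an administrator might type it into a
# router's MAC filter: mixed separators, mixed case, one duplicate and two
# mistyped entries. Not taken from any real network.
RAW_ALLOWLIST = [
    "00:1A:2B:3C:4D:5E",   # colon-separated, uppercase
    "00-1a-2b-3c-4d-5f",   # dash-separated, lowercase
    "001A.2B3C.4D60",      # Cisco dotted style
    "00:1A:2B:3C:4D:5E",   # duplicate of the first entry
    "00:1A:2B:3C:4D",      # mistyped: only five octets
    "00:1G:2B:3C:4D:61",   # mistyped: 'G' is not a hex digit
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Return a MAC in canonical 'aa:bb:cc:dd:ee:ff' form, or None if it is
    not a syntactically valid 48-bit address (the incorrectly entered case)."""
    digits = re.sub(r"[\s:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_allowlist(raw: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Normalize and dedupe an allowlist; report entries that could not be
    parsed so they can be corrected instead of silently locking a device out."""
    allowed: Set[str] = set()
    rejected: List[str] = []
    for entry in raw:
        canon = normalize_mac(entry)
        if canon is None:
            rejected.append(entry)
        else:
            allowed.add(canon)
    return allowed, rejected


def is_allowed(mac: str, allowed: Set[str]) -> bool:
    """Filter decision for one connecting device, in any address format."""
    canon = normalize_mac(mac)
    return canon is not None and canon in allowed


def locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 in the first octet) is set, i.e. the address
    was set in software rather than burned in at the factory. Since the chapter
    notes that an attacker can simply change a MAC address, such addresses are
    worth flagging in logs for review; they are not proof of anything, because
    some devices also randomize their MAC for privacy."""
    canon = normalize_mac(mac)
    if canon is None:
        return False
    return bool(int(canon[:2], 16) & 0x02)


if __name__ == "__main__":
    allowed, rejected = build_allowlist(RAW_ALLOWLIST)
    print("allowlist:", sorted(allowed))
    print("rejected (fix these before loading the filter):", rejected)
    for probe in ("00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:62", "02:00:00:00:00:01"):
        print(probe, "allowed" if is_allowed(probe, allowed) else "blocked",
              "(locally administered)" if locally_administered(probe) else "")
```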
Segmentation of Access
Best practices often limit network access by group or need. For example, some resources can be accessed only through a virtual private network (VPN), or file transfers can be blocked. This policy should be established and reviewed on a regular basis.
Using Anti-malware
As malware becomes increasingly destructive, network administrators must ensure that their systems are protected. Adware, worms, Trojans, and other potentially unwanted programs (PUPs) can infect both wireless and wired devices.
Remote Authentication Dial-In User Service
This mode of WPA2 provides greater security and requires either a hosted service or a Remote Authentication Dial-In User Service (RADIUS) server. 802.1X/RADIUS can increase security but can also be difficult for end users unless their device is preconfigured to use this level of security. Since tracking and reports are based on the name of the clients, it is easier to restrict certain users.
Maintaining Security Measures on an Ongoing Basis
No policies or procedures can survive in a vacuum. At every level, ensure the policies are followed by each employee and department. Consider using company meetings for education on current security issues and require that all new employees have copies of the policies.
Securing a Wireless Router
When setting up a wireless router, there are several ways to ensure its security:
• Disable remote administrative management. If no one outside can access the administrative tools, the likelihood of unauthorized administrative changes is lessened.
• Consider changing the default IP address of your router. Using something less common can foil cross-site request forgery (CSRF) attacks on your network. These attacks transmit unwanted requests in web applications and compromise user data.
• When working with the router, require everyone to actually log out.
• Ensure that AES WPA2 is turned on, and eliminate WPS. Also, change default passwords.
• As with all routers, update the firmware regularly. It is good practice to create a log to ensure all firmware and software are updated on a schedule.
Securing Mobile Devices
While the terms mobile and wireless are often used as synonyms, they are different. Mobile devices are portable, contain internal batteries and therefore need no external power, and can be taken anywhere. To exchange data, the device must be connected to a mobile network but does not need to be attached to any hardware infrastructure. The mobile network, however, must be connected at some point to a hardwired system.
Wireless does not mean portable or mobile. Wireless networks can connect devices to the Internet or each other, must be connected to an external power source, and are usually kept in one place. While wireless networks can access mobile networks, they, too, must, at some point, connect to a hardwired, broadband Internet connection. Security for mobile devices, therefore, differs from that of nonportable devices.
Although phone and tablet security is not strictly part of networking, many businesses provide these electronic devices for use by their employees. The following are some of the ways you and your employees can protect these devices and, in turn, protect your network:
• Educate your employees about phishing, malicious or unknown phone numbers, and open Wi-Fi networks. Create a written company policy about the usage of these devices.
• Enable passwords or PINs on each device. Some phones accept only a certain number of tries for the correct password and then lock the phone.
• Make sure all operating system updates are loaded onto each device.
• Install antivirus and anti-malware apps on all devices and ensure they are kept up to date.
• Install and use encryption software on each device.
• Do not download unapproved apps. Each IT department should maintain a list of approved apps for company devices.
• Turn off both Wi-Fi and Bluetooth settings when the device is not being used. In this way, unknown devices cannot connect to the network through the device.
• Periodically check each device to ensure it has not been compromised. Look for such items as the following:
  • Check for odd data patterns.
  • Check for unverifiable charges on cell phone invoices.
  • Look for unapproved apps on the device.
• Ensure physical security of devices when not being used by the employee.
• Each device has built-in limitations from the factory. Ensure these limitations are still in place and the device has not been "jailbroken."
What Are the Risks?
The risks in wireless technology can create havoc on your network and throughout your company. While security is important when working with a wired network, it is critical when working with a wireless network. Whether at home, in a business, or in the cloud, there are many ways in which your wireless network can be compromised.
Unsecured Home Networks
Most business networks have at least some password or passphrase protection, so open wireless business networks are not common. However, home networks that connect computers, tablets, laptops, smartphones, and other devices pose security issues not only to the homeowner but to other, more protected networks, such as the business where that home network owner works. Ad hoc networks are especially vulnerable to outsiders.
Without encryption, anyone can connect to a network for both legal and illegal purposes. If a network is in promiscuous mode, that is, unprotected, anyone within range can use the network. If a next-door neighbor accesses an unprotected wireless network and downloads anything illegally, the action can be traced to the original IP address, and the owner of the network could be charged with the crime.
All data on such networks is transmitted in plain text. That is, it is legible to anyone who can access the information. With easily obtainable software, outsiders can read any data that was relayed on this network. This includes credit card or other personal information entered into a website without an HTTPS connection.
Some hotspot access points are unencrypted, so be cautious when accessing sensitive data at your local coffee shop. The person intently studying a laptop a couple of tables away could be watching your data interchange.
The following are the possible threats for unsecured networks:
• Password capture Passwords for e-mail accounts are sometimes sent in the clear, meaning anyone could access personal e-mail and take advantage of any personal information found in those e-mails.
• Data access If file sharing is turned on, anyone with access to an unsecured network can read the data throughout the shared files.
• Spam and other malware When an unsecured wireless network is hacked, the hacker can use the devices on that network as the source for spam and other malware.
Wireless Invasion Tools
As wireless security measures are applied, software and hardware devices are developed to overcome the measures. Some of these are discussed here.
Hidden SSID Locaters
There are some security suggestions that encourage users to hide the name or SSID of their network. When an SSID is hidden, snooping utility programs can find the network quickly. If a wireless network is suspected, simply monitoring that network will eventually reveal an attempted connection, and as part of the connection process, the name of the SSID is revealed. Devices attempt to connect to the hidden network at all times.
MAC Address Captures
When wireless packets are transmitted, the device MAC addresses are included. Hackers simply change their hardware's MAC address and log on to the network with that device.
WEP and WPA1
The encryption in WEP is vulnerable to decryption, and therefore any device still set to WEP should be updated or replaced. The first version of WPA is also vulnerable. Ensure all wireless routers are set to WPA2.
Wi-Fi Protected Setup
Some routers have a PIN with which a device can connect to your network instead of using a passphrase. Some software programs can go through all possible number combinations until the router acknowledges that the right one has been found. Many security experts recommend disabling Wi-Fi Protected Setup (WPS) for this reason.
Password Vulnerabilities
With WPA2, passwords and passphrases can be between 8 and 63 characters. Dictionary attack software intercepts a router packet and runs through all possible combinations to discover the password or passphrase. Using strong passwords and passphrases with numbers, letters, and symbols is the best method.
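The passphrase rules stated here and in the router setup steps earlier (8 to 63 characters, mixed case, digits, symbols, no dictionary words, 13 or more preferred) gathered into a checker an administrator can run before committing a WPA2-PSK passphrase. This is an added example, not code from the book; the word list is a constructed placeholder standing in for a real one, and the printable-ASCII rule comes from the 802.11 passphrase definition rather than from the chapter.

```python
from typing import List

# Constructed placeholder word list; a real deployment would load a full
# dictionary. The substitutions below fold leetspeak back to letters so that
# "P@ssw0rd" is still recognized as containing "password".
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "router", "admin"}
_LEET = str.maketrans("0134@$", "oleaas")

WPA2_MIN_LEN = 8        # lower bound stated in the chapter
WPA2_MAX_LEN = 63       # upper bound stated in the chapter
RECOMMENDED_LEN = 13    # "13 is even better"


def check_passphrase(passphrase: str) -> List[str]:
    """Return every rule the passphrase violates; an empty list means it
    satisfies all of them. Rules follow the chapter's guidance."""
    problems: List[str] = []
    n = len(passphrase)
    if n < WPA2_MIN_LEN:
        problems.append(f"shorter than the WPA2 minimum of {WPA2_MIN_LEN} characters")
    elif n < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    if n > WPA2_MAX_LEN:
        problems.append(f"longer than the WPA2 maximum of {WPA2_MAX_LEN} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    if not any(not c.isalnum() for c in passphrase):
        problems.append("no symbol")
    # WPA2 passphrases are printable ASCII (codes 32-126); this rule is from the
    # 802.11 passphrase definition, not from the chapter.
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    folded = passphrase.lower().translate(_LEET)
    for word in sorted(DICTIONARY_WORDS):
        if word in folded:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_acceptable(passphrase: str) -> bool:
    """Convenience wrapper: True only when check_passphrase finds nothing."""
    return not check_passphrase(passphrase)


if __name__ == "__main__":
    # Constructed candidates, weakest first.
    for candidate in ("Ab1!", "P@ssw0rd!", "Abcdefg#hijklm", "Tq7#mV9$kL2&pX"):
        verdict = check_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```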
Understanding Encryption
Encryption is a process that makes transmitted data unreadable by those not authorized to see it. When sending information on a wireless network, it is especially important to understand how and when encryption is applied. Successful encryption methods cover both static, stored information and transmitted data.
At-Rest Encryption
Information processed and stored in company servers, especially in companies that maintain financial or medical data, is regulated and protected by government regulation. However, recent events have proved that even this information is subject to attack and is vulnerable to outside sources. Encryption can be applied to individual files or to all data stored on a server or group of servers. There are several methods to protect such data.
File or Folder Encryption
At the file or folder level, no one can open the file or the folder without the appropriate encryption key. There are software programs that encrypt and decrypt the file once the appropriate key is entered. These programs offer options such as the ability to automatically encrypt specific file types, encrypt files created by particular users or applications, or encrypt all files and folders designated by the system administrator.
This method protects only the data within the files or folders. It does not protect file or folder names. Often, copying or moving these files will decrypt the data.
Full-Disk (or Whole-Disk) Encryption
Some operating systems come with utilities to encrypt an entire hard drive. Mac OS comes with FileVault encryption, Windows 8.1 includes Pervasive Device Encryption, and earlier versions of Windows included BitLocker. There are several free full-disk encryption software packages available. The only way to access the information on a protected disk is with the appropriate authorization key.
Volume and Virtual Encryption
This method encrypts only a partition on a hard drive, leaving sections of the disk open and unencrypted. The process encrypts a file, creating a container that can hold other files and folders. This container can be accessed only with the proper key. Encrypted containers often hold boot and system volumes on a PC, external hard drives, and USB flash drives. Since containers are portable, the contents can be copied or transferred across mediums. See Table 24-2 for a comparison of these methods.
Table 24-2 At-Rest Encryption Methods
In-Transit Encryption
Data that is being transmitted is said to be in transit. Several types of encryption techniques can be applied to data as it moves across a network. The main focus of these techniques is to prevent unauthorized users from seeing the data.
Transport Layer Security/Secure Sockets Layer
Most websites that require personal information use either Transport Layer Security (TLS) or the earlier Secure Sockets Layer (SSL) to protect this data. Websites that employ this level of security are shown with the initial https rather than the normal http (which stands for Hypertext Transfer Protocol) in the address. HTTP operates in the application layer of the Internet Protocol suite.
NOTE Originally, HTTPS stood for Hypertext Transfer Protocol with SSL. Today, it indicates that the site uses TLS.
WPA2
WPA2 is Wi-Fi Protected Access II, a program developed by the Wi-Fi Alliance to alleviate the weaknesses in WPA.
Internet Protocol Security
This method operates in the Internet layer of the Internet Protocol suite and therefore protects all data at the upper layers. It can be applied in both transport and tunnel modes:
• In tunnel mode, the entire packet is encrypted. This mode is used to create virtual private networks (see "Virtual Private Network" next), host-to-network transmissions such as remote user access connections, and private communication such as host-to-host transmissions.
• Transport mode encrypts only the message of the packet, not the header.
Virtual Private Network
This is an encrypted private "throughway" between two entities that allows information to be transmitted securely. Once established, these connections offer the following:
• Confidentiality in that any unauthorized "snooper" would see only encrypted data
• Authentication of the sender
• Message integrity
• Includes IPsec and TLS
CHAPTER
25 OverviewofNetworkAdministration
Althoughbusinessnetworksoftenrunavarietyofoperatingsystems,particularlyontheirservers,manyuserworkstationsrunsomeformofWindows.WhetheryouagreewithMicrosoftthattheWindowsinterfaceisuserfriendlyandintuitive,thereisnoquestionthatadministeringafleetofhundredsorthousandsofWindowsworkstationsisanextremelyformidabletask.Inaddition,thischaptercoversnetworkadministrationinformationontheothermainoperatingsystemsinusetoday,MacOSandLinux.
Nearlyallsoftwareincludestoolsthatnetworkadministratorscanusetosimplifytheprocessofinstalling,managing,andmaintainingtheoperatingsystemonalargenumberofworkstations.Thischapterexaminessomeofthesetoolsandhowyoucanusethemtoconfigureworkstationsenmasse,ratherthanworkingonthemoneatatime.
Oneoftheprimarygoalsofanynetworkadministratorshouldbetocreateworkstationconfigurationsthatarestandardizedandconsistentsothatwhenproblemsoccur,thesupportstaffisfullyacquaintedwiththeuser’sworkingenvironment.Failuretodothiscangreatlyincreasethetimeandeffortneededtotroubleshootproblems,thusincreasingtheoverallcostofoperatingthecomputer.Unfortunately,usershaveatendencytoexperimentwiththeircomputers,suchasmodifyingtheconfigurationsettingsorinstallingunauthorizedsoftware.Thiscanmakethesystemunstableandcaninterferewiththemaintenanceandtroubleshootingprocesses.Therefore,itisadvisablethatadministratorsimposesomeformofrestraintsonnetworkworkstationstopreventthisunauthorizedexperimentation.
Featuressuchasuserprofilesandsystempoliciesarebasictoolsyoucanusetodothisonmostnetworksystems,towhateverdegreeyoujudgeisnecessaryforyourusers.Usingthesetools,youcanlimittheprogramsthatasystemisabletorun,denyaccesstocertainelementsoftheoperatingsystem,andcontrolaccesstonetworkresources.Imposingrestrictivepoliciesandlimitingusers’accesstotheirworkstationscanbesensitiveundertakings,andnetworkadministratorsshouldcarefullyconsiderthecapabilitiesoftheirusersbeforemakingdecisionslikethese.Unsophisticatedcomputeruserscanbenefitandmayevenappreciatearestrictedenvironmentthatinsulatesthemfromthemoreconfusingelementsoftheoperatingsystem.However,userswithmoreexperiencemighttakeoffenseatbeinglimitedtoasmallsubsetofthecomputer’sfeatures,andtheirproductivitymayevenbeimpairedbyit.
LocatingApplicationsandDatainWindowsSystemsOneofthebasictasksofthenetworkadministratoristodecidewheredatashouldbestoredonthenetwork.Networkworkstationsrequireaccesstooperatingsystemfiles,applications,anddata,andthelocationswheretheseelementsarestoredisanimportantpartofcreatingasafeandstablenetworkenvironment.Someadministratorsactuallyexercisenocontroloverwhereusersstorefiles.Fortunately,mostWindowsapplicationsinstallthemselvestoadefaultdirectorylocatedintheC:\ProgramFilesfolderonthelocal
system,whichprovidesameasureofconsistencyifnothingelse.Someapplicationsevencreatedefaultdatadirectoriesonthelocaldrive,butleavinguserstotheirowndeviceswhenitcomestostoringtheirdatafilesisaninherentlydangerouspractice.Manyusershavelittleornoknowledgeoftheircomputer’sdirectorystructureandlittleornotraininginfilemanagement.Thiscanresultinfilesfordifferentapplicationsallbeingdumpedintoasinglecommondirectoryandleftunprotectedfromaccidentaldamageorerasure.
Server-BasedOperatingSystemsIntheearlydaysofWindows,runningtheoperatingsystemfromaserverdrivewasapracticalalternativetohavingindividualinstallationsoneveryworkstation.Storingtheoperatingsystemfilesonaserverenabledthenetworkadministratornotonlytopreventthemfrombeingtamperedwithoraccidentallydeleted,butalsotoupgradealltheworkstationsatonce.Thetechniquealsosaveddiskspaceontheworkstation’slocaldrive.However,astheyearspassed,thecapacityofatypicalharddriveonanetworkworkstationgrewenormously,asdidthesizeoftheWindowsoperatingsystemitself.
Today,thepracticeofinstallinganoperatingsystemontoamappedserverdriveisnotpractical.AworkstationrunningWindowsmustloadmanymegabytesoffilesjusttobootthesystem,andwhenyoumultiplythisbyhundredsofcomputers,theamountofnetworktrafficcreatedbythispracticecouldsaturateeventhefastestnetwork.Inaddition,diskspaceshortagesarenotabigproblemnowthatworkstationsroutinelyshipwithdrivesthatholdanywherefrom500GBto1TBormore.Installingtheoperatingsystemontothelocaldriveis,inmostcases,theobvioussolution.
However,newertechnologiesareavailabletodaythatareonceagainmakingitpracticaltorunaWindowsoperatingsystemfromaserver.Thistime,theworkstationsdonotdownloadtheentireoperatingsystemfromtheserverdrive.Instead,theworkstationsfunctionasclientterminalsthatconnecttoaterminalserver.Theworkstationoperatingsystemandapplicationsactuallyrunontheserver,whiletheterminalfunctionssolelyasaninput/outputdevice.Asaresult,theworkstationsrequireonlyminimalresourcesbecausetheservertakesmostoftheburden.
Server-Based Applications

Running applications from a server drive rather than individual workstation installations is another way to provide a consistent environment for your users and minimize the network’s administrative burden. At its simplest, you do this by installing an application in the usual manner and specifying a directory on a network drive instead of a local directory as the location for the program files. Windows applications are rarely simple, however, and the process is usually more complicated.

Running applications from server drives has both advantages and disadvantages. On the plus side, as with server-based operating systems, you get disk space savings on the local drives, the ability to protect the application files against damage or deletion, and the ability to upgrade and maintain a single copy of the application files rather than individual copies on each workstation. The disadvantages are that server-based applications nearly always run more slowly than local ones, generate a substantial amount of network traffic, and do not function when the server is malfunctioning or otherwise unavailable.

In the days of DOS, applications were self-contained and usually consisted of no more than a single program directory that contained all of the application’s files. You could install the application to a server drive and then let other systems use it simply by running the executable file. Today’s applications are much more complex, and the installation program is more than just a means of copying files. In addition to the program files, a Windows application installation may include registry settings and Windows DLLs that must be installed on the local machine, as well as a procedure for creating the Start menu entries and icons needed to launch the application.

When you want to share a server-based application with multiple workstations, you usually still have to perform a complete installation on each computer. This is to ensure that each workstation has all of the DLL files, registry settings, and icons needed to run the application. One way to implement a server-based application is to perform a complete installation of the program on each workstation, specifying the same directory on a server drive as the destination for the program files in each case. This way, each workstation receives all of the necessary files and modifications, and only one copy of the application files is stored on the server.

However, another important issue is the ability to maintain individual configuration settings for each of the computers accessing the application. When one user modifies the interface of a shared application, you don’t want those modifications to affect every other user. As a result, each of the application’s users must maintain their own copies of the application configuration settings. Whether this is an easy task, or even a possible one, depends on how each individual application stores its configuration settings. If, for example, the settings are stored in the registry or a Windows INI file, the installation process will create a separate configuration on each workstation. However, if the settings are stored with the program files on the server by default, you must take steps to prevent each user’s changes from overwriting those of the other users.

In some cases, it is possible to configure an application to store its configuration settings in an alternative location, enabling you to redirect them to each workstation’s local drive or to each user’s home directory on a server. If this is not possible, the application may not be suitable for use in a shared environment. In many cases, the most practical way to run applications from a server is to select applications that have their own networking capabilities. Microsoft Office, for example, lets you create an administrative installation point on a server that you can use to install the application on your workstations. When you perform each installation, you can select whether the application files should be copied to the local drive, run from the server drive, or split between the two.

Many companies are moving toward cloud-based apps these days, which can be run on virtually any OS and any device that has an Internet connection and a web browser, eliminating the need for installing any files. These would also be considered server-based applications.
Storing Data Files

On most of today’s Windows networks, both the operating system and the applications are installed on local workstation drives, but it is still up to the network administrator to decide where the data files generated and accessed by users should be stored. The two primary concerns that you must evaluate when making this decision are accessibility and security. Users must certainly have access to their own data files, but there are also files that have to be shared by many users. Important data files also have to be protected from modification and deletion by unauthorized personnel and have to be backed up to an alternative medium to guard against a disaster, such as a fire or disk failure.

Data files come in various types and formats that can affect the way in which you store them. Individual user documents, such as those created in word processor or spreadsheet applications, are designed for use by one person at a time, while databases can support simultaneous access by multiple users. In most cases, database files are stored on the computer running the database server application, so administrators can regulate access to them with file system permissions and protect them with regular backups. Other types of files may require additional planning.

Since many Windows operating systems are peer-to-peer network operating systems, you can allow users to store their document files on either their local drives or a server and still share them with other users on the network. However, there are several compelling reasons why it is better for all data files to be stored on servers. The first and most important reason is to protect the files from loss due to a workstation or disk failure. Servers are more likely to have protective measures in place, such as RAID arrays or mirrored drives, and are more easily backed up. Servers also make the data available at all times, while a workstation might be turned off when the user is absent.

The second reason is access control. Although Windows workstations and servers both have the same capabilities when it comes to granting access permissions to specific users, users rarely have the skills or the inclination to protect their own files effectively, and it is far easier for network administrators to manage the permissions on a single server than on many individual workstations. Another important reason for storing data on servers is that sharing the drives on every workstation can make it much more difficult to locate information on the network. To look at a Windows domain and see dozens or hundreds of computers, each with its own shares, makes the task of locating a specific file much more complicated. Limiting the shares to a relatively few servers simplifies the process.

As a result, the best strategy for most Windows networks is to install the operating system and applications on local drives and implement a strategy for storing all data files on network servers. The most common practice is to create a home directory for each user on a server, to which they have full access permissions. You should then configure all applications to store their files in that directory, by default, so that no valuable data is stored on local drives. Depending on the needs of your users, you can make the home directories private, so that only the user who owns the directory can access it, or grant all users read-only access to all of the home directories. This makes it possible for users to share files at will simply by giving another user the file name or location.

When you create a user object in the Windows Active Directory or a user account in a Windows domain, you have the option of creating a home directory for the user at the same time. By default, users are given full control over their home directories, and no one else is given any access at all. You may want to modify these permissions to grant access to the directory to the other users on the network or, at the very least, to administrators.
Setting Environment Variables in Windows

In Windows 7, open the Environment Variables dialog box. To do so, follow these steps:

1. Click Start and choose Control Panel.
2. Click User Accounts.
3. Select Change My Environment Variables from the Task pane on the left of your screen. The Environment Variables dialog box appears, as shown in Figure 25-1.

Figure 25-1 The Environment Variables dialog box in Windows 7

From this dialog box, you can create a new environment variable or modify an existing one.

In Windows 8, it takes a few more steps.

1. Click the Desktop tile, and from the desktop, click Start.
2. Right-click the desktop folder, and from the context menu, choose File Explorer.
3. Right-click This PC at the left side of your window. From the context menu that appears, click Properties.
4. At the left pane of the System window that opens, select Advanced System Settings.
5. From the System Properties dialog box, select the Advanced tab. You will see the Environment Variables button at the bottom right of the Advanced tab.
6. Click New to add a new variable or click Edit to make changes to an existing variable. Use the Delete option to delete a variable.
7. Click OK when you have made your choices.

Setting Environment Variables in Linux

In Linux, enter the following command at a shell prompt, depending on which shell you are using:

csh/tcsh: setenv variable value
bash/ksh: export variable=value

In this case, variable is the name of the environment variable and value is the value you want to assign to this variable.

Setting Environment Variables in OS X

When you are using Mac OS X, you must first open a terminal window. If you want to run jobs from the command line, enter the following command:

export variable=value

In this example, variable is the name of the environment variable and value is the value you want to assign to this variable. You can determine any environment variables that have been set with the env command.
Controlling the Workstation Environment

In an organization composed of expert computer users, you can leave everyone to their own devices when it comes to managing their Windows desktops. Experienced users can create their own desktop icons, manage their own Start menu shortcuts, and map their own drive letters. However, not many networks have only power users; in most cases, it is better for the network administrator to create a viable and consistent workstation environment.

Drive Mappings in Windows

Many less sophisticated computer users don’t fully understand the concept of a network and how a server drive can be mapped to a drive letter on a local machine. A user may have the drive letter F mapped to a particular server drive and assume that other users’ systems are configured the same way. If workstation drive mappings are inconsistent, confusion results when one user tells another that a file is located on the F drive, and the other user’s F drive refers to a different share. To avoid problems like these, administrators should create a consistent drive-mapping strategy for users who will be sharing the same resources.

As an example, in many cases users will have a departmental or workgroup server that is their “home” server, and it’s a good idea for every workstation to have the same drive letter mapped to that home server. If there are application servers that provide resources to everyone on the network, such as a company database server, then every system should use the same drive letter to reference that server, if a drive letter is needed. Implementing minor policies like these can significantly reduce the number of nuisance calls to the network help desk generated by puzzled users.

To implement a set of consistent drive mappings for your users, you can create logon script files containing NET USE commands that map drives to the appropriate servers each time the user logs on to the network. By structuring the commands properly, you should be able to create a single logon script for multiple users. To map a drive letter to each user’s own home directory, you use a command like the following:

NET USE X: /home

where home is the name of the directory.
Mapping a Windows Drive in Linux

Before you can share a Windows drive, ensure that your network settings allow the connection. To do so, go to the Network and Sharing Center. In Windows 7, choose Change Advanced Sharing Settings. To access the Network Center in Windows 8, access the Network and Sharing Center through Control Panel | Network And Internet. Turn on network discovery and file and printer sharing, as shown in Figure 25-2.

Figure 25-2 Change settings in Windows Network and Sharing Center to enable mapping a Linux drive.

Create a folder on your Windows machine to share. This example uses a folder on the desktop named LinuxShare. Right-click the new folder and click Properties to open the Properties dialog box. Click the Sharing tab and choose Advanced Sharing.

Click “Share this folder.”

Click Permissions to open the Permissions dialog box. Add or remove the user accounts (on the Windows computer) and indicate the controls you want applied. Click OK to close each window. While still in the Properties dialog box, select the Security tab. Ensure the permissions showing in this tab are the same as you set in the earlier dialogs. If all is the same, click Close to close the dialog box. Your new folder is now shared and available to your Linux computer.

Your Linux computer must have either CIFS or SMBFS. The Linux kernel you are using must be configured for binary distribution. The following are the commands to install CIFS/SMBFS for Ubuntu, Debian, and Red Hat. For each, you must first open a terminal:

• In Red Hat, the command is sudo yum install cifs-utils.
• In Debian or Ubuntu, the command is sudo apt-get install smbfs.

Then, create a directory and mount your shared folder to that directory. Use the following commands:

mkdir ~/Desktop/Windows-LinuxShare
sudo mount.cifs //WindowsPC/Share /home/MyComputer/Desktop/Windows-LinuxShare -o user=Bobbi

You may be prompted for the root password for both your Linux and Windows computers.

Mapping a Windows Drive in Apple OS X

Mac OS X contains a shortcut with which you can easily map and access network drives without any extra software.

1. Open the Finder utility.
2. Press COMMAND-SHIFT-K to open the appropriate server connections.
3. The dialog box that opens allows you to enter the appropriate network address or browse the network. Click the Connect button at the bottom right of the window when you have located the drive.
User Profiles

Creating user profiles is a method of storing the shortcuts and desktop configuration settings for individual users in a directory, where a computer can access them during the system startup sequence. By creating separate profiles for different users, each person can retrieve their own settings when they log on. When you store multiple profiles on a local machine, you make it possible for users to share the same workstation without overwriting each other’s settings. When you store the profiles on a network server, users can access their settings from any network workstation; this is called a roaming profile. In addition, you can force users to load a specific profile each time they log on to a system and prevent them from changing it; this is called a mandatory profile.

The registry on a Windows computer contains two files on the local drive, called System.dat and NTUser.dat. NTUser.dat corresponds to the HKEY_CURRENT_USER key in the registry, which contains all of the environmental settings that apply to the user who is currently logged on. On a Windows operating system after Windows ME, the corresponding file is called Ntuser.dat. This file, called a registry hive, forms the basis of a user profile. By loading an Ntuser.dat file during the logon sequence, the computer writes the settings contained in the file to the registry, and they then become active on the system.

The user hive contains the following types of system configuration settings:

• All user-definable settings for Windows Explorer
• Persistent network drive connections
• Network printer connections
• All user-definable settings in the Control Panel, such as the Display settings
• All taskbar settings
• All user-definable settings for Windows accessories, such as Calculator, Notepad, Clock, Paint, and HyperTerminal
• All bookmarks created in the Windows Help system

In addition to the hive, a user profile can include subdirectories that contain shortcuts and other elements that form parts of the workstation environment. These subdirectories are as follows:

• Application Data: Contains application-specific data, such as custom dictionary files
• Cookies: Contains cookies used by Internet Explorer to store information about the system’s interaction with specific Internet sites
• Desktop: Contains shortcuts to programs and files that appear on the Windows desktop
• Favorites: Contains shortcuts to programs, files, and URLs that appear in Internet Explorer’s Favorites list
• Local Settings: This directory contains the following subfolders:
  • Application Data
  • History
  • Temp
  • Temporary Internet Files
• My Documents: Contains shortcuts to personal documents and other files
• NetHood: Contains shortcuts that appear in the Network Neighborhood window
• PrintHood: Contains shortcuts that appear in the Printers window
• Recent: Contains shortcuts to files that appear in the Documents folder in the Start menu
• SendTo: Contains shortcuts to programs and file system locations that appear in the context menu’s SendTo folder
• Start Menu: Contains folders and shortcuts to programs and files that appear in the Start menu
• Templates: Contains shortcuts to document templates

NOTE The NetHood, PrintHood, and Templates directories are hidden by default. To view them, you must configure Windows Explorer to display hidden files.

Between the hive and the subdirectories, the user profile configures most of a user’s workstation environment—including cosmetic elements, such as screen colors and wallpaper, and operational elements, such as desktop icons and Start menu shortcuts. The more concrete elements of the system configuration, such as hardware device drivers and settings, are not included in the user profile. If, for example, you install a new piece of hardware on a system, all users will have access to it, regardless of which profile is in use.

By default, Windows creates a user profile for each different user who logs on to the machine and stores them in the Documents and Settings directory on the system drive. The system also creates a default user profile during the operating system installation process that functions as a template for the creation of new profiles. If there are elements that you want included in all of the new profiles created on a computer, you can make changes to the profile in the Default User subdirectory before any of the users log on. The system will then copy the default profile to a new subdirectory each time a new user logs on. Changing the Default User subdirectory does not affect the user profiles that have already been created, however.
Creating Roaming Profiles

Windows stores user profiles on the local machine by default. You can modify this behavior by specifying a location on a network server for a particular user’s profile in the same Windows Profile page or User Environment Profile dialog box in which you specified the location of the user’s home directory. The profile server can be any system that is accessible by the workstation. Once you specify the location for the profile, the operating system on the workstation copies the active profile to the server drive the next time the user logs off the network.

The best way to organize user profiles on the network is to designate a single machine as a profile server and create subdirectories named for your users, in which the profiles will be stored. When you specify the location of the profile directory for each user, you can use the %UserName% variable as part of the path, as follows:

\\Ntserver\Profiles\%UserName%

The system then replaces the %UserName% variable with the user’s logon name, as long as the variable appears only once in the path and the variable is the last subdirectory in the path. In other words, the path \\Ntserver\Users\%UserName%\Profile would not be acceptable. However, the system does recognize an extension added to the variable, making \\Ntserver\Profiles\%UserName%.man an acceptable path.
Storing user profiles on a server does not delete them from the workstation from which they originated. Once the server-based profile is created, each logon by the user triggers the following process:

1. The workstation compares the profile on the server with the profile on the workstation.
2. If the profile on the server is newer than that on the workstation, the system copies the server profile to the workstation drive and loads it from there into memory.
3. If the two profiles are identical, the workstation loads the profile on the local drive into memory without copying from the server.
4. When the user logs off, the workstation writes to both the local drive and the server any changes that have been made to the registry keys and shortcut directories that make up the profile.

Because the profile is always loaded from the workstation’s local drive, even when a new version is copied from the server, it is important to consider the ramifications of making changes to the profile from another machine. If, for example, an administrator modifies a profile on the server by deleting certain shortcuts, these changes will likely have no effect because those shortcuts still exist on the workstation and copying the server profile to the workstation drive does not delete them. To modify a profile, you must make changes on both the server and workstation copies.

One of the potential drawbacks of storing user profiles on a network server is the amount of data that must be transferred on a regular basis. The registry hive and the various shortcut subdirectories are usually not a problem. But if, for example, a Windows user stores many megabytes worth of files in the My Documents directory, the time needed to copy that directory to the server and read it back again can produce a noticeable delay during the logoff and logon processes.

Creating Mandatory Profiles

When users modify elements of their Windows environment, the workstation writes those changes to their user profiles so that the next time they log on, the changes take effect. However, it’s possible for a network administrator to create mandatory profiles that the users are not permitted to change so that the same workstation environment loads each time they log on, regardless of the changes they made during the last session. To prevent users from modifying their profiles when logging off the system, you simply change the name of the registry hive in the server profile directory from Ntuser.dat to Ntuser.man or from User.dat to User.man. When the workstation detects the MAN file in the profile directory, it loads that instead of the DAT file and does not write anything back to the profile directory during the logoff procedure.

NOTE When creating a mandatory profile, be sure that the user is not logged on to the workstation when you change the registry hive file extension from .dat to .man. Otherwise, the hive will be written back to the profile with a .dat extension during the logoff.

Another modification you can make to enforce the use of the profile is to add a .man extension to the directory in which the profile is stored. This prevents the user from logging on to the network without loading the profile. If the server on which the profile is stored is unavailable, the user can’t log on. If you choose to do this, be sure to add the .man extension both to the directory name and to the path specifying the name of the profile directory in the user object’s Properties dialog box or the User Environment Profile dialog box.

It’s important to note that making profiles mandatory does not prevent users from modifying their workstation environments; it just prevents them from saving those modifications back to the profile. Also, making a profile mandatory does not in itself prevent the user from manually modifying the profile by adding or deleting shortcuts or accessing the registry hive. If you want to exercise greater control over the workstation to prevent users from making any changes to the interface at all, you must use another mechanism, such as system policies, and be sure to protect the profile directories on the server using file system permissions.
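To make the four-step logon/logoff sequence and the .man rule above concrete, here is an added Python model (not code from the book or from Windows) in which each profile copy is a dictionary of file names with a logical timestamp; the shortcut names and timestamps are constructed for the example.

```python
"""Constructed model of the roaming-profile logon/logoff sequence and of the
.man (mandatory) hive rule described above. It is an illustration, not Windows
code: each profile copy is a dict of file name -> contents plus a logical
timestamp, and 'copying' follows the rules the text gives."""
import copy

MANDATORY_HIVE = "Ntuser.man"  # hive renamed from Ntuser.dat to make the profile mandatory


def make_profile(mtime, files, hive="Ntuser.dat"):
    """Build one profile copy (server-side or workstation-side)."""
    return {"hive": hive, "mtime": mtime, "files": dict(files)}


def logon(server, local):
    """Steps 1-3 of the logon process.

    If the server copy is newer, its files are copied onto the workstation copy.
    Copying only adds or overwrites files; anything that exists only on the
    workstation survives, which is why deleting a shortcut on the server alone
    has no effect. The profile is then always loaded from the local copy.
    """
    if server["mtime"] > local["mtime"]:
        local["files"].update(copy.deepcopy(server["files"]))
        local["hive"] = server["hive"]
        local["mtime"] = server["mtime"]
    return copy.deepcopy(local["files"])  # the in-memory profile for this session


def logoff(session_files, server, local, now):
    """Step 4: write the session's changes to both copies at logoff.

    When the server directory holds a .man hive, the workstation writes nothing
    back, so the user's changes are discarded. Returns True if a write-back happened.
    """
    if server["hive"].lower().endswith(".man"):
        return False
    for profile in (local, server):
        profile["files"] = copy.deepcopy(session_files)
        profile["mtime"] = now
    return True


def admin_deletion_scenario():
    """An administrator deletes Desktop\\Games.lnk in the server copy only.

    Returns (shortcut still loaded at next logon, shortcut back on the server after logoff).
    """
    local = make_profile(10, {"Desktop\\Games.lnk": "lnk", "Desktop\\Word.lnk": "lnk"})
    server = make_profile(20, {"Desktop\\Word.lnk": "lnk"})  # newer copy, Games.lnk removed
    session = logon(server, local)
    still_loaded = "Desktop\\Games.lnk" in session
    logoff(session, server, local, now=30)
    return still_loaded, "Desktop\\Games.lnk" in server["files"]


def mandatory_profile_scenario():
    """The server hive is Ntuser.man: the user can still change the desktop during
    the session, but nothing is saved back. Returns (write-back happened, change on server)."""
    local = make_profile(10, {"Desktop\\Word.lnk": "lnk"})
    server = make_profile(20, {"Desktop\\Word.lnk": "lnk"}, hive=MANDATORY_HIVE)
    session = logon(server, local)
    session["Desktop\\Solitaire.lnk"] = "lnk"  # change made during the session
    written = logoff(session, server, local, now=30)
    return written, "Desktop\\Solitaire.lnk" in server["files"]


if __name__ == "__main__":
    print("admin deletion:", admin_deletion_scenario())        # (True, True)
    print("mandatory profile:", mandatory_profile_scenario())  # (False, False)
```

The first scenario shows the deleted shortcut reappearing on the server after logoff, which is why the text says to change both copies; the second shows the session change being discarded.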
Replicating Profiles

If you intend to rely on server-based user profiles to create workstation environments for your users, you should take pains to ensure that those profiles are always available to your users when they log on. This is particularly true if you intend to use mandatory profiles with .man extensions on the directory names because if the server on which the profiles are stored is malfunctioning or unavailable, the users cannot log on. One way of doing this is to create your profile directories on a domain controller and then use the Directory Replicator service in Windows to copy the profile directories to the other domain controllers on the network on a regular basis.

Once you have arranged for the profile directories to be replicated to all of your domain controllers, you can use the %LogonServer% variable in each user’s profile path to make sure they can always access the profile when logging on, as in the following example:

\\%LogonServer%\users\%UserName%

During the logon process, the workstation replaces the %LogonServer% variable with the name of the domain controller that authenticated the user. Since the profile directories have been copied to all of the domain controllers, the workstation always has access to the profile as long as it has access to a domain controller. If no domain controller is available, you have much bigger problems to worry about than user profiles.
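As an added example (not code from the book), the following Python applies the %UserName% placement rules from the roaming-profile section and the %LogonServer% substitution described here; the names Ntserver, DC1 and bobbi are constructed sample values, and the substitution itself is something Windows performs, this only models the rules.

```python
"""Added illustration of the profile-path rules stated above: %UserName% may
appear once, must be the last subdirectory (an extension such as .man may follow
it), and %LogonServer% is replaced by the authenticating domain controller.
This models the rules only; the real substitution is done by Windows at logon."""
import re

# Last path component: the variable, optionally followed by an extension (e.g. .man).
_USERNAME_LAST = re.compile(r"%username%(\.[a-z0-9]+)?", re.IGNORECASE)


def _last_component(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def check_profile_path(path):
    """Return (accepted, reason) for a profile path that may contain %UserName%."""
    occurrences = path.lower().count("%username%")
    if occurrences == 0:
        return True, "no %UserName%: every user given this path shares one profile directory"
    if occurrences > 1:
        return False, "%UserName% may appear only once in the path"
    if not _USERNAME_LAST.fullmatch(_last_component(path)):
        return False, "%UserName% must be the last subdirectory (a trailing extension such as .man is allowed)"
    return True, "ok"


def expand_profile_path(path, user_name, logon_server):
    """Substitute the variables as the workstation does during logon."""
    expanded = re.sub(r"%username%", lambda _: user_name, path, flags=re.IGNORECASE)
    return re.sub(r"%logonserver%", lambda _: logon_server, expanded, flags=re.IGNORECASE)


def is_mandatory_directory(path):
    """True when the profile directory name carries the .man extension, which
    also means the user cannot log on if the server holding it is unavailable."""
    return _last_component(path).lower().endswith(".man")


if __name__ == "__main__":
    for p in (r"\\Ntserver\Profiles\%UserName%",
              r"\\Ntserver\Profiles\%UserName%.man",
              r"\\Ntserver\Users\%UserName%\Profile"):
        print(p, check_profile_path(p))
    print(expand_profile_path(r"\\%LogonServer%\users\%UserName%", "bobbi", "DC1"))
```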
Creating a Network Default User Profile

Windows systems have a default user profile they use as a template for the creation of new profiles. As mentioned earlier, you can modify this default profile so that all of the new profiles created on that machine have certain characteristics. It is also possible to create a default user profile on your network to provide the same service for all new profiles created on the network.

Controlling the Workstation Registry

The registry is the central repository for configuration data in most Windows systems, and exercising control over the registry is a major part of a system administrator’s job. The ability to access a workstation’s registry in either a remote or automated fashion enables you to control virtually any aspect of the system’s functionality and also protect the registry from damage due to unauthorized modifications.

Using System Policies

Nearly all Windows operating systems include system policies, which enable you to exercise a great deal of control over a workstation’s environment. By defining a set of policies and enforcing them, you can control what elements of the operating system your users are able to access, what applications they can run, and the appearance of the desktop. System policies are really nothing more than collections of registry settings that are packaged into a system policy file and stored on a server drive. When a user logs on to the network, the workstation downloads the system policy file from the server and applies the appropriate settings to the workstation’s registry. Because workstations load the policy file automatically during the logon process, users can’t evade them. This makes system policies an excellent tool for limiting users’ access to the Windows interface.

Using system policies is an alternative to modifying registry keys directly and reduces the possibility of system malfunctions due to typographical or other errors. Instead of browsing through the registry tree, searching for cryptic keys and value names, and entering coded values, you create system policy files using a graphical utility called System Policy Editor (SPE). SPE displays registry settings in the form of policies, plain-English phrases with standard Windows dialog box elements arranged in a treelike hierarchy, such as the Local Group Policy Editor dialog as seen in Figure 25-3.

Figure 25-3 The Local Group Policy Editor dialog box

In both Windows 7 and Windows 8, you must use the Run command to open SPE. In Windows 7, type gpedit.msc in the search box; in Windows 8, find the Run app, type gpedit.msc, and click OK, as shown in Figure 25-4.

Figure 25-4 Opening the Local Group Policy Editor from the Run command or app

System Policy Templates

System Policy Editor is simply a tool for creating policy files; it has no control over the policies it creates. The policies themselves come from system policy templates, which are ASCII files that contain the registry keys, possible values, and explanatory text that make up the policies displayed in SPE. For example, the following excerpt from the Common.adm policy template creates the Remote Update policy:

All of the Windows operating systems include a variety of administrative template files in addition to the SPE program itself. These files currently have the .admx extension, although earlier versions used .adm. Other applications, such as Microsoft Office and Internet Explorer, include their own template files containing policies specific to those applications, and you can even create your own custom templates to modify other registry settings.

By selecting Options | Policy Template, you can load the templates that SPE will use to create policy files. You can load multiple templates into SPE, and the policies in them will be combined in the program’s interface. Whenever you launch SPE, it loads the templates that it was using when it was last shut down, as long as the files are still in the same locations. When you use multiple policy templates in SPE, it is possible for policies defined in two different templates to configure the same registry setting. If this type of duplication occurs, the policy closest to the bottom of the hierarchy in the object’s Properties dialog box takes precedence.

System Policy Files

Using SPE, you can create policies that apply to only specific users, groups, and computers, as well as create Default User and Default Computer policies. Policies for multiple network users and computers are stored in a single file that every computer downloads from a server as it logs on to the network.
Restricting Workstation Access with System Policies

One of the primary functions of system policies is to prevent users from accessing certain elements of the operating system. There are several reasons for doing this, such as these:

• Prohibiting users from running unauthorized software
• Preventing users from adjusting cosmetic elements of the interface
• Insulating users from features they cannot use safely

By doing these things, you can prevent users from wasting time on nonproductive activities and causing workstation malfunctions through misguided experimentation that requires technical support to fix. The following sections describe how you can use specific system policies to control the workstation environment.

Restricting Applications

One of the primary causes of instability on Windows workstations is the installation of incompatible applications. Most Windows software packages include dynamic link library (DLL) modules that get installed to the Windows system directories, and many times these modules overwrite existing files with new versions designed to support that application. The problem with this type of software design is that installing a new version of a particular DLL may affect other applications already installed in the system that are using the DLL.

The way to avoid problems stemming from this type of version conflict is to assemble a group of applications that supplies the users’ needs and then test the applications thoroughly together. Once you have determined that the applications are compatible, you install them on your workstations and prevent users from installing other software that can introduce incompatible elements. Restricting the workstation software also prevents users from installing nonproductive applications, such as games, that can occupy large amounts of time, disk space, and even network bandwidth.

NOTE This kind of testing can take a lot of time.

Another potential source of unauthorized software is the Internet. If you are going to provide your users with access to services such as the Web, you may want to take steps to prevent them from installing downloaded software. One way of doing this, and of preventing all unauthorized software installations, is to use system policies that prevent users from running the setup program needed to install the software. Some of the policies that can help you do this are as follows:

• Remove Run Command from Start menu: Prevents the user from launching application installation programs by preventing access to the Run dialog box.
• Run Only Allowed Windows Applications: Enables the administrator to specify a list of executable files that are the only programs the user is permitted to execute. When using this policy, be sure to include executables that are needed for normal Windows operation, such as Systray.exe and Explorer.exe.
Locking Down the Interface

There are many elements of the Windows interface that unsophisticated users do not need to access, and suppressing these elements can prevent the more curious users from exploring things they don’t understand and possibly damaging the system. Some of the policies you can use to do this are as follows:

• Remove Folders from Settings on Start menu: Suppresses the appearance of the Control Panel and Printers folders in the Start menu’s Settings folder. This policy does not prevent users from accessing the Control Panel in other ways, but it makes the user far less likely to explore it out of idle curiosity. You can also suppress specific Control Panel icons on Windows systems using policies such as the following:
  • Restrict Network Control Panel
  • Restrict Printer Settings
  • Restrict Passwords Control Panel
  • Restrict System Control Panel
• Remove Taskbar from Settings on Start menu: Prevents users from modifying the Start menu and taskbar configuration settings.
• Remove Run Command from Start menu: Prevents users from launching programs or executing commands using the Run dialog box. This policy also provides users with additional insulation from elements such as the Control Panel and the command prompt, both of which can be accessed with Run commands.
• Hide All Items on Desktop: Suppresses the display of all icons on the Windows desktop. If you want your users to rely on the Start menu to launch programs, you can use this policy to remove the distraction of the desktop icons.
• Disable Registry Editing Tools: Direct access to the Windows registry should be limited to people who know what they’re doing. This policy prevents users from running the registry-editing tools included with the operating system.
• Disable Context Menus for the Taskbar: Prevents the system from displaying a context menu when you click the secondary mouse button on a taskbar icon.

You can also use system policies to secure the cosmetic elements of the interface, preventing users from wasting time adjusting the screen colors and desktop wallpaper. In addition, you can configure these items yourself to create a standardized desktop for all of your network’s workstations.

As an alternative to user profiles, system policies enable you to configure with greater precision the shortcuts found on the Windows desktop and in the Start menu. Instead of accessing an entire user profile as a whole, you can specify the locations of individual shortcut directories for various elements of the interface.
Protecting the File System

Limiting access to the file system is another way of protecting your workstations against user tampering. If you preconfigure the operating system and applications on your network workstations and force your users to store all of the data files on server drives, there is no compelling reason why users should have direct access to the local file system. By blocking this access with system policies, you can prevent users from moving, modifying, or deleting files that are crucial to the operation of the workstation. You can limit users’ access to the network also, using policies such as the following:

• Hide Drives in My Computer: Suppresses the display of all drive letters in the My Computer window, including both local and network drives.
• Hide Network Neighborhood: Suppresses the display of the Network Neighborhood icon on the Windows desktop and disables UNC connectivity. For example, when this policy is enabled, users can’t access network drives by opening a window with a UNC name in the Run dialog box.
• No Entire Network in Network Neighborhood: Suppresses the Entire Network icon in the Network Neighborhood window, preventing users from browsing network resources outside the domain or workgroup.
• No Workgroup Contents in Network Neighborhood: Suppresses the icons representing the systems in the current domain or workgroup in the Network Neighborhood window.
• Remove Find Command from Start Menu: Suppresses the Find command, preventing users from accessing drives that may be restricted in other ways. If, for example, you use the Hidden attribute to protect the local file system, the Find command can still search the local drive and display the hidden files.

Locking down the file system is a drastic step, one that you should consider and plan for carefully. Only certain types of users will benefit from this restricted access, and others may severely resent it. In addition to system policies, you should be prepared to use file system permissions and attributes to prevent specific types of user access.

Above all, you must make sure that the system policies you use to restrict access to your workstations do not inhibit the functionality your users need to perform their jobs and that the features you plan to restrict are not accessible by other methods. For example, you might prevent access to the Control Panel by removing the folder from the Settings group in the Start menu, but users will still be able to access it from the My Computer window or the Run dialog box, unless you restrict access to those as well.
Deploying System Policies

The use of system policies by a Windows computer is itself controlled by a policy called Remote Update, which is applicable to all of the Windows operating systems. This policy has three possible settings:

• Off: The system does not use system policies at all.
• Automatic: The system checks the root directory of the Netlogon share on the authenticating domain controller for a policy file called Ntconfig.pol or Config.pol.
• Manual: The system checks for a policy file in a directory specified as the value of another policy called Path for Manual Update.

Using the Remote Update policy, you can configure your systems to access policy files from the default location or from any location you name. For workstations to have access to the policy files at all times, it is a good idea to replicate them to all of your domain controllers, either manually or automatically, just like you can do with user profiles.
CHAPTER
26 NetworkManagementandTroubleshootingTools
No matter how well designed and well constructed your network is, there are going to be times when it does not function properly. Part of the job of a network administrator is to monitor the day-to-day performance of the network and cope with any problems that arise. To do this, you must have the appropriate tools. In Chapter 2, you learned about the seven layers of the networking stack as defined in the Open Systems Interconnection (OSI) reference model. Breakdowns can occur at virtually any layer, and the tools used to diagnose problems at the various layers are quite different. Knowing what resources are available to you is a large part of the troubleshooting battle; knowing how to use them properly is another large part.
Operating System Utilities
Many administrators are unaware of the network troubleshooting capabilities that are built into their standard operating systems, and as a result, they sometimes spend money needlessly on third-party products and outside consultants. The following sections examine some of the network troubleshooting tools that are provided with the operating systems commonly used on today’s networks.
Windows Utilities
The Windows operating systems include a variety of tools that you can use to manage and troubleshoot network connections. Most of these tools are included in various Windows packages, although they may take slightly different forms. To learn more about each utility, type its name followed by a space and then /?.
NOTE: While Command Prompt commands look similar to old MS-DOS commands, they are not DOS commands because the current Windows configurations do not contain MS-DOS.
Accessing the Command Prompt in Windows 7
These tools are exercised at the Command Prompt line. In Windows 7, there are several ways to access the Command Prompt:
• Choose Start | All Programs | Accessories | Command Prompt, as shown in Figure 26-1.
Figure 26-1  Command Prompt in the Accessories folder
• Type cmd.exe in the Start search box.
• Type command in the Start search box and select Command Prompt from the resulting menu.
Accessing the Command Prompt in Windows 8.1
You can quickly access the Command Prompt in Windows 8.1 in the following ways:
• Hold down the Windows key and press R. This opens the Run dialog box. Type cmd and click OK (or press Enter), as shown in Figure 26-2.
Figure 26-2  Use the Run dialog box in Windows 8.1.
• Hold down the Windows key and press X (or right-click the Start button) to open the Power User menu. Choose Command Prompt, as shown in Figure 26-3.
Figure 26-3  Find Command Prompt on the Power User menu.
• From the Apps screen, on a touchscreen, swipe to the right to find the Windows System section. Click Command Prompt. When using a mouse, drag your mouse from the right side of the screen.
Net.exe
The NET command is the primary command-line control for the Windows network client. You can use NET to perform many of the same networking functions that you can perform with graphical utilities, such as Windows Explorer in Windows 7 or File Explorer in Windows 8. Because NET is a command-line utility, you can include the commands in logon scripts and batch files. For example, you can use this command to log on and off of the network, map drive letters to specific network shares, start and stop services, and locate shared resources on the network.
To use the program, you execute the file from the command line with a subcommand, which may take additional parameters. These subcommands and their functions are listed in Table 26-1, with some of the key functions being examined in the following sections. The subcommands display when you type NET in the Command Prompt dialog, as shown in Figure 26-4.
Table 26-1  Windows NET Subcommands
Figure 26-4  NET subcommands
TCP/IP Utilities
Transmission Control Protocol/Internet Protocol (TCP/IP) has become the most commonly used protocol suite in the networking industry, and many network administration and troubleshooting tasks involve working with various elements of these protocols. Because virtually every computing platform supports TCP/IP, a number of basic tools have been ported to many different operating systems, some of which have also been adapted to specific needs. The following sections examine some of these tools but do so more from the perspective of their basic functionality and usefulness to the network administrator than from the operational elements of specific implementations.
Ping
Ping is unquestionably the most common TCP/IP diagnostic tool and is included in virtually every implementation of the TCP/IP protocols. In most cases, Ping is a command-line utility, although some graphical or menu-driven versions are available that use a different interface to perform the same tasks. The basic function of Ping is to send a message to another TCP/IP system on the network to determine whether the protocol stack up to the network layer is functioning properly. Because the TCP/IP protocols function in the same way on all systems, you can use Ping to test the connection between any two computers, regardless of processor platform or operating system.
Ping works by transmitting a series of Echo Request messages to a specific IP address using the Internet Control Message Protocol (ICMP). When the computer using that IP address receives the messages, it generates an Echo Reply in response to each Echo Request and transmits it back to the sender. ICMP is a TCP/IP protocol that uses several dozen message types to perform various diagnostic and error-reporting functions. ICMP messages are carried directly within IP datagrams. No transport layer protocol is involved, so a successful Ping test indicates that the protocol stack is functioning properly from the network layer down. If the sending system receives no replies to its Echo Requests, something is wrong with either the sending or receiving system or the network connection between them.
When Ping is implemented as a command-line utility, you use the following syntax to perform a Ping test:
PING destination
where the destination variable is replaced by the name or address of another system on the network. The destination system can be identified by its IP address or by a name, assuming that an appropriate mechanism is in place for resolving the name into an IP address. This means you can use a host name for the destination, as long as you have a DNS server or HOSTS file to resolve the name. On Windows networks, you can also use NetBIOS names, along with any of the standard mechanisms for resolving them, such as WINS servers, broadcast transmissions, or an LMHOSTS file.
The screen output produced by a ping command on a Windows system looks like Figure 26-5.
Figure 26-5  Result of using the ping command in a Windows 7 system
The program displays a result line for each of the four Echo Request messages it sends by default, specifying the IP address of the recipient, the number of bytes of data transmitted in each message, the amount of time elapsed between the transmission of the request and the receipt of the reply, and the target system’s time to live (TTL). The TTL is the number of routers that a packet can pass through before it is discarded.
Ping has other diagnostic uses apart from simply determining whether a system is up and running. If you can successfully ping a system using its IP address but pings sent to the system’s name fail, you know that a malfunction is occurring in the name resolution process. When you’re trying to contact an Internet site, this indicates that there is a problem with either your workstation’s DNS server configuration or the DNS server itself. If you can ping systems on the local network successfully but not systems on the Internet, you know there is a problem with either your workstation’s Default Gateway setting or the connection to the Internet.
NOTE: Sending a ping command to a system’s loopback address (127.0.0.1) tests the operability of the TCP/IP protocol stack, but it is not an adequate test of the network interface because traffic sent to the loopback address travels down the protocol stack only as far as the network transport layer and is redirected back up without ever leaving the computer through the network interface.
In most Ping implementations, you can use additional command-line parameters to modify the size and number of the Echo Request messages transmitted by a single ping command, as well as other operational characteristics. In the Windows Ping.exe program, for example, the parameters are as follows:
ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination
• -t: Pings the specified destination until stopped by the user (with CTRL-C)
• -a: Resolves destination IP addresses to host names
• -n count: Specifies the number of Echo Requests to send
• -l size: Specifies the size of the Echo Request messages to send
• -f: Sets the IP Don’t Fragment flag in each Echo Request packet
• -i TTL: Specifies the IP TTL value for the Echo Request packets
• -v TOS: Specifies the IP Type of Service (TOS) value for the Echo Request packets
• -r count: Records the IP addresses of the routers for the specified number of hops
• -s count: Records the timestamp from the routers for the specified number of hops
• -j host-list: Specifies a partial list of routers that the packets should use
• -k host-list: Specifies a complete list of routers that the packets should use
• -w timeout: Specifies the time (in milliseconds) that the system should wait for each reply
There are many different applications for these parameters that can help you manage your network and troubleshoot problems. For example, by creating larger-than-normal Echo Requests and sending large numbers of them (or sending them continuously), you can simulate user traffic on your network to test its ability to stand up under heavy use. You can also compare the performance of various routes through your network (or through the Internet) by specifying the IP addresses of the routers that the Echo Request packets must use to reach their destinations. The -j parameter provides loose source routing, in which the packets must use the routers whose IP addresses you specify but can use other routers also. The -k parameter provides strict source routing, in which you must specify the address of every router that packets will use to reach their destination.
Pathping
Combining the features of both Tracert and Ping, Pathping, designed for networks with more than one router between hosts, sends a series of packets to each router along the route to the host. Any packet loss at any link along the route is pinpointed by Pathping.
Traceroute or Tracert
Traceroute is another utility that is usually implemented as a command-line program and included in most TCP/IP protocol stacks, although it sometimes goes by a different name. On Mac, Linux, or Unix systems, the command is called traceroute, but Windows implements the same functions in a program called Tracert.exe. The function of this tool is to display the route that IP packets are taking to reach a particular destination system.
Each of the entries in a trace represents a router that processed the packets generated by the Traceroute program on the way to their destination. In each entry there are three numerical figures that specify the round-trip time to that router, in milliseconds, followed by the DNS name and IP address of the router. In a trace to an overseas destination, the round-trip times are relatively high and can provide you with information about the backbone networks your ISP uses and the geographical path that your traffic takes. For example, when you run a trace to a destination system on another continent, you can sometimes tell when the path crosses an ocean by a sudden increase in the round-trip times. On a private network, you can use Traceroute to determine the path through your routers that local traffic typically takes, enabling you to get an idea of how traffic is distributed around your network.
Most Traceroute implementations work by transmitting the same type of ICMP Echo Request messages used by Ping, while others use UDP packets by default. The only difference in the messages themselves is that the Traceroute program modifies the TTL field for each sequence of three packets. The TTL field is a protective mechanism that prevents IP packets from circulating endlessly around a network. Each router that processes a packet decrements the TTL value by one. If the TTL value of a packet reaches zero, the router discards it and returns an ICMP Time to Live Exceeded in Transit error message to the system that originally transmitted it.
In the first Traceroute sequence, the packets have a TTL value of 1, so that the first router receiving the packets discards them and returns error messages back to the source. By calculating the interval between a message’s transmission and the arrival of the associated error, Traceroute generates the round-trip time and then uses the source IP address in the error message to identify the router. In the second sequence of messages, the TTL value is 2, so the packets reach the second router in their journey before being discarded. The third sequence of packets has a TTL value of 3, and so on, until the messages reach the destination system.
It is important to understand that although Traceroute can be a useful tool, a certain amount of imprecision is inherent in the information it provides. Just because a packet transmitted right now takes a certain path to a destination does not mean that a packet transmitted a minute from now to that same destination will take that same path. Networks (and especially those on the Internet) are mutable, and routers are designed to compensate automatically for the changes that occur. The route taken by Traceroute packets to their destination can change, even in the midst of a trace, so it is entirely possible for the sequence of routers displayed by the program to be a composite of two or more different paths to the destination because of changes that occurred in midstream. On a private network, this is less likely to be the case, but it is still possible.
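Ping’s Echo Request/Echo Reply exchange and the Time Exceeded mechanism that Traceroute depends on, as an added example that is not code from the book: the ICMP and IPv4 messages are built and parsed byte for byte with Python’s standard library, and the routers on the path are simulated in-process using constructed addresses.

```python
"""ICMP Echo Request and Echo Reply (what Ping exchanges) and the Time
Exceeded error that Traceroute provokes by sending probes with TTL 1, 2,
3, ... Added example, not code from the book; the addresses, identifier
and the list of routers are constructed sample values, and the routers
are simulated in-process rather than reached over a network."""
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload):
    """ICMP type 8: type, code, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    """Verify the checksum; return (type, code, bytes 4-7, body)."""
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return msg[0], msg[1], msg[4:8], msg[8:]


def echo_reply_for(request):
    """The destination's side of Ping: same identifier, sequence and data,
    type changed to 0 (Echo Reply) and the checksum recomputed."""
    mtype, _, rest, body = parse_icmp(request)
    if mtype != ICMP_ECHO_REQUEST:
        return None
    csum = inet_checksum(struct.pack("!BBH", ICMP_ECHO_REPLY, 0, 0) + rest + body)
    return struct.pack("!BBH", ICMP_ECHO_REPLY, 0, csum) + rest + body


def build_ipv4_header(src, dst, ttl, payload_len, proto=1):
    """Minimal 20-byte IPv4 header, no options; protocol 1 is ICMP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(dgram):
    """Return (ttl, protocol, src, dst, payload)."""
    ihl = (dgram[0] & 0x0F) * 4
    return (dgram[8], dgram[9], str(IPv4Address(dgram[12:16])),
            str(IPv4Address(dgram[16:20])), dgram[ihl:])


def router_forward(dgram, router_ip):
    """Model of one router: decrement the TTL and forward; when the TTL
    would reach zero, discard the packet and send ICMP Time Exceeded
    (type 11, code 0) to the sender, quoting its IP header plus 8 bytes."""
    ttl, proto, src, dst, payload = parse_ipv4(dgram)
    if ttl > 1:
        return "forwarded", build_ipv4_header(src, dst, ttl - 1, len(payload), proto) + payload
    quoted = dgram[:28]
    csum = inet_checksum(struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted)
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, csum, 0) + quoted
    return "time_exceeded", build_ipv4_header(router_ip, src, 64, len(icmp)) + icmp


def identify_hop(error_dgram, ident, seq):
    """Traceroute's side: the router is the source address of the error
    datagram, and the quoted inner Echo Request says which probe it answers."""
    _, proto, router, _, icmp = parse_ipv4(error_dgram)
    mtype, _, _, quoted = parse_icmp(icmp)
    if proto != 1 or mtype != ICMP_TIME_EXCEEDED:
        return None
    inner = parse_ipv4(quoted)[4]  # the first 8 bytes of our own probe
    in_type, _, _, in_id, in_seq = struct.unpack("!BBHHH", inner[:8])
    return router if (in_type, in_id, in_seq) == (ICMP_ECHO_REQUEST, ident, seq) else None


def traceroute(src, dst, path, ident=0x1234):
    """Send probes with TTL 1, 2, 3, ... through the constructed `path`
    (the routers between src and dst, in order) and return the hop list;
    the last entry is dst itself, which answers with an Echo Reply."""
    hops = []
    for ttl in range(1, len(path) + 2):
        probe = build_echo_request(ident, ttl, b"abcdefgh")
        dgram = build_ipv4_header(src, dst, ttl, len(probe)) + probe
        for router in path:
            kind, dgram = router_forward(dgram, router)
            if kind == "time_exceeded":
                hops.append(identify_hop(dgram, ident, ttl))
                break
        else:  # no router discarded it: the destination replies
            reply = echo_reply_for(parse_ipv4(dgram)[4])
            if reply is not None and parse_icmp(reply)[0] == ICMP_ECHO_REPLY:
                hops.append(dst)
    return hops


if __name__ == "__main__":
    print(traceroute("10.0.0.2", "198.51.100.7", ["10.0.0.1", "203.0.113.1"]))
```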
Route
The routing table is a vital part of the networking stack on any TCP/IP system, even those that do not function as routers. The system uses the routing table to determine where it should transmit each packet. The Route.exe program in Windows and the route command included with most other versions enable you to view the routing table and add or delete entries to it. The syntax for the Windows Route.exe program is as follows:
ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]]
The command variable takes one of the following four values:
• PRINT: Displays the contents of the routing table
• ADD: Creates a new entry in the routing table
• DELETE: Deletes an entry from the routing table
• CHANGE: Modifies the parameters of a routing table entry
The other parameters used on the Route.exe command line are as follows:
• -f: Deletes all of the entries from the routing table
• -p: Creates a permanent entry in the routing table (called a persistent route) when used with the ADD command
• destination: Specifies the network or host address of the routing table entry being added, deleted, or changed
• MASK netmask: Specifies the subnet mask associated with the address specified by the destination variable
• gateway: Specifies the address of the router used to access the host or network address specified by the destination variable
• METRIC metric: Indicates the relative efficiency of the routing table entry
• IF interface: Specifies the address of the network interface adapter used to reach the router specified by the gateway variable
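The routing table and the forwarding decision the system makes with it, as an added example that is not code from the book or from Windows: a small Python model of the ROUTE PRINT, ADD, DELETE and CHANGE operations whose lookup applies longest-prefix matching first and the metric second. All addresses are constructed sample values.

```python
"""A model of the routing table that Route.exe lets you PRINT, ADD, DELETE
and CHANGE, together with the lookup every TCP/IP host performs to decide
where to transmit a packet: the longest matching prefix wins, and among
equal prefixes the lowest metric. Added example, not code from the book
or from Windows; all addresses are constructed sample values."""
from ipaddress import IPv4Address, IPv4Network


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, destination, netmask, gateway, metric=1, interface=None, persistent=False):
        """ROUTE [-p] ADD destination MASK netmask gateway METRIC metric IF interface.
        The mask must cover the destination: host bits set raise ValueError."""
        network = IPv4Network((destination, netmask), strict=True)
        if any(r["network"] == network and str(r["gateway"]) == gateway for r in self.routes):
            raise ValueError("route already exists: %s via %s" % (network, gateway))
        self.routes.append({"network": network, "gateway": IPv4Address(gateway),
                            "metric": metric, "interface": interface or gateway,
                            "persistent": persistent})

    def delete(self, destination, netmask=None):
        """ROUTE DELETE destination [MASK netmask]; returns how many entries went."""
        keep = []
        for r in self.routes:
            same_dest = str(r["network"].network_address) == destination
            same_mask = netmask is None or str(r["network"].netmask) == netmask
            if not (same_dest and same_mask):
                keep.append(r)
        removed = len(self.routes) - len(keep)
        self.routes = keep
        return removed

    def change(self, destination, netmask, gateway=None, metric=None):
        """ROUTE CHANGE destination MASK netmask [gateway] [METRIC metric]."""
        network = IPv4Network((destination, netmask), strict=True)
        for r in self.routes:
            if r["network"] == network:
                if gateway is not None:
                    r["gateway"] = IPv4Address(gateway)
                if metric is not None:
                    r["metric"] = metric
                return True
        return False

    def lookup(self, address):
        """The forwarding decision: most specific prefix, then lowest metric.
        The 0.0.0.0 MASK 0.0.0.0 entry (the default gateway) matches every
        address with prefix length 0, so it is chosen only when nothing
        more specific fits."""
        addr = IPv4Address(address)
        candidates = [r for r in self.routes if addr in r["network"]]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))

    def print_table(self):
        """ROUTE PRINT style listing, returned as lines of text."""
        fmt = "%-19s %-16s %-16s %-16s %s"
        lines = [fmt % ("Network Destination", "Netmask", "Gateway", "Interface", "Metric")]
        for r in sorted(self.routes, key=lambda r: (int(r["network"].network_address), r["metric"])):
            lines.append(fmt % (r["network"].network_address, r["network"].netmask,
                                r["gateway"], r["interface"],
                                "%d%s" % (r["metric"], "  (persistent)" if r["persistent"] else "")))
        return lines


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("0.0.0.0", "0.0.0.0", "192.168.1.1", metric=25, interface="192.168.1.10")
    rt.add("192.168.1.0", "255.255.255.0", "192.168.1.10", metric=25, interface="192.168.1.10")
    rt.add("10.0.0.0", "255.0.0.0", "192.168.1.254", metric=10, interface="192.168.1.10")
    print("\n".join(rt.print_table()))
    print("8.8.8.8 via", rt.lookup("8.8.8.8")["gateway"])
```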
Netstat
Netstat is a command-line utility that displays network traffic statistics for the various TCP/IP protocols and, depending on the platform, may display other information as well. Nearly all operating systems support Netstat. The command-line parameters for Netstat can vary in different implementations, but one of the most basic ones is the -s parameter, which displays the statistics for each of the major TCP/IP protocols, as shown in Figure 26-6.
Figure 26-6  Netstat creates a display of IP statistics.
Apart from the total number of packets transmitted and received by each protocol, Netstat provides valuable information about error conditions and other processes that can help you troubleshoot network communication problems at various layers of the OSI model. The Windows version of Netstat also can display Ethernet statistics (using the -e parameter), which can help to isolate network hardware problems.
When executed with the -a parameter, Netstat displays information about the TCP connections currently active on the computer and the UDP services that are listening for input. The State column indicates whether a connection is currently established or a program is listening on a particular port for messages from other computers, waiting to establish a new connection.
Nslookup
Nslookup is a utility that enables you to send queries directly to a particular DNS server in order to resolve names into IP addresses or request other information. Unlike other name resolution methods, such as using Ping, Nslookup lets you specify which server you want to receive your commands so that you can determine whether a DNS server is functioning properly and whether it is supplying the correct information. Originally designed for Unix systems, an Nslookup program is available on Mac, Linux, and Windows systems. Nslookup can run in either interactive or noninteractive mode. To transmit a single query, you can use noninteractive mode, using the following syntax from the command prompt:
Nslookup hostname nameserver
Replace the hostname variable with the DNS name or IP address that you want to resolve, and replace the nameserver variable with the name or address of the DNS server that you want to receive the query. If you omit the nameserver value, the program uses the system’s default DNS server.
To run Nslookup in interactive mode, you execute the program from the command prompt with no parameters (to use the default DNS server) or with a hyphen in place of the hostname variable, followed by the DNS server name, as follows:
Nslookup - nameserver
The program produces a prompt in the form of an angle bracket (>), at which you can type the names or addresses you want to resolve, as well as a large number of commands that alter the parameters that Nslookup uses to query the name server. You can display the list of commands by typing help at the prompt. To exit the program, press CTRL-C.
Ipconfig
The Ipconfig program is a simple utility for displaying a system’s TCP/IP configuration parameters. This is particularly useful when you are using Dynamic Host Configuration Protocol (DHCP) servers to automatically configure TCP/IP clients on your network because there is no other simple way for users to see what settings have been assigned to their workstations. Nearly all systems include the ipconfig command (derived from interface configuration).
Network Analyzers
A network analyzer, sometimes called a protocol analyzer, is a device that captures the traffic transmitted over a network and analyzes its properties in a number of different ways. The primary function of the analyzer is to decode and display the contents of the packets captured from your network. For each packet, the software displays the information found in each field of each protocol header, as well as the original application data carried in the payload of the packet. Analyzers often can provide statistics about the traffic carried by the network as well, such as the number of packets that use a particular protocol and the amount of traffic generated by each system on the network. A network analyzer is also an excellent learning tool. There is no better way to acquaint yourself with networking protocols and their functions than by seeing them in action.
There is a wide variety of network analyzer products, ranging from self-contained hardware devices costing thousands of dollars to software-only products that are relatively inexpensive or free.
A network analyzer is essentially a software application running on a computer with a network interface. This is why products can either include hardware or take the form of software only. A traveling network consultant might have a portable computer with comprehensive network analyzer software and a variety of NICs to support the different networks at various sites, while an administrator supporting a private network might be better served by a less expensive software-based analyzer that supports only the type of network running at that site.
A network analyzer typically works by switching the NIC in the computer on which it runs into promiscuous mode. Normally, a NIC examines the destination address in the data link layer protocol header of each packet arriving at the computer, and if the packet is not addressed to that computer, the NIC discards it. This prevents the CPU in the system from having to process thousands of extraneous packets. When the NIC is switched into promiscuous mode, however, it accepts all of the packets arriving over the network, regardless of their addresses, and passes them to the network analyzer software for processing. This enables the system to analyze not only the traffic generated by and destined for the system on which the software is running, but also the traffic exchanged by other systems on the network.
Once the application captures the traffic from the network, it stores the entire packets in a buffer from which it can access them later during the analysis. Depending on the size of your network and the amount of traffic it carries, this can be an enormous amount of data, so you can usually specify the size of the buffer to control the amount of data captured. You can also apply filters to limit the types of data the analyzer captures.
Filtering Data
Because of the sheer amount of data transmitted over most networks, controlling the amount of data captured and processed by a network analyzer is an important part of using the product. You exercise this control by applying filters either during the capture process or afterward. When you capture raw network data, the results can be bewildering because all the packets generated by the various applications on many network systems are mixed together in a chronological display. To help make more sense out of the vast amount of data available, you can apply filters that cause the program to display only the data you need to see.
Two types of filters are provided by most network analyzers:
• Capture filters: Limit the packets that the analyzer reads into its buffers
• Display filters: Limit the captured packets that appear in the display
Usually, both types of filters function in the same way; the only difference is in when they are applied. You can choose to filter the packets as they are being read into the analyzer’s buffers or capture all of the data on the network and use filters to limit the display of that data (or both).
You can filter the data in a network analyzer in several different ways, depending on what you’re trying to learn about your network. If you’re concerned with the performance of a specific computer, for example, you can create a filter that captures only the packets generated by that machine, the packets destined for that machine, or both. You can also create filters based on the protocols used in the packets, making it possible to capture only the DNS traffic on your network, for example, or on pattern matches, enabling you to capture only packets containing a specific ASCII or hexadecimal string. By combining these capabilities, using Boolean operators such as AND and OR, you can create highly specific filters that display only the exact information you need.
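Capture filters, display filters and the bounded capture buffer described above, applied to constructed sample packets, as an added example that is not code from the book or from any analyzer product; it also produces the per-protocol and per-host counts that the traffic analysis features later in this chapter report. The host, protocol and pattern filters are combined with AND, OR and NOT exactly as the text describes.

```python
"""Capture filters, display filters and the bounded capture buffer of a
network analyzer, modelled over a constructed packet list. Added example,
not code from the book or from any analyzer product; the addresses,
protocols and payloads are constructed sample data, not a real capture."""
from collections import Counter, deque, namedtuple

Packet = namedtuple("Packet", "src dst protocol payload")

# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("192.168.1.10", "192.168.1.1", "DNS", b"\x00\x01\x01\x00\x08intranet\x07example\x03com\x00"),
    Packet("192.168.1.1", "192.168.1.10", "DNS", b"\x00\x01\x81\x80\x08intranet\x07example\x03com\x00"),
    Packet("192.168.1.10", "10.0.0.5", "HTTP", b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    Packet("10.0.0.5", "192.168.1.10", "HTTP", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Packet("192.168.1.20", "10.0.0.9", "FTP", b"USER alice\r\n"),
    Packet("192.168.1.20", "10.0.0.9", "FTP", b"PASS example-only\r\n"),  # FTP sends this in clear text
    Packet("192.168.1.30", "192.168.1.10", "ICMP", b"\x08\x00\xf7\xff\x00\x00\x00\x00"),
]


# Filter primitives: each returns a predicate over a Packet.
def host(addr, direction="both"):
    """Packets sent by ("src"), sent to ("dst") or exchanged with ("both") an address."""
    return lambda p: ((direction in ("src", "both") and p.src == addr) or
                      (direction in ("dst", "both") and p.dst == addr))


def proto(name):
    return lambda p: p.protocol == name


def contains_ascii(text):
    """Pattern match on the payload for an ASCII string."""
    needle = text.encode("ascii")
    return lambda p: needle in p.payload


def contains_hex(hexstr):
    """Pattern match on the payload for a hexadecimal byte string."""
    needle = bytes.fromhex(hexstr)
    return lambda p: needle in p.payload


# Boolean combinators.
def AND(*preds):
    return lambda p: all(f(p) for f in preds)


def OR(*preds):
    return lambda p: any(f(p) for f in preds)


def NOT(pred):
    return lambda p: not pred(p)


class Analyzer:
    """The capture filter decides what enters the buffer; the buffer is
    bounded, so once it is full the oldest packets are overwritten; a
    display filter only selects what is shown from whatever was captured."""

    def __init__(self, buffer_size, capture_filter=None):
        self.buffer = deque(maxlen=buffer_size)
        self.capture_filter = capture_filter or (lambda p: True)
        self.overwritten = 0

    def capture(self, packets):
        for p in packets:
            if self.capture_filter(p):
                if len(self.buffer) == self.buffer.maxlen:
                    self.overwritten += 1
                self.buffer.append(p)
        return len(self.buffer)

    def display(self, display_filter=None):
        return [p for p in self.buffer if display_filter is None or display_filter(p)]

    def stats(self):
        """Traffic-analysis view: packets per protocol and payload bytes per sender."""
        per_proto = Counter(p.protocol for p in self.buffer)
        bytes_by_src = Counter()
        for p in self.buffer:
            bytes_by_src[p.src] += len(p.payload)
        return per_proto, bytes_by_src


if __name__ == "__main__":
    an = Analyzer(buffer_size=100)
    an.capture(SAMPLE)
    # A display filter that flags clear-text FTP logins on the wire.
    for p in an.display(AND(proto("FTP"), contains_ascii("PASS "))):
        print("clear-text password from", p.src, "to", p.dst)
    print(an.stats())
```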
Agents
Hardware-based network analyzers are portable and designed to connect to a network at any point. Software-based products are not as portable and often include a mechanism (sometimes called an agent) that enables you to capture network traffic using the NIC in a different computer. Using agents, you can install the analyzer product on one machine and use it to support your entire network. The agent is usually a driver or service that runs on a workstation elsewhere on the network. Previously, many versions of Windows included the Windows Network Monitor, a utility that provided remote capture capabilities. This application was for capturing all the traffic on your network.
In 2012, Microsoft released the Network Message Analyzer, advertised as “much more than a network sniffer or packet tracing tool.” This utility, a free download, allows you to capture, display, and analyze messages and traffic on your Windows network.
When you run a network analyzer on a system with a single network interface, the application captures the data arriving over that interface by default. If the system has more than one interface, you can select the interface from which you want to capture data. When the analyzer is capable of using agents, you can use the same dialog box to specify the name or address of another computer on which the agent is running. The application then connects to that computer, uses its NIC to capture network traffic, and transmits it to the buffers in the system running the analyzer. When you use an agent on another network segment, however, it’s important to be aware that the transmissions from the agent to the analyzer themselves generate a significant amount of traffic.
Traffic Analysis
Some network analyzers can display statistics about the traffic on the network while it is being captured, such as the number of packets per second, broken down by workstation or protocol. Depending on the product, you may also be able to display these statistics in graphical form. You can use this information to determine how much traffic each network system or each protocol is generating.
Using these capabilities, you can determine how much of your network bandwidth is being utilized by specific applications or specific users. If, for example, you notice that user John Doe’s workstation is generating a disproportionate amount of HTTP traffic, you might conclude that he is spending too much company time surfing the Web when he should be doing other things. With careful application of capture filters, you can also configure a network analyzer to alert you of specific conditions on your network. Some products can generate alarms when traffic of a particular type reaches certain levels, such as when an Ethernet network experiences too many collisions.
In addition to capturing packets from the network, some analyzers can generate them. You can use the analyzer to simulate traffic conditions at precise levels, to verify the operational status of the network, or to stress-test equipment.
Protocol Analysis
Once the analyzer has a network traffic sample in its buffers, you can examine the packets in great detail. In most cases, the packets captured during a sample period are displayed chronologically in a table that lists the most important characteristics of each one, such as the addresses of the source and destination systems and the primary protocol used to create the packet. When you select a packet from the list, you see additional panes that display the contents of the protocol headers and the packet data, usually in both raw and decoded forms.
The first application for a tool of this type is that you can see what kinds of traffic are present on your network. If, for example, you have a network that uses WAN links that are slower and more expensive than the LANs, you can use an analyzer to capture the traffic passing over the links to make sure that their bandwidth is not being squandered on unnecessary communications.
One of the features that differentiates high-end network analyzer products from the more basic ones is the protocols that the program supports. To correctly decode a packet, the analyzer must support all the protocols used to create that packet at all layers of the OSI reference model. For example, a basic analyzer will support Ethernet and possibly Token Ring at the data link layer, but if you have a network that uses FDDI or ATM, you may have to buy a more elaborate and expensive product. The same is true at the upper layers. Virtually all analyzers support the TCP/IP protocols, and many also support IPX and NetBEUI, but be sure before you make a purchase that the product you select supports all the protocols you use. You should also consider the need for upgrades to support future protocol modifications, such as IPv6.
By decoding a packet, the analyzer is able to interpret the function of each bit and display the various protocol headers in a user-friendly, hierarchical format. In a typical decode of a web request, the display indicates that the HTTP data is carried in a TCP segment, which in turn is carried in an IP datagram, which in turn is carried in an Ethernet frame. You can expand each protocol to view the contents of the fields in its header.
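Decoding a frame layer by layer, the way the detail pane described above presents it, as an added example that is not code from the book or from any analyzer product: a constructed Ethernet II frame carrying an HTTP request over TCP/IPv4 is parsed into Ethernet, IPv4, TCP and HTTP layers, and decoding stops at raw data for any protocol the decoder does not support (the situation the previous paragraph warns about).

```python
"""Decoding a captured frame layer by layer, as an analyzer's detail pane
presents it: Ethernet > IPv4 > TCP > HTTP. Added example, not code from
the book or from any analyzer product; the frame is constructed here with
sample addresses and its checksums are left at zero."""
import struct


def _mac(b):
    return ":".join("%02x" % x for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Return a list of (layer name, fields dict), outermost layer first.
    Decoding stops with a raw 'Data' layer at any unsupported protocol."""
    if len(frame) < 14:
        return [("Data", {"bytes": frame})]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = [("Ethernet", {"dst": _mac(dst), "src": _mac(src), "type": hex(ethertype)})]
    if ethertype != 0x0800:  # only IPv4 is decoded here (ARP, IPv6 ... are not)
        return layers + [("Data", {"bytes": frame[14:]})]
    return layers + _decode_ipv4(frame[14:])


def _decode_ipv4(dgram):
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", dgram[:12])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
              "id": ident, "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl,
              "protocol": proto, "src": _ip(dgram[12:16]), "dst": _ip(dgram[16:20])}
    payload = dgram[ihl:total_len]
    if proto == 6:
        return [("IPv4", fields)] + _decode_tcp(payload)
    return [("IPv4", fields), ("Data", {"bytes": payload})]


TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def _decode_tcp(seg):
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    data_off = (off_flags >> 12) * 4
    fields = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
              "header_len": data_off, "flags": [n for n, bit in TCP_FLAGS if off_flags & bit],
              "window": window}
    payload = seg[data_off:]
    if payload and 80 in (sport, dport):  # port 80 is treated as HTTP
        return [("TCP", fields), _decode_http(payload)]
    return [("TCP", fields), ("Data", {"bytes": payload})]


def _decode_http(payload):
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return ("HTTP", {"request_line": lines[0], "headers": headers, "body": body})


def constructed_http_frame():
    """A constructed Ethernet II frame carrying an HTTP GET over TCP/IPv4
    (sample MAC and IP addresses; IP and TCP checksums left as zero)."""
    http = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0102, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])) + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip


if __name__ == "__main__":
    for name, fields in decode_frame(constructed_http_frame()):
        print(name, fields)
```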
A network analyzer is a powerful tool that can just as easily be used for illicit purposes as for network troubleshooting and support. When the program decodes a packet, it displays all of its contents, including what may be sensitive information. The FTP protocol, for example, transmits user passwords in clear text that is easily visible in a network analyzer when the packets are captured. An unauthorized user running an analyzer can intercept administrative passwords and gain access to protected servers. This is one reason why the version of Network Monitor included with Windows 2000 and NT is limited to capturing the traffic sent to and from the local system.
Cable Testers
Network analyzers can help you diagnose many types of network problems, but they assume that the physical network itself is functioning properly. When there is a problem with the cable installation that forms the network, a different type of tool, called a cable tester, is required. Cable testers are usually handheld devices that you connect to a network in order to perform a variety of diagnostic tests on the signal-conducting capabilities of the network cable. As usual, there is a wide range of devices to choose from that vary greatly in their prices and capabilities. Simple units are available for a few hundred dollars, while top-of-the-line models can cost several thousand dollars. Some combination testers can connect to various types of network cables, such as unshielded twisted-pair (UTP), shielded twisted-pair (STP), and coaxial, while others can test only a single cable type. For completely different signaling technologies, such as fiber-optic cable, you need a separate device.
Cable testers are rated for specific cable standards, such as Category 5, so that they can determine whether a cable’s performance is compliant with that standard. This is called continuity testing. During a cable installation, a competent technician tests each link to see whether it is functioning properly, taking into account problems that can be caused by the quality of the cable itself or by the nature of the installation. For example, a good cable tester tests for electrical noise caused by proximity to fluorescent lights or other electrical equipment; crosstalk caused by signals traveling over an adjacent wire; attenuation caused by excessively long cable segments or improperly rated cable; and kinked or stretched cables, as indicated by specific levels of capacitance.
In addition to testing the viability of an installation, cable testers are good for troubleshooting cabling problems. For example, a tester that functions as a time-delay reflectometer can detect breaks or shorts in a cable by transmitting a high-frequency signal and measuring the amount of time it takes for the signal to reflect back to the source. Using this technique, you can determine that a cable has a break or other fault a certain distance away from the tester. Knowing that the problem is 20 feet away, for example, can prevent you from having to poke your head up into the ceiling every few feet to check the cables running through there. Some testers can also help you locate the route that a cable takes through walls or ceilings, using a tone generator that sends a strong signal over the cable that can be detected by the tester unit when it is nearby.
All network problems can be solved by recognizing the signs of specific symptoms and tying those to the actual fault in a system. The speed of isolating and repairing the discrepancy is dependent on the technician’s knowledge of the tools available and network architecture.
CHAPTER 27
Backing Up
Oneoftheprimaryfunctionsofacomputernetworkistostore,manipulate,andsupplydata,andprotectingthatdataagainstdamageorlossisacrucialpartofthenetworkadministrator’sjobdescription.Harddiskdrivescontainmostoftherelativelyfewmovingpartsinvolvedinthenetworkdatastorageprocessandareconstructedtoincrediblytighttolerances.Asaresult,theycananddofailonoccasion,causingserviceinterruptionsanddataloss,andserverdrivesworkthehardestofall.Whenyouexaminetheinnerworkingsofaharddrive,youmayactuallywonderwhytheydon’tfailmoreoften.Inadditiontomechanicaldrivefailures,datalosscanoccurformanyothercauses,includingviruses,computertheft,naturaldisaster,orsimpleusererror.Toprotectthedatastoredonyournetwork,itisabsolutelyessentialthatyouperformregularbackupstoanalternativestoragemedium.
Whenbackingupinformationforonecomputer,youmayuseanexternalharddrive,aclouddestination,aCD/DVD,orevenaflashdrive.Manyindividualssimplycopyinformationfromtheirsmartphoneontotheircomputerandcallit“good.”Whilebackingupdataisanimportantmaintenancetaskforallcomputers,itisparticularlyvitalonanetwork,forseveralreasons.First,thedatatendstobemoreimportant;alossofcrucialdatacanbeacatastropheforabusinessthatresultsinlosttime,money,business,reputation,andinsomecasesevenlives.Second,networkdataisoftenmorevolatilethanthedataonastand-alonecomputerbecausemanydifferentusersmightaccessandmodifyitonaregularbasis.
Networkbackupsdifferfromstand-alonecomputerbackupsinfourmajorways:speed,capacity,automation,andprice.Abusinessnetworktypicallyhasdatastoredonmanydifferentcomputers,andthat,combinedwiththeever-increasingdrivecapacitiesintoday’scomputers,meansthatanetworkbackupsolutionmayhavetoprotectthousandsofterabytesofdata.Tobackupthismuchdata,backupdrivesthatarecapableofunprecedentedspeedsarerequired.
Thebigadvantageofbackingupmultiplecomputersthatareallconnectedtoanetworkisthatyoucanuseonebackupdrivetoprotectmanycomputers,usingavarietyofmethodstotransferthedata(asshowninFigure27-1),ratherthanaseparatedriveoneachcomputer.
Figure27-1Allnetworkdevicescantransmitdatatoavarietyofdevices.
Forthistobepractical,thenetworkadministratormustbeabletocontrolthebackupprocessforallofthecomputersfromacentrallocation.Withoutthistypeofautomation,theadministratorwouldhavetotraveltoeachcomputertocreateanindividualbackupjob.Byinstallingthebackupdriveandbackupsoftwareononeofthenetwork’scomputers,youcreateabackupserverthatcanprotectalloftheothercomputersonthenetwork.
Automationalsoenablesbackupstooccurduringnightorothernonworkinghours,whenthenetworkisidle.Backingupremotecomputersnaturallyentailstransferringlargeamountsofdataacrossthenetwork,whichgeneratesalotoftrafficthatcanslowdownnormalnetworkoperations.Inaddition,datafilesthatarebeingusedbyapplicationsarefrequentlylockedopen,meaningthatnootherapplicationcangainaccesstothem.Thesefilesareskippedduringatypicalbackupjobandarethereforenotprotected.Networkbackupsoftwareprogramsenableyoutoschedulebackupjobstooccuratanytimeofthedayornight,whenthefilesareavailableforaccess.Withappropriatehardware,theentirebackupprocesscanruncompletelyunattended.
Anetworkbackupsolutionconsistsattheveryleastofabackupdrive,backupmediaforthedrive,andbackupsoftware.Dependingontheamountandtypeofdatatobebackedupandtheamountoftimeavailabletoperformthebackups,youmayalsoneedotherequipment,suchasmultiplebackupdrives,anautochanger,oroptionalsoftwarecomponents.Selectingappropriatehardwareandsoftwareforyourbackupneedsandlearningtousethemcorrectlyaretheessentialelementsofcreatingaviablenetworkbackupsolution.Inmanycases,backupproductsarenotcheap,butasthesayinggoes,youcanpaynoworyoucanpaylater.
BackupHardware
Youcanusevirtuallyanytypeofdrivethatemploysremovablemediaasabackupdrive.WritableCDorDVD-ROMdrivesarepossiblesolutions,asareexternalharddrives,internalredundantarrayofindependent(inexpensive)disks(RAID)systems,magnetictapedrives,network-attachedsystems(NASs),orcommercialcloudbackupservices.However,whilesomeofthesemethodsareusefulforsinglecomputersorsmallbusinessnetworks,theyarenotasusefulforlargebusinessnetworkbackups,fortwomainreasons:insufficientcapacityandexcessivemediacost.Oneofthemainobjectivesofanetworkbackupsolutionistoavoidtheneedformediachangesduringajobsothattheentireprocesscanrununattended.
Storingbacked-updataoff-siteisthebestwaytoprotectdata.Thedatacanbestoredinthecloud,usingeithercommercialcloudbackupservicesoranin-housecloudlocation.Evenifyouusetraditionaldatabackuphardware,consideroff-sitestorageforthishardware.Youcanhousethestoragedevicesinadifferent,securelocation.DeviceswiththecapabilityofstoringinformationfrommultiplecomputersthathasbeenaccessedoverthebusinessnetworkoreventheInternetarethenormtoday.Forsmallcompanies,theoff-sitestoragecanbeanexternalharddrivehousedinabanksafety-depositboxorevenasbasicasadesignatedITpersonwhotakesthedevicehomewiththem.
Inadditiontostorageprotection,youneedanetworkbackupsolutiontoretainthehistoryoftheprotecteddataforagivenperiodsothatit’spossibletorestorefilesthatareseveralweeksormonthsold.Maintainingabackuparchivelikethisrequiresalotofstorage,andthepriceofthemediumisamajorfactorintheoveralleconomyofthebackupsolution.
The result of this need for high media capacities and low media costs is that some combination of external hard disks, RAID systems, or magnetic tape becomes the backup medium of choice in a network environment. Magnetic tapes can hold enormous amounts of data in a small package, and the cost of the media is low. In addition, both external disks and magnetic tapes are durable and easy to store.
NOTE Many networks use data storage technologies such as RAID to increase data availability and provide fault tolerance. However, although these technologies can enable your network to survive a hard drive failure or similar problem, they are not a replacement for regular backups. Viruses, fires, and other catastrophes can still cause irretrievable data loss in hard drive–based storage arrays, while backups with off-site storage provide protection against these occurrences.
Backup Capacity Planning
Magnetic tape, external hard disks, and, more recently, cloud storage capabilities and network-attached storage devices are several of the methods of data backup technology, and as a result, there are many different formats and drives. In addition to the price and compatibility considerations important to every purchase, the criteria you should use to evaluate backup solutions are capacity, reliability, and media costs, plus the speed at which the drive can copy data to the medium. Together, the capacity and the transfer speed dictate whether the drive is capable of backing up your data in the time you have available. Not surprisingly, the backup drives with greater capacity and faster speeds command higher prices. Depending on your situation, you may be able to trade off some speed for increased capacity or emphasize maximum speed over capacity.
Hard Disk Drives
Hard disk drives (HDDs) have been the mainstay for many small networks, including home networks, for several years. They are available both as portable (or laptop-class) and desktop models, with the portable drives using the power from the connecting USB cable. Desktop drives often require connection to power and often come with an internal fan to prevent the overheating that can sometimes occur with the smaller, portable units.
Both types are easily attached to any device with a Universal Serial Bus (USB) port. Most are fairly quiet and somewhat dependable. They usually contain rotating disks, usually 2.5-inch drives in the portable units and 3.5-inch drives in the desktop models. If you are considering one of these relatively inexpensive solutions for your backup, make sure that the storage capacity is several times larger than the information you want to save or the hard drive you want to back up. Also, the speed at which the external device runs is determined by the connection speed. For example, a USB 3.0 connection will be faster than a USB 2.0 port. Consider the information in Table 27-1 when making your decision.
Table 27-1 Pros and Cons of a USB-Connected HDD
Solid-State Drives
With no moving parts, solid-state drives (SSDs) are more reliable, faster, and more durable. Today, most of these drives are designed to look like external HDDs; however, at this writing, they are still expensive in dollars per gigabyte when compared with HDDs. HDDs work best with files that have been written in contiguous blocks, as most internal drives do today. SSDs store data on semiconductor chips instead of magnetically. The transistors (cells) are wired in series, rather than in parallel as in HDDs. Solid-state drives also have both advantages and disadvantages, as shown in Table 27-2.
Table 27-2 Pros and Cons of SSDs
Multiple Hard Drives (Multidrives)
As networks and their storage requirements grow, the third USB connection option is a RAID system with multiple disks connected to one computer. These units are usually small enclosures holding two or more hard drives that “mirror” each other. See “RAID Systems” later in this chapter for more information.
Connections
USB 2.0 (and now 3.0 and 3.1), eSATA, FireWire, and Thunderbolt are all methods by which your external drives can be connected to your computer. Each option offers various advantages and disadvantages.
USB 2.0 and 3.0
USB connections have been around since 1996, with USB 2.0 becoming the standard by 2001. USB connectors standardize connections between your computer and the many peripherals available. From keyboards to network adapters to digital cameras, the USB port has made connections quick and easy. USB has replaced the earlier serial and parallel port connections and, since it usually has its own power, has even replaced separate power appliances in some cases. Many new devices come with both USB 2.0 and USB 3.0 connections. You can determine the type of connection by the indicator on the device, as shown in Figure 27-2.
Figure 27-2 USB 2.0 and 3.0 connectors and symbols
USB 2.0 and 3.0 are compatible with each other; however, the performance will default to the lower of the two connections being used.
The differences between the various connectors are shown in Table 27-3.
Table 27-3 USB Connector Differences
eSATA
External Serial Advanced Technology Attachment (eSATA) was often used by many because it offered faster data transfer speeds than other methods, in some cases three times that of USB 2.0 or FireWire 400. Connected directly to a SATA hard drive on a computer so that the computer’s processor was dealing with only one device, the throughput transfer speed was faster than USB connections, where the processor was handling several USB devices at the same time. Connected to an internal SATA drive, eSATA connections offered SATA drive speed. With the advent of USB 3.0 devices and Thunderbolt, eSATA drives no longer have the speed advantage.
Today, in a business network environment, using eSATA can help protect your system. With the proliferation of USB devices on each workstation, the chance that anyone with access to those USB ports accidentally introduces malware or carries data out is great. Some managers disable the USB ports and enable the use of external drives with eSATA.
For those who need to connect their computers to other media, such as TV DVRs or other media devices, the most common interface is still eSATA. eSATA makes storage for large media files efficient and quick.
To connect to an external hard drive, both that HDD and the computer must have the eSATA connector, and you must use an eSATA cable. This cable can be no longer than 2 meters (6.5 feet), so distance is an issue, and both USB and FireWire connections can be longer.
FireWire
With transfer rates of up to 400 Mbps, FireWire 400 was fast and efficient when it was introduced by Apple early in 1986 as a replacement for the parallel SCSI bus. The IEEE 1394 (FireWire) standard was originally designed for high-speed transfer, specifically for large video and audio files. FireWire can connect up to 63 devices, and it allows peer-to-peer communication without involving either the processor or the computer memory (USB requires that devices be connected to a computer in order to transfer information). FireWire is also hot-swappable (as is USB), meaning that you can remove the device without turning off the computer. FireWire 800 arrived in 2002 and was standard on Apple machines until the advent of Thunderbolt. (See “Thunderbolt” later in this chapter for more information.) FireWire 400 has either a four-pin or six-pin connection, while FireWire 800 has nine pins, as shown in Figure 27-3.
Figure 27-3 FireWire 400 and FireWire 800 cables and ports
Devices equipped with six-pin FireWire can draw their power directly from their computer connection, up to 1.5 amps at 8 to 30 volts. Devices that come with the four-pin configuration save space by omitting the two power pins. FireWire 800, with its nine-pin design, offers grounding to protect the other wires. FireWire 800 is backward compatible with FireWire 400; however, transfer speed will be that of the slower FireWire 400 (see Table 27-4).
Table 27-4 FireWire 400 and FireWire 800 Specifications
In 2007 and 2008, FireWire S1600 and S3200 were introduced to compete with USB 3.0. The development came with the same nine-pin connection as FireWire 800, but even though the system was developed, some units were not available until 2012. Therefore, few devices other than some Sony cameras used the newer technology.
Thunderbolt
In 2011, Apple devices included a new port called Thunderbolt that had the capabilities and speed of FireWire and USB, along with external display capabilities for Video Graphics Array (VGA), High Definition Multimedia Interface (HDMI), DisplayPort, and Digital Video Interface (DVI). While not all devices had the ability to use Thunderbolt, for a time, this interface had the fastest transfer rate. Some users reported being able to transfer a 15GB HD movie in less than one minute.
While some Windows machines contain Thunderbolt connections, most devices using this technology are for the Mac. As USB 3.0 has become the standard, Thunderbolt’s speedy transfer rate is often matched by the USB connection. However, for media transfers and connectivity to video devices, Thunderbolt is useful.
As USB 3.1 is being released, Thunderbolt 3 is due to be on store shelves in early 2015. This technology is tied to new Intel architecture, which is also due in early 2015.
NOTE Thunderbolt was developed by both Apple and Intel.
Wireless
While the thought of no wires can sound appealing, especially if you have a wireless (WiFi) network, backing up to a wireless external drive can be a security risk. If you use encryption on your wireless network, consider encrypting the external hard drive as well. Today, there are several types of encryption protocols to help protect both your network and your external device:
• Wired Equivalent Privacy (WEP) was created in the 1990s, and its name describes its main selling point, which is that it is equivalent to a wired network. As data on wireless networks is transmitted by radio waves, WEP adds some degree of security to the system by encrypting or “coding” the data being transmitted. WEP has several different levels of security, from 64-bit through 256-bit, each of which required the entry of a string of hexadecimal characters that was then used by the encryption algorithm.
• WEP has some serious security flaws, such as the following:
  • Outside devices being able to inject new data from mobile stations
  • The ability to decrypt the data from another access point
  • The ability, in some cases, to analyze the transmitted data and, after a time, decrypt it
• Wi-Fi Protected Access (WPA), available since 2003, was originally designed to solve some of the security issues with WEP. WPA has now been superseded by WPA2. WPA2 uses many of the same algorithms as WPA but with enhanced confidentiality.
No encryption system or mechanism is foolproof. However, running a wireless device without some such protection can create havoc.
RAID Systems
The mass storage subsystems used in network servers frequently go beyond just having greater capacities and faster drives. There are also more advanced storage technologies that provide better performance, reliability, and fault tolerance. RAID is the most common of these technologies. A RAID array is a group of hard drives that function together in any one of various ways, called levels. There are six basic RAID levels, numbered from 0 to 5, plus several other RAID standards that are proprietary or variations on one of the other levels. The different RAID levels provide varying degrees of data protection and performance enhancement.
Originally designed for large networks to store large amounts of data at a low cost, RAID can also be a viable backup solution for smaller networks. Today, you may see RAID on a single computer with two hard drives connected to create more storage capacity, or with two drives, one being used as a duplicate (clone) of the other. That way, if drive 1 fails, all the information is available on drive 2 with no interruption of service.
Using RAID
RAID can be implemented in hardware or software, in whole or in part. Third-party software products can provide other RAID levels. Generally speaking, however, the best RAID performance comes from a hardware RAID implementation.
Hardware RAID solutions can range from dedicated RAID controller cards (which you install into a server like any other PCI expansion card and connect to your hard drives) to stand-alone RAID drive arrays. A RAID controller card typically contains a coprocessor and a large memory cache. This hardware enables the controller itself to coordinate the RAID activity, unlike a software solution that utilizes the computer’s own memory and processor. When you use a hardware RAID solution, the drive array appears to the computer as a single drive. All of the processing that maintains the stored data is invisible.
A RAID drive array is a unit, either separate or integrated into a server, that contains a RAID controller and slots into which you insert hard disk drives, like those shown in Figure 27-4. In some cases, the slots are merely containers for the drives, and you use standard SCSI and power cables to connect them to the RAID controller and to the computer’s power supply. In higher-end arrays, the drives plug directly into a backplane, which connects all of the devices to the SCSI bus, supplies them with power, and eliminates the need for separate cables. In some cases, the drives are hot-swappable, meaning that you can replace a malfunctioning drive without powering down the whole array. Some arrays also include a hot standby drive, which is an extra drive that remains idle until one of the other drives in the array fails, at which time the standby drive immediately takes its place. Some servers are built around an array of this type, while in other cases the array is a separate unit, either standing alone or mounted in a rack. These separate drive arrays are what you use when you want to build a server cluster with shared drives.
Figure 27-4 Stand-alone RAID drive arrays
Whether you implement RAID using software or hardware, you choose the RAID level that best suits your installation. Although the various RAID levels are numbered consecutively, the higher levels are not always “better” than the lower ones in every case. In some cases, for example, you are trading off speed or disk space in return for added protection, which may be warranted in one installation but not in another. The various levels of RAID are described in the following sections.
RAID 0: Disk Striping
Disk striping is a method for enhancing the performance of two or more drives by using them concurrently, rather than individually. Technically, disk striping is not RAID at all because it provides no redundancy and therefore no data protection or fault tolerance. In a striped array, the blocks of data that make up each file are written to different drives in succession. In a four-drive array like that shown in Figure 27-5, for example, the first block (A) is written to the first drive, the second block (B) is written to the second drive, and so on, through the fourth block (D). Then the fifth block (E) is written to the first drive, the sixth (F) is written to the second drive, and the pattern continues until all of the blocks have been written. Operating the drives in parallel increases the overall I/O performance of the drives during both reads and writes because while the first drive is reading or writing block A, the second drive is moving its heads into position to read or write block B. This reduces the latency period caused by the need to move the heads between each block in a single drive arrangement. To reduce the latency even further, you can use a separate controller for each drive.
Figure 27-5 RAID level 0
As mentioned earlier, disk striping provides no additional protection to the data and indeed even adds an element of danger. If one of the drives in a RAID 0 array should fail, the entire volume is lost, and recovering the data directly from the disk platters is much more difficult, if not impossible. However, disk striping provides the greatest performance enhancement of any of the RAID levels, largely because it adds the least amount of processing overhead. RAID 0 is suitable for applications in which large amounts of data must be retrieved on a regular basis, such as video and high-resolution image editing, but you must be careful to back up your data regularly.
NOTE It’s possible to stripe data across a series of hard drives either at the byte level or at the block level (one block typically equals 512 bytes). Byte-level striping is better suited to the storage of large data records because the contents of a record can be read in parallel from the stripes on different drives, thus improving the data transfer rate. Block-level striping is better suited for the storage of small data records in an environment where multiple concurrent requests are common. A single stripe is more likely to contain an entire record, which enables the various drives in the array to process individual requests independently and simultaneously.
RAID 1: Disk Mirroring and Duplexing
Disk mirroring and disk duplexing are the simplest arrangements that truly fit the definition of RAID. Disk mirroring is a technique where two identical drives are connected to the same host adapter, and all data is written to both of the drives simultaneously, as shown in Figure 27-6. This way, there is always a backup (or mirror) copy of every file immediately available. If one of the drives should fail, the other continues to operate with no interruption whatsoever. When you replace or repair the malfunctioning drive, all of the data from the mirror is copied to it, thus reestablishing the redundancy. Disk duplexing is an identical arrangement, except that the two drives are connected to separate controllers. This enables the array to survive a failure of one of the disks or one of the controllers.
Figure 27-6 RAID level 1
Obviously, disk mirroring provides complete hard drive fault tolerance, and disk duplexing provides both drive and controller fault tolerance because a complete copy of every file is always available for immediate access. However, mirroring and duplexing do this with the least possible efficiency because you realize only half of the disk space that you are paying for. Two 10GB drives that are mirrored yield only a 10GB volume. As you will see, other RAID levels provide their fault tolerance with greater efficiency, as far as available disk space is concerned.
Disk mirroring and duplexing do enhance disk performance as well, but only during read operations. During write operations, the files are written to both drives simultaneously, resulting in the same speed as a single drive. When reading, however, the array can alternate between the drives, doubling the transaction rate of a single drive. In short, write operations are said to be expensive and read operations efficient. Like disk striping, mirroring and duplexing are typically implemented by software and are common features in server operating systems like Windows 2000. However, as mentioned earlier, using the system processor and memory for this purpose can degrade the performance of the server when disk I/O is heavy.
RAID 2: Hamming ECC
RAID 2 is a seldom-used arrangement where each of the disks in a drive array is dedicated to the storage either of data or of error correcting code (ECC). As the system writes files to the data disks, it also writes the ECC to drives dedicated to that purpose. When reading from the data drives, the system verifies the data as correct using the error correction information from the ECC drives. The ECC in this case is Hamming code, which was the same type of ECC used on SCSI hard drives that support error correction. Because all SCSI hard drives already supported ECC and because a relatively large number of ECC drives were required for the data drives, RAID 2 is an inefficient method that has almost never been implemented commercially.
RAID 3: Parallel Transfer with Shared Parity
A RAID 3 array is a combination of data striping and the storage of a type of ECC called parity on a separate drive. RAID 3 requires a minimum of three drives, with two or more of the drives holding data striped at the byte level and one drive dedicated to parity information. The use of striping on the data drives enhances I/O performance, just as in RAID 0, and using one drive in the array for parity information adds fault tolerance. Whenever the array performs a read operation, it uses the information on the parity drive to verify the data stored on the striped drives. Because only one of the drives holds the parity information, you realize a greater amount of usable disk space from your array than you do with RAID 2. If one of the striped drives should fail, the data it contains can be reconstructed using the parity information. However, this reconstruction takes longer than that of RAID 1 (which is immediate) and can degrade performance of the array while it is occurring.
When you hit RAID 3 and the levels above it, the resources required by the technology make them much more difficult to implement in software only. Most servers that use RAID 3 or higher use a hardware product.
RAID 4: Independent Data Disks with Shared Parity
RAID 4 is similar to RAID 3, except that the drives are striped at the block level, rather than at the byte level. There is still a single drive devoted to parity information, which enables the array to recover the data from a failed drive if needed. RAID 4 performs comparably to RAID 3 during read operations, but write performance suffers because of the need to continually update the information on the parity drive. RAID 4 is also rarely used because it offers few advantages over RAID 5.
RAID 5: Independent Data Disks with Distributed Parity
RAID 5 is the same as RAID 4, except that the parity information is distributed among all of the drives in the array, instead of being stored on a drive dedicated to that purpose. Because of this arrangement, there is no parity drive to function as a bottleneck during write operations, and RAID 5 provides significantly better write performance than RAID 4, along with the same degree of fault tolerance. The rebuild process in the event of a drive failure is also made more efficient by the distributed parity information. Read performance suffers slightly in RAID 5, however, because the drive heads must skip over the parity information stored on all of the drives.
RAID 5 is the level that is usually implied when someone refers to a RAID array because it provides a good combination of performance and protection. In a four-disk array, only 25 percent of the disk space is devoted to parity information, as opposed to 50 percent in a RAID 1 array.
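The striping, shared-parity and distributed-parity layouts described in the RAID 0, RAID 4 and RAID 5 sections above, as an added example that is not from the book: a small Python model that lays blocks out across drives, keeps the parity block on the last drive (RAID 4) or rotates it per stripe (RAID 5), loses one drive and rebuilds it by XOR, and shows that a RAID 0 set with a missing drive is simply unreadable. Block size, drive counts and the sample payload are constructed values.

```python
"""RAID 0, RAID 4 and RAID 5 block layouts with XOR parity and rebuild.

Added example, not taken from the book: an in-memory model of the layouts
described in the text. Block size, drive counts and sample data are constructed.
"""
from __future__ import annotations
from typing import List, Optional

BLOCK = 4  # constructed block size in bytes (real arrays use 512 bytes or more)

Disk = List[bytes]  # one drive = its blocks in stripe order


def split_blocks(data: bytes, per_stripe: int) -> List[bytes]:
    """Chop data into BLOCK-sized pieces, zero-padded to whole stripes."""
    blocks = [data[i:i + BLOCK].ljust(BLOCK, b"\0")
              for i in range(0, len(data), BLOCK)]
    while len(blocks) % per_stripe:
        blocks.append(bytes(BLOCK))
    return blocks


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity used by RAID 3/4/5."""
    acc = bytes(BLOCK)
    for blk in blocks:
        acc = bytes(a ^ b for a, b in zip(acc, blk))
    return acc


def layout_raid0(data: bytes, drives: int) -> List[Disk]:
    """RAID 0: block A to drive 0, B to drive 1, ..., then wrap around."""
    disks: List[Disk] = [[] for _ in range(drives)]
    for n, blk in enumerate(split_blocks(data, drives)):
        disks[n % drives].append(blk)
    return disks


def parity_drive(stripe: int, drives: int, rotate: bool) -> int:
    """RAID 4 keeps parity on the last drive; RAID 5 rotates it per stripe."""
    return (drives - 1 - stripe) % drives if rotate else drives - 1


def layout_parity(data: bytes, drives: int, rotate: bool = True) -> List[Disk]:
    """Block-striped data plus one parity block per stripe: RAID 5, or RAID 4
    with rotate=False. Needs at least three drives."""
    if drives < 3:
        raise ValueError("parity RAID needs at least three drives")
    per_stripe = drives - 1
    blocks = split_blocks(data, per_stripe)
    disks: List[Disk] = [[] for _ in range(drives)]
    for s in range(len(blocks) // per_stripe):
        stripe = blocks[s * per_stripe:(s + 1) * per_stripe]
        p = parity_drive(s, drives, rotate)
        data_iter = iter(stripe)
        for d in range(drives):
            disks[d].append(xor_blocks(stripe) if d == p else next(data_iter))
    return disks


def rebuild_drive(disks: List[Optional[Disk]], failed: int) -> Disk:
    """Reconstruct one failed drive: in every stripe the missing block (data or
    parity alike) is the XOR of the blocks on the surviving drives."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise RuntimeError("two drives missing: single parity cannot rebuild")
    return [xor_blocks([d[s] for d in survivors])
            for s in range(len(survivors[0]))]


def read_volume(disks: List[Optional[Disk]], length: int,
                parity: bool, rotate: bool = True) -> bytes:
    """Read the logical volume back in stripe order, skipping parity blocks.
    A missing drive makes the read fail; for RAID 0 (parity=False) that means
    the whole volume is lost, for parity RAID it must be rebuilt first."""
    drives = len(disks)
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(stripes):
        p = parity_drive(s, drives, rotate) if parity else -1
        for d in range(drives):
            if d == p:
                continue
            if disks[d] is None:
                raise RuntimeError(f"drive {d} missing: volume unreadable")
            out += disks[d][s]
    return bytes(out[:length])


def demo() -> dict:
    """Lose drive 2 of a four-drive RAID 5 set, rebuild it and read the data back."""
    data = b"constructed sample payload for the parity demo"
    disks: List[Optional[Disk]] = list(layout_parity(data, 4))
    original = disks[2]
    disks[2] = None                       # drive 2 fails
    rebuilt = rebuild_drive(disks, 2)
    disks[2] = rebuilt                    # hot standby takes its place
    return {
        "rebuild_matches": rebuilt == original,
        "data_intact": read_volume(disks, len(data), parity=True) == data,
        "parity_fraction": 1 / len(disks),  # 25 percent of a four-drive set
    }


if __name__ == "__main__":
    print(demo())
```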
RAID 6: Independent Data Disks with Two-Dimensional Parity
RAID 6 is a variation on RAID 5 that provides additional fault tolerance by maintaining two independent copies of the parity information, both of which are distributed among the drives in the array. The two-dimensional parity scheme greatly increases the controller overhead since the parity calculations are doubled, and the array’s write performance is also degraded because of the need to save twice as much parity information. However, a RAID 6 array can sustain multiple simultaneous drive failures without data loss and is an excellent solution for read-intensive environments working with mission-critical data.
RAID 7: Asynchronous RAID
RAID 7 is a proprietary solution marketed by Storage Computer Corporation, which consists of a striped data array and a dedicated parity drive. The difference in RAID 7 is that the storage array includes its own embedded operating system, which coordinates the asynchronous communications with each of the drives. Asynchronous communication, in this context, means that each drive in the array has its own dedicated high-speed bus and its own control and data I/O paths, as well as a separate cache. The result is increased write performance over other RAID levels and very high cache hit rates under certain conditions. The disadvantages of RAID 7 are its high cost and the danger resulting from any investment in a proprietary technology.
RAID 10: Striping of Mirrored Disks
RAID 10 is a combination of the disk striping used in RAID 0 and the disk mirroring used in RAID 1. The drives in the array are arranged in mirrored pairs, and data is striped across them, as shown in Figure 27-7. The mirroring provides complete data redundancy while the striping provides enhanced performance. The disadvantage of RAID 10 is the high cost (at least four drives are required) and the same low data storage efficiency as RAID 1.
Figure 27-7 RAID level 10
RAID 0+1: Mirroring of Striped Disks
RAID 0+1 is the opposite of RAID 10. Instead of striping data across mirrored pairs of disks, RAID 0+1 takes an array of striped disks and mirrors it. The resulting performance is similar to that of RAID 10, but a single drive failure turns the array back to a simple RAID 0 installation.
Network-Attached Storage
Network-attached storage is a term that is generally applied to a stand-alone storage subsystem that connects to a network and contains everything needed for clients and servers to access the data stored there. An NAS device, sometimes called a network storage appliance, is not just a box with a power supply and an I/O bus with hard drives installed in it. The unit also has a self-contained file system and a stripped-down, proprietary operating system that is optimized for the task of serving files. The NAS appliance is essentially a stand-alone file server that can be accessed by any computer on the network. NAS appliances can reduce costs and simplify the deployment and ongoing management processes. Because the appliance is a complete turnkey solution, there is no need to integrate separate hardware and operating system products or be concerned about compatibility issues.
NAS appliances can connect to networks in different ways, and it is here that the definition of the technology becomes confusing. An NAS server is a device that can respond to file access requests generated by any other computer on the network, including clients and servers.
There are two distinct methods for deploying an NAS server, however. You can connect the appliance directly to the LAN, using a standard Ethernet connection, enabling clients and servers alike to access its file system directly, or you can build a dedicated storage network, using Ethernet or Fibre Channel, enabling your servers to access the NAS and share files with network clients.
The latter solution places an additional burden on the servers, but it also moves the I/O traffic from the LAN to a dedicated storage network, thus reducing network traffic congestion. Which option you choose largely depends on the type of data to be stored on the NAS server. If you use the NAS to store users’ own work files, for example, it can be advantageous to connect the device to the LAN and let users access their files directly. However, if the NAS server contains databases or e-mail stores, a separate application server is required to process the data and supply it to clients. In this case, you may benefit more by creating a dedicated storage network that enables the application server to access the NAS server without flooding the client network with I/O traffic.
Magnetic Tape Drives
Unlike other mass storage devices used in computers, magnetic tape drives do not provide random access to the stored data. Hard disks and optical drives all have heads that move back and forth across a spinning medium, enabling them to place the head at any location on the disk almost instantaneously and read the data stored there. The magnetic tape drives used in computers work just like audio tape drives; the tape is pulled off of a spool and dragged across a head to read the data, as shown in Figure 27-8. This is called linear access. To read the data at a point near the end of a tape, the drive must unspool all of the preceding tape before accessing the desired information. Because they are linear access devices, magnetic tape drives are not mounted as volumes in the computer’s file system. You can’t assign a drive letter to a tape and access its files through a directory display, as you can with a CD-ROM or a floppy disk. Magnetic tape drives are used exclusively by backup software programs, which are specifically designed to access them.
Figure 27-8 Linear access drives leave the tape in the cartridge and press it against static heads.
Linear access devices like tape drives also cannot conveniently use a table containing information about the files they contain, as with a hard or floppy disk. When a backup system writes hard drive files to tape, it reads the information about each file from the hard drive’s file allocation table (or whatever equivalent that particular drive’s file system uses) and writes it to tape as a header before copying the file itself. The file is frequently followed by an error correction code that ensures the validity of the file. This way, all of the information associated with each file is found at one location on the tape. However, some tape drive technologies, such as digital audio tape (DAT) and digital linear tape (DLT), do create an index on each tape of all the files it contains, which facilitates the rapid restoration of individual files.
Tape Drive Interfaces
To evaluate backup technologies, it’s a good idea to first estimate the amount of data you have to protect and the amount of time you will have for the backup jobs to run. The object is to select a drive (or drives) that can fit all of the data you need to protect during the average backup job on a single device in the time available. Be sure to consider that it may not be necessary for you to back up all of the data on all of your computers during every backup job. Most of the files that make up a computer’s operating system and applications do not change, so it isn’t necessary to back them up every day. You can back these up once a week or even more seldom and still provide your computers with sufficient protection. The important files that you should back up every day are the data and system configuration files that change frequently, all of which might add up to far less data.
In addition to the capabilities of the drive, you must consider the interface that connects it to the computer that will host it. When using a tape drive, the process of writing data to a magnetic tape requires that the tape drive receive a consistent stream of data from the computer. Interruptions in the data stream force the tape drive to stop and start repeatedly, which wastes both time and tape capacity.
Magnetic Tape Capacities
The storage capacity of a magnetic tape is one of its most defining characteristics and can also be one of the most puzzling aspects of the backup process. Many users purchase tape drives with rated capacities and then are disappointed to find that the product does not store as much data on a tape as the manufacturer states. In most cases, this is not a matter of false claims on the part of the drive’s maker.
There are three elements that can affect the data capacity of a magnetic tape, which are as follows:
• Compression
• Data stream
• Write errors
Compression
Magnetic tape storage capacities are often supplied by manufacturers in terms of compressed data. A reputable manufacturer will always state in its literature whether the capacities it cites are compressed or uncompressed. Most of the tape drives designed for computer backups include hardware-based compression capabilities that use standard data compression algorithms to store the maximum amount of data on a tape. In cases where the drive does not support hardware compression, the backup software might implement its own compression algorithms. When you have a choice, you should always use hardware-based compression over software compression because implementing the data compression process in the software places an additional processing burden on the computer. Hardware-based compression is performed by a processor in the tape drive itself and is inherently more efficient.
NOTE Some manufacturers express tape drive capacities using the term native. A drive’s native capacity refers to its capacity without compression.
The degree to which data can be compressed, and therefore the capacity of a tape, depends on the format of the files being backed up. A file in a format that is already compressed, such as a GIF image or a ZIP archive, cannot be compressed any further by the tape drive hardware or the backup software and therefore has a compression ratio of 1:1. Other file types compress at different ratios, ranging from 2:1, which is typical for program files such as EXEs and DLLs, to 8:1 or greater, as with uncompressed image formats like BMP. It is standard practice for manufacturers to express the compressed storage capacity of a tape using a 2:1 compression ratio. However, your actual results might vary greatly, depending on the nature of your data.
Data Stream
To write data to the tape in the most efficient manner, the tape drive must receive the data from the computer in a consistent stream at an appropriate rate of speed. The rate at which the data arrives at the tape drive can be affected by many factors, including the interface used to connect the drive to the computer, the speed of the computer’s processor and system bus, or the speed of the hard drive on which the data is stored. When you are backing up data from the network, you add the speed of the network itself into the equation. Even if you have a high-quality tape drive installed in a state-of-the-art server, slow network conditions caused by excessive traffic or faulty hardware can still affect the speed of the data stream reaching the tape drive. This is one of the reasons why network backups are often performed at night or during other periods when the network is not being used by other processes.
Tape drives write data to the tape in units called frames or sometimes blocks, which can vary in size depending on the drive technology and the manufacturer. The frame is the smallest unit of data that the drive can write to the tape at one time. The drive contains a buffer equal in size to the frames it uses, in which it stores the data to be backed up as it arrives from the computer. When the backup system is functioning properly, the data arrives at the tape drive, fills up the buffer, and then is written to the tape with no delay. This enables the tape drive to run continuously, drawing the tape across the heads, writing the buffered data to the tape, and then emptying the buffer for the next incoming frame’s worth of data. This is called streaming.
NOTE The frames used by tape drives do not correspond in size or construction with the data link layer protocol frames used in data networking.
When the data arrives at the tape drive too slowly, the drive has to stop the tape while it waits for the buffer to fill up with data. This process of constantly stopping and starting the tape is called shoe-shining, and it is one of the main signals that the drive is not running properly. The buffer has a built-in data retention timeout, after which the drive flushes the buffer and writes its contents to tape, whether it’s full of data or not. If the buffer is not full when the timeout period expires, the drive pads out the frame with nonsense data to fill it up and then writes the contents of the buffer (including the padding) to the tape. The end result is that each frame written to the tape contains only a fraction of the actual data that it can hold, thus reducing the amount of usable data stored on the tape.
The way to avoid having partially filled buffers flushed to tape is to ensure that there are no bottlenecks in the path from the sources of your data to the tape drive. The path is only as fast as its slowest component, and to speed up the data transfer rate, you may have to do any of the following:
• Replace hard drives with faster models
• Install the tape drive in a faster computer
• Reduce the processing load on the computer hosting the tape drive
• Schedule backup jobs to occur during periods of low network traffic
Write Errors
Another possible reason for diminished tape capacity is an excess of recoverable write errors. A write error is considered to be recoverable when the tape drive detects a bad frame on the tape while the data is still in the buffer, making it possible for the drive to immediately write the same frame to the tape again. Drives typically detect these errors by positioning a read head right next to the write head so that the drive can read each frame immediately after writing it.
When the drive rewrites a frame, it does not overwrite the bad frame by rewinding the tape; it simply writes the same frame to the tape again, immediately following the first one. This means that one frame’s worth of data is occupying two frames’ worth of tape, and if there are many errors of this type, a significant amount of the tape’s storage capacity can be wasted. Recoverable write errors are most often caused by dirty heads in the tape drive or bad media. Most backup software products can keep track of and display the number of recoverable write errors that occur during a particular backup job. The first thing you should do when you notice that more than a handful of recoverable write errors have occurred during a backup job is to clean the drive heads using a proper cleaning tape and then run a test job using a new, good-quality tape. If the errors continue, this might be an indication of a more serious hardware problem.
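The one-frame buffer, retention timeout and read-after-write rewrite behaviour described in the data stream and write error sections above, as an added simulation that is not from the book: it feeds constructed arrival patterns into the buffer and reports padded frames (shoe-shining), rewrites, and the fraction of consumed tape that ends up holding real data. Frame size, timeout and the positions of bad frames are constructed values, not any vendor's figures.

```python
"""Tape frame buffering, timeout padding and recoverable write errors.

Added example, not from the book: a discrete simulation of the drive behaviour
described in the text. Frame size, timeout, arrival pattern and error
positions are constructed values, not any vendor's specification.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Collection, Iterable, Optional, Tuple


@dataclass
class TapeStats:
    frames_on_tape: int = 0   # every frame physically written, rewrites included
    padded_frames: int = 0    # frames flushed early by the timeout (shoe-shining)
    rewrites: int = 0         # recoverable write errors (frame written twice)
    usable_bytes: int = 0     # real data the tape ends up holding

    def efficiency(self, frame_size: int) -> float:
        """Fraction of the consumed tape that holds real data."""
        if self.frames_on_tape == 0:
            return 1.0
        return self.usable_bytes / (self.frames_on_tape * frame_size)


def simulate_tape(chunks: Iterable[Tuple[int, int]], frame_size: int,
                  timeout_ms: int, bad_frames: Collection[int] = ()) -> TapeStats:
    """Feed (arrival_ms, nbytes) chunks into a one-frame buffer.

    A full buffer is written as one frame (streaming). If the buffer has been
    waiting longer than timeout_ms since its first byte arrived when new data
    shows up, it is padded out and flushed instead, wasting the unused part of
    the frame. Frame numbers (0-based, counted on the tape) in bad_frames fail
    the read-after-write check; the drive then writes the same frame again
    right after the bad copy, so one frame of data costs two frames of tape.
    The rewritten copy is assumed to verify correctly.
    """
    stats = TapeStats()
    buffered = 0                        # bytes currently held in the buffer
    started_at: Optional[int] = None    # arrival time of the buffer's first byte

    def write_frame(payload: int) -> None:
        stats.frames_on_tape += 1
        if stats.frames_on_tape - 1 in bad_frames:
            stats.rewrites += 1
            stats.frames_on_tape += 1   # good copy follows the bad one on tape
        stats.usable_bytes += payload

    for arrival_ms, nbytes in chunks:
        if buffered and started_at is not None and arrival_ms - started_at > timeout_ms:
            stats.padded_frames += 1    # timeout fired before the frame filled
            write_frame(buffered)
            buffered, started_at = 0, None
        remaining = nbytes
        while remaining:
            if started_at is None:
                started_at = arrival_ms
            take = min(remaining, frame_size - buffered)
            buffered += take
            remaining -= take
            if buffered == frame_size:  # frame full: write it without stopping
                write_frame(frame_size)
                buffered, started_at = 0, None
    if buffered:                        # end of job: the final partial frame is
        write_frame(buffered)           # padded too, but that is not shoe-shining
    return stats


def demo() -> dict:
    """Compare a steady source, a starved source and dirty heads over 64 KB."""
    frame, timeout = 4096, 50
    steady = [(t * 10, 4096) for t in range(16)]    # one full frame every 10 ms
    starved = [(t * 120, 2048) for t in range(32)]  # half a frame every 120 ms
    ok = simulate_tape(steady, frame, timeout)
    slow = simulate_tape(starved, frame, timeout)
    dirty = simulate_tape(steady, frame, timeout, bad_frames={1, 5, 9})
    return {
        "steady_efficiency": ok.efficiency(frame),       # 1.0: pure streaming
        "starved_efficiency": slow.efficiency(frame),    # 0.5: every frame half padding
        "starved_padded_frames": slow.padded_frames,
        "dirty_head_frames": dirty.frames_on_tape,       # 16 frames of data on 19 of tape
        "dirty_head_rewrites": dirty.rewrites,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```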
NOTE Dirty drive heads are the single most common cause of tape drive problems. The importance of regular head cleaning cannot be overemphasized.
Backup Software
For home and small business networks, there are many software products available, including the ability to back up to a server at a remote location, such as the cloud. If you decide that you must purchase a network backup software package, it’s a good idea to familiarize yourself with the capabilities of the various products on the market and then compare them with your needs. In some cases, you can obtain evaluation versions of backup software products and test them on your network. This can help you identify potential problems you may encounter while backing up your network. The following sections examine some of the basic functions of a backup software package and how they apply to a typical network backup situation.
NOTEWhileavailableinearlierversions,Windows8.1doesnotcontainaBackupandRestoreutility.
Selecting Backup Targets
The simplest type of backup job is a full backup, in which you back up the entire contents of a computer’s drives. However, full backups usually aren’t necessary on a daily basis because many of the files stored on a computer do not change and because full backups can take a lot of time and use a lot of storage capacity. One of the best strategies when planning a backup solution for a network is to purchase a drive that can save all of your data files and the important system configuration files on a single medium. This enables you to purchase a less expensive drive and still provide your network with complete protection.
Being selective about what you want to back up complicates the process of creating a backup job, and a good backup software program provides several different ways to select the computers, drives, directories, or files (collectively called targets) that you want to back up. Selecting a drive or directory for backup includes all of the files and subdirectories it contains as well. You can then deselect certain files or subdirectories that you want to exclude from the backup. Some backup software programs can also list the targets for a backup job in text form. When you’re creating a large, complex job involving many computers, this format can sometimes be easier to comprehend and modify.
Using Filters
The expandable display is good for selecting backup targets based on the directory structure, but it isn’t practical for other types of target selection. Many applications and operating systems create temporary files as they’re running, and these files are frequently named using a specific pattern, such as a TMP extension. In most cases, you can safely exclude these files from a backup because they would only be automatically deleted at a later time anyway. However, manually deselecting all of the files with a TMP extension in a directory display would be very time consuming, and you also have no assurance that there might not be other TMP files on your drives when the backup job actually runs.
To select (or deselect) files based on characteristics such as extension, file name, date, size, and attributes, most backup software programs include filters. A filter is a mechanism that is applied to all or part of a backup target that instructs the software to include or exclude files with certain characteristics. For example, to exclude all files with a TMP extension from a backup job, you would apply an exclude filter to the drives that specified the file mask *.tmp.
You can use filters in many ways to limit the scope of a backup job, such as the following:
• Create an include filter specifying a modification date to back up all the files that have changed since a particular day
• Create exclude filters based on file extensions to avoid backing up program files, such as EXEs and DLLs
• Create a filter based on access dates to exclude all files from a backup that haven’t been accessed in the last 30 days
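The three filter types in the list above, implemented as predicates over a file listing. This is an added example, not code from the book or from any backup product; the FileEntry fields, the sample files, and the job time are constructed for illustration. Include filters must all match, exclude filters veto, and a file mask is tested against the file name only, the way a *.tmp mask would be.

```python
# Added example (not from the book): backup target filters applied to a
# constructed file listing. Every path and timestamp here is made up.
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import Callable, Iterable, List, Sequence


@dataclass(frozen=True)
class FileEntry:
    """The file properties a backup filter can test (constructed, not a real scan)."""
    path: str
    size: int            # bytes
    modified: datetime   # last modification time
    accessed: datetime   # last access time


Predicate = Callable[[FileEntry], bool]


def mask(pattern: str) -> Predicate:
    """Match the file name (not its directory) against a mask such as '*.tmp'."""
    return lambda f: fnmatch(f.path.rsplit("/", 1)[-1].lower(), pattern.lower())


def modified_since(day: datetime) -> Predicate:
    """The file changed on or after the given day."""
    return lambda f: f.modified >= day


def not_accessed_for(days: int, now: datetime) -> Predicate:
    """The file's last access is older than `days` days before `now`."""
    return lambda f: f.accessed < now - timedelta(days=days)


def select_targets(files: Iterable[FileEntry],
                   include: Sequence[Predicate] = (),
                   exclude: Sequence[Predicate] = ()) -> List[str]:
    """A file is backed up when it passes every include filter and no exclude filter."""
    return [f.path for f in files
            if all(p(f) for p in include) and not any(p(f) for p in exclude)]


# Constructed sample listing; the job is assumed to run at 01:00 on 2015-03-18.
NOW = datetime(2015, 3, 18, 1, 0)
SAMPLE = [
    FileEntry("C:/Data/report.docx", 40_000, datetime(2015, 3, 17), datetime(2015, 3, 17)),
    FileEntry("C:/Data/~report.tmp", 1_200, datetime(2015, 3, 17), datetime(2015, 3, 17)),
    FileEntry("C:/Data/budget.xlsx", 90_000, datetime(2015, 3, 10), datetime(2015, 3, 16)),
    FileEntry("C:/Data/archive/old.xls", 70_000, datetime(2014, 6, 1), datetime(2014, 12, 1)),
    FileEntry("C:/Apps/app.exe", 2_000_000, datetime(2014, 1, 5), datetime(2015, 3, 10)),
    FileEntry("C:/Apps/lib.dll", 800_000, datetime(2014, 1, 5), datetime(2015, 3, 10)),
]

TEMP_AND_PROGRAM_FILES = [mask("*.tmp"), mask("*.exe"), mask("*.dll")]


def changed_since(files: Iterable[FileEntry], day: datetime) -> List[str]:
    """First bullet: everything modified since `day`, minus temp and program files."""
    return select_targets(files, include=[modified_since(day)], exclude=TEMP_AND_PROGRAM_FILES)


def data_files_only(files: Iterable[FileEntry]) -> List[str]:
    """Second bullet: drop program files (and temp files) by extension."""
    return select_targets(files, exclude=TEMP_AND_PROGRAM_FILES)


def stale_files(files: Iterable[FileEntry], now: datetime = NOW) -> List[str]:
    """Third bullet: files not accessed in the last 30 days, i.e. candidates to exclude."""
    return select_targets(files, include=[not_accessed_for(30, now)])


if __name__ == "__main__":
    print("changed since Mon 16 Mar:", changed_since(SAMPLE, datetime(2015, 3, 16)))
    print("data files only:", data_files_only(SAMPLE))
    print("not accessed in 30 days:", stale_files(SAMPLE))
```

Because the mask is tested against the file name wherever it sits in the tree, the *.tmp file is excluded no matter which directory created it, which is the assurance the manual deselection described above cannot give.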
Incremental and Differential Backups
The most common type of filter used in backups is one that is based on the Archive attribute. This is the filter that backup software products use to perform incremental and differential backups. File attributes are single bits included with every file on a disk drive that are dedicated to particular functions. Different file systems have various attributes, but the most common ones found in almost all file systems are Read-only, Hidden, and Archive. The Read-only and Hidden attributes affect how specific files are manipulated and displayed by file management applications. Under normal conditions, a file with the Hidden attribute activated is invisible to the user, and a Read-only file can’t be modified. The Archive attribute has no effect in a normal file management application, but backup programs use it to determine whether files should be backed up.
A typical backup strategy for a network consists of a full backup job that is repeated every week with daily incremental or differential jobs in between. When you configure a backup software program to perform a full backup of a drive, the software typically resets the Archive attribute on each file, meaning that it changes the value of all the Archive bits to 0. After the full backup, whenever an application or process modifies a file on the drive, the file system automatically changes its Archive bit to a value of 1. It is then possible to create a backup job that uses an attribute filter to copy to tape only the files with Archive bit values of 1, which are the files that have changed since the last full backup. The result is a backup job that uses far less tape and takes far less time than a full backup.
An incremental backup job is one that copies only the files that have been modified since the last backup and then resets the Archive bits of the backed-up files to 0. This means that each incremental job you perform copies only the files that have changed since the last job. If you perform your full backups on Sunday, Monday’s incremental job consists of the files that have changed since Sunday’s full backup. Tuesday’s incremental job consists of the files that have changed since Monday’s incremental, Wednesday’s job consists of the files changed since Tuesday, and so forth. Files that are modified frequently might be included in each of the incremental jobs, while occasionally modified files might be backed up only once or twice a week.
The advantage of performing incremental jobs is that you use the absolute minimum amount of time and storage capacity because you never back up any files that haven’t changed. The drawback of using incremental jobs is that in order to perform a complete restoration of a drive or directory, you have to restore the copy from the last full backup and then repeat the same restore job from each of the incrementals performed since that full backup, in order. This is because each of the incremental jobs may contain files that don’t exist on the other incrementals and because they might contain newer versions of files on the previous incrementals. By the time you complete the restore process, you have restored all of the unique files on all of the incrementals and overwritten all of the older versions of the files with the latest ones.
If you have a lot of data to back up and want the most economical solution, performing incremental jobs is the way to go. The restore process is more complex, but performing a full restore of a drive is (ideally) a relatively rare occurrence. When you have to restore a single file, you just have to make sure that you restore the most recent copy from the appropriate full or incremental backup tape.
A differential backup job differs from an incremental only in that it does not reset the Archive bits of the files it backs up. This means that each differential job backs up all of the files that have changed since the last full backup. If a file is modified on Monday, the differential jobs back it up on Monday, Tuesday, Wednesday, and so on. The advantage of using differential jobs is that to perform a complete restore, you have to restore only from the last full backup and the most recent differential because each differential has all of the files that have changed since the last full backup. The disadvantage of differentials is that they require more time and tape because each job includes all of the files from the previous differential jobs. If your tape drive has sufficient capacity to store all of your modified data for a full week on a single tape, differentials are preferable to incrementals because they simplify the restoration process.
In most cases, the incremental and differential backup options are built into the software, so you don’t have to use filters to manipulate the Archive attributes. The software typically provides a means of selecting from among basic backup types like the following:
• Normal Performs a full backup of all selected files and resets their Archive bits
• Copy Performs a full backup of all selected files and does not reset their Archive bits
• Incremental Performs a backup only of the selected files that have changed and resets their Archive bits
• Differential Performs a backup only of the selected files that have changed and does not reset their Archive bits
• Daily Performs a backup only of the selected files that have changed today
• Working Set Performs a backup only of the selected files that have been accessed in a specified number of days
NOTE Different backup software products may not provide all of these options or may provide additional options. They may also refer to these options using different names.
Backing Up Open Files
The single biggest problem you are likely to encounter while performing backups in a network environment is that of open files. When a file is being used by an application, in most cases it is locked open, meaning that another application cannot open it at the same time. When a backup program with no special open file capabilities encounters a file that is locked, it simply skips it and proceeds to the next file. The activity log kept by the backup software typically lists the files that have been skipped and may declare a backup job as having failed when files are skipped (even when the vast majority of files were backed up successfully). Obviously, skipped files are not protected against damage or loss.
Open files are one of the main reasons for performing backups during times when the network is not in use. Even during off-hours, files can be left open for a variety of reasons. For example, users may leave their computers at the end of the day with files loaded into an application. The agents included with most network backup products are capable of backing up files left open in this way. This is one of the big advantages of using an agent, rather than simply accessing files through the network.
The most critical type of open file situation involves applications and data files that are left running continuously, such as database and e-mail servers. These applications often must run around the clock, and since their data files are constantly being accessed by the application, they are always locked open. A normal backup product can back up most of an application’s program files in a case like this, but the most important files, containing the databases themselves or the e-mail stores, are skipped. This is a major omission that must be addressed in order to fully protect a network.
In most cases, network backup products are capable of backing up live databases and e-mail stores, but you must purchase extra software components to do so. Network backup software products usually have optional modules for each of the major database and e-mail products, which are sold separately. The optional component may consist of an upgrade to the main backup application, a program that runs on the database or e-mail server, or both. These options generally work by creating a temporary database file or e-mail store (sometimes called a delta file) that can process transactions with clients and other servers while the original data files in the server are being backed up. Once the backup is complete, the transactions stored in the delta file are applied to the original database and normal processing continues.
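The Archive-bit mechanics described above, worked through on a toy volume. This is an added example, not the book’s code or any product’s; the file names, contents and the Sunday-to-Wednesday timeline are constructed. It applies the Normal, Copy, Incremental and Differential rules from the list, then shows that the incremental chain must be replayed in order while the differential restore needs only the full set and the latest differential.

```python
# Added example (not from the book): a toy volume with an Archive bit per file,
# the four bit-handling rules listed above, and the restore chain each
# strategy requires. All paths and contents are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BackupSet:
    kind: str
    files: Dict[str, str]   # path -> content captured by this job


class Volume:
    """Minimal file system: path -> content, plus an Archive bit per file."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.archive: Dict[str, bool] = {}

    def write(self, path: str, content: str) -> None:
        """Any modification makes the file system set the Archive bit to 1."""
        self.files[path] = content
        self.archive[path] = True


def run_backup(vol: Volume, kind: str) -> BackupSet:
    """Select files the way the named job type does and return the backup set.

    normal       all files, reset bits      copy          all files, leave bits
    incremental  bit == 1, reset bits       differential  bit == 1, leave bits
    """
    if kind in ("normal", "copy"):
        selected = dict(vol.files)
    elif kind in ("incremental", "differential"):
        selected = {p: c for p, c in vol.files.items() if vol.archive[p]}
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "incremental"):
        for p in selected:
            vol.archive[p] = False
    return BackupSet(kind, selected)


def restore(chain: List[BackupSet]) -> Dict[str, str]:
    """Replay backup sets in the given order; later copies overwrite earlier ones."""
    result: Dict[str, str] = {}
    for backup_set in chain:
        result.update(backup_set.files)
    return result


def simulate_week(strategy: str) -> Tuple[List[int], Dict[str, str], Dict[str, str]]:
    """Sunday full backup, then Mon-Wed daily jobs of the given strategy.

    Returns (files copied per job, the restored volume, the live volume).
    """
    vol = Volume()
    for name in ("a.txt", "b.txt", "c.txt"):
        vol.write(name, f"{name} v0")
    sets = [run_backup(vol, "normal")]        # Sunday: full, every bit -> 0
    vol.write("a.txt", "a.txt v1")            # Monday change
    sets.append(run_backup(vol, strategy))
    vol.write("b.txt", "b.txt v1")            # Tuesday change
    sets.append(run_backup(vol, strategy))
    vol.write("a.txt", "a.txt v2")            # Wednesday change
    sets.append(run_backup(vol, strategy))

    copied = [len(s.files) for s in sets]
    if strategy == "incremental":
        chain = sets                          # full + every incremental, in order
    else:
        chain = [sets[0], sets[-1]]           # full + most recent differential only
    return copied, restore(chain), dict(vol.files)


def incremental_out_of_order() -> str:
    """Replaying incrementals in the wrong order leaves a stale a.txt behind."""
    vol = Volume()
    vol.write("a.txt", "a.txt v0")
    full = run_backup(vol, "normal")
    vol.write("a.txt", "a.txt v1")
    mon = run_backup(vol, "incremental")
    vol.write("a.txt", "a.txt v2")
    wed = run_backup(vol, "incremental")
    return restore([full, wed, mon])["a.txt"]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        copied, restored, live = simulate_week(strategy)
        print(strategy, "files per job:", copied, "restore matches live volume:", restored == live)
    print("out-of-order incremental restore leaves a.txt at:", incremental_out_of_order())
```

The per-job counts make the trade-off concrete: the incremental week copies 3, 1, 1, 1 files, the differential week 3, 1, 2, 2, because a file changed on Monday keeps its bit set and is copied again every day until the next full backup. Comparing the restored dictionary against the live volume is also the shape of the test restore recommended later in this chapter.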
NOTE Many cloud backup strategies back up open files on the fly when a change is made to them.
Recovering from a Disaster
Another add-on module available from many backup software manufacturers is a disaster recovery option. In this context, a disaster is defined as a catastrophic loss of data that renders a computer inoperable, such as a failure of the hard drive containing the operating system files in a server. This type of data loss can also result from a virus infection, theft, fire, or natural disaster, such as a storm or earthquake. Assuming you have been diligently performing your regular backups and storing copies off-site, your data should be safe if a disaster occurs. However, restoring the data to a new drive or a replacement server normally means that you must first reinstall the operating system and the backup software, which can be a lengthy process. A disaster recovery option is a means of expediting the restoration process in this type of scenario.
A disaster recovery option usually works by creating some form of boot medium that provides only the essential components needed to perform a restore job from a backup. In the event of a disaster, a network administrator only has to repair or replace any computer hardware that was lost or damaged, insert a CD/DVD, and boot the computer. The disaster recovery disk supplies the files needed to bring the computer to a basic operational state from which you can perform a restore, using your most recent backup.
Job Scheduling
Another important part of a network backup software product is its ability to schedule jobs to occur at particular times. Some rudimentary backup software products (such as those that come free with an external hard drive) can only execute a backup job immediately. An effective network backup solution requires that you create a series of jobs that execute at regular intervals, preferably when the network is not otherwise in use. A good backup software product can be configured to execute jobs at any time of the day or night and repeat them at specified intervals, such as daily, weekly, and monthly. More complicated scheduling options are also useful, such as the ability to execute a job on the last day of the month, the first Friday of the month, or every three weeks.
The types of jobs you create and how often you run them should depend on the amount of data you have to back up, the amount of time you have to perform the backups, the capabilities of your hardware, and the importance of your data. For example, a typical network backup scenario would call for a full backup performed once a week, and incremental or differential jobs performed on the other days, with all of the jobs running during the night.
Rotating Media
Network backup software products typically enable you to create your own backup strategy by creating and scheduling each job separately, but most also have preconfigured job scenarios that are suitable for most network configurations. These scenarios usually include a media rotation scheme, which is another part of an effective network backup strategy. A media rotation scheme is an organized pattern of device labeling and allocation that enables you to fully protect your network using the minimum possible number of devices. You can conceivably use a new drive for every backup job you run, but this can get very expensive. When you reuse drives instead, you must be careful not to overwrite a drive you may still need in the event of a disaster.
The most common media rotation scheme implemented by backup software products is called Grandfather-Father-Son. These three generations refer to monthly, weekly, and daily backup jobs, respectively. The “Son” jobs run each day and are typically incrementals or differentials. The scheme calls for several drives (depending on how many days per week you perform backups), which are reused each week. For example, you would have a drive designated for the Wednesday incremental job, which you overwrite every Wednesday. The “Father” jobs are the weekly full backups, which are overwritten each month. There will be four or five weekly jobs each month (depending on the day you perform the jobs). The drives you use for the first full backup of the month, for example, will be overwritten during the first full backup of the next month. The “Grandfather” jobs are monthly full backups, the media for which are reused once every year.
TIP The monthly drives in the media rotation are often designated for off-site storage, which is an essential part of a good backup strategy. Diligently making backups will do you and your company no good if the building burns down, taking all of your backup drives with it. Periodic full backups should be stored at a secured site, such as a fireproof vault or a bank safe deposit box. Some administrators simply bring the tapes home on a regular basis, which can be equally effective.
Backup Administration
When creating an automated network backup solution, proper planning and purchasing are the most important factors. Once the system is in place, there should be little user interaction required, except for making sure that the proper drive is connected each day. It’s also important for the administrator to make sure that the backup jobs are executing as designed.
Event Logging
Network backup software products nearly always have an indicator that specifies whether each backup job has completed successfully or has failed. However, simply checking this indicator does not necessarily give an adequate picture of the job’s status. The criteria used to evaluate a job’s success or failure can vary from product to product. A job failure can be an indication of a major problem, such as a hardware failure that has prevented any data from being written to the external drive. With some products, a single file that is skipped because it is locked open can cause a job to be listed as having failed, even though all of the other files have been successfully written.
To check the status of the job in greater detail, you examine the event logs maintained by the software. Backup logs can contain a varying amount of detail, and many software products let you specify what information you want to be kept in the log. A full or complete log contains an exhaustive account of the backup job, including a list of all of the files copied. This type of log contains everything you could ever want to know about a backup job, including which targets were backed up and which were skipped, as well as any errors that may have occurred. The complete file listing causes a log like this to be enormous in most cases, and the average administrator is less likely to check the logs regularly when it’s necessary to scroll through hundreds of pages of file names to do so.
Maintaining a full log might be a good idea as you are learning the intricacies of your backup software, but after the first few jobs, you’ll probably want to reconfigure the software to keep a summary log containing only the details that you need to examine on a regular basis, such as whether target computers were backed up or not, the names of files that were skipped, and error messages. Administrators should examine the logs frequently to make sure that the backup jobs are running as planned.
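The scheduling rules named in the Job Scheduling section (last day of the month, first Friday, every three weeks) and the Grandfather-Father-Son rotation just described, worked into one calendar calculation. This is an added example, not code from the book or from any backup product. Its labelling policy is an assumption: Sunday is the full-backup day, the last Sunday of each month is treated as the Grandfather, the other Sundays are Fathers labelled by week of the month, Monday to Friday are Sons labelled by weekday, and Saturday has no job.

```python
# Added example (not from the book): calendar rules for the scheduling options
# named in the text and a Grandfather-Father-Son media plan built on them. The
# labelling policy (Sunday fulls, last Sunday = monthly, no Saturday job) is an
# assumption of this example, not a rule the book states.
from datetime import date, timedelta
from typing import List, Tuple

MONDAY, FRIDAY, SATURDAY, SUNDAY = 0, 4, 5, 6


def is_last_day_of_month(d: date) -> bool:
    return (d + timedelta(days=1)).month != d.month


def is_first_weekday_of_month(d: date, weekday: int) -> bool:
    """weekday=FRIDAY gives 'the first Friday of the month'."""
    return d.weekday() == weekday and d.day <= 7


def is_last_weekday_of_month(d: date, weekday: int) -> bool:
    return d.weekday() == weekday and (d + timedelta(days=7)).month != d.month


def is_every_n_weeks(d: date, anchor: date, n: int) -> bool:
    """True on the anchor date and every n*7 days after it."""
    delta = (d - anchor).days
    return delta >= 0 and delta % (7 * n) == 0


def gfs_job(d: date) -> Tuple[str, str]:
    """Return (job type, media label) for one calendar day under GFS.

    Grandfather: last Sunday of the month, one medium per month, reused yearly.
    Father:      other Sundays, labelled by week of month, reused monthly.
    Son:         Monday-Friday, labelled by weekday, reused weekly.
    """
    wd = d.weekday()
    if wd == SUNDAY:
        if is_last_weekday_of_month(d, SUNDAY):
            return "full", f"Monthly-{d.strftime('%B')}"
        week_of_month = (d.day - 1) // 7 + 1
        return "full", f"Weekly-{week_of_month}"
    if wd == SATURDAY:
        return "none", ""
    return "incremental", f"Daily-{d.strftime('%A')}"


def rotation_plan(start: date, days: int) -> List[Tuple[str, str, str]]:
    """(ISO date, job type, media label) for each day in the range that has a job."""
    plan = []
    for i in range(days):
        d = start + timedelta(days=i)
        job, label = gfs_job(d)
        if job != "none":
            plan.append((d.isoformat(), job, label))
    return plan


def media_needed(plan: List[Tuple[str, str, str]]) -> int:
    """Distinct labels in the plan, i.e. how many media the scheme consumes."""
    return len({label for _, _, label in plan})


if __name__ == "__main__":
    march = rotation_plan(date(2015, 3, 1), 31)   # 1 March 2015 is a Sunday
    for row in march:
        print(*row)
    print("media needed for March 2015:", media_needed(march))
```

For March 2015 the plan uses ten labelled media: four weekly, one monthly, and five daily. The monthly label is the one that goes off-site, as the tip below recommends; the weekly and daily labels are the ones overwritten on the next cycle, so a restore after a disaster depends on the monthly copy being intact.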
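A summary-log reader that draws the distinctions the two sections above call for: a job marked failed only because locked files were skipped versus a job with a real device error, plus the recoverable-write-error count from the Write Errors section. This is an added example, not the book’s code or any product’s; the log format, the server and device names, the two sample logs and the write-error threshold are all constructed for illustration.

```python
# Added example (not from the book): parser and triage rules for a constructed
# backup summary log. The line format, paths, device name and the threshold
# below are assumptions of this example.
import re
from typing import Dict, List

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (INFO|WARN|ERROR)\s+(.*)$")
BACKED_UP_RE = re.compile(r"^Target (\S+) backed up")
SKIPPED_RE = re.compile(r"^Skipped (\S+): (.*)$")
WRITE_ERR_RE = re.compile(r"(\d+) recoverable write errors")
STATUS_RE = re.compile(r"completed with status (\w+)")

# The text says to act on "more than a handful" of recoverable write errors;
# the cut-off of 5 is this example's assumption.
WRITE_ERROR_THRESHOLD = 5

# Constructed logs. LOG_A has a device problem; LOG_B failed only on locked files.
LOG_A = r"""
2015-03-17 01:00:02 INFO  Job "Nightly Incremental" started
2015-03-17 01:00:05 INFO  Target \\FS1\Data backed up (4312 files)
2015-03-17 01:00:09 WARN  Skipped \\FS1\Data\ledger.mdb: file is locked open
2015-03-17 01:00:09 WARN  Skipped \\FS1\Users\jdoe\budget.xlsx: file is locked open
2015-03-17 01:01:44 ERROR Device \\.\Tape0: 12 recoverable write errors this job
2015-03-17 01:01:50 INFO  Job "Nightly Incremental" completed with status FAILED
"""
LOG_B = r"""
2015-03-18 01:00:01 INFO  Job "Nightly Incremental" started
2015-03-18 01:00:04 INFO  Target \\FS1\Data backed up (4318 files)
2015-03-18 01:00:07 WARN  Skipped \\FS1\Data\ledger.mdb: file is locked open
2015-03-18 01:00:40 INFO  Target \\FS2\Profiles backed up (980 files)
2015-03-18 01:00:41 INFO  Job "Nightly Incremental" completed with status FAILED
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed line; lines that do not match the format are ignored."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "msg": m.group(3)})
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Collect the facts an administrator checks: status, targets, skips, errors."""
    summary: Dict[str, object] = {"status": "UNKNOWN", "backed_up": [], "skipped": [],
                                  "errors": [], "write_errors": 0}
    for e in entries:
        msg = e["msg"]
        if m := BACKED_UP_RE.match(msg):
            summary["backed_up"].append(m.group(1))
        elif m := SKIPPED_RE.match(msg):
            summary["skipped"].append((m.group(1), m.group(2)))
        elif m := STATUS_RE.search(msg):
            summary["status"] = m.group(1)
        if e["level"] == "ERROR":
            summary["errors"].append(msg)
        if m := WRITE_ERR_RE.search(msg):
            summary["write_errors"] += int(m.group(1))
    return summary


def triage(summary: Dict[str, object]) -> List[str]:
    """Findings, most serious first, so a FAILED flag is read in context."""
    findings = []
    if summary["write_errors"] > WRITE_ERROR_THRESHOLD:
        findings.append("clean-heads")      # clean the drive, rerun a test job on new media
    if summary["errors"]:
        findings.append("device-error")     # a real failure, not merely skipped files
    locked = [p for p, why in summary["skipped"] if "locked" in why]
    if locked and summary["status"] == "FAILED" and not summary["errors"]:
        findings.append("failed-only-on-locked-files")
    elif locked:
        findings.append("open-files-skipped")   # these files are unprotected either way
    if not findings and summary["status"] == "COMPLETED":
        findings.append("ok")
    return findings


def triage_log(text: str) -> List[str]:
    return triage(summarize(parse_log(text)))


if __name__ == "__main__":
    for name, log in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        print(name, triage_log(log))
```

Both sample jobs report FAILED, yet only the first needs a hardware follow-up; the second needs an open-file agent or a database module for the skipped store. Either way the skipped files stay on the findings list, because a skipped file is unprotected regardless of how the job is flagged.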
Performing Restores
Logs and success indicators are usually reliable methods of confirming that your backups are completing successfully, but they are no substitute for performing a regular series of test restores. The whole reason for running backups in the first place is so you can restore data when necessary. If you can’t do this, then all of the time and money you’ve spent is wasted. It’s entirely possible for a job to be listed as having completed successfully and for the logs to indicate that all of the targets have been backed up, only to find that it’s impossible to restore any data. The reasons for this vary, but there are many horror stories told by network administrators about people who have diligently performed backups for months or years and have carefully labeled and stored the backups only to find that when they suffer a disaster, everything is blank. Performing test restores on a regular basis can prevent this sort of catastrophe.
Backup software products have a restore function that usually looks a lot like the interface you use to create backup jobs. You can browse through a directory structure to locate the files that you want to restore. When you browse in this way, you are looking at an index of all of the stored files. Without the index, the software has no way of knowing what files are where. All backup software products create an index for each backup job they complete, but where they store the index can vary.
cut-throughswitches,73
cybersquatting,controllingdomainnamesforprofit,288–289
cyclicalredundancycheck.SeeCRC(cyclicalredundancycheck)
D
D channels, ISDN communications, 122–123
DA (destination address), MAC frame address field, 110
DACs (dual attachment concentrators), FDDI topology, 221–223
daemons, Unix server applications running as, 395
daisy chains, cabling patterns, 7
DAP (Directory Access Protocol), 365
DARPA commands, Unix, 392–393, 418
DASs (dual attachment stations), FDDI topology, 221–223
data buffering, NIC functions, 40
data centers, internetwork design, 161–162
data encapsulation
  in communication between layers of OSI model, 14–16
  terminology, 17–18
data encoding/decoding
  NIC functions, 41
  telephone companies, 123
data field, in Ethernet frame, 182–183
data files, storing, 465–466
data frames
  802.11 at MAC layer, 108–110
  FDDI, 225–227
  Token Ring, 218–219
data integrity, IPsec features, 437
data link connection identifiers (DLCIs), frame relay, 129–130
data link layer, of OSI model
  802.11, 110–113
  addressing, 23
  bridging Ethernet and Token Ring networks, 61–62
  cable standards, 84
  error detection, 24
  frame relay at, 127
  frames, 108–110
  interface between data link and physical layers, 198
  ISDN communications at, 123
  LLC (logical link control) sublayer of, 183–186
  MAC (media access control) sublayer of, 183
  media access control, 23–24
  overview of, 22–23
  protocol indicator, 24
  switches operating at, 72
data stream, magnetic tape capacity and, 509
data transfer
  NIC functions, 40
  TCP, 277–279
data transmission/reception, NIC functions, 41
datagrams
  encapsulation terminology, 17
  fragmenting, 259–260
  packaging, 256–259
DCs (domain controllers)
  creating, 369–370
  sites as collection of, 371
  Windows security model, 423
DDNS (dynamic DNS), 369
dedicated connections, 118
dedicated storage network, deploying NAS server as, 148
delta files, 513
demand priority, in 100VG-AnyLAN, 203
demilitarized zone (DMZ), 445
deploying Active Directory
  creating domain controllers, 369–370
  directory replication, 370
  intersite replication, 372
  intrasite replication, 371–372
  multimaster data synchronization, 370–371
  overview of, 369
  sites, 370–371
deploying system policies, 479
designated bridges, 57
designing networks
  backbone fault tolerance, 157–158
  backbone options for internetwork design, 157
  connecting internetworks to remote networks, 159
  data centers, 161–162
  finalizing design, 162
  getting approval, 153
  internetwork design, 155
  locating equipment for internetwork design, 160
  overview of, 151–152
  planning Internet access, 160
  reason for needing, 152
  segments and backbones for internetwork design, 155–157
  selecting backbone LAN protocol for internetwork design, 158–159
  selecting computers for SOHO design, 153–154
  selecting network medium for SOHO design, 154–155
  selecting network speed for SOHO design, 155
  selecting protocols for SOHO design, 154
  selecting WAN protocol for internetwork design, 159–160
  small office/home office (SOHO) design, 153
  wiring closets, 161
desktop, locking down Windows interface, 478
destination address (DA), MAC frame address field, 110
destination address, in Ethernet frame, 181
destination service access point (DSAP), 184
destination unreachable messages, ICMP error messages, 268–269
device drivers
  NDIS drivers for Mac clients, 353
  NDIS drivers for Windows clients, 352–353, 413–415
DHCP (Dynamic Host Configuration Protocol)
  assigning IP addresses, 239–240, 368–369
  ipconfig and, 490
  as optional Windows networking service, 360–361
  Unix and, 389
dialogs, session layer
  defined, 30
  dialog control, 31–32
  dialog separation, 32–33
differential backups, 511–513
Differential Manchester, in Token Ring, 21–22, 210
digital certificates, 434–435
digital leased lines, WANs
  hardware, 120
  overview of, 118–119
digital modem, 120
digital signals, physical layer, 20–21
digital signatures, public key infrastructure and, 433
digital subscriber line. See DSL (digital subscriber line)
direct-sequence spread spectrum (DSSS), physical layer media, 104–106
Directory Access Protocol (DAP), 365
directory permissions, Unix, 431
directory replication
  Active Directory, 370–372
  intersite replication, 372
  intrasite replication, 371–372
  multimaster data synchronization, 370–371
  overview of, 370
  sites, 370–371
directory schema, 364
directory services. See AD (Active Directory)
directory structure, Linux, 381–382
disaster recovery
  advantages of cloud computing, 401
  from backup, 514
  performing restore, 516
disk drives
  backup capacity planning, 497
  for backups, 498
  HDDs (hard disk drives), 498
  magnetic tape. See magnetic tape
  mapping, 468–470
  SSDs (solid-state drives), 498–499
disk duplexing, RAID, 504
disk mirroring, RAID, 504, 506
disk striping, RAID, 503, 506
display filters, data filtering, 491
distinguished names (DN), 365–366
distributed backbones, collapsed backbones compared with, 157
distributed database, DNS as, 290
distribution system (DS)
  802.11, 104
  leased-line types, 119
distributions (distros), Linux, 377–378
DIX Ethernet II, 166
DLCIs (data link connection identifiers), frame relay, 129–130
DMA (direct memory access), 40
DMZ (demilitarized zone), 445
DN (distinguished names), 365–366
DNS (Domain Name System)
  Active Directory and, 368–369
  application protocols of TCP/IP suite, 237
  .com domain conflicts, 288
  country-code (international) domains, 289
  cybersquatting, 288–289
  DNS requests, 293–294
  domain naming process, 285–287
  dynamic updates, 300
  email addressing and, 332–333
  functions of, 291–292
  header fields, 301–303
  host tables, 283–284
  load balancing, 296
  message format, 301
  message notation, 305–307
  name registration, 299–300
  name resolution messages, 307–309
  objectives of, 284–285
  overview of, 283
  Question section of DNS message, 303
  resolvers, 293
  resolving domain names, 294–296
  Resource Record section of DNS message, 303–305
  resource records, 292–293
  reverse name resolution, 297–298
  root name server discovery, 309–310
  root name servers, 294
  second-level domains, 289–290
  server caching, 296–297
  subdomains, 290–291
  supplying user-friendly names, 244–245
  top-level domains, 287–288
  Unix and, 389
  zone transfer messages, 310–312
  zone transfers, 300–301
DNS queries
  generating, 293
  recursive and iterative, 293–294
DNS servers
  DDNS support, 369
  load balancing, 297
  as optional Windows networking service, 361
  overview of, 285
  primary master and secondary master roles, 300–301
  querying with nslookup, 490
  requests, 293–294
  resolving domain names, 294–296
  root name server discovery, 309–310
  root name servers, 294
  server caching, 296–297
DNS tree, 285
domain controllers. See DCs (domain controllers)
domain name speculators, 288
Domain Name System. See DNS (Domain Name System)
domain names, email addressing and, 332
domains
  Active Directory, 367–368
  basic elements of DNS, 285
  .com domain conflicts, 288
  country-code (international) domains, 289
  naming process, 286–287
  overview of, 285–286
  planning Active Directory domains, 375–376
  resolving domain names, 294–296
  second-level domains, 289–290
  subdomains, 290–291
  top-level, 287–288
DOS environment subsystem, in Windows OSs, 351–352
dotted decimal notation, in IPv4, 238
drivers. See device drivers
DS (distribution system)
  802.11, 104
  leased-line types, 119
DSAP (destination service access point), 184
DSL (digital subscriber line)
  overview of, 124
  router applications, 64
  types and properties of, 125
DSSS (direct-sequence spread spectrum), physical layer media, 104–106
dual attachment concentrators (DACs), FDDI topology, 221–223
dual attachment stations (DASs), FDDI topology, 221–223
dual-band routers, 448–449
dual homing, FDDI topology, 223
dual ring of trees, FDDI topology, 221
DVD drives, 497
dynamic DNS (DDNS), 369
Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)
dynamic routing, 68–69, 262
dynamic topology, WLANs, 101
dynamic updates, DNS names, 300
E
e-mail
  addressing, 332–333
  clients and servers, 333–334
  IMAP, 341–342
  MIME, 337–339
  overview of, 332
  POP3, 339
  POP3 authorization state, 339–340
  POP3 transaction state, 340
  POP3 update state, 341
  SMTP, 334
  SMTP commands, 334–336
  SMTP replies, 336–337
  SMTP transactions, 337
early collisions. See also collisions, 171, 201
early token release (ETR)
  FDDI, 228
  Token Ring, 214
EC (error control), ATM cells, 134
ECC (error correcting code), RAID 2, 504–505
Echo Reply message, ICMP queries, 270
Echo Request message
  ICMP queries, 270
  ping utility and, 486
edge switch, packet-switching service, 127
EGP (Exterior Gateway Protocol), 72
EIA (Electronic Industries Alliance)
  cable categories, 80
  cabling standards, 82
  TIA/EIA-568 color codes, 87
  TIA/EIA-568 standard, 82–84
  TIA/EIA-568 standard for connector pinouts, 89–90
EMI (electromagnetic interference)
  selecting network medium and, 154
  STP cable protected against, 92
Encapsulating Security Payload (ESP) protocol, 439–440
encapsulation. See data encapsulation
encryption
  backing up wireless networks, 501
  configuring wireless routers, 452
  IPsec features, 436
  at-rest encryption, 459–460
  risks related to unsecured home networks, 458
  securing home networks, 454
  setting up wireless access points, 451
  in-transit encryption, 460–461
end-to-end protocols
  PPP. See PPP (Point-to-Point Protocol)
  SLIP. See SLIP (Serial Line Internet Protocol)
endpoints, system area network, 142
entities, HTTP, 322
environment subsystems, in Windows OSs, 351
environment variables, 466–468
ephemeral port numbers, 244
equipment, internetwork design, 160
error codes, HTTP
  client error codes, 324–325
  server error codes, 325
error control (EC), ATM cells, 134
error correcting code (ECC), RAID 2, 504–505
error correction, TCP, 279–280
error detection
  at data link layer, 24
  at transport layer, 29–30
error messages, ICMP, 266–270
errors
  Ethernet, 200–201
  Token Ring, 218–220
  write errors in magnetic tape, 510
eSATA (External Serial Advanced Technology Attachment), 498–499
ESP (Encapsulating Security Payload) protocol, 439–440
ESS (extended service set), 104
Ethernet. See also by specific types
  5-4-3 rule applied to cabling, 177
  bridging Ethernet and Token Ring networks, 61–62
  cable categories and, 88–89
  cabling guidelines, 176
  cabling specification leeway, 180–181
  calculating network performance, 178–179
  collisions/collision avoidance, 168–171
  Ethernet frame, 181
  Ethernet II frame format, 183
  fiber-optic Ethernet, 175–176
  full-duplex Ethernet, 186–188
  Gigabit Ethernet as LAN protocol, 144
  IEEE 802.3 frame format, 181–183
  LLC sublayer, 183–186
  MAC addresses, 23
  multipoint repeaters, 51
  overview of, 165–166
  packet fragmentation, 70
  physical layer cabling and, 18
  physical layer guidelines, 171–172
  segment options, 176
  selecting network protocol, 154
  selecting network speed, 155
  SNAP header, 186
  standards, 166–168
  Thick Ethernet (10Base-5), 172–173
  Thin Ethernet (10Base-2), 173–174
  translational bridging, 62
  Twisted-Pair Ethernet (10Base-T/100Base-T), 174–175
  UTP cable length, 51
  UTP cabling, 178
  worst-case path, 179–180
Ethernet frame. See also frames
  Ethernet II frame format, 183
  IEEE 802.3 frame format, 181–183
  LLC sublayer, 183–186
  overview of, 181
Ethernet II
  frame format, 183
  history of, 166
  IEEE 802.3 compared with, 167–168
Ethernet troubleshooting
  error types, 200–201
  isolating the problem, 202
  overview of, 200
Ethertype, Ethernet II frame format, 183
ETR (early token release)
  FDDI, 228
  Token Ring, 214
event logs, backup administration, 515–516
exchange, Fibre Channel communications, 146
exporting/sharing, NFS (Network File System), 393
ext2/ext3/ext4, Linux file systems, 380
Extended Log File format, 316
extended service set (ESS), 104
Exterior Gateway Protocol (EGP), 72
External Serial Advanced Technology Attachment (eSATA), 498–499
F
fabric topology, Fibre Channel network, 145–146
fan, purchasing server, 138–139
Fast Ethernet
  backbone speed and, 156
  cable categories and, 88
  collision detection, 187
  full-duplex operation and, 187
  selecting network speed, 155
fast hop system, 802.11 FHSS, 105
FAT16
  Linux file systems, 380
  Windows file systems, 356
FAT32
  Linux file systems, 380
  Windows file systems, 356–357
fault tolerance
  backbones, 157–158
  with server clustering, 141–142
  of UTP networks, 175
FC-0 through FC-4 layers, Fibre Channel, 144
FCS (frame check sequence)
  collisions and, 169
  error detection at data link layer, 24
  in Ethernet frame, 183
  in Gigabit Ethernet, 197
FDDI (Fiber Distributed Data Interface)
  backbone speed and, 156
  Ethernet compatibility compared to, 165
  MAC layer, 224–228
  overview of, 220–221
  physical layer, 225
  PMD layer, 224–225
  station management layer, 228–231
  sublayers of, 224
  topology of, 221–224
  types of media access control, 24
FHSS (frequency-hopping spread spectrum), physical layer
  frame, 106–107
  overview of, 104–106
Fiber Distributed Data Interface. See FDDI (Fiber Distributed Data Interface)
fiber-optic cable
  alternative to copper cable, 79
  connectors, 94–95
  construction of, 93–94
  in FDDI, 220
  NIC selection and, 46
  overview of, 93
  physical layer cabling and, 18
  selecting backbone LAN protocol, 158–159
  selecting network medium, 154
fiber-optic Ethernet
  full-duplex operation and, 187
  overview of, 175–176
  physical layer options, 172
Fiber-Optic Inter-Repeater Link (FOIRL), 176
fiber-optic MAU (FOMAU), 176
Fiber-PMD standard, FDDI sublayers, 224
Fibre Channel
  ANSI specification, 199
  HSM, 144–147
  SANs using, 148–149
File Explorer (Windows 8), 482
file permissions
  Unix, 431
  Windows, 425
file servers, 313
file systems
  file permissions, 425
  folder permissions, 424–425
  Linux OSs, 380
  NTFS permissions, 428–430
  protecting with system policies, 478–479
  securing, 421–422
  Unix permissions, 430–431
  user and group permissions, 426–428
  Windows OSs, 356–357
  Windows security model, 422–424
File Transfer Protocol. See FTP (File Transfer Protocol)
files
  backing up open files, 513
  encryption, 459
  HSM. See HSM (hierarchical storage management)
  system policies, 476
  working with Linux files, 383
filters
  backup, 511
  data, 491–492
FIN control, TCP connection termination, 280–281
firewalls
  circuit-level gateways, 445
  combining types of, 445
  NAT, 444
  overview of, 442–443
  packet filters, 443–444
  proxy servers, 444
FireWire (IEEE 1394), 498, 500–501
flow control
  full-duplex Ethernet, 188
  TCP, 280
  at transport layer, 29
flow label, IPv6, 264
FLP (fast link pulse), autonegotiation system and, 194–195
FM (frequency modulated) signals, physical layer, 20
foil twisted-pair (FTP), 92
FOIRL (Fiber-Optic Inter-Repeater Link), 176
folders
  encryption, 459
  Windows permissions, 424–425
FOMAU (fiber-optic MAU), 176
forest root domain, 368
forests, Active Directory
  overview of, 367–368
  planning, 375–376
forwarders, DNS, 294
FQDN (fully qualified domain names), DNS, 287
fractional T-1 service, 120
FRADs (frame-relay access devices), 127–129
fragmentation
  lacking in Linux OSs, 383
  at network layer, 26
  of packets, 70
frame check sequence. See FCS (frame check sequence)
frame relay
  hardware, 127–129
  messaging, 129–130
  overview of, 127
  virtual circuits, 129
frame-relay access devices (FRADs), 127–129
frames
  in 100VG-AnyLAN, 203–205
  802.11 data link layer, 108–110
  802.11 physical layer, 106–108
  802.3 standard, 181–183
  data encapsulation and, 15–17
  Ethernet II frame format, 183
  LCP frame in PPP, 248–250
  MTUs (maximum transmission units), 61
  PPP, 247–248
  role of NICs in constructing, 40
  Token Ring, 218
  writing data to tape drives, 509
FreeBSD, 397–398
frequency-hopping spread spectrum (FHSS), physical layer
  frame, 106–107
  overview of, 104–106
frequency modulated (FM) signals, physical layer, 20
frequency offset, OFDM sensitivity to, 105
front-end architecture, cloud computing, 402–403
ftp command, Unix, 392, 418
FTP (File Transfer Protocol)
  application protocols of TCP/IP suite, 237
  commands, 326–328
  data transfer, 277
  messaging, 331–332
  reply codes, 329–331
  servers, 325–326
  Unix and, 389
  user authentication, 431–432
FTP (foil twisted-pair), 92
full-disk (whole disk) encryption, 459
full-duplex Ethernet
  applications, 188
  flow control, 188
  overview of, 186–187
  requirements for, 187
full-duplex systems
  NIC features, 41–42
  TCP as, 275
full mesh topology, 159–160
fully qualified domain names (FQDN), DNS, 287
G
gateways
  application-level, 444
  circuit-level, 445
GDI (Graphics Device Interface), in Windows OSs, 351
generic flow control (GFC), ATM cells, 133
GFC (generic flow control), ATM cells, 133
giant packets, troubleshooting Ethernet, 201
Gigabit Ethernet
  architecture of, 196
  backbone speed and, 157
  cable categories and, 88–89
  full-duplex operation and, 187
  GMII, 198
  as LAN protocol, 144
  media access control, 196–198
  overview of, 196
  physical coding sublayer, 198
  physical layer options, 199–200
  physical medium sublayers, 199
  selecting network speed, 155
gigabit medium-independent interface (GMII), 198
global catalog server, Active Directory, 369
global domains, 287
global unicast addresses, IPv6, 265
globally unique identifier (GUID)
  assigned to objects, 364
  overview of, 366
GMII (gigabit medium-independent interface), 198
Google, early cloud providers, 400
Graphics Device Interface (GDI), in Windows OSs, 351
group policies, Windows, 359–360
groups
  Unix permissions, 431
  Windows permissions, 426–428
GUID (globally unique identifier)
  assigned to objects, 364
  overview of, 366
H
HAL (hardware abstraction layer), 348
half-duplex Ethernet, 186
handshakes, ISDN communications, 123
hard disk drives (HDDs), 498
hardware
  backup, 497
  cluster networking, 142–143
  cluster storage, 143
  frame relay, 127–129
  ISDN, 123–124
  leased-line, 119–120
  multiprocessing, 140
  Unix requirements, 387
hardware abstraction layer (HAL), 348
hardware addresses. See MAC addresses
HDDs (hard disk drives), 498
HDSL (high-bit-rate digital subscriber line)
  deployed by local telephone carriers, 124–125
  leased-line hardware, 120
header fields
  DNS, 301–303
  HTTP, 319–322
  IP, 256–259
  IPv6, 263–264
  LLC sublayer, 184–185
  TCP, 273–274
  UDP, 271–272
heartbeats, server cluster, 142
hierarchical star, cabling pattern, 7
hierarchical storage management. See HSM (hierarchical storage management)
high-bit-rate digital subscriber line (HDSL)
  deployed by local telephone carriers, 124–125
  leased-line hardware, 120
home networks
  risks related to unsecured home networks, 457–458
  securing wireless networks, 453–455
horizontal networks. See segments
host tables
  overview of, 283
  problems with, 284
hosts, IP addresses identifying network hosts, 238
hotfixes, Windows updates, 347
hot-swappable drives, RAID, 502
hotspots
  creating, 98
  wireless access points, 450
HSM (hierarchical storage management)
  Fibre Channel networking, 144–147
  network storage subsystems, 147–149
  overview of, 143–144
HTML (Hypertext Markup Language)
  founding of World Wide Web and, 399
  overview of, 318
  web servers and, 313
HTTP (Hypertext Transfer Protocol)
  data transfer, 277
  headers, 319–322
  overview of, 318
  requests, 318–319
  responses, 322–325
  web servers and, 313
hubs
  in 10Base-T networks, 175
  in 100Base networks, 191–193
  branching tree configuration of, 212
  configurations, 53
  connecting using crossover cables, 175
  DACs (dual attachment concentrators), 221
  in hierarchical star topology, 7
  MAUs (multistation access units), 52–53
  modular, 55
  overview of, 50
  passive, 50
  repeating, active, and intelligent, 51–52
  stackable, 54–55
  in star topology, 6
  uplink port, 53–54
hybrid cloud, 405
Hypertext Markup Language. See HTML (Hypertext Markup Language)
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
I
I/O Manager, in Windows OSs, 351
IaaS (infrastructure as a service), cloud service models, 405–406
IANA (Internet Assigned Numbers Authority)
  registering IP addresses, 240–241
  well-known ports, 244
IBM Cabling System (ICS) Type 1, Token Ring, 210
IBM data connectors (IDCs), 210
IBSS (independent basic service set), 102
ICANN (Internet Corporation for Assigned Names and Numbers)
  counteracting cybersquatting, 289
  domain registration, 288
ICMP (Internet Control Message Protocol)
  for diagnostics and error reporting, 237
  error messages, 266–270
  overview of, 266
  query messages, 270–271
  routing and, 70–71
ICS (IBM Cabling System) Type 1, Token Ring, 210
IDCs (IBM data connectors), 210
IEEE 802.1D (spanning tree algorithm), 56
IEEE 802.2 standard, 183
IEEE 802.3 standard
  100VG-AnyLAN using 802.3 frames, 204
  Ethernet frame format, 181–183
  Ethernet II compared with, 167–168
  fiber-optic alternatives, 176
  full-duplex Ethernet in 802.3x supplement, 186
  Gigabit Ethernet defined in 802.3z supplement, 196
  history of, 166–167
  link segments and mixing segments, 176
  physical layer specifications, 19
IEEE 802.5 (Token Ring)
  100VG-AnyLAN using 802.5 frames, 204
  comparing Token Ring and Ethernet, 209
IEEE 802.11 standard
  amendments, 106
  data link layer, 110–113
  physical layer frames, 106–108
  physical layer media, 101–106
  physical layer topologies, 101–104
  wireless LAN, 100
IEEE 802.12 standard (100VG-AnyLAN), 202
IEEE 1394 (FireWire) standard, 498, 500–501
IEEE (Institute of Electrical and Electronics Engineers)
  history of, 166–167
  MAC addresses, 23
  networking standards, 10
  registry of NIC manufacturers, 41
  shorthand identifiers for Ethernet networks, 167–168
IETF (Internet Engineering Task Force)
  Kerberos protocol, 432–433
  networking standards, 11
  NFS standard, 393
  object naming conventions, 365
  role in development of Domain Name System, 284–285
IMAP (Internet Message Access Protocol)
  incoming email server, 333–334
  overview of, 341–342
in-transit encryption, 460
incremental backups, 511–513
independent basic service set (IBSS), 102
indication primitives, facilitating communication between OSI layers, 31
Industry Standard Architecture (ISA) bus, 45–46
information format, LLC control field, 185
infrared, physical layer
  frame, 107
  overview of, 104–106
infrastructure as a service (IaaS), cloud service models, 405–406
infrastructure topology
  setting up wireless access points, 451
  WLANs, 101
initial sequence number (ISN), TCP, 274
installing Linux OS, 381
Institute of Electrical and Electronics Engineers. See IEEE (Institute of Electrical and Electronics Engineers)
integral subsystems, in Windows OSs, 351
Integrated Services Digital Network. See ISDN (Integrated Services Digital Network)
interference, wireless networks and, 98
interframe gap shrinkage, in calculating network performance, 178–179
interior gateway routing protocols, 71
intermediate systems, in routing, 261
international (country-code) domains, 289
International Organization for Standardization. See ISO (International Organization for Standardization)
Internet
  leased line application, 120–121
  PSTN lines used for, 118
Internet Assigned Numbers Authority (IANA)
  registering IP addresses, 240–241
  well-known ports, 244
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Corporation for Assigned Names and Numbers (ICANN)
  counteracting cybersquatting, 289
  domain registration, 288
Internet Engineering Task Force. See IETF (Internet Engineering Task Force)
Internet Message Access Protocol (IMAP)
  incoming email server, 333–334
  overview of, 341–342
Internet Protocol Control Protocol (IPCP)
  connection establishment in PPP, 253
  IPCP frame in PPP, 250–251
Internet service providers (ISPs), 241
Internet services
  e-mail, 332
  e-mail addressing, 332–333
  e-mail clients and servers, 333–334
  FTP commands, 326–328
  FTP messaging, 331–332
  FTP reply codes, 329–331
  FTP servers, 325–326
  HTML, 318
  HTTP, 318
  HTTP headers, 319–322
  HTTP requests, 318–319
  HTTP responses, 322–325
  IMAP, 341–342
  MIME, 337–339
  overview of, 313
  POP3, 339
  POP3 authorization state, 339–340
  POP3 transaction state, 340
  POP3 update state, 341
  SMTP, 334
  SMTP commands, 334–336
  SMTP replies, 336–337
  SMTP transactions, 337
  web server functions, 314–317
  web servers, 313
internetwork design
  backbone fault tolerance, 157–158
  backbone options, 157
  connecting to remote networks, 159
  data centers, 161–162
  finalizing, 162
  locating equipment, 160
  overview of, 155
  planning Internet access, 160
  segments and backbones, 155–157
  selecting backbone LAN protocol, 158–159
  selecting WAN protocol, 159–160
  wiring closets, 161
internetworks, LANs and, 8–9
interrupt request line (IRQ), NICs requiring, 47
intersite replication, 372
intrasite replication, 371–372
invasion tools, wireless networks, 458–459
IP addresses
  classes, 240–241
  comparing IPv4 with IPv6, 238
  configuring wireless routers, 451
  functions of IP protocol, 256
  IP versions, 237
  IPv4, 237–239
  IPv4 address classes, 240
  IPv6, 263–264
  IPv6 address structure, 265
  IPv6 address types, 264–265
  network addressing, 8
  in packet delivery, 256
  registering, 239–240
  resolving domain names to, 294–296
  resolving MAC addresses to, 237
  reverse name resolution, 297
  special addresses, 241–242
  subnet masks, 239
  subnetting, 242–243
  unregistered addresses, 241
IP (Internet Protocol)
  addressing, 256
  defined, 237
  fragmenting datagrams, 259–260
  header fields, 256–259
  overview of, 255–256
  packaging datagrams, 256
  routers and, 63
  routing, 25, 261–262
  versions, 237
ipconfig command, 490
IPCP (Internet Protocol Control Protocol)
  connection establishment in PPP, 253
  IPCP frame in PPP, 250–251
IPsec
  Authentication Header protocol, 438–439
  Encapsulating Security Payload protocol, 439–440
  encryption and, 460
  overview of, 436–437
IRQ (interrupt request line), NICs requiring, 47
ISA (Industry Standard Architecture) bus, 45–46
ISDN (Integrated Services Digital Network)
  communications, 122–123
  DSL speed vs., 124
  hardware, 123–124
  overview of, 121–122
  router applications, 64
  services, 122
  SONET at physical layer of broadband, 136
ISN (initial sequence number), TCP, 274
ISO (International Organization for Standardization)
  networking standards, 10
  role in development of OSI model, 13
  session layer protocols, 30
ISPs (Internet service providers), 241
ITU-T (Telecommunication Standardization Sector of the International Telecommunication Union)
  role in development of OSI model, 13
  X.509 standard for certificates, 435
J
jabbering
  malfunctioning network interface, 170
  troubleshooting Ethernet, 201
jam patterns, collisions and, 169
jitter, Token Ring monitors reducing, 216
journaling, Linux OSs, 383
K
KCC (Knowledge Consistency Checker), 371–372
KDC (Key Distribution Center), 433–434
Kerberos
  authentication mechanisms, 432–433
  ticket exchange in authentication, 433–434
kernel mode components, Windows, 348–351
kernel module, Unix, 387
Key Distribution Center (KDC), 433–434
keys, Windows registry, 357
Knowledge Consistency Checker (KCC), 371–372
Korn shell (ksh), Unix, 388
L
labels, DNS name notation, 305
LAMs (lobe attachment modules), Token Ring, 212
LANs (local area networks)
  data centers joining, 161–162
  firewalls and, 442
  internetworks, 8–9
  overview of, 3–4
  router applications and, 64
  selecting backbone LAN protocol, 158–159
  WAN bridges/routers connections to, 113–114
  wide area networks compared with, 9–10
  wireless. See WLANs (wireless LANs)
  workgroups, 5
LAPD (Link Access Procedure for D Channel), 123, 129
LAPF (Link Access Procedure for Frame-mode Bearer Services), 129
laptop computers, NIC selection and, 46
last-mile technologies, ISDN and DSL, 121
late (out-of-window) collisions, 171, 201
latency buffer, in Token Ring, 216
latency, minimizing during directory replication, 371
Layer 3 switching, 76–77
Layer 4 switching, 77
LC (local or Lucent connector), use with fiber-optic cable, 94
LCP (Link Control Protocol), 248–250
LCW (link code word), 195
LDAP (Lightweight Directory Access Protocol)
  DN notation, 366
  object naming conventions, 365
  working with Active Directory, 363
leaf objects, Active Directory, 364–365
learning bridges. See transparent bridging
leased lines, WANs
  applications, 120–121
  hardware, 119–120
  overview of, 118–119
  types of, 119–120
legacy devices, 49
length field, in Ethernet frame, 182
Lightweight Directory Access Protocol. See LDAP (Lightweight Directory Access Protocol)
linear access, on magnetic tape, 507
Link Access Procedure for D Channel (LAPD), 123, 129
Link Access Procedure for Frame-mode Bearer Services (LAPF), 129
link code word (LCW), 195
Link Control Protocol (LCP), 248–250
Link Dead phase, PPP connections, 251
link-local addresses, IPv6, 265
Link Open phase, PPP connections, 253
link quality monitoring, PPP connections, 252
link segments
  connecting bus, 54
  IEEE 802.3 standard for segments, 176
Link Termination phase, PPP connections, 253
Linux OSs
  advantages/disadvantages, 378–379
  booting and logging out, 381
  commands, 381–383
  directory structure, 381
  distributions, 377–378
  drive mappings, 469–470
  file system, 380
  hosts file, 283
  installation, 381
  overview of, 377
  routing tables, 67
  selecting computers for SOHO design, 153–154
  setting environment variables, 468
  working with files, 383
LLC (logical link control) sublayer
  100VG-AnyLAN sublayers, 203
  applications, 186
  Gigabit Ethernet, 196
  header fields, 184–185
  IEEE 802.3 standard, 167
  overview of, 183–184
load balancing
  backbones and, 158
  DNS, 296
  server clustering for, 141–142
lobe attachment modules (LAMs), Token Ring, 212
lobe cable, Token Ring, 210
local area networks. See LANs (local area networks)
Local Group Policy Editor, 475
local or Lucent connector (LC), use with fiber-optic cable, 94
local procedure call (LPC) facility, in Windows OSs, 350–351
Local Security Authority (LSA), Windows security model, 422
logical (collapsed) ring, Token Ring, 210
logical link control sublayer. See LLC (logical link control) sublayer
logical topology, physical topology compared with, 8
login/logout, Linux, 381
login, Windows, 422
logs
  Common Log File format, 315–316
  event logs, 515–516
  Extended Log File format, 316
  Windows security model, 422
loop topology, Fibre Channel network, 145
loopback state, Token Ring MAUs, 212
LPC (local procedure call) facility, in Windows OSs, 350–351
LSA (Local Security Authority), Windows security model, 422
M
MAC addresses
  data link layer and, 23
  in Ethernet frame, 182
  network addressing, 8
  parts in assigning, 41
  resolving to IP addresses, 237
  risks related to unsecured home networks, 458
MAC (media access control)
  100VG-AnyLAN sublayers, 203–204
  comparing Token Ring and Ethernet, 209
  CSMA/CD and, 166
  FDDI sublayers, 224–228
  frames, 108–110
  for full-duplex flow control, 188
  Gigabit Ethernet, 196–198
  IEEE 802.3 standard, 167
  networking and, 8
  NIC functions, 40
  overview of, 110–111
  physical layer specifications, 19
  securing business networks, 455
  securing home networks, 454
Macintosh clients
  connecting to Windows networks, 415–418
  overview of, 415
Macintosh OSs
  mapping Windows drive in, 470
  routing tables, 67
  selecting computers for SOHO design, 153–154
  setting environment variables, 468
magnetic tape
  capacity, 508–509
  drive interfaces, 507–508
  drives, 507
  planning backups, 497
  write errors, 510
mail exchanger (MX)
  DNS resource records, 292
  email addressing and, 333
mainframe computers, 399
malware
  anti-malware, 456
  risks related to unsecured home networks, 458
management
  getting approval for network design, 153
  tools. See utilities
management frames, 802.11 at MAC layer, 108–110
Manchester encoding scheme
  Ethernet signals, 210
  overview of, 21
mandatory profiles
  creating, 473
  defined, 470
MANs (metropolitan area networks), 10
mapping
  disk drives, 468–470
  transport layer services to network layer services, 28
massively parallel processing (MPP), 140
master server, DNS servers, 300
matrix switching, hardware configuration for switches, 74
MAUs (medium attachment units). See also transceivers
  fiber-optic (FOMAU), 176
  for ThickNet cabling, 173
MAUs (multistation access units)
  cabling Token Ring networks, 50
  compared with hubs, 52–53
  system capability for joining Token Ring, 214–215
  in Token Ring, 210–213
maximum collision diameter, Ethernet cabling and, 177
maximum segment size (MSS), TCP, 277–278
maximum transmission units. See MTUs (maximum transmission units)
MDI (medium dependent interface)
  100VG-AnyLAN, 206
  connecting MAU to cable, 173
MDI (multiple-document interface), loading multiple MMC snap-ins, 372
media
  physical layer, 101, 104–106
  rotating backup media, 514–515
media access control. See MAC (media access control)
medium dependent interface (MDI)
  100VG-AnyLAN, 206
  connecting MAU to cable, 173
medium-independent interface (MMI) sublayers, 206
memory, purchasing server, 139
message format, DNS, 301
message notation, DNS, 305–307
messages, PDUs at application layer, 17
messaging, frame relay, 129–130
metropolitan area networks (MANs), 10
Microsoft Management Console (MMC)
  creating/configuring sites, 373–375
  managing Active Directory, 372–373
Microsoft Services for Macintosh, 418
Microsoft technical support, 347–348
middleware, cloud computing and, 404
MIME (Multipurpose Internet Mail Extensions)
  content types, 339
  encoding data for inclusion in email messages, 337–339
mirrored disk, cluster storage hardware, 143
mixing segments
  connecting bus, 54
  IEEE 802.3 standard, 176
MLT-3 (Multi-Level Transition), 225
MMC (Microsoft Management Console)
  creating/configuring sites, 373–375
  managing Active Directory, 372–373
MMI (medium-independent interface) sublayers, 206
mobile devices, securing, 456–457
modular hubs
  hub configurations, 53
  overview of, 55
monitors, Token Ring
  contention, 216
  monitor setting bit, 213
  overview of, 216–218
mount commands, Unix, 395
mounting remote file systems, 393
MPP (massively parallel processing), 140
MPR (multiprovider router), Windows OSs, 354–355
MS-DOS, 412
MSAs (multisource agreements), LLC sublayer functions, 184
MSAU (multistation access unit), in ring topology, 6
MSS (maximum segment size), TCP, 277–278
MTUs (maximum transmission units)
  datagram fragmenting and, 259
  frame size and, 61
  translational bridging and, 62
Multi-Level Transition (MLT-3), 225
multicast addresses
  Class D IP addresses, 241
  in Ethernet frame, 182
  IPv6, 264
multihomed systems
  defined, 63
  IP addresses and, 238
multimaster data synchronization, 370–371
multimode fiber-optic cable, 93–94, 145
multiple access phase, in CSMA/CD, 169
multiple-document interface (MDI), loading multiple MMC snap-ins, 372
multiple-layer switching, 77
multiple master replication, deploying Active Directory, 370
multiple UNC provider (MUP), Windows, 354
multipoint repeaters, Ethernet hubs, 51
multiport repeaters, star networks and, 9
multiprovider router (MPR), Windows OSs, 354–355
Multipurpose Internet Mail Extensions (MIME)
  content types, 339
  encoding data for inclusion in email messages, 337–339
multisource agreements (MSAs), LLC sublayer functions, 184
multistation access unit (MSAU), in ring topology, 6
multistation access units. See MAUs (multistation access units)
MUP (multiple UNC provider), Windows, 354
MX (mail exchanger)
  DNS resource records, 292
  email addressing and, 333
N
NaaS (network as a service), cloud service models, 408
name registration, DNS, 299–300
name resolution. See also DNS (Domain Name System)
  messages, 307–309
  process, 294–296
  reverse name resolution, 297–298
name server (NS), DNS resource records, 292
NAS (network attached storage)
  backup hardware, 497
  backups, 506–507
  defined, 144
  overview of, 147–148
NAT (network address translation)
  firewalls and, 442
  IP features, 237
  overview of, 444
National Center for Supercomputing Applications (NCSA), 315–316
National Institute of Standards and Technology (NIST), 406
NAUN (nearest active upstream neighbor), Token Ring, 217
NAV (network allocation vector), CSMA/CA, 111
NCPs (Network Control Protocols), in PPP, 250–251, 253
NCSA (National Center for Supercomputing Applications), 315–316
NDIS (Network Driver Interface Specification)
  Mac drivers, 353
  Windows drivers, 413–414
  Windows networking and, 352–353, 411–412
  wrapper, 353
near-end crosstalk, DSL service, 124
near end crosstalk (NEXT), cable categories and, 88
nearest active upstream neighbor (NAUN), Token Ring, 217
nearline storage, HSM, 143
negative caching, DNS servers, 296
NET commands, Windows OSs
  from command prompt, 485
  drive mapping with NET USE, 468–469
  list of, 484
  overview of, 482–483
NetBEUI (NetBIOS Extended User Interface)
  session layer protocols, 30
  Windows networking architecture based on, 412
NetBIOS (Network Basic Input/Output System)
  APIs that work with Windows OSs, 355
  comparing DNS and Active Directory, 368
  session layer protocols, 30
NetBSD, 398
netstat command
  displaying network traffic statistics with, 488–490
  displaying routing tables, 67
NetWare clients, 415
network adapters
  integrated, 46
  wireless, 447
network address translation. See NAT (network address translation)
network administration. See administration
network allocation vector (NAV), CSMA/CA, 111
network analyzers
  agents, 492
  analyzing protocols with, 493
  analyzing traffic with, 492
  overview of, 490–491
network as a service (NaaS), cloud service models, 408
network attached storage. See NAS (network attached storage)
Network Basic Input/Output System. See NetBIOS (Network Basic Input/Output System)
network clients
  accessing Unix systems, 418–419
  applications for Unix clients, 418
  connecting Mac clients to Windows networks, 415–418
  Mac clients, 415
  NDIS drivers for Windows clients, 413–414
  NetWare clients, 415
  overview of, 411
  protocol drivers for Windows clients, 414
  Unix clients, 418
  Windows 7 interface, 419–420
  Windows 8 interface, 420
  Windows client services, 414–415
  Windows clients, 411–412
  Windows network architecture, 412–413
network communication security. See communication security
Network Control Protocols (NCPs), in PPP, 250–251, 253
Network Driver Interface Specification. See NDIS (Network Driver Interface Specification)
Network File System. See NFS (Network File System)
Network Information Center (NIC), maintaining registry of host names, 284
network interface
  jabbering, 170
  NIC selection and, 44
network interface adapters. See NICs (network interface cards)
network interface cards. See NICs (network interface cards)
network layer, of OSI model
  connection-oriented and connectionless protocols, 26–27
  fragmenting, 26
  ISDN communications at, 123
  overview of, 25
  routing, 25–26
network layer protocol connection establishment, functions of PPP, 246
network medium, selecting for SOHO network design, 154–155
network security. See security
network segments. See segments
network storage appliance
  defined, 147
  NAS and, 506
network storage subsystems
  NAS, 147–148
  overview of, 147
  SANs, 148–149
Network-to-Network Interface (NNI), ATM, 133
networking stack. See protocol stack
networks, introduction
  addressing, 8
  baseband vs. broadband, 4
  cables and topologies, 5–8
  client-server architecture, 11
  local area networks, 3–4
  media access control, 8
  operating systems and applications, 11–12
  overview of, 3
  packet switching vs. circuit switching, 4–5
  protocols and standards, 10–11
  repeaters, bridges, switches, and routers, 8–9
  wide area networks, 9–10
NEXT (near end crosstalk), cable categories and, 88
NFS (Network File System)
  NAS using, 147–148
  Unix clients and, 418–419
  Unix OSs, 393–395
NIC (Network Information Center), maintaining registry of host names, 284
NICs (network interface cards)
  addressing and, 8
  features, 41–42
  functions, 40–41
  hardware resource requirements, 47–48
  OUIs (organizationally unique identifiers), 182
  overview of, 39
  selecting, 43–46
  Token Ring, 211
  wireless, 447
NIST (National Institute of Standards and Technology), 406
NLP (normal link pulse), 194
NNI (Network-to-Network Interface), ATM, 133
Non-Return to Zero Inverted (NRZI), FDDI signaling scheme, 225
nonrepudiation, IPsec features, 437
normal link pulse (NLP), 194
NOSs (network operating system)
  Active Directory. See AD (Active Directory)
  client-server architecture and, 11
  cloud-based. See cloud
  historical systems, 397–398
  Linux. See Linux OSs
  Unix. See Unix OSs
  Windows. See Windows OSs
NRZI (Non-Return to Zero Inverted), FDDI signaling scheme, 225
NS (name server), DNS resource records, 292
nslookup utility, 490
NT1 (Network Termination 1), ISDN, 123–124
NTFS
  Linux file systems, 380
  permissions, 428–430
  Windows file systems, 357
  Windows network clients, 411
O
object handles, referencing objects in Windows, 349–350
Object Manager, 349–350
objects
  defined, 364
  naming, 365–367
  types in Active Directory, 364–365
  Windows Object Manager, 349–350
octets, IPv4 addresses, 265
OFDM (orthogonal frequency division multiplexing)
  frame, 107–108
  overview of, 105–106
open files, backing up, 513
Open Shortest Path First (OSPF), 72
open source
  advantages/disadvantages of Linux, 379–380
  Linux OSs, 377–378
Open Systems Interconnection model. See OSI (Open Systems Interconnection) model
OpenBSD, 398
operating systems. See OSs (operating systems)
Oracle Solaris, 398
organizational units (OUs), Active Directory container objects, 364
organizationally unique identifiers (OUIs), 182
orthogonal frequency division multiplexing (OFDM)
  frame, 107–108
  overview of, 105–106
OSI (Open Systems Interconnection) model
  application layer, 34–35
  communication between layers of, 14
  data encapsulation and, 14–16
  data link layer of, 22–24
  encapsulation terminology, 17–18
  facilitating communication between OSI layers, 30–31
  horizontal communication, 16
  network layer, 25–27
  networking protocols and, 10
  overview of, 13–14
  physical layer of, 18–22
  presentation layer, 33–34
  session layer, 30–33
  transport layer, 27–30
  vertical communication, 17
  Windows networking architecture and, 413
OSPF (Open Shortest Path First), 72
OSs (operating systems)
  administering server-based, 464
  network operating systems. See NOSs (network operating system)
  overview of, 11–12
OUIs (organizationally unique identifiers), 182
OUs (organizational units), Active Directory container objects, 364
out-of-window (late) collisions, 171, 201
P
PaaS (platform as a service), cloud service models, 406–407
packet bursting, Gigabit Ethernet, 197
packet collisions. See also collisions, 169
packet filtering
  defined, 55–56
  firewalls and, 443–444
packet switching
  circuit switching compared with, 4–5
  WAN services, 126–127
packets
  discarding, 70
  encapsulation terminology, 17
  fragmentation of, 70
  IP addresses for packet delivery, 256
  segmentation and reassembly at transport layer, 29
  understanding, 4–5
padding
  attaining allowable length of Ethernet frame, 182–183
  Gigabit Ethernet, 197
PAM (Pulse Amplitude Modulation), in 1000Base-T, 200
PAP (Password Authentication Protocol), 250
parallel detection, autonegotiation system and, 195
parallel processing, 139–140
parallel/serial conversion, NIC functions, 40–41
Parallel Tasking, NIC features, 42
parity, RAID varieties and, 505–506
pass-through service
  presentation layer, 33
  UDP as, 271
passive hubs, 50
Password Authentication Protocol (PAP), 250
passwords
  risks related to unsecured home networks, 458
  securing home networks, 453
  vulnerabilities, 459
patch cable, Token Ring, 210
patch releases, Windows updates, 347
pathping, 487
pause-time, full-duplex flow control, 188
payload, ATM, 134
PBX (private branch exchange)
  ISDN communications at data link layer, 123
  leased lines, 118
PCI (Peripheral Component Interconnect) bus, 45–46
PCS (physical coding sublayer), Gigabit Ethernet, 198–199
PDUs (protocol data units)
  data encapsulation and, 15, 17
  LLC sublayer functions, 184
  LLC control field and, 185
peer-to-peer network
  802.11 ad hoc topology operating as, 102
  Unix as, 389
  Windows as, 345
performance, calculating performance over Ethernet, 178–179
Peripheral Component Interconnect (PCI) bus, 45–46
permanent virtual circuits (PVC)
  ATM, 134
  frame relay, 129
permissions
  file permissions, 425
  file system security, 421–422
  folder permission, 424–425
  NTFS, 428–430
  Unix, 430–431
  user and group permissions, 426–428
  Windows security model, 422–424
personal identification number (PIN), in token-based authentication, 435–436
phantom voltage, Token Ring MAUs, 212
phase loop lock (PLL) circuits, 20
physical characteristics, wired vs. wireless networks, 99
physical coding sublayer (PCS), Gigabit Ethernet, 198–199
physical environment, accessing wireless networks, 98
physical layer, OSI model
  100Base Ethernet options, 189–191
  802.11 frames, 106–108
  802.11 media, 101–106
  802.11 topologies, 101–104
  Ethernet guidelines, 171–172
  FDDI sublayer, 224–225
  Fibre Channel, 145
  Gigabit Ethernet options, 199–200
  interface between data link and physical layers, 198
  overview of, 18–19
  signaling, 19–22
  specifications, 19
  Token Ring, 209–210
physical medium attachment (PMA), 199
physical medium dependent. See PMD (physical medium dependent)
physical medium-independent (PMI), 203, 205–206
physical medium sublayers, Gigabit Ethernet, 199
physical topology, logical topology compared with, 8
PIN (personal identification number), in token-based authentication, 435–436
ping utility
  ICMP and, 266
  implementing from command-line, 485–486
  overview of, 483
  parameters, 486–487
  Unix and, 389
pipe (|), joining tools, 386
PKI (public key infrastructure)
  digital certificates, 434–435
  Kerberos and, 432–433
  overview of, 433–434
plain old telephone service. See POTS (plain old telephone service)
plaintext, risks related to unsecured home networks, 458
planning
  internetwork design, 160
  network design. See designing networks
platform as a service (PaaS), cloud service models, 406–407
plenum, for cabling, 80
PLL (phase loop lock) circuits, 20
plug-and-play, NIC selection and, 47
PMA (physical medium attachment), 199
PMD (physical medium dependent)
  100VG-AnyLAN sublayers, 203
  FDDI sublayer, 224–225
  overview of, 199
PMI (physical medium-independent), 203, 205–206
point of presence. See POP (point of presence)
Point-to-Point Protocol. See PPP (Point-to-Point Protocol)
point-to-point protocols
  PPP. See PPP (Point-to-Point Protocol)
  SLIP. See SLIP (Serial Line Internet Protocol)
point-to-point topology, Fibre Channel network, 145
polar signaling, physical layer signaling, 21
policies
  securing business networks, 455
  Windows security model, 422
POP (point of presence)
  frame-relay connection to nearest, 127
  ISDN and DSL using, 121
  ISDN hardware and, 123
  leased lines, 118
POP3 (Post Office Protocol version 3)
  authorization state, 339–340
  incoming email server, 333–334
  overview of, 339
  transaction state, 340
  update state, 341
portable computing, NIC selection and, 46
ports
  connecting workstations to FDDI network, 222
  TCP/IP, 244
Post Office Protocol version 3. See POP3 (Post Office Protocol version 3)
POTS (plain old telephone service)
  DSL and, 121, 124–125
  ISDN and, 121
  WAN connections, 117–118
power supplies
  NIC selection and, 47
  purchasing servers, 138
PPP (Point-to-Point Protocol)
  authentication protocols in, 250
  connection establishment, 251–253
  frame format, 247–248
  LCP frame in, 248–250
  for link layer communication, 237
  network control protocols in, 250–251
  overview of, 246–247
  selecting network protocol, 154
preamble, in Ethernet frame, 181
presentation context identifier, 34
presentation layer, of OSI model, 33–34
Presentation Service Access Point (PSAP), 33
PRI (Primary Rate Interface), ISDN, 122
primary master role, DNS servers, 300
private branch exchange (PBX)
  ISDN communications at data link layer, 123
  leased lines, 118
private cloud, 405
private keys, 433
Process and Thread Manager, in Windows, 350
processes, Windows OSs, 349
processors
  purchasing server, 139
  using multiple, 139–143
programmed I/O, for data transfer, 40
programs, Unix, 387–388
promiscuous mode
  bridges and, 55
  network analyzers and, 194
  risk of operating in, 458
properties, cable, 79–81
protocol analyzers. See network analyzers
protocol data units. See PDUs (protocol data units)
protocol stack
  OSI model, 13
  overview of, 10
  TCP/IP model, 14
protocols
  application layer, 34
  ATM adaption layer, 135
  classes of transport layer protocols, 28
  connection-oriented and connectionless, 26–27
  data link protocol in NIC selection, 43
  defined, 235
  Fibre Channel, 144–145
  networking standards and, 10–11
  protocol drivers supporting Windows clients, 414–415
  routing protocols, 71–72
  selecting backbone LAN protocol, 158–159
  selecting for SOHO network design, 154
  selecting WAN protocol, 159–160
  session layer, 30
  TCP/IP protocol stack, 236–237
  topologies contrasted with, 22
  transport layer, 27–28
protocols, networking
  Ethernet. See Ethernet
  FDDI. See FDDI (Fiber Distributed Data Interface)
  Token Ring. See Token Ring
proxy servers (application-level gateways), 444
PSAP (Presentation Service Access Point), 33
PSTN (public switched telephone network), 117–118
PTI (payload type identifier), ATM cells, 133
PTR (pointer), DNS resource records, 292
public cloud, 404–405
public key infrastructure. See PKI (public key infrastructure)
public keys, 433
public switched telephone network (PSTN), 117–118
Pulse Amplitude Modulation (PAM), in 1000Base-T, 200
PVC (permanent virtual circuits)
  ATM, 134
  frame relay, 129
Q
QCLASS field, DNS resource records, 306–307
QTYPE field, DNS resource records, 305–306
quanta, full-duplex flow control, 188
quartet signaling, in 100VG-AnyLAN, 202, 205
query messages, ICMP, 270–271
Question section, of DNS messages, 303
R
r* commands, Unix, 390
RA (receiver address), MAC frame address field, 110
radio frequency (RF), wireless access points and, 450
RADIUS (Remote Authentication Dial-In User Service), 456
RADSL (rate adaptive digital subscriber line), 125
RAID 0 (disk striping), 503
RAID 1 (disk mirroring and duplexing), 504
RAID 2 (Hamming ECC), 504–505
RAID 3 (parallel transfer with shared parity), 505
RAID 4 (independent data disks with shared parity), 505
RAID 5 (independent data disks with distributed parity), 505
RAID 6 (independent data disks with two-dimensional parity), 505–506
RAID 7 (asynchronous RAID), 506
RAID 10 (striping of mirrored disks), 506
RAID (Redundant Array of Inexpensive Disks)
  backup hardware, 497
  overview of, 502–503
  varieties of, 503–506
range extender, adding to router or access point, 448
Rapid Spanning Tree Protocol (RSTP), 57
rate adaptive digital subscriber line (RADSL), 125
rcp command, Unix, 391–392
RD (receive data), 53
RDN (relative distinguished names), 365–367
reassembly, of packets at transport layer, 29
receive data (RD), 53
receiver address (RA), MAC frame address field, 110
recovery/restore. See disaster recovery
redirect, ICMP error messages, 269
redundancy, lacking in cloud services, 402
Redundant Array of Inexpensive Disks. See RAID (Redundant Array of Inexpensive Disks)
referrals, DNS, 293
ReFS (Resilient File System), 357
registry
  controlling workstation registry, 474
  keys and values, 358
  overview of, 357
  registry editors, 360
registry editors
  locking down Windows interface with system policies, 478
  Registry Editor (regedit.exe), 360
registry hive, user profiles and, 470–471
relative distinguished names (RDN), 365–367
reliability, wired vs. wireless networks, 99
remote administration, web servers, 317
Remote Authentication Dial-In User Service (RADIUS), 456
remote commands, Unix, 390–392, 418
remote networks, connecting to, 159
Remote Update, deploying system policies, 479
repeat state, Token Ring, 215
repeater media access control (RMAC), 203–205
repeaters
  adding to router or access point, 448
  defined, 9
  overview of, 49–50
  repeating, active, and intelligent hubs, 51–52
replay prevention, IPsec, 437
replication. See directory replication
reply codes
  FTP, 329–331
  SMTP, 336–337
request for comments (RFCs)
  PPP standards, 247
  TCP/IP standards, 236
requests, HTTP
  overview of, 318–319
  request header fields, 320–321
Resilient File System (ReFS), 357
resolvers, DNS
  generating DNS queries, 293
  overview of, 285
resource records. See RRs (resource records)
responses, HTTP
  client error codes, 324–325
  informational codes, 322–323
  overview of, 322
  redirection codes, 323–324
  response header fields, 321
  server error codes, 325
  successful codes, 323
reverse name resolution, DNS, 297–298
RF (radio frequency), wireless access points and, 450
RFCs (request for comments)
  PPP standards, 247
  TCP/IP standards, 236
RG-8 coaxial cable
  run lengths, 156
  ThickNet using, 85, 172
RG-58 cable, ThinNet using, 85–86, 173–174
RIF (routing information field), source route bridging, 60, 63
RII (routing information indicator), source route bridging, 60
ring error monitor, Token Ring, 218
ring polling, identifying nearest Token Ring neighbor, 217
ring topology
  cabling patterns, 6
  double-ring in FDDI, 221
  selecting WAN protocol for internetwork design, 160
  in Token Ring, 209–210
RIP (Routing Information Protocol), 72
RJ-45 connectors
  network interface in NIC selection, 44
  straight through wiring and, 53
  twisted pair cable using, 89
  use with hubs, 50
rlogin command, Unix, 390–391
RMAC (repeater media access control), 203–205
roaming profiles
  creating, 472–473
  defined, 470
root bridges, 56
root name servers, DNS
  discovery, 309–310
  overview of, 294
root partition, Linux, 383
root path costs, 56
round-trip signal delay time
  in 100Base Ethernet, 193–194
  calculating, 178–179
round-trip time, TCP, 280
route command
  creating static entries in routing table, 68
  displaying routing tables, 67
  viewing/working with routing tables, 488
route selection, 69
Router Advertisement, ICMP query messages, 270–271
Router Solicitation, ICMP query messages, 270
routers
  applications, 64–65
  connecting LANs to WANs, 113–114
  defined, 9
  functions, 65–66
  handling datagram fragments, 260
  Internet Control Message Protocol routing functions, 70–71
  overview of, 63
  packet management, 70
  passing traffic between networks, 238–239
  route selection, 69
  routing protocols, 71–72
  routing tables, 66–68
  routing vs. switching, 75
  static and dynamic routing, 68–69
routers, wireless
  configuring, 451–453
  overview of, 448
  securing, 456
  types of, 448–450
routing
  ICMP and, 70–71
  at network layer, 25–26
  overview of, 261–262
  protocols, 71–72
  route selection, 69
  static and dynamic, 68–69
Routing and Remote Access Server, 69
routing information field (RIF), source route bridging, 60, 63
routing information indicator (RII), source route bridging, 60
Routing Information Protocol (RIP), 72
routing tables
  overview of, 66
  parsing, 67–68
  viewing/working with, 488
  Windows or Linux systems, 67
RPC procedures, in NFS versions, 394
RRs (resource records)
  email addressing and, 333
  Resource Record section of DNS message, 303–305
  types of, 292–293, 305–306
rsh command, Unix, 391
RSTP (Rapid Spanning Tree Protocol), 57
RTS (request-to-send) messages, CSMA/CA, 111
runt packets
  defined, 171
  troubleshooting Ethernet, 201
S
S-DISCONNECT primitive, 32
S-EXPEDITED primitive, 32
S-RELEASE primitive, 32
S-SYNC-MAJOR primitive, 33
S-SYNC-MINOR primitive, 32
S-TOKEN-GIVE primitive, 32
S-TOKEN-PLEASE primitive, 32
SA (source address)
  in Ethernet frame, 181
  MAC frame, 110
SaaS (software as a service), cloud service models, 407–408
Salesforce.com, early cloud providers, 399–400
SAM (Security Accounts Manager), 422–424
SANs (system area networks)
  defined, 144
  Fibre Channel association with, 144
  overview of, 148–149
  server clustering, 142
SAR (segmentation and reassembly layer), ATM adaption layer, 135
SASs (single-attachment stations), FDDI topology, 221–223
SC (subscriber, standard, or Siemon connector), use with fiber-optic cable, 94
scalability, advantages/disadvantages of Linux, 378–379
scheduling backups, 514
screened subnet firewalls, 445
ScTP (screened twisted pair), 92
SDH (Synchronous Digital Hierarchy), 136
SDSL (symmetrical digital subscriber line), 125
SEAL (Simple and Efficient Adaptation Layer), 135
second-level domains, 289–290
secondary (slave) master role, DNS servers, 300
secret key cryptography, 433
secure shell commands, Unix, 392
Secure Sockets Layer. See SSL (Secure Sockets Layer)
security
  Authentication Header protocol, 438–439
  circuit-level gateways, 445
  communication security, 436
  digital certificates, 434–435
  disadvantages of cloud computing, 401
  Encapsulating Security Payload protocol, 439–440
  file permissions, 425
  file system security, 421–422
  firewalls, 442–443, 445
  folder permission, 424–425
  FTP user authentication, 432
  IPsec, 436–437
  Kerberos protocol for, 432–433
  NAT, 444
  NTFS permissions, 428–430
  overview of, 421
  packet filters, 443–444
  PKI, 433–434
  proxy servers, 444
  SSL, 440–442
  token-based and biometric authentication, 435–436
  Unix file system permissions, 430–431
  user and group permissions, 426–428
  user authentication, 431–432
  Windows security model, 422–424
  wired vs. wireless networks, 99
Security Accounts Manager (SAM), 422–424
security extensions, IPv6, 264
security identifiers (SIDs), 350
security policies, 455
Security Reference Monitor, in Windows OSs, 350
security, wireless
  encryption and, 459–461
  invasion tools and vulnerabilities, 458–459
  risks related to unsecured home networks, 457–458
  securing business network, 455–456
  securing home network, 453–455
  securing mobile devices, 456–457
  securing wireless routers, 456
segmentation and reassembly layer (SAR), ATM adaption layer, 135
segmentation, of packets at transport layer, 29
segments
  bridge loops, 58–59
  cables, 4
  Ethernet options, 176
  in internetwork design, 155–157
  IPv6 address structure, 265
  mixing and link segments, 54
  TCP, 17, 272
self-timing, physical layer signaling, 21
sequences
  Fibre Channel communications, 146
  TCP, 17, 272
Serial Line Internet Protocol. See SLIP (Serial Line Internet Protocol)
Server service, Windows OSs, 355
servers, 333–334
  administering server-based applications, 464–465
  administering server-based operating systems, 464
  client-server architecture, 11
  DNS. See DNS servers
  FTP, 325–326
  hierarchical storage management. See HSM (hierarchical storage management)
  HTTP server error codes, 325
  Internet servers, 313
  multiprocessing, 139–143
  NAS, 147–148
  NIC selection and, 48
  overview of, 137
  purchasing, 137–139
  SAN, 148–149
  web servers, 313–317
service classes, Fibre Channel, 146–147
service-dependent filtering, packet filters, 443
service-independent filtering, packet filters, 443
service packs, Windows, 347
service request primitives, 30–33
service set identifier. See SSID (service set identifier)
services
  Internet. See Internet services
  ISDN, 122
  WAN switching, 125–127
services, Windows OSs
  NDIS, 352–353
  overview of, 352
  Server service, 355
  TDI, 353–354
  Workstation service, 354–355
session layer, of OSI model
  dialog control, 31–32
  dialog separation, 32–33
  overview of, 30–31
Session Service Access Point (SSAP), 33
shared disk, cluster storage hardware, 143
shared memory
  data transfer technologies, 40
  hardware configuration for switches, 75
shared nothing, cluster storage hardware, 143
shells, Unix
  overview of, 387–388
  secure shell commands, 392
shielded cables, 81
shoe-shining, delay in writing data to tape drives, 509
shortcut trusts, between child domains, 376
SIDs (security identifiers), 350
signal booster, adding to router or access point, 448
signal quality errors (SQE), 169
signaled errors, error detection at transport layer, 29
Simple and Efficient Adaptation Layer (SEAL), 135
Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)
Simple Network Management Protocol (SNMP), 52
single-attachment stations (SASs), FDDI topology, 221–223
single-band routers, 448–449
single master replication, 370
single mode fiber-optic cable, 93–94, 145
site link bridge objects, 374
site link objects, 374
sites, Active Directory
  creating/configuring, 373–375
  intersite replication, 372
  intrasite replication, 371–372
  overview of, 370–371
sliding window flow control, TCP, 280
SLIP (Serial Line Internet Protocol)
  for link layer communication, 237
  overview of, 245–246
  shortcomings of, 246
slot time (contention time), collisions and, 169
slow hop system, 802.11 FHSS, 105
small office/home office network design
  overview of, 153
  selecting computers, 153–154
  selecting network medium, 154–155
  selecting network speed, 155
  selecting protocols, 154
smart cards, for token-based authentication, 435–436
SMP (symmetric multiprocessing)
  hardware and software, 140–141
  overview of, 140
SMT (station management) layer, FDDI, 224, 228–231
SMTP (Simple Mail Transfer Protocol)
  application protocols of TCP/IP suite, 237
  commands, 334–336
  overview of, 334
  receiving outgoing email messages via, 333–334
  replies, 336–337
  support for site links, 374
  transactions, 337
snap-ins, MMC, 372–373
SNAP (Subnetwork Access Protocol), 186
SNMP (Simple Network Management Protocol), 52
SOA (start of authority), DNS resource records, 292
sockets, combining IP address and port, 244
software
  for backups, 510–513
  multiprocessing, 140
software as a service (SaaS), cloud service models, 407–408
SOHO design. See small office/home office network design
SONET (Synchronous Optical Network), 136
sort command, Unix, 386
source address (SA)
  in Ethernet frame, 181
  MAC frame, 110
source quench, ICMP error messages, 269
source route bridging
  bridging Ethernet and Token Ring networks, 62
  overview of, 60–61
  SRT (source route transparent) bridging, 63
source route transparent (SRT) bridging, 63
source routing, ping utility and, 487
source service access point (SSAP), 184
spam, 458
spanning tree algorithm (STA), 56
SPE (System Policy Editor)
  overview of, 474–476
  registry editing tool, 359–360
speed
  DSL vs. ISDN, 124
  LANs vs. WANs, 116
  selecting network speed for SOHO network design, 155
  wired vs. wireless networks, 99
spoofing, packet filters, 443
SQE (signal quality errors), 169
SRT (source route transparent) bridging, 63
SSAP (Session Service Access Point), 33
SSAP (source service access point), 184
SSDs (solid-state drives), 498–499
SSID (service set identifier)
  configuring wireless routers, 452
  risks related to unsecured home networks, 458
  securing home networks, 453
  setting up wireless access points, 451
SSL handshake protocol (SSLHP), 441
SSL record protocol (SSLRP), 441–442
SSL (Secure Sockets Layer)
  encryption and, 460
  overview of, 440
  SSL handshake protocol, 441
  SSL record protocol, 441–442
SSLHP (SSL handshake protocol), 441
SSLRP (SSL record protocol), 441–442
ST (straight-tip) connectors
  network interface in NIC selection, 44
  use with fiber-optic cable, 94
  UTP cabling, 175
STA (spanning tree algorithm), 56
stackable hubs
  hub configurations, 53
  overview of, 54–55
stand-alone hubs, 53
standards
  ANSI. See ANSI (American National Standards Institute)
  Ethernet, 166–168
  IEEE. See IEEE (Institute of Electrical and Electronic Engineers)
  IETF. See IETF (Internet Engineering Task Force)
  networking, 10–11
  NFS, 393
  PPP standards, 247
  TCP/IP standards, 236
  USOC standard for connector pinouts, 89–90
  X.509 standard for certificates, 435
standards, cable
  data link layer, 84
  overview of, 81–82
  TIA/EIA-568, 82–84
standby monitors, Token Ring, 216
star bus topology
  cabling patterns, 6
  configuration of Ethernet hubs, 212
  in FDDI, 221
  multiport repeaters, 9
  selecting WAN protocol for internetwork design, 159
  Token Ring and, 210
star (hub and spoke) topology, 6
Start menu, locking down Windows interface, 477–478
start of authority (SOA), DNS resource records, 292
start of frame delimiter, in Ethernet frame, 181
stateless, NFS servers, 393
static routing, 68–69, 262
station management (SMT) layer, FDDI, 224, 228–231
storage
  hardware for cluster, 143
  HSM. See HSM (hierarchical storage management)
store and forward
  by hubs, 51
  types of switches, 73–74
STP (shielded twisted-pair) cable
  100Base Ethernet running on, 189
  cable testers, 493–494
  Fibre Channel and, 145
  overview of, 92–93
  Token Ring and, 210
straight through wiring
  RJ-45 connectors, 53
  UTP cable, 91
straight-tip connectors. See ST (straight-tip) connectors
streaming data, writing data to tape drives, 509
stripping state, Token Ring, 216
SUA (Subsystem for Unix-based Applications)
  accessing Unix systems, 419
  Unix interface for Windows 7, 419–420
  Unix interface for Windows 8, 420
subdomains, 290–291
subnet masks
  IP addresses and, 239
  subnetting and, 242–243
subnet objects, association with sites and servers, 374
subnets, identifiers in IP addresses, 242–243
Subnetwork Access Protocol (SNAP), 186
subscriber, standard, or Siemon connector (SC), use with fiber-optic cable, 94
Subsystem for Unix-based Applications. See SUA (Subsystem for Unix-based Applications)
supervisory format, LLC control field, 185
support, ATM, 135
SVC (switched virtual circuits)
  ATM, 134
  frame relay, 129
switches
  defined, 9
  full-duplex Ethernet and, 187
  Layer 3 switching, 76–77
  multiple-layer switching, 77
  overview of, 72–73
  routing vs. switching, 75
  types of, 73–75
  virtual LANs, 75–76
switching hubs, full-duplex Ethernet using, 187
switching services, WANs, 125–127
symbolic links, referencing objects in Windows, 349–350
symmetric multiprocessing (SMP)
  hardware and software, 140–141
  overview of, 140
symmetrical digital subscriber line (SDSL), 125
SYN messages, TCP, 274–276
Synchronous Digital Hierarchy (SDH), 136
Synchronous Optical Network (SONET), 136
system
  checking capability for joining Token Ring, 214–215
  operational states in Token Ring, 215–216
system area networks. See SANs (system area networks)
system policies
  deploying, 479
  files, 476
  restricting workstation access, 476–479
  templates, 474–476
  Windows OSs, 359–360
System Policy Editor (SPE)
  overview of, 474–476
  registry editing tool, 359–360
T
T-1 lines
  adding to frame relay, 129
  leased-line applications, 120–121
  leased-line hardware, 120
  North American types, 119–120
  PBX, 118
T-connectors, BNC, 174
TA (transmitter address), MAC frame address field, 110
tape drives. See magnetic tape
taskbar, locking down Windows interface, 478
tasks, Windows OSs, 349
TCP/IP (Transmission Control Protocol/Internet Protocol)
  architecture of, 236–237
  ARP, 253–255
  attributes, 235–236
  authentication protocols in PPP, 250
  datagram fragmenting, 259–260
  datagram packing, 256–259
  DNS names, 244–245
  ICMP, 266
  ICMP error messages, 266–270
  ICMP query messages, 270–271
  IP address classes, 240–241
  IP address registration, 239–240
  IP addressing, 256
  IP (Internet Protocol), 255–256
  IP versions, 237
  ipconfig command, 490
  IPv4, 237–239
  IPv6, 263–264
  IPv6 address structure, 265
  IPv6 address types, 264–265
  LCP frame in PPP, 248–250
  netstat command, 488–490
  network addressing, 8
  network control protocols in PPP, 250–251
  nslookup utility, 490
  overview of, 235
  pathping utility, 487
  ping utility, 483, 485–487
  ports and sockets, 244
  PPP connections, 251–253
  PPP frame format, 247–248
  PPP (Point-to-Point Protocol), 246–247
  protocol stack, 14
  route command, 488
  routing, 261–262
  SLIP (Serial Line Internet Protocol), 245–246
  special IP addresses, 241–242
  standard, 236
  subnet masks, 239
  subnetting, 242–243
  task offloading, 414
  TCP, 272
  TCP connection establishment, 274–276
  TCP connection termination, 280–281
  TCP data transfer, 277–279
  TCP error correction, 279–280
  TCP header, 273–274
  traceroute (tracert) utility, 487–488
  UDP, 271–272
  Unix using, 385
  unregistered IP addresses, 241
  utilities, 483
  Windows networking architecture based on, 412
TCP (Transmission Control Protocol)
  connection establishment, 274–276
  connection termination, 280–281
  data transfer, 277–279
  encapsulation and, 17
  error correction, 279–280
  header, 273–274
  operating at transport layer of TCP/IP suite, 237
  overview of, 272
  three-way handshake, 339–340
  transport layer functions, 29
TD (transport data), straight through wiring and, 53
TDI (Transport Driver Interface), 353–354
TDM (time division multiplexing), digital leased lines, 120
TDR (time domain reflectometry), in worst-case path calculation, 179
TE1 (terminal equipment 1), ISDN, 123–124
TE2 (terminal equipment 2), ISDN, 124
TechNet Evaluation Center, Microsoft technical support, 347
technical support, 347–348
Telecommunications Industry Association. See TIA (Telecommunications Industry Association)
Telecommunications Standardization Sector of International Telecommunications Union (ITU-T), 13
telecommunications, WANs, 114–115
Telenet, precursors to cloud computing, 399
telephone system, as example of circuit switching network, 5
television cable modems, 86
telnet command
  applications available to Unix clients, 418
  overview of, 389
  Unix DARPA commands, 392
templates, system policies, 474–476
terminal equipment 1 (TE1), ISDN, 123–124
terminal equipment 2 (TE2), ISDN, 124
tftp command, Unix, 392–393
TGS (ticket-granting service), 434
TGT (ticket-granting ticket), 434
Thick Ethernet (10Base-5)
  history of, 166
  maximum collision diameter, 177
  overview of, 172–173
  physical layer options, 172
  RG-8/U, 85
Thin Ethernet (10Base-2), 173–174
  history of, 166
  maximum collision diameter, 177
  physical layer options, 172
  RG-58, 85–86
threads, Windows OSs, 349
three-way handshake, TCP, 339–340
Thunderbolt, connections for backup devices, 498, 501
TIA (Telecommunications Industry Association)
  cable categories, 80
  cabling standards, 82
  TIA/EIA-568 standard, 82–84
  TIA/EIA-568 standard color codes, 87
  TIA/EIA-568 standard for connector pinouts, 89–90
ticket-granting service (TGS), 434
ticket-granting ticket (TGT), 434
time division multiplexing (TDM), digital leased lines, 120
time domain reflectometry (TDR), in worst-case path calculation, 179
time exceeded, ICMP error messages, 269–270
Time to Live (TTL)
  cache data persistence, 297
  discarding packets and, 70
timing calculations
  for 100Base Ethernet, 193–194
  calculating network performance over Ethernet, 178–180
TLS (Transport Layer Security), 460
token-based authentication, 435–436
token frame, Token Ring, 218
token passing
  FDDI, 228
  monitoring, 216
  Token Ring, 213–214
  types of media access control, 8, 24
Token Ring
  bridging Ethernet and Token Ring networks, 61–62
  cabling options, 210
  calculating adjusted ring length, 213
  Differential Manchester, 21–22
  errors, 218–220
  fragmenting and, 26
  frames, 218
  MAC addresses, 23
  MAUs, 52–53, 211–213
  monitors, 216–218
  NICs, 211
  overview of, 209
  packet fragmentation, 70
  physical layer, 209–210
  STP cable used with, 92
  system capability for joining, 214–215
  system operational states, 215–216
  token passing, 213–214
  translational bridging, 62
  types of media access control, 24
tokens
  comparing Token Ring and Ethernet, 209
  defined, 213
top-level domains, 287–288
topologies
  bus, 54
  cabling patterns, 5–7
  FDDI, 221–224
  Fibre Channel, 145–146
  full mesh, 159–160
  infrastructure, 101, 451
  physical layer, 101–104
  physical vs. logical, 8
  protocols contrasted with, 22
  ring, 209–210, 221
  star bus, 9, 159, 210, 212
  WAN, 115–117
TP (twisted pair)-PMD standard, FDDI sublayers, 224–225
TP0 to TP4, classes of transport layer protocols, 28
traceroute (tracert) utility
  overview of, 487–488
  Unix and, 389
traffic, accessing wireless networks, 98
transaction state, POP3, 340
transceivers
  physical layer signaling, 19
  for ThickNet cabling, 173
transfer syntax, presentation layer, 33
transitive trusts, trust relationships between domains, 366
translational bridging, 62
Transmission Control Protocol. See TCP (Transmission Control Protocol)
Transmission Control Protocol/Internet Protocol. See TCP/IP (Transmission Control Protocol/Internet Protocol)
transmission power
  accessing wireless networks, 98
  LANs vs. WANs, 116
transmission rates
  DSL, 124
  NIC selection and, 43
transmit state, Token Ring, 215
transmitter address (TA), MAC frame address field, 110
transparent bridging
  bridging Ethernet and Token Ring networks, 61–62
  overview of, 58
  source route transparent bridging, 63
transport data (TD), straight through wiring and, 53
Transport Driver Interface (TDI), 353–354
transport layer, of OSI model
  error detection and recovery, 29–30
  flow control, 29
  overview of, 27
  protocol functions, 29
  protocol service combinations, 27–28
  segmentation and reassembly of packets, 29
Transport Layer Security (TLS), 460
trees, Active Directory
  objects in, 364
  overview of, 367–368
  planning, 375–376
troubleshooting tools. See utilities
truncated binary exponential backoff, collisions and, 170
trunk ring, double-ring in FDDI, 221
trust, relationships between domains, 366
TTL (Time to Live)
  cache data persistence, 297
  discarding packets and, 70
TVservice,overcoaxialcable,86
TWA(two-wayalternate)
dialogcontrolinsessionlayer,31
dialogseparationinsessionlayer,32
twistperinch,cablecategories,87
twistedpaircable
cablecategories,87–89
connectorpinouts,89–92
overviewof,86
STP(shieldedtwistedpair),92–93
UTP(unshieldedtwistedpair),86–88
Twisted-PairEthernet(10Base-T/100Base-T),172,174–175
twistedpair(TP)-PMDstandard,FDDIsublayers,224–225
two-factorauthentication,435–436
two-wayalternate(TWA)
dialogcontrolinsessionlayer,31
dialogseparationinsessionlayer,32
TWS(two-waysimultaneous)
dialogcontrolinsessionlayer,31
dialogseparationinsessionlayer,32
U
UDCs(universaldataconnectors),210
UDP(UserDatagramProtocol)
DNSmessagingand,301
encapsulationand,17
operatingattransportlayerofTCP/IPsuite,237
overviewof,271–272
transportlayerfunctions,29
UDRP(UniformDomainNameResolutionPolicy),289
unboundedmedia
defined,97
physicallayer,101
UNC(UniformNamingConvention)
UnixOSs,419
WindowsOSs,354
UNI(UserNetworkInterface),ATM,133
unicastaddresses,IPv6,264–265
UniformDomainNameResolutionPolicy(UDRP),289
UniformNamingConvention(UNC)
UnixOSs,419
WindowsOSs,354
uniformresourcelocators(URLs)
elementsforidentifying/locatingresources,314–315
socketsand,244
unique-localaddresses,IPv6,265
universaldataconnectors(UDCs),210
UniversalSerialBus(USB)
connections,44
connectionsforbackupdevices,498–500
Unixclients
applicationsfor,418
overviewof,418
Windows7andWindows8interfaces,419–420
UnixOSs
advantagesofLinuxover,379
architecture,387–388
BSDUnix,389
clientaccess,418–419
client/servernetworking,393–395
DARPAcommands,392–393
hostsfile,283
networkingwith,389
NFS(NetworkFileSystem),393–395
overviewof,385–386
permissions,430–431
principles,386–387
remotecommands,390–392
routingtables,67
selectingcomputersforSOHOdesign,153–154
UnixSystemV,388–389
versions,388
UnixSystemV,388–389
unshieldedcables,81
unshieldedtwistedpair.SeeUTP(unshieldedtwistedpair)
unsignalederrors,errordetectionattransportlayer,30
updatesequencenumbers(USNs),directoryreplicationand,370
updatestate,POP3,341
uplinkport,hubs,53–54
UPN(userprinciplename),assignedtouserobjects,366–367
URLs(uniformresourcelocators)
elementsforidentifying/locatingresources,314–315
socketsand,244
USB(UniversalSerialBus)
connections,44
connectionsforbackupdevices,498–500
UserDatagramProtocol.SeeUDP(UserDatagramProtocol)
usermodecomponents,WindowsOSs,351–352
UserNetworkInterface(UNI),ATM,133
userprinciplename(UPN),assignedtouserobjects,366–367
userprofiles
creatingdefaultuserprofile,474
mandatoryprofiles,473
overviewof,470–472
replicating,473–474
roamingprofiles,472–473
username,securinghomenetworks,453
users
Unixpermissions,431
Windowspermissions,426–428
USNs(updatesequencenumbers),directoryreplicationand,370
USOCstandard,forconnectorpinouts,89–90
utilities
agentsusedwithnetworkanalyzers,492
cabletesters,493–494
filters,491–492
ipconfigcommand,490
NETcommands,483–485
netstatcommand,488–490
networkanalyzers,490–491
nslookuputility,490
pathping,487
pingutility,483,485–487
protocolanalyzers,493
routecommand,488
TCP/IP,483
traceroute(tracert)utility,487–488
trafficanalyzers,492
WindowsOSs,481–483
UTP(unshieldedtwistedpair)
100BaseEthernetrunningon,189
cablecategories,87–89
cablelengthonEthernetnetworks,51
cableoptionsinTokenRing,210
cabletesters,493–494
compatibilityofcoppercablewithfiber-optic,159
connectorpinouts,89–92
Ethernetcablingstandards,178
overviewof,86–88
physicallayercablingand,18
selectingnetworkmedium,154–155
straightthroughwiringand,53
Twisted-PairEthernet(10Base-T/100Base-T),174–175
V
vampiretap,173
VC(virtualchannel),ATM,134
VCI(virtualchannelidentifier),ATMcells,133
VCs(virtualcircuits)
ATM,134
framerelay,129
packet-switchingservices,127
VDSL(veryhighbit-ratedigitalsubscriberline),125
VeriSigncertificateauthority,435
veryhighbit-ratedigitalsubscriberline(VDSL),125
videoadapter,138
virtualchannelidentifier(VCI),ATMcells,133
virtualchannel(VC),ATM,134
virtualcircuits.SeeVCs(virtualcircuits)
virtualdirectories,webservers,317
virtualmemory,350
virtualpathidentifier(VPI),ATMcells,133
virtualpath(VP),ATM,134
virtualprivatenetworks(VPNs)
encryptionand,461
inevolutionofcloudcomputing,399
VLANs(virtualLANs),75–76
VMM(VirtualMemoryManager),inWindowsOSs,350
voicetelecommunications,PBX,118
voidframes,in100VG-AnyLAN,205
volumes,encrypting,459
VP(virtualpath),ATM,134
VPI(virtualpathidentifier),ATMcells,133
VPNs(virtualprivatenetworks)
encryptionand,461
inevolutionofcloudcomputing,399
vulnerabilities,wirelessnetworks,458–459
W
W3C(WorldWideWebConsortium)
ExtendedLogFileformat,316
foundingofWorldWideWeband,399
Wake-on-LAN(WoL),NICfeatures,42
WANs(wideareanetworks)
ATM,130–135
connectingtoremotenetworks,159
datacentersprovidingaccessto,161–162
DSL,124–125
firewallsand,442
framerelay,127–130
ISDN,121–124
leasedlines,118–121
localareanetworkscomparedwith,9–10
overviewof,113–114
PSTNconnections,117–118
routerapplicationsand,64
selectingtopology,115–117
selectingWANprotocolforinternetworkdesign,159–160
SONET,136
switchingservices,125–127
telecommunicationsand,114–115
WAPs(wirelessaccesspoints)
accessingwirelessnetworksanddistancefrom,98
defined,97–98
overviewof,450
settingup,450–451
webservers
functionsof,314–317
HTTProleinbrowser/servercommunication,318
overviewof,313
selecting,314
well-knownports,244
WEP(WiredEquivalentPrivacy)
backingupwirelessnetworks,501
risksrelatedtounsecuredhomenetworks,458
whitelists,securinghomenetworks,454
wholedisk(full-disk)encryption,459
Wi-FiProtectedAccess.SeeWPA(Wi-FiProtectedAccess)
Wi-FiProtectedSetup(WPS),459
wideareanetworks.SeeWANs(wideareanetworks)
WiFi,asmostwidelyusedwirelessnetwork,98
Win16environmentsubsystem,351–352
Win32environmentsubsystem,351
Windows7
accessingcommandprompt,482
interfaceforUnixclients,419–420
settingenvironmentvariables,466–467
versionsofWindowsnetworkoperatingsystems,346
Windows8
accessingcommandprompt,482
interfaceforUnixclients,420
settingenvironmentvariables,467
versionsofWindowsnetworkoperatingsystems,346–347
Windows2000,346
Windowsclients
clientservices,414–415
NDISdriversforWindowsclients,413–414
overviewof,411–412
protocoldriversforWindowsclients,414
Windowsnetworkarchitecture,412–413
WindowsExplorer(Windows7),482
WindowsforWorkgroups,411
WindowsInternetNamingService(WINS)
comparingDNSandActiveDirectory,368
asoptionalWindowsnetworkingservice,361
WindowsManager,351
WindowsNT,346
WindowsOSs
accessingcommandpromptinWindows7and8,482
APIsand,355–356
controlpanel,359
drivemappings,468–470
filepermissions,425
filesystems,356–357
folderpermission,424–425
kernelmodecomponents,348–351
lockingdownWindowsinterfacewithsystempolicies,477
Microsofttechnicalsupport,347–348
NDISdriversforWindowsclients,413–414
NDIS(NetworkDriverInterfaceSpecification),353
NETcommands,483–485
networkingarchitecture,352–353
NTFSpermissions,428–430
optionalnetworkingservices,360–361
overviewandroleof,345
registry,357–359
registryeditors,360
routingtables,67
securitymodel,422–424
selectingcomputersforSOHOdesign,153–154
server-basedapplications,464–465
server-basedOSs,464
Serverservice,355
servicepacks,347
services,352
settingenvironmentvariables,466–467
storingdatafiles,465–466
systemandgrouppolicies,359–360
TDI(TransportDriverInterface),353–354
userandgrouppermissions,426–428
usermodecomponents,351–352
utilities,481–483
versions,346–347
Windows7interfaceforUnixclients,419–420
Windows8interfaceforUnixclients,420
Workstationservice,354–355
WindowsSockets(Winsock),355–356
WindowsVista,346
WindowsXP,346
WINS(WindowsInternetNamingService)
comparingDNSandActiveDirectory,368
asoptionalWindowsnetworkingservice,361
Winsock(WindowsSockets),355–356
WiredEquivalentPrivacy(WEP)
backingupwirelessnetworks,501
risksrelatedtounsecuredhomenetworks,458
wirelessaccesspoints.SeeWAPs(wirelessaccesspoints)
wirelessLANs.SeeWLANs(wirelessLANs)
wirelessnetworks
advantagesanddisadvantagesof,98–99
applicationsof,98–100
backingup,501
components,447–448
configuringwirelessrouters,451–453
encryptionand,459–461
invasiontoolsandvulnerabilities,458–459
overviewof,97–98
risksrelatedtounsecuredhomenetworks,457–458
routertypes,448–450
securingbusinessnetwork,455–456
securinghomenetwork,453–455
securingmobiledevices,456–457
securingwirelessrouters,456
transmissionover,450
typesof,98
WAPs(wirelessaccesspoints),450–451
wirelessrouters.Seerouters,wireless
wiringclosets,internetworkdesign,161
WLANs(wirelessLANs)
datalinklayer,110–113
IEEE802.11standards,100
overviewof,97
physicallayerframes,106–108
physicallayermedia,101–106
physicallayertopologies,101–104
wirelessnetworks,97–100
WoL(Wake-on-LAN),NICfeatures,42
workgroups,connectingcomputersinto,5
Workstationservice,WindowsOSs,354–355
workstations
administrationof,463
capabilityforjoiningTokenRing,214–215
connectingtoFDDInetwork,222
controlling,468
creatingmandatoryprofiles,473
creatingroamingprofiles,472–473
drivemappings,468–470
NICselectionand,48
policiesforrestrictingaccess,476–479
registryof,474
replicatingprofiles,473–474
userprofilesand,470–471
WorldWideWebConsortium(W3C)
ExtendedLogFileformat,316
foundingofWorldWideWeband,399
WorldWideWeb,foundingof,399
worst-casepath
for100BaseEthernet,194
calculatingnetworkperformance,179–180
WPA(Wi-FiProtectedAccess)
backingupwirelessnetworks,501
risksrelatedtounsecuredhomenetworks,458
securinghomenetworkswithWPA2,454
WPS(Wi-FiProtectedSetup),459
wrappedring,FDDItopology,221
writeerrors,magnetictape,510
X
X.509,ITU-Tstandardforcertificates,435
XDR(ExternalDataRepresentation),393
XPS,Linuxfilesystems,380
Z
zones,DNS
breakingdomainnamespaceintoadministrativezones,291
transfermessages,310–312
transfers,300–301