CHAPTER 1 INTRODUCTION TO NETWORK AND SYSTEM ADMINISTRATION

What is Network & System administration?
Network & system administration is a branch of engineering that concerns the operational management of human-computer systems. It is unusual as an engineering discipline in that it addresses both the technology of computer systems and the users of that technology on an equal basis. It is about putting together a network of computers (workstations, PCs and supercomputers), getting them running and then keeping them running in spite of the activities of users, who tend to cause the systems to fail.

Basic terminologies:
- System
- Network/system administration
- Network/system administrator
System: the combination (integration) of subsystems, which are independent objects with specific functions that work towards the same goal. In a network system the objects that constitute the system are:
- Users
- Hardware resources
- Software resources
- Network expertise (the network administrator)

Network/system administration: a set of procedures carried out by a person or a group of persons under the supervision of a knowledgeable person, the network administrator. It is the process of installing, configuring, troubleshooting and maintaining a network.

Network administration is the process of implementing and managing the systems that send information over the network. It is the way to monitor the delivery of information (including data, voice and video) across a network and to protect the network from internal and external security threats. It also covers responsibility for the wired and wireless local area networks that connect the company's network to remote networks and the Internet.

Network/system administrator: a professional who is responsible for the physical design and management of the system and the network, and for the overall network operation. Network/system administrators are responsible for the security and availability of the network services they manage. A system administrator works for users, so that they can use the system to produce work. Some system administrators are responsible for both the network hardware and the computers it connects, i.e. the cables as well as the computers. Physical network design is one of the responsibilities of the network/system administrator.
What is network design?
Designing a network is an activity where you evaluate various parameters to arrive at a network design that is optimal for a given set of conditions and requirements. The network administrator chooses a design so that it can accommodate future needs, upgrades and expansions.

Designing a network involves making various decisions regarding the architecture of the network:
- The LAN and WAN technologies to be used
- The transmission media to be used, e.g. UTP cable (CAT-5 or CAT-5e), thick or thin coaxial cable
- The cable layout, including high-speed backbones, and the wiring standard for UTP terminations (TIA/EIA-568-A or 568-B; use the same one at both ends of a straight-through cable)
- The hardware equipment to be used

Each design activity is a unique and challenging task for the network administrator. The tasks involved in making a network design are:
- Understanding the requirements
  o Identifying the rationale or basis for performing the analysis
  o Choosing the method of requirement analysis
  o Analyzing the requirements

Network administrators are responsible for the security and availability of the networks they manage. They must adhere to all relevant organizational Information Technology policies, in particular:
Network Connection Policy
Wireless LAN Policy
Network and Systems Monitoring Policy
Network security Policy
Network access Policy
For each network there should be at least one network administrator available at all times during normal working hours and on emergency call.

General network/system administration tasks
Network/system administration is not just about installing operating systems. It is about planning and designing an efficient community of computers so that real users will be able to get their jobs done. These tasks are performed by the network/system administrator and include:
- Installing server software (a Windows Server OS such as Windows 2000 Server or Windows Server 2003)
- Configuring Active Directory Users and Computers after promoting the server with the DCPROMO utility. Active Directory is
  o used to manage network accounts
  o the source of all network information about the users and computers registered in the domain
- Securing network resources (managing network security)
- Configuring and administering network print services
- Administering the desktop computing environment (managing remote desktop connectivity)
- Installing and configuring network devices: routers, switches, servers etc.
- IP addressing and subnetting tasks
- Verifying/testing network connectivity for error-free communication

Basic network/system administration tasks can be categorized into three:
1. Managing network accounts
2. Managing network security
3. Managing network performance

Managing network accounts involves the following sub-tasks:
a) Creating user accounts
b) Creating group accounts
c) Creating computer accounts
d) Deleting user and computer accounts
e) Renaming user and computer accounts
f) Assigning access rights to users (allow and deny policies)

Managing network security involves:
a) Securing data stored on the network (on server computers) from external or unauthorized parties
b) Restoring data from backup storage in the event of data loss

The network administrator must include the following points as a checklist in network security planning:
1. What should be protected?
2. From whom should it be protected?
3. How likely is the occurrence of the threat?
4. What is the estimated financial loss due to the threat?
There are two types of network security:
1. Physical security
2. Data security

Physical security involves securing hardware resources such as cables, servers and other equipment from physical damage and from unauthorized physical access.
Data security involves securing network data and software resources.
Managing network performance involves verifying the proper working of network devices such as network cards, connectivity devices and computers.

The key roles of the system and network administrator
1. Document the network and its resources
Any modification made to the network should be documented immediately. Documentation should contain the following information:
- Type of computer being used
- The name of the computer (assigned by the network administrator)
- The IP address of the computer
- The operating system used on each computer
- The network design or map detailing the location of network resources (topology)
2. Administering network IP addresses and subnetting
- Group computers on the basis of department or functional location
- Assign IP addresses and subnet masks: this can be done manually using static configuration or dynamically using a DHCP server
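The grouping-by-department step above is usually done by giving each department its own subnet. The following PowerShell script is an added example, not part of the original notes: it carves one subnet per department out of a single private block, largest department first (VLSM), and prints the network, mask, usable host range and broadcast address the administrator would put into each DHCP scope or static configuration. The block 10.10.0.0/22, the department names and the host counts are assumptions.

```powershell
# Added example (not part of the original notes): plan one subnet per department
# from a single private block. The 10.10.0.0/22 block, the department names and
# the host counts below are assumptions; change them to match the real site.

function ConvertTo-AddressNumber([string]$Ip) {
    # Dotted quad -> 32-bit number, kept in [int64] to avoid unsigned overflow
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-AddressNumber([int64]$Value) {
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) {
        [int64][math]::Floor($Value / $divisor) % 256
    }
    return $octets -join '.'
}

function New-SubnetPlan {
    param([string]$Block, [int]$Prefix, [hashtable]$HostsNeeded)
    $next = ConvertTo-AddressNumber $Block
    $last = $next + [int64][math]::Pow(2, 32 - $Prefix) - 1
    # Allocate the largest subnet first (VLSM): every subnet then starts on a
    # multiple of its own size, so no address space is wasted on alignment.
    $order = $HostsNeeded.Keys | Sort-Object { $HostsNeeded[$_] } -Descending
    foreach ($dept in $order) {
        # Hosts + network address + broadcast address must fit in 2^bits
        $bits = 1
        while ([math]::Pow(2, $bits) -lt ($HostsNeeded[$dept] + 2)) { $bits++ }
        $size = [int64][math]::Pow(2, $bits)
        if (($next + $size - 1) -gt $last) { throw "Block $Block/$Prefix is exhausted before $dept" }
        New-Object PSObject -Property @{
            Department = $dept
            Network    = "$(ConvertFrom-AddressNumber $next)/$(32 - $bits)"
            Mask       = ConvertFrom-AddressNumber (4294967295 - ($size - 1))
            FirstHost  = ConvertFrom-AddressNumber ($next + 1)
            LastHost   = ConvertFrom-AddressNumber ($next + $size - 2)
            Broadcast  = ConvertFrom-AddressNumber ($next + $size - 1)
            Usable     = $size - 2
            Requested  = $HostsNeeded[$dept]
        }
        $next += $size
    }
}

# Constructed sample: four departments sharing 10.10.0.0/22 (1024 addresses)
$departments = @{ Finance = 100; Sales = 50; IT = 30; HR = 10 }
New-SubnetPlan -Block '10.10.0.0' -Prefix 22 -HostsNeeded $departments |
    Select-Object Department, Network, Mask, FirstHost, LastHost, Broadcast, Usable, Requested |
    Format-Table -AutoSize
```

With the sample input Finance gets 10.10.0.0/25 (hosts .1 to .126), Sales 10.10.0.128/26, IT 10.10.0.192/27 and HR 10.10.0.224/28; the remaining 10.10.1.0 to 10.10.3.255 stays free for growth. Because routers only forward between subnets according to their own configuration (and access lists), this layout is also the starting point for keeping departmental traffic apart.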
3. Educating (training) network users
Educating the network users is one of the best ways to maintain the network.
  o It involves the proper use of the network and its resources
  o It provides knowledge about virus threats and their solutions
4. Designing a network which is logical and efficient
- Deciding what services are needed
- Planning and implementing adequate security
- Providing a comfortable environment for users
- Developing ways of fixing errors and problems which occur

Concept of server-based networking
In an environment with more than 10 users a peer-to-peer (P2P) network is not adequate. There is a need for a dedicated computer, a server, which improves the service the network gives to its clients. This type of networking is also known as a client/server network.

What is client/server?
- It is a network architecture in which a client requests data from a server and the server responds to the request by retrieving the required information
- It is the basis for managing and administering a network
- A server is a dedicated computer that provides resources to network users
- It is a dedicated computer with special software that carries out tasks on behalf of the users
- It allows users to store and access files
- It provides shared resources such as:
  o Software
  o Peripherals
  o Files
  o Storage devices

Advantages of server-based networking:
1. Sharing centralized resources
2. Managing network security centrally
3. Backup: full and incremental backup schemes
   Full backup: all files are backed up.
   Incremental backup: only the files changed since the last full or incremental backup are copied. A restore therefore needs the last full backup plus every incremental taken after it, applied in order.
4. Scaling to a larger number of clients in the network
5. High capacity to store data
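The full/incremental scheme above works in Windows through the NTFS archive attribute: Windows sets it whenever a file is created or modified, and a backup clears it, so an incremental run only needs to copy files whose bit is set. The script below is an added example (not from the original notes) that implements exactly that on a constructed temporary folder tree, so the counts it reports can be checked by hand; the paths under %TEMP% are assumptions.

```powershell
# Added example (not from the original notes): a minimal full/incremental backup
# driven by the NTFS archive attribute, which is how Windows Backup (ntbackup)
# decides what an incremental run must copy. Paths are a constructed temp tree.

function Get-BackupSet([string]$Source, [string]$Type) {
    $files = Get-ChildItem -Path $Source -Recurse | Where-Object { -not $_.PSIsContainer }
    if ($Type -eq 'Incremental') {
        # Windows sets the Archive bit whenever a file is created or modified;
        # a file whose bit is clear has not changed since a backup last cleared it.
        $files = $files | Where-Object { ([int]$_.Attributes -band [int][IO.FileAttributes]::Archive) -ne 0 }
    }
    return @($files)
}

function Backup-Tree([string]$Source, [string]$Destination, [string]$Type) {
    $set = Get-BackupSet -Source $Source -Type $Type
    foreach ($file in $set) {
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $target -Force
        # Clearing the bit is what makes the *next* incremental pick up only new changes.
        # A "copy" or "differential" backup would leave it set.
        $cleared = [IO.FileAttributes]([int]$file.Attributes -band (-bnot [int][IO.FileAttributes]::Archive))
        [IO.File]::SetAttributes($file.FullName, $cleared)
    }
    return $set.Count
}

# Constructed sample tree under %TEMP%
$src = Join-Path $env:TEMP 'backup-demo\src'
$dst = Join-Path $env:TEMP 'backup-demo\dst'
Remove-Item (Split-Path $src -Parent) -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$src\docs" -Force | Out-Null
foreach ($n in 'a', 'b', 'c') { Set-Content -Path "$src\docs\$n.txt" -Value "file $n" }

"Full backup copied $(Backup-Tree $src "$dst\full" 'Full') files"                    # all three
Add-Content -Path "$src\docs\b.txt" -Value 'edited on Monday'                       # sets b.txt's Archive bit again
"Monday incremental copied $(Backup-Tree $src "$dst\inc-mon" 'Incremental') files"  # only b.txt
"Tuesday incremental copied $(Backup-Tree $src "$dst\inc-tue" 'Incremental') files" # nothing changed
```

To restore the Tuesday state you copy full, then inc-mon, then inc-tue, in that order; losing any one incremental tape loses every change after it, which is the operational cost of the smaller backup windows.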
CHAPTER 2 MANAGING SOFTWARE INFRASTRUCTURES

Windows Server 2003 aims to reduce the administration time required by server-based networks with improved management tools and better desktop control functionality.

Windows Server 2003 editions:
1. Windows Server 2003 Standard Edition
2. Windows Server 2003 Enterprise Edition
3. Windows Server 2003 Datacenter Edition
4. Windows Server 2003 Web Edition

** Standard Edition: designed for the most common server environments; used for small to medium-sized networks (departmental level).
** Enterprise Edition: designed for large business enterprises that require high performance and availability, e.g. banks, airlines.
** Datacenter Edition: designed for businesses that run mission-critical applications (for example a sensitive governmental security center) and must be secure and always available, e.g.
  o Regional data center
  o Federal data center
  o CBO (Capacity Building Office) data center
** Web Edition: designed for web servers that store and manage web sites
  o Enables organizations to publish their web pages

Preparing to install Windows Server 2003
Before you begin the installation you should have the following information:
- Hardware requirements
- System compatibility
- Installation options
- Partitioning
- Licensing options
- Network configuration options

System compatibility:
- The Windows Server 2003 (or Windows XP) CD comes with a utility to check system compatibility
- When you launch the CD you will see several options; one is "Check my system automatically"
- When you are connected to the Internet the check uses the most up-to-date compatibility information
- If there is any problem, a report is generated and the details can be viewed

Installation options: clean installation and upgrading
Clean installation:
- Is the recommended approach for any operating system
- Eliminates any chance of incompatibilities with older software
- Gives the new operating system full control over the hardware configuration
Upgrading:
- During an upgrade the new operating system replaces the existing one but preserves the existing configuration (settings), installed applications and data files
- Cannot solve compatibility conflicts
- The only operating systems that can be upgraded to Windows Server 2003 are
  o Windows NT Server
  o Windows 2000 Server
- Any other OS cannot be upgraded but can coexist with Windows Server 2003 in a multi-boot environment

Partitioning options:
This is another issue that you have to understand before installing Windows Server 2003. A partition is a discrete portion of a hard drive. It can be used for boot files or user files. File systems available for a partition: FAT and NTFS.

NTFS (New Technology File System):
- Provides a high level of security for files and folders in addition to sharing options
- Allows you to set specific permissions on network resources
FAT (FAT16/FAT32, File Allocation Table):
- A poor choice when setting up a network server
- Provides file and folder sharing but does not provide any file-level security
- Does not let the network administrator set specific permissions for users on resources

Licensing methods:
The licensing method determines how client access to the server is counted:
  o Per Device or Per User (called Per Seat in Windows 2000): each client device or user that accesses the server needs its own Client Access License (CAL) and can then connect to any number of servers
  o Per Server: the CALs are assigned to the server and limit how many clients can be connected to that server at the same time

Network configuration options:
Your computer will be a member of either
  o a workgroup (P2P based), or
  o a domain (server based)
- Specify your computer as part of a domain, not as part of a local workgroup
- Determine the computer name (unique on the network)
- Choose the Administrator password (a strong, complex password is recommended):
  o Choose a password of at least 7 characters, the default minimum length in the domain password policy
  o Avoid any form of the word "administrator" in the password
  o Use upper and lower case letters, numbers and symbols to make the password strong (complex)

Concept of Active Directory (AD) and domain controllers
Active Directory is a database of computers, users, shared printers, shared folders and other network resources. It enables users to find a particular resource. Active Directory is a directory service, an architecture that stores all this information about everything on a network and allows the administrator to see a hierarchical view of the network.
Active Directory (AD):
- Is managed through the Active Directory Users and Computers utility
- Allows easy management of user accounts, client machines, printers and network servers
- Centralizes security and management
- Makes the job of the administrator easier

Domain controller:
- Is a computer running Windows Server 2003 that holds the complete network database, Active Directory
- Provides the network administrator with a facility to control all objects in the network environment

Logging on to Windows Server 2003
For administrative purposes Windows Server 2003 uses its own logon procedure. After the computer reboots:
- It requires user authentication
  o Authentication is verifying the identity of a registered user at the network level
  o Only a user with a correct user account (user name and password) can log on to the server
- It requires the user to press CTRL-ALT-DELETE to display the logon dialog box. This key combination is intercepted by Windows itself and cannot be captured by an ordinary program, so a fake logon screen left on the console cannot collect the password
- Once the user enters the correct credentials and clicks OK, the computer finishes loading Windows and the desktop appears

Upgrading a server to a domain controller
- Installing Windows Server 2003 on a computer does not by itself make it a domain controller or give it the complete network database (Active Directory Users and Computers)
- Promoting a Windows server to a domain controller is done with the DCPROMO utility
- The system asks for the Windows Server 2003 CD when you promote the server to a domain controller for the first time
- Once the computer is a domain controller, running DCPROMO again demotes it: Active Directory is removed from that server, and if it was the last domain controller in the domain, all the domain's user and computer accounts are removed with it
CHAPTER 3 MANAGING ACTIVE DIRECTORY USERS AND GROUP ACCOUNTS

User accounts
- Each user requires a user account to log on to a Windows Server 2003 domain
- User accounts are used to authenticate a user on a network
- A user account consists of
  o a user name and
  o a password, assigned by the network administrator
- Once logged on, users can access resources based on the permissions that have been assigned by the network administrator
Built-in users in Active Directory
In a Windows Server 2003 domain the Active Directory Users and Computers utility has a container called Users, which contains two built-in user accounts:
- Administrator account
- Guest account
Each built-in account has rights and permissions assigned automatically by default.

Administrator account
- Created locally when you install Windows Server 2003; it becomes the domain Administrator when the server is promoted to the first domain controller
- It is a special account that has full control over the computer or domain
- Administrator account default settings:
  o Full rights to control users and computers
  o Assigning users' access rights
- Administrator is a member of the following groups:
  o Administrators
  o Domain Admins
  o Enterprise Admins
  o Group Policy Creator Owners
- The Administrator account cannot be deleted. For security purposes it is recommended to rename it rather than disable it: even if the Administrator account is disabled, it can still be used when the server is booted in safe mode, which is why renaming increases the security level. Renaming does not change the account's well-known SID (relative ID 500), so it defeats attackers guessing the name, not attackers who enumerate accounts by SID.

Guest account
- Allows users to access the computer even if they do not have a unique user name and password
- Because of the security risk associated with this account, it is disabled by default
- This account is given very limited privileges
User name and password rules
- The real requirement for creating a new user is providing a valid user name and password for logon
- User name and password assignment must follow Windows Server 2003 rules and conventions
- It is a good idea to have your own naming convention for user names

Windows Server 2003 rules for user names
- The user name must be unique in the domain
- It cannot contain the following characters: " / \ [ ] : ; | = , + * ? < >
- It cannot consist solely of periods (.) or spaces
- The pre-Windows 2000 logon name is limited to 20 characters
Password rules
- Are based on the domain security settings defined through the administrative tools of the operating system, i.e. the password policy
- These password policies are configured by the network administrator

Password policies
- Enforce password history: specifies how many previous passwords are remembered for each user in the domain
  o Used to prevent users from reusing the same password
  o The default number of passwords remembered in a Windows Server 2003 domain is 24
  o The network administrator can configure more or fewer than 24 (0 to 24)
- Maximum password age:
  o Defines how many days a user can keep the same password before having to change it (the password expiration)
  o The default maximum password age is 42 days
- Minimum password age:
  o Defines how many days a user must keep a new password before changing it again; with the default of 1 day a user cannot change the password 24 times in one sitting to cycle the history and get back to an old password
- Minimum password length:
  o Specifies the minimum number of characters a password must contain
  o The default in a Windows Server 2003 domain is 7 characters
- Password must meet complexity requirements:
  o The password must not contain the user's account name or any part of the user's full name that is three or more characters long
  o It must be at least six characters long
  o It must contain characters from three of the following four categories:
    - Upper case letters (A-Z)
    - Lower case letters (a-z)
    - Digits (0-9)
    - Non-alphanumeric characters (e.g. $, %, !)
  o By default it is enabled in a Windows Server 2003 domain
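The complexity rules above can be checked before a password is ever sent to the domain controller. The script below is an added example, not from the original notes: it implements the Windows Server 2003 complexity filter (minimum six characters, no account-name or full-name token of three or more characters, three of the four character categories) together with the domain's minimum length, and runs it over constructed sample passwords for an assumed user kman / "Kebede Mengistu".

```powershell
# Added example (not from the original notes): a local check that mirrors the
# Windows Server 2003 complexity rules plus the domain minimum length, so a help
# desk can test a proposed password before it is set. Account names and sample
# passwords are constructed.

function Test-PasswordPolicy {
    param(
        [string]$Password,
        [string]$AccountName,          # sAMAccountName, e.g. kman
        [string]$FullName,             # displayName, e.g. "Kebede Mengistu"
        [int]$MinimumLength = 7        # domain default; the complexity filter itself only demands 6
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than the minimum length of $MinimumLength" }
    if ($Password.Length -lt 6)              { $reasons += 'complexity requires at least 6 characters' }

    # Rule 1: must not contain the account name (-match is case-insensitive)...
    if ($AccountName -and ($Password -match [regex]::Escape($AccountName))) {
        $reasons += "contains the account name '$AccountName'"
    }
    # ...nor any part of the full name that is 3 or more characters long. The filter
    # splits the full name on commas, periods, dashes, underscores, spaces, # and tabs.
    foreach ($token in ($FullName -split '[,\.\-_# \t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -match [regex]::Escape($token)) { $reasons += "contains part of the full name '$token'"; break }
    }

    # Rule 2: characters from at least three of the four categories (-cmatch is case-sensitive)
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons += "uses only $categories of the 4 character categories" }

    New-Object PSObject -Property @{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed samples checked against the account kman / "Kebede Mengistu"
$samples = 'password', 'Kebede2024!', 'Tr0ub4dor&3', 'abc123', 'kMan#2024x', 'Wuni-L0cal-Spring'
$samples |
    ForEach-Object { Test-PasswordPolicy -Password $_ -AccountName 'kman' -FullName 'Kebede Mengistu' } |
    Select-Object Password, Compliant, Reasons | Format-Table -AutoSize
```

Of the samples only Tr0ub4dor&3 and Wuni-L0cal-Spring pass: "password" has one character category, Kebede2024! contains the first name, abc123 is too short and has two categories, and kMan#2024x contains the account name regardless of case. Note that the filter says nothing about dictionary words, so "Password1!" would pass; the policy is a floor, not a guarantee of strength.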
Creating new users using Active Directory
  o The main tool for managing users, groups and computers is the Active Directory Users and Computers utility
  o You can access this utility through Administrative Tools on a Windows Server 2003 domain controller (after DCPROMO)

Options that can be configured for new users:
- First name, initials, last name and full name: provide more detail about the user
- User logon name: defines the user name for the new account that will be used during the logon process
  o User logon names are not case sensitive; passwords are
  o The user principal name (UPN) is the Internet-style logon name stored on the domain controller
  o The UPN is made up of the user logon name and the UPN suffix (by default the DNS name of the domain) joined with an @ sign; at a client the user may log on with either the UPN or the form DOMAIN\logon name
  o If the user logon name is Kman and the domain is wuni.local, the UPN will be
Kman@wuni.local
- Password: assigned by the network administrator to the user initially
- User must change password at next logon:
  o If selected, the user is forced to set a new password the first time he or she logs on
  o This increases the level of security: the initial password known to the administrator is used only once
  o It moves password responsibility to the user and away from the administrator
- User cannot change password:
  o If selected, prevents the user from changing the password
  o Password responsibility stays in the hands of the network administrator
- Password never expires:
  o Specifies that the password will never expire, even if a maximum password age has been set in the password policy (appropriate for service accounts, not for people)
- Account is disabled:
  o Specifies that this account cannot be used for logon

Disabling/deleting user accounts
- When a user account is no longer needed the account should be disabled first
- If you disable an account you can enable it later
- An account that is deleted cannot be recovered: a new account created with the same name gets a new SID, so it does not inherit the old account's group memberships or permissions
Reasons to disable a user account
- The user will not be using it for a period of time
  Eg. an employee is going on vacation or taking a leave of absence
- The network administrator plans to put another user in the same function (with the same user account)
  Eg. your company hires a new engineering manager, Tadesse, because the previous engineering manager, Lemma, quit. If you disabled Lemma's account when he left, you can now enable the account and simply rename it from Lemma to Tadesse.
  This method ensures that the new user has all of the user properties, group memberships and resource permissions of the previous one. The password must still be reset, and any personal data left in the old account's profile should be reviewed before handover.
- Disabling an account is also a security mechanism for special situations
  Eg. if your company is laying off a group of people, the network administrator must be informed so that he can disable those people's accounts before they receive their layoff notices.
  This prevents damage to the company's files.
- You disable a user account by right-clicking the account and selecting Disable Account
- After an account has been disabled it is displayed with a red circle and an X over the user account icon within Active Directory Users and Computers

Deleting a user account
- You should delete a user account only if you are sure that the account will never be needed again
Changing a forgotten user's password
- The network administrator can reset the password of a user who has forgotten it and cannot log on
- This is common when a user changes a password on Friday afternoon or before a holiday
- The network administrator is not asked for the old password to set a new one; he resets the user's password (normally with "User must change password at next logon" checked, so the administrator never keeps a password the user is using) and the user logs on with the new password
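The whole lifecycle described in the sections above (create a user with the logon-name and password options, disable, rename for a successor, reset a forgotten password) can be done without the GUI. The script below is an added example, not part of the original notes: it uses ADSI from Windows PowerShell, which works against a Windows Server 2003 domain controller with no add-on module. The domain wuni.local, the Users container, the people named and the passwords are assumptions; it must run on a domain-joined machine as a member of Account Operators or Administrators.

```powershell
# Added example (not from the original notes): user lifecycle with ADSI from
# Windows PowerShell against a Windows Server 2003 domain. Domain wuni.local,
# the container and all names/passwords are assumptions.

$domainDn       = 'DC=wuni,DC=local'
$usersContainer = [ADSI]"LDAP://CN=Users,$domainDn"

function New-DomainUser([string]$LogonName, [string]$FirstName, [string]$LastName, [string]$InitialPassword) {
    $u = $usersContainer.Create('user', "CN=$FirstName $LastName")
    $u.Put('sAMAccountName',    $LogonName)                # pre-Windows 2000 logon name (max 20 chars)
    $u.Put('userPrincipalName', "$LogonName@wuni.local")   # UPN = logon name @ UPN suffix
    $u.Put('givenName',         $FirstName)
    $u.Put('sn',                $LastName)
    $u.Put('displayName',       "$FirstName $LastName")
    $u.SetInfo()                                           # the object must exist before a password can be set
    $u.SetPassword($InitialPassword)                       # the DC rejects it if it violates the password policy
    $u.Put('pwdLastSet', 0)                                # "User must change password at next logon"
    $u.Put('userAccountControl', 512)                      # NORMAL_ACCOUNT, enabled (ADSI creates it disabled = 546)
    $u.SetInfo()
    return $u
}

function Set-DomainUserDisabled($User, [bool]$Disabled) {
    $uac = [int]$User.userAccountControl.Value
    if ($Disabled) { $uac = $uac -bor 2 } else { $uac = $uac -band (-bnot 2) }   # ACCOUNTDISABLE = 0x2
    $User.Put('userAccountControl', $uac)
    $User.SetInfo()
}

function Rename-DomainUser($User, [string]$NewLogonName, [string]$NewFirstName, [string]$NewLastName) {
    # Renaming keeps the SID, so group memberships and NTFS permissions carry over to the successor
    $User.psbase.Rename("CN=$NewFirstName $NewLastName")
    $User.Put('sAMAccountName',    $NewLogonName)
    $User.Put('userPrincipalName', "$NewLogonName@wuni.local")
    $User.Put('givenName',         $NewFirstName)
    $User.Put('sn',                $NewLastName)
    $User.Put('displayName',       "$NewFirstName $NewLastName")
    $User.SetInfo()
}

function Reset-DomainUserPassword($User, [string]$NewPassword) {
    $User.SetPassword($NewPassword)     # a reset: no old password is needed (unlike ChangePassword)
    $User.Put('pwdLastSet', 0)          # force the user to choose a password only he or she knows
    $User.SetInfo()
}

# Hire Lemma, disable him when he leaves, then hand the account (and its permissions) to Tadesse
$account = New-DomainUser -LogonName 'lemma' -FirstName 'Lemma' -LastName 'Bekele' -InitialPassword 'Start-2024!x'
Set-DomainUserDisabled -User $account -Disabled $true                  # the red X in ADUC
Rename-DomainUser -User $account -NewLogonName 'tadesse' -NewFirstName 'Tadesse' -NewLastName 'Alemu'
Reset-DomainUserPassword -User $account -NewPassword 'Welcome-2024!y'  # never hand over the old password
Set-DomainUserDisabled -User $account -Disabled $false
```

SetPassword goes to the domain controller over an encrypted channel (Kerberos or LDAP over SSL), so the clear-text password never crosses the wire; putting passwords in a script file, as the sample does, is acceptable only for a throw-away demonstration.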
Configuring user properties
In Active Directory you can configure a variety of user properties using the Active Directory Users and Computers utility.
Steps: Start > Programs > Administrative Tools > Active Directory Users and Computers > open the Users container > double-click the user account you want in the right pane.
The user account Properties dialog box appears.
There are 13 main tabs in the Properties dialog box. In our case we are going to discuss the General tab and the Account tab.
General tab
- Used to record contact information for the user
  o Telephone
  o E-mail
  o Full name
  o Description
  o Office location etc.
- It contains the information that you supplied when you set up the new user account to identify the user uniquely

Account tab
- It shows the logon name information that you supplied
- It allows configuring the following settings
  o User logon name and UPN suffix
  o The logon hours for the user
  o The "Log On To" option
  o Account expiry options

User logon name and UPN suffix:
- Enables the network administrator to change the user logon name, or to choose which UPN suffix (domain name) follows the @ sign in the user's UPN
The logon hours:
- By default users are allowed to log on 24 hours a day, 7 days a week
- The network administrator can adjust or restrict the hours in which the user can log on
- You change the logon hours by selecting the hours you want to modify and clicking the Logon Permitted radio button, to permit the user to log on at the selected times
Eg.
- Select All to permit the user to log on 24 hours a day
- Select Monday 8:00 AM to 10:00 AM to permit the user to log on on the specified day and time only
Logon Denied:
- The network administrator can block the user from logging on and accessing resources on given days and hours by selecting them and clicking Logon Denied
- A user who is already logged on when a permitted period ends is not logged off automatically unless the security option "Network security: Force logoff when logon hours expire" is enabled
Log On To option:
- This option is used to configure the computers from which the user is allowed to log on
- The network administrator can restrict the user to a defined, limited set of computers
- When you click the Log On To button, the Logon Workstations dialog box is displayed with the following options:
  o This user can log on to:
    - All computers
    - The following computers
- With "The following computers" the network administrator must enter the NetBIOS names of the computers to which the user can log on (this check requires NetBIOS over TCP/IP to be enabled on the clients)
Account expiry options:
- Used to configure the day, month and year on which the user account expires by selecting "End of" and choosing a date, or
- To make an account never expire by selecting "Never"
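The three Account-tab restrictions above (logon hours, Log On To, account expiry) are stored in the attributes logonHours, userWorkstations and accountExpires. The script below is an added example, not from the original notes: it builds the 21-byte logonHours bitmap that the GUI grid edits, decodes it back for verification, and writes all three settings to an assumed user kman in the assumed domain wuni.local with the workstation names PC-ENG01 and PC-ENG02. It must run on a domain-joined machine with rights to modify the user.

```powershell
# Added example (not from the original notes): set the Account-tab restrictions
# through ADSI on a Windows Server 2003 domain. Domain wuni.local, the user and
# the workstation names are assumptions.

$domainDn = 'DC=wuni,DC=local'

function ConvertTo-LogonHours([string[]]$Days, [int]$FromHour, [int]$ToHour) {
    # logonHours is 21 bytes = 168 bits, one per hour of the week. Bit 0 of byte 0
    # is Sunday 00:00-01:00 in UTC; ADUC displays the same bits shifted to local
    # time, so the hours given here are UTC (assumption: adjust for your time zone).
    $dayIndex = @{ Sun = 0; Mon = 1; Tue = 2; Wed = 3; Thu = 4; Fri = 5; Sat = 6 }
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $FromHour; $hour -lt $ToHour; $hour++) {
            $bit = $dayIndex[$day] * 24 + $hour
            $byteIndex = [int][math]::Floor($bit / 8)
            $bytes[$byteIndex] = $bytes[$byteIndex] -bor [int][math]::Pow(2, $bit % 8)
        }
    }
    return ,$bytes
}

function ConvertFrom-LogonHours([byte[]]$Bytes) {
    # Summarises one contiguous permitted block per day (enough to verify the mask above)
    $names = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $hours = @(0..23 | Where-Object {
            $bit = $d * 24 + $_
            ($Bytes[[int][math]::Floor($bit / 8)] -band [int][math]::Pow(2, $bit % 8)) -ne 0
        })
        if ($hours.Count -gt 0) { '{0}: {1:00}:00-{2:00}:00 UTC' -f $names[$d], $hours[0], ($hours[-1] + 1) }
    }
}

function Set-DomainUserAccountRestrictions([string]$LogonName, [byte[]]$LogonHours, [string[]]$Workstations, [datetime]$ExpiresOn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$LogonName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $LogonName not found in $domainDn" }
    $user = $result.GetDirectoryEntry()
    $user.psbase.Properties['logonHours'].Value       = [byte[]]$LogonHours
    $user.psbase.Properties['userWorkstations'].Value = ($Workstations -join ',')   # "Log On To": NetBIOS names
    $user.psbase.InvokeSet('AccountExpirationDate', $ExpiresOn)                     # "End of" on the Account tab
    $user.psbase.CommitChanges()
}

$officeHours = ConvertTo-LogonHours -Days 'Mon', 'Tue', 'Wed', 'Thu', 'Fri' -FromHour 8 -ToHour 17
ConvertFrom-LogonHours $officeHours      # Mon to Fri, 08:00-17:00 UTC
Set-DomainUserAccountRestrictions -LogonName 'kman' -LogonHours $officeHours `
    -Workstations 'PC-ENG01', 'PC-ENG02' -ExpiresOn ([datetime]'2026-06-30')
```

Logon hours and workstation restrictions are enforced by the domain controller at logon time only; they do not cut an existing session or a Kerberos ticket that was already issued, which is why the account expiry date is the reliable control for contractors and temporary staff.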
Account lockout options:
- Configured through the domain security settings, next to the password policy, as the account lockout policy
- Settings under the account lockout policy:
  o Account lockout duration
  o Account lockout threshold
  o Reset account lockout counter after
- Account lockout duration:
  o Specifies how long (in minutes) the account stays locked after the account lockout threshold is exceeded; a value of 0 means the account stays locked until an administrator unlocks it
- Account lockout threshold:
  o Specifies how many invalid logon attempts (wrong passwords) a user is allowed before the account is locked out; 0 means accounts are never locked out
  o The number of permitted invalid logon attempts is decided by the network administrator
- Reset account lockout counter after:
  o Specifies how many minutes after the last invalid logon attempt the counter of invalid attempts is reset to 0
  o The window restarts at every invalid attempt, so only failures that fall within it add up towards the threshold
  o This value must be less than or equal to the account lockout duration
- If an account lockout policy is configured and a user exceeds the threshold, the account becomes locked out (not disabled): the Account tab shows "Account is locked out", and the administrator can clear that check box to unlock it before the duration expires
- A low threshold lets anyone who knows user names lock colleagues out on purpose (a denial of service), so the threshold should not be set too low; the built-in Administrator account is not locked out by this policy
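How the three settings interact is easiest to see on a timeline. The script below is an added example, not from the original notes: it simulates the domain controller's bad-password counter over a constructed sequence of logon attempts with the assumed policy threshold 5, reset counter after 30 minutes, duration 30 minutes. It runs anywhere, with no domain needed.

```powershell
# Added example (not from the original notes): a simulation of how the threshold,
# the reset window and the lockout duration interact, run over a constructed
# sequence of logon attempts. Settings and times are assumptions.

function Test-AccountLockout {
    param(
        [object[]]$Attempts,               # objects with Time (datetime) and Result ('Failure' or 'Success')
        [int]$Threshold = 5,               # Account lockout threshold (0 = never lock out)
        [int]$ResetCounterMinutes = 30,    # Reset account lockout counter after
        [int]$LockoutMinutes = 30          # Account lockout duration (0 = until an admin unlocks)
    )
    $badCount = 0; $lastBad = $null; $lockedUntil = $null
    foreach ($a in ($Attempts | Sort-Object Time)) {
        $t = [datetime]$a.Time
        if ($lockedUntil -and ($t -lt $lockedUntil)) {
            '{0:HH:mm} {1,-7} rejected: locked out until {2:HH:mm}' -f $t, $a.Result, $lockedUntil
            continue
        }
        if ($lockedUntil) { $lockedUntil = $null; $badCount = 0 }   # duration elapsed: automatic unlock
        # The reset window restarts at every failure; once it has passed, old failures no longer count
        if ($lastBad -and (($t - $lastBad).TotalMinutes -ge $ResetCounterMinutes)) { $badCount = 0 }
        if ($a.Result -eq 'Failure') {
            $badCount++; $lastBad = $t
            if (($Threshold -gt 0) -and ($badCount -ge $Threshold)) {
                $lockedUntil = if ($LockoutMinutes -gt 0) { $t.AddMinutes($LockoutMinutes) } else { [datetime]::MaxValue }
                '{0:HH:mm} Failure bad password {1}/{2}: account LOCKED OUT until {3:HH:mm}' -f $t, $badCount, $Threshold, $lockedUntil
            } else {
                '{0:HH:mm} Failure bad password {1}/{2}' -f $t, $badCount, $Threshold
            }
        } else {
            $badCount = 0                       # a successful logon clears the bad-password count
            '{0:HH:mm} Success logon OK' -f $t
        }
    }
}

# Constructed attempts for one user on one day
$attempts = @(
    @{ Time = [datetime]'2024-03-04 09:00'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:01'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:02'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:40'; Result = 'Failure' },   # 38 min after the last failure: counter had reset
    @{ Time = [datetime]'2024-03-04 09:41'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:42'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:43'; Result = 'Failure' },
    @{ Time = [datetime]'2024-03-04 09:44'; Result = 'Failure' },   # 5th failure inside the window: locked until 10:14
    @{ Time = [datetime]'2024-03-04 09:50'; Result = 'Success' },   # correct password, still rejected
    @{ Time = [datetime]'2024-03-04 10:20'; Result = 'Success' }    # duration elapsed: logon succeeds
) | ForEach-Object { New-Object PSObject -Property $_ }

Test-AccountLockout -Attempts $attempts -Threshold 5 -ResetCounterMinutes 30 -LockoutMinutes 30
```

The same three values are set on a Windows Server 2003 domain with `net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30 /domain` or through Domain Security Policy. A password-guessing attacker who stays below the threshold per window (here four guesses every 30 minutes) is never locked out, which is why lockout policy must be paired with monitoring of failed-logon events rather than relied on alone.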
Troubleshooting user authentication
If a user cannot log on there are many possible causes of logon failure:
1. Incorrect user logon name: the network administrator checks in the Active Directory Users and Computers utility that the name was spelled correctly
2. Incorrect password:
   a. Check the case (Caps Lock is not on)
   b. Check that the password has not expired
   c. Check that the account has not been locked out
   If the password still does not work, reset the password for the user
3. Prohibitive user rights:
   a. Does the user have the right to log on locally at that computer? A regular user who sits at a domain controller and tries to log on there is denied, because the Domain Controller Security Policy grants "Allow log on locally" only to administrative groups
   b. Regular users do not have permission to log on locally at a domain controller
   c. Users log on to the domain from network workstations using the user logon name and password assigned by the network administrator
   d. If the user has a reason to log on locally at the domain controller, the network administrator should grant the user the "Allow log on locally" right in the Domain Controller Security Policy
4. Disabled or deleted account: verify whether the account has been disabled or deleted
5. The computer is not part of the domain:
   If the computer is not a member of the domain, the user cannot log on to the domain from it
Understanding group type and scope
Groups are used to organize users, computers and other groups into logical objects for management purposes (to assign settings and permissions). You can use groups to control access to resources or to logically categorize people in your company. For example, you may have different groups for your marketing, sales, finance, accounting, IT, HR and operations employees. Within each of those departments you may have teams. These teams may access different resources (e.g. printers or shared folders) that require different Active Directory security settings. Every group has a scope (domain local, global or universal), which limits where it can be used and what it can contain, and a type, which is either security or distribution.
1. Security groups:
- They are security-enabled: the group has a SID and can be listed in an access control list (ACL)
- They are used to grant or deny permissions on the secured resources of an organization
- They can also be used as e-mail distribution lists, so there is rarely a reason to create a distribution group for a set of users who also need permissions
2. Distribution groups:
- They group objects that share a common characteristic, for purposes such as e-mail distribution lists and application configuration
- They are not security-enabled: they cannot appear in an ACL and cannot be used to grant access rights
- Members who need access to resources must receive it through a security group
Built-in groups in a Windows Server 2003 domain
1. Account Operators:
- Members of this group can create and manage domain user, group and computer accounts
- Account Operators do not have rights to modify the administrative groups (Administrators, Domain Admins and the operator groups) or their members
- This group has no default members unless the network administrator adds some
2. Administrators:
- The members of this group have full rights and privileges on all domain controllers
- Its members can grant themselves any permission they do not have by default to manage objects (users and computers)
- By default the members of this group are:
  o the Administrator account
  o Domain Admins and
  o Enterprise Admins
3. Backup Operators:
- The members of this group have rights to back up and restore the file system
- They can access the file system only through backup utilities; the backup and restore privileges bypass NTFS permissions, so membership is sensitive: a backup operator can copy any file, including the Active Directory database
- They cannot modify files
4. Print Operators:
- Members can administer, create, delete and share printers connected to domain controllers
5. Remote Desktop Users:
- This group allows its members to log on to the server remotely using a Remote Desktop connection
- By default ordinary users cannot log on to the server through a Remote Desktop connection
6. Server Operators:
- The members of this group can administer domain servers
- The administration tasks of Server Operators include:
  o Creating and deleting shared resources
  o Starting and stopping services (e.g. the Remote Desktop and License Logging services)
  o Formatting hard disks
  o Backing up and restoring the file system
Creating new groups
To create a new group account:
- Log on to the computer as Administrator, as an Account Operator, or as a member of the Administrators group
- Start > Administrative Tools > Active Directory Users and Computers
- Right-click the Users container (or the OU where the group belongs) > select New > select Group
- Enter the group name, choose the group scope (domain local, global or universal) and the group type (security or distribution), and finish the wizard
Identifying group members:
- You can identify which groups a user belongs to by viewing the user's properties and clicking the "Member Of" tab
- You can also add users to or remove them from a group with the Add/Remove buttons in the properties dialog box (on the user's "Member Of" tab or on the group's "Members" tab)
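The type and scope chosen in the New Group wizard end up in one attribute, groupType: the scope is a low bit and "security" is the high bit, which is why security groups show a negative groupType value. The script below is an added example, not from the original notes: it creates one security group and one distribution group with ADSI, adds a member, and decodes groupType so that the difference the text describes is visible. The domain wuni.local, the Users container and the group and member names are assumptions; it needs Account Operator or Administrator rights on a domain-joined machine.

```powershell
# Added example (not from the original notes): create security and distribution
# groups with ADSI and decode the groupType bits that distinguish them. Domain
# wuni.local, the container and all names are assumptions.

$domainDn  = 'DC=wuni,DC=local'
$container = [ADSI]"LDAP://CN=Users,$domainDn"
$SECURITY_ENABLED = -2147483648          # 0x80000000 as a signed 32-bit value, which is how AD stores groupType
$scopeBits = @{ Global = 2; DomainLocal = 4; Universal = 8 }

function New-DomainGroup([string]$Name, [string]$Scope = 'Global', [switch]$Distribution) {
    $type = $scopeBits[$Scope]
    if (-not $Distribution) { $type = $type + $SECURITY_ENABLED }   # security groups have the high bit set
    $g = $container.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)
    $g.Put('groupType', $type)
    $g.SetInfo()
    return $g
}

function Get-GroupTypeDescription([int]$GroupType) {
    $kind  = if ($GroupType -lt 0) { 'Security' } else { 'Distribution' }   # negative = bit 31 set
    $scope = $scopeBits.Keys | Where-Object { ($GroupType -band $scopeBits[$_]) -ne 0 }
    return "$kind / $scope"
}

function Add-DomainGroupMember($Group, [string]$MemberDn) {
    $Group.Add("LDAP://$MemberDn")       # IADsGroup.Add takes the member's ADsPath, not its DN alone
}

function Get-DomainGroupMembers($Group) {
    return @($Group.member)              # the multi-valued 'member' attribute, as DNs
}

$engineers  = New-DomainGroup -Name 'Engineering'    -Scope Global
$newsletter = New-DomainGroup -Name 'All-Staff-News' -Scope Universal -Distribution
Add-DomainGroupMember -Group $engineers -MemberDn "CN=Kebede Mengistu,CN=Users,$domainDn"

foreach ($g in $engineers, $newsletter) {
    '{0,-16} groupType={1,12}  {2}' -f $g.cn.Value, $g.groupType.Value, (Get-GroupTypeDescription ([int]$g.groupType.Value))
}
Get-DomainGroupMembers $engineers
```

Only Engineering can be granted NTFS or share permissions; if All-Staff-News is typed into a permissions dialog it is not found, because objects without a SID are never offered as security principals. Converting a group between the two types later is allowed in native mode, but a group converted to distribution silently drops out of every ACL it was in, which is a common way to lose access controls.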
CHAPTER 4 WORKING WITH COMPUTER ACCOUNTS

Computer accounts:
- These accounts are stored by default in the Computers container within Active Directory
- Used to uniquely identify, authenticate and manage computers in the domain
- Created for any computer that joins the domain, e.g. Windows 2000 Professional, Windows XP Professional or a Windows Server 2003 member server (a domain controller's own account is created by DCPROMO in the Domain Controllers OU)
- Like a user, each computer account has a password, which the computer uses to authenticate itself to the domain and set up its secure channel
- You can manage computer accounts through the Active Directory Users and Computers utility
Creating computer accounts: there are two options
1. Through the Active Directory Users and Computers utility (from the server), before the computer is joined to the domain
2. Through the Computer Name tab of the client computer's System Properties (from the client computer)
To add computers to the domain you must be logged on as a member of the Administrators group (or as an account that has been granted the right to add computers)
To create a computer account in the Active Directory Users and Computers utility take the following steps:
1. Select Start > Administrative Tools > Active Directory Users and Computers to open the utility
2. Right-click the Computers container, select New from the pop-up menu and then select Computer
3. The New Object - Computer dialog box appears; enter the computer name, which uniquely identifies the object within Active Directory
4. Click Next, then Finish
To add a computer to the domain through the Computer Name tab of the System Properties dialog box (from the client computer) follow these steps:
1. On the computer that you are adding to the domain, select Start, right-click My Computer and select Properties to display the System Properties dialog box
2. Click the Computer Name tab of the System Properties dialog box; it shows a Change button
3. Click the Change button to display the Computer Name Changes dialog box
4. Type the computer name in the Computer Name box
5. Select the Domain option under "Member of" and type the DNS name of the domain the computer will join (e.g. wuni.local); the client must be able to resolve the domain's DNS records, so its preferred DNS server should be the domain's DNS server
6. Click OK; the Computer Name Changes dialog asks for the user name and password of an account with permission to join the domain
7. Type the user name and password of a user who has the right to add the computer to the domain (a member of the Administrators group) and click OK
8. You will see a confirmation dialog box welcoming you to the domain you have joined; click OK
9. Click OK again to restart the computer
Resetting computer accounts
Each computer account has a password, which the computer changes automatically every 30 days as part of Active Directory security.
If the computer's copy of that password no longer matches the one stored in Active Directory (for example after the computer is restored from an old image), the secure channel to the domain is broken and domain users cannot log on at that computer even though their user names and passwords are correct.
To reset the account: in Active Directory Users and Computers, under the Computers container, right-click the computer and select Reset Account; then rejoin the computer to the domain so that it receives a new password.
Troubleshooting computer accounts: If you have a problem joining a computer to a domain, check the following conditions:
The computer joining the domain must be running Windows 2000 Professional, Windows XP Professional or Windows Server 2003.
The computer must have a working network connection to a domain controller (NIC, central device, cabling) and must be able to resolve the domain name through DNS.
The computer joining the domain must have a unique computer name and a unique IP address.
The user who adds the computer to the domain must log on as a member of one of these groups: o Account Operators o Domain Admins o Enterprise Admins o Administrators
Locating/searching objects in Active Directory: If your Active Directory stores hundreds or thousands of users, computers and other objects, locating a specific object by browsing is time consuming.
Active Directory Users and Computers offers a Find utility to search for: o Users, contacts and groups o Computers o Printers o Shared folders and other objects
Procedure:
In Active Directory Users and Computers, right-click the domain (or container) you want to search
Select Find
Type the name of the user, group or computer you want
Click Find Now
The search results are displayed at the bottom of the dialog box
Chapter 5 Managing Network access
Network access defines what rights a user has to resources on the network, that is, the scope of access users have to shared files and folders.
The network administrator limits a user's access by assigning NTFS permissions to files and folders and share permissions to shared folders.
A powerful feature of networking is the ability to grant or restrict access to files and folders.
Accessing files and folders: The network administrator creates shared folders on the network so that users with the appropriate access rights can reach the files and folders inside them. To enable users to access files and folders the network administrator must perform two tasks: 1. create the shared folders 2. assign access rights (share and NTFS permissions) to the users
Partition file system and local security
There are two types of file systems used on local partitions: o FAT (FAT16 and FAT32) o NTFS
FAT partitions do not support local security: any user who can reach the partition can read and change every file on it.
NTFS partitions do support local security. If the partition is NTFS the network administrator can specify the access level each user has to the folders and files on the partition.
NTFS permissions are the mechanism for controlling access to NTFS folders and files. The network administrator configures the access level by allowing or denying NTFS permissions to users and groups.
NTFS permissions are cumulative: a user's permissions are the combination of those assigned to the user account and to every group the user belongs to.
If a user is allowed a permission through one group and denied the same permission through another, the deny overrides the allow.
o Example: If user "A" is allowed the Write permission through the Accounting group and denied Write through the Marketing group, the cumulative permissions of user "A" do not include Write.
Levels of NTFS permissions: Windows Server 2003 offers six levels of NTFS permissions:
Level 1 - Full control: this permission allows the following rights: o Create folders and execute files/programs in the folder (including copying and moving files) o List the contents of folders and read the data in the folder o Create new files and write data to files o Delete folders and files o See file or folder attributes (read only, hidden, archive) o Take ownership and set/change permissions for files and folders
If you select Full control, all the lower permissions are checked by default.
If you uncheck any lower permission (such as Read), the Full control Allow check box is automatically unchecked.
Level 2 - Modify: this permission allows the following rights: o Create new folders and files and write data to files o Delete folders and files o List the contents of folders and read the data in the folder o Execute files in the folder o See file or folder attributes (read only, hidden, archive)
If you select Modify, the following are checked automatically: o Read and execute o List folder contents o Read o Write
Level 3 - Read and execute: this permission allows the following rights: o Execute (run) files in the folder o List the contents of the folder and read the data in its files o See file or folder attributes (read only, hidden, archive)
If you select Read and execute, the following are checked automatically: o List folder contents o Read
Level 4 - List folder contents: this permission allows the following rights: o List the contents of folders o See file/folder attributes (this level applies to folders only)
Level 5 - Read: this permission allows the following rights: o List the contents of the folder o Read the data in the folder's files o See file/folder attributes
Level 6 - Write: this permission allows the following rights: o Create new folders/files o Write data to files o Overwrite (modify) a file o Change file/folder attributes
Write on its own does not allow reading or deleting; it is normally combined with Read or Read and execute.
Applying NTFS permissions
Right-click the file or folder you want
Select Properties
In the Properties dialog box click the Security tab
Use the Add button to add the user or group to whom you want to assign permissions, then check Allow or Deny for each permission level
Use the Remove button to remove a user or group from the permission list
Finally click OK
This dialog box allows you to set NTFS permissions for users and groups
Understanding a user's effective permissions
A user's effective permissions are the rights the user actually has on a file or folder.
To determine a user's effective permissions, combine all permissions that have been allowed to the user through the user account or through group membership, and then remove all permissions that have been denied through any of them.
o Example: Suppose "Merry" is a member of the Accounting and IT groups and has been assigned the following permissions through those groups (one check per row, in either the Allowed or the Deny column):

Merry's permissions in the Accounting group
Permission             Allowed   Deny
Full control                     √
Modify                           √
Read and execute       √
List folder contents   √
Read                   √
Write

Merry's permissions in the IT group
Permission             Allowed   Deny
Full control           √
Modify
Read and execute       √
List folder contents   √
Read                   √
Write

Merry's effective permissions are: permissions allowed (PA) - permissions denied (PD) = effective permissions (EP); that is, all permissions allowed that do not also appear among the permissions denied.
Allowed through either group: Full control, Read and execute, List folder contents, Read. Denied through either group: Full control, Modify.
Therefore, Merry's effective permissions are: o Read and execute o List folder contents and o Read
In the real Security tab a Deny on Full control or Modify also checks Deny on every lower level, so in practice a deny at those levels removes everything beneath it; the example treats each level independently only to illustrate the subtraction rule.
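The subtraction rule above, as an added Python example that is not part of the course notes. It models the six permission levels and the deny-overrides-allow rule exactly as the notes state them, and separately the Security tab's auto-check cascade described under "Levels of NTFS permissions" (selecting Modify also ticks Read and execute, List folder contents, Read and Write). The names LEVELS, IMPLIED, checked_boxes, effective_permissions, MERRY and USER_A are this example's own. Merry's assignments are this example's reading of the two tables (Accounting denies Full control and Modify and allows the three read-type levels; IT allows Full control and the three read-type levels). With expand=True the calculator applies the cascade before subtracting, which shows the practical caveat that a Deny on Full control or Modify removes every lower level as well.

```python
"""NTFS effective-permission calculator (added example; not part of the course notes)."""
from typing import Iterable, List, Set, Tuple

LEVELS = ("Full control", "Modify", "Read and execute",
          "List folder contents", "Read", "Write")

# Boxes the Security tab ticks automatically when a level is selected.
IMPLIED = {
    "Full control": set(LEVELS),
    "Modify": {"Modify", "Read and execute", "List folder contents", "Read", "Write"},
    "Read and execute": {"Read and execute", "List folder contents", "Read"},
    "List folder contents": {"List folder contents"},
    "Read": {"Read"},
    "Write": {"Write"},
}

# (principal, allowed levels, denied levels): one entry per group the user belongs to,
# plus one for the user account itself if it has explicit entries.
Grant = Tuple[str, Iterable[str], Iterable[str]]


def checked_boxes(level: str) -> Set[str]:
    """Levels that end up ticked when 'level' is ticked in the dialog."""
    if level not in IMPLIED:
        raise ValueError(f"unknown NTFS permission level: {level!r}")
    return set(IMPLIED[level])


def effective_permissions(grants: List[Grant], expand: bool = False) -> Set[str]:
    """Effective = union(allowed) - union(denied); a deny anywhere wins.

    expand=False treats each level as an independent label (the notes' model).
    expand=True first applies the dialog's cascade, which is how the ACL really
    behaves: denying Full control denies all six levels.
    """
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for _principal, allow, deny in grants:
        for level in allow:
            boxes = checked_boxes(level)          # also validates the level name
            allowed |= boxes if expand else {level}
        for level in deny:
            boxes = checked_boxes(level)
            denied |= boxes if expand else {level}
    return allowed - denied


# Merry's assignments as read from the two tables above (constructed sample data).
MERRY: List[Grant] = [
    ("Accounting", ("Read and execute", "List folder contents", "Read"),
                   ("Full control", "Modify")),
    ("IT", ("Full control", "Read and execute", "List folder contents", "Read"), ()),
]

# User "A" from the earlier example: Write allowed via Accounting, denied via Marketing.
USER_A: List[Grant] = [("Accounting", ("Write",), ()), ("Marketing", (), ("Write",))]

if __name__ == "__main__":
    print("Merry (levels as labels):", sorted(effective_permissions(MERRY)))
    print("Merry (dialog cascade):  ", sorted(effective_permissions(MERRY, expand=True)))
    print("User A:", sorted(effective_permissions(USER_A)))
```

Running the script reproduces the notes' answer for Merry (Read and execute, List folder contents, Read) and an empty set for user "A"; with the cascade applied Merry is left with nothing, because the Accounting group's Deny on Full control covers every level the IT group allows. That is why explicit Deny entries at the Full control or Modify level should be used sparingly and checked with the Effective Permissions tab before being relied on.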
Permission inheritance
A folder to which you apply permissions usually contains files and subfolders.
By default the permissions of a parent folder are applied to all files and subfolders within it. This is called permission inheritance, and the permissions received this way are inherited permissions.
To configure permission inheritance
Right click the folder you want
Click properties
Click advanced tab
Select allow inheritable permissions from the parent to propagate to this object check box and click ok
The following dialog box indicates permission inheritance allowed to the users in the entries box
You should assign permissions at the highest folder level within the directory structure and use inheritance to propagate them to all child objects within the structure, adding explicit permissions only where a subfolder must differ from its parent.
Determining NTFS permissions when copying and moving files
When you move or copy NTFS files, the permissions that have been set for those files may change:
1. If you move a file from one folder to another on the same NTFS volume, the file retains its original NTFS permissions (the move only changes a directory entry).
2. If you move a file between different NTFS volumes, the move is performed as a copy followed by a delete, so the file receives the permissions of the destination folder.
3. If you copy a file to another folder, on the same NTFS volume or on a different one, the copy receives the permissions of the destination folder.
4. If you copy or move a folder or file to a FAT partition, it loses all NTFS permissions, because FAT cannot store them.
Creating shared folders
To share a folder you must be logged on as a member of the Administrators or Server Operators group.
In the folder Properties dialog box, click the Sharing tab
Select Do not share this folder to stop sharing a folder
Select Share this folder, and give it a share name, to share the folder
The following dialog box shows how a folder called merry was shared
Configuring share permissions
To control users' access to a shared folder over the network, you assign share permissions.
Share permissions are simpler than NTFS permissions: they apply only to the shared folder as a whole (and everything under it), whereas NTFS permissions can be applied to individual folders and files. Share permissions are checked only for network access; NTFS permissions apply to local and network access alike.
To assign share permissions:
Click the Permissions button in the Sharing tab of the folder Properties dialog box. You can assign three share permissions:
1. Full Control: full access to the shared folder, including changing share permissions
2. Change: read, create, change and delete files in the shared folder
3. Read: view and execute files in the shared folder
The following dialog box shows Full Control allowed to the user Merry
Read is the default share permission granted to Everyone on a newly shared folder.
Shared folders do not use inheritance the way NTFS permissions do: a single set of share permissions covers the whole share.
Once a folder is shared, share permissions cannot block access to a particular subfolder or file inside it; use NTFS permissions for that. When both apply, the user gets the more restrictive of the share permission and the NTFS permission.
Viewing shared folders
When you select Shares in the Shared Folders utility (Computer Management), you see all shares configured on the computer.
A share name that ends with a dollar sign ($) is hidden: it is not listed when users browse the computer through My Network Places, although it can still be opened by typing its full path. o Example: the administrative shares C$ for C:\ and D$ for D:\
A shared folder looks like the following
Chapter 6 Managing Network Printing
Basic concepts: Creating, managing and deleting printers is fairly easy. When you connect a Plug and Play printer to a Windows Server 2003 computer, it is typically recognized through the Found New Hardware wizard. You can also manually configure printers through the Add Printer wizard, which walks you through installing and configuring the printer.
Each printer has an associated set of print properties, which allows you to exercise full control over how the printer is set up. For example, you can determine whether the printer is shared, whether it will use advanced features such as print pooling, and which users and groups can access the printer.
Setting up Network printers Before you can access your physical print device under windows server 2003, you must first create a logical printer. After you create logical printers, you may need to manage physical printers. The network administrator can create a local printer, which is a print device that is directly attached to the local computer, or a network printer which is a print device that is attached to another computer on the network or a print device that has its own network card and attaches directly to the network similar to the computers. The computer on which you run the Add printer wizard and create the printer automatically becomes the print server for that printer. The print server manages all of the printers that have been created on the computer. As the print server, the computer must have enough processing power to support incoming print jobs and enough disk space to hold all of the print jobs that will be queued
To manually create a new local or network printer, take the following steps:
Select Start > Printers and Faxes
Double-click the Add Printer icon. The Add Printer wizard starts. Click Next to continue and answer the wizard's questions (local or network printer, port, driver, printer name, whether to share it).
Managing printer properties: Once a printer has been set up, its properties let you configure options such as the printer name, whether or not the printer is shared, and printer security. To open the printer Properties dialog box, open the Printers and Faxes folder, right-click the printer you want to manage, and choose Properties from the pop-up menu. The printer Properties dialog box has at least six tabs: General, Sharing, Ports, Security, Device Settings and Advanced.
Basic configuration of printer properties Configuring General properties: The general tab of the network printer properties dialog box contains information about the printer. It also lets you set printing preferences and print test pages
The name of the printer, the location, and comment about the printer is shown here to reflect your entries when you set up the printer. Using general tab you can also set printing preferences/print a test page to check your printer connectivity.
Setting printing preferences Clicking the printing preferences button opens the printing preferences dialog box as shown below. This dialog box will allows you to specify the layout of the paper (orientation-portrait or vertical, Landscape or horizontal), number of page per sheet, and page order.
Configuring sharing properties: The Sharing tab of the printer Properties dialog box lets you specify whether the printer is a local printer or a shared network printer. If you share the printer, you also specify a share name, which is what network users see.
If you uncheck the Share this printer check box, the printer becomes a local printer again and nobody can use it over the network. Configuring port properties: The Ports tab lets you configure all of the ports that have been defined for printer use. A port is the interface through which the computer communicates with the print device.
Windows server 2003 supports local ports/physical ports/ and Logical ports which can be:
Parallel ports
Serial ports
USB ports
Infrared
TCP/IP ports and others
Local ports are used when the printer is attached directly to the computer. Standard TCP/IP ports are used when the printer is attached to the network through its own network card. The advantage of network printers is that they can be located anywhere on the network and do not depend on a particular computer's local port. When you specify a TCP/IP port you must know the IP address (or host name) of the network printer. Besides deleting and reconfiguring existing ports, the Ports tab also lets you set up printer pooling and redirect print jobs to another printer.
The ports tab of the printer properties dialog box
Printer Pooling Printer pools are used to associate multiple physical print devices with a single logical printer, as illustrated in the following diagram. You would use a printer pool if you had multiple physical printers in the same location that were the same type and could use a single print driver.
The advantage of configuring and using a printer pool is that the first available print device will print you job. This is useful in situations where there is a group of devices shared by a group of users, such as secretarial pool.
To configure a printer pool, click the enable printer pooling check box at the bottom of the ports tab and then check all of the ports that the print devices in the printer pool will attach to. If you do not select the enable printer pooling option, you can select only one port per printer.
Redirecting print jobs to another printer: If a print device fails, you can redirect all jobs queued for it to another print device that has been configured as a printer on another computer in the network. For the redirection to work, the new print device must be able to use the same print driver as the old one. Basic configuration: to redirect print jobs
Click the Add Port button in the Ports tab; the Printer Ports dialog box is displayed.
From the available port types, highlight Local Port and click New Port; the Port Name dialog box appears.
In the port name box, type the UNC name of the computer and printer share that you want to redirect the print jobs to, in the format \\computername\printer-sharename, and click OK. Queued jobs then go to that printer. See the following example
Configuring Advanced Network Print Properties The advanced tab of the printer properties dialog box allows you to control many characteristics of the printer. You can configure the following options:
Printer availability
Printer priority
Spooling properties
Separator page
Printer Availability Configuration Printer availability specifies when a printer will service print jobs. Usually, you control availability when you have multiple printers that use a single print device. By default, the always available radio button in the advanced tab is selected, so that users can use the printer 24 hrs a day. To limit the printer’s availability, select the available from radio button and specify the range of time when the printer will be available for print service. The following printer availability option is configured to force the printer available only from 8:00 AM to 12:00 AM
Printer Priority configuration Priority is another option that you might configure if you have multiple printers that use a single print device. When you set priority, you specify how jobs are directed to the print device.
For example, you might use this option when two/more groups share a printer and you need to control the priority in which print jobs are serviced by the print device. In the advanced tab of the printer properties dialog box, you can set the priority value to a number from 1 to 99, with 1 as the lowest priority and 99 as the highest priority
Example: Suppose that a single print device is used by the accounting department.
The creator/owners in the accounting department always want their print jobs to print before the jobs created by the other users in the accounting department. To configure this arrangement, you could create a printer called CREATOR/OWNERS on a port LPT1 with a priority of 99. You would then create a printer on the same port LPT1 called USERS with a priority of 1.
Through the security tab of the printer properties dialog box, you would allow only creator/owners to use the CREATOR/OWNERS printer and allow the other users to use the USERS printer
Two logical printers that uses a single physical print device in the network
The following diagram shows how the two logical printers (users and creator/owners) can be configured to use the same port (LPT1)
The following printer Properties dialog box shows how to configure the CREATOR/OWNERS group with permission to print through the CREATOR/OWNERS printer, whereas USERS cannot print through this printer.
The following configuration shows how a priority can be set to 99 for creator/owner printer with higher priority to print
Spooling: When you configure spooling options, you specify whether print jobs are spooled or sent directly to the printer. Spooling means that print jobs are written to disk in a print queue before they are sent to the print device. This keeps jobs from competing for the device at the same time and returns control to the user's application as soon as the job is spooled, rather than when it has finished printing. By default, spooling is enabled.
Separator pages: Separator pages are printed at the beginning of each document to identify the user who submitted the print job and to separate one job from the next. If your printer is not shared, a separator page is generally a waste of paper. If the printer is shared by many users, the separator page can be useful for distributing finished print jobs. To add a separator page, click the Separator Page button in the lower-right corner of the Advanced tab of the printer Properties dialog box. This opens the Separator Page dialog box. Click the Browse button to locate and select the separator page file that you want to use. Windows Server 2003 supplies the separator files listed below, which are stored in the %SystemRoot%\System32 folder:
Pcl.sep
Pscript.sep
Sysprint.sep
Sysprintj.sep
When you click separator page button for the first time the system will display the following dialog box and prompt you to choose the separator page files from windows folder using browse button.
After you choose a separator page file – pcl.sep the system will display the following separator page dialog box. Click Ok to finish the set up.
Security properties - print permissions
The network administrator controls which users and groups can use a Windows Server 2003 printer by configuring print permissions. The administrator allows or denies access to a printer in the Security tab of the printer Properties dialog box.
The print permissions defined by Windows Server 2003 are:
Print: allows a user or group to connect to the printer and send print jobs to it (and to pause, resume and delete their own jobs)
Manage Printers: allows administrative control of the printer (changing printer settings, sharing or unsharing the printer, changing print permissions and managing printer properties)
Manage Documents: allows users to manage all queued documents (pausing, restarting, resuming and deleting them). Users with this permission alone cannot manage printer properties.
The following printer Properties dialog box shows how the network administrator configures printer security permissions. In this case the administrator allows the Manage Documents permission and denies the Print and Manage Printers permissions to the Users group.
Chapter 7 IP Addressing and sub-netting concepts
In a TCP/IP network every host has two addresses: 1. An IP address 2. A MAC address. The IP address is a logical address and is a combination of a network address (N) and a host address (H).
It gives each device on a network a unique address.
The IP address is what delivers a packet to the correct network and then to the correct host on that network.
A second 32-bit number written as four octets separated by dots, the subnet mask, is used to separate the network and host portions of an IP address.
An IP address is a 32-bit sequence of 1s and 0s, normally written in dotted-decimal form.
In the subnet mask, all bits covering the network portion of the address are 1s (an octet of all 1s is 255) and all bits covering the host portion are 0s.
The bits in the network portion plus the bits in the host portion always add up to 32.
[Figure: the 32-bit IP address divided into a network portion followed by a host portion]
Each octet in an IP address ranges from 0 to 255.
The first possible address is 0.0.0.0 and the last is 255.255.255.255.
Address types:
Network address: The address by which we refer to the network as a whole (like an area code)
Broadcast address: A special address used to send data to all hosts in the network
Host address: An address assigned to an end device in the network
Obtaining an IP address
An IP address can be assigned to a computer statically or dynamically.
Static addressing is done manually by the system administrator on each computer.
Dynamic addressing is the process by which network devices obtain a unique IP address automatically (for example from a DHCP server).
Static addressing is best for small networks that change infrequently, and for servers and network devices whose addresses must not change.
Static addressing becomes hard to manage as the number of devices grows; in that case dynamic addressing is preferable.
IP address classes: In the different address classes the number of octets representing the network and host portions varies.
Class A - The first octet represents the network portion and the remaining three octets the host portion. Class A addressing is used for very large networks. There are 2^24 possible host combinations, and 2^24 - 2 usable host addresses, per network.
Class B - The first and second octets represent the network portion and the remaining two octets the host portion. Class B addressing is used for medium-sized networks. There are 2^16 possible combinations and 2^16 - 2 usable host addresses per network.
Class C - The first, second and third octets represent the network portion and the remaining octet the host portion. Class C addressing is used for small networks. There are 2^8 possible combinations and 2^8 - 2 usable host addresses per network.
Class D - Within class D there is no distinction between network and host portions. Class D addresses are used for multicast groups.
Class E - Reserved for experimental/research use.
o Why subtract 2 from the possible host combinations?
Because the first and last addresses in every network are not assigned to hosts: the first address (all host bits 0) is the network address that identifies the network itself, and the last address (all host bits 1) is the broadcast address for that network. (The special addresses 0.0.0.0, the default route/unspecified address, and 255.255.255.255, the limited broadcast address, are reserved separately.)
Network and host portions by octet in class A, B, C and D addressing:
Class     1st octet   2nd octet   3rd octet   4th octet
Class A   Network     Host        Host        Host
Class B   Network     Network     Host        Host
Class C   Network     Network     Network     Host
Class D   multicast group address, no network/host split
Determining address classes: To determine the address class, look at the first few high-order bits (left to right) of the first octet in binary.
Address class   High-order bits   1st octet range (binary)   1st octet range   Bits in the network address
Class A         0                 00000000-01111111          0 - 127           8
Class B         10                10000000-10111111          128 - 191         16
Class C         110               11000000-11011111          192 - 223         24
Class D         1110              11100000-11101111          224 - 239         -
Note: within class A, first octets 0 and 127 are reserved (0 is the default/unspecified network and 127 is the loopback network), so the usable class A first octets are 1 to 126.
Subnet mask - basic concept: A subnet mask is a 32-bit number used to extract the network address from a particular IP address. All bits of the mask that correspond to the network address are set to 1 (an octet of all 1s is 255) and those that correspond to host bits are set to 0. The 1s in a mask are always contiguous from the left, so a mask is fully described by the count of its 1 bits. When subnetting, the mask also shows how many bits have been borrowed from the host portion for the subnet portion. Prefix (slash) notation writes the number of 1 bits in the mask after a slash (/). Example: 192.168.0.100/24 means IP address = 192.168.0.100, subnet mask = 255.255.255.0.
Example:
Address class   Network/Host model   Bits set (per octet)   Subnet mask
Class A         N.H.H.H              ON.OFF.OFF.OFF         255.0.0.0
Class B         N.N.H.H              ON.ON.OFF.OFF          255.255.0.0
Class C         N.N.N.H              ON.ON.ON.OFF           255.255.255.0
Note: N = network portion, H = host portion
ON = all bits corresponding to the network address are set to 1s; OFF = all bits corresponding to the host address are set to 0s
The class A subnet mask 255.0.0.0 is 11111111.00000000.00000000.00000000 in binary: all bits corresponding to the network address are set to 1s.
Q1. What is the subnet mask for the IP address 10.128.16.4?
Solution: This IP address is class A, because the first octet is between 0 and 127. The class A network and host portions follow the N.H.H.H model, whose binary mask is 11111111.00000000.00000000.00000000, that is, the subnet mask 255.0.0.0. The network address is 10.0.0.0 (host bits set to 0) and the host portion is the remaining three octets, .128.16.4 (0.128.16.4 when written as a full 32-bit value).
Q2. For the IP address 129.118.32.189 determine: A. the IP address in binary B. the address class C. the subnet mask D. the network address E. the host address.
Reserved addresses in a network: Two addresses on any network cannot be used by hosts:
1. The network address (the first address in the network; it is not assigned to a host)
2. The broadcast address (the last address in the network; it is not assigned to a host)
Network address: Used to identify the network itself. The host bits of a network address are all set to 0s; the network bits are those of the network portion of the given address.
Example: Consider the IP address 10.140.160.63. It is a class A address, so its default subnet mask is 255.0.0.0 and the network portion is the first octet (N.H.H.H model). The network address is therefore 10.0.0.0 (all host bits set to 0).
Broadcast address: Used to send packets to all devices (hosts) in the network. The network bits of a broadcast address are those of the network portion of the given address, and all its host bits are set to 1s (an octet of all 1s is 255).
Determine the broadcast address for the IP address 10.140.160.63. Solution: This is a class A address with the N.H.H.H model, so the network portion is the first octet (10). The broadcast address is 10.255.255.255 (all host bits set to 1).
Q3. Consider the IP address 176.10.22.93 and identify: 1. the address class 2. the subnet mask 3. the network address 4. the broadcast address
Q4. Identify the address class, subnet mask, network address and broadcast address for the IP address 197.118.32.189
Note: The subnet mask tells which part of the IP address represents the network the computer is connected to (the network portion, like an area code) and which part is the computer's unique identifier on that network (the host portion). If a computer has the IP address 192.168.1.25 and the subnet mask 255.255.255.0, the network portion is 192.168.1 and the computer is host #25 on that network. Host #0, 192.168.1.0, is reserved as the network address, and host #255, 192.168.1.255, is reserved as the broadcast address. The addresses 192.168.1.1 to 192.168.1.254 can be assigned to hosts. A valid host address is any address between the network address and the broadcast address.
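The classful rules of this section (address class from the high-order bits of the first octet, the default mask per class, and the network, broadcast and usable host addresses), as an added Python example that is not part of the course notes. The names CLASS_TABLE, to_int, to_dotted, to_binary, address_class, default_prefix, classful and is_assignable_host are this example's own; the sample addresses are the ones used in Q1 to Q4 above. The parser rejects malformed input rather than guessing, and is_assignable_host applies the reservation rules stated above (network and broadcast addresses, and the class A first octets 0 and 127).

```python
"""Classful IPv4 helpers (added example; not part of the course notes)."""
from typing import Dict, Optional

# (class, exclusive upper bound of the first octet, leading bits, default prefix length)
CLASS_TABLE = (
    ("A", 128, "0", 8),
    ("B", 192, "10", 16),
    ("C", 224, "110", 24),
    ("D", 240, "1110", None),   # multicast: no network/host split
    ("E", 256, "1111", None),   # reserved/experimental
)


def to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer, rejecting malformed input."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_binary(ip: str) -> str:
    """Dotted binary form, e.g. 10000001.01110110.00100000.10111101."""
    return ".".join(f"{b:08b}" for b in to_int(ip).to_bytes(4, "big"))


def address_class(ip: str) -> str:
    """Class letter from the first octet (equivalent to reading its leading bits)."""
    first = to_int(ip) >> 24
    for name, bound, _leading, _prefix in CLASS_TABLE:
        if first < bound:
            return name
    raise AssertionError("unreachable: first octet is always below 256")


def default_prefix(ip: str) -> Optional[int]:
    """Classful default prefix length (8/16/24), or None for class D and E."""
    return {c: p for c, _b, _l, p in CLASS_TABLE}[address_class(ip)]


def classful(ip: str) -> Dict[str, object]:
    """Class, default mask, and network/broadcast/host range under classful rules."""
    cls = address_class(ip)
    prefix = default_prefix(ip)
    if prefix is None:
        raise ValueError(f"{ip} is class {cls}: no network/host portions")
    value = to_int(ip)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # network bits 1, host bits 0
    host_mask = ~mask & 0xFFFFFFFF
    network = value & mask                               # host bits cleared
    broadcast = network | host_mask                      # host bits set
    return {
        "class": cls,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "host_part": to_dotted(value & host_mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "usable_hosts": (1 << (32 - prefix)) - 2,
    }


def is_assignable_host(ip: str) -> bool:
    """True if a host may use this address under the rules in the notes: not a
    network or broadcast address, and not in the reserved class A networks 0 and 127."""
    value = to_int(ip)
    prefix = default_prefix(ip)
    if prefix is None or (value >> 24) in (0, 127):
        return False
    host_bits = value & ((1 << (32 - prefix)) - 1)
    return 0 < host_bits < (1 << (32 - prefix)) - 1


if __name__ == "__main__":
    for sample in ("10.128.16.4", "129.118.32.189", "176.10.22.93", "197.118.32.189"):
        print(sample, to_binary(sample), classful(sample))
```

The bit operations are the mechanical form of the rule in the text: AND with the mask clears the host bits (network address), OR with the inverted mask sets them (broadcast address). Everything is done on the 32-bit integer rather than octet by octet, so the same code answers class A, B and C questions without special cases.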
Sub netting concept: Subnetting is the process of dividing a network into smaller networks, called subnetworks or subnets, by using a subnet mask other than the standard class A, B or C mask (/8, /16 and /24). To create subnets, some host bits are reassigned, or borrowed, as network bits. Always borrow from the leftmost host bits, the ones next to the last network octet.
Consider the IP address 192.168.10.0/27, which borrows 3 bits from the host bits to create subnets. Write the default subnet mask in binary: 255.255.255.0 = 11111111.11111111.11111111.00000000; the first three bits of the last octet are borrowed as network bits and the remaining five stay host bits.
Place value of each bit in an octet (left to right):
Bit      1     2     3     4     5     6     7     8
Value    128   64    32    16    8     4     2     1
3 bits borrowed = 128 + 64 + 32 = 224 = 11100000 in binary. The default (classful) subnet mask for this address is 255.255.255.0; the new subnet mask after borrowing is 255.255.255.224. The new mask is formed by writing 1s for the network and subnet (borrowed) bits and 0s for the host bits: 11111111.11111111.11111111.11100000. /27 is the total number of network bits plus subnet bits: 8 + 8 + 8 + 3 = 27 = 24 network bits + 3 subnet bits.
Q1. For the IP address 126.16.10.33/28, what is the subnet mask before and after the bits are borrowed?
Important computation: cumulative mask value for the bits borrowed within one octet
Bits borrowed   Cumulative value (mask octet)
1               128
2               192
3               224
4               240
5               248
6               252
7               254
8               255
Determining the number of IP addresses within a subnet: You can calculate the number of addresses in a subnet by subtracting the last octet of the subnet mask from 256 (2^8 possible values). If you have the subnet mask 255.255.255.192 (/26), the number of addresses in each subnet is 256 - 192 = 64. This value is also the increment between one subnet's network address and the next. (This shortcut applies when all borrowed bits lie in the last octet, that is, prefixes /25 to /30; in general the number of addresses is 2 to the power of the remaining host bits.)
Determining range of IP addresses
To determine range of IP addresses (boundary of the Network-Network address and broadcast address) within each sub net you have to know the packet IP address of the network. Packet IP address is the IP address with slash format. E.g. 192.168.3.56/27
Steps: 1. Determine the subnet mask of a given IP address 2. Subtract the last octet of the network portion in the subnet mask from 256 to get the number of IP address in the subnet. 3. Divide the last octet of packet IP address by the number of IP address in the subnet (under step 2) and don’t bother with the remainder. 4. Multiply this result by the number of IP address in the subnet to get the last octet in the network address 5. The last octet of the broad cast address is the sum of the last octet in the network address and number of IP address in the subnet minus 1(one) 6. Usable or valid host IP addresses are the address between the network address and the broadcast address
Q2. Determine the network boundaries and the valid host IP addresses in the subnet for the packet IP address 192.168.3.56/27.
Solution:
This packet IP address is a class C address with a default subnet mask of 255.255.255.0. The /27 for this class indicates that 3 bits are borrowed: 8 + 8 + 8 = 24 bits for the first three octets of the network portion, and 27 – 24 = 3 (number of bits borrowed), because 24 + 3 = 27. The cumulative value for 3 borrowed bits is 224, so the new subnet mask for the given packet IP address is 255.255.255.224 (step 1).
Number of IP addresses in the subnet = 256 – 224 = 32 (step 2)
56 / 32 = 1, remainder discarded (step 3)
32 x 1 = 32, the last octet of the network address, to yield 192.168.3.32 (step 4)
32 + 32 – 1 = 63, the last octet of the broadcast address, to yield 192.168.3.63 (step 5)
The network boundaries (network address and broadcast address) for the packet address 192.168.3.56 are therefore:
Network address = 192.168.3.32
The first host IP address = 192.168.3.33
The last host IP address = 192.168.3.62
Broadcast address = 192.168.3.63
The increment used to determine the network address of the next subnet is 32 (the number of addresses per subnet, 2^(remaining host bits) = 2^5).
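The six-step procedure and the Q2 solution above, written out as a small calculator. This is an added example and not part of the original notes; it handles prefixes /24 to /30 (all borrowed bits in the last octet, as in the notes' class C examples) and cross-checks the hand arithmetic against Python's standard ipaddress module.

```python
# Added example (not from the original notes): the six-step boundary procedure
# for a packet IP address in slash format, e.g. "192.168.3.56/27".
import ipaddress

# Cumulative mask values for 1..8 borrowed bits (the "important computation" table).
MASK_VALUES = {1: 128, 2: 192, 3: 224, 4: 240, 5: 248, 6: 252, 7: 254, 8: 255}

def boundaries(packet_ip):
    """Return subnet mask, block size, network, host range and broadcast for a /24../30 prefix."""
    address, prefix = packet_ip.split("/")
    prefix = int(prefix)
    if not 24 <= prefix <= 30:
        raise ValueError("this worked procedure covers prefixes /24 to /30 only")
    octets = [int(o) for o in address.split(".")]
    borrowed = prefix - 24                       # bits taken from the last octet
    last_mask = MASK_VALUES.get(borrowed, 0)     # step 1: cumulative value of borrowed bits
    block = 256 - last_mask                      # step 2: number of IP addresses per subnet
    net_last = (octets[3] // block) * block      # steps 3 and 4: integer divide, then multiply back
    bcast_last = net_last + block - 1            # step 5
    base = ".".join(str(o) for o in octets[:3])
    return {
        "subnet_mask": f"255.255.255.{last_mask}",
        "addresses_per_subnet": block,
        "network": f"{base}.{net_last}",
        "first_host": f"{base}.{net_last + 1}",  # step 6: hosts lie strictly between
        "last_host": f"{base}.{bcast_last - 1}",
        "broadcast": f"{base}.{bcast_last}",
    }

def cross_check(packet_ip):
    """True when the hand arithmetic agrees with the standard library's calculation."""
    ours = boundaries(packet_ip)
    net = ipaddress.ip_interface(packet_ip).network
    return (str(net.network_address) == ours["network"]
            and str(net.broadcast_address) == ours["broadcast"]
            and net.num_addresses == ours["addresses_per_subnet"])

if __name__ == "__main__":
    for ip in ("192.168.3.56/27", "216.151.193.92/28"):
        print(ip, boundaries(ip), "ok" if cross_check(ip) else "MISMATCH")
```

The cross check is the habit worth keeping: a subnet boundary computed by hand and written into an interface or access list is easy to get off by one block, and a mismatch between the two methods is cheap to detect before the address is deployed.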
Q3. Determine the network boundaries in the subnet for the packet IP address 216.151.193.92/28.
Determining:
Number of subnet networks (2 to the power of the borrowed bits) = 2^b, b = borrowed bits
Number of hosts per subnet (2 to the power of the remaining host bits) = 2^r, r = remaining bits
Number of usable hosts per subnet = 2^r – 2
Slash format   Bits borrowed   Mask/value   Total subnetworks   Total hosts per subnet   Usable hosts per subnet
/25            1               128          2                   128                      126
/26            2               192          4                   64                       62
/27            3               224          8                   32                       30
/28            4               240          16                  16                       14
/29            5               248          32                  8                        6
/30            6               252          64                  4                        2
/31            7               254          128                 2                        -
NA             8               255
Given a packet IP address of 172.16.10.36/27, determine the following:
IP address: 172.16.10.36
Address class: Class B
Subnet mask: 255.255.255.224 (8 + 8 + 8 + 3 = 27, in which 8 + 3 bits are borrowed)
Total bits borrowed: 11
Bits in the network portion: /27 = 8 + 8 + 8 + 3 = 27
Bits in the host portion: 8 – 3 = 5
Number of subnets: 2^(borrowed bits) = 2^11 = 2048
Number of hosts in each subnet: 2^(remaining host bits) = 2^5 = 32
Subnet ID (network address) for the first subnet: 172.16.10.32
  256 – 224 = 32 (number of IP addresses)
  36 (last octet of the IP address) / 32 (number of IP addresses) = 1 (remainder discarded)
  1 x 32 = 32, the last octet of the network address, to yield 172.16.10.32
Broadcast address for the first subnetwork: 172.16.10.63
  Last octet of the broadcast address = number of IP addresses + last octet of the network address – 1, i.e. 32 + 32 – 1 = 63, to yield 172.16.10.63
Valid host range in the first subnet: first valid = 172.16.10.33, last valid = 172.16.10.62 (.33 to .62)

Given the packet IP address 60.55.13.64/21, determine:
a. IP address ____________________________
b. Address class _________________________
c. Subnet mask __________________________
d. Bits borrowed _________________________
e. Bits in the network portion _________________________________
f. Bits in the host portion ____________________________________
g. Number of subnetworks ___________________________________
h. Number of hosts in each subnet _____________________________
i. Subnet ID (network address) for the first subnet _________________
j. Broadcast address for the first subnet __________________________
k. Valid host range in the first subnet: first valid ______________ last valid ________________
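The same worksheet as a function, so that each item (class, default mask, borrowed bits, subnet and host counts, first subnet boundaries) is derived rather than copied. This is an added example, not the notes' own code; it assumes classful defaults of /8, /16 and /24 for classes A, B and C and relies on the standard ipaddress module for the boundary arithmetic.

```python
# Added example (not from the original notes): a classful subnetting worksheet
# for an address in slash format, as in the 172.16.10.36/27 example above.
import ipaddress

def address_class(first_octet):
    """Return (class letter, default prefix length) for classes A, B and C."""
    if 1 <= first_octet <= 126:
        return "A", 8
    if 128 <= first_octet <= 191:
        return "B", 16
    if 192 <= first_octet <= 223:
        return "C", 24
    raise ValueError(f"first octet {first_octet} is not in class A, B or C")

def worksheet(packet_ip):
    """Fill in every line of the worksheet for one packet IP address."""
    iface = ipaddress.ip_interface(packet_ip)
    net = iface.network
    prefix = net.prefixlen
    cls, default_prefix = address_class(int(str(iface.ip).split(".")[0]))
    borrowed = prefix - default_prefix           # subnet bits taken from the classful host portion
    if borrowed < 0:
        raise ValueError("prefix shorter than the classful default is supernetting, not subnetting")
    host_bits = 32 - prefix
    return {
        "class": cls,
        "default_mask": str(ipaddress.ip_network(f"0.0.0.0/{default_prefix}").netmask),
        "subnet_mask": str(net.netmask),
        "bits_borrowed": borrowed,
        "network_bits": prefix,
        "host_bits": host_bits,
        "subnets": 2 ** borrowed,
        "hosts_per_subnet": 2 ** host_bits,
        "usable_hosts": max(2 ** host_bits - 2, 0),   # /31 and /32 have no usable range here
        "subnet_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_valid": str(net.network_address + 1),
        "last_valid": str(net.broadcast_address - 1),
    }

if __name__ == "__main__":
    for key, value in worksheet("172.16.10.36/27").items():
        print(f"{key:>18}: {value}")
```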
Some benefits of subnetting are:
Reduced network traffic and bandwidth utilization
Optimized network performance
More efficient use and allocation of network addresses
Simplified administration and management
Subnetting practice
If an organization was given (purchased) the packet IP address 192.168.4.0/27 from an internet service provider (ISP) and asks you to design and expand the given packet IP address into 3 subnetworks only within the organization, how would you design the subnetting for the organization?
Procedure:
Determine the total number of subnets in the network (2^3 = 8), from the borrowed bits
Determine the number of hosts per subnet, which is also the increment (2^5 = 32), from the remaining bits
Determine the subnet ID, number of IP addresses, host range and broadcast address in each subnetwork
Start your design in the following manner:
Subnet#   Subnet ID      Host range     Broadcast address within each subnet
0         192.168.4.0    .1 to .30      192.168.4.31
1         192.168.4.32   .33 to .62     192.168.4.63
2         192.168.4.64   .65 to .94     192.168.4.95
3         192.168.4.96   .97 to .126    192.168.4.127
If the organization continues to expand its network, what will be the last subnet ID, host range and broadcast address?
NB. Since 3 bits are borrowed, 5 bits remain for the hosts. Therefore there are 2^5 (32) hosts per subnet. This number is used to identify the next subnet ID, i.e. as the increment between subnets, whereas 2^3 (8) is the total number of possible subnetworks.
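Enumerating the whole design table at once, including the rows beyond subnet 3, as an added example (not from the original notes). The block 192.168.4.0/24 and the 3 borrowed bits are the notes' own values; the function also works for any other classful block and borrow count.

```python
# Added example (not from the original notes): list every subnet produced by
# borrowing host bits from a classful block, the way the design table is filled in.
import ipaddress

def subnet_table(block, borrowed):
    """Split `block` (e.g. "192.168.4.0/24") into 2**borrowed equal subnets.
    Each row: (subnet number, subnet ID, first host, last host, broadcast)."""
    base = ipaddress.ip_network(block)
    rows = []
    for number, sub in enumerate(base.subnets(new_prefix=base.prefixlen + borrowed)):
        rows.append((number,
                     str(sub.network_address),
                     str(sub.network_address + 1),
                     str(sub.broadcast_address - 1),
                     str(sub.broadcast_address)))
    return rows

def increment(block, borrowed):
    """Addresses per subnet: the step between consecutive subnet IDs (2**remaining host bits)."""
    base = ipaddress.ip_network(block)
    return 2 ** (32 - base.prefixlen - borrowed)

def render(rows):
    """Plain-text table with one header line followed by one line per subnet."""
    lines = ["Subnet#  Subnet ID        Host range                       Broadcast"]
    for number, net, first, last, bcast in rows:
        lines.append(f"{number:<8} {net:<16} {first + ' to ' + last:<32} {bcast}")
    return lines

if __name__ == "__main__":
    rows = subnet_table("192.168.4.0/24", 3)
    print("\n".join(render(rows)))
    print("increment:", increment("192.168.4.0/24", 3), "subnets:", len(rows))
```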
Identifying unused extra IP addresses in the sub network
The network administrator configures the IP addressing using the given IP packet for the serial link between two routers, as shown in the figure above. Each interface on the same router belongs to a different network address; the facing interfaces on opposing routers need to share a network to talk. How many IP numbers do we really need on the network interconnecting the two routers?
Because a point-to-point link will never have anything but two devices, we need only two IP numbers, one for each serial interface (se0/1 and se0/2). Unfortunately, we have an eight-bit subnet mask (255.255.255.0), so we are wasting 252 of the 254 usable and available numbers on the subnet.
Subnetting the IP address 172.16.10.0/24
The network mask is 255.255.0.0, whereas the subnetwork mask after borrowing 8 bits is 255.255.255.0.
Network address: 172.16.10.0
The first host IP address in the subnetwork: 172.16.10.1
The last host IP address in the subnetwork: .254 (256 – 0 = 256, 256 – 2 = 254 usable IP addresses)
Broadcast IP address for this subnetwork: .255 (last usable IP + 1 = 254 + 1 = 255)
Number of subnetworks / increment = 256 – 0 = 256 (if the increment is 256 then there is only one subnetwork)
Number of hosts in the subnet: 2^8 = 256
Usable host addresses = 256 – 2 = 254
Among all these IP addresses the network administrator uses only two (172.16.10.1 and 172.16.10.2), and all the remaining 252 host IP addresses are wasted. The best solution to this kind of IP addressing problem is the concept of Variable Length Subnet Masks (VLSM).
What is a variable length subnet mask? As the name suggests, with variable length subnet masks (VLSMs) we can have different subnet masks for different subnets of the same network. So, for the preceding example, we could have a subnet mask of 255.255.255.252 (/30). In this case we have only two usable host IP addresses (2^2 – 2), which is exactly what we need for our serial link between the two routers. (30) or /30 indicates the number of bits in the subnet mask.
The network address 172.16.10.0/24 can now be written in the form 172.16.10.0/30, which gives the VLSM of 255.255.255.252.
Using VLSM, instead of making our subnet mask longer as in the previous example, we can also make our subnet mask shorter. This is called supernetting.
VLSM design example
For the network topology designed below, we have the following set of requirements for our network addressing:

Segment                   Number of valid host IP addresses required
Servers                   14
Ethernet users            158
Serial links              2
Router interconnection    6
VLSM design topology
N.B. We can easily determine the subnet mask required for each segment in our example by looking for the closest host block size that is greater than or equal to the number of hosts needed in our design. All maximum host counts per subnet are given in base-2 form (2^n, where n is greater than or equal to 2).
We can determine the number of valid IP addresses by subtracting 2 from the maximum number of hosts in the subnet; those two addresses are not valid host addresses, one being the network address and the other the broadcast address of that subnetwork.
Table to determine the subnet mask for the required number of hosts in the design:

Maximum number of hosts in the subnet   Bits in the subnet mask (prefix/slash format)   Subnet mask
4                                       /30                                             255.255.255.252
8                                       /29                                             255.255.255.248
16                                      /28                                             255.255.255.240
32                                      /27                                             255.255.255.224
64                                      /26                                             255.255.255.192
128                                     /25                                             255.255.255.128
256                                     /24                                             255.255.255.0
...                                     ...                                             ...
In our example servers need 14 valid IP addresses. In this case the number of host size closest and greater/equal to 14 is 16 (refer in the table above) and the subnet mask for this sub-network is 255.255.255.240(28).
We can list the required valid host addresses and subnet masks for the segments in our design:

Segment                   Maximum IP addresses   Valid IP addresses required   Subnet mask
Serial link               4                      4 – 2 = 2                     255.255.255.252 (/30)
Router interconnection    8                      8 – 2 = 6                     255.255.255.248 (/29)
Servers                   16                     16 – 2 = 14                   255.255.255.240 (/28)
Ethernet users            160                    160 – 2 = 158                 255.255.255.0 (/24)
Assign valid IP ranges to each segment in the subnetwork using VLSM
Based on the above table we can now determine, for each segment subnetwork in the design:
Subnetwork address
First valid IP address
Last valid IP address
Broadcast IP address
Valid IP range needed
The network administrator must begin allocating addresses starting with the segment requiring the greatest prefix length (slash format). This helps the network administrator keep track of the subnetwork addresses already used; otherwise he may assign the same subnetwork address to several segments, which makes the subnetworks not work properly. The given IP packet is:
172.16.10.0 (class B address for all subnetworks)
Serial Link: Subnet mask = 255.255.255.252(30)
Sub network address: 172.16.10.0
First valid IP address: 172.16.10.1
Last valid IP address: 172.16.10.2
Broad cast IP address: 172.16.10.3
Valid IP range : 172.16.10.1 – 172.16.10.2
Router interconnection: Subnet mask = 255.255.255.248 (/29). The subnetwork address 172.16.10.0 is already used for the serial link, therefore we have to use the next subnetwork address for this subnet mask. The increment for this subnetwork is 8 (256 – 248 = 8), hence the next subnetwork address is 172.16.10.8. In fact, there is another two-host subnet at 4 (172.16.10.4 – 172.16.10.7) which we had to skip; it can be used in the future.
Sub network address: 172.16.10.8
First valid IP address: 172.16.10.9
Last valid IP address: 172.16.10.14
Broad cast IP address: 172.16.10.15
Valid IP range : 172.16.10.9 – 172.16.10.14
Servers: Subnet mask = 255.255.255.240 (/28). The subnetwork addresses 172.16.10.0 and 172.16.10.8 are already used, so the next subnetwork address must be determined. The increment for this subnetwork is 16 (256 – 240 = 16), therefore the subnetwork address for this subnet is 172.16.10.16 (16 + 16 = 32, and 32 – 2 = 30 is the last octet of the last valid IP address for this subnet); from this, the broadcast address has the last octet 31.
Sub network address: 172.16.10.16
First valid IP address: 172.16.10.17
Last valid IP address: 172.16.10.30
Broad cast IP address: 172.16.10.31
Valid IP range : 172.16.10.17 – 172.16.10.30
Ethernet users: Subnet mask = 255.255.255.0 (/24). For this subnetwork, the network administrator needs a maximum of 160 host IP addresses (158 usable host addresses). The increment for this subnetwork is 256 (256 – 0 = 256). To accommodate 160 host IP addresses, the network administrator must start from the network address with last octet zero (0), i.e. 0/256 = 0, 0 x 256 (increment) = 0, which is the last octet of the network address (172.16.10.0), but this network address has already been used by the first subnetwork, the serial link. The next network addresses, 172.16.10.8 and 172.16.10.16, are also occupied. The next free subnetwork address is 172.16.10.32, which can only accommodate 16 IP addresses (.31 to .46), whereas we need to accommodate 158 usable IP addresses.
To solve this problem, the network administrator uses the 3rd octet of the subnet mask, which is 255, to determine the 3rd octet of the network address and so differentiate it from the pre-occupied addresses. To do this: 256 – 255 = 1; this is the increment in the 3rd octet only. The network address is then 172.16.11.0. Since the increment in the 4th octet is 256 (256 – 0 = 256), the broadcast address is 256 – 1 = 255, and the valid IP addresses lie between the network and broadcast addresses.
Sub network address: 172.16.11.0
First valid IP address: 172.16.11.1
Last valid IP address: 172.16.11.254
Broad cast IP address: 172.16.11.255
Valid IP range : 172.16.11.1 – 172.16.11.254
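The allocation walked through above, done by a small VLSM allocator that refuses to hand out a block overlapping one already assigned, which is exactly the mistake the notes warn about. This is an added example, not the notes' own code. The pool 172.16.10.0/23 is an assumption (the notes' own allocation spills into 172.16.11.0, so a single /24 cannot hold it); the host counts are the notes' requirements. With largest_first=False the allocator reproduces the notes' order and result; with the default largest_first=True it shows the conventional order, which packs the same segments into less space.

```python
# Added example (not from the original notes): a VLSM allocator that carves the
# design's four segments out of one pool without overlaps.
import ipaddress

# Usable host counts from the design table above (the notes' requirements).
REQUIREMENTS = {"Ethernet users": 158, "Servers": 14, "Router interconnection": 6, "Serial link": 2}

def prefix_for(usable_hosts):
    """Smallest block whose 2**n - 2 usable addresses cover the requirement (n >= 2)."""
    host_bits = 2
    while 2 ** host_bits - 2 < usable_hosts:
        host_bits += 1
    return 32 - host_bits

def allocate_vlsm(pool, requirements, largest_first=True):
    """Give each segment the first aligned block of its size that overlaps nothing already assigned.
    largest_first=True is the usual order; False follows the order the notes walk through."""
    pool_net = ipaddress.ip_network(pool)       # assumed pool, e.g. "172.16.10.0/23"
    allocated, used = {}, []
    for name, need in sorted(requirements.items(), key=lambda kv: kv[1], reverse=largest_first):
        prefix = prefix_for(need)
        for candidate in pool_net.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(taken) for taken in used):
                used.append(candidate)
                allocated[name] = candidate
                break
        else:
            raise ValueError(f"pool {pool} exhausted while allocating {name} (/{prefix})")
    return allocated

def describe(net):
    """Subnetwork address, mask, first and last valid host, broadcast, as the notes list them."""
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "first": str(net.network_address + 1), "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address)}

def no_overlaps(allocated):
    nets = list(allocated.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    for order in (False, True):
        print("largest block first" if order else "notes' order (smallest block first)")
        plan = allocate_vlsm("172.16.10.0/23", REQUIREMENTS, largest_first=order)
        for name, net in plan.items():
            print(f"  {name:<24} {str(net):<20} {describe(net)}")
```

Allocating largest-first is the standard advice because large blocks have coarse alignment and fit only at the start of the pool; allocating small blocks first leaves them in the way, which is what forces the notes' Ethernet segment to move to 172.16.11.0. Either way, the overlap check is what keeps two segments from sharing a network address.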
We can now take our VLSM address ranges and apply them to our network diagram as shown below.
VLSM example with IP addresses
Chapter 8 Routing Principles and Configurations
Router and Routing Concepts
What is a router? A router is a computer and has many of the common hardware components found on other types of computers. A router is a computer just like any other computer, including a PC. Routers have many of the same hardware and software components that are found in other computers, including:
CPU
RAM
ROM
Operating system
The main purpose of a router is to connect multiple networks and forward packets destined for its own networks or other networks. When a router receives a packet, it examines the destination IP address. If the packet does not belong to any of the router's directly connected networks or learned networks, the router must forward this packet to another router or drop the packet; that is why one can say a router is a switch until it learns the route.
Each network that a router connects to typically requires a separate interface. These interfaces are used to connect a combination of both local-area networks (LANs) and wide-area networks (WANs). LANs are commonly Ethernet networks that contain devices such as PCs, printers and servers (end devices). WANs are used to connect networks over a large geographical area and are commonly used to connect a LAN to the internet service provider's (ISP) network. The CPU of a router executes operating system instructions, such as
System initialization
Routing functions
Network interface configuration data
The router’s RAM stores the instructions and data needed to be executed by the CPU. It is volatile memory that loses its content when the router is powered down or restarted. For this reason the router also contains permanent storage areas such as ROM, Flash, and NVRAM. ROM is a form of permanent storage to store bootstrap instructions. The IOS (internetwork operating system) is permanently stored in flash memory and copied into RAM during the boot up process.
NVRAM is non-volatile random access memory that does not lose its information when power is turned off. NVRAM is used to store the start up configuration file.
Router boot-up process
Like all computers, a router uses a systematic process to boot up. The four phases are:
1. POST: testing the router hardware
2. Loading the bootstrap program from ROM
3. Locating and loading the IOS from flash memory
4. Locating and loading the startup configuration file (startup mode) from NVRAM
Router ports and Interfaces
Management Ports:
Routers have management ports, which are physical connectors used by the administrator to configure the router and are not used for packet forwarding. The most common of the management ports are:
Console port: it must be used during initial configuration of router and local access to the devices using a console cable
Auxiliary port: is used to manage remote devices through modem
Interfaces: The term interface on routers refers to a physical connector on the router whose main purpose is to receive and forward packets. Routers have multiple interfaces used to connect to multiple networks. A router’s Ethernet interface usually uses an RJ-45 jack that supports unshielded twisted pair (UTP) cabling. When a router is connected to a switch, a straight-through cable is used. When a PC’s network interface card (NIC) is connected directly to a router’s Ethernet interface, a crossover cable is used.
The following labeled figure shows the basic external components of a router:
1. 4-port Ethernet switch network interfaces (to receive and send packets)
2. Flash module
3. USB port
4. Fast Ethernet port 0/1
5. Management port for local access to the device and initial configuration of the router (console port)
6. Fast Ethernet port 0/0
7. Management port for remote access through a modem (auxiliary port)
8. High-speed WAN interfaces (serial interfaces)
Routing Routing is the process of transmitting packets from a network to another network. A router can only forward packets to routes or subnets in its routing table.
Route and Routing Table
A route is the information a router keeps about a network number, the outgoing interface, and the metric (hop count) between itself and the next router towards the destination within the internetwork.
A router always has the routes to directly connected networks. For non- directly connected networks, the router must learn and know how to get to there. The information can be manually configured (static routing), or learn from other routers using routing protocols (dynamic routing).
Once a router has learned a route, it places it in a repository for future use. This repository is known as a routing table. The routing table of each router includes the network number, outgoing interface, and metric (hop count) to all networks in the system.
The router also uses its routing table to determine the best path on which to forward the packet. When a match is found, the router encapsulates the IP packet into the data link frame of the outgoing (exit) interface, and the packet is forwarded towards its destination. Static routes and dynamic routing protocols are used by routers to learn route information about remote networks and build their routing tables. To view the IP routing table on your router, use the command show ip route in privileged mode.
Distance Vector Routing Protocols –RIP & IGRP Routing protocols are used by routers:
To figure out the network topology
Find paths to all networks in an internetwork
Determine the best path to a network and
Fill the routing tables with the routing information
Distance vector routing is broken down into two parts: distance and vector. Distance is the measure of how far it is to reach the destination, or the metric/hop count to reach the destination. Vector or direction is the direction/the outgoing interface the packet must travel to reach that destination. Distance vector protocols are known by rumor. What this means is that a router will learn routes/internetwork information/ from its neighbors.
With distance-vector routing protocols, every router in a network advertises all its known routes (its complete routing table) to its neighboring routers. Eventually each router has a complete routing table to all the subnets in the network, built by combining the received routing updates with its own routing table entries. The operation of distance vector algorithms:
1. RT1 advertises all its directly connected networks to its directly connected routers (neighbors, here RT2) through all its interfaces.
2. RT2, which received RT1's routing updates, advertises all its directly connected networks and the routes learned from RT1 through all its interfaces (RT1 and RT3 receive it).
3. RT3, which received RT2's routing updates, advertises all its directly connected networks to all its neighbors through all its interfaces.
4. In this way routers send and receive periodic routing updates to and from their neighboring routers.
Below shows the operation of distance vector protocols and the routing tables of each router, which include the network number, outgoing interface, and metric (hop count) to all networks before and after convergence.
N.B Convergence is the condition by which routers exchange their routes through all their interfaces and have complete routing table about neighboring routers within the internetworks. Convergence is also refers to a speed and ability of routers to agree on the topology of the network after a change in that topology. Convergence occurs, when all routers’ routing tables are at a state of consistency or uniformity. The network has converged when all routers have complete and accurate information about the network topology.
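The four-step exchange and the notion of convergence, simulated round by round. This is an added example and not part of the original notes. The three-router chain RT1, RT2, RT3 and its five /24 networks are constructed to match the notes' later static-route examples; the interface names are assumptions. Every router advertises its whole table to each neighbour once per round, a learned route is stored with the receiving interface and hop count plus one, and the run stops at the first round in which no table changes.

```python
# Added example (not from the original notes): a synchronous simulation of a
# distance vector exchange ("routing by rumour") until the tables converge.

# Constructed topology: RT1 - RT2 - RT3, each with its directly connected networks.
DIRECTLY_CONNECTED = {
    "RT1": {"192.168.1.0/24": "fa0/0", "192.168.2.0/24": "se0/0"},
    "RT2": {"192.168.2.0/24": "se0/0", "192.168.3.0/24": "fa0/0", "192.168.4.0/24": "se0/1"},
    "RT3": {"192.168.4.0/24": "se0/0", "192.168.5.0/24": "fa0/0"},
}
# (sender, receiver, interface on the sender that faces the receiver)
LINKS = [("RT1", "RT2", "se0/0"), ("RT2", "RT1", "se0/0"),
         ("RT2", "RT3", "se0/1"), ("RT3", "RT2", "se0/0")]
MAX_HOPS = 15  # RIP rule from the notes: a metric above 15 means unreachable

def initial_tables():
    """Before any update each router knows only its directly connected networks (hop count 0)."""
    return {router: {net: (iface, 0) for net, iface in nets.items()}
            for router, nets in DIRECTLY_CONNECTED.items()}

def receiving_interface(receiver, sender):
    """Interface on `receiver` facing `sender`; routes learned from `sender` exit through it."""
    return next(iface for s, r, iface in LINKS if s == receiver and r == sender)

def exchange_round(tables):
    """One periodic update: every router advertises its whole table to every neighbour.
    Returns (updated tables, whether any table changed)."""
    updated = {router: dict(table) for router, table in tables.items()}
    changed = False
    for sender, receiver, _ in LINKS:
        via = receiving_interface(receiver, sender)
        for net, (_, hops) in tables[sender].items():   # advertise the table as it was this round
            candidate = hops + 1
            if candidate > MAX_HOPS:
                continue
            current = updated[receiver].get(net)
            if current is None or candidate < current[1]:  # keep the shortest distance (vector)
                updated[receiver][net] = (via, candidate)
                changed = True
    return updated, changed

def converge(max_rounds=20):
    """Run rounds until nothing changes; return the tables and the number of rounds that carried news."""
    tables = initial_tables()
    for rounds in range(max_rounds):
        tables, changed = exchange_round(tables)
        if not changed:
            return tables, rounds
    raise RuntimeError("routing tables did not converge")

def is_converged(tables):
    """Every router holds a route to every network in the internetwork."""
    all_nets = {net for nets in DIRECTLY_CONNECTED.values() for net in nets}
    return all(set(table) == all_nets for table in tables.values())

if __name__ == "__main__":
    tables, rounds = converge()
    print(f"converged after {rounds} rounds of updates")
    for router, table in tables.items():
        for net, (iface, hops) in sorted(table.items()):
            print(f"{router}: {net} via {iface} metric {hops}")
```

The simulation makes the "rumour" property visible: RT3 never hears from RT1 directly, yet after the second round it holds 192.168.1.0/24 at two hops because RT2 re-advertised what it had learned. Anything RT2 advertises, true or not, is accepted the same way, which is why unauthenticated routing updates are a classic concern on real links.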
RIP and IGRP
Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP) are distance vector protocols. Both are designed for small networks. The main advantage of IGRP over RIP is that it provides a better measurement when determining the best route. IGRP overcomes RIP's limitation of a maximum hop count of 15 for the routes it advertises.
RIP has the following key characteristics:
Hop count is used as the metric for path selection. Hop count is a simple metric that counts the number of routers a packet must traverse. A metric is the measure (there are several kinds) that a router uses to select the best path.
If the metric for a network is greater than 15, RIP cannot supply a route to that network
Routing updates are broadcast or multicast every 30 seconds-by default
IGRP has the following key design characteristics:
Bandwidth, delay, load, and reliability are used to create a composite metric to choose the best path:
Bandwidth: path selection favours the highest bandwidth
Load: considers the traffic utilization of a link or network; a link with low traffic is preferred
Delay: considers the time a packet takes to traverse a path
Reliability: considers the probability of link failure (interface errors or previous link failure count)
Routing updates are broadcast every 90 seconds-by default
Internetworking operating system (IOS) IOS stands for Internetworking Operating System. Today almost all current routers and switches run IOS, the routing and switching software in the devices.
Internetworking operating system (IOS) modes: the main IOS modes are:
User EXEC mode (Router>): provides limited access
Privileged mode (Router#): allows show commands and limited configuration commands
Global configuration mode (Router(config)#): most configuration commands are entered in this mode; status cannot be checked with show commands
IOS command Line Interface (CLI)
IOS command line interface (CLI) is the text based user interface to a device for configuring, administering, and managing the devices. Below describes some basic IOS commands:
Enter user EXEC mode and move to privileged mode:
Router> enable
Router#
Move into global configuration mode:
Router# config terminal
Router(config)#
Name the router with the name you want, in our case RT1:
Router(config)# hostname RT1
RT1(config)#
Enter interface configuration mode for Fast Ethernet 0/0:
RT1(config)# interface fa0/0
RT1(config-if)#
Set the interface address to 192.168.1.1/24:
RT1(config-if)# ip address 192.168.1.1 255.255.255.0
RT1(config-if)#
Activate the interface (bring the link up) using the no shutdown command:
RT1(config-if)# no shutdown
Save the configuration using the do write command:
RT1(config-if)# do write
Configure the DCE side of the link to clock the bits at 64000 bps:
RT1(config-if)# clock rate 64000
Exit from interface and global configuration mode back to privileged mode using the end or exit command:
RT1(config-if)# exit
RT1(config)# exit
RT1#
Display detailed information and statistics about all interfaces:
RT1# show interfaces
Display a summary of all interfaces, including the status of the IP address assigned:
RT1# show ip interface brief
Display the routing table (detailed route information):
RT1# show ip route
Display the current configuration in RAM:
RT1# show running-config
Display the configuration saved in NVRAM:
RT1# show startup-config
RT1#
Routing configurations and verifications
Basic configuration includes
Designing network topology
Cabling- interconnecting devices using appropriate cable(serial or Ethernet)
Assigning IP addresses to routers and end devices (PCs, printers, and servers)
The following diagram shows basic logical network configurations:
Note: Both RT2 serial interfaces are DCEs and need clock rate configuration.
Initial configuration examples on Routers (RT1, RT2, and RT3) Initial configuration on router1 (RT1)
Test the network connectivity on all devices with the ping command
Currently, a request timed out error message would be received when trying to ping not directly connected networks or PC2, PC3, and PC4 from PC1. The ping command works only between devices within the same sub networks, example, you can ping from PC2 to PC3 or from PC1 to 192.168.1.1. This is due to routing configuration is not configured on all routers to ping or to reach all networks. To make all the devices to communicate or to reach all the networks, we have to configure either of the followings:
Static routing configuration
RIP configuration
IGRP configuration
Static Routing Configuration
With this configuration option, we configure the router with the networks that are not directly connected (remote networks) to the currently configured router, using the exit interface through which they are reached. Static routes support route summarization.
To configure a static route with an exit interface specified, use the following syntax:
Router(config)# ip route network-address subnet-mask exit-interface
network-address is the remote network to be added to the routing table
subnet-mask is the subnet mask of the remote network
exit-interface is the outgoing interface through which the remote network is reached from the currently configured router
Example: refer to the network topology above. To configure static routes on router RT1, the remote networks to this router are:
192.168.3.0
192.168.4.0
192.168.5.0
The last outgoing/exit interface for these networks to reach RT1 is the se0/0 (192.168.2.2) on the RT2.
Below are the static routing configurations on RT1, RT2, and RT3
The values in the brackets [x/y] of the routes shown by the show ip route command are the administrative distance (AD) and the metric respectively.
Administrative Distance (AD)
AD is the trustworthiness or reliability (how honest or believable) of a routing information source, that is, the routing protocol that produced the route. Administrative distance can be any value between 0 and 255. The lower the number, the more reliable the source of the route.
The administrative distance is used by routers to rate the trustworthiness of routing information sources. When a router learned multiple routes from different routing protocols to the same network, the AD will be first considered to select the best route to be stored into its routing table (the lower the better).
If multiple routes to the same network have the same AD (learned from the same routing protocol), then only the metric will be used to select the best route.
If multiple routes have the same AD and metric, the equal-cost links are used for load balancing, where the router sends packets over multiple paths to the same destination network.
Default administrative distance for different sources of routes:

Source of route                             Default administrative distance
Static route                                1
RIP (Routing Information Protocol)          120
IGRP (Interior Gateway Routing Protocol)    100
As seen in the table above, IGRP is more believable than RIP. When both IGRP and RIP are used to reach the same subnet, only the routes learned by IGRP will be added to the routing table.
Default static route configuration
Default routing is very useful in situations where learning all the more specific distant networks is not desirable due to limited system resources. To minimize the size of the routing tables, add a default static route. Packets destined for networks that are not in the routing table (unknown destination networks) will be directed to the default route. Default routing can only be used on stub networks, networks with only one entry and exit point to all outside networks. In our example RT1 and RT3 are considered stub networks. A default route is configured by substituting 0.0.0.0 for both the network address and the subnet mask, and giving the exit interface used for all distant network addresses, in the same ip route static routing command.
Below is an example of configuring a default static route on RT1. Before configuring the default static route on router 1 (RT1), remove all static route configuration from RT1 using the no ip route command. Notice that an asterisk (*) indicates a default route.
RIP configuration
The main command when configuring RIP is router rip at global configuration mode; press Enter and then type the command network followed by the IP address. During RIP configuration we have to configure each router with its directly connected network addresses (not the remote network addresses as in static route configuration).
Example: To configure RIP on RT1
RT1(config)# router rip
RT1(config-router)# network 192.168.1.0
RT1(config-router)# network 192.168.2.0
RT1(config-router)# network 192.168.3.0
RT1(config-router)# end
RT1#
Before configuring RIP, remove any pre configured static routes from the router. Below are the RIP configurations on RT1, RT2, and RT3
Note: Remember that the administrative distances of static routes and RIP routes are 1 and 120 respectively, hence static routes must be removed in order to use the route via RIP, otherwise the router chooses the administrative distance with less value (1)-static.
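How a router picks between a static route and a RIP route to the same network, and how a default route is matched only when nothing more specific fits, as an added example (not the notes' own code). The RT1 table is constructed from the notes' topology: connected networks, a static and a RIP route to 192.168.3.0/24, a RIP and an IGRP route to 192.168.4.0/24 (the IGRP metric value is an arbitrary placeholder), a RIP route to 192.168.5.0/24 and a static default route. Selection is by administrative distance first, then metric, and lookup is a longest-prefix match.

```python
# Added example (not from the original notes): route selection by administrative
# distance, then metric, followed by a longest-prefix lookup with a default route.
import ipaddress

# Default administrative distances from the notes' table (connected added for completeness).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "igrp": 100, "rip": 120}

class RoutingTable:
    def __init__(self):
        self.candidates = []   # every route offered by any source, before selection

    def learn(self, network, source, metric, exit_interface):
        self.candidates.append((ipaddress.ip_network(network), source, metric, exit_interface))

    def installed(self):
        """For each destination prefix keep the lowest AD; on equal AD the lowest metric.
        Equal AD and metric would be load balanced; here the first learned route is kept."""
        best = {}
        for net, source, metric, iface in self.candidates:
            rank = (ADMIN_DISTANCE[source], metric)
            if net not in best or rank < best[net][0]:
                best[net] = (rank, source, metric, iface)
        return {net: (source, metric, iface) for net, (_, source, metric, iface) in best.items()}

    def lookup(self, destination):
        """Longest-prefix match; 0.0.0.0/0 wins only when nothing more specific matches."""
        dst = ipaddress.ip_address(destination)
        matches = [(net, route) for net, route in self.installed().items() if dst in net]
        if not matches:
            return None
        net, (source, metric, iface) = max(matches, key=lambda m: m[0].prefixlen)
        return {"network": str(net), "source": source, "metric": metric, "exit_interface": iface}

def rt1_example():
    """Constructed RT1 table from the notes' topology (IGRP metric is a placeholder)."""
    rt = RoutingTable()
    rt.learn("192.168.1.0/24", "connected", 0, "fa0/0")
    rt.learn("192.168.2.0/24", "connected", 0, "se0/0")
    rt.learn("192.168.3.0/24", "static", 0, "se0/0")   # AD 1 ...
    rt.learn("192.168.3.0/24", "rip", 1, "se0/0")      # ... beats RIP's AD 120 for the same prefix
    rt.learn("192.168.4.0/24", "rip", 1, "se0/0")
    rt.learn("192.168.4.0/24", "igrp", 8576, "se0/0")  # AD 100 beats RIP even with a larger metric
    rt.learn("192.168.5.0/24", "rip", 2, "se0/0")
    rt.learn("0.0.0.0/0", "static", 0, "se0/0")        # default route, RT1 being a stub
    return rt

if __name__ == "__main__":
    rt = rt1_example()
    for dst in ("192.168.3.7", "192.168.4.1", "192.168.5.9", "10.9.9.9"):
        print(dst, "->", rt.lookup(dst))
```

This is the behaviour behind the note above: as long as the static route to 192.168.3.0/24 is present, the RIP route to the same prefix is never installed, so removing the static route is the only way to let RIP take over.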
Route Summarization concepts Multiple static routes can be summarized into a single static route if:
The destination networks can be summarized into a single network address.
The multiple static routes all use the same exit-interface to reach currently configured router.
The network addresses are contiguous
Route summarization concept implies that, it is preferable to summarize multiple static routes into a single network address to configure the router. This is called route summarization. Directly connected network addresses are not included into route summary.
Example: The following routers are configured using static routes.
In the above example RT3 has three static routes. All three routes are configured using the same exit interface on RT2 (se0/1 or 192.168.4.1). These three static routes on RT3 are:
ip route 192.168.1.0 255.255.255.0 se0/1
ip route 192.168.2.0 255.255.255.0 se0/1
ip route 192.168.3.0 255.255.255.0 se0/1
Now, we would like to summarize all of these routes into a single static route. 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 can be summarized into 192.168.0.0/22 network. Since all the three routes use the same exit interface, they can be summarized into a single 192.168.0.0 255.255.252.0.
Steps to calculate a summary route: here is the process of creating the summary route 192.168.0.0/22
1. Write out the networks that you want to summarize in binary.
2. To find the subnet mask for summarization, start with the left-most matching bits.
3. Work your way to the right, finding all the bits that match consecutively.
4. When you find a column of bits that do not match, stop. You are at the summary boundary.
5. Now count the number of left-most matching bits, which in our example is 22. This number becomes the subnet mask for the summarized route, /22 or 255.255.252.0.
6. To find the network address for summarization, copy all the matching bits in each octet up to the summary boundary, and write 0 bits for the non-matching bits beyond the summary boundary.
All the three routes can be summarized into a single route 192.168.0.0/22 or 192.168.0.0 255.255.252.0
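The six summarization steps implemented directly on the binary form, plus a check the notes do not make: which address space the summary advertises beyond the three original routes. This is an added example and not the notes' own code; the network lists are the notes' values and no router names are assumed.

```python
# Added example (not from the original notes): route summarization by longest
# common prefix, with a report of the extra space the summary covers.
import ipaddress

def to_bits(network):
    """32-bit binary string of the network address (step 1)."""
    return f"{int(ipaddress.ip_network(network).network_address):032b}"

def dotted_binary(network):
    """The same bits grouped per octet, as the notes write them out."""
    bits = to_bits(network)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def summarize(networks):
    """Steps 2-6: count the leading bits all networks share, then zero the rest."""
    bits = [to_bits(n) for n in networks]
    common = 0
    for column in zip(*bits):            # walk left to right (steps 2-3)
        if len(set(column)) != 1:        # first column that differs is the boundary (step 4)
            break
        common += 1
    # The summary must not be longer than any input prefix, or it would miss part of that route.
    common = min([common] + [ipaddress.ip_network(n).prefixlen for n in networks])
    address = int(bits[0][:common].ljust(32, "0"), 2)   # matching bits, then zeros (step 6)
    return ipaddress.ip_network((address, common))      # /common is the summary mask (step 5)

def extra_coverage(networks):
    """Prefixes the summary route covers that were not in the original list."""
    remaining = [summarize(networks)]
    for original in (ipaddress.ip_network(n) for n in networks):
        carved = []
        for piece in remaining:
            if original.subnet_of(piece):
                carved.extend(piece.address_exclude(original))
            elif not piece.subnet_of(original):
                carved.append(piece)
        remaining = carved
    return sorted(str(n) for n in ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    routes = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    for r in routes:
        print(f"{r:18} {dotted_binary(r)}")
    print("summary:", summarize(routes))
    print("also covered by the summary:", extra_coverage(routes))
```

For the notes' three routes the summary 192.168.0.0/22 also covers 192.168.0.0/24, which RT3 was never told about; packets for that prefix will now leave through se0/1 too. Checking extra_coverage before installing a summary tells you whether that silent widening is acceptable.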
Configuring a summary route: To implement the summary route, we must first delete the three current static routes from RT3 as follows:
RT3(config)# no ip route 192.168.1.0 255.255.255.0 se0/1
RT3(config)# no ip route 192.168.2.0 255.255.255.0 se0/1
RT3(config)# no ip route 192.168.3.0 255.255.255.0 se0/1
Next, we configure a single summary static route on RT3:
RT3(config)# ip route 192.168.0.0 255.255.252.0 se0/1
We can test the reconfiguration using the ping command to verify that we still have proper connectivity throughout the network.
*** END ***