BACK

Network Infrastructure: DNS, IP, DHCP, DHCP and DNS, NetBIOS, WINS, Name Resolution, OSI and DOD Models, Networking

The repair button in the Windows GUI:

• DHCP renew
• ARP flush
• Flush NetBIOS cache
• Register WINS
• Flush DNS
• Register DNS

All of the above can be done as discrete manual steps from the command line - and the Windows admin should know how to do each of these. Button is there for non-133t end losers and for speed.

Windows NetBIOS dependencies

Starting off on an aside: It sounds palatable to say, "AD and 2003/XP/2003 are IP and DNS based and NetBIOS stuff is just in there for convenience and backwards compatibility." Technically true, but not really accurate; and convenience has a huge scope in that statement:

• Exchange in a multi-domain environment requires NetBIOS
• Many third party tools require NetBIOS to work or to be supported
• The Windows network neighborhood requires NetBIOS
• Named mapped drives, UNCs, require NetBIOS - thus many logon scripts
• File and Printer sharing with pre-W2K clients from W2K3 server? NetBIOS dependent
• Some applications

The list is long. Try to run a Windows environment without NetBIOS and NBT...

NetBIOS resource browsing (enumeration?) can use a "null" session:

• Default NT4 behavior
• Optional non-default with W2K3 and W2K for backwards comparability
• Allows client to query DCs for users / groups / SIDs / descriptions - then the client can choose what to try to authenticate to
• There are many well known SIDs, like Administrator, which doesn't lock out, so it can be brute forces, and the SID doesn't change if the account is renamed
• This null session is part of the Everyone group
• W2K3 uses the Authenticated users group instead of the Everyone group, by default, reducing this attack surface
• W2K3 and W2K, by default, do NOT allow null sessions to connect to them

Internet Protocol - IP

TCP/IP Addressing Relevant Terms:

• LAN - Local Area Network
• WAN - Wide Area Network
• VLAN - Switch based Virtual LAN
• IANA - Internet Assigned Numbers Authority. Controls and oversees numbers for protocols, the -Country Code Top Level Domains and maintains the IP Address allotments
• Classfull or class-based addressing and routing - subnet mask implicit in the value of the IP address and is not defined and written as a separate value
• Subnet mask - value which delineates network vs. host bits in an IP address. (The host portion granted by an ISP, for example, can then be farther broken up by subnetting the host portion into other multiple networks by using a different subnet mask internally. The subnet mask isn’t subnetted, rather each network has it’s own subnet mask and have routers between them.)
• CIDR - Classless Inter Domain Routing. Uses the slash notation, ex: /24 or /27
• 2^n -2 - Where “n” is the number of bits in the host address, this formula returns the number of host addresses
• VLSM - Variable Length Subnet Mask. Each network has a subnet mask appropriate for it, in other words, the IP address pie is split into environmentally appropriate pieces
• APIPA - Automatic Private IP Addressing. Clients set to use a DHCP server, but unable to receive an IP address from one, generate (randomly) their own address in the 169.254/16 network
• DHCP - Dynamic Host Configuration Protocol. Server service which leases IP addresses and other TCP/IP configuration values to clients

IPv4 addresses are written as "dotted decimal" or in binary (BASE 2) as four octets, also dotted or separated by dots. Why an "octet"? It's like a string quartet (four) which has two violins, a viola, and a cello (or a quintet (five) or sextet (six)) an octet is eight bits working together.

Internet Protocol version 6 - IPv6
http://en.wikipedia.org/wiki/IPv6

Internet Protocol version 4 - IPv4
http://en.wikipedia.org/wiki/Ipv4

Subnet Addressing mini-tutorial - mostly focused on classfull networks and networks vs. hosts
http://www.networkcomputing.com/unixworld/tutorial/001.html

Online IP Subnet Calculators
http://www.subnet-calculator.com
http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc
http://www.wildpackets.com/products/free_utilities/ipsubnetcalc/overview

In Windows Server 2003, TCP/IP is installed by default and cannot be removed. Earlier versions of Windows allowed you to remove TCP/IP and reinstall it to return it to the installation defaults.

"netsh interface ip reset" When you run the reset command, it rewrites pertinent registry keys that are used by the Internet Protocol (TCP/IP) stack to reach the same result as the removal and the reinstallation of the protocol.

One to X types of network traffic:

UNICAST - 1 to 1 - from one host's IP address to another host's IP address. Most network traffic is composed of unicast packets. A unicast packet is one that has been addressed to a single computer. The destination IP address in a unicast packet is a Class A, B, or C IP address that has been assigned to a single host.

BROADCAST - 1 to all - from one host's IP address to all hosts IP address on the same network, via network's broadcast address. When a packet is addressed to the IP address 255.255.255.255, this is a local broadcast. A local broadcast is blocked by routers, but is propagated by hubs and switches. Local broadcasts are used by many applications to announce status and ensure that all interested hosts are informed of that status. A directed broadcast is an IP address with all the host bits set to 1. Computers use directed broadcasts to deliver a packet to all computers on a particular subnet. Broadcast packets are inefficient because they are processed by all hosts on a subnet. On a busy host/LAN, this may/will reduce performance levels.

MULTICAST - 1 to select many - from one host's IP address to one or many or many many host's IP address. This functionality is controlled by layer three router protocols where each multicast has host subscribe and added and removed, and the data goes from router to router such as to deliver the data to all applicable hosts. Can conceptualize as a unicast that has a single source and branches off at routers to end up as multiple unicasts from a single source, but more efficient than that.
Multicast packets are addressed to a group of computers using a Class D IP address. All computers that are part of a multicast group use the same multicast address. Any packets addressed to the multicast address are delivered to all computers in the multicast group. When a computer joins a multicast group, it informs the local router by sending an IGMP Join Group Request packet via multicast. The router tracks which subnets it has multicast clients on and ensures that multicast packets are forwarded to the proper subnets.
Multicast packets are an improvement compared with broadcast packets because multicast packets are processed by all hosts up to only the Internet layer rather than up to the Application layer. This reduces the processing load on busy hosts.

Routing is done at the IP layer (of the OSI / DOD / TCP models) and basically the point of that layer. At it's simplest level Network IDs are what determines the what's of IP routing. All the IPs, host IDs, subnet masks, CIDR*, VLSN*, supper-netting, broadcasts addresses all boil down to Network IDs.

A, or the, default gateway is generally a reference to a router on a network (AKA subnet)

The "gateway of last resort" is typically a entry in a routing table specifying what to do with an address the device has no other route for, often this is 0.0.0.0 and references an interface leading to the Internet.

A device's routing table is a what the OS user to direct or re-direct packets, either internally to itself, or to other networks via specific interfaces. The windows command route print shows the local routing table and is used to determine what stays on the box (loopback and local IPs) and what networks are found via each NIC - generally the local network (subnet) and everything else.

Microsoft NAT vs Cisco NAT/PAT:

• In Cisco-centric terminology and documentation: NAT is Network Address Translation, specifically a NAT device changes a socket on one interface to a socket on another interface where the IP address (SA (Source Address) and/or DA (Destination Address)) changed, but the ports remain the same; whereas PAT is Port Address Translation, like NAT but the port changes and the IPs stay the same.
• In Microsoft-centric terminology and documentation NAT = NAT and PAT

Planning aspects of TCP/IP, device (hub, switch, router, etc.) placement:

• Physical layout
• Number of sites
• Number of hosts per site
• Bandwidth requirements
• Utilization estimates
• Broadcast domain segmentation

TCP Ports

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535

List of all IANA registered ports: http://www.iana.org/assignments/port-numbers

Another list of well known ports: http://insecure.org/nmap/data/nmap-services

Dynamic Host Configuration Protocol - DHCP

DHCP and DNS

For best results and correct exam answers, choose ADI-DDNS, Active Directory Integrated Dynamic DNS.

DNS Aging/Scavenging Simplified http://www.myitforum.com/articles/16/view.asp?id=6287 DHCP and DDNS and DNS scavenging and scavenging configuration hints

The DDNS (Dynamic DNS) client server relationship and roles - how the client updates DNS

• Taken from a section within http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.mspx, (a Windows 2000 document.)
• Support for dynamic updates to DNS is described in RFC 2136.
• Every time there is an address event (new address or renewal), the DHCP client sends option 81 and its fully qualified name to the DHCP server, and requests the DHCP server to register a DNS pointer resource record (PTR RR) on its behalf. The dynamic update client handles the A RR registration on its own. This is done because only the client knows which IP addresses on the host map to that name. The DHCP server may not be able to properly do the A RR registration because it has incomplete knowledge. However, the DHCP server can be configured to instruct the client to allow the server to register both records with the DNS.
• The Windows 2000 DHCP server handles option 81 requests as specified in the draft RFC10. If a Windows 2000 DHCP client talks to a down-level DHCP server that does not handle option 81, it registers a PTR RR on its own. The Windows 2000 DNS server is capable of handling dynamic updates.
• Statically configured (non-DHCP) clients register both the A RR and the PTR RR with the DNS server themselves.

Question: BIND supports DDNS, but with primary and secondary zones the clients or DHCP servers can't update the secondary zones directly so what happens there?
Possible answer: Have DHCP do all the DDNS registration and point the DHCP server at the primary zone for this only.

NetBIOS

NetBIOS = Network Basic Input Output System. (IBM 1983)

Session layer protocol

NetBIOS is a flat namespace. All machines talking to one another must have unique names for everything to work smoothly. Using NBT, NetBIOS is routed over TCP/IP. Still NetBIOS ideally wants a flat name space, even over this routed space... The NetBIOS scope can be used to segregate NetBIOS namespaces.

NBT = NetBIOS over TCP/IP. Basically NetBIOS tunneled over IP

The NetBIOS Name suffix:

• The 16th character of the NetBIOS name is the NetBIOS suffix
• Detailed here: http://support.microsoft.com/?id=163409

• Number(h)	Usage
  00	Workstation Service
  20	File Server Service
  1C	Domain Controllers

• Acts just like AD DNS SRV (service) locator records (more here in AD section), but in the flat NetBIOS namespace, preceding Windows AD
• use nbtstat -n to view

Wikipedia on NetBIOS

Broadcast based NetBIOS name resolution

• query is broadcast / response is unicast
• routers do not pass broadcast traffic
• caching is for 10 min - relatively inefficient

Windows Internet Naming Service - WINS

WiNS and lmhosts map NetBIOS to IP - in other words:
Resolves NetBIOS names to their IP and IPs to their NetBIOS names

Vastly preferable to NetBIOS broadcasts as WiNS uses unicast communications, name resolution crosses routers and network traffic is less

Automatic and dynamic - hosts register and remove themselves, WiNS grooms out dead records too

Microsoft's name for a NetBIOS Name Server, NBNS

Preferably all hosts will point to WiNS

WiNS servers need to point to themselves

I like to write it as WiNS, as it's an internet service, not an Internet one, but the the I is capitalized for the acronym I guess.

WiNS is sort of the evolved descendent of the lmhosts file

Client must be WINS compatible - to use WINS (non-Windows OSs can be WiNS clients, if designed as such)

Clients must be configured to use WINS (can be done by DHCP)

WINS offers no programmatic or GUI based delegation of administration

WINS is not easily segregated

The MAIN things WiNS does:

• Service Name Queries
  • Most Common function and the point of WiNS
  • Assumes the query is not cached on the client already
  • Client sends a Name Query Request to server, contains NetBIOS name of interest
  • Server sends a Name Query Response to client, contains either:
    • Target IP
    • Message stating name could not be resolved
  • This traffic is unicast
  • Client can be configured with multiple WiNS servers to try
• Takes Name Registrations
  • Client initiates on its boot up
  • Client sends a Name Registration Request
  • Server check if the name is in use already, and either:
    • Returns a successful Name Registration Response
    • Challenges the current/old name holder:
      • If the current answers the new registree gets a NACK (Negative ACKnowledgement)
      • If the old does not answer the new get registered to that name / IP pair and the client gets an ACK from the server
    • If a NACK not other configured WiNS servers are tried
  • WiNS database entry gets a TTL (Time To Live), client is provided this too
  • Default WiNS TTL is six days
  • Other configured WiNS servers are tried if the first ones don't answer
• Does Name Renewals
  • At 50% of the TTL client sends a Name Refresh Request
  • Server replies with a Name Refresh Response, and a new TTL
  • Record is released if TTL expires without a renewal
• Does Name Removals
  • On graceful shutdown,
    • Client sends a Name Release Request
    • Server releases the record and sends client a Name Release Response with a TTL of zero
  • Otherwise the stale record may cause weird issues, then eventually be tombstoned and purged out

Multiple WiNS servers:

• Used for fault tolerance
• Used for multiple locations - to reduce WAN traffic
• Start WiNS topology has fastest replication
• Replication Partner configuration governs replication:
  • Push
    • Threshold for number of changes met, then pusher triggers puller to pull changes only
    • (Infrequent changes can result in slow replication)
  • Pull
    • Puller poles for changes on a schedule
  • Push/Pull
    • Both of the above :-)
• Persistent connections result in slightly faster replication, but use bandwidth which might be undesired on a slow WAN
• Automatic finding of replication partners is a feature - req NOT to use it as it is just there for marketing and is lame

WiNS server configurations:

• Renewal Interval
  • TTL given to clients
• Extinction Interval
  • Time before an unused record is marked as extinct
• Extinction Timeout
  • Time an extinct record is kept in the DB
• Verification Interval
• DB Verification
  • Contact the other WiNS servers and conf DBs are the same
• Burst Handling
  • If too many requests, tell clients to try again in a few seconds
• Backup
  • Setup once, then does every three hours
  • Can set to back up on shutdown too
• DB compacting
  • net stop wins
  • jetpack wins.mdb temp.mdb
  • net start wins

The WINS Proxy service:

• Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\EnableProxy to 1
• On Windows NT 4.0, Windows 2000, Windows XP, and the Windows Server 2003 family.
• Configures a computer to act as a WINS proxy for B-node clients on the local subnet.
• Hears a broadcast, unicasts the NetBIOS to IP request to its WINS server, receives back the response, broadcasts the response out the originator to get.
• Just like a DHCP relay, but for WINS.

This write up of WiNS is incomplete without also reading most of the Name Resolution section, below

Name Resolution

See also the ARP section, below under networking - ARP is a basic primary underlying piece of name resolution

Winsock vs NetBIOS

• ping hostname.example.com vs ping hostname - these names actually are resolved differently to IPs for the ping!
• FQDN = DNS hostname + DNS domain suffix with dotted format separate. EX: nsa2027.google.com
• UNC = NetBIOS hostname + file system sharename + file system path with a leading double back-wack and separated with back-wacks (AKA back slashes). EX: \\empire\overlords\procedures. Note also the Microsoft domain name is relevant here insofar as containing the hostnames
• Also note that LDAP takes yet another convention and syntax for its paths

NetBIOS node types are generally configured via DHCP's option 46. (Can use HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType registry value to 1 (Microsoft-enhanced B-node), 2 (P-node), 4 (M-node), or 8 (H-node) to specify also.)

Some command line tools related to name resolution. See the COMMANDS to know section for more detail

• ipconfig /displaydns - displays the DNS Resolver Cache
• ipconfig /flushdns - flushes the DNS Resolver Cache
• nslookup - way to see what DNS is returning
• nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses
• nbtstat -RR - Sends Name Release packets to WINs and then, starts Refresh

HOSTS and lmhosts:

• Filesystem location: c:\windows\system32\drivers\etc
• Filesystem location: C:\WINNT\system32\drivers\etc
• Filesystem location: %systemroot%\system32\drivers\etc
• Neither of these files has an extension!

LMHOSTS

• There is a sample file named lmhosts.sam, provided, save-as or copy this to lmhosts to use
• LM comes from Lan Manager
• Some syntax:
  • #PRE - Defines which entries should be initially preloaded as permanent entries in the NetBIOS name cache. Preloaded entries reduce network broadcasts, because names are resolved from the cache rather than from broadcast queries. Entries with a #PRE tag are loaded automatically when TCP/IP is started or manually with the nbtstat –R command.
  • #INCLUDE Path\FileName - Loads and searches entries in the Path\FileName file
  • #BEGIN_ALTERNATE and #END_ALTERNATE - Defines a list of alternate locations for Lmhosts files
  • Using the above one can set up a centralized LMHOSTS file and have all the client's LMHOSTS' files reference it while also having fail-back local LMHOSTS mappings - which is cool, powerful, and rarely used

More than you probably want to know about NetBIOS over TCP/IP, from Chapter 11 of TCP/IP Fundamentals for Microsoft Windows of TechNet Home > Networking > Tasks > Evaluation & Planning. A few nice pix too.

Note that clients can be configured to point to multiple DNS servers. Logically if one DNS server is not available, DNS name resolution fails over to the next DNS server in the list. However Windows does NOT use a DNS service query to control this fail over (most *NIX systems do) so if the primary DNS server is up, for example, but the DNS service is not running on it, the client will not fail over to the secondary DNS server. Basically, if Windows can ping the server running said to be running DNS, that server is used. This complicates troubleshoot and maintenance.

OSI and DOD models

The Windows 2000 TCP-IP network model.doc - The Windows 2000 TCP/IP network model MS Word formatted from a MS KB article

Mnemonic OSI devices: All People Seem To Need Data Processing (down the stack to send :-) Please Don't N T Sausage Pizza A (up the stack to receive :-)

----------------------------------------------------------------------------

The DoD (Department of Defense) (AKA TCP/IP model) model is a layered abstract description for communications and computer network protocol design. It was created in the 1970s by DARPA for use in developing the Internet's protocols, and the structure of the Internet is still closely reflected by the DoD model. It has fewer, less rigidly defined layers than the commonly referenced OSI model, and thus provides an easier fit for real-world protocols. It has four layers:

Layer 4 - Process Layer or Application Layer - This is where the "higher level" protocols such as SMTP, FTP, SSH, HTTP, etc. operate.
Layer 3 - Host-To-Host (Transport) - This is where flow-control and connection protocols exist, such as TCP. This layer deals with opening and maintaining connections, ensuring that packets are in fact received.
Layer 2 - Internet or Internetworking Layer - This layer defines IP numbers, with many routing schemes for navigating packets from one IP address to another.
Layer 1 - Network Access - This layer describes the physical equipment necessary for communications, for example the MAC addresses of the network cards in an Ethernet.

----------------------------------------------------------------------------

The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model for short) is a layered abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection initiative. It is also called the OSI seven layer model.

Layer 1: Physical layer
The Physical layer defines all the electrical and physical specifications for devices. This includes the layout of pins, voltages, and cable specifications. Hubs, repeaters and network adapters are physical-layer devices. The major functions and services performed by the physical layer are:

• establishment and termination of a connection to a communications medium.
• participation in the process whereby the communication resources are effectively shared among multiple users. For example, contention resolution and flow control.
• modulation, or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel. These are signals operating over the physical cabling -- copper and fiber optic, for example - or over a radio link.
• Parallel SCSI buses operate at this level. Various physical-layer Ethernet standards are also at this level; Ethernet incorporates both this layer and the data-link layer. The same applies to other local-area networks, such as Token ring, FDDI, and IEEE 802.11.

Layer 2: Data Link layer
The Data Link layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical layer. The addressing scheme is physical which means that the addresses (MAC address) are hard-coded into the network cards at the time of manufacture. The addressing scheme is flat. Note: The best known example of this is Ethernet. Other examples of data link protocols are HDLC and ADCCP for point-to-point or packet-switched networks and Aloha for local area networks. On IEEE 802 local area networks, and some non-IEEE 802 networks such as FDDI, this layer may be split into a Media Access Control (MAC) layer and the IEEE 802.2 Logical Link Control (LLC) layer.

This is the layer at which bridges and switches operate. Connectivity is provided only among locally attached network nodes; however, there's a reasonable argument to be made that these really belong at "layer 2.5" rather than strictly at layer 2.

"Layer 2.5"
While not a part of the official OSI model, the term "Layer 2.5" has been used to categorize some protocols that operate between layer 2 and layer 3. For example, Multiprotocol Label Switching (MPLS) operates on packets (layer 2) while working with IP addresses (layer 3) and uses labels to route packets differently.

Layer 3: Network layer
The Network layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks while maintaining the quality of service requested by the Transport layer. The Network layer performs network routing, flow control, segmentation/desegmentation, and error control functions. Routers operate at this layer -- sending data throughout the extended network and making the Internet possible (there also exist layer 3 (or IP) switches). This is a logical addressing scheme - values are chosen by the network engineer. The addressing scheme is hierarchical. The best known example of a layer 3 protocol is the Internet Protocol (IP).

Layer 4: Transport layer
The Transport layer provides transparent transfer of data between end users, thus relieving the upper layers from any concern with providing reliable and cost-effective data transfer. The transport layer controls the reliability of a given link. Some protocols are state and connection oriented. This means that the transport layer can keep track of the packets and retransmit those that fail. The best known example of a layer 4 protocol is TCP.

Layer 5: Session layer
The Session layer provides the mechanism for managing the dialogue between end-user application processes. It provides for either duplex or half-duplex operation and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for "graceful close" of sessions, which is a property of TCP, and also for session checkpointing and recovery, which is not usually used in the Internet protocol suite.

Layer 6: Presentation layer
The Presentation layer relieves the Application layer of concern regarding syntactical differences in data representation within the end-user systems. MIME encoding, data compression, encryption, and similar manipulation of the presentation of data is done at this layer. Examples: converting an EBCDIC-coded text file to an ASCII-coded file, or serializing objects and other data structures into and out of XML.

Layer 7: Application layer
The Application layer services facilitate communication between software applications and lower-layer network services so that the network can interpret an application's request and, in turn, the application can interpret data sent from the network. Through Application layer protocols, software applications negotiate their formatting, procedural, security, synchronization, and other requirements with the network. Some common Application layer protocols are HTTP, SMTP, FTP and Telnet.

Layer 8: Politics
This layer often overrides more technically astute decisions made at lower levels. Needs at this level can dictate what happens below.

Layer 9: Religion or Money
This lay functions much like layer 8, but is more powerful. Religion can be seen as non-logically based or rigid. Money is basically the ultimate decision maker - it's all about dollars and sense.

----------------------------------------------------------------------------

en.wikipedia.org/wiki/OSI_model
en.wikipedia.org/wiki/DoD_model
www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ap1.htm
www.microsoft.com/technet/archive/winntas/maintain/featusability/tcparch.mspx

IEEE 802.3 = Ethernet.
Ethernet is de facto standard due to its high performance and low price.
Most common implementations use are 100 Mbps,1 Gbps, and 10 Mbps - highest speed avail is 10 Gbps.

Diagram of an Ethernet frame (public domain from http://en.wikipedia.org/wiki/Image:Ethernet_frame.svg):

Ethernet Type II Frame ((public domain from http://en.wikipedia.org/wiki/Image:Ethernet_Type_II_Frame_format.svg):

Both above images from the Ethernet page on Wikipedia

More Networking Stuff

MAC address vs. IP address:

• MAC - Machine Access Control. Six byte number written in dashed hex, xx-xx-xx-xx-xx-xx. First three byte specify a vender, last three are vender assigned per device
• IP - Internet Protocol
• IP packets traverse the network of routers, VLANs, switches, multi or dual homed hosts, hosts, and hubs. An IP packet has a source MAC, a destination MAC, a source IP, and a destination IP. The source and destination IP (with the exceptions of being NATed) stay the same from start to end of a unicast journey. However, the source and destination MAC change at each hop or leg of the trip, as this is how the packet makes its way from one physical device to the next.
• MACs are globally unique (more or less) centrally controlled, and constitute a flat namespace. MAC-spoofing and manufacturer error and re-use can cause duplication, but this is rarely of ill consequence.
• IP addresses in the public, Internet-routable space need to be globally unique and distributed in a decentralized manor.IANA (Internet Assigned Numbers Authority)
• IP addresses in use in private non-Internet-routable are not required to be, and are unlikely to be, globally unique. See private IP spaces in the IP section.
• As long as a duplicate IP (or MAC) are not aware or each other, and no other device sees both of then at once, there is no problem. [poorly written sentence] [links to Cisco's KBs on NAT for hiding private use of public IPs]

Internet vs. internet: Internet with a capital "I" is The Internet, the single global network of all networks; internet with a lower-case "i" is a network. This convention is often unknown, ignored, or mostly people simply don't refer to their network as an internet. (Note the breakdown, however, of CIDR, WINS, and ICND (Cisco class name))

ARP - Address Resolution Protocol

• Given a target IP address, hosts use ARP to figure out the MAC address that goes with that IP
• An ARP table is built, and IP to MAC pairings cached for a limited time
• ARP is also a Windows CLI CMD, which can be used to view and clear the local ARP cache
• ARP functions via broadcast. On some sniffers ARP conversations are shown as "Who has IP bla?" "I have IP bla, and my MAC is bla"
• InARP - Inverse ARP - Given a target MAC address, hosts use InARP to figure out the IP address that goes with it
• An ARP announcement or Gratuitous ARP is an a ARP done at system startup with the intention of avoiding duplicate IPs on the LAN
• (RARP - Reverse ARP - This protocol has been obsoleted by InARP)

Communications boundaries:

• Carrier Sense Multiple Access/Collision Detection (CSMA/CD) - Used by Ethernet to determine which computer is allowed to send data on the network and when
  • “Carrier Sense” indicates that a network card listens for traffic on the network to ensure that no other computers are currently transmitting.
  • “Multiple Access” indicates that there is no defined order for the computers to transmit data. Any computer can transmit as long as no other computer is transmitting.
  • “Collision Detection” comes into play because there is no control over when computers transmit on an Ethernet network. If two computers happen to transmit information on the network at the same time, then a collision results. When a collision occurs, the two computers that are transmitting data stop and wait for a random period of time before resending.
  • On a busy Ethernet network using hubs, collisions are very common and can significantly reduce the throughput of the network.
  • latency - lag time between receiving the signal and sending it out again, cumulative across devices
• Collision domain - Within CSMA/CD this is where the two C's are at work - basically hubs, ARP traffic, and repeaters (OSI layer 1). Each port on a switch (OSI layer 2 device) is it's own collision domain, so switches separate collision domains
• Broadcast domain - broadcasts basically stop at routers; this domain is hubs and switches (OSI layer 1 and 2)
• Router
  • Segregates networks or IP networks (subnets)
  • OSI layer 3
  • Routers are used to move traffic between networks
  • Controls network traffic based on logical IP addresses rather than physical characteristics such as cabling or MAC addresses
  • Maintains a list of IP networks called a routing table. Note that the routing table does not contain the addresses of individual computers. This makes routers much more scalable than switches, which track each computer based on MAC addresses
  • Routers can control traffic for hundreds of thousands of computers, whereas switches normally can track thousands of computers
• Switch
  • Layer two device
  • (When switches support VLANs and route between traffic between VLANs they are called layer 3 switches...)
  • Each port on a switch is a separate collision domain allowing the division of large networks and a reduction in the number of collisions.
  • Directs traffic only to the port to which the destination computer is attached, which reduces overall levels of network traffic.
  • Switches are also capable of connecting dissimilar network architectures, such as Ethernet and wireless
  • A switch divides network traffic based on MAC addresses. When a switch is first turned on, it is not configured with any information about which computers are connected to which ports. When a switch does not know where to deliver a packet, it is delivered to all ports. Therefore, in the first few moments of operation, it functions very much like a hub, in that it forwards each packet received to every port except the one from which the packet came.
  • Broadcast packets are always forwarded to all ports. As each packet is processed by the switch, the switch tracks the source MAC address of the packet and the port on which it was received. In this way, the switch eventually builds a list that contains the location of each computer on the network. Based on this list, the switch forwards packets only to the relevant port. This enhances network throughput by reducing traffic on the overall network.
  • Switches can operate at full-duplex. This can be a major enhancement for network backbones and servers. The internal speed of a switch is much faster than the individual ports.
• Duplex
• Half-duplex - can send data or receive data, but cannot do both at the same time
• Full-duplex connections can transmit and receive information at the same time. This doubles the throughput of the network. Useful for Servers, not so much so for workstations as the average user is usually not sending and receiving data at the same time
• NAT - interface between public and private, routable and non-routable (OSI layer 4 ???). NAT can however break IPSec and VPNs: IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
  http://support.microsoft.com/default.aspx?scid=kb;en-us;885348

Network Driver Interface Specification - NDIS
http://en.wikipedia.org/wiki/NDIS
NDIS is a specification created by Microsoft and 3Com to speed the development of device drivers and enhance networking capabilities. NDIS acts as an intermediary for all communication between the protocol and the network card driver. When a protocol is configured to use an adapter, it is referred to as a binding. Bindings between protocols and adapters are controlled by NDIS. A single adapter can be bound to multiple protocols. A single protocol can also be bound to multiple adapters. This is very important in a computer that is acting as a router or a server that communicates with clients using multiple protocols.
2003 uses v5.1, supports v4

Transport Driver Interface - TDI
The TDI layer provides clients and services with access to network resources. Applications talk to the TDI layer and the TDI layer passes on the requests to the protocols. TDI emulates two network access mechanisms: Network Basic Input/Output System (NetBIOS) and Windows Sockets (WinSock). Network Basic Input/Output System (NetBIOS) is an older network interface that is used by Windows 9x and Windows NT to access network resources. Windows Sockets (WinSock) is used by Internet applications such as Internet Explorer and Outlook Express to access network resources. Starting with Windows 2000, WinSock can also be used by Windows to access Active Directory-based resources. Windows Sockets Direct (WinSock Direct) is a new enhancement to WinSock that is used to access resources on system area networks.
Developers write services and clients that communicate with NetBIOS or WinSock to access network resources. The applications communicate with the TDI layer, which emulates these interfaces. Developers creating protocols code them to communicate with the TDI layer. For a client and service to communicate, they must both be using the same network access mechanism and protocol.

Description of Auto-static and Periodic Update Modes
http://support.microsoft.com/Default.aspx?kbid=241545
The operation mode of an interface determines whether the interface is treated as a 24 hours a day, 7 days a week (24x7) connection, such as a network adapter, or if the interface is treated like a DOD (Dial On Demand) connection, which is not normally a 24x7 connection. Periodic update mode means that RIP broadcasts or multicasts are sent over this interface based on the periodic rate, with a default value of once every 30 seconds. The Auto-static update mode indicates that periodic updates are not sent over the interface and that manual updates by the administrator are necessary. You may notice that by default, network adapters use periodic update mode, and DOD connections use Auto-static update mode. The administrator may change the update mode as necessary.

BACK