Lesson 1: Configuring IPv4 CHAPTER 6 313

if you cannot get past a firewall on your organization’s network, Ping is still useful. You can check that the IPv4 protocol is working on a computer by entering ping 127.0.0.1. You can then ping the IPv4 address of the computer. You can find out what this is by using the Ipconfig tool. If your computer has more than one interface combined in a network bridge, you can ping the IPv4 address of the network bridge. When you have established that you can ping your computer using an IPv4 address, you can test that DNS is working internally on your network (assuming you are connected to a DNS server, a WAP, or have ICS configured on your network) by pinging your computer name—for example, entering ping canberra. Note that if DNS is not implemented on your system, ping canberra still works because the IPv6 link-local address resolves automatically.

More Info: NETWORK BRIDGES
For more information about network bridges, see http://technet.microsoft.com/en-us/library/cc781097.aspx. Although this is a fairly old article (concerning Windows Server 2003), it gives a clear explanation and some excellent diagrams. For a more recent article (although not about Windows 7), see http://technet.microsoft.com/en-us/library/cc748895.aspx. This also gives information about ICS.

You can also use the Ipconfig tool for troubleshooting. Entering ipconfig /all gives you configuration information for all interfaces. Figure 6-6 shows the output from an ipconfig /all command. The computer whose configuration is shown here is a wireless-enabled laptop used on a small test network. It obtains its configuration through DHCP from a third-party WAP with an IPv4 address 192.168.123.254. The WAP also provides internal DNS services. However, the resolution of FQDNs such as www.contoso.com is provided by the ISP’s DNS server with the public IPv4 address 194.168.4.100.
FIGURE 6-6 Ipconfig /all output for a wireless-enabled laptop on a test network

When you are debugging connection problems by using the Ipconfig /all command, look out for an address in the APIPA range 169.254.0.1 through 169.254.255.254. If your computer is not on a completely isolated network and receives its configuration through DHCP, an APIPA address indicates a connection error.

314 CHAPTER 6 Network Settings

If you can ping your computer by name and IPv4 address, you can then ping other workstations on your network by IPv4 address and computer name. Finally, you should check that you can ping your default gateway from all the computers in your network. On a small network, you can then test connectivity to your ISP by pinging the ISP’s DNS server. On an enterprise network, you can ping DNS servers and domain controllers (typically the same servers), and computers on other subnets.

If you cannot ping a computer on your network to test connectivity, make sure your internal firewalls are not blocking ICMP. If the problem still exists with the firewalls reconfigured or disabled (please remember to enable them afterward), use Ipconfig on the computer you cannot reach to check its IP settings.

Quick Check
- You have purchased a secondhand computer and are connecting it to a hybrid network that obtains its configuration from DHCP provided by a third-party WAP. The computer is not wireless-enabled, so you plug it into the Ethernet switch on the WAP and switch it on. It cannot access the Internet. You use the Ipconfig tool and discover that the computer has an IP address of 10.1.10.231. You know the WAP is working properly and the Ethernet connection is okay. What should you check next?

Quick Check Answer
- Check that the computer is set to receive its IPv4 configuration dynamically. It has not been reconfigured by DHCP on the WAP and its previous owner has probably configured it statically with the 10.1.10.231 address.
You need to reconfigure the computer to receive its IPv4 settings dynamically.

If you want to reconfigure IP settings on a client computer on your network, you can reboot the client. If this is not convenient, the commands ipconfig /release and ipconfig /renew release the old configuration and obtain a new one. (In theory, ipconfig /renew should be sufficient, but it is safer to use both commands.) Sometimes when you renew a computer’s configuration, it does not immediately register its new settings in DNS and you cannot ping it by computer name. In this case, ipconfig /registerdns forces registration. Note that you need to enter these commands in an elevated command prompt.

If you try to ping a computer by name or access a Web site from a client workstation and DNS cannot resolve the computer name or URL, then information that resolution has failed is stored (cached) in the workstation. If you try to do the same thing again, the source computer does not attempt to obtain name resolution but instead uses the cached information and again fails the request. This is known as negative caching. However, name resolution might have failed because of a temporary glitch in the internal or external DNS service. Even though DNS is now working, the computer name or FQDN is not resolved to an IPv4 address because of the cached information. The problem disappears in 30 minutes or so because the workstation’s DNS resolver cache is regularly cleared. However, if you do not want to wait this long, you can solve the problem immediately by entering the ipconfig /flushdns command to flush the DNS cache.

Note: THE /ALLCOMPARTMENTS SWITCH
If you use the /allcompartments switch after the Ipconfig command, you can apply the command universally across all interfaces; for example, ipconfig /allcompartments /all or ipconfig /allcompartments /renew.
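The check sequence described above (APIPA test, loopback, own computer name, default gateway, ISP DNS server) can be run as one batch script. This is an added example, not part of the original text; the gateway and DNS addresses are the sample values from the Ipconfig /all discussion, and the script assumes English-language ping output.

```batch
@echo off
rem Added example: runs the lesson's connectivity checks in order.
rem GATEWAY and DNS are the sample addresses from the text (assumptions);
rem substitute the values that ipconfig /all reports on your network.
setlocal
set "GATEWAY=192.168.123.254"
set "DNS=194.168.4.100"

rem An address in 169.254.x.x on a DHCP client means no lease was obtained.
ipconfig | findstr /L /C:"169.254." >nul
if not errorlevel 1 echo [WARN] APIPA address found: check the DHCP connection

call :probe 127.0.0.1 "IPv4 stack, loopback"
call :probe %COMPUTERNAME% "own computer name"
call :probe %GATEWAY% "default gateway"
call :probe %DNS% "ISP DNS server"
goto :eof

:probe
rem ping can exit with 0 when the only answer is "Destination host
rem unreachable", so success is judged on the TTL= field of an echo reply.
rem -4 forces IPv4 so that a name is not answered over IPv6 link-local.
ping -4 -n 2 -w 1000 %1 | find "TTL=" >nul
if errorlevel 1 (echo [FAIL] %~2: %1) else (echo [ OK ] %~2: %1)
goto :eof
```

The first [FAIL] line in the output marks the layer to investigate; a failure against another workstation can also mean that its firewall is dropping ICMP Echo Requests.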
If you want to trace the route of an IP packet through an internetwork (a series of networks or hops), you can use the Tracert tool to list the path the packet took and the delays encountered at each hop; for example, tracert 194.168.4.100. You can use the Tracert tool to trace the path to a Web site; for example, tracert -d www.contoso.com. The -d flag prevents the tool from resolving IPv4 addresses to host names, which significantly reduces the time the command takes to complete. The Pathping tool (for example, pathping www.contoso.com) traces a route in much the same way as the Tracert tool but gives more detailed statistics about each hop.

Using the Windows Network Diagnostics Tool

There has never been a substitute for good basic fault-finding. However, after you have gone through the basic checks, Windows 7 provides automated assistance with the Windows Network Diagnostics tool.

You can access the automated Windows Network Diagnostics tool if you fail to connect to a Web site on the Internet. The Web page that appears in your browser gives you a direct link to the tool when you click Diagnose Connection Problems, as shown in Figure 6-7.

FIGURE 6-7 The Diagnose Connection Problems link

You can also access the Windows Network Diagnostics tool by clicking Change Adapter Settings in Network And Sharing Center, right-clicking the interface that is having problems, and choosing Diagnose. You can also access the tool from Network And Sharing Center if you click the red X that denotes you have a problem connecting your computer to your network or your network to the Internet.

Whatever way you access the tool, it performs a diagnosis automatically and (if possible) comes up with one or more suggested solutions. In Figure 6-8, you can see that the administrator has failed to follow first principles and has not checked that the Ethernet cable is plugged in.
FIGURE 6-8 Failure diagnosis

Additional diagnostic options are available when you click Troubleshoot Problems in Network And Sharing Center, as shown in Figure 6-9. However, most of these tools simply provide another method of accessing Windows Network Diagnostics.

FIGURE 6-9 Tools for troubleshooting problems

Configuring Network Settings in Windows Firewall

Chapter 7, “Windows Firewall and Remote Management,” discusses firewalls and firewall configuration in detail. This chapter therefore provides only a brief introduction and discusses firewall settings only insofar as they affect network connectivity and your ability to test and troubleshoot this connectivity. The defaults in Windows Firewall and Windows Firewall with Advanced Security (WFAS) are sensible, and often you can solve problems by restoring these defaults.

Windows Firewall is enabled by default in Windows 7. It blocks all incoming traffic other than traffic that meets the criteria defined in the exceptions. You can configure an exception by allowing a program to send information back and forth through the firewall—sometimes called unblocking. You can also allow a program through the firewall by opening one or more ports.

Windows Firewall allows Core Networking Components by default in both public and private networks. As shown in Figure 6-10, the Core Networking firewall rules are required for reliable IPv4 and IPv6 connectivity. However, these rules do not allow ICMPv4 or ICMPv6 Echo Requests; hence, the firewall blocks Ping commands.

FIGURE 6-10 Core Networking firewall rules

You access Windows Firewall by clicking System And Security in Control Panel and then clicking Windows Firewall. In the left pane, you can choose to turn the firewall on or off and change the notification settings. You can also click Advanced Settings to access WFAS. Figure 6-11 illustrates the Core Networking Inbound Rules in WFAS.
The Outbound Rules that allow Core Networking and File And Printer Sharing are displayed in Figure 6-12. These rules allow specific traffic that lets Windows 7 carry out these functions but do not permit the use of the Ping tool.

FIGURE 6-11 WFAS Inbound Rules

FIGURE 6-12 WFAS Outbound Rules

If you are having connectivity problems and disabling Windows Firewall solves them, look at your firewall settings. In some cases, restoring the defaults solves your immediate problems, but this is a simplistic approach. The settings were changed for a reason. You need to investigate further. Chapter 7 gives you the tools to do so.

For example, restoring the defaults does not permit you to use Ping to test continuity on your network, and it would not be a good idea to disable firewalls on all the computers on your subnet. Instead, you need to add rules that enable ICMPv4 and ICMPv6 packets to pass through your firewall:

To permit ICMPv4 and enable you to ping other computers by their IPv4 addresses, enter the following in an elevated command prompt on all computers on your network:

    netsh advfirewall firewall add rule name="ICMPv4" protocol=icmpv4:any,any dir=in action=allow

To permit ICMPv6 and enable you to ping other computers by their IPv6 addresses, enter the following in an elevated command prompt on all computers on your network:

    netsh advfirewall firewall add rule name="ICMPv6" protocol=icmpv6:any,any dir=in action=allow

Quick Check
- How do you restore the default firewall settings?

Quick Check Answer
- In Control Panel, click System and Security. Click Windows Firewall. In the left pane, click Restore Defaults.

Exam Tip
Remember that in Windows 7, you cannot ping other computers on your network by default.
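A narrower form of the two ICMP rules above, given as an added example rather than the book's own commands: it admits only Echo Requests (ICMPv4 type 8, ICMPv6 type 128) from the local subnet on domain and private networks. The script name, the rule names and the add/remove argument are choices made for this example.

```batch
@echo off
rem Added example. Usage from an elevated prompt: icmp-echo.cmd add | remove
rem (script name, rule names and the argument are this example's choices)
if /i "%~1"=="remove" goto remove
if /i not "%~1"=="add" (
    echo usage: %~nx0 add ^| remove
    exit /b 1
)

rem icmpv4:any,any admits every ICMP type from every source. Type 8 is
rem Echo Request, which is all that Ping needs inbound. Networks that
rem Windows classifies as public are left out of the rule.
netsh advfirewall firewall add rule name="Echo Request ICMPv4" ^
    protocol=icmpv4:8,any dir=in action=allow ^
    profile=domain,private remoteip=localsubnet

rem ICMPv6 Echo Request is type 128.
netsh advfirewall firewall add rule name="Echo Request ICMPv6" ^
    protocol=icmpv6:128,any dir=in action=allow ^
    profile=domain,private remoteip=localsubnet

rem Show what was created, including the ICMP type and scope.
netsh advfirewall firewall show rule name="Echo Request ICMPv4" verbose
netsh advfirewall firewall show rule name="Echo Request ICMPv6" verbose
goto :eof

:remove
rem Take the rules out again once testing is finished.
netsh advfirewall firewall delete rule name="Echo Request ICMPv4"
netsh advfirewall firewall delete rule name="Echo Request ICMPv6"
goto :eof
```

If Windows has classified the network as public, these rules do not apply to it and Ping remains blocked there.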
Accessing Network Statistics

If you are debugging performance issues as opposed to troubleshooting a total connectivity failure, you need information about the various protocols that implement network connectivity. The Netstat command-line tool displays active connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4 and IPv6 statistics. Used without parameters, the command displays active connections, as shown in Figure 6-13.

FIGURE 6-13 The Netstat command displays active connections.

The syntax of the Netstat command is as follows:

    netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

The parameters implement the following functions:

- -a Displays all active connections and the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on which the computer is listening.
- -e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
- -n Displays active connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
- -o Displays active connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
- -p protocol Shows connections for the protocol specified by the protocol variable, which can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, the protocol variable can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
- -s Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMPv4, ICMPv6, IPv4, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
- -r Displays the contents of the IP routing table. This is equivalent to the route print command.
- interval Displays the selected information periodically.
  The number of seconds between each display is defined by the interval parameter. If this parameter is omitted, Netstat prints the selected information only once.

Netstat provides statistics for the following:

- The name of the protocol (TCP or UDP)
- The IP address of the local computer and the port number being used
- The IP address and port number of the remote computer
- The state of a TCP connection

More Info: TCP CONNECTION STATES
For more information about the states of a TCP connection, see http://support.microsoft.com/kb/137984. This article was written some time ago but remains relevant to Windows 7.

For example, to display both the Ethernet statistics and the statistics for all protocols, enter the following command:

    netstat -e -s

To display the TCP statistics for the IPv4 protocol, enter the following command:

    netstat -s -p tcp

Figure 6-14 shows the TCP statistics for the IPv4 protocol on the Canberra computer.

FIGURE 6-14 TCP protocol statistics for IPv4

Practice: Configuring IPv4 Network Connectivity and Setting Up ICS

In this practice, you configure the Canberra and Aberdeen computers with static IPv4 addresses, configure the firewalls on both computers to allow Ping commands, and test connectivity. You then reconfigure the computers to obtain their IPv4 configuration automatically and set up ICS in Canberra so both computers can access the Internet through Canberra’s wireless link.

Exercise 1: Configuring IPv4 Connectivity

This exercise assumes that Canberra and Aberdeen are configured to obtain their IPv4 configurations automatically (the default). If they are both physical computers, they need to be connected on the same Ethernet network either by a switch or hub or by a crossover Ethernet cable. To configure IPv4 connectivity, proceed as follows:

1. Log on to the Canberra computer using the Kim_Akers account.
2. Open an elevated command prompt.
3. To allow ICMPv4 traffic through the Canberra firewall, enter:

    netsh advfirewall firewall add rule name="ICMPv4" protocol=icmpv4:any,any dir=in action=allow

4. To configure static IPv4 configuration, enter:

    netsh interface ipv4 set address "local area connection" static 10.0.0.11 255.255.255.0 10.0.0.1

   Currently, there is no DNS service on your private network, so there is no point configuring a DNS setting. Note that if you are using virtual machines, the connection to your private wired network may have a name other than Local Area Connection.
5. Enter ipconfig. Your screen should look similar to Figure 6-15.

FIGURE 6-15 Static configuration of the Canberra computer

6. Remaining logged on to the Canberra computer, log on to the Aberdeen computer using the Kim_Akers account.
7. Open an elevated command prompt.
8. To allow ICMPv4 traffic through the Aberdeen firewall, enter:

    netsh advfirewall firewall add rule name="ICMPv4" protocol=icmpv4:any,any dir=in action=allow

9. Open Network And Sharing Center. Click Change Adapter Settings.
10. Right-click the Ethernet adapter Local Area Connection and choose Properties.
11. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
12. Configure the connection as shown in Figure 6-16.

FIGURE 6-16 Configuring the Aberdeen computer

13. Click OK. Click Close.
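For the netstat -o option described under Accessing Network Statistics, the following added example (not from the original text) lists each listening TCP endpoint with the image name of its owning process, doing from the command line the PID lookup that the text performs in Task Manager. It assumes English-language netstat output, where the state column reads LISTENING.

```batch
@echo off
rem Added example: listening TCP endpoints with owning PID and image name.
setlocal enabledelayedexpansion
for %%p in (tcp tcpv6) do (
    rem netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    for /f "tokens=2,5" %%a in ('netstat -ano -p %%p ^| findstr /C:"LISTENING"') do (
        set "addr=%%a"
        rem A listener bound to 0.0.0.0 or [::] accepts connections on every
        rem interface, so it is reachable wherever the firewall allows it.
        set "scope=specific address"
        if "!addr:~0,8!"=="0.0.0.0:" set "scope=all IPv4 interfaces"
        if "!addr:~0,5!"=="[::]:" set "scope=all IPv6 interfaces"
        set "image="
        rem tasklist CSV columns start with "Image Name","PID"
        for /f "tokens=1 delims=," %%i in ('tasklist /fi "PID eq %%b" /fo csv /nh') do set "image=%%~i"
        echo %%a  PID %%b  !image!  [!scope!]
    )
)
```

Comparing this list with the inbound rules in WFAS shows which listening services a firewall exception would actually expose.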