3 3 8 CHAPTER 6 Network Settings Configuring IPv6 Connectivity Windows Server 2008 provides tools that let you configure IPv6 interfaces and check IPv6 connectivity and routing. Tools also exist that implement and check IPv4-to-IPv6 compatibility. In Windows 7 the standard command-line tools such as Ping, Ipconfig, Pathping, Tracert, Netstat, and Route have full IPv6 functionality. For example, Figure 6-22 shows the Ping command used to check a link-local IPv6 address on the Canberra computer. The IPv6 address on your computer is different. Note that if you were pinging from one host to another using link-local addresses, you would also need to include the interface ID (for example, ping fe80::d1ff:d166:7888:2fd6%12). Interface IDs are discussed later in this lesson. Note also that this command works because you are pinging a link-local address in the same computer. To ping between computers you need to allow ICMPv6 traffic though each computer’s firewall. FIGURE 6-22 Pinging an IPv6 link-local address note Ping6 The Ping6 command-line tool is not supported in Windows 7. Tools specific to IPv6 are provided in the Netsh command structure. For example, the netsh interface ipv6 show neighbors command shows the IPv6 interfaces of all hosts on the local subnet. You use this command in the practice later in this lesson, after you have configured IPv6 connectivity on a subnet. Verifying IPv6 Configuration and Connectivity If you are troubleshooting connectivity problems or merely want to check your configuration, arguably the most useful tool—and certainly one of the most used—is Ipconfig. If you enter ipconfig /all, this displays both IPv4 and IPv6 configuration. The output from this tool was shown in Figure 6-6. If you want to display the configuration of only the IPv6 interfaces on the local computer, you can enter netsh interface ipv6 show address. Figure 6-23 shows the output of this command run on the Canberra computer. Note the % character followed by a number after each IPv6 address. This is the interface ID, which identifies the interface that is configured with the IPv6 address. Lesson 2: Configuring IPv6 CHAPTER 6 339 FIGURE 6-23 Displaying IPv6 addresses and interface IDs note NETWORK CONNECTION DETAILS INFORMATION BOX You can also find the IPv6 address of an interface by accessing the Network Connection Details information box. The procedure to do this is described in Lesson 3 and the information box is shown in Figure 6-38 in that lesson. However, the Network Connection Details information box does not show the interface ID. If you are administering an enterprise network with a number of sites, you also need to know site IDs. You can obtain a site ID by entering the command netsh interface ipv6 show address level=verbose. Part of the output from this command is shown in Figure 6-24. FIGURE 6-24 Displaying IPv6 addresses and site IDs 3 4 0 CHAPTER 6 Network Settings Configuring IPv6 Interfaces Typically, most IPv6 addresses are configured through autoconfiguration or DHCPv6. However, if you need to manually configure an IPv6 address, you can use the Netsh interface ipv6 set address command, as in this example: netsh interface ipv6 set address "local area connection" fec0:0:0:ffee::2. You need to run the command prompt as an administrator to use this command. In Windows 7, you can also manually configure IPv6 addresses from the properties of the Internet Protocol Version 6 (TCP/IPv6) GUI. Figure 6-25 shows this configuration. FIGURE 6-25 Configuring an IPv6 address through a GUI The advantage of using the TCP/IPv6 GUI is that you can specify the IPv6 addresses of one or more DNS servers in addition to specifying the interface address. If, however, you choose to use Command Line Interface (CLI) commands, the command to add IPv6 addresses of DNS servers is Netsh interface ipv6 add dnsserver, as in this example: netsh interface ipv6 add dnsserver "local area connection" fec0:0:0:ffee::ff. The command to add a default gateway is Netsh interface ipv6 add route followed by the metric (the order of preference if there are multiple routes), as in this example: netsh interface ipv6 add route ::/0 "local area connection" fec0:0:0:ffee::1. To change the properties of IPv6 interfaces (but not their configuration), use the Netsh interface ipv6 set interface command, as in this example: netsh interface ipv6 set interface "local area connection" forwarding=enabled. You need to run the command prompt as an administrator to use any Netsh configuration commands. Lesson 2: Configuring IPv6 CHAPTER 6 341 More Info Netsh Netsh is an exceptionally powerful and versatile utility that enables you to carry out a very large number of configuration tasks through a command-line interface. For more information, see http://technet.microsoft.com/en-us/library/cc785383.aspx. Quick Check n What Netsh command lists site IDs? Quick Check Answer n netsh interface ipv6 show address level=verbose Verifying IPv6 Connectivity To verify connectivity on a local network, your first step should be to flush the neighbor cache, which stores recently resolved link-layer addresses and might give a false result if you are checking changes that involve address resolution. You can check the contents of the neighbor cache by entering netsh interface ipv6 show neighbors. Entering netsh interface ipv6 delete neighbors flushes the cache. You need to run the command prompt as an administrator to use these commands. You can test connectivity to a local host on your subnet and to your default gateway by using the Ping command. Note that Windows Firewall blocks Ping commands by default and you need to allow ICMPv6 packets through the firewalls of both computers before one can ping the other by its IPv4 address. You can add the interface ID to the IPv6 interface address to ensure that the address is configured on the correct interface. Figure 6-22 shows a Ping command using an IPv6 address and an interface ID. To check connectivity to a host on a remote network, your first task should be to check and clear the destination cache, which stores next-hop IPv6 addresses for destinations. You can display the current contents of the destination cache by entering netsh interface ipv6 show destinationcache. To flush the destination cache, enter netsh interface ipv6 delete destinationcache. As before, these commands need administrator credentials. Your next step is to check connectivity to the default router interface on your local subnet. This is your default gateway. You can identify the IPv6 address of your default router interface by using the Ipconfig, Netsh interface ipv6 show routes, or Route print command. You can also specify the zone ID, which is the interface ID for the default gateway on the interface on which you want the ICMPv6 Echo Request messages to be sent. When you have ensured that you can reach the default gateway on your local subnet, ping the remote host by its IPv6 address. Note that you cannot ping a remote host (or a router interface) by its link-local IPv6 address because link-local addresses are not routable. 3 4 2 CHAPTER 6 Network Settings If you can connect to the default gateway but cannot reach the remote destination address, trace the route to the remote destination by using the Tracert –d command followed by the destination IPv6 address. The –d command-line switch prevents the Tracert tool from performing a DNS reverse query on router interfaces in the routing path. This speeds up the display of the routing path. If you want more information about the routers in the path, and particularly if you want to verify router reliability, use the Pathping -d command, again followed by the destination IPv6 address. Quick Check n What Netsh command could you use to identify the IPv6 address of your default router interface? Quick Check Answer n netsh interface ipv6 show route Troubleshooting Connectivity If you cannot connect to a remote host, you first need to check the various hardware connections (wired and wireless) in your organization and ensure that all network devices are up and running. If these basic checks do not find the problem, the Internet Protocol Security (IPSec) configuration might not be properly configured, or firewall problems (such as incorrectly configured packet filters) might exist. You can use the IP Security Policies Management console, shown in Figure 6-26, to check and configure IPSec policies and the Windows Firewall With Advanced Security console (shown previously in Figures 6-11 and 6-12 in Lesson 1) to check and configure IPv6-based packet filters. FIGURE 6-26 The IP Security Policies Management console Lesson 2: Configuring IPv6 CHAPTER 6 343 note IPSec6 The IPSec6 tool is not implemented in Windows 7. You might be unable to reach a local or remote destination because of incorrect or missing routes in the local IPv6 routing table. You can use the Route print, Netstat –r, or Netsh interface ipv6 show route command to view the local IPv6 routing table and verify that you have a route corresponding to your local subnet and to your default gateway. Note that the Netstat –r and Route print commands display both IPv4 and IPv6 routing tables. Practice Configuring IPv6 Connectivity In this practice, you configure a static site-local IPv6 configuration on the Canberra computer running Windows 7. You then configure a static site-local IPv6 configuration on the Aberdeen computer running Windows 7 and test IPv6 connectivity. exercise 1 Configuring IPv6 on the Canberra Computer In this exercise, you configure IPv6 on the Canberra computer. 1. Log on to the Canberra computer with the Kim_Akers account. 2. To permit ICMPv6 traffic to pass through the Canberra firewall, open an elevated command prompt and enter netsh advfirewall firewall add rule name=”ICMPv6” protocol=icmpv6:any,any dir=in action=allow. 3. Open Network And Sharing Center and click Change Adapter Settings. 4. Right-click the network connection to your private network and choose Properties. 5. Select Internet Protocol Version 6 (TCP/IPv6) and click Properties. 6. Configure a static site-local IPv6 address, fec0:0:0:fffe::1. 7. Click the box beside Subnet Prefix Length. The value 64 is entered automatically. The Properties dialog box should look similar to Figure 6-27. FIGURE 6-27 IPv6 configuration on the Canberra computer 3 4 4 CHAPTER 6 Network Settings 8. Click OK. Close the Local Area Connections Properties dialog box. 9. Close Network And Sharing Center. 10. In the elevated command prompt, enter ping fec0:0:0:fffe::1. Your screen should look similar to Figure 6-28. FIGURE 6-28 Pinging a site-local IPv6 address exercise 2 Configuring the Aberdeen Computer and Testing IPv6 Connectivity In this exercise, you configure IPv6 site-local addresses on the Aberdeen computer and test connectivity. You need to have configured the IPv6 settings on the Canberra computer before you start this exercise. If Aberdeen is a virtual machine, the designation of the Ethernet adapter that connects to your private network may be something other than “local area connection.” If so, adjust the commands accordingly. 1. Log on to the Aberdeen computer with the Kim_Akers account. 2. To permit ICMPv6 traffic to pass through the Aberdeen firewall, open an elevated command prompt and enter netsh advfirewall firewall add rule name=”ICMPv6” protocol=icmpv6:any,any dir=in action=allow. 3. To configure static IPv6 configuration, enter netsh interface ipv6 set address “local area connection” fec0:0:0:fffe::a. 4. Enter ping fec0:0:0:fffe::a to test your IPv6 configuration. 5. If necessary, log on to the Canberra computer using the Kim_Akers account and open an elevated command prompt. 6. Enter ping fec0:0:0:fffe::a. You should get the response shown in Figure 6-29. Lesson 2: Configuring IPv6 CHAPTER 6 345 FIGURE 6-29 Pinging the Aberdeen computer from Canberra 7. Enter netsh interface ipv6 show neighbors. Figure 6-30 shows the fec0:0:0:fffe::a interface as a neighbor on the same subnet as the Canberra computer. FIGURE 6-30 Showing the Canberra computer neighbors Lesson Summary n IPv6 supports unicast, multicast, and anycast addresses. Unicast addresses can be global, site-local, link-local, or special. n IPv6 is fully supported in Windows 7 and addresses problems such as lack of address space that are associated with IPv4. n IPv6 is designed to be backward-compatible, and you can specify IPV4-compatible addresses such as Teredo and 6to4 addresses. n Tools to configure and troubleshoot IPv6 include Ping, Ipconfig, Tracert, Pathping, and Netsh. n You can configure IPv6 by using the TCP/IPv6 Properties GUI. You can also use Netsh interface ipv6 commands to configure IPv6 settings. 346 CHAPTER 6 Network Settings Lesson Review You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring IPv6.” The questions are also available on the companion DVD if you prefer to review them in electronic form. note ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. What type of unicast IPv6 address would you typically use on the subnets of a private network to implement IPv6 connectivity over the subnet? a. Site-local address B. Link-local address c. Special address D. Anycast address 2. You are analyzing the configuration of an IPv6 network. Which of the following addresses can be used across the IPv6 Internet and is the equivalent of an IPv4 unicast public address? a. fec0:0:0:0:fffe::1 B. 21cd:53::3ad:3f:af37:8d62 c. fe80:d1ff:d166:7888:2fd6 D. ::1 3. You are using Network Monitor to analyze traffic on an IPv6 network. You want to examine the protocol that uses ICMPv6 messages to manage the interaction of neighboring nodes and resolves IPv6 addresses to hardware (MAC) addresses. What protocol do you examine? a. ARP B. DNS c. DHCPv6 D. ND 4. You are examining transition technologies on a network and want to identify the IPv4-to-IPv6 compatibility addresses being used. Which of the following is a Teredo address? a. 2001::0a0a:1efe:e866:efff:f5ff:ebfe B. 2002:c058:6301:: c. fe80::5efe:0a00:028f D. fec0:0:0:0:fffe::1 Lesson 2: Configuring IPv6 CHAPTER 6 347 5. You are examining a DNS forward lookup zone to investigate problems with name resolution. What type of resource record enables DNS to resolve a host name to an IPv6 address? a. PTR B. A c. AAAA D. Host [...]... problems configuring (for example) external DNS settings through DHCP Windows 7 Printing Enhancements Windows 7 introduces location-aware printing, printer driver isolation, configurable ­ efault d spooler security settings, and an improved point-and-print experience for users These e ­ nhancements build upon the features introduced by Windows Vista and are fully ­ upported s in Windows 7, such as high-fidelity... characters Both WPA-Personal and WPA-2 P ­ ersonal modes are supported in Windows 7 WPA-Enterprise and WPA2-Enterprise authenticate through the Extensible Authentication Protocol (EAP) and require computer security certificates rather than PSKs The following EAP types are included in the certification program: n EAP-TLS n EAP-TTLS/MSCHAPv2 n PEAPv0/EAP-MSCHAPv2 n PEAPv1/EAP-GTC n EAP-SIM More Info EAP... to the manufacturer’s documentation for details More Info External resolution It is unlikely that the 7 0- 680 examination will test your knowledge of how DNS works over the Internet However, if you want to learn more out of professional interest, see http://technet .microsoft. com/en-us/library/cc 7 75 6 37. aspx Lesson 3: Network Configuration CHAPTER 6 349 If you have two or more wireless computers in close... on Windows 7, and you can print this document without re-rendering to an XPS-capable printer by using Microsoft XPS Document Writer You can view XPS documents in Internet Explorer by using the Microsoft XPS Viewer 3 68 CHAPTER 6 Network Settings By default, Windows 7 renders print jobs on the client instead of the print server This can significantly reduce print processing times when printing to XPS-capable... Privacy (WEP) Figure 6-4 0  The Security tab of the Wireless Network Properties dialog box The following authentication types are available: n No authentication (open) n Shared (a shared secret passkey) n Wi-Fi Protected Access (WPA)-Personal n WPA2-Personal n WPA-Enterprise n WPA2-Enterprise n 802.1X WPA and WPA2 indicate compliance with the security protocol created by the Wi-Fi Alliance to secure... the maximum range is up to 150 feet (46 meters) indoors and 300 feet (92 meters) outdoors With 802.11a routers and access points, the maximum range is 50 feet ( 15 meters) indoors and 100 feet (30 meters) outdoors These ranges are for optimal conditions with no interference If a wireless-enabled computer is (for example) on a desktop that is 50 feet distant from one WAP and 70 feet away from another,... for wireless ones However, changing default ICS settings is not in the objectives for the 7 0- 680 examination When you right-click an adapter and click Properties, this accesses the Local Area Connections Properties dialog box From this dialog box, you can enable or disable the items shown, or install more items (client services, server services, or protocols) by clicking Install Typically, the Local... both versatile and powerful As with all command-line utilities, the best way of becoming familiar with it is to use it and experiment with it This is one of the suggested practices at the end of this chapter Figure 6-3 7 shows the commands available for the Netsh wlan utility Figure 6-3 7 Netsh wlan utility commands Lesson 3: Network Configuration CHAPTER 6 353 You can configure wireless connection behavior... WAP a unique SSID Figure 6-4 2 shows the wireless setup page for a third-party WAP with default settings This page lets you specify the channel and change the SSID Lesson 3: Network Configuration CHAPTER 6 3 65 Figure 6-4 2  SSID, channel, SSID broadcast, and security settings on a typical third-party WAP You should always secure a wireless network by changing the SSID and configuring other security... Wireless Networks,” later in this lesson 3 54 CHAPTER 6 Network Settings Figure 6-3 9  Configuring connection properties You can add additional wireless-enabled computers to your network by inserting the USB flash drive and clicking Wireless Network Setup Wizard in the AutoPlay dialog box Alternatively, you can manually add a wireless computer running Windows 7 to your network by clicking Connect To A . command. In Windows 7, you can also manually configure IPv6 addresses from the properties of the Internet Protocol Version 6 (TCP/IPv6) GUI. Figure 6-2 5 shows this configuration. FIGURE 6-2 5 Configuring. static site-local IPv6 configuration on the Canberra computer running Windows 7. You then configure a static site-local IPv6 configuration on the Aberdeen computer running Windows 7 and test IPv6. the 7 0- 680 examination will test your knowledge of how DNS works over the Internet. However, if you want to learn more out of professional interest, see http://technet .microsoft. com/en-us/library/cc 7 75 6 37. aspx.