
Cactus and Thorns - Exam review notes for the Intranet Design course

INTRANET

Table of contents
I. The OSI model, IP addresses and subnet masks, IP datagram structure, gateways
II. Routing
III. The FTP service
IV. The HTTP and HTTPS protocols
V. The DNS service
VI. The DHCP protocol
VII. Email protocols
VIII. Security with Access Control Lists (ACL)
IX. Structure of the IP datagram
X. The NAT mechanism


I. The OSI model, IP addresses and subnet masks, IP datagram structure, gateways

1. The OSI model
See the opening chapters of the "Introduction to Networking" material.

2. IP addresses
An IP address is a unique number assigned to a device on a network. The device can be a computer, a router, a network printer (the kind with a network card), and so on. This kind of address is called a software address. It differs from the hardware address, better known as the MAC address of a network card, or hard-coded into some network devices. A few words on that kind of address: every network card manufacturer in the world must buy a block of MAC addresses from InterNIC before production, so every MAC address is unique worldwide and no two of them ever coincide anywhere.

An IP address is a 32-bit number divided into 4 parts of 8 bits each, separated by dots (.). There are three ways to write an IP address:
- Decimal: 130.57.30.56
- Binary: 10000010.00111001.00011110.00111000
- Hexadecimal: 82 39 1E 38
People usually work with the decimal form, while computers usually work with the binary form.

An IP address always has two parts: the network address and the node address. The network address is a unique number that identifies one network; every computer in a network has the same network address. The node address is a unique number assigned to one computer within a network. (Note: the node address is the host part of the address.)

Some special IP addresses:
1- If the network address is all 0 bits, it stands for "this network".
2- If the network address is all 1 bits, it stands for all networks.
3- Network address 127 is the loopback address, built into every machine (the local node) and commonly used for self-testing without affecting traffic on the network, e.g. ping 127.0.0.1.
4- All bits of the node address 0 - this node.


5- All bits of the node address 1 - all hosts on the given network.
6- The whole IP address all 0 bits - used by the RIP protocol.
7- The whole IP address all 1 bits - the broadcast address for all hosts on a network.

IP addresses are divided into five classes: A, B, C, D and E. Classes D and E are reserved; only classes A, B and C are in use.

Class A
Format: Network.Node.Node.Node; first bit: 0.
Apart from the first bit of the address, which is 0 and identifies a class A network, the remaining 7 bits can each be 1 or 0, giving 2^7 combinations, i.e. 128 class A networks. By convention a network address of all 0 bits is not used, leaving 127 class A networks. Network 127, whose network address is all 1 bits, cannot be used either, so class A has 126 networks, numbered 1 to 126. Looking at an IP address, you only need the first bit: if it is 0 in binary the address is class A, and in decimal the first octet lies between 1 and 126. How many hosts are there in each class A network? We can compute it as 2^24 - 2 = 16,777,214 hosts per network.

Class B
Format: Network.Network.Node.Node; first two bits: 10.
Computing as for class A, the number of class B networks is 2^14 = 16,384, corresponding to a first octet of 128 to 191, and the number of hosts in each class B network is 2^16 - 2 = 65,534. So an address whose first two bits are 10, or whose first octet is 128 to 191 in decimal, belongs to a class B network.

Class C
Format: Network.Network.Network.Node; first three bits: 110.
There are 2,097,152 class C networks with 254 hosts each. An address whose first bits are 110, or whose first octet is 192 to 223 in decimal, belongs to a class C network.

InterNIC and IANA set aside some IP ranges, called private addresses, for local networks that are not connected to the Internet. According to RFC 1597 the three ranges are:
- 10.0.0.0 with subnet mask 255.0.0.0


- 172.16.0.0 with subnet mask 255.255.0.0
- 192.168.0.0 with subnet mask 255.255.255.0
You can use any address in these ranges to set up your own network.

Starting with Windows 98, Microsoft introduced a mechanism called Automatic Private IP Addressing (APIPA). On a small network with no DHCP server, or on a network whose DHCP server is down, a DHCP client can use B-node NetBIOS name resolution to give its network card a unique IP address from the special range 169.254.0.1 to 169.254.255.254. The machine can then use TCP/IP to talk to any other machine connected to the same hub of the LAN that also uses APIPA. So if you ever see an address of the form 169.254.x.x, it means your DHCP server is down.

3. Subnet masks
Usually an organisation, company or country is allocated a certain set of IP addresses by InterNIC, and it has computers in different locations. The best way to manage them is to split them into small networks connected to each other by routers. Such small networks are called subnets. Subnetting aims to:
1- Reduce traffic on the network: the router now controls the packets on the network, and only packets whose destination lies outside are forwarded out.
2- Simplify management: when something goes wrong it is easier to check and to pinpoint the cause of the fault than in one large network.
One important thing to remember is that each subnet is still part of the network, but it must be distinguished from the other subnets by adding some identifier. That identifier is called the subnet address. Before dividing the network into subnets you must decide how many subnets the network needs and how many hosts each subnet holds; the router on each subnet only needs to know the address of each host on the subnet it manages and the addresses of the other subnets. We know that every computer in a given network must have the same network address, so the network address cannot change; the only option is to take part of the node address as the identifier of each subnet. This is done by giving every computer a subnet mask. A subnet mask is a 32-bit number of 1 and 0 bits: the 1 bits sit at the positions of the network address and the subnet address, and the 0 bits at the remaining node address positions. Not every network needs subnets, and so subnetting is not always used


- in that case we say the default subnet mask is used:
  Class A: subnet mask 255.0.0.0
  Class B: subnet mask 255.255.0.0
  Class C: subnet mask 255.255.255.0
The formulas for the maximum number of subnets and the maximum number of hosts per subnet are:
  Maximum number of subnets (in one network) = 2^(number of 1 bits borrowed for the subnet part of the subnet mask) - 2
  Maximum number of hosts (in one subnet) = 2^(number of 0 bits in the subnet mask) - 2
To make this clear, an example. Suppose the IP address for our whole network is 132.8.18.60. This is a class B address, written as network.network.host.host:
  1000 0100 . 0000 1000 . 0001 0010 . 0011 1100
It has 16 bits of network address and 16 bits of host address, so we can take some bits from the host part for the subnet mask. Suppose we need to divide our network into 14 subnets; we must decide how many host bits to borrow for the subnet mask: 14 + 2 = 16 = 2^4, so 4 bits are needed. The subnet mask is therefore:
  1111 1111 . 1111 1111 . 1111 0000 . 0000 0000
and the number of hosts in each subnet is 2^12 - 2 = 4094.

4. IP datagram structure

5. Gateway

II. Routing

1. Introduction to routing
Routing is the process a router performs to forward a data packet to the destination network. Every router along the path relies on the packet's destination IP address to forward it in the right direction towards its final destination. Routing comes in two forms: dynamic routing and static routing.

2. Static routing
With static routing, the route information must be entered into the router by the network administrator. Whenever the network topology changes, the administrator must delete or add route information on the router. Routes of this kind are called static routes. Static routing can be divided into three steps:
+ First, the network administrator configures the static routes on the router


+ The router installs these routes in its routing table
+ Data packets are routed along these static routes
The administrator configures a static route on the router with the ip route command. Its syntax is:

  Router(config)# ip route prefix mask {address | interface} [distance] [tag tag] [permanent]

  prefix      IP address of the destination network.
  mask        Subnet mask of the destination network.
  address     IP address of the next hop towards the destination network.
  interface   Outgoing interface on the router towards the destination network.
  distance    (optional) Administrative distance of the route.
  tag tag     (optional) A value used for comparison to control route redistribution through route maps (CCNP material).
  permanent   (optional) States that this route is not removed even when the interface is shut down (CCNP material).

One thing to consider with static routing is the reliability index (the administrative distance above). The reliability index measures how trustworthy a route is; the lower the index, the more reliable the route. So if two routes lead to the same destination, the one with the lower index is placed in the router's routing table first. For example, a static route that uses the next-hop IP address has a default index of 1, while a static route that uses the outgoing interface has a default index of 0. To set the index yourself instead of using the default, add it after the outgoing interface or next-hop IP address in the command. The value ranges from 0 to 255. Example:
  router(config)# ip route 172.16.2.0 255.255.255.0 172.16.4.1 124
If the router cannot forward packets out of the configured interface, which means the interface is down, the corresponding route is not placed in the routing table.
Note: static routing uses few resources and is used in small networks with few changes.
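The subnet computation from section I.3 (the 132.8.18.60 / 14-subnet case) and the static route selection just described, as an added Python example that is not part of the original notes; it generalises the notes' arithmetic to any class A, B or C address and any subnet count, and the routing table entries, next hops and administrative distances below are constructed for illustration:

```python
"""
Added example, not from the original notes: classful analysis of an address,
borrowing host bits for subnets exactly as the 132.8.18.60 / 14-subnet example
does, and a static routing table lookup in the spirit of `ip route`, with the
administrative distance as the tie-break. All addresses and routes are constructed.
"""
import ipaddress


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def ip_class(dotted):
    """Classify by the leading bits as the notes do: 0 -> A, 10 -> B, 110 -> C."""
    first_octet = ip_to_int(dotted) >> 24
    if first_octet & 0x80 == 0:
        return "A"
    if first_octet & 0xC0 == 0x80:
        return "B"
    if first_octet & 0xE0 == 0xC0:
        return "C"
    return "D/E"  # reserved classes


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def plan_subnets(network_ip, wanted_subnets):
    """Borrow host bits until 2^bits - 2 >= wanted_subnets (the notes' formula)."""
    cls = ip_class(network_ip)
    if cls not in DEFAULT_MASK:
        raise ValueError("only classes A, B and C can be subnetted here")
    default_bits = bin(ip_to_int(DEFAULT_MASK[cls])).count("1")
    borrowed = 1
    while (1 << borrowed) - 2 < wanted_subnets:
        borrowed += 1
    mask_bits = default_bits + borrowed
    if mask_bits > 30:  # at least 2 host bits are needed for 2^h - 2 > 0
        raise ValueError("not enough host bits for that many subnets")
    mask = (0xFFFFFFFF << (32 - mask_bits)) & 0xFFFFFFFF
    host_bits = 32 - mask_bits
    return {
        "class": cls,
        "borrowed_bits": borrowed,
        "subnet_mask": int_to_ip(mask),
        "max_subnets": (1 << borrowed) - 2,
        "hosts_per_subnet": (1 << host_bits) - 2,
        "subnet_of_address": int_to_ip(ip_to_int(network_ip) & mask),
    }


class StaticRoute:
    """One `ip route prefix mask next_hop [distance]` entry (next-hop form, default distance 1)."""

    def __init__(self, prefix, mask, next_hop, distance=1):
        self.prefix = ip_to_int(prefix)
        self.mask = ip_to_int(mask)
        self.next_hop = next_hop
        self.distance = distance
        self.prefix_len = bin(self.mask).count("1")


def lookup(routes, destination):
    """Longest prefix match; for equal prefix length the lower administrative distance wins."""
    dst = ip_to_int(destination)
    best = None
    for r in routes:
        if dst & r.mask != r.prefix:
            continue
        if best is None or (r.prefix_len, -r.distance) > (best.prefix_len, -best.distance):
            best = r
    return best.next_hop if best else None


def example_table():
    """Constructed table: a default route, the notes' 172.16.2.0 route with distance 124,
    a competing route to the same prefix with the default distance, and a /16 summary."""
    return [
        StaticRoute("0.0.0.0", "0.0.0.0", "10.0.0.1"),
        StaticRoute("172.16.2.0", "255.255.255.0", "172.16.4.1", distance=124),
        StaticRoute("172.16.2.0", "255.255.255.0", "172.16.5.1"),
        StaticRoute("172.16.0.0", "255.255.0.0", "172.16.9.1"),
    ]


if __name__ == "__main__":
    print(plan_subnets("132.8.18.60", 14))
    for dst in ("172.16.2.77", "172.16.3.5", "8.8.8.8"):
        print(dst, "->", lookup(example_table(), dst))
```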


3. Dynamic routing
Dynamic routing protocols are used for routers to communicate with each other. A dynamic routing protocol lets a router share the routing information it knows with other routers, from which each router can build and maintain its routing table. Some dynamic routing protocols:
+ RIP (Routing Information Protocol)
+ IGRP (Interior Gateway Routing Protocol)
+ EIGRP (Enhanced Interior Gateway Routing Protocol)
+ OSPF (Open Shortest Path First)
Note: dynamic routing consumes resources and is used in large networks with many changes.

4. Classification of dynamic routing protocols
Most dynamic routing algorithms fall into one of two categories:
a) Distance vector
- works by advertisement
- routers do not compute paths themselves
- the routing table is sent out periodically
- every 30, 60, 90 or 120 s the routers resend their routing tables
- protocols: RIP, IGRP, EIGRP
b) Link state
- every router holds a complete database of the whole network topology
- it builds an SPF (shortest path first) tree with itself as the root and runs the SPF algorithm on the tree to find the shortest path to every network; the best route is put into the routing table
- routing tables are not sent; updates are sent only when something in the network changes
- protocols: OSPF, EIGRP
Link state routing has the following drawbacks:
+ the router's CPU has to do a lot of computation
+ it requires a large amount of memory
+ it consumes link bandwidth
Distance vector routing chooses a path by direction and distance to the destination, whereas link state routing chooses the shortest path based on the structure of the whole network.


5. Routing protocols
At the internet layer of the TCP/IP suite, a router uses an IP routing protocol to perform routing. Some IP routing protocols:
+ RIP - an interior distance vector routing protocol.
+ IGRP - Cisco's interior distance vector routing protocol.
+ OSPF - an interior link state routing protocol.
+ EIGRP - an extended version of IGRP.
+ BGP - an exterior distance vector routing protocol.
* Some basic features of RIP
+ It is a distance vector routing protocol.
+ It uses hop count as the path selection metric.
+ If the hop count to the destination exceeds 15, the packet is discarded.
+ Periodic updates, every 30 seconds by default.
IGRP (Interior Gateway Routing Protocol) is a proprietary protocol developed by Cisco.
* Some features of IGRP:
+ It is a distance vector routing protocol.
+ It uses the bandwidth, load, delay and reliability of the link as path selection metrics.
+ Periodic updates, every 90 seconds by default.
OSPF (Open Shortest Path First) is a link state routing protocol.
* Some main features of OSPF
+ It is a link state routing protocol.
+ Defined in RFC 2328.
+ Uses the SPF algorithm to compute the best path.
+ Sends updates only when the network topology changes.
EIGRP is an advanced distance vector routing protocol and is proprietary to Cisco.
* Some features of EIGRP
+ It is an advanced distance vector protocol.
+ It supports load sharing.
+ It has the advantages of both distance vector and link state routing.
+ It uses the DUAL (Diffusing Update Algorithm) to compute the best path.


+ Periodic updates every 90 seconds by default, or an update whenever the network topology changes.
BGP (Border Gateway Protocol) is an exterior routing protocol.
* Some basic features of BGP
+ It is an exterior distance vector routing protocol.
+ Used for routing between ISPs, or between an ISP and its customers.
+ Used to route Internet traffic between autonomous systems (AS).

Note: the protocols of each application are covered in full in "Introduction to Networking".


III. The FTP service
See "Introduction to Networking".

IV. The HTTP and HTTPS protocols
See chapter 2a of "Introduction to Networking".

V. The DNS service
See the lecturer's material and chapter 2b of "Introduction to Networking".

VI. The DHCP protocol
See the lecturer's material.

VII. Email protocols
What is SMTP? SMTP stands for "Simple Message Transfer Protocol". SMTP is an Internet protocol for sending mail. To send mail with SMTP you normally have to use a Sendmail program (the Sendmail daemon). There is another one called QMail, but Sendmail is generally more common, even though Sendmail is a very insecure mail-sending protocol.
What is POP3? POP3 stands for "Post Office Protocol Version 3". The POP3 daemon normally runs on port 110 (its standard port). To check mail you must connect to the server running the POP3 daemon on port 110.
What is IMAP? IMAP (Internet Message Access Protocol) is the next generation of the POP (Post Office Protocol). Put simply, IMAP keeps control of email on the mail server, whereas POP's job is to download all messages to the client machine on request. Specifically, IMAP


provides email access in three different modes: offline, online and disconnected.
Offline access: IMAP behaves like POP; the messages are transferred to the client machine, deleted from the mail server and the connection is dropped. The user then reads, replies and does other work offline, and must reconnect to send new mail.
Online access is the IMAP mode in which the user reads and works with messages while staying connected to the mail server (an open connection). The messages stay on the mail server until the user decides to delete them, and each is flagged as "read" or "replied".
In disconnected mode, IMAP lets the user store messages temporarily on the client machine, work with them, and then update the mail server on the next connection. This mode is useful for laptop users and for people who dial in over a phone line, who still do not want to give up the advantages of a mailbox stored on the mail server.

VIII. Security with Access Control Lists (ACL)

What is an ACL?

An ACL is a list of statements applied to the interfaces of a router. The list tells the router which kind of packet to accept (allow) and which kind to drop (deny). Accepting or dropping can be based on the source address, the destination address or the port number.

Why use access lists?



Access Control Lists in the network model
- Managing IP traffic
- Providing a basic level of security for network access, by filtering packets as they pass through the router

Uses of access lists

- Permit or deny packets moving through the router.
- Permit or deny remote access to or from the router.

Types of access list

ACLs come in two types:
- Standard ACL
- Extended ACL

An ACL can be created for every routed network protocol (IP, IPX) to filter packets passing through the router.



How an ACL works

An ACL is evaluated in the order of the statements given when the access list was configured. If a condition in the list is matched, it is applied and the remaining statements are not checked. If none of the statements in the list match (unmatched), a default "deny any" statement is applied: the end of every access list is an implicit deny all. Therefore an access list must contain at least one permit statement.

Order of checking the statements in an ACL

When a packet arrives on an interface, the router checks whether an ACL is applied inbound on that interface; if so, the packet is checked against the conditions in the list. If the packet is allowed, it goes on to be looked up in the routing table to choose the interface towards its destination. Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent on to the destination network. If there is an ACL on the outbound interface, the packet is checked against the conditions in that ACL.
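The first-match evaluation with the implicit "deny any", followed by the inbound ACL, routing lookup and outbound ACL sequence described above, as an added Python example that is not part of the original notes; the ACL entries, routing table and packets are constructed for illustration, and the CIDR notation for the source/destination conditions is a simplification of real router syntax:

```python
"""
Added example, not from the original notes: a first-match ACL evaluator with the
implicit "deny any" at the end of every list, applied inbound, then to the routing
decision, then outbound. ACL entries, routing table and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str = "any"             # network in CIDR form, or "any"
    dst: str = "any"
    proto: str = "ip"            # "ip" matches every protocol (standard ACL style)
    dport: Optional[int] = None  # destination port condition (extended ACL style)

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate_acl(acl, pkt):
    """First match wins: return (action, line index), or ("deny", None) for the implicit deny."""
    for line, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, line
    return "deny", None


def has_permit(acl):
    """A list without any permit line blocks everything because of the implicit deny."""
    return any(e.action == "permit" for e in acl)


def route_lookup(routing_table, dst):
    """Longest prefix match over (network, interface) pairs; None when there is no route."""
    best = None
    for network, iface in routing_table:
        net = ipaddress.ip_network(network)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(pkt, inbound_acl, routing_table, outbound_acls):
    """Simulate the router's inbound ACL -> routing table -> outbound ACL sequence."""
    if inbound_acl is not None:
        action, line = evaluate_acl(inbound_acl, pkt)
        if action == "deny":
            return ("dropped", "inbound", line)
    iface = route_lookup(routing_table, pkt.dst)
    if iface is None:
        return ("dropped", "no-route", None)
    out_acl = outbound_acls.get(iface)   # interface without an ACL: packet goes straight out
    if out_acl is not None:
        action, line = evaluate_acl(out_acl, pkt)
        if action == "deny":
            return ("dropped", "outbound", line)
    return ("forwarded", iface, None)


if __name__ == "__main__":
    # Constructed scenario: block telnet from one subnet, permit the rest of 10.1.0.0/16 inbound;
    # only web traffic may leave through the serial interface.
    acl_in = [AclEntry("deny", src="10.1.1.0/24", proto="tcp", dport=23),
              AclEntry("permit", src="10.1.0.0/16")]
    routes = [("192.168.1.0/24", "e1"), ("0.0.0.0/0", "s0")]
    acl_out = {"s0": [AclEntry("permit", proto="tcp", dport=80)]}
    for pkt in (Packet("10.1.1.5", "192.168.1.10", "tcp", 23),
                Packet("10.1.2.9", "8.8.8.8", "tcp", 80),
                Packet("10.1.2.9", "8.8.8.8", "udp", 53)):
        print(pkt, "->", forward(pkt, acl_in, routes, acl_out))
```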



(Figure: flowchart of inbound ACL operation.)
Further reading:
http://www.vn-seo.com/quang-ba-website-seo/access-control-list/
http://www.thuatngu.vn/wiki/ACL_%28Access_Control_List%29

IX. Structure of the IP datagram

Data transmitted over a network using IP addresses is wrapped in a message called an IP datagram. This section describes the IPv4 datagram. An IPv4 datagram is divided into two parts: header and payload. The header holds the addresses and the control fields, while the payload carries the actual data to be transmitted. Although IP is quite simple and unreliable, the header carries a large amount of information, so it takes up a considerable share of the IP datagram: even in the smallest case it is 20 bytes. The IP datagram format is as follows:



Where:

| Field | Size (bits) | Description |
|---|---|---|
| Version | 4 | The IP version used to create the datagram. For IPv4 this field is of course 4. Its purpose is to ensure compatibility between devices using different IP versions. Typically a device using an older IP version rejects datagrams created by a newer version, because the older version cannot interpret the newer datagram correctly. |
| IHL | 4 | Header length, in 32-bit words. It includes the length of the options and padding fields. Normally, with no options, its value is 5 (5 32-bit words = 5*4 = 20 bytes). |
| TOS | 8 | Type Of Service: carries quality-of-service information such as forwarding priority. Subfields: Precedence (3 bits) sets the priority of the datagram, from low to high; D (1 bit): D = 1 requests urgent delivery; T (1 bit): T = 1 requests a high-quality link; R (1 bit): R = 1 requests guaranteed delivery; Reserved (2 bits): unused. |
| Total Length (TL) | 16 | Total length of the IP datagram, in bytes. The maximum length of a datagram is 65,535 bytes; most are much smaller. |
| Identification | 16 | Identifier of the datagram, making it unique on the network. |
| Flags | 3 | Three small fields: Reserved (1 bit): unused; DF (1 bit): Don't Fragment, if 1 the datagram is not fragmented; MF (1 bit): More Fragments, if 1 more fragments follow. |
| Fragment Offset | 13 | When fragmentation occurs, this field holds the offset, i.e. the position of the fragment, normally a multiple of 8. The first fragment has the value 0. |
| Time To Live (TTL) | 8 | The time the datagram may live on the network, measured in intermediate hops (router hops). Each router decrements TTL by 1; if TTL reaches 0 the router discards the datagram. |
| Protocol | 8 | The protocol carried in the datagram. Common values: 01h (1): ICMP; 02h (2): IGMP; 06h (6): TCP; 11h (17): UDP. |
| Header Checksum | 16 | Used to check whether the datagram was corrupted in transit. |
| Source Address | 32 | IP address of the sender. Kept unchanged throughout transmission. |
| Destination Address | 32 | IP address of the receiver. Kept unchanged throughout transmission. |
| Options | Variable | Options; the length of the options field can vary. |
| Padding | Variable | If there are options and their number of bits is not a multiple of 32, 0 bits are appended so that the bit count becomes a multiple of 32 (4 bytes). |
| Data | Variable | The data. |

X. The NAT mechanism

a. General introduction to NAT
When two computers are on the same network (the same subnet) they are connected directly, meaning they can send and receive data directly with each other. If the computers are not on the same network and have no direct connection, data must be forwarded back and forth between those networks, and that requires a router (software or hardware). This is the situation when a computer wants to connect to another computer on the Internet.

b. How does NAT work?
NAT works like a router: its job is to forward packets between different networks within a larger network. You can also think of the Internet as a single network made up of countless subnets. Routers are able to understand the different networks around them and forward packets to the right place. NAT uses its own IP as the public IP for every client with a private IP. When a client connects or sends data to some computer on the Internet, the data is sent to the NAT, which replaces the client's original source IP with the NAT's own IP address before sending the packet on. The remote computer on the Internet that receives it sends its reply back to the NAT computer, because it believes the NAT computer sent those packets. NAT keeps a table recording which computers sent packets out on each service port, and delivers the received packets to the right client.



c. NAT performs the following tasks:
- It translates the source IP address into its own IP address, so that the data received by the remote computer looks as if it came from the computer configured as the NAT.
- It sends the data to the remote computer and remembers which service port the data was sent on.
- Data received from the remote computer is delivered to the clients.
An extension of NAT is PAT (Port Address Translation), used for the same purpose. Here, instead of translating only the IP address, the service port is translated too (as decided by the NAT router).

NAT techniques
Static NAT. With static NAT, IP addresses are mapped to each other statically through configuration commands. In static NAT an Inside Local address is always mapped to the same Inside Global address. If used, each Outside Local address is always mapped to the same Outside Global address. Static NAT does not save real addresses. Although static NAT does not help conserve IP addresses, it allows an internal server to be visible on the Internet, because the server always uses the same real IP address. Static NAT is easy to implement, and the whole address translation is done by a simple formula:
  destination address = new network address OR (source address AND (NOT netmask))
Example: one private address is mapped to one public address. For instance, a machine on the LAN with address 10.1.1.1 is translated to the public address 20.1.1.1 when its packets go out to the Internet.



Start with a packet sent from a PC on the left of the figure to a server on the right with address 170.1.1.1. The private source address 10.1.1.1 is translated into the real address 200.1.1.1. The client sends out a packet with source address 10.1.1.1, but the NAT router changes the source address to 200.1.1.1. When the server receives a packet with source address 200.1.1.1, it believes it is talking to the machine 200.1.1.1, so it replies with a packet whose destination address is 200.1.1.1. The router then translates the destination address 200.1.1.1 back to 10.1.1.1.

Dynamic NAT. With dynamic NAT, the number of source IPs does not equal the number of destination IPs. The number of hosts that can share is in general limited by the number of destination IPs available. Dynamic NAT is more complex than static NAT, because it must keep connection state and even look at the TCP information in the packet. Some people use it instead of static NAT for security reasons: outsiders cannot find out which IP is connected to a given host, because at the next moment that host may get a completely different IP. Connections from the outside are only possible while the host still holds an IP in the dynamic NAT table, where the NAT router keeps the information about which inside IP (source IP) is linked to which NAT-IP (destination IP). Take a non-passive FTP session as an example. There the server tries to set up a data channel, so when the server tries to send an IP packet to the FTP client, there must be an entry for that client in the NAT table. It must still link the client IP to the same NAT-IP the client used when it opened the control channel, unless the FTP session has been left idle past the timeout. To add a word on FTP: the FTP protocol has two modes, passive and non-passive. FTP always uses two ports (control and data). In passive mode the connecting host receives the data port information from the server,


while in non-passive mode the connecting host specifies the data port and asks the server to listen for the connection.
Whenever someone from outside wants to connect to a given host inside the network at an arbitrary moment, there are only two cases:
+ The inside host has no entry in the NAT table, in which case the outsider gets a "host unreachable", or it has an entry but the NAT-IP is unknown.
+ The outsider knows the IP of a connection because a connection was made from the inside host out to the network. However, that is only the NAT-IP and not the host's real IP, and this information is lost after the timeout of that entry in the NAT router's table.
Example: one private address is mapped to one public address taken from a pool of public addresses. For instance, a LAN with addresses in 10.1.1.1/8 is translated to a public address in the range 200.1.1.1 to 200.1.1.100 when packets go out to the Internet.

NAT overloading (or PAT). Used to map many private IP addresses to one public address; each private address is distinguished by its port number. Up to 65,356 internal addresses can be translated to one public address, though in practice it is around 4000 ports. PAT works by marking some TCP or UDP traffic flows from many local inside hosts so that they appear to come from one or a few Inside Global addresses. With PAT, instead of translating only the IP address, NAT also translates the ports when needed. And because the port fields are 16 bits long, each Inside Global address can support up to 65,000 simultaneous TCP and UDP connections. For example, in a network of 1000 machines, one real IP address used as the


single Inside Global address can handle an average of six data streams to and from hosts on the Internet.
Example: PAT maps many private addresses to one public address, telling the private addresses apart by port; for example IP address 10.1.1.1 is mapped to IP address 200.1.1.6:port_number.

* The relationship between NAT and PAT
PAT is closely related to NAT and is therefore often still called NAT. In NAT, generally only the IP address is changed; there is a 1:1 correspondence between private and public addresses. In PAT, both the sender's private address and its port are changed; the PAT device chooses the port numbers that hosts on the public network will see. In NAT, packets arriving from outside are routed to their destination IP address on the private network by referring to the source address of the incoming packet. In PAT, only one public IP address is visible from outside, and packets arriving from the public network are routed to their destinations on the private network by referring to the table of private/public port pairs kept in the PAT device. This is usually called connection tracking.
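The static NAT formula and the PAT connection-tracking table described above, as an added Python example that is not part of the original notes: the formula keeps the host part of the source address and swaps in the new network, and the PAT class shows why a reply is delivered to the right inside host while an unsolicited inbound packet finds no entry. The address 200.1.1.6 and the port range starting at 61000 follow the notes; the inside hosts, remote server and ports are constructed:

```python
"""
Added example, not from the original notes: static NAT by the notes' formula
  new address = new network OR (source AND NOT netmask)
and a PAT (overload) translator with a connection-tracking table. Addresses,
ports and the packet dictionaries are constructed for illustration.
"""
import ipaddress


def ip_to_int(a):
    return int(ipaddress.IPv4Address(a))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def static_nat(src, new_network, netmask):
    """Replace the network part of src with new_network; the host part is kept."""
    mask = ip_to_int(netmask)
    host_part = ip_to_int(src) & (~mask & 0xFFFFFFFF)
    return int_to_ip((ip_to_int(new_network) & mask) | host_part)


class Pat:
    """Many inside hosts share one inside-global address and are told apart by port."""

    def __init__(self, public_ip, port_range=(61000, 61000 + 4096)):
        self.public_ip = public_ip
        self.free_ports = list(range(*port_range))
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.back = {}

    def outbound(self, pkt):
        """Translate a packet leaving the LAN; a new flow gets a free public port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out:
            if not self.free_ports:
                raise RuntimeError("port range exhausted, no more simultaneous connections")
            port = self.free_ports.pop(0)
            self.out[key] = port
            self.back[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, pkt):
        """Reverse lookup; None means there is no tracked connection, so the packet is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.back.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return {**pkt, "dst": inside_ip, "dport": inside_port}

    def expire(self, inside_ip, inside_port, remote_ip, remote_port):
        """Timeout or connection close: remove the entry and give the public port back."""
        key = (inside_ip, inside_port, remote_ip, remote_port)
        port = self.out.pop(key, None)
        if port is not None:
            del self.back[(port, remote_ip, remote_port)]
            self.free_ports.append(port)


if __name__ == "__main__":
    print(static_nat("10.1.1.1", "20.0.0.0", "255.0.0.0"))        # 20.1.1.1 as in the notes
    pat = Pat("200.1.1.6")
    out1 = pat.outbound({"src": "10.1.1.1", "sport": 40000, "dst": "170.1.1.1", "dport": 80})
    out2 = pat.outbound({"src": "10.1.1.2", "sport": 40000, "dst": "170.1.1.1", "dport": 80})
    print(out1, out2)
    print(pat.inbound({"src": "170.1.1.1", "sport": 80, "dst": "200.1.1.6", "dport": out2["sport"]}))
    print(pat.inbound({"src": "1.2.3.4", "sport": 12345, "dst": "200.1.1.6", "dport": 61005}))
```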


Some devices that provide NAT, such as broadband routers, actually provide PAT. For this reason there is considerable confusion between the terms; in general people use "NAT" to include PAT devices as well.

Masquerading (or NAPT). This is a special case of dynamic NAT, used in Linux. With NAPT, many IP addresses are hidden behind a single address. It differs from dynamic NAT, where a single IP carries only one connection at a time; in NAPT many connections to the same IP are separated by TCP port. The special problem with NAPT is that some services on a given host only accept connections from privileged ports, to make sure the incoming connection is not from an ordinary user; perhaps only the superuser can handle those ports. Since on DOS or Windows anyone can use them, some programs cannot use NAPT connections. NAPT usually uses ports in a high range; on Linux it starts at 61000 and ends at 61000+4096. This default can be changed. This also means that the Linux NAPT implementation only allows 4096 simultaneous NAPT connections. NAPT connections require storing a lot of connection state information. For example, on Linux all packets with destination IP = local IP and a destination port within the NAPT port range are treated as packets to be demasqueraded (resolving packets that were masqueraded); in essence this is a change of the destination address and source address in the packet header. So NAPT works in one direction only; incoming connections cannot be masqueraded. And even when a host has an entry in the NAT device's masquerading table, that entry is only valid while a connection is active. Even an ICMP reply related to the connection (host/port unreachable) must be filtered and relayed by the NAT router. The biggest benefit of masquerading is that only one IP need be allocated while the whole network can still connect directly to the Internet.
Example:
- Masquerade the network 203.156.0.0 with NAT to the local IP
- For every outgoing IP packet the source IP is replaced with the IP of the NAT router. The source port is changed to a port in the masquerading range.

Other NAT techniques
1. Virtual server (load balancing)
The NAT router acts as a virtual server, and incoming connections are redirected to two or more real servers. Which inside server a connection goes to depends on the algorithm implemented.
Example:
- Create a virtual server with IP 203.156.98.100



- Use two hosts, 203.156.98.111 and 203.156.98.112, as the real servers for the virtual server.
- A connection from outside is remapped by the NAT router to one of the two hosts (real servers).
- Load balancing: the algorithm decides which real server gets the conn ection. For example, check the load on the real servers by counting the packets per second passing through the NAT device to each real server, then choose the real server with the best performance. This regulates the traffic on the network and reduces the load on the servers. The number of algorithms that can be used here is uncountable and they rest on different calculations, but all share the goal of reducing the load on the servers. The notion of load here is vague and has no single definition. Example: run a daemon on each server that reports the load of that machine to the NAT router, and remap new connections to the system where that number is lowest. This requires communication between the hosts (real servers) and the NAT router, so we should instead use information already available on the NAT router, such as the number of connections currently remapped to a host, or information that is not on the server but can easily be found, such as the number of bytes or packets per second a host is currently handling. The factors mentioned here are a few ideas for achieving balance when distributing load. More precisely, we try to measure and calculate the load of each host. Some algorithms, for example, rest on theory such as Heisenberg's uncertainty principle in measurement. So we must find a way to minimise the cost, for the host, of deciding the load and of deciding which host gets the connection. Even if we assume we have found an exact and good method for deciding the load, based on a definition of what load is, in practice it is still not the best solution, because the smallest IP packet is only determined by physical quantities. We can only choose which host to send a connection to when a new connection is opened, which is not truly optimal. Nevertheless the methods mentioned above can be applied in practice to achieve load balancing, and there may be some best calculation we have not found yet. There are many approaches to the load balancing problem, most of them at the application level. One example, described in RFC 1794, uses DNS support for load balancing.
That document describes using DNS to control the load on machines by returning the IP of the least busy machine when queried. Since DNS queries are cached by successive DNS servers, the limits must be controlled strictly. It works perfectly well when there are many queries, even when they


come from many client machines. However, even though load balancing works fine in that setup, this approach does not help once a server fails; even when separate IPs are handed out per query they may still be cached, so when a server fails it may well be the "best performing" one, and the load balancing mechanism breaks down completely. An example of a well-known caching program is Squid, which uses a complex algorithm to find the best target. That solution is not quite the same as NAT, but its goal is the same. With NAT we can distribute the load of large and diverse services based on IP, whereas Squid serves a different purpose, so the comparison is not entirely fair. The author chose Squid as an example because Squid performs load balancing to find a piece of data in a smart, optimal way.

- Backup systems
The virtual server can also be used to obtain the best possible service, if it solves the problem of any real server failing. Since the services provided by the virtual server are available on every real server, if the probability of one real server failing is p, then for a virtual server using NAT the failure case can be computed as follows. Let
+ p1 .. pn be the failure probability of server n out of N (N is the number of servers provided for the virtual server)
+ pNAT be the failure probability of the NAT router, independent of the other devices
+ pvirt be the failure probability of the virtual server when a real server fails
The formula is:
  Pvirt = 1 - ((1 - [product of pi for i = 1..n]) * (1 - pNAT))
Of course, a system set up using this formula for load balancing must change the list of servers used by the NAT router as soon as a real server fails. This is not part of the NAT code but can be done well at a higher level, even from shell scripts. It is important to have a mechanism to remove a failed server from the virtual server table, so the virtual server table must be easy to change, with IPs that can be added or removed at runtime. In this way we obtain a link between the two capabilities, load balancing and high availability, through the virtual server. It is completely transparent to all hosts, users and programs using the virtual service.
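The virtual server behaviour described in this section (least-connections remapping using only information the NAT router already holds, runtime removal of a failed real server, and the Pvirt formula), as an added Python example that is not part of the original notes; the virtual IP and real server addresses follow the notes' example, while the client addresses and failure probabilities are constructed:

```python
"""
Added example, not from the original notes: a NAT virtual server that remaps each
new connection to the real server with the fewest tracked connections, drops a failed
real server from its table at runtime, and evaluates the notes' availability formula
  Pvirt = 1 - (1 - p1*...*pn) * (1 - pNAT).
Client addresses and probabilities are constructed.
"""
from math import prod


class VirtualServer:
    def __init__(self, virtual_ip, real_servers):
        self.virtual_ip = virtual_ip
        self.real_servers = list(real_servers)
        self.connections = {}                         # (client_ip, client_port) -> real server
        self.load = {s: 0 for s in real_servers}      # tracked connections per real server

    def remap(self, client_ip, client_port, dst_ip):
        """Return the address the packet is sent to; non-virtual destinations pass unchanged."""
        if dst_ip != self.virtual_ip:
            return dst_ip
        key = (client_ip, client_port)
        if key not in self.connections:
            if not self.real_servers:
                raise RuntimeError("no real server available")
            # least connections, decided from the NAT router's own table (ties by address)
            target = min(self.real_servers, key=lambda s: (self.load[s], s))
            self.connections[key] = target
            self.load[target] += 1
        return self.connections[key]             # an existing connection stays on its server

    def close(self, client_ip, client_port):
        """Connection ended or timed out: release the tracking entry."""
        server = self.connections.pop((client_ip, client_port), None)
        if server is not None and server in self.load:
            self.load[server] -= 1

    def mark_failed(self, server):
        """Runtime removal of a failed real server; its tracked connections are dropped."""
        self.real_servers.remove(server)
        del self.load[server]
        for key in [k for k, s in self.connections.items() if s == server]:
            del self.connections[key]

    def add_server(self, server):
        """Runtime addition of a real server (new or repaired)."""
        if server not in self.load:
            self.real_servers.append(server)
            self.load[server] = 0


def virtual_server_failure_probability(p_real, p_nat):
    """The notes' formula: the service fails if the NAT router fails or every real server fails."""
    return 1 - (1 - prod(p_real)) * (1 - p_nat)


if __name__ == "__main__":
    vs = VirtualServer("203.156.98.100", ["203.156.98.111", "203.156.98.112"])
    for client in ("1.1.1.1", "1.1.1.2", "1.1.1.3"):
        print(client, "->", vs.remap(client, 5000, "203.156.98.100"))
    vs.mark_failed("203.156.98.111")
    print("after failure:", vs.remap("1.1.1.1", 5000, "203.156.98.100"))
    print("Pvirt =", virtual_server_failure_probability([0.1, 0.1], 0.05))
```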


that we use a virtual server in place of several real servers. We can also create a virtual network made up of several real wires using the virtual server technique. How do we do this with NAT? Imagine we have two Internet providers; two, because we do not want a failure when one provider goes down. Every host that needs Internet connectivity must have a unique IP, so we buy an IP for every host from the two different providers. Then we can use either of the two to send packets to the same place. Now let us set up the system just described: we distribute the load by sending a few hosts through provider 1 and some others through provider 2, and we get higher availability of the Internet connection. However, we can also see that load balancing is very hard to achieve when each host decides for itself where to send its packets. We have not discussed how a network uses one IP or the other; the problem here is still to have a central authority decide which host uses which provider, naturally through a special NAT router. Using NAT, our local machines need only one IP. If we have a trustworthy provider, we can use the IP supplied by that provider while still using the internal IPs inside the network. Now, when a host inside the network wants to open a new connection to the Internet, it simply sends the packet to the default router (the NAT router) with its own IP as the source IP. Since the NAT router knows all outgoing connections, it decides which provider to send the packet through so as to be optimal. It replaces the source IP with the IP of the chosen provider and sends the packet to that provider's router. Because the source IP is the one supplied by that provider, the rest of the packet's path is decided by the provider through the provider's router. The sending host never knows which provider the NAT router chose, so the processing is transparent. We can use the same algorithm as for the virtual server; the difference between the two applications is that here we intervene in the routing process.

