routing with windows server 2003 chapter 9. objectives for this chapter manage routing and remote...

Routing with Windows Server Routing with Windows Server 20032003

Chapter 9Chapter 9

Objectives for this ChapterObjectives for this Chapter

Manage Routing And Remote Access routing Manage Routing And Remote Access routing interfacesinterfaces

Manage packet filtersManage packet filters

Manage TCP/IP routingManage TCP/IP routing– Manage routing protocolsManage routing protocols– Manage routing tablesManage routing tables– Manage routing portsManage routing ports

Troubleshoot demand-dial routingTroubleshoot demand-dial routing

Troubleshoot connectivity to the InternetTroubleshoot connectivity to the Internet

Verify that the DHCP relay agent is working correctlyVerify that the DHCP relay agent is working correctly

In This ChapterIn This Chapter

Configuring Windows Server 2003 for LAN Configuring Windows Server 2003 for LAN Routing Routing

Configuring Demand-Dial Routing Configuring Demand-Dial Routing

Configuring NAT Configuring NAT

Configuring and Managing Routing Configuring and Managing Routing Protocols Protocols

Configuring Packet Filters Configuring Packet Filters

To Complete the Exercises:To Complete the Exercises:

On page 9-2 On page 9-2

Configuring Windows Server Configuring Windows Server 2003 for LAN Routing2003 for LAN Routing

RoutingRouting is the process of transferring data is the process of transferring data across an internetwork from one local area across an internetwork from one local area network (LAN) to another. (Layer 3)network (LAN) to another. (Layer 3)

A A bridgebridge connects network segments and connects network segments and shares traffic as necessary according to shares traffic as necessary according to hardware addresses, a router receives hardware addresses, a router receives and forwards traffic along appropriate and forwards traffic along appropriate pathways according to software pathways according to software addresses. (Layer 2)addresses. (Layer 2)

Note Note

Windows Server 2003 also supports Windows Server 2003 also supports AppleTalk routing. However, whereas AppleTalk routing. However, whereas Internetwork Packet Exchange (IPX) Internetwork Packet Exchange (IPX) routing is supported in Microsoft Windows routing is supported in Microsoft Windows 2000, computers running Windows Server 2000, computers running Windows Server 2003 cannot function as IPX routers 2003 cannot function as IPX routers

RRASRRAS

Routing And Remote Access service is Routing And Remote Access service is installed by Windows Server 2003 Setup installed by Windows Server 2003 Setup in a disabled state. in a disabled state.

Remote Access ServiceRemote Access Service

Remote access enables remote or Remote access enables remote or mobile workers who use dial-up mobile workers who use dial-up communication links to access corporate communication links to access corporate networks as if they were directly networks as if they were directly connected. connected. Two different types of remote access Two different types of remote access connectivity:connectivity:

1.1. Dial-up networking.Dial-up networking.2.2. Virtual private networking. Virtual private networking.

Routing and Remote Access Routing and Remote Access FeaturesFeatures

1.1. Network address translation (NAT), Network address translation (NAT),

2.2. Layer Two Tunneling Protocol (L2TP), Layer Two Tunneling Protocol (L2TP),

3.3. Internet Authentication Service (IAS), Internet Authentication Service (IAS), and and

4.4. Remote Access Policies (RAP). Remote Access Policies (RAP).

Router Discovery 031Router Discovery 031

Router discovery provides an improved Router discovery provides an improved method of configuring and detecting method of configuring and detecting default gateways. default gateways.

Router discovery is made up of two types Router discovery is made up of two types of packets:of packets:

1.1. Router solicitations. Router solicitations.

2.2. Router advertisements. Router advertisements.

Network Address TranslatorNetwork Address Translator

NAT is a standard defined in RFC 1631. NAT is a standard defined in RFC 1631.

A NAT is a router that translates IP addresses of A NAT is a router that translates IP addresses of an intranet or home LAN to valid Internet an intranet or home LAN to valid Internet addresses. addresses.

A NAT allows Internet connectivity for a private A NAT allows Internet connectivity for a private network with private addresses through a single network with private addresses through a single Internet IP address. Internet IP address.

Multicast RoutingMulticast Routing

Windows 2003 Server implements a Windows 2003 Server implements a limited form of multicast routing using a limited form of multicast routing using a multicast proxy. multicast proxy.

This proxy can be used to extend multicast This proxy can be used to extend multicast support beyond a true multicast router. support beyond a true multicast router.

Layer Two Tunneling ProtocolLayer Two Tunneling Protocol

L2TP can be thought of as the next version of L2TP can be thought of as the next version of Point-to-Point Tunneling Protocol (PPTP). Point-to-Point Tunneling Protocol (PPTP).

It works much like PPTP but is now a combined It works much like PPTP but is now a combined development effort with Cisco. development effort with Cisco.

L2TP combines Cisco's Layer 2 Forwarding L2TP combines Cisco's Layer 2 Forwarding (L2F) and PPTP technologies (created by (L2F) and PPTP technologies (created by Microsoft, Ascend, 3Com, U.S. Robotics, and Microsoft, Ascend, 3Com, U.S. Robotics, and ECI-Telematics). ECI-Telematics).

Internet Authentication ServiceInternet Authentication Service

IAS is a Remote Authentication Dial-In User IAS is a Remote Authentication Dial-In User Service (RADIUS) server. Service (RADIUS) server.

RADIUS is a network protocol that enables RADIUS is a network protocol that enables remote authentication, authorization, and remote authentication, authorization, and accounting of users who are connecting to a accounting of users who are connecting to a network access server (NAS). network access server (NAS).

A network access server such as Windows A network access server such as Windows Routing and Remote Access can be a RADIUS Routing and Remote Access can be a RADIUS client or RADIUS server.client or RADIUS server.

Remote Access PoliciesRemote Access Policies

In Windows 2003, remote access connections In Windows 2003, remote access connections are granted based on the dial-in properties of a are granted based on the dial-in properties of a user object and remote access policies. user object and remote access policies.

RAPs are a set of conditions and connection RAPs are a set of conditions and connection parameters that allow network administrators parameters that allow network administrators more flexibility in granting remote access more flexibility in granting remote access permissions and usage. permissions and usage.

Remote Access PoliciesRemote Access Policies

RAPs are stored on the local computer RAPs are stored on the local computer and are shared between Windows 2003 and are shared between Windows 2003 Routing and Remote Access and Windows Routing and Remote Access and Windows 2003 IAS. RAP is configured from the 2003 IAS. RAP is configured from the Internet Authentication Service Manager Internet Authentication Service Manager or from the Routing and Remote Access or from the Routing and Remote Access Manager.Manager.

Using the Routing And Remote Using the Routing And Remote Access ConsoleAccess Console

To Configure:To Configure:

Right-Click on the Right-Click on the server and select server and select configure and enable configure and enable routing and remote routing and remote accessaccess


You can enable any You can enable any of the following of the following combinations of combinations of services:services:


Custom Custom ConfigurationsConfigurations


When selected, the When selected, the wizard will finishwizard will finish


You can now start the You can now start the servicesservices


RRAS is ready to RRAS is ready to configureconfigure

Adding Interfaces Adding Interfaces

A A network interface network interface is a software is a software component that connects to a physical component that connects to a physical device such as a modem or a network device such as a modem or a network card. card.

Note:Note:– Remember that a demand-dial interface does Remember that a demand-dial interface does

not necessarily refer to a dial-up connection. It not necessarily refer to a dial-up connection. It can also refer to a VPN or PPPoE connection can also refer to a VPN or PPPoE connection over a dedicated line.over a dedicated line.

Configuring Routing And Remote Configuring Routing And Remote Access Service Properties Access Service Properties

There are Five tabsThere are Five tabs– GeneralGeneral– SecuritySecurity– IPIP– PPPPPP– LoggingLogging

Managing General IP Routing Managing General IP Routing PropertiesProperties

There are Three Tabs There are Three Tabs for thefor the GeneralGeneral Properties:Properties:

LoggingLogging

Preference LevelsPreference Levels

Multicast ScopesMulticast Scopes

Working with Routing TablesWorking with Routing Tables

Routers read the destination addresses of received Routers read the destination addresses of received packets and then route those packets according to packets and then route those packets according to directions provided by routing tables.directions provided by routing tables.

Right-Click Right-Click Static RoutesStatic Routes and select and select Show IP Routing Show IP Routing TableTable

Routing TableRouting Table

Three types of routes exist:Three types of routes exist:– Host routeHost route

A route to a specific destination host A route to a specific destination host

– Network routeNetwork route Provides a route to a specific destination network. Provides a route to a specific destination network.

– Default routeDefault route This route is used to forward all packets whose This route is used to forward all packets whose destination address does not match any address destination address does not match any address listed in the routing table. listed in the routing table.

What Does It Mean?What Does It Mean?

Network DestinationNetwork Destination – Entries that the router compares to the destination address of Entries that the router compares to the destination address of

every received IP packet. every received IP packet. Netmask Netmask – Determines which part of the IP packet’s destination address Determines which part of the IP packet’s destination address

is compared to the entries in the Network Destination column.is compared to the entries in the Network Destination column.Gateway Gateway – The gateway value determines the next address or hop for The gateway value determines the next address or hop for

which that packet is destined.which that packet is destined.Interface Interface – Which local network interface is used to forward the packet to Which local network interface is used to forward the packet to

the next hop.the next hop.Metric Metric – The cost of using a route The cost of using a route

Static and Dynamic RoutingStatic and Dynamic Routing

Addresses can occur in eight types: Addresses can occur in eight types: – The default address, The default address, – The loopback address, The loopback address, – The default gateway address, The default gateway address, – The Locally configured addresses, The Locally configured addresses, – The Local subnet addresses, The Local subnet addresses, – The Local subnet broadcast addresses, The Local subnet broadcast addresses, – The Limited broadcast address, andThe Limited broadcast address, and– The Multicast addresses The Multicast addresses

for each adapter. for each adapter.

Exploring LAN Routing Exploring LAN Routing ScenariosScenarios

Simple Routing ScenarioSimple Routing Scenario

Multiple-Router ScenarioMultiple-Router Scenario


Network A Network B

Router

Multiple-Router ScenarioMultiple-Router Scenario

Network A Network C

Router 1

Router 2

Network B

Understanding Static RoutesUnderstanding Static Routes

Adding Static RoutesAdding Static Routes

route add route add destination destination mask mask netmask gateway netmask gateway metricmetric

route add 10.0.0.0 route add 10.0.0.0 mask 255.0.0.0 192.168.0.1 1 mask 255.0.0.0 192.168.0.1 1

route add –p 10.0.0.0 mask 255.0.0.0 192.168.0.1 1route add –p 10.0.0.0 mask 255.0.0.0 192.168.0.1 1

This statement make the route Persistent.This statement make the route Persistent.

Use the Route Delete command to delete a Use the Route Delete command to delete a route that you have added route that you have added

Advantages of Static RoutingAdvantages of Static Routing

– Static routing is advantageous in small Static routing is advantageous in small networks for which configuring a few static networks for which configuring a few static routes is simpler than configuring a dynamic routes is simpler than configuring a dynamic routing protocol.routing protocol.

– Static routes are less resource-intensive than Static routes are less resource-intensive than are dynamic routing protocols.are dynamic routing protocols.

– Static routes provide support for Static routes provide support for unnumbered unnumbered connectionsconnections: :

Disadvantages of Static RoutingDisadvantages of Static Routing

– The main disadvantage of static routing is that The main disadvantage of static routing is that it is a feasible means of maintaining onlyit is a feasible means of maintaining onlysmall routed networks.small routed networks.

– The lack of fault tolerance The lack of fault tolerance

Practice:Practice:

Enabling and Configuring Routing And Enabling and Configuring Routing And Remote AccessRemote Access– Exercise: Running the Routing And Exercise: Running the Routing And

Remote Access Server Setup WizardRemote Access Server Setup WizardPage 9-26Page 9-26

Configuring Demand-Dial Configuring Demand-Dial Routing Routing

A demand-dial interface is a router interface that A demand-dial interface is a router interface that will be brought up on demand based on network will be brought up on demand based on network traffic. traffic. The demand-dial link is only initiated if the The demand-dial link is only initiated if the routing table shows that this interface is needed routing table shows that this interface is needed to reach the IP destination address. to reach the IP destination address. The routing table does not provide any discretion The routing table does not provide any discretion on who or what protocol can bring up the on who or what protocol can bring up the demand-dial link. demand-dial link. It is simply based on where the traffic needs to It is simply based on where the traffic needs to go.go.

Configuring Demand-Dial Configuring Demand-Dial InterfacesInterfaces

You cannot configure demand-dial You cannot configure demand-dial interface if you do not have an external interface if you do not have an external connection.connection.

Once you have enabled demand-dial Once you have enabled demand-dial routing, you can launch the Demand-Dial routing, you can launch the Demand-Dial InterfaceInterface

Four commands unique to the Four commands unique to the demand-dial interfacedemand-dial interface

Set CredentialsSet Credentials

Unreachability ReasonUnreachability Reason

Set IP Demand-Dial FiltersSet IP Demand-Dial Filters

Dial-Out HoursDial-Out Hours

Deploying a Demand-Dial Router-Deploying a Demand-Dial Router-to-Router Configuration to-Router Configuration

Several features required to configure:Several features required to configure:– Connection Endpoint Addressing.Connection Endpoint Addressing.– Differentiating Between Remote Access Differentiating Between Remote Access

Clients and Routers.Clients and Routers.– Configuring Both Ends of the Connection.Configuring Both Ends of the Connection.– Configuring Static Routes.Configuring Static Routes.

Troubleshooting Troubleshooting Demand-Dial RoutingDemand-Dial Routing

Pages 37 – 39Pages 37 – 39

Practice:Practice:

Configuring Demand-Dial RoutingConfiguring Demand-Dial Routing– Exercise 1: Installing Internet Information Exercise 1: Installing Internet Information

Services on Computer2Services on Computer2– Exercise 2: Configuring Routing And Remote Exercise 2: Configuring Routing And Remote

Access for Demand-Dial RoutingAccess for Demand-Dial RoutingPage 9-39Page 9-39

– Exercise 3: Testing the ConfigurationExercise 3: Testing the ConfigurationPage 9-42Page 9-42

Configuring NATConfiguring NAT

NAT NAT is a service built into a router that is a service built into a router that modifies the header information in IP modifies the header information in IP datagrams before sending them on to their datagrams before sending them on to their destinations. destinations.

Difference Between NAT and Difference Between NAT and ICSICS

The main difference between NAT and The main difference between NAT and ICS is configurability.ICS is configurability.

ICS is preconfigured and automatically ICS is preconfigured and automatically sets the internal address of the computer sets the internal address of the computer hosting the shared connection to hosting the shared connection to 192.168.0.1.192.168.0.1.

Note the Table Note the Table “Comparison of “Comparison of Translated Connections Features”Translated Connections Features” on on page 9-47 page 9-47

Exam Tip Exam Tip

When assigning IP addresses, ICS does not check When assigning IP addresses, ICS does not check for conflicts with static addresses already owned by for conflicts with static addresses already owned by computers on the network. For this reason, you computers on the network. For this reason, you should not deploy ICS on a network whose essential should not deploy ICS on a network whose essential servers are pre-configured with static addresses servers are pre-configured with static addresses near the beginning of the 192.168.0.0/24 range. near the beginning of the 192.168.0.0/24 range. Note:Note:– Also that if essential servers are preconfigured with static Also that if essential servers are preconfigured with static

addresses in a different logical address space (such as addresses in a different logical address space (such as 192.168.1.0/24), deploying ICS might render those 192.168.1.0/24), deploying ICS might render those essential servers inaccessible. Consequently, if in a essential servers inaccessible. Consequently, if in a scenario on the exam, any essential network services stop scenario on the exam, any essential network services stop functioning after ICS is installed, look for an option to functioning after ICS is installed, look for an option to replace ICS with NAT.replace ICS with NAT.

Practice: Installing and Practice: Installing and Configuring NATConfiguring NAT

However you need two network interface However you need two network interface cards to configure NAT.cards to configure NAT.

Exam Tip Exam Tip

For the 70-291 exam, you need to know that For the 70-291 exam, you need to know that the functionality provided by the Services the functionality provided by the Services And Ports tab and illustrated in Figure 9-28 And Ports tab and illustrated in Figure 9-28 is known as configuring is known as configuring special portsspecial ports. To . To configure a special port means to map an configure a special port means to map an internal service (such as a Web, Telnet, or internal service (such as a Web, Telnet, or FTP server) to the external interface of the FTP server) to the external interface of the NAT computer. This feature allows external NAT computer. This feature allows external requests for internal services to be requests for internal services to be forwarded to the proper computer.forwarded to the proper computer.

Configuring and Managing Configuring and Managing Routing Protocols Routing Protocols

Routing protocols Routing protocols provide communication provide communication between routers. between routers.

Two Types:Two Types:– Distance VectorDistance Vector

RIPRIP– Link StateLink State

OSPFOSPF

Also the multicast routing protocol Also the multicast routing protocol – IGMP Router And Proxy, and IGMP Router And Proxy, and – DHCP Relay Agent.DHCP Relay Agent.

Exam Tip Exam Tip

You need to be familiar with these RIP You need to be familiar with these RIP security features for the exam security features for the exam

Configuring RIPConfiguring RIP

RIP RIP is a dynamic routing protocol that is a dynamic routing protocol that helps routers determine the best path helps routers determine the best path throughthroughwhich to send given data.which to send given data.

Routes to destinations are chosen Routes to destinations are chosen according to lowest cost.according to lowest cost.

Exam Tip Exam Tip

You need to be familiar with these RIP You need to be familiar with these RIP security features for the exam. security features for the exam.

OSPF OverviewOSPF Overview

OSPF is designed for exchanging routing OSPF is designed for exchanging routing information within a large or very large information within a large or very large internetwork.internetwork.

The biggest advantageThe biggest advantage of OSPF is that it of OSPF is that it is efficient; OSPF requires little network is efficient; OSPF requires little network overhead even in very large internetworks. overhead even in very large internetworks.

The biggest disadvantageThe biggest disadvantage of OSPF is its of OSPF is its complexity;complexity;

Understanding DHCP Relay Understanding DHCP Relay AgentAgent

DHCP Relay Agent DHCP Relay Agent is a routing protocol is a routing protocol that allows client computers to obtain an that allows client computers to obtain an address from a DHCP server on a remote address from a DHCP server on a remote subnet. subnet.

Exam Tip Exam Tip

Expect to see a topology question about Expect to see a topology question about DHCP Relay Agent and RFC 1542–DHCP Relay Agent and RFC 1542–compliant routers on the exam.compliant routers on the exam.

Configuring Packet Filters Configuring Packet Filters

When Basic Firewall is enabled on an When Basic Firewall is enabled on an external interface in the Routing And external interface in the Routing And Remote Access console, that interface Remote Access console, that interface blocks all unsolicited traffic from entering blocks all unsolicited traffic from entering your network.your network.– Packet filters Packet filters are rules defined for a particular are rules defined for a particular

interface that allow or restrict traffic by source interface that allow or restrict traffic by source address, destination address, direction, or address, destination address, direction, or protocol type.protocol type.

Exam Tip Exam Tip

Watch for questions in which all packet Watch for questions in which all packet filters are defined correctly, but whose filters are defined correctly, but whose filter action is improperly configured.filter action is improperly configured.

Exam Tip Exam Tip

For the exam, know both the protocols For the exam, know both the protocols numbers and ports required for PPTP andnumbers and ports required for PPTP andL2TP/IPSec.L2TP/IPSec.

SummarySummary

Case Scenario ExerciseCase Scenario Exercise– Page 9-74Page 9-74

Troubleshooting LabTroubleshooting Lab– Page 9-77Page 9-77

Exam HighlightsExam Highlights– Key PointsKey Points– Key TermsKey Terms

Page 9-78Page 9-78

routing with windows server 2003 chapter 9. objectives for this chapter manage routing and remote...

Documents

windows routing

remote access connections

network access server

chaptermanage routing

appletalk routing

remote authentication

note windows server

remote access policies