Hands-On Microsoft Windows Server 2003 Networking Chapter 11 Routing


Hands-On Microsoft Windows Server 2003

Networking

Chapter 11

Routing

2

Objectives

• Configure Windows Server 2003 as a router
• Create and configure demand-dial connections for routing
• Configure Network Address Translation (NAT) for Internet connectivity
• Install Internet Connection Sharing (ICS)
• Configure Internet Connection Firewall (ICF)

3

Router Installation and Configuration

• Windows Server 2003
  – Can be used as a router
  – Can perform routing for TCP/IP and AppleTalk
  – Does not support IPX/SPX for routing
• Implementing Windows Server 2003 as a router
  – Main benefit is cost
  – Server must be connected to at least two networks

4

Router Installation and Configuration (Continued)

• Internet Security and Acceleration Server (ISA)
  – Provides proxy services
• Routing and Remote Access snap-in
  – Used to add routing

5

Enabling RRAS as a Router

6

Enabling IP Routing

7

Routing Tables

• Routers
  – Make decisions about how to move packets from one network to another in the fastest way possible
• Routing table
  – List of networks that are known to the router
  – Each entry contains
    • IP address of the network
    • Subnet mask of the network
    • Gateway used to reach the network
    • Router interface used to reach the gateway
    • Metric that measures how far away the network is

8

Routing Tables (Continued)

• ROUTE PRINT command
  – Used to view routing table
• Static routing
  – Entries that are added manually
  – Used when security is required
  – Addition of new network means routing table of each server must be changed
  – Risk of error each time a change is made
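The entry fields listed above (network, mask, gateway, interface, metric) are what a router matches a destination address against. The following Python is an added example, not code from the textbook: it parses a constructed table laid out like the IPv4 section of ROUTE PRINT (the addresses and metrics are invented), picks the route a router would use (longest matching prefix, then lowest metric), and builds the Windows `route -p add` command line for a static entry. The sample table and the helper names are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample laid out like the IPv4 section of ROUTE PRINT on
# Windows Server 2003; addresses and metrics are invented for this example.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         10.0.0.0        255.0.0.0      192.168.2.1    192.168.2.10      10
         10.1.0.0      255.255.0.0      192.168.2.2    192.168.2.10      10
         10.1.0.0      255.255.0.0      192.168.2.3    192.168.2.10      30
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
      192.168.2.0    255.255.255.0     192.168.2.10    192.168.2.10      20
"""

# One routing-table entry with the five fields the slide lists.
Route = namedtuple("Route", "network gateway interface metric")


def parse_route_table(text):
    """Parse ROUTE PRINT-style lines into Route entries, skipping the header."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0][0].isdigit():
            continue  # header or blank line
        dest, mask, gateway, interface, metric = fields
        # strict=False tolerates host bits set in the destination column
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def lookup(routes, destination):
    """Pick the route a router would use: longest prefix first, then lowest metric.

    Returns None when nothing matches, i.e. there is not even a default route.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def route_add_command(destination, mask, gateway, metric, persistent=True):
    """Build the Windows 'route add' command line for a static entry.

    The -p switch makes the route survive a reboot; without it the manual
    entry is lost the next time the server restarts.
    """
    flag = "-p " if persistent else ""
    return f"route {flag}add {destination} mask {mask} {gateway} metric {metric}"


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_PRINT)
    for dest in ("10.1.5.5", "10.2.0.1", "8.8.8.8"):
        r = lookup(table, dest)
        print(f"{dest:>12} -> gateway {r.gateway} via {r.interface} (metric {r.metric})")
    print(route_add_command("10.1.0.0", "255.255.0.0", "192.168.2.2", 10))
```

Note that 10.1.5.5 is carried by the /16 entry with metric 10 even though the /8 entry also matches: prefix length decides before metric does, and metric only breaks ties between equally specific entries.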

9

Routing Tables (Continued)

• Dynamic routing
  – Entries that are added automatically based on a routing protocol
  – Routers talk to each other to build their routing tables

10

Routing Protocols

• Responsible for
  – Calculating best path from one network to another
  – Advertising routes for dynamic routing
• Routing Information Protocol (RIP)
  – No configuration necessary under most circumstances
  – Hops
    • Number of routers through which the data must pass
  – Distance-vector routing
    • Path with the least number of hops

11

Routing Protocols (Continued)

  – Does not differentiate between different link speeds
  – Each RIP router sends broadcast packet every 30 seconds
• Open Shortest Path First (OSPF)
  – Determines the best path from one network to another based on cost
  – Not normally implemented on Windows routers
  – Each interface on a router is assigned a cost

12

Routing Protocols (Continued)

  – Routing table
    • Builds a picture of the entire network
  – When communicating with other routers
    • Only sends changes in its routing table
    • Changes sent only when they occur, not every 30 seconds

13

Configuring RIP

• RIP properties
  – Can configure type of events to be logged
  – Can configure IP addresses from which router accepts updates
  – General tab
    • Periodic update mode removes entries from routing table if router that advertised them is disabled or unreachable
    • Auto static update mode adds RIP learned routes to the routing table as static entries

14

Configuring RIP (Continued)

• RIP routers
  – Advertise routes learnt from other routers then increment number of hops by 1
• RIP properties
  – Security tab
    • Allows you to configure which incoming and outgoing routes are accepted on this interface
  – Neighbors tab
    • Used only if broadcasts and multicasts are limited on the network

15

Configuring RIP (Continued)

  – Advanced tab
    • Can adjust how often routing table announcements are sent
    • Can adjust how long entries in the routing table last before they expire
    • Can adjust how long after they expire before they are removed from the routing table
• Split-horizon processing and poison-reverse processing
  – Used to prevent routing loops in the case of a router failure
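The slides state that RIP increments the hop count by 1 per router and that split horizon with poison reverse prevents routing loops after a router failure, but not how the loop arises. The following Python simulation is an added example, not code from the textbook or from Windows: three routers A, B and C in a line, with a network NET attached to C, exchange distance-vector tables until they converge, then C fails. Run without poison reverse, A and B count each other up to 16 (RIP's "unreachable"); with poison reverse, A tells B that its route to NET runs through B and the bogus detour is never taken. The topology, the router names and the round ordering are assumptions of this example.

```python
INFINITY = 16  # RIP treats a hop count of 16 as "unreachable"


class RipRouter:
    """A minimal distance-vector router: one table of dest -> (next_hop, hops)."""

    def __init__(self, name, neighbors, connected):
        self.name = name
        self.neighbors = list(neighbors)
        # A directly connected network counts as 1 hop and has no next hop.
        self.table = {net: (None, 1) for net in connected}

    def advertisement_for(self, neighbor, poison_reverse):
        """Routes this router tells one neighbor about.

        With poison reverse, a route learned *from* that neighbor is advertised
        back to it as unreachable, so the neighbor can never pick us as a
        detour to a network it told us about in the first place.
        """
        adv = {}
        for dest, (next_hop, hops) in self.table.items():
            adv[dest] = INFINITY if (poison_reverse and next_hop == neighbor) else hops
        return adv

    def receive(self, sender, adv):
        """Apply one neighbor's advertisement; return True if the table changed."""
        changed = False
        for dest, hops in adv.items():
            new_hops = min(hops + 1, INFINITY)  # add one hop for the link to sender
            current = self.table.get(dest)
            if current is None:
                if new_hops < INFINITY:
                    self.table[dest] = (sender, new_hops)
                    changed = True
            elif current[0] == sender:
                # The router we already use reports a new cost: believe it, even if worse.
                if current[1] != new_hops:
                    self.table[dest] = (sender, new_hops)
                    changed = True
            elif new_hops < current[1]:
                self.table[dest] = (sender, new_hops)
                changed = True
        return changed

    def neighbor_down(self, neighbor):
        """Link failure: every route through that neighbor becomes unreachable."""
        self.neighbors.remove(neighbor)
        for dest, (next_hop, hops) in list(self.table.items()):
            if next_hop == neighbor:
                self.table[dest] = (neighbor, INFINITY)


def exchange_round(routers, poison_reverse):
    """Every router advertises to every live neighbor; True if any table changed."""
    changed = False
    for router in routers.values():
        for name in router.neighbors:
            adv = router.advertisement_for(name, poison_reverse)
            changed |= routers[name].receive(router.name, adv)
    return changed


def simulate(poison_reverse, max_rounds=20):
    """Constructed topology A -- B -- C with network NET on C; then C fails."""
    routers = {
        "A": RipRouter("A", ["B"], []),
        "B": RipRouter("B", ["A", "C"], []),
        "C": RipRouter("C", ["B"], ["NET"]),
    }
    while exchange_round(routers, poison_reverse):
        pass
    before = {n: r.table["NET"][1] for n, r in routers.items()}

    # Router C dies: B notices the lost link; A, two hops away, does not.
    del routers["C"]
    routers["B"].neighbor_down("C")
    rounds_changed = 0
    for _ in range(max_rounds):
        if not exchange_round(routers, poison_reverse):
            break
        rounds_changed += 1
    after = {n: r.table["NET"][1] for n, r in routers.items()}
    return {"before_failure": before, "after_failure": after,
            "rounds_until_stable": rounds_changed}


if __name__ == "__main__":
    print("plain RIP:     ", simulate(poison_reverse=False))
    print("poison reverse:", simulate(poison_reverse=True))
```

Both runs end with NET unreachable at A and B, which is the correct answer once C is gone; the difference is that plain RIP needs seven exchange rounds of ever-growing hop counts (and, with 30-second updates, several minutes of forwarding into a black hole) to get there, while poison reverse settles in one round.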

16

Security Tab, RIP Interface Properties

17

Neighbors tab, RIP Interface Properties

18

Advanced tab, RIP interface properties

19

Demand-Dial Connections

• Used to establish a connection between two routers when there is data to be sent
• Demand-dial connections
  – Used to minimize the amount of phone time used on dial-up connections between routers
  – Can be used to initiate VPN connections between Windows routers
  – Can be created for Point-to-Point Protocol over Ethernet (PPPoE) connections
• PPPoE
  – Used by many high-speed Internet providers to control access to their network
  – Authentication requires username and password

20

Creating Demand-dial Connections

• For demand-dial connection to function properly
  – Server must be enabled to perform demand-dial routing
  – Port must be configured to allow demand-dial routing
  – Demand-dial interface must be created
• Demand-dial Interface Wizard
  – Creates demand-dial connections

21

Enabling demand-dial routing

22

Configuring a Port for Demand-dial Routing

23

Interface Name, Demand-Dial Interface Wizard

24

Demand-dial Interface Properties

• Can be used to configure
  – Security settings
  – Idle timeout
• Options tab
  – If “Persistent connection” option is chosen, servers are connected whenever RRAS is functional
  – If “Demand dial” option is chosen, you can set an idle timeout
• Security tab
  – Provides standard security options available on a VPN connection

25

Options tab, demand-dial interface properties

26

Dial-out Hours

• Controls when a demand-dial connection can be active
• Typical configuration of dial-out hours
  – Allows a connection every few hours
  – Data is moved from one network to another in batches every few hours
• If users are expected to access resources using the demand-dial connection at all times
  – Dial-out hours should be left at the default of 24 hours per day, seven days per week

27

Dial-out Hours (Continued)

28

Demand-dial Filters

• Used to reduce amount of time a demand-dial connection is active
• Control which types of network traffic trigger a demand-dial connection
• Configuration is similar to a firewall rule
• Can initiate a demand-dial connection
  – For specific traffic
  – For all traffic except that specified by a rule

29

Demand-dial filters (Continued)

30

Adding a demand-dial filter

31

Network Address Translation (NAT)

• Uses a single Internet IP address to provide Internet access to all client computers
• Included with Windows Server 2003
• Address ranges reserved for internal use
  – 10.0.0.0 through 10.255.255.255
  – 172.16.0.0 through 172.31.255.255
  – 192.168.0.0 through 192.168.255.255

32

Network Address Translation (Continued)

• Proxy server
  – If implemented, clients must be configured to use the proxy server
  – Provides caching to speed up Internet connectivity
• Most implementations are FTP aware and translate FTP packets properly

33

How NAT Works

• Modifies IP headers of packets that are forwarded through a router
• Builds a table to keep track of translations
• Table lists
  – Original source IP address
  – Original source port number
  – New source port number
• New source IP address
  – Always the external interface on the router
  – Does not need to be included in the table

34

Outgoing request through NAT

35

Incoming response through NAT

36

Installing NAT

• NAT protocol
  – Automatically installed when RRAS is configured to be a router
• NAT Interface properties
  – For proper NAT functionality
    • One interface must be configured as a public interface
    • At least one interface must be configured as private interface
  – Basic firewall
    • Allows you to configure static packet filters

37

Installing NAT (Continued)

  – Services and Ports tab
    • Allows you to host services behind NAT but still allow access from Internet
  – ICMP tab
    • Dictates the types of ICMP packets the interface responds to
  – Address Pool tab
    • Defines a range of IP addresses that are handed out to client computers
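The "How NAT Works" slide describes the translation table (original source IP, original source port, new source port; the new source IP is always the public interface) and the Services and Ports tab above describes publishing an internal server through that same table. The following Python is an added example, not code from the textbook or from the RRAS NAT implementation: it models the outgoing and incoming translations with exactly those fields, adds a static service mapping, and uses the three reserved address ranges from the NAT slide to refuse to translate a packet that is not from the private side. The `NatRouter` class, the packet dictionaries and all addresses and ports are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# The three ranges reserved for internal use (RFC 1918), as listed on the slide.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_private(ip):
    """True if the address may only be used inside the network, never on the Internet."""
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)


class NatRouter:
    """Port-based NAT keeping the table the slide describes.

    The table records (original source IP, original source port) against the
    new source port.  The new source IP is always the public interface, so it
    is not stored.  Packets are plain dicts with keys src, sport, dst, dport.
    """

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # new source port -> (original src ip, original src port)
        self.reverse = {}  # (original src ip, original src port) -> new source port

    def add_service(self, public_port, internal_ip, internal_port):
        """Services and Ports tab: publish an internal server on a fixed public port."""
        self.table[public_port] = (internal_ip, internal_port)
        self.reverse[(internal_ip, internal_port)] = public_port

    def translate_outbound(self, pkt):
        """Private client -> Internet: rewrite source IP/port and remember the mapping."""
        if not is_private(pkt["src"]):
            raise ValueError(f"{pkt['src']} is not on the private side")
        key = (pkt["src"], pkt["sport"])
        if key not in self.reverse:
            while self.next_port in self.table:  # skip ports taken by static services
                self.next_port += 1
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.reverse[key])

    def translate_inbound(self, pkt):
        """Internet -> router: map the destination port back, or drop if unknown."""
        entry = self.table.get(pkt["dport"]) if pkt["dst"] == self.public_ip else None
        if entry is None:
            return None  # no mapping: unsolicited traffic never reaches a private host
        internal_ip, internal_port = entry
        return dict(pkt, dst=internal_ip, dport=internal_port)


if __name__ == "__main__":
    # Constructed addresses: 198.51.100.7 is the public interface, 203.0.113.x are Internet hosts.
    nat = NatRouter("198.51.100.7")
    nat.add_service(80, "192.168.0.10", 8080)
    for client in ("192.168.0.2", "192.168.0.3"):
        out = nat.translate_outbound({"src": client, "sport": 1025, "dst": "203.0.113.5", "dport": 80})
        print("outgoing:", out)
    print("incoming:", nat.translate_inbound(
        {"src": "203.0.113.5", "sport": 80, "dst": "198.51.100.7", "dport": 49153}))
    print("table:", nat.table)
```

Two clients that both happen to use source port 1025 get different public ports, which is the whole reason the table keys on the new source port rather than the original one; a packet arriving for a port with no entry is dropped, which is the property the Basic Firewall and ICF slides build on.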

38

NAT/Basic Firewall tab, NAT interface properties

39

Configuring NAT

• NAT/Basic Firewall – Properties
  – General tab
    • Controls the level of logging that is performed
  – Translation tab
    • Configures how long mappings are kept in the NAT table
  – Address Assignment tab
    • Can configure NAT to act as a DHCP server
  – Name Resolution tab
    • Configures the NAT router to act as a DNS proxy
    • Settings on this tab need not be enabled if internal DNS servers exist

40

Translation Tab, NAT/Basic Firewall Properties

41

Name Resolution Tab, NAT/Basic Firewall Properties

42

Internet Connection Sharing (ICS)

• Provides automated way for a small office to connect to the Internet using Windows Server 2003 as a router
• Automatically performs NAT
• Configures network connections
• Because NAT is used, server must have at least two network cards
• Configuration used by ICS cannot be changed

43

Internet Connection Sharing (Continued)

• The following changes are made
  – Internal network connection is configured with
    • IP address 192.168.0.1
    • Subnet mask 255.255.255.0
  – Autodial enabled for dial-up/VPN/PPPoE connections
  – Static route for default gateway enabled when dial-up/VPN/PPPoE connection is activated
  – The ICS service is started
  – DHCP allocator is configured to distribute IP addresses from 192.168.0.2 to 192.168.0.254
  – The DNS proxy is enabled

44

Enabling ICS

45

Internet Connection Sharing (Continued)

• ICS server can only have one internal IP address
• Network bridging
  – Allows interfaces to share a single IP address
• Bridge
  – Controls network traffic based on MAC addresses
  – Allows computers on two different physical network segments to be on the same IP network
• When network bridging is enabled
  – Choose multiple network cards in a server to act as a single IP network

46

Internet Connection Firewall

• A stateful packet filter that can be used to protect any server running Windows Server 2003
• Stateful firewall
  – Requires only one rule for outbound traffic
  – Keeps track of TCP connections that are created by internal clients
  – Automatically allows response packets to return

47

Internet Connection Firewall (Continued)

• Enabling ICF
  – ICF is configured per connection
  – If ICF enabled on a server that is not a router
    • Only that server is protected
  – If ICF enabled on a router
    • All computers on internal network are protected

48

Enabling ICF

49

Configuring ICF

• When ICF is enabled
  – All unsolicited inbound packets addressed to server are dropped
• Configuring services
  – Allows requests from the network to access services on the server running ICF
  – Services defined are the firewall rules for ICF
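The Internet Connection Firewall slides describe three behaviours: one rule for all outbound traffic, tracking of TCP connections so that replies get back in, and defined services as the only other way inbound traffic is accepted. The following Python is an added example, not code from the textbook or from ICF itself: a small stateful filter applies those three rules to a constructed packet stream and records what the ICF log file would show for dropped packets. The class name, the packet dictionaries and every address and port are constructed for this example.

```python
class InternetConnectionFirewall:
    """Stateful packet filter modelled on the ICF behaviour described on the slides.

    One rule covers all outbound traffic.  Each outbound connection is recorded;
    an inbound packet is allowed only if it answers a recorded connection or
    matches a defined service.  Everything else is dropped and logged.
    Packets are dicts with keys proto, src, sport, dst, dport.
    """

    def __init__(self, services=()):
        self.services = set(services)  # (proto, port) pairs opened on the Services tab
        self.connections = set()       # (proto, local ip, local port, remote ip, remote port)
        self.dropped = []              # what the ICF log would record

    def filter(self, direction, pkt):
        """Return True to forward the packet, False to drop it."""
        if direction == "out":
            # Single outbound rule: allow, and remember the connection so replies can return.
            self.connections.add((pkt["proto"], pkt["src"], pkt["sport"],
                                  pkt["dst"], pkt["dport"]))
            return True
        # Inbound: does it answer something the protected host started?
        if (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.connections:
            return True
        # Or does it target a service the administrator deliberately defined?
        if (pkt["proto"], pkt["dport"]) in self.services:
            return True
        self.dropped.append(
            f"DROP {pkt['proto']} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
        return False


# Constructed packet stream, not captured traffic: 192.168.0.5 is the protected
# server, 203.0.113.x are Internet hosts.
SAMPLE_TRAFFIC = [
    ("out", {"proto": "tcp", "src": "192.168.0.5", "sport": 1030, "dst": "203.0.113.5", "dport": 80}),
    ("in",  {"proto": "tcp", "src": "203.0.113.5", "sport": 80, "dst": "192.168.0.5", "dport": 1030}),   # reply
    ("in",  {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.168.0.5", "dport": 445}), # unsolicited
    ("in",  {"proto": "tcp", "src": "203.0.113.9", "sport": 51001, "dst": "192.168.0.5", "dport": 443}), # defined service
    ("in",  {"proto": "tcp", "src": "203.0.113.5", "sport": 80, "dst": "192.168.0.5", "dport": 1031}),   # wrong local port
]


def run(traffic=SAMPLE_TRAFFIC, services=(("tcp", 443),)):
    """Filter a packet stream; return the per-packet decisions and the drop log."""
    fw = InternetConnectionFirewall(services)
    decisions = [fw.filter(direction, pkt) for direction, pkt in traffic]
    return decisions, fw.dropped


if __name__ == "__main__":
    decisions, log = run()
    for (direction, pkt), allowed in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{direction:>3} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}: "
              f"{'allow' if allowed else 'drop'}")
    print("log:", log)
```

The last packet shows why state is keyed on the full five-tuple: it comes from the same web server that was legitimately contacted, but to a local port the server never used, so it is treated as unsolicited and dropped just like the probe on port 445.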

50

Services Defined for ICF and ICS

51

ICMP Options for ICF

52

Logging Options for ICF

53

Summary

• Windows Server 2003
  – Can be configured as a low-cost router for TCP/IP and AppleTalk
• Static routing
  – Requires administrators to configure routing tables
• Dynamic routing
  – Allows routers to communicate
  – Automatically builds routing tables
• RIP
  – A distance-vector routing algorithm that calculates paths based on hops

54

Summary (Continued)

• OSPF
  – A link-state routing algorithm that calculates paths based on a configurable metric called cost
• Demand-dial connections
  – Activated when required
  – Requires static routes
  – Can be configured with dial-out hours to limit the times they are active
• NAT
  – Many computers can access the Internet using a single IP address
  – Modifies the IP headers of packets that are routed through the NAT router

55

Summary (Continued)

• DHCP allocator and DNS proxy
  – Can be configured as part of NAT
• ICS
  – Automated way to configure a router for NAT
  – Network bridging required if there is more than one internal interface
• ICF
  – Is a stateful packet filter