Chapter 11
Routing


Objectives

  • Configure Windows Server 2003 as a router

  • Create and configure demand-dial connections for routing

  • Configure Network Address Translation (NAT) for Internet connectivity

  • Install Internet Connection Sharing (ICS)

  • Configure Internet Connection Firewall (ICF)


Router Installation and Configuration

  • Windows Server 2003

    • Can be used as a router

    • Can perform routing for TCP/IP and AppleTalk

    • Does not support IPX/SPX for routing

  • Implementing Windows Server 2003 as a router

    • Main benefit is cost

    • Server must be connected to at least two networks


Router Installation and Configuration (Continued)

  • Internet Security and Acceleration Server (ISA)

    • Provides proxy services

  • Routing and Remote Access snap-in

    • Used to add routing


Enabling RRAS as a Router


Enabling IP Routing


Routing Tables

  • Routers

    • Make decisions about how to move packets from one network to another in the fastest way possible

  • Routing table

    • List of networks that are known to the router

    • Each entry contains

      • IP address of the network

      • Subnet mask of the network

      • Gateway used to reach the network

      • Router interface used to reach the gateway

      • Metric that measures how far away the network is


Routing Tables (Continued)

  • ROUTE PRINT command

    • Used to view routing table

  • Static routing

    • Entries that are added manually

    • Used when security is required

    • Addition of new network means routing table of each server must be changed

    • Risk of introducing an error each time a change is made
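A worked route lookup over a ROUTE PRINT-style table, added here as an example (not from the original slides): each entry carries the five fields the previous slide lists, and the lookup picks the most specific matching network, using the metric to break ties. The table contents and addresses are constructed.

```python
import ipaddress

# Constructed routing table in the column order ROUTE PRINT shows:
# network destination, netmask, gateway, interface, metric.
# Two default routes with different metrics show how metric breaks a tie.
ROUTE_TABLE = [
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.1",   "203.0.113.10", 20),
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.2",   "203.0.113.10", 30),
    ("10.0.0.0",    "255.0.0.0",     "192.168.1.254", "192.168.1.1",  2),
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.253", "192.168.1.1",  1),
    ("192.168.1.0", "255.255.255.0", "192.168.1.1",   "192.168.1.1",  1),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",     "127.0.0.1",    1),
]


def lookup(destination, table=ROUTE_TABLE):
    """Return (gateway, interface, metric) for the route a router would use
    to reach destination: the entry whose network contains the address with
    the longest subnet mask wins; equal masks are settled by the lower
    metric. Returns None when nothing matches, i.e. no default route exists."""
    dst = ipaddress.IPv4Address(destination)
    best_key, best_route = None, None
    for network, mask, gateway, iface, metric in table:
        net = ipaddress.IPv4Network((network, mask), strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)   # longer mask first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_route = key, (gateway, iface, metric)
    return best_route


if __name__ == "__main__":
    for ip in ("10.20.5.7", "10.9.9.9", "192.168.1.77", "8.8.8.8"):
        print(ip, "->", lookup(ip))
```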


Routing Tables (Continued)

  • Dynamic routing

    • Entries that are added automatically based on a routing protocol

    • Routers talk to each other to build their routing tables


Routing Protocols

  • Responsible for

    • Calculating best path from one network to another

    • Advertising routes for dynamic routing

  • Routing Information Protocol (RIP)

    • No configuration necessary under most circumstances

    • Hops

      • Number of routers through which the data must pass

    • Distance-vector routing

      • Path with the least number of hops


Routing Protocols (Continued)

  • Does not differentiate between different link speeds

  • Each RIP router sends a broadcast packet every 30 seconds

  • Open Shortest Path First (OSPF)

    • Determines the best path from one network to another based on cost

    • Not normally implemented on Windows routers

    • Each interface on a router is assigned a cost


Routing Protocols (Continued)

  • Routing table

    • Builds a picture of the entire network

  • When communicating with other routers

    • Only sends changes in its routing table

    • Changes sent only when they occur, not every 30 seconds


Configuring RIP

  • RIP properties

    • Can configure type of events to be logged

    • Can configure IP addresses from which router accepts updates

    • General tab

      • Periodic update mode removes entries from routing table if router that advertised them is disabled or unreachable

      • Auto static update mode adds RIP learned routes to the routing table as static entries


Configuring RIP (Continued)

  • RIP routers

    • Advertise routes learned from other routers, with the hop count incremented by 1

  • RIP properties

    • Security tab

      • Allows you to configure which incoming and outgoing routes are accepted on this interface

    • Neighbors tab

      • Used only if broadcasts and multicasts are limited on the network


Configuring RIP (Continued)

  • Advanced tab

    • Can adjust how often routing table announcements are sent

    • Can adjust how long entries in the routing table last before they expire

    • Can adjust how long after they expire before they are removed from the routing table

  • Split-horizon processing and poison-reverse processing

    • Used to prevent routing loops in the case of a router failure
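An added example (not from the slides or RRAS) simulating what the RIP slides above describe: a router installs neighbour-learned routes with the hop count incremented by 1, and when it advertises back toward the neighbour it learned a route from, split horizon with poison reverse sends that route with metric 16 (RIP's "unreachable"), so a network that has gone down cannot be re-learned in a loop. Router names and networks are constructed.

```python
INFINITY = 16  # RIP hop count that means "unreachable"


class RipRouter:
    """Toy distance-vector router (constructed for this example; not RRAS code)."""
    def __init__(self, name, connected):
        self.name = name
        # network -> (hops, learned_from); directly connected networks are
        # 1 hop away and were not learned from any neighbour
        self.routes = {net: (1, None) for net in connected}

    def advertisement(self, to_neighbor, split_horizon=True):
        """Routes announced to one neighbour. With split horizon and poison
        reverse, a route learned from that neighbour is still listed but with
        metric 16, so the neighbour can never pick us as a path back to it."""
        return {net: (INFINITY if split_horizon and via == to_neighbor else hops)
                for net, (hops, via) in self.routes.items()}

    def receive(self, from_neighbor, adv):
        """Install routes from a neighbour's update, adding 1 hop to each.
        A route is taken if it is new, shorter, or comes from the router we
        already use for it (so a poisoned route replaces the live one)."""
        changed = False
        for net, hops in adv.items():
            new_hops = min(hops + 1, INFINITY)
            cur = self.routes.get(net)
            if cur is None and new_hops >= INFINITY:
                continue  # never learn a route that is already dead
            if cur is None or new_hops < cur[0] or cur[1] == from_neighbor:
                if cur != (new_hops, from_neighbor):
                    self.routes[net] = (new_hops, from_neighbor)
                    changed = True
        return changed


def exchange(a, b):
    """One 30-second style update in each direction; True if any table changed."""
    changed = b.receive(a.name, a.advertisement(b.name))
    return a.receive(b.name, b.advertisement(a.name)) or changed


def demo():
    """Constructed topology: A attaches 10.1 and 10.2, B attaches 10.2 and 10.3."""
    a = RipRouter("A", ["10.1.0.0/16", "10.2.0.0/16"])
    b = RipRouter("B", ["10.2.0.0/16", "10.3.0.0/16"])
    while exchange(a, b):      # repeat until both tables converge
        pass
    return a, b
```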


Security Tab, RIP Interface Properties


Neighbors Tab, RIP Interface Properties


Advanced Tab, RIP Interface Properties


Demand-Dial Connections

  • Used to establish a connection between two routers when there is data to be sent

  • Demand-dial connections

    • Used to minimize the amount of phone time used on dial-up connections between routers

    • Can be used to initiate VPN connections between Windows routers

    • Can be created for Point-to-Point Protocol over Ethernet (PPPoE) connections

  • PPPoE

    • Used by many high-speed Internet providers to control access to their network

    • Authentication requires username and password


Creating Demand-Dial Connections

  • For a demand-dial connection to function properly

    • Server must be enabled to perform demand-dial routing

    • Port must be configured to allow demand-dial routing

    • Demand-dial interface must be created

  • Demand-dial Interface Wizard

    • Creates demand-dial connections


Enabling Demand-Dial Routing


Configuring a Port for Demand-Dial Routing


Interface Name, Demand-Dial Interface Wizard


Demand-Dial Interface Properties

  • Can be used to configure

    • Security settings

    • Idle timeout

  • Options tab

    • If “Persistent connection” option is chosen, servers are connected whenever RRAS is functional

    • If “Demand dial” option is chosen, you can set an idle timeout

  • Security tab

    • Provides standard security options available on a VPN connection

Options Tab, Demand-Dial Interface Properties


Dial-Out Hours

  • Controls when a demand-dial connection can be active

  • Typical configuration of dial-out hours

    • Allows a connection every few hours

    • Data is moved from one network to another in batches every few hours

  • If users are expected to access resources using the demand-dial connection at all times

    • Dial-out hours should be left at the default of 24 hours per day, seven days per week


Dial-Out Hours (Continued)


Demand-Dial Filters

  • Used to reduce amount of time a demand-dial connection is active

  • Control which types of network traffic trigger a demand-dial connection

  • Configuration is similar to a firewall rule

  • Can initiate a demand-dial connection

    • For specific traffic

    • For all traffic except that specified by a rule
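An added example (not from the slides) combining the dial-out hours and demand-dial filter logic above: a packet brings up the link only inside an allowed hour window, and only if it passes the filters in either "dial only for matched traffic" or "dial for all traffic except matched" mode. The schedules, filter rules and addresses are constructed.

```python
from datetime import datetime

# Constructed dial-out hours: weekday (0 = Monday) -> [(start_hour, end_hour)]
# windows in which the link may be active. ALWAYS is the default the slide
# describes (24 hours a day, seven days a week); BATCH_HOURS opens the link
# for one hour every six hours so data moves in batches.
ALWAYS = {day: [(0, 24)] for day in range(7)}
BATCH_HOURS = {day: [(2, 3), (8, 9), (14, 15), (20, 21)] for day in range(7)}

# Constructed demand-dial filters in the shape of a firewall rule:
# (protocol, destination address prefix, destination port or None for any).
FILTERS = [("tcp", "10.20.", 25), ("tcp", "10.20.", 445)]


def hours_allow(schedule, when):
    """True if the dial-out hours permit a connection at datetime `when`."""
    return any(start <= when.hour < end for start, end in schedule[when.weekday()])


def filter_matches(rule, proto, dst_ip, dst_port):
    r_proto, r_prefix, r_port = rule
    return proto == r_proto and dst_ip.startswith(r_prefix) and r_port in (None, dst_port)


def should_dial(proto, dst_ip, dst_port, when, schedule=ALWAYS, filters=FILTERS, mode="only"):
    """Decide whether a packet may bring up the demand-dial connection.
    mode="only":   dial only for traffic a filter matches
    mode="except": dial for all traffic except what a filter matches
    Dial-out hours are checked first; outside them the link never comes up."""
    if not hours_allow(schedule, when):
        return False
    matched = any(filter_matches(f, proto, dst_ip, dst_port) for f in filters)
    return matched if mode == "only" else not matched


def demo():
    """Constructed packets at Monday 08:30 and 09:30; returns the decisions."""
    t0830, t0930 = datetime(2024, 1, 8, 8, 30), datetime(2024, 1, 8, 9, 30)
    return {
        "smtp_default_hours": should_dial("tcp", "10.20.0.5", 25, t0830),
        "smtp_batch_0830":    should_dial("tcp", "10.20.0.5", 25, t0830, BATCH_HOURS),
        "smtp_batch_0930":    should_dial("tcp", "10.20.0.5", 25, t0930, BATCH_HOURS),
        "http_only_mode":     should_dial("tcp", "10.20.0.5", 80, t0830),
        "http_except_mode":   should_dial("tcp", "10.20.0.5", 80, t0830, mode="except"),
        "smtp_except_mode":   should_dial("tcp", "10.20.0.5", 25, t0830, mode="except"),
    }
```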


Demand-Dial Filters (Continued)


Adding a Demand-Dial Filter


Network Address Translation (NAT)

  • Uses a single Internet IP address to provide Internet access to all client computers

  • Included with Windows Server 2003

  • Address ranges reserved for internal use

    • 10.0.0.0 through 10.255.255.255

    • 172.16.0.0 through 172.31.255.255

    • 192.168.0.0 through 192.168.255.255


Network Address Translation (Continued)

  • Proxy server

    • If implemented, clients must be configured to use the proxy server

    • Provides caching to speed up Internet connectivity

  • Most NAT implementations are FTP aware and translate FTP packets properly


How NAT Works

  • Modifies IP headers of packets that are forwarded through a router

  • Builds a table to keep track of translations

  • Table lists

    • Original source IP address

    • Original source port number

    • New source port number

  • New source IP address

    • Always the external interface on the router

    • Does not need to be included in the table
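An added example (not from the slides or Windows NAT) of the translation table the slide describes: entries store only the original source IP, original source port and new source port, the external address is held once, and an inbound response is reverse-mapped by its destination port; it also checks the reserved private ranges from the earlier NAT slide. All addresses are constructed.

```python
import ipaddress

# The three ranges the NAT slide lists as reserved for internal use,
# written as prefixes (172.16.0.0/12 is 172.16.0.0 through 172.31.255.255).
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the internal-use ranges."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_RANGES)


class NatTable:
    """Translation table as the slide lists it: original source IP, original
    source port and new source port per entry. The new source IP is always
    the router's external interface, so it is held once, not per entry."""

    def __init__(self, external_ip, first_port=1025):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}    # (orig_ip, orig_port) -> new_port
        self.back = {}   # new_port -> (orig_ip, orig_port)

    def outbound(self, src_ip, src_port):
        """Rewrite an outgoing packet's source; reuse an existing mapping
        for the same internal socket so one session keeps one port."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return self.external_ip, self.out[key]

    def inbound(self, dst_port):
        """Reverse-translate a response arriving at the external address:
        returns (orig_ip, orig_port), or None when no mapping exists, in
        which case the packet has nowhere to go and is dropped."""
        return self.back.get(dst_port)
```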


Outgoing Request Through NAT


Incoming Response Through NAT


Installing NAT

  • NAT protocol

    • Automatically installed when RRAS is configured to be a router

  • NAT Interface properties

    • For proper NAT functionality

      • One interface must be configured as a public interface

      • At least one interface must be configured as a private interface

    • Basic firewall

      • Allows you to configure static packet filters


Installing NAT (Continued)

  • Services and Ports tab

    • Allows you to host services behind NAT but still allow access from the Internet

  • ICMP tab

    • Dictates the types of ICMP packets the interface responds to

  • Address Pool tab

    • Defines a range of IP addresses that are handed out to client computers


NAT/Basic Firewall Tab, NAT Interface Properties


Configuring NAT

  • NAT/Basic Firewall – Properties

    • General tab

      • Controls the level of logging that is performed

    • Translation tab

      • Configures how long mappings are kept in the NAT table

    • Address Assignment tab

      • Can configure NAT to act as a DHCP server

    • Name Resolution tab

      • Configures the NAT router to act as a DNS proxy

      • Settings on this tab need not be enabled if internal DNS servers exist


Translation Tab, NAT/Basic Firewall Properties


Name Resolution Tab, NAT/Basic Firewall Properties


Internet Connection Sharing (ICS)

  • Provides an automated way for a small office to connect to the Internet using Windows Server 2003 as a router

  • Automatically performs NAT

  • Configures network connections

  • Because NAT is used, server must have at least two network cards

  • Configuration used by ICS cannot be changed


Internet Connection Sharing (Continued)

  • The following changes are made

    • Internal network connection is configured with

      • IP address 192.168.0.1

      • Subnet mask 255.255.255.0

    • Autodial enabled for dial-up/VPN/PPPoE connections

    • Static route for default gateway enabled when dial-up/VPN/PPPoE connection is activated

    • The ICS service is started

    • DHCP allocator is configured to distribute IP addresses from 192.168.0.2 to 192.168.0.254

    • The DNS proxy is enabled


Enabling ICS


Internet Connection Sharing (Continued)

  • ICS server can only have one internal IP address

  • Network bridging

    • Allows interfaces to share a single IP address

  • Bridge

    • Controls network traffic based on MAC addresses

    • Allows computers on two different physical network segments to be on the same IP network

  • When network bridging is enabled

    • Choose multiple network cards in a server to act as a single IP network


Internet Connection Firewall

  • A stateful packet filter that can be used to protect any server running Windows Server 2003

  • Stateful firewall

    • Requires only one rule for outbound traffic

    • Keeps track of TCP connections that are created by internal clients

    • Automatically allows response packets to return


Internet Connection Firewall (Continued)

  • Enabling ICF

    • ICF is configured per connection

    • If ICF is enabled on a server that is not a router

      • Only that server is protected

    • If ICF is enabled on a router

      • All computers on the internal network are protected


Enabling ICF


Configuring ICF

  • When ICF is enabled

    • All incoming packets addressed to the server are dropped unless they are responses to connections the server initiated

  • Configuring services

    • Allows requests from the network to access services on the server running ICF

    • Services defined are the firewall rules for ICF
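A simplified model of the stateful behaviour the ICF slides describe, added as an example (not Windows ICF code): outbound TCP connections from the protected host are recorded, inbound packets are allowed only when they are responses to a recorded connection or match a defined service, and everything else is dropped and logged. Addresses and the service list are constructed.

```python
class StatefulFilter:
    """Toy model of ICF (constructed for this example; not Windows code)."""

    def __init__(self, services=()):
        self.services = set(services)  # (proto, port) opened under "Configuring services"
        self.state = set()             # (src, sport, dst, dport) of outbound TCP connections
        self.dropped = []              # constructed log of dropped inbound packets

    def outbound(self, proto, src, sport, dst, dport):
        """The one outbound rule: everything may leave; TCP flows are recorded."""
        if proto == "tcp":
            self.state.add((src, sport, dst, dport))
        return "allow"

    def inbound(self, proto, src, sport, dst, dport):
        """Allow a reply to a recorded connection or a request to a defined
        service; anything else addressed to the host is dropped and logged."""
        if proto == "tcp" and (dst, dport, src, sport) in self.state:
            return "allow"
        if (proto, dport) in self.services:
            return "allow"
        self.dropped.append((proto, src, sport, dst, dport))
        return "drop"


def demo():
    """Constructed traffic against a host that only publishes HTTP (tcp/80)."""
    fw = StatefulFilter(services=[("tcp", 80)])
    host, peer = "192.168.0.5", "198.51.100.7"
    fw.outbound("tcp", host, 50000, peer, 443)               # client opens HTTPS
    return fw, [
        fw.inbound("tcp", peer, 443, host, 50000),           # reply -> allow
        fw.inbound("tcp", peer, 443, host, 50001),           # no such flow -> drop
        fw.inbound("tcp", "198.51.100.9", 40000, host, 80),  # published -> allow
        fw.inbound("tcp", "198.51.100.9", 40000, host, 445), # not published -> drop
    ]
```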


Services Defined for ICF and ICS


ICMP Options for ICF


Logging Options for ICF


Summary

  • Windows Server 2003

    • Can be configured as a low-cost router for TCP/IP and AppleTalk

  • Static routing

    • Requires administrators to configure routing tables

  • Dynamic routing

    • Allows routers to communicate

    • Automatically builds routing tables

  • RIP

    • A distance-vector routing algorithm that calculates paths based on hops


Summary (Continued)

  • OSPF

    • A link-state routing algorithm that calculates paths based on a configurable metric called cost

  • Demand-dial connections

    • Activated when required

    • Require static routes

    • Can be configured with dial-out hours to limit the times they are active

  • NAT

    • Many computers can access the Internet using a single IP address

    • Modifies the IP headers of packets that are routed through the NAT router


Summary (Continued)

  • DHCP allocator and DNS proxy

    • Can be configured as part of NAT

  • ICS

    • Automated way to configure a router for NAT

    • Network bridging required if there is more than one internal interface

  • ICF

    • Is a stateful packet filter