Lesson 7: Configuring IP Routing (Part 2)

Upload: mahmmoud-mahdi

Post on 03-Apr-2018


  • 7/29/2019 Lesson 7: Configuring IP Routing (Part 2)

    1/39

    Mahmmoud A. Mahdi


    The Routing Information Protocol

    The important differences between RIPv1 and RIPv2:

    The primary, or most important, difference between versions 1 and 2 of RIP is that RIPv2 supports variable-length subnet masking (VLSM). VLSM helps preserve IP address space by enabling networks to be subdivided into smaller blocks based on need.

    RIPv2 supports simple (that is, plain text) username/password authentication, which is handy to prevent unwanted changes from cluttering your routing tables.

    RIPv2 routers add the ability to receive triggered updates. When you know that your network topology is changing, a trigger forces all the RIP routers you own to assimilate the changes immediately.

    Triggered updates are also useful because routers that detect a link or router failure can update their routing tables and announce the change, making their neighbors aware of it sooner rather than later.


    You can use the Routing And Remote Access snap-in to set up two kinds of filters that screen out some types of RIP updates:

    Route filters allow you to pick and choose the networks that you want to admit knowing about and for which you want to accept announcements.

    Peer filters give you control over the neighboring routers to which your router will listen.


    RIP has two operation modes:

    In periodic update mode, a RIP router sends out its list of known routes at periodic intervals (which you define).

    In autostatic update mode, the RRAS router broadcasts the contents of its routing table only when a remote router asks for it.

    One drawback to RIP in either version is that it causes the router to send its entire routing table with every update. This can generate a large amount of traffic and makes RIP inappropriate for many of today's networks.

    Another routing protocol, Open Shortest Path First, solves this problem by sending updates for only routes that have changed.


    Internal routing:

    Refers to routing that occurs within your internetwork. By contrast, border routing is what happens when packets leave your internetwork and go to another router someplace else.


    Filters are usually used to block out undesirable traffic.

    In general, the idea is to keep out packets that your machines don't need to see.

    You can construct filters that allow traffic into or deny traffic out of your network based on rules that specify source and destination addresses and ports.


    The basic idea behind packet filtering is simple:

    1. You specify filter rules.

    2. Incoming packets are measured against those rules.

    There are two types of filter rule:

    Accept all packets except those prohibited by a rule.

    Drop all packets except those permitted by a rule.


    The following are some examples of filters:

    Block all packets to a web server except those on TCP ports 80 and 443.

    Block all outgoing packets on the ports used by the MSN and AOL instant messaging tools.

    Filters on a PPTP or L2TP server can screen out everything except VPN traffic.


    You create and remove filters by using the Input Packet Filters and Output Packet Filters buttons on the General tab of the Local Area Network Properties dialog box.

    The mechanics of working with incoming and outbound filters are identical; just remember the following guidelines:

    You create inbound filters to screen traffic coming to the interface.

    You create outbound filters to screen traffic going back out through that interface.


    This dialog box has the following six parts:

    Receive All Packets Except Those That Meet The Criteria Below excludes the packets you specify and accepts everything else. This option is inactive until you create a filter rule.

    Drop All Packets Except Those That Meet The Criteria Below accepts only those packets you specify and excludes everything else. This option is inactive until you create a filter rule.

    The Filters list, which is initially empty, shows you which filters are defined on this interface. Each entry in the list shows the following:

        Source address and mask

        Destination address and mask

        Protocol, port, and traffic type specified in the rule

    The New, Edit, and Delete buttons allow you to add, edit, and remove filters.


    To create a filter that blocks packets by their origin or source address, check the Source Network box, and supply the IP address and subnet mask for the source you want to block.

    To create a filter that blocks packets according to their destination address, check the Destination Network box, and fill in the appropriate address and subnet mask.

    To filter by protocol, choose the protocol you want to block:

    Any, which blocks everything

    TCP

    TCP (Established)

    IP UDP

    ICMP

    Other, with a fill-in field for a protocol number


    Packet filters provide a useful security mechanism for blocking unwanted traffic on particular machines.

    It's a good idea to use packet filters to keep non-VPN traffic out of your VPN servers.


    You need at least two filters to adequately screen out non-PPTP traffic:

    The first filter allows traffic with a protocol ID of 47, the Generic Routing Encapsulation (GRE) protocol, to pass to the destination address of the PPTP interface.

    The second filter allows inbound traffic bound for TCP port 1723 (the PPTP port) to come to the PPTP interface.

    You can add a third filter if the PPTP server also works as a PPTP client; in that case, the third filter needs the interface's destination address, a protocol type of TCP (established), and a source port of 1723.


    1. Open the Routing And Remote Access snap-in by selecting Start \ Administrative Tools \ Routing And Remote Access. Expand the server and IPv4 nodes to expose the General node of the server on which you're working. Select the General node.

    2. Right-click the Local Area Connection interface, and choose Properties.

    3. In the General tab of the interface's Properties dialog box, click the Inbound Filters button. The Inbound Filters dialog box appears.

    4. Click the New button, and the Add IP Filter dialog box appears.

    5. Fill out the Add IP Filter dialog box as follows:

        Check the Destination Network check box.

        Fill in the destination IP address field with the IP address of the remote VPN interface. (For this exercise, we entered 192.168.1.254. You can use the same.)

        Enter a destination subnet mask of 255.255.255.255.

        Select a protocol type of TCP, and then specify a source port of 0 and a destination port of 1723.

        Click the OK button.


    6. The Inbound Filters dialog box reappears, listing the new filter you created in step 5.

        Add another new filter using the same IP address and subnet mask, but this time specify Other in the Protocol field and fill in a protocol number of 47.

        When you're done, click the OK button to return to the Inbound Filters dialog box.

    7. In the Inbound Filters dialog box, click the Drop All Packets Except Those That Meet The Criteria Below radio button, and click the OK button.

    8. Close the interface's Properties dialog box.
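
    The filter list built in this exercise, modelled in Python as an added example (it is not part of the original lesson and is not RRAS code). It shows why step 7 matters: the same two filters admit only PPTP traffic under "Drop All Packets Except", but block exactly that traffic under "Receive All Packets Except". The class names, the sample packets and the treatment of port 0 as "any port" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

TCP, GRE = 6, 47  # IP protocol numbers; 47 is the "Other" value from step 6

@dataclass(frozen=True)
class Packet:  # constructed sample traffic, not captured data
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Filter:  # one row of the Filters list (destination-based, as in step 5)
    dst_net: str
    dst_mask: str
    proto: int
    sport: int = 0  # assumption: 0 is treated as "any port"
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        mask = int(IPv4Address(self.dst_mask))
        same_net = (int(IPv4Address(p.dst)) & mask) == (int(IPv4Address(self.dst_net)) & mask)
        return (same_net and p.proto == self.proto
                and self.sport in (0, p.sport)
                and self.dport in (0, p.dport))

def admit(packet: Packet, filters: list, drop_all_except: bool) -> bool:
    """Apply the dialog's radio-button choice to the filter list."""
    hit = any(f.matches(packet) for f in filters)
    return hit if drop_all_except else not hit

VPN_IF = "192.168.1.254"  # address used in the exercise
PPTP_FILTERS = [
    Filter(VPN_IF, "255.255.255.255", TCP, sport=0, dport=1723),  # step 5
    Filter(VPN_IF, "255.255.255.255", GRE),                       # step 6
]
SAMPLES = {  # constructed packets arriving on the interface
    "pptp-control": Packet("203.0.113.10", VPN_IF, TCP, 50000, 1723),
    "gre-tunnel": Packet("203.0.113.10", VPN_IF, GRE),
    "rdp": Packet("203.0.113.10", VPN_IF, TCP, 50001, 3389),
    "other-host": Packet("203.0.113.10", "192.168.1.10", TCP, 50002, 1723),
}

def verdicts(drop_all_except: bool) -> dict:
    return {n: admit(p, PPTP_FILTERS, drop_all_except) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    print("Drop all except:   ", verdicts(True))
    print("Receive all except:", verdicts(False))
```

    In this model the 255.255.255.255 mask also means that inbound packets addressed to any other host are dropped on this interface once "Drop All Packets Except" is selected.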


    Four filters are required: two input filters and two output filters.

    Two input filters with a destination of the VPN interface address and a netmask of 255.255.255.255, filtering UDP:

        One with a source and destination port of 500

        The second with a source and destination port of 1701

    Two output filters with a source of the VPN interface address and a netmask of 255.255.255.255, filtering UDP:

        One with a source and destination port of 500

        The second with a source and destination port of 1701


    1. Open the Routing And Remote Access snap-in by selecting Start \ Administrative Tools \ Routing And Remote Access.

    2. Select the server whose status you want to monitor in the left pane of the MMC.

    3. Select the Network Interfaces node.

        Notice that the right pane of the MMC now lists all known interfaces along with their status and connection state.

    4. Select the General node beneath IPv4.

        Notice that the right pane of the MMC updates to show the IP interfaces, their IP addresses, their administrative and operational states, and whether IP filtering is enabled on each interface.

    5. Right-click the General node, and choose the Show TCP/IP Information command.

        Check the number of IP routes shown.

    6. Right-click the Static Routes node, and choose the Show IP Routing Table command.

        Note that the number of routes listed corresponds to the route count in the TCP/IP Information window and that some of the routes listed are automatically generated.


    IP multicasting works by sending to a single IP address a packet that is read by many hosts.

    Multicasting uses a special range of IP addresses, called the Class D address space, that is reserved exclusively for multicasting.

    Internet Group Management Protocol (IGMP) is used to exchange multicast group membership information between multicast-capable routers.


    You can configure RRAS in two modes:

    IGMP router mode

        Listens for IGMP membership report packets and tracks group membership.

        Must be attached to any interfaces that connect to multicast-configured hosts.

    IGMP proxy mode

        Essentially acts like a multicast host, except that it forwards IGMP membership report packets to an IGMP router.

        This provides a list of multicast-enabled hosts to an upstream router that normally wouldn't be aware of the hosts.

        Typically, it is used on single-router networks connected to the Internet.


    IP-in-IP interfaces (or IP-in-IP tunnels)

    You may need to send multicast traffic across non-multicast-compatible routers.

    An IP-in-IP interface actually encapsulates packets with an additional IP header.

    You create and manage IP-in-IP interfaces in RRAS the same way you configure other interfaces.


    Lesson 1


    What Are Static and Dynamic Routing?

    How the IP Protocol Selects a Route

    Demonstration: Viewing a Routing Table

    Troubleshooting Routing


    Statically configured routers:

        Do not automatically discover the IDs of remote networks.

        Do not exchange information with other routers.

        Are not fault tolerant.

    Dynamically configured routers:

        Discover the IDs of remote networks automatically.

        Use a routing protocol to exchange information with other routers.

        Can be fault tolerant.


    Lesson 2


    RRAS Routing Roles

    Routing Protocols

    Configuration Options for an Interface

    Information Available for an Interface

    Demonstration: Configuring RRAS as a LAN Router


    Routing roles include:

    | Routing role | Description |
    |---|---|
    | LAN router | Can route IPv4 and IPv6 packets between network segments. |
    | Demand-dial | Automatically create a connection to a remote location by using dial-up networking or a VPN connection. |
    | NAT | Perform NAT and allow computers to access the internet by sharing a single internet addressable IPv4 address. |


    Routing protocols include:

    | Routing Protocol | Description |
    |---|---|
    | DHCP Relay Agent | Allows a RRAS server to relay DHCP requests to a DHCP server on a remote network. |
    | IGMP Router Proxy | Allows a RRAS server to act as an IGMP router or proxy for multicast traffic. |
    | NAT | Allows a RRAS server to act as a NAT router to share a single IPv4 address. |
    | RIP Version 2 for Internet Protocol | Allows a RRAS router to perform dynamic routing with other RIP routers. |
    | DHCPv6 Relay Agent | Allows a RRAS server to relay DHCP requests to a DHCPv6 server on a remote network. |


    Interface configuration options include:

    | Configuration Option | Description |
    |---|---|
    | IP Router Manager | Enables or disables TCP/IP for the interface. |
    | Router Discovery Advertisements | Clients use router discovery advertisements to dynamically discover default gateways. |
    | Inbound/Outbound filters | Filters similar to Windows Firewall. |
    | Fragmentation checking | Specifies whether filtering is performed on packet fragments. |
    | Multicast boundaries | Configures time to live for multicast traffic. |
    | Multicast heartbeat detection | Used to confirm that multicast infrastructure is functioning properly. |


    Available interface information includes:

    | Interface information | Description |
    |---|---|
    | TCP/IP Information | Statistics such as number of packets sent and received. |
    | Address Translations | Translations from IP address to physical address. |
    | IP Addresses | IP addresses that are bound to this computer. |
    | IP Routing Table | Host and network routes in the routing table of this computer. |
    | TCP connections | Active connections and listening TCP ports. |
    | UDP listener ports | A list of UDP ports listening to accept UDP packets. |


    | Tool | Use for | Where to find it |
    |---|---|---|
    | Routing and Remote Access | Configuring Routing and Remote Access as a router, VPN server, dial-up server, or RADIUS client. | Administrative Tools, Computer Management |
    | Route | Views and modifies the routing table. | Command prompt |
    | Ping | Verifying host availability and reachability. | Command prompt |
    | Tracert | Use to verify router status on a network path. | Command prompt |
    | Pathping | Use to verify router status on a network path. | Command prompt |
    | Group Policy Management Console | Edit group policy objects. Create QoS policies. | Administrative Tools |


    Contact Me: [email protected]