You should also provide a DHCP server at each location. When you have multiple DHCP servers on your network, use the 80/20 rule to balance the load on the subnet: 80 percent of the scope will be on the primary server, with 20 percent on the other server. The DHCP server must have an interface on each network for which it has a scope defined, or you must locate a DHCP relay server on the same subnet as the DHCP clients.

If you implement WINS, you will need to examine the quantity of data replicated between WINS servers and the cost of WINS reverse lookups from DNS servers. You should minimize the number of WINS servers you implement in order to minimize the impact of WINS replication traffic on your network. Use the Help and Support Center on Windows Server 2003 to see examples of performance statistics in a high-traffic environment to help you gauge your enterprise needs.

Planning Network Traffic Management

After you decide where to place your physical equipment, the users will begin accessing the services supplied by DHCP, DNS, and WINS. Other traffic comes from accessing the Internet, file sharing, and the many other network resources that will be used. You can estimate the amount of traffic at peak times by using some of the utilities provided with the operating system. The tools can be used to create baselines, identify the peak network usage areas, and identify the traffic sources.

You will also need to monitor network traffic and analyze the usage. You might be able to identify illicit network access from external sites, find Trojan horse viruses that generate broadcast storms, or just discover who is actually hogging all that Internet bandwidth. You can also determine whether your server-to-server traffic is managed well, or if it is necessary to modify the physical location of equipment.

Monitoring Network Traffic and Network Devices

Every network administrator should be familiar with two key utilities:

■ Network Monitor Allows you to capture data, identify the source, and analyze the content and format of the message.
■ System Monitor Allows you to monitor other resources and determine the performance of those resources.

Network Monitor should be run during low-usage times or for short intervals to minimize the performance impact of capturing all that data on your machine. It is also useful to identify the type of traffic you are concerned with and use the filters to capture only the data you need.

Using System Monitor

System Monitor is a Microsoft Management Console (MMC) snap-in tool that allows you to use counters to monitor the performance of hardware, applications, and operating system components on Windows Server 2003 machines.

756 Chapter 21 • Planning, Implementing, and Maintaining the TCP/IP Infrastructure 301_BD_W2k3_21.qxd 5/12/04 2:43 PM Page 756

System Monitor also allows you to view more than one log file at the same time, so you can compare baseline logs with the current data. The Performance Logs and Alerts service can gather data and store it in a Microsoft SQL Server database that can be viewed by System Monitor. You can also save portions of log files or SQL Server data to a new file. This can help save space, simplify comparisons of data, and reduce analysis time.

Determining Bandwidth Requirements

When you have captured performance statistics and viewed the network traffic during various times of the day, you can identify the different sources of traffic on your network. You will need to analyze how name resolution occurs, where the requests for name resolution initiate, and the server-to-server traffic when replicating the information. You will need to identify the following:

■ The slow connections and the quantity of data transmitted over those connections. This will help you to identify how often servers transmit replicated data to other servers.
■ The cost of one client obtaining information from these servers. You can then use that information to calculate the cost of many users.
■ Broadcast traffic, so that you can isolate it to certain networks. You will be able to identify areas where clients communicate heavily with other clients, such as file servers, and locate those resources on the same segment as the heavy users.

Optimizing Network Performance

TCP traffic uses a sliding window method of transmitting data. As data is successfully transmitted to the destination, the window slides over the remaining data and transmits the next packets of data. Window size is basically the maximum number of packets that can be sent without waiting for positive acknowledgment. If you transmit large amounts of TCP data, then larger TCP windows will improve TCP/IP performance. The maximum window size is limited to 64 kilobytes by default and is determined by the window size setting of the destination host machine. It is possible to increase the size of the TCP window dynamically on Windows Server 2003 to accommodate this by enabling large TCP window support. Client computers can be set to request large windows by editing their Registries. These are then called TCP1323Opts-enabled computers. The window size is negotiated during the TCP three-way handshake process. TCP1323 is a TCP extension defined in RFC 1323.

With Windows Server 2003, it is possible to disable NetBIOS encapsulation over TCP/IP (disable NetBT). This can significantly reduce the overhead of data transfer and eliminate the need for WINS and any other NetBIOS name resolution. It will also reduce the browse master traffic. The drawback to disabling NetBIOS encapsulation is that you can no longer browse network resources.
In addition, some applications depend on NetBIOS and will not work without it. If you are using NetBIOS name resolution, you should have WINS servers to allow for directed send requests for name resolution, rather than broadcasts for that information. WINS servers share data with each other on a regular interval. You might wish to reduce that traffic by modifying the replication intervals to increase the time between synchronizations. You should minimize the number of WINS servers used on your network. It is not necessary to have a WINS server on every LAN. The more WINS servers you implement, the more network traffic is generated due to WINS database replication.

The placement of other servers that provide network services is also important. DHCP servers must have an interface on the same segment as the clients that will use the DHCP server, or you must provide a means for DHCP requests to cross routers (such as a DHCP relay, or routers that allow DHCP and BOOTP requests). Place DNS servers on each LAN to minimize the amount of traffic generated when performing host name resolution. You can also designate which DNS servers can act as forwarders to control which machines can perform iterative DNS queries over the Internet.

Chapter 22
Planning, Implementing, and Maintaining a Routing Strategy

Chapter 22 759 301_BD_W2k3_22.qxd 5/12/04 3:47 PM Page 759

In this chapter:
■ Understanding IP Routing
■ Security Considerations for Routing
■ Troubleshooting IP Routing

Introduction

In the preceding chapter, you learned about the TCP/IP protocols and how to set up a TCP/IP infrastructure. One of the biggest advantages of TCP/IP as a network/transport protocol stack is its capability to route packets between different networks or subnets. Dealing with routing issues is an important part of the job of a Windows Server 2003 network administrator for a typical medium-to-large size network.

In this chapter, we first review the basics of IP routing, including the role of routing tables, static and dynamic routing, and routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). You’ll learn to use the Netsh commands related to routing, and then we’ll show you how to evaluate routing options. This includes selecting the proper connectivity devices, and we’ll discuss hubs, bridges, switches (Layer 2, 3, and 4 varieties), and routers. We’ll look at how you can use a Windows Server 2003 machine as a router and how to configure the Routing and Remote Access Service (RRAS) to do so.

Next, we look at security considerations related to routing. We’ll show you how to analyze requirements for routing components from a security-conscious point of view, and we’ll discuss methods of simplifying the network topology to provide fewer attack points. This includes minimizing the number of network interfaces, the number of routes, and the number of routing protocols. We will also discuss router-to-router virtual private networks (VPNs), packet filtering, firewalls, and logging levels.

Finally, we cover how to troubleshoot IP routing issues. We’ll identify troubleshooting tools and take a look at some common routing problems, including those related to interface configuration, RRAS configuration, routing protocols, TCP/IP configuration, and routing table configuration.

Understanding IP Routing Basics

Understanding the concepts concerning IP addressing is critical to understanding how IP routing works. A good understanding of IP addressing, and subsequently the art of subnetting, requires that you be comfortable with binary notation and math.
You already know that an IP address is a numeric identifier assigned to every machine on a network. This address tells where the device is located on the specific network. As a quick review, IP addresses are currently made up of 32 bits of information. These bits are divided into four sections (octets), each of which contains 1 byte (8 bits). You will see IP addresses specified in three basic formats:

■ Binary, such as 11000000.10101000.00000000.00000001
■ Dotted-decimal, such as 192.168.0.1
■ Hexadecimal, such as C0 A8 00 01

All three of these examples represent the same IP address. In reality, the computer can use only the binary version. The other two formats are provided because they are easier for people to understand and use.

There are three basic types of IP addresses:

■ Unicast addresses IP addresses assigned to a single network interface that is attached to the network. Unicast IP addresses are used for one-to-one communications between hosts.
■ Broadcast addresses IP addresses designed to be received and processed by every IP address located on a given network. They’re basically one-to-many communications.
■ Multicast addresses IP addresses where one or more IP nodes can listen in on the same network segment. Multicast IP addresses are also one-to-many communications.

Next, you should also understand the differences between routed and Network Address Translation (NAT) connections. NAT is the process of switching back and forth between the IP addresses used on an internal network, sometimes referred to as private addresses, and Internet IP addresses, sometimes known as public addresses. There are three address blocks set aside and defined as private address space:

■ 10.0.0.0 with a subnet mask of 255.0.0.0, or 10.0.0.0/8 This network is a private address space that has 24 host bits that can be used.
■ 172.16.0.0 with a subnet mask of 255.240.0.0, or 172.16.0.0/12 This network is a private address space that has 20 host bits that can be used. This provides a range of 16 class B network IDs from 172.16.0.0/16 through 172.31.0.0/16.
■ 192.168.0.0 with a subnet mask of 255.255.0.0, or 192.168.0.0/16 This network is a private address space that has 16 host bits that can be used. This provides a range of 256 class C network IDs from 192.168.0.0/24 through 192.168.255.0/24.

Remember that private and public spaces do not overlap. Machines on an intranet with a private IP address cannot directly connect to the Internet. Instead, they must be connected indirectly via either a proxy server or NAT. Essentially, all of the computers on your intranet are masquerading behind a single public IP address.

Routed connections require a single public IP address for each connection to the Internet. Using NAT allows you to connect multiple private addresses to a single public IP address. This is done by translating and modifying packets to reflect the changed addressing information. There are three basic components that make up NAT:

■ Translation This component maintains the NAT table for inbound and outbound connections.
■ Addressing This component is handled by a stripped-down version of a Dynamic Host Configuration Protocol (DHCP) server that assigns the IP address, subnet mask, default gateway, and IP address of the Domain Name System (DNS) server.
■ Name resolution This component forwards all name-resolution requests to the DNS server defined on the Internet-connected adapter, and then returns the reply. It can be thought of as a DNS proxy.

Keep in mind that NAT is not always the solution.
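The translation component described above can be modelled in a few lines. The Python below is an added example written for this page, not code from the book or from the Windows Server 2003 NAT service. It keeps an outbound map from private (address, port) pairs to ports on one public address, reverses that map for inbound replies, drops inbound packets for which no mapping exists, and records every mapping so that a public address and port observed on the Internet can still be attributed to the internal host that used it. The private-address check uses the three blocks listed above; the addresses 203.0.113.5 and 198.51.100.7 and the starting port 40000 are constructed sample values.

```python
"""Minimal model of the NAT translation component (added example for this page).

Not code from the book or from the Windows NAT service. Outbound packets from
private (RFC 1918) addresses are rewritten to one public address and a fresh
port; inbound replies are mapped back through the same table; inbound packets
with no mapping are dropped. Every mapping is logged for later attribution.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# The three private address blocks named in the text.
PRIVATE_BLOCKS = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True when ip falls inside one of the three private blocks."""
    addr = IPv4Address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatTable:
    public_ip: str                                  # the single public address (constructed)
    next_port: int = 40000                          # next unused public port (assumed start)
    outbound: dict = field(default_factory=dict)    # (private ip, port) -> public port
    inbound: dict = field(default_factory=dict)     # public port -> (private ip, port)
    log: list = field(default_factory=list)         # (private ip, port, public ip, public port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outbound packet; reuse an existing mapping if one exists."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address; nothing to translate")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
            self.log.append((pkt.src_ip, pkt.src_port, self.public_ip, port))
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an inbound packet, or return None if it is unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None  # no mapping: drop rather than guess an internal host
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])

    def attribute(self, public_port: int) -> Optional[tuple]:
        """Answer 'which internal host used this public port?' from the mapping log."""
        for priv_ip, priv_port, _, pub_port in self.log:
            if pub_port == public_port:
                return priv_ip, priv_port
        return None


if __name__ == "__main__":
    nat = NatTable(public_ip="203.0.113.5")  # constructed public address
    out = nat.translate_outbound(Packet("192.168.0.13", 51000, "198.51.100.7", 80))
    print("outbound rewritten to:", out)
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    print("reply delivered to:", reply)
    print("unsolicited inbound:", nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", 40999)))
    print("port 40000 belonged to:", nat.attribute(40000))
```

The mapping log is what makes the "source IP address is stripped away" problem tractable: without it, nothing on the public side can be traced back to an internal machine. Real NAT implementations also age mappings out, which this model omits.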
It is extremely limited when it comes to security. You cannot encrypt anything carrying, or derived from, an IP address. Tracking hackers and other problems is also extremely difficult, because the source IP address is stripped away in the NAT process. Another problem arises when you try to use NAT with large networks that have many hosts attempting to communicate with the Internet at the same time. The size of the mapping tables in this kind of environment is overwhelming and can cause performance problems. NAT is discussed in detail later, in Chapter 25, “Planning, Implementing and Maintaining Routing and Remote Access.”

Another basic concept related to IP routing is how the Internet Control Message Protocol (ICMP) works. ICMP is a maintenance protocol used to create and maintain routing tables. It supports router discovery and advertisements to hosts on a network. Very simply, it’s designed to pass control and status information between TCP/IP devices.

When a client computer starts up on your network, it usually has only a few entries in its routing table. When that host sends data out to a specific destination on a network, the host first checks its routing table to see if there is already an entry matching the destination’s IP address. If no match is found, the packet is sent to the default gateway. When the default gateway receives the packet, it will check to see if it has a matching entry in its routing table. If it does, it forwards the packet to the destination. At the same time, it sends an ICMP message back to the originating host, telling that host about the better route available. ICMP can also let hosts on a network know if a specific router is still active by sending out periodic messages with this kind of information.

Routing Tables

A routing table is basically a list, a huge list sometimes, that is used to direct traffic on a network. The table includes information about what other networks are reachable from a given network by providing the network address and subnet mask, as well as the metric, or cost, for that specific network route. Another way to think of it is as a database of routes to other locations.

The way this works is simple. When a packet arrives at the routing device (which could be a dedicated router or a Windows Server 2003 computer), the routing table is queried to discover the lowest-cost route to the intended destination. Sometimes, when there is no specific information concerning that network in the routing table, the packet will be forwarded to the default gateway, assuming that the default gateway will get the packet where it needs to go.

The level of detail, or the number of routes in the table, depends on whether the IP node is a host or a router. Usually, a host will have fewer entries in this table than a router has in its table. For instance, it would be normal to find an IP host configured with a default gateway. Creating a default route in the table allows for the effective summarization of all destinations. Routing tables on a router, on the other hand, will normally contain an entry for each and every reachable network on the IP network system.

Let’s turn our attention back to the table itself. Each of the rows in this list, or entries in this database, is commonly referred to as a route. There are three basic types of routes:

■ Host route A route to a specific IP address in the network. A host is a particular computer, or more specifically, an interface on a computer or device. In these cases, the network mask is always 255.255.255.255 (/32).
Host routes are typically used for custom routes to specific hosts. This helps in the optimization and control of a network.
■ Network ID route A route for classful, classless, subnet, and supernetted destinations. The network mask in these cases will be somewhere between 128.0.0.0 (/1) and 255.255.255.254 (/31).
■ Default route A route to all other destinations. This route is used when the routing table cannot find a host or network ID route that matches the destination in the packet’s header. The default route has a destination of 0.0.0.0 and a network mask of 0.0.0.0 (/0), and it is sometimes expressed as 0/0. All destinations not found in the routing table are simply forwarded to this destination, where the specific destination address will be found.

Each route in the routing table contains the necessary forwarding information for a range of destination IP addresses. This information includes two values for the destination IP address: the next-hop interface and the next-hop IP address. The next-hop interface is just a representation of the next physical or logical device over which the IP packet will be forwarded. The next-hop IP address is the IP address of the node to which the IP packet is being forwarded. In an indirect delivery, the next-hop IP address is the IP address of a directly reachable intermediate router to which the packet is being forwarded.

The routing table shown in Figure 22.1 (viewed from the Windows Server 2003 Routing and Remote Access utility) is for a computer running Windows Server 2003 Enterprise Edition with one 10MB network adapter, an IP address of 192.168.0.13, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1. Let’s look at the individual rows more closely:

■ The first row in the table, beginning with 0.0.0.0, is the default route.
■ The second and third rows, beginning with 127.0.0.0 and 127.0.0.1, are the loopback network.
■ The fourth row, beginning with 192.168.0.0, is the local network.
■ The fifth row, beginning with 192.168.0.13, is the local IP address.
■ The second-to-last row, beginning with 224.0.0.0, is the multicast address.
■ The final row, beginning with 255.255.255.255, is the limited broadcast address.

We’ll now turn our attention to the upkeep of these tables. You can perform the maintenance of the routing tables manually or automatically. If you do it manually, you’ll be using static routing. If you do it automatically, you’ll be using dynamic routing. Let’s take a closer look at these two concepts.

Static versus Dynamic Routing

Remember that the basic idea of routing is that each packet you find on your network has a source and a destination. That means that any device that receives the packet inspects the packet’s headers to determine where it came from and where it’s going. When the device has information about the network, such as how long it would take a packet to go from one point to another, that device can change the routing intelligently to improve the performance of the network.

Static routing uses manually configured routes. Here, there is no attempt to discover other routers or systems on a network. All entries in the routing table are entered by hand, and the routing table is used to get information to other networks. This type of routing works well with classless routing, because each route must be added with a network mask. It works well for small networks, but it doesn’t scale well. Static routes are often used to connect to the Internet. Static routing is, however, not fault tolerant.

Dynamic routing doesn’t depend on fixed, unchangeable routes to remote networks being added to the routing tables. In other words, you don’t need to enter the routes by hand. Dynamic routing uses routing protocols to maintain the routing tables.
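The route-selection rule from the Routing Tables discussion above (host, network ID and default routes, with the most specific matching mask deciding) can be exercised against the table of Figure 22.1. The Python below is an added example written for this page, not code from the book or from Windows; the rows are constructed from the description of Figure 22.1 (one adapter at 192.168.0.13/24, default gateway 192.168.0.1) and the metric values are assumed. It classifies each route by its mask, performs the longest-prefix lookup, and reports the next-hop interface and next-hop IP address, treating a gateway equal to the interface address as on-link (direct delivery).

```python
"""Longest-prefix-match lookup over a Windows-style IP routing table.

Added example for this page (not code from the book). The rows mirror the
description of Figure 22.1: one adapter at 192.168.0.13/24 with default
gateway 192.168.0.1. Metrics are assumed values.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    destination: str  # network destination
    netmask: str      # network mask
    gateway: str      # next-hop IP address (equal to interface when on-link)
    interface: str    # next-hop interface, identified by its IP address
    metric: int

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.destination}/{self.netmask}")

    @property
    def kind(self) -> str:
        """Classify by mask, as the text does: host (/32), default (/0), or network ID."""
        plen = self.network.prefixlen
        return "host" if plen == 32 else "default" if plen == 0 else "network"


# Constructed table, in the row order the text walks through.
ROUTING_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.13", 20),                 # default route (0/0)
    Route("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1", 1),                    # loopback network
    Route("127.0.0.1", "255.255.255.255", "127.0.0.1", "127.0.0.1", 1),              # loopback host
    Route("192.168.0.0", "255.255.255.0", "192.168.0.13", "192.168.0.13", 20),       # local network (on-link)
    Route("192.168.0.13", "255.255.255.255", "127.0.0.1", "127.0.0.1", 20),          # local IP address
    Route("224.0.0.0", "240.0.0.0", "192.168.0.13", "192.168.0.13", 20),             # multicast
    Route("255.255.255.255", "255.255.255.255", "192.168.0.13", "192.168.0.13", 1),  # limited broadcast
]


def lookup(table, dest: str) -> Optional[Route]:
    """Pick the matching route with the longest mask; the lowest metric breaks ties."""
    addr = IPv4Address(dest)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None  # no host, network ID or default route: destination unreachable
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def forward(table, dest: str) -> Optional[dict]:
    """Forwarding decision for dest: route kind, next-hop IP address and next-hop interface.

    When the gateway column equals the interface address the destination is
    on-link, so the packet is delivered directly and the next-hop IP is dest itself.
    """
    route = lookup(table, dest)
    if route is None:
        return None
    on_link = route.gateway == route.interface
    return {
        "kind": route.kind,
        "next_hop_ip": dest if on_link else route.gateway,
        "interface": route.interface,
        "on_link": on_link,
    }


if __name__ == "__main__":
    for dest in ("192.168.0.13", "192.168.0.77", "10.1.2.3", "239.1.1.1", "255.255.255.255"):
        print(dest, forward(ROUTING_TABLE, dest))
```

Note that the row order in the table plays no part in the decision; only mask length and then metric do. Removing the 0.0.0.0 row turns every off-subnet destination into an unreachable one, which is the behaviour a host without a default gateway shows.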
Dynamic routing allows for the discovery of the networks surrounding the router by finding and communicating with other nearby routers in the network. Routes are discovered using routing protocol traffic and are then added to or removed from IP routing tables as required. Dynamic routing can provide fault tolerance. When a route is unreachable, the route is removed from the routing table. Figure 22.2 shows a more complex network using dynamic routing.

Figure 22.1 IP Routing Table

Gateways

As you know, a gateway is a device that connects networks using different communication protocols in a way that allows information to pass from one network to the other. It both transfers and converts the information into a form that can be used by the protocols on the receiving network. In other words, a gateway is somewhat of a router. A router, by definition, is a device or computer that sends packets between two or more network segments as necessary, using logical network addresses, most often IP addresses. The default gateway is a router that connects your host to remote network segments. It’s the exit point for all the packets in your network that have destinations outside your network.

Routing Protocols

Router discovery enables new, or rebooted, routers to configure themselves automatically. The two major and most common dynamic-routing protocols are RIP and OSPF. Both of these protocols are supported by the Windows Server 2003 family. Both are interior gateway protocols (IGPs) that use routers to communicate (not to be confused with the proprietary Cisco IGRP). But before we discuss these two protocols, we need to explore how protocols make routing decisions. In general, routing protocols can use one of two different approaches to making routing decisions:

■ Distance vectors A distance-vector protocol makes its decision based on a measurement of the distance between the source and the destination addresses.
■ Link states A link-state protocol bases its decisions on various states of the links that connect the source and the destination addresses.

Figure 22.2 A More Complex Network Using Dynamic Routing

Distance-vector algorithms, also known as Bellman-Ford algorithms, periodically pass copies of their routing tables to their immediate network neighbors. The recipient adds what is called a distance vector, which is little more than a distance value, to the routing table it has just received, and then forwards it on to its immediate neighbors. The process results in each router learning about the other routers and thereby developing a cumulative table of network distances to other routers. This table is then used to update the router’s own routing table. Keep in mind that the only thing the router learns about is distance.

The main drawback to distance-vector routing is that it requires time for changes in a network to propagate across the network. This makes distance-vector routing inappropriate for larger, more complex networks. The advantages of distance-vector routing are its ease of configuration, use, and maintenance. As we will discuss shortly, RIP is the epitome of distance-vector routing.

Link-state routing algorithms are usually known collectively as shortest path first (SPF) protocols.
OSPF, which will be discussed shortly, is an example of this protocol group. These protocols maintain a complex database that describes the network’s topology. Link-state protocols develop and maintain extensive information concerning the network’s routers and how they interconnect. They do this by exchanging link-state advertisements (LSAs) with each other. Any change in the network will trigger the exchange of LSAs. Each router then constructs an extensive database using these received LSAs, so it can compute different routes and determine how reachable the networked destinations really are. This information is then used to update the routing table. Component failures and growth of the network are easily documented.

The main drawbacks to using link-state protocols involve the heavy use of bandwidth, memory, and processor time. Especially during the initial discovery process, link-state protocols flood the network with messages, thereby lowering the overall network efficiency. Also, overall, link-state protocols require more memory and higher processor speeds than distance-vector protocols need for efficient operation.

The main advantage of link-state protocols comes into play with large and complicated networks. A well-designed network will be more able to withstand the effects of unexpected changes using link-state protocols. The overhead of the frequent, time-driven updates required for distance-vector protocols can be avoided. Networks using a link-state protocol are also more scalable. For most large networks, the advantages of using link-state protocols will outweigh the disadvantages.

RIP

RIP is simple and easy to configure and is used widely in small and medium-sized networks. RIP is an IGP used to route data within autonomous networks. RIP does have performance limitations, however, that restrict its usefulness on medium-sized to large networks.

RIP is a distance-vector routing protocol. This means it distributes routing information in the form of a network ID and the number of hops (or the distance) to the destination. RIP has a maximum distance of 15 hops. Anything over that is considered unreachable. There are two versions of RIP: version 1, described in RFC 1058, and version 2, described in RFC 1723. Windows Server 2003 supports both RIP versions. RIP version 1 is a class-based routing protocol. Only the network ID is announced here. RIP version 2 is a classless routing protocol. This version includes both a network ID and a subnet mask in its announcement. It also provides more information, allowing for both authentication and a measure of security.
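The distance-vector mechanics described earlier (each router periodically announces its table to its immediate neighbors, the recipient adds one hop and keeps only better routes) together with RIP’s 15-hop limit can be made concrete with a small simulation. The Python below is an added example written for this page; it is not RIP’s wire format and not code from the book. The topology is constructed: routers R0 through R17 in a line, each with one stub network named net0 through net17. A metric of 16 stands for RIP’s “unreachable”, so from R0 the network net15 is learned at 15 hops while net16 and net17 never appear in its table, and convergence takes one exchange round per hop plus one quiet round.

```python
"""Distance-vector (Bellman-Ford) route exchange with RIP's 15-hop limit.

Added example for this page (not code from the book and not RIP's wire
protocol). Each round, every router announces its table to its immediate
neighbours; a neighbour adds one hop and installs the entry only if it is
better than what it already holds and still within the 15-hop limit.
"""
INFINITY = 16  # RIP metric meaning "unreachable": anything beyond 15 hops


def build_chain(n):
    """Constructed topology: routers R0..R(n-1) in a line, each with one stub network net<i>."""
    links = {f"R{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].add(f"R{i + 1}")
        links[f"R{i + 1}"].add(f"R{i}")
    attached = {f"R{i}": [f"net{i}"] for i in range(n)}
    return links, attached


def distance_vector(links, attached, max_rounds=100):
    """Run synchronous periodic exchanges until no table changes.

    Returns (tables, rounds) where tables[router][network] == (hops, next_hop).
    Directly attached networks have 0 hops and no next hop.
    """
    tables = {r: {net: (0, None) for net in attached.get(r, [])} for r in links}
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        # Announcements in this round carry the tables as they stood after the last round.
        announced = {r: dict(tables[r]) for r in links}
        changed = False
        for sender, neighbours in links.items():
            for nb in neighbours:
                for net, (hops, _) in announced[sender].items():
                    candidate = hops + 1
                    if candidate >= INFINITY:
                        continue  # too far: never install an unreachable route
                    current = tables[nb].get(net, (INFINITY, None))[0]
                    if candidate < current:
                        tables[nb][net] = (candidate, sender)
                        changed = True
        if not changed:
            break  # converged: a full round produced no updates
    return tables, rounds


def hops_to(tables, router, net):
    """Hop count from router to net, or INFINITY when the network is unreachable."""
    return tables[router].get(net, (INFINITY, None))[0]


def next_hop(tables, router, net):
    """Next-hop router for net, or None when directly attached or unreachable."""
    return tables[router].get(net, (INFINITY, None))[1]


if __name__ == "__main__":
    tables, rounds = distance_vector(*build_chain(18))
    print(f"converged after {rounds} rounds")
    for net in ("net1", "net15", "net16", "net17"):
        h = hops_to(tables, "R0", net)
        if h >= INFINITY:
            print(f"R0 -> {net}: unreachable")
        else:
            print(f"R0 -> {net}: {h} hops via {next_hop(tables, 'R0', net)}")
```

The round count is the propagation delay the text warns about: every additional hop costs another announcement interval before distant routers learn of a change, which is why distance-vector routing suits small and medium-sized networks and not large ones.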