Document information: 97 pages, 2.17 MB.
Lesson 1: Configuring Routing CHAPTER 2 69

Layer 2 and Layer 3 Addresses

The destination IP address (a Layer 3 address) of a packet never changes; it is always set to the IP address of the target computer. To forward packets to a router without changing the destination IP address, computers use the media access control (MAC) address (a Layer 2 address). Therefore, as the packet is forwarded between networks, the source and destination IP addresses never change. However, the source and destination MAC addresses are rewritten for every network between the client and server.

Configuring Static Routing with Routing and Remote Access

After installing the Network Policy and Access Services server role, you can view the IP routing table by right-clicking Roles\Network Policy and Access Services\Routing And Remote Access\IPv4\Static Routes and then selecting Show IP Routing Table. Routing And Remote Access displays the static routing table (which does not include any dynamic routes added from RIP). You install the Network Policy and Access Services server role and view the IP route table in the practice session later in this lesson.

Using Routing Information Protocol

Static route table configuration is efficient if your network contains only a few (typically five or fewer) routers and the network configuration does not change frequently. For larger (but not very large) networks, typically containing up to 15 routers, or for networks in which the network topology is liable to change (for example, a dynamic corporate network used by a small but rapidly expanding organization), the use of a routing protocol is indicated. The Microsoft software-based routing solution is not appropriate for large, complex networks in which hardware routers or Layer 3 switches might be used. Consequently, Windows Server 2008 supports Routing Information Protocol (RIP), which is designed for exchanging routing information within a small to medium-size network.
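As an added example that is not part of the training kit, the following Python models the static route table described above; each entry carries the same fields as the RRAS IPv4 Static Route dialog (interface, destination, network mask, gateway, metric), and the lookup shows which gateway a packet is forwarded to. All routes and addresses in it are constructed.

```python
"""Static route selection (added example, not from the training kit).

Each entry carries the fields of the RRAS IPv4 Static Route dialog:
interface, destination, network mask, gateway, metric. The routes and
addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    destination: str   # network ID, e.g. "10.0.1.0"
    mask: str          # subnet mask, e.g. "255.255.255.0"
    gateway: str       # next-hop router on a directly connected subnet
    metric: int = 1

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts dotted-mask notation, just as the dialog does
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}")


def select_route(table, dst_ip):
    """Return the entry used to forward a packet for dst_ip, or None.

    The most specific (longest) prefix wins; among equal prefixes the lowest
    metric wins, which is why preferred gateways get lower metrics. The
    packet's destination IP is never rewritten; only the next hop changes.
    """
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hops(table, dst_ips):
    """Map each destination to the gateway chosen for it."""
    result = {}
    for ip in dst_ips:
        route = select_route(table, ip)
        result[ip] = route.gateway if route else "unreachable"
    return result


def without_gateway(table, gateway):
    """Table after every route through a failed gateway has been deleted."""
    return [r for r in table if r.gateway != gateway]


# Constructed table: two paths to 10.0.1.0/24 (preferred one has the lower
# metric), a summary route for 10.0.0.0/8, and a default route on the WAN.
ROUTE_TABLE = [
    StaticRoute("LAN", "10.0.1.0", "255.255.255.0", "10.0.0.11", metric=1),
    StaticRoute("LAN", "10.0.1.0", "255.255.255.0", "10.0.0.21", metric=5),
    StaticRoute("LAN", "10.0.0.0", "255.0.0.0", "10.0.0.21", metric=1),
    StaticRoute("WAN", "0.0.0.0", "0.0.0.0", "192.0.2.1", metric=10),
]

if __name__ == "__main__":
    for ip, gw in next_hops(ROUTE_TABLE, ["10.0.1.37", "10.0.7.7", "203.0.113.5"]).items():
        print(f"{ip:>12} -> {gw}")
```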
RIP is simple to configure and deploy. However, it cannot scale to large or very large networks. The maximum hop count RIP routers can use is 15, and networks that are more than 15 hops away are considered unreachable. As networks grow larger in size, the periodic announcements that each RIP router generates can cause excessive traffic.

70 CHAPTER 2 Configuring IP Services

Compared to more sophisticated routing protocols (for example, OSPF), RIP has a high recovery time. When the network topology changes, it can take several minutes before the RIP routers reconfigure themselves to the new network topology. While the network reconfigures itself, routing loops might form that result in lost or undeliverable data. However, using RIP still results in less delay and lost traffic than manually reconfiguring route tables on 15 routers.

Initially, the route table for each router includes only the networks that are physically connected. A RIP router periodically sends announcements that contain its route table entries to inform other local RIP routers about the networks it can reach. RIPv1 uses IP broadcast packets for its announcements. RIPv2 uses either multicast or broadcast packets for its announcements. Figure 2-4 illustrates the route announcement process.
[Figure 2-4: two routers joined by the 10.1.1.0/24 link. One announces "I can access 10.0.3.0/24 and 10.0.4.0/24, so send packets for those networks to me"; the other announces "I can access 10.0.1.0/24 and 10.0.2.0/24, so send packets for those networks to me".]

FIGURE 2-4 RIP announcements.

NOTE SILENT RIP

Silent RIP accepts updates from other systems but does not respond to requests or send updates. By default, RIP sends a complete update to all neighbors and replies to all incoming requests (LAN only). This is sometimes known as periodic RIP.

RIP routers can also communicate routing information through triggered updates. Triggered updates occur when the network topology changes and updated routing information is sent that reflects those changes. RIP routers send triggered updates immediately and do not wait for the next periodic announcement. Suppose, for example, that a RIP router detects a link or router failure. It immediately updates its own route table and sends updated routes. Each router that receives the triggered update modifies its own route table and propagates the change.

Windows Server 2008 RRAS supports RIPv1 and RIPv2. RIPv2 supports multicast announcements, simple password authentication, and more flexibility in subnetted and classless interdomain routing (CIDR) environments, and it is the default routing protocol for Windows Server 2008. The Windows Server 2008 implementation of RIP has the following features:

- You can select which RIP version to run on each interface for incoming and outgoing packets.
- Split-horizon, poison-reverse, and triggered-update algorithms are used to avoid routing loops and to speed recovery of the network when topology changes occur.
- You can use route filters to configure networks to ignore or accept announcements. On the Security tab of the RIP Properties dialog box (discussed in Lesson 2), you can configure the router to Accept Announcements From All Routers, Accept Announcements From Listed Routers Only, or Ignore Announcements From Listed Routers.
- You can use peer filters to choose which router's announcements to accept.
- Router announcements are configurable, and you can set route aging timers.
- Simple password authentication is supported.
- You can disable subnet summarization.

NOTE CONFIGURING ROUTING FROM THE COMMAND PROMPT

You can use the routing context of the netsh command to control announcements and route advertisements from the command prompt. For example, the netsh routing ip rip add peerfilter server=10.10.10.161 command configures RIPv2 to accept announcements from the router at 10.10.10.161. The announcefilter option filters specific advertised routes rather than accepting all updates from a particular router. You can use the netsh routing ipv6 add persistentroute command to add a static persistent IPv6 route to a particular interface. You can use netsh routing ipv6 delete persistentroute to remove a persistent route and netsh routing ipv6 show persistentroute to provide a list of all persistent routes. Netsh routing ipv6 add filter adds an IPv6 packet filter to a specified interface.

MORE INFO COUNT TO INFINITY

Even if a routing protocol supports split horizon with poison reverse, count-to-infinity can still occur in a multipath internetwork because routes to networks can be learned from multiple sources. For more information about the count-to-infinity problem, see http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/intwork/inae_ips_vzbs.mspx?mfr=true.
This is an old link, but the problem has not changed and is well described here.

Split Horizon, Poison Reverse, and Triggered Updates

Split horizon helps reduce convergence time by not allowing routers to advertise networks in the direction from which those networks are learned.
The information sent in RIP announcements is for those networks that are beyond the neighboring router in the opposite direction. Networks learned from the neighboring router are not included. Split horizon eliminates count-to-infinity and routing loops during convergence in single-path internetworks and reduces the chances of count-to-infinity in multipath internetworks. Split horizon helps reduce convergence time because the only information sent in RIP announcements is for those networks that are beyond the neighboring router in the opposite direction.

Split horizon with poison reverse differs from simple split horizon because it announces all networks. However, networks learned in the direction prohibited by split horizon are announced with a hop count of 16, indicating that the network is unreachable. In a single-path internetwork, split horizon with poison reverse has no benefit beyond split horizon. However, in a multipath internetwork, split horizon with poison reverse reduces count-to-infinity and routing loops.

Triggered updates enable a RIP router to announce changes in metric values almost immediately rather than waiting for the next periodic announcement. A change to a metric in an entry in the routing table triggers the update. For example, networks that become unavailable can be announced with a hop count of 16 through a triggered update. This update is sent almost immediately. However, a small time interval to wait is specified on the router. If triggered updates were sent by all routers immediately, each triggered update could cause a cascade of broadcast traffic across the IPv4 network. Triggered updates improve the convergence time of RIP internetworks but at the expense of additional broadcast traffic as the triggered updates are propagated.

Examining Network Routes

You can use the pathping and tracert commands to determine how packets travel between your computer and a destination.
Tracert provides a quicker response, but pathping provides a more detailed analysis of network performance. Figure 2-5 and Figure 2-6 demonstrate how pathping displays a route to the www.microsoft.com destination.
FIGURE 2-5 Route from source to destination.

FIGURE 2-6 Latency to each router.

Pathping shows the data in two sections. The first shows the route from the source to the destination. The second shows the latency in milliseconds to each router. The last line of the first section shows three asterisk (*) symbols. This occurs when a node does not respond to the Internet Control Message Protocol (ICMP) requests. Sometimes servers are configured to ignore ICMP. Consequently, they will not appear in the list even though they might be online and responding to other requests.

Figure 2-7 shows the output from the tracert www.microsoft.com command. The tracert command completes quicker than pathping but gives less information.

FIGURE 2-7 Using tracert.

PRACTICE Installing and Configuring Routing

In this practice session, you install the Network Policy and Access Services server role and the Routing and Remote Access Services role service. You then configure your Windows Server 2008 server as a router.

EXERCISE 1 Install the Network Policy and Access Services Server Role

To install the Network Policy and Access Services server role, follow these steps:

1. Log on to your domain controller with the Kim_Akers account.
2. If Server Manager does not open automatically, click Start, and then select Server Manager.
3. In the left pane, select Roles, and then, in the right pane, click Add Roles.
4. If the Before You Begin page appears, click Next.
5. On the Select Server Roles page, select the Network Policy and Access Services check box, as shown in Figure 2-8, and then click Next.
FIGURE 2-8 Adding the Network Policy and Access Services role.

6. On the Network Policy and Access Services page, click Next.
7. On the Role Services page, select the Routing and Remote Access Services check box. The wizard automatically selects the Remote Access Service and Routing check boxes, as shown in Figure 2-9.
8. Click Next.

FIGURE 2-9 Specifying the Routing and Remote Access Services role service.

9. On the Confirm Installation Selections page, click Install.
10. After the Add Roles Wizard completes the installation, click Close.
11. In the left-side pane of Server Manager, expand Roles, expand Network Policy and Access Services, and then select Routing and Remote Access.
12. Right-click Routing and Remote Access, and then select Configure and Enable Routing And Remote Access. The Routing and Remote Access Server Setup Wizard appears.
13. On the Welcome To The Routing And Remote Access Server Setup Wizard page, click Next.
14. On the Configuration page, select Custom Configuration, and then click Next.
15. On the Custom Configuration page, select the LAN Routing check box, as shown in Figure 2-10, and then click Next.

FIGURE 2-10 Selecting the check box to configure LAN routing.

16. On the Completing The Routing And Remote Access Server Wizard page, click Finish.
17. Click Start Service. If you do not see this button, right-click Routing and Remote Access, select All Tasks, and click Start.

EXERCISE 2 Use RRAS Graphical Tools to View and Configure Static Routes

In this exercise, you use the RRAS graphical tools in Server Manager to view the static route table and to add and then remove a static route. You must perform Exercise 1 before you attempt this exercise. To view, add, and delete static routes, follow these steps:

1. In the Server Manager console tree, expand Roles, expand Network Policy and Access Services, expand Routing and Remote Access, expand IPv4, right-click Static Routes, and then select Show IP Routing Table. The IPv4 route table is displayed as shown in Figure 2-11. The route table on your domain controller will probably show different routes.

FIGURE 2-11 The IPv4 route table displayed through Server Manager.

2. Close the route table display. Right-click Static Routes, and then select New Static Route.
3. In the IPv4 Static Route dialog box, select the network interface that will be used to forward traffic to the remote network. In the Destination box, type the network ID of the destination network. In the Network Mask box, type the subnet mask of the destination network. In the Gateway box, type the router that packets for the destination network should be forwarded to. Adjust the metric only if you have multiple paths to the same destination network and want to prefer one gateway over the others. In this case, configure the preferred routes with lower metrics. The IPv4 Static Route dialog box should look similar to Figure 2-12. Click OK.

FIGURE 2-12 Adding a static route.

Routing and Remote Access adds the static route, which is displayed in the Static Routes pane.

4. Right-click the static route you have created, and then select Delete.

EXERCISE 3 Enable RIP

In this exercise, you enable RIP. This allows Windows Server 2008 to advertise routes to neighboring routers and to detect neighboring routers and remote networks automatically. You must perform Exercise 1 before you attempt this exercise. To enable RIP, follow these steps:

1. In the Server Manager console tree, expand Roles, expand Network Policy and Access Services, expand Routing and Remote Access, expand IPv4, right-click General, and then select New Routing Protocol.
2. In the New Routing Protocol dialog box, select RIP Version 2 For Internet Protocol, and then click OK. RIP appears under IPv4 in the left-side pane.
3. Right-click RIP, and then select New Interface.
4. In the New Interface for RIP Version 2 For Internet Protocol dialog box, select the interface you want to advertise with RIP, as shown in Figure 2-13. The interfaces on your domain controller might differ from those in the figure.
5. Click OK.

FIGURE 2-13 Selecting the interface you want to advertise with RIP.

6. Configure the RIP settings by using the RIP Properties dialog box. In practice, on a production network, you would choose settings that match those of neighboring routers. The default settings work in most environments. You can adjust settings by using the four tabs of the dialog box. On the General tab, you can choose [...]
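As an added example that is not part of the training kit, this Python simulation reproduces the announcement exchange of Figure 2-4 and the split horizon, poison reverse and triggered update behaviour described in the sidebar earlier in this lesson. The router names and the failure scenario are constructed; failure_scenario shows why plain announcements start a count to infinity after a network fails while split horizon or poison reverse stop it.

```python
"""RIP distance-vector simulation (added example, not from the training kit).

Two routers from Figure 2-4 exchange announcements over 10.1.1.0/24; a hop
count of 16 means unreachable. Router names and scenario are constructed.
"""
INFINITY = 16  # RIP treats 16 hops as unreachable


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # network -> [hop_count, learned_from]; directly connected = 1 hop
        self.table = {net: [1, None] for net in connected}

    def announce(self, neighbor, mode="poison"):
        """Routes sent toward `neighbor`: mode is 'none', 'split' or 'poison'."""
        out = {}
        for net, (hops, source) in self.table.items():
            if source is neighbor:        # route was learned from that neighbor
                if mode == "split":       # split horizon: do not announce it
                    continue
                if mode == "poison":      # poison reverse: announce as unreachable
                    hops = INFINITY
            out[net] = hops
        return out

    def receive(self, neighbor, routes):
        """Merge an announcement; True means the table changed (a trigger)."""
        changed = False
        for net, hops in routes.items():
            new = min(hops + 1, INFINITY)
            cur = self.table.get(net)
            if cur is None:
                if new < INFINITY:
                    self.table[net] = [new, neighbor]
                    changed = True
            elif cur[1] is neighbor and cur[0] != new:
                cur[0] = new              # same source: accept worse news too
                changed = True
            elif new < cur[0]:
                self.table[net] = [new, neighbor]
                changed = True
        return changed

    def link_down(self, net):
        """A directly connected network fails; it is now 16 hops away."""
        self.table[net][0] = INFINITY


def converge(a, b, mode="poison", max_rounds=40):
    """Periodic announcements in both directions until nothing changes."""
    for rounds in range(1, max_rounds + 1):
        changed = a.receive(b, b.announce(a, mode))
        changed = b.receive(a, a.announce(b, mode)) or changed
        if not changed:
            return rounds
    return max_rounds


def build_figure_2_4(mode="poison"):
    a = RipRouter("A", ["10.1.1.0/24", "10.0.3.0/24", "10.0.4.0/24"])
    b = RipRouter("B", ["10.1.1.0/24", "10.0.1.0/24", "10.0.2.0/24"])
    converge(a, b, mode)
    return a, b


def failure_scenario(mode):
    """B loses 10.0.2.0/24 and A's periodic announcement arrives before B's
    triggered update. Returns (hops at B, hops at A) for that network."""
    a, b = build_figure_2_4(mode)
    b.link_down("10.0.2.0/24")
    b.receive(a, a.announce(b, mode))     # stale periodic update from A
    a.receive(b, b.announce(a, mode))     # B's triggered update reaches A
    return b.table["10.0.2.0/24"][0], a.table["10.0.2.0/24"][0]
```

With mode "none" B accepts A's stale 2-hop route and the two routers count upward toward 16; with "split" or "poison" both immediately agree the network is unreachable.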