Installing, Configuring, and Troubleshooting IP Routing

With Routing and Remote Access (RRAS), a system running Windows 2000 can function as a network router, which routes packets between networks. This setup allows LANs and WANs to be interconnected. The benefit is that the routing technology is built into the operating system, thus providing small and large businesses with a cost-effective and secure way of interconnecting their networks. RRAS in Windows 2000 includes the following features:

  • Support for both the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF)

  • Support for Network Address Translation (NAT), which allows a single public IP address to be shared among clients on the internal network

  • Support for demand-dial routing that initiates a connection with a router when outbound traffic is required and terminates the connection when the link is not needed (although the connection can also be configured as persistent)

  • Support for both unicast and multicast routing. With unicast routing, a packet is sent to a single host, whereas multicast routing sends a packet to a group of hosts

  • Support for virtual private networks (VPNs), which allows remote users or remote offices to securely connect to a network using a public network, such as the Internet, as a transport medium

The following section looks at the fundamental concepts behind IP routing and discusses how to implement, configure, and troubleshoot IP routing using Windows 2000 Server.

Note: Keep in mind that Windows 2000 can also route IPX packets. However, the focus of this chapter is on IP routing.


IP Routing

Because all IP packets have a source and destination IP address, routing is the process of sending a packet from the source address to the destination address. Of course, how the routing of IP packets actually occurs is much more complex.

Because each IP packet has addressing information within the header, routers can use this information to determine where a packet should be sent to reach the destination host. Routers maintain information about the physical network, such as the path to a destination network and the metric associated with the route. (The metric is the number of hops, or the number of routers to cross, between the source and destination network.)

For routers to know the location to which packets must be forwarded, they must also know about their neighboring routers. This information is stored within the routing table. When a router receives a packet, it checks the routing table to determine where the packet must be sent to reach the destination host. The information within a routing table can be generated statically or dynamically, as you discover in the next sections.

Static Routing

With static routing, an administrator must manually configure the routing table by adding entries that tell the router how to reach other networks. Using the route command, an administrator updates the routing table by specifying the network addresses, the subnet masks, and the metrics associated with each route.

When deciding whether to use static routing, keep in mind that it works best for networks that do not change on a regular basis. If the network configuration is constantly changing, the administrative overhead associated with constantly having to update the routing tables greatly increases because the changes must be made on each router. In such cases, it may be more beneficial to implement dynamic routing.

Dynamic Routing

Dynamic routing eliminates the overhead associated with manually updating routing tables. Routers can dynamically build their own routing tables by communicating with other routers on the network.

With dynamic routing, the routing tables are built automatically through router communication. Using a routing communication protocol, routers periodically exchange messages containing location information about routes through the network. This information is used to build and update routing tables.

The major advantage of dynamic routing is that it reduces the administrative overhead associated with manually updating routing tables. For example, if a router goes down, the change is automatically propagated to all routers on the network so they are all aware of the change in the network topology. One of the major disadvantages is the amount of traffic that it generates.

Routing Protocols

For routers to share information and dynamically update their routing tables, a routing protocol must be used. As already mentioned, the two routing protocols supported by Windows 2000 are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Although both routing protocols are used for dynamic routing, there are some distinct differences between the two.

Routing Information Protocol (RIP)

The Routing Information Protocol (RIP) is designed for small- to medium-sized networks. There are two versions of RIP: RIPv1 and RIPv2. RIPv1 was originally a classful, broadcast-based routing protocol and had no protection; RIPv2 added subnet masking with each route entry, uses multicasts, and provides for a simple authentication scheme. One of the main benefits of choosing RIP is that it's very simple to configure and deploy. One of the major drawbacks associated with this protocol is that it's limited to a maximum hop count of 15. This means any networks more than 15 hops away are considered unreachable. Also, as a network increases in size, there can be excessive traffic generated from RIP announcements.

Note: As mentioned earlier, all routes to a destination network are assigned a metric, which defines the distance between the source and destination. RIP uses a hop count (the number of routers to cross) to identify the distance between two networks. A value of 1 is added to the hop count for each router between a source and destination network.


When a router is first configured as a RIP router, the only entries in the routing table are for those networks to which it is physically connected. It then begins to send announcements of its availability to notify other routers of the networks it services. RIPv1 sends the announcements as broadcasts, whereas RIPv2 can send the announcements as multicast packets.

When changes occur to the network topology, RIPv2 uses triggered updates to communicate the changes to other routers. With triggered updates, the change to the network topology can be propagated immediately.

Note: If you are considering using RIPv1, keep in mind that it does not support multicasting, it does not support any type of security between routers, and it does have known issues with routing loops. Because it may take several minutes for routers to reconfigure themselves after a change in network topology (for example, when an existing router becomes unavailable), routing loops in which routers send data in a circle can occur.


The Windows 2000 implementation of RIP supports the following features:

  • The capability to select the version of RIP to implement for incoming and outgoing packets

  • Support for routing filters to configure which routes should be accepted or denied

  • Password authentication between routers

  • Split-horizon to avoid router loops

  • Triggered updates to ensure changes to the network topology are propagated immediately
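
The slow convergence behind the routing loops mentioned above, and the effect of split horizon, as an added simulation that is not from the book. It models two hypothetical routers, A and B, where B has just lost its directly connected network and A had learned that network from B; the synchronous rounds and the router names are assumptions of the model.

```python
INFINITY = 16  # RIP metric meaning "unreachable"; 15 hops is the usable maximum


def rip_round(tables, neighbours, split_horizon):
    """One synchronous round: each router announces its route to the
    destination network to every neighbour, then all tables are updated."""
    updated = {router: dict(route) for router, route in tables.items()}
    for sender, route in tables.items():
        for receiver in neighbours[sender]:
            if split_horizon and route["via"] == receiver:
                continue  # never announce a route back to where it was learned
            offered = min(route["metric"] + 1, INFINITY)
            mine = updated[receiver]
            # Always believe the current next hop; otherwise take only better routes.
            if mine["via"] == sender or offered < mine["metric"]:
                mine["metric"], mine["via"] = offered, sender
    return updated


def rounds_until_unreachable(split_horizon, limit=50):
    """B has just lost its directly connected network; A had learned it from B.
    Returns (rounds until both routers mark it unreachable, metric history)."""
    neighbours = {"A": ["B"], "B": ["A"]}
    tables = {"A": {"metric": 2, "via": "B"},
              "B": {"metric": INFINITY, "via": None}}
    history = []
    for rounds in range(1, limit + 1):
        tables = rip_round(tables, neighbours, split_horizon)
        history.append((tables["A"]["metric"], tables["B"]["metric"]))
        if all(route["metric"] == INFINITY for route in tables.values()):
            return rounds, history
    return None, history


if __name__ == "__main__":
    for enabled in (False, True):
        rounds, history = rounds_until_unreachable(enabled)
        print(f"split horizon={enabled}: {rounds} round(s), (A, B) metrics {history}")
```

Without split horizon the stale route is handed back and forth, its metric climbing by one each round until it reaches 16; with split horizon A never offers the route back to B, so both routers agree after a single round.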

Alert: RIPv2 supports multicasting for updating the routing tables. RIPv1 does not support this feature. RIPv1 routers cannot communicate with RIPv2 routers using multicasting for updates.
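
How a receiving router could apply the controls listed above (accepted RIP version, password authentication, route filters, the 15-hop limit) to one incoming announcement, as an added example that is not code from the book or from Windows 2000. The packet layout follows RFC 2453; the function names, the password and the sample routes are assumptions.

```python
import hmac
import ipaddress
import struct

RIP_RESPONSE, AFI_IP, AFI_AUTH, SIMPLE_PASSWORD, INFINITY = 2, 2, 0xFFFF, 2, 16

def build_response(version, routes, password=None):
    """Build a RIP response from (network, mask, next_hop, metric) tuples."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None:  # RIPv2 simple password travels in clear text
        pkt += struct.pack("!HH16s", AFI_AUTH, SIMPLE_PASSWORD, password)
    for net, mask, hop, metric in routes:
        addrs = b"".join(ipaddress.IPv4Address(a).packed for a in (net, mask, hop))
        pkt += struct.pack("!HH12sI", AFI_IP, 0, addrs, metric)
    return pkt

def validate_response(pkt, accept_versions, password, allowed):
    """Return (accepted routes, reasons for everything that was dropped)."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        return [], ["malformed packet length"]
    command, version, _zero = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE or version not in accept_versions:
        return [], [f"command {command} / version {version} not accepted"]
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    if password is not None:
        # The first entry must be an authentication entry carrying the secret.
        first = entries[0] if entries else bytes(20)
        afi, auth_type, secret = struct.unpack("!HH16s", first)
        if afi != AFI_AUTH or auth_type != SIMPLE_PASSWORD:
            return [], ["announcement carries no password"]
        if not hmac.compare_digest(secret.rstrip(b"\0"), password):
            return [], ["password mismatch"]
        entries = entries[1:]
    accepted, rejected = [], []
    for entry in entries:
        afi, _tag, net, mask, hop, metric = struct.unpack("!HH4s4s4sI", entry)
        dest = f"{ipaddress.IPv4Address(net)}/{ipaddress.IPv4Address(mask)}"
        try:
            network = ipaddress.IPv4Network(dest) if afi == AFI_IP else None
        except ValueError:
            network = None
        if network is None:
            rejected.append(f"{dest}: not a valid IP route entry")
        elif not 1 <= metric <= INFINITY:
            rejected.append(f"{network}: metric {metric} out of range")
        elif metric == INFINITY:
            rejected.append(f"{network}: unreachable (metric 16)")
        elif not any(network.subnet_of(a) for a in allowed):
            rejected.append(f"{network}: denied by route filter")
        else:
            accepted.append((str(network), str(ipaddress.IPv4Address(hop)), metric))
    return accepted, rejected

# Constructed sample: the filter, password and routes below are made up.
ALLOWED = [ipaddress.IPv4Network("10.0.0.0/8")]
SECRET = b"example-secret"
ROUTES = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 3),
          ("10.2.0.0", "255.255.0.0", "0.0.0.0", 16),
          ("192.168.5.0", "255.255.255.0", "0.0.0.0", 1)]

if __name__ == "__main__":
    for pkt in (build_response(2, ROUTES, SECRET), build_response(2, ROUTES),
                build_response(1, ROUTES)):
        print(validate_response(pkt, {2}, SECRET, ALLOWED))
```

Because the simple password is carried unencrypted in every announcement, it guards against misconfigured neighbours more than against anyone who can capture traffic on the segment.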


Open Shortest Path First (OSPF)

OSPF is designed for large internetworks (especially those spanning more than 15 router hops). The disadvantage of OSPF is that it's generally more complex to set up and requires a certain amount of planning.

Alert: OSPF is not supported for non-persistent, demand-dial connections.


OSPF uses the Shortest Path First (SPF) algorithm to calculate routes. The shortest path (the route with the lowest cost) is always used first.

Unlike RIP, which only uses announcements to update and share routing information, OSPF maintains a map of the network, known as the link state database. This map is synchronized between adjacent routers, that is, neighboring OSPF routers. When a change is made to the network topology, the first router to receive the change sends out a change notification. Each router then updates its copy of the link state database and the routing table is recalculated.

One of the main differences between OSPF and RIP is that OSPF divides the network into different areas. Each of the routers maintains information only in the link state database about those areas to which it is connected. Another difference is that OSPF replicates only the changes to the routing table, not the entire table.

Tip: An area is a group of neighboring networks. The areas are connected to a backbone area. Area border routers connect the different areas to the backbone area.
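
The SPF calculation over a link state database, and the recalculation after a topology change, as an added example that is not code from the book. The four routers and their link costs are constructed; the topology is chosen so that the lowest-cost path is not the path with the fewest hops, which is where OSPF and RIP would choose differently.

```python
import heapq


def spf(lsdb, root):
    """Dijkstra's SPF over a link state database {router: {neighbour: cost}}.
    Returns {destination: (total_cost, first_hop)} as seen from `root`."""
    routes, queue = {}, [(0, root, "")]
    while queue:
        cost, router, first_hop = heapq.heappop(queue)
        if router in routes:
            continue  # already reached by a cheaper path
        routes[router] = (cost, first_hop)
        for neighbour, link_cost in lsdb.get(router, {}).items():
            # Use a link only when both ends advertise it.
            if router in lsdb.get(neighbour, {}) and neighbour not in routes:
                heapq.heappush(
                    queue, (cost + link_cost, neighbour, first_hop or neighbour))
    del routes[root]
    return routes


def without_link(lsdb, a, b):
    """Copy of the database after routers a and b stop advertising their link."""
    return {r: {n: c for n, c in links.items() if {r, n} != {a, b}}
            for r, links in lsdb.items()}


# Constructed topology: R1-R4 is a direct but expensive link (cost 64);
# R1-R2-R3-R4 is three cheap links (cost 1 each).
LSDB = {
    "R1": {"R2": 1, "R4": 64},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1, "R4": 1},
    "R4": {"R3": 1, "R1": 64},
}

if __name__ == "__main__":
    print("before:", spf(LSDB, "R1"))
    print("after R2-R3 fails:", spf(without_link(LSDB, "R2", "R3"), "R1"))
```

From R1, R4 is one hop away over the direct link, yet SPF routes to it through R2 at a total cost of 3; once the R2-R3 link disappears from the database, the recalculation falls back to the direct link at cost 64.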


Configuring RRAS

Routing and Remote Access (RRAS) is installed by default with Windows 2000. Before you can use a Windows 2000 Server as a network router, RRAS must be enabled. To enable RRAS, perform the following steps:

  1. Click Start, point to Programs, Administrative Tools, and click Routing and Remote Access.

  2. Right-click the server you want to configure and select Configure and Enable Routing and Remote Access. This launches the Routing and Remote Access Server setup wizard. Click Next.

  3. From the Common Configurations window, select Network router (see Figure 7.1). Click Next.

    Figure 7.1. Configuring a network router from the Common Configurations window.

  4. Verify that all the protocols you want to route are listed. If additional protocols are required, select the No I Need to Add Protocols option. Click Next.

  5. From the Demand-dial Connections window (see Figure 7.2), select Yes to set up a demand-dial connection. If you select No, a demand-dial connection can be configured afterward. Click Next.

    Figure 7.2. Configuring demand-dial routing via the Demand-dial Connections window.

  6. If you selected No at the Demand-dial Connections window, click Finish. If you selected Yes, specify how incoming demand-dial connections will be assigned an IP address. If you select From a specified range, click Next and type in the range of IP addresses. Click Finish.

For a server running RRAS to be configured as a network router, you must configure a demand-dial interface (if demand-dialing is required). After demand-dialing is configured, you will assign an IP address to each network interface that will route IP packets, and install and configure one or both of the routing protocols just mentioned.

Configuring IP Routing

Once RRAS has been enabled, some general IP Routing properties can be configured. When you select the General node found under the IP Routing option within the RRAS console, all the known interfaces on the system are displayed. Right-clicking the General node brings up the General Properties window shown in Figure 7.3.

Figure 7.3. Configuring IP routing properties via the General Properties window.

The configuration options are not overly complex. You can enable or disable logging and specify the type of information to log on the General tab. The Preference Levels tab is used to configure the preference level of different routing sources. For example, routes that are statically configured are given preference over dynamic routes. You can change the preference level of a routing source by selecting the source and using the Move Up or Move Down buttons.

Configuring Interfaces

The General node lists all the interfaces available on the system that can be used for IP routing. This includes any LAN interfaces, as well as any demand-dial interfaces. You'll also notice two other ones listed by default: internal and loopback. Summary information is listed about each interface, including the type of interface (such as dedicated or demand-dial), the IP address, and the status of the interface. To view this summary information, expand the RRAS server, IP Routing, and click the General node.

As you will see, each interface has its own set of configurable options (see Figure 7.4).

Figure 7.4. Configuring interface properties from an interface's General tab.

Use the General tab to configure any of the following options:

  • Enable IP router management: Select this option to configure the administrative status of the interface.

  • Enable router discovery advertisements: Enables ICMP discovery messages over the interface. The Advertisement lifetime defines how long a discovery advertisement remains valid. The Preference level is used to define the preference level for using the interface as the default gateway.

  • Minimum time: The minimum time allowed (measured in minutes) between router advertisements.

  • Maximum time: The maximum time allowed (measured in minutes) between router advertisements.

  • Enable fragmentation checking: Specifies whether fragmented IP packets are discarded.

The Configuration tab is used to configure the IP address for the interface. An IP address can be obtained from a DHCP server or a static IP address can be configured. The remaining two tabs are used to configure multicasting.

Updating a Windows 2000 Routing Table Using Static Routes

There might be instances when you need to add a static route to your Windows 2000 router. This, of course, has its advantages and disadvantages.

Creating a static route is simple enough to do; however, the routes you configure are not shared between routers.

Static routes specify the network address and subnet mask telling the router how to get to a certain destination. The router uses the information to determine which gateway to forward the packet to so it can get to the destination host.

Static routes can be configured in one of two ways: using the Route command or through the RRAS management console. Using the Route Add command, static entries can be added to the local routing table on a router. You can also make them persistent routes, meaning they remain in the routing table when the system reboots, by using the -p parameter.

The syntax for the Route Add command is as follows:

route add <destination> mask <netmask> <gateway> metric <metric> if <interface>

The second option is to configure a static route within the RRAS management console. To configure a static route using this method, perform the following steps:

  1. Within the RRAS management console, expand IP routing.

  2. Right-click Static Routes and select New Static Route. The Static Route window appears (see Figure 7.5).

    Figure 7.5. Creating a new static route via the Static Route window.

  3. Using the drop-down arrow, select the interface that will be used to route IP packets.

  4. Type the destination IP address and subnet mask.

  5. Type the IP address of the gateway for the RRAS server.

  6. Click OK.

Implementing Demand-Dial Routing

There are two types of demand-dial connections: on-demand connections and persistent connections. With on-demand connections, a connection with the remote router is established only when necessary. A connection is established to route information and terminated when the link is not in use. The benefit of this is the lower cost associated with using the link. With persistent connections, the link does not need to be terminated, even when it is not in use. No additional charges are incurred.

Connections between network routers can be one-way initiated or two-way initiated, meaning a connection can be initiated by only one router or by both the routers.

With one-way initiated connections, one router is designated as the answering router and the other is designated as the calling router, which is responsible for initiating any connections.

Creating a One-Way Demand-Dial Interface

Demand-dial connections can be created within the Routing and Remote Access snap-in. How you configure the connection depends on whether you are configuring a one-way or two-way initiated connection. To create a demand-dial interface on the calling router, perform the following steps:

  1. Right-click Routing Interfaces and click New Demand-dial Interface. This launches the Demand-dial Interface wizard. Click Next.

  2. Type a name for the interface. Click Next.

  3. From the Connection Type window, ensure the option Connect using a modem, ISDN adapter, or other physical device is selected. Click Next.

  4. Enter the phone number of the remote dial-up server or router. Click Next.

  5. From the Protocols and Security window (see Figure 7.6), select the necessary options from the list that follows.

    • Route IP packets on this interface

    • Route IPX packets on this interface

    • Add a user account so remote users can dial in

    • Send a plaintext password if that is the only way to connect

    • Use scripting to complete the connection with the remote router

    Figure 7.6. Configuring demand-dial protocols and security.

    If you are routing only IP packets, make sure Route IPX Packets on This Interface is not selected. Click Next.

  6. From the Dial Out Credentials window, specify the username and password that the dial-out router will use to connect to the remote router (see Figure 7.7). Click Next.

    Figure 7.7. Configuring the dial out credentials via the Dial Out Credentials window.

  7. Click Finish.

Tip: Before you attempt to create a new demand-dial interface, make sure the router is enabled for LAN and demand-dial routing instead of just a LAN router. You can enable this option by right-clicking the RRAS server and choosing Properties. From the General tab, select LAN and demand-dial routing.


The answering router also needs to be configured for one-way demand-dial connections. A user account must be created on the answering router with dial-in permissions and the appropriate policy permissions. The user account is used to authenticate connections from the calling routers. A static route can then be configured on the user account. Also make sure when creating a user account that the Password Never Expires option is selected and the User Must Change Password at Next Logon option is not selected.

Alert: When configuring the calling router, make sure that the dial out credentials match the user account name configured on the answering router.


Creating a Two-Way Demand-Dial Connection

Creating a two-way demand-dial connection is similar to configuring a one-way connection with a few distinct differences. A demand-dial interface is created on each RRAS server using the process outlined previously. You must assign the interface a name, as well as specify the phone number to dial, the device to be used, the protocol and security settings, and the dial-out credentials. A user account must also be configured on each RRAS server with the appropriate remote access permissions. The important thing to keep in mind is that the user account name must be identical to the name assigned to the demand-dial interface of the calling router. Finally, a static route must be configured using the demand-dial interface.

Alert: Remember that when you are configuring two-way demand-dialing, the user account names on the answering router must be identical to the demand-dial interface names on the calling routers.


Configuring a Demand-Dial Connection

Once a demand-dial connection has been created, you can configure it further using the Properties window for the connection. From the General tab, you can configure the connection device and specify alternative phone numbers to dial. As shown in Figure 7.8, the Options tab is where you configure the connection type: demand-dial or persistent. The dialing policy can also be set by specifying the number of times the calling router will redial if there is no answer and specifying the interval between redial attempts.

Figure 7.8. Using the Options tab to configure a connection type.

The Security tab enables you to configure the security options for the dial-out connection (see Figure 7.9). This includes whether unsecured passwords are permitted, whether the connection requires data encryption, and whether a script will be run after dialing.

Figure 7.9. Configuring security options via the Security tab.

As shown in Figure 7.10, the Networking tab is used to configure the type of dial-up server that is dialed in to and the different network components that the connection uses.

Figure 7.10. Configuring network settings for a demand-dial connection.

There are several other configurations that you can make to a demand-dial interface. Demand-dial filtering allows you to control the type of IP traffic that can initiate a connection. You can allow or deny a connection based on the type of IP traffic. For example, you may only want Web and FTP traffic to initiate the demand-dial connection.

Dial-out hours determine the times of day that a connection can be initiated. This allows an administrator to control when the demand-dial connection is used.



Windows 2000 Network Infrastructure Exam Cram 2 (Exam 70-216)
MCSE Windows 2000 Network Infrastructure Exam Cram 2 (Exam Cram 70-216)
ISBN: 078972863X
EAN: 2147483647
Year: 2005
Pages: 167
