Chapter 4: Planning, Implementing, and Maintaining a Routing Strategy


Understanding IP Routing

1.

Your IT Director has decided the new internal network needs to use private addressing. Which of the following IP addresses are private addresses?

  1. 193.168.0.1

  2. 171.17.0.1

  3. 10.0.0.1

  4. 172.16.0.15


2.

Your IT Director has determined that your network should use dynamic routing. You’ve determined that a route is now being considered unreachable. What has happened to that route in the routing table?

  1. It has been marked as unreachable in the routing table.

  2. Nothing has happened to that route in the routing table.

  3. It has been removed from the routing table.

  4. You must manually go into the routing table and remove the entry.


3.

Your newest hire has been assigned the task of configuring a Windows Server 2003 computer as a router and has asked you how to determine whether a machine address or an IP address is being used at the router. You explain that routers forward on IP addresses, while bridges and switches forward on machine (MAC) addresses and hubs simply repeat bits. You continue to explain that the OSI reference model has seven layers and ask: IP, the Internet Protocol, operates at what layer?

  1. The Physical layer

  2. The Data Link layer

  3. The Network layer

  4. The Transport layer


4.

Your IT Director has opened a command prompt window on your Windows Server 2003 computer and is trying to figure out what routes are available to this computer. Which of the following commands should you tell him to use to list the active routes from the command prompt?

  1. route list

  2. route print

  3. show route

  4. dump


5.

Your IT Director is determined to use static routing on your large corporate network. You need to convince him that static routing probably is not the best choice, and you want him to think that decision was his idea. You decide to do this by asking him which of the following is an advantage of using static routing?

  1. Fault tolerance

  2. Scalability

  3. Manual configuration

  4. Classless routing


6.

RRAS is enabled on your Windows Server 2003 computer, and you have three network adapter cards in the computer configured for subnet IDs of 192.168.32.0/20, 192.168.64.0/20, and 192.168.96.0/20. Which subnet ID can you use if you need to support another subnet with this RRAS server?

  1. 192.168.20.0/20

  2. 192.168.40.0/20

  3. 192.168.48.0/20

  4. 192.168.60.0/20


7.

You want to configure multiple gateways on a Windows Server 2003 machine, but you have only one NIC installed. How do you accomplish this goal?

  1. Assign the IP addresses 192.168.0.10 and 192.168.1.10 to the interface.

  2. Assign the IP addresses 10.0.0.1 and 172.16.0.1 to the interface.

  3. Assign the IP addresses 172.16.0.1 and 192.168.0.1 to the interface.

  4. You cannot configure multiple gateways on a machine with one NIC.


8.

Your IT Director has been reading again. He has decided that he wants to convert the network to OSPF, but he is having some difficulty with terminology. He knows that an OSPF router can serve one of four roles. His problem is that he can’t remember which role exists when one of the router’s interfaces is on the backbone area. Help him out. Which of the following is it?

  1. Internal router

  2. Area border router

  3. Backbone router

  4. Autonomous system boundary router


Answers

1.

C, D. The three blocks of private address space are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Answer C, 10.0.0.1, falls in the first block, and Answer D, 172.16.0.15, falls in the second.

A, B. Neither of these IP addresses falls within any of the three blocks assigned to private addressing: 193.168.0.1 is outside 192.168.0.0/16, and 171.17.0.1 is outside 172.16.0.0/12. Remember, the three address blocks set aside and defined as private address space (RFC 1918) are as follows:

  • 10.0.0.0 with a subnet mask of 255.0.0.0, or 10.0.0.0/8. This private block has 24 host bits available.

  • 172.16.0.0 with a subnet mask of 255.240.0.0, or 172.16.0.0/12. This block has 20 host bits available and provides a range of 16 class B network IDs, from 172.16.0.0/16 through 172.31.0.0/16.

  • 192.168.0.0 with a subnet mask of 255.255.0.0, or 192.168.0.0/16. This block has 16 host bits available and provides a range of 256 class C network IDs, from 192.168.0.0/24 through 192.168.255.0/24.
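The checks behind this answer, as an added example that is not part of the study guide: the Python below (standard library only) tests an address against the three RFC 1918 blocks and computes the host-bit and classful-network figures given in the bullets, so the 172.16.0.0/12 range can be verified rather than memorised. It also labels the 169.254.0.0/16 link-local range, which matters when reading the output of ipconfig later in this chapter. The sample addresses are the ones from the question.

```python
import ipaddress

# The three RFC 1918 private blocks listed in the answer above.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_block(addr):
    """Return the RFC 1918 block (as a string) containing addr, or None if addr is not private."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return str(block)
    return None


def classify(addr):
    """Coarse classification of an IPv4 address, useful when auditing an address plan."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, the range Windows assigns itself when DHCP fails (APIPA)
        return "link-local (APIPA)"
    if private_block(addr) is not None:
        return "private (RFC 1918)"
    return "public"


def classful_prefix(block):
    """Prefix length of the classful network for the block's first octet (A=/8, B=/16, C=/24)."""
    first_octet = int(block.network_address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def block_summary(block):
    """Host bits in a private block and the range of classful network IDs it spans."""
    block = ipaddress.ip_network(block)
    prefix = classful_prefix(block)
    subnets = list(block.subnets(new_prefix=prefix))
    return {
        "host_bits": 32 - block.prefixlen,
        "classful_networks": len(subnets),
        "first": str(subnets[0]),
        "last": str(subnets[-1]),
    }


if __name__ == "__main__":
    for addr in ("193.168.0.1", "171.17.0.1", "10.0.0.1", "172.16.0.15"):
        print(addr, classify(addr), private_block(addr))
    for block in RFC1918_BLOCKS:
        print(block, block_summary(block))
```

Running the block prints the classification of the four candidate addresses (only 10.0.0.1 and 172.16.0.15 are private) and, for 172.16.0.0/12, 16 class B networks from 172.16.0.0/16 to 172.31.0.0/16.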

2.

C. In dynamic routing, a route that has become unreachable is removed from the routing table by the routing protocol itself, with no administrator action. RIP, for example, does this automatically once the route's expiration and removal timers have elapsed.

A, B, D. Because the route is removed from the routing table rather than kept, it is not merely marked as unreachable, so Answers A and B are incorrect. Answer D is incorrect because this is dynamic routing, not static, so you don't need to manually enter or change routing table entries.

3.

C. The Network layer is where the protocols that carry data between networks, rather than only across a single LAN segment, are implemented. These protocols are known as routable protocols because routers can forward their packets beyond the local network. IP is the dominant routable protocol. IP, like other Layer 3 protocols, is connectionless: it delivers packets on a best-effort basis and makes no attempt to verify that the data arrived at its destination.

A, B, D. Answer A is incorrect because the Physical layer of the OSI reference model is responsible for transmitting raw bits over the medium; it operates only with ones and zeros. Answer B is incorrect because the Data Link layer frames data and addresses it by machine (MAC) address for delivery across a single link, which is where bridges and switches work. Answer D is incorrect because the Transport layer is responsible for the end-to-end integrity of data transmissions, not for addressing across networks. An example of a protocol used at the Transport layer is TCP, which is connection-oriented and verifies the successful arrival of data at its destination.

4.

B. To produce a list of the active routes from the command prompt, type route print and press the Enter key.

A, C, D. None of these is a route subcommand; route accepts only print, add, change, and delete. show and dump are netsh commands, and route list does not exist in either tool.
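Reading the output of route print by eye is fine for one server; when checking many, or when looking for routes that should not be there, it helps to parse it. The following Python is an added example and not part of the study guide. It parses the Active Routes table from a constructed sample of Windows Server 2003 route print output (the interface names, MAC address and addresses are invented) and flags any route whose next hop is neither the interface itself nor a gateway you expect, which is how a route added by an attacker, a rogue RIP update or an ICMP redirect would stand out.

```python
import ipaddress
import re

# Constructed sample of "route print" output on Windows Server 2003 (not captured from a real host).
# The 10.0.0.0/8 route via 192.168.1.200 is the one a reviewer should question.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 3a 4b 5c ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10       20
         10.0.0.0        255.0.0.0   192.168.1.200    192.168.1.10        1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10       20
     192.168.1.10  255.255.255.255       127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.10    192.168.1.10       20
        224.0.0.0        240.0.0.0    192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255    192.168.1.10    192.168.1.10        1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

# One row of the Active Routes table: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the Active Routes table as a list of dicts with ipaddress objects."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("Default Gateway") or line.startswith("="):
            break
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({
                "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": ipaddress.ip_address(gw),
                "interface": ipaddress.ip_address(iface),
                "metric": int(metric),
            })
    return routes


def default_gateways(routes):
    """Next hops of the 0.0.0.0/0 routes, as strings."""
    return [str(r["gateway"]) for r in routes if r["network"].prefixlen == 0]


def unexpected_routes(routes, trusted_gateways):
    """Routes forwarded via a next hop that is neither the interface itself (on-link),
    the loopback address, nor one of the gateways the administrator expects."""
    trusted = {ipaddress.ip_address(g) for g in trusted_gateways}
    flagged = []
    for r in routes:
        gw = r["gateway"]
        if gw == r["interface"] or gw.is_loopback or gw in trusted:
            continue
        flagged.append(r)
    return flagged


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("default gateway(s):", default_gateways(table))
    for r in unexpected_routes(table, ["192.168.1.1"]):
        print("unexpected:", r["network"], "via", r["gateway"], "metric", r["metric"])
```

On a real server, replace SAMPLE_ROUTE_PRINT with the captured output of route print and list the gateways you actually deployed in the call to unexpected_routes.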

5.

D. Static routing works well with classless routing because each route must be entered with an explicit network mask. A practical side benefit is that static routes cannot be altered by spoofed or misconfigured routing-protocol updates, since none are accepted.

A, B, C. Static routing is not fault tolerant: if a path fails, nothing reroutes around it until an administrator intervenes. Although it works well for small networks, it does not scale well, because every route on every router must be maintained by hand. Manual configuration is a cost of static routing, not an advantage, and static routing makes no attempt to discover other networks or other systems on the network.

6.

C. A 20-bit subnet mask means the first two octets and the first four bits of the third octet define the subnet ID. The rightmost of those four bits represents a value of 16, so each subnet ID must have a value in the third octet that is divisible by 16. The only candidate in the list that meets this criterion is Answer C, 192.168.48.0/20 (48 = 3 × 16); it covers 192.168.48.0 through 192.168.63.255 and does not overlap the three /20 subnets already in use.

A, B, D. These answers are incorrect because none of them meets the criterion. In Answer A, 192.168.20.0/20, the 20 in the third octet is not divisible by 16 (the aligned subnet ID would be 192.168.16.0/20). The same situation exists for Answer B, 192.168.40.0/20: 40 is not divisible by 16. Finally, in Answer D, 192.168.60.0/20, the 60 in the third octet is not divisible by 16.
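The alignment and overlap tests above, generalised to any prefix length, as an added example that is not from the study guide. The Python below uses the standard ipaddress module; passing strict=True makes ip_network reject an ID with host bits set, which is exactly the "third octet divisible by 16" rule for a /20. The existing subnets are the three from the question.

```python
import ipaddress


def explain_candidate(candidate, existing):
    """Say whether `candidate` (e.g. "192.168.48.0/20") can be added beside the subnets in `existing`.
    Returns (ok, reason). A subnet ID must be aligned to its prefix length and must not overlap a
    subnet already in use."""
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError:
        # strict=True refuses IDs with host bits set; strict=False shows the nearest aligned ID.
        aligned = ipaddress.ip_network(candidate, strict=False)
        return False, f"{candidate} is not aligned; the aligned subnet ID would be {aligned}"
    for used in existing:
        if net.overlaps(ipaddress.ip_network(used)):
            return False, f"{candidate} overlaps {used}"
    return True, f"{candidate} is aligned and free"


def free_subnets(parent, prefix, existing):
    """All /prefix subnets of `parent` that do not overlap any subnet in `existing`."""
    parent_net = ipaddress.ip_network(parent)
    used = [ipaddress.ip_network(u) for u in existing]
    return [
        str(s)
        for s in parent_net.subnets(new_prefix=prefix)
        if not any(s.overlaps(u) for u in used)
    ]


def alignment_step(prefix):
    """Step between valid subnet IDs in the last network octet (16 for a /20, 4 for a /22, 1 for a /24)."""
    bits_in_octet = prefix % 8
    return 1 if bits_in_octet == 0 else 2 ** (8 - bits_in_octet)


if __name__ == "__main__":
    existing = ["192.168.32.0/20", "192.168.64.0/20", "192.168.96.0/20"]
    for candidate in ("192.168.20.0/20", "192.168.40.0/20", "192.168.48.0/20", "192.168.60.0/20"):
        print(explain_candidate(candidate, existing)[1])
    print("free /20s in 192.168.0.0/16:", free_subnets("192.168.0.0/16", 20, existing))
```

free_subnets is the question turned around: rather than testing four candidates, it lists every /20 still available in 192.168.0.0/16 once the three configured subnets are excluded.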

7.

A. When using a single NIC, all IP addresses assigned to it must be on the same network segment or on segments that are part of the same single logical network. Answer A, 192.168.0.10 and 192.168.1.10 (both within the 192.168.0.0/16 private block), is the only answer that meets this criterion.

B, C, D. In Answer B, the two addresses to be assigned to the interface, 10.0.0.1 and 172.16.0.1, are located on two different logical networks. The same holds true for Answer C: 172.16.0.1 and 192.168.0.1 are also on separate logical networks. Because a single NIC can carry multiple addresses as long as they belong to the same logical network, Answer D is ruled out.

8.

C. If at least one of a router's interfaces is on the backbone area (area 0), that router is considered a backbone router. Note that the roles are not mutually exclusive: an ABR connects its areas to the backbone, so it is normally also a backbone router.

A, B, D. When all of a router's interfaces are connected to the same area, the router is an internal router. This rules out Answer A. When a router's interfaces are connected to different areas, that router is an area border router (ABR). This rules out Answer B. When the router exchanges routes with sources outside the OSPF autonomous system, such as another routing protocol or redistributed static routes, it is an autonomous system boundary router (ASBR). This rules out Answer D.
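Deriving the roles from a router's interface-to-area assignments, as an added example that is not part of the study guide. The function below returns a set rather than a single role, because a router with one interface in area 0 and another in area 1 is both a backbone router and an ABR, and any of them becomes an ASBR as well once it redistributes external routes. Interface names and the redistributes_external flag are assumptions for the example.

```python
BACKBONE_AREA = "0.0.0.0"


def normalize_area(area):
    """Accept an area ID as an integer (1) or dotted quad ("0.0.0.1") and return the dotted form."""
    area = str(area)
    if "." in area:
        return area
    n = int(area)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ospf_roles(interfaces, redistributes_external=False):
    """Derive a router's OSPF roles from `interfaces`, a mapping of interface name -> area ID.
    `redistributes_external` is True when the router imports routes from outside the OSPF
    autonomous system (another protocol or static routes). Roles are not mutually exclusive."""
    areas = {normalize_area(a) for a in interfaces.values()}
    roles = set()
    if not areas:
        return roles
    if len(areas) == 1:
        roles.add("internal router")
    else:
        roles.add("area border router")
    if BACKBONE_AREA in areas:
        roles.add("backbone router")
    if redistributes_external:
        roles.add("autonomous system boundary router")
    return roles


if __name__ == "__main__":
    # Constructed routers: names and area assignments are invented for the example.
    examples = {
        "core1": ({"Local Area Connection": 0, "Local Area Connection 2": 0}, False),
        "dist1": ({"Local Area Connection": 0, "Local Area Connection 2": 1}, False),
        "edge1": ({"Local Area Connection": 1, "Local Area Connection 2": "0.0.0.1"}, True),
    }
    for name, (ifaces, external) in examples.items():
        print(name, sorted(ospf_roles(ifaces, external)))
```

Running the block shows core1 as an internal backbone router, dist1 as an ABR that is also a backbone router, and edge1 as an internal router in area 1 that is also an ASBR.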

Security Considerations for Routing

9.

As the network administrator, you are asked to set up network access so that a group of contract developers can work via a VPN connection connecting to your network’s Windows Server 2003 VPN server. The contract developers are all using either Windows 2000 Professional or Windows XP Professional workstations. You must meet the following requirements:

  • The contract developers must be allowed to connect to the network via the Internet.

  • You must use PPP encryption.

  • You must use a protocol that provides tunnel authentication.

  • You must use a protocol that secures the data between the endpoints of the tunnel.

You configure a VPN using PPTP. Which of requirements are met? (Select all that apply.)

  1. The contract developers are able to connect to the network via the Internet.

  2. PPP encryption is used.

  3. Tunnel authentication is used.

  4. Data between the endpoints of the tunnel is secure.


10.

You have enabled RRAS on your Windows Server 2003 computer. You want to set up IP packet filtering to help you manage access from remote clients. Where in the Routing and Remote Access console will you enable IP packet filters?

  1. The properties of the remote-access ports

  2. The properties of the remote-access server

  3. The profile of a remote-access policy

  4. The conditions of a remote-access policy


11.

You have set up an isolated, secure subnet with only an RRAS server running on Windows Server 2003 connecting the two parts of your internal network. You are protecting your internal network against unauthorized access with your firewall, and authorized users on the intranet establish VPN tunnels to your secure subnet through the RRAS server. You do have a problem, however. It seems that remote VPN clients cannot access the secure subnet through your configuration. How should you reconfigure the system to allow remote VPN clients access to the secure subnet?

  1. Ask your ISP to create the necessary filters to allow IPSec traffic to pass.

  2. Create filters on the RRAS server to allow only VPN traffic to pass.

  3. Define filters on the firewall to allow the VPN traffic to pass.

  4. Configure the router in front of the firewall to allow IPSec traffic to pass.


12.

You’ve been asked to provide Internet access for clients on your network. You decide to use NAT. You try to establish a secure VPN session from a remote site unsuccessfully. You try again using L2TP. Again the connection fails. You are able to successfully connect when in the same office. Why are you unable to make a connection from the remote location?

  1. You haven’t configured the NAT server to translate the IP Security packets.

  2. You cannot establish an L2TP connection behind a computer running NAT. The L2TP session fails because the IP Security packets become corrupted.

  3. L2TP does not work with Windows Server 2003 VPNs.

  4. NAT does not allow for remote networking.


13.

You’ve just been asked to set up things so that a group of developers can work from home and still connect to your office network. The developers are using either Windows 2000 Professional or Windows XP Professional. You must meet the following requirements:

  • Allow the developers to connect to the network through the Internet.

  • Use PPTP encryption.

  • Use a protocol that provides tunnel authentication.

  • Use a protocol that secures data between the endpoints of the tunnel.

You plan to configure a VPN that uses L2TP. Which requirement or requirements are met?

  1. The developers can connect to the network through the Internet.

  2. PPTP encryption is used.

  3. Tunnel authentication is provided.

  4. Data between the endpoints of the tunnel is secured.


Answers

9.

A, B, D. Using a VPN allows these developers to connect to the local network over the Internet in a secure manner. The VPN lets users exchange data with computers in the network as if there were a point-to-point private link between them. For this to work, a tunneling protocol such as PPTP must encapsulate the PPP frames: PPTP creates the tunnel and uses a modified version of GRE to carry the PPP frames as tunneled data, while Microsoft Point-to-Point Encryption (MPPE) applied to the PPP payload provides the PPP encryption and secures the data between the tunnel endpoints.

C. Unlike L2TP, PPTP does not support tunnel authentication; only PPP user authentication takes place. Note also that MPPE derives its keys from the MS-CHAP authentication exchange, and MS-CHAPv2 is now considered cryptographically weak, so PPTP is no longer a sound choice where confidentiality matters.

10.

C. IP packet filters are configured in the profile of a remote-access policy. The profile also holds settings such as the ability to request a specific IP address, the idle time allowed before disconnection, and the maximum session length.

A, B, D. Packet filtering for remote-access clients cannot be set from the properties sheets of the remote-access server or the remote-access ports, and the conditions of a remote-access policy only determine which connections the policy matches, not what is applied to them.

11.

C. The most likely reason remote VPN clients cannot reach the secure subnet through the RRAS server is that the firewall isn't configured to pass VPN traffic from the Internet. Correct the problem by defining filters on the firewall that allow this traffic (for PPTP, TCP port 1723 and GRE; for L2TP/IPSec, UDP port 500 and ESP, plus UDP port 4500 when NAT traversal is in use) to reach the RRAS server.

A, B, D. Routers between the source and the recipient, including those on the ISP's network and any router you might have in front of the firewall, already forward the packets transparently and are not the choke point here. As a result, Answer A, asking your ISP to create filters allowing IPSec traffic to pass, is not correct. Because internal VPN traffic already works, you know the RRAS server is already accepting VPN traffic, so Answer B, creating filters on the RRAS server, is incorrect as well. Finally, Answer D, configuring the router in front of the firewall, is incorrect for the same reason as Answer A: the router already passes the traffic; it is the firewall that is blocking it.

12.

B. L2TP/IPSec cannot be established through a NAT device unless both endpoints support IPSec NAT Traversal (NAT-T). A plain NAT rewrites the addresses that the IPSec exchange is bound to, and ESP carries no port numbers for the NAT to translate, so the IPSec packets fail verification (the "corruption" Answer B refers to). Windows Server 2003 does support NAT-T, which encapsulates ESP in UDP port 4500; the question's premise is a NAT server without it.

A, C, D. Answer A, regarding not having configured the NAT server to translate the IP Security packets, is incorrect because there is nothing to configure: a plain NAT has no way to translate ESP. L2TP does work with Windows Server 2003 VPNs, so Answer C is incorrect. Finally, Answer D states that NAT doesn't allow for remote networking. This is incorrect, because it does; it just doesn't allow L2TP/IPSec security without NAT-T.
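A small diagnostic covering both this question and Question 11, as an added example that is not part of the study guide. It encodes the flows each VPN type needs a perimeter device to pass (PPTP: TCP 1723 plus GRE, IP protocol 47; L2TP/IPSec: IKE on UDP 500 plus ESP, IP protocol 50, with L2TP's own UDP 1701 carried inside ESP where a firewall never sees it; NAT-T: ESP encapsulated in UDP 4500) and reports what a given firewall rule list is missing, or that a NAT without NAT-T rules the session out regardless of the rules. The rule lists are constructed; the protocol numbers and ports are the standard assignments.

```python
# Flows a firewall in the path must pass, per VPN type. Protocol names stand for IP protocols
# (gre = 47, esp = 50) or for TCP/UDP with a destination port.
REQUIRED = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPSec": [("udp", 500), ("esp", None)],
    "L2TP/IPSec NAT-T": [("udp", 500), ("udp", 4500)],
}


def permits(allowed, proto, port):
    """True if some (protocol, port) rule in `allowed` covers the flow; port None or "any" matches all."""
    return any(
        a_proto == proto and (a_port in (None, "any") or a_port == port)
        for a_proto, a_port in allowed
    )


def missing_flows(vpn_type, allowed):
    """Flows required by `vpn_type` that no rule in `allowed` permits."""
    return [(proto, port) for proto, port in REQUIRED[vpn_type] if not permits(allowed, proto, port)]


def diagnose(vpn_type, allowed, behind_nat=False, peers_support_nat_t=False):
    """Explain why a VPN of `vpn_type` would fail through a firewall with rule list `allowed`.
    Returns an empty list when nothing in the path should stop the connection."""
    problems = []
    if vpn_type == "L2TP/IPSec" and behind_nat:
        if not peers_support_nat_t:
            # A plain NAT rewrites the addresses the IPSec exchange is bound to, and ESP carries
            # no port numbers for the NAT to translate, so the session fails whatever the rules say.
            problems.append("NAT in path and no IPSec NAT-T: L2TP/IPSec cannot be established")
            return problems
        vpn_type = "L2TP/IPSec NAT-T"
    for proto, port in missing_flows(vpn_type, allowed):
        flow = proto if port is None else f"{proto}/{port}"
        problems.append(f"firewall does not pass {flow}")
    return problems


if __name__ == "__main__":
    # Constructed rule list: a firewall opened for PPTP and web traffic but not for L2TP/IPSec.
    firewall = [("tcp", 1723), ("gre", None), ("tcp", 80), ("tcp", 443)]
    print("PPTP:", diagnose("PPTP", firewall))
    print("L2TP/IPSec:", diagnose("L2TP/IPSec", firewall))
    print("L2TP/IPSec via NAT:", diagnose("L2TP/IPSec", firewall, behind_nat=True))
```

For Question 11 the relevant call is diagnose with behind_nat=False against the firewall's rule list; for this question it is the behind_nat=True case, where the answer is the same whether or not the firewall is open.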

13.

A, C. The VPN allows the developers to work from home over the Internet. L2TP combines features of PPTP and Cisco's Layer 2 Forwarding (L2F) and can be used as the tunneling protocol; unlike PPTP, it supports tunnel authentication.

B, D. L2TP does not use PPTP encryption, and L2TP by itself provides no encryption at all: in a Windows L2TP VPN the payload is protected by IPSec, a separate protocol applied beneath the tunnel. Measured against the requirement as written, the tunneling protocol itself does not secure the data between the tunnel endpoints; it is IPSec that does.

Troubleshooting IP Routing

14.

You’ve installed RRAS on a Windows Server 2003 computer in your network. The network is not connected directly to the Internet, and the private IP address range you are using is 192.168.0.0. When you dial in, you connect successfully, but you’re unable to access any resources. Pinging other servers using their IP addresses results in the message “Request timed out.” Running the ipconfig command shows you that your dial-up connection is being given the IP address 169.254.75.182. What should you do to resolve the problem?

  1. Configure the remote-access server to act as a DHCP Relay Agent.

  2. Ensure that the remote-access server is able to connect to a DHCP server that has a scope for its subnet.

  3. Configure the remote-access server with the address of a DHCP server.

  4. Authorize the remote-access server to receive multiple addresses from a DHCP server.


15.

You think you may have a problem on your network. You need to open a command line window and troubleshoot your network. Which of the following lists of commands represent the command-line utilities most often used in maintaining and testing routing functionality?

  1. show helpers, Trace, PING, Route

  2. pathping, Tracert, show helpers, show routing

  3. pathping, PING, Route, Tracert

  4. pathping, PING, Route, Trace


Answers

14.

B. Your dial-up connection is being given an automatic (APIPA) address because the remote-access server is unable to obtain an address for it from a DHCP server that has a scope for the server's subnet.

A, C, D. The address assigned to the dial-up connection, 169.254.75.182, comes from the Automatic Private IP Addressing (APIPA) range, 169.254.0.0/16, which Windows 2000 Professional and Windows XP Professional hosts assign themselves when no DHCP server can be contacted; such an address cannot reach the 192.168.0.0 network, hence the timeouts. Answer A is incorrect because, unless the remote-access server can reach a DHCP server in the first place, relaying DHCP messages is of no help. Answer C is incorrect because a DHCP client is not configured with the address of a DHCP server; DHCP discovery works through broadcast. Finally, Answer D is incorrect because no such authorization step exists; if the server cannot reach a DHCP server, the automatic assignment still takes place.

15.

C. The four command-line utilities most often used in maintaining and testing routing functionality are pathping, ping, route, and tracert.

A, B, D. Answer A is wrong because show helpers is a netsh command and trace is not a Windows networking utility. Answer B is wrong because both show helpers and show routing are netsh commands. Answer D is wrong because, again, trace is not a Windows networking command; the utility that traces a route is tracert.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173