Windows 2000 Routing
The "Routing and Remote Access" administrative tool is used to enable routing on a Windows 2000 Server that is multihomed (has more than one network card). Windows 2000 Professional cannot be a router. Either the "Routing and Remote Access" administrative tool or the "route" command line utility can be used to configure a static router and build its routing table. A manually entered routing table is required for static routing. Dynamic routing does not require a manually entered routing table, since the table is built by the routing protocol software, but it does require additional protocols to be installed on the computer. When adding a static route with the "Routing and Remote Access" tool, the following information is entered:
- Interface - The network card that the route applies to, which is where the packets will come from.
- Destination - Specify the network address that the packets are going to such as 192.168.1.0.
- Network Mask - The subnet mask of the destination network.
- Gateway - The IP address of the network card on the network that is configured to forward the packets such as 192.168.1.1.
- Metric - The number of routers that packets must pass through to reach the intended network. If there is more than one, the gateway address will not be on the destination network.
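To show how the five fields above fit together, here is an added example (not from the original page) that models a static routing table in Python: a route is selected by longest prefix match, then lowest metric, and the check on the gateway makes the point about metrics above concrete. All addresses and interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    interface: str    # network card the route applies to
    destination: str  # destination network address, e.g. 192.168.1.0
    netmask: str      # subnet mask of the destination network
    gateway: str      # address of the card that forwards the packets, e.g. 192.168.1.1
    metric: int       # number of routers the packets must pass through

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}")

    def gateway_on_destination(self) -> bool:
        """True when the gateway sits on the destination network itself, which
        only holds for a directly attached network (metric 1 in this model)."""
        return ipaddress.ip_address(self.gateway) in self.network


def select_route(table, dest_ip):
    """Pick the route a router would use: longest prefix match first,
    then the lowest metric among routes of equal prefix length."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None  # no matching route and no default route: packet is dropped
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


# Constructed sample table (assumed addresses, not from the original page):
# two attached networks plus two remote networks reached through other routers.
ROUTES = [
    Route("NIC1", "192.168.1.0", "255.255.255.0", "192.168.1.1", 1),
    Route("NIC2", "10.0.0.0", "255.0.0.0", "10.0.0.1", 1),
    Route("NIC2", "10.20.0.0", "255.255.0.0", "10.0.0.254", 2),   # gateway not on 10.20.0.0/16
    Route("NIC2", "172.16.0.0", "255.240.0.0", "10.0.0.253", 3),  # gateway not on 172.16.0.0/12
]

if __name__ == "__main__":
    for dest in ("192.168.1.77", "10.20.5.7", "10.3.1.1", "172.20.1.1", "8.8.8.8"):
        r = select_route(ROUTES, dest)
        print(dest, "->", "no route" if r is None else f"{r.interface} via {r.gateway} metric {r.metric}")
```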
Windows 2000 Server supports Network Address Translation (NAT) and a DHCP relay agent. Three dynamic routing protocols supported by Windows 2000 are:
- Routing Information Protocol (RIP) version 2 for IP
- Open Shortest Path First (OSPF)
- Internet Group Management Protocol (IGMP) version 2 with router or proxy support.
The "Routing and Remote Access" tool is used to install, configure, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be configured to use one or more routing interfaces.
OSPF terms:
- Area border router - A router that interfaces to subnets in more than one OSPF area.
- Autonomous system - Routing areas that are administered by a single organization.
- Autonomous system boundary router - A router that connects an autonomous system to another autonomous system or the internet.
- Backbone area - The main OSPF or root routing area that is connected to all other areas with an ID of 0.0.0.0 (ID number does not reflect any IP address).
- Internal router - Router that does internal routing.
- Internal routing - Routing done in one routing area.
- Routing area - A group of IP subnets connected by links with an ID similar to an IP address that is used to identify the area. In Active Directory, a routing area would likely be configured for each site. Passwords are used for each routing area.
Routing Configuration Issues
- RIP - Property box tabs:
  - Security - On the Security tab of the RIP properties dialog box there is a selection of one of:
    - Accept announcements from all routers
    - Accept announcements from listed routers only - A list must be created.
    - Ignore announcements from all listed routers - A list must be created.
  - General - Maximum delay setting controlling how long the router waits before updating other routers. Includes logging controls.
- OSPF - Property box tabs:
  - Areas - In the OSPF properties dialog box (possibly on the Areas tab) select one of the following network types:
    - Broadcast - For normal local area networks.
    - Point-to-point - For demand-dial interfaces.
    - Non-broadcast multiple access (NBMA) - For frame relay or X.25 networks.
  - General - Includes logging controls along with the "Router Identification" field and the "Enable Autonomous System Boundary Router" checkbox.
  - Virtual Interfaces - If an OSPF area is not connected directly to the backbone area, a virtual interface must be created to allow it to reach the backbone through one or more intermediate networks. The virtual interface tells OSPF which router has an interface that connects to the backbone area. The entered password must be the one required by the router with the interface connecting to the backbone area that packets are being sent to.
  - External Routing - Allow or reject external route table sources.
- IGMP - Internet Group Management Protocol (IGMP) version 2 Router and Proxy is used to manage routing of multicast network traffic.
  - Routers must be configured with IGMP to use multicasting on a network. The interface may be configured as an IGMP router or an IGMP proxy. An IGMP router will update its table with group information and forward multicast traffic.
The "Routing and Remote Access" tool server properties dialog box contains these tabs:
- General - Can enable the computer as a router for LAN routing only or for LAN and demand-dial routing. The computer may also be enabled as a Remote Access Server (RAS).
- Security - Can select Windows authentication or RADIUS authentication for remote access and dial-on-demand connections. A provider to log all sessions with the router can be selected. Choices are none, Windows accounting, or RADIUS accounting.
- IP - Can "Enable IP routing", and "Allow IP-based remote access and demand-dial connections". The computer may also be configured to use a DHCP server to assign IP addresses to client computers or to use a static IP address pool.
- PPP - Options:
  - Multilink connections
  - Dynamic bandwidth control using BAP or BACP
  - Link control protocol (LCP) extensions
  - Software compression
- Event Logging - Can enable or disable PPP logging. Other options:
  - Log errors only
  - Log errors and warnings
  - Log the maximum amount of information
  - Disable event logging
Network Address Translation (NAT) is the same thing as IP masquerading. It allows one computer to masquerade on one interface for all other computers that are on another of its interfaces. It is not a firewall, but it adds security while allowing multiple computers to access the internet or an external network through it: external computers cannot directly contact computers on the network inside the NAT computer. The only registered interface is the outside interface on the NAT computer. If that interface is on the internet, it must have a registered IP address. NAT must be set up to use an interface that is configured for routing.
The "Routing and Remote Access" administrative tool is used to install and configure NAT. Components:
- Addressing - A server component that assigns an IP address, netmask, gateway, and DNS server address to clients.
- Translation - Maintains NAT table for connections.
- Name Resolution - Acts as DNS server for internal machines on the network.
NAT Properties dialog box tabs:
- General - Configure event logging to one of log errors only, log errors and warnings, log the maximum amount of information, and disable logging.
- Translation - Configure the number of minutes it takes for NAT to remove TCP and UDP port mappings.
- Address Assignment - Can set "Automatically assign IP addresses by using DHCP" and specify ranges and excluded addresses.
- Name Resolution - Can configure NAT to act as a DNS proxy. If you have a separate DNS server, this option will not be necessary.
NAT Interface Properties dialog box tabs:
- General - Select private interface connected to network or select public interface connected to internet. If it is connected to the internet, there is an option to allow TCP and UDP headers to be translated to send and receive data through the interface.
- Address Pool - A public IP address may be assigned to an internal server (which has a different internal address), such as an FTP or web server. Requests to that public address will be sent internally to that server.
- Special Ports - Forwards requests arriving on specific public ports to another internal address.
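The Translation component, its port-mapping timeout, and the Special Ports forwarding described above, modelled in Python as an added example (not code from the original page or from Windows 2000). Addresses, the 1025 starting port and the default timeouts of 1440 minutes for TCP and 1 minute for UDP are assumptions for the example; outbound traffic creates mappings, and unsolicited inbound traffic is dropped unless a mapping or Special Ports entry exists.

```python
class NatTable:
    """Constructed model of the NAT Translation component: maps internal
    (address, port) pairs to ports on the single public interface."""

    def __init__(self, public_ip, tcp_timeout_min=1440, udp_timeout_min=1, special_ports=None):
        self.public_ip = public_ip
        # Idle minutes before a mapping is removed (the Translation tab setting;
        # the defaults here are assumed, not taken from the page).
        self.timeouts = {"tcp": tcp_timeout_min, "udp": udp_timeout_min}
        # Special Ports: (proto, public port) -> (internal ip, internal port)
        self.special_ports = special_ports or {}
        # Translation table: (proto, public port) -> [internal ip, internal port, last used]
        self.mappings = {}
        self.next_port = 1025  # first public port handed out (assumed)

    def outbound(self, proto, src_ip, src_port, now):
        """Internal host sends a packet out: reuse an existing mapping or create one.
        Returns the (public ip, public port) the packet leaves with."""
        self._expire(now)
        for (p, pub_port), entry in self.mappings.items():
            if p == proto and entry[0] == src_ip and entry[1] == src_port:
                entry[2] = now
                return self.public_ip, pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[(proto, pub_port)] = [src_ip, src_port, now]
        return self.public_ip, pub_port

    def inbound(self, proto, dst_port, now):
        """Packet arrives on the public interface. It is delivered only if it answers
        an existing mapping or hits a Special Ports entry; otherwise None is returned
        and the packet is dropped, which is why outside hosts cannot reach inside hosts."""
        self._expire(now)
        entry = self.mappings.get((proto, dst_port))
        if entry is not None:
            entry[2] = now
            return entry[0], entry[1]
        return self.special_ports.get((proto, dst_port))

    def _expire(self, now):
        """Remove mappings idle for at least the configured number of minutes."""
        stale = [k for k, e in self.mappings.items() if now - e[2] >= self.timeouts[k[0]]]
        for k in stale:
            del self.mappings[k]


if __name__ == "__main__":
    nat = NatTable("203.0.113.5", special_ports={("tcp", 80): ("192.168.0.10", 80)})
    print(nat.outbound("tcp", "192.168.0.20", 40000, now=0))  # client reaches out
    print(nat.inbound("tcp", 80, now=1))    # forwarded to the internal web server
    print(nat.inbound("tcp", 2000, now=1))  # unsolicited: dropped (None)
```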
TCP/IP Packet Filtering
Controls the type of packets (based on destination port) that a routing interface will receive or forward. It is configured from the "Network and Dial-up Connections" folder by right-clicking the local connection and selecting "Properties". You can set specific TCP and UDP ports along with specific IP protocols. Each IP protocol has a protocol number, listed in the protocol (or protocols) file; some examples are TCP, UDP, ICMP, and IGMP.
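An added example (not from the original page) of how a permit-only port and protocol filter of this kind decides on packets, written in Python. The policy, protocol names and sample packets are constructed; the model treats each of the three lists as "permit all" when unset and "permit only" when set, and it does not try to reproduce the exact precedence rules of the Windows 2000 dialog.

```python
# Protocol numbers as listed in the protocol file (assumed path: %SystemRoot%\system32\
# drivers\etc\protocol on Windows, /etc/protocols on Unix).
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}

# Constructed policy. None means "Permit All" for that list; a set means
# "Permit Only" the listed values, mirroring the three lists in the filtering dialog.
WEB_DNS_ONLY = {
    "tcp_ports": {80, 443},      # only web traffic on TCP
    "udp_ports": {53},           # only DNS on UDP
    "ip_protocols": {1, 6, 17},  # ICMP, TCP, UDP; anything else (IGMP 2, GRE 47, ...) is dropped
}
PERMIT_ALL = {"tcp_ports": None, "udp_ports": None, "ip_protocols": None}


def permits(policy, packet):
    """True if the packet passes every list in the policy that is set to Permit Only.
    A packet is a dict with 'proto' (name or number) and, for TCP/UDP, 'dst_port'."""
    proto = PROTO_NUMBERS.get(packet["proto"], packet["proto"])
    allowed_protos = policy.get("ip_protocols")
    if allowed_protos is not None and proto not in allowed_protos:
        return False
    if proto == PROTO_NUMBERS["tcp"]:
        allowed_ports = policy.get("tcp_ports")
    elif proto == PROTO_NUMBERS["udp"]:
        allowed_ports = policy.get("udp_ports")
    else:
        return True  # ICMP, IGMP and other protocols carry no port to filter on
    return allowed_ports is None or packet["dst_port"] in allowed_ports


def apply_filter(policy, packets):
    """Return one (packet, decision) pair per packet, as a filter log would show."""
    return [(p, "permit" if permits(policy, p) else "drop") for p in packets]


# Constructed sample traffic arriving on the filtered interface.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dst_port": 80},
    {"proto": "tcp", "dst_port": 23},  # telnet: not on the TCP port list
    {"proto": "udp", "dst_port": 53},
    {"proto": "icmp"},
    {"proto": "igmp"},                 # protocol 2 is not on the IP protocol list
    {"proto": 47},                     # GRE, given as a bare protocol number
]

if __name__ == "__main__":
    for packet, decision in apply_filter(WEB_DNS_ONLY, SAMPLE_PACKETS):
        print(decision, packet)
```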