The Best Damn Windows Server 2003 Book Period - P80

You should also provide a DHCP server at each location. When you have multiple DHCP servers on your network, use the 80/20 rule to balance the load on each subnet: 80 percent of the scope's address range is served by the primary server and 20 percent by the secondary server, with each server excluding the other's portion so that no address is ever leased twice. A DHCP server must have an interface on each subnet for which it has a scope defined, or you must place a DHCP relay agent on the same subnet as the DHCP clients.

If you implement WINS, you will need to examine the quantity of data replicated between WINS servers and the cost of WINS reverse lookups (WINS-R) issued by DNS servers. You should minimize the number of WINS servers you implement in order to minimize the impact of WINS replication traffic on your network.

Use the Help and Support Center on Windows Server 2003 to see examples of performance statistics in a high-traffic environment; they will help you gauge your enterprise needs.

Planning Network Traffic Management

After you decide where to place your physical equipment, users will begin accessing the services supplied by DHCP, DNS, and WINS. Other traffic comes from Internet access, file sharing, and the many other network resources in use. You can estimate the amount of traffic at peak times by using utilities provided with the operating system. These tools can be used to create baselines, identify the areas of peak network usage, and identify the traffic sources.

You will also need to monitor network traffic and analyze the usage. You might be able to identify illicit network access from external sites, find Trojan horse programs that generate broadcast storms, or just discover who is actually hogging all that Internet bandwidth. You can also determine whether your server-to-server traffic is managed well, or whether it is necessary to move equipment to a different physical location.

Monitoring Network Traffic and Network Devices

Every network administrator should be familiar with two key utilities:

Network Monitor Allows you to capture frames, identify their source, and analyze the content and format of each message.

System Monitor Allows you to monitor other resources and determine the performance of those resources.

Network Monitor should be run during low-usage times or for short intervals to minimize the performance impact of capturing all that data on your machine. It is also useful to identify the type of traffic you are concerned with and use capture filters to collect only the data you need. Bear in mind that a capture contains whatever crossed the wire, including clear-text credentials and other sensitive payloads, so protect capture files as you would any other sensitive data.

Using System Monitor

System Monitor is a Microsoft Management Console (MMC) snap-in that allows you to use counters to monitor the performance of hardware, applications, and operating system components on Windows Server 2003 machines.

756 Chapter 21 • Planning, Implementing, and Maintaining the TCP/IP Infrastructure


System Monitor also allows you to view more than one log file at the same time, so you can compare baseline logs with the current data. The Performance Logs and Alerts service can gather data and store it in a Microsoft SQL Server database that can be viewed by System Monitor. You can also save portions of log files or SQL Server data to a new file. This can help save space, simplify comparisons of data, and reduce analysis time.

Determining Bandwidth Requirements

When you have captured performance statistics and viewed the network traffic at various times of the day, you can identify the different sources of traffic on your network. You will need to analyze how name resolution occurs, where the requests for name resolution originate, and the server-to-server traffic generated when that information is replicated.

You will need to identify the following:

■ The slow connections and the quantity of data transmitted over them. This will help you to identify how often servers transmit replicated data to other servers.

■ The cost of one client obtaining information from these servers. You can then use that figure to calculate the cost of many users.

■ Broadcast traffic, so that you can confine it to certain networks. You will be able to identify areas where clients communicate heavily with particular servers, such as file servers, and locate those resources on the same segment as the heavy users.

Optimizing Network Performance

TCP uses a sliding window to transmit data. As data is acknowledged by the destination, the window slides over the remaining data and the next segments are transmitted. The window size is the maximum amount of data (in bytes, not packets) that the sender may have in flight without waiting for a positive acknowledgment. If you transmit large amounts of TCP data, especially over high-bandwidth or high-latency links, larger TCP windows improve throughput. The window field in the TCP header is 16 bits, so without extensions a receiver can advertise at most 65,535 bytes (roughly 64 KB); the window advertised by the receiving host is what limits the sender. Windows Server 2003 can use larger windows by enabling window scaling, a TCP extension defined in RFC 1323. Client computers can be set to request large windows by editing their Registries (the TCP1323Opts value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: 1 enables window scaling, 2 enables timestamps, 3 enables both).

Such hosts are then called TCP1323Opts-enabled computers. The scale factor is negotiated during the TCP three-way handshake: it takes effect only when both sides include the Window Scale option in their SYN segments, so a peer that does not support RFC 1323 leaves the connection at the unscaled 64 KB limit.
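The following is an added example, not code from the book, modelling the RFC 1323 negotiation just described: scaling takes effect only when both SYN segments carry the Window Scale option, and the shift count can be sized from a link's bandwidth-delay product. The link speed and round-trip time are constructed values; the `Syn` class and the function names are this example's own, not a Windows API.

```python
"""Added example (not from the book): RFC 1323 window scaling as negotiated in
the TCP three-way handshake, and sizing the shift count from the
bandwidth-delay product. Link parameters below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_UNSCALED_WINDOW = 65_535   # the TCP header window field is 16 bits
MAX_SHIFT = 14                 # RFC 1323 limits the shift count to 14


@dataclass
class Syn:
    """The parts of a SYN or SYN-ACK that matter here: the window field and
    the optional Window Scale option (shift count), or None if absent."""
    window: int
    wscale: Optional[int] = None

    def __post_init__(self) -> None:
        if not 0 <= self.window <= MAX_UNSCALED_WINDOW:
            raise ValueError("window field must fit in 16 bits")
        if self.wscale is not None and not 0 <= self.wscale <= MAX_SHIFT:
            raise ValueError("shift count must be 0..14")


def bandwidth_delay_product(bits_per_second: int, rtt_ms: int) -> int:
    """Bytes that must be in flight to keep the link busy for one round trip."""
    return bits_per_second * rtt_ms // 8000


def shift_count_for(window_bytes: int) -> int:
    """Smallest shift count whose scaled 16-bit window reaches window_bytes
    (capped at 14, the protocol maximum)."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < window_bytes and shift < MAX_SHIFT:
        shift += 1
    return shift


def effective_windows(client_syn: Syn, server_synack: Syn) -> Tuple[int, int]:
    """Receive windows (client, server) in bytes after the handshake.
    RFC 1323: the option is in effect only if BOTH SYN segments carry it;
    otherwise each side is limited to its unscaled 16-bit window."""
    if client_syn.wscale is None or server_synack.wscale is None:
        return client_syn.window, server_synack.window
    return (client_syn.window << client_syn.wscale,
            server_synack.window << server_synack.wscale)


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> int:
    """Upper bound on one connection's throughput for a given window and RTT."""
    return window_bytes * 8000 // rtt_ms


if __name__ == "__main__":
    bps, rtt = 100_000_000, 50   # constructed: 100 Mbps WAN link, 50 ms round trip
    bdp = bandwidth_delay_product(bps, rtt)
    cap = max_throughput_bps(MAX_UNSCALED_WINDOW, rtt) // 1_000_000
    print(f"BDP {bdp} bytes; an unscaled 64 KB window caps throughput at {cap} Mbps")
    shift = shift_count_for(bdp)
    print("shift count needed:", shift)
    # Both ends TCP1323Opts-enabled: the scaled window covers the BDP.
    print("both scale:", effective_windows(Syn(65_535, shift), Syn(65_535, shift)))
    # Server lacks the option: the client's requested shift is silently ignored.
    print("server without option:", effective_windows(Syn(65_535, shift), Syn(65_535)))
```

On the constructed 100 Mbps, 50 ms link a single connection cannot exceed about 10 Mbps with the default 64 KB window; a shift count of 4 is enough to cover the 625,000-byte bandwidth-delay product, but only if the peer negotiates it too.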

With Windows Server 2003, it is possible to disable NetBIOS over TCP/IP (NetBT). This can significantly reduce the overhead of data transfer, eliminate the need for WINS and any other NetBIOS name resolution, and remove browse-master traffic. Disabling NetBT also stops the host from listening on UDP 137 and 138 and TCP 139; file and printer sharing continues over direct-hosted SMB on TCP 445 with Windows 2000 and later clients. The drawback to disabling NetBT is that you can no longer browse network resources through the Computer Browser service. In addition, some applications depend on NetBIOS and will not work without it. If you are using NetBIOS name resolution, you should have WINS servers so that clients use directed (unicast) name queries rather than broadcasts for that information. WINS servers share data with each other at a regular interval. You might wish to reduce that traffic by lengthening the replication interval. You should minimize the number of WINS servers used on your network; it is not necessary to have a WINS server on every LAN, and the more WINS servers you implement, the more network traffic is generated by WINS database replication.

The placement of other servers that provide network services is also important. DHCP servers must have an interface on the same segment as the clients that will use them, or you must provide a means for DHCP requests to cross routers (such as a DHCP relay agent, or routers that forward DHCP and BOOTP requests). Place DNS servers on each LAN to minimize the amount of traffic generated by host name resolution. You can also designate which DNS servers act as forwarders, to control which machines perform iterative DNS queries over the Internet.


Planning, Implementing, and Maintaining a Routing Strategy

In this chapter:

■ Understanding IP Routing

■ Security Considerations for Routing

■ Troubleshooting IP Routing

Introduction

In the preceding chapter, you learned about the TCP/IP protocols and how to set up a TCP/IP infrastructure. One of the biggest advantages of TCP/IP as a network/transport protocol stack is its capability to route packets between different networks or subnets. Dealing with routing issues is an important part of the job of a Windows Server 2003 network administrator for a typical medium-to-large size network. In this chapter, we first review the basics of IP routing, including the role of routing tables, static and dynamic routing, and routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

You'll learn to use the Netsh commands related to routing, and then we'll show you how to evaluate routing options. This includes selecting the proper connectivity devices, and we'll discuss hubs, bridges, switches (Layer 2, 3, and 4 varieties), and routers. We'll look at how you can use a Windows Server 2003 machine as a router and how to configure the Routing and Remote Access Service (RRAS) to do so.

Next, we look at security considerations related to routing. We'll show you how to analyze requirements for routing components from a security-conscious point of view, and we'll discuss methods of simplifying the network topology to provide fewer attack points. This includes minimizing the number of network interfaces, the number of routes, and the number of routing protocols. We will also discuss router-to-router virtual private networks (VPNs), packet filtering, firewalls, and logging levels.

Finally, we cover how to troubleshoot IP routing issues. We'll identify troubleshooting tools and take a look at some common routing problems, including those related to interface configuration, RRAS configuration, routing protocols, TCP/IP configuration, and routing table configuration.

Understanding IP Routing Basics

Understanding the concepts of IP addressing is critical to understanding how IP routing works. A good understanding of IP addressing, and subsequently the art of subnetting, requires that you be comfortable with binary notation and arithmetic.

You already know that an IP address is a numeric identifier assigned to every interface on a network. Combined with its subnet mask, the address tells which network the interface is on (the network portion) and which host it is on that network (the host portion).

As a quick review, IP addresses are currently made up of 32 bits of information. These bits are divided into four sections (octets), each containing 1 byte (8 bits). You will see IP addresses specified in three basic formats:

■ Binary, such as 11000000.10101000.00000000.00000001

■ Dotted-decimal, such as 192.168.0.1

■ Hexadecimal, such as C0 A8 00 01

All three of these examples represent the same IP address. In reality, the computer uses only the binary version. The other two formats are provided because they are easier for people to understand and use.

There are three basic types of IP addresses:

Unicast addresses IP addresses assigned to a single network interface attached to the network. Unicast IP addresses are used for one-to-one communication between hosts.

Broadcast addresses IP addresses designed to be received and processed by every host on a given network. They are used for one-to-many communication.

Multicast addresses IP addresses identifying a group that one or more IP nodes on a network segment can join; a packet sent to the group is delivered to every member. Multicast IP addresses are also used for one-to-many communication.

Next, you should also understand the difference between routed and Network Address Translation (NAT) connections. NAT is the process of switching back and forth between the IP addresses used on an internal network, sometimes referred to as private addresses, and Internet IP addresses, sometimes known as public addresses.

There are three address blocks set aside and defined as private address space (RFC 1918):

10.0.0.0 with a subnet mask of 255.0.0.0, or 10.0.0.0/8. This private address space has 24 host bits that can be used.

172.16.0.0 with a subnet mask of 255.240.0.0, or 172.16.0.0/12. This private address space has 20 host bits that can be used. It provides a range of 16 class B network IDs from 172.16.0.0/16 through 172.31.0.0/16.

192.168.0.0 with a subnet mask of 255.255.0.0, or 192.168.0.0/16. This private address space has 16 host bits that can be used. It provides a range of 256 class C network IDs from 192.168.0.0/24 through 192.168.255.0/24.

Remember that private and public address spaces do not overlap, and Internet routers do not carry routes for private space. Machines on an intranet with a private IP address therefore cannot directly connect to the Internet. Instead, they must be connected indirectly via either a proxy server or NAT. Essentially, all of the computers on your intranet are masquerading behind a single public IP address.

Routed connections require a single public IP address for each connection to the Internet

Using NAT allows you to connect multiple private addresses to a single public IP address. This is done by translating and modifying packets to reflect the changed addressing information.

There are three basic components that make up NAT:

Translation This component maintains the NAT table for inbound and outbound connections.

Addressing This component is handled by a stripped-down version of a Dynamic Host Configuration Protocol (DHCP) server that assigns the IP address, subnet mask, default gateway, and IP address of the Domain Name System (DNS) server.

Name resolution This component forwards all name-resolution requests to the DNS server defined on the Internet-connected adapter, and then returns the reply. It can be thought of as a DNS proxy.

Keep in mind that NAT is not always the solution. It is extremely limited when it comes to security: it hides internal addresses but does not authenticate or filter traffic, so it is no substitute for a firewall. Protocols that embed or integrity-protect the IP header cannot survive address rewriting; IPsec Authentication Header (AH), for example, fails through NAT because the changed addresses break its integrity check. Tracking hackers and other problems is also difficult, because the original source IP address is replaced by the NAT's public address in the NAT process: an outside log shows only the public address, so a connection can be attributed to an internal host only if the NAT keeps a timestamped log of its translations. Another problem arises when you try to use NAT with large networks that have many hosts communicating with the Internet at the same time. The size of the mapping tables in this kind of environment is overwhelming and can cause performance problems.
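The following is an added example, not code from the book or from the Windows NAT component, showing the translation table at the heart of the Translation component described above: how two private hosts share one public address, what a server on the Internet sees, why an unsolicited inbound packet is dropped, what happens when the port pool is exhausted, and why attributing a connection to an internal host needs the NAT's own log. All addresses, ports and timestamps are constructed, and the `Nat` and `Packet` names are this example's own.

```python
"""Added example (not from the book): a minimal port address translation (PAT)
table, showing what the outside world sees and why attribution needs the
NAT's own log. All addresses and ports are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

# RFC 1918 private space, as listed in the chapter.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Nat:
    """One public address shared by many private hosts (masquerading)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Endpoint, int] = {}   # (private IP, port) -> public port
        self.inbound: Dict[int, Endpoint] = {}    # public port -> (private IP, port)
        self.log: List[str] = []                  # translation log, kept for attribution

    def translate_outbound(self, pkt: Packet, timestamp: str) -> Packet:
        """Rewrite the source of an outgoing packet; allocate a mapping if new."""
        if not is_private(pkt.src[0]):
            raise ValueError(f"refusing to translate non-private source {pkt.src[0]}")
        port = self.outbound.get(pkt.src)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table full: no free public ports")
            port = self.next_port
            self.next_port += 1
            self.outbound[pkt.src] = port
            self.inbound[port] = pkt.src
            self.log.append(f"{timestamp} {pkt.src[0]}:{pkt.src[1]} -> "
                            f"{self.public_ip}:{port} (first dst {pkt.dst[0]}:{pkt.dst[1]})")
        return Packet((self.public_ip, port), pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a reply; unsolicited packets get None (dropped)."""
        inside = self.inbound.get(pkt.dst[1])
        if inside is None:
            return None
        return Packet(pkt.src, inside)

    def who_used(self, public_port: int) -> Optional[Endpoint]:
        """Attribution: only the NAT's table or log maps a public port back to a host."""
        return self.inbound.get(public_port)

    def table_size(self) -> int:
        return len(self.outbound)


if __name__ == "__main__":
    nat = Nat("198.51.100.1")                      # constructed public address
    web = ("203.0.113.5", 80)                      # constructed Internet server
    a = nat.translate_outbound(Packet(("192.168.0.13", 3001), web), "10:00:01")
    b = nat.translate_outbound(Packet(("192.168.0.42", 3001), web), "10:00:02")
    print("server sees:", a.src, "and", b.src)    # same public IP, different ports
    reply = nat.translate_inbound(Packet(web, b.src))
    print("reply delivered to:", reply.dst)
    print("attribution for port", b.src[1], "->", nat.who_used(b.src[1]))
    print("\n".join(nat.log))
```

A real NAT keys its table on the full connection 5-tuple and ages entries out; this one keys on the internal endpoint only, which is enough to show that `table_size()` grows with every active internal flow and that, once the public port range is used up, new flows fail rather than being silently mis-mapped.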

NAT is discussed in detail later, in Chapter 25, "Planning, Implementing and Maintaining Routing and Remote Access."

Another basic concept related to IP routing is how the Internet Control Message Protocol (ICMP) works. ICMP is a control and error-reporting protocol that passes status information between TCP/IP devices; it does not build routing tables itself, but two of its message types influence them. ICMP Router Discovery (router advertisements and solicitations, RFC 1256) lets hosts learn which routers on their segment are active, and ICMP Redirect lets a router correct a host's choice of next hop. When a client computer starts up on your network, it usually has only a few entries in its routing table. When that host sends data to a specific destination, it first checks its routing table for an entry matching the destination's IP address. If no match is found, the packet is sent to the default gateway. When the default gateway receives the packet, it checks its own routing table and, if it has a matching entry, forwards the packet toward the destination. If the next hop is another router on the same subnet as the sending host, the gateway also sends an ICMP Redirect back to the originating host, telling it to send future packets for that destination to the better router directly; the host records this as a host route. Routers can also let hosts know that they are still active by sending periodic router advertisements.

Neither message type is authenticated. A host that honors redirects from any source can be steered to an attacker's machine on the same segment, so on hosts where the default gateway is the only router it is reasonable to ignore redirects altogether (on Windows Server 2003, set the EnableICMPRedirect value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 0).

Planning, Implementing, and Maintaining a Routing Strategy • Chapter 22 761


Routing Tables

A routing table is basically a list, sometimes a huge one, that is used to direct traffic on a network. The table includes information about what other networks are reachable from a given network, giving the network address and subnet mask, as well as the metric, or cost, of that specific route. Another way to think of it is as a database of routes to other locations.

The way this works is simple. When a packet arrives at the routing device (which could be a dedicated router or a Windows Server 2003 computer), the routing table is searched for the most specific route to the intended destination: the route whose network and mask match the destination with the longest prefix wins, and among routes of equal length the one with the lowest metric is chosen. When there is no specific entry for the destination network, the packet is forwarded to the default gateway, on the assumption that the default gateway will get the packet where it needs to go.

The level of detail, or the number of routes in the table, depends on whether the IP node is a host or a router. Usually, a host will have fewer entries in its table than a router has. For instance, it would be normal to find an IP host configured with only a default gateway; creating a default route in the table effectively summarizes all destinations. Routing tables on a router, on the other hand, will normally contain an entry for each reachable network in the IP internetwork.

Let's turn our attention back to the table itself. Each of the rows in this list, or entries in this database, is commonly referred to as a route. There are three basic types of routes:

Host route A route to a specific IP address in the network. A host is a particular computer, or more specifically, an interface on a computer or device. In these cases, the network mask is always 255.255.255.255 (/32). Host routes are typically used for custom routes to specific hosts, which helps in the optimization and control of a network.

Network ID route A route for classful, classless, subnetted, and supernetted destinations. The network mask in these cases will be somewhere between 128.0.0.0 (/1) and 255.255.255.254 (/31).

Default route A route to all other destinations. This route is used when the routing table contains no host or network ID route that matches the destination in the packet's header. The default route has a destination of 0.0.0.0 and a network mask of 0.0.0.0 (/0), and it is sometimes written as 0/0. All destinations not found in the routing table are simply forwarded to the default route's next hop, which is expected to know how to reach the specific destination.

Each route in the routing table contains the forwarding information for a range of destination IP addresses. This information includes two values: the next-hop interface and the next-hop IP address. The next-hop interface is the physical or logical interface over which the IP packet will be forwarded. The next-hop IP address is the IP address of the node to which the IP packet is being forwarded. In a direct delivery, the next-hop IP address is the destination itself; in an indirect delivery, it is the IP address of a directly reachable intermediate router to which the packet is being forwarded.

The routing table shown in Figure 22.1 (viewed from the Windows Server 2003 Routing and Remote Access console) is for a computer running Windows Server 2003 Enterprise Edition with one 10 Mbps network adapter, an IP address of 192.168.0.13, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1.


Let's look at the individual rows more closely:

■ The first row in the table, beginning with 0.0.0.0, is the default route.

■ The second and third rows, beginning with 127.0.0.0 and 127.0.0.1, are the loopback network and the loopback address.

■ The fourth row, beginning with 192.168.0.0, is the local network (an on-link route: packets for it are delivered directly rather than through a gateway).

■ The fifth row, beginning with 192.168.0.13, is the host route for the local IP address.

■ The second-to-last row, beginning with 224.0.0.0, is the multicast route.

■ The final row, beginning with 255.255.255.255, is the limited broadcast address.
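The following is an added example, not code from the book or from Windows, that builds a table with the seven rows just listed and performs the lookup the text describes (longest prefix match, then lowest metric, with direct delivery for on-link routes). It also covers the ICMP Redirect behaviour from the earlier section: a redirect installs a host route, but only after the checks RFC 1122 asks a host to make, and not at all when redirects are disabled. The gateway and interface columns are modelled on how `route print` displays them; the `Route` class, the function names and the extra router address 192.168.0.254 are this example's assumptions.

```python
"""Added example (not from the book): a routing table modelled on Figure 22.1
with longest-prefix-match lookup, plus ICMP Redirect handling and the
sanity checks a host should apply before honouring one."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_IP = "192.168.0.13"      # the chapter's example host
DEFAULT_GW = "192.168.0.1"


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop IP; equals the interface IP for on-link routes
    interface: str    # next-hop interface, shown by its IP as Windows does
    metric: int


def build_table() -> List[Route]:
    """The seven rows the text describes, in the order route print shows them."""
    def r(net: str, gw: str, ifc: str, metric: int) -> Route:
        return Route(ipaddress.ip_network(net), gw, ifc, metric)
    return [
        r("0.0.0.0/0", DEFAULT_GW, LOCAL_IP, 20),            # default route
        r("127.0.0.0/8", "127.0.0.1", "127.0.0.1", 1),       # loopback network
        r("127.0.0.1/32", "127.0.0.1", "127.0.0.1", 1),      # loopback address
        r("192.168.0.0/24", LOCAL_IP, LOCAL_IP, 20),         # local network (on-link)
        r("192.168.0.13/32", "127.0.0.1", "127.0.0.1", 20),  # local IP address
        r("224.0.0.0/4", LOCAL_IP, LOCAL_IP, 20),            # multicast
        r("255.255.255.255/32", LOCAL_IP, LOCAL_IP, 1),      # limited broadcast
    ]


def lookup(table: List[Route], destination: str) -> Tuple[str, str]:
    """Longest prefix match, then lowest metric. Returns (next_hop, interface);
    for on-link routes the next hop is the destination itself (direct delivery)."""
    dst = ipaddress.ip_address(destination)
    candidates = [rt for rt in table if dst in rt.network]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    best = max(candidates, key=lambda rt: (rt.network.prefixlen, -rt.metric))
    next_hop = destination if best.gateway == best.interface else best.gateway
    return next_hop, best.interface


def on_link(table: List[Route], ip: str) -> bool:
    """True if ip lies in a directly connected (gateway == interface) network."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_multicast and any(
        addr in rt.network and rt.gateway == rt.interface and rt.network.prefixlen < 32
        for rt in table)


def handle_redirect(table: List[Route], sender: str, destination: str,
                    new_gateway: str, accept_redirects: bool = True) -> bool:
    """Process an ICMP Redirect for destination. Per RFC 1122 the host should
    install it only if it came from the router currently used for that
    destination and the proposed gateway is directly reachable.
    accept_redirects=False models EnableICMPRedirect=0 (ignore them all).
    Returns True if a host route was installed."""
    if not accept_redirects:
        return False
    current_hop, interface = lookup(table, destination)
    if sender != current_hop:
        return False          # not from the router we are using: treat as spoofed
    if not on_link(table, new_gateway):
        return False          # we could not reach the proposed router directly anyway
    table.append(Route(ipaddress.ip_network(destination + "/32"), new_gateway, interface, 20))
    return True


if __name__ == "__main__":
    table = build_table()
    for dst in ("192.168.0.77", "10.1.2.3", "224.0.0.9", "255.255.255.255"):
        print(dst, "->", lookup(table, dst))
    # A forged redirect from a host that is not our gateway is ignored...
    print("spoofed:", handle_redirect(table, "192.168.0.99", "10.1.2.3", "192.168.0.254"))
    # ...but one from the real gateway installs a host route that wins on prefix length.
    print("genuine:", handle_redirect(table, DEFAULT_GW, "10.1.2.3", "192.168.0.254"))
    print("10.1.2.3 ->", lookup(table, "10.1.2.3"))
```

The sender check is the important one: without it, any machine on the LAN could announce itself as the shortcut to a destination and read that traffic. The installed route is a /32, so it takes precedence over the default route for that one destination only.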

We'll now turn our attention to the upkeep of these tables. You can perform the maintenance of the routing tables manually or automatically. If you do it manually, you'll be using static routing. If you do it automatically, you'll be using dynamic routing. Let's take a closer look at these two concepts.

Static versus Dynamic Routing

Remember that the basic idea of routing is that each packet on your network has a source and a destination. That means any device that receives the packet inspects the packet's headers to determine where it came from and where it's going. When the device has information about the network, such as how long it would take a packet to travel from one point to another, it can change the routing intelligently to improve the performance of the network.

Static routing uses manually configured routes. There is no attempt to discover other routers or systems on the network: all entries in the routing table are entered by hand, and the table is used to reach other networks. This type of routing works well with classless routing, because each route must be added with a network mask. It works well for small networks, but it doesn't scale well. Static routes are often used for the connection to the Internet. Because no routing protocol runs, there is no routing-update traffic for an attacker to spoof; the price is that static routing is not fault tolerant, so if a link fails the static route stays in the table and traffic is black-holed until an administrator changes it.

Figure 22.1 IP Routing Table

Dynamic routing doesn't depend on fixed, unchangeable routes to remote networks being added to the routing tables. In other words, you don't need to enter the routes by hand. Dynamic routing uses routing protocols to maintain the routing tables. It allows a router to discover the surrounding networks by finding and communicating with other nearby routers in the network. Routes are discovered using routing protocol traffic and are then added to or removed from IP routing tables as required. Dynamic routing can provide fault tolerance: when a route becomes unreachable, it is removed from the routing table. Figure 22.2 shows a more complex network using dynamic routing.

Gateways

As you know, a gateway is a device that connects networks using different communication protocols in a way that allows information to pass from one network to the other. It both transfers and converts the information into a form that can be used by the protocols on the receiving network. In TCP/IP terminology, however, gateway is usually just another word for router. A router, by definition, is a device or computer that forwards packets between two or more network segments as necessary, using logical network addresses, most often IP addresses. The default gateway is a router that connects your host to remote network segments. It's the exit point for all packets from your network whose destinations lie outside your network.

Routing Protocols

Routing protocols enable new, or rebooted, routers to learn the network's routes automatically. The two major and most common dynamic-routing protocols are RIP and OSPF. Both are supported by the Windows Server 2003 family. Both are interior gateway protocols (IGPs), meaning that they exchange routes among the routers within a single autonomous system (not to be confused with Cisco's proprietary IGRP). But before we discuss these two protocols, we need to explore how protocols make routing decisions.

In general, routing protocols can use one of two different approaches to making routing decisions:

Distance vectors A distance-vector protocol makes its decision based on a measurement of the distance between the source and the destination addresses.

Link states A link-state protocol bases its decisions on the states of the links that connect the source and the destination addresses.


Figure 22.2 A More Complex Network Using Dynamic Routing (network diagram: servers, workstations, and IBM-compatible PCs on several routed segments; device labels omitted)

Distance-vector algorithms, also known as Bellman-Ford algorithms, periodically pass copies of their routing tables to their immediate network neighbors. The recipient adds what is called a distance vector, which is little more than a distance value, to the routing table it has just received, and then forwards it on to its own immediate neighbors. The process results in each router learning about the other routers and thereby developing a cumulative table of network distances. This table is then used to update the router's own routing table. Keep in mind that the only thing the router learns is distance; it trusts whatever its neighbors tell it, so a rogue or misconfigured neighbor can inject routes that every router downstream will accept.

The main drawback to distance-vector routing is that it takes time for changes in a network to propagate across the network. This makes distance-vector routing inappropriate for larger, more complex networks. The advantages of distance-vector routing are its ease of configuration, use, and maintenance. As we will discuss shortly, RIP is the epitome of distance-vector routing.

Link-state routing algorithms are collectively known as shortest path first (SPF) protocols. OSPF, which will be discussed shortly, is an example of this protocol group. These protocols maintain a complex database that describes the network's topology. Link-state protocols develop and maintain extensive information concerning the network's routers and how they interconnect. They do this by exchanging link-state advertisements (LSAs) with each other. Any change in the network will trigger the exchange of LSAs. Each router then constructs an extensive database from the LSAs it receives and runs the SPF computation over it, so it can compute routes and determine how reachable the networked destinations really are. This information is then used to update the routing table. Component failures and growth of the network are easily accommodated.

The main drawbacks to using link-state protocols involve their heavy use of bandwidth, memory, and processor time. Especially during the initial discovery process, link-state protocols flood the network with messages, thereby lowering overall network efficiency. Overall, link-state protocols also require more memory and faster processors than distance-vector protocols need for efficient operation.

The main advantage of link-state protocols comes into play with large and complicated networks. A well-designed network is better able to withstand the effects of unexpected changes using link-state protocols. The overhead of the frequent, timer-driven updates required by distance-vector protocols is avoided. Networks using a link-state protocol are also more scalable. For most large networks, the advantages of using link-state protocols outweigh the disadvantages.
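The following is an added example, not code from the book or from any OSPF implementation, showing the two steps the preceding paragraphs describe: each router floods an LSA listing its links and costs, every router assembles the same link-state database, and each one runs a shortest-path-first (Dijkstra) computation from itself to derive next hops. It also shows how a link failure is handled (the affected routers flood new LSAs and the SPF result changes) and includes OSPF's two-way check, so a link is used only if both ends advertise it. The four-router topology, its costs and the `Lsdb` type are constructed for this example.

```python
"""Added example (not from the book): the link-state database (LSDB) a router
builds from received LSAs and the shortest-path-first (Dijkstra) run over
it. The topology and costs are constructed."""
import heapq
from typing import Dict, List, Tuple

LSA = Tuple[str, Dict[str, int]]       # (originating router, {neighbour: link cost})
Lsdb = Dict[str, Dict[str, int]]


def build_lsdb(lsas: List[LSA]) -> Lsdb:
    """Install LSAs in arrival order; a later LSA from the same router replaces
    its earlier one, which is how a link failure reaches every router."""
    db: Lsdb = {}
    for router, links in lsas:
        db[router] = dict(links)
    return db


def spf(db: Lsdb, root: str) -> Dict[str, Tuple[int, str]]:
    """Dijkstra from root. Returns destination -> (total cost, first hop).
    A link is usable only if BOTH ends advertise it (OSPF's two-way check),
    so a one-sided or stale LSA cannot pull traffic onto a phantom link."""
    cost: Dict[str, int] = {root: 0}
    first_hop: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue                                   # stale heap entry
        for nbr, link_cost in db.get(node, {}).items():
            if node not in db.get(nbr, {}):
                continue                               # two-way check failed
            new_cost = c + link_cost
            if new_cost < cost.get(nbr, float("inf")):
                cost[nbr] = new_cost
                first_hop[nbr] = nbr if node == root else first_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {d: (cost[d], first_hop[d]) for d in cost if d != root}


def routing_table(db: Lsdb, root: str) -> Dict[str, str]:
    """Destination -> next hop, the part of the SPF result that gets installed."""
    return {dest: hop for dest, (_, hop) in spf(db, root).items()}


# Constructed topology: A-B cost 10, A-C 1, B-C 1, B-D 5, C-D 20.
INITIAL_LSAS: List[LSA] = [
    ("A", {"B": 10, "C": 1}),
    ("B", {"A": 10, "C": 1, "D": 5}),
    ("C", {"A": 1, "B": 1, "D": 20}),
    ("D", {"B": 5, "C": 20}),
]
# After the B-C link fails, B and C each flood a new LSA without it.
AFTER_BC_FAILURE: List[LSA] = INITIAL_LSAS + [
    ("B", {"A": 10, "D": 5}),
    ("C", {"A": 1, "D": 20}),
]

if __name__ == "__main__":
    print("A before:", spf(build_lsdb(INITIAL_LSAS), "A"))
    print("A after B-C fails:", spf(build_lsdb(AFTER_BC_FAILURE), "A"))
    # A one-sided LSA (X claims a link to A, A never confirms it) yields no route.
    print("with phantom X:", spf(build_lsdb(INITIAL_LSAS + [("X", {"A": 1})]), "A"))
```

Before the failure A reaches D through C at cost 7 (A-C-B-D); afterwards it must go through B at cost 15, and every router computes that new answer from the same updated database rather than waiting for neighbours to relay a distance.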

RIP

RIP is simple and easy to configure and is used widely in small and medium-sized networks. RIP is an IGP used to route data within an autonomous system. RIP does have performance limitations, however, that restrict its usefulness on medium-sized to large networks. RIP is a distance-vector routing protocol. This means it distributes routing information in the form of a network ID and the number of hops (the distance) to the destination. RIP has a maximum distance of 15 hops; a metric of 16 means the destination is unreachable.

There are two versions of RIP: version 1, described in RFC 1058, and version 2, described in RFC 1723 (later updated by RFC 2453). Windows Server 2003 supports both RIP versions.

RIP version 1 is a classful routing protocol: only the network ID is announced, so subnet masks must be inferred from the address class. RIP version 2 is a classless routing protocol that includes both a network ID and a subnet mask in each announcement. It also carries additional fields, allowing for authentication and thus a measure of security. Note that the authentication RFC 1723 defines is a simple password sent in clear text in each announcement; it guards against accidental misconfiguration, not against an attacker who can sniff the segment and replay the password with forged routes.
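The following is an added example, not code from the book or from the RRAS RIP implementation, covering both the distance-vector discussion above and this RIP section: routers exchange distance vectors, a hop-count metric with 16 as infinity limits usable paths to 15 hops, split horizon with poisoned reverse stops a route from bouncing back to the router it came from, a link failure propagates as a metric of 16, and, because nothing authenticates the sender, a forged announcement with a low metric is accepted. The router names, the network "N" and the "rogue" sender are constructed.

```python
"""Added example (not from the book): RIP-style distance-vector exchange with
hop-count metric, 16 as infinity, split horizon with poisoned reverse, a
link failure, and an unauthenticated route injection. Topologies constructed."""
from typing import Dict, List, Optional, Tuple

INFINITY = 16   # RIP: 16 means unreachable, so the longest usable path is 15 hops


class RipRouter:
    def __init__(self, name: str, connected: List[str]):
        self.name = name
        # network -> (metric, next hop); directly connected networks cost 1 (RFC 1058)
        self.table: Dict[str, Tuple[int, Optional[str]]] = {n: (1, None) for n in connected}

    def advertisement_for(self, neighbour: str) -> Dict[str, int]:
        """Distance vector sent to one neighbour, using split horizon with
        poisoned reverse: routes learned from that neighbour go back as 16."""
        return {net: (INFINITY if hop == neighbour else metric)
                for net, (metric, hop) in self.table.items()}

    def receive(self, sender: str, vector: Dict[str, int]) -> bool:
        """Bellman-Ford update from a received vector; True if the table changed.
        Note what is NOT checked: nothing proves that sender is a legitimate
        router. RIPv1 has no authentication; RIPv2's is a clear-text password."""
        changed = False
        for net, advertised in vector.items():
            metric = min(advertised + 1, INFINITY)
            current = self.table.get(net)
            if current is None:
                accept = metric < INFINITY
            elif current[1] == sender:
                accept = metric != current[0]    # from current next hop: accept worse news too
            else:
                accept = metric < current[0]
            if accept:
                self.table[net] = (metric, sender)
                changed = True
        return changed

    def metric_to(self, net: str) -> int:
        return self.table.get(net, (INFINITY, None))[0]

    def reachable(self) -> List[str]:
        return sorted(net for net, (metric, _) in self.table.items() if metric < INFINITY)

    def neighbour_down(self, neighbour: str) -> None:
        """Link loss: every route via that neighbour becomes unreachable. RIP keeps
        the entry at 16 until its garbage-collection timer deletes it."""
        for net, (metric, hop) in list(self.table.items()):
            if hop == neighbour:
                self.table[net] = (INFINITY, hop)


def converge(routers: Dict[str, RipRouter], links: List[Tuple[str, str]],
             max_rounds: int = 64) -> bool:
    """Exchange vectors over every link until no table changes; True if converged."""
    for _ in range(max_rounds):
        changed = False
        for a, b in links:
            changed |= routers[b].receive(a, routers[a].advertisement_for(b))
            changed |= routers[a].receive(b, routers[b].advertisement_for(a))
        if not changed:
            return True
    return False


def chain(length: int) -> Tuple[Dict[str, RipRouter], List[Tuple[str, str]]]:
    """R0 .. R(length-1) in a line; only R0 is directly connected to network N."""
    routers = {f"R{i}": RipRouter(f"R{i}", ["N"] if i == 0 else []) for i in range(length)}
    links = [(f"R{i}", f"R{i + 1}") for i in range(length - 1)]
    return routers, links


if __name__ == "__main__":
    routers, links = chain(17)
    converge(routers, links)
    for name in ("R0", "R14", "R15", "R16"):
        print(name, "metric to N:", routers[name].metric_to("N"))   # R15 and R16: unreachable
    routers, links = chain(3)                  # R0 - R1 - R2
    converge(routers, links)
    routers["R2"].receive("rogue", {"N": 1})   # forged announcement: 2 hops beats the real 3
    print("R2 now sends N via", routers["R2"].table["N"])
```

The chain shows the 15-hop limit directly: R14 is 15 hops from N and still reaches it, while R15 computes 16 and never installs the route. The last lines show why the authentication paragraph matters: an announcement from a sender the router has never heard of replaces a legitimate route simply because its metric is lower.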


Posted: 05/07/2014, 00:20