
Managing IP Routing

We will be covering the following topics regarding Microsoft’s Routing and Remote Access Services.

  • Understanding IP Routing
  • Installing RRAS
  • Configuring IP Routing
  • Configuring TCP/IP Packet Filters
  • Configuring VPN Packet Filters

Understanding IP Routing

The first term that needs to be discussed is routing.  In its most basic form, “routing is the process of delivering traffic to the correct address”.  In terms of routing packets, every packet contains a source and destination address.

Below is an example of an IP header.  The IP address and subnet mask each use 32 bits, or 4 octets.  See the IPv4 article on Wikipedia to read more.

 

Although the job of routing is primarily done by routers, such as Microsoft’s Routing and Remote Access Server, every Windows PC contains its own routing table.  Below is a sample routing table being used on my own laptop while connected to the Sprint Wireless Broadband network.  There are two commands that can be used to display the following local routing table:

route print or netstat -r

As you can see, it lists all of my existing network adapters or connections and their corresponding MAC addresses.  Some other relevant information here is:

  • Network address of the remote host or network – (Network Destination + Netmask)
  • Forwarding address to which traffic for the remote network should be sent – (Default Gateway)
  • Network interface that should be used to send the packet to the forwarding address – (Interface)
  • A cost, or metric, that indicates what relative priority should be assigned to this route – (Metric)

These routes can be static or dynamic.  Dynamic routes are created by routing protocols which discover the world around them and communicate with other routers.  A static route is a manual entry which is applied until removed.  The following command can be used to add a persistent static route to the table above, which currently has no static routes configured.

route -p add x.x.x.x mask x.x.x.x <default gateway> metric 1
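
How a host uses the columns listed above to pick a route, as an added example that is not from the original post: among the entries whose destination and netmask contain the target address, the longest netmask wins and the lowest metric breaks ties. The table rows and addresses are constructed, and the selection rule goes beyond what the post itself states.

```python
import ipaddress

# Constructed rows: (network destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",    "0.0.0.0",       "192.0.2.1",   "192.0.2.50", 25),
    ("192.0.2.0",  "255.255.255.0", "On-link",     "192.0.2.50", 281),
    ("10.20.0.0",  "255.255.0.0",   "192.0.2.254", "192.0.2.50", 30),
    ("10.20.30.0", "255.255.255.0", "192.0.2.253", "192.0.2.50", 40),
    # A static route for the same network with a lower metric is preferred
    ("10.20.30.0", "255.255.255.0", "192.0.2.252", "192.0.2.50", 10),
]

def select_route(dest, routes=ROUTES):
    """Return (gateway, interface, metric) of the route used for dest, or None."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network:
            # Sort key: longest prefix first, then lowest metric
            candidates.append((network.prefixlen, -metric, gateway, iface))
    if not candidates:
        return None
    _, neg_metric, gateway, iface = max(candidates)
    return gateway, iface, -neg_metric

if __name__ == "__main__":
    for dest in ("10.20.30.7", "10.20.99.1", "192.0.2.99", "203.0.113.5"):
        print(dest, "->", select_route(dest))
```

A more specific entry always overrides the default gateway, which is why unexpected persistent routes are worth reviewing when auditing a host's table.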

Two dynamic routing protocols used by RRAS are Open Shortest Path First (OSPF) and Routing Information Protocol (RIPv2).  RIPv2 has the following characteristics:

  • Uses multicasts only when the routes have changed
  • Supports plaintext authentication of username\password
  • Forces triggered updates
  • Prevents loops
  • Supports a metric of 15

RRAS can be used to set up two kinds of filters for notifying and listening for updates:

  • Route Filter: choose the networks you want to accept announcements for
  • Peer Filter: control which neighboring routers your router will listen to

RIPv2 has the following operation modes:

  • Periodic Update Mode: the RIP router sends out its list of known routes at periodic intervals which you define, and the routes are cleared once the router is rebooted
  • Auto-Static Update Mode: the RRAS router broadcasts the contents of its routing table only when a remote router asks for it, and the routes remain static even after rebooting

As it turns out RIP is used mainly for small networks and for much larger networks OSPF is used.  The following are OSPF characteristics:

  • Free of loops
  • Uses a link-state map and adjacencies with neighboring routers
  • Areas are used to break down a large network into more manageable segments and Area Border routers interlink them.
  • Uses multicast for router updates

The following are the OSPF routing Multicast Addresses used:

  • 224.0.0.0 – Base address
  • 224.0.0.1 – All Hosts, all systems on same network
  • 224.0.0.2 – All Routers, all routers on same network
  • 224.0.0.5 – All OSPF Routers
  • 224.0.0.6 – All Designated OSPF Routers
  • 224.0.0.9 – All RIP 2 Routers

The Internet Group Management Protocol (IGMP) is used to exchange multicast group membership and RRAS has two modes: Router and Proxy. 

Ex: 9.1: Installing the Routing and Remote Access Services for IP Routing

Once the RRAS server has been installed you will see the following:

Ex: 9.2: Creating a Demand Dial Interface

On the General icon under IP Routing you will see all available interfaces including the Demand Dial one just created:

Note: This Internal interface is part of RRAS and represents all Remote Access Services (RAS) devices. All RAS clients are part of this interface.

Ex: 9.3: Installing the RIP and OSPF Protocols

Once RIPv2 has been installed you will now see the following addition under IP Routing called RIP

Once you have added the routing protocols you will also need to attach them to an interface.  Right-click RIP and choose “New Interface”.  Add the Demand Dial interface configured earlier.  Now Right-Click the interface and choose “Properties”.  There are several tabs including the following:

  • General
  • Security
  • Neighbors
  • Advanced

On the “Advanced” tab, two options that can be enabled are “Enable Split Horizon Processing” and “Enable Poison-Reverse Processing”.  Enable Split Horizon Processing stops a route learned by a RIP router on a network from being rebroadcast to that network, and therefore prevents routing loops.  Enable Poison-Reverse Processing modifies Split Horizon so that routes learned from a network are rebroadcast to that network with a metric of 16.  I’ve come across both concepts when taking practice exams for 291.
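
The effect of the two options on what a RIP router advertises, as an added example that is not from the original post. The two-router topology, interface names and network are constructed: router A has just lost its directly connected network, and router B, which learned that network from A over "link", sends its next update back to A.

```python
INFINITY = 16  # RIP metric meaning "unreachable"

def build_advertisement(table, out_iface, mode="none"):
    """Return {network: metric} sent out of out_iface.

    table maps network -> (metric, interface the route was learned on).
    mode is "none", "split_horizon" or "poison_reverse".
    """
    adv = {}
    for net, (metric, learned_on) in table.items():
        if learned_on == out_iface and mode == "split_horizon":
            continue                      # never announce it back
        if learned_on == out_iface and mode == "poison_reverse":
            adv[net] = INFINITY           # announce it back as unreachable
            continue
        adv[net] = metric
    return adv

def apply_advertisement(table, adv, in_iface):
    """Merge a received update the way a distance-vector router does."""
    for net, metric in adv.items():
        new_metric = min(metric + 1, INFINITY)
        cur_metric, cur_iface = table.get(net, (INFINITY, None))
        # Take a better route, or any change from the current next hop
        if new_metric < cur_metric or cur_iface == in_iface:
            table[net] = (new_metric, in_iface)
    return table

def simulate_failure(mode):
    """Return (B's update to A, A's resulting route) after A's network fails."""
    net = "10.0.0.0/24"
    a = {net: (INFINITY, "lan")}   # A marks its failed network unreachable
    b = {net: (2, "link")}         # B learned it from A over "link"
    adv_from_b = build_advertisement(b, "link", mode)
    apply_advertisement(a, adv_from_b, "link")
    return adv_from_b, a[net]

if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        print(mode, simulate_failure(mode))
```

With neither option, A installs the dead network via B at metric 3 while B still points at A, which is the routing loop both options exist to prevent.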

OSPF also needs to be attached to an interface, and this is done exactly the same way as for RIP.  The tabs however are different.  OSPF has the following tabs:

  • General
  • NBMA Neighbors (Non Broadcast Multiple Access)
  • Advanced

Configuring TCP/IP Packet Filters

The reason why routers are most often used as gateway devices in relation to security is that they are able to screen out unwanted traffic through the use of packet filters.  Packet filters work in both directions and can be configured to both allow and deny traffic into and out of your network.  They are associated with a particular network interface and can be used to filter by IP address and/or protocol.

Configuring VPN Packet Filters

There are two types of VPN packet filters that can be created: PPTP or L2TP.  PPTP and L2TP require 2 filters for incoming and 2 for outgoing. 

PPTP requires filters set up to allow Protocol ID 47 GRE (Generic Routing Encapsulation) and TCP 1723 for PPTP.

Ex: 9.5: Configuring PPTP Packet Filters

  1. Expand the server and IP Routing nodes to expose the General node
  2. Right-click the appropriate interface and choose Properties
  3. In the General tab of the interface Properties dialog box, click the Inbound Filters button.
  4. Click the New button and the Add IP Filter dialog box appears
  5. Fill out the Add IP Filter dialog box as follows
  6. Once you click OK the Inbound Filters box reappears.  Repeat step 5, but this time specify Other in the Protocol field and fill in a protocol ID of 47.  You should see the following:
  7. In the Inbound Filters dialog box, click the Drop All Packets Except Those That Meet The Criteria Below radio button and click OK.
  8. Repeat steps 3-7 but this time create output filters.  Make sure to specify the IP address of the VPN adapter as the source, not the destination.
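
The four filters from this exercise modeled as data, with the “drop all except” action applied to sample packets; this is an added example, not part of the original post. The addresses are constructed, and the field layout (VPN adapter as inbound destination with TCP destination port 1723, and as outbound source with TCP source port 1723) is an assumption, since the dialog contents are not reproduced in the text.

```python
from collections import namedtuple

# proto is the IP protocol number: 6 = TCP, 47 = GRE. None in a filter = any.
Filter = namedtuple("Filter", "src dst proto sport dport")
Packet = namedtuple("Packet", "src dst proto sport dport")

VPN_IP = "192.0.2.10"    # constructed address of the VPN adapter
CLIENT = "198.51.100.7"  # constructed remote PPTP client

def pptp_filters(vpn_ip):
    """Two inbound and two outbound filters (field layout is an assumption)."""
    inbound = [Filter(None, vpn_ip, 6, None, 1723),    # PPTP control, TCP 1723
               Filter(None, vpn_ip, 47, None, None)]   # GRE, protocol ID 47
    outbound = [Filter(vpn_ip, None, 6, 1723, None),   # adapter is the source
                Filter(vpn_ip, None, 47, None, None)]
    return inbound, outbound

def matches(flt, pkt):
    """Every non-wildcard filter field must equal the packet field."""
    return all(want is None or want == got for want, got in zip(flt, pkt))

def permitted(filters, pkt):
    """Drop All Packets Except Those That Meet The Criteria Below."""
    return any(matches(f, pkt) for f in filters)

def demo():
    inbound, outbound = pptp_filters(VPN_IP)
    # Step 8 mistake: adapter address entered as destination on the output side
    wrong_out = [Filter(None, VPN_IP, 6, 1723, None),
                 Filter(None, VPN_IP, 47, None, None)]
    reply = Packet(VPN_IP, CLIENT, 6, 1723, 50123)  # server-to-client control reply
    return {
        "in_pptp": permitted(inbound, Packet(CLIENT, VPN_IP, 6, 50123, 1723)),
        "in_gre": permitted(inbound, Packet(CLIENT, VPN_IP, 47, None, None)),
        "in_other_tcp": permitted(inbound, Packet(CLIENT, VPN_IP, 6, 50124, 3389)),
        "out_reply": permitted(outbound, reply),
        "out_reply_wrong_filter": permitted(wrong_out, reply),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'forward' if allowed else 'drop'}")
```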

Exercises for Chapter 9: Managing IP Routing

9.1 – Installing the Routing and Remote Access Services for IP Routing
9.2 – Creating a Demand Dial Interface
9.3 – Installing the RIP and OSPF Protocols
9.4 – Adding and Removing Static Routes
9.5 – Configuring PPTP Packet Filters
9.6 – Monitoring Routing Status

  1. December 17, 2014 at 2:58 pm

    I’m amazed, I have to admit. Seldom do I encounter a blog that’s both equally educative
    and engaging, and without a doubt, you have hit the nail on the
    head. The problem is something which too few folks are
    speaking intelligently about. Now I’m very happy I came
    across this during my search for something concerning this.
