Chapter 4, IP Routing Designs

Networks and Communications

29 Oct 2013


|1|

Chapter 4 Overview


A.

Designs That Include IP Routing


1.

Describe the role of IP routing in Windows 2000.


2.

Identify IP routing business requirements and constraints.


3.

Review IP routing decisions for multiple and single locations.


B.

Essential IP Routing Design Concepts


1.

Determine where to place routers in new and existing designs.


2.

Select methods for maintaining unicast routing tables.


3.

Understand multicast routing.


4.

Learn when to implement Internet Group Management Protocol (IGMP)
multicast proxy and Dynamic Host Configuration Protocol (DHCP)
Relay Agent.


C.

Data Protection on Unsecured Segments


1.

Prevent unwanted IP traffic by using IP packet filtering.


2.

Determine when to use router authentication.


3.

Learn when to use Internet Protocol Security (IPSec) or virtual private
network (VPN) to encrypt data.


D.

IP Routing Design Optimization


1.

Improve IP routing availability.


2.

Improve the performance of the design.

Chapter 4, Lesson 1

Designs That

Include IP Routing


1.

IP Routing in Windows 2000


A.

Routing in Windows 2000 is provided by Routing and Remote Access.


1.

Any computer running Windows 2000 can provide routing for the
network.


2.

All TCP/IP devices in the network can participate in routing because
each device maintains a routing table.

|2|

B.

Routing example: when a source host sends an IP packet to the
destination host


1.

The source host determines the IP address of the destination host


2.

The source host examines its local routing table and determines that the
destination host can be reached through Router A


3.

The source host sends the IP packet to Router A


a.

This is known as host routing.


b.

All TCP/IP devices must support host routing, and most operating
systems do.


4.

Router A examines its local routing table and determines that the
destination host can be reached through Router B


5.

Router A forwards the IP packet to Router B


a.

This is known as router routing.

Outline, Chapter 4: Designing a Microsoft Windows 2000 Network Infrastructure



b.

Typically, hardware routers, IP switches and

other hardware support
router routing.


c.

Windows 2000 Routing and Remote Access provides software-based
router routing.


d.

This chapter covers router routing.


6.

Router B examines its local routing table and determines that the
destination host can be reached directly


7.

Router B forwards the IP packet to the destination host

|3|

2.

IP Routing Design Requirements and Constraints


A.

Before designing, review the business and technical design
requirements and constraints, including


1.

Amount and confidentiality of the data sent through the router


2.

Plans for network growth


3.

Existing router placement, WAN connections, and protocols


4.

Application response times


5.

User access reliability


B.

Base design decisions on your review.

|4|

3.

IP Routing
Design Decisions


A.

Types of connections


1.

Persistent


2.

Nonpersistent


B.

Connection technologies for each router


1.

T1


2.

Public Switched Telephone Network (PSTN)


3.

Integrated Services Digital Network (ISDN)


4.

Digital Subscriber Line (DSL)


5.

X.25


C.

Dynamic routing protocols or static routing table entries for each router


D.

Multiple route paths and multiple routers to improve availability and
performance


E.

Packet traffic filtering criteria


F.

Authentication and encryption algorithms

|5|

4.

Edge of Network Scenario


A.

Edge of network designs connect private networks to public networks.


B.

Router requirements


1.

Prevent unauthorized access.


a.

Use Routing and Remote Access IP filters.


b.

Use VPN.


2.

Provide Internet or public network
access.


3.

Protect data confidentiality by providing router identity, data integrity,
and data encryption.


4.

Connect to a variety of WAN types.

Outline,
Chapter 4

3

Designing a Microsoft Windows 2000 Network I nfrastructure



C.

Internal routers


1.

Provide no function other than IP routing


2.

Aren't required to encrypt data or identify other routers


3.

Can be basic routers without Routing and Remote Access features


D.

Firewalls are sometimes optional in the design.


1.

Optional when the routers support point-to-point communications
because the endpoints are known


a.

You can restrict routers to the endpoints.


b.

You can encrypt the data between the endpoints.


2.

Optional when router filters provide enough security, for example
when IP routing filters are used

|6|

5.

Multiple Location Scenario



A.

The figure on Slide 6 shows how to connect multiple locations over a
public network such as the Internet.


B.

You can connect remote locations by using point-to-point leased lines
or the Internet.


C.


When you connect multiple locations, each router must


1.

Use all Routing and Remote Access features


2.

Authenticate other routers. Routing and Remote Access authenticates
routers and VPN tunnels with


a.

User account authentication, such as accounts in the Active Directory
directory service


b.

Machine authentication, such as Kerberos v5 tickets, X.509 certificates,
or preshared keys

|7|

6.

Single Location Scenario


A.

The figure on Slide 7 shows how to connect a single location with
several network segments within a private network and then connect
the network to the Internet.


B.

Using Routing and Remote Access can reduce cost.

C.

Single location designs are most appropriate for small organizations or
branches of larger organizations.


D.

Single location and edge of network designs require the same design
decisions.


Chapter 4, Lesson 2

Essential IP Routing Design Concepts


1.

Placing Routers in the Network Design


A.

Connect network segments with dissimilar LAN or WAN technologies.


B.

Reduce network traffic between network segments.


C.

Prevent unauthorized traffic between segments.


D.

Prevent unauthorized access to confidential data.



|8|

2.

Multiple Location Scenario


A.

Connect network segments with dissimilar LAN or WAN technologies.


1.

Internal routers are inappropriate because network Segments A, B, and C
aren’t dissimilar technologies.


2.

Edge of network routers are appropriate because the router interfaces
connected to the Internet are connecting dissimilar technologies.


B.

Reduce network traffic between network segments.


1.

Internal routers are appropriate because you want to reduce the traffic
between Segments A, B, and C.


2.

Edge of network routers are appropriate because you want to reduce the
traffic between locations.


C.

Prevent unauthorized network traffic between network segments by
using IP filters.


1.

Internal routers are inappropriate because the organization isn't
concerned about unauthorized traffic within each location.


2.

Edge of network routers are appropriate because the organization wants
to block unauthorized traffic from the Internet.


D.

Prevent unauthorized access to confidential data transmitted over
public networks by using encryption and authentication.


1.

Internal routers are inappropriate because the organization isn’t
concerned about unauthorized viewing of confidential data within each
location.


2.

Edge of network routers are appropriate because the organization wants to
prevent unauthorized viewing of confidential data transmitted between
locations.

|9|

3.

Integrating Routers into an Existing Network

A.

Most routers have at least two network interfaces.

B.

For each interface you must specify


1.

IP configuration information such as IP address and subnet mask


2.

Type of connection between router interface and network (persistent or
nonpersistent)


3.

Authentication level


4.

Filtering level


5.

Encryption level


C.

Router IP address specifications


1.

You must specify a fixed IP address and subnet for each router interface.


2.

The subnet mask you specify must match the subnet mask of the subnet
to which the interface is directly connected.


D.

Router interface connection specifications


1.

You must specify the router interface connection for each router
interface.


2.

The connection must match the network segment technology.


3.

Persistence is based on physical (and VPN) connections.


4.

Use LAN interfaces when the interface



a.

Shows as a LAN adapter to Routing and Remote Access


b.

Supports persistent connections


c.

Includes Ethernet, Token Ring, Fiber Distributed Data Interface
(FDDI), T1, or T3


5.

Use demand-dial interfaces when the interface


a.

Shows as a demand-dial adapter to Routing and Remote Access


b.

Supports nonpersistent connections


c.

Requires authentication or a connection initiation procedure, as with
Digital Subscriber Line (DSL) and Integrated Services Digital
Network (ISDN)


d.

Costs more when it is active, such as with ISDN


E.

Router security


1.

Customize the security of the router when sending data over public
networks.


2.

Use authentication between routers that exchange data.


3.

Use encryption to secure confidential data.


4.

Prevent unauthorized access to private networks.

|10|

4.

Unicast Routing


A.

Each router maintains a unicast routing table.


1.

Enter routing table information manually using static routing table entries, or


2.

Enter routing table information automatically using


a.

Autostatic entries


b.

Dynamic routing entries


c.

Subnet entries for directly connected subnets


3.

Routing table entries are automatically created for network segments
connected directly to router interfaces.


B.

Use any combination of static and dynamic routing table entries.


C.

Determine the method of managing routing table entries first.


1.

Review the network utilization level.


a.

Use dynamic routing between private network segments in one
location.


b.

Use static routing between locations or network segments when
dynamic routing saturates the segment.


2.

Review the number of segments within a location requiring routing table
updates.


a.

Use static routing for locations containing a single network segment.


b.

Use dynamic routing with multiple network segments.


3.

Review the current method of managing routing tables and integrate it
with existing routers.

|11|

D.

Static routing


1.

Static routing occurs when a static routing table entry determines the
route path.


a.

Static entries don’t change.




b.

You can't modify entries. Instead, you must delete old entries and
add new entries.
add new entries.


2.

Use static routing when


a.

You want to reduce network use due to routing table management


b.

You want to hide the private network structure


c.

The time it takes to update tables is acceptable


d.

Network paths change infrequently


e.

The design includes a demand-dial interface (default gateway)


f.

Your design doesn’t have redundant route paths, and packets aren’t
forwarded to alternate route paths


|12|

E.

Default route entries


1.

Are a special type of static route entry


2.

Specify the router path for all unknown network destinations


3.

Have two main purposes


a.

Reduce the number of routing table entries


b.

Specify a single route path from one or more network segments


4.

Disadvantage: the default route is used even for destinations that don't
exist, so packets for invalid addresses are forwarded toward the default
router instead of being dropped locally.
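Added example (not from the chapter): a small Python model of the routing example in Lesson 1 together with the static and default route entries described above. The topology, addresses and device names are assumptions made for illustration. It shows longest-prefix matching, the automatically created entries for directly connected subnets, a manually entered static route, and the default route disadvantage: a packet for a destination that does not exist still crosses two routers before anyone drops it, and if two routers point default routes at each other it loops until the hop limit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means the destination subnet is directly connected
    kind: str                 # "connected", "static" or "default"


class RoutingTable:
    """Unicast routing table with longest-prefix-match lookup.

    Entries come from three places: they are created automatically for the
    subnets attached to each interface, entered manually as static routes,
    or a single default route (0.0.0.0/0) that catches everything else.
    """

    def __init__(self):
        self.routes = []

    def add_connected(self, subnet):
        self.routes.append(Route(ipaddress.ip_network(subnet), None, "connected"))

    def add_static(self, subnet, next_hop):
        self.routes.append(Route(ipaddress.ip_network(subnet), next_hop, "static"))

    def add_default(self, next_hop):
        self.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), next_hop, "default"))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        # The most specific prefix wins; the /0 default only applies when nothing else matches.
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_network(router_b_default=None):
    """Constructed topology (assumed addresses, not from the chapter):
    HostS 10.1.1.10 -- RouterA (10.1.1.1 / 10.1.2.1) -- RouterB (10.1.2.2 / 10.1.3.1) -- HostD 10.1.3.10
    Returns the per-device routing tables and a map of interface address -> device name."""
    host_s, router_a, router_b, host_d = RoutingTable(), RoutingTable(), RoutingTable(), RoutingTable()
    host_s.add_connected("10.1.1.0/24")
    host_s.add_default("10.1.1.1")                  # hosts normally know only their default gateway
    router_a.add_connected("10.1.1.0/24")
    router_a.add_connected("10.1.2.0/24")
    router_a.add_static("10.1.3.0/24", "10.1.2.2")  # manually entered static route
    router_a.add_default("10.1.2.2")                # everything unknown goes towards RouterB
    router_b.add_connected("10.1.2.0/24")
    router_b.add_connected("10.1.3.0/24")
    router_b.add_static("10.1.1.0/24", "10.1.2.1")  # return path for Segment A
    if router_b_default:
        router_b.add_default(router_b_default)      # pointing this back at RouterA creates a loop
    host_d.add_connected("10.1.3.0/24")
    host_d.add_default("10.1.3.1")
    tables = {"HostS": host_s, "RouterA": router_a, "RouterB": router_b, "HostD": host_d}
    addresses = {"10.1.1.10": "HostS", "10.1.1.1": "RouterA", "10.1.2.1": "RouterA",
                 "10.1.2.2": "RouterB", "10.1.3.1": "RouterB", "10.1.3.10": "HostD"}
    return tables, addresses


def forward(tables, addresses, start, dst, max_hops=16):
    """Follow each device's routing table hop by hop (host routing at the source,
    router routing after that).  Returns (path, status)."""
    path, current = [start], start
    for _ in range(max_hops):
        route = tables[current].lookup(dst)
        if route is None:
            return path, "dropped: no route"
        if route.next_hop is None:
            owner = addresses.get(dst)
            if owner is None:
                return path, "dropped: no such host on connected subnet"
            return path + [owner], "delivered"
        nxt = addresses.get(route.next_hop)
        if nxt is None:
            return path, "dropped: next hop unreachable"
        path.append(nxt)
        current = nxt
    return path, "dropped: hop limit exceeded"


if __name__ == "__main__":
    tables, addresses = build_network()
    print(forward(tables, addresses, "HostS", "10.1.3.10"))
    print(forward(tables, addresses, "HostS", "192.0.2.5"))
```

In the second call the host and Router A both follow their default routes, so the packet for an address nobody owns is dropped only at Router B; with `build_network(router_b_default="10.1.2.1")` it bounces between the two routers until the hop limit, which is what the disadvantage above means in practice.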

|13|

F.

Autostatic route entries


1.

Combine the best features of dynamic and static routing


2.

Use when you want to exchange dynamic routing entries between
locations at scheduled intervals


3.

Advantage over dynamic routing: to minimize network congestion, you
can specify when to exchange routing information


4.

Use in designs when you want to


a.

Prevent initiation of demand-dial connections when an explicit
routing table entry doesn't exist


b.

Update routing tables less frequently than dynamic routers would,
since you can manually force updates


5.

Can be used with RIP for IP, RIP for Internetwork Packet Exchange
(IPX), and Service Advertising Protocol (SAP) for IPX

|14|

G.

RIP for IP routing


1.

Is the most mature dynamic routing protocol, supported by most routers
and operating systems


2.

Can use Routing and Remote Access to support RIP version 1 or 2


3.

Can be used to enable autostatic RIP routing


4.

Use in designs when


a.

Existing
routers use RIP for IP


b.

You can’t dedicate the time to update static routing table entries


c.

Network route paths change frequently (RIP for IP updates them
automatically)


d.

You use a demand-dial interface and you want to use autostatic RIP
routing


e.

Your network diameter is at most 15 router hops; RIP treats a metric
of 16 as unreachable.




f.

The design requires redundant route paths


5.

Use RIP for IP version 2 when the design must support


a.

Classless Interdomain Routing (CIDR)


b.

Variable Length Subnet Mask (VLSM)


c.

Multicast traffic exchanging routing table information


d.

Plaintext passwords on routing announcements for router authentication

|15|

H.

OSPF routing


1.

Is a recent dynamic routing protocol that addresses many of the
disadvantages of RIP for IP


2.

Is supported by Routing and Remote Access


3.

Maintains a network map in a link state database rather than a routing
table


4.

Whenever a change occurs in the link state database, OSPF routers
recalculate route paths.


5.

Use OSPF in the design when


a.

The existing routers use OSPF


b.

The network diameter is larger than 15 router hops


c.

You don’t want to spend time updating the static routing tables


d.

Network route paths change frequently


e.

The design requires redundant route paths

|16|

6.

Arrange an OSPF design in a top-down hierarchy to minimize the
impact of updates and the number of entries in the link state database.


7.

OSPF includes the following components:


a.

OSPF autonomous system: all routers belong to the same
system. External routes brought into the system can come from


(1)

Other OSPF autonomous systems


(2)

RIP for IP networks


(3)

Static routes


(4)

Route paths added by Simple Network Management Protocol
(SNMP)


b.

One or more OSPF areas


(1)

An area is a grouping of
routers that connect to contiguous
network segments.


(2)

The OSPF autonomous system must include a backbone area
that connects all other areas within the system.


c.

One or more OSPF networks


(1)

OSPF areas consist of one or more OSPF networks.


(2)

An OSPF network is a network segment that resides within
and is managed by an OSPF area.
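Added example (not the chapter's own): a link-state database and the shortest-path-first calculation that OSPF routers run over it, in Python. The four-router area and its link costs are assumptions. Removing a link from the database and recomputing shows how every router recalculates its route paths after a change, and why redundant paths in an OSPF design pay off.

```python
import heapq


class LinkStateDatabase:
    """Link-state database for one OSPF area.  Every router in the area holds
    an identical copy and runs the shortest-path-first computation locally,
    so a change anywhere makes every router recalculate its route paths."""

    def __init__(self):
        self.links = {}   # router -> {neighbour: cost}

    def add_link(self, a, b, cost):
        self.links.setdefault(a, {})[b] = cost
        self.links.setdefault(b, {})[a] = cost

    def remove_link(self, a, b):
        # A failed link disappears from the database and SPF runs again.
        self.links.get(a, {}).pop(b, None)
        self.links.get(b, {}).pop(a, None)

    def spf(self, root):
        """Dijkstra from root over the link-state database.
        Returns {destination: (total_cost, next_hop)} for every reachable router."""
        dist = {root: 0}
        first_hop = {root: None}
        heap = [(0, root)]
        done = set()
        while heap:
            d, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            for v, cost in self.links.get(u, {}).items():
                nd = d + cost
                if nd < dist.get(v, float("inf")):
                    dist[v] = nd
                    # The first router after the root on the path to v becomes the next hop.
                    first_hop[v] = v if u == root else first_hop[u]
                    heapq.heappush(heap, (nd, v))
        return {n: (dist[n], first_hop[n]) for n in dist if n != root}


def build_area():
    """Constructed example area (names and costs are assumptions, not from the chapter):
    A-B and B-C are cheap links, A-D and D-C a slower redundant path."""
    lsdb = LinkStateDatabase()
    lsdb.add_link("A", "B", 10)
    lsdb.add_link("B", "C", 10)
    lsdb.add_link("A", "D", 20)
    lsdb.add_link("D", "C", 20)
    return lsdb


if __name__ == "__main__":
    lsdb = build_area()
    print(lsdb.spf("A"))          # C reached via B at cost 20
    lsdb.remove_link("B", "C")    # link failure: database changes, paths recalculated
    print(lsdb.spf("A"))          # C now reached via D at cost 40
```

Contrast this with RIP: the routers here agree on one map and each derives its own next hops from it, so a failed link is replaced by the redundant D path as soon as the database is updated, without waiting for hop counts to converge.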

|17|

5.

Multicast Routing


A.

Routers that include RIP for IP version 2 can multicast traffic to
exchange route information.


B.

Use IGMP in Routing and Remote Access as a multicast proxy.

C.

Multicast proxying provides a subset of the features of a full multicast router.



D.

Use multicast proxying when


1.

You want to give multicast traffic to multicast clients connected to the
same network segment as the router


2.

You have full-featured routers between the multicast proxy and
multicast source


E.

Specify the following in a multicast proxy:


1.

Proxy mode interface


a.

Can specify only one proxy mode interface


b.

Appears as a multicast client


c.

Forwards multicast registration requests and multicast traffic from
clients


2.

Router mode interface


a.

Can specify multiple router mode interfaces


b.

Appears as a multicast router


c.

Listens for multicast registration requests and multicast traffic from
clients


|18|

6.

DHCP Relay Agent


A.

Use DHCP Relay Agent because


1.

Most routing designs include a DHCP configuration


2.

DHCP uses broadcast traffic, so IP routers may not forward the DHCP
traffic


3.

It forwards DHCP traffic between network segments


a.

The DHCP Relay Agent allows routers to filter broadcast traffic
while forwarding DHCP requests.


B.

To forward DHCP traffic between clients and servers, enable the
following on routers:


1.

Broadcast traffic forwarding


a.

Advantage: all routers support broadcast traffic forwarding.


b.

Disadvantage: all broadcast traffic is forwarded and can saturate
networks.


2.

DHCP/Boot Protocol (BOOTP) forwarding


a.

Advantage: existing routers may be able to support DHCP/BOOTP
forwarding.


b.

Disadvantage: DHCP and BOOTP requests are forwarded throughout the
network.


3.

DHCP Relay Agent


a.

Advantage: it converts DHCP to unicast traffic for forwarding.


b.

Disadvantage: you may need to replace existing routers.
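Added example, not from the chapter: a Python model of what a DHCP Relay Agent does to a client's broadcast. The addresses (relay interface 10.1.1.1, DHCP server 10.1.2.50) and the constructed DHCP messages are assumptions. It shows the relay stamping its interface address into giaddr, converting the broadcast into a unicast to the server, returning the server's reply to the client segment, and dropping any other broadcast, which is how the router filters broadcast traffic while still forwarding DHCP requests.

```python
import struct
import ipaddress

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP/DHCP header, 236 bytes
BOOTP_LEN = struct.calcsize(BOOTP_HDR)
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST = "255.255.255.255"
FLAG_BROADCAST = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(op, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0, flags=0):
    """Constructed DHCP message (fixed header + magic cookie + END option) for the demo."""
    zero4 = b"\0" * 4
    header = struct.pack(BOOTP_HDR, op, 1, 6, hops, xid, 0, flags, zero4,
                         ipaddress.IPv4Address(yiaddr).packed, zero4,
                         ipaddress.IPv4Address(giaddr).packed,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + b"\xff"


def dhcp_fields(payload):
    """Decode the header fields a relay cares about."""
    f = struct.unpack(BOOTP_HDR, payload[:BOOTP_LEN])
    return {"op": f[0], "hops": f[3], "flags": f[6],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


class DhcpRelayAgent:
    """Relay on the client-side router interface.  Broadcast requests become
    unicasts to the configured DHCP server; replies come back unicast to the
    relay (giaddr) and are handed to the client segment.  Any other broadcast
    is simply not forwarded, which is the point of using a relay rather than
    broadcast forwarding."""

    def __init__(self, interface_ip, server_ip, hop_threshold=4):
        self.interface_ip = ipaddress.IPv4Address(interface_ip)
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.hop_threshold = hop_threshold   # RFC 1542: discard requests relayed too many times

    def handle(self, pkt):
        """pkt is a dict with src, dst, sport, dport, payload.  Returns the packet to
        emit or None when the router drops it."""
        payload = pkt["payload"]
        if pkt["dport"] not in (SERVER_PORT, CLIENT_PORT) or len(payload) < BOOTP_LEN:
            return None                      # not DHCP/BOOTP: the broadcast stops here
        fields = list(struct.unpack(BOOTP_HDR, payload[:BOOTP_LEN]))
        op, hops, giaddr = fields[0], fields[3], fields[10]
        if op == BOOTREQUEST and pkt["dport"] == SERVER_PORT:
            if hops >= self.hop_threshold:
                return None
            fields[3] = hops + 1
            if giaddr == b"\0" * 4:
                fields[10] = self.interface_ip.packed   # tells the server which subnet to lease from
            return {"src": str(self.interface_ip), "dst": str(self.server_ip),
                    "sport": SERVER_PORT, "dport": SERVER_PORT,
                    "payload": struct.pack(BOOTP_HDR, *fields) + payload[BOOTP_LEN:]}
        if op == BOOTREPLY and giaddr == self.interface_ip.packed:
            flags, yiaddr = fields[6], fields[8]
            # Clients that cannot yet receive unicast set the broadcast flag.
            dst = BROADCAST if flags & FLAG_BROADCAST else str(ipaddress.IPv4Address(yiaddr))
            return {"src": str(self.interface_ip), "dst": dst,
                    "sport": SERVER_PORT, "dport": CLIENT_PORT, "payload": payload}
        return None


if __name__ == "__main__":
    relay = DhcpRelayAgent("10.1.1.1", "10.1.2.50")
    mac = bytes.fromhex("00aabbccddee")
    discover = {"src": "0.0.0.0", "dst": BROADCAST, "sport": CLIENT_PORT, "dport": SERVER_PORT,
                "payload": build_dhcp(BOOTREQUEST, 0x3903F326, mac)}
    print(relay.handle(discover)["dst"], dhcp_fields(relay.handle(discover)["payload"]))
```

Because the relay only ever produces a unicast to one configured server, the rest of the network never sees the client's broadcast, which is the advantage listed above over plain broadcast or DHCP/BOOTP forwarding.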




Chapter 4, Lesson 3

Data Protection on Unsecured Segments


1.

Filtering Unwanted IP Traffic


A.

Unauthorized traffic can come from many sources.


1.

Unauthorized Internet users attempting to access a private network


2.

Private network users attempting to access confidential resources


3.

Unsupported or unauthorized applications within the private
network

|19|

B.

Using the IP filters in Routing and Remote Access can prevent
unwanted IP traffic.


1.

IP filters are similar to firewall rules.


2.

You must specify IP filters on each router interface.


3.

You can filter inbound and outbound IP traffic between two or more
network segments.


4.

You can use IP filters on internal routers on private networks.


C.

Filter the source or destination IP address range to restrict traffic to or
from


1.

A specific IP address


2.

An IP address range assigned to an organization or network segment


D.

Filter the IP protocol number to restrict traffic to or from a specific
application.


E.

Combine IP filters.


1.

Filters apply to all traffic coming through the router.


2.

Filters can be cumulative across multiple routers.
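Added example (not from the chapter): a Python model of per-interface IP filters with the two Routing and Remote Access filter actions (drop all except the listed traffic, or pass all except it), applied inbound and outbound along a path of routers so that filters accumulate. The edge design, address ranges and port numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number: 1 ICMP, 6 TCP, 17 UDP, 50 ESP ...
    dport: Optional[int] = None  # TCP/UDP destination port when applicable


@dataclass(frozen=True)
class Filter:
    """One filter criterion: source range, destination range, protocol, port.
    Any field left at its default matches everything."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class InterfaceFilters:
    """The filter list for one direction on one router interface.  Like the
    Routing and Remote Access dialog, the list has one of two actions:
    drop everything except matching traffic (default deny, what you want on an
    Internet-facing interface) or pass everything except matching traffic."""

    def __init__(self, filters, drop_all_except=True):
        self.filters = list(filters)
        self.drop_all_except = drop_all_except

    def permits(self, pkt):
        matched = any(f.matches(pkt) for f in self.filters)
        return matched if self.drop_all_except else not matched


PASS_ALL = InterfaceFilters([], drop_all_except=False)


def trace(hops, pkt):
    """Run a packet through each router on its path, applying the inbound filters of
    the interface it arrives on and the outbound filters of the interface it leaves by.
    hops: list of (router_name, inbound InterfaceFilters, outbound InterfaceFilters).
    Returns ("permitted", None) or ("dropped", "Router/in" or "Router/out")."""
    for router, inbound, outbound in hops:
        if not inbound.permits(pkt):
            return "dropped", f"{router}/in"
        if not outbound.permits(pkt):
            return "dropped", f"{router}/out"
    return "permitted", None


# Constructed design (addresses are assumptions): 172.16.10.10 is a DMZ web server,
# 172.16.20.0/24 a guest segment, 172.16.30.0/24 the finance segment, 203.0.113.1 the
# edge router's own Internet address.
EDGE_INTERNET_IN = InterfaceFilters([
    Filter(dst="172.16.10.10/32", proto=6, dport=80),   # HTTP to the web server
    Filter(dst="172.16.10.10/32", proto=6, dport=443),  # HTTPS to the web server
    Filter(dst="203.0.113.1/32", proto=50),             # IPSec ESP terminating on the router
    Filter(dst="203.0.113.1/32", proto=17, dport=500),  # IKE for that tunnel
], drop_all_except=True)

# Internal router: pass everything except guest-segment access to finance file shares.
CORE_LAN_IN = InterfaceFilters([
    Filter(src="172.16.20.0/24", dst="172.16.30.0/24", proto=6, dport=445),
    Filter(src="172.16.20.0/24", dst="172.16.30.0/24", proto=6, dport=139),
], drop_all_except=False)


def edge_path():
    return [("Edge", EDGE_INTERNET_IN, PASS_ALL)]


def internal_path():
    return [("Core", CORE_LAN_IN, PASS_ALL)]


if __name__ == "__main__":
    print(trace(edge_path(), Packet("198.51.100.7", "172.16.10.10", 6, 80)))
    print(trace(edge_path(), Packet("198.51.100.7", "172.16.10.10", 6, 3389)))
    print(trace(internal_path(), Packet("172.16.20.15", "172.16.30.5", 6, 445)))
```

The edge interface uses the drop-all-except action so anything not explicitly listed, including the RDP attempt above, is dropped before it reaches the private network; the internal router uses pass-all-except, which matches the chapter's point that internal filters are for specific confidential resources rather than general access control.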

|20|

2.

Router Identification


A.

Use router identification to allow routers to exchange information only
with known routers.


1.

Routing and Remote Access can identify routers using routing protocol,
IPSec, or demand-dial.


2.

You can combine identification methods.


B.

You can use routing protocol methods for identifying routers.


1.

Use plain text passwords, peer security, and RIP neighbors.






2.

Use for internal routers in a private network


3.

Can use plain text passwords in the form of RIP for IP
version 2 or
OSPF passwords


4.

Can use RIP for IP peer security, which allows routers to accept RIP
announcements only from designated routers


5.

Can use RIP for IP neighbors


a.

Are sent as unicast packets directed to neighboring routers (routers
directly accessible to the router sending the packet)
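Added example (not part of the chapter): Python code that builds and parses RIPv2 response packets and applies them the way a Routing and Remote Access router with peer security and a simple password would. It covers both the RIP hop limit from the RIP for IP section in Lesson 2 and the routing-protocol identification methods above. Addresses and the password are assumptions. One caveat the outline does not spell out: the RIPv2 simple password travels in cleartext, so it keeps misconfigured routers out, not an attacker on the same segment, which is why the chapter limits these methods to internal routers.

```python
import struct
import ipaddress

RIP_INFINITY = 16            # a metric of 16 means "unreachable"; 15 hops is the limit
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
RESPONSE, VERSION2 = 2, 2


def build_rip_response(routes, password=None):
    """Constructed RIPv2 response: 4-byte header, optional simple-password
    authentication entry, then 20-byte route entries of (prefix, metric)."""
    pkt = struct.pack("!BBH", RESPONSE, VERSION2, 0)
    if password is not None:
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD,
                           password.encode().ljust(16, b"\0"))
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed,
                           net.netmask.packed, b"\0" * 4, metric)
    return pkt


def parse_rip_response(pkt):
    """Return (password_or_None, [(prefix_str, metric), ...]).  Raises ValueError on junk."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("bad RIP packet length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RESPONSE or version != VERSION2:
        raise ValueError("not a RIPv2 response")
    password, routes = None, []
    for off in range(4, len(pkt), 20):
        afi, tag = struct.unpack("!HH", pkt[off:off + 4])
        if afi == AFI_AUTH:
            # The authentication entry, if any, must be the first entry.
            if off != 4 or tag != AUTH_SIMPLE_PASSWORD:
                raise ValueError("unsupported or misplaced authentication entry")
            password = pkt[off + 4:off + 20].rstrip(b"\0").decode("ascii", "replace")
            continue
        if afi != AFI_IP:
            raise ValueError("unknown address family")
        addr, mask, _next_hop, metric = struct.unpack("!4s4s4sI", pkt[off + 4:off + 20])
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}")
        routes.append((str(net), metric))
    return password, routes


class RipRouter:
    """Receiving side of RIP for IP v2 with the Routing and Remote Access
    identification options: peer security (accept only from listed routers)
    and a simple password on announcements."""

    def __init__(self, peers=None, password=None):
        self.peers = set(peers) if peers is not None else None   # None = accept from any router
        self.password = password
        self.table = {}                                          # prefix -> (metric, next_hop)

    def process(self, src_ip, pkt):
        """Apply one announcement received from src_ip; returns a list of (prefix, action)."""
        if self.peers is not None and src_ip not in self.peers:
            return [("*", "rejected: not a designated peer")]
        password, routes = parse_rip_response(pkt)
        if self.password is not None and password != self.password:
            return [("*", "rejected: bad or missing password")]
        actions = []
        for prefix, metric in routes:
            metric = min(metric + 1, RIP_INFINITY)       # add the hop to the advertising router
            current = self.table.get(prefix)
            if metric >= RIP_INFINITY:
                if current is not None and current[1] == src_ip:
                    del self.table[prefix]              # our next hop says it is gone
                    actions.append((prefix, "withdrawn"))
                else:
                    actions.append((prefix, "ignored: unreachable (16+ hops)"))
            elif current is None or metric < current[0] or current[1] == src_ip:
                self.table[prefix] = (metric, src_ip)
                actions.append((prefix, "installed"))
            else:
                actions.append((prefix, "kept existing route"))
        return actions


if __name__ == "__main__":
    router = RipRouter(peers={"10.1.2.2"}, password="r0uting")
    announcement = build_rip_response([("10.1.3.0/24", 1), ("10.9.0.0/16", 15)], password="r0uting")
    print(router.process("10.1.2.9", announcement))   # not a peer
    print(router.process("10.1.2.2", announcement))   # 10.9.0.0/16 would be 16 hops away
    print(router.table)
```

The route advertised at metric 15 is already 15 hops from the neighbour, so from this router it would be 16 and is treated as unreachable: that is the network-diameter limit from the RIP for IP design criteria above expressed in code.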


C.

You can use IPSec for identifying routers.


1.

IPSec identifies routers by authenticating the machines at each end during the IPSec security negotiation.


2.

Machine certificates authenticate the computer rather than the
individual.


3.

You can use the IPSec Authentication Header (AH) or Encapsulating
Security Payload (ESP) protocol.


4.

You can use Kerberos v5 tickets, X.509 certificates, or preshared keys
for machine authentication.


5.

Use for internal routers on the private network.


D.

You can use demand-dial for router identification.


1.

Is used when routers communicate over demand-dial interfaces


2.

Uses one or more user accounts stored on the router or the Active
Directory directory service


3.

Can use any authentication protocol available in Routing and Remote
Access


4.

All authentication is one-way, except for Microsoft Challenge
Handshake Authentication Protocol Version 2 (MS-CHAP v2).


a.

One-way authentication means that the originating router can't
identify the responding router.


b.

MS-CHAP v2, which provides two-way authentication, is
recommended for demand-dial authentication.


5.

VPN is a type of demand-dial interface.

|21|

3.

Router-To-Router Data Protection


A.

Can protect confidential data using VPN tunnels or IPSec



B.

These
methods support both router authentication and data encryption.


1.

VPN tunnels


a.

You can use Point-to-Point Tunneling Protocol (PPTP) or Layer 2
Tunneling Protocol (L2TP)/IPSec tunnels to encrypt data.


b.

VPN tunnels are most appropriate for edge of network routers.


c.

Determine tunnel protocol by reviewing


(1)

The protocols supported by current routers


(2)

Authentication requirements for tunnel


(3)

Encryption strength requirements or regulations




2.

IPSec tunnels


a.

Use IPSec transport mode or IPSec tunnel mode to encrypt data.


(1)

When using tunnel mode, you must specify a separate IPSec
tunnel between each router combination.


(2)

If you specify only IPSec tunnel mode, all traffic must be sent
to the other endpoint of the tunnel.


b.

Can be used alone or with L2TP


c.

Use IPSec without L2TP when


(1)

Encrypting data between internal routers


(2)

L2TP overhead is unnecessary


(3)

Machine authentication is adequate


d.

Use IPSec with L2TP when


(1)

Encrypting data between edge of network routers


(2)

The router interface is a demand-dial interface


(3)

User and machine authentication are required


Chapter 4, Lesson 4

IP Routing Design Optimization

|22|

1.

Improving IP Routing Availability and Performance


A.

Configure routers with the RIP for IP routing protocol to use RIP
neighbors.


1.

Performance can be improved because RIP announcements are sent by
unicast to the configured neighbors instead of by broadcast (RIP version 1)
or multicast (RIP version 2).


2.

Unicast traffic reduces packet traffic.


B.

Replace nonpersistent connections with persistent connections.


1.

Dial-up connections may receive busy signals.


2.

Dial-up connections may cause connection delays.


C.

Add more connections.


1.

Additional connections improve availability by providing redundant
paths.


2.

Additional connections improve performance by increasing bandwidth.


D.

Add more router interfaces.


1.

Additional router interfaces improve availability because redundant
interfaces provide backup if an interface fails.


2.

Additional router interfaces increase bandwidth between route paths.


E.

Add more routers.


1.

Additional routers provide redundancy.


2.

Additional routers increase bandwidth when other routers are congested.

|23|

Chapter Summary


A.

Routing in Microsoft Windows 2000 is provided by Routing and Remote
Access.


B.

Base design decisions on a business and technology review.




1.

Persistent or nonpersistent connections


2.

Connections used, such as T1 or DSL


3.

Dynamic vs. static routing table entries


4.

Route paths, packet filtering, encryption, and authentication


C.

Determine where to place routers based on whether you want to


1.

Connect dissimilar network segments


2.

Reduce network traffic between segments


3.

Prevent unauthorized traffic between segments


4.

Prevent unauthorized access to the network


D.

In unicast routing, each router maintains a routing table.


1.

Routing tables can be managed manually or dynamically.


2.

Static routing and default route entries are options.


3.

Autostatic route entries can be used in many cases.


4.

Most routers support RIP for IP routing.


5.

OSPF
routing is a recent dynamic protocol.


E.

RIP for IP version 2 uses multicast to exchange routing information.


F.

Dynamic Host Configuration Protocol (DHCP) Relay Agent forwards
DHCP traffic between network segments.


G.

Consider data protection design.


1.

Filter unwanted IP traffic, using IP filters in Routing and Remote
Access.


2.

Identify routers using routing protocol, IPSec, or demand-dial.


3.

Use VPN tunnels or IPSec for router-to-router data protection.