
Server 2008 Routing and Remote Access

  • Upload
    paul

DESCRIPTION

70-642 Notes

Routing and Remote Access (RRAS)

Install the Routing and Remote Access (RRAS) role in Windows 2008 Server

In the Add Roles Wizard, the RRAS role can be difficult to find, because what you actually need to add is the Network Policy and Access Services role and then, within it, the Routing and Remote Access Services role service.

Installation will take a couple of minutes and present an install summary. Just click Close.

After installing, browse over to the RRAS console from Administrative Tools.

Next, configure Routing and Remote Access by opening the RRAS MMC, right-clicking the server, and clicking Configure and Enable Routing and Remote Access.

The Routing and Remote Access Server Setup Wizard appears.

There are several options available to you when configuring remote access:

Remote Access (Dial-Up Or VPN): This option enables remote clients to connect to the server by using either a dial-up connection or a secure VPN.

Network Address Translation (NAT): This option enables internal clients to connect to the Internet using a single, external IP address.

Virtual Private Network (VPN) Access And NAT: This option configures NAT for the internal network and configures VPN connections.

Secure Connection Between Two Private Networks: This option is useful when, for example, setting up a router-to-router VPN.

Custom Configuration: As noted previously, you use this option when none of the service combinations meet your exact needs.

Types of IP Routing

A router finds the best route to a destination by exchanging routing information with other routers. This is possible only when some form of IP routing is enabled on the routers.

There are two types of IP Routing:

Static Routing: uses a route that a network administrator enters into the router manually.

Dynamic Routing: uses a route that a network routing protocol adjusts automatically for topology and traffic changes. Examples are RIPv2 and OSPF.

Configuring and Managing Routing Protocols

The dynamic routing protocols RIP and OSPF allow routers to determine paths along which to send traffic.

RIP

When you enable RIP, you allow Windows Server 2008 to advertise routes to neighbouring routers and to automatically detect neighbouring routers and remote networks.

RIP is a dynamic routing protocol that routers use to determine the best path to send given data. Routes to destinations are chosen according to lowest cost. By default, this cost is determined by the number of hops or routers between endpoints; however, you can manually adjust the cost of any route as needed.

Importantly, RIP discards routes that are determined to have a cost higher than 15. This feature effectively limits the size of the network in which RIP can operate. Another important feature of RIP is that RIP-enabled routers advertise their entire routing tables to each other every 30 seconds. The service therefore generates a substantial amount of network traffic.

Advantages and Disadvantages of RIP

The main advantage of RIP is that it is easy to deploy. You can implement it on your network simply by enabling the protocol on each router. However, RIP does not scale well to large networks because of the 15-hop limitation. Other disadvantages of RIP include its high convergence times in medium-sized networks and its inability to factor costs other than hops (such as bandwidth) into the route cost metric.

Managing RIP Security

RIP includes a number of configurable security features, including authentication, peer filtering, route filters, and neighbors.

To enable RIP

In Server Manager, right-click Roles\Network Policy and Access Services\Routing and Remote Access\IPv4\General, and then choose New Routing Protocol.

In the New Routing Protocol dialog box, select RIP Version 2 For Internet Protocol, and then click OK.

Now that you have RIPv2 installed, you can configure it. Configuring it is as easy as adding the interfaces over which you want to exchange RIP routes. To do this, go to the RIP section, right-click, click New Interface, and select the interface you want to add under RIP.

In the New Interface For RIP Version 2 For Internet Protocol dialog box, select the interface you want to advertise with RIP. Then click OK. RIP is now enabled on the selected interface.

Configure RIP settings to match those of neighboring routers. The default settings will work in most environments. You can adjust settings using the four tabs of the RIP Properties dialog box:

General: Select whether RIP v1 or RIP v2 is used and whether authentication is required.

This is where you can define general information about how RIP will operate on your server. On this tab, Operation Mode refers to how RIP will update its tables. The two choices are Auto-static Mode and Periodic Update Mode, which is the default. Auto-static Mode means that an update will be triggered when another router requests an update while Periodic Update Mode means that the routing table will be updated at a defined interval (defined on the Advanced tab).

The General tab also provides a place for you to define the incoming and outgoing protocol. For outgoing packets, you can choose RIP1 broadcast, RIP2 broadcast, RIP2 multicast or silent RIP. In silent mode, the system only listens for new RIP announcements but does not make any itself. If your network uses consistent network masks throughout, you can use RIP1, but I don’t recommend it unless you have devices that can only use RIP1. You can also specify the route cost for this interface as well as a tag number for the routes on this interface. Finally, a password can be specified to be used for RIP2 updates as a means of identification.

Security: Choose whether to filter router advertisements. Because a routing protocol could be used to advertise a route to a malicious computer, RIP could be used as part of a man-in-the-middle attack. Therefore, you should restrict the advertised routes that will be accepted whenever possible.

Neighbors: Allows you to manually list the neighbors that the computer will communicate with.

Advanced: Configure announcement intervals and time-outs, as well as other infrequently used settings such as split horizon and poison reverse, which are useful in preventing routing loops.
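
The following is an added example, not part of the original notes and not RRAS code: a model in Python of the acceptance checks that the General, Security and Neighbors tabs describe, applied to a RIPv2 response in the RFC 2453 wire format. The neighbor address, allowed range, password and sample packet are constructed for illustration.

```python
import ipaddress
import struct

RESPONSE, V2, AF_INET, AF_AUTH, INFINITY = 2, 2, 2, 0xFFFF, 16

def parse_rip_response(data):
    """Return (simple_password_or_None, [(network, next_hop, metric), ...])."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("malformed RIP packet length")
    command, version, _ = struct.unpack("!BBH", data[:4])
    if (command, version) != (RESPONSE, V2):
        raise ValueError("not a RIPv2 response")
    password, routes = None, []
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 20]
        if afi == AF_AUTH and tag == 2:   # simple password, sent in cleartext
            password = body.rstrip(b"\0").decode("ascii", "replace")
        elif afi == AF_INET:
            addr, mask, hop, metric = struct.unpack("!4s4s4sI", body)
            m = int.from_bytes(mask, "big")
            plen = bin(m).count("1")
            if m != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
                continue                  # non-contiguous mask: ignore the entry
            net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{plen}", strict=False)
            routes.append((net, ipaddress.ip_address(hop), metric))
    return password, routes

def accept_routes(sender, data, peers, allowed, password):
    """Peer filter, password check, route filter, then the 15-hop limit."""
    if ipaddress.ip_address(sender) not in peers:
        return []
    got, routes = parse_rip_response(data)
    if got != password:
        return []
    return [(net, hop, metric) for net, hop, metric in routes
            if metric < INFINITY and any(net.subnet_of(a) for a in allowed)]

def entry(net, metric, hop="0.0.0.0"):
    n = ipaddress.ip_network(net)
    return struct.pack("!HH4s4s4sI", AF_INET, 0, n.network_address.packed,
                       n.netmask.packed, ipaddress.ip_address(hop).packed, metric)

# Constructed sample: one legitimate route, a default route, an unreachable route.
PEERS = {ipaddress.ip_address("192.168.1.2")}
ALLOWED = [ipaddress.ip_network("192.168.0.0/16")]
SAMPLE = (struct.pack("!BBH", RESPONSE, V2, 0)
          + struct.pack("!HH16s", AF_AUTH, 2, b"labpass")
          + entry("192.168.2.0/24", 1) + entry("0.0.0.0/0", 1) + entry("192.168.3.0/24", 16))
```

Only 192.168.2.0/24 survives `accept_routes("192.168.1.2", SAMPLE, PEERS, ALLOWED, "labpass")`: the advertised default route falls outside the allowed range and the metric-16 route is unreachable. Because the simple password is readable by anyone who can capture an update, it identifies a neighbor rather than protecting the exchange, which is why the route and peer filters matter.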

Static Routing

You can view the IP routing table by using the Routing And Remote Access console or the command prompt.

In the Routing And Remote Access console, expand the IP Routing node, right-click the Static Routes node, and then click Show IP Routing Table.

To view the routing table from the command prompt, type route print and press Enter.

To add static routes

1. In Server Manager, right-click Roles\Network Policy and Access Services\Routing and Remote Access\IPv4\Static Routes, and then choose New Static Route.

2. In the IPv4 Static Route dialog box, select the network interface that will be used to forward traffic to the remote network. In the Destination box, type the network ID of the destination network. In the Network Mask box, type the subnet mask of the destination network. In the Gateway box, type the IP address of the router that packets for the destination network should be forwarded to. Adjust the Metric only if you have multiple paths to the same destination network and want the computer to prefer one gateway over the others; in this case, configure the preferred routes with lower metrics.

If a computer needs to use different routers to communicate with different remote networks, you need to configure static routing. For example, the client computer would have a default gateway of 192.168.1.1 (because that leads to the Internet, where most IP address destinations reside). However, an administrator would need to configure a static route for the 192.168.2.0/24 subnet that uses the gateway at 192.168.1.2.

Typically, you would do this configuration using the command-line tool Route. For the example shown, you could allow it to access the 192.168.2.0/24 network by running

route -p add 192.168.2.0 MASK 255.255.255.0 192.168.1.2

route add destination mask subnetmask gateway metric cost interface

When using the Route Add command, the -p parameter makes a route persistent. If a route is not persistent, it will be removed the next time you restart the computer.

Run Route Print at the command prompt and verify that the static route has been added.

Exam Tip: Know that a router’s IP address must always be on the same subnet as the computer.
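
As an added illustration (not part of the original notes, and a model rather than the Windows implementation), the Python sketch below reproduces the example above: it rejects a static route whose gateway is not on the computer's own subnet, then picks the next hop by most specific match, with the metric breaking ties. The client address 192.168.1.10/24 and the extra gateway 192.168.1.3 are assumptions made for the example.

```python
import ipaddress

class RouteTable:
    """Toy model of a host routing table: one interface plus static routes."""

    def __init__(self, host_interface):
        self.iface = ipaddress.ip_interface(host_interface)
        self.routes = []                      # (network, gateway, metric)

    def add(self, destination, mask, gateway, metric=1):
        # ip_network() raises ValueError for host bits set or an invalid mask.
        net = ipaddress.ip_network(f"{destination}/{mask}")
        gw = ipaddress.ip_address(gateway)
        if gw not in self.iface.network:
            raise ValueError(f"gateway {gw} is not on {self.iface.network}")
        self.routes.append((net, gw, metric))

    def next_hop(self, destination):
        dst = ipaddress.ip_address(destination)
        if dst in self.iface.network:
            return "on-link"                  # delivered directly, no router
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None                       # no route and no default gateway
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        _, gw, _ = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
        return str(gw)

def build_example_table():
    table = RouteTable("192.168.1.10/24")     # assumed client address
    table.add("0.0.0.0", "0.0.0.0", "192.168.1.1")          # default gateway
    table.add("192.168.2.0", "255.255.255.0", "192.168.1.2")
    table.add("192.168.2.0", "255.255.255.0", "192.168.1.3", metric=5)
    return table

if __name__ == "__main__":
    t = build_example_table()
    for dst in ("192.168.2.25", "203.0.113.7", "192.168.1.50"):
        print(dst, "->", t.next_hop(dst))
```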

Configuring Demand-Dial Routing

Routing and Remote Access also includes support for demand-dial routing (also known as dial-on-demand routing). When the router receives a packet, the router can use demand-dial routing to initiate a connection to a remote site. The connection becomes active only when data is sent to the remote site. The link is disconnected when no data has been sent over the link for a specified amount of time. Because demand-dial connections for low-traffic situations can use existing dial-up telephone lines instead of leased lines, demand-dial routing can significantly reduce connection costs.

The first step in deploying demand-dial routing is to configure a demand-dial interface on each computer you wish to function as a demand-dial router.

You can configure these interfaces by using the Demand-Dial Interface Wizard when you initially set up Routing and Remote Access or as an option after the Routing and Remote Access service has already been configured and enabled.

If you have previously configured and enabled the Routing and Remote Access service without demand-dial functionality, you must enable this functionality before you create any demand-dial interfaces.

To enable demand-dial functionality

Select the LAN and Demand-Dial Routing option in the General tab of the Routing and Remote Access Properties dialog box.

If you don’t have a DHCP server in your local network, you have to add a static address pool. This can be the case if you have a stand-alone server hosted by your provider.

DHCP Relay Agent

DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. Typically, DHCP clients broadcast DHCPDiscover packets that are then received and answered by a DHCP server on the same subnet. Because routers block broadcasts, DHCP clients and servers must normally be located on the same physical subnet.

However, two methods can help you work around this limitation. First, if the routers separating the DHCP server and clients are RFC 1542–compliant, the routers can be configured for Boot Protocol (BOOTP) forwarding. Through BOOTP forwarding, routers forward DHCP broadcasts between clients and servers and inform servers of the originating subnet of the DHCP requests. This process allows DHCP servers to assign addresses to the remote clients from the appropriate scope.

The second way to allow remote communication between DHCP servers and clients is to configure a DHCP relay agent on the subnet containing the remote clients. DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Although DHCP Relay Agent is configured through Routing and Remote Access, the computer hosting the agent does not need to be functioning as an actual router between subnets.

Exam Tip: Expect a topology question about DHCP Relay Agent and RFC 1542–compliant routers on the exam.
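
The relay behaviour described above, as an added example in Python that is not part of the original notes and is not RRAS code. It models how a relay records the originating subnet in the giaddr field of the BOOTP header (RFC 1542) and how the server uses that field to choose a scope; the addresses, the hop threshold of 4 and the sample DHCPDISCOVER are constructed for illustration.

```python
import ipaddress
import struct

HOPS_OFF, GIADDR_OFF = 3, 24      # byte offsets in the fixed BOOTP header

def relay(packet, rx_if_addr, hop_threshold=4):
    """Return the request as a relay would forward it, or None to drop it."""
    pkt = bytearray(packet)
    if pkt[0] != 1 or pkt[HOPS_OFF] > hop_threshold:     # op 1 = BOOTREQUEST
        return None
    pkt[HOPS_OFF] += 1
    if pkt[GIADDR_OFF:GIADDR_OFF + 4] == b"\0\0\0\0":
        # Only the first relay stamps giaddr; later relays must not change it.
        pkt[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.ip_address(rx_if_addr).packed
    return bytes(pkt)

def giaddr_of(packet):
    return ipaddress.ip_address(bytes(packet[GIADDR_OFF:GIADDR_OFF + 4]))

def select_scope(packet, scopes, rx_subnet):
    """Server side: scope containing giaddr, or the local subnet if unset."""
    giaddr = giaddr_of(packet)
    local = ipaddress.ip_network(rx_subnet)
    for scope in map(ipaddress.ip_network, scopes):
        if (giaddr in scope) if int(giaddr) else (scope == local):
            return scope
    return None            # no scope for that subnet, so no offer is made

# Constructed sample: a DHCPDISCOVER broadcast with giaddr still unset.
DISCOVER = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
            + bytes(16)                                    # ciaddr..giaddr
            + bytes.fromhex("020000aabbcc").ljust(16, b"\0")   # chaddr
            + bytes(192)                                   # sname + file
            + bytes.fromhex("63825363" "350101" "ff"))     # cookie, type, end

SCOPES = ["192.168.1.0/24", "192.168.2.0/24"]              # assumed scopes

if __name__ == "__main__":
    relayed = relay(DISCOVER, "192.168.2.1")
    print("giaddr:", giaddr_of(relayed))
    print("scope :", select_scope(relayed, SCOPES, "192.168.1.0/24"))
```

A server that has no scope for the subnet named in giaddr has nothing to offer the client, so each relayed subnet needs its own scope on the DHCP server.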

Note: You cannot use the DHCP Relay Agent component on a computer running any of the following: the DHCP service, the NAT routing protocol component with automatic addressing enabled, or ICS.

Installing the DHCP Relay Agent

NOTE: DHCP Relay Agent cannot be installed on a server that is already running the DHCP Server service.

1. Launch the Routing and Remote Access Service [RRAS] console.

2. Open IP Routing, right-click General, and select New Routing Protocol.

3. Select DHCP Relay Agent and click OK.

This will install the DHCP Relay Agent.

Add network interfaces to the DHCP Relay Agent.

This allows relaying DHCP broadcast messages from DHCP clients to DHCP servers on different IP networks. Right-click the DHCP Relay Agent node and select New Interface...

Verify that the DHCP interface is configured to relay DHCP packets. Right-click the interface and select Properties.

Configure the Global DHCP Relay

This configuration is achieved through the DHCP Relay Agent Properties dialog box.

Enter the IP address of your DHCP server and click Add, then OK to save the settings.

Configure the DHCP Relay Agent to point to the address of at least one remote DHCP server. (Use more than one DHCP server for fault tolerance.)

Verifying that DHCP Relay Agent Is Functioning

You can verify that the DHCP Relay Agent is functioning by using the Routing And Remote Access console. To do so, select the DHCP Relay Agent node and view the statistics in the details pane. The details pane compiles requests received, replies received, requests discarded, and replies discarded. If this data reveals that both requests and replies have been received, the DHCP Relay Agent is functioning.

You want to deploy one DHCP server on your network that consists of two subnets. What are two methods that will enable you to achieve this task?

You can separate the two subnets with an RFC 1542–compatible router and enable BOOTP forwarding, or you can configure a DHCP relay agent on the subnet that does not have the DHCP server.