Building a Cisco Network for Windows 2000, part 4 (doc)

154 Chapter 4 • Protocols and Networking Concepts

Summary

The language spoken by each computer is a binary system of ones and zeros. The protocol stack is the syntax of that language when it travels between computers. When you look at a protocol stack, you should use the OSI reference model to relate how that protocol works with the other protocols in the stack.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the protocol stack used by the Internet. It is the protocol that is closest to being implemented universally on networks worldwide. The protocol stack works over most media, wide area network (WAN) protocols, and the IEEE (Institute of Electrical and Electronics Engineers) 802 series physical and data-link layer protocols, which include Ethernet (IEEE 802.3) and Token Ring (IEEE 802.5) as well as many others. The network layer protocol, IP (Internet Protocol), provides the addressing for network nodes and segments. The transport layer protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), provide connection-oriented and connectionless connectivity, respectively.

Each interface in a server or router is given its own IP address. On Windows 2000, the IP address is set in the Network and Dial-up Connections applet found in the Control Panel. On a Cisco router, the IP address is set in interface configuration mode.

DNS (Domain Name System) is important for mapping host names to IP addresses. DNS is required for Windows 2000 Active Directory. It is the mechanism by which servers discover each other to exchange information, and by which clients discover servers in order to authenticate and query the Active Directory database. DNS services can be installed on Windows 2000, or Windows 2000 can be configured to use other DNS servers. DNS is a hierarchical system that includes root servers on the Internet. DNS lookups that cannot be resolved on a DNS server can be passed through the hierarchy until an answer is found. DNS uses a zone for each segment of its hierarchy. A DNS server can have a primary zone, for which it is the sole authoritative server, or a secondary zone, which is a copy of a primary zone on a different server. A Windows 2000 DNS server can also use an Active-Directory-Integrated zone to take advantage of the redundancy found within the Active Directory.

DHCP (Dynamic Host Configuration Protocol) is used for assigning IP addresses to hosts. A scope is created on a DHCP server. The scope consists of a pool of IP addresses that can be assigned to clients. When a client requests an address, the DHCP server assigns either an address reserved for it, or one from within a pool of available addresses. DHCP services can be installed on Windows 2000, or Windows 2000 can be configured as a DHCP client. DHCP is based on BOOTP (Boot Protocol), which uses UDP (User Datagram Protocol). DHCP's UDP packets are broadcast-based and are not typically forwarded beyond the current network segment. In a routed environment, routers must be configured to forward these UDP broadcasts in order for a DHCP server to provide its services to segments to which it is not directly connected. This is usually accomplished by configuring an IP helper address on the router.

www.syngress.com 71_BCNW2K_04 9/10/00 12:36 PM Page 154

FTP (File Transfer Protocol) is an application layer protocol used for manipulating files on remote servers. Windows 2000 can be configured as an FTP server through the installation and configuration of Internet Information Services. If FTP services are not to be provided across a router, the router can be configured to filter the FTP protocol with an access control list.

Telnet is an application layer protocol used to provide terminal sessions. Cisco routers are automatically Telnet servers, providing sessions for remote control of the routers from which an administrator can configure the routers. Windows 2000 can be configured as a Telnet server, and can include two types of Telnet clients: telnet.exe and HyperTerminal.

HTTP (HyperText Transfer Protocol) is an application layer protocol used for downloading HTML (HyperText Markup Language) documents. HTTP is the basis of the World Wide Web. Windows 2000 can be installed with Internet Information Services and configured to provide Web services.

NNTP (Network News Transport Protocol) is an application layer protocol used for Usenet newsgroups. Windows 2000 can be configured to provide newsgroup services from its Internet Information Services application.

RPCs (Remote Procedure Calls) are a session layer API (Application Programming Interface) that can make remote procedures appear to be happening locally. Windows 2000 Active Directory depends on RPCs for its replication traffic both within sites and between sites.

SMTP (Simple Mail Transport Protocol) is a protocol typically used for transferring electronic messages over TCP/IP. Windows 2000 Active Directory can use SMTP for replication between sites that do not share a domain. This is done through specific configuration of a site link in the Active Directory Sites and Services console.

IPX (Internetwork Packet Exchange) is usually associated with Novell NetWare servers. Windows NT and Windows 2000 servers also use it as a mode of network transport. If you install the Active Directory, you must have TCP/IP as the network protocol stack. However, in multiprotocol networks or for standalone servers, IPX is optional. Cisco router interfaces can be configured with IPX in interface configuration mode.

RDP (Remote Desktop Protocol) is a protocol used by Terminal Services on Windows 2000, and runs on top of TCP/IP. RDP provides the client interface as a terminal session.

H.323 is a multiservices support protocol. It provides voice, video, and data transmissions. Four components are available in H.323 networks: H.323 terminals, H.323 MCUs (Multimedia Communication Units), H.323 gateways, and H.323 gatekeepers. Voice-over IP (VoIP) and Fax-over IP use H.323.

FAQs

Q: Is it possible to convert an Active-Directory-Integrated DNS zone to primary?

A: Yes. You can convert any type of DNS zone (primary, secondary, or Active-Directory-Integrated) to any other type on a Windows 2000 DNS server. When you convert an Active-Directory-Integrated zone to a primary zone, the DNS server becomes the single primary for that zone. The Active Directory information must be deleted from all the domain controllers' domain partitions after the conversion to prevent errors.

Q: Can I filter out RDP communications between two computers located on the same network segment?

A: No, you cannot filter out a protocol on a segment without placing some filtering device between them. Filters are access control lists placed on Cisco routers that specify which protocols can or cannot be permitted through an interface. This effectively creates a firewall at the protocol level between two segments. An IP access control list specifying the TCP port number used for RDP can be used to filter it out between the two segments.

Q: What is the difference between Fax-over IP and Voice-over IP?

A: The difference between Fax- and Voice-over IP is not that great. Fax-over IP is an H.323 Voice-over IP system with faxing "extras." For example, in a store-and-forward fax Cisco router configuration, the difference is that the router must be configured to support fax information such as the fax header information. In a real-time fax Cisco router configuration, the router must be configured to support the queuing of faxes so that fax devices experience the delays they normally would experience in standard faxing, in which pages are negotiated between fax machines on a page-by-page basis.
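As an added example, not from the book, the IOS configuration below puts in one place three things the chapter describes: the IP helper address that relays DHCP broadcasts to a server on another segment, and an access control list that filters FTP and RDP between two segments (the RDP case from the FAQ above). The interface names, the 10.10.1.0/24 and 10.10.2.0/24 segments and the DHCP server address 10.10.1.10 are constructed for illustration; RDP listens on TCP 3389 and FTP control on TCP 21, which the book does not state.

```cisco
! Added example configuration, not from the book. Addresses and
! interface names are constructed for illustration.
!
! Segment A (Ethernet0, 10.10.1.0/24) hosts the DHCP server 10.10.1.10.
! Segment B (Ethernet1, 10.10.2.0/24) has no DHCP server of its own.
!
! DHCP relay: DHCP DISCOVER/REQUEST arrive on Ethernet1 as UDP broadcasts
! that the router would otherwise not forward. "ip helper-address" turns
! them into unicasts to the listed server. By default the helper also
! relays other UDP services (TFTP, DNS, time, NetBIOS name/datagram,
! TACACS); switch off the ones you do not need so the relay does not
! extend those broadcasts into segment A.
interface Ethernet1
 ip address 10.10.2.1 255.255.255.0
 ip helper-address 10.10.1.10
 ip access-group 110 in
!
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! Extended ACL applied inbound on segment B. Deny RDP (TCP 3389) and the
! FTP control channel (TCP 21) towards segment A and log the drops so they
! are visible in syslog. Blocking the control channel is enough to stop
! FTP sessions; the data channel is never negotiated without it.
! The inbound ACL is evaluated before the helper relays anything, and the
! DHCP client sends from 0.0.0.0, so the bootpc/bootps permit is needed
! even though the last line permits the whole 10.10.2.0/24 segment.
access-list 110 deny   tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 3389 log
access-list 110 deny   tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 21 log
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit ip 10.10.2.0 0.0.0.255 any
! Every numbered ACL ends with an implicit "deny ip any any"; the final
! permit above is what keeps ordinary traffic flowing. This ACL only
! filters B-to-A sessions; hosts on segment A reaching RDP or FTP on
! segment B need a matching ACL applied inbound on Ethernet0.
```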
Chapter 5
Routing and Remote Access

Solutions in this chapter:

■ Understanding remote access protocols
■ Understanding routing protocols
■ Enabling routing on a Windows 2000 server
■ Securing a network through virtual private networking

71_BCNW2K_05 9/10/00 12:59 PM Page 157

Introduction

One of the interesting things about a Cisco and Microsoft Windows 2000 network is that both Cisco routers and Windows 2000 servers can perform routing. In order to route, each needs to have at least two interfaces, and needs to be configured to route data from one network segment to another. So if both will support this feature, why not just use Windows 2000 to do it all: file, print, Web, and routing services? This is the kind of question that you may run across from time to time. Engineers instinctively veer away from running everything on a single machine, but it makes little sense to nontechnical people to spread the processing around the network if it can all be done in a single place. In projects where each expense must be justified, you can use the following reasons to explain your network design.

■ Performance and availability on the network are decreased when a combination server and router is used, thus increasing downtime, which affects the productivity of network users.
■ Single points of failure cause excessive downtime if there is a failure. A Windows 2000 server that also acts as a router is a single point of failure on the network.
■ Using separate hosts (a Cisco router as a router, and a Windows 2000 server as a server, for instance) for different functions on the network will increase the security on the network: an attacker must breach both the router and the server in order to access the network.
■ Using separate routers and servers vastly increases the scalability of the network.

Because remote access servers utilize modems in the same way as a network interface, they are, effectively, routers. That is why remote access and routing are generally grouped together.

Remote Access Protocols

Legacy remote access protocols were simply those that worked across the plain old telephone system (POTS). They were required to convert digital data to analog, travel across a serial line, and then be converted back at the receiving station. Though analog lines are still used to connect to remote access servers today, alternate means of communications are now available.

ISDN

The Integrated Services Digital Network (ISDN) is sometimes referred to as the "I Still Don't kNow" acronym. The reason for this sarcastic description is that ISDN was not available immediately, even though it was broadly discussed. ISDN was an exciting option for remote access since it provided increased bandwidth, reduced latency, faster call establishment, and less noise interference with the signal. ISDN is a digital call switching service that is provided in two forms:

■ Basic Rate Interface (BRI)
■ Primary Rate Interface (PRI)

Both types of interfaces are available in most areas where legacy analog Public Switched Telephone Network (PSTN) equipment has been updated with digital equipment. The new digital switches can support both ISDN and POTS.

BRI provides two B (bearer) channels and one D (data) channel. The B channels provide 64 Kbps bandwidth each and are used for bearer services (voice or data), and the D channel, at 16 Kbps, is used for signaling and control. The D channel is used for building, maintaining, and releasing the bearer service connections over the B channels. BRI's bandwidth is therefore 128 Kbps over the B channels. BRI can be provided over legacy analog phone service local loops. ISDN local loop length is limited to approximately 18,000 feet.

PRI provides 23 B channels at 64 Kbps and 1 D channel at 64 Kbps. The B channels still provide bearer services and the D channel provides signaling and control in the same way as it does for BRI. PRI services are provided over T1 lines. PRI's bandwidth is 1.472 Mbps over those 23 B channels. (PRI services also can be provided over E1 leased lines with 30 64 Kbps B channels and a single 64 Kbps D channel.)

ISDN Equipment Types

The components used in ISDN networks include several types:

Terminal Adapter (TA) An adapter that is used with legacy equipment or non-ISDN-capable equipment in order to connect to the ISDN network. This is used for BRI rates.

Terminal Equipment Type 1 (TE1) A device that can connect directly to an ISDN network and has ISDN capabilities built in.

Terminal Equipment Type 2 (TE2) A device that requires a TA to connect to the ISDN network.

Network Termination Type 1 (NT1) A device that sends and receives signals to the service provider's ISDN switch. The ISDN U interface is used by an NT1. U interfaces are used in the United States to provide full-duplex data transmission over a single pair of wires. A U interface can connect only to a single NT1. An S/T interface supports full-duplex data transmission over two pairs of wires. The S/T interface can support up to seven NT1s.

Network Termination Type 2 (NT2) A device that concentrates ISDN switching services at the client's site. NT2 devices connect to NT1 devices in order to access the service provider's ISDN network.

Local Exchange (LE) An ISDN switch providing both switching and termination services for ISDN traffic, located at the service provider's network.

It is possible to have TA and TE1 devices with NT2 devices built in, or with both NT1 and NT2 devices built in. It is common in Europe to have only a built-in NT2 device since service providers provide NT1 services. In the United States, however, both NT1 and NT2 devices are required. When configuring ISDN routing, each TE1, TE2, NT1, or NT2 device must be configured with the correct type of LE switch.

ISDN Protocol

When a connection between two hosts over an ISDN B channel link is created, it is encapsulated in Point-to-Point Protocol (PPP), High-level Data Link Control (HDLC), or the X.25 or V.120 protocols. Both ISDN routers must be configured with the same encapsulation in order for data to transmit properly. The majority of ISDN implementations encapsulate with PPP. D channels use Link Access Protocol D (LAPD) for signaling between terminal equipment and the ISDN switch. Within a service provider's ISDN network, the ISDN switches use the Signaling System 7 (SS7) protocol.

ISDN operates at the physical, data-link, and network layers of the OSI protocol reference model. The LE provides clocking for the physical layer's synchronous bitstream of ISDN data. Data-link layer addressing assigns a unique physical address called a Terminal Endpoint Identifier (TEI) to each ISDN interface. At the network layer, ISDN services on each device are assigned logical addresses.

When either a TE1 or TE2 comes online, it requests a TEI from the service provider's LE. The LE assigns a unique TEI for traffic identification. The switch assigns a Service Profile Identifier (SPID), a logical address, to each B channel. The SPID is used like a telephone number to build the circuit connection between ISDN devices. A Service Access Point Identifier (SAPI) is assigned to each separate service performed by the ISDN device. SAPIs are used to prioritize data.

Dial-on-Demand Routing

Dial-on-demand routing (DDR) can provide seamless connectivity between networks. An ISDN router receives a packet destined for the other network and establishes the connection. After a configured time period of no routing to that network, the ISDN router disconnects. One use of ISDN DDR is as a redundant backup link for a network connection.

DDR is useful in containing ISDN costs since there is no need for full-time data connectivity over leased lines. ISDN data services are charged at per-minute rates regardless of whether they are long distance or local calls. In addition, users must invest in ISDN equipment in order to use the ISDN services, such as an ISDN telephone or terminal adapter for use with their existing analog telephones. These costs are prohibitive for a casual ISDN user, but as a backup link, ISDN is a cost-effective option.

Configuring BRI on a Cisco Router

To configure BRI, you will need the type of ISDN switch used by the service provider. The following ISDN switch types, all of which are used within the United States, use different signaling:

■ AT&T 5ESS
■ Northern DMS-100
■ National ISDN-1

The command to identify the ISDN switch is entered in global configuration mode. The command follows, and Table 5.1 lists the switch options.

    isdn switch-type switchtype

If you are using a Cisco 700 router, the set switch command is used, and only the three switches for the United States are options in the U.S. software image. The Cisco 700 router command is

    set switch [5ess | dms | ni-1 | perm64 | perm128]

After configuring the switch type, you then enter the SPIDs for a BRI. SPIDs are not required for PRI. These commands are entered in BRI interface configuration mode. The 5ess interface will allow up to eight SPIDs for each B channel, whereas the DMS-100 and National ISDN-1 interfaces allow two SPIDs for each B channel. To enter into this mode and then configure the SPIDs, type the following commands:

    router>enable
    router#conf t
    router(config)#interface bri0
    router(config-if)#isdn spid1 0828828201 8288282
    router(config-if)#isdn spid2 0828828401 8288284

On the Cisco 700 Series, the SPID configuration again uses set commands, as follows:

    set 1 spid 51282882820101
    set 1 directorynumber 8288282
    set phone1 = 8288282
    set 2 spid 51282882840101

To verify your BRI configuration, use the following command in EXEC mode:

    show isdn status

On the Cisco 700 Series router, you use the following command instead:

    show status

Table 5.1 BRI Switch Types

LE Switch Equipment Identifier   Country in which the Switch Is Used   Command for Switch Type
1TR6                             Germany                               basic-1tr6
AT&T 5ESS                        United States                         basic-5ess
Northern DMS-100                 United States                         basic-dms100
NET3                             U.K. and Europe                       basic-net3
National ISDN-1                  United States                         basic-ni1
NET3                             Norway                                basic-nwnet3
NET3                             New Zealand                           basic-nznet3
TS013                            Australia                             basic-ts013
NTT                              Japan                                 ntt
VN2                              France                                vn2
VN3 and VN4                      France                                vn3

Configuring PRI on a Cisco Router

PRI is configured on Multichannel Interface Processor (MIP) cards. MIP cards support channelized T1/E1 or PRI. There are PRI cards for Cisco 4x00, 36x0, 5x00, and 7x00 Series routers. To configure the ISDN switch type, use the isdn switch-type global configuration command as follows, along with the switches shown in Table 5.2:

    isdn switch-type switchtype

Table 5.2 PRI Switch Types

LE Switch Equipment Identifier   Country in which the Switch Is Used   Command for Switch Type
AT&T 4ESS                        United States                         primary-4ess
AT&T 5ESS                        United States                         primary-5ess
Northern Telecom                 United States                         primary-dms100
NET5                             Europe                                primary-net5
NTT                              Japan                                 primary-ntt
TS014                            Australia                             primary-ts014

Configuring the T1 or E1 controllers enables PRI services. The PRI B channels are numbered 0 through 23, but are mapped to primary-group timeslots numbered 1 through 24, as shown in the following router configuration:

    controller t1 0
     framing esf
     clock source line primary
     linecode b8zs
     pri-group timeslots 1-24

The D channel must be configured with the ISDN configuration commands. The D channel for a T1 line is interface serial0:23.

    interface serial0:23
     dialer rotary-group 1
    interface dialer 1
     ip unnumbered ethernet0
     encapsulation ppp
     peer default ip address pool default
     dialer in-band
     dialer idle-timeout 120
     dialer-group 1
     no fair-queue
     no cdp enable
     ppp authentication pap chap
     ppp multilink

Configuring an ISDN Interface on Windows 2000

Windows 2000 uses an ISDN line the same way that it uses a modem and analog line. It is considered a dial-up network [...]

[...] upload much smaller data amounts in the form of e-mail and small file transfers. ADSL is not as appropriate for businesses that transmit equal amounts of data to and from the Internet. Nor is it appropriate for an Internet Web server, since a Web server tends to upload data to users through the Internet rather than download from them. ADSL does not digitize the voice line. Instead, ADSL transmits standard analog voice service. Whereas the voice service uses a dial-up number, the data service doesn't. A portion of the analog line's bandwidth that is not utilized by voice transmission is used for data. This enables simultaneous voice and data transmission. A splitter is placed on the telephone jack to filter out ADSL signaling and to ensure the quality of the line. ADSL equipment divides the available bandwidth [...]

[...] (FDM) Assigns one frequency band for upstream data and another band for downstream data. The downstream path is divided using time division multiplexing (TDM) into high- and low-speed channels. The upstream path is divided using TDM into corresponding low-speed channels so that each upstream and downstream channel is a pair.

Echo cancellation Assigns the upstream band to overlap the downstream band, then [...]

[...] of the network via Router1. The default route for Router1 for any packets originating from that network would be to Router2. In addition, Router4 automatically can forward all packets originating from stub network 10.10.15.0 towards Router3. Routing protocols are responsible for creating and destroying routes within a router's routing table. These are dynamic routes, so named because they change along with [...]

[...] define areas within an enterprise network in order to "divide and conquer" the issues with routing. These areas are called autonomous systems, and are generally a set of routers that all connect to each other and are all managed by the same administrative unit. Sometimes autonomous systems are defined for routers with similar routing policies. IGRP sends update broadcasts every 90 seconds. A route table entry [...]

[...] Once OSPF is enabled on the router, you can configure parameters that are specific to each interface. This is necessary since, in the cases of ABRs and ASBRs, the router will have an interface connected to one area or autonomous system, and another interface connected to a different area, autonomous system, or external network. You can use these parameters [...]

[...] point to a default route outside of the stub area.

    area area-id authentication                  Specifies that authentication is going to be used in the area.
    area area-id authentication message-digest   Sets authentication to use MD5.
    area area-id stub [no-summary]               Defines an area to be a stub.
    area area-id default-cost cost               Assigns the cost for the default route used in the stub area.

[...] IP packet in another IP packet with a new IP header, the AH header. AH can authenticate the data source, but the AH header does not provide data confidentiality.

■ IPSec tunnels use the Encapsulating Security Payload (ESP) protocol to provide data confidentiality by encrypting the original IP packet and attaching an ESP header with an IP header, plus an ESP trailer. ESP also enables data source authentication [...]

[...] traffic that has no security association, whereas ipsec-manual will drop traffic that has no security association. Crypto maps can transform unsecured traffic that is received by a router; otherwise that unsecured traffic (i.e., any packets that are not using IPSec) is dropped. When configuring IPSec on a router, you will need to ascertain whether existing access lists are IPSec compatible, as well as create [...]

Posted: 07/08/2014, 17:20
