Building a Cisco Network for Windows 2000, part 4

154 Chapter 4 • Protocols and Networking Concepts

Summary

The language spoken by each computer is a binary system of ones and zeros. The protocol stack is the syntax of that language when it travels between computers. When you look at a protocol stack, you should use the OSI reference model to relate to how that protocol works with the other protocols in the stack.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the protocol stack used by the Internet. It is the protocol that is closest to being implemented universally on networks worldwide. The protocol stack works over most media, wide area network (WAN) protocols, and the IEEE (Institute of Electrical and Electronics Engineers) 802 series physical and data-link layer protocols, which include Ethernet (IEEE 802.3) and Token Ring (IEEE 802.5) as well as many others. The network layer protocol, IP (Internet Protocol), provides the addressing for network nodes and segments. The transport layer protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), provide connection-oriented and connectionless connectivity, respectively.

Each interface in a server or router is given its own IP address. On Windows 2000, the IP address is set in the Network and Dial-up Connections applet found in the Control Panel. On a Cisco router, the IP address is set in interface configuration mode.

DNS (Domain Name System) is important for mapping host names to IP addresses. DNS is required for Windows 2000 Active Directory. It is the mechanism by which servers discover each other to exchange information, and by which clients discover servers in order to authenticate and query the Active Directory database. DNS services can be installed on Windows 2000, or Windows 2000 can be configured to use other DNS servers.

DNS is a hierarchical system that includes root servers on the Internet. DNS lookups that cannot be resolved on a DNS server can be passed through the hierarchy until an answer is found. DNS uses a zone for each segment of its hierarchy. A DNS server can have a primary zone, for which it is the sole authoritative server, or a secondary zone, which is a copy of a primary zone on a different server. A Windows 2000 DNS server can also use an Active-Directory-Integrated zone to take advantage of the redundancy found within the Active Directory.
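The hierarchy walk described above, as an added example that is not part of the book: a small Python model in which a server answers from a zone it hosts and, for any other name, iterates down from the root following referrals until an authoritative answer or NXDOMAIN is reached. The zone contents, server names and 192.0.2.0/24 (TEST-NET-1) addresses are constructed for illustration.

```python
"""Toy model of DNS delegation: a server answers from the zones it hosts and,
for names it is not authoritative for, walks down from the root following
referrals.  Added example, not from the book; all zone data is constructed."""

# zone apex -> {owner name -> {rrtype: [rdata, ...]}}; names are fully qualified
ZONES = {
    ".": {
        ".": {"NS": ["a.root-servers.net."]},
        "com.": {"NS": ["a.gtld-servers.net."]},          # delegation to com.
        "a.gtld-servers.net.": {"A": ["192.0.2.1"]},       # glue record
    },
    "com.": {
        "com.": {"NS": ["a.gtld-servers.net."]},
        "example.com.": {"NS": ["ns1.example.com."]},      # delegation to example.com.
        "ns1.example.com.": {"A": ["192.0.2.53"]},         # glue record
    },
    "example.com.": {                                      # zone a primary server owns
        "example.com.": {"SOA": ["ns1.example.com."], "NS": ["ns1.example.com."]},
        "ns1.example.com.": {"A": ["192.0.2.53"]},
        "www.example.com.": {"A": ["192.0.2.80"]},
    },
}


def is_within(name, zone):
    """True if `name` is at or below `zone` in the tree."""
    return zone == "." or name == zone or name.endswith("." + zone)


def enclosing_zone(name, hosted):
    """Of the zones this server hosts, the closest (longest) one containing
    `name`, or None if the server is not authoritative for the name at all."""
    candidates = [z for z in hosted if is_within(name, z)]
    return max(candidates, key=len) if candidates else None


def lookup_in_zone(zone, name, rrtype):
    """Answer one query against one zone: a referral if the name lies under a
    child delegation (an NS set below the apex), else the records or NXDOMAIN."""
    data = ZONES[zone]
    for owner, rrs in data.items():
        if owner != zone and "NS" in rrs and is_within(name, owner):
            return "referral", rrs["NS"], owner
    if name in data and rrtype in data[name]:
        return "answer", data[name][rrtype], zone
    return "nxdomain", [], zone


def resolve(name, rrtype, hosted, max_referrals=8):
    """What a DNS server does with a query: answer from its own zone if it has
    one for the name, otherwise iterate from the root hints following referrals.
    Returns (status, rdata list, list of zones consulted in order)."""
    zone = enclosing_zone(name, hosted) or "."    # "." = start at the root hints
    path = []
    for _ in range(max_referrals):
        path.append(zone)
        status, rdata, next_zone = lookup_in_zone(zone, name, rrtype)
        if status != "referral":
            return status, rdata, path
        if next_zone not in ZONES:                # delegated to a zone nobody serves
            return "servfail", [], path
        zone = next_zone                          # follow the delegation down one level
    return "servfail", [], path                   # delegation chain too deep


if __name__ == "__main__":
    # A server hosting only example.com. answers locally; one hosting nothing walks the tree.
    print(resolve("www.example.com.", "A", ["example.com."]))
    print(resolve("www.example.com.", "A", []))
    print(resolve("nope.example.com.", "A", []))
```

A secondary zone is the same dictionary obtained from the primary by zone transfer, so a server hosting it answers from `hosted` exactly as the primary does. The `path` returned by `resolve` lists every zone whose delegation records had to be trusted to reach the answer, which is why the integrity of the parent zones matters as much as that of the leaf zone.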

DHCP (Dynamic Host Configuration Protocol) is used for assigning IP addresses to hosts. A scope is created on a DHCP server. The scope consists of a pool of IP addresses that can be assigned to clients. When a client requests an address, the DHCP server assigns either an address reserved for it, or one from within a pool of available addresses. DHCP services can be installed on Windows 2000, or Windows 2000 can be configured as a DHCP client. DHCP is based on BOOTP (Boot Protocol), which uses UDP (User Datagram Protocol). These UDP packets are broadcast-based and not typically forwarded beyond the current network segment. In a routed environment, routers must be configured to forward these UDP packets in order for a DHCP server to provide its services to segments to which it is not directly connected. This is usually accomplished by configuring an IP helper address on the router.
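What the IP helper address actually does to a client's broadcast, as an added example that is not code from the book: a Python model of the BOOTP relay agent rules (RFC 1542 and RFC 2131 section 4.1) that a helper address turns the router interface into. The topology, addresses and transaction ID are constructed; the header layout and the giaddr/hops handling are those of the standard.

```python
"""Model of a DHCP relay agent (what "ip helper-address" turns a Cisco router
interface into), following the BOOTP relay rules of RFC 1542 and RFC 2131
section 4.1.  Added example, not code from the book; every address below is
constructed for illustration."""
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header, options omitted
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
LIMITED_BROADCAST = "255.255.255.255"
FLAG_BROADCAST = 0x8000                     # client asks for a broadcast reply


def build_bootp(op, xid, chaddr, hops=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                siaddr="0.0.0.0", giaddr="0.0.0.0", flags=FLAG_BROADCAST):
    """Pack a BOOTP/DHCP header (htype 1 = Ethernet, hlen 6)."""
    def packed(a):
        return ipaddress.IPv4Address(a).packed
    return struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, flags,
                       packed(ciaddr), packed(yiaddr), packed(siaddr), packed(giaddr),
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)


def parse_bootp(data):
    """Unpack the fields a relay agent and a server look at."""
    (op, _htype, hlen, hops, xid, _secs, flags,
     ci, yi, si, gi, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, data[:236])
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": addr(ci), "yiaddr": addr(yi), "siaddr": addr(si),
            "giaddr": addr(gi), "chaddr": chaddr[:hlen]}


def relay_request(datagram, relay_iface_ip, helper_address, max_hops=4):
    """What the router does with a client broadcast arriving on an interface that
    has a helper address: set giaddr to its own address on the client's segment
    (unless an earlier relay already set it), increment hops, and unicast the
    datagram to the server.  Returns (dst_ip, dst_port, datagram), or None when
    the packet is dropped (replies are not relayed this way; the hop limit stops
    relay loops)."""
    hdr = parse_bootp(datagram)
    if hdr["op"] != BOOTREQUEST or hdr["hops"] >= max_hops:
        return None
    giaddr = relay_iface_ip if hdr["giaddr"] == "0.0.0.0" else hdr["giaddr"]
    out = bytearray(datagram)
    out[3] = hdr["hops"] + 1                               # hops field: byte 3
    out[24:28] = ipaddress.IPv4Address(giaddr).packed      # giaddr field: bytes 24..27
    return helper_address, SERVER_PORT, bytes(out)


def server_reply_destination(request):
    """Where the DHCP server sends its reply (RFC 2131 s4.1): to the relay agent on
    port 67 if giaddr is set, so the relay can deliver it onto the client's segment;
    otherwise to the client directly, broadcast when the client asked for that."""
    hdr = parse_bootp(request)
    if hdr["giaddr"] != "0.0.0.0":
        return hdr["giaddr"], SERVER_PORT
    if hdr["ciaddr"] != "0.0.0.0":
        return hdr["ciaddr"], CLIENT_PORT
    if hdr["flags"] & FLAG_BROADCAST:
        return LIMITED_BROADCAST, CLIENT_PORT
    return hdr["yiaddr"], CLIENT_PORT


if __name__ == "__main__":
    # Constructed topology: client on 10.2.0.0/24, router interface 10.2.0.1 carrying
    # helper address 10.1.0.10 (the DHCP server on another segment).
    discover = build_bootp(BOOTREQUEST, xid=0x3903F326, chaddr=bytes.fromhex("001122334455"))
    print("a server on the client's own segment would reply to", server_reply_destination(discover))
    dst, port, forwarded = relay_request(discover, "10.2.0.1", "10.1.0.10")
    print("relayed to", dst, port, parse_bootp(forwarded))
    print("the server replies to", server_reply_destination(forwarded))
```

The giaddr the relay writes is what tells the server which scope to allocate from, and it is also the only thing that lets the reply find its way back to the client's segment, so the helper address must be configured on the interface facing the clients, not the one facing the server.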

FTP (File Transfer Protocol) is an application layer protocol used for manipulating files on remote servers. Windows 2000 can be configured as an FTP server through the installation and configuration of the Internet Information Services. If FTP services are not to be provided across a router, the router can be configured to filter the FTP protocol with an access control list.

Telnet is an application layer protocol used to provide terminal sessions. Cisco routers are automatically Telnet servers, providing sessions for remote control of the routers from which an administrator can configure the routers. Windows 2000 can be configured as a Telnet server, and can include two types of Telnet clients—telnet.exe and HyperTerminal.

HTTP (HyperText Transfer Protocol) is an application layer protocol used for downloading HTML (HyperText Markup Language) documents. HTTP is the basis of the World Wide Web. Windows 2000 can be installed with Internet Information Services and configured to provide Web services.

NNTP (Network News Transport Protocol) is an application layer protocol used for Usenet newsgroups. Windows 2000 can be configured to provide newsgroup services from its Internet Information Services application.

RPCs (Remote Procedure Calls) are a session layer API (Application Programming Interface) that can make remote procedures appear to be happening locally. Windows 2000 Active Directory depends on RPCs for its replication traffic both within sites and between sites.

SMTP (Simple Mail Transport Protocol) is a protocol typically used for transferring electronic messages over TCP/IP. Windows 2000 Active Directory can use SMTP for replication between sites that do not share a domain. This is done through specific configuration of a site link in the Active Directory Sites and Services console.

IPX (Internetwork Packet Exchange) is usually associated with Novell NetWare servers. Windows NT and Windows 2000 servers also use it as a mode of network transport. If you install the Active Directory, you must have TCP/IP as the network protocol stack. However, in multiprotocol networks or for standalone servers, IPX is optional. Cisco router interfaces can be configured with IPX in interface configuration mode.

RDP (Remote Desktop Protocol) is a protocol used by Terminal Services on Windows 2000, and runs on top of TCP/IP. RDP provides the client interface as a terminal session.

H.323 is a multiservices support protocol. It provides voice, video, and data transmissions. Four components are available in H.323 networks: H.323 terminals, H.323 MCUs (Multimedia Communication Units), H.323 gateways, and H.323 gatekeepers. Voice-over IP (VoIP) and Fax-over IP use H.323.

FAQs

Q: Is it possible to convert an Active-Directory-Integrated DNS zone to primary?

A: Yes. You can convert any type of DNS zone (primary, secondary, or Active-Directory-Integrated) to any other type on a Windows 2000 DNS server. When you convert an Active-Directory-Integrated zone to a primary zone, the DNS server becomes the single primary for that zone. The Active Directory information must be deleted from all the domain controllers' domain partitions after the conversion to prevent errors.

Q: Can I filter out RDP communications between two computers located on the same network segment?

A: No, you cannot filter out a protocol on a segment without placing some filtering device between them. Filters are access control lists placed on Cisco routers that specify which protocols can or cannot be permitted through an interface. This effectively would create a firewall at the protocol level between two segments. An IP access control list can be used specifying the TCP port number used for RDP to filter it out between the two segments.
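The port-based filtering that both the FTP paragraph in the Summary and the RDP answer above rely on, as an added example that is not configuration from the book: a Python model of a Cisco-style extended IP access control list (ordered entries, first match wins, implicit deny at the end), evaluated against constructed packets between two constructed segments. The port numbers 21 (FTP control) and 3389 (RDP) are the well-known values, not figures taken from the book, and the `ios_syntax` renderer only shows the `access-list` line form for comparison.

```python
"""Model of a Cisco-style extended IP access control list: entries are checked in
order, the first match decides, and anything matching no entry is denied (the
implicit "deny ip any any").  Added example; the policy and the segments
10.1.0.0/24 and 10.2.0.0/24 are constructed, not configuration from the book."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                      # CIDR prefix
    dst: str                      # CIDR prefix
    dport: Optional[int] = None   # destination port (tcp/udp only); None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or pkt.dport == self.dport


def evaluate(acl, pkt):
    """Return (action, index of the matching entry); index None means the packet
    fell through every entry to the implicit deny at the end of the list."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


# Well-known ports (known values, not taken from the book): FTP control and RDP.
FTP_CONTROL, RDP = 21, 3389
SEGMENT_A, SEGMENT_B = "10.1.0.0/24", "10.2.0.0/24"

# Policy: no FTP or RDP from segment A into segment B; everything else passes.
# The deny lines must come before the permit, or they never get a chance to match.
ACL_101 = [
    Entry("deny", "tcp", SEGMENT_A, SEGMENT_B, FTP_CONTROL),
    Entry("deny", "tcp", SEGMENT_A, SEGMENT_B, RDP),
    Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def ios_syntax(acl, number=101):
    """Render the list as IOS 'access-list' lines (wildcard masks, 'any' for 0/0)."""
    def net(cidr):
        n = ipaddress.ip_network(cidr)
        return "any" if n.prefixlen == 0 else f"{n.network_address} {n.hostmask}"
    return [f"access-list {number} {e.action} {e.proto} {net(e.src)} {net(e.dst)}"
            + (f" eq {e.dport}" if e.dport is not None else "")
            for e in acl]


if __name__ == "__main__":
    for line in ios_syntax(ACL_101):
        print(line)
    for pkt in (Packet("tcp", "10.1.0.5", "10.2.0.9", RDP),
                Packet("tcp", "10.1.0.5", "10.2.0.9", 80),
                Packet("tcp", "10.2.0.9", "10.1.0.5", RDP)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Two things the model makes visible. First, the list is directional: the policy above stops RDP from A into B but says nothing about B into A, so a symmetric policy needs entries for both directions (or a list on each interface). Second, denying TCP port 21 is enough to stop FTP sessions from being set up, because the control connection is what the client opens first; the data connection uses port 20 in active mode or an ephemeral port in passive mode, so a list that only blocked port 20 would not stop FTP. The list only sees traffic that crosses the router interface it is applied to, which is the reason, given in the answer above, that two hosts on the same segment cannot be filtered this way.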

Q: What is the difference between Fax-over IP and Voice-over IP?

A: The difference between Fax- and Voice-over IP is not that great. Fax-over IP is an H.323 Voice-over IP system with faxing "extras." For example, in a store-and-forward fax Cisco router configuration, the difference is that the router must be configured to support fax information such as the fax header information. In a real-time fax Cisco router configuration, the router must be configured to support the queuing of faxes so that fax devices experience the delays they normally would experience in standard faxing, in which pages are negotiated between fax machines on a page-by-page basis.

Chapter 5
Routing and Remote Access

Solutions in this chapter:

■ Understanding remote access protocols
■ Understanding routing protocols
■ Enabling routing on a Windows 2000 server
■ Securing a network through virtual private networking

158 Chapter 5 • Routing and Remote Access

Introduction

One of the interesting things about a Cisco and Microsoft Windows 2000 network is that both Cisco routers and Windows 2000 servers can perform routing. In order to route, each needs to have at least two interfaces, and needs to be configured to route data from one network segment to another. So if both will support this feature, why not just use Windows 2000 to do it all—file, print, Web, and routing services? This is the kind of question that you may run across from time to time. Engineers instinctively veer away from running everything on a single machine, but it makes little sense to nontechnical people to spread the processing around the network if it can all be done in a single place. In projects where each expense must be justified, you can use the following reasons to explain your network design.

■ Performance and availability on the network are decreased when a combination server and router is used, thus increasing downtime, which affects the productivity of network users.
■ Single points of failure cause excessive downtime if there is a failure. A Windows 2000 server that also acts as a router is a single point of failure on the network.
■ Using separate hosts (a Cisco router as a router, and a Windows 2000 server as a server, for instance) for different functions on the network will increase the security on the network—a hacker must breach both the router and the server in order to access the network.
■ Using separate routers and servers vastly increases the scalability of the network.

Because remote access servers utilize modems in the same way as a network interface, they are, effectively, routers. That is why remote access and routing are generally grouped together.

Remote Access Protocols

Legacy remote access protocols were simply those that worked across the plain old telephone system (POTS). They were required to convert digital data to analog, travel across a serial line, and then be converted back at the receiving station. Though analog lines are still used to connect to remote access servers today, alternate means of communications are now available.

ISDN

The Integrated Services Digital Network (ISDN) is sometimes referred to as the "I Still Don't kNow" acronym. The reason for this sarcastic description is based on the fact that ISDN was not available immediately, even though it was broadly discussed. ISDN was an exciting option for remote access since it provided increased bandwidth, reduced latency, faster call establishment, and less noise interference with the signal.

ISDN is a digital call switching service that is provided in two forms:

■ Basic Rate Interface (BRI)
■ Primary Rate Interface (PRI)

Both types of interfaces are available in most areas where legacy analog Public Switched Telephone Network (PSTN) equipment has been updated with digital equipment. The new digital switches can support both ISDN and POTS.

BRI provides two B (bearer) channels and one D (data) channel. The B channels provide 64 Kbps bandwidth each and are used for bearer services (voice or data), and the D channel, at 16 Kbps, is used for signaling and control. The D channel is used for building, maintaining, and releasing the bearer service connections over the B channels. BRI's bandwidth is therefore 128 Kbps over the B channels. BRI can be provided over legacy analog phone service local loops. ISDN local loop length is limited to approximately 18,000 feet.

PRI provides 23 B channels at 64 Kbps and 1 D channel at 64 Kbps. The B channels still provide bearer services and the D channel provides signaling and control in the same way as it does for BRI. PRI services are provided over T1 lines. PRI's bandwidth is 1.472 Mbps over those 23 B channels. (PRI services also can be provided over E1 leased lines with 30 B channels at 64 Kbps and a single 64 Kbps D channel.)

ISDN Equipment Types

The components used in ISDN networks include several types:

Terminal Adapter (TA): An adapter that is used with legacy equipment or non-ISDN-capable equipment in order to connect to the ISDN network. This is used for BRI rates.

Terminal Equipment Type 1 (TE1): A device that can connect directly to an ISDN network and has ISDN capabilities built in.

Terminal Equipment Type 2 (TE2): A device that requires a TA to connect to the ISDN network.