
Routing and Remote Access (RRAS)

Install the Routing and Remote Access (RRAS) role in Windows 2008 Server

If you go into the Add Roles Wizard, the RRAS role can be difficult to find, because what you
really need to add is the Network Policy and Access Services role and then the Routing and
Remote Access Services role.

Installation will take a couple of minutes and present an install summary. Just click Close.

After installing, browse over to the RRAS console from Administrative Tools.

Next, configure Routing and Remote Access by opening the RRAS MMC, right-clicking
the server, and clicking Configure and Enable Routing and Remote Access.
The Routing and Remote Access Server Setup Wizard appears.

There are several options available to you when configuring remote access:

Remote Access (Dial-Up Or VPN): This option enables remote clients to connect to the
server by using either a dial-up connection or a secure VPN.

Network Address Translation (NAT): This option enables internal clients to connect to the
Internet using a single, external IP address.

Virtual Private Network (VPN) Access And NAT: This option configures NAT for the
internal network and configures VPN connections.

Secure Connection Between Two Private Networks: This option is useful when, for
example, setting up a router-to-router VPN.

Custom Configuration: As noted previously, you use this option when none of the service
combinations meet your exact needs.

Types of IP Routing

A router can find the best route to a destination by exchanging routing information. This is
possible only when some kind of IP routing is enabled on the routers.

There are two types of IP Routing:

• Static Routing: uses a route that a network administrator enters into the router
manually.

• Dynamic Routing: uses a route that a network routing protocol adjusts automatically
for topology and traffic changes. Examples are RIPv2 and OSPF.

Configuring and Managing Routing Protocols

The dynamic routing protocols RIP and OSPF allow routers to determine paths along which
to send traffic.

RIP
When you enable RIP, you allow Windows Server 2008 to advertise routes to neighbouring
routers and to automatically detect neighbouring routers and remote networks.
RIP is a dynamic routing protocol that routers use to determine the best path to send given
data. Routes to destinations are chosen according to lowest cost.
By default, this cost is determined by the number of hops or routers between endpoints;
however, you can manually adjust the cost of any route as needed.

Importantly, RIP discards routes that are determined to have a cost higher than 15. This
feature effectively limits the size of the network in which RIP can operate. Another important
feature of RIP is that RIP-enabled routers advertise their entire routing tables to each other
every 30 seconds. The service therefore generates a substantial amount of network traffic.

Advantages and Disadvantages of RIP


The main advantage of RIP is that it is easy to deploy. You can implement it on your network
simply by enabling the protocol on each router. However, RIP does not scale well to large
networks because of the 15-hop limitation. Other disadvantages of RIP include its high
convergence times in medium-sized networks and its inability to factor costs other than hops
(such as bandwidth) into the route cost metric.

Managing RIP Security

RIP includes a number of configurable security features, including authentication, peer
filtering, route filters, and neighbors.
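
How these checks combine when a router receives a RIPv2 announcement, as an added example that is not part of the original page and is not RRAS code. It models authentication as the RIPv2 simple password (RFC 2453), which is carried unencrypted in the packet, and the route filter as a list of accepted prefixes; the addresses, the password and the function names are constructed for illustration.

```python
import ipaddress
import struct

RESPONSE, V2, INFINITY = 2, 2, 16          # RIP command, version, "unreachable"
AFI_AUTH, AFI_INET, SIMPLE = 0xFFFF, 2, 2  # RFC 2453 entry types


def build_response(password, routes):
    """Constructed RIPv2 response: header, password entry, route entries."""
    pkt = struct.pack("!BBH", RESPONSE, V2, 0)
    pkt += struct.pack("!HH16s", AFI_AUTH, SIMPLE, password.encode())
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed,
                           net.netmask.packed, bytes(4), metric)
    return pkt


def accept_routes(pkt, sender, peers, password, allowed, cost=1):
    """Return {network: metric} for the routes that survive every check."""
    if len(pkt) < 24 or tuple(pkt[:2]) != (RESPONSE, V2) or sender not in peers:
        return {}                                         # header + peer filter
    entries = [pkt[i:i + 20] for i in range(4, len(pkt) - 19, 20)]
    afi, auth_type, secret = struct.unpack("!HH16s", entries[0])
    if (afi, auth_type, secret.rstrip(b"\0")) != (AFI_AUTH, SIMPLE, password.encode()):
        return {}                                         # authentication
    accepted = {}
    for entry in entries[1:]:
        afi, _tag, addr, mask, _hop, metric = struct.unpack("!HH4s4s4sI", entry)
        try:
            net = ipaddress.ip_network(
                f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        except ValueError:
            continue                                      # malformed entry
        metric = min(metric + cost, INFINITY)             # add interface cost
        if afi != AFI_INET or metric >= INFINITY:         # 15-hop limit
            continue
        if any(net.subnet_of(a) for a in allowed):        # route filter
            accepted[str(net)] = metric
    return accepted


PEERS = {"192.168.1.2"}                                   # constructed values
ALLOWED = [ipaddress.ip_network("192.168.0.0/16")]
PACKET = build_response("s3cret", [("192.168.2.0/24", 1), ("0.0.0.0/0", 1),
                                   ("192.168.9.0/24", 15)])
print(accept_routes(PACKET, "192.168.1.2", PEERS, "s3cret", ALLOWED))
```

Only 192.168.2.0/24 is installed: the advertised default route falls outside the accepted range and the 15-hop route reaches the unreachable metric once the interface cost is added. Because the password is readable in the packet bytes, the peer and route filters do the real work of limiting what a neighbor can inject.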

To enable RIP

In Server Manager, right-click Roles\Network Policy and Access Services\Routing and
Remote Access\IPv4\General, and then choose New Routing Protocol.
In the New Routing Protocol dialog box, select RIP Version 2 For Internet Protocol, and then
click OK.

Now that you have RIPv2 installed, you can configure it. Configuring it is really as easy as
adding the interfaces on which you want to exchange RIP routes. To do this, go to the
RIP section, right-click, click New Interface, and select the interface you want to add
under RIP.
In the New Interface For RIP Version 2 For Internet Protocol dialog box, select the interface
you want to advertise with RIP. Then click OK. RIP is now enabled on the selected interface.

Configure RIP settings to match those of neighboring routers. The default settings will work
in most environments. You can adjust settings using the four tabs of the RIP Properties
dialog box:

General: Select whether RIP v1 or RIP v2 is used and whether authentication is required.
This is where you can define general information about how RIP will operate on your server.
On this tab, Operation Mode refers to how RIP will update its tables. The two choices are
Auto-static Mode and Periodic Update Mode, which is the default. Auto-static Mode means
that an update will be triggered when another router requests an update, while Periodic
Update Mode means that the routing table will be updated at a defined interval (defined on
the Advanced tab).

The General tab also provides a place for you to define the incoming and outgoing protocol.
For outgoing packets, you can choose RIP1 broadcast, RIP2 broadcast, RIP2 multicast or
silent RIP. In silent mode, the system only listens for new RIP announcements but does not
make any itself. If your network uses consistent network masks throughout, you can use
RIP1, but I don’t recommend it unless you have devices that can only use RIP1. You can
also specify the route cost for this interface as well as a tag number for the routes on this
interface. Finally, a password can be specified to be used for RIP2 updates as a means of
identification.

Security: Choose whether to filter router advertisements. Because a routing protocol could
be used to advertise a route to a malicious computer, RIP could be used as part of a
man-in-the-middle attack. Therefore, you should restrict the advertised routes that will be
accepted whenever possible.

Neighbors: Allows you to manually list the neighbors that the computer will communicate
with.

Advanced: Configure announcement intervals and time-outs, as well as other infrequently
used settings such as split horizon and poison reverse, which are useful in preventing
routing loops.

Static Routing

You can view the IP routing table by using the Routing And Remote Access console or the
command prompt.

In the Routing And Remote Access console, expand the IP Routing node,
right-click the Static Routes node, and then click Show IP Routing Table.

To view the routing table from the command prompt, type route print and press Enter.

To add static routes

1. In Server Manager, right-click Roles\Network Policy and Access Services\Routing and
Remote Access\IPv4\Static Routes, and then choose New Static Route.

2. In the IPv4 Static Route dialog box, select the network interface that will be used to
forward traffic to the remote network.
In the Destination box, type the network ID of the destination network.
In the Network Mask box, type the subnet mask of the destination network.
In the Gateway box, type the IP address of the router that packets for the destination
network should be forwarded to.
Adjust the Metric only if you have multiple paths to the same destination network and want
the computer to prefer one gateway over the others; in this case, configure the preferred
routes with lower metrics.

If a computer needs to use different routers to communicate with different remote networks,
you need to configure static routing. For example, the client computer would have a default
gateway of 192.168.1.1 (because that leads to the Internet, where most IP address
destinations reside). However, an administrator would need to configure a static route for the
192.168.2.0/24 subnet that uses the gateway at 192.168.1.2.

Typically, you would do this configuration using the command-line tool Route.
For the example shown, you could allow it to access the 192.168.2.0/24 network by running:

route -p add 192.168.2.0 MASK 255.255.255.0 192.168.1.2

The general syntax is:

route add destination mask subnetmask gateway metric cost if interface

When using the Route Add command, the –p parameter makes a route persistent. If a route
is not persistent, it will be removed the next time you restart the computer.

Run Route Print at the command prompt and verify that the static route has been added.

Exam Tip: Know that a router’s IP address must always be on the same subnet as the
computer.
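
The static-route example above and the same-subnet rule from the Exam Tip, modelled in an added example that is not part of the original page. The client address 192.168.1.10/24 and the class and method names are assumptions made for illustration; route selection follows the usual longest-prefix rule, with the metric breaking ties.

```python
import ipaddress


class RouteTable:
    """Minimal model of a host's IPv4 routing table (illustrative names)."""

    def __init__(self, interface):
        # interface: the host's own address and prefix, e.g. "192.168.1.10/24"
        self.local = ipaddress.ip_interface(interface).network
        self.routes = []                      # (network, gateway, metric)

    def add(self, destination, mask, gateway, metric=1):
        """Model of: route add <destination> mask <mask> <gateway> metric <n>."""
        net = ipaddress.ip_network(f"{destination}/{mask}")  # rejects host bits
        gw = ipaddress.ip_address(gateway)
        if gw not in self.local:
            # The gateway must be reachable directly, i.e. on the host's subnet.
            raise ValueError(f"gateway {gw} is not on local subnet {self.local}")
        self.routes.append((net, gw, metric))

    def next_hop(self, target):
        """Longest prefix wins; a lower metric breaks ties between equal prefixes."""
        ip = ipaddress.ip_address(target)
        if ip in self.local:
            return "on-link"                  # delivered without a router
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None                       # no route to the destination
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return str(best[1])


TABLE = RouteTable("192.168.1.10/24")                     # constructed client
TABLE.add("0.0.0.0", "0.0.0.0", "192.168.1.1")            # default gateway
TABLE.add("192.168.2.0", "255.255.255.0", "192.168.1.2")  # the static route
print(TABLE.next_hop("192.168.2.50"), TABLE.next_hop("203.0.113.9"))
```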

Configuring Demand-Dial Routing

Routing and Remote Access also includes support for demand-dial routing (also known as
dial-on-demand routing). When the router receives a packet, the router can use demand-dial
routing to initiate a connection to a remote site. The connection becomes active only when
data is sent to the remote site. The link is disconnected when no data has been sent over
the link for a specified amount of time. Because demand-dial connections for low-traffic
situations can use existing dial-up telephone lines instead of leased lines, demand-dial
routing can significantly reduce connection costs.

The first step in deploying demand-dial routing is to configure a demand-dial interface on
each computer you wish to function as a demand-dial router.

You can configure these interfaces by using the Demand-Dial Interface Wizard when you
initially set up Routing and Remote Access or as an option after the Routing and Remote
Access service has already been configured and enabled.

If you have previously configured and enabled the Routing and Remote Access service
without demand-dial functionality, you must enable this functionality before you create any
demand-dial interfaces.

To enable demand-dial functionality

Select the LAN and Demand-Dial Routing option on the General tab of the Routing and
Remote Access Properties dialog box.

If you don’t have a DHCP server on your local network, you have to add a static address pool.
This could be the case if you have a stand-alone server at your provider.

DHCP Relay Agent

DHCP Relay Agent is a routing protocol that allows client computers to obtain an address
from a DHCP server on a remote subnet. Typically, DHCP clients broadcast DHCPDiscover
packets that are then received and answered by a DHCP server on the same subnet.
Because routers block broadcasts, DHCP clients and servers must normally be located on
the same physical subnet.

However, two methods can help you work around this limitation. First, if the routers
separating the DHCP server and clients are RFC 1542–compliant, the routers can be
configured for Boot Protocol (BOOTP) forwarding. Through BOOTP forwarding, routers
forward DHCP broadcasts between clients and servers and inform servers of the originating
subnet of the DHCP requests. This process allows DHCP servers to assign addresses to the
remote clients from the appropriate scope.

The second way to allow remote communication between DHCP servers and clients is to
configure a DHCP relay agent on the subnet containing the remote clients. DHCP relay
agents intercept DHCP Discover packets and forward them to a remote DHCP server whose
address has been preconfigured. Although DHCP Relay Agent is configured through Routing
and Remote Access, the computer hosting the agent does not need to be functioning as an
actual router between subnets.
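
What a relay agent changes in the request, and how the server then picks the scope, as an added example that is not part of the original page and is not RRAS code. The gateway-address (giaddr) and hops handling follow RFC 1542; the hop-count threshold of 4, the subnets and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

# First 28 bytes of a BOOTP/DHCP message:
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr
HDR = struct.Struct("!BBBBIHH4s4s4s4s")
BOOTREQUEST = 1


def make_discover(xid, hops=0):
    """Constructed client broadcast: giaddr is all zeros."""
    head = HDR.pack(BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                    bytes(4), bytes(4), bytes(4), bytes(4))
    return head + bytes(236 - HDR.size)       # chaddr/sname/file left empty


def relay(packet, receiving_ip, max_hops=4):
    """Return the message to unicast to the DHCP server, or None to discard."""
    if len(packet) < 236:
        return None
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = HDR.unpack_from(packet)
    if op != BOOTREQUEST or hops > min(max_hops, 16):
        return None                           # counted as "requests discarded"
    if gi == bytes(4):                        # only the first relay stamps giaddr
        gi = ipaddress.ip_address(receiving_ip).packed
    head = HDR.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi)
    return head + packet[HDR.size:]


def giaddr(packet):
    """Relay address recorded in the message, as dotted-quad text."""
    return str(ipaddress.ip_address(HDR.unpack_from(packet)[10]))


def pick_scope(packet, scopes):
    """Server side: choose the scope whose subnet contains giaddr."""
    origin = ipaddress.ip_address(giaddr(packet))
    for scope in scopes:
        if origin in ipaddress.ip_network(scope):
            return scope
    return None                               # no relay address, no match here


SCOPES = ["192.168.1.0/24", "192.168.2.0/24"]  # constructed two-subnet network
RELAYED = relay(make_discover(0x1234), "192.168.2.1")
print(giaddr(RELAYED), pick_scope(RELAYED, SCOPES))
```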

Exam Tip: Expect a topology question about DHCP Relay Agent and RFC 1542–compliant
routers on the exam.

Note: You cannot use the DHCP Relay Agent component on a computer running any of the
following: the DHCP service, the NAT routing protocol component with automatic addressing
enabled, or ICS.

Installing the DHCP Relay Agent

NOTE: DHCP Relay Agent cannot be installed on a server that is already running the DHCP
server.

1. Launch the Routing and Remote Access Service [RRAS] console.
2. Open IP Routing, right-click General, and select New Routing Protocol.
3. Select DHCP Relay Agent and click OK.

This will install the DHCP Relay Agent.


Add network interfaces to the DHCP Relay Agent.

This allows relaying DHCP broadcast messages from DHCP clients to DHCP servers on
different IP networks. Right-click the DHCP Relay Agent node and select New Interface...
Verify that the DHCP interface is configured to relay DHCP packets:
right-click the interface and select Properties.

Configure the Global DHCP Relay

This configuration is achieved through the DHCP Relay Agent Properties dialog box.
Enter the IP address of your DHCP server and click Add, then OK to save the settings.

Configure the DHCP Relay Agent to point to the address of at least one remote DHCP
server. (Use more than one DHCP server for fault tolerance.)

Verifying that DHCP Relay Agent Is Functioning

You can verify that the DHCP Relay Agent is functioning by using the Routing And Remote
Access console.
To do so, select the DHCP Relay Agent node and view the statistics in the details pane.
The details pane compiles requests received, replies received, requests discarded, and
replies discarded.
If this data reveals that both requests and replies have been received, the DHCP Relay
Agent is functioning.

You want to deploy one DHCP server on your network that consists of two subnets.
What are two methods that will enable you to achieve this task?

You can separate the two subnets with an RFC 1542–compatible router and enable BOOTP
forwarding, or you can configure a DHCP relay agent on the subnet that does not have the
DHCP server.
