Networking Forums

Disable dynamic route entries in Windows 2003?

 
 
MikeS@MLS
09-17-2008, 05:55 PM
How do I prevent Windows Server from accepting RIP/OSPF route broadcasts and
creating dynamic entries in the routing table?

I have an ISA server with two NICs, each in a separate VLAN. I am using it
to publish applications to the Internet; I want inbound Internet traffic to
hit one NIC (interface), and internal traffic to/from the app servers to go
through the other NIC (interface).

At first glance, it shouldn't be a problem - except for the fact that the
networking group set both VLANs up as "internal", i.e. they can "see" all
other internal networks, and traffic can go through either VLAN anywhere on
the network.

This is a problem for ISA server, because if it detects routes to the same
destination network through two different interfaces, it disables traffic to
that destination network. ISA picks up routes from the Windows routing
table, and since the network admins have RIP or OSPF turned on for those
VLANs, these multiple routes show up as routing broadcasts in both VLANs.

I don't know when (or if) I'll be able to convince the networking folks to
turn off RIP for "my" two VLANs, so I have to go about it another way -
finding a way to get Windows to ignore these RIP broadcasts, and then build
the entire routing table by hand using static routes.

Unfortunately, I can find NO information anywhere on how to do this; lots
of info on how to add static routes. I can delete routing table entries, but
they show up again when the next RIP broadcast occurs.

I know this isn't the optimal way of doing things, but it's the only option
open to me given the limited control I have over networking resources. Any
ideas?

Thanks in advance for any help or suggestions.

Mike

PS: Eventually, one of the VLANs will only have a single route to the
Internet DMZ proxy servers, and the other VLAN will have routes to every
other internal network EXCEPT FOR the Internet DMZ. When that happens, then
the RIP broadcasts won't advertise routes to the Internet DMZ in both VLANs,
and the issue will be moot. Again, though, I don't know when (or if) that
will happen.

Thanks again.
 
Phillip Windell
09-17-2008, 08:16 PM
Please read all the way to the end before replying. Things at the end can
affect things at the beginning.

"MikeS@MLS" <(E-Mail Removed)> wrote in message
news:F44A0757-3A99-4C4A-A2B6-(E-Mail Removed)...
> How do I prevent Windows Server from accepting RIP/OSPF route broadcasts
> and
> creating dynamic entries in the routing table?


You don't need to stop it from doing that.

> I have an ISA server with two NIC's, each in a separate VLAN.


VLANs are irrelevant, a subnet is a subnet, no matter how it happens. You
have two NICs. Internal -vs- External? What? The truth makes a
difference,...be specific

> I am using it
> to publish applications to the Internet; I want inbound Internet traffic
> to
> hit one NIC (interface), and internal traffic to/from the app servers to
> go
> through the other NIC (interface).


Be specific. What Applications? Doing what specifically? What Protocols?
Source coming from where? Destination being where?

> At first glance, it shouldn't be a problem - except for the fact that the
> networking group set both VLAN's up as "internal", i.e. they can "see" all
> other internal networks, and traffic can go through either VLAN anywhere
> on
> the network.
> This is a problem for ISA server, because if it detects routes to the same
> destination network through two different interfaces, it disables traffic
> to
> that destination network.


Then remove the second IP Range from the Internal Network Definition.
Create a new Network Definition that uses the other IP Range. If the two
subnets hit different NICs then they are not VLANs,...they may be VLANs
inside the Switch, but they would be Physical LANs between the Switch and
the ISA,...however if both subnets use the same patch cable and same NIC
then the NIC and its corresponding Driver needs to be VLAN Aware and can
separate the traffic correctly. Again, truth makes a difference,...so be
specific on the details

> ISA picks up routes from the Windows routing
> table, and since the network admins have RIP or OSPF turned on for those
> VLAN's, these multiple routes show up as routing broadcasts in both VLANs.


If you correctly configure the ISA machine with respect to the VLANs and the
LAN's virtual and physical topology,..the Dynamic Routes are perfectly fine.
If not then just uninstall the RIP and OSPF from the ISA box and use Static
Routes if they are needed.

> I know this isn't the optimal way of doing things, but it's the only
> option
> open to me given the limited control I have over networking resources.
> Any
> ideas?


Ok,...if you want the cleanest, simplest, most straight forward way of doing
this:

1. Forget VLANs with respect to the ISA.

2. Run 2 NICs in the ISA,...one on the Public Side (External) and one NIC on
the LAN Side (Internal). Configure the NIC for *ONE* subnet each. The ISA
will sit on only *one* LAN Segment and have the other NIC facing the
"External world".

3. Add all the LAN's IP Ranges to the Internal Network Definition. I mean
*all*,...VLANs are irrelevant,...an IP segment is an IP segment,..it does
not matter how it came to be.

4. If the Dynamic Routing works correctly at this point then leave it
alone,...but if not then uninstall the Routing Protocols from the ISA box
and add a Static Route from the command prompt on the ISA machine that tells
it what LAN Router to use to get to any other Subnets on the LAN.
Again VLANs are irrelevant,..a Subnet is a Subnet,..it still takes a LAN
Router to get there.

5. When all that works correctly, *then* we can discuss what other things
you are trying to do,...but it is a waste of time to do that if the
foundation is not in place.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------


 
MikeS@MLS
09-17-2008, 09:37 PM
Uh, thanks, I guess.....

Anyway, if I didn't explain it well enough the first time, the problem
IS with the VLANs, and how they're configured/managed by the network folks.

My ISA servers have two NICs: one in a VLAN that is an "internal" DMZ, and
one that connects to the local Internal network (lower-case "n").
Unfortunately for me, the two VLANs are hosted on the same Cisco Core switch,
and for all practical purposes are part of the same address space
(10.89.x.x). Furthermore, the network admins have set them both up as fully
routable to all other networks, subnets, or whatever it is you wish to call
them.

So, from the standpoint of ISA Server, there are two separate interfaces
(which, in ISA terms, means two Networks with a big "N"); one is the internal
Network, and one is the interface to the external Network. However, ISA
<N>etworks (and "networks behind networks") are supposed to represent
separate address spaces. That isn't the case (at least not right now), so
I'm trying to fake out ISA by modifying the routing tables in Windows (which
is how ISA ends up detecting multiple routes to the same destination through
different interfaces).

The network guys won't help me out in the short term by preventing the Cisco
switches from broadcasting routes into the two VLANs. And they haven't
(yet) modified the routing rules so that the route broadcasts don't
confuse ISA (i.e. the local DMZ VLAN can only route to the Internet VLAN, and
the "Internal" VLAN can NOT route to the Internet VLAN, so the routing
broadcasts are correct).

Therefore, all that's left is to try and find a way to prevent Windows from
accepting routing broadcasts from the local network devices so that I can
manage the routing tables manually. All the other stuff you mentioned is
important, but not pertinent to my original question....

....unless you can tell me how to prevent ISA from reading the local routing
tables and detecting (and barfing about) multiple routes through different
interfaces to the same destination?

Mike



 
Phillip Windell
09-18-2008, 04:14 PM
Ok, let me see if I can stay with this. I think you have some misconceptions
about a couple things and are wanting to get rid of the Dynamic Routing to
cover up what you think is happening, but I don't think that is the problem,
and is not the right way to adjust for it. If you have to forward my posts
to the networking people then forward my posts to the networking people.

Continuing on below....

"MikeS@MLS" <(E-Mail Removed)> wrote in message
news:D25F222B-9939-4D20-BA04-(E-Mail Removed)...
> My ISA servers have two NIC's: one in a VLAN that is an "internal" DMZ,
> and
> one that connects to the local Internal network (lower-case "n").


That is fine. The DMZ may be "internal" to you in your mind,...but to the
ISA (as you have it with two nics) the DMZ is going to be External. You can
change the Network relationship to "routed" instead of "NATed" if you feel
you need to but it is still going to be the External network to the ISA.

> Unfortunately for me, the two VLANs are hosted on the same Cisco Core
> switch,


That is always true. It is true here at our place, I don't see any way it
could not be true, so there is nothing unusual about that. But unless the
VLANs are "repeated" in the configuration of other Switches, then the VLANs
exist *only within* the Core Switch,...once the patch cable physically
leaves the switch port it is just a Physical LAN/Segment, not a VLAN. You
cannot run two VLANs over the same physical cable unless the receiving
Switch at the other end of the cable has the same VLAN Configuration
"repeated" within it,..or the PC on the end of the cable has a NIC/NIC
Drivers that can properly deal with that particular Vendor's Frame Tagging
Implementation. So for the most part, VLANs only exist within the Switch
Fabric of a single Core Switch or they exist across the Switch
Fabric/Backbone of a group of Switches that have the VLAN configuration
repeated within them.

So, I really don't think the VLAN element really plays into this quite like
you think it is.

Anyway, lets keep moving...

> and for all practical purposes are part of the same address space
> (10.89.x.x).


An "address space" and a subnet are effectively the same thing. The VLAN
represents an "address space", aka - a subnet, so it is not possible for
multiple VLANs to be in the same "address space".

> <N>etworks (and "networks behind networks) are supposed to represent
> separate address spaces.


The ISA's definition of a "Network" is all the addresses that are reachable
from a particular NIC no matter how many "hops" away they are, no matter what
the subnet break down is.

> That isn't the case (at least not right now), so
> I'm trying to fake out ISA by modifying the routing tables in Windows
> (which
> is how ISA ends up detecting multiple routes to the same destination
> through
> different interfaces).


The LAN obviously has multiple subnets (that's what the VLANs
are),...therefore you have a LAN Router *somewhere* that is directly
reachable by the ISA. In our LAN that device is what you called the "Core
Switch" but it may not be in yours. This is the Router that ISA must use to
acknowledge all the other subnet/VLANs.

If the Dynamic Routing provides correct routes for that,...and I believe it
*will* if you design your ISA deployment as I have described, then there are
no static routes to create and it will work fine.

> Therefore, all that's left is to try and find a way to prevent Windows
> from
> accepting routing broadcasts from the local network devices so that I can
> manage the routing tables manually. All the other stuff you mentioned is
> important, but not pertinent to my original question....


Windows does not naturally on its own accept dynamic routing
broadcasts,...it wouldn't know what to do with them if it tripped over
them,...just like it would not know what to do with an IP# if you
uninstalled TCP/IP from the OS. Dynamic Routing requires Dynamic Routing
Protocols to be installed in order to accept and interpret the Dynamic
Routing Updates. Uninstall the Dynamic Routing Protocols (RIP, OSPF, IGRP,
GRP, etc.) and the Dynamic Routing disappears.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
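The condition the thread keeps circling back to is concrete enough to check mechanically: ISA refuses to route to any destination network that the Windows routing table lists behind two different local interfaces, and once a dynamically learned route has been deleted it is only gone until the next update re-adds it. The script below is an added example, not code from either poster: it parses the IPv4 section of Windows Server 2003 `route print` output, reports every network reachable through more than one interface, and prints the `route delete` / `route add -p` pair that would pin each such network to the interface you choose. The sample table, the interface addresses (10.89.1.10 on the DMZ-side NIC, 10.89.2.10 on the internal NIC) and the next-hop routers are constructed for the example; the thread gives only the 10.89.x.x prefix.

```python
"""Flag routing-table entries that ISA Server would reject (same destination
network reachable through two different local interfaces) and print the
static-route commands that would replace them.

Added example, not from the thread. The table below is a constructed sample
in the layout of Windows Server 2003 `route print`; the interface addresses
and next-hop routers are assumptions, not values from the original posts.
"""
import re
from collections import defaultdict

# Constructed sample: what `route print` looks like after a RIP update has
# added a second path to 10.89.50.0/24 through the DMZ-side NIC (10.89.1.10).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.89.1.1      10.89.1.10     20
        10.89.1.0    255.255.255.0      10.89.1.10      10.89.1.10     20
       10.89.1.10  255.255.255.255       127.0.0.1       127.0.0.1     20
        10.89.2.0    255.255.255.0      10.89.2.10      10.89.2.10     20
       10.89.2.10  255.255.255.255       127.0.0.1       127.0.0.1     20
       10.89.50.0    255.255.255.0       10.89.2.1      10.89.2.10      2
       10.89.50.0    255.255.255.0       10.89.1.1      10.89.1.10      3
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
  255.255.255.255  255.255.255.255      10.89.1.10      10.89.1.10      1
Default Gateway:         10.89.1.1
===========================================================================
"""

# One route line: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples for
    every route line; headers, separators and 'Default Gateway' are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def multipath_destinations(routes):
    """Map (destination, netmask) -> sorted interfaces for every network that
    is reachable through more than one local interface. This is the state the
    thread describes ISA refusing to route to."""
    by_net = defaultdict(set)
    for dest, mask, gw, iface, metric in routes:
        if iface == "127.0.0.1":  # loopback host routes are not real paths
            continue
        by_net[(dest, mask)].add(iface)
    return {net: sorted(ifs) for net, ifs in by_net.items() if len(ifs) > 1}


def static_route_commands(routes, keep_iface):
    """For each multipath destination, emit `route delete` for the network and
    a persistent (-p) `route add` pinning it to the gateway already used on
    keep_iface. Persistent routes survive reboot, but as the thread notes a
    routing protocol left running on the box can re-learn the other path."""
    cmds = []
    for (dest, mask), ifaces in sorted(multipath_destinations(routes).items()):
        keep = [r for r in routes
                if r[0] == dest and r[1] == mask and r[3] == keep_iface]
        if not keep:
            continue  # the wanted interface has no path to pin
        gw = keep[0][2]
        cmds.append(f"route delete {dest} mask {mask}")
        cmds.append(f"route add -p {dest} mask {mask} {gw} metric 1")
    return cmds


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_PRINT)
    for (dest, mask), ifaces in multipath_destinations(table).items():
        print(f"{dest}/{mask} reachable via {', '.join(ifaces)}")
    for cmd in static_route_commands(table, keep_iface="10.89.2.10"):
        print(cmd)
```

On a real box you would feed it the live output (`route print > routes.txt` on the ISA host, then `parse_routes(open("routes.txt").read())`) rather than the constructed sample. The delete-then-add pair only holds if nothing on the host is still listening for routing updates; the check is worth re-running a few minutes after applying the static routes to confirm the second path has not reappeared.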


 