Designing a TCP/IP Network
- Laureen Perry
- 9 years ago
Chapter 1

The TCP/IP protocol suite defines industry standard networking protocols for data networks, including the Internet. Determining the best design and implementation of your TCP/IP network ensures optimal reliability, availability, scalability, security, and performance for your enterprise. You can also start to explore the next generation of the Internet layer protocol of the TCP/IP protocol suite, IP version 6 (IPv6), by introducing Microsoft Windows Server 2003 IPv6 into part of your IPv4 network.

In This Chapter

- Overview of Designing a TCP/IP Network
- Planning the IP-Based Infrastructure
- Developing Routing Strategies
- Designing an IP Addressing Scheme
- Planning an IP Configuration Strategy
- Planning Security
- Improving Availability
- Planning IP Multicasting
- Introducing IPv6 on Your Network
- Testing Your Design
- Additional Resources

Related Information

- For more information about IP configuration strategies using Dynamic Host Configuration Protocol (DHCP), see "Deploying DHCP" in this book.
- For more information about using Domain Name System (DNS) for name resolution, see "Deploying DNS" in this book.
- For more information about using Windows Internet Name Service (WINS) for name resolution in networks that support clients running Microsoft Windows NT, see "Deploying WINS" in this book.
Overview of Designing a TCP/IP Network

Designing your IP deployment includes deciding how you want to implement IP in a new environment, or, for most organizations, examining your existing infrastructure and deciding what to change. Windows Server 2003 TCP/IP, the most widely used networking protocol, can connect different types of systems, provide a framework for client/server applications, and give users access to the Internet. TCP/IP is included in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition operating systems.

Before you start the TCP/IP design process, inventory your hardware and software and create or update a map of your network topology. Preparing an inventory and network map can save time and help you focus on the design decisions you want to address. After you review your existing network, you might upgrade several servers to Windows Server 2003 in order to take advantage of end-to-end support for TCP/IP, or you might decide to redesign your entire network to improve its efficiency and prepare for the future of IP networking. Determine which design tasks are relevant to your environment, and then decide what changes you want to make to your network. For more information about creating a hardware and software inventory and a network topology map, see "Planning for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit.

To start the TCP/IP design process, you must make a number of design decisions about your network infrastructure. For enterprise-wide scalability, you might decide to plan your IP infrastructure based on a hierarchical network design model. You must also choose between hardware and software-based routers, and decide where to use static routing or dynamic routing protocols.
You must carefully design a structured model for IP address assignment that fits your current networking environment and that accommodates expected growth. Your model can use either public or private addresses, or you can use a combination of public and private addresses. In addition, consider security issues for an IP network, including where best to use Internet Protocol security (IPSec) and which options are appropriate for securing your perimeter network. For higher availability and load balancing, you can include redundancy in your network design. Decide whether you need to use technology enhancements such as IP multicast to optimize server workload and network bandwidth. You might start deploying IPv6 on certain network servers or clients, and, if so, decide how you want to implement IPv6/IPv4 coexistence.

After you develop your network design, you can use the remaining chapters in this book as a guide for deploying core features, such as DHCP, DNS, and WINS, as well as optional technologies, such as support for mobile or home users, connecting remote sites, or deploying wireless solutions.
Process for Designing a TCP/IP Network

Figure 1.1 shows the design stages involved in deploying TCP/IP. Although the figure lists the stages sequentially, you must consider each topic in relation to the others rather than as a linear step-by-step process.

Figure 1.1 Designing a TCP/IP Network (flowchart of design stages: Plan the IP-based infrastructure; Develop routing strategies; Design IP addressing scheme; Plan IP configuration strategy; Plan security; Improve availability; Plan IP multicasting; Introduce IPv6 on your network; Test your design)
Windows Server 2003 TCP/IP Background

Windows Server 2003 TCP/IP enables enterprise networking and connectivity on computers running Windows Server 2003, Microsoft Windows XP, Windows 2000, Windows NT, Windows Millennium Edition, Windows 98, and Windows 95.

Benefits of Windows Server 2003 TCP/IP

Using TCP/IP in a Windows Server 2003 configuration offers the following advantages:

- Enables the most widely used network protocol. Windows Server 2003 TCP/IP is a complete, standards-based implementation of the most widely accepted networking protocol in the world. IP is routable, scalable, and efficient. IP forms the basis for the Internet, and it is also used as the primary network technology on most major enterprise networks in production today. You can configure computers running Windows Server 2003 with TCP/IP to perform nearly any role that a networked computer requires.
- Connects dissimilar systems. Although all modern networking operating systems offer TCP/IP support, Windows Server 2003 TCP/IP provides the best platform for connecting Windows-based systems to earlier Windows systems and to non-Windows systems. Most standard connectivity utilities are available in Windows Server 2003 TCP/IP, including the File Transfer Protocol (FTP) program, the Line Printer (LPR) program, and Telnet, a terminal emulation protocol.
- Provides client/server framework. Windows Server 2003 TCP/IP provides a cross-platform client/server framework that is robust, scalable, and secure. Windows Server 2003 TCP/IP offers the Windows Sockets programming interface, which is ideal for developing client/server applications that can run on Windows Sockets-compliant TCP/IP protocol implementations from other vendors.
- Provides access to the Internet. Windows Server 2003 TCP/IP can provide users with a method of gaining access to the Internet.
A computer running Windows Server 2003 can be configured to serve as an Internet Web site, it can function in a variety of other roles as an Internet client or server, and it can use nearly all of the Internet-related software available today.
Planning the IP-Based Infrastructure

To create or expand an enterprise network, you can choose from many design models, including a network infrastructure model based on the three-tier design model. This model, a hierarchical network design model described by Cisco Systems, Inc. and other networking vendors, is widely used as a reference in the design of enterprise networks.

Figure 1.2 shows the tasks involved in creating a three-tier TCP/IP infrastructure.

Figure 1.2 Planning the IP-Based Infrastructure (flowchart: the Plan IP-based infrastructure stage, with the tasks Design access tier, Design distribution tier, and Design core tier)
The modular nature of a hierarchical model such as the three-tier model can simplify deployment, capacity planning, and troubleshooting in a large internetwork. In this design model, the tiers represent the logical layers of functionality within the network. In some cases, network devices serve only one function; in other cases, the same device may function within two or more tiers.

The three tiers of this hierarchical model are referred to as the core, distribution, and access tiers. Figure 1.3 illustrates the relationship between network devices operating within each tier.

Figure 1.3 Three-Tier Network Design Model (Core Tier: high-speed switching; Distribution Tier: policy-based connectivity; Access Tier: local and remote workgroup access)

Designing the Access Tier

The access tier is the layer in which users connect to the rest of the network, including individual workstations and workgroup servers. The access tier usually includes a relatively large number of low- to medium-speed access ports, whereas the distribution and core tiers usually contain fewer, but higher-speed network ports. Design the access tier with efficiency and economy in mind, and balance the number and types of access ports to keep the volume of access requests within the capacity of the higher layers.
Designing the Distribution Tier

The distribution tier distributes network traffic between related access layers, and separates the locally destined traffic from the network traffic destined for other tiers through the core. Network security and access control policies are often implemented within this tier. Network devices in this layer can incorporate technologies such as firewalls and address translators.

The distribution tier is often the layer in which you define subnets; through the definition of subnets, distribution devices often function as routers. Decisions about routing methods and routing protocols affect the scalability and performance of the network in this tier.

A server network in the distribution layer might house critical network services and centralized application servers. Computers running Windows Server 2003 can be used there to run the Active Directory directory service, DNS, DHCP, and other core infrastructure services.

Designing the Core Tier

The core tier facilitates the efficient transfer of data between interconnected distribution tiers. The core tier typically functions as the high-speed backbone of the enterprise network. This tier can include one or more building-wide or campus-wide backbone local area networks (LANs), metropolitan area network (MAN) backbones, and high-speed regional wide area network (WAN) backbones.

The primary design goal for the core is reliable, high-speed network performance. As a general rule, locate any feature that might affect the reliability or performance of this tier in an access or distribution tier instead. Select highly reliable network equipment for the core tier, and design a fault-tolerant core system whenever possible. Many products meet these criteria, and most major network vendors offer complete solutions to meet the requirements of the core tier.

For more information about designing a three-tier network model, see "Additional Resources" later in this chapter.
Developing Routing Strategies

After planning your network infrastructure based on your design model, plan how to implement routing. Figure 1.4 shows the tasks involved in developing a unicast routing strategy. For information about IP multicast routing, see "Planning IP Multicasting" later in this chapter.

Figure 1.4 Developing a Routing Strategy (flowchart: the Develop routing strategies stage, with the tasks Choose hardware or software routing and Choose static or dynamic routing)
To plan an effective routing solution for your environment, you must understand the differences between hardware routers and software routers; static routing and dynamic routing; and distance vector routing protocols and link state routing protocols.

Choosing Hardware or Software Routing

A router is a device that holds information about the state of its own network interfaces and contains a list of possible sources and destinations for network traffic. The router directs incoming and outgoing packets based on that information. By projecting network traffic and routing needs based on the number and types of hardware devices and applications used in your environment, you can better decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers are sufficient to handle lighter routing loads.

A software-based routing solution, such as the Windows Server 2003 Routing and Remote Access service, can be ideal on a small, segmented network with relatively light traffic between subnets. Conversely, enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network.

Choosing Static or Dynamic Routing

Routing can be either static or dynamic, depending on how routing information is generated and maintained:

- In static routing, routing information is entered manually by an administrator and remains constant throughout the router's operation.
- In dynamic routing, a router is configured to automatically generate routing information and share the information with neighboring routers.

You must decide where best to implement each type of routing.
Static Routing

In static routing, a network administrator enters static routes in the routing table manually by indicating:

- The network ID, consisting of a destination IP address and a subnet mask.
- The IP address of a neighboring router (the next hop).
- The router interface through which to forward the packets to the destination.
Static routing has significant drawbacks. Because a network administrator defines a static route, errors are more likely than with a dynamically assigned route. A simple typographical error can create chaos on the network. An even greater problem is the inability of a static route to adapt to topology changes. When the topology changes, the administrator might have to make changes to the routing tables on every static router. This does not scale well on a large internetwork.

However, static routing can be effective when used in combination with dynamic routing. Instead of using static routing exclusively, you can use a static route as the redundant backup for a dynamically configured route. In addition, you might use dynamic routing for most paths but configure a few static paths where you want the network traffic to follow a particular route. For example, you might configure routers to force traffic over a given path to a high-bandwidth link.

Dynamic Routing Protocols

Conceptually, the dynamic routing method has two parts: the routing protocol that is used between neighboring routers to convey information about their network environment, and the routing algorithm that determines paths through that network. The protocol defines the method used to share the information externally, whereas the algorithm is the method used to process the information internally.

The routing tables on dynamic routers are updated automatically based on the exchange of routing information with other routers. The most common dynamic routing protocols are:

- Distance vector routing protocols
- Link state routing protocols

Understanding how these protocols work enables you to choose the type of dynamic routing that best suits your network needs.

Distance Vector Routing Protocols

A distance vector routing protocol advertises the number of hops to a network destination (the distance) and the direction in which a packet can reach a network destination (the vector).
The distance vector algorithm, also known as the Bellman-Ford algorithm, enables a router to pass route updates to its neighbors at regularly scheduled intervals. Each neighbor then adds its own distance value and forwards the routing information on to its immediate neighbors. The result of this process is a table containing the cumulative distance to each network destination.

Distance vector routing protocols, the earliest dynamic routing protocols, are an improvement over static routing, but have some limitations. When the topology of the internetwork changes, distance vector routing protocols can take several minutes to detect the change and make the appropriate corrections.
One advantage of distance vector routing protocols is simplicity. Distance vector routing protocols are easy to configure and administer. They are well suited for small networks with relatively low performance requirements.

Most distance vector routing protocols use a hop count as a routing metric. A routing metric is a number associated with a route that a router uses to select the best of several matching routes in the IP routing table. The hop count is the number of routers that a packet must cross to reach a destination.

Routing Information Protocol (RIP) is the best known and most widely used of the distance vector routing protocols. RIP version 1 (RIP v1), which is now outmoded, was the first routing protocol accepted as a standard for TCP/IP. RIP version 2 (RIP v2) provides authentication support, multicast announcing, and better support for classless networks. The Windows Server 2003 Routing and Remote Access service supports both RIP v1 and RIP v2 (for IPv4 only).

Using RIP, the maximum hop count from the first router to the destination is 15. Any destination greater than 15 hops away is considered unreachable. This limits the diameter of a RIP internetwork to 15. However, if you place your routers in a hierarchical structure, 15 hops can cover a large number of destinations.

Link State Routing Protocols

Link state routing protocols address some of the limitations of distance vector routing protocols. For example, link state routing protocols provide faster convergence than do distance vector routing protocols. Convergence is the process by which routers update routing tables after a change in network topology; the change is replicated to all routers that need to know about it. Although link state routing protocols are more reliable and require less bandwidth than do distance vector routing protocols, they are also more complex, more memory-intensive, and place a greater load on the CPU.
Unlike distance vector routing protocols, which broadcast updates to all routers at regularly scheduled intervals, link state routing protocols provide updates only when a network link changes state. When such an event occurs, a notification in the form of a link state advertisement is sent throughout the network.
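The periodic distance vector exchange and RIP's 15-hop limit described above can be simulated directly. This is an added example, not code from the original chapter; the router names, the line and tree topologies, and the rule that the attached router advertises its network with metric 1 are assumptions of the model.

```python
"""Added example: synchronous distance-vector exchange with RIP's hop limit."""

RIP_INFINITY = 16        # RIP metric meaning "unreachable"; 15 is the largest usable metric
UPDATE_INTERVAL_S = 30   # RIP's default periodic update timer, in seconds


def build_chain(count):
    """Constructed topology: routers R0..R(count-1) joined in a single line."""
    names = [f"R{i}" for i in range(count)]
    links = {name: set() for name in names}
    for left, right in zip(names, names[1:]):
        links[left].add(right)
        links[right].add(left)
    return links


def build_tree(fanout, depth):
    """Constructed hierarchical topology: R0 is the root, each router has `fanout` children."""
    links = {"R0": set()}
    level, next_id = ["R0"], 1
    for _ in range(depth):
        new_level = []
        for parent in level:
            for _ in range(fanout):
                child = f"R{next_id}"
                next_id += 1
                links[child] = {parent}
                links[parent].add(child)
                new_level.append(child)
        level = new_level
    return links


def converge(links, attached_router):
    """Exchange periodic updates until no routing table changes.

    Model assumption: the router attached to the destination network
    advertises it with metric 1, and every router that learns the route
    adds 1 before installing it. Returns (metrics, rounds).
    """
    metric = {router: RIP_INFINITY for router in links}
    metric[attached_router] = 1
    rounds = 0
    while True:
        advertised = dict(metric)  # what every router sends in this round
        changed = False
        for router, neighbors in links.items():
            for neighbor in neighbors:
                candidate = min(advertised[neighbor] + 1, RIP_INFINITY)
                if candidate < metric[router]:
                    metric[router] = candidate
                    changed = True
        if not changed:
            return metric, rounds
        rounds += 1


def reachable(metric):
    """Routers that hold a usable route (metric below RIP_INFINITY)."""
    return sorted((r for r, m in metric.items() if m < RIP_INFINITY),
                  key=lambda name: int(name[1:]))


if __name__ == "__main__":
    chain_metrics, chain_rounds = converge(build_chain(18), "R0")
    print("line of 18 routers:", len(reachable(chain_metrics)), "can reach the network;",
          "convergence took", chain_rounds * UPDATE_INTERVAL_S, "seconds")
    tree_metrics, _ = converge(build_tree(3, 4), "R120")
    print("tree of", len(tree_metrics), "routers: worst metric", max(tree_metrics.values()))
```

In the line topology only the first 15 routers learn a usable route, and the last of them learns it after 14 update rounds; the 121-router tree never exceeds metric 9.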
The Windows Server 2003 Routing and Remote Access service supports the Open Shortest Path First (OSPF) protocol, the best known and most widely used link state routing protocol. OSPF is an open standard developed by the Internet Engineering Task Force (IETF) as an alternative to RIP.

OSPF compiles a complete topological database of the internetwork. The shortest path first (SPF) algorithm, also known as the Dijkstra algorithm, is used to compute the least-cost path to each destination. Whereas RIP calculates cost on the basis of hop count only, OSPF can calculate cost on the basis of metrics such as link speed and reliability in addition to hop count. Unlike RIP, OSPF can support an internetwork diameter of 65,535 (assuming that each link is assigned a cost of 1). OSPF transmits multicast frames, reducing CPU usage on a LAN. You can hierarchically subdivide OSPF networks into areas, reducing router memory overhead and CPU overhead.

Like RIP v2, OSPF supports variable length subnet masks (VLSM) and noncontiguous subnets. For information about variable length subnet masks and noncontiguous subnets, see "Designing a Structured Address Assignment Model" later in this chapter.

Selecting the Appropriate Routing Protocol

Select a routing protocol based on the following considerations:

- For a small, simple network that is not expected to grow, use a simpler distance vector routing protocol like RIP v2.
- For a large, complex internetwork, use a newer, more sophisticated link state routing protocol like OSPF.
- Use RIP v2 or OSPF if you need to support variable length subnet masks. Although the outdated RIP v1 is still widely used in private networks, it does not support VLSM and thus is not well suited for enterprise networks. For more information about VLSM, see "Planning Variable Length Subnet Masks" later in this chapter.

Designing an IP Addressing Scheme

Before assigning addresses, design an IP addressing scheme that meets the requirements of your networking infrastructure.
Figure 1.5 shows the tasks involved in designing your IP addressing system, including planning your address assignment model, address allocation, and public or private addressing. Most organizations choose to use classless IP addressing, classless IP routing protocols, and route summarization.
Figure 1.5 Designing an IP Addressing Scheme (flowchart: the Design IP addressing scheme stage, with the tasks Create structured address assignment model, Choose address allocation method, and Choose public or private addresses)

For information about IP multicast addressing, see "Planning IP Multicasting" later in this chapter.
Creating a Structured Address Assignment Model

You can ease the burden of enterprise internetwork administration by designing a structured address assignment model. A structured address assignment model makes troubleshooting easier and more systematic and helps you interpret network maps and locate specific devices. It also simplifies the use of network management software.

For enterprise scalability, assign address blocks hierarchically. The structured address assignment model reflects more than just hierarchical concerns. To maximize network stability and scalability, assign a block of addresses based on a physical network rather than on membership within a department or team, to avoid complications when you move a workstation to a new location. For more information about address allocation as it relates to your IP addressing scheme, see "Choosing an Address Allocation Method" later in this chapter.

As a general rule, assign static addresses to routers and servers, and assign dynamic addresses to workstations. This scheme minimizes manual addressing, reducing the chances of address duplication and stabilizing the network's addressing structure. You can assign meaningful numbers when using static addresses; for example, reserve host addresses in the low or high portion of the range, and manually assign these addresses to routers or servers.

To design a structured model for assigning addresses:

- Plan classless IP addressing.
- Plan classless routing.
- Use route summarization.
- Plan variable length subnet masks (VLSM).
- Plan supernetting and classless interdomain routing (CIDR).

Planning Classless IP Addressing

Classless IP addressing makes traditional classful IP addressing methods (restricted to the standard IP address classes in their default formats) out of date for enterprise networks. Of the five address classes, Class A, B, and C addresses, collectively known as IPv4 unicast addresses, are assigned to specific devices on an IPv4 network.
Class D addresses, known as multicast addresses, are used for IP multicasting (simultaneously sending a message to more than one network destination). Class E addresses are reserved for experimental purposes.
To be able to use subnetting or supernetting, you must first understand the default formats of the unicast addresses. Unicast addresses have the following formats:

- All 32-bit IPv4 addresses contain four octets of 8 bits each, often represented as four decimal numbers separated by dots (known as dotted decimal notation).
- In Class A addresses, the first byte, or octet, represents the network ID, and the three remaining bytes are used for node addresses.
- In Class B addresses, the first 2 bytes represent the network ID, and the last 2 bytes are used for nodes.
- In Class C addresses, the first 3 bytes are used for the network ID, and the final byte is used for nodes.

Without some means of subdividing class-designated networks, all available IP addresses would have been depleted long ago. Classless IP addressing, which allows subnetting, was developed to handle this problem.

Determining the Number of Subnets and Hosts

To better use the address space, instead of using the unicast addresses in their default formats, you can use subnet addressing, which lets you borrow additional bits from the host part of the address to divide the network into subnets.

In subnetting, the subnet mask consists of the octets assigned to the network plus the bits added for the subnet. You can use subnet mask notation to indicate these leftmost contiguous bits. For example, for a Class B address, which has a default subnet mask of , you might allocate an additional 8 bits for subnets. That is, for a Class B address such as , you can use the following subnet mask, shown in both decimal and binary notation.

Subnet Mask in Decimal Notation    Subnet Mask in Binary Notation

By using 8 host bits for subnetting, you obtain 256 (that is, 2^8) subnetted network IDs (subnets), supporting as many as 254 hosts per subnet. The number of hosts per subnet is 254 because 8 bits (2^8 minus 2) are reserved for the host ID. You subtract 2 because subnetting rules exclude the host IDs consisting of all ones or all zeros.
An alternative to subnet mask notation is the network prefix length notation. A network prefix is shorthand for a subnet mask, expressing the number of high-order bits that constitute the subnetted network ID portion of the address in the format <IP address>/<# of bits>, where # of bits defines the network/subnet part of the IP address, and the remaining bits represent the host ID portion of the address.
The following is the network prefix length notation for the Class B address in the previous example: /24

The bit notation /24 refers to the number of high-order bits set to 1 in the binary notation for the subnet mask, leaving 8 bits for hosts (the eight bits set to 0).

Note: IPv6 supports only network prefix length notation. It does not support dotted decimal subnet masks. For more information about IPv6, see "Introducing IPv6 on Your Network" later in this chapter.

By contrast, if you anticipate needing only 32 subnets rather than 256, each of the 32 subnets can support as many as 2,046 hosts (2^11 minus 2). That subnet mask has the following decimal and binary notations.

Subnet Mask in Decimal Notation    Subnet Mask in Binary Notation

The following network prefix length notation indicates the 21 bits needed to create as many as 32 subnets: /21. Again, /21 indicates the number of high-order bits set to 1 in binary notation, leaving 11 bits (the 11 zeros) for the host ID portion of the address.

To determine the appropriate number of subnets versus hosts for your organization's network, consider the following:

- More subnets. Allocating more host bits for subnetting supports more subnets but fewer hosts per subnet.
- More hosts. Allocating fewer host bits for subnetting supports more hosts per subnet, but limits the growth in the number of subnets.

For an introduction to TCP/IP, including information about subnetting, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at ).

Planning Classless Routing

Organizations today typically implement classless routing solutions. With classful routing protocols, IP hosts and routers recognize only the network address designated by the standard address classes. An IP host device or a router using a classful protocol such as RIP v1 cannot recognize subnets.
Classless routing protocols extend the standard Class A, B, or C IP addressing scheme by using a subnet mask or mask length to indicate how routers must interpret an IP network ID. Classless routing protocols include the subnet mask along with the IP address when advertising routing information. Subnet masks representing the network ID are not restricted to those defined by the address classes, but can contain a variable number of high-order bits. Such subnet mask flexibility enables you to group several networks as a single entry in a routing table, significantly reducing routing overhead. In addition to RIP v2 and OSPF, described earlier, classless routing protocols include Border Gateway Protocol version 4 (BGP4) and Intermediate System to Intermediate System (IS-IS).

If your network contains routers that support only RIP v1 and you want to upgrade from classful to classless routing, upgrade the RIP v1 routers to support RIP v2 or use another protocol such as OSPF. For example, you might use VLSM to implement subnets of different sizes or CIDR to implement supernetting. (VLSM and CIDR are described later in this chapter.)

Planning Classless Noncontiguous Subnets

One reason that classful routing is out of date is that classful routing protocols cannot reliably handle noncontiguous subnets of a subnetted class-based network ID. As mentioned earlier, classful routing protocols recognize only those networks indicated by an address class. Because classful protocols do not transmit subnet mask or prefix length information, noncontiguous subnets, when summarized by a classful routing protocol, can have the same class-based network ID.

Noncontiguous subnets with classful routing

Noncontiguous subnets occur when another network with a different network ID separates subnets of a classful network. For example, the two routers in Figure 1.6 separate two subnets that each use the base prefix /8, which is a Class A private network. A segment of another class-based network connects the two routers.
(For more information about private addresses, see "Choosing Public or Private Addresses" later in this chapter.)

Figure 1.6 Classful Routing Not Appropriate for Noncontiguous Subnets
Each router in Figure 1.6 must use a subnet mask to look up a match in the routing table. Because a classful address, by definition, has only its class-based default subnet mask, the router uses the network mask that corresponds to the class of the subnet ID when advertising the route for the subnet.

With classful routing, each of the routers in Figure 1.6 summarizes and advertises the class-based network ID of /8, resulting in two routes to /8, each of which might have a different metric. Therefore, a packet meant for one subnet could be incorrectly routed to the other subnet. In the figure, the arrows represent the routes advertised by the routers.

Noncontiguous subnets with classless routing

Figure 1.7 also shows an unrelated network connecting two noncontiguous subnets. In this example, using classless routing, the locations on the noncontiguous subnets are unambiguous because the classless protocol includes a subnet mask when advertising the route. Routers in the intermediate network can distinguish between the two noncontiguous subnets.

Figure 1.7 Classless Routing Appropriate for Noncontiguous Subnets

Using Route Summarization

With route summarization, or aggregation, in a hierarchical routing infrastructure, one route in a routing table represents many routes. A routing table entry for the highest level (the network) is also the route used for subnets and sub-subnets.

In contrast, in a flat routing infrastructure, the routing table on every router in the network contains an entry for each network segment. When you use flat routing, the network IDs have no network/subnet structure and cannot be summarized. RIP-based Internet Packet Exchange (IPX) internetworks use flat network addressing and have a flat routing infrastructure.

Using route summarization, you can contain topology changes occurring in one area of the network within that area.
Route summarization simplifies routing tables and reduces the exchange of routing information, but it requires more planning than does a flat routing infrastructure.
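The noncontiguous-subnet problem and the route summarization described above, as an added example that is not part of the original chapter: it builds the intermediate router's table from classful, classless, and summarized advertisements and looks up the same destination in each. The router names and the 10.x subnets are constructed for illustration.

```python
"""Added example: classful versus classless and summarized route advertisement."""
import ipaddress

# Constructed addressing: two routers own noncontiguous subnets of the same
# Class A private network and are separated by an unrelated internetwork.
ROUTER_SUBNETS = {
    "RouterA": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "RouterB": ["10.2.0.0/24", "10.2.1.0/24"],
}


def classful_network(subnet):
    """Class-based network ID that a classful protocol advertises for a subnet."""
    net = ipaddress.ip_network(subnet)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefix = 8       # Class A
    elif first_octet < 192:
        prefix = 16      # Class B
    elif first_octet < 224:
        prefix = 24      # Class C
    else:
        raise ValueError(f"{subnet} is not a Class A, B, or C unicast address")
    return net.supernet(new_prefix=prefix)


def advertisements(mode):
    """Routes received by the intermediate router as (prefix, advertising router)."""
    routes = []
    for router, subnets in ROUTER_SUBNETS.items():
        nets = [ipaddress.ip_network(s) for s in subnets]
        if mode == "classful":
            # No mask is sent, so every subnet collapses to its class-based ID.
            prefixes = {classful_network(s) for s in subnets}
        elif mode == "classless":
            prefixes = nets
        elif mode == "summarized":
            # Subnets that share high-order bits merge into one aggregate route.
            prefixes = ipaddress.collapse_addresses(nets)
        else:
            raise ValueError(f"unknown mode: {mode}")
        routes.extend((prefix, router) for prefix in prefixes)
    return routes


def table_for(mode):
    """Routing table of the intermediate router: prefix -> set of next hops."""
    table = {}
    for prefix, router in advertisements(mode):
        table.setdefault(prefix, set()).add(router)
    return table


def next_hops(table, address):
    """Longest-prefix match. More than one next hop means the route is ambiguous."""
    addr = ipaddress.ip_address(address)
    matches = [prefix for prefix in table if addr in prefix]
    if not matches:
        return set()
    return table[max(matches, key=lambda prefix: prefix.prefixlen)]


if __name__ == "__main__":
    for mode in ("classful", "classless", "summarized"):
        table = table_for(mode)
        hops = sorted(next_hops(table, "10.2.1.9"))
        print(f"{mode:<10} entries={len(table)} next hops for 10.2.1.9: {hops}")
```

With classful advertisement the table holds a single 10.0.0.0/8 entry that points at both routers; with summarization it holds two entries and each destination resolves to one router.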
To support route summarization, your IP addressing scheme must meet the following requirements:
- Classless routing protocols (those including subnet mask or prefix length information along with the IP address) must be used.
- All IP addresses used in route summarization must share identical high-order bits.
- The length of the prefix can be any number of bits up to 32 (for IPv4).

Planning Variable Length Subnet Masks (VLSM)

Variable length subnet masks (VLSMs) allow you to use different prefix lengths at different locations so that subnets of different sizes can coexist on the same network. Instead of using one subnet mask throughout the network, you apply several masks to the same address space, producing subnets of different sizes. For example, given the Class B network ID of , you can configure one subnet with as many as 32,766 hosts, 15 subnets with as many as 2,046 hosts, and 8 subnets with as many as 254 hosts.

Tip: When using VLSM, do not accidentally overlap blocks of addresses. If possible, start with equal-size subnets and then subdivide them.

VLSM also can be used when a point-to-point WAN link connects two routers. One way to handle such a WAN link is to create a small subnet consisting of only two addresses. Without VLSM, you might divide a Class C network ID into an equal number of two-address subnets. If only one WAN link is in use, all the subnets but one serve no purpose, wasting 252 addresses.

Alternatively, you can divide the Class C network into 16 workgroup subnets of 14 nodes each by using a prefix length of 28 bits (or, in subnet mask terms, ). By using VLSM, you can then subdivide one of those 16 subnets into 8 smaller subnets, each supporting only 2 nodes. You can use one of the 8 subnets for your existing WAN link and reserve the remaining 7 subnets for similar links that you might need in the future. To accomplish this act of subsubnetting by using VLSM, use a prefix length of 30 bits (or, in subnet mask terms, ).

Figure 1.8 shows variable length subnetting for two-host WAN subnets.

Figure 1.8 Variable Length Subnetting (diagram labels: network with 254 hosts; 16 networks with 14 hosts per network; 8 networks with 2 hosts per network)
If your network includes numerous WAN links, each with its own subnet, this approach can require significant administrative overhead. If you do not use route summarization, each subnet requires another entry in the routing table, increasing the overhead of the routing process. Some routers support unnumbered connections; a link with unnumbered connections does not require its own subnet.

Planning Supernetting and Classless Interdomain Routing (CIDR)

Similar to the way that subnetting allows you to divide class-based networks into smaller subnets by borrowing bits from the host part of the address, supernetting allows you to combine contiguous subnets into larger supernets by borrowing bits from the network part of the address.

For example, rather than allocate a Class B network ID to an organization that has 2,000 hosts, the Internet Assigned Numbers Authority (IANA) might allocate a range of eight Class C network IDs. Each Class C network ID accommodates 254 hosts, for a total of 2,032 host IDs.

Although this technique helps conserve Class B network IDs, it creates a new problem. Using conventional routing techniques, the routers on the Internet must, in this example, have eight Class C network ID entries in their routing tables to route IP packets to the organization. To prevent Internet routers from becoming overwhelmed with routes, a technique called Classless Interdomain Routing (CIDR), which the Internet uses to summarize routes, collapses multiple network ID entries into a single entry. In this example, CIDR collapses the network IDs that correspond to the eight Class C network IDs allocated to that organization into one entry.

A supernetted subnet mask conveys the starting network ID and the number of Class C network IDs allocated. The following tables demonstrate how eight Class C network IDs are allocated.

Table 1.1 indicates the contiguous allocation of eight Class C network IDs, starting with network ID Note that the first 21 bits (underlined) are the same for the starting network ID and the ending network ID. The last 3 bits of the third octet, which are borrowed from the network ID, range from 000 through 111. In decimal notation, the range is 0 through 7, or 8 total contiguous subnets, which are combined into one supernet.

Table 1.1 Supernetted Block of Addresses
Network ID | Subnet Mask (Binary)
Starting Network ID
Ending Network ID

A block of supernetted addresses, such as those in Table 1.2, is known as a CIDR block. Table 1.2 indicates the single CIDR entry that appears in the routing table. This entry represents all eight Class C network IDs that are allocated to the example organization.

Table 1.2 CIDR Routing Table Entry
Network ID | Subnet Mask | Subnet Mask (Binary)
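The supernetting arithmetic above, and the earlier VLSM tip about not overlapping blocks, can both be checked mechanically before a plan reaches a router. The following is an added example, not part of the original chapter; the function names are hypothetical and all addresses (eight Class C networks starting at 192.168.8.0, and a subdivided 192.168.1.0/24) are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def common_prefix(networks):
    """Return the longest prefix whose high-order bits every network shares."""
    nets = [ipaddress.ip_network(n) for n in networks]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address cannot belong
    # to a shared prefix; every bit to their left can.
    prefix_len = 32 - (low ^ high).bit_length()
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((low & mask, prefix_len))


def summarize(networks):
    """Return (summary, exact) for a list of IPv4 networks.

    exact is False when the summary route would also advertise address
    space that is not in the input list, so traffic for networks you do
    not route would be drawn toward you.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = common_prefix(networks)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary, covered == summary.num_addresses


def find_overlaps(plan):
    """Return the pairs of named blocks in an address plan that overlap."""
    blocks = [(name, ipaddress.ip_network(cidr)) for name, cidr in plan.items()]
    return [(a, b) for (a, net_a), (b, net_b) in combinations(blocks, 2)
            if net_a.overlaps(net_b)]


# Constructed sample data: eight contiguous Class C network IDs.
EIGHT_CLASS_C = [f"192.168.{third}.0/24" for third in range(8, 16)]

# Constructed VLSM plan for one Class C network: /28 workgroups, /30 WAN links.
VLSM_PLAN = {
    "workgroup-1": "192.168.1.0/28",
    "workgroup-2": "192.168.1.16/28",
    "wan-link-1": "192.168.1.32/30",
    "wan-link-2": "192.168.1.36/30",
    "wan-link-3": "192.168.1.28/30",  # planning mistake: lies inside workgroup-2
}

if __name__ == "__main__":
    summary, exact = summarize(EIGHT_CLASS_C)
    print("CIDR block:", summary, "mask:", summary.netmask, "exact:", exact)
    # Adjacent networks that do not share enough high-order bits summarize badly.
    print("misaligned pair:", summarize(["192.168.7.0/24", "192.168.8.0/24"]))
    print("overlaps:", find_overlaps(VLSM_PLAN))
```

A summary that is not exact is the case to review by hand: either allocate the missing networks from the same block or advertise more specific routes.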
In network prefix length notation, the CIDR block is /21. RIP v2, OSPF, and BGP4, which can exchange routing information in the form of [Network ID, Network Mask] pairs, support CIDR.

Choosing an Address Allocation Method

Choose an address allocation method that best fits your structured address model. Addressing by topology is recommended. However, you can choose one or more of the following methods:
- Random address allocation. Under a random addressing structure, you can assign blocks of addresses randomly. Random address allocation might be the most frequently used address allocation method, but it is the least desirable. For a small network where no significant growth is anticipated, this approach might be appropriate. However, if the network does grow, random address allocation can cause extra work for network administrators. Summarizing the random collection of routes might be difficult or impossible. This method can cause stability problems, with numerous routes being advertised to the core tier.
- Addressing by organization chart. To base your address structure on your organization chart, you create subnets based on a pool of addresses preassigned to a department or team. If, for example, you designate the Sales department as /16, the address /24 might be the subnet for the sales team at one site and /24 might be the subnet for the sales team at another site. To the extent that contiguous subnets remain unassigned, this address allocation method offers limited possibilities for route summarization, but, as a rule, this kind of addressing scheme does not scale well.
- Addressing by geographical region. When you base your address structure on location, a greater degree of summarization is possible. However, as the internetwork of a geographically diverse organization continues to grow, fewer routes are available for summarization.
- Addressing by topology. By basing your address structure on topology, you can ensure that summarization takes place and that an internetwork remains scalable and stable. Addressing by topology makes the addressing structure router-centric, enhancing efficiency.

Choosing Public or Private Addresses

If you use a direct (routed) connection to the Internet, you must use public addresses. If you use an indirect connection such as a proxy server or Network Address Translator (NAT), use private addresses. If your organization is not connected to the Internet, use private addresses (rather than unauthorized addresses) so that if you later connect to the Internet using an indirect connection, you do not need to change addresses already in use. If you connect to the Internet by using an Internet service provider (ISP), the ISP might provide only private addresses. The ISP itself uses public addresses to connect to the Internet.
Public Addresses

IANA assigns public addresses and guarantees them to be globally unique on the Internet. In addition, routes are programmed into the routers on the Internet so that traffic can reach those assigned public addresses. That is why public addresses can be reached on the Internet.

Private Addresses

Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those hosts within an organization that do not require direct access to the Internet. These addresses do not duplicate already assigned public addresses. RFC 1918, Address Allocation for Private Internets, defines the following three private address blocks:
- /8. The /8 private network is a Class A network ID that supports the following range of valid IP addresses: through The /8 private network has 24 host bits that a private organization can use for any subnetting scheme within the organization.
- /12. The /12 private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The /12 private network supports the following range of valid IP addresses: through
- /16. The /16 private network can be interpreted either as a block of 256 Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The /16 private network supports the following range of valid IP addresses: through

Because IANA never assigns IP addresses in the private address space as public addresses, routes for private addresses never exist on the Internet routers. Any number of organizations can repeatedly use the private address space, which helps to prevent the depletion of public addresses.

Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a NAT before it is sent over the Internet.

For an introduction to TCP/IP and more information about public and private addresses, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
Unauthorized Addresses

Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has assigned to other organizations.

You cannot connect to the Internet by using unauthorized addresses. Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. On some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation.

Network Address Translation

Network address translation, defined in RFC 3022, is the translation process performed by an IP router functioning as a network address translator (NAT). A NAT translates IP addresses from private network addresses used inside an organization to public addresses used outside the organization. Typically, a NAT-enabled router connects an internal corporate network with the Internet and builds a table that maps the connections between hosts inside the network and hosts outside on the Internet.

You can use NAT to map multiple internal private addresses to a single external public IP address. For example, a small business might obtain an ISP-allocated public IP address for each computer on its network. By using NAT, however, the business could use private addressing internally and have NAT map its private addresses to one or more public IP addresses that the ISP allocates.

NAT makes it more difficult for external users to attack systems on a private network. NAT also allows several nodes on the private network, each with its own private address, to share a smaller number of scarcer public addresses to access the Internet. However, although NAT allows you to reuse the private address space, it does not support standards-based network layer security or the correct mapping of all higher layer protocols. One purpose for the large number of addresses made available with the introduction of IPv6 is to make address conservation techniques such as NAT unnecessary.

Windows Server 2003 also supports IPSec NAT traversal (NAT-T), which allows nodes located behind a NAT (that is, they use private addresses) to use Encapsulating Security Payload (ESP) to protect traffic. This capability allows the creation of Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) connections from remote access clients and routers located behind NATs.

For more information about unicast IP routing, including technical information about the NAT routing protocol component of the Routing and Remote Access service, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at
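How the translation table described in this section behaves, as an added example (a simplified model, not the Routing and Remote Access implementation): outbound connections from RFC 1918 sources create mappings onto one shared public address, and an inbound packet with no matching mapping is dropped, which is why hosts behind a NAT are harder to reach from outside. The class name, port pool, the strict per-connection filtering policy, and all addresses are assumptions made for the example; the three private blocks in the code are the standard RFC 1918 ones.

```python
import ipaddress

RFC1918_BLOCKS = [ipaddress.ip_network(block)
                  for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr lies in one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


class Nat:
    """Port-translating NAT: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000, last_port=40999):
        if is_private(public_ip):
            raise ValueError("the external address must be a public address")
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self._by_flow = {}  # (proto, priv_ip, priv_port, remote_ip, remote_port) -> public port
        self._by_port = {}  # (proto, public port) -> the flow that owns it

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; create a mapping if new."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private source; nothing to translate")
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._free_ports, None)
            if port is None:
                raise RuntimeError("public port pool exhausted")
            self._by_flow[flow] = port
            self._by_port[(proto, port)] = flow
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address, or return None to drop it."""
        flow = self._by_port.get((proto, dst_port))
        if flow is None:
            return None  # no inside host ever opened this port: unsolicited
        _, priv_ip, priv_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # mapping exists, but for a different outside host
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    # Constructed traffic: two inside hosts reach the same outside server.
    nat = Nat("203.0.113.10")
    print(nat.outbound("tcp", "192.168.1.20", 51000, "198.51.100.7", 443))
    print(nat.outbound("tcp", "192.168.1.21", 51000, "198.51.100.7", 443))
    print("reply:      ", nat.inbound("tcp", "198.51.100.7", 443, 40000))
    print("unsolicited:", nat.inbound("tcp", "198.51.100.99", 443, 40000))
```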
Planning an IP Configuration Strategy

Every computer on an IP network must have a unique IP address. As noted earlier, using static addressing for clients is time-consuming and prone to error. To provide an alternative for IPv4, the IETF developed the Dynamic Host Configuration Protocol (DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figure 1.9 shows the stage in the TCP/IP design process during which you decide what to use for IP configuration. Most organizations choose to use DHCP for IPv4.

Figure 1.9 Planning an IP Configuration Strategy (design process stages: Plan the IP-based infrastructure; Develop routing strategies; Design an IP addressing scheme; Plan an IP configuration strategy; Plan security; Improve availability; Plan IP multicasting; Introduce IPv6 into your network; Test your design)
Although BOOTP and DHCP hosts can interoperate, DHCP is easier to configure. BOOTP requires maintenance by a network administrator, whereas DHCP requires minimal maintenance after the initial installation and configuration.

The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer running the DHCP service. Compared with static addressing, DHCP simplifies IP address management because the DHCP server automatically allocates IP addresses and related TCP/IP configuration settings to DHCP-enabled clients on the network. This is especially useful on a network with frequent configuration changes (for example, in an organization that has a large number of mobile users).

The DHCP server dynamically assigns specific addresses from a manually designated range of addresses called a scope. By using scopes, you can dynamically assign addresses to clients on the network no matter where the clients are located or how often they move.

DHCP Integration with DNS and WINS

The DHCP implementation in Windows Server 2003 is closely linked to name resolution services such as the Domain Name System (DNS) service and the Windows Internet Name Service (WINS). Network administrators benefit from combining all three when planning a deployment.

If you use DHCP servers for Windows-based network clients, you must use a name resolution service. In addition to name resolution, Windows Server 2003 networks use DNS to support Active Directory. Domain-based networks supporting clients running Windows NT version 4.0 or earlier or NetBIOS applications must use WINS servers. Networks supporting a combination of clients running Windows XP, Windows 2000, Windows Server 2003, and Windows NT 4.0 must implement both WINS and DNS.

DHCP, APIPA, and IP Address Allocation

DHCP clients receive IP addresses as follows:
- Dynamic allocation from DHCP server. After you configure DHCP, the DHCP server automatically assigns an IP address from a specified scope to a client for a finite period of time called a lease. Most clients receive a dynamic IP address.
- Static allocation from DHCP server. For a specific computer (such as a DHCP, DNS, or WINS server, or a print server, firewall, or router), you can manually configure the TCP/IP properties, including the IP address, the DNS and WINS parameters, and default gateway information. For the static clients to be on the same subnet as other, dynamically allocated computers, the static IP addresses must be within the scope or subnet defined for dynamic address allocation. You can use the DHCP snap-in to set an exclusion range to prevent the DHCP server from dynamically allocating the static IP address.
- Client reservation from DHCP server. By using the DHCP snap-in, you can also reserve a specific IP address for permanent use by a given DHCP client.
- Automatic allocation: APIPA. In the absence of a DHCP server, Automatic Private IP Addressing (APIPA) lets a workstation configure itself with an address in the range from to Computers using APIPA addresses can communicate only with other computers that are also using APIPA addresses within a single subnet. In this case, a computer has an IP address but cannot connect outside the subnet. APIPA regularly checks for the presence of a DHCP server; if it detects one, it yields to the DHCP service, which then assigns a dynamic address to replace the APIPA address. APIPA is designed primarily for simple networks with only one subnet, such as small or home-based networks. On a larger network, APIPA can be useful for identifying problems with DHCP: when a client uses an APIPA address, this indicates that a DHCP server has not been found.
- Alternate configuration: user configured. In the absence of a DHCP server, alternate configuration lets a computer use an IP address configured manually by the user. Alternate configuration is designed for a computer that is used on more than one network, such as a laptop used both at the office and at home. The user can specify an IP address on the computer's TCP/IP properties Alternate Configuration tab if at least one of the networks (for example, the home office) does not have a DHCP server and APIPA addressing is not wanted. If alternate configuration is not configured and no DHCP server is found, TCP/IP uses APIPA by default.

For more information about developing a DHCP strategy, see Deploying DHCP in this book.

Planning Security

IP does not have a default security mechanism. Without security, both public and private IP networks are susceptible to unauthorized monitoring and access. To prevent these types of security breach, develop a security strategy for your IP deployment in tandem with your overall network security plan. Ways that you can enhance security when deploying IP include:
- Securing IP packets. Provide end-to-end security by securing IP packets, which requires that you not use address translation (unless both peers support IPSec NAT-T and use ESP to protect traffic). IPSec is the most efficient way to provide a secure data stream.
- Deploying a perimeter network. Use a perimeter network to help secure your internal network from intrusion. Several options are available for doing this.
Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in your IP security plan.

Figure 1.10 Planning IP Security (tasks shown: Use IPSec; Use perimeter network)
Using IPSec

Effective integration with IPSec is becoming increasingly important to the secure deployment of IP in an enterprise internetwork. IPSec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The implementation of IPSec that runs on Windows Server 2003, Windows XP, and Windows 2000 is based on standards developed by the IETF IPSec working group.

IPSec provides a comprehensive technology for securing networks. However, the larger your organization, the more planning and engineering are required to implement IPSec. Assess the relative importance of your information resources; domain controllers, mail servers, and financial servers may rank high among the resources you want to protect. Include confidentiality considerations in your assessment. For example, many organizations might target Human Resources information for IPSec protection. After identifying the critical information resources to secure, configure IPSec policies as appropriate on those computers.

Windows Server 2003 uses the IPSec protocol suite to protect data traffic as it crosses a network. Although file encryption and required passwords protect information stored on network resources, they do not protect information as it moves across a network. By implementing IPSec, you can secure the following types of data:
- Data that moves across the part of your intranet that external users do not access.
- Data that moves across the part of your intranet that can be accessed by external users who have appropriate permissions.
- Data that moves across the Internet.
- Data that moves across an extranet.

IPSec security protects the content of IP packets from both active and passive attacks. In an active attack, a hacker modifies existing data or adds false data. In a passive attack, an intruder reads data. IPSec secures communication through the following methods:
- Peer authentication. IPSec verifies the identity of each computer. Each peer sends security credentials that are verified by the peer at the other end of the connection. Windows Server 2003 IPSec provides multiple methods of peer authentication.
- Data origin authentication. By incorporating a cryptographic checksum calculated with a shared secret key with each packet of protected data, IPSec can verify that the packet must have been sent by a peer that has knowledge of the secret key.
- Confidentiality (data encryption). IPSec offers confidentiality by encrypting data before transmission, ensuring that the data cannot be read during transmission even if an attacker monitors or intercepts the packet. IPSec encryption is applied at the IP network layer, which makes it transparent to applications that use TCP or User Datagram Protocol (UDP) for network communication.
- Integrity. IPSec protects data from unauthorized modification in transit, ensuring that the information received is exactly the same as the information sent.
- Anti-replay. IPSec ensures that any attacker who might intercept data cannot reuse or replay that data to establish a session or to illegally gain information or access to resources.

Deploying IPSec requires careful planning. For more information about deploying IPSec, see Deploying IPSec in this book. For more technical information about IPSec, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at

Using a Perimeter Network

A perimeter network protects your intranet or enterprise LAN from intrusion by controlling access from the Internet or other large network. The perimeter network (also known as a demilitarized zone or DMZ) is bounded by firewalls. A firewall is not a single component, but rather a system or combination of systems that enforces a boundary between two or more networks.

Figure 1.11 shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network.

Figure 1.11 Perimeter Network Securing an Internal Network (diagram labels: Secure Internal Network, which contains most servers and all client computers; Internal firewall; Perimeter Network, which contains servers that must access the external world, such as Proxy and Web servers; External firewall; Internet)

Organizations vary in their use of firewalls for providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they pertain only to a few specific applications, such as a particular system. Circuit gateways are most effective when the user of a network application is of greater concern than the data being passed by that application. The proxy server, the recommended solution, is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services.
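A header-based packet filter of the kind listed above can be modelled in a few lines, which also exposes its blind spot: once the payload is ESP-protected the TCP and UDP port numbers are no longer readable, so port rules cannot match and the filter can only accept or deny the protected traffic as a whole. This is an added example, not code from the chapter; the rule format, the first-match/default-deny policy, and all addresses (documentation ranges for the outside host and the perimeter network) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "esp"
    dport: Optional[int] = None  # None when the header exposes no port (ESP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    src: str                     # source CIDR block
    dst: str                     # destination CIDR block
    proto: str = "any"
    dport: Optional[int] = None  # None means "any port"


def rule_matches(rule, pkt):
    """Compare only what a packet filter can see: addresses, protocol, port."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    # A port rule needs a readable port; an ESP-protected packet has none.
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; return (action, index of the rule or None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None


# Constructed rule set for an external firewall in front of a perimeter network.
EXTERNAL_RULES = [
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0"),                   # internal source arriving from outside
    Rule("accept", "0.0.0.0/0", "192.0.2.80/32", "tcp", 80),   # Web server
    Rule("accept", "0.0.0.0/0", "192.0.2.25/32", "tcp", 25),   # mail relay
]

# The only way to admit ESP traffic is a rule with no port condition at all.
ESP_RULES = EXTERNAL_RULES + [
    Rule("accept", "203.0.113.5/32", "192.0.2.80/32", "esp"),
]

if __name__ == "__main__":
    web = Packet("203.0.113.5", "192.0.2.80", "tcp", 80)
    telnet = Packet("203.0.113.5", "192.0.2.80", "tcp", 23)
    spoofed = Packet("10.1.1.1", "192.0.2.80", "tcp", 80)
    protected = Packet("203.0.113.5", "192.0.2.80", "esp")
    for name, pkt in (("web", web), ("telnet", telnet),
                      ("spoofed", spoofed), ("esp", protected)):
        print(f"{name:8s}", evaluate(EXTERNAL_RULES, pkt))
    print("esp with blanket rule:", evaluate(ESP_RULES, protected))
```

With the blanket ESP rule in place the filter has no say over which service the protected packets reach, so the port-level policy has to be enforced at the IPSec endpoint instead.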
IP packet filtering

You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined.

In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.

Application gateways

Used when the actual content of an application is of greatest concern, application gateways do not adapt easily to changes in technology. However, unlike IP packet filtering, application gateways can be used in conjunction with encryption.

Circuit gateways

As tunnels connecting specific processes or systems on each side of a firewall, circuit gateways are best employed in situations where the person using an application is potentially a greater risk than the information that the application carries. The circuit gateway differs from a packet filter in its capability for connecting to an out-of-band application scheme that can add additional information.

Proxy servers

Proxy servers are comprehensive security tools that include firewall and application gateway functionality to manage Internet traffic to and from a private intranet. Proxy servers also provide document caching and access control. A proxy server can improve performance by caching and directly supplying frequently requested data such as a popular Web page. A proxy server also can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Take advantage of those firewall security features that can help you. Position a perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the perimeter that the external firewall maintains. You can fine-tune access control for the firewall to meet your needs and can configure firewalls to report all attempts at unauthorized access.

Improving Availability

Availability refers to how much time the network is operational. Planning well for availability improves both your network's mean time between failures (MTBF) and its mean time to recovery (MTTR) after a network failure. To improve availability in your IP network design, you must know your organization's availability requirements. For some organizations, unanticipated down time is simply an irritating inconvenience. In other environments, unanticipated down time could mean financial disaster, drastic loss of credibility, or, as in health care or law enforcement, a risk to safety.
Figure 1.12 shows the process for improving availability on your network.

Figure 1.12 Improving Availability (tasks shown: Implement redundancy; Implement secondary paths; Use load balancing)
Each method for improving availability places different demands on the design of your network. As the risk of down time to your operation increases, build more redundancy into your design, both in hardware and routing. Similarly, as the consequences of failure increase, make your network more resilient by increasing the amount of stress it can handle before it loses functionality.

Implementing Redundancy

Single points of failure, such as devices, links, and interfaces, can make a network vulnerable. If one such point fails, it isolates users from services and, in the worst case, causes entire sections of the network to fail. For a purely hierarchical network (one based on summarization and controlled access between tiers), every device and link is a point of failure.

Redundancy provides alternative paths around points of failure. In a purely redundant network, each individual device, link, and interface is dispensable. No single device, link, or interface can isolate users or cause the network to fail.

In most production environments, neither a purely hierarchical nor a purely redundant network is practical. You must balance the efficiency of a hierarchical network with the safety net of redundancy.

Implementing Secondary Paths

After deploying multiple devices to eliminate single points of failure, configure secondary paths to take advantage of the multiple devices. A secondary path, or backup path, consists of the interconnecting devices and the links between them that duplicate the devices and links in the primary path. For example, you can configure multiple routers to provide redundancy. A redundant design uses the secondary path to maintain network connectivity when any of the primary path's devices or links fails.

Be sure to test any secondary paths on a regular basis. Do not assume that they will work. If possible, ensure that the switch from the primary path to the secondary path occurs transparently. For mission-critical applications, automatic failover is mandatory.
Using Load Balancing

In addition to its safety net function, redundancy plays a second valuable role. By properly configuring two or more paths that connect the same source and destination networks, you can significantly improve throughput by providing load balancing.

Load balancing evenly divides the flow of traffic among parallel links. Most routing protocols based on open standards support load balancing across paths that the protocol determines to be equally favorable to the destination. In addition, some vendors' proprietary routing protocols support load balancing where the costs of the paths (their relative favorability to the destination in terms of shortest distance, number of hops, and other criteria) are not considered equal.

For more information about network load balancing, see Designing Network Load Balancing in Planning Server Deployments of this kit.

Planning IP Multicasting

With IP multicasting, one device can send a single data stream that the network replicates only as necessary so that multiple devices receive the data. Because of the minimal overhead required to create the data stream and the low overhead on the network, multicast communication is particularly suitable for multiple-user multimedia applications such as video conferencing, distance learning, and collaborative computing. You can also use multicast traffic to discover resources on the internetwork and to support datacasting applications such as file distribution or database synchronization.

Using the IP multicast components of the Windows Server 2003 TCP/IP protocol and the Routing and Remote Access service, you can send and receive IP multicast traffic from multicast-enabled portions of your intranet or the Internet and from remote access clients. You can use IP multicast to optimize server loading and network bandwidth. Figure 1.13 shows the tasks involved in planning IP multicasting.
Figure 1.13 Planning IP Multicasting (tasks shown: Plan MADCAP servers; Plan IP multicast-enabled routers; Configure IGMP; Configure IP multicast scopes; Configure client computers)

In multicast routing, routers communicate multicast group membership information to each other using multicast routing protocols, and forward data across the internetwork. Multicast forwarding refers to the process of forwarding multicast traffic to networks on which other multicast devices are listening. The multicast-capable portion of the Internet is referred to as the Internet multicast backbone, or MBone.
All computers running Windows Server 2003 can both send and receive IP multicast traffic. Windows Server 2003 TCP/IP can listen for IPv4 multicast traffic and use a multicast forwarding table to determine where to forward incoming multicast traffic. Figure 1.14 shows one common configuration of IP multicast components. For examples of a number of supported multicast configurations, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at

[Figure 1.14 IP Multicast Components: diagram of an enterprise intranet showing a multicast source, IP multicast-enabled routers running a multicast routing protocol, a computer running the Windows Server 2003 Routing and Remote Access service with an IGMP router mode interface and an IGMP proxy mode interface, and a Windows XP host.]

Planning MADCAP Servers

The Multicast Address Dynamic Client Allocation Protocol (MADCAP), built on a client/server model, enables a computer to request an IP multicast address from one or more multicast address allocation servers, known as MADCAP servers. If a client sends a message and does not receive a response, it can retransmit its request.

MADCAP as defined in RFC 2730, Multicast Address Dynamic Client Allocation Protocol (MADCAP), differs substantially and is separate from DHCP. However, the Windows Server 2003 DHCP service combines support for both the DHCP and MADCAP protocols for IPv4. Although MADCAP is packaged in the DHCP service, the DHCP and MADCAP services are independent of each other. A DHCP client might or might not be a MADCAP client, and a MADCAP client might or might not be a DHCP client.
MADCAP Without DHCP

To use the DHCP service to deploy MADCAP servers independently of DHCP servers, create one or more multicast scopes, but do not create other scopes or superscopes. The MADCAP server also functions as a DHCP server only if you configure other scopes or superscopes.

MADCAP Security

The IPSec protocol meets MADCAP requirements for client/server identification and integrity protection as described in RFC 2730, and requires no modifications to the MADCAP protocol. Therefore, when you require strong security, use IPSec to protect all of the unicast messages of the MADCAP protocol. For more information about MADCAP, including how to use IPSec in conjunction with MADCAP, see RFC 2730, Multicast Address Dynamic Client Allocation Protocol (MADCAP).

Planning IP Multicast-Enabled Routers

To implement IP multicasting on a multiple-router intranet, you must install routers enabled for multicast routing and configured with one or more multicast routing protocols. Windows Server 2003 does not provide any multicast routing protocols.

To provide multicast forwarding within a single-router intranet or when connecting a single-router intranet to the Internet, you can configure the Internet Group Management Protocol (IGMP) routing protocol component of the Routing and Remote Access service with interfaces set to IGMP router mode and IGMP proxy mode. The IGMP routing protocol component exchanges and updates information in the IP multicast forwarding table about host membership in specific groups.

The IGMP routing protocol is not a multicast routing protocol. To support efficient multicast forwarding and routing on a multiple-router intranet, you must also install IP multicast-enabled routers that use one or more multicast routing protocols. Multicast routers use multicast routing protocols to communicate multicast group information with each other.
Note: You can configure the IGMP router mode and IGMP proxy mode interfaces to provide multicast forwarding support in multiple-router intranets, but doing so is not efficient and is therefore not recommended or supported.
Although Windows Server 2003 does not include any multicast routing protocols, the Routing and Remote Access service is an extensible platform that can support multicast routing protocols. Multicast routing protocols include Protocol-Independent Multicast (PIM) in both Sparse Mode (PIM-SM) and Dense Mode (PIM-DM), Multicast Extensions to OSPF (MOSPF), and the Distance Vector Multicast Routing Protocol (DVMRP). Your choice of multicast routing protocol will depend on the size and type of network and the distribution of multicast group members.

Protocol-Independent Multicast (PIM). The PIM protocol routes to multicast groups whose members span wide-area and interdomain internetworks. PIM functions independently of any unicast routing protocol. A multicast group that uses PIM can declare itself sparse or dense, using either Sparse Mode or Dense Mode:

- Protocol-Independent Multicast Sparse Mode (PIM-SM), the most widely used multicast routing protocol, is designed for multicast groups whose members are distributed sparsely across a large region. PIM-SM can operate in a LAN environment but is most efficient in a WAN environment. Using a dense-mode protocol for a multicast group whose members are distributed thinly can cause unnecessary transmission and router storage of data packets or membership report information. This overhead might be acceptable where multicast group members are populated densely, but it is inefficient for a sparse mode multicast group. In sparse mode, routers must explicitly join and leave multicast groups, which eliminates unnecessary traffic and storage.
- Protocol-Independent Multicast Dense Mode (PIM-DM) is a dense-mode multicast routing protocol designed for multicast groups whose members are distributed thickly over an area where bandwidth is plentiful. PIM-DM is interoperable with the sparse mode, PIM-SM. PIM-DM does not scale well.

Multicast Extensions to OSPF (MOSPF). The MOSPF protocol, an extension of OSPF, is also a dense-mode multicast routing protocol.
MOSPF employs a unicast routing protocol that requires that each router in a network be aware of all available links. MOSPF is intended for use on a single organization's network, and does not scale well. MOSPF requires OSPF as its accompanying unicast routing protocol. It can sometimes put a heavy load on router CPU bandwidth.

Distance Vector Multicast Routing Protocol (DVMRP). The original IPv4 multicast routing protocol, DVMRP runs over multicast-capable LANs such as Ethernet. DVMRP can also tunnel IP multicast packets as unicast packets through routers with no multicast capability. DVMRP is a dense-mode multicast routing protocol that does not scale well.
Configuring IGMP

To support IPv4 multicast applications on a single-router intranet or when connecting a single-router intranet to the Internet, you can use the Routing and Remote Access service on one or more computers running Windows Server 2003, add the IGMP routing protocol component on each server, and configure the server's outbound interface for IGMP router mode and its inbound interface for IGMP proxy mode. If your multicast applications cross the Internet, the outbound interface is the intranet interface and the inbound interface is the Internet interface.

IGMP router mode on the outbound interface. In Windows Server 2003, an outbound interface running in IGMP router mode listens for IGMP Membership Report messages and tracks group membership. Enable IGMP router mode on the interfaces to listening multicast hosts. The TCP/IP protocol and the IGMP routing protocol component for interfaces running in IGMP router mode forward multicast traffic.

IGMP proxy mode on the inbound interface. IGMP proxy mode is designed to pass IGMP Membership Report messages within a single-router intranet or from a single-router intranet to the MBone. (As explained earlier, in a multiple-router intranet, you must install routers that use one or more multicast routing protocols.) With IGMP proxy mode enabled on the inbound interface, hosts can receive multicast traffic from multicast sources and can send multicast traffic to other hosts.

Within a single-router intranet, or when connecting a single-router intranet to the Internet, you do not need routers running multicast routing protocols. However, within a multiple-router intranet that uses multicast routers running multicast routing protocols, you can still use the Routing and Remote Access service as a multicast forwarding router on the periphery of your intranet.

RFC 1112, Host Extensions for IP Multicasting, defines address and host extensions for IP hosts that support multicasting, and defines IGMP Version 1.
RFC 2236, Internet Group Management Protocol (IGMP), Version 2, defines IGMP Version 2. Windows Server 2003 supports IGMP Version 3, described in the Internet Draft Internet Group Management Protocol, Version 3. Under IGMP Version 3, hosts can specify interest in receiving multicast traffic from specified sources or from all but a specific set of sources.
Configuring IP Multicast Scopes

Multicast addressing supports dynamic membership, under which individual computers can join or leave a multicast group at any time. Group membership is not limited by size, and computers are not restricted to membership in any single group.

On all IP networks, each computer must first be configured with its own unicast IP address. After assigning this unicast address, you can configure the computer to support a multicast address. A multicast group of computers shares the same multicast IP address. IPv4 multicast addresses range, in dotted decimal notation, from through ( /4). Such a multicast group also uses a MAC-layer multicast address, which allows all devices to filter unsolicited multicast traffic at the link layer. Ethernet addresses reserved for multicasting range from E through E-7F-FF-FF.

Typically, you specify IP address ranges for multicast scopes on your MADCAP server in the following ways:

Administrative scoping is designed for multicast IP addresses used privately on your intranet. You use the range of the multicast (Class D) address space with a subnet mask of This is known as the IPv4 Organization Local Scope. It provides 262,144 group addresses (2^18) for use in all subnets on your network. For more information about administrative scoping, see RFC 2365, Administratively Scoped IP Multicast.

Global scoping is designed for multicast IP addresses used on the Internet. You use the range of the multicast address space. Global addresses are allocated in the following way:

- IANA (or another network registry) allocates and reserves the first 8 bits of the range (the 233 portion).
- The next 16 bits are based on your Autonomous System (AS) number. For information about obtaining your existing AS number or acquiring a new one, see Using Multicast Scopes in Help and Support Center for Windows Server
- The last 8 bits provide the IP address range from which to configure any multicast scopes for group addresses that you want to use publicly on the Internet.
Use a subnet mask of For more information about global scoping, see RFC 3180, GLOP Addressing in 233/8. For more information about AS numbering, see RFC 1930, Guidelines for Creation, Selection, and Registration of an Autonomous System (AS).
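The two scoping rules above can be checked mechanically before ranges are entered on a MADCAP server. The following Python sketch is an added example, not part of the original chapter: it derives the GLOP block from a 16-bit AS number, sorts planned group addresses into the two scopes, and flags groups that map to the same Ethernet multicast address and so cannot be separated by link-layer filtering. It assumes the organization-local range 239.192.0.0/14 from RFC 2365 and the 01-00-5E mapping from RFC 1112; the sample plan and AS 64500 (a documentation AS number) are constructed.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")
# Organization-local administrative scope from RFC 2365 (2**18 group addresses).
ORG_LOCAL_SCOPE = ipaddress.IPv4Network("239.192.0.0/14")


def glop_block(as_number):
    """Return the RFC 3180 GLOP block 233.<AS high byte>.<AS low byte>.0/24."""
    if not 1 <= as_number <= 0xFFFF:
        raise ValueError("GLOP addressing is defined for 16-bit AS numbers only")
    return ipaddress.IPv4Network(((233 << 24) | (as_number << 8), 24))


def classify_group(group, as_number):
    """Say which planned scope, if any, a multicast group address belongs to."""
    addr = ipaddress.IPv4Address(group)
    if addr not in MULTICAST:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    if addr in ORG_LOCAL_SCOPE:
        return "administrative (organization-local)"
    if addr in glop_block(as_number):
        return "global (GLOP)"
    return "outside planned scopes"


def ethernet_multicast_mac(group):
    """Map a group to its Ethernet address: 01-00-5E plus the low 23 bits of the IP."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01-00-5E-{:02X}-{:02X}-{:02X}".format(
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_collisions(groups):
    """Return {MAC: [groups]} for every MAC shared by more than one group.

    Only 23 of the 28 variable address bits survive the mapping, so 32 group
    addresses share each MAC and link-layer filtering cannot tell them apart.
    """
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[ethernet_multicast_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


def review_plan(groups, as_number):
    """Return one finding per out-of-scope group and per link-layer collision."""
    findings = []
    for group in groups:
        if classify_group(group, as_number) == "outside planned scopes":
            findings.append(f"{group}: not in {ORG_LOCAL_SCOPE} or {glop_block(as_number)}")
    for mac, members in mac_collisions(groups).items():
        findings.append(f"{', '.join(members)}: share link-layer address {mac}")
    return findings


# Constructed sample plan; AS 64500 is a documentation AS number, not a real site.
SAMPLE_AS = 64500
SAMPLE_PLAN = ["239.192.10.20", "239.193.10.20", "233.251.244.7", "239.64.10.20"]

if __name__ == "__main__":
    print("GLOP block:", glop_block(SAMPLE_AS))
    for finding in review_plan(SAMPLE_PLAN, SAMPLE_AS):
        print("FINDING:", finding)
```
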
Configuring Client Computers

On participating clients, install and configure the appropriate MADCAP-aware hardware and software. For example, for video conferencing, install video conferencing software and a video camera, sound card, and audio headset.

Standards for the multicast transmission of a data stream between the subnets of an internetwork include RFC 1112, Host Extensions for IP Multicasting; RFC 2236, Internet Group Management Protocol, Version 2; and the Internet Draft Internet Group Management Protocol, Version 3. Such standards instruct routers how and where to route multicast traffic.

For more information about IP multicasting, including multiple supported multicast configurations, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at and for information about Windows Server 2003 TCP/IP, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at

Introducing IPv6 on Your Network

In addition to the IPv4 stack installed by default, Windows Server 2003 and Windows XP include an IPv6 protocol stack that you can use to test IPv6, to explore IPv6-enabled applications, and to prepare for possible eventual migration to a native IPv6 infrastructure.

It is expected that IPv4 and IPv6 will coexist on enterprise networks for a number of years. Depending on their needs, some organizations might continue to use IPv4 exclusively, some will migrate slowly while running both IPv4 and IPv6 in the interim, and some will maintain IPv4 in one or more sections of their organization and implement IPv6 in other sections. To ensure that your organization makes best use of IPv6 capabilities with the least administrative overhead, include a plan for introducing IPv6 into the design for your TCP/IP network.
To prepare to introduce IPv6, you must explore the new functionality introduced by IPv6, plan IPv6 addressing, plan how to route IPv6 traffic over an existing IPv4 infrastructure or an IPv6 infrastructure, decide whether to deploy DNS dynamic update, and decide whether to deploy PortProxy to enable IPv4 applications (where possible) for IPv6. Figure 1.15 shows each task in the planning process.
[Figure 1.15 Introducing IPv6 on Your Network: flowchart of the design tasks in this chapter, with the Introduce IPv6 on your network task expanded into Explore IPv6, Plan IPv6 addressing, Route IPv6 traffic over IPv4 infrastructure, Configure DNS for IPv6/IPv4 coexistence, and Enable IPv4 applications for IPv6.]
Exploring IPv6

Windows Server 2003 includes an IPv6 stack, in addition to the IPv4 stack, which you can use to explore the capabilities of IPv6, test new applications and network technologies, and plan the first steps toward the wider adoption of IPv6 on your network.

The current version of the Internet Protocol (IP version 4, known as IPv4) dates from 1981 and has not changed substantially since it was introduced in RFC 791, Internet Protocol. Although IPv4 proved to be remarkably robust and enduring, in the early 1990s the Internet Engineering Task Force (IETF) began to develop a suite of protocols and standards, IPv6, to better address the demands of modern networking. Two of the most important of these protocols are RFC 2460, Internet Protocol, Version 6 (IPv6) Specification, which defines IPv6, and RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, which specifies a set of ICMP messages for use with IPv6.

Before considering the design choices that you must make when introducing IPv6 on your network, you must become familiar with some of the basics about IPv6, including:

- IPv6 features.
- Supported features, server applications, and application programming interfaces (APIs).
- Supported IPv6 tools.
- Types of nodes.

IPv6 Features

The IPv6 protocol includes the following features and improvements over IPv4:

New header format. The IPv6 header is designed to minimize overhead. Although the IPv6 address field is four times as long as the address field in IPv4, the IPv6 header is only twice as large as the IPv4 header overall. The more efficient header design enables faster processing at intermediate routers. IPv6 headers are not interoperable with IPv4 headers, and the IPv6 protocol is not backward compatible with IPv4. A host or router must use an implementation of both IPv4 and IPv6 in order to recognize and process both header formats.

Large address space.
IPv6 provides 128-bit IP addresses, in contrast with the 32-bit IPv4 IP addresses. The address space is designed to accommodate a vast number of interconnected devices on any network, and its structure is designed to reduce the number of routing table entries in IPv6 routers.

Hierarchical addressing and routing infrastructure. IPv6 global addresses are designed to facilitate a hierarchical routing infrastructure that is based on the common occurrence of multiple levels of ISPs. It is anticipated that the routing tables for backbone routers on the IPv6 Internet will be much smaller and, as a result, will be processed much more efficiently.
Automatic address configuration. IPv6 simplifies address configuration and renumbering by enabling automatic address configuration for all hosts. Host interfaces automatically learn their addresses through interactions with local IPv6 routers. They can learn new addresses on the fly, making network renumbering much simpler than in IPv4.

Integrated network security. Support for IPSec is an IPv6 protocol suite requirement.

Better support for Quality of Service (QoS). The IPv6 header contains a new field that can be used to determine how to identify and prioritize traffic. Because the traffic type can be identified within the IPv6 header, support for QoS is available even when IPSec encryption is in use.

New protocol for neighboring node interaction. The IPv6 Neighbor Discovery protocol is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manage the interaction of nodes on the same link. Neighbor Discovery replaces broadcast-based Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.

Extensibility. IPv6 can be easily extended to incorporate new features by adding extension headers after the IPv6 header. The size of IPv6 extension headers is limited only by the size of the IPv6 packets.

Supported Features, Server Applications, and APIs

Windows Server 2003 supports IPv6 functionality for a wide range of services. Table 1.3 shows which IPv6 features Windows Server 2003 IPv6 supports.

Table 1.3 IPv6 Features Supported by Windows Server 2003 IPv6

IPv6 Feature | Supported by Windows Server 2003 IPv6
Installation (use the Add protocol GUI, or use the Netsh command-line tool) | Yes
Uninstallation (use the Remove protocol GUI, or use the Netsh command-line tool) | Yes
Dual IPv6/IPv4 stack | Yes
6to4 | Yes
ISATAP | Yes
6over4 (manual) | Yes
IPv6 NAT Traversal (also referred to as Teredo) | No
DNS over IPv6 (also referred to as DNS AAAA records) | Yes
Link-local Multicast Name Resolution (LLMNR) | No
DNS dynamic update | Yes
DHCP | No
TCP PortProxy | Yes
Remote Desktop | No
Remote Assistance | No
IPv6 Management Information Base (MIB) for Simple Network Management Protocol (SNMP) | Yes
Microsoft Network Monitor version 2 (Netmon) | Yes
Visual Studio .NET (VS.NET) | Yes
IPSec authentication | Yes
IPSec encryption | No

Table 1.4 shows which server applications Windows Server 2003 IPv6 supports.

Table 1.4 Server Applications Supported by Windows Server 2003 IPv6

Server Applications | Supported by Windows Server 2003 IPv6
File sharing, printer sharing | Yes
Windows Media Server | Yes
Internet Information Services (IIS) 6.0 (HTTP only) | Yes
Telnet server | Yes
FTP server | No
Active Directory | No
Microsoft Exchange Server | No
SQL Server | No
Windows Server 2003 IPv6 also supports Internet Explorer. However, it does not include support for literal addresses. In addition, the following APIs support Windows Server 2003 IPv6:

- .NET Framework
- Windows Sockets 2 (Winsock2) API
- Remote procedure call (RPC)
- Distributed Component Object Model (DCOM)
- Windows Internet (WinINet) API (does not include support for literal addresses)
- Windows HTTP Services (WinHTTP)
- HTTP.sys
- IP Helper API (IPHLPAPI) module
- Debuggers

Supported IPv6 Tools

Windows Server 2003 IPv6 supports the following tools.

- Ping
- Tracert
- Pathping
- Ipconfig
- Route
- Netsh (use netsh interface IPv6 commands)
- Netstat
- Nslookup
- Telnet client
- FTP client

For more information about these TCP/IP tools and commands, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
Types of Nodes

To understand IPv6 tunneling technologies, such as 6to4 and ISATAP (described later), you must understand the types of nodes that might be involved. Table 1.5 shows IPv4 and IPv6 node types.

Table 1.5 IPv4 and IPv6 Node Types

Node Type | Description
IPv4-only node | A device that can communicate only with IPv4 nodes and applications and that does not support IPv6.
IPv6-only node | A device that can communicate only with IPv6 nodes and that does not support IPv4.
IPv6/IPv4 node | A device that implements both IPv4 and IPv6 and that can communicate with either IPv6 or IPv4 nodes and applications.
IPv4 node | Any device that supports IPv4. Both IPv4-only and IPv6/IPv4 nodes are IPv4 nodes.
IPv6 node | Any device that supports IPv6. Both IPv6-only and IPv6/IPv4 nodes are IPv6 nodes.

For more information about the different node types, see RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers.

Planning IPv6 Addressing

To plan an efficient IPv6 addressing strategy, you must understand how IPv6 addressing works. IPv6 addressing is a major departure from IPv4 addressing. The most obvious difference is that IPv4 uses 4-byte source and destination addresses, typically expressed in the familiar dotted-decimal notation, whereas IPv6 uses 16-byte addresses, typically expressed in colon-hexadecimal notation. Colon-hexadecimal notation uses eight 4-digit hexadecimal numbers, with colons separating the 16-bit blocks (the 4-digit numbers).

To manage addresses more easily, IPv6 suppresses leading zeros and compresses a single contiguous all-zero 16-bit block, representing the contiguous block with two colons (::) (known as double-colon compression). Table 1.6 shows the effects of suppressing leading zeros and double-colon compression on the notation for an IPv6 address.
Table 1.6 Leading Zero Suppression and All-Zero Contiguous Block Compression

IPv6 Address Notation | IPv6 Address
IPv6 address | FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C
IPv6 address with leading zeros suppressed | FEC0:0:0:0:2AA:FF:FE3F:2A1C
IPv6 address with leading zeros suppressed and an all-zero contiguous block compressed | FEC0::2AA:FF:FE3F:2A1C

The 16 bytes, or 128 bits, provided in the IPv6 address space potentially supports addresses. However, the purpose of this large address space is not only to provide an inexhaustible supply of addresses, but also to enable a hierarchical routing infrastructure that can be summarized. IPv6 addressing is designed to minimize the size of routing tables and to reduce routing complexity.

IPv6 supports address configuration both in the presence of a DHCP server, known as stateful address configuration, and in the absence of a DHCP server, known as stateless address configuration. Stateless address configuration introduces the use of link-local addresses, whereby hosts on the same link automatically configure themselves with IPv6 addresses for that link and can use those addresses to communicate with the other hosts on the same link. If one or more local routers exist, hosts can use router discovery to automatically determine the routers' addresses and can then communicate with IPv6 hosts beyond the local link.

As in IPv4, the high-order bits in an IPv6 address identify the type of address. In IPv6, the high-order bits are known as the Format Prefix (FP). IPv6 does not use subnet masks to specify the network ID. Instead, it uses only prefix notation.

IPv6 Address Types

IPv6 has three types of addresses, which can be categorized by type and scope:

- Unicast addresses. A packet is delivered to one interface.
- Multicast addresses. A packet is delivered to multiple interfaces.
- Anycast addresses. A packet is delivered to the nearest of multiple interfaces (in terms of routing distance).

IPv6 does not use broadcast messages.
Unicast and anycast addresses in IPv6 have the following scopes (for multicast addresses, the scope is built into the address structure):

- Link-local. The scope is the local link (nodes on the same subnet).
- Site-local. The scope is the organization (private site addressing).
- Global. The scope is global (IPv6 Internet addresses).

In addition, IPv6 has special addresses such as the loopback address. The scope of a special address depends on the type of special address. Much of the IPv6 address space is unassigned.

Unicast IPv6 Addresses

IPv6 has several major unicast address types.

Unicast global addresses

IPv6 unicast global addresses are similar to IPv4 public addresses. Also known as aggregatable global unicast addresses, global addresses are globally routable. The structure of an IPv6 unicast global address creates the three-level topology shown in the following illustration.

001 (3 bits) | TLA ID (13 bits) | Res (8 bits) | NLA ID (24 bits) | SLA ID (16 bits) | Interface ID (64 bits)
Public Topology (total 48 bits) | Site Topology | Interface of a node on a specific subnet

Table 1.7 explains each field in a unicast global address.

Table 1.7 Fields in a Unicast Global Address

Field | Description
001 | Identifies the address as an IPv6 unicast global address.
Top Level Aggregation Identifier (TLA ID) | Identifies the highest level in the routing hierarchy. TLA IDs are administered by IANA, which allocates them to local Internet registries, which then allocate a given TLA ID to a global ISP.
Res | Reserved for future use (to expand either the TLA ID or the NLA ID).
Next Level Aggregation Identifier (NLA ID) | Identifies a specific customer site.
Site Level Aggregation Identifier (SLA ID) | Enables as many as 65,536 (2^16) subnets within an individual organization's site. The SLA ID is assigned within the site; an ISP cannot change this part of the address.
Interface ID | Identifies the interface of a node on a specific subnet.
Unicast site-local addresses

IPv6 unicast site-local addresses are similar to IPv4 private addresses. The scope of a site-local address is the internetwork of an organization's site. (You can use both global addresses and site-local addresses in your network.) The prefix for site-local addresses is FEC0::/48. The following illustration shows the structure of a site-local address.

(10 bits) | (38 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

The initial 48 fixed bits are followed by a 16-bit Subnet ID field, which provides as many as 65,536 subnets in a flat subnet structure. Alternatively, you can subdivide the high-order bits of the Subnet ID field to create a hierarchical routing infrastructure. The last field is a 64-bit Interface ID field that identifies the interface of a node on a specific subnet.

Note: Global addresses and site-local addresses share the same structure after the first 48 bits: the 16-bit SLA ID of a global address and the 16-bit Subnet ID of a site-local address both identify the subnets of an organization's site. Because of this, you can assign a specific subnet number to identify a subnet that is used for both global and site-local unicast addresses.

Unicast link-local addresses (FE80::/64)

IPv6 unicast link-local addresses are similar to IPv4 APIPA addresses used by computers running Microsoft Windows. Hosts on the same link (the same subnet) use these automatically configured addresses to communicate with each other. Neighbor Discovery provides address resolution. The prefix for link-local addresses is FE80::/64. The following illustration shows the structure of a link-local address.

(10 bits) | (54 bits) | Interface ID (64 bits)

Unicast unspecified address

The IPv6 unicast unspecified address is equivalent to the IPv4 unspecified address of The IPv6 unspecified address is 0:0:0:0:0:0:0:0, or a double colon (::).
Unicast loopback address

The IPv6 unicast loopback address is equivalent to the IPv4 loopback address, The IPv6 loopback address is 0:0:0:0:0:0:0:1, or ::1.
Unicast 6to4 addresses (2002::/16)

IPv6 uses 6to4 addresses to communicate between two IPv6/IPv4 nodes over the IPv4 Internet. A 6to4 address combines the prefix 2002::/16 with the 32 bits of the public IPv4 address of the node to create a 48-bit prefix 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address. Therefore, the IPv4 address translates into a 6to4 address prefix of 2002:9D3C:5B7B::/48. The following illustration shows the structure of a 6to4 address.

(10 bits) | (54 bits) | Interface ID (64 bits)

However, this is often written using the hexadecimal prefix: 2002:WWXX:YYZZ:SLA ID:Interface ID.

The following example shows how the WWXX:YYZZ portion of the address is translated from colon-hexadecimal notation to dotted-decimal notation. In this example, 9D3C:5B7B translates to , as illustrated in the following example.

Notation Type | Value
Colon-hexadecimal | 9D 3C 5B 7B
Dotted-decimal |

Use a calculator to convert each constituent number from one notation type to the other.

For more information about 6to4 tunneling, see Routing IPv6 Traffic over an IPv4 Infrastructure later in this chapter.

Unicast ISATAP addresses

IPv6 uses ISATAP addresses to communicate between two IPv6/IPv4 nodes over an IPv4 intranet. An ISATAP address combines a 64-bit unicast link-local, site-local, or global prefix (a global prefix might be a 6to4 prefix) with a 64-bit suffix constructed of the ISATAP identifier 0:5EFE, followed by the IPv4 address assigned to an interface of the host. The prefix is known as the subnet prefix. Although a 6to4 address can incorporate only a public IPv4 address, an ISATAP address can incorporate either a public or a private IPv4 address. The following illustration shows the structure of an ISATAP address.

Subnet prefix <A link-local, site-local, or global prefix> (64 bits) | 0000:5EFE (32 bits) | WWXX:YYZZ (32 bits)
Table 1.8 shows an example of each type of ISATAP address.

Table 1.8 Examples of ISATAP Addresses

Type of ISATAP Address | ISATAP Address
With link-local prefix | FE80::5EFE: *
With site-local prefix | FEC0::1111:0:5EFE: *
With global prefix | 3FFE:1A05:510:1111:0:5EFE: *
With global 6to4 prefix | 2002:9D36:1:2:0:5EFE: *

*Alternatively, the IPv4 address (in this example, ) can be written in hexadecimal (in this example, 836B:8108).

By default, the IPv6 protocol for Windows XP and members of Windows Server 2003 automatically configures the ISATAP address of FE80::5EFE:w.x.y.z for each IPv4 address that is assigned to the node. This link-local ISATAP address allows two hosts to communicate over an IPv4 network by using each other's ISATAP address.

For more information about ISATAP tunneling, see Routing IPv6 Traffic over an IPv4 Infrastructure later in this chapter.

Multicast IPv6 Addresses

IPv6 multicast addresses are similar to IPv4 multicast addresses. Packets addressed to a multicast address are delivered to all interfaces that the address identifies. The following illustration shows the structure of an IPv6 multicast address.

(8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits)

Table 1.9 explains each field in an IP multicast address. The prefix for multicast addresses is FF00::/8.

Table 1.9 Fields in a Multicast Address

Field | Description
(8 bits) | Identifies the address as an IP multicast address.
Flags | Currently, the only defined flag is the Transient (T) flag. Set to zero, the T flag identifies the address as a permanently assigned multicast address. Set to 1, it identifies a transient address.
Scope | Indicates the scope of the multicast traffic, such as interface-local, link-local, site-local, organization-local, or global scope.
Group ID | Identifies the multicast group.
Multicast solicited node address

The IPv6 multicast solicited node address is used for efficient address resolution. The IPv4 ARP Request frame is sent to the MAC-level broadcast, which disturbs all nodes on the network segment. The multicast solicited node address combines the prefix FF02::1:FF00:0/104 with the last 24 bits of the IPv6 address being resolved. IPv6 uses the solicited node multicast address for the Neighbor Solicitation message (the IPv6 equivalent to the ARP Request frame) that resolves an IPv6 address to its link-layer address, disturbing few nodes during the address resolution process.

Anycast IPv6 Addresses

Anycast IPv6 addresses are similar to but more efficient than the anycast addresses in IPv4, which are used primarily by large ISPs. Anycast addresses use the unicast address space but function differently from other unicast addresses. IPv6 uses anycast addresses to identify multiple interfaces. IPv6 delivers packets addressed to an anycast address to the nearest interface that the address identifies. In contrast to a multicast address, where delivery is from one to many, an anycast address delivery is from one to one-of-many. Currently, anycast addresses are assigned only to routers and are used only as destination addresses.

IPv6 Addresses Assigned to Hosts and Routers

An IPv6 host, including those with only one interface, typically has multiple IPv6 addresses. By default, link-local addresses are automatically configured for each interface on each IPv6 host or router. To communicate with non-neighboring nodes, a host must also be configured with unicast site-local or global addresses. A host obtains these additional addresses either from router advertisements or by manual assignment. Use commands in the netsh interface ipv6 context to manually configure IPv6 addresses.
In IPv6, hosts and routers are typically assigned the following addresses:

Unicast addresses:
- A link-local address for each interface
- A site-local address for each interface
- One or more global addresses for each interface
- The loopback address for the loopback interface
Multicast addresses (to listen for multicast traffic):
- The interface-local scope all-nodes address (FF01::1)
- The link-local scope all-nodes address (FF02::1)
- The solicited node address for each unicast address on each interface
- The multicast address for each joined group on each interface

In addition, IPv6 routers also have the following addresses:

Multicast addresses:
- The interface-local scope all-routers address (FF01::2)
- The link-local scope all-routers address (FF02::2)
- The site-local scope all-routers address (FF05::2)

Anycast addresses:
- A subnet-router anycast address for each subnet
- Optional additional anycast addresses

Table 1.10 summarizes the major differences between IPv6 and IPv4 addresses.

Table 1.10 Differences Between IPv4 Addressing and IPv6 Addressing

| IPv4 Address | IPv6 Address |
| Internet address classes | N/A |
| Multicast addresses ( /4) | IPv6 multicast addresses (FF00::/8) |
| Broadcast addresses | N/A |
| Unspecified address is | Unspecified address is :: |
| Loopback address is | Loopback address is ::1 |
| Public IP addresses | Aggregatable global unicast addresses |
| Private IP addresses | Site-local addresses (FEC0::/48) |
| Autoconfigured addresses | Link-local addresses (FE80::/64) |
| Dotted decimal notation | Colon hexadecimal format |
| Subnet mask or prefix length notation | Prefix length notation only |
| A resource records | AAAA resource records |
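The multicast field layout of Table 1.9 and the solicited node address rule can be checked in a few lines of Python. This is an added example, not part of the original chapter; the function names are hypothetical, the numeric scope values come from the IPv6 addressing architecture RFC rather than from this chapter, and the link-local sample address is constructed.

```python
import ipaddress

# Scope values are taken from the IPv6 addressing architecture RFC (assumption:
# the chapter names the scopes but does not list their numeric values).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
          0x8: "organization-local", 0xE: "global"}
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("FF02::1:FF00:0"))  # /104 prefix


def parse_multicast(addr):
    """Split an IPv6 multicast address into the fields of Table 1.9."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 120 != 0xFF:                      # FF00::/8 check
        raise ValueError("%s is not a multicast address" % addr)
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    return {
        "transient": bool(flags & 0x1),           # T flag: 0 permanent, 1 transient
        "scope": SCOPES.get(scope, "other (0x%X)" % scope),
        "group_id": value & ((1 << 112) - 1),
    }


def solicited_node(unicast_addr):
    """FF02::1:FF00:0/104 combined with the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast_addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def listening_set(unicast_addrs, is_router=False):
    """Multicast groups a node listens on, per the lists above (joined groups omitted)."""
    groups = [ipaddress.IPv6Address(a) for a in ("FF01::1", "FF02::1")]
    if is_router:
        groups += [ipaddress.IPv6Address(a) for a in ("FF01::2", "FF02::2", "FF05::2")]
    groups += [solicited_node(a) for a in unicast_addrs]
    ordered = []
    for group in groups:                          # drop duplicates, keep order
        if group not in ordered:
            ordered.append(group)
    return [str(g) for g in ordered]


if __name__ == "__main__":
    # The site-local address is the chapter's AAAA example; the link-local one
    # is constructed with the same interface ID.
    host_addrs = ["FE80::2AA:FF:FE3F:2A1C", "FEC0::2AA:FF:FE3F:2A1C"]
    for group in listening_set(host_addrs):
        print(group, parse_multicast(group))
```

Both unicast addresses share their last 24 bits, so the host joins a single solicited node group for the two of them.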
Routing IPv6 Traffic over an IPv4 Infrastructure

An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today's predominantly IPv4 environment. To support this, IPv6 packets are automatically tunneled over IPv4 routing infrastructures, enabling IPv6 clients to communicate with each other by using 6to4 or ISATAP addresses and tunneling IPv6 packets across IPv4 networks. For information about automatic tunneling of IPv6 packets, see RFC 2893, "Transition Mechanisms for IPv6 Hosts and Routers."

Support for IPv6 automatic tunneling technologies in Windows XP and Windows Server 2003 includes:
- 6to4, to provide automatic intersite tunnels across the IPv4 Internet.
- ISATAP, to provide automatic intrasite tunnels.

A computer running Windows XP or Windows Server 2003 can automatically configure itself for 6to4 and ISATAP tunneling. The IPv6 Helper service, included with the IPv6 protocol for Windows XP and Windows Server 2003, provides support for 6to4 hosts and 6to4 routers. Use netsh interface IPv6 isatap context commands to configure the IPv6 Helper service. In addition, you can configure a computer running Windows XP or Windows Server 2003 as a 6to4 router by enabling the Internet Connection Sharing (ICS) feature on the interface that is connected to the Internet.

Both 6to4 and ISATAP encapsulate an IPv6 packet within an IPv4 header. However, they send the packet across an IPv4 infrastructure in different ways:
- 6to4 uses the IPv6 prefix. 6to4 uses a public IPv4 address to create the 64-bit subnet identifier portion for an IPv6 address. For example, becomes 2002:836B:4798::/48.
- ISATAP uses the IPv6 interface ID. ISATAP uses a locally assigned IPv4 address (public or private) to create a 64-bit interface identifier. For example, becomes ::0:5EFE:

In both cases, IPv4 addresses that are embedded in portions of the IPv6 address provide the information to determine the source and destination addresses in the encapsulating IPv4 header.
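The following Python sketch builds 6to4 prefixes and ISATAP addresses from IPv4 addresses and recovers the embedded IPv4 addresses again, which is also how tunneled traffic can be recognized in address logs. It is an added example, not part of the original chapter; the function names are hypothetical, the dotted IPv4 values are decoded from the hexadecimal forms printed in the chapter (836B:4798, 836B:8108, 9D36:1, 836B:1), and the 10.x host addresses are constructed.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix named in the text
ISATAP_MARK = 0x00005EFE                          # "0:5EFE", upper half of the interface ID


def make_6to4_prefix(public_v4):
    """Return the 6to4 /48 prefix for a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_v4)
    if not v4.is_global:
        raise ValueError("6to4 requires a public IPv4 address, got %s" % v4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def make_isatap(prefix64, v4):
    """Return the ISATAP address for a 64-bit prefix and any IPv4 address."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP interface ID needs a 64-bit prefix")
    interface_id = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def embedded_ipv4(addr):
    """Extract the IPv4 addresses carried in a 6to4 prefix and/or ISATAP interface ID."""
    ip = ipaddress.IPv6Address(str(addr))
    value = int(ip)
    found = {"6to4": None, "isatap": None}
    if ip in SIX_TO_FOUR:                         # bits 16..47 hold the router's IPv4 address
        found["6to4"] = ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    if (value >> 32) & 0xFFFFFFFF == ISATAP_MARK: # last 32 bits hold the host's IPv4 address
        found["isatap"] = ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return found


def outer_ipv4_header(src6, dst6, tunnel):
    """Source and destination of the encapsulating IPv4 header for one tunnel type."""
    src = embedded_ipv4(src6)[tunnel]
    dst = embedded_ipv4(dst6)[tunnel]
    if src is None or dst is None:
        raise ValueError("both addresses must be %s addresses" % tunnel)
    return str(src), str(dst)


if __name__ == "__main__":
    print(make_6to4_prefix("131.107.71.152"))             # 2002:836b:4798::/48
    print(make_isatap("FE80::/64", "131.107.129.8"))      # fe80::5efe:836b:8108
    # Hosts in the style of Figure 1.18: 6to4 prefix plus ISATAP interface ID.
    host_a = make_isatap("2002:9D36:1:2::/64", "10.40.1.29")   # constructed host IPv4
    host_b = make_isatap("2002:836B:1:2::/64", "10.80.7.3")    # constructed host IPv4
    print(host_a, embedded_ipv4(host_a))
    print(outer_ipv4_header(host_a, host_b, "6to4"))      # router-to-router stage
```

The ISATAP check matches only the 0:5EFE form of the interface identifier that this chapter describes.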
By deploying 6to4 or ISATAP, you can integrate IPv6 traffic into your IPv4 network environment. Understanding examples of each automatic tunneling technology can help you decide whether to deploy 6to4, ISATAP, or both as you introduce IPv6 on your network.

Note: For an introduction to IPv6, including information about router-to-router, host-to-router, router-to-host, and host-to-host tunneling configurations that underlie 6to4 and ISATAP tunneling, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at ).

Using 6to4 for IPv6 Traffic Between Subnets or Between Sites

6to4 is an address assignment and router-to-router automatic tunneling technology that is described in RFC 3056, "Connection of IPv6 Domains via IPv4 Clouds." To facilitate the introduction of IPv6 in current IPv4 environments, IPv6 is designed so that you can use 6to4 to handle traffic between IPv6 nodes without obtaining an IPv6 global address prefix from an IPv6 ISP, and without a direct connection to the IPv6 Internet.

Figure 1.16 shows one way to use 6to4 to handle the following types of traffic:
- Direct 6to4 host communication within a site (no tunnel). A 6to4 host can communicate directly with another 6to4 host within the same site. A 6to4 host is an IPv6 host that is configured with at least one 6to4 address (a global address with the 2002::/16 prefix). Host A and Host B in Figure 1.16 use the local 6to4 router to communicate with each other.
- Tunnel across the IPv4 Internet by using a 6to4 router. A 6to4 host can communicate with a non-local 6to4 host by using a tunnel from a local 6to4 router across an IPv4 network (such as the Internet) to a 6to4 router at the destination site. The first 6to4 router encapsulates the packet in an IPv4 header; the receiving 6to4 router removes the IPv4 header and then forwards the IPv6 packet to the destination 6to4 host.
During the first and last stages of the packet's transmission (from the sending 6to4 host to its 6to4 router, and from the recipient 6to4 router to the destination 6to4 host), the IPv6 routing infrastructure in place at each site is used. In Figure 1.16, 6to4 Host A (or 6to4 Host B) sends its packet to 6to4 Router 1, which tunnels it across the IPv4 Internet to 6to4 Router 2, which then forwards the packet to 6to4 Host C.
- Tunnel across the IPv4 Internet to the IPv6 Internet by using a 6to4 router and a 6to4 relay. A 6to4 host on an IPv4 network can communicate with an IPv6-only host on the IPv6 Internet by using a tunnel from a local 6to4 router across the IPv4 Internet to a 6to4 relay that then forwards the packet across the IPv6 Internet to the recipient IPv6-only host. In this case, it is the 6to4 relay that removes the IPv4 header and forwards the IPv6 packet to the recipient IPv6-only host. In Figure 1.16, Host A (or Host B) sends its packet to 6to4 Router 1, which tunnels it across the IPv4 Internet to the 6to4 relay, which then forwards the packet to 6to4 Host D.

Figure 1.16 Using 6to4 to Route IPv6 Packets
[Figure: Site 1 with 6to4 Host A, 6to4 Host B, and 6to4 Router 1 (all IPv6/IPv4); 6to4 tunnels across the IPv4 Internet to 6to4 Router 2 (IPv6/IPv4, XP/ICS) at Site 2 with 6to4 Host C, and to the 6to4 relay router (IPv6/IPv4) on the IPv6 Internet with IPv6-only Host D.]
In Figure 1.16, 6to4 Router 2 represents a computer running Windows XP with ICS enabled. The private interface of the ICS computer connects to a single-subnet intranet, and the ICS computer's public interface connects to the IPv4 Internet. The private interface of an ICS computer always uses the private IPv4 address

Using ISATAP for IPv6 Traffic Between Subnets

Intrasite Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and automatic tunneling technology that is described in the Internet Draft "Intrasite Automatic Tunnel Addressing Protocol (ISATAP)." ISATAP enables unicast communication between IPv6/IPv4 nodes in an IPv4 intranet. ISATAP derives an interface identifier (the last 64 bits of an IPv6 address) from any IPv4 address assigned to the node, either public or private. The ISATAP address format supports configuration of global addresses (including 6to4), site-local addresses, and link-local addresses.

Figure 1.17 shows two IPv6/IPv4 hosts communicating over an IPv4 network by using each other's automatically configured link-local ISATAP address.

Figure 1.17 Using Link-Local ISATAP Addresses to Route IPv6 Packets on an IPv4 Network
[Figure: two ISATAP hosts, each labeled with an IPv6 address beginning FE80::5EFE: and an IPv4 address, connected through an IPv4 infrastructure.]
IPv6/IPv4 hosts can also communicate with non-local IPv6/IPv4 hosts by using ISATAP-derived global addresses, and by using an ISATAP router to tunnel packets through an IPv4 infrastructure.

Under the IPv6 protocol that Windows XP and Windows Server 2003 support, you can use either of the following methods to configure the intranet IPv4 address of an ISATAP router:
- Name resolution (preferred). For computers running Windows XP (SP1 or later) or Windows Server 2003, automatic resolution of the name ISATAP to an IPv4 address. To ensure successful name resolution, name the computer used as the ISATAP router ISATAP. A computer running Windows XP or Windows Server 2003 then automatically registers the appropriate records in DNS and WINS. For computers running Windows XP (earlier than SP1), the name resolved is _ISATAP.
- Netsh commands for Interface IPv6. Manual configuration by using commands in the Netsh Interface IPv6 context.

An ISATAP host sends an IPv4-encapsulated Router Solicitation message to a configured ISATAP router. The ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message that contains prefixes for use in autoconfiguring ISATAP-based addresses. This additional configuration is needed only when the host's subnet does not contain an IPv6 router.

The example in Figure 1.18 shows how two ISATAP hosts that use 6to4 prefixes can communicate across the Internet even though each site is using the /16 private address space.
Figure 1.18 Using 6to4 and ISATAP to Route IPv6 Packets Across the IPv4 Internet
[Figure: ISATAP Host A (2002:9D36:1:2:0:5EFE: ) at Site A reaches 6to4/ISATAP Router A through an ISATAP tunnel over the site's IPv4 infrastructure; a 6to4 tunnel crosses the Internet to 6to4/ISATAP Router B; an ISATAP tunnel over the Site B IPv4 infrastructure reaches ISATAP Host B (2002:836B:1:2:0:5EFE: ).]

Note: Hosts running Windows XP or Windows Server 2003 determine whether to use 6to4, ISATAP, or both depending on their IPv4 configuration.
Configuring DNS for IPv6/IPv4 Coexistence

Through DNS dynamic update, DNS client computers register and dynamically update their resource records with a DNS server whenever an IP address changes. This reduces the need to manually administer zone files, especially for clients that frequently move or change locations and that use DHCP to obtain an IP address.

In an IPv4 environment, by default the DNS Client service on computers running Windows 2000, Windows XP, or Windows Server 2003 dynamically updates host (A) resource records (RRs) in DNS. If all hosts on your network run those operating systems, DNS dynamic updates are automatic. However, on hosts that do not support dynamic update, you must either enable dynamic update or manually add or update their DNS records. The same is true on a network to which IPv6 has been introduced: hosts that do not support dynamic update must have dynamic update enabled or must have DNS records added manually.

IPv6 has the additional requirement that IPv6 nodes use a new type of address resource record, known as AAAA (quad-A) resource records, to resolve a fully qualified domain name to an IPv6 address. (Four A's are used for the name of these resource records because 128-bit IPv6 addresses are four times as large as 32-bit IPv4 addresses.) Systems that support IPv6 use the same domain names as the domain names used in IPv4 but have both IPv6 and IPv4 addresses registered in DNS.

The DNS Server service in Windows Server 2003 and Windows 2000 supports processing for DNS IPv6 host records as defined in RFC 1886, "DNS Extensions to Support IP Version 6." An IPv6 host sends DNS name queries to the DNS server to resolve host names to IPv6 addresses. The AAAA resource records stored on the DNS server provide the mapping from a host name to its IPv6 address.

DNS traffic is also supported over IPv6 for both client and server. The client and server are configured for IPv6 over DNS using anycast or unicast DNS server IP addresses.
For more information, see "IPv6 configuration items" in Help and Support Center for Windows Server 2003.

Because IPv6 addresses are too long to remember easily, you can populate your DNS servers with IPv6 address resource records to support IPv6 name-to-address resolutions and optionally with pointer resource records to support IPv6 address-to-name resolutions:

Address Resource Records. To successfully resolve names to addresses, the DNS infrastructure must contain the following resource records, populated either manually or dynamically:
- A resource records for the IPv4 addresses of IPv4 nodes.
- AAAA resource records for the IPv6 addresses of IPv6 nodes.

The following is an example of a AAAA resource record:

host1.microsoft.com IN AAAA FEC0::2AA:FF:FE3F:2A1C
Pointer (PTR) Resource Records (optional; not recommended). The DNS infrastructure can also contain the following resource records, populated either manually or dynamically, to resolve addresses to host names in reverse queries:
- PTR records in the IN-ADDR.ARPA domain for the IPv4 addresses of IPv4 nodes.
- PTR records in the IP6.ARPA domain for the IPv6 addresses of IPv6 nodes. (Recall that RFC 3152 specifies that IP6.INT be phased out and replaced by IP6.ARPA.)

The IP6.INT domain was created specifically for IPv6 reverse queries. To create the namespace for reverse queries, each hexadecimal digit in the 32-digit IPv6 address (zero compression and double-colon compression notation cannot be used) becomes a separate level in inverse order in the reverse domain hierarchy. Therefore, the reverse lookup domain name for the address FEC0::2AA:FF:FE3F:2A1C is:

C.1.A.2.F.3.E.F.F.F.0.0.A.A C.E.F.IP6.INT

Avoid integrating PTR resource record support into your DNS infrastructure; the results can be unreliable.

For name-to-address resolution, after the querying node obtains the set of addresses corresponding to the name, that node must determine the best set of addresses to use as the source and destination for outbound packets. While name-to-address resolution is fairly straightforward in an IPv4-only environment, it becomes more complex in an environment in which IPv4 and IPv6 coexist. In the mixed IPv6/IPv4 scenario, a DNS query can return both IPv4 and IPv6 addresses. The querying host is configured with at least one IPv4 address and, typically, multiple IPv6 addresses. Determining the type of address (IPv4 versus IPv6), and then the scope of the address (for IPv4, public versus private; for IPv6, link-local versus site-local versus global versus coexistence), for both the source and the destination addresses is complex.

Two algorithms, one to select the source address and another to select the destination address, specify default behavior for IPv6 implementations.
These algorithms do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms include an optional mechanism that lets you override the default behavior. In dual-stack implementations, the destination address selection algorithm considers both IPv4 and IPv6 addresses, and determines whether it prefers IPv6 addresses over IPv4 addresses, or vice-versa.

For more information about default address selection rules for IPv6, including the source address selection algorithm and the destination address selection algorithm, see the Internet Draft "Default Address Selection for IPv6."

For an introduction to IPv6 and more information about Windows Server 2003 IPv6, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at ), or see the IPv6 link on the Web Resources page at
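The record formats described in this section can be generated mechanically, which is useful when auditing a zone for dual-stack hosts. The following Python sketch is an added example, not part of the original chapter; the function names are hypothetical, the IPv6 address and host name are the chapter's own AAAA example, and the IPv4 address 192.0.2.10 is constructed from the documentation range.

```python
import ipaddress


def reverse_owner(addr, v6_zone="IP6.ARPA"):
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".IN-ADDR.ARPA"
    # Expand to all 32 hexadecimal digits (no zero or double-colon compression),
    # then list one digit per label in inverse order.
    nibbles = "%032X" % int(ip)
    return ".".join(reversed(nibbles)) + "." + v6_zone


def records_for(fqdn, addresses, with_ptr=False):
    """Zone-file style lines: A/AAAA for each address, PTR only on request."""
    lines = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append("%s IN %s %s" % (fqdn, rtype, str(ip).upper()))
        if with_ptr:                      # the chapter treats PTR records as optional
            lines.append("%s IN PTR %s." % (reverse_owner(ip), fqdn))
    return lines


if __name__ == "__main__":
    sample = ["192.0.2.10", "FEC0::2AA:FF:FE3F:2A1C"]   # IPv4 value is constructed
    for line in records_for("host1.microsoft.com", sample, with_ptr=True):
        print(line)
    # The older IP6.INT form differs only in the zone suffix.
    print(reverse_owner("FEC0::2AA:FF:FE3F:2A1C", v6_zone="IP6.INT"))
```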
Enabling IPv4 Applications for IPv6

You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. The primary purpose of the service is to allow IPv6 nodes to communicate with IPv4 TCP applications.

PortProxy relays TCP traffic from IPv4 to either IPv4 or IPv6, or from IPv6 to either IPv6 or IPv4. In the context of IPv6/IPv4 coexistence or migration, use the PortProxy service to enable any of the following scenarios:
- An IPv6 node accessing an IPv4-only application that is running on an IPv4 node.
- An IPv4-only node accessing an IPv6-only node.
- An IPv6-only node accessing an IPv4-only node.

The Netsh commands for Interface Portproxy provide a command-line tool for administering servers that act as proxies between IPv4 and IPv6 networks and applications. For more information about how to use the Netsh Interface PortProxy commands, see the Netsh command-line help, or see "Netsh commands for Interface Port Proxy" in Help and Support Center for Windows Server 2003.

Note: The PortProxy service transmits only TCP traffic for application-layer protocols that do not embed address or port information in the TCP segment. For example, the File Transfer Protocol (FTP), which embeds addresses when using the FTP Port command, does not work across a PortProxy computer. Unlike NAT, the PortProxy service does not include an equivalent to NAT editors.

Testing Your Design

After acquiring any new hardware and software that your network design requires, systematically measure the new solution against your organization's business and technical goals. Testing your design before deploying it in a production environment ensures that those goals are met with minimum impact.
Predeployment testing lets you assess the performance characteristics of network devices and technologies. Testing also helps you identify deployment-related risks, and instills confidence in the deployment process throughout your organization.
Figure 1.19 shows the process for testing a TCP/IP network design.

Figure 1.19 Testing Your Network Design
[Figure: process flowchart with the steps Plan IP-based infrastructure; Develop routing strategies; Design IP addressing scheme; Plan IP configuration strategy; Plan security; Improve availability; Plan IP multicasting; Introduce IPv6 on your network; Test your design (Review industry tests, Use network testing tools).]
Reviewing Industry Tests

Vendors, trade journals, and independent test labs extensively test devices and other network solutions. You might find their published results useful for validating or rejecting assumptions. Keep in mind that most lab tests are component tests rather than system tests and can fail to measure how a particular network design might impact the performance of the specific device or technology.

Using Network Testing Tools

Use the following types of tools to test your network design:
- Modeling and simulation tools
- Network management and monitoring tools

Modeling and simulation tools

Use statistical analysis and modeling techniques to simulate a mathematical model of a network. By creating a model, you can isolate potential performance problems before you actually deploy any part of an IP network. In most cases, these tools do not measure actual traffic behavior, so evaluate the results with this limitation in mind.

Network management and monitoring tools

Typically, you use network management and monitoring tools after deploying a network. However, these tools can also help you test your IP network design in a lab. You can use a number of effective commercially available network management applications to identify problems and potential problems on your test network. Many of these applications run on dedicated network management stations (NMSs) and communicate with internetworking devices using Simple Network Management Protocol (SNMP) or Remote Monitoring (RMON). By using data supplied by an SNMP or RMON Management Information Base (MIB) located on the devices, a network management application can isolate performance problems in a proposed network design.

Windows Server 2003 includes the Network Monitor tool (Netmon.exe), a protocol analyzer that you can use to monitor a new network design. Network Monitor captures and displays packets, analyzing their traffic patterns, rate of broadcast, errors, utilization, and other aspects of their behavior.
The Network Monitor component that ships with Windows Server 2003 can capture frames that are sent to or from the computer on which Network Monitor is installed. To capture frames that are sent to or from a remote computer, you can use the Network Monitor component that ships with Microsoft Systems Management Server (SMS), which can capture frames sent to or from any computer on which the Network Monitor driver is installed.

For more information about the Network Monitor component, see Help and Support Center for Windows Server 2003. For more information about the SMS Network Monitor component, see the SMS Downloads link on the Web Resources page at
Additional Resources

These resources contain additional information related to this chapter.

Related Information
- "Deploying IPSec" in this book for more information about using Internet Protocol security (IPSec).
- "Deploying ISA Server" in this book for more information about deploying Network Address Translation (NAT).
- The Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at ) for more information about TCP/IP, IPSec, and IPv6 in Windows Server 2003.
- The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at ) for technical information about unicast IP routing, including the NAT routing protocol component of the Routing and Remote Access service.
- "Planning for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit for more information about inventorying your network hardware and software and creating a map of your network topology.
- Cisco Internetwork Design by Matthew Birkner, 2000, Indianapolis, IN: Cisco Press for more information about the three-tier network design model.
- Top-Down Network Design by Priscilla Oppenheimer, 1999, Indianapolis, IN: Cisco Press/Macmillan Technical Publishing for more information about the three-tier network design model.
- Understanding IPv6 by Joseph Davies, 2002, Redmond, WA: Microsoft Press.
- Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference by Joseph Davies and Thomas Lee, 2002, Redmond, WA: Microsoft Press.
- Routing in the Internet (2nd Edition) by Christian Huitema, 2000, Upper Saddle River, NJ: Prentice Hall PTR.
- Interconnections (2nd Edition) by Radia Perlman, 2000, Reading, MA: Addison-Wesley.
Related Tools
- Netsh commands for Interface IPv6. You can use the Netsh commands for Interface IPv6 to manage configuration of the IPv6 protocol. For more information about how to use the Netsh commands for Interface IPv6, see the Netsh command-line help or see "Netsh commands for Interface IPv6" in the Help and Support Center for Windows Server 2003.
- Netsh commands for Interface Portproxy. The Netsh commands for Interface Portproxy provide a command-line tool for administering servers that act as proxies between IPv4 and IPv6 networks and applications. For more information about how to use the Netsh Interface PortProxy commands, see the Netsh command-line help or see "Netsh commands for Interface PortProxy" in Help and Support Center for Windows Server 2003.
- Ipsec6.exe. For experimenting with IPSec for IPv6, you can use the Ipsec6 tool to configure IPSec policies and security associations in an IPv6 environment. For more information about Ipsec6, see "IPv6 Utilities" in Help and Support Center for Windows Server 2003.
- Network Monitor (Netmon.exe). The Network Monitor tool (Netmon.exe) is a protocol analyzer that you can use to monitor a new network design. For more information about Netmon.exe, see "Network Monitor" in Help and Support Center for Windows Server 2003.

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only checkbox.
- "Using Multicast Scopes" in Help and Support Center for Windows Server 2003.
- "Netsh commands for Interface PortProxy" in Help and Support Center for Windows Server 2003.
Standard. 8029HEPTA DataCenter. Because every fraction of a second counts. network synchronization requiring minimum space. hopf Elektronik GmbH
8029HEPTA DataCenter Standard Becase every fraction of a second conts network synchronization reqiring minimm space hopf Elektronik GmbH Nottebohmstraße 41 58511 Lüdenscheid Germany Phone: +49 (0)2351
BIS - Overview and basic package V4.0
Engineered Soltions BIS - Overview and basic package V4.0 BIS - Overview and basic package V4.0 www.boschsecrity.com Complete enterprise management for efficient, integrated bilding and secrity management
Advanced IP Addressing
Advanced IP Addressing CS-765 A Aspects Of Systems Administration Spring-2005 Instructure: Jan Schauman Stevens Institute Of Technology, NJ. Prepared By: Modh, Jay A. M.S. NIS SID: 999-14-0352 Date: 05/02/2005
GUIDELINE. Guideline for the Selection of Engineering Services
GUIDELINE Gideline for the Selection of Engineering Services 1998 Mission Statement: To govern the engineering profession while enhancing engineering practice and enhancing engineering cltre Pblished by
Internetworking and IP Address
Lecture 8 Internetworking and IP Address Motivation of Internetworking Internet Architecture and Router Internet TCP/IP Reference Model and Protocols IP Addresses - Binary and Dotted Decimal IP Address
Analog Telephones. User Guide. BusinessPhone Communication Platform
Analog Telephones BsinessPhone Commnication Platform User Gide Cover Page Graphic Place the graphic directly on the page, do not care abot ptting it in the text flow. Select Graphics > Properties and make
2. IP Networks, IP Hosts and IP Ports
1. Introduction to IP... 1 2. IP Networks, IP Hosts and IP Ports... 1 3. IP Packet Structure... 2 4. IP Address Structure... 2 Network Portion... 2 Host Portion... 3 Global vs. Private IP Addresses...3
Position paper smart city. economics. a multi-sided approach to financing the smart city. Your business technologists.
Position paper smart city economics a mlti-sided approach to financing the smart city Yor bsiness technologists. Powering progress From idea to reality The hman race is becoming increasingly rbanised so
A Novel QR Code and mobile phone based Authentication protocol via Bluetooth Sha Liu *1, Shuhua Zhu 2
International Conference on Materials Engineering and Information Technology Applications (MEITA 2015) A Novel QR Code and mobile phone based Athentication protocol via Bletooth Sha Li *1, Shha Zh 2 *1
EMC Data Domain Operating System
EMC Data Domain Operating System Version 5.4 Administration Gide 302-000-072 REV. 06 Copyright 2009-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished September, 2014 EMC believes the
CRM Customer Relationship Management. Customer Relationship Management
CRM Cstomer Relationship Management Kenneth W. Thorson Tax Commissioner Virginia Department of Taxation Discssion Areas TAX/AMS Partnership Project Backgrond Cstomer Relationship Management Secre Messaging
Galvin s All Things Enterprise
Galvin s All Things Enterprise The State of the Clod, Part 2 PETER BAER GALVIN Peter Baer Galvin is the CTO for Corporate Technologies, a premier systems integrator and VAR (www.cptech. com). Before that,
9 Setting a Course: Goals for the Help Desk
IT Help Desk in Higher Edcation ECAR Research Stdy 8, 2007 9 Setting a Corse: Goals for the Help Desk First say to yorself what yo wold be; and then do what yo have to do. Epictets Key Findings Majorities
B5512 Control Panel. Intrusion Alarm Systems B5512 Control Panel. www.boschsecurity.com
Intrsion Alarm Systems B5512 Control Panel B5512 Control Panel www.boschsecrity.com Spports p to 48 points sing a combination of hardwired or wireless points for installation flexibility and p to 4 areas
VRM Video Recording Manager
Video VRM Video Recording Manager VRM Video Recording Manager www.boschsecrity.com Distribted storage and configrable load balancing iscsi disk array failover for extra reliability Used with all Bosch
Router and Routing Basics
Router and Routing Basics Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1 Routing Protocols and Concepts CCNA2 Routing and packet forwarding Static routing Dynamic
Kentucky Deferred Compensation (KDC) Program Summary
Kentcky Deferred Compensation (KDC) Program Smmary Smmary and Highlights of the Kentcky Deferred Compensation (KDC) Program Simple. Smart. For yo. For life. 457 Plan 401(k) Plan Roth 401(k) Deemed Roth
Isilon OneFS. Version 7.1. Web Administration Guide
Isilon OneFS Version 7.1 Web Administration Gide Copyright 2001-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished March, 2014 EMC believes the information in this pblication is accrate
EMC PowerPath/VE Installation and Administration Guide
EMC PowerPath/VE Installation and Administration Gide Version 5.9 and Minor Releases for VMware vsphere P/N 302-000-236 REV 03 Copyright 2009-2014. All rights reserved. Pblished in USA. EMC believes the
Chapter 2 TCP/IP Networking Basics
Chapter 2 TCP/IP Networking Basics A network in your home or small business uses the same type of TCP/IP networking that is used for the Internet. This manual provides an overview of IP (Internet Protocol)
Chapter 12 Supporting Network Address Translation (NAT)
[Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information
Objectives. Upon completing this chapter, you will be able to
1358_fmi.book Page 30 Thursday, May 27, 2004 2:21 PM Objectives Upon completing this chapter, you will be able to Create and configure IPv4 addresses Understand and resolve IP addressing crises Assign a
Facilities. Car Parking and Permit Allocation Policy
Facilities Car Parking and Permit Allocation Policy Facilities Car Parking and Permit Allocation Policy Contents Page 1 Introdction....................................................2 2.0 Application
CCNA Tutorial Series SUBNETTING
CCNA Tutorial Series This document contains the Course Map For The Interactive flash tutorial at: http://www.semsim.com/ccna/tutorial/subnetting/subnetting.html HOME PAGE Course Objectives Pre-test By
Transport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
Chapter 19 Network Layer: Logical Addressing 19.1
Chapter 19 Network Layer: Logical Addressing 19.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 19-1 IPv4 ADDRESSES An IPv4 address is a 32-bit address that
Using GPU to Compute Options and Derivatives
Introdction Algorithmic Trading has created an increasing demand for high performance compting soltions within financial organizations. The actors of portfolio management and ris assessment have the obligation
NAPA TRAINING PROGRAMS FOR:
NAPA TRAINING PROGRAMS FOR: Employees Otside Sales Store Managers Store Owners See NEW ecatalog Inside O V E R V I E W 2010_StoreTrainingBrochre_SinglePg.indd 1 5/25/10 12:39:32 PM Welcome 2010 Store Training
PART IV. Network Layer
PART IV Network Layer Position of network layer Network layer duties Internetworking : heterogeneous Physical Networks To look Like a single network to he upper layers The address at Network layer must
FINANCIAL FITNESS SELECTING A CREDIT CARD. Fact Sheet
FINANCIAL FITNESS Fact Sheet Janary 1998 FL/FF-02 SELECTING A CREDIT CARD Liz Gorham, Ph.D., AFC Assistant Professor and Family Resorce Management Specialist, Utah State University Marsha A. Goetting,
7 Help Desk Tools. Key Findings. The Automated Help Desk
7 Help Desk Tools Or Age of Anxiety is, in great part, the reslt of trying to do today s jobs with yesterday s tools. Marshall McLhan Key Findings Help desk atomation featres are common and are sally part
Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
The Good Governance Standard for Public Services
The Good Governance Standard for Pblic Services The Independent Commission on Good Governance in Pblic Services Good Governance Standard for Pblic Services OPM and CIPFA, 2004 OPM (Office for Pblic Management
Executive Coaching to Activate the Renegade Leader Within. Renegades Do What Others Won t To Get the Results that Others Don t
Exective Coaching to Activate the Renegade Leader Within Renegades Do What Others Won t To Get the Reslts that Others Don t Introdction Renegade Leaders are a niqe breed of leaders. The Renegade Leader
COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking
COURSE AGENDA CCNA & CCNP - Online Course Agenda Lessons - CCNA Lesson 1: Internetworking Internetworking models OSI Model Discuss the OSI Reference Model and its layers Purpose and function of different
Closer Look at ACOs. Making the Most of Accountable Care Organizations (ACOs): What Advocates Need to Know
Closer Look at ACOs A series of briefs designed to help advocates nderstand the basics of Accontable Care Organizations (ACOs) and their potential for improving patient care. From Families USA Updated
The Good Governance Standard for Public Services
The Good Governance Standard for Pblic Services The Independent Commission for Good Governance in Pblic Services The Independent Commission for Good Governance in Pblic Services, chaired by Sir Alan Langlands,
Routing with OSPF. Introduction
Routing with OSPF Introduction The capabilities of an internet are largely determined by its routing protocol. An internet's scalability, its ability to quickly route around failures, and the consumption
Motorola Reinvents its Supplier Negotiation Process Using Emptoris and Saves $600 Million. An Emptoris Case Study. Emptoris, Inc. www.emptoris.
Motorola Reinvents its Spplier Negotiation Process Using Emptoris and Saves $600 Million An Emptoris Case Stdy Emptoris, Inc. www.emptoris.com VIII-03/3/05 Exective Smmary With the disastros telecommnication
IP Addressing Introductory material.
IP Addressing Introductory material. A module devoted to IP addresses. Addresses & Names Hardware (Layer 2) Lowest level Ethernet (MAC), Serial point-to-point,.. Network (Layer 3) IP IPX, SNA, others Transport
Bosch Video Management System Software v3
Video Bosch Video Management System Software v3 Bosch Video Management System Software v3 www.boschsecrity.com Enterprise-class Client/Server based video management system System-wide ser management, alarm
Lab 10.4.1 IP Addressing Overview
Lab 10.4.1 IP ing Overview Estimated time: 30 min. Objectives: Background: This lab will focus on your ability to accomplish the following tasks: Name the five different classes of IP addresses Describe
Routing in Small Networks. Internet Routing Overview. Agenda. Routing in Large Networks
Routing in Small Networks Internet Routing Overview AS, IGP,, BGP in small networks distance vector or link state protocols like RIP or OSPF can be used for dynamic routing it is possible that every router
Network and Host Addresses 1.3. 2003, Cisco Systems, Inc. All rights reserved. INTRO v1.0a 6-4
IP Addressing To facilitate the routing of packets over a network, the TCP/IP protocol suite uses a 32-bit logical address known as an IP address. This topic introduces the components of an IP address.
