Designing a TCP/IP Network

Transcription

1 C H A P T E R 1 Designing a TCP/IP Network The TCP/IP protocol site defines indstry standard networking protocols for data networks, inclding the Internet. Determining the best design and implementation of yor TCP/IP network ensres optimal reliability, availability, scalability, secrity, and performance for yor enterprise. Yo can also start to explore the next generation of the Internet layer protocol of the TCP/IP protocol site IP version 6 (IPv6) by introdcing Microsoft Windows Server 2003 IPv6 into part of yor IPv4 network. In This Chapter Overview of Designing a TCP/IP Network...5 Planning the IP-Based Infrastrctre...8 Developing Roting Strategies Designing an IP Addressing Scheme Planning an IP Configration Strategy Planning Secrity Improving Availability Planning IP Mlticasting Introdcing IPv6 on Yor Network Testing Yor Design Additional Resorces Related Information For more information abot IP configration strategies sing Dynamic Host Configration Protocol (DHCP), see Deploying DHCP in this book. For more information abot sing Domain Name System (DNS) for name resoltion, see Deploying DNS in this book. For more information abot sing Windows Internet Name Service (WINS) for name resoltion in networks that spport clients rnning Microsoft Windows NT, see DeployingWINS in this book.

2 4 Chapter 1 Designing a TCP/IP Network Overview of Designing a TCP/IP Network Designing yor IP deployment incldes deciding how yo want to implement IP in a new environment, or for most organizations examining yor existing infrastrctre and deciding what to change. Windows Server 2003 TCP/IP, the most widely sed networking protocol, can connect different types of systems, provide a framework for client/server applications, and give sers access to the Internet. TCP/IP is inclded in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition operating systems. Before yo start the TCP/IP design process, inventory yor hardware and software and create or pdate a map of yor network topology. Preparing an inventory and network map can save time and help yo focs on the design decisions yo want to address. After yo review yor existing network, yo might pgrade several servers to Windows Server 2003 in order to take advantage of end-to-end spport for TCP/IP, or yo might decide to redesign yor entire network to improve its efficiency and prepare for the ftre of IP networking. Determine which design tasks are relevant to yor environment, and then decide what changes yo want to make to yor network. For more information abot creating a hardware and software inventory and a network topology map, see Planning for Deployment in Planning, Testing, and Piloting Deployment Projects of this kit. To start the TCP/IP design process, yo mst make a nmber of design decisions abot yor network infrastrctre. For enterprise-wide scalability, yo might decide to plan yor IP infrastrctre based on a hierarchical network design model. Yo mst also choose between hardware and software-based roters, and decide where to se static roting or dynamic roting protocols. Yo mst careflly design a strctred model for IP address assignment that fits yor crrent networking environment and that accommodates expected growth. Yor model can se either pblic or private addresses, or yo can se a combination of pblic and private addresses. In addition, consider secrity isses for an IP network, inclding where best to se Internet Protocol secrity (IPSec) and which options are appropriate for secring yor perimeter network. For higher availability and load balancing, yo can inclde redndancy in yor network design. Decide whether yo need to se technology enhancements sch as IP mlticast to optimize server workload and network bandwidth. Yo might start deploying IPv6 on certain network servers or clients, and, if so, decide how yo want to implement IPv6/IPv4 coexistence. After yo develop yor network design, yo can se the remaining chapters in this book as a gide for deploying core featres, sch as DHCP, DNS, and WINS, as well as optional technologies, sch as spport for mobile or home sers, connecting remote sites, or deploying wireless soltions.

3 Overview of Designing a TCP/IP Network 5 Process for Designing a TCP/IP Network Figre 1.1 shows the design stages involved in deploying TCP/IP. Althogh the figre lists the stages seqentially, yo mst consider each topic in relation to the others rather than as a linear step-by-step process. Figre 1.1 Designing a TCP/IP Network Plan the IP-based infrastrctre Develop roting strategies Design IP addressing scheme Plan IP configration strategy Plan secrity Improve availability Plan IP mlticasting Introdce IPv6 on yor network Test yor design

4 6 Chapter 1 Designing a TCP/IP Network Windows Server 2003 TCP/IP Backgrond Windows Server 2003 TCP/IP enables enterprise networking and connectivity on compters rnning Windows Server 2003, Microsoft Windows XP, Windows 2000, Windows NT, Windows Millennim Edition, Windows 98, and Windows 95. Benefits of Windows Server 2003 TCP/IP Using TCP/IP in a Windows Server 2003 configration offers the following advantages: Enables the most widely sed network protocol. Windows Server 2003 TCP/IP is a complete, standards-based implementation of the most widely accepted networking protocol in the world. IP is rotable, scalable, and efficient. IP forms the basis for the Internet, and it is also sed as the primary network technology on most major enterprise networks in prodction today. Yo can configre compters rnning Windows Server 2003 with TCP/IP to perform nearly any role that a networked compter reqires. Connects dissimilar systems. Althogh all modern networking operating systems offer TCP/IP spport, Windows Server 2003 TCP/IP provides the best platform for connecting Windows based systems to earlier Windows systems and to non-windows systems. Most standard connectivity tilities are available in Windows Server 2003 TCP/IP, inclding the File Transfer Protocol (FTP) program, the Line Printer (LPR) program, and Telnet, a terminal emlation protocol. Provides client/server framework. Windows Server 2003 TCP/IP provides a crossplatform client/server framework that is robst, scalable, and secre. Windows Server 2003 TCP/IP offers the Windows Sockets programming interface, which is ideal for developing client/server applications that can rn on Windows Sockets compliant TCP/IP protocol implementations from other vendors. Provides access to the Internet. Windows Server 2003 TCP/IP can provide sers with a method of gaining access to the Internet. A compter rnning Windows Server 2003 can be configred to serve as an Internet Web site, it can fnction in a variety of other roles as an Internet client or server, and it can se nearly all of the Internet-related software available today.

5 Planning the IP-Based Infrastrctre 7 Planning the IP-Based Infrastrctre To create or expand an enterprise network, yo can choose from many design models, inclding a network infrastrctre model based on the three-tier design model. This model, a hierarchical network design model described by Cisco Systems, Inc. and other networking vendors, is widely sed as a reference in the design of enterprise networks. Figre 1.2 shows the tasks involved in creating a three-tier TCP/IP infrastrctre. Figre 1.2 Planning the IP-Based Infrastrctre Plan IP-based infrastrctre Develop roting strategies Design IP addressing scheme Design access tier Design distribtion tier Design core tier Plan IP configration strategy Plan secrity Improve availability Plan IP mlticasting Introdce IPv6 on yor network Test yor design

6 8 Chapter 1 Designing a TCP/IP Network The modlar natre of a hierarchical model sch as the three-tier model can simplify deployment, capacity planning, and trobleshooting in a large internetwork. In this design model, the tiers represent the logical layers of fnctionality within the network. In some cases, network devices serve only one fnction; in other cases, the same device may fnction within two or more tiers. The three tiers of this hierarchical model are referred to as the core, distribtion, and access tiers. Figre 1.3 illstrates the relationship between network devices operating within each tier. Figre 1.3 Three-Tier Network Design Model Core Tier High-speed switching Distribtion Tier Policy-based connectivity Access Tier Local and remote workgrop access Designing the Access Tier The access tier is the layer in which sers connect to the rest of the network, inclding individal workstations and workgrop servers. The access tier sally incldes a relatively large nmber of low- to medim-speed access ports, whereas the distribtion and core tiers sally contain fewer, bt higher-speed network ports. Design the access tier with efficiency and economy in mind, and balance the nmber and types of access ports to keep the volme of access reqests within the capacity of the higher layers.

7 Planning the IP-Based Infrastrctre 9 Designing the Distribtion Tier The distribtion tier distribtes network traffic between related access layers, and separates the locally destined traffic from the network traffic destined for other tiers throgh the core. Network secrity and access control policies are often implemented within this tier. Network devices in this layer can incorporate technologies sch as firewalls and address translators. The distribtion tier is often the layer in which yo define sbnets; throgh the definition of sbnets, distribtion devices often fnction as roters. Decisions abot roting methods and roting protocols affect the scalability and performance of the network in this tier. A server network in the distribtion layer might hose critical network services and centralized application servers. Compters rnning Windows Server 2003 can be sed there to rn the Active Directory directory service, DNS, DHCP, and other core infrastrctre services. Designing the Core Tier The core tier facilitates the efficient transfer of data between interconnected distribtion tiers. The core tier typically fnctions as the high-speed backbone of the enterprise network. This tier can inclde one or more bilding-wide or camps-wide backbone local area networks (LANs), metropolitan area network (MAN) backbones, and high-speed regional wide area network (WAN) backbones. The primary design goal for the core is reliable, high-speed network performance. As a general rle, locate any featre that might affect the reliability or performance of this tier in an access or distribtion tier instead. Select highly reliable network eqipment for the core tier, and design a falt-tolerant core system whenever possible. Many prodcts meet these criteria, and most major network vendors offer complete soltions to meet the reqirements of the core tier. For more information abot designing a three-tier network model, see Additional Resorces later in this chapter.

8 10 Chapter 1 Designing a TCP/IP Network Developing Roting Strategies After planning yor network infrastrctre based on yor design model, plan how to implement roting. Figre 1.4 shows the tasks involved in developing a nicast roting strategy. For information abot IP mlticast roting, see Planning IP Mlticasting later in this chapter. Figre 1.4 Developing a Roting Strategy Plan IP-based infrastrctre Develop roting strategies Choose hardware or software roting Design IP addressing scheme Choose static or dynamic roting Plan IP configration strategy Plan secrity Improve availability Plan IP mlticasting Introdce IPv6 on yor network Test yor design

9 Developing Roting Strategies 11 To plan an effective roting soltion for yor environment, yo mst nderstand the differences between hardware roters and software roters; static roting and dynamic roting; and distance vector roting protocols and link state roting protocols. Choosing Hardware or Software Roting A roter is a device that holds information abot the state of its own network interfaces and contains a list of possible sorces and destinations for network traffic. The roter directs incoming and otgoing packets based on that information. By projecting network traffic and roting needs based on the nmber and types of hardware devices and applications sed in yor environment, yo can better decide whether to se a dedicated hardware roter, a software-based roter, or a combination of both. Generally, dedicated hardware roters handle heavier roting demands best, and less expensive software-based roters are sfficient to handle lighter roting loads. A software-based roting soltion, sch as the Windows Server 2003 Roting and Remote Access service, can be ideal on a small, segmented network with relatively light traffic between sbnets. Conversely, enterprise network environments that have a large nmber of network segments and a wide range of performance reqirements might need a variety of hardware-based roters to perform different roles throghot the network. Choosing Static or Dynamic Roting Roting can be either static or dynamic, depending on how roting information is generated and maintained: In static roting, roting information is entered manally by an administrator and remains constant throghot the roter s operation. In dynamic roting, a roter is configred to atomatically generate roting information and share the information with neighboring roters. Yo mst decide where best to implement each type of roting. Static Roting In static roting, a network administrator enters static rotes in the roting table manally by indicating: The network ID, consisting of a destination IP address and a sbnet mask. The IP address of a neighboring roter (the next hop). The roter interface throgh which to forward the packets to the destination.

10 12 Chapter 1 Designing a TCP/IP Network Static roting has significant drawbacks. Becase a network administrator defines a static rote, errors are more likely than with a dynamically assigned rote. A simple typographical error can create chaos on the network. An even greater problem is the inability of a static rote to adapt to topology changes. When the topology changes, the administrator might have to make changes to the roting tables on every static roter. This does not scale well on a large internetwork. However, static roting can be effective when sed in combination with dynamic roting. Instead of sing static roting exclsively, yo can se a static rote as the redndant backp for a dynamically configred rote. In addition, yo might se dynamic roting for most paths bt configre a few static paths where yo want the network traffic to follow a particlar rote. For example, yo might configre roters to force traffic over a given path to a high-bandwidth link. Dynamic Roting Protocols Conceptally, the dynamic roting method has two parts: the roting protocol that is sed between neighboring roters to convey information abot their network environment, and the roting algorithm that determines paths throgh that network. The protocol defines the method sed to share the information externally, whereas the algorithm is the method sed to process the information internally. The roting tables on dynamic roters are pdated atomatically based on the exchange of roting information with other roters. The most common dynamic roting protocols are: Distance vector roting protocols Link state roting protocols Understanding how these protocols work enables yo to choose the type of dynamic roting that best sits yor network needs. Distance Vector Roting Protocols A distance vector roting protocol advertises the nmber of hops to a network destination (the distance) and the direction in which a packet can reach a network destination (the vector). The distance vector algorithm, also known as the Bellman-Ford algorithm, enables a roter to pass rote pdates to its neighbors at reglarly schedled intervals. Each neighbor then adds its own distance vale and forwards the roting information on to its immediate neighbors. The reslt of this process is a table containing the cmlative distance to each network destination. Distance vector roting protocols, the earliest dynamic roting protocols, are an improvement over static roting, bt have some limitations. When the topology of the internetwork changes, distance vector roting protocols can take several mintes to detect the change and make the appropriate corrections.

11 Developing Roting Strategies 13 One advantage of distance vector roting protocols is simplicity. Distance vector roting protocols are easy to configre and administer. They are well sited for small networks with relatively low performance reqirements. Most distance vector roting protocols se a hop cont as a roting metric. A roting metric is a nmber associated with a rote that a roter ses to select the best of several matching rotes in the IP roting table. The hop cont is the nmber of roters that a packet mst cross to reach a destination. Roting Information Protocol (RIP) is the best known and most widely sed of the distance vector roting protocols. RIP version 1 (RIP v1), which is now otmoded, was the first roting protocol accepted as a standard for TCP/IP. RIP version 2 (RIP v2) provides athentication spport, mlticast annoncing, and better spport for classless networks. The Windows Server 2003 Roting and Remote Access service spports both RIP v1 and RIP v2 (for IPv4 only). Using RIP, the maximm hop cont from the first roter to the destination is 15. Any destination greater than 15 hops away is considered nreachable. This limits the diameter of a RIP internetwork to 15. However, if yo place yor roters in a hierarchical strctre, 15 hops can cover a large nmber of destinations. Link State Roting Protocols Link state roting protocols address some of the limitations of distance vector roting protocols. For example, link state roting protocols provide faster convergence than do distance vector roting protocols. Convergence is the process by which roters pdate roting tables after a change in network topology the change is replicated to all roters that need to know abot it. Althogh link state roting protocols are more reliable and reqire less bandwidth than do distance vector roting protocols, they are also more complex, more memory-intensive, and place a greater load on the CPU. Unlike distance vector roting protocols, which broadcast pdates to all roters at reglarly schedled intervals, link state roting protocols provide pdates only when a network link changes state. When sch an event occrs, a notification in the form of a link state advertisement is sent throghot the network.

12 14 Chapter 1 Designing a TCP/IP Network The Windows Server 2003 Roting and Remote Access service spports the Open Shortest Path First (OSPF) protocol, the best known and most widely sed link state roting protocol. OSPF is an open standard developed by the Internet Engineering Task Force (IETF) as an alternative to RIP. OSPF compiles a complete topological database of the internetwork. The shortest path first (SPF) algorithm, also known as the Djikstra algorithm, is sed to compte the least-cost path to each destination. Whereas RIP calclates cost on the basis of hop cont only, OSPF can calclate cost on the basis of metrics sch as link speed and reliability in addition to hop cont. Unlike RIP, OSPF can spport an internetwork diameter of 65,535 (assming that each link is assigned a cost of 1). OSPF transmits mlticast frames, redcing CPU sage on a LAN. Yo can hierarchically sbdivide OSPF networks into areas, redcing roter memory overhead and CPU overhead. Like RIP v2, OSPF spports variable length sbnet masks (VLSM) and noncontigos sbnets. For information abot variable length sbnet masks and noncontigos sbnets, see Designing a Strctred Address Assignment Model later in this chapter. Selecting the Appropriate Roting Protocol Select a roting protocol based on the following considerations: For a small, simple network that is not expected to grow, se a simpler distance vector roting protocol like RIP v2. For a large, complex internetwork, se a newer, more sophisticated link state roting protocol like OSPF. Use RIP v2 or OSPF if yo need to spport variable length sbnet masks. Althogh the otdated RIP v1 is still widely sed in private networks, it does not spport VLSM and ths is not well sited for enterprise networks. For more information abot VLSM, see Planning Variable Length Sbnet Masks later in this chapter. Designing an IP Addressing Scheme Before assigning addresses, design an IP addressing scheme that meets the reqirements of yor networking infrastrctre. Figre 1.5 shows the tasks involved in designing yor IP addressing system, inclding planning yor address assignment model, address allocation, and pblic or private addressing. Most organizations choose to se classless IP addressing, classless IP roting protocols, and rote smmarization.

13 Designing an IP Addressing Scheme 15 Figre 1.5 Designing an IP Addressing Scheme Plan IP-based infrastrctre Develop roting strategies Design IP addressing scheme Plan IP configration strategy Create strctred address assignment model Choose address allocation method Choose pblic or private addresses Plan secrity Improve availability Plan IP mlticasting Introdce IPv6 on yor network Test yor design For information abot IP mlticast addressing, see Planning IP Mlticasting later in this chapter.

14 16 Chapter 1 Designing a TCP/IP Network Creating a Strctred Address Assignment Model Yo can ease the brden of enterprise internetwork administration by designing a strctred address assignment model. A strctred address assignment model makes trobleshooting easier and more systematic and helps yo interpret network maps and locate specific devices. It also simplifies the se of network management software. For enterprise scalability, assign address blocks hierarchically. The strctred address assignment model reflects more than jst hierarchical concerns. To maximize network stability and scalability, assign a block of addresses based on a physical network rather than on membership within a department or team, to avoid complications when yo move a workstation to a new location. For more information abot address allocation as it relates to yor IP addressing scheme, see Choosing an Address Allocation Method later in this chapter. As a general rle, assign static addresses to roters and servers, and assign dynamic addresses to workstations. This scheme minimizes manal addressing, redcing the chances of address dplication and stabilizing the network s addressing strctre. Yo can assign meaningfl nmbers when sing static addresses; for example, reserve host addresses in the low or high portion of the range, and manally assign these addresses to roters or servers. To design a strctred model for assigning addresses: Plan classless IP addressing. Plan classless roting. Use rote smmarization. Plan variable length sbnet masks (VLSM). Plan spernetting and classless interdomain roting (CIDR). Planning Classless IP Addressing Classless IP addressing makes traditional classfl IP addressing methods restricted to the standard IP address classes in their defalt formats ot of date for enterprise networks. Of the five address classes, Class A, B, and C addresses, collectively known as IPv4 nicast addresses, are assigned to specific devices on an IPv4 network. Class D addresses, known as mlticast addresses, are sed for IP mlticasting (simltaneosly sending a message to more than one network destination). Class E addresses are reserved for experimental prposes.

15 Designing an IP Addressing Scheme 17 To be able to se sbnetting or spernetting, yo mst first nderstand the defalt formats of the nicast addresses. Unicast addresses have the following formats: All 32-bit IPv4 addresses contain for octets of 8 bits each, often represented as for decimal nmbers separated by dots (known as dotted decimal notation). In Class A addresses, the first byte, or octet, represents the network ID, and the three remaining bytes are sed for node addresses. In Class B addresses, the first 2 bytes represent the network ID, and the last 2 bytes are sed for nodes. In Class C addresses, the first 3 bytes are sed for the network ID, and the final byte is sed for nodes. Withot some means of sbdividing class-designated networks, all available IP addresses wold have been depleted long ago. Classless IP addressing, which allows sbnetting, was developed to handle this problem. Determining the Nmber of Sbnets and Hosts To better se the address space, instead of sing the nicast addresses in their defalt formats, yo can se sbnet addressing, which lets yo borrow additional bits from the host part of the address to divide the network into sbnets. In sbnetting, the sbnet mask consists of the octets assigned to the network pls the bits added for the sbnet. Yo can se sbnet mask notation to indicate these leftmost contigos bits. For example, for a Class B address, which has a defalt sbnet mask of , yo might allocate an additional 8 bits for sbnets. That is, for a Class B address sch as , yo can se the following sbnet mask, shown in both decimal and binary notation. Sbnet Mask in Decimal Notation Sbnet Mask in Binary Notation By sing 8 host bits for sbnetting, yo obtain 256 (that is, 2 8 ) sbnetted network IDs (sbnets), spporting as many as 254 hosts per sbnet. The nmber of hosts per sbnet is 254 becase 8 bits (2 8 mins 2) are reserved for the host ID. Yo sbtract 2 becase sbnetting rles exclde the host IDs consisting of all ones or all zeros. An alternative to sbnet mask notation is the network prefix length notation. A network prefix is shorthand for a sbnet mask, expressing the nmber of high-order bits that constitte the sbnetted network ID portion of the address in the format <IP address>/<# of bits>, where # of bits defines the network/sbnet part of the IP address, and the remaining bits represent the host ID portion of the address.

16 18 Chapter 1 Designing a TCP/IP Network The following is the network prefix length notation for the Class B address in the previos example: /24 The bit notation /24 refers to the nmber of high-order bits set to 1 in the binary notation for the sbnet mask, leaving 8 bits for hosts (the eight bits set to 0). Note IPv6 spports only network prefix length notation. It does not spport dotted decimal sbnet masks. For more information abot IPv6, see Introdcing IPv6 on Yor Network later in this chapter. By contrast, if yo anticipate needing only 32 sbnets rather than 256, each of the 32 sbnets can spport as many as 2,046 hosts (2 11 mins 2). That sbnet mask has the following decimal and binary notations. Sbnet Mask in Decimal Notation Sbnet Mask in Binary Notation The following network prefix length notation indicates the 21 bits needed to create as many as 32 sbnets: /21. Again, /21 indicates the nmber of high-order bits set to 1 in binary notation, leaving 11 bits (the 11 zeros) for the host ID portion of the address. To determine the appropriate nmber of sbnets verss hosts for yor organization s network, consider the following: More sbnets. Allocating more host bits for sbnetting spports more sbnets bt fewer hosts per sbnet. More hosts. Allocating fewer host bits for sbnetting spports more hosts per sbnet, bt limits the growth in the nmber of sbnets. For an introdction to TCP/IP, inclding information abot sbnetting, see the Networking Gide of the Windows Server 2003 Resorce Kit (or see the Networking Gide on the Web at Planning Classless Roting Organizations today typically implement classless roting soltions. With classfl roting protocols, IP hosts and roters recognize only the network address designated by the standard address classes. An IP host device or a roter sing a classfl protocol sch as RIP v1 cannot recognize sbnets.

17 Designing an IP Addressing Scheme 19 Classless roting protocols extend the standard Class A, B, or C IP addressing scheme by sing a sbnet mask or mask length to indicate how roters mst interpret an IP network ID. Classless roting protocols inclde the sbnet mask along with the IP address when advertising roting information. Sbnet masks representing the network ID are not restricted to those defined by the address classes, bt can contain a variable nmber of high-order bits. Sch sbnet mask flexibility enables yo to grop several networks as a single entry in a roting table, significantly redcing roting overhead. In addition to RIP v2 and OSPF, described earlier, classless roting protocols inclde Border Gateway Protocol version 4 (BGP4) and Intermediate System to Intermediate System (IS-IS). If yor network contains roters that spport only RIP v1 and yo want to pgrade from classfl to classless roting, pgrade the RIP v1 roters to spport RIP v2 or se another protocol sch as OSPF. For example, yo might se VLSM to implement sbnets of different sizes or CIDR to implement spernetting. (VLSM and CIDR are described later in this chapter.) Planning Classless Noncontigos Sbnets One reason that classfl roting is ot of date is that classfl roting protocols cannot reliably handle noncontigos sbnets of a sbnetted class-based network ID. As mentioned earlier, classfl roting protocols recognize only those networks indicated by an address class. Becase classfl protocols do not transmit sbnet mask or prefix length information, noncontigos sbnets, when smmarized by a classfl roting protocol, can have the same class-based network ID. Noncontigos sbnets with classfl roting Noncontigos sbnets occr when another network with a different network ID separates sbnets of a classfl network. For example, the two roters in Figre 1.6 separate two sbnets that each se the base prefix /8, which is a Class A private network. A segment of another class-based network connects the two roters. (For more information abot private addresses, see Choosing Pblic or Private Addresses later in this chapter.) Figre 1.6 Classfl Roting Not Appropriate for Noncontigos Sbnets Internetwork / / / /24

18 20 Chapter 1 Designing a TCP/IP Network Each roter in Figre 1.6 mst se a sbnet mask to look p a match in the roting table. Becase a classfl address, by definition, has only its class-based defalt sbnet mask, the roter ses the network mask that corresponds to the class of the sbnet ID when advertising the rote for the sbnet. With classfl roting, each of the roters in Figre 1.6 smmarizes and advertises the class-based network ID of /8, reslting in two rotes to /8, each of which might have a different metric. Therefore, a packet meant for one sbnet cold be incorrectly roted to the other sbnet. In the figre, the arrows represent the rotes advertised by the roters. Noncontigos sbnets with classless roting Figre 1.7 also shows an nrelated network connecting two noncontigos sbnets. In this example, sing classless roting, the locations on the noncontigos sbnets are nambigos becase the classless protocol incldes a sbnet mask when advertising the rote. Roters in the intermediate network can distingish between the two noncontigos sbnets. Figre 1.7 Classless Roting Appropriate for Noncontigos Sbnets Internetwork / / / /24 Using Rote Smmarization With rote smmarization, or aggregation, in a hierarchical roting infrastrctre, one rote in a roting table represents many rotes. A roting table entry for the highest level (the network) is also the rote sed for sbnets and sb-sbnets. In contrast, in a flat roting infrastrctre, the roting table on every roter in the network contains an entry for each network segment. When yo se flat roting, the network IDs have no network/sbnet strctre and cannot be smmarized. RIP-based Internet Packet Exchange (IPX) internetworks se flat network addressing and have a flat roting infrastrctre. Using rote smmarization, yo can contain topology changes occrring in one area of the network within that area. Rote smmarization simplifies roting tables and redces the exchange of roting information, bt it reqires more planning than does a flat roting infrastrctre.

19 Designing an IP Addressing Scheme 21 To spport rote smmarization, yor IP addressing scheme mst meet the following reqirements: Classless roting protocols (those inclding sbnet mask or prefix length information along with the IP address) mst be sed. All IP addresses sed in rote smmarization mst share identical high-order bits. The length of the prefix can be any nmber of bits p to 32 (for IPv4). Planning Variable Length Sbnet Masks (VLSM) Variable length sbnet masks (VLSMs) allow yo to se different prefix lengths at different locations so that sbnets of different sizes can coexist on the same network. Instead of sing one sbnet mask throghot the network, yo apply several masks to the same address space, prodcing sbnets of different sizes. For example, given the Class B network ID of , yo can configre one sbnet with as many as 32,766 hosts, 15 sbnets with as many as 2,046 hosts, and 8 sbnets with as many as 254 hosts. Tip When sing VLSM, do not accidentally overlap blocks of addresses. If possible, start with eqal-size sbnets and then sbdivide them. VLSM also can be sed when a point-to-point WAN link connects two roters. One way to handle sch a WAN link is to create a small sbnet consisting of only two addresses. Withot VLSM, yo might divide a Class C network ID into an eqal nmber of two-address sbnets. If only one WAN link is in se, all the sbnets bt one serve no prpose, wasting 252 addresses. Alternatively, yo can divide the Class C network into 16 workgrop sbnets of 14 nodes each by sing a prefix length of 28 bits (or, in sbnet mask terms, ). By sing VLSM, yo can then sbdivide one of those 16 sbnets into 8 smaller sbnets, each spporting only 2 nodes. Yo can se one of the 8 sbnets for yor existing WAN link and reserve the remaining 7 sbnets for similar links that yo might need in the ftre. To accomplish this act of sbsbnetting by sing VLSM, se a prefix length of 30 bits (or, in sbnet mask terms, ). Figre 1.8 shows variable length sbnetting for two-host WAN sbnets. Figre 1.8 Variable Length Sbnetting of network with 254 hosts 16 networks with 14 hosts per network 8 networks with 2 hosts per network / / / / /30

20 22 Chapter 1 Designing a TCP/IP Network If yor network incldes nmeros WAN links, each with its own sbnet, this approach can reqire significant administrative overhead. If yo do not se rote smmarization, each sbnet reqires another entry in the roting table, increasing the overhead of the roting process. Some roters spport nnmbered connections; a link with nnmbered connections does not reqire its own sbnet. Planning Spernetting and Classless Interdomain Roting (CIDR) Similar to the way that sbnetting allows yo to divide class-based networks into smaller sbnets by borrowing bits from the host part of the address, spernetting allows yo to combine contigos sbnets into larger spernets by borrowing bits from the network part of the address. For example, rather than allocate a Class B network ID to an organization that has 2,000 hosts, the Internet Assigned Nmbers Athority (IANA) might allocate a range of eight Class C network IDs. Each Class C network ID accommodates 254 hosts, for a total of 2,032 host IDs. Althogh this techniqe helps conserve Class B network IDs, it creates a new problem. Using conventional roting techniqes, the roters on the Internet mst, in this example, have eight Class C network ID entries in their roting tables to rote IP packets to the organization. To prevent Internet roters from becoming overwhelmed with rotes, a techniqe called Classless Interdomain Roting (CIDR), which the Internet ses to smmarize rotes, collapses mltiple network ID entries into a single entry. In this example, CIDR collapses the network IDs that correspond to the eight Class C network IDs allocated to that organization into one entry. A spernetted sbnet mask conveys the starting network ID and the nmber of Class C network IDs allocated. The following tables demonstrate how eight Class C network IDs are allocated. Table 1.1 indicates the contigos allocation of eight Class C network IDs, starting with network ID Note that the first 21 bits (nderlined) are the same for the starting network ID and the ending network ID. The last 3 bits of the third octet, which are borrowed from the network ID, range from 000 throgh 111. In decimal notation, the range is 0 throgh 7, or 8 total contigos sbnets, which are combined into one spernet. Table 1.1 Spernetted Block of Addresses Network ID Sbnet Mask (Binary) Starting Network ID Ending Network ID A block of spernetted addresses, sch as those in Table 1.2, is known as a CIDR block. Table 1.2 indicates the single CIDR entry that appears in the roting table. This entry represents all eight Class C network IDs that are allocated to the example organization. Table 1.2 CIDR Roting Table Entry Network ID Sbnet Mask Sbnet Mask (Binary)

21 Designing an IP Addressing Scheme 23 In network prefix length notation, the CIDR block is /21. RIP v2, OSPF, and BGP4, which can exchange roting information in the form of [Network ID, Network Mask] pairs, spport CIDR. Choosing an Address Allocation Method Choose an address allocation method that best fits yor strctred address model. Addressing by topology is recommended. However, yo can choose one or more of the following methods: Random address allocation. Under a random addressing strctre, yo can assign blocks of addresses randomly. Random address allocation might be the most freqently sed address allocation method, bt it is the least desirable. For a small network where no significant growth is anticipated, this approach might be appropriate. However, if the network does grow, random address allocation can case extra work for network administrators. Smmarizing the random collection of rotes might be difficlt or impossible. This method can case stability problems, with nmeros rotes being advertised to the core tier. Addressing by organization chart. To base yor address strctre on yor organization chart, yo create sbnets based on a pool of addresses preassigned to a department or team. If, for example, yo designate the Sales department as /16, the address /24 might be the sbnet for the sales team at one site and /24 might be the sbnet for the sales team at another site. To the extent that contigos sbnets remain nassigned, this address allocation method offers limited possibilities for rote smmarization, bt, as a rle, this kind of addressing scheme does not scale well. Addressing by geographical region. When yo base yor address strctre on location, a greater degree of smmarization is possible. However, as the internetwork of a geographically diverse organization contines to grow, fewer rotes are available for smmarization. Addressing by topology. By basing yor address strctre on topology, yo can ensre that smmarization takes place and that an internetwork remains scalable and stable. Addressing by topology makes the addressing strctre roter-centric, enhancing efficiency. Choosing Pblic or Private Addresses If yo se a direct (roted) connection to the Internet, yo mst se pblic addresses. If yo se an indirect connection sch as a proxy server or Network Address Translator (NAT), se private addresses. If yor organization is not connected to the Internet, se private addresses (rather than nathorized addresses) so that if yo later connect to the Internet sing an indirect connection, yo do not need to change addresses already in se. If yo connect to the Internet by sing an Internet service provider (ISP), the ISP might provide only private addresses. The ISP itself ses pblic addresses to connect to the Internet.

22 24 Chapter 1 Designing a TCP/IP Network Pblic Addresses IANA assigns pblic addresses and garantees them to be globally niqe on the Internet. In addition, rotes are programmed into the roters on the Internet so that traffic can reach those assigned pblic addresses. That is why pblic addresses can be reached on the Internet. Private Addresses Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those hosts within an organization that do not reqire direct access to the Internet. These addresses do not dplicate already assigned pblic addresses. RFC 1918, Address Allocation for Private Internets, defines the following three private address blocks: /8. The /8 private network is a Class A network ID that spports the following range of valid IP addresses: throgh The /8 private network has 24 host bits that a private organization can se for any sbnetting scheme within the organization /12. The /12 private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be sed for any sbnetting scheme within the private organization. The /12 private network spports the following range of valid IP addresses: throgh /16. The /16 private network can be interpreted either as a block of 256 Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be sed for any sbnetting scheme within the private organization. The /16 private network spports the following range of valid IP addresses: throgh Becase IANA never assigns IP addresses in the private address space as pblic addresses, rotes for private addresses never exist on the Internet roters. Any nmber of organizations can repeatedly se the private address space, which helps to prevent the depletion of pblic addresses. Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private address mst either send its reqests to an application layer gateway (sch as a proxy server), which has a valid pblic address, or have its private address translated into a valid pblic address by a NAT before it is sent over the Internet. For an introdction to TCP/IP and more information abot pblic and private addresses, see the Networking Gide of the Windows Server 2003 Resorce Kit (or see the Networking Gide on the Web at

23 Designing an IP Addressing Scheme 25 Unathorized Addresses Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even pblic addresses that IANA has assigned to other organizations. Sch potentially dplicate addresses are known as nathorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its crrent addressing scheme might inclde addresses that IANA has assigned to other organizations. Yo cannot connect to the Internet by sing nathorized addresses. Do not se nathorized addresses if even the slightest possibility exists of ever establishing a connection between yor network and the Internet. On some ftre date, discovering that yo need to qickly replace the IP addresses of all the nodes on a large private network can reqire considerable time and interrpt network operation. Network Address Translation Network address translation, defined in RFC 3022, is the translation process performed by an IP roter fnctioning as a network address translator (NAT). A NAT translates IP addresses from private network addresses sed inside an organization to pblic addresses sed otside the organization. Typically, a NAT-enabled roter connects an internal corporate network with the Internet and bilds a table that maps the connections between hosts inside the network and hosts otside on the Internet. Yo can se NAT to map mltiple internal private addresses to a single external pblic IP address. For example, a small bsiness might obtain an ISP allocated pblic IP address for each compter on its network. By sing NAT, however, the bsiness cold se private addressing internally and have NAT map its private addresses to one or more pblic IP addresses that the ISP allocates. NAT makes it more difficlt for external sers to attack systems on a private network. NAT also allows several nodes on the private network, each with its own private address, to share a smaller nmber of scarcer pblic addresses to access the Internet. However, althogh NAT allows yo to rese the private address space, it does not spport standards-based network layer secrity or the correct mapping of all higher layer protocols. One prpose for the large nmber of addresses made available with the introdction of IPv6 is to make address conservation techniqes sch as NAT nnecessary. Windows Server 2003 also spports IPSec NAT traversal (NAT-T), which allows nodes located behind a NAT (that is, they se private addresses) to se Encapslating Secrity Payload (ESP) to protect traffic. This capability allows the creation of Layer Two Tnneling Protocol with IPSec (L2TP/IPSec) connections from remote access clients and roters located behind NATs. For more information abot nicast IP roting, inclding technical information abot the NAT roting protocol component of the Roting and Remote Access service, see the Internetworking Gide of the Windows Server 2003 Resorce Kit (or see the Internetworking Gide on the Web at

24 26 Chapter 1 Designing a TCP/IP Network Planning an IP Configration Strategy Every compter on an IP network mst have a niqe IP address. As noted earlier, sing static addressing for clients is time-consming and prone to error. To provide an alternative for IPv4, the IETF developed the Dynamic Host Configration Protocol (DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figre 1.9 shows the stage in the TCP/IP design process dring which yo decide what to se for IP configration. Most organizations choose to se DHCP for IPv4. Figre 1.9 Planning an IP Configration Strategy Plan the IP-based infrastrctre Develop roting strategies Design an IP addressing scheme Plan an IP configration strategy Plan secrity Improve availability Plan IP mlticasting Introdce IPv6 into yor network Test yor design

25 Planning an IP Configration Strategy 27 Althogh BOOTP and DHCP hosts can interoperate, DHCP is easier to configre. BOOTP reqires maintenance by a network administrator, whereas DHCP reqires minimal maintenance after the initial installation and configration. The DHCP standard, defined in RFC 2131, defines a DHCP server as any compter rnning the DHCP service. Compared with static addressing, DHCP simplifies IP address management becase the DHCP server atomatically allocates IP addresses and related TCP/IP configration settings to DHCP-enabled clients on the network. This is especially sefl on a network with freqent configration changes for example, in an organization that has a large nmber of mobile sers. The DHCP server dynamically assigns specific addresses from a manally designated range of addresses called a scope. By sing scopes, yo can dynamically assign addresses to clients on the network no matter where the clients are located or how often they move. DHCP Integration with DNS and WINS The DHCP implementation in Windows Server 2003 is closely linked to name resoltion services sch as the Domain Name System (DNS) service and the Windows Internet Name Service (WINS). Network administrators benefit from combining all three when planning a deployment. If yo se DHCP servers for Windows-based network clients, yo mst se a name resoltion service. In addition to name resoltion, Windows Server 2003 networks se DNS to spport Active Directory. Domain-based networks spporting clients rnning Windows NT version 4.0 or earlier or NetBIOS applications mst se WINS servers. Networks spporting a combination of clients rnning Windows XP, Windows 2000, Windows Server 2003, and Windows NT 4.0 mst implement both WINS and DNS. DHCP, APIPA, and IP Address Allocation DHCP clients receive IP addresses as follows: Dynamic allocation from DHCP server. After yo configre DHCP, the DHCP server atomatically assigns an IP address from a specified scope to a client for a finite period of time called a lease. Most clients receive a dynamic IP address. Static allocation from DHCP server. For a specific compter (sch as a DHCP, DNS, or WINS server, or a print server, firewall, or roter), yo can manally configre the TCP/IP properties, inclding the IP address, the DNS and WINS parameters, and defalt gateway information. For the static clients to be on the same sbnet as other, dynamically allocated compters, the static IP addresses mst be within the scope or sbnet defined for dynamic address allocation. Yo can se the DHCP snap-in to set an exclsion range to prevent the DHCP server from dynamically allocating the static IP address. Client reservation from DHCP server. By sing the DHCP snap-in, yo can also reserve a specific IP address for permanent se by a given DHCP client.

26 28 Chapter 1 Designing a TCP/IP Network Atomatic allocation APIPA. In the absence of a DHCP server, Atomatic Private IP Addressing (APIPA) lets a workstation configre itself with an address in the range from to Compters sing APIPA addresses can commnicate only with other compters that are also sing APIPA addresses within a single sbnet. In this case, a compter has an IP address bt cannot connect otside the sbnet. APIPA reglarly checks for the presence of a DHCP server; if it detects one, it yields to the DHCP service, which then assigns a dynamic address to replace the APIPA address. APIPA is designed primarily for simple networks with only one sbnet, sch as small or home-based networks. On a larger network, APIPA can be sefl for identifying problems with DHCP: when a client ses an APIPA address, this indicates that a DHCP server has not been fond. Alternate configration ser configred. In the absence of a DHCP server, alternate configration lets a compter se an IP address configred manally by the ser. Alternate configration is designed for a compter that is sed on more than one network, sch as a laptop sed both at the office and at home. The ser can specify an IP address on the compter s TCP/IP properties Alternate Configration tab if at least one of the networks (for example, the home office) does not have a DHCP server and APIPA addressing is not wanted. If alternate configration is not configred and no DHCP server is fond, TCP/IP ses APIPA by defalt. For more information abot developing a DHCP strategy, see Deploying DHCP in this book. Planning Secrity IP does not have a defalt secrity mechanism. Withot secrity, both pblic and private IP networks are ssceptible to nathorized monitoring and access. To prevent these types of secrity breach, develop a secrity strategy for yor IP deployment in tandem with yor overall network secrity plan. Ways that yo can enhance secrity when deploying IP inclde: Secring IP packets. Provide end-to-end secrity by secring IP packets, which reqires that yo not se address translation (nless both peers spport IPSec NAT-T and se ESP to protect traffic). IPSec is the most efficient way to provide a secre data stream. Deploying a perimeter network. Use a perimeter network to help secre yor internal network from intrsion. Several options are available for doing this.