Designing a .NET TCP/IP Network

Topics on this Page TCP/IP Overview The TCP/IP Deployment Process Planning a TCP/IP Infrastructure Developing Routing Strategies Designing an IP Addressing Scheme Planning an IP Configuration Strategy Planning TCP/IP Security Enhancing Your Design for Availability Optimizing TCP/IP for Performance Planning IPv4/IPv6 Coexistence and Migration to IPv6 Testing Your Design Additional Resources The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite defines industry standard networking protocols for TCP/IP-based networks, including the Internet. TCP/IP provides communications across diverse hardware architectures and various operating systems. The Microsoft® Windows .NET implementation of TCP/IP supplies the foundation for building large, enterprise internetworks. Determining how best to design and implement TCP/IP will ensure optimal reliability, availability, scalability, security, and performance for your network. You can also begin to take advantage of the increased efficiency and security provided by the next generation of TCP/IP — IPv6 — by implementing IPv4/IPv6 coexistence, and you can plan for eventual migration to IPv6. Related Information in the Resource Kits For more information about IP configuration strategies using DHCP, see "Designing a DHCP Infrastructure" in this book. For more information about using DNS for name resolution, see "Deploying DNS" in this book. For more information about using WINS for name resolution in networks supporting Windows® NT® 4.0 and earlier clients, see "Building a WINS Infrastructure" in this book. For more information about using IPSec, see "Securing Networks with IPSec " in this book. For more information about deploying Network Address Translator (NAT), see "Securing Networks with ISA" in this book. For more information about building test network prototypes in a lab, see "Building a Windows .NET Server Test Lab" in this book. TCP/IP Overview Designing your TCP/IP deployment includes deciding how you want to implement TCP/IP in a new environment, or — for most organizations — examining your existing infrastructure and deciding what to change. As a first step in the deployment process, understand how current technology can provide effective solutions to your technical and business requirements. Windows .NET TCP/IP Solutions Windows .NET Server TCP/IP enables enterprise networking and connectivity on Windows .NET Server, Windows 2000, Windows NT, and Windows 9x–based computers. Adding TCP/IP to a Windows .NET Server configuration offers the following advantages: Provides most widely used protocol. Windows .NET Server TCP/IP is a standard, routable enterprise networking protocol that is the most complete and accepted protocol available. All modern networking operating systems offer TCP/IP support, and most large networks rely on TCP/IP for much of their network traffic. Connects dissimilar systems. Windows .NET Server TCP/IP is a technology for connecting dissimilar systems. Many standard connectivity utilities are available to access and transfer data between dissimilar systems, including File Transfer Protocol (FTP) and Telnet, a terminal emulation protocol. Several of these standard utilities are included with Windows .NET Server TCP/IP. Provides client/server framework. Windows .NET Server TCP/IP is a robust, scalable, cross-platform client/server framework. Windows .NET Server TCP/IP offers the Windows Sockets interface, which is ideal for developing client/server applications that can run on Windows Sockets-compliant TCP/IP protocol implementations from other vendors. Provides access to Internet. Windows .NET Server TCP/IP is a method of gaining access to the Internet. The Internet consists of thousands of networks worldwide, connecting research facilities, universities, libraries, private companies, and other organizations. Introduces support for IPv6. Windows .NET Server also includes an IPv6 stack to provide you with a means for testing IPv6 and implementing a coexisting IPv4 and IPv6 network for possible future migration to a complete IPv6 infrastructure. Deploying TCP/IP in a New or Existing Network Organizations that set up TCP/IP for the first time and organizations that modify an existing TCP/IP infrastructure can use the guidelines provided in this chapter to plan and carry out their TCP/IP deployment. New network. When you set up a new network, designing your TCP/IP infrastructure is the first step. Start by determining what network hardware and software to use. For example, decide whether to use Fiber Distributed Data Interface (FDDI) as a high-speed backbone, where to locate firewalls and routers, and how and where to attach workstations and servers. To deploy TCP/IP for a new network, follow all the design processes described here. When you are done, the next step is to purchase required hardware and software and then deploy DHCP. Existing network. To modify an existing TCP/IP network, you must first review aspects of your TCP/IP deployment and determine what you want to change. Action required might be as simple as upgrading servers to Windows .NET Server. You might choose to rework your addressing scheme to account for recent or impending mergers or acquisitions. You might find that you need to move hosts from static to a dynamic addressing scheme. To upgrade an existing network, determine which topics covered here are appropriate for the changes you want to make. When you are done, the next step depends on the changes you have made. For example, if you have changed the design for your addressing scheme, you must make the appropriate changes to your DHCP server. For more information about TCP/IP, see "Introduction to TCP/IP" and "Windows .NET TCP/IP" in the Networking Guide of the Microsoft Windows .NET Server Resource Kit. The TCP/IP Deployment Process Network architects must make a number of design decisions about the network infrastructure required to introduce or upgrade to Windows .NET Server TCP/IP. For enterprise scalability, plan your TCP/IP infrastructure based on the three-tier hierarchical network design model. Decide whether to use hardware or software-based routers, whether to use static routing or dynamic routing protocols, and which specific routing protocol to use. Design a structured model for assigning IP addresses that fits your networking environment, and decide what type of address allocation method to use and whether to use public or private addresses. Plan your TCP/IP configuration strategy; typically, a Windows-based organization uses a DHCP server to configure TCP/IP. Next, plan your TCP/IP security strategy, including whether to use IPSec and what options to use for securing your perimeter network. For better availability and load balancing, include redundancy in your TCP/IP network design. Decide how to optimize TCP/IP for performance, including whether to use Quality of Service (QoS) to improve voice and video traffic quality or IP multicast technologies to optimize bandwidth. Decide whether to deploy IPv6 on any network hosts and, if so, how to implement IPv4/IPv6 coexistence and whether you want eventually to migrate to an IPv6-only network. Finally, buy the hardware and software you have decided to deploy and test your solution. Figure 2.1 shows the design stages required for deploying TCP/IP. Figure Error! Reference source not found..1 TCP/IP Deployment Process Planning a TCP/IP Infrastructure Plan your TCP/IP infrastructure based on the three-tier design model. The three-tier model, a hierarchical network design model described by Cisco Systems, Inc., and other networking vendors, is widely used by enterprise networks. Segmenting the network design into three tiers separates local traffic from high-volume traffic. The modular design of the three-tier model allows for greater scalability of your TCP/IP network. Each tier focuses on specific functions. The ability to aggregate and filter traffic at three distinct levels makes the three-tier model ideal even for large networks of worldwide scope. Figure 2.2 shows the levels that you design to create a three-tier TCP/IP infrastructure. Figure 2.2 Planning a TCP/IP Infrastructure The tiers of a design model are logical constructs. They may be physical constructs as well. The three tiers can refer to three separate devices or sets of devices or to different functionalities in the same device or in sets of devices. The modular nature of the three-tier model can make deployment easier. Problems occurring on one tier might not affect other tiers or prevent deploying the remaining network components. The three-tier structure also assists in both capacity planning and in troubleshooting a large internetwork. The three tiers of the hierarchical model are the core, distribution, and access tiers. Figure 2.3 illustrates the relationship between routers operating on each tier of the three-tier hierarchical network model. (The three-tier model originally used routers to delineate each tier. Now, in addition to routed networks, switched or bridged networks also exist.) If your browser does not support inline frames, click here to view on a separate page. Figure 2.3 Three-tier network design model To design your infrastructure in the form of a three-tier hierarchical model, you must plan the core, distribution, and access tiers. Designing the Core Tier The core tier, at the top of the hierarchy, facilitates the efficient transfer of data between interconnected networks. The core is typically the internetwork's high-speed backbone. The core tier can include campus backbone LANs and regional backbones. Configure routers in the core tier to optimize packet throughput. Do not use packet filters or other features that slow down packet manipulation. Do not place anything on the core tier that slows traffic. As a rule, servers, workstations, and similar devices do not belong in the core. Even application servers central to the organization are not appropriate here. Because fault tolerance is an important concern in the core tier, design it with both redundant paths and redundant hardware components. An example technology used in the core is the Fiber Distributed Data Interface (FDDI), which has built-in fault tolerance provided by its two fiber optic rings. Alternatives to FDDI at the core tier include Fast or Gigabit Ethernet with redundant links, or Asynchronous Transfer Mode (ATM). The core should be designed for load balancing and rapid convergence. Convergence is the agreement process used by routers to determine optimal routes. Designing the Distribution Tier Using the distribution tier to demarcate the core tier from the access tier lets you isolate problems by isolating traffic. Distribution tier routers separate slow-speed local traffic at the access tier from the high-speed core tier backbone. Implement network and security policies at the distribution tier, including address translation and firewalls. Implementing address translation, which converts private addresses to Internet addresses, at the distribution tier enables devices in the access tier to use private rather than public IP addresses. The distribution tier aggregates traffic flowing from the access tier and then routes this traffic into a smaller number of more efficient paths connecting to the core. Routing protocols are redistributed here, and static routing is also used. The distribution tier is the home of a range of functions that impact traffic flow, such as access lists, packet filtering, and queuing. Active Directory, DNS, DHCP, and WINS are examples of Windows servers and associated services that you typically install at this tier. Designing the Access Tier The access tier connects users to network services. The access tier can contain routers, switches, bridges, and shared-media hubs. The access tier is where workstations and servers (such as file and print servers) that are typically not located in the distribution tier, attach to the network. From the access tier, workgroups connect to the distribution tier. From the distribution tier, network and security policies flow to the access tier. Access tier functions include both shared and switched bandwidth, media access control (MAC) layer filtering, and micro-segmentation. Remote access services are connected to a designated point on the access tier. Generally, do not add new routers in the access tier. Adding routers in the access tier expands the network diameter, which is the number of routers a packet must cross to reach its destination; networks and services that are more than a certain number of hops (often 14 or 16) away are considered unreachable. Adding routers in the access tier also increases the maximum number of hops between two nodes, and undermines the topology's predictability. Instead, attach them through the distribution tier. Developing Routing Strategies After completing the plan for your TCP/IP infrastructure based on the three-tier design model, you must plan how to implement routing. Figure 2.4 shows the steps required to develop a routing strategy. If your browser does not support inline frames, click here to view on a separate page. Figure 2.4 Developing a routing strategy The following sections will help you decide between hardware routers versus routing software, static routing versus dynamic routing protocols, and distance vector versus link state protocols. Choosing Hardware Routers or Routing Software By projecting network traffic and routing needs, you can better decide whether to use a dedicated hardware router, routing software, or a combination. Generally, dedicated hardware routers handle heavier routing demands best, and software-based routers are sufficient to handle lighter routing loads and are cost-effective. In comparison with the Open Systems Interconnection (OSI) model layer 2 (Data Link Layer) interconnecting devices (bridges and switches), the performance of a layer 3 (Network Layer) router is characterized by high latency and the relatively low number of packets per second (PPS) propagated out an interface. This is a natural consequence of the overhead demands placed upon the router as a result of its layer 3 forwarding role, a responsibility not present on layer 2 devices. A router vendor can design a dedicated router's hardware architecture, to a large extent, to compensate for those limitations. The router vendor can then develop proprietary software that builds on the specific strengths of that hardware design. A software-based routing solution, such as the Windows .NET Server Routing and Remote Access Service (RRAS), can be ideal in a small, segmented network with relatively light traffic between subnets. You do not need to invest in a dedicated hardware router where routing software running on a computer can perform the same job just as well. Conversely, enterprise internetwork environments divided into numerous network segments might need a variety of hardware routers with different capabilities to play different roles at different locations on the internetwork. To reduce costs, you can also include Windows .NET Server-based computers running RRAS in networks that primarily use hardware routers. Choosing Static or Dynamic Routing Decide whether to use static routing for all paths or dynamic routing protocols. If you choose dynamic routing but plan to use static routing on some paths, decide which paths to configure with static routes. Routers use routing protocols to communicate reachability information and to dynamically determine the best path to a destination network. Routing protocols work with, but are different from, the routable data protocols — such as the TCP/IP or IPX network protocol suites— that carry traffic from the sending computer to the destination computer. The routing protocol establishes a metric that the router uses to select the best path to the destination network. Several IP-based routing protocols provide a method for sharing routing information with other routers in order to build and maintain routing tables, which map destination network IDs to the IP address of the next hop, Routers obtain the information they need for route selection in one of the following ways: Static routing. An administrator enters route information manually. Dynamic routing protocols. A dynamic routing protocol obtains route information dynamically and uses it to build the routing table. The next two sections describe static routing and dynamic routing protocols and provide information you can use to determine which routing strategy you want to implement. Static Routing A network administrator enters static routes manually into the routing table by indicating the following information: The destination IP address The IP address of an adjacent router (also called the next hop) The number of the router port interface from which the packets will travel to reach the destination Static routing drawbacks include the following: A network administrator defines a static route, which makes it more prone to error than a dynamically assigned route. A simple typographical error can create chaos on the network. An even greater problem is the inability of a static route to adapt to topology changes. When the topology changes, the administrator must make changes to the routing tables on every static router. This does not scale well in a large internetwork. In contrast to using static routing as your only routing method, you can also use a static route as the redundant backup for a dynamically configured route. A second way of combining static and dynamic routing is to use dynamic routing for most paths but configure a few static paths. For example, you might configure routers to force traffic over a given path to a high-bandwidth link. Dynamic Routing Protocols Dynamic IP routers contain routing tables that update automatically based on the exchange of routing information with other routers. The most common dynamic routing protocols are: Distance vector routing protocols Link state routing protocols Understanding how the different dynamic routing protocols work will enable you to choose the type of dynamic routing that best suits your network needs. The next two sections describe the dynamic routing protocols. Distance vector protocols A distance vector routing protocol advertises the number of hop counts (the distance) to a network destination and the direction in which a network destination can be reached (the vector). The distance vector or Bellman-Ford algorithm enables a router to pass updates to its neighbors at regularly scheduled intervals. Each neighbor then inserts its own distance value into the table and forwards it on to its immediate neighbors. The end result of this process is a cumulative table containing the distance to each network destination. Distance vector protocols, the first dynamic routing protocols, are an improvement over static routing but have some limitations. When the topology of the internetwork changes, distance vector protocols can take several minutes to detect the change and make the appropriate corrections. One advantage of distance vector routing protocols is simplicity. Distance vector protocols are easy to configure and administer. They are well suited for smaller networks with lower performance requirements. Most distance vector protocols use a hop count as a routing metric. The routing metric is a number associated with a route that is used by a router to select the best of several matching routes in the IP routing table. The hop count is the number of routers that a datagram (data package) must cross to reach the destination. Routing Information Protocol (RIP) is the best known and most widely used of the distance vector protocols. RIP version 1 (RIP v1) was the first routing protocol accepted as a standard for TCP/IP. RIP version 2 (RIP v2) is an updated version of RIP and provides authentication support, multicast announcing, and better support for classless networks. Windows .NET Server RRAS supports both RIP v1 and RIP v2. Using RIP, the maximum hop count from the first router to the destination is 15. Any destination greater than 15 hops away is considered unreachable. This limits the size of a router group to 15. However, if you place your routers in a hierarchical structure, 15 hops can cover a very large number of destinations. Link state protocols Link state routing protocols address some of the limitations of distance vector routing protocols. For example, link state protocols provide faster convergence and greater scalability than distance vector protocols. Although link state protocols are more scalable, more reliable, and require less bandwidth than distance vector protocols, they are also more complex and more CPU and memory intensive. Unlike distance vector protocols that broadcast updates to all routers at regularly scheduled intervals, link-state protocols provide updates only when a network link changes state. When such an event occurs, a notification, in the form of a link-state advertisement, is sent throughout the network. The best-known and most widely used link-state routing protocol is the Open Shortest Path First (OSPF) protocol, an open standard developed by the Internet Engineering Task Force (IETF) as an alternative to RIP. OSPF compiles a complete topological database of the internetwork. The shortest path first (SPF), or Djikstra algorithm, is used to compute the least-cost path to each destination. Whereas RIP calculates cost on the basis of hop count, OSPF calculates cost on the basis of additional metrics such as link speed and reliability in addition to hop count. Unlike RIP, OSPF has no hop count limit. OSPF transmits multicast frames, reducing CPU usage in a LAN environment. OSPF networks can be hierarchically sub-divided into areas, reducing router memory and CPU overhead. Other OSPF advantages include its support of variable length subnet masks and noncontiguous subnets. Windows .NET Server RRAS supports OSPF. For information about variable length subnet masks and noncontiguous subnets, see "Designing a Structured Address Assignment Model " later in this chapter. Selecting the appropriate routing protocol Select a routing protocol based on the following considerations: Use a simpler distance vector routing protocol like RIP for a small, simple network that is not expected to grow. Use a newer, more sophisticated link state routing protocol like OSPF for a large, complex internetwork. Use RIPv2 or OSPF if you need to support variable length subnet masks (VLSM). Although RIP v1 is still widely used in private networks, it does not support VLSM and is not recommended for use in enterprise networks. For more information about VLSM, see "Planning for Variable Length Subnet Masks (VLSM)" later in this chapter. Designing an IP Addressing Scheme You must design an IP addressing scheme that meets the needs of your networking infrastructure before you begin assigning addresses. Figure 2.5 shows the steps required to design your IP addressing system. If your browser does not support inline frames, click here to view on a separate page. Figure 2.5 Designing an IP addressing scheme The following sections explain how to plan your address assignment model, address allocation method, and public or private addressing. Designing a Structured Address Assignment Model You can ease the burden of enterprise internetwork administration by designing a structured address assignment model. Troubleshooting becomes easier and more systematic. A structured address assignment model helps you interpret network maps and locate specific devices. It also makes network management software easier to use. For enterprise scalability, assign address blocks hierarchically. However, the structured model for assigning addresses should reflect more than just hierarchical concerns. To maximize network stability and scalability, assign a block of addresses based on a physical network, rather than on membership in a department or team, to avoid complications when a user's workstation is moved to a new location. For more about designing your IP addressing scheme in conjunction with the method you choose for address allocation, see "Choosing an Address Allocation Method" later in this chapter. As a general rule, assign static addresses to routers and servers and assign dynamic addresses to workstations. Such a scheme minimizes the amount of manual addressing needed, reduces the chances of address duplication, and adds stability to the network's addressing structure. You can assign meaningful numbers when using static addresses; for example, reserve host addresses in the low (or high) portion of the range and manually assign them to routers or servers. To design a structured model for assigning addresses: Choose classful or classless IP addressing. Choose classful or classless routing. Choose flat routing or route summarization. Plan noncontiguous subnets. Plan variable length subnet masks (VLSM). Plan supernetting and classless interdomain routing (CIDR). The following sections describe each of these topics. Choosing Classful or Classless IP Addressing The 32-bit IP address is divided into four octets of eight bits each. Its most common representation, four decimal numbers separated by dots, is known as dotted decimal notation. Traditionally there are five types of IP addresses, referred to as classes: A, B, C, D, and E. Class D addresses are used for IP multicasting (sending a message simultaneously to more than one network destination) and Class E addresses are reserved for experimental purposes. That leaves A, B, and C for the addresses of specific devices on a TCP/IP network. In Class A addresses, the first byte, or octet, represents the network ID, and the three remaining bytes are used for node addresses. Class B addresses use the first two bytes for the network portion of the address and the last two bytes for nodes. Class C addresses use the first three bytes for the network address and the final byte for nodes. Classful IP addressing is restricted to the standard Class A, B, and C addresses. Without some means of subdividing these class-designated networks, all available IP addresses would have been depleted a long time ago. Classless IP addressing, which allows subnetting, was developed to handle this problem. Determining the Number of Subnets and Hosts To better use the address space, you can use subnet addressing, which lets you "borrow" additional bits from the host part of the address to divide the network into subnets. The subnet mask consists of the octets assigned to the network plus the bits added for the subnet. Traditionally, subnet mask notation is used to indicate these leftmost contiguous bits. For example, for a Class B address, which has a default subnet mask of 255.255.0.0, you can allocate an additional eight bits for subnets. That is, for a Class B address such as: 131.107.65.37 you can use the following subnet mask: Subnet mask is represented by 255's in decimal notation Subnet mask is represented by 1's in binary notation 255.255.255.0   11111111 11111111 11111111 00000000   In this Class B example, because you chose 8 host bits for subnetting, you obtain 256 (that is, 28) subnetted network Ids (subnets) with 254 hosts per subnet. The number of hosts is 254 because eight zeros remain for the host: 28 minus two — you subtract two because subnetting rules exclude the all-ones pattern and the all-zeros pattern — is 254. An alternative to subnet mask notation is the network prefix length notation. A network prefix is a shorthand way to express a subnet mask by expressing the number of bits that constitute the subnet mask using the notation: <IP address>/<# of bits>; where # of bits defines the network/subnet part of the IP address and the remaining bits represent the hosts. For example, in the Class B address 131.107.65.37/24 24 refers to the number of ones shown in a subnet mask in binary notation, again leaving 8 bits (the eight zeroes in binary notation) for hosts. In contrast, if you anticipate needing, say, only 32 subnets rather than 256, you can have up to 2,046 (211 minus two) hosts on each of the 32 subnets. The subnet mask in this case is: Subnet Mask in Decimal Notation Subnet Mask in Binary Notation 255.255.248.0   11111111 11111111 11111000 00000000   The network prefix length notation to indicate the 21 bits needed to create up to 32 subnets is: 131.107.65.37/21 Again, 21 indicates the number of ones shown in binary notation, leaving 11 bits (the eleven zeroes) for hosts Determine the appropriate number of subnets versus hosts in your organization as follows: More subnets Allocating more host bits for subnetting provides an increased number of subnets but decreases the number of hosts per subnet. More hosts Using fewer host bits for subnetting allows for a larger number of hosts but limits the growth in the number of subnets. For more information about subnetting, see "Introduction to TCP/IP" in the Networking Guide. Choosing Classful or Classless Routing In classful or traditional routing, IP addresses for devices on a TCP/IP network are based on the standard Class A, B, or C IP addressing scheme. Using classful routing protocols, IP hosts and routers recognize only the network address designated by the class. An IP host device or a router using a classful protocol is unable to recognize subnets. Classful protocols, such as the original IP RIP (RIP v1), were used before subnets were widely implemented. Classless routing protocols extend the standard Class A, B, or C IP addressing scheme by using a subnet mask (described earlier) to modify how an IP address is interpreted. Classless routing protocols include full prefix information along with IP address transmissions. Prefixes representing the network ID are not restricted to those of one, two, or three octets designated by the address classes but can contain a variable number of bits. Such prefix flexibility allows you to group several networks as a single entry in a routing table, significantly reducing routing overhead. Classless routing tables include RIP v2, OSPF, Border Gateway Routing Protocol (BGP), and Intermediate System to Intermediate System (IS-IS). If your network contains routers that support only RIP v1 and you want to upgrade from classful to classless routing, upgrade the RIPv1 routers to support RIP v2 or use another protocol, such as OSPF. For example, you might decide to use VLSM to implement subnets of different sizes, or you might want to use CIDR to implement supernetting. VLSM and CIDR are described later in this chapter. For more information about classful and classless routing, see the "Microsoft® Windows® 2000 TCP/IP Protocols and Services Technical Reference" book. Choosing Flat Routing or Route Summarization In route summarization or aggregation, used in a hierarchical routing infrastructure, one route in a routing table represents many routes. A routing table entry for the highest level (the network) is also the route used for subnets and sub-subnets. In contrast, in a flat routing infrastructure, each network segment is represented with its own entry in the routing table on every router in the network. When you use flat routing, the network IDs have no network/subnet structure and cannot be summarized. RIP-based IPX internetworks use flat network addressing and have a flat routing infrastructure. Using route summarization lets you contain topology changes occurring in one area of the network within that area. Route summarization simplifies routing tables and reduces the amount of routing information exchanged, but it requires more planning. To use route summarization: Classless protocols (those including prefix length information along with the IP address, as described earlier) are required. All IP addresses used in route summarization must share identical high-order bits. The length of the prefix can be any number of bits, up to 32. For more information about route summarization, see "Planning for Variable Length Subnet Masks (VLSM)" and "Planning for Supernetting and Classless Interdomain Routing (CIDR)" later in this chapter. Planning Noncontiguous Subnets If you use classful routing, during the design process you need to consider the implications of using noncontiguous subnets. Under classful routing, all summarization is automatic. As mentioned earlier, classful routing protocols recognize only those networks indicated by an address class. Because subnet and prefix length information are not transmitted, using classful protocols with noncontiguous subnets can impair communication because each subnet can have the same network ID. Noncontiguous subnets occur when subnets of a class-based network ID are not contiguous, that is, do not share a neighboring router. For example, the two routers shown in Figure 2.6 separate two subnets each with the address 10.0.0.0. The two routers are connected to each other by a segment of another class-based network that has the address 206.73.118.0. Figure Error! Reference source not found..2 Noncontiguous networks using classful routing can encounter difficulty communicating In this example using classful routing, each router summarizes and advertises the class-based network ID of 10.0.0.0/8, resulting in two routes to 10.0.0.0/8, each of which has a different metric. Which subnet you reach depends on your location on the network. Figure 2.7 again shows two noncontiguous subnets connected by an unrelated major network. In this example using classless routing, the two noncontiguous subnets are able to communicate with each other because a classless protocol includes a subnet mask and thus can distinguish between the two noncontiguous subnets. Figure Error! Reference source not found..3 Noncontiguous subnets using classless routing can communicate successfully Planning Variable Length Subnet Masks (VLSM) The designers who developed TCP/IP subnetting originally planned to use it to divide a major class-based network ID into a series of equal-size subnets. With the advent of classless routing protocols, prefix length information can now be made available for each destination. Consequently, subnetting, as a method of using host bits to express subnets, is no longer limited to equal-size subnets. Variable length subnet masks (VLSM) allow you to use different prefix lengths at different locations, so that subnets of different sizes can coexist in the same network. Instead of using one subnet mask across the network, you apply several masks to the same address space, producing subnets of different sizes. For example, given the class B network ID of 135.41.0.0, you can configure one subnet with up to 32,766 hosts, 15 subnets with up to 2,046 hosts, and eight subnets with up to 254 hosts. Tip When using VLSM, make sure you do not accidentally overlap blocks of addresses. If possible, start with equal-size subnets and then sub-divide them. Another situation where VLSM is often used is when a point-to-point WAN link exists between a serial port on each of two routers. Such a WAN link requires the creation of a small subnet, consisting of only two addresses. For example, without VLSM, you might divide a Class C network ID into an equal number of two-device subnets. If only one WAN link is in use, all the subnets but one serve no purpose and 252 addresses are wasted. With VLSM, you can divide the Class C network into sixteen workgroup subnets of 14 nodes each. To do this, you use a prefix of 28 bits (or in subnet mask terms 255.255.255.240). Using VLSM, you can then subdivide one of those 16 subnets into eight smaller subnets, each supporting only two nodes. You can use one of the eight for your existing WAN link and reserve the remaining seven for similar links that might be needed in the future. To accomplish this act of sub-subnetting under VLSM, you use a prefix of 30 bits (or in subnet mask terms 255.255.255.252). Figure 2.8 shows variable-length subnetting for two-host WAN subnets. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..8 Variable length subnetting of 131.107.106.0 This approach can require significant administrator overhead if you have numerous WAN links, each with its own subnet. If you do not use route summarization, each subnet requires another entry in the routing table, increasing the overhead of the routing process. Some vendors provide routers that support unnumbered connections. A link with unnumbered connections does not require its own subnet. However, you cannot ping the interfaces of an unnumbered connection. Planning Supernetting and Classless Interdomain Routing (CIDR) Although a class A network can have more than 16 million hosts, only 127 class A network IDs exist and no class A network IDs are currently available. For most organizations, the 254 host addresses available in a class C network ID is not sufficient. The 65,534 host addresses available in a class B network ID — if available — provide for a flexible subnetting scheme for most medium or large-size organizations. However, with the explosive growth of the Internet, Class B network IDs will soon be depleted. The Internet Assigned Numbers Authority (IANA) devised a new method of assigning network IDs to prevent the depletion of class B network IDs. Instead of assigning a class B network ID to a large organization or an organization that anticipates growth, IANA can assign a range of class C network IDs that contain enough network and host IDs for an organization's needs. This is known as supernetting. Similar to the way that subnetting allows you to divide class-based networks into smaller subnets by "borrowing" bits from the host part of the address, supernetting allows you to combine contiguous subnets into larger supernets by "borrowing" bits from the network part of the address. For example, rather than allocating a class B network ID to an organization that has 2,000 hosts, IANA might allocate a range of eight class C network IDs. Each class C network ID accommodates 254 hosts, for a total of 2,032 host IDs. Although this technique helps conserve class B network IDs, it creates a new problem. Using conventional routing techniques, the routers on the Internet must, in this example, have eight class C network ID entries in their routing tables to route IP packets to the organization. To prevent Internet routers from becoming overwhelmed with routes, a technique called Classless Interdomain Routing (CIDR) is used to collapse multiple network ID entries into a single entry corresponding to all of the class C network IDs allocated to that organization. CIDR is the form of route summarization used on the Internet. A supernetted subnet mask conveys the starting network ID and the number of class C network IDs allocated. The tables below demonstrate how eight class C network IDs are allocated. Table 2.2 indicates the contiguous allocation of eight class C network IDs, starting with network ID 220.78.168.0. Note that the first 21 bits (underlined) are the same in both rows. The last three bits of the third octet, which are borrowed from the network ID, range from 000 to 111. In decimal, the range is 0 to 7, or 8 total contiguous subnets, which are combined into one supernet. Table 2.2 Supernetted block of addresses Starting Network ID   220.78.168.0   11011100 01001110 10101000 00000000   Ending Network ID   220.78.175.0   11011100 01001110 10101111 00000000   If you use CIDR, a block of supernetted addresses, such as those in Table 2.2, is known as a CIDR block. Table 2.3 indicates the single CIDR entry that appears in the routing table. This entry represents all eight class C network IDs allocated to the example organization. Table 2.3 CIDR routing table entry Network ID Subnet Mask Subnet Mask (binary) 220.78.168.0   255.255.248.0   11111111 11111111 11111000 0000000   Using network prefix notation, the CIDR entry is 220.78.168.0/21. RIP v2, OSPF, and BGP v4, which can exchange routing information in the form of [Network ID, Network Mask] pairs, support CIDR. Choosing an Address Allocation Method You must choose an address allocation method that best fits your structured address model. You can choose one of the following methods, or combine two or more of them: Random address allocation. Using a random addressing structure, you can assign blocks of addresses randomly. Random address allocation might be the most frequently used address allocation method but it is the least desirable. For a small packet switching network where no significant growth is anticipated, this might be an appropriate approach. However, if the network does grow, random address allocation can cause extra work for network administrators. Summarizing the random collection of routes might be difficult or impossible. This method can cause stability problems, with numerous routes being advertised into the core. Addressing by organization chart. Using an address structure based on organization chart, you create subnets based on a pool of addresses pre-assigned to a department or team. If, for example, Sales is designated as 10.2.0.0/16, the address 10.2.1.0/24 might be the subnet for the sales team at one site and 10.2.2.0/24 might be the subnet for the sales team at another site. Limited possibilities for summarization might exist to the extent that contiguous subnets remain unassigned, but, as a rule, this kind of addressing scheme does not scale well. Addressing by geographical region. Using an address structure based on location, a greater degree of summarization is possible. However, as the internetwork of a geographically diverse organization continues to grow, fewer routes will be available for summarization. Addressing by topology. Using an address structure based on topology is the best way to make sure that summarization will take place and that an internetwork will remain effectively scalable and stable. Addressing by topology makes the addressing structure router-centric. Choosing Public or Private Addresses If you use a direct (routed) connection to the Internet, you must use public addresses. If you use an indirect connection, such as a proxy server or network address translator (NAT), you should use private addresses. Even an organization not connected to the Internet should use private addresses (rather than "unauthorized" addresses, described below) so that if the organization connects to the Internet using an indirect connection in the future, addresses then in use will not need to be changed. Public, private, and unauthorized addresses are described in the following sections. Public Addresses Public addresses are assigned by IANA and are guaranteed to be globally unique to the Internet. When public addresses are assigned, routes are programmed into the routers of the Internet so that traffic to assigned public addresses can reach those locations. Public addresses are reachable on the Internet. Private Addresses Private addresses are a pre-defined set of IP addresses provided by the designers of the Internet for those hosts within the organization that do not require direct access to the Internet. These addresses do not duplicate already-assigned public addresses. RFC 1918 defines the following three private address blocks: 10.0.0.0/8. The 10.0.0.0/8 private network is a class A network ID that allows the following range of valid IP addresses: 10.0.0.1 to 10.255.255.254. The 10.0.0.0/8 private network has 24 host bits that can be used for any subnetting scheme within the private organization. 172.16.0.0/12. The 172.16.0.0/12 private network can be interpreted either as a block of 16 class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The 172.16.0.0/12 private network allows the following range of valid IP addresses: 172.16.0.1 to 172.31.255.254. 192.168.0.0/16. The 192.168.0.0/16 private network can be interpreted either as a block of 256 class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The 192.168.0.0/16 private network allows the following range of valid IP addresses: 192.168.0.1 to 192.168.255.254. Because IP addresses in the private address space will never be assigned by IANA as public addresses, routes for private addresses will never exist in the Internet routers. The private address space can be re-used over and over again by any number of organizations, which helps to prevent the depletion of public addresses. Private addresses are not reachable on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a NAT before it is sent on the Internet. For more information about public and private addresses see "Introduction to TCP/IP" in the Networking Guide. Unauthorized Addresses Network administrators of private networks that have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if you decide to connect directly to the Internet after all, your current addressing scheme might include addresses already assigned by the IANA to other organizations. You cannot connect to the Internet using unauthorized addresses. Avoid using unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. At some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation. Network and Port Address Translation A Network Address Translator (NAT), defined in RFC 3022, is an IP router that can translate IP addresses from private (or public, that is, unauthorized) network addresses used inside an organization to public addresses used outside the organization. Implementing a NAT can be a good security solution for a small organization with multiple computers connecting to the Internet. For example, a small business typically obtains an Internet service provider (ISP)-allocated public IP address for each computer on the network. By using NAT, however, the small business can use private addressing and have NAT map its private addresses to a single or to multiple public IP addresses allocated by the ISP. Using NAT makes penetrating systems on the private network more difficult. It also allows several nodes on the private network, each with its own private address, to share a smaller number of scarcer public addresses to access the Internet. A variation of NAT is the Port Address Translator (PAT). By using PAT, you can map a private IP address to a specific TCP or UDP port running on top of a public IP address. In this way, you can map numerous private addresses to different ports with the same public address to keep separate conversations distinct. For more information about deploying NAT, see "Securing Networks with ISA" in this book. For more technical information about the NAT routing protocol component of RRAS, see "Unicast IP Routing" in the Internetworking Guide of the Microsoft Windows .NET Server Resource Kit. Planning an IP Configuration Strategy Every computer on a TCP/IP network requires a unique name and IP address. As noted earlier, using static addressing for TCP/IP clients is time-consuming and prone to error. To provide an alternative, the IETF developed the Dynamic Host Configuration Protocol (DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figure 2.9 shows the stage in the TCP/IP design process where you decide what to use for IP configuration. The flowchart assumes that most organizations choose to use DHCP. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..4 Choosing an IP configuration method Although BOOTP and DHCP hosts can interoperate, DHCP's ease of configuration makes it the preferred choice. BOOTP requires maintenance by a network administrator, whereas DHCP requires minimal maintenance after the initial installation and configuration. The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer running the DHCP service. DHCP simplifies IP address management because the DHCP server automatically allocates IP addresses and related TCP/IP configuration settings to DHCP-enabled clients on the network. This is especially useful in a network that frequently changes network configurations, including organizations with a large number of mobile users. The DHCP server dynamically assigns specific addresses from a manually designated range of addresses called a scope. The use of a scope permits such dynamic assignment to clients on the network no matter where they are located or how often they move. The DHCP implementation in Windows .NET Server is closely linked to the Domain Name System (DNS) and Windows Internet Name Service (WINS), so that network administrators benefit from combining all three when planning deployment. If you use DHCP servers for Microsoft network clients, you must use a name resolution service. Windows .NET Server networks use the DNS service to support Active Directory (in addition to general name resolution). Networks supporting Windows® NT® 4.0 and earlier clients must use WINS servers. Networks supporting a combination of Windows .NET Server, Windows® 2000, and Windows NT 4.0 clients must implement both WINS and DNS. The DHCP server uses three methods for assigning IP addresses to a client: Automatic allocation. The permanent assignment of an IP address to a client. Dynamic allocation. The assignment of an IP address to a client for a finite period of time, called a lease. Static allocation. A static IP address assignment made manually by an administrator. The DHCP server conveys that address assignment to the designated client. For more information about developing a DHCP strategy, see "Designing a DHCP Infrastructure" in this book. For more information about dynamic IP address allocation as well as information about name resolution on your Windows .NET TCP/IP network, see "Address Allocation and Name Resolution" in the Networking Guide. Planning TCP/IP Security The original developers of what became TCP/IP built decentralization into its basic structure to make it an inherently secure technology — if one part of a TCP/IP network, such as a large enterprise network or the Internet, fails or is sabotaged, the whole network is not brought down. Decentralization includes the following two components: End-node verification. When one computer (or other device) communicates with another in a TCP/IP network, the receiving computer acknowledges to the sending computer that the message was received and verifies the accuracy of the message based on its decoding of information included in the message by the sending computer. In this way, the end nodes (the computers at each end of the transmission) do not depend on some central verifying entity that, if out of commission, would prevent communication between the two nodes. Dynamic routing. Computers and other devices in a TCP/IP network can communicate via multiple paths, so that, if one path is down, transmission is not interrupted. The routers located along the various paths assess which path is most efficient at any given moment for forwarding the message. Since the advent of TCP/IP, additional possible security measures have evolved. You must develop the strategy for your TCP/IP deployment in tandem with your overall network security plan. Although elements of the security plan might not relate directly to IP deployment, every element of the deployment strategy will be impacted by that security plan. Security concerns that you can handle when deploying TCP/IP fall into two areas: Data encryption. Providing end-to-end security by encrypting the data stream. Internet Protocol security (IPSec) is the most efficient way of providing a secure data stream. Perimeter network. Securing your internal network from intrustion. A number of options are available for using a perimeter network to secure your internal network. Figure 2.10 shows the steps to incorporate IPSec and a perimeter network in your TCP/IP security plan. The flowchart assumes that most organizations will choose to use IPSec and to implement a perimeter network. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..5 Planning TCP/IP security The next two sections describe IPSec data encryption and establishing a perimeter network in the context of TCP/IP security. Using IPSec Data Encryption Effective integration with Internet Protocol security (IPSec) is becoming increasingly important to the secure deployment of TCP/IP in an enterprise internetwork. IPSec is the newly emerging framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The Windows .NET Server implementation of IPSec is based on standards developed by the IETF IPSec working group. Windows .NET Server uses the IPSec protocol suite to protect data traffic as it crosses a network. Although file encryption and required passwords protect information stored on network resources, they do not protect information as it moves across a network. Implementing IPSec lets you secure the following types of data: Data that moves across the part of your intranet that is not accessed by external users Data that moves across the part of your intranet that can be accessed by external users who have appropriate permissions Data that moves across the Internet Data that moves across an extranet IPSec security has two components: Authentication. To protect data from tampering en route, two computers authenticate each other before exchanging data. In Windows .NET TCP/IP, any computer can be an IPSec client (a computer initiating a connection to another computer) or IPSec server (the computer to which the IPSec client wants to connect). Encryption. Authentication prevents data tampering but does not prevent an intruder from seeing it. After authentication takes place, the IPSec client and server use the Internet Key Exchange (IKE) protocol to establish a secret key that encrypts the exchanged data so that it cannot be read. IPSec encryption is applied at the IP network layer, which makes it transparent to most applications that use specific protocols for network communication. With IPSec end-to-end security, the sending computer encrypts the IP packets, which are unreadable en route and can be decrypted only by the recipient computer. Due to a special algorithm for generating the same shared encryption key at both ends of the connection, the key does not need to be passed over the network. IPSec effectively provides data confidentiality and integrity as well as authentication between participating devices operating at the network layer. For more information about deploying IPSec see "Securing Networks with IPSec" in this book. For more technical information about IPSec see "Internet Protocol Security" in the Networking Guide. Using a Perimeter Network to Secure Your Internal Network Because the design and deployment of an IP internetworking environment require balancing private and public network concerns, the appropriately named "firewall" has become a key ingredient in safeguarding network integrity. A firewall is not a single component. The National Computer Security Association (NCSA) defines a firewall as "a system or combination of systems that enforces a boundary between two or more networks." Although different terms are used, that boundary is frequently known as a perimeter network. The perimeter network protects your intranet or enterprise LAN from intrusion by controlling access from the Internet or other large network. Figure 2.11 shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..6 A perimeter network securing the internal network Organizations vary in their approach to using firewalls for providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they pertain only to a few specific applications, such as a particular e-mail system. Circuit gateways are most effective when the user of a network application is of greater concern than the data being passed by that application. The proxy server is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services. IP packet filtering was the earliest implementation of firewall technology. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection. You can configure packet filtering either 1) to accept specific types of packets and deny all others, or 2) to deny specific types of packets and accept all others. Application gateways are used when the actual content of an application is of greatest concern. That they are application-specific is both their strength and their limitation, because they do not adapt easily to changes in technology. Circuit gateways are tunnels built through a firewall connecting specific processes or systems on one side with specific processes or systems on the other. Circuit gateways are best employed in situations where the person using an application is potentially a greater risk than the information carried by the application. The circuit gateway differs from a packet filter in its ability to connect to an out-of-band application scheme that can add additional information. Proxy servers are comprehensive security tools, which include firewall and application gateway functionality, that manage Internet traffic to and from a local area network (LAN). Proxy servers also provide document caching and access control. A proxy server can improve performance by caching and directly supplying frequently requested data, such as a popular Web page. A proxy server can also filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files. Take advantage of those firewall security features that can help you. Position a perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the perimeter maintained by the external firewall. You can fine-tune access control for the firewall to meet your needs and can configure firewalls to report all attempts at unauthorized access. Enhancing Your Design for Availability Availability refers to how much time the network is operational. You must track your current network's record of mean time between failures (MTBF) and mean time to recovery (MTTR). MTBF and MTTR tell you how often the network has failed in the past, and, on each occasion of failure, how much time was needed to restore service. To translate your general deployment plans into a specific TCP/IP network design, you need a clear grasp of your organization's availability requirements. For some organizations, unanticipated downtime is simply an irritating inconvenience. In other environments, unanticipated downtime could mean financial disaster, dramatic loss of credibility, or, as in health care or law enforcement, a risk to people's lives. Figure 2.12 shows strategies for optimizing availability in your network. The flowchart assumes that, for most organizations, network availability is either critical or important. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..7 Using redundancy to enhance availability To enhance your design for availability, avoid single points of failure by including: Redundant links and routers Secondary or back-up paths Each method for enhancing availability places different demands on the design of your structure. As the risk of downtime to your operation increases, you must build more redundancy into your design, both in terms of hardware and routing. Similarly, the greater the consequences of failure, the more resilient the network needs to be; that is, the greater the stress the network must be able to handle before its functionality is threatened. Also plan for disaster recovery when enhancing your design for availability. You must respond to the threat of network outage due to natural and man-made disasters. The more unacceptable the consequences of network failure, the more elaborate those precautions need to be. Redundant Links and Routers Single points of failure, such as devices, links and interfaces, can make a network vulnerable. If one such point were to fail, it would isolate users from services and, in the worst case, bring the entire network down. For a purely hierarchical network, one based on summarization and controlled access between tiers, every device and link is, by definition, such a point of failure. The role of redundancy is to provide alternative paths around points of failure. In a purely redundant network, each individual device, link, and interface is dispensable. No single device, link, or interface could isolate users or knock out the network. In most production environments, neither a purely hierarchical nor a purely redundant network is practical. You must balance the efficiency of a hierarchical network with the safety net of redundancy. Secondary or Backup Paths A secondary path consists of the interconnecting devices and the links between them that serve to duplicate the primary path's interconnecting devices and the links between them. For example, you can configure multiple routers to provide redundancy. A redundant design uses the secondary path to maintain network connectivity when any of the primary path's devices or links are down. Be sure to test on a regular basis any secondary paths you have implemented. Do not assume that they will work. The switch from the primary to the secondary path should occur transparently, if possible. For mission-critical applications, automatic failover is mandatory. Load Balancing In addition to its safety-net function, redundancy plays a second valuable role. The presence of two or more paths connecting the same source and destination networks, when properly configured, can significantly improve throughput by providing load balancing. Load balancing evenly divides the flow of traffic among parallel links. Most open standards routing protocols support load balancing across paths determined by the protocol to be equally favorable to the destination. In addition, some vendor proprietary routing protocols support load balancing where the cost of the paths (their relative favorability to the destination in terms of shortest distance, number of hops, and other criteria) are not considered equal. Optimizing TCP/IP for Performance For organizations that depend on delay-sensitive applications, performance optimization is an increasingly critical networking issue. You must design such networks to provide preferential service for these applications. After becoming familiar with the range of options offered both by vendors and by standards bodies, develop strategies to address the control of jitter and delay and to optimize the efficient use of bandwidth. Performance optimization can be categorized into two categories: Quality of Service (QoS) IP multicast If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..8 Optimizing TCP/IP for performance The following sections explain when and why to use QoS and IP multicasting. Using QoS to Optimize Voice and Video With the increasing importance of voice and video in internetworking and the additional bandwidth requirements these applications place on a network, TCP/IP network designers must consider more than just the quantity of bandwidth required by an application. Quality of traffic flow is equally important. Quality of Service (QoS) refers to a combination of mechanisms that enable you to select among varied services for network traffic. Each such service provides a specific quality level to application traffic crossing a network or multiple, disparate networks. Different classes of applications have varying degrees of tolerance for delay in network throughput. A QoS guarantee ensures the ability of an application to transmit data in an acceptable way, that is, in an acceptable time frame so that the transmission is not delayed, distorted, or lost. Implementing QoS means combining a set of IETF-defined technologies designed to alleviate the problems caused by shared network resources and limited bandwidth. For more information about QoS, see "IP Quality of Service" in the Networking Guide. Using IP Multicast Technologies to Optimize Bandwidth Using multicast addressing, a TCP/IP-based computer can use a single IP multicast address to send directed communication to a set of computers sharing that group address. Multicast addressing is particularly suitable for multiple-user multimedia applications, such as video conferencing, distance learning, and collaborative computing. Multicasting is an alternative to broadcasting and unicasting. Broadcast packet transmissions go to all nodes on the network (not just to those running the relevant application), which impairs the performance of every device on the network. Unicasting eliminates such datagram transmission to inappropriate devices, but simultaneous unicasts of identical data streams to a large number of users can flood the network. Multicasting transmits a single message to a select group of recipients. Multicast addressing supports dynamic membership, which allows individual computers to join or leave a multicast group at any time. Group membership is not limited by size, and computers are not restricted to membership in any single group. A TCP/IP-based computer can send datagrams to any multicast group in a way that is similar to sending e-mail to a group. Using an IP multicast address as the destination address, an IP datagram is forwarded to all members of the multicast group identified by the address. Standards for the multicast transmission of a data stream between the subnets of an internetwork include RFC 1112: Host Extensions for IP Multicasting and RFC 2236: Internet Group Management Protocol, Version 2. Such standards instruct routers how and where to route multicast traffic and, in general, how to optimize the transmission of multimedia. A multicast group of hosts shares the same Class D IP address. Class D addresses range, in dotted-decimal, from 224.0.0.0 to 239.255.255.255. Such a multicast group also uses a MAC-layer multicast address, allowing network adapters on inappropriate devices to ignore the data stream in question. Ethernet addresses reserved for multicasting range from 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF. For more information about IP Multicasting, see "Windows .NET TCP/IP" in the Networking Guide. Planning IPv4/IPv6 Coexistence and Migration to IPv6 In addition to the TCP/IP stack installed by default, Windows XP and the Windows .NET Server family include an IPv6 protocol stack you can use to test IPv6, to implement IPv4 and IPv6 coexistence, and to prepare for migration to a native IPv6 infrastructure. The transition from IPv4 to IPv6 is expected to take years. Depending on their needs, some organizations might choose to continue to use IPv4 exclusively, some will choose to migrate slowly while running both IPv4 and IPv6 in the interim, and some will choose to maintain IPv4 in one or more sections of their organization and implement IPv6 in other sections. After a brief overview introducing IPv6, the following sections describe mechanisms to enable coexistence with an IPv4 infrastructure and to prepare to eventually migrate to an IPv6-only infrastructure: IPv6 over IPv4 tunneling encapsulates IPv6 packets with an IPv4 header so they can be sent over an IPv4 infrastructure. PortProxy enables IPv4 applications for IPv6. DNS infrastructure is needed for successful coexistence because of the prevalent use of names (rather than addresses) to refer to network resources. As indicated in Figure 2.14, to support IPv6/IPv4 coexistence you must choose an IPv6 tunneling configuration (including choosing which technology to use to implement the tunneling) and upgrade your DNS infrastructure to support IPv6 nodes. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..9 Establishing IPv6/IPv4 coexistence IPv6 Overview To determine whether your organization will gain from implementing IPv6, consider how the following IPv6 features might improve your network and thus advance your organizational goals: New header format. The IPv6 header is designed to minimize overhead. Although IPv6 addresses are four times as large as IPv4 addresses, the IPv6 header is only twice as large as the IPv4 header. The efficient header design provides faster processing at intermediate routers. Large address space. IPv6 provides 16-byte IP addresses, in contrast to the 4-byte IPv4 IP addresses. The large IPv6 address space is designed to enable multiple levels of subnetting and address allocation from the Internet to individual subnets within an organization. Address-conservation techniques, such as the use of NATs, are no longer needed. Efficient and hierarchical addressing and routing infrastructure. IPv6 global addresses used on the IPv6 portion of the Internet are designed to create an efficient, hierarchical, and summarizable routing infrastructure that is based on the common occurrence of multiple levels of Internet service providers. On the IPv6 Internet, backbone routers have much smaller routing tables. Stateless and stateful address configuration. IPv6 simplifies host configuration by supporting both stateful address configuration (which uses a DHCP server) and stateless address configuration (which works without a DHCP server). By using stateless address configuration, hosts on a link automatically configure themselves with IPv6 addresses called link-local addresses and with addresses derived from prefixes advertised by local routers. Even without a router, hosts on the same link can automatically configure themselves with link-local addresses and can communicate with each other. Built-in security. IPv6 requires support for IPSec, which provides a standards-based solution for network security and promotes interoperability between different IPv6 implementations. Better support for QoS. The IPv6 header contains new fields that define how traffic is identified and prioritized. Because traffic is identified in the IPv6 header, support for QoS is available even when IPSec encryption is used. New protocol for neighboring node interaction. The IPv6 Neighbor Discovery protocol is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manage the interaction of nodes on the same link. Neighbor discovery replaces broadcast-based ARP, ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages. Extensibility. IPv6 is easily extended for new features by adding extension headers after the IPv6 header. The size of IPv6 extension headers is limited only by the size of the IPv6 packets. The following sections describe Windows .NET IPv6 dual-stack architecture, types of nodes recognized by IPv6, and how to install IPv6 on a computer running Windows XP or Windows ,NET Server. Windows .NET IPv6 dual-stack architecture Two implementations of the TCP/IP protocol suite that support both IPv4 and IPv6 in hosts and routers are the following: Standard dual IP layer Windows .NET dual-stack architecture The dual IP layer implementation of the TCP/IP protocol stack provides both an IPv4 and an IPv6 Internet layer as the mechanism that IPv6/IPv4 nodes use to communicate with both IPv4-only and IPv6-only nodes. However, the Windows XP and Windows .NET Server family IPv6 protocol is not exactly the same as the standard dual IP layer. Instead, Windows provides the same functionality in terms of supporting IPv4 and IPv6 coexistence and migration by using a different dual-stack architecture. The Windows IPv6 protocol driver, Tcpip6.sys, contains a separate implementation of TCP and UDP for IPv4 and for IPv6. Figure 2.15 shows how the standard dual IP layer and the Windows dual-stack alternative implementation each has an architecture that is different in structure but similar in function. If your browser does not support inline frames, click here to view on a separate page. Figure 2.15 Standard dual-IP layer and Windows dual-stack implementation Both types of architecture enable IPv6/IPv4 nodes to communicate with either an IPv4-only node or an IPv6-only node, as indicated in Figure 2.16. Figure 2.16 IPv6/IPv4 node using standard dual IP layer or Windows .NET dual-stack layer for communication According to RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers, either the standard dual IP layer technique or the Windows dual-stack architecture may be used with the IPv6-over-IPv4 tunneling techniques. Types of nodes RFC 2893 defines the following types of nodes: IPv4-only node. Does not support IPv6. IPv6-only node. Can communicate only with IPv6 nodes and applications. IPv6/IPv4 node. Implements both IPv4 and IPv6. IPv4 node. Can be either an IPv4-only node or an IPv6/IPv4 node. IPv6 node. Can be an IPv6-only node or an IPv6/IPv4 node. IPv4-only nodes can communicate with IPv6-only nodes by using an IPv4-to-IPv6 translation gateway. Coexistence between IPv4 and IPv6 occurs when IPv4-only nodes can communicate with IPv6/IPv4 nodes. Migration occurs after all IPv4-only nodes are converted to IPv6-only nodes. For the foreseeable future, however, partial migration is the practical goal. Partial migration occurs when as many IPv4-only nodes as possible are converted to IPv6/IPv4 nodes. For more information about the different node types, see RFC 2893. Installing IPv6 on a computer After you install either the Windows XP or a Windows .NET Server family operating system on a computer, you can install IPv6 on that computer by typing ipv6 install at the command prompt. Doing so makes this computer an IPv6/IPv4 node that can use the Windows dual-stack layer to communicate with IPv4-only nodes and with IPv6-only nodes. Planning Tunneling Configurations for IPv6 Based on your current network infrastructure and future plans, you must choose a configuration to tunnel IPv6 traffic between IPv6/IPv4 nodes over an IPv4 infrastructure. The different tunneling configurations defined in RFC 2893 are: Router-to-Router Host-to-Router or Router-to-Host Host-to-Host Note IPv6 over IPv4 tunneling only encapsulates IPv6 packets with an IPv4 header so they can travel across an IPv4 infrastructure. Unlike tunneling for the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP), no messages for tunnel setup, maintenance, or termination are exchanged. Router-to-Router Tunneling Use the router-to-router tunneling configuration to transmit messages between two IPv6 nodes in two IPv4 or IPv6 domains (or other infrastructures) separated by an IPv4 infrastructure. The tunnel that conveys the message across the IPv4 infrastructure has an IPv6/IPv4 router at each end. The IPv6-over-IPv4 tunnel between the two routers acts as a single hop between the two IPv4 or IPv6 infrastructures. Figure 2.17 shows router-to-router tunneling. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..17 Router-to-router tunneling Examples of router-to-router tunneling include: An IPv6-only test lab that tunnels across an organizations IPv4 infrastructure to reach the IPv6 Internet. Two IPv6-only domains that tunnel across the IPv4 Internet. A 6to4 router that tunnels across the IPv4 Internet to reach another 6to4 router or a 6to4 relay router. Host-to-Router and Router-to-Host Tunneling Use the host-to-router and router-to-host tunneling configuration to send IPv6 packets between an IPv6/IPv4 node in an IPv4 infrastructure and an IPv6 node in an IPv4 or IPv6 infrastructure: Host-to-router. An IPv6/IPv4 node in an IPv4 infrastructure creates an IPv6-over-IPv4 tunnel to reach an IPv6/IPv4 router that then forwards the message to an IPv6 node in an IPv4 or IPv6 infrastructure. The IPv6-over-IPv4 tunnel between the IPv6/IPv4 node and the IPv6/IPv4 router acts as a single hop. Router-to-host. When an IPv6 node in an IPv4 or IPv6 infrastructure sends a message to an IPv6/IPv4 node in an IPv4 infrastructure, it first sends the message to an IPv6/IPv4 router, and then the router creates an IPv6-over-IPv4 tunnel across an IPv4 infrastructure to forward the message to the IPv6/IPv4 node. The IPv6-over-IPv4 tunnel between the IPv6/IPv4 router and the IPv6/IPv4 node acts as a single hop. Figure 2.18 shows host-to-router (for traffic traveling from Node A to Node B) and router-to-host (for traffic traveling from Node B to Node A) tunneling. If your browser does not support inline frames, click here to view on a separate page. Figure Error! Reference source not found..18 Host-to-router and router-to-host tunneling Examples of host-to-router and router-to-host tunneling include: An IPv6/IPv4 host that tunnels across an organization's IPv4 infrastructure to reach the IPv6 Internet. An Intra-site Automatic Tunnel Addressing Protocol (ISATAP) host that tunnels across an IPv4 network to an ISATAP router to reach the IPv4 Internet, another IPv4 network, or an IPv6 network. (For more information about ISATAP, see "Choosing Tunneling Technologies" later in this chapter.) An ISATAP router that tunnels across an IPv4 network to reach an ISATAP host. Host-to-Host Tunneling Use the host-to-host tunneling configuration to transmit messages between two IPv6/IPv4 nodes inside an IPv4 infrastructure. The sending IPv6/IPv4 node creates an IPv6 over IPv4 tunnel to reach the other IPv6/IPv4 node. The IPv6-over-IPv4 tunnel between the IPv6/IPv4 nodes acts as a single hop. Figure 2.19 shows host-to-host tunneling. Figure Error! Reference source not found..19 Host-to-host tunneling Examples of host-to-host tunneling include: Two computers running Windows XP or Windows .NET Server family that use 6to4 to tunnel to each other's site across the Internet. IPv6/IPv4 hosts that use ISATAP addresses to tunnel across an organization's IPv4 infrastructure Using Configured or Automatic Tunnels RFC 2893 defines the following types of tunnels: Configured Automatic The type of tunneling configuration needed — router-to-router, host-to-router and router-to-host, or host-to-host (described earlier) — determines whether or not you use configured or automatic tunnels. A configured tunnel requires manual configuration of tunnel endpoints. Router-to-router and host-to-router tunneling configurations typically require manual configuration. For example, you can manually configure an IPv6 tunnel to reach the IPv6 Internet across the IPv4 Internet. However, not all router-to-router and host-to-router tunnels require manual configuration. As described later, 6to4-router-to-6to4-router tunnels and ISATAP-host-to-ISTAP-router tunnels are configured automatically. To manually create a configured tunnel for the IPv6 protocol for Windows XP and the Windows .NET Server family, use the netsh interface ipv6 add v6v4tunnel command. An automatic tunnel does not require manual configuration. Tunnel endpoints are determined by the use of logical tunnel interfaces, routes, and source and destination IPv6 addresses. Windows XP and Windows .NET Server use automatic tunnels for IPv4-compatible addresses, 6to4 addresses, 6over4 addresses, and addresses with ISATAP-derived interface identifiers. Automatic Tunneling Technologies After determining the tunneling configurations required by your networking environment, you should understand the different technologies used to implement the tunneling. Windows XP and the Windows .NET Server family support the following automatic tunneling technologies: 6over4 6to4 ISATAP The following sections describe each of these technologies. 6over4 6over4, also known as IPv4 multicast tunneling, is a host-to-host, host-to-router, and router-to-host automatic tunneling technology that is described in RFC 2529. 6over4 enables IPv6 communication among IPv6/IPv4 nodes over an IPv4 multicast-enabled infrastructure. 6over4 for the IPv6 protocol for Windows XP and for the Windows .NET Server family is disabled by default. To enable 6over4 for specific IPv4 addresses, type netsh interface ipv6 set global 6over4=enabled at the command prompt. This command creates a new 6over4 tunneling pseudo-interface for each IPv4 address assigned to the node. 6to4 6to4 is an address assignment and router-to-router automatic tunneling technology that is described in RFC 3056. 6to4 enables the use of IPv6 without the requirement of obtaining either a direct connection to the IPv6 Internet or an IPv6 global address prefix from an Internet service provider (ISP). For example, use 6to4 hosts, an IPv6 routing infrastructure within a site, a 6to4 router at the site boundary, and a 6to4 relay router to enable the following types of communication: A 6to4 host communicating with another 6to4 host within the same site. A 6to4 host communicating with 6to4 hosts in other sites across the IPv4 Internet. A 6to4 host communicating with hosts on the IPv6 Internet. ISATAP Intra-site Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and host-to-host, host-to-router, and router-to-router automatic tunneling technology that is described in the Internet Draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)" (draft-ietf-ngtrans-isatap-0x.txt). To read the draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. ISATAP enables the communication between IPv6/IPv4 nodes on the same logical subnet in an IPv4 network, but not with IPv6 addresses on other subnets. ISATAP derives an interface identifier (the last 64 bits of an IPv6 address) based on an IPv4 address assigned to the node. The encoded IPv4 address in the source and destination IPv6 addresses are used as the automatic tunnel endpoints. To communicate outside the logical subnet using ISATAP-derived global addresses, IPv6 hosts using ISATAP-derived addresses must tunnel their packets to an ISATAP router. ISATAP hosts do not require any manual configuration and create ISATAP-derived addresses using standard address autoconfiguration mechanisms. Note You do not need to choose whether to use 6to4 or ISATAP. Windows XP and Windows .NET Server will determine whether to use 6to4, ISATAP, or both, depending upon the Internet layer protocol (IPv4 or IPv6) of the sending host and the destination of the next hop. Using PortProxy to Enable IPv4 Applications for IPv6 You use new PortProxy service for nodes that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address, Internet layer protocol (IPv4 or IPv6), TCP port, or UDP port. Its primary purpose is to enable IPv4 applications for IPv6. PortProxy translates TCP and UDP traffic from IPv4 to either IPv4 or IPv6 or from IPv6 to either IPv6 or IPv4. In the context of IPv6/IPv4 coexistence or migration, use the PortProxy service to enable any of the following scenarios: An IPv4-only node can access an IPv6-only node. An IPv6-only node can access an IPv4-only node. An IPv6 node can access an IPv4-only service (such as Internet Information Services (IIS), which, for Beta 3, does not use IPv6) running on an IPv6/IPv4 node. An IPv6 node can access another IPv6 node. The Netsh Interface Portproxy commands provide a command-line tool to administer servers that act as proxies between IPv4 and IPv6 networks and applications. To configure the PortProxy service, use the netsh interface portproxy add|set|delete v4tov4|v4tov6|v6tov4|v6tov6 commands. For details about how to use the PortProxy netsh commands, see "Netsh commands for Interface PortProxy" in Windows .NET Server Help and Support Center or in the operating system command-line Help file called Ntcmds.chm. For more information about IPv6, see "Introduction to IPv6" and "Windows. NET IPv6" in the Networking Guide; and see the IPv6 link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources/default.asp. Configuring DNS for IPv6/IPv4 Coexistence For IPv6/IPv4 coexistence, you must upgrade the DNS infrastructure by populating the DNS servers with IPv6 address records to support IPv6 name-to-address resolutions and, optionally, pointer records to support IPv6 address-to-name resolutions: Address Records. The DNS infrastructure must contain the following resource records (populated either manually or dynamically) to successfully resolve domain names to addresses: A records for IPv4-only and IPv6/IPv4 nodes AAAA records for IPv6-only and IPv6/IPv4 nodes Pointer Records (optional). The DNS infrastructure must contain the following resource records (populated either manually or dynamically) to successfully resolve addresses to domain names (reverse queries): PTR records in the IN-ADDR.ARPA domain for IPv4-only and IPv6/IPv4 nodes PTR records in the IP6.INT domain for IPv6-only and IPv6/IPv4 nodes For name-to-address resolution, after the querying node obtains the set of addresses corresponding to the name, the node must determine the set of addresses to choose as source and destination for outbound packets. Supporting IPv6 name-to-address resolution is not an issue in today's prevalent IPv4-only environment. However, in an environment in which IPv4 and IPv6 coexist, the set of addresses returned in a DNS query may contain multiple IPv4 and IPv6 addresses. The querying host is configured with at least one IPv4 address and (typically) multiple IPv6 addresses. Deciding which type of address (IPv4 versus IPv6), and then the scope of the address (public versus private for IPv4 and link-local versus site-local versus global versus coexistence for IPv6), for both the source and the destination addresses is complex. Two algorithms, one for source address selection and another for destination address selection, specify default behavior for all IPv6 implementations. All IPv6 nodes, including both hosts and routers, must implement default address selection. These algorithms do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms include an optional mechanism that lets administrators override the default behavior. In dual-stack implementations, the destination address selection algorithm considers both IPv4 and IPv6 addresses, and determines whether it prefers IPv6 addresses over IPv4 addresses, or vice-versa. For more information about default address selection rules, see the InternetDraft titled "Default Address Selection for IPv6" (draft-ietf-ipngwg-default-addr-select-0x.txt). To read the draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources/default.asp. Testing Your Design After purchasing any new hardware and software required by your TCP/IP network design but before implementing your new TCP/IP infrastructure in your production network, you must systematically measure your solution against your organization's business and technical goals. Test your deployment strategy before you implement your new design in your production environment to help ensure the success of your design. Network testing lets you assess the performance quality of network devices and technologies. It also lets you assess the reliability of a service provider, anticipate potential bottlenecks, identify implementation-related risks, and instill confidence about the process in others in the organization. Figure 2.20 shows the network design testing process. If your browser does not support inline frames, click here to view on a separate page. Figure 2.20 Testing your network design For information about building test network prototypes in a lab, see "Setting Up a Test Environment" in this book. Reviewing Industry Tests Vendors, trade journals, and independent test labs extensively test devices and other network solutions. You may find their published results useful for validating or rejecting assumptions. Keep in mind that most lab tests are component tests rather than system tests and may fail to measure how a particular network design might impact the performance of the specific device or technology being evaluated. Using Network Testing Tools Use the following tools to test your network design: Modeling and Simulation Tools Network Management and Monitoring Tools QoS and Service Management Tools The following sections describe each of these sets of tools. Some of these tools are designed for testing purposes, and others are for more general use. Modeling and Simulation Tools Use statistical analysis and modeling techniques to simulate a mathematical model of a network. Creating a model lets you to isolate potential performance problems before you actually implement any part of an IP network. In most cases, no actual traffic behavior is measured by these tools, so evaluate the results with this limitation in mind. Network Management and Monitoring Tools Typically, you use network management and monitoring tools after you have already implemented a network. However, these tools can also be of great use when your IP network is still in its testing phase. You can use a number of effective commercially available network management applications to identify problems and potential problems on your test network. Many of these applications run on dedicated network management stations (NMS) and communicate with internetworking devices using Simple Network Management Protocol (SNMP) or Remote Monitoring (RMON). Using data supplied by an SNMP or RMON Management Information Base or MIB located on the devices, a network management application can isolate performance problems in a proposed network design. Windows .NET Server includes Network Monitor (Netmon.exe), a protocol analyzer that you can use to monitor a new network design. Network Monitor captures and displays packets, analyzing their traffic patterns, rate of broadcast, errors, utilization, and other aspects of their behavior. The Network Monitor component that ships with the Windows .NET Server family can capture frames that are sent to or from the computer on which Network Monitor is installed. To capture frames that are sent to or from a remote computer, you can use the Network Monitor component that ships with Microsoft Systems Management Server (SMS), which can capture frames sent to or from any computer on which the Network Monitor driver is installed. For more information about Network Monitor, see the Windows .NET Server online Help. For the SMS Network Monitor component, see the SMS Downloads link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources/default.asp. QoS and Service Management Tools Use QoS and service management tools to perform end-to-end performance analysis. Some of these tools monitor the real-time performance of an application and others anticipate an application's performance before it is deployed. Additional Resources These resources contain additional information related to this chapter. Related Information in the Resource Kits "Introduction to TCP/IP" in the Networking Guide for more information about TCP/IP. "Windows .NET TCP/IP" in the Networking Guide for more information about TCP/IP implementation in Windows .NET Server. "TCP/IP Tools" in the Networking Guide for more information about tools used for TCP/IP-based networks. "Introduction to IPv6" and "Windows .NET IPv6" in the Networking Guide for more information about Ipv6. "Address Allocation and Name Resolution" in the Networking Guide for more information about dynamic IP address allocation as well as information about name resolution on your Windows .NET TCP/IP network. "Unicast IP Routing" in the Internetworking Guide for technical information about the NAT routing protocol component of RRAS. "Internet Protocol Security" in the Networking Guide for technical information about IPSec. "Windows .NET TCP/IP" in the Networking Guide for more information about IP Multicasting. Related Information Outside the Resource Kits Top-Down Network Design by Priscilla Oppenheimer, 1999, Indianapolis, IN: Cisco Press/Macmillan Technical Publishing. Routing in the Internet (2nd Edition) by Christian Huitema, 2000, Upper Saddle River, NJ: Prentice Hall PTR. Interconnections (2nd Edition) by Radia Perlman, 2000, Reading, MA: Addison-Wesley.

MPRM Group Limited ~ Free Music ~ CanadaEmails.com ~ Family Internet ~ e-Music.ca RSS News Channel Reader