
Designing a TCP/IP Network

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

The TCP/IP protocol suite defines industry standard networking protocols for data
networks, including the Internet. Determining the best design and implementation of your
TCP/IP network ensures optimal reliability, availability, scalability, security, and
performance for your enterprise. You can also start to explore the next generation of the
Internet layer protocol of the TCP/IP protocol suite — IP version 6 (IPv6) — by
introducing Microsoft® Windows® Server 2003 IPv6 into part of your IPv4 network.

In This Chapter
Overview of Designing a TCP/IP Network

Planning the IP-Based Infrastructure

Developing Routing Strategies

Designing an IP Addressing Scheme

Planning an IP Configuration Strategy

Planning Security

Improving Availability

Planning IP Multicasting

Introducing IPv6 on Your Network

Testing Your Design

Additional Resources for Designing a TCP/IP Network

Related Information
• For more information about IP configuration strategies using Dynamic Host
Configuration Protocol (DHCP), see "Deploying DHCP" in this book.

• For more information about using Domain Name System (DNS) for name
resolution, see "Deploying Domain Name System (DNS)" in this book.

• For more information about using Windows Internet Name Service (WINS) for
name resolution in networks that support clients running Microsoft®
Windows NT®, see "Deploying WINS" in this book.

Overview of Designing a TCP/IP Network

Designing your IP deployment includes deciding how you want to implement IP in a new
environment, or — for most organizations — examining your existing infrastructure and
deciding what to change. Windows Server 2003 TCP/IP, the most widely used
networking protocol, can connect different types of systems, provide a framework for
client/server applications, and give users access to the Internet. TCP/IP is included in the
Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003,
Enterprise Edition; Windows® Server 2003, Datacenter Edition; and Windows®
Server 2003, Web Edition operating systems.

Before you start the TCP/IP design process, inventory your hardware and software and
create or update a map of your network topology. Preparing an inventory and network
map can save time and help you focus on the design decisions you want to address. After
you review your existing network, you might upgrade several servers to Windows
Server 2003 in order to take advantage of end-to-end support for TCP/IP, or you might
decide to redesign your entire network to improve its efficiency and prepare for the future
of IP networking. Determine which design tasks are relevant to your environment, and
then decide what changes you want to make to your network. For more information about
creating a hardware and software inventory and a network topology map, see "Planning
for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit.

To start the TCP/IP design process, you must make a number of design decisions about
your network infrastructure. For enterprise-wide scalability, you might decide to plan
your IP infrastructure based on a hierarchical network design model. You must also
choose between hardware and software-based routers, and decide where to use static
routing or dynamic routing protocols. You must carefully design a structured model for
IP address assignment that fits your current networking environment and that
accommodates expected growth. Your model can use either public or private addresses,
or you can use a combination of public and private addresses.

In addition, consider security issues for an IP network, including where best to use
Internet Protocol security (IPSec) and which options are appropriate for securing your
perimeter network. For higher availability and load balancing, you can include
redundancy in your network design. Decide whether you need to use technology
enhancements such as IP multicast to optimize server workload and network bandwidth.
You might start deploying IPv6 on certain network servers or clients, and, if so, decide
how you want to implement IPv6/IPv4 coexistence.

After you develop your network design, you can use the remaining chapters in this book
as a guide for deploying core features, such as DHCP, DNS, and WINS, as well as
optional technologies, such as support for mobile or home users, connecting remote sites,
or deploying wireless solutions.

Planning the IP-Based Infrastructure

To create or expand an enterprise network, you can choose from many design models,
including a network infrastructure model based on the three-tier design model. This
model, a hierarchical network design model described by Cisco Systems, Inc. and other
networking vendors, is widely used as a reference in the design of enterprise networks.

Figure 1.2 shows the tasks involved in creating a three-tier TCP/IP infrastructure.

Figure 1.2 Planning the IP-Based Infrastructure


The modular nature of a hierarchical model such as the three-tier model can simplify
deployment, capacity planning, and troubleshooting in a large internetwork. In this design
model, the tiers represent the logical layers of functionality within the network. In some
cases, network devices serve only one function; in other cases, the same device may
function within two or more tiers.

The three tiers of this hierarchical model are referred to as the core, distribution, and
access tiers. Figure 1.3 illustrates the relationship between network devices operating
within each tier.

Figure 1.3 Three-Tier Network Design Model


Designing the Access Tier
The access tier is the layer in which users connect to the rest of the network, including
individual workstations and workgroup servers. The access tier usually includes a
relatively large number of low- to medium-speed access ports, whereas the distribution
and core tiers usually contain fewer, but higher-speed network ports. Design the access
tier with efficiency and economy in mind, and balance the number and types of access
ports to keep the volume of access requests within the capacity of the higher layers.

Designing the Distribution Tier

The distribution tier distributes network traffic between related access layers, and
separates the locally destined traffic from the network traffic destined for other tiers
through the core.

Network security and access control policies are often implemented within this tier.
Network devices in this layer can incorporate technologies such as firewalls and address
translators.

The distribution tier is often the layer in which you define subnets; through the definition
of subnets, distribution devices often function as routers. Decisions about routing
methods and routing protocols affect the scalability and performance of the network in
this tier.

A server network in the distribution layer might house critical network services and
centralized application servers. Computers running Windows Server 2003 can be used
there to run the Active Directory® directory service, DNS, DHCP, and other core
infrastructure services.

Designing the Core Tier
The core tier facilitates the efficient transfer of data between interconnected distribution
tiers. The core tier typically functions as the high-speed backbone of the enterprise
network. This tier can include one or more building-wide or campus-wide backbone local
area networks (LANs), metropolitan area network (MAN) backbones, and high-speed
regional wide area network (WAN) backbones.

The primary design goal for the core is reliable, high-speed network performance. As a
general rule, locate any feature that might affect the reliability or performance of this tier
in an access or distribution tier instead.

Select highly reliable network equipment for the core tier, and design a fault-tolerant core
system whenever possible. Many products meet these criteria, and most major network
vendors offer complete solutions to meet the requirements of the core tier.

For more information about designing a three-tier network model, see "Additional
Resources for Designing a TCP/IP Network" later in this chapter.

Developing Routing Strategies

After planning your network infrastructure based on your design model, plan how to
implement routing. Figure 1.4 shows the tasks involved in developing a unicast routing
strategy. For information about IP multicast routing, see "Planning IP Multicasting" later
in this chapter.

Figure 1.4 Developing a Routing Strategy

To plan an effective routing solution for your environment, you must understand the
differences between hardware routers and software routers; static routing and dynamic
routing; and distance vector routing protocols and link state routing protocols.

Designing an IP Addressing Scheme

Before assigning addresses, design an IP addressing scheme that meets the requirements
of your networking infrastructure. Figure 1.5 shows the tasks involved in designing your
IP addressing system, including planning your address assignment model, address
allocation, and public or private addressing. Most organizations choose to use classless IP
addressing, classless IP routing protocols, and route summarization.

Figure 1.5 Designing an IP Addressing Scheme

For information about IP multicast addressing, see "Planning IP Multicasting" later in
this chapter.

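Route summarization arithmetic for the classless addressing this section recommends, added here as an example and not code from the chapter: given the subnets behind one distribution router, the first function computes the exact set of summary routes and the second computes the single shortest prefix that covers them all. The subnet lists are constructed for the example. The single-prefix function goes a step beyond the text by also reporting how many addresses an aggregate route claims that no subnet actually uses, which is the check to run before advertising a summary: an over-broad summary silently attracts traffic for address blocks that do not exist behind that router.

```python
import ipaddress

IPV4_BITS = 32


def exact_summary(networks):
    """Collapse a list of IPv4 prefixes into the smallest exact set of
    summary routes: adjacent, aligned blocks merge, gaps are preserved."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(networks):
    """Return (summary, overclaim): the single shortest prefix covering every
    network, and how many addresses that prefix advertises beyond the space
    the input blocks actually use. overclaim > 0 means the aggregate route
    draws traffic for address space this router does not serve."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Longest prefix length under which lo and hi share their leading bits
    for prefix in range(IPV4_BITS, -1, -1):
        mask = (0xFFFFFFFF << (IPV4_BITS - prefix)) & 0xFFFFFFFF
        if (lo & mask) == (hi & mask):
            break
    summary = ipaddress.IPv4Network(
        f"{ipaddress.IPv4Address(lo & mask)}/{prefix}")
    # Count each used address once even if the inputs overlap
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), summary.num_addresses - covered


# Constructed example: four contiguous /24 subnets behind one distribution router
BRANCH_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24",
                  "192.168.2.0/24", "192.168.3.0/24"]
# Constructed example: a sparse allocation that cannot be summarized cleanly
SPARSE_SUBNETS = ["10.1.0.0/24", "10.1.5.0/24"]

if __name__ == "__main__":
    print(exact_summary(BRANCH_SUBNETS))    # ['192.168.0.0/22']
    print(single_summary(BRANCH_SUBNETS))   # ('192.168.0.0/22', 0)
    print(exact_summary(SPARSE_SUBNETS))    # ['10.1.0.0/24', '10.1.5.0/24']
    print(single_summary(SPARSE_SUBNETS))   # ('10.1.0.0/21', 1536)
```

The contiguous, aligned blocks collapse to one /22 with nothing over-claimed; the sparse pair can only be covered by a /21 that advertises 1,536 unused addresses, which is the case where a design should either renumber the blocks to be contiguous or advertise the two prefixes separately.
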
Planning an IP Configuration Strategy

Every computer on an IP network must have a unique IP address. As noted earlier, using
static addressing for clients is time-consuming and prone to error. To provide an
alternative for IPv4, the IETF developed the Dynamic Host Configuration Protocol
(DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figure 1.9 shows the
stage in the TCP/IP design process during which you decide what to use for IP
configuration. Most organizations choose to use DHCP for IPv4.

Figure 1.9 Planning an IP Configuration Strategy

Although BOOTP and DHCP hosts can interoperate, DHCP is easier to configure.
BOOTP requires maintenance by a network administrator, whereas DHCP requires
minimal maintenance after the initial installation and configuration.

The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer
running the DHCP service. Compared with static addressing, DHCP simplifies IP address
management because the DHCP server automatically allocates IP addresses and related
TCP/IP configuration settings to DHCP-enabled clients on the network. This is especially
useful on a network with frequent configuration changes — for example, in an
organization that has a large number of mobile users.

The DHCP server dynamically assigns specific addresses from a manually designated
range of addresses called a scope. By using scopes, you can dynamically assign addresses
to clients on the network no matter where the clients are located or how often they move.

DHCP Integration with DNS and WINS
The DHCP implementation in Windows Server 2003 is closely linked to name resolution
services such as the Domain Name System (DNS) service and the Windows Internet
Name Service (WINS). Network administrators benefit from combining all three when
planning a deployment.

If you use DHCP servers for Windows-based network clients, you must use a name
resolution service. In addition to name resolution, Windows Server 2003 networks use
DNS to support Active Directory. Domain-based networks supporting clients running
Windows NT version 4.0 or earlier or NetBIOS applications must use WINS servers.
Networks supporting a combination of clients running Windows XP, Windows 2000,
Windows Server 2003, and Windows NT 4.0 must implement both WINS and DNS.

DHCP, APIPA, and IP Address Allocation

DHCP clients receive IP addresses as follows:

• Dynamic allocation — from DHCP server. After you configure DHCP, the
DHCP server automatically assigns an IP address from a specified scope to a
client for a finite period of time called a lease. Most clients receive a dynamic IP
address.

• Static allocation — from DHCP server. For a specific computer (such as a
DHCP, DNS, or WINS server, or a print server, firewall, or router), you can
manually configure the TCP/IP properties, including the IP address, the DNS and
WINS parameters, and default gateway information. For the static clients to be on
the same subnet as other, dynamically allocated computers, the static IP addresses
must be within the scope or subnet defined for dynamic address allocation. You
can use the DHCP snap-in to set an exclusion range to prevent the DHCP server
from dynamically allocating the static IP address.

• Client reservation — from DHCP server. By using the DHCP snap-in, you can
also reserve a specific IP address for permanent use by a given DHCP client.

• Automatic allocation — APIPA. In the absence of a DHCP server, Automatic
Private IP Addressing (APIPA) lets a workstation configure itself with an address
in the range from 169.254.0.1 to 169.254.255.254. Computers using APIPA
addresses can communicate only with other computers that are also using APIPA
addresses within a single subnet. In this case, a computer has an IP address but
cannot connect outside the subnet. APIPA regularly checks for the presence of a
DHCP server; if it detects one, it yields to the DHCP service, which then assigns a
dynamic address to replace the APIPA address. APIPA is designed primarily for
simple networks with only one subnet, such as small or home-based networks. On
a larger network, APIPA can be useful for identifying problems with DHCP:
when a client uses an APIPA address, this indicates that a DHCP server has not
been found.

• Alternate configuration — user configured. In the absence of a DHCP server,
alternate configuration lets a computer use an IP address configured manually by
the user. Alternate configuration is designed for a computer that is used on more
than one network, such as a laptop used both at the office and at home. The user
can specify an IP address on the computer’s TCP/IP properties Alternate
Configuration tab if at least one of the networks (for example, the home office)
does not have a DHCP server and APIPA addressing is not wanted. If alternate
configuration is not configured and no DHCP server is found, TCP/IP uses
APIPA by default.
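
A small model of the allocation rules listed above, added here as an example rather than code from the chapter or from the Windows DHCP service: a scope with an exclusion range protecting statically configured hosts, a client reservation, renewal returning the same lease, and a classifier that reads an APIPA address as the "no DHCP server found" signal the text describes. The scope, exclusion range and MAC addresses are constructed; the APIPA range is 169.254.0.0/16 as given above, and the private blocks are the RFC 1918 ranges.

```python
import ipaddress

# APIPA range from the text; RFC 1918 private blocks
APIPA_RANGE = ipaddress.IPv4Network("169.254.0.0/16")
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_client_address(ip):
    """Interpret the address a client ended up with. An APIPA address means
    the client never reached a DHCP server, which is the troubleshooting
    signal the text describes."""
    addr = ipaddress.IPv4Address(ip)
    if addr in APIPA_RANGE:
        return "apipa"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


class Scope:
    """A DHCP scope: a dynamic range plus exclusions (statically configured
    hosts inside the subnet) and reservations (fixed address per client)."""

    def __init__(self, network, first, last, exclusions=(), reservations=None):
        self.network = ipaddress.IPv4Network(network)
        self.first = ipaddress.IPv4Address(first)
        self.last = ipaddress.IPv4Address(last)
        self.excluded = set()
        for lo, hi in exclusions:
            lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            while lo <= hi:
                self.excluded.add(lo)
                lo += 1
        self.reservations = {}
        for mac, ip in (reservations or {}).items():
            addr = ipaddress.IPv4Address(ip)
            if addr not in self.network:   # a reservation must lie in the subnet
                raise ValueError(f"reservation {ip} is outside {self.network}")
            self.reservations[mac] = addr
        self.leases = {}   # MAC -> leased address

    def offer(self, mac):
        """Address the server offers this client, or None if the scope is exhausted."""
        if mac in self.leases:
            return str(self.leases[mac])          # renewal keeps the same address
        addr = self.reservations.get(mac)
        if addr is None:
            addr = self._next_free()
        if addr is None:
            return None
        self.leases[mac] = addr
        return str(addr)

    def _next_free(self):
        unavailable = (self.excluded | set(self.reservations.values())
                       | set(self.leases.values()))
        candidate = self.first
        while candidate <= self.last:
            if candidate not in unavailable:
                return candidate
            candidate += 1
        return None


def build_scope():
    """Constructed example scope: .10-.20 hold statically configured servers
    and are excluded; one printer has a reservation by MAC address."""
    return Scope("192.168.10.0/24", "192.168.10.10", "192.168.10.200",
                 exclusions=[("192.168.10.10", "192.168.10.20")],
                 reservations={"00-aa-bb-cc-dd-01": "192.168.10.50"})


def demo():
    scope = build_scope()
    return [scope.offer("00-aa-bb-cc-dd-10"),   # first dynamic client
            scope.offer("00-aa-bb-cc-dd-01"),   # the reserved printer
            scope.offer("00-aa-bb-cc-dd-11"),   # second dynamic client
            scope.offer("00-aa-bb-cc-dd-10")]   # first client again: same lease


if __name__ == "__main__":
    print(demo())
    for ip in ("169.254.12.7", "192.168.10.21", "203.0.113.5"):
        print(ip, classify_client_address(ip))
```

The point of the exclusion set is the one the text makes: the static servers sit inside the same subnet as the dynamic clients, so the scope must span them, and the exclusion is what keeps the server from ever leasing those addresses to someone else.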

Planning Security

IP does not have a default security mechanism. Without security, both public and private
IP networks are susceptible to unauthorized monitoring and access. To prevent these
types of security breach, develop a security strategy for your IP deployment in tandem
with your overall network security plan.

Ways that you can enhance security when deploying IP include:

• Securing IP packets. Provide end-to-end security by securing IP packets, which
requires that you not use address translation (unless both peers support IPSec
NAT-T and use ESP to protect traffic). IPSec is the most efficient way to provide
a secure data stream.

• Deploying a perimeter network. Use a perimeter network to help secure your
internal network from intrusion. Several options are available for doing this.

Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in
your IP security plan.

Figure 1.10 Planning IP Security


Improving Availability

Availability refers to how much time the network is operational. Planning well for
availability improves both your network’s mean time between failures (MTBF) and its
mean time to recovery (MTTR) after a network failure.

To improve availability in your IP network design, you must know your organization’s
availability requirements. For some organizations, unanticipated down time is simply an
irritating inconvenience. In other environments, unanticipated down time could mean
financial disaster, drastic loss of credibility, or, as in health care or law enforcement, a
risk to safety.

Figure 1.12 shows the process for improving availability on your network.

Figure 1.12 Improving Availability

Each method for improving availability places different demands on the design of your
network. As the risk of down time to your operation increases, build more redundancy
into your design, both in hardware and routing. Similarly, as the consequences of failure
increase, make your network more resilient by increasing the amount of stress it can
handle before it loses functionality.

Implementing Redundancy
Single points of failure, such as devices, links, and interfaces, can make a network
vulnerable. If one such point fails, it isolates users from services and, in the worst case,
causes entire sections of the network to fail. For a purely hierarchical network — one
based on summarization and controlled access between tiers — every device and link is a
point of failure.

Redundancy provides alternative paths around points of failure. In a purely redundant
network, each individual device, link, and interface is dispensable. No single device, link,
or interface can isolate users or cause the network to fail.

In most production environments, neither a purely hierarchical nor a purely redundant
network is practical. You must balance the efficiency of a hierarchical network with the
safety net of redundancy.
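
The availability arithmetic behind the trade-off just described, added here as an example and not taken from the chapter: the standard steady-state availability of a component from its MTBF and MTTR, the series composition that models a purely hierarchical path (every device and link must be up), and the parallel composition that models redundant paths (down only when every path is down). The device figures are constructed. The parallel formula assumes independent failures and a failover that actually works, which is exactly why secondary paths need regular testing; it also does not shorten any component's MTTR, it only hides the repair from users.

```python
HOURS_PER_YEAR = 8760


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one component: uptime over total time."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(avails):
    """A purely hierarchical path: the path is up only if every element is up."""
    result = 1.0
    for a in avails:
        result *= a
    return result


def parallel(avails):
    """Redundant paths: service is down only if every path is down.
    Assumes independent failures and a transparent, working failover."""
    unavailable = 1.0
    for a in avails:
        unavailable *= (1.0 - a)
    return 1.0 - unavailable


def annual_downtime_hours(a):
    """Expected hours of outage per year at availability a."""
    return (1.0 - a) * HOURS_PER_YEAR


def compare_designs(device_mtbf, device_mttr, hops, paths):
    """Availability of a single path of `hops` identical devices versus
    `paths` identical parallel copies of that path: (single, redundant)."""
    a_dev = availability(device_mtbf, device_mttr)
    single = series([a_dev] * hops)
    redundant = parallel([single] * paths)
    return single, redundant


if __name__ == "__main__":
    # Constructed figures: devices with a 10,000 h MTBF and a 4 h MTTR,
    # three hops between access and core, primary path alone vs. with a secondary path
    single, redundant = compare_designs(10000, 4, hops=3, paths=2)
    print(f"single path:    {single:.6f}  ({annual_downtime_hours(single):.2f} h/yr down)")
    print(f"with secondary: {redundant:.8f}  ({annual_downtime_hours(redundant):.4f} h/yr down)")
```

With these constructed numbers the single three-hop path loses roughly ten hours a year, while adding one tested secondary path brings the expected outage below a minute. The model also shows where the page's warning bites: if the failover is untested and fails, the parallel term collapses back to the single-path figure.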

Implementing Secondary Paths

After deploying multiple devices to eliminate single points of failure, configure
secondary paths to take advantage of the multiple devices. A secondary path, or backup
path, consists of the interconnecting devices and the links between them that duplicate
the devices and links in the primary path. For example, you can configure multiple
routers to provide redundancy.

A redundant design uses the secondary path to maintain network connectivity when any
of the primary path’s devices or links fails. Be sure to test any secondary paths on a
regular basis. Do not assume that they will work. If possible, ensure that the switch from
the primary path to the secondary path occurs transparently. For mission-critical
applications, automatic failover is mandatory.

Using Load Balancing

In addition to its safety net function, redundancy plays a second valuable role. By
properly configuring two or more paths that connect the same source and destination
networks, you can significantly improve throughput by providing load balancing. Load
balancing evenly divides the flow of traffic among parallel links.

Most routing protocols based on open standards support load balancing across paths that
the protocol determines to be equally favorable to the destination. In addition, some
vendors’ proprietary routing protocols support load balancing where the costs of the paths
(their relative favorability to the destination in terms of shortest distance, number of hops,
and other criteria) are not considered equal.

For more information about network load balancing, see "Designing Network Load
Balancing" in Planning Server Deployments of this kit.

Planning IP Multicasting

With IP multicasting, one device can send a single data stream that the network replicates
only as necessary so that multiple devices receive the data. Because of the minimal
overhead required to create the data stream and the low overhead on the network,
multicast communication is particularly suitable for multiple-user multimedia
applications such as video conferencing, distance learning, and collaborative computing.
You can also use multicast traffic to discover resources on the internetwork and to
support datacasting applications such as file distribution or database synchronization.

Using the IP multicast components of the Windows Server 2003 TCP/IP protocol and the
Routing and Remote Access service, you can send and receive IP multicast traffic from
multicast-enabled portions of your intranet or the Internet and from remote access clients.
You can use IP multicast to optimize server loading and network bandwidth.

Figure 1.13 shows the tasks involved in planning IP multicasting.

Figure 1.13 Planning IP Multicasting

In multicast routing, routers communicate multicast group membership information to
each other using multicast routing protocols, and forward data across the internetwork.
Multicast forwarding refers to the process of forwarding multicast traffic to networks on
which other multicast devices are listening. The multicast-capable portion of the Internet
is referred to as the Internet multicast backbone, or MBone.

All computers running Windows Server 2003 can both send and receive IP multicast
traffic. Windows Server 2003 TCP/IP can listen for IPv4 multicast traffic and use a
multicast forwarding table to determine where to forward incoming multicast traffic.

Figure 1.14 shows one common configuration of IP multicast components. For examples
of a number of supported multicast configurations, see the Networking Collection of the
Windows Server 2003 Technical Reference (or see the Networking Collection on the Web
at http://www.microsoft.com/reskit).

Figure 1.14 IP Multicast Components

Introducing IPv6 on Your Network

In addition to the IPv4 stack installed by default, Windows Server 2003 and Windows XP
include an IPv6 protocol stack that you can use to test IPv6, to explore IPv6-enabled
applications, and to prepare for possible eventual migration to a native IPv6
infrastructure.

It is expected that IPv4 and IPv6 will coexist on enterprise networks for a number of
years. Depending on their needs, some organizations might continue to use IPv4
exclusively, some will migrate slowly while running both IPv4 and IPv6 in the interim,
and some will maintain IPv4 in one or more sections of their organization and implement
IPv6 in other sections.

To ensure that your organization makes best use of IPv6 capabilities with the least
administrative overhead, include a plan for introducing IPv6 into the design for your
TCP/IP network. To prepare to introduce IPv6, you must explore the new functionality
introduced by IPv6, plan IPv6 addressing, plan how to route IPv6 traffic over an existing
IPv4 infrastructure or an IPv6 infrastructure, decide whether to deploy DNS dynamic
update, and decide whether to deploy PortProxy to enable IPv4 applications (where
possible) for IPv6. Figure 1.15 shows each task in the planning process.

Figure 1.15 Introducing IPv6 on Your Network


Testing Your Design

After acquiring any new hardware and software that your network design requires,
systematically measure the new solution against your organization’s business and
technical goals. Testing your design before deploying it in a production environment
ensures that those goals are met with minimum impact.

Predeployment testing lets you assess the performance characteristics of network devices
and technologies. Testing also helps you identify deployment-related risks, and instills
confidence in the deployment process throughout your organization.

Figure 1.19 shows the process for testing a TCP/IP network design.

Figure 1.19 Testing Your Network Design


Reviewing Industry Tests
Vendors, trade journals, and independent test labs extensively test devices and other
network solutions. You might find their published results useful for validating or
rejecting assumptions. Keep in mind that most lab tests are component tests rather than
system tests and can fail to measure how a particular network design might impact the
performance of the specific device or technology.

Using Network Testing Tools

Use the following types of tools to test your network design:

• Modeling and simulation tools

• Network management and monitoring tools

Modeling and simulation tools

Use statistical analysis and modeling techniques to simulate a mathematical model of a
network. By creating a model, you can isolate potential performance problems before you
actually deploy any part of an IP network. In most cases, these tools do not measure
actual traffic behavior, so evaluate the results with this limitation in mind.

Network management and monitoring tools

Typically, you use network management and monitoring tools after deploying a network.
However, these tools can also help you test your IP network design in a lab. You can use
a number of effective commercially available network management applications to
identify problems and potential problems on your test network.

Many of these applications run on dedicated network management stations (NMSs) and
communicate with internetworking devices using Simple Network Management Protocol
(SNMP) or Remote Monitoring (RMON). By using data supplied by an SNMP or RMON
Management Information Base (MIB) located on the devices, a network management
application can isolate performance problems in a proposed network design.

Windows Server 2003 includes the Network Monitor tool (Netmon.exe), a protocol
analyzer that you can use to monitor a new network design. Network Monitor captures
and displays packets, analyzing their traffic patterns, rate of broadcast, errors, utilization,
and other aspects of their behavior.

The Network Monitor component that ships with Windows Server 2003 can capture
frames that are sent to or from the computer on which Network Monitor is installed. To
capture frames that are sent to or from a remote computer, you can use the Network
Monitor component that ships with Microsoft® Systems Management Server (SMS),
which can capture frames sent to or from any computer on which the Network Monitor
driver is installed.

For more information about the Network Monitor component, see Help and Support
Center for Windows Server 2003.

Additional Resources for Designing a TCP/IP Network

These resources contain additional information related to this chapter.

Related Information
• "Deploying IPSec" in this book for more information about using Internet
Protocol security (IPSec).

• "Deploying ISA Server" in this book for more information about deploying
Network Address Translation (NAT).

• The Networking Collection of the Windows Server 2003 Technical Reference (or
see the Networking Collection on the Web at http://www.microsoft.com/reskit)
for more information about TCP/IP, IPSec, and IPv6 in Windows Server 2003.

• The Networking Collection of the Windows Server 2003 Technical Reference (or
see the Networking Collection on the Web at http://www.microsoft.com/reskit)
for technical information about unicast IP routing, including the NAT routing
protocol component of the Routing and Remote Access service.

• "Planning for Deployment" in Planning, Testing, and Piloting Deployment
Projects of this kit for more information about inventorying your network
hardware and software and creating a map of your network topology.

• Cisco Internetwork Design by Matthew Birkner, 2000, Indianapolis, IN: Cisco
Press for more information about the three-tier network design model.

• Top-Down Network Design by Priscilla Oppenheimer, 1999, Indianapolis, IN:
Cisco Press/Macmillan Technical Publishing for more information about the
three-tier network design model.

• Understanding IPv6 by Joseph Davies, 2002, Redmond, WA: Microsoft Press.

• Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical
Reference by Joseph Davies and Thomas Lee, 2002, Redmond, WA: Microsoft
Press.

• Routing in the Internet (2nd Edition) by Christian Huitema, 2000, Upper Saddle
River, NJ: Prentice Hall PTR.

• Interconnections (2nd Edition) by Radia Perlman, 2000, Reading, MA: Addison-
Wesley.

Related Tools
• Netsh commands for Interface IPv6

You can use the Netsh commands for Interface IPv6 to manage configuration of
the IPv6 protocol. For more information about how to use the Netsh commands
for Interface IPv6, see the Netsh command-line help or see "Netsh commands for
Interface IPv6" in the Help and Support Center for Windows Server 2003.

• Netsh commands for Interface Portproxy

The Netsh commands for Interface Portproxy provide a command-line tool for
administering servers that act as proxies between IPv4 and IPv6 networks and
applications. For more information about how to use the Netsh Interface
PortProxy commands, see the Netsh command-line help or see "Netsh commands
for Interface PortProxy" in Help and Support Center for Windows Server 2003.

• Ipsec6.exe

For experimenting with IPSec for IPv6, you can use the Ipsec6 tool to configure
IPSec policies and security associations in an IPv6 environment. For more
information about Ipsec6, see "IPv6 utilities" in Help and Support Center for
Windows Server 2003.

• Network Monitor (Netmon.exe)

The Network Monitor tool (Netmon.exe) is a protocol analyzer that you can use to
monitor a new network design. For more information about Netmon.exe, see
"Network Monitor" in Help and Support Center for Windows Server 2003.

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the
Search box, click Set search options. Under Help Topics, select the Search in title
only checkbox.

• "Using multicast scopes" in Help and Support Center for Windows Server 2003.

• "Netsh commands for Interface Portproxy" in Help and Support Center for
Windows Server 2003.