Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
The TCP/IP protocol suite defines industry standard networking protocols for data
networks, including the Internet. Determining the best design and implementation of your
TCP/IP network ensures optimal reliability, availability, scalability, security, and
performance for your enterprise. You can also start to explore the next generation of the
Internet layer protocol of the TCP/IP protocol suite — IP version 6 (IPv6) — by
introducing Microsoft® Windows® Server 2003 IPv6 into part of your IPv4 network.
In This Chapter
Overview of Designing a TCP/IP Network
Planning Security
Improving Availability
Planning IP Multicasting
Related Information
• For more information about IP configuration strategies using Dynamic Host
Configuration Protocol (DHCP), see "Deploying DHCP" in this book.
• For more information about using Domain Name System (DNS) for name
resolution, see "Deploying Domain Name System (DNS)" in this book.
• For more information about using Windows Internet Name Service (WINS) for
name resolution in networks that support clients running Microsoft®
Windows NT®, see "Deploying WINS" in this book.
Overview of Designing a TCP/IP Network
Designing your IP deployment includes deciding how you want to implement IP in a new
environment, or — for most organizations — examining your existing infrastructure and
deciding what to change. TCP/IP, the most widely used networking protocol suite, can
connect different types of systems, provide a framework for client/server applications,
and give users access to the Internet. Windows Server 2003 TCP/IP is included in the
Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003,
Enterprise Edition; Windows® Server 2003, Datacenter Edition; and Windows®
Server 2003, Web Edition operating systems.
Before you start the TCP/IP design process, inventory your hardware and software and
create or update a map of your network topology. Preparing an inventory and network
map can save time and help you focus on the design decisions you want to address. After
you review your existing network, you might upgrade several servers to Windows
Server 2003 in order to take advantage of end-to-end support for TCP/IP, or you might
decide to redesign your entire network to improve its efficiency and prepare for the future
of IP networking. Determine which design tasks are relevant to your environment, and
then decide what changes you want to make to your network. For more information about
creating a hardware and software inventory and a network topology map, see "Planning
for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit.
To start the TCP/IP design process, you must make a number of design decisions about
your network infrastructure. For enterprise-wide scalability, you might decide to plan
your IP infrastructure based on a hierarchical network design model. You must also
choose between hardware and software-based routers, and decide where to use static
routing or dynamic routing protocols. You must carefully design a structured model for
IP address assignment that fits your current networking environment and that
accommodates expected growth. Your model can use either public or private addresses,
or you can use a combination of public and private addresses.
In addition, consider security issues for an IP network, including where best to use
Internet Protocol security (IPSec) and which options are appropriate for securing your
perimeter network. For higher availability and load balancing, you can include
redundancy in your network design. Decide whether you need to use technology
enhancements such as IP multicast to optimize server workload and network bandwidth.
You might start deploying IPv6 on certain network servers or clients, and, if so, decide
how you want to implement IPv6/IPv4 coexistence.
After you develop your network design, you can use the remaining chapters in this book
as a guide for deploying core features, such as DHCP, DNS, and WINS, as well as
optional technologies, such as support for mobile or home users, connecting remote sites,
or deploying wireless solutions.
To create or expand an enterprise network, you can choose from many design models,
including a network infrastructure model based on the three-tier design model. This
model, a hierarchical network design model described by Cisco Systems, Inc. and other
networking vendors, is widely used as a reference in the design of enterprise networks.
Figure 1.2 shows the tasks involved in creating a three-tier TCP/IP infrastructure.
The three tiers of this hierarchical model are referred to as the core, distribution, and
access tiers. Figure 1.3 illustrates the relationship between network devices operating
within each tier.
Network security and access control policies are often implemented within the access
tier. Network devices in this tier can incorporate technologies such as firewalls and
address translators.
The distribution tier is often the layer in which you define subnets; through the definition
of subnets, distribution devices often function as routers. Decisions about routing
methods and routing protocols affect the scalability and performance of the network in
this tier.
A server network in the distribution layer might house critical network services and
centralized application servers. Computers running Windows Server 2003 can be used
there to run the Active Directory® directory service, DNS, DHCP, and other core
infrastructure services.
Designing the Core Tier
The core tier facilitates the efficient transfer of data between interconnected distribution
tiers. The core tier typically functions as the high-speed backbone of the enterprise
network. This tier can include one or more building-wide or campus-wide backbone local
area networks (LANs), metropolitan area network (MAN) backbones, and high-speed
regional wide area network (WAN) backbones.
The primary design goal for the core is reliable, high-speed network performance. As a
general rule, locate any feature that might affect the reliability or performance of this tier
in an access or distribution tier instead.
Select highly reliable network equipment for the core tier, and design a fault-tolerant core
system whenever possible. Many products meet these criteria, and most major network
vendors offer complete solutions to meet the requirements of the core tier.
For more information about designing a three-tier network model, see "Additional
Resources for Designing a TCP/IP Network" later in this chapter.
After planning your network infrastructure based on your design model, plan how to
implement routing. Figure 1.4 shows the tasks involved in developing a unicast routing
strategy. For information about IP multicast routing, see "Planning IP Multicasting" later
in this chapter.
Figure 1.4 Developing a Routing Strategy
To plan an effective routing solution for your environment, you must understand the
differences between hardware routers and software routers; static routing and dynamic
routing; and distance vector routing protocols and link state routing protocols.
Before assigning addresses, design an IP addressing scheme that meets the requirements
of your networking infrastructure. Figure 1.5 shows the tasks involved in designing your
IP addressing system, including planning your address assignment model, address
allocation, and public or private addressing. Most organizations choose to use classless IP
addressing, classless IP routing protocols, and route summarization.
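As an added example (not code from this chapter or from Microsoft), the following Python script uses the standard ipaddress module to lay out a hierarchical classless address plan and to show what route summarization buys you and what a gap in the plan costs. The blocks 10.0.0.0/8 and 2001:db8::/32, the one-/16-per-distribution-site and one-/24-per-access-subnet split, and the site and subnet numbers are assumptions chosen for illustration. The IPv6 half mirrors the same plan onto a /48 per site and a /64 per subnet, which is the kind of parallel IPv6 addressing plan the IPv6 coexistence discussion later in this chapter asks you to prepare.

```python
from ipaddress import IPv4Network, IPv6Network, collapse_addresses

# Constructed example blocks (assumptions, not values from the chapter): RFC 1918
# private space for IPv4, and the documentation prefix 2001:db8::/32 standing in
# for the organization's IPv6 allocation.
ENTERPRISE_V4 = IPv4Network("10.0.0.0/8")
ENTERPRISE_V6 = IPv6Network("2001:db8::/32")


def nth_subnet(block, new_prefix, n):
    """Return the n-th subnet of `block` at `new_prefix`, computed arithmetically
    so that n can double as a stable site or subnet number in the plan."""
    size = 1 << (block.max_prefixlen - new_prefix)
    net = type(block)((int(block.network_address) + n * size, new_prefix))
    if not net.subnet_of(block):
        raise ValueError(f"{net} falls outside {block}")
    return net


def site_plan(site, subnet_ids):
    """Hierarchical plan for one distribution site: the site number selects an
    IPv4 /16 and an IPv6 /48, and each access subnet number selects the /24 and
    the /64 with the same number, so the two address families stay parallel."""
    v4_site = nth_subnet(ENTERPRISE_V4, 16, site)
    v6_site = nth_subnet(ENTERPRISE_V6, 48, site)
    return {
        "v4_site": v4_site,
        "v6_site": v6_site,
        "v4_subnets": [nth_subnet(v4_site, 24, i) for i in subnet_ids],
        "v6_subnets": [nth_subnet(v6_site, 64, i) for i in subnet_ids],
    }


def summarize(subnets):
    """Route summarization: the smallest set of prefixes that covers exactly the
    given subnets, which is what a distribution router should advertise upward."""
    return list(collapse_addresses(subnets))


def check_no_overlap(subnets):
    """Return every pair of subnets that overlap; a sound address plan returns []."""
    nets = sorted(subnets, key=lambda n: (int(n.network_address), n.prefixlen))
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def demo():
    site1 = site_plan(1, [0, 1, 2, 3])      # four contiguous /24s
    site2 = site_plan(2, [0, 1, 2, 4])      # subnet 3 skipped: leaves a hole
    return {
        "site1_summary": summarize(site1["v4_subnets"]),   # one /22
        "site2_summary": summarize(site2["v4_subnets"]),   # the hole costs two extra prefixes
        "site1_v6": site1["v6_subnets"],
        "overlaps": check_no_overlap(site1["v4_subnets"] + site2["v4_subnets"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, [str(v) for v in value])
```

Reserving the subnet numbers contiguously per site is what keeps each distribution router's advertisement to a single prefix; the site2 case shows that a hole in the numbering leaks extra, more specific routes into the core, which is exactly the routing-table growth that summarization is meant to prevent.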
Every computer on an IP network must have a unique IP address. As noted earlier, using
static addressing for clients is time-consuming and prone to error. To provide an
alternative for IPv4, the IETF developed the Dynamic Host Configuration Protocol
(DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figure 1.9 shows the
stage in the TCP/IP design process during which you decide what to use for IP
configuration. Most organizations choose to use DHCP for IPv4.
Although BOOTP and DHCP hosts can interoperate, DHCP is easier to configure.
BOOTP requires maintenance by a network administrator, whereas DHCP requires
minimal maintenance after the initial installation and configuration.
The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer
running the DHCP service. Compared with static addressing, DHCP simplifies IP address
management because the DHCP server automatically allocates IP addresses and related
TCP/IP configuration settings to DHCP-enabled clients on the network. This is especially
useful on a network with frequent configuration changes — for example, in an
organization that has a large number of mobile users.
The DHCP server dynamically assigns specific addresses from a manually designated
range of addresses called a scope. By using scopes, you can dynamically assign addresses
to clients on the network no matter where the clients are located or how often they move.
DHCP Integration with DNS and WINS
The DHCP implementation in Windows Server 2003 is closely linked to name resolution
services such as the Domain Name System (DNS) service and the Windows Internet
Name Service (WINS). Network administrators benefit from combining all three when
planning a deployment.
If you use DHCP servers for Windows-based network clients, you must use a name
resolution service. In addition to name resolution, Windows Server 2003 networks use
DNS to support Active Directory. Domain-based networks supporting clients running
Windows NT version 4.0 or earlier or NetBIOS applications must use WINS servers.
Networks supporting a combination of clients running Windows XP, Windows 2000,
Windows Server 2003, and Windows NT 4.0 must implement both WINS and DNS.
• Dynamic allocation — from DHCP server. After you configure DHCP, the
DHCP server automatically assigns an IP address from a specified scope to a
client for a finite period of time called a lease. Most clients receive a dynamic IP
address.
• Client reservation — from DHCP server. By using the DHCP snap-in, you can
also reserve a specific IP address for permanent use by a given DHCP client.
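To make the scope, lease and reservation mechanics above concrete, here is an added Python example (not code from this chapter or from the Windows DHCP service) that builds and parses DHCP messages in the RFC 2131 wire format, which is the BOOTP fixed header followed by the magic cookie and the RFC 2132 options, and answers a DISCOVER from a scope that honors client reservations before handing out dynamic addresses. The scope range 192.0.2.0/24, the reserved MAC address, and the eight-day lease value are constructed for illustration; the eight days is an assumption matching the Windows Server 2003 DHCP default lease, not something this chapter states.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Option codes from RFC 2132; the magic cookie marks the start of DHCP options
# inside the BOOTP vendor field, which is what lets BOOTP and DHCP interoperate.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
DEFAULT_LEASE = 8 * 24 * 3600   # assumed: eight days, the Windows Server 2003 default


class Scope:
    """A manually designated address range with client reservations and leases."""

    def __init__(self, network, first, last, router, dns, server_id, reservations=()):
        self.network = IPv4Network(network)
        self.router, self.dns = IPv4Address(router), IPv4Address(dns)
        self.server_id = IPv4Address(server_id)
        self.reservations = {bytes.fromhex(mac.replace(":", "")): IPv4Address(ip)
                             for mac, ip in reservations}
        reserved = set(self.reservations.values())
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.free = [IPv4Address(a) for a in range(lo, hi + 1) if IPv4Address(a) not in reserved]
        self.leases = {}   # chaddr -> address handed out dynamically

    def allocate(self, chaddr):
        """A client reservation wins; otherwise reuse or hand out a dynamic address."""
        if chaddr in self.reservations:
            return self.reservations[chaddr]
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            raise RuntimeError("scope exhausted")
        self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


def build_message(op, xid, chaddr, yiaddr, options):
    """236-byte BOOTP fixed header, then the DHCP cookie and TLV options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, len(chaddr), 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    tlv = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + tlv + bytes([OPT_END])


def parse_message(data, expected_xid=None):
    """Parse a BOOTP/DHCP message. Rejects anything without the cookie and, when
    expected_xid is given, any reply whose transaction ID is not ours: DHCP
    carries no authentication, so the xid check is the least a client must do."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if expected_xid is not None and xid != expected_xid:
        raise ValueError("transaction ID mismatch: reply is not for our request")
    msg = {"op": op, "xid": xid, "yiaddr": IPv4Address(data[16:20]),
           "chaddr": data[28:28 + hlen], "options": {}}
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad option
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][code] = value
        i += 2 + length
    return msg


def make_offer(scope, discover):
    """Answer a DISCOVER with an OFFER carrying the address and related settings."""
    if discover["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    addr = scope.allocate(discover["chaddr"])
    options = [
        (OPT_MSG_TYPE, bytes([DHCPOFFER])),
        (OPT_SUBNET_MASK, scope.network.netmask.packed),
        (OPT_ROUTER, scope.router.packed),
        (OPT_DNS, scope.dns.packed),
        (OPT_LEASE_TIME, struct.pack("!I", DEFAULT_LEASE)),
        (OPT_SERVER_ID, scope.server_id.packed),
    ]
    return build_message(BOOTREPLY, discover["xid"], discover["chaddr"], addr, options)


def demo():
    # Constructed scope in the 192.0.2.0/24 documentation range, one reservation.
    scope = Scope("192.0.2.0/24", "192.0.2.100", "192.0.2.199", "192.0.2.1", "192.0.2.10",
                  "192.0.2.10", reservations=[("00:11:22:33:44:55", "192.0.2.150")])
    results = {}
    for xid, mac in ((0x1234, "00:11:22:33:44:55"), (0x5678, "aa:bb:cc:dd:ee:ff")):
        chaddr = bytes.fromhex(mac.replace(":", ""))
        discover = build_message(BOOTREQUEST, xid, chaddr, "0.0.0.0",
                                 [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
        offer = parse_message(make_offer(scope, parse_message(discover)), expected_xid=xid)
        lease = struct.unpack("!I", offer["options"][OPT_LEASE_TIME])[0]
        results[mac] = (str(offer["yiaddr"]), lease)
    return results


if __name__ == "__main__":
    print(demo())
```

The reserved client receives 192.0.2.150 regardless of scope order, while the first unreserved client receives the first free dynamic address, 192.0.2.100; both get the same lease time and the server identifier they will echo back in their REQUEST.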
Planning Security
IP itself provides no security mechanism. Without additional protection, both public and
private IP networks are susceptible to unauthorized monitoring and access. To prevent
these types of security breaches, develop a security strategy for your IP deployment in
tandem with your overall network security plan.
Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in
your IP security plan.
Improving Availability
Availability refers to how much time the network is operational. Planning well for
availability both lengthens your network’s mean time between failures (MTBF) and
shortens its mean time to recovery (MTTR) after a network failure.
To improve availability in your IP network design, you must know your organization’s
availability requirements. For some organizations, unanticipated down time is simply an
irritating inconvenience. In other environments, unanticipated down time could mean
financial disaster, drastic loss of credibility, or, as in health care or law enforcement, a
risk to safety.
Figure 1.12 shows the process for improving availability on your network.
Figure 1.12 Improving Availability
Each method for improving availability places different demands on the design of your
network. As the risk of down time to your operation increases, build more redundancy
into your design, both in hardware and routing. Similarly, as the consequences of failure
increase, make your network more resilient by increasing the amount of stress it can
handle before it loses functionality.
Implementing Redundancy
Single points of failure, such as devices, links, and interfaces, can make a network
vulnerable. If one such point fails, it isolates users from services and, in the worst case,
causes entire sections of the network to fail. For a purely hierarchical network — one
based on summarization and controlled access between tiers — every device and link is a
point of failure.
A redundant design uses the secondary path to maintain network connectivity when any
of the primary path’s devices or links fails. Be sure to test any secondary paths on a
regular basis. Do not assume that they will work. If possible, ensure that the switch from
the primary path to the secondary path occurs transparently. For mission-critical
applications, automatic failover is mandatory.
Most routing protocols based on open standards support load balancing across paths that
the protocol determines to be equally favorable to the destination. In addition, some
vendors’ proprietary routing protocols support load balancing where the costs of the paths
(their relative favorability to the destination in terms of shortest distance, number of hops,
and other criteria) are not considered equal.
For more information about network load balancing, see "Designing Network Load
Balancing" in Planning Server Deployments of this kit.
Planning IP Multicasting
With IP multicasting, one device can send a single data stream that the network replicates
only as necessary so that multiple devices receive the data. Because of the minimal
overhead required to create the data stream and the low overhead on the network,
multicast communication is particularly suitable for multiple-user multimedia
applications such as video conferencing, distance learning, and collaborative computing.
You can also use multicast traffic to discover resources on the internetwork and to
support datacasting applications such as file distribution or database synchronization.
Using the IP multicast components of the Windows Server 2003 TCP/IP protocol and the
Routing and Remote Access service, you can send and receive IP multicast traffic from
multicast-enabled portions of your intranet or the Internet and from remote access clients.
You can use IP multicast to optimize server loading and network bandwidth.
Figure 1.14 shows one common configuration of IP multicast components. For examples
of a number of supported multicast configurations, see the Networking Collection of the
Windows Server 2003 Technical Reference (or see the Networking Collection on the Web
at http://www.microsoft.com/reskit).
In addition to the IPv4 stack installed by default, Windows Server 2003 and Windows XP
include an IPv6 protocol stack that you can use to test IPv6, to explore IPv6-enabled
applications, and to prepare for possible eventual migration to a native IPv6
infrastructure.
It is expected that IPv4 and IPv6 will coexist on enterprise networks for a number of
years. Depending on their needs, some organizations might continue to use IPv4
exclusively, some will migrate slowly while running both IPv4 and IPv6 in the interim,
and some will maintain IPv4 in one or more sections of their organization and implement
IPv6 in other sections.
To ensure that your organization makes best use of IPv6 capabilities with the least
administrative overhead, include a plan for introducing IPv6 into the design for your
TCP/IP network. To prepare to introduce IPv6, you must explore the new functionality
introduced by IPv6, plan IPv6 addressing, plan how to route IPv6 traffic over an existing
IPv4 infrastructure or an IPv6 infrastructure, decide whether to deploy DNS dynamic
update, and decide whether to deploy PortProxy to enable IPv4 applications (where
possible) for IPv6. Figure 1.15 shows each task in the planning process.
After acquiring any new hardware and software that your network design requires,
systematically measure the new solution against your organization’s business and
technical goals. Testing your design before deploying it in a production environment
ensures that those goals are met with minimum impact.
Predeployment testing lets you assess the performance characteristics of network devices
and technologies. Testing also helps you identify deployment-related risks, and instills
confidence in the deployment process throughout your organization.
Figure 1.19 shows the process for testing a TCP/IP network design.
Typically, you use network management and monitoring tools after deploying a network.
However, these tools can also help you test your IP network design in a lab. You can use
a number of effective commercially available network management applications to
identify problems and potential problems on your test network.
Many of these applications run on dedicated network management stations (NMSs) and
communicate with internetworking devices using Simple Network Management Protocol
(SNMP) or Remote Monitoring (RMON). By using data supplied by an SNMP or RMON
Management Information Base (MIB) located on the devices, a network management
application can isolate performance problems in a proposed network design.
Windows Server 2003 includes the Network Monitor tool (Netmon.exe), a protocol
analyzer that you can use to monitor a new network design. Network Monitor captures
and displays packets, analyzing their traffic patterns, rate of broadcast, errors, utilization,
and other aspects of their behavior.
The Network Monitor component that ships with Windows Server 2003 can capture
frames that are sent to or from the computer on which Network Monitor is installed. To
capture frames that are sent to or from a remote computer, you can use the Network
Monitor component that ships with Microsoft® Systems Management Server (SMS),
which can capture frames sent to or from any computer on which the Network Monitor
driver is installed.
For more information about the Network Monitor component, see Help and Support
Center for Windows Server 2003.
Additional Resources for Designing a TCP/IP Network
Related Information
• "Deploying IPSec" in this book for more information about using Internet
Protocol security (IPSec).
• "Deploying ISA Server" in this book for more information about deploying
Network Address Translation (NAT).
• The Networking Collection of the Windows Server 2003 Technical Reference (or
see the Networking Collection on the Web at http://www.microsoft.com/reskit)
for more information about TCP/IP, IPSec, and IPv6 in Windows Server 2003.
• The Networking Collection of the Windows Server 2003 Technical Reference (or
see the Networking Collection on the Web at http://www.microsoft.com/reskit)
for technical information about unicast IP routing, including the NAT routing
protocol component of the Routing and Remote Access service.
• Routing in the Internet (2nd Edition) by Christian Huitema, 2000, Upper Saddle
River, NJ: Prentice Hall PTR.
Related Tools
• Netsh commands for Interface IPv6
You can use the Netsh commands for Interface IPv6 to manage configuration of
the IPv6 protocol. For more information about how to use the Netsh commands
for Interface IPv6, see the Netsh command-line help or see "Netsh commands for
Interface IPv6" in the Help and Support Center for Windows Server 2003.
• Netsh commands for Interface Portproxy
The Netsh commands for Interface Portproxy provide a command-line tool for
administering servers that act as proxies between IPv4 and IPv6 networks and
applications. For more information about how to use the Netsh Interface
PortProxy commands, see the Netsh command-line help or see "Netsh commands
for Interface PortProxy" in Help and Support Center for Windows Server 2003.
• Ipsec6.exe
For experimenting with IPSec for IPv6, you can use the Ipsec6 tool to configure
IPSec policies and security associations in an IPv6 environment. For more
information about Ipsec6, see "IPv6 utilities" in Help and Support Center for
Windows Server 2003.
• Network Monitor (Netmon.exe)
The Network Monitor tool (Netmon.exe) is a protocol analyzer that you can use to
monitor a new network design. For more information about Netmon.exe, see
"Network Monitor" in Help and Support Center for Windows Server 2003.