Planning an IP Addressing Strategy

Before you can implement an IP network infrastructure, there are many details that you must consider. Here, we will take a look at how to plan your network by identifying the appropriate addressing requirements and limitations that will shape the network. Understanding subnetting is a requirement to implement your addressing scheme. You will need to identify hardware requirements, decide what class of address you will need, and determine if access to the Internet is necessary for all or just some of your hosts.

Subnetting will allow you to create logical segments on your network that will overlay the physical topology. By using a well-planned subnetting scheme, you can handle your current needs and plan for expansion for future needs. You can also make use of these segments to isolate and distribute heavy traffic, without having a major impact on other segments of your network.

Analyzing Addressing Requirements

Since the host IP address must be unique, the simple rule to calculate the number of hosts for our network is one IP address per host, plus one IP address for each additional network adapter in a host machine. We have a concept of one network in the corporate sense, but when determining address requirements, there are a few more details we must consider.

You can define IP addresses using one of the three classes available for standard IP communications: classes A, B, and C. Before we decide which class to use, we need to determine the type of network we are implementing and how many hosts there are per segment. This material provides only a brief review of the topic, and assumes you are familiar with IP addressing concepts and practices.
Creating a Subnetting Scheme

As mentioned, host addresses can belong to one of three classes of IP address, and each has a range of addresses. The range is defined by the value of the first octet. Table 21.2 shows the classes and their ranges, as well as the binary representations of the ranges. Classes D and E are also classes of IP addresses, but Class D is restricted to multicasting and Class E addresses are reserved for future use. 127.0.0.0 is reserved for connectivity testing. 127.0.0.1 is a special address that represents the local loopback adapter that resolves as localhost. We can ping the local host to troubleshoot the protocol stack. We will discuss this in more detail in the “Troubleshooting IP Addressing” section later in this chapter. Each class also has a default subnet mask.

Table 21.2 IP Address Classes and Their Ranges

Class   Range of Values   Default Mask     Networks        Hosts        Binary
A       0 to 126          255.0.0.0        126             16,777,214   00000001 to 01111110
B       128 to 191        255.255.0.0      16,384          65,534       10000000 to 10111111
C       192 to 223        255.255.255.0    2,097,152       254          11000000 to 11011111
D       224 to 239        Not applicable   Not applicable

Chapter 21 • Planning, Implementing, and Maintaining the TCP/IP Infrastructure

As you know, the default mask for each class defines the number of networks and the number of hosts for each network. An IP address contains information about the network on which the host resides and the address of the host. The network ID is the reference to the logical subnet, and it refers to the octets that are predefined as the network ID and implemented with the default mask. The remaining octets are for the hosts. The first address in each network refers to “this network” (itself), such as 24.0.0.0/8 or 204.79.26.0/24. The last address in each network or subnetwork is the broadcast address for that segment, such as 179.54.255.255 or 204.79.26.255.
We can derive the formula for determining the number of hosts per network as 2^n – 2, where n is the number of bits available for host IDs. Class A addresses are used for networks that have a large number of hosts. Based on the default mask, we have the first octet for networks and the last three for hosts. So, we have 126 networks and 2^24 – 2 hosts, or 16,777,214. Likewise, with class B, the default mask is 255.255.0.0, so the first two octets are for the network IDs, for a total of 16,384, and the last two are for the hosts. So, class B networks have 2^16 – 2 hosts, or 65,534. Class C networks have more networks but are smaller, with 2^8 – 2 hosts, or 254.

We could implement our network now very simply. Determine the number of hosts and the number of networks, and pick the class that fits. If you do not wish to assign a public IP address to all your machines, there is a solution. There are three banks of IP addresses that are called private IP address ranges. They are listed in Table 21.3. Typically, a network will need only one or two public addresses for the Internet interfaces, and everything internal to the company can use the private IP addresses internally.

Table 21.3 Private IP Addresses

Network ID     Subnet Mask     Range
10.0.0.0       255.0.0.0       10.0.0.1 to 10.255.255.254
172.16.0.0     255.240.0.0     172.16.0.1 to 172.31.255.254
192.168.0.0    255.255.0.0     192.168.0.1 to 192.168.255.254

Troubleshooting IP Addressing

The flexibility of TCP/IP also contributes to the complexity of troubleshooting addresses and connections. There are several tools that can help isolate and identify issues with addressing, but it is also imperative that you understand IP addressing rules and subnetting. The ipconfig, ping, and tracert commands are the most useful tools for identifying addressing problems with client configurations and connections to other hosts on the Internet.
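The class rules from Table 21.2, the 2^n – 2 host formula and the private banks from Table 21.3, worked in a Python script added here (not code from the book). It goes one step beyond the classful cases in the text by also picking the smallest subnet that still fits a given host count.

```python
import ipaddress

# The three private banks from Table 21.3, as prefix lengths
# (255.0.0.0 = /8, 255.240.0.0 = /12, 255.255.0.0 = /16).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Default mask per class, as in Table 21.2; D and E carry no host mask.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """Classify an IPv4 address by its first octet (Table 21.2 ranges)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "loopback"      # 127.0.0.0/8 is reserved for connectivity testing
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"             # multicast
    return "E"                 # reserved


def usable_hosts(prefix_len):
    """2^n - 2 usable host IDs: the all-zeros ID names the network itself and
    the all-ones ID is the broadcast address, so neither can be a host."""
    n = 32 - prefix_len
    return 2 ** n - 2 if n >= 2 else 0


def describe(addr, prefix_len=None):
    """Network ID, broadcast, mask and host count for addr, using the class
    default mask unless a prefix length is given (a subnetted network)."""
    cls = address_class(addr)
    if prefix_len is None:
        if cls not in DEFAULT_PREFIX:
            raise ValueError(f"{addr} is class {cls} and cannot be a host address")
        prefix_len = DEFAULT_PREFIX[cls]
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return {
        "class": cls,
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": usable_hosts(prefix_len),
        "private": any(net.subnet_of(p) for p in PRIVATE_RANGES),
    }


def smallest_prefix_for(host_count):
    """Longest prefix (smallest subnet) that still leaves host_count usable
    IDs; this generalises the classful choice the text describes."""
    for prefix_len in range(30, 0, -1):
        if usable_hosts(prefix_len) >= host_count:
            return prefix_len
    raise ValueError("more hosts than a single IPv4 network can hold")


if __name__ == "__main__":
    # Sample addresses taken from the text above.
    for sample in ("24.1.2.3", "179.54.1.1", "204.79.26.10", "192.168.1.77"):
        print(sample, describe(sample))
    print("prefix for 254 hosts: /%d" % smallest_prefix_for(254))
```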
Client Configuration Issues

Some of the issues that occur with manual configuration of IP addresses include duplicate addresses, invalid subnet masks, invalid default gateways, and invalid or missing host name resolution settings (such as DNS and WINS). To help identify the problem, start by typing ipconfig /all at a command prompt. Verify the information that is output by the command is correct, and then continue by using ping to help isolate the problem.

1. Ping the loopback address (127.0.0.1) to verify that the TCP/IP protocol stack is configured correctly on the local computer.
2. Ping the external IP address of the local computer to ensure the host is on the network and using a valid IP address; that is, there are no address conflicts.
3. Ping the IP address of the default gateway to verify that the default gateway is accessible and your local network configuration contains the correct subnet mask.
4. Ping the IP address of a remote host to verify that you can transmit data over the default gateway.

If you are not able to get traffic through to a site, but you are making it through the default gateway, you should use tracert to identify the break in the route to the destination.

DHCP Issues

DHCP is an easy way to manage IP addressing schemes for larger networks. DHCP makes it possible to boot a machine and access the network without configuring any protocol information. This eliminates many of the manual configuration issues, such as using the wrong subnet mask, duplicate IP addresses, and limited or no host name resolution. Some of the items to consider when you implement and use DHCP are lease time, number of hosts in a scope, network traffic, scope options, and topology.
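The manual-configuration faults listed above (an invalid subnet mask, a gateway that is not on the local subnet, missing name resolution, and an APIPA address standing in for a failed DHCP lease) can be checked straight from ipconfig /all output. This Python checker is an added example, not code from the book; the ipconfig excerpt is constructed, with the gateway and DNS faults planted deliberately.

```python
import ipaddress
import re

# Constructed ipconfig /all excerpt (not captured from a real host). Two
# deliberate faults: the gateway is on a different subnet, and no DNS
# server is listed.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
"""

# "Field name . . . . : value" as ipconfig prints it.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z\- ]*?)[ .]*: ?(.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {field: value} for the adapter block in ipconfig /all output."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_config(fields):
    """Return a list of problems found in the parsed adapter configuration.
    An empty list means the basic addressing rules are satisfied."""
    problems = []
    ip_text = fields.get("IP Address", "")
    mask = fields.get("Subnet Mask", "")
    gateway = fields.get("Default Gateway", "")
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return [f"invalid or missing IP address: {ip_text!r}"]
    # A 169.254.x.x address on a DHCP client means no lease was obtained.
    if fields.get("DHCP Enabled") == "Yes" and ip in APIPA:
        problems.append("APIPA address in use: no DHCP lease was obtained")
    if ip.is_loopback or ip.is_multicast or ip.is_reserved:
        problems.append(f"{ip} is not a usable host address")
    try:
        # A non-contiguous mask (e.g. 255.255.0.255) is rejected here.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError:
        problems.append(f"invalid subnet mask: {mask!r}")
        return problems
    if net.prefixlen == 0:
        problems.append("subnet mask 0.0.0.0 puts every address on one network")
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if not gateway:
        problems.append("no default gateway configured")
    else:
        try:
            if ipaddress.IPv4Address(gateway) not in net:
                problems.append(f"default gateway {gateway} is not on subnet {net}")
        except ValueError:
            problems.append(f"invalid default gateway: {gateway!r}")
    if not fields.get("DNS Servers"):
        problems.append("no DNS servers configured: host name resolution will fail")
    return problems


def ping_sequence(fields, remote_host):
    """Targets to ping, in the order the four troubleshooting steps prescribe."""
    return ["127.0.0.1", fields.get("IP Address", ""),
            fields.get("Default Gateway", ""), remote_host]


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for problem in check_config(cfg):
        print("PROBLEM:", problem)
    print("ping order:", ping_sequence(cfg, "remote.example"))
```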
When a machine acquires an IP address from a DHCP server, it acquires a lease. The request for the lease is a message called a DHCPREQUEST, which is broadcast by the DHCP client looking for DHCPOFFERs of a lease from a DHCP server. The lease duration for a DHCP address is specified in the scope set on the server and defaults to eight days. At 50 percent of the lease duration, the DHCP client sends a directed request to the DHCP server that issued the lease and requests a renewal of the lease. If no DHCPACK (acknowledgment) is received from the server, the DHCP client waits until 87.5 percent of the lease time, and then makes a final request to renew the IP address. If no DHCPACK is received at this point, the client waits until the lease is expired and starts the process over. If a DHCP client is unable to receive an IP address lease, it will use an alternate configuration, if one is specified. If there is no alternate configuration, the client will use APIPA to start the TCP/IP services and assign itself an address from the APIPA pool (169.254.0.0/16).

To determine the appropriate lease time for your network, you should consider the following:

■ Number of hosts  If the number of hosts is close to the number of total IP addresses in your DHCP server’s scope, the lease should be shorter—about three days. If there are a great deal more IP addresses than hosts, a longer lease can be assigned.
■ Mobile users  If you have a small number of mobile users and the client machines do not frequently move from one network to the other, a longer lease duration is recommended. Conversely, if you have more mobile users, a shorter lease will be preferred, so that the IP addresses will be released sooner and returned to the available pool of addresses.
■ Unlimited  It is possible to set the lease duration to unlimited, but it presents a challenge if you wish to change the DHCP settings, since this setting requires the client to initiate the DHCPREQUEST.

Because they are broadcast, the DHCPREQUEST messages do not cross router boundaries, unless the router is capable of forwarding DHCP broadcast messages, in compliance with RFC 2131. You can also configure a DHCP relay to forward the requests to a DHCP server.

Using DHCP can reduce IP address conflicts by preventing the need for static IP addresses. It also can eliminate invalid subnet masks, since they are also assigned by the DHCP server. Another advantage is the scope properties. By assigning scope properties, you can define default gateways, DNS servers, WINS servers, and the type of name resolution that is preferred. By managing name resolution settings, you can help eliminate broadcast traffic.

Transitioning to IPv6

IPv6, defined in RFC 2460, is now production ready to use on most operating system platforms. At this point, it is still early in the transition from IPv4. The change to IPv6 will take some time, but with each day, it becomes more necessary due to the growing shortage of IPv4 addresses.
Although the larger address space is the most immediate need, IPv6 offers other advantages over IPv4, including the following:

■ Better security (built-in support for IPSec)
■ Support for both stateful and stateless address configuration
■ An efficient hierarchical routing infrastructure
■ A new header format that provides lower overhead
■ Neighbor Discovery (ND) for managing nodes on the same link, replacing ARP, ICMPv4 router discovery, and ICMPv4 redirect messages
■ Virtually unlimited extension headers (in comparison to IPv4’s limit of 40 bytes)
■ Quality of service (QoS) related header fields

The utilities and concepts associated with IPv6 are similar to IPv4, but not identical. In the following sections, we’ll take a look at how to install IPv6 and start to familiarize ourselves with the new utilities used to manage it.

IPv6 on Windows Server 2003 provides a new header format that is streamlined to minimize overhead and provide more efficient processing while crossing intermediate routers. All the option fields and any other fields in the header that are not required for routing are placed after the IPv6 header. The IPv6 header also added more QoS support by adding Flow Label fields that provide special handling for a series of packets that travel between a source and destination.

ND is a set of processes and messages that are used in an IPv6 environment to identify relationships between neighboring nodes. This allows hosts to discover routers on the same segment, addresses, and address prefixes. With ND, hosts can also resolve neighboring nodes and determine when the MAC address of a neighbor changes (similar to ARP in IPv4). ND also provides the process for address autoconfiguration, also referred to as stateless address configuration.
In the absence of a stateful address configuration server, such as a DHCP version 6 (DHCPv6) protocol server, ND provides a complex process that allows each interface to use router advertisement messages to define an IPv6 address, and then subsequently ensure the uniqueness of the selected address. Currently, the standards for DHCPv6 and IPv6 stateful addressing are still under development, so neither feature is supported on Windows XP/2003 products at this time.

The new routing structure provides a hierarchical addressing and routing structure that includes a global addressing scheme. Global addresses are the equivalent of public IPv4 addresses and are accessible over the Internet. The global addressing scheme defines new ways to summarize global addresses to facilitate smaller routing tables on the Internet backbone, and thus improve the efficiency and performance on the Internet.

IPv6 Utilities

The traditional IPv4 utilities are still very useful for IPv4, but new utilities and features have been added to accommodate IPv6 functionality. To gain access to the new tools or functionality, you need to install the TCP/IP version 6 protocol.

Install TCP/IP Version 6

1. Open Network Connections and double-click the Local Area Network icon. You will see the Local Area Connection Status dialog box.
2. Click Properties.
3. In the Local Area Network Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, select Protocol and click Add.
5. In the Select Network Protocol dialog box, select Microsoft TCP/IP version 6 and click OK.
6. You should return to the Local Area Connection Properties dialog box and see that Microsoft TCP/IP version 6 is installed.
7. Click Close.
8. Test the TCP/IP version 6 installation by opening Internet Explorer and navigating to www.ipv6.org. You should see a line under the line “Welcome to the IPv6 Information Page!” that states, “You are using IPv6 from <your IPv6 address>,” as shown in Figure 21.1.
9. You can also navigate to an IPv6-only site from Microsoft Research on the Internet by going to http://ipv6.research.microsoft.com.

If you are behind a firewall or using 6to4 tunneling, you may not see the message that indicates you have an IPv6 address. If you are able to access the site described in step 9, then you are successfully using IPv6.

Figure 21.1 Test the IPv6 Configuration

Another way to test whether your IPv6 installation was successful is to run the ipconfig command. If IPv6 is installed, your IP address will be shown in IPv6 format, as shown in Figure 21.2.

Figure 21.2 Ipconfig Results after Installing IPv6

Now that TCP/IP version 6 is installed, additional utilities are available with the IPv6 functionality. Other than the utilities to manage, monitor, and troubleshoot IPv6, only Telnet, FTP, and Internet Explorer actually use the IPv6 protocol stack.

Netsh Commands

Netsh is an interactive command-line utility that allows you to manage local or remote network configurations of active machines. Netsh also supports scripting, so you can create batch configurations that run against the local machine or a specified host on the network. You can also use the Netsh utility to generate a configuration script to use as a backup configuration or as an aid to configure new machines in an identical fashion. Netsh works with the existing components installed with the operating system by using helper dynamic link libraries (DLLs).
Each helper DLL contains the information necessary to execute the commands for the component to which it applies. The set of commands and features supported by the DLLs is called a context, and each context is unique to the networking component.

The IPv6 interface has its own context with commands to manage and display information pertaining to the routes, interfaces, addresses, and caches specific to IPv6. There are currently no graphical user interface (GUI) applications to configure IPv6, so Netsh is necessary for configuring IPv6 and its associated components. The component called 6to4 has a subcontext within the IPv6 context, for configuring and managing 6to4 routers and hosts. For more information about Netsh, see the Windows Help and Support Center topic titled “Netsh Overview.”

To put the netsh command into IPv6 context, type netsh at the command prompt, then at the netsh> prompt, type interface ipv6. Then you can use the IPv6 context commands, which include the following:

■ 6to4  Changes to 6to4 context.
■ Add  Adds a configuration entry.
■ Delete  Deletes a configuration entry.
■ Dump  Shows a configuration script.
■ Install  Installs IPv6.
■ Isatap  Changes to isatap subcontext within IPv6 context.
■ Renew  Restarts IPv6 interfaces.
■ Reset  Resets IPv6 configuration.
■ Set  Sets configuration information.
■ Show  Displays information.
■ Uninstall  Uninstalls IPv6.

Ipsec6.exe

Ipsec6.exe is used to configure and implement IPSec security policies (SPs) and security associations (SAs) for IPv6.
Using this utility, you can save and load security policies and security associations to a file that can be edited in a text editor. This can be a real timesaver when you implement IPSec for IPv6 on multiple machines. The command to save a configuration is ipsec6 s FilenameWithNoExtension. The filename specified from the command line will be appended with the extension automatically. The extension .spd is added to security policy files, and the extension .sad is added to security association files. If you are executing this command for the first time, and there are no current policies and no current security associations, the files created can act as templates to help you get started.

Other ipsec6 commands are available to work with security policies and security associations:

■ To load the configuration from these files, type ipsec6 l FilenameWithNoExtension. The security policies will be loaded from Filename.spd and the security associations from Filename.sad.
■ To delete security policies and security associations, type ipsec6 d [{sp | sa}] [Index] from a command line. Use the sp parameter with the Index of the policy you wish to delete, or the sa parameter to delete all of the security associations.
■ To determine what the current security policies are, type ipsec6 sp [Interface] from the command line, where Interface is optional and applies to the security policies for the specified network interface.
■ To view the current security associations, type ipsec6 sa from the command line.

Note that the output from the commands to view the security policies and security associations is not formatted well for a command line, so you might prefer to save the configuration and view the files in Notepad.

IPv6 PING and Tracert Parameters

Use the following steps to use IPv6 PING to verify connectivity:

1. From a command prompt, type netsh interface ipv6 show interface.
2. Find the Idx value for Local Area Connection.
3. Type netsh interface ipv6 show interface Idx, where Idx is the number from the previous step. The Local Area Connection index number is usually 4.
4. Right-click in the command window and select Mark. Then highlight the address. Once it is highlighted, right-click in the command prompt window. When you release the mouse button, the address will be copied to the Clipboard. Take note of your Zone ID for Link, which should match the Idx number in step 3.
5. Exit the netsh command. At a regular command prompt, type ping, and then right-click in the command prompt window and select Paste.
6. Without adding any spaces, add %<ZoneID>, where ZoneID is the number noted in step 4, so the command looks like this: Ping fe80::204:5aff:fe08:fb4b%4
7. Press Enter. You should see four successful replies.
8. Continue by pinging another address on the same local network.
9. To test external hosts, ping the global address of another node.
10. To test name resolution with DNS or a hosts file, ping a node with ping -6 Name, where Name is the site name. The -6 parameter tells PING to use IPv6 only.

You can use Tracert to trace the path taken by IPv6 data packets from this host to the destination host. From a command prompt, type tracert IPv6Address%ZoneID, where IPv6Address is a valid IPv6 address and ZoneID is the zone ID of the interface. Alternatively, type tracert -d -6 Hostname, where Hostname is the name of the remote machine.

6to4 Tunneling

6to4 tunneling is used to encapsulate IPv6 data packets in IPv4 headers before they are transmitted to the destination host. 6to4 tunneling uses a 6to4 host and 6to4 routers to deliver the IPv6 data. It is an Internet standard, defined in RFC 3056, and is used for interoperability between IPv4 and IPv6 networks.
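Two of the address forms used above, worked in Python as an added example (not the book's code): splitting a link-local address from its %ZoneID before pinging it, and deriving a host's 6to4 address from the public IPv4 address of its 6to4 router, as RFC 3056 lays out. The address 203.0.113.5 and the subnet and interface IDs are constructed values.

```python
import ipaddress

# Blocks that can never be the public IPv4 address of a 6to4 router: the
# private banks from Table 21.3, loopback, and the APIPA pool.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def split_zone(text):
    """Split 'fe80::1%4' into (IPv6Address, zone id). A link-local address
    (fe80::/10) is only meaningful together with the interface it belongs
    to, which is why ping needs the %ZoneID suffix for it."""
    addr_text, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)
    if addr.is_link_local and not zone:
        raise ValueError(f"{addr} is link-local; append %ZoneID (the interface Idx)")
    return addr, (int(zone) if zone else None)


def sixto4_prefix(public_ipv4):
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the router's public IPv4
    address written as two 16-bit hex groups (RFC 3056)."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in block for block in NOT_PUBLIC):
        raise ValueError(f"{v4} is not a public IPv4 address; 6to4 requires one")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def sixto4_address(public_ipv4, subnet_id=0, interface_id=1):
    """A host address inside the /48: 16-bit subnet ID, 64-bit interface ID."""
    if not 0 <= subnet_id < 2 ** 16 or not 0 <= interface_id < 2 ** 64:
        raise ValueError("subnet ID must fit 16 bits and interface ID 64 bits")
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Address(base + (subnet_id << 64) + interface_id)


def embedded_ipv4(v6):
    """Recover the IPv4 tunnel endpoint from a 6to4 address (bytes 2..5)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4:
        raise ValueError(f"{addr} is not a 2002::/16 (6to4) address")
    return ipaddress.IPv4Address(addr.packed[2:6])


if __name__ == "__main__":
    # Link-local address from the ping walkthrough above, zone 4.
    print(split_zone("fe80::204:5aff:fe08:fb4b%4"))
    # 203.0.113.5 is a constructed (documentation-range) public IPv4 address.
    print(sixto4_prefix("203.0.113.5"), sixto4_address("203.0.113.5"))
    print(embedded_ipv4("2002:cb00:7105::1"))
```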
6to4 hosts and routers are defined as follows:

■ 6to4 host  Any IPv6 host that is configured with at least one 6to4 address. 6to4 can be configured with the netsh interface ipv6 6to4 commands. As you might have noticed when you ran the show interface command, by default, your IPv6-enabled host will have a 6to4 pseudo-interface, as well as an automatic tunneling pseudo-interface.
■ 6to4 router  Uses IPv4 and IPv6 to forward 6to4 traffic to the destination 6to4 hosts. It is also possible to implement a 6to4 relay router to forward 6to4 router traffic on the IPv6 Internet.

With 6to4 tunneling, it is not necessary for IPv6 hosts to get an IPv6 global address prefix from their ISPs. The host can create a 6to4 address automatically.

IPv6 Helper Service

The IPv6 Helper service is responsible for automatically configuring itself with the appropriate 6to4 addresses, but it uses a specific 6to4 router on the Internet. You can test functionality with the ping -6 command.

The 6bone

The 6bone is a dedicated IPv6 network that exists on the Internet. It began as a virtual network using IPv6 over IPv4 encapsulation. It contains links to many sites and includes a great deal of IPv6 data, testing plans, news, current events, and implementation instructions. It will be a valuable resource for managing IPv6 on your network. For more information about the 6bone, see www.6bone.net. For instructions on how to connect to the 6bone, see www.opus1.com/ipv6/whatisthe6bone.html.

Teredo (IPv6 with NAT)

Teredo is the name for IPv4 network address translator (NAT) traversal for IPv6. It provides an IPv6/IPv4 translation over NAT and address assignment. Teredo also provides the mechanism for host-to-host automatic tunneling for unicast IPv6 connectivity when IPv6/IPv4 hosts are located behind one or more NAT servers.
Currently, to provide IPv6 connectivity over the Internet, you must have a 6to4 router with a public IPv4 address, which is not always feasible. Teredo provides a mechanism for IPv6 traffic to traverse NATs and access the Internet using IPv6. Basically, IPv6 packets are sent as IPv4-based UDP messages, and this allows the IPv6 packets to pass through the IPv4 NAT server. For more information about Teredo, see the Teredo Overview document located at www.microsoft.com/windowsxp/pro/techinfo/administration/p2p/overview.asp.

Planning the Network Topology

The next phase in planning your TCP/IP infrastructure is planning the IP routing solution to manage the traffic on your network. This will depend on the physical location of your equipment and users, as well as on how you want to distribute the addresses. When you implement your strategy, you will also need to determine how the hosts on your network will resolve host names and implement the necessary services to provide that functionality. You will need to identify where the services such as DHCP, WINS, DNS, and so on must exist in your network to function properly and reduce the network bandwidth utilization.

Analyzing Hardware Requirements

Before you implement your network topology, you should identify the hardware needs. For each physical location, you will need to provide some sort of routing. You might need to implement a WAN solution using a T1 line, which also requires special hardware. You will need DHCP servers at each location or a DHCP relay agent. You will need to provide some form of name resolution, most likely DNS and possibly WINS. Depending on the traffic and if you have a large number of users, you may decide to install switches to help manage network traffic.
For a DHCP server, the two major factors that affect performance are the amount of physical random access memory (RAM) and the speed of the disk input/output (I/O). You should always provide the largest amount of RAM possible and the fastest disk I/O for the best performance on a DHCP server. The same rules apply for WINS and DNS servers, although DNS is more dependent on network bandwidth. In any case, frequent zone updates require more RAM for better performance. If you are using Active Directory (AD) DNS, there are other considerations related to AD, such as these:

■ Increased network utilization due to dynamic DNS updates related to DHCP integration and WINS reverse lookups
■ Increased RAM requirements due to the increased data volume

Planning the Placement of Physical Resources

The quantity of data and the type of network traffic affect the location of IP resource servers in your enterprise. If the WAN link is slow, you might want to place DNS caching servers at each location to reduce WAN traffic related to DNS resolution. You might also consider providing a DNS server at each location to provide redundancy. In addition, by creating an AD integrated primary zone, you will allow clients to update their resource records locally. Defining which DNS servers can act as forwarders and perform iterative queries will help manage the Internet traffic.