
Designing a TCP/IP Network


The TCP/IP protocol suite defines industry standard networking protocols for data networks, including the Internet. Determining the best design and implementation of your TCP/IP network ensures optimal reliability, availability, scalability, security, and performance for your enterprise.

You can also start to explore the next generation of the Internet layer protocol of the TCP/IP protocol suite — IP version 6 (IPv6) — by introducing Microsoft® Windows® Server 2003 IPv6 into part of your IPv4 network.

In This Chapter

Overview of Designing a TCP/IP Network ... 5
Planning the IP-Based Infrastructure ... 8
Developing Routing Strategies ... 11
Designing an IP Addressing Scheme ... 15
Planning an IP Configuration Strategy ... 27
Planning Security ... 29
Improving Availability ... 33
Planning IP Multicasting ... 36
Introducing IPv6 on Your Network ... 43
Testing Your Design ... 65
Additional Resources ... 68

Related Information

• For more information about IP configuration strategies using Dynamic Host Configuration Protocol (DHCP), see “Deploying DHCP” in this book.

• For more information about using Domain Name System (DNS) for name resolution, see “Deploying DNS” in this book.

• For more information about using Windows Internet Name Service (WINS) for name resolution in networks that support clients running Microsoft® Windows NT®, see “Deploying WINS” in this book.


Overview of Designing a TCP/IP Network

Designing your IP deployment includes deciding how you want to implement IP in a new environment, or — for most organizations — examining your existing infrastructure and deciding what to change. Windows Server 2003 TCP/IP, the most widely used networking protocol, can connect different types of systems, provide a framework for client/server applications, and give users access to the Internet. TCP/IP is included in the Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; Windows® Server 2003, Datacenter Edition; and Windows® Server 2003, Web Edition operating systems.

Before you start the TCP/IP design process, inventory your hardware and software and create or update a map of your network topology. Preparing an inventory and network map can save time and help you focus on the design decisions you want to address. After you review your existing network, you might upgrade several servers to Windows Server 2003 in order to take advantage of end-to-end support for TCP/IP, or you might decide to redesign your entire network to improve its efficiency and prepare for the future of IP networking. Determine which design tasks are relevant to your environment, and then decide what changes you want to make to your network. For more information about creating a hardware and software inventory and a network topology map, see “Planning for Deployment” in Planning, Testing, and Piloting Deployment Projects of this kit.

To start the TCP/IP design process, you must make a number of design decisions about your network infrastructure. For enterprise-wide scalability, you might decide to plan your IP infrastructure based on a hierarchical network design model. You must also choose between hardware and software-based routers, and decide where to use static routing or dynamic routing protocols. You must carefully design a structured model for IP address assignment that fits your current networking environment and that accommodates expected growth. Your model can use either public or private addresses, or you can use a combination of public and private addresses.

In addition, consider security issues for an IP network, including where best to use Internet Protocol security (IPSec) and which options are appropriate for securing your perimeter network.

For higher availability and load balancing, you can include redundancy in your network design.

Decide whether you need to use technology enhancements such as IP multicast to optimize server workload and network bandwidth. You might start deploying IPv6 on certain network servers or clients, and, if so, decide how you want to implement IPv6/IPv4 coexistence.

After you develop your network design, you can use the remaining chapters in this book as a guide for deploying core features, such as DHCP, DNS, and WINS, as well as optional technologies, such as support for mobile or home users, connecting remote sites, or deploying wireless solutions.


Process for Designing a TCP/IP Network

Figure 1.1 shows the design stages involved in deploying TCP/IP. Although the figure lists the stages sequentially, you must consider each topic in relation to the others rather than as a linear step-by-step process.

Figure 1.1 Designing a TCP/IP Network

[Figure: flowchart of the design stages: Plan the IP-based infrastructure; Develop routing strategies; Design IP addressing scheme; Plan security; Improve availability; Plan IP multicasting; Introduce IPv6 on your network; Test your design; Plan IP configuration strategy]


Windows Server 2003 TCP/IP Background

Windows Server 2003 TCP/IP enables enterprise networking and connectivity on computers running Windows Server 2003, Microsoft® Windows® XP, Windows® 2000, Windows NT®, Windows® Millennium Edition, Windows® 98, and Windows® 95.

Benefits of Windows Server 2003 TCP/IP

Using TCP/IP in a Windows Server 2003 configuration offers the following advantages:

• Enables the most widely used network protocol. Windows Server 2003 TCP/IP is a complete, standards-based implementation of the most widely accepted networking protocol in the world. IP is routable, scalable, and efficient. IP forms the basis for the Internet, and it is also used as the primary network technology on most major enterprise networks in production today. You can configure computers running Windows Server 2003 with TCP/IP to perform nearly any role that a networked computer requires.

• Connects dissimilar systems. Although all modern networking operating systems offer TCP/IP support, Windows Server 2003 TCP/IP provides the best platform for connecting Windows-based systems to earlier Windows systems and to non-Windows systems. Most standard connectivity utilities are available in Windows Server 2003 TCP/IP, including the File Transfer Protocol (FTP) program, the Line Printer (LPR) program, and Telnet, a terminal emulation protocol.

• Provides client/server framework. Windows Server 2003 TCP/IP provides a cross-platform client/server framework that is robust, scalable, and secure. Windows Server 2003 TCP/IP offers the Windows Sockets programming interface, which is ideal for developing client/server applications that can run on Windows Sockets-compliant TCP/IP protocol implementations from other vendors.

• Provides access to the Internet. Windows Server 2003 TCP/IP can provide users with a method of gaining access to the Internet. A computer running Windows Server 2003 can be configured to serve as an Internet Web site, it can function in a variety of other roles as an Internet client or server, and it can use nearly all of the Internet-related software available today.


Planning the IP-Based Infrastructure

To create or expand an enterprise network, you can choose from many design models, including a network infrastructure model based on the three-tier design model. This model, a hierarchical network design model described by Cisco Systems, Inc. and other networking vendors, is widely used as a reference in the design of enterprise networks.

Figure 1.2 shows the tasks involved in creating a three-tier TCP/IP infrastructure.

Figure 1.2 Planning the IP-Based Infrastructure

[Figure: the design stages of Figure 1.1, with the stage Plan IP-based infrastructure expanded into its tasks: Design access tier; Design distribution tier; Design core tier]

The modular nature of a hierarchical model such as the three-tier model can simplify deployment, capacity planning, and troubleshooting in a large internetwork. In this design model, the tiers represent the logical layers of functionality within the network. In some cases, network devices serve only one function; in other cases, the same device may function within two or more tiers.

The three tiers of this hierarchical model are referred to as the core, distribution, and access tiers.

Figure 1.3 illustrates the relationship between network devices operating within each tier.

Figure 1.3 Three-Tier Network Design Model

Core Tier: High-speed switching
Distribution Tier: Policy-based connectivity
Access Tier: Local and remote workgroup access

Designing the Access Tier

The access tier is the layer in which users connect to the rest of the network, including individual workstations and workgroup servers. The access tier usually includes a relatively large number of low- to medium-speed access ports, whereas the distribution and core tiers usually contain fewer, but higher-speed network ports. Design the access tier with efficiency and economy in mind, and balance the number and types of access ports to keep the volume of access requests within the capacity of the higher layers.


Designing the Distribution Tier

The distribution tier distributes network traffic between related access layers, and separates the locally destined traffic from the network traffic destined for other tiers through the core.

Network security and access control policies are often implemented within this tier. Network devices in this layer can incorporate technologies such as firewalls and address translators.

The distribution tier is often the layer in which you define subnets; through the definition of subnets, distribution devices often function as routers. Decisions about routing methods and routing protocols affect the scalability and performance of the network in this tier.

A server network in the distribution layer might house critical network services and centralized application servers. Computers running Windows Server 2003 can be used there to run the Active Directory® directory service, DNS, DHCP, and other core infrastructure services.

Designing the Core Tier

The core tier facilitates the efficient transfer of data between interconnected distribution tiers.

The core tier typically functions as the high-speed backbone of the enterprise network. This tier can include one or more building-wide or campus-wide backbone local area networks (LANs), metropolitan area network (MAN) backbones, and high-speed regional wide area network (WAN) backbones.

The primary design goal for the core is reliable, high-speed network performance. As a general rule, locate any feature that might affect the reliability or performance of this tier in an access or distribution tier instead.

Select highly reliable network equipment for the core tier, and design a fault-tolerant core system whenever possible. Many products meet these criteria, and most major network vendors offer complete solutions to meet the requirements of the core tier.

For more information about designing a three-tier network model, see “Additional Resources” later in this chapter.

Developing Routing Strategies

After planning your network infrastructure based on your design model, plan how to implement routing. Figure 1.4 shows the tasks involved in developing a unicast routing strategy. For information about IP multicast routing, see “Planning IP Multicasting” later in this chapter.

Figure 1.4 Developing a Routing Strategy

[Figure: the design stages of Figure 1.1, with the stage Develop routing strategies expanded into its tasks: Choose hardware or software routing; Choose static or dynamic routing]

To plan an effective routing solution for your environment, you must understand the differences between hardware routers and software routers; static routing and dynamic routing; and distance vector routing protocols and link state routing protocols.

Choosing Hardware or Software Routing

A router is a device that holds information about the state of its own network interfaces and contains a list of possible sources and destinations for network traffic. The router directs incoming and outgoing packets based on that information. By projecting network traffic and routing needs based on the number and types of hardware devices and applications used in your environment, you can better decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers are sufficient to handle lighter routing loads.

A software-based routing solution, such as the Windows Server 2003 Routing and Remote Access service, can be ideal on a small, segmented network with relatively light traffic between subnets. Conversely, enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network.

Choosing Static or Dynamic Routing

Routing can be either static or dynamic, depending on how routing information is generated and maintained:

• In static routing, routing information is entered manually by an administrator and remains constant throughout the router’s operation.

• In dynamic routing, a router is configured to automatically generate routing information and share the information with neighboring routers.

You must decide where best to implement each type of routing.

Static Routing

In static routing, a network administrator enters static routes in the routing table manually by indicating:

• The network ID, consisting of a destination IP address and a subnet mask.

• The IP address of a neighboring router (the next hop).

• The router interface through which to forward the packets to the destination.

Static routing has significant drawbacks. Because a network administrator defines a static route, errors are more likely than with a dynamically assigned route. A simple typographical error can create chaos on the network. An even greater problem is the inability of a static route to adapt to topology changes. When the topology changes, the administrator might have to make changes to the routing tables on every static router. This does not scale well on a large internetwork.

However, static routing can be effective when used in combination with dynamic routing.

Instead of using static routing exclusively, you can use a static route as the redundant backup for a dynamically configured route. In addition, you might use dynamic routing for most paths but configure a few static paths where you want the network traffic to follow a particular route. For example, you might configure routers to force traffic over a given path to a high-bandwidth link.

Dynamic Routing Protocols

Conceptually, the dynamic routing method has two parts: the routing protocol that is used between neighboring routers to convey information about their network environment, and the routing algorithm that determines paths through that network. The protocol defines the method used to share the information externally, whereas the algorithm is the method used to process the information internally.

The routing tables on dynamic routers are updated automatically based on the exchange of routing information with other routers. The most common dynamic routing protocols are:

• Distance vector routing protocols

• Link state routing protocols

Understanding how these protocols work enables you to choose the type of dynamic routing that best suits your network needs.

Distance Vector Routing Protocols

A distance vector routing protocol advertises the number of hops to a network destination (the distance) and the direction in which a packet can reach a network destination (the vector). The distance vector algorithm, also known as the Bellman-Ford algorithm, enables a router to pass route updates to its neighbors at regularly scheduled intervals. Each neighbor then adds its own distance value and forwards the routing information on to its immediate neighbors. The result of this process is a table containing the cumulative distance to each network destination.

Distance vector routing protocols, the earliest dynamic routing protocols, are an improvement over static routing, but have some limitations. When the topology of the internetwork changes, distance vector routing protocols can take several minutes to detect the change and make the appropriate corrections.


One advantage of distance vector routing protocols is simplicity. Distance vector routing protocols are easy to configure and administer. They are well suited for small networks with relatively low performance requirements.

Most distance vector routing protocols use a hop count as a routing metric. A routing metric is a number associated with a route that a router uses to select the best of several matching routes in the IP routing table. The hop count is the number of routers that a packet must cross to reach a destination.

Routing Information Protocol (RIP) is the best known and most widely used of the distance vector routing protocols. RIP version 1 (RIP v1), which is now outmoded, was the first routing protocol accepted as a standard for TCP/IP. RIP version 2 (RIP v2) provides authentication support, multicast announcing, and better support for classless networks. The Windows Server 2003 Routing and Remote Access service supports both RIP v1 and RIP v2 (for IPv4 only).

Using RIP, the maximum hop count from the first router to the destination is 15. Any destination greater than 15 hops away is considered unreachable. This limits the diameter of a RIP internetwork to 15. However, if you place your routers in a hierarchical structure, 15 hops can cover a large number of destinations.

Link State Routing Protocols

Link state routing protocols address some of the limitations of distance vector routing protocols.

For example, link state routing protocols provide faster convergence than do distance vector routing protocols. Convergence is the process by which routers update routing tables after a change in network topology — the change is replicated to all routers that need to know about it.

Although link state routing protocols are more reliable and require less bandwidth than do distance vector routing protocols, they are also more complex, more memory-intensive, and place a greater load on the CPU.

Unlike distance vector routing protocols, which broadcast updates to all routers at regularly scheduled intervals, link state routing protocols provide updates only when a network link changes state. When such an event occurs, a notification in the form of a link state advertisement is sent throughout the network.

The Windows Server 2003 Routing and Remote Access service supports the Open Shortest Path First (OSPF) protocol, the best known and most widely used link state routing protocol. OSPF is an open standard developed by the Internet Engineering Task Force (IETF) as an alternative to RIP. OSPF compiles a complete topological database of the internetwork. The shortest path first (SPF) algorithm, also known as the Dijkstra algorithm, is used to compute the least-cost path to each destination. Whereas RIP calculates cost on the basis of hop count only, OSPF can calculate cost on the basis of metrics such as link speed and reliability in addition to hop count.

Unlike RIP, OSPF can support an internetwork diameter of 65,535 (assuming that each link is assigned a cost of 1). OSPF transmits multicast frames, reducing CPU usage on a LAN. You can hierarchically subdivide OSPF networks into areas, reducing router memory overhead and CPU overhead.

Like RIP v2, OSPF supports variable length subnet masks (VLSM) and noncontiguous subnets.

For information about variable length subnet masks and noncontiguous subnets, see “Designing a Structured Address Assignment Model” later in this chapter.
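To make the contrast between the two methods concrete, here is an added Python simulation that is not part of the chapter: it runs a RIP-style distance vector exchange and an OSPF-style SPF computation over the same constructed four-router topology, and the distance vector exchange over a constructed 18-router chain to show the 15-hop diameter. Router names, network names and link costs are invented for the example.

```python
import heapq
from typing import Dict, List, Tuple

INFINITY = 16  # RIP convention: a hop count of 16 means "unreachable"

# Constructed topology (not from the chapter): four routers in a ring, each with one
# directly attached network. Link costs stand for link speed and are used only by the
# link state computation; the distance vector exchange counts hops.
ROUTERS = ["A", "B", "C", "D"]
ATTACHED = {"A": "NetA", "B": "NetB", "C": "NetC", "D": "NetD"}
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 1, ("A", "D"): 10}  # A-D is a slow WAN link

Table = Dict[str, Tuple[int, str]]  # destination network -> (metric, next hop)


def neighbours(router: str, links: Dict[Tuple[str, str], int]) -> List[str]:
    return sorted([b for a, b in links if a == router] + [a for a, b in links if b == router])


def link_cost(a: str, b: str, links: Dict[Tuple[str, str], int]) -> int:
    return links[(a, b)] if (a, b) in links else links[(b, a)]


def distance_vector(routers, attached, links) -> Tuple[Dict[str, Table], int]:
    """Bellman-Ford exchange. Every round each router advertises its table to its neighbours,
    which add one hop and keep the lowest count. Returns the converged tables and the number
    of exchange rounds it took; no router ever sees the whole topology."""
    tables = {r: {attached[r]: (0, "direct")} for r in routers}  # 0 more routers to cross
    rounds = 0
    while True:
        advertised = {r: dict(t) for r, t in tables.items()}  # what neighbours hear this round
        changed = False
        for r in routers:
            for nb in neighbours(r, links):
                for dest, (hops, _) in advertised[nb].items():
                    candidate = min(hops + 1, INFINITY)  # never count past "unreachable"
                    if dest not in tables[r] or candidate < tables[r][dest][0]:
                        tables[r][dest] = (candidate, nb)
                        changed = True
        if not changed:
            return tables, rounds
        rounds += 1


def link_state(source: str, routers, attached, links) -> Table:
    """SPF (Dijkstra) run by `source` over the complete topology database, as an OSPF router
    does: least total link cost to every network and the first-hop router towards it."""
    dist = {r: float("inf") for r in routers}
    dist[source] = 0
    first_hop: Dict[str, str] = {}
    heap = [(0, source, "direct")]
    while heap:
        d, r, via = heapq.heappop(heap)
        if r in first_hop:  # already settled with a cost no higher than d
            continue
        first_hop[r] = via
        for nb in neighbours(r, links):
            nd = d + link_cost(r, nb, links)
            if nd < dist[nb]:
                dist[nb] = nd
                heapq.heappush(heap, (nd, nb, nb if r == source else via))
    return {attached[r]: (dist[r], first_hop[r]) for r in routers if r in first_hop}


def chain(n: int):
    """Constructed linear topology R0-R1-...-R(n-1), one network per router, to show the
    15-hop RIP diameter: from R0, networks more than 15 routers away come back as 16."""
    routers = [f"R{i}" for i in range(n)]
    attached = {r: f"Net{i}" for i, r in enumerate(routers)}
    links = {(routers[i], routers[i + 1]): 1 for i in range(n - 1)}
    return routers, attached, links


if __name__ == "__main__":
    dv, rounds = distance_vector(ROUTERS, ATTACHED, LINKS)
    print(f"distance vector converged after {rounds} rounds; A reaches NetD via {dv['A']['NetD']}")
    print(f"link state from A reaches NetD via {link_state('A', ROUTERS, ATTACHED, LINKS)['NetD']}")
    far, _ = distance_vector(*chain(18))
    print("R0 -> Net17:", far["R0"]["Net17"])  # hop count 16: beyond the 15-hop limit
```

Hop counting sends A's traffic for NetD over the slow direct link, while the cost-based SPF run prefers the three fast hops through B and C; the same choice RIP and OSPF would make on such a topology.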

Selecting the Appropriate Routing Protocol

Select a routing protocol based on the following considerations:

• For a small, simple network that is not expected to grow, use a simpler distance vector routing protocol like RIP v2. For a large, complex internetwork, use a newer, more sophisticated link state routing protocol like OSPF.

• Use RIP v2 or OSPF if you need to support variable length subnet masks. Although the outdated RIP v1 is still widely used in private networks, it does not support VLSM and thus is not well suited for enterprise networks. For more information about VLSM, see “Planning Variable Length Subnet Masks” later in this chapter.

Designing an IP Addressing Scheme

Before assigning addresses, design an IP addressing scheme that meets the requirements of your networking infrastructure. Figure 1.5 shows the tasks involved in designing your IP addressing system, including planning your address assignment model, address allocation, and public or private addressing. Most organizations choose to use classless IP addressing, classless IP routing protocols, and route summarization.

Figure 1.5 Designing an IP Addressing Scheme

[Figure: the design stages of Figure 1.1, with the stage Design IP addressing scheme expanded into its tasks: Create structured address assignment model; Choose address allocation method; Choose public or private addresses]

For information about IP multicast addressing, see “Planning IP Multicasting” later in this chapter.


Creating a Structured Address Assignment Model

You can ease the burden of enterprise internetwork administration by designing a structured address assignment model. A structured address assignment model makes troubleshooting easier and more systematic and helps you interpret network maps and locate specific devices. It also simplifies the use of network management software. For enterprise scalability, assign address blocks hierarchically.

The structured address assignment model reflects more than just hierarchical concerns. To maximize network stability and scalability, assign a block of addresses based on a physical network rather than on membership within a department or team, to avoid complications when you move a workstation to a new location. For more information about address allocation as it relates to your IP addressing scheme, see “Choosing an Address Allocation Method” later in this chapter.

As a general rule, assign static addresses to routers and servers, and assign dynamic addresses to workstations. This scheme minimizes manual addressing, reducing the chances of address duplication and stabilizing the network’s addressing structure. You can assign meaningful numbers when using static addresses; for example, reserve host addresses in the low or high portion of the range, and manually assign these addresses to routers or servers.

To design a structured model for assigning addresses:

• Plan classless IP addressing.

• Plan classless routing.

• Use route summarization.

• Plan variable length subnet masks (VLSM).

• Plan supernetting and classless interdomain routing (CIDR).

Planning Classless IP Addressing

Classless IP addressing makes traditional classful IP addressing methods — restricted to the standard IP address classes in their default formats — out of date for enterprise networks. Of the five address classes, Class A, B, and C addresses, collectively known as IPv4 unicast addresses, are assigned to specific devices on an IPv4 network. Class D addresses, known as multicast addresses, are used for IP multicasting (simultaneously sending a message to more than one network destination). Class E addresses are reserved for experimental purposes.


To be able to use subnetting or supernetting, you must first understand the default formats of the unicast addresses. Unicast addresses have the following formats:

• All 32-bit IPv4 addresses contain four octets of 8 bits each, often represented as four decimal numbers separated by dots (known as dotted decimal notation).

• In Class A addresses, the first byte, or octet, represents the network ID, and the three remaining bytes are used for node addresses.

• In Class B addresses, the first 2 bytes represent the network ID, and the last 2 bytes are used for nodes.

• In Class C addresses, the first 3 bytes are used for the network ID, and the final byte is used for nodes.

Without some means of subdividing class-designated networks, all available IP addresses would have been depleted long ago. Classless IP addressing, which allows subnetting, was developed to handle this problem.

Determining the Number of Subnets and Hosts

To better use the address space, instead of using the unicast addresses in their default formats, you can use subnet addressing, which lets you “borrow” additional bits from the host part of the address to divide the network into subnets. In subnetting, the subnet mask consists of the octets assigned to the network plus the bits added for the subnet. You can use subnet mask notation to indicate these leftmost contiguous bits.

For example, for a Class B address, which has a default subnet mask of 255.255.0.0, you might allocate an additional 8 bits for subnets. That is, for a Class B address such as 131.107.65.37, you can use the following subnet mask, shown in both decimal and binary notation.

Subnet Mask in Decimal Notation    Subnet Mask in Binary Notation
255.255.255.0                      11111111 11111111 11111111 00000000

By using 8 host bits for subnetting, you obtain 256 (that is, 2^8) subnetted network IDs (subnets), supporting as many as 254 hosts per subnet. The number of hosts per subnet is 254 because 8 bits remain for the host ID, which gives 2^8 minus 2 host addresses. You subtract 2 because subnetting rules exclude the host IDs consisting of all ones or all zeros.

An alternative to subnet mask notation is the network prefix length notation. A network prefix is shorthand for a subnet mask, expressing the number of high-order bits that constitute the subnetted network ID portion of the address in the format <IP address>/<# of bits>, where # of bits defines the network/subnet part of the IP address, and the remaining bits represent the host ID portion of the address.


The following is the network prefix length notation for the Class B address in the previous example:

131.107.65.37/24

The bit notation “/24” refers to the number of high-order bits set to 1 in the binary notation for the subnet mask, leaving 8 bits for hosts (the eight bits set to 0).

By contrast, if you anticipate needing only 32 subnets rather than 256, each of the 32 subnets can support as many as 2,046 hosts (2^11 minus 2). That subnet mask has the following decimal and binary notations.

Subnet Mask in Decimal Notation    Subnet Mask in Binary Notation
255.255.248.0                      11111111 11111111 11111000 00000000

The following network prefix length notation indicates the 21 bits needed to create as many as 32 subnets:

131.107.65.37/21

Again, “/21” indicates the number of high-order bits set to 1 in binary notation, leaving 11 bits (the 11 zeros) for the host ID portion of the address.

To determine the appropriate number of subnets versus hosts for your organization’s network, consider the following:

• More subnets. Allocating more host bits for subnetting supports more subnets but fewer hosts per subnet.

• More hosts. Allocating fewer host bits for subnetting supports more hosts per subnet, but limits the growth in the number of subnets.
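As an added example that is not from the chapter, the following Python script generalizes the /24 and /21 cases above to any prefix length applied to a classful address: it produces the mask in both notations, the number of subnets the borrowed bits yield, the hosts each can hold, and the subnet the host address falls into. The address and prefix lengths are the chapter's; the function names are mine.

```python
import ipaddress

# Default (classful) prefix lengths of the unicast address classes.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Classify a unicast IPv4 address by its first octet (A: 0-127, B: 128-191, C: 192-223)."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{addr} is not a Class A, B or C unicast address")


def subnet_plan(addr: str, prefix_len: int) -> dict:
    """Describe the result of subnetting the classful network of `addr` with a /prefix_len mask:
    the mask in both notations, how many subnets the borrowed bits give, how many hosts fit in
    each, and which subnet `addr` itself falls into."""
    default_len = CLASS_PREFIX[address_class(addr)]
    if not default_len <= prefix_len <= 30:
        raise ValueError("prefix must not be shorter than the class default or leave fewer than 2 host bits")
    borrowed_bits = prefix_len - default_len  # host bits "borrowed" for the subnet ID
    host_bits = 32 - prefix_len
    # strict=False: addr is a host address, not a network ID, so host bits are masked off
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    mask_bits = f"{int(net.netmask):032b}"
    return {
        "prefix": f"{addr}/{prefix_len}",
        "mask": str(net.netmask),
        "mask_binary": " ".join(mask_bits[i:i + 8] for i in range(0, 32, 8)),
        "subnets": 2 ** borrowed_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,  # all-zeros and all-ones host IDs are excluded
        "subnet_id": str(net),
    }


def tradeoff(addr: str) -> list:
    """Every split available for the address's class, as (prefix, subnets, hosts per subnet):
    each bit moved from the host part doubles the subnets and roughly halves the hosts."""
    default_len = CLASS_PREFIX[address_class(addr)]
    rows = []
    for prefix_len in range(default_len + 1, 31):
        plan = subnet_plan(addr, prefix_len)
        rows.append((prefix_len, plan["subnets"], plan["hosts_per_subnet"]))
    return rows


if __name__ == "__main__":
    for prefix_len in (24, 21):
        plan = subnet_plan("131.107.65.37", prefix_len)
        print(f'{plan["prefix"]:<20} {plan["mask"]:<16} {plan["mask_binary"]}  '
              f'{plan["subnets"]} subnets x {plan["hosts_per_subnet"]} hosts, in {plan["subnet_id"]}')
    for row in tradeoff("131.107.65.37"):
        print("/%d: %d subnets x %d hosts" % row)
```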

For an introduction to TCP/IP, including information about subnetting, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

Planning Classless Routing

Organizations today typically implement classless routing solutions. With classful routing protocols, IP hosts and routers recognize only the network address designated by the standard address classes. An IP host device or a router using a classful protocol such as RIP v1 cannot recognize subnets.

Note

IPv6 supports only network prefix length notation. It does not support dotted decimal subnet masks. For more information about IPv6, see “Introducing IPv6 on Your Network” later in this chapter.

Classless routing protocols extend the standard Class A, B, or C IP addressing scheme by using a subnet mask or mask length to indicate how routers must interpret an IP network ID. Classless routing protocols include the subnet mask along with the IP address when advertising routing information. Subnet masks representing the network ID are not restricted to those defined by the address classes, but can contain a variable number of high-order bits. Such subnet mask flexibility enables you to group several networks as a single entry in a routing table, significantly reducing routing overhead. In addition to RIP v2 and OSPF, described earlier, classless routing protocols include Border Gateway Protocol version 4 (BGP4) and Intermediate System to Intermediate System (IS-IS).

If your network contains routers that support only RIP v1 and you want to upgrade from classful to classless routing, upgrade the RIP v1 routers to support RIP v2 or use another protocol such as OSPF. For example, you might use VLSM to implement subnets of different sizes or CIDR to implement supernetting. (VLSM and CIDR are described later in this chapter.)

Planning Classless Noncontiguous Subnets

One reason that classful routing is out of date is that classful routing protocols cannot reliably handle noncontiguous subnets of a subnetted class-based network ID. As mentioned earlier, classful routing protocols recognize only those networks indicated by an address class. Because classful protocols do not transmit subnet mask or prefix length information, noncontiguous subnets, when summarized by a classful routing protocol, can have the same class-based network ID.

Noncontiguous subnets with classful routing

Noncontiguous subnets occur when another network with a different network ID separates subnets of a classful network. For example, the two routers in Figure 1.6 separate two subnets that each use the base prefix 10.0.0.0/8, which is a Class A private network. A segment of another class-based network connects the two routers. (For more information about private addresses, see “Choosing Public or Private Addresses” later in this chapter.)

Figure 1.6 Classful Routing Not Appropriate for Noncontiguous Subnets

[Figure: subnets 10.0.20.0/24 and 10.0.10.0/24, each behind its own router, separated by an internetwork of another class-based network; both routers advertise the summarized class-based route 10.0.0.0/8]

Each router in Figure 1.6 must use a subnet mask to look up a match in the routing table. Because a classful address, by definition, has only its class-based default subnet mask, the router uses the network mask that corresponds to the class of the subnet ID when advertising the route for the subnet. With classful routing, each of the routers in Figure 1.6 summarizes and advertises the class-based network ID of 10.0.0.0/8, resulting in two routes to 10.0.0.0/8, each of which might have a different metric. Therefore, a packet meant for one subnet could be incorrectly routed to the other subnet. In the figure, the arrows represent the routes advertised by the routers.

Noncontiguous subnets with classless routing

Figure 1.7 also shows an unrelated network connecting two noncontiguous subnets. In this example, using classless routing, the locations on the noncontiguous subnets are unambiguous because the classless protocol includes a subnet mask when advertising the route. Routers in the intermediate network can distinguish between the two noncontiguous subnets.

Figure 1.7 Classless Routing Appropriate for Noncontiguous Subnets

Figure not reproduced. It shows the same two routers and intermediate internetwork, with each router advertising its own subnet, 10.0.10.0/24 or 10.0.20.0/24, together with its prefix length.
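The following added example (not from the Resource Kit) simulates the intermediate router of Figures 1.6 and 1.7. It shows why the two noncontiguous 10.0.0.0/8 subnets become ambiguous once a classful protocol collapses them to their class-based network ID, and how a classless route with a prefix length lets longest-prefix matching pick the right next hop. The router names, metrics and destination addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed topology for Figures 1.6 and 1.7 (names and metrics are assumptions):
# each edge router advertises one subnet of 10.0.0.0/8 into the intermediate
# internetwork, which must then choose a next hop for every destination.
EDGE_ROUTERS = {
    "RouterA": ("10.0.10.0/24", 1),   # (subnet behind the router, route metric)
    "RouterB": ("10.0.20.0/24", 2),
}


def classful_network(ip):
    """Class-based network ID of an address, i.e. all that a classful protocol
    can advertise for any subnet of it (Class A, B and C only)."""
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is not a Class A, B or C address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def classful_advertisements(edge_routers):
    """Routes the intermediate router learns from a classful protocol:
    every subnet collapses to its class-based network ID."""
    routes = []
    for name, (subnet, metric) in edge_routers.items():
        net = ipaddress.ip_network(subnet)
        routes.append((classful_network(net.network_address), name, metric))
    return routes


def classless_advertisements(edge_routers):
    """Routes learned from a classless protocol: the prefix length travels
    with the route, so each subnet stays distinct."""
    return [(ipaddress.ip_network(subnet), name, metric)
            for name, (subnet, metric) in edge_routers.items()]


def best_routes(routes, destination):
    """All routes whose prefix is the longest one matching the destination."""
    dest = ipaddress.IPv4Address(destination)
    matching = [r for r in routes if dest in r[0]]
    if not matching:
        return []
    longest = max(r[0].prefixlen for r in matching)
    return [r for r in matching if r[0].prefixlen == longest]


def next_hop(routes, destination):
    """Forwarding decision: longest prefix match, ties broken by lowest metric.
    Returns the router name, or None when no route matches."""
    candidates = best_routes(routes, destination)
    if not candidates:
        return None
    return min(candidates, key=lambda r: r[2])[1]


def is_ambiguous(routes, destination):
    """True when several different next hops tie on prefix length, so only the
    metric decides and packets can be sent to the wrong subnet."""
    hops = {r[1] for r in best_routes(routes, destination)}
    return len(hops) > 1
```

With the classful advertisements, a packet for 10.0.20.5 is forwarded to RouterA because its route has the lower metric, which is exactly the misrouting the figure warns about; with the classless advertisements the /24 prefix decides and the packet goes to RouterB.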

Using Route Summarization

With route summarization, or aggregation, in a hierarchical routing infrastructure, one route in a routing table represents many routes. A routing table entry for the highest level (the network) is also the route used for subnets and sub-subnets. In contrast, in a flat routing infrastructure, the routing table on every router in the network contains an entry for each network segment. When you use flat routing, the network IDs have no network/subnet structure and cannot be summarized. RIP-based Internetwork Packet Exchange (IPX) internetworks use flat network addressing and have a flat routing infrastructure.

Using route summarization, you can contain topology changes occurring in one area of the network within that area. Route summarization simplifies routing tables and reduces the exchange of routing information, but it requires more planning than does a flat routing infrastructure.


To support route summarization, your IP addressing scheme must meet the following requirements:

u Classless routing protocols (those including subnet mask or prefix length information along with the IP address) must be used.

u All IP addresses used in route summarization must share identical high-order bits.

u The length of the prefix can be any number of bits up to 32 (for IPv4).

Planning Variable Length Subnet Masks (VLSM)

Variable length subnet masks (VLSMs) allow you to use different prefix lengths at different locations so that subnets of different sizes can coexist on the same network. Instead of using one subnet mask throughout the network, you apply several masks to the same address space, producing subnets of different sizes. For example, given the Class B network ID of 131.107.0.0, you can configure one subnet with as many as 32,766 hosts, 15 subnets with as many as 2,046 hosts, and 8 subnets with as many as 254 hosts.

VLSM also can be used when a point-to-point WAN link connects two routers. One way to handle such a WAN link is to create a small subnet consisting of only two addresses. Without VLSM, you might divide a Class C network ID into equal-size two-address subnets. If only one WAN link is in use, all the subnets but one serve no purpose, wasting 252 addresses.

Alternatively, you can divide the Class C network into 16 workgroup subnets of 14 nodes each by using a prefix length of 28 bits (or, in subnet mask terms, 255.255.255.240). By using VLSM, you can then subdivide one of those 16 subnets into 8 smaller subnets, each supporting only 2 nodes. You can use one of the 8 subnets for your existing WAN link and reserve the remaining 7 subnets for similar links that you might need in the future. To accomplish this act of sub-subnetting by using VLSM, use a prefix length of 30 bits (or, in subnet mask terms, 255.255.255.252).

Figure 1.8 shows variable length subnetting for two-host WAN subnets.

Figure 1.8 Variable Length Subnetting of 131.107.106.0

1 network with 254 hosts: 131.107.106.0/24
16 networks with 14 hosts per network: 131.107.106.0/28 through 131.107.106.240/28
8 networks with 2 hosts per network: 131.107.106.240/30 through 131.107.106.252/30

Tip

When using VLSM, do not accidentally overlap blocks of addresses. If possible, start with equal-size subnets and then subdivide them.


If your network includes numerous WAN links, each with its own subnet, this approach can require significant administrative overhead. If you do not use route summarization, each subnet requires another entry in the routing table, increasing the overhead of the routing process.

Some routers support unnumbered connections; a link with unnumbered connections does not require its own subnet.

Planning Supernetting and Classless Interdomain Routing (CIDR)

Similar to the way that subnetting allows you to divide class-based networks into smaller subnets by “borrowing” bits from the host part of the address, supernetting allows you to combine contiguous subnets into larger supernets by “borrowing” bits from the network part of the address. For example, rather than allocate a Class B network ID to an organization that has 2,000 hosts, the Internet Assigned Numbers Authority (IANA) might allocate a range of eight Class C network IDs. Each Class C network ID accommodates 254 hosts, for a total of 2,032 host IDs.

Although this technique helps conserve Class B network IDs, it creates a new problem. Using conventional routing techniques, the routers on the Internet must, in this example, have eight Class C network ID entries in their routing tables to route IP packets to the organization. To prevent Internet routers from becoming overwhelmed with routes, a technique called Classless Interdomain Routing (CIDR), which the Internet uses to summarize routes, collapses multiple network ID entries into a single entry. In this example, CIDR collapses the network IDs that correspond to the eight Class C network IDs allocated to that organization into one entry.

A supernetted subnet mask conveys the starting network ID and the number of Class C network IDs allocated. The following tables demonstrate how eight Class C network IDs are allocated.

Table 1.1 indicates the contiguous allocation of eight Class C network IDs, starting with network ID 220.78.168.0. Note that the first 21 bits are the same for the starting network ID and the ending network ID. The last 3 bits of the third octet, which are borrowed from the network ID, range from 000 through 111. In decimal notation, the range is 0 through 7, or 8 total contiguous subnets, which are combined into one supernet.

Table 1.1 Supernetted Block of Addresses

                      Network ID     Network ID (Binary)
Starting Network ID   220.78.168.0   11011100 01001110 10101000 00000000
Ending Network ID     220.78.175.0   11011100 01001110 10101111 00000000

A block of supernetted addresses, such as those in Table 1.2, is known as a CIDR block.

Table 1.2 indicates the single CIDR entry that appears in the routing table. This entry represents all eight Class C network IDs that are allocated to the example organization.

Table 1.2 CIDR Routing Table Entry

Network ID     Subnet Mask     Subnet Mask (Binary)
220.78.168.0   255.255.248.0   11111111 11111111 11111000 00000000


In network prefix length notation, the CIDR block is 220.78.168.0/21.

RIP v2, OSPF, and BGP4, which can exchange routing information in the form of [Network ID, Network Mask] pairs, support CIDR.
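The following added example (not from the Resource Kit) computes the CIDR block of Tables 1.1 and 1.2 from the eight Class C network IDs: it finds the common high-order bits, derives the supernetted mask, and also checks whether a single entry describes exactly the allocated networks. That check matters because a summary route that covers more than the organization owns attracts traffic for other people's address space; the seven-network case below shows the difference. The address block is the one from the text; nothing else is assumed.

```python
import ipaddress


def binary_octets(dotted):
    """Dotted-decimal address or mask as the spaced binary used in Tables 1.1 and 1.2."""
    return " ".join(f"{int(o):08b}" for o in dotted.split("."))


def covering_supernet(networks):
    """Smallest single prefix containing every given network: the run of
    high-order bits shared by the lowest network ID and the highest broadcast
    address."""
    nets = sorted(ipaddress.ip_network(str(n)) for n in networks)
    low = int(nets[0].network_address)
    high = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (low >> (32 - prefix)) != (high >> (32 - prefix)):
        prefix -= 1
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(low)}/{prefix}", strict=False)


def exact_aggregate(networks):
    """Fewest routing table entries that cover the given networks and nothing
    else (what a CIDR-aware router advertises)."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(str(n)) for n in networks))


def summarize(networks):
    """(cidr_block, dotted_mask, exact): `exact` is True when the single block
    advertises only the allocated networks. When it is False, one entry would
    also draw traffic for address space the organization does not own."""
    block = covering_supernet(networks)
    return block, str(block.netmask), exact_aggregate(networks) == [block]


# The allocation of Table 1.1: eight contiguous Class C network IDs.
EIGHT_CLASS_C = [f"220.78.{third}.0/24" for third in range(168, 176)]
```

For the eight networks the block is 220.78.168.0/21 with mask 255.255.248.0, matching Table 1.2. With only seven of them the covering prefix is still /21, but the exact aggregate needs three entries (a /22, a /23 and a /24), so a single /21 would over-claim.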

Choosing an Address Allocation Method

Choose an address allocation method that best fits your structured address model. Addressing by topology is recommended. However, you can choose one or more of the following methods:

u Random address allocation. Under a random addressing structure, you can assign blocks of addresses randomly. Random address allocation might be the most frequently used address allocation method, but it is the least desirable. For a small network where no significant growth is anticipated, this approach might be appropriate. However, if the network does grow, random address allocation can cause extra work for network administrators.

Summarizing the random collection of routes might be difficult or impossible. This method can cause stability problems, with numerous routes being advertised to the core tier.

u Addressing by organization chart. To base your address structure on your organization chart, you create subnets based on a pool of addresses preassigned to a department or team.

If, for example, you designate the Sales department as 10.2.0.0/16, the address 10.2.1.0/24 might be the subnet for the sales team at one site and 10.2.2.0/24 might be the subnet for the sales team at another site. To the extent that contiguous subnets remain unassigned, this address allocation method offers limited possibilities for route summarization, but, as a rule, this kind of addressing scheme does not scale well.

u Addressing by geographical region. When you base your address structure on location, a greater degree of summarization is possible. However, as the internetwork of a geographically diverse organization continues to grow, fewer routes are available for summarization.

u Addressing by topology. By basing your address structure on topology, you can ensure that summarization takes place and that an internetwork remains scalable and stable. Addressing by topology makes the addressing structure router-centric, enhancing efficiency.

Choosing Public or Private Addresses

If you use a direct (routed) connection to the Internet, you must use public addresses. If you use an indirect connection such as a proxy server or Network Address Translator (NAT), use private addresses. If your organization is not connected to the Internet, use private addresses (rather than “unauthorized” addresses) so that if you later connect to the Internet using an indirect connection, you do not need to change addresses already in use.

If you connect to the Internet by using an Internet service provider (ISP), the ISP might provide only private addresses. The ISP itself uses public addresses to connect to the Internet.


Public Addresses

IANA assigns public addresses and guarantees them to be globally unique on the Internet. In addition, routes are programmed into the routers on the Internet so that traffic can reach those assigned public addresses. That is why public addresses can be reached on the Internet.

Private Addresses

Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those hosts within an organization that do not require direct access to the Internet.

These addresses do not duplicate already assigned public addresses. RFC 1918, “Address Allocation for Private Internets,” defines the following three private address blocks:

u 10.0.0.0/8. The 10.0.0.0/8 private network is a Class A network ID that supports the following range of valid IP addresses: 10.0.0.1 through 10.255.255.254. The 10.0.0.0/8 private network has 24 host bits that a private organization can use for any subnetting scheme within the organization.

u 172.16.0.0/12. The 172.16.0.0/12 private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The 172.16.0.0/12 private network supports the following range of valid IP addresses: 172.16.0.1 through 172.31.255.254.

u 192.168.0.0/16. The 192.168.0.0/16 private network can be interpreted either as a block of 256 Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The 192.168.0.0/16 private network supports the following range of valid IP addresses: 192.168.0.1 through 192.168.255.254.

Because IANA never assigns IP addresses in the private address space as public addresses, routes for private addresses never exist on the Internet routers. Any number of organizations can repeatedly use the private address space, which helps to prevent the depletion of public addresses.

Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a NAT before it is sent over the Internet.

For an introduction to TCP/IP and more information about public and private addresses, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).


Unauthorized Addresses

Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has assigned to other organizations. You cannot connect to the Internet by using unauthorized addresses.

Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. On some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation.
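The following added example (not from the Resource Kit) is the audit a network administrator would run before connecting an existing private network to the Internet: it classifies each host address as RFC 1918 private, public within one of the organization's own allocations, special (loopback, link-local, multicast, reserved), or unauthorized, and lists the hosts that need renumbering. The host inventory is constructed, and 220.78.168.0/21 (the example block from Table 1.2) stands in for a block allocated to the organization; the 172.32.0.1 entry shows the common mistake of treating 172.32.0.0 as part of 172.16.0.0/12.

```python
import ipaddress

# The three RFC 1918 blocks listed above.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_range(block):
    """First and last host address of a block, as in the ranges quoted above."""
    net = ipaddress.ip_network(block)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def classify(address, assigned_public=()):
    """'private': inside an RFC 1918 block.
    'special': loopback, link-local, multicast or reserved, never a host address.
    'public': a public address inside one of the organization's own allocations.
    'unauthorized': a public address that IANA may have assigned to someone else."""
    addr = ipaddress.IPv4Address(address)
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved:
        return "special"
    if any(addr in ipaddress.ip_network(b) for b in assigned_public):
        return "public"
    return "unauthorized"


def audit(inventory, assigned_public=()):
    """Counts each category and lists the hosts that must be renumbered before
    the network can be connected to the Internet."""
    counts = {}
    to_renumber = []
    for host, address in inventory.items():
        kind = classify(address, assigned_public)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "unauthorized":
            to_renumber.append(host)
    return counts, sorted(to_renumber)


# Constructed inventory; ASSIGNED reuses the Table 1.2 example block as the
# organization's own allocation (it is not a real allocation).
ASSIGNED = ["220.78.168.0/21"]
INVENTORY = {
    "dc01": "10.2.1.5",
    "mail01": "172.31.255.254",
    "web01": "220.78.170.10",
    "legacy-print": "172.32.0.1",       # looks private but falls outside 172.16.0.0/12
    "old-fileserver": "198.51.100.7",   # public address picked without any authority
    "router-loopback": "127.0.0.1",
}
```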

Network Address Translation

Network address translation, defined in RFC 3022, is the translation process performed by an IP router functioning as a network address translator (NAT). A NAT translates IP addresses from private network addresses used inside an organization to public addresses used outside the organization. Typically, a NAT-enabled router connects an internal corporate network with the Internet and builds a table that maps the connections between hosts inside the network and hosts outside on the Internet.

You can use NAT to map multiple internal private addresses to a single external public IP address. For example, a small business might obtain an ISP-allocated public IP address for each computer on its network. By using NAT, however, the business could use private addressing internally and have NAT map its private addresses to one or more public IP addresses that the ISP allocates.

NAT makes it more difficult for external users to attack systems on a private network. NAT also allows several nodes on the private network, each with its own private address, to share a smaller number of scarcer public addresses to access the Internet. However, although NAT allows you to reuse the private address space, it does not support standards-based network layer security or the correct mapping of all higher layer protocols. One purpose for the large number of addresses made available with the introduction of IPv6 is to make address conservation techniques such as NAT unnecessary.

Windows Server 2003 also supports IPSec NAT traversal (NAT-T), which allows nodes located behind a NAT (that is, they use private addresses) to use Encapsulating Security Payload (ESP) to protect traffic. This capability allows the creation of Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) connections from remote access clients and routers located behind NATs.

For more information about unicast IP routing, including technical information about the NAT routing protocol component of the Routing and Remote Access service, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at http://www.microsoft.com/reskit).
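The following added example (not from the Resource Kit) models the translation table that a NAT builds from outbound connections, in the port-translating form that lets many private hosts share one public address. It shows the two properties discussed above: the same flow reuses its mapping, and an inbound packet that no inside host asked for has no table entry and is dropped. All addresses are constructed from the documentation ranges (203.0.113.0/24, 198.51.100.0/24) and RFC 1918 space.

```python
import ipaddress


class Nat:
    """Port-translating NAT (the RFC 3022 NAPT form): many private hosts share
    one public address, and the table is built from outbound connections."""

    def __init__(self, public_ip, private_network, first_port=49152):
        self.public_ip = public_ip
        self.private_network = ipaddress.ip_network(private_network)
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port, proto) -> public port
        self.outbound = {}
        # (public port, remote ip, remote port, proto) -> (private ip, private port)
        self.inbound = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Rewrite the source of an inside-to-outside packet. Returns the new
        (source ip, source port), or None if the packet must not be translated."""
        if ipaddress.IPv4Address(src_ip) not in self.private_network:
            return None                         # not from the inside network: drop
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key not in self.outbound:            # first packet of a new flow
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port, proto)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """Rewrite the destination of an outside-to-inside packet addressed to
        public_ip:dst_port. Returns (private ip, private port), or None when no
        inside host opened this connection: unsolicited traffic is dropped."""
        return self.inbound.get((dst_port, src_ip, src_port, proto))

    def active_mappings(self):
        return len(self.outbound)
```

The inbound lookup is keyed on the remote endpoint as well as the public port, so a reply from a host other than the one the inside client contacted does not match either.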


Planning an IP Configuration Strategy

Every computer on an IP network must have a unique IP address. As noted earlier, using static addressing for clients is time-consuming and prone to error. To provide an alternative for IPv4, the IETF developed the Dynamic Host Configuration Protocol (DHCP), based on the earlier bootstrap protocol (BOOTP) standard. Figure 1.9 shows the stage in the TCP/IP design process during which you decide what to use for IP configuration. Most organizations choose to use DHCP for IPv4.

Figure 1.9 Planning an IP Configuration Strategy

Figure not reproduced. It shows the design process steps (plan the IP-based infrastructure, develop routing strategies, design an IP addressing scheme, plan an IP configuration strategy, plan security, improve availability, plan IP multicasting, introduce IPv6 into your network, test your design) with “Plan an IP configuration strategy” as the current step.

Although BOOTP and DHCP hosts can interoperate, DHCP is easier to configure. BOOTP requires maintenance by a network administrator, whereas DHCP requires minimal maintenance after the initial installation and configuration.

The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer running the DHCP service. Compared with static addressing, DHCP simplifies IP address management because the DHCP server automatically allocates IP addresses and related TCP/IP configuration settings to DHCP-enabled clients on the network. This is especially useful on a network with frequent configuration changes — for example, in an organization that has a large number of mobile users.

The DHCP server dynamically assigns specific addresses from a manually designated range of addresses called a scope. By using scopes, you can dynamically assign addresses to clients on the network no matter where the clients are located or how often they move.

DHCP Integration with DNS and WINS

The DHCP implementation in Windows Server 2003 is closely linked to name resolution services such as the Domain Name System (DNS) service and the Windows Internet Name Service (WINS). Network administrators benefit from combining all three when planning a deployment.

If you use DHCP servers for Windows-based network clients, you must use a name resolution service. In addition to name resolution, Windows Server 2003 networks use DNS to support Active Directory. Domain-based networks supporting clients running Windows NT version 4.0 or earlier or NetBIOS applications must use WINS servers. Networks supporting a combination of clients running Windows XP, Windows 2000, Windows Server 2003, and Windows NT 4.0 must implement both WINS and DNS.

DHCP, APIPA, and IP Address Allocation

DHCP clients receive IP addresses as follows:

u Dynamic allocation — from DHCP server. After you configure DHCP, the DHCP server automatically assigns an IP address from a specified scope to a client for a finite period of time called a lease. Most clients receive a dynamic IP address.

u Static allocation — from DHCP server. For a specific computer (such as a DHCP, DNS, or WINS server, or a print server, firewall, or router), you can manually configure the TCP/IP properties, including the IP address, the DNS and WINS parameters, and default gateway information. For the static clients to be on the same subnet as other, dynamically allocated computers, the static IP addresses must be within the scope or subnet defined for dynamic address allocation. You can use the DHCP snap-in to set an exclusion range to prevent the DHCP server from dynamically allocating the static IP address.

u Client reservation — from DHCP server. By using the DHCP snap-in, you can also reserve a specific IP address for permanent use by a given DHCP client.


u Automatic allocation — APIPA. In the absence of a DHCP server, Automatic Private IP Addressing (APIPA) lets a workstation configure itself with an address in the range from 169.254.0.1 to 169.254.255.254. Computers using APIPA addresses can communicate only with other computers that are also using APIPA addresses within a single subnet. In this case, a computer has an IP address but cannot connect outside the subnet. APIPA regularly checks for the presence of a DHCP server; if it detects one, it yields to the DHCP service, which then assigns a dynamic address to replace the APIPA address. APIPA is designed primarily for simple networks with only one subnet, such as small or home-based networks.

On a larger network, APIPA can be useful for identifying problems with DHCP: when a client uses an APIPA address, this indicates that a DHCP server has not been found.

u Alternate configuration — user configured. In the absence of a DHCP server, alternate configuration lets a computer use an IP address configured manually by the user. Alternate configuration is designed for a computer that is used on more than one network, such as a laptop used both at the office and at home. The user can specify an IP address on the computer’s TCP/IP properties Alternate Configuration tab if at least one of the networks (for example, the home office) does not have a DHCP server and APIPA addressing is not wanted. If alternate configuration is not configured and no DHCP server is found, TCP/IP uses APIPA by default.
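The following added example (not from the Resource Kit) models the allocation methods in the list above on both sides: a DHCP scope with an exclusion range for statically configured servers, a client reservation, leases that expire, and the client-side fallback to an alternate configuration or an APIPA address when no server answers. The scope, client identifiers and lease time are constructed; the APIPA address is picked deterministically within 169.254.0.1 through 169.254.255.254 for the example, whereas a real client picks at random and probes for conflicts.

```python
import ipaddress
import zlib

APIPA_NETWORK = ipaddress.ip_network("169.254.0.0/16")


class DhcpScope:
    """A DHCP scope: a range of addresses within one subnet, minus exclusion
    ranges for hosts with static addresses, plus reservations for clients that
    must always receive the same address."""

    def __init__(self, network, start, end, lease_seconds,
                 exclusions=(), reservations=None):
        self.network = ipaddress.ip_network(network)
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        excluded = set()
        for lo, hi in exclusions:
            lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            excluded.update(range(int(lo), int(hi) + 1))
        self.pool = [ipaddress.IPv4Address(n)
                     for n in range(int(first), int(last) + 1) if n not in excluded]
        self.lease_seconds = lease_seconds
        self.reservations = {cid: ipaddress.IPv4Address(ip)
                             for cid, ip in (reservations or {}).items()}
        self.leases = {}          # IPv4Address -> (client id, expiry time)

    def _expire(self, now):
        self.leases = {ip: v for ip, v in self.leases.items() if v[1] > now}

    def lease(self, client_id, now):
        """Address handed to this client at time `now`, or None when the scope
        is exhausted."""
        self._expire(now)
        if client_id in self.reservations:            # client reservation
            ip = self.reservations[client_id]
        else:
            current = [ip for ip, (cid, _) in self.leases.items() if cid == client_id]
            if current:                                # renewal of an existing lease
                ip = current[0]
            else:                                      # dynamic allocation
                reserved = set(self.reservations.values())
                free = [ip for ip in self.pool
                        if ip not in self.leases and ip not in reserved]
                if not free:
                    return None
                ip = free[0]
        self.leases[ip] = (client_id, now + self.lease_seconds)
        return str(ip)


def client_configure(client_id, dhcp_offer, alternate=None):
    """What the client ends up with: the DHCP offer if there is one, else the
    user's alternate configuration, else an APIPA address."""
    if dhcp_offer is not None:
        return dhcp_offer, "dhcp"
    if alternate is not None:
        return alternate, "alternate"
    # Constructed deterministic choice inside 169.254.0.1 - 169.254.255.254.
    offset = zlib.crc32(client_id.encode()) % 65534 + 1
    return str(APIPA_NETWORK.network_address + offset), "apipa"


def is_apipa(address):
    """An APIPA address on a client means that no DHCP server was found."""
    return ipaddress.IPv4Address(address) in APIPA_NETWORK


def example_scope():
    """Constructed scope: .10 and .11 are excluded for a static router and DNS
    server, .13 is reserved for a printer, and the rest is handed out dynamically."""
    return DhcpScope("10.2.1.0/24", "10.2.1.10", "10.2.1.14", lease_seconds=3600,
                     exclusions=[("10.2.1.10", "10.2.1.11")],
                     reservations={"00-printer": "10.2.1.13"})
```

In the constructed scope two dynamic clients use up .12 and .14, a third gets nothing until a lease expires, and the printer always receives .13; the APIPA check is the troubleshooting signal mentioned above for larger networks.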

For more information about developing a DHCP strategy, see “Deploying DHCP” in this book.

Planning Security

IP does not have a default security mechanism. Without security, both public and private IP networks are susceptible to unauthorized monitoring and access. To prevent these types of security breach, develop a security strategy for your IP deployment in tandem with your overall network security plan.

Ways that you can enhance security when deploying IP include:

u Securing IP packets. Provide end-to-end security by securing IP packets, which requires that you not use address translation (unless both peers support IPSec NAT-T and use ESP to protect traffic). IPSec is the most efficient way to provide a secure data stream.

u Deploying a perimeter network. Use a perimeter network to help secure your internal network from intrusion. Several options are available for doing this.


Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in your IP security plan.

Figure 1.10 Planning IP Security

Figure not reproduced. It shows the design process steps (plan IP-based infrastructure, develop routing strategies, design IP addressing scheme, plan IP configuration strategy, plan security, improve availability, plan IP multicasting, introduce IPv6 on your network, test your design) with “Plan security” as the current step and its two tasks: use IPSec and use a perimeter network.

Using IPSec

Effective integration with IPSec is becoming increasingly important to the secure deployment of IP in an enterprise internetwork. IPSec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The implementation of IPSec that runs on Windows Server 2003, Windows XP, and Windows 2000 is based on standards developed by the IETF IPSec working group.

IPSec provides a comprehensive technology for securing networks. However, the larger your organization, the more planning and engineering are required to implement IPSec. Assess the relative importance of your information resources — domain controllers, mail servers, and financial servers may rank high among the resources you want to protect. Include confidentiality considerations in your assessment. For example, many organizations might target Human Resources information for IPSec protection. After identifying the critical information resources to secure, configure IPSec policies as appropriate on those computers.

Windows Server 2003 uses the IPSec protocol suite to protect data traffic as it crosses a network.

Although file encryption and required passwords protect information stored on network resources, they do not protect information as it moves across a network.

By implementing IPSec, you can secure the following types of data:

u Data that moves across the part of your intranet that external users do not access.

u Data that moves across the part of your intranet that can be accessed by external users who have appropriate permissions.

u Data that moves across the Internet.

u Data that moves across an extranet.

IPSec security protects the content of IP packets from both active and passive attacks. In an active attack, a hacker modifies existing data or adds false data. In a passive attack, an intruder reads data.

IPSec secures communication through the following methods:

u Peer authentication. IPSec verifies the identity of each computer. Each peer sends security credentials that are verified by the peer at the other end of the connection. Windows Server 2003 IPSec provides multiple methods of peer authentication.

u Data origin authentication. By incorporating a cryptographic checksum calculated with a shared secret key with each packet of protected data, IPSec can verify that the packet must have been sent by a peer that has knowledge of the secret key.

u Confidentiality (data encryption). IPSec offers confidentiality by encrypting data before transmission, ensuring that the data cannot be read during transmission — even if an attacker monitors or intercepts the packet. IPSec encryption is applied at the IP network layer, which makes it transparent to applications that use TCP or User Datagram Protocol (UDP) for network communication.


u Integrity. IPSec protects data from unauthorized modification in transit, ensuring that the information received is exactly the same as the information sent.

u Anti-replay. IPSec ensures that any attacker who might intercept data cannot reuse or replay that data to establish a session or to illegally gain information or access to resources.
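The following added example (not from the Resource Kit, and not the Windows IPSec implementation) shows three of the methods above on a simplified packet: data origin authentication and integrity through a keyed checksum computed with a shared secret (an HMAC, truncated to the 96-bit integrity check value size IPSec commonly uses), and anti-replay through the sliding bitmap window of RFC 4303. The integrity check is verified before the window is updated so that forged packets cannot disturb it. Confidentiality is not shown, since the standard library has no cipher; the key and the messages are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # 96-bit integrity check value, the truncation IPSec commonly uses
DEMO_KEY = b"constructed shared secret for the example only"


def protect(key, seq, payload):
    """Sender: sequence number || payload || HMAC over both (an AH/ESP-style
    integrity check value)."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 bitmap scheme): the highest sequence
    number accepted so far plus a bitmap of which of the previous `size`
    numbers have already been accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq > self.top:                           # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                      # older than the window: drop
            return False
        if (self.bitmap >> offset) & 1:              # already accepted: replay
            return False
        self.bitmap |= 1 << offset
        return True


class Receiver:
    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()

    def accept(self, packet):
        """Returns (accepted, reason, payload)."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated", None
        header, payload, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return False, "bad integrity check", None
        seq = struct.unpack("!I", header)[0]
        if not self.window.check_and_update(seq):
            return False, "replay", None
        return True, "ok", payload
```

A packet that arrives late but inside the window is still accepted once, a second copy of any accepted packet is rejected as a replay, and a packet whose payload was altered or that was built with a different key fails the integrity check before it can touch the window.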

Deploying IPSec requires careful planning. For more information about deploying IPSec, see “Deploying IPSec” in this book. For more technical information about IPSec, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

Using a Perimeter Network

A perimeter network protects your intranet or enterprise LAN from intrusion by controlling access from the Internet or other large network. The perimeter network (also known as a demilitarized zone or DMZ) is bounded by firewalls. A firewall is not a single component, but rather a system or combination of systems that enforces a boundary between two or more networks.

Figure 1.11 shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network.

Figure 1.11 Perimeter Network Securing an Internal Network

Figure not reproduced. It shows, from the outside in: the Internet; an external firewall; the perimeter network, which contains the servers that must access the external world, such as proxy and Web servers; an internal firewall; and the secure internal network, which contains most servers and all client computers.

Organizations vary in their use of firewalls for providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they pertain only to a few specific applications, such as a particular e-mail system. Circuit gateways are most effective when the user of a network application is of greater concern than the data being passed by that application. The proxy server — the recommended solution — is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services.


You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined.

In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.

Used when the actual content of an application is of greatest concern, application gateways do not adapt easily to changes in technology. However, unlike IP packet filtering, application gateways can be used in conjunction with encryption.

As tunnels connecting specific processes or systems on each side of a firewall, circuit gateways are best employed in situations where the person using an application is potentially a greater risk than the information that the application carries. The circuit gateway differs from a packet filter in its capability for connecting to an out-of-band application scheme that can add additional information.

Proxy servers are comprehensive security tools that include firewall and application gateway functionality to manage Internet traffic to and from a private intranet. Proxy servers also provide document caching and access control. A proxy server can improve performance by caching and directly supplying frequently requested data such as a popular Web page. A proxy server also can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Take advantage of those firewall security features that can help you. Position a perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the perimeter that the external firewall maintains. You can fine-tune access control for the firewall to meet your needs and can configure firewalls to report all attempts at unauthorized access.
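The following added example (not from the Resource Kit) contrasts the two packet-level firewall techniques discussed above on an external firewall rule set: a stateless filter that matches each packet against rules in isolation, and stateful inspection that remembers connections permitted by the rules and admits only their return traffic. It also shows why a port-based rule cannot classify an IPSec ESP packet, whose transport header is encrypted. The rule set, the perimeter Web server address and the Internet addresses (documentation range 203.0.113.0/24) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "esp", ...
    sport: Optional[int] = None  # None when the transport header is not visible
    dport: Optional[int] = None
    syn_only: bool = False       # TCP SYN without ACK: a connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False         # an ESP packet carries no visible port: no match
        return (ipaddress.IPv4Address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.IPv4Address(pkt.dst) in ipaddress.ip_network(self.dst))


def stateless_filter(rules, pkt):
    """Classic packet filtering: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: connections permitted by the rules are remembered,
    and only their return traffic is admitted without a rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # (client ip, client port, server ip, server port, proto)

    def decide(self, pkt):
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.connections:
            return "allow"                        # return traffic of a known connection
        if pkt.proto == "tcp" and not pkt.syn_only:
            return "deny"                         # mid-stream TCP with no state: bogus
        action = stateless_filter(self.rules, pkt)
        if action == "allow" and pkt.sport is not None:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


# Constructed external-firewall rule set for the topology of Figure 1.11.
EXTERNAL_FIREWALL_RULES = [
    Rule("allow", dst="192.168.10.5/32", proto="tcp", dport=80),               # perimeter Web server
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),                   # internal clients out to HTTPS
    Rule("allow", src="203.0.113.9/32", dst="192.168.10.1/32", proto="esp"),   # IPSec from a partner gateway
]
```

The stateless filter admits the Web request and rejects the probe of an internal host, but it also rejects the legitimate reply to an internal client's outbound HTTPS connection, which is why such filters end up with broad "allow anything to high ports" rules that are easily defeated. The stateful filter admits that reply because it saw the connection open, and still rejects a reply-shaped packet for a host that never connected.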

Improving Availability

Availability refers to how much time the network is operational. Planning well for availability improves both your network’s mean time between failures (MTBF) and its mean time to recovery (MTTR) after a network failure.

To improve availability in your IP network design, you must know your organization’s availability requirements. For some organizations, unanticipated down time is simply an irritating inconvenience. In other environments, unanticipated down time could mean financial disaster, drastic loss of credibility, or, as in health care or law enforcement, a risk to safety.


Figure 1.12 shows the process for improving availability on your network.

Figure 1.12 Improving Availability

Figure not reproduced. It shows the design process steps (plan IP-based infrastructure, develop routing strategies, design IP addressing scheme, plan IP configuration strategy, plan security, improve availability, plan IP multicasting, introduce IPv6 on your network, test your design) with “Improve availability” as the current step and its three tasks: implement redundancy, implement secondary paths, and use load balancing.

Each method for improving availability places different demands on the design of your network.

As the risk of down time to your operation increases, build more redundancy into your design, both in hardware and routing. Similarly, as the consequences of failure increase, make your network more resilient by increasing the amount of stress it can handle before it loses functionality.

Implementing Redundancy

Single points of failure, such as devices, links, and interfaces, can make a network vulnerable. If one such point fails, it isolates users from services and, in the worst case, causes entire sections of the network to fail. For a purely hierarchical network — one based on summarization and controlled access between tiers — every device and link is a point of failure.

Redundancy provides alternative paths around points of failure. In a purely redundant network, each individual device, link, and interface is dispensable. No single device, link, or interface can isolate users or cause the network to fail.

In most production environments, neither a purely hierarchical nor a purely redundant network is practical. You must balance the efficiency of a hierarchical network with the safety net of redundancy.

Implementing Secondary Paths

After deploying multiple devices to eliminate single points of failure, configure secondary paths to take advantage of the multiple devices. A secondary path, or backup path, consists of the interconnecting devices and the links between them that duplicate the devices and links in the primary path. For example, you can configure multiple routers to provide redundancy.

A redundant design uses the secondary path to maintain network connectivity when any of the primary path’s devices or links fails. Be sure to test any secondary paths on a regular basis. Do not assume that they will work. If possible, ensure that the switch from the primary path to the secondary path occurs transparently. For mission-critical applications, automatic failover is mandatory.


Using Load Balancing

In addition to its safety net function, redundancy plays a second valuable role. By properly configuring two or more paths that connect the same source and destination networks, you can significantly improve throughput by providing load balancing. Load balancing evenly divides the flow of traffic among parallel links.

Most routing protocols based on open standards support load balancing across paths that the protocol determines to be equally favorable to the destination, that is, paths of equal cost (equal-cost multipath). In addition, some vendors’ proprietary routing protocols support load balancing where the costs of the paths (their relative favorability to the destination in terms of shortest distance, number of hops, and other criteria) are not considered equal.

For more information about network load balancing, see “Designing Network Load Balancing” in Planning Server Deployments of this kit.
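The equal-cost load balancing described above, together with the regular secondary-path test that “Implementing Secondary Paths” calls for, as an added example that is not code from the original chapter: a small Python model of a router that computes every equal-cost path between two networks, hashes flows onto those paths, and recomputes after a simulated link failure. The topology, link costs and flow 5-tuples are assumed values constructed for illustration.

```python
"""Equal-cost multipath and failover on a small redundant topology.

Added example; not code from the original chapter. The topology, link
costs and flows are constructed for illustration (assumed values).
"""
import hashlib
import heapq
from collections import defaultdict

# Constructed topology: two equal-cost primary paths A-B-D and A-C-D
# (cost 20 each) and a costlier secondary path A-E-D (cost 30).
LINKS = [
    ("A", "B", 10), ("B", "D", 10),
    ("A", "C", 10), ("C", "D", 10),
    ("A", "E", 15), ("E", "D", 15),
]


def build_graph(links):
    """Undirected adjacency map: node -> {neighbour: cost}."""
    graph = defaultdict(dict)
    for u, v, cost in links:
        graph[u][v] = cost
        graph[v][u] = cost
    return graph


def equal_cost_paths(graph, src, dst):
    """Dijkstra that records every predecessor at the minimum distance, so all
    equal-cost paths can be enumerated. Returns (cost, paths); cost is None
    when dst is unreachable (no primary and no secondary path left)."""
    dist = {src: 0}
    preds = defaultdict(list)
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)  # another path of the same cost
    if dst not in dist:
        return None, []

    def walk(node):
        if node == src:
            return [[src]]
        return [p + [node] for pred in preds[node] for p in walk(pred)]

    return dist[dst], sorted(walk(dst))


def pick_path(paths, flow):
    """Per-flow ECMP: hash the 5-tuple so all packets of one flow take the
    same path. Per-packet round-robin would reorder TCP segments."""
    key = "|".join(str(x) for x in flow).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return paths[idx % len(paths)]


def distribute(paths, flows):
    """Count how many flows land on each parallel path."""
    counts = {tuple(p): 0 for p in paths}
    for flow in flows:
        counts[tuple(pick_path(paths, flow))] += 1
    return counts


def fail_link(links, a, b):
    """Simulate a link failure: the secondary-path test the text asks for."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


def sample_flows(n):
    """Constructed 5-tuples: n TCP flows from distinct source ports to one server."""
    return [("10.0.1.%d" % (i % 200 + 1), "10.0.9.10", 6, 40000 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    graph = build_graph(LINKS)
    cost, paths = equal_cost_paths(graph, "A", "D")
    print("primary paths (cost %s):" % cost, paths)
    print("flow spread:", distribute(paths, sample_flows(200)))
    degraded = fail_link(LINKS, "B", "D")
    print("after B-D fails:", equal_cost_paths(build_graph(degraded), "A", "D"))
    isolated = fail_link(degraded, "C", "D")
    print("after C-D fails too:", equal_cost_paths(build_graph(isolated), "A", "D"))
```

Two points the model makes concrete. Load balancing is per flow, not per packet: hashing the 5-tuple keeps each TCP session on one path, which is what production routers do to avoid reordering. And the secondary path is exercised by removing links and recomputing: with one primary link gone traffic still reaches D at the original cost over the remaining equal-cost path, with both gone it falls back to the costlier A-E-D path, and with that gone too the computation reports the destination as isolated, which is exactly the condition the design must never reach. Unequal-cost balancing, as offered by some proprietary protocols, is not modelled.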

Planning IP Multicasting

With IP multicasting, one device can send a single data stream that the network replicates only as necessary so that multiple devices receive the data. Because of the minimal overhead required to create the data stream and the low overhead on the network, multicast communication is particularly suitable for multiple-user multimedia applications such as video conferencing, distance learning, and collaborative computing. You can also use multicast traffic to discover resources on the internetwork and to support datacasting applications such as file distribution or database synchronization.

Using the IP multicast components of the Windows Server 2003 TCP/IP protocol and the Routing and Remote Access service, you can send and receive IP multicast traffic from multicast-enabled portions of your intranet or the Internet and from remote access clients. You can use IP multicast to optimize server loading and network bandwidth.

Figure 1.13 shows the tasks involved in planning IP multicasting.


Figure 1.13 Planning IP Multicasting

[Flowchart. The chapter’s design tasks in sequence: Plan the IP-based infrastructure; Develop routing strategies; Design an IP addressing scheme; Plan an IP configuration strategy; Plan security; Improve availability; Plan IP multicasting; Introduce IPv6 into your network; Test your design. The Plan IP multicasting task expands into these steps:

Plan MADCAP servers
Plan IP multicast-enabled routers
Configure IGMP
Configure IP multicast scopes
Configure client computers]

In multicast routing, routers communicate multicast group membership information to each other using multicast routing protocols, and forward data across the internetwork. Multicast forwarding refers to the process of forwarding multicast traffic to networks on which other multicast devices are listening. The multicast-capable portion of the Internet is referred to as the Internet multicast backbone, or MBone.
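How a router learns group membership from IGMP before it asks a multicast routing protocol for the distribution tree, as an added example that is not code from the original chapter: the Python below builds and validates IGMPv2 messages and keeps the per-interface group state a router maintains. The message layout, type codes and checksum follow RFC 2236 (IGMPv2); the router state machine is a simplified model (a single querier with one query timer), and every packet, interface name and group address is constructed for illustration.

```python
"""IGMPv2 membership reports as a multicast router processes them.

Added example; not code from the original chapter. Message layout, types and
checksum follow RFC 2236 (IGMPv2); the router state machine is a simplified
model (one querier, one query timer) and every packet below is constructed.
"""
import ipaddress
import struct

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Type | Max Resp Time | Checksum | Group Address (8 bytes)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(pkt: bytes):
    """Return (type, group). Raises ValueError for short or corrupt messages."""
    if len(pkt) < 8:
        raise ValueError("short IGMP message")
    if inet_checksum(pkt[:8]) != 0:  # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, _max_resp, _csum, raw = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(raw))


def forwardable(group: str) -> bool:
    """Routers forward only real multicast groups outside 224.0.0.0/24 (link-local)."""
    addr = ipaddress.IPv4Address(group)
    return addr.is_multicast and addr not in LINK_LOCAL


class MembershipTable:
    """Per-interface group state as an IGMPv2 router keeps it. The router records
    whether a group has listeners on an interface, not which hosts they are."""

    def __init__(self):
        self.active = set()    # (interface, group) pairs with listeners
        self.checking = set()  # pairs queried after a Leave, awaiting a Report

    def handle(self, interface: str, pkt: bytes) -> str:
        msg_type, group = parse_igmp(pkt)
        if not forwardable(group):
            return "ignored"
        key = (interface, group)
        if msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.active.add(key)
            self.checking.discard(key)  # a remaining listener answered the query
            return "joined"
        if msg_type == IGMP_LEAVE and key in self.active:
            # IGMP carries no authentication, so any host on the segment can send
            # a Leave. The router therefore sends a Group-Specific Query instead of
            # pruning at once; the group is dropped only if nobody reports back.
            self.checking.add(key)
            return "query"
        return "ignored"

    def query_timeout(self):
        """Query timer expired with no Report: stop forwarding the queried groups."""
        expired = sorted(self.checking)
        self.active -= self.checking
        self.checking = set()
        return expired

    def forwards_to(self, group: str):
        """Interfaces on which traffic for group is currently forwarded."""
        return sorted(i for i, g in self.active if g == group)
```

The checks a practitioner wants are in the two validation paths: a message with a bad checksum is rejected before it touches router state, and reports for non-multicast or link-local (224.0.0.0/24) groups never create forwarding state, because routers never forward that block. The Leave handling shows why the Group-Specific Query matters: since IGMP has no authentication, a single spoofed Leave would otherwise cut off every listener on the segment; with the query step, forwarding continues as long as any host still answers.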
