Module 2: TCP/IP as a Solution for Networking

Contents
Overview
Designing a Functional TCP/IP Solution
Enhancing a TCP/IP Design for Availability
Optimizing a TCP/IP Design
Lab A: Designing a TCP/IP Solution
Review
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes

This module provides students with the information and decision-making experiences needed to design a Transmission Control Protocol/Internet Protocol (TCP/IP) solution in a Microsoft® Windows® 2000 networking infrastructure. Students will recognize the appropriate IP address structures when designing a TCP/IP solution to meet the networking requirements of an organization.

At the end of this module, students will be able to:
Identify the features of TCP/IP in Windows 2000 and the functionality provided by those features.
Recognize an IP address structure appropriate for private or public network TCP/IP functionality.
Describe methods available to secure TCP/IP data traffic.
Describe strategies to improve the availability of TCP/IP routing structures.
Describe strategies for the efficient use of IP traffic data transmission.

Upon completion of the design lab, students will be able to design TCP/IP solutions that meet the networking requirements of a variety of organizations.
Course Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials
To teach this module, you need the following materials:
Microsoft® PowerPoint® file 1562B_02.ppt

Preparation Tasks
To prepare for this module:
Review the contents of this module.
Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD.
Read any relevant RFCs in the Windows 2000 Help files.
Be familiar with TCP/IP subnetting, supernetting, Classless Inter-Domain Routing (CIDR), and variable length subnet masks (VLSM).
Know how and where to obtain IP address blocks.
Read the review questions and be prepared to elaborate beyond the answers provided in the text.
Review the discussion material and be prepared to lead class discussions on the topics.
Complete the labs and be prepared to elaborate beyond the solutions found there.

Presentation: 60 Minutes
Lab: 60 Minutes
Module Strategy

Use the following strategy to present this module.

Introducing TCP/IP
Provide an introduction to TCP/IP for creating network design solutions. The purpose of this module is to lay the foundation for developing a Windows 2000 network.
• Emphasize the main features of TCP/IP that will assist the students in designing TCP/IP solutions. Explain how the technology features provided by TCP/IP in Windows 2000 support business solutions.

Designing a Functional TCP/IP Solution
Provide an introduction to IP addressing and the address schemes used for public and private internets.
• Describe the purpose of subnet masks and how IP devices determine the portions of an IP address that are used for routing and for host addressing.
• Explain the manual allocation, DHCP manual, DHCP dynamic, and Automatic Private IP Addressing (APIPA) IP configuration methodologies used by network hosts.

Securing a TCP/IP Solution
When TCP/IP data is sent on the network, unauthorized users can read or alter it in transit. Discuss the methods for securing a TCP/IP solution.
• Describe the IPSec protection levels. Emphasize that to reduce the CPU overhead associated with authentication and encryption, you select the lowest level of protection that still meets the security requirements: for example, an Authentication Header (AH) policy where only integrity and origin authentication are required, rather than Encapsulating Security Payload (ESP) encryption.
• Point out that the exchange of authenticated and encrypted data between peer computers that use IPSec requires negotiation of security associations and keys. Windows 2000 performs this negotiation with the Internet Key Exchange (IKE) protocol before any protected data is sent.
Enhancing a TCP/IP Design for Availability
A TCP/IP network must be available for users to transfer data over the network. In this section, discuss the use of redundant routers and links to enhance the availability of a TCP/IP design.

Optimizing a TCP/IP Design for Performance
Emphasize the fact that the performance of a TCP/IP network design focuses on the average length of time required to transmit an IP packet. Discuss the strategies used to ensure efficient data transmission.
In this section:
• Explain that dividing IP address ranges with variable length subnets, and combining IP address ranges by supernets, are the two methods of optimizing subnet designs.
• Describe how to recognize traffic patterns and performance factors to optimize IP performance on the network. You can use the following information to explain optimization of IP performance:
The characteristics of a wide area network (WAN) most likely to limit application performance are the available bandwidth and the delay. A designer may not be able to make the technology decisions that affect the Maximum Transmission Unit (MTU) for a network, but the TCP receive window size may require adjustment to suit the delay × bandwidth product of links within the WAN.
Consider a latency-sensitive traffic example. On a 10 megabits per second (Mbps) local area network (LAN) segment, where delay is essentially zero, consider a client-to-domain-controller logon and authentication transaction. If the transaction requires 18 packets with an average of 120 bytes per packet, and the domain controller processing overhead is 150 milliseconds (ms), a simple indication of the transaction time is:

    Transaction_time = (time_for_one_packet × 18) + DC_overhead
                     = (120 × 8 bits / 10 × 10^6 bit/s) × 18 + 150 × 10^-3 s
                     = 1.7 ms + 150 ms ≈ 151 ms

The transaction time here is dominated by the domain controller response time, so the computers used are the primary limit on performance. This level of performance is typical in LAN-based environments.

If the same transaction occurred over a 256 kilobits per second (Kbps) WAN link with a 130 ms round-trip time (RTT), each of the nine request/response pairs that make up the 18 packets also waits one RTT:

    Transaction_time = (time_for_one_packet × 18) + (9 × RTT) + DC_overhead
                     = (120 × 8 bits / 256 × 10^3 bit/s) × 18 + (9 × 130 × 10^-3 s) + 150 × 10^-3 s
                     = 67.5 ms + 1170 ms + 150 ms ≈ 1.39 s

The transaction time here is dominated by the delay, so link speed and computer processing time have a reduced effect.
If this transaction is required as part of Web pages transacted over HTTPS, the authentication might occur many times and be the major component of the refresh time for a page, rendering the application unacceptable when used across a WAN. The design may need to place a domain controller at the remote site to bring client performance to an acceptable level.
• Emphasize that remote networks require special consideration when you develop an IP addressing scheme. Describe how to optimize remote subnets.
• Present Quality of Service (QoS) as a solution for optimizing the performance of a TCP/IP network.
• Remind the students that implementing QoS enables real-time programs to make the most efficient use of network bandwidth. The goal of a QoS implementation is a guaranteed delivery system for network traffic, such as IP packets.
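The logon calculation above as a small model that can be rerun for other links, extended with the bandwidth-delay product that sets the receive window a link needs. This is an added example written for this page, not part of the Microsoft course material. The 18-packet, 120-byte, 150 ms transaction and the two links are the module's figures; the 17,520-byte default receive window is Windows 2000's Ethernet default, and the function names and verdict thresholds are this example's own.

```python
"""Request/response transaction time and receive-window sizing (added example).

Reproduces the module's LAN and WAN logon calculations and extends them with
the bandwidth-delay product that sets the TCP receive window a link needs.
Packet count, packet size, server overhead and the two links are the module's
figures; the 17,520-byte default window is Windows 2000's Ethernet default,
and the thresholds in receive_window_advice are this example's own.
"""


def transaction_time(packets, bytes_per_packet, link_bps, rtt_s, server_overhead_s):
    """Seconds for a strictly alternating request/response exchange.

    Every packet is serialised onto the link, every request/response pair
    (packets // 2 of them) waits one round-trip time, and the server adds a
    fixed processing overhead. Pass rtt_s=0 for a LAN where delay is
    negligible.
    """
    serialisation = packets * bytes_per_packet * 8 / link_bps
    waiting = (packets // 2) * rtt_s
    return serialisation + waiting + server_overhead_s


def bandwidth_delay_product(link_bps, rtt_s):
    """Bytes that must be in flight to keep the link full: bandwidth x delay."""
    return round(link_bps * rtt_s / 8)


def receive_window_advice(link_bps, rtt_s, default_window=17520):
    """Return (bytes_needed, verdict) comparing the link's demand with a default window.

    A window above 65,535 bytes cannot be expressed in the 16-bit TCP header
    field and needs the RFC 1323 window-scaling option.
    """
    needed = bandwidth_delay_product(link_bps, rtt_s)
    if needed <= default_window:
        return needed, "default window sufficient"
    if needed <= 65535:
        return needed, "raise TcpWindowSize toward the bandwidth-delay product"
    return needed, "enable RFC 1323 window scaling (Tcp1323Opts)"


if __name__ == "__main__":
    lan = transaction_time(18, 120, 10_000_000, 0.0, 0.150)
    wan = transaction_time(18, 120, 256_000, 0.130, 0.150)
    print(f"LAN logon: {lan * 1000:.0f} ms; WAN logon: {wan:.2f} s")
    for label, bps, rtt in (("256 Kbps, 130 ms RTT", 256_000, 0.130),
                            ("T1, 130 ms RTT", 1_544_000, 0.130),
                            ("100 Mbps, 60 ms RTT", 100_000_000, 0.060)):
        needed, verdict = receive_window_advice(bps, rtt)
        print(f"{label}: {needed} bytes in flight -> {verdict}")
```

The WAN figure makes the module's point: nine round trips account for 1.17 s of the 1.39 s, so neither a faster link nor a faster domain controller helps much, while the receive-window check shows that a 256 Kbps link needs only about 4 KB in flight and leaves the default window alone.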
Lab Strategy

Use the following strategy to present this lab.

Lab A: Designing a TCP/IP Solution
This lab is designed to assist the student in assimilating the information presented in the workbook into a network design solution. To evaluate a network solution, students are expected to have basic network design and technology implementation knowledge.
In this lab, students will design a TCP/IP solution based on specific requirements outlined in the given scenario. Students review a set of requirements and read supporting materials. They use the information from the module to develop a detailed design that uses TCP/IP as a solution for the scenario.
To conduct this lab:
Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
Divide the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the purpose of the lab.
Explain that the Design Worksheet is to be used to develop the design of their solution.
Remind students to consider any functionality, security, availability, and performance criteria that are provided in the scenario, and to think about how they will incorporate strategies to meet these criteria in their design.
Take the opportunity to assess each student's comprehension of the design strategies presented in the module while students are completing the lab.
Allow some time to discuss the solutions after the lab is completed. A solution is provided on the Instructor CD. Encourage students to critique each other's solutions and to discuss any ideas for improving the designs.
Overview

Organizations are facing a growing need for Internet connectivity, and for connectivity between dissimilar operating systems and hardware platforms spread over large geographic distances. Because Transmission Control Protocol/Internet Protocol (TCP/IP) operates on a wide variety of physical networks and can be scaled to suit small to large networks, it is the protocol that best meets the requirements of these organizations.

At the end of this module, you will be able to:
Identify the features of TCP/IP in Microsoft® Windows® 2000 and the functionality provided by those features.
Recognize the IP address structure appropriate for private or public network TCP/IP functionality.
Describe methods available to secure TCP/IP data traffic.
Describe strategies to improve the availability of TCP/IP routing structures.
Describe strategies for efficient use of IP traffic data transmission.

In this module, you will define the role of TCP/IP in a networking infrastructure and create a functional TCP/IP networking solution.
Introducing TCP/IP

TCP/IP operates on a wide variety of physical networks and can be scaled to suit small to large networks. IP is the protocol used for communications on public networks such as the Internet.
To design a TCP/IP network infrastructure, you need to:
Describe the components of the TCP/IP protocol suite.
Determine the design decisions influencing a TCP/IP solution.
Describe the features and functionality provided by TCP/IP in Windows 2000.

Slide Objective: To define the role of TCP/IP in a network and review the features that support that role.
Lead-in: TCP/IP operates on a wide variety of physical networks and can be scaled to suit small to large networks.
TCP/IP Protocol Suite

[Slide: the OSI seven-layer model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data link, 1 Physical) mapped against the four-layer TCP/IP model and the TCP/IP protocol suite; the network, data link and physical layers are labelled as the frame.]

The TCP/IP suite of protocols allows the design of a logical peer network by using an underlying physical network infrastructure. These vendor-independent protocols can be used to implement IP networks ranging from small local area networks (LANs) to large enterprise networks.
The Internet Engineering Task Force (IETF) continues to revise and improve the TCP/IP suite of protocols. Microsoft continuously updates the TCP/IP implementation to comply with the latest IETF standards.
The preceding illustration shows the mapping of the Open Systems Interconnection (OSI) seven-layer model to the TCP/IP four-layer model, and the major components of the TCP/IP suite. The OSI layer one and two infrastructure is considered to be in place for any design considerations in this module.

Slide Objective: To describe the components of the TCP/IP protocol suite.
Lead-in: The TCP/IP suite of protocols supports the design of a logical peer network by using an underlying physical network infrastructure.
Key Points: The TCP/IP suite of vendor-independent protocols can be used to implement IP networks ranging from small local area networks (LANs) to large enterprise networks.
Avoid covering the TCP/IP protocol suite in detail. The students are expected to know this information. Use the slide to remind them of the extent of the TCP/IP suite and that the layer one and two network infrastructure already exists.
Design Decisions for a TCP/IP Solution

[Slide: a heterogeneous network of Microsoft Windows 98, Microsoft Windows NT® and Windows 2000 computers and a network printer, connected through a Windows 2000–based router.]

communication in heterogeneous, multiple-vendor networks. Before you design a TCP/IP solution, you must identify the design decisions that influence the design.
To design a TCP/IP solution, you need to analyze:
The number of hosts requiring IP connectivity.
The requirement for public and/or private IP addressing.
The number of physical subnets and routers.
The OSI layer 1 and 2 network configuration.

Slide Objective: To introduce the decisions that influence the design of a TCP/IP solution.
Lead-in: To design a TCP/IP solution, you must determine the number of hosts, the addressing structure needs, the number of subnets and routers, and the underlying network configuration.
Discuss the points listed on the slide. Tell students that these are the design decisions they need to consider before designing a TCP/IP solution.
TCP/IP Features

[Slide: TCP/IP features: Security, Bandwidth Management, Automatic Private IP Addressing, ICMP Router Discovery, Disabling NetBIOS over TCP/IP, Performance Improvement.]

To design an effective TCP/IP solution, you must understand the features of TCP/IP and how these features solve the connectivity requirements of your organization.

Security
TCP/IP allows enhanced data and connection security by supporting a number of IETF-proposed standards for data encryption, authentication, and filtering. The Windows 2000 implementation of TCP/IP supports Internet Protocol Security (IPSec) for packet-level authentication and data encryption, and TCP/IP filtering, which permits or blocks inbound traffic on an interface by TCP port, UDP port, or IP protocol number.

Bandwidth Management
Time-sensitive IP traffic streams such as streaming multimedia require connection protocols that provide bandwidth reservation within a network. TCP/IP supports bandwidth reservation by using Quality of Service (QoS) mechanisms, which allow IP traffic to be prioritized.

Automatic Private IP Addressing
Automatic Private IP Addressing (APIPA) automates TCP/IP address configuration for hosts on a single-subnet network that has no DHCP server. APIPA eliminates IP address configuration for simple networks not connected to the Internet. The IP addresses for APIPA are allocated from 169.254.0.0/16, which is reserved by the Internet Assigned Numbers Authority (IANA).

Slide Objective: To describe the features of TCP/IP and the functionality provided by these features.
Lead-in: After considering the design decisions, you need to understand the features supported by TCP/IP to use them in designing a TCP/IP solution.
Delivery Tip: Focus on the new features and mention them briefly. Remind the students that they will consider these features while designing TCP/IP solutions.
Performance Improvement
The following features of TCP/IP have been enhanced to improve the performance of TCP/IP solutions:
Large TCP Windows. The TCP window size is the maximum number of bytes that can be sent without waiting for a positive acknowledgment. TCP window scaling (RFC 1323) raises this limit above the 65,535 bytes that the 16-bit header field can express, and improves TCP/IP performance when a large amount of data is in transit between the sender and receiver, such as in wide area network (WAN) environments.
TCP Selective Acknowledgment. A selective acknowledgment (SACK) is a TCP option (RFC 2018) that allows the receiver to tell the sender exactly which segments have arrived, so that the sender resends only the data that is actually missing. This results in smaller amounts of data requiring retransmission and in better use of network bandwidth.

ICMP Router Discovery
Windows 2000–based computers running Routing and Remote Access support Internet Control Message Protocol (ICMP) router discovery (RFC 1256). This allows a host to discover a router automatically, even when no default gateway is configured for the host. ICMP router discovery is disabled by default on TCP/IP for Windows 2000 hosts, and is enabled by using the DHCP Perform Router Discovery option.

Disabling NetBIOS over TCP/IP
Windows 2000 allows you to disable network basic input/output system (NetBIOS) over TCP/IP (NetBT) for computers that use only DNS name registration and resolution. These computers can share files and printers only with other Windows 2000 computers, which support SMB directly over TCP (port 445) without NetBIOS, and only when both sides run the Client for Microsoft Networks and File and Print Sharing for Microsoft Networks components.
Note: NetBT is typically disabled only on those computers that you place in specialized roles in your network, such as edge proxy servers or bastion hosts in a firewall environment, where NetBT support is not required or desired.
Designing a Functional TCP/IP Solution

To determine the appropriate TCP/IP infrastructure, you must evaluate your Internet accessibility needs, the use of routers, and public address availability.
To allow peer-to-peer communication, all hosts in a TCP/IP network require unique IP addresses. IP version 4 uses a 32-bit address structure. The IETF defines the address architecture, and IANA and the regional Internet registries administer the public address space; the same structure is used for both public and private addressing.
In designing a functional IP network, you need to consider:
The IP address and mask configuration.
The addressing structures for private network operation.
The addressing structures to allow subnet routing.
A methodology for a consistent design of IP networks.

To design the functional aspects of TCP/IP, you must determine Internet accessibility needs, router usage, and public address availability.
Explain the fundamentals of routing, subnetting, and supernetting. Do not spend too much time explaining the mechanics of these topics.
Addressing Structures

Depending on the routing protocols used, you can specify IP addresses based on:
Classes (A, B, C) with an associated default mask.
Classes with variable length subnet masks (VLSM).
Classless Inter-Domain Routing (CIDR) with a specified prefix length.
Class-based networks support a single subnet mask, and are suitable for networks routed by using Routing Information Protocol (RIP) version 1, which does not carry mask information in its updates. VLSM and CIDR support multiple masks or prefixes per network. Both VLSM and CIDR require routers that support more advanced interior routing protocols such as RIP version 2 and Open Shortest Path First (OSPF).
The following table lists the class-based addresses.

Address Class   Address Range                  Default Mask     Purpose
A               1.0.0.0 to 126.255.255.255     255.0.0.0        Very large networks
B               128.0.0.0 to 191.255.255.255   255.255.0.0      Medium-sized networks
C               192.0.0.0 to 223.255.255.255   255.255.255.0    Small networks

Slide Objective: To describe the use of addressing structures and the IP address, which is unique for each host that communicates by using TCP/IP.
Delivery Tip: The students are likely familiar with IP addressing. Use the slide and student text to ensure that the students understand that VLSM and CIDR require specific routing support.
Subnet Masks

Class-based IP addresses are split into two portions: the network and host address fields. The subnet mask allows the derivation of the network and host fields of the IP address. The network field is required to make routing decisions.
When using class-based addresses and VLSM, you cannot decrease the number of bits that determine the network address below the number assigned by the default subnet mask; a prefix shorter than the class default is a supernet and requires CIDR.
The following table lists and describes the RFCs pertaining to subnet masks.

RFC     Title                                                                                   Describes
950     Internet Standard Subnetting Procedure                                                  Subnetting of IP addresses
1518    An Architecture for IP Address Allocation with CIDR                                     Introduction to the architecture required to support CIDR
1519    Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy   Designing with route aggregation
1812    Requirements for IP Version 4 Routers, Section 4.2.2.11                                 All-ones and all-zeros subnet numbers under a subnet mask
1878    Variable Length Subnet Table For IPv4                                                   Subnet masking of variable length

Important: Before implementing IPv4 by using VLSM or CIDR, you must ensure that the routers on your network support VLSM and CIDR.
IP Addressing for a Private Network

[Slide table]
Scheme    Use                                                                                                   Pros
Public    Large number of hosts require direct Internet access; sufficient number of registered public         Addresses are owned; all hosts are Internet accessible
          addresses exist for private network hosts
Private   Few hosts require direct Internet access; sufficient number of registered public addresses
          do not exist for private network hosts

Public Addressing Schemes
Hosts connected directly to the Internet require a public, globally unique IP address. Any network connected to the Internet has a minimum of one public address for Internet connectivity.
To enhance security, a private network that uses public addresses, and is connected to the Internet, requires isolation from the Internet by a firewall, a screened subnet, or a packet-filtering router.
Use a public addressing scheme if the organization has:
A large number of hosts that require direct Internet access.
A sufficient number of registered public addresses that can be assigned to all network hosts.
If the network design requires that a large number of IP addresses be accessible from the Internet, you must obtain a suitable range of public IP addresses. You can apply for public IP addresses from an Internet service provider (ISP) or an Internet registry. Acquiring a large number of public addresses is expensive to maintain and in most cases unnecessary.
Organizations that use a public addressing scheme must also anticipate their network growth. The total number of addresses available can restrict network growth. After you assign all of the public addresses, you cannot add additional devices to the network unless more public addresses are acquired.

Private network devices can be defined with either a public or a private addressing scheme.
Key Points: You can assign hosts that are not directly connected to the Internet either a public or a private address, but if you require connection to the Internet, you need at least one public IP address.
Private Addressing Schemes

Most organizations do not require each host to be accessible from the Internet. Network security is improved by preventing direct Internet access to hosts on the private network.
Use a private addressing scheme if the organization has:
Few hosts that require direct Internet access.
Insufficient public addresses for all private network hosts.
Using a private addressing scheme for the intranet is inexpensive and can be designed to accommodate virtually unlimited network growth.
In your network design, include a firewall and a network address translation (NAT) device to act as an intermediary between the organization's private network and the Internet. The only IP addresses visible to the Internet are the public addresses of the NAT device; the private addresses behind it never appear in packets on the Internet.
RFC 1918 lists the IP address ranges that IANA has reserved for use in private addressing schemes: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
In addition to the addresses in RFC 1918, IANA allows the use of 169.254.0.0/16 for private addressing. In Windows 2000 this block is the APIPA range, so do not assign it to routed subnets.
Note: Any IP address may be used on a private network that is isolated from the Internet by a NAT device. The use of the addresses listed in RFC 1918 is recommended because these addresses are not routed on the Internet. If you instead use public address space that is registered to another organization, hosts on your private network cannot reach that organization's Internet hosts, because their addresses are treated as local.
IP Address Subnet Requirements

[Slide: Increase Hosts: network design specifications, router or IP switch capacity, future growth. Increase Subnets: subnet for each remote connection, overloaded segments, future growth.]

The number of physical subnets that exist.
The number of logical subnets that you can create.
The host population on both physical and logical subnets.
A good subnet mask design does not restrict expected growth in either the number of subnets or the number of hosts per subnet. You need to adjust the subnet mask to provide for the expected host population and network growth.

Limits on the Number of Hosts per Subnet
Consider the following in determining the number of hosts per subnet:
Network design specifications. Create your network design specifications to meet required performance goals. This requires analyzing the bandwidth utilization, broadcast domain size, routing configuration, distance vector delays, and application data flow requirements.
Router performance. Evaluate the number of hosts supported by any new or existing routers. To determine the maximum number of hosts supported per subnet, divide the total number of hosts on any LAN by the number of subnets supported by the router(s). If this number exceeds the host capacity of a subnet or limits performance, then redesign the network to increase the number of subnets.

Slide Objective: To describe how to determine the number of hosts per subnet, and the number of subnets in an IP-routed network design.
Lead-in: As a designer, after selecting a public or private addressing scheme, you need to design a subnet mask to suit your network.
Delivery Tip: First explain the inter-relationship between the number of hosts per subnet and the number of subnets. After the students have a clear understanding of that, talk about determining the limits for both.
Key Points: A good subnet mask design must not restrict the expected growth in either the number of subnets or the number of hosts per subnet. You need to adjust the subnet mask to provide for the expected host population and network growth.
Note: It may be necessary to test how many hosts you can support on a subnet before client performance is affected. These tests must use production applications.
Future growth. Examine the subnet mask to determine if the number of hosts per subnet provides for current needs, performance expectations, and future growth.

Limits on the Number of Subnets
Use the following options to determine the validity of a subnet mask in an IP-routed network:
Subnet for each WAN connection. Examine the network design for any remote connectivity. To support routing, each remote connection requires its own subnet; for a point-to-point link a /30 with two usable addresses is enough.
Overloaded segments. Evaluate the number of hosts supported by any new or existing router. To determine the minimum number of routers required at any single location, divide the total number of hosts by the number of hosts optimally supported by the router.
Future growth. Examine the subnet mask to determine if the number of subnets and the number of hosts per subnet provide for growth. If possible, design for an excess of subnets, because router technology usually limits the number of hosts per subnet.
IP Configuration Methodology

[Slide]
Manual Allocation: for non-DHCP hosts and/or hosts requiring fixed IP addresses.
DHCP Manual: for servers in a client/server relationship; the IP address must be a fixed address.
DHCP Dynamic: for clients in a client/server relationship; the IP address can fall within an address range.
APIPA: for small, single-segment LANs where DHCP is unavailable.

Windows 2000 automates the process for providing a host IP address by using DHCP manual assignment, DHCP dynamic assignment, or APIPA automatic assignment. Depending upon the type of network device or client in your network, you can use any of these IP configuration methods.

Manual Allocation
Some hosts on a network, such as special-function servers, routers, and NAT devices, require manual configuration of the address, mask, and neighbor or gateway addresses. Server applications that assign IP addresses and resolve symbolic names to IP addresses require a fixed IP address, subnet mask, and default gateway.
Addresses are usually configured manually for DHCP servers, DNS servers, WINS servers, routers, and non-Microsoft hosts that do not support DHCP.

DHCP Manual Method
A system administrator configures the address for a host as a reservation in the DHCP database, keyed to the host's hardware (MAC) address. The address is then issued to the host by using the Dynamic Host Configuration Protocol (DHCP). Use the manual configuration method for devices that function primarily as servers in a client/server relationship and require fixed IP addresses.

DHCP Dynamic Method
DHCP leases addresses from a scope defined for each subnet. Use dynamic address allocation if the majority of clients on a network support this method and do not require fixed IP addresses.
By setting the lease time to infinite, you can also use DHCP to configure clients with a permanent IP address. Setting the lease time to infinite provides flexibility in allocating permanent addresses where the host is DHCP-enabled.

Automatic Private IP Addressing
Automatic Private IP Addressing (APIPA) allows a computer running Windows 2000 in a small, single-segment network to select an IP address automatically when DHCP is not available.
The APIPA address is selected from the IANA-reserved address block 169.254.0.0/16. Note: APIPA does not provide a default gateway IP address to the client, and as a result the client cannot operate in a routed network.
Trang 25Discussion: Evaluating TCP/IP Functional Requirements
T1 Link
Fractiona
l T1
Private Network
T1 L
ink
LocationB LocationA Internet
To design a functional TCP/IP solution for connecting networks, you must decide on the number of subnets required for each location, and the number of public and private IP addresses required for the design
The following scenario describes an organization’s current network configuration Read through the scenario and then answer the questions Be prepared to discuss your answers with the class
Scenario
An organization has decided to restructure an existing TCP/IP network You are assigned the task of evaluating the existing physical network and determining the design changes
The current network configuration provides:
Intranet access to all shared folders and Web-based applications at all locations
Access to the Internet from all locations
Support for the existing networking infrastructure
Support for the number of hosts per location as shown in the preceding diagram, which includes router interfaces and the proxy server intranetwork interface
Support for a mission-critical Web-based application that requires a-day, 7-days-a-week operation
24-hours- Isolation of the organization’s network from the Internet by using a combined firewall and proxy server
Delivery Tip
Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses. Remind the students that there can be more than one possible solution to the scenario. Do not spend too much time on discussions. Try to finish the discussion in 10 minutes.
Design Requirements
Your assessment of the existing network configuration, and your investigation of the future configuration requirements, reveal the following design requirements that you must meet in your solution:
Existing configuration information. The configuration of the existing network is:
• The network currently uses 172.20.0.0/16 as the private address block from which all host addresses are allocated.
• The site routers’ private network interfaces are currently configured as 172.20.16.0/19, 172.20.32.0/19, 172.20.48.0/19, and 172.20.64.0/19.
• Company policy mandates that client computers are turned off when not in use, but servers and other network-related devices are left on.
Future configuration requirements. The required configuration for the future network is:
• Private addressing will be used, based on the current private address block, and the site router interfaces will keep the same address and subnet mask.
• New site routers are to be installed, and these devices will restrict the host population per segment to 200 or less.
Questions
Answer the following questions to determine the design decisions for planning a TCP/IP solution. Either write in or circle the correct answer.
1 For this design, what is the minimum number of subnets required in each location, based on router performance?
Total Subnets:
LocationA: 7 LocationB: 5 LocationC: 1 LocationD: 4 Total Subnets: 17
2 Choose an appropriate subnet mask for hosts in this design.
3 What is the total number of required private host IP addresses?
4 What is the minimum number of public IP addresses required?
a 1 public IP address
b 2 public IP addresses
c 2,903 public IP addresses
d 4,032 public IP addresses
The correct answer is a, 1 public IP address.
5 At maximum, how many hosts per subnet does the subnet mask in the design provide?
a 254 hosts per subnet
b 1,022 hosts per subnet
c 6,398 hosts per subnet
d 65,534 hosts per subnet
The correct answer is a. The subnet mask design allows a maximum of 254 hosts per subnet.
6 Management has suggested that a new private address could be chosen. Which of the following private IP network addresses is appropriate for the design?
Securing a TCP/IP Solution
The security of a network design is measured by the ability of the design to prevent unauthorized access to data transmission and intranet-based resources. TCP/IP incorporates security features that provide protection of the TCP/IP data as it is sent on the network, along with configuration of the types of local host traffic that are processed.
You can secure data traffic by:
Filtering IP packets within the TCP/IP protocol
Encrypting data with IPSec
Authenticating and encrypting data with the IPSec protection levels
Using the security keys negotiated by the IPSec Internet Key Exchange (IKE)
Protecting IP Traffic with Filters
Minimizing the protocols and ports exposed on a host can reduce the risk of unauthorized access. By using a firewall, you can filter IP traffic to minimize the risks. This type of filtering may be difficult to manage, particularly if many hosts have different filtering requirements. The Windows 2000 implementation of TCP/IP supports application layer filtering of IP traffic by allowing you to set filters on a host-by-host basis.
TCP/IP filtering blocks the delivery of any IP packets that do not conform to the preset criteria. You can use TCP/IP filtering for dedicated servers that provide services on well-known protocols, TCP ports, and User Datagram Protocol (UDP) ports. TCP/IP filtering does not apply to routed traffic that is forwarded between interfaces.
Include TCP/IP filtering in your network design to:
Control traffic to dedicated servers
Block all inbound traffic except that which you specifically list
Provide filtering at the application layer
For most situations, you permit the acceptance of all IP traffic.
Evaluate the effect of any enabled TCP/IP filters to ensure proper computer operation. Enabling filtering is generally not recommended because it may restrict the operation of essential services.
You can filter IP packets based on the following criteria:
TCP port number
UDP port number
IP protocol type (except for TCP, UDP, ICMP, IGMP or IPSec)
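The filter described above (permit all, or permit only the listed TCP ports, UDP ports and IP protocol numbers, with no effect on routed traffic) is simple enough to model, and the model makes the "evaluate the effect before enabling" advice concrete. The following is an added example, not code from the course module or from Windows 2000 itself. It assumes the filter is stateless, that is, it judges each inbound packet on its own, and it treats the protocols the text lists as exceptions (ICMP, IGMP and the IPSec protocols ESP and AH) as not governed by the IP protocol list. The sample traffic and the Web server policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IP protocol numbers used in this example.
ICMP, IGMP, TCP, UDP, ESP, AH = 1, 2, 6, 17, 50, 51

# The text says the IP protocol filter does not cover TCP, UDP, ICMP, IGMP or IPSec.
# TCP and UDP have their own port lists; the rest are modelled here as exempt
# (an assumption of this example about how the exception behaves).
PROTOCOL_FILTER_EXEMPT = {ICMP, IGMP, ESP, AH}


@dataclass
class FilterPolicy:
    """Per-host TCP/IP filter. Each field is None for 'permit all' or a set of
    permitted values for 'permit only those listed'."""
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None


@dataclass
class Packet:
    label: str
    protocol: int
    dst_port: Optional[int] = None
    forwarded: bool = False   # True when the host routes it between interfaces


def permitted(policy: FilterPolicy, pkt: Packet) -> bool:
    """Decide whether the host's filter delivers the packet to local services."""
    if pkt.forwarded:
        return True  # filtering does not apply to routed traffic
    if pkt.protocol == TCP:
        return policy.tcp_ports is None or pkt.dst_port in policy.tcp_ports
    if pkt.protocol == UDP:
        return policy.udp_ports is None or pkt.dst_port in policy.udp_ports
    if pkt.protocol in PROTOCOL_FILTER_EXEMPT:
        return True
    return policy.ip_protocols is None or pkt.protocol in policy.ip_protocols


# Constructed sample of traffic arriving at a dedicated Web server (not from the page).
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("http request", TCP, 80),
    Packet("https request", TCP, 443),
    Packet("rpc endpoint mapper probe", TCP, 135),
    Packet("netbios name query", UDP, 137),
    Packet("dns reply to the server's resolver", UDP, 49152),
    Packet("ping", ICMP),
    Packet("transit packet routed between interfaces", TCP, 135, forwarded=True),
]

# The default (permit all) beside a permit-list written for a Web server.
DEFAULT_POLICY = FilterPolicy()
WEB_SERVER_POLICY = FilterPolicy(tcp_ports={80, 443}, udp_ports=set(), ip_protocols=set())


def evaluate(policy: FilterPolicy,
             traffic: List[Packet] = SAMPLE_TRAFFIC) -> Tuple[List[str], List[str]]:
    """Return (permitted labels, dropped labels) so the effect of a filter can be
    reviewed before it is enabled, as the text advises."""
    allowed = [p.label for p in traffic if permitted(policy, p)]
    dropped = [p.label for p in traffic if not permitted(policy, p)]
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = evaluate(WEB_SERVER_POLICY)
    print("permitted:", allowed)
    print("dropped:", dropped)
```

The result for the Web server policy shows both sides of the trade-off the text describes: the probes to TCP 135 and UDP 137 are dropped, but so is the DNS reply addressed to the ephemeral port the server's own resolver opened, because a stateless permit-list on UDP ports has no way to recognise a reply to an outbound query. That is the kind of essential-service breakage the evaluation step is meant to catch; the fix is either to leave UDP at permit-all or to accept that the server resolves names some other way.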