Chapter 7 - Determining Network Connectivity Strategies

From the Windows 2000 Server Deployment Planning Guide, Published by Microsoft Press

Microsoft® Windows® 2000 Server has several new features that network administrators can use to enhance their new or existing network infrastructures. This chapter includes information about network connectivity issues, address allocation, TCP/IP, and other protocol issues. This information will help you determine the best network connectivity strategy for your organization.

To get the most from reading this chapter, some knowledge of Microsoft® Windows NT® and Windows NT networking is helpful. You also need to be familiar with fundamental and advanced networking concepts, such as TCP/IP addressing, routing protocols, and remote access.

Topics in this Chapter

  • Network Connectivity Overview
  • Windows 2000 TCP/IP
  • IP Routing Infrastructure
  • Windows 2000 DHCP
  • Windows 2000 Asynchronous Transfer Mode
  • Quality of Service
  • Planning Task List for Networking Strategies

Chapter Goals

This chapter will help you develop the following planning documents:

  • An evaluation of your current network, protocols, and routing infrastructure.
  • A network connectivity strategy.
  • A physical network design diagram.
  • A network protocol and routing infrastructure design.

Related Information in the Resource Kit

  • For more information about Windows 2000 TCP/IP, see the Microsoft® Windows® 2000 Server Resource Kit TCP/IP Core Networking Guide.
  • For more information about Windows 2000 Routing And Remote Access, see the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.
  • For more information about deploying security within a Windows 2000 infrastructure, see "Determining Windows 2000 Network Security Strategies" in this book.

Network Connectivity Overview

There are several things to consider when determining how to implement or upgrade your network to Windows 2000. If a network diagram that relates to your current network exists, then consult that diagram to determine where to strategically implement the new features of Windows 2000. As an example, you need to examine clients, servers, switches, and routers to see whether or not they currently use services such as Quality of Service (QoS), Asynchronous Transfer Mode (ATM), or routing protocols. Also examine and modify TCP/IP addressing schemes, if necessary, to take advantage of the new options in Windows 2000 Dynamic Host Configuration Protocol (DHCP).

If you have not done so already, create physical and logical diagrams that reflect your network needs. This is essential because the diagrams give an overall view of the infrastructure before any steps are taken to physically assemble the network. This allows the designer and administrator to work together to put network systems and devices in place. The following sections describe what you can include in the diagram.

Sites

Show a graphic depiction of where sites are located in the diagram. This helps when you determine wide-area and remote-site connectivity methods. You need to implement sites according to geographical boundaries, administrative boundaries, or both.

Remote Connectivity Methods

Include mediums for connecting remote sites to the central site in your diagram. This can include T1, E1, Frame Relay, Integrated Services Digital Network (ISDN), or plain old telephone service (POTS). You can also use the diagram to show the types of routers used to connect the sites to the wide-area backbone. These routers can be Windows 2000 routers or routers from various third-party vendors. Show methods for connecting remote users to sites, using technologies such as direct dial-up and virtual private networks (VPNs).

Internal Local Area Network Connectivity Within Sites

Create a graphical depiction of the internal networks of the sites in order to utilize the new features of Windows 2000 most efficiently. Include the following information:

Network medium Include the type of infrastructure you plan to use, such as 10 or 100BaseT connectivity, ATM, or gigabit Ethernet. If you plan to use ATM, determine which sections of the network will be directly connected to ATM, using IP over ATM or local area network emulation (LANE).

Routing and switching infrastructure Determine where you plan to place routers and switches. This is important to maintain network bandwidth and minimize bottlenecks. Also make sure that the routing and switching hardware you plan to use can support technologies such as QoS.

Protocols If you plan to use TCP/IP, show the IP addressing scheme for each subnet within the site. If you plan to use other protocols such as IPX, AppleTalk, or NetBIOS Enhanced User Interface (NetBEUI), show them also. Also consider including the routing protocols such as OSPF or RIP that you might use for connecting your networks. For more information about using TCP/IP, see "Windows 2000 TCP/IP" in the Microsoft Windows 2000 Core Networking Guide. Also see "Unicast IP Routing," "IPX Routing," and "Services for Macintosh" in the Microsoft Windows 2000 Server Internetworking Guide.

DNS and Active Directory structure Design the DNS and Active Directory structure for your network. Include a logical domain diagram with your network diagram that shows the domains and forests in your company. For more information about the Active Directory directory service, see "Designing the Active Directory Structure" in this book.

Server infrastructure Show placement of DNS, DHCP, and WINS servers in your diagram.

Remote connectivity methods Show how remote clients and remote networks will connect to the corporate network in your diagram.

The following sections discuss designing a network that best incorporates the features of Windows 2000 Server into your organization and outline steps for determining a network connectivity strategy.

Figure 7.1 illustrates the primary steps for determining your network connectivity strategy.

Figure 7.1 Process for Determining Network Connectivity Strategies

Designing a network for Windows 2000 consists of first designing many small parts of a network that form the overall infrastructure. The sections that follow describe the different aspects of a wide area network (WAN), along with some procedures and design considerations for each. The external, wide-area aspects of a corporate network infrastructure are covered, such as demilitarized zones (DMZs), site implementation, and remote access connectivity. The internal aspects of the network, such as protocols, security, and local area network (LAN) connectivity methods, are also examined.

External Connectivity Within an Organization

For remote users to gain access to the central site, you need to deploy a connectivity method that allows site-to-site and remote client connectivity. Your organization's central site needs to have a network that permits these other sites and remote clients to gain access to the central site's internal network structure. The following sections describe what you need to include in an external connectivity strategy.

Designing the Demilitarized Zone

An important part of a large corporate network is the DMZ. This section describes what a DMZ is used for, and later sections in this chapter give examples of how a DMZ is used.

A demilitarized zone (DMZ) is a network that permits controlled access from the Internet into a private network, while still maintaining the security of that network. The DMZ gives a business the ability to use the Internet as a cost-saving medium, while also allowing it to have a presence on the Internet. The DMZ saves money by utilizing the existing infrastructure of the Internet along with VPNs, thereby saving the wide-area connection costs of leasing communications lines. Essentially, the DMZ is a network that sits between a private network and the Internet.

The DMZ contains devices such as servers, routers, and switches that maintain security by preventing the internal network from being exposed on the Internet. The servers that reside within the DMZ usually consist of proxy server arrays, which the network uses to provide Web access for internal users; external Internet Information Services (IIS), which an organization can use to promote its presence on the Internet; and any VPN servers that are used to provide secure connections for remote clients. For more information about VPNs, see "VPN Security" and "L2TP over IPSec VPNs" later in this chapter.

An example of a DMZ is shown in Figure 7.2. The device on the edge of the DMZ is a router. Preferably, the speed of the connection exposed to the Internet is at least DS3, or 45 megabits per second (Mbps) for a large corporation. The connection between the router and the servers in the DMZ can be any high-speed LAN, but gigabit Ethernet or ATM are recommended if you expect heavy Internet traffic.

You can use a Windows 2000 Routing and Remote Access router on a DMZ interface for small- to medium-sized networks. You can enable packet filtering on the Internet interfaces to protect against unwanted traffic and provide security.

Site Connectivity for an Organization

Many large corporations have offices that are spread out in various geographical locations. These offices need a way to connect and remain connected to the main or central site. Different wide-area connection media are used in different parts of the world. Table 7.1 describes the various wide-area technologies and their uses.

Table 7.1 Wide-Area Technologies

  Wide-Area Technology
      Definition

  T1
      Transmits at a speed of 1.544 Mbps, and consists of 23 B channels, which are used for data, and one D channel, which is used for clocking. T1 can also be fractionalized into separate 64 kilobytes per second (Kbps) segments.

  E1
      Used primarily in Europe. Transmits at a speed of 2.048 Mbps.

  T3
      Transmits DS3 data at 44.736 Mbps.

  Frame Relay
      Packet-switched technology that is considered the replacement for X.25. Commonly runs at speeds up to T1.

  Digital Subscriber Line (DSL)
      DSL consists of asymmetric digital subscriber line (ADSL), high-data-rate digital subscriber line (HDSL), single-line digital subscriber line (SDSL), and very-high-data-rate digital subscriber line (VDSL).

Site connectivity can also rely on the use of dial-up mediums such as Integrated Services Digital Network (ISDN), or analog phone lines (POTS) for low traffic links or backup purposes. For instance, an organization might have a small site to which they normally connect by using a fractional T1 line, but in the event that their wide-area provider fails, they can use the POTS line as a backup.

Multiple sites within an organization are normally connected through routers. Windows 2000 Routing and Remote Access offers routing services that enable an organization to cost-effectively connect remote sites to the central corporate site. Sites can be connected through the Internet using VPNs, saving money for your organization. If you have a site that does not require a full-time connection to the central site, then you can implement a demand-dial router-to-router connection, saving wide-area connection costs.

Remote Client Connectivity

One of the things that makes an organization more effective is the ability of its users to access corporate resources, whether they are at home or traveling. Many corporations are starting to use a work-at-home strategy. This strategy allows employees to save the expense of commuting, while allowing the corporation the ability to cost-effectively manage office space as the number of employees grows. Another benefit of implementing remote client connectivity is the ability to permit traveling sales and technical people to dial in and retrieve files and e-mail.

In either case, users who are away from the office need to be able to connect to their mail and file servers, which are located within the corporate network infrastructure. The Windows 2000 Routing and Remote Access service allows this by being able to receive incoming remote access connections, and then routing the data to its intended destination. The Routing and Remote Access service can also be used to receive incoming VPN connections, providing a secure way to transfer data across the Internet. For more information about VPNs, see "VPN Security" and "L2TP over IPSec VPNs" later in this chapter.

Remote client access to a corporate infrastructure is not limited to just Internet Protocol (IP) clients. The Windows 2000 Routing and Remote Access service also permits other clients, such as Macintosh, UNIX, or NetWare clients, to use remote access through its multiprotocol functionality. The VPN protocols supported in Windows 2000, Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), also support multiprotocol connections across the Internet.

Windows 2000 TCP/IP

Networks in today's organizations require a protocol that rates high in performance and scalability, and places a high degree of importance on Internet interoperability. The TCP/IP protocol is an industry-standard suite of protocols that is the foundation for large-scale internetworks that span LAN and WAN networks, and is quickly becoming the leading protocol for both intranets and the Internet.

Windows 2000 TCP/IP is:

  • A networking protocol based on industry standards.
  • A routable networking protocol that supports connecting Windows-based servers and clients to LANs and WANs.
  • A scalable protocol for integrating Windows-based servers and workstations with heterogeneous systems.
  • A foundation for gaining access to global Internet services.

Microsoft TCP/IP provides basic and advanced features that enable a computer running Windows 2000 to connect and share information with computers running other operating systems such as UNIX.

New Features in the Windows 2000 TCP/IP Suite

The new Microsoft TCP/IP suite is designed to adjust itself for reliability and performance. The next four sections discuss the new features in the TCP/IP suite.

Automatic Private IP Addressing Configuration

Automatic Private IP Addressing (APIPA) configuration consists of automatically allocating a unique address in the range of 169.254.0.1 through 169.254.255.254, with a subnet mask of 255.255.0.0 when a DHCP server is not present. APIPA is used for single subnet networks such as SOHO networks that are too small to justify running a separate DHCP server.

For example, if you have a home office and need a way to distribute IP addresses to internal Windows 2000 servers and clients, all you need to do is to connect the systems together through a network medium, then each Windows 2000 computer self-assigns an address from the APIPA address range.

Large Window Support

Large receive window support increases the amount of data that can be buffered on a connection at one time, reducing network traffic and speeding up data transfer.

Note Large window support is not enabled by default. The window size defaults to about 16 kilobytes (KB), which is double the window size of Windows NT 4.0.

Selective Acknowledgment

Selective acknowledgments allow the receiver to inform the sender to retransmit only the data it has not received as opposed to entire blocks of data. This enables more efficient use of network bandwidth.

Improved Estimation of Round Trip Time

TCP uses round trip time (RTT) to estimate the amount of time that is needed for roundtrip communication between the sender and receiver. Windows 2000 TCP makes better estimates of RTT for setting transmission timers, which improves overall TCP performance. This improvement in TCP primarily helps in WANs that span very long distances, or over slow links such as satellite communication.

Planning Considerations for Microsoft TCP/IP

If your network does not already use TCP/IP, then you need to develop a comprehensive IP addressing plan for your network. When planning your IP infrastructure, include IP network IDs and subnet masks. Use the information in the following sections to create a workable plan.

IP Address Classes

Choosing which address class to use depends on whether your network is private or connected to the Internet. Network addressing is also determined by the size of your infrastructure, which directly relates to which address range to use. Consider the following when planning IP addresses for your network:

Physical Subnet and Host Inventory Count the subnets and hosts that you have in your current network and then determine how many you need for your new one by subnetting your IP address space. As you do this, plan ahead for at least five years of growth so that you do not run out of addresses or subnets prematurely. If your network is connected directly to the Internet, you will need an IP address range assigned to you from your Internet service provider. For more information about subnetting IP address spaces, see "Internet Protocol Security" in the Windows 2000 Server Resource Kit TCP/IP Core Networking Guide.

Note It is important to have only a few TCP/IP systems within your network that are directly connected to the Internet, such as the DMZ. The fewer systems that are accessible from the Internet, the safer your network is from attack.

Private Networks with or without Proxy Connection to the Internet For private TCP/IP networks that are not connected to the Internet, or are connected to the Internet through a proxy server, you can use any range of valid IP addresses from the Class A, B, or C address classes. It is recommended, however, that you use private addresses to prevent a renumbering of your internetwork when you eventually connect to the Internet. The private IP address space is defined as three sets of IP addresses set aside by the Internet Assigned Numbers Authority (IANA). The reserved IP ranges are:

  • 10.0.0.1/8 through 10.255.255.254/8
  • 172.16.0.1/12 through 172.31.255.254/12
  • 192.168.0.1/16 through 192.168.255.254/16

Note For more information about private addressing, see RFC 1918. The private network address range shown here uses network prefix notation, also known as Classless Interdomain Routing (CIDR) notation to define subnet masks.

Subnet Masks and Custom Subnetting

With public IP addresses in short supply, you can use customized subnet masks to implement IP subnetting. Custom subnetting is defined either as subnetting, Classless Interdomain Routing (CIDR), or variable length subnet mask (VLSM). With custom IP subnetting, you can go beyond the limitations of default subnet masks and use your IP address range more efficiently.

By customizing the subnet mask length, you can reduce the number of bits that are used for the actual host ID. In some cases, you can use default subnet masks for standard-size class A, B, and C networks. Default subnet masks are dotted decimal values that separate the network ID from the host ID of an IP address. For example, if you have a network segment and are using the class A IP address range starting at 10.0.0.0, the default subnet mask that you would use is 255.0.0.0. Typically, default values for subnet masks are acceptable for networks with no special requirements where each IP network segment corresponds to a single physical network.

Note To prevent addressing and routing problems, make sure all TCP/IP computers on any network segment use the same subnet mask.

You can also show subnet masks with your IP addresses by using network prefix notation. This option allows you to show a shortened version of the subnet mask while still maintaining its value. Table 7.2 describes this process. The leading 1 bits of each mask in Table 7.2 make up the network prefix; the prefix length is the count of those bits.

Table 7.2 Network Prefix Length Subnet Masking

  Address Class   Subnet Mask in Binary                  Network Prefix with Decimal Equivalent
  Class A         11111111 00000000 00000000 00000000    /8 = 255.0.0.0
  Class B         11111111 11111111 00000000 00000000    /16 = 255.255.0.0
  Class C         11111111 11111111 11111111 00000000    /24 = 255.255.255.0
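The address-planning rules in the APIPA, private-address, and subnet-mask sections above can be checked mechanically. The following Python script is an added example, not code from the Resource Kit or from Microsoft: it classifies an address as APIPA, RFC 1918 private, or public, derives the classful default mask of Table 7.2, converts between prefix length and dotted-decimal mask, sizes custom (VLSM) subnets with the chapter's growth margin in mind, and flags hosts on one segment whose mask differs from their neighbours' (the note above). All addresses and the host table in it are constructed sample data; the growth factor of 2.0 is this example's assumption, not a figure from the chapter.

```python
import math
from collections import Counter
import ipaddress

# Ranges the chapter names: the three RFC 1918 private blocks and the APIPA
# range that a Windows 2000 host self-assigns when no DHCP server answers.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def classify_address(addr: str) -> str:
    """Return 'apipa', 'private' or 'public' for a dotted-decimal IPv4 address.
    An APIPA address on a host that should hold a DHCP lease usually means the
    DHCP server was unreachable, so it is worth reporting separately."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA_RANGE:
        return "apipa"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def default_class_mask(addr: str) -> str:
    """Classful default mask from the first octet, as listed in Table 7.2."""
    first = int(addr.split(".")[0])
    if first < 128:        # leading bit 0   -> class A
        return "255.0.0.0"
    if first < 192:        # leading bits 10 -> class B
        return "255.255.0.0"
    if first < 224:        # leading bits 110 -> class C
        return "255.255.255.0"
    raise ValueError("class D/E addresses have no default host mask")


def prefix_to_mask(prefix_len: int) -> str:
    """Network-prefix (CIDR) length -> dotted-decimal mask, e.g. 16 -> 255.255.0.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> prefix length, e.g. 255.255.255.0 -> 24."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def plan_subnets(block: str, hosts_per_subnet: int, growth_factor: float = 2.0):
    """Custom (VLSM) subnetting: choose the longest prefix whose subnets still hold
    hosts_per_subnet * growth_factor hosts (plus network and broadcast addresses)
    and return (prefix_length, number_of_such_subnets) available in the block."""
    net = ipaddress.ip_network(block)
    needed = math.ceil(hosts_per_subnet * growth_factor) + 2
    host_bits = max(2, (needed - 1).bit_length())   # smallest power of two >= needed
    prefix = 32 - host_bits
    if prefix < net.prefixlen:
        raise ValueError("block too small for even one subnet of that size")
    return prefix, 2 ** (prefix - net.prefixlen)


def mask_mismatches(hosts: dict) -> list:
    """Given {ip: mask} for the hosts on one segment, return the IPs whose mask
    differs from the mask most hosts use (one segment, one mask)."""
    majority_mask = Counter(hosts.values()).most_common(1)[0][0]
    return sorted(ip for ip, mask in hosts.items() if mask != majority_mask)


if __name__ == "__main__":
    # Constructed sample data, not from any real network.
    for a in ("169.254.10.1", "172.31.255.254", "172.32.0.1"):
        print(a, classify_address(a), "default mask", default_class_mask(a))
    print("/12 =", prefix_to_mask(12), "| 255.255.255.0 = /", mask_to_prefix("255.255.255.0"))
    print("10.0.0.0/8 at 100 hosts/subnet ->", plan_subnets("10.0.0.0/8", 100))
    segment = {"10.1.0.5": "255.255.0.0", "10.1.0.6": "255.255.0.0", "10.1.0.7": "255.255.255.0"}
    print("mask mismatches:", mask_mismatches(segment))
```

plan_subnets deliberately rounds up to a power of two and adds the two unusable addresses per subnet, so the answer is the prefix you would actually configure; run it against today's host counts and the five-year growth estimate the chapter asks for.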

TCP/IP and Windows Internet Name Service

The Windows Internet Name Service (WINS) is a service that maps network basic input/output system (NetBIOS) names to IP addresses. In versions of Windows earlier than Windows 2000, WINS is used in conjunction with DHCP to register NetBIOS names and dynamically-assigned IP addresses with the WINS database. In this case, a DHCP-enabled host queries a DHCP server for an IP address, the DHCP server then allocates a WINS server to the DHCP client as a DHCP option. After the DHCP lease allocation process is complete, the NetBIOS name and its associated IP address are registered in the WINS database by the DHCP client.

Windows 2000 provides integration between DNS and WINS. If a Windows 2000 DNS server cannot resolve a fully qualified domain name (FQDN), it converts the FQDN to a NetBIOS name and queries a configured WINS server. The IP address returned by the WINS server is forwarded to the DNS client.

In Windows 2000, you do not need WINS and NetBIOS over TCP/IP if you are using only Windows 2000 servers and clients. If you use systems such as Windows NT version 3.5x, Windows NT 4.0, Windows 95, Windows 98, or Windows 3.x, WINS is still required because those operating systems use NetBIOS name resolution and NetBIOS sessions to create file and print sharing connections.

WINS Design Considerations

If NetBIOS name resolution is required, each site within a domain needs to have at least one WINS server. You can install the WINS server on the same system as the DNS server, or you can install it separately. You also need to install a backup WINS server elsewhere in the network. You can install the backup WINS server on the same system as a Windows 2000 domain controller, or you can install it separately.

Routing and Remote Access

Routing is the process of using addressing information present in a network packet to determine the path that packet should take to reach its destination. Routing is required when the source host and destination host are on different logical networks. Routing is required in larger network infrastructures because it is impractical to use one set of addresses for the entire network. This is because as networks increase in size, so does the addressing complexity. In addition, it is impractical to put all systems in a large network on the same logical network. This causes a large amount of network traffic.

You can segment a TCP/IP network by dividing the IP address range into subnets. Once the IP addresses are broken up, the newly formed subnets use routers to forward data from one subnet to another. You can also use routing to connect dissimilar networks such as Ethernet, ATM, and Token Ring.

Routing tables are used to keep track of routes from hosts that reside in one subnet to hosts that reside in another. As networks increase in size, so do the number of routers within the infrastructure and the size of routing tables. If administrators had to keep track of these routes, they would have to constantly monitor the network for routers that go offline or links that temporarily fail, then manually enter this information into routing tables. Routers use industry standard routing protocols to dynamically update routing tables as the network changes.
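To make the routing-table discussion above concrete, here is an added Python example (not code from the Resource Kit or from the Routing and Remote Access service) of the lookup a router performs: each destination is matched against every route and the most specific (longest prefix) one wins, a directly connected subnet is delivered without a next hop, a default route catches everything else, and withdrawing a route, as a dynamic routing protocol would when a link fails, makes traffic fall back to the next best match. The addresses, interface name and topology in sample_table are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple


class RoutingTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup.
    A route whose next hop is None is a directly connected subnet: the packet
    is delivered on the interface without passing through a router."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, Optional[str], str]] = []

    def add(self, network: str, next_hop: Optional[str], interface: str) -> None:
        self._routes.append((ipaddress.ip_network(network), next_hop, interface))

    def withdraw(self, network: str) -> None:
        """Remove a route, as happens when a routing protocol learns a link failed."""
        net = ipaddress.ip_network(network)
        self._routes = [r for r in self._routes if r[0] != net]

    def lookup(self, destination: str) -> Optional[Tuple[Optional[str], str]]:
        """Return (next_hop, interface) of the most specific matching route, or
        None when no route (not even a default route) covers the destination."""
        ip = ipaddress.ip_address(destination)
        best = None
        for net, hop, iface in self._routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop, iface)
        return None if best is None else (best[1], best[2])


def sample_table() -> RoutingTable:
    """Constructed example: a central-site router with one LAN, a remote site
    reached through a WAN router, a more specific route for one subnet of that
    site over a backup link, and a default route toward the DMZ router."""
    rt = RoutingTable()
    rt.add("10.1.0.0/16", None, "LAN")          # directly connected central LAN
    rt.add("10.2.0.0/16", "10.1.0.2", "LAN")    # remote site via the WAN router
    rt.add("10.2.5.0/24", "10.1.0.3", "LAN")    # one remote subnet via a backup link
    rt.add("0.0.0.0/0", "10.1.0.1", "LAN")      # default route to the DMZ router
    return rt


def describe(rt: RoutingTable, destination: str) -> str:
    """Human-readable forwarding decision for one destination."""
    route = rt.lookup(destination)
    if route is None:
        return f"{destination}: no route (drop)"
    hop, iface = route
    via = f"direct on {iface}" if hop is None else f"via {hop} on {iface}"
    return f"{destination}: {via}"


if __name__ == "__main__":
    rt = sample_table()
    for dst in ("10.1.0.50", "10.2.5.7", "10.2.9.1", "203.0.113.9"):
        print(describe(rt, dst))
    rt.withdraw("10.2.5.0/24")   # backup link lost: 10.2.5.x falls back to the /16 route
    print(describe(rt, "10.2.5.7"))
```

The same longest-prefix rule is why a more specific static route can silently override what a routing protocol advertises; when auditing a Windows 2000 router, compare the static entries against the dynamically learned ones for overlapping prefixes.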

Windows 2000 Server supplies businesses with LAN-to-LAN routing and offers an alternative to purchasing dedicated router hardware, by integrating the Routing and Remote Access service within Windows 2000 Server. This service supports the ability to dynamically route TCP/IP, Internetwork Packet Exchange (IPX), and AppleTalk traffic by utilizing built-in routing protocols. The Routing and Remote Access service can also provide remote office connectivity by supporting wide-area connections.

New Features of Windows 2000 Routing and Remote Access Service

This section discusses the new features of the Windows 2000 Routing and Remote Access service, which allows businesses and their associated remote access clients to send and receive data more securely by utilizing the Internet as a data path. Clients within the Windows 2000 network structure can enjoy the benefit of accessing multicast data from the Internet.

Table 7.3 describes the new features of Windows 2000 Routing and Remote Access.

Table 7.3 New Features of Windows 2000 Routing and Remote Access

  Feature
      Description

  Windows 2000 Active Directory Integration
      Permits browsing and managing Remote Access servers by using Active Directory–based tools such as the Routing and Remote Access administrative tool.

  Version 2 of Microsoft Challenge Handshake Authentication Protocol (CHAP)
      Strong security credential passing and encryption key generation. This protocol is designed specifically for authenticating VPN connections using the PPTP protocol.

  Extensible Authentication Protocol (EAP)
      Allows third-party authentication methods to plug in to the Windows 2000 point-to-point protocol (PPP) implementation. The built-in EAP/Transport Layer Security (TLS) method supports deployment of smart cards for secure authentication and strong encryption key generation.

  Bandwidth Allocation Protocol
      Allows a more efficient Multilink PPP connection by dynamically adding and dropping links to accommodate changes in traffic flow. This is useful for networks that carry charges based on bandwidth use. Useful with ISDN channels and similar communications technologies.

  Remote access policies
      Gives administrators the ability to control connections based on time of day, group membership, type of connection, and other criteria.

  Layer 2 Tunneling Protocol (L2TP)
      Provides client-to-gateway and gateway-to-gateway VPN connections, secured by Internet Protocol security (IPSec).

  IP multicast support
      Supports Internet Group Membership Protocol (IGMP) version 2 and acts as a multicast forwarding router, which allows the forwarding of IP multicast traffic between connected clients and the Internet or a corporate network.

  Network Address Translation (NAT)
      Provides a small to medium network with a single interface that connects to the Internet and provides IP address translation services between public and private IP addresses. Also provides IP address assignment and DNS proxy name resolution services to internal network clients.

  Internet Connection Sharing (ICS)
      Provides a small network with an easy to configure, but limited interface that connects SOHO clients to the Internet. ICS provides DNS name resolution, automatic address allocation, and a single IP address range for IP distribution.

Remote Access Policy

In Windows NT versions 3.5x and 4.0, remote access authorization was based on a simple Grant dial-in permission to user option in User Manager or the Remote Access Administration tool. Callback options were also configured on a per-user basis. In Windows 2000, authorization is granted based on the dial-up properties of a user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility when authorizing connection attempts. Windows 2000 Routing and Remote Access service and Windows 2000 Internet Authentication Service (IAS) both use remote access policies to determine whether to accept or reject connection attempts. In both cases, the remote access policies are stored locally. Policy is now dictated on a per-call basis.

With remote access policies, you can grant or deny authorization by time of day or day of the week, by the Windows 2000 group to which the remote access user belongs, by the type of connection being requested (dial-up networking or VPN connection), and so on. You can configure settings that limit the maximum session time, specify the authentication and encryption strengths, set Bandwidth Allocation Protocol (BAP) policies, and so on.

It is important to remember that with remote access policies, a connection is authorized only if the settings of the connection attempt match at least one of the remote access policies (subject to the conditions of the dial-up properties of the user account and the profile properties of the remote access policy). If the settings of the connection attempt do not match at least one of the remote access policies, the connection attempt is denied regardless of the dial-up properties of the user account.
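The evaluation order just described is easy to get wrong when reviewing a policy set, so here is an added Python model of it (an illustration written for this page, not code from the Routing and Remote Access service or IAS). Policies are tried in order; the first whose conditions (group, connection type, weekday, hour of day) all match decides together with the account's dial-in property, and an attempt that matches no policy is rejected even when the account says "allow". The users, groups, policies and timestamps are constructed; the third dial-in setting, "policy" (let the matching policy decide), is this example's assumption about how to model the account property, and the profile constraints the chapter mentions (maximum session time, encryption strength) are left out to keep the decision logic visible.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple


@dataclass
class Attempt:
    """A connection attempt as the remote access server sees it (constructed)."""
    user: str
    groups: Set[str]
    connection_type: str      # "dialup" or "vpn"
    when: datetime


@dataclass
class Policy:
    """One remote access policy: a set of conditions plus a grant/deny decision.
    A condition left as None means 'any value matches'."""
    name: str
    groups: Optional[Set[str]] = None
    connection_types: Optional[Set[str]] = None
    weekdays: Optional[Set[int]] = None          # 0 = Monday ... 6 = Sunday
    hours: Optional[Tuple[int, int]] = None      # [start, end) hour of day
    grant: bool = True

    def matches(self, a: Attempt) -> bool:
        if self.groups is not None and not (a.groups & self.groups):
            return False
        if self.connection_types is not None and a.connection_type not in self.connection_types:
            return False
        if self.weekdays is not None and a.when.weekday() not in self.weekdays:
            return False
        if self.hours is not None and not (self.hours[0] <= a.when.hour < self.hours[1]):
            return False
        return True


def authorize(a: Attempt, dialin: str, policies: List[Policy]) -> Tuple[bool, str]:
    """dialin is the account's dial-in property: 'allow', 'deny', or 'policy'
    (the last, meaning 'let the matching policy decide', is this example's
    assumption). The first policy whose conditions all match decides; when no
    policy matches, the attempt is rejected whatever the account property says."""
    for p in policies:
        if p.matches(a):
            if dialin == "deny":
                return False, f"account dial-in denied (matched '{p.name}')"
            if dialin == "allow":
                return True, f"account dial-in allowed (matched '{p.name}')"
            return p.grant, f"policy '{p.name}' {'grants' if p.grant else 'denies'}"
    return False, "no remote access policy matched: rejected"


def sample_policies() -> List[Policy]:
    """Constructed policy set: staff may use VPN during business hours on
    weekdays; administrators may connect any way at any time."""
    return [
        Policy("Staff VPN, business hours", groups={"Staff"},
               connection_types={"vpn"}, weekdays={0, 1, 2, 3, 4}, hours=(8, 18)),
        Policy("Admins any time", groups={"Admins"}),
    ]


if __name__ == "__main__":
    pols = sample_policies()
    tue = datetime(2024, 6, 11, 10, 0)   # a Tuesday morning
    sat = datetime(2024, 6, 15, 10, 0)   # a Saturday morning
    for a, dialin in (
        (Attempt("alice", {"Staff"}, "vpn", tue), "policy"),
        (Attempt("alice", {"Staff"}, "vpn", sat), "allow"),    # no match beats 'allow'
        (Attempt("alice", {"Staff"}, "dialup", tue), "allow"),
        (Attempt("alice", {"Staff"}, "vpn", tue), "deny"),
        (Attempt("carol", {"Contractors"}, "vpn", tue), "allow"),
    ):
        print(a.user, a.connection_type, a.when.strftime("%a %H:%M"), dialin, "->", authorize(a, dialin, pols))
```

Because the first matching policy wins, the order of the list is part of the access decision: a broad policy placed above a narrow one makes the narrow one unreachable, which is worth checking whenever a policy is added.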

Remote Access Design Considerations

The following are some considerations when designing remote access schemes:

  • If you have installed a DHCP server, configure the Routing and Remote Access server to use DHCP to obtain IP addresses for remote access clients.
  • If you do not have a DHCP server installed, configure the Routing and Remote Access server with a static IP address pool, which is a subset of addresses from the subnet to which the remote access server is attached.
  • If configuring IPX, configure the remote access server to automatically allocate the same IPX network ID to all remote access clients.

VPN Security

Network security is a concern for most organizations, and two protocols that Windows 2000 networks use to ensure secure communications across the Internet are the Point-to-Point Tunneling Protocol (PPTP) and the L2TP, which is used in conjunction with Internet Protocol security (IPSec). Microsoft TCP/IP, PPTP, and L2TP/IPSec provide the highest levels of security, protecting paths between hosts and gateways.

Benefits of Virtual Private Networking

The following list contains reasons why it is beneficial to use VPN connections instead of long distance direct-dial connections.

Reduced Cost Overhead One of the major concerns of a large organization is cost overhead, and phone costs are one of the largest expenses a company has. Using the Internet as a connection medium instead of a long distance telephone service saves the company phone expenses and requires less hardware. For example, the client only needs to call the local ISP; L2TP and IPSec then allow users to obtain secure connections to Internet-attached Windows 2000 VPN servers running the Routing and Remote Access service.

Reduced Management Overhead Because the local phone company owns and manages the phone lines that support your VPN connections, there is less management for network administrators.

Added Security Windows 2000 uses standard, interoperable authentication and encryption protocols that allow data to be hidden from the unsecured environment of the Internet, but remain accessible to corporate users through a VPN. Also, if the VPN tunnel is encrypted with IPSec, the Internet only sees the external IP addresses while the internal addresses are protected. In other words, it is extremely difficult for a hacker to interpret the data sent across a VPN tunnel.

Point-to-Point Tunneling Protocol VPNs

PPTP is an excellent solution to the tunneling needs of clients. It is relatively simple to set up compared to L2TP/IPSec, and it provides adequate security when used with user name and strong password authentication; because its encryption keys are derived from the user's password-based credentials, a weak password weakens the encryption as well. PPTP is a published protocol (RFC 2637) that was first supported in Windows NT 4.0. It uses the authentication, compression, and encryption of PPP. PPTP is still in wide use on networks today. Because L2TP with IPSec can provide better security, this chapter discusses L2TP and IPSec encryption in more depth.

L2TP over IPSec VPNs

L2TP over IPSec VPNs enable a business to transport data over the Internet, while still maintaining a high level of security to protect data. You can use this type of secure connection for small or remote office clients that need access to the corporate network. You can also use L2TP over IPSec VPNs for routers at remote sites by using the local ISP and creating a demand-dial connection into corporate headquarters.

When you are deciding where and how to design L2TP over IPSec connections, remember that the Internet access point or DMZ of the network is where the VPN server will reside. The VPN server is responsible for enforcing user access policy decisions that might be configured on the user account in the Windows 2000 domain controller, in remote access policy and dial-up user profiles on the VPN server, or in the IAS.

L2TP creates the necessary IPSec security policy to secure tunnel traffic. You do not need to assign or activate your own IPSec policy on either computer. If the computer already has an IPSec policy active, the L2TP will simply add a security rule to protect L2TP tunnel traffic to the existing policy.

L2TP Deployment Considerations

For an L2TP over IPSec connection to occur, you need to install computer certificates on the VPN client and VPN server computers. After a client requests a VPN connection, VPN access is granted through the combination of the dial-up properties on the user account and remote access policies. In Windows NT 4.0, the administrator only needed to select Grant dial-in permission to user on the dial-up properties in User Manager or User Manager for Domains to allow remote access use.

In Windows 2000, the administrator can permit or deny remote access to the corporate network using remote access policies on the VPN server and in IAS, allowing you to better define security settings. With remote access policies, a connection is accepted only if its settings match at least one of the remote access policies. If it does not match, the connection is denied.

For deployment of large remote access VPNs, you can use the Connection Manager and the Connection Manager Administration Kit to provide a custom dialer with preconfigured VPN connections to all remote access clients across your organization. These tools produce a one-click dial-up and VPN connection for users, combining what would normally be two or three steps into one.

L2TP Examples

Following are a few situations where you can use L2TP:

Persistent Connection Router-to-Router VPN A router-to-router VPN is typically used to connect remote offices when both routers are connected to the Internet through permanent WAN links such as T1, T3, Frame-Relay, and cable modems. In this type of configuration, you only need to configure a single demand-dial interface at each router. Permanent connections can be initiated and left in a connected state 24 hours a day. Figure 7.2 depicts a router-to-router VPN.

Figure 7.2 Router-to-Router VPN

On-demand Router-to-Router VPN When a permanent WAN link is not possible or practical because of location or cost, you can configure an on-demand router-to-router VPN connection. This requires you to permanently connect the answering router to the Internet. The calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN. Then, you only need to configure a single demand-dial interface at the answering router.

VPN Security with IPSec

IPSec needs to be deployed on the VPN server that is located in the corporate DMZ. The design shown in Figure 7.3 combines the VPN server with a multiprotocol remote access server. This combination is an effective way to keep the remote access part of the network together for easier manageability and security. When a client connects to the corporate network through an L2TP/IPSec tunnel, the client and the remote access server on which IPSec is installed negotiate the IPSec security association that protects the L2TP traffic; L2TP adds the required IPSec rule on the client automatically, and the tunnel is then set up as the client requested.

Figure 7.3 Routing and Remote Access Client Connection Through an L2TP/IPSec Tunnel

In this example, the VPN server has three interfaces: one in the DMZ, a second in the internal network connected to a router, and a third remote access interface. The least secure interface is the one in the DMZ. The DMZ is, as stated earlier, the area where traffic from the Internet enters before reaching the internal, private network, and it must contain all of the servers that have a presence on the Internet.

The Windows 2000 implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group.

Data encryption allows businesses to use the Internet as a secure, cost-effective way of getting information from a remote site or user to the corporate infrastructure. This strategy is cost effective because you use the already existing medium of the Internet. The security comes from IPSec.

On the Internet, L2TP puts the data into a tunnel, and IPSec provides security for the tunnel itself to keep the data safe, but what about the exposed interface itself?

You can protect the Internet-exposed interface on the VPN server from hackers in the following ways:

  • When you initially set up the VPN server, ensure that no routing protocol runs on the interface that is in the DMZ. Instead, point that interface into the private corporate network through a set of summarized static routes, so that internal routing information is never announced toward the Internet.
  • Run a routing protocol only on the interface that is on the private network.
  • Use Routing and Remote Access packet filters (not IPSec filtering) on the Internet interface. Set input and output permit filters for L2TP, which uses User Datagram Protocol (UDP) source port "Any" and destination port 1701, and for the Internet Key Exchange (IKE) protocol, which uses UDP source port "Any" and destination port 500. Because Routing and Remote Access permit filters drop everything that does not match, this prohibits all traffic except L2TP over IPSec. Then configure packet filtering in the remote access policy profile for user groups, permitting or denying particular types of IP traffic. The Routing and Remote Access setup wizard configures these interface filters for you; no manual configuration is required for them.
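The permit-filter semantics just described are easy to get wrong (a missing filter pair, or a protocol mismatch, is invisible until something either leaks through or stops working). The following added example, which is not code from the Deployment Planning Guide, models the Internet-interface input filters exactly as the text lists them and evaluates a set of constructed probe packets against them. The VPN server address, the probe addresses (from the documentation ranges), and the probe names are assumptions.

```python
"""Model of the Routing and Remote Access packet filters described above
for the Internet-facing interface of an L2TP/IPSec VPN server.

Added example, not code from the Deployment Planning Guide. It reproduces
only the filter semantics the text states (input permit filters for UDP
destination 1701 and UDP destination 500, everything else dropped); the
packets below are constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

UDP, TCP, ICMP = 17, 6, 1


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for protocols without ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class PermitFilter:
    """One RRAS permit filter. A port of None stands for 'Any'."""
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port))


# The two input filters the text calls for. The output direction carries the
# same pair with the well-known ports on the source side.
INTERNET_INPUT_FILTERS: Sequence[PermitFilter] = (
    PermitFilter(UDP, None, 1701),  # L2TP: any source port, destination 1701
    PermitFilter(UDP, None, 500),   # IKE:  any source port, destination 500
)


def filter_action(filters: Sequence[PermitFilter], p: Packet) -> str:
    """RRAS permit-list semantics: once any permit filter exists on an
    interface, a packet that matches none of them is dropped. With no
    filter list at all, the interface is wide open."""
    if not filters:
        return "permit"
    return "permit" if any(f.matches(p) for f in filters) else "drop"


# Constructed probe traffic arriving on the DMZ interface. 203.0.113.10 is an
# assumed public address for the VPN server; sources are documentation ranges.
VPN_SERVER = "203.0.113.10"
PROBES: Dict[str, Packet] = {
    "l2tp":       Packet(UDP, "198.51.100.7", VPN_SERVER, 1701, 1701),
    "ike":        Packet(UDP, "198.51.100.7", VPN_SERVER, 500, 500),
    "ike_hiport": Packet(UDP, "198.51.100.7", VPN_SERVER, 61000, 500),
    "smb":        Packet(TCP, "198.51.100.9", VPN_SERVER, 3177, 445),
    "tcp_1701":   Packet(TCP, "198.51.100.9", VPN_SERVER, 3178, 1701),
    "dns":        Packet(UDP, "198.51.100.9", VPN_SERVER, 1701, 53),
    "ping":       Packet(ICMP, "198.51.100.9", VPN_SERVER),
}


def audit(filters: Sequence[PermitFilter] = INTERNET_INPUT_FILTERS,
          probes: Dict[str, Packet] = PROBES) -> Dict[str, str]:
    """Evaluate every probe against the filter list. Useful as a regression
    check after editing filters: an accidentally emptied list shows up as
    every probe passing."""
    return {name: filter_action(filters, p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{name:11} {action}")
```

Note that the "dns" probe uses source port 1701 and is still dropped: the filter keys on the destination port, so a remote host cannot satisfy it by choosing its own source port. Run `audit(())` to see the opposite failure mode, where an interface with no filter list passes everything.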

For L2TP over IPSec connections, the IPSec security negotiation (IKE) uses certificate-based authentication for the computers themselves. L2TP performs user authentication by using either a domain\userid and password, or by using a smart card, certificate, or token card with the Extensible Authentication Protocol (EAP). For more information about overriding this default behavior and using preshared key authentication, see "Virtual Private Networking" in the Microsoft Windows 2000 Server Internetworking Guide.

IPSec requires that you establish the trust relationship using certificates issued to each computer. For example, a salesperson from domain.com has regular sales transactions with reskit.com. In order to expedite the process of ordering, the salesperson dials in on a weekly basis to download the product order form from the Reskit supply department.

To ensure that all of the transactions are secure from competitors of domain.com, the salesperson dials in to reskit.com through an ISP using an L2TP over IPSec VPN. Both the remote client and the VPN server need to have a certificate issued to them, and each must be able to trust the other's certificate. The salesperson's computer needs a computer certificate installed to negotiate a trust relationship with the reskit.com VPN server. Typically, the salesperson's computer received a certificate from a Windows 2000 certificate server when the computer was joined to domain.com: the computer received a Group Policy setting, called a certificate auto-enrollment policy, containing instructions for enrolling with the domain.com certificate server. The public key infrastructure (PKI) certificate policy also specified that the client trusts the certification authority that issued the VPN server its certificate, probably the reskit.com certificate server. The VPN server, in turn, is configured to trust the domain.com certificate server, so it accepts the certificate that the client presents.

After the IPSec security association for L2TP is established, the dial-in properties of the salesperson's user account and the remote access policies are checked; the account's dial-in property is what enables remote access for that user in the domain. You can control user access in more detail by using the Internet Authentication Service (IAS), a server that communicates access policy using the Remote Authentication Dial-In User Service (RADIUS) protocol.

You can also use IPSec to ensure that only certain computers with the proper certificates and credentials can connect to other computers. Windows 2000 user IDs and groups specified in access control lists (ACLs) control who can access specific shares.

Note You can also use IPSec inside a corporate network to encrypt data from client to client, or from client to server.

For more information about IPSec, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.

Internet Authentication Service and Centralized Management

In large corporate networks, managing policies on more than one remote access server can be task intensive. IAS can assist network administrators in managing geographically dispersed remote access servers from a central location.

IAS provides:

Centralized user authentication IAS supports the ability to centrally manage user policy by authenticating users who are in Windows NT 4.0 and Windows 2000 domains. For authenticating users, IAS supports a variety of authentication protocols. They are:

  • Password Authentication Protocol (PAP), which sends the password in the clear and should be avoided where any other option is available
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Extensible Authentication Protocol (EAP), which carries smart card, certificate, and token card methods

Outsourcing remote access This allows you to use a local ISP's network to allow employees to connect to the corporate network through a VPN tunnel. IAS allows you to track expenses and users who connect to the ISP, which then permits you to pay the ISP for the services used. This approach results in monetary savings for the organization.

Centralized administration of remote access servers IAS enables network administrators to configure remote access policies in one place, on the IAS server; the remote access servers act as RADIUS clients that forward their authentication and accounting requests to IAS, where the policies are evaluated.

Scalability Small- and medium-sized networks in large corporations and ISPs can use IAS.

Remote monitoring A network administrator can monitor IAS servers from anywhere on the network by using Event Viewer or Network Monitor, or by installing the Simple Network Management Protocol (SNMP) service.

Import/Export IAS configuration A network administrator can import or export the IAS configuration by using a command-line utility. For more information about IAS, see "Internet Authentication Service" in the Microsoft Windows 2000 Server Internetworking Guide.
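The authentication protocols listed under centralized user authentication differ mainly in what crosses the link. The following added example, which is not code from the guide or from IAS, implements the CHAP exchange as RFC 1994 defines it (Response = MD5(Identifier || secret || Challenge)) on the authenticator side, the role IAS plays when a remote access server forwards the exchange over RADIUS, and shows why a captured response cannot be replayed. The user name, secret, and challenge values are constructed for the example.

```python
"""CHAP (RFC 1994) challenge/response as carried by PPP and verified by
IAS when a remote access server forwards the exchange over RADIUS.

Added example, not code from the guide or from IAS; user names, secrets
and challenges are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side. CHAP needs the plaintext-equivalent secret at the
    server, which is why the account store feeding IAS must be protected;
    PAP, by contrast, sends the password itself across the link."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets
        self._outstanding: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, user: str) -> Tuple[int, bytes]:
        """Fresh identifier and unpredictable challenge for every attempt."""
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self._outstanding[user] = (identifier, chal)
        return identifier, chal

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """One-shot: the outstanding challenge is discarded whether or not
        the response verifies, so a captured response cannot be replayed."""
        pending = self._outstanding.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def run_demo() -> Tuple[bool, bool, bool]:
    """Returns (legitimate login, wrong secret, replay of a captured response)."""
    auth = ChapAuthenticator({"alice": b"correct horse battery"})

    # 1. Legitimate login: the client proves knowledge of the secret.
    ident, chal = auth.challenge("alice")
    ok = auth.verify("alice", ident, chap_response(ident, b"correct horse battery", chal))

    # 2. Wrong secret: the digest does not match.
    ident, chal = auth.challenge("alice")
    wrong = auth.verify("alice", ident, chap_response(ident, b"guess", chal))

    # 3. Replay: an eavesdropper captures a valid response off the link and
    #    presents it later; the server has issued a new challenge by then.
    ident, chal = auth.challenge("alice")
    captured = chap_response(ident, b"correct horse battery", chal)
    auth.verify("alice", ident, captured)  # consumed by the real login
    ident2, _ = auth.challenge("alice")
    replayed = auth.verify("alice", ident2, captured)
    return ok, wrong, replayed


if __name__ == "__main__":
    print(run_demo())
```

CHAP protects the secret on the wire, but the authenticator still needs a reversible copy of it, and an attacker who captures challenge/response pairs can run an offline dictionary attack against them; that is why the EAP methods (smart card or certificate) listed above are preferred for VPN access where they can be deployed.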

Multihoming

A computer that is configured with more than one IP address is referred to as a multihomed system. You can implement a multihomed system in several ways, depending on your needs. You can multihome DHCP servers to provide service to more than one subnet. DNS can also benefit from multihoming because the DNS service can be enabled on individual interfaces and can be bound only to IP addresses that are specified. By default, DNS binds to all individual interfaces configured on the computer.

Multihoming is supported in several different ways:

  • Multiple IP addresses for each network adapter
  • Multiple network adapters

IP Routing Infrastructure

In order for users and administrators to fully utilize the features of Windows 2000 Server as a router, you need to analyze the network structure and make decisions about what type of routing infrastructure best meets your organization's needs. Table 7.4 describes the various types of routing configurations and their uses.

Table 7.4 Routing Configurations

  Routing Configuration                                    Description
  Static Routed Internetwork                               Uses manually added routes to route network traffic.
  Routing Information Protocol (RIP)-for-IP Internetwork   Uses RIP for IP to dynamically communicate routing information between routers.
  Open Shortest Path First (OSPF) Internetwork             Uses the OSPF routing protocol to dynamically communicate routing information between routers.

Static Routed Networks

A static routed IP internetwork does not use routing protocols such as RIP-for-IP or OSPF to communicate routing information between routers. All of the routing information is stored in a routing table on each router. If you decide to implement static routing, ensure that each router has the appropriate routes in its routing table so that traffic can be exchanged between any two endpoints on the IP internetwork.

You can use the network diagram described at the beginning of this chapter to document any static routes in a network infrastructure, and it is an ideal way to keep the routes organized for future reference. Static routes can be entered into the routing table in a Windows 2000 router by using the Routing and Remote Access management console. For more information about adding static routes, see "Unicast IP Routing" in the Microsoft Windows 2000 Server Internetworking Guide.

Before you can use this routing service, you need to configure and enable it from within the management console. For more information about starting and configuring the Windows 2000 Routing and Remote Access service, see Windows 2000 Server online Help. For more information about installing and upgrading Windows 2000 member servers, see "Upgrading and Installing Member Servers" in this book.

You can implement static routes in small networks that require little administration and are not subject to a lot of growth over time, such as a small business with fewer than 10 network segments. However, because they require some administration, you might consider them impractical, especially with the ability of the Windows 2000 Routing and Remote Access service to dynamically build routing information tables for small to large networks using Open Shortest Path First (OSPF) or RIP for IP.

RIP-for-IP Network Design

RIP for IP is a distance-vector routing protocol that dynamically communicates routing information between neighboring routers, automatically adding and removing routes as needed. RIP has a maximum usable metric of 15 hops; a route with a metric of 16 or greater is considered unreachable. RIP networks are best implemented in small to medium infrastructures such as medium-sized businesses or branch offices.

Other caveats for using RIP for IP in your network include:

  • RIP for IP uses hop count as the metric for the best route. For example, if a site has a T1 link and a satellite backup link, and the costs associated with both of the links are identical, then RIP for IP is free to select either link. To prevent this problem, you can configure the slow link (the satellite) with a cost of two, which forces the router to select the T1 link as the primary link.
  • Bandwidth consumption is another consideration because RIP routers announce their lists of reachable networks every 30 seconds. Depending on the size of the network, these announcements can use up expensive WAN bandwidth. Also, as network size increases, the possibility of bottlenecks increases. You can use autostatic RIP updates to reduce bandwidth used by the routing protocol.

Windows 2000 Routing and Remote Access service supports versions 1 and 2 of RIP for IP. RIP version 1 is designed for classful environments and does not announce the subnet mask for each route. If there are routers in your network that only support RIP version 1, and you want to use classless interdomain routing (CIDR) or Variable Length Subnet Mask (VLSM), then upgrade the routers to support RIP version 2, or skip RIP altogether and use OSPF.
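The following added example, which is not code from the guide, works through the three RIP behaviors discussed above in a small distance-vector model: how a received announcement is merged into the table, how giving the satellite interface a cost of two makes the T1 win regardless of which update arrives first, where the 16-hop limit cuts off reachability, and which mask a RIP version 1 receiver infers when no mask is announced. The branch topology, neighbor names, and prefixes are constructed.

```python
"""RIP for IP route selection: distance-vector updates with the 16-hop
'infinity', the per-interface cost the text suggests for a slow backup
link, and the classful mask that RIP version 1 announcements imply.

Added example, not code from the guide; the two-link branch topology and
the addresses are constructed."""
from typing import Dict, Optional, Tuple

INFINITY = 16  # RIP metric 16 means unreachable

Route = Tuple[int, str]  # (metric, next hop)


def rip_update(table: Dict[str, Route], neighbor: str, link_cost: int,
               advertised: Dict[str, int]) -> Dict[str, Route]:
    """Apply one RIP response received from `neighbor` over an interface
    whose cost is `link_cost` (1 by default; 2 for the satellite link in
    the text's example). Returns the updated table."""
    new = dict(table)
    for dest, metric in advertised.items():
        total = min(metric + link_cost, INFINITY)
        current = new.get(dest)
        if current is not None and current[1] == neighbor:
            # An update from the current next hop always replaces the entry,
            # including a poisoned metric of 16 that withdraws the route.
            if total >= INFINITY:
                del new[dest]
            else:
                new[dest] = (total, neighbor)
        elif total < INFINITY and (current is None or total < current[0]):
            new[dest] = (total, neighbor)  # strictly better wins; a tie keeps the old route
    return new


def primary_next_hop(satellite_cost: int) -> Optional[str]:
    """Branch router with a T1 and a satellite link to headquarters. Both
    HQ routers advertise the HQ network at metric 1, and the satellite
    update happens to arrive first."""
    hq_net = "172.16.0.0/16"
    table: Dict[str, Route] = {}
    table = rip_update(table, "hq-satellite", satellite_cost, {hq_net: 1})
    table = rip_update(table, "hq-t1", 1, {hq_net: 1})
    return table.get(hq_net, (INFINITY, None))[1]


def reachable_at(hops_away: int) -> bool:
    """A destination our neighbor advertises at `hops_away - 1` is
    `hops_away` hops from us once the link cost of 1 is added."""
    table = rip_update({}, "next-router", 1, {"10.99.0.0/16": hops_away - 1})
    return "10.99.0.0/16" in table


def classful_prefixlen(network_address: str) -> int:
    """Mask a RIP version 1 receiver assumes, because v1 carries none."""
    first = int(network_address.split(".")[0])
    if first < 128:
        return 8   # class A
    if first < 192:
        return 16  # class B
    return 24      # class C


if __name__ == "__main__":
    print("equal costs, satellite first:", primary_next_hop(1))
    print("satellite cost 2:            ", primary_next_hop(2))
    print("15 hops reachable:", reachable_at(15), "16 hops:", reachable_at(16))
    print("RIPv1 mask for 172.16.4.0:", classful_prefixlen("172.16.4.0"))
```

With equal costs the table keeps whichever update came first, which is the ambiguity the text describes; with the satellite at cost 2 the T1 route is strictly better and is chosen deterministically. The last function shows why the 172.16.4.0/22 subnets in Table 7.5 cannot be announced correctly by RIP version 1: the receiver assumes /16 and the four /22 subnets collapse into one route.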

You can implement RIP for IP using the following steps:

  1. Consult your network diagram to find out where the RIP routers are going to be placed. If you do not have a current diagram, consider designing one before you start. Consider putting routers on a high-bandwidth network in order to keep bottlenecks to a minimum.
  2. Determine which IP address scheme is going to be used. Write down which addresses will be used for routers, which for servers, and which for clients. For example, if you use the private address range 172.16.0.0/16 divided into /22 subnets, you can follow the format shown in Table 7.5.

    Table 7.5 IP Address Schemes

    Host                                                 Address
    Interface on Router1 on the 172.16.4.0/22 network    172.16.4.1
    Interface on Router2 on the 172.16.8.0/22 network    172.16.8.1
    Domain controller on the 172.16.4.0/22 network       172.16.4.10
    Domain controller on the 172.16.8.0/22 network       172.16.8.10
    Client on the 172.16.4.0/22 network                  172.16.4.20
    Client on the 172.16.8.0/22 network                  172.16.8.20

  3. Next, decide which RIP version is going to be used on each interface. If you are setting up a new network, consider using only RIP version 2, because this version supports CIDR and VLSM. If you have an existing network that uses RIP version 1, consider upgrading to RIP version 2.

OSPF Network Design

RIP for IP is an easy way to integrate a routing protocol into your small- to medium-sized network environment. But, if you have a larger network implemented, RIP for IP might not be sufficient. Another routing protocol that is supported by Windows 2000 Routing and Remote Access is called Open Shortest Path First (OSPF). An OSPF network is best suited for a large infrastructure with more than 50 networks.

OSPF is a link-state routing protocol that calculates routing table entries by constructing a shortest-path tree. It is more efficient than RIP and does not have RIP's 16-hop limit, beyond which destinations are treated as unreachable and traffic to them is dropped. An OSPF path can have an accumulated cost of up to 65,535, which lets you construct very large networks (within the maximum IP Time-To-Live value of 255 hops) and assign a wide range of costs. OSPF also supports point-to-point dedicated connections, broadcast networks such as Ethernet, and nonbroadcast networks such as frame relay. One disadvantage of OSPF is that it is more complex to configure than other routing protocols, such as RIP.

You can structure these networks hierarchically. The sections that follow describe OSPF in more detail.

Autonomous Systems

An autonomous system (AS) is a collection of networks that share a common administrative authority. The following guidelines are recommended when designing an OSPF AS:

  • Subdivide the AS into OSPF areas.

    Partition an AS into areas so that OSPF can control traffic to maximize its ability to pass only intra-area traffic, keeping communication to other areas within the AS to a minimum.

  • Designate the backbone area as a high-bandwidth network.

    Create a backbone that is capable of maintaining high capacity to help keep inter-area bottlenecks to a minimum.

  • Ensure that all inter-area traffic traverses the backbone. Avoid creating virtual links that connect new or changing areas to the backbone.

Figure 7.4 depicts an AS.

Figure 7.4 An Autonomous System

OSPF Area Design

OSPF areas are subdivisions of an OSPF AS that contain a contiguous collection of subnets. Areas are administrative boundaries that you can use to separate sites, domains, or groups. Within these areas are networks, which, when joined together through a backbone, form an AS.

In an internal network, configure these areas so that inter-area communication is kept to a minimum. This could include DNS name resolution traffic and Active Directory replication traffic.

One way that traffic leaves and enters an OSPF area is through a router called an area border router (ABR). This router is connected to the backbone, called Area 0.0.0.0, which in turn connects the OSPF areas together. ABRs typically have an interface on a backbone area network. However, there are situations where the ABR cannot be physically connected to a backbone network segment. If this happens, you can connect the new OSPF areas to the backbone through a virtual link. Even though this method works, it is not recommended because it is complicated to set up and error-prone. Figure 7.5 shows the backbone, the areas, and a virtual link.

Figure 7.5 An OSPF Area Design

To design an OSPF area, follow these guidelines:

  • Assign IP addresses in a contiguous manner, allowing them to be summarized. Route summarization is the act of condensing ranges of IP addresses. Ideally, the ABR for an area would summarize all of its network IP addresses into one. This approach condenses routing information, reducing the workload on the ABRs and the number of OSPF routing table entries.

  • Create stub areas whenever possible. Keep the following in mind:

    • Stub areas can be configured so that all external routes and routes for destinations outside the OSPF AS are summarized by a single static default route.
    • Any routes that are external to the AS (external routes) cannot be carried by a stub area, including routes that use other routing protocols. This means that stub areas cannot use AS boundary routers (ASBRs).

  • Avoid creating virtual links. Virtual links are used to connect new areas in an AS to the backbone. Virtual links can cause routing and other problems, and can be difficult to configure. Always make an effort to connect new areas in your AS directly to the backbone. Ensure this by planning ahead before your AS is implemented.
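Route summarization appears twice in this chapter: the summarized static routes recommended for the VPN server's inside path in "VPN Security with IPSec", and the ABR summarization in the area guidelines just above. The following added example, which is not code from the guide, serves both. It computes the exact summaries for a set of internal subnets, shows how much address space a single "summarize into one" prefix would claim beyond what is allocated, and builds a longest-prefix-match table of the kind a VPN server with a DMZ default route and summarized inside routes would hold. The internal subnets (those of Table 7.5 plus one more), the inside router address, and the DMZ gateway address are constructed.

```python
"""Route summarization and longest-prefix lookup, for the summarized static
routes the text recommends on the VPN server's inside path and for ABR
summarization in the OSPF area guidelines.

Added example, not code from the guide; the internal subnets, the inside
router address and the DMZ gateway address are constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def summarize(networks: Iterable[str]) -> List[IPv4Net]:
    """Smallest set of prefixes covering exactly the given subnets:
    adjacent, aligned pairs merge and nothing extra is announced."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(networks: Iterable[str]) -> IPv4Net:
    """The single prefix an ABR would announce if it summarized all of an
    area's subnets into one, as the text suggests. This can claim address
    space that was never allocated."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def unclaimed_addresses(networks: Iterable[str]) -> int:
    """Addresses the single covering prefix advertises that belong to none
    of the real subnets. Nonzero means the allocation is not contiguous
    and the summary attracts traffic for unused space."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return covering_supernet([str(n) for n in nets]).num_addresses - sum(n.num_addresses for n in nets)


class RoutingTable:
    """Longest-prefix-match forwarding table."""

    def __init__(self) -> None:
        self._routes: List[Tuple[IPv4Net, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=True), next_hop))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[str]:
        addr = ipaddress.ip_address(destination)
        for net, hop in self._routes:
            if addr in net:
                return hop
        return None


INTERNAL_SUBNETS = ["172.16.4.0/22", "172.16.8.0/22", "172.16.12.0/22"]
INSIDE_ROUTER = "172.16.16.1"   # assumed: router on the transit subnet behind the VPN server
DMZ_GATEWAY = "203.0.113.1"     # assumed: default gateway on the DMZ side


def vpn_server_table() -> RoutingTable:
    """Static table for the VPN server: exact summaries toward the inside
    router, a default toward the DMZ, and no routing protocol on the DMZ
    interface, so nothing internal is ever announced outward."""
    table = RoutingTable()
    for prefix in summarize(INTERNAL_SUBNETS):
        table.add(str(prefix), INSIDE_ROUTER)
    table.add("0.0.0.0/0", DMZ_GATEWAY)
    return table


if __name__ == "__main__":
    print("exact summaries:", [str(n) for n in summarize(INTERNAL_SUBNETS)])
    print("single prefix:  ", covering_supernet(INTERNAL_SUBNETS),
          "unclaimed:", unclaimed_addresses(INTERNAL_SUBNETS))
    t = vpn_server_table()
    for dst in ("172.16.9.5", "172.16.1.1", "198.51.100.7"):
        print(dst, "->", t.lookup(dst))
```

For the three subnets here, 172.16.8.0/22 and 172.16.12.0/22 merge into 172.16.8.0/21 but 172.16.4.0/22 cannot join them, so exact summarization yields two routes; the single covering prefix 172.16.0.0/20 would advertise 1,024 addresses nobody owns. Allocating contiguously from a prefix boundary (for example 172.16.8.0/22 through 172.16.20.0/22 under 172.16.8.0/21 and 172.16.16.0/21) is what lets an ABR summarize to one route without that gap.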

IPX Routing Structure

NetWare servers and Windows 2000 systems are made interoperable on the same network by using NWLink, Client Services for NetWare, and Gateway Services for NetWare. Windows 2000 Server provides services that coexist and are interoperable with Novell NetWare networks and servers. The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol (NWLink) is included with Windows 2000. This protocol provides connectivity between Windows 2000 and Novell NetWare systems. Reasons for using IPX/SPX in a mixed environment and enabling IPX routing are:

  • Windows 2000 routers might be required to route traffic between NetWare clients and servers.
  • Windows 2000 clients might need to access services on NetWare servers.

Windows 2000 routing supports RIP for IPX, which is very similar in function to RIP for IP, and the Service Advertising Protocol (SAP) for IPX, a protocol that gives nodes such as file servers and print servers the ability to advertise their service names and IPX addresses. Servers that host services send periodic SAP broadcasts; IPX routers and SAP servers receive the broadcasts and propagate the service information in SAP announcements, which are sent every 60 seconds.

IPX Network Design

The IPX network ID is a 4-byte identifier expressed as an 8-digit hexadecimal number. This network ID has to be unique, or network connection problems can occur for NetWare clients. The 4-byte IPX network ID is an address space that you can use to group IPX networks based on the following:

Internal vs. External Networks Internal networks are virtual networks inside Novell NetWare servers, Windows 2000 routers, and other IPX routers that are also hosting services. The designation of an internal network ensures proper routing to these services.

Networks for Various Ethernet Frame Types For IPX environments that need to support multiple Ethernet frame types, you need to configure each Ethernet frame type with its own IPX network ID.

Remote Access Networks When you use a computer running Windows 2000 as a remote access server, remote access clients are assigned an IPX network ID. By default, the remote access server chooses a unique IPX network ID. You can specify an IPX network ID or range of IPX network IDs so that remote access IPX traffic is identified by its source IPX network address.

Department or Geographic Location You can allocate portions of the IPX address space based on geography (by building or site) or department (such as sales or research). For example, in a large campus environment, all of the IPX networks in building 5 might use 5 as the first digit of their addresses.

Maximum Diameter The maximum diameter of RIP and SAP for IPX is 16 hops, the same as for RIP for IP. The diameter is a measure of the size of an internetwork in terms of the number of routers a packet must cross to reach its destination. Networks and services that are more than 16 hops away are considered unreachable.

Confining and Directing NetBIOS-over-IPX Traffic You can control NetBIOS-over-IPX traffic by disabling the propagation of NetBIOS-over-IPX broadcasts on specific interfaces and by configuring static NetBIOS names. For example, if a specific IPX network does not contain any nodes that use NetBIOS over IPX, then you can disable NetBIOS-over-IPX broadcast propagation on all of the router interfaces connected to that network.

Preventing the Propagation of SAP Broadcasts The Service Advertising Protocol (SAP) is used on IPX networks to inform network clients of available network resources and services. If there are SAP broadcasts that do not need to propagate throughout the entire internetwork, you can use SAP filtering to prevent the IPX services from being advertised outside of a group of IPX networks. For example, if you want to hide the file servers in the human resources department, configure the routers that are connected to the human resources network to filter SAP broadcasts corresponding to the file and print sharing services of the human resources file servers. Another reason is to reduce traffic sent to subnets that do not require SAP services.

AppleTalk Routing Structure

Networking on the Macintosh platform relies on the AppleTalk suite of protocols. These protocols contain built-in routing capabilities that can be enabled to establish routers in an AppleTalk internetwork.

Multicast Support

Media services are becoming common on the Internet and on private networks. Windows 2000 TCP/IP supports the forwarding of multicast traffic, and Windows 2000 Routing and Remote Access service supports the Internet Group Management Protocol (IGMP) as a router. IGMP is used by hosts to join a multicast group. The Routing and Remote Access Service IGMP–enabled interfaces can operate in one of two modes:

  • IGMP proxy mode interfaces forward IGMP reports and multicast traffic from other interfaces that are running in IGMP router mode.
  • IGMP router mode interfaces listen for IGMP traffic from hosts and update the TCP/IP multicast forwarding table as appropriate, as well as sending IGMP queries.

The IGMP proxy that is provided with Windows 2000 Server is designed to pass IGMP Membership Report packets from a single network intranet to a multicast-capable portion of the Internet.

You can position the IGMP proxy router in the DMZ of the corporate infrastructure to provide internal network hosts with video and audio traffic from the Internet. Ensure that the IGMP router is on a high-bandwidth network with fast switches to minimize bottlenecking. The VPN server that is in the DMZ can also be used as an IGMP router, but only in smaller network structures where the server will not be overloaded with remote access and multicast traffic.

When you configure the IGMP interfaces, the interface that is in proxy mode faces the multicast-enabled Internet and the interface that is in router mode faces the internal network. An example is shown in Figure 7.6.

Figure 7.6 IGMP Interface in Proxy Mode

Note The example in Figure 7.6 will work only if the hardware router connecting the Windows 2000 IGMP router to the Internet is multicast capable, and if the ISP is on the multicast backbone.

Network Address Translation

Windows 2000 network address translation (NAT) allows computers on a small network, such as a small office/home office (SOHO), to share a single Internet connection. The computer on which NAT is installed can act as a network address translator, a simplified DHCP server, a DNS proxy, and a WINS proxy. NAT allows host computers to share one or more publicly registered IP addresses, helping to conserve public address space.

There are two types of connections to the Internet: routed and translated. When planning for a routed connection, you need a range of IP addresses from your ISP to use on the internal portion of your network, and the ISP also gives you the IP address of the DNS server to use. You can either statically configure the IP address configuration of each SOHO computer or use a DHCP server.

The Windows 2000 router needs to be configured with a network adapter for the internal network (10 or 100BaseT Ethernet, for example). It also needs to be configured with an Internet connection such as an analog or ISDN modem, xDSL modem, cable modem, or a fractional T1 line.

The translated method, or NAT, gives you a more secure network because the addresses of your private network are completely hidden from the Internet. The connection-sharing computer, which uses NAT, translates between Internet addresses and the addresses of your private network in both directions. However, be aware that the NAT computer cannot translate every payload: some applications carry IP addresses or port numbers inside the application data rather than only in the IP and TCP/UDP header fields, and NAT rewrites only the headers.

The following protocols do not work through NAT (IPSec, for example, integrity-protects header fields that NAT must rewrite):

  • Kerberos
  • IPSec
The DHCP allocator functionality in NAT enables all DHCP clients in the SOHO network to automatically obtain an IP address, subnet mask, default gateway, and DNS server address from the NAT computer. If you have any non-DHCP computers on the network, then statically configure their IP address configuration.

To keep resource costs to a minimum with a SOHO network, only one Windows 2000 server is needed. Depending on whether you are running a translated or routed connection, this single server can suffice for NAT, APIPA, Routing and Remote Access, or DHCP.

For more information about NAT and its configuration, see the Windows 2000 Server online Help.

Windows 2000 DHCP

Every computer on a TCP/IP network needs to have a unique name and IP address. The Windows 2000 Dynamic Host Configuration Protocol (DHCP) service offers you a way to simplify and automate this process, providing dynamic assignment of IP addresses to clients on the network no matter where they are or how often they move. This reduces administrator workload.

Benefits of Using DHCP

DHCP allows for reliable assignment of IP addresses in a network by reducing the need to manually assign addresses to each host. This prevents IP conflicts that can disable a network.

Mobile users receive much of the benefit of DHCP, which allows them to travel anywhere on the intranetwork and automatically receive IP addresses when they reconnect to the network.

Interoperability with DNS servers provides name resolution for network resources, allowing DHCP servers and DHCP clients to register with DNS.

New Features of Windows 2000 DHCP

The new features of Windows 2000 DHCP allow for a more flexible and extensible way to assign IP addresses to hosts. These new features are described in the following sections.

Enhanced Server Reporting

The general status of DHCP servers, scopes, and clients, or "member items," can be graphically tracked by the use of icons displayed in the DHCP Manager. For more information about this subject, see the DHCP Manager online Help.

Additional Scope Support

An extension to the DHCP standard, the Multicast Address Dynamic Client Allocation Protocol (MADCAP, RFC 2730), lets the Windows 2000 DHCP service assign IP multicast addresses, which are distributed in the same manner as unicast addresses. Multicast scopes are configured in the same manner as regular DHCP scopes, but instead of Class A, B, or C (unicast) addresses, a multicast scope uses addresses from the Class D range, 224.0.0.0 to 239.255.255.255. Avoid 224.0.0.0 through 224.0.0.255 when defining scopes; that block is reserved for local network control traffic such as routing protocols.

Typical applications for multicast are video and audio conferencing, which usually require users to configure multicast addresses by hand. Unlike an IP broadcast, which every computer on the subnet must receive and process, a multicast address identifies a group of computers; only hosts that have joined the group receive the message.

The multicast address allocation feature has two parts: the server side, which hands out multicast addresses; and the client side application programming interface (API), which requests, renews, and releases multicast addresses. To use this feature, you need to first configure the multicast scopes and the corresponding multicast IP ranges on the server through the DHCP snap-in. The multicast addresses are then managed like normal IP addresses, and the client can call the APIs to request a multicast address from a scope.

DHCP and DNS Integration

Domain Name System (DNS) servers provide name resolution for network resources and are closely related to DHCP services. In Windows 2000, DHCP servers and clients can register records with a Windows 2000 DNS server using the DNS dynamic update protocol (RFC 2136). The integration of DHCP and DNS supports registration of both address (A, name-to-address) records and pointer (PTR, address-to-name) records, and it allows the DHCP server to perform dynamic update registration as a proxy on behalf of clients that cannot do so themselves, such as Windows 95 and Windows NT 4.0 Workstation, so that their records appear in the DNS zones used by Active Directory.
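To make the division of labour concrete, here is an added Python example, not code from Windows 2000 or its documentation, that decides which records the DHCP server registers for one lease. It builds the A and PTR names from the lease and models the Client FQDN option (DHCP option 81) and the "update DNS for clients that do not request it" setting as plain Python values; the parameter names client_fqdn_option, server_updates_a and update_downlevel_clients, and their defaults, are assumptions made for the example.

```python
import ipaddress


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address: 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def plan_dns_updates(client_name, ip, domain, client_fqdn_option=None,
                     update_downlevel_clients=False):
    """Decide who registers the A and PTR records for one lease.

    Simplified model (assumptions marked):
      * client_fqdn_option is None for clients that send no Client FQDN option
        (DHCP option 81), such as Windows 95 and Windows NT 4.0.  The server
        registers both records for them only if update_downlevel_clients is
        set; the name and default of that setting are assumed here.
      * Otherwise the client asked for dynamic update.  By default the client
        registers its own A record and the server registers the PTR; if the
        option's "server_updates_a" flag is set (modelled here as a dict key),
        the server registers both.
    Returns the records each party is responsible for as (owner, type, data).
    """
    fqdn = f"{client_name}.{domain}".rstrip(".").lower()
    a_record = (fqdn, "A", ip)
    ptr_record = (ptr_name(ip), "PTR", fqdn)

    if client_fqdn_option is None:
        server = [a_record, ptr_record] if update_downlevel_clients else []
        return {"server_registers": server, "client_registers": []}

    if client_fqdn_option.get("server_updates_a", False):
        return {"server_registers": [a_record, ptr_record], "client_registers": []}

    return {"server_registers": [ptr_record], "client_registers": [a_record]}


if __name__ == "__main__":
    # Constructed leases: a Windows 2000 client and a down-level client.
    for args in (("ws01", "10.1.2.3", "corp.example", {"server_updates_a": False}),
                 ("nt4ws", "10.1.2.4", "corp.example", None)):
        print(args[0], plan_dns_updates(*args, update_downlevel_clients=True))
```

One consequence worth planning for: in a zone that uses secure dynamic update, whoever registers a record owns it, so records the DHCP server creates as a proxy are owned by the server's account and cannot be updated by the client later. Windows 2000 provides the DnsUpdateProxy group for DHCP servers so that records they create carry no owner restriction; the trade-off is that such records stay writable by any authenticated user until a client or server takes them over.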

Design Considerations for DHCP and DNS Integration

When using DHCP and DNS together on your network, consider whether you have older DNS servers that do not support dynamic update. Such static DNS servers cannot keep name-to-address mappings synchronized when DHCP client configurations change, for example for a mobile user who moves from subnet to subnet within the intranet, and their records go stale until someone edits them by hand. In this situation it is best to upgrade all static DNS servers to Windows 2000 DNS, or at least to a DNS server that supports the dynamic update protocol.

Unauthorized DHCP Server Detection

The DHCP service in Windows 2000 is designed to prevent unauthorized DHCP servers from creating address assignment conflicts. Without this control, any user could bring up a DHCP server that leases invalid or duplicate addresses to clients elsewhere on the network. For example, a user could set up what was intended to be a local DHCP server using addresses that are not unique, and that server could lease those addresses to unintended clients requesting addresses from elsewhere on the network. A rogue server can also hand out its own default gateway and DNS server addresses, which lets its operator intercept the traffic of every client that accepts its offer; this is why unauthorized DHCP is a security problem and not only an availability one.

The Windows 2000 DHCP server has management features to prevent unauthorized deployments and to detect existing unauthorized servers. In the past anyone could create a DHCP server on a network; now an authorization step is required. A Windows 2000 DHCP server that belongs to an Active Directory domain checks the directory when the service starts and does not respond to clients unless it has been authorized there. Authorized personnel usually include the administrator of the domain to which the Windows 2000 server belongs, or someone to whom that administrator has delegated management of the DHCP servers. Note that authorization governs only DHCP servers running Windows 2000; a rogue server running another operating system is not prevented from answering, so you still need to monitor each segment for offers from unexpected servers.
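The monitoring step can be automated with a small audit that inspects DHCP replies and flags any whose server identifier is not on the list of authorized servers. The following Python is an added example, not a Windows 2000 tool: it builds two DHCPOFFER packets in memory (a constructed capture, one from an authorized server and one from a rogue), parses the RFC 2131 fixed fields and RFC 2132 options, and reports each offer from an unauthorized server together with the router and DNS addresses it tried to hand out. In practice the packets would come from a sniffer on the segment; the addresses and the findings dict layout are assumptions made here.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 53, 54


def build_offer(server_ip, yiaddr, router, dns, xid=0x3903F326):
    """Constructed DHCPOFFER: 236-byte BOOTP fixed header, cookie, then options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                  # BOOTREPLY, Ethernet, hlen 6, hops 0
        xid, 0, 0,                                   # xid, secs, flags
        b"\0" * 4,                                   # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,        # yiaddr: the offered address
        ipaddress.IPv4Address(server_ip).packed,     # siaddr
        b"\0" * 4,                                   # giaddr
        bytes.fromhex("001122334455"),               # chaddr, zero padded to 16 bytes
        b"", b"",                                    # sname, file (zero padded)
    )

    def opt(code, value):
        return bytes([code, len(value)]) + value

    options = (
        opt(OPT_MSG_TYPE, b"\x02")
        + opt(OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
        + opt(OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed)
        + opt(OPT_ROUTER, ipaddress.IPv4Address(router).packed)
        + opt(OPT_DNS, ipaddress.IPv4Address(dns).packed)
        + opt(51, struct.pack("!I", 86400))          # lease time: one day
        + b"\xff"                                    # END
    )
    return fixed + DHCP_MAGIC + options


def parse_options(packet):
    """Parse the RFC 2132 option field into {code: value}; rejects malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: short or bad magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                              # END
            return opts
        if code == 0:                                # PAD
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value     # long options may be split (RFC 3396)
        i += 2 + length
    raise ValueError("options field missing END marker")


def audit_offers(packets, authorized_servers):
    """Flag every OFFER/ACK whose server identifier is not an authorized DHCP server.

    Router (option 3) and DNS (option 6) are reported because a rogue server's
    real payoff is pointing clients at an attacker-controlled gateway or
    resolver, not merely handing out conflicting addresses.
    """
    authorized = {ipaddress.IPv4Address(a) for a in authorized_servers}
    findings = []
    for pkt in packets:
        opts = parse_options(pkt)
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if mtype not in (2, 5):
            continue
        # Server identifier is mandatory in OFFER/ACK; fall back to siaddr if absent.
        server = ipaddress.IPv4Address(opts.get(OPT_SERVER_ID, pkt[20:24]))
        if server in authorized:
            continue
        findings.append({
            "type": MSG_TYPE[mtype],
            "server": str(server),
            "offered": str(ipaddress.IPv4Address(pkt[16:20])),
            "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None,
            "dns": str(ipaddress.IPv4Address(opts[OPT_DNS])) if OPT_DNS in opts else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed capture: one offer from the authorized server, one from a rogue.
    capture = [
        build_offer("10.0.0.2", "10.0.0.50", "10.0.0.1", "10.0.0.2"),
        build_offer("10.0.0.200", "10.0.0.51", "10.0.0.200", "10.0.0.200"),
    ]
    for f in audit_offers(capture, authorized_servers=["10.0.0.2"]):
        print(f"rogue {f['type']} from {f['server']}: offers {f['offered']}, "
              f"router {f['router']}, dns {f['dns']}")
```

Keying on the server identifier rather than the packet's source address matters because offers that cross a relay agent arrive from the relay, not from the server; option 54 names the server that actually made the offer.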

Dynamic Support for Bootstrap Protocol Clients

DHCP servers respond to both bootstrap protocol (BOOTP) requests and DHCP requests. BOOTP is an established TCP/IP standard [RFC 951] for host configuration that precedes DHCP. BOOTP was originally designed to enable boot configuration for diskless workstations. These workstations have a limited ability to store and locally retrieve IP addresses, and other configurable information that you need during the boot process to join a TCP/IP-based network.

With the new support for dynamic BOOTP, a pool of addresses can be designated for BOOTP clients in the same manner in which a scope is used for DHCP clients, so addresses for BOOTP clients are managed dynamically rather than reserved one by one. Because BOOTP clients never renew or release an address, the DHCP service reclaims addresses in the dynamic BOOTP pool on its own: it waits until the lease time configured for the pool has elapsed and then verifies that the address is no longer in use by the BOOTP client before returning it to the pool.
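The two-part reclaim test is easy to get wrong (checking only the clock would pull addresses out from under diskless workstations that are still running), so here is an added Python model of a dynamic BOOTP pool that shows it. This is example code, not the Windows 2000 DHCP service; the class and method names, the lease table layout, and the is_in_use callback that stands in for the server's liveness probe are all assumptions made for the demonstration, and the addresses and timestamps are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BootpLease:
    ip: str
    chaddr: str        # client hardware address from the BOOTP request
    granted_at: float  # time the address was handed out (seconds)


@dataclass
class DynamicBootpPool:
    """Constructed model of a dynamic BOOTP address pool; the interface is assumed."""
    first: str
    last: str
    lease_seconds: float
    leases: dict = field(default_factory=dict)   # ip -> BootpLease

    def _addresses(self):
        start = int(ipaddress.IPv4Address(self.first))
        end = int(ipaddress.IPv4Address(self.last))
        return (str(ipaddress.IPv4Address(n)) for n in range(start, end + 1))

    def allocate(self, chaddr, now):
        """Hand an address to a BOOTP client; a known client gets its previous one back."""
        for lease in self.leases.values():
            if lease.chaddr == chaddr:
                lease.granted_at = now
                return lease.ip
        for ip in self._addresses():
            if ip not in self.leases:
                self.leases[ip] = BootpLease(ip, chaddr, now)
                return ip
        raise RuntimeError("dynamic BOOTP pool exhausted")

    def reclaim(self, now, is_in_use):
        """Return the addresses put back into the pool.

        BOOTP clients never renew or release, so the server must decide on its
        own.  An address is reclaimed only when BOTH hold: the pool's lease time
        has elapsed since it was granted, AND a liveness probe (is_in_use, e.g.
        an ICMP echo to the address) finds no host still answering.
        """
        reclaimed = []
        for ip, lease in list(self.leases.items()):
            expired = now - lease.granted_at >= self.lease_seconds
            if expired and not is_in_use(ip):
                del self.leases[ip]
                reclaimed.append(ip)
        return reclaimed


if __name__ == "__main__":
    pool = DynamicBootpPool(first="10.0.0.70", last="10.0.0.72", lease_seconds=1500)
    for mac, t in (("00:00:00:00:00:aa", 0), ("00:00:00:00:00:bb", 0),
                   ("00:00:00:00:00:cc", 1000)):
        print(mac, "->", pool.allocate(mac, now=t))
    still_up = {"10.0.0.71"}                      # constructed: only .71 answers a ping
    print("reclaimed at t=3000:", pool.reclaim(now=3000, is_in_use=lambda ip: ip in still_up))
```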

Read-Only Console Access to the DHCP Manager

This feature provides a special-purpose local group, DHCP Users, that is added when you install the DHCP service. By using the DHCP Manager console to add members to this group, you can give nonadministrators read-only access to information about the DHCP services on a server. A member of this local group can view, but not modify, the information and properties stored at a specified DHCP server. This is useful for Help desks that need to pull DHCP status reports. Read/write access can be granted only through membership in the DHCP Administrators group.

Designing DHCP Into Your Network

When designing or upgrading your network, you can implement DHCP using a centralized or a distributed approach (see Figures 7.7 and 7.8). In the centralized approach, as this chapter uses the term, each site has its own DHCP server (or cluster) that is responsible for the subnets in that site, so no DHCP traffic crosses the wide area links. In the distributed approach, a DHCP server at the central site is responsible for its own site and for other sites, local or remote, within the corporate structure; this requires a DHCP relay agent (an RFC 1542-compliant router, or a Windows 2000 Routing and Remote Access server running the DHCP Relay Agent) on each remote subnet to forward client broadcasts across the link.

In order to effectively plan which address distribution scheme you will use, consider the issues discussed in the following sections.

Network Infrastructure Size

How many sites do you have in your domain structure? If you have only a central site and a small number of remote sites, distributed DHCP, with the central site leasing addresses across the wide area link, may suffice. As the number of sites grows, a centralized structure, in which DHCP servers in each site assign addresses for that site, scales better and does not depend on the wide area links being up.

Figures 7.7 and 7.8 show a centralized and a distributed DHCP environment respectively. In the centralized environment, each site's servers distribute addresses within that site; in the distributed environment, the central site distributes addresses to remote sites as well. Because Windows Clustering works with all cluster-aware Windows services, other cluster-aware services can run on the same cluster as the cluster-aware DHCP service.

In Figure 7.7, there are two sites, one main or central site, and one remote site. Both sites have a DHCP cluster that hands out IP addresses in their respective sites with no DHCP traffic traversing the wide area link.

Figure 7.7 Centralized DHCP

In Figure 7.8, there are again two sites, central and remote, but this time the central site is responsible for distributing IP addresses to itself and the remote site. Note that the remote site has a backup DHCP cluster server that handles DHCP traffic in case of a wide area link failure or other problem.

Figure 7.8 Distributed DHCP

For more information about DHCP, see Windows 2000 Help and the Windows® 2000 Resource Kit TCP/IP core Networking Guide.

Windows 2000 Asynchronous Transfer Mode

Windows 2000 ATM provides a flexible, scalable, high-speed solution to the increasing need for quality of service in networks that carry multiple information types, such as data, voice, and real-time video and audio. With ATM, each of these information types can pass through a single network connection. Windows 2000 ATM services allow seamless migration of existing network backbones to ATM and interconnection with traditional LANs through Windows 2000 LAN Emulation (LANE) services. For more information about LANE, see "Features of Windows 2000 ATM" later in this chapter.

Benefits of Using Windows 2000 ATM

Windows 2000 ATM has the following benefits:

  • High-speed communication.
  • Connection-oriented service, similar to traditional telephony.
  • Fast hardware-based switching.
  • A single, universal, interoperable network transport.
  • A single network connection that can reliably mix voice, video, and data.
  • Flexible and efficient allocation of network bandwidth.
  • Support for Quality of Service (QoS), which gives administrators the ability to dedicate network bandwidth based on several parameters, including but not limited to who initiated the request, the type of data being sent (such as streaming video), or the destination. For more information about QoS, see the Windows® 2000 Resource Kit TCP/IP core Networking Guide.

Features of Windows 2000 ATM

The new features of Windows 2000 allow for a more extensible, scalable framework in which to build diverse network structures such as ATM. The following sections describe the new features that are included in Windows 2000 ATM.

ATM User Network Interface Call Manager

Windows 2000 now includes a Call Manager that supports and manages calls on an ATM network. It conforms to the ATM Forum UNI Version 3.1 signaling specifications and supports the creation of switched virtual circuits (SVCs) and permanent virtual circuits (PVCs).

Updated NDIS and ATM Hardware Support

NDIS version 5 now supports ATM network adapters directly. This lets ATM adapter vendors use their hardware more effectively by writing ATM miniport device drivers that interface with Windows 2000. Drivers for most vendors' ATM network adapters are included with Windows 2000.

ATM LAN Emulation

ATM LAN Emulation (LANE) services are needed to provide interoperability between ATM and traditional LAN environments. LANE allows easier migration and integration with traditional networking LAN technologies such as Ethernet or Token Ring by emulating these LANs on ATM networks. Windows 2000 includes support for ATM LAN Emulation, and can participate in an Emulated LAN (ELAN) as a LAN Emulation Client (LEC). The Windows 2000 LAN Emulation Client can use the LAN Emulation Services that ATM vendors supply with their network switches. By default, Windows 2000 will install the LAN Emulation Client if it detects that an ATM network adapter has been installed. The LEC will also, by default, attempt to participate in a default unspecified ELAN. Your LAN emulation services must be configured for this default ELAN.

Figure 7.9 illustrates a LANE network.

Figure 7.9 LANE Network

IP/ATM

IP/ATM enables TCP/IP to use the features of ATM networks directly. Windows 2000 now includes IP/ATM support. With this support, applications written to use TCP/IP can make direct use of ATM networks. Also, applications written to use Generic Quality of Service (QoS) under Windows Sockets will benefit directly from the inherent QoS capabilities provided by the ATM network.

IP/ATM is a group of services for communicating over an ATM network that can be used as an alternative to ATM LAN emulation. IP/ATM is handled by two main components: the IP/ATM client and the IP/ATM server. The IP/ATM server includes an ATM ARP server and a multicast address resolution server (MARS). IP/ATM server components can reside on a Windows 2000 server or an ATM switch.

The main advantage of using IP/ATM is that it is faster than LANE, because with IP/ATM, no additional header information is added to packets as they move through the protocol stack. Once an IP/ATM client has established a connection, data can be transferred without modification.

With IP/ATM, you can either use a static IP address or configure the TCP/IP profile to use a DHCP server. Figure 7.10 depicts an IP-over-ATM network.


Figure 7.10 IP/ATM

Multicast and Address Resolution Service

Windows 2000 includes a Multicast and Address Resolution Service to support the use of IP/ATM. This service supports the IP/ATM Address Resolution Protocol and enables the efficient use of multicasting with ATM networks.

PPP/ATM

With the coming of digital subscriber line (xDSL) technologies, high-speed network access from the home and small office environment is becoming more common. Several standards exist in these areas, including Asymmetric DSL (ADSL) and Universal ADSL (UADSL or DSL Lite). These technologies operate over the local loop (the last run of copper wire between the telephone network and the home). In most areas in the U.S., this local loop then connects to an ATM core network.

ATM over the xDSL service preserves high-speed characteristics, and QoS guarantees availability in the core networking layer, without changing protocols. This creates the potential for an end-to-end ATM network to the residence or small office. This network model provides several advantages, including:

  • Protocol transparency
  • Support for multiple classes of QoS with guarantees
  • Bandwidth scalability
  • An evolution path to newer DSL technologies

Adding Point-to-Point Protocol (PPP) over this end-to-end architecture adds functionality and usefulness. PPP provides the following additional advantages:

  • User-level connection authentication
  • Layer 3 address assignment
  • Multiple concurrent sessions to different destinations
  • Layer 3 protocol transparency
  • Encryption and compression

If each virtual circuit (VC) carries only one Point-to-Point Protocol (PPP) session, each destination will have its own authenticated PPP session, providing authentication for each VC. This provides an extra measure of security and guaranteed bandwidth as if you had a dedicated line. Using Null Encapsulation over AAL5 (because PPP provides the protocol multiplexing) can further reduce overhead.

ATM Design Considerations

ATM networks are made up of three distinct components: endpoint elements (users), ATM switches, and interfaces. Consider the guidelines discussed in the following sections when you design an ATM network.

Use the Default ELAN

Windows 2000 ATM is initially configured with a default unspecified ELAN name. If you plan to implement a small LAN emulation, it is recommended that you use the preconfigured default unspecified ELAN. If you are implementing a large ATM network, multiple ELANs are more manageable and secure.

When purchasing an ATM switch, it is recommended that you check the product specifications to ensure that it is preconfigured with an ELAN that uses the default unspecified ELAN name. Switches that are preconfigured with a default ELAN allow for a more trouble-free setup in a small ATM environment.

Use Supported ATM Adapters

Before you buy an ATM adapter for use with Windows 2000, be certain that it is on the Windows 2000 Hardware Compatibility List. For more information, see the Hardware Compatibility List link on the Web resources page at http://windows.microsoft.com/windows2000/reskit/webresources .

Note Configurations Before You Upgrade

Before upgrading from Windows NT 4.0 to Windows 2000, note the following configuration information for each of the LAN emulation clients you plan to upgrade:

  • The ELAN name
  • The media type to be emulated on the LAN
  • ATM addresses for the LAN Emulation Server (LES) and Broadcast and Unknown Server (BUS) associated with the ELAN

Configure the ELANs

After you note these configuration parameters, use the configuration interface on your ATM switch to configure the LAN Emulation Configuration Service (LECS), the LAN Emulation Service (LES), and the Broadcast and Unknown Service (BUS) to support the ELANs and their associated parameters. Next, install Windows 2000 and configure the ELAN name for each LEC.

Use Only One ATM ARP/MARS for Each Logical IP Subnet

If your network uses IP/ATM, it is recommended that you configure only one ATM ARP/MARS for each logical IP subnet on your network. If you have multiple ARP servers on the same network segment, and your ARP client is configured with the addresses for these servers, the ARP caches could become out of sync. This can render parts of the network unreachable.

Quality of Service

Windows 2000 Quality of Service (QoS) is a set of components and technologies that enable a network administrator to allocate and manage end-to-end network resources. QoS enables consistent bandwidth results for network traffic, such as video and audio applications and ERP applications that normally use large amounts of network bandwidth. QoS is a method that allows networks to control their traffic efficiently, potentially reducing the costs spent on new hardware resources. Management becomes easier with Admission Control Service, an administrative interface of QoS, which allows for the centralized management of QoS policies. These policies, which you can configure to meet the requirements of users, programs, or physical locations, determine how you can reserve and allocate priority bandwidth. In the past, QoS has been incorporated into router and switch hardware. Now that it is available as part of Windows 2000, a new level of control across the entire enterprise can be achieved right down to the desktop.

Windows 2000 QoS offers you these benefits:

  • Centralized policy and subnet configuration through the QoS Admission Control Services Manager.
  • Use of enterprise, subnet, and user identities as criteria for reserving network resources and setting priorities.
  • Priority bandwidth reservation that is transparent to the user and requires no user training.
  • The ability for a network administrator to allocate network resources to prioritized traffic.
  • Safeguards for end-to-end delivery with low-delay guarantees.
  • Interoperability with LAN, WAN, ATM, Ethernet, and Token Ring configurations.
  • Support for multicast transmission of bandwidth reservation messages.
  • Simplified management of priority bandwidth at a low cost of ownership; here, lower cost of ownership means not having to replace network media to gain bandwidth.

For more information about QoS, see Windows 2000 Help and the Windows® 2000 Resource Kit TCP/IP Core Networking Guide.

Planning Task List for Networking Strategies

Table 7.6 outlines the tasks you need to perform when determining your network connectivity strategies.

Table 7.6 Planning Task List for Networking Strategies

  Task                                                                    Chapter Section
  ----------------------------------------------------------------------  ----------------------------------------
  Examine your current network diagram for connectivity structure.        Network Connectivity Overview
    If none exists, design one.
  Examine TCP/IP structure.                                               Windows 2000 TCP/IP
  Determine Internet and Routing and Remote Access connectivity methods.  Routing and Remote Access
  Determine WINS needs.                                                   TCP/IP and Windows Internet Name Service
  Examine Routing and Remote Access considerations.                       Routing and Remote Access
  Examine data security considerations.                                   VPN Security and L2TP-over-IPSec VPNs
  Examine IP routing structure.                                           IP Routing Infrastructure
  Determine multicast needs.                                              Multicast Support
  Determine DHCP requirements.                                            Windows 2000 DHCP
  Examine any Quality of Service issues.                                  Quality of Service




  Last updated January 17, 2000
  © 2000 Microsoft Corporation. All rights reserved. Terms of use.
