Lesson 2: Designing a Subnet Addressing Structure for a TCP/IP Network

TCP/IP’s success as the network protocol of the Internet is largely due to its ability to connect networks of different sizes and systems of different types. The Internet community originally defined five address classes: A through E. Microsoft TCP/IP supports classes A, B, and C. The classes have predefined sizes, each of which can be divided into smaller subnetworks, a process known as subnetting. Subnetting becomes necessary as you reconcile the logical address scheme of the Internet with the physical networks used by the real world. Subnetting allows you to partition a single TCP/IP network into a number of separate networks called subnets. By subnetting a multitiered Web network environment, you can enhance security and add bandwidth to your network, as well as increase your system’s availability. In this lesson you’ll learn how to design a subnetting structure for your multitiered Web environment in order to enhance security, add bandwidth, and increase availability.

After this lesson, you will be able to

  • Describe subnets and the subnetting process
  • Design a subnet addressing structure for a TCP/IP network

Estimated lesson time: 25 minutes

Subnetting a Multitiered Web Environment

Each TCP/IP host is identified by a logical IP address. The IP address is a network layer address and has no dependence on the Data-Link layer address (such as a Media Access Control [MAC] address of a network adapter). A unique IP address is required for each host and network component that uses TCP/IP to communicate.

The IP address identifies a system’s location on the network in the same way a street address identifies a house on a city block. Just as a street address must identify a unique residence, an IP address must be globally unique and have a uniform format. Each IP address includes a network ID and a host ID.

The network ID identifies the TCP/IP hosts that are located on the same physical network. All hosts on the same physical network must be assigned the same network ID to communicate with one another. A network ID should adhere to the following guidelines:

  • The network ID must be unique to the IP internetwork. If you plan on having a direct routed connection to the Internet, the network ID must be unique to the Internet. If you don’t plan on connecting to the Internet, the local network ID must be unique to your private internetwork.
  • The network ID can’t begin with the number 127. The number 127 is reserved for internal loopback functions.
  • All bits within the network ID can’t be set to 1. All 1s in the network ID are reserved for use as an IP broadcast address.
  • All bits within the network ID can’t be set to 0. All 0s in the network ID are used to denote a specific host on the local network and aren’t routed.

The host ID identifies a TCP/IP host within a network. The combination of IP network ID and IP host ID is an IP address. A host ID should adhere to the following guidelines:

  • The host ID must be unique to the network ID.
  • All bits within the host ID can’t be set to 1 because this host ID is reserved as a broadcast address to send a packet to all hosts on a network.
  • All bits in the host ID can’t be set to 0 because this host ID is reserved to denote the IP network ID.

Subnets

The 32 bits of the IP address are apportioned between network IDs and host IDs, depending on how many networks and hosts per network are needed. However, it isn’t always practical to have all possible network nodes on the same broadcast domain. All the hosts on the same physical network bounded by IP routers share the same broadcast traffic. For example, a class A network ID can contain more than 16 million hosts on the same network, which isn’t a practical solution. As a result, most of the 16 million host addresses are unassignable and are wasted. Even a class B network with 65,000 hosts per network is impractical.

In an effort to create smaller broadcast domains and to better utilize the bits in the host ID, an IP network can be subdivided into smaller networks, each bounded by an IP router and assigned a new subnetted network ID, which is a subset of the original class-based network ID. This creates subnets, subdivisions of an IP network each with its own unique subnetted network ID. Subnetted network IDs are created by using bits from the host ID portion of the original class-based network ID.

For example, Figure 2.6 shows a class B network with a network ID of 139.12.0.0. The network can include up to 65,534 nodes. The network should be subnetted, but it should be done in such a way so that it neither affects the rest of the IP internetwork nor requires its reconfiguration.

Figure 2.6 - Network 139.12.0.0 before subnetting

Network 139.12.0.0 is subnetted by utilizing the first 8 host bits of the host ID (the third octet) for the new subnetted network ID. The subnetting of 139.12.0.0, as shown in Figure 2.7, creates separate networks with their own subnetted network IDs (139.12.1.0, 139.12.2.0, and 139.12.3.0). The router is aware of the separate subnetted network IDs and routes IP packets to the appropriate subnet.

Figure 2.7 - Network 139.12.0.0 after subnetting

Note that the rest of the IP internetwork still regards all the nodes on the three subnets as being on network 139.12.0.0. The other routers in the IP internetwork are unaware of the subnetting being done on network 139.12.0.0 and therefore require no reconfiguration.

A key element of subnetting is still missing. How does the router that’s subdividing network 139.12.0.0 know how the network is being subdivided and which subnets are available on which router interfaces? To give the IP nodes this new level of awareness, they must be told exactly how to discern the new subnetted network ID regardless of Internet address classes. A subnet mask is used to tell an IP node how to extract a class-based or subnetted network ID.

Subnetting

Although the conceptual notion of subnetting by using host bits is straightforward, the actual mechanics of subnetting are a bit more complicated. Subnetting requires a three-step procedure:

  1. Determine the number of host bits to be used for the subnetting.
  2. Enumerate the new subnetted network IDs.
  3. Enumerate the IP addresses for each new subnetted network ID.

Step 1: Determining the Number of Host Bits

The number of host bits being used for subnetting determines the possible number of subnets and hosts per subnet. Before you choose the number of host bits, you should have a good idea of the number of subnets and hosts you’ll have in the future. Using more bits for the subnet mask than is required saves you the time of reassigning IP addresses in the future.

The more host bits you use, the more subnets (subnetted network IDs) you can have, but each subnet will have fewer hosts. Using too many host bits allows for growth in the number of subnets but limits the growth in the number of hosts. Using too few host bits allows for growth in the number of hosts but limits the growth in the number of subnets.

For example, Figure 2.8 illustrates the subnetting of up to the first 8 host bits of a class B host ID. If you choose 1 host bit for subnetting, you obtain two subnetted network IDs with 32,766 hosts per subnetted network ID (15 host bits remain, and the all-0s and all-1s host IDs are reserved). If you choose 8 host bits for subnetting, you obtain 256 subnetted network IDs with 254 hosts per subnetted network ID.

Figure 2.8 - Subnetting a class B network ID

In practice, network administrators define a maximum number of nodes they want on a single network. Recall that all nodes on a single network share all the same broadcast traffic; they reside in the same broadcast domain. Therefore, growth in the number of subnets is favored over growth in the number of hosts per subnet.

Step 2: Enumerating Subnetted Network IDs

Based on the number of host bits you use for your subnetting, you must list the new subnetted network IDs. There are two main approaches:

  • Binary: List all possible combinations of the host bits chosen for subnetting and convert each combination to dotted decimal notation.
  • Decimal: Add a calculated increment value to each successive subnetted network ID and convert to dotted decimal notation.

Either method produces the same result: the enumerated list of subnetted network IDs.

Step 3: Enumerating IP Addresses for Each Subnetted Network ID

Based on the enumeration of the subnetted network IDs, you must now list the valid IP addresses for new subnetted network IDs. To list each IP address individually would be unnecessarily tedious. Instead, enumerate the IP addresses for each subnetted network ID by defining the range of IP addresses (the first and the last) for each subnetted network ID. There are two main approaches:

  • Binary: Write down the first and last IP address for each subnetted network ID and convert to dotted decimal notation.
  • Decimal: Add values incrementally, corresponding to the first and last IP addresses for each subnetted network ID, and convert to dotted decimal notation.

Either method produces the same result: the range of IP addresses for each subnetted network ID.
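The three steps above, carried out for the lesson's class B network 139.12.0.0 as an added Python example (this is not code from the training kit). It computes the Step 1 trade-off, enumerates the subnetted network IDs by both the binary and the decimal method for Step 2, lists the first and last usable host of each subnet for Step 3, and also shows the mask operation an IP node performs to decide whether a destination is on its own subnet. The `ipaddress` cross-check exists only to confirm the hand-rolled bit arithmetic; all function names are this example's own.

```python
"""Subnetting 139.12.0.0 (class B, /16) by the lesson's three-step procedure."""
import ipaddress  # standard library; used only to cross-check the bit arithmetic below

CLASS_B_PREFIX = 16                 # bits in the class-based network ID
CLASS_B_HOST_BITS = 32 - CLASS_B_PREFIX


def to_int(addr):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_mask(prefix_len):
    """Mask with the network-plus-subnet bits set and the host bits clear."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def network_id(addr, mask):
    """What an IP node does with its mask: a bitwise AND extracts the (subnetted) network ID."""
    return dotted(to_int(addr) & mask)


def same_subnet(a, b, mask):
    """Deliver locally if both addresses yield the same network ID, otherwise hand to the router."""
    return (to_int(a) & mask) == (to_int(b) & mask)


def subnet_capacity(subnet_bits, class_host_bits=CLASS_B_HOST_BITS):
    """Step 1 trade-off: (number of subnets, usable hosts per subnet).
    The all-0s and all-1s host IDs are reserved, hence the -2."""
    if not 0 < subnet_bits < class_host_bits:
        raise ValueError("subnet bits must leave at least one host bit")
    return 2 ** subnet_bits, 2 ** (class_host_bits - subnet_bits) - 2


def subnet_ids_binary(network, subnet_bits, class_prefix=CLASS_B_PREFIX):
    """Step 2, binary method: every combination of the subnet bits, placed just
    below the class-based network ID, converted to dotted decimal."""
    base = to_int(network)
    host_bits = 32 - class_prefix - subnet_bits
    return [dotted(base | (combo << host_bits)) for combo in range(2 ** subnet_bits)]


def subnet_ids_decimal(network, subnet_bits, class_prefix=CLASS_B_PREFIX):
    """Step 2, decimal method: add the subnet size to each successive network ID."""
    base = to_int(network)
    increment = 1 << (32 - class_prefix - subnet_bits)
    return [dotted(base + i * increment) for i in range(2 ** subnet_bits)]


def address_ranges(network, subnet_bits, class_prefix=CLASS_B_PREFIX):
    """Step 3: first and last usable host (and the broadcast) for each subnetted network ID."""
    prefix = class_prefix + subnet_bits
    size = 1 << (32 - prefix)
    mask = dotted(subnet_mask(prefix))
    ranges = []
    for net in subnet_ids_decimal(network, subnet_bits, class_prefix):
        n = to_int(net)
        ranges.append({
            "network_id": net, "mask": mask,
            "first_host": dotted(n + 1),          # host ID all 0s is the network ID itself
            "last_host": dotted(n + size - 2),    # host ID all 1s is the broadcast
            "broadcast": dotted(n + size - 1),
        })
    return ranges


def cross_check(network, subnet_bits, class_prefix=CLASS_B_PREFIX):
    """Confirm the hand-rolled enumeration against the standard library."""
    expected = list(ipaddress.ip_network(f"{network}/{class_prefix}")
                    .subnets(prefixlen_diff=subnet_bits))
    ours = address_ranges(network, subnet_bits, class_prefix)
    return len(expected) == len(ours) and all(
        str(e.network_address) == o["network_id"]
        and str(e.broadcast_address) == o["broadcast"]
        and str(e.netmask) == o["mask"]
        for e, o in zip(expected, ours)
    )


if __name__ == "__main__":
    for bits in range(1, 9):                      # the Figure 2.8 trade-off
        print(bits, "subnet bit(s):", subnet_capacity(bits))
    for r in address_ranges("139.12.0.0", 3):     # 8 subnets of 8,190 hosts each
        print(r)
    print(same_subnet("139.12.1.10", "139.12.2.10", subnet_mask(24)))  # False: router needed
```

Note that the binary and decimal methods are the same computation written two ways: shifting the subnet-bit combination into place is the same as adding the subnet size once per subnet. The reserved host IDs show up as the gap between `network_id` and `first_host` and between `last_host` and `broadcast`.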

Segmenting a Network into Subnets

All Web sites must be managed in such a way that adequate protections are provided for the confidentiality, privacy, integrity, and availability of information. Security is essential to the success of any business site. A business site uses multiple security domain segments. Systems with the same security needs are grouped into the same segment, and each segment is protected by a network filter or firewall, as shown in Figure 2.9. The three principal domain segments, each separated by a firewall, are as follows:

  • the public network
  • a perimeter network, where front ends and content servers are placed
  • a secure network, where content is created or staged and secure data is managed and stored

Figure 2.9 - The three principal domain segments

Data networks internal to the perimeter network should be segregated for security, as well as to add bandwidth. Generally, each computer should be equipped with two or more NICs. You should adhere to the following guidelines when segmenting the perimeter network:

  • Segregate different types of Internet traffic to different Web clusters. For example, Hypertext Transfer Protocol (HTTP) requests can be routed to one cluster and FTP requests can be routed to another cluster. You can then configure each cluster to reject traffic that’s different from the type it’s designed to service.
  • Segregate Internet traffic from back-end traffic. This prevents direct access from the Internet to the internal network and permits filters to be configured for each NIC, thereby limiting traffic to only types appropriate for the server.
  • Avoid IP forwarding in the Routing and Remote Access Service (RRAS) in Windows 2000 Server on the front-end servers. With forwarding enabled, a front-end server that has one NIC on the Internet-facing network and another on the back-end network acts as a router between them, so a compromised or misconfigured server could pass Internet traffic straight onto the back end. The only publicly accessible IP address is the virtual IP address used by the load-balanced front-end server cluster. Disabling IP forwarding is crucially important.
  • Use non-routable (RFC 1918 private) network addresses, such as 10.x.x.x or 192.168.x.x, for internal Web site networks; Internet routers don’t forward these ranges.
  • Implement a management network in order to segregate management from all other traffic. This also permits the configuration of NIC filters to restrict traffic to that NIC. Powerful management functions should then be restricted to the management network and be unable to traverse the service networks. It also eliminates management traffic from passing through firewalls, which further reduces vulnerabilities. Securing the management LAN itself is of crucial importance.

Making a Decision

When segmenting a network in order to support a secure, highly available Web environment, you can implement a multitiered strategy and use a separate network segment for the heartbeat LAN connection within each cluster and a network segment to act as the management network. Each of these strategies is outlined in Table 2.3.

Table 2.3 Segmenting Your Network

Strategy: Multitiered network
Description: A multitiered network should be divided into at least three basic domain segments that are each separated by a firewall: the public network; a perimeter network, where front ends and content servers are placed; and a secure network, where content is created or staged and secure data is managed and stored. In some cases the perimeter network is divided into smaller segments. The multitiered environment segregates Internet traffic from back-end traffic, preventing direct access from the Internet to the internal network.

Strategy: Heartbeat LAN
Description: The heartbeat LAN provides a segregated network segment in which servers within the same cluster can communicate with each other. Clustering is discussed in more detail later in this book.

Strategy: Management network
Description: A management network segregates management traffic from all other traffic. Although a separate segment isn’t required, it’s generally recommended to ensure a more secure environment.

Recommendations

To set up the most effective Web environment, you should implement all three of these strategies. A multitiered topology provides for a higher level of security, the heartbeat LAN segment is essential for clustering functionality, and the management network is strongly recommended because it eliminates management traffic through firewalls, which reduces vulnerabilities.

Example: A Subnetted Web Environment

The network topology shown in Figure 2.10 shows a highly available system. The design represents a large site and demonstrates both topological and component redundancy. Critical services can survive most failure modes short of a major disaster. Servers in each of the ISP 1 through ISP N groupings support each of the site’s critical functions, so even the loss of an ISP will not take the site down. Providing nonstop service through most disaster scenarios requires replication of the entire site in multiple geographies (geoplex). Cisco’s DistributedDirector is commonly used to support the geoplex. Unfortunately, site replication can more than double a site’s cost and may introduce data consistency issues for Web applications.

The network design illustrates multiple connections for redundancy, labeled ISP 1 and ISP N. These should be provisioned from diverse (physically separate) networks. Servers on front-end networks are exposed to the Internet. Firewalls are essential security components that provide network isolation by filtering traffic by packet type as well as source and destination addresses. They form one boundary of a perimeter network depicted by the double-ended arrows. The first components in the path are Router/Firewalls, whose functions may be distinct or combined in single devices.

Front-End Network Segment

The front end provides the core Web services, such as HTTP/HTTPS, by using Microsoft Internet Information Server (IIS) to serve up Hypertext Markup Language (HTML) and ASP pages and Lightweight Directory Access Protocol (LDAP) servers to authenticate customers.

Figure 2.10 - Web-based network topology with multiple segments

Each front-end server is specially hardened for security and connects to three networks:

  • Front-end network (Internet access)
  • Back-end network (access to perimeter network servers and, through inner firewalls, to the Secure Network)
  • Management network (supports management and operations functions)

This network segregation improves security while increasing total available bandwidth and improving redundancy.

Note that the only publicly accessible IP addresses on any of the servers in this site are the virtual IP addresses, to which only the front-end servers can respond. IP filtering applied to Internet-facing NICs ensures that only the correct type and source of traffic for the functions supported can enter the front-end server. IP forwarding on the Web servers (through RRAS) has also been disabled between these networks.

Back-End Network Segment

The back-end network supports all perimeter network servers through use of a high-speed, private 10.10.1.x LAN. This architecture prevents direct network access from the Internet to the perimeter network servers, even if the outer firewall were to be breached, because Internet routers aren’t permitted to forward the private ranges reserved by RFC 1918, including the 10.x.x.x range. Note that this protects only against traffic routed in from the Internet; a front-end server that is itself compromised already has a NIC on the back-end network, which is why IP forwarding on those servers must stay disabled and their back-end NICs must be filtered. As with the front-end network, redundant switches provide access to all front-end and back-end servers. All back-end switches share a common network, so back-end traffic loading can become problematic for active sites, especially if a separate management network isn’t available for logging and other front-end management network traffic.

The major components on the back-end network are security-hardened server clusters that provide services for storing Web content and session state. File shares within the cluster support file storage services. Microsoft SQL Server running on the cluster provides database services. Each cluster server employs at least four NICs: one for each switch, one for the private heartbeat LAN (which should use another private network address, such as 192.168.10.x), and one for the management LAN. In addition to the servers’ physical addresses, each cluster is assigned two virtual IP addresses (one for each NIC connected to the back-end switches).

Secure Network Segment

Another firewall forms the inner boundary of the perimeter network and isolates what we term the secure network from the back-end network. The firewall is configured to allow only required communications between permitted port and source/destination pairs. The secure network again comprises a private network (10.10.2.0 in this example), a pair of coupled switches, a variety of servers, and a device labeled VPN/Router that provides connectivity to the internal corporate network. The secure network is logically part of the corporate network. Servers on the secure network are often members of an internal corporate domain, so domain controllers and address and name servers are assumed to be internal.

Management Network Segment

A site management system is often built on a separate network to ensure high availability. Using a separate network for the management system also relieves the back-end network of the management traffic, which improves overall performance and response time. Sometimes, management and operations use the back-end network, but this isn’t recommended for large, highly available sites.
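The segmentation guidelines given earlier and the example topology of Figure 2.10, modelled as an added Python example (this is not code from the training kit). It maps addresses to segments, encodes the rule that the firewalls permit only required source/destination/port pairs with everything else denied, refuses management traffic that would cross into a service network, and shows why an Internet source cannot reach RFC 1918 space regardless of the allow list. The back-end (10.10.1.0/24), secure (10.10.2.0/24) and heartbeat (192.168.10.0/24) ranges are the ones the lesson gives; the public virtual IP 203.0.113.10, the management LAN 10.10.3.0/24, the sample client address 198.51.100.7 and the port numbers marked as assumed are assumptions made for this example.

```python
"""Default-deny check of traffic flows against the segmented site in Figure 2.10."""
import ipaddress
from typing import NamedTuple

# Address ranges: back-end, secure and heartbeat networks are the ones the lesson names;
# the public virtual IP and the management LAN are assumed values for this example.
SEGMENTS = {
    "front_end_vip": ipaddress.ip_network("203.0.113.10/32"),  # assumed: load-balanced VIP
    "back_end":      ipaddress.ip_network("10.10.1.0/24"),
    "secure":        ipaddress.ip_network("10.10.2.0/24"),
    "heartbeat":     ipaddress.ip_network("192.168.10.0/24"),
    "management":    ipaddress.ip_network("10.10.3.0/24"),     # assumed
}

# RFC 1918 space: Internet routers do not forward it, so a breach of the outer
# firewall still cannot reach these addresses directly from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Explicit allow list of (src segment, dst segment, protocol, destination port).
# Ports marked "assumed" are illustrative; the lesson names the services, not the ports.
ALLOW = {
    ("internet",   "front_end_vip", "tcp", 80),    # HTTP to the Web cluster
    ("internet",   "front_end_vip", "tcp", 443),   # HTTPS to the Web cluster
    ("back_end",   "back_end",      "tcp", 445),   # file shares on the content cluster
    ("back_end",   "back_end",      "tcp", 1433),  # SQL Server on the cluster
    ("back_end",   "secure",        "tcp", 445),   # content staging through the inner firewall (assumed)
    ("heartbeat",  "heartbeat",     "udp", 3343),  # cluster heartbeat (assumed)
    ("management", "management",    "tcp", 22),    # operator access on the management LAN (assumed)
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def internet_routable(ip):
    """False for RFC 1918 addresses, which the Internet will not carry."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def segment_of(ip):
    """Map an address to its segment; public addresses outside the site are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if internet_routable(ip) else "unroutable"


def check_flow(flow):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src == "internet" and not internet_routable(flow.dst):
        return False, "destination is RFC 1918 space and is not reachable from the Internet"
    if "management" in (src, dst) and src != dst:
        return False, "management traffic must not cross a firewall into the service networks"
    key = (src, dst, flow.proto, flow.dport)
    if key in ALLOW:
        return True, f"{src} -> {dst} {flow.proto}/{flow.dport} is on the allow list"
    return False, f"{src} -> {dst} {flow.proto}/{flow.dport} is not on the allow list (default deny)"


# Constructed sample flows; 198.51.100.7 stands in for an arbitrary Internet client.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "tcp", 443),   # customer -> Web VIP: allowed
    Flow("198.51.100.7", "203.0.113.10", "tcp", 21),    # FTP at the HTTP cluster: rejected
    Flow("198.51.100.7", "10.10.1.20",   "tcp", 1433),  # Internet -> SQL on the back end: unreachable
    Flow("10.10.1.11",   "10.10.1.20",   "tcp", 1433),  # front end -> SQL over the back end: allowed
    Flow("10.10.1.11",   "10.10.2.5",    "tcp", 1433),  # front end -> SQL on the secure network: not required
    Flow("10.10.3.4",    "10.10.1.20",   "tcp", 22),    # management LAN -> back-end address: denied
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return [(flow, allowed, reason)] for review."""
    return [(f, *check_flow(f)) for f in flows]


if __name__ == "__main__":
    for flow, allowed, reason in audit():
        print("ALLOW" if allowed else "DENY ", flow.src, "->", flow.dst, flow.proto, flow.dport, "|", reason)
```

Two points the sample flows make: the third flow is denied before the allow list is even consulted, which is the routing argument the back-end section relies on, and the sixth is denied even though SSH to a server is a legitimate management action, because the server's management NIC (a 10.10.3.x address in this model) is the only path operators should use.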

Lesson Summary

The network ID identifies the TCP/IP hosts that are located on the same physical network. The host ID identifies a TCP/IP host within a network. The 32 bits of the IP address are apportioned between network IDs and host IDs, depending on how many networks and hosts per network are needed. To create smaller broadcast domains and to better utilize the bits in the host ID, you can subdivide an IP network into smaller networks, each bounded by an IP router and assigned a new subnetted network ID, which is a subset of the original class-based network ID. Subnetting requires a three-step procedure: determining the number of host bits to be used, enumerating the new subnetted network IDs, and enumerating the IP addresses of each new subnetted network ID. The three principal domain segments, each separated by a firewall, are the public network; a perimeter network, where front ends and content servers are placed; and a secure network, where content is created or staged and secure data is managed and stored. You can divide the perimeter network into smaller segments. In addition, it’s generally recommended that you use a separate segment for a management network to ensure high availability and to relieve the back-end network of management traffic. You should also use a heartbeat LAN for clustering.



Microsoft Corporation - MCSE Training Kit (Exam 70-226): Designing Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies
ISBN: 0735614253
Year: 2001
Pages: 103