TCP/IP’s success as the network protocol of the Internet is largely due to its ability to connect networks of different sizes and systems of different types. The Internet community originally defined five address classes: A through E. Microsoft TCP/IP supports classes A, B, and C. The classes have predefined sizes, each of which can be divided into smaller subnetworks, a process known as subnetting. Subnetting becomes necessary as you reconcile the logical address scheme of the Internet with the physical networks used by the real world. Subnetting allows you to partition a single TCP/IP network into a number of separate networks called subnets. By subnetting a multitiered Web network environment, you can enhance security and add bandwidth to your network, as well as increase your system’s availability. In this lesson you’ll learn how to design a subnetting structure for your multitiered Web environment in order to enhance security, add bandwidth, and increase availability.
Each TCP/IP host is identified by a logical IP address. The IP address is a network layer address and has no dependence on the Data-Link layer address (such as a Media Access Control [MAC] address of a network adapter). A unique IP address is required for each host and network component that uses TCP/IP to communicate.
The IP address identifies a system’s location on the network in the same way a street address identifies a house on a city block. Just as a street address must identify a unique residence, an IP address must be globally unique and have a uniform format. Each IP address includes a network ID and a host ID.
The network ID identifies the TCP/IP hosts that are located on the same physical network. All hosts on the same physical network must be assigned the same network ID to communicate with one another. A network ID should adhere to the following guidelines:
The host ID identifies a TCP/IP host within a network. The combination of IP network ID and IP host ID is an IP address. A host ID should adhere to the following guidelines:
The 32 bits of the IP address are apportioned between network IDs and host IDs, depending on how many networks and hosts per network are needed. However, it isn’t always practical to have all possible network nodes on the same broadcast domain. All the hosts on the same physical network bounded by IP routers share the same broadcast traffic. For example, a class A network ID can contain more than 16 million hosts on the same network, which isn’t a practical solution. As a result, most of the 16 million host addresses are unassignable and are wasted. Even a class B network with 65,000 hosts per network is impractical.
In an effort to create smaller broadcast domains and to better utilize the bits in the host ID, an IP network can be subdivided into smaller networks, each bounded by an IP router and assigned a new subnetted network ID, which is a subset of the original class-based network ID. This creates subnets, subdivisions of an IP network each with its own unique subnetted network ID. Subnetted network IDs are created by using bits from the host ID portion of the original class-based network ID.
For example, Figure 2.6 shows a class B network with a network ID of 139.12.0.0. The network can include up to 65,534 nodes. The network should be subnetted, but it should be done in such a way that it neither affects the rest of the IP internetwork nor requires its reconfiguration.
Figure 2.6 - Network 139.12.0.0 before subnetting
Network 139.12.0.0 is subnetted by utilizing the first 8 host bits of the host ID (the third octet) for the new subnetted network ID. The subnetting of 139.12.0.0, as shown in Figure 2.7, creates separate networks with their own subnetted network IDs (139.12.1.0, 139.12.2.0, and 139.12.3.0). The router is aware of the separate subnetted network IDs and routes IP packets to the appropriate subnet.
Figure 2.7 - Network 139.12.0.0 after subnetting
Note that the rest of the IP internetwork still regards all the nodes on the three subnets as being on network 139.12.0.0. The other routers in the IP internetwork are unaware of the subnetting being done on network 139.12.0.0 and therefore require no reconfiguration.
A key element of subnetting is still missing. How does the router that’s subdividing network 139.12.0.0 know how the network is being subdivided and which subnets are available on which router interfaces? To give the IP nodes this new level of awareness, they must be told exactly how to discern the new subnetted network ID regardless of Internet address classes. A subnet mask is used to tell an IP node how to extract a class-based or subnetted network ID: the node performs a bitwise AND of the IP address and the subnet mask, and the result is the network ID.
Although the conceptual notion of subnetting by using host bits is straightforward, the actual mechanics of subnetting are a bit more complicated. Subnetting requires a three-step procedure: determining the number of host bits to use for subnetting, enumerating the new subnetted network IDs, and enumerating the range of IP addresses for each new subnetted network ID.
The number of host bits being used for subnetting determines the possible number of subnets and hosts per subnet. Before you choose the number of host bits, you should have a good idea of the number of subnets and hosts you’ll have in the future. Using more bits for the subnet mask than is required saves you the time of reassigning IP addresses in the future.
The more host bits you use, the more subnets (subnetted network IDs) you can have, but each subnet will have fewer hosts. Using too many host bits allows for growth in the number of subnets but limits the growth in the number of hosts. Using too few host bits allows for growth in the number of hosts but limits the growth in the number of subnets.
For example, Figure 2.8 illustrates the subnetting of up to the first 8 host bits of a class B host ID. If you choose 1 host bit for subnetting, you obtain two subnetted network IDs with 16,382 hosts per subnetted network ID. If you choose 8 host bits for subnetting, you obtain 256 subnetted network IDs with 254 hosts per subnetted network ID.
Figure 2.8 - Subnetting a class B network ID
In practice, network administrators define a maximum number of nodes they want on a single network. Recall that all nodes on a single network share all the same broadcast traffic; they reside in the same broadcast domain. Therefore, growth in the number of subnets is favored over growth in the number of hosts per subnet.
Based on the number of host bits you use for your subnetting, you must list the new subnetted network IDs. There are two main approaches:
Either method produces the same result: the enumerated list of subnetted network IDs.
Based on the enumeration of the subnetted network IDs, you must now list the valid IP addresses for new subnetted network IDs. To list each IP address individually would be unnecessarily tedious. Instead, enumerate the IP addresses for each subnetted network ID by defining the range of IP addresses (the first and the last) for each subnetted network ID. There are two main approaches:
Either method produces the same result: the range of IP addresses for each subnetted network ID.
All Web sites must be managed in such a way that adequate protections are provided for the confidentiality, privacy, integrity, and availability of information. Security is essential to the success of any business site. A business site uses multiple security domain segments. Systems with the same security needs are grouped into the same segment, and each segment is protected by a network filter or firewall, as shown in Figure 2.9. The three principal domain segments, each separated by a firewall, are the public network; the perimeter network, where front ends and content servers are placed; and the secure network, where content is created or staged and secure data is managed and stored.
Figure 2.9 - The three principal domain segments
Data networks internal to the perimeter network should be segregated for security, as well as to add bandwidth. Generally, each computer should be equipped with two or more NICs. You should adhere to the following guidelines when segmenting the perimeter network:
When segmenting a network in order to support a secure, highly available Web environment, you can implement a multitiered strategy and use a separate network segment for the heartbeat LAN connection within each cluster and a network segment to act as the management network. Each of these strategies is outlined in Table 2.3.
Table 2.3 Segmenting Your Network
A multitiered network should be divided into at least three basic domain segments that are each separated by a firewall: the public network; a perimeter network, where front ends and content servers are placed; and a secure network, where content is created or staged and secure data is managed and stored. In some cases the perimeter network is divided into smaller segments. The multitiered environment segregates Internet traffic from back-end traffic, preventing direct access from the Internet to the internal network.
The heartbeat LAN provides a segregated network segment in which servers within the same cluster can communicate with each other. Clustering is discussed in more detail later in this book.
A management network segregates management traffic from all other traffic. Although a separate segment isn’t required, it’s generally recommended to ensure a more secure environment.
To set up the most effective Web environment, you should implement all three of these strategies. A multitiered topology provides for a higher level of security, the heartbeat LAN segment is essential for clustering functionality, and the management network is strongly recommended because it eliminates management traffic through firewalls, which reduces vulnerabilities.
The network topology shown in Figure 2.10 is a highly available system. The design represents a large site and demonstrates both topological and component redundancy. Critical services can survive most failure modes short of a major disaster. Servers in each of the ISP 1 through ISP N groupings support each of the site’s critical functions, so even the loss of an ISP will not take the site down. Providing nonstop service through most disaster scenarios requires replication of the entire site in multiple geographies (geoplex). Cisco’s DistributedDirector is commonly used to support the geoplex. Unfortunately, site replication can more than double a site’s cost and may introduce data consistency issues for Web applications.
The network design illustrates multiple connections for redundancy, labeled ISP 1 and ISP N. These should be provisioned from diverse (physically separate) networks. Servers on front-end networks are exposed to the Internet. Firewalls are essential security components that provide network isolation by filtering traffic by packet type as well as source and destination addresses. They form one boundary of a perimeter network depicted by the double-ended arrows. The first components in the path are Router/Firewalls, whose functions may be distinct or combined in single devices.
The front end provides the core Web services, such as HTTP/HTTPS, by using Microsoft Internet Information Server (IIS) to serve up Hypertext Markup Language (HTML) and ASP pages and Lightweight Directory Access Protocol (LDAP) servers to authenticate customers.
Figure 2.10 - Web-based network topology with multiple segments
Each front-end server is specially hardened for security and connects to three networks: the Internet-facing front-end network, the back-end network, and the management network.
This network segregation improves security while increasing total available bandwidth and improving redundancy.
Note that the only publicly accessible IP addresses on any of the servers in this site are the virtual IP addresses, to which only the front-end servers can respond. IP filtering applied to Internet-facing NICs ensures that only the correct type and source of traffic for the functions supported can enter the front-end server. IP forwarding on the Web servers (through RRAS) has also been disabled between these networks.
The back-end network supports all perimeter network servers through use of a high-speed, private 10.10.1.x LAN. This architecture prevents direct network access from the Internet to the perimeter network servers, even if the firewall were to be breached, because Internet routers aren’t permitted to forward designated ranges of IP addresses, including the 10.x.x.x range. As with the front-end network, redundant switches provide access to all front-end and back-end servers. All back-end switches share a common network, so back-end traffic loading can become problematic for active sites, especially if a separate management network isn’t available for logging and other front-end management network traffic.
The major components on the back-end network are security-hardened server clusters that provide services for storing Web content and session state. File shares within the cluster support file storage services. Microsoft SQL Server running on the cluster provides database services. Each cluster server employs at least four NICs: one for each switch, one for the private heartbeat LAN (which should use another private network address, such as 192.168.10.x), and one for the management LAN. In addition to the servers’ physical addresses, each cluster is assigned two virtual IP addresses (one for each NIC connected to the back-end switches).
Another firewall forms the inner boundary of the perimeter network and isolates what we term the secure network from the back-end network. The firewall is configured to allow only required communications between permitted port and source/destination pairs. The secure network again comprises a private network (10.10.2.0 in this example), a pair of coupled switches, a variety of servers, and a device labeled VPN/Router that provides connectivity to the internal corporate network. The secure network is logically part of the corporate network. Servers on the secure network are often members of an internal corporate domain, so domain controllers and address and name servers are assumed to be internal.
A site management system is often built on a separate network to ensure high availability. Using a separate network for the management system also relieves the back-end network of the management traffic, which improves overall performance and response time. Sometimes, management and operations use the back-end network, but this isn’t recommended for large, highly available sites.
The network ID identifies the TCP/IP hosts that are located on the same physical network. The host ID identifies a TCP/IP host within a network. The 32 bits of the IP address are apportioned between network IDs and host IDs, depending on how many networks and hosts per network are needed. To create smaller broadcast domains and to better utilize the bits in the host ID, you can subdivide an IP network into smaller networks, each bounded by an IP router and assigned a new subnetted network ID, which is a subset of the original class-based network ID. Subnetting requires a three-step procedure: determining the number of host bits to be used, enumerating the new subnetted network IDs, and enumerating the IP address of each new subnetted network ID. The three principal domain segments, each separated by a firewall, are the public network; a perimeter network, where front ends and content servers are placed; and a secure network, where content is created or staged and secure data is managed and stored. You can divide the perimeter network into smaller segments. In addition, it’s generally recommended that you use a separate segment for a management network to ensure high availability and relieve the back-end management traffic. You should also use a heartbeat LAN for clustering.