The Best Damn Windows Server 2003 Book Period- P79 doc

Planning an IP Addressing Strategy
Before you can implement an IP network infrastructure, there are many details that you must consider. Here, we will take a look at how to plan your network by identifying the appropriate addressing requirements and limitations that will shape the network. Understanding subnetting is a requirement to implement your addressing scheme. You will need to identify hardware requirements, decide what class of address you will need, and determine if access to the Internet is necessary for all or just some of your hosts.
Subnetting will allow you to create logical segments on your network that will overlay the physical topology. By using a well-planned subnetting scheme, you can handle your current needs and plan for expansion for future needs. You can also make use of these segments to isolate and distribute heavy traffic, without having a major impact on other segments of your network.
Analyzing Addressing Requirements
Since the host IP address must be unique, the simple rule to calculate the number of hosts for our
network is one IP address per host, plus one IP address for each additional network adapter in a host
machine. We have a concept of one network in the corporate sense, but when determining address
requirements, there are a few more details we must consider.
You can define IP addresses using one of the three classes available for standard IP communications: classes A, B, and C. Before we decide which class to use, we need to determine the type of network we are implementing and how many hosts there are per segment. This material provides only a brief review of the topic, and assumes you are familiar with IP addressing concepts and practices.
Creating a Subnetting Scheme
As mentioned, host addresses can belong to one of three classes of IP address, and each has a range of addresses. The range is defined by the value of the first octet. Table 21.2 shows the classes and their ranges, as well as the binary representations of the ranges. Classes D and E are also classes of IP addresses, but Class D is restricted to multicasting and Class E addresses are reserved for future use. 127.0.0.0 is reserved for connectivity testing. 127.0.0.1 is a special address that represents the local loopback adapter that resolves as localhost. We can ping the local host to troubleshoot the protocol stack. We will discuss this in more detail in the “Troubleshooting IP Addressing” section later in this chapter. Each class also has a default subnet mask.
Table 21.2 IP Address Classes and Their Ranges

Class  Range of Values  Default Mask    Networks        Hosts           Binary
A      0 to 126         255.0.0.0       126             16,777,214      00000001 to 01111110
B      128 to 191       255.255.0.0     16,384          65,534          10000000 to 10111111
C      192 to 223       255.255.255.0   2,097,152       254             11000000 to 11011111
D      224 to 239       Not applicable  Not applicable
746 Chapter 21 • Planning, Implementing, and Maintaining the TCP/IP Infrastructure
301_BD_W2k3_21.qxd 5/12/04 2:43 PM Page 746
As you know, the default mask for each class defines the number of networks and the number of hosts for each network. An IP address contains information about the network on which the host resides and the address of the host. The network ID is the reference to the logical subnet, and it refers to the octets that are predefined as the network ID and implemented with the default mask. The remaining octets are for the hosts.
The first address in each network refers to “this network” (itself), such as 24.0.0.0/8 or 204.79.26.0/24. The last address in each network or subnetwork is the broadcast address for that segment, such as 179.54.255.255 or 204.79.26.255. We can derive the formula for determining the number of hosts per network as 2^n – 2, where n is the number of bits available for host IDs.
Class A addresses are used for networks that have a large number of hosts. Based on the default mask, we have the first octet for networks and the last three for hosts. So, we have 126 networks and 2^24 – 2 hosts, or 16,777,214. Likewise, with class B, the default mask is 255.255.0.0, so the first two octets are for the network IDs, for a total of 16,384, and the last two are for the hosts. So, class B networks have 2^16 – 2 hosts, or 65,534. Class C networks have more networks but are smaller, with 2^8 – 2 hosts, or 254.

We could implement our network now very simply. Determine the number of hosts and the number of networks, and pick the class that fits. If you do not wish to assign a public IP address to all your machines, there is a solution. There are three banks of IP addresses that are called private IP address ranges. They are listed in Table 21.3. Typically, a network will need only one or two public addresses for the Internet interfaces, and everything internal to the company can use the private IP addresses internally.
Table 21.3 Private IP Addresses
Network ID Subnet Mask Range
10.0.0.0 255.0.0.0 10.0.0.1 to 10.255.255.254
172.16.0.0 255.240.0.0 172.16.0.1 to 172.31.255.254
192.168.0.0 255.255.0.0 192.168.0.1 to 192.168.255.254
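The classful rules above (first-octet ranges and default masks from Table 21.2, the 2^n – 2 host formula, network ID and broadcast address) and the private ranges in Table 21.3 can be checked mechanically. The following is an added example written for this edition, not code from the book; it uses only Python's standard ipaddress module, and the sample addresses are the ones quoted in the text plus a constructed 192.168.1.20/26. The subnets_for() helper goes one step beyond the text: given a network and the hosts needed per segment, it picks the smallest subnet size that still fits and lists the resulting segments.

```python
import ipaddress

# First-octet ranges and default prefix lengths from Table 21.2.
# 127.x.x.x is excluded from Class A because it is the loopback range.
CLASS_TABLE = (
    ("A", 0, 126, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),   # multicast: no default mask
    ("E", 240, 255, None),   # reserved: no default mask
)

# Private address banks from Table 21.3.
PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def address_class(addr):
    """Return the classful letter for an IPv4 address, or 'loopback'."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet == 127:
        return "loopback"
    for name, low, high, _ in CLASS_TABLE:
        if low <= first_octet <= high:
            return name
    return "unknown"


def default_prefix(addr):
    """Default mask length for the address's class (None for D/E/loopback)."""
    cls = address_class(addr)
    for name, _, _, prefix_len in CLASS_TABLE:
        if name == cls:
            return prefix_len
    return None


def usable_hosts(prefix_len):
    """2^n - 2: the network ID and the broadcast address are never assigned."""
    n = 32 - prefix_len
    return 2 ** n - 2 if n >= 2 else 0


def describe(addr, prefix_len=None):
    """Network ID, broadcast, mask and usable-host count for an address.
    Uses the classful default mask unless a prefix length is given."""
    if prefix_len is None:
        prefix_len = default_prefix(addr)
        if prefix_len is None:
            raise ValueError(f"{addr} has no classful default mask")
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return {
        "class": address_class(addr),
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": usable_hosts(prefix_len),
        "private": any(net.subnet_of(p) for p in PRIVATE_NETS),
    }


def subnets_for(network, hosts_per_segment):
    """Split `network` into the smallest equal subnets that each hold
    at least `hosts_per_segment` usable hosts."""
    base = ipaddress.ip_network(network)
    best = None
    for prefix_len in range(base.prefixlen, 31):
        if usable_hosts(prefix_len) >= hosts_per_segment:
            best = prefix_len          # still fits; try a smaller subnet
        else:
            break                      # too small from here on
    if best is None:
        raise ValueError("no subnet of that network holds that many hosts")
    return [str(s) for s in base.subnets(new_prefix=best)]


if __name__ == "__main__":
    for a in ("24.0.0.0", "179.54.1.1", "204.79.26.77", "127.0.0.1"):
        print(a, address_class(a))
    print(describe("204.79.26.77"))
    print(describe("192.168.1.20", 26))       # constructed sample, not from the text
    print(subnets_for("192.168.0.0/24", 50))
```

Running the block prints the class of each sample address, the network ID, broadcast and host count for 204.79.26.0/24 and for the constructed 192.168.1.20/26, and the four /26 segments that a 50-host-per-segment plan carves out of 192.168.0.0/24.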
Troubleshooting IP Addressing
The flexibility of TCP/IP also contributes to the complexity of troubleshooting addresses and connections. There are several tools that can help isolate and identify issues with addressing, but it is also imperative that you understand IP addressing rules and subnetting. The ipconfig, ping, and tracert commands are the most useful tools for identifying addressing problems with client configurations and connections to other hosts on the Internet.
Client Configuration Issues
Some of the issues that occur with manual configuration of IP addresses include duplicate addresses, invalid subnet masks, invalid default gateways, and invalid or missing host name resolution settings (such as DNS and WINS). To help identify the problem, start by typing ipconfig /all at a command prompt. Verify the information that is output by the command is correct, and then continue by using ping to help isolate the problem.
1. Ping the loopback address (127.0.0.1) to verify that the TCP/IP protocol stack is configured correctly on the local computer.
2. Ping the external IP address of the local computer to ensure the host is on the network and using a valid IP address; that is, there are no address conflicts.
3. Ping the IP address of the default gateway to verify that the default gateway is accessible and your local network configuration contains the correct subnet mask.
4. Ping the IP address of a remote host to verify that you can transmit data over the default gateway.
If you are not able to get traffic through to a site, but you are making it through the default
gateway, you should use tracert to identify the break in the route to the destination.
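The checks described in this section (read ipconfig /all, look for an invalid subnet mask or a default gateway that is not on the local subnet, then ping outward in the four-step order) can be scripted. The following is an added example written for this edition, not code from the book. The ipconfig /all output it parses is a constructed sample, not a capture from a real host, and is deliberately misconfigured: the default gateway sits on a different subnet than the address. The interpret() function encodes the conclusion the text draws from the first failing ping step.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS03-SRV1
   Primary Dns Suffix  . . . . . . . : corp.example.test

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.11.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
"""

# "   Key . . . . : value" -> (Key, value); the dot leaders are discarded.
LINE_RE = re.compile(r"^\s+(.*?)[ .]*:\s*(.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {adapter name: {setting: value}} from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # adapter header line
            adapters[current] = {}
        elif current is not None:
            m = LINE_RE.match(line)
            if m:
                adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def mask_is_contiguous(mask):
    """A valid mask is a run of ones followed by zeros, so its bitwise
    inverse plus one must be a power of two."""
    m = int(ipaddress.ip_address(mask))
    inverted = m ^ 0xFFFFFFFF
    return m != 0 and (inverted & (inverted + 1)) == 0


def check_adapter(cfg):
    """Apply the manual-configuration checks from the text; return findings."""
    findings = []
    ip = cfg.get("IP Address")
    mask = cfg.get("Subnet Mask")
    gateway = cfg.get("Default Gateway")
    if not ip:
        return ["no IP address configured"]
    if ipaddress.ip_address(ip) in APIPA:
        findings.append("APIPA address in use: no DHCP lease was obtained")
    if not mask or not mask_is_contiguous(mask):
        findings.append(f"invalid subnet mask {mask}")
        return findings                           # nothing below is meaningful
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if ip in (str(net.network_address), str(net.broadcast_address)):
        findings.append("address is the network ID or broadcast address")
    if not gateway:
        findings.append("no default gateway configured")
    elif ipaddress.ip_address(gateway) not in net:
        findings.append(f"default gateway {gateway} is not on subnet {net}")
    if cfg.get("Dhcp Enabled") == "No" and not cfg.get("DNS Servers"):
        findings.append("no DNS server configured")
    return findings


def ping_plan(cfg, remote):
    """The four ping targets, in the order the text prescribes."""
    return [("loopback", "127.0.0.1"),
            ("local address", cfg["IP Address"]),
            ("default gateway", cfg["Default Gateway"]),
            ("remote host", remote)]


def interpret(results):
    """results: True/False per step of ping_plan(). Returns the conclusion
    for the first failing step, or 'ok' when all four replied."""
    meaning = (
        "TCP/IP stack misconfigured on the local computer",
        "address conflict or host not on the network",
        "gateway unreachable: check subnet mask and gateway address",
        "break beyond the gateway: run tracert to locate it",
    )
    for step, ok in zip(meaning, results):
        if not ok:
            return step
    return "ok"


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)["Ethernet adapter Local Area Connection"]
    print(check_adapter(cfg))
    print(ping_plan(cfg, "203.0.113.10"))       # constructed remote address
    print(interpret([True, True, False, False]))
```

Running the block flags the gateway/subnet mismatch from the sample output before any ping is sent; the interpret() call shows how a failure at step 3 is read once the first two steps succeed.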
DHCP Issues
DHCP is an easy way to manage IP addressing schemes for larger networks. DHCP makes it possible to boot a machine and access the network without configuring any protocol information. This eliminates many of the manual configuration issues, such as using the wrong subnet mask, duplicate IP addresses, and limited or no host name resolution. Some of the items to consider when you implement and use DHCP are lease time, number of hosts in a scope, network traffic, scope options, and topology.
When a machine acquires an IP address from a DHCP server, it acquires a lease. The request for the lease is a message called a DHCPREQUEST, which is broadcast by the DHCP client looking for DHCPOFFERs of a lease from a DHCP server. The lease duration for a DHCP address is specified in the scope set on the server and defaults to eight days. At 50 percent of the lease duration, the DHCP client sends a directed request to the DHCP server that issued the lease and requests a renewal of the lease. If no DHCPACK (acknowledgment) is received from the server, the DHCP client waits until 87.5 percent of the lease time, and then makes a final request to renew the IP address. If no DHCPACK is received at this point, the client waits until the lease is expired and starts the process over. If a DHCP client is unable to receive an IP address lease, it will use an alternate configuration, if one is specified. If there is no alternate configuration, the client will use APIPA to start the TCP/IP services and assign itself an address from the APIPA pool (169.254.0.0/16).
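The renewal timeline just described (directed renewal at 50 percent, final attempt at 87.5 percent, restart at expiry, then alternate configuration or APIPA) is easiest to see as a small simulation. The following is an added example written for this edition, not code from the book. The DHCP server is represented by a constructed callback that says whether a renewal sent on a given day gets a DHCPACK; days are measured from the moment the first lease is acquired, and an eight-day lease is assumed unless another duration is passed.

```python
RENEW_FRACTION = 0.5      # T1: directed DHCPREQUEST to the issuing server
REBIND_FRACTION = 0.875   # T2: final renewal attempt
DEFAULT_LEASE_DAYS = 8.0  # default scope lease duration in the text
APIPA_POOL = "169.254.0.0/16"


def lease_milestones(start_day, duration_days):
    """Days at which the client renews, makes its final attempt, and expires."""
    return {
        "renew": start_day + RENEW_FRACTION * duration_days,
        "rebind": start_day + REBIND_FRACTION * duration_days,
        "expire": start_day + duration_days,
    }


def simulate_client(server_acks, duration_days=DEFAULT_LEASE_DAYS,
                    horizon_days=20.0, alternate=None):
    """Walk a DHCP client's lease timeline.

    server_acks(day) -> bool: constructed stand-in for the DHCP server,
    True when a request sent on that day is answered with a DHCPACK.
    Returns a list of (day, event) tuples."""
    events = [(0.0, "lease acquired (DHCPREQUEST broadcast, DHCPACK)")]
    start = 0.0
    while True:
        m = lease_milestones(start, duration_days)
        if m["renew"] > horizon_days:
            break
        if server_acks(m["renew"]):
            events.append((m["renew"], "renewed at 50% (DHCPACK)"))
            start = m["renew"]          # a renewal restarts the lease clock
            continue
        events.append((m["renew"], "no DHCPACK at 50%"))
        if m["rebind"] > horizon_days:
            break
        if server_acks(m["rebind"]):
            events.append((m["rebind"], "renewed at 87.5% (DHCPACK)"))
            start = m["rebind"]
            continue
        events.append((m["rebind"], "no DHCPACK at 87.5%"))
        if m["expire"] > horizon_days:
            break
        events.append((m["expire"], "lease expired; process starts over with a broadcast"))
        if server_acks(m["expire"]):
            events.append((m["expire"], "new lease acquired"))
            start = m["expire"]
            continue
        fallback = (f"alternate configuration {alternate}" if alternate
                    else f"APIPA address from {APIPA_POOL}")
        events.append((m["expire"], f"no lease available; using {fallback}"))
        break
    return events


if __name__ == "__main__":
    # Constructed scenario: the server stops answering after day 5.
    for day, event in simulate_client(lambda d: d < 5):
        print(f"day {day:5.2f}: {event}")
```

With the server silent from day 5, the client renews once at day 4, gets no answer at day 8 and day 11, and at day 12 falls back to an APIPA address; pass alternate="..." to see the alternate-configuration path instead.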
To determine the appropriate lease time for your network, you should consider the following:

• Number of hosts If the number of hosts is close to the number of total IP addresses in your DHCP server’s scope, the lease should be shorter—about three days. If there are a great deal more IP addresses than hosts, a longer lease can be assigned.

• Mobile users If you have a small number of mobile users and the client machines do not frequently move from one network to the other, a longer lease duration is recommended. Conversely, if you have more mobile users, a shorter lease will be preferred, so that the IP addresses will be released sooner and returned to the available pool of addresses.

• Unlimited It is possible to set the lease duration to unlimited, but it presents a challenge if you wish to change the DHCP settings, since this setting requires the client to initiate the DHCPREQUEST.
Because they are broadcast, the DHCPREQUEST messages do not cross router boundaries, unless the router is capable of forwarding DHCP broadcast messages, in compliance with RFC 2131. You can also configure a DHCP relay to forward the requests to a DHCP server.
Using DHCP can reduce IP address conflicts by removing the need for static IP addresses. It also can eliminate invalid subnet masks, since they are also assigned by the DHCP server. Another advantage is the scope properties. By assigning scope properties, you can define default gateways, DNS servers, WINS servers, and the type of name resolution that is preferred. By managing name resolution settings, you can help eliminate broadcast traffic.
Transitioning to IPv6
IPv6, defined in RFC 2460, is now production ready to use on most operating system platforms. At this point, it is still early in the transition from IPv4. The change to IPv6 will take some time, but with each day, it becomes more necessary due to the growing shortage of IPv4 addresses. Although the larger address space is the most immediate need, IPv6 offers other advantages over IPv4, including the following:

• Better security (built-in support for IPSec)
• Support for both stateful and stateless address configuration
• An efficient hierarchical routing infrastructure
• A new header format that provides lower overhead
• Neighbor Discovery (ND) for managing nodes on the same link, replacing ARP, ICMPv4 router discovery, and ICMPv4 redirect messages
• Virtually unlimited extension headers (in comparison to IPv4’s limit of 40 bytes)
• Quality of service (QoS) related header fields
The utilities and concepts associated with IPv6 are similar to IPv4, but not identical. In the following sections, we’ll take a look at how to install IPv6 and start to familiarize ourselves with the new utilities used to manage it.
IPv6 on Windows Server 2003 provides a new header format that is streamlined to minimize overhead and provide more efficient processing while crossing intermediate routers. All the option fields and any other fields in the header that are not required for routing are placed after the IPv6 header. The IPv6 header also added more QoS support by adding Flow Label fields that provide special handling for a series of packets that travel between a source and destination.
ND is a set of processes and messages that are used in an IPv6 environment to identify relationships between neighboring nodes. This allows hosts to discover routers on the same segment, addresses, and address prefixes. With ND, hosts can also resolve neighboring nodes and determine when the MAC address of a neighbor changes (similar to ARP in IPv4). ND also provides the process for address autoconfiguration, also referred to as stateless address configuration. In the absence of a stateful address configuration server, such as a DHCP version 6 (DHCPv6) protocol server, ND provides a complex process that allows each interface to use router advertisement messages to define an IPv6 address, and then subsequently ensure the uniqueness of the selected address. Currently, the standards for DHCPv6 and IPv6 stateful addressing are still under development, so neither feature is supported on Windows XP/2003 products at this time.

The new routing structure provides a hierarchical addressing and routing structure that includes a global addressing scheme. Global addresses are the equivalent of public IPv4 addresses and are accessible over the Internet. The global addressing scheme defines new ways to summarize global addresses to facilitate smaller routing tables on the Internet backbone, and thus improve the efficiency and performance on the Internet.
IPv6 Utilities
The traditional IPv4 utilities are still very useful for IPv4, but new utilities and features have been added to accommodate IPv6 functionality. To gain access to the new tools or functionality, you need to install the TCP/IP version 6 protocol.
Install TCP/IP Version 6
1. Open Network Connections and double-click the Local Area Network icon. You will see the Local Area Connection Status dialog box.
2. Click Properties.
3. In the Local Area Network Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, select Protocol and click Add.
5. In the Select Network Protocol dialog box, select Microsoft TCP/IP version 6 and click OK.
6. You should return to the Local Area Connection Properties dialog box and see that Microsoft TCP/IP version 6 is installed.
7. Click Close.
8. Test the TCP/IP version 6 installation by opening Internet Explorer and navigating to www.ipv6.org. You should see a line under the line “Welcome to the IPv6 Information Page!” that states, “You are using IPv6 from <your IPv6 address>,” as shown in Figure 21.1. If you are behind a firewall or using 6to4 tunneling, you may not see the message that indicates you have an IPv6 address. If you are able to access the site described in step 9, then you are successfully using IPv6.
9. You can also navigate to an IPv6-only site from Microsoft Research on the Internet by going to .

Another way to test whether your IPv6 installation was successful is to run the ipconfig command. If IPv6 is installed, your IP address will be shown in IPv6 format, as shown in Figure 21.2.
Now that TCP/IP version 6 is installed, additional utilities are available with the IPv6 functionality. Other than the utilities to manage, monitor, and troubleshoot IPv6, only Telnet, FTP, and Internet Explorer actually use the IPv6 protocol stack.
Netsh Commands
Netsh is an interactive command-line utility that allows you to manage local or remote network configurations of active machines. Netsh also supports scripting, so you can create batch configurations that run against the local machine or a specified host on the network. You can also use the Netsh utility to generate a configuration script to use as a backup configuration or as an aid to configure new machines in an identical fashion.
Figure 21.1 Test the IPv6 Configuration
Figure 21.2 Ipconfig Results after Installing IPv6
Netsh works with the existing components installed with the operating system by using helper dynamic link libraries (DLLs). Each helper DLL contains the information necessary to execute the commands for the component to which it applies. The set of commands and features supported by the DLLs is called a context, and each context is unique to the networking component.
The IPv6 interface has its own context with commands to manage and display information pertaining to the routes, interfaces, addresses, and caches specific to IPv6. There are currently no graphical user interface (GUI) applications to configure IPv6, so Netsh is necessary for configuring IPv6 and its associated components. The component called 6to4 has a subcontext within the IPv6 context, for configuring and managing 6to4 routers and hosts. For more information about Netsh, see the Windows Help and Support Center topic titled “Netsh Overview.”
To put the netsh command into IPv6 context, type netsh at the command prompt, then at the
netsh> prompt, type interface ipv6. Then you can use the IPv6 context commands, which
include the following:

• 6to4 Changes to 6to4 context.
• Add Adds a configuration entry.
• Delete Deletes a configuration entry.
• Dump Shows a configuration script.
• Install Installs IPv6.
• Isatap Changes to isatap subcontext within IPv6 context.
• Renew Restarts IPv6 interfaces.
• Reset Resets IPv6 configuration.
• Set Sets configuration information.
• Show Displays information.
• Uninstall Uninstalls IPv6.
Ipsec6.exe
Ipsec6.exe is used to configure and implement IPSec security policies (SPs) and security associations (SAs) for IPv6. Using this utility, you can save and load security policies and security associations to a file that can be edited in a text editor. This can be a real timesaver when you implement IPSec for IPv6 on multiple machines. The command to save a configuration is ipsec6 s FilenameWithNoExtension. The filename specified from the command line will be appended with the extension automatically. The extension .spd is added to security policy files, and the extension .sad is added to security association files. If you are executing this command for the first time, and there are no current policies and no current security associations, the files created can act as templates to help you get started.

Other ipsec6 commands are available to work with security policies and security associations:

• To load the configuration from these files, type ipsec6 l FilenameWithNoExtension. The security policies will be loaded from Filename.spd and the security associations from Filename.sad.
• To delete security policies and security associations, type ipsec6 d [{sp | sa}] [Index] from a command line. Use the sp parameter with the Index of the policy you wish to delete, or the sa parameter to delete all of the security associations.
• To determine what the current security policies are, type ipsec6 sp [Interface] from the command line, where Interface is optional and applies to the security policies for the specified network interface.
• To view the current security associations, type ipsec6 sa from the command line. Note that the output from the commands to view the security policies and security associations is not formatted well for a command line, so you might prefer to save the configuration and view the files in Notepad.
IPv6 PING and Tracert Parameters
Use the following steps to use IPv6 PING to verify connectivity:
1. From a command prompt, type netsh interface ipv6 show interface.
2. Find the Idx value for Local Area Connection.
3. Type netsh interface ipv6 show interface Idx, where Idx is the number from the previous step. The Local Area Connection index number is usually 4.
4. Right-click in the command window and select Mark. Then highlight the address. Once it is highlighted, right-click in the command prompt window. When you release the mouse button, the address will be copied to the Clipboard. Take note of your Zone ID for Link, which should match the Idx number in step 3.
5. Exit the netsh command. At a regular command prompt, type ping, and then right-click in the command prompt window and select Paste.
6. Without adding any spaces, add %<ZoneID>, where ZoneID is the number noted in step 4, so the command looks like this:
Ping fe80::204:5aff:fe08:fb4b%4
7. Press Enter. You should see four successful replies.
8. Continue by pinging another address on the same local network.
9. To test external hosts, ping the global address of another node.
10. To test name resolution with DNS or a hosts file, ping a node with ping -6 Name, where Name is the site name. The -6 parameter tells PING to use IPv6 only.
You can use Tracert to trace the path taken by IPv6 data packets from this host to the destination host. From a command prompt, type tracert IPv6Address%ZoneID, where IPv6Address is a valid IPv6 address and ZoneID is the zone ID for the destination address. Alternatively, type tracert -d -6 Hostname, where Hostname is the name of the remote machine.
6to4 Tunneling
6to4 tunneling is used to encapsulate IPv6 data packets in IPv4 headers before they are transmitted
to the destination host. 6to4 tunneling uses a 6to4 host and 6to4 routers to deliver the IPv6 data. It
is an Internet standard, defined in RFC 3056, and is used for interoperability between IPv4 and
IPv6 networks. 6to4 hosts and routers are defined as follows:

• 6to4 host Any IPv6 host that is configured with at least one 6to4 address. 6to4 can be configured with the netsh interface ipv6 6to4 commands. As you might have noticed when you ran the show interface command, by default, your IPv6-enabled host will have a 6to4 pseudo-interface, as well as an automatic tunneling pseudo-interface.
• 6to4 router Uses IPv4 and IPv6 to forward 6to4 traffic to the destination 6to4 hosts. It is also possible to implement a 6to4 relay router to forward 6to4 router traffic on the IPv6 Internet.

With 6to4 tunneling, it is not necessary for IPv6 hosts to get an IPv6 global address prefix from their ISPs. The host can create a 6to4 address automatically.
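Two address-handling details from the preceding sections are worth seeing in code: the %ZoneID suffix that a link-local ping target needs (steps 3 through 6 of the PING procedure above), and the way a 6to4 address is built automatically from the host's public IPv4 address, which RFC 3056 defines as the prefix 2002:WWXX:YYZZ::/48 with WWXXYYZZ the hexadecimal IPv4 address. The following is an added example written for this edition, not code from the book or from Windows; the link-local address is the one quoted in the PING steps, the IPv4 addresses are constructed samples, and the rule that 6to4 needs a public (non-private) IPv4 address is taken from the Teredo discussion below.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# Private IPv4 banks (Table 21.3); a 6to4 address must embed a public address.
PRIVATE_V4 = tuple(ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def split_zone(text):
    """'fe80::1%4' -> (IPv6Address('fe80::1'), 4); zone is None if absent."""
    addr, _, zone = text.partition("%")
    return ipaddress.ip_address(addr), (int(zone) if zone else None)


def ping_target(text, interface_index):
    """Validate a ping target the way steps 3-6 require: a link-local address
    must carry a zone ID, and that zone must equal the interface's Idx."""
    addr, zone = split_zone(text)
    if addr.version != 6:
        raise ValueError("not an IPv6 address")
    if addr in LINK_LOCAL:
        if zone is None:
            raise ValueError("link-local address needs a %ZoneID suffix")
        if zone != interface_index:
            raise ValueError(f"zone {zone} does not match interface index {interface_index}")
    return f"{addr}%{zone}" if zone is not None else str(addr)


def six_to_four_capable(ipv4):
    """True when the IPv4 address is outside the private banks."""
    v4 = ipaddress.ip_address(ipv4)
    return not any(v4 in net for net in PRIVATE_V4)


def six_to_four_prefix(ipv4):
    """RFC 3056 prefix 2002:WWXX:YYZZ::/48 derived from a public IPv4 address."""
    if not six_to_four_capable(ipv4):
        raise ValueError("6to4 requires a public IPv4 address")
    packed = ipaddress.ip_address(ipv4).packed           # four bytes
    return ipaddress.ip_network("2002:%02x%02x:%02x%02x::/48" % tuple(packed))


def embedded_ipv4(ipv6):
    """Recover the IPv4 address carried in bits 16-47 of a 2002::/16 address."""
    v6 = ipaddress.ip_address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError("not a 6to4 address")
    return ipaddress.ip_address(bytes(v6.packed[2:6]))


if __name__ == "__main__":
    print(ping_target("fe80::204:5aff:fe08:fb4b%4", 4))   # address from the text
    print(six_to_four_prefix("192.0.2.1"))                # constructed public address
    print(embedded_ipv4("2002:c000:201::1"))
    print(six_to_four_capable("10.1.2.3"))                # private: no 6to4
```

The zone ID is only required for link-local targets; global addresses (step 9 of the procedure) pass through ping_target() unchanged. The embedded_ipv4() direction is what a 6to4 router uses to find the IPv4 tunnel endpoint for an outgoing packet.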
IPv6 Helper Service
The IPv6 Helper service is responsible for automatically configuring itself with the appropriate 6to4 addresses, but it uses a specific 6to4 router on the Internet. You can test functionality with the ping -6 command.
The 6bone
The 6bone is a dedicated IPv6 network that exists on the Internet. It began as a virtual network
using IPv6 over IPv4 encapsulation. It contains links to many sites and includes a great deal of IPv6
data, testing plans, news, current events, and implementation instructions. It will be a valuable
resource for managing IPv6 on your network. For more information about the 6bone, see
www.6bone.net. For instructions on how to connect to the 6bone, see
www.opus1.com/ipv6/whatisthe6bone.html.
Teredo (IPv6 with NAT)
Teredo is the name for IPv4 network address translator (NAT) traversal for IPv6. It provides an IPv6/IPv4 translation over NAT and address assignment. Teredo also provides the mechanism for host-to-host automatic tunneling for unicast IPv6 connectivity when IPv6/IPv4 hosts are located behind one or more NAT servers.
Currently, to provide IPv6 connectivity over the Internet, you must have a 6to4 router with a public IPv4 address, which is not always feasible. Teredo provides a mechanism for IPv6 traffic to traverse NATs and access the Internet using IPv6. Basically, IPv6 packets are sent as IPv4-based UDP messages, and this allows the IPv6 packets to pass through the IPv4 NAT server. For more information about Teredo, see the Teredo Overview document located at www.microsoft.com/windowsxp/pro/techinfo/administration/p2p/overview.asp.
Planning the Network Topology
The next phase in planning your TCP/IP infrastructure is planning the IP routing solution to manage the traffic on your network. This will depend on the physical location of your equipment and users, as well as on how you want to distribute the addresses. When you implement your strategy, you will also need to determine how the hosts on your network will resolve host names and implement the necessary services to provide that functionality. You will need to identify where the services such as DHCP, WINS, DNS, and so on must exist in your network to function properly and reduce the network bandwidth utilization.
Analyzing Hardware Requirements
Before you implement your network topology, you should identify the hardware needs. For each physical location, you will need to provide some sort of routing. You might need to implement a WAN solution using a T1 line, which also requires special hardware. You will need DHCP servers at each location or a DHCP relay agent. You will need to provide some form of name resolution, most likely DNS and possibly WINS. Depending on the traffic and if you have a large number of users, you may decide to install switches to help manage network traffic.
For a DHCP server, the two major factors that affect performance are the amount of physical random access memory (RAM) and the speed of the disk input/output (I/O). You should always provide the largest amount of RAM possible and the fastest disk I/O for the best performance on a DHCP server. The same rules apply for WINS and DNS servers, although DNS is more dependent on network bandwidth. In any case, frequent zone updates require more RAM for better performance.
If you are using Active Directory (AD) DNS, there are other considerations related to AD, such as these:
• Increased network utilization due to dynamic DNS updates related to DHCP integration and WINS reverse lookups
• Increased RAM requirements due to the increased data volume
Planning the Placement of Physical Resources
The quantity of data and the type of network traffic affect the location of IP resource servers in your enterprise. If the WAN link is slow, you might want to place DNS caching servers at each location to reduce WAN traffic related to DNS resolution. You might also consider providing a DNS server at each location to provide redundancy. In addition, by creating an AD integrated primary zone, you will allow clients to update their resource records locally. Defining which DNS servers can act as forwarders and perform iterative queries will help manage the Internet traffic.