Designing a TCP/IP Network
The TCP/IP protocol suite defines industry standard networking protocols for data networks, including the
Internet. Determining the best design and implementation of your TCP/IP network ensures optimal reliability,
availability, scalability, security, and performance for your enterprise. You can also start to explore the next
generation of the Internet layer protocol of the TCP/IP protocol suite — IP version 6 (IPv6) — by introducing
Microsoft® Windows® Server 2003 IPv6 into part of your IPv4 network.
In This Chapter
Overview of Designing a TCP/IP Network
Planning the IP-Based Infrastructure
Developing Routing Strategies
Designing an IP Addressing Scheme
Planning an IP Configuration Strategy
Planning Security
Improving Availability
Planning IP Multicasting
Introducing IPv6 on Your Network
Testing Your Design
Additional Resources
Related Information
• For more information about IP configuration strategies using Dynamic Host Configuration
Protocol (DHCP), see “Deploying DHCP” in this book.
• For more information about using Domain Name System (DNS) for name resolution, see
“Deploying DNS” in this book.
• For more information about using Windows Internet Name Service (WINS) for name resolution
in networks that support clients running Microsoft® Windows NT®, see “Deploying WINS” in
this book.
4 Chapter 1 Designing a TCP/IP Network
The modular nature of a hierarchical model such as the three-tier model can simplify deployment, capacity
planning, and troubleshooting in a large internetwork. In this design model, the tiers represent the logical layers
of functionality within the network. In some cases, network devices serve only one function; in other cases, the
same device may function within two or more tiers.
The three tiers of this hierarchical model are referred to as the core, distribution, and access tiers. Figure 1.3
illustrates the relationship between network devices operating within each tier.
Figure 1.3 Three-Tier Network Design Model
To plan an effective routing solution for your environment, you must understand the differences between
hardware routers and software routers; static routing and dynamic routing; and distance vector routing protocols
and link state routing protocols.
Static Routing
In static routing, a network administrator enters static routes in the routing table manually by indicating:
• The network ID, consisting of a destination IP address and a subnet mask.
• The IP address of a neighboring router (the next hop).
• The router interface through which to forward the packets to the destination.
Static routing has significant drawbacks. Because a network administrator defines a static route, errors are more
likely than with a dynamically assigned route. A simple typographical error can create chaos on the network. An
even greater problem is the inability of a static route to adapt to topology changes. When the topology changes,
the administrator might have to make changes to the routing tables on every static router. This does not scale
well on a large internetwork.
However, static routing can be effective when used in combination with dynamic routing. Instead of
using static routing exclusively, you can use a static route as the redundant backup for a
dynamically configured route. In addition, you might use dynamic routing for most paths but
configure a few static paths where you want the network traffic to follow a particular route. For
example, you might configure routers to force traffic over a given path to a high-bandwidth link.
One advantage of distance vector routing protocols is simplicity. Distance vector routing protocols are easy to
configure and administer. They are well suited for small networks with relatively low performance
requirements.
Most distance vector routing protocols use a hop count as a routing metric. A routing metric is a number
associated with a route that a router uses to select the best of several matching routes in the IP routing table. The
hop count is the number of routers that a packet must cross to reach a destination.
Routing Information Protocol (RIP) is the best known and most widely used of the distance vector routing
protocols. RIP version 1 (RIP v1), which is now outmoded, was the first routing protocol accepted as a standard
for TCP/IP. RIP version 2 (RIP v2) provides authentication support, multicast announcing, and better support for
classless networks. The Windows Server 2003 Routing and Remote Access service supports both RIP v1 and
RIP v2 (for IPv4 only).
Using RIP, the maximum hop count from the first router to the destination is 15. Any destination greater than 15
hops away is considered unreachable. This limits the diameter of a RIP internetwork to 15. However, if you
place your routers in a hierarchical structure, 15 hops can cover a large number of destinations.
The Windows Server 2003 Routing and Remote Access service supports the Open Shortest Path First (OSPF)
protocol, the best known and most widely used link state routing protocol. OSPF is an open standard developed
by the Internet Engineering Task Force (IETF) as an alternative to RIP. OSPF compiles a complete topological
database of the internetwork. The shortest path first (SPF) algorithm, also known as the Dijkstra algorithm, is
used to compute the least-cost path to each destination. Whereas RIP calculates cost on the basis of hop count
only, OSPF can calculate cost on the basis of metrics such as link speed and reliability in addition to hop count.
Unlike RIP, OSPF can support an internetwork diameter of 65,535 (assuming that each link is assigned a cost of
1). OSPF transmits multicast frames, reducing CPU usage on a LAN. You can hierarchically subdivide OSPF
networks into areas, reducing router memory overhead and CPU overhead.
Like RIP v2, OSPF supports variable length subnet masks (VLSM) and noncontiguous subnets. For information
about variable length subnet masks and noncontiguous subnets, see “Designing a Structured Address
Assignment Model” later in this chapter.
Designing an IP Addressing Scheme
Before assigning addresses, design an IP addressing scheme that meets the requirements of your networking
infrastructure. Figure 1.5 shows the tasks involved in designing your IP addressing system, including planning
your address assignment model, address allocation, and public or private addressing. Most organizations choose
to use classless IP addressing, classless IP routing protocols, and route summarization.
Developing Routing Strategies 15
For information about IP multicast addressing, see “Planning IP Multicasting” later in this chapter.
To be able to use subnetting or supernetting, you must first understand the default formats of the unicast
addresses. Unicast addresses have the following formats:
• All 32-bit IPv4 addresses contain four octets of 8 bits each, often represented as four decimal
numbers separated by dots (known as dotted decimal notation).
• In Class A addresses, the first byte, or octet, represents the network ID, and the three remaining
bytes are used for node addresses.
• In Class B addresses, the first 2 bytes represent the network ID, and the last 2 bytes are used for
nodes.
• In Class C addresses, the first 3 bytes are used for the network ID, and the final byte is used for
nodes.
Without some means of subdividing class-designated networks, all available IP addresses would have been
depleted long ago. Classless IP addressing, which allows subnetting, was developed to handle this problem.
By using 8 host bits for subnetting, you obtain 256 (that is, 2^8) subnetted network IDs (subnets), supporting as
many as 254 hosts per subnet. The number of hosts per subnet is 254 because 8 bits (2^8 minus 2) are reserved for
the host ID. You subtract 2 because subnetting rules exclude the host IDs consisting of all ones or all zeros.
An alternative to subnet mask notation is the network prefix length notation. A network prefix is shorthand for a
subnet mask, expressing the number of high-order bits that constitute the subnetted network ID portion of the
address in the format <IP address>/<# of bits>, where # of bits defines the network/subnet part of the IP address,
and the remaining bits represent the host ID portion of the address.
The following is the network prefix length notation for the Class B address in the previous example:
131.107.65.37/24
The bit notation “/24” refers to the number of high-order bits set to 1 in the binary notation for the subnet mask,
leaving 8 bits for hosts (the eight bits set to 0).
Note
IPv6 supports only network prefix length notation. It does not support
dotted decimal subnet masks. For more information about IPv6, see
“Introducing IPv6 on Your Network” later in this chapter.
By contrast, if you anticipate needing only 32 subnets rather than 256, each of the 32 subnets can support as
many as 2,046 hosts (2^11 minus 2). That subnet mask has the following decimal and binary notations.
Subnet Mask in Decimal Notation    Subnet Mask in Binary Notation
255.255.248.0                      11111111 11111111 11111000 00000000
The following network prefix length notation indicates the 21 bits needed to create as many as 32 subnets:
131.107.65.37/21.
Again, “/21” indicates the number of high-order bits set to 1 in binary notation, leaving 11 bits (the 11 zeros) for
the host ID portion of the address.
To determine the appropriate number of subnets versus hosts for your organization’s network, consider the
following:
• More subnets. Allocating more host bits for subnetting supports more subnets but fewer hosts
per subnet.
• More hosts. Allocating fewer host bits for subnetting supports more hosts per subnet, but limits
the growth in the number of subnets.
For an introduction to TCP/IP, including information about subnetting, see the Networking Guide of the
Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
Classless routing protocols extend the standard Class A, B, or C IP addressing scheme by using a subnet mask
or mask length to indicate how routers must interpret an IP network ID. Classless routing protocols include the
subnet mask along with the IP address when advertising routing information. Subnet masks representing the
network ID are not restricted to those defined by the address classes, but can contain a variable number of high-
order bits. Such subnet mask flexibility enables you to group several networks as a single entry in a routing
table, significantly reducing routing overhead. In addition to RIP v2 and OSPF, described earlier, classless
routing protocols include Border Gateway Protocol version 4 (BGP4) and Intermediate System to Intermediate
System (IS-IS).
If your network contains routers that support only RIP v1 and you want to upgrade from classful to classless
routing, upgrade the RIP v1 routers to support RIP v2 or use another protocol such as OSPF. For example, you
might use VLSM to implement subnets of different sizes or CIDR to implement supernetting. (VLSM and CIDR
are described later in this chapter.)
Each router in Figure 1.6 must use a subnet mask to look up a match in the routing table. Because a classful
address, by definition, has only its class-based default subnet mask, the router uses the network mask that
corresponds to the class of the subnet ID when advertising the route for the subnet. With classful routing, each
of the routers in Figure 1.6 summarizes and advertises the class-based network ID of 10.0.0.0/8, resulting in two
routes to 10.0.0.0/8, each of which might have a different metric. Therefore, a packet meant for one subnet
could be incorrectly routed to the other subnet. In the figure, the arrows represent the routes advertised by the
routers.
Noncontiguous subnets with classless routing
Figure 1.7 also shows an unrelated network connecting two noncontiguous subnets. In this example, using
classless routing, the locations on the noncontiguous subnets are unambiguous because the classless protocol
includes a subnet mask when advertising the route. Routers in the intermediate network can distinguish between
the two noncontiguous subnets.
Figure 1.7 Classless Routing Appropriate for Noncontiguous Subnets
To support route summarization, your IP addressing scheme must meet the following requirements:
• Classless routing protocols (those including subnet mask or prefix length information along
with the IP address) must be used.
• All IP addresses used in route summarization must share identical high-order bits.
• The length of the prefix can be any number of bits up to 32 (for IPv4).
Tip
When using VLSM, do not accidentally overlap blocks of addresses. If
possible, start with equal-size subnets and then subdivide them.
VLSM also can be used when a point-to-point WAN link connects two routers. One way to handle such a WAN
link is to create a small subnet consisting of only two addresses. Without VLSM, you might divide a Class C
network ID into an equal number of two-address subnets. If only one WAN link is in use, all the subnets but one
serve no purpose, wasting 252 addresses.
Alternatively, you can divide the Class C network into 16 workgroup subnets of 14 nodes each by using a prefix
length of 28 bits (or, in subnet mask terms, 255.255.255.240). By using VLSM, you can then subdivide one of
those 16 subnets into 8 smaller subnets, each supporting only 2 nodes. You can use one of the 8 subnets for your
existing WAN link and reserve the remaining 7 subnets for similar links that you might need in the future. To
accomplish this act of sub-subnetting by using VLSM, use a prefix length of 30 bits (or, in subnet mask terms,
255.255.255.252).
Figure 1.8 shows variable length subnetting for two-host WAN subnets.
Figure 1.8 Variable Length Subnetting of 131.107.106.0
If your network includes numerous WAN links, each with its own subnet, this approach can require significant
administrative overhead. If you do not use route summarization, each subnet requires another entry in the
routing table, increasing the overhead of the routing process.
Some routers support unnumbered connections; a link with unnumbered connections does not require its own
subnet.
A block of supernetted addresses, such as those in Table 1.2, is known as a CIDR block. Table 1.2 indicates the
single CIDR entry that appears in the routing table. This entry represents all eight Class C network IDs that are
allocated to the example organization.
Table 1.2 CIDR Routing Table Entry
Network ID      Subnet Mask      Subnet Mask (Binary)
220.78.168.0    255.255.248.0    11111111 11111111 11111000 00000000
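The VLSM tip about overlapping blocks and the CIDR entry in Table 1.2 can both be checked mechanically. The following is an added example, not part of the original chapter; the address plans inside 131.107.106.0/24 and the function names are constructed for illustration.

```python
import ipaddress


def usable_hosts(prefix_len):
    """Hosts per IPv4 subnet: 2^(host bits) minus the all-zeros and all-ones host IDs."""
    return 2 ** (32 - prefix_len) - 2


def find_overlaps(blocks):
    """Return every pair of blocks in an address plan that share addresses."""
    nets = sorted((ipaddress.ip_network(b) for b in blocks),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    clashes = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                clashes.append((str(a), str(b)))
    return clashes


def summarize(blocks):
    """Collapse blocks into the fewest routes; only blocks that share
    identical high-order bits merge into a single prefix."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed plan: two 14-node workgroup subnets (/28) and two WAN links (/30).
GOOD_PLAN = ["131.107.106.0/28", "131.107.106.16/28",
             "131.107.106.32/30", "131.107.106.36/30"]
# Constructed mistake: a WAN link carved out of a /28 that is already in use.
BAD_PLAN = GOOD_PLAN + ["131.107.106.16/30"]

# The eight Class C network IDs covered by the Table 1.2 entry.
CIDR_BLOCK = [f"220.78.{n}.0/24" for n in range(168, 176)]
# Eight consecutive networks that do NOT share their first 21 bits.
MISALIGNED = [f"220.78.{n}.0/24" for n in range(166, 174)]


if __name__ == "__main__":
    for prefix in (24, 21, 28, 30):
        print(f"/{prefix}: {usable_hosts(prefix)} hosts per subnet")
    print("good plan overlaps:", find_overlaps(GOOD_PLAN))
    print("bad plan overlaps: ", find_overlaps(BAD_PLAN))
    print("aligned block:     ", summarize(CIDR_BLOCK))
    print("misaligned block:  ", summarize(MISALIGNED))
    print("mask for /21:      ", ipaddress.ip_network("220.78.168.0/21").netmask)
```

The misaligned set needs three routing table entries instead of one, which is why summarization requires that all addresses share identical high-order bits.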
Public Addresses
IANA assigns public addresses and guarantees them to be globally unique on the Internet. In addition, routes are
programmed into the routers on the Internet so that traffic can reach those assigned public addresses. That is
why public addresses can be reached on the Internet.
Private Addresses
Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those
hosts within an organization that do not require direct access to the Internet. These addresses do not duplicate
already assigned public addresses. RFC 1918, “Address Allocation for Private Internets,” defines the following
three private address blocks:
• 10.0.0.0/8. The 10.0.0.0/8 private network is a Class A network ID that supports the following
range of valid IP addresses: 10.0.0.1 through 10.255.255.254. The 10.0.0.0/8 private network
has 24 host bits that a private organization can use for any subnetting scheme within the
organization.
• 172.16.0.0/12. The 172.16.0.0/12 private network can be interpreted either as a block of 16
Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for
any subnetting scheme within the private organization. The 172.16.0.0/12 private network
supports the following range of valid IP addresses: 172.16.0.1 through 172.31.255.254.
• 192.168.0.0/16. The 192.168.0.0/16 private network can be interpreted either as a block of 256
Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for
any subnetting scheme within the private organization. The 192.168.0.0/16 private network
supports the following range of valid IP addresses: 192.168.0.1 through 192.168.255.254.
Because IANA never assigns IP addresses in the private address space as public addresses, routes for private
addresses never exist on the Internet routers. Any number of organizations can repeatedly use the private
address space, which helps to prevent the depletion of public addresses.
Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private
address must either send its requests to an application layer gateway (such as a proxy server), which has a valid
public address, or have its private address translated into a valid public address by a NAT before it is sent over
the Internet.
For an introduction to TCP/IP and more information about public and private addresses, see the Networking
Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
Unauthorized Addresses
Network administrators of private networks who have no plans to connect to the Internet can choose any IP
addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially
duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to
connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has
assigned to other organizations. You cannot connect to the Internet by using unauthorized addresses.
Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection
between your network and the Internet. On some future date, discovering that you need to quickly replace the IP
addresses of all the nodes on a large private network can require considerable time and interrupt network
operation.
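One way to find unauthorized addresses before they become a renumbering project is to audit the address inventory against the three RFC 1918 blocks and the public blocks actually assigned to the organization. This is an added example, not part of the original chapter; the host names, sample addresses, and the "assigned" block (192.0.2.0/24, a documentation range) are constructed.

```python
import ipaddress

# The three private blocks defined by RFC 1918, as listed in this chapter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit(inventory, assigned_public=()):
    """Classify each host address as private, assigned public, unauthorized, or invalid.

    inventory:       mapping of host name -> IPv4 address string
    assigned_public: prefixes that have been assigned to this organization
    """
    assigned = [ipaddress.ip_network(n) for n in assigned_public]
    report = {}
    for host, addr in inventory.items():
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            report[host] = "invalid"
            continue
        block = next((n for n in RFC1918 if ip in n), None)
        if block is not None:
            report[host] = f"private ({block})"
        elif any(ip in n for n in assigned):
            report[host] = "public (assigned)"
        else:
            # Public address space that was never assigned to this organization.
            report[host] = "unauthorized"
    return report


def unauthorized_hosts(inventory, assigned_public=()):
    """Hosts that must be renumbered before the network touches the Internet."""
    report = audit(inventory, assigned_public)
    return sorted(h for h, status in report.items() if status == "unauthorized")


# Constructed inventory. Note the near misses just outside the private blocks.
SAMPLE_INVENTORY = {
    "fileserver":   "10.20.30.40",
    "printer":      "172.31.255.254",   # last valid address in 172.16.0.0/12
    "lab-router":   "172.32.0.1",       # one step past 172.16.0.0/12
    "kiosk":        "192.169.0.7",      # typo for 192.168.x.x
    "web-dmz":      "192.0.2.10",
    "badge-reader": "10.0.0.256",       # not a valid IPv4 address
}
SAMPLE_ASSIGNED = ["192.0.2.0/24"]


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY, SAMPLE_ASSIGNED).items():
        print(f"{host:13} {SAMPLE_INVENTORY[host]:16} {status}")
    print("renumber:", unauthorized_hosts(SAMPLE_INVENTORY, SAMPLE_ASSIGNED))
```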
Planning an IP Configuration Strategy
Every computer on an IP network must have a unique IP address. As noted earlier, using static addressing for
clients is time-consuming and prone to error. To provide an alternative for IPv4, the IETF developed the
Dynamic Host Configuration Protocol (DHCP), based on the earlier bootstrap protocol (BOOTP) standard.
Figure 1.9 shows the stage in the TCP/IP design process during which you decide what to use for IP
configuration. Most organizations choose to use DHCP for IPv4.
Figure 1.9 Planning an IP Configuration Strategy
Although BOOTP and DHCP hosts can interoperate, DHCP is easier to configure. BOOTP requires maintenance
by a network administrator, whereas DHCP requires minimal maintenance after the initial installation and
configuration.
The DHCP standard, defined in RFC 2131, defines a DHCP server as any computer running the DHCP service.
Compared with static addressing, DHCP simplifies IP address management because the DHCP server
automatically allocates IP addresses and related TCP/IP configuration settings to DHCP-enabled clients on the
network. This is especially useful on a network with frequent configuration changes — for example, in an
organization that has a large number of mobile users.
The DHCP server dynamically assigns specific addresses from a manually designated range of addresses called
a scope. By using scopes, you can dynamically assign addresses to clients on the network no matter where the
clients are located or how often they move.
Planning Security
IP does not have a default security mechanism. Without security, both public and private IP networks are
susceptible to unauthorized monitoring and access. To prevent these types of security breach, develop a security
strategy for your IP deployment in tandem with your overall network security plan.
Ways that you can enhance security when deploying IP include:
• Securing IP packets. Provide end-to-end security by securing IP packets, which requires that
you not use address translation (unless both peers support IPSec NAT-T and use ESP to protect
traffic). IPSec is the most efficient way to provide a secure data stream.
• Deploying a perimeter network. Use a perimeter network to help secure your internal network
from intrusion. Several options are available for doing this.
Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in your IP security plan.
Figure 1.10 Planning IP Security
Using IPSec
Effective integration with IPSec is becoming increasingly important to the secure deployment of IP in an
enterprise internetwork. IPSec is a framework of open standards for ensuring private, secure communications
over IP networks through the use of cryptographic security services. The implementation of IPSec that runs on
Windows Server 2003, Windows XP, and Windows 2000 is based on standards developed by the IETF IPSec
working group.
IPSec provides a comprehensive technology for securing networks. However, the larger your organization, the
more planning and engineering are required to implement IPSec. Assess the relative importance of your
information resources — domain controllers, mail servers, and financial servers may rank high among the
resources you want to protect. Include confidentiality considerations in your assessment. For example, many
organizations might target Human Resources information for IPSec protection. After identifying the critical
information resources to secure, configure IPSec policies as appropriate on those computers.
Windows Server 2003 uses the IPSec protocol suite to protect data traffic as it crosses a network. Although file
encryption and required passwords protect information stored on network resources, they do not protect
information as it moves across a network.
By implementing IPSec, you can secure the following types of data:
• Data that moves across the part of your intranet that external users do not access.
• Data that moves across the part of your intranet that can be accessed by external users who have
appropriate permissions.
• Data that moves across the Internet.
• Data that moves across an extranet.
IPSec security protects the content of IP packets from both active and passive attacks. In an active attack, a
hacker modifies existing data or adds false data. In a passive attack, an intruder reads data.
IPSec secures communication through the following methods:
• Peer authentication. IPSec verifies the identity of each computer. Each peer sends security
credentials that are verified by the peer at the other end of the connection. Windows
Server 2003 IPSec provides multiple methods of peer authentication.
• Data origin authentication. By incorporating a cryptographic checksum calculated with a
shared secret key with each packet of protected data, IPSec can verify that the packet must have
been sent by a peer that has knowledge of the secret key.
• Confidentiality (data encryption). IPSec offers confidentiality by encrypting data before
transmission, ensuring that the data cannot be read during transmission — even if an attacker
monitors or intercepts the packet. IPSec encryption is applied at the IP network layer, which
makes it transparent to applications that use TCP or User Datagram Protocol (UDP) for network
communication.
• Integrity. IPSec protects data from unauthorized modification in transit, ensuring that the
information received is exactly the same as the information sent.
• Anti-replay. IPSec ensures that any attacker who might intercept data cannot reuse or replay
that data to establish a session or to illegally gain information or access to resources.
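The data origin authentication, integrity, and anti-replay properties above can be seen working together in a small model. This is an added illustration, not the IPSec wire format and not the Windows implementation; the packet layout, HMAC-SHA-256 truncated to 16 bytes, the 64-packet window, and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # assumption: keyed checksum truncated to 128 bits
WINDOW = 64    # assumption: receiver tracks the last 64 sequence numbers


def protect(key, seq, payload):
    """Sender: prepend a 32-bit sequence number, append the keyed checksum."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set: sequence number (highest - i) was accepted

    def accept(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0:
            return "malformed"          # senders in this model start at 1
        # Anti-replay: reject anything already seen or older than the window.
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return "too-old"
            if (self.bitmap >> offset) & 1:
                return "replay"
        # Data origin authentication and integrity: only a holder of the
        # shared key can produce a checksum that verifies.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-checksum"
        # Update the window only after the packet has authenticated, so a
        # forged sequence number cannot push valid traffic out of the window.
        if seq > self.highest:
            shifted = (self.bitmap << (seq - self.highest)) | 1
            self.bitmap = shifted & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "ok"


def demo():
    key = b"constructed-demo-key-not-a-real-secret"
    rx = Receiver(key)
    p1, p2, p3 = (protect(key, n, b"payload %d" % n) for n in (1, 2, 3))
    tampered = bytearray(protect(key, 4, b"pay 100 to alice"))
    tampered[8] ^= 0x01                       # one bit changed in transit
    forged = protect(b"some-other-key", 5, b"hello")
    late = protect(key, 100, b"jump ahead")
    return [
        rx.accept(p1),               # in order
        rx.accept(p3),               # arrives early
        rx.accept(p2),               # out of order but inside the window
        rx.accept(p2),               # same packet sent again
        rx.accept(bytes(tampered)),  # modified payload
        rx.accept(forged),           # sender without the shared key
        rx.accept(late),             # window slides forward to 100
        rx.accept(p3),               # now far behind the window
    ]


if __name__ == "__main__":
    print(demo())
```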
Deploying IPSec requires careful planning. For more information about deploying IPSec, see “Deploying
IPSec” in this book. For more technical information about IPSec, see the Networking Guide of the Windows
Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).
Organizations vary in their use of firewalls for providing security. IP packet filtering offers weak security, is
cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and
easier to manage because they pertain only to a few specific applications, such as a particular e-mail system.
Circuit gateways are most effective when the user of a network application is of greater concern than the data
being passed by that application. The proxy server — the recommended solution — is a comprehensive security
tool that includes an application gateway, safe access for anonymous users, and other services.
IP packet filtering
You can configure packet filtering, the earliest implementation of firewall
technology, to accept or deny specific types of packets. Packet headers are examined for source and destination
addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that
works best in clear security environments where, for example, everything outside the perimeter network is not
trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted
because the port numbers are encrypted and therefore cannot be examined.
In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-
making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol
inspection.
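The limitation with encrypted payloads is easy to see in a minimal header-based filter. This is an added example, not part of the original chapter; the rule format, the first-match and default-deny behavior, and all addresses (documentation ranges) are assumptions for illustration. ESP is IP protocol 50, and its packets expose no TCP or UDP port in the clear.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP = 6, 17, 50   # IP protocol numbers


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None: no port readable in the clear (ESP)


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network in prefix notation
    dst: str                      # destination network in prefix notation
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p):
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def decide(rules, packet):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


SERVER = "192.0.2.10/32"          # constructed perimeter host
PEER = "198.51.100.7/32"          # constructed IPSec peer
ANY = "0.0.0.0/0"

BASE_RULES = [
    Rule("allow", ANY, SERVER, TCP, 80),
    Rule("deny", ANY, SERVER, TCP, 23),
]
# To let protected traffic in, the filter can only admit ESP as a whole.
RULES_WITH_ESP = BASE_RULES + [Rule("allow", PEER, SERVER, ESP)]

WEB = Packet("203.0.113.5", "192.0.2.10", TCP, 80)
TELNET = Packet("203.0.113.5", "192.0.2.10", TCP, 23)
# Whatever application this carries, the filter sees only the outer header.
PROTECTED = Packet("198.51.100.7", "192.0.2.10", ESP)


def evaluate():
    return {
        "web": decide(BASE_RULES, WEB),
        "telnet": decide(BASE_RULES, TELNET),
        "esp_without_rule": decide(BASE_RULES, PROTECTED),
        "esp_with_rule": decide(RULES_WITH_ESP, PROTECTED),
        # A port-specific rule can never match a packet whose port is encrypted.
        "port_rule_matches_esp": Rule("deny", ANY, SERVER, ESP, 23).matches(PROTECTED),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:22} {result}")
```

Because the filter sees only the outer header, any port-level policy for protected traffic has to be enforced at the IPSec endpoint after decryption.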
Application gateways
Used when the actual content of an application is of greatest concern,
application gateways do not adapt easily to changes in technology. However, unlike IP packet filtering,
application gateways can be used in conjunction with encryption.
Circuit gateways
As tunnels connecting specific processes or systems on each side of a firewall, circuit
gateways are best employed in situations where the person using an application is potentially a greater risk than
the information that the application carries. The circuit gateway differs from a packet filter in its capability for
connecting to an out-of-band application scheme that can add additional information.
Proxy servers
Proxy servers are comprehensive security tools that include firewall and application
gateway functionality to manage Internet traffic to and from a private intranet. Proxy servers also provide
document caching and access control. A proxy server can improve performance by caching and directly
supplying frequently requested data such as a popular Web page. A proxy server also can filter and discard
requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary
files.
Take advantage of those firewall security features that can help you. Position a perimeter network in your
network topology at a point where all traffic from outside the corporate network must pass through the
perimeter that the external firewall maintains. You can fine-tune access control for the firewall to meet your
needs and can configure firewalls to report all attempts at unauthorized access.
Improving Availability
Availability refers to how much time the network is operational. Planning well for availability improves both
your network’s mean time between failures (MTBF) and its mean time to recovery (MTTR) after a network
failure.
To improve availability in your IP network design, you must know your organization’s availability requirements.
For some organizations, unanticipated down time is simply an irritating inconvenience. In other environments,
unanticipated down time could mean financial disaster, drastic loss of credibility, or, as in health care or law
enforcement, a risk to safety.
Figure 1.12 shows the process for improving availability on your network.
Figure 1.12 Improving Availability
Each method for improving availability places different demands on the design of your network. As the risk of
down time to your operation increases, build more redundancy into your design, both in hardware and routing.
Similarly, as the consequences of failure increase, make your network more resilient by increasing the amount
of stress it can handle before it loses functionality.
Implementing Redundancy
Single points of failure, such as devices, links, and interfaces, can make a network vulnerable. If one such point
fails, it isolates users from services and, in the worst case, causes entire sections of the network to fail. For a
purely hierarchical network — one based on summarization and controlled access between tiers — every device
and link is a point of failure.
Redundancy provides alternative paths around points of failure. In a purely redundant network, each individual
device, link, and interface is dispensable. No single device, link, or interface can isolate users or cause the
network to fail.
In most production environments, neither a purely hierarchical nor a purely redundant network is practical. You
must balance the efficiency of a hierarchical network with the safety net of redundancy.
Planning IP Multicasting
With IP multicasting, one device can send a single data stream that the network replicates only as necessary so
that multiple devices receive the data. Because of the minimal overhead required to create the data stream and
the low overhead on the network, multicast communication is particularly suitable for multiple-user multimedia
applications such as video conferencing, distance learning, and collaborative computing. You can also use
multicast traffic to discover resources on the internetwork and to support datacasting applications such as file
distribution or database synchronization.
Using the IP multicast components of the Windows Server 2003 TCP/IP protocol and the Routing and Remote
Access service, you can send and receive IP multicast traffic from multicast-enabled portions of your intranet or
the Internet and from remote access clients. You can use IP multicast to optimize server loading and network
bandwidth.
Figure 1.13 shows the tasks involved in planning IP multicasting.
In multicast routing, routers communicate multicast group membership information to each other using
multicast routing protocols, and forward data across the internetwork. Multicast forwarding refers to the process
of forwarding multicast traffic to networks on which other multicast devices are listening. The multicast-capable
portion of the Internet is referred to as the Internet multicast backbone, or MBone.
All computers running Windows Server 2003 can both send and receive IP multicast traffic. Windows
Server 2003 TCP/IP can listen for IPv4 multicast traffic and use a multicast forwarding table to determine where
to forward incoming multicast traffic.
Figure 1.14 shows one common configuration of IP multicast components. For examples of a number of
supported multicast configurations, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or
see the Internetworking Guide on the Web at http://www.microsoft.com/reskit).
Figure 1.14 IP Multicast Components
MADCAP Security
The IPSec protocol meets MADCAP requirements for client/server identification and integrity protection as
described in RFC 2730, and requires no modifications to the MADCAP protocol. Therefore, when you require
strong security, use IPSec to protect all of the unicast messages of the MADCAP protocol.
For more information about MADCAP, including how to use IPSec in conjunction with MADCAP, see
RFC 2730, “Multicast Address Dynamic Client Allocation Protocol (MADCAP).”
Note
You can configure the IGMP router mode and IGMP proxy mode
interfaces to provide multicast forwarding support in multiple-router
intranets, but doing so is not efficient and is therefore not
recommended or supported.
Although Windows Server 2003 does not include any multicast routing protocols, the Routing and Remote
Access service is an extensible platform that can support multicast routing protocols. Multicast routing protocols
include Protocol-Independent Multicast (PIM) in both Sparse Mode (PIM-SM) and Dense Mode (PIM-DM),
Multicast Extensions to OSPF (MOSPF), and the Distance Vector Multicast Routing Protocol (DVMRP). Your
choice of multicast routing protocol will depend on the size and type of network and the distribution of
multicast group members.
• Protocol-Independent Multicast (PIM). The PIM protocol routes to multicast groups whose
members span wide-area and interdomain internetworks. PIM functions independently of any
unicast routing protocol. A multicast group that uses PIM can declare itself sparse or dense,
using either Sparse Mode or Dense Mode:
• Protocol-Independent Multicast Sparse Mode (PIM-SM), the most widely used
multicast routing protocol, is designed for multicast groups whose members are distributed
sparsely across a large region. PIM-SM can operate in a LAN environment but is most
efficient in a WAN environment. Using a dense-mode protocol for a multicast group whose
members are distributed thinly can cause unnecessary transmission and router storage of
data packets or membership report information. This overhead might be acceptable where
multicast group members are populated densely, but it is inefficient for a sparse mode
multicast group. In sparse mode, routers must explicitly join and leave multicast groups,
which eliminates unnecessary traffic and storage.
• Protocol-Independent Multicast Dense Mode (PIM-DM) is a dense-mode multicast
routing protocol designed for multicast groups whose members are distributed thickly over
an area where bandwidth is plentiful. PIM-DM is interoperable with the sparse mode,
PIM-SM. PIM-DM does not scale well.
• Multicast Extensions to OSPF (MOSPF). The MOSPF protocol, an extension of OSPF, is
also a dense-mode multicast routing protocol. MOSPF employs a unicast routing protocol that
requires that each router in a network be aware of all available links. MOSPF is intended for
use on a single organization’s network, and does not scale well. MOSPF requires OSPF as its
accompanying unicast routing protocol. It can sometimes put a heavy load on router CPU
bandwidth.
• Distance Vector Multicast Routing Protocol (DVMRP). The original IPv4 multicast routing
protocol, DVMRP runs over multicast-capable LANs such as Ethernet. DVMRP can also tunnel
IP multicast packets as unicast packets through routers with no multicast capability. DVMRP is
a dense-mode multicast routing protocol that does not scale well.
Configuring IGMP
To support IPv4 multicast applications on a single-router intranet or when connecting a single-router intranet to
the Internet, you can use the Routing and Remote Access service on one or more computers running Windows
Server 2003, add the IGMP routing protocol component on each server, and configure the server’s outbound
interface for IGMP router mode and its inbound interface for IGMP proxy mode. If your multicast applications
cross the Internet, the outbound interface is the intranet interface and the inbound interface is the Internet
interface.
• IGMP router mode on the outbound interface. In Windows Server 2003, an outbound
interface running in IGMP router mode listens for IGMP Membership Report messages and
tracks group membership. Enable IGMP router mode on the interfaces to listening multicast
hosts. The TCP/IP protocol and the IGMP routing protocol component for interfaces running in
IGMP router mode forward multicast traffic.
• IGMP proxy mode on the inbound interface. IGMP proxy mode is designed to pass IGMP
Membership Report messages within a single-router intranet or from a single-router intranet to
the MBone. (As explained earlier, in a multiple-router intranet, you must install routers that use
one or more multicast routing protocols.) With IGMP proxy mode enabled on the inbound
interface, hosts can receive multicast traffic from multicast sources and can send multicast
traffic to other hosts.
Within a single-router intranet, or when connecting a single-router intranet to the Internet, you do not need
routers running multicast routing protocols. However, within a multiple-router intranet that uses multicast
routers running multicast routing protocols, you can still use the Routing and Remote Access service as a
multicast forwarding router on the periphery of your intranet.
RFC 1112, “Host Extensions for IP Multicasting,” defines address and host extensions for IP hosts that support
multicasting, and defines IGMP Version 1. RFC 2236, “Internet Group Management Protocol (IGMP), Version
2,” defines IGMP Version 2. Windows Server 2003 supports IGMP Version 3, described in the Internet Draft
“Internet Group Management Protocol, Version 3.” Under IGMP Version 3, hosts can specify interest in
receiving multicast traffic from specified sources or from all but a specific set of sources.
Exploring IPv6
Windows Server 2003 includes an IPv6 stack, in addition to the IPv4 stack, which you can use to explore the
capabilities of IPv6, test new applications and network technologies, and plan the first steps toward the wider
adoption of IPv6 on your network.
The current version of the Internet Protocol — IP version 4, known as IPv4 — dates from 1981 and has not
changed substantially since it was introduced in RFC 791, “Internet Protocol.” Although IPv4 proved to be
remarkably robust and enduring, in the early 1990s the Internet Engineering Task Force (IETF) began to
develop a suite of protocols and standards — IPv6 — to better address the demands of modern networking. Two
of the most important of these protocols are RFC 2460, “Internet Protocol, Version 6 (IPv6) Specification,”
which defines IPv6, and RFC 2463, “Internet Control Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification,” which specifies a set of ICMP messages for use with IPv6.
Before considering the design choices that you must make when introducing IPv6 on your network, you must
become familiar with some of the basics about IPv6, including:
• IPv6 features.
• Supported features, server applications, and application programming interfaces (APIs).
• Supported IPv6 tools.
• Types of nodes.
IPv6 Features
The IPv6 protocol includes the following features and improvements over IPv4:
• New header format. The IPv6 header is designed to minimize overhead. Although the IPv6
address field is four times as long as the address field in IPv4, the IPv6 header is only twice as
large as the IPv4 header overall. The more efficient header design enables faster processing at
intermediate routers. IPv6 headers are not interoperable with IPv4 headers, and the
IPv6 protocol is not backward compatible with IPv4. A host or router must use an
implementation of both IPv4 and IPv6 in order to recognize and process both header formats.
• Large address space. IPv6 provides 128-bit IP addresses, in contrast with the 32-bit IPv4 IP
addresses. The address space is designed to accommodate a vast number of interconnected
devices on any network, and its structure is designed to reduce the number of routing table
entries in IPv6 routers.
• Hierarchical addressing and routing infrastructure. IPv6 global addresses are designed to
facilitate a hierarchical routing infrastructure that is based on the common occurrence of
multiple levels of ISPs. It is anticipated that the routing tables for backbone routers on the IPv6
Internet will be much smaller and, as a result, will be processed much more efficiently.
Table 1.3 IPv6 Features Supported by Windows Server 2003 IPv6 (continued)
IPv6 Feature | Supported by Windows Server 2003 IPv6
DNS over IPv6 (also referred to as DNS AAAA records) | Yes
Link-local Multicast Name Resolution (LLMNR) | No
DNS dynamic update | Yes
DHCP | No
TCP PortProxy | Yes
Remote Desktop | No
Remote Assistance | No
IPv6 Management Information Base (MIB) for Simple Network Management Protocol (SNMP) | Yes
Microsoft Network Monitor version 2 (Netmon) | Yes
Visual Studio .NET (VS.NET) | Yes
IPSec authentication | Yes
IPSec encryption | No
Table 1.4 shows which server applications Windows Server 2003 IPv6 supports.
Table 1.4 Server Applications Supported by Windows Server 2003 IPv6
Server Applications | Supported by Windows Server 2003 IPv6
File sharing, printer sharing | Yes
Windows Media Server | Yes
Internet Information Services (IIS) 6.0 (HTTP only) | Yes
Telnet server | Yes
FTP server | No
Active Directory | No
Microsoft® Exchange Server | No
SQL Server™ | No
Windows Server 2003 IPv6 also supports Internet Explorer. However, it does not include support for literal
addresses.
In addition, the following APIs support Windows Server 2003 IPv6:
• .NET Framework
• Windows Sockets 2 (Winsock2) API
• Remote procedure call (RPC)
• Distributed Component Object Model (DCOM)
• Windows Internet (WinINet) API (does not include support for literal addresses)
• Windows HTTP Services (WinHTTP)
• HTTP.sys
• IP Helper API (IPHLPAPI) module
• Debuggers
• Netstat
• Nslookup
• Telnet client
• FTP client
For more information about these TCP/IP tools and commands, see the Networking Guide of the Windows
Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).
Types of Nodes
To understand IPv6 tunneling technologies, such as 6to4 and ISATAP (described later), you must understand the
types of nodes that might be involved. Table 1.5 shows IPv4 and IPv6 node types.
Table 1.5 IPv4 and IPv6 Node Types
Node Type | Description
IPv4-only node | A device that can communicate only with IPv4 nodes and applications and that does not support IPv6.
IPv6-only node | A device that can communicate only with IPv6 nodes and that does not support IPv4.
IPv6/IPv4 node | A device that implements both IPv4 and IPv6 and that can communicate with either IPv6 or IPv4 nodes and applications.
IPv4 node | Any device that supports IPv4. Both IPv4-only and IPv6/IPv4 nodes are IPv4 nodes.
IPv6 node | Any device that supports IPv6. Both IPv6-only and IPv6/IPv4 nodes are IPv6 nodes.
For more information about the different node types, see RFC 2893, “Transition Mechanisms for IPv6 Hosts
and Routers.”
Table 1.6 Leading Zero Suppression and All-Zero Contiguous Block Compression
IPv6 Address Notation | IPv6 Address
IPv6 address | FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C
IPv6 address with leading zeros suppressed | FEC0:0:0:0:2AA:FF:FE3F:2A1C
IPv6 address with leading zeros suppressed and an all-zero contiguous block compressed | FEC0::2AA:FF:FE3F:2A1C
The 16 bytes, or 128 bits, provided in the IPv6 address space potentially support 2^128 addresses. However, the
purpose of this large address space is not only to provide an inexhaustible supply of addresses, but also to enable
a hierarchical routing infrastructure that can be summarized. IPv6 addressing is designed to minimize the size of
routing tables and to reduce routing complexity.
IPv6 supports address configuration both in the presence of a DHCP server, known as stateful address
configuration, and in the absence of a DHCP server, known as stateless address configuration. Stateless address
configuration introduces the use of link-local addresses, whereby hosts on the same link automatically configure
themselves with IPv6 addresses for that link and can use those addresses to communicate with the other hosts on
the same link. If one or more local routers exist, hosts can use router discovery to automatically determine the
routers’ addresses and can then communicate with IPv6 hosts beyond the local link.
As in IPv4, the high-order bits in an IPv6 address identify the type of address. In IPv6, the high-order bits are
known as the Format Prefix (FP). IPv6 does not use subnet masks to specify the network ID. Instead, it uses
only prefix notation.
Unicast and anycast addresses in IPv6 have the following scopes (for multicast addresses, the scope is built into
the address structure):
• Link-local. The scope is the local link (nodes on the same subnet).
• Site-local. The scope is the organization (private site addressing).
• Global. The scope is global (IPv6 Internet addresses).
In addition, IPv6 has special addresses such as the loopback address. The scope of a special address depends on
the type of special address.
Much of the IPv6 address space is unassigned.
The initial 48 fixed bits are followed by a 16-bit Subnet ID field, which provides as many as 65,536 subnets in
a flat subnet structure. Alternatively, you can subdivide the high-order bits of the Subnet ID field to create a
hierarchical routing infrastructure. The last field is a 64-bit Interface ID field that identifies the interface of a
node on a specific subnet.
Note
Global addresses and site-local addresses share the same structure
after the first 48 bits — the 16-bit SLA ID of a global address and the
16-bit Subnet ID of a site-local address both identify the subnets of an
organization’s site. Because of this, you can assign a specific subnet
number to identify a subnet that is used for both global and site-local
unicast addresses.
However, this is often written using the hexadecimal prefix: 2002:WWXX:YYZZ:SLA ID:Interface ID.
The following example shows how the WWXX:YYZZ portion of the address is translated from colon-hexadecimal
notation to dotted-decimal notation. In this example, 9D3C:5B7B translates to 157.60.91.123.
Notation Type | Use a calculator to convert each constituent number from one notation type to the other
Colon-hexadecimal | 9D 3C 5B 7B
Dotted-decimal | 157 60 91 123
For more information about 6to4 tunneling, see “Routing IPv6 Traffic over an IPv4 Infrastructure” later in this
chapter.
Unicast ISATAP addresses
IPv6 uses ISATAP addresses to communicate between two IPv6/IPv4 nodes over an IPv4 intranet. An ISATAP
address combines a 64-bit unicast link-local, site-local, or global prefix (a global prefix might be a 6to4 prefix)
with a 64-bit suffix constructed of the ISATAP identifier 0:5EFE, followed by the IPv4 address assigned to an
interface of the host. The prefix is known as the subnet prefix. Although a 6to4 address can incorporate only a
public IPv4 address, an ISATAP address can incorporate either a public or a private IPv4 address.
The following illustration shows the structure of an ISATAP address.
By default, the IPv6 protocol for Windows XP and members of Windows Server 2003 automatically configures
the ISATAP address of FE80::5EFE:w.x.y.z for each IPv4 address that is assigned to the node. This link-local
ISATAP address allows two hosts to communicate over an IPv4 network by using each other’s ISATAP address.
For more information about ISATAP tunneling, see “Routing IPv6 Traffic over an IPv4 Infrastructure” later in
this chapter.
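The 6to4 and ISATAP address constructions described above, as an added Python example that is not part of the original chapter: it builds the 2002:WWXX:YYZZ prefix and the 0:5EFE:w.x.y.z suffix, and recovers the embedded IPv4 addresses from an address such as one seen in a firewall log. The function names, the SLA ID 1, and the host address 192.168.12.9 are assumptions made for illustration.

```python
import ipaddress

ISATAP_ID = 0x00005EFE  # the 32-bit ISATAP identifier 0:5EFE from the text


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Build the 48-bit 2002:WWXX:YYZZ::/48 prefix from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        # A 6to4 address can incorporate only a public IPv4 address.
        raise ValueError(f"{v4} is not a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_subnet(public_ipv4: str, sla_id: int) -> ipaddress.IPv6Network:
    """Append a 16-bit SLA ID to the 6to4 prefix, giving a 64-bit subnet prefix."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Network((base | (sla_id << 64), 64))


def isatap_address(subnet_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit subnet prefix with the suffix 0:5EFE:w.x.y.z."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit subnet prefix")
    v4 = ipaddress.IPv4Address(ipv4)  # public and private addresses both allowed
    return ipaddress.IPv6Address(
        int(net.network_address) | (ISATAP_ID << 32) | int(v4))


def embedded_ipv4(ipv6: str) -> dict:
    """Recover the IPv4 addresses carried inside a 6to4 and/or ISATAP address."""
    raw = int(ipaddress.IPv6Address(ipv6))
    found = {}
    if raw >> 112 == 0x2002:  # 6to4: the IPv4 address follows the 2002 block
        found["6to4"] = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
    if (raw >> 32) & 0xFFFFFFFF == ISATAP_ID:  # ISATAP: IPv4 is the low 32 bits
        found["isatap"] = ipaddress.IPv4Address(raw & 0xFFFFFFFF)
    return found


if __name__ == "__main__":
    print(sixto4_prefix("157.60.91.123"))
    print(isatap_address("fe80::/64", "192.168.0.1"))
    # Constructed sample: an ISATAP host on 6to4 subnet 1 behind 157.60.91.123.
    host = isatap_address(str(sixto4_subnet("157.60.91.123", 1)), "192.168.12.9")
    print(host, embedded_ipv4(str(host)))
```

Decoding an address this way shows which IPv4 tunnel endpoint and which internal host an IPv6 flow maps back to, which is what an IPv4-side filter or audit needs to know.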
Table 1.9 explains each field in an IP multicast address. The prefix for multicast addresses is FF00::/8.
Table 1.9 Fields in a Multicast Address
Field | Description
1111 1111 | Identifies the address as an IP multicast address.
Flags | Currently, the only defined flag is the Transient (T) flag. Set to zero, the T flag identifies the address as a permanently assigned multicast address. Set to 1, it identifies a transient address.
Scope | Indicates the scope of the multicast traffic, such as interface-local, link-local, site-local, organization-local, or global scope.
Group ID | Identifies the multicast group.
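The fields of Table 1.9 decoded from an address, as an added Python example that is not part of the original chapter. The field widths (4-bit Flags, 4-bit Scope, 112-bit Group ID) and the numeric scope values come from the IPv6 addressing architecture RFC rather than from this page; the function names and the sample group list are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Numeric scope values from the IPv6 addressing architecture RFC; the page
# names these scopes but does not list their values.
SCOPE_NAMES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}
SITE_LOCAL = 0x5


class MulticastFields(NamedTuple):
    flags: int        # raw 4-bit Flags field
    transient: bool   # T flag: False = permanently assigned, True = transient
    scope: int        # raw 4-bit Scope field
    scope_name: str
    group_id: int     # remaining 112 bits


def parse_multicast(address: str) -> MulticastFields:
    """Split an IPv6 multicast address into the fields of Table 1.9."""
    raw = int(ipaddress.IPv6Address(address))
    if raw >> 120 != 0xFF:  # first eight bits must be 1111 1111
        raise ValueError(f"{address} is not in FF00::/8")
    flags = (raw >> 116) & 0xF
    scope = (raw >> 112) & 0xF
    return MulticastFields(
        flags=flags,
        transient=bool(flags & 0x1),
        scope=scope,
        scope_name=SCOPE_NAMES.get(scope, "reserved or unassigned"),
        group_id=raw & ((1 << 112) - 1),
    )


def border_violations(groups_seen_at_border):
    """Return groups whose scope (site-local or narrower) should have kept
    them inside the site but which were observed on the site border."""
    return [g for g in groups_seen_at_border
            if parse_multicast(g).scope <= SITE_LOCAL]


if __name__ == "__main__":
    # Constructed sample of destination groups observed on a border interface.
    sample = ["FF02::1", "FF0E::101", "FF15::ABCD"]
    for group in sample:
        print(group, parse_multicast(group))
    print("should not cross the border:", border_violations(sample))
```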
By deploying 6to4 or ISATAP, you can integrate IPv6 traffic into your IPv4 network environment.
Understanding examples of each automatic tunneling technology can help you decide whether to deploy 6to4,
ISATAP, or both as you introduce IPv6 on your network.
Note
For an introduction to IPv6, including information about router-to-router,
host-to-router, router-to-host, and host-to-host tunneling configurations
that underlie 6to4 and ISATAP tunneling, see the Networking Guide of
the Windows Server 2003 Resource Kit (or see the Networking Guide
on the Web at http://www.microsoft.com/reskit).
• Tunnel across the IPv4 Internet to the IPv6 Internet by using a 6to4 router and a 6to4
relay. A 6to4 host on an IPv4 network can communicate with an IPv6-only host on the IPv6
Internet by using a tunnel from a local 6to4 router across the IPv4 Internet to a 6to4 relay that
then forwards the packet across the IPv6 Internet to the recipient IPv6-only host. In this case, it
is the 6to4 relay that removes the IPv4 header and forwards the IPv6 packet to the recipient
IPv6-only host. In Figure 1.16, Host A (or Host B) sends its packet to 6to4 Router 1, which
tunnels it across the IPv4 Internet to the 6to4 relay, which then forwards the packet to 6to4
Host D.
Figure 1.16 Using 6to4 to Route IPv6 Packets
In Figure 1.16, 6to4 Router 2 represents a computer running Windows XP with ICS enabled. The private
interface of the ICS computer connects to a single-subnet intranet, and the ICS computer’s public interface
connects to the IPv4 Internet. The private interface of an ICS computer always uses the private IPv4 address
192.168.0.1.
IPv6/IPv4 hosts can also communicate with non-local IPv6/IPv4 hosts by using ISATAP-derived global
addresses, and by using an ISATAP router to tunnel packets through an IPv4 infrastructure. Under the IPv6
protocol that Windows XP and Windows Server 2003 support, you can use either of the following methods to
configure the intranet IPv4 address of an ISATAP router:
• Name resolution (preferred). For computers running Windows XP (SP1 or later) or Windows
Server 2003, automatic resolution of the name ISATAP to an IPv4 address. To ensure successful
name resolution, name the computer used as the ISATAP router ISATAP. A computer running
Windows XP or Windows Server 2003 then automatically registers the appropriate records in
DNS and WINS. For computers running Windows XP (earlier than SP1), the name resolved is
_ISATAP.
• Netsh commands for Interface IPv6. Manual configuration by using commands in the Netsh
Interface IPv6 context.
An ISATAP host sends an IPv4-encapsulated Router Solicitation message to a configured ISATAP router. The
ISATAP router responds with an IPv4-encapsulated unicast Router Advertisement message that contains
prefixes for use in autoconfiguring ISATAP-based addresses. This additional configuration is needed only when
the host’s subnet does not contain an IPv6 router.
The example in Figure 1.18 shows how two ISATAP hosts that use 6to4 prefixes can communicate across the
Internet even though each site is using the 192.168.0.0/16 private address space.
Figure 1.18 Using 6to4 and ISATAP to Route IPv6 Packets Across the IPv4 Internet
Note
Hosts running Windows XP or Windows Server 2003 determine
whether to use 6to4, ISATAP, or both depending on their IPv4
configuration.
• Pointer (PTR) Resource Records (optional; not recommended). The DNS infrastructure can
also contain the following resource records, populated either manually or dynamically, to
resolve addresses to host names in reverse queries:
• PTR records in the IN-ADDR.ARPA domain for the IPv4 addresses of IPv4 nodes.
• PTR records in the IP6.ARPA domain for the IPv6 addresses of IPv6 nodes. (Recall that
RFC 3152 specifies that IP6.INT be phased out and replaced by IP6.ARPA.) The IP6.INT
domain was created specifically for IPv6 reverse queries. To create the namespace for
reverse queries, each hexadecimal digit in the 32-digit IPv6 address (zero compression and
double-colon compression notation cannot be used) becomes a separate level in inverse
order in the reverse domain hierarchy. Therefore, the reverse lookup domain name for the
address FEC0::2AA:FF:FE3F:2A1C is:
C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT
Avoid integrating PTR resource record support into your DNS infrastructure; the results can be
unreliable.
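The reverse-name construction described above, together with the notation rules of Table 1.6, as an added Python example that is not part of the original chapter. It expands a compressed address to its 32 hexadecimal digits, re-applies leading-zero suppression and all-zero block compression, and builds the reverse lookup name; the function names are assumptions, and compressing only runs of two or more all-zero blocks is a choice made here, not a rule stated on the page.

```python
import string

HEX_DIGITS = set(string.hexdigits)


def expand(address: str) -> list:
    """Undo both compressions: return eight 4-digit uppercase hex blocks.
    Addresses with an embedded dotted-decimal IPv4 part are not handled."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one all-zero block")
        blocks = left + ["0"] * missing + right
    else:
        blocks = address.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight 16-bit blocks")
    for block in blocks:
        if not 1 <= len(block) <= 4 or not set(block) <= HEX_DIGITS:
            raise ValueError(f"bad block {block!r}")
    return [block.upper().zfill(4) for block in blocks]


def suppress_leading_zeros(blocks: list) -> list:
    """Drop leading zeros in each block, keeping one digit for all-zero blocks."""
    return [block.lstrip("0") or "0" for block in blocks]


def compress(blocks: list) -> str:
    """Suppress leading zeros, then replace the longest all-zero run with '::'."""
    short = suppress_leading_zeros(blocks)
    best_start, best_len, i = -1, 0, 0
    while i < len(short):
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < len(short) and short[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # assumption: a single zero block is left as "0"
        return ":".join(short)
    return (":".join(short[:best_start]) + "::"
            + ":".join(short[best_start + best_len:]))


def reverse_name(address: str, suffix: str = "IP6.ARPA") -> str:
    """Each of the 32 hex digits becomes one label, in inverse order."""
    digits = "".join(expand(address))
    return ".".join(reversed(digits)) + "." + suffix


if __name__ == "__main__":
    blocks = expand("FEC0::2AA:FF:FE3F:2A1C")
    print(":".join(blocks))
    print(":".join(suppress_leading_zeros(blocks)))
    print(compress(blocks))
    print(reverse_name("FEC0::2AA:FF:FE3F:2A1C", "IP6.INT"))
```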
For name-to-address resolution, after the querying node obtains the set of addresses corresponding to the name,
that node must determine the best set of addresses to use as the source and destination for outbound packets.
While name-to-address resolution is fairly straightforward in an IPv4-only environment, it becomes more
complex in an environment in which IPv4 and IPv6 coexist. In the mixed IPv6/IPv4 scenario, a DNS query can
return both IPv4 and IPv6 addresses. The querying host is configured with at least one IPv4 address and,
typically, multiple IPv6 addresses. Determining the type of address (IPv4 versus IPv6), and then the scope of the
address (for IPv4, public versus private; for IPv6, link-local versus site-local versus global versus coexistence),
for both the source and the destination addresses is complex.
Two algorithms, one to select the source address and another to select the destination address, specify default
behavior for IPv6 implementations. These algorithms do not override choices made by applications or upper-
layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The
two algorithms include an optional mechanism that lets you override the default behavior. In dual-stack
implementations, the destination address selection algorithm considers both IPv4 and IPv6 addresses, and
determines whether it prefers IPv6 addresses over IPv4 addresses, or vice-versa.
For more information about default address selection rules for IPv6, including the source address selection
algorithm and the destination address selection algorithm, see the Internet Draft “Default Address Selection for
IPv6.”
For an introduction to IPv6 and more information about Windows Server 2003 IPv6, see the Networking Guide
of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit), or see the IPv6 link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
Note
The PortProxy service transmits only TCP traffic for application-layer
protocols that do not embed address or port information in the TCP
segment. For example, the File Transfer Protocol (FTP), which embeds
addresses when using the FTP Port command, does not work across a
PortProxy computer. Unlike NAT, the PortProxy service does not
include an equivalent to NAT editors.
Figure 1.19 shows the process for testing a TCP/IP network design.
Figure 1.19 Testing Your Network Design
Additional Resources
These resources contain additional information related to this chapter.
Related Information
• “Deploying IPSec” in this book for more information about using Internet Protocol security
(IPSec).
• “Deploying ISA Server” in this book for more information about deploying Network Address
Translation (NAT).
• The Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide
on the Web at http://www.microsoft.com/reskit) for more information about TCP/IP, IPSec, and
IPv6 in Windows Server 2003.
• The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the
Internetworking Guide on the Web at http://www.microsoft.com/reskit) for technical
information about unicast IP routing, including the NAT routing protocol component of the
Routing and Remote Access service.
• “Planning for Deployment” in Planning, Testing, and Piloting Deployment Projects of this kit
for more information about inventorying your network hardware and software and creating a
map of your network topology.
• Cisco Internetwork Design by Matthew Birkner, 2000, Indianapolis, IN: Cisco Press for more
information about the three-tier network design model.
• Top-Down Network Design by Priscilla Oppenheimer, 1999, Indianapolis, IN: Cisco
Press/Macmillan Technical Publishing for more information about the three-tier network design
model.
• Understanding IPv6 by Joseph Davies, 2002, Redmond, WA: Microsoft Press.
• Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference by Joseph
Davies and Thomas Lee, 2002, Redmond, WA: Microsoft Press.
• Routing in the Internet (2nd Edition) by Christian Huitema, 2000, Upper Saddle River, NJ:
Prentice Hall PTR.
• Interconnections (2nd Edition) by Radia Perlman, 2000, Reading, MA: Addison-Wesley.
Related Tools
• Netsh commands for Interface IPv6
You can use the Netsh commands for Interface IPv6 to manage configuration of the IPv6
protocol. For more information about how to use the Netsh commands for Interface IPv6, see
the Netsh command-line help or see “Netsh commands for Interface IPv6” in the Help and
Support Center for Windows Server 2003.
• Netsh commands for Interface Portproxy
The Netsh commands for Interface Portproxy provide a command-line tool for administering
servers that act as proxies between IPv4 and IPv6 networks and applications. For more
information about how to use the Netsh Interface PortProxy commands, see the Netsh
command-line help or see “Netsh commands for Interface PortProxy” in Help and Support
Center for Windows Server 2003.
• Ipsec6.exe
For experimenting with IPSec for IPv6, you can use the Ipsec6 tool to configure IPSec policies
and security associations in an IPv6 environment. For more information about Ipsec6, see “IPv6
Utilities” in Help and Support Center for Windows Server 2003.
• Network Monitor (Netmon.exe)
The Network Monitor tool (Netmon.exe) is a protocol analyzer that you can use to monitor a
new network design. For more information about Netmon.exe, see “Network Monitor” in Help
and Support Center for Windows Server 2003.
Related Help Topics
• For best results in identifying Help topics by title, in Help and Support Center, under the
Search box, click Set search options. Under Help Topics, select the Search in title only
checkbox.
• “Using Multicast Scopes” in Help and Support Center for Windows Server 2003.
• “Netsh commands for Interface PortProxy” in Help and Support Center for Windows
Server 2003.