ALTE DOCUMENTE
|
|||||||||
Choose an address allocation method that best fits your structured address model. Addressing by topology is recommended. However, you can choose one or more of the following methods:
Random address allocation. Under a random addressing structure, you can assign blocks of addresses randomly. Random address allocation might be the most frequently used address allocation method, but it is the least desirable. For a small network where no significant growth is anticipated, this approach might be appropriate. However, if the network does grow, random address allocation can cause extra work for network administrators. Summarizing the random collection of routes might be difficult or impossible. This method can cause stability problems, with numerous routes being advertised to the core tier.
Addressing by organization chart. To base your address structure on your organization chart, you create subnets based on a pool of addresses preassigned to a department or team. If, for example, you designate the Sales department as 10.2.0.0/16, the address 10.2.1.0/24 might be the subnet for the sales team at one site and 10.2.2.0/24 might be the subnet for the sales team at another site. To the extent that contiguous subnets remain unassigned, this address allocation method offers limited possibilities for route summarization, but, as a rule, this kind of addressing scheme does not scale well.
Addressing by geographical region. When you base your address structure on location, a greater degree of summarization is possible. However, as the internetwork of a geographically diverse organization continues to grow, fewer routes are available for summarization.
Addressing by topology. By basing your address structure on topology, you can ensure that summarization takes place and that an internetwork remains scalable and stable. Addressing by topology makes the addressing structure router-centric, enhancing efficiency.
If you use a direct (routed) connection to the Internet, you must use public addresses. If you use an indirect connection such as a proxy server or Network Address Translator (NAT), use private addresses. If your organization is not connected to the Internet, use private addresses (rather than "unauthorized" addresses) so that if you later connect to the Internet using an indirect connection, you do not need to change addresses already in use.
If you connect to the Internet by using an Internet service provider (ISP), the ISP might provide only private addresses. The ISP itself uses public addresses to connect to the Internet.
IANA assigns public addresses and guarantees them to be globally unique on the Internet. In addition, routes are programmed into the routers on the Internet so that traffic can reach those assigned public addresses. That is why public addresses can be reached on the Internet.
Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those hosts within an organization that do not require direct access to the Internet. These addresses do not duplicate already assigned public addresses. RFC 1918, "Address Allocation for Private Internets," defines the following three private address blocks:
The 10.0.0.0/8 private network is a Class A network ID that supports the following range of valid IP addresses: 10.0.0.1 through 10.255.255.254. The 10.0.0.0/8 private network has 24 host bits that a private organization can use for any subnetting scheme within the organization.
The 172.16.0.0/12 private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The 172.16.0.0/12 private network supports the following range of valid IP addresses: 172.16.0.1 through 172.31.255.254.
The 192.168.0.0/16 private network can be interpreted either as a block of 256 Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The 192.168.0.0/16 private network supports the following range of valid IP addresses: 192.168.0.1 through 192.168.255.254.
Because IANA never assigns IP addresses in the private address space as public addresses, routes for private addresses never exist on the Internet routers. Any number of organizations can repeatedly use the private address space, which helps to prevent the depletion of public addresses.
Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a NAT before it is sent over the Internet.
For an introduction to TCP/IP and more information about public and private addresses, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at https://www.microsoft.com/reskit).
Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has assigned to other organizations. You cannot connect to the Internet by using unauthorized addresses.
Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. On some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation.
Network address translation, defined in RFC 3022, is the translation process performed by an IP router functioning as a network address translator (NAT). A NAT translates IP addresses from private network addresses used inside an organization to public addresses used outside the organization. Typically, a NAT-enabled router connects an internal corporate network with the Internet and builds a table that maps the connections between hosts inside the network and hosts outside on the Internet.
You can use NAT to map multiple internal private addresses to a single external public IP address. For example, a small business might obtain an ISP allocated public IP address for each computer on its network. By using NAT, however, the business could use private addressing internally and have NAT map its private addresses to one or more public IP addresses that the ISP allocates.
NAT makes it more difficult for external users to attack systems on a private network. NAT also allows several nodes on the private network, each with its own private address, to share a smaller number of scarcer public addresses to access the Internet. However, although NAT allows you to reuse the private address space, it does not support standards-based network layer security or the correct mapping of all higher layer protocols. One purpose for the large number of addresses made available with the introduction of IPv6 is to make address conservation techniques such as NAT unnecessary.
Windows Server 2003 also supports IPSec NAT traversal (NAT-T), which allows nodes located behind a NAT (that is, they use private addresses) to use Encapsulating Security Payload (ESP) to protect traffic. This capability allows the creation of Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) connections from remote access clients and routers located behind NATs.
For more information about unicast IP routing, including technical information about the NAT routing protocol component of the Routing and Remote Access service, see the Internetworking Guide of the Windows Server 2003 Resource Kit (or see the Internetworking Guide on the Web at https://www.microsoft.com/reskit).
|
