Frame Relay is a wide area networking protocol.
Frame Relay Basics
With PPP, you would need a separate physical wire for each connection. So let's say you had a router in the Los Angeles headquarters, and three branch offices in Chicago, New York, and Atlanta. If using PPP, the Los Angeles router would need three physical serial interfaces. Assuming the three branch offices all need to connect not just to LA but to each other as well, these would each need three serial interfaces as well:
PPPMULTI
As the business grows, the number of serial connections could grow exponentially. A better protocol is therefore needed for situations like this. Enter frame relay. Frame relay allows you to set up your router as if it has multiple connections to other routers, even though it only has one physical connection to your service provider. For example, physically, you could have this set up:
PHYSICAL FRAME RELAY
And then you could set up virtual connections, called Virtual Circuits or VCs, between each branch, making it act just like multiple independent connections:
VIRTUAL FRAME RELAY
In this case, the physical serial interface is broken into multiple virtual sub-interfaces. For example, s0/0 becomes s0/0.1 and s0/0.2, which then connect to the branch offices. Each sub-interfaces would be in its own sub-network, just as if they were separate physical interfaces.
DLCI
Each virtual circuit has an identifier called a Data Link Connection Identifier (DLCI). Think of this in the way you would think of a bus or train number. The DLCI address to get to another location is locally significant, unlike an IP address which is the address of the far computer. The far router in this case may not even be aware of the number of the DLCI used to get to it. For example, in the following illustration, the DLCI to reach the New York branch office is numbered 101, in effect saying, "Any packets that want to go to NY need to get on DLCI 101. But note that New York doesn't know or care what number the DLCI is. In fact, from it's end, the DLCI has a different number: 205. And it uses DLCI 205 to send packets to Los Angeles.
DLCI DEMO
So keep in mind that DLCIs are a bit different than addresses, as they are only important for the local router to know about.
LMI
Each virtual circuit also has a Link Management Interfae (LMI), which maintains the status of the virtual circuit to make sure it is still up. The LMI type needs to be the same on both ends, and there are three types of LMI: ansi, cisco, and q933a.
Encapsulation
The encapsulation type is obviously frame relay, but this can be of two types: cisco and ietf.
FECN, BECN, and DE
A frame relay service is provided by your service provider, and your router then connects to the service provider. The provider will provide a guarantee of a certain amount of bandwidth, but many times you can go over that amount. However, any data that is over the amount cannot be guaranteed and can be marked with a Discard Eligibility bit (DE), which tags it as "OK to be discarded if over bandwidth."
Now, let's consider a situation where the frame relay network is getting congested with traffic. You may want to be able to tell the routers to slow down their transmission rate if this occurs. The service provider's frame relay switch can notify your receiving router to expect a delay in traffic, and it can notify your sending router that there is congestion in order to give it the option to slow down. The frame relay switch can set the Forward Explicit Congestion Notifier, which notifies the receiving router of the congestion:
FECN
The frame relay switch can also set the Backward Explicit Congestion Notifier, which tells the receiving router to notify the sending router of the congestion when it sends any packets (for example, confirmation notifications) to the recieving router:
BECN
The FECN and BECN bits can then be used for shaping traffic: causing routers to slow down or speed up in response to congestion, in order to avoid too much data being tagged with a DE bit and discarded.
Inverse ARP
Remember Address Resolution Protocol? When a computer needs to know the MAC (physical) address of a local computer, it broadcasts an ARP message, in effect asking, "Hey, whoever 192.168.3.101 is, please give me your MAC address so I can send you some data!"
Inverse ARP is used in frame relay to get the IP address of a DLCI. The router will broadcast, "Hey, DLCI 101! Give me the IP address that you connect to on the other end!" In this way, it will automatically map DLCIs to IP addresses so that it knows which DLCI to put packets on.
Configuration
The simplest way to configure frame relay is to simply enter the interface mode, and then the command "encap frame relay."
Thursday, January 16, 2014
Tuesday, January 7, 2014
Subnetting
IP addresses consist of two parts: the network ID, and the device (or host) ID. Think of the network ID as the postal zip code, and the device ID as the street address. The network ID identifies the network the device is located on, and then the device or host ID identifies the device on that network.
Subnetting Basics
Remember that an IP address is divided into the network portion, and device (or host) portion. For example, a class B address of 130.16.27.4 has a network address of 130.16 and a device address of 27.4. The subnet mask indicates which portion is the network address and which portion is the host address. In this case, 255.255.0.0, which indicates the first two octets are the network address.
For more flexibility, and to avoid wasting IP addresses, you can "steal" bits from the device portion of the address and make them part of the network address. If you only have 200 or so devices on a network, you could take that class B address above and make the third octet part of the network address. This is called a subnet. The mask becomes 255.255.255.0, and only the last octet is used for device addresses. So the network ID from the above example would now be 130.16.27.0, and the device addresses would be 130.16.27.1, 130.16.27.2, and so on, all the way up to 130.16.27.255, which would be the broadcast address.
The tricky part comes when you only want to steal a few bits from the host portion of the address. What happens when you steal three bits from the host portion? The binary version of the subnet mask would be 11111111.11111111.11100000.00000000, but what is the mask written in decimal? And what is the range of addresses for each subnetwork?
The best way to do subnetting is to simply memorize a few tables. Commit this list to memory:
128, 192, 224, 240, 248, 252, 254, 255
For each bit in the subnet, you will now know what the subnet mask is. In the above example, we stole three bits from the host portion of the address, so simply count three numbers in on the list you've memorized, which would be 224. So the decimal version of the above address is 255.255.224.0.
But now you need to know the start and ending address of each network within the subnet, and the usable device addresses. Here is the second list you need to commit to memory:
128, 64, 32, 16, 8, 4, 2, 1
Sticking with the example above, you again count three numbers in for the three bits we stole from the host portion, which would be 32. So you know each subnet increments by 32. So the first subnetwork address range would be 130.16.0.0 up to 130.16.31.0, and the next subnetwork would be 130.16.32.0 to 130.16.63.0. Note that in that third octet, (mask 255.255.224.0) we are incrementing by 32.
So the first usable device address in that first subnetwork would be 130.16.0.1, the next would be 130.16.0.2, and so on up to 130.16.0.255, followed by 130.16.1.0, 130.16.1.1, and so on. Until we hit the number right before the next subnetwork (130.16.31.255). If we add one more to this, it will be in the next subnetwork (130.16.32.0), so we know that we now have the broadcast address of this network. Subtract one from this broadcast address, and you have the last usable device address: 130.16.31.254.
REMEMBER THIS: The first address in the range of each subnetwork is the network address, and the last is the subnetwork's broadcast address.
To recap, the first subnetwork range of addresses would be:
130.16.0.0 network address
130.16.0.1 first usable device address
130.16.31.254 last usable device address
130.16.31.255 network broadcast address
And our next network would be the next 32 block:
130.16.32.0 network address
130.16.32.1 first usable device address
130.16.63.254 last usable device address
130.16.63.255 network broadcast address
And so on in blocks of 32.
Now let's say that we stole 5 bits from the host portion of the address. So the subnet mask is now 11111111.11111111.11111000.00000000. What is the subnet mask in decimal? You memorized the numbers I told you to memorize above, so you simply count 5 in:
128,192,224,240,248,252,254,255
…which would be 248. So the subnet mask is 255.255.248.0. Now what is the network increment size? Again count five in:
128,64,32,16,8,4,2,1
The increment is 8. So in the third octet, the network will increment by 8. So the address range is:
130.16.0.0 network address
130.16.0.1 first usable host address
130.16.7.254 last usable host address
130.16.7.255 network broadcast address
130.16.8.0 network address
130.16.8.1 first usable host
130.16.15.254 last usable host
130.16.15.255 last usable host
And so on until we hit 255 in the third octet.
CIDR Notation
A different way to represent the subnet mask is to list the number of bits used in the mask. So the last example above uses the first two octets (16), plus five more bits from the host portion, for a total of 21. So the addresses above could be written like this: 130.16.0.0/21.
Practice, Practice, Practice!
You need to be able to do subnetting quickly, in your head. Let's say you see the following address: 196.43.16.18/29. You may need to know what subnetwork this address is a part of. Note the CIDR notation of 29 bits. Note that the address is a class C address (between 192 and 223). So you know that the normal mask for a class C address is 255.255.255.0, or /24. Since this address uses 29 bits for the mask, that is 5 bits past the normal mask for a class C address. Count five in from the list you memorized:
128,192,224,240,248,252,254,255
So you now know that the subnet mask is 255.255.255.248.
Now count five in from the other list of numbers you memorized:
128,64,32,16,8,4,2,1
So you know the network increment size is 8. For example, the first network would be 196.43.16.0, the next would be 196.43.16.8, then 196.43.16.16, followed by 196.43.16.24 and so on, with the host addresses in between. So the IP address of 196.43.16.18 falls between 196.43.16.16 and 196.43.16.24, so it belongs to the 196.43.16.16 network.
Now, what is the first usable host from this network? One more than the network address. The network address is 196.43.16.16, so the first usable host address would be 196.43.16.17.
And what is the broadcast address for this network? One less than the next network address. The next network addres is 196.43.16.24, so the broadcast address is 196.43.16.23.
So we started with this: 196.43.16.18/29
And got this:
196.43.16.16 network address
196.43.16.17 first usable host address
196.43.16.23 broadcast address
You need to be able to do this backwards as well. Let's say you have 20.27.42.11, with a subnet mask of 255.240.0.0. What is the CIDR notation for this? As long as you keep that table in mind, you should not have any problems:
128,192,224,240,248,252,254,255
That mask is four numbers in, so the CIDR would be four numbers more than the normal mask address for that class, which would be 8, so the CIDR would be four more than that: /12. Since you know you are four past the normal mask, you can then get the network increment:
128,64,32,16,8,4,2,1
And you will know that 20.27.42.11 belongs to the 20.16.0.0 network, with a broadcast address of 20.31.255.255, which is one less than the next network of 20.32.0.0.
This needs to be second nature, so use subnettingquestions.com for an endless supply of randomly-generated practice questions.
Practice, Practice, Practice!
You need to be able to do subnetting quickly, in your head. Let's say you see the following address: 196.43.16.18/29. You may need to know what subnetwork this address is a part of. Note the CIDR notation of 29 bits. Note that the address is a class C address (between 192 and 223). So you know that the normal mask for a class C address is 255.255.255.0, or /24. Since this address uses 29 bits for the mask, that is 5 bits past the normal mask for a class C address. Count five in from the list you memorized:
128,192,224,240,248,252,254,255
So you now know that the subnet mask is 255.255.255.248.
Now count five in from the other list of numbers you memorized:
128,64,32,16,8,4,2,1
So you know the network increment size is 8. For example, the first network would be 196.43.16.0, the next would be 196.43.16.8, then 196.43.16.16, followed by 196.43.16.24 and so on, with the host addresses in between. So the IP address of 196.43.16.18 falls between 196.43.16.16 and 196.43.16.24, so it belongs to the 196.43.16.16 network.
Now, what is the first usable host from this network? One more than the network address. The network address is 196.43.16.16, so the first usable host address would be 196.43.16.17.
And what is the broadcast address for this network? One less than the next network address. The next network addres is 196.43.16.24, so the broadcast address is 196.43.16.23.
So we started with this: 196.43.16.18/29
And got this:
196.43.16.16 network address
196.43.16.17 first usable host address
196.43.16.23 broadcast address
You need to be able to do this backwards as well. Let's say you have 20.27.42.11, with a subnet mask of 255.240.0.0. What is the CIDR notation for this? As long as you keep that table in mind, you should not have any problems:
128,192,224,240,248,252,254,255
That mask is four numbers in, so the CIDR would be four numbers more than the normal mask address for that class, which would be 8, so the CIDR would be four more than that: /12. Since you know you are four past the normal mask, you can then get the network increment:
128,64,32,16,8,4,2,1
And you will know that 20.27.42.11 belongs to the 20.16.0.0 network, with a broadcast address of 20.31.255.255, which is one less than the next network of 20.32.0.0.
This needs to be second nature, so use subnettingquestions.com for an endless supply of randomly-generated practice questions.
Sunday, January 5, 2014
Access Control Lists (ACLs)
Access Control Lists (ACLs) allow you to permit or deny traffic with IP addresses or ports that you specify as permitted or denied.
ACL Basics
Think of an ACL as a bouncer at a nightclub. An incoming packet will be matched against a guest list, and if its IP address is not on the list, it doesn't get to go into (or come out of) the router's interface. Or if the packet is on a "banned" list, it doesn't get to pass either.
Standard ACLs
Standard access lists can only look at the source IP address of incoming or outgoing packets. A packet comes along with a source IP address of 10.4.56.21, the router looks at the access list, and sees that addresses in that range are permitted, so let's it through. Like a bouncer, if the address were not explicitly permitted, then it would be denied. So this access list would effectively block all traffic except for packets with that one source IP address.
Extended ACLs
These types of access lists can look at the protocol (such as IP, TCP, and UDP), the source and destination IP addresses, and the source and destination port numbers. So there are many options for filtering packets here, such as filtering out all HTTP traffic by denying anything with a destination port of 80.
Numbered vs Named ACLs
Access lists, both standard and extended, can be either numbered or named. With numbered access lists, each permit or deny statement is created in the order you want, and then cannot be removed. The only way to remove a statement is to delete the whole access list and start fresh. However, with named access lists, you will enter your statements in a sub-prompt and can use line numbers to re-order, delete them, and so on.
Wild Card Masks
ACLs use wild cards to allow you to filter based on a range of IP addresses. The "masked out" part is the part you don't care about, like saying "anything here." In other words, the wild card. A wild card mask is simply an inverted subnet mask, so make sure you understand subnet masks before trying to understand wildcards.
Here is an example. Let's say you want to deny all traffic from, not just a single IP address, but an entire subnetwork. The network 192.168.1.64/26. This would include IP addresses 192.168.1.64 to 192.168.1.126. So your subnet mask is 255.255.255.192. Your wildcard mask will be the inverse of this mask. The easiest way to get this is to find the block size of the subnet (remember your subnetting?), which is 64, and then subtract one from the block size: 63. So the wildcard mask is 0.0.0.63. So to block all IP addresses in that range, you would use 192.168.1.64 0.0.0.63. If you convert the wildcard to bits, it will be 00000000.00000000.00000000.00111111, which tells the access list that you don't care what the last six bits are. Those first 26 bits are all you need the list to look at.
ACL Configuration
Numbered Standard Access Lists
First, the command "access-list", followed by the number. This number can be from 1 to 99, or from 1300 to 1999. Then you either permit or deny, followed by the source IP address that you want to permit or deny. Finally, the wild card mask. Then you can create the next permit or deny statement.
After you have created your access list, you need to apply it to an interface, and tell it whether to apply the list for outgoing or incoming packets.
Named Standard Access Lists
The first command is "ip access-list standard", followed by the name you want to give it (which can include numbers if you like). Then you press ENTER, which brings you into the access list sub-prompt. Within this sub prompt you begin entering your permit and deny statements, or removing them if necessary. You can start each one with a line number if you want (typically 10, 20, etc to allow you to insert statements in between them later if you decide). Finally, type "exit" to exit the sub prompt.
Then you just need to apply it to the interface and tell it to match either incoming or outgoing packets, as above.
Numbered Extended Access Lists
As above, you simply use the command "access-list" followed by a number, but for it to be an extended ACL the number must be from 100 to 199, or from 2000 to 2699. This is followed by a "permit" or "deny" statement, and then the protocol you want the list to be concerned with, such as IP or TCP. Next is the source IP address and port, followed by the destination IP address and port. For port numbers, you can use several operators such as "eq 80" to mean "if the port number equals 80", or "new 80" to mean "if the port number is anything other than 80. Other operators include "lt" for "less than", and "gt" for "greater than". Instead of port numbers, you can also use protocols. For example, instead of saying "eq 80", you could use "eq HTTP." As with all the others, you must then apply it to the interface you want.
Named Standard Access Lists
The first command is "ip access-list extended", followed by the name you want to give the list. Then press ENTER, which brings you to the ACL configuration sub-prompt. Now enter your statements beginning with a line number if you like (if not, it just puts the permit/deny statement at the end of the ACL), followed by "permit" or "deny", followed by the protocol (IP, TCP, UDP), followed by the source IP address and port, and the destination IP address and port. Finally, apply it to the interface you want.
Example 1: Numbered Standard Access List
1. Create an access list numbered "47" that will permit any traffic from subnetwork 10.22.32.0/19, and deny traffic from anywhere else:
1. Create an access list named "MyACL", which will begin the sub-prompt:
1. Create the numbered access list statement, denying packets bound for an HTTP server by denying all packets with a destination port of 80:
1. Create a named list called "MyACL", which will also enter you into the ACL sub-prompt:
You can look to see which ACLs exist on a router by using the "show run" command, or by using the "show ip access-list" command.
ACL Basics
Think of an ACL as a bouncer at a nightclub. An incoming packet will be matched against a guest list, and if its IP address is not on the list, it doesn't get to go into (or come out of) the router's interface. Or if the packet is on a "banned" list, it doesn't get to pass either.
Standard ACLs
Standard access lists can only look at the source IP address of incoming or outgoing packets. A packet comes along with a source IP address of 10.4.56.21, the router looks at the access list, and sees that addresses in that range are permitted, so let's it through. Like a bouncer, if the address were not explicitly permitted, then it would be denied. So this access list would effectively block all traffic except for packets with that one source IP address.
Extended ACLs
These types of access lists can look at the protocol (such as IP, TCP, and UDP), the source and destination IP addresses, and the source and destination port numbers. So there are many options for filtering packets here, such as filtering out all HTTP traffic by denying anything with a destination port of 80.
Numbered vs Named ACLs
Access lists, both standard and extended, can be either numbered or named. With numbered access lists, each permit or deny statement is created in the order you want, and then cannot be removed. The only way to remove a statement is to delete the whole access list and start fresh. However, with named access lists, you will enter your statements in a sub-prompt and can use line numbers to re-order, delete them, and so on.
Wild Card Masks
ACLs use wild cards to allow you to filter based on a range of IP addresses. The "masked out" part is the part you don't care about, like saying "anything here." In other words, the wild card. A wild card mask is simply an inverted subnet mask, so make sure you understand subnet masks before trying to understand wildcards.
Here is an example. Let's say you want to deny all traffic from, not just a single IP address, but an entire subnetwork. The network 192.168.1.64/26. This would include IP addresses 192.168.1.64 to 192.168.1.126. So your subnet mask is 255.255.255.192. Your wildcard mask will be the inverse of this mask. The easiest way to get this is to find the block size of the subnet (remember your subnetting?), which is 64, and then subtract one from the block size: 63. So the wildcard mask is 0.0.0.63. So to block all IP addresses in that range, you would use 192.168.1.64 0.0.0.63. If you convert the wildcard to bits, it will be 00000000.00000000.00000000.00111111, which tells the access list that you don't care what the last six bits are. Those first 26 bits are all you need the list to look at.
ACL Configuration
Numbered Standard Access Lists
First, the command "access-list", followed by the number. This number can be from 1 to 99, or from 1300 to 1999. Then you either permit or deny, followed by the source IP address that you want to permit or deny. Finally, the wild card mask. Then you can create the next permit or deny statement.
After you have created your access list, you need to apply it to an interface, and tell it whether to apply the list for outgoing or incoming packets.
Named Standard Access Lists
The first command is "ip access-list standard", followed by the name you want to give it (which can include numbers if you like). Then you press ENTER, which brings you into the access list sub-prompt. Within this sub prompt you begin entering your permit and deny statements, or removing them if necessary. You can start each one with a line number if you want (typically 10, 20, etc to allow you to insert statements in between them later if you decide). Finally, type "exit" to exit the sub prompt.
Then you just need to apply it to the interface and tell it to match either incoming or outgoing packets, as above.
Numbered Extended Access Lists
As above, you simply use the command "access-list" followed by a number, but for it to be an extended ACL the number must be from 100 to 199, or from 2000 to 2699. This is followed by a "permit" or "deny" statement, and then the protocol you want the list to be concerned with, such as IP or TCP. Next is the source IP address and port, followed by the destination IP address and port. For port numbers, you can use several operators such as "eq 80" to mean "if the port number equals 80", or "new 80" to mean "if the port number is anything other than 80. Other operators include "lt" for "less than", and "gt" for "greater than". Instead of port numbers, you can also use protocols. For example, instead of saying "eq 80", you could use "eq HTTP." As with all the others, you must then apply it to the interface you want.
Named Standard Access Lists
The first command is "ip access-list extended", followed by the name you want to give the list. Then press ENTER, which brings you to the ACL configuration sub-prompt. Now enter your statements beginning with a line number if you like (if not, it just puts the permit/deny statement at the end of the ACL), followed by "permit" or "deny", followed by the protocol (IP, TCP, UDP), followed by the source IP address and port, and the destination IP address and port. Finally, apply it to the interface you want.
Example 1: Numbered Standard Access List
1. Create an access list numbered "47" that will permit any traffic from subnetwork 10.22.32.0/19, and deny traffic from anywhere else:
access-list 47 permit 10.22.32.0 0.0.31.2552. Apply this access list to all incoming traffic on port fa0/0 on the router:
interface fa0/0Example 2: Named Standard Access List
ip access-group 47 in
1. Create an access list named "MyACL", which will begin the sub-prompt:
ip access-list standard MyACL2. In the sub-prompt, begin entering the permit/deny statements:
10 permit 10.22.32.0 0.0.31.25520 deny 192.168.1.0 0.0.0.2553. Apply the access list to interface fa0/0:
interface fa0/0ip access-group MyACL outExample 3: Numbered Extended Access List
1. Create the numbered access list statement, denying packets bound for an HTTP server by denying all packets with a destination port of 80:
access-list 147 deny tcp 10.22.32.0 0.0.31.255 192.168.1.1 0.0.0.0 eq 802. Apply the list to packings coming into interface s0/1
interface s0/1Example 4: Named Extended Access List
ip access-group 147 in
1. Create a named list called "MyACL", which will also enter you into the ACL sub-prompt:
ip access-list extended MyACL2. Within the sub-prompt, begin entering permit and deny statements, using line numbers. If line numbers had not been used, new statements would have just been placed at the end of the list. We want to permit all traffic from network 10.22.32.0/19, and deny all (note the word "any" to substitute 0.0.0.0 255.255.255.255) FTP traffic to the FTP server. Note that we could also use "eq 21":
10 permit ip 10.22.32.0 0.0.31.255 65.32.10.1 0.0.0.03. Finally, apply the access list to the Fast Ethernet interface 1/2, for packets going out:
20 deny tcp any 192.168.3.102 eq ftp
interface fa1/2Verifying Access Control Lists
ip access-group MyACL out
You can look to see which ACLs exist on a router by using the "show run" command, or by using the "show ip access-list" command.
Thursday, January 2, 2014
NAT
Network Address Translation (NAT) is simple in concept but the configuration can be a bit tricky.
NAT Basics
Think of two networks: your local area network (using private IP addresses), and the outside world (using public IP addresses). The packets on your LAN will typically have source IP addresses in the private IP address ranges (such as 192.168.1.1), so how can they travel outside your local network?
The answer is to let the packets swap out their private source addresses temporarily for a globally routable, public IP address. This can be from a pool of public IP addresses your company may have purchased. The router is told what the pool is, and then one of those addresses is grabbed and becomes the source address for the outgoing packet:
The reverse then happens when the packet is coming back.
This can also be used to make a privately addressed web server available to the public. In that case, then, packets with a public IP address are swapped out with the private internal IP address of your web server:
The outside world thinks your web server's IP address is 91.24.32.1, but in reality, the server's address is the private 192.168.2.2.
The reasons to use NAT? Most often, it is used to share Internet access with all computers in a private LAN. The outgoing packets have their
Some Tricky Terminology
A real, private, local IP address is called "inside local". A real, public, IP address is called "outside global."
After a packet has passed through NAT and had its source or destination IP address changed, a real, public IP address that has been "transformed" into an internal, private IP address is called "outside local." Because it is an outside address that has been changed temporarily to a local private IP address.
And a packet that has passed through NAT going from your private LAN to a globally routable IP address is called "inside global", because it is an inside private address that has been swapped out temporarily with a globally routable public address.
To recap this terminology because it can be confusing:
Step1: Tell the router which interfaces are inside and which are outside
The first step to configuring NAT is to tell the router which interface is inside and which is outside. Generally, inside interfaces would be the LAN, and outside would be public outward-facing interfaces. This is not set in stone, however. For example, you may decide to connect two internal networks together and use NAT because you have overlapping IP subnets. In this case, it is arbitrary which network is "inside" and which is "outside", since they are both technically inside.
Step 2: Create the pool of addresses to use for the swapping
Next, you tell the router your pool of addresses you want to use for swapping purposes. This could be a range of IP addresses, or just a single IP address. This type of NAT is called "dynamic", since the router "decides" which address to swap out on the fly. You could also create a one-to-one address swap, which is called "static NAT". In that case, there is no need for a pool of addresses, obviously.
Step 3: Decide whether to use overloading or not
A third possibility is to have source addresses swapped out with the router's own single public (outside) interface address. This is called "overloaded NAT", since every single local computer will be swapped out with the single source address of your router. How does the router keep track of which local IP address to put back on the returning packet, though, if they all have the same address? They take advantage of the fact that packets will have a randomly generated source port number (so packets know which application they are destined for when returning), and this port number is how the router knows which internal address to put back on the returning packet. For this reason, it is also called Port Address Translation (PAT). Overloaded NAT is what is used for home routers which give Internet access to every computer in the home.
Step 4: Access List
Then, you will create the list of devices that should use NAT. Typically, the list of your internal devices that you want to be translated to outside global addresses. If you just want your entire internal network to use NAT, for example, you would just create an access list permitting your entire subnet.
Step 5: Turn it On
Finally, turn NAT on by telling the router whether to swap out source or destination addresses, the name of the access list of devices that are to use NAT, the name of the pool of addresses that will be used for the swapping, and whether to use overloaded NAT or not.
Example 1
1. Set interfaces to be inside or outside:
1. Set interfaces to be inside or outside:
NAT Basics
Think of two networks: your local area network (using private IP addresses), and the outside world (using public IP addresses). The packets on your LAN will typically have source IP addresses in the private IP address ranges (such as 192.168.1.1), so how can they travel outside your local network?
The answer is to let the packets swap out their private source addresses temporarily for a globally routable, public IP address. This can be from a pool of public IP addresses your company may have purchased. The router is told what the pool is, and then one of those addresses is grabbed and becomes the source address for the outgoing packet:
The reverse then happens when the packet is coming back.
This can also be used to make a privately addressed web server available to the public. In that case, then, packets with a public IP address are swapped out with the private internal IP address of your web server:
The outside world thinks your web server's IP address is 91.24.32.1, but in reality, the server's address is the private 192.168.2.2.
The reasons to use NAT? Most often, it is used to share Internet access with all computers in a private LAN. The outgoing packets have their
Some Tricky Terminology
A real, private, local IP address is called "inside local". A real, public, IP address is called "outside global."
After a packet has passed through NAT and had its source or destination IP address changed, a real, public IP address that has been "transformed" into an internal, private IP address is called "outside local." Because it is an outside address that has been changed temporarily to a local private IP address.
And a packet that has passed through NAT going from your private LAN to a globally routable IP address is called "inside global", because it is an inside private address that has been swapped out temporarily with a globally routable public address.
To recap this terminology because it can be confusing:
- Outside global: a public IP address, before NAT translation
- Inside local: a private IP address, before NAT translation
- Outside local: a public IP address that has been turned into a private address by NAT
- Inside global: a private IP address that has been turned into a public address by NAT
Step1: Tell the router which interfaces are inside and which are outside
The first step to configuring NAT is to tell the router which interface is inside and which is outside. Generally, inside interfaces would be the LAN, and outside would be public outward-facing interfaces. This is not set in stone, however. For example, you may decide to connect two internal networks together and use NAT because you have overlapping IP subnets. In this case, it is arbitrary which network is "inside" and which is "outside", since they are both technically inside.
Step 2: Create the pool of addresses to use for the swapping
Next, you tell the router your pool of addresses you want to use for swapping purposes. This could be a range of IP addresses, or just a single IP address. This type of NAT is called "dynamic", since the router "decides" which address to swap out on the fly. You could also create a one-to-one address swap, which is called "static NAT". In that case, there is no need for a pool of addresses, obviously.
Step 3: Decide whether to use overloading or not
A third possibility is to have source addresses swapped out with the router's own single public (outside) interface address. This is called "overloaded NAT", since every single local computer will be swapped out with the single source address of your router. How does the router keep track of which local IP address to put back on the returning packet, though, if they all have the same address? They take advantage of the fact that packets will have a randomly generated source port number (so packets know which application they are destined for when returning), and this port number is how the router knows which internal address to put back on the returning packet. For this reason, it is also called Port Address Translation (PAT). Overloaded NAT is what is used for home routers which give Internet access to every computer in the home.
Step 4: Access List
Then, you will create the list of devices that should use NAT. Typically, the list of your internal devices that you want to be translated to outside global addresses. If you just want your entire internal network to use NAT, for example, you would just create an access list permitting your entire subnet.
Step 5: Turn it On
Finally, turn NAT on by telling the router whether to swap out source or destination addresses, the name of the access list of devices that are to use NAT, the name of the pool of addresses that will be used for the swapping, and whether to use overloaded NAT or not.
Example 1
1. Set interfaces to be inside or outside:
int fa0/02. Create a pool named "OurPool" of IP addresses from 11.2.1.2 to 11.2.1.200, with a subnet mask of 255.0.0.0:
ip nat inside
int s0/0
ip nat outside
ip nat pool OurPool 11.2.1.2 11.2.1.200 netmask 255.0.0.03. Create an access list allowing certain devices to use NAT; in this case, all internal devices:
access-list 7 permit 192.168.1.0 0.0.0.2554. Finally, turn NAT on by telling it whether to swap outgoing source or outgoing destination addresses. In this case, we are telling it to swap outbound packet source addresses with the "inside source" command. For packets coming in, this would swap out the destination address. If you want the outgoing packets to swap out their destination addresses, you would use "outside souce". This command also lists the access list (the inside devices that should use NAT), the pool of addresses for swapping, and that it should not use overloading:
ip nat inside source list 7 pool OurPool no-overloadExample 2
1. Set interfaces to be inside or outside:
int fa0/02. Create a pool named "OurPool" of the single public IP address of the router. We will do overloading with this configuration:
ip nat inside
int s0/0
ip nat outside
ip nat pool overld OurPool 11.2.1.2 netmask 255.0.0.03. Create an access list allowing certain devices to use NAT; in this case, all internal devices:
access-list 7 permit 192.168.1.0 0.0.0.2554. Finally, turn NAT on by telling it whether to swap outgoing source or outgoing destination addresses. In this case, we are telling it to swap outbound packet source addresses with the "inside source" command. For packets coming in, this would swap out the destination address. If you want the outgoing packets to swap out their destination addresses, you would use "outside souce". This command also lists the access list (the inside devices that should use NAT), the pool of addresses for swapping, and that it should not use overloading:
ip nat inside source list 7 pool OurPool overloadNOTE: You could also skip the pool, and replace "pool OurPool" in this last command with "interface serial 0/0" to automatically have the router use its serial interface IP address for the overloading.
Subscribe to:
Posts (Atom)