ECE/8th sem
PREFACE
ACKNOWLEDGEMENT
I also express my gratitude towards all the people associated with the project for their
support, co-operation and cheerful readiness in reviewing this project. Last but not
least, I am very thankful to my parents, who are my source of inspiration in every
field of life.
Komalbir Singh
INDEX
a. FEASIBILITY STUDY
   i. TECHNICAL FEASIBILITY
   ii. BEHAVIORAL / OPERATIONAL FEASIBILITY
c. REQUIREMENT ANALYSIS
   i. WORK FLOW DIAGRAM
1. DESIGN
   i. MODULE
   ii. IMPLEMENTATION AND MAINTENANCE
1. TESTING
   i. ALPHA TESTING
   ii. BETA TESTING
1. SNAPSHOTS
2. FUTURE SCOPE
3. CONCLUSION
4. BIBLIOGRAPHY
Introduction:-
HCL was founded in 1976 by Shiv Nadar, Arjun Malhotra, Subhash Arora, Ajai
Chowdhry, DS Puri, & Yogesh Vaidya. HCL was focused on addressing the IT
hardware market in India for the first two decades of its existence with some
sporadic activity in the global market. In 1981, HCL seeded a company focused on
addressing the computer training industry, NIIT, though it has currently divested
its stake in the company. In 1991, HP took a minority stake (26%) in the company,
and the company was known as HCL HP for the five years of the joint venture. On
termination of the joint venture in 1996, HCL became an enterprise which
comprises HCL Technologies (to address the global IT services market) and HCL
Infosystems (to address the Indian and APAC IT hardware market). HCL has since
then operated as a holding company.
HCL Peripherals (a unit of HCL Infosystems Ltd.), founded in the year 1983, has
established itself as a leading manufacturer of computer peripherals in India,
encompassing Display Products, Thin Client solutions, Information and Interactive
Kiosks and a wide range of Networking products & Solutions. HCL Peripherals
has two Manufacturing facilities, one in Pondicherry (Electronics) and the other in
Chennai (Mechanical). The company has been accredited with ISO 9001:2000, ISO
14001,
As the training arm of HCL Infosystems, HCL Career Development Centre (CDC)
carries forth a legacy of excellence spanning across more than three decades. HCL
CDC is an initiative that enables individuals and organisations to benefit from
HCL's deep expertise in the IT space.
Among the fastest growing IT education brands in India, HCL CDC offers a
complete spectrum of quality training programs on software, hardware, networking
as well as global certifications in association with leading IT organisations
worldwide.
About Project:-
In today’s Internet the two main problems related to the IP protocol are the
shortage of IP addresses and scaling in routing. Long-term solutions to these
problems are being developed, like IPv6, but they will take their time to be widely
accepted. Meanwhile, short-term solutions are proposed and used that help to
delay the problems for some time. One of these solutions is Network Address
Translation (NAT), the implementation of which is the subject of our project.
The principle of NAT is IP address reuse, which can be used in small and mid-range
local networks. NAT uses the fact that in these environments a very small
percentage of hosts are communicating outside their local domain at any given
time. That is to say, almost all TCP/IP packets on the local network are destined to
hosts in this local network, and thus these hosts can have IP addresses that are not
globally unique. The NAT module placed at the border router of the domain
performs IP address translation inside IP datagrams passing through it in both
directions. When an IP datagram is sent from a local host to the Internet with a local
IP address that is not globally unique, the NAT module substitutes it with a
globally unique IP address taken from a pool, and sends the datagram out. In the
reverse direction the reverse translation is needed.
TCP/IP applications. So our implementation of NAT will support the general set of
protocols and applications, such as FTP, Telnet, HTTP, ICMP and others.
Types of NAT
Static NAT – performs a static one-to-one translation between two addresses, or
between a port on one address and a port on another address. Static NAT is most
often used to assign a public address to a device behind a NAT-enabled
firewall/router.
Dynamic NAT – utilizes a pool of global addresses to dynamically translate the
outbound traffic of clients behind a NAT-enabled device.
NAT Terminology
Specific terms are used to identify the various NAT addresses:
• Inside Local – The specific IP address assigned to an inside host behind a
NAT-enabled device (usually a private address).
• Inside Global – The address that identifies an inside host to the outside world
(usually a public address). Essentially, this is the dynamically or statically
assigned public address assigned to a private host.
• Outside Global – The address assigned to an outside host (usually a public
address).
• Outside Local – The address that identifies an outside host to the inside network.
Often, this is the same address as the Outside Global. However, it is occasionally
necessary to translate an outside (usually public) address to an inside (usually
private) address.
Team role
• Teamwork is work performed by a team towards a common goal. A
dynamic process involving two or more healthcare professionals with
complementary backgrounds and skills, sharing common health goals and
exercising concerted physical and mental effort in assessing, planning, or
evaluating patient care
each team member a specific task that he is responsible for completing,
which helps to develop trust within the team.
• If we consider the teamwork regarding my project, it has been a good
exposure for me. But the project was assigned to me individually, so that I could
understand the core of the technology of the project. It has been a great
learning experience under the expertise of Manjot Singh (HCL INFOSYSTEMS
TRAINER), an expert in NAT, PAT, routing, troubleshooting, etc. I
managed to learn a lot under his teaching. It was an amazing experience for me,
which helped me enlarge my knowledge regarding the project through team
work. I was considered to be the designer and implementor of the NAT
technology.
Project Analysis
The main purpose of conducting system analysis is to study the various processes
and to find out its requirements. These may include ways of capturing or
processing data, producing information, controlling a business activity or
supporting management. The determination of requirements entails studying the
existing details about it to find out what these requirements are.
System analysis has been conducted with the following objectives in mind:
Requirement Specification provides the developer and the customer with the
means to assess quality once software is built.
During the analysis phase of this project, the following set of principles
was considered:
1. The information domain of a problem must be represented and understood.
2. The functions that the software is to perform must be defined.
3. The behavior of the software must be represented.
4. The models that depict information function and behavior must be
partitioned in a manner that uncovers detail in a layered fashion.
Feasibility Study
It is a very important aspect of any project report. There is always chance of
manual errors. Cost factor is also there which depends upon the size of the work.
Feasibility studies aim to objectively and rationally uncover the strengths and
weaknesses of the existing business or proposed venture, opportunities and threats
as presented by the environment, the resources required to carry through, and
ultimately the prospects for success. In its simplest terms, the two criteria to judge
feasibility are cost required and value to be attained. As such, a well-designed
feasibility study should provide a historical background of the business or project,
description of the product or service, accounting statements, details of the
operations and management, marketing research and policies, financial data, legal
requirements and tax obligations. Generally, feasibility studies precede technical
development and project implementation.
Technical Feasibility
In the preliminary investigation phase, we examine the feasibility of the project.
We assess the likelihood that the network we established will be useful to the
organization. We determine whether the solution is viable or not. For this
purpose, the analyst clearly establishes the feasibility of each alternative, testing for
benefits, costs and other resources.
Economical Feasibility
This project does not specify an Internet standard of any kind. Distribution of this
project is unlimited. You can use private addresses on your inside networks. Private
addresses are not routable on the Internet. NAT hides the local addresses from
other networks, so attackers cannot learn the real address of a server in the data
center. You can resolve IP routing problems such as overlapping addresses when
you have two interfaces connected to overlapping subnets.
Economic analysis is the most frequently used method for evaluating the
effectiveness of a new system. More commonly known as cost/benefit analysis, the
procedure is to determine the benefits and savings that are expected from a
candidate system and compare them with costs. If benefits outweigh costs, then the
decision is made to design and implement the system. An entrepreneur must
accurately weigh the cost versus benefits before taking an action.
Cost-based study: It is important to identify cost and benefit factors, which can be
categorized as follows: 1. Development costs; and 2. Operating costs. This is an
analysis of the costs to be incurred in the system and the benefits derivable out of
the system.
Time-based study: This is an analysis of the time required to achieve a return on
investments. The future value of a project is also a factor.
The information in this document is based on these software and hardware
versions:
• Cisco 2500 Series Routers
• Cisco IOS® Software Release 12.2 (10b)
• Cisco Switches
• Cisco Hubs
• Wireless Device
• Copper Straight-Through Cable
• Copper Cross-Over Cable
• Fiber Optics Cable
• Coaxial Cable
• Serial DCE Cable
• Serial DTE Cable
The information in this document was created from the devices in a specific lab
environment. All of the devices used in this document started with a cleared
(default) configuration. If your network is live, make sure that you understand the
potential impact of any command.
Windows XP
This document is also not restricted to specific software and hardware
versions.
Requirements Analysis
1. Elicitation – determine the operational requirements (user needs and
customer expectations).
• Protocol Used
In case the SYN flag is on, it means that a TCP connection is being established. So we
must trace the TCP 3-way handshake to be sure that a connection has been
established, and then raise a flag in the Translation Table telling that there is an
active TCP connection in this entry. In case the FIN flag is on, it means that a TCP
connection is being terminated. So we must trace the TCP connection shutdown
mechanism to be sure that the connection has been closed. Then we clear the flag,
and this entry can be cleared in case of a global IP address shortage.
• Local_IP
• Global_IP
• Conn Protocol
• Timestamp
• TCP_State
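The translation behaviour described in the introduction (substitute a local source address with a pool address on the way out, reverse it on the way back) and the table fields and SYN/FIN tracking listed above, put together as an added example. This is not code from the report; the state names, the 60-second idle timeout and every address are our constructed assumptions.

```python
"""Added example (not code from the report): a minimal NAT translation table with
the fields the report lists (Local_IP, Global_IP, Conn Protocol, Timestamp, TCP_State)
and the SYN/FIN tracking it describes. Addresses, pool and packets are constructed."""
from dataclasses import dataclass

# TCP_State values for a table entry; the names are our assumption.
CLOSED, SYN_SEEN, ESTABLISHED, FIN_SEEN = "CLOSED", "SYN_SEEN", "ESTABLISHED", "FIN_SEEN"
FIN, SYN, ACK = 0x01, 0x02, 0x10          # TCP flag bits


@dataclass
class Entry:
    local_ip: str      # Local_IP: inside local address (not globally unique)
    global_ip: str     # Global_IP: inside global address taken from the pool
    protocol: str      # Conn Protocol: "TCP", "UDP" or "ICMP"
    timestamp: float   # Timestamp: last time a datagram used this entry
    tcp_state: str = CLOSED


class NatTable:
    def __init__(self, pool):
        self.free = list(pool)   # globally unique addresses not currently mapped
        self.entries = []

    def _find(self, **match):
        for e in self.entries:
            if all(getattr(e, k) == v for k, v in match.items()):
                return e
        return None

    def _reclaim(self, now, idle=60.0):
        """Drop idle entries that have no active TCP connection and return their
        global address to the pool (the entry 'can be cleared' under address shortage)."""
        keep = []
        for e in self.entries:
            if e.tcp_state in (SYN_SEEN, ESTABLISHED) or now - e.timestamp < idle:
                keep.append(e)
            else:
                self.free.append(e.global_ip)
        self.entries = keep

    @staticmethod
    def _track(e, flags):
        """Simplified handshake/shutdown tracking: SYN opens, the ACK completing the
        handshake establishes, FIN starts the close, the ACK that follows clears it."""
        if flags & SYN and e.tcp_state == CLOSED:
            e.tcp_state = SYN_SEEN
        elif flags & ACK and not flags & SYN and e.tcp_state == SYN_SEEN:
            e.tcp_state = ESTABLISHED
        elif flags & FIN and e.tcp_state == ESTABLISHED:
            e.tcp_state = FIN_SEEN
        elif flags & ACK and e.tcp_state == FIN_SEEN:
            e.tcp_state = CLOSED

    def outbound(self, local_ip, protocol, flags=0, now=0.0):
        """Local -> Internet: substitute the local source with a pool address."""
        e = self._find(local_ip=local_ip, protocol=protocol)
        if e is None:
            if not self.free:
                self._reclaim(now)
            if not self.free:
                return None              # pool exhausted and nothing reclaimable: drop
            e = Entry(local_ip, self.free.pop(0), protocol, now)
            self.entries.append(e)
        e.timestamp = now
        if protocol == "TCP":
            self._track(e, flags)
        return e.global_ip

    def inbound(self, global_ip, protocol, flags=0, now=0.0):
        """Internet -> local: reverse translation; no entry means nothing is forwarded."""
        e = self._find(global_ip=global_ip, protocol=protocol)
        if e is None:
            return None
        e.timestamp = now
        if protocol == "TCP":
            self._track(e, flags)
        return e.local_ip


def demo():
    """Walk a constructed scenario through the table and return what happened."""
    t = NatTable(["203.0.113.10", "203.0.113.11"])    # constructed two-address pool
    a = t.outbound("192.168.1.5", "TCP", SYN, now=0)    # SYN out: entry created
    t.inbound(a, "TCP", SYN | ACK, now=1)               # SYN-ACK back
    t.outbound("192.168.1.5", "TCP", ACK, now=2)        # ACK out: connection active
    b = t.outbound("192.168.1.6", "UDP", now=3)         # takes the second pool address
    c = t.outbound("192.168.1.7", "UDP", now=100)       # pool empty: idle UDP entry reclaimed
    return {
        "a": a, "b": b, "c": c,
        "a_state": t._find(local_ip="192.168.1.5").tcp_state,
        "reverse_a": t.inbound(a, "TCP", ACK, now=101),
        "unsolicited": t.inbound("203.0.113.99", "TCP", now=102),
    }


if __name__ == "__main__":
    print(demo())
```

The point the report makes about entries with an active TCP connection is visible in `_reclaim`: the established entry survives the shortage at `now=100`, while the idle UDP entry is recycled so the third host can be served. An inbound datagram for an address with no entry is not forwarded at all, which is the unsolicited-traffic behaviour a border NAT gives for free.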
ICMP
DESIGN
System Design
Modules
The NAT gateway
The NAT module, which sits between the local network and the router as described
in the introduction, consists mainly of four threads, in two pairs. Each pair
does a similar task but in the opposite direction.
The four threads are:
Listhen_Local_thread,
Listhen_Global_thread,
Translate_To_Local_thread,
The threads cooperate through common data structures, which are:
Ip_translation_Table,
Local_Ip_Packet_Buff,
Global_Ip_Packet_Buff.
In addition, each thread communicates with the appropriate network through the IP
API.
NAT gateway modules interaction:
The packet monitor
Packet monitor will be implemented as a stand-alone Windows application. It can
be used on any NT machine which has the PACKET32.DLL device driver
installed (this driver is needed to directly access a NIC). The monitor is capable of
displaying and filtering of packets on MAC, IP and upper layers. Monitor results
can be saved to a disk file for printing, studying TCP/IP protocols, and network
problems debugging.
Receiver - A thread looping infinitely that receives all packets that pass through
the chosen NIC. It listens on the NIC in promiscuous mode, and thus gets all
the packets that pass on the wire, not only those destined to that NIC or broadcast.
Whenever a packet arrives, it puts it in the Frame Buffer and notifies the Filter and
Display module that there is a packet to process. This takes very little time, and it
continues to listen for the next packet, so the chances of losing packets because of
processing are small and depend on the size of the frame buffer.
elements of the queue are buffers of 1514 bytes each, which is the maximum size of an
Ethernet frame (1500 bytes for data plus 14 bytes for the header).
Filter and Display - Performs decoding of the frame received from the frame
buffer. Decoding is performed from the bottom up, i.e. MAC data type, then IP
protocol type (TCP, UDP, and ICMP), then TCP/UDP port, etc. Discards packets
that do not match the current filtering mode. Filtering can be performed by:
1. Packet type: All, IP, ICMP, ARP/RARP, TCP and UDP
2. Source address: MAC/IP
3. Destination address: MAC/IP
Monitor Main Window and Control - The monitor is a menu-driven Windows
application, so it has a main window's procedure, which processes all messages
that are sent to it. That includes messages from the menu (i.e. user), or from inner
tasks (Receiver thread, Display module). It also controls all monitoring process,
i.e. starts/stops monitoring, saves results to a disk,
Also a set of constants related to these structures is defined, such as encapsulated
protocol type.
Functions needed:
1. How to configure a port connected to an IP phone to use the CoS value for
classifying incoming traffic
2. How to configure the port to use IEEE 802.1p priority tagging for voice traffic
3. How to configure it to use the Voice VLAN (10) to carry all voice traffic
4. And last, how to configure VLAN 3 to carry PC data
ISR# config t
ISR(config)# int f0/0.1
ISR(config-subif)# encapsulation ?
ISR(config-subif)#
Notice that my 2811 router (named ISR) only supports 802.1Q. We’d need an
older-model router to run the ISL encapsulation, but why bother?
The subinterface number is only locally significant, so it doesn’t matter which
subinterface numbers are configured on the router. Most of the time, I’ll configure a
subinterface with the same number as the VLAN I want to route. It’s easy to remember
that way since the subinterface number is used only for administrative purposes.
It’s really important that you understand that each VLAN is a separate subnet. True,
I know—they don’t have to be. But it really is a good idea to configure your
VLANs as separate subnets, so just do that. Now, I need to make sure you’re fully
prepared to configure inter-VLAN routing, as well as determine the port IP addresses
of hosts connected in a switched VLAN environment. And as always, it’s also a good
idea to be able to fix any problems that may arise. To set you up for success, let me
give you a few examples.
By this point in the book, you should be able to determine the IP address, masks,
and default gateways of each of the hosts in the VLANs. The next step after that is
to figure out which subnets are being used. By looking at the router configuration in
the figure, you can see that we’re using 192.168.1.64/26 with VLAN 1 and
192.168.1.128/27 with VLAN 10. And by looking at the switch configuration, you
can see that ports 2 and 3 are in VLAN 1 and port 4 is in VLAN 10. This means
that HostA and HostB are in VLAN 1 and HostC is in VLAN 10.
HostA:
HostB:
HostC:
Inter-VLAN example 2
[Figure: Inter-VLAN example 2 – VLAN 1, VLAN 2 and VLAN 3 with hosts HostA–HostF
on switch ports Fa0/2–Fa0/6; switch port Fa0/1 connects to the router's Fa0/0, which
connects to the Internet]
The configuration of the switch would look something like this:
2960# config t
2960(config)# int f0/1
2960(config-if)# switchport mode trunk
2960(config-if)# int f0/2
2960(config-if)# switchport access vlan 1
2960(config-if)# int f0/3
2960(config-if)# switchport access vlan 1
2960(config-if)# int f0/4
2960(config-if)# switchport access vlan 3
2960(config-if)# int f0/5
2960(config-if)# switchport access vlan 3
2960(config-if)# int f0/6
2960(config-if)# switchport access vlan 2
VLAN 1: 192.168.10.16/28
VLAN 2: 192.168.10.32/28
VLAN 3: 192.168.10.48/28
The configuration of the router would then look like this:
ISR# config t
ISR(config)# int f0/0
ISR(config-if)# no ip address
ISR(config-if)# no shutdown
ISR(config-if)# int f0/0.1
ISR(config-subif)# encapsulation dot1q 1
ISR(config-subif)# ip address 192.168.10.17 255.255.255.240
ISR(config-subif)# int f0/0.2
ISR(config-subif)# encapsulation dot1q 2
ISR(config-subif)# ip address 192.168.10.33 255.255.255.240
ISR(config-subif)# int f0/0.3
ISR(config-subif)# encapsulation dot1q 3
ISR(config-subif)#
The hosts in each VLAN would be assigned an address from their subnet range, and
the default gateway would be the IP address assigned to the router’s subinterface in
that VLAN.
Now, let’s take a look at another figure and see if you can determine the switch and
router configurations without looking at the answer—no cheating! Figure 9.11
shows a router connected to a 2960 switch with two VLANs. One host in each
VLAN is assigned an IP address.
What are your router and switch configurations based on these IP addresses?
Since the hosts don’t list a subnet mask, you have to look for the number of hosts
used in each VLAN to figure out the block size. VLAN 1 has 85 hosts and VLAN 2
has 115 hosts.
Each of these will fit in a block size of 128, which is a /25 mask, or
255.255.255.128.
Inter-VLAN example 3
[Figure: Inter-VLAN example 3 – VLAN 1 (85 hosts, HostA 172.16.10.126) and VLAN 2
(115 hosts, HostB 172.16.10.129) on switch ports F0/2 and F0/3; F0/1 connects to the
router]
You should know by now that the subnets are 0 and 128; the 0 subnet (VLAN 1)
has a host range of 1–126, and the 128 subnet (VLAN 2) has a range of 129–254.
You can almost be fooled since HostA has an IP address of 126, which makes it
almost seem that HostA and B are in the same subnet. But they’re not, and you’re
way too smart by now to be fooled by this one!
Here is the switch configuration:
2960# config t
2960(config)# int f0/1
2960(config-if)# switchport mode trunk
2960(config-if)# int f0/2
2960(config-if)# switchport access vlan 1
2960(config-if)# int f0/3
2960(config-if)# switchport access vlan 2
Here is the router configuration:
ISR# config t
ISR(config)# int f0/0
ISR(config-if)# no ip address
ISR(config-if)# no shutdown
ISR(config-if)# int f0/0.1
ISR(config-subif)# encapsulation dot1q 1
ISR(config-subif)# ip address 172.16.10.1 255.255.255.128
ISR(config-subif)# int f0/0.2
ISR(config-subif)# encapsulation dot1q 2
ISR(config-subif)# ip address 172.16.10.254 255.255.255.128
I used the first address in the host range for VLAN 1 and the last address in the
range for VLAN 2, but any address in the range would work. You just have to
configure the host’s default gateway to whatever you make the router’s address.
Now, before we go on to the next example, I need to make sure you know how to
set the IP address on the switch. Since VLAN 1 is typically the administrative
VLAN, we’ll use an IP address from that pool of addresses. Here’s how to set the
IP address of the switch (I’m not nagging, but you really should already know
this!):
2960# config t
2960(config)# int vlan 1
2960(config-if)# ip address 172.16.10.2 255.255.255.128
2960(config-if)# no shutdown
Yes, you have to do a no shutdown on the VLAN interface. One more example, and
then we’ll move on to VTP—another important subject that you definitely don’t
want to miss! In Figure 9.12 there are two VLANs. By looking at the router
configuration, what’s the IP address, mask, and default gateway of HostA? Use the
last IP address in the range for HostA’s address:
Inter-VLAN example 4
[Figure: Inter-VLAN example 4 – VLAN 1 (HostA) and VLAN 2 (HostB) on switch ports
F0/2 and F0/3; F0/1 connects to the router; the address 192.168.10.17 appears in the
figure]
Router# config t
Router(config)# int f0/0
Router(config-if)# no ip address
Router(config-if)# no shutdown
Router(config-if)# int f0/0.1
Router(config-subif)# encapsulation dot1q 1
Router(config-subif)# ip address 192.168.10.129 255.255.255.240
Router(config-subif)# int f0/0.2
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# ip address 192.168.10.46 255.255.255.240
If you really look carefully at the router configuration (the hostname in this figure is
just Router), there is a simple and quick answer. Both subnets are using a /28, or
255.255.255.240 mask, which is a block size of 16. The router’s address for VLAN
1 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN 1 is
143 and the valid host range is 129–142.
IP Address: 192.168.10.142
Mask: 255.255.255.240
Default Gateway: 192.168.10.129
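The block-size reasoning used in examples 3 and 4 (pick the prefix from the host count, find the subnet, broadcast and valid host range from the router's subinterface address, and notice that 172.16.10.126 and 172.16.10.129 are not in the same /25) as an added Python example. This is not code from the report or the book it quotes; it uses the standard `ipaddress` module and the addresses from the examples above.

```python
"""Added example (not from the report or the book it quotes): the subnet arithmetic
behind the inter-VLAN examples, using Python's ipaddress module."""
import ipaddress
import math


def prefix_for_hosts(n_hosts):
    """Smallest prefix whose block holds n_hosts plus the network and broadcast addresses."""
    host_bits = max(2, math.ceil(math.log2(n_hosts + 2)))
    return 32 - host_bits


def vlan_plan(gateway_with_mask):
    """Block size, mask, subnet, broadcast and valid host range for a router
    subinterface address such as '192.168.10.129/28'."""
    iface = ipaddress.ip_interface(gateway_with_mask)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "block_size": net.num_addresses,
        "mask": str(net.netmask),
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def same_subnet(ip_a, ip_b, prefix):
    """True when two hosts fall in the same block under the given prefix length."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def host_answer(gateway_with_mask, use_last=True):
    """IP address, mask and default gateway for a host behind that subinterface,
    using the last (or first) valid address of the range."""
    plan = vlan_plan(gateway_with_mask)
    return {
        "ip": plan["last_host"] if use_last else plan["first_host"],
        "mask": plan["mask"],
        "gateway": str(ipaddress.ip_interface(gateway_with_mask).ip),
    }


if __name__ == "__main__":
    print(prefix_for_hosts(85), prefix_for_hosts(115))        # example 3: both /25
    print(same_subnet("172.16.10.126", "172.16.10.129", 25))  # False: different VLANs
    print(vlan_plan("192.168.10.129/28"))                     # example 4: .128 subnet, 129-142
    print(host_answer("192.168.10.129/28"))                   # example 4's HostA answer
```

`same_subnet` is the check to run before trusting a host's gateway setting: a host whose address and gateway land in different blocks under the router's mask will never reach its subinterface, whatever the VLAN assignment on the switch says.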
Configuring VTP
All Cisco switches are configured to be VTP servers by default.
To configure VTP, first you have to configure the domain name you want to use.
And of course, once you configure the VTP information on a switch, you need to
verify it.
VTP
When you create the VTP domain, you have a bunch of options, including setting
the domain name, password, operating mode, and pruning capabilities of the
switch. Use the vtp global configuration mode command to set all this
information. In the following example, I’ll set the S1 switch to vtp server, the VTP
domain to Lammle, and the VTP password to todd:
By default, only hosts that are members of the same VLAN can communicate. To
change this and allow inter-VLAN communication, you need a router or a layer 3
switch. I’m going to start with the router approach.
To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface
is divided into logical interfaces—one for each VLAN. These are called
subinterfaces. From a Fast Ethernet or Gigabit interface, you can set the interface to
trunk with the encapsulation command:
Configuring VTP
S1# config t
S1(config)# vtp mode server
Device mode already VTP SERVER.
S1(config)# vtp domain Lammle
Changing VTP domain name from null to Lammle
S1(config)# vtp password todd
Setting device VLAN database password to todd
S1(config)# do show vtp password
VTP Password: todd
S1(config)# do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x15 0x54 0x88 0xF2 0x50 0xD9 0x03 0x07
Core# config t
Core(config)# vtp mode client
Setting device to VTP CLIENT mode.
Core(config)# vtp domain Lammle
Changing VTP domain name from null to Lammle
Core(config)# vtp password todd
Setting device VLAN database password to todd
Core(config)#
Changing VTP domain name from null to Lammle
S2(config)# vtp password todd
Setting device VLAN database password to todd
S2(config)# do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x02 0x11 0x18 0x4B 0x36 0xC5 0xF4 0x1F
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Let’s take a look using the show vlan brief command on the Core and S2 switch:
Core# sh vlan brief
VLAN Name                 Status    Ports
---- -------------------- --------- ---------------------------------
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                    Fa0/13, Fa0/14, Fa0/15,
                                    Fa0/16, Fa0/17, Fa0/18, Fa0/19,
                                    Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                    Fa0/24, Gi0/1, Gi0/2
2    Sales                active
3    Marketing            active
4    Accounting           active
S2# sh vlan bri
VLAN Name                 Status    Ports
---- -------------------- --------- ---------------------------------
1    default              active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7,
                                    Fa0/8,
2    Sales                active
3    Marketing            active
4    Accounting           active
Troubleshooting VTP
You connect your switches with crossover cables, the lights go green on both ends,
and you’re up and running! Yeah—in a perfect world, right? Don’t you wish it was
that easy? Well, actually, it pretty much is—without VLANs, of course. But if
you’re using VLANs—and you definitely should be—then you need to use VTP if
you have multiple VLANs configured in your switched network.
But here there be monsters: If VTP is not configured correctly, it (surprise!) will not
work, so you absolutely must be capable of troubleshooting VTP. Let’s take a look
at a couple of configurations and solve the problems. Study the output from the two
following switches:
SwitchA# sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
SwitchB# sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
So what’s happening with these two switches? Why won’t they share VLAN
information?
At first glance, it seems that both servers are in VTP server mode, but that’s not the
problem. Servers in VTP server mode will share VLAN information using VTP.
The problem is that they’re in two different VTP domains. SwitchA is in VTP
domain RouterSim and SwitchB is in VTP domain GlobalNet. They will never
share VTP information because the VTP domain names are configured differently.
Now that you know how to look for common VTP domain configuration errors in
your switches, let’s take a look at another switch configuration:
SwitchC# sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : Todd
VTP Pruning Mode : Disabled
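The troubleshooting above is done by eye; an added Python example (not code from the report or the book it quotes) does the same comparison mechanically over the `show vtp status` text. The two sample outputs are SwitchA's and SwitchB's from the page; the "same domain" variant, in which SwitchB is moved into RouterSim while keeping its higher revision, is constructed to show the revision check.

```python
"""Added example (not from the report or the book it quotes): parse 'show vtp status'
output and report why switches will not exchange VLAN information. The two sample
outputs are the page's SwitchA and SwitchB."""

SWITCH_A = """\
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
"""

SWITCH_B = """\
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
"""


def parse_vtp_status(text):
    """'Key : Value' lines to a dict; prompt and command lines have no colon and are skipped."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def vtp_sync_problems(statuses):
    """statuses maps switch name -> parsed status. Returns the reasons these switches
    will not share VLAN information (empty list when nothing obvious is wrong)."""
    problems = []
    domains = {name: s.get("VTP Domain Name") for name, s in statuses.items()}
    if len(set(domains.values())) > 1:
        problems.append("domain mismatch: " + ", ".join(f"{n}={d}" for n, d in domains.items()))
    versions = {name: s.get("VTP Version") for name, s in statuses.items()}
    if len(set(versions.values())) > 1:
        problems.append("version mismatch: " + ", ".join(f"{n}=v{v}" for n, v in versions.items()))
    modes = [s.get("VTP Operating Mode") for s in statuses.values()]
    if modes and all(m == "Transparent" for m in modes):
        problems.append("every switch is transparent: nobody originates advertisements")
    return problems


def revision_warnings(statuses):
    """Within one domain the highest Configuration Revision wins and replaces the
    others' VLAN databases, whether it comes from a server or a client, so check
    this before cabling a switch into a production domain."""
    by_domain = {}
    for name, s in statuses.items():
        rev = int(s.get("Configuration Revision", "0"))
        by_domain.setdefault(s.get("VTP Domain Name"), []).append((rev, name))
    warnings = []
    for domain, members in by_domain.items():
        members.sort(reverse=True)
        if len(members) > 1 and members[0][0] > members[1][0]:
            top_rev, top_name = members[0]
            warnings.append(f"{top_name} (revision {top_rev}) would overwrite the other "
                            f"switches in domain {domain}")
    return warnings


def demo():
    a, b = parse_vtp_status(SWITCH_A), parse_vtp_status(SWITCH_B)
    # constructed variant: SwitchB placed in SwitchA's domain, keeping its higher revision
    b_same_domain = parse_vtp_status(SWITCH_B.replace("GlobalNet", "RouterSim"))
    return {
        "as_shown": vtp_sync_problems({"SwitchA": a, "SwitchB": b}),
        "same_domain": vtp_sync_problems({"SwitchA": a, "SwitchB": b_same_domain}),
        "revision": revision_warnings({"SwitchA": a, "SwitchB": b_same_domain}),
    }


if __name__ == "__main__":
    print(demo())
```

Fixing the domain name is the whole answer to the page's puzzle, but `revision_warnings` is the check worth keeping: the moment the names match, the switch with the higher revision number becomes the source of truth for every VLAN in the domain, which is why a VTP password and a look at the revision counter belong in the verification step the text asks for.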
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source static 172.16.1.1 158.80.1.40
This command performs a static translation of the source address
172.16.1.1 (located on the inside of the network) to the outside address
158.80.1.40.
When configuring Dynamic NAT, the inside and outside interfaces must first be
identified:
Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
The above command specifies that the pool named POOLNAME contains a range
of public addresses from 158.80.1.1 through 158.80.1.50.
Finally, a list of private addresses that are allowed to be dynamically translated
must be specified:
The first command states that any inside host with a source that matches access-list 10
can be translated to any address in the pool named POOLNAME.
The access list specifies any host on the 172.16.1.0 network.
Recall that NAT Overload (or PAT) is necessary when the number of internal
clients exceeds the available global addresses. Each internal host is translated to a
unique port number off of a single global address.
Any inside host with a source that matches access-list 10 will be translated with
overload to the IP address configured on the Serial0/0 interface.
○ Are you using NAT during a network transition (for example, you
changed a server's IP address and until you can update all the clients
you want the non-updated clients to be able to access the server using
the original IP address as well as allow the updated clients to access
the server using the new address)?
○ Are you using NAT to allow overlapping networks to communicate?
3. Configure NAT in order to accomplish what you defined above. Based on
what you defined in step 2, you need to determine which of the following
features to use:
○ Static NAT
○ Dynamic NAT
○ Overloading
○ Any combination of the above
4. Verify the NAT operation.
Each of the following NAT examples guides you through steps 1 through 3 of the
Quick Start Steps above. These examples describe some common scenarios in
which Cisco recommends you deploy NAT.
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define NAT inside and outside interfaces.
You may find it easiest to define your internal network as inside, and the external
network as outside. However, the terms internal and external are subject to
arbitration as well. The figure below shows an example of this.
Example: Allowing Internal Users to Access the Internet
You may want to allow internal users to access the internet, but you may not have
enough valid addresses to accommodate everyone. If all communication with
devices in the internet will originate from the internal devices, you need a single
valid address or a pool of valid addresses.
The figure below shows a simple network diagram with the router interfaces
defined as inside and outside:
In this example, we want NAT to allow certain devices (the first 31 from each
subnet) on the inside to originate communication with devices on the outside by
translating their invalid address to a valid address or pool of addresses. The pool
has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.
Now you are ready to configure NAT. In order to accomplish what is defined
above, use dynamic NAT. With dynamic NAT, the translation table in the router is
initially empty and gets populated once traffic that needs to be translated passes
through the router. (As opposed to static NAT, where a translation is statically
configured and is placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each of the inside devices to a
unique valid address, or to translate each of the inside devices to the same valid
address. This second method is known as overloading. An example of how to
configure each method is given below.
NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 1 with an IP address and
!--- as a NAT inside interface.
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
!--- 10.10.10.0 through 10.10.10.31 and
!--- 10.10.20.0 through 10.10.20.31.
Note: Cisco highly recommends that you do not configure access lists referenced
by NAT commands with permit any. Using permit any can result in NAT
consuming too many router resources which can cause network problems.
Notice in the above configuration that only the first 32 addresses from subnet
10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by
access-list 7. Therefore, only these source addresses are translated. There may be
other devices with other addresses on the inside network, but these won't be
translated.
The final step is to verify that NAT is operating as intended.
Configuring NAT to Allow Internal Users to Access the Internet Using
Overloading
NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.
Note in the second configuration above, the NAT pool "ovrld" only has a
range of one address. The keyword overload used in the ip nat inside source list 7
pool ovrld overload command allows NAT to translate multiple inside devices to
the single address in the pool.
Configuring NAT for Use During a Network Transition
NAT Router
interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside
interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside
interface serial 0
ip address 200.200.200.5 255.255.255.252
ip nat inside source static 172.16.50.8 172.16.10.8
!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.
Note that the inside source NAT command in this example also implies that
packets received on the outside interface with a destination address of 172.16.10.8
will have the destination address translated to 172.16.50.8.
The final step is to verify that NAT is operating as intended.
Example: Using NAT in Overlapping Networks
Overlapping networks result when you assign IP addresses to internal
devices that are already being used by other devices within the internet.
Overlapping networks also result when two companies, both of whom use RFC
1918 IP addresses in their networks, merge. These two networks need to
communicate, preferably without having to readdress all their devices. Refer to
Using NAT in Overlapping Networks for more information about configuring
NAT for this purpose.
Difference between One-to-One Mapping and Many-to-Many
A static NAT configuration creates a one-to-one mapping and translates a
specific address to another address. This type of configuration creates a permanent
entry in the NAT table as long as the configuration is present and enables both
inside and outside hosts to initiate a connection. This is mostly useful for hosts that
provide application services like mail, web, FTP and so forth. For example:
Router(config)#ip nat inside source static 10.3.2.11 10.41.10.12
Router(config)#ip nat inside source static 10.3.2.12 10.41.10.13
Dynamic NAT is useful when fewer addresses are available than the actual
number of hosts to be translated. It creates an entry in the NAT table when the host
initiates a connection and establishes a one-to-one mapping between the addresses.
But, the mapping can vary and it depends upon the registered address available in
the pool at the time of the communication. Dynamic NAT allows sessions to be
initiated only from inside or outside networks for which it is configured. Dynamic
NAT entries are removed from the translation table if the host does not
communicate for a specific period of time which is configurable. The address is
then returned to the pool for use by another host.
For example, complete these steps of the detailed configuration:
4. Associate the access-list 100 that is selecting the internal network 10.3.2.0
0.0.0.255 to be natted to the pool MYPOOLEXAMPLE and then overload
the addresses.
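As an added example (not Cisco's code or the report's own), a small Python model of the three translation types described above: the permanent static one-to-one entry, the dynamic pool whose address is returned on idle timeout, and overloading on a single-address pool selected by an access list. The addresses, access-list ranges and pool come from the configurations above; the translated port numbering starting at 1024 is an assumption.

```python
import ipaddress
from itertools import count


class NatRouter:
    """Toy model of inside-source NAT as configured above (added example,
    not Cisco code). Translates the (inside_ip, port) of a packet leaving
    through an 'ip nat inside' interface."""

    def __init__(self, acl, pool, overload=False, static=None):
        self.acl = [ipaddress.ip_network(n) for n in acl]  # permitted sources
        self.pool = list(pool)            # global addresses in the NAT pool
        self.overload = overload          # 'overload' keyword present?
        self.static = dict(static or {})  # inside -> global, permanent one-to-one
        self.dynamic = {}                 # inside -> pool address currently held
        self.table = {}                   # (inside, port) -> (global, port) for overload
        self._ports = count(1024)         # assumed next translated port for overload

    def permitted(self, inside_ip):
        """Does the access list referenced by the NAT command match this source?"""
        ip = ipaddress.ip_address(inside_ip)
        return any(ip in net for net in self.acl)

    def translate(self, inside_ip, src_port):
        """Return the (global_ip, port) the packet leaves with: the unchanged
        pair if the access list does not match, None if the pool is exhausted."""
        if inside_ip in self.static:            # static entry: always present
            return (self.static[inside_ip], src_port)
        if not self.permitted(inside_ip):       # not selected: sent untranslated
            return (inside_ip, src_port)
        if self.overload:
            # Overloading (PAT): all inside hosts share the one pool address;
            # each session is told apart by a unique translated source port.
            key = (inside_ip, src_port)
            if key not in self.table:
                self.table[key] = (self.pool[0], next(self._ports))
            return self.table[key]
        # Dynamic one-to-one: a pool address is held per inside host until
        # the entry times out (release below) and goes back to the pool.
        if inside_ip not in self.dynamic:
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                return None                     # pool exhausted: packet dropped
            self.dynamic[inside_ip] = free[0]
        return (self.dynamic[inside_ip], src_port)

    def release(self, inside_ip):
        """Idle timeout: remove the dynamic entry and return its address."""
        self.dynamic.pop(inside_ip, None)
```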
TESTING
Alpha Testing
Troubleshooting NAT
Beta Testing
Beta testing comes after alpha testing and can be considered a form of external
user acceptance testing. Versions of the software, known as beta versions, are
released to a limited audience outside of the programming team. The software is
released to groups of people so that further testing can ensure the product has few
faults or bugs. Sometimes, beta versions are made available to the open public to
increase the feedback field to a maximal number of future users.
To view the active NAT translations, pfctl is used with the -s state option. This
option will list all the current NAT sessions:
# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
Reading each line from left to right:
Interface (leftmost column, when shown): Indicates the interface that the state is
bound to. The word self will appear if the state is floating.
TCP: The protocol used by the connection.
192.168.1.35:2132: The IP address (192.168.1.35) of the machine on the internal
network. The source port (2132) is shown after the address. This is also the
address that is replaced in the IP header.
24.5.0.5:53136: The IP address (24.5.0.5) and port (53136) on the gateway that
packets are being translated to.
65.42.33.245:22: The IP address (65.42.33.245) and the port (22) that the internal
machine is connecting to.
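Added example (not from the page's sources): a parser for the pfctl -s state lines above and a check that every internal flow is being translated to the gateway's external address, which is the verification step the text calls for. The sample output is constructed from the two lines shown plus one untranslated flow; the interface column and the "->" separator are accepted as optional.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One 'pfctl -s state' line as printed above. The interface column and the
# gateway (translated) endpoint are optional; a line with no gateway
# endpoint is a flow pf is passing without translation.
STATE_RE = re.compile(
    r"^(?:(?P<iface>[a-z]+\d+|self)\s+)?(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+-?>\s+"
    r"(?:(?P<gw>[\d.]+):(?P<gwport>\d+)\s+-?>\s+)?"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)

@dataclass
class PfState:
    iface: Optional[str]      # None when the interface column is not shown
    proto: str
    src: tuple                # (ip, port) of the internal host; replaced in the IP header
    gateway: Optional[tuple]  # (ip, port) the packet is translated to; None if untranslated
    dst: tuple                # (ip, port) the internal machine is connecting to
    state: str

def parse_states(text):
    """Parse pfctl -s state output; the prompt and any non-state line is skipped."""
    found = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        gw = (g["gw"], int(g["gwport"])) if g["gw"] else None
        found.append(PfState(g["iface"], g["proto"], (g["src"], int(g["sport"])),
                             gw, (g["dst"], int(g["dport"])), g["state"]))
    return found

def nat_check(states, external_ip):
    """Verification step: every internal source should leave through
    external_ip; returns the states that do not."""
    return [s for s in states if s.gateway is None or s.gateway[0] != external_ip]

# Constructed sample: the two lines shown above plus one flow that pf passes
# without translation (no gateway endpoint on the line).
SAMPLE = """# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
TCP 192.168.1.40:4000 -> 65.42.33.245:80 ESTABLISHED:ESTABLISHED
"""
```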
SNAPSHOTS
Dynamic Routing With Clock Rate In NAT:-
EIGRP In NAT:-
Inter V-Lan 1 In NAT:-
Inter V-Lan 3 In NAT:-
DHCP In NAT:-
Access List In NAT:-
FUTURE SCOPE
If you do yoga, meditate, chain smoke, or consume mass quantities of
comfort food when stressed, take a little break and do that now because, and I’m
going to be honest, this isn’t the easiest part of the chapter—or even the book, for
that matter. But I promise that I’ll do my best to make this as painless for you as
possible.
The voice VLAN feature enables access ports to carry IP voice traffic from
an IP phone.
When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic
with layer 3 IP precedence and layer 2 class of service (CoS) values, which are both
set to 5 for voice traffic; all other traffic defaults to 0.
Because the sound quality of an IP phone call can deteriorate if the data is
unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p
CoS. (802.1p provides a mechanism for implementing QoS at the MAC level.) The
802.1p field is carried in the 802.1Q trunk header. If you look at the fields in an
802.1Q tag, you will see a field called the priority field; this is where the 802.1p
information goes. QoS uses classification and scheduling to send network traffic
from the switch in an organized, predictable manner.
The Cisco IP phone is a configurable device, and you can configure it to forward
traffic with an IEEE 802.1p priority. You can also configure the switch to either
trust or override the traffic priority assigned by an IP phone—which is exactly what
we’re going to do. The Cisco phone basically has a three-port switch: one to
connect to the Cisco switch, one to a PC device, and one to the actual phone, which
is internal.
You can also configure an access port with an attached Cisco IP phone to use one
VLAN for voice traffic and another VLAN for data traffic from a device attached to
the phone—like a PC. You can configure access ports on the switch to send Cisco
Discovery Protocol (CDP) packets that instruct an attached Cisco IP phone to send
voice traffic to the switch in any of these ways:
In the voice VLAN tagged with a layer 2 CoS priority value
In the access VLAN tagged with a layer 2 CoS priority value
In the access VLAN, untagged (no layer 2 CoS priority value)
The switch can also process tagged data traffic (traffic in IEEE 802.1Q or
IEEE 802.1p frame types) from the device attached to the access port on the Cisco
IP phone. You can configure layer 2 access ports on the switch to send CDP
packets that instruct the attached Cisco IP phone to configure the IP phone access
port in one of these modes:
In trusted mode, all traffic received through the access port on the Cisco IP
phone passes through the IP phone unchanged.
In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames
received through the access port on the IP phone receive a configured layer 2 CoS
value. The default layer 2 CoS value is 0. Untrusted mode is the default.
By default, the voice VLAN feature is disabled; you enable it by using the
interface command switchport voice vlan. When the voice VLAN feature is
enabled, all untagged traffic is sent according to the default CoS priority of the port.
The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic.
These are the voice VLAN configuration guidelines:
You should configure voice VLAN on switch access ports; voice VLAN isn’t
supported on trunk ports, even though you can actually configure it! The voice
VLAN should be present and active on the switch for the IP phone to correctly
communicate on it. Use the show vlan privileged EXEC command to see if the
VLAN is present—if it is, it’ll be listed in the display.
Before you enable the voice VLAN, it's recommended that you enable QoS on the
switch by entering the mls qos global configuration command and set the port trust
state to trust by entering the mls qos trust cos interface configuration command.
You must make sure that CDP is enabled on the switch port connected to the Cisco
IP phone to send the configuration. This is on by default, so unless you disabled it,
you shouldn’t have a problem.
The PortFast feature is automatically enabled when the voice VLAN is
configured, but when you disable the voice VLAN, the PortFast feature isn’t
automatically disabled.
To return the port to its default setting, use the no switchport voice vlan interface
configuration command.
You can configure a port connected to the Cisco IP phone to send CDP packets to
the phone to configure the way in which the phone sends voice traffic. The phone
can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a
layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a
higher priority as well as forward all voice traffic through the native (access)
VLAN. The IP phone can also send untagged voice traffic, or use its own
configuration to send voice traffic in the access VLAN. In all configurations, the
voice traffic carries a layer 3 IP precedence value—again, for voice the setting is
usually 5.
CONCLUSION
The examples in this document demonstrate quick start steps that can help you
configure and deploy NAT. These quick start steps include:
1. Defining NAT inside and outside interfaces.
2. Defining what you are trying to accomplish with NAT.
3. Configuring NAT in order to accomplish what you defined in Step 2.
4. Verifying the NAT operation.
In each of the examples above, various forms of the ip nat inside command were
used. You can also use the ip nat outside command to accomplish the same
objectives, keeping in mind the NAT order of operations. For configuration
examples using the ip nat outside commands, refer to Sample Configuration
Using the ip nat outside source list Command and Sample Configuration Using
the ip nat outside source static Command.
BIBLIOGRAPHY
1. www.cisco.com
2. Wikipedia
3. CCNA E-Book