A public IP address costs money, and a whole public subnet costs more.
So companies with little money but clever admins use a technique that lets them use fewer
public IP addresses while still allowing many clients to connect to the Internet.
This technique is called NAT, Network Address Translation.
As the name says, a network address (IP address) is translated into another address.
Usually a private IP address (10.x.x.x, 172.16.x.x to 172.31.x.x or 192.168.x.x, the RFC 1918 ranges)
is translated into a public IP address that the company gets from an ISP and pays for.
There are some terms that must be understood before going deeper into the material.
The CCNA certification requires you to tell them apart.
Inside local address
The address of an inside host as seen from the inside network, usually a private IP address that is not usable on the Internet.
Inside global address
The address of an inside host as it appears to the outside world, usually the public IP the router translates to.
Outside local address
The address of an outside host as seen by an inside host.
Not necessarily a public address.
Outside global address
The address of an outside host as seen on the outside network, which is its real public address.
There are three forms of NAT
Static NAT
ONE private IP is translated to ONE public IP.
The same private IP is always mapped to the same public IP, so the inside host is also reachable from the outside at that address (typical for servers).
Dynamic NAT
A private IP is mapped to a public IP taken from a pool of public IPs.
The same private IP is not necessarily mapped to the same public IP each time; the mapping is chosen dynamically when the host sends traffic, and once the pool is exhausted further hosts are not translated and their packets are dropped.
Overloading
Many private IPs are mapped to one public IP.
This is also known as PAT (Port Address Translation).
It is a form of dynamic NAT.
A private host establishes a connection, for example with source port 2353.
The packets reach the router, which translates the source IP to the public IP.
The router writes the original source IP and source port, together with the public port it
chose, into its NAT table. When the answer packets arrive from the Internet the router looks
up the destination port in its NAT table and translates the packets back to the private IP and
port from which the requesting packets originated. If two inside hosts happen to use the same
source port, the router gives one of them a different public port so the entries stay distinct.
Inbound packets that match no table entry are dropped, which is why hosts behind PAT are not
directly reachable from the Internet.
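Added example (not from the original notes and not Cisco IOS code): a small Python model of the three NAT forms above, with the PAT translation table described in the last paragraph. The addresses (192.168.1.0/24 inside, 198.51.100.x as inside global, 203.0.113.x as outside hosts) and the port-allocation policy (keep the host's own source port when free, otherwise the next unused port from 1024) are assumptions of the model.

```python
"""Toy model of static NAT, dynamic NAT and overloading (PAT).
Example code added to these notes; it is not Cisco IOS and the addresses and
port-allocation policy are assumptions made for the illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """One router doing NAT in a single mode: "static", "dynamic" or "overload"."""

    def __init__(self, inside_net, mode, static=None, pool=None, overload_ip=None):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.mode = mode
        self.addr_map = dict(static or {})   # inside local -> inside global (static, dynamic)
        self.free_pool = list(pool or [])     # unused inside global addresses (dynamic)
        self.overload_ip = overload_ip        # the one shared inside global address (overload)
        self.port_map = {}                    # (inside local, local port) -> global port (overload)
        self.next_port = 1024

    def outbound(self, pkt):
        """Translate a packet going from the inside to the outside interface.
        None means the router has no translation for it."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None
        if self.mode == "static":
            gip = self.addr_map.get(pkt.src_ip)
            if gip is None:
                return None                   # only hosts with a static entry are translated
            return Packet(gip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.mode == "dynamic":
            gip = self.addr_map.get(pkt.src_ip)
            if gip is None:
                if not self.free_pool:
                    return None               # pool exhausted: the packet is dropped
                gip = self.free_pool.pop(0)   # first free address, chosen when the host first talks
                self.addr_map[pkt.src_ip] = gip
            return Packet(gip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # overload: every inside host shares overload_ip; the source port tells them apart
        key = (pkt.src_ip, pkt.src_port)
        gport = self.port_map.get(key)
        if gport is None:
            gport = self._allocate_port(pkt.src_port)
            self.port_map[key] = gport        # this is the NAT table entry the notes describe
        return Packet(self.overload_ip, gport, pkt.dst_ip, pkt.dst_port)

    def _allocate_port(self, wanted):
        # Assumed policy: keep the host's own source port if no other host already uses it,
        # otherwise hand out the next unused port starting at 1024.
        used = set(self.port_map.values())
        if wanted >= 1024 and wanted not in used:
            return wanted
        while self.next_port in used:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def inbound(self, pkt):
        """Translate a packet arriving on the outside interface back to the inside host.
        None means no NAT table entry matches, so the router drops it."""
        if self.mode in ("static", "dynamic"):
            for lip, gip in self.addr_map.items():
                if gip == pkt.dst_ip:
                    return Packet(pkt.src_ip, pkt.src_port, lip, pkt.dst_port)
            return None
        if pkt.dst_ip != self.overload_ip:
            return None
        for (lip, lport), gport in self.port_map.items():
            if gport == pkt.dst_port:
                return Packet(pkt.src_ip, pkt.src_port, lip, lport)
        return None                           # unsolicited inbound packet: no entry, dropped


def pat_demo():
    """Two inside hosts both use source port 2353, as in the notes; PAT keeps them apart."""
    pat = NatRouter("192.168.1.0/24", "overload", overload_ip="198.51.100.1")
    a = pat.outbound(Packet("192.168.1.10", 2353, "203.0.113.5", 80))
    b = pat.outbound(Packet("192.168.1.11", 2353, "203.0.113.5", 80))
    reply_to_b = pat.inbound(Packet("203.0.113.5", 80, "198.51.100.1", b.src_port))
    stray = pat.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 5555))
    return a, b, reply_to_b, stray


if __name__ == "__main__":
    for p in pat_demo():
        print(p)
```

Running pat_demo shows the first host keeping port 2353 on the public address, the second host being moved to 1024, the reply to port 1024 being delivered to 192.168.1.11, and the stray packet to port 5555 returning None because nothing in the table asked for it.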
Configuration commands
Static NAT
router(config)#ip nat inside source static local-ip global-ip
router(config)#interface fa0/4
router(config-if)#ip nat inside
The outside interface must also be marked with ip nat outside, as in the dynamic and overload examples below; without both an inside and an outside interface no translation takes place.
Dynamic NAT
router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
router(config)#access-list acl-number permit source-IP [source-wildcard]
router(config)#ip nat inside source list acl-number pool name
router(config)#interface fa0/4
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#interface s0
router(config-if)#ip nat outside
Overloading
router(config)#access-list acl-number permit source-IP source-wildcard
router(config)#ip nat inside source list acl-number interface interface overload
The access list selects which inside addresses are translated; the overload keyword makes all of them share the address of the named outside interface.
router(config)#interface fa0/4
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#interface s0
router(config-if)#ip nat outside
Wednesday, February 3, 2010
Learn NAT in 5 minutes
CCNA Security Study Notes
Hi Guys,
During my CCNA Security Studies I have been creating some 'last minute revision' notes. I thought I would let you all know about them and where you can download them from just in case it helps anyone with the last minute cram. It's a PDF document about 55 pages long, probably contains a few errors as well (don't worry, we won't mention them)
CCNA Security Notes
If there is interest I have notes for the CCNA & CCNA Voice as well but they will have to wait until I get the CCNA Security under my belt - they need a bit of editing!!
Best regards,
Mike.
Tuesday, December 15, 2009
VLANs, Trunking, and VTP, Short Guide
VLANs
VLANs are a logical grouping of devices, grouped together regardless of physical location. This limits broadcast domains and improves security, stability and manageability. To communicate between VLANs, traffic must pass through a layer 3 device.
Static VLANs are assigned to ports, regardless of what device is plugged into them. Dynamic VLANs are assigned to a MAC address, so you can move the device around without it changing VLAN.
VLAN 1 is the default VLAN on Cisco switches.
VLANs 2-1001 are for Ethernet VLANs.
VLANs 1002-1005 are for FDDI and Token Ring.
VLANs 1006-1024 are for system use.
VLANs 1025-4094 are for Ethernet VLANs (extended range).
Private VLANs (PVLANs) isolate ports within a VLAN while they stay on the same subnet. The primary VLAN is the main VLAN that encompasses the secondary VLANs. Secondary VLANs are either community VLANs, whose ports can communicate with the other ports in the same community, or isolated VLANs, whose ports cannot communicate with anything but promiscuous ports. Promiscuous ports can be reached from community VLANs as well, and are usually the servers and routers that everyone needs access to.
Trunking
Trunking allows VLANs to span multiple switches. ISL is a Cisco proprietary encapsulation for VLAN traffic. 802.1Q is the industry standard and tags each frame with its VLAN ID. ISL is being phased out by Cisco.
The native VLAN is the one VLAN an 802.1Q trunk does not tag: frames belonging to the native VLAN are sent untagged, and untagged frames received on the trunk are assigned to it.
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that negotiates trunk ports between switches and selects the trunking protocol to be used.
VLAN mapping lets you limit which VLANs cross a trunk and control what is dropped. This can improve bandwidth and processor utilization. It also automatically maps extended-range 802.1Q VLANs to ISL VLAN numbers where necessary.
802.1Q also supports a feature called 802.1Q-in-Q tunnelling. This allows service providers to transport customers' VLAN traffic across their network by adding an outer tag of their own, so the customers' VLAN IDs do not have to be unique.
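Added example (not from the original guide and not Cisco code): a Python model of what an 802.1Q trunk port does with tagged and untagged frames, covering the native VLAN rule and the Q-in-Q outer tag from the paragraphs above. The MAC addresses and payload are constructed, and the outer tag uses the 802.1ad TPID 0x88A8; both are assumptions of the example, not something the guide states.

```python
"""802.1Q tag handling on a trunk port, as an illustration added to these notes.
The frames below are constructed, not captured traffic."""
import struct

TPID_8021Q = 0x8100    # ordinary 802.1Q tag
TPID_8021AD = 0x88A8   # outer (service provider) tag used for Q-in-Q, assumed here
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet frame with zero or more VLAN tags, outermost first; a tag is (tpid, pcp, vid)."""
    frame = dst + src
    for tpid, pcp, vid in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)        # 3-bit priority, DEI 0, 12-bit VLAN ID
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags outermost first, ethertype, payload) for a frame built as above."""
    offset, tags = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid, frame[offset + 2:]
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        offset += 4


def push_tag(frame, tpid, vid, pcp=0):
    """Insert a tag right after the MAC addresses (in front of any existing tag)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag only."""
    return frame[:12] + frame[16:]


def trunk_ingress(frame, native_vlan, allowed):
    """Classify a frame received on an 802.1Q trunk port.
    Untagged frames belong to the native VLAN; tagged frames to their outer VID.
    Frames for VLANs not allowed on the trunk are dropped (None).
    Returns (vid, frame as the switch forwards it internally)."""
    tags, _, _ = parse_tags(frame)
    if tags:
        vid, inner = tags[0][2], pop_tag(frame)   # inner tags, if any, are left untouched
    else:
        vid, inner = native_vlan, frame
    return None if vid not in allowed else (vid, inner)


def trunk_egress(vid, frame, native_vlan):
    """Send a frame out an 802.1Q trunk: native VLAN leaves untagged, everything else tagged."""
    return frame if vid == native_vlan else push_tag(frame, TPID_8021Q, vid)


# Constructed sample addresses and payload
DST = bytes.fromhex("010203040506")
SRC = bytes.fromhex("0a0b0c0d0e0f")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header


def qinq_roundtrip(customer_vid=10, service_vid=500):
    """Q-in-Q: the provider edge pushes an outer service tag, the core forwards on that tag
    alone, and the far edge pops it, so two customers may both use VID 10 without clashing.
    Returns (VIDs seen in the core, VLAN the core used, customer frame delivered unchanged)."""
    customer = build_frame(DST, SRC, ETH_IPV4, PAYLOAD, [(TPID_8021Q, 0, customer_vid)])
    in_provider = push_tag(customer, TPID_8021AD, service_vid)
    core_tags, _, _ = parse_tags(in_provider)
    core_vid, delivered = trunk_ingress(in_provider, native_vlan=1, allowed={service_vid})
    return [t[2] for t in core_tags], core_vid, delivered == customer


if __name__ == "__main__":
    print(qinq_roundtrip())
```

The point to take from trunk_ingress and trunk_egress is that the native VLAN is the only VLAN whose frames cross the trunk without a tag, so whatever VLAN you choose as native on one end must be the same on the other end, or untagged frames will silently land in a different VLAN.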
VTP
VLAN Trunking Protocol is used to distribute and synchronize VLAN information throughout the network. When a switch is configured as a server in a VTP domain, it can create, modify and delete VLANs and sends that information to the other switches, using the latest information it has received from them. In transparent mode, a switch can modify its own VLAN information and forwards VTP advertisements, but it does not synchronize with other switches. In client mode, a switch receives and synchronizes with the VTP information it gets, but it does not save it in NVRAM and cannot modify it. When VTP is turned off, the switch simply drops VTP information.
By default, VTP advertisements are sent every 5 minutes, or whenever a change occurs.
VTP pruning stops flooded traffic (broadcasts, multicasts and unknown unicasts) for a VLAN from being sent over a trunk to a switch that has no active ports in that VLAN, which saves bandwidth on the trunk.
To secure VTP you can set a VTP password; it is used to authenticate the advertisements, so a switch that does not know the password cannot push VLAN changes into the domain.
-Configuration
To configure a new VLAN use vlan 2, where 2 is the VLAN ID to use.
You can name the VLAN with name department.
You need to type exit for the VLAN to be created and saved.
To assign an access port to a VLAN use switchport access vlan 2.
To configure a trunk port, from the interface assign switchport trunk encapsulation dot1q,
then switchport mode trunk.
To set the native VLAN, switchport trunk native vlan 3.
To configure VTP mode to server, use vtp mode server in global configuration (the older vlan database mode uses vtp server).
To set the domain, use vtp domain myname.
For authentication, use vtp password mypass.
And vtp pruning to enable pruning.
-Show Commands
show vlan id 2 – displays information about a VLAN
show interfaces fastethernet 0/1 switchport – shows detailed switchport information
show interfaces ethernet 0/1 trunk – displays trunk information for the port
show vtp status – displays the VTP configuration
show vtp counters – displays statistics on the VTP process

