NAT Project Report


Page 1: NAT Project Report

Six Months Industrial Training Report

On

Network Address Translation(NAT)

At

HCL Infosystems Ltd.

Submitted in partial fulfillment of the requirements

for the award of the degree of

Bachelor of Technology

Submitted To: Mr. Rakesh Khanna, ECE Deptt.

Submitted By: Komalbir Singh, 7070405482, ECE/8th sem

1

Page 2: NAT Project Report

PREFACE

This project, “NAT (Network Address Translation)”, provides information for the Internet community. When a client attempts to access a server in a data center, the client puts its own IP address in the IP header of the packets it sends to the server. An ACL placed between the client and the server can either preserve the client IP address or translate it to a routable address in the server network, based on a pool of reserved dynamic NAT addresses or a static NAT address mapping, and pass the request on to the server. This project does not specify an Internet standard of any kind. Distribution of this project is unlimited. You can use private addresses on your inside networks; private addresses are not routable on the Internet. NAT hides the local addresses from other networks, so attackers cannot learn the real address of a server in the data center. You can also resolve IP routing problems such as overlapping addresses when you have two interfaces connected to overlapping subnets.

This document defines basic terminology for describing different types of Network Address Translation (NAT) behavior when handling Unicast UDP and also defines a set of requirements that would allow many applications, such as multimedia communications or online gaming, to work consistently. Developing NATs that meet this set of requirements will greatly increase the likelihood that these applications will function properly.

ACKNOWLEDGEMENT


First and foremost I thank GGSCMT-KHARAR for allowing me to complete my ‘Project’ successfully. I express my sincere gratitude to Mr. Manjot Singh (my project guide) and all those who initiated and helped me in the successful completion of this project. Sincere thanks and profound gratitude to my guide Ms. Anupama (Faculty, GGSCMT) for helping me in carrying out the project and for much valuable and useful information while bringing out this project. I again express my sincere gratitude to Mr. Rakesh Khanna, Head of Department (ECE), and to my respected teachers of GGSCMT KHARAR for their kind consent, expert guidance, valuable suggestions and affectionate encouragement.

I also express my gratitude towards all the people associated with the project for their support, co-operation and cheerful readiness in reviewing this project. Last but not least, I am very thankful to my parents, who are my source of inspiration in every field of life.

Komalbir Singh

ECE (8th Sem)


INDEX

1. INTRODUCTION PAGE NO.

a. ABOUT COMPANY 7-8

b. ABOUT PROJECT 9-11

c. TEAM ROLE 11-12

2. PROJECT ANALYSIS 13-14

a. FEASIBILITY STUDY

i. TECHNICAL FEASIBILITY

ii. BEHAVIORAL / OPERATIONAL FEASIBILITY

iii. ECONOMICAL FEASIBILITY

b. H/W & S/W SPECIFICATION

c. REQUIREMENT ANALYSIS

i. WORK FLOW DIAGRAM

3. DESIGN

i. MODULE

ii. IMPLEMENTATION AND MAINTENANCE


4. TESTING

i. ALPHA TESTING

ii. BETA TESTING

5. SNAPSHOTS

6. FUTURE SCOPE

7. CONCLUSION

8. BIBLIOGRAPHY


Introduction:-

This document explains configuring Network Address Translation (NAT) on a Cisco router for use in common network scenarios. The target audience of this document is first time NAT users.

Note: In this document, when the internet, or an internet device is referred to, it means a device on any external network.

Company’s Profile:-

HCL Enterprise Limited (formerly known as HCL Computers Limited) is one of India's largest electronics, computing and information technology companies. Based in Noida, near Delhi, the company comprises two publicly listed Indian companies, HCL Technologies and HCL Infosystems.

HCL was founded in 1976 by Shiv Nadar, Arjun Malhotra, Subhash Arora, Ajai Chowdhry, DS Puri and Yogesh Vaidya. HCL was focused on addressing the IT hardware market in India for the first two decades of its existence, with some sporadic activity in the global market. In 1981, HCL seeded a company focused on addressing the computer training industry, NIIT, though it has currently divested its stake in that company. In 1991, HP took a minority stake in the company (26%) and the company was known as HCL HP for the five years of the joint venture. On termination of the joint venture in 1996, HCL became an enterprise which comprises HCL Technologies (to address the global IT services market) and HCL Infosystems (to address the Indian and APAC IT hardware market). HCL has since then operated as a holding company.


HCL Infosystems Ltd., a listed subsidiary of HCL, is an India-based hardware and systems integrator. It claims a presence in 170 locations and 300 service centres. Its manufacturing facilities are based in Chennai, Pondicherry and Uttarakhand. Its headquarters is in Noida.

HCL Peripherals (a unit of HCL Infosystems Ltd.), founded in the year 1983, has established itself as a leading manufacturer of computer peripherals in India, encompassing display products, thin client solutions, information and interactive kiosks and a wide range of networking products and solutions. HCL Peripherals has two manufacturing facilities, one in Pondicherry (electronics) and the other in Chennai (mechanical). The company has been accredited with ISO 9001:2000 and ISO 14001.

As the training arm of HCL Infosystems, HCL Career Development Centre (CDC) carries forth a legacy of excellence spanning more than three decades. HCL CDC is an initiative that enables individuals and organisations to benefit from HCL's deep expertise in the IT space.

Among the fastest growing IT education brands in India, HCL CDC offers a complete spectrum of quality training programs on software, hardware and networking, as well as global certifications in association with leading IT organisations worldwide.


About Project:-

In today’s Internet the two main problems related to the IP protocol are the shortage of IP addresses and scaling in routing. Long-term solutions to these problems are being developed, such as IPv6, but they will take time to be widely accepted. Meanwhile, short-term solutions are proposed and used that help to delay the problems for some time. One of these solutions is Network Address Translation (NAT), the implementation of which is the subject of our project.

The principle of NAT is IP address reuse, which can be used in small and mid-range local networks. NAT uses the fact that in these environments a very small percentage of hosts are communicating outside their local domain at any given time. That is to say, almost all TCP/IP packets on the local network are destined to hosts in this local network, and thus these hosts can have IP addresses that are not globally unique. The NAT module placed at the border router of the domain performs IP address translation inside IP datagrams passing through it in both directions. When an IP datagram is sent from a local host to the Internet with a local IP address that is not globally unique, the NAT module substitutes it with a globally unique IP address taken from a pool, and sends the datagram out. In the reverse direction the reverse translation is needed.

The possible changes in datagrams involved in the translation are as follows: change of the Source or Destination IP address in the IP header; adjustment of the IP Checksum in the IP header because of changes in the header; also the TCP Checksum, because it reflects changes in IP address; and all places in the data portion of TCP, UDP, ICMP and other packets where source or destination IP addresses are stored.

Undoubtedly, it is impossible to do the right translation needed in all possible TCP/IP applications. So our implementation of NAT will support the general set of protocols and applications, such as FTP, Telnet, HTTP, ICMP and others.

Types of NAT

NAT can be implemented using one of three methods:

Static NAT – performs a static one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall/router.

Dynamic NAT – utilizes a pool of global addresses to dynamically translate the outbound traffic of clients behind a NAT-enabled device.

NAT Overload or Port Address Translation (PAT) – translates the outbound traffic of clients to unique port numbers off of a single global address. PAT is necessary when the number of internal clients exceeds the available global addresses.

NAT Terminology

Specific terms are used to identify the various NAT addresses:

• Inside Local – The specific IP address assigned to an inside host behind a NAT-enabled device (usually a private address).

• Inside Global – The address that identifies an inside host to the outside world (usually a public address). Essentially, this is the dynamically or statically assigned public address assigned to a private host.

• Outside Global – The address assigned to an outside host (usually a public address).

• Outside Local – The address that identifies an outside host to the inside network. Often, this is the same address as the Outside Global. However, it is occasionally necessary to translate an outside (usually public) address to an inside (usually private) address.
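As an added example (Python, not code from the report), the three methods above can be modelled in one small gateway object that also labels each address with the terminology just defined. The addresses, the lookup order (static entry, then an existing dynamic binding, then a free pool address, then PAT) and the PAT port range are constructed assumptions, not the report's implementation:

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    """Constructed model: static one-to-one map, dynamic pool, and PAT on one global address."""
    static_map: dict = field(default_factory=dict)   # inside local -> inside global (one-to-one)
    pool: list = field(default_factory=list)         # free inside global addresses for dynamic NAT
    pat_ip: Optional[str] = None                     # the single inside global address used by PAT
    dynamic: dict = field(default_factory=dict)      # inside local -> inside global, taken from pool
    pat: dict = field(default_factory=dict)          # (inside local, local port) -> (pat_ip, global port)
    next_pat_port: int = 1024                        # assumed first port handed out by PAT

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source (inside local) to an inside global address and port."""
        if pkt.src_ip in self.static_map:                        # static NAT
            return Packet(self.static_map[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip not in self.dynamic and self.pool:         # dynamic NAT: bind a pool address
            self.dynamic[pkt.src_ip] = self.pool.pop(0)
        if pkt.src_ip in self.dynamic:
            return Packet(self.dynamic[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.pat_ip is None:
            raise RuntimeError("pool exhausted and no PAT address configured")
        key = (pkt.src_ip, pkt.src_port)                         # PAT: one address, unique ports
        if key not in self.pat:
            self.pat[key] = (self.pat_ip, self.next_pat_port)
            self.next_pat_port += 1
        gip, gport = self.pat[key]
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse direction: map the destination (inside global) back to the inside local host.
        Returns None when no entry exists, i.e. an unsolicited packet the gateway should drop."""
        for table in (self.static_map, self.dynamic):
            for local, glob in table.items():
                if glob == pkt.dst_ip:
                    return Packet(pkt.src_ip, pkt.src_port, local, pkt.dst_port)
        for (local, lport), (gip, gport) in self.pat.items():
            if (gip, gport) == (pkt.dst_ip, pkt.dst_port):
                return Packet(pkt.src_ip, pkt.src_port, local, lport)
        return None


def roles(before: Packet, after: Packet) -> dict:
    """Name the four addresses of an outbound translation with the report's terminology."""
    return {"inside_local": before.src_ip,
            "inside_global": after.src_ip,
            "outside_global": after.dst_ip,
            "outside_local": before.dst_ip}   # same as outside global here: the outside is not translated


if __name__ == "__main__":
    gw = NatGateway(static_map={"10.0.0.5": "203.0.113.5"}, pool=["203.0.113.10"], pat_ip="203.0.113.1")
    for p in (Packet("10.0.0.5", 40000, "198.51.100.7", 80),
              Packet("10.0.0.20", 40001, "198.51.100.7", 80),
              Packet("10.0.0.21", 40002, "198.51.100.7", 80),
              Packet("10.0.0.22", 40002, "198.51.100.7", 443)):
        print(roles(p, gw.translate_outbound(p)))
```

Running it shows the third and fourth hosts both keeping local port 40002 yet leaving with distinct global ports, which is exactly what lets PAT serve more clients than it has addresses; an inbound packet whose destination port is not in the PAT table gets no translation and is dropped at the border.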

Team role

Teamwork is work performed by a team towards a common goal: a dynamic process involving two or more healthcare professionals with complementary backgrounds and skills, sharing common health goals and exercising concerted physical and mental effort in assessing, planning, or evaluating patient care.

Workplace Activities: Because teamwork is important to a productive and healthy work environment, teamwork activities should be a part of the workplace. Possible activities include job swapping, where workers swap jobs with each other to develop empathy. It also requires workers to help each other to learn the jobs. Another idea is to start a team newsletter that provides the latest information on activities and accomplishments of the team members.

Projects: Projects require that team members work together to achieve a common goal. Projects can involve activities like putting puzzles together or cleaning up or rebuilding a property. Projects typically involve assigning each team member a specific task that he is responsible for completing, which helps to develop trust within the team.

If we consider the teamwork regarding my project, it has been a good exposure for me. But the project was assigned to me individually, in order to understand the core of the technology of the project. It has been a great learning experience under the expertise of Manjot Singh (HCL Infosystems trainer), an expert in NAT, PAT, routing, troubleshooting etc. I managed to learn a lot under his teaching. It has been an amazing experience for me, which helped me enlarge my knowledge regarding the project through teamwork. I was considered to be the designer and implementor of the NAT technology.


Project Analysis

The main purpose of conducting system analysis is to study the various processes and to find out their requirements. These may include ways of capturing or processing data, producing information, controlling a business activity or supporting management. The determination of requirements entails studying the existing details about it to find out what these requirements are.

System analysis has been conducted with the following objectives in mind:

1. Identify the customers’ needs.

2. Evaluate the system concept of feasibility.

3. Perform economic and technical analysis.

4. Allocate functions to hardware, software, people, database and other system elements.

5. Establish cost and schedule constraints.

6. Create a system definition that forms the foundation for all subsequent

engineering work.

System analysis includes requirement analysis. Requirement analysis is the task of discovery, refinement, modeling and specification. Requirement analysis allows the software engineer to refine the software allocation and build models of the data, functional and behavioral domains that will be treated by software. The requirement specification provides the developer and the customer with the means to assess quality once the software is built.

During the analysis phase of development of this project the following set of principles was considered:

1. The information domain of a problem must be represented and understood.

2. The functions that the software is to perform must be defined.

3. The behavior of the software must be represented.

4. The models that depict information, function and behavior must be partitioned in a manner that uncovers detail in a layered fashion.

The analysis process should move from essential information towards implementation detail.

Feasibility Study

It is a very important aspect of any project report. There is always a chance of manual errors. The cost factor is also there, which depends upon the size of the work. Feasibility studies aim to objectively and rationally uncover the strengths and weaknesses of the existing business or proposed venture, the opportunities and threats presented by the environment, the resources required to carry it through, and ultimately the prospects for success. In its simplest terms, the two criteria to judge feasibility are the cost required and the value to be attained. As such, a well-designed feasibility study should provide a historical background of the business or project, a description of the product or service, accounting statements, details of the operations and management, marketing research and policies, financial data, legal requirements and tax obligations. Generally, feasibility studies precede technical development and project implementation.

Technical Feasibility

In the preliminary investigation phase, we examine the feasibility of the project. We find out the likelihood that the network which we established will be useful to the organization. We determine whether the solution is viable or not. For this purpose, the analyst clearly establishes the feasibility of each alternative, testing for benefits, costs and other resources.

Behavioral / Operational Feasibility

For any network which we implement and which is used by an organization, its behavioral nature must be analyzed. This means that if an organization wants to access the Internet on many systems by using only one Internet service provider, then it can be done with the help of NAT.

Operational feasibility is a measure of how well a proposed system solves the problems and takes advantage of the opportunities identified during scope definition, and how it satisfies the requirements identified in the requirements analysis phase of system development.

Economical Feasibility

This project does not specify an Internet standard of any kind. Distribution of this project is unlimited. You can use private addresses on your inside networks. Private addresses are not routable on the Internet. NAT hides the local addresses from other networks, so attackers cannot learn the real address of a server in the data center. You can resolve IP routing problems such as overlapping addresses when you have two interfaces connected to overlapping subnets.

Economic analysis is the most frequently used method for evaluating the effectiveness of a new system. More commonly known as cost/benefit analysis, the procedure is to determine the benefits and savings that are expected from a candidate system and compare them with costs. If benefits outweigh costs, then the decision is made to design and implement the system. An entrepreneur must accurately weigh the costs versus benefits before taking an action.

Cost-based study: It is important to identify cost and benefit factors, which can be categorized as follows: 1. Development costs; and 2. Operating costs. This is an analysis of the costs to be incurred in the system and the benefits derivable out of the system.

Time-based study: This is an analysis of the time required to achieve a return on investments. The future value of a project is also a factor.


S/W & H/W Requirement Specification

The information in this document is based on these software and hardware versions:

Cisco 2500 Series Routers
Cisco IOS® Software Release 12.2 (10b)
Cisco Switches
Cisco Hubs
Wireless Device
Copper Straight-Through Cable
Copper Cross-Over Cable
Fiber Optics Cable
Coaxial Cable
Serial DCE Cable
Serial DTE Cable

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Windows XP
Windows Server 2003
Server & Client

This document is also not restricted to specific software and hardware versions.


Requirements Analysis

1. Elicitation – determine the operational requirements (user needs and customer expectations).

2. Analysis – translate operational requirements into technical specifications.

3. Documentation – record the operational requirements and technical specifications.

4. Verification – check that specifications are complete, correct and consistent with needs and expectations.

5. Generate acceptance test scenarios.

6. Requirements Management – control changes to requirements.

Protocol Used

Transmission Control Protocol

Similar to the incoming translation thread, the cases of establishment and termination of connections, regarding the SYN and FIN flags, are the same. The special case here is the FTP command connection. (We detect an FTP command connection by the destination port number 21 in the TCP header.) It can contain the source IP address in ASCII form inside the data portion of the TCP segment (the PORT command). It should be translated as well, like the source IP in the IP header. We also need to adjust the TCP checksum, because it covers the whole TCP segment including the data. We must also fix the IP total length field, because the replaced IP was in ASCII, and the new one could be shorter or longer (in ASCII).
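Added example (Python, not the report's C implementation): it constructs a sample FTP control segment, performs the outbound translation described above (IP source address, the ASCII address in the PORT command, the IP total length, and both checksums) and verifies the result by re-summing the headers. The packet layout assumes no IP or TCP options; all addresses and ports are constructed.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words; odd length is padded with a zero byte."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header (addresses, protocol 6, length) plus the whole segment,
    which is why a changed IP address or a changed payload both invalidate it."""
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload: bytes, flags=0x18) -> bytes:
    """Constructed sample datagram: 20-byte IPv4 header + 20-byte TCP header + payload, checksums filled in."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload)
    struct.pack_into("!H", tcp, 16, tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                               ip_bytes(src_ip), ip_bytes(dst_ip)))
    struct.pack_into("!H", ip, 10, checksum(ip))
    return bytes(ip + tcp)


def translate_ftp_outbound(packet: bytes, new_src_ip: str) -> bytes:
    """Outbound NAT for one TCP datagram: rewrite the IP source and, when the segment is an FTP
    control segment (destination port 21) carrying a PORT command with the old source address in
    ASCII, rewrite that too. Then fix the IP total length, the IP checksum and the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    old_src, dst = ip_str(ip[12:16]), ip_str(ip[16:20])
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    payload = bytes(tcp[data_off:])
    if dport == 21 and payload.startswith(b"PORT "):
        old_ascii = old_src.replace(".", ",").encode()       # PORT h1,h2,h3,h4,p1,p2
        new_ascii = new_src_ip.replace(".", ",").encode()
        payload = payload.replace(old_ascii, new_ascii, 1)    # the ASCII length may change
        tcp = tcp[:data_off] + payload
    ip[12:16] = ip_bytes(new_src_ip)
    struct.pack_into("!H", ip, 2, ihl + len(tcp))             # total length follows the new payload size
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, checksum(ip))
    struct.pack_into("!H", tcp, 16, 0)
    struct.pack_into("!H", tcp, 16, tcp_checksum(new_src_ip, dst, bytes(tcp)))
    return bytes(ip + tcp)


def checksums_ok(packet: bytes) -> bool:
    """With a correct checksum field in place, the ones-complement sum of the covered bytes folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    return checksum(ip) == 0 and tcp_checksum(ip_str(ip[12:16]), ip_str(ip[16:20]), tcp) == 0


def total_length(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]


def payload_of(packet: bytes) -> bytes:
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + (packet[ihl + 12] >> 4) * 4:]
```

The rewritten PORT line in the sample is three bytes longer than the original, so the TCP sequence numbers of every later outbound segment on that connection, and the acknowledgment numbers coming back, are off by three; a complete NAT keeps that per-connection offset in its table and adjusts the seq/ack fields, which this single-segment example does not do.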


If the SYN flag is on, it means that a TCP connection is being established, so we must trace the TCP 3-way handshake to be sure that a connection has been established, and then raise a flag in the Translation Table telling that there is an active TCP connection in this entry. If the FIN flag is on, it means that a TCP connection is being terminated, so we must trace the TCP connection shutdown mechanism to be sure that the connection has been closed. Then we clear the flag, and this entry can be cleared in case of global IP address shortage.

Local_IP – The local IP address of the local host.

Global_IP – The globally unique IP (that is bound to the local IP if this entry is in use).

Conn Protocol – This field is for identifying which type of connection this host is using: TCP or other. Used in the Timeout detection algorithm (as will be described below).

Timestamp – Also used in the Timeout detection algorithm. This field is updated each time this entry is used, i.e. an IP packet is sent from or to this IP address. Thus we can always find the entry which is the longest idle session.

TCP_State – This field reflects the current state of the TCP connection, for use with the Timeout detection algorithm. Used to trace when the TCP connection is completely established or shut down.
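Added example (Python, not the report's implementation): a translation table with the fields listed above, the SYN/FIN tracing described for TCP, and the timestamp-based reclaim of the longest idle entry when the global pool is exhausted. The idle limits (24 hours for an established TCP entry, 300 seconds for other protocols), the state names and the explicit `now`
parameter are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP flag bits as they appear in the TCP header flags byte
FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass
class Entry:
    local_ip: str            # Local_IP
    global_ip: str           # Global_IP
    protocol: str            # Conn Protocol: "TCP" or "other"
    timestamp: float         # Timestamp: last time a packet used this entry
    tcp_state: str = "NONE"  # TCP_State: NONE, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, LAST_ACK, CLOSED
    active: bool = False     # the "active TCP connection" flag raised after the 3-way handshake
    fin_from_inside: Optional[bool] = None  # which side sent the first FIN


class TranslationTable:
    """Constructed model of the report's table; the idle limits are assumed values."""

    def __init__(self, pool: List[str], tcp_idle: float = 86400.0, other_idle: float = 300.0):
        self.pool = list(pool)                 # free global addresses
        self.entries: Dict[str, Entry] = {}    # local_ip -> Entry
        self.tcp_idle, self.other_idle = tcp_idle, other_idle

    def allocate(self, local_ip: str, protocol: str, now: float) -> Optional[Entry]:
        """Find or create the entry for a local host. When the pool is empty, reclaim the longest idle
        reclaimable entry; return None if nothing can be reclaimed (the packet is dropped)."""
        entry = self.entries.get(local_ip)
        if entry:
            entry.timestamp = now
            return entry
        if not self.pool:
            victim = self.longest_idle(now)
            if victim is None:
                return None
            del self.entries[victim.local_ip]
            self.pool.append(victim.global_ip)
        entry = Entry(local_ip, self.pool.pop(0), protocol, now)
        self.entries[local_ip] = entry
        return entry

    def observe_tcp(self, entry: Entry, flags: int, outbound: bool, now: float) -> str:
        """Trace the 3-way handshake and the close sequence on a TCP entry; returns the new state."""
        entry.timestamp = now
        s = entry.tcp_state
        if flags & SYN and not flags & ACK and outbound:
            s = "SYN_SENT"
        elif flags & SYN and flags & ACK and s == "SYN_SENT" and not outbound:
            s = "SYN_RECEIVED"
        elif flags & ACK and s == "SYN_RECEIVED" and outbound:
            s, entry.active = "ESTABLISHED", True           # handshake complete: raise the flag
        elif flags & FIN and s == "ESTABLISHED":
            s, entry.fin_from_inside = "FIN_WAIT", outbound
        elif flags & FIN and s == "FIN_WAIT" and outbound != entry.fin_from_inside:
            s = "LAST_ACK"                                    # both sides have now sent FIN
        elif flags & ACK and s == "LAST_ACK":
            s, entry.active = "CLOSED", False                 # shutdown complete: clear the flag
        entry.tcp_state = s
        return s

    def reclaimable(self, entry: Entry, now: float) -> bool:
        idle = now - entry.timestamp
        if entry.protocol == "TCP":
            return entry.tcp_state in ("NONE", "CLOSED") or idle > self.tcp_idle
        return idle > self.other_idle

    def longest_idle(self, now: float) -> Optional[Entry]:
        """The reclaimable entry with the oldest timestamp, which is what the Timestamp field is for."""
        candidates = [e for e in self.entries.values() if self.reclaimable(e, now)]
        return min(candidates, key=lambda e: e.timestamp, default=None)
```

An entry whose handshake completed is protected until its connection closes or its idle limit passes; a non-TCP entry is only ever reclaimed by idle time, since there is no close sequence to observe. Tracking the state is also what prevents the gateway from handing an inside host's global address to another host while a connection is still open.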


ICMP

When an ICMP error message arrives, besides the regular NAT IP header translation, we also need to change the ICMP data field, because it contains the IP header plus the first 8 bytes of data of the original IP datagram that generated the problem. We need to fix the IP address in this header (inside the ICMP data field), and the ICMP checksum as well. The rest of the protocols need no changes in their headers and data.
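Added example (Python, not the report's code) of the ICMP case above: an outside router returns a destination-unreachable message for a datagram the inside host sent, so the inside global address appears twice, as the outer destination and as the source inside the embedded IP header, and both are rewritten before the embedded IP checksum, the ICMP checksum and the outer IP checksum are recomputed. The scenario, addresses and the ICMP type list are constructed.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, the same algorithm IP and ICMP headers use."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 datagram with a 20-byte header and a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                                ip_bytes(src), ip_bytes(dst)))
    struct.pack_into("!H", hdr, 10, checksum(hdr))
    return bytes(hdr) + payload


def build_icmp_unreachable(original: bytes) -> bytes:
    """ICMP type 3 (destination unreachable), code 1: 8-byte ICMP header, then the original
    datagram's IP header and its first 8 bytes of data, as the text describes."""
    inner_ihl = (original[0] & 0x0F) * 4
    icmp = bytearray(struct.pack("!BBHI", 3, 1, 0, 0) + original[:inner_ihl + 8])
    struct.pack_into("!H", icmp, 2, checksum(icmp))
    return bytes(icmp)


def translate_icmp_error_inbound(packet: bytes, global_ip: str, local_ip: str) -> bytes:
    """Inbound NAT for an ICMP error. Non-error ICMP (echo etc.) takes the regular header-only path,
    which is not shown here, so it is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    ip, icmp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    if ip[9] != 1 or icmp[0] not in (3, 4, 5, 11, 12):   # ICMP error types that embed a datagram
        return packet
    # 1. outer header: destination inside global -> inside local
    if bytes(ip[16:20]) == ip_bytes(global_ip):
        ip[16:20] = ip_bytes(local_ip)
    # 2. embedded header starts 8 bytes into the ICMP message; its *source* was translated outbound
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) >= inner_ihl and bytes(inner[12:16]) == ip_bytes(global_ip):
        inner[12:16] = ip_bytes(local_ip)
        struct.pack_into("!H", inner, 10, 0)
        struct.pack_into("!H", inner, 10, checksum(inner[:inner_ihl]))
        icmp[8:] = inner
    # 3. ICMP checksum covers the whole message including the embedded data
    struct.pack_into("!H", icmp, 2, 0)
    struct.pack_into("!H", icmp, 2, checksum(icmp))
    # 4. outer IP header checksum last, after the destination changed
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, checksum(ip))
    return bytes(ip + icmp)


def icmp_error_checksums_ok(packet: bytes) -> bool:
    """All three checksums (outer IP, ICMP, embedded IP) fold to zero when correct."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    inner_ihl = (icmp[8] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0 and checksum(icmp) == 0 and checksum(icmp[8:8 + inner_ihl]) == 0


def embedded_source(packet: bytes) -> str:
    ihl = (packet[0] & 0x0F) * 4
    return ".".join(str(b) for b in packet[ihl + 8 + 12:ihl + 8 + 16])


def sample_exchange() -> dict:
    """Constructed scenario: inside host 10.0.0.5 (inside global 203.0.113.5) sent a UDP datagram to
    198.51.100.7; an outside router 198.51.100.1 answers with host-unreachable."""
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"data"
    original = build_ipv4("203.0.113.5", "198.51.100.7", 17, udp)
    error = build_ipv4("198.51.100.1", "203.0.113.5", 1, build_icmp_unreachable(original))
    return {"error": error, "translated": translate_icmp_error_inbound(error, "203.0.113.5", "10.0.0.5")}
```

The 8 bytes of transport data that follow the embedded header hold the original source and destination ports, which a PAT gateway has to read to find the right table entry; this example maps by address only, as the report's table does.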


Work Flow Diagram


DESIGN

System Design

Modules

The project will consist of four main modules:

1. The NAT gateway module

2. The packet monitor module

3. The MAC level API

4. The IP level API

Modules interaction:


The NAT gateway

The NAT module, which sits between the local network and the router as described in the introduction, is composed mainly of four threads, in two pairs. Each pair does a similar task but from the opposite direction.

The four threads are:

• Listhen_Local_thread

• Listhen_Global_thread

• Translate_To_Local_thread

The threads cooperate through common data structures, which are:

• Ip_translation_Table

• Local_Ip_Packet_Buff

• Global_Ip_Packet_Buff

In addition, each thread communicates with the appropriate network through the IP API.


NAT gateway modules interaction:


The packet monitor

Packet monitor will be implemented as a stand-alone Windows application. It can be used on any NT machine which has the PACKET32.DLL device driver installed (this driver is needed to directly access a NIC). The monitor is capable of displaying and filtering packets on the MAC, IP and upper layers. Monitor results can be saved to a disk file for printing, studying TCP/IP protocols, and debugging network problems.

The blocks are:

Receiver - A thread looping infinitely, that receives all packets that pass through the chosen NIC. It listens on the NIC in promiscuous mode, and thus gets all the packets that pass on the wire, not only those destined to that NIC or broadcast. Whenever a packet arrives, it puts it in the Frame Buffer, and notifies the Filter and Display module that there is a packet to process. This takes very little time, and it continues to listen for the next packet, so the chance of losing packets because of processing is small and depends on the size of the frame buffer.


Frame buffer - Implemented as a circular queue. Size is user configurable. The elements of queue are buffers of 1514 bytes each, that is maximum size of an Ethernet frame (1500 bytes for data plus 14 bytes for header).

Filter and Display - Performs decoding of the frame received from the frame buffer. Decoding is performed from the bottom up, i.e. MAC data type, then IP protocol type (TCP, UDP, and ICMP), then TCP/UDP port, etc. Discards packets that do not match the current filtering mode. Filtering can be performed by:

1. Packet type: All, IP, ICMP, ARP/RARP, TCP and UDP

2. Source address: MAC/IP

3. Destination address: MAC/IP
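Added example (Python; the monitor itself is a Windows program, so this is not its code): a bottom-up frame decoder with the three filters above, run on three constructed frames. It also shows the length checks a decoder needs so that a truncated or oversized frame is reported as malformed instead of being read past its end. The frames, MAC addresses and IP addresses are constructed.

```python
import struct

ETH_IP, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
MAX_FRAME = 1514   # 1500 bytes of data plus the 14-byte Ethernet header, as the frame buffer assumes


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """Bottom-up decode: Ethernet header, then IPv4 header, then TCP/UDP ports or ICMP type.
    Every length is checked before the next layer is read."""
    out = {"type": "other", "length": len(frame)}
    if len(frame) < 14 or len(frame) > MAX_FRAME:
        out["type"] = "malformed"
        return out
    out["dst_mac"], out["src_mac"] = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (ETH_ARP, ETH_RARP):
        out["type"] = "ARP/RARP"
        return out
    if ethertype != ETH_IP:
        return out
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        out["type"] = "malformed"
        return out
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):   # header length and total length must fit
        out["type"] = "malformed"
        return out
    proto = ip[9]
    out.update(type="IP", src_ip=ip_str(ip[12:16]), dst_ip=ip_str(ip[16:20]), proto=proto)
    l4 = ip[ihl:total_len]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        out["type"] = "TCP" if proto == PROTO_TCP else "UDP"
        out["src_port"], out["dst_port"] = struct.unpack("!HH", l4[:4])
    elif proto == PROTO_ICMP and len(l4) >= 2:
        out["type"], out["icmp_type"] = "ICMP", l4[0]
    return out


def matches(decoded: dict, packet_type: str = "All", src: str = None, dst: str = None) -> bool:
    """The monitor's three filters: packet type, then source and destination given as MAC or IP."""
    if packet_type == "All":
        type_ok = True
    elif packet_type == "IP":
        type_ok = decoded["type"] in ("IP", "TCP", "UDP", "ICMP")
    else:
        type_ok = decoded["type"] == packet_type
    src_ok = src is None or src in (decoded.get("src_mac"), decoded.get("src_ip"))
    dst_ok = dst is None or dst in (decoded.get("dst_mac"), decoded.get("dst_ip"))
    return type_ok and src_ok and dst_ok


def make_frame(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def make_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero: decoding does not verify it)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b) + payload


def sample_frames() -> dict:
    """Three constructed frames: a TCP SYN to port 80, a DNS query over UDP, and a broadcast ARP request."""
    host, gw = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 53000, 53, 8, 0)
    return {
        "tcp": make_frame(host, gw, ETH_IP, make_ipv4("10.0.0.5", "198.51.100.7", PROTO_TCP, tcp)),
        "udp": make_frame(host, gw, ETH_IP, make_ipv4("10.0.0.5", "10.0.0.1", PROTO_UDP, udp)),
        "arp": make_frame(host, b"\xff" * 6, ETH_ARP, b"\x00" * 28),
    }
```

The "IP" filter is a family filter (it accepts TCP, UDP and ICMP as well as other IP protocols), while "TCP", "UDP", "ICMP" and "ARP/RARP" match one decoded type exactly; a frame that fails a length check is classified as malformed and never reaches the port decoding.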

Monitor Main Window and Control - The monitor is a menu-driven Windows application, so it has a main window's procedure, which processes all messages that are sent to it. That includes messages from the menu (i.e. user), or from inner tasks (Receiver thread, Display module). It also controls all monitoring process, i.e. starts/stops monitoring, saves results to a disk,

The MAC level API

Set of data structures and functions enabling access to Ethernet frames. Direct access to packets is achieved by the use of the device driver PACKET32.DLL (it is given, and not a part of our project).

Data structures needed include:

ETHERADR - Ethernet 6-byte address;

ETHERHDR - Ethernet header (old format, RFC 894);

ETHER802HDR - Ethernet header (IEEE 802.3 format, RFC 1042);

Also a set of constants related to these structures is defined, such as maximum frame size and encapsulated protocol types. All low-level functions of MAC level are already provided to us by the device driver PACKET32.DLL, such as PacketReceivePacket(), PacketSendPacket() and so on. So we need only implement some miscellaneous functions, which will be useful in Packet Monitor,

The IP level API


Set of data structures and functions enabling various work with IP datagrams. Uses the MAC level API to receive/send IP datagrams. Data structures needed include:

IPADR - IP address;

IPHDR - IP header;

Also a set of constants related to these structures is defined, such as encapsulated protocol type. Functions needed:

IPGetPacket(LPADAPTER lpadp, BYTE *buf) - Listen for the next incoming IP datagram;

IPSendPacket(LPADAPTER lpadp, BYTE *buf) - Send an IP datagram;

char *IPAddrToStr(PIPADR p, char *str) - Convert an IP address to a string;

Implementation and Maintenance

VLAN

I think it’s about time to give you some actual examples to make this clear to you. This example shows you how to configure four things:

1. How to configure a port connected to an IP phone to use the CoS value for classifying incoming traffic

2. How to configure the port to use IEEE 802.1p priority tagging for voice traffic

3. How to configure it to use the Voice VLAN (10) to carry all voice traffic

4. And last, how to configure VLAN 3 to carry PC data


Configuring Inter-VLAN Routing

ISR#config t
ISR(config)#int f0/0.1
ISR(config-subif)#encapsulation ?
dot1Q IEEE 802.1Q Virtual LAN
ISR(config-subif)#

Notice that my 2811 router (named ISR) only supports 802.1Q. We’d need an older-model router to run the ISL encapsulation, but why bother? The subinterface number is only locally significant, so it doesn’t matter which subinterface numbers are configured on the router. Most of the time, I’ll configure a subinterface with the same number as the VLAN I want to route. It’s easy to remember that way, since the subinterface number is used only for administrative purposes. It’s really important that you understand that each VLAN is a separate subnet. True, I know—they don’t have to be. But it really is a good idea to configure your VLANs as separate subnets, so just do that. Now, I need to make sure you’re fully prepared to configure inter-VLAN routing, as well as determine the port IP addresses of hosts connected in a switched VLAN environment. And as always, it’s also a good idea to be able to fix any problems that may arise. To set you up for success, let me give you a few examples.

By this point in the book, you should be able to determine the IP address, masks, and default gateways of each of the hosts in the VLANs. The next step after that is to figure out which subnets are being used. By looking at the router configuration in the figure, you can see that we’re using 192.168.1.64/26 with VLAN 1 and 192.168.1.128/27 with VLAN 10. And by looking at the switch configuration, you can see that ports 2 and 3 are in VLAN 1 and port 4 is in VLAN 10. This means that HostA and HostB are in VLAN 1 and HostC is in VLAN 10.

Here’s what the hosts’ IP addresses should be:

HostA: 192.168.1.66, 255.255.255.192, default gateway 192.168.1.65

HostB: 192.168.1.67, 255.255.255.192, default gateway 192.168.1.65

HostC: 192.168.1.130, 255.255.255.224, default gateway 192.168.1.129

The hosts could be any address in the range—I just chose the first available IP address after the default gateway address. That wasn’t so hard, was it?

Inter-VLAN example 2

Figure (inter-VLAN example 2): hosts HostA to HostF spread across VLAN 1, VLAN 2 and VLAN 3 on switch ports Fa0/1 to Fa0/6, with the router interface Fa0/0 towards the Internet.

The configuration of the switch would look something like this:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/5
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/6
2960(config-if)#switchport access vlan 2

Before we configure the router, we need to design our logical network:

VLAN 1: 192.168.10.16/28

VLAN 2: 192.168.10.32/28

VLAN 3: 192.168.10.48/28

The configuration of the router would then look like this:

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240

The hosts in each VLAN would be assigned an address from their subnet range, and the default gateway would be the IP address assigned to the router’s subinterface in that VLAN.

Now, let’s take a look at another figure and see if you can determine the switch and router configurations without looking at the answer—no cheating! Figure 9.11 shows a router connected to a 2960 switch with two VLANs. One host in each VLAN is assigned an IP address. What are your router and switch configurations based on these IP addresses?

Since the hosts don’t list a subnet mask, you have to look for the number of hosts used in each VLAN to figure out the block size. VLAN 1 has 85 hosts and VLAN 2 has 115 hosts. Each of these will fit in a block size of 128, which is a /25 mask, or 255.255.255.128.


Inter-VLAN example 3

Figure (inter-VLAN example 3): VLAN 1 with 85 hosts, HostA 172.16.10.126; VLAN 2 with 115 hosts, HostB 172.16.10.129; switch ports F0/1, F0/2 and F0/3.

You should know by now that the subnets are 0 and 128; the 0 subnet (VLAN 1) has a host range of 1–126, and the 128 subnet (VLAN 2) has a range of 129–254. You can almost be fooled, since HostA has an IP address of 126, which makes it almost seem that HostA and HostB are in the same subnet. But they’re not, and you’re way too smart by now to be fooled by this one!

Here is the switch configuration:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 2

Here is the router configuration:

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128

I used the first address in the host range for VLAN 1 and the last address in the range for VLAN 2, but any address in the range would work. You just have to configure the host’s default gateway to whatever you make the router’s address.Now, before we go on to the next example, I need to make sure you know how to set the IP address on the switch. Since VLAN 1 is typically the administrative VLAN, we’ll use an IP address from that pool of addresses. Here’s how to set the IP address of the switch (I’m not nagging, but you really should already know this!):

2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 172.16.10.2 255.255.255.128
2960(config-if)#no shutdown

Yes, you have to do a no shutdown on the VLAN interface. One more example, and then we’ll move on to VTP—another important subject that you definitely don’t want to miss! In Figure 9.12 there are two VLANs. By looking at the router configuration, what’s the IP address, mask, and default gateway of HostA? Use the last IP address in the range for HostA’s address:

Inter-VLAN example 4

[Figure: Inter-VLAN example 4. VLAN 1: HostA on switch port F0/2. VLAN 2: HostB on F0/3. F0/1 connects the switch to the router. An address shown in the figure: 192.168.10.17.]

Router#config t
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 192.168.10.129 255.255.255.240
Router(config-subif)#int f0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.10.46 255.255.255.240

If you really look carefully at the router configuration (the hostname in this figure is just Router), there is a simple and quick answer. Both subnets are using a /28, or 255.255.255.240 mask, which is a block size of 16. The router’s address for VLAN 1 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN 1 is 143 and the valid host range is 129–142.
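The subnet arithmetic used in examples 3 and 4 (block size, broadcast address, valid host range, and which host address and default gateway to hand out) can be checked with Python's standard ipaddress module. This is an added example, not code from the report or from the CCNA material it draws on; the function names subnet_facts, host_config and same_subnet are my own, and it generalizes the hand calculation above to any mask rather than only the /25 and /28 cases.

```python
import ipaddress

def subnet_facts(router_addr, mask):
    """Work out the subnet a router (sub)interface address lives in and the
    figures the inter-VLAN examples ask for: block size, broadcast address
    and the valid host range. Works for any mask, not only /25 and /28."""
    iface = ipaddress.IPv4Interface(f"{router_addr}/{mask}")
    net = iface.network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "block_size": net.num_addresses,          # 16 for /28, 128 for /25
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "default_gateway": router_addr,           # the router's own address
    }

def host_config(router_addr, mask, pick="last"):
    """Pick the first or last usable address that is not the router's own and
    return the IP address / mask / default gateway a host on that VLAN needs."""
    net = ipaddress.IPv4Interface(f"{router_addr}/{mask}").network
    candidates = [str(h) for h in net.hosts() if str(h) != router_addr]
    chosen = candidates[-1] if pick == "last" else candidates[0]
    return {"ip": chosen, "mask": mask, "gateway": router_addr}

def same_subnet(addr_a, addr_b, mask):
    """True when two addresses fall in the same subnet under the given mask;
    this is the check that separates HostA (.126) from HostB (.129) in
    example 3 even though the numbers are adjacent."""
    net_a = ipaddress.IPv4Interface(f"{addr_a}/{mask}").network
    net_b = ipaddress.IPv4Interface(f"{addr_b}/{mask}").network
    return net_a == net_b

if __name__ == "__main__":
    # Inter-VLAN example 4: VLAN 1 router address 192.168.10.129/28
    print(subnet_facts("192.168.10.129", "255.255.255.240"))
    print(host_config("192.168.10.129", "255.255.255.240"))
    # Inter-VLAN example 3: are HostA and HostB in the same /25 subnet?
    print(same_subnet("172.16.10.126", "172.16.10.129", "255.255.255.128"))
```

For example 4 the block reports network 192.168.10.128, block size 16, broadcast .143 and host range .129 to .142, so the last usable address for HostA is .142 with .129 as the gateway, matching the answer that follows.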

So the host address would be this:

IP Address: 192.168.10.142
Mask: 255.255.255.240
Default Gateway: 192.168.10.129

Configuring VTP

All Cisco switches are configured to be VTP servers by default. To configure VTP, first you have to configure the domain name you want to use. And of course, once you configure the VTP information on a switch, you need to verify it.


By default, only hosts that are members of the same VLAN can communicate. To change this and allow inter-VLAN communication, you need a router or a layer 3 switch. I’m going to start with the router approach. To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface is divided into logical interfaces—one for each VLAN. These are called subinterfaces. From a Fast Ethernet or Gigabit interface, you can set the interface to trunk with the encapsulation command.

When you create the VTP domain, you have a bunch of options, including setting the domain name, password, operating mode, and pruning capabilities of the switch. Use the vtp global configuration mode command to set all this information. In the following example, I’ll set the S1 switch to vtp server, the VTP domain to Lammle, and the VTP password to todd:


S1#config t
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S1(config)#vtp password todd
Setting device VLAN database password to todd
S1(config)#do show vtp password
VTP Password: todd
S1(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x15 0x54 0x88 0xF2 0x50 0xD9 0x03 0x07
Configuration last modified by 192.168.24.6 at 3-14-93 15:47:32
Local updater ID is 192.168.24.6 on interface Vl1 (lowest numbered VLAN interface found)

Please make sure you remember that all switches are set to VTP server mode by default, and if you want to change any VLAN information on a switch, you absolutely must be in VTP server mode. After you configure the VTP information, you can verify it with the show vtp command as shown in the preceding output. The preceding switch output shows the VTP domain, the VTP password, and the switch’s mode.

Before we move onward to configuring the Core and the S2 switch with VTP information, take a minute to reflect on the fact that the show vtp status output shows that the maximum number of VLANs supported locally is only 255. Since you can create over 1,000 VLANs on a switch, this seems like it would definitely be a problem if you have more than 255 VLANs and you’re using VTP. And, well, yes, it is a problem—if you are trying to configure the 256th VLAN on a switch, you’ll get a nice little error message stating that there are not enough hardware resources available, and then it will shut down the VLAN and the 256th VLAN will show up in suspended state in the output of the show vlan command. Not so good! Let’s go to the Core and S2 switches and set them into the Lammle VTP domain. It is very important to remember that the VTP domain name is case sensitive! VTP is not forgiving—one teeny small mistake and it just won’t work.

Core#config t
Core(config)#vtp mode client
Setting device to VTP CLIENT mode.
Core(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
Core(config)#vtp password todd
Setting device VLAN database password to todd
Core(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2A 0x6B 0x22 0x17 0x04 0x4F 0xB8 0xC2
Configuration last modified by 192.168.10.19 at 3-1-93 03:13:16
Local updater ID is 192.168.24.7 on interface Vl1 (first interface found)


S2#config t
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S2(config)#vtp password todd
Setting device VLAN database password to todd
S2(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x02 0x11 0x18 0x4B 0x36 0xC5 0xF4 0x1F
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Let’s take a look using the show vlan brief command on the Core and S2 switch:

Core#sh vlan brief
VLAN Name         Status    Ports
---- ------------ --------- ------------------------------------------
1    default      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/9, Fa0/10,
                            Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15,
                            Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                            Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    Sales        active
3    Marketing    active
4    Accounting   active

S2#sh vlan bri
VLAN Name         Status    Ports
---- ------------ --------- ------------------------------------------
1    default      active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8
2    Sales        active
3    Marketing    active
4    Accounting   active

Troubleshooting VTP

You connect your switches with crossover cables, the lights go green on both ends, and you’re up and running! Yeah—in a perfect world, right? Don’t you wish it was that easy? Well, actually, it pretty much is—without VLANs, of course. But if you’re using VLANs—and you definitely should be—then you need to use VTP if you have multiple VLANs configured in your switched network. But here there be monsters: If VTP is not configured correctly, it (surprise!) will not work, so you absolutely must be capable of troubleshooting VTP. Let’s take a look at a couple of configurations and solve the problems. Study the output from the two following switches:

SwitchA#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SwitchB#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

So what’s happening with these two switches? Why won’t they share VLAN information? At first glance, it seems that both servers are in VTP server mode, but that’s not the problem. Servers in VTP server mode will share VLAN information using VTP. The problem is that they’re in two different VTP domains. SwitchA is in VTP domain RouterSim and SwitchB is in VTP domain GlobalNet. They will never share VTP information because the VTP domain names are configured differently. Now that you know how to look for common VTP domain configuration errors in your switches, let’s take a look at another switch configuration:

SwitchC#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : Todd
VTP Pruning Mode : Disabled
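The mismatch analysis just walked through, together with the "you must be in server mode" and 255-VLAN-limit points from the Configuring VTP section, can be automated by parsing show vtp status captures. The block below is an added example and is not part of the report or of any Cisco tool; parse_vtp_status and vtp_findings are my own names, and the SwitchB capture is built from SwitchA's by applying the three differences visible above (hostname, revision 1, domain GlobalNet).

```python
import re

# The SwitchA capture from the text, embedded as test input. SwitchB differs
# from it only in hostname, configuration revision and domain name.
SWITCH_A = """\
SwitchA#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
"""
SWITCH_B = (SWITCH_A.replace("SwitchA", "SwitchB")
                    .replace("Revision : 0", "Revision : 1")
                    .replace("RouterSim", "GlobalNet"))

PROMPT_RE = re.compile(r"^(\S+)#\s*sh(?:ow)?\s+vtp\s+status")

def parse_vtp_status(capture):
    """Turn one 'show vtp status' capture into a dict; the prompt line gives the
    hostname. The 'last modified' and 'updater' lines are skipped because their
    values contain colons of their own (timestamps)."""
    info = {}
    for line in capture.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            info["hostname"] = m.group(1)
            continue
        if line.startswith(("Configuration last modified", "Local updater")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def vtp_findings(captures):
    """Explain why the captured switches would not share VLAN information.
    Domain names are compared exactly, because VTP is case sensitive."""
    switches = [parse_vtp_status(c) for c in captures]
    findings = []
    by_domain = {}
    for sw in switches:
        by_domain.setdefault(sw.get("VTP Domain Name", ""), []).append(sw["hostname"])
    if len(by_domain) > 1:
        detail = "; ".join(f"{d or '<none>'}: {', '.join(h)}"
                           for d, h in sorted(by_domain.items()))
        findings.append(f"VTP domain mismatch ({detail})")
    if not any(sw.get("VTP Operating Mode") == "Server" for sw in switches):
        findings.append("no switch is in VTP server mode, so VLANs cannot be added or changed")
    for sw in switches:
        limit = int(sw.get("Maximum VLANs supported locally", 0))
        if limit and int(sw.get("Number of existing VLANs", 0)) >= limit:
            findings.append(f"{sw['hostname']} has reached its local VLAN limit ({limit}); "
                            "the next VLAN would be suspended")
    return findings

if __name__ == "__main__":
    for f in vtp_findings([SWITCH_A, SWITCH_B]):
        print(f)
```

Comparing domain names exactly is deliberate: a switch in domain lammle will never sync with one in Lammle, which is the case-sensitivity trap the text warns about, and the check reports that pair as a mismatch rather than silently treating them as equal.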

Configuring Static NAT

The first step to configure Static NAT is to identify the inside (usually private) and outside (usually public) interfaces:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside

To statically map a public address to a private address, the syntax is as follows:

Router(config)# ip nat inside source static 172.16.1.1 158.80.1.40

This command performs a static translation of the source address 172.16.1.1 (located on the inside of the network) to the outside address of 158.80.1.40.

Configuring Dynamic NAT

When configuring Dynamic NAT, the inside and outside interfaces must first be identified:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside

Next, a pool of global addresses must be specified. Inside hosts will dynamically choose the next available address in this pool when communicating outside the local network:

Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0

The above command specifies that the pool named POOLNAME contains a range of public addresses from 158.80.1.1 through 158.80.1.50.

Finally, a list of private addresses that are allowed to be dynamically translated must be specified:

Router(config)# ip nat inside source list 10 pool POOLNAME
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

The first command states that any inside host with a source that matches access-list 10 can be translated to any address in the pool named POOLNAME. The access-list specifies any host on the 172.16.1.0 network.

Configuring NAT Overload (or PAT)

Recall that NAT Overload (or PAT ) is necessary when the number of internal clients exceeds the available global addresses. Each internal host is translated to a unique port number off of a single global address.

Configuring NAT overload is relatively simple:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface Serial0/0 overload
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

Any inside host with a source that matches access-list 10 will be translated with overload to the IP address configured on the Serial0/0 interface.

To clear all dynamic NAT entries from the translation table:

Quick Start Steps for Configuring and Deploying NAT

When you configure NAT, it is sometimes difficult to know where to begin, especially if you are new to NAT. These steps guide you to define what you want NAT to do and how to configure it:

1. Define NAT inside and outside interfaces.
   o Do users exist off multiple interfaces?
   o Are there multiple interfaces going to the internet?

2. Define what you're trying to accomplish with NAT.
   o Are you trying to allow internal users to access the internet?
   o Are you trying to allow the internet to access internal devices (such as a mail server or web server)?
   o Are you trying to redirect TCP traffic to another TCP port or address?
   o Are you using NAT during a network transition (for example, you changed a server's IP address and until you can update all the clients you want the non-updated clients to be able to access the server using the original IP address as well as allow the updated clients to access the server using the new address)?
   o Are you using NAT to allow overlapping networks to communicate?

3. Configure NAT in order to accomplish what you defined above. Based on what you defined in step 2, you need to determine which of the following features to use:
   o Static NAT
   o Dynamic NAT
   o Overloading
   o Any combination of the above

4. Verify the NAT operation.

Each of the following NAT examples guides you through steps 1 through 3 of the Quick Start Steps above. These examples describe some common scenarios in which Cisco recommends you deploy NAT.

Defining NAT Inside and Outside Interfaces

The first step in deploying NAT is to define NAT inside and outside interfaces. You may find it easiest to define your internal network as inside, and the external network as outside. However, the terms internal and external are subject to arbitration as well. The figure below shows an example of this.


Example: Allowing Internal Users to Access the Internet

You may want to allow internal users to access the internet, but you may not have enough valid addresses to accommodate everyone. If all communication with devices in the internet will originate from the internal devices, you need a single valid address or a pool of valid addresses.

The figure below shows a simple network diagram with the router interfaces defined as inside and outside:


In this example, we want NAT to allow certain devices (the first 31 from each subnet) on the inside to originate communication with devices on the outside by translating their invalid address to a valid address or pool of addresses. The pool has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.

Now you are ready to configure NAT. In order to accomplish what is defined above, use dynamic NAT. With dynamic NAT, the translation table in the router is initially empty and gets populated once traffic that needs to be translated passes through the router. (As opposed to static NAT, where a translation is statically configured and is placed in the translation table without the need for any traffic.)

In this example, we can configure NAT to translate each of the inside devices to a unique valid address, or to translate each of the inside devices to the same valid address. This second method is known as overloading. An example of how to configure each method is given below.

Configuring NAT to Allow Internal Users to Access the Internet

NAT Router

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.

ip nat inside source list 7 pool no-overload
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7
!--- will have the source address translated to an address out of the
!--- NAT pool "no-overload".

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note: Cisco highly recommends that you do not configure access lists referenced by NAT commands with permit any. Using permit any can result in NAT consuming too many router resources which can cause network problems.

Notice in the above configuration that only the first 32 addresses from subnet 10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by access-list 7. Therefore, only these source addresses are translated. There may be other devices with other addresses on the inside network, but these won't be translated.

The final step is to verify that NAT is operating as intended.

Configuring NAT to Allow Internal Users to Access the Internet Using Overloading

NAT Router

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!
!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 172.16.10.1.

ip nat inside source list 7 pool ovrld overload
!
!
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note that in the second configuration above, the NAT pool "ovrld" only has a range of one address. The keyword overload used in the ip nat inside source list 7 pool ovrld overload command allows NAT to translate multiple inside devices to the single address in the pool.
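To make the behaviour of the static, dynamic and overload forms concrete (the Configuring Static NAT, Dynamic NAT and NAT Overload sections earlier, the two NAT Router configurations above, and the one-to-one versus many-to-many comparison further down), here is a small Python model of an ip nat inside source translation table. It is an added example, not IOS code and not from the report; NatRouter, acl_permits and the method names are my own, the pool in demo() is cut to three addresses so that exhaustion is visible, and the PAT port choice (keep the source port if it is free, otherwise take the next free one) is a deliberate simplification of what a real router does.

```python
import ipaddress

def acl_permits(src, acl):
    """Standard access-list match with Cisco wildcard masks: where a wildcard
    bit is 0 the address must match the entry, where it is 1 it is ignored.
    acl is a list of (network, wildcard) permit entries; implicit deny at end."""
    s = int(ipaddress.IPv4Address(src))
    for network, wildcard in acl:
        n = int(ipaddress.IPv4Address(network))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s | w) == (n | w):
            return True
    return False

class NatRouter:
    """Toy model of 'ip nat inside source' for the three forms on this page:
    static, dynamic (pool) and overload (PAT). Assumed simplifications: no
    idle timeouts, and PAT keeps the original source port when it is free."""

    def __init__(self, acl):
        self.acl = acl            # who may be translated (the 'list 10' / 'list 7')
        self.static = {}          # inside local -> inside global, permanent
        self.pool_free = []       # pool addresses not currently handed out
        self.dynamic = {}         # inside local -> inside global, address-only entries
        self.overload_addr = None # the single global address used by PAT
        self.pat = {}             # (proto, local, lport) -> (global, gport)
        self.used_ports = set()   # (proto, global, gport) already taken by PAT

    def add_static(self, local, glob):
        self.static[local] = glob

    def set_pool(self, first, last):
        a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool_free = [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]

    def set_overload(self, glob):
        self.overload_addr = glob

    def outbound(self, proto, src, sport):
        """Inside -> outside: return the translated (address, port), or None when
        the packet is not translated (no ACL match, or the pool is exhausted)."""
        if src in self.static:
            return self.static[src], sport
        if src in self.dynamic:
            return self.dynamic[src], sport
        if (proto, src, sport) in self.pat:
            return self.pat[(proto, src, sport)]
        if not acl_permits(src, self.acl):
            return None
        if self.overload_addr:
            glob, gport = self.overload_addr, sport
            for _ in range(65536):                    # find a free port on the global address
                if (proto, glob, gport) not in self.used_ports:
                    break
                gport = 1024 if gport >= 65535 else gport + 1
            else:
                return None
            self.used_ports.add((proto, glob, gport))
            self.pat[(proto, src, sport)] = (glob, gport)
            return glob, gport
        if not self.pool_free:
            return None                                # more hosts than addresses: the PAT case
        glob = self.pool_free.pop(0)
        self.dynamic[src] = glob
        return glob, sport

    def inbound(self, proto, dst, dport):
        """Outside -> inside: static entries answer on any port, so outside hosts
        can initiate; dynamic entries only while the inside host holds the
        address; PAT entries only for the exact protocol/port that was allocated."""
        for local, glob in self.static.items():
            if glob == dst:
                return local, dport
        for local, glob in self.dynamic.items():
            if glob == dst:
                return local, dport
        for (proto_, local, lport), (glob, gport) in self.pat.items():
            if (proto_, glob, gport) == (proto, dst, dport):
                return local, lport
        return None

    def clear_dynamic(self):
        """Remove dynamic and PAT entries (idle timeout or operator clear) and
        hand the pool addresses back; static entries stay."""
        self.pool_free.extend(sorted(self.dynamic.values(), key=ipaddress.IPv4Address))
        self.dynamic.clear()
        self.pat.clear()
        self.used_ports.clear()

def demo():
    """Addresses from the static/dynamic NAT sections; the pool is cut to three
    addresses (constructed) so that exhaustion shows up on the fourth host."""
    r = NatRouter(acl=[("172.16.1.0", "0.0.0.255")])
    r.add_static("172.16.1.1", "158.80.1.40")
    r.set_pool("158.80.1.1", "158.80.1.3")
    for host in ("172.16.1.1", "172.16.1.10", "172.16.1.11", "172.16.1.12", "172.16.1.13"):
        print(host, "->", r.outbound("tcp", host, 2000))
    return r

if __name__ == "__main__":
    demo()
```

Running demo() shows the static host translating without consuming a pool address, three dynamic hosts each taking one address, and the fourth dynamic host getting None because the pool is empty, which is exactly the situation the overload form solves. inbound() shows the other property the text calls out: only the static entry can be reached from outside without the inside host having started the conversation, and a PAT entry answers only for the protocol and port that were allocated.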


Configuring NAT for Use During a Network Transition

NAT Router

interface ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip nat outside
!--- Defines Ethernet 0 with an IP address and as a NAT outside interface.

interface ethernet 1
 ip address 172.16.50.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
 ip address 200.200.200.5 255.255.255.252
!--- Defines serial 0 with an IP address. This interface is not
!--- participating in NAT.

ip nat inside source static 172.16.50.8 172.16.10.8
!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.


Note that the inside source NAT command in this example also implies that packets received on the outside interface with a destination address of 172.16.10.8 will have the destination address translated to 172.16.50.8.

The final step is to verify that NAT is operating as intended.

Example: Using NAT in Overlapping Networks

Overlapping networks result when you assign IP addresses to internal devices that are already being used by other devices within the internet. Overlapping networks also result when two companies, both of whom use RFC 1918 IP addresses in their networks, merge. These two networks need to communicate, preferably without having to readdress all their devices. Refer to Using NAT in Overlapping Networks for more information about configuring NAT for this purpose.

Difference between One-to-One Mapping and Many-to-Many

A static NAT configuration creates a one-to-one mapping and translates a specific address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present and enables both inside and outside hosts to initiate a connection. This is mostly useful for hosts that provide application services like mail, web, FTP and so forth. For example:

Router(config)#ip nat inside source static 10.3.2.11 10.41.10.12
Router(config)#ip nat inside source static 10.3.2.12 10.41.10.13

Dynamic NAT is useful when fewer addresses are available than the actual number of hosts to be translated. It creates an entry in the NAT table when the host initiates a connection and establishes a one-to-one mapping between the addresses. But, the mapping can vary and it depends upon the registered address available in the pool at the time of the communication. Dynamic NAT allows sessions to be initiated only from inside or outside networks for which it is configured. Dynamic NAT entries are removed from the translation table if the host does not communicate for a specific period of time which is configurable. The address is then returned to the pool for use by another host.

For example, complete these steps of the detailed configuration:

1. Create a pool of addresses:

   Router(config)#ip nat pool MYPOOLEXAMPLE 10.41.10.1 10.41.10.41 netmask 255.255.255.0

2. Create an access-list for the inside networks that have to be mapped:

   Router(config)#access-list 100 permit ip 10.3.2.0 0.0.0.255 any

3. Associate the access-list 100 that is selecting the internal network 10.3.2.0 0.0.0.255 to be natted to the pool MYPOOLEXAMPLE and then overload the addresses:

   Router(config)#ip nat inside source list 100 pool MYPOOLEXAMPLE overload

Verifying NAT Operation

Once you've configured NAT, verify that it is operating as expected. You can do this in a number of ways: using a network analyzer, show commands, or debug commands. For a detailed example of NAT verification, refer to Verifying NAT Operation and Basic NAT Troubleshooting.


TESTING

Alpha Testing

Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing.

Troubleshooting NAT

To view all current static and dynamic translations:

Router# show ip nat translations

To view whether an interface is configured as an inside or outside NAT interface, and to display statistical information regarding active NAT translations:

Router# show ip nat statistics

To view NAT translations in real-time:

Router# debug ip nat

Beta Testing

Beta testing comes after alpha testing and can be considered a form of external user acceptance testing. Versions of the software, known as beta versions, are released to a limited audience outside of the programming team. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the open public to increase the feedback field to a maximal number of future users.


To view the active NAT translations, pfctl is used with the -s state option. This option will list all the current NAT sessions:

# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE

Explanations (first line only):

Indicates the interface that the state is bound to. The word self will appear if the state is floating.

TCP
The protocol being used by the connection.

192.168.1.35:2132
The IP address (192.168.1.35) of the machine on the internal network. The source port (2132) is shown after the address. This is also the address that is replaced in the IP header.

24.5.0.5:53136
The IP address (24.5.0.5) and port (53136) on the gateway that packets are being translated to.

65.42.33.245:22
The IP address (65.42.33.245) and the port (22) that the internal machine is connecting to.
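Reading these lines by hand is fine for two sessions, but a state table usually holds hundreds. The parser below is an added example, not part of the PF documentation the explanation above comes from; it accepts both the "->" arrow pfctl actually prints and the bare ">" left in the copy above, and it treats a leading interface name (or self for a floating state) as optional because the sample lines above carry none. The two sample lines are the ones shown above, embedded as a constructed string, and the function names are my own.

```python
import re

# The two state lines shown above, embedded as a constructed sample. Real pfctl
# prints the arrow as '->'; the copy above lost the dash, so both are accepted.
SAMPLE_STATES = """\
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(?:(?P<iface>[A-Za-z]\w*)\s+)?"        # optional interface name, or 'self'
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<int_ip>[\d.]+):(?P<int_port>\d+)\s+-?>\s+"   # internal host and source port
    r"(?P<gw_ip>[\d.]+):(?P<gw_port>\d+)\s+-?>\s+"     # gateway address/port after NAT
    r"(?P<ext_ip>[\d.]+):(?P<ext_port>\d+)"            # external destination
    r"(?:\s+(?P<state>\S+))?$"                         # e.g. TIME_WAIT:TIME_WAIT
)

def parse_state_line(line):
    """Split one 'pfctl -s state' line into its three endpoints; None if the
    line is not a TCP/UDP state entry."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "interface": g["iface"],
        "floating": g["iface"] == "self",
        "proto": g["proto"],
        "internal": (g["int_ip"], int(g["int_port"])),
        "gateway": (g["gw_ip"], int(g["gw_port"])),
        "external": (g["ext_ip"], int(g["ext_port"])),
        "state": g["state"],
    }

def parse_states(text):
    return [e for e in (parse_state_line(l) for l in text.splitlines()) if e]

def hosts_behind(entries):
    """Map each gateway (translated-to) address to the internal hosts behind it."""
    out = {}
    for e in entries:
        out.setdefault(e["gateway"][0], set()).add(e["internal"][0])
    return out

def find_session(entries, ext_ip, ext_port):
    """Answer 'which internal host is talking to ext_ip:ext_port?', the question
    this table is read for when an outside party only sees the gateway address."""
    return [e["internal"] for e in entries if e["external"] == (ext_ip, ext_port)]

if __name__ == "__main__":
    entries = parse_states(SAMPLE_STATES)
    print(hosts_behind(entries))
    print(find_session(entries, "65.42.33.245", 22))
```

find_session is the defender's use of the table: an abuse report naming 24.5.0.5 and a destination can be traced back to the internal address and source port without touching the gateway's rules.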


SNAPSHOTS

[Figure: Simple static routing in NAT]

[Figure: Dynamic routing in NAT]

[Figure: Dynamic routing with clock rate in NAT]

[Figure: EIGRP in NAT]

[Figure: Inter-VLAN 1 in NAT]

[Figure: Inter-VLAN 2 in NAT]

[Figure: Inter-VLAN 3 in NAT]

[Figure: DHCP in NAT]

[Figure: Access list in NAT]

FUTURE SCOPE


Telephony: Configuring Voice VLANs

If you do yoga, meditate, chain smoke, or consume mass quantities of comfort food when stressed, take a little break and do that now because, and I’m going to be honest, this isn’t the easiest part of the chapter—or even the book, for that matter. But I promise that I’ll do my best to make this as painless for you as possible.

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic with layer 3 IP precedence and layer 2 class of service (CoS) values, which are both set to 5 for voice traffic; all other traffic defaults to 0.

Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. (802.1p provides a mechanism for implementing QoS at the MAC level.) The 802.1p field is carried in the 802.1Q trunk header. If you look at the fields in an 802.1Q tag, you will see a field called the priority field; this is where the 802.1p information goes. QoS uses classification and scheduling to send network traffic from the switch in an organized, predictable manner.

The Cisco IP phone is a configurable device, and you can configure it to forward traffic with an IEEE 802.1p priority. You can also configure the switch to either trust or override the traffic priority assigned by an IP phone—which is exactly what we’re going to do. The Cisco phone basically has a three-port switch: one to connect to the Cisco switch, one to a PC device, and one to the actual phone, which is internal.

You can also configure an access port with an attached Cisco IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone—like a PC. You can configure access ports on the switch to send Cisco Discovery Protocol (CDP) packets that instruct an attached Cisco IP phone to send voice traffic to the switch in any of these ways:

o In the voice VLAN tagged with a layer 2 CoS priority value
o In the access VLAN tagged with a layer 2 CoS priority value
o In the access VLAN, untagged (no layer 2 CoS priority value)


The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP phone. You can configure layer 2 access ports on the switch to send CDP packets that instruct the attached Cisco IP phone to configure the IP phone access port in one of these modes:

In trusted mode, all traffic received through the access port on the Cisco IP phone passes through the IP phone unchanged.

In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the IP phone receive a configured layer 2 CoS value. The default layer 2 CoS value is 0. Untrusted mode is the default.
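The priority field the text points to lives in the 16-bit Tag Control Information that follows the 0x8100 TPID in an 802.1Q tag: 3 bits of 802.1p priority (the CoS value), one DEI bit and 12 bits of VLAN ID. The block below builds and reads that tag and models the trusted/untrusted handling of the phone's PC port described above. It is an added example, not from the report or from any Cisco code; the frame, MAC addresses and VLAN 10 are constructed, and phone_pc_port is a simplified model that only rewrites the CoS bits, which is what the untrusted-mode description says happens.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
COS_VOICE = 5         # layer 2 CoS a Cisco IP phone puts on voice, per the text

def build_tci(cos, vlan_id, dei=0):
    """Tag Control Information: 3-bit priority (the 802.1p field / CoS),
    1-bit DEI, 12-bit VLAN ID."""
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and dei in (0, 1)):
        raise ValueError("TCI field out of range")
    return (cos << 13) | (dei << 12) | vlan_id

def parse_tci(tci):
    return {"cos": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}

def tag_frame(dst_mac, src_mac, ethertype, payload, cos, vlan_id):
    """Build an Ethernet frame with the 4-byte 802.1Q tag inserted after the
    source MAC (FCS omitted)."""
    tag = struct.pack("!HH", TPID_8021Q, build_tci(cos, vlan_id))
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload

def read_tag(frame):
    """Return the tag fields and inner EtherType, or None for an untagged frame."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {**parse_tci(tci), "ethertype": ethertype}

def phone_pc_port(frame, trusted, default_cos=0):
    """Model the phone's PC port from the text: in trusted mode a tagged frame
    passes unchanged; in untrusted mode its CoS is rewritten to the configured
    default (0). Untagged frames carry no CoS and pass through either way."""
    tag = read_tag(frame)
    if tag is None or trusted:
        return frame
    new_tci = build_tci(default_cos, tag["vlan_id"], tag["dei"])
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]

# Constructed sample: a PC behind the phone sends an IPv4 frame (EtherType
# 0x0800) on data VLAN 10 while claiming voice priority 5 for itself.
PC_FRAME = tag_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                     0x0800, b"\x45" + b"\x00" * 19, cos=COS_VOICE, vlan_id=10)

if __name__ == "__main__":
    print("as sent:   ", read_tag(PC_FRAME))
    print("untrusted: ", read_tag(phone_pc_port(PC_FRAME, trusted=False)))
    print("trusted:   ", read_tag(phone_pc_port(PC_FRAME, trusted=True)))
```

The untrusted default matters for the data side of the port: a PC that marks its own frames with CoS 5 would otherwise compete with the phone's voice traffic in the same priority queue, and the rewrite to 0 is what prevents that.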

Configuring the Voice VLAN

By default, the voice VLAN feature is disabled; you enable it by using the interface command switchport voice vlan. When the voice VLAN feature is enabled, all untagged traffic is sent according to the default CoS priority of the port. The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic. These are the voice VLAN configuration guidelines:

o You should configure voice VLAN on switch access ports; voice VLAN isn’t supported on trunk ports, even though you can actually configure it! The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on it. Use the show vlan privileged EXEC command to see if the VLAN is present—if it is, it’ll be listed in the display.

o Before you enable the voice VLAN, it’s recommended that you enable QoS on the switch by entering the mls qos global configuration command and set the port trust state to trust by entering the mls qos trust cos interface configuration command.

o You must make sure that CDP is enabled on the switch port connected to the Cisco IP phone to send the configuration. This is on by default, so unless you disabled it, you shouldn’t have a problem.

The PortFast feature is automatically enabled when the voice VLAN is configured, but when you disable the voice VLAN, the PortFast feature isn’t automatically disabled. To return the port to its default setting, use the no switchport voice vlan interface configuration command.


Configuring IP Phone Voice Traffic

You can configure a port connected to the Cisco IP phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority as well as forward all voice traffic through the native (access) VLAN. The IP phone can also send untagged voice traffic, or use its own configuration to send voice traffic in the access VLAN. In all configurations, the voice traffic carries a layer 3 IP precedence value—again, for voice the setting is usually 5.


CONCLUSION

The examples in this document demonstrate that the quick start steps can help you configure and deploy NAT. These quick start steps include:

1. Defining NAT inside and outside interfaces.
2. Defining what you are trying to accomplish with NAT.
3. Configuring NAT in order to accomplish what you defined in Step 2.
4. Verifying the NAT operation.

In each of the examples above, various forms of the ip nat inside command were used. You can also use the ip nat outside command to accomplish the same objectives, keeping in mind the NAT order of operations. For configuration examples using the ip nat outside commands, refer to Sample Configuration Using the ip nat outside source list Command and Sample Configuration Using the ip nat outside source static Command.

The examples above also demonstrated the following:

Command                 Action
ip nat inside source    Translates the source of IP packets that are traveling inside to outside.
                        Translates the destination of the IP packets that are traveling outside to inside.
ip nat outside source   Translates the source of the IP packets that are traveling outside to inside.
                        Translates the destination of the IP packets that are traveling inside to outside.


BIBLIOGRAPHY

1. www.cisco.com

2. Wikipedia

3. CCNA E-Book

4. RFC 1631: The IP Network Address Translator (NAT)

5. RFC 1918: Address Allocation for Private Internets

6. RFC 3022: Traditional IP Network Address Translator (Traditional NAT)

7. Technical Support and Documentation, Cisco Systems