
Implementing WAN Networks

A project report submitted for B.Tech.



Abstract
The enterprise network is the lifeblood of any small to medium enterprise (SME) with more than one site or supply chain partner. It enables access to business information and allows profitable and effective communication between employees at different enterprise sites. Enterprise network equipment is mature and ubiquitous, but the quality of service that similar networks provide varies from city to city and from country to country. In particular, the gap between most cities in some developing nations and their counterparts in advanced nations is very wide, because the IT infrastructure that is taken for granted in developed nations is lacking. Planning an enterprise network in a developing nation is almost like planning it in the middle of a desert.

This project briefly discusses the architecture of an enterprise network, examines the barriers to planning, designing and implementing one, and covers methods for implementing enterprise-level networks. We start from the basics of routers and switches, then cover the routing technologies needed to route data between branches. After that we implement the WAN. Frame Relay is considered a good choice because it connects multiple locations through a single router interface and so reduces hardware cost, so Frame Relay is studied and implemented; it is also used for Internet connectivity. In this setup NAT is essential: live (public) IP addresses must be translated to local (private) addresses and vice versa. In today's LAN, Wi-Fi is also an important part that must be implemented for laptops and wireless devices. In short, many technologies are studied and implemented for the successful completion of the project. The following technologies are required:

    Administration of routers and switches
    Frame Relay
    ISDN
    NAT
    ADSL

TECHNOLOGIES TO CREATE NETWORK


    Frame Relay for branch office connectivity
    Frame Relay for ISP connectivity
    ISDN dialup as backup
    Static NAT for servers
    Dynamic NAT for clients
    EIGRP for branch office routing
    Default routing for Internet access

ROUTER BASIC SKILLS

Table of Contents
    Cisco IOS Basic Skills
    Configuring the Router from a PC
    Understanding Command Modes
    Getting Help
    Enable Secret and Enable Passwords
    Entering Global Configuration Mode
    Using Commands
    Abbreviating Commands
    Undoing Commands
    Command-Line Error Messages
    Saving Configuration Changes

Cisco IOS Basic Skills


Understanding how to use Cisco IOS software saves time when you are configuring your router. If you need a refresher, take a few minutes to read this chapter. If you are already familiar with Cisco IOS software, go to "Configuring Remote Office to Corporate Office Networks" or "Configuring Small Office to ISP Networks." This chapter describes what you need to know before you begin configuring your Cisco 805 router with Cisco IOS software (the software that runs your router).

Note: Cisco recommends that inexperienced network administrators use the Cisco 805 Fast Step software to configure their routers.

This chapter contains the following sections:

    Configuring the Router from a PC
    Understanding Command Modes
    Getting Help
    Enable Secret and Enable Passwords
    Entering Global Configuration Mode
    Using Commands
    Saving Configuration Changes

Configuring the Router from a PC


You can configure your router from a connected PC. For information on how to connect the PC, refer to the Cisco 805 Router Hardware Installation Guide. After connecting the PC, you need terminal emulation software; the PC uses this software to send commands to your router. Table 2-1 lists some common types of this software, by PC operating system.

Table 2-1 Terminal Emulation Software

    PC Operating System                  Software
    Windows 95, Windows 98, Windows NT   HyperTerm (included with Windows software), ProComm Plus
    Windows 3.1                          Terminal (included with Windows software), ProComm
    Macintosh                            VersaTerm (supplied separately)

You can use the terminal emulation software to change settings for the type of device that is connected to the PC, in this case a router. Configure the software to the following standard VT-100 emulation settings so that your PC can communicate with your router:

    9600 baud
    8 data bits
    No parity
    1 stop bit
    No flow control

These settings should match the default settings of your router. To change the router baud, data bits, parity, or stop bits settings, you must reconfigure parameters in the ROM monitor. For more information, refer to "ROM Monitor." To change the router flow control setting, use the flowcontrol line configuration command. For information on how to enter global configuration mode so that you can configure your router, refer to the "Entering Global Configuration Mode" section later in this chapter.

Understanding Command Modes

This section describes the Cisco IOS command mode structure. Each command mode supports specific Cisco IOS commands. For example, you can use the interface type number command only from global configuration mode. The following Cisco IOS command modes are hierarchical. When you begin a router session, you are in user EXEC mode.

    User EXEC
      Privileged EXEC
        Global configuration

Table 2-2 lists the command modes that are used in this guide, how to access each mode, the prompt you see in that mode, and how to exit to a mode or enter the next mode. Because each mode configures different router elements, you might need to enter and exit modes frequently. You can see a list of available commands for a particular mode by entering a question mark (?) at the prompt. For a description of each command, including syntax, refer to the Cisco IOS 12.0 documentation set.

Table 2-2 Command Modes Summary

Mode: User EXEC
  Access method: Begin a session with your router.
  Prompt: Router>
  Exit/entrance method: To exit the router session, enter the logout command.
  About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Mode: Privileged EXEC
  Access method: Enter the enable command from user EXEC mode.
  Prompt: Router#
  Exit/entrance method: To exit to user EXEC mode, enter the disable command. To enter global configuration mode, enter the configure command.
  About this mode: Use this mode to configure your router operating parameters and to perform the verification steps shown in this guide. To prevent unauthorized changes to your router configuration, access to this mode should be protected with a password as described in "Enable Secret and Enable Passwords" later in this chapter.

Mode: Global configuration
  Access method: Enter the configure command from privileged EXEC mode.
  Prompt: Router(config)#
  Exit/entrance method: To exit to privileged EXEC mode, enter the exit or end command, or press Ctrl-Z. To enter interface configuration mode, enter the interface command.
  About this mode: Use this mode to configure parameters that apply to your router as a whole. From this mode you can also enter the interface, router and line configuration modes described next.

Mode: Interface configuration
  Access method: Enter the interface command (with a specific interface, such as interface ethernet 0) from global configuration mode.
  Prompt: Router(config-if)#
  Exit/entrance method: To exit to global configuration mode, enter the exit command. To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z. To enter subinterface configuration mode, specify a subinterface with the interface command.
  About this mode: Use this mode to configure parameters for the router Ethernet and serial interfaces or subinterfaces.

Mode: Router configuration
  Access method: Enter the router command followed by the appropriate keyword, for example router rip, from global configuration mode.
  Prompt: Router(config-router)#
  Exit/entrance method: To exit to global configuration mode, enter the exit command. To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z.
  About this mode: Use this mode to configure an IP routing protocol.

Mode: Line configuration
  Access method: Specify the line with the desired keyword, for example line 0, from global configuration mode.
  Prompt: Router(config-line)#
  Exit/entrance method: To exit to global configuration mode, enter the exit command. To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z.
  About this mode: Use this mode to configure parameters for the terminal line.

Getting Help
You can use the question mark (?) and arrow keys to help you enter commands. For a list of the commands available in the current command mode, enter a question mark:

    router> ?
    access-enable    Create a temporary access-list entry
    access-profile   Apply user-profile to interface
    clear            Reset functions
    ...

To complete a command, enter a few known characters followed by a question mark (with no space):

    router> s?
    * s=show  set  show  slip  systat

For a list of command variables, enter the command followed by a space and a question mark:

    router> show ?
    clock       Display the system clock
    dialer      Dialer parameters and statistics
    exception   exception information
    ...

To redisplay a command you previously entered, press the up-arrow key. You can continue to press the up-arrow key for more commands.

Enable Secret and Enable Passwords

By default, the router ships without password protection. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use.

You can use two commands to do this:

    enable secret <password>    Stored as a one-way MD5 hash (shown in the configuration as enable secret 5 followed by the hash). This is the one to use.
    enable password <password>  Stored in clear text or, with service password-encryption, in the reversible type 7 encoding. It is not a secure alternative: anyone who can read the configuration can recover it.

You must enter the enable secret password to gain access to privileged EXEC mode commands; when both are configured, the enable secret takes precedence and the enable password is ignored. For maximum security, the passwords should be different. If you enter the same password for both during the setup process, your router accepts the passwords but warns you that they should be different. An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters. An enable password can contain any number of uppercase and lowercase alphanumeric characters. In both cases, a number cannot be the first character. Spaces are also valid password characters; for example, two words is a valid password. Leading spaces are ignored; trailing spaces are recognized. If you lose or forget your enable password, refer to "Recovering a Lost Enable Password."

Entering Global Configuration Mode

To make any configuration changes to your router, you must be in global configuration mode. This section describes how to enter global configuration mode while using a terminal or PC that is connected to your router Console port. To enter global configuration mode:
Step 1  After your router boots up, answer no when the following question displays:

    Would you like to enter the initial configuration dialog [yes]: no

Step 2  Enter the enable command:

    router> enable

Step 3  If you have configured your router with an enable password, enter it when you are prompted. The enable password does not show on the screen when you enter it. This example shows how to enter privileged EXEC mode:

    Password: <enable_password>
    router#

Privileged EXEC (enable) mode is indicated by the # in the prompt.

Step 4  Enter the configure terminal command to enter global configuration mode, indicated by (config)# in the prompt:

    router# configure terminal
    router(config)#

You can now make changes to your router configuration.

Using Commands

This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).

Abbreviating Commands

You only have to enter enough characters for the router to recognize the command as unique. This example shows how to enter the show version command:

    router# sh ver

Undoing Commands

If you want to disable a feature or undo a command you entered, you can enter the keyword no before most commands; for example, no ip routing.

Command-Line Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your router.

Table 2-3 Common CLI Error Messages

Error message: % Ambiguous command: "show con"
  Meaning: You did not enter enough characters for your router to recognize the command.
  How to get help: Reenter the command followed by a question mark (?) with no space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

Error message: % Incomplete command.
  Meaning: You did not enter all of the keywords or values required by this command.
  How to get help: Reenter the command followed by a space and a question mark (?). The possible keywords that you can enter with the command are displayed.

Error message: % Invalid input detected at '^' marker.
  Meaning: You entered the command incorrectly. The error occurred where the caret mark (^) appears.
  How to get help: Enter a question mark (?) to display all of the commands that are available in this command mode.

Saving Configuration Changes


You need to enter the copy running-config startup-config command to save your configuration changes to nonvolatile RAM (NVRAM) so that they are not lost if there is a system reload or power outage. This example shows how to use this command to save your changes:

    router# copy running-config startup-config
    Destination filename [startup-config]?

Press the Return key to accept the default destination filename startup-config, or enter your desired destination filename and press the Return key. It might take a minute or two to save the configuration to NVRAM. After the configuration has been saved, the following message appears:

    Building configuration...
    router#

Summary Now that you have reviewed some Cisco IOS software basics, you can begin to configure your router. Remember:

    You can use the question mark (?) and arrow keys to help you enter commands.
    Each command mode restricts you to a set of commands. If you are having difficulty entering a command, check the prompt, and then enter the question mark (?) for a list of available commands. You might be in the wrong command mode or using the wrong syntax.
    If you want to disable a feature, enter the keyword no before the command; for example, no ip routing.
    Save your configuration changes to NVRAM so that they are not lost if there is a system reload or power outage.
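As an added example on the point made in "Enable Secret and Enable Passwords" above (this script is written for this report and is not code from the Cisco guide): the enable password, even after service password-encryption, is stored in the reversible "type 7" encoding, a fixed-key XOR that anyone with read access to the configuration can undo. The script decodes and re-encodes type 7 strings and scans a configuration dump for them. The sample configuration is constructed for the example; its enable secret line carries a placeholder hash, standing in for the MD5-based one-way value that this script cannot reverse, which is exactly why enable secret is the command to use.

```python
# Added example for this page, not code from the Cisco guide.
# Cisco "type 7" passwords (password 7 <hex>) are a fixed-key XOR stream:
# the first two decimal digits are an offset into the key, and each following
# hex byte is the plaintext byte XORed with key[(offset + i) % len(key)].
# "enable secret 5 ..." is an MD5-based one-way hash and is not reversible.

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a type 7 string such as 0822455D0A16."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("a type 7 string is an even number of hex digits, at least 4")
    offset = int(encoded[:2], 10)
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 8) -> str:
    """Produce the type 7 form; included only to make the round trip explicit."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS chooses an offset between 0 and 15")
    data = plaintext.encode("ascii")
    cipher = bytes(p ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                   for i, p in enumerate(data))
    return f"{offset:02d}{cipher.hex().upper()}"


def find_type7_passwords(config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every 'password 7' / 'key 7' entry."""
    found = []
    for line in config.splitlines():
        words = line.split()
        for i in range(len(words) - 2):
            if words[i] in ("password", "key") and words[i + 1] == "7":
                found.append((line.strip(), type7_decode(words[i + 2])))
                break
    return found


# Constructed sample (not a real device): what "show running-config" prints on a
# router that enabled service password-encryption but relied on the enable password.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$abcd$placeholderhashnotreversible
enable password 7 0822455D0A16
!
line vty 0 4
 password 7 0214544E1F551D
 login
"""

if __name__ == "__main__":
    for line, plain in find_type7_passwords(SAMPLE_CONFIG):
        print(f"{line!r:45} -> {plain!r}")
```

Running the script prints the two type 7 lines with their plaintext ("cisco" and "r0ut3r"); the enable secret line is skipped because there is nothing to reverse. The practical rule that follows: use enable secret, treat any password 7 string in a backup, ticket or e-mail as already disclosed, and use the type 7 encoding only where IOS gives no alternative.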

FRAME RELAY

Configuring Frame Relay Switching

Introduction

Frame Relay switching forwards frames based on the data-link connection identifier (DLCI). The DLCI plays a role similar to a Media Access Control (MAC) address on a LAN, with one important difference: a DLCI is significant only on the local link, so the same PVC normally carries a different DLCI at each end and the switch rewrites it hop by hop (in the configuration below, Delhi's DLCI 150 becomes Chandigarh's DLCI 140). Switching is performed by configuring a Cisco router or access server as the switch of a Frame Relay network. A Frame Relay network has two kinds of device: Frame Relay data terminal equipment (DTE), the routers or access servers at the edge, and Frame Relay data circuit-terminating equipment (DCE), the switch.

Components Used

This document is not restricted to specific software and hardware versions. The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

In the configuration below, the router Bharti is used as a Frame Relay switch, Chandigarh is the hub router, and Delhi and ISP are the spoke routers. They are connected as follows:

    Delhi serial 1 (s1), DTE, is connected to Bharti serial 1/4 (s1/4), DCE.
    Chandigarh serial 0 (s0), DCE, is connected to Bharti serial 1/5 (s1/5), DTE.
    ISP serial 1 (s1), DTE, is connected to Bharti serial 3/4 (s3/4), DCE.

DTE and DCE here describe the physical serial cable: the DCE end supplies the clock, which is why Bharti has clockrate on s1/4 and s3/4 but not on s1/5, where Chandigarh supplies it. Independently of that, all three Bharti interfaces are configured as the Frame Relay LMI DCE (frame-relay intf-type dce), so that Bharti answers the LMI status enquiries of the three DTE routers.

Network Diagram

(Diagram not reproduced.) The three routers connect in a star to Bharti, which switches the PVCs so that Chandigarh has one PVC to Delhi (DLCI 140 on Chandigarh, DLCI 150 on Delhi) and one to ISP (DLCI 130 on Chandigarh, DLCI 160 on ISP).

Configurations:
    Chandigarh
    Delhi
    ISP
    Bharti

Chandigarh
    Chandigarh#show running-config
    Building configuration...
    !
    version 12.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Chandigarh
    !
    interface Ethernet0
     ip address 124.124.124.1 255.255.255.0
    !
    interface Serial0
     ip address 3.1.3.1 255.255.255.0
     encapsulation frame-relay
     frame-relay interface-dlci 130
     frame-relay interface-dlci 140
    !
    router rip
     network 3.0.0.0
     network 124.0.0.0
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     login
    !
    end

Delhi
    Delhi#show running-config
    Building configuration...

    Current configuration : 1499 bytes
    !
    version 12.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Delhi
    !
    interface Ethernet0
     ip address 123.123.123.1 255.255.255.0
    !
    interface Serial1
     ip address 3.1.3.2 255.255.255.0
     encapsulation frame-relay
     frame-relay interface-dlci 150
    !
    router rip
     network 3.0.0.0
     network 123.0.0.0
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     login
    !
    end

ISP
    ISP#show running-config
    Building configuration...

    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname ISP
    !
    interface Ethernet0
     ip address 122.122.122.1 255.255.255.0
    !
    interface Serial1
     ip address 3.1.3.3 255.255.255.0
     encapsulation frame-relay
     frame-relay interface-dlci 160
    !
    router rip
     network 3.0.0.0
     network 122.0.0.0
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     login
    !
    end

Bharti
    Bharti#show running-config
    Building configuration...

    Current configuration:
    !
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Bharti
    !
    frame-relay switching
    !
    interface Serial1/4
     description *** static DCE connection to s1 Delhi
     no ip address
     encapsulation frame-relay
     clockrate 2000000
     frame-relay intf-type dce
     frame-relay route 150 interface Serial1/5 140
    !
    interface Serial1/5
     description *** static DCE connection to s0 Chandigarh
     no ip address
     encapsulation frame-relay
     bandwidth 1000000
     tx-queue-limit 100
     frame-relay intf-type dce
     frame-relay route 130 interface Serial3/4 160
     frame-relay route 140 interface Serial1/4 150
     transmitter-delay 10
    !
    interface Serial3/4
     description *** static DCE connection to s1 ISP
     encapsulation frame-relay
     no ip mroute-cache
     clockrate 2000000
     frame-relay intf-type dce
     frame-relay route 160 interface Serial1/5 130
    !

Note on these configurations: all four routers have no service password-encryption, no enable secret, and line vty 0 4 with login but no password. On Cisco IOS, login without a password set makes the vty refuse connections ("Password required, but none set"), so remote access is closed by accident rather than by design. In a live deployment, set an enable secret, give the vty lines a password (or login local with user accounts), and restrict them with an access-class. The console line has exec-timeout 0 0, which disables the idle timeout; that is convenient in a lab and inappropriate in production.
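As an added example (written for this report, not code from the Cisco document), the following script models the switching table that the frame-relay route commands build on Bharti. It parses the route lines from a trimmed copy of the Bharti configuration above, switches a frame the way the router does (the ingress DLCI is replaced by the egress DLCI, because a DLCI is only locally significant), and checks the property that the verification output in the next section depends on: every switched PVC must have a route in both directions, or the far end sees it as inactive.

```python
# Added example for this page, not code from the Cisco document.  A model of
# the switching table that "frame-relay route" builds on the Bharti router:
# each (ingress interface, ingress DLCI) maps to (egress interface, egress DLCI).
# DLCIs are local to a link, so the switch rewrites the DLCI on every frame.

# Trimmed copy of the Bharti configuration from this report (sample input).
BHARTI_CONFIG = """\
frame-relay switching
!
interface Serial1/4
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 150 interface Serial1/5 140
!
interface Serial1/5
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 130 interface Serial3/4 160
 frame-relay route 140 interface Serial1/4 150
!
interface Serial3/4
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 160 interface Serial1/5 130
"""

Hop = tuple[str, int]          # (interface name, DLCI)


def parse_routes(config: str) -> dict[Hop, Hop]:
    """Build the switching table from the 'frame-relay route' lines of a config."""
    lines = config.splitlines()
    if "frame-relay switching" not in lines:
        raise ValueError("'frame-relay switching' is not configured globally")
    table: dict[Hop, Hop] = {}
    current = None
    for raw in lines:
        words = raw.split()
        if len(words) == 2 and words[0] == "interface":
            current = words[1]
        elif words[:2] == ["frame-relay", "route"]:
            if current is None or len(words) != 6 or words[3] != "interface":
                raise ValueError(f"malformed route line: {raw.strip()}")
            ingress: Hop = (current, int(words[2]))
            if ingress in table:
                raise ValueError(f"DLCI {ingress[1]} routed twice on {ingress[0]}")
            table[ingress] = (words[4], int(words[5]))
    return table


def switch_frame(table: dict[Hop, Hop], ingress: Hop) -> Hop:
    """Forward one frame: the DLCI it arrived with is replaced by the egress DLCI."""
    try:
        return table[ingress]
    except KeyError:
        # A real switch discards the frame; the DTE sees the PVC as inactive.
        raise LookupError(f"no PVC for DLCI {ingress[1]} on {ingress[0]}") from None


def asymmetric_routes(table: dict[Hop, Hop]) -> list[Hop]:
    """Ingress entries whose egress side has no route back.  Such a PVC passes
    frames one way only and the far end reports it inactive or deleted."""
    return [ingress for ingress, egress in table.items()
            if table.get(egress) != ingress]


if __name__ == "__main__":
    routes = parse_routes(BHARTI_CONFIG)
    # Delhi sends on DLCI 150; Chandigarh receives the frame as DLCI 140, which
    # matches 'ip 3.1.3.2 dlci 140' in Chandigarh's show frame-relay map output.
    print(switch_frame(routes, ("Serial1/4", 150)))
    print("asymmetric routes:", asymmetric_routes(routes))
```

Deleting one of the four route lines and re-running asymmetric_routes shows the failure mode a practitioner checks for when a spoke reports its PVC as inactive while the hub still shows it active.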

Verify
This section provides information you can use to confirm your configuration is working properly, using show frame-relay map and show frame-relay pvc on each DTE router. In the map output, dynamic means the IP-to-DLCI mapping was learned through Inverse ARP rather than configured with frame-relay map, and active means the switch reported the PVC up in its LMI status. The DLCI shown is the one local to that router's link: Chandigarh reaches Delhi (3.1.3.2) on DLCI 140, while Delhi sees the same PVC as DLCI 150, because Bharti rewrites the DLCI when it switches the frame.

Chandigarh

    Chandigarh#show frame-relay map
    Serial0 (up): ip 3.1.3.2 dlci 140(0x8C,0x20C0), dynamic, broadcast,, status defined, active
    Serial0 (up): ip 3.1.3.3 dlci 130(0x82,0x2020), dynamic, broadcast,, status defined, active

    Chandigarh#show frame-relay pvc

    PVC Statistics for interface Serial0 (Frame Relay DTE)

                  Active     Inactive      Deleted       Static
      Local          2            0            0            0
      Switched       0            0            0            0
      Unused         0            0            0            0

    DLCI = 130, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

      input pkts 32             output pkts 40            in bytes 3370
      out bytes 3928            dropped pkts 0            in FECN pkts 0
      in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
      in DE pkts 0              out DE pkts 0
      out bcast pkts 30         out bcast bytes 2888
      pvc create time 00:15:46, last time pvc status changed 00:10:42

    DLCI = 140, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

      input pkts 282            output pkts 291           in bytes 25070
      out bytes 27876           dropped pkts 0            in FECN pkts 0
      in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
      in DE pkts 0              out DE pkts 0
      out bcast pkts 223        out bcast bytes 20884
      pvc create time 02:28:36, last time pvc status changed 02:25:14

Delhi
    Delhi#show frame-relay map
    Serial1 (up): ip 3.1.3.1 dlci 150(0x96,0x2460), dynamic, broadcast,, status defined, active

    Delhi#show frame-relay pvc

    PVC Statistics for interface Serial1 (Frame Relay DTE)

                  Active     Inactive      Deleted       Static
      Local          1            0            0            0
      Switched       0            0            0            0
      Unused         0            0            0            0

    DLCI = 150, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1

      input pkts 311            output pkts 233           in bytes 28562
      out bytes 22648           dropped pkts 0            in FECN pkts 0
      in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
      in DE pkts 0              out DE pkts 0
      out bcast pkts 162        out bcast bytes 15748
      pvc create time 02:31:39, last time pvc status changed 02:25:14

ISP
    ISP#show frame-relay map
    Serial1 (up): ip 3.1.3.1 dlci 160(0xA0,0x2800), dynamic, broadcast, status defined, active

    ISP#show frame-relay pvc

    PVC Statistics for interface Serial1 (Frame Relay DTE)

                  Active     Inactive      Deleted       Static
      Local          1            0            0            0
      Switched       0            0            0            0
      Unused         0            0            0            0

    DLCI = 160, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1

      input pkts 35             output pkts 32            in bytes 3758
      out bytes 3366            dropped pkts 0            in FECN pkts 0
      in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
      in DE pkts 0              out DE pkts 0
      out bcast pkts 27         out bcast bytes 2846
      pvc create time 00:10:53, last time pvc status changed 00:10:53

Frame Relay Hybrid Switching

This section gives a sample configuration for Cisco routers connected back-to-back using Frame Relay (FR) encapsulation with the Local Management Interface (LMI) enabled. The routers are connected with a data communications equipment (DCE) to data terminal equipment (DTE) serial cable. One of the routers is configured to act as a hybrid FR switch that answers the LMI status enquiries sent by the second router. The router connected to the DCE end of the cable must provide clocking; in this configuration Router1 provides the clock at 64 kbps (clock rate 64000). A back-to-back setup is useful in test environments, and this particular configuration is necessary only if the LMI debug messages are to be checked. For the more common way to configure routers back-to-back with FR encapsulation, refer to Back-to-Back Frame Relay.

Components Used
To implement this configuration, the following hardware and software components are required:

    Cisco IOS Software Release 10.0 or later that supports FR encapsulation.
    A router with an interface that supports FR encapsulation.

This configuration was developed and tested using the software and hardware versions below:

    Cisco IOS Software Release 12.2(10b).
    Cisco 2500 series routers.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure
In this section, you are presented with the information to configure the features described in this document.


Network Diagram

(Diagram not reproduced.) Router 1 Serial0 (172.16.120.105, DCE end of the cable, clock rate 64000) is connected back-to-back to Router 2 Serial0 (172.16.120.120), with DLCI 101 on both ends.

Configurations
This document uses these configurations:

Router 1

    frame-relay switching
    !--- Allows this router to function as a Frame Relay switch.
    !
    interface Serial0
     ip address 172.16.120.105 255.255.255.0
     encapsulation frame-relay
     !--- Enables Frame Relay encapsulation on the interface.
     frame-relay map ip 172.16.120.120 101 broadcast
     !--- The data-link connection identifiers (DLCIs) configured
     !--- in the map statements must match on both routers.
     clock rate 64000
     frame-relay intf-type dce
     !--- This command makes the interface handle LMI like a
     !--- Frame Relay DCE device.

Router 2

    !
    interface Serial0
     ip address 172.16.120.120 255.255.255.0
     encapsulation frame-relay
     !--- Enables Frame Relay encapsulation on the interface.
     frame-relay map ip 172.16.120.105 101 broadcast
     !--- The DLCIs configured in the map statements must match.

Verify
This section provides information you can use to confirm your configuration is working properly.

Command Summary

Router1 is configured to function as a hybrid Frame Relay switch and respond to the LMI enquiries sent by Router2. The global command frame-relay switching enables permanent virtual circuit (PVC) switching on Router1. The interface command frame-relay intf-type dce makes Router1 act as a switch connected to a router. The no keepalive command has not been added to either router, so LMI stays enabled and Router2 reports the PVC as active only while Router1 answers its status enquiries. No special configuration is needed for Router2. For more information on configuring a router as a hybrid DTE/DCE FR switch, see the configuration example in Hybrid Frame Relay Switching.

    frame-relay switching       Enables PVC switching on a FR DCE device or a network-to-network interface.
    frame-relay intf-type dce   Configures the FR switch type; the router or access server functions as a switch connected to a router.

show Commands

    show frame-relay pvc   Displays information and statistics about PVCs for FR interfaces.
    show frame-relay lmi   Displays statistics about the LMI.

NETWORK ADDRESS TRANSLATION


NAT Foundation Topics

Characteristics of NAT

NAT enables non-registered IP addresses, that is the RFC 1918 private address space, to be used inside a private network while still reaching a public network such as the Internet. The edge router connected to the public network uses NAT to translate the private addresses to registered public addresses. The translation can be done statically or dynamically. In a simple translation, each non-registered IP address is translated to a unique public address, which gives networks that use non-registered (private) addressing access to the Internet. In this scenario the administrator would first have to find an Internet service provider (ISP) to supply a block of addresses, which may be financially difficult for all but the largest companies. To conserve address space, a private address space can instead be overloaded onto a single address or a small number of addresses, using the source IP address plus the source port of the packet to distinguish the sending host. Figure 11-2 illustrates the packet header.


The disadvantages of a NAT implementation are increased latency, reduced address accountability, and the loss of certain application functionality:

Latency: The translation step adds latency, because the router must rewrite the IP header (and, for overloading, the transport header) and recompute the checksums of every packet in the switching path.

Accountability: Some may perceive hiding internal addresses from the external world as an advantage, but it makes it harder to determine which internal host was responsible for which traffic. Logging or continuously monitoring the NAT translation table, or using only static translations, restores accountability at the cost of the ease of use of dynamic NAT. NAT hides addresses; it is not a security control and does not replace a firewall or access lists.

Functionality: Applications that require a specific source port or source address cannot work behind a NAT that assigns addresses and ports dynamically. For example, a specialized database that uses IP addresses to control access to specific records would not function. Static mappings restore such functionality, again at the cost of dynamic operation. A second cause of failure is applications that embed IP address information in the application-layer payload in addition to the IP header: plain NAT rewrites only the headers, so the payload addresses no longer match and the application breaks unless an application-layer gateway for that protocol rewrites the payload as well. Oracle and other relational databases are common examples of applications that embed IP address information.

NAT conserves legal addresses, reduces overlap dysfunctionality, increases Internet flexibility, and eliminates network renumbering in a changed environment:

Conservation: Legally registered addresses can be conserved by using the private address space and NAT to gain access to the Internet.

Overlap dysfunction: In an overlapped network situation, NAT can enable immediate connectivity without renumbering. When two companies that both use the same private address space merge, the overlap can be temporarily alleviated with NAT. The key word is temporary: this is not a design, but a Band-Aid for a quick resolution of the problem. Similarly, a service provider with multiple clients that use the same private address space may need NAT to connect to all of them.

Flexibility: Connecting to an Internet provider or changing providers can be accomplished with only minor changes to the NAT configuration. Becoming disgruntled with an ISP is not uncommon; with NAT, changing ISPs is simply a matter of changing the pool of assigned addresses. Because the NAT function occurs at the edge of the network, the router is the only device that requires reconfiguration. If the customer instead used a public block from the provider on the inside network, changing ISPs would require renumbering the entire network.

Eliminated renumbering: As network changes are made, the cost of immediate renumbering can be eliminated by using NAT to let the existing address scheme remain. Renumbering can then be done gradually, or delegated to a DHCP server incrementally rather than all at once.

Simple NAT Translation

NAT translation in its original form replaces the source IP address with a publicly legitimate address taken from a pool defined on the NAT device; these replacement addresses are valid in the Internet address space. NAT operates on the packet header: it inserts the legitimate address into the IP header, recomputes the checksums, and maintains a table of translated addresses, as shown in the figure (not reproduced here).

Overloading

Overloading uses the source port to further distinguish which sending station is transmitting, so that a single legitimate IP address can be used for many senders. The source port is a number above 1023 chosen by the sending host's transport layer; port numbers 0 through 1023 are the well-known ports, assigned by IANA. The terms socket and port are often used interchangeably. This is incorrect. A socket is the IPaddress:portnumber pair, which is unique to one IP-addressable device; a port is a numbered entity that is addressable by software. For example, every device has port 23 for Telnet, whether or not it is in use, whereas only one device has the socket 122.5.7.8:23. In other words, the socket refers to a specific location on the network, while a port is simply a reference point that could exist on any device.

The overloading feature of NAT uses the entire socket to track the sender; thus the same IP address can be substituted for many sending addresses, as illustrated in the figure (not reproduced here).
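As an added example (written for this report, not the book's Example 11-1 or any Cisco code), the following script models NAT overloading plus one static mapping, using the inside/outside and local/global terms of the NAT Definitions section. It shows that the translator keys on the whole socket: two inside hosts that happen to pick the same source port share one inside-global address and are told apart only by the port the translator allocates, a reply is matched against the full entry, and an unsolicited packet to the overloaded address is dropped. The addresses are taken from the RFC 5737 documentation ranges and the port-allocation policy (keep the host's port when free, else the next free port above 1023) is an assumption for illustration, not a statement of what every IOS release does.

```python
# Added example for this page, not the book's Example 11-1 and not Cisco code.
# A model of NAT overloading (PAT) plus one static mapping, showing that the
# translation is keyed on the whole socket (address:port), not the address.
# Addresses are RFC 5737 documentation ranges; the port policy is an assumption.
from __future__ import annotations

from dataclasses import dataclass

Socket = tuple[str, int]


@dataclass(frozen=True)
class Entry:
    proto: str
    inside_local: Socket    # the host's real socket
    inside_global: Socket   # what the Internet sees
    outside_global: Socket  # the Internet peer (outside local == outside global here)


class Nat:
    def __init__(self, overload_ip: str):
        self.overload_ip = overload_ip
        self.static: dict[str, str] = {}         # inside local ip -> inside global ip
        self.used: set[tuple[str, int]] = set()  # (proto, port) taken on overload_ip
        self.table: list[Entry] = []

    def add_static(self, inside_local_ip: str, inside_global_ip: str) -> None:
        """Static NAT for a server: fixed one-to-one mapping, reachable from outside."""
        self.static[inside_local_ip] = inside_global_ip

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when it is free (port preservation);
        # otherwise take the next free port above 1023, so every inside socket
        # maps to a distinct inside-global socket.  (Assumed policy.)
        port = wanted if wanted > 1023 else 1024
        while (proto, port) in self.used:
            port += 1
            if port > 65535:
                raise RuntimeError("overload address has no free ports")
        return port

    def outbound(self, proto: str, src: Socket, dst: Socket) -> Socket:
        """Translate the source socket of a packet leaving the inside network."""
        if src[0] in self.static:
            return (self.static[src[0]], src[1])      # static: address only, port kept
        for e in self.table:
            if (e.proto, e.inside_local, e.outside_global) == (proto, src, dst):
                return e.inside_global                 # existing flow, reuse entry
        port = self._alloc_port(proto, src[1])
        self.used.add((proto, port))
        e = Entry(proto, src, (self.overload_ip, port), dst)
        self.table.append(e)
        return e.inside_global

    def inbound(self, proto: str, src: Socket, dst: Socket) -> Socket | None:
        """Translate the destination of a packet arriving from outside.
        None means no matching entry: the packet is dropped."""
        for local_ip, global_ip in self.static.items():
            if dst[0] == global_ip:
                return (local_ip, dst[1])
        for e in self.table:
            # An overload entry is matched on both sockets it was created with,
            # so an unsolicited packet to the same global port does not match.
            if (e.proto, e.inside_global, e.outside_global) == (proto, dst, src):
                return e.inside_local
        return None

    def show_translations(self) -> list[str]:
        """Rows in the column order of 'show ip nat translations':
        Pro  Inside global  Inside local  Outside local  Outside global."""
        def fmt(s: Socket) -> str:
            return f"{s[0]}:{s[1]}"
        return [f"{e.proto} {fmt(e.inside_global)} {fmt(e.inside_local)} "
                f"{fmt(e.outside_global)} {fmt(e.outside_global)}" for e in self.table]


def demo() -> dict:
    """Constructed scenario: two clients behind one overloaded address, one static server."""
    nat = Nat("203.0.113.5")
    nat.add_static("10.1.1.10", "203.0.113.10")          # inside web server
    web = ("198.51.100.7", 80)
    out = {}
    out["a"] = nat.outbound("tcp", ("10.1.1.20", 1025), web)   # host A
    out["b"] = nat.outbound("tcp", ("10.1.1.21", 1025), web)   # host B, same port
    out["reply_to_b"] = nat.inbound("tcp", web, out["b"])
    out["unsolicited"] = nat.inbound("tcp", ("192.0.2.9", 4444), out["a"])
    out["to_server"] = nat.inbound("tcp", ("192.0.2.9", 50000), ("203.0.113.10", 443))
    out["rows"] = nat.show_translations()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Host A keeps port 1025, host B is moved to 1026 because the inside-global socket 203.0.113.5:1025 is already taken, the reply to B is mapped back to 10.1.1.21:1025, the unsolicited packet from 192.0.2.9 finds no entry and is dropped, and the static mapping admits inbound connections to the server on any port. That last point is why the report pairs dynamic NAT for clients with static NAT for servers, and why a static entry needs an access list in front of it.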

NAT Definitions

The addresses used for NAT translation fall into four categories:

Inside Local: IP addresses that are unique to a host inside the network but not globally significant. They are generally allocated from RFC 1918 or randomly picked.

Inside Global: IP addresses assigned by IANA or the service provider. They are legitimate in the global address space, that is, on the Internet. The Inside Local addresses are translated to Inside Global addresses for Internet use.

Outside Local: IP addresses of a host on an outside network as presented to the inside network, legitimate on the local network. These addresses do not have to be globally significant; they are generally selected from RFC 1918 or randomly picked.

Outside Global: IP addresses that are globally routable on the Internet.

To make the thought process easier, consider the following definitions:

    Inside: addresses that are inside my network
    Outside: addresses that are outside my network
    Local: addresses that are legitimate inside my network
    Global: addresses that are legitimate outside my network

Simple NAT translation replaces the inside local IP address with an inside global address. To say it another way, the neither-legal-nor-RFC1918 addresses are converted to legal Internet-routable addresses, where both the global and local addresses are valid inside my network. In the previous scenario, inside my network is a point of perspective. The use of overloading is the same as simple NAT translation; however, the same Inside Global address is used over and over by maintaining the translation using the port address. For TCP load distribution, my network presents an Inside Global address to the Internet. When Internet users address this global address, it is translated to an Inside Local address. The need for the outside local address category occurs when two networks are using the same IP address space. In the case of overlapping network numbering, the network that is using an Outside Global address is translated to an Outside Local address. In addition, the outside address could be the same as the address that is being used on the inside, because the Outside Global address is, from my perspective, not-on-my-network-but-okay-where-it-is. Because this network address is okay-where-it-is but, in the case of overlapping networks, not-okay-on-my-network, it must be translated to an Outside Local address. This address is outside my network but okay-when-it-gets-in. Figure 11-6 shows each category of address and its location relative to my network. The terms inside and outside are relative to the network being discussed; hence, what is outside my network is inside to the far side.

NAT Configurations

There are five general configurations that are used for NAT: simple, static, overload, overlap, and load distribution. In all cases, you should recognize that the general syntax is essentially the same for each configuration. In addition, though, you should pay particular attention to the arguments that are added to indicate which configuration is being used. As a sample configuration, assume that you need to convert a simple translation to an overloaded translation. To do this, you would add the keyword overload to the end of the NAT translation statement. Overall, each configuration shown in the sections that follow has the same elements:

Step 1 Declare the address pool that will be used for the translation.
Step 2 Define the translation.
Step 3 Define the interfaces that will participate in NAT.
Step 4 Define the addresses that will be translated.

Again, the successful CCNP candidate should review each of the configurations presented. While reviewing the configurations here, it can be helpful to identify each of the four elements in the configurations.

Simple Dynamic NAT Configuration

The simplest form of configuration is a one-to-one translation in which the IP address of the Inside Local address in the network header is replaced by an Inside Global address. The replacement can be done statically or dynamically. Example 11-1 shows a simple NAT translation with the assignments done dynamically.

Static NAT Configuration

It is possible, and sometimes desirable, to configure NAT statically. A classic example of this configuration would be a resource on the inside of a network that must be accessed from the outside world at a specific location. In this situation, the advertised location of the resource is propagated to the world through DNS, and the inside resource must always carry in the outside world the same translated address and always be reachable at the same Inside Global address. Static translation is done using the following command:

ip nat inside source static 10.0.0.1 108.77.2.1

This command says the following: ip nat, if the packet is inbound to a NAT inside interface destined for a NAT outside interface, always (statically) changes the address 10.0.0.1 to the address 108.77.2.1. If a group of requestors is being translated using a pool and one of the internal devices is a resource (10.0.0.1), the configuration from Example 11-1 is changed to that shown in Example
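To make the translation behaviour concrete for both the Overloading section and the static-plus-pool case above, here is an added Python model that is not from this report or from Cisco IOS. It represents the pool (Step 1), the static entries and the overload keyword as constructor arguments; the pool members 108.77.2.2 and 108.77.2.3 used in the usage below are constructed sample values, while 10.0.0.1 and 108.77.2.1 are the report's own static pair.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class InsideSourceNat:
    """Constructed model of "ip nat inside source" behaviour (not router code):
    static entries, a dynamic one-to-one pool, and overload (PAT) on one address."""
    pool: list                                   # Step 1: Inside Global address pool
    static: dict = field(default_factory=dict)   # Inside Local -> Inside Global, fixed
    overload: bool = False                       # the "overload" keyword
    hosts: dict = field(default_factory=dict)    # dynamic mode: local IP -> global IP
    sockets: dict = field(default_factory=dict)  # overload mode: local socket -> global socket
    _free: list = field(init=False)
    _ports: count = field(default_factory=lambda: count(1025))  # above well-known ports

    def __post_init__(self):
        self._free = list(self.pool)

    def translate(self, local_ip, local_port):
        """Inside -> outside: the (Inside Global ip, port) written into the header,
        or None when a one-to-one pool has no free address (packet is dropped)."""
        if local_ip in self.static:              # static entry wins in every mode
            return (self.static[local_ip], local_port)
        if self.overload:                        # whole socket tracked, one IP shared
            key = (local_ip, local_port)
            if key not in self.sockets:
                self.sockets[key] = (self.pool[0], next(self._ports))
            return self.sockets[key]
        if local_ip not in self.hosts:           # dynamic: one pool address per host
            if not self._free:
                return None
            self.hosts[local_ip] = self._free.pop(0)
        return (self.hosts[local_ip], local_port)

    def untranslate(self, global_ip, global_port):
        """Outside -> inside: recover the Inside Local socket, or None when no
        translation exists (unsolicited inbound traffic is not forwarded)."""
        for local_ip, gip in self.static.items():
            if gip == global_ip:
                return (local_ip, global_port)
        for key, mapped in self.sockets.items():
            if mapped == (global_ip, global_port):
                return key
        for local_ip, gip in self.hosts.items():
            if gip == global_ip:
                return (local_ip, global_port)
        return None
```

A two-address pool with a static entry for 10.0.0.1 hands out one pool address per inside host and drops the third host's packet; the same class with overload=True maps every inside socket onto a single Inside Global address, distinguished only by the port the translator assigns.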
