IP versions and NATing using Cisco router

Upload: srilekha-putrevu

Post on 04-Apr-2018


7/29/2019 ip versions and nating using cisco router

CHAPTER 1

IP VERSIONS

1.1 INTRODUCTION

The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite (often called TCP/IP, although not all applications use TCP) to serve billions of users worldwide.

It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies.

The Internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and the infrastructure to support email. The Internet allows greater flexibility in working hours and location, especially with the spread of unmetered high-speed connections.

The Internet can be accessed almost anywhere by numerous means, including through mobile Internet devices. Mobile phones, data cards, handheld game consoles and cellular routers allow users to connect to the Internet wirelessly.

Within the limitations imposed by small screens and other limited facilities of such pocket-sized devices, the services of the Internet, including email and the web, may be available. Educational material at all levels from pre-school to post-doctoral is available from websites.

Email is an important communications service available on the Internet. The concept of sending electronic text messages between parties in a way analogous to mailing letters or memos predates the creation of the Internet. Pictures, documents and other files are sent as email attachments.


Internet telephony is another common communications service made possible by the creation of the Internet. VoIP stands for Voice-over-Internet Protocol, referring to the protocol that underlies all Internet communication. The idea began in the early 1990s with walkie-talkie-like voice applications for personal computers. File sharing is an example of transferring large amounts of data across the Internet.

The communications infrastructure of the Internet consists of its hardware components and a system of software layers that control various aspects of the architecture. While the hardware can often be used to support other software systems, it is the design and the rigorous standardization process of the software architecture that characterizes the Internet and provides the foundation for its scalability and success.

The Internet standards describe a framework known as the Internet protocol suite. This is a model architecture that divides methods into a layered system of protocols (RFC 1122, RFC 1123). The layers correspond to the environment or scope in which their services operate.

At the top is the application layer, the space for the application-specific networking methods used in software applications, e.g., a web browser program. Below this top layer, the transport layer connects applications on different hosts via the network (e.g., the client-server model) with appropriate data exchange methods. Underlying these layers are the core networking technologies, consisting of two layers.

The internet layer enables computers to identify and locate each other via Internet Protocol (IP) addresses, and allows them to connect to one another via intermediate (transit) networks. Last, at the bottom of the architecture, is a software layer, the link layer, that provides connectivity between hosts on the same local network link, such as a local area network (LAN) or a dial-up connection. The model is also known as TCP/IP.

Other models have been developed, such as the Open Systems Interconnection (OSI) model, but they are not compatible in the details of description or implementation; many similarities exist and the TCP/IP protocols are usually included in the discussion of OSI networking.


The most prominent component of the Internet model is the Internet Protocol (IP), which provides addressing systems (IP addresses) for computers on the Internet. IP enables internetworking and in essence establishes the Internet itself.

1.2 IP ADDRESS

An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."

The designers of the Internet Protocol defined an IP address as a 32-bit number and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new addressing system (IPv6), using 128 bits for the address, was developed in 1995 and its deployment has been ongoing since the mid-2000s.

IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.


1.3 IP VERSIONS

Two versions of the Internet Protocol (IP) are in use:

1) IP Version 4
2) IP Version 6

IPv4 (Internet Protocol version 4) is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

IPv5, also called the Internet Stream Protocol, was developed in the 1980s as an experiment. It was created to transmit audio, video, and simulations over the Internet. While it did gain some popularity with large corporations, it was never used as an official protocol. In its original form, IPv5 was never widely distributed. It was, however, adapted and developed into what is now known as ST2.

IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4, which is the dominant communications protocol for most Internet traffic as of 2012.


1.4 IP Version 4

IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

1.4.1 IPV4 HEADER FORMAT

An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part and a variable-length optional part. It is transmitted in big-endian order from left to right, with the high-order bit of the version field going first.

IPv4 header layout (one row per 32-bit word):

+---------+-----+-----------------+------------------------------+
| Version | IHL | Type of service |         Total length         |
+---------+-----+-----------------+----+----+--------------------+
|         Identification          | DF | MF |  Fragment offset   |
+----------------+----------------+----+----+--------------------+
|  Time to live  |    Protocol    |       Header checksum        |
+----------------+----------------+------------------------------+
|                         Source address                         |
+----------------------------------------------------------------+
|                      Destination address                       |
+----------------------------------------------------------------+
|                   Options (0 or more words)                    |
+----------------------------------------------------------------+

VERSION FIELD keeps track of which version of the protocol the datagram belongs to. By including the version in each datagram, it becomes possible to have the transition between versions take years, with some machines running the old version and others running the new one. Currently a transition between IPv4 and IPv6 is going on.

Since the header length is not constant, a field in the header, IHL, is provided to tell how long the header is, in 32-bit words. The minimum value is 5, which applies when no options are present. The maximum value of this 4-bit field is 15, which limits the header to 60 bytes, and thus the options field to 40 bytes.

Type of service field is one of the few fields that has changed its meaning over the years. It was and is still intended to distinguish between different classes of service. Various combinations of reliability and speed are possible.

Originally, the 6-bit field contained (from left to right) a three-bit precedence field and 3 flags, D, T, and R.

Precedence field was a priority, from 0 (normal) to 7 (network control packet). The 3 flag bits allowed the host to specify what it cared most about from the set (Delay, Throughput, Reliability).

Total length includes everything in the datagram, both header and data. The maximum length is 65,535 bytes.

Identification field is needed to allow the destination host to determine which datagram a newly arrived fragment belongs to. All the fragments of a datagram contain the same identification value.

Next comes an unused bit and then two 1-bit fields.

DF (don't fragment) is an order to the routers not to fragment the datagram because the destination is incapable of putting the pieces back together again.

MF (more fragments): all fragments except the last one have this bit set. It is needed to know when all fragments of a datagram have arrived. The fragment offset tells where in the current datagram this fragment belongs. All fragments except the last one in a datagram must be a multiple of 8 bytes, the elementary fragment unit. Since 13 bits are provided, there is a maximum of 8192 fragments per datagram, giving a maximum datagram length of 65,536 bytes, one more than the total length field.

Time to live field is a counter used to limit packet lifetimes. It is supposed to count time in seconds, allowing a maximum lifetime of 255 seconds. It must be decremented on each hop and is supposed to be decremented multiple times when queued for a long time in a router. When it hits zero the packet is discarded and a warning packet is sent back to the source host. This feature prevents datagrams from wandering around forever, something that otherwise might happen if the routing tables ever become corrupted.

Protocol field tells the network layer which transport process to give the datagram to. TCP is one possibility, but so are UDP and some others. The numbering of protocols is global across the entire Internet.

Header checksum verifies the header only. Such a checksum is useful for detecting errors generated by bad memory words inside a router. The algorithm is to add up all the 16-bit halfwords as they arrive, using ones' complement arithmetic, and then take the ones' complement of the result. For purposes of this algorithm, the header checksum is assumed to be zero upon arrival. This algorithm is more robust than using a normal add.

Source and Destination addresses indicate the network number and host number.

Options field was designed to provide an escape to allow subsequent versions of the protocol to include information not present in the original design, to permit experimenters to try out new ideas, and to avoid allocating header bits to information that is rarely needed. The options are variable length. Each begins with a one-byte code identifying the option. The options field is padded out to a multiple of 4 bytes.
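As an added illustration that is not part of the original document, the following Python decodes a constructed 20-byte IPv4 header into the fields described above (version, IHL, DF/MF flags, 13-bit fragment offset in 8-byte units, TTL, protocol, addresses) and verifies the header checksum with the ones' complement algorithm; the sample bytes and their checksum 0xb3b1 are constructed for this example.

```python
import struct

# Constructed sample header (not from the original page): IPv4, IHL 5,
# total length 60, identification 0x1c46, DF set, TTL 64, protocol 6 (TCP),
# 192.168.0.10 -> 172.16.254.1. The checksum 0xb3b1 was worked out by hand
# with the same ones' complement algorithm used below.
SAMPLE_HEADER = bytes.fromhex(
    "4500 003c 1c46 4000 4006 b3b1 c0a8 000a ac10 fe01"
)


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words, folding each carry back in (end-around carry)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Checksum of a header with its own checksum field treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields and report whether the checksum holds."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for the fixed IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl_words = ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    if ihl_words < 5:
        raise ValueError(f"IHL {ihl_words} is below the minimum of 5 words")
    header_len = ihl_words * 4               # IHL counts 32-bit words
    if len(packet) < header_len:
        raise ValueError("packet is shorter than the header length it claims")
    header = packet[:header_len]
    return {
        "version": version,
        "ihl_words": ihl_words,
        "header_bytes": header_len,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),     # bit 14: don't fragment
        "mf": bool(flags_frag & 0x2000),     # bit 13: more fragments
        "fragment_offset_bytes": (flags_frag & 0x1FFF) * 8,   # 13 bits, 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": header_checksum(header) == csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],              # empty when IHL is 5
    }


if __name__ == "__main__":
    for key, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{key:>22}: {value}")
```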

1.4.2 IPV4 ADDRESSES

Figure: Decomposition of an IPv4 address from dot-decimal notation to its binary value.

In IPv4 an address consists of 32 bits, which limits the address space to 4294967296 (2^32) possible unique addresses. IPv4 reserves some addresses for special purposes such as private networks (~18 million addresses) or multicast addresses (~270 million addresses).


IPv4 addresses are canonically represented in dot-decimal notation, which consists of four decimal numbers, each ranging from 0 to 255, separated by dots, e.g., 172.16.254.1. Each part represents a group of 8 bits (octet) of the address. In some cases of technical writing, IPv4 addresses may be presented in various hexadecimal, octal, or binary representations.

1.4.3 IPV4 SUBNETTING

In the early stages of development of the Internet Protocol, network administrators interpreted an IP address in two parts: network number portion and host number portion. The highest order octet (most significant eight bits) in an address was designated as the network number and the remaining bits were called the rest field or host identifier and were used for host numbering within a network.

This early method soon proved inadequate as additional networks developed that were independent of the existing networks already designated by a network number. In 1981, the Internet addressing specification was revised with the introduction of classful network architecture.

Classful network design allowed for a larger number of individual network assignments and fine-grained subnetwork design. The first three bits of the most significant octet of an IP address were defined as the class of the address. Three classes (A, B, and C) were defined for universal unicast addressing.

Depending on the class derived, the network identification was based on octet boundary segments of the entire address. Each class used successively additional octets in the network identifier, thus reducing the possible number of hosts in the higher order classes (B and C).


1.5 ADDRESS CLASSES

The Internet community originally defined five address classes to accommodate networks of varying sizes. Microsoft TCP/IP supports class A, B, and C addresses assigned to hosts. The class of address defines which bits are used for the network ID and which bits are used for the host ID. It also defines the possible number of networks and the number of hosts per network.

Class A

Class A addresses are assigned to networks with a very large number of hosts. The high-order bit in a class A address is always set to zero. The next seven bits (completing the first octet) complete the network ID. The remaining 24 bits (the last three octets) represent the host ID. This allows for 126 networks and 16,777,214 hosts per network. Figure 1.4 illustrates the structure of class A addresses.

Class B

Class B addresses are assigned to medium-sized to large-sized networks. The two high-order bits in a class B address are always set to binary 1 0. The next 14 bits (completing the first two octets) complete the network ID. The remaining 16 bits (last two octets) represent the host ID. This allows for 16,384 networks and 65,534 hosts per network. Figure 1.5 illustrates the structure of class B addresses.

Class C

Class C addresses are used for small networks. The three high-order bits in a class C address are always set to binary 1 1 0. The next 21 bits (completing the first three octets) complete the network ID. The remaining 8 bits (last octet) represent the host ID. This allows for 2,097,152 networks and 254 hosts per network. Figure 1.6 illustrates the structure of class C addresses.

Class D

Class D addresses are reserved for IP multicast addresses. The four high-order bits in a class D address are always set to binary 1 1 1 0. The remaining bits are for the address that interested hosts recognize. Microsoft supports class D addresses for applications to multicast data to multicast-capable hosts on an internetwork.

Class E

Class E is an experimental address that is reserved for future use. The high-order bits in a class E address are set to 1111.

Table 1.5.1 IP Address Class Summary

Class   Value for w¹   Network ID portion   Host ID portion   Available networks   Hosts per network
A       1-126          w                    x.y.z             126                  16,777,214
B       128-191        w.x                  y.z               16,384               65,534
C       192-223        w.x.y                z                 2,097,152            254


1.6 IPV4 PRIVATE ADDRESSES

Early network design, when global end-to-end connectivity was envisioned for communications with all Internet hosts, intended that IP addresses be uniquely assigned to a particular computer or device. However, it was found that this was not always necessary as private networks developed and public address space needed to be conserved.

Computers not connected to the Internet, such as factory machines that communicate only with each other via TCP/IP, need not have globally unique IP addresses. Today, when needed, such private networks typically connect to the Internet through network address translation (NAT).

IANA-reserved private IPv4 network ranges

Block                              Start         End               No. of addresses
24-bit block (/8 prefix, 1 A)      10.0.0.0      10.255.255.255    16777216
20-bit block (/12 prefix, 16 B)    172.16.0.0    172.31.255.255    1048576
16-bit block (/16 prefix, 256 C)   192.168.0.0   192.168.255.255   65536

Any user may use any of the reserved blocks. Typically, a network administrator will divide a block into subnets; for example, many home routers automatically use a default address range of 192.168.0.0 through 192.168.0.255 (192.168.0.0/24).

1.7 IPV4 ADDRESS EXHAUSTION

IPv4 address exhaustion is the decreasing supply of unallocated Internet Protocol Version 4 (IPv4) addresses available at the Internet Assigned Numbers Authority (IANA) and the regional Internet registries (RIRs) for assignment to end users and local Internet registries, such as Internet service providers.


1.8. Subnet Masking

Subnet masking, or subnetting, is used to break one large group into several smaller subnetworks.

Figure 2-3 IP Address Structure After Subnetting

These subnets can then be distributed throughout an enterprise. This results in less IP address waste and better logical organization. Formalized with RFC 950 in 1985, subnetting introduced a third level of hierarchy to the IPv4 addressing structure. The number of bits available to the network, subnet, and host portions of a given address varies depending on the size of the subnet mask.

A subnet mask is a 32-bit number that acts as a counterpart to the IP address. Each bit in the mask corresponds to its counterpart bit in the IP address. Logical ANDing is applied to the address and mask. If a bit in the IP address corresponds to a 1 bit in the subnet mask, the IP address bit represents a network number. If a bit in the IP address corresponds to a 0 bit in the subnet mask, the IP address bit represents a host number.

When the subnet mask is known, it overrides the address class in determining whether a bit is a network bit or a host bit. This allows routers to recognize addresses differently than the format dictated by class. The mask can be used to tell hosts that although their addresses are Class B, the first three octets, instead of the first two, are the network number. In this case, the additional octet acts like part of the network number, but only inside the organization where the mask is configured.

The subnet mask applied to an address ultimately determines the network and host portions of an IP address. The network and host portions change when the subnet mask changes. If a 16-bit mask, 255.255.0.0, is applied to an IP address, only the first 16 bits, or two octets, of the IP address 172.24.100.45 represent the network number. Therefore, the network number for this host address is 172.24.0.0.

Because the rules of class dictate that the first two octets of a Class B address are the network number, this 16-bit mask does not create subnets within the 172.24.0.0 network. To create subnets with this Class B address, a mask must be used that identifies bits in the third or fourth octet as part of the network number.

If a 24-bit mask such as 255.255.255.0 is applied, the first 24 bits of the IP address are specified as the network number. The network number for the host in this example is 172.24.100.0. The gray portion of the address shown in Figure 2-5 indicates this.

Routers and hosts configured with this mask see all 8 bits in the third octet as part of the network number. These 8 bits are considered to be the subnet field because they represent network bits beyond the two octets prescribed by classful addressing.

Inside this network, devices configured with a 24-bit mask use the 8 bits of the third octet to determine to what subnet a host belongs. Because 8 bits remain in the host field, 254 hosts may populate each network. Just as hosts must have identical network addresses, they also must match subnet fields to communicate with each other directly. Otherwise, the services of a router must be used so that a host on one network or subnet can talk to a host on another.


A Class B network with an 8-bit subnet field creates 2^8, or 256, potential subnets, each one equivalent to one Class C network. Because 8 bits remain in the host field, 254 hosts may populate each network. Two host addresses are reserved as the network number and broadcast address, respectively. By dividing a Class B network into smaller logical groups, the internetwork can be made more manageable, more efficient, and more scalable.

Notice that subnet masks are not sent as part of an IP packet header. This means that routers outside this network will not know what subnet mask is configured inside the network. An outside router, therefore, treats 172.24.100.45 as just one of 65,000 hosts that belong to the 172.24.0.0 network. In effect, subnetting classful IP addresses provides a logical structure that is hidden from the outside world.

1.9 IP Version 6

IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4, which is the dominant communications protocol for most Internet traffic as of 2012. IPv6 was developed to deal with the long-anticipated problem of IPv4 running out of addresses. IPv6 implements a new addressing system that allows for far more addresses to be assigned than with IPv4.

Each device on the Internet, such as a computer or mobile telephone, must be assigned an IP address in order to communicate with other devices. With the ever-increasing number of new devices being connected to the Internet, there is a need for more addresses than IPv4 can accommodate. IPv6 uses 128-bit addresses, allowing for 2^128, or approximately 3.4×10^38, addresses. IPv4 uses 32-bit addresses, allowing for only 4,294,967,296 addresses worldwide.


1.8.1 IPV6 ADDRESSES

Figure: Decomposition of an IPv6 address from hexadecimal representation to its binary value.

The rapid exhaustion of IPv4 address space, despite conservation techniques, prompted the Internet Engineering Task Force (IETF) to explore new technologies to expand the Internet's addressing capability. The permanent solution was deemed to be a redesign of the Internet Protocol itself.

This next generation of the Internet Protocol, intended to replace IPv4 on the Internet, was eventually named Internet Protocol Version 6 (IPv6) in 1995. The address size was increased from 32 to 128 bits or 16 octets. This, even with a generous assignment of network blocks, is deemed sufficient for the foreseeable future. Mathematically, the new address space provides the potential for a maximum of 2^128, or about 3.403×10^38, unique addresses.

The new design is not intended to provide a sufficient quantity of addresses on its own, but rather to allow efficient aggregation of subnet routing prefixes to occur at routing nodes. As a result, routing table sizes are smaller, and the smallest possible individual allocation is a subnet for 2^64 hosts, which is the square of the size of the entire IPv4 Internet. At these levels, actual address utilization rates will be small on any IPv6 network segment.

The new design also provides the opportunity to separate the addressing infrastructure of a network segment, that is the local administration of the segment's available space, from the addressing prefix used to route external traffic for a network. IPv6 has facilities that automatically change the routing prefix of entire networks, should the global connectivity or the routing policy change, without requiring internal redesign or renumbering.

The large number of IPv6 addresses allows large blocks to be assigned for specific purposes and, where appropriate, to be aggregated for efficient routing. With a large address space, there is not the need to have complex address conservation methods as used in Classless Inter-Domain Routing (CIDR).

Many modern desktop and enterprise server operating systems include native support for the IPv6 protocol, but it is not yet widely deployed in other devices, such as home networking routers, voice over IP (VoIP) and multimedia equipment, and network peripherals.

IPv6 ADDRESSING

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces. There are three types of addresses:

Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.

Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance).

Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.


1.9 COMPARISON BETWEEN IPV4 AND IPV6:

1. IPv4: Addresses are 32 bits (4 bytes) in length.
   IPv6: Addresses are 128 bits (16 bytes) in length.

2. IPv4: Address (A) resource records in DNS map host names to IPv4 addresses.
   IPv6: Address (AAAA) resource records in DNS map host names to IPv6 addresses.

3. IPv4: IPSec is optional and should be supported externally.
   IPv6: IPSec support is not optional.

4. IPv4: Header does not identify packet flow for QoS handling by routers.
   IPv6: Header contains a Flow Label field, which identifies the packet flow for QoS handling by routers.

5. IPv4: Both routers and the sending host fragment packets.
   IPv6: Routers do not support packet fragmentation. The sending host fragments packets.

6. IPv4: Header includes a checksum.
   IPv6: Header does not include a checksum.

7. IPv4: Header includes options.
   IPv6: Optional data is supported as extension headers.

8. IPv4: Must support a 576-byte packet size (possibly fragmented).
   IPv6: Must support a 1280-byte packet size (without fragmentation).

9. IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
   IPv6: IPv6 uses a link-local scope all-nodes multicast address.

10. IPv4: Internet Group Management Protocol (IGMP) manages membership in local subnet groups.
    IPv6: Multicast Listener Discovery (MLD) messages manage membership in local subnet groups.

11. IPv4: Configured either manually or through DHCP.
    IPv6: Does not require manual configuration or DHCP.


    1.10 ADVANTGES OF IPV6 OVER IPV4

    Larger address space

    The main advantage of IPv6 over IPv4 is its larger address space. The length of an IPv6

    address is 128 bits, compared to 32 bits in IPv4.The address space therefore has 2128

    or

    approximately 3.41038

    addresses.

    Multicasting

    Multicasting, the transmission of a packet to multiple destinations in a single send

    operation, is part of the base specification in IPv6. In IPv4 this is an optional although

    commonly implemented feature. IPv6 multicast addressing shares common features and

    protocols with IPv4 multicast, but also provides changes and improvements by eliminating

    the need for certain protocols.

    Mandatory network-layer security

    Internet Protocol Security (IPsec) was originally developed for IPv6, but found

    widespread deployment first in IPv4, into which it was back-engineered. Earlier, IPsec was

    an integral part of the base IPv6 protocol suite, but it has since been made optional.

    Simplified processing by routers

    In IPv6, the packet header and the process of packet forwarding have been simplified.

    Although IPv6 packet headers are at least twice the size of IPv4 packet headers, packet

    processing by routers is generally more efficient, thereby extending the end-to-end principle

    of Internet design.

    Privacy

    The privacy enhancements in IPv6 have been mostly developed in response to a

    misunderstanding. Interfaces can have addresses based on the MAC address of the machine,

    but this is not a requirement. Even when an address is not based on the MAC address though,

    the interface's address is (contrary to IPv4) usually global instead of local, which makes it

    much easier to identify a single user through the IP address.


    When the packets pass through the NAT gateway they will be modified so that they

    appear to be coming from the NAT gateway itself. The NAT gateway will record the

    changes it makes in its state table so that it can a) reverse the changes on return packets and

    b) ensure that return packets are passed through the firewall and are not blocked. For

    example, the following changes might be made:

    - Source IP: replaced with the external address of the gateway (for example, 24.5.0.5)

    - Source port: replaced with a randomly chosen, unused port on the gateway (for example, 53136)

    Neither the internal machine nor the Internet host is aware of these translation steps. To

    the internal machine, the NAT system is simply an Internet gateway. To the Internet host, the

    packets appear to come directly from the NAT system; it is completely unaware that the

    internal workstation even exists.

    When the Internet host replies to the internal machine's packets, they will be addressed to

    the NAT gateway's external IP (24.5.0.5) at the translation port (53136). The NAT gateway

    will then search the state table to determine if the reply packets match an already established

    connection. A unique match will be found based on the IP/port combination, which tells PF (the

    packet filter acting as the NAT gateway in this example) that the packets belong to a

    connection initiated by the internal machine 192.168.1.35. PF will

    then make the opposite changes it made to the outgoing packets and forward the reply

    packets on to the internal machine.

    Translation of ICMP packets happens in a similar fashion but without the source port

    modification.


    2.2 IMPLEMENTATION OF NATING:

    Network address translation can be done:

    1) Static

    2) Dynamic

    In static NAT a certain fixed original IP is always translated to the same NAT IP at all

    times, and no other IP gets translated to the same NAT IP.

    In dynamic NAT the NAT IP depends on various run-time conditions and may be a

    completely different one for each single connection.

    2.2.1 STATIC NAT:

    The process of the Static NAT translation is the same for every device that supports it

    (assuming the manufacturer has followed the RFCs). This means that whether we use a

    router or a firewall appliance to perform Static NAT they'll both follow the same guidelines.

    Consider our example network: figure 1

    2.2.1.1 example network of static NAT

    As the diagram describes we have Workstation No.1, which sends a request to the

    Internet. Its gateway is the router that connects the LAN to the Internet and also performs

    Static NAT.


    1) The diagram below shows us how the Workstation's packet is altered as it transits the

    router before it's sent to the Internet (outgoing packet):

    2.2.1.2 outgoing Packet Modification of static NAT

    As you can see, the only thing that changes is the Source IP, which was 192.168.0.3 and

    was given the value of 203.31.220.135, which is a real IP Address on the Internet. The

    Destination IP Address, Source Port and Destination Port are not modified.

    Assuming the packet arrives at its destination, we would most likely expect to see a

    reply. It would be logical to assume that the reply, or incoming packet, will require some sort

    of modification in order to successfully arrive at the originating host located on our private

    network (that's Workstation 1).

    2) Here is how the incoming packet is altered as it transits the router:

    2.2.1.3 Incoming Packet Modification of static NAT


    The diagram above shows the part of the incoming packet that is altered by the router.

    Only the destination IP Address is changed, from 203.31.220.135 to 192.168.0.3 so the

    packet can then be routed to the internal workstation. Source IP Address, Source Port and

    Destination Port remain the same.

    3) The diagram below shows you what the outgoing and incoming packets looked like before and after transiting the router:

    2.2.1.4 complete static NAT process

    2.2.2 DYNAMIC NAT:

    The way Dynamic NAT differs from Static NAT is that where Static NAT provides

    a one-to-one internal-to-public static IP mapping, Dynamic NAT does the same but without

    making the mapping to the public IP static, and it usually uses a group of available public IPs.

    With Dynamic NAT, we also map our internal IP Addresses to real public IP Addresses,

    but the mapping is not static: for each session in which an internal host communicates

    with the Internet, its public IP Address stays the same for that session, but is likely to

    change from one session to the next. These IPs are taken from a pool of public IP Addresses

    that have been reserved by our ISP for our public network.


    With Dynamic NAT, translations don't exist in the NAT table until the router receives

    traffic that requires translation. Dynamic translations have a timeout period after which they

    are purged from the translation table, thus making them available for other internal hosts.

    1) The diagram below illustrates the way Dynamic NAT works:

    2.2.2.1 Dynamic NAT working

    The diagram above is an example network and shows a router, which is configured to

    perform Dynamic NAT for the network. We request 4 public IPs from our ISP

    (203.31.218.210 to 203.31.218.213), which will be dynamically mapped by our router to our

    internal hosts. In this particular session our workstation, with IP Address 192.168.0.1, sends

    a request to the Internet and is assigned the public IP address 203.31.218.210. This mapping

    between the workstation's private and public IP Address will remain until the session

    finishes.

    The router is configured with a special NAT timeout and, after this timeout is reached (no

    traffic sent/received during that time), the router will expire the particular mapping and reuse

    it for a different internal host.

    Suppose the users of the workstations with IP Addresses 192.168.0.1 and 192.168.0.3 stop

    using their PCs: they log off and leave their PCs on (even if they switched them off, it

    wouldn't make a difference, unless they had some program running that was constantly

    generating Internet traffic, in which case the NAT timeout would never be reached). While

    these users are out, the user on the workstation with IP Address 192.168.0.2 decides to stay

    and do some extra work on the Internet. After 1 hour, the users return and log back on, launch

    their web browser and start to search on the net.

    The router, as expected, deleted the old mappings once the NAT timeout had been

    reached for each mapping and created new ones once the users launched their web browsers,

    because that action generated traffic to the Internet and therefore had to transit the router.

    Here's how the new mappings look:

    2.2.2.2 Dynamic NAT mapping

    2.3 SECURITY AND ADMINISTRATION

    Implementing dynamic NAT automatically creates a firewall between your internal

    network and outside networks or the Internet. Dynamic NAT allows only connections that

    originate inside the stub domain. Essentially, this means that a computer on an external

    network cannot connect to your computer unless your computer has initiated the contact. So

    you can browse the Internet and connect to a site, even download a file. But somebody else

    can't simply latch onto your IP address and use it to connect to a port on your computer.

    Static NAT, also called inbound mapping, allows connections initiated by external

    devices to computers on the stub domain to take place in specific circumstances. For

    instance, you may wish to map an inside global address to a specific inside local address that

    is assigned to your Web server.
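    The translation behaviour described in sections 2.1, 2.2.2 and 2.3 (rewrite the source,
    record the change in a state table, reverse it on the reply, purge idle dynamic mappings,
    and drop inbound packets that match no entry unless a static inbound mapping exists) is
    illustrated below by an added Python simulation. It is example code written for this
    report, not the behaviour of any particular router or of PF; it only models the state table
    at the level the text describes. The addresses 24.5.0.5, 192.168.1.35, 192.168.0.x and the
    pool 203.31.218.210-213 come from the page; 198.51.100.10 and 203.0.113.x are constructed
    placeholders, and the sequential port allocation (real gateways pick an unused port at
    random) is an assumption made so the results are reproducible.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Header fields NAT acts on. For ICMP, src_port/dst_port carry the query identifier."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, pool, timeout, overload=False, static=None):
        self.pool = list(pool)            # inside-global addresses assigned by the ISP
        self.timeout = timeout            # idle seconds before a dynamic entry is purged
        self.overload = overload          # True: all hosts share pool[0], told apart by port
        self.static = dict(static or {})  # inside-local -> inside-global, never expires
        self.dynamic = {}                 # inside-local -> [inside-global, last_used]
        self.ports = {}                   # (global_ip, port, proto) -> [local_ip, local_port, last_used]
        self.next_port = 1024             # sequential for reproducibility (assumption; PF picks at random)

    def _expire(self, now):
        """Purge idle entries so their global address or port is free for another host."""
        self.dynamic = {k: v for k, v in self.dynamic.items() if now - v[1] < self.timeout}
        self.ports = {k: v for k, v in self.ports.items() if now - v[2] < self.timeout}

    def _global_for(self, local_ip, now):
        if local_ip in self.static:
            return self.static[local_ip]
        if self.overload:
            return self.pool[0]
        if local_ip in self.dynamic:                    # existing mapping: refresh its timer
            self.dynamic[local_ip][1] = now
            return self.dynamic[local_ip][0]
        in_use = {v[0] for v in self.dynamic.values()} | set(self.static.values())
        free = [g for g in self.pool if g not in in_use]
        if not free:
            return None                                 # pool exhausted: packet is dropped
        self.dynamic[local_ip] = [free[0], now]
        return free[0]

    def _free_port(self, gip, proto):
        while (gip, self.next_port, proto) in self.ports:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt, now):
        """Inside -> Internet: rewrite the source and record the change in the state table."""
        self._expire(now)
        gip = self._global_for(pkt.src_ip, now)
        if gip is None:
            return None
        if not self.overload or pkt.src_ip in self.static:
            return replace(pkt, src_ip=gip)             # one-to-one NAT: only the source IP changes
        # PAT: TCP/UDP get an unused gateway port; ICMP keeps its identifier (no port to rewrite)
        port = pkt.src_port if pkt.proto == "icmp" else self._free_port(gip, pkt.proto)
        self.ports[(gip, port, pkt.proto)] = [pkt.src_ip, pkt.src_port, now]
        return replace(pkt, src_ip=gip, src_port=port)

    def inbound(self, pkt, now):
        """Internet -> inside: reverse a recorded change, or drop when no entry matches."""
        self._expire(now)
        for local, gip in self.static.items():          # inbound mapping: always reachable
            if pkt.dst_ip == gip:
                return replace(pkt, dst_ip=local)
        key = (pkt.dst_ip, pkt.dst_port, pkt.proto)     # PAT: unique IP/port/proto match
        if key in self.ports:
            self.ports[key][2] = now
            return replace(pkt, dst_ip=self.ports[key][0], dst_port=self.ports[key][1])
        for local, entry in self.dynamic.items():       # dynamic pool: match on the IP alone
            if pkt.dst_ip == entry[0]:
                entry[1] = now
                return replace(pkt, dst_ip=local)
        return None                                     # unsolicited: no state, dropped


WEB = "198.51.100.10"   # constructed Internet host (documentation address range)


def dynamic_nat_demo():
    """Section 2.2.2 scenario: four ISP addresses, one-hour idle timeout, reuse after expiry."""
    gw = NatGateway(pool=["203.31.218.210", "203.31.218.211",
                          "203.31.218.212", "203.31.218.213"], timeout=3600)
    a = gw.outbound(Packet("192.168.0.1", 40000, WEB, 80), now=0)
    b = gw.outbound(Packet("192.168.0.3", 40001, WEB, 80), now=0)
    reply = gw.inbound(Packet(WEB, 80, a.src_ip, a.src_port), now=10)  # matched on .210
    gw.outbound(Packet("192.168.0.2", 40002, WEB, 80), now=3000)        # .2 keeps working
    c = gw.outbound(Packet("192.168.0.2", 40003, WEB, 443), now=4000)   # .2 keeps its mapping
    d = gw.outbound(Packet("192.168.0.4", 40004, WEB, 80), now=4000)    # .1/.3 expired: .210 reused
    return a.src_ip, b.src_ip, reply.dst_ip, c.src_ip, d.src_ip


def overload_demo():
    """Section 2.1/2.3 scenario: one external address, replies matched by port, unsolicited dropped."""
    gw = NatGateway(pool=["24.5.0.5"], timeout=300, overload=True,
                    static={"192.168.1.10": "203.0.113.10"})   # constructed inbound mapping for a server
    out = gw.outbound(Packet("192.168.1.35", 50000, WEB, 80), now=0)
    reply = gw.inbound(Packet(WEB, 80, out.src_ip, out.src_port), now=1)
    ping = gw.outbound(Packet("192.168.1.35", 777, WEB, 0, proto="icmp"), now=2)
    echo = gw.inbound(Packet(WEB, 0, ping.src_ip, ping.src_port, proto="icmp"), now=3)
    unsolicited = gw.inbound(Packet("203.0.113.99", 4444, "24.5.0.5", 22), now=4)
    to_server = gw.inbound(Packet("203.0.113.99", 4444, "203.0.113.10", 80), now=5)
    return out, reply, ping, echo, unsolicited, to_server
```

    In the overload demo the unsolicited packet to port 22 of the gateway is returned as None
    (dropped) because no outbound packet created an entry for it, which is the "firewall" effect
    section 2.3 describes; the static entry for the server shows why an inbound mapping removes
    that protection for the mapped host. In the dynamic demo, host 192.168.0.4 receives
    203.31.218.210 only after the earlier mappings for .1 and .3 have been idle longer than the
    timeout.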


    2.4 MULTI-HOMING

    As businesses rely more and more on the Internet, having multiple points of connection

    to the Internet is fast becoming an integral part of their network strategy. Multiple

    connections, known as multi-homing, reduce the chance of a potentially catastrophic

    shutdown if one of the connections should fail.

    In addition to maintaining a reliable connection, multi-homing allows a company to

    perform load-balancing by lowering the number of computers connecting to the Internet

    through any single connection. Distributing the load through multiple connections optimizes

    the performance and can significantly decrease wait times.

    Multi-homed networks are often connected to several different ISPs (Internet Service

    Providers). Each ISP assigns an IP address (or range of IP addresses) to the company.

    Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route

    between networks using different protocols. In a multi-homed network, the router utilizes

    IBGP (Internal Border Gateway Protocol) on the stub domain side and EBGP (External

    Border Gateway Protocol) to communicate with other routers.

    When using NAT with multi-homing, the NAT router is configured with multiple pools

    of inside global addresses allocated by different ISPs. The same inside local address should

    be mapped to more than one inside global address from the configured pools, depending on

    the provider through which the traffic gets routed to the destination. This is known as NAT

    by destination.

    Multi-homing really makes a difference if one of the connections to an ISP fails. As soon

    as the router assigned to connect to that ISP determines that the connection is down, it will

    reroute all data through one of the other routers.

    NAT can be used to facilitate scalable routing for multi-homed multi-provider connectivity.


    2.5 NAT ADVANTAGES

    - NAT saves public IP addresses. Because a client only needs a public IP address when
      it is communicating with the Internet, the pool of globally routable IP addresses can
      be shared with other clients. Therefore, you need fewer public IP addresses than the
      actual number of internal clients that need access to the public network if you use
      NAT.

    - NAT hides the internal network's IP addresses.

    - It simplifies routing. Since internal hosts are assigned IP addresses from the internal
      network, other internal systems can access them without special routes or routers.
      The same hosts are accessed from the public network through globally routable IP
      addresses translated by NAT.

    - NAT is transparent to the client and, therefore, allows you to support a wider range
      of clients.

    - NAT supports a wide range of services with a few exceptions. Any application that
      carries and uses the IP address inside the application does not work through NAT.

    - NAT consumes fewer computer resources and is more efficient than using SOCKS and
      application proxy servers.

    - The Universal Connection can flow through NAT.

    2.6 NAT DISADVANTAGES

    - NAT provides minimum logging services.

    - You must enable IP forwarding before you can use NAT to make an Internet connection.

    - NAT is not as adept as either the SOCKS or application proxy servers in detecting
      attacks.

    - NAT can break certain applications, or make these applications more difficult to run.


    2.7 IMPLEMENTATION OF NATING USING CISCO ROUTER

    CONNECTING TO A CISCO ROUTER

    We can connect to a Cisco router to configure it, verify its configuration, and check

    statistics. There are different ways to do this, but most often, the first place we would

    connect to is the console port. The console port is usually an RJ-45 (8-pin modular)

    connection located at the back of the router; by default, there's no password set.

    We can also connect to a Cisco router through an auxiliary port, which is really the same

    thing as a console port, so it follows that you can use it as one. But this auxiliary port also

    allows you to configure modem commands so that a modem can be connected to the router.

    This is a useful feature: it lets you dial up a remote router and attach to the auxiliary port if

    the router is down and you need to configure it out-of-band (which means, basically, out

    of the network). In-band means the opposite: configuring the router through the

    network. The third way to connect to a Cisco router is in-band, through the program

    Telnet.

    Telnet is a terminal emulation program that acts as though it's a dumb terminal. You can

    use Telnet to connect to any active interface on a router, like an Ethernet or serial port.


    2.8 GENERAL COMMANDS

    There are 3 different modes of operation within the Cisco IOS.

    1. Disabled mode

    2. Enabled mode

    3. Configuration mode

    In the Disabled mode you can use a limited number of commands. This is used primarily to

    monitor the router.

    The Enabled mode is used to show configuration information, enter the configuration mode,

    and make changes to the configuration.

    The Configuration mode is used to enter and update the runtime configuration.

    To get a list of the commands for the Cisco IOS, type '?' at the prompt. To get further information

    about any command, type the command followed by a '?'.

    clear       Reset functions
    clock       Manage the system clock
    configure   Enter configuration mode
    debug       Debugging functions (see also 'undebug')
    disable     Turn off privileged commands
    enable      Turn on privileged commands
    erase       Erase flash or configuration memory
    exit        Exit from the EXEC
    help        Description of the interactive help system
    login       Log in as a particular user
    logout      Exit from the EXEC
    no          Disable debugging functions
    ping        Send echo messages
    reload      Halt and perform a cold restart
    setup       Run the SETUP command facility
    show        Show running system information
    telnet      Open a telnet connection
    terminal    Set terminal line parameters
    test        Test subsystems, memory, and interfaces
    traceroute  Trace route to destination
    tunnel      Open a tunnel connection
    undebug     Disable debugging functions (see also 'debug')
    verify      Verify checksum of a Flash file
    write       Write running configuration to memory, network, or terminal

    show

    access-lists    List access lists
    arp             ARP table
    buffers         Buffer pool statistics
    configuration   Contents of Non-Volatile memory
    controllers     Interface controller status
    debugging       State of each debugging option
    dialer          Dialer parameters and statistics
    extended        Extended Interface Information
    flash           System Flash information
    flh-log         Flash Load Helper log buffer
    history         Display the session command history
    hosts           IP domain-name, lookup style, name servers, and host table
    interfaces      Interface status and configuration
    ip              IP information
    isdn            ISDN information
    line            TTY line information
    logging         Show the contents of logging buffers
    memory          Memory statistics
    privilege       Show current privilege level
    processes       Active process statistics
    protocols       Active network routing protocols
    queue           Show queue contents
    queueing        Show queueing configuration
    reload          Scheduled reload information
    route-map       route-map information
    running-config  Current operating configuration
    sessions        Information about Telnet connections
    smf             Software MAC filter
    stacks          Process stack utilization


    2.9 CONFIGURATION CORNER

    AUTNET#show running-config
    Building configuration...

    Current configuration : 1295 bytes
    !
    ! Last configuration change at 06:52:00 UTC Wed Mar 9 2011
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname AUTNET
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    no ipv6 cef
    ip source-route
    ip name-server 218.248.255.177
    ip name-server 218.248.240.180
    ip name-server 218.248.240.23
    multilink bundle-name authenticated
    license udi pid CISCO2911/K9 sn FHK1432F3WY
    !
    interface GigabitEthernet0/0
     ip address 117.211.86.58 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     ip address 10.34.130.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     ip address 117.211.123.193 255.255.255.224
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    ip nat pool auniverse 117.211.86.58 117.211.86.62 netmask 255.255.255.0
    ip nat inside source list 20 pool auniverse overload
    ip route 0.0.0.0 0.0.0.0 117.211.86.57
    !
    access-list 20 permit 10.34.130.0 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     password Admin123
     login
    !
    scheduler allocate 20000 1000
    end

    AUTNET# wr
    Building configuration...
    [OK]
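    The running-config above can be checked mechanically before it is saved. The Python script
    below is an added example written for this report (not a Cisco tool and not part of the
    project): it parses interface and line blocks out of a trimmed, embedded copy of the
    AUTNET configuration, flags management-plane settings a reviewer would question (clear-text
    password storage, `ip source-route`, a shared vty line password with no `transport input`
    restriction) and cross-checks the NAT pieces against each other: the access list used by
    `ip nat inside source` should name the subnet of the `ip nat inside` interface, and the
    pool's address range and netmask should agree with the `ip nat outside` interface. The
    `HARDENING` replacements are standard IOS commands assumed as the remediation, and the
    pool-mask finding is a consistency warning, not a vulnerability claim.

```python
import ipaddress
import re

# Constructed copy of the AUTNET running-config from section 2.9, trimmed to the lines the
# checks need; sub-commands are indented one space as IOS prints them.
RUNNING_CONFIG = """\
version 15.0
no service password-encryption
hostname AUTNET
ip source-route
interface GigabitEthernet0/0
 ip address 117.211.86.58 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.34.130.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 117.211.123.193 255.255.255.224
ip nat pool auniverse 117.211.86.58 117.211.86.62 netmask 255.255.255.0
ip nat inside source list 20 pool auniverse overload
ip route 0.0.0.0 0.0.0.0 117.211.86.57
access-list 20 permit 10.34.130.0 0.0.0.255
line vty 0 4
 password Admin123
 login
"""

# Weak text -> hardened replacement (assumed remediation using standard IOS commands).
HARDENING = {
    "no service password-encryption": "service password-encryption",
    "ip source-route": "no ip source-route",
    " password Admin123\n login": " login local\n transport input ssh",
}


def parse_config(text):
    """Group sub-commands under their interface/line block; keep global commands flat."""
    cfg = {"global": [], "interfaces": {}, "lines": {}}
    block = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface ") or line.startswith("line "):
            kind = "interfaces" if line.startswith("interface ") else "lines"
            block = cfg[kind].setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and block is not None:
            block.append(line.strip())
        else:
            block = None
            cfg["global"].append(line.strip())
    return cfg


def audit(text):
    """Return finding codes for management-plane weaknesses and NAT inconsistencies."""
    cfg = parse_config(text)
    g, findings = cfg["global"], []
    if "no service password-encryption" in g:
        findings.append("CLEARTEXT_PASSWORDS")         # line passwords readable in show run
    if "ip source-route" in g:
        findings.append("SOURCE_ROUTING_ENABLED")      # router honours source-route options
    for name, cmds in cfg["lines"].items():
        if not name.startswith("vty"):
            continue
        if any(c.startswith("password ") for c in cmds):
            findings.append("VTY_LINE_PASSWORD")       # shared line password, not per-user login
        if not any(c.startswith("transport input") for c in cmds):
            findings.append("VTY_NO_TRANSPORT_INPUT")  # remote access not pinned to SSH
    inside, outside = [], []
    for cmds in cfg["interfaces"].values():
        addr = next((c.split()[2:4] for c in cmds if c.startswith("ip address ")), None)
        if not addr:
            continue
        iface = ipaddress.ip_interface("/".join(addr))   # "a.b.c.d/netmask" form
        if "ip nat inside" in cmds:
            inside.append(iface)
        if "ip nat outside" in cmds:
            outside.append(iface)
    acls, pools = {}, {}
    for c in g:
        m = re.match(r"access-list (\d+) permit (\S+) (\S+)$", c)
        if m:   # wildcard mask is a hostmask, which ipaddress accepts directly
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$", c)
        if m:
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), m[4])
    for c in g:
        m = re.match(r"ip nat inside source list (\d+) pool (\S+)", c)
        if not m:
            continue
        inside_nets = {i.network for i in inside}
        for net in acls.get(m[1], []):                 # ACL should name the inside subnet(s)
            if net not in inside_nets:
                findings.append(f"ACL_{m[1]}_NOT_INSIDE_NET:{net}")
        start, end, mask = pools[m[2]]
        covering = [i for i in outside if start in i.network and end in i.network]
        if not covering:
            findings.append(f"POOL_{m[2]}_NOT_IN_OUTSIDE_SUBNET")
        for i in covering:
            if mask != str(i.netmask):                 # pool mask should agree with the interface
                findings.append(f"POOL_{m[2]}_MASK_MISMATCH:{mask}!={i.netmask}")
    return findings


def harden(text):
    """Apply the HARDENING replacements and return the corrected configuration text."""
    for weak, fixed in HARDENING.items():
        text = text.replace(weak, fixed)
    return text
```

    Run against the embedded copy, `audit` reports the four management-plane findings plus the
    pool netmask (255.255.255.0 declared on a pool carved from the /29 on GigabitEthernet0/0);
    after `harden`, only the pool-mask warning remains, and the ACL check stays silent because
    `access-list 20` matches the 10.34.130.0/24 network on the inside interface exactly.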


    CONCLUSION

    Many organizations have been reluctant to widely deploy the next generation Internet

    Protocol (IPv6) up to now. However, sooner or later IPv6 will replace IPv4 with a phase of

    coexistence of many years.

    Enterprises and service providers should carefully plan for the inevitable transition

    towards IPv6. They should develop IPv6 expertise so that they will be able to decide when

    to move to IPv6. Careful transition planning will reduce and distribute costs over many

    years.

    Multiple client devices can appear to share IP addresses because an IPv4 network

    address translator (NAT) acts as an intermediary agent on behalf of its customers, in which

    case the real originating IP addresses might be hidden from the server receiving a request.

    NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion.

    It has become a common, indispensable feature in routers for home and small-office Internet

    connections. Most systems using NAT do so in order to enable multiple hosts on a private

    network to access the Internet using a single public IP address.

    Most NAT devices today allow the network administrator to configure translation table

    entries for permanent use. NAT saves public IP addresses because a client only needs a public

    IP address when it is communicating with the Internet, so the pool of globally routable IP addresses

    can be shared with other clients. Therefore we need fewer public IP addresses than the actual

    number of internal clients.

    NAT is transparent to the client and therefore allows it to support a wider range of clients.

    Finally, NAT supports a wide range of services with a few exceptions.
