
Six Months Industrial Training Report

On

Network Address Translation (NAT)

At

HCL Infosystems Ltd.

Submitted in partial fulfillment of the requirements
for the award of the degree of
Bachelor of Technology

Submitted To:
Mr. Rakesh Khanna
ECE Deptt.

Submitted By:
Komalbir Singh
7070405482
ECE/8th sem

PREFACE

This project, “NAT (Network Address Translation)”, provides information for
the Internet community. When a client attempts to access a server in a data
center, it places its own IP address in the IP header of every packet it
sends to the server. A NAT device placed between the client and the server
can either preserve the client IP address or translate it to an address that
is routable in the server network, using either a pool of reserved dynamic
NAT addresses or a static NAT address mapping, and then pass the request on
to the server. This project does not specify an Internet standard of any
kind, and its distribution is unlimited.

Private addresses (RFC 1918) can be used on inside networks; they are not
routable on the Internet. NAT hides the local addresses from other networks,
so an outside observer does not directly learn the real address of a server
in the data center. This is address obscurity, not access control: a NAT
forwards anything for which it holds a mapping, and it does not replace a
firewall or ACLs. NAT also resolves IP routing problems such as overlapping
addresses when two interfaces are connected to overlapping subnets.

This document also defines basic terminology for describing different types
of NAT behaviour when handling unicast UDP, and a set of requirements (those
of RFC 4787) that allow many applications, such as multimedia communications
or online gaming, to work consistently. NATs developed to meet this set of
requirements are much more likely to let these applications function
properly.

ACKNOWLEDGEMENT

First and foremost I thank GGSCMT-KHARAR for allowing me to complete my
‘Project’ successfully. I express my sincere gratitude to Mr. Manjot Singh (my
project guide) and all those who initiated and helped me in the successful
completion of this project. Sincere thanks and profound gratitude to my guide Ms.
Anupama (Faculty, GGSCMT) for helping me in carrying out the project and for
much valuable and useful information while bringing out this project. I again
express my sincere gratitude to Mr. Rakesh Khanna, Head of Department (ECE),
and to my respected teachers of GGSCMT KHARAR for their kind consent,
expert guidance, valuable suggestions and affectionate encouragement.

I also express my gratitude towards all the people associated with the project for their
support, co-operation and cheerful readiness in reviewing this project. Last but not
least, I am very thankful to my parents, who are my source of inspiration in every
field of life.

Kom albir Singh

ECE (8th Sem)

INDEX

1. INTRODUCTION                                   PAGE NO.
   a. ABOUT COMPANY                               7-8
   b. ABOUT PROJECT                               9-11
   c. TEAM ROLE                                   11-12

2. PROJECT ANALYSIS                               13-14
   a. FEASIBILITY STUDY
      i. TECHNICAL FEASIBILITY
      ii. BEHAVIORAL / OPERATIONAL FEASIBILITY
      iii. ECONOMIC FEASIBILITY
   b. H/W & S/W SPECIFICATION
   c. REQUIREMENT ANALYSIS
      i. WORK FLOW DIAGRAM

3. DESIGN
   i. MODULE
   ii. IMPLEMENTATION AND MAINTENANCE

4. TESTING
   i. ALPHA TESTING
   ii. BETA TESTING

5. SNAPSHOTS

6. FUTURE SCOPE

7. CONCLUSION

8. BIBLIOGRAPHY

Introduction:-

This document explains how to configure Network Address Translation (NAT) on a
Cisco router for use in common network scenarios. The target audience of this
document is first-time NAT users.
Note: In this document, a reference to the Internet or to an Internet device
means a device on any external network.
Company’s Profile:-
HCL Enterprise Limited (formerly known as HCL Computers Limited) is one of
India's largest electronics, computing and information technology companies.
Based in Noida, near Delhi, the company comprises two publicly listed Indian
companies, HCL Technologies and HCL Infosystems.

HCL was founded in 1976 by Shiv Nadar, Arjun Malhotra, Subhash Arora, Ajai
Chowdhry, DS Puri and Yogesh Vaidya. For the first two decades of its existence
HCL focused on the IT hardware market in India, with some sporadic activity in
the global market. In 1981 HCL seeded a company addressing the computer training
industry, NIIT, though it has since divested its stake in that company. In 1991
HP took a minority stake (26%) in the company, which was known as HCL HP for the
five years of the joint venture. On termination of the joint venture in 1996,
HCL became an enterprise comprising HCL Technologies (addressing the global IT
services market) and HCL Infosystems (addressing the Indian and APAC IT hardware
market). HCL has since operated as a holding company.

HCL Infosystems Ltd., a listed subsidiary of HCL, is an India-based hardware and
systems integrator. It claims a presence in 170 locations and 300 service centres.
Its manufacturing facilities are based in Chennai, Pondicherry and Uttarakhand;
its headquarters is in Noida.

HCL Peripherals (a unit of HCL Infosystems Ltd.), founded in 1983, has
established itself as a leading manufacturer of computer peripherals in India,
encompassing display products, thin client solutions, information and interactive
kiosks and a wide range of networking products and solutions. HCL Peripherals
has two manufacturing facilities, one in Pondicherry (electronics) and the other in
Chennai (mechanical). The company has been accredited with ISO 9001:2000 and ISO
14001.

As the training arm of HCL Infosystems, HCL Career Development Centre (CDC)
carries forward a legacy spanning more than three decades. HCL CDC is an
initiative that enables individuals and organisations to benefit from HCL's deep
expertise in the IT space. Among the fastest growing IT education brands in
India, HCL CDC offers a complete spectrum of training programs on software,
hardware and networking, as well as global certifications in association with
leading IT organisations worldwide.

About Project:-

In today’s Internet the two main problems related to the IP protocol are the
shortage of IP addresses and scaling in routing. Long-term solutions to these
problems, such as IPv6, are being developed, but they will take time to be widely
adopted. Meanwhile, short-term solutions are proposed and used that delay the
problems for some time. One of these solutions is Network Address Translation
(NAT), the implementation of which is the subject of this project.

The principle of NAT is IP address reuse, which can be applied in small and
mid-range local networks. NAT relies on the fact that in these environments only
a very small percentage of hosts are communicating outside their local domain at
any given time. That is to say, almost all TCP/IP packets on the local network
are destined to hosts in this local network, so these hosts can have IP addresses
that are not globally unique. The NAT module placed at the border router of the
domain performs IP address translation inside IP datagrams passing through it in
both directions. When an IP datagram is sent from a local host to the Internet
with a local IP address that is not globally unique, the NAT module substitutes
a globally unique IP address taken from a pool and sends the datagram out. In
the reverse direction the reverse translation is performed.

The changes to a datagram involved in the translation are:

1. the source or destination IP address in the IP header;
2. the IP header checksum, because the header changed;
3. the TCP (or UDP) checksum, because it is computed over a pseudo-header that
   includes both IP addresses, so it changes even when no transport byte is
   touched;
4. every place in the data portion of TCP, UDP, ICMP and other packets where a
   source or destination IP address is carried.

It is impossible to do the right translation for every possible TCP/IP
application, since any protocol may carry addresses in its payload. Our
implementation of NAT therefore supports the general set of protocols and
applications, such as FTP, Telnet, HTTP, ICMP and others.
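The changes listed above, as an added worked example in Python (this is not code from the report or from the HCL project): a constructed IPv4/TCP packet from an inside host has its source address rewritten the way the NAT module does, after which the IP header checksum is recomputed and the TCP checksum is repaired both by full recomputation over the pseudo-header and by the incremental method of RFC 1624, which a NAT prefers since it need not read the payload. Addresses are illustrative (RFC 1918 inside, documentation ranges outside) and the packet contents are constructed for the example.

```python
"""NAT source-address rewrite with IP and TCP checksum repair.

Added example, not the report's code. The packet is constructed inline.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum."""
    return ~ones_complement_sum(data) & 0xFFFF


def ipv4_header_checksum(hdr: bytes) -> int:
    """Checksum of an IPv4 header with its own checksum field treated as zero."""
    return checksum(hdr[:10] + b"\x00\x00" + hdr[12:])


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, 0, proto 6, length) plus
    the segment with its checksum field zeroed; both addresses are part of it."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def incremental_update(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """RFC 1624, eq. 3: HC' = ~(~HC + ~m + m'). Repairs a checksum after some
    16-bit words changed, without touching the rest of the covered data."""
    total = ~old_csum & 0xFFFF
    total += ones_complement_sum(bytes(b ^ 0xFF for b in old_words))  # ~m
    total += ones_complement_sum(new_words)                           # m'
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP data packet (PSH,ACK) with valid checksums."""
    src_b, dst_b = ip_to_bytes(src), ip_to_bytes(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    return ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:] + tcp


def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """Outbound translation: replace the source address and fix both checksums.
    The caller records the (old source -> new source) binding for the reverse path."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, segment = packet[:ihl], packet[ihl:]
    if hdr[9] != 6:
        raise ValueError("example handles TCP only")
    old_src, dst = hdr[12:16], hdr[16:20]
    new_hdr = hdr[:12] + new_src + hdr[16:]
    new_hdr = new_hdr[:10] + struct.pack("!H", ipv4_header_checksum(new_hdr)) + new_hdr[12:]
    # No TCP byte changed, but the pseudo-header did: fix the TCP checksum incrementally
    # and confirm against a full recomputation (a real NAT would skip the latter).
    old_tcp = struct.unpack("!H", segment[16:18])[0]
    new_tcp = incremental_update(old_tcp, old_src, new_src)
    assert new_tcp == tcp_checksum(new_src, dst, segment)
    return new_hdr + segment[:16] + struct.pack("!H", new_tcp) + segment[18:]


def verify(packet: bytes) -> bool:
    """True when both checksums validate (sum over data incl. checksum is all ones)."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, segment = packet[:ihl], packet[ihl:]
    pseudo = hdr[12:16] + hdr[16:20] + struct.pack("!BBH", 0, hdr[9], len(segment))
    return checksum(hdr) == 0 and checksum(pseudo + segment) == 0


if __name__ == "__main__":
    inside = build_packet("192.168.1.10", "198.51.100.7", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    outside = nat_rewrite_source(inside, ip_to_bytes("203.0.113.5"))
    print("checksums valid before/after:", verify(inside), verify(outside))
```

The dependence on the pseudo-header is the point to take away: a translator that only fixed the IP header checksum would emit segments that every receiver silently discards, which is why a hand-rolled NAT often "works" for ping and fails for TCP.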

Types of NAT

NAT can be implemented using one of three methods:

Static NAT –
performs a static one-to-one translation between two addresses, or between a
port on one address and a port on another address. Static NAT is most often
used to assign a public address to a device behind a NAT-enabled
firewall/router. Because the mapping exists permanently, the inside host is
reachable from outside at all times, so the firewall policy, not the NAT, must
decide what may reach it.

Dynamic NAT –
utilizes a pool of global addresses to dynamically translate the outbound
traffic of clients behind a NAT-enabled device. Each inside host takes a whole
address from the pool while it has active sessions; when the pool is empty,
further hosts cannot be translated until a mapping times out.

NAT Overload or Port Address Translation (PAT) –
translates the outbound traffic of clients to unique port numbers on a single
global address. PAT is necessary when the number of internal clients exceeds
the available global addresses.

NAT Terminology
Specific terms are used to identify the various NAT addresses:

• Inside Local –
The IP address assigned to an inside host behind a NAT-enabled device (usually
a private address).

• Inside Global –
The address that identifies an inside host to the outside world (usually a
public address). Essentially, this is the dynamically or statically assigned
public address of a private host.

• Outside Global –
The address assigned to an outside host (usually a public address).

• Outside Local –
The address that identifies an outside host to the inside network. Often this
is the same address as the Outside Global. However, it is occasionally
necessary to translate an outside (usually public) address to an inside
(usually private) address.

Team role
• Teamwork is work performed by a team towards a common goal: a dynamic
process involving two or more people with complementary backgrounds and
skills, sharing common goals and exercising concerted physical and mental
effort in assessing, planning or evaluating the work.

• Workplace activities: Because teamwork is important to a productive and
healthy work environment, teamwork activities should be a part of the
workplace. Possible activities include job swapping, where workers swap jobs
with each other to develop empathy; it also requires workers to help each
other learn the jobs. Another idea is a team newsletter that provides the
latest information on the activities and accomplishments of the team members.

• Projects: Projects require that team members work together to achieve a
common goal. Projects can involve activities like putting puzzles together or
cleaning up or rebuilding a property. Projects typically involve assigning
each team member a specific task that he is responsible for completing, which
helps to develop trust within the team.

• As for the teamwork in my project, it has been a good exposure for me. The
project was assigned to me individually so that I could understand the core of
the project's technology. It has been a great learning experience under the
expertise of Manjot Singh (HCL Infosystems trainer), an expert in NAT, PAT,
routing, troubleshooting, etc. I managed to learn a lot under his teaching. It
was an amazing experience for me, which helped me enlarge my knowledge of the
project through team work. I was considered to be the designer and implementer
of the NAT technology.

Project Analysis

The main purpose of conducting system analysis is to study the various processes
and to find out their requirements. These may include ways of capturing or
processing data, producing information, controlling a business activity or
supporting management. The determination of requirements entails studying the
existing details to find out what these requirements are.

System analysis has been conducted with the following objectives in mind:

1. Identify the customers’ needs.
2. Evaluate the feasibility of the system concept.
3. Perform economic and technical analysis.
4. Allocate functions to hardware, software, people, database and other system
   elements.
5. Establish cost and schedule constraints.
6. Create a system definition that forms the foundation for all subsequent
   engineering work.

System analysis includes requirement analysis. Requirement analysis is the task
of discovery, refinement, modeling and specification. It allows the software
engineer to refine the software allocation and build models of the data,
functional and behavioral domains that will be treated by software.

The requirement specification provides the developer and the customer with the
means to assess quality once the software is built.

During the analysis phase of this project the following principles were
considered:

1. The information domain of a problem must be represented and understood.
2. The functions that the software is to perform must be defined.
3. The behavior of the software must be represented.
4. The models that depict information, function and behavior must be
   partitioned in a manner that uncovers detail in a layered fashion.

The analysis process should move from essential information towards
implementation detail.

Feasibility Study
It is a very important aspect of any project report. There is always a chance of
manual error, and there is a cost factor that depends on the size of the work.
Feasibility studies aim to objectively and rationally uncover the strengths and
weaknesses of the existing business or proposed venture, the opportunities and threats
presented by the environment, the resources required to carry it through, and
ultimately the prospects for success. In its simplest terms, the two criteria to judge
feasibility are the cost required and the value to be attained. As such, a well-designed
feasibility study should provide a historical background of the business or project, a
description of the product or service, accounting statements, details of the
operations and management, marketing research and policies, financial data, legal
requirements and tax obligations. Generally, feasibility studies precede technical
development and project implementation.

Technical Feasibility
In the preliminary investigation phase we examine the feasibility of the project.
We estimate the likelihood that the network we established will be useful to the
organization and determine whether the solution is viable or not. For this
purpose, the analyst clearly establishes the feasibility of each alternative, testing
for benefits, costs and other resources.

Behavioral / Operational Feasibility

For any network implemented and used by an organization, its behavioral nature
must be analyzed. For example, if an organization wants to give many systems
access to the Internet through a single Internet service provider connection, this
can be done with the help of NAT.
Operational feasibility is a measure of how well a proposed system solves the
problems and takes advantage of the opportunities identified during scope
definition, and how it satisfies the requirements identified in the requirements
analysis phase of system development.

Economic Feasibility

Economic analysis is the most frequently used method for evaluating the
effectiveness of a new system. More commonly known as cost/benefit analysis, the
procedure is to determine the benefits and savings that are expected from a
candidate system and compare them with the costs. If the benefits outweigh the costs, the
decision is made to design and implement the system. An entrepreneur must
accurately weigh the costs versus the benefits before taking an action.
Cost-based study: It is important to identify cost and benefit factors, which can be
categorized as 1. development costs and 2. operating costs. This is an
analysis of the costs to be incurred in the system and the benefits derivable from
the system.
Time-based study: This is an analysis of the time required to achieve a return on
investment. The future value of a project is also a factor.

S/W & H/W Requirement Specification

The information in this document is based on these software and hardware
versions:
• Cisco 2500 Series Routers
• Cisco IOS® Software Release 12.2(10b)
• Cisco Switches
• Cisco Hubs
• Wireless Device
• Copper Straight-Through Cable
• Copper Cross-Over Cable
• Fiber Optic Cable
• Coaxial Cable
• Serial DCE Cable
• Serial DTE Cable
• Windows XP
• Windows Server 2003
• Server & Client
The information in this document was created from the devices in a specific lab
environment. All of the devices used in this document started with a cleared
(default) configuration. If your network is live, make sure that you understand the
potential impact of any command. This document is not restricted to specific
software and hardware versions.

Requirements Analysis
1. Elicitation - determine the operational requirements
   (user needs and customer expectations).
2. Analysis - translate operational requirements into technical specifications.
3. Documentation - record the operational requirements and technical
   specifications.
4. Verification - check that specifications are complete, correct and consistent
   with needs and expectations.
5. Generate acceptance test scenarios.
6. Requirements management - control changes to requirements.

• Protocol Used

• Transmission Control Protocol

The outbound TCP translation mirrors the incoming translation thread: connection
establishment and termination are tracked through the SYN and FIN flags in the
same way. The special case is the FTP control connection, which we detect by
destination port 21 in the TCP header. Its data portion can carry the source IP
address in ASCII form (the PORT command), which must be translated as well as the
source IP in the IP header. The TCP checksum must then be adjusted, because it
covers the whole TCP segment including the data, and the IP total length field
must be fixed too, because the replaced address was in ASCII and the new one can
be shorter or longer. A change in length also shifts the TCP sequence space: every
later segment from the client must have its sequence number adjusted by the
cumulative difference and the server's acknowledgements adjusted back, or the
connection stalls.
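The PORT rewrite described above, as an added example in Python (not the report's code): it parses the command, rewrites the address and port to the inside global values, tracks the cumulative length change so that later sequence numbers and the server's acknowledgements can be corrected, and refuses to translate a PORT command that names any address other than the client itself. The session class, its method names and the sample commands are constructed for the example.

```python
"""FTP application-level gateway for the NAT module: rewrites the ASCII address
in an outbound PORT command and tracks the resulting TCP sequence offset.

Added example, not the report's code. Commands and addresses are constructed.
"""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2 : address and port as decimal bytes (RFC 959)
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd: bytes):
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port(ip: str, port: int) -> bytes:
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)).encode()


@dataclass
class FtpControlSession:
    """State kept per FTP control connection (destination port 21)."""
    local_ip: str
    global_ip: str
    seq_delta: int = 0                  # bytes added (+) / removed (-) so far by rewrites
    data_bindings: list = field(default_factory=list)  # (global_port, local_port) holes opened

    def rewrite_outbound(self, seq: int, payload: bytes, allocate_port):
        """Translate one client->server segment. Returns (new_seq, new_payload).
        allocate_port(local_port) -> global port reserved for the data connection."""
        new_seq = (seq + self.seq_delta) & 0xFFFFFFFF   # shift by earlier rewrites
        parsed = parse_port(payload)
        if parsed is None:
            return new_seq, payload
        addr, lport = parsed
        if addr != self.local_ip:
            # The client may only ask the server to connect back to itself. Translating
            # (and opening an inbound hole for) some other address would let an inside
            # host, or content it renders, make the NAT expose third parties.
            return new_seq, payload
        gport = allocate_port(lport)
        self.data_bindings.append((gport, lport))
        new_payload = format_port(self.global_ip, gport)
        self.seq_delta += len(new_payload) - len(payload)
        return new_seq, new_payload

    def rewrite_inbound_ack(self, ack: int) -> int:
        """Server acknowledgements count the rewritten stream; map them back."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


if __name__ == "__main__":
    s = FtpControlSession("10.0.0.2", "203.0.113.5")
    print(s.rewrite_outbound(1000, b"PORT 10,0,0,2,4,210\r\n", lambda lp: 50000))
```

The refusal matters: a NAT that opened an inbound hole for whatever address the PORT command names would let a malicious page or inside host expose other machines (the classic FTP-bounce and NAT-pinning abuse). After the rewrite the segment's IP total length and TCP checksum must be recomputed; a production ALG also keeps per-segment offsets so that retransmissions of the rewritten segment are adjusted correctly, which this example omits.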

If the SYN flag is set, a TCP connection is being established, so we trace the
TCP three-way handshake to be sure that the connection has been established and
then raise a flag in the translation table marking the entry as an active TCP
connection. If the FIN flag is set, a TCP connection is being terminated, so we
trace the TCP connection shutdown (a FIN from each side) to be sure that the
connection has been closed. Then we clear the flag, and the entry can be reclaimed
in case of global IP address shortage.

Each entry of the translation table holds the following fields:

• Local_IP - the local IP address of the local host.

• Global_IP - the globally unique IP address that is bound to the local IP while
this entry is in use.

• Conn Protocol - identifies which type of connection this host is using, TCP or
other. Used in the timeout detection algorithm (described below).

• Timestamp - also used in the timeout detection algorithm. This field is
updated each time the entry is used, i.e. whenever an IP packet is sent from or
to this IP address, so we can always find the entry with the longest idle
session.

• TCP_State - reflects the current state of the TCP connection, for use with the
timeout detection algorithm. Used to trace when the TCP connection is
completely established or shut down.
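The translation table just described, together with the three NAT types from the About Project section, as an added example in Python that is not the report's code: a NatTable that uses a static mapping first, then a dynamic pool, and falls back to PAT on a single overload address; each entry carries the Local_IP, Global_IP, Conn Protocol, Timestamp and TCP_State fields, TCP state advances on SYN, SYN-ACK, FIN (from both sides) and RST, and expire() removes closed and longest-idle entries and returns dynamic addresses to the pool. Inbound packets with no binding are dropped, which is the property that makes a NAT behave like a stateful filter. Addresses, class and method names and the idle timeouts are assumptions for this example.

```python
"""Translation table for the NAT gateway: static 1:1 mappings, a dynamic pool,
PAT (overload) on one address once the pool is empty, idle-time expiry on the
Timestamp field and TCP state tracking on SYN/FIN/RST.
Added example, not the report's code; addresses and timeouts are assumptions."""
import time
from dataclasses import dataclass, field

TCP, UDP = 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
IDLE = {"ESTABLISHED": 7440, "UDP": 120, "OTHER": 240}  # seconds (RFC 5382/4787 minimums)


@dataclass
class Entry:
    local: tuple             # (inside local ip, port)
    glob: tuple              # (inside global ip, port)
    proto: int               # Conn Protocol
    timestamp: float         # last use; longest-idle entries are reclaimed first
    tcp_state: str = "NONE"  # NONE -> SYN_SENT -> ESTABLISHED -> FIN_WAIT -> CLOSED
    fins: set = field(default_factory=set)

    def idle_limit(self) -> int:
        return IDLE["UDP"] if self.proto == UDP else IDLE["ESTABLISHED" if self.tcp_state == "ESTABLISHED" else "OTHER"]

    def advance(self, flags: int, side: str) -> None:
        """Move the TCP state on the flags of a packet sent by `side`."""
        if flags & RST:
            self.tcp_state = "CLOSED"
        elif flags & SYN and side == "inside" and self.tcp_state == "NONE":
            self.tcp_state = "SYN_SENT"
        elif flags & SYN and side == "outside" and self.tcp_state == "SYN_SENT":
            self.tcp_state = "ESTABLISHED"      # SYN-ACK seen: handshake complete
        elif flags & FIN and self.tcp_state in ("ESTABLISHED", "FIN_WAIT"):
            self.fins.add(side)                 # closed only after a FIN from both sides
            self.tcp_state = "CLOSED" if len(self.fins) == 2 else "FIN_WAIT"


class NatTable:
    def __init__(self, static, pool, overload_ip, clock=time.monotonic):
        self.addr = dict(static)      # local ip -> global ip (static, plus dynamic while in use)
        self.static = set(static)
        self.pool = list(pool)        # free dynamic global addresses
        self.overload_ip = overload_ip
        self.clock = clock
        self.by_local, self.by_global = {}, {}
        self.next_port = 1024

    def _free_port(self, proto):
        for _ in range(65535 - 1023):
            p = self.next_port
            self.next_port = p + 1 if p < 65535 else 1024
            if (proto, self.overload_ip, p) not in self.by_global:
                return p
        raise RuntimeError("no free port on %s" % self.overload_ip)

    def _global_for(self, ip, port, proto):
        if ip not in self.addr:
            if not self.pool:
                self.expire()                       # reclaim idle/closed bindings first
            if self.pool:
                self.addr[ip] = self.pool.pop(0)    # dynamic NAT: one address per host
        if ip in self.addr:
            return (self.addr[ip], port)            # static/dynamic keep the port
        return (self.overload_ip, self._free_port(proto))   # PAT: unique port instead

    def outbound(self, local_ip, local_port, proto, tcp_flags=0):
        """Packet leaving the inside network: find or create its binding."""
        key = (proto, local_ip, local_port)
        e = self.by_local.get(key)
        if e is None:
            glob = self._global_for(local_ip, local_port, proto)
            e = Entry((local_ip, local_port), glob, proto, self.clock())
            self.by_local[key] = self.by_global[(proto,) + glob] = e
        e.timestamp = self.clock()
        if proto == TCP:
            e.advance(tcp_flags, "inside")
        return e.glob

    def inbound(self, global_ip, global_port, proto, tcp_flags=0):
        """Packet from outside: translated only through an existing binding; else None."""
        e = self.by_global.get((proto, global_ip, global_port))
        if e is None:
            return None
        e.timestamp = self.clock()
        if proto == TCP:
            e.advance(tcp_flags, "outside")
        return e.local

    def expire(self):
        """Drop CLOSED and over-idle entries; return unused dynamic addresses to the pool."""
        now = self.clock()
        dead = [e for e in self.by_local.values()
                if e.tcp_state == "CLOSED" or now - e.timestamp > e.idle_limit()]
        for e in dead:
            del self.by_local[(e.proto,) + e.local]
            del self.by_global[(e.proto,) + e.glob]
        in_use = {e.local[0] for e in self.by_local.values()}
        for ip in [i for i in self.addr if i not in self.static and i not in in_use]:
            self.pool.append(self.addr.pop(ip))
        return len(dead)
```

The dropped-unsolicited behaviour only holds while the binding table stays sound: an entry that never expires (for example a TCP session whose FIN the NAT missed) keeps a port open indefinitely, which is why the transitory timeout for half-open connections is kept much shorter than the established one.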

ICMP

When an ICMP error message arrives, besides the regular NAT translation of the
IP header we also need to change the ICMP data field, because it contains the
IP header plus the first 8 bytes of data of the original IP datagram that
caused the error. The IP address in that embedded header must be fixed (it is
the address we translated: the source of an outbound datagram when the error
comes back in, the destination of an inbound datagram when an inside host
reports an error), and the embedded header's checksum and the ICMP checksum
must be repaired as well. The remaining protocols need no changes to their
headers or data for address-only NAT; with PAT, ICMP query messages (echo
request/reply) must additionally have their identifier field mapped, since they
carry no port to multiplex on.
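The ICMP error case, as an added Python example (not the report's code): a constructed port-unreachable message coming back from an outside server quotes the translated datagram, so the translator rewrites the outer destination and the embedded source, checks that the two agree, and repairs the three checksums. The packet-layout helpers and addresses are constructed for the example; it is written for address-only NAT, and a PAT would additionally look up the binding by the source port in the quoted transport header and rewrite that port.

```python
"""Translating an inbound ICMP error for the NAT gateway: the outer destination
and the source inside the quoted IP header are both the inside global address,
so both become the inside local address, and the quoted header checksum, the
ICMP checksum and the outer header checksum are repaired.

Added example, not the report's code. All packets are constructed inline.
"""
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(data: bytes, offset: int) -> bytes:
    """Return `data` with the 16-bit checksum field at `offset` recomputed."""
    zeroed = data[:offset] + b"\x00\x00" + data[offset + 2:]
    return zeroed[:offset] + struct.pack("!H", checksum(zeroed)) + zeroed[offset + 2:]


def ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return with_checksum(hdr, 10)


def icmp_port_unreachable(reporter: bytes, offending: bytes) -> bytes:
    """What a server sends back for an unreachable port: type 3 code 3, quoting
    the offending datagram's IP header plus its first 8 bytes of payload."""
    icmp = with_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28], 2)
    return ipv4_header(reporter, offending[12:16], 1, len(icmp)) + icmp


def translate_inbound_icmp_error(packet: bytes, bindings: dict):
    """bindings: {inside global ip (bytes): inside local ip (bytes)} for basic
    (address-only) NAT. Returns the rewritten packet, or None to drop it."""
    ihl = (packet[0] & 0x0F) * 4
    outer, icmp = packet[:ihl], packet[ihl:]
    if outer[9] != 1 or icmp[0] not in ICMP_ERROR_TYPES or len(icmp) < 28:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    glob = outer[16:20]
    # The quoted datagram must have been sent *from* the global address this
    # error is addressed to; otherwise the error is bogus or unrelated.
    if glob not in bindings or inner[12:16] != glob:
        return None
    local = bindings[glob]
    inner_hdr = with_checksum(inner[:12] + local + inner[16:inner_ihl], 10)
    new_icmp = with_checksum(icmp[:8] + inner_hdr + inner[inner_ihl:], 2)
    new_outer = with_checksum(outer[:16] + local + outer[20:], 10)
    return new_outer + new_icmp


def verify(packet: bytes) -> bool:
    """All three checksums validate (sum over data incl. its checksum is all ones)."""
    ihl = (packet[0] & 0x0F) * 4
    outer, icmp = packet[:ihl], packet[ihl:]
    inner_ihl = (icmp[8] & 0x0F) * 4
    return checksum(outer) == 0 and checksum(icmp) == 0 and checksum(icmp[8:8 + inner_ihl]) == 0


if __name__ == "__main__":
    local, glob, server = ip("10.0.0.7"), ip("203.0.113.5"), ip("198.51.100.9")
    # the already-translated UDP probe (global source) exactly as the server saw it
    probe = ipv4_header(glob, server, 17, 8) + struct.pack("!HHHH", 40000, 53, 8, 0)
    err = icmp_port_unreachable(server, probe)
    print(translate_inbound_icmp_error(err, {glob: local}) is not None)
```

The agreement check (embedded source must equal the outer destination and have a binding) is what keeps a forged ICMP error from being delivered inside, and it costs one comparison, so every translator should do it.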

Work Flow Diagram

DESIGN

System Design

Modules

The project consists of four main modules:

1. The NAT gateway module
2. The packet monitor module
3. The MAC level API
4. The IP level API

Modules interaction:

The NAT gateway

The NAT module, which sits between the local network and the router as described
in the introduction, is built mainly from four threads, in two pairs. Each pair
does a similar task but in opposite directions.
The threads are:
Listhen_Local_thread,
Listhen_Global_thread,
Translate_To_Local_thread,
The threads cooperate through common data structures, which are:
Ip_translation_Table,
Local_Ip_Packet_Buff,
Global_Ip_Packet_Buff.
In addition, each thread communicates with the appropriate network through the IP
API.

NAT gateway modules interaction:

The packet monitor

The packet monitor is implemented as a stand-alone Windows application. It can
be used on any Windows NT machine that has the PACKET32.DLL device driver
installed (this driver is needed to access a NIC directly). The monitor is capable of
displaying and filtering packets at the MAC, IP and upper layers. Monitor results
can be saved to a disk file for printing, studying TCP/IP protocols and debugging
network problems.

The blocks are:

Receiver - A thread looping indefinitely that receives all packets passing through
the chosen NIC. It listens on the NIC in promiscuous mode, and thus gets all
the packets that pass on the wire, not only those destined to that NIC or broadcast.
Whenever a packet arrives, it puts it in the frame buffer and notifies the Filter and
Display module that there is a packet to process. This takes very little time, and it
continues to listen for the next packet, so the chance of losing packets because of
processing is small and depends on the size of the frame buffer.

Frame buffer - Implemented as a circular queue. Its size is user configurable. The
elements of the queue are buffers of 1514 bytes each, the maximum size of an
Ethernet frame (1500 bytes of data plus a 14-byte header).

Filter and Display - Decodes the frame received from the frame buffer. Decoding
is performed from the bottom up, i.e. MAC data type, then IP protocol type (TCP,
UDP or ICMP), then TCP/UDP port, etc. It discards packets that do not match the
current filtering mode. Filtering can be performed by:
1. Packet type: All, IP, ICMP, ARP/RARP, TCP and UDP
2. Source address: MAC/IP
3. Destination address: MAC/IP

Monitor Main Window and Control - The monitor is a menu-driven Windows
application, so it has a main window procedure that processes all messages sent
to it. That includes messages from the menu (i.e. the user) and from inner tasks
(Receiver thread, Display module). It also controls the whole monitoring process,
i.e. starts/stops monitoring and saves results to disk.

The MAC level API

A set of data structures and functions enabling access to Ethernet frames. Direct
access to packets is achieved through the device driver PACKET32.DLL (it is
given, and not a part of our project).
Data structures needed include:
ETHERADR - Ethernet 6-byte address;
ETHERHDR - Ethernet header (old format, RFC 894);
ETHER802HDR - Ethernet header (IEEE 802.3 format, RFC 1042);

A set of constants related to these structures is also defined, such as the maximum
frame size and the encapsulated protocol types.
All low-level functions of the MAC level are already provided by the device driver
PACKET32.DLL, such as PacketReceivePacket(), PacketSendPacket() and so on, so we
only need to implement some miscellaneous functions that are useful in the Packet
Monitor.

The IP level API

A set of data structures and functions for working with IP datagrams. It uses the
MAC level API to receive and send IP datagrams. Data structures needed include:
IPADR - IP address;
IPHDR - IP header;

A set of constants related to these structures is also defined, such as the
encapsulated protocol type.
Functions needed:

IPGetPacket(LPADAPTER lpadp, BYTE *buf) - Listen for the next incoming IP
datagram;

IPSendPacket(LPADAPTER lpadp, BYTE *buf) - Send an IP datagram;

char *IPAddrToStr(PIPADR p, char *str) - Convert an IP address to a string;

Implementation and Maintenance

VLAN
It is about time for some actual examples to make this clear. This example
shows how to configure four things:

1. How to configure a port connected to an IP phone to use the CoS value for
classifying incoming traffic
2. How to configure the port to use IEEE 802.1p priority tagging for voice traffic
3. How to configure it to use the voice VLAN (10) to carry all voice traffic
4. And last, how to configure VLAN 3 to carry PC data

Configuring Inter-VLAN Routing

ISR#config t
ISR(config)#int f0/0.1
ISR(config-subif)#encapsulation ?
  dot1Q IEEE 802.1Q Virtual LAN
ISR(config-subif)#

Notice that my 2811 router (named ISR) only supports 802.1Q. We’d need an
older-model router to run the ISL encapsulation, but why bother?
The subinterface number is only locally significant, so it doesn’t matter which
subinterface numbers are configured on the router. Most of the time, I’ll
configure a subinterface with the same number as the VLAN I want to route. It’s
easy to remember that way, since the subinterface number is used only for
administrative purposes.
It’s really important that you understand that each VLAN is a separate subnet.
True, I know—they don’t have to be. But it really is a good idea to configure
your VLANs as separate subnets, so just do that. Now, I need to make sure you’re
fully prepared to configure inter-VLAN routing, as well as determine the port IP
addresses of hosts connected in a switched VLAN environment. And as always, it’s
also a good idea to be able to fix any problems that may arise. To set you up for
success, let me give you a few examples.

By this point in the book, you should be able to determine the IP address, masks,
and default gateways of each of the hosts in the VLANs. The next step after that is
to figure out which subnets are being used. By looking at the router configuration in
the figure, you can see that we’re using 192.168.1.64/26 with VLAN 1 and
192.168.1.128/27 with VLAN 10. And by looking at the switch configuration, you
can see that ports 2 and 3 are in VLAN 1 and port 4 is in VLAN 10. This means
that HostA and HostB are in VLAN 1 and HostC is in VLAN 10.

Here’s what the hosts’ IP addresses should be:

HostA: 192.168.1.66, 255.255.255.192, default gateway 192.168.1.65

HostB: 192.168.1.67, 255.255.255.192, default gateway 192.168.1.65

HostC: 192.168.1.130, 255.255.255.224, default gateway 192.168.1.129

The hosts could be any address in the range—I just chose the first available IP
address after the default gateway address. That wasn’t so hard, was it?

Inter-VLAN example 2

[Figure: a 2960 switch trunked on Fa0/1 to the router's Fa0/0, which also leads
to the Internet; HostA-HostF are attached on Fa0/2-Fa0/6 in VLANs 1, 2 and 3 as
in the switch configuration below.]
The configuration of the switch would look something like this:
2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/5
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/6
2960(config-if)#switchport access vlan 2

Before we configure the router, we need to design our logical network:

VLAN 1: 192.168.10.16/28
VLAN 2: 192.168.10.32/28
VLAN 3: 192.168.10.48/28
The configuration of the router would then look like this:
ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240

The hosts in each VLAN would be assigned an address from their subnet range, and
the default gateway would be the IP address assigned to the router’s subinterface in
that VLAN.
Now, let’s take a look at another figure and see if you can determine the switch and
router configurations without looking at the answer—no cheating! Figure 9.11
shows a router connected to a 2960 switch with two VLANs. One host in each
VLAN is assigned an IP address.
What are your router and switch configurations based on these IP addresses?
Since the hosts don’t list a subnet mask, you have to look at the number of hosts
used in each VLAN to figure out the block size. VLAN 1 has 85 hosts and VLAN 2
has 115 hosts. Each of these will fit in a block size of 128, which is a /25 mask, or
255.255.255.128.

Inter-VLAN example 3

[Figure 9.11: F0/1 is the trunk to the router; VLAN 1 (85 hosts) with HostA
172.16.10.126 on F0/2; VLAN 2 (115 hosts) with HostB 172.16.10.129 on F0/3.]

You should know by now that the subnets are 0 and 128; the 0 subnet (VLAN 1)
has a host range of 1–126, and the 128 subnet (VLAN 2) has a range of 129–254.
You can almost be fooled, since HostA has an IP address of 126, which makes it
almost seem that HostA and HostB are in the same subnet. But they’re not, and you’re
way too smart by now to be fooled by this one!
Here is the switch configuration:
2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 2
Here is the router configuration:
ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128

I used the first address in the host range for VLAN 1 and the last address in the
range for VLAN 2, but any address in the range would work. You just have to
configure the host’s default gateway to whatever you make the router’s address.
Now, before we go on to the next example, I need to make sure you know how to
set the IP address on the switch. Since VLAN 1 is typically the administrative
VLAN, we’ll use an IP address from that pool of addresses. Here’s how to set the
IP address of the switch (I’m not nagging, but you really should already know
this!):

2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 172.16.10.2 255.255.255.128
2960(config-if)#no shutdown
Yes, you have to do a no shutdown on the VLAN interface. One more example, and
then we’ll move on to VTP—another important subject that you definitely don’t
want to miss! In Figure 9.12 there are two VLANs. By looking at the router
configuration, what’s the IP address, mask, and default gateway of HostA? Use the
last IP address in the range for HostA’s address:

Inter-VLAN example 4

[Figure 9.12: HostA on F0/2 in VLAN 1 and HostB on F0/3 in VLAN 2, with F0/1 as
the trunk to the router; the address 192.168.10.17 also appears in the figure.]

Router#config t
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 192.168.10.129 255.255.255.240
Router(config-subif)#int f0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.10.46 255.255.255.240

If you really look carefully at the router configuration (the hostname in this figure is
just Router), there is a simple and quick answer. Both subnets are using a /28, or
255.255.255.240 mask, which is a block size of 16. The router’s address for VLAN
1 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN 1 is
143 and the valid host range is 129–142.

So the host address would be this:

IP Address: 192.168.10.142
Mask: 255.255.255.240
Default Gateway: 192.168.10.129
Configuring VTP
All Cisco switches are configured to be VTP servers by default. To configure VTP,
first you have to configure the domain name you want to use. And of course, once
you configure the VTP information on a switch, you need to verify it.

VTP

When you create the VTP domain, you have a bunch of options, including setting
the domain name, password, operating mode, and pruning capabilities of the
switch. Use the vtp global con- figuration mode command to set all this
information. In the following example, I’ll set the S1 switch to vtp server, the VTP
domain to Lammle, and the VTP password to todd:
By default, only hosts that are members of the same VLAN can communicate. To
change this and allow inter-VLAN communication, you need a router or a layer 3
switch. I’m going to start with the router approach.
To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface
is divided into logical interfaces—one for each VLAN. These are called sub
interfaces. From a Fast Ethernet or Gigabit interface, you can set the interface to
trunk with the encapsulation command:

Configuring VTP

S1#config t
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S1(config)#vtp password todd
Setting device VLAN database password to todd
S1(config)#do show vtp password
VTP Password: todd
S1(config)#do show vtp status

VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x15 0x54 0x88 0xF2 0x50 0xD9 0x03 0x07

Configuration last modified by 192.168.24.6 at 3-14-93 15:47:32


Local updater ID is 192.168.24.6 on interface Vl1 (lowest numbered VLAN
interface found)
Please make sure you remember that all switches are set to VTP server mode by
default, and if you want to change any VLAN information on a switch, you
absolutely must be in VTP server mode. After you configure the VTP information,
you can verify it with the show vtp command as shown in the preceding output. The
preceding switch output shows the VTP domain, the VTP password, and the
switch’s mode.
Before we move onward to configuring the Core and the S2 switch with VTP information, take a minute to reflect on the fact that the show vtp status output shows that the maximum number of VLANs supported locally is only 255. Since you can create over 1,000 VLANs on a switch, this seems like it would definitely be a problem if you have more than 255 switches and you’re using VTP. And, well, yes, it is a problem—if you are trying to configure the 256th VLAN on a switch, you’ll get a nice little error message stating that there are not enough hardware resources available, and then it will shut down the VLAN and the 256th VLAN will show up in suspended state in the output of the show vlan command. Not so good!
Let’s go to the Core and S2 switches and set them into the Lammle VTP domain. It is very important to remember that the VTP domain name is case sensitive! VTP is not forgiving—one teeny small mistake and it just won’t work.

Core#config t
Core(config)#vtp mode client
Setting device to VTP CLIENT mode.
Core(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
Core(config)#vtp password todd
Setting device VLAN database password to todd
Core(config)#do show vtp status


VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2A 0x6B 0x22 0x17 0x04 0x4F 0xB8 0xC2

Configuration last modified by 192.168.10.19 at 3-1-93 03:13:16


Local updater ID is 192.168.24.7 on interface Vl1 (first interface found)
S2#config t
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S2(config)#vtp password todd
Setting device VLAN database password to todd
S2(config)#do show vtp status

VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x02 0x11 0x18 0x4B 0x36 0xC5 0xF4 0x1F
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Let’s take a look using the show vlan brief command on the Core and S2 switch:

Core#sh vlan brief
VLAN Name        Status    Ports
---- ----------- --------- ---------------------------------
1    default     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/9, Fa0/10,
                           Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15,
                           Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                           Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    Sales       active
3    Marketing   active
4    Accounting  active

S2#sh vlan bri
VLAN Name        Status    Ports
---- ----------- --------- ---------------------------------
1    default     active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8
2    Sales       active
3    Marketing   active
4    Accounting  active

Troubleshooting VTP

You connect your switches with crossover cables, the lights go green on both ends,
and you’re up and running! Yeah—in a perfect world, right? Don’t you wish it was
that easy? Well, actually, it pretty much is—without VLANs, of course. But if
you’re using VLANs—and you definitely should be—then you need to use VTP if
you have multiple VLANs configured in your switched network.
But here there be monsters: If VTP is not configured correctly, it (surprise!) will not
work, so you absolutely must be capable of troubleshooting VTP. Let’s take a look
at a couple of configurations and solve the problems. Study the output from the two
following switches:

SwitchA#
sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SwitchB#
sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

So what’s happening with these two switches? Why won’t they share VLAN
information?
At first glance, it seems that both servers are in VTP server mode, but that’s not the
problem. Servers in VTP server mode will share VLAN information using VTP.
The problem is that they’re in two different VTP domains. SwitchA is in VTP
domain RouterSim and SwitchB is in VTP domain GlobalNet. They will never
share VTP information because the VTP domain names are configured differently.
Now that you know how to look for common VTP domain configuration errors in
your switches, let’s take a look at another switch configuration:

SwitchC#
sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : Todd
VTP Pruning Mode : Disabled
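The two troubleshooting cases above come down to reading a handful of fields out of show vtp status and comparing them across switches, which is easy to script. The following Python is an added example (not code from the book, the report, or Cisco): it parses constructed copies of the SwitchA, SwitchB and SwitchC output and reports the domain mismatch, flags a domain that differs from the expected one only in letter case (VTP is case sensitive), warns when no switch in the set is a server (so VLAN changes are impossible), and notes a switch at its local VLAN limit.

```python
# Constructed "show vtp status" excerpts, modelled on the SwitchA/B/C output above.
SWITCH_OUTPUTS = {
    "SwitchA": """
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
""",
    "SwitchB": """
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
""",
    "SwitchC": """
VTP Version : 2
Configuration Revision:1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : Todd
""",
}


def parse_vtp_status(text):
    """Pull the fields that matter for troubleshooting out of show vtp status."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # tolerates "Revision:1" and "Revision : 1"
        fields[key.strip()] = value.strip()
    return {
        "domain": fields.get("VTP Domain Name", ""),
        "mode": fields.get("VTP Operating Mode", ""),
        "revision": int(fields.get("Configuration Revision", "0")),
        "max_vlans": int(fields.get("Maximum VLANs supported locally", "0")),
        "vlans": int(fields.get("Number of existing VLANs", "0")),
    }


def check_vtp_domain(outputs, expected_domain=None):
    """Return a list of findings for a set of {switch_name: show-vtp-status text}.
    Domain comparison is exact (case-sensitive), as VTP itself behaves."""
    parsed = {name: parse_vtp_status(text) for name, text in outputs.items()}
    findings = []
    domains = {p["domain"] for p in parsed.values()}
    if len(domains) > 1:
        findings.append("domain mismatch: " + ", ".join(
            f"{n}={p['domain']}" for n, p in sorted(parsed.items())))
    if expected_domain is not None:
        for name, p in sorted(parsed.items()):
            if p["domain"] == expected_domain:
                continue
            if p["domain"].lower() == expected_domain.lower():
                findings.append(f"{name}: domain '{p['domain']}' differs only in case from "
                                f"'{expected_domain}' (VTP is case sensitive)")
            else:
                findings.append(f"{name}: domain '{p['domain']}' is not '{expected_domain}'")
    if parsed and all(p["mode"] == "Client" for p in parsed.values()):
        findings.append("no VTP server in domain: VLAN changes cannot be made")
    for name, p in sorted(parsed.items()):
        if p["vlans"] >= p["max_vlans"]:
            findings.append(f"{name}: at the local VLAN limit ({p['vlans']}/{p['max_vlans']})")
    return findings


if __name__ == "__main__":
    for finding in check_vtp_domain(SWITCH_OUTPUTS, expected_domain="RouterSim"):
        print(finding)
```

Run against SwitchA and SwitchB alone, the only finding is the RouterSim/GlobalNet mismatch, which is exactly the diagnosis given in the text.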

Configuring Static NAT

The first step to configure Static NAT is to identify the inside (usually private) and outside (usually public) interfaces:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config-if)# int s0/0
Router(config-if)# ip nat outside

To statically map a public address to a private address, the syntax is as follows:

Router(config)#
ip nat inside source static 172.16.1.1 158.80.1.40
This command performs a static translation of the source address 172.16.1.1 (located on the inside of the network) to the outside address 158.80.1.40.

Configuring Dynamic NAT

When configuring Dynamic NAT, the inside and outside interfaces must first be identified:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config-if)# int s0/0
Router(config-if)# ip nat outside

Next, a pool of global addresses must be specified. Inside hosts will dynamically choose the next available address in this pool when communicating outside the local network:

Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0

The above command specifies that the pool named POOLNAME contains a range of public addresses from 158.80.1.1 through 158.80.1.50.

Finally, a list of private addresses that are allowed to be dynamically translated must be specified:

Router(config)# ip nat inside source list 10 pool POOLNAME
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

The first command states that any inside host with a source that matches access-list 10 can be translated to any address in the pool named POOLNAME. The access-list specifies any host on the 172.16.1.0 network.

Configuring NAT Overload (or PAT)

Recall that NAT Overload (or PAT) is necessary when the number of internal clients exceeds the available global addresses. Each internal host is translated to a unique port number off of a single global address.

Configuring NAT overload is relatively simple:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config-if)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface Serial0/0 overload
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

Any inside host with a source that matches access-list 10 will be translated with overload to the IP address configured on the Serial0/0 interface.

To clear all dynamic NAT entries from the translation table:


Quick Start Steps for Configuring and Deploying NAT
When you configure NAT, it is sometimes difficult to know where to begin,
especially if you are new to NAT. These steps guide you to define what you want
NAT to do and how to configure it:
1. Define NAT inside and outside interfaces.
○ Do users exist off multiple interfaces?
○ Are there multiple interfaces going to the internet?
2. Define what you're trying to accomplish with NAT.
○ Are you trying to allow internal users to access the internet?
○ Are you trying to allow the internet to access internal devices (such as
a mail server or web server)?
○ Are you trying to redirect TCP traffic to another TCP port or address?
○ Are you using NAT during a network transition (for example, you
changed a server's IP address and until you can update all the clients
you want the non-updated clients to be able to access the server using
the original IP address as well as allow the updated clients to access
the server using the new address)?
○ Are you using NAT to allow overlapping networks to communicate?
3. Configure NAT in order to accomplish what you defined above. Based on
what you defined in step 2, you need to determine which of the following
features to use:
○ Static NAT
○ Dynamic NAT
○ Overloading
○ Any combination of the above
4. Verify the NAT operation.
Each of the following NAT examples guides you through steps 1 through 3 of the
Quick Start Steps above. These examples describe some common scenarios in
which Cisco recommends you deploy NAT.
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define NAT inside and outside interfaces.
You may find it easiest to define your internal network as inside, and the external
network as outside. However, the terms internal and external are subject to
arbitration as well. The figure below shows an example of this.

Example: Allowing Internal Users to Access the Internet
You may want to allow internal users to access the internet, but you may not have
enough valid addresses to accommodate everyone. If all communication with
devices in the internet will originate from the internal devices, you need a single
valid address or a pool of valid addresses.
The figure below shows a simple network diagram with the router interfaces
defined as inside and outside:

In this example, we want NAT to allow certain devices (the first 31 from each
subnet) on the inside to originate communication with devices on the outside by
translating their invalid address to a valid address or pool of addresses. The pool
has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.
Now you are ready to configure NAT. In order to accomplish what is defined
above, use dynamic NAT. With dynamic NAT, the translation table in the router is
initially empty and gets populated once traffic that needs to be translated passes
through the router. (As opposed to static NAT, where a translation is statically
configured and is placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each of the inside devices to a
unique valid address, or to translate each of the inside devices to the same valid
address. This second method is known as overloading. An example of how to
configure each method is given below.

Configuring NAT to Allow Internal Users to Access the Internet

NAT Router

interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside

!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!

!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.

ip nat inside source list 7 pool no-overload
!
!

!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool "no-overload".

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31

!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note: Cisco highly recommends that you do not configure access lists referenced
by NAT commands with permit any. Using permit any can result in NAT
consuming too many router resources which can cause network problems.
Notice in the above configuration that only the first 32 addresses from subnet
10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by
access-list 7. Therefore, only these source addresses are translated. There may be
other devices with other addresses on the inside network, but these won't be
translated.
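The note about permit any and the remark that only the addresses matched by access-list 7 are translated are the kind of thing worth checking mechanically before a configuration goes live. The following Python is an added example, not Cisco's code or part of this report: a small lint for IOS-style NAT configuration that parses a constructed copy of the "no-overload" configuration above (with two extra, deliberately faulty lines added: a NAT rule pointing at an undefined pool and an access list with permit any) and reports missing inside/outside interfaces, NAT rules that reference undefined access lists or pools, access lists containing permit any, and pools that are smaller than the number of hosts the access list admits when overload is not used.

```python
import ipaddress

# Constructed configuration modelled on the "no-overload" example above.
# The "list 8" rule and access-list 8 are added faults so the check has
# something to report; they are not part of the original configuration.
SAMPLE_CONFIG = """
interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
ip nat inside source list 7 pool no-overload
ip nat inside source list 8 pool missing-pool overload
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
access-list 8 permit any
"""


def parse_nat_config(text):
    """Collect NAT-relevant statements: interface roles, pools, rules, ACLs."""
    cfg = {"inside": [], "outside": [], "pools": {}, "rules": [], "acls": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "interface":
            current = " ".join(parts[1:])
        elif parts[:2] == ["ip", "nat"] and len(parts) == 3 and current:
            cfg[parts[2]].append(current)            # "ip nat inside" / "ip nat outside"
        elif parts[:3] == ["ip", "nat", "pool"]:
            start = int(ipaddress.IPv4Address(parts[4]))
            end = int(ipaddress.IPv4Address(parts[5]))
            cfg["pools"][parts[3]] = end - start + 1   # number of global addresses
        elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["rules"].append({
                "acl": parts[5],
                "pool": parts[7] if parts[6] == "pool" else None,
                "interface": parts[7] if parts[6] == "interface" else None,
                "overload": parts[-1] == "overload",
            })
        elif parts[0] == "access-list":
            cfg["acls"].setdefault(parts[1], []).append(parts[2:])
    return cfg


def acl_host_count(entries):
    """Number of source addresses a standard ACL permits; None if it permits any."""
    total = 0
    for entry in entries:
        if entry[0] != "permit":
            continue
        if entry[1] == "any":
            return None
        if entry[1] == "host":
            total += 1
            continue
        wildcard = int(ipaddress.IPv4Address(entry[2])) if len(entry) > 2 else 0
        total += wildcard + 1
    return total


def lint_nat_config(text):
    cfg = parse_nat_config(text)
    findings = []
    if not cfg["inside"]:
        findings.append("no interface marked 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("no interface marked 'ip nat outside'")
    for rule in cfg["rules"]:
        acl = rule["acl"]
        entries = cfg["acls"].get(acl)
        if entries is None:
            findings.append(f"access-list {acl} referenced by NAT but not defined")
            continue
        hosts = acl_host_count(entries)
        if hosts is None:
            findings.append(f"access-list {acl} contains 'permit any': unbounded translation")
        if rule["pool"] is not None:
            size = cfg["pools"].get(rule["pool"])
            if size is None:
                findings.append(f"pool {rule['pool']} referenced by NAT but not defined")
            elif hosts is not None and hosts > size and not rule["overload"]:
                findings.append(f"access-list {acl} permits {hosts} hosts but pool "
                                f"{rule['pool']} has {size} addresses and no overload")
    return findings


if __name__ == "__main__":
    for finding in lint_nat_config(SAMPLE_CONFIG):
        print(finding)
```

Besides the two planted faults, the lint also points out that access-list 7 admits 64 source addresses (two wildcard blocks of 32) while the pool 172.16.10.1 through 172.16.10.63 holds 63, so without overload the last host to start a session finds no free address.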
The final step is to verify that NAT is operating as intended.
Configuring NAT to Allow Internal Users to Access the Internet Using Overloading

NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside

!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!

!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 172.16.10.1.

ip nat inside source list 7 pool ovrld overload
!
!
!
!

!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31

!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note in the second configuration above, the NAT pool "ovrld" only has a
range of one address. The keyword overload used in the ip nat inside source list 7
pool ovrld overload command allows NAT to translate multiple inside devices to
the single address in the pool.
Configuring NAT for Use During a Network Transition

NAT Router

interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside

!--- Defines Ethernet 0 with an IP address and as a NAT outside interface.

interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 200.200.200.5 255.255.255.252

!--- Defines serial 0 with an IP address. This interface is not
!--- participating in NAT.

ip nat inside source static 172.16.50.8 172.16.10.8

!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.

Note that the inside source NAT command in this example also implies that
packets received on the outside interface with a destination address of 172.16.10.8
will have the destination address translated to 172.16.50.8.

The final step is to verify that NAT is operating as intended.
Example: Using NAT in Overlapping Networks
Overlapping networks result when you assign IP addresses to internal
devices that are already being used by other devices within the internet.
Overlapping networks also result when two companies, both of whom use RFC
1918 IP addresses in their networks, merge. These two networks need to
communicate, preferably without having to readdress all their devices. Refer to
Using NAT in Overlapping Networks for more information about configuring
NAT for this purpose.
Difference between One-to-One Mapping and Many-to-Many
A static NAT configuration creates a one-to-one mapping and translates a
specific address to another address. This type of configuration creates a permanent
entry in the NAT table as long as the configuration is present and enables both
inside and outside hosts to initiate a connection. This is mostly useful for hosts that
provide application services like mail, web, FTP and so forth. For example:
Router(config)#ip nat inside source static 10.3.2.11 10.41.10.12
Router(config)#ip nat inside source static 10.3.2.12 10.41.10.13
Dynamic NAT is useful when fewer addresses are available than the actual
number of hosts to be translated. It creates an entry in the NAT table when the host
initiates a connection and establishes a one-to-one mapping between the addresses.
But, the mapping can vary and it depends upon the registered address available in
the pool at the time of the communication. Dynamic NAT allows sessions to be
initiated only from inside or outside networks for which it is configured. Dynamic
NAT entries are removed from the translation table if the host does not
communicate for a specific period of time which is configurable. The address is
then returned to the pool for use by another host.
For example, complete these steps of the detailed configuration:

1. Create a pool of addresses:

Router(config)#ip nat pool MYPOOLEXAMPLE 10.41.10.1 10.41.10.41 netmask 255.255.255.0

2. Create an access-list for the inside networks that have to be mapped:

Router(config)#access-list 100 permit ip 10.3.2.0 0.0.0.255 any

3. Associate the access-list 100 that is selecting the internal network 10.3.2.0 0.0.0.255 to be natted to the pool MYPOOLEXAMPLE and then overload the addresses:

Router(config)#ip nat inside source list 100 pool MYPOOLEXAMPLE overload
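The three behaviours described in this section and in the Static, Dynamic and Overload configuration sections (a permanent one-to-one static entry that outside hosts can reach, a dynamic pool entry that exists only after inside traffic and is returned to the pool after an idle timeout, and overload/PAT that shares one global address by port) can be made concrete with a small model of the translation table. The following Python is an added example, not IOS code and not part of this report; the pool range, timeout value and port allocation policy are assumptions chosen for illustration.

```python
import ipaddress
import itertools


class NatTable:
    """Toy model of an IOS-style NAT translation table (added example, not IOS):
    static one-to-one entries, a dynamic pool with idle timeouts, and overload (PAT)."""

    def __init__(self, pool_start, pool_end, overload=False, timeout=86400):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(start, end + 1)]
        self.overload = overload
        self.timeout = timeout       # idle seconds before a dynamic entry is removed (assumed default)
        self.static = {}             # inside local -> inside global
        self.dynamic = {}            # inside local -> (inside global, last_seen)
        self.pat = {}                # (inside local, local port) -> (inside global, global port, last_seen)
        self.next_port = itertools.count(1024)   # assumed simple sequential port allocator

    def add_static(self, inside_local, inside_global):
        """Permanent entry: present without any traffic and reachable from outside."""
        self.static[inside_local] = inside_global

    def _expire(self, now):
        """Drop dynamic and PAT entries that have been idle longer than the timeout."""
        self.dynamic = {k: v for k, v in self.dynamic.items() if now - v[1] <= self.timeout}
        self.pat = {k: v for k, v in self.pat.items() if now - v[2] <= self.timeout}

    def translate_outbound(self, src, sport, now):
        """Inside-to-outside packet: return (inside global address, port) or None
        when the pool is exhausted (dynamic NAT without overload)."""
        self._expire(now)
        if src in self.static:
            return self.static[src], sport
        if self.overload:
            key = (src, sport)
            if key not in self.pat:
                self.pat[key] = (self.pool[0], next(self.next_port), now)
            g, gport, _ = self.pat[key]
            self.pat[key] = (g, gport, now)      # refresh idle timer
            return g, gport
        if src not in self.dynamic:
            in_use = {v[0] for v in self.dynamic.values()}
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None
            self.dynamic[src] = (free[0], now)
        g, _ = self.dynamic[src]
        self.dynamic[src] = (g, now)
        return g, sport

    def translate_inbound(self, dst, dport, now):
        """Outside-to-inside packet: only static entries, existing dynamic entries or
        an existing PAT (address, port) pair map back to an inside host."""
        self._expire(now)
        for local, g in self.static.items():
            if g == dst:
                return local, dport
        for local, (g, _) in self.dynamic.items():
            if g == dst:
                return local, dport
        for (local, lport), (g, gport, _) in self.pat.items():
            if g == dst and gport == dport:
                return local, lport
        return None


if __name__ == "__main__":
    nat = NatTable("158.80.1.1", "158.80.1.2")        # two-address dynamic pool
    nat.add_static("172.16.1.1", "158.80.1.40")
    print(nat.translate_outbound("172.16.1.10", 40000, now=0))
    print(nat.translate_outbound("172.16.1.11", 40000, now=0))
    print(nat.translate_outbound("172.16.1.12", 40000, now=0))   # None: pool exhausted
```

With a two-address pool the third inside host gets no translation until an entry times out, which is the situation that motivates overload; with overload=True every host shares the single global address and is told apart by the global port, so an inbound packet is only delivered when its destination port matches a live session.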

Verifying NAT Operation

Once you've configured NAT, verify that it is operating as expected. You can do this in a number of ways: using a network analyzer, show commands, or debug commands. For a detailed example of NAT verification, refer to Verifying NAT Operation and Basic NAT Troubleshooting.

TESTING

Alpha Testing

Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing.

Troubleshooting NAT

To view all current static and dynamic translations:

Router# show ip nat translations

To view whether an interface is configured as an inside or outside NAT interface, and to display statistical information regarding active NAT translations:

Router# show ip nat statistics

To view NAT translations in real-time:

Router# debug ip nat

Beta Testing

Beta testing comes after alpha testing and can be considered a form of external user acceptance testing. Versions of the software, known as beta versions, are released to a limited audience outside of the programming team. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the open public to increase the feedback field to a maximal number of future users.

To view the active NAT translations, pfctl is used with the -s state option. This option will list all the current NAT sessions:

# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE

Explanations (first line only):

Indicates the interface that the state is bound to. The word self will appear if the state is floating.

TCP: The protocol being used by the connection.

192.168.1.35:2132: The IP address (192.168.1.35) of the machine on the internal network. The source port (2132) is shown after the address. This is also the address that is replaced in the IP header.

24.5.0.5:53136: The IP address (24.5.0.5) and port (53136) on the gateway that packets are being translated to.

65.42.33.245:22: The IP address (65.42.33.245) and the port (22) that the internal machine is connecting to.
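Each pfctl state line therefore carries three endpoints in a fixed order (internal host, translated address on the gateway, external host) followed by the connection state, which makes it straightforward to parse for reporting. The following Python is an added example, not part of the OpenBSD documentation or of this report: it parses constructed state lines in the layout shown above, accepts both the older ">" separator and the newer "->" form with a leading interface name (such as self), and groups the sessions by internal host so a defender can see which inside machine is behind each translated connection.

```python
import re

# Constructed pfctl -s state lines in the layout shown above. The third line
# uses the newer format (leading interface, "->" arrows) with a documentation address.
SAMPLE_STATES = """
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
self tcp 192.168.1.40:51000 -> 24.5.0.5:61234 -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED
"""

# optional interface, protocol, internal > gateway > external, state
STATE_RE = re.compile(
    r"^(?:(?P<iface>[A-Za-z]\S*)\s+)?(?P<proto>[A-Za-z]+)\s+"
    r"(?P<internal>\S+)\s+-?>\s+(?P<gateway>\S+)\s+-?>\s+(?P<external>\S+)\s+(?P<state>\S+)$"
)


def split_endpoint(text):
    """'192.168.1.35:2132' -> ('192.168.1.35', 2132)."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_state_line(line):
    """Parse one outbound NAT state line; return None for lines in another layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    return {
        "iface": m.group("iface") or "",
        "proto": m.group("proto").upper(),
        "internal": split_endpoint(m.group("internal")),   # address replaced in the IP header
        "gateway": split_endpoint(m.group("gateway")),     # address/port packets are translated to
        "external": split_endpoint(m.group("external")),   # destination the inside host reached
        "state": m.group("state"),
    }


def parse_states(text):
    return [s for s in (parse_state_line(line) for line in text.splitlines()) if s]


def sessions_by_internal_host(states):
    """Map each internal address to the (protocol, external host, external port) it is talking to."""
    by_host = {}
    for s in states:
        by_host.setdefault(s["internal"][0], []).append((s["proto"], *s["external"]))
    return by_host


if __name__ == "__main__":
    for host, sessions in sessions_by_internal_host(parse_states(SAMPLE_STATES)).items():
        print(host, sessions)
```

Only the outbound layout shown in the text (arrows pointing right) is handled; lines in any other form are skipped rather than misread.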

SNAP SHOTS

[Snapshot: Simple Static Routing in NAT]

[Snapshot: Dynamic Routing in NAT]

[Snapshot: Dynamic Routing with Clock Rate in NAT]

[Snapshot: EIGRP in NAT]

[Snapshot: Inter-VLAN 1 in NAT]

[Snapshot: Inter-VLAN 2 in NAT]

[Snapshot: Inter-VLAN 3 in NAT]

[Snapshot: DHCP in NAT]

[Snapshot: Access List in NAT]
FUTURE SCOPE

Telephony: Configuring Voice VLANs

If you do yoga, meditate, chain smoke, or consume mass quantities of
comfort food when stressed, take a little break and do that now because, and I’m
going to be honest, this isn’t the easiest part of the chapter—or even the book, for
that matter. But I promise that I’ll do my best to make this as painless for you as
possible.
The voice VLAN feature enables access ports to carry IP voice traffic from
an IP phone.
When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic
with layer 3 IP precedence and layer 2 class of service (CoS) values, which are both
set to 5 for voice traffic; all other traffic defaults to 0.
Because the sound quality of an IP phone call can deteriorate if the data is
unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p
CoS. (802.1p provides a mechanism for implementing QoS at the MAC level.) The
802.1p field is carried in the 802.1Q trunk header. If you look at the fields in an
802.1Q tag, you will see a field called the priority field; this is where the 802.1p
information goes. QoS uses classification and scheduling to send network traffic
from the switch in an organized, predictable manner.
The Cisco IP phone is a configurable device, and you can configure it to forward
traffic with an IEEE 802.1p priority. You can also configure the switch to either
trust or override the traffic priority assigned by an IP phone—which is exactly what
we’re going to do. The Cisco phone basically has a three-port switch: one to
connect to the Cisco switch, one to a PC device, and one to the actual phone, which
is internal.
You can also configure an access port with an attached Cisco IP phone to use one
VLAN for voice traffic and another VLAN for data traffic from a device attached to
the phone—like a PC. You can configure access ports on the switch to send Cisco
Discovery Protocol (CDP) packets that instruct an attached Cisco IP phone to send
voice traffic to the switch in any of these ways:
In the voice VLAN tagged with a layer 2 CoS priority value
In the access VLAN tagged with a layer 2 CoS priority value
In the access VLAN, untagged (no layer 2 CoS priority value)

The switch can also process tagged data traffic (traffic in IEEE 802.1Q or
IEEE 802.1p frame types) from the device attached to the access port on the Cisco
IP phone. You can configure layer 2 access ports on the switch to send CDP
packets that instruct the attached Cisco IP phone to configure the IP phone access
port in one of these modes:
In trusted mode, all traffic received through the access port on the Cisco IP
phone passes through the IP phone unchanged.
In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames
received through the access port on the IP phone receive a configured layer 2 CoS
value. The default layer 2 CoS value is 0. Untrusted mode is the default.
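The 802.1p priority the text keeps referring to is the 3-bit field at the top of the 16-bit Tag Control Information in an 802.1Q header, which sits between the source MAC and the EtherType. The following Python is an added example, not Cisco code or part of this report: it builds and reads that tag for a constructed frame (voice VLAN 10 with CoS 5, both assumed values) and models the trusted/untrusted port behaviour just described, where an untrusted port rewrites the CoS of tagged frames to the configured default of 0 and passes untagged frames through unchanged.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_tci(pcp, dei, vid):
    """Pack Tag Control Information: 3-bit PCP (the 802.1p CoS), 1-bit DEI, 12-bit VLAN ID."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (dei << 12) | vid


def parse_tci(tci):
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def tag_frame(untagged, pcp, vid):
    """Insert an 802.1Q header after the 12-byte destination/source MAC pair."""
    if len(untagged) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, 0, vid))
    return untagged[:12] + tag + untagged[12:]


def read_tag(frame):
    """Return (pcp, vid) if the frame carries an 802.1Q tag, else None (untagged)."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    t = parse_tci(tci)
    return t["pcp"], t["vid"]


def apply_port_trust(frame, trusted, default_cos=0):
    """Model the IP phone's PC access port: trusted mode passes traffic unchanged;
    untrusted mode rewrites the CoS of tagged frames to the configured default."""
    if trusted:
        return frame
    tag = read_tag(frame)
    if tag is None:
        return frame                      # untagged data traffic carries no CoS to rewrite
    _, vid = tag
    return frame[:14] + struct.pack("!H", build_tci(default_cos, 0, vid)) + frame[16:]


def constructed_frame():
    """Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, dummy payload."""
    return (bytes.fromhex("010203040506") + bytes.fromhex("0a0b0c0d0e0f")
            + b"\x08\x00" + b"\x45\x00" + bytes(44))


if __name__ == "__main__":
    voice = tag_frame(constructed_frame(), pcp=5, vid=10)   # assumed voice VLAN 10, CoS 5
    print("trusted  :", read_tag(apply_port_trust(voice, trusted=True)))
    print("untrusted:", read_tag(apply_port_trust(voice, trusted=False)))
```

The PCP value 5 for voice, and 0 for everything else, matches the defaults the text gives; the VLAN number itself is an assumed value for the example.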

Configuring the Voice VLAN

By default, the voice VLAN feature is disabled; you enable it by using the
interface command switchport voice vlan. When the voice VLAN feature is
enabled, all untagged traffic is sent according to the default CoS priority of the port.
The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic.
These are the voice VLAN configuration guidelines:
You should configure voice VLAN on switch access ports; voice VLAN isn’t
supported on trunk ports, even though you can actually configure it! The voice
VLAN should be present and active on the switch for the IP phone to correctly
communicate on it. Use the show vlan privileged EXEC command to see if the
VLAN is present—if it is, it’ll be listed in the display.
Before you enable the voice VLAN, it’s recommended that you enable QoS on the
switch by entering the mls qos global configuration command and set the port trust
state to trust by entering the mls qos trust cos interface configuration command.
You must make sure that CDP is enabled on the switch port connected to the Cisco
IP phone to send the configuration. This is on by default, so unless you disabled it,
you shouldn’t have a problem.
The PortFast feature is automatically enabled when the voice VLAN is
configured, but when you disable the voice VLAN, the PortFast feature isn’t
automatically disabled.
To return the port to its default setting, use the no switchport voice vlan interface
configuration command.

Configuring IP Phone Voice Traffic

You can configure a port connected to the Cisco IP phone to send CDP packets to
the phone to configure the way in which the phone sends voice traffic. The phone
can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a
layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a
higher priority as well as forward all voice traffic through the native (access)
VLAN. The IP phone can also send untagged voice traffic, or use its own
configuration to send voice traffic in the access VLAN. In all configurations, the
voice traffic carries a layer 3 IP precedence value—again, for voice the setting is
usually 5.

CONCLUSION

The examples in this document demonstrate that the quick start steps can help you
configure and deploy NAT. These quick start steps include:
1. Defining NAT inside and outside interfaces.
2. Defining what you are trying to accomplish with NAT.
3. Configuring NAT in order to accomplish what you defined in Step 2.
4. Verifying the NAT operation.

In each of the examples above, various forms of the ip nat inside command were
used. You can also use the ip nat outside command to accomplish the same
objectives, keeping in mind the NAT order of operations. For configuration
examples using the ip nat outside commands, refer to Sample Configuration
Using the ip nat outside source list Command and Sample Configuration Using
the ip nat outside source static Command.

The examples above also demonstrated the following:

Command: ip nat inside source
Action:
• Translates the source of IP packets that are traveling inside to outside.
• Translates the destination of the IP packets that are traveling outside to inside.

Command: ip nat outside source
Action:
• Translates the source of the IP packets that are traveling outside to inside.
• Translates the destination of the IP packets that are traveling inside to outside.

BIBLIOGRAPHY

1. www.cisco.com
2. Wikipedia
3. CCNA E-Book
4. RFC 1631: The IP Network Address Translator (NAT)
5. RFC 1918: Address Allocation for Private Internets
6. RFC 3022: Traditional IP Network Address Translator (Traditional NAT)
7. Technical Support and Documentation - Cisco Systems