CHAPTER THREE
ROUTING PROTOCOLS CONFIGURATION
3.1 Introduction to Routing
Routers are small physical devices that join multiple networks together. Technically, a router is a Layer 3
gateway device, meaning that it connects two or more networks and that the router operates at the network
layer of the OSI model.
Routing is a process carried out by routers, and it can be defined in several ways:
The process during which data packets are forwarded from one machine or device (technically referred
to as a node) to another on a network until they reach their destinations.
Selecting the minimum cost, distance, and/or time path from several alternatives for a good or message
to reach its destination.
The same as switching (with some very technical differences). IP routing uses IP addresses to forward
IP packets from their sources to their destinations. IP adopts packet switching.
The term routing encapsulates two tasks: deciding the paths for the data to be transferred, and sending the packets on
these paths. Routing is a function carried out at the 3rd layer of the OSI reference model. A routing algorithm
decides the output line on which to transfer each incoming packet; algorithms are based on the routing protocol, which uses
metrics such as bandwidth, delay, and reliability to assess whether a particular path is the optimal path available for
transfer of the data packets.
How does routing work?
Let us consider a scenario where Balew sends a message from his computer in Burie to Dagnenet's machine
in Debre Markos. TCP and other protocols do their work with the data on Balew's machine; then it is sent to
the IP protocol's module, where the data packets are bundled into IP packets and sent over the network
(Internet). These data packets have to cross through a lot of routers to reach their destination. The work these
routers do is called routing. Each packet carries the IP addresses of the source and destination machine.
Each of the intermediate routers consults the IP address of each packet received. Based on this, each will know
exactly in which direction to forward the packet. Normally, each router has a routing table, where data about
the neighboring routers is stored. This data (data in routing table) is used to calculate and decide where to send
the packets. The packets go each one its own way and can move through different networks and take different
paths. They all finally get routed to one same destination machine.
On reaching Dagnenet's machine, the destination address and the machine address will match. The packets
will be consumed by the machine, where the IP module on it will reassemble them and send the resulting data
above to the TCP service for further processing. This picture briefly depicts IP Routing.
A routing table is a type of data file that acts as a map and is often installed on a router, networked computer
or other hardware. A routing table is either a document stored in the router or on a network computer in the
form of a database, or is simply a file stored in the router. The data entered in the routing table is referred to
when the best possible path to transfer information across two computers in a network is to be determined.
The routing table contains information about various routes between devices in order to present the most
efficient paths for data packets. The table is a small in-memory database managed by the router's built-in
hardware and software.
A routing table uses static and dynamic Internet protocol or IP addresses to identify devices, and works with
an ARP cache that holds these addresses. The routing table is commonly referred to as a resource for finding
the next hop, or subsequent route for a data packet. Static or dynamic routes may be compared in order to find
the best path for data.
Part of the challenge of designing a routing table is in recording information on many devices with a fixed
memory or storage space. There’s also the issue of working with an ARP cache and correctly maintaining lists
of available routes for data. This is often referred to as incorrect definition of the topology of a network. Other
routing problems, such as black holes, which cause ineffective delivery, should also be considered when using
a routing table.
Routing tables contain a list of IP addresses. Each IP address identifies a remote router (or other network
gateway) that the local router is configured to recognize. For each IP address, the routing table additionally
stores a network mask and other data that specifies the destination IP address ranges that remote device will
accept.
Home network routers utilize a very small routing table because they simply forward all outbound traffic to
the Internet Service Provider (ISP) gateway which takes care of all other routing steps. Home router tables
typically contain ten or fewer entries. By comparison, the largest routers at the core of the Internet backbone
must maintain the full Internet routing table, which exceeds 100,000 entries and keeps growing as the Internet expands.
3.2 Types of Routing
The two classifications of routing are static routing and dynamic routing. These classifications are based on
the way in which routing tables are created and updated each time they are used. Routing in which the data
in the routing table is stored and updated manually is called static routing. On the other hand, routing in which the
information in the routing table is changed dynamically, by the router itself, is referred to as dynamic routing.
There are pros and cons to static routing, but that's true for all routing processes. Static routing has the
following advantages and disadvantages:
Here’s the command syntax you use to add a static route to a routing table:
Use the following network topology to configure static/default route, EIGRP, and OSPF.
Exercise:
1. Configure a static route on both Router 1 and Router 2 so that PCs in 192.168.10.0/24 network are
able to communicate with PC 3 in 10.10.10.0/24 network and vice versa.
2. First remove the static configuration and then configure a default route on both Router 1 and
Router 2 so that PCs in 192.168.10.0/24 network are able to communicate with PC 3 in
10.10.10.0/24 network and vice versa.
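A longest-prefix-match lookup over a routing table built for the exercise topology, added here as a Python model; it is not part of the original notes and is not how IOS implements its table. Because the topology figure is not reproduced, the Router 1 interface name (FastEthernet0/0) and the Router 1 to Router 2 link address (172.16.1.2) are assumptions; the two LAN prefixes are the ones the exercise names. The `without` helper models removing a route, as step 2 of the exercise asks, so you can see that the default route catches the traffic once the specific static route is gone, and that with neither route the packet has no next hop and is dropped.

```python
import ipaddress

# Constructed sample table for the exercise topology. The interface name and the
# next hop 172.16.1.2 are assumptions (the figure is not in the text); the two
# LAN prefixes come from the exercise.
ROUTER1_ROUTES = [
    ("192.168.10.0/24", "FastEthernet0/0", "connected"),  # directly attached LAN
    ("10.10.10.0/24",   "172.16.1.2",      "static"),     # static route to PC 3's network
    ("0.0.0.0/0",       "172.16.1.2",      "static"),     # default route: matches every address
]


def build_table(entries):
    """Turn (prefix, next hop, source) rows into ip_network objects; a malformed prefix raises."""
    return [(ipaddress.ip_network(dest, strict=True), nh, src) for dest, nh, src in entries]


def lookup(table, dst_ip):
    """Longest-prefix match: among all routes whose prefix contains dst_ip, the most
    specific one wins, so the /24 beats the /0 default route for its own hosts.
    Returns (matched prefix, next hop) or None when nothing matches (packet dropped)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, next_hop, _source in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def without(table, prefix):
    """Model removing a route ('no ip route ...'): a copy of the table minus that prefix."""
    target = ipaddress.ip_network(prefix)
    return [row for row in table if row[0] != target]


if __name__ == "__main__":
    table = build_table(ROUTER1_ROUTES)
    print(lookup(table, "10.10.10.5"))              # ('10.10.10.0/24', '172.16.1.2')
    print(lookup(table, "203.0.113.9"))             # ('0.0.0.0/0', '172.16.1.2')
    only_default = without(table, "10.10.10.0/24")  # exercise step 2: static route removed
    print(lookup(only_default, "10.10.10.5"))       # ('0.0.0.0/0', '172.16.1.2')
    print(lookup(without(only_default, "0.0.0.0/0"), "10.10.10.5"))  # None
```

The lookup ignores the route source on purpose: once a route is in the table, forwarding is decided by prefix length alone. Which of several candidate routes for the same prefix gets into the table is the administrative distance question covered in section 3.3.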
3.2.2 Dynamic Routing
Dynamic routing uses a routing protocol, and these protocols use software and routing algorithms running on
the routing device (the router) to determine optimal network data transfer and communication paths between
network nodes. Routing protocols facilitate router communication and overall network topology
understanding. Routers in dynamic routing dynamically learn network destinations and how to get to them, and
also advertise those destinations to other routers. This advertisement function allows all the routers to learn
about all the destination networks that exist and how to reach those networks.
A dynamic routing table is created, maintained, and updated by a routing protocol running on the router.
Routers do share dynamic routing information with each other, which increases CPU, RAM, and bandwidth
usage. However, routing protocols are capable of dynamically choosing a different (or better) path when there
is a change to the routing infrastructure.
A router using dynamic routing will 'learn' the routes to all networks that are directly connected to the device.
Next, the router will learn routes from other routers that run the same routing protocol (RIP, RIP2, EIGRP,
OSPF, IS-IS, BGP etc.). Each router will then sort through its list of routes and select one or more 'best' routes
for each network destination the router knows or has learned.
Dynamic routing protocols will then distribute this 'best route' information to other routers running the same
routing protocol, thereby extending the information on what networks exist and can be reached. This gives
dynamic routing protocols the ability to adapt to logical network topology changes, equipment failures or
network outages 'on the fly'.
The following briefly outlines the advantages and disadvantages of dynamic routing:
Link-state protocols do not “route by rumor.” Instead, routers send updates advertising the state of their links
(a link is a directly-connected network). All routers know the state of all existing links within their area, and
store this information in a topology table. All routers within an area have identical topology tables.
The best route to each link (network) is stored in the routing (or shortest-path) table. If the state of a link
changes, such as a router interface failing, an advertisement containing only this link-state change will be sent
to all routers within that area. Each router will adjust its topology table accordingly, and will calculate a new
best route if required. By maintaining a consistent topology table among all routers within an area, link-state
protocols can converge very quickly and are immune to routing loops.
Additionally, because updates are sent only during a link-state change, and contain only the change (and not
the full table), link-state protocols are less bandwidth intensive than distance-vector protocols. However, the
three link-state tables utilize more RAM and CPU on the router itself. Link-state protocols utilize some form
of cost, usually based on bandwidth, to calculate a route’s metric. The Dijkstra formula is used to determine
the shortest path.
Do not confuse routing protocols with routed protocols:
A routed protocol is a Layer 3 protocol that applies logical addresses to devices and routes data
between networks (such as IP)
A routing protocol dynamically builds the network, topology, and next hop information in routing
tables (such as RIP, EIGRP, etc.)
3.3 Basic Concepts: AD, Metrics and Wildcard Masks
There are some important things you should know about routing protocols before getting deeper into them.
Specifically, you need to understand administrative distances, metrics and wildcard masks.
Administrative Distance
An administrative distance is the value used by routers to choose the best path when there are two or more
routes to the same destination from two different routing protocols. An administrative distance guides the
selection of one routing protocol (or static route) over another, when more than one protocol adds the same
route to the unicast routing table. Each routing protocol is prioritized in order of most to least reliable using an
administrative distance value.
Static routes have a default administrative distance of 1. A router prefers a static route to a dynamic route
because the router considers a route with a low number to be the shortest. If you want a dynamic route to
override a static route, you can specify an administrative distance for the static route. For example, if you have
two dynamic routes with an administrative distance of 120, you would specify an administrative distance that
is greater than 120 for the static route if you want the dynamic route to override the static route.
The administrative distance (AD) is used to rate the trustworthiness of routing information received on a
router from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most
trusted and 255 means no traffic will be passed via this route. If a router receives two updates listing the same
remote network, the first thing the router checks is the AD. If one of the advertised routes has a lower AD than
the other, then the route with the lowest AD will be placed in the routing table.
If both advertised routes to the same network have the same AD, then routing protocol metrics (such as hop
count or bandwidth of the lines) will be used to find the best path to the remote network. The advertised route
with the lowest metric will be placed in the routing table. But if both advertised routes have the same AD as
well as the same metrics, then the routing protocol will load-balance to the remote network (which means that
it sends packets down each link).
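The selection rule just described (lowest AD first, then lowest metric, then equal-cost load balancing), as an added Python model that is not part of the original notes. The DEFAULT_AD values are the Cisco defaults for the sources used here, listed because the page's table of defaults is not reproduced; the candidate routes, metrics and next hops are constructed. The floating static route shows the technique from the previous paragraph: a static route given an AD above RIP's 120 only enters the table when the RIP route disappears.

```python
from dataclasses import dataclass
from typing import List, Optional

# Cisco default administrative distances for the route sources used in this example.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Candidate:
    network: str               # destination prefix, e.g. "10.10.10.0/24"
    source: str                # "static", "connected" or a routing protocol name
    metric: int                # protocol-specific metric (hop count for RIP, cost for OSPF, ...)
    next_hop: str
    ad: Optional[int] = None   # explicit AD (a floating static route sets this); None = default

    def effective_ad(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def select_routes(candidates: List[Candidate]) -> List[Candidate]:
    """Decide what is installed for one destination network.
    1. AD 255 means "do not trust": such candidates are discarded.
    2. The lowest AD wins.
    3. Same AD: the lowest metric wins.
    4. Same AD and same metric: all survivors are installed (equal-cost load balancing)."""
    if len({c.network for c in candidates}) > 1:
        raise ValueError("select_routes compares candidates for a single destination")
    usable = [c for c in candidates if c.effective_ad() < 255]
    if not usable:
        return []
    best_ad = min(c.effective_ad() for c in usable)
    same_ad = [c for c in usable if c.effective_ad() == best_ad]
    best_metric = min(c.metric for c in same_ad)
    return [c for c in same_ad if c.metric == best_metric]


# Constructed candidates for one remote network.
RIP_VIA_R2 = Candidate("10.10.10.0/24", "rip", metric=2, next_hop="172.16.1.2")
RIP_VIA_R3 = Candidate("10.10.10.0/24", "rip", metric=2, next_hop="172.16.2.2")
STATIC = Candidate("10.10.10.0/24", "static", metric=0, next_hop="172.16.1.2")
# Backup route: AD 130 is worse than RIP's 120, so RIP wins while its route exists.
FLOATING = Candidate("10.10.10.0/24", "static", metric=0, next_hop="172.16.1.2", ad=130)

if __name__ == "__main__":
    print([c.source for c in select_routes([RIP_VIA_R2, STATIC])])      # ['static']
    print([c.source for c in select_routes([RIP_VIA_R2, FLOATING])])    # ['rip']
    print([c.source for c in select_routes([FLOATING])])                # ['static']
    print(len(select_routes([RIP_VIA_R2, RIP_VIA_R3])))                 # 2 (load balanced)
```

Note that the metric comparison in step 3 only makes sense between routes from the same protocol; in practice equal AD almost always means the same source, which is why the model does not try to compare a RIP hop count with an OSPF cost.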
The table below shows the default administrative distances that a Cisco router uses to decide which route to take
to a remote network.
Metric
There are cases when a routing protocol learns of more than one route to the same destination. To select the
best path, the routing protocol must be able to evaluate and differentiate between the available paths. For this
purpose a metric is used. A metric is a value used by routing protocols to assign costs to reach remote
networks. The metric is used to determine which path is most preferable when there are multiple paths to the
same remote network.
Each routing protocol uses its own metric. For example, RIP uses hop count, EIGRP uses a combination of
bandwidth and delay, and Cisco's implementation of OSPF uses bandwidth. Hop count is the easiest metric to
envision. The hop count refers to the number of routers a packet must cross to reach the destination network.
Wildcard mask
A wildcard mask is a mask of bits that indicates which parts of an IP address can assume any value. In the
Cisco IOS, they are used in several places, for example:
To indicate the size of a network or subnet for some routing protocols, such as OSPF.
To indicate what IP addresses should be permitted or denied in access control lists (ACLs).
A wildcard mask can be thought of as a subnet mask with its ones and zeros inverted; for example, a wildcard
mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. A wildcard mask is usually used in
combination with an IP address. For example, in a standard ACL, a statement like the following allows data
from subnet 10.0.3.0/24 to pass; that is, the first three octets must match exactly, whereas all the bits in the
fourth octet can take on any value.
Any bit, not only the trailing ones, can be marked as "don't care". For example, a wildcard mask of 0.0.0.254 (binary
equivalent = 00000000.00000000.00000000.11111110) in an ACL might accept (or deny) all even-numbered
IP addresses in a specific network.
Wildcard masks are used in situations where the subnet mask may not apply. For example, in an ACL, two
affected hosts may fall in different subnets, but the use of a wildcard mask can group the two together.
RIPv2
– RIPv2 uses multicasts
– RIPv2 supports triggered updates—when a change occurs, a RIPv2 router will immediately propagate
its routing information to its connected neighbors.
– RIPv2 is a classless protocol. RIPv2 supports variable-length subnet masking (VLSM)
– RIPv2 supports authentication. You can restrict what routers you want to participate in RIPv2. This is
accomplished using a hashed password value.
RIP Timers
RIP uses four different kinds of timers to regulate its performance:
Route update timer
Sets the interval (typically 30 seconds) between periodic routing updates in which the router sends a complete
copy of its routing table out to all neighbors.
Hold-down timer
This sets the amount of time during which routing information is suppressed. Routes will enter the hold-
down state when an update packet is received that indicates the route is unreachable. This continues either
until an update packet is received with a better metric or until the hold-down timer expires. The default is 180
seconds.
Route invalid timer
It determines the length of time that must elapse (180 seconds) before a router determines that a route has
become invalid. It will come to this conclusion if it hasn’t heard any updates about a particular route for that
period. When that happens, the router will send out updates to all its neighbors letting them know that the
route is invalid.
Route flush timer
This sets the time between a route becoming invalid and its removal from the routing table (240 seconds).
Before it's removed from the table, the router notifies its neighbors of that route's impending failure. The value
of the route invalid timer must be less than that of the route flush timer. This gives the router enough time to
tell its neighbors about the invalid route before the local routing table is updated.
Syntax:
RIPv1:
    router rip (in global configuration mode)
    network Network_Address
RIPv2:
    router rip (in global configuration mode)
    version 2
    network Network_Address
3.3.2 Interior Gateway Routing Protocol (IGRP)
Interior Gateway Routing Protocol (IGRP) is a dynamic classful routing protocol used by autonomous system
(AS) routers running on TCP/IP hosts. An AS is a collection of networks under a common administrative
domain, which basically means that all routers sharing the same routing table information are in the same AS.
EGPs are used to communicate between ASs.
IGRP overcomes Routing Information Protocol (RIP) network limitations and supports multiple routing
metrics, including delay, bandwidth, load and reliability. Routing updates are broadcast every 90 seconds (by
default).
- Developed by Cisco
- Uses composite metrics
- Uses multipath routing
- Supports unequal-cost load balancing
- Supports hold-downs and split horizon
- Deprecated *
3.3.3 Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP is an advanced distance vector routing protocol based on the principles of, and the successor to, the Interior
Gateway Routing Protocol (IGRP). Both are owned by Cisco and operate only on their devices. Cisco introduced EIGRP
because it needed a protocol with faster convergence, better route selection and calculation, and the ability to record
information from neighboring devices.
EIGRP uses bandwidth, delay, load and reliability to calculate the metric for its routing table (not hop count
used by legacy protocols). For this reason, EIGRP always selects and calculates the most optimal route for
efficiency. EIGRP uses the DUAL algorithm to avoid loops and sends hello packets to check the
status of neighbor routers.
It uses the following tables for route discovery: the neighbor table, the topology table and the route table.
*AS can be any number in the range from 1 to 65535 both inclusive.
OSPF is a link state routing protocol (LSRP) that uses the Shortest Path First (SPF) network communication
algorithm (Dijkstra's algorithm) to calculate the shortest connection path between known devices.
OSPF is an Interior Gateway Protocol (IGP) that routes Internet Protocol (IP) packets within a single routing
network domain only. OSPF finds the best network layout (topology) by calculating shortest device
connection paths using the Shortest Path First (SPF) algorithm.
For example, a person in city A wants to travel to city M and is given two options:
Travel via cities B and C. The route would be ABCM. And the distance (or bandwidth cost in the
networking case) for A-B is 10 miles, B-C is 5 miles and C-M is 10 miles.
Travel via city F. The route would be AFM. And the distance for A-F is 20 miles and F-M is 10 miles.
The shortest route is always the one with least amount of distance covered in total. Thus, the ABCM route is
the better option (10+5+10=25), even though the person has to travel to two cities as the associated total cost
to travel to the destination is less than the second option with a single city (20+10=30). OSPF performs a
similar algorithm by first calculating the shortest path between the source and destination based on link
bandwidth cost and then allows the network to send and receive IP packets via the shortest route.
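The city example above and the link-state recalculation described in section 3.2.2 (a link fails, every router adjusts its topology table and reruns the shortest-path calculation), as an added Python example that is not part of the original notes. The graph is built from the text's five links; `remove_link` models a link-state change such as a failed interface. `ospf_cost` is an extra the text does not show: the Cisco default of deriving a link's cost from a 100 Mbps reference bandwidth divided by the interface bandwidth.

```python
import copy
import heapq

# Link costs from the text's example: A-B 10, B-C 5, C-M 10, A-F 20, F-M 10.
CITY_LINKS = [("A", "B", 10), ("B", "C", 5), ("C", "M", 10), ("A", "F", 20), ("F", "M", 10)]


def build_graph(links):
    """Adjacency map (the topology table); every link is usable in both directions."""
    graph = {}
    for u, v, cost in links:
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph


def remove_link(graph, u, v):
    """A link-state change (e.g. an interface failure): a copy of the topology without link u-v."""
    g = copy.deepcopy(graph)
    g[u].pop(v, None)
    g[v].pop(u, None)
    return g


def dijkstra(graph, source):
    """Shortest Path First: total cost from source to every reachable node, plus the predecessor map."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in graph[u].items():
            candidate = d + cost
            if candidate < dist.get(v, float("inf")):
                dist[v] = candidate
                prev[v] = u
                heapq.heappush(heap, (candidate, v))
    return dist, prev


def shortest_path(graph, source, target):
    """Returns (route as a string of node names, total cost), or (None, None) if unreachable."""
    dist, prev = dijkstra(graph, source)
    if target not in dist:
        return None, None
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return "".join(reversed(path)), dist[target]


def ospf_cost(bandwidth_bps, reference_bps=100_000_000):
    """Cisco's default OSPF link cost: reference bandwidth (100 Mbps) / interface bandwidth, minimum 1."""
    return max(1, reference_bps // bandwidth_bps)


if __name__ == "__main__":
    g = build_graph(CITY_LINKS)
    print(shortest_path(g, "A", "M"))                       # ('ABCM', 25)
    print(shortest_path(remove_link(g, "C", "M"), "A", "M"))  # ('AFM', 30): recalculated after C-M fails
    print(ospf_cost(10_000_000), ospf_cost(1_000_000_000))  # 10 1
```

The `ospf_cost` floor of 1 is the reason interfaces faster than the reference bandwidth all look the same to OSPF unless the reference bandwidth is raised on every router in the area; the text's cost figures are distances, so the city graph uses them directly.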
A large network can be broken into small areas so that the routers in one area hold less topology information and
do not have information about the routers of other areas. Creating OSPF areas results in smaller databases, which reduces
memory consumption and processing.
OSPF maintains a two-layer hierarchy consisting of:
- Backbone area (area 0)
- Off-backbone areas (areas 1 to 65,535)
The followings are the characteristics of OSPF:
- AD value is 110
- Supports classless network
- Supports VLSM/CIDR and has unlimited hop counts
- Supports hierarchical network
- Route propagation using multicasting
OSPF Configuration (refer to your lecture notes)
Syntax: router ospf Process_ID (in global configuration mode)
        network Network_Address Wildcard_mask area 0
* Process_ID can be any number in the range from 1 to 65535, both inclusive.
Access lists are a set of rules, organized in a rule table. Each rule or line in an access-list provides a condition,
either permit or deny.
When using an access-list to filter traffic, a permit statement is used to “allow” traffic, while a deny statement
is used to “block” traffic. Similarly, when using an access list to identify traffic, a permit statement is used to
“include” traffic, while a deny statement states that the traffic should “not” be included. It is thus interpreted
as a true/false statement.
Access control lists enable you to permit or deny packets based on source and destination IP address, IP
protocol information, or TCP or UDP protocol information.
Types of Access Lists
There are two categories of access lists: numbered and named. You can configure the following types of
numbered ACLs:
• Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are
1 – 99 or a string.
• Extended – Permits or denies packets based on source and destination IP address and also based on IP
protocol information. Valid extended ACL IDs are a number from 100 – 199 or a string.
Named access lists provide a bit more flexibility. Descriptive names can be used to identify your
access-lists. Additionally, individual lines can be removed from a named access-list. However, like
numbered lists, all new entries are still added to the bottom of the access list.
There are two common types of named access lists:
IP standard named access lists
IP extended named access lists
IP access-lists use wildcard masks to determine two things:
1. Which part of an address must match exactly?
2. Which part of an address can match any number?
Consider the following address and wildcard mask:
Address: 172.16.0.0
Wild Card Mask: 0.0.255.255
The above would match any address that begins “172.16.” The last two octets could be anything. How do I
know this?
Two Golden Rules of Access Lists:
1. If a bit is set to 0 in a wild-card mask, the corresponding bit in the address must be matched exactly.
2. If a bit is set to 1 in a wild-card mask, the corresponding bit in the address can match any number. In
other words, we “don’t care” what number it matches.
To see this more clearly, we’ll convert both the address and the wild card mask into binary:
Address: 10101100.00010000.00000000.00000000
Wild Card Mask: 00000000.00000000.11111111.11111111
Any 0 bits in the wildcard mask, indicates that the corresponding bits in the address must be matched exactly.
Thus, looking at the above example, we must exactly match the following in the first two octets:
10101100.00010000 = 172.16
Any 1 bits in the wildcard mask indicates that the corresponding bits can be anything. Thus, the last two octets
can be any number, and it will still match this access-list entry.
If we wanted to match a specific address with a wildcard mask (we'll use an example of 172.16.1.1), how would
we do it?
Address: 172.16.1.1
Wild Card Mask: 0.0.0.0
Written out in binary, that looks like:
Address: 10101100.00010000.00000001.00000001
Wild Card Mask: 00000000.00000000.00000000.00000000
Remember what a wildcard mask is doing. A 0 indicates it must match exactly, a 1 indicates it can match
anything. The above wildcard mask has all bits set to 0, which means we must match all four octets exactly.
There are actually two ways we can match a host:
• Using a wildcard mask with all bits set to 0 – 172.16.1.1 0.0.0.0
• Using the keyword “host” – host 172.16.1.1
How would we match all addresses with a wildcard mask?
Address: 0.0.0.0
Wild Card Mask: 255.255.255.255
Written out in binary, that looks like:
Address: 00000000.00000000.00000000.00000000
Wild Card Mask: 11111111.11111111.11111111.11111111
Notice that the above wildcard mask has all bits set to 1. Thus, each bit can match anything – resulting in the
above address and wildcard mask matching all possible addresses.
There are actually two ways we can match all addresses:
• Using a wildcard mask with all bits set to 1 – 0.0.0.0 255.255.255.255
• Using the keyword “any” – any
Standard IP Access List
Syntax: access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to
the destination network.
Consider the following example:
In order to block network 172.18.0.0 from accessing the 172.16.0.0 network, we would create the following
access-list on Router A:
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any
Notice the wildcard mask of 0.0.255.255 on the first line. This will match (deny) all hosts on the 172.18.x.x
network.
The second line uses a keyword of any, which will match (permit) any other address. Remember that you
must have at least one permit statement in your access list.
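The wildcard-mask rules from section 3.3 and the walkthrough above (the two golden rules, host and any, the 0.0.0.254 even-address mask) together with the Router A access-list 10 example, as an added Python model that is not part of the original notes and is not how IOS evaluates ACLs. `parse_standard_ace` accepts the standard numbered syntax shown on the page, including the `host`, `any` and trailing `log` keywords, and treats a bare address with no wildcard as a host match, as IOS does. `evaluate` applies entries top-down, first match wins, and falls through to the implicit deny, which is what makes the "at least one permit statement" rule above matter: the single deny line on its own blocks everything.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask):
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return to_dotted(to_int(mask) ^ ALL_ONES)


def wildcard_match(address, wildcard, candidate):
    """The two golden rules: where a wildcard bit is 0 the candidate bit must equal the
    address bit exactly; where it is 1 the bit is ignored ("don't care")."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(address) & care) == (to_int(candidate) & care)


def parse_standard_ace(line):
    """Parse one standard numbered ACL entry, e.g.
    'access-list 10 deny 172.18.0.0 0.0.255.255', 'access-list 10 permit any',
    'access-list 10 permit host 172.16.1.1'. Returns (acl_id, action, address, wildcard)."""
    parts = line.split()
    if parts and parts[-1] == "log":            # optional trailing keyword
        parts = parts[:-1]
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a standard access-list entry: " + line)
    acl_id, action, src = int(parts[1]), parts[2], parts[3:]
    if not 1 <= acl_id <= 99:
        raise ValueError("standard numbered ACLs use IDs 1-99, got %d" % acl_id)
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + action)
    if src == ["any"]:
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host" and len(src) == 2:
        address, wildcard = src[1], "0.0.0.0"
    elif len(src) == 1:                          # IOS treats a bare address as a host match
        address, wildcard = src[0], "0.0.0.0"
    elif len(src) == 2:
        address, wildcard = src
    else:
        raise ValueError("cannot parse source: " + " ".join(src))
    to_int(address), to_int(wildcard)            # validate both quads
    return acl_id, action, address, wildcard


def evaluate(acl_lines, source_ip):
    """Top-down, first match wins; a packet that matches no entry hits the implicit deny."""
    for line in acl_lines:
        _, action, address, wildcard = parse_standard_ace(line)
        if wildcard_match(address, wildcard, source_ip):
            return action
    return "deny"


# The two entries from the Router A example in the text.
ROUTER_A_ACL_10 = [
    "access-list 10 deny 172.18.0.0 0.0.255.255",
    "access-list 10 permit any",
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))               # 0.0.0.255
    print(wildcard_match("10.0.3.0", "0.0.0.254", "10.0.3.8"))      # True  (even host)
    print(wildcard_match("10.0.3.0", "0.0.0.254", "10.0.3.9"))      # False (odd host)
    print(evaluate(ROUTER_A_ACL_10, "172.18.4.4"))                  # deny
    print(evaluate(ROUTER_A_ACL_10, "172.16.1.1"))                  # permit
    print(evaluate(ROUTER_A_ACL_10[:1], "172.16.1.1"))              # deny (implicit deny)
```

Order matters as much as the masks: swapping the two Router A entries would make `permit any` match first and the deny line would never be reached, which is the most common way an ACL ends up permitting what it was written to block.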
private addressing scheme works well for computers that only have to access resources inside the network,
like workstations needing access to file servers and printers. Routers inside the private network can route
traffic between private addresses with no trouble. However, to access resources outside the network, like the
Internet, these computers have to have a public address in order for responses to their requests to return to
them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly
that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer
on the Internet. Routers within the network recognize that the request is not for a resource inside the network,
so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It
then makes the same request to the Internet using its own public address, and returns the response from the
Internet resource to the computer inside the private network. From the perspective of the resource on the
Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it
appears that communication is directly with the site on the Internet. When NAT is used in this way, all users
inside the private network who access the Internet share the same public IP address. That
means only one public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful - that is, they are able to set up the connection between the internal
workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet
order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way,
they are able to keep track of the session composed of communication between the workstation and the
firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information
about the connection.
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with
internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and
require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the
public to access the servers only through that IP address. However, as an additional layer of security, the
firewall acts as the intermediary between the outside world and the protected internal network. Additional
rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows
network engineers to more efficiently route internal network traffic to the same resources, and allow access to
more ports, while restricting access at the firewall. It also allows detailed logging of communications between
the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or
other computers requiring special access outside the network can be assigned specific external IPs using NAT,
allowing them to communicate with computers and applications that require a unique public IP address.
Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port
access and protocols.
NAT is a very important aspect of firewall security. It conserves the number of public addresses used within
an organization, and it allows for stricter control of access to resources on both sides of the firewall.
Note: NAT is not restricted to private-to-public address translation, though that is the most common
application. NAT can also perform public-to-public address translation, as well as private-to-private address
translation.
NAT is only a temporary solution to the address shortage problem. IPv4 will eventually be replaced with
IPv6, which supports a vast address space. Both Cisco IOS devices and PIX/ASA firewalls support NAT.
Situations where you should use NAT:
Your ISP did not provide you with sufficient public IP addresses.
Your company is going to merge with a company that uses the same address space.
You want to hide your internal IP address space from the outside.
You want to assign the same IP address to multiple machines.
Types of NAT
NAT comes in three flavors:
Static NAT: Provides one-to-one mapping between local and global addresses, consequently, every
computer on the network must be allocated a single dedicated routable IP address.
Dynamic NAT: A pool of routable IP addresses is configured on the router and dynamically the router
assigns addresses from this pool to every machine that requires sending traffic to the “outside world”.
This type of NAT needs good planning from the beginning so that the pool of IP addresses is enough
to cover the traffic needs of the peak hour traffic to the Internet.
NAT overload (PAT): Port address translation is another variation of NAT and the most popular one.
It is also called NAT Overloading because it is designed to map many private IP addresses to just a
single registered IP address (overloaded address) by applying different port addresses in the TCP or
UDP header.
Static NAT
In static NAT, a manual translation is performed by an address translation device, translating one IP address to a
different one. If you have 100 devices, you need to create 100 static entries in the address translation table.
Typically, static translation is done for inside resources that outside people want to access.
To configure static inside source address translation for the example shown in the Figure above, the following
need to be performed on the router:
Specify the inside interface:
    Router(config)# interface FastEthernet0/0 (private-side interface)
    Router(config-if)# ip nat inside
Specify the outside interface:
    Router(config)# interface FastEthernet0/1 (public-side interface)
    Router(config-if)# ip nat outside
Enter the static translation entry:
    Router(config)# ip nat inside source static 192.168.0.1 206.245.160.1
Dynamic NAT
Dynamic NAT is mostly used when inside users need to access outside resources. The global address
assigned to the internal user isn't important, since outside devices don't directly connect to your internal users;
they just return traffic to them that the inside user requested.
When an inside user sends traffic through the address translation device, say a router, it examines the source
IP address and compares it to the internal local address pool. If it finds a match, then it determines which
inside global address pool it should use for the translation. It then dynamically picks an address in the global
address pool that is not currently assigned to an inside device. The router adds this entry in its address
translation table, the packet is translated, and the packet is then sent to the outside world. If no matching entry
is found in the local address pool, the address is not translated and is forwarded to the outside world in its
original state.
When returning traffic comes back into your network, the address translation device examines the destination
IP addresses and checks them against the address translation table. Upon finding a matching entry, it converts
the inside global address to the inside local address in the destination IP address field of the packet header and
forwards the packet to the inside network.
To configure dynamic inside source address translation for the example shown in the figure above, the
following need to be performed:
Specify the inside interface:
o Router(config)#interface FastEthernet0/0
o Router(config-if)#ip nat inside
Specify the outside interface:
o Router(config)#interface Serial0/0
o Router(config-if)#ip nat outside
Define an access list to permit the inside local addresses to be translated:
o Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Define a pool of global addresses:
o Router(config)#ip nat pool DNAT1 179.2.2.65 179.2.2.90 netmask 255.255.255.224
Enter the dynamic translation entry:
o Router(config)#ip nat inside source list 1 pool DNAT1
In the previous static NAT configuration on Cisco Routers, we saw how you can translate one IP address into
another single IP address. This part will cover how to translate many IP addresses into many IP addresses,
otherwise referred to as many-to-many translation.
Dynamic NAT allows us to translate many IP addresses into a pool of many IP addresses. The big thing to
realize here is that the pool does not need to contain enough IP addresses to translate all the internal addresses
at the same time, as would be the case if we used Static NAT. Dynamic NAT allows internal hosts to be
translated into an IP address in the pool when it requires a connection. Once the internal host has finished its
session the NAT entry is removed from the NAT table allowing another internal host to use the external IP
address for its session.
Assume we have 50 hosts in our inside network but only have 5 public IP addresses available to use. With
Dynamic NAT we can allow all 50 internal addresses to share the 5 public addresses as and when they need
them. This of course does impose a limit of only 5 simultaneous connections to the outside world and that is
where PAT would come in and solve that problem.
One of the benefits of using Dynamic NAT over Static NAT is that Dynamic NAT requires the session to
originate from the inside network: a translation entry exists only after an inside host has created one, so no
outside connection can be established to the inside network. This is obviously a more secure solution, as
connections from the outside won't work; only traffic originating from the inside will be translated. Static NAT
is different in that the entry is added to the NAT table on a permanent basis and will allow connections in either direction.
NAT overloading (PAT)
NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of
TCP/UDP port translation.
NAT overload is the most common operation in most businesses around the world, as it enables the whole
network to access the Internet using one single real IP address.
'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts
concurrently. This is done by translating source UDP/TCP ports in the packets and keeping track of them
within the translation table kept in the router (R1 in our case below). This is a typical NAT configuration for
almost all of today's networks.
The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we
define these interfaces for NAT overload to function.
From this point onward, the router will happily create all the necessary translations to allow the
192.168.0.0/24 network access to the Internet.
NAT overloading is PAT, which involves using a pool with a range of one or more addresses or using an
interface IP address in combination with the port. When you overload, you create a fully extended translation.
This is a translation table entry containing IP address and source/destination port information, which is
commonly called PAT or overloading.
PAT (or overloading) is a feature of Cisco IOS NAT that is used to translate internal (inside local) private
addresses to one or more outside (inside global, usually registered/public) IP addresses. Unique source port
numbers on each translation are used to distinguish between the conversations.
With PAT, all devices that go through the address translation device have the same global IP address assigned
to them, so the source TCP or UDP port numbers are used to differentiate the different connections. If two
devices have the same source port number, the translation device changes one of them to ensure uniqueness.
The major difference between NAT and PAT is that in NAT only IP addresses are translated, not port numbers.
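To make the translation-table behaviour described in the Dynamic NAT and PAT sections concrete (the pool lookup, pool exhaustion and entry release on one hand, and the fully extended, port-based PAT entries on the other), the following Python simulation is added here; it is not Cisco IOS code and not part of the chapter. The inside networks, the two-address pool 179.2.2.65-66, the global address 206.245.160.1, the server address and all port numbers are constructed for the example. It goes slightly beyond the text in also showing what happens to a returning packet once a dynamic entry has been released.

```python
"""Simulated NAT translation table: dynamic NAT (address pool) and PAT/overload.
Added illustration, not Cisco IOS code; all addresses and ports are constructed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class PoolExhausted(Exception):
    """No free inside global address is left in the pool."""

class DynamicNat:
    """Many-to-many: each inside host borrows one whole pool address per session."""

    def __init__(self, inside_net, pool_start, pool_end):
        self.inside = IPv4Network(inside_net)            # stands in for "access-list 1"
        lo, hi = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free = [str(IPv4Address(n)) for n in range(lo, hi + 1)]
        self.table = {}                                  # inside local -> inside global

    def outbound(self, pkt):
        if IPv4Address(pkt.src_ip) not in self.inside:
            return pkt                                   # no ACL match: sent untranslated
        if pkt.src_ip not in self.table:
            if not self.free:
                raise PoolExhausted(pkt.src_ip)
            self.table[pkt.src_ip] = self.free.pop(0)    # take an unassigned pool address
        return replace(pkt, src_ip=self.table[pkt.src_ip])

    def inbound(self, pkt):
        """Returning traffic: inside global -> inside local, or None (dropped)."""
        for local, glob in self.table.items():
            if glob == pkt.dst_ip:
                return replace(pkt, dst_ip=local)
        return None                                      # no entry: unsolicited, dropped

    def end_session(self, local_ip):
        self.free.append(self.table.pop(local_ip))       # address becomes usable again

class Pat:
    """Overload: all hosts share one global address; source ports keep flows apart."""

    def __init__(self, inside_net, global_ip, first_free_port=1024):
        self.inside = IPv4Network(inside_net)
        self.global_ip = global_ip
        self.next_port = first_free_port
        self.table = {}      # (local ip, local port, proto) -> global port
        self.reverse = {}    # (global port, proto) -> (local ip, local port)

    def outbound(self, pkt):
        if IPv4Address(pkt.src_ip) not in self.inside:
            return pkt
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.table:
            port = pkt.src_port                          # keep the port if nobody else uses it
            if (port, pkt.proto) in self.reverse:        # clash with another host: pick a new one
                while (self.next_port, pkt.proto) in self.reverse:
                    self.next_port += 1
                port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = port
            self.reverse[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=self.table[key])

    def inbound(self, pkt):
        """Fully extended lookup on (global port, proto); None when no entry exists."""
        entry = self.reverse.get((pkt.dst_port, pkt.proto))
        if pkt.dst_ip != self.global_ip or entry is None:
            return None
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

def demo():
    # Walk through the scenarios from the text; returns the observed results.
    server = "203.0.113.10"                                         # constructed outside host
    nat = DynamicNat("10.0.0.0/24", "179.2.2.65", "179.2.2.66")   # 2 addresses, 3 hosts
    a = nat.outbound(Packet("10.0.0.5", 40000, server, 80))
    b = nat.outbound(Packet("10.0.0.6", 40000, server, 80))
    try:
        nat.outbound(Packet("10.0.0.7", 40000, server, 80))
        exhausted = False
    except PoolExhausted:
        exhausted = True
    reply = nat.inbound(Packet(server, 80, a.src_ip, 40000))
    nat.end_session("10.0.0.5")                                     # frees 179.2.2.65
    stale = nat.inbound(Packet(server, 80, "179.2.2.65", 40000))    # entry gone: dropped
    c = nat.outbound(Packet("10.0.0.7", 40000, server, 80))         # third host fits now
    pat = Pat("192.168.0.0/24", "206.245.160.1")
    h1 = pat.outbound(Packet("192.168.0.10", 50000, server, 443))
    h2 = pat.outbound(Packet("192.168.0.11", 50000, server, 443))   # same port: rewritten
    back = pat.inbound(Packet(server, 443, "206.245.160.1", h2.src_port))
    probe = pat.inbound(Packet(server, 12345, "206.245.160.1", 22))  # no entry: dropped
    return dict(a=a.src_ip, b=b.src_ip, exhausted=exhausted, reply=reply.dst_ip,
                stale=stale, c=c.src_ip, h1=h1.src_port, h2=h2.src_port,
                back=(back.dst_ip, back.dst_port), probe=probe)
```

Calling `demo()` shows the three behaviours the text describes: the third host is refused while both pool addresses are held and admitted once one session ends, a reply to a released address finds no entry and is dropped, and the second PAT host keeping source port 50000 is moved to the first free port (1024 here) so its fully extended entry stays unique.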
Disadvantages of Address Translation
Three main disadvantages with address translation are:
Each connection has an added delay.
Troubleshooting is more difficult.
Not all applications work with address translation.
Term                        Explanation
Inside local IP address     The IPv4 address that is assigned to a host on the inside network
Inside global IP address    A legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4 addresses to the outside world
Outside global IP address   An outside device with a registered public IP address
Outside local IP address    An outside device with an assigned private IP address