Six Months Industrial Training Report
On
Network Address Translation(NAT)
At
HCL Infosystems Ltd.
Submitted in partial fulfillment of the requirements
for the award of the degree of
Bachelor of Technology
Submitted To: Mr. Rakesh Khanna, ECE Deptt.
Submitted By: Komalbir Singh, 7070405482, ECE/8th sem
PREFACE
This project on NAT (Network Address Translation) provides information for the Internet community. When a client attempts to reach a server in a data center, it places its own IP address in the IP header of the packets it sends. A NAT device placed between the client and the server can either preserve the client IP address or translate it to an address that is routable in the server network, drawing on a pool of reserved dynamic NAT addresses or on a static NAT address mapping, and then pass the request on to the server. This project does not specify an Internet standard of any kind, and distribution of this document is unlimited.

With NAT you can use private addresses on your inside networks. Private addresses are not routable on the Internet, and NAT hides the local addresses from other networks, so an outside party does not learn the real address of a server in the data center. This concealment is a side effect rather than an access control: a NAT device still forwards whatever traffic matches its translation table (and, for a static translation, anything addressed to the inside global address), so NAT should be combined with access lists or a stateful firewall rather than relied on for protection. NAT also resolves IP routing problems such as overlapping addresses when two interfaces are connected to overlapping subnets.

This document also defines basic terminology for describing the different types of NAT behavior when handling unicast UDP, and a set of requirements that allow many applications, such as multimedia communications or online gaming, to work consistently. NATs that meet this set of requirements greatly increase the likelihood that such applications function properly.
ACKNOWLEDGEMENT
First and foremost I thank GGSCMT-KHARAR for allowing me to complete my ‘Project’ successfully. I express my sincere gratitude to Mr. Manjot Singh (my project guide) and all those who initiated and helped me in the successful completion of this project. Sincere thanks and profound gratitude to my guide Ms. Anupama (Faculty, GGSCMT) for helping me in carrying out the project and for much valuable and useful information while bringing out this project. I again express my sincere gratitude to Mr. Rakesh Khanna, Head of Department (ECE), and to my respected teachers of GGSCMT KHARAR for their kind consent, expert guidance, valuable suggestions and affectionate encouragement.

I also express my gratitude towards all the people associated with the project for their support, co-operation and cheerful readiness in reviewing this project. Last but not least, I am very thankful to my parents, who are my source of inspiration in every field of life.
Komalbir Singh
ECE (8th Sem)
INDEX
1. INTRODUCTION
   a. ABOUT COMPANY
   b. ABOUT PROJECT
   c. TEAM ROLE
2. PROJECT ANALYSIS
   a. FEASIBILITY STUDY
      i. TECHNICAL FEASIBILITY
      ii. BEHAVIORAL / OPERATIONAL FEASIBILITY
      iii. ECONOMICAL FEASIBILITY
   b. H/W & S/W SPECIFICATION
   c. REQUIREMENT ANALYSIS
      i. WORK FLOW DIAGRAM
3. DESIGN
   i. MODULES
   ii. IMPLEMENTATION AND MAINTENANCE
4. TESTING
   i. ALPHA TESTING
   ii. BETA TESTING
5. SNAPSHOTS
6. FUTURE SCOPE
7. CONCLUSION
8. BIBLIOGRAPHY
Introduction:-
This document explains configuring Network Address Translation (NAT) on a Cisco router for use in common network scenarios. The target audience of this document is first time NAT users.
Note: In this document, when the internet, or an internet device is referred to, it means a device on any external network.
Company’s Profile:-
HCL Enterprise Limited (formerly known as HCL Computers Limited) is one of India's largest electronics, computing and information technology companies. Based in Noida, near Delhi, the company comprises two publicly listed Indian companies, HCL Technologies and HCL Infosystems.

HCL was founded in 1976 by Shiv Nadar, Arjun Malhotra, Subhash Arora, Ajai Chowdhry, DS Puri and Yogesh Vaidya. HCL was focused on addressing the IT hardware market in India for the first two decades of its existence, with some sporadic activity in the global market. In 1981, HCL seeded a company focused on the computer training industry, NIIT, though it has since divested its stake in that company. In 1991, HP took a minority stake (26%) in the company, which was known as HCL HP for the five years of the joint venture. On termination of the joint venture in 1996, HCL became an enterprise comprising HCL Technologies (to address the global IT services market) and HCL Infosystems (to address the Indian and APAC IT hardware market). HCL has since then operated as a holding company.
HCL Infosystems Ltd., a listed subsidiary of HCL, is an India-based hardware and systems integrator. It claims a presence in 170 locations and 300 service centres. Its manufacturing facilities are based in Chennai, Pondicherry and Uttarakhand. Its headquarters is in Noida.

HCL Peripherals (a unit of HCL Infosystems Ltd.), founded in 1983, has established itself as a leading manufacturer of computer peripherals in India, encompassing display products, thin client solutions, information and interactive kiosks and a wide range of networking products and solutions. HCL Peripherals has two manufacturing facilities, one in Pondicherry (electronics) and the other in Chennai (mechanical). The company has been accredited with ISO 9001:2000 and ISO 14001.

As the training arm of HCL Infosystems, HCL Career Development Centre (CDC) carries forth a legacy of excellence spanning more than three decades. HCL CDC is an initiative that enables individuals and organisations to benefit from HCL's deep expertise in the IT space.

Among the fastest growing IT education brands in India, HCL CDC offers a complete spectrum of quality training programs on software, hardware and networking, as well as global certifications in association with leading IT organisations worldwide.
About Project:-
In today’s Internet the two main problems related to the IP protocol are the shortage of IP addresses and scaling in routing. Long-term solutions to these problems are being developed, such as IPv6, but they will take time to be widely adopted. Meanwhile, short-term solutions are proposed and used that postpone the problems for some time. One of these solutions is Network Address Translation (NAT), an implementation of which is the subject of our project.

The principle of NAT is IP address reuse in small and mid-range local networks. NAT relies on the fact that in these environments only a very small percentage of hosts communicate outside their local domain at any given time. That is to say, almost all TCP/IP packets on the local network are destined to hosts in the same local network, so these hosts can have IP addresses that are not globally unique. The NAT module placed at the border router of the domain performs IP address translation inside the IP datagrams passing through it in both directions. When an IP datagram is sent from a local host to the Internet with a local IP address that is not globally unique, the NAT module substitutes a globally unique IP address taken from a pool and sends the datagram out. In the reverse direction the reverse translation is performed.

The changes to a datagram involved in the translation are as follows: change of the source or destination IP address in the IP header; adjustment of the IP header checksum because the header changed; adjustment of the TCP or UDP checksum, because it is computed over a pseudo-header that includes the IP addresses; and rewriting of every place in the data portion of TCP, UDP, ICMP and other packets where a source or destination IP address is carried. It is impossible to perform the correct translation for every possible TCP/IP application, so our implementation of NAT supports a general set of protocols and applications, such as FTP, Telnet, HTTP, ICMP and others.
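The header changes just described, as an added worked example that is not part of the report or of its NAT module: it builds a constructed IPv4/TCP datagram, rewrites the source address the way the NAT module does on the outbound path, and repairs both the IP header checksum and the TCP checksum incrementally (RFC 1624) instead of recomputing them over the whole segment. Function and variable names are my own. UDP is handled too, with the caveat that a UDP checksum of zero means "no checksum" and must be left alone, and that a result of zero is sent as 0xFFFF.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data."""
    return ~ones_complement_sum(data) & 0xFFFF


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): fix a checksum after the bytes
    old_field were replaced by new_field, without re-reading the rest of the data."""
    total = ((~old_csum & 0xFFFF) + (~ones_complement_sum(old_field) & 0xFFFF)
             + ones_complement_sum(new_field))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample input: a minimal IPv4 datagram carrying a TCP SYN with payload."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def snat_ipv4(pkt: bytes, new_src: str) -> bytes:
    """Outbound translation: replace the source address of an IPv4/TCP or IPv4/UDP
    datagram and repair the IP header checksum and the transport checksum, which
    covers a pseudo-header containing the source address."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    old_src, new_src_b = pkt[12:16], socket.inet_aton(new_src)
    out = bytearray(pkt)
    out[12:16] = new_src_b
    ip_csum = struct.unpack_from("!H", pkt, 10)[0]
    struct.pack_into("!H", out, 10, incremental_update(ip_csum, old_src, new_src_b))
    if proto == 6:
        off = ihl + 16              # TCP checksum field
    elif proto == 17:
        off = ihl + 6               # UDP checksum field
    else:
        return bytes(out)           # other protocols: only the IP header changed
    l4_csum = struct.unpack_from("!H", pkt, off)[0]
    if proto == 17 and l4_csum == 0:
        return bytes(out)           # UDP without a checksum: nothing to repair
    new_csum = incremental_update(l4_csum, old_src, new_src_b)
    if proto == 17 and new_csum == 0:
        new_csum = 0xFFFF           # UDP transmits a computed zero as all ones
    struct.pack_into("!H", out, off, new_csum)
    return bytes(out)


def ipv4_header_ok(pkt: bytes) -> bool:
    """Receiver-side check: the one's-complement sum over a valid header is 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def transport_checksum_ok(pkt: bytes) -> bool:
    """Receiver-side check of the TCP/UDP checksum including the IPv4 pseudo-header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    segment = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


if __name__ == "__main__":
    sample = build_ipv4_tcp("10.0.0.5", "203.0.113.7", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    translated = snat_ipv4(sample, "198.51.100.1")
    print(ipv4_header_ok(translated), transport_checksum_ok(translated))
```

The incremental form matters on a router because the TCP checksum covers the whole segment: recomputing it would mean reading every payload byte for every translated packet, whereas RFC 1624 only needs the old checksum, the old address and the new one. The same update applies unchanged to the IP header checksum, since that header also changed by exactly those four bytes.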
Types of NAT
NAT can be implemented using one of three methods:

Static NAT – performs a fixed one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall/router. This also means that any outside host can reach that device through the inside global address, so the translation should be paired with an access list.

Dynamic NAT – utilizes a pool of global addresses to dynamically translate the outbound traffic of clients behind a NAT-enabled device. Once every address in the pool is bound to an inside host, new outbound connections are dropped until an entry times out.

NAT Overload or Port Address Translation (PAT) – translates the outbound traffic of clients to unique port numbers on a single global address. PAT is necessary when the number of internal clients exceeds the available global addresses.

NAT Terminology

Specific terms are used to identify the various NAT addresses:

• Inside Local – the specific IP address assigned to an inside host behind a NAT-enabled device (usually a private address).
• Inside Global – the address that identifies an inside host to the outside world (usually a public address). Essentially, this is the dynamically or statically assigned public address of a private host.
• Outside Global – the address assigned to an outside host (usually a public address).
• Outside Local – the address that identifies an outside host to the inside network. Often this is the same address as the Outside Global. However, it is occasionally necessary to translate an outside (usually public) address to an inside (usually private) address.
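To make the three methods and the four terms concrete, here is an added example (my own code, not from the report and not Cisco IOS configuration): a single translation table driven by a static map, a dynamic pool, or PAT on one address, using the inside local / inside global naming above. It shows the failure mode of each method: static NAT translating nothing for an unmapped host, dynamic NAT dropping new connections once the pool is bound, and PAT moving a colliding source port to the next free one. The inbound path shows the security difference between them: a bound address accepts any port from outside, while PAT holds no entry for unsolicited traffic. Class and method names are my own.

```python
from typing import Dict, List, Optional, Tuple


class NoTranslation(Exception):
    """No inside global address (or port) could be allocated; the packet is dropped,
    which is what a router does when a dynamic pool has run dry."""


Mapping = Tuple[str, int]          # (inside global address, global port)


class NatTable:
    """One translation table driven by one of three allocation policies.

    mode      : "static", "dynamic" or "pat"
    pool      : inside global addresses available to dynamic NAT / PAT
    static_map: inside local -> inside global for static NAT
    """

    def __init__(self, mode: str, pool: List[str], static_map: Optional[Dict[str, str]] = None,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError(mode)
        self.mode = mode
        self.pool = list(pool)
        self.static_map = dict(static_map or {})
        self.port_range = port_range
        self.outbound: Dict[Tuple[str, int, str], Mapping] = {}          # (local ip, local port, proto)
        self.inbound: Dict[Tuple[str, int, str], Tuple[str, int]] = {}  # (global ip, global port, proto)
        self.address_binding: Dict[str, str] = {}                         # dynamic NAT: local ip -> global ip

    def translate_out(self, local_ip: str, local_port: int, proto: str) -> Mapping:
        """Outbound packet: return (inside global, port) for its source, creating the entry."""
        key = (local_ip, local_port, proto)
        if key in self.outbound:
            return self.outbound[key]
        if self.mode == "static":
            if local_ip not in self.static_map:
                raise NoTranslation("no static entry for " + local_ip)
            mapping = (self.static_map[local_ip], local_port)
        elif self.mode == "dynamic":
            mapping = (self._bind_address(local_ip), local_port)
        else:  # pat: one global address, the ports tell the inside hosts apart
            global_ip = self.pool[0]
            mapping = (global_ip, self._allocate_port(global_ip, local_port, proto))
        self.outbound[key] = mapping
        self.inbound[(mapping[0], mapping[1], proto)] = (local_ip, local_port)
        return mapping

    def translate_in(self, global_ip: str, global_port: int, proto: str) -> Optional[Tuple[str, int]]:
        """Inbound packet: return (inside local, port), or None when the packet must be dropped.

        Static and dynamic NAT bind a whole address, so any port on a bound inside global
        reaches the inside host. PAT only knows the ports it handed out, so an unsolicited
        inbound packet finds no entry."""
        hit = self.inbound.get((global_ip, global_port, proto))
        if hit is not None:
            return hit
        bindings = self.static_map if self.mode == "static" else self.address_binding
        if self.mode != "pat":
            for local_ip, bound_global in bindings.items():
                if bound_global == global_ip:
                    return (local_ip, global_port)
        return None

    def _bind_address(self, local_ip: str) -> str:
        if local_ip in self.address_binding:
            return self.address_binding[local_ip]
        in_use = set(self.address_binding.values())
        for candidate in self.pool:
            if candidate not in in_use:
                self.address_binding[local_ip] = candidate
                return candidate
        raise NoTranslation("dynamic pool exhausted")

    def _allocate_port(self, global_ip: str, preferred: int, proto: str) -> int:
        """Keep the client's source port when it is free on the global address,
        otherwise take the lowest free port in the configured range."""
        lo, hi = self.port_range
        if lo <= preferred <= hi and (global_ip, preferred, proto) not in self.inbound:
            return preferred
        for port in range(lo, hi + 1):
            if (global_ip, port, proto) not in self.inbound:
                return port
        raise NoTranslation("no free ports on " + global_ip)


def translate_or_drop(table: NatTable, local_ip: str, local_port: int, proto: str) -> Optional[Mapping]:
    """Forwarding-path wrapper: None means the packet is dropped."""
    try:
        return table.translate_out(local_ip, local_port, proto)
    except NoTranslation:
        return None


if __name__ == "__main__":
    pat = NatTable("pat", ["198.51.100.9"])
    print(pat.translate_out("10.0.0.1", 40000, "tcp"), pat.translate_out("10.0.0.2", 40000, "tcp"))
    print(pat.translate_in("198.51.100.9", 2222, "tcp"))   # None: no entry, dropped
```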
Team role
Teamwork is work performed by a team towards a common goal. It has also been described as a dynamic process involving two or more healthcare professionals with complementary backgrounds and skills, sharing common health goals and exercising concerted physical and mental effort in assessing, planning, or evaluating patient care.

Workplace activities: Because teamwork is important to a productive and healthy work environment, teamwork activities should be a part of the workplace. Possible activities include job swapping, where workers swap jobs with each other to develop empathy; it also requires workers to help each other learn the jobs. Another idea is to start a team newsletter that provides the latest information on the activities and accomplishments of the team members.

Projects: Projects require that team members work together to achieve a common goal. Projects can involve activities like putting puzzles together or cleaning up or rebuilding a property. Projects typically involve assigning each team member a specific task that he is responsible for completing, which helps to develop trust within the team.
If I consider the teamwork regarding my project, it has been a good exposure for me. The project was assigned to me individually so that I could understand the core of the technology of the project. It has been a great learning experience under the expertise of Manjot Singh (HCL Infosystems trainer), an expert in NAT, PAT, routing, troubleshooting etc. I managed to learn a lot under his teaching. It was an amazing experience which helped me enlarge my knowledge regarding the project through teamwork. I was considered to be the designer and implementor of the NAT technology.
Project Analysis
The main purpose of conducting system analysis is to study the various processes and to find out their requirements. These may include ways of capturing or processing data, producing information, controlling a business activity or supporting management. The determination of requirements entails studying the existing details to find out what these requirements are.

System analysis has been conducted with the following objectives in mind:
1. Identify the customers’ needs.
2. Evaluate the system concept for feasibility.
3. Perform economic and technical analysis.
4. Allocate functions to hardware, software, people, database and other system elements.
5. Establish cost and schedule constraints.
6. Create a system definition that forms the foundation for all subsequent engineering work.

System analysis includes requirement analysis. Requirement analysis is the task of discovery, refinement, modeling and specification. It allows the software engineer to refine the software allocation and build models of the data, functional, and beh
avioral domains that will be treated by software. The requirement specification provides the developer and the customer with the means to assess quality once the software is built.

During the analysis phase of this project the following set of principles was considered:
1. The information domain of a problem must be represented and understood.
2. The functions that the software is to perform must be defined.
3. The behavior of the software must be represented.
4. The models that depict information, function and behavior must be partitioned in a manner that uncovers detail in a layered fashion.

The analysis process should move from essential information towards implementation detail.
Feasibility Study
It is a very important aspect of any project report. There is always a chance of manual error, and there is a cost factor which depends upon the size of the work. Feasibility studies aim to objectively and rationally uncover the strengths and weaknesses of the existing business or proposed venture, the opportunities and threats presented by the environment, the resources required to carry it through, and ultimately the prospects for success. In its simplest terms, the two criteria to judge feasibility are the cost required and the value to be attained. As such, a well-designed feasibility study should provide a historical background of the business or project, a description of the product or service, accounting statements, details of the operations and management, marketing research and policies, financial data, legal requirements and tax obligations. Generally, feasibility studies precede technical development and project implementation.
Technical Feasibility
In the preliminary investigation phase, we examine the feasibility of the project. We find out how likely it is that the network we establish will be useful to the organization, and determine whether the solution is viable or not. For this purpose, the analyst clearly establishes the feasibility of each alternative, testing for benefits, costs and other resources.
Behavioral / Operational Feasibility
For any network implemented and used by an organization, its behavioral nature must be analyzed. For example, if an organization wants to give many systems Internet access through a single Internet service provider connection, this can be done with the help of NAT.
Operational feasibility is a measure of how well a proposed system solves the problems and takes advantage of the opportunities identified during scope definition, and how well it satisfies the requirements identified in the requirements analysis phase of system development.
Economical Feasibility
Economic analysis is the most frequently used method for evaluating the effectiveness of a new system. More commonly known as cost/benefit analysis, the procedure is to determine the benefits and savings that are expected from a candidate system and compare them with the costs. If the benefits outweigh the costs, then the decision is made to design and implement the system. An entrepreneur must accurately weigh the costs against the benefits before taking action.
Cost-based study: It is important to identify cost and benefit factors, which can be categorized as follows: 1. Development costs; and 2. Operating costs. This is an analysis of the costs to be incurred in the system and the benefits derivable out of the system.
Time-based study: This is an analysis of the time required to achieve a return on investments. The future value of a project is also a factor.
S/W & H/W Requirement specification
The information in this document is based on these software and hardware versions:

• Cisco 2500 Series Routers
• Cisco IOS® Software Release 12.2(10b)
• Cisco switches
• Cisco hubs
• Wireless device
• Copper straight-through cable
• Copper cross-over cable
• Fiber optic cable
• Coaxial cable
• Serial DCE cable
• Serial DTE cable
• Windows XP
• Windows Server 2003
• Server and client machines

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. The NAT concepts described here are not restricted to these specific software and hardware versions.
Requirements Analysis
1. Elicitation-determine the operational requirements
(User needs and customer expectations).
2. Analysis-translate operational requirements into technical specifications.
3. Documentation-record the operational requirements and technical
specifications.
4. Verification-check that specifications are complete, correct and consistent with needs and expectations.
5. Generate acceptance test scenarios
6. Requirements Management-control changes to requirements
Protocol Used
Transmission Control Protocol
As in the incoming translation thread, connections are established and terminated according to the SYN and FIN flags, and the handling is the same in both directions. The special case here is the FTP command connection (we detect it by destination port number 21 in the TCP header). Its data portion can carry the source IP address in ASCII form inside a PORT command, which must be translated along with the source IP in the IP header. We then need to recompute the TCP checksum, because it covers the whole TCP segment including the data. We must also fix the IP total length field, because the replaced address was written in ASCII and the new one may be shorter or longer. Because the segment length changes, the sequence numbers of all later segments on this connection, and the acknowledgement numbers in the reverse direction, have to be adjusted by the same difference.
When the SYN flag is set, a TCP connection is being established, so we must trace the TCP three-way handshake to be sure that the connection has been established, and then raise a flag in the translation table telling that there is an active TCP connection in this entry. When the FIN flag is set, a TCP connection is being terminated, so we must trace the TCP connection shutdown to be sure that the connection has been closed. (An RST segment in either direction also ends the connection immediately.) Then we clear the flag, and this entry can be reclaimed in case of a shortage of global IP addresses.
The fields of a translation table entry are:

Local_IP - The local IP address of the local host.
Global_IP - The globally unique IP address that is bound to the local IP while this entry is in use.
Conn Protocol - Identifies which type of connection this host is using: TCP or other. Used in the timeout detection algorithm (described below).
Timestamp - Also used in the timeout detection algorithm. This field is updated each time this entry is used, i.e. whenever an IP packet is sent from or to this IP address. Thus we can always find the entry with the longest idle session.
TCP_State - Reflects the current state of the TCP connection, for use with the timeout detection algorithm. Used to trace when the TCP connection is completely established or shut down.
ICMP
When an ICMP error message arrives, besides the regular NAT translation of the IP header, we also need to change the ICMP data field, because it contains the IP header plus the first 8 bytes of data of the original IP datagram that caused the problem. We need to fix the IP address in this embedded header (inside the ICMP data field), the embedded header's own checksum, and the ICMP checksum as well. The rest of the protocols supported by this implementation need no changes in their headers and data.
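The SYN/FIN tracking, the FTP PORT translation and the table fields above, as one added example (my code, not the report's NAT module; names such as TcpTracker, Entry, reclaim_candidate and rewrite_ftp_port are mine): a per-entry TCP state machine that sets the active flag only after the three-way handshake and clears it after both FINs or an RST; a reclaim rule that frees closed entries first and otherwise the longest-idle entry past its limit, with a short limit for half-open connections so a flood of bare SYNs cannot pin the whole pool; and an FTP ALG that rewrites the ASCII address in PORT, reports the change in segment length, and refuses to translate a PORT that names any address other than the connection's own inside local, since honouring it would let an inside client open an inbound hole toward a third host. The idle limits are assumptions chosen for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class TcpTracker:
    """TCP_State for one table entry: follows the three-way handshake so the entry
    counts as active only once the connection exists, and follows the two FINs
    (or an RST) so it is released only once the connection is gone."""

    def __init__(self) -> None:
        self.state = "NONE"
        self.fin_directions = set()

    def observe(self, flags: int, outbound: bool) -> str:
        if flags & RST:
            self.state = "CLOSED"
        elif self.state == "NONE" and flags & SYN and not flags & ACK and outbound:
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and flags & SYN and flags & ACK and not outbound:
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and flags & ACK:
            self.state = "ESTABLISHED"
        elif self.state in ("ESTABLISHED", "FIN_WAIT") and flags & FIN:
            self.fin_directions.add(outbound)          # one FIN per direction
            self.state = "LAST_ACK" if len(self.fin_directions) == 2 else "FIN_WAIT"
        elif self.state == "LAST_ACK" and flags & ACK:
            self.state = "CLOSED"
        return self.state

    @property
    def active(self) -> bool:
        """The flag the table keeps: raised after the handshake, cleared after shutdown."""
        return self.state in ("ESTABLISHED", "FIN_WAIT", "LAST_ACK")


@dataclass
class Entry:
    local_ip: str
    global_ip: str
    proto: str                        # Conn Protocol: "tcp" or "other"
    timestamp: float                  # last time a packet used this entry
    tcp: Optional[TcpTracker] = None  # TCP_State, for TCP entries only


def reclaim_candidate(entries: List[Entry], now: float, tcp_idle: float = 86400.0,
                      half_open_idle: float = 60.0, other_idle: float = 300.0) -> Optional[Entry]:
    """Timeout detection: when the global pool is exhausted, pick the entry to free.
    A closed TCP entry goes first; otherwise the longest-idle entry that exceeded the
    idle limit for its state; None means every entry is still live."""
    best = None
    for e in entries:
        idle = now - e.timestamp
        if e.proto == "tcp" and e.tcp is not None:
            if e.tcp.state == "CLOSED":
                return e
            limit = tcp_idle if e.tcp.active else half_open_idle
        else:
            limit = other_idle
        if idle >= limit and (best is None or idle > now - best.timestamp):
            best = e
    return best


PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def rewrite_ftp_port(payload: bytes, inside_local: str,
                     inside_global: str) -> Tuple[bytes, int, Optional[int]]:
    """FTP ALG for the control connection (destination port 21). Returns the new
    payload, the change in length (to add to the IP total length before the TCP
    checksum is recomputed and later sequence/acknowledgement numbers are offset)
    and the data port the client announced, so the NAT can pre-create the inbound
    entry for the server's data connection."""
    m = PORT_RE.match(payload)
    if m is None:
        return payload, 0, None
    announced = ".".join(g.decode() for g in m.groups()[:4])
    if announced != inside_local:
        # A client can put any address here. Translating it and opening a pinhole
        # for it would aim the server at a third party, so leave such commands alone.
        return payload, 0, None
    data_port = int(m.group(5)) * 256 + int(m.group(6))
    new = (b"PORT " + inside_global.replace(".", ",").encode()
           + b"," + m.group(5) + b"," + m.group(6) + b"\r\n")
    return new, len(new) - len(payload), data_port


if __name__ == "__main__":
    tracker = TcpTracker()
    for flags, outbound in ((SYN, True), (SYN | ACK, False), (ACK, True)):
        tracker.observe(flags, outbound)
    entry = Entry("10.0.0.5", "198.51.100.1", "tcp", time.time(), tracker)
    print(entry.tcp.state, rewrite_ftp_port(b"PORT 10,0,0,5,4,1\r\n", "10.0.0.5", "198.51.100.1"))
```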
Work Flow Diagram
DESIGN
System Design
Modules
The project will consist of four main modules:
1. The NAT gateway module
2. The packet monitor module
3. The MAC level API
4. The IP level API

Modules interaction:
The NAT gateway
The NAT module, which sits between the local network and the router as described in the introduction, is composed of four threads in two pairs. Each pair performs a similar task, but in the opposite direction.

The threads are:
Listhen_Local_thread,
Listhen_Global_thread,
Translate_To_Local_thread,

The threads cooperate through common data structures, which are:
Ip_translation_Table,
Local_Ip_Packet_Buff,
Global_Ip_Packet_Buff.

In addition, each thread communicates with the appropriate network through the IP API.
NAT gateway modules interaction:
The packet monitor
The packet monitor will be implemented as a stand-alone Windows application. It can be used on any NT machine which has the PACKET32.DLL device driver installed (this driver is needed to access a NIC directly). The monitor is capable of displaying and filtering packets at the MAC, IP and upper layers. Monitor results can be saved to a disk file for printing, for studying TCP/IP protocols, and for debugging network problems.

The blocks are:

Receiver - A thread looping infinitely that receives all packets passing through the chosen NIC. It listens on the NIC in promiscuous mode, and thus gets all the packets that pass on the wire, not only those destined to that NIC or broadcast. Whenever a packet arrives, it puts it in the frame buffer and notifies the Filter and Display module that there is a packet to process. This takes very little time, and it continues to listen for the next packet, so the chance of losing packets because of processing is small and depends on the size of the frame buffer.

Frame buffer - Implemented as a circular queue. Size is user configurable. The elements of the queue are buffers of 1514 bytes each, the maximum size of an Ethernet frame (1500 bytes of data plus 14 bytes of header).

Filter and Display - Performs decoding of the frame received from the frame buffer. Decoding is performed from the bottom up, i.e. MAC frame type, then IP protocol type (TCP, UDP, ICMP), then TCP/UDP port, etc. Discards packets that do not match the current filtering mode. Filtering can be performed by:
1. Packet type: All, IP, ICMP, ARP/RARP, TCP and UDP
2. Source address: MAC/IP
3. Destination address: MAC/IP

Monitor Main Window and Control - The monitor is a menu-driven Windows application, so it has a main window procedure which processes all messages sent to it. That includes messages from the menu (i.e. the user) or from inner tasks (Receiver thread, Display module). It also controls the whole monitoring process, i.e. starts/stops monitoring and saves results to disk.
The MAC level API
Set of data structures and functions enabling access to Ethernet frames. Direct access to packets is achieved through the device driver PACKET32.DLL (it is given, and not a part of our project).

Data structures needed include:
ETHERADR - Ethernet 6-byte address;
ETHERHDR - Ethernet header (old format, RFC 894);
ETHER802HDR - Ethernet header (IEEE 802.3 format, RFC 1042);

Also a set of constants related to these structures is defined, such as the maximum frame size and the encapsulated protocol types. All low-level functions of the MAC level are already provided by the device driver PACKET32.DLL, such as PacketReceivePacket(), PacketSendPacket() and so on. So we need only implement some miscellaneous functions which will be useful in the Packet Monitor.
The IP level API
Set of data structures and functions for working with IP datagrams. Uses the MAC level API to receive/send IP datagrams.

Data structures needed include:
IPADR - IP address;
IPHDR - IP header;

Also a set of constants related to these structures is defined, such as the encapsulated protocol type.

Functions needed:
IPGetPacket(LPADAPTER lpadp, BYTE *buf) - Listen for the next incoming IP datagram;
IPSendPacket(LPADAPTER lpadp, BYTE *buf) - Send an IP datagram;
char *IPAddrToStr(PIPADR p, char *str) - Convert an IP address to a string;
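The decoding order described for the Filter and Display block and the two header formats of the MAC level API (an RFC 894 type field versus an IEEE 802.3 length followed by LLC/SNAP as in RFC 1042), as an added example (my code, not the report's monitor and not PACKET32.DLL; names such as decode_frame and Filter are mine). It decodes constructed frames bottom-up and applies the monitor's three filter criteria. The sample frames are constructed inline and leave the IP header checksum zero, because the monitor displays rather than verifies it.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MAX_FRAME = 1514                                  # 1500 bytes of data + 14-byte header
ETH_HDR = struct.Struct("!6s6sH")                 # dst MAC, src MAC, type (RFC 894) or length (802.3)
ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_RARP = 0x0800, 0x0806, 0x8035


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


@dataclass
class Decoded:
    kind: str                      # "IP", "ICMP", "TCP", "UDP", "ARP", "RARP" or "OTHER"
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def decode_frame(frame: bytes) -> Decoded:
    """Bottom-up decode: Ethernet header, then IPv4, then the TCP/UDP ports."""
    if not 14 <= len(frame) <= MAX_FRAME:
        raise ValueError("not an Ethernet frame: %d bytes" % len(frame))
    dst, src, type_or_len = ETH_HDR.unpack_from(frame)
    d = Decoded("OTHER", mac_str(src), mac_str(dst))
    offset = ETH_HDR.size
    if type_or_len <= 1500:                       # IEEE 802.3: a length, not a type
        if frame[offset:offset + 3] != b"\xaa\xaa\x03":
            return d                              # LLC without SNAP: not decoded further
        ethertype = struct.unpack_from("!H", frame, offset + 6)[0]  # after LLC (3) + OUI (3)
        offset += 8
    else:
        ethertype = type_or_len
    if ethertype == ETHERTYPE_ARP:
        d.kind = "ARP"
        return d
    if ethertype == ETHERTYPE_RARP:
        d.kind = "RARP"
        return d
    if ethertype != ETHERTYPE_IP:
        return d
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return d
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    d.kind, d.src_ip, d.dst_ip = "IP", socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 1:
        d.kind = "ICMP"
    elif proto in (6, 17) and len(l4) >= 4:
        d.kind = "TCP" if proto == 6 else "UDP"
        d.src_port, d.dst_port = struct.unpack_from("!HH", l4)
    return d


@dataclass
class Filter:
    """The monitor's three filter criteria; None means 'any'."""
    kind: str = "All"              # All, IP, ICMP, ARP/RARP, TCP, UDP
    src: Optional[str] = None      # MAC or IP address text
    dst: Optional[str] = None

    def matches(self, d: Decoded) -> bool:
        if self.kind == "All":
            ok = True
        elif self.kind == "IP":
            ok = d.kind in ("IP", "ICMP", "TCP", "UDP")
        elif self.kind == "ARP/RARP":
            ok = d.kind in ("ARP", "RARP")
        else:
            ok = d.kind == self.kind
        return ok and self.src in (None, d.src_mac, d.src_ip) and self.dst in (None, d.dst_mac, d.dst_ip)


def make_ip_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str, proto: int,
                  l4: bytes, snap: bool = False) -> bytes:
    """Constructed sample frames; the IP header checksum is left zero on purpose."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    if snap:
        llc_snap = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", ETHERTYPE_IP)
        length = len(llc_snap) + len(ip_hdr) + len(l4)
        return ETH_HDR.pack(dst_mac, src_mac, length) + llc_snap + ip_hdr + l4
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IP) + ip_hdr + l4


MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_UDP = make_ip_frame(MAC_A, MAC_B, "10.0.0.5", "198.51.100.53", 17,
                           struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd")
SAMPLE_TCP_SNAP = make_ip_frame(MAC_A, MAC_B, "10.0.0.5", "203.0.113.7", 6,
                                struct.pack("!HHIIBBHHH", 40001, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0),
                                snap=True)
SAMPLE_ARP = (ETH_HDR.pack(MAC_A, MAC_B, ETHERTYPE_ARP) + b"\x00\x01\x08\x00\x06\x04\x00\x01"
              + MAC_B + socket.inet_aton("10.0.0.1") + bytes(6) + socket.inet_aton("10.0.0.5"))
```

The 1500-byte threshold is what separates the two Ethernet header formats in practice: a value in the type/length field above 1500 (0x05DC) is an EtherType, anything at or below it is an 802.3 length and the protocol identification has to be looked up in the SNAP header that follows.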
Implementation and Maintenance
VLAN
I think it’s about time to give you some actual examples to make this clear to you. This example shows you how to configure four things:
1. How to configure a port connected to an IP phone to use the CoS value for classifying incoming traffic
2. How to configure the port to use IEEE 802.1p priority tagging for voice traffic
3. How to configure it to use the Voice VLAN (10) to carry all voice traffic
4. And last, how to configure VLAN 3 to carry PC data
Configuring Inter-VLAN Routing
ISR#config t
ISR(config)#int f0/0.1
ISR(config-subif)#encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
ISR(config-subif)#
Notice that my 2811 router (named ISR) only supports 802.1Q. We’d need an older-model router to run the ISL encapsulation, but why bother? The subinterface number is only locally significant, so it doesn’t matter which subinterface numbers are configured on the router. Most of the time, I’ll configure a subinterface with the same number as the VLAN I want to route; it’s easy to remember that way, since the subinterface number is used only for administrative purposes. It’s really important that you understand that each VLAN is a separate subnet. True, I know, they don’t have to be. But it really is a good idea to configure your VLANs as separate subnets, so just do that. Now, I need to make sure you’re fully prepared to configure inter-VLAN routing, as well as determine the port IP addresses of hosts connected in a switched VLAN environment. And as always, it’s also a good idea to be able to fix any problems that may arise. To set you up for success, let me give you a few examples.
By this point in the book, you should be able to determine the IP address, masks, and default gateways of each of the hosts in the VLANs. The next step after that is to figure out which subnets are being used. By looking at the router configuration in the figure, you can see that we’re using 192.168.1.64/26 with VLAN 1 and 192.168.1.128/27 with VLAN 10. And by looking at the switch configuration, you can see that ports 2 and 3 are in VLAN 1 and port 4 is in VLAN 10. This means that HostA and HostB are in VLAN 1 and HostC is in VLAN 10.
Here’s what the hosts’ IP addresses should be:

HostA: 192.168.1.66, 255.255.255.192, default gateway 192.168.1.65
HostB: 192.168.1.67, 255.255.255.192, default gateway 192.168.1.65
HostC: 192.168.1.130, 255.255.255.224, default gateway 192.168.1.129

The hosts could be any address in the range; I just chose the first available IP address after the default gateway address. That wasn’t so hard, was it?
Inter-VLAN example 2
[Figure: Inter-VLAN example 2 – hosts HostA through HostF in VLANs 1, 2 and 3 on switch ports Fa0/1 to Fa0/6, router interface Fa0/0, link to the Internet]

The configuration of the switch would look something like this:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/5
2960(config-if)#switchport access vlan 3
2960(config-if)#int f0/6
2960(config-if)#switchport access vlan 2
Before we configure the router, we need to design our logical network:

VLAN 1: 192.168.10.16/28
VLAN 2: 192.168.10.32/28
VLAN 3: 192.168.10.48/28

The configuration of the router would then look like this:

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 192.168.10.17 255.255.255.240
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 192.168.10.33 255.255.255.240
ISR(config-subif)#int f0/0.3
ISR(config-subif)#encapsulation dot1q 3
ISR(config-subif)#ip address 192.168.10.49 255.255.255.240
The hosts in each VLAN would be assigned an address from their subnet range, and the default gateway would be the IP address assigned to the router’s subinterface in that VLAN. Now, let’s take a look at another figure and see if you can determine the switch and router configurations without looking at the answer (no cheating!). Figure 9.11 shows a router connected to a 2960 switch with two VLANs. One host in each VLAN is assigned an IP address. What are your router and switch configurations based on these IP addresses? Since the hosts don’t list a subnet mask, you have to look at the number of hosts used in each VLAN to figure out the block size. VLAN 1 has 85 hosts and VLAN 2 has 115 hosts. Each of these will fit in a block size of 128, which is a /25 mask, or 255.255.255.128.
Inter-VLAN example 3
[Figure: Inter-VLAN example 3 – VLAN 1 with 85 hosts, HostA 172.16.10.126; VLAN 2 with 115 hosts, HostB 172.16.10.129; switch ports F0/1, F0/2 and F0/3]

You should know by now that the subnets are 0 and 128; the 0 subnet (VLAN 1) has a host range of 1–126, and the 128 subnet (VLAN 2) has a range of 129–254. You could almost be fooled, since HostA has an IP address of 126, which makes it almost seem that HostA and HostB are in the same subnet. But they’re not, and you’re way too smart by now to be fooled by this one!

Here is the switch configuration:

2960#config t
2960(config)#int f0/1
2960(config-if)#switchport mode trunk
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 1
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 2

Here is the router configuration:

ISR#config t
ISR(config)#int f0/0
ISR(config-if)#no ip address
ISR(config-if)#no shutdown
ISR(config-if)#int f0/0.1
ISR(config-subif)#encapsulation dot1q 1
ISR(config-subif)#ip address 172.16.10.1 255.255.255.128
ISR(config-subif)#int f0/0.2
ISR(config-subif)#encapsulation dot1q 2
ISR(config-subif)#ip address 172.16.10.254 255.255.255.128
I used the first address in the host range for VLAN 1 and the last address in the range for VLAN 2, but any address in the range would work. You just have to configure the host’s default gateway to whatever you make the router’s address.

Now, before we go on to the next example, I need to make sure you know how to set the IP address on the switch. Since VLAN 1 is typically the administrative VLAN, we’ll use an IP address from that pool of addresses. Here’s how to set the IP address of the switch (I’m not nagging, but you really should already know this!):

2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 172.16.10.2 255.255.255.128
2960(config-if)#no shutdown

Yes, you have to do a no shutdown on the VLAN interface. One more example, and then we’ll move on to VTP, another important subject that you definitely don’t want to miss! In Figure 9.12 there are two VLANs. By looking at the router configuration, what’s the IP address, mask, and default gateway of HostA? Use the last IP address in the range for HostA’s address:
Inter-VLAN example 4
[Figure: Inter-VLAN example 4 – HostA in VLAN 1 and HostB in VLAN 2 on switch ports F0/1, F0/2 and F0/3; the address 192.168.10.17 appears in the figure]

Router#config t
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 192.168.10.129 255.255.255.240
Router(config-subif)#int f0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.10.46 255.255.255.240
If you really look carefully at the router configuration (the hostname in this figure is just Router), there is a simple and quick answer. Both subnets are using a /28, or 255.255.255.240 mask, which is a block size of 16. The router’s address for VLAN 1 is in subnet 128. The next subnet is 144, so the broadcast address of VLAN 1 is 143 and the valid host range is 129–142.
So the host address would be this:
IP Address:192.168.10.142Mask:255.255.255.240Default Gateway:192.168.10.129Configuring VTP All Cisco switches are configured to be VTP servers by default. To configure VTP, first you have to configure the domain name you want to use. And of course, once you configure the VTP information on a switch, you need to verify it
VTP
When you create the VTP domain, you have a bunch of options, including setting the domain name, password, operating mode, and pruning capabilities of the switch. Use the vtp global con- figuration mode command to set all this information. In the following example, I’ll set the S1 switch to vtp server, the VTP domain to Lammle, and the VTP password to todd:By default, only hosts that are members of the same VLAN can communicate. To change this and allow inter-VLAN communication, you need a router or a layer 3 switch. I’m going to start with the router approach.To support ISL or 802.1Q routing on a Fast Ethernet interface, the router’s interface is divided into logical interfaces—one for each VLAN. These are called sub interfaces. From a Fast Ethernet or Gigabit interface, you can set the interface to trunk with the encapsulation command:
S1#config t
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S1(config)#vtp password todd
Setting device VLAN database password to todd
S1(config)#do show vtp password
VTP Password: todd
S1(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x15 0x54 0x88 0xF2 0x50 0xD9 0x03 0x07
Configuration last modified by 192.168.24.6 at 3-14-93 15:47:32
Local updater ID is 192.168.24.6 on interface Vl1 (lowest numbered VLAN interface found)

Please make sure you remember that all switches are set to VTP server mode by default, and if you want to change any VLAN information on a switch, you absolutely must be in VTP server mode. After you configure the VTP information, you can verify it with the show vtp command as shown in the preceding output. The preceding switch output shows the VTP domain, the VTP password, and the switch's mode.
Before we move onward to configuring the Core and the S2 switch with VTP information, take a minute to reflect on the fact that the show vtp status output shows that the maximum number of VLANs supported locally is only 255. Since you can create over 1,000 VLANs on a switch, this seems like it would definitely be a problem if you have more than 255 VLANs and you're using VTP. And, well, yes, it is a problem: if you are trying to configure the 256th VLAN on a switch, you'll get a nice little error message stating that there are not enough hardware resources available, and then it will shut down the VLAN and the 256th VLAN will show up in suspended state in the output of the show vlan command. Not so good! Let's go to the Core and S2 switches and set them into the Lammle VTP domain. It is very important to remember that the VTP domain name is case sensitive! VTP is not forgiving: one teeny small mistake and it just won't work.
Core#config t
Core(config)#vtp mode client
Setting device to VTP CLIENT mode.
Core(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
Core(config)#vtp password todd
Setting device VLAN database password to todd
Core(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2A 0x6B 0x22 0x17 0x04 0x4F 0xB8 0xC2
Configuration last modified by 192.168.10.19 at 3-1-93 03:13:16
Local updater ID is 192.168.24.7 on interface Vl1 (first interface found)

S2#config t
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain Lammle
Changing VTP domain name from null to Lammle
S2(config)#vtp password todd
Setting device VLAN database password to todd
S2(config)#do show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : Lammle
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x02 0x11 0x18 0x4B 0x36 0xC5 0xF4 0x1F
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Let's take a look using the show vlan brief command on the Core and S2 switch:

Core#sh vlan brief
VLAN Name                 Status    Ports
---- -------------------- --------- ---------------------
1    default              active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19,
                                    Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    Sales                active
3    Marketing            active
4    Accounting           active

S2#sh vlan bri
VLAN Name                 Status    Ports
---- -------------------- --------- ---------------------
1    default              active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
2    Sales                active
3    Marketing            active
4    Accounting           active
Troubleshooting VTP
You connect your switches with crossover cables, the lights go green on both ends, and you're up and running! Yeah, in a perfect world, right? Don't you wish it was that easy? Well, actually, it pretty much is, without VLANs, of course. But if you're using VLANs, and you definitely should be, then you need to use VTP if you have multiple VLANs configured in your switched network. But here there be monsters: If VTP is not configured correctly, it (surprise!) will not work, so you absolutely must be capable of troubleshooting VTP. Let's take a look at a couple of configurations and solve the problems. Study the output from the two following switches:

SwitchA#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SwitchB#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : GlobalNet
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

So what's happening with these two switches? Why won't they share VLAN information? At first glance, it seems that both servers are in VTP server mode, but that's not the problem. Servers in VTP server mode will share VLAN information using VTP. The problem is that they're in two different VTP domains. SwitchA is in VTP domain RouterSim and SwitchB is in VTP domain GlobalNet. They will never share VTP information because the VTP domain names are configured differently.
Now that you know how to look for common VTP domain configuration errors in your switches, let's take a look at another switch configuration:

SwitchC#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Client
VTP Domain Name : Todd
VTP Pruning Mode : Disabled
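The domain-name check above, turned into a small script. This is an added example and not a Cisco tool: it parses show vtp status output into fields, reports why two switches would not share VLAN information, and flags which switch would win on Configuration Revision once the domains do match. The two sample outputs are constructed to carry the SwitchA and SwitchB values from the report.

```python
# Added example (not a Cisco tool): parse the "show vtp status" output shown
# above and explain why two switches will not exchange VLAN information.
# The two sample outputs are constructed to carry the SwitchA and SwitchB
# values from the report; the checks are this example's own.
import re

SWITCH_A = """\
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : RouterSim
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
"""

# SwitchB differs from SwitchA only in its revision (1) and domain (GlobalNet).
SWITCH_B = SWITCH_A.replace(": 0\n", ": 1\n").replace("RouterSim", "GlobalNet")


def parse_vtp_status(text):
    """Turn each 'Label : value' line into a dict entry keyed by the label."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            status[m.group(1)] = m.group(2)
    return status


def can_change_vlans(status):
    """Only a switch in VTP server mode may add, rename or delete VLANs."""
    return status.get("VTP Operating Mode") == "Server"


def vtp_sync_problems(name_a, a, name_b, b):
    """Reasons the two switches would not share VLANs; empty list if none found."""
    problems = []
    dom_a, dom_b = a.get("VTP Domain Name"), b.get("VTP Domain Name")
    if dom_a != dom_b:  # exact, case-sensitive comparison, just as VTP does it
        problems.append(f"{name_a} is in domain {dom_a!r} but {name_b} is in "
                        f"domain {dom_b!r}; the names must match exactly")
    modes = {a.get("VTP Operating Mode"), b.get("VTP Operating Mode")}
    if "Transparent" in modes:
        problems.append("a Transparent switch keeps its own VLAN database and "
                        "only forwards VTP advertisements")
    if modes == {"Client"}:
        problems.append("both switches are clients, so neither can create VLANs")
    if a.get("VTP Version") != b.get("VTP Version"):
        problems.append("VTP versions differ")
    return problems


def revision_winner(name_a, a, name_b, b):
    """Within one domain the higher Configuration Revision overwrites the other
    switch's VLAN database; returns the name that would win, or None on a tie."""
    rev_a = int(a.get("Configuration Revision", 0))
    rev_b = int(b.get("Configuration Revision", 0))
    if rev_a == rev_b:
        return None
    return name_a if rev_a > rev_b else name_b


if __name__ == "__main__":
    sa, sb = parse_vtp_status(SWITCH_A), parse_vtp_status(SWITCH_B)
    for p in vtp_sync_problems("SwitchA", sa, "SwitchB", sb):
        print("problem:", p)
    print("higher revision:", revision_winner("SwitchA", sa, "SwitchB", sb))
```

Checking the revision before joining a switch to an existing domain is worth the minute: a stale switch with a higher revision will replace the domain's VLAN database, not the other way round.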
Configuring Static NAT
The first step to configure Static NAT is to identify the inside (usually private) and outside (usually public) interfaces:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
To statically map a public address to a private address, the syntax is as follows:
Router(config)#ip nat inside source static 172.16.1.1 158.80.1.40
This command performs a static translation of the source address 172.16.1.1 (located on the inside of the network) to the outside address of 158.80.1.40.
Configuring Dynamic NAT
When configuring Dynamic NAT, the inside and outside interfaces must first be identified:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Next, a pool of global addresses must be specified. Inside hosts will dynamically choose the next available address in this pool when communicating outside the local network:
Router(config)#ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
The above command specifies that the pool named POOLNAME contains a range of public addresses from 158.80.1.1 through 158.80.1.50.
Finally, a list of private addresses that are allowed to be dynamically translated must be specified:
Router(config)# ip nat inside source list 10 pool POOLNAME
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255
The first command states that any inside host with a source that matches access-list 10 can be translated to any address in the pool named POOLNAME. The access-list specifies any host on the 172.16.1.0 network.
Configuring NAT Overload (or PAT)
Recall that NAT Overload (or PAT ) is necessary when the number of internal clients exceeds the available global addresses. Each internal host is translated to a unique port number off of a single global address.
Configuring NAT overload is relatively simple:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface Serial0/0 overload
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255
Any inside host with a source that matches access-list 10 will be translated with overload to the IP address configured on the Serial0/0 interface.
To clear all dynamic NAT entries from the translation table:
Quick Start Steps for Configuring and Deploying NAT
When you configure NAT, it is sometimes difficult to know where to begin, especially if you are new to NAT. These steps guide you to define what you want NAT to do and how to configure it:
1. Define NAT inside and outside interfaces.
   o Do users exist off multiple interfaces?
   o Are there multiple interfaces going to the internet?
2. Define what you're trying to accomplish with NAT.
   o Are you trying to allow internal users to access the internet?
   o Are you trying to allow the internet to access internal devices (such as a mail server or web server)?
   o Are you trying to redirect TCP traffic to another TCP port or address?
   o Are you using NAT during a network transition (for example, you changed a server's IP address and, until you can update all the clients, you want the non-updated clients to be able to access the server using the original IP address as well as allow the updated clients to access the server using the new address)?
   o Are you using NAT to allow overlapping networks to communicate?
3. Configure NAT in order to accomplish what you defined above. Based on what you defined in step 2, you need to determine which of the following features to use:
   o Static NAT
   o Dynamic NAT
   o Overloading
   o Any combination of the above
4. Verify the NAT operation.
Each of the following NAT examples guides you through steps 1 through 3 of the Quick Start Steps above. These examples describe some common scenarios in which Cisco recommends you deploy NAT.
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define NAT inside and outside interfaces. You may find it easiest to define your internal network as inside, and the external network as outside. However, the terms internal and external are subject to arbitration as well. The figure below shows an example of this.
Example: Allowing Internal Users to Access the Internet
You may want to allow internal users to access the internet, but you may not have enough valid addresses to accommodate everyone. If all communication with devices in the internet will originate from the internal devices, you need a single valid address or a pool of valid addresses.
The figure below shows a simple network diagram with the router interfaces defined as inside and outside:
In this example, we want NAT to allow certain devices (the first 31 from each subnet) on the inside to originate communication with devices on the outside by translating their invalid address to a valid address or pool of addresses. The pool has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.
Now you are ready to configure NAT. In order to accomplish what is defined above, use dynamic NAT. With dynamic NAT, the translation table in the router is initially empty and gets populated once traffic that needs to be translated passes through the router. (As opposed to static NAT, where a translation is statically configured and is placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each of the inside devices to a unique valid address, or to translate each of the inside devices to the same valid address. This second method is known as overloading. An example of how to configure each method is given below.
Configuring NAT to Allow Internal Users to Access the Internet
NAT Router
interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.
ip nat inside source list 7 pool no-overload
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7
!--- will have the source address translated to an address out of the
!--- NAT pool "no-overload".
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
Note: Cisco highly recommends that you do not configure access lists referenced by NAT commands with permit any. Using permit any can result in NAT consuming too many router resources which can cause network problems.
Notice in the above configuration that only the first 32 addresses from subnet 10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by access-list 7. Therefore, only these source addresses are translated. There may be other devices with other addresses on the inside network, but these won't be translated.
The final step is to verify that NAT is operating as intended.
Configuring NAT to Allow Internal Users to Access the Internet Using Overloading
NAT Router
interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!
!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 172.16.10.1.
ip nat inside source list 7 pool ovrld overload
!
!
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
Note in the second configuration above, the NAT pool "ovrld" only has a range of one address. The keyword overload used in the ip nat inside source list 7 pool ovrld overload command allows NAT to translate multiple inside devices to the single address in the pool.
Configuring NAT for Use During a Network Transition
NAT Router
interface ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip nat outside
!--- Defines Ethernet 0 with an IP address and as a NAT outside interface.
interface ethernet 1
 ip address 172.16.50.1 255.255.255.0
 ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
 ip address 200.200.200.5 255.255.255.252
!--- Defines serial 0 with an IP address. This interface is not
!--- participating in NAT.
ip nat inside source static 172.16.50.8 172.16.10.8
!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.
Note that the inside source NAT command in this example also implies that packets received on the outside interface with a destination address of 172.16.10.8 will have the destination address translated to 172.16.50.8.
The final step is to verify that NAT is operating as intended.
Example: Using NAT in Overlapping Networks
Overlapping networks result when you assign IP addresses to internal devices that are already being used by other devices within the internet. Overlapping networks also result when two companies, both of whom use RFC 1918 IP addresses in their networks, merge. These two networks need to communicate, preferably without having to readdress all their devices. Refer to Using NAT in Overlapping Networks for more information about configuring NAT for this purpose.
Difference between One-to-One Mapping and Many-to-Many
A static NAT configuration creates a one-to-one mapping and translates a specific address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present and enables both inside and outside hosts to initiate a connection. This is mostly useful for hosts that provide application services like mail, web, FTP and so forth. For example:
Router(config)#ip nat inside source static 10.3.2.11 10.41.10.12
Router(config)#ip nat inside source static 10.3.2.12 10.41.10.13
Dynamic NAT is useful when fewer addresses are available than the actual number of hosts to be translated. It creates an entry in the NAT table when the host initiates a connection and establishes a one-to-one mapping between the addresses. But, the mapping can vary and it depends upon the registered address available in the pool at the time of the communication. Dynamic NAT allows sessions to be initiated only from inside or outside networks for which it is configured. Dynamic NAT entries are removed from the translation table if the host does not communicate for a specific period of time which is configurable. The address is then returned to the pool for use by another host.
For example, complete these steps of the detailed configuration:
1. Create a pool of addresses:
   Router(config)#ip nat pool MYPOOLEXAMPLE 10.41.10.1 10.41.10.41 netmask 255.255.255.0
2. Create an access-list for the inside networks that have to be mapped:
   Router(config)#access-list 100 permit ip 10.3.2.0 0.0.0.255 any
3. Associate the access-list 100 that is selecting the internal network 10.3.2.0 0.0.0.255 to be natted to the pool MYPOOLEXAMPLE and then overload the addresses:
   Router(config)#ip nat inside source list 100 pool MYPOOLEXAMPLE overload
Verifying NAT Operation
Once you've configured NAT, verify that it is operating as expected. You can do this in a number of ways: using a network analyzer, show commands, or debug commands. For a detailed example of NAT verification, refer to Verifying NAT Operation and Basic NAT Troubleshooting.
TESTING
Alpha Testing
Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing.
Troubleshooting NAT
To view all current static and dynamic translations:
Router# show ip nat translations
To view whether an interface is configured as an inside or outside NAT interface, and to display statistical information regarding active NAT translations:
Router# show ip nat statistics
To view NAT translations in real-time:
Router# debug ip nat
Beta Testing
Beta testing comes after alpha testing and can be considered a form of external user acceptance testing. Versions of the software, known as beta versions, are released to a limited audience outside of the programming team. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the open public to increase the feedback field to a maximal number of future users.
To view the active NAT translations, pfctl is used with the -s state option. This option will list all the current NAT sessions:
# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
Explanations (first line only):
Interface
Indicates the interface that the state is bound to. The word self will appear if the state is floating.
TCP
The protocol being used by the connection.
192.168.1.35:2132
The IP address (192.168.1.35) of the machine on the internal network. The source port (2132) is shown after the address. This is also the address that is replaced in the IP header.
24.5.0.5:53136
The IP address (24.5.0.5) and port (53136) on the gateway that packets are being translated to.
65.42.33.245:22
The IP address (65.42.33.245) and the port (22) that the internal machine is connecting to.
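A parser for the pfctl -s state lines explained above, added here as an example that is not part of the report or of pf itself. It splits each line into its internal, gateway and remote endpoints and answers the question an incident responder asks of a NAT gateway: which inside host was behind a given translated address and port. The sample lines are constructed from the report's output plus one floating (self) state; pfctl's usual lowercase protocol names and -> arrows are accepted too.

```python
# Added example (not from the report or from pf): a parser for the
# "pfctl -s state" lines shown above that maps a gateway address:port back to
# the internal host behind the NAT. The sample lines are constructed from the
# report's output; a leading interface token ("self" for a floating state) is
# accepted because the explanation above mentions it.
import re

SAMPLE_STATES = """\
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
self tcp 192.168.1.40:3310 -> 24.5.0.5:51000 -> 203.0.113.7:443 ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?"          # optional interface name, or "self"
    r"(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<internal>\S+)\s+-?>\s+"       # internal addr:port (replaced in the header)
    r"(?P<gateway>\S+)\s+-?>\s+"        # translated addr:port on the gateway
    r"(?P<remote>\S+)\s+"               # destination addr:port
    r"(?P<state>\S+)\s*$",
    re.IGNORECASE,
)


def split_endpoint(ep):
    """'24.5.0.5:53136' -> ('24.5.0.5', 53136)."""
    ip, port = ep.rsplit(":", 1)
    return ip, int(port)


def parse_state_line(line):
    """Return a dict for one pfctl -s state line, or None if it does not match."""
    m = STATE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["proto"] = d["proto"].upper()
    for key in ("internal", "gateway", "remote"):
        d[key] = split_endpoint(d[key])
    d["floating"] = d["iface"] == "self"
    return d


def parse_states(text):
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def internal_host_for(states, gateway_ip, gateway_port):
    """Which inside host owned the connection that the outside world saw coming
    from gateway_ip:gateway_port? Returns (internal, proto, remote) or None."""
    for s in states:
        if s["gateway"] == (gateway_ip, gateway_port):
            return s["internal"], s["proto"], s["remote"]
    return None


def sessions_per_internal_host(states):
    """Count of active translations per inside address."""
    counts = {}
    for s in states:
        ip = s["internal"][0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```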
SNAP SHOTS
Simple Static routing In NAT:-
Dynamic Routing In NAT:
Dynamic Routing With Clock Rate In NAT:-
EIGRP In NAT:-
Inter V-Lan 1 In NAT:-
Inter V-Lan 2 In NAT:-
Inter V-Lan 3 In NAT:-
DHCP In NAT:-
Access List In NAT:-
FUTURE SCOPE
Telephony: Configuring Voice VLANs
If you do yoga, meditate, chain smoke, or consume mass quantities of comfort food when stressed, take a little break and do that now because, and I’m going to be honest, this isn’t the easiest part of the chapter—or even the book, for that matter. But I promise that I’ll do my best to make this as painless for you as possible.
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic with layer 3 IP precedence and layer 2 class of service (CoS) values, which are both set to 5 for voice traffic; all other traffic defaults to 0.
Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. (802.1p provides a mechanism for implementing QoS at the MAC level.) The 802.1p field is carried in the 802.1Q trunk header. If you look at the fields in an 802.1Q tag, you will see a field called the priority field; this is where the 802.1p information goes. QoS uses classification and scheduling to send network traffic from the switch in an organized, predictable manner.
The Cisco IP phone is a configurable device, and you can configure it to forward traffic with an IEEE 802.1p priority. You can also configure the switch to either trust or override the traffic priority assigned by an IP phone, which is exactly what we're going to do. The Cisco phone basically has a three-port switch: one to connect to the Cisco switch, one to a PC device, and one to the actual phone, which is internal.
You can also configure an access port with an attached Cisco IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone, like a PC. You can configure access ports on the switch to send Cisco Discovery Protocol (CDP) packets that instruct an attached Cisco IP phone to send voice traffic to the switch in any of these ways:
In the voice VLAN tagged with a layer 2 CoS priority value
In the access VLAN tagged with a layer 2 CoS priority value
In the access VLAN, untagged (no layer 2 CoS priority value)
The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP phone. You can configure layer 2 access ports on the switch to send CDP packets that instruct the attached Cisco IP phone to configure the IP phone access port in one of these modes:
In trusted mode, all traffic received through the access port on the Cisco IP phone passes through the IP phone unchanged.
In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the IP phone receive a configured layer 2 CoS value. The default layer 2 CoS value is 0. Untrusted mode is the default.
Configuring the Voice VLAN
By default, the voice VLAN feature is disabled; you enable it by using the interface command switchport voice vlan. When the voice VLAN feature is enabled, all untagged traffic is sent according to the default CoS priority of the port. The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic. These are the voice VLAN configuration guidelines:
You should configure voice VLAN on switch access ports; voice VLAN isn't supported on trunk ports, even though you can actually configure it!
The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on it. Use the show vlan privileged EXEC command to see if the VLAN is present; if it is, it'll be listed in the display.
Before you enable the voice VLAN, it's recommended that you enable QoS on the switch by entering the mls qos global configuration command and set the port trust state to trust by entering the mls qos trust cos interface configuration command.
You must make sure that CDP is enabled on the switch port connected to the Cisco IP phone to send the configuration. This is on by default, so unless you disabled it, you shouldn't have a problem.
The PortFast feature is automatically enabled when the voice VLAN is configured, but when you disable the voice VLAN, the PortFast feature isn't automatically disabled. To return the port to its default setting, use the no switchport voice vlan interface configuration command.
Configuring IP Phone Voice Traffic
You can configure a port connected to the Cisco IP phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority as well as forward all voice traffic through the native (access) VLAN. The IP phone can also send untagged voice traffic, or use its own configuration to send voice traffic in the access VLAN. In all configurations, the voice traffic carries a layer 3 IP precedence value—again, for voice the setting is usually 5.
CONCLUSION
The examples in this document demonstrate that quick start steps can help you configure and deploy NAT. These quick start steps include:
1. Defining NAT inside and outside interfaces.
2. Defining what you are trying to accomplish with NAT.
3. Configuring NAT in order to accomplish what you defined in Step 2.
4. Verifying the NAT operation.
In each of the examples above, various forms of the ip nat inside command were used. You can also use the ip nat outside command to accomplish the same objectives, keeping in mind the NAT order of operations. For configuration examples using the ip nat outside commands, refer to Sample Configuration Using the ip nat outside source list Command and Sample Configuration Using the ip nat outside source static Command.
The examples above also demonstrated the following:

Command                  Action
ip nat inside source     Translates the source of IP packets that are traveling inside to outside.
                         Translates the destination of the IP packets that are traveling outside to inside.
ip nat outside source    Translates the source of the IP packets that are traveling outside to inside.
                         Translates the destination of the IP packets that are traveling inside to outside.
BIBLIOGRAPHY
1. www.cisco.com
2. Wikipedia
3. CCNA E-Book
4. RFC 1631: The IP Network Address Translator (NAT)
5. RFC 1918: Address Allocation for Private Internets
6. RFC 3022: Traditional IP Network Address Translator (Traditional NAT)
7. Technical Support and Documentation, Cisco Systems