Every spanning-tree-enabled switched network or broadcast domain has one switch designated as the root bridge. It serves as the reference point for all spanning-tree-enabled switches, and the spanning tree algorithm uses it to determine which redundant paths to block. The root bridge is chosen through an election process.
The figure below illustrates the bridge ID (BID) fields. The BID uniquely identifies a switch within a network. It is a 64-bit field divided into three parts: the 4-bit Bridge Priority field, the 12-bit Extended System ID field, and the switch’s 48-bit MAC address. The Bridge Priority field is configurable, while the MAC address is unique among all switches; combining the two makes the Bridge ID unique.
Root Bridge election
All switches in the broadcast domain join the election process. When switches complete their boot process, they send out BPDU frames every two seconds containing the switch’s BID and the root ID. The adjacent switches receive the BPDU frames and read the root ID from them. If the root ID in the received BPDU is lower than the receiving switch’s current root ID, the receiving switch updates its root ID, identifying the adjacent switch as the root bridge.
The new root bridge does not need to be the adjacent switch; it could be any other switch in the broadcast domain. The switch then sends new BPDU frames carrying the lower root ID to its adjacent switches. Finally, the switch with the lowest BID is selected as the root bridge for the spanning tree instance.
Now look at the election process from another angle. Before the bridge priority is configured manually, all switches have the same default priority, so the priority comparison is a tie and the switch with the lowest MAC address becomes the root bridge. In the figure below, switch-3 is elected as the root bridge because every switch has the default bridge priority of 32769, so the switches elect the root bridge based on the MAC address. Switch-3 has the lowest MAC address, so all of the root bridge’s ports go into the forwarding state, i.e., they become designated ports.
IEEE 802.1D Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP) use the Spanning Tree Algorithm (STA) to decide which switch ports on a network must be put in a blocking state to prevent loops. The Spanning Tree Algorithm designates one switch in the network as the root bridge. The root bridge is considered the reference for all path calculations.
The root bridge is selected through an election process. All switches in the network that enable the spanning tree protocol participate in the election process. The switches exchange BPDU frames to decide which switch should be the root bridge in the network. The switch with the lowest Bridge ID automatically becomes the root bridge for the STA calculations.
A BPDU is a messaging frame containing the Bridge ID of the switch that sent it. The Bridge ID includes a priority value, the sending switch’s MAC address, and an optional extended system ID. The combination of these three values forms the Bridge ID, and the lowest Bridge ID wins the election.
When the root bridge has been elected, the Spanning Tree Algorithm (STA) calculates the shortest path to it. Each switch uses the STA to decide which ports to block, and the STA selects the best path to the root bridge for every switch port in the broadcast domain.
The spanning tree algorithm uses cost to determine the shortest path to the root bridge. The slower the interface, the higher its cost. The path with the lowest cost is used to reach the root bridge. The sum of the port cost values along a path gives the overall path cost to the root bridge; if there is more than one path to choose from, STA selects the path with the lowest path cost.
After determining the best path from each switch to the root bridge, STA assigns port roles to the participating switch ports. The port roles are the following:
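The BID layout and the election just described, as an added example that is not part of the original lesson: the bit layout of the 64-bit Bridge ID, and the election simulated as rounds of BPDU exchange in which each switch adopts the lowest root ID it hears from a neighbour. The switch names, MAC addresses and the triangle topology are constructed for the illustration.

```python
# Added example (not from the original lesson): Bridge ID construction and the
# root bridge election as a BPDU exchange.  Switch names, MAC addresses and the
# topology are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                 # 48-bit MAC address, "aa:bb:cc:dd:ee:ff"
    priority: int = 32768    # configurable; must be a multiple of 4096
    vlan: int = 1            # 12-bit Extended System ID (the VLAN number)

    def bid(self) -> int:
        """64-bit Bridge ID: 4-bit priority | 12-bit extended system ID | 48-bit MAC."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("extended system ID must be in 1..4094")
        mac = int(self.mac.replace(":", "").replace("-", ""), 16)
        if mac >= 1 << 48:
            raise ValueError("MAC address does not fit in 48 bits")
        return ((self.priority // 4096) << 60) | (self.vlan << 48) | mac

    def displayed_priority(self) -> int:
        """What 'show spanning-tree' prints: priority + extended system ID (32769 by default)."""
        return self.priority + self.vlan


def elect_root(switches, links):
    """Simulate BPDU rounds: every switch starts by claiming itself as root and
    adopts any lower root ID advertised by a neighbour until nothing changes.
    links is a list of (name_a, name_b) pairs describing the broadcast domain.
    Returns (root switch name, number of BPDU rounds until convergence)."""
    by_name = {sw.name: sw for sw in switches}
    neighbours = {name: set() for name in by_name}
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    root_id = {name: sw.bid() for name, sw in by_name.items()}
    rounds = 0
    while True:
        rounds += 1
        advertised = dict(root_id)   # root ID each switch puts in this round's BPDU
        changed = False
        for name in by_name:
            for nb in neighbours[name]:
                if advertised[nb] < root_id[name]:
                    root_id[name] = advertised[nb]   # lower root ID heard: adopt it
                    changed = True
        if not changed:
            break
    winner = min(root_id.values())
    if any(v != winner for v in root_id.values()):
        raise RuntimeError("broadcast domain is not connected; switches disagree on the root")
    root_name = next(name for name, sw in by_name.items() if sw.bid() == winner)
    return root_name, rounds


# Constructed sample: default priority everywhere, so the lowest MAC must win.
SWITCHES = [
    Switch("Switch-1", "00:0c:29:aa:00:03"),
    Switch("Switch-2", "00:0c:29:aa:00:02"),
    Switch("Switch-3", "00:0c:29:aa:00:01"),
]
LINKS = [("Switch-1", "Switch-2"), ("Switch-2", "Switch-3"), ("Switch-1", "Switch-3")]


def elect_default():
    return elect_root(SWITCHES, LINKS)[0]


def elect_with_lowered_priority(name="Switch-1", priority=24576):
    """Lowering one switch's priority makes it win regardless of its MAC address."""
    tuned = [Switch(sw.name, sw.mac, priority, sw.vlan) if sw.name == name else sw
             for sw in SWITCHES]
    return elect_root(tuned, LINKS)[0]


if __name__ == "__main__":
    print("default election:", elect_default())                          # Switch-3
    print("priority 24576 on Switch-1:", elect_with_lowered_priority())  # Switch-1
```

The second run is the defender's point: because any switch that advertises a lower BID wins, the intended root should be pinned with a low configured priority rather than left to the accident of which switch has the lowest MAC address.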
Root ports – The switch ports closest to the root bridge are known as root ports. The figure below illustrates the root ports of the network switches. If one side of a trunk is a designated port, the other must be a root or alternate port.
Designated ports – All ports that are still permitted to forward data on the network but are not root ports are designated ports. Designated ports are chosen on a per-trunk basis. If one side of a trunk is a root port, the other must be a designated port. All ports on the root bridge are designated ports.
Alternate and backup ports – Alternate and backup ports prevent loops on the network. These ports are placed in the blocking state. Alternate ports are chosen only on trunk links where neither end is a root port.
Disabled ports– A disabled port is a switch port that is shut down.
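The path-cost calculation and the port-role assignment from the preceding paragraphs, worked through as an added example that is not part of the original lesson. Root path cost is computed from the root outwards with the IEEE 802.1D-1998 short port costs; each non-root switch's root port is the port with the lowest total cost, the end of every link with the lower root path cost (then the lower BID) becomes designated, and the far end is either a root port or a blocked alternate port. Switch names, simplified BIDs, port names and link speeds are constructed; parallel links between the same two switches (backup ports) are not modelled.

```python
# Added example (not part of the original lesson): root path cost and port role
# assignment with the spanning tree algorithm.  Switch names, BIDs, port names
# and link speeds are constructed.  Parallel links between the same two
# switches (which would create backup ports) are not modelled.
import heapq

# IEEE 802.1D-1998 "short" path costs per link speed in Mb/s
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def assign_roles(bids, links):
    """bids: {switch name: Bridge ID (lower wins)}.
    links: list of (switch_a, port_a, switch_b, port_b, speed_mbps).
    Returns (root name, {switch: root path cost}, {(switch, port): role})."""
    root = min(bids, key=bids.get)
    adj = {sw: [] for sw in bids}            # switch -> [(port, neighbour, neighbour_port, cost)]
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Root path cost: the root advertises 0 and every receiving port adds its own cost.
    rpc = {sw: float("inf") for sw in bids}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue
        for _, v, _, cost in adj[u]:
            if d + cost < rpc[v]:
                rpc[v] = d + cost
                heapq.heappush(heap, (rpc[v], v))
    if any(c == float("inf") for c in rpc.values()):
        raise ValueError("topology is not connected")

    # Root port: the port giving the lowest total cost to the root; ties go to
    # the neighbour with the lower BID, then the lower port name.
    root_port = {}
    for sw in bids:
        if sw != root:
            root_port[sw] = min(adj[sw], key=lambda e: (rpc[e[1]] + e[3], bids[e[1]], e[0]))[0]

    roles = {}
    for a, pa, b, pb, _ in links:
        # Designated end of each link: lower root path cost, then lower BID.
        if (rpc[a], bids[a]) <= (rpc[b], bids[b]):
            designated, other = (a, pa), (b, pb)
        else:
            designated, other = (b, pb), (a, pa)
        roles[designated] = "designated"
        # The far end is either that switch's root port or a blocked alternate port.
        roles[other] = "root" if root_port.get(other[0]) == other[1] else "alternate"
    return root, rpc, roles


# Constructed four-switch topology with two redundant links.
BIDS = {"Switch-1": 2, "Switch-2": 4, "Switch-3": 1, "Switch-4": 3}   # simplified BIDs
LINKS = [
    ("Switch-1", "g0/1", "Switch-2", "g0/1", 1000),
    ("Switch-1", "g0/2", "Switch-3", "g0/1", 1000),
    ("Switch-2", "g0/2", "Switch-3", "g0/2", 100),   # slower link: cost 19
    ("Switch-3", "g0/3", "Switch-4", "g0/1", 1000),
    ("Switch-2", "g0/3", "Switch-4", "g0/2", 1000),
]


def blocked_ports(roles):
    return sorted(p for p, r in roles.items() if r == "alternate")


if __name__ == "__main__":
    root, rpc, roles = assign_roles(BIDS, LINKS)
    print("root bridge:", root, "| root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
    print("blocked:", blocked_ports(roles))   # Switch-2 g0/2 and Switch-2 g0/3
```

Note how Switch-2 reaches the root more cheaply over two gigabit hops (cost 8) than over its direct 100 Mb/s link (cost 19), so the direct link is the one that ends up blocked.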
FAQs
What is the Spanning Tree Protocol (STP)?
Spanning Tree Protocol (STP) is designed to prevent network loops by creating a loop-free logical topology in Ethernet networks.
What are the main port roles in STP?
The main port roles in STP are Root Port, Designated Port, and Blocked Port. Each role has a specific function in maintaining a loop-free network topology.
What is the function of the Root Port in STP?
The Root Port is the switch port with the lowest path cost to the Root Bridge. It forwards traffic to the Root Bridge.
What is the function of the Designated Port in STP?
The Designated Port is the network segment port with the lowest path cost to the Root Bridge. It is responsible for forwarding traffic to and from that segment.
What is the function of the Blocked Port in STP?
The Blocked port does not forward traffic to prevent network loops. It remains on standby and is ready to become active if the network topology changes.
In the previous article, I explained redundancy. It increases network availability by protecting the network from a single point of failure, such as a faulty network cable or a failed switch. When engineers introduce physical redundancy into a design, loops and duplicate frames can occur.
I wrote in the previous lesson that loops and duplicate frames have several disadvantages for a switched network. The duplicate frames and nonstop broadcast frames in a looped network need a logical mechanism to control them. The Spanning Tree Protocol (STP) is the mechanism developed to address loop issues in switched networks.
Spanning Tree Protocol (STP) ensures that there is only one logical path between all destinations on the network by blocking the redundant paths that could cause a loop. Data cannot enter or leave a blocked port. Preventing loops on a network is not an easy task.
The physical connection is still available to provide a redundant path, but STP disables the path logically to prevent loops from occurring. If a switch or cable fails, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.
PC1 sends a broadcast packet out onto the network.
Switch-1 is configured with Spanning Tree Protocol (STP), and port 1/0/2 is set to the blocking state, which prevents it from being used to forward user data. Switch-1 forwards the broadcast frame out all switch ports except the originating port from PC1 and port 1/0/2.
Switch-3 receives the broadcast frame and forwards it out all of its switch ports, where it reaches Switch-4, PC4, Switch-2 and PC2. When Switch-2 receives the frame, it forwards it to PC2, and the frame is dropped rather than looped back. The Layer 2 loop is prevented.
Spanning Tree Protocol (STP) prevents loops by strategically putting switch ports into the blocking state. Switches running STP can recover from failures by dynamically unblocking previously blocked ports and permitting traffic on them.
Spanning Tree Protocol (STP) is based on an algorithm invented by Radia Joy Perlman, an American computer programmer and network engineer. Perlman was working for Digital Equipment Corporation when she published the 1985 paper “An Algorithm for Distributed Computation of a Spanning Tree in an Extended LAN”.
Reliability is the quality of a computer network that consistently performs according to its specifications. It has long been considered one of three related attributes that must be considered when planning a network.
Network redundancy is one of the key factors in maintaining network reliability. Multiple physical connections between network devices provide redundant network paths, so the network can continue operating when a single link or port fails. Redundant links also share the traffic load and increase capacity and speed.
Spanning tree protocols are the best way to use and manage Layer 2 redundancy. Without a proper protocol, Layer 2 loops form and cause network breakdowns. The spanning tree protocol chooses the best paths and immediately selects an alternate path when the primary path fails.
Network devices such as multilayer switches or routers provide network redundancy by giving users the ability to use an alternate gateway when the primary gateway fails.
A client may now have the ability to connect to more than one possible default gateway. First Hop Redundancy Protocols manage the client’s default gateway and provide the ability to use an alternate default gateway should the primary default gateway fail.
Network Redundancy at OSI Layers 1 and 2
The three-tier hierarchical network design attempts to eliminate single points of failure on the network. Multiple cabled connections between switches provide physical redundancy in a switched network.
Network redundancy improves the reliability and availability of the network. Alternate physical connections for data to pass through the network make it possible for users to access network resources regardless of any interference.
Nowadays, network availability is essential for every organization to meet its business needs, so the network infrastructure plan is a serious component. Path redundancy removes single points of failure so that services continue without disruption.
A hierarchical network design that uses core, distribution, and access layers with network redundancy attempts to eliminate any disruption of network services to users.
Redundant networks need physical connections as well as logical redundancy. However, redundant paths in a switched Ethernet network create the possibility of physical and logical Layer 2 loops.
When multiple paths exist between two switches on a network and no spanning tree protocol runs between them, a Layer 2 loop occurs. A Layer 2 loop can result in three primary issues:
MAC database instability
Broadcast storms
Multiple frame transmission
MAC Database Instability (Layer 1 Redundancy)
Ethernet frames have no TTL value in their headers, so a switched network needs a mechanism to block the continued propagation of broadcast frames. Otherwise, frames propagate between switches endlessly, or until a link is disrupted and breaks the loop. This nonstop propagation between switches can result in MAC database instability.
MAC address instability occurs because a broadcast frame is forwarded out all switch ports except the original ingress port. The broadcast ensures that all devices in a broadcast domain receive the frame.
So, a redundant path between network switches results in an endless loop. When a loop occurs, the MAC address table on a switch can constantly change with the updates from the broadcast frames, which results in MAC database instability.
Now look at the topology below, where PC1 and the other hosts have a redundant path without any proper logical mechanism. The frame-forwarding process is as follows:
PC1 sends a broadcast frame to Switch-1, which receives it on F0/1. When Switch-1 receives the broadcast frame, it updates its MAC address table to record that PC1 is available on port F0/1.
Because it is a broadcast frame, Switch-1 forwards it out all of its ports, including both trunks. When the broadcast frame arrives at Switch-2 and Switch-4, those switches update their MAC address tables to indicate that PC1 is available on port F0/8 of Switch-2 and F0/11 of Switch-4.
When the broadcast frame is received on Switch-2 and Switch-4, they forward it out all ports except the incoming port, so both switches send the broadcast frame to Switch-3. If Switch-3 receives the broadcast frame from Switch-2 first, it records in its MAC address table that PC1 is available on F0/2 and floods the frame out all of its ports except F0/2. Meanwhile, it receives the same frame from Switch-4 on interface F0/9, so Switch-3 overwrites its MAC address table entry again and floods the same frame out all of its interfaces except F0/9.
Now the same frame circulates around the entire network again. Each switch forwards the broadcast frame out all of its ports except the ingress port, and each time the MAC address table is updated with the last entry received from the other two switches.
This process continues nonstop until the loop is broken, either by physically disconnecting the connections or by powering down one of the switches in the loop. The loop puts a high load on the CPUs of all switches, which slows down performance when genuine traffic arrives.
A host participating in the network loop cannot reach other hosts on the network. Finally, because of the constant changes in the MAC table, the switch no longer knows which port to use to forward unicast frames.
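The flapping described above, reproduced as an added example that is not part of the original lesson: one broadcast frame is flooded through a constructed four-switch square topology. Without a blocking port the simulation has to give up after a frame budget with copies still in flight and with several switches having relearned the source MAC on alternating ports; with one port blocked by STP the flood terminates after a handful of frames and every MAC table is written exactly once. Switch and port names are constructed, and only the trunk links listed are tracked.

```python
# Added example (not part of the original lesson): flooding one broadcast frame
# through a redundant switched topology, with and without a blocked port, to
# show MAC-table flapping and a never-ending loop.  Switch and port names are
# constructed; frames are tracked only on the trunk links listed.
from collections import deque


def flood(links, blocked, ingress_switch, ingress_port, max_frames=100):
    """links: (switch_a, port_a, switch_b, port_b) trunk links.
    blocked: set of (switch, port) in the STP blocking state (they neither learn,
    forward nor accept frames).  The frame enters ingress_switch on ingress_port
    (an access port, e.g. the one PC1 is connected to).
    Returns (frames forwarded, MAC-table history, still_looping), where the
    history lists every change of a switch's table entry for the source MAC."""
    peer, ports = {}, {}
    for a, pa, b, pb in links:
        peer[(a, pa)], peer[(b, pb)] = (b, pb), (a, pa)
        ports.setdefault(a, set()).add(pa)
        ports.setdefault(b, set()).add(pb)
    ports.setdefault(ingress_switch, set()).add(ingress_port)

    mac_table = {}          # switch -> port on which the source MAC was last seen
    history = []            # (switch, previous port, new port)
    queue = deque([(ingress_switch, ingress_port)])   # frame copies awaiting processing
    forwarded = 0
    while queue and forwarded < max_frames:
        sw, port_in = queue.popleft()
        if (sw, port_in) in blocked:
            continue                                   # discarded at a blocking port
        if mac_table.get(sw) != port_in:               # learn / relearn the source MAC
            history.append((sw, mac_table.get(sw), port_in))
            mac_table[sw] = port_in
        for port in ports[sw]:                         # flood out every other port
            if port == port_in or (sw, port) in blocked:
                continue
            forwarded += 1
            if (sw, port) in peer:                     # trunk: the neighbour receives a copy
                queue.append(peer[(sw, port)])
    return forwarded, history, bool(queue)


def flapping_switches(history):
    """Switches whose entry for the source MAC changed more than once."""
    seen = {}
    for sw, _, _ in history:
        seen[sw] = seen.get(sw, 0) + 1
    return sorted(sw for sw, n in seen.items() if n > 1)


# Constructed square topology: four switches, four trunks, one physical loop.
LINKS = [
    ("Switch-1", "g0/1", "Switch-2", "g0/1"),
    ("Switch-2", "g0/2", "Switch-3", "g0/1"),
    ("Switch-3", "g0/2", "Switch-4", "g0/1"),
    ("Switch-4", "g0/2", "Switch-1", "g0/2"),
]


def without_stp():
    return flood(LINKS, blocked=set(), ingress_switch="Switch-1", ingress_port="f0/1")


def with_stp():
    # STP has put Switch-4 g0/2 into blocking, which breaks the loop.
    return flood(LINKS, blocked={("Switch-4", "g0/2")},
                 ingress_switch="Switch-1", ingress_port="f0/1")


if __name__ == "__main__":
    n, hist, looping = without_stp()
    print(f"no STP: {n} frames forwarded before giving up, still looping={looping}, "
          f"flapping tables on {flapping_switches(hist)}")
    n, hist, looping = with_stp()
    print(f"with STP: {n} frames forwarded, still looping={looping}, "
          f"flapping tables on {flapping_switches(hist)}")
```

The frame budget stands in for the missing TTL: in the unblocked case nothing in the data plane ever stops the frame, which is exactly why a switch log full of "MAC address flapping between ports" messages is a useful early sign of a Layer 2 loop.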
Broadcast Storms (Layer 1 Redundancy)
A broadcast storm occurs when so many broadcast frames are caught in a Layer 2 loop that they consume all available bandwidth, leaving none for legitimate traffic, and the network becomes unavailable for data communication. This is effectively a denial of service (DoS).
A broadcast storm is inevitable on a looped network: as more devices send broadcast traffic, more broadcast traffic is caught in the loop and consumes network resources, until the storm causes the network to fail.
The broadcast storm has other disadvantages. Because traffic is forwarded out every port on a switch, all connected devices must process all the broadcast traffic that is flooded endlessly around the looped network, which can cause end devices to malfunction.
Duplicate Unicast Frames (Layer 1 Redundancy)
Broadcast frames are not the only type of frame affected by loops. Unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.
Most upper-layer protocols cannot recognize duplicate frames. Protocols that use a sequence-numbering mechanism generally assume that the transmission has failed and that the sequence number has wrapped around for another communication session. Ethernet (Layer 2) therefore requires a separate mechanism to recognize and eliminate endlessly looping frames.
Layer 3 implements a TTL mechanism that eliminates loops, because the TTL limits the number of times a Layer 3 device can retransmit a packet. Layer 2 devices have no mechanism like TTL, so they continue to retransmit looping traffic indefinitely.
STP, a Layer 2 loop-avoidance mechanism, was developed to solve these problems. To stop these issues from occurring in a redundant network, some type of spanning tree must be enabled on the switches. Spanning tree is enabled by default on all Cisco switches to stop Layer 2 loops from occurring.
NAT and private IPv4 addresses have slowed the depletion of IPv4 addresses, but NAT has some disadvantages. One major benefit attributed to NAT is security.
NAT hides the private IPv4 network from the public Internet, providing a perceived level of security by preventing computers on the public Internet from reaching internal hosts. However, NAT is not a substitute for proper network security, such as that provided by a firewall.
In RFC 5902, the IAB included the following comment on NAT for IPv6: “It is commonly perceived that a NAT box provides one level of protection because external hosts cannot directly initiate communication with hosts behind a NAT. However, one should not confuse NAT boxes with firewalls.
As discussed in [RFC4864], Section 2.2, translation does not provide security. The stateful filtering function can provide the same level of protection without requiring a translation function. For further discussion, see [RFC4864], Section 4.2.”
IPv6 provides 340 undecillion addresses. It has its own private address space and its own forms of NAT, which are implemented differently than for IPv4.
IPv6 Unique Local Addresses (ULA)
These addresses are similar to the private addresses of IPv4, but there are major differences between the two. IPv6 Unique Local Addresses (ULA) are intended to provide IPv6 address space for communications within a local site. ULA does not provide any additional IPv6 address space and does not provide any level of security.
The IPv6 Unique Local Addresses (ULA) prefix is FC00::/7, so the first hextet ranges from FC00 to FDFF. The figure below illustrates the Unique Local Address format.
After the 7-bit prefix, the next bit (the L bit) is set to 1 if the prefix is locally assigned; the value 0 may be defined later. The next 40 bits are a randomly generated global ID, followed by a 16-bit Subnet ID. These first 64 bits make up the ULA prefix, and the remaining 64 bits are used as the interface ID. These addresses are defined in RFC 4193. ULAs are also known as local IPv6 addresses.
ULA allows sites to be privately interconnected without creating address conflicts. The addresses can be used independently of any ISP and for communications within a site that has no Internet connectivity.
Like RFC 1918 private IPv4 addresses, ULAs are not routable across the Internet; however, if one is leaked by routing or DNS, there is no conflict with any other addresses.
IPv6 addresses are not intended to be used with NAT to translate between unique local addresses and IPv6 global unicast addresses. The implementation and possible uses of IPv6 unique local addresses are still being examined by the Internet community.
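The ULA format just described, as an added example that is not part of the original lesson: a function that builds a /64 ULA prefix from a 40-bit global ID and a 16-bit subnet ID (drawing a random global ID when none is supplied, as RFC 4193 recommends), and a function that splits any address back into its L bit, global ID and subnet ID. It uses Python's standard ipaddress module; the subnet IDs and the fixed global ID used in the demonstration are constructed.

```python
# Added example (not part of the original lesson): building and dissecting
# RFC 4193 Unique Local Addresses with Python's ipaddress module.  The subnet
# IDs and the fixed global ID used for the demonstration are constructed.
import ipaddress
import secrets

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")


def make_ula_prefix(subnet_id, global_id=None):
    """Return the /64 ULA prefix  fd | global_id (40 bits) | subnet_id (16 bits).
    The L bit is 1 (locally assigned), so the first byte is always 0xfd.
    A random global ID is drawn if none is given, as RFC 4193 recommends."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 1 << 40:
        raise ValueError("global ID must fit in 40 bits")
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("subnet ID must fit in 16 bits")
    network_bits = (0xFD << 56) | (global_id << 16) | subnet_id   # upper 64 bits
    return ipaddress.IPv6Network((network_bits << 64, 64))


def split_ula(address):
    """Split an address into (L bit, global ID, subnet ID); raise if it is not a ULA."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ULA_BLOCK:
        raise ValueError(f"{addr} is not in fc00::/7")
    upper = int(addr) >> 64
    l_bit = (upper >> 56) & 1
    global_id = (upper >> 16) & ((1 << 40) - 1)
    subnet_id = upper & 0xFFFF
    return l_bit, global_id, subnet_id


def is_ula(address):
    """True for any address inside fc00::/7 (both the fc00::/8 and fd00::/8 halves)."""
    return ipaddress.IPv6Address(address) in ULA_BLOCK


if __name__ == "__main__":
    site = make_ula_prefix(subnet_id=1, global_id=0x0123456789)   # constructed global ID
    print(site)                                  # fd01:2345:6789:1::/64
    host = site[1]
    print(host, split_ula(host))
    print(is_ula("2001:db8::1"), is_ula(make_ula_prefix(7)[1]))
```

A useful check when auditing address plans: any address that splits with an L bit of 0 (first hextet FC00 to FCFF) falls in the half of the block that RFC 4193 has not defined, and a site that hand-picks a "pretty" global ID such as all zeros gives up the collision resistance that the random 40 bits are there to provide.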
NAT for IPv6
There are several varieties of NAT for IPv6, which provide transparent access between IPv6-only and IPv4-only networks. NAT for IPv6 is not a private-IPv6-to-global-IPv6 translation like NAT for IPv4 addresses.
IPv6 devices should communicate with each other over IPv6 networks. However, for the IPv4-to-IPv6 transition, the IETF has developed several techniques, including dual-stack, tunneling, and translation.
In dual-stack, both IPv4 and IPv6 run on the devices in parallel. Tunneling involves encapsulating an IPv6 packet inside an IPv4 packet, which allows the IPv6 packet to be transmitted over an IPv4-only network.
NAT for IPv6 cannot be used as a long-term approach; it is only a temporary method to assist in the transition from IPv4 to IPv6. NAT for IPv6 has several methods, including Network Address Translation-Protocol Translation (NAT-PT) and NAT64.
Configuring port forwarding on Cisco routers is similar to configuring static NAT. It is a static NAT translation with a specific TCP or UDP port number.
The figure above shows an example of configuring port forwarding using Cisco IOS commands on router R2. 192.168.11.100 is the web server’s inside local IPv4 address.
The web server’s listening port is 80. The administrator wants to reach this internal web server from an external network using the global IP address 202.128.54.1, a globally unique public IPv4 address.
It is the address of the g0/1 interface of R2. The global port is configured as 8080; outside clients use this destination port, along with the global IPv4 address 202.128.54.1, to reach the internal web server. The command syntax to configure port forwarding is the following:
TCP or UDP – This parameter specifies whether the port belongs to TCP or UDP.
Local IP – The IPv4 address of the host inside the local network.
Local port – The port of the local host, in the range 1-65535.
Global IP – The inside host’s globally unique IPv4 address. Outside clients use this IP to reach the internal host.
Global port – The global TCP/UDP port, between 1 and 65535. It is the port number the outside client uses to reach the internal server.
Extendable – The extendable option is applied automatically. This keyword allows the user to configure ambiguous static translations, extending the static translation to more than one port if necessary.
When we want to use a port other than a well-known port, the client must specify the port number in the web request. As with a simple static or dynamic NAT configuration, we should also configure the inside and outside NAT interfaces. To configure port forwarding on R1, the commands are:
As with static NAT verification, we can verify the port forwarding configuration using the “show ip nat translations” command. The image below illustrates the output of this command.
When the router receives a packet with the inside global IPv4 address 202.128.54.1 and TCP destination port 8080, it looks up the NAT table using the destination IPv4 address and destination port as the key. It translates the address to the inside local address of the host, 192.168.11.100, and the destination port to 80.
R2 then forwards the packet to the web server. When the web server sends packets back to the client, the process is reversed.
Port forwarding is also known as port mapping or tunnelling. It is the method of forwarding traffic destined for a specific network port from one network node to another.
An external user can access a specific port on a private IPv4 address inside a LAN from the outside through a NAT-enabled router. In other words, port forwarding directs traffic from the outside world to the right server inside a local TCP/IP network.
Port forwarding is mostly used to isolate network traffic, optimize network speed, and permanently assign a network path to a specific protocol or network service. Usually, well-known port numbers are used in port forwarding. It is typically implemented at a gateway router to automate the process of identifying and transferring network packets to a destination port.
Peer-to-peer programs and servers, such as web servers and FTP, usually require port forwarding or open ports to work. NAT hides internal addresses, so peer-to-peer only works from the inside out, where NAT can map outgoing requests to incoming replies.
NAT does not allow connections to be established from the outside network. This can be resolved with port forwarding, which identifies specific ports that are forwarded to inside hosts.
Internet applications work on different ports that need to be open or available to those applications. For example, HTTP operates on well-known port 80 and FTP on well-known port 21.
When someone opens the https://networkustad.com address, the browser displays the networkustad home page. They do not specify the HTTP port number in the page request, because the application assumes port 80.
If https://networkustad.com is configured with a different port number, the port can be appended to the URL, separated by a colon (:). For example, if we configure the server on port 8080 in place of 80, then we enter the address in the browser with the port appended, like the address shown below.
Port forwarding allows access to internal servers from the Internet via the WAN port address of the router and the matched external port number. The internal servers are typically configured with private IPv4 addresses.
When a request from the Internet arrives at the router’s WAN port addressed to the WAN port’s IPv4 address, the router forwards the request to the appropriate server on the private network. By default, a broadband router does not permit any external request to be forwarded to the inside network.
The figure below illustrates an example of port forwarding. An Internet service provider opens a web server for a client on their local network. The server can be accessed within the local network, but because it has a private IPv4 address, it is not publicly accessible from the Internet.
Now the owner wants to provide access from anywhere on the Internet, so port forwarding is configured on the router using the destination port number and the private IPv4 address of the web server. To access the server, the client software uses the public IPv4 address of the router and the destination port of the server.
We should specify the local address to which requests are forwarded. In the above configuration, HTTP service requests arriving at the wireless router are forwarded to the web server with the inside local address 192.168.10.101. If the external WAN IPv4 address of the wireless router is 202.128.54.1, an external user can enter http://www.domain_name.com, and the wireless router redirects the HTTP request to the internal web server at 192.168.10.101 using the default port number 80.
We can change the default port of the web server, but then the external user would have to know the specific port number to use. The above figure illustrates the port forwarding window of a TP-Link router; the layout depends on the brand and model of the broadband router.
Port Address Translation (PAT) is also known as NAT overload. PAT conserves addresses in the inside global address pool by allowing the router to use one inside global address simultaneously for several inside local addresses.
A single public IPv4 address can serve hundreds, even thousands, of internal private IPv4 addresses. A router configured for PAT keeps information from higher-level protocols, such as TCP or UDP port numbers, so that it can translate the inside global address back to the correct inside local address even though multiple inside local addresses map to one inside global address. This is possible because each inside host’s traffic is distinguished by its TCP or UDP port number.
There are 65,536 port numbers that we can bind to inside local addresses, so theoretically we can translate 65,536 inside local addresses per global IP address.
In practice this is too much for the router; a single IP address can support around 4,000 internal addresses. We can configure PAT in two ways: with a single public IPv4 address or with multiple public IPv4 addresses.
Configuring Port Address Translation for a Pool of Public IP Addresses
To configure Port Address Translation (PAT) on a Cisco router, first create a NAT pool with the range of public IP addresses allotted by the Internet service provider.
After the pool configuration, create a standard access list to identify and permit the group of private inside IP addresses allowed for NAT translation.
After creating the pool of global IP addresses and the IP access list that identifies the traffic, configure NAT using the “ip nat” command.
Finally, specify which interface is inside and which is outside. The main difference between configuring dynamic NAT and Port Address Translation (PAT) is the keyword “overload”.
Example Configuration
The example configuration shown in the figure below establishes overload translation for the NAT pool named Global_pool. The pool contains the same addresses used in the previous lesson, 202.128.54.3 to 202.128.54.14. Hosts in the 192.168.10.0/24 and 192.168.11.0/24 networks need to be translated.
The sub-interface S0/0/0.101 is the outside interface, and g0/0 and g0/1 are the inside interfaces. Router R2 is the Port Address Translation (PAT) router. We are using the same topology used in the previous lesson, “Dynamic NAT Configuration.”
Now look at the commands executed on R2 for the NAT overload configuration.
R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
R2(config)#ip nat inside source list 1 pool Global_pool overload
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside
After the above configuration, the 192.168.10.0/24 network can access the Internet, but the 192.168.11.0/24 network still cannot. Network 192.168.11.0 still requires the following configuration:
Now the 192.168.11.0 network can access the Internet. The outside NAT interface is already configured for network 192.168.10.0/24 and is reused, so only the ACL permission and the “ip nat inside” interface had to be configured.
Configuring Port Address Translation for a Single Public IPv4 Address
If only one public IPv4 address is available, the overload configuration typically assigns that public address to the outside interface connecting to the ISP. When leaving the outside interface, all inside addresses are translated to this single IPv4 address. The steps to configure Port Address Translation (PAT) with a single IPv4 address are as follows:
Define an ACL to permit the traffic to be translated.
Configure source translation using the interface and overload keywords. The interface keyword defines which interface IP address to use when translating inside addresses. The overload keyword instructs the router to track port numbers with each NAT entry.
Identify which interfaces are inside and which are outside in relation to NAT. The inside interface is any interface that connects to the inside network, and the outside interface is an interface connected to the outside network.
The configuration is similar to dynamic NAT, except that the interface keyword is used to identify the outside IPv4 address instead of a pool of addresses; therefore, no NAT pool is defined. Now look at the configuration below on R2 for a single IPv4 address on the same topology. The commands for the PAT single-IP configuration are the following:
The process of NAT overload is similar to the NAT process, except there is only one address for translation. In the example configured above with a single public IPv4 address, PC1 wants to communicate with the web server, and Laptop0 also wants to communicate with the web server. Both PC1 and PC2 are configured with private IPv4 addresses, and R2 is enabled for Port Address Translation (PAT).
PC to Server Process
The figure below illustrates PC1 and Laptop0 sending packets to the web server simultaneously. PC1 has the source IPv4 address 192.168.11.100 and uses TCP source port 1025. Laptop0 has the source IPv4 address 192.168.10.101 and is also assigned the source port 1025.
The packet from PC1 reaches R2 first. Using PAT, R2 translates the source IPv4 address to the inside global address 202.128.54.1. Since no other entry in the NAT table is using port 1025, PAT keeps the same port number. The packet is then forwarded to the web server at 201.128.35.2.
PAT is configured to use a single inside global IPv4 address for all translations, so when the packet from Laptop0 arrives at R2, PAT translates Laptop0’s source IPv4 address to the same inside global address, 202.128.54.1, just as it did for PC1.
However, Laptop0’s source port number is the same as that of a current PAT entry, the translation for PC1. PAT increments the source port number until it is unique in its table. In this example, the source port entry in the NAT table is increased to 1026.
Both hosts use the same translated address, the inside global address 202.128.54.1, and the same source port number of 1025; however, the R2 process modifies the port number for Laptop0 to 1026. This becomes evident in the packets sent from the servers back to the clients.
Server-to-PC Process
The servers use the source port of the received packet as the destination port and the source address as the destination address for the return traffic. From the servers’ point of view they appear to be communicating with a single host at 202.128.35.1, but that is not actually the case.
When R2 receives the packet on interface serial 0/0/0.101, it looks up its NAT table for a unique entry using the packet’s destination address and destination port.
Several NAT table entries match the packet received from the server with destination IPv4 address 202.128.54.1, but only one has destination port 1025. R2 matches that entry and changes the packet’s destination IPv4 address to 192.168.11.101. No change is required to the destination port. The packet is then forwarded to PC1.
When a packet with destination port 1026 arrives at R2, R2 performs a similar translation. The destination IPv4 address 202.128.54.1 again matches multiple entries, but R2 uses the destination port 1026 to uniquely identify the translation entry. The destination IPv4 address is translated to 192.168.10.101.
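The PAT behaviour walked through above (same source port from two inside hosts, port bumped until unique, replies demultiplexed by destination port only) as a small table model. This is an added example, not code from the original page or from any router; the class and function names and the "increment until unique" rule are assumptions of the model, while the addresses come from the text.

```python
# Added example, not from the page: a model of the PAT table R2 builds above.
# Host/function names and the "increment until unique" port rule are assumptions.
from dataclasses import dataclass
INSIDE_GLOBAL = "202.128.54.1"   # the single public address shared by all hosts

@dataclass(frozen=True)
class Entry:
    inside_local: str
    inside_port: int
    global_port: int

class PatTable:
    def __init__(self, inside_global=INSIDE_GLOBAL):
        self.inside_global = inside_global
        self.entries = {}          # (inside_local, inside_port) -> Entry
        self.by_global_port = {}   # global_port -> Entry, for reverse lookup

    def _free_port(self, wanted):
        # Keep the host's own source port if unused; otherwise step upward
        # until a port that no other translation is using is found.
        port = wanted
        while port in self.by_global_port:
            port += 1
            if port > 65535:
                raise RuntimeError("no free port on the inside global address")
        return port

    def outbound(self, src_ip, src_port):
        """Inside->outside packet: returns (inside_global, translated_port)."""
        key = (src_ip, src_port)
        if key not in self.entries:
            e = Entry(src_ip, src_port, self._free_port(src_port))
            self.entries[key] = e
            self.by_global_port[e.global_port] = e
        return self.inside_global, self.entries[key].global_port

    def inbound(self, dst_ip, dst_port):
        """Outside->inside reply: returns (inside_local, inside_port) or None."""
        if dst_ip != self.inside_global or dst_port not in self.by_global_port:
            return None   # no matching entry: the router drops the packet
        e = self.by_global_port[dst_port]
        return e.inside_local, e.inside_port

def demo():
    """PC1 and Laptop0 both send from source port 1025, as in the text above."""
    pat = PatTable()
    pc1 = pat.outbound("192.168.11.100", 1025)   # port 1025 is free: unchanged
    lap = pat.outbound("192.168.10.101", 1025)   # collides with PC1: becomes 1026
    return pc1, lap, pat.inbound(INSIDE_GLOBAL, pc1[1]), pat.inbound(INSIDE_GLOBAL, lap[1])
```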
Verifying Port Address Translation
We can use the commands discussed in “Static NAT Configuration and Dynamic NAT Configuration” to verify Port Address Translation (PAT). The figure below illustrates the output of the show ip nat translations command; it displays the translations from two different hosts to a single web server.
We can also use the show ip nat statistics command to verify that NAT-POOL2 has allocated a single address. The show running-config command is another way to check the PAT configuration.
Dynamic NAT automatically maps inside local addresses to inside global addresses, which are usually public IPv4 addresses. Dynamic NAT uses a pool of public IPv4 addresses for translation.
Like static NAT, dynamic NAT requires the inside and outside interfaces participating in NAT to be configured. The difference between the two is that static NAT creates a permanent mapping to a single address, whereas dynamic NAT uses a pool of addresses.
The example topology in the figure above has an inside network containing two LANs, 192.168.10.0/24 and 192.168.11.0/24. R1 acts as the border router and is configured for dynamic NAT using the pool of public IPv4 addresses 202.128.54.0/28.
Any inside device can access the internet using the pool of inside global IPv4 addresses. The inside network uses this pool on a first-come, first-served basis. Dynamic NAT translates a single inside address into a single outside address.
Like static NAT, dynamic NAT requires enough addresses in the pool to accommodate all the inside devices that want to access the outside network at the same time. If all the addresses in the pool are already translated to inside addresses, other devices must wait for an available address before they can access the outside network.
Configuring Dynamic NAT
First, define the inside global IP pool using the ip nat pool command. This pool is usually a group of public IPv4 addresses assigned by the service provider. The pool is defined by indicating the start and end IP addresses, including the netmask or prefix length.
After configuring the pool, dynamic NAT requires a standard ACL. The ACL identifies and permits the addresses that are to be translated. Remember the implicit deny all statement at the end of each ACL.
Now bind the configured ACL to the address pool using the ip nat inside source list <access-list-number> pool <pool-name> command.
Identify the interfaces that connect to the inside and outside networks and configure them as NAT inside or outside interfaces accordingly.
Now I am going to configure router R1 for dynamic NAT according to the above steps.
R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
R2(config)#ip nat inside source list 1 pool Global_pool
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside
After the above configuration, the network 192.168.10.0/24 can access the internet, but the network 192.168.11.0/24 still cannot. The network 192.168.11.0 still requires the following configuration:
Now the network 192.168.11.0 can access the internet. The NAT outside interface was already configured for network 192.168.10.0/24, so the same interface is used for the outside. We have only added the ACL permit statement and the ip nat inside interface.
Analyzing Dynamic NAT
Using the previous configuration, the figures below illustrate the dynamic NAT translation process between the clients and the web server. The traffic flow from inside to outside is shown step by step:
The host 192.168.11.100 sends an ICMP message to the web server at the public IPv4 address 201.128.35.2. In the figure below, we can read the outbound PDU information: the source IP address is 192.168.11.100 and the destination IP address is 201.128.35.2, the IP address of the web server networkustad.com.
When R2 receives the packet from host 192.168.11.100 on an interface configured as a NAT inside interface, it checks the NAT configuration to determine whether this packet should be translated. If the ACL permits the packet, R2 translates it. R2 then checks its NAT table.
If a translation entry is found, R2 forwards the packet. If no translation entry is found, R2 determines that the source address 192.168.1.100 must be translated dynamically. R2 selects the first available global address from the dynamic address pool and creates a translation entry; in this example, as shown in the figure below, the address is 202.128.54.3.
This address belongs to the inside global address pool. You can see the highlighted entries on the inbound and outbound interfaces. On the outbound interface, the source address has been changed to 202.128.54.3.
R2 replaces the inside local source address of PC1, 192.168.11.100, with the inside global address 202.128.54.3 and forwards the packet. Here I skip the packet’s path through the internet cloud and R1. The server receives the packet from PC1 and responds using the IPv4 destination address 202.128.54.3, as shown in the figure below.
When R2 receives the packet with destination IPv4 address 202.128.54.3, it performs a NAT table lookup. Using the mapping in the table, R2 translates 202.128.54.3 back to the inside local address 192.168.11.100 and forwards the packet toward PC1. The same process applies to host 192.168.10.101.
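The dynamic NAT process just described (ACL check, first free address from the pool, reverse lookup on the reply, waiting when the pool is exhausted, and the default 24-hour idle timeout) as a runnable model. This is an added example and not code from the page or from IOS; the class and method names, the way the standard ACL is represented, and the timer handling are assumptions, while the pool and LAN ranges are those configured on R2 above.

```python
# Added example, not from the page: a model of the dynamic NAT process above
# (ACL check, first free pool address, reverse lookup, exhaustion, idle timeout).
# Class/method names, the ACL form and the timer handling are assumptions.
import ipaddress

class DynamicNat:
    def __init__(self, pool_start, pool_end, permitted, timeout=24 * 3600):
        first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.free = [str(ipaddress.ip_address(a)) for a in range(int(first), int(last) + 1)]
        # Standard ACL as permit lines only; anything else hits the implicit deny.
        self.permitted = [ipaddress.ip_network(n) for n in permitted]
        self.timeout = timeout            # default 24 hours, as on IOS
        self.table = {}                   # inside_local -> (inside_global, last_seen)

    def _expire(self, now):
        # Idle entries time out and their global address returns to the pool.
        for local, (glob, seen) in list(self.table.items()):
            if now - seen >= self.timeout:
                del self.table[local]
                self.free.append(glob)

    def outbound(self, src_ip, now=0):
        """Inside->outside: returns the inside global address, or None if not translated."""
        self._expire(now)
        if not any(ipaddress.ip_address(src_ip) in n for n in self.permitted):
            return None                   # ACL did not permit the source
        if src_ip not in self.table:
            if not self.free:
                return None               # pool exhausted: host must wait
            self.table[src_ip] = (self.free.pop(0), now)
        glob = self.table[src_ip][0]
        self.table[src_ip] = (glob, now)  # refresh the idle timer
        return glob

    def inbound(self, dst_ip, now=0):
        """Outside->inside: reverse lookup of the inside global address."""
        self._expire(now)
        for local, (glob, _) in self.table.items():
            if glob == dst_ip:
                return local
        return None

def demo():
    """Pool and LANs as configured on R2 above; hosts as in the figures."""
    nat = DynamicNat("202.128.54.3", "202.128.54.14",
                     ["192.168.10.0/24", "192.168.11.0/24"])
    first = nat.outbound("192.168.11.100")    # first free address: 202.128.54.3
    second = nat.outbound("192.168.10.101")   # next one: 202.128.54.4
    return first, second, nat.inbound("202.128.54.3")
```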
Verifying Dynamic NAT
The show ip nat translations command is used to verify the dynamic NAT configuration. We have already discussed this command in the Static NAT configuration.
The command displays all static translations as well as any dynamic translations created by traffic. The figure below illustrates the output of this command for the dynamic NAT configuration.
The translation entries remain in the translation table for 24 hours by default, but we can change the timer with the ip nat translation timeout <timeout-seconds> command in global configuration mode.
We can also clear the dynamic translation entries with the clear ip nat translation command in privileged EXEC mode. To clear all dynamic NAT entries, use clear ip nat translation * in privileged EXEC mode. Only the dynamic translations are cleared from the table; static translations cannot be cleared from the translation table.
We can also use the show ip nat statistics command. It displays the total number of active translations, the NAT configuration parameters, the total number of addresses in the pool, and the number of addresses currently allocated. We can also use the show running-config command and look for the dynamic NAT configuration.
Static NAT maps inside and outside addresses one-to-one. It allows external devices to establish a session with internal devices using the statically assigned public address. For example, an internal web server is mapped to a specific inside global address.
The figure below illustrates an inside network containing a web server with a private IPv4 address accessible from the outside network using a global IPv4 address.
Router R1 is configured with static NAT, allowing devices on the outside network to access the web server. Static NAT translates the public IPv4 address to the private IPv4 address so that outside devices can reach the web server. The steps for configuring static NAT are the following:
Create a mapping between the inside local address and the inside global address.
After mapping, configure the interfaces participating in the translation as inside or outside interfaces relative to NAT.
When NAT is applied, packets arriving on the router’s inside interface are translated and forwarded out the outside interface. Packets arriving on the outside interface addressed to the configured inside global IPv4 address are translated to the inside local address and forwarded to the inside network.
Example configuration of Static NAT
There are four basic terms for configuring NAT: inside local, inside global, outside local, and outside global. We discussed these terms in the previous lesson. In this lesson, I am going to explain static NAT briefly. The following topology is used to configure static NAT.
The figure above shows the topology for the static NAT configuration. It contains both the inside and outside networks. R2 is the NAT router; it translates packets from the web servers at 192.168.10.101 and 192.168.11.100 to the public IPv4 addresses 202.128.54.3 and 202.128.54.4.
The Internet client directs web requests to the public IPv4 addresses 202.128.54.3 and 202.128.54.4, and R2 forwards that traffic to the web servers at 192.168.10.101 and 192.168.11.100. Now, let’s configure R2 for static NAT. All other necessary configuration has been done previously.
Configuration of Static NAT for Server-1 (192.168.11.100)
Configuration of Static NAT for Server-2 (192.168.11.100)
For Server-2 the NAT outside interface is again the s0/0/0.100 sub-interface, which is already marked with ip nat outside, so we do not need to configure ip nat outside again.
The configuration above illustrates the static NAT translation process between the client and the web server. Static translations are generally configured when clients on the internet need to reach devices on the private network. Now look at the topology above and analyze the network after the NAT configuration:
PC-1 is on the Internet, and both servers are in the private network. PC-1 wants to open a connection to web server-1. The client sends a packet to server-1 using the public IPv4 destination address 202.128.54.4, which is the inside global address of the web server.
Upon receiving the first packet on the outside interface, R2 checks its NAT table. The packet’s destination IPv4 address is found in the NAT table and is translated.
R2 translates the inside global address 202.128.54.4 into the inside local address 192.168.11.100 and then forwards the packet to the web server.
The web server receives the packet from R2 and replies to PC-1, using its inside local address 192.168.11.100 as the source.
R2 receives the packet from the web server on interface g0/1, the inside interface, with the source address set to the web server’s inside local address, 192.168.11.100.
R2 again checks the NAT table for a translation and finds the address. It translates the source address (the inside local address) to the inside global address 202.128.54.4 and forwards the packet out its serial 0/0/0.100 interface to the client.
The client receives the packet and continues the conversation. The NAT router performs Steps 2 to 7 for each packet.
Verifying Static NAT
The show ip nat translations command is important for verifying the operation of NAT. Its output displays active NAT translations; static translations are always present in the NAT table.
If the command is executed during an active session, the output also shows the address of the outside device, as shown in the figure below; otherwise, it shows only the inside address translation.
We can also use the show ip nat statistics command. It displays the total number of active translations, the NAT configuration parameters, the number of addresses in the pool, and the number of addresses allocated. The figure below illustrates the output of this command.
To verify that the NAT translation works, clear the previous statistics using the clear ip nat statistics command before testing. Before sending any packet to the web servers, execute the show ip nat statistics command; it will display no hits. After establishing a session with the server, show ip nat statistics will display the incremented hit count.