CIDR, Private Addresses, and NAT
The sky was falling in the early 1990s in that the commercialization of the Internet was rapidly depleting the IP Version 4 address space. Also, Internet routers' routing tables were doubling annually (at least). Without some changes, the incredible growth of the Internet in the 1990s would have been stifled.
To solve the problems associated with this rapid growth, several short-term solutions were created, as well as an ultimate long-term solution. The short-term solutions included classless interdomain routing (CIDR), which helps reduce the size of routing tables by aggregating routes, and Network Address Translation (NAT), which reduces the number of required public IP addresses used by each organization or company. This section covers the details of CIDR and NAT, plus a few related features. The long-term solution to this problem, IPv6, is covered in Chapter 20, "IP Version 6."
Classless Interdomain Routing
CIDR is a convention defined in RFCs 1517 through 1520 that calls for aggregating routes for multiple classful network numbers into a single routing table entry. The primary goal of CIDR is to improve the scalability of Internet routers' routing tables. Imagine the implications of an Internet router being burdened by knowing a route to every class A, B, and C network on the planet!
CIDR uses both technical tools and administrative strategies to reduce the size of the Internet routing tables. Technically, CIDR uses route summarization, but with Internet scale in mind.
112 Chapter 4: IP Addressing
For instance, CIDR might be used to allow a large ISP to control a range of IP addresses from 198.0.0.0 to 198.255.255.255, with the improvements to routing shown in Figure 4-5.
Figure 4-5 Typical Use of CIDR
ISPs 2, 3, and 4 need only one route (198.0.0.0/8) in their routing tables to be able to forward packets to all destinations that begin with 198. Note that this summary actually summarizes multiple class C networks, a typical feature of CIDR. ISP 1's routers contain more detailed routing entries for addresses beginning with 198, based on where they allocate IP addresses for their customers. ISP 1 would reduce its routing tables similarly with large ranges used by the other ISPs.
CIDR attacks the problem of large routing tables via administrative means as well. As shown in Figure 4-5, ISPs are assigned contiguous blocks of addresses to use when assigning addresses for their customers. Likewise, regional authorities are assigned large address blocks, so when individual companies ask for registered public IP addresses, they ask their regional registry to assign them an address block. As a result, addresses assigned by the regional agency will at least be aggregatable into one large geographic region of the world. For instance, the Latin American and Caribbean Internet Addresses Registry (LACNIC, http://www.lacnic.net) administers the IP address space of the Latin American and Caribbean region (LAC) on behalf of the Internet community.
In some cases, the term CIDR is used a little more generally than the original intent of the RFCs. Some texts use the term CIDR synonymously with the term route summarization. Others use the term CIDR to refer to the process of summarizing multiple classful networks together. In other cases, when an ISP assigns subsets of a classful network to a customer who does not need an entire class C network, the ISP is essentially performing subnetting; once again, this concept sometimes gets categorized as CIDR. But CIDR itself refers to the administrative assignment of large address blocks, and the related summarized routes, for the purpose of reducing the size of the Internet routing tables.
Figure 4-5 (diagram): ISP #1 holds the block 198.0.0.0 - 198.255.255.0 and allocates Customer #1 198.8.3.0/24, Customer #2 198.4.2.0/24 and 198.4.3.0/24, and Customer #3 198.1.0.0. ISP #2, ISP #3, and ISP #4 each carry a single route to 198.0.0.0 mask 255.0.0.0 that points to ISP #1.
Private Addressing
One of the issues with Internet growth was the assignment of all possible network numbers to a small number of companies or organizations. Private IP addressing helps to mitigate this problem by allowing computers that will never be directly connected to the Internet to not use public, Internet-routable addresses. For IP hosts that will purposefully have no direct Internet connectivity, you can use several reserved network numbers, as defined in RFC 1918 and listed in Table 4-12.
In other words, any organization can use these network numbers. However, no organization is allowed to advertise these networks using a routing protocol on the Internet. Furthermore, all Internet routers should be configured to reject these routes.
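As an added example (not code from the book), the following Python models what Figure 4-5 and the RFC 1918 rule above ask of an Internet router: it aggregates contiguous customer prefixes into one CIDR route, performs the longest-prefix match that lets ISP 2's single 198.0.0.0/8 route coexist with ISP 1's detailed entries, and rejects advertised prefixes that overlap the Table 4-12 private ranges. Customer #3's mask is not shown in the figure; /16 is assumed here.

```python
import ipaddress

# Constructed tables modelled on Figure 4-5; not the book's own code.
# Customer #3 appears as 198.1.0.0 with no mask in the figure; /16 is assumed.
ISP1_CUSTOMERS = ["198.8.3.0/24", "198.4.2.0/24", "198.4.3.0/24", "198.1.0.0/16"]
# RFC 1918 ranges from Table 4-12
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_route(prefix):
    """True if a prefix overlaps RFC 1918 space. CIDR prefixes either nest or are
    disjoint, so overlaps() also catches a /8 that would swallow 172.16.0.0/12."""
    return any(ipaddress.ip_network(prefix, strict=False).overlaps(p) for p in RFC1918)


def accept_advertisements(advertised):
    """An Internet router's inbound filter: keep public prefixes, reject private ones."""
    accepted = [p for p in advertised if not is_private_route(p)]
    rejected = [p for p in advertised if is_private_route(p)]
    return accepted, rejected


def summarize(prefixes):
    """CIDR aggregation: collapse contiguous prefixes into the fewest covering routes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def class_c_networks_covered(prefix):
    """How many classful class C (/24) networks a single summary route stands for."""
    plen = ipaddress.ip_network(prefix).prefixlen
    return 2 ** (24 - plen) if plen <= 24 else 0


def lookup(table, dst):
    """Longest-prefix match: the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for p in table:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


if __name__ == "__main__":
    # ISP 2 holds one summary route; ISP 1 holds the detailed customer routes
    print(lookup(["198.0.0.0/8"], "198.4.2.7"))         # 198.0.0.0/8
    print(lookup(ISP1_CUSTOMERS, "198.4.2.7"))           # 198.4.2.0/24
    print(summarize(["198.4.2.0/24", "198.4.3.0/24"]))   # ['198.4.2.0/23']
    print(class_c_networks_covered("198.0.0.0/8"))       # 65536
    print(accept_advertisements(["198.0.0.0/8", "10.1.0.0/16", "172.0.0.0/8"]))
```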
Network Address Translation
NAT, defined in RFC 1631, allows a host that does not have a valid registered IP address to communicate with other hosts on the Internet. NAT has gained such widespread acceptance that the majority of enterprise IP networks today use private IP addresses for most hosts on the network and use a small block of public IP addresses, with NAT translating between the two.
NAT translates, or changes, one or both IP addresses inside a packet as it passes through a router. (Many firewalls also perform NAT; for the CCIE Routing and Switching exam, you do not need to know NAT implementation details on firewalls.) In most cases, NAT changes the (typically private range) addresses used inside an enterprise network into addresses from the public IP address space. For instance, Figure 4-6 shows static NAT in operation; the enterprise has registered class C network 200.1.1.0/24, and uses private class A network 10.0.0.0/8 for the hosts inside its network.
NOTE Because CIDR defines how to combine routes for multiple classful networks into a single route, some people think of this process as being the opposite of subnetting. As a result, many people refer to CIDR's summarization results as supernetting.
Table 4-12 RFC 1918 Private Address Space
Range of IP Addresses             Class of Networks   Number of Networks
10.0.0.0 to 10.255.255.255        A                   1
172.16.0.0 to 172.31.255.255      B                   16
192.168.0.0 to 192.168.255.255    C                   256
Figure 4-6 Basic NAT Concept
Beginning with the packets sent from a PC on the left to the server on the right, the private IP source address 10.1.1.1 is translated to a public IP address of 200.1.1.1. The client sends a packet with source address 10.1.1.1, but the NAT router changes the source to 200.1.1.1, a registered public IP address. Once the server receives a packet with source IP address 200.1.1.1, the server thinks it is talking to host 200.1.1.1, so it replies with a packet sent to destination 200.1.1.1. The NAT router then translates the destination address (200.1.1.1) back to 10.1.1.1.
Figure 4-6 provides a good background for the introduction of a couple of key terms, Inside Local and Inside Global. Both terms take the perspective of the owner of the enterprise network. In Figure 4-6, address 10.1.1.1 is the Inside Local address, and 200.1.1.1 is the Inside Global address. Both addresses represent the client PC on the left, which is inside the enterprise network. Address 10.1.1.1 is from the enterprise's IP address space, which is only locally routable inside the enterprise, hence the term Inside Local. Address 200.1.1.1 represents the local host, but the address is from the globally routable public IP address space, hence the name Inside Global. Table 4-13 lists and describes the four main NAT address terms.
Table 4-13 NAT Terminology
Name                     Location of Host Represented by Address   IP Address Space in Which Address Exists
Inside Local address     Inside the enterprise network             Part of the enterprise IP address space; typically a private IP address
Inside Global address    Inside the enterprise network             Part of the public IP address space
Figure 4-6 (diagram): inside hosts 10.1.1.1 and 10.1.1.2 reach the NAT router on e0/0; s0/0 faces the Internet and the server at 170.1.1.1. Outbound, the packet's source address (SA) 10.1.1.1 becomes SA 200.1.1.1; inbound, the destination address (DA) 200.1.1.1 becomes DA 10.1.1.1. NAT table: Inside Local 10.1.1.1 and 10.1.1.2 map to Inside Global 200.1.1.1 and 200.1.1.2.
Static NAT
Static NAT works just like the example in Figure 4-6, but with the IP addresses statically mapped to each other via configuration commands. With static NAT:
■ A particular Inside Local address always maps to the same Inside Global (public) IP address.
■ If used, each Outside Local address always maps to the same Outside Global (public) IP address.
■ Static NAT does not conserve public IP addresses.
Although static NAT does not help with IP address conservation, static NAT does allow an engineer to make an inside server host available to clients on the Internet, because the inside server will always use the same public IP address.
Example 4-1 shows a basic static NAT configuration based on Figure 4-6. Conceptually, the NAT router has to identify which interfaces are inside (attach to the enterprise's IP address space) or outside (attach to the public IP address space). Also, the mapping between each Inside Local and Inside Global IP address must be made. (Although not needed for this example, outside addresses can also be statically mapped.)
Table 4-13 NAT Terminology (Continued)
Name                     Location of Host Represented by Address                      IP Address Space in Which Address Exists
Outside Local address    In the public Internet; or, outside the enterprise network   Part of the enterprise IP address space; typically a private IP address
Outside Global address   In the public Internet; or, outside the enterprise network   Part of the public IP address space
Example 4-1 Static NAT Configuration
! E0/0 attaches to the internal private IP space, so it is configured as an inside
! interface.
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
! S0/0 is attached to the public Internet, so it is defined as an outside
! interface.
interface Serial0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
The router is performing NAT only for inside addresses. As a result, the router processes packets entering E0/0, packets that could be sent by inside hosts, by examining the source IP address. Any packets with a source IP address listed in the Inside Local column of the show ip nat translations command output (10.1.1.1 or 10.1.1.2) will be translated to source address 200.1.1.1 or 200.1.1.2, respectively, per the NAT table. Likewise, the router examines the destination IP address of packets entering S0/0, because those packets would be destined for inside hosts. Any such packets with a destination of 200.1.1.1 or .2 will be translated to 10.1.1.1 or .2, respectively.
In cases with static outside addresses being configured, the router also looks at the destination IP address of packets sent from the inside to the outside interfaces, and the source IP address of packets sent from outside interfaces to inside interfaces.
Dynamic NAT Without PAT
Dynamic NAT (without PAT), like static NAT, creates a one-to-one mapping between an Inside Local and Inside Global address. However, unlike static NAT, it does so by defining a set or pool of Inside Local and Inside Global addresses, and dynamically mapping pairs of addresses as needed. For example, Figure 4-7 shows a pool of five Inside Global IP addresses, 200.1.1.1 through 200.1.1.5. NAT has also been configured to translate any Inside Local addresses whose address starts with 10.1.1.
The numbers 1, 2, and 3 in Figure 4-7 refer to the following sequence of events:
1. Host 10.1.1.2 starts by sending its first packet to the server at 170.1.1.1.
2. As the packet enters the NAT router, the router applies some matching logic to decide if the packet should have NAT applied. Because the logic has been configured to mean "translate Inside Local addresses that start with 10.1.1," the router dynamically adds an entry in the NAT table for 10.1.1.2 as an Inside Local address.
3. The NAT router needs to allocate a corresponding IP address from the pool of valid Inside Global addresses. It picks the first one available (200.1.1.1 in this case) and adds it to the NAT table to complete the entry.
Example 4-1 Static NAT Configuration (Continued)
! Next, two inside addresses are mapped, with the first address referencing the
! Inside Local address, and the next referencing the Inside Global address.
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1
! Below, the NAT table lists the permanent static entries from the configuration.
NAT# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
--- 200.1.1.2          10.1.1.2           ---                ---
Figure 4-7 Dynamic NAT
With the completion of step 3, the NAT router can actually translate the source IP address, and forward the packet. Note that as long as the dynamic NAT entry exists in the NAT table, only host 10.1.1.2 can use Inside Global IP address 200.1.1.1.
Overloading NAT with Port Address Translation
As mentioned earlier, NAT is one of the key features that helped to reduce the rate at which the IPv4 address space was being depleted. NAT overloading, also known as Port Address Translation (PAT), is the NAT feature that actually provides the significant savings of IP addresses. The key to understanding how PAT works is to consider the following: From a server's perspective, there is no significant difference between 100 different TCP connections, each from a different host, and 100 different TCP connections all from the same host.
PAT works by making large numbers of TCP or UDP flows from many Inside Local hosts appear to be the same number of large flows from one (or a few) host's Inside Global addresses. With PAT, instead of just translating the IP address, NAT also translates the port numbers as necessary. And because the port number fields are 16 bits in length, each Inside Global IP address can support over 65,000 concurrent TCP and UDP flows. For instance, in a network with 1000 hosts, a single public IP address used as the only Inside Global address could handle an average of six concurrent flows from each host to and from hosts on the Internet.
Figure 4-7 (diagram): inside hosts 10.1.1.1 and 10.1.1.2, the NAT router, the Internet, and the server at 170.1.1.1. Steps 1 through 4 follow the first packet from 10.1.1.2, which leaves the host with SA 10.1.1.2 and is forwarded to the Internet with SA 200.1.1.1. Criteria for hosts to NAT: 10.1.1.0 - 10.1.1.255. NAT pool: 200.1.1.1, 200.1.1.2, 200.1.1.3, 200.1.1.4, 200.1.1.5. NAT table before the first packet: empty. NAT table after the first packet: Inside Local 10.1.1.2, Inside Global 200.1.1.1.
Dynamic NAT and PAT Configuration
Like static NAT, dynamic NAT configuration begins with identifying the inside and outside interfaces. Additionally, the set of Inside Local addresses is configured with the ip nat inside global command. If you are using a pool of public Inside Global addresses, the set of addresses is defined by the ip nat pool command. Example 4-2 shows a dynamic NAT configuration based on the internetwork shown in Figure 4-7. The example defines 256 Inside Local addresses and two Inside Global addresses.
Example 4-2 Dynamic NAT Configuration
! First, the ip nat pool fred command lists a range of IP addresses. The ip nat
! inside source list 1 pool fred command points to ACL 1 as the list of Inside
! Local addresses, with a cross-reference to the pool name.
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
ip nat pool fred 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool fred
!
access-list 1 permit 10.1.1.0 0.0.0.255
! Next, the NAT table begins as an empty table, because no dynamic entries had
! been created at that point.
NAT# show ip nat translations
! The NAT statistics show that no hits or misses have occurred. Hits occur when
! NAT looks for a mapping, and finds one. Misses occur when NAT looks for a NAT
! table entry, does not find one, and then needs to dynamically add one.
NAT# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  Ethernet0/0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool fred refcount 0
 pool fred: netmask 255.255.255.252
        start 200.1.1.1 end 200.1.1.2
        type generic, total addresses 2, allocated 0 (0%), misses 0
! At this point, a Telnet session from 10.1.1.1 to 170.1.1.1 started.
Example 4-2 Dynamic NAT Configuration (Continued)
! Below, the 1 "miss" means that the first packet from 10.1.1.2 did not have a
! matching entry in the table, but that packet triggered NAT to add an entry to the
! NAT table. Host 10.1.1.2 has then sent 69 more packets, noted as "hits" because
! there was an entry in the table.
NAT# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  Ethernet0/0
Hits: 69  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool fred refcount 1
 pool fred: netmask 255.255.255.252
        start 200.1.1.1 end 200.1.1.2
        type generic, total addresses 2, allocated 1 (50%), misses 0
! The dynamic NAT entry is now displayed in the table.
NAT# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.2           ---                ---
! Below, the configuration uses PAT via the overload parameter. Could have used the
! ip nat inside source list 1 int s0/0 overload command instead, using a single
! Inside Global IP address.
NAT(config)# no ip nat inside source list 1 pool fred
NAT(config)# ip nat inside source list 1 pool fred overload
! To test, the dynamic NAT entries were cleared after changing the NAT
! configuration.
NAT# clear ip nat translations *
! Before the next command was issued, host 10.1.1.1 had created two
! Telnet connections, and host 10.1.1.2 created 1 more TCP connection. Note that
! all three dynamically mapped flows use the common Inside Global 200.1.1.1.
NAT# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:3212     10.1.1.1:3212      170.1.1.1:23       170.1.1.1:23
tcp 200.1.1.1:3213     10.1.1.1:3213      170.1.1.1:23       170.1.1.1:23
tcp 200.1.1.1:38913    10.1.1.2:38913     170.1.1.1:23       170.1.1.1:23
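The dynamic NAT and PAT behaviour of Example 4-2, as an added Python simulation rather than the book's own code: a NatRouter class holds the ACL, the pool, and the hit/miss counters, hands a whole Inside Global address to each host without overload, and shares one address across flows by port with overload. Port selection on a collision (take the next free port) is a simplifying assumption, not documented IOS behaviour.

```python
import ipaddress

class NatRouter:
    """Added model of 'ip nat inside source list 1 pool fred [overload]' from
    Example 4-2 (not the book's code). Sources are translated on packets entering
    the inside interface, destinations on packets entering the outside interface."""

    def __init__(self, inside_acl, pool, overload=False):
        self.acl = ipaddress.ip_network(inside_acl)  # access-list 1: hosts eligible for NAT
        self.pool = list(pool)                       # Inside Global addresses (pool fred)
        self.overload = overload                     # PAT when True
        self.table = {}   # (inside local, port) -> (inside global, port); port None without PAT
        self.hits = self.misses = 0                  # as in 'show ip nat statistics'

    def _key(self, addr, port):
        # Without PAT a whole host owns one global address; with PAT each flow has an entry
        return (addr, port if self.overload else None)

    def _allocate(self, sport):
        in_use = set(self.table.values())
        if self.overload:
            # PAT: one global address serves many flows, told apart by port. Keep the
            # source port when free, else take the next free one (assumed, simplified).
            glob, gport = self.pool[0], sport
            while (glob, gport) in in_use:
                gport += 1
            return glob, gport
        for glob in self.pool:                       # dynamic NAT: first free pool address
            if (glob, None) not in in_use:
                return glob, None
        raise RuntimeError("pool exhausted: packet dropped")

    def inside_to_outside(self, src, sport):
        """Packet entering E0/0: translate the source if ACL 1 matches it."""
        if ipaddress.ip_address(src) not in self.acl:
            return src, sport                        # no ACL match: forwarded untranslated
        key = self._key(src, sport)
        if key in self.table:
            self.hits += 1                           # hit: mapping already exists
        else:
            self.misses += 1                         # miss: create the mapping now
            self.table[key] = self._allocate(sport)
        glob, gport = self.table[key]
        return glob, (sport if gport is None else gport)

    def outside_to_inside(self, dst, dport):
        """Packet entering S0/0: map the Inside Global destination back, or drop it."""
        for (local, lport), (glob, gport) in self.table.items():
            if glob == dst and (gport is None or gport == dport):
                self.hits += 1
                return local, (dport if lport is None else lport)
        return None                                  # no entry: unsolicited inbound is dropped

    def translations(self):
        """Rows like 'show ip nat translations': (Inside global, Inside local)."""
        def fmt(addr, port):
            return addr if port is None else f"{addr}:{port}"
        return sorted((fmt(g, gp), fmt(l, lp)) for (l, lp), (g, gp) in self.table.items())
```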