CCNA Crash Course Day 04

  • Upload
    jjohnny


  • 8/10/2019 CCNA Crash Course Day 04

    1/113

    1

    Layer 2 Switching

    Switching breaks up large collision domains into smaller ones.

    A collision domain is a network segment with two or more devices sharing the same bandwidth.

    A hub network is a typical example of this type of technology.

    Each port on a switch is actually its own collision domain, so you can make a much better Ethernet LAN network just by replacing your hubs with switches.

    Switching Services

    Unlike bridges, which use software to create and manage a filter table, switches use Application Specific Integrated Circuits (ASICs).

    Layer 2 switches and bridges are faster than routers because they don't take up time looking at the Network layer header information.

    They look at the frame's hardware addresses before deciding to either forward the frame or drop it.

    What makes layer 2 switching so efficient is that no modification to the data packet takes place.

    How Switches and Bridges Learn Addresses

    Bridges and switches learn in the following ways:

    Reading the source MAC address of each received frame or datagram

    Recording the port on which the MAC address was received

    In this way, the bridge or switch learns which addresses belong to the devices connected to each port.


    Ethernet Access with Hubs

    Ethernet Switches and Bridges

    Address learning

    Forward/filter decision

    Loop avoidance

    Switch Features

    There are three conditions in which a switch will flood a frame out on all ports except the port on which the frame came in, as follows:

    Unknown unicast address

    Broadcast frame

    Multicast frame


    MAC Address Table

    Initial MAC address table is empty.

    Learning Addresses

    Station A sends a frame to station C.

    The switch caches the MAC address of station A against port E0 by learning the source address of data frames.

    The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded).

    Learning Addresses (Cont.)

    Station D sends a frame to station C.

    The switch caches the MAC address of station D against port E3 by learning the source address of data frames.

    The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded).


    Filtering Frames

    Station A sends a frame to station C.

    Destination is known; frame is not flooded.

    Broadcast and Multicast Frames

    Station D sends a broadcast or multicast frame.

    Broadcast and multicast frames are flooded to all ports other than the originating port.

    Forward/Filter Decision

    When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database.

    If the destination hardware address is known and listed in the database, the frame is sent out only the correct exit interface.

    If the destination hardware address is not listed in the MAC database, then the frame is flooded out all active interfaces except the interface the frame was received on.

    If a host or server sends a broadcast on the LAN, the switch will flood the frame out all active ports except the source port.
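    The learning and forward/filter rules on the slides above, worked through as an added example (not code from the course): a small learning-switch simulation that replays the station A/C/D sequence. The port names E0-E3 and the station MAC addresses are constructed.

```python
"""Learning-switch simulation (added example, not from the course slides).

Implements the rules from the MAC address table and forward/filter slides:
learn the source MAC on the ingress port; forward a known unicast out its one
port (or filter it when that port is the ingress port); flood unknown unicast,
broadcast and multicast frames out every port except the one the frame came in on.
Port names E0-E3 and the station MACs are constructed for the scenario.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    ports: list[str]
    # forward/filter database: MAC -> port; empty when the switch powers on
    table: dict[str, str] = field(default_factory=dict)

    def receive(self, ingress: str, frame: Frame) -> tuple[str, list[str]]:
        """Process one frame and return (decision, list of egress ports)."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        # Address learning: a unicast source MAC is recorded against the
        # ingress port; a group address can never be a valid source.
        if not is_group_address(frame.src):
            self.table[frame.src] = ingress
        flood_ports = [p for p in self.ports if p != ingress]
        if frame.dst == BROADCAST:
            return "flood-broadcast", flood_ports
        if is_group_address(frame.dst):
            return "flood-multicast", flood_ports
        out = self.table.get(frame.dst)
        if out is None:
            return "flood-unknown-unicast", flood_ports
        if out == ingress:
            # Destination sits on the sender's own segment (e.g. behind a hub):
            # the switch filters the frame instead of echoing it back.
            return "filter", []
        return "forward", [out]


def slide_scenario() -> tuple[LearningSwitch, list[tuple[str, list[str]]]]:
    """Replay the slides' sequence: A on E0, C on E2, D on E3 (constructed MACs)."""
    sw = LearningSwitch(ports=["E0", "E1", "E2", "E3"])
    a, c, d = "00:00:0c:00:00:0a", "00:00:0c:00:00:0c", "00:00:0c:00:00:0d"
    results = [
        sw.receive("E0", Frame(a, c)),          # A->C: C unknown, flooded; A learned on E0
        sw.receive("E3", Frame(d, c)),          # D->C: still unknown, flooded; D learned on E3
        sw.receive("E2", Frame(c, a)),          # C->A: A known, sent out E0 only; C learned on E2
        sw.receive("E0", Frame(a, c)),          # A->C: C now known, sent out E2 only
        sw.receive("E3", Frame(d, BROADCAST)),  # D broadcast: flooded out all ports except E3
    ]
    return sw, results


if __name__ == "__main__":
    switch, decisions = slide_scenario()
    for decision in decisions:
        print(decision)
    print("MAC table:", switch.table)
```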


    Learning Mac Address



    Forward/Filter PC3 to PC1


    Forward/Filter PC3 to PC2

    Loop Avoidance

    Redundant links between switches are a good idea because they help prevent complete network failures in the event one link stops working.

    However, they often cause more problems because frames can be flooded down all redundant links simultaneously.

    This creates network loops.

    Network Broadcast Loops

    A manufacturing floor PC sent a network broadcast to request a boot loader.

    The broadcast was first received by switch sw1 on port 2/1.

    The topology is redundantly connected; therefore, switch sw2 receives the broadcast frame as well on port 2/1.

    Switch sw2 is also receiving a copy of the broadcast frame forwarded to the LAN segment from port 2/2 of switch sw1.

    In a small fraction of the time, we have four packets. The problem grows exponentially until the network bandwidth is saturated.


    Multiple Frame Copies

    Overview

    Redundancy in a network is extremely important because redundancy allows networks to be fault tolerant.

    Redundant topologies based on switches and bridges are subject to broadcast storms, multiple frame transmissions, and MAC address database instability.

    Therefore network redundancy requires careful planning and monitoring to function properly.

    The Spanning-Tree Protocol is used in switched networks to create a loop-free network.

    Spanning-Tree Protocol

    Provides a loop-free redundant network topology by placing certain ports in the blocking state.

    Spanning Tree Protocol

    Spanning Tree Protocol resides in the Data Link layer.

    Ethernet bridges and switches can implement the IEEE 802.1D Spanning-Tree Protocol and use the spanning-tree algorithm to construct a loop-free network.

    Selecting the Root Bridge

    The first decision that all switches in the network make is to identify the root bridge.

    When a switch is turned on, the spanning-tree algorithm is used to identify the root bridge. BPDUs are sent out with the Bridge ID (BID).

    The BID consists of a bridge priority that defaults to 32768 and the switch base MAC address.

    When a switch first starts up, it assumes it is the root switch and sends BPDUs. These BPDUs contain the BID.

    All bridges see these and decide that the bridge with the smallest BID value will be the root bridge.

    A network administrator may want to influence the decision by setting the switch priority to a smaller value than the default.

    Spanning Tree Protocol Terms

    BPDU - Bridge Protocol Data Unit (BPDU): all the switches exchange information to use in the selection of the root switch.

    Bridge ID - The bridge ID is how STP keeps track of all the switches in the network. It is determined by a combination of the bridge priority (32,768 by default on all Cisco switches) and the base MAC address.

    Root bridge - The bridge with the lowest bridge ID becomes the root bridge in the network.

    Nonroot bridge - These are all bridges that are not the root bridge.

    Root port - The root port is always the link directly connected to the root bridge or the shortest path to the root bridge. If more than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link.

    Designated port - A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port.

    Nondesignated port - A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are put in blocking mode.

    Forwarding port - A forwarding port forwards frames.

    Blocked port - A blocked port is a port that will not forward frames, in order to prevent loops.

    Spanning-Tree Protocol Root Bridge Selection

    BPDU = Bridge Protocol Data Unit (default = sent every two seconds)

    Root bridge = Bridge with the lowest bridge ID

    Bridge ID =

    In the example, which switch has the lowest bridge ID?

    Spanning-Tree Operation

    One root bridge per network

    One root port per nonroot bridge

    One designated port per segment

    Nondesignated ports are unused

    Selecting the Root Port

    The STP cost is an accumulated total path cost based on the rated bandwidth of each of the links. This information is then used internally to select the root port for that device.
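    Root bridge election, root port and designated port selection from the spanning-tree slides above, as an added example that is not from the course: the three-switch topology, priorities, MACs and link speeds are constructed, and port costs use the IEEE 802.1D values (100/19/4/2 for 10/100/1000/10000 Mbps).

```python
"""Spanning-tree root election and port roles (added example, not course code).

Rules as on the slides: the lowest Bridge ID (priority, then base MAC) becomes
root; each non-root bridge picks the root port with the lowest accumulated path
cost; each segment gets one designated port, held by the end closest to the
root; every remaining port blocks. Switch names, MACs, priorities and link
speeds are constructed. Assumes at most one link between any two bridges.
"""
from __future__ import annotations

import heapq

# IEEE 802.1D port costs per link speed (Mbps): the "rated bandwidth" the slide refers to.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> tuple[int, str]:
    """BID ordering: numeric priority first (default 32768), then MAC as tie-breaker."""
    return (priority, mac.lower())


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """Every switch compares the BIDs seen in BPDUs; the smallest is the root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root: str, links: list[tuple[str, str, int]]):
    """Accumulated cost from every bridge to the root (Dijkstra over port costs)."""
    adj: dict[str, list[tuple[str, int]]] = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist, adj


def port_roles(bridges: dict[str, tuple[int, str]],
               links: list[tuple[str, str, int]]) -> tuple[str, dict[tuple[str, str], str]]:
    """Return (root bridge, {(bridge, neighbour): 'root' | 'designated' | 'blocking'})."""
    root = elect_root(bridges)
    dist, adj = root_path_costs(root, links)
    bid = lambda name: bridge_id(*bridges[name])
    roles: dict[tuple[str, str], str] = {}
    # One root port per non-root bridge: lowest accumulated cost, then lowest sender BID.
    for name in bridges:
        if name == root:
            continue
        best, _ = min(((nb, dist[nb] + c) for nb, c in adj[name]),
                      key=lambda t: (t[1], bid(t[0])))
        roles[(name, best)] = "root"
    # One designated port per segment: the end with the lower root path cost, then lower BID.
    for a, b, _speed in links:
        designated = min((a, b), key=lambda n: (dist[n], bid(n)))
        other = b if designated == a else a
        roles[(designated, other)] = "designated"
        roles.setdefault((other, designated), "blocking")  # keeps an existing root-port role
    return root, roles


def demo() -> tuple[str, dict[tuple[str, str], str]]:
    """Constructed triangle: SW2's priority was lowered to 4096 by the administrator."""
    bridges = {"SW1": (32768, "00:0c:aa:aa:aa:01"),
               "SW2": (4096, "00:0c:aa:aa:aa:02"),
               "SW3": (32768, "00:0c:aa:aa:aa:03")}
    links = [("SW1", "SW2", 100), ("SW2", "SW3", 100), ("SW1", "SW3", 10)]
    return port_roles(bridges, links)


if __name__ == "__main__":
    root, roles = demo()
    print("root bridge:", root)
    for (bridge, neighbour), role in sorted(roles.items()):
        print(f"{bridge} port toward {neighbour}: {role}")
```

    With default priorities everywhere, SW1 (lowest MAC) would be root instead; the test below checks both outcomes.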


    Switching Methods

    1. Cut-Through (Fast Forward): The frame is forwarded through the switch before the entire frame is received. At a minimum the frame destination address must be read before the frame can be forwarded. This mode decreases the latency of the transmission, but also reduces error detection.

    2. Fragment-Free (Modified Cut-Through): Fragment-free switching filters out collision fragments before forwarding begins. Collision fragments are the majority of packet errors. In Fragment-Free mode, the switch checks the first 64 bytes of a frame.

    3. Store-and-Forward: The entire frame is received before any forwarding takes place. Filters are applied before the frame is forwarded. This is the most reliable method, but it also has the most latency, especially when frames are large.


    Physical Startup of the Catalyst Switch

    Switches are dedicated, specialized computers, which contain a CPU, RAM, and an operating system.

    Switches usually have several ports for the purpose of connecting hosts, as well as specialized ports for the purpose of management.

    A switch can be managed by connecting to the console port to view and make changes to the configuration.

    Switches typically have no power switch to turn them on and off. They simply connect or disconnect from a power source.

    Verifying Port LEDs During Switch POST

    Once the power cable is connected, the switch initiates a series of tests called the power-on self test (POST).

    POST runs automatically to verify that the switch functions correctly.

    The System LED indicates the success or failure of POST.

    Switch Command Modes

    Switches have several command modes.

    The default mode is User EXEC mode, whose prompt ends in a greater-than character (>).

    The commands available in User EXEC mode are limited to those that change terminal settings, perform basic tests, and display system information.

    The enable command is used to change from User EXEC mode to Privileged EXEC mode, whose prompt ends in a pound-sign character (#).

    The configure command allows other command modes to be accessed.


    Show Commands in User-Exec Mode

    Tasks

    Setting the passwords (the password must be between 4 and 8 characters)

    Setting the hostname

    Configuring the IP address and subnet mask

    Erasing the switch configuration

    Setting Switch Hostname

    Setting Passwords on Lines

    Switch Configuration

    There are two reasons to set the IP address information on the switch:

    To manage the switch via Telnet or other management software

    To configure the switch with different VLANs and other network functions

    See the default IP configuration: the show ip command

    Configure the IP address:

    sw1(config)#interface vlan 1
    sw1(config-if)#ip address 10.0.0.1 255.0.0.0
    sw1(config-if)#no shut
    sw1(config-if)#exit
    sw1(config)#ip default-gateway 10.0.0.254

    Configuring Interface Descriptions

    You can administratively set a name for each interface on the switches.

    SW1#config t
    Enter configuration commands, one per line. End with CNTL/Z
    SW1(config)#int e0/1
    SW1(config-if)#description Finance_VLAN
    SW1(config-if)#int f0/26
    SW1(config-if)#description trunk_to_Building_4
    SW1(config-if)#

    Setting Port Security

    Sw1(config-if)#switchport port-security mac-address mac-address

    Now only this one MAC address is allowed on this switch port.

    Switch Configuration

    Connect two machines to a switch.

    To view the MAC table:

    sw1#show mac-address-table dynamic

    To view and influence spanning tree:

    Sw1#sh spanning-tree
    Sw1(config)#spanning-tree vlan 1 priority ?
    Sw1(config)#spanning-tree vlan 1 priority 4096

    Erase the configuration

    VLANs

    A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.

    It gives the ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks.

    Frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN.

    By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN.

    For inter-VLAN communication you need routers.

    VLANs

    VLAN implementation combines Layer 2 switching and Layer 3 routing technologies to limit both collision domains and broadcast domains.

    VLANs can also be used to provide security by creating the VLAN groups according to function and by using routers to communicate between VLANs.

    A physical port association is used to implement VLAN assignment.

    Communication between VLANs can occur only through the router.

    This limits the size of the broadcast domains and uses the router to determine whether one VLAN can talk to another VLAN.

    NOTE: This is the only way a switch can break up a broadcast domain!

    VLAN Overview

    A VLAN = A Broadcast Domain = Logical Network (Subnet)

    Segmentation

    Flexibility

    Security

    History

    11 hosts are connected to the switch. All are in the same broadcast domain, and we need to divide them into separate logical segments.

    Sources of high broadcast traffic:

    ARP

    DHCP, SAP, X Windows, NetBIOS

    Definition

    A logically defined community of interest that limits a broadcast domain.

    VLANs are created in the software of the switch.

    All devices in a VLAN are members of the same broadcast domain and receive all broadcasts.

    The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN.

    Security

    In a flat internetwork, security used to be tackled by connecting hubs and switches together with routers.

    This arrangement is ineffective because:

    Anyone connecting to the physical network could access network resources located on that physical LAN.

    Anyone can observe the network traffic by plugging a network analyzer into the hub.

    Users could join a workgroup by just plugging their workstations into the existing hub.

    By creating VLANs, administrators have control over each port and user.

    How VLANs Simplify Network Management

    If we need to break up the broadcast domain we need to connect a router.

    By using VLANs we can divide the broadcast domain at Layer 2.

    A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them.

    As a logical grouping of users by function, VLANs can be considered independent from their physical locations.

    VLAN Memberships

    A VLAN created based on port is known as a static VLAN.

    A VLAN assigned based on hardware addresses stored in a database is called a dynamic VLAN.


    VLAN Membership Modes

    Dynamic VLANs

    A dynamic VLAN determines a node's VLAN assignment automatically.

    Using intelligent management software, you can base VLAN assignments on hardware (MAC) addresses.

    Dynamic VLANs need a VLAN Management Policy Server (VMPS).

    LAB: Deleting VLANs

    [Figure: lab topology; port1, port5]

    To delete a VLAN:

    Sw(config)#no vlan 2
    Sw(config)#no vlan 3

    To bring a port back to VLAN 1:

    Sw(config-if)#switchport mode access
    Sw(config-if)#switchport access vlan 1

    For a range of ports:

    Sw(config)#int range fastethernet 0/1 - 5
    Sw(config-if-range)#switchport access vlan 1

    Types of Links

    Access links

    This type of link is only part of one VLAN.

    It's referred to as the native VLAN of the port.

    Any device attached to an access link is unaware of a VLAN.

    Switches remove any VLAN information from the frame before it's sent to an access-link device.

    Trunk links

    Trunks can carry multiple VLANs.

    These carry the traffic of multiple VLANs.

    A trunk link is a 100- or 1000-Mbps point-to-point link between two switches, or between a switch and a router.


    Access links


    Trunk links

    Frame Tagging

    Frame tagging lets you create VLANs that span more than one connected switch. Hosts are unaware of the VLAN.

    When host A creates a data unit and it reaches the switch, the switch adds a frame tag to identify the VLAN.

    Frame tagging is a method to identify that the packet belongs to a particular VLAN.

    Each switch that the frame reaches must first identify the VLAN ID from the frame tag. It finds out what to do with the frame by looking at the information in the filter table.

    Once the frame reaches an exit to an access link matching the frame's VLAN ID, the switch removes the VLAN identifier.

    Frame Tagging Methods

    There are two frame tagging methods: Inter-Switch Link (ISL) and IEEE 802.1Q.

    Inter-Switch Link (ISL)

    Proprietary to Cisco switches; used for Fast Ethernet and Gigabit Ethernet links only.

    IEEE 802.1Q

    Created by the IEEE as a standard method of frame tagging.

    It actually inserts a field into the frame to identify the VLAN.

    If you're trunking between a Cisco switched link and a different brand of switch, you have to use 802.1Q for the trunk to work.
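    The 802.1Q tag insertion and removal described on the two Frame Tagging slides, as an added example (not the course's code): the switch inserts the 4-byte tag on trunk egress and strips it again on the access link whose VLAN matches. The MAC addresses and payload are constructed.

```python
"""802.1Q tagging on a trunk and tag removal on an access link (added example,
not from the course). Shows the 4-byte field the slide says 802.1Q "inserts
into the frame": TPID 0x8100 followed by a TCI carrying PCP, DEI and the 12-bit
VLAN ID, placed between the source MAC and the EtherType. Sample MACs and the
payload are constructed."""
from __future__ import annotations

import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host on an access link sends it."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 802.1Q tag (trunk egress). VID 0 and 4095 are reserved."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN ID {vlan_id}")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> tuple[int | None, bytes]:
    """Return (VLAN ID, or None if untagged) and the frame with the tag removed."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def trunk_to_access(frame: bytes, access_vlan: int) -> bytes | None:
    """Access-link egress: strip the tag when the VID matches the port's VLAN;
    a frame from any other VLAN does not belong on this port and is dropped (None)."""
    vid, untagged = parse_tag(frame)
    if vid != access_vlan:
        return None
    return untagged


def demo() -> dict[str, object]:
    """Host A (VLAN 2 "red" on switch 1) sends to host B on switch 2 across the trunk."""
    host_a, host_b = "00:0c:29:00:00:0a", "00:0c:29:00:00:0b"
    original = build_frame(host_b, host_a, ETHERTYPE_IPV4, b"constructed payload")
    on_trunk = tag_frame(original, vlan_id=2)      # switch 1 tags the frame for VLAN 2
    vid, _ = parse_tag(on_trunk)                   # switch 2 reads the VID from the tag
    delivered = trunk_to_access(on_trunk, access_vlan=2)
    return {"tag_len": len(on_trunk) - len(original), "vid": vid,
            "delivered_equals_original": delivered == original,
            "wrong_vlan_dropped": trunk_to_access(on_trunk, access_vlan=3) is None,
            "tpid_hex": on_trunk[12:14].hex()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```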

    LAB: Creating a Trunk

    [Figure: lab topology; hosts 10.0.0.3 and 10.0.0.4; switches 10.0.0.1 and 10.0.0.2 with ports 1 2 3 4; trunk ports 24 and 12]

    Create two VLANs on each switch:

    sw#vlan database
    sw(vlan)#vlan 2 name red
    sw(vlan)#vlan 3 name blue
    sw(vlan)#exit
    sw#config t
    sw(config)#int fastethernet 0/1
    sw(config-if)#switchport access vlan 2
    sw(config-if)#int fastethernet 0/4
    sw(config-if)#switchport access vlan 3

    To see the interface status:

    sw#show interface status

    Trunk Port Configuration

    sw#config t
    sw(config)#int fastethernet 0/24
    sw(config-if)#switchport trunk encapsulation dot1q
    sw(config-if)#switchport mode trunk

    * 2950: only dot1q encapsulation

    Assigning Access Ports to a VLAN

    Switch(config)#interface gigabitethernet 1/1
    Enters interface configuration mode

    Switch(config-if)#switchport mode access
    Configures the interface as an access port

    Switch(config-if)#switchport access vlan 3
    Assigns the access port to a VLAN

    Verifying the VLAN Configuration

    Switch#show vlan [id | name] [vlan_num | vlan_name]

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                    Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                    Gi0/1, Gi0/2
    2    VLAN0002                         active
    51   VLAN0051                         active
    52   VLAN0052                         active

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        1002   1003
    2    enet  100002     1500  -      -      -        -    -        0      0
    51   enet  100051     1500  -      -      -        -    -        0      0
    52   enet  100052     1500  -      -      -        -    -        0      0

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    Verifying the VLAN Port Configuration

    Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
    Displays the running configuration of the interface

    Switch#show interfaces [{fastethernet | gigabitethernet} slot/port] switchport
    Displays the switch port configuration of the interface

    Switch#show mac-address-table interface interface-id [vlan vlan-id] [ | {begin | exclude | include} expression]
    Displays the MAC address table information for the specified interface in the specified VLAN

    VTP Protocol Features

    A messaging system that advertises VLAN configuration information

    Maintains VLAN configuration consistency throughout a common administrative domain

    Sends advertisements on trunk ports only

    VLAN Trunking Protocol (VTP)

    Benefits of VTP:

    Consistent VLAN configuration across all switches in the network

    Accurate tracking and monitoring of VLANs

    Dynamic reporting of added VLANs to all switches in the VTP domain

    VTP Modes

    Server:
      Creates VLANs
      Modifies VLANs
      Deletes VLANs
      Sends/forwards advertisements
      Synchronizes
      Saved in NVRAM

    Client:
      Forwards advertisements
      Synchronizes
      Not saved in NVRAM

    Transparent:
      Creates VLANs
      Modifies VLANs
      Deletes VLANs
      Forwards advertisements
      Does not synchronize
      Saved in NVRAM

    VTP Operation

    VTP advertisements are sent as multicast frames.

    VTP servers and clients are synchronized to the latest update, identified by its revision number.

    VTP advertisements are sent every 5 minutes or when there is a change.

    VTP Pruning

    VTP pruning provides a way for you to preserve bandwidth by configuring it to reduce the amount of broadcast, multicast, and unicast packets.

    If Switch A doesn't have any ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, that broadcast would not traverse the trunk link to Switch A.

    By default, VTP pruning is disabled on all switches.

    Pruning is enabled for the entire domain.

    VTP Pruning

    Increases available bandwidth by reducing unnecessary flooded traffic.

    Example: Station A sends a broadcast, and the broadcast is flooded only toward any switch with ports assigned to the red VLAN.

    Creating a VTP Domain

    Catalyst 1900

    wg_sw_1900#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z
    wg_sw_1900(config)#vtp transparent
    wg_sw_1900(config)#vtp domain switchlab

    wg_sw_1900(config)#vtp [server | transparent | client] [domain domain-name] [trap {enable | disable}] [password password] [pruning {enable | disable}]

    Catalyst 2950

    wg_sw_2950#vlan database
    wg_sw_2950(vlan)#vtp [server | client | transparent]
    wg_sw_2950(vlan)#vtp domain domain-name
    wg_sw_2950(vlan)#vtp password password
    wg_sw_2950(vlan)#vtp pruning

    Verifying the VTP Configuration (Cont.)

    Switch#show vtp counters

    Switch#show vtp counters
    VTP statistics:
    Summary advertisements received    : 7
    Subset advertisements received     : 5
    Request advertisements received    : 0
    Summary advertisements transmitted : 997
    Subset advertisements transmitted  : 13
    Request advertisements transmitted : 3
    Number of config revision errors   : 0
    Number of config digest errors     : 0
    Number of V1 summary errors        : 0

    VTP pruning statistics:

    Trunk            Join Transmitted Join Received    Summary advts received from
                                                       non-pruning-capable device
    ---------------- ---------------- ---------------- ---------------------------
    Fa5/8            43071            42766            5

    VLAN to VLAN

    If you want to connect between two VLANs you need a layer 3 device.

    Router on a Stick

    [Figure: lab topology; hosts 10.0.0.3 and 20.0.0.3; switch ports 1 2 3 4; addresses 10.0.0.2 and 20.0.0.2; trunk ports 24 and 12; router FA0/0 with 10.0.0.1 and 20.0.0.1 attached to switch port 9]

    Create two VLANs on each switch:

    sw#vlan database
    sw(vlan)#vlan 2 name red
    sw(vlan)#vlan 3 name blue
    sw(vlan)#exit
    sw#config t
    sw(config)#int fastethernet 0/1
    sw(config-if)#switchport access vlan 2
    sw(config-if)#int fastethernet 0/4
    sw(config-if)#switchport access vlan 3

    To see the interface status:

    sw#show interface status

    Trunk Port Configuration

    sw#config t
    sw(config)#int fastethernet 0/24
    sw(config-if)#switchport trunk encapsulation dot1q
    sw(config-if)#switchport mode trunk

    Router Configuration

    R1#config t
    R1(config)#int fastethernet 0/0.1
    R1(config-subif)#encapsulation dot1q 2
    R1(config-subif)#ip address 10.0.0.1 255.0.0.0
    R1(config-subif)#no shut
    R1(config-subif)#exit
    R1(config)#int fastethernet 0/0.2
    R1(config-subif)#encapsulation dot1q 3
    R1(config-subif)#ip address 20.0.0.1 255.0.0.0
    R1(config-subif)#no shut

    Router-Switch Port to be made a Trunk

    sw(config)#int fastethernet 0/9
    sw(config-if)#switchport trunk encapsulation dot1q
    sw(config-if)#switchport mode trunk

    New Addressing Concepts

    Fig. 3 NAT (TI1332EU02TI_0003 New Address Concepts, 7)

    Problems with IPv4

    Shortage of IPv4 addresses

    Allocation of the last IPv4 addresses was for the year 2005

    Address classes were replaced by usage of CIDR, but this is not sufficient

    Short term solution: NAT (Network Address Translator)

    Long term solution: IPv6 = IPng (IP next generation), which provides an extended address range

    Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)

    NAT: Network Address Translator

    Translates between local addresses and public ones

    Many private hosts share few global addresses

    Public Network: uses public addresses; public addresses are globally unique

    Private Network: uses the private address range (local addresses); local addresses may not be used externally

    Fig. 4 How does NAT work? (TI1332EU02TI_0003 New Address Concepts, 9)


    Inside/Outside


    NAT Addressing Terms

    Outside Global

    The term "outside" refers to an address used for a host outside an enterprise, i.e. on the Internet.

    An outside global is the actual IP address assigned to a host that resides in the outside network, typically the Internet.

    Outside Local

    NAT uses an outside local address to represent the outside host as the packet is sent through the private network. This address is outside private: an outside host represented with a private address.

    Network Address Translation

    An IP address is either local or global. Local IP addresses are seen in the inside network.

    Static NAT

    Static NAT: mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

    In static NAT, the computer with the IP address 192.168.32.10 will always translate to 213.18.123.110.

    Dynamic NAT

  • 8/10/2019 CCNA Crash Course Day 04

    97/113

    98

    Dynamic NAT

    Dynamic NAT - Maps an unregistered IP address to a registered IPaddress from a group of registered IP addresses.

    In dynamic NAT, the computer with the IP address 192.168.32.10will translate to the first available address in the range from213.18.123.100 to 213.18.123.150.


    Overloading NAT with PAT (NAPT)

    Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is also known as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

    In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.


    Static NAT Configuration

    For each interface you need to configure whether it is INSIDE or OUTSIDE.

    Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)

    [Diagram: hosts A 10.0.0.1, B 10.0.0.2 and C 10.0.0.3 on the router's E0 (10.0.0.254); S0 (200.0.0.1) faces the Internet]

    R1(config)# int fastethernet 0/0
    R1(config-if)# ip nat inside
    R1(config-if)# int s 0/0
    R1(config-if)# ip nat outside
    R1(config-if)# exit
    R1(config)# ip nat inside source static 10.0.0.1 200.0.0.1
    R1(config)# end

    To see the table (show commands run from privileged EXEC mode, not configuration mode):
    R1# show ip nat translations
    R1# show ip nat statistics


    INSIDE/OUTSIDE


    Dynamic NAT

    Dynamic NAT sets up a pool of possible inside global addresses and defines criteria for the set of inside local IP addresses whose traffic should be translated with NAT.

    The dynamic entry in the NAT table stays there as long as traffic flows at least occasionally.

    If a new packet arrives that needs a NAT entry, but all the pooled IP addresses are in use, the router simply discards the packet.


    Dynamic NAT

    Instead of creating a static mapping, create a pool of IP addresses by specifying a range.

    Create an access list that permits the inside hosts to be translated.

    Link the access list to the pool.


    PAT

    Overloading an inside global address: with NAT overload only one global IP is shared among all hosts.

    [Diagram: hosts A 10.0.0.1, B 10.0.0.2 and C 10.0.0.3 on E0 (10.0.0.254); S0 200.0.0.1 faces the Internet. Shared global IP: the three hosts appear outside as 200.0.0.1:1025, 200.0.0.1:1026 and 200.0.0.1:1027]
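To make the dynamic NAT and PAT slides concrete, here is an added example (not code from the course or from Cisco) that models a router's NAT table in Python: a dynamic pool whose candidates are selected by a wildcard-mask access list, which discards packets once the pool is exhausted and frees an address when an idle entry times out, and PAT overload, which shares one inside global address and tells returning packets apart by port. The addresses, the port counter starting at 1025 and the `expire` helper are constructed for illustration.

```python
import ipaddress
from itertools import count
# Added illustration of a router's NAT table; constructed model, not Cisco IOS code.
def acl_permits(addr, network, wildcard):
    """Cisco-style wildcard match: a bit set in the wildcard is a don't-care bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class DynamicNat:
    """Dynamic NAT: each permitted inside host borrows one address from the pool."""
    def __init__(self, network, wildcard, pool_start, pool_end):
        self.network, self.wildcard = network, wildcard
        first, last = (int(ipaddress.IPv4Address(x)) for x in (pool_start, pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def translate(self, inside_local):
        if not acl_permits(inside_local, self.network, self.wildcard):
            return inside_local  # not matched by the access list: forwarded untranslated
        if inside_local in self.table:
            return self.table[inside_local]  # entry is reused while traffic keeps flowing
        if not self.free:
            return None  # pool exhausted: the router discards the packet
        self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

    def expire(self, inside_local):
        """An idle entry timing out returns its global address to the pool."""
        self.free.append(self.table.pop(inside_local))

class Pat:
    """NAT overload: all hosts share one inside global address, told apart by port."""
    def __init__(self, inside_global, first_port=1025):
        self.inside_global = inside_global
        self.next_port = count(first_port)  # constructed: real routers allocate differently
        self.table = {}  # (inside local, source port) -> (inside global, translated port)

    def translate(self, inside_local, src_port):
        key = (inside_local, src_port)
        if key not in self.table:
            self.table[key] = (self.inside_global, next(self.next_port))
        return self.table[key]

    def inbound(self, global_port):
        """Reverse lookup for a returning packet: the port identifies the inside socket."""
        for key, (_, port) in self.table.items():
            if port == global_port:
                return key
        return None  # no entry: unsolicited inbound traffic is dropped
```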


    PAT LAB

    R1#config t
    R1(config)# int e 0
    R1(config-if)# ip nat inside
    R1(config-if)# int s 0
    R1(config-if)# ip nat outside
    R1(config-if)# exit
    R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255
    R1(config)#ip nat inside source list 1 interface s 0 overload

    To see a host-to-host ping succeed, configure static or dynamic routing.

    [Lab topology: host A 192.168.10.2 - R1 E0 192.168.10.1, R1 S0 200.0.0.1 - R2 S0 200.0.0.2, R2 E0 192.168.20.1 - host B 192.168.20.2]

    R2#config t
    R2(config)# int e 0
    R2(config-if)# ip nat inside
    R2(config-if)# int s 0
    R2(config-if)# ip nat outside
    R2(config-if)# exit
    R2(config)#access-list 1 permit 192.168.20.0 0.0.0.255
    R2(config)#ip nat inside source list 1 interface s 0 overload
