
Lab Manual

Section 1: Static vs. Dynamic Routing


There are two basic methods of building a routing table:
• Static Routing
• Dynamic Routing
A static routing table is created, maintained, and updated manually by a network administrator.
A static route to every network must be configured on every router for full connectivity. This
provides a granular level of control over routing, but quickly becomes impractical on large
networks. Routers will not share static routes with each other, thus reducing CPU/RAM
overhead and saving bandwidth. However, static routing is not fault-tolerant, as any change to
the routing infrastructure (such as a link going down, or a new network added) requires manual
intervention. Routers operating in a purely static environment cannot seamlessly choose a better
route if a link becomes unavailable. Static routes have an Administrative Distance (AD) of 1, and
thus are always preferred over dynamic routes, unless the default AD is changed. A static route
with an adjusted AD is called a floating static route.
A dynamic routing table is created, maintained, and updated by a routing protocol running on
the router. Examples of routing protocols include RIP (Routing Information Protocol), EIGRP
(Enhanced Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First). Specific
dynamic routing protocols are covered in great detail in other guides. Routers do share dynamic
routing information with each other, which increases CPU, RAM, and bandwidth usage.
However, routing protocols are capable of dynamically choosing a different (or better) path when
there is a change to the routing infrastructure. Do not confuse routing protocols with routed
protocols:
• A routed protocol is a Layer 3 protocol that applies logical addresses to devices and
routes data between networks (such as IP)
• A routing protocol dynamically builds the network, topology, and next hop information
in routing tables (such as RIP, EIGRP, etc.)
The following briefly outlines the advantages and disadvantages of static routing:
Advantages of Static Routing
• Minimal CPU/Memory overhead
• No bandwidth overhead (updates are not shared between routers)

Page 1 of 20 Compiled by Berhanu A.


• Granular control on how traffic is routed
Disadvantages of Static Routing
• Infrastructure changes must be manually adjusted
• No “dynamic” fault tolerance if a link goes down
• Impractical on large networks
The following briefly outlines the advantages and disadvantages of dynamic routing:
Advantages of Dynamic Routing
• Simpler to configure on larger networks
• Will dynamically choose a different (or better) route if a link goes down
• Ability to load balance between multiple links
Disadvantages of Dynamic Routing
• Updates are shared between routers, thus consuming bandwidth
• Routing protocols put additional load on router CPU/RAM
• The choice of the “best route” is in the hands of the routing protocol, and not the
network administrator.
Dynamic Routing Categories
There are two distinct categories of dynamic routing protocols:
• Distance-vector protocols
• Link-state protocols
Examples of distance-vector protocols include RIP and IGRP. Examples of link-state protocols
include OSPF and IS-IS. EIGRP exhibits both distance vector and link-state characteristics, and
is considered a hybrid protocol.
Distance-vector Routing Protocols
All distance-vector routing protocols share several key characteristics:
• Periodic updates of the full routing table are sent to routing neighbors.
• Distance-vector protocols suffer from slow convergence, and are highly susceptible to
loops.
• Some form of distance is used to calculate a route’s metric.
• The Bellman-Ford algorithm is used to determine the shortest path.

A distance-vector routing protocol begins by advertising directly-connected networks to its
neighbors. These updates are sent regularly (RIP – every 30 seconds; IGRP – every 90 seconds).
Neighbors will add the routes from these updates to their own routing tables.
Each neighbor trusts this information completely, and will forward their full routing table
(connected and learned routes) to every other neighbor. Thus, routers fully (and blindly) rely on
neighbors for route information, a concept known as routing by rumor.
There are several disadvantages to this behavior. Because routing information is propagated from
neighbor to neighbor via periodic updates, distance-vector protocols suffer from slow
convergence. This, in addition to blind faith of neighbor updates, results in distance-vector
protocols being highly susceptible to routing loops. Distance-vector protocols utilize some form
of distance to calculate a route’s metric. RIP uses hop count as its distance metric, and IGRP
uses a composite of bandwidth and delay.
Link-State Routing Protocols
Link-state routing protocols were developed to alleviate the convergence and loop issues of
distance-vector protocols. Link-state protocols maintain three separate tables:
• Neighbor table – contains a list of all neighbors, and the interface each neighbor is
connected to. Neighbors are formed by sending Hello packets.
• Topology table – otherwise known as the “link-state” table, contains a map of all links
within an area, including each link’s status.
• Shortest-Path table – contains the best routes to each particular destination (otherwise
known as the “routing” table)
Link-state protocols do not “route by rumor.” Instead, routers send updates advertising the state
of their links (a link is a directly-connected network). All routers know the state of all existing
links within their area, and store this information in a topology table. All routers within an area
have identical topology tables.
The best route to each link (network) is stored in the routing (or shortest-path) table. If the state
of a link changes, such as a router interface failing, an advertisement containing only this link-
state change will be sent to all routers within that area. Each router will adjust its topology table
accordingly, and will calculate a new best route if required. By maintaining a consistent topology
table among all routers within an area, link-state protocols can converge very quickly and are
immune to routing loops.

Additionally, because updates are sent only during a link-state change, and contain only the
change (and not the full table), link-state protocols are less bandwidth intensive than distance-
vector protocols. However, the three link-state tables utilize more RAM and CPU on the router
itself. Link-state protocols utilize some form of cost, usually based on bandwidth, to calculate a
route’s metric. The Dijkstra algorithm is used to determine the shortest path.
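As an added illustration (not part of the manual), the following Python models the link-state behaviour described above: every router holds the same topology table, derives each link's cost from its bandwidth, and recomputes its shortest-path table with Dijkstra when a link changes state. The four-router topology is constructed, and the reference-bandwidth formula for cost is an assumption of this example (the manual only says cost is usually based on bandwidth).

```python
import heapq

# Cost = reference bandwidth / link bandwidth. A 100 Mbps reference is assumed here.
REFERENCE_BW = 100_000_000


def link_cost(bandwidth_bps):
    """Faster link, lower cost; never below 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


# Constructed topology table: (router, router, bandwidth in bit/s). In a link-state
# protocol every router in the area holds an identical copy of this table.
TOPOLOGY = [
    ("A", "B", 1_544_000),      # T1
    ("B", "C", 100_000_000),    # Fast Ethernet
    ("A", "D", 100_000_000),
    ("D", "C", 100_000_000),
]


def build_graph(topology, down_links=()):
    """Adjacency map {router: {neighbor: cost}}, leaving out links reported down."""
    down = {frozenset(pair) for pair in down_links}
    graph = {}
    for x, y, bw in topology:
        if frozenset((x, y)) in down:
            continue
        graph.setdefault(x, {})[y] = link_cost(bw)
        graph.setdefault(y, {})[x] = link_cost(bw)
    return graph


def spf(graph, root):
    """Dijkstra from root. Returns {router: (total cost, first hop from root)}."""
    best = {root: 0}
    settled = {}
    heap = [(0, root, None)]          # (cost so far, router, first hop used from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in settled:           # already settled at a lower or equal cost
            continue
        settled[node] = (cost, first_hop)
        for neighbor, c in graph.get(node, {}).items():
            candidate = cost + c
            if candidate < best.get(neighbor, float("inf")):
                best[neighbor] = candidate
                hop = neighbor if node == root else first_hop
                heapq.heappush(heap, (candidate, neighbor, hop))
    return settled


def routing_table(root, down_links=()):
    """Shortest-path table of one router: destination -> (cost, next hop).
    Because every router runs this over the same topology table, the trees agree
    and forwarding is loop-free; a link-state change just re-runs it."""
    table = spf(build_graph(TOPOLOGY, down_links), root)
    return {dst: entry for dst, entry in table.items() if dst != root}


if __name__ == "__main__":
    print("A before failure:", routing_table("A"))
    print("A after A-D fails:", routing_table("A", down_links=[("A", "D")]))
```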

Configuring Static Routes


The basic syntax for a static route is as follows:
Router(config)# ip route [destination_network] [subnet_mask] [next-hop]

RouterA will have the 172.16.0.0/16 and 172.17.0.0/16 networks in its routing table as directly-
connected routes. To add a static route on RouterA, pointing to the 172.18.0.0/16 network off of
RouterB:
RouterA(config)# ip route 172.18.0.0 255.255.0.0 172.17.1.2
Notice that we point to the IP address on RouterB’s fa0/0 interface as the next-hop address.
Likewise, to add a static route on RouterB, pointing to the 172.16.0.0/16 network off of RouterA:
RouterB(config)# ip route 172.16.0.0 255.255.0.0 172.17.1.1
To remove a static route, simply type no in front of it:
RouterA(config)# no ip route 172.18.0.0 255.255.0.0 172.17.1.2
On point-to-point links, an exit-interface can be specified instead of a next-hop address. Still
using the previous diagram as an example:
RouterA(config)# ip route 172.18.0.0 255.255.0.0 fa0/1
RouterB(config)# ip route 172.16.0.0 255.255.0.0 fa0/0
A static route using an exit-interface has an Administrative Distance of 0, as opposed to the
default AD of 1 for static routes. An exit-interface is only functional on a point-to-point link, as
there is only one possible next-hop device.
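Added example (not from the manual) that models the route-selection rule described in Section 1 and in this section: for each destination the router keeps the candidate with the lowest administrative distance, and among equal-AD candidates the lowest metric. It uses the manual's addressing and default AD values; the backup path via 172.19.1.2 and the AD of 130 for the floating static route are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Default administrative distances quoted in the manual.
DEFAULT_AD = {
    "connected": 0,
    "static-interface": 0,   # static route pointing at an exit-interface
    "static": 1,             # static route pointing at a next-hop address
    "eigrp": 90,
    "igrp": 100,
    "ospf": 110,
    "rip": 120,
}


@dataclass(frozen=True)
class Candidate:
    prefix: str               # e.g. "172.18.0.0/16"
    source: str               # key into DEFAULT_AD
    metric: int               # protocol metric (hop count for RIP, 0 for static)
    next_hop: str             # next-hop address or exit-interface
    ad: Optional[int] = None  # explicit AD, e.g. a floating static route

    def effective_ad(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def best_routes(candidates: Iterable[Candidate], down_hops=frozenset()):
    """Pick one Candidate per prefix: lowest AD, then lowest metric.
    Candidates whose next hop is in down_hops are unusable (link failure)."""
    table = {}
    for c in candidates:
        if c.next_hop in down_hops:
            continue
        cur = table.get(c.prefix)
        if cur is None or (c.effective_ad(), c.metric) < (cur.effective_ad(), cur.metric):
            table[c.prefix] = c
    return table


def chosen(candidates, down_hops=frozenset()):
    """Compact view of best_routes(): prefix -> (source, next hop)."""
    return {p: (c.source, c.next_hop) for p, c in best_routes(candidates, down_hops).items()}


# Constructed RouterA scenario using the manual's addressing.
RIP_ROUTE = Candidate("172.18.0.0/16", "rip", 1, "172.17.1.2")
STATIC_ROUTE = Candidate("172.18.0.0/16", "static", 0, "172.17.1.2")
# Floating static: AD raised above RIP's 120, so it only takes over when RIP has no route.
FLOATING_STATIC = Candidate("172.18.0.0/16", "static", 0, "172.19.1.2", ad=130)
CONNECTED = Candidate("172.16.0.0/16", "connected", 0, "Ethernet0")


if __name__ == "__main__":
    print("static vs RIP:", chosen([RIP_ROUTE, STATIC_ROUTE, CONNECTED]))
    print("floating static, RIP up:", chosen([RIP_ROUTE, FLOATING_STATIC]))
    print("floating static, RIP next hop down:",
          chosen([RIP_ROUTE, FLOATING_STATIC], down_hops={"172.17.1.2"}))
```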

Section 2: RIP (Routing Information Protocol)
RIP is a standardized Distance Vector protocol, designed for use on smaller networks. RIP was
one of the first true Distance Vector routing protocols, and is supported on a wide variety of
systems.
RIP adheres to the following Distance Vector characteristics:
• RIP sends out periodic routing updates (every 30 seconds)
• RIP sends out the full routing table every periodic update
• RIP uses a form of distance as its metric (in this case, hop count)
• RIP uses the Bellman-Ford Distance Vector algorithm to determine the best “path” to a
particular destination
Other characteristics of RIP include:
• RIP supports IP and IPX routing.
• RIP utilizes UDP port 520.
• RIP routes have an administrative distance of 120.
• RIP has a maximum hop count of 15 hops.
Any network that is 16 hops away or more is considered unreachable to RIP, thus the maximum
diameter of the network is 15 hops. A metric of 16 hops in RIP is considered a poison route or
infinity metric.
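An added simulation (not the manual's code) of the distance-vector behaviour described in the distance-vector section and here: routers send their full table every period, believe whatever their next hop tells them, count hops, and treat 16 as infinity. The three-router chain and the link failure are constructed; split horizon is deliberately not modelled, so after the failure the metric climbs until the hop limit stops it.

```python
INFINITY = 16   # RIP: 16 hops means unreachable


class Router:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = []   # names of directly connected routers, in link order
        # routing table: network -> (hop count, next-hop router); connected = 0 hops
        self.table = {net: (0, None) for net in connected}

    def advertisement(self):
        """The full table, as sent in every periodic update."""
        return {net: hops for net, (hops, _) in self.table.items()}

    def receive(self, sender, update):
        """Install what a neighbour says. A strictly better route replaces the current one,
        and whatever the current next hop reports, better or worse, is believed (routing by rumor)."""
        changed = False
        for net, hops in update.items():
            new_hops = min(hops + 1, INFINITY)
            cur_hops, via = self.table.get(net, (INFINITY, None))
            if new_hops < cur_hops or (via == sender and new_hops != cur_hops):
                self.table[net] = (new_hops, sender)
                changed = True
        return changed


def link(a, b):
    a.neighbors.append(b.name)
    b.neighbors.append(a.name)


def period(routers):
    """One update interval: every router sends its full table to each neighbour.
    Updates are snapshotted first so all routers see the previous period's tables."""
    updates = {r.name: r.advertisement() for r in routers}
    changed = False
    for r in routers:
        for nb in r.neighbors:
            changed = r.receive(nb, updates[nb]) or changed
    return changed


def run_until_stable(routers, max_periods=64):
    """Returns how many periods ran until one passed with no table change."""
    for n in range(1, max_periods + 1):
        if not period(routers):
            return n
    raise RuntimeError("no convergence within %d periods" % max_periods)


def build():
    """Constructed chain A - B - C; the networks reuse the manual's addressing."""
    a = Router("A", ["172.16.0.0/16", "172.17.0.0/16"])
    b = Router("B", ["172.17.0.0/16", "172.18.0.0/16"])
    c = Router("C", ["172.18.0.0/16", "172.19.0.0/16"])
    link(a, b)
    link(b, c)
    return [a, b, c]


def demonstrate():
    """Converge, then fail C's 172.19.0.0/16 interface. B still advertises the network
    back to C, C believes it, and the hop count counts up to 16 (poison) at every router."""
    routers = build()
    a, _, c = routers
    run_until_stable(routers)
    hops_before = a.table["172.19.0.0/16"][0]
    c.table["172.19.0.0/16"] = (INFINITY, None)   # only C knows the link is gone
    periods_to_flush = run_until_stable(routers)
    final = [r.table["172.19.0.0/16"][0] for r in routers]
    return hops_before, periods_to_flush, final


if __name__ == "__main__":
    print(demonstrate())
```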
If multiple paths exist to a particular destination, RIP will load balance between those paths (by
default, up to 4) only if the metric (hop count) is equal. RIP uses a round-robin system of load-balancing
between equal metric routes, which can lead to pinhole congestion. For example, two
paths might exist to a particular destination, one going through a 9600 baud link, the other via a
T1. If the metric (hopcount) is equal, RIP will load balance, sending an equal amount of traffic
down the 9600 baud link and the T1. This will (obviously) cause the slower link to become
congested.
RIP Versions
RIP has two versions, Version 1 (RIPv1) and Version 2 (RIPv2). RIPv1 (RFC 1058) is
classful, and thus does not include the subnet mask with its routing table updates. Because of
this, RIPv1 does not support Variable Length Subnet Masks (VLSMs). When using RIPv1,
networks must be contiguous, and subnets of a major network must be configured with identical
subnet masks. Otherwise, route table inconsistencies (or worse) will occur. RIPv1 sends updates
as broadcasts to address 255.255.255.255. RIPv2 (RFC 2543) is classless, and thus does
include the subnet mask with its routing table updates. RIPv2 fully supports VLSMs, allowing
discontiguous networks and varying subnet masks to exist.
Other enhancements offered by RIPv2 include:
• Routing updates are sent via multicast, using address 224.0.0.9
• Encrypted authentication can be configured between RIPv2 routers
• Route tagging is supported (explained in a later section)
RIPv2 can interoperate with RIPv1. By default:
• RIPv1 routers will send only Version 1 packets
• RIPv1 routers will receive both Version 1 and 2 updates
• RIPv2 routers will both send and receive only Version 2 updates
We can control the version of RIP a particular interface will “send” or “receive.” Unless RIPv2
is manually specified, a Cisco router will default to RIPv1 when configuring RIP.
RIPv1 Basic Configuration

Routing protocol configuration occurs in Global Configuration mode. On Router A, to configure
RIP, we would type:
Router(config)# router rip
Router(config-router)# network 172.16.0.0
Router(config-router)# network 172.17.0.0
The first command, router rip, enables the RIP process. The network statements tell RIP which
networks you wish to advertise to other RIP routers. We simply list the networks that are directly
connected to our router. Notice that we specify the networks at their classful boundaries, and we
do not specify a subnet mask.
To configure Router B:
Router(config)# router rip
Router(config-router)# network 172.17.0.0
Router(config-router)# network 172.18.0.0
The routing table on Router A will look like:
RouterA# show ip route
<eliminated irrelevant header>
Gateway of last resort is not set
C 172.16.0.0 is directly connected, Ethernet0
C 172.17.0.0 is directly connected, Serial0
R 172.18.0.0 [120/1] via 172.17.1.2, 00:00:00, Serial0
The routing table on Router B will look like:
RouterB# show ip route
<eliminated irrelevant header>
Gateway of last resort is not set
C 172.17.0.0 is directly connected, Serial0
C 172.18.0.0 is directly connected, Ethernet0
R 172.16.0.0 [120/1] via 172.17.1.1, 00:00:00, Serial0
RIPv2 Configuration

RIPv2 overcomes the limitations of RIPv1 by including the subnet mask in its routing updates.
By default, Cisco routers will use RIPv1. To change to Version 2, you must type:
Router(config)# router rip
Router(config-router)# version 2
Thus, the configuration of Router A would be:
RouterA(config)# router rip
RouterA(config-router)# version 2
RouterA(config-router)# network 10.1.5.0
RouterA(config-router)# network 10.3.5.0
Despite the fact that RIPv2 is a classless routing protocol, we still specify networks at their
classful boundaries, without a subnet mask. However, when Router A sends a RIPv2 update to
Router B via Serial0, by default it will still summarize the 10.1.5.0/16 and 10.3.5.0/16 networks
to 10.0.0.0/8. Again, this is because the 10.1.5.0 and 10.3.5.0 networks do not belong to the same
major network. Thus, RIPv2 acts like RIPv1 in this circumstance, unless you disable
auto-summarization:
RouterA(config)# router rip
RouterA(config-router)# version 2
RouterA(config-router)# no auto-summary
The no auto-summary command will prevent Router A from summarizing the 10.1.5.0 and
10.3.5.0 network. Instead, Router A will send an update that includes both the subnetted network
(10.1.5.0) and its subnet mask (255.255.0.0).
Thus, the configuration of Router B would be:
RouterB(config)# router rip
RouterB(config-router)# version 2
RouterB(config-router)# network 10.3.5.0
RouterB(config-router)# network 10.4.5.0
RouterB(config-router)# no auto-summary
Likewise, the configuration of Router C would be:
RouterC(config)# router rip
RouterC(config-router)# version 2
RouterC(config-router)# network 10.2.5.0
RouterC(config-router)# network 10.4.5.0
RouterC(config-router)# no auto-summary

Section 3: IGRP (Interior Gateway Routing Protocol)
IGRP is a Cisco-proprietary Distance-Vector protocol, designed to be more scalable than RIP, its
standardized counterpart. IGRP adheres to the following Distance-Vector characteristics:
• IGRP sends out periodic routing updates (every 90 seconds).
• IGRP sends out the full routing table every periodic update.
• IGRP uses a form of distance as its metric (in this case, a composite of bandwidth and
delay).
• IGRP uses the Bellman-Ford Distance Vector algorithm to determine the best “path” to a
particular destination.
Other characteristics of IGRP include:
• IGRP supports only IP routing.
• IGRP utilizes IP protocol 9.
• IGRP routes have an administrative distance of 100.
• IGRP, by default, supports a maximum of 100 hops. This value can be adjusted to a
maximum of 255 hops.
• IGRP is a classful routing protocol.
IGRP uses Bandwidth and Delay of the Line, by default, to calculate its distance metric.
Reliability, Load, and MTU are optional attributes that can be used to calculate the distance
metric.
IGRP requires that you include an Autonomous System (AS) number in its configuration. Only
routers in the same Autonomous system will send updates between each other.
Configuring IGRP

Routing protocol configuration occurs in Global Configuration mode. On Router A, to configure
IGRP, we would type:
Router(config)# router igrp 10
Router(config-router)# network 172.16.0.0
Router(config-router)# network 172.17.0.0
The first command, router igrp 10, enables the IGRP process. The “10” indicates the
Autonomous System number that we are using. Only other IGRP routers in Autonomous System
10 will share updates with this router. The network statements tell IGRP which networks you
wish to advertise to other IGRP routers. We simply list the networks that are directly connected to
our router. Notice that we specify the networks at their classful boundaries, and we do not
specify a subnet mask.
To configure Router B:
Router(config)# router igrp 10
Router(config-router)# network 172.17.0.0
Router(config-router)# network 172.18.0.0
The routing table on Router A will look like:
RouterA# show ip route
Gateway of last resort is not set
C 172.16.0.0 is directly connected, Ethernet0
C 172.17.0.0 is directly connected, Serial0
I 172.18.0.0 [120/1] via 172.17.1.2, 00:00:00, Serial0
The routing table on Router B will look like:
RouterB# show ip route
Gateway of last resort is not set
C 172.17.0.0 is directly connected, Serial0
C 172.18.0.0 is directly connected, Ethernet0
I 172.16.0.0 [120/1] via 172.17.1.1, 00:00:00, Serial0
Section 4: EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP is a Cisco-proprietary Hybrid routing protocol, incorporating features of both
Distance-Vector and Link-State routing protocols. EIGRP adheres to the following Hybrid characteristics:
• EIGRP uses Diffusing Update Algorithm (DUAL) to determine the best path among all
“feasible” paths. DUAL also helps ensure a loop free routing environment.
• EIGRP will form neighbor relationships with adjacent routers in the same Autonomous
System (AS).
• EIGRP traffic is either sent as unicasts, or as multicasts on address 224.0.0.10, depending
on the EIGRP packet type.
• Reliable Transport Protocol (RTP) is used to ensure delivery of most EIGRP packets.
• EIGRP routers do not send periodic, full-table routing updates. Updates are sent when a
change occurs, and include only the change.
• EIGRP is a classless protocol, and thus supports VLSMs.
Other characteristics of EIGRP include:
• EIGRP supports IP, IPX, and Appletalk routing.
• EIGRP applies an Administrative Distance of 90 for routes originating within the local
Autonomous System.
• EIGRP applies an Administrative Distance of 170 for external routes coming from
outside the local Autonomous System.
• EIGRP uses Bandwidth and Delay of the Line, by default, to calculate its distance
metric. It also supports three other parameters to calculate its metric: Reliability, Load,
and MTU.
• EIGRP has a maximum hop-count of 224, though the default maximum hop-count is set
to 100.
EIGRP, much like OSPF, builds three separate tables:
• Neighbor table – list of all neighboring routers. Neighbors must belong to the same
Autonomous System
• Topology table – list of all routes in the Autonomous System
• Routing table – contains the best route for each known network
Configuring Basic EIGRP

Routing protocol configuration occurs in Global Configuration mode. On Router A, to configure
EIGRP, we would type:
RouterA(config)# router eigrp 10
RouterA(config-router)# network 172.16.0.0
RouterA(config-router)# network 10.0.0.0
The first command, router eigrp 10, enables the EIGRP process. The “10” indicates the
Autonomous System number that we are using. The Autonomous System number can range from
1 to 65535. Only other EIGRP routers in Autonomous System 10 will form neighbor adjacencies
and share updates with this router.
The network statements serve two purposes in EIGRP:
• First, they identify which networks you wish to advertise to other EIGRP routers (similar
to RIP).
• Second, they identify which interfaces on the local router to attempt to form neighbor
relationships out of (similar to OSPF).
Prior to IOS version 12.0(4), the network statements were classful, despite the fact that EIGRP is
a classless routing protocol. For example, the above network 10.0.0.0 command would advertise
the networks of directly connected interfaces belonging to the 10.0.0.0/8 network and its subnets.
It would further attempt to form neighbor relationships out of these interfaces.
IOS version 12.0(4) and later provided us with more granular control of our network statements.
It introduced a wildcard mask parameter, which allows us to choose the networks to advertise in a
classless fashion:
RouterA(config)# router eigrp 10
RouterA(config-router)# network 172.16.0.0 0.0.255.255
RouterA(config-router)# network 10.1.4.0 0.0.0.255

Section 5: OSPF (Open Shortest Path First)
OSPF is a standardized Link-State routing protocol, designed to scale efficiently to support
larger networks. OSPF adheres to the following Link State characteristics:
• OSPF employs a hierarchical network design using Areas.
• OSPF will form neighbor relationships with adjacent routers in the same Area.
• Instead of advertising the distance to connected networks, OSPF advertises the status of
directly connected links using Link-State Advertisements (LSAs).
• OSPF sends updates (LSAs) when there is a change to one of its links, and will only send
the change in the update. LSAs are additionally refreshed every 30 minutes.
• OSPF traffic is multicast either to address 224.0.0.5 (all OSPF routers) or 224.0.0.6 (all
Designated Routers).
• OSPF uses the Dijkstra Shortest Path First algorithm to determine the shortest path.
• OSPF is a classless protocol, and thus supports VLSMs.
Other characteristics of OSPF include:
• OSPF supports only IP routing.
• OSPF routes have an administrative distance of 110.
• OSPF uses cost as its metric, which is computed based on the bandwidth of the link.
• OSPF has no hop-count limit.
The OSPF process builds and maintains three separate tables:
• A neighbor table – contains a list of all neighboring routers.
• A topology table – contains a list of all possible routes to all known networks within an
area.
• A routing table – contains the best route for each known network.

Configuring Basic OSPF

Routing protocol configuration occurs in Global Configuration mode. On Router A, to configure
OSPF:
RouterA(config)# router ospf 1
RouterA(config-router)# router-id 1.1.1.1
RouterA(config-router)# network 172.16.0.0 0.0.255.255 area 1
RouterA(config-router)# network 172.17.0.0 0.0.255.255 area 0
The first command, router ospf 1, enables the OSPF process. The “1” indicates the OSPF
process ID, and can be unique on each router. The process ID allows multiple OSPF processes to
run on the same router. The router-id command assigns a unique OSPF ID of 1.1.1.1 for this
router.
Note the use of a wildcard mask instead of a subnet mask in the network statement. With OSPF,
we’re not telling the router what networks to advertise; we’re telling the router to place certain
interfaces into specific areas, so those routers can form neighbor relationships. The wildcard
mask 0.0.255.255 tells us that the last two octets can match any number. The first network
statement places interface E0 on Router A into Area 1. Likewise, the second network statement
places interface S0 on Router A into Area 0. The network statement could have been written
more specifically:
RouterA(config)# router ospf 1
RouterA(config-router)# network 172.16.1.2 0.0.0.0 area 1
RouterA(config-router)# network 172.17.1.1 0.0.0.0 area 0
In order for Router B to form a neighbor relationship with Router A, its connecting interface
must be put in the same Area as Router A:
RouterB(config)# router ospf 1
RouterB(config-router)# router-id 2.2.2.2
RouterB(config-router)# network 172.17.1.2 0.0.0.0 area 0
RouterB(config-router)# network 172.18.1.1 0.0.0.0 area 2
If Router B’s S0 interface was placed in a different area than Router A’s S0 interface, the two
routers would never form a neighbor relationship, and never share routing updates.
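Added example (not part of the manual) implementing the wildcard-mask matching that the EIGRP and OSPF network statements above depend on, applied to the interface addresses this section gives RouterA and RouterB; it also derives the wildcard implied by a classful statement typed without one (the pre-12.0(4) EIGRP form). Resolving overlapping OSPF statements by taking the most specific match is an assumption of this example.

```python
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip, network, wildcard):
    """True when every address bit under a 0 wildcard bit equals the network's bit.
    Bits under a 1 wildcard bit are "don't care"; 0.0.0.0 therefore names one host."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(ip) & care) == (_as_int(network) & care)


def specificity(wildcard):
    """Number of bits that must match; higher means a more specific statement."""
    return bin(~_as_int(wildcard) & 0xFFFFFFFF).count("1")


def classful_wildcard(network):
    """Wildcard implied by a network statement typed without one (classful form):
    class A -> 0.255.255.255, class B -> 0.0.255.255, class C -> 0.0.0.255."""
    first_octet = _as_int(network) >> 24
    if first_octet < 128:
        return "0.255.255.255"
    if first_octet < 192:
        return "0.0.255.255"
    return "0.0.0.255"


def assign_areas(interfaces, statements):
    """OSPF: interfaces = {name: address}; statements = [(network, wildcard, area)].
    Returns {name: area}. An interface matching no statement does not run OSPF and
    is left out; overlapping statements go to the most specific one (assumption)."""
    areas = {}
    for name, addr in interfaces.items():
        matches = [(specificity(w), area)
                   for net, w, area in statements if wildcard_match(addr, net, w)]
        if matches:
            areas[name] = max(matches)[1]
    return areas


def eigrp_interfaces(interfaces, statements):
    """EIGRP: statements = [(network, wildcard or None)]. Returns the interfaces on which
    EIGRP will advertise and try to form neighbor relationships."""
    enabled = set()
    for name, addr in interfaces.items():
        for net, w in statements:
            if wildcard_match(addr, net, w or classful_wildcard(net)):
                enabled.add(name)
                break
    return enabled


# Constructed interface tables; addresses follow the manual's OSPF example.
ROUTER_A = {"E0": "172.16.1.2", "S0": "172.17.1.1", "Lo0": "10.1.1.1"}
ROUTER_B = {"S0": "172.17.1.2", "E0": "172.18.1.1"}

OSPF_A_BROAD = [("172.16.0.0", "0.0.255.255", 1), ("172.17.0.0", "0.0.255.255", 0)]
OSPF_A_EXACT = [("172.16.1.2", "0.0.0.0", 1), ("172.17.1.1", "0.0.0.0", 0)]
OSPF_B = [("172.17.1.2", "0.0.0.0", 0), ("172.18.1.1", "0.0.0.0", 2)]


def same_area_on_link(a_areas, b_areas, a_if="S0", b_if="S0"):
    """Neighbor check for the S0-S0 link: both ends must sit in the same area."""
    return a_if in a_areas and b_if in b_areas and a_areas[a_if] == b_areas[b_if]


if __name__ == "__main__":
    print(assign_areas(ROUTER_A, OSPF_A_BROAD), assign_areas(ROUTER_B, OSPF_B))
    print(eigrp_interfaces({"E0": "172.16.1.2", "S0": "10.1.4.1"},
                           [("172.16.0.0", "0.0.255.255"), ("10.1.4.0", "0.0.0.255")]))
```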
Section 6: DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network protocol that lets network
administrators manage and automate the assignment of IP addresses. Without DHCP, the
administrator must manually assign and configure IP addresses, preferred DNS servers, and
default gateways. As the network grows in size, this becomes an administrative problem when
devices are moved from one internal network to another.
Configuring Basic DHCP
Step 1: Build the Network and Configure Basic Device Settings
Step 2: Configure basic settings for each router
Step 3: Configure inter-VLAN routing
Step 4: Configure DHCP on router R1
R1(config)# ip dhcp excluded-address 192.168.0.1 192.168.0.10
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp pool VLAN10
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 209.165.200.225
R1(dhcp-config)# domain-name asu.edu.com
R1(dhcp-config)# lease 2
R1(dhcp-config)# exit
R1(config)# ip dhcp pool VLAN20
R1(dhcp-config)# network 192.168.0.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.0.1
R1(dhcp-config)# dns-server 209.165.200.225
R1(dhcp-config)# domain-name asu.edu.com
R1(dhcp-config)# lease 2

Section 7: Network Address Translation (NAT)
The rapid growth of the Internet resulted in a shortage of available IPv4 addresses. In response, a
specific subset of the IPv4 address space was designated as private, to temporarily alleviate this
problem.
A public address can be routed on the Internet. Thus, devices that must be Internet-accessible
must be configured with (or reachable by) public addresses. Allocation of public addresses is
governed by the Internet Assigned Numbers Authority (IANA).
A private address is intended for internal use within a home or organization, and can be freely
used by anyone. However, private addresses can never be routed on the Internet. In fact, Internet
routers are configured to immediately drop traffic with private addresses.
Three private address ranges were defined in RFC 1918, one for each IPv4 class:
• Class A - 10.x.x.x /8
• Class B - 172.16.x.x /12
• Class C - 192.168.x.x /24
It is possible to translate between private and public addresses, using Network Address
Translation (NAT). NAT allows a host configured with a private address to be stamped with a
public address, thus allowing that host to communicate across the Internet. It is also possible to
translate multiple privately-addressed hosts to a single public address, which conserves the
public address space.
NAT provides an additional benefit – hiding the specific addresses and addressing structure of
the internal (or private) network.
Note: NAT is not restricted to private-to-public address translation, though that is the most
common application. NAT can also perform public-to-public address translation, as well as
private-to-private address translation.
NAT is only a temporary solution to the address shortage problem. IPv4 will eventually be
replaced with IPv6, which supports a vast address space. Both Cisco IOS devices and PIX/ASA
firewalls support NAT.

Types of NAT

NAT can be implemented using one of three methods:
Static NAT – performs a static one-to-one translation between two addresses, or between a port
on one address to a port on another address. Static NAT is most often used to assign a public
address to a device behind a NAT-enabled firewall/router.
Dynamic NAT – utilizes a pool of global addresses to dynamically translate the outbound traffic
of clients behind a NAT-enabled device.
NAT Overload or Port Address Translation (PAT) – translates the outbound traffic of clients
to unique port numbers off of a single global address. PAT is necessary when the number of
internal clients exceeds the available global addresses.
NAT Terminology
Specific terms are used to identify the various NAT addresses:
• Inside Local – the specific IP address assigned to an inside host behind a NAT-enabled
device (usually a private address).
• Inside Global – the address that identifies an inside host to the outside world (usually a
public address). Essentially, this is the dynamically or statically-assigned public address
assigned to a private host.
• Outside Global – the address assigned to an outside host (usually a public address).
• Outside Local – the address that identifies an outside host to the inside network. Often,
this is the same address as the Outside Global. However, it is occasionally necessary to
translate an outside (usually public) address to an inside (usually private) address.
For simplicity’s sake, it is generally acceptable to associate global addresses with public
addresses, and local addresses with private addresses. However, remember that public-to-public
and private-to-private translation is still possible. Inside hosts are within the local network, while
outside hosts are external to the local network.
NAT Terminology Example

Consider the above example. For a connection from HostA to HostB, the NAT addresses are
identified as follows:
• Inside Local Address – 10.1.1.10
• Inside Global Address – 55.1.1.1
• Outside Global Address – 99.1.1.2
• Outside Local Address – 99.1.1.2
HostA’s configured address is 10.1.1.10, and is identified as its Inside Local address. When
HostA communicates with the Internet, it is stamped with RouterA’s public address, using PAT.
Thus, HostA’s Inside Global address will become 55.1.1.1.
When HostA communicates with HostB, it will access HostB’s Outside Global address of
99.1.1.2. In this instance, the Outside Local address is also 99.1.1.2. HostA is never aware of
HostB’s configured address.
It is possible to map an address from the local network (such as 10.1.1.5) to the global address of
the remote device (in this case, 99.1.1.2). This may be required if a legacy device exists that will
only communicate with the local subnet. In this instance, the Outside Local address would be
10.1.1.5.

The above example demonstrates how the source (SRC) and destination (DST) IP addresses
within the Network-Layer header are translated by NAT.

Configuring Static NAT


The first step to configure Static NAT is to identify the inside (usually private) and outside
(usually public) interfaces:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
To statically map a public address to a private address, the syntax is as follows:
Router(config)# ip nat inside source static 172.16.1.1 158.80.1.40
This command performs a static translation of the source address 172.16.1.1 (located on the
inside of the network), to the outside address of 158.80.1.40.
Configuring Dynamic NAT
When configuring Dynamic NAT, the inside and outside interfaces must first be identified:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Next, a pool of global addresses must be specified. Inside hosts will dynamically choose the next
available address in this pool, when communicating outside the local network:
Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
The above command specifies that the pool named POOLNAME contains a range of public
addresses from 158.80.1.1 through 158.80.1.50.
Finally, a list of private addresses that are allowed to be dynamically translated must be
specified:
Router(config)# ip nat inside source list 10 pool POOLNAME
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255
The first command states that any inside host with a source that matches access-list 10 can be
translated to any address in the pool named POOLNAME.
The access-list specifies any host on the 172.16.1.0 network.

Configuring NAT Overload (or PAT)


Recall that NAT Overload (or PAT) is necessary when the number of internal clients exceeds
the available global addresses. Each internal host is translated to a unique port number off of a
single global address. Configuring NAT overload is relatively simple:
Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface Serial0/0 overload
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255
Any inside host with a source that matches access-list 10 will be translated with overload to the
IP address configured on the Serial0/0 interface.
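Added example, not from the manual, simulating the overload (PAT) behaviour configured above, using the manual's NAT terminology: inside hosts matched by access-list 10 are rewritten to the outside interface's address (the Inside Global) with a unique port, return traffic from the Outside Global host is admitted only when it matches an existing entry, and `clear ip nat translation` empties the table. The Serial0/0 address 158.80.1.1, the host addresses and the port-allocation strategy are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    """Models `ip nat inside source list 10 interface Serial0/0 overload`."""
    outside_addr: str                    # Serial0/0 address: the Inside Global for every host
    permitted: ipaddress.IPv4Network     # what access-list 10 permits
    next_port: int = 1024                # constructed starting point for allocated ports
    # (proto, inside local, local port, outside global, outside port) -> global port
    outbound_entries: dict = field(default_factory=dict)
    # (proto, global port) -> (inside local, local port, outside global, outside port)
    inbound_entries: dict = field(default_factory=dict)

    def _allocate_port(self, proto, wanted):
        # Keep the host's own source port if nobody else holds it (a simplification);
        # otherwise hand out the next free port so each inside flow stays unique.
        if (proto, wanted) not in self.inbound_entries:
            return wanted
        while (proto, self.next_port) in self.inbound_entries:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside. Returns (src, sport, dst, dport, translated) as seen on Serial0/0."""
        if ipaddress.IPv4Address(src) not in self.permitted:
            return (src, sport, dst, dport, False)   # not matched by access-list 10: untouched
        key = (proto, src, sport, dst, dport)
        gport = self.outbound_entries.get(key)
        if gport is None:
            gport = self._allocate_port(proto, sport)
            self.outbound_entries[key] = gport
            self.inbound_entries[(proto, gport)] = (src, sport, dst, dport)
        return (self.outside_addr, gport, dst, dport, True)

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside. Returns the rewritten (src, sport, dst, dport), or None when no
        translation entry fits: the router then has no inside host to deliver to."""
        if dst != self.outside_addr:
            return None
        entry = self.inbound_entries.get((proto, dport))
        if entry is None:
            return None                                  # unsolicited: no entry, dropped
        local, lport, peer, pport = entry
        if (src, sport) != (peer, pport):
            return None                                  # entry belongs to another peer
        return (src, sport, local, lport)

    def translations(self):
        """Rows in the spirit of `show ip nat translations`:
        (proto, inside global, inside local, outside global)."""
        return [(p, f"{self.outside_addr}:{g}", f"{l}:{lp}", f"{d}:{dp}")
                for (p, l, lp, d, dp), g in self.outbound_entries.items()]

    def clear_translations(self):
        """`clear ip nat translation`: forget every dynamic entry."""
        self.outbound_entries.clear()
        self.inbound_entries.clear()


def demo_router():
    """Constructed: Serial0/0 is 158.80.1.1; access-list 10 permit 172.16.1.0 0.0.0.255."""
    return PatRouter("158.80.1.1", ipaddress.IPv4Network("172.16.1.0/24"))


if __name__ == "__main__":
    r = demo_router()
    print(r.outbound("tcp", "172.16.1.10", 5000, "99.1.1.2", 80))
    print(r.outbound("tcp", "172.16.1.11", 5000, "99.1.1.2", 80))   # same source port, new global port
    print(r.translations())
```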
Troubleshooting NAT
To view all current static and dynamic translations:
Router# show ip nat translations
To view whether an interface is configured as an inside or outside NAT interface, and to display
statistical information regarding active NAT translations:
Router# show ip nat statistics
To view NAT translations in real-time:
Router# debug ip nat
To clear all dynamic NAT entries from the translation table:
Router# clear ip nat translation
