Private Addressing and NAT
This section explains Network Address Translation (NAT) and how it can limit the waste of IP addresses by using the private addressing scheme.
Private IP Addresses (RFC 1918)
Because TCP/IP is the dominant routed protocol in the world, most network applications and operating systems offer extensive support for it. Therefore, many designers build their networks around TCP/IP, even if they do not require Internet connectivity. Internet hosts require globally unique IP addresses. However, private hosts that are not connected to the Internet can use any valid address, as long as it is unique within the private network.
Because many private networks exist alongside public networks, just grabbing any address is strongly discouraged. RFC 1918 sets aside three blocks of IP addresses for private or internal use:
A Class A range
A Class B range
A Class C range
Addresses in one of these ranges, shown in Table 2-7, are not routed on the Internet backbone. Internet routers immediately discard private addresses.
Table 2-7 Private Addresses in the WAN
RFC 1918 Internal Address Range
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
If any of the following are being addressed, these private addresses can be used instead of globally unique addresses:
A nonpublic intranet
A test lab
A home network
Global addresses must be obtained from a provider or a registry at some expense.
RFC 1918 addresses have found a home in production networks as well. Earlier in this chapter, the advantages of using VLSM to address the point-to-point WAN links in an internetwork were discussed. Recall that with VLSM, you can further subnet one of the subnets left in the address space of a Class C network. Although this solution is better than wasting an entire 30-host subnet on each two-host WAN link, it still costs one subnet that could have been used for future growth. A less-wasteful solution is to address the WAN links using private network numbers. The WAN links shown in Figure 2-13 are addressed using subnets from the private address space, 10.0.0.0/8.
Figure 2-13 Using Subnets to Address the WAN
How can these routers use private addresses if LAN users at Sites A, B, C, and D expect to access the Internet? End users at these sites should have no problem, because they use globally unique addresses from the 126.96.36.199 network. The routers use their serial interfaces with private addresses merely to forward traffic and exchange routing information. Upstream providers and Internet routers see only the source and destination IP addresses in the packet. Upstream providers do not care if the packet traveled through links with private addresses at some point. In fact, many providers use RFC 1918 network numbers in the core of their network to avoid depleting their supply of globally unique addresses.
There is one trade-off when using private numbers on WAN links. The serial interfaces cannot be the original source of traffic bound for the Internet or the final destination of traffic from the Internet. Routers normally do not spend time surfing the web. Therefore, this limitation typically becomes an issue only when you're troubleshooting with Internet Control Message Protocol (ICMP), using Simple Network Management Protocol (SNMP), or connecting remotely with Telnet over the Internet. In those cases, the router can be addressed only by its globally unique LAN interfaces.
The following sections discuss implementing a private address scheme, including the pitfalls of discontiguous subnets and the advantages of NAT.
Mixing private addresses with globally unique addresses can create discontiguous subnets. Discontiguous subnets are subnets from the same major network that are separated by a completely different major network or subnet.
In Figure 2-14, Site A and Site B both have LANs that are addressed using subnets from the same major network, 188.8.131.52. They are discontiguous because the 10.0.0.4/30 network separates them. Classful routing protocolsnotably, RIPv1 and IGRPcannot support discontiguous subnets because the subnet mask is not included in routing updates. If Site A and Site B are running RIPv1, Site A receives updates about network 184.108.40.206/24 but not about 220.127.116.11/27. This is because the subnet mask is not included in the update. Because Site A has an interface directly connected to that networkin this case, e0Site A rejects the Site B route.
Figure 2-14 Discontiguous Subnets
Even some classless routing protocols require additional configuration to solve the problem of discontiguous subnets. RIPv2 and EIGRP automatically summarize on classful boundaries, unless explicitly told not to. Usually, this type of summarization is desirable. However, in the case of discontiguous subnets, you must enter the following command for both RIPv2 and EIGRP to disable automatic summarization:
Finally, when using private addresses on a network that is connected to the Internet, packets and routing updates should be filtered. This is done to avoid leaking any RFC 1918 addresses between autonomous systems. If both the LAN and the provider use addresses from the 192.168.0.0/16 block, the routers could get confused if confronted with updates from both systems.
Network Address Translation (NAT)
NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow hosts that are privately addressed using RFC 1918 addresses to access the Internet.
A NAT-enabled device, such as a UNIX computer or a Cisco router, operates at the border of a stub domain. An example is an internetwork that has a single connection to the outside world. When a host inside the stub domain wants to transmit to a host on the outside, it forwards the packet to the NAT-enabled device. The NAT process then looks inside the IP header and, if appropriate, replaces the inside IP address with a globally unique IP address. When an outside host sends a response, as shown in Figure 2-15, the NAT does the following:
Checks the current table of network address translations.
Replaces the destination address with the original inside source.
Figure 2-15 NAT Router
NAT translations can occur dynamically or statically and can be used for a variety of purposes.
The most powerful feature of NAT routers is their capability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called a many-to-one NAT. With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address. The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers.
Lab 2.10.4a Network Address Translation: Static NAT and Dynamic NAT
In this lab, you learn how to configure static and dynamic NAT.
Lab 2.10.4b Network Address Translation: Port Address Translation and Port Forwarding
In this lab, you learn how to configure PAT and port forwarding.