Chapter 11 Network Address Translation


You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses to connect to the Internet. Configure NAT on the HP device at the border of an inside network and an outside network (such as the Internet). NAT translates the internal local addresses to globally unique IP addresses before sending packets to the outside network.

NAT also allows a more graceful renumbering strategy for organizations that are changing service providers or voluntarily renumbering into Classless Interdomain Routing (CIDR) blocks. Use NAT to translate your private (inside) IP addresses into globally unique (outside) IP addresses when communicating outside of your network.

NOTE: This feature is supported on all chassis routing switches with Redundant Management modules. It is not available on HP fixed-port devices.

NOTE: The maximum number of global IP addresses you can configure depends on how much memory the routing switch has and whether you enable the Port Address Translation feature. Regardless of the amount of memory, you cannot configure more than 256 global IP addresses.

NOTE: NAT support is available for traffic originated by hosts on the private network. You cannot configure NAT to translate global addresses into private addresses for traffic generated by global addresses.

An HP device configured for NAT must have an interface to the private network and an interface to a public network (for example, the Internet). In a typical environment, NAT is configured on the HP device between the private network and the Internet. When you configure an HP device for NAT, the device does not advertise the private networks to the Internet. However, the device can advertise route information received from the Internet to the private networks.

Figure 11.1 shows a basic example of a network using NAT on an HP device. In this example, an HP 9308M routing switch is using NAT to translate traffic originated from the hosts on the x/24 sub-net into public addresses from the address pool.

Advanced Configuration and Management Guide

[Figure 11.1 Network Using Inside NAT: the device performs NAT for traffic between the outside NAT interface (Port 1/, toward the Internet access router and the Internet) and the inside NAT interface (Port 1/); NAT Pool = /24]

In this example, the HP 9308M is configured to perform dynamic NAT to translate between the private addresses in the x/24 sub-net and the Internet addresses in the x/24 sub-net.

NOTE: This example is simplified to show how NAT is used. For detailed configuration examples, see Configuration Examples.

To configure NAT on a routing switch, you must configure an inside NAT interface and an outside NAT interface. The inside NAT interface is connected to the private addresses. The outside NAT interface is connected to the Internet. The inside NAT interface in Figure 11.1 uses the address pool / /24 to map the private addresses to public addresses for traffic initiated by hosts in the x/24 sub-net.

You can configure the following types of NAT:

- Dynamic NAT: Dynamic NAT maps private addresses to Internet addresses in a pool. The global addresses come from a pool of addresses that you configure. In the example in Figure 11.1, the pool is the range of addresses from / /24. When you use dynamic NAT, the software uses a round robin technique to select a global IP address to map to a private address from a pool that you configure.
- Static NAT: Static NAT maps a particular global IP address to a particular private address. Use static NAT when you want to ensure that the software always maps the same global address to a given private address. For example, use static NAT when you want specific hosts in the private network to always use the same Internet address when communicating outside the private network.

NOTE: You can configure both dynamic and static NAT on the same HP device. When you configure both types of NAT, static NAT takes precedence over dynamic NAT. Thus, if you configure a static NAT translation for a private address, the device always uses that translation instead of creating a dynamic one.

Port Address Translation

Normally, NAT maps each private address that needs to be routed to the outside network to a unique IP address from the pool. However, it is possible for the global address pool to have fewer addresses than the number of private addresses. In this case, you can configure the HP device to use Port Address Translation. Port Address Translation maps a client's IP address and TCP or UDP port number to both an IP address and a TCP or UDP port number. In this way, the HP device can map many private addresses to the same public address and use TCP or UDP port numbers to uniquely identify the private hosts.

NOTE: This type of feature is sometimes called Overloading an Inside Global Address.

In the example in Figure 11.1, the pool contains enough addresses to ensure that every host on the private network can be mapped to an Internet address in the pool. However, suppose the enterprise implementing this configuration has only 20 Internet addresses. For example, the pool might be / /24. In this case, the pool does not contain enough addresses to ensure that all the hosts in the private network can be mapped to Internet addresses. Without Port Address Translation, it is possible that the device will not be able to provide NAT for some hosts. However, with Port Address Translation, the device can provide NAT for all the hosts by using a unique TCP or UDP port number in addition to the IP address to map to each host. For example, the device can map the following addresses:

    Inside address      Outside address
    :                   :
    :                   :
    :                   :4002

NAT is mapping the same global IP address to three different private addresses along with their TCP or UDP ports, but uses a different TCP or UDP port number for each private address to distinguish them. Notice that the Port Address Translation feature does not attempt to use the same TCP or UDP port number as in the client's packet.

The way NAT deals with the client's TCP or UDP port number depends on whether Port Address Translation is enabled:

- Port Address Translation enabled: NAT treats the client's IP address and TCP or UDP port number as a single entity, and uniquely maps that entity to another entity consisting of an IP address and TCP or UDP port number. The NAT entry the device creates in the NAT translation table therefore consists of an IP address plus a TCP or UDP port number. The device maintains the port type in the translation address: if the client's packet contains a TCP port number, the device uses a TCP port in the translation address; if the client's packet contains a UDP port, the device uses a UDP port in the translation address. The device does not try to use the same TCP or UDP port number for the untranslated and translated addresses. Instead, the device maps the client IP address plus the TCP or UDP port number to a unique combination of IP address plus TCP or UDP port number. When the device receives reply traffic to one of these hosts, NAT can properly translate the Internet address back into the private address because the TCP or UDP port number in the translation address uniquely identifies the host. To enable Port Address Translation, use the overload option when you configure the source list, which associates a private address range with a pool of Internet addresses. See Configuring Dynamic NAT Parameters.
- Port Address Translation disabled: The device translates only the client's IP address into another IP address and retains the TCP or UDP port number unchanged.
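As an added illustration (not code from the HP manual or from the HP device), the following Python model implements the translation-table behaviour described above and the per-type age-out described under Changing Translation Table Timeouts later in this chapter: static mappings take precedence, dynamic mappings draw a global address round robin from the pool, an exhausted pool drops the packet, and with overload the (protocol, inside address, port) triple is mapped to a (global address, port) pair whose port the device chooses rather than keeping the client's. The pool addresses, port numbers and the starting port 8000 are constructed sample values, and the timers use the chapter's 120-second defaults.

```python
import ipaddress
import itertools

# Chapter defaults: every translation timer is 120 seconds unless changed.
DEFAULT_TIMEOUTS = {"dynamic": 120, "udp": 120, "tcp": 120, "finrst": 120, "dns": 120}


class NatTable:
    """Inside-NAT translation table: static first, then a dynamic pool, optional overload."""

    def __init__(self, pool_start, pool_end, overload=False, timeouts=None):
        first, last = int(ipaddress.IPv4Address(pool_start)), int(ipaddress.IPv4Address(pool_end))
        if last < first:
            raise ValueError("pool end must not precede pool start")
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        # Chapter limits: 256 global addresses, 50 when Port Address Translation is on.
        if len(self.pool) > (50 if overload else 256):
            raise ValueError("too many global addresses for this pool")
        self.overload = overload
        self.timeouts = dict(DEFAULT_TIMEOUTS, **(timeouts or {}))
        self.static = {}        # private ip -> global ip
        self.static_rev = {}    # global ip -> private ip
        self.entries = {}       # key -> [global_ip, global_port, rkey, last_seen, timer]
        self.reverse = {}       # rkey -> key, used to translate replies back
        self.in_use = set()     # global addresses held by non-overload entries
        self._rr = itertools.cycle(range(len(self.pool)))
        self._next_port = {"tcp": 8000, "udp": 8000}   # constructed starting ports
        self.hits = self.misses = self.dropped = 0

    def add_static(self, private_ip, global_ip):
        self.static[private_ip] = global_ip
        self.static_rev[global_ip] = private_ip
        self.in_use.add(global_ip)          # never handed out dynamically

    def _timer(self, proto, dst_port, fin_rst):
        if fin_rst:                 # FIN/RST timer applies whether or not PAT is used
            return "finrst"
        if dst_port == 53:          # connection to a Domain Name Server
            return "dns"
        return proto if self.overload else "dynamic"

    def translate(self, proto, src_ip, src_port, dst_port=None, now=0, fin_rst=False):
        """Outbound packet. Returns (global_ip, global_port), or None when the pool
        is exhausted (the switch drops the packet and sends ICMP Host Unreachable)."""
        if src_ip in self.static:                       # static takes precedence
            return self.static[src_ip], src_port
        key = (proto, src_ip, src_port) if self.overload else src_ip
        entry = self.entries.get(key)
        if entry is not None:                           # hit: refresh and reuse
            self.hits += 1
            entry[3], entry[4] = now, self._timer(proto, dst_port, fin_rst)
            return entry[0], entry[1] if self.overload else src_port
        self.misses += 1                                # miss: create an entry
        if self.overload:
            g_ip = self.pool[next(self._rr)]            # round robin over the pool
            g_port = self._next_port[proto]             # device-chosen, not the client's
            self._next_port[proto] += 1
            rkey = (proto, g_ip, g_port)
        else:
            for _ in range(len(self.pool)):             # round robin over free addresses
                g_ip = self.pool[next(self._rr)]
                if g_ip not in self.in_use:
                    break
            else:
                self.dropped += 1
                return None
            self.in_use.add(g_ip)
            g_port, rkey = None, g_ip                   # client port is left unchanged
        self.entries[key] = [g_ip, g_port, rkey, now, self._timer(proto, dst_port, fin_rst)]
        self.reverse[rkey] = key
        return g_ip, g_port if self.overload else src_port

    def untranslate(self, proto, dst_ip, dst_port):
        """Reply from the outside. Returns (private_ip, private_port) or None."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        key = self.reverse.get((proto, dst_ip, dst_port) if self.overload else dst_ip)
        if key is None:
            return None
        return (key[1], key[2]) if self.overload else (key, dst_port)

    def expire(self, now):
        """Age out entries whose timer has elapsed; returns how many were removed."""
        removed = 0
        for key, (g_ip, _port, rkey, last_seen, timer) in list(self.entries.items()):
            if now - last_seen >= self.timeouts[timer]:
                del self.entries[key]
                del self.reverse[rkey]
                if not self.overload:
                    self.in_use.discard(g_ip)
                removed += 1
        return removed
```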

Maximum Number of Addresses

If the routing switch cannot allocate an address because it has run out of addresses, the routing switch drops the packet and sends an ICMP Host Unreachable packet.

NOTE: The maximum number of global IP addresses you can configure depends on how much memory the routing switch has and whether you enable the Port Address Translation feature. Regardless of the amount of memory, you cannot configure more than 256 global IP addresses.

Protocols Supported for NAT

HP NAT supports the following protocols:

- ICMP
- UDP/TCP (generic)
- FTP
- VDOLive
- StreamWorks
- CU-SeeMe
- RealAudio and RealVideo
- RealMedia
- QuickTime
- Microsoft Media Services
- Web Theater (Vxtreme)

Configuring NAT

To configure NAT, perform the following tasks:

- Configure the static address mappings, if needed. Static mappings explicitly map a specific private address to a specific Internet address to ensure that the addresses are always mapped together. Use static address mappings when you want to ensure that a specific host in the private network is always mapped to the Internet address you specify.
- Configure dynamic NAT parameters:
  - Configure a standard or extended ACL for each range of private addresses for which you want to provide NAT.
  - Configure a pool for each consecutive range of Internet addresses to which you want NAT to be able to map the private addresses specified in the ACLs. Each pool must contain a range with no gaps. If your Internet address space has gaps, configure separate pools for each consecutive range within the address space.
  - Associate a range of private addresses (specified in a standard or extended ACL) with a pool.
  - Optionally, enable the Port Address Translation feature. Use this feature if you have more private addresses that might need NAT than the Internet address pools contain.
- Enable inside NAT on the interface connected to the private addresses.
- Enable outside NAT on the interface connected to global addresses.

The configuration does not take effect until you enable inside and outside NAT on specific interfaces.

NOTE: You must configure inside NAT on one interface and outside NAT on another interface. The device performs NAT for traffic between the interfaces.

In addition to the tasks listed above, you can modify the age timers for the address translation entries the device creates. See Changing Translation Table Timeouts on page 11-7 for information. For information about viewing the active NAT translations, see Displaying the Active NAT Translations.

The following sections provide procedures for configuring NAT.

Configuring Static Address Translations

Use the following CLI method to configure static NAT.

NOTE: NAT supports translation of private (inside) addresses into global (outside) addresses only. Translation of global addresses into private addresses is not supported.

USING THE CLI

To configure static NAT for an IP address, enter commands such as the following:

    HP9300(config)# ip nat inside source static

The commands in this example statically map the private address to the Internet address.

Syntax: [no] ip nat inside source static <private-ip> <global-ip>

This command associates a specific private address with a specific Internet address. Use this command when you want to ensure that the specified addresses are always mapped together.

The inside source parameter specifies that the mapping applies to the private address sending traffic to the Internet.

The <private-ip> parameter specifies the private IP address.

The <global-ip> parameter specifies the Internet address. The device supports up to 256 global IP addresses.

Neither of the IP address parameters needs a network mask.

Configuring Dynamic NAT Parameters

To configure dynamic NAT:

- Configure a standard or extended ACL for each private address range.
- Configure a pool for each consecutive range of Internet addresses.
- Associate private addresses (ACLs) with pools.
- Optionally, enable the Port Address Translation feature.

Use the following CLI method to configure dynamic NAT.

USING THE CLI

You can configure dynamic NAT with the Port Address Translation feature disabled or enabled.

Example with Port Address Translation Disabled

To configure dynamic NAT with the Port Address Translation feature disabled, enter commands such as the following at the global CONFIG level of the CLI:

    HP9300(config)# access-list 1 permit /24
    HP9300(config)# ip nat pool OutAdds prefix-length 24
    HP9300(config)# ip nat inside source list 1 pool OutAdds

These commands configure a standard ACL for the private sub-net x/24, then enable inside NAT for the sub-net. Make sure you specify permit in the ACL, rather than deny. If you specify deny, the HP device will not provide NAT for the addresses.

Example with Port Address Translation Enabled

To configure dynamic NAT with the Port Address Translation feature enabled, enter commands such as the following at the global CONFIG level of the CLI:

    HP9300(config)# access-list 1 permit /24
    HP9300(config)# ip nat pool OutAdds prefix-length 24
    HP9300(config)# ip nat inside source list 1 pool OutAdds overload

These commands are the same as the ones in Example with Port Address Translation Disabled, except the ip nat inside source command uses the overload parameter. This parameter enables the Port Address Translation feature.

Command Syntax

Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>

This command configures the address pool.

The <pool-name> parameter specifies the pool name. The name can be up to 255 characters long and can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the entire name.

The <start-ip> parameter specifies the IP address at the beginning of the pool range. Specify the lowest-numbered IP address in the range.

The <end-ip> parameter specifies the IP address at the end of the pool range. Specify the highest-numbered IP address in the range.

NOTE: The address range cannot contain any gaps. Make sure you own all the IP addresses in the range. If the range contains gaps, you must create separate pools containing only the addresses you own.

The netmask <ip-mask> | prefix-length <length> parameter specifies a classical sub-net mask (example: netmask ) or the length of a Classless Interdomain Routing prefix (example: prefix-length 24).

NOTE: The maximum number of global IP addresses you can configure depends on how much memory the routing switch has and whether you enable the Port Address Translation feature. Regardless of the amount of memory, you cannot configure more than 256 global IP addresses.

Syntax: [no] ip nat inside source list <acl-name-or-num> pool <pool-name> [overload]

This command associates a private address range with a pool of Internet addresses and optionally enables the Port Address Translation feature.

The inside source parameter specifies that the translation applies to private addresses sending traffic to global addresses (Internet addresses).

The list <acl-name-or-num> parameter specifies a standard or extended ACL. You can specify a numbered or named ACL.

NOTE: For complete standard and extended ACL syntax, see Using Access Control Lists (ACLs) on page 3-1.

The pool <pool-name> parameter specifies the pool. You must create the pool before you can use it with this command.

The overload parameter enables the Port Address Translation feature. Use this parameter if the IP address pool does not contain enough addresses to ensure NAT for each private address. The Port Address Translation feature conserves Internet addresses by mapping the same Internet address to more than one private address and using a TCP or UDP port number to distinguish among the private hosts. The device supports up to 50 global IP addresses with this feature enabled.

Enabling NAT

The NAT configuration does not take effect until you enable it on specific interfaces. You can enable NAT on Ethernet ports and on virtual interfaces. You also can enable the feature on the primary port of a trunk group, in which case the feature applies to all the ports in the trunk group.

NOTE: You must configure inside NAT on one interface and outside NAT on another interface. The device performs NAT for traffic between the interfaces.

To enable NAT, use the following CLI methods.

Enabling Inside NAT

To enable inside NAT on the interface attached to the private addresses, use the following CLI method.

USING THE CLI

To enable inside NAT on an interface, enter commands such as the following:

    HP9300(config)# interface ethernet 1/1
    HP9300(config-if-1/1)# ip nat inside

This command enables inside NAT on Ethernet port 1/1.

Syntax: [no] ip nat inside

To enable inside NAT on a virtual interface, enter commands such as the following:

    HP9300(config)# interface ve 1
    HP9300(config-vif-1)# ip nat inside

This command enables inside NAT on virtual interface 4.

Enabling Outside NAT

To enable outside NAT on the interface attached to public addresses, use the following CLI method.

USING THE CLI

To enable outside NAT on an interface, enter commands such as the following:

    HP9300(config)# interface ethernet 1/2
    HP9300(config-if-1/2)# ip nat outside

This command enables outside NAT on Ethernet port 1/2.

Syntax: [no] ip nat outside

To enable outside NAT on a virtual interface, enter commands such as the following:

    HP9300(config)# interface ve 2
    HP9300(config-vif-2)# ip nat outside

This command enables outside NAT on virtual interface 4.

Changing Translation Table Timeouts

The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is one that the device created for a private address when the client at that address sent traffic to the Internet.

NAT performs the following steps to provide an address translation for a source IP address:

- The feature looks in the NAT translation table for an active NAT entry for the translation. If the table contains an active entry for the session, the device uses that entry.
- If NAT does not find an active entry in the NAT translation table, NAT creates an entry and places the entry in the table. The entry remains in the table until the entry times out.

Each NAT entry remains in the NAT translation table until the entry ages out. The age timers apply globally to all interfaces on which NAT is enabled.

- Dynamic timeout: This age timer applies to all entries (static and dynamic) that do not use Port Address Translation. The default is 120 seconds.
- UDP timeout: This age timer applies to entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.
- TCP timeout: This age timer applies to entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.
  NOTE: This timer applies only to TCP sessions that do not end gracefully, with a TCP FIN or TCP RST.
- TCP FIN/RST timeout: This age timer applies to TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.
  NOTE: This timer is not related to the TCP timeout. The TCP timeout applies to packets to or from a host address that is mapped to a global IP address and a TCP port number (Port Address Translation feature). The TCP FIN/RST timeout applies to packets that terminate a TCP session, regardless of the host address or whether Port Address Translation is used.
- DNS timeout: This age timer applies to connections to a Domain Name Server (DNS). The default is 120 seconds.

To change the timeout for a dynamic entry type, use the following CLI method.

USING THE CLI

To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds (one half hour), enter a command such as the following at the global CONFIG level of the CLI:

    HP 9304M or HP 9308M(config)# ip nat timeout 1800

Syntax: [no] ip nat translation timeout | udp-timeout | tcp-timeout | finrst-timeout | dns-timeout <secs>

Use one of the following parameters to specify the dynamic entry type:

- timeout: All entries that do not use Port Address Translation. The default is 120 seconds.
- udp-timeout: Dynamic entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.
- tcp-timeout: Dynamic entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.
- finrst-timeout: TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.
- dns-timeout: Connections to a Domain Name Server (DNS). The default is 120 seconds.

The <secs> parameter specifies the number of seconds. For each entry type, you can enter a value from

Displaying the Active NAT Translations

To display the currently active NAT translations, display the NAT translation table using the following CLI method.

NOTE: For information about the aging timer for NAT translation entries, see Changing Translation Table Timeouts.

USING THE CLI

To display the currently active NAT translations, enter the following command at any level of the CLI:

    HP9300(config)# show ip nat translation
    Pro   Inside global   Inside local   Outside local   Outside global

Syntax: show ip nat translation

The show ip nat translation command shows the following information.

Table 11.1: CLI Display of Active NAT Translations

This Field...   Displays...

Pro
    When Port Address Translation is enabled, this field indicates the protocol NAT is using to uniquely identify the host. NAT can map the same IP address to multiple hosts and use the protocol port to distinguish among the hosts. This field can have one of the following values:
    - tcp: In addition to this IP address, NAT is associating a TCP port with the host on the private network.
    - udp: In addition to this IP address, NAT is associating a UDP port with the host on the private network.

Inside global
    The Internet address mapped to the private address listed in the Inside local field for inside NAT.

Inside local
    The private address mapped to the Internet address listed in the Inside global field for inside NAT.

Outside global
    The destination of the traffic. If Port Address Translation is enabled, the TCP or UDP port also is shown.

Outside local
    In the current release, the same as Outside global.

Displaying NAT Statistics

To display NAT statistics, use the following CLI method.

USING THE CLI

To display the NAT statistics, enter the following command at any level of the CLI:

    HP9300(config)# show ip nat statistics
    Total translations: 10 (0 static, 10 dynamic)
    Hits: 10 Misses: 1
    Expired translations: 1
    Dynamic mappings:
    pool rtrpool: mask =
      start   end   total addresses 1   overloaded
    IP Fragments: saved 0, restored 0, timed out 0
    Sess: Total , Avail , NAT 22
    Inside global   Last Inside Local   xmit pkts   xmit bytes   rx pkts   rx bytes   cnt

Syntax: show ip nat statistics

The show ip nat statistics command shows the following information.

Table 11.2: CLI Display of NAT Statistics

This Field...   Displays...

Total translations
    The number of translations that are currently active. This number changes when translations are added or age out. To display the currently active translations, enter the show ip nat translation command.

Hits
    The number of times NAT searched the translation table for a NAT entry and found the needed entry. (To optimize performance, NAT looks in the NAT table for an existing entry for a given translation before creating an entry for that translation.)

Misses
    The number of times NAT did not find a needed entry in the translation table. When this occurs, NAT creates the needed entry and places it in the table.

Expired translations
    The total number of dynamic translations that have aged out of the translation table since the HP device was booted.

Dynamic mappings
    Lists the dynamic translation parameters configured for the device. The following information is displayed:
    - pool: The name of the pool from which the address used for the translation was drawn.
    - mask: The sub-net mask or prefix used for addresses in the pool.
    - start: The beginning (lowest) IP address in the pool.
    - end: The ending (highest) IP address in the pool.
    - total addresses: The total number of active address translations that are based on addresses in this pool.
    In addition, if the pool uses the Port Address Translation feature, the word overloaded appears at the end of this row.

IP Fragments
    Lists statistics for fragmented packets:
    - saved: The number of out-of-sequence IP fragments saved.
    - restored: The number of saved out-of-sequence IP fragments that were successfully forwarded.
    - timed out: The number of saved out-of-sequence IP fragments that were dropped because the first IP fragment was never received.

Table 11.2: CLI Display of NAT Statistics (Continued)

This Field...   Displays...

Sess
    Lists session statistics. NAT uses the session table for managing the translations.
    - Total: The total number of both used and available internal session resources.
    - Avail: The number of free internal session resources.
    - NAT: The number of internal session resources currently used by NAT.
    For information about the session table, see Layer 4 Session Table on page 6-6.

Inside global
    A global IP address.

Last Inside Local
    The last inside local IP address to use the global IP address.

xmit pkts
    The number of packets sent out for this NAT global IP address from the inside to the outside network.

xmit bytes
    The number of bytes sent out for this NAT global IP address from the inside to the outside network.

rx pkts
    The number of packets received from the outside network to the inside network for this NAT global IP address.

rx bytes
    The number of bytes received from the outside network to the inside network for this NAT global IP address.

cnt
    The number of session resources in use for the translation.
    Note: If the value is 0, then translation is not taking place. Check your configuration. For example, make sure you have enabled both inside NAT (on the interface to the private addresses) and outside NAT (on the interface to the Internet).

Clearing Translation Table Entries

In addition to the aging mechanism, the software allows you to manually clear entries from the NAT table. The software provides the following clear options:

- Clear all entries (static and dynamic)
- Clear an entry for a specific NAT entry based on the private and global IP addresses
- Clear an entry for a specific NAT entry based on the IP addresses and the TCP or UDP port number. Use this option when you are trying to clear specific entries created using the Port Address Translation feature.

To clear entries, use the following CLI method.

USING THE CLI

To clear all dynamic entries from the NAT translation table, enter the following command at the Privileged EXEC level of the CLI:

    HP9300# clear ip nat all

Syntax: clear ip nat all

To clear only the entries for a specific address entry, enter a command such as the following:

    HP9300# clear ip nat inside

This command clears the inside NAT entry that maps the private address to the Internet address. Here is the syntax for this form of the command.

Syntax: clear ip nat inside <global-ip> <private-ip>

If you use Port Address Translation, you can selectively clear entries based on the TCP or UDP port number assigned to an entry by the feature. For example, the following command clears one of the entries associated with the Internet address but does not clear other entries associated with the same address.

    HP 9304M or HP 9308M# clear ip nat inside

The command above clears all inside NAT entries that match the specified global IP address, private IP address, and TCP or UDP ports.

Syntax: clear ip nat <protocol> inside <global-ip> <internet-tcp/udp-port> <private-ip> <private-tcp/udp-port>

The <protocol> parameter specifies the protocol type and can be tcp or udp.

NAT Debug Commands

To configure the device to display diagnostic information for NAT, enter a debug ip nat command.

Syntax: [no] debug ip nat icmp | tcp | udp <ip-addr>

Syntax: [no] debug ip nat transdata

The <ip-addr> parameter specifies an IP address. The address applies to packets with the address as the source or the destination. Specify to enable the diagnostic mode for all addresses.

The following examples show sample output from debug ip nat commands. The first three examples show the output from the diagnostic mode for ICMP NAT, TCP NAT, and UDP NAT. The fourth command shows the output for the diagnostic mode for NAT translation requests.

    HP9300# debug ip nat icmp
    NAT: ICMP debugging is on
    NAT: icmp src => trans dst
    NAT: ICMP src => trans dst
    NAT: ID len 60 txfid 13 icmp (8/0/512/13824)
    NAT: ICMP dest => trans dst
    NAT: ID 5571 len 60 txfid 15 icmp (0/0/512/13824)
    NAT: icmp src => trans dst
    NAT: ICMP src => trans dst
    NAT: ID len 60 txfid 13 icmp (8/0/512/14080)
    NAT: ICMP dest => trans dst
    NAT: ID 5572 len 60 txfid 15 icmp (0/0/512/14080)
    NAT: icmp src => trans dst
    NAT: ICMP src => trans dst
    NAT: ID len 60 txfid 13 icmp (8/0/512/14336)
    NAT: ICMP dest => trans dst
    NAT: ID 5573 len 60 txfid 15 icmp (0/0/512/14336)

    HP9300# debug ip nat tcp
    NAT: TCP debugging is on
    NAT: tcp src :1144 => trans :8012 dst :53
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags S ID len 44 txfid 13
    NAT: tcp data dest :8012 => trans :53 dst :1144
    NAT: : :1144 flags S A ID len 44 txfid 15
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags A ID len 40 txfid 13
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags A ID len 78 txfid 13
    NAT: tcp data dest :8012 => trans :53 dst :1144
    NAT: : :1144 flags A ID len 147 txfid
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags A ID len 40 txfid 13
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags FA ID 23 len 40 txfid 13
    NAT: tcp data dest :8012 => trans :53 dst :1144
    NAT: : :1144 flags A ID len 40 txfid 15
    NAT: tcp data dest :8012 => trans :53 dst :1144
    NAT: : :1144 flags FA ID len 40 txfid 15
    NAT: tcp data src :1144 => trans :8012 dst :53
    NAT: : :53 flags A ID 279 len 40 txfid 13

    HP9300# debug ip nat udp
    NAT: udp src :1140 => trans :8008 dst :53
    NAT: udp data src :1140 => trans :8008 dst :53
    NAT: : :53 ID len 63 txfid 13
    NAT: udp src :1141 => trans :8009 dst :53
    NAT: udp data src :1141 => trans :8009 dst :53
    NAT: : :53 ID len 63 txfid 13
    NAT: udp data dest :8008 => trans :53 dst :1140
    NAT: : :1140 ID len 246 txfid 15
    NAT: udp data dest :8009 => trans :53 dst :1141
    NAT: : :1141 ID len 246 txfid 15

    HP9300# debug ip nat transdata
    NAT: icmp src :2048 => trans dst
    NAT: udp src :1561 => trans :65286 dst :53
    NAT: tcp src :1473 => trans :8016 dst :53

To disable the NAT diagnostic mode, enter a command such as the following:

    HP9300# no debug ip nat tcp

This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types of packets remain enabled.

You also can use the following syntax to disable the diagnostic mode for NAT:

Syntax: undebug ip nat icmp | tcp | udp | transdata

Configuration Examples

This section shows two complete configuration examples for NAT. The examples are based on different network topologies:

- NAT clients connected to the routing switch by a switch.
- NAT clients connected directly to routing switch ports.

NOTE: You also can enable the feature on the primary port of a trunk group, in which case the feature applies to all the ports in the trunk group. These examples do not show this configuration.

Private NAT Clients Connected to the Routing Switch by a Switch

Figure 11.2 shows an example of a NAT configuration in which the clients in the private network are attached to the routing switch through a switch. The device performs NAT for traffic between the outside NAT interface and the inside NAT interface.

[Figure 11.2 NAT clients connected to the routing switch by a switch: Internet; NAT Pool = / /26; Internet access router; outside NAT interface Port 4/; inside NAT interface Port 1/ (/26); HP Switch (/26)]

Here are the CLI commands for implementing the NAT configuration for the HP 9308M shown in Figure. These commands configure the following:

- An Access Control List (ACL) for the range of private addresses in the private network on virtual interface 10
- A pool of public (Internet) addresses to use for translation of the private addresses
- An association of the ACL for the private addresses with the pool for translation
- A default route that has the Internet access router as the route's next-hop gateway

The commands also enable inside NAT and outside NAT on the ports connected to the private network's switch and to the Internet access router, and save the configuration changes to the startup-config file.

Routing Switch Commands

The following commands access the configuration level of the CLI.

15 Network Address Translation HP9300> en HP9300# configure terminal HP9300(config)# The following command configures an ACL to identify the range of private addresses for which you want to provide NAT services. This ACL identifies the private address range as HP9300(config)# access-list 9 permit NOTE: The format of the network mask for an ACL uses zeroes to indicate a value that must match, and ones (255 in decimal) as a wildcard. In this case, means the first three parts of the IP address must match exactly, but the fourth part can have any value. The following command configures the NAT address pool. The routing switch translates a client s address from the private network to an address from this pool when the client sends traffic to a public network, in this case a network located somewhere on the Internet. HP9300(config)# ip nat pool np netmask This command configures a pool named np1, and adds public address range / / 26 to the pool. Generally, a pool contains more than two addresses, but this pool is small so that this configuration can also demonstrate the Port Address Translation feature. The following command associates the range of private addresses identified by the ACL with the pool, and in this case also enables the Port Address Translation feature. Port Address Translation allows you to use an address pool that contains fewer addresses than the number of NAT clients in the private network. HP9300(config)# ip nat inside source list 9 pool np1 overload The inside source list 9 portion of the command identifies the range of source addresses. The value 9 is the number of the ACL configured above. The pool np1 portion of the command identifies the IP address pool configured above. The overload parameter enables Port Address Translation. When this feature is enabled, NAT associates a TCP or UDP port number with the public address for a client. In this case, there are four clients but only two addresses in the pool. 
Port Address Translation allows NAT to provide translation addresses for all four clients. When two translation clients have the same public IP address, the software can still distinguish between the clients because each client has a unique TCP or UDP port number. The following command configures a static default route to the Internet access router. The routing switch uses this route for traffic that is addressed to a destination for which the IP route table does not have an explicit route. Typically, the IP route table does not have explicit routes to all destination networks on the Internet. HP9300(config)# ip route The address is the standard notation for an IP default route. The address is the address of the next-hop gateway for the route. In this case, the next-hop gateway is the routing switch s IP interface with Internet access router. The following commands change to the configuration level for port 1/24, configure an IP address on the port, and enable inside NAT on the port. Port 1/24 connects the routing switch to the switch, which is connected to the private network containing the NAT clients. HP9300(config)# interface ethernet 1/24 HP9300(config-if-1/24)# ip address HP9300(config-if-1/24)# ip nat inside HP9300(config-if-1/24)# exit The following commands change to the configuration level for port 4/1, configure an IP address on the port, and enable outside NAT on the port. Port 4/1 connects the routing switch to the Internet access device. HP9300(config)# interface ethernet 4/1 HP9300(config-if-4/1)# ip address HP9300(config-if-4/1)# ip nat outside v(config-if-4/1)# exit 11-15

The following command saves all the configuration changes above to the routing switch's startup-config file on flash memory. The routing switch applies NAT configuration information as soon as you enter it into the CLI. Saving the changes to the startup-config file ensures that the changes are reinstated following a system reload.

HP 9304M or HP 9308M(config)# write memory

Private NAT Clients Connected Directly to the routing switch

Figure 11.3 shows an example of a NAT configuration in which the NAT clients on the private network are directly connected to the routing switch. The configuration commands are similar to those for the configuration in "Private NAT Clients Connected to the routing switch by a switch" on page 11-14, except the inside NAT and outside NAT interfaces are virtual routing interfaces (called virtual interfaces or VEs) instead of physical ports.

Since all the clients are in the same sub-net, the routing switch is configured with a virtual interface to serve as the inside NAT interface, the routing switch's IP interface for the NAT clients who have private addresses. The virtual interface is required because you cannot configure IP addresses in the same sub-net on multiple physical interfaces on the routing switch. A virtual interface is a logical interface that allows you to associate the same IP address (the IP address of the virtual interface) with multiple physical ports. You can use a virtual interface for routing only when you add the interface to a port-based VLAN. A port-based VLAN is a separate Layer 2 broadcast domain, a logical switch within the HP device. The routing switch uses virtual interfaces to route Layer 3 traffic between port-based VLANs. Thus, this configuration also includes configuration of separate port-based VLANs for the clients' inside NAT interface and for the outside NAT interface.

[Figure 11.3: NAT clients connected directly to the routing switch. The device performs NAT for traffic between the outside NAT interface and the inside NAT interface. Labels: Internet; NAT pool; Internet access router; outside NAT interface (port 1/1, virtual interface 15); inside NAT interface (ports 8/1 to 8/24, virtual interface 10); private NAT clients]

Here are the CLI commands for implementing the NAT configuration shown in Figure 11.3. These commands configure the following:

Port-based VLAN 2 and virtual interface 10 for the inside NAT interface
Port-based VLAN 3 and virtual interface 15 for the outside NAT interface
An Access Control List (ACL) for the range of private addresses in the private network on virtual interface 10
A pool of public (Internet) addresses to use for translation of the private addresses
An association of the ACL for the private addresses with the pool for translation
A default route that has the Internet access router as the route's next-hop gateway

The commands also enable inside NAT and outside NAT on the virtual interfaces and save the configuration changes to the startup-config file. All the commands are entered on the routing switch.

The following commands access the configuration level of the CLI, then configure port-based VLAN 2 and add virtual interface 10 to the VLAN.

HP9300> en
HP9300# configure terminal
HP9300(config)# vlan 2 by port
HP9300(config-vlan-2)# untagged ethernet 8/1 to 8/24
HP9300(config-vlan-2)# router-interface ve 10
HP9300(config-vlan-2)# exit

These commands add ports 8/1 through 8/24 as untagged ports to port-based VLAN 2. Generally, unless a port is a member of more than one port-based VLAN, you do not need to tag the port. The router-interface ve 10 command adds virtual interface 10. At this point the virtual interface does not have an IP address associated with it.

The following commands add port-based VLAN 3 and add virtual interface 15 to the VLAN.

HP9300(config)# vlan 3 by port
HP9300(config-vlan-3)# untagged ethernet 1/1
HP9300(config-vlan-3)# router-interface ve 15
HP9300(config-vlan-3)# exit

The following command configures an ACL to identify the range of private addresses for which you want to provide NAT services. This ACL identifies the private address range as

HP9300(config)# access-list 9 permit

NOTE: The format of the network mask for an ACL uses zeroes to indicate a value that must match, and ones (255 in decimal) as a wildcard. In this case, means the first three parts of the IP address must match exactly, but the fourth part can have any value.

The following command configures the NAT address pool. The routing switch translates a client's address from the private network to an address from this pool when the client sends traffic to a public network, in this case a network located somewhere on the Internet.

HP9300(config)# ip nat pool np1 netmask

This command configures a pool named np1, and adds public address range / / 26 to the pool. Generally, a pool contains more than two addresses, but this pool is small so that this configuration can also demonstrate the Port Address Translation feature.

The following command associates the range of private addresses identified by the ACL with the pool, and in this case also enables the Port Address Translation feature. Port Address Translation allows you to use an address pool that contains fewer addresses than the number of NAT clients in the private network.

HP9300(config)# ip nat inside source list 9 pool np1 overload

The inside source list 9 portion of the command identifies the range of source addresses. The value 9 is the number of the ACL configured above. The pool np1 portion of the command identifies the IP address pool configured above. The overload parameter enables Port Address Translation. When this feature is enabled, NAT associates a TCP or UDP port number with the public address for a client. In this case, there are four clients but only two addresses in the pool. Port Address Translation allows NAT to provide translation addresses for all four clients. When two translation clients have the same public IP address, the software can still distinguish between the clients because each client has a unique TCP or UDP port number.

The following command configures a static default route to the Internet access router. The routing switch uses this route for traffic that is addressed to a destination for which the IP route table does not have an explicit route. Typically, the IP route table does not have explicit routes to all destination networks on the Internet.

HP9300(config)# ip route

The address is the standard notation for an IP default route. The address is the address of the next-hop gateway for the route. In this case, the next-hop gateway is the routing switch's IP interface with the Internet access router.

The following commands configure an IP address on virtual interface 10, which is the virtual interface for the private network, and enable inside NAT on the interface.

HP9300(config)# interface ve 10
HP9300(config-ve-10)# ip address
HP9300(config-ve-10)# ip nat inside
HP9300(config-ve-10)# exit

The following commands configure an IP address on virtual interface 15, which is the interface to the Internet access router, and enable outside NAT on the interface.

HP9300(config)# interface ve 15
HP9300(config-ve-15)# ip address
HP9300(config-ve-15)# ip nat outside
HP9300(config-ve-15)# exit

The following command saves all the configuration changes above to the routing switch's startup-config file on flash memory. The routing switch applies NAT configuration information as soon as you enter it into the CLI. Saving the changes to the startup-config file ensures that the changes are reinstated following a system reload.

HP9300(config)# write memory
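The following Python model is an added example, not code from the HP guide, showing the behaviour both configuration examples rely on: access-list 9 selects the NAT clients, pool np1 supplies two public addresses, and the overload parameter (Port Address Translation) lets four clients share them, while without overload the third and fourth clients get no translation. The addresses (10.10.10.0/24 private, 198.51.100.65 and .66 public), the 8000-based translated-port range and the class and function names are constructed assumptions, since the guide's figure addresses are not reproduced on this page.

```python
"""Added example, not from the HP guide: a model of the dynamic NAT configured
above (access-list 9 -> pool np1, with and without `overload`). All addresses
are constructed because the guide's figure addresses are not reproduced here:
10.10.10.0/24 for the private clients (RFC 1918) and 198.51.100.65-66 for the
public pool (TEST-NET-2). The 8000-based translated-port range is also assumed."""
import ipaddress
from dataclasses import dataclass, field


def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard-mask semantics from the NOTE above: a 0 bit in the mask must
    match, a 1 bit is a don't-care. ("10.10.10.0", "0.0.0.255") matches 10.10.10.x."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass
class NatTable:
    pool: list                 # public addresses in pool np1
    acl: tuple                 # (base, wildcard) of access-list 9
    overload: bool = True      # Port Address Translation on/off
    next_port: int = 8000      # constructed start of the translated-port range
    sessions: dict = field(default_factory=dict)  # (proto, in_ip, in_port) -> (glob_ip, glob_port)
    reverse: dict = field(default_factory=dict)   # (proto, glob_ip, glob_port) -> (in_ip, in_port)
    host_map: dict = field(default_factory=dict)  # in_ip -> glob_ip, used without overload

    def translate_out(self, proto, src_ip, src_port):
        """Inside-to-outside packet. Returns the translated (ip, port), the
        unchanged pair when the source is not a NAT client, or None when the
        pool is exhausted and the packet cannot be translated."""
        if not acl_matches(src_ip, *self.acl):
            return (src_ip, src_port)            # not matched by list 9: left untranslated
        key = (proto, src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]            # existing translation entry is reused
        if self.overload:
            # PAT: spread sessions over the pool; a unique translated port keeps
            # two clients on the same public address distinguishable
            glob = (self.pool[len(self.sessions) % len(self.pool)], self.next_port)
            self.next_port += 1
        else:
            # Dynamic NAT without overload: one whole pool address per inside host
            if src_ip not in self.host_map:
                free = [p for p in self.pool if p not in self.host_map.values()]
                if not free:
                    return None                  # two addresses, third host: no translation
                self.host_map[src_ip] = free[0]
            glob = (self.host_map[src_ip], src_port)   # port is left as the client sent it
        self.sessions[key] = glob
        self.reverse[(proto,) + glob] = (src_ip, src_port)
        return glob

    def translate_in(self, proto, dst_ip, dst_port):
        """Outside-to-inside reply: map the global (ip, port) back to the client.
        None means no entry exists, which is what an outside-originated
        connection gets: this NAT only translates inside-originated traffic."""
        return self.reverse.get((proto, dst_ip, dst_port))


def four_clients(overload: bool):
    """Four UDP sessions, all from source port 1144, on four clients behind a
    two-address pool: the situation the guide describes for the overload option."""
    nat = NatTable(pool=["198.51.100.65", "198.51.100.66"],
                   acl=("10.10.10.0", "0.0.0.255"), overload=overload)
    results = {}
    for host in ("10.10.10.11", "10.10.10.12", "10.10.10.13", "10.10.10.14"):
        results[host] = nat.translate_out("udp", host, 1144)
    return nat, results


if __name__ == "__main__":
    for mode in (True, False):
        nat, res = four_clients(mode)
        print("overload" if mode else "no overload", res)
        # With overload every client gets an entry; without it the third and
        # fourth clients get None once both pool addresses are taken.
        glob = res["10.10.10.13"]
        if glob:
            print("  reply to", glob, "returns to", nat.translate_in("udp", *glob))
```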


More information

HOST AUTO CONFIGURATION (BOOTP, DHCP)

HOST AUTO CONFIGURATION (BOOTP, DHCP) Announcements HOST AUTO CONFIGURATION (BOOTP, DHCP) I. HW5 online today, due in week! Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 I. Auto configuration

More information

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 Lab. 2 Network Devices & Packet Tracer Objectives 1. To become familiar with

More information

The Internet/Network Layer

The Internet/Network Layer IP Addresses and Routing Tables Destination Gateway Genmask Flags MSS Window Irtt Iface 138.38.96.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo default 138.38.103.254 0.0.0.0

More information

Configuring Redundancy

Configuring Redundancy 7 CHAPTER This chapter describes how to configure redundancy and contains these sections: Configuring Fault Tolerance, page 7-1 Configuring HSRP, page 7-5 Configuring Interface and Device Tracking, page

More information

Lab 5-5 Configuring the Cisco IOS DHCP Server

Lab 5-5 Configuring the Cisco IOS DHCP Server Lab 5-5 Configuring the Cisco IOS DHCP Server Learning Objectives Configure and verify the operation of the Cisco IOS DHCP server Configure an IP Helper address Review the EIGRP configuration Topology

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc. Emerald Network Collector Version 4.0 Emerald Management Suite IEA Software, Inc. Table Of Contents Purpose... 3 Overview... 3 Modules... 3 Installation... 3 Configuration... 3 Filter Definitions... 4

More information

NAT (Network Address Translation) & PAT (Port Address Translation)

NAT (Network Address Translation) & PAT (Port Address Translation) NAT (Network Address Translation) & PAT (Port Address Translation) First let s define NAT terms: Inside local address The IP address assigned to a host on the inside network. The address is usually not

More information

Evaluation guide. Vyatta Quick Evaluation Guide

Evaluation guide. Vyatta Quick Evaluation Guide VYATTA, INC. Evaluation guide Vyatta Quick Evaluation Guide A simple step-by-step guide to configuring network services with Vyatta Open Source Networking http://www.vyatta.com Overview...1 Booting Up

More information

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

Network layer 1DT066! Distributed Information Systems!! Chapter 4 Network Layer!! goals: 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! Network layer" goals: "! understand principles behind layer services:" " layer service models" " forwarding versus routing" " how a

More information

Lecture Computer Networks

Lecture Computer Networks Prof. Dr. H. P. Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Thomas Nau, kiz Lecture Computer Networks

More information

Traffic Mirroring Commands on the Cisco IOS XR Software

Traffic Mirroring Commands on the Cisco IOS XR Software Traffic Mirroring Commands on the Cisco IOS XR Software This module describes the commands used to configure and monitor traffic mirroring. acl, page 2 clear monitor-session counters, page 4 destination

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection

More information

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking COURSE AGENDA CCNA & CCNP - Online Course Agenda Lessons - CCNA Lesson 1: Internetworking Internetworking models OSI Model Discuss the OSI Reference Model and its layers Purpose and function of different

More information

Table of Contents. Configuring IP Access Lists

Table of Contents. Configuring IP Access Lists Table of Contents...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...2 Understanding ACL Concepts...2 Using Masks...2 Summarizing ACLs...3 Processing ACLs...4 Defining Ports and Message

More information

IP Subnetting and Addressing

IP Subnetting and Addressing Indian Institute of Technology Kharagpur IP Subnetting and Addressing Prof Indranil Sengupta Computer Science and Engineering Indian Institute of Technology Kharagpur Lecture 6: IP Subnetting and Addressing

More information

Enabling Remote Access to the ACE

Enabling Remote Access to the ACE CHAPTER 2 This chapter describes how to configure remote access to the Cisco Application Control Engine (ACE) module by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols.

More information

TCP/IP Basis. OSI Model

TCP/IP Basis. OSI Model TCP/IP Basis 高 雄 大 學 資 訊 工 程 學 系 嚴 力 行 Source OSI Model Destination Application Presentation Session Transport Network Data-Link Physical ENCAPSULATION DATA SEGMENT PACKET FRAME BITS 0101010101010101010

More information

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved. IP Addressing and Subnetting 2002, Cisco Systems, Inc. All rights reserved. 1 Objectives Upon completion, you will be able to: Discuss the Types of Network Addressing Explain the Form of an IP Address

More information

Chapter 16 Route Health Injection

Chapter 16 Route Health Injection Chapter 16 Route Health Injection You can configure an HP Routing Switch to check the health of the HTTP application and inject a host route into the network to force a preferred route to an actively responding

More information

Understanding Slow Start

Understanding Slow Start Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom

More information

Lab 8.3.13 Configure Cisco IOS Firewall CBAC

Lab 8.3.13 Configure Cisco IOS Firewall CBAC Lab 8.3.13 Configure Cisco IOS Firewall CBAC Objective Scenario Topology In this lab, the students will complete the following tasks: Configure a simple firewall including CBAC using the Security Device

More information

Technical Support Information Belkin internal use only

Technical Support Information Belkin internal use only The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.

More information

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 COURSE OVERVIEW: Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 is a five-day, instructor-led training course that teaches learners

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

1 PC to WX64 direction connection with crossover cable or hub/switch

1 PC to WX64 direction connection with crossover cable or hub/switch 1 PC to WX64 direction connection with crossover cable or hub/switch If a network is not available, or if it is desired to keep the WX64 and PC(s) completely separated from other computers, a simple network

More information

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Introducing the BIG-IP and Check Point VPN-1/FireWall-1 LB, HALB, VPN, and ELA configurations Configuring the BIG-IP and Check Point FireWall-1

More information

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1) INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1) COURSE OVERVIEW: Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructor-led training course that teaches learners

More information

Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007

Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007 ProCurve Wireless Edge Services xl Module v.2 Software NPI Technical Training NPI Technical Training Version: 1.5 12 June 2007 2007 Hewlett-Packard Development Company, L.P. The information contained herein

More information

Deployment Guide AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing

Deployment Guide AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing Deployment Guide AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing DG_PA-SSL_Intercept_2012.12.1 Table of Contents 1 Overview... 4 2 Deployment Prerequisites... 4 3 Architecture

More information