Network Address Translation – Concepts and Application

Network Address Translation (NAT) is a method of mapping one IP address space into another by modifying the network address information in the IP header of packets while they are in transit. In other words, for an IP packet in transit, the IP address is rewritten from one value to another in a pre-determined manner.

The next question is why one IP address would need to be translated (or mapped) to another. There are several reasons, detailed below:

  • Translation of private addresses into unique public addresses when accessing the Internet: Many organizations use private address space internally to conserve public IP addresses. When a host with a private address needs to reach another host across the Internet, the private address has to be mapped to a public IP address before the packet is sent over the Internet. The reverse process takes place when a packet arrives from the public Internet addressed to a host within the organization.
  • Translation of addresses when transitioning internal addresses from one address range into another: Within an organization, the need sometimes arises to map one address range onto another for compatibility reasons. For example, when Company A acquires Company B, the former may want to map the address range of the latter for policy and compatibility reasons. NAT is used under such circumstances.
  • When simple TCP load sharing is required across many IP hosts: Assume that you have an application server catering to the needs of the entire organization and you would like to distribute the load across several such servers for faster response times, while the end user sees only one server (IP address or host name). In such cases, NAT allows you to distribute the load across several servers while the users still communicate with a single host.

Now that we know some of the cases where network address translation is useful, we discuss the various types of NAT:

  1. Static NAT: Maps an unregistered IP address to a registered (globally unique) IP address on a one-to-one basis.
    The command, ip nat inside source static <local ip> <global ip> configures address translation for static NAT.
    Note that a static entry makes the inside host reachable from the outside on every port, so it should be paired with an explicit access policy.
  2. Dynamic NAT: Maps an unregistered IP address to a registered (globally unique) IP address drawn dynamically from a pool of registered addresses. A host is not guaranteed to get the same global address the second time.
    The command, ip nat inside source list <access-list-number> pool <name>
    is used to map the access list to the IP NAT pool during the configuration of dynamic NAT.
  3. Overloading NAT: A special case of dynamic NAT that maps multiple unregistered IP addresses to a single registered (globally unique) IP address by using different port numbers. It is configured by appending the overload keyword to the dynamic NAT command above.
    Dynamic NAT with overloading is also known as PAT (Port Address Translation). Because an inbound packet is only translated when it matches a translation created by earlier outbound traffic, PAT incidentally blocks unsolicited inbound connections; this is a side effect of the missing state, not a firewall policy, and should not be relied on as one.
  4. Overlapping NAT: When a host on your network is assigned an IP address that is on the same subnet as another device on the Internet or an external network, the result is overlapping networks. NAT makes it possible to allow communication between two overlapping networks without renumbering any devices.
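To make the difference between static NAT and PAT concrete, here is a toy translator (added example, not code from the original page or from any vendor). It uses the addresses from the figure described later on this page (inside local 10.1.12.1, inside global 132.0.1.100, outside global 200.1.2.3); the second inside host 10.1.12.2, the static mapping 10.1.12.50 -> 132.0.1.50 and the port range are assumptions for the example. Two inside hosts that happen to use the same source port get distinct global ports, a reply is only translated back when it matches existing state, and a statically mapped host is reachable from anywhere.

```python
"""Toy NAT/PAT translator (added example, not from the original page)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """One NAT router with a single inside global address (PAT) plus optional static one-to-one entries."""

    def __init__(self, inside_global_ip: str, static_map: Optional[Dict[str, str]] = None,
                 first_port: int = 1024, last_port: int = 65535):
        self.inside_global_ip = inside_global_ip
        self.static_map = dict(static_map or {})            # inside local -> inside global
        self.static_rev = {g: l for l, g in self.static_map.items()}
        self.next_port = first_port                         # assumed PAT port range
        self.last_port = last_port
        # PAT state keyed by the full outbound 4-tuple, so two inside hosts that use the
        # same source port are given different global ports.
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        self.inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the inside local source to the inside global address."""
        if pkt.src_ip in self.static_map:                   # static NAT: one-to-one, ports untouched
            return replace(pkt, src_ip=self.static_map[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:                        # first packet of this flow: create state
            gport = self._allocate_port()
            self.outbound[key] = gport
            self.inbound[(self.inside_global_ip, gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.inside_global_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: return the untranslated packet, or None when no state exists (dropped)."""
        if pkt.dst_ip in self.static_rev:                   # static entry: always reachable from outside
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.inbound.get(key)
        if entry is None:
            return None                                     # unsolicited: nothing to translate to
        local_ip, local_port = entry
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)


if __name__ == "__main__":
    nat = NatDevice("132.0.1.100", static_map={"10.1.12.50": "132.0.1.50"})
    for host in ("10.1.12.1", "10.1.12.2"):
        print(nat.translate_outbound(Packet(host, 40000, "200.1.2.3", 443)))
    print(nat.translate_inbound(Packet("200.1.2.3", 443, "132.0.1.100", 1025)))
    print(nat.translate_inbound(Packet("200.1.2.3", 443, "132.0.1.100", 9999)))   # None
    print(nat.translate_inbound(Packet("203.0.113.9", 5555, "132.0.1.50", 22)))    # static, passes
```

The port counter is deliberately simple; a real device recycles ports on timeout and also tracks TCP state, but the essential security point is visible here: the PAT table, not any policy, decides which inbound packets reach an inside host, and a static mapping bypasses that table entirely.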

Below are some key terms related to NAT which play an important role in address translation:

  • Inside Local Address
  • Inside Global Address
  • Outside Local Address
  • Outside Global Address

To make the above terms clear, we first break down the words Inside, Outside, Local, and Global.

  • Inside = Under the control of the customer; resides inside the customer network.
  • Outside = Not under the customer's control; resides outside the customer network.
  • Local = Private addresses; refers to an address as it is seen on the inside of your network.
  • Global = Public, globally routable IP addresses; refers to an address as it is seen on the outside of the customer network.

Now we come back to the 4 key terms of NAT:

  • Inside Local Address – A private address that the customer controls. This is the IP address assigned to an end host on the inside network. The address is chosen by the customer and does not have to be obtained from an IP address authority or a service provider.
  • Inside Global Address – A public address that the customer controls. An example is the globally routable IP address(es) the ISP provides to the organization (customer). A local address cannot traverse the Internet, so a packet generated on an inside host with a local source address and destined for a host on the public Internet has its source translated to a routable public IP address given by the ISP before it enters the Internet.
  • Outside Local Address – A private address that is outside the customer's control. This is the address that the inside hosts use to refer to an outside host. The outside local address may be the outside host's actual address or a translated address from a different private address block. In other words, it is the IP address of an outside host as it is known to the hosts on the inside network.
  • Outside Global Address – A public address that is outside the customer's control. This is the globally routable public IP address assigned to the end device on the other network, used to communicate over the Internet. For example, if an internal host is accessing a Google mail server on the Internet, the address of the Google mail server is the Outside Global address, and you have no control over the IP assignment of that server.

Looking at the figure above, we can interpret the various addresses as below with respect to the inside host 10.1.12.1 and the outside host 200.1.2.3:

  • Inside Local address:10.1.12.1
  • Inside Global address:132.0.1.100
  • Outside Local address:192.168.1.7
  • Outside Global address:200.1.2.3

As you can see, Inside Local and Inside Global correspond to the customer's host, while Outside Local and Outside Global correspond to the outside host. This can be confusing in the exam if the point is not clear.

Ref.: http://www.ciscopress.com/articles/article.asp?p=1725268

Spanning Tree Protocol (STP) in Local Area Networks (LANs)

What is Spanning Tree Protocol: In computer networking, data packets are forwarded from one network node to the next as they travel from source to destination. In an Ethernet network, it is quite possible that these packets (strictly speaking, frames, since they travel at layer 2 of the OSI model within the LAN) have multiple paths to the next hop. Consider the simple figure given below:

Assume that Frame 1, originating at SwitchA, needs to reach destination SwitchD. As may be seen in the adjacent figure, Frame 1 has multiple paths from SwitchA to SwitchC. If the redundant path is not blocked, the result is a loop: the same Frame 1 may be flooded by SwitchC and come back again via SwitchB. Remember that bridges and layer-2 switches natively flood a frame with an unknown or broadcast destination out of all ports other than the one on which it was received.

Note: STP allows redundancy in layer-2 networks. For example, in the above network, if the link from SwitchA to SwitchC fails, the frames are transmitted via SwitchB instead.

The exact path that a frame takes when traversing from one node to another within a LAN depends on the STP configuration, and we discuss this later.

In summary, Spanning Tree Protocol (STP) is a network protocol designed to prevent layer-2 loops, and it is standardized as IEEE 802.1D.

Fundamentals of simple STP: STP runs within LANs, i.e. on layer-2 devices such as switches and bridges. If you are sitting in an office environment, it is very likely that you are connected to an office LAN consisting of switches and bridges. As mentioned earlier, the single most important feature of STP is to prevent loops within the network while still offering redundancy. We now discuss the mechanisms used to achieve this.

STP uses what is known as a BPDU (Bridge Protocol Data Unit), a multicast frame, to share information about a switch and its interface connections. Switches within the LAN use BPDUs to learn the LAN topology. BPDU frames are sent as multicast every two seconds (the default hello time). The LAN requires a reference point for all STP calculations, and that node is the Root Bridge.

Root Bridge is selected using the following criteria in STP:

  • The switch with the lowest Bridge Priority value becomes the Root Bridge.
  • If there is a tie between switches with the same priority value, the switch with the lowest MAC address becomes the Root Bridge.

The default priority value is 32768. If you want a particular switch to be the Root Bridge, set its priority to a value less than 32768. The Root Bridge selection process runs each time a switch or bridge is added to or removed from the LAN topology (note that switch and bridge are used interchangeably here). If the other switches in the network do not receive BPDUs from the Root Bridge within a specified time (the Max Age timer, 20 seconds by default), they assume the Root Bridge has failed, and an election to choose a new Root Bridge takes place.

Note: There are different flavors of STP, the simplest being Common Spanning Tree (CST), which runs a single instance for the whole LAN. Throughout this article, we assume that VLANs are not used within the LAN. When VLANs are used, multiple instances of STP are present; these are defined by Multiple Spanning Tree (MST), Per-VLAN Spanning Tree (PVST) and Per-VLAN Spanning Tree Plus (PVST+). Once the basic concept is clear, it extends easily to networks with VLANs.

Root Bridge Election Process: Each BPDU consists of the following:

  1. Root Bridge ID or Root BID – BID of the switch that the sender of this BPDU believes to be the root switch
  2. Sender’s Bridge ID – BID of the switch sending this Hello BPDU
  3. Cost to the Root Bridge – The STP cost between this switch and the current root
  4. Timer values on Root Bridge – Hello Timer, Max Age Timer, Forward Delay Timer

Example:

In the figure above, all three switches (Switch A, Switch B, and Switch C) are propagating BPDUs as shown. The Root Bridge is not yet elected. Switch C has the lowest MAC address and is therefore elected as the Root Bridge (the bridge priorities are the same for all three switches here; otherwise, the switch with the lowest priority value would have been elected as Root regardless of the MAC addresses). The figure below shows the final network topology after STP convergence. Note that port P05 is blocked, on the assumption that all links have the same bandwidth.

To recapitulate, initially each switch within the LAN assumes that it is the root bridge and sends out BPDUs accordingly. However, when a BPDU with a better (lower) Bridge ID (BID) is received, the switch replaces the Root Bridge ID in its own BPDUs with that superior BID. This process continues until every switch within the LAN agrees on which switch has the lowest BID and hence deserves to be the Root Bridge.

Non-Root Bridge: All switches in the LAN other than the Root Bridge are known as non-Root Bridges. A non-Root Bridge receives BPDUs relayed from the Root Bridge and updates its STP database accordingly.

Port Costs: STP assigns each port within the LAN a cost, called the port cost. Port cost is used to choose the best path when multiple paths are available between two switches. The port cost is determined by the bandwidth of the connected link, and a switch always forwards along the path with the lowest total cost. As may be seen from the table below, the higher the bandwidth, the lower the port cost.

Two sets of port costs exist (the older linear values and the revised IEEE values):

Bandwidth    Old cost value    New cost value
10 Gbps             1                 2
1 Gbps              1                 4
100 Mbps           10                19
10 Mbps           100               100

Note: In STP, a lower number always means a better ranking.

Root Port: The Root Port of a non-Root Switch is selected using the steps below:

  1. Select the port with the lowest path cost to the Root Bridge as the Root Port (this step only decides when a non-Root Switch has two or more paths to the Root Bridge).
  2. If there is a tie, the non-Root Switch selects the local port that is receiving BPDUs with the lowest sender Bridge ID from the neighbouring switch (the advertiser) as the Root Port.
  3. If there is still a tie, it selects the port receiving the lowest sender port priority.
  4. If there is still a tie, the non-Root Switch selects the port receiving BPDUs from the lowest physical port number on the neighbouring switch as the Root Port. This is the last tie-breaker.

Just remember the following order:

Lowest Root Path Cost (tie) -> Port Receiving the Lowest Sender Bridge ID (tie) -> Lowest Received Port Priority (tie) -> Lowest Received Port Number

Other related terms:

Designated Port: On each LAN segment, the designated port is the port of the switch that offers the lowest path cost to the Root Bridge on that segment (with the same tie-breakers as above: lowest Bridge ID, then lowest port ID). A designated port is placed in the forwarding state.

Non-Designated Port: A non-designated port is a port on a segment that lost the designated port comparison, i.e. it has a higher path cost than the designated port and is not a root port either. A non-designated port is placed in the blocking state and does not forward any frames. Of course, if the topology of the network changes, the same port may become a designated port.

Forwarding Port: A forwarding port is used to forward frames within the network.

Blocking Port: A blocking port remains disabled for data traffic in order to remove loops in the network; it still listens to BPDUs.

Summary of Selection of Root Bridge, Root Port, and Designated Ports:

1. The switch with the lowest Bridge ID (Priority + MAC address) becomes the Root Bridge.
2. Each non-root bridge has exactly ONE root port (RP), which is the port with the lowest path cost to the Root Bridge.
3. All ports on the Root Bridge become Designated Ports (DP).
4. Each segment has exactly one Designated Port (DP).
5. All RPs and DPs are in the FORWARDING state; all other ports are in the BLOCKING state.
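The whole procedure above (root bridge election, root path cost from the port cost table, the root port tie-breaker order, and one designated port per segment) can be worked through on the three-switch example from the figures. The following is an added example, not code from the original page or from any switch vendor. It assumes the triangle SwitchA-SwitchB-SwitchC with Switch C holding the lowest MAC address as the page states; the MAC addresses, port names (P01..P06, with P05 on SwitchA facing SwitchB), equal link speeds and a default port priority of 128 are assumptions for the example. Port names are compared as strings, so the zero-padded form is assumed.

```python
"""Toy STP computation (added example, not from the original page)."""
from typing import Dict, List, Tuple

# Revised IEEE 802.1D port costs (the "new cost value" column of the table above)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
PORT_PRIORITY = 128                      # default port priority, assumed equal on every port here

Bid = Tuple[int, int]
Link = Tuple[str, str, str, str, int]   # (bridge1, port1, bridge2, port2, link speed in Mbps)


def bridge_id(priority: int, mac: str) -> Bid:
    """A Bridge ID compares as (priority, MAC); the lower tuple wins the election."""
    return (priority, int(mac.replace(".", "").replace(":", "").replace("-", ""), 16))


def compute_stp(bridges: Dict[str, Tuple[int, str]], links: List[Link]):
    """bridges: name -> (priority, mac). Returns (root, root_path_cost, root_port, port_state)."""
    bids = {name: bridge_id(*pm) for name, pm in bridges.items()}
    root = min(bids, key=bids.get)                   # step 1: lowest BID is the Root Bridge
    adj = {name: [] for name in bridges}             # name -> [(local port, neighbour, its port, cost)]
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, PORT_COST[mbps]))
        adj[b].append((pb, a, pa, PORT_COST[mbps]))
    INF = float("inf")
    rpc = {name: (0 if name == root else INF) for name in bridges}   # root path cost
    root_port: Dict[str, str] = {}
    # Step 2: each non-root bridge keeps re-evaluating the "BPDUs" it hears until nothing changes.
    # An offer is ranked exactly in the root port tie-break order given above:
    # root path cost, sender BID, sender port priority, sender port number.
    for _ in range(len(bridges)):
        changed = False
        for name in bridges:
            if name == root:
                continue
            offers = [(rpc[nbr] + cost, bids[nbr], PORT_PRIORITY, nbr_port, local)
                      for local, nbr, nbr_port, cost in adj[name] if rpc[nbr] < INF]
            if not offers:
                continue
            best = min(offers)
            if (best[0], best[4]) != (rpc[name], root_port.get(name)):
                rpc[name], root_port[name] = best[0], best[4]
                changed = True
        if not changed:
            break
    # Steps 3-5: one designated port per segment (lowest root path cost, then lowest BID, then
    # lowest port ID); root ports and designated ports forward, every other port blocks.
    state: Dict[Tuple[str, str], str] = {}
    for a, pa, b, pb, _ in links:
        offer_a = (rpc[a], bids[a], PORT_PRIORITY, pa)
        offer_b = (rpc[b], bids[b], PORT_PRIORITY, pb)
        dp = (a, pa) if offer_a < offer_b else (b, pb)
        for br, port in ((a, pa), (b, pb)):
            forwarding = (br, port) == dp or root_port.get(br) == port
            state[(br, port)] = "FORWARDING" if forwarding else "BLOCKING"
    return root, rpc, root_port, state


if __name__ == "__main__":
    # Constructed topology: equal priorities, Switch C has the lowest MAC, all links 100 Mbps.
    switches = {"SwitchA": (32768, "0000.0000.000c"),
                "SwitchB": (32768, "0000.0000.000b"),
                "SwitchC": (32768, "0000.0000.000a")}
    triangle = [("SwitchA", "P01", "SwitchC", "P02", 100),
                ("SwitchA", "P05", "SwitchB", "P03", 100),
                ("SwitchB", "P04", "SwitchC", "P06", 100)]
    root, rpc, rp, state = compute_stp(switches, triangle)
    print("root:", root, "root path costs:", rpc, "root ports:", rp)
    for key in sorted(state):
        print(key, state[key])
```

With equal link speeds the result matches the figure: SwitchC is root, SwitchA's P05 is the only blocking port (SwitchB wins the SwitchA-SwitchB segment because its BID is lower), and everything else forwards. Changing the SwitchA-SwitchC link to 10 Mbps while the other two are 1 Gbps makes the two-hop path via SwitchB cheaper (4 + 4 = 8 against 100), so SwitchA's root port moves to P05 and P01 blocks instead. Note that nothing in the election authenticates the sender: any device that advertises a lower priority (0, say) on an access port wins and becomes root, which is why switch ports facing end hosts are normally protected with features such as BPDU Guard or root guard.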

References:

  1. https://www.tutorialsweb.com/networking/tcp-ip/index.htm