Up to this point, the discussion has dealt with organizations that are designing an IP network for the ﬁrst time. In reality, this is rarely the case, unless a decision has been made to readdress the entire network.
Often the network has been up and running for some years. If this is the case, the usual task is to use some of the newer technologies available to reduce and manage network trafﬁc so that the network can grow without pain.
The simplest solution is to implement a classless routing protocol that sends the subnet mask in the updates and thus allows VLSM and summarization. OSPF, EIGRP, and IS-IS are examples of 102 Chapter 3: Designing IP Networks classless routing protocols. For a detailed comparison of the various routing protocols, refer to Chapter 1, “IP Routing Principles,” in the section “Types of Routing Protocols.” However appropriate the routing protocol that you have chosen, it might not be possible to use the summarization feature. As explained earlier, this capability is determined in part by how well the addressing scheme mirrors and is supported by the physical topology.
You can use the following guidelines to determine whether summarization can be conﬁgured within
a particular network:
■ The network addressing scheme should reﬂect the physical topology of the network.
■ The physical and logical topology of the network should be hierarchical in design.
■ Given the network addressing scheme, the addresses to be summarized need to share the same high-order bits.
■ If the subnet addresses are clearly set on a single binary border, this suggests a preﬁx mask of /21 or 255.255.248.0. Because the subnets are multiples of 8, they might be summarized by a higher subnet value that is divisible by 8, such as 188.8.131.52. The following subnets provide an example:
■ The nature of the trafﬁc ﬂow within the network should reﬂect the hierarchical logical and physical design.
■ The routing protocol used must support VLSM.
Using this list to identify whether summarization is possible, you might ﬁnd that you do not have the answers to some of the questions that arise or that another solution to readdressing must be found.
For example, any design of a network requires very careful analysis of the current network and a clear understanding of the organization’s plans. Unfortunately, it is not always possible to determine the nature or ﬂow of data through a network. Intranets and internal web pages have made the nature of the trafﬁc within an organization far more unpredictable.
The increased tendency for organizations to need ﬂexibility or mobility in addressing can make the IP design very challenging. The design would need to include Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers to maximize the ﬂexibility of the network.
DHCP allows end hosts to be assigned an IP address upon application. As an example, consider an airline that assumes that not everyone will turn up for the ﬂight, so it can oversell the seats on the plane. In a similar fashion, the DHCP server has a block of addresses, but it does not expect every machine on the network to turn on at the same time. Thus, 100 users are provided 60 IP addresses.
The DNS server provides a name-to-address translation, which is extremely useful when the DNS server works in conjunction with the DHCP server.
It is also important to understand fully the nature of the trafﬁc in the network, particularly if it is a client/server environment, in which the design must allow for servers to communicate with each other and with their clients.
Using the existing addressing of the organization might not be possible. If this is the case, the decision must be made to readdress the network. You might need to make this decision for two reasons: either the network cannot scale because of the limitations of the classful address that has been acquired from the IANA, or the original design does not allow for the current environment or growth.
If the addressing scheme is inadequate in size, you have several options. The ﬁrst action for the administrator to take is to apply to the IANA for another address; the second is to use private addressing. The next section describes private addresses on the Internet.
Private Addresses on the Internet
Private addressing is one of the solutions (along with VLSM, IPv6 with an address ﬁeld of 128 bits, and CIDR addressing and preﬁx routing) that the Internet community began to implement when it became apparent that there was a severe limitation to the number of IP addresses available on the Internet.
Private addressing is deﬁned by RFC 1597 and revised in RFC 1918. It was designed as an addressing method for organizations that have no intention of ever connecting to the Internet. If Internet connectivity is not required, there is no requirement for a globally unique address from the Internet. The individual organization could address its network without any reference to the Internet, using one of the address ranges provided.
The advantage of the Internet is that none of the routers within the Internet recognize any of the addresses designated as private addresses. If an organization that deployed private addressing as outlined in RFC 1918 (in error) connected to the Internet, all its trafﬁc would be dropped. The routers of Internet service providers (ISPs) are conﬁgured to ﬁlter all network routing updates from networks using private addressing. In the past, organizations “invented” addresses, which were, in fact, valid addresses that had already been allocated to another organization. There are many amusing and horrifying stories of organizations connecting to the Internet and creating duplicate addresses within the Internet. A small company inadvertently masquerading as a large state university can cause much consternation.
Table 3-2 outlines the IP address ranges reserved for private addressing, as speciﬁed in RFC 1918.
Table 3-2 Private Address Ranges
The use of private addressing has now become widespread among companies connecting to the Internet. It has become the means by which an organization avoids applying to the IANA for an address. As such, it has dramatically slowed, if not prevented, the exhaustion of IP addresses.
Because private addresses have no global signiﬁcance, an organization cannot just connect to the Internet. It must ﬁrst go through a gateway that can form a translation to a valid, globally signiﬁcant address. This is called a Network Address Translation (NAT) or NAT gateway.
Conﬁguring private addressing is no more complicated than using a globally signiﬁcant address that has been obtained from the IANA and is “owned” by the organization. In many ways, conﬁguring private addressing is easier, because there are no longer any restrictions on the subnet allocation, particularly if you choose the Class A address 10.0.0.0.
The reasons for addressing your organization’s network using private addressing include the following:
■ There is a shortage of addressing within the organization.
■ You require security. Because the network must go through a translation gateway, it will not be visible to the outside world.
■ You have an ISP change. If the network is connecting to the Internet through an ISP, the addresses allocated are just on loan or are leased to your organization. If the organization decides to change its ISP, the entire network will have to be readdressed. If the addresses provided deﬁne just the external connectivity and not the internal subnets, however, readdressing is limited and highly simpliﬁed.
The use of private addressing has been implemented by many organizations and has had a dramatic impact on the design of IP networks and the shortage of globally signiﬁcant IP addresses. You should bear some things in mind when designing an IP network address plan using private addressing, including the following:
■ If connections to the Internet are to be made, hosts wanting to communicate externally will need some form of address translation performed.
■ Because private addresses have no global meaning, routing information about private networks will not be propagated on interenterprise links, and packets with private source or destination addresses should be forwarded across such links with extreme care. Routers in networks not using private address space, especially those of ISPs, are expected to be conﬁgured to reject (ﬁlter out) routing information about private networks.
■ In the future, you might be connecting, merging, or in some way incorporating with another company that has also used the same private addressing range.
■ Security and IP encryption do not always allow NAT.
If private addressing is deployed in your network and you are connecting to the Internet, you will be using some form of NAT. The following section explains this technology.
Connecting to the Outside World with NAT
When connecting to the outside world, some ﬁltering and address translation might be necessary. Unless an address has been obtained from the Internet or from an ISP, you must perform address translation. The RFC that deﬁnes NAT is RFC 1631, “The IP Network Address Translator.”
NAT is the method of translating an address on one network into a different address for another network. It is used when a packet is traversing from one network to another and when the source address on the transmitting network is not legal or valid on the destination network, such as when the source corresponds to a private address. The NAT software process must be run on a Layer 3 device or router (which is logical, because NAT deals with the translation of Layer 3 addresses).
NAT is often implemented on a device that operates at higher layers of the OSI model because of their strategic placement in the organization. NAT is often used on a ﬁrewall system, for example, which is a security device that guards the entrance into the organization from the outside world. The position of the ﬁrewall makes it an excellent choice for NAT, because most translations are required for trafﬁc exiting an organization that has used private addressing as deﬁned in RFC 1918.
NAT had a controversial childhood, particularly when it was used for translating addresses that did not use RFC 1918 guidelines for private addressing; sometimes an organization used an address that had just been created imaginatively by a network administrator. This practice occurred when there was no glimmer of a possibility that the organization would ever connect to the Internet. This certainty that a company would never connect to the Internet is unrealistic, even for small companies, in an era when even individual homes have Internet connectivity.
Therefore, NAT is useful in the following circumstances:
■ To connect organizations that used address space issued to other organizations to the Internet
■ To connect organizations that use private address space deﬁned in RFC 1918 and want to connect to the Internet
■ To connect two organizations that have used the same private address, in line with RFC 1918
■ When the organization wants to hide its addresses and is using NAT as part of ﬁrewall capabilities or is using additional security features
TIP NAT is designed for use between an organization and the outside world. Although it might be used to solve addressing problems within an organization, you should see this as a temporary ﬁx. In such situations, NAT is a transitory solution to keep the network functional while you are designing and readdressing it appropriately.
Figure 3-5 Connecting to the Outside World Using NAT
Connecting to the Outside World with NAT
Cisco supports the use of NAT on the majority of its platforms, as well as on its Cisco Secure PIX ﬁrewall. Various levels of support are offered, depending on the platform and the IOS release that your company has purchased. Cisco now bundles NAT support into the standard product offering. It started to be widely offered from IOS version 11.2 with the purchase of the “plus” software, and full NAT functionality became available in the Base IOS form with version 12.0. NAT itself is currently at version 3.0. The following sections describe the main features and functions of NAT that Cisco offers.
NOTE If you are considering implementing NAT, contact Cisco via its web page. You should always contact the vendor of a product before purchase to appreciate fully the latest offerings and pricing. Because this industry is so dynamic, it is wise to verify the latest data.
The Main Features of NAT
The main features of NAT, as supported by Cisco, include the following:
■ Static addressing —This one-to-one translation is manually conﬁgured.
■ Dynamic source address translation —Here, a pool of addresses is deﬁned. These addresses are used as the product of the translation. They must be a contiguous block of addresses.
■ Port address translation (PAT) —Different local addresses (within the organization) are translated into one address that is globally signiﬁcant for use on the Internet. The additional identiﬁer of a TCP or UDP port unravels the multiple addresses that have been mapped to single addresses. The uniqueness of the different local addresses is ensured by the use of the port number mapped to the single address.
■ Destination address rotary translation —This is used for trafﬁc entering the organization from the outside. The destination address is matched against an access list, and the destination address is replaced by an address from the rotary pool. This is used only for TCP trafﬁc, unless other translations are in effect.
The Main Functions of NAT
The basic operation of NAT is very straightforward, although the terminology is rather confusing. The list of address deﬁnitions in Table 3-3 clariﬁes the different terms.
To translate one network address into another, the process must differentiate between the functionality of the addresses being translated. Table 3-3 lists the categories of functions.
Table 3-3 Categories of Functions
As shown in Figure 3-6, a router within the organization sees the inside addresses and the address of the router connecting them to the outside world, namely the Outside Local address. The router that connects to the outside world has an Inside Global address (how it is seen by the rest of the world) and an address to connect to the ISP, the Outside Global address. The diagram shows what each router sees based on its position in the NAT world.