Ch. 9 VTP (Trunking, VTP, Inter-VLAN Routing) CCNA 3 version 3.0


Overview
- Explain the origins and functions of VLAN trunking
- Describe how trunking enables the implementation of VLANs in a large network
- Define IEEE 802.1Q
- Define Cisco ISL
- Configure and verify a VLAN trunk
- Define VTP
- Explain why VTP was developed
- Describe the contents of VTP messages
- List and define the three VTP modes
- Configure and verify VTP on an IOS-based switch
- Explain why routing is necessary for inter-VLAN communication
- Explain the difference between physical and logical interfaces
- Define subinterfaces
- Configure inter-VLAN routing using subinterfaces on a router port

History of trunking
In telephony and radio, a trunk is a single communications line that carries multiple channels. In switching, a trunk is a physical and logical connection between two switches (or a switch and a router) across which traffic for multiple VLANs travels.

A closer look at VLAN tagging
There are two types of VLAN tagging:
- ISL (Inter-Switch Link): Cisco proprietary
- IEEE 802.1Q: recommended by Cisco and required when working with multi-vendor switches
A standard Ethernet frame carries up to 1500 bytes of data plus an 18-byte header and trailer (1518 bytes). ISL wraps the entire original frame, adding a 26-byte header and a 4-byte trailing CRC (30 bytes in total). Caution: some older Cisco switches only do ISL, while some newer Cisco switches only do 802.1Q. The following slides on ISL and 802.1Q are FYI only.

IEEE 802.1Q
802.1Q does not encapsulate the frame. It inserts a 4-byte tag between the source MAC address and the Type/Length field: a 2-byte Tag Protocol Identifier (TPID, value 0x8100) and 2-byte Tag Control Information (TCI), which carries the 12-bit VLAN ID together with a 3-bit priority field. Because the frame contents change, the CRC is recalculated. NICs and networking devices can understand the resulting "baby giant" frame (1522 bytes); however, a switch must remove the tag before sending the frame out an access link. This is significantly less overhead than ISL: 4 bytes inserted, as opposed to the 30 bytes added by ISL.
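As an added example (not part of the original slides), the tag insertion, parsing and removal described above in Python: it builds a maximum-size Ethernet II frame, inserts an 802.1Q tag the way a trunk port would, recomputes the FCS, and strips the tag again as a switch does on the way out an access port. The MAC addresses and payload are constructed sample data, and the frame stays in memory rather than going onto the wire.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # Tag Protocol Identifier of a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def ethernet_fcs(frame_body: bytes) -> bytes:
    """CRC-32 over everything from destination MAC to end of payload.
    IEEE 802.3 transmits the FCS least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: 6 + 6 + 2 + payload (padded to 46, at most 1500) + 4-byte FCS."""
    if not 1 <= len(payload) <= 1500:
        raise ValueError("payload must be 1..1500 bytes")
    payload = payload.ljust(46, b"\x00")          # minimum-length padding
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC, as a switch does when a frame
    leaves a trunk port tagged. TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:                       # 0 = priority-tagged, 4095 reserved
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    body = frame[:-4]                              # old FCS is no longer valid
    tci = (pcp << 13) | (dei << 12) | vid
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)           # the "new CRC" on the slide


def parse_tag(frame: bytes):
    """Return {'pcp', 'dei', 'vid'} if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def strip_tag(frame: bytes) -> bytes:
    """What a switch does before forwarding out an access port: drop the tag and
    recompute the FCS. Untagged frames pass through unchanged."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + ethernet_fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing FCS matches the frame contents."""
    return len(frame) >= 18 and ethernet_fcs(frame[:-4]) == frame[-4:]


if __name__ == "__main__":
    # Constructed sample (not captured traffic): a 1500-byte IPv4 payload.
    dst = bytes.fromhex("0011223344aa")
    src = bytes.fromhex("0011223344bb")
    plain = build_untagged_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 1499)
    tagged = tag_frame(plain, vid=20, pcp=5)
    print(len(plain), len(tagged), parse_tag(tagged))
    print(strip_tag(tagged) == plain, fcs_ok(tagged))
```

The size check is the point of the "baby giant" remark: a full-size frame grows from 1518 to 1522 bytes, and any device that enforces 1518 will drop it. The FCS check also shows why a tag cannot be edited in flight without recomputing the CRC.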

Trunking operation (ISL or 802.1Q)
Trunking protocols were developed to manage the transfer of frames from different VLANs over a single physical link. The trunking protocol establishes an agreement between both ends of the trunk on how frames are tagged and delivered to the associated ports. Trunk links may carry traffic for all VLANs or only for specific VLANs.

VLANs and trunking
A trunk is a single channel between two points that are usually switching centers. It is important to understand that a trunk link does not belong to a specific VLAN. The responsibility of a trunk link is to act as a conduit for VLANs between switches and routers (or between switches).

Configuring trunking
Note: On many switches, the switchport trunk encapsulation command must be entered BEFORE the switchport mode trunk command. These commands are explained on the following slides.

Configuring trunking
  Switch(config-if)#switchport trunk encapsulation {dot1q | isl}
This command configures the VLAN tagging method on an interface, if the switch supports more than one trunking protocol. The two options are:
- dot1q: IEEE 802.1Q
- isl: Cisco ISL
The tagging method must be the same on both ends of the trunk.

Before attempting to configure a VLAN trunk on a port, determine which encapsulations the port supports. On CatOS this is done with the show port capabilities command; on IOS-based switches the equivalent is show interfaces interface-id capabilities, whose "Trunk encap. type" line lists the supported encapsulations.

Configuring trunking
  Switch(config-if)#switchport mode {access | trunk}
By default, 2900XL switch ports are configured as access ports. This is not true on most other switches of this era, where the default is dynamic desirable. An access port belongs to a single VLAN only. Access ports are used when:
- Only a single device is connected to the port
- Multiple devices (via a hub) are connected to the port, all belonging to the same VLAN
- Another switch is connected to this interface, but the link only carries a single VLAN (non-trunk link)
Trunk ports are used when:
- Another switch (or router) is connected to this interface and the link carries multiple VLANs (trunk link)
Ports that face end users should always be configured explicitly as access ports; a port left at a dynamic default will accept a trunk negotiation from whatever is plugged into it.

Configuring trunking
No VLAN tagging:
  Switch(config-if)#switchport mode access
VLAN tagging:
  Switch(config-if)#switchport mode trunk

DTP: Dynamic Trunking Protocol
To trunk or not to trunk (access mode), that is the question.

DTP: Dynamic Trunking Protocol
The next few slides give a brief overview of DTP. They refer to the Catalyst 2950 and 3550 switches; there may be small differences on the 2900XL.

DTP: Dynamic Trunking Protocol
Ethernet trunk interfaces support several trunking modes:
- access
- dynamic desirable (default mode on the Catalyst 2950 and 3550)
- dynamic auto
- trunk
- nonegotiate
- dot1q-tunnel (not an option on the Catalyst 2950)
Using these modes, an interface can be set to trunking, to non-trunking, or to negotiate trunking with the neighboring interface. To negotiate trunking automatically, the interfaces must be in the same VTP domain (VTP is discussed in the next section). Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), a Cisco-proprietary point-to-point protocol. These modes are configured with the switchport mode interface command.

DTP: Dynamic Trunking Protocol
We have already discussed the two non-dynamic options:
  Switch(config-if)#switchport mode access
  Switch(config-if)#switchport mode trunk
These set the interface to non-trunking (access) or trunking (trunk) unconditionally.

DTP: Dynamic Trunking Protocol
The DTP modes and their combinations can be somewhat confusing. Looking at the basic combinations helps clarify this.

DTP defaults
By default, Ethernet interfaces on Catalyst 2950 and 3550 switches are in dynamic desirable mode (2900XL switches default to access mode). Desirable mode forms a trunk if the neighboring interface is set to desirable, trunk, or auto mode. Because both interfaces on 2950 and 3550 switches are in desirable mode by default, a link between two of these switches automatically becomes a trunk unless configured otherwise. Later Catalyst models (2960 and newer) default to dynamic auto instead, so two of them connected back-to-back do not trunk on their own; a dynamic auto port will still become a trunk as soon as the device on the other end sends DTP desirable frames, and that device need not be a switch.

Creating VLANs
Default: dynamic desirable. A link between two such ports becomes a trunk unless one of the ports is configured as an access link, i.e. with switchport mode access. By default, all ports are configured as switchport mode dynamic desirable, which means that if the port is connected to another switch port with the same default mode (or desirable or auto), the link becomes a trunk. (See my article on DTP on my web site for more information.) Note that the switchport access vlan command only chooses which VLAN the port uses when it is in access mode; it does not change the trunking mode, so switchport mode access is still needed on a port that defaults to dynamic desirable. This will be discussed more in the next chapter, in the section on DTP.

DTP defaults on the 2950/3550
The figure on this slide shows the DTP trunking modes and the results of their combinations. In summary: dynamic desirable forms a trunk with a desirable, auto or trunk neighbor; dynamic auto forms a trunk with a desirable or trunk neighbor but not with another auto port; trunk forms a trunk with anything except an access port; and an access port never trunks. Selecting the right combination on the two ends of the link is important, as some combinations have unexpected results. One combination that can block traffic across the link is one interface in access mode and the neighboring interface in trunk mode.
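A quick audit of where DTP is still able to negotiate, as an added example that is not part of the original slides: it parses the text of a Catalyst show interfaces switchport listing (the sample below is constructed, not captured from a real switch) and flags ports that are dynamic, trunks that still send DTP, trunks with native VLAN 1, and access ports left in VLAN 1. The port names and VLAN names in the sample are made up; the field names are the ones the real command prints.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like Catalyst IOS "show interfaces switchport".
SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 20 (SALES)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
"""


def parse_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Split the listing into one {field: value} dict per 'Name:' block."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue                      # blank separator line
        key, value = m.group(1), m.group(2)
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def vlan_number(field: str) -> int:
    """'20 (SALES)' -> 20"""
    return int(field.split()[0])


def audit(ports: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for the conditions discussed on these slides."""
    findings: List[Tuple[str, str]] = []
    for name, p in ports.items():
        admin = p.get("Administrative Mode", "")
        oper = p.get("Operational Mode", "")
        nego = p.get("Negotiation of Trunking", "")
        if admin.startswith("dynamic"):
            findings.append((name, f"{admin}: DTP negotiation is enabled; a host sending "
                                   "DTP frames can turn this port into a trunk"))
        elif admin == "trunk" and nego == "On":
            findings.append((name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
        if oper == "trunk" and vlan_number(p["Trunking Native Mode VLAN"]) == 1:
            findings.append((name, "native VLAN is 1; untagged frames on this trunk land in the default VLAN"))
        if oper == "static access" and vlan_number(p["Access Mode VLAN"]) == 1:
            findings.append((name, "access port left in VLAN 1"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    return audit(parse_switchport(text))


if __name__ == "__main__":
    for port, finding in audit_text(SAMPLE_SHOW_SWITCHPORT):
        print(f"{port}: {finding}")
```

Fa0/2 is the only port that passes: explicitly access, negotiation off, user VLAN other than 1. The same parser works on the real command output piped in from a terminal capture.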

VTP: VLAN Trunking Protocol
Create VLANs once and send them to the other switches. VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs within a single domain. VTP messages are encapsulated in either Cisco-proprietary ISL or IEEE 802.1Q frames and passed across trunk links to other devices. NOTE: on these switches, before creating VLANs you must first set up a VTP management domain.

Benefits of VTP (VLAN Trunking Protocol)
Before discussing VTP, it is important to understand that VTP is not necessary in order to configure VLANs or trunking on Cisco switches. VTP is a Cisco-proprietary protocol that allows VLAN configuration to be consistently maintained across a common administrative domain. VTP minimizes the configuration inconsistencies that arise when changes are made. It also reduces the complexity of managing and monitoring VLAN networks, since a change on one switch is propagated to the other switches by VTP. On most Cisco switches, VTP is running with certain defaults already configured.

VTP operation: revision number
VTP advertisements are transmitted out all trunk connections, including ISL, IEEE 802.1Q, IEEE 802.10, and ATM LANE trunks. A critical parameter governing VTP is the configuration revision number. This 32-bit number indicates the particular revision of a VTP configuration. It starts at 0 and increments by 1 with each modification until it reaches 4,294,967,295, at which point it wraps back to 0 and starts incrementing again. Each VTP device tracks its own configuration revision number, and VTP packets contain the sender's revision number. This is how a switch decides whether received information is more recent than what it already holds. If a switch with no domain name configured receives a VTP advertisement over a trunk link, it inherits the VTP domain name and configuration revision number from it. A switch ignores advertisements that carry a different VTP domain name or an equal or earlier configuration revision number. The comparison is purely numeric: nothing in VTP checks that a higher revision came from an authorized switch, which is why adding a switch to a domain requires the precautions given on the slide "Adding a switch to an existing VTP domain".

Verifying VTP
show vtp status is used to verify the VTP configuration settings (mode, domain, version, and configuration revision) on an IOS command-based switch.

VTP operation
VTP clients cannot create, modify, or delete VLAN information. The only role of a VTP client is to process VLAN changes received from a server and send VTP messages out all trunk ports. The VTP client maintains a full list of all VLANs within the VTP domain, but it does not store the information in NVRAM. Any changes must arrive in a VTP server advertisement.

VTP operation
Switches in VTP transparent mode forward VTP advertisements but ignore the information they contain. A transparent switch does not modify its database when updates are received, nor does it send out an update when its own VLAN configuration changes. Except for forwarding VTP advertisements, VTP is disabled on a transparent switch. There is also a VTP off mode, in which a switch behaves as in transparent mode except that VTP advertisements are not forwarded.

VTP operation
VTP switches operate in one of three modes: server, client, or transparent. VTP servers can create, modify, and delete VLANs and VLAN configuration parameters for the entire domain, save VLAN configuration information in Catalyst NVRAM, and send VTP messages out all trunk ports.

VTP configuration
VTP can be configured in either of two configuration modes:
- global configuration mode
- VLAN configuration mode, which is entered with the vlan database privileged EXEC command

VTP configuration
Step 1: Determine the version of VTP that will be used.
Step 2: Decide whether this switch is to be a member of an existing management domain or whether a new domain should be created. If a management domain already exists, determine the name and password of the domain.
Step 3: Choose a VTP mode for the switch.

VTP configuration: version
Two versions of VTP can run in a management domain, VTP version 1 and VTP version 2, but they are not interoperable within the same VTP domain. The major difference is that version 2 adds support for Token Ring VLANs. If all switches in a VTP domain can run version 2, it only needs to be enabled on one VTP server, which propagates the setting to the other VTP switches in the domain. Version 2 should not be enabled unless every switch in the VTP domain supports it.

VTP configuration: domain and password
The domain name can be between 1 and 32 characters. The optional password must be between 8 and 64 characters long. If the switch being installed is the first switch in the network, the management domain will need to be created; if the network has other switches running VTP, the new switch will join the existing management domain. Caution: the domain name and password are case sensitive.

VTP configuration: domain and password
By default, management domains are in nonsecure mode, meaning the switches interact without a password. Adding a password automatically puts the management domain into secure mode. The same password must be configured on every switch in the management domain to use secure mode. The password is the only thing that stops a device on a trunk from injecting VTP advertisements into the domain, so it should be set everywhere VTP is in use (or VTP should be put in transparent mode).

VTP configuration: VTP mode
  Switch#config terminal
  Switch(config)#vtp mode {client | server | transparent}
or
  Switch#vlan database
  Switch(vlan)#vtp {client | server | transparent}

VTP configuration overview
In global configuration mode:
  Switch#config terminal
  Switch(config)#vtp version 2
  Switch(config)#vtp mode server
  Switch(config)#vtp domain cisco
  Switch(config)#vtp password mypassword
In VLAN configuration mode:
  Switch#vlan database
  Switch(vlan)#vtp v2-mode
  Switch(vlan)#vtp server
  Switch(vlan)#vtp domain cisco
  Switch(vlan)#vtp password mypassword


Verifying VTP
show vtp counters displays statistics about the VTP advertisements sent and received by the switch.

Adding a switch to an existing VTP domain
Use caution when inserting a new switch into an existing domain. To prepare a switch to enter an existing VTP domain:
1. Delete the VLAN database.
2. Erase the startup configuration.
3. Power cycle the switch.
This avoids problems from residual VLAN configuration, in particular adding a switch with a higher VTP configuration revision number, which would propagate its (possibly empty or wrong) VLAN information to every switch in the domain. From privileged mode, issue the delete vlan.dat and erase startup-config commands, then power cycle the switch.
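The revision-number behaviour described on the previous slides, and the reason for the reset procedure above, as an added example that is not part of the original slides: a small Python model of server, client and transparent switches exchanging advertisements. It simplifies the real protocol (the password is compared directly instead of through the MD5 digest a real summary advertisement carries, and advertisements are delivered by a function call rather than over a trunk); the switch names, VLAN names and revision numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REV_MAX = 2**32 - 1   # the 32-bit configuration revision wraps to 0 after this


@dataclass
class VtpSwitch:
    name: str
    mode: str                          # "server", "client", "transparent" or "off"
    domain: Optional[str] = None       # None: no domain configured yet
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":      # transparent/off keep a local database, no revision bump
            self.revision = 0 if self.revision == REV_MAX else self.revision + 1

    def advertisement(self) -> dict:
        # Simplification: a real summary advertisement carries an MD5 digest computed
        # over the password and the VLAN database, not the password itself.
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> str:
        """Handle a neighbour's advertisement as a VTP device would; say what happened."""
        if self.mode == "transparent":
            return "forwarded"            # relayed on other trunks, database untouched
        if self.mode == "off":
            return "dropped"
        if self.domain is None:            # a domainless switch inherits the first domain it hears
            self.domain = adv["domain"]
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["password"] != self.password:
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: not newer"
        # A higher revision wins, even on a server. This is the whole problem.
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return "applied"


def propagate(sender: VtpSwitch, neighbours: List[VtpSwitch]) -> Dict[str, str]:
    """Deliver the sender's advertisement to each neighbour; return name -> result."""
    adv = sender.advertisement()
    return {n.name: n.receive(adv) for n in neighbours}


def reset_for_insertion(sw: VtpSwitch) -> None:
    """What 'delete vlan.dat', 'erase startup-config' and a reload achieve."""
    sw.domain, sw.revision, sw.vlans = None, 0, {1: "default"}


def lab_scenario() -> dict:
    """Constructed scenario: one server, one client, one transparent switch in domain 'cisco'."""
    s1 = VtpSwitch("S1", "server", "cisco", "mypassword")
    c1 = VtpSwitch("C1", "client", "cisco", "mypassword")
    t1 = VtpSwitch("T1", "transparent", "cisco", "mypassword")
    s1.add_vlan(10, "MGMT")
    s1.add_vlan(20, "SALES")                                  # revision 0 -> 2
    propagate(s1, [c1, t1])
    out = {"after_sync": {"S1": s1.revision, "C1": c1.revision},
           "vlans_before": sorted(c1.vlans)}

    # A switch pulled from another closet: same domain and password, higher revision, no VLANs.
    rogue = VtpSwitch("Rogue", "server", "cisco", "mypassword", revision=50)
    out["rogue_results"] = propagate(rogue, [s1, c1, t1])
    out["vlans_after_rogue"] = sorted(c1.vlans)
    out["t1_vlans"] = sorted(t1.vlans)

    # The same switch with a wrong password would have been harmless.
    wrong = VtpSwitch("Wrong", "server", "cisco", "other", revision=99)
    out["wrong_password"] = propagate(wrong, [c1])["C1"]

    # A properly prepared switch learns the domain instead of overwriting it.
    reset_for_insertion(rogue)
    out["reset_result"] = propagate(s1, [rogue])["Rogue"]
    out["reset_learned_domain"] = rogue.domain
    return out


if __name__ == "__main__":
    for key, value in lab_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the server S1 losing its own VLANs 10 and 20 to a revision-50 advertisement, the transparent switch T1 unaffected, and a mismatched password being ignored. This is why the reset procedure above, and a VTP password on every switch, matter.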

VTP pruning
VTP pruning improves network bandwidth use by reducing unnecessary flooding of traffic such as broadcast, multicast, unknown-unicast, and flooded unicast frames to switches that have no ports in the VLAN. By default, VTP pruning is disabled. VLAN 1 (the default VLAN) is always pruning-ineligible.
  Switch(vlan)#vtp pruning
To make specific VLANs pruning-ineligible on a trunk:
  Switch(config)#interface fastethernet 0/3
  Switch(config-if)#switchport trunk pruning vlan remove vlan-id

Inter-VLAN Routing

Inter-VLAN routing
When a node in one VLAN needs to communicate with a node in another VLAN, a router is necessary to route the traffic between the VLANs. Without a routing device, inter-VLAN traffic is not possible.

Inter-VLAN routing: non-trunk links
(Figure: hosts 10.10.0.11/16 in VLAN 10 and 10.20.0.22/16 in VLAN 20, with router interfaces 10.10.0.1/16 and 10.20.0.1/16.)
One option is to use a separate link to the router for each VLAN instead of a trunk link. Each VLAN must have a unique Layer 3 network address assigned, which is what enables the router to forward packets between VLANs. Although this load balances across links, it does not make efficient use of links in VLANs with little traffic. Be sure hosts and routers have the proper IP addresses, associated with the proper VLANs. It is common practice to align VLAN numbers with the IP subnets when possible (VLAN 10 on 10.10.0.0/16, VLAN 20 on 10.20.0.0/16).

Physical and logical interfaces
Subinterfaces on a router divide a single physical interface into multiple logical interfaces. Lower-end routers such as the 2500 and 1600 do not support subinterfaces. Each physical interface can have up to 65,535 logical interfaces.
  Rtr(config)#interface fastethernet slot/port.subinterface

Configure subinterface

Inter-VLAN routing: trunk links
(Figure: hosts 10.10.0.11/16 and 10.20.0.22/16; router subinterfaces 10.1.0.1/16, 10.10.0.1/16 and 10.20.0.1/16 on a single trunk.)
  Rtr(config)#interface fastethernet 0/1.1
  Rtr(config-subif)#description VLAN 1
  Rtr(config-subif)#encapsulation dot1q 1
  Rtr(config-subif)#ip address 10.1.0.1 255.255.0.0
We will talk about VLAN 1 and the management VLAN in a moment. It is recommended that VLAN 1 is not used for either management traffic or user traffic.

Inter-VLAN routing: trunk links
  Rtr(config)#interface fastethernet 0/1.10
  Rtr(config-subif)#description Management VLAN 10
  Rtr(config-subif)#encapsulation dot1q 10
  Rtr(config-subif)#ip address 10.10.0.1 255.255.0.0
  Rtr(config)#interface fastethernet 0/1.20
  Rtr(config-subif)#description VLAN 20
  Rtr(config-subif)#encapsulation dot1q 20
  Rtr(config-subif)#ip address 10.20.0.1 255.255.0.0

Management VLAN
For more information regarding VLAN 1, the management VLAN, the default VLAN and the native VLAN, see my article NativeVLAN.pdf on my web site. It explains the various types of VLANs and attempts to clear up some of the confusion. By default, all Ethernet interfaces on Cisco switches are in VLAN 1. On Catalyst switches all of the VLANs listed above default to VLAN 1, which adds to the difficulty of understanding their differences.

Management VLAN
We won't go into detail here, but here are some guidelines. Notice that user VLANs have been configured on VLANs other than VLAN 1. The management VLAN is a separate VLAN for your switches and routers. This helps ensure access to these devices when another VLAN is experiencing problems.

Summary
By default, VLAN 1 is the native VLAN and should only be used to carry control traffic: CDP, VTP, PAgP, and DTP. This traffic is transmitted across trunk links untagged. User VLANs should not include the native VLAN (VLAN 1); their traffic is sent as tagged frames across VLAN trunks. The management VLAN should be separate from the user VLANs and should not be the native VLAN. This ensures access to networking devices in case of problems on the network. The subinterface on the router that sends and receives native VLAN traffic must be configured with the native keyword on the encapsulation command (encapsulation dot1q 1 native). This tells the router that any frames arriving untagged belong to that subinterface and are members of VLAN 1, the native VLAN. This assumes the native VLAN is VLAN 1, the default; if the native VLAN has been changed on the switch, the same VLAN must be given the native keyword on the router.
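As an added example that is not part of the original slides, a Python check of a router-on-a-stick plan against the guidelines in this summary (native VLAN used only for control traffic, a separate management VLAN, no overlapping subnets, a usable gateway address) and a renderer for the matching subinterface configuration. The VLAN numbers and addresses in the sample plan are constructed, following the 10.VLAN.0.0/16 convention of the previous slides; the entry keys (vlan, role, gateway) and role names are this example's own convention, not IOS terms.

```python
import ipaddress
from typing import Dict, List

# Constructed plan. role is "user", "management" or "native" (control traffic only).
SAMPLE_PLAN: List[Dict] = [
    {"vlan": 1,  "role": "native",     "gateway": "10.1.0.1/16"},
    {"vlan": 10, "role": "management", "gateway": "10.10.0.1/16"},
    {"vlan": 20, "role": "user",       "gateway": "10.20.0.1/16"},
]


def validate_plan(plan: List[Dict], native_vlan: int = 1) -> List[str]:
    """Return the problems with a router-on-a-stick plan (an empty list means it passes)."""
    problems: List[str] = []
    seen: Dict[int, ipaddress.IPv4Network] = {}
    for e in plan:
        vid, role = e["vlan"], e["role"]
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: not a valid 802.1Q VLAN ID")
            continue
        if vid in seen:
            problems.append(f"VLAN {vid}: defined twice")
            continue
        iface = ipaddress.ip_interface(e["gateway"])
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid}: gateway {iface.ip} is the network or broadcast address of {net}")
        if vid == native_vlan and role != "native":
            problems.append(f"VLAN {vid}: is the native VLAN; keep it for control traffic, not {role} traffic")
        elif vid == 1 and role != "native":
            problems.append(f"VLAN {vid}: the default VLAN should not carry {role} traffic")
        for other_vid, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"VLAN {vid}: subnet {net} overlaps VLAN {other_vid} ({other_net})")
        seen[vid] = net
    if not any(e["role"] == "management" for e in plan):
        problems.append("no dedicated management VLAN for switches and routers")
    return problems


def render_config(plan: List[Dict], phys: str = "FastEthernet0/1", native_vlan: int = 1) -> str:
    """Emit the router subinterfaces in the form used on the previous slides."""
    lines = [f"interface {phys}", " no shutdown"]
    for e in sorted(plan, key=lambda e: e["vlan"]):
        vid = e["vlan"]
        iface = ipaddress.ip_interface(e["gateway"])
        encap = f" encapsulation dot1Q {vid}" + (" native" if vid == native_vlan else "")
        lines += [f"interface {phys}.{vid}",
                  f" description {e['role']} VLAN {vid}",
                  encap,
                  f" ip address {iface.ip} {iface.netmask}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(validate_plan(SAMPLE_PLAN) or "plan OK")
    print(render_config(SAMPLE_PLAN))
```

Run the validator before the renderer: a plan that puts user traffic in the native VLAN, or whose subnets overlap, would render into a configuration the router accepts without complaint.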

Ch. 1 Scaling IP Addresses NAT/PAT CCNA 4 version 3.0, Rick Graziani, Cabrillo College

Overview
- Identify private IP addresses as described in RFC 1918
- Discuss characteristics of NAT and PAT
- Explain the benefits of NAT
- Explain how to configure NAT and PAT, including static translation, dynamic translation, and overloading
- Identify the commands used to verify NAT and PAT configuration
- List the steps used to troubleshoot NAT and PAT configuration
- Discuss the advantages and disadvantages of NAT
- Describe the characteristics of DHCP
- Explain the differences between BOOTP and DHCP
- Explain the DHCP client configuration process
- Configure a DHCP server
- Verify DHCP operation
- Troubleshoot a DHCP configuration
- Explain DHCP relay requests

IP scaling solutions
The rapid growth of the Internet would have exhausted the supply of IPv4 addresses. Several solutions were introduced:
- NAT (Network Address Translation, RFC 1631)
- DHCP (Dynamic Host Configuration Protocol)
- private IP addresses as described in RFC 1918

Private addressing
172.16.0.0 to 172.31.255.255 is 172.16.0.0/12. Where does the /12 come from? The two ends of the range have their first 12 bits in common:
  10101100.00010000.00000000.00000000  172.16.0.0
  10101100.00011111.11111111.11111111  172.31.255.255
  -----------------------------------
  10101100.00010000.00000000.00000000  172.16.0.0/12 (first 12 bits in common)


Introducing NAT and PAT
NAT is designed to conserve IP addresses and enable networks to use private IP addresses internally. These private, internal addresses are translated to routable, public addresses. NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow privately addressed hosts to access the Internet. NAT translations can occur dynamically or statically. The most powerful feature of NAT routers is port address translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called many-to-one NAT.

Stub network
A NAT-enabled device typically operates at the border of a stub network. The border gateway router performs the NAT process, translating the internal private address of a host to a public, externally routable address.

NAT example
(Figure: inside host 10.0.0.3 behind a NAT router with inside global address 179.9.8.80, talking to outside host 128.23.2.2.)
Steps 1 and 2, outbound: the packet leaves the host with SA 10.0.0.3, DA 128.23.2.2; the NAT router rewrites it to SA 179.9.8.80, DA 128.23.2.2. This is the translation from the private source IP address to a public source IP address.
Steps 3 and 4, inbound: the reply arrives with SA 128.23.2.2, DA 179.9.8.80; the NAT router rewrites it to SA 128.23.2.2, DA 10.0.0.3. This is the translation back, from the public destination IP address to the private destination IP address.

NAT example
NAT lets you have more hosts than your allocated number of public IP addresses by using RFC 1918 address space internally. However, because public IP addresses must be used on the Internet, one-to-one NAT still limits the number of hosts that can reach the Internet at any one time to the number of public addresses available (depending on the size of your public network mask).

Major NAT features
NAT translations can be used for a variety of purposes and can be either dynamically or statically assigned. Static NAT is a one-to-one mapping of a local address to a global address. This is particularly useful for hosts that must have a consistent address accessible from the Internet, such as enterprise servers or networking devices. Dynamic NAT maps a private IP address to a public address taken from a pool of public IP addresses; the mapping is still one-to-one, but it is assigned as needed. This is useful for hosts that DO NOT NEED a consistent address.

PAT: Port Address Translation
PAT (Port Address Translation) allows a single public IP address to be shared by up to 65,536 inside hosts per IP address (around 4,000 is more realistic). The port number is encoded in 16 bits. PAT modifies the TCP/UDP source port to track inside host addresses. It tracks and translates SA, DA and SP, which together uniquely identify each connection, for each stream of traffic.

PAT: Port Address Translation
Overloading, or Port Address Translation (PAT), maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits, so the total number of internal addresses translated to one external address could theoretically be as high as 65,536 per IP address; realistically, the number of ports that can be assigned to a single IP address is around 4,000. PAT will attempt to preserve the original source port. If this source port is already in use, PAT assigns the first available port number starting from the beginning of the appropriate port group: 0-511, 512-1023, or 1024-65535. When there are no more ports available and more than one external IP address is configured, PAT moves to the next IP address and tries to allocate the original source port again. This continues until it runs out of available ports and external IP addresses.

PAT example
The NAT/PAT table maintains the translation of SA, DA and SP. Outbound (steps 1 and 2; IP header followed by TCP/UDP header):
  inside:  DA 128.23.2.2  SA 10.0.0.3   DP 80  SP 1331  ->  outside: DA 128.23.2.2  SA 179.9.8.80  DP 80  SP 3333
  inside:  DA 128.23.2.2  SA 10.0.0.2   DP 80  SP 1555  ->  outside: DA 128.23.2.2  SA 179.9.8.80  DP 80  SP 2222
Inbound (steps 3 and 4), the table is consulted with the roles swapped, SA (DA), DA (SA), DP (SP):
  outside: DA 179.9.8.80  SA 128.23.2.2  DP 3333  SP 80  ->  inside: DA 10.0.0.3  SA 128.23.2.2  DP 1331  SP 80
  outside: DA 179.9.8.80  SA 128.23.2.2  DP 2222  SP 80  ->  inside: DA 10.0.0.2  SA 128.23.2.2  DP 1555  SP 80

PAT: Port Address Translation
With PAT, multiple private IP addresses can be translated to a single public address (many-to-one translation). This removes the one-to-one limitation of NAT.

PAT: Port Address Translation
(Figure: the same two translations as on the previous slides, 10.0.0.3:1331 -> 179.9.8.80:3333 and 10.0.0.2:1555 -> 179.9.8.80:2222, both to 128.23.2.2:80.)
From the CCNP 2 curriculum: As long as the inside global port numbers are unique for each inside local host, NAT overload will work. For example, if the hosts at 10.1.1.5 and 10.1.1.6 both use TCP port 1234, the NAT router can create the extended table entries mapping 10.1.1.5:1234 to 171.70.2.2:1234 and 10.1.1.6:1234 to 171.70.2.2:1235. In fact, NAT implementations do not necessarily try to preserve the original port number.
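The port-allocation rule from the slide "PAT: Port Address Translation" (keep the original source port if it is free, otherwise the first free port in the same group, otherwise move to the next global address) and the table lookups of the PAT example, as an added Python model that is not part of the original slides. It also applies the inside access list, and answers inbound packets only when a table entry exists, which is what makes an overloaded NAT refuse unsolicited inbound connections. The addresses are the ones from the slides plus constructed documentation-range addresses; the translated ports follow the rule rather than the arbitrary 3333/2222 shown in the figures.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Port groups from which PAT picks a replacement source port (per the slide).
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]

Key = Tuple[str, str, int]            # (proto, ip, port)


class PatTable:
    """Overload/PAT table for one or more inside-global addresses."""

    def __init__(self, global_ips: List[str], inside_list: List[str]):
        self.global_ips = [str(ipaddress.ip_address(g)) for g in global_ips]
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_list]   # the "access-list"
        self.forward: Dict[Key, Tuple[str, int]] = {}    # inside local  -> inside global
        self.reverse: Dict[Key, Tuple[str, int]] = {}    # inside global -> inside local

    def _matches_inside_list(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def _allocate(self, proto: str, wanted: int) -> Tuple[str, int]:
        if not 0 <= wanted <= 65535:
            raise ValueError("port out of range")
        lo, hi = next(g for g in PORT_GROUPS if g[0] <= wanted <= g[1])
        for gip in self.global_ips:
            if (proto, gip, wanted) not in self.reverse:     # keep the original port if free
                return gip, wanted
            for p in range(lo, hi + 1):                       # else first free port in its group
                if (proto, gip, p) not in self.reverse:
                    return gip, p
            # group exhausted on this address: try the next global address
        raise RuntimeError(f"{proto} port group {lo}-{hi} exhausted on all global addresses")

    def translate_outbound(self, src_ip: str, src_port: int, proto: str) -> Tuple[str, int]:
        """Inside -> outside: return the (inside global ip, port) to write into the packet.
        Sources not permitted by the inside list are forwarded untranslated, as IOS does."""
        if not self._matches_inside_list(src_ip):
            return src_ip, src_port
        key = (proto, src_ip, src_port)
        if key not in self.forward:                          # an existing flow reuses its entry
            gip, gport = self._allocate(proto, src_port)
            self.forward[key] = (gip, gport)
            self.reverse[(proto, gip, gport)] = (src_ip, src_port)
        return self.forward[key]

    def translate_inbound(self, dst_ip: str, dst_port: int, proto: str) -> Optional[Tuple[str, int]]:
        """Outside -> inside: None means no entry exists, so the router drops the packet."""
        return self.reverse.get((proto, dst_ip, dst_port))

    def entries(self) -> int:
        return len(self.forward)


if __name__ == "__main__":
    pat = PatTable(["179.9.8.80"], ["10.0.0.0/8"])
    print(pat.translate_outbound("10.0.0.3", 1331, "tcp"))   # original port kept
    print(pat.translate_outbound("10.0.0.2", 1331, "tcp"))   # collision: first free in 1024-65535
    print(pat.translate_inbound("179.9.8.80", 1024, "tcp"))  # reply finds its way back
    print(pat.translate_inbound("179.9.8.80", 5555, "tcp"))  # unsolicited: None, dropped
```

The second host's 1331 collides with the first, so it gets 1024, the first free port of its group, rather than 1332; the "preserve the source port" rule and the "first available in the group" rule are different steps, and the table, not the packet, decides what comes back in.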

Major NAT and PAT benefits
NAT offers the following benefits:
- Eliminates reassigning every host a new IP address when changing to a new ISP.
- Conserves addresses through application port-level multiplexing. With PAT, internal hosts can share a single public IP address for all external communications (example: a home Linksys router). In this type of configuration, very few external addresses are required to support many internal hosts.
- Hides the internal addressing. Because private networks do not advertise their addresses or internal topology, they are harder to map from outside when used in conjunction with NAT for controlled external access. This is a side effect, not a security control: NAT does not inspect or filter traffic, and inbound access still has to be restricted with access lists or a firewall.

Configuring NAT and PAT

Configuring static translation
  Router(config)#ip nat inside source static local-ip global-ip
Establishes a static translation between an inside local address and an inside global address.
  Router(config-if)#ip nat inside
Marks the interface as connected to the inside.
  Router(config-if)#ip nat outside
Marks the interface as connected to the outside.

Configuring static NAT
  Router(config)#ip nat inside source static 10.1.1.2 192.168.1.2
  Router(config)#interface s0
  Router(config-if)#ip nat outside
  Router(config-if)#interface e0
  Router(config-if)#ip nat inside


Configuring dynamic translation
  Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
  Router(config)#access-list access-list-number permit source [source-wildcard]
Defines a standard IP access list permitting the inside local addresses that are to be translated.
  Router(config)#ip nat inside source list access-list-number pool name
Establishes dynamic source translation, referencing the access list defined in the prior step.


Configuring dynamic NAT
(Figure.) The network address space received from ARIN or your ISP is 179.9.8.0/24. The NAT pool covers 179.9.8.80 to 179.9.8.95 with netmask 255.255.255.0; these are the outside addresses that inside hosts are translated to. In the ISP's routing table, 179.9.8.0/24 is reached via 192.168.1.1. The access list's source and wildcard (0.0.255.255) select which inside source addresses are translated: a packet's source IP address must match here before an address from the pool is used.


Configure PAT (overloading NAT)

Configure PAT (overloading NAT)
(Figure.) 192.168.1.1 is the address your ISP has assigned you. Instead of a host, you put a router there running PAT, so that multiple hosts on 10.1.0.0 can share that same 192.168.1.1 address. In this example a single public IP address is used, with PAT using source ports to differentiate between connection streams.


Configure PAT overload
This is a different example, using the IP address of the outside interface instead of specifying an address pool:
  Router(config)#ip nat inside source list access-list-number interface interface-id overload

NAT/PAT clear commands
  Router#clear ip nat translation *
Removes all dynamic translations; the same command with a specific inside global and local address removes a single entry.

Verifying NAT/PAT
  Router#show ip nat translations
  Router#show ip nat statistics
The first lists the active translation table; the second shows hit and miss counters together with the configured inside and outside interfaces and pools.

Troubleshooting NAT/PAT
  Router#debug ip nat
Shows each translation as it happens. Use it sparingly on a busy router.

Issues with NAT/PAT
NAT breaks some applications because it hides end-to-end IP addresses. Applications that carry IP addresses inside their payload, or that connect to a peer by raw IP address instead of a fully qualified domain name, will not reach destinations that are translated by the NAT router. Sometimes this problem can be avoided by implementing static NAT mappings.