
IP in Practice: Public and Private IP Addresses

Do you speak another language? Personally, I love learning new languages, but one of the hardest parts is translation. Networking is similar. Devices on our home and office networks do not go to the Internet directly; there needs to be a "translator". What does this have to do with public and private IPv4 addresses? In this post, we will explore:

  • IPv4 private address ranges (RFC 1918)
  • The difference between NAT and PAT, and how they work together
  • Helpful troubleshooting commands such as ipconfig and ping
  • A demo that puts it all together. (Link to topology here.)

By the end of this post, you will see how public and private IP addresses work together in action. 

IPv4 Address Private Ranges

RFC 1918 Private IP Address Ranges

Class   IANA Block        Range                            Total Addresses
A       10.0.0.0/8        10.0.0.0 - 10.255.255.255        16,777,216 (about 16.7 million)
B       172.16.0.0/12     172.16.0.0 - 172.31.255.255      1,048,576 (about 1.04 million)
C       192.168.0.0/16    192.168.0.0 - 192.168.255.255    65,536

The Internet Assigned Numbers Authority (IANA) reserves three private address blocks, documented in RFC 1918. Because these addresses are never routed on the public Internet, the same addresses can be reused in many different networks. Unlike public addresses, private addresses do not have to be registered with IANA or a regional registry. Within a single network, however, each address must still be unique.

Under the IANA Block column, you see an IP address followed by a slash and a number, such as 10.0.0.0/8. This is called CIDR notation, a shorthand way of writing the subnet mask that tells you how large the block is. You may wonder what 8 has to do with 16.7 million: the /8 means the first 8 of the 32 bits are fixed as the network part, leaving 24 bits for hosts, and 2^24 = 16,777,216. Don't worry, this series will take an in-depth look at subnetting. You can also see how this value is calculated by reading about subnetting here.
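To make the table and the CIDR arithmetic concrete, here is an added example (my own code, not part of the original post) that checks whether an address falls inside one of the three RFC 1918 blocks and computes a block's size from its prefix length. It also separates out 100.64.0.0/10, the RFC 6598 shared address space that ISPs use for carrier-grade NAT: it is not RFC 1918, but it is likewise never routed on the public Internet, and Python's built-in is_private flag is broader than RFC 1918, so the example does the check explicitly. The sample addresses at the bottom are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks from the table above, keyed by the class they were carved from.
RFC1918_BLOCKS = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}

# RFC 6598 shared address space (carrier-grade NAT). Not RFC 1918, but also
# never routed on the public Internet, so it is worth telling apart.
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")


def rfc1918_block(addr: str):
    """Return 'A', 'B' or 'C' for an IPv4 address inside an RFC 1918 block, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for letter, net in RFC1918_BLOCKS.items():
        if ip in net:
            return letter
    return None


def is_rfc1918(addr: str) -> bool:
    return rfc1918_block(addr) is not None


def classify(addr: str) -> str:
    """Coarse label: 'private' (RFC 1918), 'cgnat', 'loopback', 'link-local' or 'public'.

    ipaddress.ip_address(x).is_private is broader than RFC 1918 (it is also True for
    loopback, link-local and documentation ranges), so the RFC 1918 test is explicit.
    """
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "private"
    if ip in CGNAT_BLOCK:
        return "cgnat"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "public"


def block_size(cidr: str) -> int:
    """Addresses in a CIDR block: a /N leaves 32-N host bits, so 2 ** (32 - N)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return 2 ** (32 - net.prefixlen)


def address_range(cidr: str) -> tuple:
    """First and last address of a block, as printed in the table above."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    for letter, net in RFC1918_BLOCKS.items():
        first, last = address_range(str(net))
        print(f"{letter}  {net:<16} {first} - {last}  {block_size(str(net)):,}")
    # Constructed sample addresses, including two boundary cases (172.32.x and 192.169.x).
    for a in ["10.1.2.3", "172.31.255.254", "172.32.0.1", "192.169.0.1", "100.64.0.5", "8.8.8.8"]:
        print(f"{a:<16} {classify(a)}")
```

Note the boundary cases: 172.31.255.254 is private but 172.32.0.1 is not, because the B block is a /12 (172.16 through 172.31), not the whole 172.0.0.0/8; likewise 192.169.0.1 is public even though it looks similar to 192.168.x.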

We need private IP addresses

An IPv4 address has 32 bits, which means 2^32, or about 4.29 billion, possible addresses. By the end of the 1970s, Earth's population had reached approximately 4.38 billion, so at the time 4.29 billion addresses seemed sufficient. Last year, there were over 17.7 billion connected IoT devices, each needing an IP address. Do the math: IoT devices alone would exhaust the entire IPv4 address pool more than four times over.

Private IP addresses were a stopgap for address exhaustion. Besides being reusable, they are not routable on the Internet, so a device with a private address cannot be reached from outside unless something deliberately forwards traffic to it. This is often described as a layer of security, though it is a side effect of the addressing rather than a substitute for a firewall policy. The solution was a two-parter: reusable private addresses on the inside and a non-reusable public address on the outside. The second part of the solution also had 3 letters: N-A-T.

The 3-Letter Solutions: NAT and PAT

You can use command-line tools such as ipconfig (Windows) or ifconfig/ip addr (Linux/Unix) to find your private IP address within your environment. If you visit a site like whatismyip.com, you will instead see a public IP address. It looks like your computer is giving you wrong information, but it's not.

If you are talking to someone who speaks another language, there can be miscommunication, and a translator app may help. Similarly, a network needs a translator between your local private address and a public, routable address. NAT translates your private address to a public IP address so you can reach Internet resources, and it conserves the available public address space.

With NAT, you can have different types of translation mappings. For example, suppose you have a web server with a private address and want people on the Internet to reach it. You can create a one-to-one translation, mapping that private IP address to one public IP address. This is also called static NAT. Because a static mapping forwards unsolicited inbound traffic as well, the server is now exposed and needs firewall rules and hardening of its own.

Some networks use a many-to-many translation, where each device borrows a public IP address from a pool of reserved public addresses for the duration of its session. This is also called dynamic NAT. For example, if a company has 100 devices (192.168.20.0/24) but its ISP only provides a /28 block of public addresses (32.20.12.0/28, 14 usable addresses), at most 14 devices can reach the Internet at the same time. If a 15th user tries to connect, that user has to wait until one of the 14 translations is released or times out. Dynamic NAT gives each device its own public address for the life of the session, but it is wasteful when the pool is too small for everyone, and it is not practical in large, busy environments.

Most commonly, however, your home network uses a many-to-one translation, where every device on your network is represented by the single public IP address your ISP provides. This is also called Port Address Translation (PAT) or NAT overload.

Network Address Translations (NATs)

NAT Type             Mapping        Example                                    Common Use
Static NAT           One-to-one     192.168.10.23 → 132.212.210.10             Company website
                                    192.168.10.24 → 132.212.210.11             Internal servers for external access
                                    192.168.10.25 → 132.212.210.12             VPN gateway
Dynamic NAT          Many-to-many   192.168.10.23 → one free address from      Elastic cloud computing
                                    the 132.212.210.0/28 pool                  Small business
                                                                               SOHO network
PAT (NAT overload)   Many-to-one    192.168.10.23 ↘                            SOHO network
                                    192.168.10.24 → 132.212.210.10             Data centers
                                    192.168.10.30 ↗                            Campus networks (most common)
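To see the three mapping types behave differently, here is an added example (my own code, not the author's lab or any vendor's implementation) that simulates a NAT router's translation table. It uses the page's own addresses where it can: the 32.20.12.0/28 pool and 192.168.20.0/24 hosts from the dynamic NAT example, and 132.212.210.10 as the shared inside global address for PAT. The destination 198.51.100.80 is a constructed address from the RFC 5737 documentation range. Three things the prose describes are visible in the code: the 15th host hitting an exhausted dynamic pool, PAT rewriting source ports so two hosts can share one address, and unsolicited inbound traffic being dropped by PAT but forwarded by a static mapping.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # TCP/UDP source port (for ICMP echo, the identifier plays this role)
    dst: str
    dport: int


class PoolExhausted(Exception):
    """Dynamic NAT: no free inside global address is left for a new inside host."""


class StaticNat:
    """One-to-one: each inside local address is permanently tied to one inside global."""

    def __init__(self, mappings: dict):
        self.in2out = dict(mappings)                       # inside local -> inside global
        self.out2in = {g: l for l, g in mappings.items()}  # inside global -> inside local

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.in2out[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        # A static mapping forwards unsolicited traffic too: the server is reachable from outside.
        local = self.out2in.get(pkt.dst)
        return None if local is None else Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)


class DynamicNat:
    """Many-to-many: an inside host borrows one pool address for the life of its session."""

    def __init__(self, pool_cidr: str):
        net = ipaddress.ip_network(pool_cidr)
        self.free = [str(h) for h in net.hosts()]  # a /28 yields 14 usable addresses
        self.in2out, self.out2in = {}, {}

    def outbound(self, pkt: Packet) -> Packet:
        glob = self.in2out.get(pkt.src)
        if glob is None:
            if not self.free:
                raise PoolExhausted(f"no inside global address left for {pkt.src}")
            glob = self.free.pop(0)
            self.in2out[pkt.src], self.out2in[glob] = glob, pkt.src
        return Packet(pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport)

    def release(self, local: str) -> None:
        """Session ended or translation timed out: return the address to the pool."""
        glob = self.in2out.pop(local)
        del self.out2in[glob]
        self.free.append(glob)


class Pat:
    """Many-to-one (NAT overload): all inside hosts share one inside global address and the
    source port is rewritten when needed so the router can tell the sessions apart."""

    def __init__(self, inside_global: str):
        self.inside_global = inside_global
        self.table = {}    # (proto, global port) -> (inside local, local port)
        self.reverse = {}  # (proto, inside local, local port) -> global port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.reverse.get(key)
        if gport is None:
            gport = pkt.sport  # keep the original port if free, else take the next unused one
            while (pkt.proto, gport) in self.table:
                gport = 1024 if gport >= 65535 else gport + 1
            self.table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            self.reverse[key] = gport
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        # Only a packet matching an existing translation gets in; anything else is dropped.
        entry = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.inside_global or entry is None:
            return None
        local, lport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)


if __name__ == "__main__":
    dyn = DynamicNat("32.20.12.0/28")
    for i in range(1, 16):  # the 15th host finds the pool empty
        try:
            print("dynamic:", dyn.outbound(Packet("tcp", f"192.168.20.{i}", 40000 + i, "198.51.100.80", 443)))
        except PoolExhausted as e:
            print("dynamic:", e)
    pat = Pat("132.212.210.10")
    for host in ("192.168.10.23", "192.168.10.24", "192.168.10.30"):
        print("pat:", pat.outbound(Packet("tcp", host, 50000, "198.51.100.80", 80)))
    print("pat unsolicited:", pat.inbound(Packet("tcp", "203.0.113.5", 4444, "132.212.210.10", 22)))
```

The release() method is what a real router does when a translation times out; without it, the dynamic pool stays exhausted and the 15th host never gets on, which is exactly the waste the text warns about.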
To demonstrate many-to-one NAT or PAT in action, here is a simple topology showing how a device on a home network reaches a web server over the Internet through a public IP:


But first, let's break it up by answering two questions:
  • Am I on the inside or the outside of the NAT router?
    • Traffic on your own network, the side the router treats as inside, is inside traffic.
    • Traffic on the Internet side of the router is outside traffic.
  • Is the address local or global?
    • The key is to look at the IP address. If it falls within any of the private ranges, it is a local (private) address.
    • Otherwise, it is a globally routable, public address.
Let's put them together:
  • Inside local: the private IP address of a device within the LAN
  • Inside global: the public IP address that represents the LAN devices once their traffic leaves for the Internet
  • Outside local: the address of the external, Internet-facing device as it appears to the LAN
  • Outside global: the real public IP address of the Internet-facing device
In this topology, a PC on the network (192.168.100.23) tries to reach a web server over the Internet (132.212.210.10). Since the PC sits on the LAN with a private IP, the inside local address is 192.168.100.23.

The PC sends the packet to its default gateway, the NAT router. The router rewrites the source address to the address of its own outside interface, 172.17.1.1, which becomes the inside global address. Note that 172.17.1.1 is itself a class B private address: in this lab the 172.17.0.0 network stands in for the ISP link, so it plays the role of the public address. On a real Internet connection the inside global address would be a public address assigned by your ISP, and a private inside global on a production router usually means you are behind a second layer of NAT.

The web server's address could in principle be translated as well (outside NAT), which is the case where the outside local and outside global addresses differ and the server's real address is kept from the inside network. Here no such translation happens: the outside local address, the server as the PC sees it, is 132.212.210.10, and the outside global address, the server's actual address, is the same 132.212.210.10.

You might also have noticed that each NAT translation has a colon and a number after the address. This is where PAT comes in. I used ping to test connectivity through the NAT router. On a Windows device, ping sends 4 ICMP echo requests by default. For TCP and UDP the number after the colon is the port; ICMP has no ports, so the router uses the ICMP identifier in the same role, giving each echo its own entry and letting the router match each reply to the right session. To see the table, use the Cisco command show ip nat translations. You can also use show ip nat statistics to see which interfaces are inside and outside and how the translation is operating. You must be in privileged EXEC mode (the # prompt) to run these commands.
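Reading that table by hand gets tedious once there are more than a few rows, so here is an added example (my own code, not output or tooling from the author's lab) that parses text in the column layout of show ip nat translations and runs the checks a practitioner would make: which inside hosts share an inside global address, which identifiers or ports were allocated per host, and whether any inside global address is itself RFC 1918, which in production means double NAT rather than a direct public address. The sample rows are constructed to match the demo addresses (four ICMP echoes with identifiers 1 through 4 plus one TCP session); they are not captured from the lab.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the column layout of Cisco IOS `show ip nat translations`,
# using the demo addresses: four ICMP echoes (identifiers 1-4) and one TCP session
# from the PC, all overloaded onto the router's outside address. Not captured output.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local       Outside global
icmp 172.17.1.1:1      192.168.100.23:1    132.212.210.10:1    132.212.210.10:1
icmp 172.17.1.1:2      192.168.100.23:2    132.212.210.10:2    132.212.210.10:2
icmp 172.17.1.1:3      192.168.100.23:3    132.212.210.10:3    132.212.210.10:3
icmp 172.17.1.1:4      192.168.100.23:4    132.212.210.10:4    132.212.210.10:4
tcp  172.17.1.1:1025   192.168.100.23:1025 132.212.210.10:80   132.212.210.10:80
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Translation:
    proto: str            # "icmp", "tcp", "udp", or "---" for a static entry without ports
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_endpoint(endpoint: str):
    """'192.168.100.23:1' -> ('192.168.100.23', 1); a bare address yields port None."""
    addr, _, port = endpoint.partition(":")
    return addr, (int(port) if port else None)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_translations(text: str):
    """Parse the five-column table, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(*parts))
    return rows


def identifiers_for(rows, inside_local: str, proto: str):
    """Global-side ports (or ICMP identifiers) the router allocated for one inside host."""
    return sorted(
        split_endpoint(t.inside_global)[1]
        for t in rows
        if t.proto == proto and split_endpoint(t.inside_local)[0] == inside_local
    )


def inside_globals(rows):
    """Which inside local hosts sit behind each inside global address (many-to-one check)."""
    behind = {}
    for t in rows:
        glob = split_endpoint(t.inside_global)[0]
        behind.setdefault(glob, set()).add(split_endpoint(t.inside_local)[0])
    return behind


def audit(rows):
    """Findings a practitioner checks in this table, deduplicated and sorted."""
    findings = set()
    for t in rows:
        ig = split_endpoint(t.inside_global)[0]
        il = split_endpoint(t.inside_local)[0]
        ol = split_endpoint(t.outside_local)[0]
        og = split_endpoint(t.outside_global)[0]
        if not is_rfc1918(il):
            findings.add(f"{il}: inside local is not an RFC 1918 address")
        if is_rfc1918(ig):
            findings.add(f"{ig}: inside global is RFC 1918 (lab stand-in or double NAT)")
        if ol != og:
            findings.add(f"{ol} -> {og}: outside address is being translated too")
    return sorted(findings)


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print("entries:", len(rows))
    print("hosts behind each inside global:", inside_globals(rows))
    print("icmp identifiers for the PC:", identifiers_for(rows, "192.168.100.23", "icmp"))
    for finding in audit(rows):
        print("finding:", finding)
```

On the demo table the only finding is the 172.17.1.1 inside global, which is expected here because the lab's 172.17.0.0 network stands in for the ISP; on a production router the same finding would tell you that the ISP is applying carrier-grade NAT or that a second router sits between you and the Internet.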

That is the beauty of NAT: it lets our private devices communicate with the Internet and, as a side effect, hides our private addresses from external networks. Keep in mind that unsolicited inbound traffic is dropped only because no translation exists for it; every static mapping or forwarded port reopens a path, so NAT complements a firewall rather than replacing one.

NAT Demo Overview

Address Type     IP Address        Description
Inside local     192.168.100.23    Private IP of the PC user
Inside global    172.17.1.1        Outside-facing interface of the NAT router (stands in for a public address in this lab)
Outside local    132.212.210.10    Web server's IP address as seen by the PC user
Outside global   132.212.210.10    The actual IP address of the web server

What's next?

Understanding public and private addresses is important because they are the door to our resources. It makes the difference between locking the door and leaving it open for guests, invited or uninvited, to come in. It is also important because proper translation between the two determines whether there will be any communication at all: without it, replies cannot find their way back, and data gets lost or delivered to the wrong host. Proper NAT or PAT configuration ensures this.

So far, this series has covered what an IP address is, its structure, its types, and mechanisms such as NAT and PAT. Next there will be a visual demo of how to configure a network with NAT (static and dynamic) and PAT. Stay tuned.
