Turn from: Http://hi.baidu.com/qkjzsjqsehailte/item/1042151cc0959f426926bbb4
IP address Assignment
The IP address identifies the location of a system in the network. We know that each IP address is made up of two parts: the network number and the host number. Where the network number identifies a physical network, all hosts on the same network need the same network number, which is unique on the Internet, and the host number determines a client, server, router, and other TCP/IP host on the network. For the same network number, the host number is unique. Each TCP/IP host is determined by a logical IP address.
Network number and host number
There are two representations of an IP address: binary representation (1 and 0 too many are confusing) and dotted decimal notation. The length of each IP address is 4 bytes, consisting of four 8-bit domains, which we commonly call eight-bit bodies. The eight-bit body is separated by a period, expressed as a decimal number between 0-255. The 4 domains of an IP address are marked with the network number and the host number respectively.
2, Address type
To accommodate different sizes of networks, the Internet defines 5 types of IP addresses.
You can determine the type of address by the first eight bits of the IP address:
Type IP form Network number host number
Class A w.x.y.z W x.y.z
Class B w.x.y.z w.x y.z
Class C w.x.y.z w.x.y Z
Let's take a look at these 5 types of addresses:
Class A address: can have a large number of hosts, the highest bit of 0, followed by the 7-bit network number, 24 digits representing the host number, a total of 126 networks allowed.
Class B Address: Assigned to medium-scale and large-scale networks, the highest two bits are always placed in binary 10, allowing 16,384 networks.
Class C Address: is used in LAN. The high three bits are placed in binary 110, allowing approximately 2 million networks.
Class D Address: is used for multicast group users, high four bits are always set to 1110, the remaining bits are used to indicate the group to which the client belongs.
The E-class address is a test-only address.
3. Address Assignment Guide
The following guidelines should be followed when assigning network numbers and host numbers:
(1) The network number cannot be 127. It is known that the identification number is reserved for loop and diagnostic functions, and that you remember the usual ping
127.0.0.1.
(2) Can not be the network number and host number of all of you set 1. If each digit is 1, the address will be interpreted as a net
Broadcast rather than a host number. (TCP/IP is a broadcast protocol.)
(3) corresponding to the above, you can not set 0, otherwise the address is interpreted as "is the network."
(4) For this network, the host number should be unique. (otherwise, an error such as an IP address is assigned or a conflict occurs)
Assigning network numbers
For each network and wide area connection, there must be a unique network number, which is used to differentiate between different hosts in the same physical network. If the network is connected by a router, each wide area Connection requires a unique network number.
Assigning host numbers
The host number is used to differentiate between different hosts in the same network, and the host number should be unique. All hosts, including the interface between routers, should have a unique network number. The host number of the router to be configured as the workstation's default gateway address.
A valid host number
Class A: w.0.0.1--w.255.255.254
Class B: w.x.0.1--w.x.255.254
Class C: w.x.y.1--w.x.y.254
4, Subnet screen and IP address
Each host on TCP/IP requires a subnet mask number. It is a 4-byte address that encapsulates or "masks" part of an IP address to differentiate between network numbers and host numbers. When the network is not yet divided into subnets, you can use the default subnet mask, and when the network is divided into several subnets, it is necessary to use a custom subnet mask.
Default value
Let's look at the default subnet mask value, which is used for a network that has not yet been divided into subnets. Even on a single segment of the network, this default value is required for each host.
Its form depends on the address type of the network. In its 4 bytes, all the bits of the corresponding network number are set to 1, so each eight-bit decimal value is 255, and all the digits to the host number are set to 0. For example: Class C network address 192.168.0.1 and the corresponding default shielding value 255.255.255.0.
Determine the destination address of the packet
We say that the "and" operation of shielding values and IP addresses is an internal process that determines whether a packet is passed to a host on a local or remote network. The corresponding procedure is this: when the TCP/IP initialization, the host's IP address and subnet mask value phase "and". Before the packet is sent, the destination address and the shielding value are "and", so that if the source IP address and destination IP address are found to match, the IP protocol knows that the packet belongs to a host on the local network, otherwise the packet will be sent to the router.
Note: We know that the "and" operation is to compare each of the IP addresses with the corresponding bits in the subnet mask.
Public network ip/intranet IP:
in the TCP/IP protocol, three IP address areas are reserved for private addresses, and their addresses range as follows:
10.0.0.0/8:10.0.0.0~10.255.255.255
172.16.0.0/12:172.16.0.0~172.31.255.255
192.168.0.0/16:192.168.0.0~192.168.255.255
A network that uses a reserved address can only communicate internally and not interconnect with other networks. Because the address in this network may also be used by other networks, if the network interconnection, then the search for routing will be because the address of the problem. However, these networks using reserved addresses can be interconnected with external networks by translating the reserved address translation into a public address in this network. This is one of the important ways to ensure network security.
But some broadband operators, although also using a private address to assign to users, but because of routing settings, other users on the Internet do not have access to these IP.
We will use these two cases of IP called Intranet IP.
If the IP address of the network interface on its own machine falls within the reserved address range, you can be sure that you are in intranet mode.
Intranet IP access to the Internet must be through the proxy, NAT (network address translation) technology is based on the TCP level agent, can be used quite well in various IP service applications, so widely used. The reason is very good, because NAT requires the entire service connection from the intranet to the external network initiative, and extranet users can not directly (actively) to the intranet intranet services to initiate a connection request, unless in the NAT (all) gateway to the service port for port mapping.
types of NAT conversions:
There are four NAT conversion models that can cover the basic application of the current NAT.
1, static conversion (static NAT)
The corresponding relationship between private IP address and public network IP address is manually configured on the router, and the conversion table is permanent once configured. The obvious example is a NAT router configured extranet user access intranet server: Intranet server still use private network address, on the NAT router, assign a public network address and configure private network address/public network address of the conversion table, external network IP address to external users to visit.
NAT conversion table: 202.110.10.10 8080---> 10.110.10.10 (WWW)
2. Dynamic NAT
The router retains a list of legitimate addresses, and whenever there is a need for conversion, select one from the list to convert. Note: Dynamic conversions are still one-to-one.
1 The IP address used for each conversion is not necessarily the same as the selection from the list;
2 After the legal address is adopted, the other conversion requirements can no longer use this legal IP.
3. Multiplexing conversion (overloading NAT)
In dynamic transformations, each legitimate IP address can only be used once in the conversion table, and the IP address in the list of legitimate addresses will soon be insufficient if the internal network host accesses external requirements. At this point, you can use the upper protocol identification, such as the port number field using the Transport Layer TCP/UDP to assist in the establishment of a NAT conversion table entry (the identifier field in the ICMP header of the ICMP message can also be used to implement functions similar to the port number). In this way, multiple private addresses can be converted through a legitimate address, and this type of NAT conversion can also be called the PAT (port address translation).
Convert Table Entry Example:
10.10.1.1 100 202.110.10.1 100
10.10.1.1 101 202.110.10.1 101
10.10.1.2 102 202.110.10.1 102
......
Theoretically, 1 public network addresses can provide a conversion table entry for 2^16=65535 (no known port count has been deducted). This is a typical application of NAT on the Internet. The function of server load sharing can also be realized by reusing transformations.
4, overlapping conversion (overlapping NAT)
The intranet uses an address that overlaps the external network, and it needs to be transformed with an externally overlapping IP address. On the NAT router, the overlapping IP of the external network is remap to an IP address that does not overlap. This solution solves the problem of merging enterprise networks using the same private network segment
The
Established conversion table entries are as follows:
10.10.10.1 168.192.10.1 172.10.1.1 10.10.10.1
10.10.10.1 172.10.1.1 168.192.10.1 10.10.10.1
On the NAT router, the overlapping IP of the external network is remap to an IP address that does not overlap. This solution solves the problem of merging enterprise networks using the same private network segment.
------------------------------
4 address types are:
Internal local addresses (IL Inside regional address)
Internal Global Address (IG Inside Global Address)
External local addresses (OL Outside)
External global addresses (OG Outside global addressing)
------------------------------ The br> NAT conversion table
NAT forwards packets according to the transformation table. The
1) Forwarding principle differs depending on whether the source of the packet is internal or external. Nat overlay Conversion As an example, establish the following conversion table:
Internal local internal global external local External Global
10.10.10.1 172.10.10.1 -- --
-- -- 168.192.10.1 10.10.10.1
10.10.10.1 172.10.10.1 168.192.10.1 10.10.10.1
Packet_1 IP packets from the left host to access the right host after the NAT router transformation, the source IP address will be converted to 172.10.10.1 Based on line 1th of the conversion table entry, and the destination IP address will be converted to 10.10.10.1 According to the 2nd row of the conversion table entry and vice versa.
2 According to the data-driven way to establish, there are static, dynamic two kinds. Static Address Translation Type table entries, once established, will always exist. Dynamic Address table entries are created dynamically when needed, and if no IP message query is used for a period of time, the entry is automatically deleted and the resource is reused when it reaches the aging time.
---------------------------
from the functional perspective, there are several typical NAT: traditional NAT (Basic nat,napt), two times NAT, multihomed Nat.
Two times NAT: that is, "overlapping translation nat" above
Multi-host NAT (multihomed NAT)
Using NAT can cause a lot of problems (RFC2993). For example, a NAT device needs to maintain state information for its session, and the request and response of a session must be routed through the same NAT device, so it is generally required that the NAT peripheral domain router must be unique and that all IP packets are either initiated or terminated in the domain. This configuration, however, turns the NAT device into a possible single point of failure.
In order for an internal network to be able to maintain connectivity to the external network in the event of a NAT link failure, it is often desirable to have multiple connections (multihomed) from the internal network to the same or different ISP, in the hope of passing the same or different NAT devices.
If, for example, multiple NAT devices or multiple links use the same NAT, sharing the same NAT configuration can provide a fail-safe backup between each other. In this case, it is necessary to have the backup NAT device Exchange state information so that when the primary NAT fails, backup NAT can assume the ability to maintain the session transparently.
Traditional NAT (internal address, port) and (internal address, port) Mapping method mainly has the following several typical types: Clonenat (full Cone, restricted Cone, Port restricted Cone,) and symmetric NAT.
1. Cloning Nat (Clonenat)
When on (private IP, private port) with (public IP. Public ports after a port mapping table has been established, clone NAT will reuse the mapping for calls that are subsequently initiated from the same private address and port number, provided that at least one of the sessions that uses a mapping (and sometimes an industry called binding) continues to remain active.
As you can see from the figure below, client a initiates two session requests to server 1 and server 2, respectively, from the same internal address and port number (10.0.0.1:1234), because the two requests are from the same internal address and port, so the clone NAT assigns the same public endpoint number to the two different session requests (100.100.100.100:62,000) to ensure that client A's "identity" can remain consistent after translation. NAT and firewalls do not translate port numbers, so they are also nat for cloning methods. Depending on the size of the cloning, cloning Nat can be divided into the following three kinds:
(1) Total clone (full Cone)
First, all requests from the same internal IP address and port are mapped to the same external 1P address and port. Second, any external host can send the packet to the internal host by sending a TP packages to the mapped external IP address.
(2) Restrictive cloning (restricted Cone)
Map all requests from the same internal IP address and port number to the same external IP address and ports. Unlike full clone NAT, the external host with an IP address of x can send an IP packet to the internal host only if the internal host has previously sent a packet to an external host with an IP address of x.
(3) Port restrictive cloning (ports restricted Cone)
Port restrictive cloning is similar to restrictive cloning, except that there are many port numbers in the limit. In particular, an external host can send a source IP address and the source port number (x,p) of IP packets to the internal host, only when the internal host has previously given IP address x, port number P for the external host sent a packet, The external host with an IP address of x can send an IP packet of a source port number p to the internal host.
2. Symmetric NAT
Symmetric NAT (symmetric NAT) refers to mapping all requests from the same internal IP address and port number to a specific destination 1P address and port number to the same external TP address and ports. If the same host uses different source and port pairs, and the destination addresses are sent differently, a different mapping is used. Only an external host that receives an IP packet can send back a UDP packet to the internal host. Symmetric NAT does not guarantee the consistency of bindings between (private, private) and (public IP, public ports) in all sessions. Instead, it assigns a new port number to each new session.
As you can see from the figure below, if customer A is initiating two session requests from the same internal address and port number (10.0.0.1:1234) to server 1 and server 2, the symmetric NAT may assign a different open endpoint number to the two session requests from the same location, such as 100 100. 100.1:62,000 assigned to session 1, put 100 100. 100.1:62,001 assigned to session 2. Because the two sessions have a different endpoint, Nat can still work correctly, although the identity of client a changes during the translation process
Nat settings:
Due to the limited number of public network IP address, many ISPs are using a number of intranet users through the proxy and gateway routing shared a public network IP on the Internet, which limits the users on their own computer set up personal website, to achieve in these users to set up a website, the most critical point is that How to map the intranet IP of multi-user and the IP that they only share the Internet. Just like in a LAN or Internet café, although you can set up more than one server and Web site, but the external network, you still have only an external IP address, how to map the IP network to the corresponding intranet IP address, this should be the intranet of the proxy server or gateway router should do, For our private IP address users that means this is our Access ISP service provider (China Telecom, Unicom, Netcom, railcom, etc.) should provide services, because the implementation of this technology for them is a little effort, and for us is more difficult, first of all, the support of the system administrator can be achieved. Because all of these settings must be done on the proxy server.
To do this, you can use Windows Server's port mapping feature, in addition to WinRoute Pro, as well as a variety of enterprise-class firewalls. For our ordinary users, I am afraid it is most convenient to use Windows Server.
Let's start by introducing Nat,nat (Network address translation) is a way to map an IP address domain to another IP address domain technology, thereby providing a transparent route for the terminal host. NAT includes static network address translation, dynamic network address translation, network address and port conversion, dynamic network address and port conversion, port mapping and so on. NAT is often used to convert private address domains to public address domains to address the lack of IP addresses. After NAT is implemented on the firewall, the internal topological structure of the protected network can be hidden and the security of the network is improved to some extent. If the reverse NAT provides dynamic network address and port conversion function, it can also achieve load balancing functions.
The port mapping feature allows a machine in the internal network to provide WWW services to the outside, not directly to the host that provides the WWW service, if so, there are two shelters, one is the internal machine is not safe, because in addition to WWW, The external network can access all the features of the machine through address translation, and the second is that when multiple machines need to provide this service, they must have the same number of IP addresses to convert, so as not to achieve the goal of saving IP addresses. The port mapping feature maps a host's bogus IP address to a true IP address, and when a user accesses a port that provides a mapped port host, the server transfers the request to a host that provides this particular service to the internal host The port mapping feature also allows you to map multiple ports of a true IP address machine to different ports on different machines on the inside. The port mapping function can also accomplish some specific agent functions, such as proxy pop,smtp,telnet and other protocols. Theoretically can provide more than 60,000 ports mapping, I am afraid we will never use the end.
First, the following to introduce the Internet through NAT sharing and the use of NAT to implement port mapping.
1. On Windows Routing, enter the Routing and Remote Access service from the Administrative Tools, right-click on the server,-"Configure and Enable Routing and Remote Access"
2, point "next"
3, choose "Internet connection Server", so that intranet host can access the Internet through this server.
(It is best to configure a good NAT sharing, so that the LAN host can be normal Internet, otherwise, after the port mapping to configure the NAT sharing is a bit of trouble, do not have a good NAT to share.) )
4. Select "Set up a router with network address translation (NAT) routing protocol", and do not select "Set up Internet Connection Sharing (ICS)". (The difference between ICS and NAT is how easy it is to use, to enable ICS, you only need to select a check box, and in order to enable NAT, more configuration tasks are required, and the reason why ICS is used for small networks is that it requires a fixed range of IP addresses for internal hosts ; for communication with the external network, it is limited to a single public IP address; it only allows a single internal network interface. )
5, first of all here to say my network situation:
Internet connection 192.200.200.3 (also an internal address, no way, Tietong network is not very good, fast speed, price and expensive, my life is really bitter AH)
Dormitory Connection 192.168.0.1 (the dormitory has a LAN, a total of 4 computers, one of which is installed Sambar 5.1b5 Web server, the Web port is 80, will be from the extranet (with 192.200 200.55来) to access this 192.168.0.2 : 80 on the Web page)
On this NAT host, IIS 5.0 is opened and the port is 80, and port mapping is used to map the 8081 port to the 80 port on the internal host 192.168.0.2.
6. In the Routing and Remote Access Server Setup Wizard, select Internet connection (that is, the connection to the Internet), click Next.
7, choose "Complete"
So far, Nat sharing settings are complete, the internal host can also be online. The network settings for the internal host are as follows:
IP address range is 912.168.0.2~192.168.0.254, subnet mask is 255.255.255.0, Gateway is 192.168.0.1,dns for ISP address, ours is 211.98.xxx.xxx
Second, using NAT to map ports
1, add NAT protocol. Right-click "General",-"New routing Protocol"
2. In "New routing protocol" Select "Network address translation (NAT)", click "OK"
3, so in "IP routing" in the One More "network address translation (NAT)"
4, right click Network Address Translation (NAT), add "New Interface"
5. In the new interface of network address translation (NAT), select Internet connection (that is, the connection to the Internet, not the wrong choice)
6. In the "Network address translation-internet connection properties" Select "Public interface to the Internet", check "Convert TCP/UDP header (recommended)"
7. Add the start and end addresses you need to provide port redirection in the address pool option. (Also
7,
Is that you're going to take out all the IP addresses of the port mappings, usually we have an IP address, so we can talk about the difference between the "address pool". This assumes 8 addresses, which are set as follows:
This is what happens when you add a good:
8, in the "Special Port" tab provides you need to orient the data Connection protocol (TCP or UDP protocol, such as Web and FTP is the TCP protocol), select the "Add"
9, "Add Special port", here is the core of the set port mapping, the NAT host of which port map to the intranet host which port is set up here, because of the "address pool", so you can add "address pool" in "public address" any address, here Tim is " 192.200.200.3 ", it is
Is my address, if you do not set "address pool" in the front, then in this option page "This address pool item" is not optional, you can only select "This interface",
That is, you only have a public network IP address, which is more suitable for only one IP friend, you can not use the "address pool", why do unnecessary settings. If there is a problem, it is not asking for trouble.
"Incoming port" is the port where someone else accesses a NAT server with a public network IP from outside the net, set to 8080.
"Private address and outgoing address" is the IP address of the internal host and the port that provides the special service, where the 8080 ports on the 192.200.200.3 are mapped to 80 ports on the 192.168.0.2.
This is the TCP protocol port redirection, as for UDP's orientation page is similar, the following figure is to add a port map after the situation.
Iv. test Results
In the 192.200.200.55 out of the NAT host on the Web server and intranet 192.168.0.2 built on the Web server, the results are as follows: (sorry, the middle changed the port number, 192.200.200.3 on the 8081-port map to the 192.168.0.2 of the 80-terminal Mouth