NAT/PAT, VIP/FHRP, and Subinterfaces
Key Takeaways
- NAT translates IP addresses; PAT (NAT overload) multiplexes many inside connections onto one public IP using unique source ports.
- Static NAT is one-to-one, dynamic NAT draws from a pool, and PAT is the common many-to-one method for internet access.
- A VIP is a shared virtual address fronting a load-balanced service or a redundant gateway.
- FHRP (HSRP, VRRP, GLBP) presents a virtual gateway IP and MAC so hosts keep their gateway when a router fails.
- Router-on-a-stick uses 802.1Q-tagged subinterfaces on one physical link to route between VLANs.
Where These Topics Sit
Routing implementation rarely stops at the route table. Real designs add address translation, gateway redundancy, and VLAN-aware interfaces - all at the boundary between hosts, switches, routers, firewalls, and the internet. N10-009 tests them in practical, scenario-driven items.
NAT and PAT
| Term | What changes | Typical use |
|---|---|---|
| NAT | The IP address is translated | Private-to-public, or overlapping networks |
| Static NAT | One inside address maps to one outside address | Publish a server; preserve a fixed mapping |
| Dynamic NAT | Inside hosts draw from a pool of outside addresses | Translate many clients with a public pool |
| PAT / NAT overload | Many inside hosts share one outside IP via unique ports | The standard internet-access method |
| Port forwarding | An outside port maps to an inside host:port | Allow inbound access to one service |
PAT is why dozens of private hosts browse the internet behind a single public IP. The translation table tracks the inside local address and port, the translated outside address and port, and the remote endpoint - a four-tuple that keeps each session distinct.
PAT Translation Walkthrough
Follow one HTTPS session as it crosses a PAT-enabled edge router (inside host 192.168.10.25, public IP 198.51.100.10, web server 93.184.216.34):
| Step | Source before | Source after | Destination |
|---|---|---|---|
| Client request out | 192.168.10.25:51512 | 198.51.100.10:40001 | 93.184.216.34:443 |
| Server reply arrives | 93.184.216.34:443 | (unchanged) | 198.51.100.10:40001 |
| Router untranslates | 93.184.216.34:443 | (unchanged) | 192.168.10.25:51512 |
The router remembers that outside port 40001 belongs to 192.168.10.25:51512, so the return packet is mapped back to the right host. If the NAT entry has aged out, the inside/outside interface roles are swapped, or no entry was ever created, the return packet is dropped even when the route table looks perfect. This is a classic "works outbound, fails on reply" PBQ symptom.
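The table-driven behaviour described above, as an added example that is not part of the original study notes: a minimal PAT table that allocates outside ports on the way out, untranslates replies by outside port, and drops replies when the entry is stale, absent, or the inside/outside roles are swapped. Addresses and ports are the ones from the walkthrough; the idle timeout, port range, and the `now` clock are assumed values for the demo.

```python
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.10"     # the router's single outside address (from the walkthrough)
IDLE_TIMEOUT = 300              # seconds before an unused entry ages out (assumed value)


@dataclass
class Entry:
    inside: tuple               # (inside local IP, source port), e.g. ("192.168.10.25", 51512)
    remote: tuple               # (remote IP, port), e.g. ("93.184.216.34", 443)
    last_seen: float            # clock value of the last packet that matched this entry


class PatTable:
    """NAT overload: many inside host:port pairs share PUBLIC_IP, keyed by outside port."""

    def __init__(self, first_port=40001):
        self.entries = {}        # outside port -> Entry
        self.next_port = first_port

    def outbound(self, src, dst, now):
        """Translate an inside->outside packet; returns the (src, dst) seen on the internet."""
        for port, e in self.entries.items():
            if e.inside == src and e.remote == dst:     # existing session: reuse its port
                e.last_seen = now
                return (PUBLIC_IP, port), dst
        port = self.next_port                            # new session: allocate a fresh port
        self.next_port += 1
        self.entries[port] = Entry(src, dst, now)
        return (PUBLIC_IP, port), dst

    def inbound(self, src, dst, now):
        """Untranslate an outside->inside packet; None means the router drops it."""
        if dst[0] != PUBLIC_IP:                          # e.g. inside/outside roles swapped
            return None
        e = self.entries.get(dst[1])
        if e is None or e.remote != src:                 # no entry was ever created
            return None
        if now - e.last_seen > IDLE_TIMEOUT:             # entry aged out: stale table
            del self.entries[dst[1]]
            return None
        e.last_seen = now
        return src, e.inside                             # back to 192.168.10.25:51512
```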
Important distinction: NAT and PAT hide and conserve addressing - they are not a firewall. Inbound filtering is a separate policy decision. A port forward without a matching firewall rule still fails.
VIP and FHRP
A virtual IP (VIP) can front a service or a redundant gateway.
| Use case | What the VIP represents | Clue |
|---|---|---|
| Load balancer VIP | One front-end address for a server pool | Users hit one IP; traffic spreads to backends |
| FHRP gateway VIP | Shared default gateway for a VLAN | Hosts keep their gateway when one router fails |
First-hop redundancy protocols (FHRP) let two or more routers cooperatively provide a resilient default gateway. The exam may say "FHRP" generically or name HSRP, VRRP, or GLBP.
| FHRP concept | Meaning |
|---|---|
| Active / master router | Currently forwarding for the virtual gateway |
| Standby / backup router | Ready to take over on failure |
| Virtual IP | The gateway address configured on hosts |
| Virtual MAC | MAC tied to the virtual gateway (so ARP need not change) |
| Priority | Influences which router becomes active |
| Preemption | Lets a restored higher-priority router reclaim active |
Hosts should always point their default gateway at the virtual IP, never at a physical router interface - that is what makes failover invisible to the host. Quick contrast: HSRP and GLBP are Cisco-proprietary; VRRP is an open standard; GLBP can load-balance across multiple active routers, while HSRP/VRRP use one active and one or more standby.
Subinterfaces and Router-on-a-Stick
A subinterface is a logical interface created under one physical interface. In router-on-a-stick, a single physical router link connects to a switch trunk, and each VLAN gets a subinterface tagged with 802.1Q.
| Component | Example | Role |
|---|---|---|
| Physical interface | G0/0 | Carries the 802.1Q trunk |
| Subinterface | G0/0.10 | Gateway for VLAN 10 |
| Encapsulation tag | 802.1Q VLAN 10 | Identifies VLAN 10 frames |
| IP address | 192.168.10.1/24 | Default gateway for VLAN 10 hosts |
Three things must line up: the subinterface number/tag must match the VLAN, the switch trunk must allow that VLAN, and the host's default gateway must equal the subinterface IP.
Symptom map
| Symptom | Likely issue |
|---|---|
| Internal users ping gateway but not internet | Missing default route, NAT/PAT fault, or upstream filtering |
| One published server unreachable from outside | Port forward, static NAT, firewall rule, or server gateway |
| Hosts lose gateway when primary router fails | FHRP misconfigured, wrong VIP, or priority/preemption |
| VLAN 20 hosts cannot reach other VLANs | Missing subinterface, wrong tag, trunk, or wrong gateway |
| NAT works one way, return traffic fails | Stale table, swapped inside/outside roles, asymmetric routing |
PBQ practice prompt
A switch trunk feeds a router serving VLAN 10 (users), VLAN 20 (voice), and VLAN 30 (servers). VLAN 10 reaches its gateway but cannot reach VLAN 30. The router has G0/0.10 and G0/0.20 but no G0/0.30. Fix: add the VLAN 30 subinterface with the matching 802.1Q tag and gateway IP, then confirm the trunk allows VLAN 30.
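The PBQ scenario above, as an added example that is not part of the original study notes: a router-on-a-stick model that reads the 802.1Q tag (the low 12 bits of the TCI after TPID 0x8100) from each frame on the trunk and hands it to the matching subinterface, so a VLAN 30 frame is dropped until G0/0.30 exists. Subinterface names, gateway addresses and the frame bytes are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100             # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def vlan_of(frame: bytes):
    """Return the 12-bit VLAN ID of an 802.1Q-tagged frame, or None if it is untagged."""
    if len(frame) < 18:                      # dst MAC + src MAC + TPID + TCI + EtherType
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None                          # untagged (native VLAN) frame
    return tci & 0x0FFF                      # TCI = PCP(3) | DEI(1) | VID(12)


class RouterOnAStick:
    """One physical trunk port with a dictionary of 802.1Q subinterfaces."""

    def __init__(self, physical="G0/0"):
        self.physical = physical
        self.subifs = {}                     # VLAN ID -> (subinterface name, gateway IP)

    def add_subinterface(self, vlan, gateway):
        # Equivalent intent to: interface G0/0.<vlan> / encapsulation dot1Q <vlan> / ip address
        self.subifs[vlan] = (f"{self.physical}.{vlan}", gateway)

    def receive(self, frame):
        """Return (subinterface, gateway) that serves the frame, or None if it is dropped."""
        vid = vlan_of(frame)
        if vid is None:
            return None                      # no tag: nothing to route on this design
        return self.subifs.get(vid)          # no subinterface for this tag -> no gateway


def tagged_frame(vlan, pcp=0, ethertype=0x0800, payload=b""):
    """Build a constructed 802.1Q frame with zeroed MACs (enough for vlan_of to parse)."""
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
    return b"\x00" * 12 + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
```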
Which technology lets many private hosts share a single public IP address by tracking unique source port numbers?
In a network using an FHRP such as VRRP, what address should client hosts use as their default gateway?
In a router-on-a-stick design, subinterfaces use the _____ standard to tag and identify each VLAN's traffic on the trunk.