NAT/PAT, VIP/FHRP, and Subinterfaces
Key Takeaways
- NAT translates IP addresses; PAT (NAT overload) lets many internal connections share one or a few public IP addresses by also translating source ports.
- Static NAT maps one internal address to one external address; dynamic NAT uses a pool; PAT is the common many-to-one internet access method.
- A VIP is a shared virtual address used by load balancers or first-hop redundancy protocols.
- FHRP technologies provide a resilient default gateway for hosts by presenting a virtual gateway IP address.
- Router subinterfaces are commonly used for router-on-a-stick inter-VLAN routing with 802.1Q tags.
Routing implementation often includes translation, gateway redundancy, and VLAN-aware interfaces. These topics appear in practical scenarios because they sit at the boundary between hosts, switches, routers, firewalls, and the internet.
NAT and PAT
| Term | What changes | Typical use |
|---|---|---|
| NAT | IP address is translated | Private-to-public or overlapping networks |
| Static NAT | One inside address maps to one outside address | Publish a server or preserve a fixed mapping |
| Dynamic NAT | Inside addresses use a pool of outside addresses | Translate many clients with a public pool |
| PAT/NAT overload | Many inside clients share addresses by using unique ports | Common internet access for private networks |
| Port forwarding | Outside port maps to an inside host and port | Allow inbound access to a specific service |
PAT is why many private hosts can browse the internet through one public IP address. The translation table tracks the inside local address and port, the inside global (translated public) address and port, and the remote endpoint's address and port; return traffic is forwarded only when it matches an existing entry.
Translation Example
| Step | Source | Destination | Translation applied |
|---|---|---|---|
| Client sends request | 192.168.10.25:51512 | 93.184.216.34:443 | Source rewritten to 198.51.100.10:40001; table entry created |
| Web server replies | 93.184.216.34:443 | 198.51.100.10:40001 | Destination matched against the table |
| Firewall forwards reply | 93.184.216.34:443 | 192.168.10.25:51512 | Destination rewritten back to the inside host |
If the translation entry has expired or was never created, or the device has its inside and outside roles on the wrong interfaces, return traffic is dropped even when routing looks correct.
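The translation table and its failure modes, as an added example written for this page (not vendor code). It assumes one outside address, a translated-port pool starting at 40001, a fixed idle timeout, and a caller-supplied clock so expiry can be demonstrated; none of those values come from the page except the addresses in the table above.

```python
"""Added example: a minimal PAT (NAT overload) translation table.

Illustrative code written for this page, not a vendor implementation.
Assumed (not from the page): one outside address, a port pool starting at
40001, a fixed idle timeout, and a caller-supplied clock so expiry is testable.
"""
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.10"    # outside address from the page's example
FIRST_PORT = 40001             # assumed start of the translated-port pool
IDLE_TIMEOUT = 300             # assumed idle timeout in seconds

Endpoint = tuple               # (ip, port)


@dataclass
class Entry:
    inside_local: Endpoint     # private host address and port
    remote: Endpoint           # internet endpoint the flow talks to
    last_seen: float           # clock value of the last matching packet


class PatTable:
    def __init__(self, public_ip=PUBLIC_IP, timeout=IDLE_TIMEOUT):
        self.public_ip = public_ip
        self.timeout = timeout
        self.by_global = {}    # (translated_port, remote) -> Entry
        self.by_local = {}     # (inside_local, remote) -> translated_port
        self.next_port = FIRST_PORT

    def _expire(self, now):
        """Drop entries idle longer than the timeout (the 'table expires' case)."""
        stale = [k for k, e in self.by_global.items() if now - e.last_seen > self.timeout]
        for k in stale:
            e = self.by_global.pop(k)
            self.by_local.pop((e.inside_local, e.remote), None)

    def outbound(self, src, dst, now):
        """Inside -> outside: rewrite the source to the public IP and a unique port.
        Each (inside host, remote endpoint) pair gets its own translated port."""
        self._expire(now)
        port = self.by_local.get((src, dst))
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_local[(src, dst)] = port
            self.by_global[(port, dst)] = Entry(src, dst, now)
        self.by_global[(port, dst)].last_seen = now
        return (self.public_ip, port), dst

    def inbound(self, src, dst, now):
        """Outside -> inside: forward only when (translated port, remote) is in the table.
        Returns None when the packet must be dropped: no entry, or the entry expired."""
        self._expire(now)
        if dst[0] != self.public_ip:
            return None
        entry = self.by_global.get((dst[1], src))
        if entry is None:
            return None
        entry.last_seen = now
        return src, entry.inside_local


def walk_through():
    """Replay the page's translation example, then the two return-traffic failure modes."""
    table = PatTable()
    client = ("192.168.10.25", 51512)
    server = ("93.184.216.34", 443)
    out = table.outbound(client, server, now=0)       # (("198.51.100.10", 40001), server)
    reply = table.inbound(server, out[0], now=1)      # (server, client): entry matched
    stray = table.inbound(server, (PUBLIC_IP, 40002), now=1)          # None: no entry
    late = table.inbound(server, out[0], now=1 + IDLE_TIMEOUT + 1)    # None: entry expired
    return out, reply, stray, late


if __name__ == "__main__":
    for label, result in zip(("out", "reply", "stray", "late"), walk_through()):
        print(label, result)
```

The `stray` and `late` cases are the two symptoms from the scenario table: an inbound packet with no matching entry (no port forward, or a different port) and a reply that arrives after the entry aged out are both silently dropped, while routing for 198.51.100.10 is perfectly fine.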
VIP and FHRP
A virtual IP address can represent a service or a redundant gateway.
| Use case | What the VIP represents | Example clue |
|---|---|---|
| Load balancer VIP | Front-end address for an application pool | Users connect to one service IP, traffic is distributed to servers |
| FHRP gateway VIP | Shared default gateway address for a VLAN | Hosts keep the same gateway if one router fails |
First-hop redundancy protocols let two or more routers provide a resilient gateway for hosts. Network+ may refer to FHRP generally or to common examples such as HSRP and GLBP (Cisco proprietary) and VRRP (an open standard).
| FHRP concept | Meaning |
|---|---|
| Active/master router | Router currently forwarding for the virtual gateway |
| Standby/backup router | Router ready to take over |
| Virtual IP | Default gateway configured on hosts |
| Virtual MAC | MAC address that answers ARP for the virtual IP, so hosts keep the same gateway MAC when the active router changes |
| Priority | Value that influences which router becomes active; higher is preferred |
| Preemption | When enabled, a higher-priority router reclaims the active role after it returns; when disabled, the current active router keeps the role |
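The election and failover behaviour in the table above, as an added example written for this page rather than taken from any FHRP implementation. It uses the common rule that the highest priority wins and the highest IP address breaks ties, and formats the virtual MAC with the HSRP version 1 convention (0000.0c07.ac followed by the group number in hex). Router names, addresses and priorities are constructed for the demo.

```python
"""Added example: FHRP active/standby election with priority and preemption.

Illustrative code for this page, not a vendor implementation. Election rules
follow the common FHRP pattern (highest priority wins, highest IP breaks ties);
the virtual MAC format is the HSRP version 1 convention 0000.0c07.acXX, with
XX the group number. Router names, addresses and priorities are constructed.
"""
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    ip: str                 # the router's own physical interface address
    priority: int = 100     # FHRP priority; higher is preferred
    preempt: bool = False   # may this router reclaim the active role?
    up: bool = True


def _ip_key(ip):
    """Tie-break helper: compare dotted-quad addresses numerically, octet by octet."""
    return tuple(int(o) for o in ip.split("."))


def best_candidate(routers):
    """Highest priority wins; equal priority falls back to the highest IP address."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, _ip_key(r.ip)))


class FhrpGroup:
    def __init__(self, group_id, vip, routers):
        self.group_id = group_id
        self.vip = vip                  # what hosts configure as their default gateway
        self.routers = list(routers)
        self.active = best_candidate(self.routers)

    def virtual_mac(self):
        """HSRPv1 virtual MAC: 0000.0c07.ac + group number in hex."""
        return f"0000.0c07.ac{self.group_id:02x}"

    def arp_reply(self, target_ip):
        """Hosts ARP for the VIP and get the virtual MAC, whichever router is active."""
        return self.virtual_mac() if target_ip == self.vip else None

    def converge(self):
        """Re-evaluate the active role after a router fails or returns.

        A failed active router is always replaced. A returning router only
        takes the role back if it is the best candidate AND has preempt set;
        otherwise the current active router keeps forwarding.
        """
        if self.active is None or not self.active.up:
            self.active = best_candidate(self.routers)
            return self.active
        candidate = best_candidate(self.routers)
        if candidate is not self.active and candidate.preempt:
            self.active = candidate
        return self.active

    def standby(self):
        """The next-best live router, ready to take over."""
        others = [r for r in self.routers if r.up and r is not self.active]
        return best_candidate(others)


def failover_sequence(preempt):
    """Names of the active router: at start, after R1 fails, after R1 returns."""
    r1 = Router("R1", "192.168.10.2", priority=110, preempt=preempt)
    r2 = Router("R2", "192.168.10.3", priority=100)
    group = FhrpGroup(10, "192.168.10.1", [r1, r2])
    steps = [group.active.name]
    r1.up = False
    steps.append(group.converge().name)
    r1.up = True
    steps.append(group.converge().name)
    return steps


if __name__ == "__main__":
    print("no preempt:", failover_sequence(False))   # ['R1', 'R2', 'R2']
    print("preempt:   ", failover_sequence(True))    # ['R1', 'R2', 'R1']
```

Two points the run makes concrete: hosts only ever learn the VIP and its virtual MAC, so nothing on the host changes during a failover, and without preemption the higher-priority router stays standby after it recovers, which is the usual explanation when a "restored" primary is not forwarding.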
Subinterfaces and Router-on-a-Stick
A router subinterface is a logical interface under one physical interface. In router-on-a-stick designs, one physical router link connects to a switch trunk, and each VLAN has a subinterface with an 802.1Q tag.
| Component | Example | Role |
|---|---|---|
| Physical interface | G0/0 | Carries trunk traffic |
| Subinterface | G0/0.10 | Gateway for VLAN 10 |
| Encapsulation tag | 802.1Q VLAN 10 | Identifies VLAN traffic |
| IP address | 192.168.10.1/24 | Default gateway for VLAN 10 hosts |
Scenario Guidance
| Symptom | Likely issue |
|---|---|
| Internal users can ping gateway but not internet | Missing default route, NAT/PAT issue, or upstream filtering |
| One published server is unreachable from outside | Port forward, static NAT, firewall rule, or server gateway problem |
| Hosts lose gateway when primary router fails | FHRP not configured, wrong VIP, or priority/preemption issue |
| VLAN 20 hosts cannot reach other VLANs | Missing subinterface, wrong 802.1Q tag, trunk issue, or wrong gateway |
| NAT works one way but return traffic fails | Translation table, wrong inside/outside role, or asymmetric routing |
PBQ Practice Prompt
A PBQ shows a switch trunk to a router and three VLANs: 10 users, 20 voice, and 30 servers. Users in VLAN 10 can reach their gateway but cannot reach VLAN 30. The router has G0/0.10 and G0/0.20, but no G0/0.30. The correct implementation is to add the VLAN 30 subinterface with the matching 802.1Q tag and IP gateway, then confirm the switch trunk allows VLAN 30.
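The subinterface table and the PBQ above, replayed at the frame level as an added example written for this page (not vendor code). It builds 802.1Q-tagged frames, parses the tag (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN ID), checks the switch trunk's allowed list, and looks up the subinterface that owns the VLAN. MAC addresses, the interface name G0/0 and the addressing are constructed for the demo.

```python
"""Added example: 802.1Q tag parsing and router-on-a-stick subinterface lookup.

Illustrative code for this page, not vendor code. It builds tagged frames,
parses the 802.1Q header (TPID 0x8100, then a 16-bit TCI whose low 12 bits
are the VLAN ID), and routes each frame to the matching subinterface. The
MAC addresses, interface names and addressing are constructed for the demo.
"""
import struct
from ipaddress import ip_interface

TPID_8021Q = 0x8100
HOST_MAC = bytes.fromhex("02005e100a19")   # constructed source MAC
GW_MAC = bytes.fromhex("020000aa0001")     # constructed router MAC


def build_frame(vid, dst_mac=GW_MAC, src_mac=HOST_MAC, ethertype=0x0800, pcp=0, payload=b""):
    """Ethernet II frame with an 802.1Q tag: dst, src, TPID, TCI, EtherType, payload."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)          # DEI bit (bit 12) left clear
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype); vid and pcp are None for untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (tag_or_type,) = struct.unpack("!H", frame[12:14])
    if tag_or_type != TPID_8021Q:
        return dst, src, None, None, tag_or_type
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, ethertype


def trunk_forwards(frame, allowed_vlans):
    """Switch side: a tagged frame leaves the trunk only if its VLAN is on the allowed list."""
    vid = parse_frame(frame)[2]
    return vid is None or vid in allowed_vlans


class RouterOnAStick:
    """One physical trunk interface with a subinterface (and gateway IP) per VLAN."""

    def __init__(self, physical, subinterfaces):
        self.physical = physical
        self.sub = {}                                    # vid -> (name, ip_interface)
        for vid, addr in subinterfaces.items():
            self.add_subinterface(vid, addr)

    def add_subinterface(self, vid, addr):
        """Subinterface name follows the G0/0.<vlan> convention; the tag must equal vid."""
        self.sub[vid] = (f"{self.physical}.{vid}", ip_interface(addr))

    def receive(self, frame):
        """Which subinterface owns the frame, or why it is dropped."""
        vid = parse_frame(frame)[2]
        if vid is None:
            return ("dropped: untagged frame, no native VLAN configured", None)
        if vid not in self.sub:
            return (f"dropped: no subinterface for VLAN {vid}", None)
        name, iface = self.sub[vid]
        return (name, str(iface.ip))


def pbq_scenario():
    """VLAN 10/20 configured, VLAN 30 missing; then fix the router and the trunk."""
    router = RouterOnAStick("G0/0", {10: "192.168.10.1/24", 20: "192.168.20.1/24"})
    allowed = {10, 20}                                   # trunk allowed-VLAN list before the fix
    frame30 = build_frame(30)
    before = (trunk_forwards(frame30, allowed), router.receive(frame30))
    router.add_subinterface(30, "192.168.30.1/24")       # step 1: add G0/0.30 with its gateway
    allowed.add(30)                                      # step 2: allow VLAN 30 on the trunk
    after = (trunk_forwards(frame30, allowed), router.receive(frame30))
    return before, after


if __name__ == "__main__":
    print(pbq_scenario())
```

Both halves of the fix matter: adding G0/0.30 alone still leaves the frame stuck at the switch if the trunk prunes VLAN 30, and allowing the VLAN alone delivers a frame the router has no subinterface for. A subinterface configured with the wrong tag (the common-traps table) fails the same way as a missing one, because lookup is by the VLAN ID carried in the TCI.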
Common Traps
| Trap | Better reasoning |
|---|---|
| Configure host gateways as physical router IPs when FHRP is used | Hosts should use the virtual gateway IP |
| Open a port forward but forget the firewall policy | NAT and filtering are separate decisions on many devices |
| Add a subinterface with the wrong VLAN tag | The tag must match the VLAN carried on the trunk |
| Treat NAT as a security control by itself | NAT hides addressing but does not replace filtering or segmentation |
Practice Questions
- Which technology lets many private hosts share one public IP address by tracking port numbers?
- In an FHRP design, what IP address should hosts normally use as their default gateway?
- In a router-on-a-stick design, subinterfaces usually use the _____ tagging standard to identify VLAN traffic.