The Problem — Why NAT and DHCP Exist
When post arrives addressed to the building, the reception desk (NAT) reads which internal room it's meant for and routes it accordingly. When a new employee joins, they don't bring their own room number from home — the facilities manager (DHCP) automatically assigns them one from a pool, along with the building's phone directory and post room address.
That is exactly what NAT and DHCP do for networks — and without them, the IPv4 internet would have run out of addresses in the 1990s.
Three blocks are reserved for private use — they are never routed on the public Internet:
10.0.0.0 / 8 — ~16.7 million addresses (large enterprises)
172.16.0.0 – 172.31.255.255 / 12 — ~1 million addresses (medium networks)
192.168.0.0 / 16 — ~65,000 addresses (home & small office — most common)
DHCP gives out addresses from these ranges. NAT translates them to your single public IP.
DHCP — Dynamic Host Configuration Protocol
DHCP (RFC 2131, 1997) automatically assigns network configuration to devices the moment they connect. A device does not need any prior configuration — it simply broadcasts "I need an address!" and the DHCP server responds with everything needed: IP address, subnet mask, default gateway, DNS servers, and a lease duration.
🏭 Animated: The DHCP DORA Process — Full Working
DHCP works in four messages remembered as DORA: Discover → Offer → Request → Acknowledge. Every device joining a network goes through this exact sequence. The entire exchange completes in milliseconds.
💡 DHCP Discover and Request use broadcast (255.255.255.255) because the client has no IP yet. Offer and Acknowledge are sent to the client's MAC address (unicast or broadcast depending on implementation).
DHCP Lease Lifecycle — Renewal, Rebinding & Expiry
A DHCP lease is not permanent. The server sets a lease time and the client must renew before it expires. This allows addresses to be reclaimed from devices that have left the network (like a phone that disconnected weeks ago).
T1 = 50% of lease time (unicast renewal attempt). T2 = 87.5% of lease time (broadcast rebind to ANY server). Expiry = address released back to pool.
DHCP Relay — Crossing Router Boundaries
DHCP uses broadcasts — and routers do not forward broadcasts between subnets. How does a device on a remote subnet reach the DHCP server? A DHCP Relay Agent (also called IP Helper) solves this.
The relay agent intercepts the broadcast Discover on the local subnet and forwards it as a unicast packet to the DHCP server — inserting the client's subnet information (giaddr) so the server knows which pool to assign from.
Configuring a Cisco router as both DHCP server and relay agent requires only a handful of commands. The ip helper-address command on the client-facing interface is the key for relay.
! ── Cisco IOS: Configure router as DHCP SERVER ──────────────
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.49 ! Reserve for statics
Router(config)# ip dhcp pool OFFICE_LAN
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
Router(dhcp-config)# lease 1 ! 1 day
Router(dhcp-config)# domain-name office.local
! ── DHCP RELAY on a router interface facing clients ──────────
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip helper-address 10.0.1.100 ! Forward broadcasts to DHCP server
! ── Verify leases ────────────────────────────────────────────
Router# show ip dhcp binding
Router# show ip dhcp pool
Router# show ip dhcp conflict
DHCP Security — Starvation, Spoofing & Snooping
In 2019, a student at a UK university accidentally connected a consumer router to the campus network with DHCP enabled. The rogue router began assigning itself as the default gateway to hundreds of devices, causing intermittent Internet outages for an entire building for 6 hours. Rogue DHCP incidents are among the most common self-inflicted network outages in large organisations. Source: JANET UK Network Security Notes, 2019; Cisco CCNA Security guide.
NAT — Network Address Translation
NAT (RFC 3022) allows an entire private network to share one (or a few) public IP addresses. A NAT device — typically your router — maintains a translation table mapping each private IP:port pair to a unique public IP:port pair. Outbound packets get their source rewritten; inbound replies get their destination rewritten back.
Without NAT, every device in your home or office would need its own globally unique public IP address. With ~4.29 billion IPv4 addresses and 15+ billion connected devices, this is mathematically impossible. NAT is what kept the IPv4 internet alive after 1994.
Three Types of NAT
🏭 Animated: PAT (NAT Overload) — Full Working
PAT is what runs in your home router right now. Three devices simultaneously browsing the web — all sharing one public IP, differentiated only by their port numbers. The animation shows the complete outbound and inbound flow with the NAT table.
💡 The NAT table is keyed by (Protocol, Private IP, Private Port). The router picks a unique ephemeral public port for each session. When the reply arrives, the router reverse-looks up the table and delivers to the correct private host.
Port Forwarding & NAT Traversal
PAT's biggest limitation: the Internet cannot initiate a connection to a device behind NAT. The NAT table only has entries for outbound connections. Unsolicited inbound packets — like someone trying to connect to your home game server — have no matching NAT entry and are dropped. Two solutions exist: Port Forwarding (static) and NAT Traversal / STUN (dynamic).
| Rule | Value |
|---|---|
| External port | 25565 (Minecraft) |
| Internal IP | 192.168.1.100 |
| Internal port | 25565 |
| Protocol | TCP |
| Effect | Any inbound connection to 203.0.113.1:25565 is forwarded to 192.168.1.100:25565 |
| Step | Action |
|---|---|
| 1 | Client contacts STUN server on public Internet |
| 2 | STUN reflects client's public IP:port back |
| 3 | Client shares its public address with peer |
| 4 | Peer connects directly — NAT entry exists (hole punched) |
Every video call you make from home uses STUN (Session Traversal Utilities for NAT) and ICE (Interactive Connectivity Establishment) to punch through NAT and establish peer-to-peer connections. When direct punch-through fails (symmetric NAT), traffic falls back to a TURN relay server. This is why corporate firewalls blocking STUN/TURN ports break video calling entirely.
NAT on Cisco IOS — PAT Configuration
! ── Cisco IOS: Configure PAT (NAT Overload) ─────────────────
! Define which addresses are "inside" (private)
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
! Mark interfaces as inside/outside
Router(config)# interface GigabitEthernet0/0 ! LAN-facing
Router(config-if)# ip nat inside
Router(config)# interface GigabitEthernet0/1 ! WAN-facing
Router(config-if)# ip nat outside
! Enable PAT using the outside interface IP
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
! Static NAT entry (port forward) — expose internal web server
Router(config)# ip nat inside source static tcp 192.168.1.100 80 203.0.113.1 80
! Verify
Router# show ip nat translations
Router# show ip nat statistics
🏭 Animated: NAT + DHCP Together — New Device to Internet
This animation shows the complete journey of a new phone connecting to your home Wi-Fi and loading a webpage — combining DHCP address assignment and PAT translation in a single end-to-end flow.
💡 The router serves dual roles here: it is both the DHCP server (assigning the phone's 192.168.1.x address) and the NAT gateway (translating that private IP to the public IP when the phone visits a website).
Real-World Incidents & Comparison
NAT vs DHCP — Side-by-Side
| Feature | DHCP | NAT / PAT |
|---|---|---|
| Purpose | Assign IP addresses automatically | Share one public IP across many private IPs |
| OSI Layer | Application (Layer 7) over UDP | Network (Layer 3) — IP header rewriting |
| Port numbers | Client: 68, Server: 67 | Tracks sessions via port numbers (PAT) |
| RFC | RFC 2131 (1997) | RFC 3022 (2001) |
| Where it runs | Server (router, Windows Server, ISC DHCP) | Edge router / firewall |
| IPv6 equivalent | DHCPv6 or SLAAC (stateless) | NAT64 / not needed with enough IPv6 space |
| Security risk | Rogue DHCP / starvation | NAT table overflow / application breakage |
| Stateful? | Yes — lease database | Yes — translation table (TCP state) |
| Breaks with | No server reachable; pool exhausted | FTP active mode; SIP; IPsec ESP (without NAT-T) |
FTP Active Mode: The server initiates a connection back to the client —
NAT blocks it. Fix: use FTP Passive Mode (client initiates both connections).
SIP / VoIP: SIP embeds the private IP in the packet payload — NAT only
rewrites headers. Fix: SIP Application Layer Gateway (ALG) or STUN/ICE.
IPsec ESP: Encrypts the transport header including ports — NAT can't track
sessions. Fix: NAT-Traversal (UDP encapsulation of ESP, RFC 3948).
Golden Rules — DHCP & NAT
ip dhcp excluded-address before configuring the pool.
Failure to do so causes IP conflicts when DHCP eventually assigns that address.
DHCP is the invisible concierge that greets every device joining your
network — handing it an identity (IP address), directions (default gateway), and a
contact list (DNS servers) automatically in milliseconds via the DORA sequence.
NAT / PAT is the shared reception desk that lets thousands of private
addresses share a single public face on the Internet — tracking every conversation by
port number, translating addresses on the fly, and reversing the process for incoming
replies with nanosecond precision.
Together they are why the IPv4 Internet still functions — buying time until IPv6 adoption
makes address scarcity a historical footnote.