11-29-2022 01:39 AM - edited 11-29-2022 01:53 AM
I'm having an interesting issue at one of my customers.
Scenario: customer is trying to reach an internal web server on its external public IP. Client IP SNAT is performed on an F5 (which also hosts the public IP of the web server), with the next hop being a Nexus vPC as WAN router.
Issue: when the client IP is SNATed to an IP in the same range as the web server, the traffic is dropped.
My best guess right now is that the vPC loop avoidance is the root cause of the connection issues:
- Packet is sent in vPC 9 from F5 -> DC-RTR-1 -> DC-RTR-2
- DC-RTR-2 checks ARP/MAC table and sees that the traffic is destined out vPC 9
- DC-RTR-2 drops the packet
Is this a supported topology? Any solution to overcome this issue?
My best solution right now would be to use DNAT or DNS to make sure the traffic is sent directly to the private IP of the web server, so it is not sent over the WAN RTRs, but is there anything that could be done on the Nexus?
Note that DC-RTR-1 does not have an IP in this WAN routing segment. Maybe giving this switch an IP and running HSRP would be a solution?
11-29-2022 03:13 AM
Found a solution: this is not a supported topology; DC-RTR-1 must also have an IP address in that segment.
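Added example (not configuration from the original poster or from Cisco): what the accepted fix looks like on the two Nexus vPC peers. It gives both DC-RTR-1 and DC-RTR-2 an SVI in the WAN segment, with HSRP so the F5 points at a single virtual next hop, as the original post suggested. The VLAN number (900), the 203.0.113.0/24 addressing and the HSRP group number are assumptions chosen for illustration; only the hostnames and "vPC 9" come from the post. The vPC peer link and vPC 9 are assumed to already carry VLAN 900.

```text
! ---- DC-RTR-1 (previously had no IP in the WAN segment) ----
feature interface-vlan
feature hsrp

vlan 900
  name WAN-SEGMENT

interface Vlan900
  description WAN routing segment shared with the F5
  no shutdown
  ip address 203.0.113.2/24        ! assumed address
  hsrp version 2
  hsrp 1
    preempt
    priority 110
    ip 203.0.113.1                 ! assumed virtual next hop for the F5

! ---- DC-RTR-2 (already had an IP in the segment) ----
feature interface-vlan
feature hsrp

vlan 900
  name WAN-SEGMENT

interface Vlan900
  description WAN routing segment shared with the F5
  no shutdown
  ip address 203.0.113.3/24        ! assumed address
  hsrp version 2
  hsrp 1
    preempt
    priority 100
    ip 203.0.113.1

! ---- Both peers: make sure the VLAN is carried on the vPC ----
interface port-channel9
  switchport
  switchport mode trunk
  switchport trunk allowed vlan add 900
  vpc 9

! ---- Verification on either peer ----
! show vpc consistency-parameters vpc 9   -> VLAN 900 must not show a mismatch
! show hsrp brief                         -> group 1 active on one peer, standby on the other
! show ip arp 203.0.113.1 vrf default     -> from the F5 side, confirm it resolves the VIP
```

The point of the change is that a frame entering DC-RTR-1 over vPC 9 no longer has to cross the peer link to reach an SVI on DC-RTR-2; DC-RTR-1 can route it locally, so the vPC loop-avoidance rule that blocks peer-link traffic from leaving a vPC member port never comes into play. After the change, repoint the F5's default gateway or route for this segment at the HSRP virtual IP rather than DC-RTR-2's interface address, otherwise a failure of DC-RTR-2 still takes the path down.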