NAT High Availability not using Virtual MAC Address

Stephen Craven
Level 4

We are attempting to use the NAT box-to-box high availability functionality that replaced the HSRP-based NAT failover in IOS 15.3. Unless we are doing something wrong it appears the routers respond for NAT'ed IP addresses with their physical MAC addresses instead of their shared, virtual MAC address.

Failover is accomplished using gratuitous ARPs, requiring the end device to update its ARP table. This behavior causes problems with some of our older equipment, which ignores gratuitous ARPs.

Our setup is shown below. We have a server with interfaces in two different VLANs (VLAN 100: 100.0.0.10 & VLAN 200: 200.0.0.20). The routers are NAT'ing both the source and destination IP addresses according to the following:
REAL IP         NAT'ed IP
200.0.0.20  <->  100.0.0.20
100.0.0.10  <->  200.0.0.10

The configuration we're using on router ONE is:

redundancy
 application redundancy
  group 1
   name HOPE
   preempt
   priority 105
   control GigabitEthernet0/0.666 protocol 1
   data GigabitEthernet0/0.666
   track 1 decrement 10
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 100.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 100
 redundancy group 1 ip 100.0.0.1 exclusive decrement 10
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 200.0.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 redundancy rii 200
 redundancy group 1 ip 200.0.0.1 exclusive decrement 10
!
ip nat inside source static 100.0.0.10 200.0.0.10 redundancy 1 mapping-id 123
ip nat outside source static 200.0.0.20 100.0.0.20 redundancy 1 mapping-id 234 add-route

A packet capture of this behavior can be seen here. Router ONE has MAC address ending in 29:F0 and router TWO has MAC address 2B:E8.

In addition to not using a shared virtual MAC address, it appears the failover is not seamless and the two routers fight over the NAT'ed IP address. For a short time the routers appear to be split-brain. This creates further problems as the new active router only sends one gratuitous ARP for the NAT'ed addresses. The soon-to-be standby router, which still thinks it's active, responds to the new active's gratuitous ARPs with gratuitous ARPs of its own. This means the end devices continue to use the MAC addresses of the soon-to-be standby router and ignore the gratuitous ARPs from the new active router.

Is there a way to get the two routers in the redundancy group to share a virtual MAC address for the NAT'ed IP addresses? 

If not, is there a way to get the failover to be seamless, without a period of split-brain?
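As an added example (not from the original post, its packet capture, or Cisco), a small Python script that parses ARP frames and flags a NAT'ed IP that is announced by gratuitous ARP from two different MAC addresses within a short window, which is the split-brain symptom described above. The full MAC addresses (only the 29:F0 / 2B:E8 endings come from the post), the timestamps and the frames themselves are constructed.

```python
import struct
from collections import defaultdict

def build_arp(src_mac, sender_ip, target_ip, opcode=2):
    """Build a constructed Ethernet II + ARP frame (broadcast destination).
    A gratuitous ARP has sender IP == target IP."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)        # htype, ptype, hlen, plen, op
    arp += bytes.fromhex(src_mac.replace(":", "")) + bytes(map(int, sender_ip.split(".")))
    arp += bytes(6) + bytes(map(int, target_ip.split(".")))      # target MAC (zeros), target IP
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not an ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    tip = ".".join(str(b) for b in frame[38:42])
    return opcode, smac, sip, tip

def find_garp_conflicts(frames, window=5.0):
    """Map each IP to the set of MACs that announced it via gratuitous ARP within
    `window` seconds of a different MAC announcing the same IP (split-brain sign)."""
    announcements = defaultdict(list)                            # ip -> [(ts, mac)]
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, smac, sip, tip = parsed
        if sip == tip:                                           # gratuitous: announces own IP
            announcements[sip].append((ts, smac))
    conflicts = {}
    for ip, events in announcements.items():
        events.sort()
        for i in range(1, len(events)):
            if events[i][1] != events[i - 1][1] and events[i][0] - events[i - 1][0] <= window:
                conflicts.setdefault(ip, set()).update({events[i - 1][1], events[i][1]})
    return {ip: sorted(macs) for ip, macs in conflicts.items()}

# Constructed sample: router ONE (...29:f0) and router TWO (...2b:e8) both claim 100.0.0.20,
# while 200.0.0.10 is announced by a single router only.
SAMPLE = [
    (0.0, build_arp("00:11:22:33:29:f0", "100.0.0.20", "100.0.0.20")),
    (0.4, build_arp("00:11:22:33:2b:e8", "100.0.0.20", "100.0.0.20")),
    (0.9, build_arp("00:11:22:33:29:f0", "100.0.0.20", "100.0.0.20")),
    (30.0, build_arp("00:11:22:33:29:f0", "200.0.0.10", "200.0.0.10")),
]

if __name__ == "__main__":
    print(find_garp_conflicts(SAMPLE))   # {'100.0.0.20': ['00:11:22:33:29:f0', '00:11:22:33:2b:e8']}
```

To run it against a real capture, feed `find_garp_conflicts` a list of `(timestamp, raw_frame)` pairs read from a pcap reader of your choice; an IP that appears in the result is being claimed by more than one physical MAC, as happens during the failover window described in the post.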
