Solved: Load balancing using IP NAT INSIDE DESTINATION

sarahr202 · ‎12-11-2016

SET UP:

R1 and R2 are acting as servers , hosting the identical contents. These servers from outside are represented by a single IP 100.100.100.100

All traffic ( TCP TELNET) destined to 100.100.100.100 arriving on g1/0 from OUTSIDE , must be load balanced across these R1 and R2 by R3-NAT router using " ip nat inside destination list 1 pool ZEE"

EXPECTED BEHAVIOR:

All traffic with destination IP 100.100.100.100 arriving on g1/0 ( IP NAT OUTSIDE)will be checked against NAT translation table first, if there is an entry, NAT will be performed accordingly and then resulting IP packet will be routed . If there is no ENTRY in NAT table, entry will be created, NAT will be performed on the arriving packet, then routing.

But this is not happening!!

Below I generate TCP traffic by teleneting 100.100.100.100, on R4 but R3 does not create a NAT entry in NAT table, thus the packet is discarded.

R3-NAT CONFIG:

interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
duplex full
!
interface GigabitEthernet1/0
ip address 34.34.34.3 255.255.255.0
ip nat outside
negotiation auto

ip nat pool ZEE 10.10.10.1 10.10.10.2 prefix-length 24
ip nat inside destination list 1 pool ZEE

access-list 1 permit 100.100.100.100

Debug ip nat detailed on R3 shows NAT is not even attempted:

R3#debug ip nat detailed
IP NAT detailed debugging is on
R3#

R4#telnet 100.100.100.100
Trying 100.100.100.100 ...
% Connection timed out; remote host not responding

What am I missing here?

Have a nice weekend!!

Reza Sharifi · ‎12-11-2016

Hi Sarah,

Hope you are doing well.

Can you add "type rotary" to the end and test again?

ip nat pool ZEE 10.10.10.1 10.10.10.2 prefix-length 24 type rotary

Also, can you post "sh run"?

Thanks,

Reza

View solution in original post

Reza Sharifi · ‎12-11-2016

Hi Sarah,

Glad to know its working for you now.

I think you are the seeing the correct behavior that only TCP traffic is being translated.

From the NAT documentation:

Destination Address Rotary Translation

A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done in a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect)

here is the link for more info:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Thanks,

Reza

View solution in original post

Reza Sharifi · ‎12-11-2016

Hi Sarah,

Hope you are doing well.

Can you add "type rotary" to the end and test again?

ip nat pool ZEE 10.10.10.1 10.10.10.2 prefix-length 24 type rotary

Also, can you post "sh run"?

Thanks,

Reza

sarahr202 · ‎12-11-2016

Hi Reza,

How are you doing?

Worked like a charm!!

I did see " rotary " type ( as name indicates) assign IP in round-robin fashion as expected.

But question is : if we do not use this option what behavior should one expect? In my example, if this option is not configured no load balancing occurs. IOS does logs a message" Unexpected behavior will result type rotary is missing"

Based on some blogs in Cisco support community, it only works for TCP, I am trying to find the answer why TCP only.

R4#telnet 100.100.100.100
Trying 100.100.100.100 ... Open

User Access Verification

Password:
R1-90>exit

[Connection to 100.100.100.100 closed by foreign host]

R4#telnet 100.100.100.100
Trying 100.100.100.100 ... Open

User Access Verification

Password:
R2-100>

Thanks and have a nice weekend!!

Reza Sharifi · ‎12-11-2016

Hi Sarah,

Glad to know its working for you now.

I think you are the seeing the correct behavior that only TCP traffic is being translated.

From the NAT documentation:

Destination Address Rotary Translation

A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done in a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect)

here is the link for more info:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Thanks,

Reza

sarahr202 · ‎12-11-2016

Thanks for the link, it answers my question.

have a nice weekend!!

Paul Chapman · ‎12-11-2016

Hi -

A few comments and questions...

Does R4 have a route in it's routing table to 100.100.100.100? (or default route)
Did you see this example?
A router is not a load balancer. Even if you get the NAT working, it is unlikely you will get the desired behavior.

PSC

sarahr202 · ‎12-11-2016

Does R4 have a route in it's routing table to 100.100.100.100? (or default route)

yes,

Did you see this example?

Thanks , i will see it

A router is not a load balancer. Even if you get the NAT working, it is unlikely you will get the desired behavior.

That is debatable, granted router main job is to route traffic, but over the years we have assigned other many functions such as: DHCP server, TFTP server, CME ( call processing agent) load balancing using NAT as in my example, to name the few . It is working as expected, though we can only load balance TCP , still trying to figure out why this limitation.

Appreciate your input, have a nice weekend!!

Load balancing using IP NAT INSIDE DESTINATION

ECMP load-balancing in Catalyst 9000

ASA/FTD: VPN Load Balancing の設定と確認例

RADIUS Load Balancing for ISE

Re: How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP

Re: ISE Deployment with Load Balancing