NAT High Availability not using Virtual MAC Address

Stephen Craven
Level 4

We are attempting to use the NAT box-to-box high availability functionality that replaced the HSRP-based NAT failover in IOS 15.3. Unless we are doing something wrong it appears the routers respond for NAT'ed IP addresses with their physical MAC addresses instead of their shared, virtual MAC address.

Failover is accomplished using gratuitous ARPs, requiring the end device to update its ARP table. This behavior causes problems with some of our older equipment, which ignores gratuitous ARPs.

Our setup is shown below. We have a server with interfaces in two different VLANs (VLAN 100: 100.0.0.10 & VLAN 200: 200.0.0.20). The routers are NAT'ing both the source and destination IP addresses according to the following:
REAL IP        NAT'ed IP
200.0.0.20 <-> 100.0.0.20
100.0.0.10 <-> 200.0.0.10

The configuration we're using on router ONE is:

redundancy
 application redundancy
  group 1
   name HOPE
   preempt
   priority 105
   ! Control and data traffic for the redundancy group run over the dedicated VLAN 666 subinterface
   control GigabitEthernet0/0.666 protocol 1
   data GigabitEthernet0/0.666
   track 1 decrement 10
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 100.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 100
 redundancy group 1 ip 100.0.0.1 exclusive decrement 10
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 200.0.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 redundancy rii 200
 redundancy group 1 ip 200.0.0.1 exclusive decrement 10
!
! Static NAT entries bound to redundancy group 1; the mapping-id identifies the same entry on both routers
ip nat inside source static 100.0.0.10 200.0.0.10 redundancy 1 mapping-id 123
ip nat outside source static 200.0.0.20 100.0.0.20 redundancy 1 mapping-id 234 add-route

A packet capture of this behavior can be seen here. Router ONE has MAC address ending in 29:F0 and router TWO has MAC address 2B:E8.

In addition to not using a shared virtual MAC address, it appears the failover is not seamless and the two routers fight over the NAT'ed IP address. For a short time the routers appear to be split-brain. This creates further problems, as the new active router only sends one gratuitous ARP for the NAT'ed addresses. The soon-to-be standby router, which still thinks it's active, responds to the new active's gratuitous ARPs with gratuitous ARPs of its own. This means the end devices continue to use the MAC addresses of the soon-to-be standby router and ignore the gratuitous ARPs from the new active router.

Is there a way to get the two routers in the redundancy group to share a virtual MAC address for the NAT'ed IP addresses? 

If not, is there a way to get the failover to be seamless, without a period of split-brain?
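One way to check a capture for the behaviour described in this post, added here as an example and not part of the original thread: it parses raw Ethernet/ARP frames and reports any NAT'ed IP that is announced by more than one MAC address in gratuitous ARPs, which is the split-brain signature described above. The frames and the full MAC addresses are constructed; only the :29:F0 / :2B:E8 endings and the NAT'ed IPs come from the post.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))
def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def build_garp(src_mac, ip):
    # Constructed gratuitous ARP reply: sender IP == target IP, addressed to the broadcast MAC.
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(src_mac), ip_bytes(ip),
                       b"\xff" * 6, ip_bytes(ip))
    return eth + arp
def parse_arp(frame):
    # Returns (sender_mac, sender_ip, target_ip, opcode), or None for short or non-ARP frames.
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    op, sha, spa, _, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)[4:]
    return (":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa)),
            ".".join(map(str, tpa)), op)

def find_mac_conflicts(frames, watched_ips):
    # For each watched (NAT'ed) IP, collect every distinct MAC that announced it in a
    # gratuitous ARP, in order seen. Two MACs for one IP means both routers think they are active.
    claims = defaultdict(list)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, spa, tpa, _ = parsed
        if spa == tpa and spa in watched_ips and mac not in claims[spa]:
            claims[spa].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample: only the ":29:f0" / ":2b:e8" endings and the NAT'ed IPs come from the post.
ROUTER_ONE, ROUTER_TWO = "00:00:0c:11:29:f0", "00:00:0c:11:2b:e8"
NATED_IPS = {"200.0.0.10", "100.0.0.20"}
SAMPLE_FRAMES = [build_garp(ROUTER_TWO, "200.0.0.10"),  # new active announces the NAT'ed IP
                 build_garp(ROUTER_ONE, "200.0.0.10"),  # old active answers with its own GARP
                 build_garp(ROUTER_TWO, "100.0.0.20"),
                 build_garp(ROUTER_ONE, "100.0.0.20"),
                 build_garp(ROUTER_ONE, "100.0.0.2")]    # router ONE's real address: not watched
CONFLICTS = find_mac_conflicts(SAMPLE_FRAMES, NATED_IPS)  # both NAT'ed IPs claimed by two MACs
```

To run it against a real capture, feed the raw frames (for example from a pcap reader) into find_mac_conflicts in place of SAMPLE_FRAMES.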

2 Replies

Mathias Bartz
Level 1

I have the same problem.

Does anybody have a solution for this?

I've tested an EEM script that provides similar functionality by monitoring HSRP on a different subinterface and turning up/down a BVI with a MAC address and IP address that's shared by the two routers. Since only one BVI is up at a time you get HSRP-like functionality with a virtual MAC address for NAT'ing.

! Global IRB configuration required for the BVIs below
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
!
interface BVI10
 ! Virtual MAC address shared by both routers
 mac-address 0000.dead.beef
 ! Virtual IP address, with this router's own address as secondary
 ip address 10.0.0.1 255.255.255.0
 ip address 10.0.0.2 255.255.255.0 secondary
 ip nat inside
 shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface BVI20
 ! Virtual MAC address
 mac-address 0000.abba.cafe
 ! Virtual IP address
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
 shutdown
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! HSRP group 40 on GigabitEthernet0/0.40 (configured separately, not shown) drives the failover
! Turn up BVIs when router becomes HSRP active
event manager applet NAT-FAILOVER-ON-HSRP
 event syslog pattern "HSRP-5-STATECHANGE: GigabitEthernet0/0.40 Grp 40 state .* -> Active"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface bvi 10"
 action 2.3 cli command "no shut"
 action 3.0 cli command "interface bvi 20"
 action 3.3 cli command "no shut"
 action 4.0 cli command "end"
! Turn down BVIs when router leaves HSRP active state, and drop stale translations
event manager applet NAT-REMOVAL-ON-HSRP
 event syslog pattern "HSRP-5-STATECHANGE: GigabitEthernet0/0.40 Grp 40 state Active -> "
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface bvi 10"
 action 2.3 cli command "shut"
 action 3.0 cli command "interface bvi 20"
 action 3.3 cli command "shut"
 action 4.0 cli command "end"
 action 5.0 cli command "clear ip nat trans *"
! Handle case where router is first booted and might have BVIs 'no shut' in config
event manager applet NAT-REMOVAL-ON-BOOT
 event syslog pattern "HSRP-5-STATECHANGE: GigabitEthernet0/0.40 Grp 40 state Speak -> Standby"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface bvi 10"
 action 2.3 cli command "shut"
 action 3.0 cli command "interface bvi 20"
 action 3.3 cli command "shut"
 action 4.0 cli command "end"