Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1078
Views
10
Helpful
5
Replies

NAT - MAC Conflict

snarayanaraju
Level 4
Level 4

‎08-04-2012 12:42 AM - edited ‎03-04-2019 05:10 PM

Hi Friends,

I am seeking your expert opinion to help me to troubleshoot the below scenario;

I have Internet connection in Ethernet Medium connected to a L2 Switch (Cisco 2960). I have 2 Routers (Cisco 2900). I have a webserver to be accessed from Internet. The physical IP address of the server is Private range.

I have configured Stateful NAT as below

157.220.100.61 is Static NAT to 10.1.1.3 using redundancy

Though HSRP is working good, when RTR-1 is down, I am not able to reach Webserver (10.1.1.3) using RTR-2

We found in the that ISP Switch, that even when RTR-1 is down, the MAC address for 157.220.100.61 is still present one pointing to RTR-1 and other pointing to RTR-2. There are 2 MAC address entries for 157.220.100.61

What is the mistake and what is the workaround. Can you help me

regards,

SAIRAM

Labels:
Preview file
78 KB
0 Helpful
5 Replies 5

John Blakley
VIP Alumni
VIP Alumni

‎08-04-2012 03:56 AM

What you should do is configure hsrp on the inside as well and make your vIP the default gateway for the server. Then you'll only have one vMAC associated to the vIP address that you have assigned and you're problem should be resolved.

HTH,

John

HTH, John *** Please rate all useful posts ***

snarayanaraju
Level 4
Level 4
In response to John Blakley

‎08-04-2012 11:09 AM

Thanks John,

Yes, I have HSRP configured in both Inside (LAN) interface and WAN interface. The problem is static nat Public IP address 157.220.100.61 is resolved with MAC address of both RTR-1 and RTR-2

Hope I have explained the problem correctly

Thanks in advance

regards

SAIRAM

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to snarayanaraju

‎08-05-2012 06:03 AM

Sairam,

Sorry for not getting back with you sooner. Okay, since you're running hsrp on the inside, how are you testing? If you're pulling the circuit leading to the ISP, the inside interface is still up. The server's default gateway is the vIP of the hsrp group and, assuming RTR-1 is the active for the group, RTR-2 never changes over to the active state for the LAN side interface but will for the WAN (if you're pulling the circuit). If that's the case, you'll need to configure ip sla and tracking for the standby group to relinquish the role of active on the lan side if the wan interface goes into standby. (More on this in a moment.)

The other issue is that you should have the same nat translation on both routers. I'll assume that you have that, so I'll put below what you can do for sla:

ip sla monitor 1

type echo protocol ipicmpecho 157.220.100.1

frequency 5

ip sla monitor schedule 1 start now life forever

track 1 rtr 1 reachability

int (This would go on the inside interface, not the outside toward ISP)

standby 1 track 1 decrement 10

The decrement command is to decrease the priority. The goal is to get the priority lower than standby for preempt to happen. Once the WAN circuit goes down, the router will know (because of the ping happening in the background) and tracking will fail. Once it fails, your outside interface will go into standby for natural causes and then you're internal will fail over because of the tracking failure. Try it out and let me know if you have any issues with it.

Thanks!

John

HTH, John *** Please rate all useful posts ***

snarayanaraju
Level 4
Level 4
In response to John Blakley

‎08-07-2012 12:00 AM

Hi John

Thank you very much for your support.You explained the IP SLA in a more precise way. I appreciate this.

IP SLA is already there. Let me explain the problem and my troubleshooting

Problem: Configured Stateful NAT for Static NAT. HSRP is in Inside (LAN). During HSRP failover, I am seeing 2 MAC address for the Same IP address one pointing to RTR-1 and other pointing to RTR-2. So, I am not able to reach the Servers behind the static NAT

0 Helpful

Tomas Fidler
Level 1
Level 1
In response to snarayanaraju

‎08-07-2012 02:19 AM

I see the problem... when you are doing static nat on both routers hsrp group name should be hsrp group name configured on internal (inside) nat interface...

try this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnthsrp.html

note that after change state of hsrp on a router to active... active router will generate few ARP packets with new information in translated direction (with static inside global address and physical mac of router interface... this way it should update information on ISP router.... what sees L2 switch in ARP is i hope not relevant.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card