02-02-2016 03:01 PM - edited 03-08-2019 04:26 AM
Hi, I've been using a guide ( http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html ) in an attempt to set up NAT BtoBHA in a test lab before deploying it to a production network with the same configuration. I'm fairly new to NATing and the BtoBHA is adding an extra level of complexity to it for me. The lab I've constructed consists of two 2901 routers (IOS 15.4) each with only two ports, two stacked 3750X's as the outside Network switches, and two trunked Dell 2248's as the internal switches. The production 2901's are only running IOS 15.0, and to my understanding that does not support SNAT HSRP nor B2BHA, so I'm not sure what to do about that since I don't have the licensing to upgrade the IOS to a newer version.
The final map will look like this:
           GW
          /  \
       FW1    FW2      (The ISP is unwilling to do NAT at this level and insists I do it on my routers)
        |      |
      3750A==3750B     (stacked)
    ------- demarc to isp ------------
        |      |       ( G0/1 interface on routers )
      2901A  2901B
        |      |       (many sub-interfaces on the 2901 G0/0 interface that are trunked on Dell switches)
      Dell1 ----- Dell2  ( trunked )
I'm thinking the configuration will look something like this:
2901A:
redundancy
 application redundancy
  group 1
   name RG1
   preempt
   priority 105
   ! control and data channel for RG1 on the VLAN 2 sub-interface of G0/0
   control GigabitEthernet0/0.2 protocol 1
   data GigabitEthernet0/0.2
!
! 2901 ports are GigabitEthernet; the guide's Ethernet0/x names are replaced to match the diagram (G0/0, G0/1)
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.2
 description Data and Control interface for B2BHA
 encapsulation dot1Q 2
 ip address 192.168.2.2 255.255.255.0
!
! inside sub-interfaces: VLAN ID assumed equal to the sub-interface number; each gets its own RII
! and a virtual IP that is owned by whichever box is active in group 1
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 10
 redundancy group 1 ip 192.168.10.1 exclusive decrement 100
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 20
 redundancy group 1 ip 192.168.20.1 exclusive decrement 100
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 30
 redundancy group 1 ip 192.168.30.1 exclusive decrement 100
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 40
 redundancy group 1 ip 192.168.40.1 exclusive decrement 100
!
! outside interface toward the 3750 stack / ISP demarc
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 redundancy rii 101
 redundancy group 1 ip 10.0.0.1 exclusive decrement 100
!
! static translations bound to RG1 so the active box owns them; identical lines go on both routers
ip nat inside source static 192.168.10.5 10.0.0.10 redundancy 1 mapping-id 120
ip nat inside source static 192.168.20.5 10.0.0.11 redundancy 1 mapping-id 120
ip nat inside source static 192.168.30.5 10.0.0.12 redundancy 1 mapping-id 120
ip nat inside source static 192.168.40.5 10.0.0.13 redundancy 1 mapping-id 120
2901B:
redundancy
 application redundancy
  group 1
   name RG1
   preempt
   ! no priority line: defaults to 100, so this box is standby while 2901A (105) is healthy
   control GigabitEthernet0/0.2 protocol 1
   data GigabitEthernet0/0.2
!
! 2901 ports are GigabitEthernet; the guide's Ethernet0/x names are replaced to match the diagram (G0/0, G0/1)
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.2
 description Data and Control interface for B2BHA
 encapsulation dot1Q 2
 ip address 192.168.2.3 255.255.255.0
!
! inside sub-interfaces: same VLAN ID (assumed), RII and virtual IP as on 2901A; only the real address differs
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 10
 redundancy group 1 ip 192.168.10.1 exclusive decrement 100
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 20
 redundancy group 1 ip 192.168.20.1 exclusive decrement 100
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 30
 redundancy group 1 ip 192.168.30.1 exclusive decrement 100
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 redundancy rii 40
 redundancy group 1 ip 192.168.40.1 exclusive decrement 100
!
! outside interface toward the 3750 stack / ISP demarc
interface GigabitEthernet0/1
 ip address 10.0.0.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 redundancy rii 101
 redundancy group 1 ip 10.0.0.1 exclusive decrement 100
!
! static translations must match 2901A line for line (same global address, redundancy group and mapping-id)
ip nat inside source static 192.168.10.5 10.0.0.10 redundancy 1 mapping-id 120
ip nat inside source static 192.168.20.5 10.0.0.11 redundancy 1 mapping-id 120
ip nat inside source static 192.168.30.5 10.0.0.12 redundancy 1 mapping-id 120
ip nat inside source static 192.168.40.5 10.0.0.13 redundancy 1 mapping-id 120
The problem is the documentation seems to be rather simple, and I'm finding this configuration to be much more complex than the documentation explains. So I have many questions and uncertainties, and I am not wholly certain the above configuration will even work.
1) Can I use a sub-interface going through a vlan on the dell switches as the control/data interface for the B2BHA, or will I need to find an extra HWIC for each router to use as a direct link between the two?
2) Does B2BHA perform all the functions of HSRP while doing NATing?
3) Am I correct in assuming that I can assign each sub-interface a different RII and have it work in the redundancy group?
4) The documentation says I can use the command ( rtr(config-red-app-grp)# track [object-number] decrement [value] ) to track interfaces and expedite fail-over if they should go down. The problem is there is no explanation as to what the "object-number" is. The options for it are 1-255, but I have no idea where they are getting it from. I've tried using the interface if-index numbers to no avail, so I'm not sure what that number is. Can someone please explain?
5) If I have to get a new HWIC to support the data/control link for the B2BHA, would it make more sense to get an 8 port gig switchpack (that has a 1gb backplane but will process vlans in software) or continue to use the 1g interface (with 800mbps backplane) with configured sub-interfaces when it comes to system resource overhead, since the router will have access lists, routing, NATing, Vlan routing, and B2BHA processing to deal with?
6) If I have to get a new HWIC, I may get the GB 8 port EHWIC and a single 1GB HWIC as well. Does anyone know if the 2901 will support those together? The documentation only says that it will support 1x 8port, 2x 4port, and 4x 1port HWICs... it does not however discuss combinations of different HWICs.
7) Is there any way in B2BHA to have various vlans routed in an ( active/secondary <-> secondary/active ) manner, or can it only be implemented as an entire router is active/secondary?
02-03-2016 12:52 AM
I don't know the answers, but I know I would:
Handling fail-over on interface failure must be tricky if the interface you are trying to fail over is also your control channel.
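The pairing rules the two configs in the question have to satisfy, together with the point made in the reply above (the control/data channel should not sit on an interface whose failure the group has to arbitrate), as an added example that is not part of the thread and is not Cisco's code: a Python checker that parses the interface, static-NAT and redundancy-group stanzas of two IOS configs (the pasted form without indentation parses the same way) and reports every mismatch it finds. The sample configs are constructed here from the layout in the question, trimmed to one inside sub-interface; parse_ios, check_pair and build_config are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

STATIC_NAT = r"ip nat inside source static (\S+) (\S+) redundancy (\d+) mapping-id (\d+)$"
IF_FIELDS = {  # per-interface settings that must pair up across the two routers
    "ip": r"ip address (\S+) \S+$",
    "nat": r"ip nat (inside|outside)$",
    "rii": r"redundancy rii (\d+)$",
    "vip": r"redundancy group \d+ ip (\S+)",
}
RG_FIELDS = {  # application-redundancy group settings
    "control_if": r"control (\S+) protocol \d+$",
    "data_if": r"data (\S+)$",
    "priority": r"priority (\d+)$",
}

@dataclass
class RouterConfig:
    interfaces: dict = field(default_factory=dict)  # name -> {"ip", "nat", "rii", "vip"}
    static_nat: set = field(default_factory=set)    # (inside addr, global addr, rg, mapping-id)
    control_if: Optional[str] = None
    data_if: Optional[str] = None
    priority: int = 100  # IOS default when no "priority" line is given

def parse_ios(text: str) -> RouterConfig:
    """Extract interface, static-NAT and redundancy-group settings from IOS config text."""
    cfg, cur = RouterConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = cfg.interfaces.setdefault(line.split()[1], {})
            continue
        m = re.match(STATIC_NAT, line)
        if m:
            cur = None
            cfg.static_nat.add((m[1], m[2], int(m[3]), int(m[4])))
            continue
        if line == "redundancy":
            cur = None
        for attr, pat in RG_FIELDS.items():
            m = re.match(pat, line)
            if m:
                setattr(cfg, attr, int(m[1]) if attr == "priority" else m[1])
        for attr, pat in (IF_FIELDS.items() if cur is not None else ()):
            m = re.match(pat, line)
            if m:
                cur[attr] = int(m[1]) if attr == "rii" else m[1]
    return cfg

def check_pair(a: RouterConfig, b: RouterConfig, labels=("A", "B")) -> list:
    """Return pairing problems as strings; an empty list means the pair is consistent."""
    problems = []
    for cfg, label in zip((a, b), labels):
        # The RG channel should not ride on an interface whose failure it has to arbitrate.
        for ifn in sorted({cfg.control_if, cfg.data_if} - {None}):
            nat = cfg.interfaces.get(ifn, {}).get("nat")
            if nat:
                problems.append(f"{label}: control/data interface {ifn} is also a NAT {nat} interface")
        riis = [i["rii"] for i in cfg.interfaces.values() if "rii" in i]
        for dup in sorted({r for r in riis if riis.count(r) > 1}):
            problems.append(f"{label}: RII {dup} is used on more than one interface")
    nat_ifs = [{n for n, i in c.interfaces.items() if i.get("nat")} for c in (a, b)]
    for n in sorted(nat_ifs[0] ^ nat_ifs[1]):
        problems.append(f"{n}: NAT interface configured on only one router")
    for n in sorted(nat_ifs[0] & nat_ifs[1]):
        ia, ib = a.interfaces[n], b.interfaces[n]
        for key, what in (("rii", "RII"), ("vip", "redundancy-group virtual IP")):
            if ia.get(key) is None or ia.get(key) != ib.get(key):
                problems.append(f"{n}: {what} differs ({ia.get(key)} vs {ib.get(key)})")
        if ia.get("ip") is not None and ia.get("ip") == ib.get("ip"):
            problems.append(f"{n}: both routers use the same real address {ia['ip']}")
    if a.static_nat != b.static_nat:
        problems.append("static NAT translations (incl. redundancy/mapping-id) differ between routers")
    if a.priority == b.priority:
        problems.append(f"both routers have redundancy-group priority {a.priority}; raise it on the preferred active box")
    return problems

def build_config(host_octet: int, priority: Optional[int] = None,
                 ctl_if: str = "GigabitEthernet0/0.2", rii_inside: int = 10) -> str:
    """Constructed sample in the layout of the question, trimmed to one inside sub-interface."""
    prio = "" if priority is None else f"   priority {priority}\n"
    return (
        f"redundancy\n application redundancy\n  group 1\n   name RG1\n   preempt\n{prio}"
        f"   control {ctl_if} protocol 1\n   data {ctl_if}\n"
        f"interface GigabitEthernet0/0.2\n ip address 192.168.2.{host_octet} 255.255.255.0\n"
        f"interface GigabitEthernet0/0.10\n ip address 192.168.10.{host_octet} 255.255.255.0\n"
        f" ip nat inside\n ip virtual-reassembly in\n redundancy rii {rii_inside}\n"
        " redundancy group 1 ip 192.168.10.1 exclusive decrement 100\n"
        f"interface GigabitEthernet0/1\n ip address 10.0.0.{host_octet} 255.255.255.0\n"
        " ip nat outside\n ip virtual-reassembly in\n redundancy rii 101\n"
        " redundancy group 1 ip 10.0.0.1 exclusive decrement 100\n"
        "ip nat inside source static 192.168.10.5 10.0.0.10 redundancy 1 mapping-id 120\n"
    )

if __name__ == "__main__":
    ok = check_pair(parse_ios(build_config(2, priority=105)), parse_ios(build_config(3)))
    # Second box misconfigured: RG channel on the outside NAT interface, wrong RII, equal priority.
    bad_b = build_config(3, priority=105, ctl_if="GigabitEthernet0/1", rii_inside=20)
    bad = check_pair(parse_ios(build_config(2, priority=105)), parse_ios(bad_b))
    print("consistent pair:", ok or "no problems")
    print("misconfigured pair:", *bad, sep="\n  ")
```

For a real pair, feed the text of show running-config from each box to parse_ios; the patterns only cover the stanzas shown in the question, so anything else in the config is ignored. The first check is the reply's concern: a control/data interface that also carries ip nat inside or ip nat outside is one whose failure takes the arbitration channel down with it.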
02-03-2016 10:53 AM
Hmm good point about it not being ideal for the data/control interface to traverse the failover port being managed. I guess I'll have to obtain an HWIC for each router then. Just wish I knew which HWIC setup would be best resource wise.
As far as SmartNET coverage, that isn't up to me unfortunately. I'll trade out the routers for my lab routers with the 15.4 code if I can't get the coverage.
02-03-2016 11:00 AM
You'll probably want to get a pair of EHWIC-1GE-SFP-CU or a 4 port switch module, EHWIC-4ESG.
I often use the switch ports as you get 4 ports at a time. You have to create VLAN interfaces to access them, but in the big scheme that is not such a big deal. The switch port module would also allow you to dual connect the data/control plane. It would use spanning tree to disable the second port, so not the best - but it should not need to kick in very often.