HSRP : routers respond with virtual mac AND physical mac to ARP requests

Frank__77

Hello.

I've noticed a very strange behaviour on my two Cisco 2621s with HSRP configured.

But first, here is a simplified diagram of my current network.

[Figure: HSRP.GIF (network diagram)]

1. Summary

- IOS version: 12.2(37)

- Image file: c2600-ik9o3s-mz.122-37.bin

- R1 is the active router.

- Both have tagged subinterfaces: f0/0.10 & f0/0.60

- NAT functionality is enabled.

     - f0/0.10 is configured as outside.

     - f0/0.60 is configured as inside.

2. Configuration samples

R1

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 service-policy output parent_out_internet
 no ip mroute-cache
 standby 10 ip 192.168.0.2
 standby 10 priority 120
 standby 10 preempt
!
interface FastEthernet0/0.60
 encapsulation dot1Q 60
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 standby 60 ip 192.168.1.1
 standby 60 priority 120
 standby 60 preempt
!
....
ip nat pool ovrld 192.168.0.2 192.168.0.2 prefix-length 24
ip nat inside source list internet pool ovrld overload

R2

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.0.253 255.255.255.0
 ip nat outside
 service-policy output parent_out_internet
 no ip mroute-cache
 standby 10 ip 192.168.0.2
 standby 10 preempt
!
interface FastEthernet0/0.60
 encapsulation dot1Q 60
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 standby 60 ip 192.168.1.1
 standby 60 preempt
!
....
ip nat pool ovrld 192.168.0.2 192.168.0.2 prefix-length 24
ip nat inside source list internet pool ovrld overload

3. Events

- When HSRP first comes up, or when there is a topology change, the active router sends correct gratuitous ARP replies (with the virtual MAC address).

- The ARP table on the Internet router is filled in.

- When that ARP entry expires, the Internet router sends an ARP request for the MAC address of the virtual IP (192.168.0.2).

- R1 responds with the virtual MAC address ---- BUT ---- R2 also responds, with its physical MAC address!

- So packets are sent to the wrong router (R2), which can't route them because its NAT table is not up to date. I don't even have a NAT command to synchronize NAT sessions between the routers. But anyway, that would not solve my issue.

It occurs only on the NAT (outside) interface. On the other virtual interfaces it behaves as expected.

I don't have any explanation for this behaviour.

For the moment, I have to keep R2 offline and bring it back online in case of failure.

I tried several workarounds, but I can filter ARP packets neither on my router (no such function) nor on my switch (too restrictive).

If I forgot any information, please ask me.

Any help would be very much appreciated.
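The symptom described in the post, two ARP replies for the same IP carrying different MAC addresses, is exactly what an ARP-spoofing detector looks for, so a capture on the outside VLAN is the quickest way to confirm which box is answering. The following is an added example, not code from the original post or from Cisco: it parses raw Ethernet/ARP frames, records every MAC that claims each IP, and flags (a) any IP claimed by more than one MAC and (b) any HSRP virtual IP answered with something other than the well-known HSRP v1 virtual MAC 0000.0c07.acXX (XX = group number, so group 10 is 0000.0c07.ac0a and group 60 is 0000.0c07.ac3c). The sample frames are constructed inline; the two "physical" MACs in them are invented placeholders, not the poster's real hardware addresses.

```python
"""Flag conflicting ARP replies on an HSRP segment (added example, not from the post)."""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
# Cisco HSRP v1 virtual MAC prefix: 0000.0c07.ac + one byte of group number.
HSRP_V1_PREFIX = bytes.fromhex("00000c07ac")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def hsrp_vmac(group: int) -> str:
    """Well-known HSRP v1 virtual MAC for a standby group (0-255)."""
    return fmt_mac(HSRP_V1_PREFIX + bytes([group]))


def build_arp_reply(sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Build an Ethernet II + ARP reply frame (used here only to construct sample traffic)."""
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + spa + target_mac + tpa
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP reply, else None."""
    if len(frame) < 42:          # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha = fmt_mac(frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return sha, spa


def audit_arp_replies(frames: List[bytes], vips: Dict[str, str]) -> List[str]:
    """Return findings: VIPs answered by a non-virtual MAC, and IPs claimed by several MACs."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    findings: List[str] = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        claims[ip].add(mac)
        if ip in vips and mac != vips[ip]:
            findings.append(f"{ip}: ARP reply from {mac}, expected HSRP virtual MAC {vips[ip]}")
    for ip, macs in claims.items():
        if len(macs) > 1:
            findings.append(f"{ip}: claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
    return findings


# Virtual IPs from the post mapped to the HSRP virtual MAC for their group number.
HSRP_VIPS = {"192.168.0.2": hsrp_vmac(10), "192.168.1.1": hsrp_vmac(60)}

# Constructed sample traffic. Physical MACs are placeholders (assumption, not real data).
R1_PHYS = bytes.fromhex("001b2c3d4e01")   # hypothetical
R2_PHYS = bytes.fromhex("001b2c3d4e02")   # hypothetical
INET_RTR = bytes.fromhex("0050561a2b3c")  # hypothetical Internet router
SAMPLE_FRAMES = [
    # R1 (active) answers for the VIP with the group-10 virtual MAC: correct.
    build_arp_reply(HSRP_V1_PREFIX + b"\x0a", "192.168.0.2", INET_RTR, "192.168.0.1"),
    # R2 (standby) also answers for the VIP, but with its physical MAC: the reported bug.
    build_arp_reply(R2_PHYS, "192.168.0.2", INET_RTR, "192.168.0.1"),
    # R1 answering for its own interface address: benign.
    build_arp_reply(R1_PHYS, "192.168.0.254", INET_RTR, "192.168.0.1"),
]


def run_sample() -> List[str]:
    return audit_arp_replies(SAMPLE_FRAMES, HSRP_VIPS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

To use it on a real capture, replace SAMPLE_FRAMES with the raw frames read from a pcap of the outside VLAN (for example via a SPAN port); the two checks are independent, so a VIP answered only by its correct virtual MAC produces no finding even if the capture also contains ordinary replies for the routers' physical addresses.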
