Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
0
Helpful
2
Replies

NATing to the virtual MAC address of an HSRP group problems...

blakem
Level 1
Level 1

‎10-07-2005 03:13 AM - edited ‎03-05-2019 11:39 AM

Hello

I have a problem where I need to NAT various IP addresses, and need the NATd addresses to carry the virtual MAC address of the HSRP group on the onward travels..

By default, with the Cisco 871's I'm using, the packets are NATd, but carry the MAC address of the external interface.. not the virtual MAC address.

The problem is that when I failover to the standby 871, the packets will then have the MAC address of the standby (new active) 871. This causes problems because my next hop doesn't update its ARP tables (very infrequent updates).

The next hop will accept packets NATd by the standby (now live), but will continue to send reply (eg ICMP) to the live (now standby) because it hasn't updated its ARP table.

I know that I can create a NAT pool with the virtual IP address as the only member of the pool. Packets will then have the virtual MAC address, and the problem will be fixed, but if I need to NAT IP addresses to *different* NATd addresses, then I would have to create multiple HSRP groups, with different virtual IP's and MAC's, and then create multiple NAT pools...

If I can't get my next hop (which I have minimal control over) to refresh/update it's ARP table, then I will consider the multiple HSRP group config, but before I try that I would like to know whether I would be able to have multiple virtual IP's and MAC's on a single interface. Apparently there was a problem with the Catalyst 2500/4500 series where the same MAC address would be used for all HSRP groups, and you had to use burned-in MAC addresses for HSRP groups.. which wouldn't provide a solution in this case..

Any ideas on how to fix this would be greatly appreciated. BTW I have proxy-arp on external interface, and gratuitous arp.

My software version is:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI1, RELEASE SOFTWARE (fc1)

Synched to technology version 12.3(10.3)T2

Many thanks,

Michael Blake.

Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎10-08-2005 04:25 AM

Hello Michael,

you might want to have a look at the documents below, describing two techniques developed for the problem of NAT in an HSRP environement:

NAT Stateful Failover of Network Address Translation.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

NAT Static Mapping Support with HSRP for High Availability

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnthsrp.htm

Regards,

GP

0 Helpful

blakem
Level 1
Level 1
In response to Georg Pauwen

‎10-10-2005 01:47 AM

Hi GP

Thanks for your response. The articles were interesting and I think I can gain from the second one, as I am doing static mapping.

I actually figured out a solution to my problem.

I needed to use a virtual MAC address for the outside HSRP group, and create ARP aliases for all of the static IP addresses. By doing this, all the packets get NAT'd to the correct IP address, and get the virtual MAC address, so if one of the routers fails, the return packets will go to the new live router..

Much easier than creating multiple NAT pools with HSRP IP addresses as their only NAT address, and then using one NAT pool/HSRP group per IP address that I need NAT'd!!!

Thanks for your help.

Kind regards,

Michael.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card