12-18-2017 10:31 PM - edited 03-08-2019 01:09 PM
Dear support all,
I am a little curious why Dynamic NAT with HSRP normally does not require the NAT redundancy option. More details are below. I would like to know the specification and related documentation regarding the following results.
[topology]
INSIDE HSRP Act OUTSIDE
|-----Fa0---C891FJ--Gi8-----|
Cat3560G-----HSRP vip.254 -----Cat2960X
|-----Gi0/9-C841M---G0/8----|
INSIDE HSRP Stb OUTSIDE
C891FJ - IOS Ver. 15.4(3)M5
C841M - IOS Ver. 15.6(2)T1
################################################################################################################################
Case 1 - Static NAT -> IP duplicate messages appear when static NAT is configured with HSRP.
(config)
ip nat inside source static 10.0.10.11 10.0.20.11
C891FJ#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.20.11 - 0000.1111.1111 ARPA GigabitEthernet8
*Dec 19 06:19:14.179: %IP-4-DUPADDR: Duplicate address 10.0.20.11 on GigabitEthernet8, sourced by 0000.2222.2222
C841M#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.20.11 - 0000.2222.2222 ARPA GigabitEthernet0/8
*Dec 19 06:11:00.127: %IP-4-DUPADDR: Duplicate address 10.0.20.11 on GigabitEthernet0/8, sourced by 0000.1111.1111
C891FJ#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 10.0.20.11 10.0.10.11 --- ---
C841M#sh ip nat translations
*Dec 19 06:11:53.839: %SYS-5-CONFIG_I: Configured from console by console
Pro Inside global Inside local Outside local Outside global
--- 10.0.20.11 10.0.10.11 --- ---
[W/A]
ip nat inside source static 10.0.10.11 10.0.20.11 redundancy HSRP
################################################################################################################################
Case 2 - Dynamic NAT -> Duplicate messages do not appear, and it is not possible to configure the NAT redundancy option. Normally no further configuration is needed?
(config)
ip nat pool POOL 10.0.20.11 10.0.20.20 netmask 255.255.255.0
ip nat inside source list 1 pool POOL
access-list 1 permit any
Cat3560G#ping 10.0.20.4 repeat 1
C891FJ#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.20.11 - 0000.1111.1111 ARPA GigabitEthernet8
C841M#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
C891FJ#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.0.20.11:36 10.0.10.11:36 10.0.20.4:36 10.0.20.4:36
C841M#sh ip nat translations
################################################################################################################################
Best Regards,
Masanobu Hiyoshi
12-19-2017 02:57 AM
Hello,
You have a very nice question at hand :)
When routers create a NAT entry, they also create an ARP entry for the translated IP address. This is because the translated IP address may fall within the IP range of the outgoing interface. In that case, to the hosts on the outgoing interface, the translated IP address would be just an IP address from their own range, and they would need to resolve it using ARP to be able to talk to it.
With static NAT, you are creating the translation entry unconditionally, including the ARP entry, whether the packets flow through that router or not. Obviously, if you do it on two or more routers that share the same uplink to the internet (the same outgoing network), this will result in messages about duplicate addresses, as all routers will send out a gratuitous ARP message for this translated IP, causing each other to believe that the address is in conflict. This is properly resolved by referencing the redundancy name, which causes the NAT translation entry and ARP entry to be set up only if the router is HSRP Active.
For dynamic NAT, this is not necessary. With dynamic NAT, the actual translation entry and the ARP entry are created only when the router first handles a matching packet - here, the entries are not set up by configuration as opposed to static NAT, but rather by actual packet flows. Because there can be only one HSRP Active router in a standby group at a time, and thus the packets will only flow through one router at a time, only one router at a time will be instantiating the NAT+ARP entries, and so there will be no conflict reported. As you can see, referencing the redundancy name here would not make much sense anyway.
So the difference is given by the fact that in static NAT, the NAT+ARP entries are set up statically and unconditionally, regardless of which router is Active, while with dynamic NAT, the NAT+ARP entries are set up only on the particular router that handles the packet flow, and since that can only ever be the HSRP Active, there will only be one router having those entries created.
Naturally, there can be situations where the Active role moves over to a different router, which will then create its own NAT+ARP entries for dynamic NAT while the previous Active router still has those entries; this might indeed result in even dynamic NAT temporarily reporting address conflicts. These would be resolved after some time, though, when the former Active router expires the NAT+ARP entries, and this could possibly be sped up by using a simple EEM script that would be started any time the role changed from Active to something else and would clear the NAT entries.
Feel welcome to ask further!
Best regards,
Peter
12-21-2017 07:48 PM
Hello Peter,
Thank you very much! Actually, it has taken me quite a while to understand
your precious information. Now I am getting all of it!!
So now I think the solutions below might address the IP address conflicts when a GARP is sent out to the NAT outside.
- 1. Adjust NAT entry timeout asap.
- 2. EEM script to execute "clear ip nat translation *" command when HSRP failover/preempt.
- 3. Different Dynamic NAT pool on each router.
- 4. Different network subnet for NAT outside on each router.
- 5. Any special solution? :)
In my opinion, solution 1 must wait for the timeout, and while the NAT entry is kept the conflicts still happen; solutions 3 & 4 are design and policy matters, so they depend on the customer's situation. Finally, my conclusion is that the EEM script is the on-demand solution when the conflicts happen; this is much better than the others, right?
Best Regards,
Masanobu Hiyoshi
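The EEM approach that Peter suggests above and that Masanobu lists as option 2 can be written as an IOS EEM applet triggered by the HSRP state-change syslog. The following is an added example, not configuration from the thread or from Cisco; it assumes HSRP group 1 on the inside interface (Fa0 on the C891FJ), the group name HSRP (the same name the static NAT workaround references with `redundancy HSRP`), and the virtual IP 10.0.10.254 from the topology. On the C841M the interface in the syslog pattern would be GigabitEthernet0/9 instead.

```cisco
! Added example (not from the thread). Assumed values: HSRP group 1 on
! FastEthernet0, group name "HSRP", virtual IP 10.0.10.254.
interface FastEthernet0
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.10.254
 standby 1 name HSRP
 standby 1 preempt
!
! Static NAT: bind the translation (and its ARP entry) to the HSRP group so
! only the Active router installs it. The name after "redundancy" must match
! the "standby 1 name" above.
ip nat inside source static 10.0.10.11 10.0.20.11 redundancy HSRP
!
! Dynamic NAT: no redundancy keyword is accepted; entries appear only on the
! router that forwards the flow, i.e. the current Active.
ip nat pool POOL 10.0.20.11 10.0.20.20 netmask 255.255.255.0
ip nat inside source list 1 pool POOL
access-list 1 permit any
!
! When this router stops being Active (Active -> Speak, Active -> Init, ...),
! flush its dynamic translations so the ARP entries for the translated
! addresses disappear before the new Active router creates its own.
! The pattern is a regular expression matched against the syslog text.
event manager applet NAT-FLUSH-ON-HSRP-LOSS
 event syslog pattern "%HSRP-5-STATECHANGE: FastEthernet0 Grp 1 state Active -> "
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Cleared NAT translations after leaving HSRP Active on Grp 1"
```

Two caveats: `clear ip nat translation *` also drops any translations that are still in use on the former Active router, which is acceptable here only because, as the later reply notes, the new Active router has no copy of those dynamic translations anyway; and the applet reacts to a syslog line, so `logging buffered` (or any logging target) must be enabled for the pattern to be seen.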
02-22-2018 04:22 PM
Hello Masanobu,
Why Dynamic NAT with HSRP does not require NAT redundancy option?
If you are also using dynamic address translation, all these translations are lost when the active router fails. This can cause connectivity problems. SNAT can even work with HSRP; see that section. Static NAT redundancy with HSRP provides redundancy for only static translations, not dynamic translations. With SNAT and HSRP, redundancy can be provided for both types of translations. The VRF-Aware Dynamic NAT Mapping with HSRP feature supports stateless redundancy using HSRP with dynamic Network Address Translation (NAT).