IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S
Configuring NAT for High Availability

This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient IP networks. This network resiliency is required where application connectivity needs to continue unaffected by failures to links and routers at the NAT border.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring NAT for High Availability

To understand how high availability is implemented on Cisco ASR 1000 Series Aggregation Services Routers, see the “High Availability Overview” module in the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide.

Restrictions for Configuring NAT for High Availability

  • Using any IP address that is configured on a device as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface, and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.
  • Virtual routing and forwarding (VRF) NAT with Hot Standby Router Protocol (HSRP) is not supported.
  • Static NAT mappings must be mirrored on two or more HSRP devices, because the NAT state is not exchanged between devices running NAT in an HSRP group.
  • If you configure both HSRP devices with the same static NAT and the hsrp keyword to link these devices to the same HSRP group is not configured, the behavior of the devices will be unpredictable.

Information About Configuring NAT for High Availability

Static Mapping Support with HSRP for High Availability Feature Overview

When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the device, NAT responds with the burned-in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two devices act as the Hot Standby Router Protocol (HSRP) active and standby. You must enable and configure the NAT inside interfaces of the active and standby devices to belong to a group.

Address Resolution with ARP

A device in IP can have both a local address (which uniquely identifies the device on its local segment or LAN) and a network address (which identifies the network to which the device belongs). The local address is more properly known as a data link address because it is contained in the data link layer (Layer 2 of the OSI model) part of the packet header and is read by data-link devices (bridges and all device interfaces, for example). The local address is referred to as the MAC address, because the MAC sub-layer within the data link layer processes addresses for the layer.

To communicate with a device on Ethernet, for example, the Cisco IOS software first must determine the 48-bit MAC or local data-link address of that device. The process of determining the local data-link address from an IP address is called address resolution. The process of determining the IP address from a local data-link address is called reverse address resolution.

The software uses three forms of address resolution: Address Resolution Protocol (ARP), proxy ARP, and Probe (similar to ARP). The software also uses the Reverse Address Resolution Protocol (RARP). ARP, proxy ARP, and RARP are defined in RFCs 826, 1027, and 903, respectively. Probe is a protocol developed by the Hewlett-Packard Company (HP) for use on IEEE-802.3 networks.

ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated media address. Once a media or MAC address is determined, the IP address or media address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP).

How to Configure NAT for High Availability

Configuring NAT Static Mapping Support for HSRP

When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the router, NAT responds with the burned-in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two routers act as HSRP active and standby. Their NAT inside interfaces must be enabled and configured to belong to a group.

Benefits of Configuring Static Mapping Support for HSRP are the following:

  • Using static mapping support for HSRP, failover is ensured without having to time out and repopulate upstream ARP caches in a high-availability environment, where HSRP router pairs have identical NAT configuration for redundancy.
  • Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.

Both of the following tasks are required and must be performed on both the active and standby routers to configure NAT static mapping support for HSRP:

Enabling HSRP on the NAT Interface

Perform this task to enable HSRP on the NAT interface of both the active and standby routers.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type number

    4.    ip address ip-address mask

    5.    no ip redirects

    6.    ip nat {inside | outside}

    7.    standby [group-number] ip [ip-address [secondary]]

    8.    standby [group-number] preempt

    9.    standby [group-number] ip [ip-address | secondary]

    10.    standby [group-number] name [group-name]

    11.    standby [group-number] track interface-number

    12.    end

    13.    show standby

    14.    show ip nat translations [verbose]


DETAILED STEPS
     Command or Action | Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables higher privilege levels, such as privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface type number


    Example:
    Device(config)# interface gigabitethernet 1/1/1 
     

    Configures an interface and enters interface configuration mode.

     
    Step 4 ip address ip-address mask


    Example:
    Device(config-if)# ip address 192.168.1.27 255.255.255.0 
     

    Sets the primary IP address on the interface.

     
    Step 5 no ip redirects


    Example:
    Device(config-if)# no ip redirects
     

    Disables the sending of redirect messages.

     
    Step 6 ip nat {inside | outside}


    Example:
    Device(config-if)# ip nat inside
     

    Connects the interface to the inside network.

     
    Step 7 standby [group-number] ip [ip-address [secondary]]


    Example:
    Device(config-if)# standby 10 priority 105
     

    Enables the HSRP protocol.

     
    Step 8 standby [group-number] preempt


    Example:
    Device(config-if)# standby 10 preempt
     

    Configures HSRP preemption.

     
    Step 9 standby [group-number] ip [ip-address | secondary]


    Example:
    Device(config-if)# standby 10 ip 192.168.5.30 
     

    Enables the HSRP protocol.

     
    Step 10 standby [group-number] name [group-name]


    Example:
    Device(config-if)# standby 10 name HSRP1 
     

    Sets the HSRP group name.

     
    Step 11 standby [group-number] track interface-number


    Example:
    Device(config-if)# standby 10 track gigabitethernet1/1/1
     

    Configures HSRP to track an object and to change the hot standby priority on the basis of the state of the object.

     
    Step 12 end


    Example:
    Device(config-if)# end
     

    Exits interface configuration mode and returns to privileged EXEC mode.

     
    Step 13 show standby


    Example:
    Device# show standby
     

    (Optional) Displays HSRP information.

     
    Step 14 show ip nat translations [verbose]


    Example:
    Device# show ip nat translations verbose
     

    (Optional) Displays active NAT translations.

     

    Enabling Static NAT for HSRP

    Before You Begin

    To enable static mapping support with HSRP for high availability, perform this task on both the active and standby devices.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ip nat inside source static local-ip global-ip redundancy group-name

      4.    ip classless

      5.    ip route prefix mask interface-type interface-number

      6.    no ip http server

      7.    end

      8.    show ip nat translations [verbose]


    DETAILED STEPS
       Command or Action | Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

      Step 2 configure terminal


      Example:
      Device# configure terminal

      Enters global configuration mode.
       
      Step 3 ip nat inside source static local-ip global-ip redundancy group-name


      Example:
      Device(config)# ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
       

      Enables a device to respond to Address Resolution Protocol (ARP) queries using BIA MAC, if HSRP is configured on the NAT inside interface.

       
      Step 4 ip classless


      Example:
      Device(config)# ip classless
       

      Enables a device to forward packets that are destined for a subnet of a network that has no network default route, to the best supernet route possible.

       
      Step 5 ip route prefix mask interface-type interface-number


      Example:
      Device(config)# ip route 10.10.10.0 255.255.255.0 gigabitethernet 0/0/0
       

      Establishes static routes.

       
      Step 6 no ip http server


      Example:
      Device(config)# no ip http server


      Disables the HTTP server on your IP system.

       
      Step 7 end


      Example:
      Device(config)# end
       

      Exits global configuration mode and returns to privileged EXEC mode.

       
      Step 8 show ip nat translations [verbose]


      Example:
      Device# show ip nat translations verbose
       

      (Optional) Displays active NAT translations.

       

      Configuration Example for NAT for High Availability

      Example: Configuring Static NAT in an HSRP Environment

      The following example shows support for NAT with a static configuration in an HSRP environment. Two devices act as HSRP active and standby, and the NAT inside interfaces are HSRP enabled and configured to belong to group HSRP1.

      Active Device Configuration

      interface BVI10
       ip address 192.168.5.54 255.255.255.0
       no ip redirects
       ip nat inside
       ! HSRP group 10; its name (HSRP1) is what the static NAT rule references
       standby 10 priority 105 preempt
       standby 10 name HSRP1
       standby 10 ip 192.168.5.30
       standby 10 track gigabitethernet1/1/1
      !
      !
      ip default-gateway 10.0.18.126
      ! Static mapping tied to HSRP group HSRP1
      ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
      ip classless
      ip route 10.10.10.0 255.255.255.0 gigabitethernet1/1/1
      ip route 172.22.33.0 255.255.255.0 gigabitethernet1/1/1
      no ip http server

      Standby Device Configuration

      interface BVI10
       ip address 192.168.5.56 255.255.255.0
       no ip redirects
       ip nat inside
       ! Lower priority than the active device; same group number and name
       standby 10 priority 100 preempt
       standby 10 name HSRP1
       standby 10 ip 192.168.5.30
       standby 10 track gigabitethernet0/0/1
      !
      ip default-gateway 10.0.18.126
      ! Same static mapping as the active device; NAT state is not exchanged between HSRP peers
      ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
      ip classless
      ip route 10.0.32.231 255.255.255.255 gigabitethernet0/0/1
      ip route 10.10.10.0 255.255.255.0 gigabitethernet0/0/1
      no ip http server
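
The restrictions in this module require every static NAT rule to be mirrored on both HSRP devices and linked to the HSRP group configured on the NAT inside interface. The following Python audit of two saved configurations is an added example, not Cisco code: the sample configurations are constructed, and the names parse and audit are hypothetical.

```python
import re

# Constructed sample configs modelled on the HSRP1 example (not device output).
ACTIVE = """\
interface BVI10
 ip address 192.168.5.54 255.255.255.0
 ip nat inside
 standby 10 name HSRP1
 standby 10 ip 192.168.5.30
!
ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1
"""
# Constructed drift: different global address, plus a rule without "redundancy".
STANDBY = (ACTIVE.replace("192.168.5.54", "192.168.5.56")
                 .replace("10.10.10.5", "10.10.10.6")
           + "ip nat inside source static 192.168.5.34 10.10.10.7\n")
STATIC = re.compile(r"ip nat inside source static (\S+) (\S+)(?: redundancy (\S+))?$")

def parse(config):
    """Return (static rules, HSRP group names on NAT inside interfaces)."""
    rules, groups, names, inside = set(), set(), set(), False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):      # top-level line closes an interface
            if inside:
                groups |= names
            names, inside = set(), False
        text = line.strip()
        if (match := STATIC.match(text)):
            rules.add(match.groups())     # (local, global, group or None)
        elif text == "ip nat inside":
            inside = True
        elif re.match(r"standby \d+ name \S+$", text):
            names.add(text.split()[-1])
    return rules, groups

def audit(active, standby):
    """Findings against the mirroring and redundancy-group restrictions."""
    parsed = {"active": parse(active), "standby": parse(standby)}
    findings = []
    for role, (rules, groups) in parsed.items():
        for local, glob, group in sorted(rules, key=str):
            if group is None:
                findings.append(f"{role}: {local}->{glob} has no redundancy group")
            elif group not in groups:
                findings.append(f"{role}: group {group} is not on a NAT inside interface")
    a_rules, s_rules = parsed["active"][0], parsed["standby"][0]
    for side, only in (("active", a_rules - s_rules), ("standby", s_rules - a_rules)):
        for local, glob, group in sorted(only, key=str):
            findings.append(f"only on {side}: {local}->{glob} redundancy {group}")
    return findings
```

An empty list from audit means the two configurations carry the same static rules and every rule names an HSRP group present on a NAT inside interface; it does not verify HSRP state on the running devices.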

      Additional References for Configuring NAT for High Availability

      Related Documents

      Related Topic | Document Title
      Cisco IOS commands | Cisco IOS Master Command List, All Releases
      NAT commands: complete command syntax, command mode, command history, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
      IP Access List Sequence Numbering | IP Access List Sequence Numbering document
      NAT configuration tasks | “Configuring NAT for IP Address Conservation” module
      NAT maintenance | “Monitoring and Maintaining NAT” module
      Using NAT with MPLS VPNs | “Integrating NAT with MPLS VPNs” module

      Standards and RFCs

      Standard/RFC | Title
      RFC 903 | Reverse Address Resolution Protocol
      RFC 826 | Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware
      RFC 1027 | Using ARP to implement transparent subnet gateways

      Feature Information for Configuring NAT for High Availability

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


      Table 1 Feature Information for Configuring NAT for High Availability

      Feature Name | Releases | Feature Configuration Information
      NAT—Static Mapping Support with HSRP for High Availability | Cisco IOS XE Release 2.1 | Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.