Configuring Stateful NAT Redundancy
Configuring Stateful Inter-Chassis Redundancy



First Published: July 30, 2010

This chapter contains information about and instructions for configuring Stateful Inter-Chassis Redundancy.

Finding Feature Information

For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Stateful Inter-Chassis Redundancy" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Overview of Stateful Inter-Chassis Redundancy

Configuring Stateful Inter-Chassis Redundancy

Configuring NAT with Stateful Inter-Chassis Redundancy

Managing and Monitoring Stateful Inter-Chassis Redundancy

Configuration Example for Stateful Inter-Chassis Redundancy

Where to Go Next

Additional References

Feature Information for Stateful Inter-Chassis Redundancy

Overview of Stateful Inter-Chassis Redundancy

The Stateful Inter-Chassis Redundancy feature enables you to configure pairs of routers to act as backups for each other. This feature can be configured to determine which member of the group is the active router based on a number of failover conditions. When a failover occurs, the standby router seamlessly takes over and starts performing traffic forwarding services as well as maintaining a dynamic routing table.

How Stateful Inter-Chassis Redundancy Works

You can configure pairs of routers to act as hot standbys for each other. This redundancy is configured on an interface basis. The determination of which interface is the active interface is based on the relative state of the two interfaces and the quality of the connection. The redundancy is at the application level and does not require a complete physical failure of the interface or router for a switchover of the application to occur. When a switchover occurs, the application activity seamlessly continues to run on the redundant interface.

Pairs of redundant interfaces are known as redundancy groups. Figure 1 shows how the redundancy group is configured for a pair of routers that each have one outgoing interface. Figure 2 shows how two redundancy groups are configured for a pair of routers that each have two outgoing interfaces.

Note that in both cases, the redundant routers are joined by a configurable control link and a data synchronization link. The control link is used to communicate the status of each router to the other. The data synchronization link is used to transfer stateful information from NAT and the firewall and to synchronize the stateful database for these applications.

Also, in both cases, the pairs of redundant interfaces are configured with the same unique ID number known as the Redundant Interface Identifier (RII).

Figure 1

Figure 2

The status of Redundancy Group members is determined through the use of hello messages sent over the control link. If either router does not respond to a hello message within a configurable amount of time, a failure is considered to have occurred and a switchover is initiated. To detect a failure in milliseconds, the control link runs the failover protocol integrated with the Bidirectional Forwarding Detection (BFD) protocol. You can configure the following parameters for the hello messages:

Active timer

Standby timer

Hellotime — The interval at which hello messages are sent

Holdtime — The amount of time before the active or the standby is declared to be down

The hellotime defaults to 3 seconds to align with HSRP, and the holdtime defaults to 10 seconds. You can configure these timers in either seconds or milliseconds.

To determine which pairs of interfaces are affected by the switchover, you must configure a unique ID number for each pair of redundant interfaces. This ID number is known as the Redundant Interface Identifier (RII) associated with the interface.

A switchover to the standby router can also occur under other circumstances. Another factor that can cause a switchover is a priority setting that is configurable for each router. The router with the highest priority setting is the active router. If a fault occurs on either the active or the standby router, the priority of that router is decremented by a configurable amount known as the weight. If redundancy preemption is enabled and the priority of the active router falls below the priority of the standby router, a switchover occurs and the standby router becomes the active router. By default, preemption is disabled. To enable it, you must set the preemption attribute for the Redundancy Group. You can also configure each interface to decrement a specified amount from the priority when the L1 state of the interface goes down. This amount overrides the default amount configured for the Redundancy Group.

Each failure event that causes a modification of a redundancy group's priority generates a syslog entry that contains a timestamp, the redundancy group that was affected, previous priority, new priority, and a description of the failure event cause.

Another situation that causes a switchover is when the priority of a router or interface falls below a configurable threshold level.

In summary, a switchover to the standby router occurs under the following circumstances:

Power loss or reload occurs on the active router (this includes crashes).

The run-time priority of the active router goes down below that of the standby router.

The run-time priority of the active router goes down below the configured threshold.

The Redundancy Group on the active router is reloaded manually using the command redundancy application reload group rg-number.

If two consecutive hello messages are missed on any monitored interface, the interface is forced into testing mode. When this occurs, both units first verify the link status on the interface and then both units execute the following tests:

Network activity test

ARP test

Broadcast ping test
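The priority, weight, threshold and preempt rules described above can be checked with a small model. The following Python is an added example, not Cisco code or router output: the priorities, tracked object numbers and decrement weights are constructed, the hostnames R1/R2 are placeholders, and the syslog line format is a stand-in for the entry the text describes (the real message text is not given on this page).

```python
"""Model of the redundancy group switchover rules described above.

Added example, not Cisco code: object numbers, weights and priorities are
constructed. It implements the rules the text states: each tracked-object
fault, or an interface whose L1 state goes down, decrements the router's
run-time priority by its configured weight and produces a syslog-style
entry (timestamp, group, old and new priority, cause); the standby takes
over when the active router is lost (holdtime expires without a hello),
when the active priority falls below the failover threshold, or, with
preempt enabled, when it falls below the standby's priority.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RgMember:
    """One router's view of a redundancy group (constructed example data)."""
    hostname: str
    group: int
    priority: int                      # priority <num> ...
    failover_threshold: int            # ... failover-threshold <num>
    preempt: bool = False              # preempt (a group attribute)
    track: Dict[int, int] = field(default_factory=dict)            # object-number -> decrement
    iface_decrement: Dict[str, int] = field(default_factory=dict)  # interface -> decrement
    faults: List[Tuple[str, object]] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)
    clock: int = 0                     # stand-in for the syslog timestamp

    def runtime_priority(self) -> int:
        """Configured priority minus the weight of every outstanding fault."""
        pri = self.priority
        for kind, key in self.faults:
            pri -= self.track[key] if kind == "track" else self.iface_decrement[key]
        return pri

    def fault(self, kind: str, key: object) -> int:
        """Record a tracked-object fault ("track") or an interface L1-down event ("iface").

        Returns the new run-time priority and appends the syslog-style entry
        the text describes: timestamp, group, old priority, new priority, cause.
        """
        weights = self.track if kind == "track" else self.iface_decrement
        if key not in weights:
            raise KeyError(f"{kind} {key} is not configured on RG{self.group}")
        if (kind, key) in self.faults:         # already counted; do not double-decrement
            return self.runtime_priority()
        old = self.runtime_priority()
        self.faults.append((kind, key))
        new = self.runtime_priority()
        self.clock += 1
        self.syslog.append(f"t={self.clock} {self.hostname} RG{self.group}: "
                           f"priority {old} -> {new} ({kind} {key} down)")
        return new


def switchover_reason(active: RgMember, standby: RgMember,
                      ms_since_active_hello: int = 0,
                      holdtime_ms: int = 10_000) -> Optional[str]:
    """Why the standby should take over now, or None if the active keeps the role."""
    if ms_since_active_hello > holdtime_ms:    # hello/holdtime rule on the control link
        return (f"no hello from {active.hostname} for {ms_since_active_hello} ms "
                f"(holdtime {holdtime_ms} ms): reload, power loss or link failure")
    ap, sp = active.runtime_priority(), standby.runtime_priority()
    if ap < active.failover_threshold:
        return f"{active.hostname} priority {ap} below failover-threshold {active.failover_threshold}"
    if active.preempt and ap < sp:
        return f"{active.hostname} priority {ap} below {standby.hostname} priority {sp} with preempt"
    return None


def demo() -> Tuple[List[Optional[str]], List[str]]:
    """Walk through the scenarios described in the text (constructed values)."""
    r1 = RgMember("R1", 1, priority=120, failover_threshold=80,
                  track={44: 20, 45: 20}, iface_decrement={"GigabitEthernet2": 10})
    r2 = RgMember("R2", 1, priority=110, failover_threshold=80)
    reasons = [switchover_reason(r1, r2)]             # healthy: R1 stays active
    r1.fault("track", 44)                              # 120 -> 100, preempt off: no change
    reasons.append(switchover_reason(r1, r2))
    r1.preempt = r2.preempt = True                     # "preempt" configured on the group
    reasons.append(switchover_reason(r1, r2))          # 100 < 110: standby preempts
    r1.fault("iface", "GigabitEthernet2")              # 100 -> 90 (interface L1 down)
    r1.fault("track", 45)                              # 90 -> 70, below threshold 80
    reasons.append(switchover_reason(r1, r2))
    reasons.append(switchover_reason(r1, r2, ms_since_active_hello=12_000))  # holdtime expired
    return reasons, r1.syslog


if __name__ == "__main__":
    outcomes, log = demo()
    print("\n".join(log))
    print("\n".join(str(r) for r in outcomes))
```

The order of checks in switchover_reason matters: a lost peer is acted on before any priority arithmetic, and the threshold rule applies whether or not preempt is enabled, which is why the last two scenarios switch over even though preemption was only turned on midway.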

Associations with Firewalls and NAT

Firewalls will use the association of the redundancy group with a traffic interface.

NAT will associate the redundancy group with a mapping ID.

Supported Topologies

Only the LAN-LAN topology shown in Figure 3 is supported.


Note Asymmetric routing is not supported.


Figure 3 shows this topology. When a dedicated appliance-based firewall solution is used, traffic is often directed to the correct firewall by configuring static routing in the upstream or downstream routers to an appropriate virtual IP address. As well as supporting this routing configuration, the ASR should also be able to participate in dynamic routing with upstream or downstream routers. The dynamic routing configuration supported on LAN-facing interfaces must not introduce a dependency on routing protocol convergence; otherwise, fast failover requirements will not be met.

Figure 3

Configuring Stateful Inter-Chassis Redundancy

Use the following tasks to configure Stateful Inter-Chassis Redundancy:

Configuring the Control Interface Protocol

Configuring a Redundancy Group

Configuring the Control Interface Protocol

The configuration for the control interface protocol consists of the following elements:

Protocol instance

Group name

hello time

hold time

authentication information

Use of BFD

For more information on these elements, see the "Overview of Stateful Inter-Chassis Redundancy" section.

SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. mode none

5. application redundancy

6. protocol {1 | 2}

7. name instance-name

8. timers [msec] hello num [msec] holdtime num

9. authentication {text string | md5 key-string [0 | 7] key | md5 key-chain key-chain-name}

10. bfd

11. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

redundancy

Example:

Router(config)# redundancy

Enters redundancy configuration mode.

Step 4 

mode none

Example:

Router(config-red)# mode none

Sets the redundancy mode to none, which is required for this feature.

Step 5 

application redundancy

Example:

Router(config-red)# application redundancy

Enters application redundancy configuration mode.

Step 6 

protocol num

Example:

Router(config-red-app)# protocol 4

Specifies the protocol instance that will be attached to a control interface. The range for num is 1 to 8.

Step 7 

name instance-name

Example:

Router(config-red-app-pro1)# name blgd-8

Specifies an optional alias for the protocol instance.

Step 8 

timers hellotime [msec] num holdtime [msec] num

Example:

Router(config-red-app-pro1)# timers hellotime 4 holdtime 6

Specifies the interval at which hello messages are sent and the time before a router is declared to be down. The default for the hellotime is 3 seconds and 10 seconds for the holdtime. Use the msec keyword to configure the timers in milliseconds. The range for the hellotime is 1-254 seconds or 50-1000 milliseconds. The range for the holdtime is 6-255 seconds or 750-3000 milliseconds.

Step 9 

authentication {text string | md5 key-string [0 | 7] key | md5 key-chain key-chain-name}

Example:

Router(config-red-app-pro1)# authentication text password

Specifies the authentication information. The options are:

text string — Use clear text authentication.

md5 key-string [0 | 7] key — Use MD5 key authentication. The key argument can be up to 64 characters in length (at least 16 characters is recommended). Specifying 0 means the key will be unencrypted (the default). Specifying 7 means the key will be encrypted.

md5 key-chain key-chain-name — Use MD5 key-chain authentication.

Step 10 

bfd

Example:

Router(config-red-app-pro1)# bfd

Enables the integration of the failover protocol running on the control interface with the Bidirectional Forwarding Detection (BFD) protocol to achieve failure detection in milliseconds. BFD is enabled by default.

Step 11 

end

Example:

Router(config-red-app-pro1)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Configuring a Redundancy Group

Redundancy groups consist of the following configuration elements:

Group instance

Group name

fail-over priority

fail-over threshold

Faults (objects) that will decrement the priority

Amount by which the priority will be decremented for each object

Initialization delay timer

Interface that will be used as the control interface

Interface that will be used as the data interface

Interface associated with the Redundancy Group (RG)

Redundant Interface Identifier (RII) number of the RG interface

For more information on these elements, see the "Overview of Stateful Inter-Chassis Redundancy" section.

SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. application redundancy

5. group {1 | 2}

6. name group-name

7. priority num failover-threshold num

8. track object-number [decrement num | shutdown]

9. preempt

10. timers delay seconds [reload seconds]

11. control interface-name protocol instance

12. data interface-name

13. end

14. configure terminal

15. interface interface-name

16. redundancy group-num ip address exclusive [decrement num]

17. redundancy rii num

18. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

redundancy

Example:

Router(config)# redundancy

Enters redundancy configuration mode.

Step 4 

application redundancy

Example:

Router(config-red)# application redundancy

Enters application redundancy configuration mode.

Step 5 

group {1 | 2}

Example:

Router(config-red-app)# group 1

Specifies the redundancy group instance.

Step 6 

name group-name

Example:

Router(config-red-app-grp1)# name blgd-8

Specifies an optional alias for the protocol instance.

Step 7 

priority num failover-threshold num

Example:

Router(config-red-app-grp1)# priority 120 failover-threshold 80

Specifies the initial priority and failover threshold for the redundancy group.

Step 8 

track object-number [decrement num | shutdown]

Example:

Router(config-red-app-grp1)# track 44 decrement 20

Specifies the amount the priority of a redundancy group will be decremented if an event occurs. The options are:

object-number — ID number of the event type. For a complete description of the objects, refer to the CISCO-RTTMON-MIB.my file, available from the Cisco MIB website.

decrement num — amount that the priority will be decremented. The range is 1 to 255.

shutdown — Shut down the router instead of decrementing the priority when the event occurs.

You can track multiple objects that will influence the priority of the redundancy group.

Step 9 

preempt

Example:

Router(config-red-app-grp1)# preempt

Enables preemption on the group and enables the standby router to preempt the active router regardless of which priority is higher.

Step 10 

timers delay seconds [reload seconds]

Example:

Router(config-red-app-grp1)# timers delay 10 reload 20

Specifies the amount of time the RG delays role negotiations that start after a fault occurs or the system is reloaded. You can configure a different delay for reloads.

Step 11 

control interface-name protocol instance

Example:

Router(config-red-app-grp1)# control GigabitEthernet 0/0/1 protocol 1

Specifies which control interface will be used by the Redundancy Group. This interface is also associated with an instance of the control interface protocol.

Step 12 

data interface-name

Example:

Router(config-red-app-grp1)# data GigabitEthernet 0/0/1

Specifies which data interface will be used by the Redundancy Group.

Step 13 

end

Example:

Router(config-red-app-grp1)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Step 14 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 15 

interface interface-name

Example:

Router(config)# interface GigabitEthernet 2

Selects an interface to associate with the Redundancy Group.

Step 16 

redundancy group-num ip address exclusive [decrement num]

Example:

Router(config-if)# redundancy 1 ip 10.10.1.1 exclusive decrement 20

Associates the interface with the Redundancy Group identified by group-num. The other options are:

ip address — IP address of the interface.

exclusive — The interface is not shared with another Redundancy Group (RG).

[decrement num] — Amount decremented from the priority when the L1 state of the interface goes down. This overrides the default amount for the RG.

Step 17 

redundancy rii num

Example:

Router(config-if)# redundancy rii 40

Specifies a number for the Redundant Interface Identifier (RII) associated with this interface. The range for the number is 1 to 65535. This number must match the RII of the other interface in the Redundancy Group.

Step 18 

end

Example:

Router(config-if)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Configuring NAT with Stateful Inter-Chassis Redundancy

You must use a mapping ID to associate NAT with the redundancy group.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

4. ip nat inside source {list {access-list-number | access-list-name} | route-map name} pool name [mapping-id map-id | overload | reversible | vrf name] [match-in-vrf] [oer]

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Example:

Router(config)# ip nat pool VPN-18 10.10.0.0 10.10.255.255 netmask 255.255.0.0

Defines a pool of IP addresses for Network Address Translation (NAT).

Step 4 

ip nat inside source {list {access-list-number | access-list-name} | route-map name} pool name [mapping-id map-id | overload | reversible | vrf name] [match-in-vrf] [oer]

Example:

Router(config)# ip nat inside source list VPN-18 pool VPN-18 mapping-id 152

Enables Network Address Translation (NAT) of the inside source address. You must use a mapping ID to associate NAT with the redundancy group.

Step 5 

end

Example:

Router(config)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Managing and Monitoring Stateful Inter-Chassis Redundancy

Use the following commands to manage and monitor Stateful Inter-Chassis Redundancy.

SUMMARY STEPS

1. enable

2. redundancy application reload group group [peer | self]

3. show redundancy application group {group-id | all}

4. show redundancy application transport {group-id | all}

5. show redundancy application protocol {group-id | all}

6. show redundancy application faults {group-id | all}

7. show redundancy application if-mgr {group-id | all}

8. show redundancy application control-interface [interface-name]

9. show redundancy application data-interface [interface-name]

10. show monitor event-trace rg_infra [all]

11. debug redundancy application group [all | transport | protocol | faults | if-mgr] [event | error | ....]

12. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

redundancy application reload group num [peer | self]

Example:

Router# redundancy application reload group 2 self

Forces the active RG to reload and the standby RG to become the active RG. You must enter this command on the active RG.

Step 3 

show redundancy application group {group-id | all}

Example:

Router# show redundancy application group 2

Shows summary information for the specified group or for all groups.

Step 4 

show redundancy application transport {group-id | all}

Example:

Router# show redundancy application transport 2

Shows transport information for the specified group or for all groups.

Step 5 

show redundancy application protocol {group-id | all}

Example:

Router# show redundancy application protocol 2

Shows protocol information for the specified group or for all groups.

Step 6 

show redundancy application faults {group-id | all}

Example:

Router# show redundancy application faults 2

Shows information about faults for the specified group or for all groups.

Step 7 

show redundancy application if-mgr {group-id | all}

Example:

Router# show redundancy application if-mgr 2

Shows information about the if-mgr for the specified group or for all groups.

Step 8 

show redundancy application control-interface {interface-name}

Example:

Router# show redundancy application control-interface IF-2

Shows interface information associated with redundancy groups for the specified control interface.

Step 9 

show redundancy application data-interface [interface-name]

Example:

Router# show redundancy application data-interface IF-2

Shows interface information associated with redundancy groups for the specified data interface.

Step 10 

show monitor event-trace rg_infra [all]

Example:

Router# show monitor event-trace rg_infra

Shows event trace information associated with redundancy groups.

Step 11 

debug redundancy application group [all | transport | protocol | faults | if-mgr] [event | error | ...]

Example:

Router# debug redundancy application group all

Enables debug logging of the specified type of information associated with redundancy groups.

Step 12 

end

Example:

Router# end

Exits the current configuration mode and returns to privileged EXEC mode.

Configuration Example for Stateful Inter-Chassis Redundancy

Redundancy Group Configuration

redundancy
 application redundancy
  group 1
   name rg1
   control GigabitEthernet0/1/0 protocol 1
   data GigabitEthernet0/1/2
  group 2
   name rg2
   control GigabitEthernet0/1/1 protocol 2
   data GigabitEthernet0/1/3

Redundant Traffic Interface Configuration

This configuration also includes the commands for NAT:

interface GigabitEthernet0/1/5
 ip address 12.1.1.2 255.0.0.0
 ip nat outside
 ip virtual-reassembly
 negotiation auto
 redundancy rii 200
 redundancy group 1 ip 12.1.1.200 exclusive decrement 10
!
interface GigabitEthernet0/1/6
 ip address 11.1.1.2 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 negotiation auto
 redundancy rii 100
 redundancy group 1 ip 11.1.1.100 exclusive decrement 10
!
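The RII must match on the paired interfaces of both routers, and every interface bound to a group needs one. The following Python script is an added example, not Cisco code: it parses the relevant lines of two constructed running configurations (router A is modelled on the example above with the NAT lines left out; router B is the same layout with its own addresses and a deliberate RII typo) and reports the mismatches an operator would want to catch before a switchover exposes them. The regular expressions cover only the exact command forms shown on this page.

```python
"""Consistency check for the redundant traffic interfaces of an RG pair.

Added example, not Cisco code. It parses the interface and redundancy
sections of two IOS-style configurations (constructed below, modelled on the
example above) and reports the pairing errors the text warns about: a group
binding without an RII, a group not defined under application redundancy, an
RII reused on one router, and an RII with no matching peer interface.
"""
import re
from typing import Dict, List, Set, Tuple

IFACE_RE = re.compile(r"^interface (\S+)")
RII_RE = re.compile(r"^\s+redundancy rii (\d+)")
BIND_RE = re.compile(r"^\s+redundancy group (\d+) ip (\S+) exclusive(?: decrement (\d+))?")
GROUP_DEF_RE = re.compile(r"^\s+group (\d+)\s*$")

# Constructed config for router A (NAT lines omitted; the check ignores them).
ROUTER_A = """\
redundancy
 application redundancy
  group 1
   name rg1
   control GigabitEthernet0/1/0 protocol 1
   data GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/5
 ip address 12.1.1.2 255.0.0.0
 redundancy rii 200
 redundancy group 1 ip 12.1.1.200 exclusive decrement 10
!
interface GigabitEthernet0/1/6
 ip address 11.1.1.2 255.0.0.0
 redundancy rii 100
 redundancy group 1 ip 11.1.1.100 exclusive decrement 10
!
"""
# Constructed peer config: own addresses plus a deliberate typo (rii 101, not 100).
ROUTER_B = (ROUTER_A.replace("12.1.1.2 ", "12.1.1.3 ")
            .replace("11.1.1.2 ", "11.1.1.3 ")
            .replace("redundancy rii 100", "redundancy rii 101"))


def parse_config(text: str) -> Tuple[Dict[str, dict], Set[int]]:
    """Return ({interface: {rii, group, vip, decrement}}, {defined group numbers})."""
    ifaces: Dict[str, dict] = {}
    groups: Set[int] = set()
    current, in_redundancy = None, False      # which block we are inside
    for line in text.splitlines():
        if not line.startswith(" "):          # any top-level line ends the block
            m = IFACE_RE.match(line)
            current = m.group(1) if m else None
            in_redundancy = line.strip() == "redundancy"
            if current:
                ifaces.setdefault(current, {})
        elif current:
            m = RII_RE.match(line)
            if m:
                ifaces[current]["rii"] = int(m.group(1))
            m = BIND_RE.match(line)
            if m:
                ifaces[current].update(group=int(m.group(1)), vip=m.group(2),
                                       decrement=int(m.group(3)) if m.group(3) else None)
        elif in_redundancy:
            m = GROUP_DEF_RE.match(line)
            if m:
                groups.add(int(m.group(1)))
    return ifaces, groups


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Report RII/group pairing problems between the two members of an RG pair."""
    findings: List[str] = []
    parsed = {"A": parse_config(cfg_a), "B": parse_config(cfg_b)}
    by_rii: Dict[str, Dict[int, str]] = {"A": {}, "B": {}}   # side -> rii -> interface
    for side, (ifaces, groups) in parsed.items():
        for name, a in ifaces.items():
            if "group" not in a:
                continue                                   # not a redundant interface
            if "rii" not in a:
                findings.append(f"{side}/{name}: bound to group {a['group']} without 'redundancy rii'")
                continue
            if a["group"] not in groups:
                findings.append(f"{side}/{name}: group {a['group']} is not defined")
            if a["rii"] in by_rii[side]:
                findings.append(f"{side}/{name}: RII {a['rii']} already used by {by_rii[side][a['rii']]}")
            by_rii[side][a["rii"]] = name
    for rii in sorted(set(by_rii["A"]) | set(by_rii["B"])):
        if rii in by_rii["A"] and rii in by_rii["B"]:
            ga, gb = (parsed[s][0][by_rii[s][rii]]["group"] for s in ("A", "B"))
            if ga != gb:
                findings.append(f"RII {rii}: router A binds group {ga}, router B binds group {gb}")
        else:
            have = "A" if rii in by_rii["A"] else "B"
            findings.append(f"RII {rii} ({have}/{by_rii[have][rii]}) has no matching interface "
                            f"on router {'B' if have == 'A' else 'A'}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(ROUTER_A, ROUTER_B)) or "pairing consistent")
```

Run it against the running configuration of both members; an empty result means the pairing is consistent for the command forms the script understands, and the constructed typo above shows up as two findings (RII 100 with no peer on router B, RII 101 with no peer on router A).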

Where to Go Next

For more information about configuring objects, consult the Cisco IOS IPSLA Configuration Guide.

Additional References

The following sections provide references related to NAT and Firewalls.

Related Documents

Related Topic
Document Title

IP addressing commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Addressing Services Command Reference

Fundamental principles of IP addressing and IP routing

IP Routing Primer ISBN 1578701082


Standards

Standard
Title

No new or modified standards are supported, and support for existing standards has not been modified


MIBs

MIB
MIBs Link

No new or modified MIBs are supported, and support for existing MIBs has not been modified


RFCs

RFC 1
Title

RFC 791

Internet Protocol

http://www.ietf.org/rfc/rfc0791.txt

RFC 1338

Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
http://www.ietf.org/rfc/rfc1519.txt

RFC 1466

Guidelines for Management of IP Address Space
http://www.ietf.org/rfc/rfc1466.txt

RFC 1716

Towards Requirements for IP Routers
http://www.ietf.org/rfc/rfc1716.txt

RFC 1918

Address Allocation for Private Internets
http://www.ietf.org/rfc/rfc1918.txt

RFC 3330

Special-Use IP Addresses
http://www.ietf.org/rfc/rfc3330.txt

1 These references are only a sample of the many RFCs available on subjects related to IP addressing and IP routing. Refer to the IETF RFC site at http://www.ietf.org/rfc.html for a full list of RFCs.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Stateful Inter-Chassis Redundancy

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.


Table 1 Feature Information for Stateful Inter-Chassis Redundancy

Feature Name
Releases
Feature Information

NAT Stateful Inter-Chassis Redundancy

Cisco IOS XE
Release 3.1S

This feature enables you to configure pairs of routers to act as backups for each other.