Hi Tim, thanks for helping. I think I got it now. I initially didn't
understand because the example I was looking at was NATting to a new subnet
of its own and thus the outside didn't use ARP at any point to reply.
For anyone stuck like me, I'll dumb it down to my level which might help:
    2
   / \
  1   4
   \ /
    3
Net 123 uses 123.0.0.x
123.0.0.1 has default route to 123.0.0.100
123.0.0.2 runs hsrp as 123.0.0.100 with pri 150 and pre-empt
123.0.0.2 has IP NAT INSIDE SOURCE STATIC 123.0.0.1 234.0.0.1
123.0.0.3 runs hsrp as 123.0.0.100
123.0.0.3 has IP NAT INSIDE SOURCE STATIC 123.0.0.1 234.0.0.1
Net 234 uses 234.0.0.x
and has respective setup
So a ping from 123.0.0.1 to 234.0.0.4 should nat to 234.0.0.1 through the
active node. The ping works and if you check ARP on R4 it'll show (I modded
the BIA macs for ease of understanding):
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  234.0.0.2            0  0000.0200.2222  ARPA  FastEthernet0/1
Internet  234.0.0.3           22  0000.0200.3333  ARPA  FastEthernet0/1
Internet  234.0.0.4            -  0000.0200.4444  ARPA  FastEthernet0/1
Internet  234.0.0.10          20  0000.0200.2222  ARPA  FastEthernet0/1
Internet  234.0.0.100         18  0000.0c07.ac00  ARPA  FastEthernet0/1
So although the HSRP address uses a virtual mac, the NAT address (.10) uses
the BIA mac of the active node.
Now if the active node lost power, HSRP's standby node (R3) would become
active and gratuitously ARP to update the switch CAM table to point the HSRP
virtual mac to its own port.
From what I gather the redundancy keyword comes in here:
Without it R4 is left with 234.0.0.10 pointing to the BIA mac of the (now
down) R2. So if R1 pings R4, the traffic now correctly goes to R3 (new
active node) on the inside network, it's NATted correctly to the 234.0.0.10
address on R3 and traffic arrives at R4. R4 looks to reply, it already has
the ARP cached for 234.0.0.10 and sends it off to the BIA of R2 (which is
still dead). I think the ARP timeout is 4 hours so you could be down for a
while before connectivity is restored.
Now, if you have the redundancy switch on the NAT statement, pointing to the
inside HSRP name, R3 gratuitously ARPs for the NATted address and updates
R4's ARP table immediately. Connectivity is restored as soon as the standby
node goes active and the balance in the world is restored.
Feel free to point out any mistake/misinterpretation
Thanks again
Joe
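To make the stale-ARP failure mode above concrete, here is an added Python model (not from the thread and not Cisco code) of R4's ARP cache across the failover: the addresses, MACs and the 4-hour ageing come from the post; the Router and ArpCache objects are an assumed, simplified model of the behaviour.

```python
from dataclasses import dataclass

ARP_TIMEOUT_MIN = 240  # IOS default ARP ageing (4 hours), as the post notes

# Values as used in the post (the BIA MACs were simplified there as well)
R2_BIA, R3_BIA = "0000.0200.2222", "0000.0200.3333"
HSRP_VMAC, HSRP_IP, NAT_IP = "0000.0c07.ac00", "234.0.0.100", "234.0.0.10"

@dataclass
class Router:
    name: str
    bia: str
    alive: bool = True
    active: bool = False          # HSRP active on the outside segment
    nat_redundancy: bool = False  # 'redundancy <group>' on the static NAT

class ArpCache:
    """R4's view: ip -> (mac, minute learned); entries age out, not refresh."""
    def __init__(self):
        self.entries = {}
    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)
    def resolve(self, ip, now, routers):
        """MAC R4 will frame the reply to: cached entry, else a fresh ARP."""
        if ip in self.entries:
            mac, learned = self.entries[ip]
            if now - learned < ARP_TIMEOUT_MIN:
                return mac
            del self.entries[ip]
        # Only the active router answers ARP for the NAT IP, with its BIA;
        # the HSRP address itself always answers with the virtual MAC.
        for r in routers:
            if r.alive and r.active:
                mac = HSRP_VMAC if ip == HSRP_IP else r.bia
                self.learn(ip, mac, now)
                return mac
        return None

def simulate(use_redundancy, minutes_after_failover):
    """Which MAC R4 sends the NAT IP's reply to, given time since R2 died."""
    r2 = Router("R2", R2_BIA, active=True, nat_redundancy=use_redundancy)
    r3 = Router("R3", R3_BIA, nat_redundancy=use_redundancy)
    cache = ArpCache()
    cache.resolve(NAT_IP, 0, [r2, r3])   # first reply: R4 learns R2's BIA
    r2.alive = r2.active = False          # R2 loses power at minute 1
    r3.active = True                      # standby takes over
    if r3.nat_redundancy:                 # gratuitous ARP for the NAT IP
        cache.learn(NAT_IP, r3.bia, 1)
    return cache.resolve(NAT_IP, 1 + minutes_after_failover, [r2, r3])
```

Without the keyword, `simulate(False, 0)` still returns R2's MAC (the reply goes to the dead router) until the entry ages out; with it, `simulate(True, 0)` returns R3's MAC straight away.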
2009/10/26 Timothy Chin <tim_at_1c-solutions.com.35207004132574182296.send.nyms.net>
> The active HSRP router will answer the arp queries using the outside
> interface BIA MAC on initial inbound traffic destined for the static NAT
> IP.
> I'm using this on my network at home. Take a look at the output of a
> "show arp" for one of my static IP addresses.
>
> Active router:
>
> Protocol  Address        Age (min)  Hardware Addr   Type  Interface
> Internet  96.57.114.170          -  001a.2f7f.0fc9  ARPA  FastEthernet0/1
> Internet  96.57.114.171          -  001a.2f7f.0fc9  ARPA  FastEthernet0/1
>
> 96.57.114.170 is the active router's public IP and 96.57.114.171 is a
> NAT IP.
>
> The standby router will not have the NAT IP in its table:
>
> Protocol  Address        Age (min)  Hardware Addr   Type  Interface
> Internet  96.57.114.173          -  0009.7cdc.2f61  ARPA  FastEthernet0/1
>
> 96.57.114.173 is the standby router's public IP but the NAT IP does not
> appear in the table.
>
> Now after shutting down the active router's inside interface:
>
> Standby router (Now active):
>
> Protocol  Address        Age (min)  Hardware Addr   Type  Interface
> Internet  96.57.114.171          -  0009.7cdc.2f61  ARPA  FastEthernet0/1
> Internet  96.57.114.173          -  0009.7cdc.2f61  ARPA  FastEthernet0/1
>
>
> HTH
>
> Timothy Chin
> CCIE #23866 (R&S)
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> groupstudy_at_nyms.net
> Sent: Sunday, October 25, 2009 2:41 PM
> To: ccielab_at_groupstudy.com
> Subject: IP NAT INSIDE SOURCE with HSRP Redundancy?
>
> I found a previous thread on this here:
> http://www.groupstudy.com/archives/ccielab/200711/msg00420.html
> The question never seems to get answered and I am stuck trying to
> explain it.
> What does the REDUNDANCY <hsrpgroup> switch do on the IP NAT INSIDE
> SOURCE command?
> The only explanations I can find are that it prevents unpredictable
> NATting by allowing only the active HSRP router to perform the NAT (by
> answering ARP with its BIA MAC). Surely any packet to be NATted will
> only ever arrive at the active router and will use the virtual MAC of
> the HSRP address?
>
> Cisco site says "Enables the router to respond to ARP queries using BIA
> MAC, if HSRP is configured on the NAT inside interface."
>
> What ARP queries are we talking about? I can't see how it's relevant for
> a static source translation. ARP for HSRP def gate gives virtual mac,
> translated, ARP for dest ip, then ARP for HSRP def gate in reverse
> direction gives another virtual mac, then ARP for original source.
>
> Can anyone help me out here? What am I missing - apart from my entire
> weekend?
> Thanks!
Received on Mon Oct 26 2009 - 02:30:55 ART