Prerequisites for Static NAT Mapping with HSRP
To understand how high availability is implemented see the “High Availability Overview” module in the .
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient IP networks. This network resiliency is required where application connectivity needs to continue unaffected by failures to links and routers at the NAT border.
To understand how high availability is implemented see the “High Availability Overview” module in the .
Using any IP address configured on a device IP address as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.
Virtual routing and forwarding (VRF) NAT with Hot Standby Router Protocol (HSRP) is not supported. Effective with Cisco IOS XE Denali 16.3.3, this restriction is not applicable. Upgrade to this release if you want your device to support VRF NAT with HSRP.
Static NAT mappings must be mirrored on two or more HSRP devices, because the NAT state is not exchanged between devices running NAT in an HSRP group.
If you configure both HSRP devices with the same static NAT and the hsrp keyword to link these devices to the same HSRP group is not configured, the behavior of the devices will be unpredictable.
When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the device, NAT responds with the burned in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two devices act as the Hot Standby Router Protocol (HSRP) active and standby. You must enable and configure the NAT outside interfaces of the active and standby devices to belong to a group.
A device in IP can have both a local address (which uniquely identifies the device on its local segment or LAN) and a network address (which identifies the network to which the device belongs). The local address is known as a data link address because it is contained in the data link layer (Layer 2 of the OSI model) part of the packet header and is read by data-link devices such as bridges, all device interfaces and so on. The local address is referred to as the MAC address, because the MAC sublayer within the data-link layer processes addresses for the layer.
To communicate with a device on Ethernet, for example, the Cisco IOS software must first determine the 48-bit MAC or local data-link address of that device. The process of determining the local data-link address from an IP address is called address resolution. The process of determining the IP address from a local data-link address is called reverse address resolution.
The software uses three forms of address resolution: Address Resolution Protocol (ARP), proxy ARP, and Probe (similar to ARP). The software also uses the Reverse Address Resolution Protocol (RARP). ARP, proxy ARP, and RARP are defined in RFCs 826, 1027, and 903, respectively. Probe is a protocol developed by the Hewlett-Packard Company (HP) for use on IEEE-802.3 networks.
ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated media address. Once a media or MAC address is determined, the IP address or media address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP).
When a host sends an ARP request to resolve its own IP address, it is called gratuitous ARP. In the ARP request packet, the source and destination IP addresses are filled with the same source IP address itself. The destination MAC address is the Ethernet broadcast address.
When a router becomes active, it broadcasts a gratuitous ARP packet with the Hot Standby Router Protocol (HSRP) virtual MAC address to the affected LAN segment. If the segment uses an Ethernet switch, this allows the switch to change the location of the virtual MAC address so that packets flow to the new router instead of the one that is no longer active. End devices do not actually need gratuitous ARP if routers use the default HSRP MAC address.
When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the router, NAT responds with the burned in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two routers are acting as HSRP active and standby. Their NAT outside interfaces must be enabled and configured to belong to a group.
Benefits of Configuring Static Mapping Support for HSRP are the following:
Using static mapping support for HSRP, failover is ensured without having to time out and repopulate upstream ARP caches in a high-availability environment, where HSRP router pairs have identical NAT configuration for redundancy.
Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.
Note |
Static mapping for HSRP with outside-source NAT, via command ip nat outside source static local-ip global-ip redundancy group-name is not supported. |
Both of the following tasks are required and must be performed on both the active and standby routers to configure NAT static mapping support for HSRP:
Perform this task to enable HSRP on the NAT interface of both the active and standby routers.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables higher privilege levels, such as privileged EXEC mode.
|
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
interface type number Example:
|
Configures an interface and enters interface configuration mode. |
Step 4 |
ip address ip-address mask Example:
|
Sets the primary IP address on the interface. |
Step 5 |
no ip redirects Example:
|
Disables the sending of redirect messages |
Step 6 |
ip nat {inside | outside } Example:
|
Connects the interface to the inside network. |
Step 7 |
standby [group-number ] ip [ip-address [secondary ]] Example:
|
Enables the HSRP protocol. |
Step 8 |
standby [group-number ] preempt Example:
|
Configures HSRP preemption. |
Step 9 |
standby [group-number ] ip [ip-address | secondary ] Example:
|
Enables the HSRP protocol. |
Step 10 |
standby [group-number ] name [group-name ] Example:
|
Sets the HSRP group name. |
Step 11 |
standby [group-number ] track interface-number Example:
|
Configures HSRP to track an object and to change the hot standby priority on the basis of the state of the object. |
Step 12 |
end Example:
|
Exits interface configuration mode and returns to privileged EXEC mode. |
Step 13 |
show standby Example:
|
(Optional) Displays HSRP information |
Step 14 |
show ip nat translations [verbose ] Example:
|
(Optional) Displays active NAT translations. |
To enable static mapping support with HRSP for high availability, perform this task on both the active and standby devices.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. |
||
Step 2 |
configure terminal Example:
|
Enters global configuration mode.
|
||
Step 3 |
ip nat inside source static local-ip global-ip redundancy group-name Example:
|
Enables a device to respond to Address Resolution Protocol (ARP) queries using BIA MAC, if HSRP is configured on the NAT outside interface. |
||
Step 4 |
ip classless Example:
|
Enables a device to forward packets that are destined for a subnet of a network that has no network default route, to the best supernet route possible. |
||
Step 5 |
ip route prefix mask interface-type interface-number Example:
|
Establishes static routes. |
||
Step 6 |
no ip http server Example:
|
Enables the HTTP server on your IP system. |
||
Step 7 |
end Example:
|
Exits global configuration mode and returns to privileged EXEC mode. |
||
Step 8 |
show ip nat translations [verbose] Example:
|
(Optional) Displays active NAT translations.
|
The following example shows support for NAT with a static configuration in an HSRP environment. Two devices act as HSRP active and standby, and the NAT outside interfaces are HSRP enabled and configured to belong to group HSRP1.
interface BVI10
ip address 192.168.5.54 255.255.255.255.0
no ip redirects
ip nat outside
standby 10 priority 105 preempt
standby 10 name HSRP1
standby 10 ip 192.168.5.30
standby 10 track gigabitethernet1/1/1
!
!
ip default-gateway 10.0.18.126
ip nat inside source static 10.10.10.5 192.168.5.33 redundancy HSRP1
ip classless
ip route 10.10.10.0 255.255.255.0 gigabitethernet1/1/1
ip route 172.22.33.0 255.255.255.0 gigabitethernet1/1/1
no ip http server
interface BVI10
ip address 192.168.5.56 255.255.255.255.0
no ip redirects
ip nat outside
standby 10 priority 100 preempt
standby 10 name HSRP1
standby 10 ip 192.168.5.30
standby 10 track gigabitethernet0/0/1
!
ip default-gateway 10.0.18.126
ip nat inside source static 10.10.10.5 192.168.5.33 redundancy HSRP1
ip classless
ip route 10.0.32.231 255.255.255 gigabitethernet0/0/1
ip route 10.10.10.0 255.255.255.0 gigabitethernet0/0/1
no ip http server
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
NAT commands: complete command syntax, command mode, command history, usage guidelines, and examples |
Cisco IOS IP Addressing Services Command Reference |
IP Access List Sequence Numbering |
IP Access List Sequence Numbering document |
NAT configuration tasks |
“Configuring NAT for IP Address Conservation” module |
NAT maintenance |
“Monitoring and Maintaining NAT” module |
Using NAT with MPLS VPNs |
“Integrating NAT with MPLS VPNs” module |
Standard/RFC |
Title |
---|---|
RFC 903 |
Reverse Address Resolution Protocol |
RFC 826 |
Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware |
RFC 1027 |
Using ARP to implement transparent subnet gateways |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Name |
Releases |
Feature Configuration Information |
---|---|---|
NAT—Static Mapping Support with HSRP for High Availability |
Cisco IOS XE Release 2.1 |
Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address. |