Static NAT Mapping with HSRP

This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient IP networks. This network resiliency is required where application connectivity needs to continue unaffected by failures to links and routers at the NAT border.

Prerequisites for Static NAT Mapping with HSRP

To understand how high availability is implemented see the “High Availability Overview” module in the .

Restrictions for Static NAT Mapping with HSRP

  • Using any IP address configured on a device IP address as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.

  • Virtual routing and forwarding (VRF) NAT with Hot Standby Router Protocol (HSRP) is not supported. Effective with Cisco IOS XE Denali 16.3.3, this restriction is not applicable. Upgrade to this release if you want your device to support VRF NAT with HSRP.

  • Static NAT mappings must be mirrored on two or more HSRP devices, because the NAT state is not exchanged between devices running NAT in an HSRP group.

  • If you configure both HSRP devices with the same static NAT and the hsrp keyword to link these devices to the same HSRP group is not configured, the behavior of the devices will be unpredictable.

Information About Static NAT Mapping with HSRP

Static Mapping Support with HSRP for High Availability Feature Overview

When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the device, NAT responds with the burned in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two devices act as the Hot Standby Router Protocol (HSRP) active and standby. You must enable and configure the NAT outside interfaces of the active and standby devices to belong to a group.

Address Resolution with ARP

A device in IP can have both a local address (which uniquely identifies the device on its local segment or LAN) and a network address (which identifies the network to which the device belongs). The local address is known as a data link address because it is contained in the data link layer (Layer 2 of the OSI model) part of the packet header and is read by data-link devices such as bridges, all device interfaces and so on. The local address is referred to as the MAC address, because the MAC sublayer within the data-link layer processes addresses for the layer.

To communicate with a device on Ethernet, for example, the Cisco IOS software must first determine the 48-bit MAC or local data-link address of that device. The process of determining the local data-link address from an IP address is called address resolution. The process of determining the IP address from a local data-link address is called reverse address resolution.

The software uses three forms of address resolution: Address Resolution Protocol (ARP), proxy ARP, and Probe (similar to ARP). The software also uses the Reverse Address Resolution Protocol (RARP). ARP, proxy ARP, and RARP are defined in RFCs 826, 1027, and 903, respectively. Probe is a protocol developed by the Hewlett-Packard Company (HP) for use on IEEE-802.3 networks.

ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated media address. Once a media or MAC address is determined, the IP address or media address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP).

Gratuitous ARP

When a host sends an ARP request to resolve its own IP address, it is called gratuitous ARP. In the ARP request packet, the source and destination IP addresses are filled with the same source IP address itself. The destination MAC address is the Ethernet broadcast address.

When a router becomes active, it broadcasts a gratuitous ARP packet with the Hot Standby Router Protocol (HSRP) virtual MAC address to the affected LAN segment. If the segment uses an Ethernet switch, this allows the switch to change the location of the virtual MAC address so that packets flow to the new router instead of the one that is no longer active. End devices do not actually need gratuitous ARP if routers use the default HSRP MAC address.

How to Configure Static NAT Mapping with HSRP

Configuring NAT Static Mapping Support for HSRP

When an Address Resolution Protocol (ARP) query is triggered for an address that is configured with NAT static mapping and owned by the router, NAT responds with the burned in MAC (BIA MAC) address on the interface to which the ARP is pointing. Two routers are acting as HSRP active and standby. Their NAT outside interfaces must be enabled and configured to belong to a group.

Benefits of Configuring Static Mapping Support for HSRP are the following:

  • Using static mapping support for HSRP, failover is ensured without having to time out and repopulate upstream ARP caches in a high-availability environment, where HSRP router pairs have identical NAT configuration for redundancy.

  • Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.

Both of the following tasks are required and must be performed on both the active and standby routers to configure NAT static mapping support for HSRP:

Enabling HSRP on the NAT Interface

Perform this task to enable HSRP on the NAT interface of both the active and standby routers.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip address ip-address mask
  5. no ip redirects
  6. ip nat {inside | outside }
  7. standby [group-number ] ip [ip-address [secondary ]]
  8. standby [group-number ] preempt
  9. standby [group-number ] ip [ip-address | secondary ]
  10. standby [group-number ] name [group-name ]
  11. standby [group-number ] track interface-number
  12. end
  13. show standby
  14. show ip nat translations [verbose ]

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables higher privilege levels, such as privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:
Device(config)# interface gigabitethernet 1/1/1

Configures an interface and enters interface configuration mode.

Step 4

ip address ip-address mask

Example:
Device(config-if)# ip address 192.168.1.27 255.255.255.0

Sets the primary IP address on the interface.

Step 5

no ip redirects

Example:
Device(config-if)# no ip redirects

Disables the sending of redirect messages

Step 6

ip nat {inside | outside }

Example:
Device(config)# ip nat outside

Connects the interface to the inside network.

Step 7

standby [group-number ] ip [ip-address [secondary ]]

Example:
Device(config-if)# standby 10 priority 105

Enables the HSRP protocol.

Step 8

standby [group-number ] preempt

Example:
Device(config-if)# standby 10 preempt

Configures HSRP preemption.
Step 9

standby [group-number ] ip [ip-address | secondary ]

Example:
Device(config-if)# standby 10 ip 192.168.5.30

Enables the HSRP protocol.

Step 10

standby [group-number ] name [group-name ]

Example:
Device(config-if)# standby 10 name HSRP1

Sets the HSRP group name.

Step 11

standby [group-number ] track interface-number

Example:
Device(config-if)# standby 10 track gigabitethernet1/1/1

Configures HSRP to track an object and to change the hot standby priority on the basis of the state of the object.

Step 12

end

Example:
Device(config-if)# exit

Exits interface configuration mode and returns to privileged EXEC mode.

Step 13

show standby

Example:
Device# show standby

(Optional) Displays HSRP information

Step 14

show ip nat translations [verbose ]

Example:
Device# show ip nat translations verbose

(Optional) Displays active NAT translations.

Enabling Static NAT for HSRP

Before you begin

To enable static mapping support with HRSP for high availability, perform this task on both the active and standby devices.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static local-ip global-ip redundancy group-name
  4. ip classless
  5. ip route prefix mask interface-type interface-number
  6. no ip http server
  7. end
  8. show ip nat translations [verbose]

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

Step 2

configure terminal

Example:
Device# configure terminal
Enters global configuration mode.

  • Enter your password if prompted.

Step 3

ip nat inside source static local-ip global-ip redundancy group-name

Example:
Device(config)# ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1

Enables a device to respond to Address Resolution Protocol (ARP) queries using BIA MAC, if HSRP is configured on the NAT outside interface.

Step 4

ip classless

Example:
Device(config)# ip classless

Enables a device to forward packets that are destined for a subnet of a network that has no network default route, to the best supernet route possible.

Step 5

ip route prefix mask interface-type interface-number

Example:
Device(config)# ip route 10.10.10.0 255.255.255.0 gigabitethernet 0/0/0

Establishes static routes.

Step 6

no ip http server

Example:
Device(config)# no ip http server

Enables the HTTP server on your IP system.

Step 7

end

Example:
Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 8

show ip nat translations [verbose]

Example:
Device# show ip nat translations verbose

(Optional) Displays active NAT translations.

Configuration Example for Static NAT Mapping with HSRP

Example: Configuring Static NAT in an HSRP Environment

The following example shows support for NAT with a static configuration in an HSRP environment. Two devices act as HSRP active and standby, and the NAT outside interfaces are HSRP enabled and configured to belong to group HSRP1.

Active Device Configuration 


interface BVI10 
 ip address 192.168.5.54 255.255.255.255.0 
 no ip redirects 
 ip nat outside 
 standby 10 priority 105 preempt 
 standby 10 name HSRP1 
 standby 10 ip 192.168.5.30 
 standby 10 track gigabitethernet1/1/1 
! 
! 
 ip default-gateway 10.0.18.126 
 ip nat inside source static 192.168.5.33 10.10.10.5 redundancy HSRP1 
 ip classless 
 ip route 10.10.10.0 255.255.255.0 gigabitethernet1/1/1 
 ip route 172.22.33.0 255.255.255.0 gigabitethernet1/1/1 
 no ip http server

Standby Device Configuration


interface BVI10 
 ip address 192.168.5.56 255.255.255.255.0 
 no ip redirects 
 ip nat outside 
 standby 10 priority 100 preempt 
 standby 10 name HSRP1 
 standby 10 ip 192.168.5.30 
 standby 10 track gigabitethernet0/0/1 
! 
 ip default-gateway 10.0.18.126 
 ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1 
 ip classless 
 ip route 10.0.32.231 255.255.255 gigabitethernet0/0/1 
 ip route 10.10.10.0 255.255.255.0 gigabitethernet0/0/1 
 no ip http server

Additional References for Static NAT Mapping with HSRP

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

NAT commands: complete command syntax, command mode, command history, usage guidelines, and examples

Cisco IOS IP Addressing Services Command Reference

IP Access List Sequence Numbering

IP Access List Sequence Numbering document

NAT configuration tasks

“Configuring NAT for IP Address Conservation” module

NAT maintenance

“Monitoring and Maintaining NAT” module

Using NAT with MPLS VPNs

“Integrating NAT with MPLS VPNs” module

Standards and RFCs

Standard/RFC

Title

RFC 903

Reverse Address Resolution Protocol

RFC 826

Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware

RFC 1027

Using ARP to implement transparent subnet gateways

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Static NAT Mapping with HSRP

Table 1. Feature Information for Static NAT Mapping with HSRP

Feature Name

Releases

Feature Configuration Information

NAT—Static Mapping Support with HSRP for High Availability

Cisco IOS XE Release 2.1

Static mapping support for HSRP allows the option of having only the HSRP active router respond to an incoming ARP for a router configured with a NAT address.