NATing to the virtual MAC address of an HSRP group problems...
I have a problem where I need to NAT various IP addresses, and need the NATed addresses to carry the virtual MAC address of the HSRP group on their onward travel.
By default, with the Cisco 871s I'm using, the packets are NATed, but carry the MAC address of the external interface, not the virtual MAC address.
The problem is that when I fail over to the standby 871, the packets will then have the MAC address of the standby (new active) 871. This causes problems because my next hop doesn't update its ARP tables (very infrequent updates).
The next hop will accept packets NATed by the standby (now live), but will continue to send replies (e.g. ICMP) to the live (now standby) because it hasn't updated its ARP table.
I know that I can create a NAT pool with the virtual IP address as the only member of the pool. Packets will then have the virtual MAC address, and the problem will be fixed, but if I need to NAT IP addresses to *different* NATed addresses, then I would have to create multiple HSRP groups, with different virtual IPs and MACs, and then create multiple NAT pools...
If I can't get my next hop (which I have minimal control over) to refresh/update its ARP table, then I will consider the multiple HSRP group config, but before I try that I would like to know whether I would be able to have multiple virtual IPs and MACs on a single interface. Apparently there was a problem with the Catalyst 2500/4500 series where the same MAC address would be used for all HSRP groups, and you had to use burned-in MAC addresses for HSRP groups, which wouldn't provide a solution in this case.
Any ideas on how to fix this would be greatly appreciated. BTW I have proxy ARP on the external interface, and gratuitous ARP.
Re: NATing to the virtual MAC address of an HSRP group problems.
Thanks for your response. The articles were interesting and I think I can gain from the second one, as I am doing static mapping.
I actually figured out a solution to my problem.
I needed to use a virtual MAC address for the outside HSRP group, and create ARP aliases for all of the static IP addresses. By doing this, all the packets get NATed to the correct IP address, and get the virtual MAC address, so if one of the routers fails, the return packets will go to the new live router.
Much easier than creating multiple NAT pools with HSRP IP addresses as their only NAT address, and then using one NAT pool/HSRP group per IP address that I need NATed!
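The fix described in the reply above, written out as an added IOS configuration example (not the poster's own config). Interface names, addresses, the HSRP group number and the static mappings are assumptions; the virtual MAC follows the HSRPv1 convention 0000.0c07.acXX, where XX is the group number.

```cisco
! Outside interface: HSRP group 1 with an assumed virtual IP of 203.0.113.1.
! HSRPv1 gives group 1 the virtual MAC 0000.0c07.ac01 (assumed group number).
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
!
! Inside interface (assumed addressing).
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Static one-to-one NAT for two inside hosts (assumed addresses).
ip nat inside source static 10.0.0.10 203.0.113.10
ip nat inside source static 10.0.0.11 203.0.113.11
!
! ARP aliases: the router answers ARP for each static NAT address with the
! HSRP virtual MAC instead of the interface's burned-in MAC, so the next
! hop's cached entry stays valid after a failover. Configure the same
! lines on the standby router so it answers identically once active.
arp 203.0.113.10 0000.0c07.ac01 arpa alias
arp 203.0.113.11 0000.0c07.ac01 arpa alias
```

To confirm the result, `show standby brief` reports the group's virtual MAC and `show ip arp` lists the alias entries with that MAC; the next hop's ARP cache should then show the virtual MAC for every NATed address.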