
Posted on 20-Jun-2018


NAT Box-to-Box High Availability feature on ISR

Uma Sankar Mohanty

BRKARC-2033

Agenda

• Redundancy, A Wise Investment

• Box-2-Box High Availability feature

• NAT-HA Solution

• Design Recommendation

• Implementation Topology

• Configuration Design

• Troubleshooting Tips

• Conclusion

Redundancy a Wise Investment…

Box-2-Box High Availability Feature

• The B2B HA feature is used to make the IP network more resilient to link and router failures.

• The Key Elements

B2B HA Feature :

• NAT uses the services provided by the RG Infra present on the ISR G2 platforms to implement the HA feature.

• RG Infra defines multiple redundancy groups to which applications can subscribe and function in Active-Standby mode across different routers.

RG Infra (Redundancy Group Infrastructure) :

• The protocol is responsible for determining the RG active/standby role and triggers switchover.

• Responsible for communicating with the RG peers.

RG Protocol :

• RG Transport creates the Transport information structure, which enables communication channel setup between Active and Standby.

• The Transport information is negotiated over the Control link.

RG Transport :

• Manages the creation/deletion of virtual interfaces per RG.

RG Interface :

• Detects faults and updates the run-time priority.

• Responsible for communicating Control interface status to the RG Protocol.

• Communicates the updated priority to the RG Protocol.

RG Fault :

• Holds the configuration related to RG.

• Informs the core about new RG groups.

RG Config :

• This is the core infrastructure for High Availability.

• RG state progression & notifications.

• Receives new group information from RG Config.

• Receives the role information.

RG Framework :

NAT-HA Solution

NAT HA Solution :

• The NAT-HA feature lets application connectivity continue unaffected in the event of failures around the NAT border.

• Currently the feature works in an HSRP-like fashion: the configuration carries Virtual IP addresses (VIPs) and a virtual MAC.

Terminologies & Working

• RG Control Interface

• Dedicated interface used for the exchange of control Information by RG.

• Used for RG protocol negotiation

• Used for RG transport query

• Used for peer reachability detection

Note : The Control & Data Interfaces can be on the same physical interface.

Terminologies & Working

• RG Data Interface :

• Dedicated physical interface that provides connectivity between the two ISR routers.

• Used by the RG Infra for data exchanges between the ISR devices, such as NAT's session information.

Terminologies & Working

• RG AR (Asymmetric-Routing) Interface

• Dedicated physical interface used for forwarding AR packets from Standby to Active and vice versa (optional).

[State diagram: states INIT, RESET, STANDBY, HOT, ACTIVE and SOLO; transitions labelled ACTIVE/STANDBY, RESET/ACTIVE and STANDBY PRESENT, BULK SYNC SUCCEEDED]

State Transition in B2B HA NAT :

• B2BHA states are Active, Standby Hot, Standby Cold and Init.

• State changes: Init -> Standby -> Active, or Standby -> Active.

• The router with the higher priority value is given the Active role. If both routers have the same priority, the IP address is used to decide the role: the router with the higher control-interface IP address becomes Active.

Design Recommendation

Software

• Supported from 15.3(2)T and later releases.

Behavior

• HSRP-like behavior.

• A Virtual IP and a virtual MAC are needed.

Design

• Control and Data interfaces can be on the same physical interface, but on different logical ones.

Tracking

• Multiple objects can be tracked by the RG and influence the priority of the RG.

• Tracking can use IP SLA, or a decrement can be fed into RG Fault via "redundancy rii <num> decrement <val>".

Design Consideration :

Failover Triggers

• Power loss/reload

• Control interface down

• Data interface down

• Tracked object failure

• Priority of the Active drops below that of the Standby
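The election and failover rules above (higher priority wins, tie broken by the higher control-interface IP, tracked-object failures decrementing the run-time priority, and the five failover triggers) are small enough to encode and run. The following Python model is an added example, not part of the talk or of Cisco's code; the peer names, addresses, priorities and the "wan-sla" tracked object are constructed. The one rule the talk does not spell out, how "preempt" governs a recovered higher-priority peer retaking the role, is modelled as an assumption and marked as such in the code.

```python
"""Role election and failover-trigger model for a B2B HA RG pair.

Added example (not Cisco code). Encodes the rules stated in the talk:
higher priority wins, ties go to the higher control-interface IP,
tracked-object failures decrement the run-time priority, and the active
fails over on reload, control/data interface loss, or when its priority
falls below the standby's. Names, IPs and the 'wan-sla' track are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    name: str
    control_ip: str          # RG control-interface address (tie-breaker)
    priority: int            # configured 'priority <n>'
    preempt: bool = False    # 'preempt' under the RG group
    alive: bool = True       # False models power loss / reload
    control_up: bool = True
    data_up: bool = True
    # tracked objects: name -> (decrement, is_up), e.g. an IP SLA track
    tracked: Dict[str, Tuple[int, bool]] = field(default_factory=dict)

    def runtime_priority(self) -> int:
        """Configured priority minus the decrement of every failed tracked object."""
        return self.priority - sum(dec for dec, up in self.tracked.values() if not up)

    def eligible(self) -> bool:
        """A peer can hold the Active role only while it is up with control and data links."""
        return self.alive and self.control_up and self.data_up


def elect(a: Peer, b: Peer) -> Optional[Peer]:
    """Initial election: higher run-time priority wins; on a tie the peer with
    the higher control-interface IP address becomes Active."""
    candidates = [p for p in (a, b) if p.eligible()]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (p.runtime_priority(),
                                          int(ipaddress.ip_address(p.control_ip))))


def next_active(active: Peer, standby: Peer) -> Optional[Peer]:
    """Apply the failover triggers to a running pair and return the new Active.

    Reload or loss of the control/data interface hands the role to the standby
    (or to nobody if the standby is also down). A priority inversion caused by a
    tracked-object failure on the Active also triggers switchover. ASSUMPTION:
    a recovered higher-priority standby retakes the role only with 'preempt'.
    """
    if not active.eligible():
        return standby if standby.eligible() else None
    if not standby.eligible():
        return active
    act_prio, stby_prio = active.runtime_priority(), standby.runtime_priority()
    decremented = act_prio < active.priority
    if stby_prio > act_prio and (decremented or standby.preempt):
        return standby
    return active


def walkthrough() -> List[str]:
    """Constructed failure/recovery sequence; returns the Active after each step."""
    isr1 = Peer("ISR1", "10.1.1.1", priority=150, preempt=True,
                tracked={"wan-sla": (100, True)})
    isr2 = Peer("ISR2", "10.1.1.2", priority=100)
    steps = []
    active = elect(isr1, isr2)                 # 150 > 100 -> ISR1
    steps.append(active.name)
    isr1.tracked["wan-sla"] = (100, False)     # track fails: 150 - 100 = 50 < 100
    active = next_active(isr1, isr2)           # -> ISR2
    steps.append(active.name)
    isr1.tracked["wan-sla"] = (100, True)      # track recovers; ISR1 has preempt
    active = next_active(isr2, isr1)           # -> ISR1
    steps.append(active.name)
    isr1.control_up = False                    # control interface down
    active = next_active(isr1, isr2)           # -> ISR2
    steps.append(active.name)
    return steps


if __name__ == "__main__":
    print(walkthrough())
```

The "exclusive decrement 100" on the interface-level "redundancy group" command later in the talk is one source of such a decrement: an interface that is part of the RG going down drops the run-time priority by that value, which is exactly the inversion `next_active` reacts to.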

Implementation Topology

[Figure: B2BHA NAT LAN-LAN topology]

[Figure: B2BHA NAT WAN-LAN topology, with a WAN cloud between the sites]

Configuration Design

Supported NAT Configurations

Simple Static NAT Configuration

Extended Static NAT configurations

Network Static NAT configurations

Dynamic NAT and PAT configurations

NAT inside source, NAT outside source & NAT inside destination rules

NAT rules for VRF to IP Cases

NAT rules for VRF-to-VRF (within the same VRF) cases

Configuration Design :

Unsupported NAT Configurations :

NAT Configurations with interface overload options

NAT with MPLS L3VPN

NVI-NAT Feature

Supported ALGs :

The only Supported ALG at this time is FTP.

B2B NAT-HA Configuration Key Elements :

Redundancy Configurations :

Step 1 : Configure RG-ID

ISR1(config)#redundancy

ISR1(config-red)#application redundancy

ISR1(config-red-app)#group 1

ISR1(config-red-app-grp)#shutdown

This is the first step: configure the RG infra and 'shutdown' the group before proceeding with the further steps. Currently only two RG groups are supported.

Step 2 : Mention the Control & Data interface.

ISR1(config-red-app-grp)#control Ethernet0/1.10

ISR1(config-red-app-grp)#data Ethernet0/1.20

Define both the Control and Data interfaces.

Step 3 : Mention the Protocol

ISR1(config-red-app)#protocol 1

Define the RG protocol. Currently only one protocol (protocol 1) is supported.

Step 4 : Mention the Asymmetric-routing interface (optional)

ISR1(config-red-app-grp)#asymmetric-routing interface Ethernet0/1.30

The same physical interface as the Data and Control interfaces can be used.

Step 5 : Set up Preempt, priority & Group name (optional)

ISR1(config-red-app-grp)#name CISCO

ISR1(config-red-app-grp)#preempt

ISR1(config-red-app-grp)#priority 150

This set of commands is optional: 'name' names the RG group, 'preempt' allows the router to become the active router when its priority is higher, and 'priority' sets the configured priority.

Interface Configurations :

Step 1 : Configure the Redundancy rii.

ISR1(config)#interface GigabitEthernet 0/0/0

ISR1(config-if)#redundancy rii 100

Each interface that is part of the RG infra must be configured with a number that is unique on the device. Here 'number' is the unique identification number for each interface that is part of the RG infra.

Step 2 : Configure RG-id & Virtual IP

ISR1(config-if)#redundancy group 1 ip 10.2.2.20 exclusive decrement 100

Each LAN (or WAN) interface should be configured with the RG-id and a Virtual IP address. The VIP is enabled only on the device whose redundancy group is in the active state. The interface must already have an IP address assigned, and the VIP must be chosen from the same subnet as the interface's address.

Step 3 : Configure NAT inside & outside interfaces

ISR1(config-if)#ip nat inside/outside

The inside and outside NAT interfaces should be configured.

NAT Configurations :

Step 1 : Configure NAT Statements for RG Infra

ISR1(config)# ip nat inside source list acl_100 pool pool_100 redundancy 1 mapping-id 120 overload

Each NAT statement that is part of the RG infra must be assigned an 'RG-id' and a 'mapping-id'.

Make RG to Roll :

Step 1 : Enable RG Infra

ISR1(config)#redundancy

ISR1(config-red)#application redundancy

ISR1(config-red-app)#group 1

ISR1(config-red-app-grp)#no shutdown

After configuring all NAT rules, make sure a matching NAT configuration is applied on the peer router as well; only then enable the RG so that it can start negotiating. In short: complete the NAT config on both NAT routers, then enable the RG.
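The steps above end with a manual requirement: before "no shutdown" on the group, both peers must carry matching NAT rules, unique rii values, VIPs in the interface subnet, and none of the unsupported rule forms. The Python script below is an added example, not part of the talk or of Cisco's tooling, that checks those points over two routers' configuration text before the RG is enabled. It parses only the handful of IOS lines the talk uses; the two configs are constructed samples in which ISR1 follows the steps and ISR2 contains four deliberate mistakes.

```python
"""Pre-enable consistency check for a NAT Box-to-Box HA pair.

Added example (not Cisco code). Parses a small subset of IOS config text for
two peers and reports: duplicate 'redundancy rii' on one device, a VIP outside
the interface subnet, NAT rules lacking an RG-id/mapping-id, 'interface ...
overload' rules (unsupported with B2B HA), and mapping-id sets that differ
between peers (visible later as 'Mapping ID Mismatches' in
'show ip nat redundancy'). Both configs are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: ISR1 follows the talk's steps.
ISR1_CFG = """\
interface GigabitEthernet0/0/0
 ip address 10.2.2.2 255.255.255.0
 ip nat inside
 redundancy rii 100
 redundancy group 1 ip 10.2.2.20 exclusive decrement 100
interface GigabitEthernet0/0/1
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
 redundancy rii 101
 redundancy group 1 ip 192.0.2.20 exclusive decrement 100
ip nat inside source list acl_100 pool pool_100 redundancy 1 mapping-id 120 overload
"""

# Constructed sample: ISR2 has a duplicate rii, a VIP in the wrong subnet,
# a mapping-id that differs from ISR1, and an unsupported interface-overload rule.
ISR2_CFG = """\
interface GigabitEthernet0/0/0
 ip address 10.2.2.3 255.255.255.0
 ip nat inside
 redundancy rii 100
 redundancy group 1 ip 10.2.2.20 exclusive decrement 100
interface GigabitEthernet0/0/1
 ip address 192.0.2.3 255.255.255.0
 ip nat outside
 redundancy rii 100
 redundancy group 1 ip 198.51.100.20 exclusive decrement 100
ip nat inside source list acl_100 pool pool_100 redundancy 1 mapping-id 121 overload
ip nat inside source list acl_200 interface GigabitEthernet0/0/1 overload
"""

MAPPING_RE = re.compile(r"\bredundancy (\d+) mapping-id (\d+)")


def parse(cfg):
    """Return ({iface: {addr, rii, vips}}, [top-level 'ip nat' rule lines])."""
    ifaces, rules, cur = {}, [], None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"addr": None, "rii": None, "vips": []}
        elif line.startswith(" ") and cur is not None:
            tok = line.split()
            if tok[:2] == ["ip", "address"]:
                ifaces[cur]["addr"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            elif tok[:2] == ["redundancy", "rii"]:
                ifaces[cur]["rii"] = int(tok[2])
            elif tok[:2] == ["redundancy", "group"]:
                ifaces[cur]["vips"].append((int(tok[2]), ipaddress.ip_address(tok[4])))
        else:
            cur = None
            if line.startswith("ip nat "):
                rules.append(line.strip())
    return ifaces, rules


def mapping_ids(rules):
    """RG-id -> set of mapping-ids carried by the NAT rules."""
    out = {}
    for m in filter(None, map(MAPPING_RE.search, rules)):
        out.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return out


def check_device(name, cfg):
    """Single-router checks: rii uniqueness, VIP subnet, NAT rule shape."""
    findings, (ifaces, rules) = [], parse(cfg)
    riis = Counter(i["rii"] for i in ifaces.values() if i["rii"] is not None)
    for rii, n in riis.items():
        if n > 1:
            findings.append(f"{name}: redundancy rii {rii} used on {n} interfaces; must be unique")
    for ifname, i in ifaces.items():
        for rg, vip in i["vips"]:
            if i["addr"] is not None and vip not in i["addr"].network:
                findings.append(f"{name}: {ifname} RG {rg} VIP {vip} is outside {i['addr'].network}")
    for rule in rules:
        if " interface " in rule and " overload" in rule:
            findings.append(f"{name}: interface-overload NAT is unsupported with B2B HA: {rule}")
        elif not MAPPING_RE.search(rule):
            findings.append(f"{name}: NAT rule without RG-id/mapping-id will not be synced: {rule}")
    return findings


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Both single-router checks plus the cross-peer mapping-id comparison."""
    findings = check_device(name_a, cfg_a) + check_device(name_b, cfg_b)
    ma, mb = mapping_ids(parse(cfg_a)[1]), mapping_ids(parse(cfg_b)[1])
    for rg in sorted(set(ma) | set(mb)):
        if ma.get(rg, set()) != mb.get(rg, set()):
            findings.append(f"RG {rg}: mapping-ids differ {sorted(ma.get(rg, ()))} vs "
                            f"{sorted(mb.get(rg, ()))}; expect Mapping ID Mismatches")
    return findings


if __name__ == "__main__":
    for finding in check_pair("ISR1", ISR1_CFG, "ISR2", ISR2_CFG):
        print(finding)
```

Run it against the two running-configs (for example captured with "show running-config") before the "no shutdown"; an empty result for both devices and no RG mismatch line is the precondition the last step asks for.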

[Figure: B2BHA NAT topology with Asymmetric-Routing support enabled. Active and Standby ISRs each run RG1 between the LAN and the WAN cloud (WAN BRII 1 / WAN ARII 1); AR packets are forwarded over the AR interface between Standby and Active.]

Troubleshooting Tips

show ip nat redundancy <RG-id>

show ip nat translations redundancy <RG-id> [verbose]

show redundancy application group <RG-id>

show redundancy application protocol group <RG-id>

show ip route

show ip cef

show tech-support

Troubleshooting tips :

ISR1#show ip nat redundancy 1

RG ID: 1 RG Name: RG1

Current State: IPNAT_HA_RG_ST_ACT_BULK_DONE

Previous State: IPNAT_HA_RG_ST_ACTIVE

Recent Events: Curr: IPNAT_HA_RG_EVT_RF_ACT_STBY_HOT

Prev: IPNAT_HA_RG_EVT_RF_ACT_STBY_BULK_START

Statistics :

Static Mappings: 1, Dynamic Mappings: 0

Sync-ed Entries :

NAT Entries: 0, Door Entries: 0

Mapping ID Mismatches: 0

Forwarded Packets: 0, Dropped Packets : 0

Redirected Packets: 0

ISR2#show ip nat redundancy 1

RG ID: 1 RG Name: RG1

Current State: IPNAT_HA_RG_ST_STBY_HOT

Previous State: IPNAT_HA_RG_ST_STBY_COLD

Recent Events: Curr: IPNAT_HA_RG_EVT_RF_STBY_COLD

Prev: IPNAT_HA_RG_EVT_NAT_CFG_REF

Statistics :

Static Mappings: 1, Dynamic Mappings: 0

Sync-ed Entries :

NAT Entries: 0, Door Entries: 0

Mapping ID Mismatches: 0

Forwarded Packets: 0, Dropped Packets : 0

Redirected Packets: 0

ISR1#show ip nat translations redundancy 1 verbose

--- 6.6.6.6 5.5.5.5 --- ---

create 00:00:10, use 00:00:10 timeout:0,

flags:

static, created-by-local, use_count: 0, router/rg id: 0/1 ha_entry_num: 0

mapp_id[in/out]: 120/0, entry-id: 1, lc_entries: 0

ISR2#show ip nat translations redundancy 1 verbose

--- 6.6.6.6 5.5.5.5 --- ---

create 00:01:38, use 00:01:38 timeout:0,

flags:

static, created-by-local, use_count: 0, router/rg id: 0/1 ha_entry_num: 0

mapp_id[in/out]: 120/0, entry-id: 1, lc_entries: 0

Debugs for TAC Analysis :

Common error cases :

debug ip nat redundancy errors

Messages info :

debug ip nat redundancy messages [[detailed] [errors]]

Packet info :

debug ip nat redundancy packets

Database info :

debug ip nat redundancy db [errors]

Checkpointing Facility :

debug ip nat redundancy cf

Redundancy Framework :

debug ip nat redundancy rf [errors]

Useful Commands :

• The RG on the active is reloaded with "redundancy application reload group <rg-number> self"

• The RG on the active is shut down with these CLI commands in redundancy config mode:

ISR1(config-red-app)#group 1

ISR1(config-red-app-grp)#shutdown

• clear ip nat translation redundancy <RG-id> *

• clear ip nat translation redundancy <RG-id> forced

Useful Links :

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html

https://supportforums.cisco.com/document/12206251/nat-box-box-high-availability-function-overview

Conclusion

Key Takeaways :

• Purpose of redundancy.

• Redundancy for NAT traffic and its importance.

• Key elements of the NAT B2B HA feature.

• State changes.

• Design recommendation.

• Triggers for failover.

• Supported topologies.

• Supported & unsupported config.

• Configuration design.

• Troubleshooting tips.

“Q & A”
