Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
AR2240 / NAT and VRRP iss...

AR2240 / NAT and VRRP issue

Created: Jun 4, 2019 13:55:09Latest reply: Jun 5, 2019 09:17:57 911 6 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hello,


I'm trying to setup redondancy for my edge router. I have 2 routers AR2240, each one have wan interface and local interface. I have setup NAT for internal subnet but it's not working as expected. When master change, i can see outgoing packets on the new master but incoming packet are showing up on the old master.


Am i missing some config ? I have see a vrrp option for outgoinf nat but not really documented and after some tests it doesn't change anything.


Here are my configs. lan traffic is comming from eth-t10, xg0/0/1 is public IP lan, xg0/0/0 is wan interco :


R1:

 nat address-group 1 yy.yy.yy.201 yy.yy.yy.201

#

acl number 2000                           

 rule 5 permit source 192.168.0.0 0.0.255.255 

#

interface XGigabitEthernet0/0/0

 description TO MT

 ip address xx.xx.xx.27 255.255.255.248

 vrrp vrid 1 virtual-ip xx.xx.xx.26

 vrrp vrid 1 priority 120

 vrrp vrid 1 preempt-mode timer delay 60

 nat outbound 2000 address-group 1

#                                         

interface XGigabitEthernet0/0/1           

 description To_Switch

 ip address yy.yy.yy.211 255.255.255.0   

 vrrp vrid 2 virtual-ip yy.yy.yy.253     

 vrrp vrid 2 priority 120                 

 vrrp vrid 2 preempt-mode timer delay 60  

 nat outbound 2000 address-group 1

#

interface Eth-Trunk10

 undo portswitch

 ip address 10.0.0.211 255.255.255.0

 vrrp vrid 3 virtual-ip 10.0.0.254

 vrrp vrid 3 priority 120

 vrrp vrid 3 preempt-mode timer delay 60

 mode lacp-static

#


R2:

 nat address-group 1 yy.yy.yy.201 yy.yy.yy.201

#

acl number 2000                           

 rule 5 permit source 192.168.0.0 0.0.255.255 

#

interface XGigabitEthernet0/0/0

 description TO MT

 ip address xx.xx.xx.28 255.255.255.248

 vrrp vrid 1 virtual-ip xx.xx.xx.26

 vrrp vrid 1 priority 120

 vrrp vrid 1 preempt-mode timer delay 60

 nat outbound 2000 address-group 1

#                                         

interface XGigabitEthernet0/0/1           

 description To_Switch

 ip address yy.yy.yy.210 255.255.255.0   

 vrrp vrid 2 virtual-ip yy.yy.yy.253     

 vrrp vrid 2 priority 120                 

 vrrp vrid 2 preempt-mode timer delay 60  

 nat outbound 2000 address-group 1

#

interface Eth-Trunk10

 undo portswitch

 ip address 10.0.0.210 255.255.255.0

 vrrp vrid 3 virtual-ip 10.0.0.254

 vrrp vrid 3 priority 120

 vrrp vrid 3 preempt-mode timer delay 60

 mode lacp-static


What config should i change to achieve NAT HA ?


NATVRRP

Like (0) Dislike (0) Favorite(0) Share Report
Previous: Global Interface with support BAS and user vlan
Next: All the commands of routers?
Featured Answers

Recommended answer

(0) (0)
Popeye_Wang
Admin Created Jun 5, 2019 08:31:58

Posted by Rhada at 2019-06-05 07:16My bad, it was a wrong copy / paste. The preempt and priority config is only present on the master ...
The possible cause is that the return route of the ISP is incorrect. It points to the IP address of R1 instead of virtual-ip. So 'incoming packets are showing up on the old master'.
View more
  • x
  • convention:
All Answers
(0) (0)
2#
Popeye_Wang
Popeye_Wang Admin Created Jun 4, 2019 14:59:55

For the NAT configuration,  have you configured the default route? 
I noticed that you have configured two NAT egresses, maybe you should also configure redirection. 


View more
  • x
  • convention:
(0) (0)
3#
Popeye_Wang
Popeye_Wang Admin Created Jun 4, 2019 15:02:15

When configuring VRRP, in normal cases, you only need to configure higher priority and preemption for the master device. What causes the master change? Three VRRP groups are configured, what are the outbound/inbound interfaces you mentioned? Can you give a simple topology?
View more
  • x
  • convention:
(0) (0)
4#
Rhada
Rhada Created Jun 5, 2019 06:55:52

Posted by Popeye_Wang at 2019-06-04 14:59 For the NAT configuration,  have you configured the default route? I noticed that you have config ...
Yes the default route is set for both routers.

There are 2 egresses because i need NAT to go out of my network and also to work with my own IPs in public range

I will have a look on redirection

Thank you for your help
View more
  • x
  • convention:
(0) (0)
5#
Rhada
Rhada Created Jun 5, 2019 07:16:55

Posted by Popeye_Wang at 2019-06-04 15:02 When configuring VRRP, in normal cases, you only need to configure higher priority and preemption fo ...
My bad, it was a wrong copy / paste. The preempt and priority config is only present on the master.

The master change is on nqa tests failed and interfaces tracking. For testing i shutdown wan interface and it switch as intended.

regarding the topo, my routers are the gateway of our lan (192.168.0.0/16) and nat outgoing traffic on specific IP and are also gw for our public network. The eth-trunk interface is for traffic comming from lan, xg0/0/1 is for our public IP subnet and xg0/0/0 is the wan interface connected to our ISP.

you can find a simplified toppo here : https://pastebin.com/c4itpknn

thank you
View more
  • x
  • convention:
(0) (0)
6#
Popeye_Wang
Popeye_Wang Admin Created Jun 5, 2019 08:31:58

Posted by Rhada at 2019-06-05 07:16My bad, it was a wrong copy / paste. The preempt and priority config is only present on the master ...
The possible cause is that the return route of the ISP is incorrect. It points to the IP address of R1 instead of virtual-ip. So 'incoming packets are showing up on the old master'.
View more
  • x
  • convention:
(0) (0)
7#
Rhada
Rhada Created Jun 5, 2019 09:17:57

Posted by Popeye_Wang at 2019-06-05 08:31 The possible cause is that the return route of the ISP is incorrect. It points to the IP address o ...
I have checked with our ISP and now it's working ... They said that they haven't change anything. Strange ...

Thank you for your help
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.