Configuring RBM + VRRP + NAT server causes a NAT server address conflict

2021-12-28 00:16:43 Published

Network Topology

The network topology is as follows.


Problem Description

The RBM configuration is omitted here. For details, refer to the HA typical configuration on the official website:

https://www.h3c.com/en/d_202102/1383627_294551_0.htm

Port G1/0/1 on RBM1 and port G1/0/1 on RBM2 are configured as follows.

RBM1:

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 nat server global 2.1.1.4 inside 10.1.1.15 rule ServerRule_1


RBM2:

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 standby
 nat server global 2.1.1.4 inside 10.1.1.15 rule ServerRule_1


As a result, we see that the device keeps reporting address conflicts.

%Sep 29 07:31:37:044 2021 H3C ARP/6/DUPIFIP: -COntext=1; Duplicate address 2.1.1.4 on interface GigabitEthernet1/0/1, sourced from 7ab2-2c0e-0206. 

Process Analysis

By default, when a NAT device receives an ARP request whose target IP address is in the same network segment as the IP address of the NAT interface, it answers the request with the physical MAC address of the NAT interface.

The NAT server global address is configured on both RBM1 and RBM2, so each device answers ARP requests for it with the physical MAC address of its own interface. The same IP address then appears with two MAC addresses, and an IP address conflict is reported.

Solution

Solution 1.

Bind the NAT server to the VRRP backup group on G1/0/1 of RBM1 and on G1/0/1 of RBM2. The NAT server global address then answers ARP with the VRRP virtual MAC address, and the address conflict is no longer reported.


RBM1:

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 nat server global 2.1.1.4 inside 10.1.1.15 vrrp 1 rule ServerRule_1
 

RBM2:

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 standby
 nat server global 2.1.1.4 inside 10.1.1.15 vrrp 1 rule ServerRule_1


Solution 2.

Use a NAT server global address that is not in the same network segment as the interface, and configure routes to the NAT server global address on the uplink and downlink devices.
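
The check below is an added example, not part of the original case or of any H3C tool. It audits an interface block for NAT server global addresses that are on the interface's own subnet but not bound to a VRRP group configured on that interface, which is the condition behind the DUPIFIP log above. The function name unbound_nat_globals and the sample text (constructed from the configuration in this case) are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the GigabitEthernet1/0/1 block from this case.
BEFORE = """\
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 nat server global 2.1.1.4 inside 10.1.1.15 rule ServerRule_1
"""
AFTER = BEFORE.replace("10.1.1.15 rule", "10.1.1.15 vrrp 1 rule")  # Solution 1

def unbound_nat_globals(config):
    """Return (interface, global_ip) for each NAT server global address that is
    on the interface's own subnet but not bound to a VRRP group of that interface."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip():
            current = None  # left the interface view
    findings = []
    for iface, cmds in blocks.items():
        subnets, vrids, nats = [], set(), []
        for cmd in cmds:
            if m := re.match(r"ip address (\S+) (\S+)", cmd):
                subnets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            elif m := re.match(r"vrrp vrid (\d+) virtual-ip ", cmd):
                vrids.add(m[1])
            elif m := re.match(r"nat server\b.*?\bglobal (\S+)(.*)", cmd):
                nats.append((m[1], m[2]))
        for glob, rest in nats:
            try:
                addr = ipaddress.ip_address(glob)
            except ValueError:
                continue  # not a literal address; outside the scope of this check
            bound = re.search(r"\bvrrp (\d+)\b", rest)
            if any(addr in s for s in subnets) and not (bound and bound[1] in vrids):
                findings.append((iface, glob))
    return findings

if __name__ == "__main__":
    print("before:", unbound_nat_globals(BEFORE))
    print("after: ", unbound_nat_globals(AFTER))
```

Run it against the interface configuration of both HA members; a finding on either device means that device will answer ARP for the global address with its physical MAC.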
