RBM with VRRP: the virtual address and the real address are not on the same subnet, and the virtual address cannot reach the public network

2025-05-30 09:03:24 Published

Network Topology

Two firewalls are configured in RBM active-standby mode with VRRP. The virtual address of VRRP and the real address are not on the same subnet, resulting in the virtual address being unable to reach the public network address.

Problem Description

Two firewalls are configured in RBM active-standby mode combined with VRRP. The virtual address of VRRP and the real address are not on the same subnet, resulting in the virtual address being unable to reach the public network address.

Process Analysis

The ARP entry for the next hop toward the public network is learned normally, and the VRRP status is normal:

===============display vrrp verbose===============
IPv4 Virtual Router Information:
 Running mode      : Standard
 RBM control channel is established
   VRRP active group status : Master
   VRRP standby group status: Master
 Total number of virtual routers : 3
   Interface Ten-GigabitEthernet1/3/0.3000
     VRID (group)   : 1 (Active)          Adver Timer  : 100
     Admin Status   : Up                  State        : Master
     Config Pri     : 100                 Running Pri  : 100
     Preempt Mode   : Yes                 Delay Time   : 0
     Auth Type      : Not supported
     Version        : 3
     Virtual IP     : X.X.20.93/24
     Virtual MAC    : 0000-5e00-0101
     Master IP      : 172.16.10.33

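Pinging with the virtual address as the source shows that the ICMP packet is forwarded with the real interface address as its source address.

The interface configuration shows that nat outbound is configured on-site. With no address group specified, nat outbound translates the source to the interface's own address, so a ping from the virtual address is NAT-translated to the real address: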

interface Ten-GigabitEthernet1/3/0.300
 ip address 172.16.10.33 255.255.255.252
 vrrp vrid 1 virtual-ip x.x.20.93 255.255.255.0 active
 ip last-hop hold
 nat outbound
 manage ping inbound
 manage ping outbound
 vlan-type dot1q vid 300

Solution

Configure NAT outbound with a NAT address group (address pool) instead of the bare nat outbound. The test was successful after making this change.

nat address-group 1
 address x.x.x.x x.x.x.x
interface gx/x/x
 nat outbound address-group 1
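
The condition diagnosed above can be checked offline against a saved configuration. The following is an added example, not part of the original case or of H3C's tooling: it flags interfaces where nat outbound has no address-group and the VRRP virtual IP lies outside the real address's subnet. The function name and the sample configuration (with documentation-range addresses in place of the masked x.x.20.93) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the public addresses the case masks as x.x.20.93.
SAMPLE_CONFIG = """\
interface Ten-GigabitEthernet1/3/0.300
 ip address 172.16.10.33 255.255.255.252
 vrrp vrid 1 virtual-ip 203.0.113.93 255.255.255.0 active
 nat outbound
#
interface Ten-GigabitEthernet1/3/0.301
 ip address 172.16.10.37 255.255.255.252
 vrrp vrid 2 virtual-ip 203.0.113.94 255.255.255.0 active
 nat outbound address-group 1
#
interface GigabitEthernet1/0/1
 ip address 198.51.100.2 255.255.255.0
 vrrp vrid 3 virtual-ip 198.51.100.1 active
 nat outbound
#
"""

def find_easy_ip_vrrp_mismatch(config):
    """Return (interface, real_ip, virtual_ip) tuples where NAT would translate
    to a real address whose subnet does not contain the VRRP virtual IP."""
    findings = []
    for block in re.split(r"(?m)^interface\s+", config)[1:]:
        # An interface view ends at the next "#" separator line.
        lines = [line.strip() for line in block.split("#")[0].splitlines()]
        name, real, vips, easy_ip = lines[0], None, [], False
        for line in lines[1:]:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                real = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"vrrp vrid \d+ virtual-ip (\S+)", line):
                vips.append(ipaddress.ip_address(m[1]))
            elif line.split()[:2] == ["nat", "outbound"]:
                # Assumption from the case: without address-group, the source
                # is translated to the interface's real address.
                easy_ip = easy_ip or "address-group" not in line.split()
        if easy_ip and real:
            findings += [(name, str(real.ip), str(v))
                         for v in vips if v not in real.network]
    return findings

if __name__ == "__main__":
    for name, real_ip, vip in find_easy_ip_vrrp_mismatch(SAMPLE_CONFIG):
        print(f"{name}: nat outbound uses {real_ip}, not virtual IP {vip}")
```

Only the first sample interface is reported; the second already uses an address group, and the third has its virtual IP inside the real address's subnet.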
