[c-nsp] NAT & two routers

Christian Zeng christian at zengl.net
Fri Nov 3 06:42:49 EST 2006


Hi,

* matthew zeier <mrz at velvet.org> wrote:
>I'll be fronting several networks with a pair of 6503/Sup32s and need to 
>NAT the inside networks out.
>
>Mentally I can't figure out how that'd work if both routers are running 
>glsb/hsrp on the inside and outside interfaces and that NAT translation 
>table isn't sync'd between the two.

If it's static NAT (1:1 mapping) and you're using HSRP, you can have a
single global network per internal network. Because of the 1:1 mapping,
sessions survive a router failure. The second one simply continues the
translation. The global addresses must be routed to the HSRP address.

For dynamic/overload NAT, you can use different address pools on each
router, but this will not provide any stateful failover functionality.

I'm not sure how GLSB fits into this, but I assume that both routers
will be active and provide translation services for your internal
networks. You'd need to have dedicated address pools/networks per
router, so ingress traffic hits the correct device. Again, this does not
provide any stateful failover.

I'd rather use one of the options described above than syncing state
tables. Think about short-lived sessions like HTTP and if it makes
sense to track states for them - and consider the additional load on the
devices caused by the synchronization.

Best regards,


Christian
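
A small model of the failover behaviour described in the message above, added here as an illustration and not part of the original post. The class names, the `failover_survives` helper and all addresses are assumptions (constructed sample values); it models the translation logic only, not IOS itself.

```python
import ipaddress

# Constructed sample addressing: RFC 1918 inside, RFC 5737 documentation range outside.
INSIDE = ipaddress.ip_network("10.1.1.0/24")
GLOBAL = ipaddress.ip_network("192.0.2.0/24")


class StaticNatRouter:
    """1:1 network NAT: the mapping is a pure function of the address, no per-flow state."""

    def outbound(self, src, sport):
        offset = int(ipaddress.ip_address(src)) - int(INSIDE.network_address)
        return str(GLOBAL.network_address + offset), sport

    def inbound(self, dst, dport):
        offset = int(ipaddress.ip_address(dst)) - int(GLOBAL.network_address)
        return str(INSIDE.network_address + offset), dport


class OverloadNatRouter:
    """Overload NAT (PAT): replies can only be translated via this router's own table."""

    def __init__(self, pool_addr):
        self.pool_addr = pool_addr
        self.table = {}        # (global ip, global port) -> (inside ip, inside port)
        self.next_port = 1024

    def outbound(self, src, sport):
        key = (self.pool_addr, self.next_port)
        self.next_port += 1
        self.table[key] = (src, sport)
        return key

    def inbound(self, dst, dport):
        # No table entry means the reply cannot be translated and is dropped.
        return self.table.get((dst, dport))


def failover_survives(primary, standby, src="10.1.1.25", sport=40000):
    """Open a flow through `primary`, then deliver the reply through `standby`."""
    g_ip, g_port = primary.outbound(src, sport)
    return standby.inbound(g_ip, g_port) == (src, sport)


if __name__ == "__main__":
    print("static 1:1:", failover_survives(StaticNatRouter(), StaticNatRouter()))
    print("overload  :", failover_survives(OverloadNatRouter("198.51.100.1"),
                                           OverloadNatRouter("198.51.100.2")))
```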

