Patterns for making NAT redundant
There are several ways to make NAT redundant on Cisco IOS; from what I could find, the main ones are the following.
■ HSRP + NAT pattern
- Configuration is fairly simple, since it only combines NAT and HSRP
- NAT table information is not synchronized between the routers
■ NAT Box-to-Box High Availability pattern
- NAT table information is synchronized
- It is a newer configuration style, so there are new things to learn
There also appears to have been a feature called Stateful NAT, but it seems to be deprecated(?) and cannot be used on the latest IOS.
This time I want to try the HSRP + NAT pattern.
HSRP + NAT configuration
Hostname | Interface | IP
---|---|---
ubuntu-0 | bond0 | 192.168.10.8/24
ubuntu-1 | bond0 | 192.168.10.9/24
HSRP-NAT | VIP | 192.168.10.1/24
HSRP-NAT1 | giga0/0 | 192.168.10.2/24
HSRP-NAT1 | giga0/1 | 10.0.0.254/24
HSRP-NAT2 | giga0/0 | 192.168.10.3/24
HSRP-NAT2 | giga0/1 | 10.0.0.254/24
ubuntu-2 | enp0s2 | 10.0.0.8/24
ubuntu-3 | enp0s2 | 10.0.0.8/24
※ ubuntu-2 and ubuntu-3 are given the same IP (this is fine because they will later be connected to AWS)
※ The iosvl2 side is NAT inside, the ubuntu-2/3 side is NAT outside
Network diagram
Ubuntu configuration
ubuntu-0 configuration
/etc/netplan/network.yaml (adjust the MAC address as appropriate)
```yaml
network:
  version: 2
  ethernets:
    switchports:
      match:
        name: enp0s[23]
  bonds:
    bond0:
      dhcp4: no
      dhcp6: no
      interfaces: [switchports]
      parameters:
        mode: balance-rr
        mii-monitor-interval: 1
      addresses: [192.168.10.8/24]
      gateway4: 192.168.10.1
```
```bash
# disable the initial (cloud-init) configuration file
mv /etc/netplan/50-cloud-init.yaml{,.disable}
sudo netplan apply
```
ubuntu-1 configuration
/etc/netplan/network.yaml (adjust the MAC address as appropriate)
```yaml
network:
  version: 2
  ethernets:
    switchports:
      match:
        name: enp0s[23]
  bonds:
    bond0:
      dhcp4: no
      dhcp6: no
      interfaces: [switchports]
      parameters:
        mode: balance-rr
        mii-monitor-interval: 1
      addresses: [192.168.10.9/24]
      gateway4: 192.168.10.1
```
```bash
# disable the initial (cloud-init) configuration file
mv /etc/netplan/50-cloud-init.yaml{,.disable}
sudo netplan apply
```
HSRP-NAT configuration
HSRP-NAT-1 interface configuration
```
interface GigabitEthernet0/0
 description to_sw1
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 5 ip 192.168.10.1
 standby 5 priority 105
 standby 5 preempt
 standby 5 name HSRP1
 standby 5 track 10 decrement 100
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description to_ubuntu-2
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
```
HSRP-NAT-2 interface configuration
```
interface GigabitEthernet0/0
 description to_sw2
 ip address 192.168.10.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 5 ip 192.168.10.1
 standby 5 preempt
 standby 5 name HSRP1
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description to_ubuntu-3
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
```
※ One thing that tripped me up: unless `standby 5 preempt` is configured, tracking does not seem to make the router become Active.
HSRP-NAT-1 object tracking
The following monitors reachability to 10.0.0.8 from GigabitEthernet0/1.
When reachability is lost, HSRP lowers the priority by 100 according to `standby 5 track 10 decrement 100` on int giga 0/0.
That in turn causes the VIP to fail over.
```
ip sla 1
 icmp-echo 10.0.0.8 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
```
NAT configuration for HSRP-NAT-1 and HSRP-NAT-2
When the NAT is made redundant with HSRP, the redundancy option (referencing the HSRP group name) is required.
```
ip nat inside source static 192.168.10.8 10.0.0.201 redundancy HSRP1
ip nat inside source static 192.168.10.9 10.0.0.202 redundancy HSRP1
```
Verifying operation
Reachability from ubuntu-0 -> ubuntu-2
We can see that the primary currently has priority 105 and that VIP 192.168.10.1 is configured
```
hsrp-nat-1#show standby all
GigabitEthernet0/0 - Group 5
  State is Active
    7 state changes, last state change 01:53:51
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.088 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.10.3, priority 100 (expires in 10.032 sec)
  Priority 105 (configured 105)
    Track object 10 state Up decrement 100
  Group name is "HSRP1" (cfgd)
hsrp-nat-1#
```
We can see that traffic passes through the active router (HSRP-NAT-1), is NAT-translated (source: 192.168.10.8 -> 10.0.0.201), and reaches the destination
```
root@ubuntu-0:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=3.11 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=4.13 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=2.85 ms
```
```
root@ubuntu-2:~# tcpdump -i enp0s2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:44:25.346572 IP 10.0.0.201 > ubuntu-2: ICMP echo request, id 13543, seq 14, length 64
13:44:25.346607 IP ubuntu-2 > 10.0.0.201: ICMP echo reply, id 13543, seq 14, length 64
13:44:25.663103 ARP, Request who-has 10.0.0.254 tell ubuntu-2, length 28
13:44:25.666529 ARP, Reply 10.0.0.254 is-at 52:54:00:0e:88:30 (oui Unknown), length 46
13:44:26.349612 IP 10.0.0.201 > ubuntu-2: ICMP echo request, id 13543, seq 15, length 64
13:44:26.349648 IP ubuntu-2 > 10.0.0.201: ICMP echo reply, id 13543, seq 15, length 64
13:44:27.350994 IP 10.0.0.201 > ubuntu-2: ICMP echo request, id 13543, seq 16, length 64
13:44:27.351031 IP ubuntu-2 > 10.0.0.201: ICMP echo reply, id 13543, seq 16, length 64
8 packets captured
8 packets received by filter
0 packets dropped by kernel
root@ubuntu-2:~#
```
Bring down the interface on ubuntu-2 so that the VIP moves
```
root@ubuntu-2:~# ip link set dev enp0s2 down
root@ubuntu-2:~# ip addr show dev enp0s2
2: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 52:54:00:13:83:f2 brd ff:ff:ff:ff:ff:ff
root@ubuntu-2:~#
```
As shown below, the state of the configured track object has gone Down
```
hsrp-nat-1#
*Oct 2 13:45:58.250: %TRACK-6-STATE: 10 ip sla 1 reachability Up -> Down
*Oct 2 14:58:29.369: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 5 state Active -> Speak
*Oct 2 14:58:40.153: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 5 state Speak -> Standby
```
As shown below, the State is now Standby, the Priority is 5 (= 105 - 100), and the track state is Down
```
hsrp-nat-1# show stand all
GigabitEthernet0/0 - Group 5
  State is Standby
    12 state changes, last state change 00:00:27
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.304 secs
  Preemption enabled
  Active router is 192.168.10.3, priority 100 (expires in 8.176 sec)
  Standby router is local
  Priority 5 (configured 105)
    Track object 10 state Down decrement 100
  Group name is "HSRP1" (cfgd)
hsrp-nat-1(config-if)#
```
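As an added example (not code from the original post), here is a small Python check that parses `show standby` output like the one above and verifies the failover logic described in the tracking section: while the track object is Down the effective priority must equal the configured value minus the decrement, a router whose tracked path is Down must not remain Active, and a router with a higher priority than the Active peer needs preemption enabled (the pitfall noted earlier). The sample output embedded in the code is constructed and modelled on the hsrp-nat-1 output in this post.

```python
import re

# Constructed sample (not a lab capture), modelled on hsrp-nat-1's 'show standby all' after the track went Down.
SAMPLE_STANDBY = """\
GigabitEthernet0/0 - Group 5
  State is Standby
    12 state changes, last state change 00:00:27
  Virtual IP address is 192.168.10.1
  Preemption enabled
  Active router is 192.168.10.3, priority 100 (expires in 8.176 sec)
  Standby router is local
  Priority 5 (configured 105)
    Track object 10 state Down decrement 100
  Group name is "HSRP1" (cfgd)
"""

def parse_show_standby(text):
    """Pull the fields the failover logic depends on out of 'show standby' output.
    Returns a dict; track_state/peer_priority are None when absent."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    pri = re.search(r"^\s*Priority (\d+) \((?:configured|default) (\d+)\)", text, re.M)
    track = re.search(r"Track object \d+ state (\w+) decrement (\d+)", text)
    peer = grab(r"Active router is [\d.]+, priority (\d+)")  # None when Active is local
    return {
        "state": grab(r"State is (\w+)"),
        "vip": grab(r"Virtual IP address is ([\d.]+)"),
        "preempt": grab(r"Preemption (\w+)") == "enabled",
        "priority": int(pri.group(1)),        # effective priority
        "configured": int(pri.group(2)),      # configured priority
        "track_state": track.group(1) if track else None,
        "decrement": int(track.group(2)) if track else 0,
        "peer_priority": int(peer) if peer else None,
    }

def check_group(g):
    """Consistency checks on one parsed HSRP group; returns findings (empty list = OK)."""
    findings = []
    expected = g["configured"] - (g["decrement"] if g["track_state"] == "Down" else 0)
    if g["priority"] != expected:
        findings.append(f"priority {g['priority']} differs from expected {expected}")
    if g["track_state"] == "Down" and g["state"] == "Active":
        findings.append("tracked path is Down but this router is still Active")
    # The pitfall from the post: a higher-priority router only reclaims Active with preempt
    if (g["state"] != "Active" and g["peer_priority"] is not None
            and g["priority"] > g["peer_priority"] and not g["preempt"]):
        findings.append("higher priority than the Active peer but preemption disabled")
    return findings
```

Running `check_group(parse_show_standby(SAMPLE_STANDBY))` returns an empty list for the healthy Standby state above; feeding it output with `Preemption disabled`, the track back Up and priority 105 produces the preemption finding.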
As shown below, the State is Active (= the VIP has moved)
```
hsrp-nat-2#show stand all
GigabitEthernet0/0 - Group 5
  State is Active
    5 state changes, last state change 00:01:00
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.176 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is "HSRP1" (cfgd)
hsrp-nat-2#
```
Ping continues to get through
```
root@ubuntu-0:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=2.94 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=3.63 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=3.89 ms
64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=3.65 ms
--- 10.0.0.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms^C
rtt min/avg/max/mdev = 2.943/3.529/3.893/0.361 ms
root@ubuntu-0:~#
```
Checking tcpdump on ubuntu-3, we can see the packets arrive NAT-translated
```
root@ubuntu-3:~# tcpdump -i enp0s2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s2, link-type EN10MB (Ethernet), capture size 262144 bytes
17:43:27.194055 Loopback, skipCount 0, Reply, receipt number 0, data (40 octets)
17:43:27.295920 IP 10.0.0.201 > ubuntu-3: ICMP echo request, id 13566, seq 1, length 64
17:43:27.295976 IP ubuntu-3 > 10.0.0.201: ICMP echo reply, id 13566, seq 1, length 64
17:43:28.296268 IP 10.0.0.201 > ubuntu-3: ICMP echo request, id 13566, seq 2, length 64
17:43:28.296304 IP ubuntu-3 > 10.0.0.201: ICMP echo reply, id 13566, seq 2, length 64
17:43:29.298791 IP 10.0.0.201 > ubuntu-3: ICMP echo request, id 13566, seq 3, length 64
17:43:29.298828 IP ubuntu-3 > 10.0.0.201: ICMP echo reply, id 13566, seq 3, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
root@ubuntu-3:~#
```
Bring the ubuntu-2 interface back up and recover
Bring the interface up
```
root@ubuntu-2:~# ip link set dev enp0s2 up
```
The track object comes back Up and hsrp-nat-1 preempts and returns to Active
```
hsrp-nat-1#
*Oct 2 14:49:33.473: %TRACK-6-STATE: 10 ip sla 1 reachability Down -> Up
*Oct 2 14:49:35.441: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 5 state Standby -> Active
```
```
hsrp-nat-1#show standby all
GigabitEthernet0/0 - Group 5
  State is Active
    13 state changes, last state change 00:06:47
  Virtual IP address is 192.168.10.1
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.392 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.10.3, priority 100 (expires in 9.840 sec)
  Priority 105 (configured 105)
    Track object 10 state Up decrement 100
  Group name is "HSRP1" (cfgd)
hsrp-nat-1#
```
```
root@ubuntu-0:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=4.55 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=2.59 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=4.53 ms
--- 10.0.0.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.591/3.896/4.559/0.924 ms
root@ubuntu-0:~#
```