Configuring stateful inter-chassis NAT redundancy

Stateful inter-chassis NAT redundancy requires synchronization on the CPM level and on the ISA and ESA levels.

CPM level synchronization is required primarily to exchange health information and keepalives between the nodes, which is used to determine the active and standby NAT groups between the two peers (nodes). Each peer is identified by a single IP address. The level of traffic exchanged between the peers for CPM synchronization is low.

The ISA or ESA level synchronization is required to synchronize flows between the ISA or ESAs. Each ISA or ESA becomes a peer and is identified by its own IP address. The level of traffic exchanged between ISA or ESA for synchronization purposes depends on the configuration and the amount of NAT traffic.

Basic configuration steps are described below with command syntax examples. Some of the steps are optional and can assume default values. For more information about each command, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

  1. Configure a synchronization peer on the CPM level. The health of the NAT group is exchanged between the chassis, and one node is elected as active for the NAT group. The other node becomes the standby for the same NAT group.

    configure redundancy multi-chassis peer 192.0.2.0 nat nat-group 1 sync-tag "some-tag"
    
  2. Configure keepalives between the nodes (CPMs).

    configure isa nat-group 1 inter-chassis-redundancy nat keepalive 50 dropcount 2
    
  3. Configure the minimum duration of the flow before it is synchronized. The operator may choose to synchronize only long-lived flows.

    configure isa nat-group 1 inter-chassis-redundancy nat replication-threshold 60
    
  4. Configure a timeout of the flow after a switchover. Independent of stateful redundancy, and depending on the type of traffic, each flow has a timeout value that determines its expiration time if there is inactivity. The initial flow timeouts are configured in a NAT policy. After a switchover, this timeout can be reset to a percentage of the originally configured value. This can be useful because some of the flows that are switched over may already have been inactive before the switchover.

    configure isa nat-group 1 inter-chassis-redundancy nat flow-timeout-on-switchover 10
    
  5. Configure the IP-MTU size of the packets carrying flow synchronization information between the ISA or ESAs.

    configure isa nat-group 1 inter-chassis-redundancy nat ip-mtu 9000
    
  6. Configure the IP address of the first ISA or ESA in a NAT group on local and remote nodes. The IP addresses for the remaining ISAs or ESAs are assigned automatically, as consecutive addresses. These are the peering addresses between the ISAs or ESAs over which the flows are synchronized. Traffic from the first IP address on the local node is sent to the first IP address on the remote node.

    configure isa nat-group 1 inter-chassis-redundancy nat local-ip-range-start 203.0.113.1 
    configure isa nat-group 1 inter-chassis-redundancy nat remote-ip-range-start 203.0.113.100
    
  7. Configure parameters related to the monitoring status of the ports and other objects, such as SAPs, BFD sessions, or VRRP sessions in the system. The status of those objects can affect the health of the system and can trigger a switchover.

    configure isa nat-group 1 inter-chassis-redundancy nat monitor-oper-group "demo-grp" health-drop 100
    configure isa nat-group 1 inter-chassis-redundancy nat monitor-port 1/1/1 health-drop 50
    
  8. Select the activity preference for a NAT group.

    configure isa nat-group 1 inter-chassis-redundancy nat preferred
    
  9. Reference a routing instance through which ISA or ESAs on redundant nodes exchange synchronization information.

    configure isa nat-group 1 inter-chassis-redundancy nat router "Base"
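
The address assignment described in step 6, as an added example (not Nokia code): it derives the ISA or ESA peering pairs from the two range-start commands and rejects ranges that share an address, on the basis that each ISA or ESA peer is identified by its own IP address. The member count of 4 and all function names are assumptions; the page does not state how many ISAs or ESAs are in the NAT group.

```python
import ipaddress
import re

# The two step-6 commands as given on the page.
CONFIG = """\
configure isa nat-group 1 inter-chassis-redundancy nat local-ip-range-start 203.0.113.1
configure isa nat-group 1 inter-chassis-redundancy nat remote-ip-range-start 203.0.113.100
"""

LINE = re.compile(
    r"configure isa nat-group (\d+) inter-chassis-redundancy nat "
    r"(local|remote)-ip-range-start (\S+)"
)

def range_starts(config):
    """Return {nat_group: {'local': address, 'remote': address}}."""
    groups = {}
    for match in LINE.finditer(config):
        group, side, addr = match.groups()
        groups.setdefault(int(group), {})[side] = ipaddress.ip_address(addr)
    return groups

def peering_pairs(local_start, remote_start, member_count):
    """Pair the n-th local address with the n-th remote address."""
    if member_count < 1:
        raise ValueError("member_count must be at least 1")
    local = [local_start + i for i in range(member_count)]
    remote = [remote_start + i for i in range(member_count)]
    shared = set(local) & set(remote)
    if shared:
        # An address in both ranges could not identify a single peer.
        raise ValueError(f"local and remote ranges share {sorted(shared)}")
    return list(zip(local, remote))

def pairs_for_group(config, group, member_count):
    """Derive the peering pairs for one NAT group from its CLI lines."""
    starts = range_starts(config).get(group, {})
    missing = {"local", "remote"} - starts.keys()
    if missing:
        raise ValueError(f"nat-group {group} lacks {sorted(missing)} range start")
    return peering_pairs(starts["local"], starts["remote"], member_count)

if __name__ == "__main__":
    # member_count=4 is a constructed value for illustration.
    for local, remote in pairs_for_group(CONFIG, 1, member_count=4):
        print(f"{local} <-> {remote}")
```

The derived pairs are also the addresses to permit between the two nodes in any filter applied to the routing instance referenced in step 9.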
    

Related show commands include the following: