Tip
This is the documentation for the 24.06 version. Looking for the documentation of the latest version? Have a look here.
VRRP with Outside NAT¶
This example is a two-node VRRP cluster with internal and external VR address and NAT.
See also
For an example without NAT, see VRRP Example.
In this example, the WAN-side VR address (203.0.113.254) is used for
outbound NAT from the internal private subnet 10.2.0.0/24. Clients will use
the LAN-side VR address (10.2.0.1) as their gateway.
Interface tracking is included in the example to protect against a single failure of either WAN or LAN.
See also
See VRRP Configuration for more information on how the commands in the example function.
Required Information¶
These tables contain all required information to configure the cluster.
The information in this first table is related to the setup in general, not a specific cluster node.
Item |
Value |
|---|---|
Upstream Gateway |
203.0.113.1 |
Shared WAN VR Address |
203.0.113.254 |
NAT Pool Address |
203.0.113.254 |
Shared LAN VR Address |
10.2.0.1 |
LAN Client Gateway |
10.2.0.1 |
This information is for the primary node, which in this example is called R1.
Item |
Value |
|---|---|
R1 WAN Interface |
0000:06:00.0 |
R1 WAN IP Address |
203.0.113.2/24 |
R1 WAN VR ID |
220 |
R1 WAN VR Priority |
254 |
R1 LAN Interface |
0000:06:00.1 |
R1 LAN IP Address |
10.2.0.2/24 |
R1 LAN VR ID |
210 |
R1 LAN VR Priority |
254 |
R1 Priority Decrease |
240 (14) |
This information is for the secondary node, which in this example is called R2. Note that the interface addresses are different than R1, but the same VR address is used.
Item |
Value |
|---|---|
R2 WAN Interface |
0000:06:00.0 |
R2 WAN IP Address |
203.0.113.3/24 |
R2 WAN VR ID |
220 |
R2 WAN VR Priority |
100 |
R2 LAN Interface |
0000:06:00.1 |
R2 LAN IP Address |
10.2.0.3/24 |
R2 LAN VR ID |
210 |
R2 LAN VR Priority |
100 |
R2 Priority Decrease |
90 (10) |
Example Configuration¶
The configuration commands in this section show how the settings from the table above are applied to each node. Some additional VRRP settings are shown in the commands but not the tables, but they are using the default values, shown for emphasis.
First, set the R1 interface names:
r1 tnsr(config)# dataplane dpdk dev 0000:06:00.0 network name WAN
r1 tnsr(config)# dataplane dpdk dev 0000:06:00.1 network name LAN
r1 tnsr(config)# service dataplane restart
Now configure the R1 WAN interface:
r1 tnsr(config)# int WAN
r1 tnsr(config-interface)# ip address 203.0.113.2/24
r1 tnsr(config-interface)# ip vrrp-virtual-router 220
r1 tnsr(config-vrrp4)# preempt true
r1 tnsr(config-vrrp4)# accept-mode true
r1 tnsr(config-vrrp4)# v3-advertisement-interval 100
r1 tnsr(config-vrrp4)# priority 254
r1 tnsr(config-vrrp4)# track-interface LAN priority-decrement 240
r1 tnsr(config-vrrp4)# virtual-address 203.0.113.254
r1 tnsr(config-vrrp4)# exit
r1 tnsr(config-interface)# exit
r1 tnsr(config)#
Next, configure the R1 LAN interface:
r1 tnsr(config)# int LAN
r1 tnsr(config-interface)# ip address 10.2.0.2/24
r1 tnsr(config-interface)# ip vrrp-virtual-router 210
r1 tnsr(config-vrrp4)# preempt true
r1 tnsr(config-vrrp4)# accept-mode true
r1 tnsr(config-vrrp4)# v3-advertisement-interval 100
r1 tnsr(config-vrrp4)# priority 254
r1 tnsr(config-vrrp4)# track-interface WAN priority-decrement 240
r1 tnsr(config-vrrp4)# virtual-address 10.2.0.1
r1 tnsr(config-vrrp4)# exit
r1 tnsr(config-interface)# exit
r1 tnsr(config)#
Configure NAT on R1:
r1 tnsr(config)# nat global-options nat44 forwarding true
r1 tnsr(config)# nat global-options nat44 endpoint-dependent true
r1 tnsr(config)# nat global-options nat44 enabled true
r1 tnsr(config)# nat pool address 203.0.113.254
r1 tnsr(config)# int WAN
r1 tnsr(config-interface)# ip nat outside
r1 tnsr(config-interface)# exit
r1 tnsr(config)# int LAN
r1 tnsr(config-interface)# ip nat inside
r1 tnsr(config-interface)# exit
R1 is now complete.
Set the R2 interface names:
r2 tnsr(config)# dataplane dpdk dev 0000:06:00.0 network name WAN
r2 tnsr(config)# dataplane dpdk dev 0000:06:00.1 network name LAN
r2 tnsr(config)# service dataplane restart
Configure the R2 WAN interface:
r2 tnsr(config)# int WAN
r2 tnsr(config-interface)# ip address 203.0.113.3/24
r2 tnsr(config-interface)# ip vrrp-virtual-router 220
r2 tnsr(config-vrrp4)# preempt true
r2 tnsr(config-vrrp4)# accept-mode true
r2 tnsr(config-vrrp4)# v3-advertisement-interval 100
r2 tnsr(config-vrrp4)# priority 100
r2 tnsr(config-vrrp4)# track-interface LAN priority-decrement 90
r2 tnsr(config-vrrp4)# virtual-address 203.0.113.254
r2 tnsr(config-vrrp4)# exit
r2 tnsr(config-interface)# exit
r2 tnsr(config)#
Next, configure the R2 LAN interface:
r2 tnsr(config)# int LAN
r2 tnsr(config-interface)# ip address 10.2.0.3/24
r2 tnsr(config-interface)# ip vrrp-virtual-router 210
r2 tnsr(config-vrrp4)# preempt true
r2 tnsr(config-vrrp4)# accept-mode true
r2 tnsr(config-vrrp4)# v3-advertisement-interval 100
r2 tnsr(config-vrrp4)# priority 100
r2 tnsr(config-vrrp4)# track-interface WAN priority-decrement 90
r2 tnsr(config-vrrp4)# virtual-address 10.2.0.1
r2 tnsr(config-vrrp4)# exit
r2 tnsr(config-interface)# exit
r2 tnsr(config)#
Finally, configure NAT on R2:
r2 tnsr(config)# nat global-options nat44 forwarding true
r2 tnsr(config)# nat global-options nat44 endpoint-dependent true
r2 tnsr(config)# nat global-options nat44 enabled true
r2 tnsr(config)# nat pool address 203.0.113.254
r2 tnsr(config)# int WAN
r2 tnsr(config-interface)# ip nat outside
r2 tnsr(config-interface)# exit
r2 tnsr(config)# int LAN
r2 tnsr(config-interface)# ip nat inside
r2 tnsr(config-interface)# exit
At this point, the interface and VRRP configuration is complete for both nodes.
LAN clients in 10.2.0.0/24 can use the LAN VR address of
10.2.0.1 as their default gateway. When traffic exits WAN, NAT will
translate the source address to 203.0.113.254.