Solution for network connection with same IP address (NAT, VRF, etc.)

WangSteven02215
Level 1

Hi,

As shown in the picture, each industrial PC is connected to the L2 Switch (No VLAN). 

The customer wants to install a data collection server and a data monitoring server. The data must be transferred from the industrial PCs to the data collection server and then the data collection server must send data to the data monitoring server.

However, since the IP addresses of the industrial PCs cannot be changed, there is duplication of IP addresses (PC 1 and 3) and of the same network (192.168.100.0/24). For newly installed servers, IP settings can be freely set.

To solve this problem, I could think of using NAT and VRF. However, in terms of cost, maintenance, etc., I cannot decide on the best network configuration because of insufficient experience.

Please give me advice on how to overcome this situation and build a network. If you could suggest a detailed network configuration including the command line, that would be really helpful.

Thank you very much.

 


MHM

Maybe everyone knows that the static NAT is needed. I need a more detailed explanation of a network configuration. Could you give me more information? I believe that you would be a great help. Thanks.

Hello
You are correct that VRF/NAT would be applicable, as it is an easy way to "hide" and segregate your network.
For this to be applicable, you would require a new router and an additional switch. Then you can create individual VRFs and apply them to each sub-interface of the rtr physical interface, which will then connect to the new switch via a trunk interface. The rtr will also be where NAT can be introduced.

Data collect server<>NEW RTR<>NEW SWITCH<> l2 switches<>pcs

If you are able to obtain a rtr and switch then the configuration to complete the connectivity should be straightforward.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

 

I really appreciate your explanation. According to your explanation, I have configured it as shown in the attached file, and entered the commands into the router (R1) and L2 switch (CiscoL2Switch-1) as follows:

Switch#conf t

Switch(config)# interface gi1/0
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# exit

 

R1#conf t
R1(config)# ip nat inside source static 192.168.100.10 192.168.100.11
R1(config)# ip routing
R1(config)# ip vrf VRF_A
R1(config-vrf)# exit
R1(config)# ip vrf VRF_B
R1(config-vrf)# exit
R1(config)# ip vrf VRF_C
R1(config-vrf)# exit
R1(config)# ip vrf VRF_D
R1(config-vrf)# exit


R1(config)#interface fa0/0
R1(config-if)#interface fa0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip vrf forwarding VRF_A
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0
R1(config-if)#interface fa0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip vrf forwarding VRF_B
R1(config-subif)#ip nat inside
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0
R1(config-if)#interface fa0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip vrf forwarding VRF_C
R1(config-subif)#ip address 178.142.3.1 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0
R1(config-if)#interface fa0/0.40
R1(config-subif)#encapsulation dot1q 40
R1(config-subif)#ip vrf forwarding VRF_D
R1(config-subif)#ip address 178.142.1.1 255.255.255.0
R1(config-subif)#no shutdown
R1(config-subif)#exit

R1(config)#interface fa1/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fa1/1
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

 

Unfortunately, the ping test from Industrial PC 1~8 to the data collect server failed. Please note that VLAN setting on the existing switches (Switch 1~4) is impossible because the configuration for existing switches cannot be changed.

Could you tell me what is the problem or suggest a solution to solve the problem I mentioned?

Thanks.

Hello
Reachability is achievable. Based on your topology diagram, for the data monitoring/collect servers to communicate with all industrial hosts:

R1
1) Create static route entries in each of rtr1's VRF route tables to point to each external server's subnet
2) Apply the outside NAT domain to each external interface
3) Apply the inside NAT domain to each VRF internal subinterface
4) Create static 1-to-1 VRF NAT statements for each industrial host to a specific inside global NAT subnet (this can be any subnet of your choosing as long as it is free to use; the external servers will be able to reach them as they have default gateways pointing to the NAT rtr anyway). In the example below I have chosen 10.1.14.0/24.

Example -Rtr1
ip route vrf VRF_A 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
ip route vrf VRF_A 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
ip route vrf VRF_B 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
ip route vrf VRF_B 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
ip route vrf VRF_C 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
ip route vrf VRF_C 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
ip route vrf VRF_D 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
ip route vrf VRF_D 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global

interface fa1/0
no shut
ip nat outside

interface fa1/1
no shut
ip nat outside

interface fa0/0.10
ip vrf forwarding VRF_A
ip nat inside
interface fa0/0.20
ip vrf forwarding VRF_B
ip nat inside
interface fa0/0.30
ip vrf forwarding VRF_C
ip nat inside
interface fa0/0.40
ip vrf forwarding VRF_D
ip nat inside


ip nat inside source static 192.168.100.10 10.1.14.10 vrf VRF_A
ip nat inside source static 192.168.100.30 10.1.14.11 vrf VRF_A
ip nat inside source static 192.168.100.10 10.1.14.12 vrf VRF_B
ip nat inside source static 192.168.100.20 10.1.14.13 vrf VRF_B
ip nat inside source static 178.142.3.5 10.1.14.14 vrf VRF_C
ip nat inside source static 178.142.3.2 10.1.14.15 vrf VRF_C
ip nat inside source static 178.142.1.2 10.1.14.16 vrf VRF_D
ip nat inside source static 178.142.1.4 10.1.14.17 vrf VRF_D

sh ip nat translations



Kind Regards
Paul
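The four steps in the reply above can be checked mechanically against a saved configuration. The following Python check is an added example, not code from the thread: `lint` and `SAMPLE` are hypothetical names, the sample is constructed from the thread's addresses with faults left in, and it assumes running-config style text in which any addressed interface without `ip vrf forwarding` is an outside interface.

```python
import ipaddress, re

# Added example: lint() is a hypothetical helper; SAMPLE is constructed from the thread's addresses.
SAMPLE = """\
interface FastEthernet0/0.10
 ip vrf forwarding VRF_A
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0.20
 ip vrf forwarding VRF_B
 ip address 192.168.100.1 255.255.255.0
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
interface FastEthernet1/1
 ip address 192.168.2.1 255.255.255.0
ip route vrf VRF_A 192.168.1.0 255.255.255.0 FastEthernet1/0 192.168.1.3 global
ip route vrf VRF_A 192.168.2.0 255.255.255.0 FastEthernet1/1 192.168.2.3 global
ip route vrf VRF_B 192.168.1.0 255.255.255.0 FastEthernet1/0 192.168.1.3 global
ip nat inside source static 192.168.100.10 10.1.14.10 vrf VRF_A
ip nat inside source static 192.168.100.10 10.1.14.10 vrf VRF_B
"""

def lint(cfg):
    ifs, routes, nats, cur, out, seen = {}, set(), [], {}, [], {}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifs[m[1]] = {"name": m[1], "vrf": None, "net": None, "nat": None}
        elif m := re.match(r"ip vrf forwarding (\S+)", line):
            cur["vrf"] = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip nat (inside|outside)$", line):
            cur["nat"] = m[1]
        elif m := re.match(r"ip route vrf (\S+) (\S+) (\S+) .*\bglobal$", line):
            routes.add((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}")))
        elif m := re.match(r"ip nat inside source static \S+ (\S+) vrf (\S+)", line):
            nats.append((m[1], m[2]))
    inside = [i for i in ifs.values() if i["vrf"] and i["net"]]       # VRF subinterfaces
    outside = [i for i in ifs.values() if not i["vrf"] and i["net"]]  # global-table interfaces
    out += [f"{o['name']}: missing 'ip nat outside'" for o in outside if o["nat"] != "outside"]
    out += [f"{i['name']}: missing 'ip nat inside'" for i in inside if i["nat"] != "inside"]
    out += [f"{i['vrf']}: no static route to {o['net']}"   # step 1: one route per outside subnet
            for i in inside for o in outside if (i["vrf"], o["net"]) not in routes]
    for glob, vrf in nats:  # step 4: inside local may repeat across VRFs, inside global may not
        if glob in seen:
            out.append(f"NAT {glob}: inside global reused by {seen[glob]} and {vrf}")
        seen.setdefault(glob, vrf)
    return out
```

Calling `lint(SAMPLE)` returns one finding per fault; the duplicated inside local address 192.168.100.10 is deliberately not reported, because the `vrf` keyword keeps the two hosts apart.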

I really appreciate it. Your explanation could be helpful to people who experience similar problems. It's still a problem. I entered the commands below referring to your explanation. Just so you know, the industrial PCs (PC 1~8) send data to the data collect server only. The ping test from the industrial PCs to the data collect server failed. Also, the ping test from the industrial PCs to the gateway address failed.

e.g. Industrial PC 1

PC1> ping 192.168.1.3  → failed

PC1> ping 192.168.100.1 → failed

Switch#conf t
Switch(config)# interface gi1/0
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# exit

 

R1#conf t
R1(config)# ip routing
R1(config)# ip vrf VRF_A
R1(config-vrf)# exit
R1(config)# ip vrf VRF_B
R1(config-vrf)# exit
R1(config)# ip vrf VRF_C
R1(config-vrf)# exit
R1(config)# ip vrf VRF_D
R1(config-vrf)# exit
R1(config)#ip nat inside source static 192.168.100.10 10.1.14.10 vrf VRF_A
R1(config)#ip nat inside source static 192.168.100.30 10.1.14.11 vrf VRF_A
R1(config)#ip nat inside source static 192.168.100.10 10.1.14.12 vrf VRF_B
R1(config)#ip nat inside source static 192.168.100.20 10.1.14.13 vrf VRF_B
R1(config)#ip nat inside source static 178.142.3.5 10.1.14.14 vrf VRF_C
R1(config)#ip nat inside source static 178.142.3.2 10.1.14.15 vrf VRF_C
R1(config)#ip nat inside source static 178.142.1.2 10.1.14.16 vrf VRF_D
R1(config)#ip nat inside source static 178.142.1.4 10.1.14.17 vrf VRF_D

R1(config)#interface fa0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip vrf forwarding VRF_A
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip vrf forwarding VRF_B
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip vrf forwarding VRF_C
R1(config-subif)#ip address 178.142.3.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.40
R1(config-subif)#encapsulation dot1q 40
R1(config-subif)#ip vrf forwarding VRF_D
R1(config-subif)#ip address 178.142.1.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit

R1(config)#interface fa1/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fa1/1
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#ip route vrf VRF_A 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_B 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_C 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_D 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global

Hello

You have two “wan” interfaces in the global route table, so you need static routes in each VRF route table to point towards both of them. At present you are missing the statics for the fa1/1 interface.
Also make sure each access switch has the correct VLANs created and each industrial host is assigned to the correct VLAN access port.

 

 



Kind Regards
Paul

As I mentioned above, creating VLANs on the existing switches (Switch 1~4) is impossible because the configuration for existing switches cannot be changed. So, it's a difficult problem to solve. In order to reflect your comment (At present you are missing the statics for fa1/1 interface), I've entered the commands below. However, it is still not working. The ping test failed. Could you tell me what the problem is or suggest a solution to solve the problem? Thanks.


Switch#conf t
Switch(config)# interface gi1/0
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# exit

 

R1#conf t
R1(config)# ip routing
R1(config)# ip vrf VRF_A
R1(config-vrf)# exit
R1(config)# ip vrf VRF_B
R1(config-vrf)# exit
R1(config)# ip vrf VRF_C
R1(config-vrf)# exit
R1(config)# ip vrf VRF_D
R1(config-vrf)# exit
R1(config)#ip nat inside source static 192.168.100.10 10.1.14.10 vrf VRF_A
R1(config)#ip nat inside source static 192.168.100.30 10.1.14.11 vrf VRF_A
R1(config)#ip nat inside source static 192.168.100.10 10.1.14.12 vrf VRF_B
R1(config)#ip nat inside source static 192.168.100.20 10.1.14.13 vrf VRF_B
R1(config)#ip nat inside source static 178.142.3.5 10.1.14.14 vrf VRF_C
R1(config)#ip nat inside source static 178.142.3.2 10.1.14.15 vrf VRF_C
R1(config)#ip nat inside source static 178.142.1.2 10.1.14.16 vrf VRF_D
R1(config)#ip nat inside source static 178.142.1.4 10.1.14.17 vrf VRF_D

 

R1(config)#interface fa0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip vrf forwarding VRF_A
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip vrf forwarding VRF_B
R1(config-subif)#ip address 192.168.100.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip vrf forwarding VRF_C
R1(config-subif)#ip address 178.142.3.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#interface fa0/0.40
R1(config-subif)#encapsulation dot1q 40
R1(config-subif)#ip vrf forwarding VRF_D
R1(config-subif)#ip address 178.142.1.1 255.255.255.0
R1(config-subif)#ip nat inside
R1(config-subif)#no shutdown
R1(config-subif)#exit

 

R1(config)#interface fa1/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fa1/1
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

 

R1(config)#ip route vrf VRF_A 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_B 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_C 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_D 192.168.1.0 255.255.255.0 FA1/0 192.168.1.3 global
R1(config)#ip route vrf VRF_A 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
R1(config)#ip route vrf VRF_B 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
R1(config)#ip route vrf VRF_C 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global
R1(config)#ip route vrf VRF_D 192.168.2.0 255.255.255.0 FA1/1 192.168.2.3 global

WangSteven02215

Independent networks must be connected to a new server without network configuration change of existing devices.

However, I had found a problem of IP address duplication, so I uploaded a post on the CISCO Community in order to solve the problem, but no one can solve it.

I'm looking for an expert to solve this problem. For more information, please refer to the URL below. Thanks.

https://community.cisco.com/t5/routing/solution-for-network-connection-with-same-ip-address-nat-vrf-etc/td-p/4962580

MHM

MHM

I don't understand why you mentioned commands that don't work. The Cisco community is a place where many people, including me, find a solution. It is important to understand more clearly what the problem is. To leave an opinion without awareness of the problem can cause misunderstanding. Your opinion may cause confusion. You should refer to the comments left by Paul driver.

That so

Hello


@WangSteven02215 wrote:
 Please note that VLAN setting on the existing switches (Switch 1~4) is impossible because the configuration for existing switches cannot be changed.


The above statement makes no sense. Your OP showed no routing device, which you would require for NAT to work, so either you have introduced a new rtr or you just omitted it from the OP. Either way, the rtr must be performing at the very least the VRF segmentation and then have NAT enabled for your requirement to succeed.

Now, if that rtr already existed then it would be performing the routing and VRF segmentation. As such, based on the topology you shared, I have already provided a working solution. Additionally, I have since tested it working in a POC lab exercise based on your OP, so it is proven to work accordingly.

Although this is based on the assumption that all switch<>switch interconnections are trunks allowing all VLANs, and the industrial PCs are in the correct VLAN for their respective L3 tagged subinterface residing on the rtr.



Kind Regards
Paul