
Question about VRF and NAT

Hi, everyone

 

I always appreciate your support.

 

Now, each independent system will be connected through a Catalyst 9300-48S-A, and Windows event logs and syslog will be transmitted to the cyber security operation center.

(In the figure below, the black line represents an independent system, and the devices in an independent system are connected through an L2 switch. Also, there are about 20 independent systems.)


When connecting the independent systems, there is a problem of duplicated IP addresses between several devices.

And there is a requirement to prevent communication between independent systems.


Thus, I think that using VRF (Virtual Routing and Forwarding) would be a solution to prevent communication between independent systems. Also, NAT (Network Address Translation) may be a solution to resolve the duplicated IP addresses.

(It's very likely that I'm wrong because I'm not a network expert.)

 

Here are my questions.

Question 1. If I use the Catalyst 9300 as in the picture below to use VRF and NAT, can the problem I mentioned be solved?

(If the problem is not resolved, please recommend a new solution. That would be very helpful.)

 

Question 2. Since there are 20 independent systems, it seems that 20 VRFs should be used. If I use 20 VRFs in the Catalyst 9300, are there any performance problems?

 

Network Diagram.JPG

 

VIP Expert

Hello,

 

looking at your topology diagram, and since you have only two switches, end-to-end VRFs for each customer look like the best option, and the simplest one to configure. I don't really see how NAT can help.

 

20 VRFs...hard to say what the impact is. You should be ok, since the real limit is the TCAM size, and you only have one or two routes per VRF anyway...


 

Georg

 

If you use end-to-end VRFs, what VRF is the syslog server going to be in?

 

Are you assuming it will have a trunk connection and be a member of all VRFs?

 

Or am I misunderstanding?

 

Jon

VIP Mentor

Hello

Can you confirm whether the cyberops server needs to initiate any traffic flow, or will it just be a response to an established connection from the client?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Thank you for your reply

 

The Server (installed in cyber security operation center) operates only for receiving logs.
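The VRF-per-system design with static NAT toward the shared log collector, as an added configuration example that is not part of any post in this thread. VRF names, VLAN numbers, all addresses and the SOC next hop are assumed placeholders, and the 9300 is assumed to run an IOS XE release that supports NAT.

```cisco
! Added example (not from this thread): two of the independent systems,
! each in its own VRF, with static NAT so their duplicated 192.168.1.10
! log senders appear as unique addresses toward the SOC collector.
! All names, VLANs and addresses are assumed placeholders.
!
vrf definition SYS01
 address-family ipv4
 exit-address-family
!
vrf definition SYS02
 address-family ipv4
 exit-address-family
!
! Per-system SVIs: the same subnet exists in both VRFs; the VRF keeps them apart.
interface Vlan101
 description System 01 (isolated)
 vrf forwarding SYS01
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan102
 description System 02 (isolated)
 vrf forwarding SYS02
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Shared side toward the SOC, left in the global routing table.
interface Vlan900
 description Uplink to SOC (collector in 10.210.0.0/24 behind 10.200.0.2)
 ip address 10.200.0.1 255.255.255.0
 ip nat outside
!
! One unique translated address per log-sending device, per VRF. Only hosts
! with a static entry are reachable from the SOC side; everything else in
! the VRF stays unreachable. The SOC router needs a return route for
! 10.201.0.0/16 pointing at 10.200.0.1.
ip nat inside source static 192.168.1.10 10.201.1.10 vrf SYS01
ip nat inside source static 192.168.1.10 10.201.2.10 vrf SYS02
!
! Each VRF gets a route to the collector subnet only, via the global table.
! No route exists between SYS01 and SYS02, so the systems cannot reach each other.
ip route vrf SYS01 10.210.0.0 255.255.255.0 10.200.0.2 global
ip route vrf SYS02 10.210.0.0 255.255.255.0 10.200.0.2 global
```

Verify with `show ip route vrf SYS01` (only the collector subnet and the local VLAN should appear) and `show ip nat translations` once a device in each system has sent a log.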


Hello
I've got to ask the question why you wish to have 20 areas running duplicate addressing. I assume this is not a production setup presently, but if it is, how is it being segregated now?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future