02-24-2021 09:02 AM
Hi everyone,
I always appreciate the technical support.
In order to transmit syslog and Windows event logs to the cyber security operation center, I plan to connect 20 independent systems to a Catalyst 9300.
Since the IP address of each independent system cannot be changed, they have the same IP address space.
To solve this problem, I would like to use VRF based on the URL below:
If I use VRF, is there any problem in transmitting logs? Also, if 20 VRFs are used in the Catalyst 9300, is there any performance problem?
I would like to change the duplicated IP addresses so they can be distinguished in the cyber security operation center.
Can I change the duplicated IP addresses through NAT in the Catalyst 9300?
If there is a problem with the solution I was thinking of, please let me know what solution would be suitable.
02-24-2021 09:09 AM - edited 02-24-2021 09:09 AM
You can use VRF to ship the logs; there is no performance issue here. (You need the Network Advantage license for the Cat 9300 to create VRFs.)
Can I change duplicated IP address through the NAT in the catalyst 9300?
Cat 9300 is a switch.
Maybe you can ship the logs with the host-name; you need a network-level log shipper which can translate the IP to a host-name, so your central SIEM gets a host-name.
As I remember, you posted the same question a few months back and we clarified the same, I guess.
02-24-2021 09:43 AM - edited 02-24-2021 09:45 AM
Are you saying that there is no problem in transmitting logs even if I don't use NAT?
I am asking the question again because your answer is unclear.
02-24-2021 09:55 AM
Are you saying that there is no problem in transmitting logs even if I don't use NAT?
When you send the logs without NAT, you get duplicate correlation. If you do NAT, how will you preserve the original IP address?
What I suggested was that each site makes a log shipper which can convert IP to hostname to differentiate where the logs come from.
Does this make sense?
02-24-2021 11:59 AM
Hi,
For this design, since you are using the same IP segments for multiple locations, you can use VRF-lite. Create one VRF per system on the 9300, and then use a sub-interface or VLAN for each VRF on the connection between the 9300 and the 9500. Once the traffic reaches the 9500 in each VRF, you would have to leak each VRF to the global routing table to reach the log server. Is this what you have in mind?
HTH
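As an added illustration of the VRF-lite design described in the reply above (example configuration written for this page, not taken from the original thread or from Cisco documentation): two of the twenty VRFs on the 9300, one VLAN per VRF on the trunk to the 9500, and a static leak on the 9500 toward a log collector that lives in the global routing table. All names, VLAN IDs and addresses (SITE01/SITE02, access VLANs 101/102, transit VLANs 1101/1102, the overlapping 192.168.1.0/24, the 10.255.x.x transit links, the collector 10.50.0.5 and its gateway 10.50.0.1) are assumptions; the ACL restricting each VRF to syslog toward the collector is an addition a practitioner would normally want, not something the thread asked for.

```text
! ---- Catalyst 9300: one VRF per independent system (pattern shown for two) ----
vrf definition SITE01
 rd 65000:1
 address-family ipv4
 exit-address-family
!
vrf definition SITE02
 rd 65000:2
 address-family ipv4
 exit-address-family
!
! Only traffic to the collector's syslog port is allowed out of each site VRF.
ip access-list extended SITE-TO-SOC
 permit udp 192.168.1.0 0.0.0.255 host 10.50.0.5 eq 514
 deny   ip any any log
!
! Access SVI toward each system. Both SVIs carry the same overlapping subnet,
! which is only possible because each sits in its own VRF.
interface Vlan101
 vrf forwarding SITE01
 ip address 192.168.1.254 255.255.255.0
 ip access-group SITE-TO-SOC in
!
interface Vlan102
 vrf forwarding SITE02
 ip address 192.168.1.254 255.255.255.0
 ip access-group SITE-TO-SOC in
!
! Transit SVIs toward the 9500, one VLAN per VRF on the uplink trunk
interface Vlan1101
 vrf forwarding SITE01
 ip address 10.255.1.1 255.255.255.252
!
interface Vlan1102
 vrf forwarding SITE02
 ip address 10.255.2.1 255.255.255.252
!
interface TenGigabitEthernet1/1/1
 description uplink to 9500
 switchport mode trunk
 switchport trunk allowed vlan 1101,1102
!
! Per-VRF default route toward the 9500
ip route vrf SITE01 0.0.0.0 0.0.0.0 10.255.1.2
ip route vrf SITE02 0.0.0.0 0.0.0.0 10.255.2.2
!
! ---- Catalyst 9500: terminate each VRF and leak toward the collector ----
vrf definition SITE01
 rd 65000:1
 address-family ipv4
 exit-address-family
!
interface TenGigabitEthernet1/0/1
 description downlink to 9300
 switchport mode trunk
 switchport trunk allowed vlan 1101,1102
!
interface Vlan1101
 vrf forwarding SITE01
 ip address 10.255.1.2 255.255.255.252
!
! The collector 10.50.0.5 is in the global table. The "global" keyword makes the
! next hop resolve there, so syslog from SITE01 leaves its VRF for that /32 only.
ip route vrf SITE01 10.50.0.5 255.255.255.255 10.50.0.1 global
!
! Verification (expect the /32 leak and the transit route in the VRF table)
! show ip route vrf SITE01
! show ip vrf interfaces
```

Only the VRF-to-global direction is leaked here, and only for the collector's /32, which keeps the twenty sites isolated from each other and from the rest of the global table. That is enough for one-way UDP syslog. Because every VRF carries the same 192.168.1.0/24, that prefix cannot be leaked back into the global table unambiguously, so the collector cannot reply (TCP or TLS syslog will not complete) and still sees the same source addresses from every site, which is the duplicate-correlation problem raised earlier in the thread; the per-site source has to be made distinct either by translation before the traffic reaches the global table or by a shipper that tags the logs with a host or site name.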
02-24-2021 04:28 PM
Duplicate post
https://community.cisco.com/t5/switching/question-about-vrf-and-nat/m-p/4296508#M501188