2

I will have a routed network with both public and private subnets routed with OSPF. There will be two core routers that both have a default route to the internet.

My question is how I make sure that no traffic with a private src-addr is routed outside my OSPF-area and also how I NAT this traffic. My idea right now is to have a specific NAT-router set up in the network and then do policy based routing on the core routers.

EDIT: We are using L3 switches of different brands. The aggregation layer is mostly HP5400 and the core layer will be Dell S6000-ON. In the diagram you can see a simplified picture of our network. Right now we plan to have a dedicated NAT router (probably a Linux machine) which lives on both private and public addresses to which we direct traffic from the core switches with PBR.

[Network Diagram]

Peter
  • 406
  • 3
  • 16
  • 1
    Am I missing something? Seems like VRF is the solution here. – generalnetworkerror Jul 04 '15 at 08:45
  • generalnetworkerror, I have never worked with VRF, please tell me more. – Peter Jul 04 '15 at 08:49
  • Did not really quite get the questions but just a lil reminder that in OSPF, we should aim to make the addresses contiguous so as to maintain the hierarchy when summarizing the prefixes. With this, I think it would be a problem if private and public addresses would reside on a single OSPF area. – Joseph Otico Jul 04 '15 at 15:21
  • Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. – Ron Maupin Aug 07 '17 at 19:48
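To make the routing decision asked about above concrete, here is an added Python model (not part of the question or of any answer) of what a PBR rule on the core switch would decide per packet: a private source bound for a destination outside the OSPF area is steered to the NAT router's next hop, everything else follows normal OSPF routing, and a guard on the upstream-facing side drops any private source that nevertheless reaches the default route. All prefixes and next-hop addresses are constructed assumptions.

```python
"""Policy-based routing decision on a core router, as the question describes:
private-source traffic bound outside the OSPF area is steered to a dedicated
NAT router instead of the default route. Added example; every prefix and
next-hop address here is a constructed assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 space: a packet with one of these as source must never leave untranslated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefixes carried inside the OSPF area (assumed: two private, one public).
AREA_PREFIXES = [ipaddress.ip_network(n)
                 for n in ("10.10.0.0/16", "192.168.50.0/24", "203.0.113.0/24")]

NAT_ROUTER_NEXT_HOP = "10.10.255.1"  # assumed inside address of the NAT box
DEFAULT_NEXT_HOP = "203.0.113.1"     # assumed upstream (default route) next hop


@dataclass(frozen=True)
class Decision:
    action: str               # "forward" (normal OSPF routing) or "pbr-to-nat"
    next_hop: Optional[str]   # None means "whatever the OSPF table says"
    reason: str


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def is_inside_area(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in AREA_PREFIXES)


def route(src: str, dst: str) -> Decision:
    """The PBR rule: match on the combination of private source and external
    destination; only that combination overrides the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_inside_area(d):
        return Decision("forward", None, "destination inside the area")
    if is_private(s):
        return Decision("pbr-to-nat", NAT_ROUTER_NEXT_HOP,
                        "private source, destination outside the area")
    return Decision("forward", DEFAULT_NEXT_HOP, "public source, destination outside")


def egress_guard(src: str, next_hop: Optional[str]) -> bool:
    """Safety net on the upstream-facing interface: True if the packet may leave.
    A private source that still reached the default next hop (PBR missed it,
    or the NAT box is down) is dropped rather than leaked."""
    return not (next_hop == DEFAULT_NEXT_HOP and is_private(ipaddress.ip_address(src)))


if __name__ == "__main__":
    for src, dst in (("10.10.1.5", "198.51.100.7"),
                     ("10.10.1.5", "192.168.50.9"),
                     ("203.0.113.40", "198.51.100.7")):
        d = route(src, dst)
        print(f"{src} -> {dst}: {d.action} via {d.next_hop} ({d.reason}); "
              f"egress allowed={egress_guard(src, d.next_hop)}")
```

The guard is worth having even when PBR works: a failed NAT box or a missing policy on one core switch otherwise turns straight into private addresses leaking to the upstream.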

2 Answers

1

Core Switch is ON -> Open network, I would guess they run the Cumulus operating system.

Just do the NAT on the L3 core switches.

Match private IPs leaving for the upstream router and NAT them as required.

Pieter
  • 1,417
  • 10
  • 14
0

My idea right now is to have a specific NAT-router set up in the network and then do policy based routing on the core routers.

As long as you can set up a rule based on the combination of source (private) and destination (outside your network) that overrides normal routing and sends packets to the NAT box this should work fine as a means of bringing outgoing traffic to the NAT box. Incoming traffic can be brought to the NAT box by normal IP routing.

Having only a single NAT box is a calculated risk. It makes the NAT box a single point of failure but it also means that re-routes won't break established sessions.

Peter Green
  • 12,935
  • 2
  • 20
  • 46
  • A NAT is a single point of failure, anyway. Return traffic which passed through a NAT device _must_ come back through that same NAT device in order to be translated. If the traffic comes back through a different NAT device, that device will not have the NAT table entries in order to translate the addresses. – Ron Maupin Sep 02 '16 at 15:48
  • 1
    There is a distinction between failure of existing TCP/UDP sessions and failure of both existing and new sessions. A setup with multiple NAT boxes increases the chance of the former while reducing the chance of the latter. – Peter Green Sep 02 '16 at 15:57
  • But asymmetric return traffic doesn't work correctly with multiple NAT devices, and it may be impossible to control. – Ron Maupin Sep 02 '16 at 16:06
  • 1
    As long as each NAT has its own public IP (or pool of public IPs) normal IP routing should bring return traffic back to the correct NAT. – Peter Green Sep 02 '16 at 16:11
  • One may think that, but we fought the asymmetric routing problem for a long time before we gave up. We had no control over how the carrier MPLS cloud brings traffic back to a site with two routers and connections to different POPs. Traffic for one NAT router coming into the other NAT router would get dropped because the other NAT router didn't have the correct NAT table. – Ron Maupin Sep 02 '16 at 16:16
  • @ronmaupin: I'm curious to understand what your problem really was. Router A translates packet's source using public IP address a.a.a.a. Return packet with ip.dst=a.a.a.a arrives on router B which routes it to A where it is untranslated. What am I missing? – hertitu Sep 03 '16 at 22:25
  • @hertitu, Router B has the `ip nat outside` command on the WAN interface, and it tries to translate incoming, it fails, and the traffic gets sent to Router A on an inside interface, so the traffic never tries to translate. We had Cisco experts with multiple CCIEs, and some of our own working on the problem. – Ron Maupin Sep 03 '16 at 22:30
  • Interesting, I don't believe that would be an issue with Linux NAT because it doesn't have a concept of "outside" and "inside" interfaces. – Peter Green Sep 04 '16 at 09:36
  • I don't claim to be a Cisco expert but I think there must be a way to solve that - e.g. routing the packets to a loopback interface with "nat outside". @RonMaupin: maybe you should post a question :) – hertitu Sep 05 '16 at 07:50
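The answer and the comment thread above turn on where NAT state lives. The following added Python model (not from the answer or from any commenter) keeps a per-box translation table the way a stateful NAT device does and shows both points made: a reply that normal IP routing delivers to the NAT box owning the public address is translated back to the private client, while the same reply arriving at the other box finds no table entry and is dropped. Addresses and ports are constructed; the two boxes are assumed to each hold their own public IP, as the answer's author describes.

```python
"""Stateful source NAT with two NAT boxes: return traffic only translates on
the box that created the mapping. Added example; all addresses and ports
are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    name: str
    public_ip: str            # this box's own public address (one per box)
    next_port: int = 40000    # next free public port for new mappings
    # (public_ip, public_port, remote_ip, remote_port) -> (private_ip, private_port)
    table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a private-source packet and record the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a return packet; None means no state here, so dropped."""
        entry = self.table.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


def reply_to(pkt: Packet) -> Packet:
    """The external server's reply: address/port pairs swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def route_return_by_public_ip(pkt: Packet, boxes: List[NatBox]) -> NatBox:
    """Normal IP routing: the reply goes to whichever box owns its destination IP."""
    for box in boxes:
        if box.public_ip == pkt.dst:
            return box
    raise LookupError(f"no NAT box owns {pkt.dst}")


def simulate(return_via_wrong_box: bool) -> Optional[Packet]:
    """One session out through nat-a. Returns the packet the private client
    receives, or None if the reply was dropped at the NAT it landed on."""
    nat_a = NatBox("nat-a", "203.0.113.10")
    nat_b = NatBox("nat-b", "203.0.113.20")
    client = Packet("10.10.1.5", 51515, "198.51.100.7", 443)
    translated = nat_a.outbound(client)
    reply = reply_to(translated)
    if return_via_wrong_box:
        # Asymmetric path: the carrier hands the reply to the other box.
        box = nat_b
    else:
        box = route_return_by_public_ip(reply, [nat_a, nat_b])
    return box.inbound(reply)


if __name__ == "__main__":
    print("symmetric return :", simulate(False))
    print("asymmetric return:", simulate(True))
```

With distinct public IPs per box, destination-based routing alone brings the reply to the right table; the failure case in the model only arises when something upstream delivers the reply to a box that never saw the outbound packet.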