
I will have a routed network with both public and private subnets routed with OSPF. There will be two core routers that both have a default route to the internet.

My question is how I make sure that no traffic with a private src-addr is routed outside my OSPF area, and also how I NAT this traffic. My idea right now is to have a specific NAT router set up in the network and then do policy-based routing on the core routers.

EDIT: We are using L3 switches of different brands. The aggregation layer is mostly HP5400 and the core layer will be Dell S6000-ON. In the diagram you can see a simplified picture of our network. Right now we plan to have a dedicated NAT router (probably a Linux machine) which lives on both private and public addresses, to which we direct traffic from the core switches with PBR.

[Image: Network Diagram]

Peter

2 Answers


Core switch is ON -> Open network; I would guess they run the Cumulus operating system.

Just do the NAT on the L3 core switches.

Match private IPs leaving for the upstream router and NAT them as required.

Pieter

My idea right now is to have a specific NAT-router set up in the network and then do policy based routing on the core routers.

As long as you can set up a rule based on the combination of source (private) and destination (outside your network) that overrides normal routing and sends packets to the NAT box, this should work fine as a means of bringing outgoing traffic to the NAT box. Incoming traffic can be brought to the NAT box by normal IP routing.

Having only a single NAT box is a calculated risk. It makes the NAT box a single point of failure but it also means that re-routes won't break established sessions.

Peter Green
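The rule Peter Green describes (private source plus outside destination overrides normal routing toward the NAT box), together with the egress guard the question asks for, written out as a small Python model of the core-switch decision so the policy can be checked against sample packets before it is configured on the switches. This is an added example, not code from the question or either answer; the prefixes, the NAT box address and the upstream next hop are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Prefixes that belong to this OSPF area (constructed placeholders):
# one private block and one public block (203.0.113.0/24 is a documentation prefix).
OUR_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# RFC 1918 space: any packet with a source here must never reach the internet un-NATed.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Next hops (constructed): the NAT box sits on a private address inside the area,
# the upstream router is the core switches' default route.
NAT_BOX = "10.255.0.2"
UPSTREAM = "203.0.113.1"


def in_any(addr, networks):
    return any(addr in net for net in networks)


def core_next_hop(src, dst):
    """PBR decision on a core switch for one packet.

    Destinations inside the area follow ordinary OSPF routing. A private
    source bound for anything outside the area is steered to the NAT box
    instead of the default route. Public sources (including traffic the NAT
    box has already translated) take the default route to the upstream router.
    """
    src, dst = ip_address(src), ip_address(dst)
    if in_any(dst, OUR_PREFIXES):
        return "ospf"
    if in_any(src, RFC1918):
        return NAT_BOX
    return UPSTREAM


def upstream_egress_allowed(src):
    """Guard on the upstream-facing interface: drop anything that still carries
    a private source address, which can only be a PBR gap or a NAT-box failure."""
    return not in_any(ip_address(src), RFC1918)


if __name__ == "__main__":
    # Constructed sample flows; both columns show which path the policy picks.
    for src, dst in [("10.1.2.3", "8.8.8.8"), ("10.1.2.3", "10.9.9.9"),
                     ("203.0.113.10", "8.8.8.8"), ("10.1.2.3", "192.168.7.7")]:
        print(f"{src:>14} -> {dst:<14} next hop: {core_next_hop(src, dst)}")
    for src in ("203.0.113.10", "172.20.1.1"):
        print(f"egress {src:<14} allowed: {upstream_egress_allowed(src)}")
```

Note that a private destination that is not in the area (the 192.168.7.7 case) is also sent to the NAT box, which is what the "destination outside your network" wording implies; if that traffic should be dropped rather than translated, it needs an explicit deny ahead of the PBR rule.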