I have read the Network Virtualization Services Edge Design Guide (single tier routed FWSM implementation) but still can't figure out how I am going to solve the problem of overlapping customer IP addresses without using NAT (which I am currently using).
So here is the problem:
My customers' IP spaces may overlap (as I don't have any control over them). From the shared servers I need to be able to manage customer kit using customer IP addresses.
So to cover both traffic flows (inbound and outbound) here is an example with customer_A and customer_B VRFs:
A. (inbound) SSH to a box in customer_A:10.1.1.1 or customer_B:10.1.1.1 from my shared server with a unique public IP:22.214.171.124
B. (outbound) customer_A:10.1.1.2 box authenticates on my shared services TACACS box on public 126.96.36.199 - Likewise customer_B:10.1.1.2 authenticates using 188.8.131.52 too.
The PE router directly attached to the shared servers can happily differentiate between customer_A and customer_B VRF routing tables and deal with the IP overlap I am describing, however I can't see how the shared servers (in OS and application level ) can deal with that IP overlap.
Right now, we are using NAT to overome the IP overlap problem, so customer_A:10.1.1.1 gets NAT'd to a unique management IP of: 10.255.255.1 and customer_B:10.1.1.2 gets NAT'd to a different (unique) management IP of 10.255.255.255.2. That works, however, due to the amount of NATs required, this solution (using NAT) doesn't scale very well for us. Hence my investigation in network virtualization. To be honest, as much as I want to get rid of NAT, I can't see how this scenario can work without it. Any assistance/thought is greatly appreciated, in case I am missing something obvious.