Network Virtualization-Services Edge Design Question

Unanswered Question
Mar 16th, 2010
User Badges:

Hello,


I have read the Network Virtualization Services Edge Design Guide (single tier routed FWSM implementation) but still can't figure out how I am going to solve the problem of overlapping customer IP addresses without using NAT (which I am currently using).


So here is the problem:


My customers' IP spaces may overlap (as I don't have any control over them). From the shared servers I need to be able to manage customer kit using customer IP addresses.


So to cover both traffic flows (inbound and outbound) here is an example with customer_A and customer_B VRFs:


A. (inbound) SSH to a box in customer_A:10.1.1.1 or customer_B:10.1.1.1 from my shared server with a unique public IP:1.1.1.1

B. (outbound) customer_A:10.1.1.2 box authenticates on my shared services TACACS box on public 1.1.1.2 - Likewise customer_B:10.1.1.2 authenticates using 1.1.1.2 too.


The PE router directly attached to the shared servers can happily differentiate between customer_A and customer_B VRF routing tables and deal with the IP overlap I am describing, however I can't see how the shared servers (in OS and application level ) can deal with that IP overlap.


Right now, we are using NAT to overome the IP overlap problem, so customer_A:10.1.1.1 gets NAT'd to a unique management IP of: 10.255.255.1 and customer_B:10.1.1.2 gets NAT'd to a different (unique) management IP of 10.255.255.255.2. That works, however, due to the amount of NATs required, this solution (using NAT) doesn't scale very well for us. Hence my investigation in network virtualization. To be honest, as much as I want to get rid of NAT, I can't see how this scenario can work without it. Any assistance/thought is greatly appreciated, in case I am missing something obvious.


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 03/16/2010 - 07:34
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Apostolos


The PE router directly attached to the shared servers can happily differentiate between customer_A and customer_B VRF routing tables and deal with the IP overlap I am describing, however I can't see how the shared servers (in OS and application level ) can deal with that IP overlap.


Correct in what you say. VRFs allow for use of overlapping IPs but if you have a server that needs to talk to multiple VRFs using the same overlapping IP then you need a way to distinguish them from each other. So NAT is the way to do it unless your server can understand VRF labels etc. and i'm not aware of any OSs/servers that can do this.


Jon

Actions

This Discussion