I want to reach multiple VPNs that contain overlapping IPv4 addresses from a single device.
Is this possible? What type of device might be needed? (ideal current candidates include a 650x switch (with Supervisor Engine 720), or a FWSM with a recent ASA version in a 650x switch)
This seems like a nice candidate for stateless NAT64 (probably combined with VRFs), but I can't find documentation for specifying multiple prefixes. (The "nat64 prefix stateless" command seems to only allow a single prefix.) (Or is it possible to apply it within a VRF?)
So summary (based on diagram):
Translation device has 3 subinterfaces, one for each VPN (with unique IPs for now)
A unique /96 prefix is assigned to each VPN, so an IPv6 device that wants to address the IPv4 device with IP 10.101.22.12 within VPN1 addresses 2001:DB8:1::10.101.22.12. The device should then do NAT64 to map it to a source IP within the VPN range (something like 198.51.100.5 for the example). (Multiple IPv6 servers should be supported.)
Is this possible with Cisco equipment? Can it be done with NAT64 (or which other mechanism if not)? What type of equipment would be necessary for the NAT and how would the configuration look? (Translation device is R1 in the diagram)
This seems like a nice, clean, efficient way to deal with providing common services to multiple VPNs that have overlapping IPs, but the configuration still seems like it might be difficult, if at all possible currently...
Another note: I don't care about DNS64 currently, so that is optional.
... I gave it a go on a CSR1000V - both stateless and not-so-stateful approaches turned out to be working, but only traffic coming from one single "external IPv4 domain" was being mapped into one single IPv6 prefix.
That's one problem: you can only define a single NAT64 prefix into which the IPv4 domain gets NATted.
There's a second problem:
In the return packet/outbound packet, after NAT64 extracts the (overlapping) v4-destination-address-to-be from the IPv6 address, there will be ambiguity about which route is the correct one - into VPN1, VPN2, VPN3, all of which have overlapping IPv4 address space?
I don't think that policy routing would help here, as PBR is done upon ingress and fixes the outbound interface. IPv6 PBR would then still have to pass along the packet to the NAT64 engine while giving a hint about the intended choice of egress interface. I'm not quite sure, but that seems a loooong shot to me.
In short: I think NAT64 currently can only be used once per routing instance. So either...
it's one IOS XE router per customer/overlapping IPv4 domain (CSR1000V might come in handy, here)
we get an IOS XE release that has VRF aware NAT64 capabilities (and while we're at that - some DNS Fixup Engine right along would be really cool!)
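To make the two problems in the answer above concrete, here is an added Python example (not from the thread or from Cisco) that models the stateless /96 mapping: the IPv6 destination prefix identifies the VPN unambiguously, but the extracted IPv4 address alone does not, because the VPN address ranges overlap. The prefixes and IPv4 ranges are constructed for the example.

```python
import ipaddress

# Constructed example data: one unique /96 NAT64 prefix per VPN (as the
# question proposes) and three VPNs that all use the same IPv4 range.
VPN_PREFIXES = {
    "VPN1": ipaddress.IPv6Network("2001:db8:1::/96"),
    "VPN2": ipaddress.IPv6Network("2001:db8:2::/96"),
    "VPN3": ipaddress.IPv6Network("2001:db8:3::/96"),
}
VPN_IPV4_RANGES = {
    "VPN1": ipaddress.IPv4Network("10.101.0.0/16"),
    "VPN2": ipaddress.IPv4Network("10.101.0.0/16"),
    "VPN3": ipaddress.IPv4Network("10.101.0.0/16"),
}


def embed(vpn, ipv4):
    """IPv6 address an IPv6 host uses to reach `ipv4` inside `vpn`:
    the VPN's /96 prefix with the IPv4 address in the low 32 bits."""
    prefix = VPN_PREFIXES[vpn]
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6):
    """IPv6 -> IPv4 direction: the /96 prefix tells the translator which
    VPN (egress VRF) is meant, and the low 32 bits are the IPv4 destination.
    This is the 'hint' a VRF aware NAT64 would need to keep after translation."""
    addr = ipaddress.IPv6Address(ipv6)
    for vpn, prefix in VPN_PREFIXES.items():
        if addr in prefix:
            return vpn, ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    raise ValueError(f"{ipv6} is not inside any configured NAT64 prefix")


def vpns_for_ipv4(ipv4):
    """What a single IPv4 routing table sees after extraction: with
    overlapping ranges, more than one VPN matches, so the route is ambiguous."""
    v4 = ipaddress.IPv4Address(ipv4)
    return sorted(v for v, net in VPN_IPV4_RANGES.items() if v4 in net)
```

Running `extract("2001:db8:2::10.101.22.12")` yields VPN2 plus 10.101.22.12, while `vpns_for_ipv4("10.101.22.12")` returns all three VPNs, which is exactly why the egress choice must be made from the IPv6 prefix before the IPv4 address is looked up.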