
VRF-Lite Two Customers Same Subnet

Bryan Lemeer

Hello,

We want to deploy an NMS (Network Monitoring System), in this case SolarWinds, to monitor devices we have deployed at the customer site. We will make an IP VPN connection (ASA5510 with Cisco 800s) to the customer site. We have one primary NMS installation running in our datacenter. This NMS has to have a connection to all customer sites. We run into a problem when two customers use the same subnet. We want to use VRF-Lite to solve this problem but I am stuck in my design.

I have attached "VRF.jpg" to show the (basic) design I have made. The connection from customer to the router in the datacenter is not a problem. We can put the fa0.1 and vpn interface in the same VRF group. Via one physical cable we will go from router to NMS in which the NMS has multiple virtual interfaces. The datacenter router will route between the 192.168.x.x (NMS) and 10.1.1.x (Customer).

What I can't seem to comprehend is how the NMS can decide how to get to Customer 1 or Customer 2. The customer can reach the NMS one-way but the NMS has no way to reply back because if it replies to 10.1.1.1 it can either use interface fa0.1 or interface fa0.2.

Any thoughts?

-Bryan

Accepted Solutions

Hi Bryan,

I have faced the same problem in the past.

We overcome this issue by assigning to the customer different loopback management IPs for each CE. You only have to check that these IPs do not conflict with the existing management IPs of other customers and are reachable by the NMS.

If the customer cannot configure a new management loopback IP, you have to use static NAT entries to the management IP to an interface of your router.

Static NAT is required in order to use a subnet that does not conflict with existing IPs and to have a dedicated IP per managed CE.

Hope that helps,

Vasilis
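
The conflict check described in this answer, as an added example that is not part of the original thread: it validates a static NAT plan so that every managed CE gets one dedicated NMS-facing address that does not collide with any customer's addressing. The VRF names, the 192.168.100.0/24 management range and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample plan: both customers use 10.1.1.0/24, as in the thread.
CUSTOMER_SUBNETS = {
    "CUST1": ["10.1.1.0/24"],
    "CUST2": ["10.1.1.0/24"],
}
# Hypothetical NMS-facing range the translated addresses must come from.
NMS_MGMT_RANGE = "192.168.100.0/24"
# (vrf, real CE management IP, translated IP seen by the NMS)
NAT_PLAN = [
    ("CUST1", "10.1.1.1", "192.168.100.11"),
    ("CUST2", "10.1.1.1", "192.168.100.21"),
    ("CUST2", "10.1.1.2", "192.168.100.11"),  # deliberate duplicate translation
    ("CUST1", "10.1.1.3", "10.1.1.50"),       # deliberate: inside customer space
]

def check_plan(plan, customer_subnets, mgmt_range):
    """Return a list of problems that would make NMS replies ambiguous."""
    problems = []
    mgmt_net = ipaddress.ip_network(mgmt_range)
    nets = [(vrf, ipaddress.ip_network(n))
            for vrf, subnets in customer_subnets.items() for n in subnets]
    seen_translated = {}  # translated IP -> "vrf/real" that owns it
    seen_real = set()     # (vrf, real IP) pairs already mapped
    for vrf, real, translated in plan:
        real_ip = ipaddress.ip_address(real)
        nat_ip = ipaddress.ip_address(translated)
        # A real address may repeat across VRFs, but not inside one VRF.
        if (vrf, real_ip) in seen_real:
            problems.append(f"{vrf}: real IP {real_ip} mapped twice")
        seen_real.add((vrf, real_ip))
        # One dedicated translated address per managed CE.
        if nat_ip in seen_translated:
            problems.append(
                f"{nat_ip} used by {seen_translated[nat_ip]} and {vrf}/{real_ip}")
        else:
            seen_translated[nat_ip] = f"{vrf}/{real_ip}"
        # The translated address must sit in the range the NMS routes to.
        if nat_ip not in mgmt_net:
            problems.append(f"{nat_ip} is outside NMS range {mgmt_net}")
        # It must not collide with any customer's own addressing.
        for owner, net in nets:
            if nat_ip in net:
                problems.append(f"{nat_ip} overlaps {owner} subnet {net}")
    return problems

if __name__ == "__main__":
    for problem in check_plan(NAT_PLAN, CUSTOMER_SUBNETS, NMS_MGMT_RANGE):
        print("CONFLICT:", problem)
```
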


Hi Bryan,

You will need some unique IP addresses in order for this to work. You can configure some loopbacks on the client equipment, and export into the management VRF only those IPs.

I do believe that this is the best solution.

Another one will be NAT.

Regards

Dan

Hello,

Thanks for the replies. I believe static NAT will be the only way to configure this.

Cheers,

Bryan
