VRFs With Overlapping IP Networks (S-Series)

A shared-access-VRF is a VRF that provides access to the outside Internet for one or more VRFs in the system that have no direct Internet access of their own. When multiple VRFs contain overlapping IP networks, a packet that ingresses the shared-access-VRF carries nothing that identifies which of the overlapping VRFs it is intended for.

In NAT-Inside-VRF Configuration for Overlapping IP Networks, Packet A ingresses the VRF-segmented router on VRF Alpha-Group using VLAN 10. Even though the overlapping 192.168.10.10/24 IP network exists on both VRF Alpha-Group and VRF Beta-Group, the VLAN on which Packet A ingresses determines the VRF that routes the packet.

Packet B ingresses the system on the shared-access-VRF Internet-Access. Packet B ultimately needs to be routed to 192.168.10.15 on VRF Alpha-Group, which is a member of subnet 192.168.10.10/24 on VLAN 10. Subnet 192.168.10.10/24 on VRF Alpha-Group VLAN 10 overlaps with subnet 192.168.10.10/24 on VRF Beta-Group VLAN 100.

Given the configuration in NAT-Inside-VRF Configuration for Overlapping IP Networks, there is a conflict between VRFs Alpha-Group and Beta-Group for any packet sourced outside of the system that needs to be routed to the correct VRF through the shared-access-VRF Internet-Access.

There would be no problem if VRF Alpha-Group or Beta-Group were:

Because VRF Internet-Access is used as the shared access resource out of the router for both VRF Alpha-Group and VRF Beta-Group, a means of masking the conflicting networks is required. These conflicting networks can be masked using the NAT-inside-VRF feature. NAT-inside-VRF lets the outside NAT configuration know which VRF the inside NAT configuration belongs to. NAT-inside-VRF can be configured for both static and dynamic inside NAT.
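The following Python model, added here as an illustration and not taken from the S-Series documentation or software, shows why Packet A routes cleanly while Packet B is ambiguous, and how a per-VRF NAT entry resolves it. The outside addresses (203.0.113.x, RFC 5737 range), VLAN 20 on Alpha-Group, and the table layout are constructed assumptions; the page's 192.168.10.10/24 subnet is represented by its network address 192.168.10.0/24.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vrf:
    name: str
    vlans: dict = field(default_factory=dict)  # VLAN id -> connected subnet

    def connected_subnet(self, dst):
        return next((n for n in self.vlans.values() if dst in n), None)


# Topology from the page: the 192.168.10.x/24 subnet exists on Alpha-Group VLAN 10
# and on Beta-Group VLAN 100. VLAN 20 on Alpha-Group is a constructed, non-overlapping extra.
VRFS = {
    "Alpha-Group": Vrf("Alpha-Group", {10: ip_network("192.168.10.0/24"),
                                       20: ip_network("192.168.20.0/24")}),
    "Beta-Group": Vrf("Beta-Group", {100: ip_network("192.168.10.0/24")}),
}
VLAN_TO_VRF = {10: "Alpha-Group", 20: "Alpha-Group", 100: "Beta-Group"}

# Static NAT-inside-VRF entries: outside address -> (inside VRF, inside address).
# Outside addresses are constructed from the RFC 5737 documentation range.
NAT_INSIDE_VRF = {
    ip_address("203.0.113.15"): ("Alpha-Group", ip_address("192.168.10.15")),
    ip_address("203.0.113.115"): ("Beta-Group", ip_address("192.168.10.15")),
}


def route_inside_packet(vlan, dst):
    """Packet A: the ingress VLAN alone selects the VRF, so the overlap is harmless."""
    vrf = VRFS[VLAN_TO_VRF[vlan]]
    net = vrf.connected_subnet(ip_address(dst))
    return vrf.name, (str(net) if net else None)


def candidate_vrfs(dst):
    """Every VRF whose connected subnets contain dst (more than one means a conflict)."""
    d = ip_address(dst)
    return [v.name for v in VRFS.values() if v.connected_subnet(d)]


def route_outside_packet(dst):
    """Packet B: arrives on shared-access VRF Internet-Access with no VLAN to disambiguate."""
    d = ip_address(dst)
    if d in NAT_INSIDE_VRF:  # the NAT entry names the inside VRF the translation belongs to
        vrf, inside = NAT_INSIDE_VRF[d]
        return {"vrf": vrf, "inside": str(inside), "via": "nat-inside-vrf"}
    matches = candidate_vrfs(dst)
    if len(matches) == 1:
        return {"vrf": matches[0], "inside": dst, "via": "route"}
    return {"vrf": None, "inside": None, "via": "ambiguous" if matches else "no-route"}
```

Without a NAT-inside-VRF entry, a packet from Internet-Access for 192.168.10.15 matches both Alpha-Group and Beta-Group and cannot be delivered; with the entry, the outside address resolves to exactly one inside VRF and host.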

Figure: NAT-Inside-VRF Configuration for Overlapping IP Networks (Graphics/VRF_Overlapping_IP_Networks.png)