VMware Networking Community
Alan_Sugano
Contributor

Use NSX Edge Services Gateway Site to Site VPN with duplicate remote subnets

We're running vCloud Director and each client resides in their own Virtual Data Center. Currently we use our Firewall and VLANs on our physical switch to segregate traffic. We are considering moving to NSX. If we use an NSX Services Gateway to establish Site to Site VPNs to our vCloud Director clients, what's the best way to handle clients that have conflicting subnets? For example, if Client A and Client B both have remote subnets of 192.168.1.0/24 and we want to create Site to Site VPNs for both clients, can both clients be set up on the same NSX Services Gateway, or do we have to create a separate NSX Services Gateway every time we have a conflicting subnet?

3 Replies
Sreec
VMware Employee

So currently you are running VCD with vCNS? AFAIK overlapping subnets are not supported in Site-Site VPN. You need to leverage the L2 VPN solution for that.

Edge gateways in a vCloud Director environment support L2 VPN, which allows extension of your organization virtual datacenter by allowing virtual machines to retain network connectivity while retaining the same IP address across geographical boundaries. If the edge gateway for your organization virtual datacenter has been converted to an advanced edge gateway, you can use the tenant portal's L2 screen to configure the L2 VPN service on that edge gateway.

To create the L2 VPN tunnel, you configure an L2 VPN server and L2 VPN client. As described in the NSX Administration Guide, the L2 VPN server is the destination edge gateway and the L2 VPN client is the source edge gateway. After configuring the L2 VPN settings on each edge gateway, you must then enable the L2 VPN service on both the server and the client.

Please refer to the VMware Documentation Library.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Alan_Sugano
Contributor

We are a Private Cloud Provider and the connectivity is from our clients' Cloud Servers to their local office(s). We currently use "External Networks" in vCloud Director to perform our segmentation and not NSX. Creating a Layer 2 VPN tunnel isn't an option because our clients don't have any NSX infrastructure at their locations and it would require a subnet change at their local office. L2 VPN will work great when we stand up a secondary Data Center with vCloud Director in a different physical location, but not for this situation. When we do have overlapping subnets, we've used NAT in the VPN tunnel to get around the duplicate subnet issue, but this can cause problems when a client has a Domain Controller at their office and other Domain Controllers that run in their VDC.

So multiple Edge Gateway Servers won't work?

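As an added illustration of the overlapping-subnet problem discussed in this thread (this is not code from the thread, from VMware or from NSX): a small Python planner that, given each tenant's remote office subnets, reports which subnets would collide if terminated on one shared edge and assigns each colliding subnet a unique translated prefix of the same length, the way a NAT-in-the-tunnel workaround does. The tenant inventory and the 100.64.0.0/10 translation pool are constructed sample values, and the function names are this example's own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical, not from the thread): the remote
# office subnets each tenant wants reachable through a shared NSX Edge.
TENANT_REMOTE_SUBNETS: Dict[str, List[str]] = {
    "ClientA": ["192.168.1.0/24"],
    "ClientB": ["192.168.1.0/24", "10.20.0.0/16"],
    "ClientC": ["172.16.5.0/24"],
    "ClientD": ["10.20.7.0/24"],  # sits inside ClientB's /16, so it collides too
}


def parse_inventory(inv: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse subnet strings; strict=True rejects prefixes with host bits set."""
    return {t: [ipaddress.ip_network(s, strict=True) for s in subs] for t, subs in inv.items()}


def find_overlaps(inv: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (tenant_x, subnet_x, tenant_y, subnet_y) for every pair of remote
    subnets belonging to *different* tenants that overlap. Overlaps within one
    tenant are that tenant's own routing problem and are not reported."""
    flat = [(t, n) for t, subs in parse_inventory(inv).items() for n in subs]
    conflicts = []
    for i, (ta, na) in enumerate(flat):
        for tb, nb in flat[i + 1:]:
            if ta != tb and na.overlaps(nb):
                conflicts.append((ta, str(na), tb, str(nb)))
    return conflicts


def plan_nat(inv: Dict[str, List[str]], pool: str = "100.64.0.0/10") -> Dict[Tuple[str, str], str]:
    """For every remote subnet involved in a cross-tenant conflict, allocate a
    unique translated prefix of the same length from `pool` (constructed
    default: shared-address space, used here only as a sample pool).
    Returns {(tenant, original_subnet): translated_subnet}."""
    pool_net = ipaddress.ip_network(pool)
    conflicting = set()
    for ta, na, tb, nb in find_overlaps(inv):
        conflicting.add((ta, na))
        conflicting.add((tb, nb))

    allocated: List[ipaddress.IPv4Network] = []
    plan: Dict[Tuple[str, str], str] = {}
    # Deterministic order so repeated runs produce the same plan.
    for tenant, orig in sorted(conflicting):
        orig_net = ipaddress.ip_network(orig)
        for cand in pool_net.subnets(new_prefix=orig_net.prefixlen):
            # Candidates of different lengths come from the same pool, so check
            # against everything already handed out, not just equal-size blocks.
            if not any(cand.overlaps(a) for a in allocated):
                allocated.append(cand)
                plan[(tenant, orig)] = str(cand)
                break
        else:
            raise ValueError(f"translation pool {pool} exhausted for {tenant} {orig}")
    return plan


def translate_host(host: str, original: str, translated: str) -> str:
    """Map a host in the original remote subnet to its address inside the
    translated prefix (same offset from the network address, as 1:1 NAT does)."""
    o = ipaddress.ip_network(original)
    t = ipaddress.ip_network(translated)
    h = ipaddress.ip_address(host)
    if h not in o:
        raise ValueError(f"{host} is not inside {original}")
    return str(t.network_address + (int(h) - int(o.network_address)))


if __name__ == "__main__":
    for conflict in find_overlaps(TENANT_REMOTE_SUBNETS):
        print("conflict:", conflict)
    for (tenant, orig), new in plan_nat(TENANT_REMOTE_SUBNETS).items():
        print(f"{tenant}: {orig} -> seen from the VDC as {new}")
```

translate_host shows the address a remote host such as an office Domain Controller would carry once translated; that is exactly the mismatch between the real address a directory service registers and the translated one the VDC side sees that makes the NAT workaround awkward for AD traffic, as noted above.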
Sreec
VMware Employee

Yes, you can always deploy multiple edges and do that; nothing wrong with that approach. For your secondary site it is not mandatory to have NSX configured for L2 VPN; you can simply deploy a standalone edge and do that. See: Layer 2 VPN to the Cloud – Tom Fojta's Blog

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist