s57
Contributor

Fence parameters in NSX-V

Hi NSX experts,

We're running NSX-v 6.4.6 and have a need to support multiple overlapping networks (multiple networks with the same IP address range).  Looking through the documentation, it seems like this is supported with the "Fence Parameters" option:

pastedImage_0.png

However, I can find very little documentation on how these parameters work.  The admin docs just state the following:

pastedImage_1.png

So I'm looking for more in-depth guidance on how to set this up -- preferably something with examples.  Is anyone aware of more detailed resources?  Any help will be appreciated!

Accepted Solutions
nachogonzalez
Expert

For training purposes, vCloud Director would be ideal... lol

What you need is to apply a multi-tenant configuration.
I know that it can be done with NSX-V with vCloud or vRealize Automation. If you don't have any of those you might need to configure it via API call (I'm not sure how).

Thinking out loud another option is something like this:
pastedImage_3.png

(Sorry for the quality of the drawing, I made it real quick)
But the idea would be to provision 1 NSX Edge with NAT enabled for each student and logical switches with different network segments.
One side of the NSX Edge would be a transit network and the other would be a "local" side in which you can have local networks, and IP ranges can be the same; NAT would do the trick.


Not 100% sure, if someone can correct me I would appreciate it.

8 Replies
nachogonzalez
Expert

Fenced Networks are a vCloud Director feature. Do you have it available?
Can you tell me a little more about what you are trying to accomplish?

s57
Contributor

Ah, thanks for clarifying.  No, we do not have vCloud Director.

We'll have sets of VMs that we need to clone for training purposes.  So there may be, say, 5 VMs in a set.  They'll be configured with static IP addresses (which in some cases is mandatory).  We'll then create 25 or more clones of this set of VMs.  So we'll have a bunch of VMs with overlapping IPs.  We need those VMs to have outbound Internet access.

Lalegre
Commander

Hey,

The functionality you are looking for is "NAT", which means translation of one IP address to another one when there are overlapping scenarios or when you need to translate private IPs to public IPs. The combinations could be many, and depending on your complete scenario there can be multiple variations.

Basically, as nachogonzalez pointed out to you, the scenario you are trying to follow needs to be done using NAT networks. However, take into account that for accessing those virtual machines you will need to dedicate specific IPs that will need to be DNATed to access them.

If the VMs do not need to be accessed from outside networks then you can have those VMs living inside and they will be able to communicate with each other. On the other hand if the VMs need to access the Internet or any other service that is outside, you can create some SNAT rules for the whole subnets and use some Private or Public IPs for reaching them.

nachogonzalez
Expert

Lalegre, they need VMs to have outbound internet connectivity. (Please check the second reply.)

s57, just a comment on that: I don't think I've seen a training environment that has internet access; most likely they have all the "external" dependencies resolved with internal servers, i.e. git, RHEL repos, WSUS repos, etc.

Lalegre
Commander

Then if they need outbound connectivity he can SNAT the full ranges over different Public IPs for each student group and then route it to their Internet using the mechanism that they are already using.

Another case is to NAT the overlapping segments into routable private IPs and then keep using the NAT that you are probably already using for your whole LAN to travel to the Internet.

0 Kudos
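The one-edge-per-clone-set SNAT layout discussed in this thread, sketched as an added example (not code from any poster, and not NSX API calls): every edge keeps the same cloned inside subnet and gets a unique address on the transit network. The edge names, address ranges and the `reserved` parameter are assumptions chosen for illustration.

```python
import ipaddress
from itertools import islice

def build_nat_plan(inside_cidr, transit_cidr, clone_sets, reserved=1):
    """Plan one NAT edge per clone set: same inside subnet, unique uplink IP.

    All names and address ranges are assumptions for illustration.
    `reserved` skips the first transit hosts (e.g. the upstream gateway).
    """
    inside = ipaddress.ip_network(inside_cidr)
    transit = ipaddress.ip_network(transit_cidr)
    if inside.overlaps(transit):
        raise ValueError("transit network overlaps the cloned subnet")
    uplinks = list(islice(transit.hosts(), reserved, reserved + clone_sets))
    if len(uplinks) < clone_sets:
        raise ValueError(
            f"{transit} has only {len(uplinks)} free addresses for {clone_sets} edges")
    return [
        {"edge": f"edge-set-{n:03d}",          # hypothetical naming scheme
         "inside_subnet": str(inside),          # identical on every edge
         "uplink_ip": str(ip),                  # unique on the transit side
         "snat": {"original": str(inside), "translated": str(ip)}}
        for n, ip in enumerate(uplinks, start=1)
    ]

def egress_source(entry, vm_ip):
    """Source address seen on the transit side for a VM behind this edge."""
    inside = ipaddress.ip_network(entry["inside_subnet"])
    if ipaddress.ip_address(vm_ip) not in inside:
        return None  # not covered by this edge's SNAT rule
    return entry["snat"]["translated"]

if __name__ == "__main__":
    # Constructed sample: 25 clone sets sharing 192.168.10.0/24.
    plan = build_nat_plan("192.168.10.0/24", "10.20.0.0/24", clone_sets=25)
    for entry in plan[:3]:
        print(entry["edge"], entry["inside_subnet"], "->", entry["uplink_ip"])
    # The same static VM address leaves two different edges with different sources.
    print(egress_source(plan[0], "192.168.10.5"),
          egress_source(plan[24], "192.168.10.5"))
```

Sizing the transit network first shows how many per-set edges it can carry before addresses run out, which is the overhead question raised for dozens or hundreds of clone sets.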
s57
Contributor

Thanks all for the feedback.  Yes, I'm familiar with NAT -- we already use it for some applications.  These environments do definitely need outbound access -- even though they're for training.  The products in use are on a rapid development schedule and change all the time -- so they require connectivity to pull the latest updates.  I'm afraid that I may need to set up a separate Edge gw for each network -- which would be a lot of overhead since we could have dozens or even hundreds of these overlapping networks.  I guess the ultimate solution would be to obtain vCloud Director or vRealize.  {:-)

nachogonzalez
Expert

Just to avoid confusion:
You will still need one edge per student using vCloud Director or vRealize Automation; it only automates the deployment (and enables fencing in vCD).

With NSX-T you can consolidate all those edges with VRFs and service routers. But as far as I recall this question is for NSX-V.
