mazzy89
Contributor

Multiple SNAT rules applied to different segments prevent Internet access to VMs


On my NSX-T installation (v.2.5) I have the following situation: a segment with two SNAT rules.

snat1: Source IP: 192.168.0.0/24 Translated To: <PublicRoutableIP>

snat2: Source IP: 10.255.0.0/24 Translated To: <PublicRoutableIP>

This segment is connected to a tier1 gateway t1-gw.

Now I create a new tier1 gateway called t1-gw-2 and a new segment connected to it. I also create a SNAT rule:

snat3: Source IP: 172.16.0.0/16 Translated To: <PublicRoutableIP>

What happens is that VMs connected to this segment can't reach the Internet. However, once I disable both SNAT rules above (snat1 and snat2), everything works and the VMs can reach the Internet.

Why do multiple SNAT rules having different source IP blocks collide?

Note that the <PublicRoutableIP> is the same for all but this should not be a problem.

 


Accepted Solutions
shank89
Expert

You can't have overlapping subnets / SNAT IPs / prefixes etc. without segregating your routing domains. Think VRFs or separate T0s / Edges / T1s; this needs to be maintained across the physical fabric as well. This is the same way to achieve overlapping subnets in a multi-tiered and multi-tenanted scenario. Is there a reason you are setting it up this way? Why not use the single T1 for the same SNAT'd IP? Otherwise you will need to VRF or something similar.

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
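The accepted answer says the same SNAT address cannot be reused across Tier-1 gateways that sit in one routing domain. The check below, added here and not code from the thread or from VMware, walks a Tier-1 NAT rule set and flags exactly that: one translated address used for SNAT by more than one Tier-1 behind the same Tier-0. It assumes the NSX-T Policy API shape for Tier-1 NAT rules (`GET /policy/api/v1/infra/tier-1s/<t1>/nat/USER/nat-rules`, with the fields `action`, `source_network`, `translated_network`, `enabled`) and for the Tier-1 list (`GET /policy/api/v1/infra/tier-1s`, field `tier0_path`); the gateway names `t0-gw`, the address `203.0.113.10` standing in for `<PublicRoutableIP>`, and the sample data are constructed to mirror the question.

```python
"""Flag SNAT translated addresses shared by several Tier-1 gateways
behind the same Tier-0 (added example; assumes the Policy API field
names named in the lead-in)."""
import base64
import ipaddress
import json
import urllib.request
from collections import defaultdict

# Constructed sample mirroring the thread: t1-gw carries snat1/snat2,
# t1-gw-2 carries snat3, all translate to one public address, and both
# T1s are linked to the same (assumed) Tier-0 "t0-gw".
TIER1S = {
    "t1-gw": {"tier0_path": "/infra/tier-0s/t0-gw"},
    "t1-gw-2": {"tier0_path": "/infra/tier-0s/t0-gw"},
}
NAT_RULES = {
    "t1-gw": [
        {"id": "snat1", "action": "SNAT", "source_network": "192.168.0.0/24",
         "translated_network": "203.0.113.10"},
        {"id": "snat2", "action": "SNAT", "source_network": "10.255.0.0/24",
         "translated_network": "203.0.113.10"},
    ],
    "t1-gw-2": [
        {"id": "snat3", "action": "SNAT", "source_network": "172.16.0.0/16",
         "translated_network": "203.0.113.10"},
    ],
}


def _net(text):
    # A bare host address such as "203.0.113.10" becomes a /32.
    return ipaddress.ip_network(text, strict=False)


def shared_snat_addresses(tier1s, nat_rules):
    """Return {(tier0_path, translated_network): [(t1_id, rule_id), ...]}
    for every translated address that more than one Tier-1 behind the
    same Tier-0 uses in an enabled SNAT rule."""
    users = defaultdict(list)
    for t1_id, rules in nat_rules.items():
        t0 = tier1s.get(t1_id, {}).get("tier0_path")
        for rule in rules:
            if rule.get("action") != "SNAT" or not rule.get("enabled", True):
                continue
            key = (t0, str(_net(rule["translated_network"])))
            users[key].append((t1_id, rule["id"]))
    return {k: v for k, v in users.items() if len({t1 for t1, _ in v}) > 1}


def overlapping_sources(nat_rules):
    """Return pairs of SNAT rules whose source prefixes overlap, across
    all gateways. The thread's three sources are disjoint, so the
    collision there is not a source overlap."""
    flat = [(t1, r["id"], _net(r["source_network"]))
            for t1, rules in nat_rules.items() for r in rules
            if r.get("action") == "SNAT"]
    pairs = []
    for i, (t1a, ra, na) in enumerate(flat):
        for t1b, rb, nb in flat[i + 1:]:
            if na.overlaps(nb):
                pairs.append(((t1a, ra), (t1b, rb)))
    return pairs


def fetch_nat_state(manager, user, password):
    """Pull Tier-1s and their USER NAT rules from an NSX-T Manager over
    the Policy API paths assumed in the lead-in. Not exercised offline;
    the result has the same shape as TIER1S / NAT_RULES above."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def get(path):
        req = urllib.request.Request(
            f"https://{manager}{path}",
            headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    tier1s, rules = {}, {}
    for t1 in get("/policy/api/v1/infra/tier-1s").get("results", []):
        tier1s[t1["id"]] = {"tier0_path": t1.get("tier0_path")}
        path = f"/policy/api/v1/infra/tier-1s/{t1['id']}/nat/USER/nat-rules"
        rules[t1["id"]] = get(path).get("results", [])
    return tier1s, rules


if __name__ == "__main__":
    for (t0, ip), owners in shared_snat_addresses(TIER1S, NAT_RULES).items():
        print(f"{ip} behind {t0} is SNAT'd to by: {owners}")
    print("overlapping sources:", overlapping_sources(NAT_RULES))
```

Run against the constructed data it reports `203.0.113.10/32` behind `t0-gw` as used by snat1, snat2 and snat3, and no source overlap; marking snat1 and snat2 disabled clears the report, which matches what the question observed. Swap `TIER1S`/`NAT_RULES` for the output of `fetch_nat_state()` to run it against a live manager.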

mazzy89
Contributor

> You can't have overlapping subnets / SNAT IPs / prefixes etc. without segregating your routing domains.

In my case, the only thing overlapping is the public IP. Can't that overlap? Did I get it right?

>  Is there a reason you are setting it up this way?

I'm in a multi-tenant environment and I would like to segregate tenants per T1 gateway, so one T1 per tenant. I have only one public IP address available, which is why I set up NAT that way.

How would you then recommend me to segregate tenants?

shank89
Expert

You need to use VRFs or routing domains separated down to the physical layer.

mazzy89
Contributor

The problem is that I'm running NSX-T 2.5. I do not see any VRF option in my GUI. How can I create a VRF?

shank89
Expert

You can peer physical fabric VRFs to dedicated T0s and edge clusters per VRF.

mazzy89
Contributor

The problem here is that I do not have access to the physical infrastructure. I'm speaking about an NSX-T installation provided to me by a third-party provider.

All I have access to is NSX-T. Does that mean I should get in touch with the provider about the possibility of scaling?

shank89
Expert

You should probably contact them to see what options they have available. 

mazzy89
Contributor

Thank you.

Just to understand: how are multiple routing domains mapped to NSX-T resources? Is a routing domain a combination of Edge, T0 and T1? In my case, I have two edge servers. Does this mean that I can have only two routing domains? Did I get it right?

shank89
Expert

Since you don't have the ability to use VRFs, you attach a single edge cluster, which is usually a minimum of two edges, to a T0, then T1s and segments.

In your case, you will have a single global routing table across the two edge nodes.
