Handling Overlapping CIDRs in OCI

May 29, 2023 | 3 minute read
Mohsin Kamal
Master Cloud Architect

Overlapping IP address ranges are common in larger networks for various reasons, such as network misconfiguration, subnetting errors, or mergers and acquisitions. This is a particularly hard problem to solve in an already established network, since removing the conflict means assigning a new non-overlapping IP address range and reconfiguring the network. Cloud is no different when it comes to overlapping IP address challenges.

There are a number of design options that a network architect or administrator can use to work around this problem. In this blog, I am going to go over one such architecture, where we establish connectivity between two hosts whose IP addresses fall in overlapping ranges.

Let’s look at our scenario. We have a web server running in a VCN with CIDR 10.10.0.0/16, and a remote client that wants to connect to this server over an IPSec tunnel with a source IP of 10.10.0.100/32. Because the client IP belongs to the same address space as the destination, we can route the traffic all the way to the remote VCN, but the server will not be able to reply to the client, since the return IP address belongs to the host VCN.

[Figure: Test Scenario]

Now let’s look at the design for overcoming this challenge using an OCI Flexible Load Balancer.

[Figure: Overlapping CIDR with LBaaS]

The following are step-by-step instructions for deploying this architecture.

  • Add a non-overlapping CIDR to the VCN and create a subnet for the load balancer in it.
  • Add a Flexible Load Balancer in the non-overlapping subnet and make sure to associate the load balancer with the appropriate backend sets and listeners.
  • Create route rules in the VCN route table attached to the non-overlapping subnet that point the route to the DRG.
  • Update or create DNS records to point to the load balancer.

Verification

To verify end-to-end connectivity, I have a test user with IP address 10.10.0.100 on premises who is trying to reach the newly deployed load balancer. The on-premises CPE will advertise the more specific IP address over BGP to the DRG.

[Figure: BGP received route]

The DRG will now have two overlapping routes: one for the VCN CIDR and one more specific route learned over the IPSec tunnel.

[Figure: DRG Route table]

Add more specific route rules to the VCN route table attached to the load balancer subnet.

[Figure: VCN Route table]
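As an added example (not code from the original post), here is a small Python model of the routing decisions behind the deployment steps above and the DRG and VCN route tables just shown: it picks a non-overlapping CIDR for the load balancer subnet and applies longest-prefix matching to show why a reply to 10.10.0.100 stays local when it leaves the web server subnet, but is sent to the DRG and on to the IPSec tunnel when it leaves the load balancer subnet. The CIDR candidates and the route-target names are assumptions.

```python
import ipaddress

# Constructed sample values mirroring the blog's scenario (assumed, not taken
# from any real tenancy): the VCN's original CIDR, the client prefix the CPE
# advertises over BGP, and candidate blocks for the load balancer subnet.
VCN_CIDRS = ["10.10.0.0/16"]
REMOTE_PREFIXES = ["10.10.0.100/32"]
LB_CIDR_CANDIDATES = ["10.10.1.0/24", "172.16.50.0/24"]


def pick_lb_cidr(vcn_cidrs, remote_prefixes, candidates):
    """First candidate overlapping neither the VCN nor the on-premises
    prefixes; None if every candidate collides."""
    taken = [ipaddress.ip_network(c) for c in vcn_cidrs + remote_prefixes]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(t) for t in taken):
            return cand
    return None


def next_hop(route_table, dst):
    """Longest-prefix match over (cidr, target) rules; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(c), t) for c, t in route_table
               if addr in ipaddress.ip_network(c)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


LB_CIDR = pick_lb_cidr(VCN_CIDRS, REMOTE_PREFIXES, LB_CIDR_CANDIDATES)

# Web server subnet: only the implicit local route for the VCN CIDR, so a
# reply to 10.10.0.100 never leaves the VCN (the original problem).
WEB_SUBNET_ROUTES = [("10.10.0.0/16", "local")]
# Load balancer subnet: local routes for both VCN CIDRs plus the more
# specific rule for the client, pointing at the DRG.
LB_SUBNET_ROUTES = [("10.10.0.0/16", "local"), (LB_CIDR, "local"),
                    ("10.10.0.100/32", "drg")]
# DRG: the VCN attachment owns the /16, the IPSec attachment the /32 from BGP.
DRG_ROUTES = [("10.10.0.0/16", "vcn-attachment"),
              ("10.10.0.100/32", "ipsec-attachment")]


def trace_reply(client="10.10.0.100"):
    """Next hop for the reply to the client at each of the three tables."""
    return {"web_subnet": next_hop(WEB_SUBNET_ROUTES, client),
            "lb_subnet": next_hop(LB_SUBNET_ROUTES, client),
            "drg": next_hop(DRG_ROUTES, client)}
```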

Now that everything is in place, we should be able to access the test server.

[Figure: curl-test-server]

Conclusion

You can see from the results that the end user (10.10.0.100) can reach the test server even though it is part of an overlapping subnet. As I mentioned at the beginning of this blog, there are multiple architectures that can solve the overlapping CIDR issue; this is just one option. In the next blog I will go over another design option that overcomes the same challenge.
