Using VPN to maintain a flat network?

Posted on 2010-09-15
Medium Priority
Last Modified: 2012-05-10
We currently have a completely flat network with only one location.  We are on the /16 network.

We are now in the process of opening a co-location (location #2) that is connected to the main office via a private circuit. We originally thought the connection to the co-location was a layer 2 connection, so we IP addressed all of our new servers and devices within the /16 network. We recently found out the connection to the co-location is a layer 3 connection.

We are now presented with a problem. We can re-IP the co-location servers and devices. However, this will take quite a bit of time, testing, and manpower. We are trying to avoid this if possible.

The other option we are looking at is using some type of VPN to establish a flat network between the main office and the co-location. We will already have layer 3 firewalls in place that could provide a VPN service. Is it possible to maintain a flat network in these circumstances? I looked at site-to-site VPNs but it seems they are more geared for connections over the public internet; the two connecting networks appear to have to be on different networks. Any ideas on how to keep the main office and co-location a flat network so we do not have to re-IP address all the equipment going to the new co-location? Or should we go ahead and just re-IP?

Thanks for your help. It is appreciated.

Question by:wyrickits

Expert Comment

by:Matt V
ID: 33687635
You want to look at a GRE tunnel. You create a tunnel between the locations and then bridge the interfaces so the two networks think they are one.

Expert Comment

ID: 33687675
I am not really an expert on VPN and layer 3 networks, but as far as I know it is possible to establish a VPN between machines regardless of where they are; the important thing should be that the connection request points toward the right address. I guess it makes no difference which kind of address it is.

VPN is OK for remote connections because of the cryptography, but again, as far as I know, it does not have the same performance that you can have on a regular network; furthermore it can drop from time to time.

In my point of view it is not preferable compared to a regular network connection, unless the data are going to travel on an insecure network.

So surely you can save time creating a VPN, but it might also be that you lose time afterwards.

I would change the IP on the servers, but again it also depends on how many machines must be configured, etc.

Normally this is done on a regular network; I would stick to the general rule.

Hope this helps you.


Expert Comment

ID: 33687946
VPN is possible, but I would not recommend it. Stability would not be an issue on a private circuit, however, performance definitely would be as every packet passing between the networks would have to be encrypted and decrypted.

Best case from an administrative and performance standpoint would be to re-number the networks; however, I understand your reluctance due to the time expenditure. What you could do is NAT the traffic. You will need to have a layer 3 router between the networks regardless to handle the traffic, and that same device typically has the capability to perform policy-based NAT. You would basically choose neutral subnets for both sides of the connection and translate the traffic as it goes through the router. The downside of this solution is management, as it will be somewhat confusing, but if you plan it well and have the last octets of the subnets match, it shouldn't be too bad.
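To make the policy-NAT idea in the comment above concrete, here is an added simulation (not code from the thread or from any Fortigate configuration) of the 1:1 prefix translation an inter-site router would perform. It assumes constructed addressing: both sites really use 10.0.0.0/16, the co-lo is reached from the main office as 172.17.0.0/16, and the main office is reached from the co-lo as 172.16.0.0/16, so only the first two octets change and the host octets match on both sides.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed addressing (assumption, not from the thread): the real prefix is
# the same at both sites, so each side gets a neutral /16 the other side uses.
REAL = IPv4Network("10.0.0.0/16")
MAIN_AS_SEEN_BY_COLO = IPv4Network("172.16.0.0/16")
COLO_AS_SEEN_BY_MAIN = IPv4Network("172.17.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def plan_ok() -> bool:
    """Planning check: neutral prefixes must be the same size as the real one
    and must not overlap it or each other, or translation is ambiguous."""
    nets = [MAIN_AS_SEEN_BY_COLO, COLO_AS_SEEN_BY_MAIN]
    same_size = all(n.prefixlen == REAL.prefixlen for n in nets)
    disjoint = (not nets[0].overlaps(nets[1])
                and not any(n.overlaps(REAL) for n in nets))
    return same_size and disjoint


def netmap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """1:1 prefix translation (NETMAP-style): swap network bits, keep host bits."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_bits)


def translate(pkt: Packet, ingress: str) -> Packet:
    """Policy NAT on the inter-site router. The rule is keyed on the ingress
    interface because both sites carry the same real prefix and a packet's
    addresses alone cannot tell the router which site it came from."""
    if ingress == "main":  # main office -> co-lo
        return Packet(src=netmap(pkt.src, REAL, MAIN_AS_SEEN_BY_COLO),
                      dst=netmap(pkt.dst, COLO_AS_SEEN_BY_MAIN, REAL))
    if ingress == "colo":  # co-lo -> main office
        return Packet(src=netmap(pkt.src, REAL, COLO_AS_SEEN_BY_MAIN),
                      dst=netmap(pkt.dst, MAIN_AS_SEEN_BY_COLO, REAL))
    raise ValueError(f"unknown ingress interface {ingress!r}")


if __name__ == "__main__":
    # Main-office host 10.0.1.50 talks to the co-lo server it knows as 172.17.2.20.
    fwd = translate(Packet(IPv4Address("10.0.1.50"), IPv4Address("172.17.2.20")), "main")
    print("arrives at co-lo as", fwd)          # src 172.16.1.50 -> dst 10.0.2.20
    print("reply lands as", translate(Packet(fwd.dst, fwd.src), "colo"))
```

The management cost the comment warns about shows up here as the two address views of every host: DNS at each site must hand out the neutral address of the remote side, and firewall rules on the router must reference the translated addresses consistently in each direction.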

Expert Comment

ID: 33687978
As a side comment: considering that private circuits (T-1, MPLS, etc.) are typically slower (1.5M, 3M, sometimes faster) than your LAN (100M or 1G), you are much better off with the networks not being on the same subnet. With a layer 2 or bridged connection, all traffic, including broadcast traffic, would be pushed over the private circuit, needlessly increasing the saturation level. With a layer 3 or routed connection only the needed traffic is allowed over the circuit, and from there you can even prioritize the traffic using QoS if need be.

Expert Comment

ID: 33688142
What network devices do you have for connecting locations #1 and #2?

Author Comment

ID: 33688194
We have Fortigate 80Cs at both sites.

Expert Comment

ID: 33689026
With Fortigates you cannot make an L2 VPN. If you had Cisco IOS routers you could use L2TPv3 to make an L2 tunnel over your routed network.


However, as others have already told you, there are plenty of reasons for you to make your connection L3 and re-IP one of the sites. It's the easiest way and it will give you less headache.


Expert Comment

ID: 33689554
If you have Fortigate 80Cs on both sites then you can easily create a site-to-site IPsec VPN to get the connection secure, but as two different networks.
It may be two different networks, but manageability will not be an issue.

Expert Comment

ID: 33749373
I fully agree with mpickreign.

However I just wanted to correct Kvistofta who is wrong about the Fortigates, they do support layer 2 tunneling and have done since at least v2.80.

Accepted Solution

wyrickits earned 0 total points
ID: 33914188

We decided on the re-IP. The network is now up and running!
