Using VPN to maintain a flat network?

Posted on 2010-09-15
Last Modified: 2012-05-10
We currently have a completely flat network with only one location.  We are on the 10.10.0.0 /16 network.

We are now in the process of opening a colocation site (location #2) that is connected to the main office via a private circuit.  We originally thought the connection to the colocation site was a layer 2 connection, so we IP addressed all of our new servers and devices within the 10.10.0.0 /16 network.  We recently found out the connection to the colocation site is a layer 3 connection.

We are now presented with a problem.  We can re-IP the colocation servers and devices.  However, this will take quite a bit of time, testing, and manpower.  We are trying to avoid this if possible.

The other option we are looking at is using some type of VPN to establish a flat network between the main office and the colocation site.  We will already have layer 3 firewalls in place that could provide a VPN service.  Is it possible to maintain a flat network in these circumstances?  I looked at site-to-site VPNs, but it seems they are more geared for connections over the public internet; the two connecting networks appear to have to be on different networks.  Any ideas on how to keep the main office and colocation site a flat network so we do not have to re-IP address all the equipment going to the new colocation site?  Or should we go ahead and just re-IP?

Thanks for your help.  It is appreciated.

Question by:wyrickits
10 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33687635
You want to look at a GRE tunnel.  You create a tunnel between the locations and then bridge the interfaces so the two networks think they are one.
0
 
LVL 7

Expert Comment

by:Daxit
ID: 33687675
Hi

I am not really an expert on VPN and layer 3 networks, but as far as I know it is possible to establish a VPN between machines regardless of where they are; the important thing should be that the connection request points toward the right address. I guess it makes no difference which kind of address it is.

VPN is OK for remote connections because of the cryptography, but again, as far as I know, it does not have the same performance that you can have on a regular network; furthermore, it can drop from time to time.

In my point of view it is not preferable compared to a regular network connection, unless the data are going to travel on an insecure network.

So surely you can save time creating a VPN, but it might also be that you lose time afterwards.

I would change the IP on the servers, but again it depends also on how many machines must be configured, etc.

Normally it is done on a regular network; I would stick to the general rule.

Hope this helps you.

Bye
0
 
LVL 4

Expert Comment

by:mpickreign
ID: 33687946
VPN is possible, but I would not recommend it. Stability would not be an issue on a private circuit; however, performance definitely would be, as every packet passing between the networks would have to be encrypted and decrypted.

Best case from an administrative and performance standpoint would be to re-number the networks; however, I understand your reluctance due to the time expenditure. What you could do is NAT the traffic. You will need to have a layer 3 router between the networks regardless to handle the traffic, and that same device typically has the capability to perform policy-based NAT. You would basically choose neutral subnets for both sides of the connection and translate the traffic as it goes through the router. The downside of this solution is management, as it will be somewhat confusing, but if you plan it well and have the last octets of the subnets match, it shouldn't be too bad.
0
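An added illustration of the policy-NAT idea in the comment above (example code, not from the thread or from any vendor): it first checks why two sites addressed from the same 10.10.0.0/16 cannot simply be routed, then translates addresses into constructed "neutral" /16s so the host octets carry over unchanged. The neutral subnets 10.20.0.0/16 and 10.30.0.0/16 and the host addresses are assumptions chosen for the example.

```python
"""Added example: overlap check and host-preserving policy NAT for two sites
that both use 10.10.0.0/16 (situation from the question). Neutral subnets and
host addresses below are constructed for illustration."""
import ipaddress

# Both sites were addressed out of the same /16 (from the question).
MAIN_OFFICE = ipaddress.ip_network("10.10.0.0/16")
COLO = ipaddress.ip_network("10.10.0.0/16")

# Constructed "neutral" subnets, one per side, with the same prefix length as
# the real one so the host bits (the last octets) map one-to-one.
MAIN_NAT = ipaddress.ip_network("10.20.0.0/16")
COLO_NAT = ipaddress.ip_network("10.30.0.0/16")


def routable_without_nat(net_a, net_b):
    """A layer 3 router can only pick an egress interface if prefixes are disjoint."""
    return not net_a.overlaps(net_b)


def translate(addr, real_net, nat_net):
    """Policy NAT that keeps the host part: swap the network bits, keep host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("real and neutral subnets must share a prefix length")
    host_bits = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(nat_net.network_address) + host_bits)


def build_static_table(hosts, real_net, nat_net):
    """Bidirectional real<->translated table, e.g. for the router config docs."""
    table = {}
    for h in hosts:
        nat = translate(h, real_net, nat_net)
        table[str(h)] = str(nat)
        table[str(nat)] = str(h)
    return table


if __name__ == "__main__":
    print(routable_without_nat(MAIN_OFFICE, COLO))        # False: same prefix
    print(routable_without_nat(MAIN_NAT, COLO_NAT))       # True: neutral subnets
    # The main office reaches colo host 10.10.5.20 as 10.30.5.20 (constructed host)
    print(translate("10.10.5.20", COLO, COLO_NAT))
```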
 
LVL 4

Expert Comment

by:mpickreign
ID: 33687978
As a side comment: considering that private circuits (T-1, MPLS, etc.) are typically slower (1.5M, 3M, sometimes faster) than your LAN (100M or 1G), you are much better off with the networks not being on the same subnet. With a layer 2 or bridged connection, all traffic, including broadcast traffic, would be pushed over the private circuit, needlessly increasing the saturation level. With a layer 3 or routed connection only the needed traffic is allowed over the circuit, and from there you can even prioritize the traffic using QoS if need be.
0
 
LVL 4

Expert Comment

by:bjove
ID: 33688142
What network devices do you have for connecting locations #1 and #2?
0
 
Author Comment

by:wyrickits
ID: 33688194
We have Fortigate 80Cs at both sites.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33689026
With FortiGates you cannot make an L2 VPN. If you had Cisco IOS routers you could use L2TPv3 to make an L2 tunnel over your routed network.

http://isc.sans.edu/diary.html?storyid=8704

However, as others have already told you, there are plenty of reasons for you to make your connection L3 and re-IP one of the sites. It's the easiest way and it will give you less headache.

/Kvistofta
0
 
LVL 11

Expert Comment

by:diprajbasu
ID: 33689554
If you have FortiGate 80Cs on both sites then you can easily create a site-to-site IPsec VPN to get the connection secure, but as two different networks.
It may be two different networks, but manageability will not be an issue.
0
 
LVL 4

Expert Comment

by:Whiterat
ID: 33749373
I fully agree with mpickreign.

However, I just wanted to correct Kvistofta, who is wrong about the FortiGates: they do support layer 2 tunneling and have done since at least v2.80.
0
 

Accepted Solution

by:
wyrickits earned 0 total points
ID: 33914188
Hey,

  We decided on the re-IP.  The network is now up and running!
0