Using VPN to maintain a flat network?

We currently have a completely flat network with only one location.  We are on the /16 network.

We are now in the process of opening a colocation (location #2) that is connected to the main office via a private circuit.  We originally thought the connection to the colocation was a layer 2 connection, so we IP addressed all of our new servers and devices within the /16 network.  We recently just found out the connection to the colocation is a layer 3 connection.

We are now presented with a problem.  We can re-IP the colocation servers and devices.  However, this will take quite a bit of time, testing, and manpower.  We are trying to avoid this if possible.

The other option we are looking at is using some type of VPN to establish a flat network between the main office and the colocation.  We will already have layer 3 firewalls in place that could provide a VPN service.  Is it possible to maintain a flat network in these circumstances?  I looked at site-to-site VPNs, but it seems they are more geared for connections over the public internet; the two connecting networks appear to have to be on different networks.  Any ideas on how to keep the main office and colocation a flat network so we do not have to re-IP address all the equipment going to the new colocation?  Or should we go ahead and just re-IP?

Thanks for your help.  It is appreciated.

wyrickits (Author) commented:

We decided on the re-IP.  The network is now up and running!
Matt V commented:
You want to look at a GRE tunnel.  You create a tunnel between the locations and then bridge the interfaces so the two networks think they are one.
I am not really an expert on VPN and layer 3 networks, but as far as I know it is possible to establish a VPN between machines regardless of where they are; the important thing should be that the connection request points toward the right address. I guess it makes no difference which kind of address it is.

VPN is ok for remote connections because of the cryptography, but again as far as I know, does not have the same performance that you can have on a regular network, furthermore can drop from time to time.

In my point of view it is not preferable if compared to a regular network connection, unless the data are going to travel on an insecure network.

So surely you can save time creating a VPN, but it might also be that you lose time afterwards.

I would change the IP on the servers, but again depends also on how many machines must be configured etc.

Normally it is done on a regular network; I would stick to the general rule.

Hope this helps you.


VPN is possible, but I would not recommend it. Stability would not be an issue on a private circuit, however, performance definitely would be as every packet passing between the networks would have to be encrypted and decrypted.

Best case from an administrative and performance standpoint would be to re-number the networks; however, I understand your reluctance due to the time expenditure. What you could do is NAT the traffic. You will need to have a layer 3 router between the networks regardless to handle the traffic, and that same device typically has the capability to perform policy-based NAT. You would basically choose neutral subnets for both sides of the connection and translate the traffic as it goes through the router. The downside of this solution is management, as it will be somewhat confusing, but if you plan it well and have the last octets of the subnets match, it shouldn't be too bad.
As a side comment: considering that private circuits (T-1, MPLS, etc.) are typically slower (1.5M, 3M, sometimes faster) than your LAN (100M or 1G), you are much better off with the networks not being on the same subnet. With a layer 2 or bridged connection, all traffic, including broadcast traffic, would be pushed over the private circuit, needlessly increasing the saturation level. With a layer 3 or routed connection only the needed traffic is allowed over the circuit, and from there you can even prioritize the traffic using QoS if need be.
What network devices do you have for connecting locations #1 and #2?
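An added example (not from this thread, and not any vendor's configuration) that works through the policy-NAT plan described above in Python: each site keeps its real addresses in the overlapping /16, and the layer 3 device presents each side to the other under a neutral subnet of the same size, so that only the network part changes and the last octets match. The real range 10.0.0.0/16 and the neutral subnets 10.200.0.0/16 and 10.201.0.0/16 are assumed placeholders, not the asker's actual addressing.

```python
"""Plan a policy-NAT (twice-NAT) scheme for two sites sharing one /16.

Constructed example. The overlapping range 10.0.0.0/16 and the two neutral
subnets are placeholders chosen for illustration.
"""
import ipaddress

REAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed overlapping range at both sites
NEUTRAL = {
    "main": ipaddress.ip_network("10.200.0.0/16"),  # placeholder: how the colo sees the main office
    "colo": ipaddress.ip_network("10.201.0.0/16"),  # placeholder: how the main office sees the colo
}


def translate(addr, from_net, to_net):
    """Map addr from one subnet into another of the same size, keeping the host bits.

    Keeping the host part identical is what keeps the scheme manageable:
    10.0.5.20 at the colo is reached from the main office as 10.201.5.20.
    """
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("source and target subnets must be the same size")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def validate_plan(real_net, neutral):
    """Neutral subnets must overlap neither the real range nor each other;
    otherwise the layer 3 device would have ambiguous routes."""
    nets = list(neutral.values())
    for n in nets:
        if n.overlaps(real_net):
            raise ValueError(f"neutral subnet {n} overlaps the real network {real_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"neutral subnets {a} and {b} overlap")
    return True


def rewrite_outbound(from_site, to_site, src, dst, real_net=REAL_NET, neutral=NEUTRAL):
    """Rewrite a packet as the router does when it leaves from_site toward to_site.

    The source (a real address at from_site) becomes its neutral form, and the
    destination (a neutral address of to_site) becomes the real address on the far side.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in neutral[to_site]:
        raise ValueError(f"{dst_ip} is not a translated address of site {to_site}")
    new_src = translate(src_ip, real_net, neutral[from_site])
    new_dst = translate(dst_ip, neutral[to_site], real_net)
    return str(new_src), str(new_dst)


def build_nat_table(hosts_by_site, real_net=REAL_NET, neutral=NEUTRAL):
    """Produce the static 1:1 translations the router needs for the hosts that
    must be reachable across the circuit.

    Returns (table, duplicates): table is a list of (site, real, neutral) tuples;
    duplicates lists real addresses in use at both sites, i.e. the ones that
    would collide in a flat layer 2 network but are hidden by the NAT.
    """
    validate_plan(real_net, neutral)
    table = []
    sites_using = {}
    for site, hosts in hosts_by_site.items():
        for h in hosts:
            real = str(ipaddress.ip_address(h))
            table.append((site, real, str(translate(real, real_net, neutral[site]))))
            sites_using.setdefault(real, set()).add(site)
    duplicates = sorted(a for a, s in sites_using.items() if len(s) > 1)
    return table, duplicates


if __name__ == "__main__":
    # Constructed host lists: one address is deliberately in use at both sites.
    hosts = {"main": ["10.0.7.1", "10.0.1.10"], "colo": ["10.0.5.20", "10.0.7.1"]}
    table, dups = build_nat_table(hosts)
    for row in table:
        print("%-5s real %-12s seen by other site as %s" % row)
    print("in use at both sites:", dups)
    print("main 10.0.7.1 -> colo 10.201.5.20 on the wire:",
          rewrite_outbound("main", "colo", "10.0.7.1", "10.201.5.20"))
```

Each tuple in the table is one static translation rule per direction; the plan only stays readable because the host octets never change, which is exactly the "last octets match" advice.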
wyrickits (Author) commented:
We have FortiGate 80Cs at both sites.
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
With FortiGates you cannot make an L2 VPN. If you had Cisco IOS routers you could use L2TPv3 to make an L2 tunnel over your routed network.

However, as others have already told you, there are plenty of reasons for you to make your connection L3 and re-IP one of the sites. It's the easiest way and it will give you less headache.

If you have a FortiGate 80C at both sites then you can easily create a site-to-site IPsec VPN to get the connection secure, but as two different networks.
It may be two different networks, but manageability will not be an issue.
I fully agree with mpickreign.

However I just wanted to correct Kvistofta who is wrong about the Fortigates, they do support layer 2 tunneling and have done since at least v2.80.