Using VPN to maintain a flat network?

Posted on 2010-09-15
Medium Priority
Last Modified: 2012-05-10
We currently have a completely flat network with only one location.  We are on the /16 network.

We are now in the process of opening a co-location (location #2) that is connected to the main office via a private circuit. We originally thought the connection to the co-location was a layer 2 connection, so we IP addressed all of our new servers and devices within the /16 network. We recently found out the connection to the co-location is a layer 3 connection.

We are now presented with a problem. We can re-IP the co-location servers and devices. However, this will take quite a bit of time, testing, and manpower. We are trying to avoid this if possible.

The other option we are looking at is using some type of VPN to establish a flat network between the main office and the co-location. We will already have layer 3 firewalls in place that could provide a VPN service. Is it possible to maintain a flat network in these circumstances? I looked at site-to-site VPNs, but it seems they are more geared for connections over the public internet; the two connecting networks appear to have to be on different networks. Any ideas on how to keep the main office and co-location a flat network so we do not have to re-IP address all the equipment going to the new co-location? Or should we go ahead and just re-IP?

Thanks for your help. It is appreciated.

Question by:wyrickits
LVL 22

Expert Comment

by:Matt V
ID: 33687635
You want to look at a GRE tunnel. You create a tunnel between the locations and then bridge the interfaces so the two networks think they are one.

Expert Comment

ID: 33687675
I am not really an expert on VPN and layer 3 networks, but as far as I know it is possible to establish a VPN between machines regardless of where they are; the important thing should be that the connection request points toward the right address. I guess it makes no difference which kind of address it is.

VPN is OK for remote connections because of the cryptography, but again, as far as I know, it does not have the same performance that you can have on a regular network; furthermore, it can drop from time to time.

In my point of view it is not preferable compared to a regular network connection, unless the data are going to travel on an unsecured network.

So surely you can save time creating a VPN, but it might also be that you lose time afterwards.

I would change the IP on the servers, but again it depends also on how many machines must be configured, etc.

Normally it is done on a regular network; I would stick to the general rule.

Hope this helps you.


Expert Comment

ID: 33687946
VPN is possible, but I would not recommend it. Stability would not be an issue on a private circuit, however, performance definitely would be as every packet passing between the networks would have to be encrypted and decrypted.

Best case from an administrative and performance standpoint would be to re-number the networks; however, I understand your reluctance due to the time expenditure. What you could do is NAT the traffic. You will need to have a layer 3 router between the networks regardless to handle the traffic, and that same device typically has the capability to perform policy-based NAT. You would basically choose neutral subnets for both sides of the connection and translate the traffic as it goes through the router. The downside of this solution is management, as it will be somewhat confusing, but if you plan it well and have the last octets of the subnets match, it shouldn't be too bad.
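As an added illustration of the policy NAT idea in this comment (my own example, not code from the thread and not a Fortigate or vendor configuration), the script below models the address arithmetic a router would apply between two sites that both live in the same /16. The subnets are constructed assumptions: both sites really use 10.0.0.0/16, the main office (A) is presented to the co-location as 172.16.0.0/16 and the co-location (B) is presented to the main office as 172.17.0.0/16, chosen the same size so the last two octets match. It also shows the "confusing" part the commenter warns about: a main-office host that addresses 10.0.2.10 stays local, and the 10.0.2.10 at the other site is only reachable as 172.17.2.10.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed example addressing (an assumption, not taken from the thread):
# both sites were numbered inside the same 10.0.0.0/16, so each site is shown
# to the other under a "neutral" /16 of equal size, keeping host bits intact.
SITE_A_REAL = IPv4Network("10.0.0.0/16")       # main office as it really is
SITE_A_NEUTRAL = IPv4Network("172.16.0.0/16")  # how the co-location sees it
SITE_B_REAL = IPv4Network("10.0.0.0/16")       # co-location as it really is
SITE_B_NEUTRAL = IPv4Network("172.17.0.0/16")  # how the main office sees it


@dataclass(frozen=True)
class Packet:
    """Only the header fields the NAT policy cares about (strings or IPv4Address)."""
    src: object
    dst: object


def map_address(addr, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Swap the network bits of addr from from_net to to_net, keeping the host
    bits unchanged, so 10.0.7.20 <-> 172.17.7.20 and the last octets line up."""
    addr = IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("real and neutral subnets must be the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_bits)


def reply(pkt: Packet) -> Packet:
    """The return packet simply swaps source and destination."""
    return Packet(src=pkt.dst, dst=pkt.src)


def nat_a_to_b(pkt: Packet) -> Packet:
    """Router policy for main office (A) -> co-location (B): the sender used B's
    neutral address, so hide A behind its neutral subnet and restore B's real one."""
    return Packet(
        src=map_address(pkt.src, SITE_A_REAL, SITE_A_NEUTRAL),
        dst=map_address(pkt.dst, SITE_B_NEUTRAL, SITE_B_REAL),
    )


def nat_b_to_a(pkt: Packet) -> Packet:
    """Mirror policy for co-location (B) -> main office (A)."""
    return Packet(
        src=map_address(pkt.src, SITE_B_REAL, SITE_B_NEUTRAL),
        dst=map_address(pkt.dst, SITE_A_NEUTRAL, SITE_A_REAL),
    )


def reaches_remote_site(dst, local_real: IPv4Network, remote_neutral: IPv4Network) -> str:
    """Classify where a local host's destination ends up. An address inside the
    local real subnet never leaves the site, even though the same address also
    exists at the other site: that is the management confusion of this design."""
    dst = IPv4Address(dst)
    if dst in remote_neutral:
        return "remote (translated)"
    if dst in local_real:
        return "local (duplicate at remote site is unreachable)"
    return "elsewhere"


if __name__ == "__main__":
    # Main-office host 10.0.1.5 talks to co-location server 10.0.2.10,
    # which it must address as 172.17.2.10 (constructed sample flow).
    request = Packet("10.0.1.5", "172.17.2.10")
    on_wire = nat_a_to_b(request)
    answer = nat_b_to_a(reply(on_wire))
    print(f"request after NAT : {on_wire.src} -> {on_wire.dst}")
    print(f"reply after NAT   : {answer.src} -> {answer.dst}")
    print(reaches_remote_site("10.0.2.10", SITE_A_REAL, SITE_B_NEUTRAL))
```

The round trip is the property to check when planning this: after both policies are applied, the reply lands back on the original host with the original addresses, and every device at site A must be told (DNS, application configs, firewall rules) to use the 172.17.x.y form for anything at site B.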


Expert Comment

ID: 33687978
As a side comment. Considering that private circuits (T-1, MPLS, etc.) are typically slower (1.5M, 3M, sometimes faster) than your LAN (100M or 1G), you are much better off with the networks not being on the same subnet. With a layer 2 or bridged connection, all traffic, including broadcast traffic, would be pushed over the private circuit, needlessly increasing the saturation level. With a layer 3 or routed connection only the needed traffic is allowed over the circuit, and from there you can even prioritize the traffic using QoS if need be.

Expert Comment

ID: 33688142
What network devices do you have for connecting locations #1 and #2?

Author Comment

ID: 33688194
We have Fortigate 80Cs at both sites.
LVL 17

Expert Comment

ID: 33689026
With fortigates you cannot make a l2-vpn. If you had Cisco IOS-routers you could use l2tpv3 to make a l2-tunnel over your routed network.


However, as others have already said, there are plenty of reasons for you to make your connection L3 and re-IP one of the sites. It's the easiest way and it will give you less headache.

LVL 11

Expert Comment

ID: 33689554
If you have Fortigate 80Cs on both sites, then you can easily create a site-to-site IPsec VPN to secure the connection, but it will be two different networks.
It may be two different networks, but manageability will not be an issue.

Expert Comment

ID: 33749373
I fully agree with mpickreign.

However I just wanted to correct Kvistofta who is wrong about the Fortigates, they do support layer 2 tunneling and have done since at least v2.80.

Accepted Solution

wyrickits earned 0 total points
ID: 33914188
We decided on the re-IP. The network is now up and running!
