Designing Medium site-to-site network (500+ users)

Hi Experts,

I am preparing for a network upgrade of both infrastructure and bandwidth. We will be implementing a site-to-site VPN network for 30 locations. Most of the remote locations are small and only have up to 5 users at a time. Eight of the locations are larger with 20-75 users at each.

Currently we have Cisco site-to-site VPN's for the larger eight locations. Each site's router is doing the DHCP for the end users. All end users regardless of location are currently using the corporate DNS server.

Current Structure

Main Location - 192.168.2.0
Large Location 1 - 192.168.1.0
Large Location 2 - 192.168.3.0
Large Location 4 - 192.168.4.0
Large Location 5 - 192.168.5.0
Large Location 6 - 192.168.6.0
Large Location 7 - 192.168.7.0

Corporate DNS is on 192.168.2.0/24 network.

In terms of network infrastructure, all sites will have SonicWall NSA240s and three of the larger sites will have NSA2400s. All sites' traffic will route to our corporate building (currently the 192.168.2.0/24 network) and route all internet traffic out of the NSA2400. The SonicWalls will be set up so all traffic is allowed to all networks (Full Mesh VPN).

I am looking to have all users and end devices on the same subnet; however, I am looking for some advice on how to set up the IP schema. Essentially I would like to have all end users get DHCP/DNS from the corporate office. The DHCP server is a Windows Server 2003.

Thanks!
RLComputingAsked:

slakicCommented:
Hi,

One of the requirements to have site-to-site VPNs is that the subnets on both sides of the peers MUST be different; otherwise, whenever a host sends a packet to an IP address on the remote site's side which is on the same subnet, it will never send that packet to a gateway, and therefore never through the VPN tunnel.

In my opinion, you should leave subnetting as it is. As far as DHCP is concerned, you would either pass through broadcast or have some DHCP relay agents, and I am not sure how those will perform through VPNs.

The only way for you to have all hosts and devices in one subnet would be to lease VPLS from your ISP, and use the ISP's VPN network as a basis for your subnet.
0
RLComputingAuthor Commented:
Hi Slakic,

We currently have our site-to-site VPNs on the same subnet now with no issues. The ACL lists in our routers allow traffic to pass through all VPNs, plus all users have the same DNS servers, so I believe that handles the issue you are referring to.

I am working with my ISP on the issue and they are assisting in the site of the VPNs. With our site-to-site setup we are basically making our WAN network into a LAN network. All traffic will be able to pass from site to site.

0
slakicCommented:
Current Structure

Main Location - 192.168.2.0
Large Location 1 - 192.168.1.0
Large Location 2 - 192.168.3.0
Large Location 4 - 192.168.4.0
Large Location 5 - 192.168.5.0
Large Location 6 - 192.168.6.0
Large Location 7 - 192.168.7.0

I am probably missing something, because according to your current structure, you have different subnets in the main and 7 large locations. I am assuming that all of these subnets are with 24-bit subnet masks.
0

bgilsingCommented:
If you want to bridge all the locations together, just have your ISP provide an Ethernet bridging service and only deliver the Internet WAN access to the main location. Then you can get rid of all that SonicWall equipment and just put a few switches at each location, and the whole network will be a layer 2 transparent bridge with no VPN requirements. Of course, if you do this you will be sending a bunch of broadcast traffic over the WAN links, but if bandwidth is not a problem then it's probably not an issue.
0
bgilsingCommented:
Sorry... Forgot to answer your question. Use 10.x.x.x/22 for the whole thing. Then your systems are all on the same subnet and you have 1022 available addresses. The mask would be 255.255.252.0.
0

shareditCommented:
I'm with Slakic, you cannot have a site-to-site VPN with the same network on each end. Are you sure these are site-to-site VPNs, and not some sort of an MPLS?

Also, I can't really think of a reason why I would want a single network across multiple site-to-site VPNs. One huge broadcast domain? You should be able to set up a DHCP helper address, which would relay the DHCP request to the corporate server.

I don't think I would recommend having a single network across all your remote sites.
0
RLComputingAuthor Commented:
Hi Everyone,

Sharedit - after reviewing the router config at all 7 sites, you are correct, it is an MPLS network; however, it looks like only three of the 7 sites are set up on MPLS and the other 4 are site-to-sites, if it is even possible to have a mixed network like that. I just recently took the network over and was left no documentation, so it's been quite the headache trying to put the pieces of the puzzle together.

The reason I was looking to set it up as one large domain was for remote support. In a nutshell, I want to be able to RDP into every single workstation/printer/device on the network from the corporate office without having end user interaction (having them log into VPN, etc.). It would also be nice to log into the DNS/DHCP server and see all devices and what address they have.

I am open to any ideas; however, we do need to have the SonicWall at each site.

0
slakicCommented:
Having site-to-sites will provide you with the possibility to log in to every workstation via RDP, because all of those subnets will be routed to each other, or whatever meets your needs. However, for smaller locations, where you don't have a VPN router to create a site-to-site tunnel (if I am understanding your topology right), you could try OpenVPN remote access. You can set up the client's OpenVPN service to start on system boot, and access them via their virtual subnets, which will enable you to access all hosts without instructing them to log on to their VPN clients. All you need to set up is a central VPN server at one of your main locations, and client certificates.
0
RLComputingAuthor Commented:
We are going to go with the site-to-site VPN at every location. Each site will then route out through the main location, which will have the NSA2400 so we can monitor/filter web traffic. Each SonicWall NSA240 at the smaller locations will have DHCP helper enabled pointing to our main location, which will run the main DNS/DHCP for the entire network.

The IP schema will be set up along these lines:

Main Location- 10.10.100.x
Location 2 - 10.10.101.x
Location 3 - 10.10.102.x

All sites will be on the subnet 255.255.0.0 so we can remote access into all devices. We set this up on a test router and everything worked great as long as all devices were on the same subnet.

Thank you for the help/suggestions!
0
shareditCommented:
It does defy logic that you would have multiple site-to-site VPNs all using a 16-bit mask, and 10.10. in those first two octets.

If your routing is set up, and access lists are set up, there should not be any problem RDPing to any of your remote sites using their specific IP.

For example, I have more than several site-to-site VPNs to client sites in my office. I can access any of them, which are all on a varied range of networks and masks, just by RDPing to their unique client IP addresses.

Keeping the same network may work, but I would be expecting that at some point a problem could possibly arise from the setup.

If you are not clear, you would typically not set up a VPN between sites with the same IP range, because when a PC on one side tries to get to a PC on the opposite side, it will see the IP as a local IP, and not know to send it down your unknown traffic/default gateway path. It looks like you are accounting for the problem of duplicate IPs with the 3rd octet; I would probably move to a 24-bit mask, 255.255.255.0. Are you finding that you cannot connect to your remote sites when you use different networks/masks at your remote sites?

It may work, as it apparently does, but if in the future you run into connectivity issues, that would be one of the first things to consider.

Good Luck!
0
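The on-link versus gateway decision that slakic and sharedit describe, and bgilsing's /22 host count, can be checked with a short script. This is an added example, not code from any poster in the thread; the host addresses, the gateway 10.10.100.1 and the per-site prefixes are assumed values built from the plans discussed above.

```python
import ipaddress


def next_hop(host_ip: str, mask: str, dest_ip: str, gateway: str) -> tuple:
    """Decide what a host does with a packet, given only its own address/mask.

    If dest falls inside the host's own subnet the host ARPs for it directly
    and never hands it to the gateway, so it never enters a VPN tunnel.
    Returns ("direct", dest_ip) or ("gateway", gateway).
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")  # mask may be dotted
    if ipaddress.ip_address(dest_ip) in iface.network:
        return ("direct", dest_ip)
    return ("gateway", gateway)


def overlapping_site_subnets(subnets: list) -> list:
    """Return pairs of site subnets that overlap.

    A site-to-site VPN policy needs distinct subnets on each end; any pair
    returned here is a plan that cannot be routed through a tunnel as-is.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a block (network and broadcast excluded)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


# Constructed scenario: the /16 plan from the thread versus a /24-per-site plan.
if __name__ == "__main__":
    print(next_hop("10.10.100.5", "255.255.0.0", "10.10.101.7", "10.10.100.1"))
    print(next_hop("10.10.100.5", "255.255.255.0", "10.10.101.7", "10.10.100.1"))
    plan16 = ["10.10.100.0/255.255.0.0", "10.10.101.0/255.255.0.0"]
    plan24 = ["10.10.100.0/24", "10.10.101.0/24", "10.10.102.0/24"]
    print(overlapping_site_subnets(plan16), overlapping_site_subnets(plan24))
    print(usable_hosts("10.0.0.0/22"))
```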