Networking Design

Posted on 2013-12-24
422 Views
Last Modified: 2013-12-25
We have about 100 remote sites with IPsec tunnels terminated to our HQ Cisco ISR router in a hub-spoke design. Each site has a Sonicwall TZ105 router, and each site has its own network ID, meaning that each site's IP addressing is different (10.10.xx.0/24, xx being 0-255). And so far, everything works flawlessly. So, here is the challenge: for continuity and easy management, my boss wants to use the same network ID for each site so that every site is configured the same way from the router to connected devices: same IP address information for each type of connected device at each site. As great as that would be for me as the network admin, the problem comes down to the HQ end where VPN tunnels are terminated: users at HQ regularly need remote access to each site for remote network device management or just to VNC into remote users' PCs.

Let's assume that Cisco IOS would allow us to use the same ACL for every site's crypto map; how would the HQ router know where to route a given packet to a specific remote device through a VPN tunnel?

So, I have not researched or looked into all possible options to re-design this, but I want to start here and see if anyone has come across a similar situation and found a way around it.

FYI:
 - We do not have MPLS and we do not plan to go with MPLS yet.
 - Our Cisco ISR router is running Cisco IOS version 15.1T
0
Comment
Question by:SamBizimungu
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1000 total points
ID: 39738794
He wants every site to use the exact same IP subnet?

Well, as I think you know, they will not be able to talk to each other using any type of VPN connection.

You can continue to use what you have and just standardize on things like 10.10.x.1 - .10 are reserved for network devices (routers/switches), 10.10.x.11 - .30 are reserved for servers, 10.10.x.31 - .40 are reserved for printers, 10.10.x.41 - .249 are used by DHCP to assign to desktops, and 10.10.x.250 - .254 are reserved for special use, while still having the ".x." be a location identifier.
0
 

Author Comment

by:SamBizimungu
ID: 39738802
Thanks Gil.

That's how we currently have it.

Yes, he wants one same subnet for all sites.
0
 
LVL 22

Accepted Solution

by:
eeRoot earned 1000 total points
ID: 39738816
Technically you could use NAT, but the effort of maintaining a large NAT solution would likely be more effort than giving each remote site unique IPs. Here are some design guides, but I don't recommend intentionally creating potential IP conflicts.

http://www.sonicwall.com/downloads/configuring_vpns_with_overlapping_networks.pdf

http://www.sonicwall.com/downloads/NAT_over_VPN_with_SonicOS_Enhanced.pdf
0
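To make the NAT-over-VPN idea in the accepted answer concrete, here is an added illustration (not from the thread or the SonicWall guides it links): every spoke really uses one shared 10.10.0.0/24, and the hub maps each site to its own "apparent" /24 carved from an assumed pool (10.200.0.0/16, constructed for this example) so an HQ host can still address a specific site. It also shows the bookkeeping that grows with every site, which is the maintenance cost the answer warns about.

```python
"""Per-site NAT mapping for overlapping spoke subnets.
Added example, not the thread's or SonicWall's own code.
REAL_SUBNET is the overlapping LAN at every site; NAT_POOL is an
assumed, constructed hub-side pool of translated ranges."""
import ipaddress

REAL_SUBNET = ipaddress.ip_network("10.10.0.0/24")   # same at every site
NAT_POOL = ipaddress.ip_network("10.200.0.0/16")     # assumed hub-side pool


def build_nat_map(site_names):
    """Give each site its own translated /24 from NAT_POOL.
    Returns {site: ip_network}; raises if the pool runs out."""
    subnets = NAT_POOL.subnets(new_prefix=24)
    nat_map = {}
    for name in site_names:
        try:
            nat_map[name] = next(subnets)
        except StopIteration:
            raise ValueError("NAT pool exhausted; widen NAT_POOL")
    return nat_map


def hq_to_site(nat_map, dst):
    """HQ sends to a translated address. Return (site, real_ip): which
    tunnel the hub should use and the address after un-translation."""
    dst = ipaddress.ip_address(dst)
    for site, apparent in nat_map.items():
        if dst in apparent:
            host = int(dst) - int(apparent.network_address)
            return site, REAL_SUBNET.network_address + host
    raise LookupError(f"{dst} is not in any site's translated range")


def site_to_hq(nat_map, site, src):
    """Reverse direction: a site host's real source address is rewritten
    to its apparent address so HQ replies land on the right tunnel."""
    src = ipaddress.ip_address(src)
    if src not in REAL_SUBNET:
        raise ValueError(f"{src} is not in the shared site subnet")
    host = int(src) - int(REAL_SUBNET.network_address)
    return nat_map[site].network_address + host


if __name__ == "__main__":
    sites = [f"site{n:03d}" for n in range(100)]   # constructed site list
    nat_map = build_nat_map(sites)
    print(nat_map["site042"])                       # 10.200.42.0/24
    print(hq_to_site(nat_map, "10.200.42.10"))      # site042, 10.10.0.10
```

Each site adds one more translation rule that must be kept in step with the site's tunnel and the hub's routing table; at 100 sites that is the admin burden the answer refers to.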
 
LVL 8

Expert Comment

by:gsmartin
ID: 39739093
What is your boss's background? He apparently is not a network engineer and has no knowledge of designing networks. There's obviously a point to his request. So, why does he want all sites on one subnet? It sounds like he doesn't know much about NATing, Broadcast/Security Domains, VPN, VLANs, Routing, etc... Otherwise, I doubt he would be making such a request.

I am not trying to put him down. I would like to understand what has made him feel this is necessary, because it's certainly not simplicity! Is it a problem he is trying to fix? Or did some non-IT person complain or have an issue with their IP address, or local server IP addresses, or some other related issue???

I feel it's better to properly qualify this issue, given that any design recommendations really go against any type of best practice or standards, as well as being challenging to implement and support. Ultimately, it creates an admin nightmare.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39739272
Bad idea! There is no nice way to do this, although it is possible. I would tell your boss that it's a minefield and that although it may minimize the time it takes to roll out a site, the cons far outweigh the pros. It would also be a massive admin task to renumber everything at each site. Just no!!

Router performance would take a massive hit by having to maintain so many NAT sessions.  That's not something you'd want.

I'm sure that (s)he's reasonable.  If you put the case against this and back it up with what we're saying here there will be little resistance to your explanation I'm sure.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 39739280
Exactly the point!  Not a good idea!
0
 

Author Comment

by:SamBizimungu
ID: 39739332
Thanks to everyone who contributed to this post. I agree with every one of you. Per your comments, I will not spend any of my time researching this any further.
0