Networking Design

We have about 100 remote sites with IPsec tunnels terminated on our HQ Cisco ISR router in a hub-and-spoke design. Each site has a SonicWall TZ105 router, and each site has its own network ID, meaning that each site's IP addressing is different (10.10.xx.0/24, xx being 0-255). So far, everything works flawlessly. So, here is the challenge: for continuity and easy management, my boss wants to use the same network ID for each site so that every site is configured the same way, from the router to the connected devices: the same IP address information for each type of connected device at each site. As great as that would be for me as the network admin, the problem comes down to the HQ end where the VPN tunnels are terminated: users at HQ regularly need remote access to each site for remote network device management, or just to VNC into remote users' PCs.

Let's assume that Cisco IOS would allow the same ACL to be used for every site's crypto map. How would the HQ router know where to route a given packet to a specific remote device through the VPN tunnel?

So, I have not researched or looked into all possible options to redesign this, but I want to start here and see if anyone has come across a similar situation and found a way around it.

FYI:
- We do not have MPLS, and we do not plan to go with MPLS yet.
- Our Cisco ISR router is running Cisco IOS version 15.1T.
SamBizimungu asked:
eeRoot commented:
Technically you could use NAT, but the effort of maintaining a large NAT solution would likely be more effort than giving each remote site unique IPs. Here are some design guides, but I don't recommend intentionally creating potential IP conflicts.

http://www.sonicwall.com/downloads/configuring_vpns_with_overlapping_networks.pdf

http://www.sonicwall.com/downloads/NAT_over_VPN_with_SonicOS_Enhanced.pdf
0
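To make the routing problem in the question concrete, here is an added illustration (not code from the thread or from SonicWall's guides) of the two situations: a hub whose routing table holds the same 10.10.0.0/24 behind every tunnel, and the NAT-over-VPN arrangement the guides above describe, where each spoke presents its identical LAN as a unique tunnel-side /24. The site numbers, tunnel names and addresses are constructed for the example; only Python's standard library is used.

```python
"""Why one identical LAN prefix at every spoke cannot be routed from the hub,
and what a per-tunnel 1:1 NAT has to do to make the hub's table unique again.
Added illustration: sites, tunnel names and addresses are invented."""
import ipaddress

SITE_LAN = ipaddress.ip_network("10.10.0.0/24")  # the one prefix every site would use
SITES = [1, 2, 7]                                 # three of the ~100 spokes, for brevity


def tunnel(site):
    """Constructed name of the IPsec tunnel to a given spoke."""
    return f"tunnel-site{site:02d}"


class RouteTable:
    """Minimal longest-prefix-match table.  lookup() returns *every* next hop
    that ties on prefix length, so an ambiguous table is visible as a list
    with more than one entry instead of being hidden by an arbitrary pick."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh in self.routes if dst in n]
        if not hits:
            return []
        longest = max(n.prefixlen for n, _ in hits)
        return sorted(nh for n, nh in hits if n.prefixlen == longest)


def overlapping_hub():
    """The proposal as asked: the same /24 reachable through N tunnels."""
    rt = RouteTable()
    for s in SITES:
        rt.add(SITE_LAN, tunnel(s))
    return rt


# --- NAT over VPN: the spoke firewall rewrites its LAN to a unique /24 ---

def vpn_prefix(site):
    """Tunnel-side prefix the spoke advertises after translation: 10.10.<site>.0/24."""
    return ipaddress.ip_network(f"10.10.{site}.0/24")


def lan_to_vpn(site, lan_addr):
    """Spoke-side 1:1 NAT for traffic leaving the site: keep the host bits,
    swap the network bits.  10.10.0.50 at site 7 becomes 10.10.7.50."""
    host = int(ipaddress.ip_address(lan_addr)) - int(SITE_LAN.network_address)
    return str(vpn_prefix(site).network_address + host)


def vpn_to_lan(vpn_addr):
    """Spoke-side 1:1 NAT for traffic arriving from HQ: recover which site the
    translated address belongs to and the real LAN address behind it."""
    a = ipaddress.ip_address(vpn_addr)
    for s in SITES:
        if a in vpn_prefix(s):
            host = int(a) - int(vpn_prefix(s).network_address)
            return s, str(SITE_LAN.network_address + host)
    raise ValueError(f"{vpn_addr} is not inside any site's translated prefix")


def natted_hub():
    """The hub now routes to the translated prefixes, which are unique again
    (and are exactly the per-site /24s the existing design already uses)."""
    rt = RouteTable()
    for s in SITES:
        rt.add(vpn_prefix(s), tunnel(s))
    return rt


if __name__ == "__main__":
    print("identical LANs, dst 10.10.0.50 ->", overlapping_hub().lookup("10.10.0.50"))
    print("NAT over VPN,   dst 10.10.7.50 ->", natted_hub().lookup("10.10.7.50"))
    site, real = vpn_to_lan("10.10.7.50")
    print(f"site {site} firewall delivers it to {real}")
```

With the identical prefix, the lookup for 10.10.0.50 returns every tunnel, which is the question's problem in one line: the hub has no way to tell site 1's 10.10.0.50 from site 7's. With 1:1 NAT on each SonicWall, HQ addresses the translated 10.10.7.50 instead, and the site-7 firewall maps it back to 10.10.0.50. Note what that costs: the hub's crypto ACLs and routes still have to be written per site against 10.10.x.0/24, so the HQ side gains nothing over the current design, while every spoke carries an extra translation policy and per-flow NAT state for all hub traffic.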
 
giltjr commented:
He wants every site to use the exact same IP subnet?

Well, as I think you know, they will not be able to talk to each other using any type of VPN connection.

You can continue to use what you have and just standardize on things like: 10.10.x.1-.10 reserved for network devices (routers/switches), 10.10.x.11-.30 reserved for servers, 10.10.x.31-.40 reserved for printers, 10.10.x.41-.249 used by DHCP to assign to desktops, and 10.10.x.250-.254 reserved for special use, while still having the ".x." be a location identifier.
0
 
SamBizimungu (author) commented:
Thanks Gil.

That's how we currently have it.

Yes, he wants one and the same subnet for all sites.
0
gsmartin (Manager of IT) commented:
What is your boss's background? He apparently is not a network engineer, nor does he have any knowledge of designing networks. There's obviously a point to his request. So, why does he want all sites on one subnet? It sounds like he doesn't know much about NATing, broadcast/security domains, VPN, VLANs, routing, etc. Otherwise, I doubt he would be making such a request.

I am not trying to put him down. I would like to understand what has made him feel this is necessary, because it's certainly not simplicity! Is it a problem he is trying to fix? Or did some non-IT person complain or have an issue with their IP address, or local server IP addresses, or some other related issue?

I feel it's better to properly qualify this issue, given that any design recommendation of this kind really goes against any type of best practice or standard, as well as being challenging to implement and support. Ultimately, it creates an admin nightmare.
0
 
Craig Beck commented:
Bad idea! There is no nice way to do this, although it is possible. I would tell your boss that it's a minefield and that, although it may minimize the time it takes to roll out a site, the cons far outweigh the pros. It would also be a massive admin task to renumber everything at each site. Just no!!

Router performance would take a massive hit by having to maintain so many NAT sessions.  That's not something you'd want.

I'm sure that (s)he's reasonable.  If you put the case against this and back it up with what we're saying here there will be little resistance to your explanation I'm sure.
0
 
gsmartin (Manager of IT) commented:
Exactly the point! Not a good idea!
0
 
SamBizimungu (author) commented:
Thanks to everyone who contributed to this post. I agree with every one of you. Per your comments, I will not spend any more of my time researching this.
0