Solved

Networking Design

Posted on 2013-12-24
7
415 Views
Last Modified: 2013-12-25
We have about 100 remote sites with IPsec tunnels terminated to our HQ Cisco ISR router in a hub-spoke design. Each site has a Sonicwall TZ105 router, and each site has its own network ID, meaning that each site's IP addressing is different (10.10.xx.0/24, xx being 0-255). So far, everything works flawlessly. So, here is the challenge: for continuity and easy management, my boss wants to use the same network ID for each site so that every site is configured the same way from the router to the connected devices, with the same IP address information for each type of connected device at each site. As great as that would be for me as the network admin, the problem comes down to the HQ end where the VPN tunnels are terminated: users at HQ regularly need remote access to each site for remote network device management or just to VNC into remote users' PCs.

Let's assume that Cisco IOS would allow using the same ACL for every site's crypto map; how would the HQ router know where to route a given packet to a specific remote device through the VPN tunnel?

So, I have not researched or looked into all possible options to re-design this, but I want to start here and see if anyone has come across a similar situation and found a way around it.

FYI:
- We do not have MPLS and we do not plan to go with MPLS yet.
- Our Cisco ISR router is running Cisco IOS version 15.1T
0
Question by: SamBizimungu
7 Comments
 
LVL 57

Assisted Solution

by: giltjr
giltjr earned 250 total points
ID: 39738794
He wants every site to use the same exact IP subnet?

Well, as I think you know, they will not be able to talk to each other using any type of VPN connection.

You can continue to use what you have and just standardize on things like: 10.10.x.1 - .10 are reserved for network devices (routers/switches), 10.10.x.11 - .30 are reserved for servers, 10.10.x.31 - .40 are reserved for printers, 10.10.x.41 - .249 are used by DHCP to assign to desktops, and 10.10.x.250 - .254 are reserved for special use, while still having the ".x." be a location identifier.
0
 

Author Comment

by: SamBizimungu
ID: 39738802
Thanks Gil.

That's how we currently have it.

Yes, he wants the same subnet for all sites.
0
 
LVL 22

Accepted Solution

by: eeRoot
eeRoot earned 250 total points
ID: 39738816
Technically you could use NAT, but the effort of maintaining a large NAT solution would likely be more effort than giving each remote site unique IPs. Here are some design guides, but I don't recommend intentionally creating potential IP conflicts.

http://www.sonicwall.com/downloads/configuring_vpns_with_overlapping_networks.pdf

http://www.sonicwall.com/downloads/NAT_over_VPN_with_SonicOS_Enhanced.pdf
0
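A small model, added here as an illustration and not part of the original thread, of the two points above: with identical subnets the hub has no way to pick a tunnel for a destination, and a per-site 1:1 NAT (the approach the SonicWall guides describe) gives every site a unique, routable range again. The site names, the shared 10.10.0.0/24 LAN and the 172.16.0.0/16 translated pool are constructed assumptions.

```python
import ipaddress

# Constructed: the LAN the boss wants at every site, and a pool to NAT it into.
SHARED_LAN = ipaddress.ip_network("10.10.0.0/24")
NAT_POOL = ipaddress.ip_network("172.16.0.0/16")


def build_routes(site_subnets):
    """Hub routing table: {site_name: cidr} -> list of (network, site).
    Each entry stands for one IPsec tunnel terminating at the hub."""
    return [(ipaddress.ip_network(cidr), site) for site, cidr in site_subnets.items()]


def lookup(routes, dst):
    """Longest-prefix match for a destination address.
    Returns every site whose tunnel could carry dst.  A real router would
    silently pick one of them; returning all of them makes the ambiguity
    of overlapping subnets visible."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, site) for net, site in routes if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return sorted(site for net, site in matches if net.prefixlen == best)


def nat_map(site_index, inside_ip, shared=SHARED_LAN, pool=NAT_POOL):
    """1:1 static NAT for site N: translate an address in the shared LAN to
    the N-th subnet (same prefix length) carved from the pool, keeping the
    host part unchanged.  This is what lets the hub tell sites apart."""
    inside = ipaddress.ip_address(inside_ip)
    if inside not in shared:
        raise ValueError(f"{inside} is not inside the shared LAN {shared}")
    translated_net = list(pool.subnets(new_prefix=shared.prefixlen))[site_index]
    host = int(inside) - int(shared.network_address)
    return str(ipaddress.ip_address(int(translated_net.network_address) + host))


def demo():
    """Three sites, three designs: unique /24s, one shared /24, shared /24 plus NAT."""
    unique = build_routes({f"site{n}": f"10.10.{n}.0/24" for n in range(1, 4)})
    same = build_routes({f"site{n}": "10.10.0.0/24" for n in range(1, 4)})
    natted = build_routes({f"site{n}": f"172.16.{n}.0/24" for n in range(1, 4)})
    return {
        "unique": lookup(unique, "10.10.2.7"),             # one unambiguous tunnel
        "same": lookup(same, "10.10.0.7"),                 # every tunnel matches
        "nat": lookup(natted, nat_map(2, "10.10.0.7")),    # unique again after NAT
    }


if __name__ == "__main__":
    print(demo())
```

Note that the NAT direction shown here only covers HQ reaching the sites; a site-to-site design would also need the reverse translation at each spoke.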

 
LVL 8

Expert Comment

by: gsmartin
ID: 39739093
What is your boss's background? He apparently is not a network engineer and does not have any knowledge of designing networks. There's obviously a point to his request. So, why does he want all sites on one subnet? It sounds like he doesn't know much about NAT'ing, Broadcast/Security Domains, VPN, VLANs, Routing, etc... Otherwise, I doubt he would be making such a request.

I am not trying to put him down. I would like to understand what has made him feel this is necessary, because it's certainly not simplicity! Is it a problem he is trying to fix? Or did some non-IT person complain or have an issue with their IP address, or local server IP addresses, or some other related issue?

I feel it's better to properly qualify this issue, given that any design recommendation really goes against any type of best practice or standard, as well as being challenging to implement and support. Ultimately, it creates an admin nightmare.
0
 
LVL 46

Expert Comment

by: Craig Beck
ID: 39739272
Bad idea! There is no nice way to do this, although it is possible. I would tell your boss that it's a minefield and that although it may minimize the time it takes to roll out a site, the cons far outweigh the pros. It would also be a massive admin task to renumber everything at each site. Just no!!

Router performance would take a massive hit from having to maintain so many NAT sessions. That's not something you'd want.

I'm sure that (s)he's reasonable. If you put the case against this and back it up with what we're saying here, there will be little resistance to your explanation, I'm sure.
0
 
LVL 8

Expert Comment

by: gsmartin
ID: 39739280
Exactly the point!  Not a good idea!
0
 

Author Comment

by: SamBizimungu
ID: 39739332
Thanks to everyone who contributed to this post. I agree with every one of you. Per your comments, I will not spend any more of my time researching this further.
0
