Solved

Networking Design

Posted on 2013-12-24
Last Modified: 2013-12-25
We have about 100 remote sites with IPsec tunnels terminated on our HQ Cisco ISR router in a hub-and-spoke design. Each site has a SonicWall TZ105 router, and each site has its own network ID, meaning that each site's IP addressing is different (10.10.xx.0/24, xx being 0-255). So far, everything works flawlessly. So, here is the challenge: for continuity and easy management, my boss wants to use the same network ID for each site so that every site is configured the same way from the router to the connected devices: the same IP address information for each type of connected device at each site. As great as that would be for me as the network admin, the problem comes down to the HQ end where the VPN tunnels are terminated: users at HQ regularly need remote access to each site for remote network device management or just to VNC into remote users' PCs.

Let's assume that Cisco IOS would allow using the same ACL for every site's crypto map; how would the HQ router know where to route a given packet to a specific remote device through the VPN tunnel?

So, I have not researched or looked into all possible options to re-design this, but I want to start here and see if anyone has come across a similar situation and found a way around it.

FYI:
- We do not have MPLS and we do not plan to go with MPLS yet.
- Our Cisco ISR router is running Cisco IOS version 15.1T.
Question by:SamBizimungu
7 Comments

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 39738794
He wants every site to use the same exact IP subnet?

Well, as I think you know, they will not be able to talk to each other using any type of VPN connection.

You can continue to use what you have and just standardize on things like: 10.10.x.1 - .10 are reserved for network devices (routers/switches), 10.10.x.11 - .30 are reserved for servers, 10.10.x.31 - .40 are reserved for printers, 10.10.x.41 - .249 are used by DHCP to assign to desktops, and 10.10.x.250 - .254 are reserved for special use, while still having the ".x." be a location identifier.

Author Comment

by:SamBizimungu
ID: 39738802
Thanks Gil.

That's how we currently have it.

Yes, he wants one and the same subnet for all sites.

Accepted Solution

by: eeRoot
eeRoot earned 250 total points
ID: 39738816
Technically you could use NAT, but the effort of maintaining a large NAT solution would likely be more effort than giving each remote site unique IPs. Here are some design guides, but I don't recommend intentionally creating potential IP conflicts.

http://www.sonicwall.com/downloads/configuring_vpns_with_overlapping_networks.pdf

http://www.sonicwall.com/downloads/NAT_over_VPN_with_SonicOS_Enhanced.pdf
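To make concrete what the NAT-over-VPN approach in the linked guides actually commits you to, here is an added example that is not from the thread, from SonicWall or from Cisco. It models the scheme in Python: every spoke keeps the identical 10.10.0.0/24 LAN the boss wants, but each spoke translates its LAN to a unique prefix before the traffic enters the tunnel, so HQ only ever routes to unique prefixes. The HQ LAN (10.10.100.0/24), the translated-prefix pool (10.100.<site>.0/24) and the ACL name are assumptions chosen for the example. The spoke-side SonicOS NAT policy itself is not shown; the code only shows the address mapping HQ staff would have to work with, the HQ-side crypto ACL it implies, and why an untranslated 10.10.0.x destination cannot be routed at HQ at all, which is the question asked in the post.

```python
"""
Constructed model of "NAT over VPN" for spokes that share one subnet.

Assumptions (example values, not from the thread):
  * every spoke LAN is 10.10.0.0/24, exactly as requested
  * the HQ LAN is 10.10.100.0/24
  * spoke <n> translates its LAN to 10.100.<n>.0/24 on the way into the
    tunnel, so HQ sees 100 distinct prefixes instead of one shared one
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Tuple

SITE_LAN = IPv4Network("10.10.0.0/24")    # identical at every spoke (the requirement)
HQ_LAN = IPv4Network("10.10.100.0/24")    # assumed HQ prefix
NAT_POOL = IPv4Network("10.100.0.0/16")   # one /24 per spoke carved from here


def translated_prefix(site_id: int) -> IPv4Network:
    """The unique prefix HQ sees for a spoke: 10.100.<site_id>.0/24."""
    if not 1 <= site_id <= 255:
        raise ValueError(f"site_id {site_id} outside 1-255")
    return IPv4Network(f"10.100.{site_id}.0/24")


def to_hq_view(site_id: int, lan_ip: str) -> IPv4Address:
    """Spoke-side 1:1 translation before encryption.

    Keeps the host part and swaps the network part: 10.10.0.20 at site 5
    becomes 10.100.5.20. This is the mapping an HQ admin must remember
    every time they VNC to a remote PC.
    """
    ip = IPv4Address(lan_ip)
    if ip not in SITE_LAN:
        raise ValueError(f"{ip} is not in the spoke LAN {SITE_LAN}")
    offset = int(ip) - int(SITE_LAN.network_address)
    return translated_prefix(site_id)[offset]


def to_site_view(hq_view_ip: str) -> Tuple[int, IPv4Address]:
    """HQ-side lookup: which tunnel, and which real LAN host.

    HQ can only pick a tunnel because the destination is a translated
    prefix. An untranslated 10.10.0.x destination matches every site,
    so it is rejected as ambiguous rather than guessed.
    """
    ip = IPv4Address(hq_view_ip)
    if ip in SITE_LAN:
        raise ValueError(f"{ip} is ambiguous: it exists at every site")
    if ip not in NAT_POOL:
        raise ValueError(f"{ip} is not a translated spoke address")
    site_id = (int(ip) - int(NAT_POOL.network_address)) >> 8
    offset = int(ip) - int(translated_prefix(site_id).network_address)
    return site_id, SITE_LAN[offset]


def crypto_acl(site_id: int) -> List[str]:
    """HQ-side IOS crypto ACL for one spoke, written against the
    translated prefix. The spoke's ACL must be the mirror image and its
    NAT policy must translate before encryption; neither is shown here.
    """
    remote = translated_prefix(site_id)
    return [
        f"ip access-list extended VPN-SITE{site_id}",
        f" permit ip {HQ_LAN.network_address} {HQ_LAN.hostmask} "
        f"{remote.network_address} {remote.hostmask}",
    ]


def nat_plan(site_ids: Iterable[int]) -> Dict[IPv4Network, int]:
    """The table HQ has to carry: one translated prefix per spoke."""
    return {translated_prefix(s): s for s in site_ids}


if __name__ == "__main__":
    for line in crypto_acl(5):
        print(line)
    print(to_hq_view(5, "10.10.0.20"))        # 10.100.5.20
    print(to_site_view("10.100.5.20"))        # (5, IPv4Address('10.10.0.20'))
    print(len(nat_plan(range(1, 101))), "prefixes to maintain at HQ")
```

The point the model makes is the one eeRoot raises: the "same subnet everywhere" goal is only reachable by re-introducing a unique per-site prefix at the tunnel boundary, so you still maintain 100 distinct prefixes, 100 NAT policies and 100 crypto ACLs, and everyone at HQ has to address remote hosts by the translated address rather than the one configured on the device.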

Expert Comment

by:gsmartin
ID: 39739093
What is your boss's background? He apparently is not a network engineer and has no knowledge of designing networks. There's obviously a point to his request. So, why does he want all sites on one subnet? It sounds like he doesn't know much about NATing, broadcast/security domains, VPN, VLANs, routing, etc. Otherwise, I doubt he would be making such a request.

I am not trying to put him down. I would like to understand what has made him feel this is necessary, because it's certainly not simplicity! Is it a problem he is trying to fix? Or did some non-IT person complain or have an issue with their IP address, or local server IP addresses, or some other related issue?

I feel it's better to properly qualify this issue, given that the design recommendation goes against any type of best practice or standard, as well as being challenging to implement and support. Ultimately, it creates an admin nightmare.

Expert Comment

by:Craig Beck
ID: 39739272
Bad idea! There is no nice way to do this, although it is possible. I would tell your boss that it's a minefield and that although it may minimize the time it takes to roll out a site, the cons far outweigh the pros. It would also be a massive admin task to renumber everything at each site. Just no!!

Router performance would take a massive hit by having to maintain so many NAT sessions.  That's not something you'd want.

I'm sure that (s)he's reasonable.  If you put the case against this and back it up with what we're saying here there will be little resistance to your explanation I'm sure.

Expert Comment

by:gsmartin
ID: 39739280
Exactly the point!  Not a good idea!
Author Comment

by:SamBizimungu
ID: 39739332
Thanks to everyone who contributed to this post. I agree with every one of you. Per your comments, I will not spend any of my time researching this any further.