Solved

Networking Design

Posted on 2013-12-24
7
411 Views
Last Modified: 2013-12-25
We have about 100 remote sites with IPsec tunnels terminated to our HQ Cisco ISR router in a hub-spoke design. Each site has a Sonicwall TZ105 router, and each site has its own network ID, meaning that each site's IP addressing is different (10.10.xx.0/24, xx being 0-255). And so far, everything works flawlessly. So, here is the challenge: for continuity and easy management, my boss wants to use the same network ID for each site so that every site is configured the same way from the router to connected devices: same IP address information for each type of connected device at each site. As great as that would be for me as the network admin, the problem comes down to the HQ end where VPN tunnels are terminated: users at HQ regularly need remote access to each site for remote network device management or just to VNC into remote users' PCs.

Let's assume that Cisco IOS would allow using the same ACL for every site's crypto map; how would the HQ router know where to route a given packet to a specific remote device through the VPN tunnel?

So, I have not researched or looked into all possible options to re-design this, but I want to start here and see if anyone has come across a similar situation and found a way around it.

FYI:
- We do not have MPLS and we do not plan to go with MPLS yet.
- Our Cisco ISR router is running Cisco IOS version 15.1T
0
Question by:SamBizimungu
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 39738794
He wants every site to use the same exact IP subnet?

Well, as I think you know, they will not be able to talk to each other using any type of VPN connection.

You can continue to use what you have and just standardize on things like: 10.10.x.1 - .10 are reserved for network devices (routers/switches), 10.10.x.11 - .30 are reserved for servers, 10.10.x.31 - .40 are reserved for printers, 10.10.x.41 - .249 are used by DHCP to assign to desktops, and 10.10.x.250 - .254 are reserved for special use, while still having the ".x." be a location identifier.
0
 

Author Comment

by:SamBizimungu
ID: 39738802
Thanks Gil.

That's how we currently have it.

Yes, he wants the same subnet for all sites.
0
 
LVL 22

Accepted Solution

by:eeRoot
eeRoot earned 250 total points
ID: 39738816
Technically you could use NAT, but the effort of maintaining a large NAT solution would likely be more effort than giving each remote site unique IPs. Here are some design guides, but I don't recommend intentionally creating potential IP conflicts.

http://www.sonicwall.com/downloads/configuring_vpns_with_overlapping_networks.pdf

http://www.sonicwall.com/downloads/NAT_over_VPN_with_SonicOS_Enhanced.pdf
0
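To make the routing problem and the NAT workaround concrete, here is an added example (not from the thread or the SonicWall guides). It models the hub's forwarding table and shows that identical spoke prefixes collapse into one entry, then shows a 1:1 "NAT over VPN" mapping that presents each spoke's common LAN (assumed 10.10.0.0/24) to the hub as a unique 10.10.<site>.0/24, which mirrors the asker's current per-site numbering; all addresses and site numbers are constructed.

```python
"""Hub-and-spoke IPsec: why identical spoke LANs cannot be routed, and how a
per-site 1:1 NAT pool restores reachability. Constructed example; the LAN
10.10.0.0/24 and the hub-side pool 10.10.0.0/16 are assumptions."""
import ipaddress

def build_routes(site_subnets):
    """site_subnets: {site_id: 'a.b.c.d/nn'} as seen by the hub.
    Returns (table, conflicts). A prefix already owned by another site is
    a conflict: the hub keeps one next hop per prefix, so the later spoke's
    hosts become unreachable through the tunnel."""
    table, conflicts = {}, []
    for site, cidr in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if net in table:
            conflicts.append((site, table[net], cidr))
            continue
        table[net] = site
    return table, conflicts

def lookup(table, dst):
    """Longest-prefix match of dst against the hub's table; returns site_id."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n),
               key=lambda n: n.prefixlen, default=None)
    return table[best] if best is not None else None

def nat_pool(site_id, lan='10.10.0.0/24', base='10.10.0.0/16'):
    """Unique hub-side prefix for a spoke: the site_id-th /24 of the pool."""
    lan_net, base_net = ipaddress.ip_network(lan), ipaddress.ip_network(base)
    return list(base_net.subnets(new_prefix=lan_net.prefixlen))[site_id]

def translate(site_id, lan_ip, lan='10.10.0.0/24', base='10.10.0.0/16'):
    """Spoke-side 1:1 NAT: host lan_ip at site_id as the hub sees it."""
    lan_net = ipaddress.ip_network(lan)
    offset = int(ipaddress.ip_address(lan_ip)) - int(lan_net.network_address)
    return str(nat_pool(site_id, lan, base).network_address + offset)

def untranslate(hub_ip, lan='10.10.0.0/24', base='10.10.0.0/16'):
    """Reverse mapping: hub-side address -> (site_id, real LAN address)."""
    lan_net, base_net = ipaddress.ip_network(lan), ipaddress.ip_network(base)
    offset = int(ipaddress.ip_address(hub_ip)) - int(base_net.network_address)
    site, host = divmod(offset, lan_net.num_addresses)
    return site, str(lan_net.network_address + host)
```

The translated pool is what the hub's crypto ACLs and routes must reference; every spoke then needs its own NAT policy, which is the maintenance cost the accepted answer warns about.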

 
LVL 8

Expert Comment

by:gsmartin
ID: 39739093
What is your boss's background?  He apparently is not a network engineer, nor has any knowledge of designing networks.  There's obviously a point to his request.  So, why does he want all sites on one subnet?  It sounds like he doesn't know much about NAT'ing, Broadcast/Security Domains, VPN, VLANs, Routing, etc...  Otherwise, I doubt he would be making such a request.

I am not trying to put him down.  I would like to understand what has made him feel this is necessary, because it's certainly not simplicity!  Is it a problem he is trying to fix?  Or did some non-IT person complain or have an issue with their IP address, or local server IP addresses, or some other related issue???

I feel it's better to properly qualify this issue, given that any design recommendation of this kind really goes against any type of best practice or standards, as well as being challenging to implement and support.  Ultimately, it creates an admin nightmare.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39739272
Bad idea! There is no nice way to do this, although it is possible.  I would tell your boss that it's a minefield and that although it may minimize the time it takes to roll out a site, the cons far outweigh the pros.  It would also be a massive admin task to renumber everything at each site.  Just no!!

Router performance would take a massive hit by having to maintain so many NAT sessions.  That's not something you'd want.

I'm sure that (s)he's reasonable.  If you put the case against this and back it up with what we're saying here there will be little resistance to your explanation I'm sure.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 39739280
Exactly the point!  Not a good idea!
0
 

Author Comment

by:SamBizimungu
ID: 39739332
Thanks to everyone who contributed to this post. I agree with every one of you. Per your comments, I will not spend any of my time researching this any further.
0
