Same networks, two sites. Poor network design solution?

brettp
Level 1

I inherited a mess a couple of years ago. I left things the way they were, but now's the time it's biting me in the a**. We have a 10.0.0.0/8 network at HQ. We have an MPLS connection to our DR site. That DR site also has a 10.0.0.0/8 network (it's essentially a mirror of the network at HQ). For data to replicate across the link, we have NATs set up on the edge routers. 10.0.0.0/8 at HQ NATs to 11.0.0.0 when heading to DR. DR NATs to 12.0.0.0 when heading to HQ. This works fine... but we're dropping MPLS. My director is interested in a layer 2 point to point, but I don't think that's a viable option because it makes NATing not possible. Another option is a simple VPN between ASAs; that *should* work, but that's a lot more traffic using our internet connection now. SDWAN could potentially be an option... My question is, does anyone have any suggestions on how to clean up this mess? Ideally, as poor of a design as it is, it would be best to keep the same networks on each side at HQ and DR. Thanks.
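To make the translation scheme in the post concrete, here is a small model of it (an added example written for this page, not configuration from the original poster or from any vendor): each edge device rewrites only the source on the way out and only the destination on the way in, HQ is seen by DR as 11.0.0.0/8 and DR is seen by HQ as 12.0.0.0/8, and a request/reply pair is traced through both edges to show that the reply lands back on the right host. The host addresses, the `EdgeNat`/`Packet` names and the trace functions are constructed for the example. The `outbound` check also shows the reason the overlap forces NAT at a layer 3 boundary: a destination inside the site's own 10.0.0.0/8 looks local and never reaches the edge at all.

```python
"""Model of overlapping-subnet ("twice") NAT between two sites that both use
10.0.0.0/8: HQ is presented to DR as 11.0.0.0/8, DR is presented to HQ as
12.0.0.0/8.  Host addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


def rebase(addr: IPv4, from_net: ipaddress.IPv4Network, to_net: ipaddress.IPv4Network) -> IPv4:
    """Keep the host part, swap the network part (a static 1:1 network NAT)."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return IPv4(int(to_net.network_address) + offset)


class EdgeNat:
    """The edge router/ASA of one site (hypothetical model, not vendor config).

    real:         the site's actual prefix (10.0.0.0/8 at both sites)
    alias:        how this site's hosts appear to the other site
    remote_alias: the prefix this site's hosts use to reach the other site
    """

    def __init__(self, real: str, alias: str, remote_alias: str) -> None:
        self.real = ipaddress.ip_network(real)
        self.alias = ipaddress.ip_network(alias)
        self.remote_alias = ipaddress.ip_network(remote_alias)
        if self.alias.prefixlen != self.real.prefixlen:
            raise ValueError("1:1 network NAT needs equal-length prefixes")

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving this site for the link: translate the source only."""
        if pkt.dst in self.real:
            # The same prefix exists locally, so the host resolves/routes it
            # locally and the packet never reaches the edge.  This is why the
            # overlap needs NAT and a layer 3 hop in the path.
            raise ValueError(f"{pkt.dst} looks local at this site; use the remote alias")
        if pkt.dst not in self.remote_alias:
            raise ValueError(f"{pkt.dst} is not in the remote alias {self.remote_alias}")
        return Packet(src=rebase(pkt.src, self.real, self.alias), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving from the link: translate the destination only."""
        return Packet(src=pkt.src, dst=rebase(pkt.dst, self.alias, self.real))


HQ = EdgeNat(real="10.0.0.0/8", alias="11.0.0.0/8", remote_alias="12.0.0.0/8")
DR = EdgeNat(real="10.0.0.0/8", alias="12.0.0.0/8", remote_alias="11.0.0.0/8")


def one_way(sender: EdgeNat, receiver: EdgeNat, pkt: Packet) -> List[Tuple[str, Packet]]:
    """Trace a packet from a host behind 'sender' through both edges to a host behind 'receiver'."""
    on_wire = sender.outbound(pkt)
    delivered = receiver.inbound(on_wire)
    return [("host", pkt), ("link", on_wire), ("delivered", delivered)]


def round_trip(hq_host: str, dr_host: str):
    """An HQ host talks to a DR host and gets a reply; returns both traces."""
    hq_real, dr_real = IPv4(hq_host), IPv4(dr_host)
    # The HQ host addresses the DR host by its alias (12.x.y.z), never by its real 10.x.y.z.
    request = Packet(src=hq_real, dst=rebase(dr_real, DR.real, DR.alias))
    fwd = one_way(HQ, DR, request)
    delivered = fwd[-1][1]
    # The DR host simply replies to whatever source address it saw (11.x.y.z).
    reply = Packet(src=delivered.dst, dst=delivered.src)
    rev = one_way(DR, HQ, reply)
    return fwd, rev


def reply_reaches_requester(hq_host: str, dr_host: str) -> bool:
    """The reply must land on the original host and appear to come from the address it used."""
    fwd, rev = round_trip(hq_host, dr_host)
    request, final = fwd[0][1], rev[-1][1]
    return final.dst == request.src and final.src == request.dst


if __name__ == "__main__":
    for name, trace in zip(("HQ -> DR", "DR -> HQ"), round_trip("10.1.1.10", "10.2.2.20")):
        print(name)
        for hop, p in trace:
            print(f"  {hop:9s} {p.src} -> {p.dst}")
```

Two things the model makes visible that a practitioner would check before rebuilding the link: the translation must be applied at a layer 3 hop on each side (the ASA, or the core L3 switch SVI facing the link), and the two alias prefixes must be distinct from both sites' real prefix and from each other, or the return path is ambiguous. Note also that 11.0.0.0/8 and 12.0.0.0/8 are assigned public address space, so hosts using them as aliases cannot reach the real Internet hosts in those ranges; RFC 1918 or RFC 6598 (100.64.0.0/10) prefixes avoid that collision.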

3 Replies

Richard Burts
Hall of Fame

I follow your explanation through the part where you will be dropping MPLS and the part where your director wants a layer 2 point to point but you think that will not work (and I agree with that). Then you identify some alternatives but I do not understand what type of connection these are based on. Can you provide clarification about this?

Certainly whatever it is it must provide a layer 3 connection to allow address translation.

HTH

Rick

Richard, sorry for my delay in replying. I did not receive an email that you responded despite that little checkbox being checked! Sorry, this is what happens when they send a helpdesk person for a little training and certification -- I have no first-hand experience with many of the situations I've come up against. My one solution is a simple site to site VPN which would just utilize the internet. I can do the NATing on the ASA. I know that will work... but my director is fixated on a point to point connection. Upon further thinking, it might just work. I only need to NAT a couple of networks which would be routed via our core layer 3 switches on both sides of the link... I can probably just have the SVI set up as in/out and have them do the NATing before it hits the actual point to point link. Seems like it would work in my brain, but I will have to test it out. With that said, I was wondering what other people do in such a situation where there are two of the same networks on each side of a link. Clearly... NATing needs to happen somewhere. Thanks!

Sorry about the confusion with notifications. The little check box is to enable email notifications. But for the last couple of weeks they have been doing some maintenance activity on the community and disabled the email notifications till that maintenance is completed.

In the discussion and planning for discontinuing the MPLS, was there much planning for what would replace it? Your original post mentions your director's interest in a layer 2 point to point connection. Did he have any mechanism for that in mind, any kind of provider offering? I agree with you that the layer 2 part of it is problematic. But if there were some kind of provider offering there might be layer 3 possibilities as well. Depending on where your data centers are located, provisioning a point to point connection might be problematic (or be expensive, which for many of us is the same as being problematic).

A site to site VPN would act like a point to point connection (or even a GRE tunnel would mimic a point to point connection). But someone needs to evaluate the implications of mixing your DC to DC traffic with your Internet traffic.

HTH

Rick