
Branch Office VPN with Cisco Routers

dball79
Level 1

Hello!

I have a question about VPN networking with Cisco routers. I must say that I am a beginner in this field and am learning about networks. I might want to obtain a CCNA certification.

My question is this: Cisco routers have long been used for networking with a company's VPN network.

However, most of them cannot be operated as VPN clients. They can either be used as VPN servers, allowing a VPN connection from a single computer to the company network, or they support site-to-site VPN, which connects two LAN networks over a distance. At this point, the real-life scenario is somewhat unclear to me, which I would like to illustrate with an example.

Let's say we have a franchise company with many branches. For the example, I'll use a car rental company, as it's a good way to illustrate the point: a large network in the company headquarters and over a hundred small branches nationwide, each with about 3-4 computers plus printers, etc.

In this scenario, it would be logical to use the router as a VPN client. The branch would then receive a single IP address in the private LAN of the company headquarters, and the branch's LAN would remain separate and not directly reachable from the company headquarters. This way, each branch's LAN could maintain a standard IP range (e.g., 192.168.1.1 - 192.168.1.255), and the branches wouldn't need to coordinate with each other.

However, Cisco routers (and devices from other manufacturers as well) do not support this operation as a VPN client.

But since many Cisco routers are used in such branches (I've seen it myself), it must be done differently, and I wonder how exactly (in most cases)?

A site-to-site VPN in the scenario described above would most certainly be an administrative challenge.

Let's imagine: the company headquarters has a Class B network, with an IP range of 172.16.0.0 - 172.31.255.255, and the branches each have a Class C network. If all branches were connected to the headquarters via site-to-site VPN, then each branch would need to be assigned its own private IP range, which would have to be strictly adhered to.

Just to list it briefly so that everyone understands what I mean, in case I've mixed up some terms here:


Company headquarters:
IP range 10.0.0.0 — 10.255.255.255

Branch 1:
IP range 192.168.1.0 — 192.168.1.255

Branch 2:
IP range 192.168.2.0 — 192.168.2.255

Branch 3:
IP range 192.168.3.0 — 192.168.3.255

etc.

Each LAN would be connected to the headquarters via S2S VPN, and thus the headquarters could reach every IP address in all three LANs, and vice versa.

This would be manageable with 3 branches, but if there are over a hundred nationwide, it would quickly become a huge mess. Every computer at any location could initially reach any other location nationwide directly via IP address (unless blocked by firewall rules).

Additionally, the IP range of each individual branch would need to be ‘carved in stone’, and great care would need to be taken to ensure that they do not overlap. The potential for errors would be enormous.

So my question is: Is this really how it's done? Or have I overlooked something? As I said, I'm a beginner in this field and still learning.

Thank you for your help.


In each branch site use a supernet,

like 192.168.0.0/16, toward HQ.

In HQ use, for each site, the LAN of that site plus the supernet.

This makes the branch site send traffic to HQ; HQ receives it and re-forwards it to the other branch according to that branch site's LAN subnet.

MHM
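The hub-and-spoke addressing described in the reply above, worked through as an added example (not code from the thread or from any Cisco tool): it checks that the branch /24s fit inside the 192.168.0.0/16 supernet without overlapping (the error the poster worries about), generates the spoke crypto ACL and its mirror-image ACL at HQ, and traces where a branch-to-branch packet is forwarded. The three-branch list and the IOS-style ACL wording are assumptions for illustration.

```python
import ipaddress

# Addressing from the thread: HQ uses 10.0.0.0/8, each branch a /24 carved out of
# 192.168.0.0/16 (branch N = 192.168.N.0/24). The branch list itself is constructed.
HQ_NET = ipaddress.ip_network("10.0.0.0/8")
SUPERNET = ipaddress.ip_network("192.168.0.0/16")
BRANCHES = {"branch1": "192.168.1.0/24", "branch2": "192.168.2.0/24", "branch3": "192.168.3.0/24"}


def overlap_problems(branches):
    """Flag a branch LAN that lies outside the supernet, or two branch LANs that overlap."""
    nets = {n: ipaddress.ip_network(c) for n, c in branches.items()}
    problems = [(n, "outside supernet") for n, net in nets.items() if not net.subnet_of(SUPERNET)]
    names = sorted(nets)
    for i, a in enumerate(names):
        problems += [(a, b) for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    return problems


def acl_line(src, dst):
    """One IOS-style extended ACL entry (wildcard masks) as used in an IPsec crypto ACL."""
    return f"permit ip {src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}"


def spoke_crypto_acl(branch_cidr):
    """A spoke needs only two entries: its LAN to HQ, and its LAN to the whole branch supernet."""
    lan = ipaddress.ip_network(branch_cidr)
    return [acl_line(lan, HQ_NET), acl_line(lan, SUPERNET)]


def hub_crypto_acls(branches):
    """The hub keeps one mirror-image ACL per spoke: HQ and the supernet towards that spoke's LAN."""
    return {n: [acl_line(HQ_NET, ipaddress.ip_network(c)), acl_line(SUPERNET, ipaddress.ip_network(c))]
            for n, c in branches.items()}


def spoke_tunnels(branch_cidr, src_ip, dst_ip):
    """True if the spoke's crypto ACL matches, i.e. the packet goes into the tunnel to HQ."""
    lan = ipaddress.ip_network(branch_cidr)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return src in lan and (dst in HQ_NET or dst in SUPERNET)


def hub_next_hop(branches, dst_ip):
    """Where HQ re-forwards a decrypted packet: its own LAN, a named spoke tunnel, or None (no route)."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in HQ_NET:
        return "hq-lan"
    for n, c in branches.items():
        if dst in ipaddress.ip_network(c):
            return n
    return None
```

Because every branch-to-branch packet transits HQ, the hub is also the single place where a firewall policy can restrict which branches may talk to each other, which answers the poster's concern about every site reaching every other site by default.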

shawnpeter7707
Level 1

I have this problem too