01-21-2021 07:24 AM
Hello all
I have the following scenario,
I use EIGRP for Building A with MPLS to my other offices within my company. Now I need to move to Building B, and it's a slow, planned, phased move. I have MPLS ready in Building B, but I need to use the same subnet for Building A and B.
So let's say I have a device 192.168.10 in Building A and 192.168.1.20 in Building B, and I use MPLS in both sites. How would EIGRP work if I were to reach these devices from another office in my company? Would EIGRP route me through to the right building?
Initially I planned to use IPsec between Building B and Building A, and Building A already has MPLS, but if this is possible I will remove the IPsec due to packet overheads.
Let me know your thoughts.
01-21-2021 07:59 AM
Hello @NetworkGuy! ,
If possible you should use different IP subnets in Building A and Building B, and this will allow EIGRP to work properly.
If you need to extend a VLAN/IP subnet or a set of them between the two buildings, you need to build an L2 transport over IP like L2TPv3 for routers, or use some MPLS service.
This will make your network solution much more complex, and the link between the buildings will get all the flooding traffic of the extended VLANs.
This is a reason to avoid this as much as possible.
Hope to help
Giuseppe
01-21-2021 08:06 AM
We need some more information. What is the existing arrangement? Layer 2 or VPN? Any small network diagram and config will help.
What is the new building arrangement, MPLS Layer 2 or Layer 3?
Please clarify the IP addresses below (on the first IP address we don't see the 4th octet?):
192.168.10 in Building A and 192.168.1.20
01-21-2021 08:41 AM - edited 01-21-2021 08:43 AM
Building A currently uses 192.168.0.0/16.
Now I need to transition the same subnet to Building B, but in a phased approach.
I have MPLS (Layer 3) in both buildings that can connect to other offices in the company.
Initially I was planning to use IPsec between Building A and B to extend the IP subnet, but with MPLS being delivered in Building B, I was thinking if it's possible to use that? I just want to minimize the overhead of using IPsec - or is the overhead not a lot, so I can continue to use IPsec and ignore MPLS for now?
01-21-2021 08:58 AM
Why do you need a Layer 2 extension? Is this a must? If not, make it a Layer 3 network so the networks can reach each other.
01-21-2021 09:51 AM
I might be able to get away from a Layer 2 extension, but I will need to retain the same IP subnet on both sides, and without an IPsec tunnel I can't think of any way?
01-21-2021 10:45 AM - edited 01-22-2021 10:54 PM
First we need some clarification. The original post says "device 192.168.10 in Building A and 192.168.1.20 in Building B". I am assuming that this was a typo and that probably it is supposed to be something like 192.168.1.10 and 192.168.1.20. Is that correct?
Several times the original poster tells us that they need the same IP subnet in both buildings, which sort of makes sense if this is a phased transition from one building to a different building. But this is actually quite a challenge. The important aspect of this is that if some host in building A (perhaps 192.168.1.10) wants to communicate with the host in building B (perhaps 192.168.1.20), then the host simply sends an ARP request for the other host. There is not any dynamic routing protocol that can make this work. There have been several references to using IPsec for this and I do not see how IPsec would help.
I can think of several approaches which might help with this transition.
1) As has been suggested, the most straightforward would be some type of Layer 2 extension such as L2TPv3, which would allow the ARP request to be forwarded between the buildings.
2) Depending on the number of hosts, and depending on how much flexibility there is about addressing, it might work to put building A addresses in the lower half of the address block and building B addresses in the upper half of the address block and temporarily treat it as two /25 subnets.
3) It might work for the duration of the transition to configure address translation for one of the buildings such that internally the hosts in that building used 192.168.1 addresses but outside the building they appeared to be 192.168.2 addresses.
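As an added illustration of option 2 above (this is not code from the thread or from any poster), the script below generalises the "two /25s" idea: given the hosts that are already addressed in each building, it computes the smallest set of disjoint prefixes each building could advertise into the MPLS cloud so that every existing host is reachable at its current address. The host inventory is constructed from the addresses mentioned in the thread (192.168.1.10, .100 and .110 in building A, 192.168.1.20 in building B) and the /24 container is an assumption; a real run would use the full inventory.

```python
"""Work out the finest prefix split that keeps two buildings' existing hosts
routable without re-addressing them.

Added example, not from the original thread. Host lists are constructed from
the addresses mentioned in the discussion; the /24 container is an assumption.
"""
import ipaddress
from typing import Dict, Iterable, List


def site_prefixes(ours: Iterable[str], theirs: Iterable[str], container: str) -> List[str]:
    """Return the minimal list of prefixes inside `container` that cover every
    address in `ours` and none in `theirs`.

    The container is bisected recursively: a block that holds only our hosts is
    emitted whole, a block that holds none of our hosts is dropped, and a block
    that holds both is split again. Because the two host sets are disjoint the
    recursion always stops before reaching a /32.
    """
    mine = {ipaddress.ip_address(a) for a in ours}
    other = {ipaddress.ip_address(a) for a in theirs}
    net = ipaddress.ip_network(container, strict=True)

    overlap = mine & other
    if overlap:
        # The same address in both buildings cannot be routed apart at all.
        raise ValueError(f"addresses present in both buildings: {sorted(map(str, overlap))}")
    outside = [a for a in mine | other if a not in net]
    if outside:
        raise ValueError(f"addresses outside {net}: {sorted(map(str, outside))}")

    def walk(block: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
        if not any(a in block for a in mine):
            return []                      # nothing of ours here: no route needed
        if not any(a in block for a in other):
            return [block]                 # ours only: advertise the whole block
        return [p for half in block.subnets(prefixlen_diff=1) for p in walk(half)]

    return [str(p) for p in walk(net)]


def split_plan(a_hosts: Iterable[str], b_hosts: Iterable[str], container: str) -> Dict[str, List[str]]:
    """Prefix set each building would route during the move."""
    a_hosts, b_hosts = list(a_hosts), list(b_hosts)
    return {
        "A": site_prefixes(a_hosts, b_hosts, container),
        "B": site_prefixes(b_hosts, a_hosts, container),
    }


if __name__ == "__main__":
    # Constructed inventory based on the addresses mentioned in the thread.
    building_a = ["192.168.1.10", "192.168.1.100", "192.168.1.110"]
    building_b = ["192.168.1.20"]
    plan = split_plan(building_a, building_b, "192.168.1.0/24")
    for site, prefixes in plan.items():
        print(f"Building {site} advertises: {', '.join(prefixes)}")
```

With these four hosts the clean /25 halves do not work (.10 and .20 fall in the same half), and the script shows what the temporary routing would actually look like: building A would carry 192.168.1.0/28 and 192.168.1.64/26, building B 192.168.1.16/28. Every prefix in the output is a route the site's MPLS CE must originate, and any address outside both lists is unreachable until it is claimed by one side, which is a quick way to judge whether option 2 is workable for a given inventory before touching production.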
01-22-2021 01:26 AM
Thanks Rick
Yes, it was a typo, so we need to keep the same subnet (192.168.0.0/16) across both buildings. Remember these are sites that are in production and devices have already been assigned an IP, so I can't split them into an upper half and lower half. Example: I have the MPLS router as 192.168.1.100 and the firewall as 192.168.1.110.
L2TP - I thought about it, but it has no security, right? IKE on top of it makes it an IPsec tunnel?
So in case having two MPLS routers on either side will not work using BGP for peering with the provider and EIGRP for internal routing, correct?
If I use IPsec, then on the Building B side I just need the internet connection going into the firewall from the IPsec tunnel to keep the IP addressing consistent, correct? I have tried and asked the ISP to provide a Layer 2 circuit but had no joy, hence I thought about this way.
01-22-2021 11:13 PM
Thanks for confirming that it was a typo. That does clarify a bit.
I appreciate that in an existing network it would be challenging to split upper half/lower half. I mention it as a potential way to work out having the same subnet in 2 locations and understand that it might not be feasible in your situation. I thought it worth mentioning, especially for other people who might be facing a similar issue and read this discussion.
You have several times mentioned IPsec tunnels. I understand that you might have concerns about securing the traffic between sites. But I do not see how IPsec tunnels could work in your situation. Every implementation of IPsec that I am aware of assumes that there is a distinct IP subnet on one end and a different IP subnet on the other end. I suggest that we focus on finding a way for the 2 buildings to communicate and after that we can consider securing the traffic. I continue to believe that the biggest challenge in your situation is that a device in building A that wants to communicate with a device in building B will ARP for the destination. We need to find a solution that will make ARP between sites work.
We do not have information about connectivity between the buildings and that might be helpful to have. Is it that both buildings connect to the MPLS cloud (ISP)? Or is there perhaps a direct connection site to site separate from MPLS?
01-23-2021 01:11 AM
You are looking for more of a DC kind of solution, extending your Layer 2 across another area?
If you are looking to go that route, do you have enough budget and hardware to meet that requirement?
You also input that IPsec is not an option.
My suggestion here:
1. Dark fiber or MPLS/VPLS Layer 2
2. OTV (this solution costs a lot for a simple setup)
01-21-2021 08:24 AM - edited 01-21-2021 01:22 PM
Use two different VRFs in the edge router.
Use the same subnet for each VRF.
I will try to find an example of how to config it.
01-22-2021 01:27 AM
Thanks MHM, but I don't understand. Is this on the Building B side or A side, or both sides?
01-23-2021 02:35 AM - edited 01-23-2021 02:39 AM
Hello
Without re-addressing either site, the most simplistic approach would be to NAT between the two sites, thus hiding each site's internal subnet, and either static/dynamic route between their respective "public" addressing.