03-23-2016 12:54 AM - edited 03-08-2019 05:05 AM
Hi, this is just an inquiry, not much of an urgent issue. I was once interviewed by one of the network admins before and my question was like this.
Is it possible for 2 networks or 2 sites linked via MPLS or SSLVPN to communicate? In Site1 the scope of the LAN is 192.168.10.x /24, and Site2 also has a scope of 192.168.10.x /24.
Can both networks communicate, knowing that they will conflict? As for me, my answer is no, but I am not sure whether it is possible with Cisco technology.
Thanks
Jeff
03-23-2016 02:19 AM
Jeff,
If the VPN operates as a Layer3 VPN, meaning that the sites are separated by routing, then without additional configuration, these networks will not be able to communicate. The primary reason is extremely simple: If Site1 station 192.168.10.x attempts to send packets to Site2 station 192.168.10.y, then these two addresses are in the same IP network, and so the Site1 station won't even attempt to send its packets through the VPN. Instead, it will try to contact this host in its own network, and will end up talking to a different host than intended, or not finding that host at all. A temporary solution would be to perform NAT so that from the viewpoint of each site, the other site is in a different, unique address space.
If the VPN operates as a Layer2 VPN then the sites are bridged/switched together, and form a single broadcast domain, thus they constitute a single IP network. In such a case, it is correct, and even necessary, for the two sites to share the same IP space although they still need to assign unique IP addresses to different hosts according to usual IP addressing rules. In this case, the communication would be possible, because the Layer2 VPN acts like a cross-over cable, or a switch, to all interconnected sites, and has nothing to do with routing.
MPLS provides both Layer3 and Layer2 VPNs, and so you would need to ask for a clarification before answering this question. SSLVPN, to my best knowledge, is a routed solution - a Layer3 VPN - and so having two sites with the same IP space would prevent them from communicating unless NAT was used to "transpose" the overlapping IP space on each site into unique ranges.
Best regards,
Peter
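The Layer3 case from the answer above, as an added example that is not part of the original thread: it models a host's on-link decision and a 1:1 prefix NAT at each site edge. The alias ranges 10.1.10.0/24 and 10.2.10.0/24, the host addresses, and all function names are assumptions chosen for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")   # real LAN at both sites (from the thread)
ALIAS = {                                        # assumed unique alias ranges, one per site
    "site1": ipaddress.ip_network("10.1.10.0/24"),
    "site2": ipaddress.ip_network("10.2.10.0/24"),
}

def next_hop(src_net, dst):
    """Host forwarding decision: on-link destinations are ARPed for, never routed."""
    return "on-link" if ipaddress.ip_address(dst) in src_net else "gateway"

def netmap(addr, from_net, to_net):
    """1:1 prefix translation: swap the network bits, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return str(addr)
    offset = int(addr) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def send(src_site, dst_site, src, dst):
    """Follow one packet between sites; return (src, dst) as delivered,
    or None if it never leaves the source LAN."""
    if next_hop(LAN, dst) == "on-link":
        return None                               # stays local, VPN never sees it
    # Source-site edge: present the real source as that site's alias range.
    src = netmap(src, LAN, ALIAS[src_site])
    # Destination-site edge: map the alias destination back onto the real LAN.
    dst = netmap(dst, ALIAS[dst_site], LAN)
    return src, dst

def demo():
    # Constructed sample traffic between host .5 at Site1 and host .20 at Site2.
    return {
        "direct": send("site1", "site2", "192.168.10.5", "192.168.10.20"),
        "via_nat": send("site1", "site2", "192.168.10.5", "10.2.10.20"),
        "reply": send("site2", "site1", "192.168.10.20", "10.1.10.5"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each host only ever addresses the remote site by its alias range, so neither side sees an overlapping source or destination.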