Routing private addresses between different sites?

Fimchick Member Posts: 2
Hello, I'm hoping to get a little clarification on this since it's not quite clear how this works.

Let's say I have three separate office sites, and I want employees from each site to be able to connect to any of the servers in the other sites.

So in that case, I have to set up my IP addressing to never overlap, otherwise the routing tables will not know what's where and packets will not be delivered to their destination.

For example:
Site-A has 10.100.0.0/22 which is a pool of 10.100.0.0 - 10.100.3.255
Site-B then has to have 10.100.4.0/22 which is a pool of 10.100.4.0 - 10.100.7.255
Site-C then has to have 10.100.8.0/22 which is a pool of 10.100.8.0 - 10.100.11.255

The sites can never have overlapping IP pools, otherwise I can't route from one to the other, is that correct? If that's the case, then it's safe to say that any organization, no matter how big, always has to have all the addressing fit within the same IP scheme and can never have overlapping IP ranges (unless they are inside non-routable labs, etc).

Does this make sense or am I completely confused? Thanks!
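The addressing plan in the question, checked in code. This is an added example, not part of the original post: it uses Python's standard `ipaddress` module to compute the address pool each /22 covers, to detect any overlap between site prefixes, and to show why overlap matters, since a longest-prefix-match lookup can only name one site per destination when no two site prefixes contain the same address. The site names and prefixes are the constructed values from the question; the `SITES_OVERLAPPING` table is a constructed counter-example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed allocation mirroring the question: one /22 per site.
SITES: Dict[str, str] = {
    "Site-A": "10.100.0.0/22",
    "Site-B": "10.100.4.0/22",
    "Site-C": "10.100.8.0/22",
}

# Constructed counter-example: two sites given the same block by mistake.
SITES_OVERLAPPING: Dict[str, str] = {
    "Site-A": "10.100.0.0/22",
    "Site-B": "10.100.0.0/22",
    "Site-C": "10.100.8.0/22",
}


def address_pool(cidr: str) -> Tuple[str, str]:
    """Return the first and last address of a CIDR block, e.g. the
    '10.100.0.0 - 10.100.3.255' range quoted in the question."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def find_overlaps(sites: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of site names whose prefixes share any address.
    An empty list means the plan is safe to route without NAT."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in sites.items()}
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def candidate_sites(sites: Dict[str, str], dst: str) -> List[str]:
    """All sites whose prefix contains dst. More than one entry means a
    routing table built from these prefixes cannot tell the sites apart."""
    addr = ipaddress.ip_address(dst)
    return sorted(
        name for name, c in sites.items()
        if addr in ipaddress.ip_network(c, strict=True)
    )


def lookup(sites: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match of dst against the site prefixes, the way a
    router chooses a route. Returns None when no site prefix contains dst,
    and None when the match is ambiguous (two equal-length prefixes)."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(c, strict=True).prefixlen, name)
        for name, c in sites.items()
        if addr in ipaddress.ip_network(c, strict=True)
    ]
    if not matches:
        return None
    matches.sort(reverse=True)
    # Ambiguous if the two longest matches have the same prefix length.
    if len(matches) > 1 and matches[0][0] == matches[1][0]:
        return None
    return matches[0][1]


if __name__ == "__main__":
    for name, cidr in SITES.items():
        print(name, cidr, "covers", "%s - %s" % address_pool(cidr))
    print("overlaps in plan:", find_overlaps(SITES))
    print("10.100.5.17 routes to", lookup(SITES, "10.100.5.17"))
    print("overlaps in bad plan:", find_overlaps(SITES_OVERLAPPING))
    print("10.100.1.9 in bad plan matches", candidate_sites(SITES_OVERLAPPING, "10.100.1.9"))
```

Running it prints the three pools exactly as listed in the question, an empty overlap list for the proposed plan, and for the counter-example shows both Site-A and Site-B claiming 10.100.1.9, which is the situation the question describes as "the routing tables will not know what's where".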

Comments

  • martell1000 Member Posts: 389
    this is correct, but you can use NAT to deal with overlapping networks, for example if you have companies merging and overlapping address schemes might occur.

    Using NAT in Overlapping Networks - Cisco Systems
    And then, I started a blog ...
  • Forsaken_GA Member Posts: 4,024
    Fimchick wrote: »
    The sites can never have overlapping IP pools, otherwise I can't route from one to the other, is that correct? If that's the case, then it's safe to say that any organization, no matter how big, always has to have all the addressing fit within the same IP scheme and can never have overlapping IP ranges (unless they are inside non-routable labs, etc).

    In best practice, yes, each site has its own IP ranges that are unique within your routing domain. However, this is not a hard requirement, as NAT can solve overlapping IP space issues (think acquisition: company A buys company B and wants to integrate the networks, but they both use the same IP space. NAT can allow the two to talk to each other while one side or the other re-addresses).

    There are also certain applications where you'll have multiple hosts addressed with the same IP addresses on purpose. This is usually used in an anycast setup, where you're deploying services like DNS, but want the routes to go to the geographically closer host. So let's say I have a site in New York and a site in London. If the DNS servers are in New York, the London users have to cross a transatlantic link in order to resolve DNS. Now let's say I have a DNS server in each location - great, now I have to configure hosts in each section to use their local DNS server.

    Or I could give all the DNS servers the same IP, and advertise them into my routing protocol. The routing protocol metric will ensure my traffic goes to whomever has the shortest path (unless you're doing something wrong, London should no longer be preferring a route to New York to resolve DNS). This allows me to configure all hosts with the same DNS servers, and if one goes down, I've got automatic resiliency built in, as the downed box will simply have its route withdrawn and the routing protocol will reconverge to allow me to use the next closest server.

    Note - AnyCast is an advanced concept, and not something you're going to be asked about on the CCENT/CCNA. I mention it solely for the sake of completeness and to demonstrate that, like most everything in the network world, the answer to your question is 'it depends'
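The NAT workaround described above (two merging companies that both use the same internal block), worked through in code. This is an added example, not code from any post in the thread or from the linked Cisco document: it models static one-to-one network translation, where each side is shown the other through a non-overlapping "mapped" prefix and the NAT device rewrites source and destination by preserving the host offset inside the prefix. The company names, the shared 10.1.0.0/24 block and the 172.16.x.0/24 mapped prefixes are constructed values.

```python
import ipaddress
from typing import Tuple

# Constructed scenario: both companies use the same block internally.
COMPANY_A_REAL = "10.1.0.0/24"
COMPANY_B_REAL = "10.1.0.0/24"

# Constructed non-overlapping prefixes each side uses to reach the other.
COMPANY_A_AS_SEEN_BY_B = "172.16.1.0/24"
COMPANY_B_AS_SEEN_BY_A = "172.16.2.0/24"


def translate(addr: str, real_net: str, mapped_net: str) -> str:
    """Static network NAT: move addr from real_net to the same host offset in
    mapped_net. Both prefixes must be the same size so the mapping is 1:1."""
    real = ipaddress.ip_network(real_net, strict=True)
    mapped = ipaddress.ip_network(mapped_net, strict=True)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped prefixes must be the same size")
    a = ipaddress.ip_address(addr)
    if a not in real:
        raise ValueError(f"{a} is not inside {real}")
    offset = int(a) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def a_to_b(src: str, dst: str) -> Tuple[str, str]:
    """A host in company A sends to company B's mapped address.
    Returns the (src, dst) pair as seen on company B's side of the NAT."""
    new_src = translate(src, COMPANY_A_REAL, COMPANY_A_AS_SEEN_BY_B)
    new_dst = translate(dst, COMPANY_B_AS_SEEN_BY_A, COMPANY_B_REAL)
    return new_src, new_dst


def b_to_a(src: str, dst: str) -> Tuple[str, str]:
    """The reply path: a host in company B answers company A's mapped address.
    Returns the (src, dst) pair as seen on company A's side of the NAT."""
    new_src = translate(src, COMPANY_B_REAL, COMPANY_B_AS_SEEN_BY_A)
    new_dst = translate(dst, COMPANY_A_AS_SEEN_BY_B, COMPANY_A_REAL)
    return new_src, new_dst


def mapped_prefixes_are_distinct() -> bool:
    """The whole scheme only works if the mapped prefixes do not overlap each
    other or the real block they sit next to in each company's routing table."""
    real = ipaddress.ip_network(COMPANY_A_REAL, strict=True)
    seen_a = ipaddress.ip_network(COMPANY_A_AS_SEEN_BY_B, strict=True)
    seen_b = ipaddress.ip_network(COMPANY_B_AS_SEEN_BY_A, strict=True)
    return not (seen_a.overlaps(seen_b) or seen_a.overlaps(real) or seen_b.overlaps(real))


if __name__ == "__main__":
    fwd = a_to_b("10.1.0.5", "172.16.2.20")
    print("A -> B, after NAT:", fwd)
    back = b_to_a(fwd[1], fwd[0])
    print("B -> A reply, after NAT:", back)
```

The forward packet from 10.1.0.5 to 172.16.2.20 leaves the NAT as 172.16.1.5 to 10.1.0.20, and the reply from 10.1.0.20 to 172.16.1.5 comes back as 172.16.2.20 to 10.1.0.5, so neither company has to re-address before they can talk; each company's routers only need a route for the other side's mapped prefix.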
  • CodeBlox Member Posts: 1,363
    Those are private addresses. If you're going over a public network such as the internet it shouldn't matter if the three separate networks overlap in the private address space as datagrams sourced to private addresses shouldn't be routable over the internet (Assuming you're talking about this). You could use NAT to translate between the public/private addresses. I hope I understood you in what you're asking.

    EDIT: Forsaken got there first :p and is more detailed.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • Fimchick Member Posts: 2
    Got it -- thank you everyone!
  • CodeBlox Member Posts: 1,363
    Woah... A true lurker! Join date is 2004!
  • Forsaken_GA Member Posts: 4,024
    CodeBlox wrote: »
    Those are private addresses. If you're going over a public network such as the internet it shouldn't matter if the three separate networks overlap in the private address space as datagrams sourced to private addresses shouldn't be routable over the internet (Assuming you're talking about this). You could use NAT to translate between the public/private addresses. I hope I understood you in what you're asking.

    Just a note: while it's technically true that you can't route private IP space over the public internet, in practice it's done all the time. Tunnels solve a lot of problems; they're the duct tape of the internetwork world.

    For example, I have a server that I lease out in the public IP realm. My home network is on a residential internet connection, and it's fairly extensive. In order to get full access to everything, I'd have to get incredibly creative with NAT port forwarding, not to mention the split DNS views to make sure stuff resolves correctly internally and externally.

    So what I did instead was establish a tunnel between the public IP addresses of my internal router and my leased box and set up routing over the tunnel. For all intents and purposes, my leased box is a direct extension of my internal routing domain. Then I set up VPN services on the leased box. Whenever I want access to my internal network, I simply VPN into the leased box and, thanks to the tunnel, it's as if I VPN'd into the home network directly (VPN over NAT is just a huge headache).
  • CodeBlox Member Posts: 1,363
    Wow, sounds like you have quite a network. My toy (a D-Link access point) doesn't allow me to configure NAT pools or anything at all -_- So how much networking equipment do you have on your live home network?