
Tying together VLANs to make VPNs

I am looking for ways to support multiple site to site VPNs for our company.   The hardware I am currently using includes a

3524-XL switch with IOS 3500XL v12.0(5)wc3b
2611 router with IOS V12.3(12a)

I can set up site to site VPNs using my ethernet ports on the router, but those are getting to be rare (I am using 5/6 ports currently).  I have to expand our VPN capabilities significantly, as one of our projects is to bring satellite locations (5+) under our umbrella, and allow them to VPN in to our network.  I was wondering if there was a way to make my switch an extension of my ethernet ports of my router by assigning IPs and VLAN tags to it, and create my tunnels from there.  Any information on this would be way cool!
2 Solutions

The only way I know for tying VLANs is to define an MLL entry in the switch.
MLL = multicast linked list.
MLL is also known as IPM = IP multicast.

Usually, the router/switch has a table that can be configured by the management for MLL entries.
Each entry holds a list of VLANs that are attached to this MLL entry (tied VLANs ...).

The traffic should be sent to a special MAC_DA that is also configured to point to the MLL entry mentioned above (instead of the regular MAC address that points to a pair of device_num & port_num).

I have been developing switches/routers (ASICs) for the past 6 years, so there is a nice chance the chip you are working with is related to my company "Galileo/Marvell".

Use GRE tunnels to link your sites; the GRE interface is a virtual interface. Then you run IPSEC over the GRE interfaces without using up physical interfaces.  Does your 2611 have an AIM card? The 2611 is a low end router, not much horsepower; you will not be able to expand your VPN capabilities significantly with this device without taking a performance hit. I would recommend a 2651XM for your project.

trenchant (Author) commented:
My understanding of GRE tunnels is that they are not secure.  I need to use IPSEC in my environment (medical).

GRE is not secure; that's why you are going to run IPSEC between the GRE endpoints.
It will be IPSEC inside GRE.
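One way to configure what the two answers above describe on IOS, as an added example that is not from this thread or its authors: each remote site gets its own virtual Tunnel interface bound to an IPsec profile with `tunnel protection`, so the GRE packets are encrypted by IPsec while only one physical port is consumed. The addresses, subnets, the interface name FastEthernet0/0 and the pre-shared keys are assumed placeholders, and `tunnel protection` plus AES are assumed to be present in the 12.3 crypto image in use.

```cisco
! Hub router, constructed example (not from this thread). Two sites share
! one physical WAN port; each gets its own virtual Tunnel interface.
! Public addresses, private subnets and the pre-shared keys are placeholders.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-SITE1-PSK address 203.0.113.20
crypto isakmp key REPLACE-WITH-SITE2-PSK address 203.0.113.30
!
! Transport mode is sufficient here: the GRE packet already carries the
! outer IP header, so only the GRE payload is encrypted and no second
! IP header is added.
crypto ipsec transform-set TS-GRE esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
interface Tunnel1
 description Site 1 - GRE carried inside IPsec
 ip address 10.255.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile IPSEC-GRE
!
interface Tunnel2
 description Site 2 - same physical port, separate virtual interface
 ip address 10.255.2.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.30
 tunnel protection ipsec profile IPSEC-GRE
!
! Route each site's LAN through its tunnel rather than the physical port,
! so that site traffic never leaves the hub unencrypted.
ip route 192.168.1.0 255.255.255.0 Tunnel1
ip route 192.168.2.0 255.255.255.0 Tunnel2
```

Verify with `show crypto isakmp sa` and `show crypto ipsec sa` that each peer has an active SA before trusting the path; if either endpoint sits behind NAT, transport mode will not negotiate and `mode tunnel` is needed instead.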

I think that what you are looking for is multipoint GRE and IPSEC VPNs (Dynamic Multipoint VPN).
This document is very thorough:
trenchant (Author) commented:
Thanks for the info.  Actually I'm stuck in the mud right now, and trying to dig my way out, but that's another story... indeed!
