trenchant
Tying together VLANs to make VPNs
I am looking for ways to support multiple site-to-site VPNs for our company. The hardware I am currently using includes a
3524-XL switch with IOS 3500XL v12.0(5)wc3b
2611 router with IOS V12.3(12a)
I can set up site-to-site VPNs using the Ethernet ports on the router, but those are getting to be rare (I am using 5/6 ports currently). I have to expand our VPN capabilities significantly, as one of our projects is to bring satellite locations (5+) under our umbrella and allow them to VPN into our network. I was wondering if there was a way to make my switch an extension of the Ethernet ports of my router by assigning IPs and VLAN tags to it, and create my tunnels from there. Any information on this would be way cool!
ASKER
My understanding of GRE tunnels is that they are not secure. I need to use IPSEC in my environment (medical).
GRE is not secure; that's why you are going to run IPSEC between the GRE endpoints.
It will be IPSEC inside GRE.
harbor235
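A worked hub-side configuration for the approach harbor235 describes (one GRE tunnel per remote site, with IPsec protecting the GRE traffic), combined with the VLAN-trunk idea from the question. This is added here as an example; it is not from the original thread or from any hidden solution. The interface names (Ethernet0/0 trunked to the 3524-XL, Ethernet0/1 facing the Internet), the addresses (RFC 5737 documentation ranges), the VLAN numbers and the pre-shared key placeholders are all assumptions, and the 12.3 image is assumed to be a crypto (k9) feature set so that 3DES/SHA is available. The point it illustrates is that tunnels terminate on an IP address, not on a physical port: one public interface with one crypto map carries every remote site, and the LAN side becomes a single 802.1Q trunk to the switch instead of one router port per network.

```cisco
! ===== 2611 hub router (added example; names, addresses and keys are assumptions) =====
!
! LAN side: one physical port carries every VLAN as an 802.1Q trunk to the 3524-XL
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! WAN side: a single public interface terminates all of the tunnels
interface Ethernet0/1
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
! Phase 1 (ISAKMP): one policy, and a distinct pre-shared key per remote site
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <key-site-a> address 198.51.100.2
crypto isakmp key <key-site-b> address 198.51.100.3
!
! Phase 2 (IPsec): ESP with both encryption and integrity; transport mode is enough
! because GRE already encapsulates the inner packet, and it saves 20 bytes per packet
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets exchanged between the tunnel endpoints are encrypted
ip access-list extended GRE-SITE-A
 permit gre host 203.0.113.1 host 198.51.100.2
ip access-list extended GRE-SITE-B
 permit gre host 203.0.113.1 host 198.51.100.3
!
! One crypto map, one sequence number per remote site, all applied to Ethernet0/1
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address GRE-SITE-A
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.3
 set transform-set TS
 match address GRE-SITE-B
!
! GRE tunnels are sourced from the public interface, not from extra physical ports;
! adjust-mss keeps TCP from sending full-size segments that no longer fit after the
! GRE + ESP overhead is added
interface Tunnel1
 description Site A
 ip address 10.255.1.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/1
 tunnel destination 198.51.100.2
!
interface Tunnel2
 description Site B
 ip address 10.255.2.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/1
 tunnel destination 198.51.100.3
!
! Routes to the remote LANs point into the tunnels (remote LAN ranges are assumptions)
ip route 192.168.101.0 255.255.255.0 Tunnel1
ip route 192.168.102.0 255.255.255.0 Tunnel2
!
! ===== 3524-XL: the port facing the router becomes an 802.1Q trunk carrying every VLAN =====
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Each remote router gets the mirror image: its own address as the tunnel source and ISAKMP/IPsec peer, 203.0.113.1 as the tunnel destination and peer, the GRE access list with the hosts reversed, and a route to the hub VLANs via its tunnel. Adding a sixth site means another key, another access list, another crypto map sequence number and another Tunnel interface, with no new physical ports. The state to check is `show crypto isakmp sa` (phase 1 up), `show crypto ipsec sa` (encrypt/decrypt counters rising) and `show interface Tunnel1` (line protocol up); if the crypto counters stay at zero while the tunnel is up, the access list does not match the GRE traffic and the tunnel is passing cleartext.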
ASKER
Thanks for the info. Actually I'm stuck in the mud right now, and trying to dig my way out, but that's another story.. indeed!
The only way I know of for tying VLANs together is to define an MLL entry in the switch.
MLL = multicast linked list.
MLL is also known as IPM = IP multicast.
Usually, the router/switch has a table that can be configured by management for MLL entries.
Each entry holds a list of the VLANs that are attached to this MLL entry (tied VLANs ...).
The traffic should be sent to a special MAC_DA that is also configured to point to the MLL entry mentioned above (instead of the regular MAC address that points to a pair of device_num & port_num).
I have been developing switches/routers (ASICs) for the past 6 years, so there is a nice chance the chip you are working with is related to my company, "Galileo/Marvell".
tal