Transfer VLAN over VPN

I work in Disaster recovery area where we have many customers and sometimes they need to connect back to their base which is on the same subnet or to one of our sites for workarea. I need to have a way of communication between different sites no more than 2 at a time. each site has its own public ip address and no MPLS network. So they epect me to have a setup where they pretty much expect a bridge over the internet which i know is possible with some means of DOT1Q tunnelling but have no idea howor where to start. I have access to ASA 5520 or PIX 515 or cisco 3640 router. so any solution can be implemented by me. You help is very much appreciated.

Who is Participating?
Jimmy Larsson, CISSP, CEHConnect With a Mentor Network and Security consultantCommented:
ArneLovius: Your example works but it will never be a l2-connection (transferring dhcp requests, other broadcasts and pure l2-packets).

Mr Networks: Have a look at l2tpv3, that is probably what you are looking for. Havent tried it myself but it can be done with the 3640-router you have. Doesnt look that complicated to try out.

Have you considered site-to-site VPN using Cisco ASA 5520?
Why do you need to bridge between two subnets ?

it would be much more efficient if you routed between them.

If you bridge, then all broadcast traffic will also be bridged,and depending on the link bandwidth, this may have a significant effect on performance.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
ckbhupen: ASA l2l-vpn cannot do bridging.

ArneLovius: I cant spear for the author here but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in Vmware-environments that requires the HA VM:s to be on the same vlans no matter which physical site they are on.

Mr Networks: Cool question. I can say for sure that you cant do it with ASA, because its vpn is limited to crypto map implementations. I was thinking of doing bridging with tunnel-interfaces and just tried it out in my lab without success so I follow this thread with a load of interrest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.


Mr_NetworksAuthor Commented:
You are correct in saying that i have both sites on the same subnet possibly having a DHCP server on one side supplying DHCP leases to pcs on the other site.

Basically due to the nature of my work i do not have much control over the IP address assignment. And we need the customer to see it as a lan extension. Except that it is done over the internet.
I'm wondering if using double NAT (NAT both sides) in combination with proxy ARP would work on a per host basis, its not a tru bridge, but just a way of pretending...

host-a ( a sends a packet to host-b (

asa-aa proxy arps host b, nats it to be FROM a different address ( and forwards (over the VPN) TO

asa-b nats to be FROM and forwards it to

so static and dynamic nat in both directions, in combination with proxy arp for the "remote" hosts


I used to maintain sites that used bridged IPX/SPX for a local governmant, over 64k leased lines....

When I finally persuaded them to move to routed, the difference it made was enormous :-)

Mr_NetworksAuthor Commented:
True. This would be a good solution. But when i have a DHCP server on one side supplying ip addresses to both sides i will have no means of specifying which addresses are to be natted and which are just local ip addresses.
my bad, the juniper example was just another double NAT

the L2TPv3 is probably the best (possibly only...) way apart from "rolling your own" as per the other link I posted
Mr_NetworksAuthor Commented:
I did consider L2TPV3  when i first started but got carried away when we got the  5520s. I will try out the L2TP. Will keep u updated on da progress.
Fred MarshallPrincipalCommented:
The Junper solution says:
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host’s routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more but how is this supposed to work?  It sounds a little like a "then a miracle occurs" block in the diagram.

Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites then that general (and very understandable) requirement must not be one that's needed here.  
Since identical addresses aren't *planned* in general then maybe they aren't needed in specific either.  That suggests splitting up the address range between sites in blocks.

An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different.  I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges - whcih could become sub-subnets.  But, it that were to be the case then you'd not actually have the "same subnet" problem.  For example, you could have / 25 and /25 (i.e. with 126 usable addresses each.

Then, depending on the gateway devices, it may be easy enough to route packets from site to site.

if you read through the juniper solution, on page it is doing nat at each end

your last paragraph is exactly as I suggested...

If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.

Fred MarshallPrincipalCommented:
yes, I see that it's doing NAT on each end.  That doesn't answer how it works at the originating computer.  
We can take this off line and maybe you can explain.  Or, I guess I could post  a new question here.
You can find:
rfc1180Connect With a Mentor Commented:
>So they epect me to have a setup where they pretty much expect a bridge over the internet which i know is possible with some means of DOT1Q tunnelling but have no idea howor where to start.

Very possible, we have this deployed in several POPs where they do not have a common backbone (separate AS numbers) for customers that need end to end vlans.

More information here:

Good Luck
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.