Solved

Transfer VLAN over VPN

Posted on 2010-09-10
Last Modified: 2012-05-10
Hi,
I work in the disaster recovery area, where we have many customers and sometimes they need to connect back to their base, which is on the same subnet, or to one of our sites for work area. I need to have a way of communication between different sites, no more than 2 at a time. Each site has its own public IP address and no MPLS network. So they expect me to have a setup where they pretty much get a bridge over the internet, which I know is possible with some means of DOT1Q tunnelling, but I have no idea how or where to start. I have access to an ASA 5520 or PIX 515 or Cisco 3640 router, so any solution can be implemented by me. Your help is very much appreciated.

 
Question by:Mr_Networks
Expert Comment by ckbhupen (LVL 2)
Have you considered site-to-site VPN using Cisco ASA 5520?
Expert Comment by ArneLovius (LVL 36)
Why do you need to bridge between two subnets?

It would be much more efficient if you routed between them.

If you bridge, then all broadcast traffic will also be bridged, and depending on the link bandwidth, this may have a significant effect on performance.
Expert Comment by Kvistofta (LVL 17)
ckbhupen: ASA L2L VPN cannot do bridging.

ArneLovius: I can't speak for the author here, but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in VMware environments that require the HA VMs to be on the same VLANs no matter which physical site they are on.

Mr Networks: Cool question. I can say for sure that you can't do it with ASA, because its VPN is limited to crypto map implementations. I was thinking of doing bridging with tunnel interfaces and just tried it out in my lab without success, so I follow this thread with a load of interest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.

/Kvistofta



Author Comment by Mr_Networks
@Kvistofta:
You are correct in saying that I have both sites on the same subnet, possibly having a DHCP server on one side supplying DHCP leases to PCs on the other site.

Basically, due to the nature of my work I do not have much control over the IP address assignment. And we need the customer to see it as a LAN extension, except that it is done over the internet.
Expert Comment by ArneLovius (LVL 36)
I'm wondering if using double NAT (NAT on both sides) in combination with proxy ARP would work on a per-host basis. It's not a true bridge, but just a way of pretending...

host-a (10.0.0.1) sends a packet to host-b (10.0.0.2)

asa-a proxy ARPs for host b, NATs it to be FROM a different address (192.168.1.1) and forwards (over the VPN) TO 192.168.2.1.

asa-b NATs 192.168.2.1 to be FROM 10.0.0.1 and forwards it to 10.0.0.2

So static and dynamic NAT in both directions, in combination with proxy ARP for the "remote" hosts.

------------

I used to maintain sites that used bridged IPX/SPX for a local government, over 64k leased lines....

When I finally persuaded them to move to routed, the difference it made was enormous :-)


Expert Comment by ArneLovius (LVL 36)

Author Comment by Mr_Networks
True. This would be a good solution. But when I have a DHCP server on one side supplying IP addresses to both sides, I will have no means of specifying which addresses are to be NATed and which are just local IP addresses.
Accepted Solution by Kvistofta (LVL 17, earned 250 total points)
ArneLovius: Your example works, but it will never be an L2 connection (transferring DHCP requests, other broadcasts and pure L2 packets).

Mr Networks: Have a look at L2TPv3, that is probably what you are looking for. Haven't tried it myself, but it can be done with the 3640 router you have. Doesn't look that complicated to try out.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html

/Kvistofta
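An added illustrative IOS configuration for the L2TPv3 pseudowire Kvistofta points to, written for this page and not taken from the thread or from Cisco's guide; interface names, public addresses, the VC ID and the password are assumptions:

```cisco
! Site A router. The LAN port is cross-connected as a whole to site B,
! so frames (including DHCP broadcasts) are carried unchanged between sites.
! Addresses are from the documentation ranges and are placeholders.
l2tp-class L2TPV3-CLASS
 authentication
 password SHARED-SECRET-PLACEHOLDER
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TPV3-CLASS
 ip local interface FastEthernet0/1
 ip pmtu
!
interface FastEthernet0/1
 description WAN uplink, public IP of site A (assumed)
 ip address 198.51.100.10 255.255.255.0
!
interface FastEthernet0/0
 description LAN side; extended to site B over the pseudowire
 no ip address
 xconnect 203.0.113.10 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Site B is the mirror image: its WAN address is 203.0.113.10 and its
! LAN port carries
!   xconnect 198.51.100.10 100 encapsulation l2tpv3 pw-class PW-L2TPV3
! Verify the session on either side with:
!   show l2tun session all
!   show xconnect all
```

L2TPv3 itself gives no confidentiality, so over the internet the tunnel traffic (IP protocol 115 between the two public addresses) should be carried inside an IPsec tunnel, and the control-channel password only authenticates the peers.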
Expert Comment by ArneLovius (LVL 36)
Expert Comment by ArneLovius (LVL 36)
My bad, the Juniper example was just another double NAT.

L2TPv3 is probably the best (possibly only...) way apart from "rolling your own" as per the other link I posted.

Author Comment by Mr_Networks
I did consider L2TPv3 when I first started but got carried away when we got the 5520s. I will try out the L2TP. Will keep you updated on the progress.
Expert Comment by Fred Marshall (LVL 25)
The Juniper solution says:
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host's routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more, but how is this supposed to work? It sounds a little like a "then a miracle occurs" block in the diagram.

Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites, then that general (and very understandable) requirement must not be one that's needed here.
Since identical addresses aren't *planned* in general, then maybe they aren't needed in specific either. That suggests splitting up the address range between sites in blocks.

An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different. I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges, which could become sub-subnets. But if that were to be the case, then you'd not actually have the "same subnet" problem. For example, you could have 192.168.1.0/25 and 192.168.128.0/25 (i.e. 255.255.255.128) with 126 usable addresses each.

Then, depending on the gateway devices, it may be easy enough to route packets from site to site.
Expert Comment by ArneLovius (LVL 36)
fmarshall:

If you read through the Juniper solution, on page it is doing NAT at each end.

Your last paragraph is exactly as I suggested...

If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.

Expert Comment by Fred Marshall (LVL 25)
ArneLovius:
Yes, I see that it's doing NAT on each end. That doesn't answer how it works at the originating computer.
We can take this offline and maybe you can explain. Or, I guess I could post a new question here.
You can find:
http://www.coastal-computers-networks.com/id14.html
Assisted Solution by rfc1180 (LVL 24, earned 250 total points)
> So they expect me to have a setup where they pretty much expect a bridge over the internet which I know is possible with some means of DOT1Q tunnelling but have no idea how or where to start.

Very possible, we have this deployed in several POPs where they do not have a common backbone (separate AS numbers) for customers that need end to end vlans.

More information here:
http://www.openflowswitch.org/wk/index.php/Tunneling_-_GRE/L2TP#Layer_2_Protocol_Tunneling

Good Luck
Billy