Solved

Transfer VLAN over VPN

Posted on 2010-09-10
15
1,310 Views
Last Modified: 2012-05-10
Hi,
I work in the disaster recovery area, where we have many customers and sometimes they need to connect back to their base, which is on the same subnet, or to one of our sites for a work area. I need to have a way of communication between different sites, no more than 2 at a time. Each site has its own public IP address and no MPLS network. So they expect me to have a setup where they pretty much expect a bridge over the internet, which I know is possible with some means of DOT1Q tunnelling, but I have no idea how or where to start. I have access to an ASA 5520 or PIX 515 or Cisco 3640 router, so any solution can be implemented by me. Your help is very much appreciated.

Question by:Mr_Networks
15 Comments
 
LVL 2

Expert Comment

by:ckbhupen
ID: 33644583
Have you considered site-to-site VPN using Cisco ASA 5520?
LVL 37

Expert Comment

by:ArneLovius
ID: 33644623
Why do you need to bridge between two subnets?

It would be much more efficient if you routed between them.

If you bridge, then all broadcast traffic will also be bridged, and depending on the link bandwidth, this may have a significant effect on performance.
LVL 17

Expert Comment

by:Kvistofta
ID: 33644659
ckbhupen: ASA L2L VPN cannot do bridging.

ArneLovius: I can't speak for the author here, but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in VMware environments that require the HA VMs to be on the same VLANs no matter which physical site they are on.

Mr Networks: Cool question. I can say for sure that you can't do it with ASA, because its VPN is limited to crypto map implementations. I was thinking of doing bridging with tunnel interfaces and just tried it out in my lab without success, so I follow this thread with a load of interest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.

/Kvistofta

Author Comment

by:Mr_Networks
ID: 33644712
@Kvistofta:
You are correct in saying that I have both sites on the same subnet, possibly having a DHCP server on one side supplying DHCP leases to PCs on the other site.

Basically, due to the nature of my work I do not have much control over the IP address assignment. And we need the customer to see it as a LAN extension, except that it is done over the internet.
LVL 37

Expert Comment

by:ArneLovius
ID: 33644739
I'm wondering if using double NAT (NAT on both sides) in combination with proxy ARP would work on a per-host basis. It's not a true bridge, but just a way of pretending...

host-a (10.0.0.1) sends a packet to host-b (10.0.0.2)

asa-a proxy ARPs for host-b, NATs it to be FROM a different address (192.168.1.1) and forwards it (over the VPN) TO 192.168.2.1.

asa-b NATs 192.168.2.1 to be FROM 10.0.0.1 and forwards it to 10.0.0.2

So static and dynamic NAT in both directions, in combination with proxy ARP for the "remote" hosts.

------------

I used to maintain sites that used bridged IPX/SPX for a local government, over 64k leased lines....

When I finally persuaded them to move to routed, the difference it made was enormous :-)

LVL 37

Expert Comment

by:ArneLovius
ID: 33644742

Author Comment

by:Mr_Networks
ID: 33644759
True. This would be a good solution. But when I have a DHCP server on one side supplying IP addresses to both sides, I will have no means of specifying which addresses are to be NATted and which are just local IP addresses.
LVL 17

Accepted Solution

by:
Kvistofta earned 250 total points
ID: 33644764
ArneLovius: Your example works, but it will never be an L2 connection (transferring DHCP requests, other broadcasts and pure L2 packets).

Mr Networks: Have a look at L2TPv3; that is probably what you are looking for. Haven't tried it myself, but it can be done with the 3640 router you have. Doesn't look that complicated to try out.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html

/Kvistofta
LVL 37

Expert Comment

by:ArneLovius
ID: 33644770
LVL 37

Expert Comment

by:ArneLovius
ID: 33644779
My bad, the Juniper example was just another double NAT.

L2TPv3 is probably the best (possibly only...) way, apart from "rolling your own" as per the other link I posted.

Author Comment

by:Mr_Networks
ID: 33644804
I did consider L2TPv3 when I first started but got carried away when we got the 5520s. I will try out the L2TP. Will keep you updated on the progress.
LVL 25

Expert Comment

by:Fred Marshall
ID: 33649559
The Juniper solution says:
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host’s routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more, but how is this supposed to work? It sounds a little like a "then a miracle occurs" block in the diagram.

Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites then that general (and very understandable) requirement must not be one that's needed here.  
Since identical addresses aren't *planned* in general then maybe they aren't needed in specific either.  That suggests splitting up the address range between sites in blocks.

An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different. I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges, which could become sub-subnets. But, if that were to be the case, then you'd not actually have the "same subnet" problem. For example, you could have 192.168.1.0/25 and 192.168.128.0/25 (i.e. 255.255.255.128) with 126 usable addresses each.

Then, depending on the gateway devices, it may be easy enough to route packets from site to site.
LVL 37

Expert Comment

by:ArneLovius
ID: 33649658
fmarshall:

If you read through the Juniper solution, on page it is doing NAT at each end.

Your last paragraph is exactly as I suggested...

If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.

LVL 25

Expert Comment

by:Fred Marshall
ID: 33650456
ArneLovius:
Yes, I see that it's doing NAT on each end. That doesn't answer how it works at the originating computer.
We can take this offline and maybe you can explain. Or, I guess I could post a new question here.
You can find:
http://www.coastal-computers-networks.com/id14.html
LVL 24

Assisted Solution

by:rfc1180
rfc1180 earned 250 total points
ID: 33651125
>So they expect me to have a setup where they pretty much expect a bridge over the internet, which I know is possible with some means of DOT1Q tunnelling, but have no idea how or where to start.

Very possible; we have this deployed in several POPs where they do not have a common backbone (separate AS numbers) for customers that need end-to-end VLANs.

More information here:
http://www.openflowswitch.org/wk/index.php/Tunneling_-_GRE/L2TP#Layer_2_Protocol_Tunneling

Good Luck
Billy
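As an added example (not configuration from this thread, from Cisco's document or from the link rfc1180 posted), this is the IOS L2TPv3 pseudowire that Kvistofta's accepted solution and rfc1180's layer-2 tunnelling pointer describe: one 802.1Q VLAN bridged between two routers that share nothing but public IP reachability. Interface names, the documentation addresses 203.0.113.10 and 198.51.100.10, VLAN 10, the VC id and the shared secret are all assumed; site A is shown and site B mirrors it.

```text
! --- Site A router (assumed: an IOS release with L2TPv3 support, such as
! --- the 12.3T train the accepted solution links) ---
!
! Control channel: require authentication so only a peer holding the shared
! secret can bring a session up (placeholder secret, replace it).
l2tp-class L2TPV3-CLASS
 authentication
 password 0 REPLACE-WITH-SHARED-SECRET
 hello 10
!
! Pseudowire class: L2TPv3 encapsulation sourced from the public address.
pseudowire-class PW-SITE-B
 encapsulation l2tpv3
 protocol l2tpv3 L2TPV3-CLASS
 ip local interface FastEthernet0/0
 ip pmtu
!
interface FastEthernet0/0
 description Internet-facing (assumed public address)
 ip address 203.0.113.10 255.255.255.0
 ip access-group FROM-PEER in
!
! Attachment circuit: the dot1Q subinterface for VLAN 10 carries no IP
! address; whole Ethernet frames, DHCP broadcasts included, go to the peer.
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 198.51.100.10 10 encapsulation l2tpv3 pw-class PW-SITE-B
!
! Assumed ISP next hop for reaching the peer.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Expose the tunnel endpoint to the peer only. L2TPv3 over IP is IP
! protocol 115; packet-too-big must get through for "ip pmtu" to work.
ip access-list extended FROM-PEER
 permit 115 host 198.51.100.10 host 203.0.113.10
 permit icmp any host 203.0.113.10 packet-too-big
 deny ip any any log
!
! Site B mirrors this: same secret and VC id (10), "ip local interface" on
! its own public interface, xconnect 203.0.113.10 10 ..., ACL hosts swapped.
```

L2TPv3 authenticates only the session setup; the bridged frames themselves cross the internet unencrypted, so in practice the protocol-115 traffic between the two public addresses is also wrapped in an IPsec tunnel between the routers. Every broadcast on VLAN 10 now traverses the link, so the bandwidth concern ArneLovius raised applies in full.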