MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.
Course Of The Month
5 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Transfer VLAN over VPN
Posted on 2010-09-10
Hi,
I work in Disaster recovery area where we have many customers and sometimes they need to connect back to their base which is on the same subnet or to one of our sites for workarea. I need to have a way of communication between different sites no more than 2 at a time. each site has its own public ip address and no MPLS network. So they epect me to have a setup where they pretty much expect a bridge over the internet which i know is possible with some means of DOT1Q tunnelling but have no idea howor where to start. I have access to ASA 5520 or PIX 515 or cisco 3640 router. so any solution can be implemented by me. You help is very much appreciated.
I work in Disaster recovery area where we have many customers and sometimes they need to connect back to their base which is on the same subnet or to one of our sites for workarea. I need to have a way of communication between different sites no more than 2 at a time. each site has its own public ip address and no MPLS network. So they epect me to have a setup where they pretty much expect a bridge over the internet which i know is possible with some means of DOT1Q tunnelling but have no idea howor where to start. I have access to ASA 5520 or PIX 515 or cisco 3640 router. so any solution can be implemented by me. You help is very much appreciated.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
6-
3
2- +3
15 Comments
Why do you need to bridge between two subnets ?
it would be much more efficient if you routed between them.
If you bridge, then all broadcast traffic will also be bridged,and depending on the link bandwidth, this may have a significant effect on performance.
it would be much more efficient if you routed between them.
If you bridge, then all broadcast traffic will also be bridged,and depending on the link bandwidth, this may have a significant effect on performance.
ckbhupen: ASA l2l-vpn cannot do bridging.
ArneLovius: I cant spear for the author here but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in Vmware-environments that requires the HA VM:s to be on the same vlans no matter which physical site they are on.
Mr Networks: Cool question. I can say for sure that you cant do it with ASA, because its vpn is limited to crypto map implementations. I was thinking of doing bridging with tunnel-interfaces and just tried it out in my lab without success so I follow this thread with a load of interrest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.
/Kvistofta
ArneLovius: I cant spear for the author here but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in Vmware-environments that requires the HA VM:s to be on the same vlans no matter which physical site they are on.
Mr Networks: Cool question. I can say for sure that you cant do it with ASA, because its vpn is limited to crypto map implementations. I was thinking of doing bridging with tunnel-interfaces and just tried it out in my lab without success so I follow this thread with a load of interrest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.
/Kvistofta
@Kvistofta:
You are correct in saying that i have both sites on the same subnet possibly having a DHCP server on one side supplying DHCP leases to pcs on the other site.
Basically due to the nature of my work i do not have much control over the IP address assignment. And we need the customer to see it as a lan extension. Except that it is done over the internet.
You are correct in saying that i have both sites on the same subnet possibly having a DHCP server on one side supplying DHCP leases to pcs on the other site.
Basically due to the nature of my work i do not have much control over the IP address assignment. And we need the customer to see it as a lan extension. Except that it is done over the internet.
I'm wondering if using double NAT (NAT both sides) in combination with proxy ARP would work on a per host basis, its not a tru bridge, but just a way of pretending...
host-a (10.0.0.1) a sends a packet to host-b (10.0.0.2)
asa-aa proxy arps host b, nats it to be FROM a different address (192.168.1.1) and forwards (over the VPN) TO 192.168.2.1.
asa-b nats 192.168.2.1 to be FROM 10.0.0.1 and forwards it to 10.0.0.2
so static and dynamic nat in both directions, in combination with proxy arp for the "remote" hosts
------------
I used to maintain sites that used bridged IPX/SPX for a local governmant, over 64k leased lines....
When I finally persuaded them to move to routed, the difference it made was enormous :-)
host-a (10.0.0.1) a sends a packet to host-b (10.0.0.2)
asa-aa proxy arps host b, nats it to be FROM a different address (192.168.1.1) and forwards (over the VPN) TO 192.168.2.1.
asa-b nats 192.168.2.1 to be FROM 10.0.0.1 and forwards it to 10.0.0.2
so static and dynamic nat in both directions, in combination with proxy arp for the "remote" hosts
------------
I used to maintain sites that used bridged IPX/SPX for a local governmant, over 64k leased lines....
When I finally persuaded them to move to routed, the difference it made was enormous :-)
you might need to look at other platforms
http://www.usenix.org/event/usenix2000/freenix/full_papers/keromytis/keromytis_html/node9.html
http://www.usenix.org/event/usenix2000/freenix/full_papers/keromytis/keromytis_html/node9.html
True. This would be a good solution. But when i have a DHCP server on one side supplying ip addresses to both sides i will have no means of specifying which addresses are to be natted and which are just local ip addresses.
ArneLovius: Your example works but it will never be a l2-connection (transferring dhcp requests, other broadcasts and pure l2-packets).
Mr Networks: Have a look at l2tpv3, that is probably what you are looking for. Havent tried it myself but it can be done with the 3640-router you have. Doesnt look that complicated to try out.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html
/Kvistofta
Mr Networks: Have a look at l2tpv3, that is probably what you are looking for. Havent tried it myself but it can be done with the 3640-router you have. Doesnt look that complicated to try out.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html
/Kvistofta
my bad, the juniper example was just another double NAT
the L2TPv3 is probably the best (possibly only...) way apart from "rolling your own" as per the other link I posted
the L2TPv3 is probably the best (possibly only...) way apart from "rolling your own" as per the other link I posted
I did consider L2TPV3 when i first started but got carried away when we got the 5520s. I will try out the L2TP. Will keep u updated on da progress.
Active today
The Junper solution says:
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host’s routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more but how is this supposed to work? It sounds a little like a "then a miracle occurs" block in the diagram.
Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites then that general (and very understandable) requirement must not be one that's needed here.
Since identical addresses aren't *planned* in general then maybe they aren't needed in specific either. That suggests splitting up the address range between sites in blocks.
An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different. I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges - whcih could become sub-subnets. But, it that were to be the case then you'd not actually have the "same subnet" problem. For example, you could have 192.168.1.0 / 25 and 192.168.128.0 /25 (i.e. 255.255.255.128) with 126 usable addresses each.
Then, depending on the gateway devices, it may be easy enough to route packets from site to site.
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host’s routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more but how is this supposed to work? It sounds a little like a "then a miracle occurs" block in the diagram.
Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites then that general (and very understandable) requirement must not be one that's needed here.
Since identical addresses aren't *planned* in general then maybe they aren't needed in specific either. That suggests splitting up the address range between sites in blocks.
An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different. I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges - whcih could become sub-subnets. But, it that were to be the case then you'd not actually have the "same subnet" problem. For example, you could have 192.168.1.0 / 25 and 192.168.128.0 /25 (i.e. 255.255.255.128) with 126 usable addresses each.
Then, depending on the gateway devices, it may be easy enough to route packets from site to site.
fmarshall:
if you read through the juniper solution, on page it is doing nat at each end
your last paragraph is exactly as I suggested...
If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.
if you read through the juniper solution, on page it is doing nat at each end
your last paragraph is exactly as I suggested...
If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.
Active today
ArneLovius:
yes, I see that it's doing NAT on each end. That doesn't answer how it works at the originating computer.
We can take this off line and maybe you can explain. Or, I guess I could post a new question here.
You can find:
http://www.coastal-computers-networks.com/id14.html
yes, I see that it's doing NAT on each end. That doesn't answer how it works at the originating computer.
We can take this off line and maybe you can explain. Or, I guess I could post a new question here.
You can find:
http://www.coastal-computers-networks.com/id14.html
>So they epect me to have a setup where they pretty much expect a bridge over the internet which i know is possible with some means of DOT1Q tunnelling but have no idea howor where to start.
Very possible, we have this deployed in several POPs where they do not have a common backbone (separate AS numbers) for customers that need end to end vlans.
More information here:
http://www.openflowswitch.org/wk/index.php/Tunneling_-_GRE/L2TP#Layer_2_Protocol_Tunneling
Good Luck
Billy
Very possible, we have this deployed in several POPs where they do not have a common backbone (separate AS numbers) for customers that need end to end vlans.
More information here:
http://www.openflowswitch.org/wk/index.php/Tunneling_-_GRE/L2TP#Layer_2_Protocol_Tunneling
Good Luck
Billy
Featured Post
The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Let’s list some of the technologies that enable smooth teleworking.Â
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month5 days, left to enroll
688 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.