Mr_Networks
Transfer VLAN over VPN

Hi,
I work in the Disaster Recovery area, where we have many customers and sometimes they need to connect back to their base, which is on the same subnet, or to one of our sites for work area. I need to have a way of communication between different sites, no more than 2 at a time. Each site has its own public IP address and no MPLS network. So they expect me to have a setup where they pretty much expect a bridge over the internet, which I know is possible with some means of DOT1Q tunnelling, but I have no idea how or where to start. I have access to ASA 5520 or PIX 515 or Cisco 3640 router, so any solution can be implemented by me. Your help is very much appreciated.

 
ckbhupen

Have you considered site-to-site VPN using Cisco ASA 5520?
ArneLovius
Why do you need to bridge between two subnets ?

it would be much more efficient if you routed between them.

If you bridge, then all broadcast traffic will also be bridged, and depending on the link bandwidth, this may have a significant effect on performance.
ckbhupen: ASA l2l-vpn cannot do bridging.

ArneLovius: I can't speak for the author here, but the question can be highly relevant. What if you DO have one common network split between different sites? I have seen it happen, for example in VMware environments that require the HA VMs to be on the same VLANs no matter which physical site they are on.

Mr Networks: Cool question. I can say for sure that you can't do it with ASA, because its VPN is limited to crypto map implementations. I was thinking of doing bridging with tunnel interfaces and just tried it out in my lab without success, so I follow this thread with a load of interest to see if someone else can come up with something useful. But I can say for sure that you need to use your 3600 routers to make this happen.

/Kvistofta


Mr_Networks

ASKER

@Kvistofta:
You are correct in saying that I have both sites on the same subnet, possibly having a DHCP server on one side supplying DHCP leases to PCs on the other site.

Basically, due to the nature of my work, I do not have much control over the IP address assignment. And we need the customer to see it as a LAN extension, except that it is done over the internet.
I'm wondering if using double NAT (NAT on both sides) in combination with proxy ARP would work on a per-host basis. It's not a true bridge, but just a way of pretending...

host-a (10.0.0.1) sends a packet to host-b (10.0.0.2)

asa-a proxy ARPs for host-b, NATs it to be FROM a different address (192.168.1.1) and forwards it (over the VPN) TO 192.168.2.1.

asa-b NATs 192.168.2.1 to be FROM 10.0.0.1 and forwards it to 10.0.0.2

so static and dynamic NAT in both directions, in combination with proxy ARP for the "remote" hosts

------------

I used to maintain sites that used bridged IPX/SPX for a local government, over 64k leased lines....

When I finally persuaded them to move to routed, the difference it made was enormous :-)
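The double-NAT and proxy-ARP scheme sketched above, as an added model (not code from the thread and not an ASA configuration): each site's box hides its own 10.0.0.0/24 hosts behind a per-site overlay block on the VPN and answers ARP for the far site's hosts. The overlay blocks 192.168.1.0/24 and 192.168.2.0/24, the host numbers and the `Asa`/`Packet` classes are constructed for this model. It also shows why the scheme needs a static host list: an address the box has no entry for, such as a fresh DHCP lease, simply cannot be translated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Asa:
    """One site's edge box: static 1:1 NAT in both directions plus proxy ARP
    for the far site's hosts. Blocks and host lists are constructed values."""

    def __init__(self, name, local_block, remote_block, local_hosts, remote_hosts):
        self.name = name
        # inside -> VPN: 10.0.0.x becomes <local_block>.x for hosts at this site
        self.out_map = {f"10.0.0.{h}": f"{local_block}.{h}" for h in local_hosts}
        # proxy-ARP list: hosts at the far site and the overlay address used for them
        self.proxy = {f"10.0.0.{h}": f"{remote_block}.{h}" for h in remote_hosts}
        self.in_map = {v: k for k, v in self.out_map.items()}    # VPN -> inside
        self.peer_map = {v: k for k, v in self.proxy.items()}    # far overlay -> 10.0.0.x

    def to_vpn(self, pkt):
        """LAN packet to a proxied host; None if either address has no static
        entry, which is exactly what happens for an address handed out by DHCP."""
        if pkt.dst not in self.proxy or pkt.src not in self.out_map:
            return None
        return Packet(self.out_map[pkt.src], self.proxy[pkt.dst])

    def from_vpn(self, pkt):
        """VPN packet from the peer: put both 10.0.0.x addresses back."""
        return Packet(self.peer_map[pkt.src], self.in_map[pkt.dst])


def round_trip(a, b, pkt):
    """Trace a packet from site A to site B and the reply home; list of hops."""
    wire = a.to_vpn(pkt)
    delivered = b.from_vpn(wire)
    reply = Packet(delivered.dst, delivered.src)
    reply_wire = b.to_vpn(reply)
    return [pkt, wire, delivered, reply, reply_wire, a.from_vpn(reply_wire)]


# Constructed topology: hosts .1 and .3 live at site A, .2 and .4 at site B.
ASA_A = Asa("asa-a", "192.168.1", "192.168.2", {1, 3}, {2, 4})
ASA_B = Asa("asa-b", "192.168.2", "192.168.1", {2, 4}, {1, 3})

if __name__ == "__main__":
    for hop in round_trip(ASA_A, ASA_B, Packet("10.0.0.1", "10.0.0.2")):
        print(hop)
    print(ASA_A.to_vpn(Packet("10.0.0.50", "10.0.0.2")))  # unknown DHCP lease: None
```

Every address that should reach the far site has to be listed on both boxes in advance, which is the gap a single DHCP server spanning both sites leaves open.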


True. This would be a good solution. But when I have a DHCP server on one side supplying IP addresses to both sides, I will have no means of specifying which addresses are to be NATted and which are just local IP addresses.
ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH
My bad, the Juniper example was just another double NAT.

The L2TPv3 is probably the best (possibly only...) way, apart from "rolling your own" as per the other link I posted.
I did consider L2TPv3 when I first started but got carried away when we got the 5520s. I will try out the L2TP. Will keep you updated on the progress.
The Juniper solution says:
"However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the host’s routing table."
...and the diagram shows the same local IP address in use at each end.
So, I might help more, but how is this supposed to work? It sounds a little like a "then a miracle occurs" block in the diagram.

Presumably the issue cannot be addressed by avoiding having identical IP addresses at each site as a general rule.
But if you want or need (why?) to use a single DHCP server that spans the sites then that general (and very understandable) requirement must not be one that's needed here.  
Since identical addresses aren't *planned* in general then maybe they aren't needed in specific either.  That suggests splitting up the address range between sites in blocks.

An easy solution to all this and the DHCP might be to just use two DHCP servers (one at each site) and have their address ranges different. I can see how doing that could help deal with the "same subnet" issue by splitting the subnet into ranges - which could become sub-subnets. But, if that were to be the case then you'd not actually have the "same subnet" problem. For example, you could have 192.168.1.0 / 25 and 192.168.128.0 /25 (i.e. 255.255.255.128) with 126 usable addresses each.

Then, depending on the gateway devices, it may be easy enough to route packets from site to site.
fmarshall:

if you read through the Juniper solution, on page it is doing NAT at each end

your last paragraph is exactly as I suggested...

If however for whatever reason the two sites _need_ to be bridged, it would appear that another platform is required.

ArneLovius:
yes, I see that it's doing NAT on each end. That doesn't answer how it works at the originating computer.
We can take this offline and maybe you can explain. Or, I guess I could post a new question here.
You can find:
http://www.coastal-computers-networks.com/id14.html