Extending VLANs Across Network and NAT Too!

Unanswered Question
Jan 21st, 2008

I have two design questions that I would like to get answered if at all possible. I don't need config help but just an understanding of how this is accomplished.


In an enterprise network that consists of direct internet access at the corporate or main location with multiple branch offices and remote locations whose traffic has to come back to corporate before going to the internet, how is layer 2 trunking and VLANs supported?


How do I get a VLAN at the corporate office to reside at a branch location while traversing several routers over L3? Say I needed one port on a switch at the branch office to be in the 'Public' VLAN because they wanted to place a public-facing server there. Or, say I wanted to extend a management VLAN across the entire network. How is this accomplished across the routers?


This brings me to my next question, on NAT. Please refer to the diagram. I have a firewall that NATs traffic for public servers residing on the inside interface. Say I have a private WAN that connects a remote location that is accessible only internally. How would I NAT a public address to a server that doesn't reside on the inside network? Is it possible?


Thanks for your help!



Jon Marshall Mon, 01/21/2008 - 14:38

Hi


If you are running an MPLS network, you could talk to your service provider about running VPLS, which allows you to extend VLANs across an MPLS network.


If you aren't, then you can use L2TPv3, which allows you to extend a VLAN across an L3 routed network. See the linked document for details:


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a756b.html


As for the NAT, I'm not quite sure I fully understand. You can NAT any private address to a public IP address. As long as that private address is reachable from the firewall and the firewall is reachable from the private address, it doesn't matter how many routers, switches, etc. are between the firewall and the private address.


Hope I have understood.


Jon
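As an added example, not taken from Jon's post or from the linked feature guide: an IOS L2TPv3 pseudowire in Ethernet VLAN mode that carries VLAN 100 (the 'Public' VLAN from the question) between a headquarters router and a branch router across the routed WAN. The hostnames, loopback and peer addresses, VC ID 100, interface names and the shared secret are all assumptions. Two caveats a practitioner should weigh before doing this: the l2tp-class password authenticates only the L2TPv3 control channel, so the tunneled Ethernet frames cross the WAN in the clear unless the pseudowire itself is carried inside an IPsec tunnel; and once VLAN 100 exists at the branch, that switch port is part of the corporate DMZ for every purpose, including firewall rules and ACLs that were written assuming the segment ends at headquarters.

```cisco
! ---- CORP (headquarters router) ----
hostname CORP
!
! Control-channel authentication only; data frames are not encrypted.
! Assumed shared secret, must match on both ends.
l2tp-class L2TP-AUTH
 authentication
 password L2TPSECRET
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
! Tunnel endpoint; must be reachable from the branch over the routed WAN.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Dot1Q subinterface for VLAN 100 toward the corporate core switch.
! VC ID 100 and the peer loopback must match the branch side.
interface GigabitEthernet0/1.100
 description Public VLAN 100 toward core switch
 encapsulation dot1Q 100
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! ---- BRANCH (remote router) ----
hostname BRANCH
!
l2tp-class L2TP-AUTH
 authentication
 password L2TPSECRET
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
! The branch switch port carrying the public server is trunked into
! VLAN 100 on this subinterface; it is now on the corporate DMZ.
interface GigabitEthernet0/1.100
 description Public VLAN 100 toward branch switch
 encapsulation dot1Q 100
 xconnect 10.255.0.1 100 encapsulation l2tpv3 pw-class PW-L2TPV3
```

After both ends are up, `show xconnect all` and `show l2tun session` show the pseudowire state. The WAN path MTU has to leave room for the L2TPv3 and outer IP headers, or frames that were fine on the local VLAN will be dropped in the tunnel.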

ryanparr9 Tue, 01/22/2008 - 12:24

Thanks for the info. As for extending VLANs across a routed network, I thought it was simpler than that and that I was just missing something. Are there other tactics that enterprises would use, or do they generally not extend VLANs through the organization?


As for NAT, I assumed that the address on the private side of the firewall had to be attached to the inside interface. It sounds like it just has to be pingable though and it should work.


Thanks for your help!
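An added example, not part of either post: static NAT on an IOS router acting as the firewall, publishing a server that sits at a branch behind the private WAN rather than on a directly attached inside segment. Addresses, interface names and next hops are assumptions (203.0.113.0/24 is a documentation prefix), and the firewall is assumed to be an IOS router rather than a PIX/ASA, where the syntax differs. The two conditions Jon gives map directly onto this config: the firewall needs a route to the branch subnet that leaves through an interface marked `ip nat inside`, and the branch's default route must come back through this same firewall. Being pingable is not quite enough: if the branch ever gets its own Internet exit, the server's replies leave untranslated and the published service breaks.

```cisco
! ---- FW (IOS router doing NAT at headquarters) ----
hostname FW
!
! Assumed: branch subnet 10.50.1.0/24 is reached through the core at 10.0.0.2.
! Without this route the "inside" address is unreachable and NAT never applies.
ip route 10.50.1.0 255.255.255.0 10.0.0.2
!
! The interface through which the branch is reached carries "ip nat inside";
! the server does not have to be directly attached.
interface GigabitEthernet0/0
 description Inside: core and private WAN
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside: Internet
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Publish only TCP/443. A bare "ip nat inside source static 10.50.1.10
! 203.0.113.10" would expose every port on the branch server.
ip nat inside source static tcp 10.50.1.10 443 203.0.113.10 443
!
! For outside-to-inside traffic the inbound ACL is evaluated before NAT,
! so it matches on the public address. Return traffic for sessions started
! from inside is assumed to be allowed by the router's stateful inspection
! (zone-based firewall or CBAC), which is not shown here.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
! ---- BRANCH router (assumed) ----
hostname BRANCH
!
! Default route toward the corporate core so replies from 10.50.1.10
! traverse FW and match the translation. A local Internet exit at the
! branch would send them out untranslated and the session would fail.
ip route 0.0.0.0 0.0.0.0 10.0.1.1
```

`show ip nat translations` on FW should show the static entry for 203.0.113.10:443 before any client connects, and a dynamic child entry per connection once traffic flows; a `traceroute` from the branch server to an Internet address should pass through FW's inside address on the way out.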
