Tunnel VLANs through GRE

Unanswered Question
Jun 9th, 2008

Ok, so I'm kind of new at this, but I think I've been coming along so far. This question may be simple for some, but after much searching, I have not been able to come up with an answer.

Problem: Need to extend a Guest VLAN access over our private bonded T1 WAN to our remote site. We currently have a separate layer 2 VLAN at the main office that allows only internet traffic out a separate cable modem. I need to extend that VLAN (we'll call it VLAN 2) to our remote site. From what I have found so far, it sounds like I could set up a GRE tunnel and have VLAN 2 go through that to the remote site. But, I am unsure how to configure that. I found some procedures on how to create the basic GRE tunnel, but how would I associate that to VLAN 2 only, and not VLAN 1? Is this even possible? Also, because it's a private WAN, I do not require IPSec.

Routers: Main office: Cisco 3825. Remote Office: Cisco 2811

Thanks for any help!

Jon Marshall Mon, 06/09/2008 - 13:33

It's possible to extend a L2 vlan across a routed network. However, using GRE is not a supported configuration from Cisco and I don't know of any docs on CCO for it.

However, there is something called L2TPv3 which allows you to do exactly what you want. It does depend on whether your equipment supports it. Attached is a link explaining it in more detail.

http://www.cisco.com/en/US/netsol/ns588/networking_solutions_white_paper09186a008017fa6e.shtml

Jon

fishcorefish Mon, 06/09/2008 - 13:35

Thanks a lot! I'll look over this document to see what I can figure out.

Thanks!

Paolo Bevilacqua Mon, 06/09/2008 - 14:18

Hi,

there is no reason for trying to extend VLANs in your case.

On the remote site, you will have another "guest vlan" and by the use of ACLs on both routers, the subnet pertaining to this VLAN will be able to access the internet only.

The ACLs are of the basic type and are applied as "ip access-group" under the interfaces of the LANs that you're protecting.

eg,

access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
!
interface fa0/0
 ! fa0/0 is the protected LAN; a standard ACL matches on source address,
 ! so it has to be applied outbound (toward that LAN) to stop guest-sourced traffic
 ip access-group 50 out

Hope this helps, please rate post if it does!
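A fuller version of the same idea, added here as an example and not taken from either poster's configuration: an extended ACL on the remote guest VLAN interface that allows only public destinations, plus a second ACL on the main-office WAN interface so guest traffic arriving over the T1 can never reach the head-office LAN. VLAN IDs, interface names and all addresses (guest 192.168.2.0/24, head-office LAN 192.168.1.0/24) are assumptions.

```cisco
! Remote office router (the 2811 in the thread). All addresses, VLAN IDs and
! interface names below are assumed for this example.
!
! Applied inbound on the guest subinterface: filtering guest-originated traffic as
! it enters the router means nothing guest-sourced reaches the WAN toward internal
! subnets. Denying the whole RFC1918 space covers both sites' LANs and the WAN link.
ip access-list extended GUEST-INTERNET-ONLY
 remark guests still need DHCP from the router / relay
 permit udp any eq bootpc any eq bootps
 remark block all private destinations (both sites' LANs, WAN addressing)
 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark whatever is left is public address space, i.e. the internet
 permit ip 192.168.2.0 0.0.0.255 any
 remark anything not sourced from the guest subnet on this VLAN is spoofed
 deny   ip any any log
!
interface FastEthernet0/0.2
 description Guest VLAN 2 (remote site)
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
!
! Main office router (the 3825): second line of defence on the WAN side, so even if
! the remote ACL is removed or bypassed, guest traffic over the bonded T1 (assumed
! to be an MLPPP bundle here) cannot reach the head-office LAN; everything else,
! including guest traffic headed for the production internet connection, passes.
ip access-list extended WAN-IN-NO-GUEST
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface Multilink1
 description Bonded T1 to remote site
 ip access-group WAN-IN-NO-GUEST in
```

The `log` keywords on the deny lines are what let you see, in `show logging`, whether anything on the guest VLAN is probing the internal ranges.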

fishcorefish Mon, 06/09/2008 - 14:24

Thanks for the reply! So, you're saying to create a separate layer 3 VLAN up there and through ACLs it will only allow access out to the internet. Doing this would direct that internet traffic out our production internet connection instead of that separate cable modem (which I don't care about). So, this configuration would be done on the switch up there, not the router, right? That sounds like it would be a simpler approach.

Thanks!

Paolo Bevilacqua Mon, 06/09/2008 - 14:40

Well, basically yes.

Then to decide exactly what configuration is needed and where, one would need to see a detailed diagram and current configs.

But with a little common sense you can figure that out anyway.
