VLANs over WAN?

Answered Question
Jun 3rd, 2010

I hope I titled this correctly; however, I wanted to know if it is possible to communicate across VLANs over a WAN or over the internet.

If I am right, we cannot. It is not possible - only through Layer 3 will an IP address be used as the destination, and Layer 2 VLANs are not.

Please advise.

Thanks in advance.


Correct Answer by Federico Coto F... about 6 years 6 months ago

QinQ is normally used by ISPs to transport VLANs across sites (could be through the internet).

It is also a mechanism to avoid conflicts with overlapping VLANs from other customers.

Take a look:

http://en.wikipedia.org/wiki/QinQ

Federico.

Federico Coto F... Thu, 06/03/2010 - 19:53

Joseph,

It is not impossible, because if the WAN is just a layer 2 medium (Ethernet), you can have the same VLAN on both sides of the WAN.

VLANs can be extended across a WAN; the question is why would you want to do it?

It will create a broadcast domain across the WAN and I don't see any benefits.

Hope to help.

Federico.

Hitesh Vinzoda Thu, 06/03/2010 - 23:25

There are two options that come to my mind:

1. Transparent bridging

2. L2TP pseudowire using MPLS

However, it will be a bad design to have layer 2 spanned across the WAN.

HTH

Hitesh Vinzoda

Pls rate useful posts.

joealbergo Fri, 06/04/2010 - 12:54

I always rate everyone that answers my questions. You are all very helpful and it means a lot to have you here. No b.s.

Now to get back on the subject, perhaps because I am not into WANs yet - I might have posed the wrong question.

I guess from what you're saying a WAN could be inside a large building and the medium could be Ethernet cable or fiber, correct?

Which would be no problem because then we just hook up the two switches.

However,

I basically want to have a VLAN communicate with another VLAN - across the internet.

That was what I was asking ----- so I have VLAN99 in Building_A communicate over the internet to VLAN99 in Building_B


Does that make more sense?

Federico Coto F... Fri, 06/04/2010 - 13:06

When you say a WAN that goes through the Internet, what type of communication media are you referring to?

Because a WAN that goes through the Internet could be a point-to-point link, a leased line, an IPsec VPN tunnel, Frame Relay, etc....

Just out of curiosity, what's the benefit of wanting to extend the VLAN over the WAN?

Federico.

joealbergo Fri, 06/04/2010 - 13:35

Federico -

Let's forget I even said WAN - because I might have used the wrong terminology.

I used the word "WAN" thinking it was a Wide-Area-Network (THROUGH) the Internet.

I was just talking about a VLAN over internet VLAN - communication.

joealbergo Fri, 06/04/2010 - 15:33

This is what I was looking for! This is the answer to my question.

This is what I was talking to my professor about. I said to myself, what would be the purpose of having a VLAN on one network, secure computers on one and the remainder on another VLAN, if I cannot continue the security outside of the LAN?

I basically was becoming confused.

See, I was assuming that the router, once looking at the VLAN tag, would turn around and send the frame back to the switch because they are on the same subnet.

So how do you route that frame out the router through the ISP using QinQ? Am I re-encapsulating the second VLAN tag with my SP's equipment outside the router? Or outside the switch?

Federico Coto F... Sat, 06/05/2010 - 10:06

QinQ is pretty much an Ethernet extension of 802.1Q.
Remember that 802.1Q allows a single tag to be inserted into a frame to identify those frames through trunks.
QinQ allows multiple VLAN headers to be inserted into a single frame.

For example when a company chooses to have the same L2 network in geographically separated sites,
the ISP can provide QinQ to extend the VLAN across the WAN.


This is an alternative to having two separate LANs and just route between them.

The ISP uses its own set of tags to identify the VLANs across the SP.


The traffic passes through the SP network as QinQ frames, but when sent to the customer, they are sent as regular 802.1Q frames.

Federico.
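Federico's two QinQ answers above describe the provider edge pushing its own tag in front of the customer's 802.1Q tag and popping it again before handing the frame back. The following Python script is an added example, not code from this thread or from any vendor, that builds and parses such frames with constructed MAC addresses, VLAN IDs and payloads. The outer S-tag uses the 802.1ad TPID 0x88A8, both customers deliberately use C-VLAN 99 to show how the provider's tag keeps overlapping customer VLANs apart, and the pop step refuses a frame whose S-tag does not belong to the customer port it is about to leave on.

```python
import struct

ETH_P_8021Q = 0x8100    # TPID of a customer 802.1Q tag (C-tag)
ETH_P_8021AD = 0x88A8   # TPID of the provider's 802.1ad outer tag (S-tag)
ETH_P_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet frame with zero or more VLAN tags, given outermost first as (tpid, vlan_id)."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI bits left at zero
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags are listed outermost first."""
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):   # either TPID may appear as an outer tag in practice
            break
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, tpid, frame[offset + 2:]


def sp_push_stag(frame, s_vid):
    """Provider edge, customer-facing port: push the S-tag in front of whatever the customer sent."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021AD, s_vid & 0x0FFF) + frame[12:]


def sp_pop_stag(frame, expected_s_vid):
    """Provider edge leaving toward a customer: strip the S-tag, but only if it belongs to this customer."""
    tags = parse_frame(frame)[2]
    if not tags or tags[0] != (ETH_P_8021AD, expected_s_vid):
        raise ValueError("outer tag does not match this customer port; frame dropped")
    return frame[:12] + frame[16:]


def demo():
    """Two customers that both use VLAN 99 share one provider core without touching each other."""
    bcast = bytes.fromhex("ffffffffffff")                          # constructed addresses and payloads
    cust_a = build_frame(bcast, bytes.fromhex("020000000a01"), ETH_P_IPV4,
                         b"customer A", [(ETH_P_8021Q, 99)])
    cust_b = build_frame(bcast, bytes.fromhex("020000000b01"), ETH_P_IPV4,
                         b"customer B", [(ETH_P_8021Q, 99)])

    a_in_core = sp_push_stag(cust_a, 100)   # provider assigns S-VID 100 to customer A
    b_in_core = sp_push_stag(cust_b, 200)   # and S-VID 200 to customer B

    try:
        sp_pop_stag(a_in_core, 200)         # customer A's frame arriving at customer B's port
        cross_customer_rejected = False
    except ValueError:
        cross_customer_rejected = True

    return {
        "a_tags": parse_frame(a_in_core)[2],
        "b_tags": parse_frame(b_in_core)[2],
        "a_roundtrip": sp_pop_stag(a_in_core, 100) == cust_a,
        "b_roundtrip": sp_pop_stag(b_in_core, 200) == cust_b,
        "payload_untouched": parse_frame(a_in_core)[4] == b"customer A",
        "cross_customer_rejected": cross_customer_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Older equipment often uses 0x8100 for the outer tag as well, which is why the parser accepts either TPID in the outer position; a parser keyed only on 0x88A8 would misread such a frame as single-tagged. The check that matters at the provider edge is the one in sp_pop_stag: the outer tag must match the customer port, otherwise two customers who both chose VLAN 99 would bleed into each other.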

Correct Answer
belovell Sat, 06/05/2010 - 10:46

What I assume you are looking for (given the meaning of "WAN" in this context) is to encap L2 frames so they can be sent across L3 domain(s) or a VC (virtual circuit). QinQ would not provide for this, as it is L2-in-L2 encap.

1) L2TPv3

L2TPv3 provides a VC over an IP network. The full L2 frame is wrapped up in headers like so:

L2 WAN header|IP header|L2TPv3 header|L2 payload

Fragmentation of VC packets is not desirable for performance reasons but is not detrimental.

2) EoMPLS

EoMPLS provides a VC over an MPLS network. Headers look like so:

L2 WAN header|MPLS path label|VC label|L2 payload

Fragmentation of VC packets is detrimental and must be avoided.

If you are not familiar with MPLS networks then L2TPv3 is your best bet, as it only requires IP connectivity between the two VC end points.

I can post simple configs if you think it would help you understand.

-Ben

joealbergo Sat, 06/05/2010 - 11:27

Belovell.

Your response was extremely helpful also.

This is more what I was trying to begin the topic with. I was trying to learn about "if start off with a LAN using a few switches and a router"

So inside the one LAN I had VLAN's and this would be at one area in one city.

Then have another identical setup in another city - with VLAN's that I want to continue filtering.


From city to city I would want to retain the VLAN configurations for consistency going across the internet or by any medium possible.

-------------------------------------------------------

My professor had brought up something that sort of brings another question regarding this. -----

If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

----------------------------------------------------

I am going to have to study MPLS and L2TPv3 - I have only heard of these in discussion, never in my books or classes.

So I believe your answer was more direct towards my initial question.

Everyone here has offered me such great information towards my Cisco education and I appreciate that a lot.

Belovell - Anything you post up here I will use and read and study.  Thank you again.

belovell Sat, 06/05/2010 - 11:59

If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

Consider the following topo

switch--router---router--switch

Each router has an xconnect statement on the interface facing its nearside switch (no IP address -- routing IP packets on this interface is no longer possible; all frames must go over the VC). The routers will blindly encap all frames that come in that interface and send the traffic over the VC. So the topo from the switches' point of view is just switch---switch. Just as the term Virtual Circuit implies, the switches function as if they are connected right to each other.

So to answer your question, the routers do not care about subnets or MAC addresses(they just encap and send to the other end). Per vanilla ethernet bridging rules, if the switches' source MAC lookup points out the interface facing the VC then the frame will go to the router to be tunneled.

-Ben

joealbergo Sat, 06/05/2010 - 12:17

Ben

So I am going to have to look into the VC - what is that exactly?

and....

"if the switches' source MAC lookup points out the interface facing the VC"

This means the switch on the opposite side has to be set in the first switch's lookup table.

So switch1----(table)----router----router----switch2

Switch1 knows the source mac is to the router - router forwards to switch2?

I am here online studying so I will await your reply. Thank you

Joe

Giuseppe Larosa Sat, 06/05/2010 - 13:55

Hello Joe,

>> If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

This is the key point, as explained by Ben, who has also provided some internal details.

A dedicated interface or vlan subinterface is needed for the L2TPv3 or EoMPLS service.

The service provided is a point-to-point L2 transport service, and the router just checks if the frame is correct and if the 802.1Q tag vlan-id field = X = enc dot1q X in the subinterface.

The router might provide also L3 services to the IP subnet but it needs to do this using a different interface/subinterface

VC = Virtual Circuit we indicate with this term the point-to-point transport service provided by EoMPLS or by L2TPv3.

Ben has added other details. To make you understand how blind the forwarding over the VC is, I give an example:

Some years ago I tested an EoMPLS solution over a production MPLS network using high-end 12000 GSR routers.

By using a traffic generator I could send IPv6 packets with a specific VLAN tag. The frames were taken and sent to another town where, with a trick, they were re-injected with another vlan-id in another VC and then came back to the initial PE node with a different VLAN tag.

When we had tested in a lab we discovered that the router accepted to carry over the pseudowire (another name for the VC) frames with MAC destination address equal to that of its own interface!!!

The case of multilayer switches can be different, but also for scalability reasons only the L2 switch populates its CAM table with the MAC addresses of the remote site and associates them with the port to the router providing the VC.

However, as noted by Hitesh, this kind of setup should be avoided because WAN routers have much less forwarding capability than LAN switches and because broadcast traffic will consume WAN bandwidth.

Some use of this is seen in some disaster recovery designs that ask for extending selected VLANs between the central site and the disaster recovery site.

Another use of L2TPv3, maybe protected by IPsec, I saw in a course about IP telephony: instead of carrying the call manager servers and other devices, we had some VLANs carried over the internet to the site where the servers were located.

We could make our labs.

Hope to help

Giuseppe

joealbergo Sat, 06/05/2010 - 15:16

Thanks Giuseppe, that is my name as well. However I go by Joe or Joseph

Ben,

What does this mean: "Each router has an xconnect statement on the interface facing its nearside switch (no ip address -- routing IP packets on this interface is no longer possible, all frames must go over the VC)."

belovell Sat, 06/05/2010 - 16:07

joealbergo wrote:

Thanks Giuseppe, that is my name as well. However I go by Joe or Joseph

Ben,

What does this mean: "Each router has an xconnect statement on the interface facing its nearside switch (no ip address -- routing IP packets on this interface is no longer possible, all frames must go over the VC)."

Consider the following configs of two routers that use L2TPv3. They are one hop away from each other but this is irrelevant. They just need to be able to deliver IP packets between 1.1.1.1 and 2.2.2.2.

switch1(e1/1)--(e0/2)router1(e0/1)--(e0/1)router2(e0/2)--(e1/1)switch2

router1

pseudowire-class VC1
 encapsulation l2tpv3
 ip local interface Loopback0        <--- source tunnel packets from 1.1.1.1
!
interface Loopback0                  <--- local VC tunnel endpoint
 ip address 1.1.1.1 255.255.255.255
!
interface e0/1
 ip address 192.168.1.1 255.255.255.0
!
interface e0/2
 xconnect 2.2.2.2 100 pw-class VC1   <--- create tunnel to 2.2.2.2 using parameters in pseudowire-class VC1;
                                          100 is the VC ID, which IOS requires and which must match on both ends
!
ip route 2.2.2.2 255.255.255.255 192.168.1.2

router2

pseudowire-class VC1
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface e0/1
 ip address 192.168.1.2 255.255.255.0
!
interface e0/2
 xconnect 1.1.1.1 100 pw-class VC1
!
ip route 1.1.1.1 255.255.255.255 192.168.1.1

When a frame comes in router1 (e0/2) it is encap'd in an L2TPv3 header and an IP header 1.1.1.1->2.2.2.2. When the tunnel packet gets to 2.2.2.2, router2 decaps the IP and L2TPv3 headers and sends the frame out its e0/2 interface just as it was when it came into router1. All frames that come in e0/2 MUST go to the other end of the tunnel. This is what I mean by "routing IP packets on this interface is no longer possible, all frames must go over the VC".

-Ben
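To make Ben's description of the two xconnect interfaces concrete, here is an added Python simulation (not IOS code and not from anyone in this thread) of what they do: router1 wraps every frame arriving on e0/2 in an L2TPv3 session header and an IPv4 header 1.1.1.1 -> 2.2.2.2 (IP protocol 115, which is L2TPv3 over IP per RFC 3931), and router2 strips both and hands the frame out unchanged. The session IDs, the 8-byte cookie, the MAC addresses and the payload are constructed, and using one shared cookie for both directions is a simplification of the real protocol. The inner frame is deliberately addressed to router1's own e0/2 MAC to show the point Giuseppe makes, that the pseudowire carries it anyway. The same block also illustrates two things from Ben's earlier answer: the headers add 32 bytes here, so a full-size 1514-byte frame no longer fits a 1500-byte WAN MTU, and the session ID plus cookie is all the receiving router can check before injecting a received frame into the LAN, which is why the IPsec-protected variant Giuseppe mentions is what you would want over the internet.

```python
import struct
import ipaddress

L2TPV3_IP_PROTO = 115   # IANA protocol number for L2TPv3 carried directly over IP (RFC 3931)
IPV4_HDR_LEN = 20
SESSION_ID_LEN = 4


def ipv4_checksum(header):
    """One's-complement checksum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options, DF bit set (tunnel packets should not fragment)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0x4000, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    fields = fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]
    return fields + payload


class PseudowireEndpoint:
    """One end of the VC: models the xconnect interface of router1 or router2 in Ben's configs."""

    def __init__(self, local_ip, remote_ip, local_session_id, remote_session_id, cookie, wan_mtu=1500):
        self.local_ip = local_ip                      # the Loopback0 address used as tunnel source
        self.remote_ip = remote_ip                    # the peer given on the xconnect line
        self.local_session_id = local_session_id      # session ID the peer must put in packets sent to us
        self.remote_session_id = remote_session_id    # session ID we put in packets sent to the peer
        self.cookie = cookie                          # constructed 8-byte cookie; shared both ways here
        self.wan_mtu = wan_mtu

    def overhead(self):
        """Bytes added in front of every frame: outer IPv4 + session ID + cookie."""
        return IPV4_HDR_LEN + SESSION_ID_LEN + len(self.cookie)

    def encap(self, frame):
        """Blind encapsulation: the inner MACs and IP subnet are never looked at."""
        if self.overhead() + len(frame) > self.wan_mtu:
            raise ValueError("encapsulated packet would exceed the WAN MTU and fragment")
        return build_ipv4(self.local_ip, self.remote_ip, L2TPV3_IP_PROTO,
                          struct.pack("!I", self.remote_session_id) + self.cookie + frame)

    def decap(self, packet):
        """Check outer addresses, protocol, session ID and cookie; return the frame, or None to drop it."""
        ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", packet, 0)
        if ver_ihl >> 4 != 4 or proto != L2TPV3_IP_PROTO:
            return None
        if (ipaddress.IPv4Address(src) != ipaddress.IPv4Address(self.remote_ip)
                or ipaddress.IPv4Address(dst) != ipaddress.IPv4Address(self.local_ip)):
            return None
        body = packet[(ver_ihl & 0x0F) * 4:total_len]
        if len(body) < SESSION_ID_LEN + len(self.cookie):
            return None
        session_id = struct.unpack_from("!I", body, 0)[0]
        cookie = body[SESSION_ID_LEN:SESSION_ID_LEN + len(self.cookie)]
        if session_id != self.local_session_id or cookie != self.cookie:
            return None   # unknown session or wrong cookie: never inject it into the LAN side
        return body[SESSION_ID_LEN + len(self.cookie):]


def demo():
    """Round trip switch1 -> router1 -> router2 -> switch2 with the addresses from Ben's configs."""
    cookie = bytes.fromhex("0011223344556677")                      # constructed
    router1 = PseudowireEndpoint("1.1.1.1", "2.2.2.2", 10, 20, cookie)
    router2 = PseudowireEndpoint("2.2.2.2", "1.1.1.1", 20, 10, cookie)

    router1_e02_mac = bytes.fromhex("020000000102")                 # constructed MAC of router1 e0/2
    host_mac = bytes.fromhex("020000009901")                        # constructed host MAC behind switch1
    # Frame addressed to router1's own interface MAC: it is still carried across the VC untouched.
    frame = router1_e02_mac + host_mac + b"\x08\x00" + b"constructed IPv4 payload"

    packet = router1.encap(frame)
    delivered = router2.decap(packet)

    # Same outer addresses and session ID but a wrong cookie: router2 must drop it.
    forged = build_ipv4("1.1.1.1", "2.2.2.2", L2TPV3_IP_PROTO,
                        struct.pack("!I", 20) + bytes(8) + frame)

    # A full-size 1514-byte Ethernet frame plus 32 bytes of headers does not fit a 1500-byte WAN MTU.
    try:
        router1.encap(bytes(1514))
        mtu_rejected = False
    except ValueError:
        mtu_rejected = True

    return {
        "roundtrip": delivered == frame,
        "outer_len": len(packet),
        "overhead": router1.overhead(),
        "forged_dropped": router2.decap(forged) is None,
        "mtu_rejected": mtu_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the delivered frame byte-identical to the one sent, the forged packet discarded, and the oversized frame refused. The MTU check is the practical consequence of Ben's fragmentation remark: either the WAN MTU is raised to cover the tunnel overhead or the LAN side must send smaller frames.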

joealbergo Sat, 06/05/2010 - 16:21

Why are we using Loopback0 interface?

If I am getting far ahead of myself - I am sorry. I hope that my questions are not frustrating..

belovell Sat, 06/05/2010 - 16:40

For use in this example it is a matter of convention and is not strictly needed. 192.168.1.1 could have been the tunnel end point.

In other cases such as EoMPLS it is required to have /32 route to tunnel end point hence the loopback.

-Ben

joealbergo Sat, 06/05/2010 - 17:02

Ben

I'm going to slow down and start doing some researching on "Multi-Protocol Switched Labeling"

I also am going to have to invest some time in VC "Virtual Circuits"

This is 6 months into Cisco as of today so I am far behind.

Your help and again everyone else who contributed to my thread is greatly appreciated.

Anyone has any links to documentation - I always review and favorite them for use in reading and the future.

Thanks everyone! 

joealbergo Sun, 06/06/2010 - 14:30

Lamav

Your post was extremely helpful however I am going to have to slow down and go over a few of the things everyone has been telling me.

I am about a quarter of the way into my CCENT with the Cisco Networking Academy and I only read a few pages on MPLS and not sure what SONET is. I do not know what VM or VMotion is yet either.

I understand about 20% of what you posted

However OTV sounds a lot like the QinQ except this OTV is done in house instead of by the SP - correct?

Thanks

Joe

lamav Sun, 06/06/2010 - 15:37

Joseph:

I'm sorry you didn't get too much out of my post, but it's OK -- just save it and one day you can re-read it and it will make sense to you.

To answer your question, the answer is no, Q-in-Q is something totally different in terms of its application and its technique. But yes, Q-in-Q does allow you to span a VLAN across a domain, but the domain is a L2 domain, not L3.

Victor

joealbergo Sun, 06/06/2010 - 19:59

Victor

I did get some information from your post - perhaps we can continue the education.

Let's start off with L2 Domain & L3 Domain.

What are we talking about when we speak of these "Domains" at level 2 and level 3 I assume?

Would that be a switch to switch (L2 Domain) and a router to router (L3 Domain)

Hope to hear back from you

Joe

Reza Sharifi Sun, 06/06/2010 - 20:20

Hi Joe,

L-2 Domain is basically a cloud of layer-2 devices only (switches). It is not very common to see an L-2 Domain only these days. L-3 Domain is a cloud of routers and multilayer switches (layer-3 devices) running routing protocols, i.e. OSPF, RIP, ISIS and BGP.

HTH

Reza

joealbergo Sun, 06/06/2010 - 20:51

But I take it back -

Why do you recommend that book?

It's not that expensive actually...

lamav Sun, 06/06/2010 - 14:13

Joseph:

There is one new option to creating a L2 adjacency over a L3 domain that hasn't been mentioned yet. It's called Overlay Transport Virtualization (OTV) and it is intended for use in data center environments. The L3 domain can be IP, MPLS, SONET, etc. This technology provides a solution to the challenge of providing L3 isolation with routed inter-data center connectivity, while still preserving the ability to selectively extend L2 domain functionality.

In a nutshell, OTV allows edge switches, like the Nx7000, in one data center to exchange MAC address table information with other Nx7000 switches across a L3 domain.

This can be useful when you need to migrate a VM with VMotion from one ESX server located in one data center to a destination ESX server that sits in a separate data center. VMotion requires a L2 adjacency to exist between ESX hosts. To achieve this, the edge Nx7000 switch running OTV will encapsulate the data in an IP datagram, route it across the L3 domain, which will then get de-encapsulated at the destination. To the end devices, the destination host seems to be in the same L2 domain, when in reality it exists in another data center.

Even better is that OTV allows selective spanning of control plane and data plane functionality, maximizing the benefits of extending a L2 domain, while mitigating the potential pitfalls, such as bridging loops and broadcast storms. These functions remain local to the L2 domain.

HTH

Victor
