VLANs over WAN?

joealbergo
Level 1

I hope I titled this correctly. However, I wanted to know if it is possible to communicate across VLANs over WAN or over the internet.

If I am right, we cannot. It is not possible - only through Layer 3 will an IP address be used as the destination, and Layer 2 VLANs are not.

Please advise.

Thanks in advance.


Joseph,

It is not impossible, because if the WAN is just a layer 2 medium (Ethernet), you can have the same VLAN on both sides of the WAN.

VLANs can be extended across a WAN; the question is, why would you want to do it?

It will create a broadcast domain across the WAN and I don't see any benefits.

Hope to help.

Federico.

Hitesh Vinzoda
Level 4

There are two options that come to my mind:

1. Transparent bridging

2. L2TP Pseudowire using MPLS

However, that will be a bad design, to have layer 2 spanned across the WAN.

HTH

Hitesh Vinzoda

Pls rate useful posts.

I always rate everyone that answers my questions. You are all very helpful and it means a lot to have you here. No b.s.

Now to get back on the subject, perhaps because I am not into WANs yet - I might have posed the wrong question.

I guess from what you're saying a WAN could be inside a large building and the medium could be Ethernet cable or fiber, correct?

Which would be no problem because then we just hook up the two switches.

However,

I basically want to have a VLAN communicate with another VLAN - across the internet.

That was what I was asking ----- so I have VLAN99 in Building_A communicate over the internet to VLAN99 in Building_B.

Does that make more sense?

When you say a WAN that goes through the Internet, what type of communication media are you referring to?

Because a WAN that goes through the Internet could be a point-to-point link, a leased line, an IPsec VPN tunnel, Frame Relay, etc.

Just out of curiosity, what's the benefit of wanting to extend the VLAN over the WAN?

Federico.

Federico -

Let's forget I even said WAN - because I might have used the wrong terminology.

I used the word "WAN" thinking it was a Wide-Area-Network (THROUGH) the Internet.

I was just talking about a VLAN over internet VLAN - communication.

QinQ is normally used by ISPs to transport VLANs across sites (could be through the internet).

It is also a mechanism to avoid conflicts with overlapping VLANs from other customers.

Take a look:

http://en.wikipedia.org/wiki/QinQ

Federico.

This is what I was looking for! This is the answer to my question.

This is what I was talking to my professor about. I said to myself, what would be the purpose of having a VLAN on one network, secure computers on one and the remainder on another VLAN, if I cannot continue the security outside of the LAN?

I basically was becoming confused.

See, I was assuming that the router, once looking at the VLAN tag, would turn around and send the frame back to the switch because they are on the same subnet.

So how do you route that frame out the router through the ISP using QinQ? Am I re-encapsulating the second VLAN tag with my SP's equipment outside the router? Or outside the switch?

QinQ is pretty much an Ethernet extension of 802.1q.
Remember that 802.1q allows a single tag to be inserted into a frame to identify that frame through trunks.
QinQ allows multiple VLAN headers to be inserted into a single frame.

For example, when a company chooses to have the same L2 network in geographically separated sites,
the ISP can provide QinQ to extend the VLAN across the WAN.

This is an alternative to having two separate LANs and just routing between them.

The ISP uses its own set of tags to identify the VLANs across the SP.

The traffic passes through the SP network as QinQ frames, but when sent to the customer, they are sent as
regular 802.1q frames.

Federico.

What I assume you are looking for (given the meaning of "WAN" in this context) is to encap L2 frames so they can be sent across L3 domain(s) or a VC (virtual circuit). QinQ would not provide for this, as it is L2-in-L2 encap.

1) L2TPv3

L2TPv3 provides a VC over an IP network. The full L2 frame is wrapped up in headers like so:

L2 WAN header|IP header|L2TPv3 header|L2 payload

Fragmentation of VC packets is not desirable for performance reasons but is not detrimental.

2) EoMPLS

EoMPLS provides a VC over an MPLS network. Headers look like so:

L2 WAN header|MPLS path label|VC label|L2 payload

Fragmentation of VC packets is detrimental and must be avoided.

If you are not familiar with MPLS networks then L2TPv3 is your best bet, as it only requires IP connectivity between the two VC end points.

I can post simple configs if you think it would help you understand.

-Ben
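
The two encapsulations discussed above, QinQ double tagging (Federico's explanation) and L2TPv3 over IP (Ben's header layout), as an added Python example that is not from the original thread or any vendor code: it builds constructed sample frames, parses the tag stack or the IP/L2TPv3 layers to report how the L2 payload is being carried, and pops the provider tag at the customer-facing edge. The MAC addresses, IP addresses, VLAN IDs and session ID are made up, the L2TPv3 session is assumed to be configured with no cookie, and the IPv4 checksum is left at zero since nothing validates it here.

```python
import struct

DOT1Q, DOT1AD, IPPROTO_L2TPV3 = 0x8100, 0x88A8, 115   # C-tag TPID, S-tag TPID, L2TPv3-over-IP protocol number

def eth(dst, src, ethertype, payload):
    """Plain Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def add_tag(frame, vid, tpid=DOT1Q, pcp=0):
    """Push one VLAN tag in the outermost position (right after the MAC addresses)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left at zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def l2tpv3_over_ip(session_id, inner_frame):
    """RFC 3931 data message over IP: 32-bit Session ID, then the whole inner L2 frame (no cookie assumed)."""
    return struct.pack("!I", session_id) + inner_frame

def sp_egress(frame):
    """Provider edge toward the customer: pop the outer S-tag so the customer sees plain 802.1Q."""
    assert struct.unpack("!H", frame[12:14])[0] in (DOT1Q, DOT1AD), "no outer tag to pop"
    return frame[:12] + frame[16:]

def parse(frame, cookie_len=0):
    """Report how the L2 payload is carried: untagged, 802.1Q, QinQ, or L2TPv3 over IP (recursing into it)."""
    vids, pos = [], 12
    while struct.unpack("!H", frame[pos:pos + 2])[0] in (DOT1Q, DOT1AD):   # walk the VLAN tag stack
        tpid, tci = struct.unpack("!HH", frame[pos:pos + 4])
        vids.append(tci & 0x0FFF)
        pos += 4
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    pos += 2
    if len(vids) >= 2:                                   # SP tag outside, customer tag inside
        return {"transport": "qinq", "sp_vid": vids[0], "customer_vid": vids[1]}
    if ethertype == 0x0800 and frame[pos + 9] == IPPROTO_L2TPV3:   # IPv4 protocol field at offset 9
        ihl = (frame[pos] & 0x0F) * 4
        l2tp = frame[pos + ihl:]
        session_id = struct.unpack("!I", l2tp[:4])[0]
        return {"transport": "l2tpv3", "session_id": session_id, "inner": parse(l2tp[4 + cookie_len:])}
    return {"transport": "dot1q" if vids else "untagged", "vids": vids}

# Constructed sample traffic: a customer VLAN 99 frame, the same frame as an SP carries it with QinQ,
# and the same frame carried over a VC between two PE routers using L2TPv3 over IPv4.
CUST = add_tag(eth(bytes.fromhex("0200000000b1"), bytes.fromhex("0200000000a1"), 0x0806, b"arp-request"), 99)
QINQ = add_tag(CUST, 1500, tpid=DOT1AD)   # SP pushes S-tag 1500 around the customer's C-tag 99
L2TP = eth(bytes.fromhex("0200000000c2"), bytes.fromhex("0200000000c1"), 0x0800,
           ipv4(bytes([192, 0, 2, 1]), bytes([203, 0, 113, 1]), IPPROTO_L2TPV3, l2tpv3_over_ip(0x1234, CUST)))
```

`parse(L2TP)` shows the router only sees IP/L2TPv3 and hands the untouched 802.1Q frame (VLAN 99) to the far switch, which is the "blind" VC forwarding described later in the thread.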

Belovell.

Your response was extremely helpful also.

This is more what I was trying to begin the topic with. I was trying to learn about "if I start off with a LAN using a few switches and a router".

So inside the one LAN I had VLANs, and this would be at one area in one city.

Then have another identical setup in another city - with VLANs that I want to continue filtering.


From city to city I would want to retain the VLAN configurations for consistency going across the internet or by any medium possible.

-------------------------------------------------------

My professor had brought up something that sort of brings another question regarding this. -----

If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

----------------------------------------------------

I am going to have to study MPLS and L2TPv3 - I have only heard of these in discussion, never in my books or classes.

So I believe your answer was more direct towards my initial question.

Everyone here has offered me such great information towards my Cisco education and I appreciate that a lot.

Belovell - Anything you post up here I will use and read and study.  Thank you again.

>> If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

Consider the following topo

switch--router---router--switch

Each router has an xconnect statement on the interface facing its nearside switch (no IP address -- routing IP packets on this interface is no longer possible, all frames must go over the VC). The routers will blindly encap all frames that come in that interface and send the traffic over the VC. So the topo from the switches' point of view is just switch---switch. Just as the term Virtual Circuit implies, the switches function as if they are connected right to each other.

So to answer your question, the routers do not care about subnets or MAC addresses (they just encap and send to the other end). Per vanilla Ethernet bridging rules, if the switches' source MAC lookup points out the interface facing the VC then the frame will go to the router to be tunneled.

-Ben

Ben

So I am going to have to look into the VC - what is that exactly?

and....

"if the switches' source MAC lookup points out the interface facing the VC"

This means the switch on the opposite side has to be set in the first switch's lookup table.

So switch1----(table)----router----router----switch2

Switch1 knows the source mac is to the router - router forwards to switch2?

I am here online studying so I will await your reply. Thank you

Joe

Hello Joe,

>> If my network is sending frames out the switch -----> to the router ------ Will the router see the frames are in the same subnet and just send them back to the switch? or does the L2TPv3 have the setup where the router knows where to forward these?

This is the key point, as explained by Ben, who has also provided some internal details.

A dedicated interface or vlan subinterface is needed for the L2TPv3 or EoMPLS service.

The service provided is a point-to-point L2 transport service, and the router just checks if the frame is correct and if the 802.1Q tag vlan-id field = X = enc dot1q X in the subinterface.

The router might also provide L3 services to the IP subnet, but it needs to do this using a different interface/subinterface.

VC = Virtual Circuit; we indicate with this term the point-to-point transport service provided by EoMPLS or by L2TPv3.

Ben has added other details. To make you understand how blind the forwarding over the VC is, I give an example:

Some years ago I tested an EoMPLS solution over a production MPLS network using high end 12000 GSR routers.

By using a traffic generator I could send IPv6 packets with a specific vlan tag. The frames were taken and sent to another town where, with a trick, they were re-injected with another vlan-id in another VC and then came back to the initial PE node with a different vlan-tag.

When we had tested in a lab we discovered that the router accepted to carry over the pseudowire (other name for the VC) frames with MAC destination address equal to that of its own interface!!!

The case of multilayer switches can be different, but also for scalability reasons only the L2 switch populates its CAM table with the MAC addresses of the remote site and associates them with the port to the router providing the VC.

However, as noted by Hitesh, this kind of setup should be avoided because WAN routers have much less forwarding capability than LAN switches and because broadcast traffic will consume WAN bandwidth.

Some use of this is seen in some disaster recovery designs that ask for extending selected Vlans between central site and disaster recovery site.

Another use of L2TPv3 (which may be protected by IPsec) I saw in a course about IP telephony: instead of carrying the call manager servers and other devices, we had some Vlans carried over the internet to the site where the servers were located.

We could make our labs.

Hope to help

Giuseppe

Thanks Giuseppe, that is my name as well. However, I go by Joe or Joseph.

Ben,

What does this mean: "Each router has an xconnect statement on the interface facing its nearside switch (no IP address -- routing IP packets on this interface is no longer possible, all frames must go over the VC)."
