1841 ISR VLANs Across Physical Interfaces

Sep 16th, 2010

Greetings.

Our network setup looks like the following:

ASA 5510 --->> E0/1 (1841 ISR) E0/0 --->> VLANS / Catalyst Switch

We've recently added ASAs to our network. Our intention is to set up a VPN tunnel to our branch office. The head office setup shown above has many VLANs on the E0/0 interface, one of which is a voice VLAN that handles our VoIP phone system traffic.

When we set up the VPN tunnel, we want to have the voice VLAN available at the branch office.

How would I go about doing this?

Currently the E0/1 interface of the ISR is configured with the IP address 192.168.15.254. The ASA's IP address for the LAN/inside interface is 192.168.15.250.

Would I need to configure the ISR's E0/1 interface for subinterfaces instead?

Peter Paluch Thu, 09/16/2010 - 09:35

Felix,

The question is whether you need to actually span this voice VLAN over your 1841, or whether there can be another IP subnet (a VLAN or just another routed LAN) devoted as the voice VLAN for your branch offices. As the voice VLAN is effectively terminated on your 1841 E0/0, even creating subinterfaces on the E0/1 alone will not help because these two ports will still be separated by a router internally. The VLAN IDs may be the same but they are still made separate and independent of each other because of a router interconnecting them.

If the voice VLAN has to be effectively extended over your 1841, then I can imagine configuring an IRB bridge between your E0/0.X and E0/1.X interfaces (X meaning the voice VLAN you are currently using) and so extend this VLAN towards the ASA. I do not think, however, that this is a best practice design.

Also, is the VPN between your head office and the branch office working as a Layer 2 or Layer 3 VPN? My question relates to whether there is actual routing involved inside the VPN for the branch office to reach the head office. If yes, then there is no point in extending the VLAN anyway. The basic question here is whether the VLAN must really span into the branch office, or whether the branch offices can have their own voice VLAN and route the voice data towards the voice VLAN on your central location.

Best regards,

Peter
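
The IRB arrangement described in the reply above, sketched as an added example that is not part of the original thread or Cisco's own configuration. Assumptions: the page's E0/0 and E0/1 are written as FastEthernet0/0 and FastEthernet0/1, X is voice VLAN 2, bridge group 1 is free, and the BVI address is a placeholder because the thread does not give the voice subnet.

```cisco
! Constructed example: integrated routing and bridging (IRB) on the 1841,
! bridging voice VLAN 2 between the Catalyst-facing and ASA-facing ports.
!
! Enable IRB so a bridged VLAN can also have a routed gateway (the BVI).
bridge irb
!
! Catalyst-facing subinterface for the voice VLAN (assumed name).
! Any IP address currently on this subinterface moves to BVI1 below.
interface FastEthernet0/0.2
 description Voice VLAN 2 toward Catalyst switch
 encapsulation dot1Q 2
 no ip address
 bridge-group 1
!
! ASA-facing subinterface carrying the same VLAN tag (assumed name).
interface FastEthernet0/1.2
 description Voice VLAN 2 toward ASA inside
 encapsulation dot1Q 2
 no ip address
 bridge-group 1
!
! The BVI number must match the bridge-group number. It takes over as
! the Layer 3 gateway for the bridged voice VLAN.
interface BVI1
 description Routed gateway for bridged voice VLAN 2
 ip address <voice-gateway-ip> <voice-subnet-mask>
!
! Run IEEE spanning tree in the bridge group and let IP be routed
! through the BVI instead of only bridged.
bridge 1 protocol ieee
bridge 1 route ip
```

This brings VLAN 2 only as far as the ASA-facing link, and the ASA-facing port becomes an 802.1Q trunk, so the existing 192.168.15.254 addressing on E0/1 has to be accounted for separately. It also places the voice VLAN's broadcast domain directly on the firewall-facing segment, which is one reason to prefer a routed voice subnet at the branch.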

Felix Bowman Thu, 09/16/2010 - 10:03

Thanks for the reply.

The VPN between the head office and the branch office will be IPSEC L2L. It's not set up on the ASAs as yet as the old firewall hardware is still in place.

Currently at the head office, the VoIP phones are connected to Catalyst switches. Each port on the Catalysts that has a phone connected to it has a configuration like this:

!
interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 switchport priority extend trust
 mls qos trust cos
 spanning-tree portfast
!

I'll double check and see whether the phones can be manually programmed since that's the only way it would work if the VLAN isn't trunked across the VPN.
