Cisco Support Community
Route VLAN across WAN (MPLS)

Hi,

I'm working on segmenting my network for users who are members of Finance. These users are distributed among several locations; each site is connected over an MPLS Layer 2 network. At Site A I have VLAN 10 set up with the Finance users at that location as members, and those users on that LAN can communicate as expected. Now I need users at Site B who are members of Finance to be able to communicate on that same VLAN.

How would I accomplish this? Do I need to set up QinQ?

Any guidance would be appreciated. 

Thank you...

1 ACCEPTED SOLUTION

You could definitely use an ACL to restrict access. If you need to restrict access within Site B then I would do the ACL there. If you just need to restrict what VLAN 10 has access to coming from Site B to A then you could apply it on your 7204 MPLS-facing interface.

11 REPLIES

If it is just a layer 2 connection then you should be able to pass VLANs without using QinQ. Or are the sites routed layer 3?

New Member

My mistake, yes I am routing between sites.

What devices terminate the connection?

Would the requirement be that users at Site B need to be on the same subnet as Site A? Or could you designate a finance VLAN at Site B and just make sure they are able to route between sites? 

 

New Member

At Site A I have a Cisco 7204VXR; at Site B I have an HP ProCurve 3500yl with standard licensing. I just discovered that I need Premium licensing to run QinQ on that device, so that is not an option.

 

Originally, I wanted them on the same subnet if possible. However, it's not mandatory and I could just route between sites.

I think you just answered your own question then. Now you can determine if static or dynamic routing is the best approach for this. 

I'm going to make some assumptions about the HP switch as I have no knowledge of it.

If you need them on the same subnet you could use subinterfaces on the 7204. You can have VLAN 10 extend to Site B this way. Site B would have the HP switch and a trunk (or access port, depending on other requirements) to the L2 MPLS. The users at Site B would basically use Site A as the gateway.

New Member

Thank you for talking through this. So, I set up the following, and when I traceroute it loops at the remote site.

Site A

  • VLAN 10 - 172.16.100.0/24
  • Firewall (Gateway) - 172.16.100.1
  • Client 1 - 172.16.100.2

Site B

  • VLAN 10 - 172.16.121.0/24
  • Router VLAN 10 IP - 172.16.121.1

 

I have a route on the firewall to the core router at Site A: 172.16.121.0/24 to 10.0.0.1. Note: the core router WAN interface is 172.16.200.1.

On the core router I have a route to Site B: 172.16.121.0/24 to 172.16.200.21.

On the Router at Site B I created a VLAN (id 10) with an IP of 172.16.121.1

Note: Router at Site B WAN interface is 172.16.200.21

Traceroute results
  1    <1 ms    <1 ms    <1 ms  172.16.100.1
  2    <1 ms    <1 ms    <1 ms  10.0.0.1
  3     9 ms     8 ms     8 ms  172.16.200.21
  4     1 ms     1 ms     1 ms  172.16.200.1
  5     5 ms     6 ms     4 ms  172.16.200.21
  6     2 ms     2 ms     2 ms  172.16.200.1
  7     6 ms     6 ms     6 ms  172.16.200.21

 

The information would be easier understood if you could provide a diagram with interfaces and what is routing where.

So VLAN 10 is on the firewall. You have a route for VLAN 10 to go to the router. On the router you should have a route to the VLAN 10 subnet at Site B. You will also need return routes. Or you could bypass this with OSPF if your L3 switch supports it.

New Member

Ok, so the routing works as I described above. One interesting note is that the loop occurs if no device is attached. Once I connected a laptop to that subnet the loop did not occur. Learn something new every day. 

At this point my routing is good. Now I need to figure out how to secure the VLAN at Site B as it is not behind a firewall. I'm thinking an ACL will do the trick?

Also, my L3 switches (HP Pro) do not support OSPF without the premium license. 
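The alternating hops in the traceroute above (172.16.200.21, 172.16.200.1, 172.16.200.21, ...) are what you get when the Site B router has no route for 172.16.121.0/24 and falls back to a default route pointing at Site A, while the core router's static route sends the packet straight back. That matches the observation that the loop disappears once a host is plugged in: with a port up, the VLAN 10 interface comes up and its connected route returns. The following is an added example, not configuration from the thread: it models the three routing tables described in the traceroute post and reproduces the hop list with the Site B VLAN interface down and up. Assumed, because the thread does not state them: the firewall's core-facing address 10.0.0.2 and the core router's return route to it, a /24 on the WAN segment, a default route on the Site B router toward 172.16.200.1, and that the switch withdraws the VLAN 10 connected route while no port in the VLAN has link. The optional null route is a general remedy, also not from the thread.

```python
"""Static-route walk for the Site A / Site B layout described in the thread.

Added example, not configuration from the original post.  Addresses taken from
the thread: firewall 172.16.100.1, core router 10.0.0.1 (LAN) and 172.16.200.1
(WAN), Site B router 172.16.200.21 (WAN) and 172.16.121.1 (VLAN 10).
ASSUMED (not stated in the thread): firewall core-facing address 10.0.0.2, the
core router's return route to it, a /24 WAN segment, a default route on the
Site B router toward 172.16.200.1, and that the Site B VLAN 10 interface goes
down (withdrawing its connected route) while no port in the VLAN has link.
"""
import ipaddress


class Router:
    def __init__(self, name, interfaces, static_routes, down=()):
        self.name = name
        # interface name -> address/prefix, e.g. "vlan10": 172.16.121.1/24
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # (prefix, next hop) pairs; next hop None means discard (a null route)
        self.static_routes = [
            (ipaddress.ip_network(p), None if nh is None else ipaddress.ip_address(nh))
            for p, nh in static_routes
        ]
        self.down = set(down)  # interfaces with no link

    def addresses(self):
        return {iface.ip for iface in self.interfaces.values()}

    def lookup(self, dst):
        """Longest-prefix match over connected routes (up interfaces only) and
        statics.  On a tie the connected route wins, as on a real router."""
        best = None
        for name, iface in self.interfaces.items():
            if name in self.down:
                continue  # interface down: its connected route is withdrawn
            net = iface.network
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ("connected", name))
        for net, nh in self.static_routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ("discard", str(net)) if nh is None else ("via", nh))
        return None if best is None else best[1]


def build_topology(site_b_vlan_up, site_b_null_route=False):
    firewall = Router("firewall",
                      {"vlan10": "172.16.100.1/24", "core": "10.0.0.2/24"},  # 10.0.0.2 assumed
                      [("172.16.121.0/24", "10.0.0.1")])
    core = Router("core-7204",
                  {"lan": "10.0.0.1/24", "wan": "172.16.200.1/24"},
                  [("172.16.121.0/24", "172.16.200.21"),
                   ("172.16.100.0/24", "10.0.0.2")])  # return route, assumed
    site_b_routes = [("0.0.0.0/0", "172.16.200.1")]  # default route, assumed
    if site_b_null_route:
        # discard traffic for the local subnet whenever the connected route is gone
        site_b_routes.append(("172.16.121.0/24", None))
    site_b = Router("siteB-3500yl",
                    {"wan": "172.16.200.21/24", "vlan10": "172.16.121.1/24"},
                    site_b_routes,
                    down=() if site_b_vlan_up else ("vlan10",))
    return [firewall, core, site_b]


def trace(routers, first_hop, dst, max_hops=8):
    """Return (hops, outcome).  Each hop is the address the packet was sent to,
    i.e. the ingress interface of the router handling it, which is what
    traceroute reports."""
    dst = ipaddress.ip_address(dst)
    owner = {ip: r for r in routers for ip in r.addresses()}
    hops = []
    nh = ipaddress.ip_address(first_hop)
    while len(hops) < max_hops:
        hops.append(str(nh))
        router = owner.get(nh)
        if router is None:
            return hops, "no router owns next hop %s" % nh
        route = router.lookup(dst)
        if route is None:
            return hops, "dropped by %s: no route" % router.name
        kind, arg = route
        if kind == "connected":
            return hops, "delivered by %s on %s" % (router.name, arg)
        if kind == "discard":
            return hops, "discarded by %s (null route %s)" % (router.name, arg)
        nh = arg
    return hops, "loop: %d hops without delivery" % max_hops


if __name__ == "__main__":
    for up, null in ((False, False), (True, False), (False, True)):
        hops, outcome = trace(build_topology(up, null), "172.16.100.1", "172.16.121.50")
        print("vlan10 up=%s null route=%s: %s -> %s" % (up, null, " ".join(hops), outcome))
```

With the VLAN interface down the walk returns the same pattern as the traceroute in the thread: firewall, core LAN address, then the two WAN addresses alternating until the hop limit. With it up, the third router delivers on VLAN 10. The third case shows a static route for 172.16.121.0/24 to a null destination on the Site B router: the connected route still wins while the interface is up, and the packet is discarded at Site B instead of bouncing across the WAN when it is down.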

 

New Member

Since I'm controlling access at Site A via a Firewall, I think what I need is to control access to VLAN 10 at Site B. 

 

What I want ultimately is to deny all subnets with the exception of 172.16.1xx.0 at all sites. This is my first site that I am setting this up, I will have several others.

New Member

Thank you for your help on this. I think I knew this in theory and just needed someone to walk through it with me. I now have an ACL on the VLAN 10 interface at Site B that permits 172.16.100.0 0.0.0.255. Implicit deny on everything else. 

 

Works. 
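The ACL in the last post is a standard ACL: it matches on source address only, first match wins, and anything that matches no entry hits the implicit deny. The poster's wider goal of permitting only 172.16.1xx.0 networks at every site runs into the fact that a wildcard mask is a bit mask, not a numeric range, so the third-octet range 100 to 199 cannot be written as one entry. The following is an added example, not the switch configuration from the thread: it implements wildcard matching and standard-ACL evaluation in Python, checks the single entry described above, and summarises the 172.16.100.0 to 172.16.199.255 range (my reading of "172.16.1xx.0") into the fewest base/wildcard pairs. The IOS-style rendering is an assumed illustration; the HP 3500yl in the thread has its own ACL syntax.

```python
"""Evaluate the kind of standard ACL used at Site B and build wildcard entries.

Added example, not configuration from the thread.  SITE_B_VLAN10_ACL is the
entry the poster describes (permit 172.16.100.0 0.0.0.255, implicit deny); the
range helper, the IOS-style rendering and the interpretation of "172.16.1xx.0"
as 172.16.100.0-172.16.199.255 are added here and assumed, not from the thread.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit in the mask must equal the base,
    a 1 bit is don't-care.  The mask is a bit mask, not a numeric range."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_standard_acl(entries, src):
    """Standard ACL: match on source only, first matching entry wins,
    implicit 'deny any' when nothing matches."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def wildcard_entries_for_range(first, last, action="permit"):
    """Express an inclusive address range as the fewest base/wildcard pairs.
    Each summarised block's host mask is exactly its wildcard mask."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [(action, str(n.network_address), str(n.hostmask)) for n in nets]


def render_ios_standard_acl(name, entries):
    """IOS-style text for the entries (assumed syntax, for illustration only;
    the poster's HP 3500yl uses HP's own ACL syntax)."""
    lines = ["ip access-list standard %s" % name]
    lines += [" %s %s %s" % e for e in entries]
    return "\n".join(lines)


# The entry described in the thread, applied on the Site B VLAN 10 interface.
SITE_B_VLAN10_ACL = [("permit", "172.16.100.0", "0.0.0.255")]

# Finance VLANs at every site assumed to live in 172.16.100.0 - 172.16.199.255.
# 100-199 is not a power-of-two aligned block, so it cannot be one wildcard
# entry; summarising the range gives the minimal set of entries.
FINANCE_RANGE_ACL = wildcard_entries_for_range("172.16.100.0", "172.16.199.255")

if __name__ == "__main__":
    for src in ("172.16.100.2", "172.16.121.5", "10.0.0.1"):
        print(src, "->", evaluate_standard_acl(SITE_B_VLAN10_ACL, src))
    print(render_ios_standard_acl("FINANCE-SITES", FINANCE_RANGE_ACL))
```

Because a standard ACL checks only the source address, the direction it is applied in on the VLAN 10 interface decides whose sources are checked: inbound from the VLAN checks the Site B finance hosts, outbound toward them checks the remote side. The range helper shows why "deny everything except 172.16.1xx.0" needs five entries rather than one: 100-103, 104-111, 112-127, 128-191 and 192-199 are the largest aligned blocks that tile the range without spilling past 199.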
