01-22-2004 04:02 AM - edited 02-21-2020 01:00 PM
I'd like to manage a switch (3550-24) which is located in a branch-office, connected to a cisco836ADSL-router, which is connected to my inside-network via a pix525. All traffic is transported in a vpn-tunnel (Ipsec).
I tried to configure the uplink-port on the branch-switch as a trunk-port, but that doesn't seem to help much.
VTP-settings are all checked and ok, I use the same management-vlan as I use on the inside-network.
Should I be able to configure trunking on the router?
At this point I'm not even able to get a ping-reply from the switch.
Anybody any suggestions?
01-22-2004 04:20 AM
you won't be able to bridge a subnet across a ipsec link involving a pix. if it were ios to ios, I think you could do it.
THat said, why do you want to do it?
01-22-2004 04:39 AM
basicly I'd just like to be able to do switch-management from my main-office. There's a few production-systems on the branch-switch. I'd like to monitor the switchports over there, do some show-commands and things like that.
It would be nice to be able to manage this switch as if it were really part of our main-office inside network.
01-22-2004 05:48 AM
You should be able to manage that switch remotely by ip if it is a manageable switch. Nothing you said would really necessitate trying to bridge the same subnet across an ipsec tunnel.
The problem with trying to bridge a subnet across distances is that many network protocols are chatty (send lots of broadcasts) on a subnet. All this chatter would need to go across the the tunnel. This is all especially true with microsoft networking.
01-22-2004 07:06 AM
I'm sorry, but I'm not really sure what you mean by "bridge a subnet" across an ipsec tunnel.
maybe I have to explain some more:
The reason for the ipsec-tunnel is that one of the clients connected to the remote-switch uses the databases from our inside-network and has to connect over an encrypted-line. So the reason for ipsec-tunneling has got nothing to do with the switchmanagement. I do want to be able to manage this switch via telnet, though. To me it's not neccesary that this happens over a secure-line, but the switch hasn't got a public ip-adress, so the only way of access is in my opinion through the already existing tunnel.
Remote I use a 192.168.12.0 network with it's own BDC and dhcp, the main-inside-network and the management vlan uses 172.48.0.0 network.
In the ADSL/VPNrouter I give up rules for encryption from the 192.168.12.0 to the 172.48.0.0 and that all works fine.
I already tried to make a rule that included the ip of the management vlan of the remote switch, so that would also be included in encryption. But that doesn't help.
Some suggestions left?
thanks.
01-22-2004 08:52 AM
Is the 172.48 network the management network at the main site, or the remote site?
01-23-2004 12:43 AM
the 172.48 network is management network for the main-site. to be precise: it's the main-network at the main-site, in which I use the 172.48.254 -range for switch-management.
I thought it would be possible to use this network just for switch-management on the remote-side as well. (hence the vlan/trunking for the uplink-port on the remote-side).
01-23-2004 04:20 AM
not with a pix. i would recommend that you establish a separate management vlan for the remote office, and have the switch management ip live in it. you could allow the pix to route to it. you could then create a ipsec tunnel just between the two management vlans, so that only management vlan machines in the main office can manage the remote switch
01-23-2004 05:07 AM
I understand your suggestion and you might be right.
I'll try this out sometime soon. (when I'm in the branch-office again).
Thanks again!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide