Re: vlan transport through VPN-Router possible?

hancisco · ‎01-22-2004

I'd like to manage a switch (3550-24) which is located in a branch-office, connected to a cisco836ADSL-router, which is connected to my inside-network via a pix525. All traffic is transported in a vpn-tunnel (Ipsec).

I tried to configure the uplink-port on the branch-switch as a trunk-port, but that doesn't seem to help much.

VTP-settings are all checked and ok, I use the same management-vlan as I use on the inside-network.

Should I be able to configure trunking on the router?

At this point I'm not even able to get a ping-reply from the switch.

Anybody any suggestions?

mostiguy · ‎01-22-2004

you won't be able to bridge a subnet across a ipsec link involving a pix. if it were ios to ios, I think you could do it.

THat said, why do you want to do it?

hancisco · ‎01-22-2004

basicly I'd just like to be able to do switch-management from my main-office. There's a few production-systems on the branch-switch. I'd like to monitor the switchports over there, do some show-commands and things like that.

It would be nice to be able to manage this switch as if it were really part of our main-office inside network.

mostiguy · ‎01-22-2004

You should be able to manage that switch remotely by ip if it is a manageable switch. Nothing you said would really necessitate trying to bridge the same subnet across an ipsec tunnel.

The problem with trying to bridge a subnet across distances is that many network protocols are chatty (send lots of broadcasts) on a subnet. All this chatter would need to go across the the tunnel. This is all especially true with microsoft networking.

hancisco · ‎01-22-2004

I'm sorry, but I'm not really sure what you mean by "bridge a subnet" across an ipsec tunnel.

maybe I have to explain some more:

The reason for the ipsec-tunnel is that one of the clients connected to the remote-switch uses the databases from our inside-network and has to connect over an encrypted-line. So the reason for ipsec-tunneling has got nothing to do with the switchmanagement. I do want to be able to manage this switch via telnet, though. To me it's not neccesary that this happens over a secure-line, but the switch hasn't got a public ip-adress, so the only way of access is in my opinion through the already existing tunnel.

Remote I use a 192.168.12.0 network with it's own BDC and dhcp, the main-inside-network and the management vlan uses 172.48.0.0 network.

In the ADSL/VPNrouter I give up rules for encryption from the 192.168.12.0 to the 172.48.0.0 and that all works fine.

I already tried to make a rule that included the ip of the management vlan of the remote switch, so that would also be included in encryption. But that doesn't help.

Some suggestions left?

thanks.

mostiguy · ‎01-22-2004

Is the 172.48 network the management network at the main site, or the remote site?

hancisco · ‎01-23-2004

the 172.48 network is management network for the main-site. to be precise: it's the main-network at the main-site, in which I use the 172.48.254 -range for switch-management.

I thought it would be possible to use this network just for switch-management on the remote-side as well. (hence the vlan/trunking for the uplink-port on the remote-side).

mostiguy · ‎01-23-2004

not with a pix. i would recommend that you establish a separate management vlan for the remote office, and have the switch management ip live in it. you could allow the pix to route to it. you could then create a ipsec tunnel just between the two management vlans, so that only management vlan machines in the main office can manage the remote switch

hancisco · ‎01-23-2004

I understand your suggestion and you might be right.

I'll try this out sometime soon. (when I'm in the branch-office again).

Thanks again!