Sending a VLAN across a VPN

charles.e.davis
Level 1

We have a situation where we must cluster 2 enterprise servers that are geographically separated. The clustering software will only work if one of the connections on both servers are on the same network segment. I've been told by the vendor that this was accomplished in the past via a VLAN. Is it possible to send a VLAN via an encrypted IPSEC VPN using an ASA 5510? If so, how is it accomplished and how would that address be advertised out? I know this is a bit of a complicated question, so thanks in advance for the effort.

Accepted Solutions

jan.nielsen
Level 7

It's not possible. A VLAN is defined on layer 2; an IPsec tunnel encrypts IP packets, and so works from layer 3. You need switching technology for this, like dark fibre, or EoMPLS if you have an MPLS connection between your sites. You could look into L2TP, it might be able to do what you need, but I believe it's not available in the new ASA versions >7.x
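
Added example, not part of the original thread: a Python model of the layer 2 / layer 3 split described in the accepted answer. It parses constructed 802.1Q frames and shows that a routed hop can hand only the IP packet to an IPsec tunnel, so the VLAN tag is dropped and non-IP frames such as ARP have nothing to carry. All function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_8021Q = 0x0800, 0x0806, 0x8100

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)  # TPID, TCI
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, offset = None, 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    return vlan, ethertype, frame[offset:]

def l3_tunnel_input(frame):
    """Model of a routed hop: only an IPv4 packet can be handed to the tunnel."""
    _vlan, ethertype, payload = parse_frame(frame)
    return payload if ethertype == ETH_IPV4 else None

# Constructed sample data (documentation IP range, locally administered MACs).
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
# Bare 20-byte IPv4 header, checksum left at 0 for brevity.
IP_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, IP_A, IP_B)
# ARP request: "who has IP_B, tell IP_A".
ARP_REQUEST = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + MAC_A + IP_A + bytes(6) + IP_B

SAMPLE_IP_FRAME = build_frame(MAC_B, MAC_A, ETH_IPV4, IP_PACKET, vlan=100)
SAMPLE_ARP_FRAME = build_frame(BROADCAST, MAC_A, ETH_ARP, ARP_REQUEST, vlan=100)

if __name__ == "__main__":
    for name, frame in (("IPv4", SAMPLE_IP_FRAME), ("ARP", SAMPLE_ARP_FRAME)):
        vlan, ethertype, _ = parse_frame(frame)
        carried = l3_tunnel_input(frame)
        size = "none" if carried is None else str(len(carried)) + " bytes"
        print(f"{name}: vlan={vlan} ethertype={ethertype:#06x} tunnel payload={size}")
```

The 18 bytes removed from the IPv4 frame are the Ethernet header and the 802.1Q tag, which is why the far end cannot see the same segment or VLAN ID.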

Marcin Latosiewicz
Cisco Employee

Charles,

It does sound a bit odd. I don't really understand the phrase "one of the connections on both servers are on the same network segment".

Does it mean that the client needs to keep a connection with the servers on the local subnet for the server (directly connected network), or do both need to keep a session with each other, or both with a client... can you elaborate?

Regarding VLAN assignment, what you can do on the ASA is to specify a VLAN for egress packets:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1549174

Marcin