Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VLANs traffic over Dynamic IPSec VPN

Hi All,

I am facing a problem while trying to put VLANs traffic over Dynamic IPSec VPN.VLANs traffic is at remote site and vlans user want to connect their corporate LAN over Dynamic IPsec VPN.Both end have Cisco PIX FW and remote site have L3 Switch 3750 for Intervlan routing.

I want to know about how VLAN traffic would travel over Dynamic IPSec VPN from Remote site to HO.Is there any procedure for this?I required some configuration example for aove scenario.

Pls reply ASAP.



New Member

Re: VLANs traffic over Dynamic IPSec VPN

Hi Jai,

All you need to do is make sure that your devices know how to route to the network(s).

This can either be done with static routes+default routes if your network is small and doesn't change much or a dynamic protocol like OSPF if you need it.

Depending on the model of PIX you have, you'll effectively stop using VLANs on egress of the switches - N.B 515E and above support VLANs so with those they could terminate at the PIX.

Here's a sample workflow relying on default routes (and static routes on the PIXs):

Case: Client A on site A needs to send data to client B on site B

1) Client A doesn't have a specific route for the destination in its local table so it sends to its default gateway (3750A-VLAN1)

2) 3750A doesn't have any static routes for that destination or dynamic routing enabled, only a route to (via PIXA) - so it sends to its default gateway (PIXA)

3) PIX A has a crypto map for the remote network so does its IPSec/ESP work - the result is an Internet routable packet but with encapsulated/encrypted payload

4) PIX A sends the packet on its way via its default route (normally to your ISP router) and it heads out across the Internet

...A little while later ...

5) PIX B gets the packet, decrypts it and sees the private destination IP. This matches with its routing table (static route to internal networks have been set) and sends it to its next hop (3750B)

6) 3750B matches the packet against its local routing table and see's its a match for one of the SVIs

7) The 3750B sends packet to host via the appropriate SVI

I have missed quite a lot out to keep things short (ish) - but hopefully you can see that the VLANs are kept to each site, and all you need to worry about is routing and having the VPN setup correctly on the PIX (you can use the PDM wizards to help if you've never setup a VPN before)

Check the SRNDs for the more examples -



New Member

Re: VLANs traffic over Dynamic IPSec VPN

Hi Colin,

First of all, thanks for your reply and giving proper procedure/guideline for moving vlan traffic over VPN.It's really helpfull for implementing VLAN over VPN.

But,I solved my problem and now it's working.There was some ISAKMP Policy problem at PIX and no route for Remote site LAN at 3750 Switch.

Thanks again.

Best Regards,


CreatePlease login to create content