I am facing a problem while trying to put VLAN traffic over a Dynamic IPSec VPN. The VLAN traffic is at the remote site, and the VLAN users want to connect to their corporate LAN over the Dynamic IPsec VPN. Both ends have a Cisco PIX FW, and the remote site has an L3 Switch 3750 for inter-VLAN routing.
I want to know how VLAN traffic would travel over a Dynamic IPSec VPN from the remote site to HO. Is there any procedure for this? I require some configuration example for the above scenario.
All you need to do is make sure that your devices know how to route to the network(s).
This can either be done with static routes+default routes if your network is small and doesn't change much or a dynamic protocol like OSPF if you need it.
Depending on the model of PIX you have, you'll effectively stop using VLANs on egress of the switches - N.B. 515E and above support VLANs, so with those they could terminate at the PIX.
Here's a sample workflow relying on default routes (and static routes on the PIXs):
Case: Client A on site A needs to send data to client B on site B
1) Client A doesn't have a specific route for the destination in its local table so it sends to its default gateway (3750A-VLAN1)
2) 3750A doesn't have any static routes for that destination or dynamic routing enabled, only a route to 0.0.0.0 (via PIXA) - so it sends to its default gateway (PIXA)
3) PIX A has a crypto map for the remote network so does its IPSec/ESP work - the result is an Internet routable packet but with encapsulated/encrypted payload
4) PIX A sends the packet on its way via its default route (normally to your ISP router) and it heads out across the Internet
...A little while later ...
5) PIX B gets the packet, decrypts it and sees the private destination IP. This matches with its routing table (static routes to internal networks have been set) and sends it to its next hop (3750B)
6) 3750B matches the packet against its local routing table and sees it's a match for one of the SVIs
7) The 3750B sends packet to host via the appropriate SVI
I have missed quite a lot out to keep things short (ish) - but hopefully you can see that the VLANs are kept to each site, and all you need to worry about is routing and having the VPN set up correctly on the PIX (you can use the PDM wizards to help if you've never set up a VPN before)
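The workflow in the answer above, as an added example that is not part of the original posts: a small Python model that walks a packet through each device's routing table and checks it against PIX A's crypto ACL, showing what happens when a remote VLAN subnet is left out of that ACL. All addresses, table contents and function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed tables (assumed addressing, not from the thread).
SW_A  = {"10.1.10.0/24": "SVI Vlan10", "10.1.20.0/24": "SVI Vlan20",
         "0.0.0.0/0": "PIXA"}                      # 3750A: SVIs + default route
PIX_A = {"10.1.0.0/16": "3750A", "0.0.0.0/0": "ISP"}
PIX_B = {"10.2.0.0/16": "3750B", "0.0.0.0/0": "ISP"}  # static route to inside
SW_B  = {"10.2.30.0/24": "SVI Vlan30", "0.0.0.0/0": "PIXB"}
PIX_B_PUBLIC = "203.0.113.2"                       # documentation-range peer address

def lookup(table, dst):
    """Longest-prefix match, as a router does; returns the next hop or None."""
    addr = ip.ip_address(dst)
    nets = [ip.ip_network(p) for p in table if addr in ip.ip_network(p)]
    return table[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def interesting(acl, src, dst):
    """True if (src, dst) matches a crypto ACL entry and so gets ESP."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in ip.ip_network(a) and d in ip.ip_network(b) for a, b in acl)

def trace(src, dst, acl_a):
    """Return the list of hops a packet from site A takes toward dst."""
    hops = ["3750A"]                               # step 1: client's default gateway
    hops.append(lookup(SW_A, dst))                 # step 2: SVI or default route
    if hops[-1] != "PIXA":
        return hops                                # inter-VLAN traffic stays local
    if not interesting(acl_a, src, dst):
        return hops + ["no crypto ACL match: not tunnelled"]
    hops.append(lookup(PIX_A, PIX_B_PUBLIC) + " (ESP)")  # steps 3-4
    hops.append("PIXB (decrypt)")                  # step 5: outer header removed
    hops.append(lookup(PIX_B, dst))                # step 5: static route inside
    hops.append(lookup(SW_B, dst))                 # steps 6-7: matching SVI
    return hops

if __name__ == "__main__":
    acl = [("10.1.10.0/24", "10.2.0.0/16")]        # VLAN 20 deliberately missing
    for src in ("10.1.10.5", "10.1.20.5"):
        print(src, "->", " -> ".join(trace(src, "10.2.30.9", acl)))
```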