VPN and VLAN

alan.morris
Level 1

We have a site split into 2 IEEE 802.1Q VLANs, using non-Cisco switches. They have a PIX 515 for Internet access. This is also configured to provide incoming VPN access for management and general access purposes.

In principle, is it possible to configure a new VPN connection which results in its inside traffic being tagged with a specific VLAN ID whilst all other traffic (including other VPN connections) remains untagged?

1 Accepted Solution

Accepted Solutions

If the PIX is terminating your VPNs from the outside, then the answer is no. If the VPNs are coming from the outside and terminating on the PIX, then the traffic never traverses a VLAN. VLAN tagging is used to identify which VLAN a source frame originated in and which VLAN it is destined for, so a VLAN-aware switch can "route" the frame through the appropriate VLAN. For what reason would you want to tag VPN traffic originating from the outside? If it is to control access, then you can specify VLAN 2 and VLAN 3 on the PIX (as long as it has code 6.3), and control which VLAN you want each VPN group to have access to by use of ACLs. Each VLAN on a PIX is treated as a physical interface. It has its own security level (0-100) and can have ACLs applied to it just as physical interfaces do.

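A constructed PIX 6.3 configuration fragment illustrating the approach in the accepted answer (added here, not posted in the thread). It assumes ethernet1 is trunked to the switch with VLAN 2 native and VLAN 3 tagged; the interface names, address ranges and group names are made up, and the standard ISAKMP / crypto-map remote-access configuration is omitted because it is unchanged by this design.

```cisco
! Constructed example: VLAN 2 stays on the physical inside interface,
! VLAN 3 becomes a logical interface with its own security level and ACLs.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 support security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip address support 192.168.3.1 255.255.255.0

! One address pool per VPN group, so the pool identifies the group.
ip local pool general-pool 10.10.2.1-10.10.2.50
ip local pool support-pool 10.10.3.1-10.10.3.50
vpngroup general address-pool general-pool
vpngroup support address-pool support-pool

! Exempt VPN client traffic from NAT towards both VLAN interfaces.
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.10.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (support) 0 access-list nonat

! Without this line, decrypted IPsec traffic bypasses the outside ACL
! entirely, so the per-group restrictions below would never be checked.
no sysopt connection permit-ipsec

! General pool reaches only VLAN 2; support pool reaches only VLAN 3.
access-list outside_in permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in permit ip 10.10.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Verify the result with `show access-list outside_in` after a client from each pool connects: hit counts should appear only on the line matching that pool's VLAN.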

5 Replies

umedryk
Level 5

Standard 802.1Q is an "internal tagging" or one-level tagging scheme, whereas Cisco's ISL is an "external tagging" or two-level tagging scheme, so I believe this is possible with Cisco switches only.

Sorry, I do not understand what you mean by internal/external tagging; would you mind explaining please?

baileja
Level 1

I am having trouble understanding what your question is. Can you elaborate? Are you asking, if you have two VPNs terminated at the PIX communicating to the inside, whether it is possible to have one VPN ride a trunked link and get tagged and the other go over an access link? Is this what you're asking? If so, why would you want to do this? If your PIX is configured as the termination for the VPNs, then no, because the PIX is not capable of source routing. You would not be able to differentiate the paths for VPN 1 or VPN 2 to the inside.

My apologies if my question was not clear. To clarify:

The client has 2 VLANs on the inside of the PIX (say 2 and 3). We want all non-VPN incoming traffic to be tagged with a 2, and a remote access VPN connection (used for remote support) to be tagged with a 3.

At a later stage we may also need to establish other remote access VPN connections for general use to be tagged with a 2.

Reading the documentation, I think that this should be possible using logical interfaces, but I am unable to test it since the only PIX I currently have access to in a test environment is a 501, which does not support logical interfaces.

Regards,
