VLANs over internet/IPSec Tunnel

Hi All !

I have a problem.

I have trunked 5 VLANs from various sites over satellite and have them all ending on a hub router,

but my difficulty now is in getting them sent to the HQ over the internet.

I have thought about only 2 ways of possibly being able to do this

1. Get a leased Line :-)

2. The only feasible alternative is to get the VLANs sent per IPSec over the internet, but this is my problem....

How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?

What equipment would I need ? (more switches/routers)

Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?

Can someone please help.

Re: VLANs over internet/IPSec Tunnel


Your drawing suggests that you are thinking about trying to do 5 separate IPSec tunnels from the remote router to the central router. I do not believe that you can do multiple separate tunnels between the same two peer routers.

I have a question about what your real requirements are. Do you really need to get the 5 VLANs to HQ (as separate VLANs) or do you need to get the traffic from the remotes to HQ?

I think it is very problematic to try to get the VLANs separately to HQ. One way to understand VLANs is that a VLAN is essentially a broadcast domain. It is problematic to try to extend a broadcast domain over an Internet connection. It is usually much better to terminate the VLAN at the edge of the cloud and to route over the Internet to establish connectivity between the remote end stations and the HQ.

Re: VLANs over internet/IPSec Tunnel


If you want to extend the LAN or VLAN end to end you could look at whether your SP can do an AToM or L2TPv3.


Re: VLANs over internet/IPSec Tunnel

Hi Rick,

What I need to do is just keep the traffic separated in any way until it gets to the HQ.

All Remote sites have 5 VLANs.

But VLAN 2 from site 1 is not allowed to speak with any other VLAN from any other site until it gets back to HQ.

So the VLAN traffic has to be completely separate until it has reached HQ.

What I was thinking about (but did not get to work) was just using IP addresses from the different VLAN subnets with ACLs to keep the data separate on the hub router in the middle of the sketch before sending it all as 1 data stream over an IPSec tunnel.

Any advances on this thought ?
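
One way to get the separation asked for in this thread, as an added example that is not from any of the posters: on Cisco IOS 15.x (assumed), put each VLAN subinterface on the hub router into its own VRF-lite table and give it its own GRE tunnel to HQ, with all tunnels protected by one shared IPsec profile, so a VLAN 2 packet can only leave the hub inside the VLAN 2 tunnel and lands in the VLAN 2 table at HQ. Addresses, VRF names, the peer address and the pre-shared key are placeholders; two of the five VLANs are shown and the pattern repeats for the others.

```cisco
! Added example (not from the thread): hub router, VRF-lite per VLAN and
! one GRE tunnel per VLAN, all protected by the same IPsec profile.
! Addresses, peer address and pre-shared key are placeholders.
ip vrf VLAN2
 rd 65000:2
ip vrf VLAN3
 rd 65000:3
!
! Trunk from the satellite side: one subinterface per VLAN, each in its VRF
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VLAN2
 ip address 10.2.0.1 255.255.255.0
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip vrf forwarding VLAN3
 ip address 10.3.0.1 255.255.255.0
!
! IKE/IPsec: one policy, one transform set, one profile shared by all tunnels
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile VLAN-PROT
 set transform-set AES-SHA
!
! One GRE tunnel per VLAN. "ip vrf forwarding" keeps the inner traffic in
! its own table; "shared" lets several tunnels with the same source and
! destination use one IPsec profile; "tunnel key" tells the tunnels apart.
interface Tunnel2
 ip vrf forwarding VLAN2
 ip address 172.16.2.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel key 2
 tunnel protection ipsec profile VLAN-PROT shared
interface Tunnel3
 ip vrf forwarding VLAN3
 ip address 172.16.3.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel key 3
 tunnel protection ipsec profile VLAN-PROT shared
!
! Per-VRF routes toward HQ's side of each VLAN (HQ subnets assumed)
ip route vrf VLAN2 10.2.100.0 255.255.255.0 Tunnel2
ip route vrf VLAN3 10.3.100.0 255.255.255.0 Tunnel3
```

The HQ router mirrors this with the addresses swapped, and any leakage between VLANs would then have to be an explicit route between VRFs rather than an ACL gap.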
