New Member

Vlans over VPN?

Hi,

I've been asked to set one of our satellite offices up with a couple of VoIP phones, a couple of WAPs and a few control devices and PCs. I only just passed ROUTE so am still quite new to this.

I am hoping to use a DSL line and a suitable Cisco 800 series router with maybe a 3750 if we need extra ports. My intention is to set this up as a VPN client back to our 6500.

My problem is that on campus we tend to use set VLANs for voice and wifi and if, say, three of these could be trunked to the remote site that would save us a lot of trouble - we're a university so we use eduroam for wifi and would not want to set this site up just to give access to the internet directly via the DSL line. The phones ideally and control devices especially need IP addresses from a preset private range.

We would normally be inclined to use dark fibre or a dedicated line, but are hoping to save some cash by going with dsl.

Can you suggest: i] is this doable? ii] is it desirable, or at least not kill our network iii] can you think of a better or cheaper alternative that does not require a dedicated line?

If you can point me in the direction of any Cisco docs for the implementation I would be most grateful.

Thanks.

7 REPLIES
Bronze

Re: Vlans over VPN?

Hi,

If I understand you correctly, you want to continue your VLANs at the campus to satellite office. Regardless of whether you use an IPSec VPN or an MPLS solution, you will have a problem with routing.

If one of your vlans is 10.10.10.0/24 at the Campus, and you want to use that at the Satellite office as well, how does your network know where 10.10.10.0/24 is? It is in two locations separated by a WAN link. For a VPN, you have to specify source and destination traffic to match for encryption. Your crypto-map would look like this; match traffic source 10.10.10.0/24 destination 10.10.10.0/24. This will not work.

You could subnet 10.10.10.0/24 into smaller networks, say 10.10.10.0/25 and 10.10.10.128/25 and assign them to each location. Although this will work, it is not ideal and should be avoided if possible.

What you need to do is create 3 new subnets for the Satellite office and assign them to the appropriate VLANs. Add routes to your network to advertise the new subnets, and add routes at the Satellite office for the Campus networks.

HTH,

Paul

HTH Paul ****Please rate useful posts****
New Member

Re: Vlans over VPN?

Thanks,

I see what you are saying about the crypto map.

I am going to have to think about this a bit more.... The control devices especially want to be in a particular network range and, as far as I know, won't work if they are not. I'm wondering if it is worth trying to forward some ports with some multihomed Linux boxes and IPtables. Or will NAT do the job?

The phones, as I understand it, are capable of connecting to the VPN themselves, so this might be a better option, assuming a DSL line will cut the mustard QoS-wise.

Then there is the wifi. Around campus we use Cisco Aironet 1140 as thin clients. I have just read:

The Cisco Aironet 1140 Series is a component of the Cisco Unified Wireless Network, which can scale up to 18,000 access points with full Layer 3 mobility across central or remote locations on the enterprise campus, in branch offices, and at remote sites.

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10092/datasheet_c78-502793.html

Not had much to do with this before. On campus, we just plug them in and they start to work, but if they can work at a remote location and contact our controller & RADIUS servers directly then this should be OK, but I guess that's another thread...

Hall of Fame Super Silver

Vlans over VPN?

Hello Roger,

A routed solution is possible for both phones and WAPs, so it is the direction to go.

Providing an L2 transport service over a simple DSL link can become a real issue, as the precious WAN bandwidth is wasted carrying broadcast frames. And DSL upstream is not so fast; it is less than 1 Mbps!

So even if L2TPv3 could do the job of transporting VLANs over an IP network, in your scenario you should build a routed solution, as it provides protection and control over WAN bandwidth usage.

You just need to build an IPSec VPN and route over it to/from HQ.

Hope to help

Giuseppe
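
Added example, not part of any reply in this thread: a sketch of the routed IPsec design the two replies above recommend, written as Cisco IOS configuration for the satellite router. Only 10.10.10.0/24 comes from the thread; the 10.20.x.0/24 satellite subnets, VLAN numbers, object names, the 192.0.2.1 campus peer, the Dialer0 uplink and the key placeholder are assumptions, as is an IOS image with the crypto feature set.

```cisco
! Satellite router. Constructed example: every address, name and key is a placeholder.
! Campus keeps 10.10.10.0/24; the satellite VLANs get their own subnets so that
! the crypto ACL has distinct source and destination ranges.
interface Vlan110
 description voice (assumed satellite subnet)
 ip address 10.20.10.1 255.255.255.0
interface Vlan120
 description wifi (assumed satellite subnet)
 ip address 10.20.20.1 255.255.255.0
interface Vlan130
 description control devices (assumed satellite subnet)
 ip address 10.20.30.1 255.255.255.0
!
! IKE phase 1 towards the campus VPN headend (placeholder peer address)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
crypto ipsec transform-set CAMPUS-TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic: satellite subnets to the campus subnet.
! The campus end needs the mirror image (source and destination swapped).
! An entry with 10.10.10.0/24 on both sides is the case described as not working.
ip access-list extended TO-CAMPUS
 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.20.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto map CAMPUS-VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CAMPUS-TS
 match address TO-CAMPUS
!
! Bind the crypto map to the DSL-facing interface (assumed name)
interface Dialer0
 crypto map CAMPUS-VPN
```

Traffic between the satellite subnets and any destination not listed in TO-CAMPUS leaves Dialer0 unencrypted, so each additional campus network that must be reached through the tunnel needs its own pair of mirrored ACL entries.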

Re: Vlans over VPN?

You need to answer approximately 2 million questions before a final answer can be given. But first and probably most importantly is, what type of bandwidth are you planning for on this link? Because unless it's pretty low, an 800 series router isn't going to cut it. Look on the Cisco site for the portable products data sheet, divide those numbers by four, then pick a generally more suitable router, which I'm going to guess will be no less than a 2911.

Sent from Cisco Technical Support iPad App

New Member

Re: Vlans over VPN?

Thanks, we are looking at a DSL line, so in the region of 2-50Mbs depending on what BT can muster.

Vlans over VPN?

Hi Roger,

If it is ADSL, I guess BT can provide up to max 8 Mbps.

Regards,

Smitesh

New Member

Vlans over VPN?

Hi,

One solution could be to use a GRE tunnel to encapsulate L2 packets (I tested GRE to encapsulate L3, not L2).

The idea is to use 2 features:

- GRE tunneling

- IRB (Integrated Routing and Bridging), which permits using 2 router interfaces as a bridge.

Configuration elements on the remote router :

- 1 physical Ethernet interface for each vlan

- 3 classical GRE tunnels up to the C6500 (or more probably the access router)

- 3 bridge-group, each bridge-group associated to each tunnel

The idea is that each packet of each vlan on the remote network is forwarded in a dedicated GRE tunnel.

On the main site, the GRE tunnels deliver packet in the right vlan.

Not sure it will work exactly this way, but I am quite sure the direction is the good one.

Another solution is L2VPN, using MPLS (so it is necessary to have the LDP feature available on both sides), which I think is even simpler to implement (the idea is to create a tunnel between 2 physical interfaces configured in the same way).

Regards

D.
