VPN Networking: How to span a /24 subnet across two locations

Tags: l2vpn, mplsvpn

How can I have a single /24 private IP address space that spans two locations across a VPN?

aka VPLS

Scenario:

We have a /24: 192.168.100.0/24 that has workstations and servers on it. Servers are .5 through .30, workstations are .50-.254.

  • Currently, all this is at a single physical location.
  • The servers are all VMware instances on a single VMware host.
  • We currently use Sonicwall NSA 3600 and similar models

We need to move the servers to a data center (to reclaim the office space, etc), and, for a number of reasons, need to keep the networking as is. (There is extensive configuration at app server and client level giving specific rights to specific IP addresses, blocking access by IP, and putting different types of users in different IP address blocks.)

When I have done VPN configs in the past, we always had a different subnet at each location. This would break many layers of app setup, so we are looking to avoid it. We need the same subnet (192.168.100.0/24) to span two locations, and for the servers to see the clients properly (e.g. the client IP is represented to the server as it is now, when everything is in one physical location).

I have heard that MPLS and/or L2 services from a telco may be able to solve for this, but I do not know exactly how. We would prefer to implement this in our own networking gear (to give us flexibility RE location, e.g. not to be completely dependent on telco), but need to understand the options.

Note:
– We understand that L2 bridging is not ideal from some perspectives
– It is, however, the right thing for this application
– We know about using NAT to route a "local" address across to another subnet. No need to explain that. This thread is "how to span a /24 subnet across two locations"

a) Can this be done at all?

b) We know that telco has services like this. We want to know: Can we do it in our own gear? (We currently use the Sonicwall NSA 3600, but will migrate off if we need to. What do we need to have, spec wise, in gear to do that?)

c) Suggested "closest options" to this? (e.g. if our dream of VPLS in our own gear is not possible, is there another option between that and telco VPLS that solves in this way?)

Best Answer

Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature

Background Information

In order for a VLAN to span a router, the router must be capable of forwarding frames from one interface to another, while maintaining the VLAN header. If the router is configured for routing a Layer 3 (network layer) protocol, it will terminate the VLAN and MAC layers at the interface a frame arrives on. The MAC layer header can be maintained if the router is bridging the network layer protocol. However, regular bridging still terminates the VLAN header.

Using the IRB feature in Cisco IOS® Release 11.2 or greater, a router can be configured for routing and bridging the same network layer protocol on the same interface. This allows the VLAN header to be maintained on a frame while it transits a router from one interface to another. IRB provides the ability to route between a bridged domain and a routed domain with Bridge Group Virtual Interface (BVI). The BVI is a virtual interface within the router that acts like a normal routed interface that does not support bridging, but represents the comparable bridge group to routed interfaces within the router. The interface number of the BVI is the number of the bridge group that the virtual interface represents. The number is the link between the BVI and the bridge group.
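The IRB arrangement described above, written out as an added example configuration (not taken from the Cisco document, and not the asker's gear): the 192.168.100.0/24 VLAN from the question is bridged across two router interfaces as bridge group 1, and BVI1 (its number matching the bridge group) is the routed gateway into that bridged domain. Interface names and VLAN ID 100 are assumed; the remote side of the tunnel or circuit is out of scope here.

```cisco
! Added example: IRB bridging a single /24 across two router interfaces
! (assumed interface names; VLAN ID 100 is a constructed value)
bridge irb
bridge 1 protocol ieee
! route IP for bridge group 1 via the BVI; everything else is bridged
bridge 1 route ip
!
interface GigabitEthernet0/0.100
 description office side of 192.168.100.0/24 (assumed)
 encapsulation dot1Q 100
 ! member of bridge group 1: frames keep their VLAN header across the router
 bridge-group 1
!
interface GigabitEthernet0/1.100
 description data-center side of 192.168.100.0/24 (assumed)
 encapsulation dot1Q 100
 bridge-group 1
!
! BVI1 <-> bridge group 1: the interface number is the link between them
interface BVI1
 ip address 192.168.100.1 255.255.255.0
```

With this in place, hosts at .5-.30 and .50-.254 on either interface see each other at Layer 2 and keep their original addresses, which is what the application-level IP rules in the question depend on.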
