VLAN over WAN


I've never done VLAN before; in our own LAN I create subnets physically by using a Cisco ASA 5505.

We have now added a new site and I've been requested to create a VPN connection and 2 or 3 VLANs between the 2 sites, that is, the same VLANs in site 1 are to exist in site 2. As an example, one of the VLANs will be used for the IP phones at both sites. Another VLAN will be used for applications.

Sites will be connected over a 10Mb leased line.

I'm going to be given a Cisco 2821 router at either end, but I've been looking on the internet and this is a Layer 2 router.

Now, what is the best way to do this?
Should I request a different router which is layer 3, or should I request a layer 3 switch to plug into that router?

Thanks

Nico

Best Answer

First off, the Cisco 2821 is just a router. I don't know where you've gotten this "layer 2 router" business from (the statement is an oxymoron in itself), but a 2821 is a perfectly capable IP router.

You don't want to extend a layer 2 broadcast domain across a VPN. You won't like how it performs.

Let's call your existing location "site A" and the new location "site B". Let's call the networks:

  • Site A Data subnet - VLAN id 1 - 192.168.0.0/24
  • Site A Voice subnet - VLAN id 2 - 192.168.1.0/24
  • Site B Data subnet - VLAN id 1 - 192.168.2.0/24
  • Site B Voice subnet - VLAN id 2 - 192.168.3.0/24

In your 2821s, you'd set up an IPSEC tunnel between the sites. Here's a decent example using a static key: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Once you've got that, you'll create VLAN interfaces on the routers on each end, assigning the routers IP addresses in each VLAN:

Router in Site A:

interface FastEthernet0/0
 no ip address
 no shutdown
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.0.1 255.255.255.0
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.1.1 255.255.255.0

Router in Site B:

interface FastEthernet0/0
 no ip address
 no shutdown
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.3.1 255.255.255.0

Assuming you've set the IPSEC tunnel up properly, with the proper addresses being excluded from NAT, traffic between the various subnets in the sites will be transparently encrypted and sent to the other end. The routers at each end will, because of their VLAN interfaces and static routing table entries, automatically tag traffic with the appropriate VLAN tags and drop it onto the Ethernet.

You'll need to configure the switches at both ends with trunk ports to connect the routers to, and you'll have to figure out how to integrate the Site A router into your existing routing topology re: the existing ASA-5505, but this should give you enough to go on to get started.
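As an added example, not part of the answer above, here is what the Site A side of the static-key IPSEC tunnel the answer describes could look like on the 2821, using the answer's VLAN subnets. The WAN interface name (GigabitEthernet0/1), the WAN addresses (203.0.113.0/30) and the pre-shared key are placeholder assumptions; Site B is the mirror image with the local and remote addresses swapped.

```cisco
! Site A router - added example, not the answer's own configuration
! Assumed: WAN is GigabitEthernet0/1 on 203.0.113.0/30, Site B peer is 203.0.113.2
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
crypto ipsec transform-set SITE-B-TS esp-aes 256 esp-sha-hmac
!
! Traffic to encrypt: both Site A VLAN subnets (192.168.0.0/23)
! to both Site B VLAN subnets (192.168.2.0/23)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.1.255
!
crypto map SITE-B-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITE-B-TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/1
 description Leased line to Site B (placeholder addressing)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map SITE-B-MAP
!
! The VLAN subinterfaces from the answer are the NAT inside side
interface FastEthernet0/0.1
 ip nat inside
interface FastEthernet0/0.2
 ip nat inside
!
! NAT exemption: site-to-site traffic must NOT be translated,
! otherwise it never matches VPN-TRAFFIC and bypasses the tunnel
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.1.255
 permit ip 192.168.0.0 0.0.1.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/1 overload
!
! Static route so Site B's data and voice subnets are reached via the WAN
ip route 192.168.2.0 255.255.254.0 203.0.113.2
!
! Verification after a ping from 192.168.0.x to 192.168.2.x:
! show crypto isakmp sa   -> peer 203.0.113.2 in state QM_IDLE
! show crypto ipsec sa    -> pkts encaps/decaps counters increasing
```

If the ISAKMP SA comes up but `show crypto ipsec sa` shows no encapsulated packets, check the NAT exemption first; translated traffic silently misses the crypto ACL.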