VLAN Trunking through a VPN

We currently have two buildings within our company. We want to connect the two buildings with a VPN. I was wondering if it is possible to get VLAN trunking through the VPN so that both buildings' switches can utilize the same VLANs. Is this possible with a GRE tunnel, or an L2TPv3 VPN? Any advice that can be given would be most appreciated.

Reply to
jjfunaz

Why would you want to do such a thing!!!!! I know there are special cases where this would be a good idea, but that is the extreme exception and not the rule. What is the problem with routing the traffic? It's just as fast as layer 2 and you have the advantage of not propagating the layer 2 broadcasts from one location to another, and a layer 2 problem (such as a spanning-tree problem) will affect only one location instead of both. The entire point of Layer 3 is to limit your layer 2 broadcast domain, and trunking VLANs across a WAN connection is a waste of bandwidth. Tell the server guys to set up a DNS server, and use DNS names instead of IP addresses, and then it won't matter if a server moves from location A to location B. There is a reason that IP was invented, and this is one of them.

Scott

Reply to
thrill5

Where in the original post do you read they don't have a DHCP server or don't use DNS names already? They're already using VLANs so are aware of the benefits of VLANs in regard to separating broadcast domains. Are they VPN'ing across a WAN? You're probably right in assuming they are but that hasn't been mentioned.

DNS 'names' just resolve to an 'IP address' ... how can a server move from location 'A' to location 'B' if location 'B' doesn't have the same VLAN/subnet available? Having to change a server's IP address just to bring it up in another location can cause more pain than it's worth. Having at least one (say the server) VLAN trunked to the other location allows 'seamless failover'.

Yes, VLANs can be trunked through a GRE tunnel or an L2TP VPN and can prove to be very useful. We almost went down that path because we had a 1Gb (provider managed) Dark-Fibre link from our main building to our DR site 3 km away and wanted to have 'same-subnet' availability. It passed through the supplier's Cabletron switching and we were rather limited as to what VLANs we could actually trunk as we couldn't duplicate any they were already using.

VPN or L2TP would allow us to trunk whatever we wanted so we started to investigate the possibilities but decided to fast-track our own Dark-Fibre solution instead ... bypassing anyone else's infrastructure.

To cut a long story short ... yes you can trunk through a GRE Tunnel or L2TP VPN ... but I never got that far.

BernieM

Reply to
BernieM
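To make concrete what "trunking a VLAN through an L2TPv3 VPN" actually carries across the WAN, and what Scott's and BernieM's posts are weighing against each other, here is an added worked example in Python. It is not code from this thread or from any vendor; it assumes the L2TPv3-over-IP data header layout from RFC 3931 (32-bit session ID followed by an optional 0/4/8-byte cookie) with an 802.1Q-tagged Ethernet frame as the payload, and all MAC addresses, session IDs and cookies are constructed sample values. It shows three things a practitioner would want to check before building such a tunnel: the cookie check that lets the decapsulating end drop frames that were not injected by the peer, a classifier that flags the broadcast and spanning-tree BPDU frames that would otherwise leak between the two buildings, and the per-frame encapsulation overhead that the WAN MTU must absorb.

```python
import struct

# L2TPv3 carried directly over IP uses IP protocol 115 (RFC 3931, section 4.1.1.2).
L2TPV3_IP_PROTO = 115
IP_HEADER_LEN = 20              # outer IPv4 header, no options
L2TPV3_SESSION_ID_LEN = 4
TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6
STP_BPDU_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
SAMPLE_SRC = bytes.fromhex("001122334455")     # constructed source MAC for the samples
SAMPLE_DST = bytes.fromhex("00aabbccddee")     # constructed unicast destination MAC


def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Build an 802.1Q-tagged Ethernet frame (FCS omitted, as it is on a pseudowire)."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst, src, ethertype_or_len, payload):
    """Build a plain Ethernet II / 802.3 frame with no VLAN tag (e.g. a native-VLAN BPDU)."""
    return dst + src + struct.pack("!H", ethertype_or_len) + payload


def l2tpv3_encap(frame, session_id, cookie=b""):
    """Prepend the L2TPv3-over-IP data header: session ID plus optional cookie."""
    if len(cookie) not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + frame


def l2tpv3_decap(packet, expected_session, cookie=b""):
    """Strip the header; return the inner frame, or None when the session ID or
    cookie does not match (the receiver silently drops such packets, which is what
    stops an off-path sender from injecting frames into the bridged VLAN)."""
    (session_id,) = struct.unpack("!I", packet[:L2TPV3_SESSION_ID_LEN])
    if session_id != expected_session:
        return None
    start = L2TPV3_SESSION_ID_LEN
    if packet[start:start + len(cookie)] != cookie:
        return None
    return packet[start + len(cookie):]


def parse_frame(frame):
    """Return dst, src, VLAN ID (None if untagged), EtherType and payload of a frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame):
    """Classify a frame as it would appear on the tunnel: (kind, vlan)."""
    info = parse_frame(frame)
    dst = info["dst"]
    if dst == STP_BPDU_DST:          # checked first: this address is also multicast
        kind = "stp-bpdu"
    elif dst == BROADCAST:
        kind = "broadcast"
    elif dst[0] & 1:
        kind = "multicast"
    else:
        kind = "unicast"
    return kind, info["vlan"]


def should_forward(frame, allowed_vlans, drop_bpdu=True):
    """Policy for the tunnel edge: prune to an explicit VLAN list and keep the two
    sites' spanning trees separate. Untagged frames (no VLAN) are never forwarded."""
    kind, vlan = classify(frame)
    if kind == "stp-bpdu" and drop_bpdu:
        return False
    return vlan is not None and vlan in allowed_vlans


def tunnel_overhead(cookie_len=8, tagged=True):
    """Bytes added around the inner IP packet: outer IP + L2TPv3 + Ethernet(+802.1Q)."""
    eth = 14 + (4 if tagged else 0)
    return IP_HEADER_LEN + L2TPV3_SESSION_ID_LEN + cookie_len + eth


def wan_mtu_needed(inner_ip_mtu=1500, cookie_len=8):
    """Outer MTU required to carry a full-size inner packet without fragmentation."""
    return inner_ip_mtu + tunnel_overhead(cookie_len)


if __name__ == "__main__":
    cookie = bytes.fromhex("0123456789abcdef")      # constructed 8-byte cookie
    arp = build_tagged_frame(BROADCAST, SAMPLE_SRC, 100, 0x0806, b"\x00" * 28)
    bpdu = build_untagged_frame(STP_BPDU_DST, SAMPLE_SRC, 0x0026, b"\x42\x42\x03" + b"\x00" * 35)
    for f in (arp, bpdu):
        print(classify(f), "forward:", should_forward(f, {100}))
    pkt = l2tpv3_encap(arp, 0x1234, cookie)
    print("round trip ok:", l2tpv3_decap(pkt, 0x1234, cookie) == arp)
    print("overhead bytes:", tunnel_overhead(), "WAN MTU needed:", wan_mtu_needed())
```

The `should_forward` policy is the software equivalent of pruning the trunk to the one server VLAN BernieM describes and filtering BPDUs at the tunnel edge, so a spanning-tree event in one building cannot reconverge the other; the MTU figure (a full 1500-byte inner packet needs a 1550-byte WAN path with an 8-byte cookie and a tagged frame) is the bandwidth and fragmentation cost Scott's reply alludes to.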

One of the key functions of a Network Architect is to resist the mad-cap suggestions of the network users. The integrity of the network is your responsibility and there is no reason to give in to the simplistic views of the network users, in this case the system admins, it would seem.

Tell them that it is not "best practice" to extend VLANs unnecessarily and use two subnets (networks).

This is easy to substantiate from publicly available Cisco documents.

Have fun.

Reply to
anybody43

On 25.03.2006 01:34 snipped-for-privacy@hotmail.com wrote

Real world is not always that simple. Often there are good reasons (like during migration) to have a L2 backup though you do not want it as a permanent solution.

Reply to
Arnold Nipper

Thank you all for the responses. I didn't think it was possible to actually split a subnet over a VPN. I can see that it might be complicated but does anyone have any links on Cisco's site or another that gives examples of how this is done or resources to point me in the right direction?

Thank you again, John Furnari

Reply to
jjfunaz

If I understand correctly, you should be able to do this with 7.x OS on Cisco PIX 515E, 525, or 535, or Cisco ASA 5500 -- in that you are able to establish layer 2 transparent VPNs with that equipment.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.