VLANs over a WAN link

hancorp
Level 1

We have a primary and secondary site which I need to span with the same VLAN structure (i.e. four VLANs). The only type of WAN link available between the two sites does not support any form of traffic separation (i.e. not ATM or Frame). Can the VLANs at the two sites be connected over this type of link while still keeping them separate (for security reasons)? The article http://www.cisco.com/warp/public/473/741_10.html seems to indicate this can be done with IRB, but the example does not refer to VLANs at all.

8 Replies

Prashanth Krishnappa
Cisco Employee

Bridging is the only way I can think of if you need the same VLAN/Subnets on both sides.

Regards,

-Prashanth

Yes...but can I bridge 4 VLANs over a single link and still maintain separation? If so, how?

Erick Bergquist
Level 6

Since you can't use a WAN protocol that allows VCs to separate the traffic, can you use a channelized module? This would let you have different interfaces for different timeslot ranges...

I'm not sure if this will work (haven't ever tested it) - You could turn trunking on the switch port going to the router, and on the router LAN interface config it for just a bridge-group, and the same for the WAN interfaces and LAN interface at the other site. Logically, this should bridge everything at L2 to the remote site including the VLAN headers, but since VLAN packets can be larger packets I'm not sure if the routers will leave them alone when bridging between the interfaces and such.

Good Luck, Erick

That seems to be what the article in my original post implies, but as I said, the example seemed a bit irrelevant....I'll try it and see.

Thanks

Erick Bergquist
Level 6

Another thought...

You might consider using fiber between the sites if they are relatively close... this way it will be a LAN connection. There are also services offered by carriers/telcos/etc. if you're in a metro area that give a LAN-like connection.

The WAN link we have is actually a carrier-provided LAN; however, they do not allow customers to implement their own VLAN structure because they use it internally to maintain customer separation. Also, the sites are too far apart for 'private' fiber.

DALE FRANCIS
Level 3

This might be a bit OTT.

However, reading your question and the replies led me to this thought, and we have done it in the past.

I assume you are stuck with your WAN link and have to work around that at minimal expense.

Okay, besides going the channelised route, despite it being multiplexed into one continual stream anyway at the end of the day, the suggestion is to create a form of LOGICAL separation. Now this can be done via tunnels across your WAN link; this way traffic is still multiplexed over a single link but still kept separate in terms of L3. Then for security one could use IPSEC for encryption.

As said, I know this might be a bit over the top, but it is not hard to config and can at least provide you with security without changing your WAN infrastructure. This logical separation can be implemented in an hour with all the correct commands etc., whilst a change in circuit etc. will take longer.

Regards

Yes, we are stuck with our current WAN link. I may have to revert to tunnels but I really wanted L2 connectivity if possible.

Thanks
