07-17-2018 09:36 AM - edited 03-05-2019 10:47 AM
Hello everyone,
I have the classic requirement to extend layer 2 VLANs to another data center via a 10Gb layer 2 metro Ethernet connection. I have the following requirements.
1- Extend the layer 2 VLANs so no re-IP is required -- the two data centers must have the same broadcast domain.
2- Use WAN MACsec to secure/encrypt all communication between the two data centers.
Now, normally this would not be a problem due to the fact that I'm already planning on using a layer 2 metro Ethernet connection. I would simply have to connect the network provider's Ethernet hand-off to my switch. The issue is that I need to use WAN MACsec, and the only way I can do this is by using an ASR 1002HX to connect the two data centers (DCI).
So the question I have is: how do I make the ASR router switch (NOT route) the packets from the internal interface to the external interface, thereby extending my layer 2 domain to the remote DC?
I was told that the solution is to create identical sub-interfaces on the ASR internal and external interfaces with the same VLANs. This would cause the switch to create SVIs, and since the SVIs on both interfaces are in the same VLAN, the switch would then switch the packets. I was not aware of this behavior and wanted to check with you guys and see if this is correct and if this configuration has any issues. Thanks everyone!
07-17-2018 12:16 PM
As per my understanding:
Each DC is working and live as of now; you only want to transit the traffic between the DCs by extending L2,
and you do not want traffic to go out from DC1 to DC2 and the internet, or vice versa? Is this correct?
Refer to the link below; it should give you some guidance:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2016/WP-WAN-MACsecDep-Aug2016.pdf
BB
07-17-2018 02:06 PM
The picture below shows my configuration. There is no internet connectivity in this solution. So my question is: can I switch the layer 2 traffic through the ASRs, thereby extending my layer 2 domain to each DC? Basically, behind each ASR I have server workloads; can server 1 in DC 1, VLAN 1 communicate with server 2 in DC 2 over the same VLAN 1/subnet? I need to switch the traffic (NOT route it) through the ASR. Thanks so very much for your assistance!!
07-18-2018 07:01 AM
I have two suggestions that I think might satisfy your requirements.
1) Configure Concurrent Routing and Bridging on both ASRs. CRB uses a virtual interface (BVI) to establish a layer 3 interface used for routing, and uses bridging/switching to move traffic between the physical interfaces.
2) Use L2TPv3 on the ASR to extend the VLAN.
HTH
Rick
07-18-2018 07:33 AM
Thank you for the assistance. Are the options and/or? Also, if you would provide me with URLs for the solutions, that would be great!! Thanks again for your assistance!!!
07-18-2018 08:04 AM
In my response I suggested CRB. I really should have suggested Integrated Routing and Bridging. CRB and IRB are similar, but IRB is the later and better solution. Use one or the other (not both), if that is what you are asking. I would assume that IRB would be preferable.
Here is a link that describes IRB and has a sample configuration.
Here is a link for L2TPv3 if you want to look into this option.
HTH
Rick
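As an added example (not from this thread, and not Cisco's documentation), here is what the bridged-VLAN setup Rick describes might look like on an ASR 1000, using the platform's bridge-domain / BDI form of IRB rather than the classic bridge-group / BVI syntax. The interface names, VLAN 10 and the address are assumptions; the same configuration would be applied on the ASR at the other DC.

```cisco
! Added example (not from the thread): bridge VLAN 10 through an ASR 1000
! with a bridge-domain, so frames are switched (not routed) between the
! LAN-facing and WAN-facing ports. Interface names, VLAN and address are
! assumed; apply the same on the ASR at the other DC.
!
! LAN-facing port toward the DC switch (802.1Q trunk)
interface TenGigabitEthernet0/0/0
 no ip address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! WAN-facing port toward the metro Ethernet hand-off. WAN MACsec (MKA) would
! be applied on this physical interface so the whole trunk is encrypted; that
! part is left out here and is exactly the compatibility point the thread raises.
interface TenGigabitEthernet0/0/1
 no ip address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! Optional: an L3 presence in the bridged VLAN (management only).
! Omit this if the ASR should be a purely transparent bridge.
interface BDI10
 ip address 10.10.10.254 255.255.255.0
!
! Verification:
! show bridge-domain 10           - MAC addresses learned via both service instances
! show ethernet service instance  - both EFPs up and bound to bridge-domain 10
```

With `rewrite ingress tag pop 1 symmetric` the VLAN tag is removed on ingress and pushed back on egress, so hosts in VLAN 10 at both DCs see one broadcast domain and the ASR does no routing for that traffic. The BDI is only there if you want the ASR reachable inside the VLAN; leaving it out keeps the box transparent, which also narrows its exposure on the bridged segment.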
07-18-2018 10:28 AM
Got it. Now I need to find out if this feature works with the interface being configured with WAN MACsec... LOL
Thanks so very much!
07-18-2018 11:25 AM
Yes that is a very important question. And unfortunately I do not know that answer with any confidence. My guess is that it should work, especially with IRB. But that is only a guess. Please let us know what you find out.
HTH
Rick
07-18-2018 02:42 PM
Will do! Although I do not see any restrictions with regard to WAN MACsec and IRB. Thanks again for all your assistance!