Extend Layer 2 VLAN between two data center using WAN MACSEC

ben lora
Level 1

Hello everyone,

 

I have the classic requirement to extend the layer 2 VLANs to another data center via a 10Gb layer 2 metro Ethernet connection. I have the following requirements.

1- Extend the layer 2 VLANs so no re-IP is required. The two data centers must have the same broadcast domain.

2- Use WAN MACsec to secure/encrypt all communication between the two data centers.

 

Now, normally this would not be a problem, because I'm already planning on using a layer 2 metro Ethernet connection. I would simply have to connect the network provider's Ethernet hand-off to my switch. The issue is that I need to use WAN MACsec, and the only way I can do this is by using an ASR 1002HX to connect the two data centers (DCI).

 

So the question I have is how do I make the ASR router Switch (NOT ROUTE) the packets from the internal interface to the external interface thereby extending my layer 2 domain to the remote DC?

 

I was told that the solution is to create identical sub-interfaces on the ASR internal and external interfaces with the same VLANs. This would cause the switch to create SVIs, and since the SVIs on both interfaces are in the same VLAN, the switch would then switch the packets. I was not aware of this behavior and wanted to check with you guys to see if this is correct and if this configuration has any issues. Thanks everyone!

8 Replies

balaji.bandi
Hall of Fame

As I understand it:

Each DC is working and live as of now, and you only want to transit the traffic between the DCs by extending L2.

And you do not want traffic to go out of DC1 to DC2 and the internet, or vice versa? Is this correct?

Refer to the link below; it gives some guidance:

 

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2016/WP-WAN-MACsecDep-Aug2016.pdf

 

BB

The picture below shows my configuration. There is no internet connectivity in this solution. So my question is: can I switch the layer 2 traffic through the ASRs, thereby extending my layer 2 domain to each DC? Basically, behind each ASR I have server workloads. Can server 1 in DC 1, VLAN 1 communicate with server 2 in DC 2 over the same VLAN 1/subnet? I need to switch the traffic (NOT route it) through the ASRs. Thanks so very much for your assistance!! [attachment: Untitled.png]

I have two suggestions that I think might satisfy your requirements.

1) Configure Concurrent Routing and Bridging on both ASRs. CRB uses a virtual interface (BVI) to establish a layer 3 interface used for routing and uses bridging/switching to move traffic between the physical interfaces.

2) Use L2TPv3 on ASR to extend the vlan.

 

HTH

 

Rick


Thank you for the assistance. Are the options and/or? Also if you would provide me with URL for the solutions that would be great!! Thanks again for your assistance!!!

In my response I suggested CRB. I really should have suggested Integrated Routing and Bridging. CRB and IRB are similar but IRB is the later and better solution. Use one or the other (not both) if that is what you are asking. I would assume that IRB would be preferable.

 

Here is a link that describes IRB and has sample configuration

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html

 

 

Here is a link for L2TPv3 if you want to look into this option

https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/L2TPv3.html

 

HTH

 

Rick


Got it. Now I need to find out if this feature works with interface being configured with WAN MACSEC... LOL

 

Thanks so very much!

Yes that is a very important question. And unfortunately I do not know that answer with any confidence. My guess is that it should work, especially with IRB. But that is only a guess. Please let us know what you find out.

 

HTH

 

Rick


Will do! Although I do not see any restrictions with regards to WAN MACSEC and IRB. Thanks again for all your assistance!
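As an added example that is not part of this thread and not taken from Cisco's own documents, here is one way the two answers above come together on the DC1 ASR: WAN MACsec on the metro-Ethernet port, and the stretched VLAN bridged between the LAN port and the WAN port with no IP interface in the bridge domain, so the router switches the frames rather than routing them. Everything platform-specific in it is an assumption: the interface names, the VLAN number, the key chain and policy names, the placeholder CAK, the use of the IOS-XE EVC service-instance/bridge-domain syntax instead of the legacy bridge-group/BVI configuration shown in the linked IRB document, and that the image in use permits MACsec and service instances on the same physical port. Confirm the last two against the ASR 1000 release notes before relying on this.

```cisco
! Added example config for the DC1 ASR (not from the thread; see lead-in).
! Assumed: Te0/0/0 = metro-Ethernet hand-off toward DC2, Te0/0/1 = dot1q
! trunk to the DC1 core switch, VLAN 10 = the VLAN being stretched.
!
! Store the CAK as a type-6 secret rather than plaintext in the running config.
key config-key password-encrypt <master-passphrase>
password encryption aes
!
! MACsec pre-shared key: CKN "01", 256-bit CAK. Placeholder value; generate
! the real CAK from a CSPRNG and configure the identical CKN/CAK on DC2.
key chain MACSEC-KC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
!
! MKA policy: DC1 is key server (lowest priority value wins), AES-GCM-256,
! confidentiality-offset 0 so the whole payload, including IP headers, is encrypted.
mka policy MKA-DCI
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0
!
! WAN side: MACsec on the physical port; VLAN 10 bridged into bridge-domain 10.
interface TenGigabitEthernet0/0/0
 description DCI metro-Ethernet hand-off to DC2 ASR
 no ip address
 macsec
 mka policy MKA-DCI
 mka pre-shared-key key-chain MACSEC-KC
 ! must-secure: if the MKA session drops, frames are discarded, not sent in clear
 macsec access-control must-secure
 macsec replay-protection window-size 64
 ! broadcast EAPOL so the provider's switches forward MKA instead of consuming
 ! the 01:80:C2:00:00:03 slow-protocols address
 eapol destination-address broadcast-address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! LAN side: the same VLAN into the same bridge-domain. No IP, so no routing.
interface TenGigabitEthernet0/0/1
 description Trunk to DC1 core switch
 no ip address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! Deliberately no "interface BDI10": with no L3 interface in the bridge domain
! the ASR only switches frames between the two service instances.
!
! DC2 is the mirror image with a higher key-server priority value (e.g. 255).
! Verify after bringing the circuit up:
!  show mka sessions        <- one session on Te0/0/0 in Secured state
!  show macsec summary      <- Te0/0/0 must-secure, cipher GCM-AES-256
!  show bridge-domain 10    <- both service instances present, DC2 server MACs learned
```

Two practitioner caveats follow from this layout. First, MACsec here protects only the hop between the two ASRs: the provider still sees the outer source and destination MACs and the 0x88E5 EtherType, and if the circuit is delivered as a tagged service the provider needs to switch on, leaving the 802.1Q tag outside the SecTAG (IOS-XE has a "dot1q in clear" option for this; treat the exact keyword as something to confirm) also exposes the VLAN IDs in transit. Second, the SecTAG and ICV add up to 32 bytes per frame, so the metro-Ethernet circuit must carry that on top of the largest frame the servers send; test with full-size frames, not just pings. Since the thread also asked whether IRB-style bridging and WAN MACsec coexist, the `show mka sessions` and `show bridge-domain` checks above are the quickest way to answer that on the actual image, rather than relying on the absence of a documented restriction.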
