L2TPv3 across private WAN, VLAN transport advice needed

CWF Netman
Level 1

I've got two major internal networks in different buildings, one has data and Cisco VoIP voice infrastructure (site A), the other has data only (site B). Both sites have their own VTP domains, multiple VLANs (unfortunately with non-unique VLAN ID numbers for all the VLANs), and are connected by a pair of 3845 firewall routers over fiber optics with very tight filtering rules since the latter site B is a law enforcement organization and requires tight security.

I also now have several small remote sites, some of which need both voice and data from the parent Site A, some need secure data from site B and voice from site A. The remote sites have available to them some microwave WAN links ranging from 10Mbps capacity to 100Mbps. The problem is the microwave redundant backhaul link infrastructure is based on Moxa industrial switches which use a proprietary port-based VLAN technology that simply does not play nicely with Cisco 802.1Q VLANs. The Moxa switches shut down when they receive 802.1Q tagged traffic when I connect a Cisco switch to them.

Therefore I believe I probably need to employ site-to-site VPN links with L2TPv3 tunnelling of the VLANs between the main Site A and B locations to these smaller remote sites (water purification plant, fire stations and a public-safety vehicle radio shop), and need to use the microwave WAN link infrastructure as my backhaul.

I cannot change out the Moxa switches with Cisco. Their place in the wireless network is carved into stone, and non-negotiable. That wireless network is used primarily for "other stuff", but I need to make use of its TCP/IP backhaul capability as a private WAN between the two big sites and the remotes.

Given that the typical small remote site might have at most 2 or 3 Cisco phones, and the same number of PC workstations, what is the best choice for an affordable router capable of L2TPv3 tunnelling of two or more VLANs through a site-to-site VPN to deploy at these remote offices? Cisco 800 series? Or do I need the bigger 1800 series? We're a small city government and on a very tight budget nowadays. I figure I'll probably have to deploy two routers at the sites that need Site A's voice VLAN combined with Site B's data and just use separate physical switches and cabling for the phones at those sites.

Also, could I accomplish what I need with ASA 5505 devices at the remote sites? I've already got a couple of these left over from another project but I'm unsure if they can do L2TPv3 tunneling of VLANs. I've got an ASA 5520 at Site A used as an Internet firewall, and it's got a couple of unused ports on it. I've got a couple of unused 10/100 ports on each 3845 router at Site A and Site B too, so I've got equipment at the two central main sites already that's probably sufficiently capable of handling the job at those two sites.

It's imperative that I encrypt the LEO data links between Site B and any remote sites while in transit over the microwave WAN links. It's not so important that I encrypt the voice or data from Site A while in transit over the microwave links, but I might as well do so anyway.

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Neal,

For remote sites I would consider using a slightly different approach:

instead of extending VLANs over the WAN wireless mesh you can simply use routing:

allocate two /29 IP subnets to each remote site and configure an 877 or similar device to behave as a DHCP server for these two address pools.

The C877 can connect to central Site A with a GRE tunnel protected by IPsec; another GRE tunnel protected by IPsec can connect to Site B.

The use of point-to-point GRE tunnels is very handy because it gives you L3 interfaces, the GRE tunnels, that can be used for routing, either static routing or a dynamic routing protocol over them such as EIGRP or OSPF.

For Cisco IP Phones it is enough to configure option 150 to provide the TFTP server IP address to the phones.

See the following example:

ip dhcp excluded-address 10.110.224.129 10.110.224.132
ip dhcp excluded-address 10.110.224.145
!
ip dhcp pool DATI
   network 10.110.224.128 255.255.255.240
   default-router 10.110.224.129
   dns-server 10.98.112.32 10.55.0.32
   netbios-name-server 10.52.64.37 10.24.128.151
   lease 0 1
!
ip dhcp pool VOICE
   network 10.110.224.144 255.255.255.248
   default-router 10.110.224.145
   dns-server 10.98.112.32 10.55.0.32
   netbios-name-server 10.52.64.37 10.24.128.151
   option 150 ip 10.98.67.5 10.55.61.4
   lease 0 1
!

I don't recommend extending VLANs with L2TPv3: first of all, the risk is that each broadcast frame is propagated by central Site A or B to each remote site, wasting bandwidth; also the requirements on the routers to be deployed at the remote sites can increase.

L2TPv3 provides a point-to-point L2 transport, but it is meant for different scenarios, such as some VLANs that need to span between a DC and a DR site.

In your case moving to a routed design is probably a must. It is needed to build a working solution.

If the number of remote sites is high you can consider using Dynamic Multipoint VPN (DMVPN), which allows for better scalability.

See the DMVPN design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

and the point-to-point GRE over IPsec design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE.html

Hope to help

Giuseppe
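The reply above sizes each remote site with two small pools, a data pool and a voice pool, and relies on the excluded-address lines to keep the default router out of the lease range and on option 150 to hand the phones their TFTP server. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses that style of IOS DHCP configuration and audits it for the mistakes that are easy to make when the same template is stamped out for every remote site (gateway outside the subnet, gateway not excluded, overlapping pools, voice pool without option 150). The SAMPLE_CONFIG text is the configuration from the reply; the rule that a pool named VOICE must carry option 150 and the leasable-address arithmetic are this example's own assumptions.

```python
import ipaddress
import re

# Sample input: the IOS DHCP configuration posted in the reply above,
# embedded here so the checker runs offline.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.110.224.129 10.110.224.132
ip dhcp excluded-address 10.110.224.145
!
ip dhcp pool DATI
   network 10.110.224.128 255.255.255.240
   default-router 10.110.224.129
   dns-server 10.98.112.32 10.55.0.32
   netbios-name-server 10.52.64.37 10.24.128.151
   lease 0 1
!
ip dhcp pool VOICE
   network 10.110.224.144 255.255.255.248
   default-router 10.110.224.145
   dns-server 10.98.112.32 10.55.0.32
   netbios-name-server 10.52.64.37 10.24.128.151
   option 150 ip 10.98.67.5 10.55.61.4
   lease 0 1
!
"""

EXCLUDED_RE = re.compile(r"ip dhcp excluded-address (\S+)(?: (\S+))?$")
POOL_RE = re.compile(r"ip dhcp pool (\S+)$")


def parse_dhcp_config(text):
    """Parse global excluded-address lines and 'ip dhcp pool' stanzas.

    Returns (excluded, pools): a set of IPv4Address objects that the server
    will never lease, and a dict of pool name -> parsed pool attributes.
    """
    excluded = set()
    pools = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":          # IOS section separator ends the current stanza
            current = None
            continue
        if not line:
            continue
        m = EXCLUDED_RE.match(line)
        if m:
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2)) if m.group(2) else lo
            excluded.update(ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1))
            continue
        m = POOL_RE.match(line)
        if m:
            current = {"network": None, "default_router": None,
                       "dns": [], "option150": [], "lease": None}
            pools[m.group(1)] = current
            continue
        if current is None:
            continue
        key, *args = line.split()
        if key == "network" and len(args) == 2:
            # 'network <addr> <mask>'; strict=True rejects a non-aligned network
            current["network"] = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
        elif key == "default-router":
            current["default_router"] = ipaddress.ip_address(args[0])
        elif key == "dns-server":
            current["dns"] = [ipaddress.ip_address(a) for a in args]
        elif key == "option" and args[:2] == ["150", "ip"]:
            current["option150"] = [ipaddress.ip_address(a) for a in args[2:]]
        elif key == "lease":
            current["lease"] = tuple(int(a) for a in args)   # (days, hours[, minutes])
    return excluded, pools


def leasable_count(excluded, pool):
    """Number of host addresses in the pool that DHCP can actually hand out."""
    return sum(1 for a in pool["network"].hosts() if a not in excluded)


def audit_pools(excluded, pools, voice_pool_names=("VOICE",)):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    seen = []
    for name, p in pools.items():
        net = p["network"]
        if net is None:
            findings.append(f"{name}: no network statement")
            continue
        gw = p["default_router"]
        if gw is None:
            findings.append(f"{name}: no default-router")
        else:
            if gw not in net:
                findings.append(f"{name}: default-router {gw} is outside {net}")
            if gw not in excluded:
                findings.append(f"{name}: default-router {gw} is not excluded, DHCP may lease it")
        if not p["dns"]:
            findings.append(f"{name}: no dns-server")
        if name in voice_pool_names and not p["option150"]:
            findings.append(f"{name}: voice pool lacks option 150 (TFTP server for phones)")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{name}: network {net} overlaps {other_name} {other_net}")
        seen.append((name, net))
    return findings


def audit_config(text):
    """Convenience wrapper: parse then audit a configuration snippet."""
    excluded, pools = parse_dhcp_config(text)
    return audit_pools(excluded, pools)


if __name__ == "__main__":
    excluded, pools = parse_dhcp_config(SAMPLE_CONFIG)
    for name, p in pools.items():
        print(f"{name}: {p['network']} gw={p['default_router']} leasable={leasable_count(excluded, p)}")
    print("findings:", audit_config(SAMPLE_CONFIG) or "none")
```

Run against the reply's configuration the audit is clean and reports 10 leasable data addresses and 5 voice addresses, which fits the poster's two or three phones and PCs per site; dropping the second excluded-address line or the option 150 line makes the corresponding finding appear.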
