08-16-2010 06:27 PM - edited 03-04-2019 09:27 AM
Hello,
I have three locations (locations 1, 2 and 3); at each location I have a 1941, and the locations are connected by point-to-point T1s. Locations 2 and 3 both connect back to the 1941 at location 1 (single WIC card, 2 ports). I need to span VLANs across all three locations, the reason being that one of the VLANs is in a DMZ. How would I span the VLANs across all 3 locations? I originally thought of L2TPv3 but could only get it to work with two locations and not three. The reason is that each sub-interface could only have one xconnect statement. Any help would be appreciated.
Thanks,
Christopher Ronse
08-16-2010 10:37 PM
Hi,
I don't know whether this setup can work as I have not tested it in my network, but theoretically this seems to work. Please try.
I assume the setup is like hub and spoke, where location 1 is the hub which aggregates locations 2 and 3. You can extend VLANs between location 2 and 1 with the native VLAN using L2TPv3. In the location 1 switch, where the router is connected, you can do a self loop and carry the same VLAN over QinQ tunneling. This QinQ outer VLAN is again extended between location 1 and 3 with L2TPv3. Again in location 3 you can do a self loop in the switch and take the native VLANs out.
QinQ tunneling does VLAN encapsulation over an existing VLAN, thus it has two VLANs. The inner VLAN is the native VLAN and the outer VLAN is for encapsulating and hiding the inner VLAN. QinQ is configured between location 1 and 3. Thus the outer VLAN is encapsulated in location 1 and decapsulated in location 3 and vice-versa.
Config in location 1 is as follows:
Router:
interface fa0/0.xxx (native vlan)
 xconnect
interface fa0/0.yyy (outer vlan)
 xconnect
Switch:
interface fa0/0 (connected to router)
 open trunk or closed trunk
interface fa0/1 (connect to fa0/2 on same switch)
 allow native vlan
interface fa0/2 (connect to fa0/1 on same switch, used to encapsulate the native vlan over outer vlan)
 switchport access vlan yyy
 switchport mode dot1q-tunnel
Config in location 3:
Router:
interface fa0/0.yyy (outer vlan)
 xconnect
Switch:
interface fa0/0 (connected to router)
 allow the outer vlan -- this is enough because all native vlans are encapsulated over the outer vlan
interface fa0/1 (connect to fa0/2 on same switch)
 allow native vlans
interface fa0/2 (connect to fa0/1 on same switch, used to encapsulate the native vlan over outer vlan)
 switchport access vlan yyy
 switchport mode dot1q-tunnel
Config in location 2 is normal L2TPv3 config.
Thus native VLANs are carried over all 3 locations.
PS: The switch should support QinQ tunneling. C2960 and above switches support it. MTU size in switches and routers over the entire WAN should be taken into consideration as an extra 4 bytes are added between location 1 and 3.
HTH
N Arun
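The sketch above filled in as a complete three-site configuration, as an added example that is not part of N Arun's post. It assumes the "xxx" native DMZ VLAN is 100 and the "yyy" outer VLAN is 200, that each 1941 uses GigabitEthernet0/1 towards its switch and Loopback0 (10.0.0.1/2/3, constructed) as the L2TPv3 endpoint reachable over the T1s, that the switches are 2960-class with Fa0/24 facing the router and a loop cable between Fa0/1 and Fa0/2, and that the platform accepts the `system mtu` value shown. The l2tp-class with authentication and an 8-byte cookie is an addition for a DMZ pseudowire that the post does not mention; the `ip pmtu` / `ip dfbit set` lines address the MTU caveat in the PS.

```cisco
! ===== Location 1 (hub) router =====
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Authenticated control channel and a cookie on the data plane: stray or
! spoofed L2TPv3 packets from the WAN are dropped instead of landing in the DMZ.
l2tp-class DMZ-L2TP
 authentication
 password 0 REPLACE-WITH-SHARED-SECRET
 cookie size 8
!
pseudowire-class DMZ-PW
 encapsulation l2tpv3
 protocol l2tpv3 DMZ-L2TP
 ip local interface Loopback0
 ip pmtu
 ip dfbit set
!
! Native DMZ VLAN 100 ("xxx") -> pseudowire to location 2
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 10.0.0.2 100 encapsulation l2tpv3 pw-class DMZ-PW
!
! Outer QinQ VLAN 200 ("yyy") -> pseudowire to location 3
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 xconnect 10.0.0.3 200 encapsulation l2tpv3 pw-class DMZ-PW
!
! ===== Location 1 switch (2960-class, QinQ capable) =====
system mtu 1504
!
interface FastEthernet0/24
 description to hub router Gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
interface FastEthernet0/1
 description loop end A: sends VLAN 100 tagged into Fa0/2
 switchport mode trunk
 switchport trunk allowed vlan 100
!
interface FastEthernet0/2
 description loop end B: wraps the tagged frame in outer VLAN 200
 switchport access vlan 200
 switchport mode dot1q-tunnel
!
! ===== Location 2 router (plain L2TPv3, same l2tp-class / pseudowire-class, Loopback0 10.0.0.2) =====
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 10.0.0.1 100 encapsulation l2tpv3 pw-class DMZ-PW
!
! ===== Location 3 router (same classes, Loopback0 10.0.0.3): carries outer VLAN 200 only =====
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 xconnect 10.0.0.1 200 encapsulation l2tpv3 pw-class DMZ-PW
!
! ===== Location 3 switch: mirror image of location 1, unwraps 200 back to 100 =====
system mtu 1504
!
interface FastEthernet0/24
 description to router Gi0/1; only the outer VLAN is needed here
 switchport mode trunk
 switchport trunk allowed vlan 200
!
interface FastEthernet0/1
 description loop end A: receives the inner VLAN 100 frames
 switchport mode trunk
 switchport trunk allowed vlan 100
!
interface FastEthernet0/2
 description loop end B: strips outer VLAN 200
 switchport access vlan 200
 switchport mode dot1q-tunnel
!
! Verification on the hub:
!   show xconnect all
!   show l2tun session all
```

Frame path for a DMZ host at location 3: VLAN 100 frame enters Fa0/1 tagged, Fa0/2 adds outer tag 200, the router's Gi0/1.200 strips 200 and carries the still-100-tagged frame over the pseudowire, and the location 3 switch reverses the two steps. The two VLANs share no port on either switch, so the loop cable does not create a forwarding loop, but spanning tree on VLAN 100 now spans all three sites, which is expected when a VLAN is stretched.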
08-17-2010 03:43 AM
Hello Christopher,
You should look for a routed solution, for example VRF-lite.
If you can use Frame Relay, you can dedicate a subinterface to the DMZ VRF towards site 2 and towards site 3.
Or you can use point-to-point GRE tunnels to connect the DMZ subnets in the VRF in each site.
Doing so, the only point of contact between the DMZ VRF and the global routing table will be the firewall in the central site.
see
http://www.cisco.com/en/US/docs/ios/12_2sb/12_2sba/feature/guide/vrflite.html
Hope to help
Giuseppe
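The GRE variant of the routed design above, written out as an added example that is not from Giuseppe's reply or the linked Cisco guide. It assumes a VRF named DMZ, T1 WAN addressing from 192.0.2.0/30 and 192.0.2.4/30 (constructed), DMZ subnets 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24 at locations 1 to 3 on VLAN 10, the inside LAN at the hub on VLAN 20 in the global table, and a firewall DMZ interface at 10.10.1.254. Serial0/0/0 and Serial0/0/1 are the two WIC ports on the hub 1941.

```cisco
! ===== Location 1 (hub) router =====
ip vrf DMZ
 rd 65000:1
!
interface Serial0/0/0
 description T1 to location 2 (global table)
 ip address 192.0.2.1 255.255.255.252
interface Serial0/0/1
 description T1 to location 3 (global table)
 ip address 192.0.2.5 255.255.255.252
!
! GRE tunnels live inside VRF DMZ; their outer IP headers are routed in the global table,
! so DMZ traffic never appears as a global-table route on any router.
interface Tunnel12
 ip vrf forwarding DMZ
 ip address 10.255.12.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 192.0.2.2
 tunnel key 12
interface Tunnel13
 ip vrf forwarding DMZ
 ip address 10.255.13.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0/1
 tunnel destination 192.0.2.6
 tunnel key 13
!
! Local DMZ segment at the hub; the firewall's DMZ leg sits in this VLAN
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding DMZ
 ip address 10.10.1.1 255.255.255.0
!
! Inside LAN stays in the global table: no shared interface with VRF DMZ
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.1.1 255.255.255.0
!
! VRF DMZ routing: remote DMZ subnets over the tunnels, everything else to the firewall.
! Deliberately no "ip route vrf DMZ ... global" and no route-target import/export,
! so the firewall really is the only path between DMZ and the rest of the network.
ip route vrf DMZ 10.10.2.0 255.255.255.0 Tunnel12
ip route vrf DMZ 10.10.3.0 255.255.255.0 Tunnel13
ip route vrf DMZ 0.0.0.0 0.0.0.0 10.10.1.254
!
! ===== Location 2 router (location 3 is identical with Tunnel13, 192.0.2.6/.5 and 10.10.3.0/24) =====
ip vrf DMZ
 rd 65000:1
!
interface Serial0/0/0
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel12
 ip vrf forwarding DMZ
 ip address 10.255.12.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0/0
 tunnel destination 192.0.2.1
 tunnel key 12
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding DMZ
 ip address 10.10.2.1 255.255.255.0
!
! Anything in VRF DMZ that is not local goes to the hub, and from there only via the firewall
ip route vrf DMZ 0.0.0.0 0.0.0.0 Tunnel12
!
! Verification on the hub:
!   show ip route vrf DMZ
!   ping vrf DMZ 10.10.2.1
!   show ip route 10.10.2.0      (expected: no match in the global table)
```

`ip vrf forwarding` must be entered before the `ip address` on each interface, because applying a VRF to an interface clears its address. The `tunnel key` only disambiguates tunnels and is not authentication; if the T1s are not trusted, the same design can run over IPsec-protected GRE, which the reply's firewall-only-contact argument does not depend on.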