09-16-2010 09:21 AM - edited 03-06-2019 01:01 PM
Greetings.
Our network setup looks like the following:-
ASA 5510 --->> E0/1 (1841 ISR) E0/0 --->> VLANS / Catalyst Switch
We've recently added ASAs to our network. Our intention is to set up a VPN tunnel to our branch office. The head office setup shown above has many VLANs on the E0/0 interface, one of which is a voice VLAN that handles our VoIP phone system traffic.
When we set up the VPN tunnel, we want to have the voice VLAN available at the branch office.
How would I go about doing this?
Currently the E0/1 interface of the ISR is configured with the IP address 192.168.15.254. The ASA's IP address for the lan/inside interface is 192.168.15.250.
Would I need to configure the ISR's E0/1 interface for sub interfaces instead?
09-16-2010 09:35 AM
Felix,
The question is whether you need to actually span this voice VLAN over your 1841, or whether there can be another IP subnet (a VLAN or just another routed LAN) devoted as the voice VLAN for your branch offices. As the voice VLAN is effectively terminated on your 1841 E0/0, even creating subinterfaces on the E0/1 alone will not help because these two ports will still be separated by a router internally. The VLAN IDs may be the same but they are still made separate and independent of each other because of a router interconnecting them.
If the voice VLAN has to be effectively extended over your 1841 then I can imagine configuring an IRB bridge between your E0/0.X and E0/1.X interfaces (X meaning the voice VLAN you are currently using) and so extend this VLAN towards the ASA. I do not think, however, that this is a best practice design.
Also, is the VPN between your head office and the branch office working as a Layer2 or Layer3 VPN? My question relates to whether there is actual routing involved inside the VPN for the branch office to reach the head office. If yes, then there is no point in extending the VLAN anyway. The basic question here is whether the VLAN must really span into the branch office, or whether the branch offices can have their own voice VLAN and route the voice data towards the voice VLAN on your central location.
Best regards,
Peter
09-16-2010 10:03 AM
Thanks for the reply.
The VPN between the head office and the branch office will be IPSEC L2L. It's not set up on the ASAs as yet as the old firewall hardware is still in place.
Currently at the head office, the VoIP phones are connected to Catalyst switches. Each port on the Catalysts that has a phone connected to it has a configuration like this:
!
interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 switchport priority extend trust
 mls qos trust cos
 spanning-tree portfast
!
I'll double check and see whether the phones can be manually programmed since that's the only way it would work if the VLAN isn't trunked across the VPN.