10-16-2015 02:19 PM - edited 03-08-2019 02:15 AM
We are looking at resolving a couple of issues and I am not really sure what the best technology to use is. I am hoping someone will help me by pointing me in the right direction. We are following the typical Cisco 3-level architecture (core, dist, access). The core is layer-3 only. We are currently getting ready to implement new hardware and MPLS in the core. Here are the two issues we are trying to resolve.
1. We have various depts located in multiple buildings at different distribution points. The users want to move between buildings while keeping the same IP address and VLAN. We are not going to extend VLANs through the core, so I was hoping something like EoMPLS or VPLS would work, but after reading further I don't believe either will resolve this issue. Any ideas?
2. We have dept firewalls that exist deep within our network and not on the DMZ. Due to politics this will not change. Per request from the dept, sometimes we have to allow all IP traffic to their devices. What we want to do is find a way to extend their outside interface to our public-facing VLAN. I'm not sure how to accomplish this either; any ideas are welcomed and appreciated.
10-16-2015 11:01 PM
Hi Bob,
A few queries from the above post.
1) Is this setup in only one location?
2) Do we have dual core, dist and access layers?
3) How is the department's connectivity with the existing network?
4) Do we have an architecture diagram to support this?
5) What is the traffic flow in your architecture: is it north-to-south or east-to-west?
I need more input to provide you with some guidance and best practices to help you.
-GI
10-17-2015 10:26 AM
I agree that if we knew more about the environment then we might be able to give better advice. But in general, if they need to extend VLANs across a layer 3 network, then I think that something like L2TPv3 might be the solution they are looking for. Here is a link with some information that might be helpful:
https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
HTH
Rick
10-18-2015 08:15 AM
Users don't want to 'keep the same IP address and VLAN'. Users want a constant user experience. Interview them and then formulate the requirements again. You will probably find out they don't need to keep the IP address if you can offer them alternatives.
10-19-2015 06:48 AM
I took a look at the documentation and I don't believe I have the hardware to support it. We are purchasing Nexus 7700s for the core and 6800s for the distribution points and edge. We are also looking at ASR1000s for other uses. I will check the docs for these devices. Thanks for the reply.
10-19-2015 06:35 AM
Hi,
Thank you for responding to my post. I have attached a simple network diagram to illustrate my point.
The users are in multiple locations. The dept is spread over several buildings and distribution points. The core and edge are redundant; the distribution and access layers are not. The dept users want to move from building to building and maintain the same VLAN and IP address. This is a requirement because they have legacy apps that still use IP-based security. Also, we have another dept that has their firewall connected to our access-layer switch. We would like to be able to extend our outside internet VLAN to this firewall through our layer-3 network. This way they would be responsible for securing this traffic and we would not have to pass it through our network to them.
Thanks again for responding, and I will check out the L2TPv3 documentation. Any suggestions you have would be appreciated.
10-19-2015 09:13 AM
The dept is spread over several buildings and distribution points. The core and edge are redundant; the distribution and access layers are not. The dept users want to move from building to building and maintain the same VLAN and IP address. This is a requirement because they have legacy apps that still use IP-based security. Also, we have another dept that has their firewall connected to our access-layer switch.
Hi,
Considering the requirement of having the same VLAN and IP address across any building, in that case you need to have a layer 2 network which can traverse from building to building without any issue.
Core layer with layer 3 routing for internet traffic.
We would like to be able to extend our outside internet VLAN to this firewall through our layer-3 network. This way they would be responsible for securing this traffic and we would not have to pass it through our network to them.
Why do you want to extend the outside LAN down to the firewall? Why can it not be simple routing from the firewall to the outside VLAN?
-GI
10-19-2015 09:30 AM
I am not sure I understand your response. Are you suggesting we extend the layer-2 network from building to building? We are not going to abandon the layer-3 core. I was hoping to use a layer-2 technology on top of our layer-3 network. Is that not possible?
As for the firewall issue, I am not sure I understand this response either. What are you proposing?
Thanks again for your help.
10-19-2015 11:41 AM
Have you seen the 6800 configuration guide which covers all the options for MPLS -
I haven't used any of them, but is there a reason you don't think EoMPLS or, more likely, VPLS would work, as these seem to be the standard way of extending a VLAN across a L3 network?
If they and the other options listed really wouldn't work, then please do not take this the wrong way, but you have designed a network the way you want it rather than to meet all the requirements, and as such it is not fit for purpose.
Like I say, I haven't used any of the technologies to extend L2 over a L3 MPLS network, but here are other possible solutions:
1) For the legacy apps, as far as I know the 6800 supports NAT. So the users could get any IP and all you have to do is translate that IP to an acceptable IP when the traffic goes into the legacy VLAN.
That said, NAT is a fix and you should not need fixes like this with a new design unless you were looking to get rid of the legacy apps in the near future.
2) For the firewall VLAN extension, rather than extending the VLAN, have you considered VRFs, where the traffic is routed but from their firewall can only get to your main firewall?
Again, I would stress I have not used the L2-over-L3 MPLS technologies, but my understanding of them is that they are exactly what you are looking for.
Jon
10-19-2015 12:19 PM
Hey Jon, thanks for your reply. I have not tested VPLS, so I am not sure. I have tested EoMPLS and it works great for connecting 2 sites together over an MPLS network, but it doesn't work for trying to extend a VLAN between distribution points within a network. EoMPLS is not supported on SVI interfaces, according to the documentation, so I have no way to use the local layer-2 switching and EoMPLS on the same VLAN. I would need a FlexWAN-based module, which we don't have at this point. Does that make sense?
Use FlexWAN-based EoMPLS when you want local Layer 2 switching and EoMPLS on the same VLAN. You need to configure EoMPLS on the SVI; the core-facing card must be a FlexWAN module. When local Layer 2 switching is not required, use PFC-based EoMPLS configured on the subinterface or physical interface.
As for VPLS, I believe it has the same limitations, but it allows you to connect multiple sites instead of just two.
As for the firewall solution, we have considered using VRFs. What we want to do is extend their outside interface to the internet so they are responsible for managing access to their resources. Does that make sense?
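For readers following the EoMPLS discussion, here is what the PFC-based form the quoted documentation describes (xconnect on a physical port or on an 802.1Q subinterface, no SVI) looks like in IOS. This is an added example written for this page, not configuration from the thread's author or from Cisco's documentation; the hostnames PE1/PE2, the loopback and link addresses (10.0.0.x, 10.1.12.x), VLAN 200 and the VC IDs 100/200 are constructed assumptions.

```ios
! Added example (constructed): PFC-based EoMPLS between two distribution
! switches over a layer-3 MPLS core. Hostnames, addresses, VLAN and VC IDs
! are assumptions, not values from the thread.
!
! ---------------- PE1 (distribution switch, building A) ----------------
hostname PE1
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Core-facing routed link: IGP plus LDP so the peer loopback is reachable
! by label. The pseudowire is targeted at the peer's loopback, so this is
! the only reachability the core needs to provide.
interface TenGigabitEthernet1/1
 ip address 10.1.12.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.0.0.1 0.0.0.0 area 0
 network 10.1.12.0 0.0.0.3 area 0
!
! Port-based EoMPLS: the entire physical port becomes the attachment
! circuit. There is no SVI and no local switching of this traffic,
! which is exactly the limitation discussed in the thread.
interface GigabitEthernet2/1
 description AC to dept switch, untagged (VC 100)
 no ip address
 xconnect 10.0.0.2 100 encapsulation mpls
!
! VLAN-based EoMPLS: one 802.1Q tag on a routed port gets its own VC.
! Hosts tagged 200 behind PE1 and PE2 share one broadcast domain.
interface GigabitEthernet2/2
 no ip address
!
interface GigabitEthernet2/2.200
 encapsulation dot1Q 200
 xconnect 10.0.0.2 200 encapsulation mpls
!
! ---------------- PE2 (distribution switch, building B) ----------------
hostname PE2
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface TenGigabitEthernet1/1
 ip address 10.1.12.2 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.0.0.2 0.0.0.0 area 0
 network 10.1.12.0 0.0.0.3 area 0
!
interface GigabitEthernet2/1
 description AC to dept switch, untagged (VC 100)
 no ip address
 xconnect 10.0.0.1 100 encapsulation mpls
!
interface GigabitEthernet2/2
 no ip address
!
interface GigabitEthernet2/2.200
 encapsulation dot1Q 200
 xconnect 10.0.0.1 200 encapsulation mpls
!
! Verification on either PE:
!   show mpls ldp neighbor          -> LDP session to the peer loopback is up
!   show mpls l2transport vc        -> VC 100 and VC 200 in state UP
!   show mpls l2transport vc 200 detail -> local/remote labels, MTU match
```

The VC IDs must match on both ends and the attachment-circuit MTU must be identical on both sides or the VC stays down. Because the pseudowire forwards every layer-2 frame transparently, a loop or broadcast storm in building A reaches building B; storm control on the attachment circuits and an explicit BPDU policy are worth having before the first user VLAN is stretched this way.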
10-19-2015 12:35 PM
Thanks for the details.
So if I understand what you are saying about EoMPLS, it assumes the L3 interface for the VLAN is actually a L3 routed port and not an SVI?
If so, it seems a bit limiting, but I will take your word for it.
I can't comment on the details of VPLS, but if it is the same then yes, I can see why that wouldn't work either.
What you want to do with the firewalls I understand, but I'm just not sure how to do it, to be honest.
I completely understand why you have to do it, even though in an ideal world you probably wouldn't (I have been there myself), but it does sound a bit worrying, to say the least.
Do these depts have access to other parts of the network that doesn't have to go through a firewall, and is this part of the reasoning for MPLS in the core, i.e. are depts split up into separate VPNs?
Sorry, I am asking more out of interest than anything else, as I am sure you are aware of all the issues :-)
One thought that occurred to me is that if you can't extend the VLAN then you potentially have to allow all IP just for it to be filtered by their firewall, and I can see why you wouldn't want to do that.
What about using contexts on your main firewall and giving them a context?
You would still probably want to use a VRF between their firewall and the main one in case they made a mistake, but it would mean you did not need to allow all IP traffic through your main firewall.
Jon
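Jon's VRF suggestion (point 2 of his earlier reply, and the "VRF between their firewall and the main one" idea just above) can be illustrated with a VRF-lite configuration on the distribution switch. This is an added example for this page, not configuration from the thread's author or from Cisco; the VRF name DEPT-OUTSIDE, VLANs 910/911 and the 198.51.100.x addresses are constructed assumptions.

```ios
! Added example (constructed): VRF-lite on the distribution switch so that
! the dept firewall's outside interface can reach only the main firewall.
! VRF name, VLAN numbers and 198.51.100.x addresses are assumptions.
!
! IOS 15.x "vrf definition" form. Older IOS uses "ip vrf NAME" globally
! and "ip vrf forwarding NAME" on the interface instead.
vrf definition DEPT-OUTSIDE
 description Transit-only VRF: dept FW outside <-> main FW
 address-family ipv4
 exit-address-family
!
! SVI for the VLAN that carries the dept firewall's OUTSIDE interface.
! Placing it in the VRF removes it from the global routing table, so no
! internal campus prefix is reachable from this segment. Set the VRF
! before the address: "vrf forwarding" clears any existing IP address.
interface Vlan910
 description Dept firewall OUTSIDE (DEPT-OUTSIDE VRF)
 vrf forwarding DEPT-OUTSIDE
 ip address 198.51.100.1 255.255.255.248
!
! Handoff toward the main (perimeter) firewall, in the same VRF.
interface Vlan911
 description Handoff to main firewall (DEPT-OUTSIDE VRF)
 vrf forwarding DEPT-OUTSIDE
 ip address 198.51.100.9 255.255.255.252
!
! The VRF's only exit: a default route to the main firewall. There is
! deliberately no route leaking (no import/export, no global static)
! between DEPT-OUTSIDE and the global table.
ip route vrf DEPT-OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.10
!
! Main firewall side (vendor neutral, outside this config): a route for the
! dept's public block via 198.51.100.9, and that interface in its own zone,
! so the "allow all IP to dept devices" rule matches only this path and
! never the internal campus.
!
! Verification on the switch:
!   show ip route vrf DEPT-OUTSIDE               -> connected 910/911 + 0.0.0.0/0 only
!   ping vrf DEPT-OUTSIDE 198.51.100.10          -> main firewall reachable
!   ping vrf DEPT-OUTSIDE <an internal campus IP> -> fails, no route in the VRF
```

If the dept firewall hangs off an access switch in a different building from the main firewall, the VRF has to be carried across the layer-3 core: either VRF-lite on every hop in between, or, once MPLS is in the core, as an L3VPN with a route distinguisher and MP-BGP route targets. Either way the property that matters is the same one the example shows: the dept firewall's outside segment has exactly one next hop, and a misconfiguration on their side cannot reach anything the VRF's routing table does not contain.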
10-19-2015 01:46 PM
Hey Jon,
1. Firewall
The depts in question do have access to other parts of the network. These users sit behind their firewall. In some cases we are forced to allow all IP traffic to certain services that sit behind their firewall. We are considering routing their outside interface to an interface on our firewall. The dept in question has been offered a context and declined. The VRF solution should work, but being able to extend their outside interface to our internet VLAN would be the perfect solution for us.
2. EoMPLS
It is rather limiting. I tried to configure it and could never get the VC to come up, and then I read the documentation and found out it was not supported unless you have the FlexWAN card. I am considering opening a case with Cisco.
01-30-2024 02:32 PM
Old thread, but the modern response to this is 'use SDA/fabric'.