Question: Extend L2 network across L3 tunnels with only a L3 switch
I currently have a large campus with multiple networks tunneling over a single inner campus transport network. Currently, these networks are using dot1q tunneling to connect to one another, and the VLANs for each "client" network extend to every building on the campus. I'd like to encrypt the traffic of the client networks with IPsec before it gets to the transport network, but still maintain these campus-wide VLANs.
Is there a way to do this with only one L3 switch in each building? I know Q-in-Q would likely be a good solution, but, as I understand it, I'd have to get an additional device for each building and don't want to suffer that expense. I've also heard MACsec might be a good solution, but I know little about it and am not sure if our current switches support it.
I'd essentially like to turn the inside of the tunnel interface into a trunk port. The diagram below shows the concept.
I am not clear on what you currently have configured. Dot1q tunneling and Q-in-Q are the same thing. That said, if all the equipment is under your control, why do you employ any sort of tunneling and/or IPsec at all? Why not simply use trunks?
Policy, mainly. All traffic across the transport network needs to be encrypted. Part of it is to keep an unmanaged internet access network separated from the corporate client network. Same with the security camera network, another network running over the transport. I don't want someone to get into a camera port and somehow manage to gain access to the client network or see the traffic on it. That, and the transport network is owned and managed by a different entity than the client networks; I just work on both.
If I am understanding your post correctly, I believe that MACsec would be the better solution to provide encryption. But of course it depends on whether your current switches support this feature. The other solutions that I can think of which supply encryption of traffic operate at layer 3 and would not support the layer 2 VLANs spread across the entire campus.
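As an added illustration of the answer above (not part of the original thread), this is what switch-to-switch MACsec with a pre-shared key looks like on a Catalyst 9000-series IOS XE switch, applied to the trunk that faces the transport network. The key chain name, MKA policy name, interface, VLAN list and key material are all assumptions chosen for the example; the pre-shared key shown is a placeholder and must be replaced with 64 random hex characters generated per link. The same configuration, with the same CAK and CKN, goes on the switch at the other end of the link.

```ios
! Constructed example: MACsec (MKA, pre-shared CAK) on the building switch's
! uplink trunk, so every campus VLAN crossing the transport is encrypted at L2.
! Names, interface and key material are assumptions for illustration only.
!
! 1. Connectivity association key (CAK). key id = CKN (hex), key-string = CAK.
!    For aes-256-cmac the CAK is 64 hex characters; use a CSPRNG, never this value.
key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0000000000000000000000000000000000000000000000000000000000000000
!
! 2. MKA policy: GCM-AES-256 for the data plane, no confidentiality offset
!    (offset 0 encrypts the whole payload including the 802.1Q tag).
!    Give one side a lower priority value so it deterministically becomes key server.
mka policy CAMPUS-MKA
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0
!
! 3. Bind MACsec to the uplink trunk. The VLANs stay a normal trunk; the
!    transport only ever sees MACsec-protected frames (EtherType 0x88E5).
interface TenGigabitEthernet1/0/1
 description Uplink to campus transport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 macsec network-link
 mka policy CAMPUS-MKA
 mka pre-shared-key key-chain MKA-KEYS
!
! 4. Verification after both ends are configured:
!    show mka sessions                          -> status should be Secured
!    show macsec interface TenGigabitEthernet1/0/1
!    show mka statistics interface TenGigabitEthernet1/0/1
```

Two checks a practitioner will want before relying on this across someone else's transport. First, MACsec is hop by hop: the peer relationship is between the two switches that actually exchange MKA, so the transport in between must carry the MACsec frames and the MKA EAPoL frames (sent to the 01:80:C2:00:00:03 multicast address) untouched. A provider Q-in-Q tunnel port that does not tunnel L2 protocol frames will drop the EAPoL traffic and the session will never reach Secured; whether your platform can alter the EAPoL destination address or EtherType to work around that is model- and release-specific and should be confirmed in the feature navigator for your switches. Second, the CAK is a long-lived shared secret: treat the key chain like any other credential, rotate it on a schedule, and watch `show mka sessions` so a link that silently falls back to unencrypted forwarding (if `should-secure` behaviour is ever enabled) is caught rather than assumed secure.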