Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
642
Views
10
Helpful
9
Replies

Tunneling VLAN though L3

Go to solution
Mokhalil82
Level 4
Level 4

‎01-22-2015 04:34 AM - edited ‎03-07-2019 10:20 PM

Hi Guys

Please see attached diagram for my topology.I have a primary and back sites both are about a mile apart. Both sites now have a link going out and I want to failover traffic to the backup site when the primary external link fails.

Now the ISP have provided a circuit at each site both are part of the same public LAN subnet of /28. The circuits are provided as active/standby for which they will be using HSRP. For them to do this we need to provide them a vlan that runs between both their circuits for their HSRP hellos. 

We have decided on using tunneling to run this vlan through our network, well management decided. Has anyone tried this before or does anyone know how this can be achieved. I have read about the L2TP protocol. Would that be the right way to go.

Thanks

Labels:
Preview file
28 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-22-2015 05:21 AM

You won't be able to that.

The vlan needs to terminate somewhere ie. a switch between you and the ISP routers because they also need to be in the same vlan.

But you don't have switches which is why you are asking about tunnelling.

Think of like this.

The WAN interfaces of your WAN routers need to be in the same vlan. So if each router was connected to a switch on it's WAN interface but the switches were not connected to each other then you could use tunnelling across your core.

But that still wouldn't solve the problem of ISP routers because they would also need to tunnel across your core so they could see each other in the two sites.

So even with switches not interconnected it wouldn't work.

Without any switches it is simply not possible as far as I can see.

All you can do is run cables from your WAN and ISP routers back to the core switches in each site and use a common vlan there.

I won't go into the reasons again of why either tunnelling or running cables via the core switches is a very bad idea because I know you understand and I appreciate this is not your fault.

We have all had to do things we didn't want to because management has said just do it.

But you are the network engineer. If you do run that vlan by the core and you end up being hacked, losing your site etc. management will quickly forget it was them that told you to do it or they will argue you did not make it clear what the risks were.

If cost is the issue I would seriously consider talking to the ISP again and asking why they need to run HSRP. A single point to point subnet of public IPs and no HSRP would remove all these issues for you but again I suspect you have tried this route.

Security for a lot of companies is a place where expense can be cut right up until the point something happens and then it becomes the most important thing as far as they are concerned.

I am really not trying to make your job more difficult but they very probably don't understand the risks involved with that decision.

Jon

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎01-23-2015 04:24 AM

I apologise in advance because all I seem to do is tell what won't work and here is another one.

I was going to mention this is a previous post but we were busy concentrating on HSRP so I didn't.

Here is the problem.

When you use an IP from the same subnet as the outside interface IP on a router (or firewall) for NAT then the router has to use proxy arp. What this means is that when the ISP sends traffic to that address it needs to get the mac address.

When it requests the mac address the router with the NAT translation responds with the mac address of it's outside interface. This is done so that traffic is sent to that router.

Now if you configure the same static NAT on both routers then when the ISP router requests the mac address both routers will respond with their mac addresses.

The main issue here is that because of the distance between sites it is likely the standby router's response will arrive after the primary routers which means it will overwrite the primary routers mac address in the ISP router's arp cache

So traffic would come in via the backup router but then the path back from inside would go via the primary firewall which doesn't have the VPN setup so it wouldn't work.

What you may be able to do is the make the HSRP VIP the IP the VPN connects to rather than a separate IP although I have never done this so can't say it would work for sure.

This would mean the VPN "followed" the VIP in case of failure.

It would probably still mean the VPN fails and needs to be re-established but it might work.

Or maybe the VPN at the remote end can be configured for multiple peers and you can tell it which order to use them in and use different IPs from the same public subnet on each WAN router.

The VPN devlce/client at the remote end may have some capabilities to address this but I obviously can't say one way or the other.

As far as i can see HSRP in general shouldn't be necessary on your WAN routers for all other traffic but you may need it for the VPN by the sounds of it.

I am sorry for continually pointing out things that won't work, and I'm not trying to make your job harder but it's better to get these things sorted now before implementing and then finding it doesn't work.

Jon

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-22-2015 05:21 AM

You won't be able to that.

The vlan needs to terminate somewhere ie. a switch between you and the ISP routers because they also need to be in the same vlan.

But you don't have switches which is why you are asking about tunnelling.

Think of like this.

The WAN interfaces of your WAN routers need to be in the same vlan. So if each router was connected to a switch on it's WAN interface but the switches were not connected to each other then you could use tunnelling across your core.

But that still wouldn't solve the problem of ISP routers because they would also need to tunnel across your core so they could see each other in the two sites.

So even with switches not interconnected it wouldn't work.

Without any switches it is simply not possible as far as I can see.

All you can do is run cables from your WAN and ISP routers back to the core switches in each site and use a common vlan there.

I won't go into the reasons again of why either tunnelling or running cables via the core switches is a very bad idea because I know you understand and I appreciate this is not your fault.

We have all had to do things we didn't want to because management has said just do it.

But you are the network engineer. If you do run that vlan by the core and you end up being hacked, losing your site etc. management will quickly forget it was them that told you to do it or they will argue you did not make it clear what the risks were.

If cost is the issue I would seriously consider talking to the ISP again and asking why they need to run HSRP. A single point to point subnet of public IPs and no HSRP would remove all these issues for you but again I suspect you have tried this route.

Security for a lot of companies is a place where expense can be cut right up until the point something happens and then it becomes the most important thing as far as they are concerned.

I am really not trying to make your job more difficult but they very probably don't understand the risks involved with that decision.

Jon

0 Helpful

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎01-22-2015 11:09 AM

Thanks Jon

I have been trying to push the idea of having a switch at each site connected to each other and then have the routers connect into that. Management however believe there must be some way to tunnel the vlan through which is why I thought il make sure there if there is.

What I have also found is we have a carpark server inside on our network that is accessed by the automatic car parking system so that is a VPN incoming connection that is important otherwise cars are manually checked in causing big queues. So now it looks like I cannot use a different public subnet at each site.

Now if I can get these switches in and setup, how best is it to setup my wan ips. The isp will be using hsrp with a virtual ip. Do I still keep a different ip on each router on the wan interface on my end or do i use a virtual ip as well. Internally on my core switch I my plan is to use IP SLA to track a certain ip and failover when the pings fail but I know this comes with its own disadvantages

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎01-22-2015 02:04 PM

With HSRP each WAN interface still needs it's own IP and then you use another IP as the VIP.

I am still working through all the failure scenarios but I'm not sure what HSRP gives you because outbound traffic will use the WAN interface IP and the ISP should send that back to the correct router.

I say should but I would check with your ISP what they expect.

However you may need it depending on your VPN setup.

What IP address is the VPN connecting to ie. is it going to be the external interface IP of your WAN router, in which case you, unless you can configure the VPN to try multiple IPs then you would want to use the HSRP VIP as the VPN IP to connect to siif you failed over the IP stays the same for the VPN.

Note you would still probably have to restart the VPN because it is going through a different firewall but at least it would be able to connect.

So can you confirm how the VPN works in terms of IP addressing.

Jon

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎01-23-2015 03:59 AM

Currently that VPN is hitting one of the IP addresses in my Public LAN subnet which is not the IP of my outside interface on my router but its in the same subnet. My router has a static NAT entry to that address. My ASA is where the VPN config is on.

So I am assuming when the ISP HSRP VIP fails over, the ISP will send it to the correct router

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎01-23-2015 04:24 AM

I apologise in advance because all I seem to do is tell what won't work and here is another one.

I was going to mention this is a previous post but we were busy concentrating on HSRP so I didn't.

Here is the problem.

When you use an IP from the same subnet as the outside interface IP on a router (or firewall) for NAT then the router has to use proxy arp. What this means is that when the ISP sends traffic to that address it needs to get the mac address.

When it requests the mac address the router with the NAT translation responds with the mac address of it's outside interface. This is done so that traffic is sent to that router.

Now if you configure the same static NAT on both routers then when the ISP router requests the mac address both routers will respond with their mac addresses.

The main issue here is that because of the distance between sites it is likely the standby router's response will arrive after the primary routers which means it will overwrite the primary routers mac address in the ISP router's arp cache

So traffic would come in via the backup router but then the path back from inside would go via the primary firewall which doesn't have the VPN setup so it wouldn't work.

What you may be able to do is the make the HSRP VIP the IP the VPN connects to rather than a separate IP although I have never done this so can't say it would work for sure.

This would mean the VPN "followed" the VIP in case of failure.

It would probably still mean the VPN fails and needs to be re-established but it might work.

Or maybe the VPN at the remote end can be configured for multiple peers and you can tell it which order to use them in and use different IPs from the same public subnet on each WAN router.

The VPN devlce/client at the remote end may have some capabilities to address this but I obviously can't say one way or the other.

As far as i can see HSRP in general shouldn't be necessary on your WAN routers for all other traffic but you may need it for the VPN by the sounds of it.

I am sorry for continually pointing out things that won't work, and I'm not trying to make your job harder but it's better to get these things sorted now before implementing and then finding it doesn't work.

Jon

0 Helpful

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎01-23-2015 12:21 PM

No need for the apology, the information is useful and as you said, I would rather know now, than trying to implement a solution that does not work.

I know the setup is not ordinary and there are many things to take in. After further discussions today with management they advised lets leave the VPN stuff out as if the primary fails we will work to get the link back up asap so just internet on the backup for that period is sufficient.

Also I will speak with the ISP to see if they provide other failover solutions where the L2 connectivity is not required. 

Finally if it's HSRP they will only provide then management will invest in two new switches for the L2 link. So leaving that till last.

 

Thanks for your help again 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎01-23-2015 03:58 PM

-

0 Helpful

Go to solution
Mokhalil82
Level 4
Level 4
In response to Jon Marshall

‎01-24-2015 09:42 AM

I think that's a very good point for me to keep in mind abut the static address and moving it to secondary. I may put a plan of action in writing incase we have that scenario where the primary is down for a few days so its easy for anyone to configure the static ip on the secondary.

I will look into the VPNs using multiple IPs. Whatever solution we go for il let you know how it went, appreciate the input 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Mokhalil82

‎01-23-2015 04:34 AM

One other point.

If you only have one IP public subnet and the WAN routers and the ISP routers are in it then as I say HSRP isn't really needed as far as I can see other than the issue we have just covered with the VPN.

However if at some later date you get a second block of public IPs then HSRP is needed because the ISP will route traffic to the HSRP VIP on your WAN routers for that new subnet which is what you would want them to do.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card