Using the same local VLAN in Remote locations with different VTP domains

douglas.mckee
Level 1

Can you use the same local VLAN in multiple remote areas which have different VTP domains? When specific users log on from remote locations we would like them to be assigned to a local VLAN from our main location. Is this possible or will this just cause more issues?

Thank you,

Doug

Accepted Solution

Forget L2TPv3.  It won't scale to 15 sites very easily.  It will be difficult.

Either go for LISP, or get a price from your service provider for a layer 2 WAN service.

LISP would suit this problem very well I must say, and all your current routers have LISP functionality.

I'll also mention it again: if you could limit this application to WiFi only, this is much easier to solve using your Cisco WLC.  You would just need to fix your WiFi network.

17 Replies

Philip D'Ath
VIP Alumni

You can use the same VLANs on remote switches ... but are you saying you want these remote VLANs to be joined to your local VLANS (rather than separated) so that they share the same layer 3 subnet?

If you want them joined you need some kind of layer 2 WAN service, which, unless you have a small number of sites, is not recommended.

Cisco Wireless LAN Controllers can be quite good at providing WiFi networks that look like this.

Good Morning,

No we do not want the external VLANs to join our local VLANS. We only have one specific local VLAN that we would like certain users to automatically be assigned to when they log in through our remote sites. They should be able to plug into any port remotely and be assigned to this local VLAN. Not sure if this can be tunneled or some sort of relay setup. Definitely don't want to cause any spanning tree issues.

We have Cisco Wireless but unfortunately clients lose their connection after about 15 mins and can't log back on. So far, this hasn't been too reliable but will be having Cisco look at this in the future.

Thank You,

Doug

Doug

If you are talking about wired connections and the remote sites are connected with L3 links then there are ways to do this depending on the devices you are using to connect the sites eg. routers or switches etc. but it can be a bit of a pain to setup.

What is the reason you need to have clients in remote sites to be in the same vlan as the main site ?

Jon

Jon,

Most of our remote sites use 3845 routers going through MPLS (Local Provider) connected through our local core router. We do have one location that uses the sonet service which is only providing layer 1 connectivity.

Reason:

We have a secure local VLAN that we need these users to connect remotely with. These machines are laptops so they move around from site to site a lot.
Thank You,

Doug

Most of our switches are 3560G's with some 3560X and 3750X's in the mix.

Doug

The way to do it with 3845s would be to use L2TPv3 which allows you to extend a L2 vlan across a L3 network.

If you do a search on that you should find an example.

Should say I have never used it so not sure how well it will scale or if it can be done in your scenario but that is the way you would do it, as far as I know,  with the equipment you have.

Jon

Jon,

Attached is the L2TPv3 diagram example I found per your suggestion. I'm currently looking at the Cisco documentation and will need to do some testing before putting this option into play. As always you've been really helpful.

Thank You,

Doug

Because you don't want your remote VLANs to be an extension of your local VLANs you don't need L2TP.  You just need to use plain old routing.

The requirement as I understand it is that one vlan needs to be extended so that users at remote sites can be connected into that vlan.

Jon

I asked that question earlier and Douglas responded "No we do not want the external VLANs to join our local VLANS."

You're right but then the next sentence suggests it is just for one specific vlan.

Could be me :)

Jon

Correct. We just have 1 local VLAN that we need personnel in remote areas to connect back to us. They should be able to connect back to our Local VLAN regardless of which remote switch their laptops access.

"but are you saying you want these remote VLANs to be joined to your local VLANS (rather than separated) so that they share the same layer 3 subnet"

I took this portion of your answer as merging the remote site VLANS with our Local VLANS database. Probably a misinterpretation on my part.

Thank You,

Doug
Ok that changes everything.

L2TP is a point-to-point technology.  So it is easy to connect two sites.  You can connect a small number of remote sites using additional interfaces on your core router, but it won't scale very well.  So if you have a small number of sites consider using L2TP.

Otherwise LISP is a good option.

http://lisp.cisco.com/

Lisp allows you to use the same layer 3 subnet at multiple remote sites, at the same time.  It does this by adding a locator ID into the LISP router table.  This allows it to know, for example, that 192.168.1.1/24 is at site 1, while 192.168.1.2/24 is at site two, even though they are in the same subnet, and 192.168.1.1 and 192.168.1.2 can still talk to each other.

LISP is a good way to create DR data centres as well.  This document has an example and explains it a bit better.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/5-0/LISPmobility/DCI_LISP_Host_Mobility/LISPmobile_A.html
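To make the "locator ID" idea from the post above concrete, here is an added illustration (not code from the thread or from Cisco): a tiny model of a LISP mapping database where the main site owns the 192.168.1.0/24 EID prefix and a roaming laptop registers a /32 EID from a second site. Longest-prefix match is what lets 192.168.1.1 and 192.168.1.2 sit in one subnet yet resolve to different RLOCs; all addresses, the RLOC values and the `forward` decision logic are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed mapping database: EID prefix -> RLOC (assumed values).
# The /24 is the main site's prefix; the /32 entries are what a roaming
# host's registration would add when it attaches at a given site.
MAPPING_DB = {
    "192.168.1.0/24": "203.0.113.1",   # main site xTR
    "192.168.1.1/32": "203.0.113.1",   # host currently at main site
    "192.168.1.2/32": "198.51.100.2",  # same subnet, registered from site 2
}


def resolve_rloc(eid: str, db: dict = MAPPING_DB) -> Optional[str]:
    """Longest-prefix match of a host EID against the mapping database.

    A more specific /32 registration overrides the site's /24, which is
    how two hosts in one subnet can live behind different locators.
    Returns None when no prefix covers the EID (a negative map-reply).
    """
    addr = ipaddress.ip_address(eid)
    best_len, best_rloc = -1, None
    for prefix, rloc in db.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_rloc = net.prefixlen, rloc
    return best_rloc


def forward(src_eid: str, dst_eid: str, my_rloc: str, db: dict = MAPPING_DB) -> dict:
    """Decide what an ITR whose locator is `my_rloc` does with a packet.

    Same-site traffic stays local; traffic to an EID registered elsewhere
    is encapsulated between the two RLOCs; unmapped EIDs are dropped.
    """
    dst_rloc = resolve_rloc(dst_eid, db)
    if dst_rloc is None:
        return {"action": "drop", "reason": "no mapping for destination EID"}
    if dst_rloc == my_rloc:
        return {"action": "local", "reason": "destination EID is at this site"}
    return {"action": "encap", "outer_src": my_rloc, "outer_dst": dst_rloc,
            "inner": (src_eid, dst_eid)}
```

The mapping database is the trust anchor in this design: whichever xTR registers the most specific EID wins the lookup, so the map-server registration keys and which routers are allowed to register decide where that "secure" VLAN's traffic is delivered.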