08-14-2010 12:40 AM - edited 03-06-2019 12:28 PM
I have a client who is in the process of moving some of their hosts/servers from the Data Center to their own Campus. They don't want to change the IP addresses and think that they can extend the VLANs over a GRE/IPSEC tunnel. They are running a fiber between the Campus and the Data Center. I have never come across a case where you can extend VLANs over a GRE/IPSEC tunnel. I know it is possible to extend VLANs over a Layer II trunk as long as the switches at both ends are in the same VTP Domain.
Any feedback will be appreciated.
08-14-2010 01:10 AM
Hello Abbas,
This is possible by using GRE/IPSec to protect an L2TPv3 session between the two routers.
See for L2TPv3:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html
But make the customer aware of the limitations of this solution:
WAN link speed
performance of WAN routers
Hope to help
Giuseppe
08-15-2010 09:33 PM
Hello Giuseppe,
Thanks for the information. The question remains: the switch at the other end has to be a member of the same VTP domain in order for the switch to send the packet to the correct destination.
For example,
If I configure VLAN 110 on both switches SWA and SWB. Even though the VLAN ID 110 is exactly the same, it will be treated differently unless I put both switches in the same VTP domain.
Going back to my previous question, suppose VLAN 110, VTP CISCO is currently configured in the Data Center Switch with the following IPs:
10.1.1.1/24---------Assigned to Data Server
10.1.1.2/24---------Assigned to Application Server
10.1.1.3/24--------Assigned to Workstation 1
10.1.1.4/24--------Assigned to Workstation 2
Now I go ahead and move Data Server 10.1.1.1/24 and Workstation 2 10.1.1.4/24 to my Campus Network.
I create VLAN 110 in one of my campus switches and connect my Data Server 10.1.1.1/24 and Workstation 10.1.1.4/24. I then configure L2TPv3 between my Core Routers that connect Data Center and Campus. Now assume 10.1.1.3/24 (Workstation 1) wants to initiate a session with the Data Center Server (now residing in the Campus Network) and can only create a successful session if both the switches in the Data Center and Campus Network are under VTP Domain CISCO.
Please advise!
08-16-2010 01:48 AM
Hello Abbas,
>> If I configure VLAN 110 on both switches SWA and SWB. Even though the VLAN ID 110 is exactly the same, it will be treated differently unless I put both switches in the same VTP domain.
This is not correct: if the two switches have an L2 path between them, everything works with the appropriate configuration.
VTP is a protocol to propagate the existence of VLANs, but it does not imply anything in the forwarding plane.
If you need to carry multiple VLANs via L2TPv3, configure the port towards the router as a manual trunk with switchport nonegotiate and with a list of VLANs that contains only the VLANs you want to be carried over the WAN link by L2TPv3.
I would not try to join the VTP domains over L2TPv3 even if this is possible if desired.
Hope to help
Giuseppe
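The setup described in the reply above, sketched as an added example that is not part of the original posts: a manual trunk limited to VLAN 110 on the switch, and a port-mode L2TPv3 xconnect on the router. Interface names, the loopback addresses (192.0.2.x), the pseudowire-class name and the VC ID are constructed placeholders, and the GRE/IPSec protection of the session is not shown.

```cisco
! Constructed example: all names, addresses and IDs below are placeholders.
!
! --- Switch (Data Center and Campus alike): port facing the WAN router ---
interface GigabitEthernet0/1
 description Trunk to WAN router (L2TPv3 attachment circuit)
 ! The encapsulation command exists only on platforms that also support ISL
 switchport trunk encapsulation dot1q
 ! Manual trunk, no DTP negotiation towards the router
 switchport mode trunk
 switchport nonegotiate
 ! Only the VLANs that must cross the WAN; nothing else is bridged over
 switchport trunk allowed vlan 110
!
! --- Router, Data Center side ---
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
pseudowire-class VLAN-EXTEND
 encapsulation l2tpv3
 ! Source address of the L2TPv3 session
 ip local interface Loopback0
!
interface GigabitEthernet0/0
 description To switch trunk port
 no ip address
 ! Port-mode xconnect: tagged frames from the trunk are carried as-is
 ! Peer = Campus router loopback, 110 = VC ID (must match on both ends)
 xconnect 192.0.2.2 110 pw-class VLAN-EXTEND
!
! --- Router, Campus side: same configuration with the addresses swapped ---
! interface Loopback0       -> ip address 192.0.2.2 255.255.255.255
! interface Gi0/0 xconnect  -> xconnect 192.0.2.1 110 pw-class VLAN-EXTEND
```

No VTP configuration appears on either side: the hosts in VLAN 110 reach each other because the tagged frames are bridged end to end, and VLAN 110 only has to exist locally on each switch.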