Stretching VLAN between 2 sites via Cisco ASA 5520

michaelnolan
Level 1

Hi there,

Wondering if anyone can assist me.

I have 2 active sites (Site A and Site B); currently there are a number of VLANs stretched between the 2 locations via a layer 2 link. We are looking at a planned refresh and moving away from a layer 2 link to a layer 3 link. We are also deploying Cisco ASA 5520s at both locations. I still need to be able to stretch the VLANs between the 2 locations and am wondering how best to achieve this. Can this be achieved using the Cisco ASA, or do I require a layer of routers in front of the Cisco ASA to achieve this?

Any thoughts or design examples would be much appreciated.

Regards,

Michael.

6 Replies

andamani
Cisco Employee

Hi Michael,

The ASA is a firewall; hence its primary function is to protect the network. Routing might be an issue if you make an ASA do it.

If I understand correctly, the two sites are on the same network and not across the Internet. I guess a router will be a better choice.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

ju_mobile
Level 1

Hi Michael,

Firstly, a PIX/ASA firewall is a NAT router. The routing protocols may be limited, but all the same that's what it is.

The information you have provided is a little open ended and may allow for flair or assumption. I guess you could do without both.

I have pruned these facts from your question:

  • two sites
  • multiple vlans
  • deployment of an ASA proposed location not defined

You should be aware that the ASA can act as a bump in the wire at layer 2. However, the implementation of 802.1Q tagging has not been proven or accepted as supported (there have been some attempts if you Google it).

It still raises a few questions, specifically: what are your requirements? Objectives?

If layer 2 meets your needs, why change it? If you need to change it for security purposes, then again there is still a need to understand your underlying need to operate multiple segments and what they deliver. I have reviewed and offered a response to similar clients and identified that the options are many and could include:

  • Multiple IPSEC tunnels using multiple interfaces
  • Implement MPLS or VRF lite solution
  • Do you actually need the firewall

If you wish to be more specific then we may be able to offer something a little more detailed.

Regards

Ju

michaelnolan
Level 1

Hi there,

Thanks for replies to date.

The L3 link is provided by the ISP. The 2 sites have a direct connection to the Internet via the ISP. So I have VLAN x defined in both locations, but I have a requirement to have the VLANs talk to each other over an L2 connection over IPsec, I think. Do you think this is possible?

So logically the setup at each site is:

InterNet Router (Service Provider)

LAN Router (facing ISP)

Firewalls

Core Switch, where VLAN x is located.

Regards,

Michael.

Hi Michael,

How much money do you have?

Is it viable? Then the answer is yes. Is it viable over an IPsec tunnel with a pair of 5520 ASAs? Then the answer is no, unless you have the funds to implement a couple of high-spec appliances to look at some of the MPLS/GRE based solutions that are coming out of the woodwork. As I understand it there is currently an RFC in process with a patent for Layer 2 VPN over IPsec.

Check this out: Data Centre Interconnect (DCI)

Alternatively, consider your requirements. Often Layer 2 is identified as a solution when the requirement can't be met by the technology.

Best Regards

Julian

Hi Michael,

Are you looking to HA your ASA Appliances (E.g. Active unit at Site A and the Standby Unit at Site B)?

Hi Ryan,

Will have a pair of ASAs (active/standby) at each site.

I want to stretch a couple of VLANs between 2 locations over an L3 link. I'm thinking of using L2TPv3 to achieve this but am wondering if there is any experience or test cases of this that I could work to.

Regards,

Michael.
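Added illustration (not posted by anyone in this thread, and not a tested reference design): the shape of an IOS L2TPv3 pseudowire that would carry one VLAN between the two LAN routers in Michael's topology, plus the ASA rules needed if the firewall sits in the path of the tunnel. Everything here is assumed for the sake of the example: router loopbacks 192.0.2.1 / 192.0.2.2, ASA outside addresses 198.51.100.1 / 198.51.100.2, VLAN 100 standing in for "vlan x", interface names, and the class, key and ACL names. L2TPv3 itself carries no encryption, so the pseudowire is wrapped in IPsec; if it were not, the ASA would instead have to permit IP protocol 115 (L2TPv3 over IP) between the two loopbacks, shown as a commented alternative.

```cisco
! ===== Site A LAN router (assumed IOS syntax; Site B mirrors with addresses swapped) =====
! Loopback used as the pseudowire source so the tunnel survives a WAN interface flap.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! L2TPv3 control channel: authenticated with a shared secret (assumed value),
! keepalives so a dead peer tears the pseudowire down instead of blackholing.
l2tp-class L2TP-CLASS
 authentication
 password 0 CHANGE-ME-SHARED-SECRET
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
 ip pmtu                     ! discover path MTU instead of silently fragmenting
!
! Trunk toward the core switch; the subinterface for VLAN 100 is cross-connected
! to Site B's loopback, so frames tagged 100 at Site A appear tagged 100 at Site B.
interface GigabitEthernet0/1
 description Trunk to core switch
 no ip address
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 192.0.2.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! IPsec around the pseudowire: only L2TPv3 (IP protocol 115) between the two
! loopbacks is encrypted, so the ASA sees ESP/IKE, not the raw Layer 2 traffic.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-IKE-KEY address 198.51.100.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended L2TPV3-TO-SITE-B
 permit 115 host 192.0.2.1 host 192.0.2.2
!
crypto map CM-SITE-B 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address L2TPV3-TO-SITE-B
!
interface GigabitEthernet0/0
 description WAN toward ISP
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-SITE-B
!
ip route 192.0.2.2 255.255.255.255 198.51.100.2

! ===== Site A ASA (assumed names) – only needed if the tunnel transits the firewall =====
! Tunnel wrapped in IPsec: permit IKE and ESP between the two router WAN addresses.
access-list OUTSIDE-IN extended permit udp host 198.51.100.2 host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.2 host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.2 host 198.51.100.1
!
! Alternative if the pseudowire were sent unencrypted (not recommended across an ISP):
! access-list OUTSIDE-IN extended permit 115 host 192.0.2.2 host 192.0.2.1
!
access-group OUTSIDE-IN in interface outside
```

Two practical checks before trusting a design like this: confirm with `show xconnect all` (and `show l2tp session`) that the pseudowire comes up and stays up after pulling the WAN link, and measure the effective MTU end to end, since the L2TPv3 header and the IPsec encapsulation both add overhead to every frame leaving the VLAN. Note also where the endpoints sit: in the posted topology (ISP router, LAN router, firewall, core switch) the router terminating the pseudowire still needs a Layer 2 path to VLAN x, which the ASA in routed mode does not provide.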