07-05-2011 02:22 PM
Hi there,
Wondering if anyone can assist me.
I have 2 active sites (Site A and Site B), currently there are a number of vlans stretched between the 2 location via a layer 2 link. We are looking at a planned refresh and moving away from an layer 2 link to a layer 3 link. We are also deploying Cisco ASA5520 at below locations. I still need to be able to stretch the vlan between the 2 location and wondering how best to achieve this. Can this be achieve using Cisco ASA or do I require a layer of routers in from of the Cisco ASA to achieve this.
Any thoughts or design examples would be much appreciated.
Regards,
Michael.
07-06-2011 09:48 AM
Hi Michael,
ASA is a Firewall. hence its primary function is to protect the network. Routing might be an issue if you make an ASA do it.
If i understand correctly, then the two site are on the same network and not acorss internet. i guess a router will be a better choice.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
07-06-2011 01:52 PM
Hi Michael,
Firstly a PIX/ASA firewall is a NAT router. The routing protocols may be limited but all the same thats what it is.
The information you have provided is a little open ended and may allow for flair or assumption. I guess you could do without both.
I have pruned from your questions theses facts:
You should be aware that the ASA can act as a bump in the wire at layer2. However, the implementation of 802.1Q tagging has not been proven or is accepted as supported (there have been some attempts if you google it).
It still raises a few questions and specifically what are your requirements ? objectives ?
If layer2 meets your needs why change it ? if you need to change it for security purposes then again there is still a need to understand your underlying need to operate multiple segments and what they deliver. I have reviewed and offered a response to similar clients and identified that the options are many and could include:
If you wish to be more specific then we may be able to offer something a little more detailed.
Regards
Ju
07-11-2011 01:36 PM
Hi there,
Thanks for replies to date.
L3 link is provided by ISP. The 2 sites have a direct connection to the Internet via the ISP. So I have vlan x defined in both location but I have a requirement to have the vlan talk to each other over an L2 connection over IPSEC i think. Do you think this is possible?
So logicall the setup at each site is:
InterNet Router (Service Provider)
LAN Router (facing ISP)
Firewalls
Core Switch, where vlan x is located.
Regards,
Michael.
07-12-2011 04:32 PM
Hi Michael,
How much money do you have ?
is it viable, then the answer is yes. is it viable over an IPSEC tunnel with a pair of 5520 ASA's then the answer is no, unless
you have the funds to implement a couple of hi spec appliances to look at some of the MPLS/GRE based solutions that are coming out of the woodwork. As I understand it there is currently an RFC in process with a patent for Layer2 VPN over IPSEC.
Check this out: Data Centre Interconnect (DCI)
Alternativly, consider your requirements. Often Layer2 is identified as a solution when the requirement cant be met by the technology
Best Regards
Julian
08-31-2011 12:08 AM
Hi Michael,
Are you looking to HA your ASA Appliances (E.g. Active unit at Site A and the Standby Unit at Site B)?
09-01-2011 05:50 AM
Hi Ryan,
Will have a per of ASA's(active/standby) at each site.
I want to stretch a couple of vlans between 2 locations over a L3 link. I'm thinking of using LT2PV3 to acheive this but wondering is any experience or test cases of this that I could work too.
Regards,
Michael.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide