Extend VLAN over site2site VPN tunnel between ASA5505 - ASA5520

Mister861
Level 1

Topology:

I hope my topology is clear to everybody.

From the ASA5505's point of view you just receive 2 tagged VLANs which enter the trunk interface, and the ASA5505 just acts as an L2 switch and untags the packets on another interface towards the IPTV-BOX (switchport access vlan 4). (VLAN 6 is just for internet access with PPPoE auth.)

There is NO IP addressing going on in VLAN 4 on the ASA5505; the IPTV-BOX receives its IP address from the ISP cloud through VLAN 4.

I want to plug in another IPTV-BOX on the other site (behind the ASA5520). There is a stable S2S IPsec tunnel over the internet between the ASAs and enough bandwidth.

Does anyone know how I 'extend' VLAN 4 to the other side of the VPN tunnel, so that when I plug in another one behind the ASA5520's LAN, the IPTV-BOX gets an IP address from VLAN 4 on the other site, the LAN on the ASA5505?

Kind regards, Marc

4 Replies

Richard Burts
Hall of Fame

Marc

If these were router connections I would wonder if something like L2TPv3 might give you what you want. But with the connections being through ASAs I cannot think of a way to extend VLAN 4 from the 5505 to the 5520.

HTH

Rick


Hi Rick,

That's a bummer. I can put two 800-series routers behind the ASAs (one on each site, of course :) ). But I'm thinking about what the config/topology will be on the ASA5505 side.

I need to tag VLAN 4 (which is the IPTV signal that needs to make a U-turn) from the ASA and VLAN 100 (for internet access) to the 800-series router, and then configure an L2TPv3 tunnel OVER the existing S2S IPsec tunnel to the other side, so the existing S2S tunnel stays in place and both 8xx routers can see each other by LAN-to-LAN IPs.

I think I can manage that so far, so that the L2TPv3 tunnel is up/up OVER the existing S2S tunnel between the ASAs:

8xx - ASA5505 - Internet cloud - ASA5520 - 8xx

But from the 8xx on the ASA5505 side, how can I make the incoming tagged VLAN 4 make a U-turn towards the second 8xx (behind the ASA5520)?

/me is trying to get the right picture in front of him..

Ok, I put two 878 routers behind the ASA5505 and ASA5520, and the L2TPv3 over IPsec seems to work fine:

Cisco-878-1#sh l2tun

%No active L2F tunnels

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name   State  Remote Address  Port  Sessions L2TP Class/
                                                                VPDN Group
50644 39505 Cisco-878-2 est    192.168.200.3   0     1        VHV3CLASS

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
52560      62641      50644      1337, Vl4            est    00:53:15 3

BUT.....

The IPTV box isn't working behind the second 870 yet. It works when I put it behind a FastEthernet interface in VLAN 4 on the first 878, which is configured like this:

interface Vlan4
 no ip address
 xconnect 192.168.178.253 1337 pw-class IPTVL2TPV32

However, when I put the IPTV box behind the second 878, which is configured like this:

interface Vlan4
 no ip address
 xconnect 192.168.200.3 1337 pw-class IPTVL2TPV31

It doesn't receive a proper IP address (which must come through the IPsec/L2TPv3 tunnel), see attachments.

Am I forgetting anything about multicast/broadcast traffic? The whole point is that they share their broadcast domain, right?

Kind regards, Marc
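The two posts above only show the xconnect line on each router and the show l2tun output. For readers trying the same setup, here is a complete two-router L2TPv3 pseudowire configuration as an added example; it is not the poster's configuration and was not taken from the thread. It keeps the names and numbers visible in the thread (l2tp-class VHV3CLASS, pseudowire classes IPTVL2TPV31/IPTVL2TPV32, VC ID 1337, peers 192.168.178.253 and 192.168.200.3, the show l2tun output on Cisco-878-1 pointing at 192.168.200.3) and assumes everything else: that 192.168.178.253 and 192.168.200.3 are the routers' VLAN 100 addresses on the ASA5505 and ASA5520 LANs, that the ASA inside interfaces are .1 in each subnet, the FastEthernet port roles, the control-channel password, and the ASA object names. The security-relevant point is that L2TPv3 has no confidentiality and only optional control-channel authentication: the IPTV frames (including the box's DHCP broadcasts) are protected solely because the ASA-to-ASA IPsec tunnel carries the protocol-115 packets between the two router addresses, so those addresses must sit inside the crypto ACL and be exempt from NAT. Extending VLAN 4 also means the remote access port becomes part of the ISP's IPTV broadcast domain, so nothing but the IPTV box should be in VLAN 4 on the far router.

```cisco
! ===== Cisco-878-1, behind the ASA5505 (assumed LAN address 192.168.178.253) =====
! On the 87x the VLANs are created in the VLAN database (exec mode), not in running-config:
!   vlan database
!    vlan 4 name IPTV
!    vlan 100 name INET
!    exit
!
l2tp-class VHV3CLASS
 hostname Cisco-878-1
 authentication
 password 0 CHANGE-ME-shared-secret      ! assumed value; authenticates the control channel only
!
pseudowire-class IPTVL2TPV31
 encapsulation l2tpv3
 protocol l2tpv3 VHV3CLASS
 ip local interface Vlan100               ! tunnel source: the LAN address the ASA's crypto ACL covers
!
interface FastEthernet0
 description trunk from ASA5505 (VLAN 4 = tagged IPTV from the ISP, VLAN 100 = internet/LAN)
 switchport mode trunk
 switchport trunk allowed vlan 4,100
!
interface FastEthernet1
 description local IPTV box (works here: same VLAN as the ISP feed)
 switchport access vlan 4
!
interface Vlan100
 ip address 192.168.178.253 255.255.255.0
!
interface Vlan4
 description ISP IPTV broadcast domain, bridged to Cisco-878-2 over the pseudowire
 no ip address
 xconnect 192.168.200.3 1337 encapsulation l2tpv3 pw-class IPTVL2TPV31
!
! Reach the far router through the ASA5505 inside interface (assumed 192.168.178.1);
! the ASAs' existing L2L tunnel then carries the protocol-115 packets.
ip route 192.168.200.0 255.255.255.0 192.168.178.1

! ===== Cisco-878-2, behind the ASA5520 (assumed LAN address 192.168.200.3) =====
l2tp-class VHV3CLASS
 hostname Cisco-878-2
 authentication
 password 0 CHANGE-ME-shared-secret      ! must match Cisco-878-1
!
pseudowire-class IPTVL2TPV32
 encapsulation l2tpv3
 protocol l2tpv3 VHV3CLASS
 ip local interface Vlan100
!
interface FastEthernet0
 description to ASA5520 inside LAN
 switchport access vlan 100
!
interface FastEthernet1
 description remote IPTV box; keep it the only host in VLAN 4 on this router
 switchport access vlan 4
!
interface Vlan100
 ip address 192.168.200.3 255.255.255.0
!
interface Vlan4
 no ip address
 xconnect 192.168.178.253 1337 encapsulation l2tpv3 pw-class IPTVL2TPV32   ! same VC ID on both ends
!
ip route 192.168.178.0 255.255.255.0 192.168.200.1   ! ASA5520 inside, assumed

! ===== ASA5505 and ASA5520, excerpt of the existing L2L tunnel (pre-8.3 syntax, assumed names) =====
! L2TPv3 is IP protocol 115 (no TCP/UDP port; show l2tun reports Port 0), so the crypto ACL
! must match it with 'permit ip' and it must be exempt from PAT, which cannot translate it.
access-list L2L_ACL extended permit ip 192.168.178.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list L2L_ACL
```

After applying this, `show l2tun session all` and `show xconnect all` on either 878 should show the session as established with the frame counters increasing when the remote IPTV box sends DHCP discovers; if the counters rise on one side only, check the ASA crypto ACL and NAT exemption for the two router addresses first. Note also that a full 1500-byte IPTV frame gains the Ethernet, L2TPv3 and outer IP headers plus the ASA's ESP overhead, so expect fragmentation on the WAN link unless the path MTU allows for it.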

Mister861
Level 1

Ok.. Strange! Maybe a bug or something.. I can see the MAC address of the IPTV-box which is behind the 878-2 (so at the end of the L2TPv3 over IPsec tunnel) on my ASA5505, but the IPTV-BOX doesn't get a valid IP address; it sends DHCP broadcast packets..

Maybe a bug in the IOS versions on the 878? (I saw the adv.sec. is from 2005, lol :) )

Upgrading them first now to a newer one...

Edit: IOS upgrade didn't help.. The MAC address of the IPTV-box at the end of the line is still in the table on the ASA5505... Getting frustrated now :(