Extend a VLAN from one switch over a layer-2 link to another switch?

agrikk

I am trying to accomplish this:

[image: public_network.png]



That is, I have an existing network connecting an office to a colo to the internet. I have a range of public IP addresses assigned to the public interface of a firewall.

I am trying to set up a "public" wireless access network in our office that is completely separate from our corporate network, which we can use for consultants, iPhones, etc., that cannot in any way access resources on our corporate network without using VPN.

I envision adding a second loop to our existing network that lives on a separate VLAN on our switch at the colo that would not have access to our existing VLAN network. I would somehow pass that VLAN traffic across the gigE link to a separate VLAN on our office switch that would connect to the WAPs of the public network.

Any idea how to do this?


I cannot figure out how to send separate VLAN traffic over the L2 point-to-point link.
 
Any idea how to do this?
I cannot figure out how to send separate VLAN traffic over the L2 point-to-point link.

My first guess might have to be talking to the people providing you the l2l link between the colo and the office.

Would it potentially be easier to just write ACLs around the "guest access" traffic, since you are sharing bandwidth with your production network anyway?

EDIT:

IIRC you are using that SonicWall, right? Couldn't you turn one of those ports into your guest access firewall and then do your content filtering etc. with that? Just another thought.
 
QinQ tunneling?

What are the details of your gig point-to-point link? Is it routed or an L2 connection?
 
Yep, QinQ will do it.

Alternatively, L2FM/TRILL will do this, but that's a new technology and designed for data centers mostly -- it's based on IS-IS.
 
Sweet, learned something new.

EDIT:

After Googling this quickly I do have one question: does the SP have to set up anything on their side to allow you to do QinQ?
 
My first guess might have to be talking to the people providing you the l2l link between the colo and the office.

Would it potentially be easier to just write ACLs around the "guest access" traffic, since you are sharing bandwidth with your production network anyway?

EDIT:

IIRC you are using that SonicWall, right? Couldn't you turn one of those ports into your guest access firewall and then do your content filtering etc. with that? Just another thought.

I could turn one of the ports of the firewall into a DMZ or guest access firewall or whatever, but the problem remains that the firewall is in the data center and my office is a Layer 2 connection away. I'd have to find some way of extending the guest access network into the office from the datacenter.

QinQ tunneling?

What are the details of your gig point-to-point link? Is it routed or an L2 connection?

QinQ tunneling? Google here I come...

The gigE link is a basic L2 connection.
 
The gigE link is a basic L2 connection.

:confused:

When I see L2 in reference to networking I think of layer 2, as in a switched link. If those are routers they are layer 3, as in you have one subnet on your side of the router, a PtP subnet between the routers and another subnet above.

If this is the case and the router is your gateway then I would simply add the guest VLAN and limit access with an ACL. On my network we use a guest VLAN (we call it "remedial") to allow extremely limited access to unknown systems that have been connected.

Could you explain the "L2"?
 
:confused:

When I see L2 in reference to networking I think of layer 2, as in a switched link. If those are routers they are layer 3, as in you have one subnet on your side of the router, a PtP subnet between the routers and another subnet above.

If this is the case and the router is your gateway then I would simply add the guest VLAN and limit access with an ACL. On my network we use a guest VLAN (we call it "remedial") to allow extremely limited access to unknown systems that have been connected.

Could you explain the "L2"?

You are correct. It is a layer 2 connection on the OSI model. A layer 2 connection with routers on either end passes layer three traffic, but this is a layer 2 point-to-point connection. Just like I can put two routers on a switch and have the switch pass traffic between them: the switch is a layer two device that passes layer three traffic, but is perfectly happy passing layer two traffic too.

But in talking about this, now I wonder if I can pull the GBICs out of the routers and stick them straight into the switches themselves and now instead of a routed network link, I'd have a bridge between the two offices and I could build a trunk link that passes the guest VLAN from the office to the colo and out to the internet.
 
What equipment are you using? VPN tunnel, maybe?

The switches are Dell PowerConnect 6248P.
The routers are Cisco 1941 Series with 2 gigE over copper interfaces and one EHWIC with a fiber interface.
The Linksys is a WRT54GS router.
The firewall is a SonicWall 4500.
 
Completely talking out my ass for a minute... why not do some EoIP? The Cisco design documents laying out how to do it specifically mention a scenario such as this... granted a WCS is more than likely gonna be required, but I don't know exactly what gear you already have, and I'm going to assume the business need/budget for this is "get it done without buying shit"...
 
Completely talking out my ass for a minute... why not do some EoIP? The Cisco design documents laying out how to do it specifically mention a scenario such as this... granted a WCS is more than likely gonna be required, but I don't know exactly what gear you already have, and I'm going to assume the business need/budget for this is "get it done without buying shit"...

An interesting thought. I could perhaps buy a pair of WRT54G's and plop DD-WRT on them. Then I could point their WAN sides at each other over this link and use a DMZ port on the Sonicwall as the main internet access interface. Wonder if the boss would go for spending the dough on that?
 
Does it need to be layer 2? You could just set up a GRE tunnel or similar between the WiFi VLAN and your remote gateway, going over your internal network for transport, and just rely on the basic DHCP etc. offered by your access point.
 
Just set up another VLAN and be done with it. Why use the routers if you're not going to route? Not really seeing the point there. Set up a guest VLAN and plug that into the DMZ or something on your firewall. Put your guest wireless AP on that VLAN, done.
 
Just set up another VLAN and be done with it. Why use the routers if you're not going to route? Not really seeing the point there. Set up a guest VLAN and plug that into the DMZ or something on your firewall. Put your guest wireless AP on that VLAN, done.

What he said ;)
 
Just set up another VLAN and be done with it. Why use the routers if you're not going to route? Not really seeing the point there. Set up a guest VLAN and plug that into the DMZ or something on your firewall. Put your guest wireless AP on that VLAN, done.

If the office and the firewall were on the same subnet it would be as easy as that (which in fact is the setup I have running in our current office). If I can get the GBICs working in the switches and the bridge setup working this whole thread is moot. I won't need routers and thus won't need to figure out how to extend a VLAN across a routed link.

However if it doesn't work then I'm back to the other options in this thread because I'll have a VLAN for public access set up on one switch stack, but the traffic will still have to cross the routed link to get to the other switch stack to access the firewall to access the public IP space. And I don't know how to do that. Hence this thread.
 
Well, you said it was an L2 point-to-point link. If it's L2 then you're not routing. If you're not routing it should be no problem to extend a VLAN across the link. However, if the P2P link IS routed, then yes, you need to be a bit more creative. I would set up another VLAN/subnet for the guest network and set up ACLs on the routers to prevent routing to the corporate subnet and allow internets only. May have to put your firewall on a separate subnet from your corp VLAN at the colo.
 
If the office and the firewall were on the same subnet it would be as easy as that (which in fact is the setup I have running in our current office). If I can get the GBICs working in the switches and the bridge setup working this whole thread is moot. I won't need routers and thus won't need to figure out how to extend a VLAN across a routed link.

However if it doesn't work then I'm back to the other options in this thread because I'll have a VLAN for public access set up on one switch stack, but the traffic will still have to cross the routed link to get to the other switch stack to access the firewall to access the public IP space. And I don't know how to do that. Hence this thread.

Get rid of the routers on your L2 link; you're just putting two extra devices on a point-to-point link by the looks of it. You can do your inter-VLAN routing with a single router. Your "office" and "colo" switches, or stacked switches, or whatever they are, need to use the fiber connection as a trunk, and then you just trunk your corp/dev/prod/DMZ VLANs to the switches and do your inter-VLAN routing on your Cisco routers. If they support it, you could even do VRRP now (can't recall if they do?) since you'll have a spare :p
 
An interesting thought. I could perhaps buy a pair of WRT54G's and plop DD-WRT on them. Then I could point their WAN sides at each other over this link and use a DMZ port on the Sonicwall as the main internet access interface. Wonder if the boss would go for spending the dough on that?

What? Point to point wifi link to connect corporate office to Internet?

The SP's metro ethernet switches should support QinQ without a problem. If they don't, ask them where your $7000 a month is going. If they do support QinQ, then you can merely set up the switch ports on both sides of the fiber line as VLAN trunk ports. The SP network should merely appear as a long fiber line to you.
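A concrete version of what the replies above converge on (trunk the fiber link so the guest VLAN rides it, keep untagged traffic off the trunk, and put an ACL on the guest gateway so guests reach only the internet), as an added example that is not from any poster in this thread. Cisco IOS-style syntax, the interface names, VLAN ids and addresses are all assumptions; the Dell PowerConnect 6248 CLI is close but not identical, so check each command against its manual. With the SP doing QinQ, the customer-side trunk config is the same; only the SP's own edge ports change.

```cisco
! Added example, not from the thread. IOS-style syntax, VLAN ids, subnets
! and interface names are assumed; verify against the PowerConnect manual.
!
! --- on BOTH switches: define the VLANs and trunk them over the fiber ---
vlan 10
 name CORP
vlan 20
 name GUEST
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/48
 description Fiber link office <-> colo (port holding the GBIC, assumed)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 no shutdown
!
! --- office switch: access port for a guest wireless AP ---
interface GigabitEthernet1/0/10
 description Guest WAP
 switchport mode access
 switchport access vlan 20
!
! --- colo side: guest gateway (L3 switch SVI, or the same ACL on a
! --- router subinterface / the SonicWall DMZ zone) ---
ip access-list extended GUEST-IN
 remark guests may reach DHCP and their own gateway's DNS only
 permit udp any any eq bootps
 permit udp any host 192.168.20.1 eq domain
 remark then block every RFC1918 range, which covers the corporate subnets
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan20
 description Guest SVI / gateway (192.168.20.0/24 assumed)
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

The unused native VLAN on the trunk means any untagged frame arriving over the fiber is dropped into a VLAN with no members rather than landing in CORP or GUEST; the ACL order (permit DHCP/DNS first, then deny private ranges, then permit) is what keeps guests working while still walled off from the corporate subnets.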
 