Extend a VLAN from one switch over a layer-2 link to another switch?

Discussion in 'Networking & Security' started by agrikk, Jun 8, 2010.

  1. agrikk

    agrikk Gawd

    I am trying to accomplish this:

    (image: network diagram)


    That is, I have an existing network connecting an office to a colo to the internet. I have a range of public IP addresses assigned to the public interface of a firewall.

    I am trying to set up a "public" wireless access network in our office that is completely separate from our corporate network that we can use for consultants, iPhones, etc. that cannot in any way access resources on our corporate network without using VPN.

    I envision adding a second loop to our existing network that lives on a separate VLAN on our switch at the colo that would not have access to our existing VLAN network. I would somehow pass that VLAN traffic across the gigE link to a separate VLAN on our office switch that would connect to the WAPs of the public network.

    Any idea how to do this?


    I cannot figure out how to send separate VLAN traffic over the L2 point-to-point link.
     
  2. calvinj

    calvinj [H]ard|Gawd

    My first guess might have to be talking to the people providing you the l2l link between the colo and the office.

    Would it potentially be easier to just write acls around the "guest access" traffic since you are sharing bandwidth with your production network anyways?

    EDIT:

    IIRC you are using that sonicwall right? Couldn't you turn one of those ports into your guest access firewall and then do your content filtering and etc with those? Just another thought
     
  3. archivalbackup

    archivalbackup Gawd

    QinQ tunneling?

    What are the details of your gig Point to Point link, is it routed or an L2 connection?
     
  4. just2cool

    just2cool Gawd

    Yep, QinQ will do it.

    Alternatively, L2FM/TRILL will do this, but that's a new technology and designed for data centers mostly -- it's based on IS-IS.
     
  5. calvinj

    calvinj [H]ard|Gawd

    sweet learned something new

    EDIT:

    After Googling this quick I do have one question.. Does the SP have to setup anything on their side to allow you to do QinQ?
     
    Last edited: Jun 8, 2010
  6. agrikk

    agrikk Gawd

    I could turn one of the ports of the firewall into a DMZ or guest access firewall or whatever, but the problem remains that the firewall is in the data center and my office is a Layer 2 connection away. I'd have to find some way of extending the guest access network into the office from the datacenter.

    QinQ tunneling? Google here I come...

    The gigE link is a basic L2 connection.
     
  7. Berg0

    Berg0 [H]ard|Gawd

    what equipment are you using? VPN tunnel maybe?
     
  8. Shadowspawn

    Shadowspawn [H]ard|Gawd

    :confused:

    When I see L2 in reference to networking I think of layer 2, as in a switched link. If those are routers they are layer 3, as in you have one subnet on your side of the router, a PtP subnet between the routers and another subnet above.

    If this is the case and the router is your gateway then I would simply add the guest VLAN and limit access with an ACL. On my network we use a guest VLAN (we call it "remedial") to allow extremely limited access to unknown systems that have been connected.

    Could you explain the "L2"?
     
  9. agrikk

    agrikk Gawd

    You are correct. It is a layer 2 connection on the OSI model. A Layer 2 connection with routers on either end passes layer three traffic, but this is a layer 2 point to point connection. Just like I can put two routers on a switch and have the switch pass traffic between them. The switch is a layer two device that passes layer three traffic, but is perfectly happy passing layer two traffic too.

    But in talking about this, now I wonder if I can pull the GBICs out of the routers and stick them straight into the switches themselves and now instead of a routed network link, I'd have a bridge between the two offices and I could build a trunk link that passes the guest VLAN from the office to the colo and out to the internet.
     
  10. agrikk

    agrikk Gawd

    The switches are Dell PowerConnect 6248P
    The routers are Cisco 1941 Series with 2 gigE over copper interfaces and one EHWIC with a fiber interface
    The linksys is a WRT54GS router
    The firewall is a Sonicwall 4500
     
  11. B1zz

    B1zz Gawd

    completely talking out my ass for a minute....why not do some EoIP? the cisco design documents laying out how to do it specifically mention a scenario such as this....granted a WCS is more than likely gonna be required, but i dont know exactly what gear you already have, and i'm going to assume the business need/budget for this is "get it done without buying shit".....
     
  12. agrikk

    agrikk Gawd

    An interesting thought. I could perhaps buy a pair of WRT54G's and plop DD-WRT on them. Then I could point their WAN sides at each other over this link and use a DMZ port on the Sonicwall as the main internet access interface. Wonder if the boss would go for spending the dough on that?
     
  13. keenan

    keenan 2[H]4U

    Does it need to be layer 2? You could just set up a GRE tunnel or similar between the WiFi VLAN and your remote gateway, going over your internal network for transport, and just rely on the basic DHCP etc. offered by your access point.
     
  14. Captain Colonoscopy

    Captain Colonoscopy 2[H]4U

    Just set up another VLAN and be done with it. Why use the routers if you're not going to route? Not really seeing the point there. Set up a guest VLAN and plug that into the DMZ or something on your firewall. Put your guest wireless AP on that VLAN, done.
     
  15. calvinj

    calvinj [H]ard|Gawd

    What he said ;)
     
  16. agrikk

    agrikk Gawd

    If the office and the firewall were on the same subnet it would be as easy as that (which in fact is the setup I have running in our current office). If I can get the GBICs working in the switches and the bridge setup working this whole thread is moot. I won't need routers and thus won't need to figure out how to extend a VLAN across a routed link.

    However if it doesn't work then I'm back to the other options in this thread because I'll have a VLAN for public access set up on one switch stack, but the traffic will still have to cross the routed link to get to the other switch stack to access the firewall to access the public IP space. And I don't know how to do that. Hence this thread.
     
    Last edited: Jun 9, 2010
  17. Captain Colonoscopy

    Captain Colonoscopy 2[H]4U

    Well, you said it was a L2 point to point link. If it's L2 then you're not routing. If you're not routing it should be no problem to extend a VLAN across the link. However, if the P2P link IS routed, then yes, you need to be a bit more creative. I would set up another VLAN/subnet for the guest network and set up ACLs on the routers to prevent routing to the corporate subnet and allow internets only. May have to put your firewall on a separate subnet from your corp VLAN at the colo.
     
  18. Berg0

    Berg0 [H]ard|Gawd

    get rid of the routers on your l2 link, you're just putting two extra devices on a point to point link by the looks of it. you can do your inter vlan routing with a single router. your "office" and "colo" switches, or stacked switches, or whatever they are need to use the fiber connection as a trunk, and then you just trunk your corp/dev/prod/DMZ VLANs to the switches, and do your inter VLAN routing on your cisco routers. if they support it, you could even do VRRP now (can't recall if they do?) since you'll have a spare :p
     
  19. cymon

    cymon Limp Gawd

    What? Point to point wifi link to connect corporate office to Internet?

    The SP's metro ethernet switches should support Q in Q without a problem. If they don't, ask them where your 7000$ a month is going. If they do support QinQ, then you can merely set up the switch ports on both sides of the fiber line as VLAN trunk ports. The SP network should merely appear as a long fiber line to you.
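The QinQ (802.1ad) behaviour that archivalbackup, just2cool and cymon describe, shown as an added example that is not part of the thread: the customer's 802.1Q trunk frames keep their own VLAN tag (the guest VLAN) while the provider wraps them in an outer service tag, so the far-side switch sees exactly the frame the office switch sent. The MAC addresses, guest VLAN 200 and provider S-VLAN 1000 are constructed values, not from the thread.

```python
import struct

# EtherTypes from IEEE 802.1Q (customer tag) and 802.1ad (service tag, i.e. the QinQ outer tag).
ETHERTYPE_CTAG = 0x8100
ETHERTYPE_STAG = 0x88A8
ETHERTYPE_IPV4 = 0x0800

def tag(ethertype, vlan_id, pcp=0):
    """Build one 4-byte VLAN tag: TPID followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return struct.pack("!HH", ethertype, (pcp << 13) | vlan_id)

def build_trunk_frame(dst, src, cvlan, payload, ethertype=ETHERTYPE_IPV4):
    """What the office switch sends on an 802.1Q trunk for the guest VLAN (C-tag only)."""
    return dst + src + tag(ETHERTYPE_CTAG, cvlan) + struct.pack("!H", ethertype) + payload

def qinq_push(frame, svlan):
    """Provider edge: insert the S-tag right after the MAC addresses; the C-tag is untouched."""
    return frame[:12] + tag(ETHERTYPE_STAG, svlan) + frame[12:]

def qinq_pop(frame):
    """Far-side provider edge: strip the outer S-tag and hand the customer frame back unchanged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_STAG:
        raise ValueError("outer tag is not an 802.1ad service tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def vlan_stack(frame):
    """List VLAN IDs from outermost to innermost, as a switch would see them while parsing."""
    ids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] in (ETHERTYPE_CTAG, ETHERTYPE_STAG):
        ids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return ids

def round_trip(cvlan=200, svlan=1000):
    """Constructed example: guest VLAN 200 carried across the provider inside S-VLAN 1000."""
    dst = bytes.fromhex("02000000aa01")      # constructed locally-administered MACs
    src = bytes.fromhex("02000000bb02")
    original = build_trunk_frame(dst, src, cvlan, b"\x45" + b"\x00" * 19)
    in_provider = qinq_push(original, svlan)
    svid, delivered = qinq_pop(in_provider)
    return {
        "provider_sees": vlan_stack(in_provider),   # [1000, 200]
        "customer_sees": vlan_stack(delivered),     # [200]
        "svlan": svid,
        "intact": delivered == original,
    }
```

If the provider's edge is not QinQ-aware, `qinq_pop` has nothing to strip and the customer tag is what the provider acts on, which is the "does the SP have to set up anything" question from earlier in the thread.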