HELP: Possible to do LAN bridging over IPSEC VPN (using ADSL)?

Discussion in 'Cisco' started by Jason, Oct 31, 2003.

  1. Jason

    Jason Guest

    Hello all,

    Let me start right off by stating that I am no Cisco internetworking
    expert so please forgive my ignorance and feel free to point out the
    error of my ways ...

    We have a remote DR site that in an emergency situation we want to LAN
    bridge to using an IPSEC VPN over ADSL links at either end. Proposed
    hardware is Cisco 1720 one end and a 2500(?) the other end (with all
    Ethernet interfaces), with external ADSL modems at either end also,
    although as I understand it there is an ADSL WIC card that would allow
    a direct ADSL connection to the routers (is there any benefit?).

    I'm relatively confident of setting up the IPSEC tunnel (done it on
    non-Cisco kit) but as for the transparent LAN bridging then I'm into
    the unknown. From what I've read you can group interfaces into
    bridge groups, and this seems all well and good, but leads me to ask
    would an IPSEC VPN present itself as an 'interface' that can be used
    in a bridge group? If it does then am I home-free?

    I realise that setting up 2 seperate routable networks at either end
    would be another solution, but that would be a major headache - with a
    LAN bridge then the transition to the DR site would be seamless.

    All help and guidance gratefully received.

    Jason
     
    Jason, Oct 31, 2003
    #1
    1. Advertisements

  2. Jason

    Andre Beck Guest

    Bad thing is, it doesn't. On Cisco gear, IPsec is established using
    crypto maps and access lists, there is no interface-style configuration
    for it. It's arguable whether this is a good idea or not, but it is to
    some extend what IPsec was actually thought to be originally - a trans-
    parent layer *within* IP. As IPsec is only tunneling IP, it cannot
    constitute a full featured *L2* interface anyway (as you would need for
    bridging).

    The obvious solution is to establish any kind of tunnel that is able
    to work on top of IP (like GRE or L2TP or something like that) *through*
    the VPN. If the tunnel is able to do transparent bridging (I'm not sure
    with GRE, but L2TP is based on PPP which has a BridgeCP), you have it.
     
    Andre Beck, Nov 1, 2003
    #2
    1. Advertisements

  3. Jason

    Scooby Guest

    Well, I guess the real question is why? What is wrong with a standard vpn
    tunnel and routing? Do you need broadcasts for some reason?

    Anyway, I think the answer to your question is that it depends how you set
    it up. There are different was to create a vpn tunnel on cisco. Rather
    than creating a crypto map and applying it to an interface, you can create a
    tunnel interface and apply an ipsec profile to it. Do a search on Cisco for
    mGRE. It is a newer method of creating dynamic gre networks and it works
    well. That would give you the interface that you need. I'm weak on LAN
    bridging too, so not much help there. But, hopefully I helped with the
    interface part of it.

    Jim
     
    Scooby, Nov 1, 2003
    #3
  4. Jason

    Jason Guest

    Andre - thanks for clarify that in my mind - after I wrote this I
    realised that there was inherently a problem with using IPSec (Layer
    3) to do LAN bridging (layer 2) ...
    Good solution - had a look at GRE; as you say, not sure it can be
    done. L2TP sounds like the way to go ... any pointers on how to
    configure it under IOS?

    Jason Dinsdale
     
    Jason, Nov 4, 2003
    #4
  5. Jason

    Andre Beck Guest

    I've never done anything remotely like that, so I can't plug in much hints
    here. In such cases, I'm usually doing two things:

    1) Go www.cisco.com, enter the terms in question at the search prompt,
    and scan/read a bit through what comes out, collecting buzzwords and
    trying to get a scheme.
    2) Go to Products/IOS Software/Release 12.x/Config Guides/... and look
    for the guide that most likely will have it. Print and have a nice
    read...

    Sometimes you're the lucky one, finding a TAC approved recipe for exactly
    what you were searching instantly upon 1). Just give it a try.
     
    Andre Beck, Nov 6, 2003
    #5
  6. Jason

    Jason Guest


    I was hoping of course that you might just be able to throw something
    out 'off the top of you head' so to speak! Thanks for the help in
    sanity-checking what I'm trying to do - much appreciated.

    Jason
     
    Jason, Nov 8, 2003
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.