
VLAN across WAN July 9, 2009

Posted by jamesisaac in Uncategorized.

Stop me if you’ve heard this: you can’t extend a VLAN across a WAN. Or the alternative comment: you can, but why would you want to? After all, a VLAN is a container for a broadcast domain, right? And those are done with local, physical entities. Routers act to block broadcasts, so your broadcast domain can’t extend past a router.

Sure, that’s true to one degree or another. In a bandwidth-constricted environment, forwarding all your broadcasts across a small pipe is a recipe for disaster. But what if you’ve got a larger pipe, say, 10mb ethernet, and you promise that you’ll selectively forward some VLANs and not others? Then can you do it?

I pursued this for practical and theoretical reasons, and found that you can in fact span a VLAN across a WAN by reaching waaaaay back and building a bridge. Yep, we’re going to bridge that WAN.

I have two routers, with two ethernet interfaces each. Fast0/0 is the inside and Fast0/1 is the outside on both routers. The secret is to create subinterfaces and encapsulate dot1q for your subinterfaces. That puts the VLAN tag on that traffic. Then, just enable bridging for each respective subinterface, and you’re gold.

This config is for Cisco routers. YMMV.

bridge crb
!
!
interface FastEthernet0/0
 description Corp local network
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 3
 ip address 192.168.1.1 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 no snmp trap link-status
 bridge-group 102
!
interface FastEthernet0/0.103
 encapsulation dot1Q 103
 no snmp trap link-status
 bridge-group 103
!
interface FastEthernet0/1
 description Interface to DC
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.252
 no snmp trap link-status
!
interface FastEthernet0/1.102
 encapsulation dot1Q 102
 no snmp trap link-status
 bridge-group 102
!
interface FastEthernet0/1.103
 encapsulation dot1Q 103
 no snmp trap link-status
 bridge-group 103
!
bridge 102 protocol ieee
bridge 103 protocol ieee

So what I did was build three subinterfaces on this wire. VLAN 3 is routed: one subnet on one side, a different subnet on the other, and a tiny subnet in between to glue the two networks together. We use VLANs here even though this is just a routed network because the network ports on either side are full 802.1Q trunk ports. VLAN 102 and VLAN 103 are true “broadcast” VLANs. There’s no IP information on them, because you don’t use IP routing with a bridge. The secret sauce is configuring a bridge-group for each VLAN and then activating that bridge group with the “bridge 102 protocol ieee” command, which also runs IEEE spanning tree over the bridged VLAN. Nothing else in the config hints at this, and bridging is not on by default (at least in the version of code I was using). The other router should be configured identically, except that the VLAN 3 information would be for the local network on the other side. Use the same VLAN encapsulation and bridge-group numbering.

I don’t recommend doing this with your main networks, as you will then be sending all of your broadcast traffic across the wire for (probably) no good reason. I’m doing it to fix some workstation deployment issues using a non-standard PXE boot appliance, as well as just to see if it is possible. Using VLANs in this manner essentially makes your VLAN’ed network portable between physical networks. Since the IP addresses don’t change (remember, it’s not a routed network), you can move your devices around from one site to another without having to renumber them. Keep in mind that their default router may be on the other side of the physical network, though, so you may want to fix that once you finish moving devices around.
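Because the bridge-group lines are easy to miss and the “bridge N protocol” line is what actually activates them, it helps to audit a running-config for exactly which VLANs now have their broadcast domain stretched over the WAN port and which bridge-groups were never activated. This is an added example, not from the post; it assumes the IOS syntax shown above, and the sample config is constructed from the post’s config with “bridge 103 protocol ieee” deliberately left out so the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample based on the post's config; 'bridge 103 protocol ieee' is deliberately omitted.
SAMPLE_CONFIG = """\
bridge crb
interface FastEthernet0/0.1
 encapsulation dot1Q 3
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 bridge-group 102
interface FastEthernet0/0.103
 encapsulation dot1Q 103
 bridge-group 103
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.252
interface FastEthernet0/1.102
 encapsulation dot1Q 102
 bridge-group 102
interface FastEthernet0/1.103
 encapsulation dot1Q 103
 bridge-group 103
bridge 102 protocol ieee
"""

def parse_bridging(config):
    """Return ({bridge_group: {(parent_port, vlan), ...}}, {groups that have a 'bridge N protocol' line})."""
    members, protocols, current, vlan = defaultdict(set), set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current, vlan = line.split(None, 1)[1].split(".")[0], None  # physical parent port
        elif line.startswith("encapsulation dot1Q "):
            vlan = int(line.split()[2])
        elif line.startswith("bridge-group ") and current:
            members[int(line.split()[1])].add((current, vlan))
        elif (m := re.match(r"bridge (\d+) protocol \S+", line)):
            protocols.add(int(m.group(1)))
    return members, protocols

def audit(config, wan_port):
    """VLANs whose broadcast domain is bridged across wan_port, plus bridge-groups that are never activated."""
    members, protocols = parse_bridging(config)
    spanning = sorted({vlan for ends in members.values()
                       if any(port == wan_port for port, _ in ends) and len({p for p, _ in ends}) > 1
                       for _, vlan in ends if vlan is not None})
    inactive = sorted(group for group in members if group not in protocols)
    return {"vlans_bridged_over_wan": spanning, "bridge_groups_without_protocol": inactive}
```

Run `audit(SAMPLE_CONFIG, "FastEthernet0/1")` to see VLANs 102 and 103 reported as spanning the WAN and bridge-group 103 reported as configured but never activated.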
