
VLANS OVER FR WANS - HELP!!!!!!!!

Okay, this is my final shot here ... I have posted several times for help and get lots of half configs and empty promises, but I am holding out for the kind of help I see you giving everyone else ... so here goes.

I have a head office 4506 core switch running IOS that has ip routing enabled and has 10 VLANs on it ... in my head office, I have 6 floors, and each floor requires varied access to varying VLANs ... the edge switches are 2924XLs and 3750s ... these work flawlessly ... the problem is my 4 remote, FR-connected offices. These must be on VLANs as well and require access to servers in VLANs on the 4506 at my head office. All routers are 26xx, all networks are Ethernet; there is NOTHING odd or unusual in the setup. I just have no idea how to make the remote sites see the VLANs or talk to the VLANs at head office ... SOMEONE PLEASE HELP ME MAKE THIS WORK!!!!!!

 
If you replace the word "VLAN" with the word "IP subnet" then you may get a clearer picture of what you actually want to do.

In other words, you have several IP subnets on your 4506 core switch and you want the remote IP subnets to access the servers on the IP subnets on your 4506 core switch. So what you need to do is to perform simple IP routing over the FR.

Actually, are you networkgod99? I've found a similar post to which I gave a solution, though not with a command-based configuration script or whatever.

 
Actually I am not .... I have, however, used his account in the past (much to his dismay).

The problem is that all the VLANs are already created and unfortunately the executives here have it in their heads that it must be VLANs ..... All the remote offices can already access all the servers at head office ... it is the segmentation of the secure servers for which they feel the VLANs are necessary ..... can you help?
 
A VLAN is just a broadcast domain. Creating different VLANs means creating different broadcast domains, so that broadcasts will not be forwarded from one VLAN to another VLAN. The remote subnets in your case are of course different broadcast domains from those in your head office if you enable routing through the FR. A router, by default, does not forward broadcasts from one interface to another. Thus you can say that every interface on a router belongs to a different VLAN without any VLAN tagging, just like "switchport mode access" on Catalyst switches.

Also, DO NOT rely solely on VLANs for security purposes. Strictly speaking, creating VLANs DOES NOT strengthen the security of your network. Think of the SSID in a wireless network. Again, some people may think that the SSID provides security, but actually it's easy to use a wireless sniffer to get the SSIDs around, and that's why there are WEP/WPA/dot1x.

In your situation, I strongly recommend that you implement firewalls, or at least ACLs on the core switches or routers, to provide limited access to those secure servers. Also, properly hardening your servers, routers and switches will definitely improve security. Remember, improving security is not simply a one-click action.
 
The only way that you could carry VLANs across a WAN link would be to have the telco provider set up QinQ tag stacking to encapsulate your VLANs within the telco VLANs. At the moment I'm guessing that your traffic is being passed out of the routers to the FR network untagged. You would have to have trunk ports into telco switches, which could then encapsulate that traffic and pass it over their network to a trunk port on a switch at the other end over a metro-Ethernet network. You can't just route traffic out of a router and expect it to carry VLAN info to the other end.


Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
How about just implementing IP routing on the remote devices and using ACLs?
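Putting the two pieces of advice in this thread together (route the remote subnets over the Frame Relay, then fence the secure-server VLAN with an ACL on the 4506), here is an added configuration example. It was not posted by anyone in the thread and is not taken from the original poster's network: every address, VLAN number, DLCI, interface name and permitted TCP port below is an assumption chosen for illustration. VLAN 10 is taken as the secure-server VLAN, VLAN 20 as the one head-office floor that needs it, and the local VLAN 10 at remote office 1 as the only remote subnet allowed in. The remote router is assumed to have a FastEthernet interface and an IOS image that supports 802.1Q subinterfaces; the other three remote sites follow the same pattern with their own DLCI and /24.

```ios
! ===== Head-office Catalyst 4506 (IOS, ip routing already enabled) =====
ip routing
!
interface Vlan10
 description Secure servers (example addressing)
 ip address 10.1.10.1 255.255.255.0
 ! "out" on an SVI filters traffic routed INTO VLAN 10, i.e. toward the servers,
 ! from every source: head-office floors and remote sites alike.
 ! Replies from the servers enter the SVI inbound and are not matched by this ACL.
 ip access-group SECURE-SERVERS out
!
interface Vlan20
 description Head-office finance floor (example)
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan99
 description Transit subnet to the head-office 26xx WAN router (example)
 ip address 10.255.0.1 255.255.255.252
!
interface FastEthernet3/1
 description WAN router FastEthernet0/0: plain access port, no trunk needed
 switchport mode access
 switchport access vlan 99
!
! All four remote LANs (172.16.1.0/24 .. 172.16.4.0/24) sit behind the WAN router
ip route 172.16.0.0 255.255.248.0 10.255.0.2
!
ip access-list extended SECURE-SERVERS
 remark Only the finance floor and remote office 1's VLAN 10 reach the secure servers
 permit tcp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 445
 permit tcp 172.16.1.0 0.0.0.127 10.1.10.0 0.0.0.255 eq 445
 permit tcp 172.16.1.0 0.0.0.127 10.1.10.0 0.0.0.255 eq 443
 remark Everything else, including the other head-office VLANs, is dropped
 deny   ip any any
!
! ===== Head-office 26xx, Frame Relay hub (example DLCIs) =====
interface FastEthernet0/0
 description To 4506 FastEthernet3/1 (VLAN 99 transit)
 ip address 10.255.0.2 255.255.255.252
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.101 point-to-point
 description PVC to remote office 1
 ip address 10.255.1.1 255.255.255.252
 frame-relay interface-dlci 101
!
! Serial0/0.102 .. Serial0/0.104 with DLCI 102 .. 104 serve remote offices 2 .. 4
ip route 172.16.1.0 255.255.255.0 10.255.1.2
! Everything in the 10/8 head-office space lives on the 4506
ip route 10.0.0.0 255.0.0.0 10.255.0.1
!
! ===== Remote office 1 26xx =====
! The remote site keeps its own VLANs on a router-on-a-stick trunk; the tags stay
! local to this LAN and only routed IP packets ever cross the Frame Relay PVC.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description Remote office 1 VLAN 10 (the only remote subnet permitted to the servers)
 encapsulation dot1Q 10
 ip address 172.16.1.1 255.255.255.128
!
interface FastEthernet0/0.20
 description Remote office 1 VLAN 20 (general users)
 encapsulation dot1Q 20
 ip address 172.16.1.129 255.255.255.128
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.101 point-to-point
 ip address 10.255.1.2 255.255.255.252
 frame-relay interface-dlci 101
!
ip route 0.0.0.0 0.0.0.0 10.255.1.1
```

Two points a practitioner should check before copying this pattern: the ACL is stateless, so it only expresses who may initiate connections to the server VLAN and on which ports, and any service the servers must reach outbound (DNS, updates, authentication) is untouched by it; and the static routes are only sensible because there are exactly four stubs behind one hub router, so if the topology grows, replace them with a routing protocol rather than adding more statics. Neither the 2924XL/3750 edge trunks nor the existing head-office VLANs need to change for this to work; the FR carries IP, not 802.1Q tags, exactly as the replies above describe.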
 