Connecting PANs between Head Office and Data Center
PAN1 (Head Office) <----- Switch1 ------Trunk Link to Datacenter ------Switch 2-------->PAN2 (DataCenter)
Trunk Link between Head office and Data Center is L2MPLS/Pseudowire Link
For the above to work,
1. I'm going to create VLAN 35 on the Cisco switches and use the trunk link between Head Office and Data Center.
2. I'm going to provide an IP for PAN1: 192.168.35.1 (@Head Office) and an IP for PAN2: 192.168.35.2 (@Data Center) and associate the VLAN 35 tag with it.
The reason for doing the above is that if there are PCs/servers on VLAN 35, I'm going to point the gateway at 192.168.35.2 as a static route on PAN1.
Will the above work, and what configs would I need to have on both the Cisco switches and the PANs at both sites?
If the above is not a good way to proceed, please suggest some better options.
Are all your other VLANs on the inter-site trunk as well? In that case you'd need to move the PAN VLAN interfaces over to PAN2 and add routes to PAN1 crossing vlan35; the SVI's route can be changed to point to PAN2.
Up to the point where you mention PCs/servers, it reads like you will simply use vlan35 as an interconnection between the two sites, in which case you would simply treat each remote firewall as a next-hop router (i.e., add routes for site2 on PAN1 pointing to 192.168.35.2, and add routes for site1 on PAN2 pointing to 192.168.35.1).
So far so good I think, but is there a reason for PCs and Servers to also live on vlan35?
If there are, you need to consider where their default route is pointed and how that will influence traffic to both sites. If you set the default route to .35.2, everything on site2 will work as expected, as site2 will simply be a connected network with no complications, but if these systems also need to reach resources on site1, how will you address this?
- If you add static routes on the hosts themselves, that will work. The drawback is that this will introduce 'non-standard configuration' that could cause issues in the future if you add or replace a host.
- If you bounce sessions off of PAN2, you need to add U-turn NAT so the connections are source-NATed behind the PAN2 interface (192.168.35.2), to prevent PAN1 replying directly to the host and creating an incomplete session on PAN2 (which will close the session and cause connectivity problems for the hosts in vlan35).
So if you can avoid having hosts in vlan35, I would recommend you consider this. It will make deployment very straightforward.
Hope this helps.
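The asymmetric-routing point in the reply above, worked through as an added forwarding simulation. This is not code from the thread or from either vendor; it models the two firewall addresses the thread gives, while the site prefixes, host addresses, gateway choices and route tables are constructed assumptions. It traces the forward and reply path of one session and checks whether the stateful firewall sees both directions, for the plain design, for a host placed on vlan35, for that host with U-turn NAT on PAN2, and for the host-side static-route alternative.

```python
"""Forwarding simulation of the vlan35 design discussed in the thread.

Constructed model: vlan35 (192.168.35.0/24) carries PAN1 (192.168.35.1, head
office) and PAN2 (192.168.35.2, data center). Site prefixes, host addresses
and route tables below are assumptions; the thread names only the two PANs.
"""
from ipaddress import ip_address, ip_network

TRANSIT = ip_network("192.168.35.0/24")
SITE1_LAN = ip_network("10.1.0.0/16")      # assumed LAN behind PAN1 (head office)
SITE2_LAN = ip_network("10.2.0.0/16")      # assumed LAN behind PAN2 (data center)
DEFAULT = ip_network("0.0.0.0/0")

PAN1 = ip_address("192.168.35.1")
PAN2 = ip_address("192.168.35.2")
SRV_SITE1 = ip_address("10.1.0.10")        # assumed server at head office
PC_SITE2 = ip_address("10.2.0.20")         # assumed PC in the data center
PC_VLAN35 = ip_address("192.168.35.50")    # assumed PC placed directly on vlan35

# Per-node routing tables as (prefix, next_hop). next_hop None means the prefix
# is directly connected, so the node delivers to the destination itself.
BASE_ROUTES = {
    PAN1: [(SITE1_LAN, None), (TRANSIT, None), (SITE2_LAN, PAN2)],
    PAN2: [(SITE2_LAN, None), (TRANSIT, None), (SITE1_LAN, PAN1)],
    SRV_SITE1: [(SITE1_LAN, None), (DEFAULT, PAN1)],
    PC_SITE2: [(SITE2_LAN, None), (DEFAULT, PAN2)],
    PC_VLAN35: [(TRANSIT, None), (DEFAULT, PAN2)],   # default gateway .35.2
}


def lookup(routes, node, dst):
    """Longest-prefix match in node's table; None means dst is connected."""
    matches = [(p, nh) for p, nh in routes[node] if dst in p]
    if not matches:
        raise LookupError(f"{node} has no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def path(routes, src, dst):
    """Ordered list of firewalls a packet from src to dst passes through."""
    hops, node = [], src
    while True:
        nh = lookup(routes, node, dst)
        if nh is None:                      # dst is on a connected network
            return hops
        node = nh
        hops.append(node)
        if len(hops) > 8:
            raise RuntimeError("routing loop")


def session(routes, client, server, uturn_nat_on=None):
    """Forward and reply paths of one session.

    uturn_nat_on models the U-turn NAT from the reply: that firewall source-NATs
    the client behind its own vlan35 address, so the server answers the firewall,
    which untranslates and delivers the reply to the client itself.
    """
    fwd = path(routes, client, server)
    if uturn_nat_on is not None and uturn_nat_on in fwd:
        rev = path(routes, server, uturn_nat_on)
        if not rev or rev[-1] != uturn_nat_on:
            rev.append(uturn_nat_on)
    else:
        rev = path(routes, server, client)
    return fwd, rev


def firewall_sees_both_directions(fw, fwd, rev):
    """A stateful firewall keeps the session only if it sees both directions."""
    return fw in fwd and fw in rev


def scenario_site_to_site():
    """Hosts behind each PAN, vlan35 used purely as transit: symmetric."""
    fwd, rev = session(BASE_ROUTES, PC_SITE2, SRV_SITE1)
    return firewall_sees_both_directions(PAN2, fwd, rev)


def scenario_host_on_vlan35_plain():
    """PC on vlan35 with gateway .35.2 reaching site1: PAN1 replies to the PC
    directly on the shared subnet, so PAN2 never sees the return traffic."""
    fwd, rev = session(BASE_ROUTES, PC_VLAN35, SRV_SITE1)
    return firewall_sees_both_directions(PAN2, fwd, rev)


def scenario_host_on_vlan35_uturn_nat():
    """Same session with U-turn NAT on PAN2: the reply now comes back via PAN2."""
    fwd, rev = session(BASE_ROUTES, PC_VLAN35, SRV_SITE1, uturn_nat_on=PAN2)
    return firewall_sees_both_directions(PAN2, fwd, rev)


def scenario_host_on_vlan35_static_route():
    """Host-side fix: a static route on the PC sends site1 traffic to PAN1, so
    the session never touches PAN2 and stays symmetric on PAN1."""
    routes = dict(BASE_ROUTES)
    routes[PC_VLAN35] = [(TRANSIT, None), (SITE1_LAN, PAN1), (DEFAULT, PAN2)]
    fwd, rev = session(routes, PC_VLAN35, SRV_SITE1)
    return firewall_sees_both_directions(PAN1, fwd, rev) and PAN2 not in fwd + rev


if __name__ == "__main__":
    for fn in (scenario_site_to_site, scenario_host_on_vlan35_plain,
               scenario_host_on_vlan35_uturn_nat, scenario_host_on_vlan35_static_route):
        print(f"{fn.__name__:38s} session complete: {fn()}")
```

Only the plain vlan35-host scenario fails, for the reason the reply gives: PAN2 forwards the first packet but the return path bypasses it, so PAN2 holds a half-open session and eventually drops it. Either NATing the client behind 192.168.35.2 or giving the host its own route to PAN1 restores symmetry.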