01-24-2013 09:48 AM
We are implementing a secondary office location. Until our new fiber is put in place, we will be using a wireless access point and creating a VPN tunnel between the 2 sites. I can't get my head around how I can have the remote switch connected to our network at our main site.
Currently I have the remote switch (2900al) at the main site for configuration and have it connected to our network no problem and can see the switch in PCM. To enable the connection to our network I created a VLAN on both switches and made sure the ports on each switch were in this new VLAN. The main site has a pair of 5406zl that are trunked together. How would I be able to accomplish the same thing when the switch is in a remote location?
01-24-2013 02:11 PM
If you want to join "CORE switches" and "Remote Switch" from your diagram on the same VLAN, you need to provide a layer 2 (bridged/switched) connection between them. Since you have a firewall in the data path, it's very unlikely that you have this - your connection is most likely layer 3. There are various ways to achieve what you're asking, including plugging your fibre (when it comes) directly into the switches and bypassing the firewalls (assuming your ISP is providing a bridged connection), but this is generally not a preferred option. Layer 2 WAN links have the possibility of taking down both sites with a broadcast storm (even a single bad workstation NIC can do this), so I would recommend keeping the sites separated at layer 3 and using routing to get between them.
01-25-2013 01:51 PM
I'm not quite following your comments. Are you able to amend doubleH's diagram to your suggested config/topology?
01-25-2013 04:44 PM
The issue with L2 WAN links is you have everything in one broadcast domain. See http://blog.ioshints.info/2012/05/layer-2-network-
01-26-2013 07:42 AM
01-26-2013 08:10 AM
A broadcast storm in one VLAN should not impact another on the same site, but think about what happens to a 100 Mbps WAN link, for example, if it is connecting two 1 Gbps environments: a broadcast storm on VLAN 10 on site A floods across the link to site B, and even though VLAN 20 on site A may be unaffected, VLAN 20 between the two sites is affected, because VLAN 10 is taking all of the bandwidth on the link. This can happen in LAN environments as well, but will often have less impact.
01-26-2013 01:27 PM
Also what if a variation of spanning tree were enabled on the two switches? Would that alter your concerns of a L2 WAN link?
01-26-2013 02:26 PM
Broadcasts are sent to the all-ones MAC address (ff:ff:ff:ff:ff:ff), and switches forward these frames to all ports on the VLAN except for the one on which they receive them. So broadcast storms are certainly possible.
Spanning Tree can prevent broadcast storms at the source, and it should definitely be deployed on normal office LANs. But a broadcast storm will definitely cross an L2 WAN link if it is not prevented before reaching it.
I'm not saying you should immediately change your link from L2 to L3, but when I'm deploying new WAN links, I always try to use L3.
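As an added illustration of the two points made in the replies above (a bridge floods a broadcast to every port in the VLAN except the ingress port, and a storm on one VLAN starves other VLANs sharing a slower inter-site link), here is a small Python model that is not part of the thread. The 100 Mbps link speed, frame counts, port names and MAC address are constructed assumptions.

```python
"""Constructed model (not from the thread) of a 100 Mbps WAN link shared by
two VLANs while VLAN 10 suffers a broadcast storm, bridged vs. routed."""
from collections import namedtuple

Frame = namedtuple("Frame", "vlan dst_mac size_bits")
BROADCAST = "ff:ff:ff:ff:ff:ff"
LINK_BPS = 100_000_000     # one-second bit budget of the 100 Mbps WAN link
FRAME_BITS = 1500 * 8      # full-size frame; headers ignored for simplicity
# Bridged topology (assumed): the WAN uplink is a member of both VLANs.
VLAN_PORTS = {10: {"access", "wan"}, 20: {"access", "wan"}}


def bridge_egress_ports(frame, ingress, vlan_ports=VLAN_PORTS):
    """L2 rule: flood to every port in the frame's VLAN except the ingress port."""
    return {p for p in vlan_ports[frame.vlan] if p != ingress}


def crosses_wan(frame, mode, ingress="access"):
    """Whether a frame entering the site-A edge device reaches the WAN link."""
    if mode == "l2":
        return "wan" in bridge_egress_ports(frame, ingress)
    # Routed link: a router does not forward link-layer broadcasts, so the
    # storm stays inside site A; unicast toward site B is still routed.
    return frame.dst_mac != BROADCAST


def deliver(frames, capacity_bits=LINK_BPS):
    """Tail-drop link model: send in arrival order until the one-second
    bit budget is used up, then drop everything else."""
    delivered, used = [], 0
    for f in frames:
        if used + f.size_bits <= capacity_bits:
            delivered.append(f)
            used += f.size_bits
    return delivered


def vlan20_delivery_ratio(mode, storm_frames=200_000, normal_frames=1000):
    """Fraction of VLAN 20 site-A unicast traffic reaching site B while a
    VLAN 10 broadcast storm competes for the same link."""
    storm = [Frame(10, BROADCAST, FRAME_BITS)] * storm_frames
    normal = [Frame(20, "00:11:22:33:44:55", FRAME_BITS)] * normal_frames
    # Interleave evenly so both flows compete for the same link capacity.
    per_slot, offered = storm_frames // normal_frames, []
    for i, n in enumerate(normal):
        offered.extend(storm[i * per_slot:(i + 1) * per_slot])
        offered.append(n)
    got = deliver([f for f in offered if crosses_wan(f, mode)])
    return sum(1 for f in got if f.vlan == 20) / normal_frames
```

With these assumptions the bridged link delivers about 4% of VLAN 20's traffic during the storm, while the routed link delivers all of it because the broadcasts never leave site A.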