VLAN and VPN

Posted by elesser on January 17, 2007, 1:05 pm


Hi everyone,

I had the following question today on my exam:
"Is it possible to use a VPN connection on a VLAN ?".

I answered that technically it is possible, but that it is not
recommended to do so, because VLAN is running on layer 2 and VPN on
layer 3/4. Furthermore, there is a new standard in development, L2VPN.
So logically, if VPN would be available for layer 2 protocols, why
would we need a new standard?

My question is now: does this make any sense at all??

Thanks


Posted by Walter Roberson on January 17, 2007, 4:44 pm



>I had the following question today on my exam:
>"Is it possible to use a VPN connection on a VLAN ?".

>I answered that technically it is possible, but that it is not
>recommended to do so, because VLAN is running on layer 2 and VPN on
>layer 3/4. Furthermore, there is a new standard in development, L2VPN.
>So logically, if VPN would be available for layer 2 protocols, why
>would we need a new standard?

>My question is now: does this make any sense at all??

Your last line is circular reasoning. It could be that there
were some layer 2 facets that there was some choice about in
implementing a layer 2 VPN, with a standard arising to
unify the choices, but with it still (hypothetically) being
perfectly possible to do layer 2 VPNs. Any given standard does
not have to introduce new functionality: it could instead act to
normalize existing functionality.


Before answering the question, I would want to know what they
meant by VPN and what they meant by VLAN. For example, is it
possible to use MPLS to implement a private layer 2 extension
to a LAN that was carrying 802.1Q packets? (As far as I understand, Yes).
Can GRE be used to encapsulate layer 2 packets, with or without
ISL tags? (Sure can.) Can PIX 6.3 be configured to sit on an 802.1Q
tagged trunk and see foreign-destined IP packets with any given
802.1Q tag, and forward those on (stripped of tag) over an IPSec VPN?
(Yes.) Will PIX 6.3 preserve random 802.1Q tags in regular traffic
over an IPSec VPN? (No, it will ignore the packets unless configured
to have a "logical interface" in that VLAN.)

Posted by elesser on January 17, 2007, 4:54 pm


Hi,

Thanks for your reply.

I am not entirely familiar with all the things you mentioned, but the
question was actually very general. They simply asked if VLAN would in
any way be compatible with VPN technically and if yes, if it would be
'a good idea' to implement such a configuration.

Now, I am pretty sure that it is technically possible to implement VPN
in a VLAN, but I am not sure if this would be ethically correct with
the OSI concept of layers. So that's basically what I'm asking here.

Thanks.

On 17 jan, 22:44, rober...@hushmail.com (Walter Roberson) wrote:
>
> >I had the following question today on my exam:
> >"Is it possible to use a VPN connection on a VLAN ?".
> >I answered that technically it is possible, but that it is not
> >recommended to do so, because VLAN is running on layer 2 and VPN on
> >layer 3/4. Furthermore, there is a new standard in development, L2VPN.
> >So logically, if VPN would be available for layer 2 protocols, why
> >would we need a new standard?
> >My question is now: does this make any sense at all??
>
> Your last line is circular reasoning. It could be that there
> were some layer 2 facets that there was some choice about in
> implementing a layer 2 VPN, with a standard arising to
> unify the choices, but with it still (hypothetically) being
> perfectly possible to do layer 2 VPNs. Any given standard does
> not have to introduce new functionality: it could instead act to
> normalize existing functionality.
>
> Before answering the question, I would want to know what they
> meant by VPN and what they meant by VLAN. For example, is it
> possible to use MPLS to implement a private layer 2 extension
> to a LAN that was carrying 802.1Q packets? (As far as I understand, Yes).
> Can GRE be used to encapsulate layer 2 packets, with or without
> ISL tags? (Sure can.) Can PIX 6.3 be configured to sit on an 802.1Q
> tagged trunk and see foreign-destined IP packets with any given
> 802.1Q tag, and forward those on (stripped of tag) over an IPSec VPN?
> (Yes.) Will PIX 6.3 preserve random 802.1Q tags in regular traffic
> over an IPSec VPN? (No, it will ignore the packets unless configured
> to have a "logical interface" in that VLAN.)


Posted by Denis Jedig on January 18, 2007, 12:15 pm


On 17 Jan 2007 13:54:01 -0800 elesser wrote:

> Now, I am pretty sure that it is technically possible to implement VPN
> in a VLAN, but I am not sure if this would be ethically correct with
> the OSI concept of layers. So that's basically what I'm asking here.

I still can't understand the reason for your confusion. L2 VLANs are
completely transparent at L3, so questions about VPNs being in any way
"compatible with" or "ethical correct within" VLANs are moot. The two
technologies do not provide even remotely similar functionality, so what is
your actual problem?

--
Denis Jedig
syneticon networks GbR http://syneticon.net/service/
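
Added example, not part of the original thread: this Python sketch builds an 802.1Q-tagged Ethernet frame and shows the point made in the two replies above, that a layer-3 VPN gateway tunnels only the IP packet (the tag is gone), while a layer-2 encapsulation carries the whole frame with the tag intact. The MAC addresses, IP header bytes and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, optionally with one 802.1Q tag."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vlan_id or None, ethertype, layer-3 payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    return vlan_id, ethertype, frame[offset:]

def l3_tunnel_input(frame):
    """What a layer-3 VPN gateway hands to the tunnel: the IP packet only."""
    return parse_frame(frame)[2]

def l2_tunnel_input(frame):
    """What a layer-2 encapsulation carries: the whole frame, tag included."""
    return frame

# Constructed sample: one IPv4 header (checksum left zero) sent on VLAN 10 and VLAN 20
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
IP_PACKET = bytes.fromhex("4500001400010000400600000a0000010a000002")
FRAME_V10 = build_frame(DST, SRC, 0x0800, IP_PACKET, vlan_id=10)
FRAME_V20 = build_frame(DST, SRC, 0x0800, IP_PACKET, vlan_id=20)

if __name__ == "__main__":
    print(parse_frame(FRAME_V10)[:2])                               # VLAN id and EtherType
    print(l3_tunnel_input(FRAME_V10) == l3_tunnel_input(FRAME_V20)) # same at layer 3
    print(parse_frame(l2_tunnel_input(FRAME_V20))[0])               # tag survives at layer 2
```

The two frames differ only in the 4-byte tag, so anything that operates on the IP packet sees them as identical; VLAN membership has to be re-established by configuration at the far end unless the tunnel carries layer-2 frames.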

Posted by elesser on January 18, 2007, 12:36 pm


Hi,

Let me try to explain my difficulty:
For example, a VLAN **can** be configured by IP-addresses, but it's not
recommended to do this because by doing so you're allowing ip-headers
to be opened in layer 2, which is not correct considering the OSI
model. However, it is technically possible to do it.

My question is now if there isn't a similar "concern" when using VPN
on a VLAN ?

Thanks.

> On 17 Jan 2007 13:54:01 -0800 elesser wrote:
>
> > Now, I am pretty sure that it is technically possible to implement VPN
> > in a VLAN, but I am not sure if this would be ethically correct with
> > the OSI concept of layers. So that's basically what I'm asking here.
>
> I still can't understand the reason for your confusion. L2 VLANs are
> completely transparent at L3, so questions about VPNs being in any way
> "compatible with" or "ethical correct within" VLANs are moot. The two
> technologies do not provide even remotely similar functionality, so what is
> your actual problem?
>
> --
> Denis Jedig
> syneticon networks GbR http://syneticon.net/service/

