VLAN Site-to-Site VPN Issues



  • Going to try and explain this correctly 🙂 (before people jump in with "why VLANs", we just are 😛)

    So we've got our HO network 10.0.1.X - Cisco switch 10.0.1.220 doing inter-VLAN routing - VLAN30 172. VLAN50 172. VLAN15 172.20.0.220

    Everything is working fine at HO, as PCs on the 10.0.1. addresses can see/ping all the VLANs and vice versa. So the VLAN stuff is working (well, it's been set up for almost 12 months and it's fine). Should also mention we have 44 sites connected via MPLS and they are also working and can access the VLANs.

    The issue has arrived where we have added a few sites we acquired via site-to-site VPN using a mix of Draytek 2860 and EdgeRouters (until they are added to the MPLS in Jan '17). They are pinging the 10.0.1. network fine, but I can't get them to ping any of the VLAN networks. They can ping 10.0.1.220 (Cisco switch); also, the Cisco switch has got the static route to these sites via the Draytek at HO (10.0.1.242).

    I'm wondering whether I have missed a tick box somewhere, or missed a setting where I should add the VLAN IPs, or tagging on the switch/router.

    On tagging, the port from the Draytek to the switch is set to Tagged on all VLANs.

    Diagram of the basic concept I'm trying to work on (attached as an image in the original post).



  • So I've got the Draytek working by adding the VLAN IP to the VPN settings (screenshot attached in the original post).

    Just need to find the command for the EdgeRouter now 🙂


  •

    MPLS is most likely using BGP and advertising the networks. A VPN needs a Phase 2 entry for every network (or a superscope that covers it). VPNs also need proper firewall rules, compared to MPLS, which is usually treated as trusted.



  • You have to add a subnet for each remote network in the ERL. You could simply change the remote network to 10.0.1.0/17 or something.
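As an added illustration of the two answers above (not from the thread or from Ubiquiti), the script below emits one EdgeOS site-to-site tunnel (a Phase 2 traffic selector) per HO subnet, and checks which subnets a proposed summary prefix would actually select traffic for. The peer address, site LAN and the HO VLAN subnets are constructed placeholders, since the thread elides the real 172.x ranges; the IKE/ESP groups and pre-shared key are assumed to be configured already.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values (not the thread's real addresses).
HO_PEER = "203.0.113.10"                 # HO VPN endpoint (documentation range)
SITE_LAN = "192.168.50.0/24"             # acquired site's LAN behind the EdgeRouter
HO_SUBNETS = [                           # HO flat LAN plus the three routed VLANs
    "10.0.1.0/24",
    "172.20.0.0/24",                     # VLAN15 (placeholder range)
    "172.30.0.0/24",                     # VLAN30 (placeholder range)
    "172.50.0.0/24",                     # VLAN50 (placeholder range)
]


def edgeos_phase2_commands(peer: str, local_lan: str,
                           remote_subnets: Iterable[str]) -> List[str]:
    """Build EdgeOS 'set' commands: one tunnel per remote subnet.

    Each tunnel carries its own local/remote prefix pair, which is what
    the IPsec Phase 2 selector is negotiated from; a subnet that has no
    tunnel entry is simply never encrypted, so pings to it fail silently.
    """
    cmds = []
    for n, subnet in enumerate(remote_subnets, start=1):
        # strict=True rejects a prefix with host bits set (e.g. 172.20.0.1/24),
        # which would otherwise produce a selector that never matches.
        ipaddress.ip_network(subnet, strict=True)
        base = f"set vpn ipsec site-to-site peer {peer} tunnel {n}"
        cmds.append(f"{base} local prefix {local_lan}")
        cmds.append(f"{base} remote prefix {subnet}")
    return cmds


def uncovered_by_summary(summary: str, subnets: Iterable[str]) -> List[str]:
    """Return the subnets a single summary ('superscope') prefix would NOT cover.

    Useful before replacing many tunnels with one wide remote prefix: the
    summary must contain every VLAN subnet, or those VLANs stay unreachable.
    """
    summ = ipaddress.ip_network(summary, strict=False)   # 10.0.1.0/17 -> 10.0.0.0/17
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(summ)]


if __name__ == "__main__":
    print("\n".join(edgeos_phase2_commands(HO_PEER, SITE_LAN, HO_SUBNETS)))
    print("not covered by 10.0.1.0/17:", uncovered_by_summary("10.0.1.0/17", HO_SUBNETS))
```

Whichever approach is used, the EdgeRouter firewall rules on the VPN interface still need to permit the 172.x ranges, as the MPLS comparison above points out.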

