L2 VPN traffic from central to remote

  • Question
  • Updated 5 years ago
  • Answered
I have a BR100 in AP-mode configured as an L2 VPN client, and an AP320 configured as an L2 VPN Server.

On the BR100, I have one UserProfile that is used for clients that connect both to the SSID and the 4 LAN ports.
Traffic from users in this User Profile is configured to be tunneled. The traffic should connect to VLAN 11 on the central site.

From the remote site, this works like a charm.
Clients that connect to the SSID or the LAN ports on the BR100 receive an IP address from the correct VLAN on the central site, and are able to contact hosts that are found on the central site.

But... What I would like to do is also to be able to have a host with a static IP connected to one of the LAN ports of the BR100 on the remote site. And then let devices on the central site network contact this host across the L2 VPN.
I have tested a little, but have not found any solutions to this. When the traffic is coming in that direction, there is no obvious way to tell the AP that this traffic should be tunneled as it is not tied to a User Profile.
Is this at all possible to achieve with an L2 VPN? Or would an L3 VPN with a HiveOS VA be required in this scenario?

regards,
Ivar
Ivar Bauge

Posted 5 years ago
Andrew Garcia, Official Rep
Out of curiosity, if your remote client is using a DHCP address, can devices on the central side contact the remote client? Just curious whether the static IP address has something to do with it: since the remote client never had to go through the tunnel to get an IP address, the AP320 doesn't have an ARP record for it yet.

If this is the problem, then maybe instead of setting a static IP address on the remote client, you instead make a DHCP reservation for it.

I'll try to mock this up in my lab in the next few days and see what I can find out.
Andrew Garcia, Official Rep
Also, are you sure there are no firewall rules configured for the user profile that would block inbound traffic to the client?
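The ARP hypothesis in the reply above is easy to check from both ends before blaming the tunnel. The script below is an added diagnostic, not something posted in this thread and not Aerohive tooling; it assumes Linux hosts on both sides, iproute2 (`ip neigh`) on a central-site host, iputils `arping` on the remote static host, and that the caller supplies the remote host's address and interface. The parsing and classification functions run on a constructed neighbour-table sample so they can be tried offline; `central_probe` and `remote_announce` need the real network and root for arping.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether the central side
# ever resolves the remote static host's MAC across the L2 tunnel, and let the
# remote host pre-announce itself with unsolicited ARP.
# Assumptions: Linux, iproute2 `ip neigh`, iputils `arping`; addresses below are
# constructed for illustration.

# neigh_state IP NEIGH_OUTPUT
# Print the neighbour state (REACHABLE, STALE, FAILED, INCOMPLETE, ...) that the
# text of `ip -4 neigh show` records for IP, or NONE if there is no entry at all.
# The state is always the last field of an `ip neigh` line.
neigh_state() {
    ip="$1"
    out="$2"
    printf '%s\n' "$out" | awk -v ip="$ip" '
        $1 == ip { st = $NF; found = 1 }
        END { print (found ? st : "NONE") }'
}

# classify STATE: turn a neighbour state into an operator-level verdict.
classify() {
    case "$1" in
        REACHABLE|DELAY|PROBE) echo "resolved" ;;          # MAC learned via the tunnel
        STALE)                 echo "cached-unverified" ;; # old entry, not re-confirmed
        FAILED|INCOMPLETE)     echo "unresolved" ;;        # ARP request never answered
        NONE)                  echo "no-entry" ;;          # central side never tried
        *)                     echo "unknown" ;;
    esac
}

# central_probe IP: run on a host in VLAN 11 at the central site. One ping forces
# an ARP request toward the remote host; the neighbour table then tells you
# whether the reply ever came back through the tunnel.
central_probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
    classify "$(neigh_state "$1" "$(ip -4 neigh show)")"
}

# remote_announce IFACE IP: run as root on the static-IP host behind the BR100.
# Sends three unsolicited (gratuitous) ARP replies for IP so the server side has
# a neighbour entry before any central-to-remote traffic is attempted.
remote_announce() {
    arping -U -I "$1" -c 3 "$2"
}

# Constructed sample of `ip -4 neigh show` output used for the offline demo.
SAMPLE_NEIGH='10.11.0.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.11.0.50 dev eth0 FAILED
10.11.0.99 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE'

# demo IP: classify one address against the constructed sample.
demo() {
    classify "$(neigh_state "$1" "$SAMPLE_NEIGH")"
}

# Offline demonstration; the live functions are left for the operator to call.
for host in 10.11.0.20 10.11.0.50 10.11.0.99 10.11.0.1; do
    printf '%s: %s\n' "$host" "$(demo "$host")"
done
```

A "no-entry" or "unresolved" verdict on the central host after the remote host has run `remote_announce` points at the tunnel itself rather than at missing ARP state, which is consistent with the support answer later in this thread that L2 tunnels only carry connections initiated from the client side.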
Ivar Bauge
Hi Andrew,
Thanks for your reply!

I have also asked the same question to the Aerohive Support Desk.
And I have just received this answer:

"Ivar,

Layer 2 tunnels only allow connections from the VPN client side of the network to the VPN server side of the network, they are effectively one-way.

To get bi-directional communication between the BR100 site and the central office, you would need a CVG in place and use Layer 3 tunnels.

This is documented on the VPN Service Settings page of the Aerohive Help, if you need to show an example to your customer."

So I guess there is no need to do any further testing on this...

Regards,
Ivar