Greetings. What is the recommended option for building tunnels to combine two segments of geographically dispersed LANs into a single broadcast domain with a common DHCP server: bridge-gre + bridge or l2tpv3 + bridge? And what is the fundamental difference between l2tpv3 (tcp) and l2tpv3 (udp), except that udp can work better with NAT?
Well since you ask about what is recommended to bridge 2 LANs in a single broadcast domain, a very important point is that it is really, really NOT recommended to do this at all.
This being said,
GRE alone doesn’t encrypt traffic, so it requires an additional layer, usually IPSEC, to protect the traffic.
IPSEC is not very NAT friendly, so if there’s a NAT between the endpoints, L2TPv3 would be preferred.
Regarding TCP vs UDP, it’s a trade-off between performance (where UDP > TCP due to less overhead) and reliability (where TCP > UDP, managing retransmission and reordering).
In the case of a VPN tunnel UDP will perform better and the TCP traffic that is encapsulated will take care of the reliability.
So the answer is: DON’T DO THIS, please, this is a recipe for trouble; but if you really insist on doing it, then go L2TPv3 UDP.
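As an added example (not from the thread), here is what the L2TPv3-over-UDP + bridge option recommended above looks like as VyOS 1.3-style configuration on one side; interface names, addresses (RFC 5737 documentation ranges), port and tunnel/session IDs are placeholders, and the other side uses the same commands with local/remote and the peer IDs swapped.

```text
# Site A router (constructed example). eth0 = WAN, eth1 = LAN segment to be bridged.
# L2TPv3 itself carries no encryption: the UDP tunnel below is plaintext on the wire.
set interfaces l2tpv3 l2tpeth0 description 'L2 bridge to site B'
set interfaces l2tpv3 l2tpeth0 local-ip 192.0.2.1
set interfaces l2tpv3 l2tpeth0 remote-ip 198.51.100.1
set interfaces l2tpv3 l2tpeth0 encapsulation udp
set interfaces l2tpv3 l2tpeth0 source-port 5000
set interfaces l2tpv3 l2tpeth0 destination-port 5000
set interfaces l2tpv3 l2tpeth0 tunnel-id 10
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id 10
set interfaces l2tpv3 l2tpeth0 session-id 1
set interfaces l2tpv3 l2tpeth0 peer-session-id 1

# Put the LAN port and the tunnel interface into one bridge so both sites
# share a single broadcast domain (and therefore a single DHCP server).
set interfaces bridge br0 description 'stretched LAN'
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface l2tpeth0

commit
save
```

On site B, swap `local-ip`/`remote-ip` (and `tunnel-id`/`peer-tunnel-id`, `session-id`/`peer-session-id` if you choose different values per side); the UDP port must be reachable through any NAT in between, which is the property the answer above relies on.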
Thanks. Why is it not recommended to use the technology of combining two pieces of a common network spaced geographically into one with a single addressing?
I have done this in production before, for a sizeable network for a client who wanted (they insisted) exactly what you’re describing - a bridged connection between an island nation and a DR site on a continent. After experimenting with a lot of different options, I went with OpenVPN. I chose it because it was the only option (and I tried all the ones you’ve mentioned above as well) that offered everything. I was able to send 6 vlans through the one tunnel - and it encrypted them - vlan tags and all, and sent them out the other end of the tunnel with tags intact. It also handled fragmentation and reassembly extremely well, and even crazier (I know…) one of the vlans was an iSCSI SAN that ran with jumbo frames. vyos-openvpn-bridge took all of those jumbo frames, fragmented them, and re-assembled them at the other end just fine - and it ran without even 2 minutes of downtime for over 3 years.
… of course, this was on Vyatta, before it became VyOS. But the capabilities are pretty much the same.