Trunk Between Routers, GRE over IPSec

Posted on 2010-09-14
Medium Priority
Last Modified: 2012-05-10
I am looking to add a 2nd ISP to our main site, which is currently using a 3640 as our internet router (NAT) and a 2821 as our firewall/inter-VLAN router (router on a stick). One of our remote sites is connected to the internet using an 1841 and uses a VPN to connect to the main site. I'm looking to change the way the remote site connects to our main site by using GRE over IPsec, and I was wanting to see if we can use both ISPs at our main site for redundancy on the VPN connection. The diagram below shows what I would like to accomplish, but I am not sure if a trunk between the 2 routers would work the way I want it to or not. I can't find much documentation about trunking between routers. Also, I am not fully sure whether using subinterfaces between the routers would limit functionality compared to using just the physical interface on 1 subnet.

Basically I want to create 2 separate GRE tunnels on the 1841 at the remote site, to tunnel to each IP on the 2821 subinterfaces at the main site. The trunk link between the 2821 and the 3640 would require public subnets from the 2 ISPs because NAT would cause issues. I want the GRE to terminate on the 2821 because the Cisco 3640 doesn't have a crypto IOS and the 2821 has VPN hardware built into the motherboard.

[Diagram: Proposed network change]

Would this work, or can you foresee any problems? Thanks!
Question by:cathchar
LVL 17

Accepted Solution

surbabu140977 earned 2000 total points
ID: 33682772
1) I don't see any reason; what can the 3640 do that the 2821 can't? We have used the 2821 as our core router for a long time with 70 tunnels and gigs of traffic with no issues. Why don't you swap the roles of the 3640 and the 2821? Things will be a sweet breeze for you then.

2) What's the problem with upgrading the IOS of the 3640 to a crypto one to support VPN?


LVL 17

Expert Comment

ID: 33682794
If you have usable public IPs for the LAN from your ISP, use them on the 2800 with usual trunking between the 3640 and 2821 and terminate the GRE as usual. There would be no issues.
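The design the thread converges on (802.1Q trunk between the two routers, one public subinterface per ISP on the 2821, two GRE tunnels to the 1841 protected by IPsec) as an added configuration sketch; it is not from the question or the answers, and every interface name, VLAN ID, address (RFC 5737 documentation ranges), key and crypto parameter is an assumption to be replaced with the site's own values. It assumes the 3640 routes the two ISP-provided public subnets to the 2821 rather than NATing them, and that the 2821 and 1841 run a security feature set that accepts these commands.

```cisco
! 2821 (main site): 802.1Q trunk toward the 3640, one subinterface per ISP
interface GigabitEthernet0/1.101
 description ISP-A public subnet, routed (not NATed) by the 3640
 encapsulation dot1Q 101
 ip address 192.0.2.2 255.255.255.248
interface GigabitEthernet0/1.102
 description ISP-B public subnet
 encapsulation dot1Q 102
 ip address 198.51.100.2 255.255.255.248
!
! IKE/IPsec policy shared by both tunnels (assumed values; match the IOS feature set)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Two GRE tunnels to the 1841, each sourced from a different ISP subinterface
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1.101
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1.102
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
! 1841 (remote site): same crypto block with keys for 192.0.2.2 and 198.51.100.2,
! then both tunnels from its single public interface ("shared" because they use one source)
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROT shared
interface Tunnel1
 ip address 10.255.0.6 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT shared
```

Failover between the two tunnels is then up to whatever routing runs over them (a routing protocol or floating static routes), which the thread does not cover; the keepalives only make a dead tunnel go line-protocol down. An inbound ACL on each public subinterface that admits only IKE (UDP 500) and ESP from the 1841's address keeps the untouched public /29s from exposing anything else on the 2821.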


Author Comment

ID: 33682949
Thanks for the response surbabu,
We are using the 2821 as our inter-VLAN router because of its dual gigabit ports. The 3640 only has FEs.

The 3640 is limited by its flash memory, which is at 16MB. From what I am seeing I would need 32 to upgrade, and I was wanting to avoid investing in it, but I might look into that. I still like the idea of the 2821 terminating the VPN due to CPU costs.

The 2 reasons I am using the 3640 to connect to the internet are that it has the interfaces, and that I can now use NetFlow to monitor the port on the 2821 connected to the 3640 to get accurate information. When I use NetFlow to monitor the 3640 ports, NAT makes the reporting unusable because it shows the NATed address rather than the pre-NAT addresses.

I was attempting to configure the trunk last night during a maintenance window I had, and it appears the 3640 is not able to do VLAN trunking, or at least not on the interface cards that we have in it. I can create the subinterfaces, but the encap command is not available. I am not sure if that is an IOS issue which needs an upgrade, or a limitation of the add-in Ethernet cards.

The IOS version is 3600 Software (C3640-I-M), Version 12.4(25d).

Maybe I'll go ahead and grab 16MB more of flash and upgrade to a better feature set.

Author Closing Comment

ID: 33682993
Thanks surbabu140977!!!
