Trunk Between Routers, GRE over IPSec

Asked by cathchar:
I am looking to add a second ISP to our main site, which is currently using a 3640 as our internet router (NAT) and a 2821 as our firewall/inter-VLAN router (router on a stick). One of our remote sites is connected to the internet using an 1841 and uses a VPN to connect to the main site. I'm looking to change the way the remote site connects to our main site by using GRE over IPsec, and I wanted to see if we can use both ISPs at our main site for redundancy on the VPN connection. The diagram below shows what I would like to accomplish, but I am not sure whether a trunk between the two routers would work the way I want it to. I can't find much documentation about trunking between routers. Also, I am not fully sure whether using subinterfaces between the routers would limit functionality compared to just using the physical interface on one subnet.

Basically, I want to create two separate GRE tunnels on the 1841 at the remote site, tunnelling to each IP on the 2821 subinterfaces at the main site. The trunk link between the 2821 and the 3640 would require public subnets from the two ISPs, because NAT would cause issues. I want the GRE to terminate on the 2821 because the Cisco 3640 doesn't have a crypto IOS and the 2821 has VPN hardware built into the motherboard.

(diagram of the proposed topology; image not reproduced)

Would this work, or can you foresee any problems? Thanks!
Accepted solution, by surbabu140977:

If you have usable public IPs for the LAN from your ISPs, use them on the 2800 with the usual trunking between the 3640 and 2821 and terminate the GRE as usual. There would be no issues.

best,
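The design the accepted answer describes, written out as an added example configuration (it is not from the thread or from Cisco documentation): each ISP's public block sits on its own 802.1Q subinterface of the 3640/2821 trunk and is excluded from NAT, the two GRE tunnels with IPsec tunnel protection terminate on the 2821, and the remote 1841 builds one tunnel to each public address. Everything concrete here is assumed for illustration: interface names, the RFC 5737 documentation addresses (ISP1 block 198.51.100.0/29, ISP2 block 203.0.113.0/29, remote 1841 at 192.0.2.10), VLAN IDs, the private transit 10.0.0.0/30, the remote LAN 192.168.50.0/24, the crypto parameters (adjust to what each IOS image supports), and the placeholder pre-shared key. It also assumes both trunk ports accept `encapsulation dot1Q` on subinterfaces, which the asker later reports the 3640's cards did not.

```cisco
! ===== 3640: internet edge and NAT (assumed: Fa1/0 -> ISP1, Fa1/1 -> ISP2, Fa0/0 trunk to 2821) =====
interface FastEthernet1/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
interface FastEthernet1/1
 ip address 192.0.2.6 255.255.255.252
 ip nat outside
interface FastEthernet0/0.10
 description existing private transit; LAN traffic is NATed here
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
interface FastEthernet0/0.101
 description ISP1 public block, no NAT; PBR pins it to the ISP1 uplink
 encapsulation dot1Q 101
 ip address 198.51.100.1 255.255.255.248
 ip policy route-map VIA-ISP1
interface FastEthernet0/0.102
 description ISP2 public block, no NAT; PBR pins it to the ISP2 uplink
 encapsulation dot1Q 102
 ip address 203.0.113.1 255.255.255.248
 ip policy route-map VIA-ISP2
! The NAT ACL lists only private LAN space, so GRE/ESP from the 2821's public addresses is never translated
ip access-list standard NAT-LAN
 permit 10.0.0.0 0.255.255.255
ip nat inside source list NAT-LAN interface FastEthernet1/0 overload
route-map VIA-ISP1 permit 10
 set ip next-hop 192.0.2.1
route-map VIA-ISP2 permit 10
 set ip next-hop 192.0.2.5
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! ===== 2821: GRE/IPsec endpoint and inter-VLAN router (assumed: Gi0/0 trunk to 3640) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/0.102
 encapsulation dot1Q 102
 ip address 203.0.113.2 255.255.255.248
interface Tunnel1
 ip address 172.16.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0.101
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile GRE-PROF
interface Tunnel2
 ip address 172.16.255.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0.102
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile GRE-PROF
! Both tunnels share one destination, so the default route cannot split them: local policy routing
! steers locally generated packets by source address onto the matching ISP subinterface
ip access-list extended SRC-ISP1
 permit ip host 198.51.100.2 any
ip access-list extended SRC-ISP2
 permit ip host 203.0.113.2 any
route-map TUNNEL-SRC permit 10
 match ip address SRC-ISP1
 set ip next-hop 198.51.100.1
route-map TUNNEL-SRC permit 20
 match ip address SRC-ISP2
 set ip next-hop 203.0.113.1
ip local policy route-map TUNNEL-SRC
ip route 0.0.0.0 0.0.0.0 10.0.0.1
! Remote LAN via Tunnel1; the floating static via Tunnel2 takes over when missed keepalives drop Tunnel1
ip route 192.168.50.0 255.255.255.0 Tunnel1
ip route 192.168.50.0 255.255.255.0 Tunnel2 10

! ===== 1841 (remote, assumed Fa0/0 = 192.0.2.10/30, gateway 192.0.2.9) =====
! Same isakmp policy, transform set and profile as the 2821, plus one PSK line per hub address
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
interface Tunnel1
 ip address 172.16.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROF
interface Tunnel2
 ip address 172.16.255.6 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROF
ip route 0.0.0.0 0.0.0.0 192.0.2.9
ip route 10.0.0.0 255.0.0.0 Tunnel1
ip route 10.0.0.0 255.0.0.0 Tunnel2 10
```

Two points worth checking before trusting the failover. First, the subinterfaces alone do not give you two usable paths: because both tunnels target the same remote address, the 2821 needs source-based steering (the local policy above) and the 3640 needs to send each public block out its own uplink (the per-subinterface PBR), otherwise one ISP's packets leave through the other ISP and are dropped or become asymmetric. Second, keepalive plus floating statics is the simplest failover; running a routing protocol across both tunnels is the usual alternative and gives faster, more predictable convergence. Verify with `show crypto ipsec sa` (both peers should show active SAs) and `show interfaces tunnel 1`, then pull one uplink and confirm the route to the remote LAN moves to Tunnel2.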
cathchar (asker) replied:
Thanks for the response, surbabu.
We are using the 2821 as our inter-VLAN router because of its dual gigabit ports; the 3640 only has FEs.

The 3640 is limited by its flash memory, which is at 16 MB. From what I am seeing I would need 32 MB to upgrade, and I was wanting to avoid investing in it, but I might look into that. I still like the idea of the 2821 terminating the VPN due to CPU costs.

The two reasons I am using the 3640 to connect to the internet are that it has the interfaces, and that I can use NetFlow to monitor the port on the 2821 connected to the 3640 to get accurate information. I use NetFlow to monitor the 3640 ports; NAT makes the reporting unusable because it shows the NATed address rather than the pre-NAT addresses.

I was attempting to configure the trunk last night during a maintenance window I had, and it appears the 3640 is not able to do VLAN trunking, or at least not on the interface cards that we have in it. I can create the subinterfaces, but the encap command is not available. I am not sure whether that is an IOS issue which needs an upgrade, or a limitation of the add-in Ethernet cards.

The IOS version is 3600 Software (C3640-I-M), Version 12.4(25d).

Maybe I'll go ahead and grab 16 MB more of flash and upgrade to a better feature set.
Thanks surbabu140977!