Trunk Between Routers, GRE over IPSec

Posted on 2010-09-14
Medium Priority
Last Modified: 2012-05-10
I am looking to add a 2nd ISP to our main site, which is currently using a 3640 as our internet router (NAT) and a 2821 as our firewall/inter-VLAN router (router on a stick). One of our remote sites is connected to the internet using an 1841 and uses a VPN to connect to the main site. I'm looking to change the way the remote site connects to our main site by utilizing GRE over IPsec, and I was wanting to see if we can utilize both ISPs at our main site for redundancy on the VPN connection. The diagram below shows what I would like to accomplish, but I am not sure if a trunk between the 2 routers would work the way I want it to or not. I can't find much documentation about trunking between routers. Also, I am not fully sure if using subinterfaces between the routers would limit functionality compared to using just the physical interface on one subnet.

Basically I want to create 2 separate GRE tunnels on the 1841 at the remote site, to tunnel to each IP on the 2821 subinterfaces at the main site. The trunk link between the 2821 and the 3640 would require public subnets from the 2 ISPs because NAT would cause issues. I want the GRE to terminate on the 2821 because the Cisco 3640 doesn't have a crypto IOS and the 2821 has VPN hardware built into the motherboard.

[Diagram: Proposed network change]

Would this work, or can you foresee any problems? Thanks!
Question by:cathchar
Accepted Solution

surbabu140977 earned 2000 total points
ID: 33682772
1) I don't see any reason the 3640 could do something the 2821 can't. We have used a 2821 as our core router for a long time with 70 tunnels and gigs of traffic with no issues. Why don't you swap the roles of the 3640 and 2821? Things will be a sweet breeze for you then.

2) What's the problem for upgrading the ios of 3640 to a crypto one for supporting vpn?


Expert Comment

ID: 33682794
If you have usable public IPs for the LAN from your ISP, use them on the 2800 with usual trunking between the 3640 and 2821 and terminate the GRE as usual. There would be no issues.
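As an added illustration (not configuration posted by anyone in this thread) of the layout discussed above, the IOS fragment below puts one public /30 per ISP on 802.1Q subinterfaces of the 2821's trunk toward the 3640, and builds two IPsec-protected GRE tunnels from the 1841, one per ISP path, with a floating static route for failover. Interface names, VLAN IDs, the documentation-range addresses and the pre-shared-key placeholder are all assumptions; the ISAKMP policy, transform set and IPsec profile shown for the 2821 must also be configured on the 1841.

```cisco
! ===== 2821, main site (addresses constructed for the example) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
! 802.1Q trunk to the 3640: one VLAN per ISP, each carrying a public /30 (no NAT in path)
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.0.2.2 255.255.255.252
! One protected GRE tunnel per ISP path; keepalives take the tunnel down when its path fails
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1.10
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1.20
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
! ===== 1841, remote site (same isakmp/transform/profile blocks as above; "shared" because both tunnels use one source interface) =====
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.2
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT shared
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROT shared
! Floating static: the ISP-B tunnel carries traffic only while Tunnel1 is down
ip route 10.10.0.0 255.255.0.0 Tunnel1
ip route 10.10.0.0 255.255.0.0 Tunnel2 10
```

GRE plus ESP adds per-packet overhead, so `ip mtu 1400` and `ip tcp adjust-mss 1360` on each tunnel interface are the usual companions to this configuration.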


Author Comment

ID: 33682949
Thanks for the response, surbabu.
We are using the 2821 as our inter-VLAN router because of its dual gigabit ports; the 3640 only has FEs.

The 3640 is limited by its flash memory, which is at 16MB. From what I am seeing I would need 32 to upgrade, and I was wanting to avoid investing in it, but I might look into that. I still like the idea of the 2821 terminating the VPN due to CPU costs.

The 2 reasons I am using the 3640 to connect the internet links are that it has the interfaces, and that I can now use NetFlow to monitor the port on the 2821 connected to the 3640 to get accurate information. When I use NetFlow to monitor the 3640 ports, NAT makes the reporting unusable because it shows the NATed address rather than the pre-NAT addresses.

I was attempting to configure the trunk last night during a maintenance window I had, and it appears the 3640 is not able to do VLAN trunking, or at least not on the interface cards that we have in it. I can create the subinterfaces, but the encap command is not available. I am not sure if that is an IOS issue which needs an upgrade, or a limitation of the add-in ethernet cards.

The IOS version is 3600 Software (C3640-I-M), Version 12.4(25d).

Maybe I'll go ahead and grab 16MB more of flash and upgrade to a better feature set.

Author Closing Comment

ID: 33682993
Thanks surbabu140977!!!
