Best Router for GRE Tunnels

francisco_1 · ‎09-04-2008

I need a router to handle thru-put up to 20 or more GRE Tunnels from our branch offices terminating in our Datacenter. All branch offices will terminate at the Datacenters via IPSEC tunnels on cisco ASA's 5520. One Router (Powerful) will seat at the Datacenter behind the ASA's able to handle all GRE tunnels and also provide routing to our head office through the DC. i can use low-end routers at the branch offices. The design is based on HUB (DC Router) and Spoke (Brand Routers). My plan is to have the GRE tunnels through the IPSEC on the ASA's used as a backup to our lease lines to the branch offices.

Can someone recommend a low-end router for the brach offices and a good router for the DC.

Cheers.

graemeporter · ‎09-04-2008

Hi there,

We've got a similar setup, though not identical - we have a DMZ protected by Nokia hardware firewall appliances running Checkpoint (though these will soon be replaced by PIX), and the IPSec and GRE tunnels come from the same router.

We use a Cisco 3845 with the VPN accelerator AIM installed. We currently have at least 30 tunnels (GRE over IPSec) running from this device. For backup purposes, we have an identical router in our office in Norway, which has a 45 Mbit WAN connection back to the UK, and a dedicated internet circuit of its own. Each branch office router has a tunnel to both devices, with the routing cost being set lower for the tunnel back to our main site.

Our branch office routers differ considerably, as we're big VoIP users; we have a mix of various Cisco 2800-series routers for branch offices. From the 2801 to the 2851, we've got it as a remote VPN branch office router. If you're not using VoIP on each site, a 2801 is a good, capable router that is relatively inexpensive.

Just ensure you order an IOS image that supports the full crypto command set, on all the routers.

Hope this helps!

Kind regards,

Graeme

francisco_1 · ‎09-04-2008

Graeme, thanks for replying. So in your setup you used the VPN accelerator AIM card since you're terminating both IPSEC/GRE on the same router. right?

The spec on the 3800 series looks good.

We will also run VOIP from the branch office. Is the 2801 good just to route the VOIP traffic but not run any Voice card?

garsmi · ‎09-04-2008

It really depends on the size of the remote offices. I have used 2801's for VPN & Voice. These were small offices with less than 10 users. Also for the datacenter, a 3800 series will work, but is not needed for 20-30 offices. The 2800 series is more than enough. (I would say a 2821)

francisco_1 · ‎09-05-2008

thank you.

glenn-mchenry · ‎10-22-2008

At my work I'm just a jack of all trades sort of tech. They came to me the other day, wanting me to set up a vpn btn two sites off our corporate infrastructure using Cisco 2821s. I'm leaning towards IPSEC GRE tunneling (mainly because from what I'm told it's pretty secure). Is there a guide for the basic layman to use to set this up? I have access to get any IOS that I need. Both have 256 MB ram and 64 mb compact flash cards. They both also have2 ge ports (0/0 & 0/1), 16 fa ports, and a vwic 2mft-t1 module. Our backbone is GigE so I was thinking of using the GigE ports to connect in to the corporate backbone. There will only be at most 10 users that will utilize this setup. Any and all help is appreciated!

Thank you for your time.

Glenn McHenry

Glenn.mchenry@gmail.com

ajagadee · ‎10-22-2008

Glenn,

Below is a sample configuration for configuring IPSEC GRE Tunnel.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f85.shtml

Regards,

Arul

*Pls rate if it helps*