Cisco 1111-8P Crypto map on vlan interface LAN ports

ICPS_IS · ‎02-14-2022

Hello, I am using a Cisco 4331 and intend to use the Cisco 1111-8P as router with 2 WAN ISP where I have IPSEC tunnels constructed.

I have seen that there is a constraint on etherchannel supported on the 2 routed ports and not the LAN ports.

To address this i will be the routed ports and construct the lacp etherchannel to the LAN and connect the two wan on the LAN ports and use vlans.

My question is whether I can apply crypto-map or construct vti from the vlan wan interface from the LAN switched ports.

Thanks,

Georg Pauwen · ‎02-14-2022

Hello,

can you draw this out ? I am not clear on what you want the topology to look like...

ICPS_IS · ‎02-14-2022

Hello Georg ,

Please find a simplified topology with the main objective is to have an etherchannel with internal lan

ROUTED PORT1 internal LAN LACP ----ISR 1100 --- wan isp 1 LAN PORT VLAN 100 APPLY CRYPTO MAP

ROUTED PORT2 internal LAN LACP ----- --- wan isp 2 LAN PORT VLAN 200 APPLY CRYPTO MAP

The ISR 1100 fits our requirement in terms of routing performance, WAN links will not be more than 50 Mbps and encryption throughput not more than 10 Mbps so the ISR 4300 is an overkill for our requirements but the redundant LAN is a requirement and I wanted to confirm if it can be achieved with the ISR 1100.

Georg Pauwen · ‎02-14-2022

Hello,

so basically you are moving the uplinks to the switchports, and use the 2 routed ports for the port channel connected to the LAN ?

I guess that should work. However, keep in mind that anything 'crypto map' is considered legacy, and VTIs are the better option, but both work.

That said, I read about the LAN ports not having the option of being bundled into an Etherchannel...it looks like the router cannot handle that amount of (multigigabit) traffic.