Fwd: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
 
I assume "fully meshed" means each node connects to each other node, so each node has 109 tunnels (110 total). I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.) and not MPLS-only.

In that case, 120 is not 'large' according to the vendor community -- 'large' starts at around 5000 tunnels. I suspect that, in nature (or in the land of the Nanogians) that under 1000 is more like a 'large' one.

On the other hand, drop one box with 119 tunnels set up and restart it and time how long it takes to re-initiate all 119 tunnels, and you may very well be unhappy.
From: "Tim Bass" <bass@silkroad.com>
We have a Cisco IPSEC based VPN with over 110 edge routers in a full tunnel-mode mesh, mostly 'big hunking routers' with average CPU utilization under 15 percent. The VPN is controlled by a single organization, under centralized admin.
 
Yes. Fully meshed. N(N-1)/2 tunnels... Is around 5995 tunnels if I remember the correct formula off the top of my head. Straight IPSEC tunnels. No MPLS. No GRE. Just imagine a corporate customer to a big ISP, each site a single homed stub AS tunneling nicely across the ISP to other sites. Adding a few more sites monthly.

Have not had a problem reported with routers dropping and long-time-lags with tunnels being re-established.

Would be interested in hearing from large ISPs to see who has a running N(N-1)/2 fully meshed VPN where N>110 and what potential problems they have and how to mitigate against problems.

Thanks!

Finest Regards,
Tim
www.silkroad.com

----- Original Message -----
From: "Rodney Thayer" <rodney@tillerman.to>
To: <nanog@merit.edu>
Sent: Tuesday, October 23, 2001 7:54 PM
Subject: Fwd: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
I assume "fully meshed" means each node connects to each other node, so each node has 109 tunnels (110 total). I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.) and not MPLS-only.
In that case, 120 is not 'large' according to the vendor community -- 'large' starts at around 5000 tunnels. I suspect that, in nature (or in the land of the Nanogians) that under 1000 is more like a 'large' one.
On the other hand, drop one box with 119 tunnels set up and restart it and time how long it takes to re-initiate all 119 tunnels, and you may very well be unhappy.
From: "Tim Bass" <bass@silkroad.com>
We have a Cisco IPSEC based VPN with over 110 edge routers in a full tunnel-mode mesh, mostly 'big hunking routers' with average CPU utilization under 15 percent. The VPN is controlled by a single organization, under centralized admin.
 
I assume "fully meshed" means each node connects to each other node, so each node has 109 tunnels (110 total). I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.) and not MPLS-only.
In that case, 120 is not 'large' according to the vendor community -- 'large' starts at around 5000 tunnels. I suspect that, in nature (or in the land of the Nanogians) that under 1000 is more like a 'large' one.
Hardly. Until the very latest T-code releases, there was a hard limit of 200 on the number of open SAs any IPSec router could have open. 200 routers talking fully meshed is impossible, never mind 5000. If communications are opened in 2 directions, 100 routers with a single access-list entry identifying the other site was the max.

--
Joe Rhett
Chief Geek
JRhett@ISite.Net
ISite Services, Inc.
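The capacity arithmetic the three posters are arguing about (N(N-1)/2 tunnels, N-1 tunnels per node, and the 200-open-SA platform cap Joe mentions), worked through as an added example that is not code from any participant in this thread. It assumes two unidirectional IPsec SAs per tunnel (inbound and outbound) and counts IPsec SAs only; the rekey-time model and its inputs are constructed.

```python
"""Capacity arithmetic for a fully meshed IPsec tunnel-mode VPN (added example)."""
from math import ceil

# IPsec SAs are unidirectional, so one tunnel to a peer needs an inbound
# and an outbound SA. The IKE/ISAKMP SA per peer is not counted here.
IPSEC_SAS_PER_TUNNEL = 2


def full_mesh_tunnels(n: int) -> int:
    """Total tunnels in a full mesh of n nodes: N(N-1)/2."""
    return n * (n - 1) // 2


def tunnels_per_node(n: int) -> int:
    """Tunnels a single node must terminate to reach every other node."""
    return n - 1


def ipsec_sas_per_node(n: int) -> int:
    """Open IPsec SAs one router holds with the whole mesh up."""
    return tunnels_per_node(n) * IPSEC_SAS_PER_TUNNEL


def fits_sa_cap(n: int, sa_cap: int) -> bool:
    """True if a full mesh of n nodes stays under a per-router SA cap."""
    return ipsec_sas_per_node(n) <= sa_cap


def max_peers_per_node(sa_cap: int) -> int:
    """Largest number of peers one router can hold under sa_cap."""
    return sa_cap // IPSEC_SAS_PER_TUNNEL


def reestablish_seconds(n: int, seconds_per_negotiation: float, parallel: int) -> float:
    """Constructed model of Rodney's restart scenario: time for a rebooted node
    to bring all of its tunnels back up if it can run `parallel` IKE
    negotiations at once, each taking seconds_per_negotiation."""
    return ceil(tunnels_per_node(n) / parallel) * seconds_per_negotiation


if __name__ == "__main__":
    n, cap = 110, 200  # the thread's mesh size and the SA cap Joe cites
    print(f"{n} nodes: {full_mesh_tunnels(n)} tunnels, {tunnels_per_node(n)} per node")
    print(f"IPsec SAs per node: {ipsec_sas_per_node(n)}, fits {cap}-SA cap: {fits_sa_cap(n, cap)}")
    print(f"max peers per node under a {cap}-SA cap: {max_peers_per_node(cap)}")
    print(f"restart rekey, 2s each, sequential: {reestablish_seconds(120, 2.0, 1)}s")
```

With the thread's numbers the 110-node mesh needs 218 IPsec SAs per router, so it only fits a 200-SA platform by dropping to 100 peers, which is the limit Joe describes.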