Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
Lots of old and dear friends in NANOG to say HELLO!, it has been many, many years since I've posted here. Hopefully this very simple question will not be very controversial :)

I did a search of the archives on VPN with keywords 'size' and 'mesh' only to find a thread debating the merits of MPLS. This was an interesting thread and some of my old and dear friends were active in that discussion. Please allow me to ask a simple, less-technical question. My apologies if this has been discussed and I missed it in the archives.

We have a Cisco IPSEC based VPN with over 110 edge routers in a full tunnel-mode mesh, mostly 'big hunking routers' with average CPU utilization under 15 percent. The VPN is controlled by a single organization, under centralized admin.

Are there larger fully meshed VPNs out there in ISP land? Are there any 'real-tangible issues' with a fully meshed VPN at the size we are talking (around 120 sites fully meshed)? The marketing hype tends to be great.

I like -vadim's closing comments in: http://www.merit.edu/mail.archives/nanog/2001-08/msg00311.html as follows:

"Sometimes older ways are simply better." --vadim

This seems to be true regarding a simple fully-meshed IPSEC VPN in tunnel-mode, right NANOG geniuses? Is 110 fully meshed edge routers considered big??

Finest Regards,
Tim
www.silkroad.com
> We have a Cisco IPSEC based VPN with over 110 edge routers in a full tunnel-mode mesh, mostly 'big hunking routers' with average CPU utilization under 15 percent. The VPN is controlled by a single organization, under centralized admin.
>
> Are there larger fully meshed VPNs out there in ISP land?
>
> Are there any 'real-tangible issues' with a fully meshed VPN at the size we are talking (around 120 sites fully meshed)?
My god, your job is worse than mine ;-) We have a fully meshed Cisco VPN with half that many edge routers, and we have more than 100 open bug reports with Cisco. Every single release they have shipped has an issue that means we can't run it in one or more sites. We're back to doing something I swore I would never do after working in the NavSea MAN -- running the very latest code in brave but futile hope that they've fixed something. 90% of the supposed 'bug fixes' they give us break something else.

With 110 peers fully meshed, you must have only a single access-list entry per site AND not all your sites talk at the same time. Until very recently there was a hard cap on IPsec SAs that we kept slamming into, since multiple access-list entries per site give you (source+remote)^2 SAs...

--
Joe Rhett
Chief Geek
JRhett@ISite.Net
ISite Services, Inc.
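The capacity concern in the reply above (per-router SA count growing with peers times crypto ACL entries, and only fitting under the platform cap if not every site talks at once) can be put into a small planning model. This is an added example, not code from either poster; it assumes each crypto ACL entry between a pair of sites yields one inbound and one outbound IPsec SA on each peer plus one IKE SA per peer relationship, and the SA limit is a placeholder, not a vendor figure.

```python
"""Full-mesh IPsec SA capacity model (constructed example)."""
from dataclasses import dataclass


@dataclass
class MeshPlan:
    sites: int                 # edge routers in the full mesh
    acl_entries_per_pair: int  # crypto ACL lines (traffic selectors) per peer pair
    sa_limit_per_router: int   # PLACEHOLDER platform cap on IPsec SAs per router

    def tunnels(self) -> int:
        """Distinct peer-to-peer tunnels in a full mesh: n(n-1)/2."""
        return self.sites * (self.sites - 1) // 2

    def ike_sas_per_router(self) -> int:
        """One phase-1 (IKE) SA per peer when every peer is up."""
        return self.sites - 1

    def ipsec_sas_per_router(self) -> int:
        """IPsec SAs a single router holds with all peers up at once.
        SAs are unidirectional, so each selector costs an inbound and an
        outbound SA (assumption stated in the lead-in)."""
        return (self.sites - 1) * self.acl_entries_per_pair * 2

    def total_ipsec_sas(self) -> int:
        """Mesh-wide IPsec SA count, each tunnel's SAs counted on both ends."""
        return self.tunnels() * self.acl_entries_per_pair * 2 * 2

    def headroom(self) -> int:
        """Spare SAs under the cap when all peers talk simultaneously.
        Negative means the cap is hit, the failure mode the reply describes."""
        return self.sa_limit_per_router - self.ipsec_sas_per_router()


def max_acl_entries_under_cap(sites: int, sa_limit_per_router: int) -> int:
    """Most crypto ACL entries per peer pair that still fit under the cap
    with every peer active (0 means even one entry per pair is too many)."""
    return sa_limit_per_router // ((sites - 1) * 2)


if __name__ == "__main__":
    plan = MeshPlan(sites=110, acl_entries_per_pair=1, sa_limit_per_router=2000)
    print(f"tunnels={plan.tunnels()} ipsec_sas/router={plan.ipsec_sas_per_router()} "
          f"headroom={plan.headroom()} max_acl_entries="
          f"{max_acl_entries_under_cap(110, 2000)}")
```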