[43703] in North American Network Operators' Group
Fwd: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN
daemon@ATHENA.MIT.EDU (Rodney Thayer)
Tue Oct 23 19:58:59 2001
Message-Id: <5.1.0.14.2.20011023164957.037f3cf0@127.0.0.1>
Date: Tue, 23 Oct 2001 16:54:13 -0700
To: nanog@merit.edu
From: Rodney Thayer <rodney@tillerman.to>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
I assume "fully meshed" means each node connects to each other
node, so each node has 109 tunnels (110 total).
I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.)
and not MPLS-only.
In that case, 120 is not 'large' according to the vendor
community -- 'large' starts at around 5000 tunnels. I suspect that,
in nature (or in the land of the Nanogians), under 1000 is
more like a 'large' one.
On the other hand, drop one box with 119 tunnels set up and
restart it and time how long it takes to re-initiate all 119
tunnels, and you may very well be unhappy.
>From: "Tim Bass" <bass@silkroad.com>
>We have a Cisco IPSEC based VPN with over 110 edge routers
>in a full tunnel-mode mesh, mostly 'big hunking routers' with
>average CPU utilization under 15 percent. The VPN is
>controlled by a single organization, under centralized admin.
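As an added worked example (not code from the thread), the sizing arithmetic behind the reply above for a 110-node full mesh, counting the IKE and unidirectional IPsec SAs each node carries, plus a crude lower-bound estimate of how long a restarted box needs to re-initiate all its tunnels; the concurrency limit and per-handshake time are assumed inputs, not figures from the page:

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class MeshFigures:
    nodes: int
    tunnels_per_node: int   # peers each node holds a tunnel to
    tunnels_total: int      # distinct tunnels in the whole mesh
    sas_per_node: int       # 1 IKE SA + 2 unidirectional IPsec SAs per tunnel


def full_mesh_figures(nodes: int) -> MeshFigures:
    """Size a fully meshed IPsec VPN: every node peers with every other node."""
    if nodes < 2:
        raise ValueError("a mesh needs at least two nodes")
    per_node = nodes - 1
    total = nodes * per_node // 2   # each tunnel is shared by two nodes
    # IPsec SAs are unidirectional (RFC 2401), so one tunnel costs an inbound
    # and an outbound IPsec SA plus the IKE SA that negotiated them.
    return MeshFigures(nodes, per_node, total, per_node * 3)


def reinit_time_after_restart(nodes: int, concurrent_negotiations: int,
                              handshake_seconds: float) -> float:
    """Lower bound on the time a restarted node needs to bring all of its
    tunnels back.  Assumed model (not from the thread): at most
    `concurrent_negotiations` IKE exchanges run at once, each taking
    `handshake_seconds`, with no retransmits or peer-side rate limits."""
    if concurrent_negotiations < 1 or handshake_seconds <= 0:
        raise ValueError("need a positive concurrency and handshake time")
    peers = full_mesh_figures(nodes).tunnels_per_node
    batches = math.ceil(peers / concurrent_negotiations)
    return batches * handshake_seconds


if __name__ == "__main__":
    figures = full_mesh_figures(110)
    print(figures)
    # Assumed: 10 parallel negotiations, 2 s per IKE handshake.
    print(reinit_time_after_restart(110, 10, 2.0))
```

Note that the mesh as a whole carries nodes*(nodes-1)/2 tunnels, so the per-node count that looks modest adds up quickly across the VPN, and the restart estimate grows linearly with the number of peers.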