[43705] in North American Network Operators' Group
Re: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
daemon@ATHENA.MIT.EDU (Tim Bass)
Tue Oct 23 21:31:40 2001
Message-ID: <007601c15c2b$5bc26460$a900a8c0@silkroad.com>
Reply-To: "Tim Bass" <bass@silkroad.com>
From: "Tim Bass" <bass@silkroad.com>
To: <nanog@merit.edu>, "Rodney Thayer" <rodney@tillerman.to>
Date: Tue, 23 Oct 2001 21:29:41 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Yes. Fully meshed. N(N-1)/2 tunnels.....................
Is around 5995 tunnels if I remember the correct formula
off the top of my head. Straight IPSEC tunnels. No MPLS.
No GRE. Just imagine a corporate customer to a big ISP,
each site a single homed stub AS tunneling nicely across the
ISP to other sites. Adding a few more sites monthly.
Have not had a problem reported with routers dropping and
long-time-lags with tunnels being re-established. Would
be interested in hearing from large ISPs to see who has
a running N(N-1)/2 fully meshed VPN where N>110 and
what potential problems they have and how to mitigate against
problems. Thanks!
Finest Regards, Tim
www.silkroad.com
----- Original Message -----
From: "Rodney Thayer" <rodney@tillerman.to>
To: <nanog@merit.edu>
Sent: Tuesday, October 23, 2001 7:54 PM
Subject: Fwd: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
>
> I assume "fully meshed" means each node connects to each other
> node, so each node has 109 tunnels (110 total).
> I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.)
> and not MPLS-only.
>
> In that case, 120 is not 'large' according to the vendor
> community -- 'large' starts at around 5000 tunnels. I suspect that,
> in nature (or in the land of the Nanogians) that under 1000 is
> more like a 'large' one.
>
> On the other hand, drop one box with 119 tunnels set up and
> restart it and time how long it takes to re-initiate all 119
> tunnels, and you may very well be unhappy.
>
> >From: "Tim Bass" <bass@silkroad.com>
>
> >We have a Cisco IPSEC based VPN with over 110 edge routers
> >in a full tunnel-mode mesh, mostly 'big hunking routers' with
> >average CPU utilization under 15 percent. The VPN is
> >controlled by a single organization, under centralized admin.
>