[44086] in North American Network Operators' Group


Re: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)

daemon@ATHENA.MIT.EDU (Joe Rhett)
Sat Nov 3 19:52:24 2001

Date: Sat, 3 Nov 2001 16:49:51 -0800
From: Joe Rhett <jrhett@isite.net>
To: Tim Bass <bass@silkroad.com>
Cc: nanog@merit.edu
Message-ID: <20011103164951.B2121@isite.net>
Mail-Followup-To: Tim Bass <bass@silkroad.com>, nanog@merit.edu
In-Reply-To: <000f01c15c15$4c2a6540$a900a8c0@silkroad.com>; from bass@silkroad.com on Tue, Oct 23, 2001 at 06:51:47PM -0400


> We have a Cisco IPSEC based VPN with over 110 edge routers
> in a full tunnel-mode mesh, mostly 'big hunking routers' with
> average CPU utilization under 15 percent. The VPN is
> controlled by a single organization, under centralized admin.
>
> Are there larger fully meshed VPNs out there in ISP land?
>
> Are there any 'real-tangible issues' with a fully meshed VPN
> at the size we are talking (around 120 sites fully meshed)?
 
My god, your job is worse than mine ;-)

We have a fully meshed Cisco-VPN with half that many edge routers, and we
have more than 100 open bug reports with Cisco. Every single release they 
have shipped has an issue that means we can't run it in one or more sites.

We're back to doing something I swore I would never do after working in the
NavSea MAN -- running the very latest code in brave but futile hope that
they've fixed something. 90% of the supposed 'bug fixes' they give us break
something else.

With 110 peers fully meshed, you must have only a single access-list
entry per site AND not all your sites talk at the same time. Until very
recently there was a hard cap on IPsec SAs that we kept slamming into,
because multiple access-list entries per site give you (source+remote)^2
SAs...

-- 
Joe Rhett                                                      Chief Geek
JRhett@ISite.Net                                      ISite Services, Inc.
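The SA-count pressure Joe describes (one access-list entry per site, and relief only because not every site is up at once) is easy to put numbers on. The following is an added example, not code from the original post or from Cisco; it assumes a full mesh where each crypto-ACL permit entry toward a peer negotiates its own inbound/outbound IPsec SA pair (classic crypto-map behaviour), and it treats the per-router SA cap as a parameter because the post names no figure. The 500-SA cap used at the bottom is a constructed value.

```python
"""IPsec SA budget for a fully meshed crypto-map VPN (added example).

Assumptions, none of which come from the original post:
- full mesh: every site peers with every other site, so a router with all
  peers up holds (sites - 1) IKE SAs;
- each crypto-ACL permit entry toward a peer negotiates its own IPsec SA pair
  (one inbound, one outbound), the classic Cisco crypto-map behaviour;
- the per-router SA cap is a parameter, because the post names no number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaBudget:
    sites: int
    acl_entries_per_peer: int
    tunnels: int               # site pairs in the mesh, n(n-1)/2
    ike_sas_per_router: int    # one IKE SA per active peer
    ipsec_sas_per_router: int  # entries * 2 directions per active peer
    ipsec_sas_distinct: int    # distinct SAs mesh-wide (each lives in two SADBs)


def sa_budget(sites: int, acl_entries_per_peer: int) -> SaBudget:
    """Count SAs for a mesh in which every peer is up at the same time."""
    if sites < 2 or acl_entries_per_peer < 1:
        raise ValueError("need at least two sites and one ACL entry per peer")
    peers = sites - 1
    per_peer = acl_entries_per_peer * 2  # inbound + outbound SA per entry
    tunnels = sites * peers // 2
    return SaBudget(
        sites=sites,
        acl_entries_per_peer=acl_entries_per_peer,
        tunnels=tunnels,
        ike_sas_per_router=peers,
        ipsec_sas_per_router=peers * per_peer,
        ipsec_sas_distinct=tunnels * per_peer,
    )


def ipsec_sas_with_active_peers(active_peers: int, acl_entries_per_peer: int) -> int:
    """SAs a router holds when only `active_peers` neighbours currently have
    traffic up: the 'not all your sites talk at the same time' relief."""
    if active_peers < 0 or acl_entries_per_peer < 1:
        raise ValueError("bad arguments")
    return active_peers * acl_entries_per_peer * 2


def max_active_peers(sa_cap: int, acl_entries_per_peer: int) -> int:
    """Largest number of simultaneously active peers that fits under the cap."""
    if sa_cap < 0 or acl_entries_per_peer < 1:
        raise ValueError("bad arguments")
    return sa_cap // (acl_entries_per_peer * 2)


def max_acl_entries(sa_cap: int, sites: int) -> int:
    """Most crypto-ACL entries per peer that keep a full mesh (all peers up)
    under the cap; 0 means even one entry per peer does not fit."""
    if sites < 2 or sa_cap < 0:
        raise ValueError("bad arguments")
    return sa_cap // ((sites - 1) * 2)


if __name__ == "__main__":
    for n, k in ((110, 1), (110, 4), (120, 1)):
        b = sa_budget(n, k)
        print(f"{n} sites, {k} ACL entries/peer: {b.ipsec_sas_per_router} IPsec SAs "
              f"per router with all peers up, {b.tunnels} tunnels, "
              f"{b.ipsec_sas_distinct} distinct SAs in the mesh")
    # hypothetical cap of 500 SAs per router (constructed, not from the post)
    print("active peers that fit under a 500-SA cap at 4 entries each:",
          max_active_peers(500, 4))
    print("entries per peer that fit 110 sites under a 500-SA cap:",
          max_acl_entries(500, 110))
```

The useful check is the last two numbers: with a fixed per-router cap, every extra permit line in the crypto ACL divides the number of peers that can be up at once, which is why the single-entry-per-site constraint matters more than router CPU in a mesh this size.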
