[44087] in North American Network Operators' Group


Re: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)

daemon@ATHENA.MIT.EDU (Joe Rhett)
Sat Nov 3 19:55:46 2001

Date: Sat, 3 Nov 2001 16:52:36 -0800
From: Joe Rhett <jrhett@isite.net>
To: Rodney Thayer <rodney@tillerman.to>
Cc: nanog@merit.edu
Message-ID: <20011103165236.C2121@isite.net>
Mail-Followup-To: Rodney Thayer <rodney@tillerman.to>,
	nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20011023164957.037f3cf0@127.0.0.1>; from rodney@tillerman.to on Tue, Oct 23, 2001 at 04:54:13PM -0700
Errors-To: owner-nanog-outgoing@merit.edu


> I assume "fully meshed" means each node connects to each other
> node, so each node has 109 tunnels (110 total).
> I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.)
> and not MPLS-only.
> 
> In that case, 120 is not 'large' according to the vendor
> community -- 'large' starts at around 5000 tunnels.  I suspect that,
> in nature (or in the land of the Nanogians) that under 1000 is
> more like a 'large' one.
 
Hardly. Until the very latest T-code releases, there was a hard limit of
200 on the number of open SAs any IPSec router could have open. 200 routers
talking fully meshed is impossible, never mind 5000. If communications are
opened in 2 directions, 100 routers with a single access-list entry
identifying the other site was the max.

-- 
Joe Rhett                                                      Chief Geek
JRhett@ISite.Net                                      ISite Services, Inc.
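The sizing argument in the thread (per-device SA count grows with the number of peers, and a full mesh needs n(n-1)/2 tunnels) is easy to get wrong by a factor of two or three, so here is a small capacity model as an added example. It is not code from the post or from any vendor; it assumes that IPsec SAs are unidirectional (two child SAs per traffic selector per peer on each device) and lets you choose whether the per-peer IKE SA counts toward the device's "open SA" ceiling, since a vendor limit may or may not include it. The MeshPlan class, the 2-SAs-per-selector rule and the hub-and-spoke comparison are all assumptions of this example.

```python
# Added example, not from the NANOG post: capacity model for a fully
# meshed IPsec VPN against a per-device SA ceiling (e.g. the 200-SA
# limit mentioned in the reply). Assumptions, stated here:
#   - IPsec child SAs are unidirectional, so one peer pair with one
#     traffic selector (one access-list entry) costs 2 SAs per device.
#   - The IKE (ISAKMP) SA per peer is counted only if count_ike is set,
#     because a vendor "open SA" limit may or may not include it.
from dataclasses import dataclass


@dataclass(frozen=True)
class MeshPlan:
    sites: int                  # devices in the full mesh
    selectors: int = 1          # access-list entries (proxy IDs) per peer pair
    count_ike: bool = False     # add one IKE SA per peer to the total

    @property
    def per_peer_sas(self) -> int:
        # 2 unidirectional child SAs per selector, plus the IKE SA if counted.
        return 2 * self.selectors + (1 if self.count_ike else 0)

    @property
    def peers_per_device(self) -> int:
        # In a full mesh every device peers with every other device.
        return self.sites - 1

    @property
    def tunnels(self) -> int:
        # Unordered peer pairs: n(n-1)/2 tunnels to configure and monitor.
        return self.sites * (self.sites - 1) // 2

    @property
    def sas_per_device(self) -> int:
        # This is the number that hits a per-device SA ceiling.
        return self.peers_per_device * self.per_peer_sas

    def fits(self, sa_limit: int) -> bool:
        return self.sas_per_device <= sa_limit

    def hub_and_spoke_sas(self) -> tuple[int, int]:
        # Same sites as hub-and-spoke instead of a mesh: the hub carries
        # (n-1) peers, every spoke carries exactly one. Returned as
        # (hub_sas, spoke_sas) for comparison with sas_per_device.
        return (self.peers_per_device * self.per_peer_sas, self.per_peer_sas)


def max_mesh_sites(sa_limit: int, selectors: int = 1, count_ike: bool = False) -> int:
    """Largest full mesh whose per-device SA count stays within sa_limit."""
    per_peer = 2 * selectors + (1 if count_ike else 0)
    return sa_limit // per_peer + 1


if __name__ == "__main__":
    # Constructed inputs: the 110-node mesh from the quoted message and the
    # 200-SA ceiling from the reply.
    for n in (100, 110, 200):
        plan = MeshPlan(n)
        hub, spoke = plan.hub_and_spoke_sas()
        print(f"{n:4d} sites: {plan.tunnels:6d} tunnels, "
              f"{plan.sas_per_device:4d} SAs/device in a mesh "
              f"(hub-and-spoke: hub {hub}, spoke {spoke}), "
              f"fits 200? {plan.fits(200)}")
    print("max mesh at 200 SAs, 1 selector, IKE not counted:",
          max_mesh_sites(200))
    print("max mesh at 200 SAs, 1 selector, IKE counted:",
          max_mesh_sites(200, count_ike=True))
```

The second selector or an IKE SA per peer shrinks the feasible mesh quickly, which is the point of the thread: whether a mesh is "large" depends on the per-device SA budget, not on the raw number of sites.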
