Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)

> I assume "fully meshed" means each node connects to each other
> node, so each node has 109 tunnels (110 total).
> I also assume "Cisco IPSEC based VPN" means IPsec (RFC 2401/2411/etc.)
> and not MPLS-only.
>
> In that case, 120 is not 'large' according to the vendor
> community -- 'large' starts at around 5000 tunnels. I suspect that,
> in nature (or in the land of the Nanogians), under 1000 is
> more like a 'large' one.
>
> On the other hand, drop one box with 119 tunnels set up and
> restart it and time how long it takes to re-initiate all 119
> tunnels, and you may very well be unhappy.

Yes. Fully meshed. N(N-1)/2 tunnels.

Is around 5995 tunnels if I remember the correct formula
off the top of my head. Straight IPSEC tunnels. No MPLS.
No GRE. Just imagine a corporate customer to a big ISP,
each site a single homed stub AS tunneling nicely across the
ISP to other sites. Adding a few more sites monthly.

Have not had a problem reported with routers dropping and
long-time-lags with tunnels being re-established. Would
be interested in hearing from large ISPs to see who has
a running N(N-1)/2 fully meshed VPN where N>110 and
what potential problems they have and how to mitigate against
problems. Thanks!

Finest Regards, Tim

www.silkroad.com

> I assume "fully meshed" means each node connects to each other
> node, so each node has 109 tunnels (110 total).
> I also assume "Cisco IPSEC based VPN" means IPsec (RFC 2401/2411/etc.)
> and not MPLS-only.
>
> In that case, 120 is not 'large' according to the vendor
> community -- 'large' starts at around 5000 tunnels. I suspect that,
> in nature (or in the land of the Nanogians), under 1000 is
> more like a 'large' one.

Hardly. Until the very latest T-code releases, there was a hard limit of
200 on the number of open SAs any IPsec router could have open. 200 routers
talking fully meshed is impossible, never mind 5000. If communications are
opened in 2 directions, 100 routers with a single access-list entry
identifying the other site was the max.
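As an added example (not code posted in the thread), here is a small sizing script that puts numbers on the two points above: Tim's N(N-1)/2 tunnel count and the per-router SA ceiling in the reply. It assumes that IPsec SAs are unidirectional (so each crypto ACL entry towards a peer costs an inbound and an outbound SA), that the "200 SA" limit counts IPsec SAs only, and that a restarted router re-establishes its tunnels at a fixed IKE setup rate; the SA limit and the setup rate are parameters you supply, not vendor figures.

```python
"""Sizing a fully meshed IPsec VPN: tunnels, per-router SAs, reconvergence time.

Added example, not from the thread. Assumptions (not stated by either poster):
  - IPsec SAs are one-way, so each crypto ACL entry towards a peer consumes
    one inbound and one outbound IPsec SA on the router;
  - the per-router SA limit applies to IPsec SAs only (IKE SAs counted separately);
  - a restarted router rebuilds tunnels at a constant IKE setup rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MeshPlan:
    nodes: int                       # N sites in the mesh
    acl_entries_per_peer: int = 1    # crypto ACL entries selecting traffic to each peer

    @property
    def peers_per_node(self) -> int:
        return self.nodes - 1

    @property
    def tunnels(self) -> int:
        """Total tunnels in the mesh: N(N-1)/2."""
        return self.nodes * (self.nodes - 1) // 2

    @property
    def ipsec_sas_per_node(self) -> int:
        """Inbound + outbound IPsec SA per ACL entry per peer (assumption above)."""
        return self.peers_per_node * self.acl_entries_per_peer * 2

    @property
    def ike_sas_per_node(self) -> int:
        """One IKE SA per peer."""
        return self.peers_per_node

    def fits(self, ipsec_sa_limit: int) -> bool:
        """Does every router stay within a per-box IPsec SA ceiling?"""
        return self.ipsec_sas_per_node <= ipsec_sa_limit


def max_mesh_nodes(ipsec_sa_limit: int, acl_entries_per_peer: int = 1) -> int:
    """Largest N whose per-router IPsec SA count fits under the limit."""
    peers = ipsec_sa_limit // (2 * acl_entries_per_peer)
    return peers + 1


def tunnels_added(current_nodes: int, new_sites: int) -> int:
    """How many new tunnels joining new_sites to an existing mesh creates."""
    return MeshPlan(current_nodes + new_sites).tunnels - MeshPlan(current_nodes).tunnels


def reconvergence_seconds(nodes: int, ike_setups_per_second: float) -> float:
    """Time for one restarted router to re-initiate all its tunnels (assumed rate)."""
    return (nodes - 1) / ike_setups_per_second


if __name__ == "__main__":
    for n in (110, 120):
        plan = MeshPlan(n)
        print(f"N={n}: {plan.tunnels} tunnels, {plan.peers_per_node} peers/router, "
              f"{plan.ipsec_sas_per_node} IPsec SAs + {plan.ike_sas_per_node} IKE SAs per router, "
              f"fits 200-SA limit: {plan.fits(200)}")
    print("max nodes under a 200-SA limit, one ACL entry per peer:", max_mesh_nodes(200))
    print("tunnels added by one more site at N=110:", tunnels_added(110, 1))
    print("reconvergence at N=120, 2 IKE setups/s (assumed):",
          reconvergence_seconds(120, 2.0), "s")
```

The reply's arithmetic falls out of the SA model: with one ACL entry per peer and a 200 IPsec SA ceiling, a router can hold 100 peers, so the mesh tops out at about a hundred sites regardless of how many tunnels the vendor community calls "large". Each additional site adds N tunnels to the mesh and two more SAs to every existing router, which is the figure to watch when "adding a few more sites monthly".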