nanog mailing list archives
Re: Q: Sizes of Existing and Planned Fully Meshed IPSEC VPN (Tunnel Mode)
From: Joe Rhett <jrhett () isite net>
Date: Sat, 3 Nov 2001 16:52:36 -0800
> I assume "fully meshed" means each node connects to each other node, so each node has 109 tunnels (110 total). I also assume "Cisco IPSEC based VPN" means IPsec (rfc 2401/2411/etc.) and not MPLS-only. In that case, 120 is not 'large' according to the vendor community -- 'large' starts at around 5000 tunnels. I suspect that, in nature (or in the land of the Nanogians) that under 1000 is more like a 'large' one.
Hardly. Until the very latest T-code releases, there was a hard limit of 200 on the number of open SAs any IPSec router could have open. 200 routers talking fully meshed is impossible, never mind 5000. If communications are opened in 2 directions, 100 routers with a single access-list entry identifying the other site was the max.

--
Joe Rhett
Chief Geek
JRhett () ISite Net
ISite Services, Inc.