[vpn] VPN Question
evyncke at cisco.com
Mon Oct 1 10:34:09 EDT 2001
At 22:04 28/09/2001 +0100, Raymakers, Guy wrote:
>When you mention the large-scale VPNs (1000 to 2000), I have some questions
>about it:
>what devices were used centrally and how many? I assume that if Cisco
>71xx or 72xx's were used then +/- 4 to 8 central systems, at least, are in
>place .... what would be your recommended routing protocol in these cases
>(BGP, OSPF ...) between the central and remote routers?
Actually, most of those large-scale IPSec deployments are based
on the usual three-tier architecture (like any plain network):
access, distribution and core. Those IPSec networks were for banks
with a hierarchical topology:
- branches to regional sites
- regional sites to a couple of centralized data centers
This usually reduces the fan-out factor to 100-200 branches per
regional site, which translates into 2 routers at the branches (mainly
for resilience purposes).
The routing protocol used was OSPF or EIGRP, with all the bag of tricks
and guidelines for those protocols (like address summarization, tuning the
hello timers, ...).
>Also, I got the following performance stats from Cisco :
>C7120 with 700 tunnels using GRE/IPSEC with 3DES and SHA + IKE keepalive
>could pull 60 Mbps as total throughput with large packetsizes .... can you
>confirm this ?
It will of course depend on the CPU load and on which kind of IPSec acceleration
module is used...
The new VAM card on a 7200vxr with NPE-400 can encrypt
large packets with GRE encapsulation and 3DES IPSec at more than 120 Mbps.
1) it really depends on the traffic mix and on the IPSec transforms
2) I would be reluctant to have more than 700 IKE peers on the same router
(if you lose this router, you will lose connectivity to a lot of peers IF
you do not have resiliency added to the design)
Hope this helps
>From: Eric Vyncke [mailto:evyncke at cisco.com]
>Sent: Friday 28 September 2001 8:49
>To: Dana J. Dawson
>Cc: 'vpn at securityfocus.com'
>Subject: Re: [vpn] VPN Question
>Dana and Guy,
>At 13:27 27/09/2001 -0500, Dana J. Dawson wrote:
> >The knowledgeable VPN people I've spoken to at Cisco recommend a max of
> >200 - 250 remote peers per 7100 router in an actual production environment.
> >That doesn't mean you can't configure 500 or more peers, but it implies
> >that the farther you go the more you're pushing your luck. Personally, I'm not
> >sure I'd want several hundred remote sites to terminate in a single box even if
> >it could, since that's a pretty big single point of failure.
>You are fully right, you should limit the number of IKE peers to about 250
>with the 71xx or 72xx router with the ISA or ISM (it is possible that the
>new VAM accelerator will boost this number). This figure of 250 peers is a
>real-life figure, where lines go up and down, routers lose power and reload, ...
>Also, do not forget that you should run GRE + routing protocol to achieve
>scalable resilience as well as an easy configuration. And the routing
>protocols (OSPF, ...) also have their own limitations. Do not forget the
>last letter of VPN stands for Network ;-) so you need to use the usual
>routing bag of tricks like address summarization, ...
>Actually, I know a couple of VPNs deployed with 1000 and even 2000 routers
>in the same VPN. All are using IPSec + GRE + routing protocols.
>Hope this helps
VPN is sponsored by SecurityFocus.com
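The design the thread keeps coming back to (GRE over IPsec with a routing protocol inside the tunnel, IKE keepalives, tuned hello timers and address summarization at the regional tier) looks like the following on one branch router. This is an added example written for this archive page, not configuration from Eric Vyncke, Dana Dawson or Cisco; addresses are RFC 5737 documentation ranges, the pre-shared key is a placeholder, and the timer and MTU values are illustrative choices, not figures from the thread.

```text
! Added example (not from the thread): a branch ("spoke") router running
! GRE over IPsec to its regional hub, with OSPF inside the tunnel.
! Addresses are RFC 5737 documentation ranges; the PSK is a placeholder.
!
! --- IKE policy: 3DES / SHA, the transforms the throughput figures assume ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.10
! IKE keepalives: notice a dead hub in tens of seconds instead of waiting
! for the SA lifetime, so the routing protocol can move to the other hub
crypto isakmp keepalive 10 3
!
! --- IPsec protects only the GRE packets; transport mode avoids a second
!     outer IP header, since GRE already supplies one ---
crypto ipsec transform-set GRE-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set GRE-3DES-SHA
 match address GRE-TO-HUB
!
! The crypto ACL matches the tunnel endpoints only; which branch prefixes
! ride inside the tunnel is decided by OSPF, not by this ACL
ip access-list extended GRE-TO-HUB
 permit gre host 198.51.100.2 host 192.0.2.10
!
! --- GRE tunnel carrying OSPF: hello/dead timers relaxed from the 10/40 s
!     defaults (illustrative values) so a hub with 100-200 spokes is not
!     spending its CPU on hellos; MTU lowered for the GRE+ESP overhead ---
interface Tunnel0
 description GRE to regional hub
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip ospf hello-interval 30
 ip ospf dead-interval 120
 tunnel source Serial0/0
 tunnel destination 192.0.2.10
!
interface Serial0/0
 description WAN uplink
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
!
! --- Branch LAN; the branch lives in a non-backbone OSPF area ---
interface FastEthernet0/0
 ip address 10.1.17.1 255.255.255.0
!
router ospf 1
 network 10.255.1.0 0.0.0.3 area 1
 network 10.1.17.0 0.0.0.255 area 1
 passive-interface FastEthernet0/0
!
! On the regional hub, which is the ABR between area 1 and area 0, all
! branch prefixes of the region are summarized into one route towards the
! data centres (the "address summarization" trick the thread refers to):
!   router ospf 1
!    area 1 range 10.1.0.0 255.255.0.0
```

A second tunnel to the other regional hub, with its own `crypto map` entry and a second `interface Tunnel1` in the same area, gives the resilience the thread insists on: when the keepalives declare one hub dead, OSPF withdraws the routes learned over that tunnel and traffic follows the surviving one. The hub side carries one crypto map entry (or a dynamic crypto map) per spoke, which is exactly where the 250-peer and 700-peer limits discussed above apply.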