[vpn] VPN Question

Dana J. Dawson djdawso at qwest.com
Thu Sep 27 14:27:45 EDT 2001


"Raymakers, Guy" wrote:
> 
> Hi,
> 
> I've got a very specific question about the Cisco routers and I hope that
> someone has been confronted with this before ...  more exactly, it's about
> the C7120. When you use this one centrally and want to create a GRE/IPSEC
> VPN hub and spoke topology, you need to apply a crypto map per remote (to
> set the peer). For each crypto map you have to specify a match criteria
> which is set in an Access-list. The question I have is, how many extended
> access-lists can you create (if there's a software limit at all...) ?  The
> normal number for an extended acl are from 100-199 and 2000 till 2699.
> Adding this together gives 800 extended acl's, but I'm not sure when a named
> extended acl is used whether this number of 800 is also valid ...
> 
> Many thanks,
> Guy
> 
> VPN is sponsored by SecurityFocus.com


I don't think there is a hard limit on named access-lists, but it's a bit of a
moot point anyway.  Even though the brochures state support for 2000 to 3000
remote peers, depending on the hardware you have, these are idealized lab-type
numbers, not real world numbers.  First, that number is the number of SA's, and
each actual peer will have a minimum of three SA's (probably exactly three if
you're using GRE), so that reduces the number of peers by a factor of three
right there.  Also, those numbers assume all the router is doing is IPSec, so
you have to reduce them even further if you want your router to do other things
as well, such as running a routing protocol or the firewall feature set, etc.
The knowledgeable VPN people I've spoken to at Cisco recommend a max of around
200 - 250 remote peers per 7100 router in an actual production environment.
That doesn't mean you can't configure 500 or more peers, but it implies to me
that the farther you go the more you're pushing your luck.  Personally, I'm not
sure I'd want several hundred remote sites to terminate in a single box even if
it could, since that's a pretty big single point of failure.

HTH

Dana

-- 
Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Global Services              (612) 664-3364
Qwest Communications               (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."
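As an added example (not from Dana's or Guy's message): a small Python script that generates the per-spoke crypto map entries and match ACLs Guy describes, uses up the 800 numbered extended ACL ids before falling back to named ACLs, and converts an advertised SA figure into a peer count using Dana's three-SAs-per-GRE-peer rule. Hub and spoke addresses, the map name, the transform-set name and the ACL names are constructed placeholders.

```python
# Added example, not from the original thread: hub-side GRE-over-IPsec
# hub-and-spoke config generator plus a capacity estimate in the terms
# Dana uses (SAs per peer, field-recommended peer ceiling).
NUMBERED_EXTENDED_RANGES = [(100, 199), (2000, 2699)]   # 800 ids in total
HUB_PUBLIC_IP = "192.0.2.1"                             # constructed (RFC 5737)
SAS_PER_GRE_PEER = 3   # one ISAKMP SA + one inbound and one outbound IPsec SA
FIELD_MAX_PEERS = 250  # upper end of the 200-250 per-7100 advice quoted above

def numbered_acl_ids():
    """Yield every extended numbered ACL id IOS accepts, in ascending order."""
    for lo, hi in NUMBERED_EXTENDED_RANGES:
        yield from range(lo, hi + 1)

def acl_name_for(spoke_index):
    """Use numbered ACLs while they last, then switch to named extended ACLs."""
    ids = list(numbered_acl_ids())
    if spoke_index < len(ids):
        return str(ids[spoke_index])
    return f"SPOKE-{spoke_index + 1}"   # named ACL: no numeric range to exhaust

def hub_config(spoke_ips, map_name="VPNMAP"):
    """Return one crypto map entry and one GRE match ACL per spoke."""
    lines = []
    for i, spoke in enumerate(spoke_ips):
        acl = acl_name_for(i)
        if acl.isdigit():
            lines.append(f"access-list {acl} permit gre host {HUB_PUBLIC_IP} host {spoke}")
        else:
            lines += [f"ip access-list extended {acl}",
                      f" permit gre host {HUB_PUBLIC_IP} host {spoke}"]
        lines += [f"crypto map {map_name} {10 * (i + 1)} ipsec-isakmp",
                  f" set peer {spoke}",
                  " set transform-set TS",          # TS assumed defined elsewhere
                  f" match address {acl}"]
    return "\n".join(lines)

def sa_estimate(peer_count, advertised_sa_capacity):
    """Translate an advertised SA count into peers and compare with the plan."""
    needed = peer_count * SAS_PER_GRE_PEER
    return {"sas_needed": needed,
            "peers_supported": advertised_sa_capacity // SAS_PER_GRE_PEER,
            "fits_advertised": needed <= advertised_sa_capacity,
            "within_field_advice": peer_count <= FIELD_MAX_PEERS}

if __name__ == "__main__":
    spokes = [f"198.51.100.{n}" for n in range(1, 4)]   # constructed addresses
    print(hub_config(spokes))
    print(sa_estimate(500, 2000))
```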
