[vpn] VPN Question

Raymakers, Guy guy.raymakers at eds.com
Fri Sep 28 17:04:20 EDT 2001


Eric,

When you mention the large-scale VPNs (1000 to 2000), I have some questions
about it:
What devices were used centrally, and how many? I assume that if Cisco
71xx or 72xx's were used, at least 4 to 8 central systems are in
place.... What would be your recommended routing protocol in these cases
(BGP, OSPF, ...) between the central and remote routers?

Also, I got the following performance stats from Cisco:
C7120 with 700 tunnels using GRE/IPSec with 3DES and SHA + IKE keepalive
could pull 60 Mbps as total throughput with large packet sizes.... Can you
confirm this?

Thanks,
Guy

-----Original Message-----
From: Eric Vyncke [mailto:evyncke at cisco.com]
Sent: Friday 28 September 2001 8:49
To: Dana J. Dawson
Cc: 'vpn at securityfocus.com'
Subject: Re: [vpn] VPN Question


Dana and Guy,

At 13:27 27/09/2001 -0500, Dana J. Dawson wrote:
>The knowledgeable VPN people I've spoken to at Cisco recommend a max of around
>200 - 250 remote peers per 7100 router in an actual production environment.
>That doesn't mean you can't configure 500 or more peers, but it implies to me
>that the farther you go the more you're pushing your luck.  Personally, I'm not
>sure I'd want several hundred remote sites to terminate in a single box even if
>it could, since that's a pretty big single point of failure.


You are fully right, you should limit the number of IKE peers to about 250 
with the 71xx or 72xx router with the ISA or ISM. (It is possible that the 
new VAM accelerator will boost this number.) This 250 peers is a real-life 
figure where lines are going up and down, routers lose power and reload, ...

Also, do not forget that you should run GRE + routing protocol to achieve 
scalable resilience as well as an easy configuration. And the routing 
protocols (OSPF, ...) also have their own limitations. Do not forget the 
last letter of VPN stands for Network ;-) so you need to use the usual 
routing bag of tricks like address summarization, ...

Actually, I know a couple of VPNs deployed with 1000 and even 2000 routers 
in the same VPN. All are using IPSec + GRE + routing protocols.

Hope this helps

-eric

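The design Eric describes (GRE inside IPsec, a routing protocol across the tunnels, summarization at the hub) and the 3DES/SHA + IKE keepalive combination from Guy's Cisco figures, written out as a hub-side Cisco IOS configuration for a single spoke. This is an added illustration, not configuration from either poster or from Cisco; the hostnames, public addresses (198.51.100.1 hub, 192.0.2.11 spoke), the pre-shared key placeholder and the 10.16.0.0/12 spoke addressing are assumptions.

```cisco
! Hub side. Addresses, names and the key are constructed placeholders.
! Phase 1: 3DES/SHA with pre-shared keys, one key entry per spoke
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME-SPOKE11 address 192.0.2.11
! IKE keepalive: a spoke that loses power or its line is detected and its
! SA torn down, so dead peers do not keep counting against the ~250 limit
crypto isakmp keepalive 10
!
! Phase 2: transport mode is enough, GRE already supplies the outer header
crypto ipsec transform-set GRE-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
! Only GRE between the two public addresses is encrypted; the routing
! protocol and all site traffic ride inside that single GRE flow
access-list 101 permit gre host 198.51.100.1 host 192.0.2.11
!
crypto map VPN 11 ipsec-isakmp
 set peer 192.0.2.11
 set transform-set GRE-3DES-SHA
 match address 101
!
! One point-to-point GRE tunnel per spoke (spoke 11 shown)
interface Tunnel11
 description GRE to spoke 11
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.11
!
interface FastEthernet0/0
 description Internet-facing interface; IPsec is applied here
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! OSPF over the tunnels. Spokes sit in a non-backbone area; the hub, as
! ABR, advertises one summary into area 0 (the "address summarization"
! trick) instead of one route per remote site
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.255.255 area 1
 area 1 range 10.16.0.0 255.240.0.0
 area 1 range 10.255.0.0 255.255.0.0
```

The spoke carries the mirror image (its own tunnel sourced from 192.0.2.11 with destination 198.51.100.1, its LAN and tunnel in area 1), and for the resilience Eric mentions each spoke would get a second tunnel to a second hub so that losing one box only costs a routing reconvergence.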


VPN is sponsored by SecurityFocus.com
