[c-nsp] number of VRFs on Cisco Cat/7600
Adam Armstrong
lists at memetic.org
Sat Apr 25 05:23:30 EDT 2009
Benny Amorsen wrote:
> Adam Armstrong <lists at memetic.org> writes:
>
>
>> I have heard it said that more than 512 VRFs is crazy. more than 1024
>> *INSANE*.
>>
>
> Why? You want as many customers on one box as possible, to keep costs
> and maintenance down. Having an array of PE's at 1/100th of capacity
> just because they're limited to 512 VRFs is crazy.
>
Hardware limitations?
Stealing from inetpro.org's Wiki (which I'm assuming to be accurate):
"The VPN CAM maps VPNs to VLANs within the 6500. As all interfaces
(included routed) are ultimately assigned a vlan (see above), we know
that a match here will result in a pop operation and the destination
network will be plain old IP. The current size of the VPN CAM is 512
entries. Therefore, *512 is the maximum number of VPNs suggested on a
6500*. While 4096 is the hard absolute limit, more than 1024 is insane
and more than 512 crazy.
In a normal operation, a packet due to exit to an IP network will do a
query in the VPN CAM based on its VPN ID and be given a hit. At this
point, the 6500 knows to strip the MPLS label and disregard it. It will
copy the TOS value in to the internal DSCP and then process the packet
through the TCAM as normal.
If there is a miss, but we still want to pop out to a regular IP
network, we make a TCAM lookup based on the ingress VLAN number. We then
get a match in the FIB to recirculate. Because we still have a full MPLS
label and no adjacency information, the packet must do just that and go
back around. The match from earlier gives us an ingress VLAN to look up
(based this time on our egress destination) and we get our correct L2
rewrite info etc, as well as any ACLs and policing on the packet. Due to
this, a full VPN CAM will halve performance for those packets getting
misses!
The absolute limit of 4096 is due to the maximum number of supported
vlans in a 6500. Of course, in the real world, vlans will be used
elsewhere, so be sure to provision an internal vlan for each VRF."
adam.