[c-nsp] DMVPN scalability question on the 28XX ISR's
Luan Nguyen
luan at netcraftsmen.net
Wed Apr 21 09:35:37 EDT 2010
Like someone else said, if you don't have to run dynamic routing protocol,
then ODR or static would do wonder. In this case, a dual hub
(loadshare/backup) for 1000+ spokes would be just fine.
With EIGRP, you could safely do 500+ spokes per ASR. A few years back,
either Cisco did some tests and found that only a few...2,3 nodes fail when
they tried to bring up 500 tunnels at the same time on 7206VXR platform if I
recall correctly.
I've done 300+ spokes EIGRP on a 7206VXR before and never had any problem.
A 2851 with SSL-2 VPN card could push ~35M of DMVPN/IPSEC traffic. Of
course, if you do QOS, Zone Based Firewall...etc, any additional feature,
then performance will degrade a lot.
What kind of software do you folks use to provision/manage bigger size
DMVPN? Way back, I used Cisco IP Solution Center.
-Luan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Engelhard
Sent: Monday, April 19, 2010 8:06 PM
To: rodunn at cisco.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
Any suggestion for 2000+ spokes with 4 headends? Headends will be
ASR100x. We think to put Loadbalancer (ACE) in front of ASR to spread
DMVPN traffic. Is it design wise?
Sent from my iPhone
On 2010/04/19, at 23:28, Rodney Dunn <rodunn at cisco.com> wrote:
> My suggestion is to run code that support dynamic BGP neighbors at
> the hub and run BGP over the mGRE to the spokes. ..or followed by
> EIGRP.
>
> Rodney
>
>
> On 4/18/10 7:14 AM, Anton Kapela wrote:
>>
>> On Apr 17, 2010, at 8:54 PM, Erik Witkop wrote:
>>
>>> We are considering DMVPN for a WAN network with (92) Cisco 870
>>> remote routers and (2) Cisco 2851 headend routers. My concern is
>>> around the scalability of the 92 connections to each 2851.
>>> Assuming we have AIM modules in each 2851 router, do you think
>>> that would be sized properly.
>>
>> While you have a chance, it'd be wise to toss in as much DRAM as
>> the 2851 can take. The reasons are many, but mostly you'll want
>> plenty (i.e. 20+ megabytes) of free ram to "cover" your needs
>> during transient conditions -- i.e. when all the ipsec endpoints
>> flap, timeout, then re-establish, or perhaps when 400 ospf "spoke"
>> neighbors timeout, flap, and re-stablish. If memory serves,
>> advipservices 12.4t and 15.0 on 28xx leaves a bit less than 100
>> megs free after booting (on a 256m box); expect another 20 to 30m
>> consumed when you have protocols + ipsec endpoints + full config up
>> and active. Probably safe with 256, but it's not worth risking a
>> surprise reload (that more dram could have prevented).
>>
>> My overall experience using DMVPN (i.e. mGRE + ipsec tunnel
>> protection) has been positive, and I find that usually boxes with
>> AIM-VPN or SA's (on 7200's I've used the SA-VAM and its cousins) is
>> the first 'wall' often hit -- i.e. max number of concurrent crypto
>> sessions is reached *well before* the platform maximum IDB limit is
>> reached. This means the first thing you should investigate is how
>> many sessions your installed AIM can support -- it may be far less
>> than you expected, and less than you require.
>>
>> As for GRE and encaps processing on the 28xx, this seems to be
>> nearly the same perf (without fragment processing considered) as
>> native IP forwarding on the box. In practice, I see 80+ mbits
>> usable (or 9 to 12 kpps) out of an 1841 doing GRE or IPIP encaps
>> without crypto -- and 2851 will usually push 100mbit+ doing same.
>> Again, the per-session crypto performance and max-session count
>> will be determined by the AIM, so YMMV, etc.
>>
>> Generally, the Cisco guidelines for DMVPN are sane, and my
>> experiences don't (so far) run counter to them. One definite wall
>> that I'd recommend you find before deployment is how many protocol
>> neighbors you can have up (i.e. ospf, isis, or eigrp neighbors),
>> flap, and re-establish in a timeframe you're happy with. That is to
>> say, I highly recommend lab'ing up a config that emulates 100, 200,
>> 300, etc OSPF neighbor sessions between the 28xx's -- you'll want
>> to know for certain that your routers can both support/hold up the
>> number of neighbors you need, *and* recover in a timely fashion
>> after they flap. So, while your platform may be more than adequate
>> for your given WAN-facing bandwidth needs to the spoke sites, you
>> may actually find that your 2851 cpu is under-whelming when
>> endpoints flap/register/converge -- depending, again, on the scale
>> you're taking things to.
>>
>> -Tk
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5034 (20100416) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
More information about the cisco-nsp
mailing list