Re: [c-nsp] SD-WAN design for large scale

2020-04-07 Thread Hitesh Vinzoda
Look at Aryaka SDWAN which solves all these problems.

Cheers
Hitesh

On Tue, Mar 24, 2020 at 12:38 AM omar parihuana 
wrote:

>  Guys I've just read the following document:
>
>
> https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-wan/white-paper-c11-743108.html
>
>
> So I am asking about the IPsec tunnel scalability in SD-WAN large
> deployments. One benefit of L3VPN in MPLS is the full mesh connectivity.
> From the point of view of the CE one default route could be enough. Now in SDWAN
> data plane if I want a full mesh topology a lot of IPsec tunnels are
> established... maybe I am wrong but I would expect n(n-1)/2 IPsec Tunnels
> (without considering the second path), then for example if I have 300 branches I
> could expect 37350 tunnels... really? So hub-and-spoke will be the
> solution... comments please... maybe it is time to say goodbye to full mesh
> in SD-WAN deployments?
>
> --
> Omar E.P.T
> -
> Certified Networking Professionals make better Connections!
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


Re: [c-nsp] SD-WAN design for large scale

2020-03-26 Thread Robert Raszuk
>
> Moving to a session based approach instead of a tunnel based approach.


DTLS session-based is using UDP and has been shipping from Sproute Networks for
many years now.  It scales fantastically in a full mesh fashion too! They also
have a fully cloud-based multi-tenant controller so both API- and GUI-based mgmt
work like a charm. For endpoints both software and hardware options are
available.

https://www.sproute.com/

I know I am sounding like a salesman - but I have been using their products for
a few years now both privately and commercially and never had any issues.

Best
R.


Re: [c-nsp] SD-WAN design for large scale

2020-03-26 Thread Brian Turnbow via cisco-nsp
Hi,

> > Omar: Yes, by default you will have a full mesh of tunnels. It's easy
> > to build Hub and Spoke topology if you want to. Often large
> > organizations build regional Hub and Spoke where you traverse a Hub to
> > go to another geographical region, such as EU to US etc.
> >
> Is that the case really?
> When we were reviewing sd-wan solutions from a number of vendors last
> year - my recollection is that hub and spoke or dual hub and spoke (but not
> multi-hub and spoke) was their go-to topology and most of them didn't even
> consider a full mesh of tunnels between spoke sites until I asked.
> 

Yes, me too.
I think it could be interesting to see if anyone tries using a QUIC (or QUIC-
like) solution to replace IPsec.
It would be similar to what 128 Technologies is pushing.
Moving to a session-based approach instead of a tunnel-based approach.

Brian




Re: [c-nsp] SD-WAN design for large scale

2020-03-26 Thread Brian Knight

On 2020-03-26 05:51, adamv0...@netconsultings.com wrote:

> > daniel@reaper.nu
> > Sent: Tuesday, March 24, 2020 10:27 AM
> >
> > Cisco SD-WAN doesn't use DMVPN, it uses OMP for control plane and
> > IPSec for data plane.
> >
> > Omar: Yes, by default you will have a full mesh of tunnels. It's easy
> > to build Hub and Spoke topology if you want to. Often large organizations
> > build regional Hub and Spoke where you traverse a Hub to go to another
> > geographical region, such as EU to US etc.
>
> Is that the case really?
> When we were reviewing sd-wan solutions from a number of vendors last
> year - my recollection is that hub and spoke or dual hub and spoke (but
> not multi-hub and spoke) was their go-to topology and most of them
> didn't even consider a full mesh of tunnels between spoke sites until
> I asked.

Yes.  Full mesh is the default for Cisco.  They do recommend changing
the default if your org has more than 50 sites (I believe that number's
right).

> If you consider what sd-wan is selling, it's MPLS-like QoE over cheapo
> Internet links - for which they need at least two (ideally more)
> links, then the number of tunnels is going to be n(n-1)/2 times the
> number of cheapo links to the spoke site.

Correct -- n is the number of transport links, not the number of
devices.

> adam

-Brian


Re: [c-nsp] SD-WAN design for large scale

2020-03-26 Thread adamv0025
> daniel@reaper.nu
> Sent: Tuesday, March 24, 2020 10:27 AM
> 
> Cisco SD-WAN doesn't use DMVPN, it uses OMP for control plane and IPSec
> for data plane.
> 
> Omar: Yes, by default you will have a full mesh of tunnels. It's easy to build
> Hub and Spoke topology if you want to. Often large organizations build
> regional Hub and Spoke where you traverse a Hub to go to another
> geographical region, such as EU to US etc.
> 
Is that the case really?
When we were reviewing sd-wan solutions from a number of vendors last year - my
recollection is that hub and spoke or dual hub and spoke (but not multi-hub and
spoke) was their go-to topology and most of them didn't even consider a
full mesh of tunnels between spoke sites until I asked.

If you consider what sd-wan is selling, it's MPLS-like QoE over cheapo Internet
links - for which they need at least two (ideally more) links, then the number
of tunnels is going to be n(n-1)/2 times the number of cheapo links to the
spoke site.

adam

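The counting argument from Omar's question and from adam's and Brian Knight's replies (tunnels grow with site pairs times transport links), worked through as an added example that is not part of the thread: it gives the total tunnel count for each topology next to the per-device count, which is what a branch router's IPsec SA table actually has to hold. The k-squared cost per site pair and the hub-and-spoke and regional models are assumptions of this example, not vendor behaviour.

```python
"""Tunnel-count model for the topologies argued over in this thread.

Added worked example, not code from the list or any vendor. Assumed: each
site has k transport links; a data-plane tunnel exists for every transport
pair between two peering sites, so one site pair costs k*k tunnels (k=1 is
Omar's n(n-1)/2); spokes peer only with hubs, hubs mesh with each other.
"""
from math import comb


def full_mesh(sites, k=1):
    """Every site peers with every other site (the default discussed)."""
    pair = k * k
    return {"total": comb(sites, 2) * pair,
            "per_spoke": (sites - 1) * pair,  # SAs one branch box must hold
            "per_hub": (sites - 1) * pair}


def hub_and_spoke(sites, hubs, k=1):
    """Spokes reach each hub only; hubs peer with every other site."""
    pair = k * k
    return {"total": (sites - hubs) * hubs * pair + comb(hubs, 2) * pair,
            "per_spoke": hubs * pair,
            "per_hub": (sites - 1) * pair}


def regional_mesh(region_sizes, k=1):
    """Full mesh inside each region, one hub per region, hubs meshed;
    inter-region traffic traverses the regional hubs (EU -> US etc.).
    Per-device figures are worst case, i.e. the largest region."""
    pair, regions, big = k * k, len(region_sizes), max(region_sizes)
    intra = sum(comb(n, 2) for n in region_sizes) * pair
    return {"total": intra + comb(regions, 2) * pair,
            "per_spoke": (big - 1) * pair,
            "per_hub": (big - 1 + regions - 1) * pair}


def report(sites=300, k=2, hubs=2, regions=3):
    """Omar's 300-branch case with two cheap links per site, side by side."""
    return {"full_mesh": full_mesh(sites, k),
            "hub_and_spoke": hub_and_spoke(sites, hubs, k),
            "regional": regional_mesh([sites // regions] * regions, k)}


if __name__ == "__main__":
    for name, c in report().items():
        print(f"{name:14s} total={c['total']:6d} "
              f"per_spoke={c['per_spoke']:5d} per_hub={c['per_hub']:5d}")
```

The per-spoke column is the one to compare against a branch platform's SA limit: a full mesh of 300 sites with two links each asks every branch for 1196 tunnels, while two hubs bring that to 8 per spoke at the price of 1196 on each hub.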


Re: [c-nsp] SD-WAN design for large scale

2020-03-24 Thread Christophe LUCAS
Hey,

You are right. My old-school IWAN knowledge, and I hadn't read further
("Dynamic tunnels in large-scale routing environments"). Sorry.

Christophe



Re: [c-nsp] SD-WAN design for large scale

2020-03-24 Thread daniel.dib
Cisco SD-WAN doesn't use DMVPN, it uses OMP for control plane and IPSec for 
data plane.

Omar: Yes, by default you will have a full mesh of tunnels. It's easy to build 
Hub and Spoke topology if you want to. Often large organizations build regional 
Hub and Spoke where you traverse a Hub to go to another geographical region, 
such as EU to US etc.

Best regards,
Daniel



Re: [c-nsp] SD-WAN design for large scale

2020-03-24 Thread Christophe LUCAS
Hi,

No, DMVPN and NHRP phase 3 enable spoke-to-spoke communication.

Regards,
Christophe
