IWAN Scalability.

Apr 18th, 2017

With the MTT (Multiple Tunnel Termination) feature enabled from the IOS XE software (Everest 16.4.1), we would like to know what the scalability of sites supported with 3 WAN links (DMVPNs) in each Border Router is.

We have ASR1001X (IOS XE 03.16.05.S) as both MC and Border router.

Any help is appreciated. Thank you.

Philip D'Ath Thu, 04/20/2017 - 01:03

I don't know the answer. I would expect it to be many thousands of sites per router.


I was looking after a DMVPN customer that had 240 spokes, each with dual terminations going back to a Cisco 2921, and it was handling it easily.


I would be gutted if an ASR1k couldn't handle 10 times as much load.

Vasilii Mikhail... Thu, 05/11/2017 - 11:39

Hello.

iWAN 2.2 includes the feature MTT, but iWAN is not supported on 16.4.1.

iWAN 2.2 is supported on 16.3.3+ and 15.6(3)M2 (only the trains).

iWAN is tested for 3 WAN links and has currently been scaled to 2000 spokes.

At the same time, if you terminate all three on the same box, it would be a question of routing scalability, as the ASR1001X may not be capable of running 6000 IGP/iBGP peers.


PS: please let me know how many you need to run on the ASR1001X and I'll try to check if it's feasible.

Tim Fairclough Wed, 06/21/2017 - 17:10

Hi Vasilii, All


I have a similar question to the OP, and would be interested to see if you are able to provide any insight.

I am currently building a Dual DC Hybrid IWAN deployment for a customer, and would like to understand capacity for the ASR1001X's when using MTT. First some background:

The solution will eventually support approx 300 sites. Half will have dual 4331 routers (single transport per router), the remainder will be single 4331 with dual transports (MPLS & INET).

This is a multi-VRF design; each spoke will have the following 'user' VRF's: CORP (5 prefixes), SCADA (4 prefixes, non-summarisable), CONTROL (2-3 prefixes), GUEST (1 prefix), as well as the 2x FVRF's (INET/MPLS)

Each spoke site would typically have 2-3 of these VRF's active at any time.

Hub would obviously have all VRF's active at all times. Each VRF has a DMVPN cloud per transport, totaling 8x DMVPN clouds. Each is running EIGRP over tunnels.

Cisco haven't yet released the mVRF IWAN CVD; so hopefully my design is in line with their eventual CVD...

My build has:

Hub MPLS BR - ASR1k

Hub INET BR - ISR4451

Hub MC - currently 4331, but will be replaced with ASR1001x to support roll out

Transit MPLS BR - ASR1k

Transit INET BR - ISR4451

Transit MC - currently 4331, but will be replaced with ASR1001x to support roll out


Cisco advise that all BR's must be the same platform to be a supported IWAN design (this is a WAAS requirement I think).

My question is whether the ASR1001X would cope if I built using MTT at each DC (i.e., 1x ASR BR per DC, terminating both MPLS & INET tunnels). I.e., can we get away without purchasing a third pair of ASR1k's to replace the 4451's?

EDIT: I should add that DC's have stretched L2, so all services would remain available if we lost one BR.

Apologies for the long post!

Vasilii Mikhail... Wed, 06/21/2017 - 22:53

Hello.

Unfortunately, iWAN 2.2 does not support MTT in VRF; the support comes (tentative information) in iWAN 2.2.1, tentatively scheduled for August 2017 in releases 16.6.1 and 15.7(3)M.

As far as I understood, you are going to run around 300*8 = 2400 IPSec SAs and routing peers.

iWAN capacity depends on multiple factors including:

  • the number of routing neighbors and protocols;
  • the number of traffic-classes.

Please clarify what the routing protocol is and what the iWAN policy per VRF will be, so I'll check the platform capacity to run these.

Tim Fairclough Wed, 06/21/2017 - 23:24

Hi Vasilii,

Thanks for your prompt response.

That is unfortunate about MTT / VRF support - I was just assuming I would be able to use MTT in this fashion (with 16.3.4).

2400 IPSec SA's would be the maximum; most sites will only require 2 or 3 VRF's, so in reality it may be closer to 1500-1800 SA's / EIGRP neighbours (total).

EIGRP end to end; one instance per VRF.

I have to admit I am only just starting on the PFR component - I have it up and running, but am yet to fully understand all aspects, and do not yet have a view as to what the eventual policy will look like. I currently have the standard CVD (IWAN 2.2) policy configured, and am yet to start adjusting it.

The CORP VRF will probably have the most policy requirements; SCADA and CONTROL VRF's have fairly basic needs and numbers of TC's. PFR for the GUEST VRF is not required, and will simply rely on EIGRP routing info.


Thanks,

Tim