AutoVPN tunnel count formula

MG41372
Conversationalist

Hopefully this is an easy one.

 

Can anyone explain to me why the documented formula for full mesh total tunnel count is ((H)*(H-1)/2) * L1 instead of ((H)*(H-1)/2) * L1 * L1 ?

 

Seems to be a simple geometry node formula, and if each node has the same number of interfaces wouldn't there be a VPN tunnel per pair, making the final factor squared?

The documented formula for the tunnel count per MX has this term squared, meaning there actually is a vpn tunnel per pair of interfaces, so why is it not squared in the total tunnel count?

 

Same thing for the Hub part of the total tunnel count of the Hub and Spoke topology. It should be identical to the full mesh total tunnel count, correct?

 

The documentation is here: Auto VPN Hub Deployment Recommendations - Cisco Meraki

 

I want to earn the Meraki cert, but I'm concerned about the exam questions requiring calculation on these formulas. Would the exam questions require correct calculations as documented, or as I suspect the correct formula should be?

 

 

8 Replies
KarstenI
Kind of a big deal

I think you are right and the documentation is wrong.

The formulas are inconsistent. The easiest check is a full mesh with two hubs and two links each. The tunnel count per MX has to equal the total tunnel count. I assume that they just forgot the "to the power two" for the L1 in the first formula.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Bruce
Kind of a big deal

I’ve been thinking about this, and have to agree with @MG41372. It does look like the total tunnel count for a full mesh with hubs needs the L1 to be squared. Take, for example, three hubs: if they each have one uplink the formula works, and gives the answer 3. However, consider if each hub has two uplinks; then each of the three hubs will try to build 4 tunnels to each other hub (W1-W1, W1-W2, W2-W1, W2-W2). Whether it succeeds or not is all part of the design, but this is what the hubs will try to do. Quickly you realise this is a total of twelve tunnels, so the L1 must be squared to make the formula work.
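The counting argument above (and KarstenI's two-hub, two-link consistency check) can be verified by enumerating the hub-to-hub tunnels directly. This is an added example, not code from the thread or from Meraki; hub names and "WANn" uplink labels are constructed for illustration.

```python
from itertools import combinations


def enumerate_full_mesh_tunnels(hubs, uplinks):
    """Enumerate every hub-to-hub AutoVPN tunnel a full mesh would attempt.

    `hubs` is a list of hub names (constructed for this example); `uplinks`
    is the number of WAN interfaces per hub (the L1 term in the thread).
    One tunnel is attempted for every pair of hubs and every pair of
    uplinks, i.e. (H*(H-1)/2) * L1 * L1 tunnels in total.
    """
    tunnels = []
    for hub_a, hub_b in combinations(hubs, 2):
        for up_a in range(1, uplinks + 1):
            for up_b in range(1, uplinks + 1):
                tunnels.append(((hub_a, f"WAN{up_a}"), (hub_b, f"WAN{up_b}")))
    return tunnels


def documented_total(h, l1):
    """Full mesh total as printed in the documentation quoted in the thread."""
    # h*(h-1) is always even, so integer division is exact.
    return (h * (h - 1) // 2) * l1


def corrected_total(h, l1):
    """Full mesh total with the L1 term squared, as the thread argues."""
    return (h * (h - 1) // 2) * l1 * l1


def tunnels_per_hub(tunnels, hub):
    """Count how many of the enumerated tunnels terminate on one hub."""
    return sum(1 for (hub_a, _a), (hub_b, _b) in tunnels if hub in (hub_a, hub_b))


if __name__ == "__main__":
    # Bruce's case: three hubs with two uplinks each -> 12 tunnels attempted.
    mesh = enumerate_full_mesh_tunnels(["H1", "H2", "H3"], 2)
    print(len(mesh), documented_total(3, 2), corrected_total(3, 2))
    # KarstenI's check: two hubs, two links each -> per-MX count == total.
    pair = enumerate_full_mesh_tunnels(["H1", "H2"], 2)
    print(len(pair), tunnels_per_hub(pair, "H1"))
```

With one uplink per hub both formulas agree, which is why the discrepancy only shows up once L1 is greater than 1.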

MG41372
Conversationalist

Thanks for your reply, glad I'm not going crazy!

But my bigger concern is with the exam questions, since the ECMS2 course final exam scores its question using the calculated value from the incorrect formula as documented in the course material as well as the posted Meraki doc.

 

I have reached out to Cisco regarding the doc and course materials a while ago, but have not received any responses.

GreenMan
Meraki Employee

I'm not 100% sure, but I have a feeling this must have to do with the recommendation that Hubs are configured as One Armed Concentrators - with just one uplink.

KarstenI
Kind of a big deal

I'll implement it that way the moment we can add an extra Concentrator to a combined network and assign "only" the Enterprise license to the concentrator while keeping AdvancedSecurity for the general Firewall. 😉

GreenMan
Meraki Employee

I was looking only to help with the original question. 😉

In my experience, there are a number of compelling reasons for choosing VPNC over routed mode for the majority of Hubs - with licensing cost not really a part of that design calculation.

I also can't help feeling that, whilst I understand people don't want to pay for features they will not be using, the overall 'cost' in time and complexity of needing to specify (and separately renew) licensing for individual devices probably outweighs the extra spend from a simple one-choice, applied to all approach - given the majority of networks have greater numbers of Spokes (where you want Adv Sec/SD-WAN+) than Hubs.

KarstenI
Kind of a big deal

I know ... 😉

But regardless of how this is calculated, clients feel as if they are robbed if an additional concentrator, which doesn't need the functionality, has the same license price.

But the real showstopper was typically that the major Meraki feature, the full-stack visibility from the client to leaving the network, is broken with a concentrator in a different dashboard network.

cmr
Kind of a big deal

We have stayed away from using Meraki as our enterprise edge, as our sites are all linked with MX pairs over VPLS networks (L2 MPLS). This, combined with all our public Internet MXs only needing the basic license, means that to add 2x Advanced licences would mean upgrading about fifteen more that don't need it...

If my answer solves your problem please click Accept as Solution so others can benefit from it.