VPN with ~500Mb/s throughput?

I am designing a 40 site MPLS hub-and-spoke network. The spokes will have 10-50Mb/s with the majority at 10Mb/s and the head-end is currently slated for 500Mb/s.

I would like to have the option of encrypting the hub-to-spoke connectivity (IPSEC with AES) but realize that the head-end will need a somewhat beefy device to be able to keep up with the possibility of 500Mb/s of encrypted traffic.

My question is, is there a CCR model that can do this?

Thanks!

A CCR can cope with 500Mbps of IPSEC/AES traffic; a 1100AHx2 (which is also IPSEC/AES hardware accelerated) maybe, depending on setup. See http://forum.mikrotik.com/t/ccr1009-or-rb1100ahx2-for-eoip-ipsec/77976/1

I would pick a CCR1009 minimum to size it in advance.

IMHO, however, encrypting will nullify MPLS advantages in terms of processing load and shorter paths in packet flow, see http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

An additional question that remains is, will the spoke endpoints be able to cope with 10-50Mbps of IPSec encrypted traffic?

The only hardware-accelerated IPSec (AES) devices in the RouterBoard lineup are the RB850Gx2, RB1100AHx2 and CCRs.

RB850Gx2 does hardware offload only from the second hardware revision, but you’ll have to decide if these are optimal for your specific MPLS deployment, as their max L2MTU is 1580, see
http://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards

Thanks for the reply. I should clarify that this is a Provider MPLS network…I am not configuring the MPLS. The idea is that since this is an untrusted entity that would have access to view our traffic, we would like to encrypt it with the devices we attach to the MPLS network.

Thanks for the reference to that other discussion topic…that is very helpful, although it left me somewhat suspicious of the CCR line.

My plan was just to do simple IPSec tunnels between the spokes and whatever head-end device. I haven’t decided fully on what to use at the spokes, but Adtran makes a very affordable router that will do 100Mb/s of IPSec. The concern there then of course is IPSec interoperability between RouterOS and Adtran, but I’m not too concerned about that. If I was, it sounds like an RB850 could be the answer for end-to-end Mikrotik.

CCRs are very recent devices on an innovative platform. Most people posting in a forum do so because of their problems (those using them fine don’t feel the need to come and post); take that into account, as you may get a distorted impression.

MPLS/VPLS is one of the areas where Mikrotik is being used widely, and most people are deploying CCRs nowadays.

Depending on the L2MTU deployed for the transit network, an RB1100AHx2 would be a better solution than an RB850Gx2 as it has a much bigger maximum L2MTU.

RB850Gx2 is more tailored for a router serving Provider Edge duties: IPSEC acceleration, 512Mb RAM, dual ppc processor… best suited for VPN access through internet, Firewalling, QoS, NAT, etc.