[c-nsp] Large-scale site-to-site IPSEC VPN device

Matteo Castelli ML ml at mondopiccolo.net
Fri Oct 8 12:04:10 EDT 2010


Hi,
 we need to maintain an infrastructure with a central hub and 2000
remote locations that do not require connectivity between each other
but only connectivity to/from the central hub.

Due to the nature of the remote device endpoint we can only use
standard IPSEC tunnels for connecting to the central location.

Currently we are using a Netscreen 500 that is now reaching
end-of-support so we'll have to change to a different device next year
and we were focusing on Cisco devices.

We are evaluating mainly two products: the Cisco ASR 1000 series and the
Cisco Catalyst 6500.

Our main requirement is simply being able to manage all these IPSEC
tunnels and some simple firewall rules. Bandwidth is not an issue as
we route a small amount of management traffic.

When Cisco quotes the number of supported IPSEC tunnels for a device
(e.g. http://tinyurl.com/de58xy), does it consider the number of SAs
(i.e. will I have to count two "tunnels" per location, and divide the
number of "maximum tunnels" by two for our needs)?

In another document from Cisco, I found the concept of "deployable
tunnels" vs "maximum tunnels" (http://tinyurl.com/2ws739w); what
exactly does that mean?

Any suggestions on the best possible device for our needs?

Thanks,
 Matteo
