[c-nsp] Large-scale site-to-site IPSEC VPN device

Rodney Dunn rodunn at cisco.com
Mon Oct 11 09:37:15 EDT 2010


I asked around for you to a few of my peers that are more IPSEC savvy.

They informed me:


The ASR or the 65xx with the VPN SPA should be able to do it.

There is also the ASA-5580 and the new ASA-5585.

The 3945e has some pretty high numbers also.

Rodney



On 10/8/10 12:04 PM, Matteo Castelli ML wrote:
> Hi,
>   we need to maintain an infrastructure with a central hub and 2000
> remote locations that do not require connectivity between each other
> but only connectivity to/from the central hub.
>
> Due to the nature of the remote device endpoint we can only use
> standard IPSEC tunnels for connecting to the central location.
>
> Currently we are using a Netscreen 500 that is now reaching
> end-of-support so we'll have to change to a different device next year
> and we were focusing on Cisco devices.
>
> We are evaluating mainly two products Cisco ASR 1000 series and a
> Cisco Catalyst 6500.
>
> Our main requirement is simply being able to manage all these IPSEC
> tunnels and some simple firewall rules. Bandwidth is not an issue as
> we route a small amount of management traffic.
>
> When Cisco quotes the number of supported IPSEC tunnels for a device
> (e.g: http://tinyurl.com/de58xy) does it consider the number of SA
> (aka I will have to consider two "tunnels" per location and we will
> have to divide the number of "maximum tunnels" by two for our needs)?
>
> In another document from Cisco, I found the concept of "deployable
> tunnels" vs "maximum tunnels" (http://tinyurl.com/2ws739w), what
> exactly does it mean?
>
> Any suggestion on the best possible device for our needs?
>
> Thanks,
>   Matteo

