[c-nsp] How to terminate 100.000 IPsec VPN clients?
Jeff Kell
jeff-kell at utc.edu
Tue Sep 6 22:05:46 EDT 2011
On 9/6/2011 8:09 PM, Chris Evans wrote:
> Checked the 5585 limits? It's supposed to blow a 5580 out of the water...
> On paper.
I don't think anyone has mentioned it yet, but there is also ASA VPN
Load Balancing clusters. You can combine a number of boxes together,
configure the cluster (participation channel/key plus a virtual IP for
the cluster) members.
Clients connect to the cluster, it forwards them to the member with the
least load.
It's a bit "manual" setting up the members (you have to insure all
insides/outsides are on same subnets, with equivalent VPN
groups/policies across the board, there's no auto-synchronization like
you get with failover pairs), but it works. Each box will need its own
internal VPN IP pool and routing, etc.
Just got through doing a POC of a small cluster (as opposed to an
active/standby pair) on latest 8.x software, but given that I'm
terminating several orders of magnitude less than 100K clients <grin>
I'll take the simplicity of the failover pair.
Jeff
More information about the cisco-nsp
mailing list