[c-nsp] How to terminate 100.000 IPsec VPN clients?

Kenny Sallee kenny.sallee at gmail.com
Thu Sep 8 15:33:50 EDT 2011


On Thu, Sep 8, 2011 at 12:05 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:

> On Fri, Sep 2, 2011 at 16:55, Florian Bauhaus
> <f.bauhaus at portrix-systems.de> wrote:
> > Hello,
> >
> > What would be the best way to terminate 100k IPsec VPN clients?
> >
> > Use a 6500/7600 with appropriate modules? Put 10 ASA5580-20 in a rack?
> > How to manage the whole thing?
> > The clients won't make a lot of traffic so throughput isn't really a
> matter.
>

Where I work we terminate somewhere between 5-7k ACL-based VPN tunnels (last
I checked) on 4 6504s w/ hardware encryption modules - configured w/ 2 HSRP
groups for failover and stateful IPsec - purrs along.  Has been implemented
for probably about 8 years (on the same hardware).  When one fails, no one
notices.  We use a home-grown management tool to spin up and down VPN
tunnels (and create client-side configs).  I'm sure you can find some vendor
to say they support a bazillion tunnels, but at the end of the day, for this
many tunnels and I'm sure associated revenue, you will have to build out a
solution that scales horizontally.  If you want more details on the config
and more of my .02 on how to build something like this, you can contact me
off list with more details on what you are trying to accomplish, types of
tunnels, and any other relevant info.
Kenny