
Large scale VPN setup

Hi guys

We are investigating setting up a VPN to connect a potential 20,000 devices.

Could someone recommend the model of ASA to best suit this (or another device if recommended)?

From comparisons of the models I am not sure if any of the models support this number of connections!?

(Just in case it matters, the clients will be connecting using either a software VPN client or Microsoft's inbuilt IPsec client.)

Could anybody help?

Many thanks.

Cisco Employee


Hi Mike,

For these kinds of pre-sales and design questions I would suggest talking to the party you buy your Cisco gear from (Partner/Reseller/Cisco Sales), but for what it is worth: it depends if these 20000 devices will (potentially) all connect at the same time or if you will only have e.g. 5000 simultaneous connections.

Assuming you mean 20,000 simultaneous connections, then indeed this cannot be handled by a single ASA, but you can get multiple ASA 5585s and put them in a load-balancing setup (or, if you consider using AnyConnect, you could put the ASAs in geographically different locations and use Optimal Gateway Selection on the client to find the nearest one). The ASA software has load-balancing functionality built in, so you do not need an external load balancer device.

Have a look at table 9 in this document for the specs of the top models:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

I'm not a sales/design guy but personally I'd look at getting e.g. 3x ASA5585-X with SSP-20 or maybe 5x SSP-10.

If the setup is really critical and you need stateful failover, double the number and create failover pairs (e.g. 3 pairs of 5585 with SSP-20).

All of the above is just looking at the number of tunnels - you may need to look at other constraints as well, e.g. throughput, TCP/UDP connections per second etc. etc.

hth

Herbert
