Having 5,000 Branches and 25,000 devices.

Troyee
Getting noticed

Good day Everyone,

May I ask what device can handle 5,000 concurrent VPNs and endpoint equipment that has 25,000 devices?

Thank you.

8 REPLIES
BrechtSchamp
Kind of a big deal

At the moment there is no MX that scales that high up. The numbers are in the MX datasheet:

https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf

If your plan is to use it for client VPN... Don't. There are better solutions out there for that. Look for something that has software client support and SSL VPN tunnels. Both of which aren't supported by MX atm.

If not, consider if you need to have all clients through a single device.

Edit: Also, for those numbers, please get in contact with a Cisco partner or Meraki SEs.

Hi Brecht,

This will be used as a VPN tunnel on different locations. May I ask if the MX450 can be used as Active-Active to do load balancing? If not, is there any possible way to cater for the 25,000 end devices, having 5 devices per branch?

Thank you sir.

BrechtSchamp
Kind of a big deal

I notice now that it's not for client VPN but for regular site-to-site VPN between 5000 branches.

An MX450 can support up to 5000 tunnels. While not a hard limit, I would stay under those numbers.

When you have two in warm spare, it's an active-passive setup. But nothing stops you from having multiple hubs. What you could do is divide those branches up into regions and have a tiered setup. Let's say you have a US East, US West, Europe and Asia hub. Each of those could be hub to 1250 branches. You can select which hub each branch uses as exit hub (you can even have multiple for redundancy). This lowers the number of tunnels needed per hub.

The hubs themselves can be in full mesh to provide connectivity between everything.

You can also use local breakout for regular internet and only use the tunnels for corporate applications. This will also lower the resource usage on the hubs.

Now there are multiple caveats when counting the number of tunnels needed. For example, when you have multiple WAN connections, a tunnel is built over each WAN connection. I made a post about that earlier:

https://community.meraki.com/t5/Security-SD-WAN/Maths-number-of-tunnels-full-mesh-and-hub-and-spoke/...

That's also the reason why I recommend that you get in contact with a Cisco Meraki partner or a Meraki SE for a huge project like this. They can go into the design deeper and support you in building the right setup.

Nick
Head in the Cloud

Good advice above - an exciting project though!
Troyee
Getting noticed

Hi Everyone,

Just finished talking to the Meraki guys. They gave a very nice solution for this one. The best way to do it is to have a set of one-arm concentrators at the Head Office to disseminate the VPN traffic and to cater for all the 25,000 devices. Given that, we'll be having 8 one-arm concentrators at the Head Office.

Cheers everyone, hope this helps.

Nick
Head in the Cloud

Hi Troyee,

Would you mind sharing the specs of the kit they suggested?

Thanks
Troyee
Getting noticed

Hi Nick,

We're gonna be using 8x Meraki 450MX that have a warm spare for the VPN concentrator at the HQ/DC. All the branches mentioned above will be Meraki 68W. So it will be 700 concurrent VPN connections per 450MX, thus having 8x of it.

I hope this helps.

Thanks.
Nick
Head in the Cloud

Thanks, that's helpful!