
Having 5,000 Branches and 25,000 devices.

Getting noticed


Good day Everyone,

 

May I ask what device can handle 5,000 concurrent VPNs and endpoint equipment that has 25,000 devices?

 

Thank you.

Kind of a big deal

Re: Having 5,000 Branches and 25,000 devices.

At the moment there is no MX that scales that high up. The numbers are in the MX datasheet:

https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf

 

If your plan is to use it for client VPN... Don't. There are better solutions out there for that. Look for something that has software client support and SSL VPN tunnels. Both of which aren't supported by MX atm.

 

If not, consider if you need to have all clients through a single device.

 

Edit: Also, for those numbers, please get in contact with a Cisco partner or Meraki SEs.

Getting noticed

Re: Having 5,000 Branches and 25,000 devices.

Hi Brecht,

 

This will be used as a VPN tunnel at different locations. May I ask if the MX450 can be used as Active-Active to do load balancing? If not, is there any possible way to cater for the 25,000 end devices, having 5 devices per branch?

 

Thank you sir.

Kind of a big deal

Re: Having 5,000 Branches and 25,000 devices.

I notice now that it's not for client VPN but for regular site-to-site VPN between 5000 branches.

 

An MX450 can support up to 5000 tunnels. While not a hard limit, I would stay under those numbers.

 

When you have two in warm spare, it's an active-passive setup. But nothing stops you from having multiple hubs. What you could do is divide those branches up into regions and have a tiered setup. Let's say you have a US East, US West, Europe and Asia hub. Each of those could be hub to 1250 branches. You can select which hub each branch uses as exit hub (you can even have multiple for redundancy). This lowers the number of tunnels needed per hub.

 

The hubs themselves can be in full mesh to provide connectivity between everything.

 

You can also use local breakout for regular internet and only use the tunnels for corporate applications. This will also lower the resource usage on the hubs.

 

Now there are multiple caveats when counting the number of tunnels needed. Like for example when you have multiple WAN connections, a tunnel is built over each WAN connection. I made a post about that earlier:

https://community.meraki.com/t5/Security-SD-WAN/Maths-number-of-tunnels-full-mesh-and-hub-and-spoke/...

 

That's also the reason why I recommend that you get in contact with a Cisco Meraki partner or a Meraki SE for a huge project like this. They can go into the design deeper and support you in building the right setup.

A model citizen

Re: Having 5,000 Branches and 25,000 devices.

Good advice above - an exciting project though!
Getting noticed

Re: Having 5,000 Branches and 25,000 devices.

Hi Everyone,

 

Just finished talking to the Meraki guys. They gave a very nice solution for this one. The best way to do it is to have a set of one-arm concentrators at the Head Office to disseminate the VPN traffic and to cater for all the 25,000 devices. Given that, we'll be having 8 one-arm concentrators at the Head Office.

 

Cheers everyone, hope this helps.

A model citizen

Re: Having 5,000 Branches and 25,000 devices.

Hi Troyee,

Would you mind sharing the specs of the kit they suggested?

Thanks
Getting noticed

Re: Having 5,000 Branches and 25,000 devices.

Hi Nick,

 

We're gonna be using 8x Meraki 450MX, each with a Warm Spare, as the VPN concentrators at the HQ/DC. All the branches mentioned above will be Meraki 68W. So it will be 700 concurrent VPN connections per 450MX, thus having 8x of it.

 

I hope this helps.

 

Thanks.

A model citizen

Re: Having 5,000 Branches and 25,000 devices.

Thanks, that's helpful!