PAN documentation is very weak on large-scale multi-vendor IPSEC hub terminations. Can someone help out and provide best practices, reference architecture, guides, pitfalls or experiences?

My design goals:

- Separate VSYS
- Use dynamic routing for Tunnel Interfaces. (Either OSPF with stub areas to inject default to remote tunnels or RIP)
- Tunnel Interface network routing summarization for optimal system performance with maximum spokes per tunnel.
- Separate virtual router for un-trust interface VPN termination with separate virtual router for tunnel and trust interface.
- If OSPF, maximum spokes per OSPF Area.
- Dynamic routing protocol for VPN VSYS is an autonomous system, BGP summaries are used for trusted network routing.

My environment today is a multi-tenant 7050 design utilizing BGP \ OSPF for segregated departmental internet with 50,000 users in multi-vrf interconnectivity. This VPN service is another layered virtual system that will be collapsed as part of our firewall consolidation project.