GRE-IPsec tunnels are extremely CPU intensive and rapidly max a unit out. The best recommendation would be to use a NetVanta 4430 (with Enhanced Firmware) as your central-site device and leave the 3458s for the edges. The 4430 is our top-of-the-line unit and would be the only one that has the potential to deal with all those tunnels in a single device, but we cannot guarantee that.
Unfortunately, we have no answer to the "recommended maximum" question because the usage cases are different for every customer. A GRE-IPsec tunnel that is relatively quiet (low usage) has an entirely different CPU utilization profile than one that is moderately or heavily used, and there's just no way for us to test and validate every case.
So my best recommendation is the 4430 w/EFP and see how far it takes you, then supplement with a secondary unit later - either another 4430 and split the tunnels between them or use a spare 3458 for the few that the 4430 might not handle.
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.