That is the design recommendation. So the answer is the KS "should not" be a GM. It actually can be a GM through registering the primary key server to the backup and the backup to the primary. But depending on the size of your network this could bite you in the butt if you attempt it. I will be honest that I am not sure of the full load required as I have not implemented this in a production environment.
Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Managing Partner / Sr. Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/> From: [email protected] [mailto:[email protected]] On Behalf Of karim jamali Sent: Monday, November 22, 2010 12:24 PM To: Cisco certification; [email protected] Subject: [OSL | CCIE_Security] OT:GETVPN Enquiry KS Dear Gents, I have a real world implementation regarding GET VPN & I would need some expertise help to confirm what I believe I understood. In a GET VPN scenario, the KS only provide KS functionality, i.e. the KS itself cannot be a GM subscribed to the KS and thus we have to dedicate one router or maybe two for redundancy for KS functionality apart from all the other routers as GM. Is this correct? Please if it is not I would appreciate if you will correct me. Thanks Regards, -- KJ
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
