Policies have to match for both by default anyways. Again, although what you
have pointed out below is possible, it is more of a CCIE scenario than real
world. I don't recommend it. But you are more than welcome to try.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
http://www.ipexpert.com/communities and our public website at
http://www.ipexpert.com/
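To illustrate Tyson's point that both key servers must carry identical policy, here is an added, constructed Cisco IOS configuration sketch for a COOP KS pair and a GM (it is not from any poster in this thread). Every address, name and key label is an assumed placeholder, and the rekey RSA key pair is assumed to have been imported under the same label on both KSes.

```cisco
! Added example, constructed for this thread; all names/addresses are placeholders.
! --- KS1 (R1). KS2 (R2) carries the identical crypto gdoi policy, differing only
! --- in its own "address ipv4", "local priority" and "peer address".
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GET-TS esp-aes esp-sha-hmac
crypto ipsec profile GET-PROF
 set transform-set GET-TS
!
! Traffic policy pushed to every GM; GDOI control traffic (UDP 848) stays clear.
ip access-list extended GET-ACL
 deny   udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GET-GRP
 identity number 1234
 server local
  ! the same RSA key pair must exist under this label on KS2 for rekeys to verify
  rekey authentication mypubkey rsa GET-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-ACL
  address ipv4 10.255.0.1
  redundancy
   local priority 100
   peer address ipv4 10.255.0.2
!
! --- GM (R3/R4): list both KSes; whichever it registers with hands out the
! --- same KEK/TEK and ACL, so policy from "two KSes" is in fact one policy.
crypto gdoi group GET-GRP
 identity number 1234
 server address ipv4 10.255.0.1
 server address ipv4 10.255.0.2
crypto map GET-MAP 10 gdoi
 set group GET-GRP
interface GigabitEthernet0/0
 crypto map GET-MAP
```

A KS that also needs GM service (the R1 case in the thread) would carry only the GM stanza pointing at the other KS, which is why the two KS policies must be identical before that design can work at all.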


From: [email protected] On Behalf Of karim jamali
Sent: Monday, November 22, 2010 12:56 PM
To: Sadiq Yakasai
Cc: Cisco certification; [email protected]
Subject: Re: [OSL | CCIE_Security] OT:GETVPN Enquiry KS


Hi Sadiq,

Thanks for sharing the info. Let me just try to understand what Tyson has
said, which seems interesting to me.

I have 4 routers: R1 & R2 are KS1 and KS2, and R3/R4 are GMs of KS1 (R1).

R1 is KS1, R2 is KS2, and R3 & R4 are GMs of KS1, for instance.

I also need to utilize R1 as a GM, thus I can only subscribe it to KS2, and on
R2 I will only subscribe it to KS1 (R1).

What happens if R1 needs to talk to R4? Recall that R1 is registered to KS2 and
R4 is registered to KS1 (R1).

As per my understanding, a policy will be downloaded from the KS (which
contains the ACL for encrypted traffic, the transform-set, etc.); there are also
the KEK/TEK which will be sent by the KS to the GM. Will it not create any kind
of conflict problem having the policies/keys received from 2 KSs, assuming
that the policies definitely have to match?

Will this in any way affect the COOP (Active/Standby) operation of the KS?

Thanks a lot for your help/feedback.

Best Regards,

On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <[email protected]> wrote:

Hi Karim,

That's correct. I believe if it's a KS (KS1), then a router can only be a GM
if it subscribes to another KS (KS2). KS1 and KS2 can be running COOP if you
want to.

Someone correct me if I'm off target please.

Sadiq

On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <[email protected]> wrote:

Dear Gents,

I have a real world implementation regarding GET VPN and I would need some
expert help to confirm what I believe I understood. In a GET VPN scenario,
the KS only provides KS functionality, i.e. the KS itself cannot be a GM
subscribed to the KS, and thus we have to dedicate one router (or maybe two
for redundancy) to KS functionality, apart from all the other routers as GMs.
Is this correct? If it is not, I would appreciate it if you would correct me.

Thanks

Regards,
--
KJ

Blogs and organic groups at http://www.ccie.net

_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html

-- 
CCIEx2 (R&S|Sec) #19963
-- 
KJ

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com