Dears,

Thanks a lot for your support guys, Piotr, Tyson & Sadiq, I appreciate it a lot. Any reference regarding the scalability, I mean the router processing power for KS, as I have more than a hundred branches? Can anyone help me with a document?

Thanks

On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <[email protected]> wrote:

> Karim,
>
> Although it is possible to cross-register KS, this is NOT recommended.
> This solution is not scalable, can lead to network instability, and you'll
> not get any support from TAC in case of troubles.
>
> I'd recommend using GM role for traffic encryption and KS for key
> distribution. Make sure you have at least 2 KS in the network as this is
> "key" component of this solution.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> “If you can't explain it simply, you don't understand it well enough” -
> Albert Einstein
>
> 2010/11/22 karim jamali <[email protected]>
>
>> Hi Sadiq,
>>
>> Thanks for sharing the info. Let me just try to understand what Tyson has
>> said, which seems interesting to me.
>>
>> I have 4 routers: R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1).
>>
>> R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.
>>
>> I also need to utilize R1 as a GM, thus I can only subscribe it to KS2, &
>> on R2 I will only subscribe it to KS1 (R1).
>>
>> What happens if R1 needs to talk to R4? Recall that R1 is registered to
>> KS2 & R4 is registered to KS1 (R1).
>>
>> As per my understanding, a policy will be downloaded from KS (which
>> contains the ACL encrypted traffic, the transform-set, etc.); there are
>> also KEK/TEK which will be sent by the KS to the GM. Will it not create
>> any kind of conflict problem having the policies/keys received from 2 KS,
>> assuming that the policies definitely have to match?
>>
>> Will this in any way affect the COOP (Active/Standby) operation of the KS?
>>
>> Thanks a lot for your help/feedback.
>>
>> Best Regards,
>>
>> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <[email protected]> wrote:
>>
>> > Hi Karim,
>> >
>> > That's correct. I believe if it's a KS (KS1), then a router can only be
>> > a GM if it subscribes to another KS (KS2). KS1 and KS2 can be running
>> > coop if you want to.
>> >
>> > Someone correct me if I'm off target please.
>> >
>> > Sadiq
>> >
>> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <[email protected]> wrote:
>> >
>> >> Dear Gents,
>> >>
>> >> I have a real world implementation regarding GET VPN & I would need
>> >> some expertise help to confirm what I believe I understood. In a GET
>> >> VPN scenario, the KS only provides KS functionality, i.e. the KS itself
>> >> cannot be a GM subscribed to the KS, and thus we have to dedicate one
>> >> router, or maybe two for redundancy, for KS functionality apart from
>> >> all the other routers as GM. Is this correct? Please, if it is not, I
>> >> would appreciate it if you would correct me.
>> >>
>> >> Thanks
>> >>
>> >> Regards,
>> >> --
>> >> KJ
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> > --
>> > CCIEx2 (R&S|Sec) #19963
>>
>> --
>> KJ

--
KJ
