Big thanks to you, Piotr & Tyson.

On Tue, Nov 23, 2010 at 12:36 AM, Piotr Matusiak <[email protected]> wrote:

> Karim,
>
> Depends on KS hardware. For example, single c7200 is able to support up to
> 2000 GMs (for Phase 1.0) and more (in later phases).
>
> This depends on two factors:
> 1. registration speed (c7200 can handle ~12 registrations/sec for PKI and
>    30 reg/sec for PSK)
> 2. registration window (different for each GETVPN Phase, for 1.0 this is
>    30sec, for Phase 1.2 this is 150sec by default)
>
> As Tyson said, you should contact your Cisco representative to scale it
> right.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> “If you can't explain it simply, you don't understand it well enough” -
> Albert Einstein
>
> 2010/11/22 karim jamali <[email protected]>
>
>> Dears,
>>
>> Thanks a lot for your support guys, Piotr, Tyson & Sadiq, I appreciate it a
>> lot. Any reference regarding the scalability, I mean the router processing
>> power for KS, as I have more than hundred branches, can anyone help me with a
>> document?
>>
>> Thanks
>>
>> On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Karim,
>>>
>>> Although this is possible to cross-register KS this is NOT recommended.
>>> This solution is not scalable, can lead to network instability, and you'll
>>> not get any support from TAC in case of troubles.
>>>
>>> I'd recommend using GM role for traffic encryption and KS for key
>>> distribution. Make sure you have at least 2 KS in the network as this is
>>> "key" component of this solution.
>>>
>>> HTH,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security), CCSI #33705
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> “If you can't explain it simply, you don't understand it well enough” -
>>> Albert Einstein
>>>
>>> 2010/11/22 karim jamali <[email protected]>
>>>
>>>> Hi Sadiq,
>>>>
>>>> Thanks for sharing the info. Let me just try to understand what Tyson has
>>>> said, which seems interesting to me.
>>>>
>>>> I have 4 routers: R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1)
>>>>
>>>> R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.
>>>>
>>>> I need also to utilize R1 as a GM, thus I can only subscribe it to KS2 & on
>>>> R2 I will only subscribe it to KS1 (R1).
>>>>
>>>> What happens if R1 needs to talk to R4? Recall that R1 is registered to
>>>> KS2 & R4 is registered to KS1 (R1).
>>>>
>>>> As per my understanding, a policy will be downloaded from KS (which
>>>> contains the ACL encrypted traffic, the transform-set, etc.); there are
>>>> also KEK/TEK which will be sent by the KS to the GM. Will it not create any
>>>> kind of conflict problem having the policies/keys received from 2 KS,
>>>> assuming that the policies definitely have to match?
>>>>
>>>> Will this in any way affect the COOP operation (Active/Standby)
>>>> of the KS?
>>>>
>>>> Thanks a lot for your help/feedback.
>>>>
>>>> Best Regards,
>>>>
>>>> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <[email protected]> wrote:
>>>>
>>>> > Hi Karim,
>>>> >
>>>> > That's correct. I believe if it's a KS (KS1), then a router can only be
>>>> > a GM if it subscribes to another KS (KS2). KS1 and KS2 can be running
>>>> > coop if you want to.
>>>> >
>>>> > Someone correct me if I'm off target please.
>>>> >
>>>> > Sadiq
>>>> >
>>>> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <[email protected]> wrote:
>>>> >
>>>> >> Dear Gents,
>>>> >>
>>>> >> I have a real world implementation regarding GET VPN & I would need
>>>> >> some expertise help to confirm what I believe I understood. In a GET
>>>> >> VPN scenario, the KS only provides KS functionality, i.e. the KS itself
>>>> >> cannot be a GM subscribed to the KS and thus we have to dedicate one
>>>> >> router or maybe two for redundancy for KS functionality apart from all
>>>> >> the other routers as GM. Is this correct? Please if it is not I would
>>>> >> appreciate if you will correct me.
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> Regards,
>>>> >> --
>>>> >> KJ
>>>> >>
>>>> >> Blogs and organic groups at http://www.ccie.net
>>>> >>
>>>> >> _______________________________________________________________________
>>>> >> Subscription information may be found at:
>>>> >> http://www.groupstudy.com/list/CCIELab.html
>>>> >
>>>> > --
>>>> > CCIEx2 (R&S|Sec) #19963
>>>>
>>>> --
>>>> KJ
>>
>> --
>> KJ

--
KJ
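
The layout recommended in the thread (two dedicated key servers running COOP, with every other router registering as a group member to both) looks roughly like this in IOS configuration. This is an added example, not configuration posted by anyone in the thread; the group name, identity number, addresses, ACL, key label and pre-shared key are constructed placeholders.

```cisco
! ===== KS1: dedicated key server (constructed address 192.0.2.1) =====
! The rekey RSA key must be identical on both COOP key servers, so it is
! generated as exportable here and imported on KS2.
crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Placeholder key; covers the GMs and the peer KS (constructed range).
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.0 255.255.255.0
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic the group encrypts; the same policy must exist on both KS.
ip access-list extended GETVPN-ENCRYPT
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GROUP
 identity number 1001
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! KS2 mirrors this block with "address ipv4 192.0.2.2", a lower
! "local priority", "peer address ipv4 192.0.2.1" and the imported key.
!
! ===== Group member: any branch router, never one of the key servers =====
! (needs a matching ISAKMP policy and key toward both KS)
crypto gdoi group GETVPN-GROUP
 identity number 1001
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```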
