Karim -

> Any reference regarding the scalability 

Check this: "GET VPN Design and Implementation Guide"
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

Also search the internet for "Networkers_2009_IPSEC_and_GET_VPN" and
download the .rar-files. 


> I mean the router processing power for 
> KS as I have more than hundred branches..?

2x2900s can handle them. It's not just processing power that counts. It's
also (global) redundancy. The KSs must be highly available.


-
Daniel


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
karim jamali
Sent: Monday, 22 November 2010 21:43
To: Piotr Matusiak
Cc: Sadiq Yakasai; Cisco certification; [email protected]
Subject: Re: OT:GETVPN Enquiry KS

Dears,

Thanks a lot for your support guys, Piotr, Tyson & Sadiq, I appreciate it a
lot. Any reference regarding the scalability? I mean the router processing
power for KS, as I have more than a hundred branches. Can anyone help me with a
document?

Thanks

On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <[email protected]> wrote:

> Karim,
>
> Although it is possible to cross-register KS, this is NOT recommended.
> This solution is not scalable, can lead to network instability, and 
> you'll not get any support from TAC in case of troubles.
>
> I'd recommend using GM role for traffic encryption and KS for key 
> distribution. Make sure you have at least 2 KS in the network as this 
> is "key" component of this solution.
>
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705 Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough 
> - Albert Einstein
>
>
> 2010/11/22 karim jamali <[email protected]>
>
>> Hi Sadiq,
>>
>> Thanks for sharing the info. Let me just try to understand what Tyson 
>> has said which seems interesting to me.
>>
>> I have 4 routers R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1)
>>
>> R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.
>>
>> I need also to utilize R1 as a GM, thus I can only subscribe it to KS2 & on
>> R2 I will only subscribe it to KS1 (R1).
>>
>> What happens if R1 needs to talk to R4? Recall that R1 is registered to KS2 &
>> R4 is registered to KS1 (R1).
>>
>> As per my understanding, a policy will be downloaded from KS (which
>> contains the ACL encrypted traffic, the transform-set, etc.); there are
>> also KEK/TEK which will be sent by the KS to the GM. Will it not create
>> any kind of conflict problem having the policies/keys received from 2 KS,
>> assuming that the policies definitely have to match?
>>
>> Will this in any way affect the COOP operation (Active/Standby) 
>> operation of the KS?
>>
>> Thanks a lot for your help/feedback.
>>
>> Best Regards,
>>
>>
>>
>>
>>
>> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <[email protected]>
>> wrote:
>>
>> > Hi Karim,
>> >
>> > That's correct. I believe if it's a KS (KS1), then a router can only be a GM
>> > if it subscribes to another KS (KS2). KS1 and KS2 can be running coop if you
>> > want to.
>> >
>> > Someone correct me if I'm off target please.
>> >
>> > Sadiq
>> >
>> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <[email protected]> wrote:
>> >
>> >> Dear Gents,
>> >>
>> >> I have a real world implementation regarding GET VPN & I would need some
>> >> expertise help to confirm what I believe I understood. In a GET VPN
>> >> scenario, the KS only provide KS functionality, i.e. the KS itself cannot be
>> >> a GM subscribed to the KS and thus we have to dedicate one router or maybe
>> >> two for redundancy for KS functionality apart from all the other routers as
>> >> GM. Is this correct? Please if it is not I would appreciate if you will
>> >> correct me.
>> >>
>> >> Thanks
>> >>
>> >> Regards,
>> >> --
>> >> KJ
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >
>> >
>> > --
>> > CCIEx2 (R&S|Sec) #19963
>> >
>>
>>
>>
>> --
>> KJ
>>
>>
>


--
KJ

