Thanks a lot Daniel. Much appreciated!

On Tue, Nov 23, 2010 at 11:11 AM, Daniel Kutchin <[email protected]> wrote:
> Karim -
>
> > Any reference regarding the scalability
>
> Check this: "GET VPN Design and Implementation Guide"
>
> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
>
> Also search the internet for "Networkers_2009_IPSEC_and_GET_VPN" and
> download the .rar-files.
>
> > I mean the router processing power for
> > KS as I have more than hundred branches?
>
> 2x2900s can handle them. It's not just processing power that counts. It's
> also (global) redundancy. The KSs must be highly available.
>
> -
> Daniel
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> karim jamali
> Sent: Monday, 22 November 2010 21:43
> To: Piotr Matusiak
> Cc: Sadiq Yakasai; Cisco certification; [email protected]
> Subject: Re: OT:GETVPN Enquiry KS
>
> Dears,
>
> Thanks a lot for your support guys, Piotr, Tyson & Sadiq I appreciate it a
> lot. Any reference regarding the scalability, I mean the router processing
> power for KS as I have more than hundred branches, can anyone help me with
> a document?
>
> Thanks
>
> On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <[email protected]> wrote:
>
> > Karim,
> >
> > Although this is possible to cross-register KS this is NOT recommended.
> > This solution is not scalable, can lead to network instability, and
> > you'll not get any support from TAC in case of troubles.
> >
> > I'd recommend using GM role for traffic encryption and KS for key
> > distribution. Make sure you have at least 2 KS in the network as this
> > is "key" component of this solution.
> >
> > HTH,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security), CCSI #33705 Technical Instructor
> > website: www.MicronicsTraining.com
> > blog: www.ccie1.com
> >
> > If you can't explain it simply, you don't understand it well enough
> > - Albert Einstein
> >
> > 2010/11/22 karim jamali <[email protected]>
> >
> >> Hi Sadiq,
> >>
> >> Thanks for sharing the info. Let me just try to understand what Tyson
> >> has said which seems interesting to me.
> >>
> >> I have 4 routers R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1)
> >>
> >> R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.
> >>
> >> I need also to utilize R1 as a GM thus I can only subscribe it to KS2
> >> & on R2 I will only subscribe it to KS1 (R1).
> >>
> >> What happens if R1 needs to talk to R4 recall that R1 is registered
> >> to KS2 & R4 is registered to KS1 (R1).
> >>
> >> As per my understanding that a policy will be downloaded from KS
> >> (which contains the ACL encrypted traffic, the transform-set, etc.),
> >> there are also KEK/TEK which will be sent by the KS to the GM. Will
> >> it not create any kind of conflict problem having the policies/Keys
> >> received from 2 KS, assuming that the policies definitely have to
> >> match.
> >>
> >> Will this in any way affect the COOP operation (Active/Standby)
> >> operation of the KS?
> >>
> >> Thanks a lot for your help/feedback.
> >>
> >> Best Regards,
> >>
> >> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <[email protected]> wrote:
> >>
> >> > Hi Karim,
> >> >
> >> > That's correct. I believe if it's a KS (KS1), then a router can only
> >> > be a GM if it subscribes to another KS (KS2). KS1 and KS2 can be
> >> > running coop if you want to.
> >> >
> >> > Someone correct me if I'm off target please.
> >> >
> >> > Sadiq
> >> >
> >> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <[email protected]> wrote:
> >> >
> >> >> Dear Gents,
> >> >>
> >> >> I have a real world implementation regarding GET VPN & I would need
> >> >> some expertise help to confirm what I believe I understood. In a GET
> >> >> VPN scenario, the KS only provide KS functionality, i.e. the KS
> >> >> itself cannot be a GM subscribed to the KS and thus we have to
> >> >> dedicate one router or maybe two for redundancy for KS functionality
> >> >> apart from all the other routers as GM. Is this correct? Please if it
> >> >> is not I would appreciate if you will correct me.
> >> >>
> >> >> Thanks
> >> >>
> >> >> Regards,
> >> >> --
> >> >> KJ
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> > --
> >> > CCIEx2 (R&S|Sec) #19963
> >>
> >> --
> >> KJ
>
> --
> KJ
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
KJ
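
The layout recommended in the thread (two dedicated key servers running COOP, every branch router a GM that lists both of them), sketched as IOS configuration. This is an added example, not part of any message in the thread: the group name, identity number, addresses, ACL and key label are constructed, and ISAKMP policy and authentication between the devices are assumed to be configured already.

```cisco
! ---- KS1 (constructed address 192.0.2.1). KS2 mirrors this block with the
! ---- "address" and "peer address" swapped and a lower "local priority".
!
! Rekey signing key: generate once as exportable and import the SAME key on
! KS2, so GMs accept rekeys from whichever KS is primary.
crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
!
! Dead-peer detection between the COOP key servers.
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Policy pushed to every GM: leave GDOI (UDP 848) in clear, encrypt site traffic.
ip access-list extended GETVPN-ACL
 deny udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! ---- Every GM (branch router): same group identity, both KSs listed,
! ---- and no "server local" section.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

The policy (ACL, transform set, rekey settings) has to be identical on both key servers, since a GM may register with either one.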
