Karim,
Depends on KS hardware. For example, a single c7200 is able to support up to
2000 GMs (for Phase 1.0) and more (in later phases).
This depends on two factors:
1. registration speed (c7200 can handle ~12 registrations/sec for PKI and 30
reg/sec for PSK)
2. registration window (different for each GETVPN Phase, for 1.0 this is
30sec, for Phase 1.2 this is 150sec by default)
As Tyson said, you should contact your Cisco representative to scale it
right.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2010/11/22 karim jamali <karim.jamali_at_gmail.com>

> Dears,
>
> Thanks a lot for your support guys, Piotr, Tyson & Sadiq I appreciate it a
> lot. Any reference regarding the scalability I mean the router processing
> power for KS as I have more than a hundred branches, can anyone help me with a
> document?
>
> Thanks
>
> On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Karim,
>>
>> Although this is possible to cross-register KS this is NOT recommended.
>> This solution is not scalable, can lead to network instability, and you'll
>> not get any support from TAC in case of troubles.
>>
>> I'd recommend using GM role for traffic encryption and KS for key
>> distribution. Make sure you have at least 2 KS in the network as this is
>> "key" component of this solution.
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security), CCSI #33705
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>> 2010/11/22 karim jamali <karim.jamali_at_gmail.com>
>>
>>> Hi Sadiq,
>>>
>>> Thanks for sharing the info. Let me just try to understand what Tyson has
>>> said which seems interesting to me.
>>>
>>> I have 4 routers R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1)
>>>
>>> R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.
>>>
>>> I need also to utilize R1 as a GM thus I can only subscribe it to KS2 & on
>>> R2 I will only subscribe it to KS1 (R1).
>>>
>>> What happens if R1 needs to talk to R4 recall that R1 is registered to
>>> KS2 & R4 is registered to KS1 (R1).
>>>
>>> As per my understanding that a policy will be downloaded from KS (which
>>> contains the ACL encrypted traffic, the transform-set..etc, there are also
>>> KEK/TEK which will be sent by the KS to the GM. Will it not create any kind
>>> of conflict problem having the policies/Keys received from 2 KS, assuming
>>> that the policies definitely have to match.
>>>
>>> Will this in any way affect the COOP operation (Active/Standby) operation of
>>> the KS?
>>>
>>> Thanks a lot for your help/feedback.
>>>
>>> Best Regards,
>>>
>>> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>> wrote:
>>>
>>> > Hi Karim,
>>> >
>>> > That's correct. I believe if it's a KS (KS1), then a router can only be a GM
>>> > if it subscribes to another KS (KS2). KS1 and KS2 can be running coop if you
>>> > want to.
>>> >
>>> > Someone correct me if I'm off target please.
>>> >
>>> > Sadiq
>>> >
>>> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>>> >
>>> >> Dear Gents,
>>> >>
>>> >> I have a real world implementation regarding GET VPN & I would need some
>>> >> expertise help to confirm what I believe I understood. In a GET VPN
>>> >> scenario, the KS only provides KS functionality, i.e. the KS itself cannot be
>>> >> a GM subscribed to the KS and thus we have to dedicate one router or maybe
>>> >> two for redundancy for KS functionality apart from all the other routers as
>>> >> GM. Is this correct? Please if it is not I would appreciate if you will
>>> >> correct me.
>>> >>
>>> >> Thanks
>>> >>
>>> >> Regards,
>>> >> --
>>> >> KJ
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>> >
>>> > --
>>> > CCIEx2 (R&S|Sec) #19963
>>>
>>> --
>>> KJ
>
> --
> KJ

Received on Mon Nov 22 2010 - 22:36:24 ART