Re: OT:GETVPN Enquiry KS

From: karim jamali <karim.jamali_at_gmail.com>
Date: Tue, 23 Nov 2010 00:53:45 +0300

Big thanks to you, Piotr & Tyson.

On Tue, Nov 23, 2010 at 12:36 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:

> Karim,
>
> Depends on KS hardware. For example, a single c7200 is able to support up to
> 2000 GMs (for Phase 1.0) and more (in later phases).
>
> This depends on two factors:
> 1. registration speed (c7200 can handle ~12 registrations/sec for PKI and
> 30 reg/sec for PSK)
> 2. registration window (different for each GETVPN Phase, for 1.0 this is
> 30sec, for Phase 1.2 this is 150sec by default)
>
> As Tyson said, you should contact your Cisco representative to scale it
> right.
>
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/11/22 karim jamali <karim.jamali_at_gmail.com>
>
>> Dears,
>>
>> Thanks a lot for your support guys, Piotr, Tyson & Sadiq, I appreciate it a
>> lot. Any reference regarding the scalability, I mean the router processing
>> power for KS, as I have more than a hundred branches? Can anyone help me
>> with a document?
>>
>> Thanks
>>
>>
>> On Mon, Nov 22, 2010 at 10:51 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Karim,
>>>
>>> Although it is possible to cross-register KS, this is NOT recommended.
>>> This solution is not scalable, can lead to network instability, and you'll
>>> not get any support from TAC in case of troubles.
>>>
>>> I'd recommend using the GM role for traffic encryption and KS for key
>>> distribution. Make sure you have at least 2 KS in the network as this is
>>> the "key" component of this solution.
>>>
>>>
>>> HTH,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security), CCSI #33705
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2010/11/22 karim jamali <karim.jamali_at_gmail.com>
>>>
>>>> Hi Sadiq,
>>>>
>>>> Thanks for sharing the info. Let me just try to understand what Tyson
>>>> has said, which seems interesting to me.
>>>>
>>>> I have 4 routers: R1 & R2 are KS1 and KS2, and R3/R4 are GMs of KS1 (R1).
>>>>
>>>> R1 is KS1, R2 is KS2, R3 & R4 are GMs of KS1, for instance.
>>>>
>>>> I also need to utilize R1 as a GM, thus I can only subscribe it to KS2, &
>>>> on R2 I will only subscribe it to KS1 (R1).
>>>>
>>>> What happens if R1 needs to talk to R4? Recall that R1 is registered to
>>>> KS2 & R4 is registered to KS1 (R1).
>>>>
>>>> As per my understanding, a policy will be downloaded from the KS (which
>>>> contains the ACL for encrypted traffic, the transform-set, etc.); there
>>>> are also the KEK/TEK which will be sent by the KS to the GM. Will it not
>>>> create any kind of conflict problem having the policies/keys received
>>>> from 2 KS, assuming that the policies definitely have to match?
>>>>
>>>> Will this in any way affect the COOP (Active/Standby) operation of
>>>> the KS?
>>>>
>>>> Thanks a lot for your help/feedback.
>>>>
>>>> Best Regards,
>>>>
>>>> On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>>
>>>> > Hi Karim,
>>>> >
>>>> > That's correct. I believe if it's a KS (KS1), then a router can only be
>>>> > a GM if it subscribes to another KS (KS2). KS1 and KS2 can be running
>>>> > COOP if you want to.
>>>> >
>>>> > Someone correct me if I'm off target please.
>>>> >
>>>> > Sadiq
>>>> >
>>>> > On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>>>> >
>>>> >> Dear Gents,
>>>> >>
>>>> >> I have a real-world implementation regarding GET VPN & I would need
>>>> >> some expert help to confirm what I believe I understood. In a GET VPN
>>>> >> scenario, the KS only provides KS functionality, i.e. the KS itself
>>>> >> cannot be a GM subscribed to the KS, and thus we have to dedicate one
>>>> >> router, or maybe two for redundancy, to KS functionality apart from all
>>>> >> the other routers as GMs. Is this correct? If it is not, I would
>>>> >> appreciate it if you would correct me.
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> Regards,
>>>> >> --
>>>> >> KJ
>>>> >>
>>>> >>
>>>> >> Blogs and organic groups at http://www.ccie.net
>>>> >>
>>>> >> _______________________________________________________________________
>>>> >> Subscription information may be found at:
>>>> >> http://www.groupstudy.com/list/CCIELab.html
>>>> >
>>>> >
>>>> > --
>>>> > CCIEx2 (R&S|Sec) #19963
>>>> >
>>>>
>>>> --
>>>> KJ
>>>>
>>>
>>
>>
>> --
>> KJ
>>
>
>

--
KJ
Received on Tue Nov 23 2010 - 00:53:45 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
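To make the thread's recommendation concrete (dedicated key servers, at least two of them in COOP, and every branch router as a GM that lists both KS), here is an added IOS configuration sketch. It is not from any poster in the thread; the group id, names, addresses and priorities are assumed sample values, and the ISAKMP policy, IPsec profile and ACL referenced by name are assumed to be defined separately.

```cisco
! Added illustration, not from the thread. Two dedicated COOP key servers
! (KS1 primary, KS2 secondary) and one group member; all values are samples.
! Both KS must hold the same RSA key pair (GETVPN-REKEY) for rekey signing.

! ---- KS1 (R1, dedicated key server, primary) ----
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 ENCRYPT-TRAFFIC
  address ipv4 10.0.0.1
  redundancy
   local priority 100
   peer address ipv4 10.0.0.2

! ---- KS2 (R2, dedicated key server, secondary) ----
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 ENCRYPT-TRAFFIC
  address ipv4 10.0.0.2
  redundancy
   local priority 50
   peer address ipv4 10.0.0.1

! ---- GM (R3, R4 and every branch router) ----
! The GM lists both KS; it registers with the first reachable one and
! receives the same policy, KEK and TEK whichever KS answers.
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 10.0.0.1
 server address ipv4 10.0.0.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
interface GigabitEthernet0/0
 crypto map GETVPN-MAP

! Verification on a KS: "show crypto gdoi ks coop" should show one primary
! and one secondary; on a GM: "show crypto gdoi" shows the registered KS.
```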