Re: OT:GETVPN Enquiry KS from karim jamali on 2010-11-22 (Ccielab archives 11/2010)

From: karim jamali <karim.jamali_at_gmail.com>
Date: Mon, 22 Nov 2010 20:55:34 +0300

Hi Sadiq,

Thanks for sharing the info. Let me just try to understand what Tyson has
said which seems interesting to me.

I have 4 routers R1 & R2 are KS1,2 and R3/R4 are GM of KS1 (R1)

R1 is KS1/R2 is KS2/R3 & R4 are GM of KS1 for instance.

I need also to utilize R1 as a GM thus I can only subscribe it to KS2 & on
R2 i will only subscribe it to KS1 (R1).

What happens if R1 needs to talk to R4 recall that R1 is registered to KS2 &
R4 is registered to KS1 (R1).

As per my understanding that a policy will be downloaded from KS (which
contains the ACL encrypted traffic, the transform-set..etc, there are also
KEK/TEK which will be sent by the KS to the GM. Will it not create any kind
of conflict problem having the policies/Keys received from 2 KS, assuming
that the policies definitely have to match.

Will this in any way affect the COOP operation (Active/Standby) operation of
the KS?

Thanks a lot for your help/feedback.

Best Regards,

On Mon, Nov 22, 2010 at 8:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Hi Karim,
>
> Thats correct. I believe if its a KS (KS1), then a router can only be a GM
> if it subscribes to another KS (KS2). KS1 and KS2 can be running coop if you
> want to.
>
> Someone correct me if I'm off target please.
>
> Sadiq
>
> On Mon, Nov 22, 2010 at 5:24 PM, karim jamali <karim.jamali_at_gmail.com>wrote:
>
>> Dear Gents,
>>
>> I have a real world implementation regarding GET VPN & I would need some
>> expertise help to confirm what I believe I understood. In a GET VPN
>> scenario, the KS only provide KS functionality, i.e. the KS itself cannot
>> be
>> a GM subscribed to the KS and thus we have to dedicate one router or maybe
>> two for redundancy for KS functionality apart from all the other routers
>> as
>> GM. Is this correct? Please if it is not I would appreciate if you will
>> correct me.
>>
>> Thanks
>>
>> Regards,
>> --
>> KJ
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
KJ
Blogs and organic groups at http://www.ccie.net

Received on Mon Nov 22 2010 - 20:55:34 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART