Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
2
Replies

Multiple GET VPN Clouds with Multicast

Go to solution
Xavier Lloyd
Level 1
Level 1

‎10-02-2013 07:37 AM

Hi all,

Is it a recommended approach to use different multicast addresses if using one key server to manage several GET VPN groups? It isn't a hosted service provider environment but just for a single customer with a need for logical separation.

I figure it would be a good idea to do that but I'm not very familiar with multicast on a whole so I'd appreciate anyone sharing similar experiences or any potential pitfalls with this config. Is there anything I need to watch out for?

Xavier

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-02-2013 09:20 AM

Xavier,

since we can separate information on GDOI group level you shoudl not need to use mutliple addresses.

However consider a scenario in which a GM is part of group 1 but not group 2. It will recive rekey for both, but will not be able to understand group2 rekey, once an hour you will see log messages indicating a problem.

It makes sense to separate mcast addresses especially if this deployment might grow/fork/expand in future.

M.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-02-2013 09:20 AM

Xavier,

since we can separate information on GDOI group level you shoudl not need to use mutliple addresses.

However consider a scenario in which a GM is part of group 1 but not group 2. It will recive rekey for both, but will not be able to understand group2 rekey, once an hour you will see log messages indicating a problem.

It makes sense to separate mcast addresses especially if this deployment might grow/fork/expand in future.

M.

0 Helpful

Go to solution
Xavier Lloyd
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-04-2013 07:30 AM

Thanks Marcin, decided to go with the second multicast group after all. Just finished labbing it up so I should be good.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents