GETVPN

GETVPN is providing redundancy. but can it provide load balancing ? If yes then how please explain

1 ACCEPTED SOLUTION


Hi,

Thanks for clarifying.

COOP KSs provide redundancy to GET VPN. Multiple KSs are supported by GET VPN to ensure redundancy, high availability (HA), and fast recovery in case of network failure.

The primary KS is responsible for creating and distributing group policy. It also periodically sends out group information updates to all other KSs to keep those servers in synchronization. If the secondary KSs somehow miss the updates, they contact the primary KS to directly request information updates. The secondary KSs mark the primary KS as unreachable if the updates are not received for an extended period of time.

Cooperative GDOI KSs can jointly manage the GDOI registrations for the group, which achieves load balancing during the GM registration process. When a new policy is created on a primary KS, the primary KS distributes rekey messages to GDOI GMs regardless of which KS a GM is registered with.

COOP KSs use announcement messages to communicate with each other. These messages are exchanged on UDP port 848, as defined for GDOI. All KS-to-KS messages are secured using Phase I (ISAKMP) negotiated keys.

Primary KSs periodically send announcement messages to the secondary KSs. These messages enable the KSs to exchange state information about GMs and policies. The various components of these messages are:


--- KS sender priority: This value describes the priority of the sender, which is configurable using the CLI. The KS with the highest priority becomes the primary KS. If two KSs have the same priority, the KS with the highest IP address becomes the primary KS.

--- KS role: This value describes the role of a KS (primary or secondary).

--- Group policies: Group policies are maintained for a group and include information such as GM information and IPsec SAs and keys.

Regards,

Aditya

Please rate helpful and mark correct answers

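The primary-KS election and failover behaviour described in the accepted answer (highest priority wins, ties go to the highest IP address, and a primary whose announcements stop for an extended period is marked unreachable), as an added example that is not part of the original thread or any Cisco code; the KS names, addresses, priorities and the 60-second "extended period" are assumed sample values:

```python
# Added example modelling the COOP key-server election from the answer above.
# Each KS carries a priority in its announcement messages; the highest priority
# becomes primary and a tie is broken by the highest IP address. A KS that has not
# announced within dead_after seconds is treated as unreachable and excluded.
# Names, IPs, priorities and the 60 s window are constructed sample values.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class KeyServer:
    name: str
    ip: str
    priority: int             # configurable on the real KS via the CLI
    last_announcement: float  # time (s) the last announcement was received from it


def elect_primary(servers):
    """Highest priority wins; on a tie the KS with the highest IP address wins."""
    if not servers:
        raise ValueError("no reachable key servers")
    return max(servers, key=lambda ks: (ks.priority, int(IPv4Address(ks.ip))))


def reachable(servers, now, dead_after):
    """Keep only KSs whose last announcement is younger than the dead_after window."""
    return [ks for ks in servers if now - ks.last_announcement < dead_after]


def current_primary(servers, now, dead_after=60.0):
    """Primary as seen by the surviving KSs: drop the silent ones, then elect."""
    return elect_primary(reachable(servers, now, dead_after))


def announce(servers, name, now):
    """Record that KS `name` sent an announcement at time `now`."""
    return [replace(ks, last_announcement=now) if ks.name == name else ks for ks in servers]


# Constructed sample COOP group: ks1 and ks2 share the top priority.
SAMPLE_KS = [
    KeyServer("ks1", "10.0.0.1", priority=100, last_announcement=0.0),
    KeyServer("ks2", "10.0.0.2", priority=100, last_announcement=0.0),
    KeyServer("ks3", "10.0.0.3", priority=50, last_announcement=0.0),
]

if __name__ == "__main__":
    print(current_primary(SAMPLE_KS, now=10.0).name)  # ks2: tie on priority, higher IP
    group = announce(announce(SAMPLE_KS, "ks1", 100.0), "ks3", 100.0)  # ks2 goes quiet
    print(current_primary(group, now=130.0).name)     # ks1: ks2 marked unreachable
```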

4 REPLIES

Hi,

GETVPN is just a feature. It is used to encrypt traffic but won't change the flow of traffic in the network and cannot load balance traffic on its own.

Remember that one of GETVPN's key features is IP Header Preservation - the original IP header inside the IPsec packet is preserved so the packet will be routed the same.

So the answer to your question is: as long as HSRP/VRRP/GLBP is enabled and working in your network to route traffic across the network, GETVPN will continue doing its job of encrypting the packets.

Regards,

Aditya

Please rate helpful and mark correct answers


I am talking about the case of GETVPN COOP. When there are multiple key servers, does it not provide load balancing in that case? See the topology I have attached.



Thanks Aditya