300-320 Question #337: Real Exam Question with Answer & Explanation
The correct answer is B: Encapsulation of traffic with GRE or VTI.
Question
Options
- A. IPSec forwarding using tunnel mode
- B. Encapsulation of traffic with GRE or VTI
- C. Additional bandwidth for headend
- D. IPSec forwarding using transport mode
Explanation
IPSec natively cannot encrypt multicast or broadcast traffic; it is designed only for unicast IP traffic. To carry multicast traffic over an IPSec VPN, you must first encapsulate the multicast packets inside a unicast tunnel. GRE (Generic Routing Encapsulation) tunnels or VTI (Virtual Tunnel Interface) accomplish this: GRE/VTI wraps the multicast packet inside a unicast IP packet, and IPSec then encrypts that unicast outer packet normally. This is a fundamental limitation of IPSec that every network designer must account for. The GRE-over-IPSec or IPSec VTI design pattern is the standard solution for any network that needs to pass multicast (e.g., routing protocols such as EIGRP and OSPF, or application multicast) across an IPSec VPN.