300-420 Question #261: Real Exam Question with Answer & Explanation
The correct answer is A: They use vSmart controllers as key exchange servers.
Question
Prior to establishing full-mesh IPsec tunnels in a typical Cisco SD-WAN deployment, which mechanism do WAN Edge routers use to exchange key information for data plane encryption?
Options
- A. They use vSmart controllers as key exchange servers.
- B. They use IKEv2 when exchanging keys with each other.
- C. They use vManage as a key exchange server.
- D. They use vBond as a key exchange server.
Explanation
In Cisco SD-WAN (formerly Viptela architecture), the control plane is centralized. WAN Edge routers do not perform IKE/IKEv2 negotiation directly with each other to establish IPsec tunnels. Instead, the vSmart controller distributes the necessary key material, specifically pairwise IPsec keys, to all WAN Edge routers using the Overlay Management Protocol (OMP) over a secure DTLS/TLS control-plane session. Because vSmart acts as the key distribution point, WAN Edge routers already have each other's keys before needing to send data, allowing them to build full-mesh IPsec tunnels immediately without peer-to-peer key negotiation. vBond is the orchestrator (authenticates and helps WAN Edges find vSmart/vManage), and vManage is the management plane; neither distributes encryption keys.