
300-730 · Question #184

300-730 Question #184: Real Exam Question with Answer & Explanation

The correct answer is C: Multi-SA VTIs.

Secure Communications Architectures

Question

An engineer must design a VPN solution with these criteria:

  • Configured on the IOS XE router.
  • Able to terminate policy-based VPNs from Cisco and non-Cisco devices.
  • QoS can be applied on a per-tunnel basis.

Which VPN technology must be used to accomplish this design?

Options

  • A. GETVPN
  • B. DMVPN
  • C. Multi-SA VTIs
  • D. Dynamic Crypto map

Explanation

Multi-SA VTIs (Virtual Tunnel Interfaces) satisfy all three requirements. First, they are supported on IOS XE routers. Second, they can interoperate with policy-based VPN peers from both Cisco and non-Cisco devices because they still negotiate standard IPsec SAs compatible with crypto-map-based configurations on the remote side. Third - and critically - VTIs present as logical routed interfaces, meaning QoS policies (service-policy) can be applied directly to each tunnel interface, enabling per-tunnel QoS. DMVPN does not cleanly support per-tunnel QoS in all configurations. GETVPN is group-based and not designed for per-tunnel policy. Dynamic crypto maps are a legacy approach and do not offer VTI-style per-tunnel QoS control.

Topics

#Multi-SA VTI #IOS XE #policy-based VPN #QoS per-tunnel
