350-501 Question #614: Real Exam Question with Answer & Explanation
Question
A regional company is planning to bolster the security of their LAN infrastructure by implementing advanced encryption techniques between their core switch and their distribution switch. The solution must leverage hardware-accelerated encryption capabilities to transparently encrypt all traffic between the two switches at the data-link layer to safeguard against unauthorized access. However, it is important for the solution to have minimal impact on network performance and latency. Which action must the engineer take to meet the requirements?
Options
- A. Deploy an IPsec tunnel with MD5 hashing between the two switches.
- B. Enable SSL VPN with SHA-256 encryption on all interfaces on both switches.
- C. Enable L2TP with RSA encryption on both switches.
- D. Implement MACsec with AES-256 encryption on both switches.
Explanation
To implement transparent, hardware-accelerated, data-link layer encryption between switches with minimal performance impact, MACsec with AES-256 encryption is the ideal solution.
Common mistakes.
- A. IPsec operates at Layer 3, not the data-link layer, and while it provides encryption, it might not be as transparent or optimized for direct switch-to-switch links as MACsec. Additionally, MD5 is a hash function used for integrity and authenticity, not an encryption cipher such as AES, and it is generally considered insecure by modern standards.
- B. SSL VPNs are primarily designed for remote access or site-to-site connectivity over IP (Layer 3/4) and are not a suitable solution for transparent, hardware-accelerated, data-link layer encryption between internal switches. Enabling it on all interfaces would be overly complex and inefficient for this use case.
- C. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used for VPNs, often combined with IPsec for security, but it's not a native, transparent data-link layer encryption solution designed for hardware-accelerated switch-to-switch security. RSA is an asymmetric algorithm typically used for key exchange and digital signatures, not for bulk data encryption itself.
Concept tested. Layer 2 encryption (MACsec)