Cisco 352-001 Question #197: Real Exam Question with Answer & Explanation
The correct answer is B: In a GDOI-based VPN, all group members share a common security association. GDOI-based GET VPN eliminates point-to-point tunnel and overlay routing overhead by distributing a single shared group Security Association to all members via a Key Server.
Question
You are designing a multisite VPN solution for a customer and you are concerned with the additional overhead of point-to-point tunnels and the associated overlay routing with DMVPN. How does a GDOI-based VPN eliminate the additional tunnel and routing overhead found in DMVPN?
Options
- A. The GDOI-based VPN requires overlaying a secondary routing infrastructure through the tunnels.
- B. In a GDOI-based VPN, all group members share a common security association.
- C. The GDOI-based VPN requires the provisioning of a complex connectivity mesh.
- D. The GDOI-based VPN leverages the routing protocol to find its peer for tunnel setup.
Explanation
GDOI-based GET VPN eliminates point-to-point tunnel and overlay routing overhead by distributing a single shared group Security Association to all members via a Key Server.
Common mistakes
- A. GET VPN explicitly preserves the original IP header and relies on the underlay routing infrastructure, so it does not overlay a secondary routing infrastructure through tunnels.
- C. The group SA model means each member only registers with the Key Server to receive shared keys, eliminating the need to provision a complex point-to-point connectivity mesh.
- D. GDOI uses a Key Server registration and key-push model to distribute group keying material; it does not use a routing protocol to discover peers or set up tunnels.
Concept tested: GDOI GET VPN shared group Security Association and tunnel-less design.