nerdexam
Cisco

352-001 · Question #402

Which two options are considered risks or concerns when both the Internet and VPN service functions are on the same PE router? (Choose two.)

The correct answer is A. Internet-based attacks can affect VPN customers. D. Failure on the PE router affects both VPN and Internet services.. Hosting both Internet and VPN services on a single PE router creates a security risk and a single point of failure that simultaneously impacts both service types.

Designing Network Infrastructure

Question

Which two options are considered risks or concerns when both the Internet and VPN service functions are on the same PE router? (Choose two.)

Options

  • AInternet-based attacks can affect VPN customers.
  • BBGP cannot simultaneously run on the PE router that runs MPLS.
  • CMP-BGP prefixes increase routers' global routing tables, which affects network convergence.
  • DFailure on the PE router affects both VPN and Internet services.
  • ECustomer performance can be affected by VPN traffic if Internet-based traffic is not prioritized on

How the community answered

(41 responses)
  • A
    78% (32)
  • B
    2% (1)
  • C
    7% (3)
  • E
    12% (5)

Why each option

Hosting both Internet and VPN services on a single PE router creates a security risk and a single point of failure that simultaneously impacts both service types.

AInternet-based attacks can affect VPN customers.Correct

When Internet-facing and VPN services share the same PE router, malicious Internet traffic such as DDoS or exploitation attempts can consume router resources or exploit vulnerabilities that directly impact the VPN customers hosted on the same device.

BBGP cannot simultaneously run on the PE router that runs MPLS.

BGP can run concurrently with MPLS on the same PE router; in fact, MP-BGP is a fundamental component of standard MPLS L3VPN design and routinely coexists on PE devices.

CMP-BGP prefixes increase routers' global routing tables, which affects network convergence.

In MPLS VPN architecture, MP-BGP VPN prefixes are stored in per-VRF routing tables, not the global routing table, so they do not inflate the global RIB or negatively affect convergence in the way described.

DFailure on the PE router affects both VPN and Internet services.Correct

A hardware failure, software crash, or overload condition on the shared PE router will simultaneously bring down both Internet and VPN services, eliminating any service isolation and violating typical SLA requirements for VPN customers.

ECustomer performance can be affected by VPN traffic if Internet-based traffic is not prioritized on

The statement is logically reversed and misleadingly worded; while resource contention is a real concern, the primary documented risks of co-located Internet and VPN services are the security exposure and single point of failure captured by A and D.

Concept tested: MPLS PE router colocation risks for Internet and VPN

Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/MPLS_over_IP-IPSec/mpls_vpn_over_ip-ipsec.html

Topics

#MPLS VPN#PE router#Internet co-location#service isolation

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice