nerdexam
Cisco

352-001 · Question #711

An enterprise company has an audit requirement to encrypt traffic between selected development teams. Those teams are located in multiple sites across the country. They must migrate all locations to a

The correct answer is A. Implement GETVPN with selective encryption only for the development traffic. GETVPN with selective encryption is the only solution that integrates natively with MPLS L3 VPN, supports traffic-specific encryption policies to protect development traffic, and leaves VoIP unencrypted and mirrorable for recording.

Designing Security

Question

An enterprise company has an audit requirement to encrypt traffic between selected development teams. Those teams are located in multiple sites across the country. They must migrate all locations to an MPLS Layer 3 VPN-based service, but this implementation must not impact the VoIP solution. The VoIP traffic to and from the call center sites must be copied to the data center servers so that it is recorded to meet another audit requirement. Which solution meets these requirements?

Options

  • AImplement GETVPN with selective encryption only for the development traffic
  • BImplement a DMVPN-based solution encrypting all traffic except the VoIP traffic
  • CImplement LISP-based tunnels for the development traffic
  • DImplement site-to-site GRE tunnels only for development traffic

How the community answered

(20 responses)
  • A
    55% (11)
  • B
    30% (6)
  • C
    5% (1)
  • D
    10% (2)

Why each option

GETVPN with selective encryption is the only solution that integrates natively with MPLS L3 VPN, supports traffic-specific encryption policies to protect development traffic, and leaves VoIP unencrypted and mirrorable for recording.

AImplement GETVPN with selective encryption only for the development trafficCorrect

GETVPN operates natively within an MPLS network without creating overlay tunnels, preserving existing IP addressing, routing, and QoS policies so the VoIP solution is completely unaffected. Selective encryption uses Group Policy ACLs to encrypt only development team traffic while allowing VoIP to flow in the clear, enabling that traffic to be mirrored to data center servers for call recording. This satisfies the encryption audit requirement, the MPLS migration requirement, and the VoIP recording requirement simultaneously.

BImplement a DMVPN-based solution encrypting all traffic except the VoIP traffic

DMVPN creates spoke-to-spoke overlay tunnels that alter packet headers and can disrupt MPLS-based QoS markings for VoIP, and it is not natively designed to operate within an MPLS L3 VPN service.

CImplement LISP-based tunnels for the development traffic

LISP provides location and identity separation for routing scalability but does not offer native encryption capabilities to satisfy the development traffic encryption audit requirement.

DImplement site-to-site GRE tunnels only for development traffic

GRE tunnels alone provide no encryption, and combining them with IPsec adds significant complexity without native MPLS L3 VPN integration or selective encryption support.

Concept tested: GETVPN selective encryption over MPLS

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book.html

Topics

#GETVPN#selective encryption#MPLS L3VPN#VoIP recording

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice