352-001 · Question #711
An enterprise company has an audit requirement to encrypt traffic between selected development teams. Those teams are located in multiple sites across the country. They must migrate all locations to a
The correct answer is A. Implement GETVPN with selective encryption only for the development traffic. GETVPN with selective encryption is the only solution that integrates natively with MPLS L3 VPN, supports traffic-specific encryption policies to protect development traffic, and leaves VoIP unencrypted and mirrorable for recording.
Question
An enterprise company has an audit requirement to encrypt traffic between selected development teams. Those teams are located in multiple sites across the country. They must migrate all locations to an MPLS Layer 3 VPN-based service, but this implementation must not impact the VoIP solution. The VoIP traffic to and from the call center sites must be copied to the data center servers so that it is recorded to meet another audit requirement. Which solution meets these requirements?
Options
- AImplement GETVPN with selective encryption only for the development traffic
- BImplement a DMVPN-based solution encrypting all traffic except the VoIP traffic
- CImplement LISP-based tunnels for the development traffic
- DImplement site-to-site GRE tunnels only for development traffic
How the community answered
(20 responses)- A55% (11)
- B30% (6)
- C5% (1)
- D10% (2)
Why each option
GETVPN with selective encryption is the only solution that integrates natively with MPLS L3 VPN, supports traffic-specific encryption policies to protect development traffic, and leaves VoIP unencrypted and mirrorable for recording.
GETVPN operates natively within an MPLS network without creating overlay tunnels, preserving existing IP addressing, routing, and QoS policies so the VoIP solution is completely unaffected. Selective encryption uses Group Policy ACLs to encrypt only development team traffic while allowing VoIP to flow in the clear, enabling that traffic to be mirrored to data center servers for call recording. This satisfies the encryption audit requirement, the MPLS migration requirement, and the VoIP recording requirement simultaneously.
DMVPN creates spoke-to-spoke overlay tunnels that alter packet headers and can disrupt MPLS-based QoS markings for VoIP, and it is not natively designed to operate within an MPLS L3 VPN service.
LISP provides location and identity separation for routing scalability but does not offer native encryption capabilities to satisfy the development traffic encryption audit requirement.
GRE tunnels alone provide no encryption, and combining them with IPsec adds significant complexity without native MPLS L3 VPN integration or selective encryption support.
Concept tested: GETVPN selective encryption over MPLS
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book.html
Topics
Community Discussion
No community discussion yet for this question.