
400-007 · Question #94

400-007 Question #94: Real Exam Question with Answer & Explanation

The correct answer is C: IPsec.

Question

SD-WAN networks capitalize on the use of broadband Internet links instead of traditional MPLS links to offer greater cost benefits to enterprise customers. However, because the public Internet is insecure, traffic between any two SD-WAN edge devices installed behind NAT gateways must be encrypted. Which overlay method can provide optimal transport over unreliable underlay networks that are behind NAT gateways?

Options

  • A. TLS
  • B. DTLS
  • C. IPsec
  • D. GRE

Explanation

IPsec (C) is the correct answer. IPsec supports NAT Traversal (NAT-T, RFC 3947/3948): during the IKE exchange each peer sends a hash of the source and destination address and port as it sees them, and if the hashes do not match what the other side observed, a NAT has rewritten the packet. Both peers then move IKE from UDP 500 to UDP 4500 and encapsulate ESP packets in UDP 4500 as well, so the NAT has a port to translate and the encrypted tunnel traverses the gateway. Because NAT UDP mappings time out, NAT-T peers also send periodic NAT-keepalive packets to hold the mapping open. This is exactly the situation in SD-WAN deployments where edge devices sit behind NAT, and IPsec is the data-plane encryption used by the major SD-WAN vendors (Cisco SD-WAN/Viptela, VMware SD-WAN and others) because it combines NAT traversal with strong encryption and integrity protection. GRE (D) provides no encryption, and as IP protocol 47 it carries no port numbers for a NAT device to translate, so most NAT gateways cannot forward it. TLS (A) runs over TCP, which on unreliable links causes the TCP-over-TCP problem: the tunnel's retransmission timers and the inner connections' timers compete and throughput collapses. DTLS (B) is UDP-based and can pass through NAT (Cisco SD-WAN uses it for control-plane connections), but it is not the standard for SD-WAN data-plane overlay encryption; IPsec with NAT-T is the purpose-built solution for this scenario.
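The following is an added example, not code from nerdexam or from Cisco, that models the two NAT-T mechanisms the explanation relies on: the IKEv2 NAT detection hash from RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, IP address and port, which lets each peer discover whether a NAT rewrote the packet) and the demultiplexing rule for UDP port 4500 from RFC 3948 (IKE messages carry a four-zero-byte non-ESP marker, ESP packets begin with their non-zero SPI, and a NAT-keepalive is a single 0xFF byte). All addresses, ports and SPIs are constructed sample values from the RFC 5737 documentation ranges; the function names are this example's own.

```python
"""
Added example (not nerdexam's or Cisco's code): IKEv2/IPsec NAT traversal,
modelled in pure Python.

  1. NAT detection in IKE_SA_INIT (RFC 7296 section 2.23): each peer sends
     NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP, a SHA-1 of
     SPIi || SPIr || IP address || port as that peer sees them.  If the hash
     the receiver computes over the addresses it actually observed differs,
     a NAT rewrote the packet and both peers move to UDP 4500.
  2. Demultiplexing on UDP 4500 (RFC 3948): IKE messages carry a 4-byte
     zero "non-ESP marker", ESP packets start with their non-zero SPI, and
     a NAT-keepalive is a single 0xFF byte.

All addresses, ports and SPIs below are constructed sample values.
"""
import hashlib
import socket
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """SHA-1(SPIi || SPIr || IPv4 address || port), all big-endian (RFC 7296 2.23)."""
    data = struct.pack("!QQ", spi_i, spi_r) + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_in_path(spi_i: int, spi_r: int, peer_hash: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Compare the hash the peer computed over the address it believes it used
    with one computed over the address/port the packet actually arrived from.
    A mismatch means a NAT rewrote the packet somewhere in the path."""
    return peer_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def classify_udp4500(payload: bytes) -> str:
    """Tell IKE, ESP and NAT-keepalive traffic apart on UDP 4500 (RFC 3948)."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:            # ESP needs at least SPI + sequence number
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"                # IKE header follows the zero marker
    return "esp"                    # ESP SPI is never zero, so this is ESP


def simulate_ike_sa_init() -> dict:
    """Constructed topology: initiator 10.0.0.5 sits behind a NAT whose outside
    address is 203.0.113.7; responder 198.51.100.1 is directly on the Internet."""
    spi_i, spi_r = 0x1122334455667788, 0   # SPIr is zero in the IKE_SA_INIT request
    initiator_private = ("10.0.0.5", IKE_PORT)
    initiator_observed = ("203.0.113.7", 61001)   # NAT rewrote address and port
    responder = ("198.51.100.1", IKE_PORT)

    # Initiator hashes the addresses it believes the packet is using.
    src_hash = nat_detection_hash(spi_i, spi_r, *initiator_private)
    dst_hash = nat_detection_hash(spi_i, spi_r, *responder)

    # Responder checks both notifications against what it saw on the wire.
    initiator_behind_nat = nat_in_path(spi_i, spi_r, src_hash, *initiator_observed)
    responder_behind_nat = nat_in_path(spi_i, spi_r, dst_hash, *responder)

    use_nat_t = initiator_behind_nat or responder_behind_nat
    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        # With NAT-T, ESP is carried inside UDP 4500; otherwise as raw IP protocol 50.
        "esp_transport": ("udp", NAT_T_PORT) if use_nat_t else ("ip-proto-50", None),
    }


if __name__ == "__main__":
    print(simulate_ike_sa_init())
    sample_esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, seq, ciphertext
    for pkt in (NAT_KEEPALIVE, NON_ESP_MARKER + b"\x00" * 28, sample_esp):
        print(classify_udp4500(pkt))
```

In the simulated exchange the responder sees the initiator's packet arrive from 203.0.113.7:61001 while the initiator hashed 10.0.0.5:500, so the source hashes differ and the initiator is flagged as behind a NAT; the destination hash matches the responder's own address, so the responder is not. That single mismatch is enough for both sides to switch to UDP 4500, and it is why GRE's port-less protocol 47 cannot get the same treatment from a NAT gateway.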

Community Discussion

No community discussion yet for this question.
