Exam 400-007 topic 1 question 54 discussion

Actual exam question from Cisco's 400-007
Question #: 54
Topic #: 1

Company XYZ has 30 sites running a legacy private WAN architecture that connects to the Internet via multiple high-speed connections. The company is now redesigning their network and must comply with these design requirements:
* Use a private WAN strategy that allows the sites to connect to each other directly and caters for future expansion
* Use the Internet as the underlay for the private WAN
* Securely transfer the corporate data over the private WAN
Which two technologies should be incorporated into the design of this network? (Choose two.)

  • A. PPTP
  • B. DMVPN
  • C. IPsec
  • D. GET VPN
  • E. S-VTI
Suggested Answer: BC

Comments

ying162
Highly Voted 1 year, 6 months ago
Selected Answer: BC
Internet as underlay, GETVPN is not an option due to IP header preservation.
upvoted 12 times
bdp123
1 year ago
You can use DMVPN as the underlay for GETVPN and it has proven to work fine - GETVPN is the Private WAN - the two configured together work for what they are asking.
upvoted 2 times
ba7a09d
Most Recent 1 day, 8 hours ago
Selected Answer: BC
IPSEC & DMVPN work in real life. GETVPN is for private (non-Internet) WAN, at least in the Cisco world.
upvoted 1 times
famov66542
1 month, 1 week ago
Selected Answer: BC
For those who say that we can combine DMVPN & GET VPN, we would still be forced to use IPsec. So, ... DMVPN + IPSec would do the trick that DMVPN & GET VPN offers.
upvoted 2 times
kzqc
5 months, 3 weeks ago
DMVPN does work very nicely with GETVPN over Internet. My previous company always used DMVPN together with GETVPN. You have to realize that GETVPN is just a better way to set up IPSEC SAs, in a group fashion instead of individually. For DMVPN with IPSEC, you need to configure IPSEC phase 1 and phase 2 configurations on all hubs and spokes, and the IPSEC SA will be created on the fly between hub/spoke or spoke/spoke when needed. For DMVPN with GETVPN, you configure IPSEC phase 1 and phase 2 configurations on the GDOI KS. All the hubs/spokes will get the same IPSEC SA from the GDOI KS, and do not need to create the SA on the fly. It is easier to manage and has better performance. The only risk is that you need to expose the GDOI KS to the Internet. Better protect it with a FW.
upvoted 1 times
kzqc
5 months, 3 weeks ago
Now that both BC and BD seem to be correct, I would still pick BC since that is a typical answer and may be what the exam is asking for.
upvoted 1 times
Sheeda
8 months, 3 weeks ago
Tunnel Header Preservation I mentioned earlier that the IP header is preserved in GET VPN. In a traditional IPSec, the tunnel endpoint addresses are used as the new packet source and destination. The tunnel header preservation seems very similar to IPSec transport mode but the underlying mode of operation is IPSec tunnel mode. IPSec transport mode reuses the original IP header but it suffers from fragmentation and reassembly limitation and must not be used in deployments where encrypted or clear text packets may require fragmentation. GET VPN is suitable for MPLS, L2 or an IP infrastructure with end to end IP connectivity. It’s not suitable for deploying over the Internet though because the addresses are typically not routable and NAT functions interfere with the tunnel header preservation. GET VPN can be combined with DMVPN where DMVPN is used for routing and GET VPN for encryption.
upvoted 1 times
bdp123
1 year, 1 month ago
Selected Answer: BD
Reading the question closely, private WAN strategy is GETVPN and the underlay for it would be DMVPN for transporting over the Internet https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html#:~:text=Cisco%20Group%20Encrypted%20Transport%20VPN%20%28GET%20VPN%29%20is,on%20or%20flows%20through%20a%20Cisco%20IOS%20device.
upvoted 1 times
Akkisingh
1 year, 1 month ago
Selected Answer: BD
GETVPN along with DMVPN can be run over internet, see below: https://lostintransit.se/2016/02/12/ccde-introduction-to-get-vpn-and-get-vpn-design-considerations/?doing_wp_cron=1682702436.4848649501800537109375
upvoted 1 times
nifengfei
1 year, 1 month ago
In the link you shared: GET VPN is suitable for MPLS, L2 or an IP infrastructure with end to end IP connectivity. It’s not suitable for deploying over the Internet though because the addresses are typically not routable and NAT functions interfere with the tunnel header preservation. GET VPN can be combined with DMVPN where DMVPN is used for routing and GET VPN for encryption. So should the answer be two technologies that work separately or together?
upvoted 1 times
Horvoe
1 year, 1 month ago
Selected Answer: BC
GETVPN does not support internet overlay due to IP header preservation https://ipwithease.com/getvpn-vs-dmvpn/
upvoted 1 times
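
The header-preservation argument that runs through the comments above, as an added example that is not part of any comment or of the original page. It is a simplified model: the site addresses are constructed, NAT is not modelled, and the combined DMVPN + GET VPN case assumes GET VPN encrypts the packet after GRE encapsulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 space is not routed on the Internet.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str   # Internet-facing address of the site router (constructed)
    host_ip: str  # a LAN host behind that router (constructed)

def internet_routable(addr: str) -> bool:
    """True when the address is outside RFC 1918 private space."""
    ip = ip_address(addr)
    return not any(ip in net for net in RFC1918)

def outer_header(design: str, src: Site, dst: Site) -> tuple[str, str]:
    """Return (source, destination) of the outermost IP header on the wire."""
    if design == "dmvpn+ipsec":
        # mGRE encapsulation protected by IPsec between the two tunnel
        # endpoints: the outer addresses are the routers' WAN addresses.
        return src.wan_ip, dst.wan_ip
    if design == "getvpn":
        # Tunnel header preservation: the outer header is a copy of the
        # original header, so the LAN addresses appear on the wire.
        return src.host_ip, dst.host_ip
    if design == "dmvpn+getvpn":
        # Assumption: GRE encapsulation happens first, so the header that
        # GET VPN preserves is the GRE header carrying the WAN addresses.
        return src.wan_ip, dst.wan_ip
    raise ValueError(f"unknown design: {design}")

def survives_internet(design: str, src: Site, dst: Site) -> bool:
    """An Internet underlay forwards the packet only if both ends are routable."""
    return all(internet_routable(a) for a in outer_header(design, src, dst))

# Constructed sample sites; documentation ranges stand in for public addresses.
SITE_A = Site("site-a", "198.51.100.10", "10.1.1.10")
SITE_B = Site("site-b", "203.0.113.20", "10.2.1.10")

if __name__ == "__main__":
    for design in ("dmvpn+ipsec", "getvpn", "dmvpn+getvpn"):
        src, dst = outer_header(design, SITE_A, SITE_B)
        ok = survives_internet(design, SITE_A, SITE_B)
        print(f"{design:13} outer {src} -> {dst}  Internet-routable: {ok}")
```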