Cisco 350-701 Practice Test - Questions Answers, Page 3

Configure a Crypto ISAKMP Key In order to configure apresharedauthentication key, enter thecrypto isakmp keycommand in global configuration mode: crypto isakmp key cisco123 address 172.16.1.1 https://community.cisco.com/t5/vpn/isakmp-with-0-0-0-0-dmvpn/td-p/4312380

Cisco's Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM.

GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/group-encryptedtransport-vpn/GETVPN_DIG_version_2_0_External.pdf

Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.

Stateful failover for IPsec requires that your network contains two identical routers that are available to be either the primary or secondary device. Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.

Prerequisites for Stateful Failover for IPsec

Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices This document assumes that you have a complete IKE and IPsec configuration.

The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device.

That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local pools used for crypto, and ISAKMP profiles.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpnavailability-15-mt-book/sec-state-fail-ipsec.htmlAlthough the prerequisites only stated that "Both routers should be the same type of device" but inthe"Restrictions for Stateful Failover for IPsec" section of the link above, it requires "Both the active andstandby devices must run the identical version of the Cisco IOS software" so answer E is better thananswer B.

FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-tosite VPN implementations. FlexVPN is a standards-based solution that can interoperate with non- Cisco IKEv2 implementations. Therefore

FlexVPN can support a multivendor environment. All of the three VPN technologies support traffic between sites (site-to-site or spoke-to-spoke).

DTLS is used for delay sensitive applications (voice and video) as its UDP based while TLS is TCP based.

Therefore DTLS offers strongest throughput performance. The throughput of DTLS at the time of AnyConnect connection can be expected to have processing performance close to VPN throughput.

In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco's proprietary technologies.

Reference: https://packetpushers.net/cisco-flexvpn-dmvpn-high-level-design/