What is the correct order of steps?

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature without stopping the VPN. What is the correct order of steps?

A.
1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Enable advanced routing on all three Gateways.

B.
1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer’s VTI interface.

C.
1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Enable advanced routing on all three Gateways.

D.
1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer’s VTI interface.

Explanation:

The VPN NGX (R60) Route Based VPN Deployments documentation (August 30, 2005) states on page 7:

"The order between the two VPN routing methods is simply set by the order of the VPN routing decisions. First, the Domain Based VPN routing tables are consulted, to determine the proper origin and/or target VPN gateway for the traffic. If no Domain Based VPN routing applies, the IP routing table is consulted, to determine whether the traffic is routed through a VPN Tunnel Interface." (see screen print below)

For this reason, you must remove the new network from the VPN Domain, or you will never be able to test the route-based VPN feature. Secondly, you must add the static routes (enabling advanced routing is only for dynamic routing). Therefore, answer C is incorrect and answer B is the correct answer.

Note: This assumes, as the question states, that the "newly added network" does not have any VPNs currently running on it. VPNs not on this network will continue to run.
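The decision order quoted above can be modelled in a few lines. The following is an added example, not Check Point code or part of the original explanation; the gateway names, VTI names and addresses are constructed, and longest-prefix matching is assumed for the IP routing table.

```python
import ipaddress

def vpn_route(dst, peer_vpn_domains, ip_routes, vti_names):
    """Model the quoted decision order from one gateway's point of view.

    Returns (method, target); method is 'domain-based', 'route-based'
    or 'no-vpn-routing'.
    """
    addr = ipaddress.ip_address(dst)
    # 1. Domain Based VPN routing is consulted first.
    for peer, nets in peer_vpn_domains.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return ("domain-based", peer)
    # 2. Otherwise the IP routing table decides (longest prefix wins).
    matches = [(ipaddress.ip_network(p), iface) for p, iface in ip_routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return ("no-vpn-routing", None)
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return ("route-based", iface) if iface in vti_names else ("no-vpn-routing", iface)

# Constructed sample data, seen from gateway A; all names and addresses are made up.
VTIS = {"vti-B", "vti-C"}
OLD_DOMAINS = {"gwB": ["10.2.0.0/16"], "gwC": ["10.3.0.0/16"]}
NEW_IN_DOMAIN = {"gwB": ["10.2.0.0/16", "172.16.2.0/24"],
                 "gwC": ["10.3.0.0/16", "172.16.3.0/24"]}
DEFAULT_ONLY = [("0.0.0.0/0", "eth0")]
STATIC_TO_VTI = DEFAULT_ONLY + [("172.16.2.0/24", "vti-B"), ("172.16.3.0/24", "vti-C")]

def scenarios():
    new_host, old_host = "172.16.2.10", "10.2.0.5"
    return {
        # New network left in the VPN Domain: domain-based routing always wins.
        "in_domain": vpn_route(new_host, NEW_IN_DOMAIN, STATIC_TO_VTI, VTIS),
        # Removed from the domain, VTIs exist, but no route points at them.
        "no_static": vpn_route(new_host, OLD_DOMAINS, DEFAULT_ONLY, VTIS),
        # Removed from the domain and static routes added (answer B).
        "answer_b": vpn_route(new_host, OLD_DOMAINS, STATIC_TO_VTI, VTIS),
        # Existing domain traffic is unaffected, so the VPN keeps running.
        "existing": vpn_route(old_host, OLD_DOMAINS, STATIC_TO_VTI, VTIS),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} -> {result}")
```

Only the `answer_b` case sends traffic for the new network through a VTI, while the `existing` case shows the original VPN Domain traffic still taking the domain-based path.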




networkmanagers

I agree with the answer. B