CCIE Security Written Exam | 400-251: Crypto GDOI Group Configuration



Question

crypto gdoi group gdoi_group
 identity number 1234
 server local
  sa receive-only
  sa ipsec 1
   profile gdoi-p
   match address ipv4 120

Which statement about the above configuration is true?

Answers

A. The key server instructs the DMVPN spoke to install SAs outbound only.
B. The key server instructs the GDOI group to install SAs inbound only.
C. The key server instructs the DMVPN hub to install SAs outbound only.
D. The key server instructs the GDOI spoke to install SAs inbound only.

Correct answer: B.

Explanations

This configuration snippet defines a GDOI group named gdoi_group with identity number 1234 and configures the local device as the group's key server ("server local"). The "sa receive-only" command places the key server in receive-only mode, so the Security Associations (SAs) it distributes are installed inbound only on the group members. The SAs use IPsec profile "gdoi-p", and the traffic they cover is selected by IPv4 access list 120.

Now let's analyze each answer option to see which one is true:

A. The key server instructs the DMVPN spoke to install SAs outbound only. This answer is incorrect because the configuration does not reference DMVPN spokes, and the "sa receive-only" command instructs the device to install SAs inbound only.

B. The key server instructs the GDOI group to install SAs inbound only. This answer is correct. The "sa receive-only" command instructs the devices in the GDOI group to install SAs inbound only.

C. The key server instructs the DMVPN hub to install SAs outbound only. This answer is incorrect because the configuration does not reference DMVPN hubs, and the "sa receive-only" command instructs the device to install SAs inbound only.

D. The key server instructs the GDOI spoke to install SAs inbound only. This answer is incorrect because the configuration does not reference GDOI spokes explicitly. However, the GDOI group can have both spokes and key servers as members, so this answer could have been correct if the question had specified that the device is a GDOI spoke.

Therefore, the correct answer is B. The key server instructs the GDOI group to install SAs inbound only.
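The question hinges on reading the command hierarchy correctly: "sa receive-only" and "sa ipsec 1" sit under "server local", and "profile" and "match address" sit under "sa ipsec 1". The following is an added example, not part of the exam page and not Cisco code: a small indentation-aware parser that walks a "crypto gdoi group" block and reports what the key server will instruct members to do with the distributed SAs. The sample configuration is the one from the question, laid out one command per line; the function names (parse_gdoi_groups, sa_install_direction) and the GdoiGroup dataclass are assumptions of this example.

```python
"""Added example (not part of the original exam page or Cisco's code): an
indentation-aware parser for a Cisco IOS 'crypto gdoi group' block that
reports whether the key server is in 'sa receive-only' mode, i.e. whether
group members are told to install the distributed SAs inbound only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the question's configuration, one command per line
# with IOS-style indentation (each nesting level indented one more space).
SAMPLE_CONFIG = """\
crypto gdoi group gdoi_group
 identity number 1234
 server local
  sa receive-only
  sa ipsec 1
   profile gdoi-p
   match address ipv4 120
"""


@dataclass
class GdoiGroup:
    name: str
    identity: Optional[str] = None
    local_key_server: bool = False   # 'server local' present
    receive_only: bool = False       # 'sa receive-only' present
    ipsec_sas: List[Dict[str, Optional[str]]] = field(default_factory=list)


def _depth(line: str) -> int:
    """Nesting depth = number of leading spaces (IOS indents one per level)."""
    return len(line) - len(line.lstrip(" "))


def parse_gdoi_groups(config: str) -> List[GdoiGroup]:
    """Walk the config line by line, tracking the current group / SA context."""
    groups: List[GdoiGroup] = []
    group: Optional[GdoiGroup] = None
    sa: Optional[Dict[str, Optional[str]]] = None
    in_server_local = False

    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and IOS comments
        depth, line = _depth(raw), raw.strip()

        if depth == 0:                    # top-level command starts a new context
            m = re.fullmatch(r"crypto gdoi group (\S+)", line)
            group = GdoiGroup(m.group(1)) if m else None
            sa, in_server_local = None, False
            if group:
                groups.append(group)
        elif group is None:
            continue                      # inside an unrelated top-level block
        elif depth == 1:                  # group-level commands
            sa, in_server_local = None, False
            m = re.fullmatch(r"identity number (\d+)", line)
            if m:
                group.identity = m.group(1)
            elif line == "server local":
                group.local_key_server = True
                in_server_local = True
        elif depth == 2 and in_server_local:   # key-server commands
            sa = None
            if line == "sa receive-only":
                group.receive_only = True
            m = re.fullmatch(r"sa ipsec (\d+)", line)
            if m:
                sa = {"index": m.group(1), "profile": None, "match": None}
                group.ipsec_sas.append(sa)
        elif depth == 3 and sa is not None:    # per-SA commands
            m = re.fullmatch(r"profile (\S+)", line)
            if m:
                sa["profile"] = m.group(1)
            m = re.fullmatch(r"match address ipv4 (\S+)", line)
            if m:
                sa["match"] = m.group(1)
    return groups


def sa_install_direction(group: GdoiGroup) -> str:
    """Direction in which the key server tells members to install the SAs."""
    if not group.local_key_server:
        return "not a key server"
    return "inbound-only" if group.receive_only else "inbound-and-outbound"


if __name__ == "__main__":
    for g in parse_gdoi_groups(SAMPLE_CONFIG):
        print(f"group {g.name} (identity {g.identity}): "
              f"members install SAs {sa_install_direction(g)}")
        for s in g.ipsec_sas:
            print(f"  sa ipsec {s['index']}: profile {s['profile']}, "
                  f"match address ipv4 {s['match']}")
```

Run against the sample, the parser reports that gdoi_group (identity 1234) is a local key server whose members install SAs inbound only, with one IPsec SA using profile gdoi-p and access list 120. Removing the "sa receive-only" line flips the report to inbound-and-outbound, which is the practical check when auditing whether a group is still in the receive-only staging mode.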