CCDE: Cisco Certified Design Expert (Written) — Question 36
Which restriction prevents a designer from using a GDOI-based VPN to secure traffic that traverses the Internet?
Answer options
- A. Enterprise host IP addresses are typically not routable.
- B. GDOI is less secure than traditional IPsec.
- C. Network address translation functions interfere with tunnel header preservation.
- D. The use of public addresses is not supported with GDOI.
Correct answer: C
Explanation
The correct answer is C: network address translation (NAT) can alter packet headers, which interferes with tunnel header preservation and makes it difficult to maintain the integrity of the tunnel. Option A is incorrect because enterprise host IP addresses can be routable with proper configuration. Option B is misleading, since GDOI can provide robust security comparable to IPsec. Option D is not accurate, as GDOI can function with public addresses under certain conditions.