VMware NSX-T Data Center Advanced (VCAP-NV Design) — Question 36
An architect is helping an organization with the Logical Design of an NSX-T Data Center solution.
This information was gathered during the Assessment Phase:
- Data between two networks connected over a public network needs to be encrypted.
- Certificate authentication is required.
- Dynamic route learning is preferred.
Which selection should the architect include in their design? (Choose the best answer.)
Answer options
- A. Deploy a Tier-0 gateway in Active/Standby mode. Configure policy-based IPSec VPN with SHA512 with RSA as the hash algorithm.
- B. Deploy a Tier-0 gateway in Active/Active mode. Configure route-based IPSec VPN with SHA512 with RSA as the hash algorithm.
- C. Deploy a Tier-0 gateway in Active/Standby mode. Configure route-based IPSec VPN with SHA512 with RSA as the hash algorithm.
- D. Deploy a Tier-0 gateway in Active/Active mode. Configure policy-based IPSec VPN with SHA512 with RSA as the hash algorithm.
Correct answer: C
Explanation
The correct answer is C because it meets all the requirements: it deploys a Tier-0 gateway in Active/Standby mode with a route-based IPSec VPN, which allows dynamic route learning. Options A and D use policy-based VPNs, which do not support dynamic routing. Option B uses Active/Active mode, which does not align with the requirement for certificate authentication and encryption over the public network.