Cisco Certified Internetwork Expert (CCIE) Practice Test

Which statement about VRF-aware GDOI group members is true?

• A. IPsec is used only to secure data traffic
• B. Registration traffic and rekey traffic must operate on different VRFs
• C. Multiple VRFs are used to separate control traffic and data traffic
• D. The GM cannot route control traffic through the same VRF as Data traffic

The correct answer is: Multiple VRFs are used to separate control traffic and data traffic

The correct option highlights the use of multiple VRFs to separate control traffic and data traffic in VRF-aware GDOI (Group Domain of Interpretation) group members. When implementing VRF (Virtual Routing and Forwarding), it is essential to ensure that both the control plane, which handles registration and management of the data group, and the data plane, which carries the encrypted data traffic, are independently routed. Using multiple VRFs allows for clear separation of traffic types, which is critical for preventing potential security issues and ensuring optimal performance. For instance, the control traffic may require different security policies or routing behaviors compared to the actual data traffic. This separation is particularly important in complex networks where different types of data might have different performance or security needs. Control traffic and data traffic being routed through the same VRF could lead to complications, such as security vulnerabilities or configuration management challenges, making it harder to apply distinct routing policies or security measures to different traffic types. Therefore, ensuring that these two types of traffic are encapsulated in their respective VRFs aligns with best practices in network design and management.