On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?
A. interface virtual-access
B. ip nhrp redirect
C. interface tunnel
D. interface virtual-template
In a FlexVPN hub-and-spoke topology, the hub acts as a VPN server and the spokes act as VPN clients. By default, the FlexVPN hub terminates spoke-to-hub tunnels. However, in some scenarios, it may be necessary for the hub to terminate FlexVPN tunnels from spokes as well.
If spoke-to-spoke tunnels are not allowed in the topology, the hub needs to be configured to terminate the FlexVPN tunnels from the spokes. This can be achieved by configuring a virtual template interface on the hub. The virtual template interface defines the common configuration parameters for the virtual access interfaces that are created dynamically for the spokes.
The correct answer to the question is option D: interface virtual-template.
The virtual-template interface can be configured with the necessary FlexVPN parameters, such as the IKEv2 profile, transform set, and authorization information. When a spoke connects to the hub, a virtual access interface is created dynamically with the same configuration parameters as the virtual-template interface. This allows the hub to terminate the FlexVPN tunnels from the spokes.
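As an added illustration (not part of the original explanation and not taken from Cisco's documentation), a hub-side configuration along these lines binds an IKEv2 profile to a virtual template. All names, addresses, the example.com domain, and the already-enrolled trustpoint FLEX_TP are assumptions.

```cisco
! Constructed example: FlexVPN hub, hub-and-spoke only.
! Assumes trustpoint FLEX_TP is already enrolled with the issuing CA.
aaa new-model
aaa authorization network FLEX_AUTHZ local
!
! Authorization policy pushed to spokes: advertise the tunnel interface route.
crypto ikev2 authorization policy FLEX_POLICY
 route set interface
!
! IKEv2 profile: certificate authentication, spokes matched by FQDN domain.
! The "virtual-template 1" line is what lets the hub clone a
! Virtual-Access interface for each spoke that connects.
crypto ikev2 profile FLEX_PROFILE
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX_TP
 aaa authorization group cert list FLEX_AUTHZ FLEX_POLICY
 virtual-template 1
!
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile FLEX_IPSEC
 set transform-set FLEX_TS
 set ikev2-profile FLEX_PROFILE
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Template cloned per spoke. No "ip nhrp redirect" is configured,
! so the hub never offers spoke-to-spoke shortcuts.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile FLEX_IPSEC
```

After a spoke connects, `show crypto ikev2 sa` and `show ip interface brief | include Virtual-Access` on the hub confirm that a per-spoke Virtual-Access interface was cloned from the template.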
Option A: interface virtual-access is incorrect as it is used to create the virtual access interface on the spoke, not the hub.
Option B: ip nhrp redirect is incorrect as it is used in DMVPN environments to redirect traffic between spokes, which is not relevant to this scenario.
Option C: interface tunnel is incorrect as it is used to create a GRE tunnel, which is not related to FlexVPN.