CCIE Security Written Exam: Cisco IOS RRI

Question

Which three statements about Cisco IOS RRI are correct? (Choose three.)

Answers

BCD.

Explanations

Cisco IOS RRI (Reverse Route Injection) is a mechanism that allows dynamic insertion of reverse routes into the routing table of a spoke router in a hub-and-spoke network, to enable spoke-to-spoke communication in a secure manner.

The correct statements about Cisco IOS RRI are:

A. RRI is not supported with ipsec-profiles.

This statement is correct. RRI is not supported with ipsec-profiles. Instead, it is supported with crypto maps.

B. Routes are created from ACL entries when they are applied to a static crypto map.

This statement is correct. In a hub-and-spoke network, the hub router can inject routes to spoke networks into the spoke routers' routing table. When a static crypto map is used, the spoke router's routing table is updated with the routes from the hub router's access list (ACL).

C. Routes are created from source proxy IDs by the receiver with dynamic crypto maps.

This statement is incorrect. Routes are created from source proxy IDs by the sender with dynamic crypto maps. The sender is responsible for inserting routes into the spoke router's routing table, based on the source proxy IDs in the dynamic crypto map.

D. VRF-based routes are supported.

This statement is correct. RRI can be configured on a per-VRF basis, so VRF-based routes are supported.

E. RRI must be configured with DMVPN.

This statement is incorrect. RRI can be used with DMVPN, but it is not a requirement. RRI can also be used with other VPN technologies, such as GET VPN.

In summary, the three correct statements about Cisco IOS RRI are:

  • RRI is not supported with ipsec-profiles.
  • Routes are created from ACL entries when they are applied to a static crypto map.
  • VRF-based routes are supported.