Cisco Certified Internetwork Expert (CCIE) Practice Test

Question: 1 / 400

Which statement correctly describes SXP connections?

Each VRF supports multiple CTS-SXP connections

Each VRF supports only one CTS-SXP connection

The statement that each VRF supports only one CTS-SXP connection is accurate because in a Cisco TrustSec architecture, each Virtual Routing and Forwarding (VRF) instance is designed to maintain its own unique security context. This means that a single CTS-SXP (Control Plane Security Exchange Protocol) connection is established for each VRF, allowing for the secure exchange of context-specific information regarding the identity of endpoints and security group tags. Having one connection per VRF ensures that the control plane messages relevant to that VRF do not interfere with or mix with those of other VRFs, thereby maintaining the integrity and separation of security policies and identities within the network.

The other choices present scenarios that do not align with the fundamental operations of CTS-SXP within a VRF context. For instance, supporting multiple connections or sharing peers among different VRFs would lead to complexity and potential security risks, which the architecture is designed to avoid.

Each connection can be initiated from multiple listeners

Separate VRFs can share the same CTS-SXP peers
