exam questions

Exam 300-410 All Questions

View all questions & answers for the 300-410 exam

Exam 300-410 topic 1 question 473 discussion

Actual exam question from Cisco's 300-410
Question #: 473
Topic #: 1
[All 300-410 Questions]

SIMULATION
-


Guidelines
-

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary preconfigurations have been applied.
• Do not change the enable password or hostname for any device.
• Do not replace existing routing policies or configurations.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked, the lab closes and cannot be reopened.


Topology
-




Tasks
-

A DMVPN network is preconfigured with tunnel 0 IP address 192.168.1.254 on the HUB, IP connectivity, crypto policies, profiles, and EIGRP AS 100. The NHRP password is cсnp123, and the network ID and tunnel key is EIGRP ASN. Do not introduce a static route. Configure DMVPN connectivity between routers BR1 and BR2 to the HUB router using physical interface as the tunnel source to achieve these goals:

1. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR1.
2. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR2.
3. Ensure that packet fragmentation is done before encryption to account for GRE and IPsec header and allow a maximum TCP segment size of 1360 on an IP MTU of 1400 on the tunnel interfaces of both branch routers.
4. Apply an IPsec profile to the tunnel. Verify that direct spoke-to-spoke tunnel is functional between branch routers BR1 and BR2 by using traceroute to Ethernet 0/0 IP address to get a full score.









Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
HungarianDish_111
Highly Voted 1 year, 6 months ago
Sim was the same as here. Did not get full score for this sim on real exam, and could not figure out, what was missing. Still passed the exam. New question: MP-BGP NLRI attributes: RD, IPv4 Prefix, Next Hop, VPN Label https://networklessons.com/mpls/mpls-layer-3-vpn-explained
upvoted 7 times
ParisaAlipoor
1 year, 5 months ago
Thank you for your valuable comments... can you please describe the new question? MP-BGP NLRI attributes: RD, IPv4 Prefix, Next Hop, VPN Label
upvoted 1 times
HungarianDish_111
1 year, 5 months ago
List the MP-BGP NLRI attributes. Answer: RD, IPv4 Prefix, Next Hop, VPN Label
upvoted 3 times
...
...
keesu
1 year, 5 months ago
congratz on passing the exam! Thank you for your valuable comments throughout the Qs!
upvoted 4 times
...
...
chaba7654321
Highly Voted 7 months, 3 weeks ago
Had this same lab on the exam, config and provided solution is correct (apart from 'ip nhrp holdtime' - as someone mentioned earlier this needs to be 300 - as it is in seconds. There is no access to the HUB router on the exam, only config on the 2 spokes is needed. both spokes have a pre-configured ipsec profile already, I just applied it to tu0 Config provided by Hungarian dish below is correct
upvoted 6 times
dapardo
7 months, 2 weeks ago
thanks for this feedback
upvoted 1 times
...
...
leipeG
Most Recent 1 month, 2 weeks ago
Full lab setup based on Phase-3 DMVPN. Use a layer-2 switch (not a hub) for replicating the ISP. hostname HUB ! configure terminal ! crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile IPSEC-PROFILE set transform-set TRANSFORM-SET ! interface Tunnel0 ip address 192.168.1.254 255.255.255.0 ip nhrp authentication ccnp123 ip nhrp holdtime 300 ip nhrp network-id 100 ip nhrp shortcut ip nhrp map multicast dynamic ip nhrp redirect ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet1/0 tunnel mode gre multipoint tunnel key 100 tunnel protection ipsec profile IPSEC-PROFILE ! interface GigabitEthernet0/0 ip address 172.16.0.254 255.255.255.0 no shutdown ! interface GigabitEthernet1/0 ip address 10.10.255.254 255.255.255.0 no shutdown ! router eigrp 100 network 10.10.255.0 0.0.0.255 network 172.16.0.0 0.0.0.255 network 192.168.1.0 0.0.0.255
upvoted 2 times
Telecommunications
2 weeks, 6 days ago
on the Hub : dont need the " ip nhrp shortcut" CLI.
upvoted 1 times
...
leipeG
1 month, 2 weeks ago
hostname BR1 ! configure terminal ! crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile IPSEC-PROFILE set transform-set TRANSFORM-SET ! interface Tunnel0 ip address 192.168.1.1 255.255.255.0 ip nhrp authentication ccnp123 ip nhrp nhs 192.168.1.254 nbma 10.10.255.254 multicast ip nhrp holdtime 300 ip nhrp network-id 100 ip nhrp shortcut ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet1/0 tunnel mode gre multipoint tunnel key 100 tunnel protection ipsec profile IPSEC-PROFILE ! interface GigabitEthernet0/0 ip address 172.16.1.254 255.255.255.0 no shutdown ! interface GigabitEthernet1/0 ip address 10.10.255.1 255.255.255.0 no shutdown ! router eigrp 100 network 10.10.255.0 0.0.0.255 network 172.16.1.0 0.0.0.255 network 192.168.1.0 0.0.0.255
upvoted 3 times
leipeG
1 month, 2 weeks ago
hostname BR2 ! configure terminal ! crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt ! crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac mode transport ! crypto ipsec profile IPSEC-PROFILE set transform-set TRANSFORM-SET ! interface Tunnel0 ip address 192.168.1.2 255.255.255.0 ip nhrp authentication ccnp123 ip nhrp nhs 192.168.1.254 nbma 10.10.255.254 multicast ip nhrp holdtime 300 ip nhrp network-id 100 ip nhrp shortcut ip mtu 1400 ip tcp adjust-mss 1360 tunnel source GigabitEthernet1/0 tunnel mode gre multipoint tunnel key 100 tunnel protection ipsec profile IPSEC-PROFILE ! interface GigabitEthernet0/0 ip address 172.16.2.254 255.255.255.0 no shutdown ! interface GigabitEthernet1/0 ip address 10.10.255.2 255.255.255.0 no shutdown ! router eigrp 100 network 10.10.255.0 0.0.0.255 network 172.16.2.0 0.0.0.255 network 192.168.1.0 0.0.0.255 ! BR2#traceroute 172.16.1.254 <..> 1 10.10.255.1 28 msec 20 msec 40 msec
upvoted 3 times
...
...
...
Newmanas
8 months ago
Tell me please, is it possible to pass the exam if you skip Sim Lab question?
upvoted 1 times
Bombbear_W
8 months ago
That's impossible!!!
upvoted 4 times
Newmanas
7 months, 4 weeks ago
Tryed today exam. Had 3 lab questions, all of those skipped, and it looks like its pretty much impossible to pass the exam without those. So its more like - "maybe its possible" if you will answer all the questions 100% correctlly, but it would be on a very VERY thin line between passing and failing :)
upvoted 4 times
...
...
...
1948
9 months ago
Do you think we will get marked down for including config that is not asked for I.e. IP NHRP shortcut and IP NHRP redirect as it doesn't mention suboptimal paths.
upvoted 2 times
...
Not_That_Guy
10 months, 4 weeks ago
Anyone know if the test allows using 'ip nhrp nhs' like this instead of 'ip nhrp map', ip nhrp map multicast', and 'ip nhrp nhs'? !SPOKES interface Tunnel0 ip address 192.168.100.X 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360 ip nhrp authentication CCNP ip nhrp nhs 192.168.100.1 nbma 10.100.255.1 multicast ip nhrp network-id 100 ip nhrp holdtime 300 ip nhrp shortcut tunnel source GigabitEthernet0/1 tunnel mode gre multipoint tunnel key 100 tunnel protection ipsec profile MyPROFILE exit ! !GLOBAL-Check the HUB and modify crypto options ! crypto isakmp policy 1 authentication pre-share ! crypto isakmp key MyKEY address 0.0.0.0 ! crypto ipsec transform-set MyTRANSFORM esp-aes esp-sha-hmac ! crypto ipsec profile MyPROFILE set transform-set MyTRANSFORM ! crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt
upvoted 1 times
...
Brand
1 year, 3 months ago
I got this exact sim in the exam and I'm here to confirm that presented answer is almost correct. Just make sure you use the lines below: ip nhrp holdtime 300 (you define the holdtime using seconds) tunnel mode gre multipoint (as the sim asks you to confirm direct communication between Spokes. Static destination is not what you looking for here)
upvoted 4 times
Brand
1 year, 3 months ago
Also, don't forget to add following lines in the global configuration mode as HungarianDish explained. crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt Because the sim asks you to make sure fragmentation is being done before the encryption with IPSec.
upvoted 4 times
...
...
GReddy2323
1 year, 6 months ago
I would like to lab this in CML, but what type of basic configuration does the ISP router need? I always struggle whenever an "ISP" router is put in the topology because I don't know what basic configuration it needs to get it to work.
upvoted 1 times
cir_
1 year, 6 months ago
You can use a layer 2 switch with no config to replicate the connectivity in this scenario
upvoted 1 times
HungarianDish_111
1 year, 6 months ago
L2 switch in the middle is the best! I saw also different topology in labs (e.g. boson netsim), where a router sits in the middle as ISP, and then static routes are added an all routers to reach each others WAN IPs. It is unnecessary to have such a topology for practicing DMVPN. L2 switch is perfect.
upvoted 3 times
...
...
...
HungarianDish_111
1 year, 7 months ago
hostname HUB ! crypto isakmp policy 5 hash md5 authentication pre-share crypto isakmp key cisco address 0.0.0.0 ! crypto ipsec transform-set ciscoset esp-3des mode tunnel ! crypto ipsec profile ciscoprofile set transform-set ciscoset ! interface Tunnel0 ip address 192.168.1.254 255.255.255.0 no ip redirects no ip next-hop-self eigrp 100 no ip split-horizon eigrp 100 ip nhrp authentication ccnp123 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp redirect tunnel source GigabitEthernet0/1 tunnel mode gre multipoint tunnel key 100 tunnel protection ipsec profile ciscoprofile ! router eigrp 100 network 10.10.1.1 0.0.0.0 network 192.168.1.0 ! crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt
upvoted 3 times
RK139
1 week, 4 days ago
no ip split horizon EIGRP 100 ...it is ok....but no ip next-hop-self command is necessary?. Because ip nhrp redirect exist...anybody can help me
upvoted 1 times
...
HungarianDish_111
1 year, 7 months ago
int tu 0 ip nhrp map multicast dynamic (left out from previous comment by mistake)
upvoted 2 times
HungarianDish_111
1 year, 6 months ago
Some correction for transform-set: https://community.cisco.com/t5/vpn/dmvpn-tunnel-versus-transport-mode/td-p/1544252 Transport mode actually is recommended mode for DMVPN, because it saves 20 bytes overhead. crypto ipsec transform-set ciscoset esp-3des mode transport
upvoted 3 times
HungarianDish_111
1 year, 6 months ago
This document states that we would need "mode tunnel" if we want to do pre-fragmentation. Probably we can leave it in the default mode, which is tunnel. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/xe-16-10/sec-ipsec-data-plane-xe-16-10-book/sec-pre-frag-vpns.html Pre-fragmentation for IPsec VPNs operates in IPsec tunnel mode and IPsec tunnel mode with GRE, but not with IPsec transport mode.
upvoted 2 times
...
...
...
Almylle
1 year, 5 months ago
No tunnel destination ?
upvoted 1 times
chris110
1 year, 3 months ago
i dont think we need because of tunnel mode gre multipoint
upvoted 2 times
...
...
chris110
1 year, 3 months ago
Need to configure the HUB as well?
upvoted 1 times
dapardo
7 months ago
SEEMS that its not asked to configure the tunnel, just the spokes
upvoted 1 times
...
...
...
HungarianDish_111
1 year, 7 months ago
3. Ensure that packet fragmentation is done before encryption => For me, it suggests that following config is required (global config mode or interface config): crypto ipsec df-bit clear crypto ipsec fragmentation before-encrypt
upvoted 4 times
HungarianDish_111
1 year, 7 months ago
https://networkengineering.stackexchange.com/questions/11283/pre-fragmentation-for-ipsec-vpns-on-cisco-routers I added it in global config mode.
upvoted 1 times
HungarianDish_111
1 year, 6 months ago
Interestingly, "crypto ipsec fragmentation before-encrypt" is never displayed in the running config. Maybe it is due to this bug: CSCsr97396/CSCsh30577.
upvoted 1 times
...
...
...
HungarianDish_111
1 year, 7 months ago
The task is to create a direct spoke-to-spoke tunnel. So, setting a static tunnel destination on spokes is incorrect. We should use "tunnel mode gre multipoint"
upvoted 1 times
...
HungarianDish_111
1 year, 7 months ago
int tu 0 tunnel protection ipsec profile <name>
upvoted 1 times
...
HungarianDish_111
1 year, 7 months ago
"using physical interface as the tunnel source" => tunnel source eth0/1
upvoted 2 times
...
HungarianDish_111
1 year, 7 months ago
Holdtime seems to be incorrect: ip nhrp holdtime 300 ! Seconds that NHRP NBMA addresses are advertised as valid in positive NHRP responses https://www.ciscozine.com/dmvpn-phase-3-guide/ 5 minutes = 300 seconds
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago