ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 350-401 All Questions

View all questions & answers for the 350-401 exam
Go to Exam

Exam 350-401 topic 1 question 878 discussion

Actual exam question from Cisco's 350-401
Question #: 878
Topic #: 1
[All 350-401 Questions]

SIMULATION
-




Guidelines
-

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary preconfigurations have been applied.
• Do not change the enable password or hostname for any device.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked, the lab closes and cannot be reopened.


Topology
-




Tasks
-

The operations team started configuring network devices for a new site. R10 and R20 are preconfigured with the CORP VRF. R10 has network connectivity to R20. Complete the configurations to achieve these goals:

1. Extend the CORP VRF between R10 and R20 using Tunnel0.
2. Protect Tunnel0 using the preconfigured profile
3. Configure static routing on R10 and R20 so that users in VLANs100 and 101 that belong to the CORP VRF are able to communicate with each other. Tunnel0 should be the only interface used to route traffic for the CORP VRF

Show Suggested Answer Hide Answer
Suggested Answer:
by Exam12559 at Nov. 20, 2023, 3:01 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Klimy
Highly Voted 1 year, 1 month ago
This sim came up for me today without the ipsec. You just put it into vrf (ip vrf forwarding CORP) and set the 2 static routes in the CORP vrf. R10 ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 R20 ip route vrf CORP 10.100.1.0 255.255.255.0 tunnel0 And of course save config. Just note that when you put it into vrf it loses the IP, so you need to set it again. (But you get a message, so you’ll see…)
upvoted 14 times
Adalberto
8 months, 2 weeks ago
And how about the Protection config ?
upvoted 2 times
a197cbf
6 months, 1 week ago
I had both the VRF with protection, and without protection, both questions on the same exam. For the tunnel protection, I think if you do a "show run | sec crypto" you should see that a crypto profile was made (I think it was called "MYPROFILE") on both routers. This already has all the proper keys, encryption, hashes, etc, already done for you, so you only have to apply the profile to the tunnel. Using MYPROFILE as an example, you would then do the following: (config)# interface Tunnel 0 (config-if)# tunnel protection ipsec profile MYPROFILE
upvoted 7 times
...
...
...
AzraelOmbrixa
Highly Voted 10 months, 2 weeks ago
do a 'show ip int brief' to find IP of e0/1 of R1 and e0/2 of R20 (10.10.1.10 and 10.10.2.20 in this case) R1#conf t interface Tunnel0 vrf forwarding CORP ip address 10.100.100.1 255.255.255.0 Tunnel source e0/1 Tunnel destination 10.10.2.20 Tunnel protection ipsec profile MyProfile exit ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 do wr R20#conf t interface tunnel0 vrf forwarding CORP ip address 10.100.100.2 255.255.255.0 Tunnel source e0/2 Tunell destination 10.10.1.10 Tunnel protection ipsec profile MyProfile exit ip route vrf CORP 10.100.1.0 255.255.255.0 tunnel0 do wr
upvoted 12 times
...
sharonmiller
Most Recent 5 months, 4 weeks ago
I think the correct answer is "next" lol
upvoted 3 times
...
Swiz005
6 months ago
I took and passed the CCNP ENCOR exam today. I had 89 questions and 4 laps. This was one of the labs. however, I had issues though, my keyboard would not do uppercase when entering the profile name. I complained anyway and they wanted to restart the lap but I was already running out of time so I skipped it. This was my second take. I made sure I scored over 80 percent (over 100 questions) from this site before going for my second take. Good luck to everyone and thanks to Examtopics
upvoted 6 times
hugoplur
4 months, 3 weeks ago
thanks for your feedback, and congratulations!
upvoted 1 times
...
...
a197cbf
6 months, 1 week ago
For some reason, using the provided configuration would not bring my tunnel up when using the "tunnel vrf CORP" command. Removing just that one command on both routers brought the tunnel up, so on my end it looks like you only need "ip vrf forwarding CORP" and not "tunnel vrf CORP". Anyone have any ideas as to why adding "tunnel vrf CORP" makes the tunnel go down? All other configs are the same on each side.
upvoted 1 times
Steve122
5 months, 2 weeks ago
tunnel vrf xxx -> underlay (front-door VRF) vrf forwarding CORP -> overlay
upvoted 2 times
...
...
IgorLVG
9 months, 2 weeks ago
i would like to share: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-16-12/ir-xe-16-12-book/ir-vrf-tunnels.html#GUID-4B490C97-7812-4825-999B-AAC2FFA35113 here explains why use 2 VRF and the meaining of "tunnel vrf"
upvoted 3 times
zbeugene7
2 months, 1 week ago
Thank you ! I was looking for this , but couldn't find it...
upvoted 1 times
...
...
slacker_at_work
10 months, 1 week ago
Wrt protecting the tunnel; See article "Configuring a Virtual Tunnel Interface with IP Security" https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
upvoted 1 times
...
Claudiu1
10 months, 2 weeks ago
I labbed this exercise and this is what I have to say. Without the exact configurations, I simply left R10 e0/1, R20 e0/2 and the ISP router with their global VRFs. No modifications there. Now I see there are multiple versions of the correct answer, so: - "tunnel vrf TECH" implies that there is a TECH VRF already configured on the R10 e0/1, R20 e0/2 and the ISP router. If there isn't, "ip vrf forwarding CORP" is enough to solve this exercise. - on the same note, "tunnel vrf CORP" command needs that the VRF CORP is also configured, on R10 e0/1, R20 e0/2 and the ISP router. Otherwise, this will break your config because CORP VRF has no routes to 10.10.1.0 and 10.10.2.0. If you get this lab in your exam, examine very careful the preconfiguration.
upvoted 4 times
...
CCAL
11 months, 1 week ago
This configuration is correct R1# interface Tunnel0 vrf forwarding CORP ip address 10.100.100.1 255.255.255.255 Tunnel source e0/1 Tunnel destination 10.10.2.20 Tunnel protection ipsec profile MyProfile R2# interface tunnel0 vrf forwarding CORP ip address 10.100.100.2 255.255.255.255 Tunnel source e0/2 Tunell destination 10.10.1.10 Tunnel protection ipsec profile MyProfile R1# ip route vrf CORF 10.101.2.0 255.255.255.255 tunnel0 R2#ip route vrf CORF 10 .100.1.0 255.255.255.255 tunnel0
upvoted 2 times
WENG_POGI
6 days, 19 hours ago
this most correct answer
upvoted 1 times
...
CCAL
11 months, 1 week ago
255.255.255.0 not 255.255.255.255 sorry
upvoted 1 times
...
...
sergiosolotrabajo
1 year ago
I've configured this on EVE-NG: hostname R10 ! ! ! ! ip vrf CORP description VRF-CORP rd 12956:1 ! ! ! interface Loopback1 ip vrf forwarding CORP ip address 10.10.10.10 255.255.255.255 no sh ! interface Tunnel0 ip vrf forwarding CORP ip address 10.100.100.2 255.255.255.0 tunnel source GigabitEthernet0/1 tunnel destination 10.10.2.2 tunnel vrf CORP ! interface GigabitEthernet0/0 ip vrf forwarding CORP ip address 10.100.1.1 255.255.255.0 no sh ! ! interface GigabitEthernet0/1 ip vrf forwarding CORP ip address 10.10.1.2 255.255.255.0 no sh ! ! router ospf 1 vrf CORP router-id 10.10.10.10 passive-interface default no passive-interface GigabitEthernet0/1 network 10.10.10.10 0.0.0.0 area 0 network 10.10.1.2 0.0.0.0 area 0 network 10.100.1.0 0.0.0.255 area 0 exit ! ip route vrf CORP 10.101.2.0 255.255.255.0 Tunnel 0 ! ! !
upvoted 2 times
sergiosolotrabajo
1 year ago
hostname R20 ! ! ! ! ip vrf CORP description VRF-CORP rd 12956:1 ! ! ! interface Loopback1 ip vrf forwarding CORP ip address 12.12.12.12 255.255.255.255 no sh ! interface Tunnel0 ip vrf forwarding CORP ip address 10.100.100.3 255.255.255.0 tunnel source GigabitEthernet0/2 tunnel destination 10.10.1.2 tunnel vrf CORP ! interface GigabitEthernet0/0 ip vrf forwarding CORP ip address 10.101.2.1 255.255.255.0 no sh ! ! interface GigabitEthernet0/2 ip vrf forwarding CORP ip address 10.10.2.2 255.255.255.0 no sh ! ! router ospf 1 vrf CORP router-id 12.12.12.12 passive-interface default no passive-interface GigabitEthernet0/2 network 12.12.12.12 0.0.0.0 area 0 network 10.10.2.2 0.0.0.0 area 0 network 10.101.2.0 0.0.0.255 area 0 ! ip route vrf CORP 10.100.1.0 255.255.255.0 Tunnel0 ! ! !
upvoted 1 times
WENG_POGI
6 days, 19 hours ago
its said static route,not dynamic routing (OSPF)
upvoted 1 times
...
...
...
eearmani
1 year ago
This one of the new labs
upvoted 1 times
...
post20
1 year ago
Simulations need to be updated!... Took the test yesterday. Had 4 simulations. The only one I saw from all presents on "examtopic" was GRE tunnel, without the 3rd task. The other different simulations were OSPF (had to elect DR and BDR without using the command ip ospf network point-to-point), BGP, and the other one with issues on a trunk link between two switches + issues on an ether-channel on two other switches present in the same topology... failed the exam :(
upvoted 5 times
...
Exam12559
1 year, 1 month ago
Although I do not know the pre-setting situation when questions are asked in the exam, I will assume that the following conditions are in place. ・"R10 and R20 are preconfigured with the CORP VRF. R10 has network connectivity to R20." From the above, the underlays 10.10.1.0/24 and 10.10.2.0/24 may also be configured with CORP VRF. ・It is not necessarily necessary to create a new VRF. Use default routing process. Therefore, I think the necessary settings are as follows. [Task 1] R10(config)# interface Tunnel 0 R10(config-if)# tunnel source e0/1 R10(config-if)# tunnel destination 10.10.2.20 R10(config-if)# tunnel vrf CORP [Task 2] R10(config-if)# tunnel protection ipsec EXAMPLE [Task 3] R10(config)# ip route 10.100.1.0 255.255.255.0 tunnel0 [others] R10# copy run sta
upvoted 2 times
Exam12559
1 year, 1 month ago
Correct the above. In [Task 1], it is stated that the CORP VRF will be expanded, so I think the tunnel will be established on the CORP VRF. The corrected version is as follows. R10 [Task 1] R10(config)# interface Tunnel 0 R10(config-if)# ip vrf forwarding CORP R10(config-if)# ip add 10.100.100.10 255.255.255.0 R10(config-if)# tunnel source e0/1 R10(config-if)# tunnel destination 10.10.2.20 [Task 2] R10(config-if)# tunnel protection ipsec EXAMPLE [Task 3] R10(config)# ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 [others] R10# copy run sta
upvoted 5 times
studying_1
1 year, 1 month ago
for task2, the word profile is missing, the command is #tunnel protection ipsec profile (profile-name)
upvoted 3 times
...
Din04
1 year, 1 month ago
This is correct. When you apply the vrf on an interface, you always have to apply the IP address configuration again. Not sure why the provided answers mentions TECH vrf.
upvoted 3 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago