What are the two prerequisites of setting up DMVPN tunnel? (Choose two.)
A.
Before a multipoint GRE (mGRE) and IPsec tunnel can be established, define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.
B.
The Public IP’s of the routers should be able to ping each other.
C.
To enable 2547oDMPVN - Traffic Segmentation Within DMVPN configure multiprotocol label switching (MPLS) by using the mpls ip command
D.
It is mandatory to use wildcard preshared keys to build the DMVPN tunnel
E.
DMVPN can work on all OEM devices that support IKE.
From the Cisco page that HungarianDish_111 shared below:
Prerequisites for Dynamic Multipoint VPN (DMVPN)
Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.
For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.
To enable 2547oDMPVN--Traffic Segmentation Within DMVPN you must configure multiprotocol label switching (MPLS) by using the mpls ip command.
What makes me choose C is that you do not need to ping that device for build UP the phase 1 ike tunnel and then the CHILD_SA what you need is to make intresting traffic for the VPN.
After that you should have the tunnel UP and you can do other traffic like http/tcp/udp or other type of traffic that you need.
So I will go with A and C the other one do not make much sense
I'm going for A and C based on the documentation provided in the comments below. For B, if we NAT the ip address, the original public IP addresses don't have to be pingable.
For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.
Google: No, in phase 1 of Dynamic Multipoint VPN (DMVPN), spokes do not need to be able to ping each other because there is no direct communication between them:
Explanation: In phase 1, all traffic goes through the hub, and spokes only need a default route to the hub to reach other spokes. The hub is the only router that uses a multipoint GRE interface, while spokes use point-to-point GRE tunnel interfaces.
A. Before a multipoint GRE (mGRE) and IPsec tunnel can be established, define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.
Correct: Defining an IKE policy is essential for establishing secure communication between routers. The IKE policy is used to configure the parameters for IKE negotiations, which are necessary for setting up IPsec encryption.
B. The Public IP’s of the routers should be able to ping each other.
Correct: The routers need to be able to reach each other over the public Internet or other IP network. This connectivity is crucial for establishing the initial DMVPN connection and ensuring that the routers can communicate.
The question is clearly taken from here, as DUBC89x pointed out, and so, I agree on the answers "A", "C".
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-D8F6839F-D735-4C8E-A199-602CDD8F7DD0
However: IPsec is only optional for basic DMVPN tunnel configuration.
https://networklessons.com/cisco/ccie-routing-switching/dmvpn-over-ipsec
Of course, I can't imagine using DMVPN without IPsec, still it is a tricky question, because IPsec is not needed for the DMVPN tunnel establishment. Also, normally I would check reachability via the WAN/public IPs before setting up the tunnel. So, I would not say that "B" is wrong.
Given answer is correct.
"Prerequisites for Dynamic Multipoint VPN (DMVPN)
Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.
For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.
To enable 2547oDMPVN--Traffic Segmentation Within DMVPN you must configure multiprotocol label switching (MPLS) by using the mpls ip command."
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-D8F6839F-D735-4C8E-A199-602CDD8F7DD0
upvoted 2 times
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
0d2257b
6 days, 21 hours agotsamoko
2 months, 2 weeks agoXBfoundX
3 months agobk989
3 months, 2 weeks agobk989
3 months, 2 weeks agobk989
3 months, 1 week agoFenix7
3 months, 3 weeks agotubirubs
3 months, 3 weeks ago[Removed]
4 months, 2 weeks agobk989
3 months, 4 weeks agoHungarianDish_111
1 year, 6 months agoalex711
1 year, 3 months agoDUBC89x
2 years ago