Exam 300-410 topic 1 question 326 discussion

Actual exam question from Cisco's 300-410
Question #: 326
Topic #: 1

What are the two prerequisites for setting up a DMVPN tunnel? (Choose two.)

  • A. Before a multipoint GRE (mGRE) and IPsec tunnel can be established, define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.
  • B. The public IPs of the routers should be able to ping each other.
  • C. To enable 2547oDMPVN - Traffic Segmentation Within DMVPN, configure multiprotocol label switching (MPLS) by using the mpls ip command.
  • D. It is mandatory to use wildcard preshared keys to build the DMVPN tunnel
  • E. DMVPN can work on all OEM devices that support IKE.
Suggested Answer: AC

Comments

0d2257b
6 days, 21 hours ago
Selected Answer: AC
From the Cisco page that HungarianDish_111 shared below: Prerequisites for Dynamic Multipoint VPN (DMVPN) Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command. For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated. To enable 2547oDMPVN--Traffic Segmentation Within DMVPN you must configure multiprotocol label switching (MPLS) by using the mpls ip command.
upvoted 1 times
...
tsamoko
2 months, 2 weeks ago
Selected Answer: AC
According to this it's A, C
upvoted 1 times
...
XBfoundX
3 months ago
What makes me choose C is that you do not need to ping that device to build up the phase 1 IKE tunnel and then the CHILD_SA; what you need is to make interesting traffic for the VPN. After that you should have the tunnel up and you can do other traffic like HTTP/TCP/UDP or any other type of traffic that you need. So I will go with A and C; the other ones do not make much sense.
upvoted 1 times
...
bk989
3 months, 2 weeks ago
I'm going for A and C based on the documentation provided in the comments below. For B, if we NAT the ip address, the original public IP addresses don't have to be pingable. For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.
upvoted 1 times
bk989
3 months, 2 weeks ago
Also, for PHASE I DMVPN the public IP addresses of the spokes do not need to ping each other.
upvoted 1 times
bk989
3 months, 1 week ago
Google: No, in phase 1 of Dynamic Multipoint VPN (DMVPN), spokes do not need to be able to ping each other because there is no direct communication between them: Explanation: In phase 1, all traffic goes through the hub, and spokes only need a default route to the hub to reach other spokes. The hub is the only router that uses a multipoint GRE interface, while spokes use point-to-point GRE tunnel interfaces.
upvoted 1 times
...
...
...
Fenix7
3 months, 3 weeks ago
I vote for AB, because for configuring DMVPN, you don't need the "mpls ip" command.
upvoted 1 times
...
tubirubs
3 months, 3 weeks ago
Selected Answer: AB
A. Before a multipoint GRE (mGRE) and IPsec tunnel can be established, define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command. Correct: Defining an IKE policy is essential for establishing secure communication between routers. The IKE policy is used to configure the parameters for IKE negotiations, which are necessary for setting up IPsec encryption. B. The Public IP’s of the routers should be able to ping each other. Correct: The routers need to be able to reach each other over the public Internet or other IP network. This connectivity is crucial for establishing the initial DMVPN connection and ensuring that the routers can communicate.
upvoted 1 times
...
[Removed]
4 months, 2 weeks ago
Selected Answer: AC
A & C are correct
upvoted 1 times
bk989
3 months, 4 weeks ago
What about B, shouldn't the IPs be able to ping each other?
upvoted 1 times
...
...
HungarianDish_111
1 year, 6 months ago
The question is clearly taken from here, as DUBC89x pointed out, and so, I agree on the answers "A", "C". https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-D8F6839F-D735-4C8E-A199-602CDD8F7DD0 However: IPsec is only optional for basic DMVPN tunnel configuration. https://networklessons.com/cisco/ccie-routing-switching/dmvpn-over-ipsec Of course, I can't imagine using DMVPN without IPsec, still it is a tricky question, because IPsec is not needed for the DMVPN tunnel establishment. Also, normally I would check reachability via the WAN/public IPs before setting up the tunnel. So, I would not say that "B" is wrong.
upvoted 3 times
alex711
1 year, 3 months ago
Yes, Agree.
upvoted 1 times
...
...
DUBC89x
2 years ago
Given answer is correct. "Prerequisites for Dynamic Multipoint VPN (DMVPN) Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command. For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated. To enable 2547oDMPVN--Traffic Segmentation Within DMVPN you must configure multiprotocol label switching (MPLS) by using the mpls ip command." https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-D8F6839F-D735-4C8E-A199-602CDD8F7DD0
upvoted 2 times
...
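The prerequisites quoted in the thread (an IKE policy, IPsec transport mode on the transform set) and the point that IPsec is optional for a basic DMVPN tunnel can be checked against a router configuration. The following is an added example, not code from the Cisco documentation or from any commenter; the sample configuration is constructed and the function names are hypothetical.

```python
# Constructed sample: a minimal IOS-style DMVPN hub configuration.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
interface Tunnel0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
"""

def sections(config):
    """Group an IOS-style config into {top-level line: [indented sub-lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit_dmvpn(config):
    """Return a list of findings; an empty list means every check passed."""
    sec, findings = sections(config), []
    if not any(h.startswith("crypto isakmp policy ") for h in sec):
        findings.append("no IKE policy (crypto isakmp policy) defined")
    # Transform sets whose sub-lines select transport mode.
    transport = {h.split()[3] for h, body in sec.items()
                 if h.startswith("crypto ipsec transform-set ")
                 and any(b.startswith("mode transport") for b in body)}
    # IPsec profile name -> transform sets it references.
    profiles = {h.split()[3]: [b.split()[2] for b in body if b.startswith("set transform-set ")]
                for h, body in sec.items() if h.startswith("crypto ipsec profile ")}
    for head, body in sec.items():
        if not head.startswith("interface Tunnel") or "tunnel mode gre multipoint" not in body:
            continue
        prot = [b.split()[4] for b in body if b.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"{head}: mGRE tunnel has no IPsec protection")
        elif not any(ts in transport for ts in profiles.get(prot[0], [])):
            findings.append(f"{head}: transform set is not in transport mode")
    return findings
```

An mGRE tunnel without `tunnel protection` still comes up, which is why the audit reports it as a finding instead of treating it as a broken tunnel.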
Community vote distribution
A (35%)
C (25%)
B (20%)
Other