Question 1

Refer to the following output:

Router#show ip nhrp detail via, Tunnel1 created 00:00:12, expire 01:59:47
Type: dynamic, Flags: authoritative unique nat registered used
NBMA address:

What does the authoritative flag mean in regards to the NHRP information?

A. It was obtained directly from the next-hop server.
B. Data packets are process switches for this mapping entry.
C. NHRP mapping is for networks that are local to this router.
D. The mapping entry was created in response to an NHRP registration request.
E. The NHRP mapping entry cannot be overwritten.

Answer: A

From the output we learn that the logical address is mapped to the NBMA address Type “dynamic” means NBMA address was obtained from NHRP Request packet. Type “static” means NBMA address is statically configured. The “authoritative” flag means that the NHRP information was obtained from the Next Hop Server (NHS).

Question 2

Which common issue causes intermittent DMVPN tunnel flaps?

A. a routing neighbor reachability issue
B. a suboptimal routing table
C. interface bandwidth congestion
D. that the GRE tunnel to hub router is not encrypted

Answer: A

When DMVPN tunnels flap, check the neighborship between the routers as issues with neighborship formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make sure the neighborship between the routers is always up.

Question 3

Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and Cisco Express Forwarding?

A. FlexVPN
D. Cisco Easy VPN

Answer: B

DMVPN is not a protocol, it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

Question 4

A company has just opened two remote branch offices that need to be connected to the corporate network. Which interface configuration output can be applied to the corporate router to allow communication to the remote sites?

A. interface Tunnel0
bandwidth 1536
ip address
tunnel source Serial0/0
tunnel mode gre multipoint

B. interface fa0/0
bandwidth 1536
ip address
tunnel mode gre multipoint

C. interface Tunnel0
bandwidth 1536
ip address
tunnel source
tunnel-mode dynamic

D. interface fa 0/0
bandwidth 1536
ip address
tunnel source
tunnel destination
tunnel-mode dynamic

Answer: A

To allow communication to multiple sites using only one tunnel interface, we need to configure that tunnel in “multipoint” mode. Otherwise we have to create many tunnel interfaces, each can only communicate to one site.

Question 5

Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel interface on the hub, to support multiple connections from multiple spoke devices?

C. Cisco Easy VPN
D. FlexVPN

Answer: A

An mGRE tunnel inherits the concept of a classic GRE tunnel but an mGRE tunnel does not require a unique tunnel interface for each connection between Hub and spoke like traditional GRE. One mGRE can handle multiple GRE tunnels at the other ends. Unlike classic GRE tunnels, the tunnel destination for a mGRE tunnel does not have to be configured; and all tunnels on Spokes connecting to mGRE interface of the Hub can use the same subnet.

Question 6

A network administrator is troubleshooting a DMVPN setup between the hub and the spoke. Which action should the administrator take before troubleshooting the IPsec configuration?

A. Verify the GRE tunnels
B. Verify ISAKMP
C. Verify NHRP
D. Verify crypto maps

Answer: A

GRE tunnels are the first thing we have to configure to create a DMVPN network so we should start troubleshooting from there. NHRP can only work properly with operating GRE tunnels.

Question 7

Which protocol is used in a DMVPN network to map physical IP addresses to logical IP addresses?


Answer: D

Question 8

A network engineer is troubleshooting a DMVPN setup between the hub and the spoke. The engineer executes the command “show crypto isakmp sa” and observes the output that is displayed. What is the problem?

A. That ISAKMP is not enabled
B. That ISAKMP is using default settings
C. An incompatible IP sec transform set
D. An incompatible ISAKMP policy

Answer: B

The “show crypto isakmp sa” command displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

QM_IDLE state means this tunnel is UP and the IKE SA key exchange was successful, but is idle and may be used for subsequent quick mode exchanges. It is in a quiescent state (QM) -> Answers A, C, D are incorrect so answer B is the only suitable answer left.

Question 9

A network engineer wants to display the statistics of an active tunnel on a DMVPN network. Which command should the administrator execute to accomplish this task?

A. Router#show crypto ipsec sa
B. Router#show crypto isakmp peers
C. Router#show crypto isakmp sa
D. Router#show crypto ipsec transform-set
E. Router#show crypto engine connections active

Answer: A

The DMVPN is comprised of IPsec/GRE tunnels that connect branch offices to the data center. DMVPN troubleshooting requires the network engineer to verify neighbor links, routing and VPN peer connectivity. The GRE protocol is required to support routing advertisements. The VPN peer connection is comprised of IKE and IPsec security association exchanges.

The command “show crypto ipsec sa” is used to verify IPsec connectivity between branch office and data center router. We can also use this command to display the statistics of an active tunnel on a DMVPN network.

+ The command “show crypto isakmp sa” is used on DMVPN to verify IKE connectivity status to branch offices. The normal IKE state = QM IDLE for branch routers and data center routers.
+ The command “show crypto engine connection active” displays the total encrypts and decrypts per SA.

Question 10

Which two phases of DMVPN allow the spoke site to create dynamic tunnels to one other? (Choose two)

A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
E. Phase 5

Answer: B C

Question 11

Which two commands configure on a DMVPN hub to enable phase 3? (Choose two)

A. ip nhrp interest
B. ip nhrp redirect
C. ip nhrp shortcut
D. ip network id
E. ip nhrp map
F. ip redirects

Answer: B C

Question 12

During which DMVPN phase is spoke-to-spoke communication enabled?

A. phase 2
B. phase 4
C. phase 5
D. phase 6
E. phase 1

Answer: A

Both DMVPN Phase 2 and phase 3 support spoke to spoke communications (spokes talk to each other directly). In this case there is only an option of phase 2 (not phase 3) so it is the only correct answer.

Question 13

Which protocols support DMVPN?

B. RIPv2

Answer: A C D

Some documents say RIPv2 also supports DMVPN but EIGPR, OSPF and BGP are the better choices so we should choose them.

Question 14

Which two protocols are required for DMVPN? (Choose two)

A. IPSec
E. Open VPN

Answer: C D


DMVPN is not a protocol, it is the combination of the following technologies:
+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol) to perform its job and save the administrator the need to define multiple static crypto maps and dynamic discovery of tunnel endpoints.

Question 15

What is the NHRP role in DMVPN? (Choose two)

A. Obtains the next-hop to be used for routing
B. Routes the packet through the tunnel
C. Identifies the PIM-SM RP used to route the packet
D. Can authenticate VPN endpoints
E. It requires each tunnel endpoint to have an unique network ID

Answer: A D