GRE Tunnel

Question 1

Refer to the exhibit. After configuring GRE between two routers running OSPF that are connected to each other via a WAN link, a network engineer notices that the two routers cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason for this?

A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 57.

Answer: A

GRE packets are encapsulated within IP and use IP protocol type 47

Question 2

An engineer is configuring a GRE tunnel interface in the default mode. The engineer has assigned an IPv4 address on the tunnel and sourced the tunnel from an Ethernet interface. Which option also is required on the tunnel interface before it is operational?

A. tunnel destination address
B. keepalives
C. IPv6 address
D. tunnel protection

Answer: A

A GRE interface definition includes:

+ An IPv4 address on the tunnel
+ A tunnel source
+ A tunnel destination

Below is an example of how to configure a basic GRE tunnel:

interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2

In this case the “IPv4 address on the tunnel” is 10.10.10.1/24 and “sourced the tunnel from an Ethernet interface” is the command “tunnel source fa0/0”. Therefore it only needs a tunnel destination, which is 172.16.0.2.

Note: A multiple GRE (mGRE) interface does not require a tunnel destination address.

Question 3

When the tunnel interface is configured in default mode, which statement about routers and the tunnel destination address is true?

A. The router must have a route installed towards the tunnel destination
B. The router must have wccp redirects enabled inbound from the tunnel destination
C. The router must have cisco discovery protocol enabled on the tunnel to form a CDP neighborship with the tunnel destination
D. The router must have redirects enabled outbound towards the tunnel destination

Answer: A

The tunnel interface is configured in default mode means the tunnel has been configured as a point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up state) as soon as it is configured with a valid tunnel source address or interface which is up and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is stuck in up/down state.

Question 4

A network engineer has configured GRE between two IOS routers. The state of the tunnel interface is continuously oscillating between up and down. What is the solution to this problem?

A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable

Answer: A

In this question only answer A is a reasonable answer. When the state of the tunnel interface is continuously moving between up and down we must make sure the route towards the tunnel destination address is good. If it is not good then that route may be removed from the routing table -> the tunnel interface comes down.

Question 5

Which two GRE features can you configure to prevent fragmentation? (Choose two)

A. TCP MSS
B. DF Bit Clear
C. IP MTU
D. PMTUD
E. MTU ignore
F. UDP window sizes

Answer: A D

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called an MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The receiving station is responsible for the reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 6

Which two statement about GRE tunnel interface are true?

A. A tunnel can be established when a source the source interface is in the up/down state
B. A tunnel destination must be routable, but it can be unreachable
C. To establish a tunnel the source interface must be a loopback
D. To establish a tunnel the source interface must be up/up state
E. A tunnel destination must be a physical interface that is on up/up state

Answer: B D

A valid tunnel destination is one which is routable (which means the destination is present or there is a default route in the routing table). However, it does not have to be reachable -> Answer B is correct.

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and the destination must be reachable according to your own routing table.

Question 7

Which of the following is a GRE Tunnel characteristic?

A. GRE impose more CPU overhead than IPSec on VPN gateways
B. GRE tunnels can run through IPsec tunnels.
C. GRE Tunnel doesn’t have support for IPv6
D. GRE consists of two sub-protocols: Encapsulated Security Payload (ESP) and Authentication Header (AH).

Answer: B

Question 8

Router R1, a branch router, connects to the Internet using DSL. Some traffic flows through a GRE and IPsec tunnel, over the DSL connection, destined for an Enterprise network. Which of the following answers best describes the router’s logic that tells the router, for a given packet, to apply GRE encapsulation to the packet?

A. When the packet received on the LAN interface is permitted by the ACL listed on the tunnel gre acl command under the incoming interface
B. When routing the packet, matching a route whose outgoing interface is the GRE tunnel interface
C. When routing the packet, matching a route whose outgoing interface is the IPsec tunnel interface
D. When permitted by an ACL that was referenced in the associated crypto map

Answer: B

Question 9

What is a key benefit of using a GRE tunnel to provide connectivity between branch offices and headquarters?

A. authentication, integrity checking, and confidentiality
B. less overhead
C. dynamic routing over the tunnel
D. granular QoS support
E. open standard
F. scalability

Answer: C

GRE tunnel provides a way to encapsulate any network layer protocol over any other network layer protocol. GRE allows routers to act as if they have a virtual point-to-point connection to each other. GRE tunneling is accomplished by creating routable tunnel endpoints that operate on top of existing physical and/or other logical endpoints. Especially, IPsec does not support multicast traffic so GRE tunnel is a good solution instead (or we can combine both).

Question 10

A network administrator uses GRE over IPSec to connect two branches together via VPN tunnel. Which one of the following is the reason for using GRE over IPSec?

A. GRE over IPSec provides better QoS mechanism and is faster than other WAN technologies.
B. GRE over IPSec decreases the overhead of the header.
C. GRE supports use of routing protocol, while IPSec supports encryption.
D. GRE supports encryption, while IPSec supports use of routing protocol.

Answer: C

Question 11

Which statement is true about an IPSec/GRE tunnel?

A. The GRE tunnel source and destination addresses are specified within the IPSec transform set.
B. An IPSec/GRE tunnel must use IPSec tunnel mode.
C. GRE encapsulation occurs before the IPSec encryption process.
D. Crypto map ACL is not needed to match which traffic will be protected.

Answer: C

When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec -> C is correct.

Question 12

What are the four main steps in configuring a GRE tunnel over IPsec on Cisco routers? (Choose four)

A. Configure a physical interface or create a loopback interface to use as the tunnel endpoint.
B. Create the GRE tunnel interfaces.
C. Add the tunnel interfaces to the routing process so that it exchanges routing updates across that interface.
D. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
E. Add all subnets to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.
F. Add GRE traffic to the crypto access-list, so that IPsec encrypts the GRE tunnel traffic.

Answer: A B D F

Four steps to configure GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

An example of configuring GRE Tunnel is shown below:

interface Tunnel0
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 14.38.88.10
tunnel mode gre ip

Note: The last command is enabled by default so we can ignore it in the configuration)

Question 13

Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?

A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The interface tunnel configuration is not correct.
D. The network configuration is not correct; network 172.16.1.0 is missing

Answer: A

The address of the crypto isakmp key (line “crypto isakmp key ******* address 172.16.1.2”) should be 192.168.2.1, not 172.16.1.2 -> A is correct.

Question 14

Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?

A. The crypto map is not configured correctly.
B. The crypto ACL is not configured correctly.
C. The crypto map is not applied to the correct interface.
D. The OSPF network is not configured correctly.

Answer: B

The access-list must also support GRE traffic with the “access-list 102 permit gre host 192.168.1.1 host 192.168.2.1” command -> B is correct.

Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.

The interface tunnel configuration is rather simple so I don’t post it here.

Question 15

Refer to the exhibit. A new TAC engineer came to you for advice. A GRE over IPsec tunnel was configured, but the tunnel is not coming up.
What did the TAC engineer configure incorrectly?

A. The crypto isakmp configuration is not correct.
B. The crypto map configuration is not correct.
C. The network 172.16.1.0 is not included in the OSPF process.
D. The interface tunnel configuration is not correct.

Answer: D

The “tunnel destination” in interface tunnel should be 192.168.2.1, not 172.16.1.2 -> D is correct.