EIGRP

Let’s analyze these columns:

+ H: lists the neighbors in the order in which this router learned them
+ Address: the IP address of the neighbor
+ Interface: the interface of the local router on which this Hello packet was received
+ Hold (sec): the amount of time left before the neighbor is considered to be in the “down” state
+ Uptime: the amount of time since the adjacency was established
+ SRTT (Smooth Round Trip Timer): the average time in milliseconds between the transmission of a packet to a neighbor and the receipt of an acknowledgement
+ RTO (Retransmission Timeout): if a multicast has failed, a unicast is sent to that particular router; the RTO is the time in milliseconds that the router waits for an acknowledgement of that unicast
+ Queue count (Q Cnt): the number of queued EIGRP packets. It is usually 0.
+ Sequence Number (Seq Num): the sequence number of the last update EIGRP packet received. Each update message is given a sequence number, and the received ACK should carry the same sequence number. The next update message to that neighbor will use Seq Num + 1.

The “eigrp stub” command is equivalent to the “eigrp stub connected summary” command, which advertises the connected routes and the summarized routes.

Which type of message does a device configured with the eigrp stub command send in response to EIGRP queries? Inaccessible

Which command would you use to set EIGRP routes to be prioritized? distance eigrp 89

EIGRP is implemented in a Frame Relay network but there is no adjacency. Which options cause the adjacency to come up? (choose two)
A. Disable split horizon
B. Neighbor command to configure it for a point to multipoint on the WAN interface
When EIGRP is configured in a point-to-multipoint Frame Relay network, the Hub can receive routing updates sent from its Spoke routers, but the split horizon rule forbids the Hub from relaying those advertisements back out the interface on which they were received. For example, in the topology below, the Hub can receive routing updates from two Spokes but it cannot relay them out of its S0/0 interface again (as it is the interface on which it received the updates). To solve this problem we need to disable split horizon on the S0/0 interface of the Hub.

In non-broadcast networks (such as Frame Relay), multicast (and broadcast) are not allowed, while EIGRP (and OSPF, RIPv2) uses multicast to send Hello and Update messages. Therefore these dynamic routing protocols would not work well over Frame Relay. To overcome this issue we usually add the keyword “broadcast” at the end of the frame-relay map statement (for example, “frame-relay map ip 10.1.1.1 403 broadcast”). This makes EIGRP send updates via unicast instead of multicast. Another way to resolve the above issue is to use the “neighbor” command. This command also makes EIGRP communicate with its neighbors via unicast -> B is correct.
Note: Although we can use the “neighbor” command to set up the EIGRP neighbor relationship, the routes cannot be advertised from the Hub to the Spoke because of the split horizon rule.

EIGRP summary routes have an AD of 5.

Static routes redistributed into EIGRP have an AD of 170.

In a point-to-multipoint Frame Relay topology, which two methods ensure that all routing updates are received by all EIGRP routers within the Frame Relay network?
Disable split horizon
Use subinterfaces
Although we can use the “neighbor” command to set up the EIGRP neighbor relationship, the routes cannot be advertised from the Hub to the Spoke because of the split horizon rule. To overcome the split horizon rule we can use subinterfaces: each subinterface is treated like a separate physical interface, so routing updates can be advertised back from the Hub to the Spokes.
Note: The split horizon rule states that routes will not be advertised back out the interface on which they were received.

Security
Both RADIUS (Remote Authentication Dial-in User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are the main protocols used to provide Authentication, Authorization, and Accounting (AAA) services on network devices.

ACL
Which access list is used to filter upper-layer protocols?
A. extended access-list

What is the command to enable an IPv6 access list?

The command “ipv6 traffic-filter access-list-name { in | out }” applies the access list to incoming or outgoing traffic on the interface.

Which configuration can you apply to a device so that it always blocks the outbound web traffic on Saturdays and Sundays between the hours of 1:00 AM and 11:59 PM?

Which access list entry checks for an ACK within a packet header?
access-list 149 permit tcp any any eq 21 established

uRPF
Which mode of uRPF causes a router interface to accept a packet if the network to which the packet’s source IP address belongs is found in the router’s FIB? Loose
The command “ip verify unicast source reachable-via any” enables uRPF in loose mode, which only checks whether the router has a matching entry for the source in the routing table.

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.
Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.
Unicast RPF works in one of three different modes:
+ Strict mode: the router performs two checks for all incoming packets on a certain interface. The first check is whether the router has a matching entry for the source in the routing table. The second check is whether the router uses the same interface to reach this source as the one on which it received the packet.
+ Loose mode: the router only checks whether it has a matching entry for the source in the routing table.
+ VRF mode: leverages either loose or strict mode in a given VRF and evaluates an incoming packet’s source IP address against the VRF table configured for an eBGP neighbor.

Normally, uRPF will not allow traffic that only matches the default route. The “allow-default” keyword overrides this behavior so that uRPF allows traffic matching the default route to pass through.

(config)#ip cef
(config)#interface fa0/0
(config-if)#ip verify unicast source reachable-via rx allow-default

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches the interface used to reach this source IP, then the packets are allowed to enter (strict mode).

The any option enables Loose Mode uRPF on the router. This mode allows the router to reach the source address via any interface.
The rx option enables Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking the source address.
The allow-self-ping option allows the router to ping itself.
Another feature of uRPF is that we can use an access-list to specify the traffic we want or don’t want to check. An example is shown below:
Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110

When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:
Step 1: Input ACLs configured on the inbound interface are checked.
Step 2: Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
Step 3: A CEF table (FIB) lookup is carried out for packet forwarding.
Step 4: Output ACLs are checked on the outbound interface.
Step 5: The packet is forwarded.
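The strict/loose/allow-default decision described above, modelled in Python as an added example (not code from the original notes or from Cisco). The FIB, interface names and source addresses are constructed; the ACL behaviour follows IOS, where a packet that fails the check but is permitted by the ACL named on the "ip verify" command is still forwarded.

```python
"""Model of the uRPF reverse lookup: ip verify unicast source reachable-via {rx|any} [allow-default] [acl]."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed FIB: prefix -> egress interface. "0.0.0.0/0" is the default route.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "Se0/0",      # default route toward the upstream
    "10.1.1.0/24": "Fa0/0",    # LAN directly attached to Fa0/0
    "10.2.0.0/16": "Fa0/1",    # remote site reached through Fa0/1
    "10.2.5.0/24": "Fa0/0",    # more specific subnet of 10.2.0.0/16, reached via Fa0/0
}

Hit = Tuple[ipaddress.IPv4Network, str]


def fib_lookup(fib: Dict[str, str], src: str) -> Optional[Hit]:
    """Longest-prefix match of a source address against the FIB (the reverse lookup)."""
    addr = ipaddress.ip_address(src)
    best: Optional[Hit] = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: Dict[str, str], src: str, in_iface: str, mode: str,
               allow_default: bool = False,
               exempt_acl: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (verdict, reason) for one inbound packet.

    mode:          "rx"  = strict, the FIB entry must point back out in_iface
                   "any" = loose, any FIB entry for the source is enough
    allow_default: let a match on the default route alone count as a FIB hit
    exempt_acl:    networks whose packets are forwarded even when the check fails
                   (the optional ACL argument of the "ip verify" command)
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    hit = fib_lookup(fib, src)
    if hit is not None and hit[0].prefixlen == 0 and not allow_default:
        hit = None  # matched only the default route: not usable without allow-default
    if hit is None:
        verdict, reason = "drop", "no FIB entry for source"
    elif mode == "rx" and hit[1] != in_iface:
        verdict, reason = "drop", f"source reachable via {hit[1]} but arrived on {in_iface}"
    else:
        verdict, reason = "forward", f"source matches {hit[0]} via {hit[1]}"
    if verdict == "drop":
        addr = ipaddress.ip_address(src)
        if any(addr in ipaddress.ip_network(n) for n in exempt_acl):
            return "forward", reason + " (permitted by uRPF ACL)"
    return verdict, reason


if __name__ == "__main__":
    # A LAN host arriving on its own interface passes; the same source on Fa0/1 is
    # spoofed and fails strict mode but passes loose mode.
    for src, iface in [("10.1.1.7", "Fa0/0"), ("10.1.1.7", "Fa0/1"), ("8.8.8.8", "Fa0/0")]:
        print(src, iface, "strict:", urpf_check(FIB, src, iface, "rx"),
              "loose:", urpf_check(FIB, src, iface, "any"))
```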

Which type of traffic does DHCP snooping drop? DHCP messages where the source MAC and client MAC do not match

A network engineer is configuring a solution to allow failover of HSRP nodes during maintenance windows, as an alternative to powering down the active router and letting the network respond accordingly. Which action will allow for manual switching of HSRP nodes?

Track the up/down state of a loopback interface and shut down this interface during maintenance.

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.
In the command “management-interface interface allow protocols” we can configure these protocols (to allow on the designated management interface):
+ BEEP
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Therefore these are also the protocols that can be affected by MPP.
PPPoE

PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows authenticated assignment of IP addresses. In this type of implementation, the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection.

PPPoE is composed of two main phases:
+ Active Discovery Phase: In this phase, the PPPoE client locates a PPPoE server, called an access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
+ PPP Session Phase: In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.

The “dialer persistent” command (under interface configuration mode) allows a dial-on-demand routing (DDR) dialer profile connection to be brought up without being triggered by interesting traffic. When configured, the dialer persistent command starts a timer when the dialer interface starts up and starts the connection when the timer expires. If interesting traffic arrives before the timer expires, the connection is still brought up and set as persistent. An example configuration is shown below:

interface Dialer1
ip address 12.12.12.1 255.255.255.0
encapsulation ppp
dialer-pool 1
dialer persistent

The “vpdn enable” command is used to enable virtual private dialup networking (VPDN) on the router and inform the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway). The remaining steps are: configure the VPDN group; configure the virtual-template; create the IP pools.

There are three authentication methods that can be used to authenticate a PPPoE connection:
+ CHAP – Challenge Handshake Authentication Protocol
+ MS-CHAP – Microsoft Challenge Handshake Authentication Protocol Version 1 & 2
+ PAP – Password Authentication Protocol
MS-CHAP and CHAP are encrypted authentication protocols, while PAP is an unencrypted authentication protocol.
A PPPoE session is initiated by the PPPoE client. If the session has a timeout or is disconnected, the PPPoE client will immediately attempt to reestablish the session. The following four steps describe the exchange of packets that occurs when a PPPoE client initiates a PPPoE session:
1. The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a PPPoE Active Discovery Offer (PADO) packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The host looks through the PADO packets it receives and chooses one. The choice can be based on the access concentrator name or on the services offered. The host then sends a single PPPoE Active Discovery Request (PADR) packet to the access concentrator that it has chosen.
4. The access concentrator responds to the PADR by sending a PPPoE Active Discovery Session-confirmation (PADS) packet. At this point a virtual access interface is created that will then negotiate PPP, and the PPPoE session will run on this virtual access interface.
If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at predetermined intervals. That interval is doubled for every successive PADI that does not evoke a response, until the interval reaches a configured maximum.
If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE session and the virtual access interface will be brought down. When the PPPoE session is brought down, the client waits for a predetermined number of seconds before trying again to establish a PPPoE session.

interface Ethernet 0
pppoe-client dial-pool-number 5
pppoe-client ppp-max-payload 1500
interface Dialer 1
ip address negotiated
dialer pool 5
mtu 1492

This configuration represents a complete PPPoE client configuration on an Ethernet connection.

Which command configures a PPPoE client and specifies dial-on-demand routing functionality? pppoe-client dial-pool-number

Which command instructs a PPPoE client to obtain its IP address from the PPPoE server? ip address negotiated

Which two configurations can a PPPoE client support? (Choose two)
A. Eight clients are configured on a single CPE.
B. The client is connected to multiple hosts over DMVPN
The PPPoE client does not support the following:
+ More than ten clients per customer premises equipment (CPE)
+ Coexistence of the PPPoE client and server on the same device

PBR

Normal policy based routing (PBR) is used to route packets that pass through the device. Packets that are generated by the router itself are not normally policy-routed. To control these packets, local PBR should be used. For example:

Router(config)# ip local policy route-map map-tag (compared with normal PBR: Router(config-if)# ip policy route-map map-tag)

When policy-based routing (PBR) is being configured, which three criteria can the set command specify?

A. all interfaces through which the packets can be routed
C. adjacent next hop router in the path toward the destination
F. type of service and precedence in the IP packets

The set command specifies the action(s) to take on the packets that match the
criteria. You can specify any or all of the following:
* precedence: Sets precedence value in the IP header. You can specify either the
precedence number or name.
* df: Sets the “Don’t Fragment” (DF) bit in the ip header.
* vrf: Sets the VPN Routing and Forwarding (VRF) instance.
* next-hop: Sets next hop to which to route the packet.
* next-hop recursive: Sets next hop to which to route the packet if the hop is to a
router which is not adjacent.
* interface: Sets output interface for the packet.
* default next-hop: Sets next hop to which to route the packet if there is no explicit
route for this destination.
* default interface: Sets output interface for the packet if there is no explicit route
for this destination.

The “show route-map <route-map name>” command displays the policy routing match counts, so we can learn whether PBR reacts to packets sourced from 172.16.0.0/16 or not.

Based upon the configuration, you need to understand why the policy routing match counts are not increasing. Which would be the first logical step to take?

First we should check the access-list log: if the hit count does not increase, then no packets match the access-list, so the policy based routing match counts will not increase.

SNMP

The SNMPv3 Agent supports the following set of security levels:
+ NoAuthNoPriv: Communication without authentication and privacy.
+ AuthNoPriv: Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
+ AuthPriv: Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA; for Privacy, the DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.
In the CLI, we use the “priv” keyword for “AuthPriv” (the “noAuth” keyword for “NoAuthNoPriv”; the “auth” keyword for “AuthNoPriv”). The following example shows how to configure a remote user to receive traps at the “priv” security level when the SNMPv3 security model is enabled:
Router(config)# snmp-server group group1 v3 priv
Router(config)# snmp-server user PrivateUser group1 remote 1.2.3.4 v3 auth md5 password1 priv access des5

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName

Router(config)#snmp-server host 192.168.1.3 traps version 2c CISC

The snmp-server host global configuration command is used to specify the recipient of an SNMP notification operation, in this case 192.168.1.3. In other words, traps of the local router will be sent to 192.168.1.3. Therefore this command is often used to manage the device.

B. The manager sends GET and SET messages.
C. SNMPv3 supports authentication and encryption.
D. The manager polls the agent using UDP port 161

CEF

The command “show ip cef” is used to display the CEF Forwarding Information Base (FIB) table. There are some entries we want to explain:
+ If the “Next Hop” field of a network prefix is set to receive, the entry represents an IP address on one of the router’s interfaces. In this case, 192.168.201.2 and 192.168.201.31 are IP addresses assigned to interfaces on the local router.
+ If the “Next Hop” field of a network prefix is set to attached, the entry represents a network to which the router is directly attached. In this case the prefix 192.168.201.0/27 is a network directly attached to router R2’s Fa0/0 interface.

The “show adjacency” command is used to display information about the Cisco Express Forwarding adjacency table or the hardware Layer 3-switching adjacency table.
There are two known reasons for an incomplete adjacency:
+ The router cannot use ARP successfully for the next-hop interface.
+ After a clear ip arp or a clear adjacency command, the router marks the adjacency as incomplete. Then it fails to clear the entry.
Note: Two nodes in the network are considered adjacent if they can reach each other using only one hop.
How does an IOS router process a packet that should be switched by Cisco Express Forwarding without an FIB entry? It drops the packet.

Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router’s processor low. CEF is made up of two main components: the Forwarding Information Base (FIB) and the Adjacency Table. These are automatically updated at the same time as the routing table.
The adjacency table is tasked with maintaining the Layer 2 next-hop information for the FIB.
Glean adjacency – in short, when the router is directly connected to hosts, the FIB table on the router will maintain a prefix for the subnet rather than for the individual host prefixes. This subnet prefix points to a GLEAN adjacency.
Punt adjacency – when packets to a destination prefix can’t be CEF switched, or the feature is not supported in the CEF switching path, the router will then use the next slower switching mechanism configured on the router.

Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

BGP

Private autonomous system (AS) numbers, which range from 64512 to 65535, are used to conserve globally unique AS numbers.

Globally unique AS numbers (1 – 64511) are assigned by InterNIC.

These private AS numbers cannot be leaked to a global Border Gateway Protocol (BGP) table because they are not unique.

0: reserved
1 – 64495: public AS numbers
64496 – 64511: reserved for use in documentation
64512 – 65534: private AS numbers
65535: reserved

If the MTU on two interfaces is mismatched, the BGP neighbors may flap: the BGP state drops and the logs show missing BGP hello keepalives, or the other peer terminates the session.

BGP peers are established by manual configuration between routing devices to create a TCP session on (destination) port 179.

Below is the list of BGP states in order, from startup to peering:
1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a BGP start event, generally either the establishment of a TCP connection or the re-establishment of a previous connection. Once the connection is established, BGP moves to the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP connection completes, BGP will move to the OpenSent stage; if the connection cannot complete, BGP goes to Active.
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with the BGP speaker it wants to peer with. If this can be done, the BGP state goes to the OpenSent state.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote BGP speaker.
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is detected, the BGP speaker sends a KEEPALIVE message to the remote BGP speaker.
6 – Established: All of the neighbor negotiations are complete. You will see a number (2 in this case), which tells us the number of prefixes the router has received from a neighbor or peer group.

SYSLOG

The “service timestamps log uptime” command enables timestamps on log messages, showing the time since the system was rebooted.

00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

-> The log severity level of this message is 3 – errors

Frame relay
A normal (Ethernet) ARP Request knows the Layer 3 address (IP) and requests the Layer 2 address (MAC). On the other hand, Frame Relay Inverse ARP knows the Layer 2 address (DLCI) and requests the Layer 3 address (IP), so we call it “Inverse”.

When saying “Frame Relay point-to-point” network, it means “Frame Relay subinterfaces” run “point-to-point”. Notice that Frame Relay subinterfaces can run in two modes:
+ Point-to-Point: When a Frame Relay point-to-point subinterface is configured, the subinterface emulates a point-to-point network and OSPF treats it as a point-to-point network type
+ Multipoint: When a Frame Relay multipoint subinterface is configured, OSPF treats this subinterface as an NBMA network type.

And there are 4 network types which can be configured with OSPF. The hello & dead intervals of these types are listed below:

Network Type           Hello Interval (secs)   Dead Interval (secs)
Point-to-Point         10                      40
Point-to-Multipoint    30                      120
Broadcast              10                      40
Non-Broadcast          30                      120

Therefore the default OSPF hello interval on a Frame Relay point-to-point network is 10 seconds.

Traffic shaping should be used when:
+ The hub site (headquarters) has a much faster link than the spokes (remote sites). In this case we need to rate-limit the hub site so that it does not exceed the remote side access rate.
+ The hub site has the same link speed as the spokes. For example, both the headquarters and the spokes use T1 links. In this case, we need to rate-limit the remote sites so as to not overrun the hub.

In which two ways can split horizon issues be overcome in a Frame Relay network environment?
Configuring multiple subinterfaces on a single physical interface to various remote sites.
Disabling split horizon.

Router 1 cannot ping router 2 via the Frame Relay between them. Which two statements describe the problems?
Encapsulation is mismatched.
DLCI is inactive or deleted.

Which two statements about configuring Frame Relay point-to-multipoint connections are true? (Choose two)
They require the frame-relay mapping command to be configured
They require inverse ARP

What is the function of the command “redistribute ospf 1 match internal”?
It means that only intra-area and inter-area OSPF routes are redistributed.

Which is an invalid option when redistributing from EIGRP into OSPF?
A. ACL
B. tag
C. metric
D. route map

Refer to the exhibit:
access-list 1 permit 192.168.1.1
access-list 1 deny any
access-list 2 permit 192.168.1.4
access-list 2 deny any
!
ntp access-group peer 2
ntp access-group serve 1
ntp master 4
!

Which three NTP features can be deduced on the router? (Choose three)
A. Only accepts time requests from 192.168.1.1
B. Only handles four requests at a time
C. Only is in stratum 4
D. Only updates its time from 192.168.1.1
E. Only accepts time requests from 192.168.1.4
F. Only updates its time from 192.168.1.4

Answer: A C F

Explanation

First we need to understand some basic knowledge about NTP. There are two types of NTP messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status information. They are not used for time synchronization, so we will not care about them in this question.
+ Request/Update messages: for time synchronization. Request messages ask for synchronization information, while Update messages contain synchronization information and may change the local clock.

There are four types of NTP access-groups to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize with. In other words, it permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other words, it permits the local router to reply to NTP requests, but drops NTP updates. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other words, it permits the local router to respond to NTP requests only. This access-group denies control messages.
+ Query-only: only accepts control messages. No response to NTP requests is sent, and no local system time synchronization with a remote system is permitted.

From my experience, you just need to remember:
+ Peer: serve and be served
+ Serve: serve but not be served

Therefore in this question:
+ The “ntp access-group peer 2” command says “I can only accept NTP updates and respond to NTP (time) requests from 192.168.1.4”. -> Answer F is correct while answer D is not correct.
+ The “ntp access-group serve 1” command says “I can only reply to time requests (but cannot accept time updates) from 192.168.1.1” -> Answer A is correct*

The “ntp master 4” command indicates it is running as a time source with a stratum level of 4 -> Answer B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and 192.168.1.4.

*Note: In fact answer A is incorrect too because the local router can accept time requests from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake in this question.
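The exhibit's access-group semantics worked through in Python, as an added example that is not part of the original notes. It encodes the four group types as the explanation describes them; the evaluation order (peer, serve, serve-only, query-only, first match wins) is IOS behaviour assumed by this model rather than stated on the page, and the ACL contents are taken from the exhibit.

```python
"""Which NTP operations a router with ntp access-groups allows from a given source."""
import ipaddress
from typing import Dict, List, Set, Tuple

# What each access-group type lets a matching remote device do.
PERMISSIONS: Dict[str, Set[str]] = {
    "peer":       {"time_request", "time_update", "control"},  # serve and be served
    "serve":      {"time_request", "control"},                 # serve but not be served
    "serve-only": {"time_request"},                            # no control messages
    "query-only": {"control"},                                 # control messages only
}
# IOS checks the configured groups from least to most restrictive (assumption of this model).
EVAL_ORDER = ["peer", "serve", "serve-only", "query-only"]

# Constructed from the exhibit: standard ACLs with an implicit deny at the end.
ACLS: Dict[int, List[str]] = {
    1: ["192.168.1.1"],   # access-list 1 permit 192.168.1.1
    2: ["192.168.1.4"],   # access-list 2 permit 192.168.1.4
}
# ntp access-group peer 2 / ntp access-group serve 1
ACCESS_GROUPS: List[Tuple[str, int]] = [("peer", 2), ("serve", 1)]


def acl_permits(acl: List[str], source: str) -> bool:
    """Standard ACL: entries are hosts or networks; anything unmatched is denied."""
    addr = ipaddress.ip_address(source)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def ntp_permissions(access_groups: List[Tuple[str, int]], acls: Dict[int, List[str]],
                    source: str) -> Set[str]:
    """Operations the local NTP service allows for packets from `source`.

    With no access-group configured there is no restriction. Otherwise the first
    group in EVAL_ORDER whose ACL permits the source decides, and a source that
    matches none of the configured groups is refused everything.
    """
    if not access_groups:
        return set.union(*PERMISSIONS.values())
    configured = dict(access_groups)
    for group_type in EVAL_ORDER:
        acl_num = configured.get(group_type)
        if acl_num is not None and acl_permits(acls.get(acl_num, []), source):
            return set(PERMISSIONS[group_type])
    return set()


def may_update_local_clock(access_groups, acls, source: str) -> bool:
    """True if the router would accept a time update from `source`, i.e. sync to it."""
    return "time_update" in ntp_permissions(access_groups, acls, source)


if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.4", "192.168.1.9"):
        print(host, sorted(ntp_permissions(ACCESS_GROUPS, ACLS, host)))
```

Both 192.168.1.1 and 192.168.1.4 come out with time_request allowed, which is exactly the point the *Note above makes about answer A.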

Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast

After doing some lab testing I found the following:
Basically the device that is requesting the update has to trust the configured key.
Client/Server Mode: the trusted-key command had to be configured on the Client but not the server.
Peer Mode: the trusted-key command had to be configured on the less trustworthy peer to sync with the peer.
Broadcast: the trusted-key command had to be configured on the device that was in broadcast client mode but not on the device that was in broadcast mode.

A network engineer wants an NTP client to be able to update the local system without updating or
synchronizing with the remote system. Which option for the ntp access-group command is needed
to accomplish this?
A. Serve

GRE
“The tunnel interface is configured in default mode” means that the tunnel has been configured as a point-to-point (P2P) GRE tunnel. Normally, a P2P GRE tunnel interface comes up (up/up state) as soon as it is configured with a valid tunnel source address or interface which is up and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down
state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in
recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is
stuck in up/down state.

Two scenarios for preventing fragmentation on a GRE tunnel (Choose two)

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called an MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The receiving station is responsible for the reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.
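The interaction of encapsulation overhead, fragmentation, PMTUD and TCP MSS described above, worked through in Python as an added example (not code from the original notes). Header sizes are the standard ones (IPv4 20, TCP 20, GRE 4 without options, PPPoE 6 plus PPP 2, which is where the "mtu 1492" in the PPPoE configuration earlier comes from); the 1500-byte link MTU is an assumed Ethernet value.

```python
"""Tunnel MTU, the DF/PMTUD decision and the MSS a host should advertise."""
import math
from typing import Dict

IPV4_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = 20 + 4       # outer IPv4 header + 4-byte GRE header (no key/sequence)
PPPOE_OVERHEAD = 6 + 2      # PPPoE header + PPP protocol field: 1500 - 8 = 1492


def inner_mtu(link_mtu: int, *overheads: int) -> int:
    """Largest IP datagram that still fits once the listed encapsulations are added."""
    return link_mtu - sum(overheads)


def tcp_mss_for(ip_mtu: int) -> int:
    """MSS a host should advertise so that a full segment never exceeds ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def forward_decision(pkt_len: int, df: bool, out_mtu: int) -> Dict[str, object]:
    """What a router does with an IPv4 datagram destined for an egress link of out_mtu.

    Fits            -> forward as one packet.
    Too big, DF set -> drop and return ICMP "fragmentation needed"; PMTUD on the
                       sender relies on this message to lower its path MTU.
    Too big, DF off -> fragment: each fragment carries its own 20-byte header and a
                       payload that is a multiple of 8 bytes (except the last one).
    """
    if pkt_len <= out_mtu:
        return {"action": "forward", "fragments": 1}
    if df:
        return {"action": "drop",
                "icmp": "fragmentation needed, next-hop MTU %d" % out_mtu}
    payload = pkt_len - IPV4_HDR
    per_fragment = (out_mtu - IPV4_HDR) // 8 * 8
    return {"action": "fragment", "fragments": math.ceil(payload / per_fragment)}


if __name__ == "__main__":
    gre_mtu = inner_mtu(1500, GRE_OVERHEAD)                     # 1476
    print("GRE tunnel IP MTU:", gre_mtu, "-> clamp MSS to", tcp_mss_for(gre_mtu))
    print("1500-byte DF packet into the tunnel:", forward_decision(1500, True, gre_mtu))
    print("same packet with DF clear:", forward_decision(1500, False, gre_mtu))
    print("PPPoE dialer MTU:", inner_mtu(1500, PPPOE_OVERHEAD))  # 1492
    print("GRE over PPPoE:", inner_mtu(1500, PPPOE_OVERHEAD, GRE_OVERHEAD))
```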

A tunnel destination must be routable, but it can be unreachable.

To establish a tunnel, the source interface must be in the up/up state.

GRE tunnels can run through IPsec tunnels.

GRE supports the use of routing protocols, while IPsec supports encryption.

GRE encapsulation occurs before the IPsec encryption process.

Four steps to configure a GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.