ENARSI Exam - Question 473


SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.

• Refer to the Topology tab to access the device console(s) and perform the tasks.

• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

• All necessary preconfigurations have been applied.

• Do not change the enable password or hostname for any device.

• Do not replace existing routing policies or configurations.

• Save your configurations to NVRAM before moving to the next item.

• Click Next at the bottom of the screen to submit this lab and move to the next question.

• When Next is clicked, the lab closes and cannot be reopened.

Topology

Tasks

A DMVPN network is preconfigured with tunnel 0 IP address 192.168.1.254 on the HUB, IP connectivity, crypto policies, profiles, and EIGRP AS 100. The NHRP password is ccnp123, and the network ID and tunnel key are the EIGRP ASN. Do not introduce a static route. Configure DMVPN connectivity between routers BR1 and BR2 and the HUB router, using the physical interface as the tunnel source, to achieve these goals:

1. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR1.

2. Configure NHRP authentication, static IP-to-NBMA address maps, hold time 5 minutes, network ID, and server on branch router BR2.

3. Ensure that packet fragmentation is done before encryption to account for the GRE and IPsec headers, and allow a maximum TCP segment size of 1360 with an IP MTU of 1400 on the tunnel interfaces of both branch routers.

4. Apply an IPsec profile to the tunnel. Verify that the direct spoke-to-spoke tunnel is functional between branch routers BR1 and BR2 by using traceroute to the Ethernet 0/0 IP address to get a full score.
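The following is an added worked example of one spoke (BR1) configuration that covers the four tasks, with the verification commands a practitioner would run before clicking Next. It is written for this page and is not the exam's reference answer, which the page does not show. It assumes the hub's NBMA (WAN) address is 10.10.255.254, the spoke WAN interface is Ethernet0/1, the pre-configured IPsec profile is named ciscoprofile, and BR2's Ethernet0/0 address is 172.16.2.254; only 192.168.1.254, AS 100 and the NHRP string ccnp123 come from the task text. BR2 is configured identically with tunnel address 192.168.1.2.

```cisco
! BR1 spoke, added example. Assumed names and addresses are marked below.
! Task 3, global: fragment the GRE packet before ESP so the encrypted packet
! fits the physical link MTU, and ignore DF on the inner packet so it can be fragmented.
crypto ipsec fragmentation before-encrypt
crypto ipsec df-bit clear
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ! Task 3: 1400 leaves room for the outer IP header (20), GRE with key (8) and ESP
 ! overhead inside a 1500-byte link MTU; 1360 = 1400 - 20 (IP) - 20 (TCP), so a TCP
 ! sender never builds a segment that would have to be fragmented in the tunnel.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Task 1: NHRP authentication string. It is a cleartext field in the NHRP packet;
 ! it is confidential on the wire only because IPsec wraps the whole GRE packet.
 ip nhrp authentication ccnp123
 ! Network ID is the EIGRP ASN, as the task requires
 ip nhrp network-id 100
 ! Hold time is in seconds: 5 minutes = 300
 ip nhrp holdtime 300
 ! Static tunnel-IP to NBMA map for the hub (assumed NBMA address), multicast
 ! (EIGRP hellos) to the hub, and the hub as next-hop server
 ip nhrp map 192.168.1.254 10.10.255.254
 ip nhrp map multicast 10.10.255.254
 ip nhrp nhs 192.168.1.254
 ! Phase 3: accept NHRP redirects from the hub and install spoke-to-spoke shortcuts
 ip nhrp shortcut
 no ip redirects
 ! Physical interface as tunnel source (assumed interface name); mGRE with no
 ! static tunnel destination is what allows direct spoke-to-spoke tunnels (task 4)
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 ! Tunnel key is the EIGRP ASN and must match the hub
 tunnel key 100
 ! Task 4: apply the pre-configured profile (assumed name)
 tunnel protection ipsec profile ciscoprofile
!
end
write memory
!
! Verification on BR1 once BR2 is configured the same way:
! show dmvpn              -> hub 192.168.1.254 / 10.10.255.254 in state UP, attribute S (static)
! show ip nhrp            -> 192.168.1.254/32 static entry with NBMA address 10.10.255.254
! show ip eigrp neighbors -> 192.168.1.254 on Tunnel0
! show crypto ipsec sa    -> pkts encaps/decaps increasing for peer 10.10.255.254
! traceroute 172.16.2.254 -> the first run may show 192.168.1.254 as hop 1; after the hub's
!                            NHRP redirect a second run shows 192.168.1.2 (BR2's tunnel
!                            address) as hop 1, and show dmvpn lists 192.168.1.2 as a
!                            dynamic (D) entry. That is the direct spoke-to-spoke tunnel.
```

Two checks worth making before submitting. First, the traceroute hop must be a 192.168.1.x tunnel address: if hop 1 is a 10.10.255.x WAN address, the packet is taking the underlay and the DMVPN is not being exercised, which happens when the WAN subnet is also advertised into EIGRP (in a real WAN that also risks recursive routing, since the tunnel destination would be learned through the tunnel). Second, the page's hub examples use a wildcard pre-shared key (address 0.0.0.0), 3DES and MD5; they are the exam's pre-configured crypto, not a pattern to copy into production, where per-peer keys or certificates and AES/SHA-2 transforms belong.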


Discussion

15 comments
HungarianDish_111
Jun 18, 2023

Sim was the same as here. Did not get a full score for this sim on the real exam, and could not figure out what was missing. Still passed the exam. New question: MP-BGP NLRI attributes: RD, IPv4 Prefix, Next Hop, VPN Label https://networklessons.com/mpls/mpls-layer-3-vpn-explained

keesu
Jun 29, 2023

Congrats on passing the exam! Thank you for your valuable comments throughout the Qs!

ParisaAlipoor
Jul 8, 2023

Thank you for your valuable comments... can you please describe the new question? MP-BGP NLRI attributes: RD, IPv4 Prefix, Next Hop, VPN Label

HungarianDish_111
Jul 25, 2023

List the MP-BGP NLRI attributes. Answer: RD, IPv4 Prefix, Next Hop, VPN Label

chaba7654321
May 4, 2024

Had this same lab on the exam; the config and provided solution are correct (apart from 'ip nhrp holdtime', which, as someone mentioned earlier, needs to be 300, as it is in seconds). There is no access to the HUB router on the exam; only config on the 2 spokes is needed. Both spokes already have a pre-configured IPsec profile; I just applied it to tu0. The config provided by HungarianDish below is correct.

dapardo
May 10, 2024

thanks for this feedback

HungarianDish_111
May 24, 2023

Holdtime seems to be incorrect:

ip nhrp holdtime 300 ! Seconds that NHRP NBMA addresses are advertised as valid in positive NHRP responses

https://www.ciscozine.com/dmvpn-phase-3-guide/ 5 minutes = 300 seconds

HungarianDish_111
May 24, 2023

3. Ensure that packet fragmentation is done before encryption => For me, it suggests that the following config is required (global config mode or interface config):

crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

HungarianDish_111
May 24, 2023

https://networkengineering.stackexchange.com/questions/11283/pre-fragmentation-for-ipsec-vpns-on-cisco-routers I added it in global config mode.

HungarianDish_111
Jun 5, 2023

Interestingly, "crypto ipsec fragmentation before-encrypt" is never displayed in the running config. Maybe it is due to this bug: CSCsr97396/CSCsh30577.

Brand
Sep 10, 2023

I got this exact sim in the exam and I'm here to confirm that the presented answer is almost correct. Just make sure you use the lines below:

ip nhrp holdtime 300 (you define the holdtime using seconds)
tunnel mode gre multipoint (as the sim asks you to confirm direct communication between spokes; a static destination is not what you are looking for here)

Brand
Sep 10, 2023

Also, don't forget to add the following lines in global configuration mode, as HungarianDish explained, because the sim asks you to make sure fragmentation is being done before the encryption with IPsec:

crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

HungarianDish_111
May 24, 2023

"using physical interface as the tunnel source" => tunnel source eth0/1

HungarianDish_111
May 24, 2023

hostname HUB
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set ciscoset esp-3des
 mode tunnel
!
crypto ipsec profile ciscoprofile
 set transform-set ciscoset
!
interface Tunnel0
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication ccnp123
 ! learn spoke NBMA addresses for multicast (EIGRP hellos) as they register
 ip nhrp map multicast dynamic
 ! network ID = EIGRP ASN, as the task requires
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp redirect
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ciscoprofile
!
router eigrp 100
 network 10.10.1.1 0.0.0.0
 network 192.168.1.0
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

HungarianDish_111
May 24, 2023

hostname BR1
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ccnp123
 ip nhrp map multicast 10.10.255.254
 ip nhrp map 192.168.1.254 10.10.255.254
 ! network ID = EIGRP ASN, as the task requires
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.254
 ! Phase 3: install spoke-to-spoke shortcuts on hub redirect
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ciscoprofile
!
router eigrp 100
 network 10.10.10.1 0.0.0.0
 network 192.168.1.0
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

HungarianDish_111
May 24, 2023

hostname BR2
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ccnp123
 ip nhrp map multicast 10.10.255.254
 ip nhrp map 192.168.1.254 10.10.255.254
 ! network ID = EIGRP ASN, as the task requires
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.254
 ! Phase 3: install spoke-to-spoke shortcuts on hub redirect
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ciscoprofile
!
router eigrp 100
 network 10.10.10.2 0.0.0.0
 network 192.168.1.0
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

HungarianDish_111
May 26, 2023

interface Tunnel0
 ip nhrp shortcut
(left out from previous comment by mistake)

HungarianDish_111
May 26, 2023

int tu 0
 ip nhrp map multicast dynamic
(left out from previous comment by mistake)

HungarianDish_111
Jun 5, 2023

Some correction for the transform-set: https://community.cisco.com/t5/vpn/dmvpn-tunnel-versus-transport-mode/td-p/1544252 Transport mode is actually the recommended mode for DMVPN, because it saves 20 bytes of overhead.

crypto ipsec transform-set ciscoset esp-3des
 mode transport

HungarianDish_111
Jun 7, 2023

This document states that we would need "mode tunnel" if we want to do pre-fragmentation. Probably we can leave it in the default mode, which is tunnel. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/xe-16-10/sec-ipsec-data-plane-xe-16-10-book/sec-pre-frag-vpns.html "Pre-fragmentation for IPsec VPNs operates in IPsec tunnel mode and IPsec tunnel mode with GRE, but not with IPsec transport mode."

Almylle
Jul 7, 2023

No tunnel destination?

chris110
Sep 15, 2023

I don't think we need it, because of tunnel mode gre multipoint.

chris110
Sep 15, 2023

Need to configure the HUB as well?

dapardo
May 23, 2024

It SEEMS that it's not asked to configure the hub, just the spokes.

RK139
Dec 10, 2024

no ip split-horizon eigrp 100 ... it is OK ... but is the no ip next-hop-self command necessary? Because ip nhrp redirect exists ... can anybody help me?

leipeG
Nov 1, 2024

Full lab setup based on Phase 3 DMVPN. Use a layer-2 switch (not a hub) to replicate the ISP.

hostname HUB
!
configure terminal
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
!
interface Tunnel0
 ip address 192.168.1.254 255.255.255.0
 ip nhrp authentication ccnp123
 ip nhrp holdtime 300
 ip nhrp network-id 100
 ip nhrp shortcut
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip address 172.16.0.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/0
 ip address 10.10.255.254 255.255.255.0
 no shutdown
!
router eigrp 100
 network 10.10.255.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255

leipeG
Nov 1, 2024

hostname BR1
!
configure terminal
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication ccnp123
 ip nhrp nhs 192.168.1.254 nbma 10.10.255.254 multicast
 ip nhrp holdtime 300
 ip nhrp network-id 100
 ip nhrp shortcut
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip address 172.16.1.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/0
 ip address 10.10.255.1 255.255.255.0
 no shutdown
!
router eigrp 100
 network 10.10.255.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255

leipeG
Nov 1, 2024

hostname BR2
!
configure terminal
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication ccnp123
 ip nhrp nhs 192.168.1.254 nbma 10.10.255.254 multicast
 ip nhrp holdtime 300
 ip nhrp network-id 100
 ip nhrp shortcut
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip address 172.16.2.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/0
 ip address 10.10.255.2 255.255.255.0
 no shutdown
!
router eigrp 100
 network 10.10.255.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
BR2#traceroute 172.16.1.254
<..>
  1 10.10.255.1 28 msec 20 msec 40 msec

Telecommunications
Dec 1, 2024

On the Hub: you don't need the "ip nhrp shortcut" CLI.

HungarianDish_111
May 24, 2023

The task is to create a direct spoke-to-spoke tunnel. So, setting a static tunnel destination on the spokes is incorrect. We should use "tunnel mode gre multipoint".

1948
Mar 23, 2024

Do you think we will get marked down for including config that is not asked for, i.e. ip nhrp shortcut and ip nhrp redirect, as it doesn't mention suboptimal paths?

Rabbit3232
Jan 28, 2025

crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt
ip mtu 1400
ip tcp adjust-mss 1360
->
tunnel key
tunnel mode gre multipoint
ip nhrp nhs
ip nhrp map
ip nhrp network-id 100
ip nhrp authentication ccnp123
ip http server

It also says ensure you can tunnel to the Ethernet port on the other side of the router, so make sure you can do that and the tunnel isn't just up.

HungarianDish_111
May 24, 2023

int tu 0
 tunnel protection ipsec profile <name>

GReddy2323
May 30, 2023

I would like to lab this in CML, but what type of basic configuration does the ISP router need? I always struggle whenever an "ISP" router is put in the topology because I don't know what basic configuration it needs to get it to work.

cir_
Jun 4, 2023

You can use a layer 2 switch with no config to replicate the connectivity in this scenario

HungarianDish_111
Jun 5, 2023

An L2 switch in the middle is the best! I also saw a different topology in labs (e.g. Boson NetSim), where a router sits in the middle as the ISP, and then static routes are added on all routers to reach each other's WAN IPs. It is unnecessary to have such a topology for practicing DMVPN. An L2 switch is perfect.

Not_That_Guy
Jan 28, 2024

Anyone know if the test allows using 'ip nhrp nhs' like this instead of 'ip nhrp map', 'ip nhrp map multicast', and 'ip nhrp nhs'?

!SPOKES
interface Tunnel0
 ip address 192.168.100.X 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CCNP
 ip nhrp nhs 192.168.100.1 nbma 10.100.255.1 multicast
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile MyPROFILE
 exit
!
!GLOBAL - Check the HUB and modify crypto options
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key MyKEY address 0.0.0.0
!
crypto ipsec transform-set MyTRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile MyPROFILE
 set transform-set MyTRANSFORM
!
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encrypt

Newmanas
Apr 19, 2024

Tell me please, is it possible to pass the exam if you skip the Sim Lab questions?

Bombbear_W
Apr 21, 2024

That's impossible!!!

Newmanas
Apr 26, 2024

Tried the exam today. Had 3 lab questions, skipped all of them, and it looks like it's pretty much impossible to pass the exam without those. So it's more like "maybe it's possible" if you answer all the other questions 100% correctly, but it would be a very, VERY thin line between passing and failing :)
