Exam 350-401 All QuestionsBrowse all questions from this exam
Go to Exam
Question 878

SIMULATION

-

Guidelines

-

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.

• Refer to the Topology tab to access the device console(s) and perform the tasks.

• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

• All necessary preconfigurations have been applied.

• Do not change the enable password or hostname for any device.

• Save your configurations to NVRAM before moving to the next item.

• Click Next at the bottom of the screen to submit this lab and move to the next question.

• When Next is clicked, the lab closes and cannot be reopened.

Topology

-

Tasks

-

The operations team started configuring network devices for a new site. R10 and R20 are preconfigured with the CORP VRF. R10 has network connectivity to R20. Complete the configurations to achieve these goals:

1. Extend the CORP VRF between R10 and R20 using Tunnel0.

2. Protect Tunnel0 using the preconfigured profile

3. Configure static routing on R10 and R20 so that users in VLANs100 and 101 that belong to the CORP VRF are able to communicate with each other. Tunnel0 should be the only interface used to route traffic for the CORP VRF

    Correct Answer:

Discussion
Klimy

This sim came up for me today without the ipsec. You just put it into vrf (ip vrf forwarding CORP) and set the 2 static routes in the CORP vrf. R10 ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 R20 ip route vrf CORP 10.100.1.0 255.255.255.0 tunnel0 And of course save config. Just note that when you put it into vrf it loses the IP, so you need to set it again. (But you get a message, so you’ll see…)

Adalberto

And how about the Protection config ?

a197cbf

I had both the VRF with protection, and without protection, both questions on the same exam. For the tunnel protection, I think if you do a "show run | sec crypto" you should see that a crypto profile was made (I think it was called "MYPROFILE") on both routers. This already has all the proper keys, encryption, hashes, etc, already done for you, so you only have to apply the profile to the tunnel. Using MYPROFILE as an example, you would then do the following: (config)# interface Tunnel 0 (config-if)# tunnel protection ipsec profile MYPROFILE

AzraelOmbrixa

do a 'show ip int brief' to find IP of e0/1 of R1 and e0/2 of R20 (10.10.1.10 and 10.10.2.20 in this case) R1#conf t interface Tunnel0 vrf forwarding CORP ip address 10.100.100.1 255.255.255.0 Tunnel source e0/1 Tunnel destination 10.10.2.20 Tunnel protection ipsec profile MyProfile exit ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 do wr R20#conf t interface tunnel0 vrf forwarding CORP ip address 10.100.100.2 255.255.255.0 Tunnel source e0/2 Tunell destination 10.10.1.10 Tunnel protection ipsec profile MyProfile exit ip route vrf CORP 10.100.1.0 255.255.255.0 tunnel0 do wr

post20

Simulations need to be updated!... Took the test yesterday. Had 4 simulations. The only one I saw from all presents on "examtopic" was GRE tunnel, without the 3rd task. The other different simulations were OSPF (had to elect DR and BDR without using the command ip ospf network point-to-point), BGP, and the other one with issues on a trunk link between two switches + issues on an ether-channel on two other switches present in the same topology... failed the exam :(

Claudiu1

I labbed this exercise and this is what I have to say. Without the exact configurations, I simply left R10 e0/1, R20 e0/2 and the ISP router with their global VRFs. No modifications there. Now I see there are multiple versions of the correct answer, so: - "tunnel vrf TECH" implies that there is a TECH VRF already configured on the R10 e0/1, R20 e0/2 and the ISP router. If there isn't, "ip vrf forwarding CORP" is enough to solve this exercise. - on the same note, "tunnel vrf CORP" command needs that the VRF CORP is also configured, on R10 e0/1, R20 e0/2 and the ISP router. Otherwise, this will break your config because CORP VRF has no routes to 10.10.1.0 and 10.10.2.0. If you get this lab in your exam, examine very careful the preconfiguration.

Exam12559

Although I do not know the pre-setting situation when questions are asked in the exam, I will assume that the following conditions are in place. ・"R10 and R20 are preconfigured with the CORP VRF. R10 has network connectivity to R20." From the above, the underlays 10.10.1.0/24 and 10.10.2.0/24 may also be configured with CORP VRF. ・It is not necessarily necessary to create a new VRF. Use default routing process. Therefore, I think the necessary settings are as follows. [Task 1] R10(config)# interface Tunnel 0 R10(config-if)# tunnel source e0/1 R10(config-if)# tunnel destination 10.10.2.20 R10(config-if)# tunnel vrf CORP [Task 2] R10(config-if)# tunnel protection ipsec EXAMPLE [Task 3] R10(config)# ip route 10.100.1.0 255.255.255.0 tunnel0 [others] R10# copy run sta

Exam12559

Correct the above. In [Task 1], it is stated that the CORP VRF will be expanded, so I think the tunnel will be established on the CORP VRF. The corrected version is as follows. R10 [Task 1] R10(config)# interface Tunnel 0 R10(config-if)# ip vrf forwarding CORP R10(config-if)# ip add 10.100.100.10 255.255.255.0 R10(config-if)# tunnel source e0/1 R10(config-if)# tunnel destination 10.10.2.20 [Task 2] R10(config-if)# tunnel protection ipsec EXAMPLE [Task 3] R10(config)# ip route vrf CORP 10.101.2.0 255.255.255.0 tunnel0 [others] R10# copy run sta

Din04

This is correct. When you apply the vrf on an interface, you always have to apply the IP address configuration again. Not sure why the provided answers mentions TECH vrf.

studying_1

for task2, the word profile is missing, the command is #tunnel protection ipsec profile (profile-name)

sharonmiller

I think the correct answer is "next" lol

Swiz005

I took and passed the CCNP ENCOR exam today. I had 89 questions and 4 laps. This was one of the labs. however, I had issues though, my keyboard would not do uppercase when entering the profile name. I complained anyway and they wanted to restart the lap but I was already running out of time so I skipped it. This was my second take. I made sure I scored over 80 percent (over 100 questions) from this site before going for my second take. Good luck to everyone and thanks to Examtopics

a197cbf

For some reason, using the provided configuration would not bring my tunnel up when using the "tunnel vrf CORP" command. Removing just that one command on both routers brought the tunnel up, so on my end it looks like you only need "ip vrf forwarding CORP" and not "tunnel vrf CORP". Anyone have any ideas as to why adding "tunnel vrf CORP" makes the tunnel go down? All other configs are the same on each side.

IgorLVG

i would like to share: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-16-12/ir-xe-16-12-book/ir-vrf-tunnels.html#GUID-4B490C97-7812-4825-999B-AAC2FFA35113 here explains why use 2 VRF and the meaining of "tunnel vrf"

slacker_at_work

Wrt protecting the tunnel; See article "Configuring a Virtual Tunnel Interface with IP Security" https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

CCAL

This configuration is correct R1# interface Tunnel0 vrf forwarding CORP ip address 10.100.100.1 255.255.255.255 Tunnel source e0/1 Tunnel destination 10.10.2.20 Tunnel protection ipsec profile MyProfile R2# interface tunnel0 vrf forwarding CORP ip address 10.100.100.2 255.255.255.255 Tunnel source e0/2 Tunell destination 10.10.1.10 Tunnel protection ipsec profile MyProfile R1# ip route vrf CORF 10.101.2.0 255.255.255.255 tunnel0 R2#ip route vrf CORF 10 .100.1.0 255.255.255.255 tunnel0

CCAL

255.255.255.0 not 255.255.255.255 sorry

sergiosolotrabajo

I've configured this on EVE-NG: hostname R10 ! ! ! ! ip vrf CORP description VRF-CORP rd 12956:1 ! ! ! interface Loopback1 ip vrf forwarding CORP ip address 10.10.10.10 255.255.255.255 no sh ! interface Tunnel0 ip vrf forwarding CORP ip address 10.100.100.2 255.255.255.0 tunnel source GigabitEthernet0/1 tunnel destination 10.10.2.2 tunnel vrf CORP ! interface GigabitEthernet0/0 ip vrf forwarding CORP ip address 10.100.1.1 255.255.255.0 no sh ! ! interface GigabitEthernet0/1 ip vrf forwarding CORP ip address 10.10.1.2 255.255.255.0 no sh ! ! router ospf 1 vrf CORP router-id 10.10.10.10 passive-interface default no passive-interface GigabitEthernet0/1 network 10.10.10.10 0.0.0.0 area 0 network 10.10.1.2 0.0.0.0 area 0 network 10.100.1.0 0.0.0.255 area 0 exit ! ip route vrf CORP 10.101.2.0 255.255.255.0 Tunnel 0 ! ! !

sergiosolotrabajo

hostname R20 ! ! ! ! ip vrf CORP description VRF-CORP rd 12956:1 ! ! ! interface Loopback1 ip vrf forwarding CORP ip address 12.12.12.12 255.255.255.255 no sh ! interface Tunnel0 ip vrf forwarding CORP ip address 10.100.100.3 255.255.255.0 tunnel source GigabitEthernet0/2 tunnel destination 10.10.1.2 tunnel vrf CORP ! interface GigabitEthernet0/0 ip vrf forwarding CORP ip address 10.101.2.1 255.255.255.0 no sh ! ! interface GigabitEthernet0/2 ip vrf forwarding CORP ip address 10.10.2.2 255.255.255.0 no sh ! ! router ospf 1 vrf CORP router-id 12.12.12.12 passive-interface default no passive-interface GigabitEthernet0/2 network 12.12.12.12 0.0.0.0 area 0 network 10.10.2.2 0.0.0.0 area 0 network 10.101.2.0 0.0.0.255 area 0 ! ip route vrf CORP 10.100.1.0 255.255.255.0 Tunnel0 ! ! !

eearmani

This one of the new labs