CCNA DMVPN Questions

73 questions · DMVPN · All types, answers revealed

1
MCQ · hard

An engineer configures EIGRP named mode on a DMVPN Phase 3 hub with 'eigrp stub' on the spoke routers. Unexpectedly, when a spoke loses its WAN connection to the hub, the hub's EIGRP table shows the spoke's routes as active (stuck-in-active) for an extended period. Which is the most likely explanation?

A. The spoke's EIGRP stub configuration in named mode does not suppress query propagation for all routes; the hub queries the spoke for routes that are not in the stub's advertised set, causing a stuck-in-active when the spoke is unreachable.
B. The spoke's EIGRP stub configuration in named mode automatically sets the 'receive-only' flag, preventing any queries from being sent to the spoke.
C. The DMVPN tunnel interface on the spoke is configured with 'eigrp stub', which causes the spoke to ignore queries from the hub, but the hub still expects a reply.
D. The hub's EIGRP process is in classic mode, while the spoke is in named mode, causing a mismatch in the stub behavior.
Answer: A

In named mode, the stub command only limits the routes the spoke advertises, but the hub still sends queries to the spoke for all routes. If the spoke is unreachable, the query remains active until the active timer expires.

Why this answer

In EIGRP named mode, the stub feature by default includes 'connected' and 'summary' routes, but not 'static' or 'redistributed'. If the spoke is configured as a stub with the default settings, it does not advertise any routes beyond its connected interfaces. However, if the spoke has a loopback or other network that is not directly connected to the EIGRP process, the hub may still query the spoke for those routes, and if the spoke is unreachable, the query times out, causing a stuck-in-active.

The corner case is that the stub configuration in named mode does not suppress query propagation for all routes unless explicitly configured with 'leak-map' or 'receive-only'.

2
MCQ · hard

A network engineer configures a DMVPN Phase 3 network with EIGRP and uses the 'ip nhrp redirect' and 'ip nhrp shortcut' commands on the hub and spokes. Unexpectedly, spoke-to-spoke traffic still goes through the hub even after the shortcut is established, based on show ip nhrp shortcut output. Which is the most likely explanation?

A. The EIGRP route to the remote spoke's network still has the hub as the next-hop with a lower metric than the NHRP shortcut, so the router prefers the hub path.
B. The 'ip nhrp shortcut' command is not configured on the spoke's tunnel interface, so the shortcut is not used for forwarding.
C. The NHRP redirect is not enabled on the hub, so the spoke never receives redirect messages to trigger shortcut creation.
D. The spoke's CEF is disabled, causing the shortcut to not be used in the forwarding path.
Answer: A

The NHRP shortcut creates a host route or /32 route, but if the EIGRP route has a lower administrative distance or better metric, the router will use the hub path.

Why this answer

In DMVPN Phase 3, the shortcut is created when the spoke receives a redirect from the hub and sends a resolution request to the target spoke. However, for the shortcut to be used, the routing table must have a route that points to the shortcut next-hop. EIGRP, by default, installs routes with the hub as the next-hop.

The corner case is that the spoke's routing table still prefers the hub as the next-hop because the EIGRP metric for the hub route is lower than the shortcut. The fix is to use 'ip nhrp shortcut' with 'ip nhrp redirect' and ensure that the routing protocol's metric is adjusted (e.g., using offset-list) or that the shortcut is installed with a better metric via NHRP.

3
MCQ · medium

Consider the following DMVPN configuration on a hub router:

    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp network-id 100
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
    !
    router eigrp 100
     network 10.0.0.0 0.0.0.255
    !

What is a potential issue with this configuration?

A. EIGRP split-horizon is enabled by default on the tunnel interface, preventing spokes from learning routes from other spokes.
B. The NHRP authentication is missing on the spokes.
C. The tunnel mode should be 'gre ip' instead of 'gre multipoint'.
D. The EIGRP network statement is too broad.
Answer: A

Split-horizon prevents the hub from advertising routes learned from one spoke to another spoke, which is a common issue in DMVPN.

Why this answer

EIGRP over DMVPN requires split-horizon to be disabled on the hub's tunnel interface to allow spokes to learn routes from other spokes.

4
MCQ · medium

Given the following partial DMVPN configuration on a hub router:

    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp network-id 100
     ip nhrp authentication cisco123
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp map multicast dynamic
     ip nhrp redirect
    !

What is the purpose of the 'ip nhrp redirect' command?

A. It enables the hub to send redirect messages to spokes, telling them to use a direct tunnel to another spoke.
B. It causes the hub to redirect all traffic through the hub itself.
C. It enables the hub to dynamically map multicast addresses.
D. It disables NHRP on the tunnel interface.
Answer: A

This is the correct function of NHRP redirect in Phase 3 DMVPN.

Why this answer

In DMVPN Phase 3, the hub uses NHRP redirect to inform spokes about better paths to other spokes, enabling spoke-to-spoke direct tunnels.

5
MCQ · medium

A network engineer runs the following command to verify crypto engine connections on a DMVPN spoke:

    R2# show crypto engine connections active
    Crypto Engine Connections
     ID  Type   Algorithm   Encrypt  Decrypt  LastSeqN  IP-Address
      1  IPsec  AES256-SHA      100      100       100  192.168.1.2

What does this output indicate?

A. No IPsec SAs are active; the connection list is empty.
B. An IPsec SA is active with 100 packets encrypted and decrypted, indicating traffic flow.
C. The IPsec SA is failing due to algorithm mismatch.
D. The connection is for IKE, not IPsec.
Answer: B

Correct: The output shows an active IPsec SA with counters increasing.

Why this answer

The output shows one active IPsec connection using AES256-SHA, with 100 packets encrypted and decrypted, indicating traffic is flowing over the DMVPN tunnel.

6
MCQ · medium

In DMVPN, what is the default holdtime value for NHRP mappings on a spoke router?

A. 300 seconds
B. 600 seconds
C. 7200 seconds
D. 3600 seconds
Answer: C

Correct. Default NHRP holdtime is 7200 seconds.

Why this answer

The default NHRP holdtime is 7200 seconds (2 hours) for mappings learned from the hub. This can be changed with the 'ip nhrp holdtime' command.

7
MCQ · hard

A DMVPN Phase 3 network uses BGP for routing between hubs and spokes. R1 (hub) and R2 (spoke) have an eBGP peering. R2 advertises a prefix 192.168.1.0/24 to R1. R3 (another spoke) receives this prefix via R1 but with a higher local preference than expected, causing R3 to prefer the path through R1 even though a direct spoke-to-spoke tunnel exists. What is the root cause?

A. R1 has a route-map that sets local preference to 200 for prefixes received from R2, causing R3 to prefer the path through R1 over the direct path.
B. R3 has a static route pointing to R1 for 192.168.1.0/24, overriding BGP.
C. NHRP redirect is disabled on R1, preventing spoke-to-spoke tunnel establishment.
D. R2 is advertising the prefix with a MED of 0, causing R3 to prefer the path through R1.
Answer: A

Correct. BGP local preference is propagated to iBGP peers. If R1 sets a high local preference on routes from R2, R3 will prefer the path via R1, even if a direct spoke-to-spoke tunnel is available.

Why this answer

BGP local preference is manipulated on the hub (R1) using route-maps or policy, causing the prefix to have a higher local preference when advertised to other spokes. This overrides the normal BGP path selection and forces traffic through the hub, even if a direct spoke-to-spoke tunnel is available.

8
MCQ · hard

In DMVPN Phase 3, which loop prevention mechanism is used by default to prevent routing loops when using EIGRP?

A. Split horizon
B. Route poisoning
C. Feasibility Condition
D. Hold-down timers
Answer: C

Correct. EIGRP's DUAL algorithm uses the Feasibility Condition to prevent loops.

Why this answer

EIGRP uses the Feasibility Condition (FC) as its loop prevention mechanism. In DMVPN Phase 3, with EIGRP stub routing and summarization, the FC ensures that only feasible successors are used, preventing loops. Additionally, the 'no ip split-horizon' is often required on the hub, but loop prevention relies on EIGRP's DUAL algorithm and the FC.

9
MCQ · medium

A network engineer runs the following command to troubleshoot IPsec on a DMVPN tunnel:

    R1# debug crypto isakmp
    ISAKMP: received peer 192.168.1.2, port 500, local 192.168.1.1
    ISAKMP: SA created, initiating IKE Main Mode
    ISAKMP: sent MM_SA proposal to 192.168.1.2
    ISAKMP: received MM_SA response from 192.168.1.2
    ISAKMP: Main Mode complete, starting Quick Mode
    ISAKMP: sent QM_SA request to 192.168.1.2
    ISAKMP: received QM_SA response from 192.168.1.2
    ISAKMP: Quick Mode done, IPsec SA established

What does this output indicate?

A. IKE negotiation failed; no IPsec SA was established.
B. IKE negotiation succeeded and an IPsec SA is now active.
C. The peer 192.168.1.2 is not responding to IKE requests.
D. IKE is using Aggressive Mode instead of Main Mode.
Answer: B

Correct: The debug confirms Main Mode and Quick Mode completion, and states 'IPsec SA established'.

Why this answer

The debug shows successful IKE Main Mode and Quick Mode exchanges, resulting in an established IPsec SA between 192.168.1.1 and 192.168.1.2.

10
MCQ · hard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured with EIGRP stub leaking. R2 is a stub router with 'eigrp stub connected summary'. R3 (another spoke) is not a stub. R2's loopback 10.0.0.1/32 is not reachable from R3, even though R2 advertises it via EIGRP. What is the root cause?

A. R2 is configured with 'eigrp stub receive-only', which prevents it from advertising any routes, including connected ones.
B. R3 has a distribute-list filtering the prefix 10.0.0.1/32 from EIGRP updates.
C. R2's loopback is not in the same EIGRP autonomous system as the tunnel.
D. NHRP is not configured on R2, preventing route advertisement.
Answer: A

Correct. The 'receive-only' keyword in EIGRP stub configuration prevents the router from advertising any routes, including connected and summary routes.

Why this answer

EIGRP stub with 'connected summary' only advertises connected routes and summary routes. However, the stub router does not advertise routes learned from other peers, and the 'summary' keyword ensures that only the summary route (if configured) is advertised. The loopback is connected, so it should be advertised, but if R2 is also configured with 'eigrp stub receive-only', it would not advertise anything.

The most likely cause is that R2's stub configuration is 'receive-only' or 'static', which blocks advertisement of connected routes.

11
MCQ · hard

A network engineer configures mutual redistribution between EIGRP and OSPF on a DMVPN hub router. The EIGRP domain includes the DMVPN tunnel network, and OSPF includes a corporate backbone. Unexpectedly, after a few minutes, the routing table on the hub shows oscillating routes between EIGRP and OSPF for the same prefix, causing intermittent connectivity. Which is the most likely explanation?

A. The mutual redistribution creates a routing loop because the redistributed routes are re-injected into the original protocol without proper filtering, causing the hub to prefer the redistributed route with a lower AD.
B. The DMVPN tunnel interface is not included in the OSPF process, causing the redistributed routes to have an incorrect next-hop that points to the tunnel interface.
C. The EIGRP and OSPF processes are using different metric styles, causing the redistributed routes to have infinite metrics and be ignored.
D. The hub router's routing table is overloaded due to the DMVPN tunnel being a multipoint interface, causing route flapping.
Answer: A

Without route tagging, a route redistributed from EIGRP into OSPF (AD 110) and then back into EIGRP (AD 170) may be preferred over the original EIGRP internal route (AD 90) if the AD is misconfigured, but typically the original internal route has lower AD. However, if the route is external in EIGRP, the AD is 170, so the OSPF route (110) is preferred, causing a loop.

Why this answer

Mutual redistribution without route tagging or filtering can cause routing loops. When a route is redistributed from EIGRP into OSPF, it is then redistributed back into EIGRP with a different administrative distance (AD). Since OSPF has AD 110 and EIGRP has AD 90 (internal) or 170 (external), the redistributed route may be preferred over the original, causing a feedback loop.

The corner case is that the default AD values cause the redistributed route to be installed, and then the router advertises it back, leading to instability. The fix is to use route tags or distribute-lists to prevent re-redistribution.

12
MCQ · medium

An engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an EIGRP neighbor relationship with a spoke. The spoke's tunnel interface is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. The engineer checks 'show ip eigrp neighbors' on the hub and sees no neighbors. What is the most likely cause?

A. The spoke's tunnel interface is missing the 'ip nhrp map multicast dynamic' command.
B. The hub's tunnel interface has 'no ip nhrp redirect' configured.
C. The spoke's EIGRP AS number does not match the hub's.
D. The hub's tunnel interface has 'ip nhrp authentication' configured but the spoke does not.
Answer: A

Correct because without multicast mapping, the spoke cannot send multicast traffic (including EIGRP hellos) to the hub.

Why this answer

EIGRP neighbor formation over a tunnel requires multicast support. In DMVPN, multicast traffic is sent via NHRP to the hub. If the spoke's tunnel interface does not have 'ip nhrp map multicast dynamic' or a static multicast map, the hub will not receive EIGRP hello packets from the spoke.

13
MCQ · easy

What is the default NHRP holdtime value on a Cisco router?

A. 3600 seconds
B. 1800 seconds
C. 7200 seconds
D. 600 seconds
Answer: A

This is the default holdtime for NHRP mappings.

Why this answer

The default NHRP holdtime is 3600 seconds (1 hour). This value can be modified with the 'ip nhrp holdtime' command.

14
MCQ · medium

A network engineer is troubleshooting a DMVPN phase 2 hub-and-spoke deployment. The hub router has mGRE and NHRP configured, and spokes register successfully. However, spoke-to-spoke traffic is not being encrypted, even though IPsec profiles are applied to the mGRE tunnel interface on both the hub and spokes. The engineer verifies that the crypto map is not applied to the tunnel interface. What is the most likely cause of this issue?

A. The NHRP authentication string does not match between the hub and spokes.
B. The IPsec profile is not applied to the mGRE tunnel interface on the hub and spokes.
C. The tunnel key is not configured on the spokes.
D. The spokes have a static crypto map applied to their physical interface.
Answer: B

Correct because DMVPN phase 2 requires the IPsec profile to be applied to the tunnel interface to protect spoke-to-spoke traffic.

Why this answer

In DMVPN phase 2, spoke-to-spoke dynamic tunnels require IPsec protection. The IPsec profile must be applied to the tunnel interface, not a crypto map. If the crypto map is missing or misapplied, IPsec will not be triggered for spoke-to-spoke traffic.

15
Multi-Select · hard

An engineer is configuring a DMVPN Phase 3 network with EIGRP as the routing protocol. The hub router has the following configuration snippet:

    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp network-id 1
     ip nhrp redirect
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
    !
    router eigrp 100
     network 10.0.0.0 0.0.0.255

Which TWO additional configuration changes are required on the hub to ensure that spokes can establish direct spoke-to-spoke tunnels? (Choose TWO.)

Select 2 answers
A. Add the command 'ip nhrp shortcut' under interface Tunnel0.
B. Add the command 'ip nhrp nhs 10.0.0.1' under interface Tunnel0.
C. Add the command 'ip nhrp map multicast dynamic' under interface Tunnel0.
D. Add the command 'no ip split-horizon eigrp 100' under interface Tunnel0.
E. Add the command 'ip nhrp authentication cisco123' under interface Tunnel0.
Answers: C, D

Correct. This command allows the hub to dynamically learn the NBMA addresses of spokes for multicast forwarding, which is required for routing protocol updates.

Why this answer

In DMVPN Phase 3, the hub must have 'ip nhrp redirect' to send redirect messages, and spokes need 'ip nhrp shortcut' to install the /32 route. However, the question asks about the hub. The hub already has 'ip nhrp redirect'.

To allow spokes to learn the hub's NBMA address, the hub needs 'ip nhrp map multicast dynamic' to accept dynamic registrations. Also, the hub must have a valid tunnel source IP and the tunnel interface must be up. The hub does not need 'ip nhrp shortcut' (that's for spokes).

The hub does not need 'ip nhrp nhs' (that's for spokes). 'no ip split-horizon' would not be needed on the hub if Phase 3 used BGP, but with EIGRP, split horizon on the tunnel interface can prevent routes learned from one spoke from being advertised to other spokes. To allow spokes to learn routes from other spokes, the hub must therefore disable EIGRP split horizon on the tunnel interface.

So the two correct changes are: add 'ip nhrp map multicast dynamic' and 'no ip split-horizon eigrp 100'.

16
MCQ · medium

Consider the following partial DMVPN configuration on a hub router:

    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp network-id 100
     ip nhrp authentication cisco123
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp map multicast dynamic
    !

What is the effect of this configuration?

A. The hub will dynamically register spoke NHRP addresses and forward multicast traffic to all registered spokes.
B. The hub will only forward multicast traffic to spokes that are statically mapped.
C. The hub will not forward multicast traffic at all because dynamic mapping is not supported.
D. The hub will use broadcast instead of multicast for all traffic.
Answer: A

This is correct; dynamic multicast mapping enables the hub to forward multicast to all spokes that have registered with NHRP.

Why this answer

The command 'ip nhrp map multicast dynamic' allows the hub to dynamically learn spoke NHRP addresses for multicast replication, which is essential for routing protocols (e.g., EIGRP, OSPF) that use multicast.

17
MCQ · hard

A DMVPN Phase 3 network with BGP as the routing protocol experiences high CPU usage on the hub router R1. The 'show process cpu' command shows high usage by the 'BGP Scanner' process. What is the root cause?

A. R1 is receiving a large number of BGP updates from many spokes, causing the BGP Scanner to process many prefixes and consume high CPU.
B. R1 has a CoPP policy that rate-limits BGP traffic, causing packet drops and retransmissions.
C. R1's BGP table is fragmented due to memory issues.
D. R1 has 'bgp update-delay' configured, causing delayed processing of updates.
Answer: A

Correct. BGP Scanner processes route updates and can become CPU-bound with many prefixes. Route aggregation or filtering can reduce the load.

Why this answer

High BGP Scanner CPU usage can be caused by a large number of prefixes being processed, especially if there are many updates or flapping routes. In a DMVPN network, if spokes are configured to advertise many prefixes or if there is route instability (e.g., due to flapping tunnels), the BGP Scanner process can consume high CPU. Another common cause is that the hub is processing many BGP updates from multiple spokes without proper route filtering or aggregation.

18
MCQ · easy

What is the default authentication type for NHRP in a DMVPN configuration?

A. Plaintext password
B. MD5 hash
C. No authentication
D. IPsec
Answer: C

Correct. NHRP has no authentication by default.

Why this answer

By default, NHRP does not use any authentication. Authentication can be configured using the 'ip nhrp authentication' command, but it is disabled by default.

19
MCQ · medium

A spoke router has the following DMVPN configuration:

    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     ip nhrp network-id 100
     ip nhrp nhs 10.0.0.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp map 10.0.0.1 192.168.1.1
    !

What is missing from this configuration?

A. The spoke is missing the 'ip nhrp map multicast dynamic' command to register with the hub.
B. The spoke is missing the 'ip nhrp authentication' command.
C. The spoke is missing the 'tunnel key' command.
D. The spoke is missing the 'ip nhrp holdtime' command.
Answer: A

Without multicast mapping, the spoke cannot send NHRP registration or receive routing updates via multicast.

Why this answer

In DMVPN Phase 2/3, spokes need to register with the NHS. The command 'ip nhrp map multicast dynamic' or a static multicast map is required for the spoke to send NHRP registration and receive multicast from the hub.

20
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: DMVPN, local addr 10.1.1.1
       protected vrf: (none)
       local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0)
       remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0)
       current_peer 10.1.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
        #pkts decaps: 145, #pkts decrypt: 145, #pkts verify: 145
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
         path mtu 1500, ip mtu 1500, ip mtu idb Tunnel0
         current outbound spi: 0x12345678(305419896)
         PFS (Y/N): N, DH group: none

Based on this output, what is the problem?

A. There is packet loss on the IPsec tunnel.
B. The IPsec SA is using PFS.
C. The tunnel is not encrypting traffic.
D. The remote peer is 10.1.1.1.
Answer: A

Encaps count (150) is higher than decaps count (145), indicating loss.

Why this answer

The output shows IPsec SA details for a DMVPN tunnel. The protected identities use GRE (protocol 47) and the SA is between two spoke routers (172.16.0.0/24). The packet counts show 150 encapsulated but only 145 decapsulated, indicating packet loss on the tunnel.

This could be due to MTU issues or routing problems.

21
MCQ · medium

In DMVPN Phase 3, which NHRP feature allows spokes to learn the NBMA address of other spokes without sending a resolution request?

A. NHRP redirect
B. NHRP shortcut
C. NHRP registration
D. NHRP resolution
Answer: A

NHRP redirect is the mechanism that tells a spoke to resolve the NBMA address of another spoke directly.

Why this answer

NHRP redirect is used in Phase 3 to inform spokes about better paths. The hub sends a redirect message to a spoke when it forwards a packet to another spoke, allowing the first spoke to learn the NBMA address of the second spoke.

22
MCQ · hard

An engineer configures IPsec on a DMVPN Phase 2 network using a transform set with ESP-AES-256-SHA. The hub and spokes are configured identically. Unexpectedly, the IPsec tunnel fails to establish, and debug output shows 'no matching crypto map entry' on the spoke. Which is the most likely explanation?

A. The crypto map on the spoke uses a dynamic map, but the hub is configured with a static crypto map entry for the spoke, causing a mismatch in the IPsec negotiation.
B. The transform set uses ESP-AES-256-SHA, but the hub is configured with ESP-AES-256-SHA-HMAC, causing a mismatch in the authentication algorithm.
C. The IPsec pre-shared key is configured correctly, but the ISAKMP policy uses aggressive mode, which is incompatible with DMVPN.
D. The spoke's tunnel interface is not in 'ip nhrp network-id' mode, causing NHRP to fail and IPsec to not trigger.
Answer: A

In DMVPN, the hub typically uses a static crypto map with multiple peers, while spokes use a dynamic crypto map to accept connections from any hub. If the spoke incorrectly uses a static map, or the hub uses a dynamic map, the negotiation fails.

Why this answer

In DMVPN, the crypto map is applied to the tunnel interface. However, if the spoke's crypto map does not match the hub's due to a missing or mismatched 'match address' access-list (interesting traffic definition), the IPsec tunnel will not initiate. The corner case is that in DMVPN, the interesting traffic is typically defined by the tunnel network itself (e.g., IPsec protects traffic between tunnel IPs).

If the access-list uses the wrong source/destination, or if the crypto map is not correctly applied to the tunnel interface, the IPsec negotiation fails. Additionally, if the crypto map uses dynamic maps for the spoke, but the hub is configured with a static map, a mismatch can occur.

23
MCQ · hard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured. R2's tunnel interface has 'ip nhrp redirect' enabled. R3 (another spoke) can ping R2's tunnel IP, but when R3 tries to reach a subnet behind R2, traffic is forwarded to R1 instead of directly to R2. What is the root cause?

A. R1 (hub) does not have 'ip nhrp redirect' enabled on its tunnel interface, so it does not send redirect messages to R3, preventing direct spoke-to-spoke tunnel establishment.
B. R2 has 'ip nhrp shortcut' disabled, preventing direct tunnel establishment.
C. R3 has a static route pointing to R1 for the subnet behind R2.
D. EIGRP is not redistributing the subnet behind R2 to R3.
Answer: A

Correct. In Phase 2, the hub must have NHRP redirect enabled to inform spokes of direct paths. Without it, spokes forward traffic through the hub.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established using NHRP redirect. However, if the hub does not have 'ip nhrp redirect' enabled, it will not send redirect messages to spokes. Without redirect, spokes will not learn the direct path to other spokes and will forward traffic through the hub.

24
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa detail
    Codes: C - IKE, M - IKEv2, P - IPsec

    C-id  Local     Remote    I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
    1     10.1.1.1  10.1.1.2         ACTIVE  aes   sha   md5   2   86400
    2     10.1.1.1  10.1.1.3         ACTIVE  aes   sha   md5   2   86400

Based on this output, what is the problem?

A. The IKE policy uses weak authentication (MD5) and DH group 2.
B. The IKE SAs are not active.
C. The IPsec SAs are missing.
D. The lifetime is too short.
Answer: A

MD5 and DH group 2 are cryptographically weak.

Why this answer

The output shows IKE phase 1 SAs with encryption aes, hash sha, authentication md5, and DH group 2. The problem is that MD5 is used for authentication, which is considered weak and insecure. Modern DMVPN deployments should use stronger algorithms like SHA-256.

Additionally, DH group 2 is weak.

25
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show dmvpn detail
    Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
            N: NATed, L: Local, X: No Socket
            #Ent -> Number of NHRP entries with same NBMA peer
            NHS Status: E => Expecting Replies, R => Responding, W => Waiting
            UpDn Time -> Up or Down Time for a Tunnel
    ==========================================================================
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr   Peer Tunnel Addr  State  UpDn Tm   Attrb
     -----  ---------------  ----------------  -----  --------  -----
         1  10.1.1.1         172.16.0.1        UP     00:10:00  S

Based on this output, what is the problem?

A. The spoke has a static NHRP mapping for the hub, which is correct for phase 1 DMVPN.
B. The spoke has dynamically learned the hub.
C. The hub is not reachable.
D. The spoke is configured as a hub.
Answer: A

In phase 1, spokes only communicate via hub; static mapping is normal.

Why this answer

The output shows a spoke router with one NHRP peer (the hub) marked as static (S). The spoke is only seeing the hub, which is normal for a spoke. However, the problem is that the spoke is not seeing any other spokes, which is expected in a DMVPN phase 2 or 3 where spokes should see each other dynamically.

But here the peer is static, indicating the spoke is configured with a static NHRP mapping for the hub, and no dynamic spoke-to-spoke tunnels are established.

26
MCQ · medium

A network engineer runs the following command to verify EIGRP routes over DMVPN:

    R1# show ip eigrp topology all-links
    P 10.10.10.0/24, 1 successors, FD is 128256
            via 10.0.0.2 (128256/128256), Tunnel0
            via 10.0.0.3 (131072/128256), Tunnel0

What does this output indicate?

A. The route 10.10.10.0/24 has two equal-cost paths via Tunnel0.
B. The route has a successor via 10.0.0.2 and a feasible successor via 10.0.0.3.
C. Both paths are in active state and being queried.
D. The route is not reachable because both paths are down.
Answer: B

Correct: The successor has the lowest FD, and the other path has a reported distance equal to the FD, making it a feasible successor.

Why this answer

The output shows two paths for 10.10.10.0/24: one via 10.0.0.2 with feasible distance 128256 (successor), and one via 10.0.0.3 with reported distance 128256 (feasible successor).

27
Multi-Select · hard

Which TWO statements about the operation of DMVPN Phase 2 are true? (Choose TWO.)

Select 2 answers
A. Spoke routers can dynamically establish direct tunnels with each other.
B. The hub router must be configured with the 'ip nhrp redirect' command.
C. The hub router must use a point-to-point GRE tunnel interface.
D. All spoke-to-spoke traffic must traverse the hub router.
E. NHRP is not required for Phase 2 operation.
Answers: A, B

This is a key feature of Phase 2: spokes can build direct tunnels using NHRP redirect/shortcut.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are built dynamically using NHRP redirect and shortcut routes. The spoke router learns the NBMA address of another spoke via an NHRP redirect from the hub, and then initiates a direct tunnel. Phase 2 uses the 'ip nhrp redirect' command on the hub and 'ip nhrp shortcut' on spokes.

The other statements are incorrect: Phase 2 does not require a multipoint GRE tunnel on the hub (it can be point-to-multipoint), and spoke-to-spoke traffic does not always go through the hub after the shortcut is established.

28
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show ip nhrp
    192.168.1.0/24 via 172.16.0.2
       Tunnel0 created 00:00:15, expire 00:01:45
       Type: dynamic, Flags: unique
       NBMA address: 10.1.1.2
    192.168.2.0/24 via 172.16.0.3
       Tunnel0 created 00:00:10, expire 00:01:50
       Type: dynamic, Flags: unique
       NBMA address: 10.1.1.3

Based on this output, what is the problem?

A. The NHRP holdtime is too short, causing frequent re-registrations.
B. The NHRP entries are static and will not expire.
C. The tunnel interface is down.
D. The NBMA addresses are incorrect.
Answer: A

Expire time of 2 minutes indicates a holdtime of 120 seconds, which is low.

Why this answer

The output shows NHRP cache entries for remote networks. The expire time is decreasing, indicating these are dynamic entries learned via NHRP. The problem is that the NHRP holdtime is set to 2 minutes (120 seconds), as seen from the expire time starting at 2 minutes.

This is a short holdtime that may cause frequent re-registrations.

29
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst       src       state      conn-id  slot  status
    10.1.1.2  10.1.1.1  MM_ACTIVE  1        0     ACTIVE
    10.1.1.3  10.1.1.1  MM_ACTIVE  2        0     ACTIVE

Based on this output, which statement is correct?

A. IKE phase 1 is complete for both peers.
B. IKE phase 2 is complete for both peers.
C. The IPsec tunnels are established.
D. The peers are not responding.
Answer: A

MM_ACTIVE indicates successful IKE phase 1.

Why this answer

The show crypto isakmp sa command shows IKE phase 1 security associations. The state MM_ACTIVE indicates that IKE phase 1 is complete and active. The output shows two active SAs with the local router (10.1.1.1) and two remote peers (10.1.1.2 and 10.1.1.3).

30
MCQhard

A network engineer runs the following command on Router R1:

    R1# show ip nhrp nhs
    NHS: 172.16.0.1 Tunnel0 status: registered
    NHS: 172.16.0.2 Tunnel0 status: not registered

Based on this output, what is the problem?

A.Router R1 is not registered with the second NHS, indicating a registration failure.
B.Both NHS are registered successfully.
C.The tunnel interface is down.
D.The NHS addresses are swapped.
AnswerA

Status 'not registered' for second NHS indicates a problem.

Why this answer

The show ip nhrp nhs command displays the NHRP server (NHS) registrations. The output shows that R1 is registered with NHS 172.16.0.1 but not registered with NHS 172.16.0.2. This indicates a problem with the registration to the second NHS, possibly due to authentication mismatch, reachability issues, or configuration error.

31
MCQhard

A network engineer configures Control Plane Policing (CoPP) on a DMVPN hub router to protect the control plane. The policy includes a class-map matching NHRP traffic and a police rate of 1000 pps. Unexpectedly, after applying the policy, NHRP registrations from spokes fail intermittently, and debug shows packets being dropped by CoPP. Which is the most likely explanation?

A.The CoPP policy's class-default has a lower police rate or is set to drop, and NHRP traffic is not explicitly matched in a higher class, causing it to fall into class-default and be dropped.
B.The police rate of 1000 pps is too high for the hub's CPU, causing the router to drop packets due to CPU overload.
C.The CoPP policy is applied to the wrong interface; it should be applied to the tunnel interface, not the physical interface.
D.The NHRP packets are being classified as 'critical' traffic, and the CoPP policy has a lower priority for critical traffic.
AnswerA

If NHRP traffic is not classified in a specific class, it matches class-default, which may have a restrictive policy, leading to drops.

Why this answer

CoPP rate-limits control plane traffic. If the police rate is set in packets per second (pps), but the actual NHRP registration traffic is bursty (e.g., multiple spokes registering simultaneously), the policer may drop packets. The corner case is that the default CoPP class-default may also match NHRP traffic if not explicitly classified, and the class-default may have a lower rate or be set to drop.

Additionally, CoPP uses a token bucket; if the rate is too low or the burst size is insufficient, packets are dropped. The engineer should ensure that NHRP traffic is matched in a dedicated class with appropriate rate and burst.

32
MCQmedium

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an NHRP adjacency with a spoke. The spoke router is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1, and the physical interface IP is 192.168.1.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. However, 'show ip nhrp' on the spoke shows no NHRP entries. What is the most likely cause?

A.The hub router has 'ip nhrp authentication DMVPN' configured, but the spoke does not.
B.The spoke's tunnel interface is in a different VRF than the hub's.
C.The hub's tunnel interface has 'no ip nhrp server-only' configured.
D.The spoke's NHRP map is incorrect; it should map the hub's tunnel IP to the hub's tunnel IP.
AnswerA

Correct because NHRP authentication must match between hub and spoke for registration to succeed.

Why this answer

NHRP registration requires the spoke to send a Registration Request to the hub. If the hub does not respond, the spoke will not have NHRP entries. A common cause is that the hub's NHRP authentication is configured with a password, but the spoke's NHRP authentication is missing or mismatched.

33
MCQhard

In a DMVPN Phase 2 network with EIGRP, R1 (hub) and R2 (spoke) are configured. R2's tunnel interface has an ACL applied inbound that denies ICMP. R2 can ping R1's tunnel IP, but R1 cannot ping R2's tunnel IP. What is the root cause?

A.R2's tunnel interface has an inbound ACL that denies ICMP, blocking R1's ping requests.
B.R1's tunnel interface has an outbound ACL that denies ICMP.
C.NHRP is not resolving R2's tunnel IP to its physical IP on R1.
D.EIGRP is not advertising R2's tunnel IP to R1.
AnswerA

Correct. Inbound ACLs filter traffic entering the interface. ICMP echo requests from R1 are denied, so R1 cannot ping R2.

Why this answer

The ACL on R2's tunnel interface inbound denies ICMP. When R1 sends an ICMP echo request to R2, it is denied by the ACL. However, R2 can ping R1 because the ACL does not affect outbound traffic.

The issue is that the ACL is applied inbound, blocking incoming ICMP packets.

34
MCQhard

A network engineer runs the following command to verify OSPF database on a DMVPN hub:

    R1# show ip ospf database router 2.2.2.2

    OSPF Router with ID (1.1.1.1) (Process ID 1)

    Router Link States (Area 0)

      LS age: 100
      Options: (No TOS-capability, DC)
      LS Type: Router Links
      Link State ID: 2.2.2.2
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000001
      Checksum: 0x1234
      Length: 48
      Number of Links: 1

        Link connected to: a Transit Network
         (Link ID) Designated Router address: 10.0.0.1
         (Link Data) Router Interface address: 10.0.0.2
          Number of MTID metrics: 0
           TOS 0 Metrics: 10

What does this output indicate?

A.The router 2.2.2.2 is advertising a stub network via Tunnel0.
B.The router 2.2.2.2 is connected to the DR at 10.0.0.1 over the DMVPN tunnel with cost 10.
C.The router 2.2.2.2 is the DR for the DMVPN network.
D.The OSPF database is empty; no LSAs have been received.
AnswerB

Correct: The LSA shows a transit link to DR 10.0.0.1 with metric 10.

Why this answer

The output shows the router LSA from 2.2.2.2, advertising a link to a transit network (the DMVPN tunnel) with metric 10, indicating the spoke is connected to the hub's DR.

35
MCQeasy

A network engineer runs the following command to troubleshoot EIGRP over DMVPN:

    R1# debug eigrp packets
    EIGRP: Received HELLO on Tunnel0 nbr 10.0.0.2
    EIGRP: New peer 10.0.0.2

What does this output indicate?

A.EIGRP neighbor adjacency with 10.0.0.2 is established over Tunnel0.
B.EIGRP is not enabled on Tunnel0.
C.The EIGRP neighbor is in a stuck-in-active state.
D.EIGRP authentication is failing between the routers.
AnswerA

Correct: Receiving a hello and creating a new peer indicates adjacency formation.

Why this answer

The debug output shows that R1 has received an EIGRP hello from 10.0.0.2 on Tunnel0 and has formed a new neighbor adjacency.

36
Multi-Selecthard

Which THREE commands can be used to verify the status of a DMVPN Phase 2 spoke-to-spoke tunnel? (Choose THREE.)

Select 3 answers
A.show dmvpn
B.show ip nhrp
C.show crypto isakmp sa
D.show ip route
E.show crypto ipsec sa
AnswersA, B, C

Correct. This command displays DMVPN tunnel status, including the state of spoke-to-spoke tunnels.

Why this answer

To verify a spoke-to-spoke tunnel, 'show dmvpn' displays the tunnel status, including peers and up/down state. 'show ip nhrp' shows NHRP cache entries, including the /32 host route for the remote spoke. 'show crypto isakmp sa' shows the IKE phase 1 SA, which must be active for the IPsec tunnel. 'show ip route' shows the routing table but does not specifically show tunnel status, so it is not specific enough. 'show crypto ipsec sa' shows IPsec phase 2 SAs and is also a valid check, but exactly three answers are required and 'show crypto isakmp sa' is more fundamental to the initial establishment. The correct set is 'show dmvpn', 'show ip nhrp', and 'show crypto isakmp sa'.

37
MCQhard

A network engineer configures iBGP between DMVPN hub and spokes using the hub as a route reflector. On the hub, the BGP configuration includes 'neighbor <spoke-ip> next-hop-self'. Unexpectedly, spokes receive routes from other spokes with the next-hop set to the hub's tunnel IP, but the spokes cannot reach that next-hop because it is not in their routing table. Which is the most likely explanation?

A.The hub's 'next-hop-self' command is configured under the BGP neighbor statement for the spoke, but the route reflector behavior overrides it, causing the hub to not modify the next-hop for routes reflected between spokes.
B.The spokes are not configured as route-reflector clients, so the hub does not reflect routes between them, and the next-hop remains unchanged.
C.The iBGP session between hub and spokes is using loopback interfaces, and the next-hop is set to the loopback IP, which is not reachable via the tunnel.
D.The 'next-hop-self' command is only applicable for eBGP sessions, not iBGP, so it has no effect on the reflected routes.
AnswerA

In a route reflector setup, 'next-hop-self' must be configured under the address-family for the neighbor; otherwise, the reflector does not change the next-hop for reflected routes.

Why this answer

In a DMVPN Phase 2 or 3 network, the hub typically sets the next-hop to itself using 'next-hop-self' for routes advertised to spokes. However, if the hub is a route reflector, it does not change the next-hop for routes received from one spoke and advertised to another spoke, unless 'next-hop-self' is explicitly configured. The corner case is that 'next-hop-self' must be applied under the address-family or neighbor configuration, and if it is misapplied or missing for the route-reflector client sessions, the spoke-to-spoke routes retain the original next-hop (the other spoke's tunnel IP), which may not be reachable if NHRP redirect or shortcuts are not enabled.

38
MCQhard

An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are not being established dynamically. The hub router has NHRP redirect enabled, and spokes have NHRP shortcut enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic but does not send an NHRP redirect. The hub's NHRP configuration includes the command 'ip nhrp redirect'. What is the most likely cause?

A.The spoke does not have 'ip nhrp shortcut' enabled.
B.The hub router does not have a route to the spoke's LAN subnet.
C.The tunnel interface on the hub has 'no ip nhrp redirect' configured.
D.The spoke's NHRP registration does not include the LAN subnet.
AnswerB

Correct because the hub must have a route to the spoke's subnet to generate an NHRP redirect; without it, the hub forwards traffic without sending a redirect.

Why this answer

In DMVPN phase 3, the hub must have 'ip nhrp redirect' enabled on the tunnel interface, and the spoke must have 'ip nhrp shortcut' enabled. Additionally, the hub must have a route to the spoke's subnet; otherwise, the hub will not send an NHRP redirect. The issue is that the hub does not have a route to the spoke's subnet.

39
MCQhard

A DMVPN Phase 3 network with MPLS LDP configured on the tunnel interfaces experiences label distribution failures. R1 (hub) and R2 (spoke) have LDP neighborships established, but R2 is not receiving labels for prefixes behind R3 (another spoke). What is the root cause?

A.LDP is not enabled on the tunnel interface of R3, so R2 cannot receive labels for prefixes behind R3.
B.R2 has a higher LDP router ID, causing it to become the LDP session initiator.
C.NHRP is not resolving R3's tunnel IP to its physical IP, preventing LDP hello packets from reaching R3.
D.The MPLS label range on R2 is exhausted, preventing new label bindings.
AnswerA

Correct. LDP must be enabled on all tunnel interfaces for label distribution. If R3 does not have 'mpls ip' on its tunnel interface, it will not distribute labels.

Why this answer

In DMVPN Phase 3, the tunnel interface is a multipoint interface. LDP uses the primary IP address of the interface for neighbor discovery. If the tunnel interface is configured with 'ip mtu' or 'ip tcp adjust-mss' that differs between routers, or if the LDP hello packets are not reaching the other routers due to NHRP resolution issues, label distribution may fail.

The most common cause is that LDP is not enabled on the tunnel interface or the label space is not correctly configured for DMVPN.

40
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the DMVPN hub's physical interface facing the WAN. Unexpectedly, spokes are unable to communicate with each other via the hub, even though direct spoke-to-spoke tunnels are working. Which is the most likely explanation?

A.uRPF strict mode on the physical interface drops packets from spokes because the reverse path to the spoke's tunnel IP is via the DMVPN tunnel interface, not the physical interface.
B.uRPF strict mode on the physical interface drops packets because the source IP of the spoke is not in the routing table at all.
C.uRPF strict mode is incompatible with DMVPN because the tunnel interface uses GRE encapsulation, which modifies the source IP.
D.The 'allow-default' option is not configured, which is required for uRPF to work with DMVPN.
AnswerA

The hub routes traffic to spoke tunnel IPs through the tunnel interface, so the reverse path check fails on the physical interface, causing drops.

Why this answer

uRPF strict mode checks that the source IP address of incoming packets has a route back to the source via the same interface. In a DMVPN network, when a spoke sends traffic to another spoke via the hub, the source IP is the spoke's tunnel IP. The hub's routing table may have a route to that spoke's tunnel IP via the DMVPN tunnel interface, not the physical WAN interface.

Therefore, uRPF strict mode on the physical interface drops the packet because the reverse path is not through the same interface. The fix is to use uRPF loose mode or allow-default option, or apply uRPF on the tunnel interface.

41
MCQhard

A network engineer runs the following command on Router R1:

    R1# show ip route ospf
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           a - application route
           + - replicated route, % - next hop override

    Gateway of last resort is not set

          172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
    O        172.16.0.0/24 [110/100] via 172.16.0.2, 00:00:15, Tunnel0
    O        172.16.0.0/24 [110/100] via 172.16.0.3, 00:00:10, Tunnel0

Based on this output, what is the problem?

A.OSPF is learning the same subnet from multiple spokes, indicating a misconfiguration.
B.The OSPF cost is 100, which is high.
C.The routes are learned via EIGRP.
D.The tunnel interface is down.
AnswerA

Duplicate routes for the same network via different next hops is problematic.

Why this answer

The output shows OSPF routes for the same network 172.16.0.0/24 via two different next hops (172.16.0.2 and 172.16.0.3). This indicates that OSPF is seeing the same subnet from multiple spokes, which is incorrect because the tunnel network should be unique per spoke. This suggests a misconfiguration where the tunnel IP addresses are overlapping or OSPF is not properly filtering.

42
Multi-Selectmedium

Which THREE symptoms indicate a potential issue with NHRP registration in a DMVPN network? (Choose THREE.)

Select 3 answers
A.The spoke router does not receive an NHRP Registration Reply from the hub.
B.The hub router's NHRP cache does not contain an entry for the spoke.
C.The spoke router's tunnel interface shows 'UP/UP' but NHRP registration status is 'NOT REGISTERED'.
D.The spoke router's tunnel interface shows 'UP/DOWN'.
E.The spoke router's routing table shows routes learned from the hub.
AnswersA, B, C

This indicates that the registration request failed, possibly due to authentication mismatch or reachability issues.

Why this answer

Common symptoms of NHRP registration problems include the spoke not receiving a registration reply from the hub, the spoke not appearing in the hub's NHRP cache, and the spoke's tunnel interface showing a status of 'UP/UP' but the NHRP registration being 'NOT REGISTERED'. The other options are not direct symptoms of NHRP registration issues.

43
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show ip nhrp traffic
    NHRP Traffic Statistics
      Sent: 100 requests, 50 replies
      Received: 50 requests, 100 replies

Based on this output, what is the problem?

A.There is a mismatch between sent requests and received replies, indicating packet loss.
B.The router is receiving more replies than requests.
C.The NHRP process is functioning normally.
D.The router is configured as a hub.
AnswerA

100 requests sent vs 50 replies received shows loss.

Why this answer

The output shows NHRP traffic statistics. The router sent 100 requests but received only 50 replies, indicating that half of the requests are not being answered. This could be due to network issues, misconfiguration, or packet loss.

44
Drag & Drophard

Drag and drop the troubleshooting steps for DMVPN adjacency or connectivity failures into the correct order, from first to last.

Why this order

Troubleshooting DMVPN connectivity starts with verifying physical and IP reachability to the hub. Next, check NHRP registration status on the spoke. Then verify mGRE tunnel interface parameters and IPsec phase 1 (IKE) status.

Finally, examine NHRP resolution between spokes to isolate the failure point.

45
MCQeasy

A network engineer runs the following command to verify IPsec transform sets on a DMVPN hub:

    R1# show crypto ipsec transform-set
    Transform set combined: { esp-aes 256 esp-sha-hmac }
       will negotiate = { Tunnel, },

    Transform set TS1: { esp-aes 256 esp-sha-hmac }
       will negotiate = { Transport, },

What does this output indicate?

A.Both transform sets are configured with the same encryption and authentication algorithms.
B.The transform set 'combined' is used for DMVPN because it uses tunnel mode.
C.The transform set 'TS1' is used for DMVPN because it uses transport mode.
D.No transform sets are configured; the output is empty.
AnswerA, C

Correct: Both use esp-aes 256 and esp-sha-hmac, differing only in mode.

Why this answer

The output shows two transform sets: 'combined' uses tunnel mode, 'TS1' uses transport mode. DMVPN typically uses transport mode for mGRE tunnels.

46
Multi-Selectmedium

Which TWO commands would a network engineer use to verify the NHRP registration status of a spoke router in a DMVPN Phase 2 network? (Choose TWO.)

Select 2 answers
A.show dmvpn
B.show ip nhrp
C.show crypto isakmp sa
D.show ip route
E.show ip eigrp neighbors
AnswersA, B

This command shows the DMVPN tunnel status, including the NHRP registration state (e.g., 'UP/UP' with registration status).

Why this answer

The 'show dmvpn' command displays the current DMVPN tunnel status, including the NHRP registration state of each peer. The 'show ip nhrp' command shows the NHRP cache entries, which include the registration status and mapping information. The other commands either do not show NHRP registration details or are for different purposes.

47
MCQmedium

A network engineer runs the following command to verify DMVPN tunnel status:

    R1# show ip nhrp detail
    10.0.0.2/32 via Tunnel0
       Created: 00:10:15, Expire: 01:49:45
       Type: dynamic, Flags: unique registered
       NBMA: 192.168.1.2 (no socket)

What does this output indicate?

A.The spoke 10.0.0.2 has registered with the hub and its NBMA address is 192.168.1.2.
B.The spoke 10.0.0.2 is using a static NBMA mapping.
C.The NHRP entry is about to expire and needs re-registration.
D.The spoke has not registered; the entry is incomplete.
AnswerA

Correct: The entry is dynamic, unique, registered, and shows the NBMA address.

Why this answer

The output shows a dynamic NHRP cache entry for a spoke (10.0.0.2) with NBMA address 192.168.1.2, indicating the spoke has registered and the entry is valid.

48
MCQmedium

An engineer is troubleshooting a DMVPN phase 3 network where spokes are unable to reach the hub's LAN subnet. The hub router is running EIGRP over the DMVPN tunnel interface, and the spokes are learning the hub's LAN route. However, pings from a spoke to the hub's LAN IP fail. The engineer checks the hub's routing table and sees the spoke's LAN route. The hub's tunnel interface has 'ip nhrp redirect' and 'ip nhrp shortcut' enabled. What is the most likely cause?

A.The hub's EIGRP is not configured to advertise the LAN subnet.
B.The spoke's tunnel interface has 'ip nhrp shortcut' disabled.
C.The hub's tunnel interface has 'no ip nhrp redirect' configured.
D.The spoke's NHRP registration is not reaching the hub.
AnswerA

Correct because if the hub's LAN subnet is not advertised via EIGRP, the spokes will not have a route to it.

Why this answer

In DMVPN phase 3, the hub's NHRP redirect and shortcut features can cause the hub to forward traffic to the spoke's LAN via the spoke's tunnel IP, but if the spoke's LAN subnet is not advertised via EIGRP, the hub may not have a route. However, the issue is that the hub's EIGRP is not advertising the hub's LAN subnet to the spokes, or the spokes are not receiving the route. The most common cause is that the hub's EIGRP network statement does not include the LAN subnet.

49
MCQmedium

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not learning the loopback interface routes from the spokes via EIGRP. The spokes have EIGRP configured on the tunnel interface and are advertising their loopback0 interface. The hub's EIGRP neighbor relationship with the spokes is established. However, the hub's routing table does not contain the loopback routes. The engineer checks the spoke's EIGRP configuration and sees that the loopback interface is not included in any network statement. What is the most likely cause?

A.The spoke's EIGRP network statement does not include the loopback subnet.
B.The hub's EIGRP is configured with a distribute-list that filters the loopback routes.
C.The tunnel interface on the spoke has 'no ip split-horizon' configured.
D.The loopback interface on the spoke is in a different VRF than the tunnel interface.
AnswerA

Correct because EIGRP must have a network statement that matches the loopback subnet to advertise it.

Why this answer

EIGRP only advertises networks that are included in a network statement or configured under the EIGRP process. If the loopback interface is not included in a network statement, EIGRP will not advertise it.

50
MCQhard

A network engineer is troubleshooting a DMVPN phase 2 network where spoke-to-spoke tunnels are established, but traffic between spokes is intermittently dropped. The engineer captures packets and sees that IPsec packets are being fragmented. The tunnel interface MTU is set to 1400 bytes, and the physical interface MTU is 1500 bytes. The engineer also notices that the IPsec transform set uses ESP with AES-256 and SHA-256. What is the most likely cause of the intermittent drops?

A.The IPsec transform set uses AES-256, which requires more CPU and causes performance drops.
B.The tunnel MTU is set too high for the IPsec overhead, causing fragmentation and potential drops.
C.The physical interface MTU is set to 1500, which is too high for DMVPN.
D.The spokes have different IPsec transform sets configured.
AnswerB

Correct because the tunnel MTU of 1400 bytes does not account for IPsec overhead, leading to fragmentation and drops.

Why this answer

IPsec adds overhead (ESP header, trailer, and authentication data). With AES-256 and SHA-256, the overhead can be around 50-60 bytes. If the tunnel MTU is set to 1400, the effective payload MTU is lower.

Fragmentation can cause drops if the DF bit is set or if intermediate routers drop fragments. The issue is that the tunnel MTU is too high for the IPsec overhead, causing fragmentation.

51
MCQeasy

Which statement about the Next Hop Resolution Protocol (NHRP) in DMVPN is correct regarding the purpose of NHRP Registration Request packets?

A.They are used to resolve the NBMA address of a destination tunnel IP address.
B.They are used to register the spoke's tunnel IP and NBMA address with the hub.
C.They are used to purge outdated NHRP cache entries on the hub.
D.They are used to establish an IPsec security association between spokes.
AnswerB

Correct. Registration Request packets register the spoke's mapping with the hub.

Why this answer

NHRP Registration Request packets are sent from spoke routers to the hub to register their tunnel IP address (NHS) and corresponding NBMA address. This allows the hub to build a mapping database for forwarding.

52
MCQmedium

A network engineer configures a DMVPN spoke with the following:

    interface Tunnel0
     ip address 10.0.0.3 255.255.255.0
     ip nhrp network-id 100
     ip nhrp nhs 10.0.0.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp map 10.0.0.1 192.168.1.1
     ip nhrp map multicast 192.168.1.1
    !

What will happen when the spoke tries to send traffic to another spoke (10.0.0.4)?

A.The spoke will send traffic directly to 10.0.0.4 if it has a cached NHRP mapping, otherwise through the hub.
B.The spoke will always send traffic through the hub because of the static multicast map.
C.The spoke will send traffic directly to 10.0.0.4 without using the hub.
D.The spoke will drop the traffic because it does not have a route to 10.0.0.4.
AnswerA

Spokes can build direct tunnels if they have learned the mapping via NHRP; otherwise, traffic goes via the hub.

Why this answer

In DMVPN Phase 2/3, spokes initially send traffic through the hub. The hub then uses NHRP redirect (if configured) to tell the spoke to establish a direct tunnel. Without NHRP redirect on the hub, traffic always goes through the hub.

53
MCQhard

A DMVPN Phase 3 network with OSPF as the IGP experiences routing loops between hubs. R1 and R2 are both hubs with OSPF adjacencies to each other and to spokes. R1 has a route to 10.0.0.0/8 via a spoke, and redistributes it into OSPF. R2 learns this route and also has a direct connection to the same spoke, causing a loop. What is the root cause?

A.R1 is redistributing a route learned from a spoke into OSPF, and R2 learns this route and forwards traffic back to R1, creating a loop due to lack of route tagging and filtering.
B.OSPF network type is set to broadcast on both hubs, causing DR/BDR election issues.
C.NHRP redirect is enabled on both hubs, causing conflicting redirect messages.
D.R2 has a higher OSPF router ID, causing it to become DR and attract traffic.
AnswerA

Correct. Redistribution without route tagging (e.g., using a route-map with tag) can cause loops. The route should be tagged to prevent re-redistribution.

Why this answer

Redistribution of routes from one routing protocol into OSPF can cause routing loops if not properly filtered. In this case, R1 redistributes a route learned from a spoke into OSPF, and R2 learns it and may forward traffic back to R1, creating a loop. The issue is that OSPF does not have a mechanism to prevent loops from redistribution without proper route tagging and filtering.

54
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show dmvpn
    Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
            N: NATed, L: Local, X: No Socket
            #Ent -> Number of NHRP entries with same NBMA peer
            NHS Status: E => Expecting Replies, R => Responding, W => Waiting
            UpDn Time -> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr  Peer Tunnel Addr  State  UpDn Tm   Attrb
     -----  --------------- ----------------  -----  --------  -----
         1  10.1.1.2        172.16.0.2        UP     00:02:15  D
         1  10.1.1.3        172.16.0.3        UP     00:01:45  D

Based on this output, which statement is correct?

A.Router R1 is a spoke with two hub peers.
B.Router R1 is a hub with two dynamically registered spokes.
C.The NHRP peers are static and not dynamic.
D.One spoke is experiencing a registration failure.
AnswerB

Type:Hub and two dynamic (D) entries confirm this.

Why this answer

The show dmvpn command displays NHRP peers. The output shows two dynamic peers (D) with their NBMA and tunnel addresses. The hub has two spokes registered, both in UP state.

The correct answer identifies the role and peer count.

55
MCQeasy

What is the default OSPF network type for a tunnel interface configured with 'tunnel mode gre multipoint'?

A.Broadcast
B.Point-to-multipoint
C.Point-to-point
D.Non-broadcast
AnswerA

The default OSPF network type for multipoint GRE tunnels is broadcast.

Why this answer

By default, a multipoint GRE tunnel interface uses the broadcast network type, which requires DR/BDR elections.

56
Drag & Dropmedium

Drag and drop the steps to establish a DMVPN Phase 2 spoke-to-spoke tunnel into the correct order, from first to last.

Why this order

In DMVPN Phase 2, spoke-to-spoke tunnels are built dynamically. First, the spoke must have a valid NHRP registration to the hub. When traffic from one spoke to another triggers an NHRP resolution request, the hub forwards it to the target spoke, which replies.

The spoke then initiates a direct mGRE tunnel, and finally, the spoke-to-spoke IPsec session is established.

57
MCQhard

Which statement about the default behavior of 'auto-summary' in EIGRP for DMVPN tunnel interfaces in IOS-XE is correct?

A.Auto-summary is enabled by default and summarizes routes at classful boundaries.
B.Auto-summary is disabled by default, preventing classful summarization.
C.Auto-summary is enabled by default but only for tunnel interfaces.
D.Auto-summary is disabled by default but can be enabled only for DMVPN.
AnswerB

Correct. Auto-summary is off by default in IOS-XE.

Why this answer

In modern IOS-XE versions (15.x and later), auto-summary is disabled by default for EIGRP. This is a change from older IOS versions where it was enabled by default. Disabling auto-summary is essential in DMVPN to prevent incorrect summarization at classful boundaries.

58
MCQmedium

What is the default OSPF metric for a route learned over a DMVPN tunnel interface when the OSPF network type is broadcast?

A.1
B.10
C.100
D.0
AnswerA

Correct. With default reference bandwidth 100 Mbps and tunnel bandwidth 100 Mbps, metric = 100/100 = 1.

Why this answer

OSPF default metric for a route is based on the reference bandwidth (default 100 Mbps) divided by the interface bandwidth. For a tunnel interface, the default bandwidth is 100 Mbps (on many platforms), so the metric is 1. However, if the tunnel bandwidth is set differently, the metric changes.

The default metric is 1 when bandwidth is 100 Mbps.

59
MCQ · hard

A network engineer is troubleshooting a DMVPN Phase 2 network where spoke-to-spoke tunnels are not being established. The hub router has 'ip nhrp redirect' enabled, and spokes have 'ip nhrp shortcut' enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic correctly, but the spoke does not initiate an NHRP resolution request to the destination spoke. The spoke's routing table shows the destination subnet via the hub. What is the most likely cause?

A. The spoke's tunnel interface does not have 'ip nhrp shortcut' enabled.
B. The hub's tunnel interface does not have 'ip nhrp redirect' enabled.
C. The spoke's routing table has a static route to the destination subnet via the hub.
D. The hub's NHRP authentication is configured but the spoke's is not.
Answer: A

Correct because 'ip nhrp shortcut' is required for the spoke to initiate NHRP resolution requests for spoke-to-spoke tunnels.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are triggered by the spoke sending an NHRP resolution request to the hub. The spoke will only send this request if it has a route to the destination subnet via the tunnel interface. If the spoke's routing table shows the route via the hub (next-hop is the hub's tunnel IP), the spoke should send a resolution request.

However, if the spoke's 'ip nhrp shortcut' is not enabled, it will not attempt to create a shortcut. The issue is that 'ip nhrp shortcut' is missing on the spoke.

60
MCQ · hard

An engineer configures OSPF on a DMVPN Phase 1 network with a single hub and multiple spokes. The hub is configured with 'ip ospf network broadcast' and the spokes with 'ip ospf network point-to-multipoint'. The hub's OSPF priority is set to 255, and all spokes have priority 0. Unexpectedly, the hub does not become the DR, and no OSPF adjacency is formed. Which is the most likely explanation?

A. The OSPF network type mismatch causes the hub to send multicast Hellos, but the spokes expect unicast Hellos, so no adjacency forms.
B. The hub's OSPF priority of 255 ensures it becomes the DR, but the spokes with priority 0 cannot become BDR, causing the election to fail.
C. The spokes are configured with 'ip ospf network point-to-multipoint' but the hub is broadcast; the hub will still form adjacencies with the spokes if the MTU matches.
D. The OSPF process on the hub has a lower Router ID than the spokes, causing the spokes to become DR instead of the hub.
Answer: A

Broadcast network uses multicast 224.0.0.5, while point-to-multipoint uses unicast; without matching, Hellos are not received.

Why this answer

In OSPF, the DR election is based on priority and Router ID. However, on a broadcast network, all routers must have the same network type to participate in the election. With a mix of broadcast and point-to-multipoint, the point-to-multipoint routers do not participate in the DR election, and the broadcast router may still attempt to elect a DR.

But if the hub is the only router with broadcast network type, it will become the DR (since no other routers participate). However, the adjacency may still fail because the point-to-multipoint routers do not respond to multicast Hellos from the hub. The corner case is that the hub's OSPF interface is configured as broadcast, but the spokes are point-to-multipoint, which means the spokes send unicast Hellos and expect unicast Hellos in return.

The hub sends multicast Hellos, which the spokes ignore, and vice versa, leading to no adjacency.

61
MCQ · hard

An experienced network engineer configures a DMVPN Phase 2 network with OSPF as the routing protocol. On the hub router, the tunnel interface is configured with 'ip ospf network broadcast' and the spokes with 'ip ospf network point-to-multipoint'. Unexpectedly, the hub OSPF neighbor state with each spoke remains stuck in EXSTART/EXCHANGE. Which is the most likely explanation?

A. The OSPF MTU mismatch between hub and spokes causes the adjacency to stall during the DD exchange phase.
B. The OSPF network type mismatch between hub (broadcast) and spokes (point-to-multipoint) prevents proper Hello and DD packet exchange, causing the stuck state.
C. The NHRP registration process is incomplete, causing OSPF to fail to establish neighbor relationships over the DMVPN tunnel.
D. The hub router's OSPF priority is set to 0, preventing it from becoming the DR, which disrupts the adjacency formation.
Answer: B

Mismatched OSPF network types lead to different Hello packet formats (multicast vs unicast) and DR election behavior, preventing the adjacency from progressing beyond EXSTART/EXCHANGE.

Why this answer

OSPF requires matching network types to form a full adjacency. A broadcast network type expects a DR/BDR election and uses multicast Hellos, while point-to-multipoint uses unicast Hellos. The mismatch causes the hub to send Database Descriptor packets (DD) expecting a response from a DR, but the spoke, configured as point-to-multipoint, does not participate in DR election and responds differently, leading to a stuck state in EXSTART/EXCHANGE.

The fix is to use 'ip ospf network broadcast' on all routers or use 'ip ospf network point-to-multipoint' consistently.

62
MCQ · medium

In a DMVPN Phase 2 deployment using EIGRP as the routing protocol, what is the default hello timer value on the tunnel interface?

A. 5 seconds
B. 10 seconds
C. 30 seconds
D. 60 seconds
Answer: A

Correct. EIGRP default hello timer on tunnel interfaces is 5 seconds.

Why this answer

EIGRP uses a default hello timer of 5 seconds on high-speed interfaces (including tunnel interfaces) and 60 seconds on low-speed interfaces. DMVPN tunnel interfaces are treated as high-speed by default.

63
Multi-Select · hard

Which THREE configuration steps are required to enable DMVPN Phase 3 on a spoke router? (Choose THREE.)

Select 3 answers
A. Configure the tunnel interface as a multipoint GRE interface.
B. Set the tunnel source to the physical interface (e.g., GigabitEthernet0/1).
C. Configure an NHRP map to the hub with an authentication string.
D. Disable split horizon on the tunnel interface.
E. Configure the tunnel mode as 'tunnel mode ipsec ipv4'.
Answers: A, B, C

DMVPN Phase 3 requires the tunnel to be multipoint GRE (mGRE) to support multiple spoke connections.

Why this answer

To enable DMVPN Phase 3 on a spoke, you must configure the tunnel interface as multipoint GRE (mGRE), set the tunnel source to the physical interface, and configure an NHRP map to the hub with an authentication string. Phase 3 also uses 'ip nhrp shortcut' and 'ip nhrp redirect' commands, but the question asks for required steps that are common to all Phase 3 spokes. The other options are either not required or are for different phases.

64
MCQ · hard

In a DMVPN Phase 2 network with OSPF as the IGP, R1 (hub) and R2 (spoke) are configured with 'ip ospf network broadcast' on the tunnel interface. R3 (another spoke) has 'ip ospf network point-to-multipoint'. R2 can ping R3's tunnel IP, but OSPF adjacencies between R2 and R3 are not forming. What is the root cause?

A. OSPF network type mismatch between R2 (broadcast) and R3 (point-to-multipoint) prevents adjacency formation because the multicast and unicast OSPF packets are not compatible.
B. R3's OSPF priority is set to 0, preventing it from becoming DR/BDR.
C. R2 has an ACL blocking OSPF multicast traffic (224.0.0.5/6).
D. The DMVPN tunnel is not in Phase 2 mode, preventing spoke-to-spoke adjacencies.
Answer: A

Correct. OSPF network types must match on all routers in the same network segment for adjacencies to form. Broadcast uses multicast, point-to-multipoint uses unicast, causing communication failure.

Why this answer

OSPF network type mismatch on the DMVPN tunnel prevents adjacency formation. Broadcast network type requires a DR/BDR election and uses multicast 224.0.0.5/6, while point-to-multipoint uses unicast and does not elect DR/BDR. The mismatch causes OSPF packets to be ignored or not processed correctly.

65
MCQ · medium

In DMVPN Phase 3 using OSPF, what is the default network type on a multipoint GRE tunnel interface?

A. broadcast
B. point-to-multipoint
C. NBMA
D. point-to-point
Answer: C

Correct. The default OSPF network type for mGRE is NBMA.

Why this answer

By default, a multipoint GRE tunnel interface is treated as an OSPF NBMA network type. This requires manual neighbor configuration unless the interface is set to broadcast or point-to-multipoint.

66
MCQ · hard

In DMVPN Phase 2, what is the default behavior of the 'ip nhrp redirect' command on the hub router?

A. It is enabled by default and causes the hub to send redirect messages to spokes.
B. It is disabled by default and must be configured for spoke-to-spoke direct communication.
C. It is disabled by default and is used in Phase 3 to enable NHRP redirects.
D. It is enabled by default and is used to disable NHRP shortcut switching.
Answer: C

Correct. The command is off by default and is a Phase 3 feature.

Why this answer

In DMVPN Phase 2, the 'ip nhrp redirect' command is not enabled by default on the hub. It is used in Phase 3 to enable NHRP redirects, which allow the hub to inform spokes that a better path exists directly to another spoke. In Phase 2, spoke-to-spoke tunnels are established based on NHRP resolution triggered by traffic, not by redirect messages.

67
MCQ · hard

A DMVPN Phase 3 network with EIGRP as the routing protocol experiences intermittent connectivity between spokes. R1 (hub) has 'ip summary-address eigrp 100 10.0.0.0 255.255.0.0' configured on the tunnel interface. R2 (spoke) shows 'show ip eigrp topology all-links' listing 10.1.0.0/24 as reachable via R1, but traffic from R2 to 10.1.0.1 (another spoke) is forwarded to R1 instead of directly via the spoke-to-spoke tunnel. What is the root cause?

A. The summary route on the hub creates a less specific route that is preferred over the more specific /24 routes learned from other spokes, causing suboptimal routing.
B. EIGRP stub configuration on spokes prevents them from learning routes from other spokes.
C. NHRP redirect is disabled on the hub, preventing spoke-to-spoke tunnel establishment.
D. The spoke-to-spoke tunnel interface has a different MTU causing fragmentation.
Answer: A

Correct. EIGRP summary routes have administrative distance 5 by default, which is lower than the distance of learned routes (90/170). This causes spokes to prefer the summary route and forward traffic to the hub, even though more specific routes exist.

Why this answer

The hub's summary route 10.0.0.0/16 is advertised to spokes, causing them to prefer the summary route over the more specific /24 routes learned from other spokes via NHRP redirect. This prevents spoke-to-spoke direct tunnels from being established or used, as traffic is forwarded to the hub based on the summary route.

68
MCQ · medium

A network engineer runs the following command to troubleshoot a DMVPN spoke not registering with the hub:

    R2# debug nhrp
    NHRP: Send Registration Request via Tunnel0 10.0.0.2, target 10.0.0.1
    NHRP: Receive Registration Reply via Tunnel0 10.0.0.1, src 10.0.0.1, dst 10.0.0.2
    NHRP: Registration successful for 10.0.0.2/32 via Tunnel0

What does this output indicate?

A. The spoke is unable to reach the hub; the registration request is being sent but no reply is received.
B. The spoke has successfully registered its tunnel IP 10.0.0.2/32 with the hub at 10.0.0.1.
C. The spoke is sending a registration request to 10.0.0.1 but the hub is not responding, causing a timeout.
D. The spoke is attempting to register with the wrong hub IP address.
Answer: B

Correct: The debug shows the registration request and reply, ending with 'Registration successful'.

Why this answer

The debug output shows a successful NHRP registration: the spoke sends a registration request to the hub and receives a reply, confirming that the spoke's tunnel IP is registered with the hub.

69
Multi-Select · medium

Which TWO commands can be used to verify the NHRP shortcut route creation in a DMVPN Phase 3 network? (Choose TWO.)

Select 2 answers
A. show ip nhrp
B. show ip route
C. show dmvpn
D. show crypto ipsec sa
E. show ip eigrp topology
Answers: A, B

The 'show ip nhrp' command shows NHRP cache entries, including shortcut routes with the 'shortcut' flag.

Why this answer

In DMVPN Phase 3, shortcut routes are created by NHRP. The 'show ip nhrp' command displays the NHRP cache, which includes shortcut entries. The 'show ip route' command shows the routing table, where shortcut routes appear as NHRP-learned routes.

The other commands do not show shortcut route information.

70
MCQ · medium

A network engineer runs the following command to troubleshoot OSPF over DMVPN:

    R1# debug ip ospf adj
    OSPF: 2 Way Communication to 10.0.0.2 on Tunnel0, state 2WAY
    OSPF: Send DBD to 10.0.0.2 on Tunnel0 seq 0x1234 opt 0x52 flag 0x7
    OSPF: Rcv DBD from 10.0.0.2 on Tunnel0 seq 0x1235 opt 0x52 flag 0x2
    OSPF: Exchange Done with 10.0.0.2 on Tunnel0
    OSPF: Build router LSA for area 0, router ID 1.1.1.1

What does this output indicate?

A. OSPF adjacency with 10.0.0.2 is stuck in 2WAY state and not progressing.
B. OSPF adjacency with 10.0.0.2 is forming successfully and will reach FULL state.
C. OSPF is not enabled on Tunnel0.
D. There is an OSPF MTU mismatch causing the adjacency to fail.
Answer: B

Correct: The sequence shows normal adjacency formation steps.

Why this answer

The debug shows OSPF adjacency formation: 2-way state, database description exchange, and exchange done, indicating a full adjacency is being established.

71
MCQ · hard

An engineer is troubleshooting a DMVPN Phase 3 network where spoke-to-spoke tunnels are established, but traffic between spokes is taking a suboptimal path through the hub. The engineer checks 'show ip nhrp shortcut' on the spoke and sees no shortcut entries. The hub has 'ip nhrp redirect' enabled, and the spoke has 'ip nhrp shortcut' enabled. The engineer also verifies that the spoke's routing table has a route to the remote spoke's LAN via the hub. What is the most likely cause?

A. The hub router does not have a route to the remote spoke's LAN subnet.
B. The spoke's 'ip nhrp shortcut' command is missing on the tunnel interface.
C. The spoke's routing table has a static route to the remote spoke's LAN via the hub.
D. The hub's tunnel interface has 'no ip nhrp redirect' configured.
Answer: A

Correct because the hub must have a route to the destination subnet to send an NHRP redirect.

Why this answer

In DMVPN Phase 3, for spoke-to-spoke shortcuts to be installed, the spoke must receive an NHRP redirect from the hub. If the hub does not send a redirect, the spoke will not create a shortcut. The hub sends a redirect only if it has a route to the destination subnet.

If the hub does not have a route to the remote spoke's LAN, it will not send a redirect.

72
Drag & Drop · medium

Drag and drop the steps to verify and validate DMVPN operational state into the correct order, from first to last.

Why this order

Validating DMVPN starts with checking the tunnel interface status, then verifying NHRP mappings and IPsec security associations. Next, confirm routing protocol adjacencies over the tunnel. Finally, test end-to-end reachability to ensure the DMVPN network is fully operational.

73
MCQ · medium

A network engineer configures a DMVPN spoke with OSPF as the routing protocol:

    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     ip nhrp network-id 100
     ip nhrp nhs 10.0.0.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     ip nhrp map 10.0.0.1 192.168.1.1
     ip nhrp map multicast 192.168.1.1
    !
    router ospf 1
     network 10.0.0.0 0.0.0.255 area 0
    !

What is a common issue with OSPF in this DMVPN Phase 2 configuration?

A. OSPF will elect a DR/BDR on the hub, which can cause suboptimal routing and adjacency issues.
B. OSPF will not form adjacencies because of NHRP authentication.
C. OSPF will use point-to-point network type by default.
D. OSPF will automatically adjust to the DMVPN environment.
Answer: A

By default, OSPF over a multipoint interface uses broadcast network type, leading to DR/BDR elections that may not work well with DMVPN.

Why this answer

OSPF over DMVPN Phase 2 requires the hub to be configured as an OSPF point-to-multipoint network type to avoid issues with DR/BDR elections and to allow spoke-to-spoke adjacencies.
