300-410 · topic practice

DMVPN practice questions

Practise Cisco CCNP ENARSI 300-410 DMVPN practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security

What the exam tests

What to know about DMVPN

DMVPN questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common DMVPN exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

DMVPN questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a DMVPN phase 2 hub-and-spoke deployment. The hub router has mGRE and NHRP configured, and spokes register successfully. However, spoke-to-spoke traffic is not being encrypted, even though IPsec profiles are applied to the mGRE tunnel interface on both the hub and spokes. The engineer verifies that the crypto map is not applied to the tunnel interface. What is the most likely cause of this issue?

Question 2hardmultiple choice
Read the full VPN explanation →

An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are not being established dynamically. The hub router has NHRP redirect enabled, and spokes have NHRP shortcut enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic but does not send an NHRP redirect. The hub's NHRP configuration includes the command 'ip nhrp redirect'. What is the most likely cause?

Question 3hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a DMVPN phase 2 network where spoke-to-spoke tunnels are established, but traffic between spokes is intermittently dropped. The engineer captures packets and sees that IPsec packets are being fragmented. The tunnel interface MTU is set to 1400 bytes, and the physical interface MTU is 1500 bytes. The engineer also notices that the IPsec transform set uses ESP with AES-256 and SHA-256. What is the most likely cause of the intermittent drops?

Question 4mediummultiple choice
Study the full EIGRP explanation →

An engineer is troubleshooting a DMVPN phase 3 network where spokes are unable to reach the hub's LAN subnet. The hub router is running EIGRP over the DMVPN tunnel interface, and the spokes are learning the hub's LAN route. However, pings from a spoke to the hub's LAN IP fail. The engineer checks the hub's routing table and sees the spoke's LAN route. The hub's tunnel interface has 'ip nhrp redirect' and 'ip nhrp shortcut' enabled. What is the most likely cause?

Question 5mediummultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an NHRP adjacency with a spoke. The spoke router is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1, and the physical interface IP is 192.168.1.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. However, 'show ip nhrp' on the spoke shows no NHRP entries. What is the most likely cause?

Question 6hardmultiple choice
Read the full VPN explanation →

An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are established, but traffic between spokes is taking a suboptimal path through the hub. The engineer checks 'show ip nhrp shortcut' on the spoke and sees no shortcut entries. The hub has 'ip nhrp redirect' enabled, and the spoke has 'ip nhrp shortcut' enabled. The engineer also verifies that the spoke's routing table has a route to the remote spoke's LAN via the hub. What is the most likely cause?

Question 7mediummultiple choice
Study the full EIGRP explanation →

A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not learning the loopback interface routes from the spokes via EIGRP. The spokes have EIGRP configured on the tunnel interface and are advertising their loopback0 interface. The hub's EIGRP neighbor relationship with the spokes is established. However, the hub's routing table does not contain the loopback routes. The engineer checks the spoke's EIGRP configuration and sees that the loopback interface is not included in any network statement. What is the most likely cause?

Question 8mediummultiple choice
Study the full EIGRP explanation →

An engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an EIGRP neighbor relationship with a spoke. The spoke's tunnel interface is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. The engineer checks 'show ip eigrp neighbors' on the hub and sees no neighbors. What is the most likely cause?

Question 9hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a DMVPN phase 2 network where spoke-to-spoke tunnels are not being established. The hub router has 'ip nhrp redirect' enabled, and spokes have 'ip nhrp shortcut' enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic correctly, but the spoke does not initiate an NHRP resolution request to the destination spoke. The spoke's routing table shows the destination subnet via the hub. What is the most likely cause?

Question 10mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show dmvpn

Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket #Ent -> Number of NHRP entries with same NBMA peer NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Addr State  UpDn Tm Attrb

----- --------------- ---------------- ----- -------- ----- 1 10.1.1.2 172.16.0.2 UP 00:02:15 D 1 10.1.1.3 172.16.0.3 UP 00:01:45 D

Based on this output, which statement is correct?

Question 11hardmultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show ip nhrp
192.168.1.0/24 via 172.16.0.2

Tunnel0 created 00:00:15, expire 00:01:45 Type: dynamic, Flags: unique NBMA address: 10.1.1.2

192.168.2.0/24 via 172.16.0.3

Tunnel0 created 00:00:10, expire 00:01:50 Type: dynamic, Flags: unique NBMA address: 10.1.1.3

Based on this output, what is the problem?

Question 12mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa

dst src state conn-id slot status

10.1.1.2        10.1.1.1        MM_ACTIVE      1       0     ACTIVE
10.1.1.3        10.1.1.1        MM_ACTIVE      2       0     ACTIVE

Based on this output, which statement is correct?

Question 13hardmultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: DMVPN, local addr 10.1.1.1

protected vrf: (none) local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0) remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/47/0) current_peer 10.1.1.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150 #pkts decaps: 145, #pkts decrypt: 145, #pkts verify: 145 #send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2 path mtu 1500, ip mtu 1500, ip mtu idb Tunnel0 current outbound spi: 0x12345678(305419896) PFS (Y/N): N, DH group: none

Based on this output, what is the problem?

Question 14hardmultiple choice
Review the full OSPF breakdown →

A network engineer runs the following command on Router R1:

R1# show ip route ospf

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O        172.16.0.0/24 [110/100] via 172.16.0.2, 00:00:15, Tunnel0
O        172.16.0.0/24 [110/100] via 172.16.0.3, 00:00:10, Tunnel0

Based on this output, what is the problem?

Question 15mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show dmvpn detail

Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket #Ent -> Number of NHRP entries with same NBMA peer NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:1,

# Ent  Peer NBMA Addr Peer Tunnel Addr State  UpDn Tm Attrb

----- --------------- ---------------- ----- -------- ----- 1 10.1.1.1 172.16.0.1 UP 00:10:00 S

Based on this output, what is the problem?

Question 16hardmultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show ip nhrp nhs

NHS: 172.16.0.1 Tunnel0 status: registered NHS: 172.16.0.2 Tunnel0 status: not registered

Based on this output, what is the problem?

Question 17mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa detail

Codes: C - IKE, M - IKEv2, P - IPsec

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 1 10.1.1.1 10.1.1.2 ACTIVE aes sha md5 2 86400 2 10.1.1.1 10.1.1.3 ACTIVE aes sha md5 2 86400

Based on this output, what is the problem?

Question 18mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R1:

R1# show ip nhrp traffic

NHRP Traffic Statistics Sent: 100 requests, 50 replies Received: 50 requests, 100 replies

Based on this output, what is the problem?

Question 19mediummultiple choice
Read the full VPN explanation →

Consider the following partial DMVPN configuration on a hub router:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp authentication cisco123

tunnel source GigabitEthernet0/0 tunnel mode gre multipoint

ip nhrp map multicast dynamic

!

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full VPN explanation →

A spoke router has the following DMVPN configuration:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1

tunnel source GigabitEthernet0/0 tunnel mode gre multipoint

ip nhrp map 10.0.0.1 192.168.1.1

!

What is missing from this configuration?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused DMVPN sessions

Start a DMVPN only practice session

Every question in these sessions is drawn from the DMVPN domain — nothing else.

Related practice questions

Related 300-410 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 300-410 exam test about DMVPN?
DMVPN questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just DMVPN questions in a focused session?
Yes — the session launcher on this page draws every question from the DMVPN domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 300-410 topics?
Use the topic links above to move to related areas, or go back to the 300-410 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 300-410 exam covers. They are not copied from any real exam or dump site.