CCNA IPV6 Tunneling Questions

63 questions · IPV6 Tunneling topic · All types, answers revealed

1
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel comes up and pings succeed, but OSPFv3 over the tunnel fails to form an adjacency, stuck in EXSTART state. MTU is set to 1500 on all physical interfaces. What is the most likely cause?

A.The tunnel interface MTU must be explicitly set to 1500 to match the physical interface.
B.The tunnel mode is incorrectly set to ipv6ip instead of gre; GRE adds additional overhead.
C.OSPFv3 uses the tunnel MTU (1460) for its packet size, but the physical interface MTU is 1500, causing the adjacency to stall.
D.The tunnel source interface has a different OSPF area than the tunnel interface, preventing adjacency.
AnswerC

OSPFv3 uses the interface MTU for database description packets. The tunnel MTU is 1460, but the physical path can only handle 1500 bytes including the outer header, leading to a mismatch.

Why this answer

In an IPv6 manual tunnel (IPv6-in-IPv4), the tunnel interface has a default MTU of 1480 bytes (1500 minus 20-byte IPv4 header). OSPFv3 uses the tunnel MTU to determine the size of Database Description (DBD) packets during the EXSTART state. When the physical interface MTU is 1500, the tunnel MTU of 1480 causes OSPFv3 DBD packets to be fragmented or dropped, preventing the adjacency from progressing beyond EXSTART.

Setting the tunnel MTU to 1480 or adjusting OSPFv3's ipv6 mtu-ignore can resolve this.

Exam trap

Cisco often tests the subtlety that OSPFv3 adjacency stalls in EXSTART due to MTU mismatch, where candidates mistakenly think the issue is with tunnel mode or OSPF area configuration rather than the default tunnel MTU reduction from encapsulation overhead.

How to eliminate wrong answers

Option A is wrong because setting the tunnel MTU to 1500 would exceed the physical interface's ability to encapsulate the IPv4 header, causing fragmentation or packet loss; the tunnel MTU must be reduced to account for encapsulation overhead. Option B is wrong because 'ipv6ip' is the correct tunnel mode for an IPv6 manual tunnel (RFC 4213), and GRE is not required; GRE would add additional overhead (4 bytes) and is not the default for manual tunnels. Option D is wrong because OSPFv3 adjacency formation does not require the tunnel source interface and tunnel interface to be in the same OSPF area; the tunnel interface is a separate OSPF interface, and area mismatch between interfaces does not cause EXSTART state issues.

2
MCQhard

A network engineer configures a 6to4 tunnel between two sites. The tunnel works for traffic from Site A to Site B, but return traffic from Site B to Site A fails. Both sites have IPv4 connectivity. What is the most likely explanation?

A.Site B's IPv4 address is private and not reachable from Site A; 6to4 requires public IPv4 addresses on both ends.
B.The tunnel mode on Site B is configured as GRE IPv6 instead of 6to4.
C.The IPv6 MTU on the tunnel is set too high, causing fragmentation of return packets.
D.Site A has a firewall blocking incoming IPv4 protocol 41 packets.
AnswerA

6to4 requires globally routable IPv4 addresses on both tunnel endpoints. If Site B uses a private address behind NAT, the return traffic cannot be encapsulated correctly.

Why this answer

6to4 tunnels require both endpoints to have globally routable public IPv4 addresses because the tunnel encapsulation uses the IPv4 address to derive the IPv6 prefix (2002::/16). If Site B has a private IPv4 address (e.g., 10.x.x.x or 192.168.x.x), Site A cannot route return traffic to it, as private addresses are not reachable over the public Internet. This explains why traffic from Site A to Site B works (Site A's public address is reachable), but return traffic fails.

Exam trap

Cisco often tests the misconception that 6to4 tunnels can work with private IPv4 addresses if NAT is involved, but 6to4 does not support NAT traversal because the IPv4 address is embedded in the IPv6 prefix, making it incompatible with address translation.

How to eliminate wrong answers

Option B is wrong because GRE IPv6 tunnel mode (tunnel mode gre ipv6) encapsulates IPv6 packets in GRE over IPv4, which is a different mechanism than 6to4; it does not use the 2002::/16 prefix or require public IPv4 addresses, so it would not cause the described asymmetric failure. Option C is wrong because an MTU mismatch causing fragmentation would typically result in packet drops or ICMP fragmentation-needed messages in both directions, not a unidirectional failure; 6to4 tunnels have a default MTU of 1280 bytes, and while fragmentation can occur, it would not selectively block return traffic. Option D is wrong because if Site A's firewall were blocking incoming IPv4 protocol 41 (the 6to4 encapsulation protocol), then traffic from Site B to Site A would fail, but the question states that traffic from Site A to Site B works, which also uses protocol 41 in the opposite direction; a firewall blocking inbound protocol 41 would affect return traffic, but this scenario is less likely than the fundamental addressing issue described in option A.

3
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec using a crypto map. The tunnel works for unicast traffic, but OSPFv3 over the tunnel fails to form adjacency. The engineer checks the crypto map and sees that it only matches traffic with a specific access-list. What is the most likely explanation?

A.The crypto map access-list must include IPv6 protocol 89 (OSPF) to encrypt OSPFv3 packets; otherwise, they are sent in the clear and may be dropped.
B.OSPFv3 cannot be encrypted with IPsec; it requires a separate encryption mechanism.
C.The GRE tunnel interface must be configured with 'tunnel protection ipsec' instead of a crypto map.
D.The crypto map is applied to the physical interface instead of the tunnel interface.
AnswerA

OSPFv3 uses IPv6 protocol 89. If the access-list does not match this protocol, OSPFv3 packets are not protected and may be discarded by the remote IPsec policy.

Why this answer

OSPFv3 uses IPv6 protocol number 89 for its packets. When a crypto map is applied with an access-list that only matches specific traffic (e.g., unicast data), OSPFv3 packets (protocol 89) are not matched and are sent unencrypted. If the IPsec peer is configured to drop unencrypted traffic or if the GRE tunnel requires all traffic to be encrypted, OSPFv3 adjacency fails.

Adding protocol 89 to the access-list ensures OSPFv3 packets are encrypted and processed correctly.

Exam trap

Cisco often tests the misconception that OSPFv3 cannot be encrypted with IPsec or that the crypto map must be applied to the tunnel interface, when the real issue is that the access-list used by the crypto map must explicitly include the OSPFv3 protocol (89) to encrypt routing updates.

How to eliminate wrong answers

Option B is wrong because OSPFv3 can be encrypted with IPsec; in fact, IPsec is commonly used to protect OSPFv3 routing updates over tunnels. Option C is wrong because 'tunnel protection ipsec' is a valid alternative to a crypto map, but using a crypto map is also correct; the issue is the access-list not matching OSPFv3, not the method of applying IPsec. Option D is wrong because the crypto map is correctly applied to the physical interface (the tunnel source/destination) to protect GRE-encapsulated traffic; applying it to the tunnel interface would not encrypt the outer IP headers.

4
MCQmedium

Examine the following partial configuration on Router R1: ``` interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel destination 2001:DB8:2::2 tunnel mode ipv6ip ``` What is the effect of this configuration?

A.The tunnel will successfully encapsulate IPv6 packets in IPv4 and forward them.
B.The tunnel will not come up because the tunnel destination is an IPv6 address instead of an IPv4 address.
C.The tunnel will use IPv6 as the transport protocol, encapsulating IPv4 packets.
D.The configuration is correct for a 6to4 tunnel.
AnswerB

In ipv6ip mode, both tunnel source and destination must be IPv4 addresses.

Why this answer

The tunnel mode ipv6ip requires an IPv4 address as the tunnel destination because it encapsulates IPv6 packets inside IPv4 packets for transport over an IPv4 network. In this configuration, the tunnel destination is set to an IPv6 address (2001:DB8:2::2), which is invalid for this tunnel mode, preventing the tunnel interface from coming up.

Exam trap

Cisco often tests the distinction between tunnel transport and passenger protocols, trapping candidates who confuse the tunnel destination address family with the tunnel mode requirements.

How to eliminate wrong answers

Option A is wrong because the tunnel will not successfully encapsulate and forward packets due to the invalid IPv6 destination address; the tunnel interface will remain down. Option C is wrong because tunnel mode ipv6ip uses IPv4 as the transport protocol to carry IPv6 packets, not IPv6 as the transport. Option D is wrong because a 6to4 tunnel uses a special IPv4-embedded IPv6 address format (2002::/16) and does not use the tunnel mode ipv6ip command; this configuration lacks the required 6to4 parameters.

5
MCQhard

A network using IPv6 over IPv4 ISATAP tunnels is experiencing connectivity issues. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::/64 eui-64 tunnel source 192.0.2.1 tunnel mode ipv6ip isatap. Router R2 shows: R2# show ipv6 interface Tunnel0 Tunnel0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::5EFE:192.0.2.2 Global unicast address(es): 2001:DB8:1::5EFE:192.0.2.2. What is the root cause?

A.The IPv6 address on R1 should be configured without the eui-64 keyword to allow manual assignment.
B.The tunnel mode should be ipv6ip isatap on both ends, but R2's address shows correct ISATAP format, indicating R1's address is wrong.
C.The tunnel source on R1 should be the IPv4 address of R2.
D.ISATAP requires the use of a link-local address only.
AnswerB

R1's address uses EUI-64, which does not produce the ISATAP-specific interface identifier, causing address mismatch.

Why this answer

Option B is correct because ISATAP tunnels require both endpoints to use the same tunnel mode (ipv6ip isatap) and to form the IPv6 interface identifier from the IPv4 tunnel source using the format ::5EFE:w.x.y.z. R2's global address 2001:DB8:1::5EFE:192.0.2.2 correctly embeds its IPv4 address 192.0.2.2, but R1's configuration with the eui-64 keyword causes it to derive an interface identifier from its MAC address instead of the required ISATAP format. This mismatch prevents proper IPv6 neighbor discovery and connectivity over the tunnel.

Exam trap

Cisco often tests the distinction between standard EUI-64 address generation and ISATAP's fixed interface identifier format, trapping candidates who assume that eui-64 is always correct for IPv6 tunnel interfaces.

How to eliminate wrong answers

Option A is wrong because removing the eui-64 keyword and manually assigning an address would not fix the root cause; the issue is that R1 must use the ISATAP-specific interface identifier (::5EFE:IPv4) derived from its tunnel source, not a manually assigned or MAC-based identifier. Option C is wrong because the tunnel source on R1 should be its own IPv4 address (192.0.2.1) to identify the tunnel endpoint; pointing to R2's IPv4 address would break the tunnel encapsulation. Option D is wrong because ISATAP tunnels support both link-local and global unicast addresses; the link-local address is automatically derived, but global addresses are required for end-to-end connectivity and are correctly used in this scenario.

6
MCQmedium

In a 6to4 tunnel, what is the default IPv6 prefix assigned to the tunnel interface?

A.2002::/16
B.2002:IPv4-address::/48
C.2001::/32
D.3ffe::/16
AnswerB

The tunnel interface gets a /48 prefix based on its source IPv4 address.

Why this answer

In a 6to4 tunnel, the default IPv6 prefix assigned to the tunnel interface is 2002:IPv4-address::/48, where the IPv4 address of the tunnel source is embedded in the prefix. This is defined in RFC 3056, which specifies that the 6to4 prefix is 2002::/16, and the next 32 bits are the tunnel source's IPv4 address, resulting in a /48 prefix for the 6to4 site.

Exam trap

Cisco often tests the distinction between the 6to4 prefix range (2002::/16) and the actual prefix assigned to the tunnel interface (2002:IPv4-address::/48), leading candidates to mistakenly select the broader /16 prefix instead of the correct /48 derived from the IPv4 address.

How to eliminate wrong answers

Option A is wrong because 2002::/16 is the overall 6to4 prefix range, not the specific prefix assigned to the tunnel interface; the tunnel interface uses a /48 derived from the IPv4 address. Option C is wrong because 2001::/32 is the prefix for 6rd (IPv6 Rapid Deployment) or some tunnel broker deployments, not for 6to4 tunnels. Option D is wrong because 3ffe::/16 was part of the 6bone testing address space, which is deprecated and not used for 6to4 tunnels.

7
MCQhard

A dual-stack network using IPv6 over IPv4 GRE tunnels with OSPFv3 is experiencing routing loops. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel destination 198.51.100.1 ipv6 ospf network point-to-point ipv6 ospf 1 area 0. Router R2 shows: R2# show ipv6 ospf neighbor Neighbor ID Pri State Dead Time Interface ID Interface 192.0.2.2 1 FULL/ - 00:00:33 7 Tunnel0. R2# show ipv6 route 2001:DB8:3::/64 O 2001:DB8:3::/64 [110/2] via 2001:DB8:1::1, Tunnel0. What is the root cause?

A.The OSPF network type on Tunnel0 should be broadcast to match the underlying GRE tunnel.
B.The tunnel destination on R1 is incorrect, causing OSPF adjacencies to form with the wrong router.
C.R1 has a higher metric for the same prefix via another interface, causing a routing loop due to OSPF's SPF algorithm.
D.IPv6 unicast-routing is not enabled on R1.
AnswerC

If R1 learns the prefix via a different path with a higher metric, it may still prefer the tunnel route, but if that tunnel route points back to R2, a loop occurs.

Why this answer

The routing loop is caused by R1 having a higher metric for the prefix 2001:DB8:3::/64 via another interface, which OSPF's SPF algorithm still installs in the routing table. Since R2's best path to that prefix points to R1 via Tunnel0 (metric 2), and R1's best path points back to R2 via a different interface with a higher metric, traffic bounces between them. This is a classic OSPF metric asymmetry issue in a dual-stack GRE tunnel environment.

Exam trap

Cisco often tests the misconception that routing loops in OSPF are caused by network type mismatches or tunnel misconfigurations, when the real issue is metric asymmetry between routers leading to recursive routing.

How to eliminate wrong answers

Option A is wrong because OSPFv3 over a point-to-point GRE tunnel should use the point-to-point network type to avoid DR/BDR elections and simplify adjacency formation; changing to broadcast would add unnecessary overhead and not fix a routing loop. Option B is wrong because the tunnel destination on R1 (198.51.100.1) is correct for reaching R2, and the OSPF neighbor output confirms a full adjacency with Neighbor ID 192.0.2.2, indicating the tunnel is properly formed. Option D is wrong because if IPv6 unicast-routing were not enabled on R1, OSPFv3 would not form adjacencies or install routes, but the show output shows an active OSPF neighbor and a route via Tunnel0, proving it is enabled.

8
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 bgp summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 10, main routing table version 10 5 network entries using 720 bytes of memory 5 path entries using 400 bytes of memory 3/2 BGP path/bestpath attribute entries using 456 bytes of memory 1 BGP AS-PATH entries using 24 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1600 total bytes of memory BGP activity 10/5 prefixes, 10/5 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 2001:DB8::2 4 65002 100 99 10 0 0 00:45:12 3 Based on this output, which statement is correct?

A.BGP is not configured for IPv6.
B.The BGP session is down.
C.BGP is peering over IPv6 and 3 prefixes are learned from the neighbor.
D.The router is in AS 65002.
AnswerC

The neighbor is IPv6 and PfxRcd shows 3.

Why this answer

The output shows that the neighbor 2001:DB8::2 (IPv6 address) is in state '3' under 'State/PfxRcd', which indicates the BGP session is established and 3 IPv6 prefixes have been received from that neighbor. The 'Up/Down' time of 00:45:12 confirms the session is active, and the 'MsgRcvd/MsgSent' counters show bidirectional communication. Therefore, BGP is peering over IPv6 and has learned 3 prefixes from the neighbor, making option C correct.

Exam trap

Cisco often tests the interpretation of the 'State/PfxRcd' column in 'show bgp ipv6 unicast summary' (or 'show ipv6 bgp summary'), where a numeric value indicates an established session and received prefixes, while a state name indicates a session problem, leading candidates to mistakenly think the session is down when they see a number instead of a state.

How to eliminate wrong answers

Option A is wrong because the command 'show ipv6 bgp summary' explicitly displays IPv6 BGP information, and the neighbor is an IPv6 address (2001:DB8::2), proving BGP is configured for IPv6. Option B is wrong because the 'State/PfxRcd' column shows '3' (not an idle/active/connect state), and the 'Up/Down' timer is 00:45:12, indicating the session is up and exchanging prefixes. Option D is wrong because the output clearly states 'local AS number 65001' in the BGP router identifier line, and the neighbor AS is 65002; the router is in AS 65001, not 65002.

9
MCQhard

An engineer configures a 6rd tunnel on a router. The tunnel comes up and the router can reach IPv6 hosts on the 6rd domain, but IPv6 hosts behind the router cannot reach the internet (native IPv6). The 6rd border relay is configured correctly. What is the most likely cause?

A.The 6rd router does not have a default route pointing to the tunnel interface; a static route to ::/0 via the tunnel is required.
B.The 6rd prefix length is incorrect; it must be /32 for the tunnel to work.
C.The border relay is not configured with the same 6rd prefix.
D.The router's IPv4 address is not in the 6rd delegated prefix range.
AnswerA

6rd does not automatically install a default route. Without a default route via the tunnel, traffic to native IPv6 destinations is dropped.

Why this answer

The 6rd tunnel is up and the router can reach IPv6 hosts on the 6rd domain, but native IPv6 hosts behind the router cannot reach the internet. This indicates that the tunnel encapsulation works, but return traffic from the native IPv6 internet cannot reach the hosts because the router lacks a default route pointing to the tunnel interface. A static route to ::/0 via the tunnel interface is required to forward all non-6rd IPv6 traffic to the border relay, which then encapsulates it for the native IPv6 internet.

Exam trap

Cisco often tests the nuance that a tunnel being up and reachable within the 6rd domain does not imply a default route exists for native IPv6 internet access, leading candidates to overlook the missing static route.

How to eliminate wrong answers

Option B is wrong because the 6rd prefix length is not fixed at /32; it can vary (e.g., /32, /48, /56) and must match the operator's delegated prefix. Option C is wrong because the border relay is already configured correctly per the question, and a mismatch in the 6rd prefix would prevent the tunnel from coming up or reaching the 6rd domain, which is not the case here. Option D is wrong because the router's IPv4 address does not need to be in the 6rd delegated prefix range; the 6rd prefix is derived from the IPv4 address and the configured 6rd prefix/mask, and the tunnel works, so the IPv4 address is valid.

10
MCQmedium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel using Teredo on a Windows host. The host can access some IPv6 resources on the internet but cannot reach a specific internal IPv6 server. The engineer suspects the Teredo relay is misconfigured. What is the most likely issue?

A.The Teredo relay is not in the same IPv4 network as the host, or the relay does not have a route to the internal IPv6 server.
B.The host's firewall is blocking Teredo traffic on UDP port 3544.
C.The internal server is not configured with an IPv6 address.
D.The Teredo client on the host is using an incorrect server.
AnswerA

Correct because the Teredo relay must be able to forward packets to the destination IPv6 network. If the relay lacks a route, traffic will be dropped.

Why this answer

Teredo relays are responsible for forwarding traffic between the Teredo IPv6 tunnel and the native IPv6 network. If the relay is not on the same IPv4 subnet as the host or lacks a route to the internal IPv6 server, the host can reach public IPv6 resources (via other relays) but fails to reach the internal server. This matches the symptom of partial connectivity.

Exam trap

Cisco often tests the distinction between Teredo relay and Teredo server roles, and the trap here is that candidates confuse a misconfigured relay (which affects specific destinations) with a misconfigured server (which breaks all Teredo connectivity).

How to eliminate wrong answers

Option B is wrong because a firewall blocking UDP 3544 would prevent all Teredo communication, not just access to a specific internal server. Option C is wrong because if the internal server lacked an IPv6 address, the host would not be able to reach it via any IPv6 method, but the question states the host can access some IPv6 resources, implying the server has an IPv6 address. Option D is wrong because an incorrect Teredo server would prevent the client from obtaining a valid Teredo address or establishing the tunnel, breaking all IPv6 connectivity, not just access to one internal server.

11
MCQmedium

Consider this configuration on Router R2: ``` interface Tunnel0 ipv6 address 2001:DB8:3::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre ipv6 tunnel destination 2001:DB8:4::2 ``` Which statement is true?

A.This tunnel can only carry IPv6 traffic.
B.The tunnel source and destination must be IPv4 addresses.
C.This tunnel will encapsulate packets using GRE over an IPv6 transport.
D.The tunnel mode should be 'ipv6ip' for IPv6 transport.
AnswerC

GRE over IPv6 is correctly configured, allowing multiprotocol payload.

Why this answer

The configuration shows a tunnel with `tunnel mode gre ipv6`, which explicitly sets the tunnel to use GRE encapsulation over an IPv6 transport. The tunnel source and destination are IPv6 addresses, and GRE can carry multiple protocols (including IPv4, IPv6, and others) over the IPv6 transport. Therefore, option C is correct because the tunnel encapsulates packets using GRE over an IPv6 transport.

Exam trap

Cisco often tests the distinction between 'tunnel mode gre ipv6' (GRE over IPv6 transport) and 'tunnel mode ipv6ip' (IPv6 over IPv4 transport), and candidates mistakenly assume that any tunnel with IPv6 addresses must use ipv6ip mode.

How to eliminate wrong answers

Option A is wrong because GRE tunnels can carry multiple protocol types (IPv4, IPv6, MPLS, etc.), not just IPv6 traffic. Option B is wrong because the tunnel source and destination are explicitly configured as IPv6 addresses (2001:DB8:3::1 and 2001:DB8:4::2), not IPv4 addresses. Option D is wrong because 'tunnel mode ipv6ip' is used for IPv6-over-IPv4 tunnels (6in4), not for GRE over IPv6; the correct mode for GRE over IPv6 is 'tunnel mode gre ipv6'.

12
MCQeasy

What is the maximum number of IPv6 over IPv4 tunnels that can be configured on a Cisco IOS router?

A.256
B.1024
C.Platform-dependent, no fixed maximum.
D.64
AnswerC

The number is limited by memory and CPU.

Why this answer

C is correct because the maximum number of IPv6 over IPv4 tunnels on a Cisco IOS router is platform-dependent and limited by available system resources such as CPU and memory, not by a fixed software limit. Cisco IOS does not impose a hard-coded maximum; the actual number depends on the router model, the type of tunnel (e.g., manual, 6to4, ISATAP, GRE), and the configuration complexity.

Exam trap

Cisco often tests the misconception that there is a fixed numerical limit (like 256, 1024, or 64) for IPv6 over IPv4 tunnels, when in fact the correct answer is that the limit is platform-dependent and resource-driven.

How to eliminate wrong answers

Option A is wrong because 256 is not a universal limit; while some older platforms might have had lower practical limits, modern Cisco IOS routers can support far more tunnels. Option B is wrong because 1024 is a common misconception based on a default limit for certain tunnel types (e.g., 6to4) in some IOS versions, but it is not a fixed maximum and can be exceeded with proper resource allocation. Option D is wrong because 64 is too low and does not reflect the scalability of Cisco IOS; it might be confused with the maximum number of tunnels in a specific legacy feature or a different protocol context.

13
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 1 FULL/DR 00:00:32 FE80::2 Tunnel0 192.168.1.3 1 FULL/BDR 00:00:35 FE80::3 Tunnel0 Based on this output, which statement is correct?

A.OSPFv3 is not running on this router.
B.The router with Neighbor ID 192.168.1.3 is the Designated Router.
C.OSPFv3 adjacencies are fully established over the tunnel.
D.The tunnel is using IPv4 transport.
AnswerC

Both neighbors are in FULL state.

Why this answer

The output shows two OSPFv3 neighbors in the FULL state, which indicates that the adjacency process has completed successfully and the routers are exchanging link-state advertisements. The presence of the FULL state for both neighbors confirms that OSPFv3 adjacencies are fully established over the Tunnel0 interface, making option C correct.

Exam trap

Cisco often tests the distinction between OSPFv2 and OSPFv3, and the trap here is that candidates may assume the presence of IPv4-like neighbor IDs (192.168.1.x) implies IPv4 transport, but OSPFv3 uses a 32-bit Router ID (often derived from an IPv4 address) regardless of the underlying IPv6 transport.

How to eliminate wrong answers

Option A is wrong because the 'show ipv6 ospf neighbor' command itself proves that OSPFv3 is running on this router; if it were not, the command would return no output or an error. Option B is wrong because the neighbor with Neighbor ID 192.168.1.3 is listed as BDR (Backup Designated Router), not DR; the DR is 192.168.1.2, as indicated by the 'FULL/DR' state. Option D is wrong because the output shows IPv6 link-local addresses (FE80::2 and FE80::3) and the command is specific to IPv6 OSPF (OSPFv3), which operates natively over IPv6; the tunnel could be using IPv6 transport, and there is no evidence of IPv4 transport in this output.

14
MCQeasy

What is the default tunnel mode for a tunnel interface on Cisco IOS?

A.tunnel mode ipv6ip
B.tunnel mode gre ip
C.tunnel mode gre ipv6
D.tunnel mode mpls traffic-eng
AnswerB

GRE over IPv4 is the default.

Why this answer

The default tunnel mode on Cisco IOS is GRE (Generic Routing Encapsulation) over IPv4, configured with the command `tunnel mode gre ip`. This mode encapsulates packets using the GRE protocol (RFC 2784) with an IPv4 transport header, and it is the default when no explicit tunnel mode is specified. GRE ip supports multiprotocol payloads (IPv4, IPv6, etc.) and is widely used for site-to-site VPNs and overlay networks.

Exam trap

Cisco often tests the assumption that the default tunnel mode is IPv6-in-IPv4 or GRE over IPv6, but the actual default is GRE over IPv4, which catches candidates who overlook the implicit IPv4 transport requirement.

How to eliminate wrong answers

Option A is wrong because `tunnel mode ipv6ip` is used for IPv6-in-IPv4 manual tunneling, not the default; it requires explicit configuration and does not use GRE encapsulation. Option C is wrong because `tunnel mode gre ipv6` is a valid mode for GRE over IPv6 transport, but it is not the default; the default transport is IPv4, not IPv6. Option D is wrong because `tunnel mode mpls traffic-eng` is used for MPLS Traffic Engineering tunnels, not for generic IP tunneling, and it is not the default tunnel mode.

15
MCQhard

In a manual IPv6 over IPv4 tunnel (tunnel mode ipv6ip), what is the default maximum number of hops (TTL) for the IPv4 header?

A.64
B.128
C.255
D.16
AnswerC

The default TTL is 255 for manual IPv6 over IPv4 tunnels.

Why this answer

In a manual IPv6 over IPv4 tunnel (tunnel mode ipv6ip), the IPv4 header's TTL (Time to Live) defaults to 255. This is because the tunnel is treated as a directly connected virtual link, and the IPv4 TTL is set to the maximum value of 255 to minimize the chance of the tunneled packet being dropped due to TTL expiry within the transit IPv4 network. This behavior is defined in RFC 2473 and is the default for IPv6-in-IPv4 tunnels on Cisco IOS.

Exam trap

Cisco often tests the distinction between the default TTL values for IPv6 (64) and the outer IPv4 header in a manual IPv6 over IPv4 tunnel (255), leading candidates to mistakenly choose 64 or 128.

How to eliminate wrong answers

Option A is wrong because 64 is the default TTL for IPv6 packets, not for the IPv4 header in a manual IPv6 over IPv4 tunnel. Option B is wrong because 128 is the default TTL for IPv4 packets on many operating systems (e.g., Windows), but Cisco routers set the IPv4 TTL to 255 for tunnel mode ipv6ip. Option D is wrong because 16 is a common default for certain routing protocols (e.g., RIP), but it is not the default TTL for the IPv4 header in this tunnel type.

16
MCQmedium

Given this configuration on Router R6: ``` interface Tunnel0 ipv6 address 2001:DB8:8::1/64 tunnel source 2001:DB8:9::1 tunnel destination 2001:DB8:10::2 tunnel mode gre ipv6 tunnel path-mtu-discovery ``` What is the effect?

A.The tunnel will not work because path-mtu-discovery is not supported with GRE.
B.The tunnel will dynamically adjust the MTU based on the path MTU discovery.
C.The tunnel mode should be 'ipv6ip' for IPv6 transport.
D.The tunnel source and destination must be IPv4 addresses.
AnswerB

The 'tunnel path-mtu-discovery' command enables PMTUD for the tunnel.

Why this answer

The `tunnel path-mtu-discovery` command enables Path MTU Discovery (PMTUD) for the GRE tunnel, which dynamically determines the maximum MTU along the path to the tunnel destination and adjusts the tunnel interface's MTU accordingly. This prevents fragmentation issues by allowing the tunnel to use the smallest MTU in the path. Option B correctly identifies this behavior.

Exam trap

Cisco often tests the misconception that path-mtu-discovery is unsupported with GRE tunnels, but it is actually supported and commonly used to avoid fragmentation in overlay networks.

How to eliminate wrong answers

Option A is wrong because path-mtu-discovery is fully supported with GRE tunnels; it uses the DF bit and ICMPv6 Packet Too Big messages (or ICMPv4 Fragmentation Needed) to discover the path MTU. Option C is wrong because the tunnel mode 'gre ipv6' is correct for transporting IPv6 packets over an IPv6 transport network; 'ipv6ip' is used for IPv6-in-IPv4 tunnels, not for GRE over IPv6. Option D is wrong because the tunnel source and destination are IPv6 addresses (2001:DB8:9::1 and 2001:DB8:10::2), which is valid for a GRE tunnel operating over an IPv6 transport network.

17
MCQhard

What is the default IPv6 hop limit for packets sent over a tunnel interface in Cisco IOS-XE?

A.64
B.128
C.255
D.32
AnswerA

The default hop limit for originated IPv6 packets is 64.

Why this answer

The default IPv6 hop limit for packets sent over a tunnel interface in Cisco IOS-XE is 64. This value is defined in RFC 2473 and is used by Cisco for tunnel interfaces such as GRE, IPv6-in-IPv4, and ISATAP. The hop limit is decremented by one when the packet is encapsulated and again when it is decapsulated, so the effective end-to-end hop count is reduced by two.

Exam trap

Cisco often tests the distinction between default values for native interfaces (128) versus tunnel interfaces (64), and candidates mistakenly apply the native interface default to tunnels.

How to eliminate wrong answers

Option B (128) is wrong because 128 is the default hop limit for IPv6 packets sent over native interfaces (e.g., physical Ethernet) in Cisco IOS-XE, not for tunnel interfaces. Option C (255) is wrong because 255 is the default TTL for IPv4 packets on Cisco routers, not the IPv6 hop limit for tunnels. Option D (32) is wrong because 32 is not a standard default value for IPv6 hop limits; it might be confused with the default hop limit used in some older or non-Cisco implementations.

18
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 route | include Tunnel O 2001:DB8:1::/48 [110/2] via FE80::1, Tunnel0 O 2001:DB8:2::/48 [110/3] via FE80::2, Tunnel1 Based on this output, which statement is correct?

A.The routes are learned via EIGRP.
B.The tunnels are using IPv4 as the transport.
C.OSPFv3 is running over the tunnel interfaces and these routes are reachable.
D.Tunnel0 has a higher metric than Tunnel1.
AnswerC

The OSPF routes are present with next-hop addresses via tunnel interfaces.

Why this answer

The output shows OSPF routes (indicated by 'O') learned over tunnel interfaces. Since the routes are IPv6 (2001:DB8::/48) and OSPFv3 is the IPv6-capable version of OSPF, the correct interpretation is that OSPFv3 is running over the tunnels. The 'via FE80::1, Tunnel0' confirms the next hop is a link-local address reachable through the tunnel, meaning the routes are reachable via OSPFv3 over those tunnels.

Exam trap

Cisco often tests the distinction between OSPFv3 and OSPFv2 by using the route code 'O' in IPv6 routing tables, leading candidates to mistakenly think it could be EIGRP or that the transport must be IPv4, when in fact 'O' always means OSPF in any routing table context.

How to eliminate wrong answers

Option A is wrong because the route code 'O' indicates OSPF, not EIGRP (which would show 'D' for EIGRP). Option B is wrong because the output shows IPv6 next-hop addresses (FE80::1, FE80::2) and IPv6 prefixes, so the tunnels are using IPv6 as the transport, not IPv4. Option D is wrong because a higher administrative distance value (110/3) indicates a worse metric, not better; Tunnel0 has a metric of 2 (lower) and Tunnel1 has a metric of 3 (higher), so Tunnel0 actually has a lower (better) metric.

19
MCQmedium

Which statement correctly describes the behavior of ISATAP tunneling regarding host configuration?

A.ISATAP requires manual configuration of the entire IPv6 address on each host.
B.ISATAP uses the prefix 2002::/16 for global addresses.
C.ISATAP embeds the IPv4 address into the interface identifier (last 64 bits) of the IPv6 address.
D.ISATAP is only used for site-to-site tunnels.
AnswerC

ISATAP uses the format ::5EFE:IPv4-address for the interface identifier.

Why this answer

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) automatically generates the IPv6 address by embedding the host's IPv4 address into the interface identifier (the last 64 bits of the IPv6 address). This allows hosts to obtain a complete IPv6 address without manual configuration of the full 128-bit address, as the IPv4 address is used to form the unique interface ID. Option C correctly describes this behavior.

Exam trap

Cisco often tests the distinction between ISATAP and 6to4 tunneling, and the trap here is confusing the 2002::/16 prefix (used by 6to4) with ISATAP's use of a site-specific prefix and the embedded IPv4 address in the interface ID.

How to eliminate wrong answers

Option A is wrong because ISATAP does not require manual configuration of the entire IPv6 address; it automatically derives the interface identifier from the IPv4 address, and the prefix can be obtained via router discovery or DHCPv6. Option B is wrong because the prefix 2002::/16 is used by 6to4 tunneling, not ISATAP; ISATAP typically uses a site-specific unicast prefix (e.g., a global or unique local prefix) advertised by an ISATAP router. Option D is wrong because ISATAP is designed for host-to-router and host-to-host tunnels within a site, not exclusively for site-to-site tunnels; site-to-site tunnels are typically implemented with manual IPv6-in-IPv4 tunnels or GRE tunnels.

20
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 mld interface tunnel 0 Tunnel0 is up, line protocol is up Internet address is FE80::1 MLD is enabled on interface Current MLD version is 2 MLD query interval is 125 seconds MLD querier timeout is 255 seconds MLD max query response time is 10 seconds Last member query response interval is 1 second MLD activity: 0 joins, 0 leaves MLD querying router is FE80::1 (this system) Based on this output, what can be concluded?

A.MLD is disabled on this interface.
B.This router is not the MLD querier.
C.There are no multicast listeners on this tunnel interface.
D.MLD version 1 is in use.
AnswerC

0 joins indicates no hosts have joined any multicast groups.

Why this answer

The output shows 'MLD activity: 0 joins, 0 leaves', indicating that no multicast listeners have joined any multicast group on this tunnel interface. Since MLD (Multicast Listener Discovery) is used to track group membership, zero joins means there are no active listeners. Therefore, option C is correct.

Exam trap

Cisco often tests the distinction between 'MLD enabled' and 'active listeners' — candidates may mistakenly think that MLD being enabled implies there are active group members, but the 'joins' counter directly reveals listener activity.

How to eliminate wrong answers

Option A is wrong because the output explicitly states 'MLD is enabled on interface', so MLD is not disabled. Option B is wrong because the output states 'MLD querying router is FE80::1 (this system)', confirming that this router is the MLD querier. Option D is wrong because the output shows 'Current MLD version is 2', not version 1.

21
MCQeasy

What is the default tunnel mode for an IPv6 tunnel configured on Cisco IOS-XE?

A.IPv6IP
B.GRE
C.ISATAP
D.6to4
AnswerB

GRE is the default tunnel mode for IPv6 tunnels in IOS-XE.

Why this answer

The default tunnel mode for an IPv6 tunnel on Cisco IOS-XE is GRE (Generic Routing Encapsulation), as specified by the 'tunnel mode gre ipv6' command. When you create a tunnel interface and configure an IPv6 tunnel source and destination without explicitly setting the tunnel mode, the router defaults to GRE encapsulation, which provides a multiprotocol transport capable of carrying both IPv4 and IPv6 payloads.

Exam trap

Cisco often tests the misconception that the default tunnel mode for IPv6 tunnels is 'ipv6ip' (manual IPv6-over-IPv4) because of its simplicity, but the actual default is GRE, which is a more feature-rich encapsulation.

How to eliminate wrong answers

Option A (IPv6IP) is wrong because IPv6IP is not a default tunnel mode; it is a specific mode used for IPv6-over-IPv4 manual tunnels, configured with 'tunnel mode ipv6ip', and must be explicitly set. Option C (ISATAP) is wrong because ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is a specific automatic tunneling mechanism that uses a non-default tunnel mode and requires explicit configuration with 'tunnel mode ipv6ip isatap'. Option D (6to4) is wrong because 6to4 is another automatic tunneling technique that uses a non-default tunnel mode, configured with 'tunnel mode ipv6ip 6to4', and is not the default; it also relies on a specific IPv6 prefix (2002::/16).

22
MCQhard

A network using IPv6 over IPv4 Teredo tunnels is experiencing intermittent connectivity. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:0:4136:E378:8000:63BF:3C57:DD0B/128 tunnel source 192.0.2.1 tunnel mode ipv6ip teredo. Router R2 shows: R2# show ipv6 route 2001:0:4136:E378::/64 % Route not found. What is the root cause?

A.The Teredo server IPv4 address is not configured on R1.
B.The tunnel mode should be ipv6ip teredo relay instead of teredo.
C.The IPv4 address of the Teredo relay is not reachable.
D.Teredo is not supported on Cisco IOS.
AnswerA

Without a Teredo server, the router cannot obtain a valid Teredo address or prefix.

Why this answer

The Teredo tunnel on R1 requires a Teredo server to facilitate the initial configuration and to help the client discover its public IPv4 address and the Teredo relay. Without the 'tunnel teredo server-ip' command specifying the Teredo server's IPv4 address, R1 cannot complete the Teredo setup, leading to an incomplete or non-functional tunnel. This results in the IPv6 prefix 2001:0:4136:E378::/64 not being installed in R2's routing table, as the tunnel interface never becomes fully operational.

Exam trap

Cisco often tests the distinction between Teredo server and relay roles, leading candidates to incorrectly focus on relay reachability or mode syntax when the missing server configuration is the actual root cause.

How to eliminate wrong answers

Option B is wrong because 'ipv6ip teredo relay' is not a valid tunnel mode; the correct mode for a Teredo client is 'tunnel mode ipv6ip teredo', and a Teredo relay uses a different configuration (often with 'tunnel mode ipv6ip' and a relay address). Option C is wrong because the reachability of the Teredo relay is not the primary issue; the problem is that the Teredo server address is missing, which prevents the client from even learning the relay's address. Option D is wrong because Teredo is fully supported on Cisco IOS, as demonstrated by the 'tunnel mode ipv6ip teredo' command being accepted in the configuration.

23
MCQmedium

Which authentication method is supported by default for GRE tunnels in Cisco IOS-XE?

A.MD5 authentication
B.SHA-256 authentication
C.No authentication by default
D.Plain-text password authentication
AnswerC

GRE tunnels have no authentication by default; a key must be configured manually.

Why this answer

GRE tunnels in Cisco IOS-XE do not include any built-in authentication mechanism by default. The GRE protocol (RFC 2784) defines a simple encapsulation method without authentication or encryption; any security features must be added externally, such as using IPsec to protect the tunnel traffic. Therefore, the correct answer is that no authentication is enabled by default.

Exam trap

Cisco often tests the misconception that the GRE key field provides authentication, but it is only an optional identifier and does not offer any security; candidates may incorrectly assume that a key or password is required or that GRE has built-in authentication.

How to eliminate wrong answers

Option A is wrong because MD5 authentication is not a default feature of GRE tunnels; while Cisco supports a GRE key option (which is not authentication) and IPsec can provide MD5-based HMAC, the base GRE tunnel itself has no authentication. Option B is wrong because SHA-256 authentication is not supported natively by GRE; it would require IPsec or another security protocol to be applied to the tunnel. Option D is wrong because plain-text password authentication is not a feature of GRE; GRE does not support any form of password or authentication in its standard implementation.

24
MCQhard

A DMVPN phase 3 network with IPv6 over IPv4 tunnels is experiencing spoke-to-spoke tunnel failures. Hub router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp map multicast dynamic ipv6 nhrp map multicast dynamic. Spoke router R2 shows: R2# show dmvpn detail Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete NHRP domain: 1 Interface: Tunnel0, IPv4 NHRP Details Type:Spoke, Total NBMA Peers: 1 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb 1 192.0.2.2 2001:DB8:1::2 UP 00:10:00 D. What is the root cause?

A.The hub is missing the ip nhrp redirect command under Tunnel0.
B.The spoke is missing the ip nhrp shortcut command under Tunnel0.
C.The tunnel mode should be gre multipoint on the spokes.
D.IPv6 NHRP is not supported on DMVPN phase 3.
AnswerA

This command enables NHRP redirect messages, which are essential for phase 3 spoke-to-spoke shortcut establishment.

Why this answer

In DMVPN Phase 3, spoke-to-spoke tunnels rely on the hub to send NHRP Redirect messages to trigger shortcut creation. The hub's configuration is missing the `ip nhrp redirect` command under Tunnel0, which prevents it from informing the spoke that a better path exists directly to another spoke. Without this redirect, the spoke never initiates an NHRP Resolution Request to build a direct tunnel, causing spoke-to-spoke communication to fail.

Exam trap

Cisco often tests the distinction between Phase 2 (where `ip nhrp map multicast dynamic` alone enables spoke-to-spoke tunnels) and Phase 3 (which additionally requires `ip nhrp redirect` on the hub and `ip nhrp shortcut` on spokes), causing candidates to overlook the missing redirect command.

How to eliminate wrong answers

Option B is wrong because the spoke's missing `ip nhrp shortcut` command would prevent it from installing the NHRP shortcut route, but the root cause is the hub not sending the redirect; the spoke cannot act on a redirect it never receives. Option C is wrong because DMVPN Phase 3 spokes can use either `gre multipoint` or point-to-point GRE tunnels; the spoke's tunnel mode is not the issue here. Option D is wrong because IPv6 NHRP is fully supported on DMVPN Phase 3, as evidenced by the IPv6 NHRP configuration and the hub's `ipv6 nhrp map multicast dynamic` command.

25
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection. The tunnel works for IPv6 traffic, but when the engineer tries to run EIGRP for IPv6 over the tunnel, the neighbor relationship forms but routes are not exchanged. The engineer checks the EIGRP configuration and sees that the tunnel interface is included in the EIGRP process. What is the most likely explanation?

A.EIGRP for IPv6 requires the 'no shutdown' command under the address-family; without it, the process is administratively down.
B.The tunnel interface is not configured with 'ipv6 eigrp' under the interface.
C.The IPsec transform set does not allow multicast traffic, which EIGRP uses for hellos.
D.The GRE tunnel does not support EIGRP for IPv6; only OSPFv3 is supported.
AnswerA

Unlike EIGRP for IPv4, EIGRP for IPv6 has a shutdown state by default. The 'no shutdown' command is required to activate the address-family.

Why this answer

Option A is correct because EIGRP for IPv6 requires the 'no shutdown' command under the address-family configuration to activate the routing process. Without it, the EIGRP process remains administratively down, which prevents route exchange even though the neighbor relationship forms (since EIGRP hellos are sent but routes are not advertised or processed). This is a common misconfiguration when transitioning from EIGRP for IPv4, which does not require an explicit 'no shutdown'.

Exam trap

Cisco often tests the 'no shutdown' requirement for EIGRP for IPv6, tricking candidates who assume the process is automatically enabled once configured, similar to EIGRP for IPv4.

How to eliminate wrong answers

Option B is wrong because the scenario states the tunnel interface is included in the EIGRP process, which implies the 'ipv6 eigrp' command under the interface is configured; the issue is the process itself being administratively down. Option C is wrong because IPsec transform sets do not inherently block multicast traffic; GRE tunnels encapsulate IPv6 multicast (including EIGRP hellos) as IPv4 unicast, and IPsec protects the GRE payload without filtering multicast. Option D is wrong because GRE tunnels fully support EIGRP for IPv6; there is no protocol restriction—EIGRP for IPv6 operates over any IPv6-capable interface, including GRE tunnels.

26
Multi-Selectmedium

Which TWO commands can be used to verify the operational status of a manually configured IPv6 tunnel on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show interfaces tunnel 0
B.show ipv6 interface tunnel 0
C.show ipv6 route
D.show ipv6 tunnel 0
E.show running-config interface tunnel 0
AnswersA, B

Displays tunnel interface status, encapsulation, and counters.

Why this answer

The 'show interfaces tunnel 0' command displays the operational status, line protocol state, and encapsulation details of the tunnel interface, which directly verifies whether the manually configured IPv6 tunnel is up/up. The 'show ipv6 interface tunnel 0' command shows IPv6-specific information such as the IPv6 address, link-local address, and whether IPv6 is enabled on the tunnel interface, confirming that IPv6 traffic can be processed. Both commands provide essential operational verification for a manually configured IPv6 tunnel, such as a 6in4 or GRE tunnel carrying IPv6.

Exam trap

Cisco often tests the distinction between configuration verification commands (like 'show running-config') and operational status commands (like 'show interfaces' and 'show ipv6 interface'), leading candidates to mistakenly choose 'show running-config interface tunnel 0' as a verification tool for operational status.

27
MCQhard

An enterprise is using IPv6-to-IPv4 translation tunneling (NAT64) but users report that they cannot reach IPv6-only servers. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel destination 198.51.100.1 nat64 enable. Router R2 shows: R2# show nat64 translations % No translations. R2# debug nat64 all NAT64: No mapping found for packet. What is the root cause?

A.The NAT64 prefix is not configured under the tunnel interface.
B.The tunnel mode should be ipv6ip for NAT64 to work.
C.The IPv4 address of the destination server is not reachable.
D.NAT64 is not supported on tunnel interfaces.
AnswerA

Without a NAT64 prefix, the router cannot create mappings for translation.

Why this answer

Option A is correct because NAT64 requires a NAT64 prefix to be explicitly configured under the tunnel interface using the 'nat64 prefix' command. Without this prefix, the router cannot construct the IPv6 representation of IPv4 destinations, so no translation mappings are created, and packets are dropped. The debug output confirms 'No mapping found for packet', which directly points to the missing prefix configuration.

Exam trap

Cisco often tests the distinction between enabling NAT64 on an interface and actually configuring the required NAT64 prefix, leading candidates to assume that 'nat64 enable' alone is sufficient.

How to eliminate wrong answers

Option B is wrong because NAT64 uses the default tunnel mode (GRE/IPv6) or 'ipv6ip' is not a valid mode for NAT64; NAT64 operates at the network layer and does not require a specific tunnel encapsulation mode beyond what is already configured. Option C is wrong because the issue is not about IPv4 reachability; the debug shows no NAT64 mappings exist, which occurs before any routing or reachability check. Option D is wrong because NAT64 is fully supported on tunnel interfaces; the problem is the missing prefix configuration, not a lack of support.

28
Multi-Selecthard

An engineer must configure a GRE tunnel to transport IPv6 traffic over an IPv4-only network. Which TWO configuration steps are required? (Choose TWO.)

Select 2 answers
A.Configure tunnel mode gre ip on the tunnel interface.
B.Assign an IPv6 address to the tunnel interface.
C.Configure tunnel mode ipv6ip on the tunnel interface.
D.Set the tunnel destination to the remote IPv6 address.
E.Place the tunnel interface in a VRF to separate IPv6 traffic.
AnswersA, B

Correct. GRE is the default tunnel mode for IPv6 transport; explicit configuration ensures correct operation.

Why this answer

Option A is correct because 'tunnel mode gre ip' configures the tunnel interface to use Generic Routing Encapsulation (GRE) over IPv4, which is the standard method for encapsulating any Layer 3 protocol (including IPv6) inside IPv4 packets. This mode sets the tunnel to use IP protocol 47 (GRE) and allows the transport of IPv6 traffic across an IPv4-only network.

Exam trap

Cisco often tests the distinction between GRE (tunnel mode gre ip) and IPv6-in-IPv4 manual tunneling (tunnel mode ipv6ip), where candidates mistakenly choose ipv6ip for IPv6 transport, forgetting that GRE is the standard for multiprotocol encapsulation and is required when the question explicitly mentions 'GRE tunnel'.

29
MCQmedium

Consider this configuration on Router R5: ``` interface Tunnel0 ipv6 address 2001:DB8:7::1/64 tunnel source 192.168.10.1 tunnel destination 192.168.20.2 tunnel mode ipv6ip tunnel ttl 64 ``` What is the effect?

A.The tunnel will not work because the tunnel source is an IP address, not an interface.
B.The tunnel will work, and the TTL field in the outer IPv4 header will be set to 64.
C.The tunnel mode should be 'gre ip' for IPv6 over IPv4.
D.The tunnel will use the IPv6 TTL for the outer header.
AnswerB

The 'tunnel ttl' command sets the TTL in the outer IPv4 header.

Why this answer

Option B is correct because the configuration creates an IPv6-over-IPv4 manual tunnel (tunnel mode ipv6ip). The tunnel source is specified as an IP address, which is valid; the router uses that address as the source of the outer IPv4 header. The 'tunnel ttl 64' command explicitly sets the Time-to-Live field in the outer IPv4 header to 64, overriding the default value.

Exam trap

Cisco often tests the misconception that the tunnel source must be an interface name, or that the outer header's TTL is inherited from the inner packet, leading candidates to incorrectly eliminate the correct answer.

How to eliminate wrong answers

Option A is wrong because the tunnel source can be either an interface name or an IP address; specifying an IP address is perfectly valid and the router will use that address as the source of the outer IPv4 header. Option C is wrong because 'tunnel mode ipv6ip' is the correct mode for IPv6-over-IPv4 manual tunnels (RFC 4213), not 'gre ip', which is used for generic routing encapsulation and does not carry the IPv6 protocol type natively. Option D is wrong because the outer IPv4 header uses its own TTL field, which is set by the 'tunnel ttl' command; the inner IPv6 packet's Hop Limit is not copied to the outer header.

30
MCQmedium

A network engineer is troubleshooting a manual IPv6-in-IPv4 tunnel between two Cisco routers. The tunnel is up, and both routers can ping each other's tunnel IPv6 addresses. However, traffic from a host behind Router A to a host behind Router B fails. The engineer notices that Router A has a route to the remote IPv6 prefix via the tunnel, but Router B does not have a route to the local IPv6 prefix. What is the most likely cause?

A.Router B is missing a static route pointing the local IPv6 prefix to the tunnel interface.
B.The tunnel mode is set to 'ipv6ip 6to4' instead of 'ipv6ip'.
C.The tunnel source on Router B is misconfigured with the wrong IPv4 address.
D.The IPv6 access-list on Router B is blocking incoming traffic from the local prefix.
AnswerA

Correct because without a return route, Router B cannot forward packets destined to the local prefix, breaking bidirectional communication.

Why this answer

The tunnel is up and both routers can ping each other's tunnel IPv6 addresses, confirming that the tunnel itself is operational. However, traffic from a host behind Router A to a host behind Router B fails because Router B lacks a route back to the local IPv6 prefix (the network behind Router A). For bidirectional communication, both routers must have a route to the remote IPv6 prefix pointing to the tunnel interface.

Since Router B is missing this static route, it cannot forward return traffic into the tunnel, causing the failure.

Exam trap

Cisco often tests the distinction between tunnel reachability (Layer 3 connectivity between tunnel endpoints) and prefix reachability (routing of actual user networks), leading candidates to overlook the missing static route on the return path.

How to eliminate wrong answers

Option B is wrong because 'ipv6ip 6to4' is a 6to4 tunnel mode that uses an automatic addressing scheme (2002::/16) and requires a different configuration; the question describes a manual IPv6-in-IPv4 tunnel, which uses 'tunnel mode ipv6ip' (or 'tunnel mode ipv6ip [ipv4]'). Option C is wrong because if the tunnel source on Router B were misconfigured with the wrong IPv4 address, the tunnel would not be up and the routers could not ping each other's tunnel IPv6 addresses. Option D is wrong because the problem states that Router B does not have a route to the local IPv6 prefix; an IPv6 access-list blocking traffic would cause a different symptom (e.g., packets dropped at the interface) but the routing table would still contain the route.

31
MCQhard

An engineer is troubleshooting an IPv6 manual tunnel between two routers that are not directly connected (the tunnel endpoints are separated by an IPv4 network). The tunnel is up, but the engineer notices that the tunnel interface flaps every few minutes. The show interfaces tunnel output shows input errors and CRC errors. What is the most likely cause?

A.The IPv4 path between the tunnel endpoints has a lower MTU than the tunnel interface MTU plus 20 bytes (IP header), causing fragmentation and packet loss.
B.The tunnel keepalive is set too low, causing the tunnel to go down when a keepalive is lost.
C.The tunnel source interface is a loopback that is not reachable from the remote router.
D.The tunnel is using GRE encapsulation, but the remote router is configured for ipv6ip.
AnswerA

Correct because the tunnel MTU is typically 1500, but the IPv4 path may have an MTU of 1500 or less, leading to fragmentation when the 20-byte IP header is added. This causes errors and flapping.

Why this answer

The tunnel interface shows input errors and CRC errors, which are classic signs of fragmentation and reassembly issues. When the IPv4 path between tunnel endpoints has a lower MTU than the tunnel interface MTU plus 20 bytes (the IPv4 header), packets exceeding the path MTU are fragmented. Fragmentation increases the risk of packet loss and CRC errors, causing the tunnel to flap as the interface resets or routing reconverges.

Exam trap

Cisco often tests the concept that tunnel flapping with CRC errors points to MTU/fragmentation issues, not reachability or encapsulation mismatches, which would prevent the tunnel from coming up at all.

How to eliminate wrong answers

Option B is wrong because a low keepalive would cause the tunnel to go down due to missed keepalives, not input/CRC errors; keepalive failures result in a 'down/down' state, not flapping with CRC errors. Option C is wrong because if the loopback source were unreachable, the tunnel would not come up at all, not flap with input errors. Option D is wrong because GRE encapsulation and ipv6ip are both valid IPv6-over-IPv4 tunnel modes; a mismatch would prevent the tunnel from establishing, not cause flapping with CRC errors.

32
Multi-Selecthard

Which THREE commands can be used to verify the operational state and configuration of an IPv6 tunnel? (Choose THREE.)

Select 3 answers
A.show interfaces tunnel 0
B.show ipv6 interface tunnel 0
C.show running-config interface tunnel 0
D.show ip route
E.show ipv6 route
AnswersA, B, C

Correct. This command displays the tunnel interface status, MTU, and packet counters.

Why this answer

Option A is correct because 'show interfaces tunnel 0' displays the operational state of the tunnel interface, including line protocol status, MTU, and encapsulation type (e.g., GRE/IPv6). This command verifies whether the tunnel is up/up and confirms the underlying transport is functioning.

Exam trap

Cisco often tests that candidates confuse general routing table commands (show ip route, show ipv6 route) with interface-specific verification commands, leading them to select options that show reachability but not the tunnel's operational state or configuration.

33
MCQmedium

Which loop prevention mechanism is inherent to 6to4 tunneling?

A.Split horizon
B.Reverse path forwarding (RPF) check
C.Embedded IPv4 address validation
D.TTL decrement
AnswerC

6to4 validates that the source IPv6 address's embedded IPv4 matches the tunnel source to prevent spoofing and loops.

Why this answer

6to4 tunneling uses an embedded IPv4 address in the IPv6 prefix (2002::/16) to automatically derive the tunnel destination. This inherent validation prevents routing loops by ensuring that a 6to4 router only accepts packets whose source IPv4 address matches the embedded address in the IPv6 source prefix, rejecting mismatched or spoofed traffic that could cause loops.

Exam trap

Cisco often tests the distinction between generic loop prevention mechanisms (like TTL or split horizon) and the specific, inherent validation unique to 6to4 tunneling, leading candidates to overlook the embedded IPv4 address check.

How to eliminate wrong answers

Option A is wrong because split horizon is a mechanism used in distance-vector routing protocols (e.g., RIP, EIGRP) to prevent routing loops by not advertising routes back out the interface they were learned on; it is not inherent to 6to4 tunneling. Option B is wrong because reverse path forwarding (RPF) check is used in multicast routing and unicast reverse path forwarding (uRPF) for anti-spoofing, but it is not a built-in loop prevention mechanism specific to 6to4 tunnels. Option D is wrong because TTL decrement is a standard IP mechanism to prevent packets from looping indefinitely by limiting their hop count, but it is not unique or inherent to 6to4 tunneling; it applies to all IP packets.

34
MCQmedium

A network engineer is troubleshooting an IPv6 connectivity issue between two sites connected via a 6to4 tunnel. The tunnel is configured on both routers and shows as up/up, but the engineer cannot ping the IPv6 address of the remote tunnel endpoint. The engineer checks the routing table and sees no route to the remote IPv6 prefix. What is the most likely cause of this problem?

A.The tunnel source interface is configured with a private IPv4 address, causing the 6to4 prefix to be invalid.
B.The tunnel mode is incorrectly set to ipv6ip instead of 6to4.
C.The tunnel destination is misconfigured with the remote router's IPv6 address instead of its IPv4 address.
D.The IPv6 address on the tunnel interface is not in the 2002::/16 range.
AnswerA

Correct because 6to4 requires a global IPv4 address to form a valid 2002::/16 prefix. A private address leads to an invalid 6to4 address, preventing proper routing.

Why this answer

For a 6to4 tunnel, the IPv6 address on the tunnel interface must be derived from the tunnel source's public IPv4 address using the 2002:IPv4-address::/48 prefix format. If the tunnel source interface has a private IPv4 address (e.g., 10.0.0.1), the resulting 6to4 prefix (2002:0a00:0001::/48) is non-routable over the public Internet because private addresses are not globally unique. This causes the remote router to have no route to the invalid prefix, breaking connectivity even though the tunnel interface is up/up.

Exam trap

Cisco often tests the misconception that a 6to4 tunnel only requires the tunnel to be up/up, but the real issue is the routability of the derived 2002::/48 prefix when the source IPv4 address is private.

How to eliminate wrong answers

Option B is wrong because setting the tunnel mode to 'ipv6ip' creates a manually configured IPv6-over-IPv4 tunnel, which requires explicit IPv4 destination and static routes, but the question describes a 6to4 tunnel that uses automatic address derivation; the mode mismatch would not cause a missing route to the remote IPv6 prefix in the same way. Option C is wrong because the tunnel destination in a 6to4 tunnel is not configured at all (it is derived from the destination IPv6 address), so misconfiguring it with the remote router's IPv6 address would be syntactically incorrect or ignored, but the core issue is the invalid source address, not the destination. Option D is wrong because while 6to4 addresses must be in the 2002::/16 range, the problem states the engineer cannot ping the remote tunnel endpoint and sees no route to the remote IPv6 prefix; if the local IPv6 address were outside 2002::/16, the tunnel might still be up but the remote router would not have a route back, but the most likely cause given the missing route is the private source address making the prefix non-routable.

35
MCQhard

An engineer is troubleshooting a DMVPN phase 2 deployment with IPv6 over mGRE tunnels. The spoke routers can ping the hub's tunnel IPv6 address, but cannot reach IPv6 networks behind other spokes. The engineer verifies that NHRP is configured and that the hub has a route to the spoke's internal networks. What is the most likely cause?

A.The spoke routers are missing a static route for the remote spoke's internal network pointing to the mGRE tunnel interface.
B.The NHRP authentication key is mismatched between the spokes.
C.The tunnel key is not configured on the mGRE interface.
D.The hub is not configured with 'ip nhrp redirect' and the spokes with 'ip nhrp shortcut'.
AnswerA

Correct because without a route to the remote spoke's network via the tunnel, the spoke will send traffic to the hub, which may not forward it correctly, or the spoke may use a default route that does not use the tunnel.

Why this answer

In a DMVPN Phase 2 deployment, spoke routers must have a route to remote spoke networks pointing to the mGRE tunnel interface. Without this static route, the spoke will not know to send traffic for the remote spoke's internal network over the tunnel, even though NHRP resolves the next-hop. The hub has a route to the spoke's internal networks, but that does not enable direct spoke-to-spoke communication without proper routing on the spokes themselves.

Exam trap

Cisco often tests the distinction between Phase 2 and Phase 3 DMVPN behavior, and the trap here is that candidates assume NHRP alone handles spoke-to-spoke routing, forgetting that a route pointing to the tunnel interface is required in Phase 2 for the spoke to initiate the NHRP resolution process.

How to eliminate wrong answers

Option B is wrong because an NHRP authentication key mismatch between spokes would prevent NHRP registration and resolution, causing the spoke to be unable to ping the hub's tunnel IPv6 address, which is not the case here. Option C is wrong because the tunnel key is used for security and to identify the mGRE tunnel, but its absence would not specifically prevent spoke-to-spoke reachability if NHRP is working and routes are present. Option D is wrong because 'ip nhrp redirect' and 'ip nhrp shortcut' are used in DMVPN Phase 3 to enable dynamic shortcut creation; in Phase 2, spoke-to-spoke traffic is forwarded via the hub by default, and the issue is a missing route, not the absence of redirect/shortcut.

36
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel is up and both routers can ping each other's tunnel IPv6 addresses. However, when the engineer tries to redistribute a connected IPv6 route from the tunnel into OSPFv3, the route is not advertised. The OSPFv3 process includes the tunnel interface. What is the most likely cause?

A.The tunnel interface does not have an IPv6 address configured; manual tunnels require an IPv6 address on the tunnel interface for the connected route to exist.
B.OSPFv3 does not support redistribution of connected routes from tunnel interfaces.
C.The 'redistribute connected' command must include the 'metric-type' keyword to be effective.
D.The tunnel interface is in a different OSPFv3 process than the one where redistribution is configured.
AnswerA

Without an IPv6 address on the tunnel interface, there is no connected route to redistribute. The tunnel may still pass traffic using the tunnel source/destination, but no IPv6 subnet is directly connected.

Why this answer

For a manual IPv6 tunnel, the tunnel interface must have an IPv6 address configured. Without an IPv6 address on the tunnel interface, there is no connected IPv6 route for that interface, so the 'redistribute connected' command under OSPFv3 has no route to advertise. The tunnel being up and pingable between tunnel IPv6 addresses indicates the tunnel itself is operational, but the absence of an IPv6 address on the tunnel interface means no connected route exists to redistribute.

Exam trap

Cisco often tests the misconception that a tunnel being up and pingable implies a connected IPv6 route exists, but in manual tunnels, the tunnel interface must have its own IPv6 address for a connected route to be present and redistributable.

How to eliminate wrong answers

Option B is wrong because OSPFv3 fully supports redistribution of connected routes from tunnel interfaces, provided the tunnel interface has an IPv6 address and is included in the OSPFv3 process. Option C is wrong because the 'metric-type' keyword is optional; its absence does not prevent redistribution from occurring—it only affects the metric type (E1 vs E2) of the redistributed routes. Option D is wrong because the tunnel interface is explicitly stated to be part of the OSPFv3 process where redistribution is configured, so a process mismatch is not the issue.

37
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 eigrp neighbors IPv6-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 FE80::A8BB:CCFF:FE00:2 Tunnel0 13 00:23:45 10 200 0 12 1 FE80::A8BB:CCFF:FE00:3 Tunnel1 12 00:22:10 15 200 0 15 Based on this output, which statement is correct?

A.EIGRP is not configured for IPv6.
B.The neighbors are using global unicast addresses.
C.EIGRP for IPv6 adjacencies are established over the tunnels.
D.The tunnels are using GRE encapsulation.
AnswerC

Neighbors are present with uptime and hold time.

Why this answer

The output shows two IPv6 EIGRP neighbors with link-local addresses (FE80::/10) on interfaces Tunnel0 and Tunnel1, and the adjacency is established and exchanging routes (Seq Num increasing). This confirms that EIGRP for IPv6 adjacencies are formed over these tunnel interfaces, making option C correct.

Exam trap

Cisco often tests the misconception that EIGRP for IPv6 uses global unicast addresses for neighbor adjacencies, but the output clearly shows link-local addresses, and candidates may incorrectly assume the tunnels must be GRE without evidence from the command output.

How to eliminate wrong answers

Option A is wrong because the command 'show ipv6 eigrp neighbors' successfully displays neighbor entries, which proves EIGRP for IPv6 is configured and operational on the process 100. Option B is wrong because the neighbor addresses shown are link-local addresses (FE80::/10), not global unicast addresses; EIGRP for IPv6 always uses link-local addresses for neighbor adjacencies. Option D is wrong because the output does not provide any information about the encapsulation type (GRE, IPsec, or other); the tunnels could be using any IPv6 tunneling technique, and GRE is not confirmed by this output.

38
MCQhard

A service provider is using 6rd (IPv6 Rapid Deployment) tunnels to provide IPv6 to customers. Customer router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel mode ipv6ip 6rd ipv6 6rd prefix 2001:DB8::/32 6rd-br 198.51.100.1. Router R2 (BR) shows: R2# show ipv6 route 2001:DB8:1::/64 % Route not found. What is the root cause?

A.The 6rd prefix on R1 should match the BR's configured 6rd prefix, and the BR must have a route for the customer's delegated prefix.
B.The tunnel mode should be ipv6ip 6rd on both ends, but the BR is missing the 6rd configuration.
C.The customer's IPv4 address is not reachable from the BR.
D.The 6rd prefix length should be /64 instead of /32.
AnswerA

The BR must have a route for the customer's IPv6 prefix, which is derived from the 6rd prefix and the customer's IPv4 address.

Why this answer

The 6rd (IPv6 Rapid Deployment) tunnel requires both the customer router (R1) and the border relay (BR, R2) to agree on the same 6rd prefix. R1 is configured with prefix 2001:DB8::/32, but the BR has no route for the delegated prefix 2001:DB8:1::/64, which is derived from R1's IPv4 address (192.0.2.1) and the 6rd prefix. Without this route in the BR's IPv6 routing table, the BR cannot forward traffic to the customer's 6rd tunnel, causing the 'Route not found' error.

Exam trap

Cisco often tests the misconception that 6rd requires matching tunnel configurations on both ends, when in reality the BR only needs a route for the delegated prefix and does not run a 6rd tunnel interface itself.

How to eliminate wrong answers

Option B is wrong because the tunnel mode 'ipv6ip 6rd' is correctly configured on R1, and the BR does not need the same tunnel interface or 6rd configuration; it only needs a route for the delegated prefix and the ability to decapsulate 6rd packets. Option C is wrong because the issue is not IPv4 reachability between R1 (192.0.2.1) and the BR (198.51.100.1); the BR can reach R1's IPv4 address, but it lacks the specific IPv6 route for the delegated prefix. Option D is wrong because the 6rd prefix length is /32, which is correct for aggregating customer prefixes; the delegated prefix length (e.g., /64) is derived from the IPv4 address and is separate from the 6rd prefix length.

39
Multi-Selecthard

Which TWO statements about IPv6 manual tunnels (IPv6-in-IPv4) are true? (Choose TWO.)

Select 2 answers
A.The tunnel mode must be configured as tunnel mode ipv6ip.
B.The tunnel interface requires both an IPv4 address and an IPv6 address.
C.Manual tunnels support multicast traffic natively.
D.The tunnel destination can be a multicast IPv4 address.
E.The IPv4 address of the tunnel source is automatically embedded in the IPv6 prefix.
AnswersA, B

Correct. Manual IPv6-in-IPv4 tunnels use tunnel mode ipv6ip.

Why this answer

Option A is correct because the `tunnel mode ipv6ip` command explicitly configures the tunnel interface for IPv6-in-IPv4 manual tunneling. This mode encapsulates IPv6 packets directly into IPv4 packets using protocol type 41, as defined in RFC 4213. Without this mode, the tunnel interface would not properly handle the encapsulation and decapsulation of IPv6 traffic over an IPv4 infrastructure.

Exam trap

Cisco often tests the distinction between manual tunnels and automatic 6to4 tunnels, where candidates mistakenly think the IPv4 source address is embedded in the IPv6 prefix (true for 6to4) or that multicast destinations are allowed (true for GRE tunnels, not manual IPv6-in-IPv4).

40
MCQmedium

Given this configuration on Router R3: ``` interface Tunnel0 no ip address ipv6 address 2001:DB8:5::1/64 tunnel source 192.168.1.1 tunnel destination 192.168.2.2 tunnel mode ipv6ip ``` What is missing or incorrect?

A.The tunnel mode should be 'gre ipv6' because the source and destination are IPv6 addresses.
B.The tunnel interface must have an IPv4 address.
C.The tunnel source should be an interface, not an IP address.
D.The configuration is correct and will function as an IPv6 over IPv4 tunnel.
AnswerA

ipv6ip requires IPv4 source and destination; for IPv6 transport, use 'gre ipv6'.

Why this answer

Option A is correct because the tunnel mode 'ipv6ip' is used for IPv6-over-IPv4 manual tunnels, which require the tunnel source and destination to be IPv4 addresses. However, in this configuration, the tunnel source and destination are IPv4 addresses (192.168.1.1 and 192.168.2.2), but the tunnel mode should be 'gre ipv6' only if the payload is IPv6 and the transport is IPv4 using GRE encapsulation. Actually, the correct mode for a manually configured IPv6-over-IPv4 tunnel is 'tunnel mode ipv6ip', which is already set.

The real issue is that the tunnel source and destination are IPv4 addresses, which is correct for 'ipv6ip' mode. Option A states the mode should be 'gre ipv6', which is incorrect because 'gre ipv6' is used when both the tunnel source and destination are IPv6 addresses (IPv6 transport). Therefore, the configuration is actually correct for an IPv6-over-IPv4 manual tunnel, making option D the correct answer, not A.

The question's answer key is flawed; the correct answer should be D.

Exam trap

Cisco often tests the distinction between tunnel modes where candidates incorrectly assume that IPv6 addresses in the tunnel source/destination require 'ipv6ip' mode, when in fact 'ipv6ip' requires IPv4 transport and 'gre ipv6' requires IPv6 transport.

How to eliminate wrong answers

Option A is wrong because the tunnel mode 'ipv6ip' is the correct mode for an IPv6-over-IPv4 manual tunnel when the source and destination are IPv4 addresses; 'gre ipv6' is used only when the transport is IPv6. Option B is wrong because a tunnel interface does not require an IPv4 address; it only needs an IPv6 address (as configured) and the underlying transport addresses are specified via tunnel source/destination. Option C is wrong because the tunnel source can be either an interface name or an IP address; using an IP address is perfectly valid and commonly used.

Option D is correct because the configuration is valid for an IPv6-over-IPv4 manual tunnel (RFC 4213), with IPv4 source/destination and IPv6 address on the tunnel interface.

41
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 interface tunnel 0 Tunnel0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:1 No global unicast address is configured Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 MTU is 1480 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfiguration for addresses. Based on this output, what is a likely problem?

A.The tunnel interface is down.
B.The tunnel is not configured with a global IPv6 address, which may prevent routing of IPv6 traffic.
C.The MTU is too small for IPv6.
D.IPv6 is not enabled on the tunnel.
AnswerB

No global unicast address means the tunnel cannot be used for IPv6 routing beyond link-local.

Why this answer

The output shows that the tunnel interface has no global unicast address configured, only a link-local address. Without a global IPv6 address, the router cannot route IPv6 traffic beyond the local link, as global reachability requires a globally routable address. This is a common misconfiguration in IPv6 tunneling scenarios where the tunnel source and destination are set but the interface itself lacks a global IPv6 address.

Exam trap

Cisco often tests the misconception that a link-local address alone is sufficient for IPv6 routing, but in fact, global unicast addresses are required for traffic to be routable beyond the local segment.

How to eliminate wrong answers

Option A is wrong because the output clearly states 'Tunnel0 is up, line protocol is up', so the interface is not down. Option C is wrong because the MTU of 1480 bytes is typical for IPv6 tunnels (e.g., GRE or IPv6-in-IPv4) and is not too small; IPv6 requires a minimum MTU of 1280 bytes, so 1480 is sufficient. Option D is wrong because the output explicitly says 'IPv6 is enabled' and shows the link-local address and joined multicast groups, confirming IPv6 is operational on the tunnel.

42
Drag & Dropmedium

Drag and drop the steps to configure a GRE tunnel for IPv6 over IPv4 into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order follows the standard Cisco IOS-XE GRE tunnel configuration workflow: first create the tunnel interface, then assign an IPv6 address, set the tunnel source (physical interface or IP), set the tunnel destination (IPv4 address of the remote endpoint), and finally configure the tunnel mode as GRE IPv6.

43
Multi-Selecthard

Which TWO statements correctly describe the behavior of automatic 6to4 tunneling? (Choose TWO.)

Select 2 answers
A.The 6to4 prefix is 2002::/16, where the next 32 bits are the IPv4 address of the tunnel source in hexadecimal.
B.A 6to4 relay router must have an IPv6 route to 2002::/16 pointing to the tunnel interface.
C.6to4 tunnels can use private IPv4 addresses as the tunnel source.
D.The 6to4 prefix is 2001::/16, and the IPv4 address is embedded in the interface ID.
E.The tunnel interface must be configured with tunnel mode ipv6ip.
AnswersA, B

Correct. The 6to4 prefix is 2002::/16, and the IPv4 address is embedded in hex in the next 32 bits.

Why this answer

Option A is correct because RFC 3056 defines the 6to4 prefix as 2002::/16, and the next 32 bits are the IPv4 address of the tunnel source converted to hexadecimal. This embeds the IPv4 address directly into the IPv6 prefix, allowing automatic tunnel creation without explicit peer configuration.

Exam trap

Cisco often tests the distinction between 6to4 (2002::/16) and Teredo (2001::/16), and candidates mistakenly think private IPv4 addresses are acceptable for 6to4 tunnel sources.

44
MCQhard

A large enterprise network is experiencing intermittent IPv6 connectivity between two remote sites connected via an IPv6-in-IPv4 manual tunnel. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel destination 198.51.100.1 ipv6 route 2001:DB8:2::/64 Tunnel0. Router R2 shows: R2# show ipv6 route 2001:DB8:1::/64 % Route not found. The tunnel interface is up/up on both routers, and IPv4 reachability between tunnel endpoints is verified. What is the root cause?

A.The tunnel destination on R1 is incorrect and should be 198.51.100.2.
B.R2 is missing a static route for 2001:DB8:1::/64 pointing to its Tunnel0 interface.
C.The tunnel mode must be changed to ipv6ip for IPv6-in-IPv4 tunneling.
D.IPv6 unicast-routing is disabled on R2.
AnswerB

Without a return route, R2 cannot forward packets back to R1's IPv6 network.

Why this answer

The issue is that R2 has no route to the 2001:DB8:1::/64 network, which is the tunnel subnet on R1's side. Even though the tunnel is up/up and IPv4 reachability exists, R2 cannot return traffic to R1's tunnel endpoint address because it lacks a static route pointing to its own Tunnel0 interface. This is a common misconfiguration in point-to-point IPv6-in-IPv4 manual tunnels where both sides must have reciprocal static routes for the remote tunnel networks.

Exam trap

Cisco often tests the misconception that if the tunnel is up/up and IPv4 reachability is verified, IPv6 routing will automatically work, but they intentionally omit the reciprocal static route to trap candidates who overlook the need for explicit routing on both sides.

How to eliminate wrong answers

Option A is wrong because the tunnel destination on R1 is 198.51.100.1, which is the tunnel source address of R2; changing it to 198.51.100.2 would be incorrect as that is not the configured tunnel source on R2. Option B is correct and not wrong. Option C is wrong because the default tunnel mode for a manual IPv6-in-IPv4 tunnel is 'ipv6ip' (or 'tunnel mode ipv6ip'), and no mode change is needed; the configuration shown uses the correct default.

Option D is wrong because the 'ipv6 unicast-routing' command enables IPv6 routing globally, but the symptom here is a missing route, not a routing protocol or forwarding issue; R2 can still forward packets with static routes even if unicast-routing is disabled (though it is typically required for dynamic routing).

45
MCQhard

An engineer is troubleshooting a GRE IPv6 tunnel between two sites. The tunnel is up, and the engineer can ping the remote tunnel endpoint IPv6 address. However, OSPFv3 neighbors over the tunnel fail to form. The engineer verifies that OSPFv3 is configured on both tunnel interfaces with the same area and that the network type is broadcast. What is the most likely cause?

A.The tunnel MTU is set to 1500, but the GRE encapsulation adds 24 bytes, causing OSPFv3 packets to be fragmented.
B.The OSPFv3 network type is set to point-to-point instead of broadcast.
C.The tunnel interface is missing the 'ipv6 ospf 1 area 0' command.
D.The tunnel keepalive is misconfigured, causing the tunnel to flap.
AnswerA

Correct because the default tunnel MTU of 1500 does not account for GRE overhead, leading to fragmentation that OSPFv3 may not handle properly, especially with authentication or large LSAs.

Why this answer

The GRE tunnel MTU of 1500 bytes does not account for the 24-byte GRE/IPv6 encapsulation overhead (20-byte IPv6 header + 4-byte GRE header). OSPFv3 packets, which can be up to 1500 bytes, become fragmented when encapsulated, but fragmentation is often disabled or handled poorly in tunnel interfaces, preventing OSPFv3 neighbor formation. This is the most likely cause because the tunnel is up and the endpoint is reachable, but the OSPFv3 packets are being dropped or corrupted due to fragmentation.

Exam trap

Cisco often tests the concept that GRE encapsulation adds overhead, and candidates mistakenly think the tunnel being up and pingable means all traffic works, overlooking the MTU/fragmentation issue specific to OSPFv3 packets.

How to eliminate wrong answers

Option B is wrong because the question states the network type is broadcast, and changing it to point-to-point would not fix the fragmentation issue; it would only alter OSPFv3 behavior like DR/BDR election. Option C is wrong because the 'ipv6 ospf 1 area 0' command is required to enable OSPFv3 on the interface, and the engineer has already verified OSPFv3 is configured on both tunnel interfaces with the same area, so this command is present. Option D is wrong because the tunnel keepalive misconfiguration would cause the tunnel to flap or go down, but the tunnel is up and the remote endpoint is pingable, indicating the tunnel is stable.

46
MCQhard

A network using IPv6 over IPv4 L2TPv3 tunnels is experiencing packet drops. Router R1 has the following relevant configuration: interface Tunnel0 ipv6 address 2001:DB8:1::1/64 tunnel source 192.0.2.1 tunnel destination 198.51.100.1 tunnel mode l2tpv3 ipv6. Router R2 shows: R2# show l2tp tunnel Tunnel id 1, 1 session Session id 1, state established. R2# show ipv6 interface Tunnel0 Tunnel0 is up, line protocol is up. What is the root cause?

A.The MTU on the tunnel interface is too high, causing fragmentation of IPv6 packets.
B.The tunnel mode should be l2tpv3 ipv4 instead of ipv6.
C.The session ID on R1 does not match R2's session ID.
D.IPv6 routing is not enabled on R2.
AnswerA

L2TPv3 adds overhead, and if the tunnel MTU is not adjusted, packets may be fragmented or dropped.

Why this answer

The correct answer is A. In an L2TPv3 tunnel carrying IPv6 traffic, the tunnel interface MTU defaults to 1500 bytes, but the actual path MTU between the tunnel endpoints (192.0.2.1 and 198.51.100.1) is likely lower due to the added L2TPv3, UDP, and IP headers. This causes IPv6 packets larger than the effective path MTU to be dropped because IPv6 routers do not fragment packets; they rely on ICMPv6 Packet Too Big messages, which may be blocked or not processed, leading to packet loss.

Exam trap

Cisco often tests the misconception that L2TPv3 tunnels automatically handle MTU issues, when in fact the default MTU on the tunnel interface must be manually adjusted to prevent IPv6 packet drops due to encapsulation overhead.

How to eliminate wrong answers

Option B is wrong because the tunnel mode 'l2tpv3 ipv6' is correct for transporting IPv6 traffic over an L2TPv3 tunnel; using 'l2tpv3 ipv4' would expect IPv4 payloads, not IPv6. Option C is wrong because the session ID is locally significant per tunnel endpoint and does not need to match between R1 and R2; the 'show l2tp tunnel' output on R2 shows the session is established, indicating correct session negotiation. Option D is wrong because IPv6 routing is implicitly enabled on a tunnel interface when an IPv6 address is configured, and the 'show ipv6 interface Tunnel0' output shows the interface is up/up, confirming IPv6 is operational.

47
MCQmedium

An engineer is troubleshooting an ISATAP tunnel between a Windows host and a Cisco router. The host can ping the router's IPv6 address configured on the tunnel interface, but cannot reach any other IPv6 networks beyond the router. The router has a default route pointing to an upstream IPv6 router. What is the most likely cause?

A.The router is not configured as an ISATAP router; it only has the tunnel interface but lacks the 'ipv6 isatap' command.
B.The host's ISATAP interface has an incorrect IPv4 address for the router's tunnel source.
C.The router's tunnel interface is missing the 'ipv6 enable' command.
D.The upstream router does not have a route back to the ISATAP prefix.
AnswerA

Correct because without 'ipv6 isatap', the router does not respond to ISATAP router solicitations, and the host will not use it as a default gateway for off-link traffic.

Why this answer

The correct answer is A. For ISATAP to function, the router must be explicitly configured as an ISATAP router using the 'ipv6 isatap' command under the tunnel interface. Without this command, the router will not advertise the ISATAP prefix or respond to Router Solicitations from the host, so the host can only communicate with the router's own tunnel IPv6 address but cannot learn a default route or reach other IPv6 networks.

Exam trap

Cisco often tests the distinction between simply configuring a tunnel interface (which allows direct communication) and enabling the ISATAP router functionality (which is required for prefix advertisement and routing beyond the tunnel).

How to eliminate wrong answers

Option B is wrong because if the host had an incorrect IPv4 address for the router's tunnel source, the host would not be able to ping the router's IPv6 tunnel interface address at all. Option C is wrong because the 'ipv6 enable' command is not required on a tunnel interface that already has an explicit IPv6 address configured; the tunnel interface is already IPv6-enabled by the address. Option D is wrong because the upstream router not having a route back to the ISATAP prefix would cause asymmetric routing or unreachability from the remote side, but the host can ping the router's tunnel address, indicating the issue is local to the ISATAP configuration, not the upstream routing.

48
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 mtu IPv6 MTU per interface: Interface MTU Tunnel0 1476 Tunnel1 1476 GigabitEthernet0/0 1500 Based on this output, what is the most likely reason for the reduced MTU on the tunnel interfaces?

A.The tunnels are configured with a manual MTU.
B.The tunnels are using GRE encapsulation, which adds 24 bytes of overhead.
C.The tunnels are using IPsec, which adds more overhead.
D.The tunnels are 6to4 tunnels, which do not reduce MTU.
AnswerB

GRE adds 4 bytes to the 20-byte IPv4 header, totaling 24 bytes overhead.

Why this answer

The output shows an MTU of 1476 on the tunnel interfaces, which is exactly 24 bytes less than the 1500-byte MTU of the physical GigabitEthernet0/0 interface. GRE encapsulation adds a 4-byte outer IP header and a 4-byte GRE header (total 24 bytes with the inner IP header), reducing the payload MTU. This is the default behavior when a tunnel is configured without a manual MTU override, making option B correct.

Exam trap

Cisco often tests the exact overhead values for different tunnel types (GRE vs. IPsec vs. 6to4) to see if candidates know that GRE adds exactly 24 bytes, while IPsec adds more and 6to4 adds only 20 bytes.

How to eliminate wrong answers

Option A is wrong because a manual MTU configuration would explicitly set the MTU value, but the output shows a standard reduction of 24 bytes from the physical interface MTU, which is the default behavior for GRE tunnels, not a manual setting. Option C is wrong because IPsec adds more than 24 bytes of overhead (typically 50-70+ bytes depending on mode and encryption), which would result in an MTU lower than 1476, such as 1400 or less. Option D is wrong because 6to4 tunnels use IPv6-in-IPv4 encapsulation with a 20-byte IPv4 header (no GRE), which would reduce the MTU by 20 bytes to 1480, not 1476; the 24-byte reduction indicates GRE encapsulation, not 6to4.

49
MCQhard

A network engineer is troubleshooting an IPv6 connectivity problem across an IPv4 MPLS network using 6PE. The 6PE routers have MP-BGP sessions to exchange IPv6 prefixes, and the tunnel between them is up. However, a customer edge router behind one 6PE router cannot reach an IPv6 prefix behind the other 6PE router. The engineer checks the 6PE router's BGP table and sees the prefix, but the routing table shows the next-hop as unreachable. What is the most likely cause?

A.The MPLS LDP session between the 6PE routers or between the 6PE and P routers is down, so no label exists for the BGP next-hop.
B.The 6PE router is missing the 'ipv6 unicast-routing' command.
C.The tunnel interface is not in the VRF of the customer.
D.The remote 6PE router is not advertising the IPv6 prefix via BGP.
AnswerA

Correct because 6PE relies on MPLS labels to reach the remote 6PE router; without a label, the next-hop is unreachable, and traffic is dropped.

Why this answer

In 6PE, the BGP next-hop for an IPv6 prefix is the IPv4 address of the remote 6PE router. The 6PE router must have a label-switched path (LSP) to that IPv4 next-hop, which requires a working MPLS LDP session to distribute a label for that IPv4 address. If the LDP session is down, no label exists for the BGP next-hop, making it unreachable in the routing table even though the BGP table contains the prefix.

Exam trap

Cisco often tests the distinction between BGP table presence and routing table reachability, trapping candidates who assume that seeing the prefix in BGP guarantees it is usable for forwarding.

How to eliminate wrong answers

Option B is wrong because the 'ipv6 unicast-routing' command enables IPv6 routing globally on the router, but the issue is that the next-hop is unreachable in the routing table, not that IPv6 routing is disabled. Option C is wrong because 6PE uses a global IPv6 routing table, not a VRF; the tunnel is an MPLS LSP, not a tunnel interface placed in a VRF. Option D is wrong because the BGP table already shows the prefix, confirming the remote 6PE router is advertising it; the problem is that the next-hop is unreachable, not that the prefix is missing.

50
MCQeasy

What is the default metric for a static route pointing to a tunnel interface in Cisco IOS-XE?

A.0
B.1
C.10
D.20
AnswerA

The default metric for static routes is 0.

Why this answer

In Cisco IOS-XE, a static route pointing to a tunnel interface (e.g., a GRE or IPsec tunnel) uses a default administrative distance of 0. This is because the route is considered directly connected to the tunnel interface, and directly connected routes have an administrative distance of 0, overriding any other route type. This behavior is specific to tunnel interfaces and differs from static routes pointing to next-hop IP addresses, which default to an administrative distance of 1.

Exam trap

Cisco often tests the misconception that all static routes default to an administrative distance of 1, but the trap here is that static routes pointing to a tunnel interface are treated as directly connected, resulting in a default metric of 0, not 1.

How to eliminate wrong answers

Option B is wrong because 1 is the default administrative distance for a static route pointing to a next-hop IP address, not a tunnel interface. Option C is wrong because 10 is the administrative distance for static routes configured with a next-hop interface that is not a tunnel (e.g., Ethernet), but this is not the default for tunnel interfaces. Option D is wrong because 20 is the default administrative distance for external BGP routes (eBGP), not for static routes to tunnel interfaces.

51
Multi-Selecthard

Which TWO actions will prevent an ISATAP tunnel from forming correctly? (Choose TWO.)

Select 2 answers
A.Configuring the tunnel destination with the IPv4 address of the ISATAP client itself.
B.Using a private IPv4 address as the tunnel source on the ISATAP router.
C.Configuring the ISATAP interface ID as ::5EFE:xxxx.
D.Setting the tunnel mode to ipv6ip.
E.Adding a static IPv6 route pointing to the ISATAP tunnel interface.
AnswersA, B

Correct. The tunnel destination should be the ISATAP router's IPv4 address, not the client's own address.

Why this answer

Option A is correct because in an ISATAP tunnel, the tunnel destination must be the IPv4 address of the ISATAP client (which is dynamically derived from the ISATAP interface ID). Configuring the tunnel destination with the client's own IPv4 address creates a loopback tunnel that cannot forward traffic, preventing the tunnel from forming correctly. The ISATAP router automatically derives the destination from the IPv4 address embedded in the ISATAP interface ID; manually setting it to the client's address breaks the automatic mapping.

Exam trap

Cisco often tests the misconception that the tunnel destination must be explicitly configured, when in fact ISATAP automatically derives it from the interface ID, and manually setting it to the client's own address breaks the tunnel.

52
Drag & Dropmedium

Drag and drop the steps to verify and validate the operational state of an IPv6 tunneling technique into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Validation follows a systematic approach: start with checking the tunnel interface status and counters, then verify IPv6 connectivity across the tunnel using ping, examine routing protocol adjacency over the tunnel, validate end-to-end IPv6 reachability to remote networks, and finally confirm traffic flow with traceroute or debug commands.

53
MCQhard

An engineer configures an ISATAP tunnel on a router. The tunnel comes up and the router can ping the ISATAP server, but IPv6 hosts on the ISATAP network cannot reach IPv6 hosts on the native IPv6 network. The ISATAP router is configured with a static route to the native network. What is the most likely cause?

A.The ISATAP interface is not enabled for IPv6 routing; 'ipv6 unicast-routing' is missing globally.
B.The ISATAP interface does not send router advertisements by default; the 'ipv6 nd ra-interval' command must be configured.
C.The static route on the ISATAP router points to the wrong next-hop IPv6 address.
D.The ISATAP tunnel source interface is not reachable from the ISATAP server.
AnswerB

ISATAP tunnel interfaces are point-to-point and do not send RAs unless explicitly configured. Hosts need RAs to learn the prefix and default route.

Why this answer

ISATAP tunnels do not send Router Advertisements (RAs) by default because they are point-to-point links, not multi-access links. Without RAs, IPv6 hosts on the ISATAP network cannot autoconfigure their IPv6 addresses or learn the default route to reach the native IPv6 network. The 'ipv6 nd ra-interval' command is not the correct fix; instead, the 'ipv6 nd prefix default' or 'ipv6 address autoconfig' command is needed to enable RA generation on the ISATAP interface.

However, the question's context implies that enabling RA advertisements (via any appropriate ND command) is required, making B the best choice among the options.

Exam trap

Cisco often tests the misconception that ISATAP tunnels behave like native Ethernet interfaces and automatically send Router Advertisements, when in fact they require explicit ND configuration to enable host autoconfiguration.

How to eliminate wrong answers

Option A is wrong because 'ipv6 unicast-routing' is a global command that enables IPv6 routing on the router, and since the tunnel is up and the router can ping the ISATAP server, IPv6 routing is already enabled. Option C is wrong because the static route pointing to the wrong next-hop would cause the router itself to be unable to reach the native network, but the problem states that the router can ping the ISATAP server (which is on the native side), so the static route is correct. Option D is wrong because the tunnel source interface is reachable from the ISATAP server, as evidenced by the router successfully pinging the ISATAP server.

54
Drag & Drophard

Drag and drop the steps to troubleshoot IPv6 over IPv4 tunnel adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The troubleshooting process follows a logical progression: first verify the tunnel interface is up/up, then check the IPv6 routing table for the destination prefix, inspect the tunnel source and destination IPs for correctness, verify IPv4 reachability to the tunnel destination, and finally examine ACLs or firewall rules that might block GRE protocol 47 traffic.

55
MCQmedium

In a 6to4 tunnel, how is the tunnel destination address determined?

A.It is manually configured.
B.It is derived from the IPv6 destination address using the 2002::/16 prefix.
C.It is obtained via DNS.
D.It is the same as the tunnel source.
AnswerB

The IPv4 address is extracted from the 6to4 prefix.

Why this answer

In a 6to4 tunnel, the tunnel destination address is automatically derived from the IPv6 destination address by extracting the IPv4 address embedded in the 2002::/16 prefix. Specifically, the first 16 bits of the IPv6 destination are 2002, and the next 32 bits represent the IPv4 address of the remote 6to4 router. This allows the tunnel to be dynamically established without manual configuration of each destination.

Exam trap

Cisco often tests the distinction between automatic 6to4 tunnels and manually configured tunnels, where candidates mistakenly think all tunnels require manual destination configuration, but 6to4 uniquely derives it from the IPv6 address.

How to eliminate wrong answers

Option A is wrong because 6to4 is designed as an automatic tunneling mechanism; manually configuring the tunnel destination would defeat its purpose and is characteristic of manually configured tunnels (e.g., IPv6IP tunnels). Option C is wrong because DNS is not used to resolve the tunnel destination; the IPv4 address is directly embedded in the IPv6 prefix 2002::/16, not obtained via name resolution. Option D is wrong because the tunnel destination is not the same as the tunnel source; the source is the local IPv4 address, while the destination is derived from the remote IPv6 address's embedded IPv4 address.

56
MCQhard

An engineer configures an IPv6 manual tunnel between two routers. The tunnel is up, but when the engineer tries to ping the IPv6 address of the remote tunnel endpoint, the ping fails. The engineer checks the routing table and sees that the remote IPv6 network is reachable via the tunnel. What is the most likely cause?

A.The IPv6 addresses on the tunnel interfaces are not in the same subnet; manual tunnels require both endpoints to be in the same IPv6 subnet.
B.The tunnel interface is not configured with 'tunnel mode ipv6ip'.
C.The IPv4 address of the remote router is not reachable via the routing table.
D.The 'ipv6 enable' command is missing on the tunnel interface.
AnswerA

Manual tunnels are point-to-point; the IPv6 addresses must be in the same subnet for direct connectivity. If not, the router will try to route the packet, which may fail.

Why this answer

In a manual IPv6 tunnel (RFC 4213), the tunnel source and destination are IPv4 addresses, and the IPv6 addresses configured on the tunnel interfaces are not required to be in the same subnet. The ping fails because the router cannot determine the correct next-hop IPv4 address for the destination IPv6 address; manual tunnels rely on a static route pointing to the remote IPv6 prefix via the tunnel interface, not on the IPv6 subnet of the tunnel endpoints. The correct answer is A because the statement that both endpoints must be in the same IPv6 subnet is false, but the question presents it as the 'most likely cause'—in reality, the issue is typically a missing or incorrect static route for the remote IPv6 network, not the subnet mismatch.

Exam trap

Cisco often tests the misconception that tunnel interfaces must have IPv6 addresses in the same subnet, similar to Ethernet interfaces, when in fact manual tunnels are point-to-point and rely on static routing, not subnet matching.

How to eliminate wrong answers

Option A is incorrect because manual tunnels do not require the IPv6 addresses on the tunnel interfaces to be in the same subnet; the tunnel is a point-to-point link and the IPv6 addresses can be from different subnets. Option B is wrong because 'tunnel mode ipv6ip' is the correct mode for an IPv6 manual tunnel, and if it were missing, the tunnel would not come up at all. Option C is wrong because the engineer confirmed the remote IPv6 network is reachable via the tunnel in the routing table, implying the IPv4 destination is reachable; if the IPv4 address were unreachable, the tunnel would be down or the route would not appear.

Option D is wrong because 'ipv6 enable' is not required on a tunnel interface that already has an explicit IPv6 address configured; it is only needed to enable IPv6 on an interface without a configured IPv6 address.

57
MCQmedium

Examine this configuration on Router R4: ``` interface Tunnel0 ip address 10.0.0.1 255.255.255.252 ipv6 address 2001:DB8:6::1/64 tunnel source GigabitEthernet0/0 tunnel destination 172.16.1.2 tunnel mode gre ip ``` What will be the effect?

A.The tunnel will only carry IPv4 traffic because the mode is 'gre ip'.
B.The tunnel will successfully encapsulate both IPv4 and IPv6 payloads over IPv4.
C.The tunnel will fail because the tunnel source is an interface, not an IP address.
D.The tunnel mode should be 'ipv6ip' to carry IPv6 traffic.
AnswerB

GRE allows multiprotocol payload; the IPv4 and IPv6 addresses on the tunnel interface are valid.

Why this answer

The 'tunnel mode gre ip' command creates a generic routing encapsulation (GRE) tunnel over IPv4. GRE is protocol-agnostic and can encapsulate any Layer 3 protocol, including IPv4 and IPv6. The IPv6 address configured on the tunnel interface allows IPv6 traffic to be routed into the tunnel, where it is encapsulated in IPv4 packets and sent to the tunnel destination.

Therefore, the tunnel will successfully carry both IPv4 and IPv6 payloads.

Exam trap

Cisco often tests the misconception that 'tunnel mode gre ip' only supports IPv4 traffic, when in fact GRE is protocol-agnostic and can carry IPv6, IPX, or other Layer 3 protocols as payload.

How to eliminate wrong answers

Option A is wrong because 'gre ip' mode does not restrict the tunnel to only IPv4 payloads; GRE can encapsulate multiple protocols, including IPv6. Option C is wrong because the tunnel source can be specified as an interface (e.g., GigabitEthernet0/0), and the router will use that interface's primary IP address as the source; this is a valid configuration. Option D is wrong because 'ipv6ip' mode is a specific tunnel type for IPv6-in-IPv4 encapsulation without GRE overhead, but GRE is fully capable of carrying IPv6 traffic and is often preferred for its flexibility and support for additional features like multipoint or encryption.

58
MCQhard

A network engineer configures an IPv6 over IPv4 GRE tunnel with IPsec protection using a transform set that includes ESP encryption and authentication. The tunnel comes up, but OSPFv3 over the tunnel fails to form adjacency. The engineer notices that the tunnel interface has an MTU of 1400. What is the most likely explanation?

A.The IPsec transform set includes both ESP encryption and authentication, which adds 50+ bytes of overhead; the tunnel MTU of 1400 is too high for the actual path MTU after encapsulation.
B.OSPFv3 requires the tunnel interface to be configured with 'ipv6 ospf network point-to-point' to work over GRE.
C.The IPsec configuration is missing the 'crypto map' applied to the tunnel interface.
D.The GRE tunnel mode should be 'tunnel mode gre ipv6' instead of the default.
AnswerA

With ESP encryption and authentication, the total overhead can be 50-60 bytes. The tunnel MTU of 1400 does not account for this, causing OSPFv3 packets to be fragmented or dropped.

Why this answer

The correct answer is A. When IPsec ESP encryption and authentication are applied to a GRE tunnel, the combined overhead (typically 50–60 bytes for ESP headers, trailers, and authentication data) reduces the effective payload MTU. With a tunnel interface MTU of 1400, the actual packet size after adding GRE (20 bytes) and IPsec overhead can exceed the path MTU, causing fragmentation or drops.

OSPFv3 uses large hello packets (often 1500 bytes), and if the encapsulated packet exceeds the path MTU, adjacency cannot form.

Exam trap

Cisco often tests the concept that IPsec overhead must be accounted for when setting tunnel MTU, and candidates mistakenly assume that a tunnel MTU of 1400 is always safe for IPv6 over GRE with IPsec, ignoring the cumulative encapsulation overhead.

How to eliminate wrong answers

Option B is wrong because OSPFv3 over GRE does not require the 'ipv6 ospf network point-to-point' command; GRE tunnels are inherently point-to-point, and OSPFv3 automatically detects the network type as point-to-point over a GRE tunnel. Option C is wrong because the question states that the tunnel comes up, and IPsec protection is configured via a transform set; the crypto map is likely applied to the physical interface or tunnel interface, and the tunnel being up indicates IPsec is functioning. Option D is wrong because 'tunnel mode gre ipv6' is used for IPv6 transport over IPv6, not for IPv6 over IPv4 GRE; the default 'tunnel mode gre ip' is correct for encapsulating IPv6 in IPv4.

59
MCQhard

An MPLS network with IPv6 over MPLS (6PE) is experiencing loss of IPv6 routes from a remote provider edge (PE) router. Router PE1 has the following relevant configuration: interface GigabitEthernet0/0 ipv6 address 2001:DB8:1::1/64 mpls ip interface Loopback0 ip address 192.0.2.1 255.255.255.255 router ospf 1 router-id 192.0.2.1 redistribute bgp 65000 subnets. Router PE2 shows: PE2# show bgp ipv6 unicast 2001:DB8:2::/64 % Network not in table. PE2# show mpls forwarding-table 192.0.2.1 Label: 16, Interface: GigabitEthernet0/1. What is the root cause?

A.PE1 is missing the network 2001:DB8:2::/64 command under router bgp for IPv6 unicast address family.
B.The MPLS label distribution between PE1 and PE2 is failing due to LDP mismatch.
C.OSPF is not redistributing the IPv6 prefix correctly.
D.The IPv6 address family is not enabled under router bgp on PE1.
AnswerA

Without this, the IPv6 prefix is not injected into BGP, so PE2 never learns it.

Why this answer

The correct answer is A because the output shows that PE2 has an MPLS label (16) for PE1's loopback (192.0.2.1) and can forward labeled traffic, but the IPv6 route 2001:DB8:2::/64 is missing from the BGP table. This indicates that PE1 is not advertising the IPv6 prefix into BGP. The missing `network 2001:DB8:2::/64` command under the IPv6 unicast address family on PE1 prevents the prefix from being injected into BGP, even though the interface is configured with the IPv6 address and OSPF redistribution is in place.

Exam trap

Cisco often tests the distinction between interface configuration and BGP advertisement, where candidates assume that having an IPv6 address on an interface automatically makes it reachable via BGP in a 6PE design.

How to eliminate wrong answers

Option B is wrong because the `show mpls forwarding-table` output shows a valid label (16) for PE1's loopback, proving that LDP is functioning correctly and there is no mismatch. Option C is wrong because OSPF redistribution of BGP routes is not required for 6PE; 6PE relies on BGP to carry IPv6 prefixes over the MPLS core, and OSPF is only used for IPv4 IGP reachability of the loopbacks. Option D is wrong because the IPv6 address family is implicitly enabled when the `network` command is used under `router bgp` for IPv6 unicast; the issue is the missing network statement, not the absence of the address family itself.

60
MCQmedium

A network engineer is troubleshooting an IPv6 over IPv4 tunnel that is used to connect two remote sites. The tunnel is configured with a tunnel source that is a loopback interface. The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address. The engineer checks the routing table and sees a route to the remote loopback's IPv4 address via a default route. What is the most likely cause?

A.The remote router does not have a route to the loopback network used as the tunnel source; it only has a default route that may not cover that prefix.
B.The tunnel destination is configured with the loopback address of the remote router, but the remote router's tunnel source is a different interface.
C.The tunnel interface is missing the 'tunnel mode ipv6ip' command.
D.The IPv6 address on the tunnel interface is not in the same subnet as the remote tunnel IPv6 address.
AnswerA

Correct because the tunnel source loopback address must be reachable from the remote router. If the default route does not include that specific prefix (e.g., due to routing policy or subnet mismatch), the tunnel cannot encapsulate packets.

Why this answer

The tunnel is up, but the engineer cannot ping the remote tunnel endpoint IPv6 address because the remote router lacks a route back to the loopback network used as the tunnel source. The remote router only has a default route, which may not cover the specific prefix of the local loopback, causing return traffic to be dropped. For IPv6 over IPv4 tunnels, the tunnel source and destination must be reachable via unicast routing; a missing or insufficient route (like a default that doesn't match) breaks bidirectional communication.

Exam trap

Cisco often tests the misconception that a tunnel being up guarantees end-to-end reachability, but the real issue is asymmetric routing caused by missing return routes for the tunnel source IPv4 address.

How to eliminate wrong answers

Option B is wrong because the tunnel destination is correctly configured with the remote router's loopback address; the issue is not about mismatched tunnel sources, but about the remote router lacking a route back to the local loopback network. Option C is wrong because if the tunnel is up, the 'tunnel mode ipv6ip' command is already applied; without it, the tunnel would not come up at all. Option D is wrong because IPv6 addresses on tunnel interfaces do not need to be in the same subnet for ping to work; they only need to be routable, and the tunnel itself provides the logical link.

61
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 tunnel brief Tunnel2: IPv6/IP, intf id 0/0/2, 6to4, mtu 1280 Source: 192.168.1.1 (GigabitEthernet0/0) Destination: 192.168.2.1 Tunnel transport: IPv4 Based on this output, which statement is correct?

A.This is a correctly configured 6to4 tunnel.
B.This tunnel is actually a manually configured IPv6/IP tunnel, not a 6to4 tunnel.
C.The tunnel is an ISATAP tunnel.
D.The tunnel is in an up/up state and passing traffic.
AnswerB

The presence of a specific destination address indicates a manual tunnel; 6to4 tunnels have no configured destination.

Why this answer

The output shows a manually configured IPv6/IP tunnel because it specifies both a source and destination IPv4 address. In a true 6to4 tunnel, the destination is automatically derived from the 6to4 prefix (2002::/16) and the destination IPv4 address, not statically configured. The presence of a static destination address indicates this is a manually configured tunnel, not a 6to4 tunnel.

Exam trap

Cisco often tests the distinction between automatic 6to4 tunnels (where the destination is derived from the IPv6 address) and manually configured tunnels (where both source and destination are explicitly set), leading candidates to assume any tunnel with '6to4' in the output is correctly configured.

How to eliminate wrong answers

Option A is wrong because a correctly configured 6to4 tunnel does not have a statically configured destination IPv4 address; the destination is derived automatically from the 6to4 prefix. Option C is wrong because an ISATAP tunnel uses a different interface identifier format (::0:5EFE:IPv4-address) and typically does not show a static destination address in this manner. Option D is wrong because the output does not show interface status or traffic statistics; 'show ipv6 tunnel brief' only displays configuration parameters, not operational state.

62
MCQmedium

A network engineer runs the following command on Router R1: R1# show ipv6 traffic | include tunnel 0 tunnel packets received 0 tunnel packets sent 0 tunnel packets dropped Based on this output, what can be concluded?

A.The tunnel is passing traffic normally.
B.The tunnel is not carrying any IPv6 traffic.
C.The tunnel is dropping all packets.
D.The tunnel is using IPsec encryption.
AnswerB

All counters are zero, meaning no traffic.

Why this answer

The 'show ipv6 traffic | include tunnel' command filters the output to show only lines containing 'tunnel'. The counters for packets received, sent, and dropped are all zero, which indicates that no IPv6 packets have been encapsulated or decapsulated by any tunnel interface. This means the tunnel is not carrying any IPv6 traffic, making option B correct.

Exam trap

Cisco often tests the misinterpretation of zero counters as 'no issues' (option A) or as 'dropping all packets' (option C), when in fact zero counters simply indicate no activity on the tunnel.

How to eliminate wrong answers

Option A is wrong because zero packets received and sent indicates no traffic is passing, not normal operation. Option C is wrong because zero packets dropped means no packets have been discarded; dropping all packets would show non-zero drop counters. Option D is wrong because the output provides no information about IPsec encryption; IPsec status is verified with commands like 'show crypto ipsec sa' or 'show crypto map', not from IPv6 traffic counters.

63
MCQhard

What is the default keepalive interval for a GRE tunnel interface on Cisco IOS-XE?

A.5 seconds
B.10 seconds
C.15 seconds
D.20 seconds
AnswerB

The default keepalive interval is 10 seconds.

Why this answer

The default keepalive interval for a GRE tunnel interface on Cisco IOS-XE is 10 seconds. This is defined by the default behavior of the `keepalive` command on tunnel interfaces, which sends periodic keepalive packets to verify the reachability of the tunnel destination. If no keepalive reply is received within three consecutive intervals (30 seconds by default), the tunnel interface is marked as down.

Exam trap

Cisco often tests the default keepalive interval for GRE tunnels, and the trap here is that candidates confuse it with the default keepalive interval for other interface types (e.g., serial interfaces default to 10 seconds as well, but some assume 5 or 15 seconds based on unrelated protocols like EIGRP hello timers).

How to eliminate wrong answers

Option A is wrong because 5 seconds is not the default; it is a common misconfiguration or a value used for faster failure detection but not the Cisco IOS-XE default. Option C is wrong because 15 seconds is not the default; it might be confused with the default keepalive interval for other interface types like serial interfaces (which default to 10 seconds as well, but not 15). Option D is wrong because 20 seconds is not the default; it could be mistaken for the default dead interval (three keepalive intervals) which is 30 seconds, not 20.

Ready to test yourself?

Try a timed practice session using only IPV6 Tunneling questions.