
300-730 · Question #143

300-730 Question #143: Real Exam Question with Answer & Explanation

The correct answer is C: Set the tunnel IP MTU to 1400. The tunnel interface IP MTU must be reduced by the encryption overhead so the resulting outer encrypted packet does not exceed the physical interface MTU and trigger fragmentation, which is dropped by the security policy.

Site-to-site VPNs on Routers and Firewalls

Question

A network engineer is implementing a FlexVPN tunnel between two Cisco IOS routers. The FlexVPN tunnels will terminate encrypted traffic on an interface configured with an IP MTU of 1500, and the company has a security policy to drop segmented traffic coming into or leaving the network. The tunnel will be used to transfer TFTP data between users and internal servers. When the TFTP traffic is not traversing a VPN, it can have a maximum IP packet size of 1500. Assuming the encrypted payload will add 90 bytes, which configuration allows TFTP traffic to traverse the FlexVPN tunnel without being dropped?

Options

  • A. Set the tunnel IP MTU to 1500.
  • B. Set the tunnel tcp adjust-mss to 1460.
  • C. Set the tunnel IP MTU to 1400.
  • D. Set the tunnel tcp adjust-mss to 1360.

Explanation

The tunnel interface IP MTU must be reduced by the encryption overhead so the resulting outer encrypted packet does not exceed the physical interface MTU and trigger fragmentation, which is dropped by the security policy.

Common mistakes.

  • A. A tunnel IP MTU of 1500 still allows inner packets of up to 1500 bytes, which after 90 bytes of encryption overhead become 1590-byte outer packets that exceed the physical MTU and require fragmentation.
  • B. The tcp adjust-mss command only modifies the MSS value in TCP SYN packets to limit TCP segment size; TFTP uses UDP, so this setting has no effect on TFTP traffic.
  • D. Like option B, tcp adjust-mss only applies to TCP connections and does not affect UDP-based TFTP traffic, leaving TFTP packets subject to fragmentation.
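The sizing rule in the explanation and the reasons options B and D fail, worked through as an added example (not code from the exam page or from Cisco). It assumes a simple model: the tunnel IP MTU caps every inner packet, a TCP MSS clamp bounds TCP payload only (MSS plus 40 bytes of IPv4 and TCP headers), and the outer packet is the inner packet plus the 90-byte encryption overhead from the question.

```python
# Added example (not from the exam page): model how each answer option changes
# the outer (encrypted) packet size for a flow crossing the FlexVPN tunnel.
# Assumptions: inner packets are capped by the tunnel IP MTU; a TCP MSS clamp
# bounds TCP payload only (MSS + 20 IP + 20 TCP header bytes = packet size);
# the outer packet is the inner packet plus the encryption overhead.

PHYSICAL_MTU = 1500          # physical interface IP MTU from the question
ENCRYPTION_OVERHEAD = 90     # bytes added by the FlexVPN encryption
IP_TCP_HEADERS = 40          # 20-byte IPv4 header + 20-byte TCP header

# The four answer options expressed as knobs on the tunnel interface.
OPTIONS = {
    "A": {"tunnel_ip_mtu": 1500, "tcp_adjust_mss": None},
    "B": {"tunnel_ip_mtu": 1500, "tcp_adjust_mss": 1460},
    "C": {"tunnel_ip_mtu": 1400, "tcp_adjust_mss": None},
    "D": {"tunnel_ip_mtu": 1500, "tcp_adjust_mss": 1360},
}


def outer_packet_size(proto, inner_size, tunnel_ip_mtu, tcp_adjust_mss=None):
    """Return the size of the encrypted packet sent out the physical interface.

    proto: "tcp" or "udp"; inner_size: IP packet size the host wants to send.
    An MSS clamp only changes what TCP endpoints send; UDP (TFTP) ignores it.
    The tunnel IP MTU caps every inner packet regardless of protocol.
    """
    if proto == "tcp" and tcp_adjust_mss is not None:
        inner_size = min(inner_size, tcp_adjust_mss + IP_TCP_HEADERS)
    inner_size = min(inner_size, tunnel_ip_mtu)
    return inner_size + ENCRYPTION_OVERHEAD


def needs_fragmentation(proto, inner_size, tunnel_ip_mtu, tcp_adjust_mss=None):
    """True if the outer packet exceeds the physical MTU and must be fragmented
    (and so would be dropped by the security policy in the question)."""
    outer = outer_packet_size(proto, inner_size, tunnel_ip_mtu, tcp_adjust_mss)
    return outer > PHYSICAL_MTU


def options_that_carry(proto, inner_size):
    """Letters of the options under which the flow crosses without fragmentation."""
    return sorted(letter for letter, knobs in OPTIONS.items()
                  if not needs_fragmentation(proto, inner_size, **knobs))


if __name__ == "__main__":
    # TFTP is UDP; the question states a maximum 1500-byte IP packet.
    print("TFTP 1500-byte packet passes under:", options_that_carry("udp", 1500))  # ['C']
    # For contrast, a full-size TCP segment is also rescued by the MSS clamp in D.
    print("TCP  1500-byte packet passes under:", options_that_carry("tcp", 1500))  # ['C', 'D']
```

The contrast between the UDP and TCP results is the point: an MSS clamp is a TCP-only fix, so only the tunnel IP MTU protects the TFTP flow.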

Concept tested. VPN tunnel MTU sizing to avoid fragmentation

Reference. https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Topics

#FlexVPN #MTU #fragmentation #tunnel interface
