350-401 · Question #1238
350-401 Question #1238: Real Exam Question with Answer & Explanation
Question
Lab Simulation 20

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

- Refer to the Tasks tab to view the tasks for this lab item.
- Refer to the Topology tab to access the device console(s) and perform the tasks.
- Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
- All necessary preconfigurations have been applied.
- Do not change the enable password or hostname for any device.
- Save your configurations to NVRAM before moving to the next item.
- Click Next at the bottom of the screen to submit this lab and move to the next question.
- When Next is clicked, the lab closes and cannot be reopened.

Answer:

R22:

```
int tun0
 vrf forwarding FINANCE
 ip add 10.10.10.2 255.255.255.0
 tunn source e0/0
 tunnel dest 209.165.200.230
 no shut
ip route vrf FINANCE 10.10.111.0 255.255.255.0 tunn0
int et0/1
 vrf forwarding FINANCE
 ip address 10.22.22.1 255.255.255.252
wr
```

Verification:
Options
- task: Complete the configurations on R22 to extend the Finance VRF between R11 and R22 using Tunnel 10, and configure static routing such that traffic between VLAN 111 and VLAN 222 uses Tunnel 10 exclusively.
- prerequisites: Console access to R22
Explanation
Lab Simulation 20 — VRF-Aware GRE Tunnel Configuration on R22
Note: There is a discrepancy in the provided materials. The "Answer" block assigns IP 10.10.10.2 to Tunnel0, while the "Procedure" block assigns 10.10.10.10. In a real exam, 10.10.10.2 is almost certainly correct: R11 would hold .1 and R22 holds .2 on the tunnel subnet. The explanation below uses .2.
1. Overall Goal
VRF (Virtual Routing and Forwarding) creates isolated routing tables within a single router — like separate virtual routers. The FINANCE VRF already exists on both R11 and R22, but they are physically separated by a shared (non-FINANCE) IP backbone.
A GRE tunnel punches a virtual point-to-point pipe through that shared backbone. By placing the tunnel interface inside the FINANCE VRF, the two routers share one logical FINANCE routing domain across sites — without leaking FINANCE routes into the global table. VLAN 111 (behind R11) and VLAN 222 (behind R22) can then reach each other exclusively through that tunnel.
2. Step-by-Step Breakdown
Step 1 — int tun0
Enter interface configuration for Tunnel0. GRE tunnels are logical interfaces; they don't exist on a physical port. You must create and configure one explicitly.
Skip this: Nothing to configure — you stay in global config and no tunnel is built.
Step 2 — vrf forwarding FINANCE
Assigns Tunnel0 to the FINANCE VRF. This is the critical step that makes the tunnel "belong" to the FINANCE routing table instead of the global table.
Important side effect: This command wipes any IP address already on the interface. That is why IP address assignment always comes after VRF assignment.
Skip this: The tunnel joins the global routing table. FINANCE traffic would bleed into the global table, breaking VRF isolation entirely.
Do out of order (set IP before VRF): The IP gets erased when VRF is applied — you'd have to re-enter it.
Step 3 — ip address 10.10.10.2 255.255.255.0
Assigns the tunnel's logical IP address within the FINANCE VRF. R11 holds 10.10.10.1; R22 holds 10.10.10.2. This /24 is the tunnel subnet — both ends need an address on the same subnet to establish adjacency.
Skip this: The tunnel has no IP, so no routing over it is possible.
Step 4 — tunnel source e0/0
Tells the router which physical interface to use as the GRE encapsulation source. The outer IP header (the "wrapper" around FINANCE packets) will carry the IP address of e0/0 as its source address.
Skip this: The tunnel stays down — Cisco requires both a source and a destination to bring a GRE tunnel up.
Step 5 — tunnel destination 209.165.200.230
Sets the remote end of the tunnel — R11's public-facing IP on e0/0. The router will send GRE-encapsulated packets to this address across the shared backbone.
Skip this: Same result as above — tunnel stays down (%TUN-5-RECURDOWN or simply line-protocol down).
Step 6 — no shutdown
Brings the tunnel interface up. Tunnel interfaces are administratively down by default on some IOS versions.
Skip this: The interface stays down regardless of correct source/destination config.
Step 7 — ip route vrf FINANCE 10.10.111.0 255.255.255.0 tunnel0
Adds a static route inside the FINANCE VRF telling R22: "To reach VLAN 111's subnet (10.10.111.0/24), send traffic out Tunnel0." Because the tunnel is VRF-aware, traffic stays within FINANCE end-to-end.
Skip this: R22 has no idea how to reach 10.10.111.0. Traffic from VLAN 222 destined for VLAN 111 drops with "no route to host."
Use global table instead of vrf FINANCE: The route goes into the wrong routing table and is never consulted for FINANCE traffic.
Step 8 — int et0/1
Enter configuration for the physical LAN-facing interface connecting R22 to VLAN 222's switch/segment.
Step 9 — vrf forwarding FINANCE (on et0/1)
Places the LAN interface into the FINANCE VRF so that hosts on VLAN 222 are reachable within the FINANCE routing domain — not the global table.
Same rule applies: This erases any IP on et0/1, so IP assignment must come next.
Skip this: VLAN 222 hosts are in the global routing table, not FINANCE. They can never communicate with VLAN 111 through the FINANCE tunnel.
Step 10 — ip address 10.22.22.1 255.255.255.252
Assigns the gateway IP for the VLAN 222 segment. The /30 (255.255.255.252) is a point-to-point subnet — exactly 2 usable host addresses, which is all you need between the router and the downstream switch/host.
Skip this: No IP on the LAN interface; hosts have no gateway and can't communicate.
Step 11 — wr (write memory)
Saves the running configuration to NVRAM. Without this, a reload wipes all your work.
Skip this on an exam: Automatic failure — the grading system typically reloads the device to verify persistent config.
3. What Happens if Steps Are Out of Order
| Mistake | Consequence |
|---|---|
| IP before VRF on any interface | IP is silently removed when VRF is applied |
| Tunnel source/dest before no shut | Tunnel stays down (minor; order doesn't matter much here) |
| Static route before tunnel is up | Route installs but is unusable until tunnel comes up |
| wr skipped | Config lost on reload; exam grade fails |
4. Memory Tips
VRF before IP — always. Think: "You must join the club before you get a membership number." Applying vrf forwarding after an IP is the #1 mistake on VRF lab questions.
GRE tunnel checklist: Source → Destination → IP → No Shut. Like a phone call: you need your number (source), you need to dial a number (destination), you need a voice (IP), then you pick up (no shut).
ip route vrf <name> — if the interface is in a VRF, the static route must explicitly name the VRF or it goes into the wrong table.
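The ordering and table-membership rules from sections 3 and 4 can be checked mechanically before a change script is pasted into R22. The Python linter below is an added example, not part of the original explanation; the `lint` function, its parameters and the sample script are constructed for illustration, and it assumes the script uses full IOS keywords rather than abbreviations such as `int tun0`.

```python
import re

# Constructed change script for R22 with two deliberate mistakes:
# IP typed before the VRF on Tunnel0, and a static route without "vrf FINANCE".
BAD = """interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 vrf forwarding FINANCE
 tunnel source Ethernet0/0
 tunnel destination 209.165.200.230
interface Ethernet0/1
 vrf forwarding FINANCE
 ip address 10.22.22.1 255.255.255.252
ip route 10.10.111.0 255.255.255.0 Tunnel0
"""

def lint(script, vrf, members):
    """Replay typed commands in order and report VRF isolation problems."""
    findings, state, routes, name = [], {}, [], None
    for line in (l.strip() for l in script.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            name = m.group(1).lower()
            state.setdefault(name, {"vrf": None, "ip": False, "tun": set()})
        elif m := re.match(r"ip route (?:vrf (\S+) )?\S+ \S+ (\S+)$", line):
            name = None  # a global command leaves interface mode
            routes.append((m.group(1), m.group(2).lower()))
        elif name is None:
            continue
        elif m := re.match(r"vrf forwarding (\S+)$", line):
            if state[name]["ip"]:  # IOS removes the address when the VRF changes
                findings.append(f"{name}: ip address typed before vrf forwarding")
                state[name]["ip"] = False
            state[name]["vrf"] = m.group(1)
        elif line.startswith("ip address "):
            state[name]["ip"] = True
        elif m := re.match(r"tunnel (source|destination) \S+$", line):
            state[name]["tun"].add(m.group(1))
    for name in members:
        s = state.get(name, {"vrf": None, "ip": False, "tun": set()})
        if s["vrf"] != vrf:
            findings.append(f"{name}: not in VRF {vrf}, would use the global table")
        if not s["ip"]:
            findings.append(f"{name}: no IP address left on the interface")
        if name.startswith("tunnel") and s["tun"] != {"source", "destination"}:
            findings.append(f"{name}: tunnel source/destination incomplete")
    for rvrf, out in routes:  # the route must live in the egress interface's table
        if out in state and state[out]["vrf"] != rvrf:
            findings.append(f"route via {out}: in {rvrf or 'global'} table, "
                            f"interface is in {state[out]['vrf'] or 'global'}")
    return findings
```

Calling `lint(BAD, "FINANCE", ["tunnel0", "ethernet0/1"])` returns one finding per mistake plus the resulting missing address on Tunnel0; a script in the order given in the step-by-step breakdown returns an empty list.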