400-007 · Question #375
Which three characteristics of the Single Tier and the Dual Tier Headend Architectures for DMVPN designs are true? (Choose three.)
The correct answer is B. In a Single Tier Headend Architecture there is a single headend router per DMVPN cloud E. In a Single Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint F. In a Dual Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint. DMVPN headend architectures differ in whether GRE tunnel termination and IPsec encryption are handled by the same router (Single Tier) or separated across different routers (Dual Tier).
Question
Which three characteristics of the Single Tier and the Dual Tier Headend Architectures for DMVPN designs are true? (Choose three.)
Options
- AA Dual Tier Headend Architecture is required when using dual cloud topologies with spoke-to-
- BIn a Single Tier Headend Architecture there is a single headend router per DMVPN cloud
- CA Single Tier Headend Architecture is required when using dual cloud topologies with spoke-to-
- DIn a Dual Tier Headend Architecture, there are two different headend routers per DMVPN cloud
- EIn a Single Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint
- FIn a Dual Tier Headend Architecture, the GRE tunnel endpoint and encryption endpoint
How the community answered
(37 responses)- A16% (6)
- B73% (27)
- C3% (1)
- D8% (3)
Why each option
DMVPN headend architectures differ in whether GRE tunnel termination and IPsec encryption are handled by the same router (Single Tier) or separated across different routers (Dual Tier).
Neither architecture is mandated by dual cloud topology - the choice between Single and Dual Tier is driven by scalability and functional separation requirements, not cloud count.
Single Tier places one headend router per DMVPN cloud that handles all functions, making it the simplest topology for smaller deployments.
Single Tier is not required for dual cloud topologies - Dual Tier can equally support dual cloud designs including spoke-to-spoke tunnels.
Dual Tier is not defined by simply having two routers per cloud - its defining trait is the functional separation of GRE and IPsec endpoints, and a Single Tier headend can also have multiple routers for redundancy.
In Single Tier, the GRE tunnel endpoint and IPsec encryption endpoint are collocated on the same headend router, so both NHRP registration and crypto processing occur on one device.
In Dual Tier, the front-end router terminates GRE tunnels and processes NHRP while a separate back-end router handles IPsec encryption, distributing the processing load across two functional layers.
Concept tested: DMVPN Single Tier vs Dual Tier headend architecture design
Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2T/DMVPN-2.html
Topics
Community Discussion
No community discussion yet for this question.