
MPLS VPN Questions

Here you will find answers to MPLS VPN Questions – Part 1

Question 1

Refer to the diagram. What problem can be caused by the second P router summarizing the loopback address of the egress PE router?

MPLS_summary_VPN.jpg

A. The first P router will be faced with a VPN label which it does not understand.
B. The second P router will be faced with a VPN label which it does not understand.
C. The egress PE router will not be able to establish a label switch path (LSP) to the ingress PE router.
D. A label switch path (LSP) will be established from the ingress PE router to the egress PE router, an event that is not desirable.
E. The ingress PE router will not be able to receive the VPN label from the egress PE router via MP-IBGP.

 

Answer: B

Explanation

When running MPLS VPN, there is a feature called penultimate hop popping (PHP). The “penultimate hop” is not the last LSR to process a labeled packet but the second-to-last one (that is, the router nearest to the egress LSR). With this feature, the egress LSR does not have to perform two label lookups, because PHP causes the penultimate hop to pop the MPLS label, leaving only the VPN label for the egress LSR to process.

In this question, if the second P router summarizes the loopback IP address of the egress PE router, then the Label Switch Path (LSP) tunnel will be broken. To understand why, let’s assume that the loopback address of the egress PE is 1.1.1.1/32 and the second P router summarizes it as 1.1.0.0/16. The second P router has both networks in its routing table, as below:
+ 1.1.1.1/32 (the original network)
+ 1.1.0.0/16 (the summary network)

The second P router only sends the summary network 1.1.0.0/16 to the first P router and ingress PE router. Also, the second P router thinks it is the last hop of the summary network 1.1.0.0/16 (because other routers don’t have information about this summary network), so it sends a pop label for this network to “First P router”. It also sends a label (7, for example) for the original network 1.1.1.1/32 to “First P router”.

MPLS_summary_VPN_explain.jpg

As the “Second P router” only sends summary network 1.1.0.0/16, “First P router” will understand that it needs to pop (remove) the label destined for this network, according to the PHP feature. It then sends this packet to the “second P router”. Therefore the “second P router” will get a VPN label which it cannot understand and the packet will be dropped.

Notice that in MPLS VPN, the next-hop label mapping to the downstream PE router’s loopback is used to forward the packet through the MPLS domain so the loopback address of the egress PE router is very important.
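The forwarding walk described above can be traced hop by hop. The following is an added example, not part of the original explanation: the transport label 20, the VPN label 99 and the router names are constructed values, while label 7 is the one used in the text.

```python
# Added illustration: labels 20 and 99 and the router names are constructed;
# label 7 is the example value used in the explanation above.
TRANSPORT, VPN = 20, 99

def build_lfibs(p2_summarizes):
    """Return per-router label tables: in_label -> (action, out_label, next_hop)."""
    if p2_summarizes:
        # P1 only learns 1.1.0.0/16, for which P2 advertised a pop label,
        # so P1 performs PHP one hop too early.
        p1 = {TRANSPORT: ("pop", None, "P2")}
    else:
        # P1 learns 1.1.1.1/32 and uses P2's label 7 for it.
        p1 = {TRANSPORT: ("swap", 7, "P2")}
    return {
        "P1": p1,
        # P2 is the real penultimate hop for 1.1.1.1/32: it pops label 7.
        "P2": {7: ("pop", None, "egress-PE")},
        # Only the egress PE has an entry for the VPN label.
        "egress-PE": {VPN: ("to_vrf", None, None)},
    }

def send_vpn_packet(p2_summarizes):
    """Walk one VPN packet from the ingress PE; return (outcome, router, trace)."""
    lfibs = build_lfibs(p2_summarizes)
    stack, router, trace = [TRANSPORT, VPN], "P1", []  # top of stack first
    while True:
        top = stack[0]
        entry = lfibs[router].get(top)
        if entry is None:
            trace.append(f"{router}: no entry for label {top}, packet dropped")
            return "dropped", router, trace
        action, out_label, next_hop = entry
        if action == "to_vrf":
            trace.append(f"{router}: VPN label {top} selects the VRF")
            return "delivered", router, trace
        stack = stack[1:] if action == "pop" else [out_label] + stack[1:]
        trace.append(f"{router}: {action} {top}, stack now {stack}, to {next_hop}")
        router = next_hop

if __name__ == "__main__":
    for flag in (False, True):
        print(send_vpn_packet(flag))
```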

Some other useful information about MPLS VPN:

The VPN label of the BGP route is recognized only by the egress PE router, and will not be understood by any other router (core routers). At the egress PE router, that prefix is associated with an outgoing interface belonging to a specific VRF on the router depending on the value in the VPN label. The VPN label is never touched until it reaches the egress PE router.

Aggregation should not be used where end-to-end LSPs are required, such as with:
– MPLS VPNs
– MPLS TEs
– MPLS-enabled ATM network
– Transit BGP where core routers are not running BGP

Question 2

On a dedicated subinterface implementation, PE-2 must establish an address-family vrf IPv4 BGP neighbor relationship with which router?

Internet Access Through a Dedicated Subinterface

MPLS_vrf_ipv4.jpg

A. CE-1
B. CE-2
C. PE-1
D. PE-IG
E. CE-1 and CE-2
F. PE-1 and PE-IG

 

Answer: B

Explanation

The PE router needs to learn IP prefixes from the customer edge (CE) router, so it must establish a neighbor relationship with the CE. Each IP prefix is a member of the IPv4 address family. After learning it, the PE converts it into a VPN-IPv4 prefix, which is a member of the VPN-IPv4 address family. The VPN-IPv4 prefix specifies the customer address uniquely even if the customer site uses private IP addresses.

Note:

You always have to configure a BGP address family for each VRF and configure route redistribution into BGP for each VRF, even if you do not use BGP as the PE-CE routing protocol.

(Reference: MPLS Student Guide)

Question 3

What are three drawbacks of a peer-to-peer VPN using a shared provider edge (PE) router? (Choose three)

A. A full mesh of virtual circuits is required between the customer sites.
B. All the customers have to share a common IP address space.
C. Optimal routing between customer sites cannot be guaranteed.
D. The shared PE router has to know all routes for all customers.
E. Packet filters are required on the PE routers.

 

Answer: B D E

Question 4

What is the difference in implementation between a managed CE services MPLS VPN and a central services MPLS VPN?

A. RD assignment
B. selective routes export
C. selective routes import
D. MP-BGP route redistribution filtering
E. CE-PE routing process
F. none

 

Answer: B

Question 5

What benefit does AToM provide to the service provider’s customers?

A. By supporting Layer 2 VPNs, customers maintain control of their site-to-site routings over the WAN.
B. By supporting Layer 3 VPNs, a full mesh of virtual circuits will not be required between the different customer sites to enable optimal routing. 
C. By supporting secured Layer 3 VPNs, customers do not have to deal with the complexity of configuring IPSec. 
D. By supporting MPLS traffic engineering over ATM, customers can better utilize their WAN link. 
E. By supporting Diff-Serv QoS, ATOM allows customers to deploy voice/video applications across the WAN.

 

Answer: A

Question 6

What is the purpose of the global configuration command, ip dhcp relay information option vpn?

A. enables the DHCP relay agent to insert the VPN suboptions to the BOOTP request
B. enables the DHCP relay agent to convert the broadcast DHCP request to a unicast DHCP request to a shared DHCP server 
C. enables the DHCP relay agent to perform VRF-aware NAT before forwarding the DHCP request to a shared DHCP server 
D. enables ODAP (On-Demand Address Pool) on the DHCP relay agent

 

Answer: A

Question 7

With MPLS VPN-aware NAT, what additional information is tracked inside the NAT translation table?

A. RD information 
B. RT information 
C. VRF information 
D. Multi-protocol BGP prefixes 
E. MPLS Labels

 

Answer: C

Question 8

Which of the following could be called a VPN identifier in the MPLS/VPN architecture?

A. route target 
B. route distinguisher 
C. VRF
D. VPN IPv4 address
E. BGP site-of-origin (SOO) extended community attribute

 

Answer: A

Explanation

The Route Distinguisher (RD) number is used to prefix the IP addresses for the site. This gives us a way to distinguish duplicate private addresses. For example, subnet 10.1.1.0 for VPN 16 is different than subnet 10.1.1.0 for VPN 20. From the MPLS VPN provider’s point of view they are 16:10.1.1.0 and 20:10.1.1.0, which are different. The RD is configured on the interface (or subinterface) connecting to the site.

But the RD cannot indicate that a site participates in more than one VPN. Therefore, route targets (RTs) were introduced in the MPLS VPN architecture to support complex VPN topologies. The RT indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. Similar to RDs, the RTs can be specified in one of these two formats:
* 16-bit AS number followed by a 32-bit decimal number (ASN:nn). For example, 15:3
* 32-bit IP address followed by a 16-bit decimal number (A.B.C.D:nn). For example, 172.16.23.45:10

Notice that while a particular prefix can have only one RD, that same prefix can have one or more RTs assigned to it.

Note: The route target can be considered a VPN identifier but route target is the closest approximation to a VPN identifier in the MPLS/VPN architecture.

Question 9

MPLS_VPN_neighbor.jpg

Refer to the exhibit. The MPLS VPN Customer A is using a separate interface for Internet access. However, with the current configurations shown, the CE router is not receiving any Internet routes from the PE router. Which two additional configuration commands can resolve the Internet connectivity issue? (Choose two)

A. At the CE router, under router bgp 50101, add the neighbor 10.1.1.66 remote-as 50102 command.
B. At the CE router, under router bgp 50101, add the network 0.0.0.0 command.
C. At the CE router, under router bgp 50101, add the ip route 0.0.0.0 0.0.0.0 10.1.1.66 command.
D. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor 10.1.1.65 remote-as 50101 command.
E. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor 10.1.1.17 default-originate command.
F. At the PE router, under router bgp 50102, add the neighbor 10.1.1.65 remote-as 50101 command

 

Answer: A F

Question 10

Refer to the exhibit and the following connectivity requirements. How many different VRFs are required?

MPLS_VRF.jpg

Sites CE1A, CE1B, CE1C, and CE1D require connectivity among them.
Sites CE2A and CE2B require connectivity between them.
Site CE12A requires connectivity to sites CE1A, CE1B, CE1C, CE1D, and CE12B.
Site CE12B requires connectivity to sites CE2A, CE2B, and CE12A.

A. 2 VRFs 
B. 3 VRFs 
C. 4 VRFs 
D. 6 VRFs 
E. 8 VRFs 
F. 10 VRFs

 

Answer: C
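A VRF and route-target plan can be checked against the connectivity requirements of this question, so that unintended reachability between sites is caught before deployment. The following is an added example, not part of the original page: the VRF names and RT values are hypothetical, and it assumes two sites can talk only when each side's VRF imports an RT the other exports. It compares a four-VRF plan with a three-VRF plan that places CE12A and CE12B in one VRF.

```python
from itertools import combinations

def mesh(*sites):
    """All unordered pairs among the given sites."""
    return {frozenset(p) for p in combinations(sites, 2)}

CE1 = ("CE1A", "CE1B", "CE1C", "CE1D")
# Connectivity required by Question 10, as unordered site pairs.
REQUIRED = (mesh(*CE1) | mesh("CE2A", "CE2B")
            | {frozenset(("CE12A", s)) for s in CE1 + ("CE12B",)}
            | {frozenset(("CE12B", s)) for s in ("CE2A", "CE2B", "CE12A")})

# Hypothetical plans: VRF -> (member sites, export RTs, import RTs).
FOUR_VRF = {
    "vrf_W": (set(CE1), {"65000:1"}, {"65000:1", "65000:3"}),
    "vrf_X": ({"CE2A", "CE2B"}, {"65000:2"}, {"65000:2", "65000:4"}),
    "vrf_Y": ({"CE12A"}, {"65000:3"}, {"65000:3", "65000:1", "65000:4"}),
    "vrf_Z": ({"CE12B"}, {"65000:4"}, {"65000:4", "65000:2", "65000:3"}),
}
THREE_VRF = {
    "vrf_W": (set(CE1), {"65000:1"}, {"65000:1", "65000:3"}),
    "vrf_X": ({"CE2A", "CE2B"}, {"65000:2"}, {"65000:2", "65000:3"}),
    "vrf_Y": ({"CE12A", "CE12B"}, {"65000:3"}, {"65000:3", "65000:1", "65000:2"}),
}

def reachable_pairs(plan):
    """Site pairs that have routes to each other in both directions."""
    pairs = set()
    for name_a, (sites_a, exp_a, imp_a) in plan.items():
        pairs |= mesh(*sorted(sites_a))  # sites in one VRF share a routing table
        for name_b, (sites_b, exp_b, imp_b) in plan.items():
            # A route crosses VRFs only if the receiver imports an RT the sender exports.
            if name_a != name_b and exp_a & imp_b and exp_b & imp_a:
                pairs |= {frozenset((a, b)) for a in sites_a for b in sites_b}
    return pairs

def audit(plan):
    """Compare a plan with REQUIRED; 'leaked' pairs are unintended reachability."""
    got = reachable_pairs(plan)
    label = lambda ps: sorted("-".join(sorted(p)) for p in ps)
    return {"missing": label(REQUIRED - got), "leaked": label(got - REQUIRED)}

if __name__ == "__main__":
    print("4 VRFs:", audit(FOUR_VRF))
    print("3 VRFs:", audit(THREE_VRF))
```

The four-VRF plan yields no missing and no leaked pairs, while the three-VRF plan lets CE12B reach the CE1 sites and CE12A reach the CE2 sites.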

  1. delf
    April 29th, 2011 at 12:13 | #1

    q 8 no answer, correct “A”
    q 9 no E,F pages

  2. Kadeesa
    July 19th, 2011 at 06:07 | #2

    @all
    Can anyone plz explain Q.10 !! how can it be 4 VRFs only ?

  3. Cacaw
    August 13th, 2011 at 14:09 | #3

    @ Kadeesa

    CE1A, CE2A, CE12A is 1
    CE1B, CE2B, CE12B is 2
    CE1C, CE2C is 3
    CE1D is 4

    The connectivity between CE sites is accomplished through the use of Route Targets.

  4. nweshrugged
    September 23rd, 2011 at 07:29 | #4

    @Kadeesa

    > Question 10
    The interfaces of CE1A, CE1B, CE1C, and CE1D will belong to vrf_W.
    The interfaces of CE2A and CE2B will belong to vrf_X.
    The Interface of CE12A will belong to vrf_Y.
    The Interface of CE12B will belong to vrf_Z.

    The vrf_W has the route-target of CE1A, CE1B, CE1C, and CE1D.
    The vrf_X has the route-target of CE2A and CE2B.
    The vrf_Y has the route-target of CE12A, CE12B, and vrf_W.
    The vrf_Z has the route-target of CE12A, CE12B, and vrf_X.

  5. Tamiru
    October 19th, 2011 at 14:03 | #5

    @nweshrugged
    Nice explanation ! good guy !

  6. Meir
    December 22nd, 2011 at 22:56 | #6

    About Q.10 The “trick” is in the word __different__. How many _different_ VRFs are required. In other words, what is the minimum number of VRFs to meet the connectivity demands.

  7. wagzy
    February 17th, 2012 at 17:26 | #7

    Great explanation from Kadeesa and nwesshrugged.

    My construction is as follows:

    PE VRF RD Im_RT Ex_RT
    ————————————————————————————————————————————————————————————
    PE1 CE1 123:11 123:11 123:11
    CE2 123:22 123:22 123:22
    CE12A 123:111 123:11 123:11
    123:11 123:121 123:121

    PE2 CE1 123:11 123:11 123:11
    CE2 123:22 123:22 123:22
    CE12B 123:122 123:22 123:22
    123:11 123:121 123:121

    This is an overlapping VPN with CE1 comprising a simple VPN of CE1A, CE1B, CE1C, CE1D. CE2 comprises a simple VPN of CE2A and CE2B. CE12A overlaps a simple VPN to CE12B and CE1 likewise CE12B overlaps CE12A and CE2.

    This also explains Q8. The RDs could identify a simple VPN but where a site participates in more than one VPN, it is unable to appropriately represent that VPN as in the case of CE12A and CE12B. They need RTs to identify their participation in the other VPNs. CE12A and CE12B use Im_RT and Ex_RT 123:121 to id the vpn between themselves whiles CE12A uses 123:11 to participate in CE1 whiles CE12B uses 123:22 to participate in CE2

    Hope this helps

  8. new
    February 18th, 2012 at 19:39 | #8

    @ nweshrugged
    Can’t we put CE12 A and B in same VRF like we do for CE1 and CE2.

    The interfaces of CE1A, CE1B, CE1C, and CE1D will belong to vrf_W.
    The interfaces of CE2A and CE2B will belong to vrf_X.
    The Interface of CE12A,CE12B will belong to vrf_Y.

    I think 3 vrf will be needed and RT will take care of other requirements.
    wagzy explained the same concept which i m trying to say. he used 3 vrf and different RTs.

    So ans of Q10 should be ‘B’

  9. dirraaan
    March 23rd, 2012 at 08:53 | #9

    Question 8 answer should be B.

    “MPLS VPN routes are advertised and placed in VRFs containing VPN identifiers (RD) and VPN membership information (RT).”
    Reference: Implementing Cisco MPLS volume 1 – MPLS VPN Technology module summary.

    RTs are just what makes up the access available inside the clients vrf (identified by the RD) but are not the clients VPN individually.

  10. EKTA
    March 27th, 2012 at 20:43 | #10

    Hi, plz tell me the good book to study MPLS and VPN for self studies ) as i only know CCNA voice.

  11. Chris
    May 12th, 2012 at 13:30 | #11

    Hello,

    I was thinking about question 10 and I guess guys your explanation is incorrect.
    VRFs are locally significant and you can’t have the same vrf on different PE routers (even if you give them the same name)

    IMHO correct answer is 4 vrfs which are:
    PE1:
    1) CE1A, CE1C, CE12A
    2) CE2A
    PE2:
    3) CE1B, CE1D
    4) CE2B, CE12B

    br
    Chris

  12. ki
    May 15th, 2012 at 15:27 | #12

    But unless to finish before october, MPLS exam will expire for CCIP

  13. costin
    May 27th, 2012 at 15:12 | #13

    @EKTA/ki: mpls fundamentals, by luc de ghein. and you can also try mpls and vpn architectures, by ivan pepelnjak and jim guichard.

  14. MrCisco
    June 19th, 2012 at 03:33 | #14

    Don’t overcomplicate it.
    Each “letter” is a different customer. There are 4 customers, so 4 VRFs are needed (one per customer).

  15. Paul
    June 30th, 2012 at 12:38 | #15

    You can’t put CE12A and CE12B in the same VRF because they have a different VPN requirement.

    As stated:
    Site CE12A requires connectivity to sites CE1A, CE1B, CE1C, CE1D, and CE12B.
    Site CE12B requires connectivity to sites CE2A, CE2B, and CE12A.

    if you put CE12B and CE12A in the same VRF:
    CE12B will have access also to CE12A, CE1B, CE1C and CE1D which is not part of the requirement.
    In addition, CE12A will have access to CE2A and CE2B

    so CE12A and CE12B should be in separate VRF.

  16. CCIP ASAP
    July 22nd, 2012 at 19:08 | #16

    i just pass MPLS+bgp today dodo 80 q is enough thanks great forum pass 980

  17. alaa
    July 26th, 2012 at 15:36 | #17

    Pass 1000 ,hope to be last one in the world got this exam

  18. FmyBoss
    July 27th, 2012 at 19:40 | #18

    Just passed, questions were 100% valid on this log! You guys are the best!
    Too bad it’s the last day to take it…

  19. Gursharn
    October 21st, 2012 at 14:28 | #19

    can anybody please tell me that where can I find the latest dumps for bgp+mpls (Cisco 642-691) exam?

  20. Dinesh Kumar
    December 7th, 2012 at 02:11 | #20

    in CCNA there is tutorial available for each topic before taking the questions and answers. but here it was not available if its available better for us to recalling… Since CCNA explanation given was very simple to learn by anyone.. same expecting for each topic in CCNP as well as CCI………..

  21. Anonymous
    January 22nd, 2014 at 17:39 | #21

    Kindly assist i am a nigeria . i need a tutor in abuja for ccnp service privide . call 08030557125 or email ojotemitope4@gmail.com

  22. temmy
    January 22nd, 2014 at 17:39 | #22

    Kindly assist i am a nigeria . i need a tutor in abuja for ccnp service provider . call 08030557125 or email ojotemitope4@gmail.com
