Implementing Secure Solutions with Virtual Private Networks (SVPN) — Question 64

A network engineer is implementing a FlexVPN tunnel between two Cisco IOS routers. The FlexVPN tunnels will terminate on encrypted traffic on an interface configured with an IP MTU of 1500, and the company has a security policy to drop fragmented traffic coming into or leaving the network. The tunnel will be used to transfer TFTP data between users and internal servers. When the TFTP traffic is not traversing a VPN, it can have a maximum IP packet size of 1500. Assuming the encrypted payload will add 90 bytes, which configuration allows TFTP traffic to traverse the FlexVPN tunnel without being dropped?

Answer options

• A. Set the tunnel IP MTU to 1500.
• B. Set the tunnel tcp adjust-mss to 1460.
• C. Set the tunnel IP MTU to 1400.
• D. Set the tunnel tcp adjust-mss to 1360.

Correct answer: C

Explanation

Setting the tunnel IP MTU to 1400 ensures that the additional 90 bytes from encryption do not cause fragmentation, allowing the TFTP traffic to pass without being dropped. The other options either keep the MTU too high or adjust the MSS incorrectly, leading to potential fragmentation and violations of the security policy.