F5

101 · Question #44

101 Question #44: Real Exam Question with Answer & Explanation

The correct answer is C: The SNAT must be enabled for the VLANs where desired packets arrive on the BIG-IP. SNAT on BIG-IP operates at ingress, so it must be enabled on the VLANs where the desired packets arrive in order to match and translate those packets.

Question

Which VLANs must be enabled for a SNAT to perform as desired (translating only desired packets)?

Options

  • A. The SNAT must be enabled for all VLANs.
  • B. The SNAT must be enabled for the VLANs where desired packets leave the BIG-IP.
  • C. The SNAT must be enabled for the VLANs where desired packets arrive on the BIG-IP.
  • D. The SNAT must be enabled for the VLANs where desired packets arrive and leave the BIG-IP.

Explanation

SNAT on BIG-IP operates at ingress, so it must be enabled on the VLANs where the desired packets arrive in order to match and translate those packets.

Common mistakes.

  • A. Enabling a SNAT for all VLANs is overly broad and unnecessary - it would also attempt SNAT processing on VLANs where no desired client traffic arrives, which is inefficient and potentially undesirable.
  • B. SNAT is applied based on where packets arrive (ingress), not where they leave (egress); enabling it only on egress VLANs would mean the BIG-IP never evaluates the packets for SNAT translation.
  • D. Enabling the SNAT on both ingress and egress VLANs is redundant because SNAT processing only occurs at ingress; the egress VLAN setting does not contribute to whether translation takes place.

Concept tested. SNAT VLAN scope and ingress processing on BIG-IP

Reference. https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-local-traffic-management-getting-started-with-snats.html
