300-415 Question #122: Real Exam Question with Answer & Explanation

The correct answer is D: On vSmart control-policy firewall-service sequence 10 match route site-id 2 action accept set service FW vpn 10 default-action accept.


Question

Given the following configuration context for Site 1 on vpn10 with a firewall service, which of the following vSmart control-policy firewall-service definitions correctly redirects data traffic traveling from Site 1 to Site 2 through the configured firewall?
Site 1:
 vpn10
  service FW address 1.1.1.1
On vSmart:
 policy
  lists
   site-list firewall-sites
    site-id 1
 apply-policy
  site-list firewall-sites control-policy firewall-service out

Options

  • A. control-policy firewall-service sequence 10 match route site-id 2 action accept set service local default-action accept
  • B. On vSmart control-policy firewall-service sequence 10 match route site-id 2 action accept set service FW vpn 10 default-action accept
  • C. On vSmart control-policy firewall-service sequence 10 match route site-id 2 action accept set service FW vpn 10 set service local default-action accept
  • D. On vSmart control-policy firewall-service sequence 10 match route site-id 2 action accept set service FW vpn 10 default-action accept

Explanation

To redirect data traffic from Site 1 to Site 2 through a configured firewall service, the vSmart control policy must match routes destined for Site 2 and set the appropriate service.

Common mistakes.

  • A. set service local redirects traffic to a local service on the WAN Edge router itself, not to the named firewall service FW in VPN 10.
  • B. The syntax for set service is incorrect; service FW vpn 10 should follow set directly within the action block.
  • C. This configuration attempts to set two services, FW vpn 10 and local, simultaneously, which is not how service chaining is configured for a single traffic flow.

Concept tested. vSmart control policy service chaining

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/m-policy-chapter.html#_Toc2227184
