300-415 Question #181: Real Exam Question with Answer & Explanation

Question

Options

• AConfigure the timezone on vBond to Europe/London.
• BConfigure the encapsulation ipsec command under the tunnel interface on vManage.
• CConfigure a default route on vBond pointing to 172.16.2.254.
• DRemove the encapsulation ipsec command under the tunnel interface of vBond.

Explanation

To resolve a connection issue in the depicted network, configuring a default route on vBond pointing to 172.16.2.254 is required, implying that vBond lacks proper network reachability to other components. A missing default route is a common cause for connectivity failures between SD-WAN controllers or to the Internet.

Common mistakes.

• A. Incorrect timezone configuration on vBond typically affects certificate validation and logging synchronization, but it does not directly prevent basic IP connectivity necessary for establishing connections.
• B. vManage controllers typically establish DTLS/TLS connections, not IPsec directly from a tunnel interface command in this context, and IPsec is usually handled by the underlying tunnel setup. Forcing encapsulation ipsec on vManage's control plane tunnel interfaces would likely be incorrect and cause issues if not aligned with the overall secure communication protocol for controllers.
• D. vBond uses DTLS for initial orchestration, and its tunnels are established securely. Removing encapsulation ipsec (if it were present and correctly configured) could compromise security or break expected tunnel behavior. More importantly, vBond's initial DTLS connections do not primarily rely on an explicit encapsulation ipsec command on a tunnel interface in the same manner as data plane IPsec tunnels.

Concept tested. Cisco SD-WAN controller network reachability and routing

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/sdwan-xe-gs-book_chapter_01.html#id_24754

No community discussion yet for this question.