
300-415 · Question #238

300-415 Question #238: Real Exam Question with Answer & Explanation

The correct answer is A: sequence 5 match destination-port 80 443 destination-ip 0.0.0.0/0 ! action accept nat use-vpn 0.

Policies

Question

An engineer modifies a data policy for DIA in VPN 67. The location has two Internet-bound circuits. Only the web browsing traffic must be admitted for DIA, without further discrimination about which transport to use. Here is the existing data policy configuration:

    data-policy DIA
     vpn-list VPN-67
      sequence 10
       match
        destination-data-prefix-list INTERNAL-NETWORKS
       !
      default-action drop

Which policy configuration sequence meets the requirements?

Options

  • A.
        sequence 5
         match
          destination-port 80 443
          destination-ip 0.0.0.0/0
         !
         action accept
          nat use-vpn 0
  • B.
        sequence 20
         match
          destination-port 80 443
          source-ip 0.0.0.0/0
         !
         action accept
          set local-tloc-list color biz-internet
  • C.
        sequence 20
         match
          destination-port 80 443
          destination-ip 0.0.0.0/0
         !
         action accept
          nat use-vpn 0
  • D.
        sequence 5
         match
          destination-port 80 443
          source-ip 0.0.0.0/0
         !
         action accept
          set local-tloc-list color biz-internet

Explanation

To permit only web browsing traffic for Direct Internet Access (DIA) in VPN 67 without transport discrimination, add a sequence that matches destination ports 80 and 443 to any destination IP (0.0.0.0/0) and accepts it with 'nat use-vpn 0', which hands the matched traffic to the transport VPN to be NATed out to the Internet. Because the action sets no TLOC list or color, the router is free to use either Internet-bound circuit. The keyed answer places this rule at sequence 5, ahead of the existing sequence 10.

Common mistakes.

  • B. 'source-ip 0.0.0.0/0' matches on the source rather than on the Internet-bound destination, and 'set local-tloc-list color biz-internet' pins the traffic to a single transport, which contradicts the requirement of 'without further discrimination about which transport to use'.
  • C. The match and the action are identical to A; only the sequence number differs. Note that 'default-action drop' applies only to traffic that matches no sequence at all, so a rule at sequence 20 is still evaluated before the default drop. What the position changes is the order relative to sequence 10: at sequence 5 the web rule is evaluated before the INTERNAL-NETWORKS match, so port 80/443 traffic destined for internal prefixes is also sent to NAT in VPN 0; at sequence 20, traffic to INTERNAL-NETWORKS is handled by sequence 10 first and only the remaining web traffic reaches the DIA rule. The keyed answer is A; in a production policy, confirm how web traffic to INTERNAL-NETWORKS should be treated before choosing the position.
  • D. Like B, this option matches on 'source-ip 0.0.0.0/0' and explicitly sets a TLOC color, which goes against the requirement not to discriminate about which transport to use.
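The following is an added example, not code from the exam page or from Cisco: a small first-match model of a centralized data policy that renders the vSmart-style CLI for the keyed answer and then evaluates sample flows against the option A ordering (DIA rule at sequence 5) and the option C ordering (DIA rule at sequence 20). The INTERNAL-NETWORKS prefixes and the host addresses are constructed for the demonstration, and sequence 10 is assumed to accept matching traffic because the page shows no explicit action for it. The point it makes explicit is that default-action only applies when no sequence matches, and that the position of the DIA rule relative to sequence 10 decides whether port 80/443 traffic to internal prefixes is NATed out.

```python
"""
Toy first-match evaluator for a Cisco SD-WAN centralized data policy.
Added illustration only; not vSmart code.  Sequences are evaluated in
ascending order, the first match wins, and default-action applies only
to traffic that matches no sequence.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed stand-in for the page's INTERNAL-NETWORKS data-prefix-list.
DATA_PREFIX_LISTS = {
    "INTERNAL-NETWORKS": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}


@dataclass
class Sequence:
    number: int
    dst_ports: Optional[frozenset] = None   # match destination-port ...
    dst_prefix_list: Optional[str] = None   # match destination-data-prefix-list ...
    dst_ip: Optional[str] = None            # match destination-ip A.B.C.D/L
    nat_use_vpn: Optional[int] = None       # action accept nat use-vpn N
    tloc_color: Optional[str] = None        # action accept set local-tloc-list color X

    def matches(self, dst: IPv4Address, dport: int) -> bool:
        """All configured match conditions must hold (AND semantics)."""
        if self.dst_ports is not None and dport not in self.dst_ports:
            return False
        if self.dst_prefix_list is not None and not any(
            dst in net for net in DATA_PREFIX_LISTS[self.dst_prefix_list]
        ):
            return False
        if self.dst_ip is not None and dst not in ip_network(self.dst_ip):
            return False
        return True

    def verdict(self) -> str:
        # Assumption: a sequence with no explicit action accepts, as the
        # page's sequence 10 shows a match but no action line.
        if self.nat_use_vpn is not None:
            return f"accept nat use-vpn {self.nat_use_vpn}"
        if self.tloc_color is not None:
            return f"accept set local-tloc-list color {self.tloc_color}"
        return "accept"

    def render(self) -> list:
        """Render this sequence in the indented CLI layout used on the page."""
        lines = [f"  sequence {self.number}", "   match"]
        if self.dst_ports is not None:
            lines.append("    destination-port " + " ".join(str(p) for p in sorted(self.dst_ports)))
        if self.dst_prefix_list is not None:
            lines.append(f"    destination-data-prefix-list {self.dst_prefix_list}")
        if self.dst_ip is not None:
            lines.append(f"    destination-ip {self.dst_ip}")
        lines.append("   !")
        if self.nat_use_vpn is not None:
            lines += ["   action accept", f"    nat use-vpn {self.nat_use_vpn}", "   !"]
        elif self.tloc_color is not None:
            lines += ["   action accept", f"    set local-tloc-list color {self.tloc_color}", "   !"]
        lines.append("  !")
        return lines


@dataclass
class DataPolicy:
    name: str
    vpn_list: str
    sequences: list
    default_action: str = "drop"

    def evaluate(self, dst_ip: str, dport: int):
        """Return (matching sequence number or None, resulting verdict)."""
        dst = ip_address(dst_ip)
        for seq in sorted(self.sequences, key=lambda s: s.number):
            if seq.matches(dst, dport):
                return seq.number, seq.verdict()
        return None, self.default_action   # reached only when nothing matched

    def render(self) -> str:
        lines = [f"data-policy {self.name}", f" vpn-list {self.vpn_list}"]
        for seq in sorted(self.sequences, key=lambda s: s.number):
            lines += seq.render()
        lines += [f"  default-action {self.default_action}", " !", "!"]
        return "\n".join(lines)


# The page's existing sequence 10 (INTERNAL-NETWORKS, no explicit action).
INTERNAL = Sequence(number=10, dst_prefix_list="INTERNAL-NETWORKS")


def dia_sequence(number: int) -> Sequence:
    """The keyed answer's web-only DIA rule at a caller-chosen position."""
    return Sequence(number=number, dst_ports=frozenset({80, 443}),
                    dst_ip="0.0.0.0/0", nat_use_vpn=0)


# Option A puts the DIA rule before sequence 10; option C puts it after.
OPTION_A = DataPolicy("DIA", "VPN-67", [dia_sequence(5), INTERNAL])
OPTION_C = DataPolicy("DIA", "VPN-67", [INTERNAL, dia_sequence(20)])

if __name__ == "__main__":
    print(OPTION_A.render())
    for label, policy in (("A", OPTION_A), ("C", OPTION_C)):
        for dst, port in (("203.0.113.10", 443), ("10.1.1.10", 80), ("203.0.113.10", 22)):
            print(label, dst, port, "->", policy.evaluate(dst, port))
```

Running it shows that an SSH flow to an external host (203.0.113.10:22) falls through to the default drop under both orderings, so sequence 20 is plainly still evaluated; the real difference is the 10.1.1.10:80 flow, which option A sends to NAT in VPN 0 and option C keeps on sequence 10.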

Concept tested. SD-WAN data policy for DIA with sequence order

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/config-policies.html

Topics

#SD-WAN Data Policy#Direct Internet Access (DIA)#Policy Sequencing#NAT use-vpn 0
