
300-415 Question #251: Real Exam Question with Answer & Explanation

The correct answer is C: policy lists vpn-list VPN1 vpn 1 ! control-policy restrict_1 sequence 10 match route vpn-list VPN1 ! action reject ! default-action accept. To restrict outbound route updates for VPN1, a control policy must be configured to specifically match VPN1 routes and then apply a 'reject' action, with a default action to accept other VPN routes.

Policies

Question

A customer has 1 to 100 service VPNs and wants to restrict outbound updates for VPN1. Which control policy configuration restricts these updates?

Options

  • A. policy lists vpn-list restricted_vpns vpn 2-100 ! vpn-membership restrict_1 sequence 10 match vpn-list restricted_vpns action reject ! default-action accept !
  • B. policy lists vpn-list VPN2-100 vpn 2-100 ! control-policy restrict_2-100 sequence 10 match route vpn-list VPN2-100 ! action reject ! default-action accept
  • C. policy lists vpn-list VPN1 vpn 1 ! control-policy restrict_1 sequence 10 match route vpn-list VPN1 ! action reject ! default-action accept
  • D. policy lists vpn-list restricted_vpns vpn 1 ! vpn-membership restrict_1 sequence 100 match vpn-list restricted_vpns action reject ! default-action accept !

Explanation

To restrict outbound route updates for VPN1, a control policy must be configured to specifically match VPN1 routes and then apply a 'reject' action, with a default action to accept other VPN routes.

Common mistakes:

  • A. This configuration uses 'vpn-membership', which is a different type of policy than a control policy for route updates, and it incorrectly matches VPNs 2-100 to reject them, which is the opposite of the requirement (reject VPN1).
  • B. This control policy is designed to reject VPNs 2-100, not VPN1, which contradicts the stated goal of restricting outbound updates for VPN1.
  • D. This configuration uses 'vpn-membership', which is not the correct policy type for restricting outbound route updates. It also uses a high sequence number (100) before a default accept, which might allow VPN1 routes to be accepted before the specific reject if other rules are present.

Concept tested: Cisco SD-WAN control policy for route filtering.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/sdwan-policy-config.html#Cisco_Concept.dita_09c31326-8051-40b9-8086-538423402778

Topics

SD-WAN Control Policy, VPN Filtering, vSmart Policy, Route Filtering
