Cisco
300-415 · Question #295
300-415 Question #295: Real Exam Question with Answer & Explanation
The correct answer is C: sequence 5 match source-ip 0.0.0.0/0 ! action accept nat use-vpn 0.
Policies
Question
An engineer creates this data policy for DIA for VPN 10:
data-policy DIA
 vpn-list VPN-10
  sequence 10
   match
    destination-data-prefix-list INTERNAL-NETWORKS
   !
   action accept
Which policy sequence enables DIA for external networks?
Options
- A. sequence 5 match destination-ip 0.0.0.0/0 ! action reject ! default-action accept
- B. sequence 20 match source-ip 0.0.0.0/0 ! action reject ! default-action accept
- C. sequence 5 match source-ip 0.0.0.0/0 ! action accept nat use-vpn 0
- D. sequence 20 match destination-ip 0.0.0.0/0 ! action accept nat use-vpn 0
Explanation
To enable Direct Internet Access (DIA) for external networks in VPN 10, a data policy sequence is required that matches all source IP traffic from the VPN and directs it to the transport VPN 0 for NATing.
Common mistakes.
- A. The action reject command in this sequence would block traffic, preventing Direct Internet Access rather than enabling it.
- B. Similar to option A, the action reject command would prevent traffic from being forwarded, thus failing to enable Direct Internet Access.
- D. While this sequence uses the correct action accept nat use-vpn 0 for DIA and targets destination-ip 0.0.0.0/0, placing it at sequence 20 would cause it to be evaluated after sequence 10. The correct answer C is typically considered a broader DIA policy by matching all source traffic at a higher priority.
Concept tested. SD-WAN Data Policy, Direct Internet Access (DIA) configuration
Topics
#SD-WAN Data Policy  #Direct Internet Access (DIA)  #NAT  #Policy Sequencing