300-415 Question #350: Real Exam Question with Answer & Explanation

The correct answer is A: policy data-policy Srvc_Plane_NAT vpn-list VPN1 sequence 10 match source-ip 10.0.0.1/32 ! action accept nat pool 1 ! ! default-action accept !. To resolve overlapping IP addresses between branch sites, a service-side NAT data policy using a NAT pool must be applied to translate the source IP before traffic traverses the SD-WAN overlay.

Policies

Question

A customer has two branch sites with overlapping IPs. How must the data policy be configured to establish communication between the sites and server to avoid overlapping?

Options

  • A. policy data-policy Srvc_Plane_NAT vpn-list VPN1 sequence 10 match source-ip 10.0.0.1/32 ! action accept nat pool 1 ! ! default-action accept !
  • B. policy data-policy Srvc_Plane_NAT vpn-list VPN2 sequence 10 match source-ip 10.0.0.1/32 ! action accept nat pool 1 ! ! default-action accept ! vpn 2 interface ge0/0/0 ip address 192.168.1.1/32 no shutdown
  • C. policy data-policy Srvc_Plane_NAT vpn-list VPN2 sequence 10 match source-ip 10.0.0.1/32 ! action accept nat pool 1 ! ! default-action accept ! vpn2 interface natpool1 ip address 192.168.1.1/32 no shutdown
  • D. policy data-policy Srvc_Plane_NAT vpn-list VPN1 sequence 10 match source-ip 10.0.0.1/32 ! action accept nat use-vpn 0 ! ! default-action accept !

Explanation

To resolve overlapping IP addresses between branch sites, a service-side NAT data policy using a NAT pool must be applied to translate the source IP before traffic traverses the SD-WAN overlay.

Common mistakes.

  • B. Option B incorrectly appends a VPN interface configuration block with a static IP address inside the data policy, which is not valid syntax for a data policy and would not resolve the overlap.
  • C. Option C contains invalid syntax - 'vpn2' (no space) and 'interface natpool1' are not valid configuration constructs within a data policy block.
  • D. Option D uses 'nat use-vpn 0', which is the syntax for Direct Internet Access NAT to VPN 0, not for resolving overlapping IPs between two service-side VPNs.

Concept tested. Service-side NAT data policy for overlapping IP resolution

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/nat-for-traffic-flows.html

Topics

#SD-WAN Data Policy, #NAT, #IP Overlap, #Policy Configuration
