
300-415 Question #354: Real Exam Question with Answer & Explanation

The correct answer is C:

  sequence 15
   match
    destination-data-prefix-list GOVERNMENT-WEBSITES
   !
   action accept
    set local-tloc-list color biz-internet

To route government website traffic via Direct Internet Access using a specific TLOC, the policy sequence must be inserted before competing sequences and use 'set local-tloc-list color biz-internet' to pin traffic to the correct transport.

Policies

Question

An engineer is modifying an existing data policy for VPN 115 to meet these additional requirements:

  • When browsing government websites, the traffic must use direct internet access.
  • The source address of the traffic leaving the site toward the government websites must be set to an IP range associated with the country itself, a particular TLOC.

The policy configuration is as follows:

  vpn 0
   interface ge0/0.100
    ip address 198.51.100.2/30
    nat
    !
    tunnel-interface
     encapsulation ipsec
     color biz-internet
     mtu 1496
     no shutdown
   !
   interface ge0/1.10
    ip address 10.254.254.2/30
    !
    tunnel-interface
     encapsulation ipsec
     color private1
     mtu 1496
     no shutdown
   !
   ip route 0.0.0.0/0 198.51.100.1
   ip route 0.0.0.0/0 10.254.254.1
  !
  data-policy DIA
   vpn-list VPN-115
    sequence 10
     match
      destination-data-prefix-list INTERNAL-NETWORKS
     !
     action accept
    sequence 20
     match
      destination-ip 0.0.0.0/0
     !
     action accept
      nat use-vpn 0
    !
   !
   default-action accept

Options

  • A.
      sequence 25
       match
        destination-data-prefix-list GOVERNMENT-WEBSITES
       !
       action accept
        nat use-vpn 0

  • B.
      sequence 30
       match
        destination-data-prefix-list GOVERNMENT-WEBSITES
       !
       action accept
        set local-tloc-list color biz-internet

  • C.
      sequence 15
       match
        destination-data-prefix-list GOVERNMENT-WEBSITES
       !
       action accept
        set local-tloc-list color biz-internet

  • D.
      sequence 15
       match
        source-data-prefix-list GOVERNMENT-WEBSITES
       !
       action accept
        set local-tloc-list color private1

Explanation

To route government website traffic via Direct Internet Access using a specific TLOC, the policy sequence must be inserted before competing sequences and use 'set local-tloc-list color biz-internet' to pin traffic to the correct transport.

Common mistakes

  • A. Using 'nat use-vpn 0' sends traffic to VPN 0 for NAT but does not pin it to a specific TLOC color, so the source IP cannot be guaranteed to originate from the biz-internet interface as required.
  • B. Sequence 30 is placed too late in the policy and government website traffic may already be matched and handled by an earlier sequence, making this sequence ineffective.
  • D. Matching on 'source-data-prefix-list GOVERNMENT-WEBSITES' is incorrect because government websites are the destination, not the source; this match would target traffic originating from government IP ranges rather than traffic destined to them.

Concept tested: Data policy sequence ordering and TLOC selection for DIA

Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/centralized-policy.html

Topics

#SD-WAN Data Policy, #TLOC, #Direct Internet Access, #Policy Sequencing
