300-415 Question #418: Real Exam Question with Answer & Explanation

The correct answer is B:

    vpn 1
     service FW address 10.0.0.2
     interface ge0/2.1
      description "vpn 1"
      ip address 10.0.0.1/28
      no shutdown

To deploy service insertion at HQ for VPN 1 traffic through a firewall without route leaking, the configuration must define the firewall as a service directly within VPN 1.

Policies

Question

Refer to the exhibit. A customer wants to deploy service insertion at HQ in which traffic from VPN 1 must route to HQ from both sites to go through the firewall. No route leaking will be in place for this activity. Which configuration meets the requirement at HQ?

Options

  • A.
        policy
         lists
          site-list device-1
           site-id 1
         control-policy firewall-service
          sequence 10
           match route
            vpn 1
           action accept
            set service FW
        !
        apply-policy
         site-list device-1
          control-policy firewall-service out
  • B.
        vpn 1
         service FW address 10.0.0.2
         interface ge0/2.1
          description "vpn 1"
          ip address 10.0.0.1/28
          no shutdown
  • C.
        vpn 1
         service FW address 10.0.0.2
         interface ge0/3.100
          description "vpn 11 FW Inside Interface"
          ip address 1.1.1.1/29
          no shutdown
        vpn 12
         interface ge0/3.101
          description "vpn 12 FW Outside Interface"
          ip address 2.2.2.1/29
          no shutdown
  • D.
        vpn 1
         service FW address 10.0.0.2
         interface ge0/3.100
          description "vpn 1 FW Inside Interface"
          ip address 1.1.1.1/28
          no shutdown
         interface ge0/3.101
          description "vpn 1 FW Outside Interface"
          ip address 2.2.2.1/29
          no shutdown

Explanation

To deploy service insertion at HQ for VPN 1 traffic through a firewall without route leaking, the configuration must define the firewall as a service directly within VPN 1.

Common mistakes.

  • A. This is a control policy snippet configured on the vSmart controller, which primarily manipulates routes and TLOCs, not the local device configuration for defining a service insertion point within a VPN.
  • C. This configuration involves multiple interfaces and potentially multiple VPNs (vpn 11 and vpn 12), which would typically require route leaking between them to direct traffic through a firewall, contradicting the 'No route leaking' requirement.
  • D. This configuration attempts to define two interfaces within vpn 1 and assigns public IP addresses (1.1.1.1 and 2.2.2.1) which might be more complex than needed for simple service insertion and could imply route leaking if these IPs are on different segments.

Concept tested. Cisco SD-WAN local service insertion configuration.

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/sdwan-xe-gs-book_chapter_01101.html#concept_F8D6222E58C349C2930219662C923B06

Topics

Service Insertion, Firewall Integration, VPN Configuration, SD-WAN Policies
